6189 files changed, 243781 insertions, 196241 deletions

diff --git a/Android.common.mk b/Android.common.mk
new file mode 100644
index 000000000..7f2790ce4
--- /dev/null
+++ b/Android.common.mk
@@ -0,0 +1,30 @@
+# some common definitions used by the main and the NDK-specific Android.mk
+# include this after strongswan_PLUGINS has been defined
+
+# helper macros to only add source files for plugins included in the list above
+# source files are relative to the android.mk that called the macro
+plugin_enabled = $(filter $(1), $(strongswan_PLUGINS))
+add_plugin = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(LOCAL_PATH)/plugins/%/%*.c \
+                    ) \
+                  ) \
+                ) \
+              )
+add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(addprefix $(LOCAL_PATH)/plugins/%/,$(addsuffix /*.c, \
+                       $(strip $(2)) \
+                      )) \
+                    ) \
+                  ) \
+                ) \
+              )
+
+# strongSwan version, replaced by top Makefile
+strongswan_VERSION := "5.1.0"
+
diff --git a/Android.common.mk.in b/Android.common.mk.in
new file mode 100644
index 000000000..9f8849d7e
--- /dev/null
+++ b/Android.common.mk.in
@@ -0,0 +1,30 @@
+# some common definitions used by the main and the NDK-specific Android.mk
+# include this after strongswan_PLUGINS has been defined
+
+# helper macros to only add source files for plugins included in the list above
+# source files are relative to the android.mk that called the macro
+plugin_enabled = $(filter $(1), $(strongswan_PLUGINS))
+add_plugin = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(LOCAL_PATH)/plugins/%/%*.c \
+                    ) \
+                  ) \
+                ) \
+              )
+add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
+               $(patsubst $(LOCAL_PATH)/%,%, \
+                 $(wildcard \
+                   $(subst %,$(subst -,_,$(strip $(1))), \
+                     $(addprefix $(LOCAL_PATH)/plugins/%/,$(addsuffix /*.c, \
+                       $(strip $(2)) \
+                      )) \
+                    ) \
+                  ) \
+                ) \
+              )
+
+# strongSwan version, replaced by top Makefile
+strongswan_VERSION := "@PACKAGE_VERSION@"
+
diff --git a/Android.mk b/Android.mk
index 59d27775a..aa61cc0e7 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,56 +5,43 @@ include $(CLEAR_VARS)
 # to PRODUCT_PACKAGES in
 #   build/target/product/core.mk
 # possible executables are
-#   starter - allows to control and configure the daemons from the command line
-#   charon - the IKEv2 daemon
-#   pluto - the IKEv1 daemon
+#   starter - allows to control and configure the daemon from the command line
+#   charon - the IKE daemon
+#   scepclient - SCEP client
 
-# if you enable starter and/or pluto (see above) uncomment the proper lines here
+# if you enable starter or scepclient (see above) uncomment the proper
+# lines here
 # strongswan_BUILD_STARTER := true
-# strongswan_BUILD_PLUTO := true
+# strongswan_BUILD_SCEPCLIENT := true
 
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
-strongswan_CHARON_PLUGINS := openssl fips-prf random pubkey pkcs1 \
-	pem xcbc hmac kernel-netlink socket-default android \
-	stroke eap-identity eap-mschapv2 eap-md5
+strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
+	pkcs1 pkcs8 pem xcbc hmac kernel-netlink socket-default android-dns \
+	stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
 
-ifneq ($(strongswan_BUILD_PLUTO),)
-# if both daemons are enabled we use raw sockets in charon
-strongswan_CHARON_PLUGINS := $(subst socket-default,socket-raw, \
-				$(strongswan_CHARON_PLUGINS))
-# plugins loaded by pluto
-strongswan_PLUTO_PLUGINS := openssl fips-prf random pubkey pkcs1 \
-	pem xcbc hmac kernel-netlink xauth
+ifneq ($(strongswan_BUILD_SCEPCLIENT),)
+# plugins loaded by scepclient
+strongswan_SCEPCLIENT_PLUGINS := openssl curl fips-prf random pkcs1 pkcs7 pem
 endif
 
 strongswan_STARTER_PLUGINS := kernel-netlink
 
 # list of all plugins - used to enable them with the function below
 strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS) \
-			     $(strongswan_PLUTO_PLUGINS) \
-			     $(strongswan_STARTER_PLUGINS))
+			     $(strongswan_STARTER_PLUGINS) \
+			     $(strongswan_SCEPCLIENT_PLUGINS))
 
-# helper macros to only add source files for plugins included in the list above
-# source files are relative to the android.mk that called the macro
-plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
-add_plugin = $(if $(call plugin_enabled,$(1)), \
-               $(patsubst $(LOCAL_PATH)/%,%, \
-                 $(wildcard \
-                   $(subst %,$(subst -,_,$(strip $(1))), \
-                     $(LOCAL_PATH)/plugins/%/%*.c \
-                    ) \
-                  ) \
-                ) \
-              )
+include $(LOCAL_PATH)/Android.common.mk
 
 # includes
 strongswan_PATH := $(LOCAL_PATH)
 libvstr_PATH := external/strongswan-support/vstr/include
+libcurl_PATH := external/strongswan-support/libcurl/include
 libgmp_PATH := external/strongswan-support/gmp
+openssl_PATH := external/openssl/include
 
 # some definitions
-strongswan_VERSION := "4.6.4"
 strongswan_DIR := "/system/bin"
 strongswan_SBINDIR := "/system/bin"
 strongswan_PIDDIR := "/data/misc/vpn"
@@ -84,9 +71,12 @@ strongswan_CFLAGS := \
 	-DOPENSSL_NO_ECDSA \
 	-DOPENSSL_NO_ECDH \
 	-DOPENSSL_NO_ENGINE \
+	-DCONFIG_H_INCLUDED \
 	-DCAPABILITIES \
 	-DCAPABILITIES_NATIVE \
 	-DMONOLITHIC \
+	-DUSE_IKEV1 \
+	-DUSE_IKEV2 \
 	-DUSE_VSTR \
 	-DDEBUG \
 	-DROUTING_TABLE=0 \
@@ -110,21 +100,19 @@ strongswan_BUILD := \
 	libhydra \
 	libstrongswan \
 	libtncif \
-	libtnccs
+	libtnccs \
+	libimcv
 
 ifneq ($(strongswan_BUILD_STARTER),)
 strongswan_BUILD += \
-	libfreeswan \
 	starter \
 	stroke \
 	ipsec
 endif
 
-ifneq ($(strongswan_BUILD_PLUTO),)
+ifneq ($(strongswan_BUILD_SCEPCLIENT),)
 strongswan_BUILD += \
-	libfreeswan \
-	pluto \
-	whack
+	scepclient
 endif
 
 include $(addprefix $(LOCAL_PATH)/src/,$(addsuffix /Android.mk, \
diff --git a/Android.mk.in b/Android.mk.in
deleted file mode 100644
index e1f061350..000000000
--- a/Android.mk.in
+++ /dev/null
@@ -1,131 +0,0 @@
-LOCAL_PATH := $(call my-dir)
-include $(CLEAR_VARS)
-
-# the executables that should be installed on the final system have to be added
-# to PRODUCT_PACKAGES in
-#   build/target/product/core.mk
-# possible executables are
-#   starter - allows to control and configure the daemons from the command line
-#   charon - the IKEv2 daemon
-#   pluto - the IKEv1 daemon
-
-# if you enable starter and/or pluto (see above) uncomment the proper lines here
-# strongswan_BUILD_STARTER := true
-# strongswan_BUILD_PLUTO := true
-
-# this is the list of plugins that are built into libstrongswan and charon
-# also these plugins are loaded by default (if not changed in strongswan.conf)
-strongswan_CHARON_PLUGINS := openssl fips-prf random pubkey pkcs1 \
-	pem xcbc hmac kernel-netlink socket-default android \
-	stroke eap-identity eap-mschapv2 eap-md5
-
-ifneq ($(strongswan_BUILD_PLUTO),)
-# if both daemons are enabled we use raw sockets in charon
-strongswan_CHARON_PLUGINS := $(subst socket-default,socket-raw, \
-				$(strongswan_CHARON_PLUGINS))
-# plugins loaded by pluto
-strongswan_PLUTO_PLUGINS := openssl fips-prf random pubkey pkcs1 \
-	pem xcbc hmac kernel-netlink xauth
-endif
-
-strongswan_STARTER_PLUGINS := kernel-netlink
-
-# list of all plugins - used to enable them with the function below
-strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS) \
-			     $(strongswan_PLUTO_PLUGINS) \
-			     $(strongswan_STARTER_PLUGINS))
-
-# helper macros to only add source files for plugins included in the list above
-# source files are relative to the android.mk that called the macro
-plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
-add_plugin = $(if $(call plugin_enabled,$(1)), \
-               $(patsubst $(LOCAL_PATH)/%,%, \
-                 $(wildcard \
-                   $(subst %,$(subst -,_,$(strip $(1))), \
-                     $(LOCAL_PATH)/plugins/%/%*.c \
-                    ) \
-                  ) \
-                ) \
-              )
-
-# includes
-strongswan_PATH := $(LOCAL_PATH)
-libvstr_PATH := external/strongswan-support/vstr/include
-libgmp_PATH := external/strongswan-support/gmp
-
-# some definitions
-strongswan_VERSION := "@PACKAGE_VERSION@"
-strongswan_DIR := "/system/bin"
-strongswan_SBINDIR := "/system/bin"
-strongswan_PIDDIR := "/data/misc/vpn"
-strongswan_PLUGINDIR := "$(strongswan_IPSEC_DIR)/ipsec"
-strongswan_CONFDIR := "/system/etc"
-strongswan_STRONGSWAN_CONF := "$(strongswan_CONFDIR)/strongswan.conf"
-
-# CFLAGS (partially from a configure run using droid-gcc)
-strongswan_CFLAGS := \
-	-Wno-format \
-	-Wno-pointer-sign \
-	-Wno-pointer-arith \
-	-Wno-sign-compare \
-	-Wno-strict-aliasing \
-	-DHAVE___BOOL \
-	-DHAVE_STDBOOL_H \
-	-DHAVE_ALLOCA_H \
-	-DHAVE_ALLOCA \
-	-DHAVE_CLOCK_GETTIME \
-	-DHAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC \
-	-DHAVE_PRCTL \
-	-DHAVE_LINUX_UDP_H \
-	-DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
-	-DHAVE_IPSEC_MODE_BEET \
-	-DHAVE_IPSEC_DIR_FWD \
-	-DOPENSSL_NO_EC \
-	-DOPENSSL_NO_ECDSA \
-	-DOPENSSL_NO_ECDH \
-	-DOPENSSL_NO_ENGINE \
-	-DCAPABILITIES \
-	-DCAPABILITIES_NATIVE \
-	-DMONOLITHIC \
-	-DUSE_VSTR \
-	-DDEBUG \
-	-DROUTING_TABLE=0 \
-	-DROUTING_TABLE_PRIO=220 \
-	-DVERSION=\"$(strongswan_VERSION)\" \
-	-DPLUGINDIR=\"$(strongswan_PLUGINDIR)\" \
-	-DIPSEC_DIR=\"$(strongswan_DIR)\" \
-	-DIPSEC_PIDDIR=\"$(strongswan_PIDDIR)\" \
-	-DIPSEC_CONFDIR=\"$(strongswan_CONFDIR)\" \
-	-DSTRONGSWAN_CONF=\"$(strongswan_STRONGSWAN_CONF)\" \
-	-DDEV_RANDOM=\"/dev/random\" \
-	-DDEV_URANDOM=\"/dev/urandom\"
-
-# only for Android 2.0+
-strongswan_CFLAGS += \
-	-DHAVE_IN6ADDR_ANY
-
-strongswan_BUILD := \
-	charon \
-	libcharon \
-	libhydra \
-	libstrongswan \
-	libtncif \
-	libtnccs
-
-ifneq ($(strongswan_BUILD_STARTER),)
-strongswan_BUILD += \
-	libfreeswan \
-	starter \
-	stroke \
-	ipsec
-endif
-
-ifneq ($(strongswan_BUILD_PLUTO),)
-strongswan_BUILD += \
-	libfreeswan \
-	pluto \
-	whack
-endif
-
-include $(addprefix $(LOCAL_PATH)/src/,$(addsuffix /Android.mk, \
-		$(sort $(strongswan_BUILD))))
diff --git a/CREDITS b/CREDITS
deleted file mode 100644
index 4ee6faac6..000000000
--- a/CREDITS
+++ /dev/null
@@ -1,110 +0,0 @@
-We haven't kept proper track of everybody who has helped us, alas, but
-here's a first attempt at acknowledgements...
-
-Most of the FreeS/WAN software has been done by Richard Guy Briggs
-(KLIPS), D. Hugh Redelmeier (Pluto), Michael Richardson (technical lead,
-KLIPS, testing, etc.), Henry Spencer (past technical lead, scripts, 
-libraries, packaging, etc.), Sandy Harris (documentation), Claudia 
-Schmeing (support, documentation), and Sam Sgro (support, releases).
-Peter Onion has collaborated extensively with RGB on PFKEY2 stuff.  The
-original version of our IPComp code came from Svenning Soerensen, who has
-also contributed various bug fixes and improvements. 
-
-The first versions of Pluto were done by Angelos D. Keromytis
-<angelos@dsl.cis.upenn.edu>.
-
-The MD2 implementation is from RSA Data Security Inc., so this package must
-include the following phrase: "RSA Data Security, Inc. MD2 Message Digest
-Algorithm"  It is not under the GPL; see details in programs/pluto/md2.c.
-
-The MD5 implementation is from RSA Data Security Inc., so this package must
-include the following phrase:  "derived from the RSA Data Security, Inc.
-MD5 Message-Digest Algorithm".  It is not under the GPL; see details in
-linux/net/ipsec/ipsec_md5c.c.
-
-The PKCS#11 header files in programs/pluto/rsaref/ are from RSA Security Inc.,
-so they must include the following phrase: "RSA Security Inc. PKCS#11
-Cryptographic Token Interface (Cryptoki)". The headers are not under the GPL;
-see details in programs/pluto/rsaref/pkcs11.h.
-
-The LIBDES library by Eric Young is used.  It is not under the GPL -- see
-details in libdes/COPYRIGHT -- although he has graciously waived the
-advertising clause for FreeS/WAN use of LIBDES. 
-
-The SHA-1 code is derived from Steve Reid's; it is public domain.
-
-Some bits of Linux code, notably drivers/net/new_tunnel.c and net/ipv4/ipip.c,
-are used in heavily modified forms.
-
-The lib/pfkeyv2.h header file contains public-domain material published in
-RFC 2367.
-
-Delete SA code and Notification messages were contributed by Mathieu Lafon.
-He also implemented the vital NAT traversal support.
-
-Peter Onion has been immensely helpful in finding portability bugs in
-general, and in making FreeS/WAN work on the Alpha in particular.  Rob
-Hatfield likewise found and fixed some problems making it work on the
-Netwinder.
-
-John S. Denker of AT&T Shannon Labs has found a number of bugs the hard
-way, has pointed out various problems (some of which we have fixed!) in
-using the software in production applications, and has suggested some
-substantial improvements to the documentation.
-
-Marc Boucher <marc@mbsi.ca> did a quick-and-dirty port of KLIPS to the
-Linux 2.2.x kernels, at a time when we needed it badly, and has helped
-chase down 2.2.xx bugs and keep us current with 2.4.x development.
-
-John Gilmore organized the FreeS/WAN project and continues to direct it.
-Hugh Daniel handles day-to-day management, customer interface, and both
-constructive and destructive testing.  See the project's web page
-<http://www.freeswan.org> for other contributors to this project and
-related ones.
-
-Herbert Xu ported the FreeS/WAN code to the native IPsec stack
-of the Linux 2.6 kernel.
-
-Kai Martius added initial support of OpenPGP certificates.
-
-Andreas Steffen introduced the support of X.509 certificates in 2000
-and has been both maintaining the  X.509 code and adding extensions 
-to it ever since.
-
-Andreas Hess, Patric Lichtsteiner, and Roger Wegmann implemented the
-the initial X.509 certificate support, relying on Kai Martius's work.
-
-Marco Bertossa and Andreas Schleiss implemented the verification of
-the X.509 chain from the peer certificate up to the root CA.
-
-Ueli Galizzi and Ariane Seiler did the original work on the support
-of attribute certificates.
-
-Martin Berner and Lukas Suter implemented the definition of group 
-attributes and dynamic fetching of attribute certificates.
-
-Christoph Gysin and Simon Zwahlen implemented PKCS#15-based
-smartcard suppport and contributed a fully operational OCSP client.
-
-David Buechi and Michael Meier implemented the PKCS#11 smartcard
-interface.
-
-The support of port and protocol selectors was based on Stephen J.
-Bevan's original work.
-
-Stephane Laroche donated the original LDAP and HTTP fetching code
-based on pthreads.
-
-JuanJo Ciarlante introduced the modular support of alternative
-encryption and authentication algorithms (AES, Serpent, twofish, etc).
-
-The ipsec starter is based on Mathieu Lafon's original work.
-
-Jan Hutter and Martin Willi developed the scepclient which fully
-supports Cisco's Simple Certificate Enrollment Protocol (SCEP).
-
-Tobias Brunner and Daniel Roethlisberger implemented NAT traversal and
-dead peer detection for the IKEv2 keying daemon.
-
-Daniel Wydler implemented the integrity test of the libstrongswan code
-using the FIPS_canister code from the OpenSSL-FIPS project.
diff --git a/Doxyfile.in b/Doxyfile.in
index 7fb516190..ac0a96c88 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -1,14 +1,14 @@
-# Doxyfile 1.5.6
+# Doxyfile 1.8.1.2
 
 # This file describes the settings to be used by the documentation system
-# doxygen (www.doxygen.org) for a project
+# doxygen (www.doxygen.org) for a project.
 #
-# All text after a hash (#) is considered a comment and will be ignored
+# All text after a hash (#) is considered a comment and will be ignored.
 # The format is:
 #       TAG = value [value, ...]
 # For lists items can also be appended using:
 #       TAG += value [value, ...]
-# Values that contain spaces should be placed between quotes (" ")
+# Values that contain spaces should be placed between quotes (" ").
 
 #---------------------------------------------------------------------------
 # Project related configuration options
@@ -22,8 +22,9 @@
 
 DOXYFILE_ENCODING      = UTF-8
 
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
-# by quotes) that should identify the project.
+# The PROJECT_NAME tag is a single word (or sequence of words) that should
+# identify the project. Note that if you do not use Doxywizard you need
+# to put quotes around the project name if it contains spaces.
 
 PROJECT_NAME           = "@PACKAGE_NAME@"
 
@@ -33,6 +34,19 @@ PROJECT_NAME           = "@PACKAGE_NAME@"
 
 PROJECT_NUMBER         = "@PACKAGE_VERSION@"
 
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer
+# a quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF          =
+
+# With the PROJECT_LOGO tag one can specify an logo or icon that is
+# included in the documentation. The maximum height of the logo should not
+# exceed 55 pixels and the maximum width should not exceed 200 pixels.
+# Doxygen will copy the logo to the output directory.
+
+PROJECT_LOGO           =
+
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
 # If a relative path is entered, it will be relative to the location
@@ -54,11 +68,11 @@ CREATE_SUBDIRS         = NO
 # information to generate all constant output in the proper language.
 # The default language is English, other supported languages are:
 # Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
-# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek,
-# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages),
-# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish,
-# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish,
-# and Ukrainian.
+# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German,
+# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English
+# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian,
+# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak,
+# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese.
 
 OUTPUT_LANGUAGE        = English
 
@@ -126,7 +140,7 @@ STRIP_FROM_PATH        =
 STRIP_FROM_INC_PATH    =
 
 # If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
-# (but less readable) file names. This can be useful is your file systems
+# (but less readable) file names. This can be useful if your file system
 # doesn't support long names like on DOS, Mac, or CD-ROM.
 
 SHORT_NAMES            = NO
@@ -181,6 +195,13 @@ TAB_SIZE               = 4
 
 ALIASES                =
 
+# This tag can be used to specify a number of word-keyword mappings (TCL only).
+# A mapping has the form "name=value". For example adding
+# "class=itcl::class" will allow you to use the command class in the
+# itcl::class meaning.
+
+TCL_SUBST              =
+
 # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
 # sources only. Doxygen will then generate output that is more tailored for C.
 # For instance, some of the names that are used will be different. The list
@@ -207,11 +228,32 @@ OPTIMIZE_FOR_FORTRAN   = NO
 
 OPTIMIZE_OUTPUT_VHDL   = NO
 
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given extension.
+# Doxygen has a built-in mapping, but you can override or extend it using this
+# tag. The format is ext=language, where ext is a file extension, and language
+# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C,
+# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make
+# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
+# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions
+# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen.
+
+EXTENSION_MAPPING      =
+
+# If MARKDOWN_SUPPORT is enabled (the default) then doxygen pre-processes all
+# comments according to the Markdown format, which allows for more readable
+# documentation. See http://daringfireball.net/projects/markdown/ for details.
+# The output of markdown processing is further processed by doxygen, so you
+# can mix doxygen, HTML, and XML commands with Markdown formatting.
+# Disable only in case of backward compatibilities issues.
+
+MARKDOWN_SUPPORT       = YES
+
 # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
 # to include (a tag file for) the STL sources as input, then you should
 # set this tag to YES in order to let doxygen match functions declarations and
 # definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
-# func(std::string) {}). This also make the inheritance and collaboration
+# func(std::string) {}). This also makes the inheritance and collaboration
 # diagrams that involve STL classes more complete and accurate.
 
 BUILTIN_STL_SUPPORT    = NO
@@ -229,7 +271,7 @@ SIP_SUPPORT            = NO
 
 # For Microsoft's IDL there are propget and propput attributes to indicate getter
 # and setter methods for a property. Setting this option to YES (the default)
-# will make doxygen to replace the get and set methods by a property in the
+# will make doxygen replace the get and set methods by a property in the
 # documentation. This will only work if the methods are indeed getting or
 # setting a simple type. If this is not the case, or you want to show the
 # methods anyway, you should set this option to NO.
@@ -251,6 +293,22 @@ DISTRIBUTE_GROUP_DOC   = NO
 
 SUBGROUPING            = YES
 
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and
+# unions are shown inside the group in which they are included (e.g. using
+# @ingroup) instead of on a separate page (for HTML and Man pages) or
+# section (for LaTeX and RTF).
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and
+# unions with only public data fields will be shown inline in the documentation
+# of the scope in which they are defined (i.e. file, namespace, or group
+# documentation), provided this scope is documented. If set to NO (the default),
+# structs, classes, and unions are shown on a separate page (for HTML and Man
+# pages) or section (for LaTeX and RTF).
+
+INLINE_SIMPLE_STRUCTS  = NO
+
 # When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
 # is documented as struct, union, or enum with the name of the typedef. So
 # typedef struct TypeS {} TypeT, will appear in the documentation as a struct
@@ -261,6 +319,33 @@ SUBGROUPING            = YES
 
 TYPEDEF_HIDES_STRUCT   = YES
 
+# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to
+# determine which symbols to keep in memory and which to flush to disk.
+# When the cache is full, less often used symbols will be written to disk.
+# For small to medium size projects (<1000 input files) the default value is
+# probably good enough. For larger projects a too small cache size can cause
+# doxygen to be busy swapping symbols to and from disk most of the time
+# causing a significant performance penalty.
+# If the system has enough physical memory increasing the cache will improve the
+# performance by keeping more symbols in memory. Note that the value works on
+# a logarithmic scale so increasing the size by one will roughly double the
+# memory usage. The cache size is given by this formula:
+# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols.
+
+SYMBOL_CACHE_SIZE      = 0
+
+# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be
+# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given
+# their name and scope. Since this can be an expensive process and often the
+# same symbol appear multiple times in the code, doxygen keeps a cache of
+# pre-resolved symbols. If the cache is too small doxygen will become slower.
+# If the cache is too large, memory is wasted. The cache size is given by this
+# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols.
+
+LOOKUP_CACHE_SIZE      = 0
+
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
@@ -277,6 +362,10 @@ EXTRACT_ALL            = NO
 
 EXTRACT_PRIVATE        = NO
 
+# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal scope will be included in the documentation.
+
+EXTRACT_PACKAGE        = NO
+
 # If the EXTRACT_STATIC tag is set to YES all static members of a file
 # will be included in the documentation.
 
@@ -299,7 +388,7 @@ EXTRACT_LOCAL_METHODS  = NO
 # extracted and appear in the documentation as a namespace called
 # 'anonymous_namespace{file}', where file will be replaced with the base
 # name of the file that contains the anonymous namespace. By default
-# anonymous namespace are hidden.
+# anonymous namespaces are hidden.
 
 EXTRACT_ANON_NSPACES   = NO
 
@@ -359,6 +448,12 @@ HIDE_SCOPE_NAMES       = NO
 
 SHOW_INCLUDE_FILES     = NO
 
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen
+# will list include files with double quotes in the documentation
+# rather than with sharp brackets.
+
+FORCE_LOCAL_INCLUDES   = NO
+
 # If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
 # is inserted in the documentation for inline members.
 
@@ -378,6 +473,16 @@ SORT_MEMBER_DOCS       = NO
 
 SORT_BRIEF_DOCS        = NO
 
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen
+# will sort the (brief and detailed) documentation of class members so that
+# constructors and destructors are listed first. If set to NO (the default)
+# the constructors will appear in the respective orders defined by
+# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS.
+# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO
+# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
 # If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
 # hierarchy of group names into alphabetical order. If set to NO (the default)
 # the group names will appear in their defined order.
@@ -394,6 +499,15 @@ SORT_GROUP_NAMES       = NO
 
 SORT_BY_SCOPE_NAME     = NO
 
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to
+# do proper type resolution of all parameters of a function it will reject a
+# match between the prototype and the implementation of a member function even
+# if there is only one candidate or it is obvious which candidate to choose
+# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
+# will still accept a match between prototype and implementation in such cases.
+
+STRICT_PROTO_MATCHING  = NO
+
 # The GENERATE_TODOLIST tag can be used to enable (YES) or
 # disable (NO) the todo list. This list is created by putting \todo
 # commands in the documentation.
@@ -424,10 +538,10 @@ GENERATE_DEPRECATEDLIST= NO
 ENABLED_SECTIONS       =
 
 # The MAX_INITIALIZER_LINES tag determines the maximum number of lines
-# the initial value of a variable or define consists of for it to appear in
+# the initial value of a variable or macro consists of for it to appear in
 # the documentation. If the initializer consists of more lines than specified
 # here it will be hidden. Use a value of 0 to hide initializers completely.
-# The appearance of the initializer of individual variables and defines in the
+# The appearance of the initializer of individual variables and macros in the
 # documentation can be controlled using \showinitializer or \hideinitializer
 # command in the documentation regardless of this setting.
 
@@ -439,20 +553,15 @@ MAX_INITIALIZER_LINES  = 30
 
 SHOW_USED_FILES        = NO
 
-# If the sources in your project are distributed over multiple directories
-# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
-# in the documentation. The default is NO.
-
-SHOW_DIRECTORIES       = YES
-
 # Set the SHOW_FILES tag to NO to disable the generation of the Files page.
 # This will remove the Files entry from the Quick Index and from the
 # Folder Tree View (if specified). The default is YES.
 
-SHOW_FILES             = NO
+SHOW_FILES             = YES
 
 # Set the SHOW_NAMESPACES tag to NO to disable the generation of the
-# Namespaces page.  This will remove the Namespaces entry from the Quick Index
+# Namespaces page.
+# This will remove the Namespaces entry from the Quick Index
 # and from the Folder Tree View (if specified). The default is YES.
 
 SHOW_NAMESPACES        = YES
@@ -467,6 +576,25 @@ SHOW_NAMESPACES        = YES
 
 FILE_VERSION_FILTER    =
 
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option.
+# You can optionally specify a file name after the option, if omitted
+# DoxygenLayout.xml will be used as the name of the layout file.
+
+LAYOUT_FILE            =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files
+# containing the references data. This must be a list of .bib files. The
+# .bib extension is automatically appended if omitted. Using this command
+# requires the bibtex tool to be installed. See also
+# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style
+# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this
+# feature you need bibtex and perl available in the search path.
+
+CITE_BIB_FILES         =
+
 #---------------------------------------------------------------------------
 # configuration options related to warning and progress messages
 #---------------------------------------------------------------------------
@@ -495,13 +623,13 @@ WARN_IF_UNDOCUMENTED   = NO
 
 WARN_IF_DOC_ERROR      = YES
 
-# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# The WARN_NO_PARAMDOC option can be enabled to get warnings for
 # functions that are documented, but have no documentation for their parameters
 # or return value. If set to NO (the default) doxygen will only warn about
 # wrong or incomplete parameter documentation, but not about the absence of
 # documentation.
 
-WARN_NO_PARAMDOC       = NO
+WARN_NO_PARAMDOC       = YES
 
 # The WARN_FORMAT tag determines the format of the warning messages that
 # doxygen can produce. The string should contain the $file, $line, and $text
@@ -527,16 +655,7 @@ WARN_LOGFILE           =
 # directories like "/usr/src/myproject". Separate the files or directories
 # with spaces.
 
-INPUT                  = @SRC_DIR@/src/libstrongswan \
-                         @SRC_DIR@/src/libhydra \
-                         @SRC_DIR@/src/libcharon \
-                         @SRC_DIR@/src/libsimaka \
-                         @SRC_DIR@/src/libtls \
-                         @SRC_DIR@/src/libradius \
-                         @SRC_DIR@/src/libtnccs \
-                         @SRC_DIR@/src/libtncif \
-                         @SRC_DIR@/src/libfast \
-                         @SRC_DIR@/src/manager
+INPUT                  = @SRC_DIR@/src/
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
@@ -550,8 +669,9 @@ INPUT_ENCODING         = UTF-8
 # FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
 # and *.h) to filter out the source-files in the directories. If left
 # blank the following patterns are tested:
-# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
-# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+# *.c *.cc *.cxx *.cpp *.c++ *.d *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh
+# *.hxx *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.dox *.py
+# *.f90 *.f *.for *.vhd *.vhdl
 
 FILE_PATTERNS          = *.h
 
@@ -561,17 +681,19 @@ FILE_PATTERNS          = *.h
 
 RECURSIVE              = YES
 
-# The EXCLUDE tag can be used to specify files and/or directories that should
+# The EXCLUDE tag can be used to specify files and/or directories that should be
 # excluded from the INPUT source files. This way you can easily exclude a
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
 
-EXCLUDE                =
+EXCLUDE                = @SRC_DIR@/src/include
 
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
-# directories that are symbolic links (a Unix filesystem feature) are excluded
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
 # from the input.
 
-EXCLUDE_SYMLINKS       = NO
+EXCLUDE_SYMLINKS       = YES
 
 # If the value of the INPUT tag contains directories, you can use the
 # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
@@ -620,17 +742,20 @@ IMAGE_PATH             =
 # by executing (via popen()) the command <filter> <input-file>, where <filter>
 # is the value of the INPUT_FILTER tag, and <input-file> is the name of an
 # input file. Doxygen will then use the output that the filter program writes
-# to standard output.  If FILTER_PATTERNS is specified, this tag will be
+# to standard output.
+# If FILTER_PATTERNS is specified, this tag will be
 # ignored.
 
 INPUT_FILTER           =
 
 # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
-# basis.  Doxygen will compare the file name with each pattern and apply the
-# filter if there is a match.  The filters are a list of the form:
+# basis.
+# Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.
+# The filters are a list of the form:
 # pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
-# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
-# is applied to all files.
+# info on how filters are used. If FILTER_PATTERNS is empty or if
+# non of the patterns match the file name, INPUT_FILTER is applied.
 
 FILTER_PATTERNS        =
 
@@ -640,6 +765,14 @@ FILTER_PATTERNS        =
 
 FILTER_SOURCE_FILES    = NO
 
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any)
+# and it is also possible to disable source filtering for a specific pattern
+# using *.ext= (so without naming a filter). This option only has effect when
+# FILTER_SOURCE_FILES is enabled.
+
+FILTER_SOURCE_PATTERNS =
+
 #---------------------------------------------------------------------------
 # configuration options related to source browsing
 #---------------------------------------------------------------------------
@@ -649,7 +782,7 @@ FILTER_SOURCE_FILES    = NO
 # Note: To get rid of all source code in the generated output, make sure also
 # VERBATIM_HEADERS is set to NO.
 
-SOURCE_BROWSER         = NO
+SOURCE_BROWSER         = YES
 
 # Setting the INLINE_SOURCES tag to YES will include the body
 # of functions and classes directly in the documentation.
@@ -658,7 +791,7 @@ INLINE_SOURCES         = NO
 
 # Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
 # doxygen to hide any special comment blocks from generated source code
-# fragments. Normal C and C++ comments will always remain visible.
+# fragments. Normal C, C++ and Fortran comments will always remain visible.
 
 STRIP_CODE_COMMENTS    = NO
 
@@ -677,7 +810,8 @@ REFERENCES_RELATION    = NO
 # If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
 # and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
 # functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
-# link to the source code.  Otherwise they will link to the documentstion.
+# link to the source code.
+# Otherwise they will link to the documentation.
 
 REFERENCES_LINK_SOURCE = YES
 
@@ -741,7 +875,14 @@ HTML_FILE_EXTENSION    = .html
 
 # The HTML_HEADER tag can be used to specify a personal HTML header for
 # each generated HTML page. If it is left blank doxygen will generate a
-# standard header.
+# standard header. Note that when using a custom header you are responsible
+#  for the proper inclusion of any scripts and style sheets that doxygen
+# needs, which is dependent on the configuration options used.
+# It is advised to generate a default header using "doxygen -w html
+# header.html footer.html stylesheet.css YourConfigFile" and then modify
+# that header. Note that the header is subject to change so you typically
+# have to redo this when upgrading to a newer version of doxygen or when
+# changing the value of configuration settings such as GENERATE_TREEVIEW!
 
 HTML_HEADER            =
 
@@ -756,22 +897,66 @@ HTML_FOOTER            =
 # fine-tune the look of the HTML output. If the tag is left blank doxygen
 # will generate a default style sheet. Note that doxygen will try to copy
 # the style sheet file to the HTML output directory, so don't put your own
-# stylesheet in the HTML output directory as well, or it will be erased!
+# style sheet in the HTML output directory as well, or it will be erased!
 
 HTML_STYLESHEET        =
 
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
-# files or namespaces will be aligned in HTML using tables. If set to
-# NO a bullet list will be used.
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that
+# the files will be copied as-is; there are no commands or markers available.
 
-HTML_ALIGN_MEMBERS     = YES
+HTML_EXTRA_FILES       =
 
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files
-# will be generated that can be used as input for tools like the
-# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
-# of the generated HTML documentation.
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
+# Doxygen will adjust the colors in the style sheet and background images
+# according to this color. Hue is specified as an angle on a colorwheel,
+# see http://en.wikipedia.org/wiki/Hue for more information.
+# For instance the value 0 represents red, 60 is yellow, 120 is green,
+# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
+# The allowed range is 0 to 359.
 
-GENERATE_HTMLHELP      = NO
+HTML_COLORSTYLE_HUE    = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
+# the colors in the HTML output. For a value of 0 the output will use
+# grayscales only. A value of 255 will produce the most vivid colors.
+
+HTML_COLORSTYLE_SAT    = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
+# the luminance component of the colors in the HTML output. Values below
+# 100 gradually make the output lighter, whereas values above 100 make
+# the output darker. The value divided by 100 is the actual gamma applied,
+# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
+# and 100 does not change the gamma.
+
+HTML_COLORSTYLE_GAMMA  = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting
+# this to NO can help when comparing the output of multiple runs.
+
+HTML_TIMESTAMP         = YES
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+
+HTML_DYNAMIC_SECTIONS  = YES
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of
+# entries shown in the various tree structured indices initially; the user
+# can expand and collapse entries dynamically later on. Doxygen will expand
+# the tree to such a level that at most the specified number of entries are
+# visible (unless a fully collapsed tree already exceeds this amount).
+# So setting the number of entries 1 will produce a full collapsed tree by
+# default. 0 is a special value representing an infinite number of entries
+# and will result in a full expanded tree by default.
+
+HTML_INDEX_NUM_ENTRIES = 100
 
 # If the GENERATE_DOCSET tag is set to YES, additional index files
 # will be generated that can be used as input for Apple's Xcode 3
@@ -781,6 +966,8 @@ GENERATE_HTMLHELP      = NO
 # directory and running "make install" will install the docset in
 # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
 # it at startup.
+# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
 
 GENERATE_DOCSET        = NO
 
@@ -798,13 +985,22 @@ DOCSET_FEEDNAME        = "Doxygen generated docs"
 
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 
-# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
-# documentation will contain sections that can be hidden and shown after the
-# page has loaded. For this to work a browser that supports
-# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
-# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
 
-HTML_DYNAMIC_SECTIONS  = NO
+DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
+
+# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
+
+DOCSET_PUBLISHER_NAME  = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
 
 # If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
 # be used to specify the file name of the resulting .chm file. You
@@ -843,40 +1039,114 @@ BINARY_TOC             = NO
 
 TOC_EXPAND             = NO
 
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
-# top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it.
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
+# that can be used as input for Qt's qhelpgenerator to generate a
+# Qt Compressed Help (.qch) of the generated HTML documentation.
 
-DISABLE_INDEX          = NO
+GENERATE_QHP           = NO
 
-# This tag can be used to set the number of enum values (range [1..20])
-# that doxygen will group on one line in the generated HTML documentation.
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
+# be used to specify the file name of the resulting .qch file.
+# The path specified is relative to the HTML output folder.
 
-ENUM_VALUES_PER_LINE   = 1
+QCH_FILE               =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#namespace
+
+QHP_NAMESPACE          = org.doxygen.Project
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+
+QHP_VIRTUAL_FOLDER     = doc
+
+# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
+# add. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#custom-filters
+
+QHP_CUST_FILTER_NAME   =
+
+# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see
+# <a href="http://doc.trolltech.com/qthelpproject.html#custom-filters">
+# Qt Help Project / Custom Filters</a>.
+
+QHP_CUST_FILTER_ATTRS  =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's
+# filter section matches.
+# <a href="http://doc.trolltech.com/qthelpproject.html#filter-attributes">
+# Qt Help Project / Filter Attributes</a>.
+
+QHP_SECT_FILTER_ATTRS  =
+
+# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
+# be used to specify the location of Qt's qhelpgenerator.
+# If non-empty doxygen will try to run qhelpgenerator on the generated
+# .qhp file.
+
+QHG_LOCATION           =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
+#  will be generated, which together with the HTML files, form an Eclipse help
+# plugin. To install this plugin and make it available under the help contents
+# menu in Eclipse, the contents of the directory containing the HTML and XML
+# files needs to be copied into the plugins directory of eclipse. The name of
+# the directory within the plugins directory should be the same as
+# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
+# the help appears.
+
+GENERATE_ECLIPSEHELP   = NO
+
+# A unique identifier for the eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have
+# this name.
+
+ECLIPSE_DOC_ID         = org.doxygen.Project
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs)
+# at top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it. Since the tabs have the same information as the
+# navigation tree you can set this option to NO if you already set
+# GENERATE_TREEVIEW to YES.
+
+DISABLE_INDEX          = NO
 
 # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
 # structure should be generated to display hierarchical information.
-# If the tag value is set to FRAME, a side panel will be generated
+# If the tag value is set to YES, a side panel will be generated
 # containing a tree-like index structure (just like the one that
 # is generated for HTML Help). For this to work a browser that supports
-# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+,
-# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are
-# probably better off using the HTML help feature. Other possible values
-# for this tag are: HIERARCHIES, which will generate the Groups, Directories,
-# and Class Hiererachy pages using a tree view instead of an ordered list;
-# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which
-# disables this behavior completely. For backwards compatibility with previous
-# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE
-# respectively.
+# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
+# Windows users are probably better off using the HTML help feature.
+# Since the tree basically has the same information as the tab index you
+# could consider to set DISABLE_INDEX to NO when enabling this option.
 
 GENERATE_TREEVIEW      = YES
 
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
+# (range [0,1..20]) that doxygen will group on one line in the generated HTML
+# documentation. Note that a value of 0 will completely suppress the enum
+# values from appearing in the overview section.
+
+ENUM_VALUES_PER_LINE   = 1
+
 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
 # used to set the initial width (in pixels) of the frame in which the tree
 # is shown.
 
 TREEVIEW_WIDTH         = 250
 
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
+# links to external symbols imported via tag files in a separate window.
+
+EXT_LINKS_IN_WINDOW    = NO
+
 # Use this tag to change the font size of Latex formulas included
 # as images in the HTML documentation. The default is 10. Note that
 # when you change the font size after a successful doxygen run you need
@@ -885,6 +1155,60 @@ TREEVIEW_WIDTH         = 250
 
 FORMULA_FONTSIZE       = 10
 
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are
+# not supported properly for IE 6.0, but are supported on all modern browsers.
+# Note that when changing this option you need to delete any form_*.png files
+# in the HTML output before the changes have effect.
+
+FORMULA_TRANSPARENT    = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax
+# (see http://www.mathjax.org) which uses client side Javascript for the
+# rendering instead of using prerendered bitmaps. Use this if you do not
+# have LaTeX installed or if you want to formulas look prettier in the HTML
+# output. When enabled you may also need to install MathJax separately and
+# configure the path to it using the MATHJAX_RELPATH option.
+
+USE_MATHJAX            = NO
+
+# When MathJax is enabled you need to specify the location relative to the
+# HTML output directory using the MATHJAX_RELPATH option. The destination
+# directory should contain the MathJax.js script. For instance, if the mathjax
+# directory is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to
+# the MathJax Content Delivery Network so you can quickly see the result without
+# installing MathJax.
+# However, it is strongly recommended to install a local
+# copy of MathJax from http://www.mathjax.org before deployment.
+
+MATHJAX_RELPATH        = http://cdn.mathjax.org/mathjax/latest
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension
+# names that should be enabled during MathJax rendering.
+
+MATHJAX_EXTENSIONS     =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box
+# for the HTML output. The underlying search engine uses javascript
+# and DHTML and should work on any modern browser. Note that when using
+# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets
+# (GENERATE_DOCSET) there is already a search function so this one should
+# typically be disabled. For large projects the javascript based search engine
+# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution.
+
+SEARCHENGINE           = NO
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a PHP enabled web server instead of at the web client
+# using Javascript. Doxygen will generate the search PHP script and index
+# file to put on the web server. The advantage of the server
+# based approach is that it scales better to large projects and allows
+# full text search. The disadvantages are that it is more difficult to setup
+# and does not have live searching capabilities.
+
+SERVER_BASED_SEARCH    = NO
+
 #---------------------------------------------------------------------------
 # configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
@@ -902,6 +1226,9 @@ LATEX_OUTPUT           = latex
 
 # The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
 # invoked. If left blank `latex' will be used as the default command name.
+# Note that when enabling USE_PDFLATEX this option is only used for
+# generating bitmaps for formulas in the HTML output, but not in the
+# Makefile that is written to the output directory.
 
 LATEX_CMD_NAME         = latex
 
@@ -918,7 +1245,7 @@ MAKEINDEX_CMD_NAME     = makeindex
 COMPACT_LATEX          = NO
 
 # The PAPER_TYPE tag can be used to set the paper type that is used
-# by the printer. Possible values are: a4, a4wide, letter, legal and
+# by the printer. Possible values are: a4, letter, legal and
 # executive. If left blank a4wide will be used.
 
 PAPER_TYPE             = a4wide
@@ -935,6 +1262,13 @@ EXTRA_PACKAGES         =
 
 LATEX_HEADER           =
 
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for
+# the generated latex document. The footer should contain everything after
+# the last chapter. If it is left blank doxygen will generate a
+# standard footer. Notice: only use this tag if you know what you are doing!
+
+LATEX_FOOTER           =
+
 # If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
 # is prepared for conversion to pdf (using ps2pdf). The pdf file will
 # contain links (just like the HTML output) instead of page references
@@ -961,6 +1295,19 @@ LATEX_BATCHMODE        = NO
 
 LATEX_HIDE_INDICES     = NO
 
+# If LATEX_SOURCE_CODE is set to YES then doxygen will include
+# source code with syntax highlighting in the LaTeX output.
+# Note that which sources are shown also depends on other settings
+# such as SOURCE_BROWSER.
+
+LATEX_SOURCE_CODE      = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See
+# http://en.wikipedia.org/wiki/BibTeX for more info.
+
+LATEX_BIB_STYLE        = plain
+
 #---------------------------------------------------------------------------
 # configuration options related to the RTF output
 #---------------------------------------------------------------------------
@@ -992,7 +1339,7 @@ COMPACT_RTF            = NO
 
 RTF_HYPERLINKS         = NO
 
-# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# Load style sheet definitions from file. Syntax is similar to doxygen's
 # config file, i.e. a series of assignments. You only have to provide
 # replacements, missing definitions are set to their default value.
 
@@ -1097,8 +1444,10 @@ GENERATE_PERLMOD       = NO
 PERLMOD_LATEX          = NO
 
 # If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
-# nicely formatted so it can be parsed by a human reader.  This is useful
-# if you want to understand what is going on.  On the other hand, if this
+# nicely formatted so it can be parsed by a human reader.
+# This is useful
+# if you want to understand what is going on.
+# On the other hand, if this
 # tag is set to NO the size of the Perl module output will be much smaller
 # and Perl will parse it just the same.
 
@@ -1135,7 +1484,7 @@ MACRO_EXPANSION        = YES
 EXPAND_ONLY_PREDEF     = NO
 
 # If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
-# in the INCLUDE_PATH (see below) will be search if a #include is found.
+# pointed to by INCLUDE_PATH will be searched when a #include is found.
 
 SEARCH_INCLUDES        = YES
 
@@ -1160,20 +1509,20 @@ INCLUDE_FILE_PATTERNS  =
 # undefined via #undef or recursively expanded use the := operator
 # instead of the = operator.
 
-PREDEFINED             = LEAK_DETECTIVE
+PREDEFINED             = LEAK_DETECTIVE __attribute__(x)=
 
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
 # this tag can be used to specify a list of macro names that should be expanded.
 # The macro definition that is found in the sources will be used.
-# Use the PREDEFINED tag if you want to use a different macro definition.
+# Use the PREDEFINED tag if you want to use a different macro definition that
+# overrules the definition found in the source code.
 
 EXPAND_AS_DEFINED      =
 
 # If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
-# doxygen's preprocessor will remove all function-like macros that are alone
-# on a line, have an all uppercase name, and do not end with a semicolon. Such
-# function macros are typically used for boiler-plate code, and will confuse
-# the parser if not removed.
+# doxygen's preprocessor will remove all references to function-like macros
+# that are alone on a line, have an all uppercase name, and do not end with a
+# semicolon, because these will confuse the parser if not removed.
 
 SKIP_FUNCTION_MACROS   = YES
 
@@ -1181,20 +1530,18 @@ SKIP_FUNCTION_MACROS   = YES
 # Configuration::additions related to external references
 #---------------------------------------------------------------------------
 
-# The TAGFILES option can be used to specify one or more tagfiles.
-# Optionally an initial location of the external documentation
-# can be added for each tagfile. The format of a tag file without
-# this location is as follows:
-#   TAGFILES = file1 file2 ...
+# The TAGFILES option can be used to specify one or more tagfiles. For each
+# tag file the location of the external documentation should be added. The
+# format of a tag file without this location is as follows:
+#
+# TAGFILES = file1 file2 ...
 # Adding location for the tag files is done as follows:
-#   TAGFILES = file1=loc1 "file2 = loc2" ...
-# where "loc1" and "loc2" can be relative or absolute paths or
-# URLs. If a location is present for each tag, the installdox tool
-# does not have to be run to correct the links.
-# Note that each tag file must have a unique name
-# (where the name does NOT include the path)
-# If a tag file is not located in the directory in which doxygen
-# is run, you must also specify the path to the tagfile here.
+#
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths
+# or URLs. Note that each tag file must have a unique name (where the name does
+# NOT include the path). If a tag file is not located in the directory in which
+# doxygen is run, you must also specify the path to the tagfile here.
 
 TAGFILES               =
 
@@ -1227,9 +1574,8 @@ PERL_PATH              = /usr/bin/perl
 # If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
 # generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
 # or super classes. Setting the tag to NO turns the diagrams off. Note that
-# this option is superseded by the HAVE_DOT option below. This is only a
-# fallback. It is recommended to install and use dot, since it yields more
-# powerful graphs.
+# this option also works with HAVE_DOT disabled, but it is recommended to
+# install and use dot, since it yields more powerful graphs.
 
 CLASS_DIAGRAMS         = YES
 
@@ -1255,28 +1601,38 @@ HIDE_UNDOC_RELATIONS   = YES
 
 HAVE_DOT               = NO
 
-# By default doxygen will write a font called FreeSans.ttf to the output
-# directory and reference it in all dot files that doxygen generates. This
-# font does not include all possible unicode characters however, so when you need
-# these (or just want a differently looking font) you can specify the font name
-# using DOT_FONTNAME. You need need to make sure dot is able to find the font,
-# which can be done by putting it in a standard location or by setting the
-# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
-# containing the font.
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is
+# allowed to run in parallel. When set to 0 (the default) doxygen will
+# base this on the number of processors available in the system. You can set it
+# explicitly to a value larger than 0 to get control over the balance
+# between CPU load and processing speed.
+
+DOT_NUM_THREADS        = 0
+
+# By default doxygen will use the Helvetica font for all dot files that
+# doxygen generates. When you want a differently looking font you can specify
+# the font name using DOT_FONTNAME. You need to make sure dot is able to find
+# the font, which can be done by putting it in a standard location or by setting
+# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the
+# directory containing the font.
 
 DOT_FONTNAME           = FreeSans
 
-# By default doxygen will tell dot to use the output directory to look for the
-# FreeSans.ttf font (which doxygen will put there itself). If you specify a
-# different font using DOT_FONTNAME you can set the path where dot
-# can find it using this tag.
+# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs.
+# The default size is 10pt.
+
+DOT_FONTSIZE           = 10
+
+# By default doxygen will tell dot to use the Helvetica font.
+# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to
+# set the path where dot can find it.
 
 DOT_FONTPATH           =
 
 # If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
 # will generate a graph for each documented class showing the direct and
 # indirect inheritance relations. Setting this tag to YES will force the
-# the CLASS_DIAGRAMS tag to NO.
+# CLASS_DIAGRAMS tag to NO.
 
 CLASS_GRAPH            = YES
 
@@ -1298,6 +1654,15 @@ GROUP_GRAPHS           = YES
 
 UML_LOOK               = NO
 
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside
+# the class node. If there are many fields or methods and many nodes the
+# graph may become too big to be useful. The UML_LIMIT_NUM_FIELDS
+# threshold limits the number of items for each type to make the size more
+# managable. Set this to 0 for no limit. Note that the threshold may be
+# exceeded by 50% before the limit is enforced.
+
+UML_LIMIT_NUM_FIELDS   = 10
+
 # If set to YES, the inheritance and collaboration graphs will show the
 # relations between templates and their instances.
 
@@ -1334,11 +1699,11 @@ CALL_GRAPH             = NO
 CALLER_GRAPH           = NO
 
 # If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
-# will graphical hierarchy of all classes instead of a textual one.
+# will generate a graphical hierarchy of all classes instead of a textual one.
 
 GRAPHICAL_HIERARCHY    = YES
 
-# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# If the DIRECTORY_GRAPH and HAVE_DOT tags are set to YES
 # then doxygen will show the dependencies a directory has on other directories
 # in a graphical way. The dependency relations are determined by the #include
 # relations between the files in the directories.
@@ -1346,11 +1711,22 @@ GRAPHICAL_HIERARCHY    = YES
 DIRECTORY_GRAPH        = YES
 
 # The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot. Possible values are png, jpg, or gif
-# If left blank png will be used.
+# generated by dot. Possible values are svg, png, jpg, or gif.
+# If left blank png will be used. If you choose svg you need to set
+# HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible in IE 9+ (other browsers do not have this requirement).
 
 DOT_IMAGE_FORMAT       = png
 
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+# Note that this requires a modern browser other than Internet Explorer.
+# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you
+# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible. Older versions of IE do not have SVG support.
+
+INTERACTIVE_SVG        = NO
+
 # The tag DOT_PATH can be used to specify the path where the dot tool can be
 # found. If left blank, it is assumed the dot tool can be found in the path.
 
@@ -1362,6 +1738,12 @@ DOT_PATH               =
 
 DOTFILE_DIRS           =
 
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the
+# \mscfile command).
+
+MSCFILE_DIRS           =
+
 # The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
 # nodes that will be shown in the graph. If the number of nodes in a graph
 # becomes larger than this value, doxygen will truncate the graph, which is
@@ -1383,10 +1765,10 @@ DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
 
 # Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
-# background. This is enabled by default, which results in a transparent
-# background. Warning: Depending on the platform used, enabling this option
-# may lead to badly anti-aliased labels on the edges of a graph (i.e. they
-# become hard to read).
+# background. This is disabled by default, because dot on Windows does not
+# seem to support this out of the box. Warning: Depending on the platform used,
+# enabling this option may lead to badly anti-aliased labels on the edges of
+# a graph (i.e. they become hard to read).
 
 DOT_TRANSPARENT        = NO
 
@@ -1408,12 +1790,3 @@ GENERATE_LEGEND        = YES
 # the various graphs.
 
 DOT_CLEANUP            = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to the search engine
-#---------------------------------------------------------------------------
-
-# The SEARCHENGINE tag specifies whether or not a search engine should be
-# used. If set to NO the values of all tags below this one will be ignored.
-
-SEARCHENGINE           = NO
diff --git a/INSTALL b/INSTALL
index 0cd375ea2..029b9a284 100644
--- a/INSTALL
+++ b/INSTALL
@@ -9,20 +9,20 @@ Contents
    1.   Overview
    2.   Required packages
    3.   Optional packages
-   3.1   libcurl
-   3.2   OpenLDAP
-   3.3   PKCS#11 smartcard library modules
+   3.1   HTTP fetcher
+   3.2   LDAP
+   3.3   Other pluggable modules
    4.   Kernel configuration
 
 1.  Overview
     --------
 
-    The strongSwan 4.x branch introduces a new build environment featuring
-    GNU autotools. This should simplify the build process and package
-    maintenance.
-    First check for the availability of required packages on your system
-    (section 2.). You may want to include support for additional features, which
-    require other packages to be installed (section 3.).
+    Since version 4.x strongSwan uses the GNU build system (Autotools).
+    This simplifies the build process and package maintenance. First, check for
+    the availability of required packages on your system (section 2.). You may
+    want to include support for additional features, which require other
+    packages to be installed (section 3.).
+
     To compile an extracted tarball, run the ./configure script first:
 
       ./configure
@@ -40,13 +40,10 @@ Contents
 
     in the usual manner.
 
-    To check if your kernel fullfills the requirements, see section 4.
+    To check if your kernel fulfills the requirements, see section 4.
 
     Next add your connections to "/etc/ipsec.conf" and your secrets to
-    "/etc/ipsec.secrets". Connections that are to be negotiated by the new
-    IKEv2 charon keying daemon should be designated by "keyexchange=ikev2" and
-    those by the IKEv1 pluto keying daemon either by "keyexchange=ikev1" or
-    the default "keyexchange=ike".
+    "/etc/ipsec.secrets".
 
     At last start strongSwan with
 
@@ -56,46 +53,45 @@ Contents
 2.  Required packages
     -----------------
 
-    In order to be able to build strongSwan you'll need the GNU Multiprecision
-    Arithmetic Library (GMP) available from http://www.swox.com/gmp/. At least
-    version 4.1.5 of libgmp is required.
+    In order to be able to build strongSwan you'll need one of the following
+    cryptographic libraries:
+
+      * The GNU Multiprecision Arithmetic Library (GMP, libgmp)
+        http://www.gmplib.org
+      * The OpenSSL cryptographic library (libcrypto)
+        http://www.openssl.org
+      * The GNU cryptographic library (libgcrypt)
+        http://www.gnupg.org
+
+    If no other options are specified during ./configure libgmp will be used.
 
-    The libgmp library and the corresponding header file gmp.h are usually
-    included in the form of one or two packages in the major Linux
-    distributions (SuSE: gmp; Debian unstable:  libgmp3, libgmp3-dev).
+    The libraries and the corresponding header files are usually included in
+    the form of one or two packages in the major Linux distributions (for GMP on
+    Debian: libgmp3 and libgmp3-dev).
 
 
 3.  Optional packages
     -----------------
 
-3.1 libcurl
-    -------
+3.1 HTTP Fetcher
+    ------------
 
     If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
     from an HTTP server or as an alternative want to use the Online
-    Certificate Status Protocol (OCSP) then you will need the  libcurl library
-    available from http://curl.haxx.se/.
+    Certificate Status Protocol (OCSP) then you will need the either of the
+    following libraries:
 
-    In order to keep the library as compact as possible for use with strongSwan
-    you can build libcurl from the sources with the optimized options
+      * The cURL library (libcurl)
+        http://curl.haxx.se/libcurl/
+      * The LibSoup library (libsoup)
+        https://live.gnome.org/LibSoup
 
-       ./configure --prefix=<dir> --without-ssl \
-                   --disable-ldap --disable-telnet \
-                   --disable-dict --disable-gopher \
-                   --disable-debug \
-                   --enable-nonblocking --enable-thread
+    In order to activate the use of either of these libraries in strongSwan you
+    must enable the appropriate ./configure switch.
 
-    As an alternative you can use the ready-made packages included with your
-    favorite Linux distribution (SuSE: curl, curl-devel).
-
-    In order to activate the use of the libcurl library in strongSwan you must
-    enable the ./configure switch:
 
-       ./configure [...] --enable-http
-
-
-3.2 OpenLDAP
-    --------
+3.2 LDAP
+    ----
 
     If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
     from an LDAP server then you will need the libldap library available
@@ -110,62 +106,33 @@ Contents
 
        ./configure [...] --enable-ldap
 
-    LDAP Protocl version 2 is not supported anymore, --enable-ldap uses always
+    LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
     version 3 of the LDAP protocol
 
 
-3.3 PKCS#11 smartcard library modules
-    ---------------------------------
-
-    If you want to securely store your X.509 certificates and private RSA keys
-    on a smart card or a USB crypto token then you will need a PKCS #11 library
-    for the smart card of your choice. The OpenSC PKCS#11 library (use
-    versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
-    selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
-    Cryptoflex e-gate, Oberthur AuthentIC,  etc.) but requires that a PKCS#15
-    directory structure be present on the smart card. But in principle
-    any other PKCS#11 library could be used since the PKCS#11 API hides the
-    internal data representation on the card.
+3.3 Other pluggable modules
+    -----------------------
 
-    For USB crypto token support you must add the OpenCT driver library
-    (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
-    readers you'll need the pcsc-lite library and the matching driver from the
-    M.U.S.C.L.E project http://www.linuxnet.com/ .
+    There are many other optional plugins that, for instance, provide support
+    for PKCS#11 or SQL databases.
+    For a more detailed description of these refer to our wiki:
 
-    In order to activate the PKCS#11-based smartcard support in strongSwan
-    you must enable the smartcard ./configure switch:
-
-       ./configure [...] --enable-smartcard
-
-    During compilation no externel smart card libraries must be present.
-    strongSwan directly references a copy of the standard RSAREF pkcs11.h
-    header files stored in the pluto/rsaref sub directory. During compile
-    time a pathname to a default PKCS#11 dynamical library can be specified
-    with a ./configure flag:
-
-      ./configure --enable-smartcard --with-default-pkcs11=/path/to/lib.so
-
-    This default path to the easily-obtainable OpenSC library module can be
-    simply overridden during run-time by specifying an alternative path in
-    ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
-
-    config setup
-          pkcs11module="/usr/lib/xyz-pkcs11.so"
+      * http://wiki.strongswan.org
 
 
 4.  Kernel configuration
     --------------------
 
-    The strongSwan 4.x series currently support only 2.6 kernels and its
-    native IPsec stack. Please make sure that the following IPsec kernel
+    Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and its
+    native NETKEY IPsec stack. Please make sure that the following IPsec kernel
     modules are available:
 
-      o af_key
-      o ah4
-      o esp4
-      o ipcomp
-      o xfrm_user
-      o xfrm4_tunnel
+      * af_key
+      * ah4
+      * esp4
+      * ipcomp
+      * xfrm_user
+      * xfrm4_tunnel
 
     These may be built into the kernel or as modules. Modules get loaded
     automatically at strongSwan startup.
@@ -173,3 +140,9 @@ Contents
     Also the built-in kernel Cryptoapi modules with selected encryption and
     hash algorithms should be available.
 
+    Support for multiple routing tables is also recommended.
+
+    For a more up-to-date list of recommended modules refer to:
+
+     * http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000..57215d2c9
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,46 @@
+Except for code in the blowfish, des, md4 and md5 plugins (see below) the
+following terms apply:
+
+For copyright information see the headers of individual source files.
+
+This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free Software
+Foundation; either version 2 of the License, or (at your option) any later
+version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+this program; if not, see <http://www.gnu.org/licenses>.
+
+Linking strongSwan statically or dynamically with other modules is making a
+combined work based on strongSwan. Thus, the terms and conditions of the GNU
+General Public License cover the whole combination.
+
+In addition, as a special exception, the copyright holders of strongSwan give
+you permission to combine strongSwan with free software programs or libraries
+that are released under the GNU LGPL and with code included in the standard
+release of the OpenSSL project's OpenSSL library under the OpenSSL or SSLeay
+licenses (or modified versions of such code, with unchanged license). You may
+copy and distribute such a system following the terms of the GNU GPL for
+strongSwan and the licenses of the other code concerned, provided that you
+include the source code of that other code when and as the GNU GPL requires
+distribution of source code.
+
+Note that people who make modified versions of strongSwan are not obligated to
+grant this special exception for their modified versions; it is their choice
+whether to do so. The GNU General Public License gives permission to release a
+modified version without this exception; this exception also makes it possible
+to release a modified version which carries forward this exception.
+
+
+The DES implementation in the des plugin and the Blowfish implementation in the
+blowfish plugin are under a BSD style license (see source files for details).
+Note that these parts have an advertising clause in it.
+
+The MD4 and MD5 implementations in the md4 and md5 plugins are from RSA Data
+Security Inc., so this package must include the following phrase:
+"derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm".
+
diff --git a/Makefile.am b/Makefile.am
index 4757c8c7a..0e08794c1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,19 +4,30 @@ if USE_SCRIPTS
   SUBDIRS += scripts
 endif
 
+if USE_SILENT_RULES
+  AM_MAKEFLAGS = -s
+endif
+
 ACLOCAL_AMFLAGS = -I m4/config
 
-EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
+EXTRA_DIST = Doxyfile.in LICENSE Android.common.mk.in Android.common.mk Android.mk
 CLEANFILES = Doxyfile
-BUILT_SOURCES = Android.mk
-MAINTAINERCLEANFILES = Android.mk
+BUILT_SOURCES = Android.common.mk
+MAINTAINERCLEANFILES = Android.common.mk
 
-Android.mk :	Android.mk.in configure.in
+if USE_DEV_HEADERS
+config_includedir = $(ipseclibdir)/include
+nodist_config_include_HEADERS = config.h
+endif
+
+Android.common.mk :	Android.common.mk.in configure.ac
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		$(srcdir)/$@.in > $@
 
 Doxyfile :	Doxyfile.in
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
@@ -26,5 +37,37 @@ Doxyfile :	Doxyfile.in
 apidoc :	Doxyfile
 		doxygen
 
-clean-local:
-		rm -rf apidoc
+cov-reset-common:
+		@rm -rf $(top_builddir)/coverage
+		@find $(top_builddir)/{src,scripts} -name "*.gcda" -delete
+
+if COVERAGE
+cov-reset: cov-reset-common
+		@lcov --zerocounters --directory $(top_builddir)
+
+cov-report:
+		@mkdir $(top_builddir)/coverage
+		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir)
+		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+			 -o $(top_builddir)/coverage/coverage.cleaned.info
+		genhtml --num-spaces 4 --legend \
+				-t "$(PACKAGE_STRING)" \
+				-o $(top_builddir)/coverage/html \
+				-p `readlink -m $(abs_top_srcdir)`/src \
+				$(top_builddir)/coverage/coverage.cleaned.info
+		@echo "Coverage Report at $(top_builddir)/coverage/html" >&2
+
+coverage:
+		@$(MAKE) cov-reset
+		@$(MAKE) check
+		@$(MAKE) cov-report
+else
+coverage:
+		@echo "reconfigure with --enable-coverage"
+endif
+
+clean-local: cov-reset-common
+		@find $(top_builddir)/{src,scripts} -name "*.gcno" -delete
+		@rm -rf apidoc
+
+.PHONY: cov-reset-common cov-reset cov-report coverage
diff --git a/Makefile.in b/Makefile.in
index 4b9363f5f..7792802e2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,7 +14,25 @@
 # PARTICULAR PURPOSE.
 
 @SET_MAKE@
+
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -36,10 +54,11 @@ host_triplet = @host@
 @USE_SCRIPTS_TRUE@am__append_1 = scripts
 subdir = .
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in $(top_srcdir)/configure \
+	$(srcdir)/Makefile.in $(srcdir)/config.h.in \
+	$(top_srcdir)/configure \
 	$(top_srcdir)/src/dumm/ext/extconf.rb.in AUTHORS COPYING \
-	ChangeLog INSTALL NEWS TODO config.guess config.sub depcomp \
-	install-sh ltmain.sh missing ylwrap
+	ChangeLog INSTALL NEWS TODO compile config.guess config.sub \
+	depcomp install-sh ltmain.sh missing ylwrap
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -49,14 +68,21 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
  configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = config.h
 CONFIG_CLEAN_FILES = src/dumm/ext/extconf.rb
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -66,6 +92,40 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(config_includedir)"
+HEADERS = $(nodist_config_include_HEADERS)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -78,9 +138,11 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
 am__remove_distdir = \
-  { test ! -d "$(distdir)" \
-    || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
-         && rm -fr "$(distdir)"; }; }
+  if test -d "$(distdir)"; then \
+    find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
+      && rm -rf "$(distdir)" \
+      || { sleep 5 && rm -rf "$(distdir)"; }; \
+  else :; fi
 am__relativize = \
   dir0=`pwd`; \
   sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@@ -109,25 +171,34 @@ am__relativize = \
 DIST_ARCHIVES = $(distdir).tar.gz
 GZIP_ENV = --best
 distuninstallcheck_listfiles = find . -type f -print
+am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
+  | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
 distcleancheck_listfiles = find . -type f -print
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -136,13 +207,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -155,6 +229,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -182,11 +257,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -194,6 +271,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -202,8 +280,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -212,14 +288,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -233,17 +314,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -253,16 +334,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -291,16 +371,19 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 SUBDIRS = src man init testing $(am__append_1)
+@USE_SILENT_RULES_TRUE@AM_MAKEFLAGS = -s
 ACLOCAL_AMFLAGS = -I m4/config
-EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
+EXTRA_DIST = Doxyfile.in LICENSE Android.common.mk.in Android.common.mk Android.mk
 CLEANFILES = Doxyfile
-BUILT_SOURCES = Android.mk
-MAINTAINERCLEANFILES = Android.mk
-all: $(BUILT_SOURCES)
+BUILT_SOURCES = Android.common.mk
+MAINTAINERCLEANFILES = Android.common.mk
+@USE_DEV_HEADERS_TRUE@config_includedir = $(ipseclibdir)/include
+@USE_DEV_HEADERS_TRUE@nodist_config_include_HEADERS = config.h
+all: $(BUILT_SOURCES) config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
 .SUFFIXES:
-am--refresh:
+am--refresh: Makefile
 	@:
 $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
@@ -334,6 +417,21 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
 $(am__aclocal_m4_deps):
+
+config.h: stamp-h1
+	@if test ! -f $@; then rm -f stamp-h1; else :; fi
+	@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) stamp-h1; else :; fi
+
+stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
+	@rm -f stamp-h1
+	cd $(top_builddir) && $(SHELL) ./config.status config.h
+$(srcdir)/config.h.in:  $(am__configure_deps) 
+	($(am__cd) $(top_srcdir) && $(AUTOHEADER))
+	rm -f stamp-h1
+	touch $@
+
+distclean-hdr:
+	-rm -f config.h stamp-h1
 src/dumm/ext/extconf.rb: $(top_builddir)/config.status $(top_srcdir)/src/dumm/ext/extconf.rb.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 
@@ -345,6 +443,27 @@ clean-libtool:
 
 distclean-libtool:
 	-rm -f libtool config.lt
+install-nodist_config_includeHEADERS: $(nodist_config_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	@list='$(nodist_config_include_HEADERS)'; test -n "$(config_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(config_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(config_includedir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(config_includedir)'"; \
+	  $(INSTALL_HEADER) $$files "$(DESTDIR)$(config_includedir)" || exit $$?; \
+	done
+
+uninstall-nodist_config_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_config_include_HEADERS)'; test -n "$(config_includedir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	dir='$(DESTDIR)$(config_includedir)'; $(am__uninstall_files_from_dir)
 
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
@@ -426,7 +545,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	mkid -fID $$unique
 tags: TAGS
 
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	set x; \
 	here=`pwd`; \
@@ -443,7 +562,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
 	  fi; \
 	done; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
@@ -461,9 +580,9 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	  fi; \
 	fi
 ctags: CTAGS
-CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
@@ -515,13 +634,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -553,7 +669,11 @@ dist-gzip: distdir
 	$(am__remove_distdir)
 
 dist-bzip2: distdir
-	tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
+	tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
+	$(am__remove_distdir)
+
+dist-lzip: distdir
+	tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
 	$(am__remove_distdir)
 
 dist-lzma: distdir
@@ -561,7 +681,7 @@ dist-lzma: distdir
 	$(am__remove_distdir)
 
 dist-xz: distdir
-	tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
+	tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
 	$(am__remove_distdir)
 
 dist-tarZ: distdir
@@ -592,6 +712,8 @@ distcheck: dist
 	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.lzma*) \
 	  lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
+	*.tar.lz*) \
+	  lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
 	*.tar.xz*) \
 	  xz -dc $(distdir).tar.xz | $(am__untar) ;;\
 	*.tar.Z*) \
@@ -601,7 +723,7 @@ distcheck: dist
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	esac
-	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	chmod -R a-w $(distdir); chmod u+w $(distdir)
 	mkdir $(distdir)/_build
 	mkdir $(distdir)/_inst
 	chmod a-w $(distdir)
@@ -611,6 +733,7 @@ distcheck: dist
 	  && am__cwd=`pwd` \
 	  && $(am__cd) $(distdir)/_build \
 	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
@@ -639,8 +762,16 @@ distcheck: dist
 	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
 	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
 distuninstallcheck:
-	@$(am__cd) '$(distuninstallcheck_dir)' \
-	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
+	@test -n '$(distuninstallcheck_dir)' || { \
+	  echo 'ERROR: trying to run $@ with an empty' \
+	       '$$(distuninstallcheck_dir)' >&2; \
+	  exit 1; \
+	}; \
+	$(am__cd) '$(distuninstallcheck_dir)' || { \
+	  echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
+	  exit 1; \
+	}; \
+	test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
 	   || { echo "ERROR: files left after uninstall:" ; \
 	        if test -n "$(DESTDIR)"; then \
 	          echo "  (check DESTDIR support)"; \
@@ -659,9 +790,12 @@ distcleancheck: distclean
 check-am: all-am
 check: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) check-recursive
-all-am: Makefile
+all-am: Makefile $(HEADERS) config.h
 installdirs: installdirs-recursive
 installdirs-am:
+	for dir in "$(DESTDIR)$(config_includedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
 install: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) install-recursive
 install-exec: install-exec-recursive
@@ -673,10 +807,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -698,8 +837,8 @@ clean-am: clean-generic clean-libtool clean-local mostlyclean-am
 distclean: distclean-recursive
 	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
 	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-libtool \
-	distclean-tags
+distclean-am: clean-am distclean-generic distclean-hdr \
+	distclean-libtool distclean-tags
 
 dvi: dvi-recursive
 
@@ -713,7 +852,7 @@ info: info-recursive
 
 info-am:
 
-install-data-am:
+install-data-am: install-nodist_config_includeHEADERS
 
 install-dvi: install-dvi-recursive
 
@@ -759,7 +898,7 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am:
+uninstall-am: uninstall-nodist_config_includeHEADERS
 
 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \
 	ctags-recursive install install-am install-strip \
@@ -768,26 +907,30 @@ uninstall-am:
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am am--refresh check check-am clean clean-generic \
 	clean-libtool clean-local ctags ctags-recursive dist dist-all \
-	dist-bzip2 dist-gzip dist-lzma dist-shar dist-tarZ dist-xz \
-	dist-zip distcheck distclean distclean-generic \
-	distclean-libtool distclean-tags distcleancheck distdir \
-	distuninstallcheck dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
-	ps ps-am tags tags-recursive uninstall uninstall-am
-
-
-Android.mk :	Android.mk.in configure.in
+	dist-bzip2 dist-gzip dist-lzip dist-lzma dist-shar dist-tarZ \
+	dist-xz dist-zip distcheck distclean distclean-generic \
+	distclean-hdr distclean-libtool distclean-tags distcleancheck \
+	distdir distuninstallcheck dvi dvi-am html html-am info \
+	info-am install install-am install-data install-data-am \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
+	install-man install-nodist_config_includeHEADERS install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-recursive uninstall uninstall-am \
+	uninstall-nodist_config_includeHEADERS
+
+
+Android.common.mk :	Android.common.mk.in configure.ac
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		$(srcdir)/$@.in > $@
 
 Doxyfile :	Doxyfile.in
+		$(AM_V_GEN) \
 		sed \
 		-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
 		-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
@@ -797,8 +940,37 @@ Doxyfile :	Doxyfile.in
 apidoc :	Doxyfile
 		doxygen
 
-clean-local:
-		rm -rf apidoc
+cov-reset-common:
+		@rm -rf $(top_builddir)/coverage
+		@find $(top_builddir)/{src,scripts} -name "*.gcda" -delete
+
+@COVERAGE_TRUE@cov-reset: cov-reset-common
+@COVERAGE_TRUE@		@lcov --zerocounters --directory $(top_builddir)
+
+@COVERAGE_TRUE@cov-report:
+@COVERAGE_TRUE@		@mkdir $(top_builddir)/coverage
+@COVERAGE_TRUE@		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir)
+@COVERAGE_TRUE@		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+@COVERAGE_TRUE@			 -o $(top_builddir)/coverage/coverage.cleaned.info
+@COVERAGE_TRUE@		genhtml --num-spaces 4 --legend \
+@COVERAGE_TRUE@				-t "$(PACKAGE_STRING)" \
+@COVERAGE_TRUE@				-o $(top_builddir)/coverage/html \
+@COVERAGE_TRUE@				-p `readlink -m $(abs_top_srcdir)`/src \
+@COVERAGE_TRUE@				$(top_builddir)/coverage/coverage.cleaned.info
+@COVERAGE_TRUE@		@echo "Coverage Report at $(top_builddir)/coverage/html" >&2
+
+@COVERAGE_TRUE@coverage:
+@COVERAGE_TRUE@		@$(MAKE) cov-reset
+@COVERAGE_TRUE@		@$(MAKE) check
+@COVERAGE_TRUE@		@$(MAKE) cov-report
+@COVERAGE_FALSE@coverage:
+@COVERAGE_FALSE@		@echo "reconfigure with --enable-coverage"
+
+clean-local: cov-reset-common
+		@find $(top_builddir)/{src,scripts} -name "*.gcno" -delete
+		@rm -rf apidoc
+
+.PHONY: cov-reset-common cov-reset cov-report coverage
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/NEWS b/NEWS
index deef65b91..fb0b4a2c8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,328 @@
+strongswan-5.1.0
+----------------
+
+- Fixed a denial-of-service vulnerability triggered by specific XAuth usernames
+  and EAP identities (since 5.0.3), and PEM files (since 4.1.11).  The crash
+  was caused by insufficient error handling in the is_asn1() function.
+  The vulnerability has been registered as CVE-2013-5018.
+
+- The new charon-cmd command line IKE client can establish road warrior
+  connections using IKEv1 or IKEv2 with different authentication profiles.
+  It does not depend on any configuration files and can be configured using a
+  few simple command line options.
+
+- The kernel-pfroute networking backend has been greatly improved. It now
+  can install virtual IPs on TUN devices on OS X and FreeBSD, allowing these
+  systems to act as a client in common road warrior scenarios.
+
+- The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec
+  processing in userland on Linux, FreeBSD and Mac OS X.
+
+- The eap-radius plugin can now serve as an XAuth backend called xauth-radius,
+  directly verifying XAuth credentials using RADIUS User-Name/User-Password
+  attributes. This is more efficient than the existing xauth-eap+eap-radius
+  combination, and allows RADIUS servers without EAP support to act as AAA
+  backend for IKEv1.
+
+- The new osx-attr plugin installs configuration attributes (currently DNS
+  servers) via SystemConfiguration on Mac OS X. The keychain plugin provides
+  certificates from the OS X keychain service.
+
+- The sshkey plugin parses SSH public keys, which, together with the --agent
+  option for charon-cmd, allows the use of ssh-agent for authentication.
+  To configure SSH keys in ipsec.conf the left|rightrsasigkey options are
+  replaced with left|rightsigkey, which now take public keys in one of three
+  formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and
+  PKCS#1 (the default, no prefix).
+
+- Extraction of certificates and private keys from PKCS#12 files is now provided
+  by the new pkcs12 plugin or the openssl plugin.  charon-cmd (--p12) as well
+  as charon (via P12 token in ipsec.secrets) can make use of this.
+
+- IKEv2 can now negotiate transport mode and IPComp in NAT situations.
+
+- IKEv2 exchange initiators now properly close an established IKE or CHILD_SA
+  on error conditions using an additional exchange, keeping state in sync
+  between peers.
+
+- Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager
+  can  generate specific measurement workitems for an arbitrary number of
+  Integrity Measurement Verifiers (IMVs) based on the history of the VPN user
+  and/or device.
+
+- Several core classes in libstrongswan are now tested with unit tests.  These
+  can be enabled with --enable-unit-tests and run with 'make check'.  Coverage
+  reports can be generated with --enable-coverage and 'make coverage' (this
+  disables any optimization, so it should not be enabled when building
+  production releases).
+
+- The leak-detective developer tool has been greatly improved. It works much
+  faster/stabler with multiple threads, does not use deprecated malloc hooks
+  anymore and has been ported to OS X.
+
+- chunk_hash() is now based on SipHash-2-4 with a random key.  This provides
+  better distribution and prevents hash flooding attacks when used with
+  hashtables.
+
+- All default plugins implement the get_features() method to define features
+  and their dependencies.  The plugin loader has been improved, so that plugins
+  in a custom load statement can be ordered freely or to express preferences
+  without being affected by dependencies between plugin features.
+
+- A centralized thread can take care for watching multiple file descriptors
+  concurrently. This removes the need for a dedicated listener threads in
+  various plugins. The number of "reserved" threads for such tasks has been
+  reduced to about five, depending on the plugin configuration.
+
+- Plugins that can be controlled by a UNIX socket IPC mechanism gained network
+  transparency. Third party applications querying these plugins now can use
+  TCP connections from a different host.
+
+- libipsec now supports AES-GCM.
+
+
+strongswan-5.0.4
+----------------
+
+- Fixed a security vulnerability in the openssl plugin which was reported by
+  Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
+  Before the fix, if the openssl plugin's ECDSA signature verification was used,
+  due to a misinterpretation of the error code returned by the OpenSSL
+  ECDSA_verify() function, an empty or zeroed signature was accepted as a
+  legitimate one.
+
+- The handling of a couple of other non-security relevant openssl return codes
+  was fixed as well.
+
+- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
+  TCG TNC IF-MAP 2.1 interface.
+
+- The charon.initiator_only option causes charon to ignore IKE initiation
+  requests.
+
+- The openssl plugin can now use the openssl-fips library.
+
+
+strongswan-5.0.3
+----------------
+
+- The new ipseckey plugin enables authentication based on trustworthy public
+  keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
+  To do so it uses a DNSSEC enabled resolver, like the one provided by the new
+  unbound plugin, which is based on libldns and libunbound.  Both plugins were
+  created by Reto Guadagnini.
+
+- Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
+  available to an IMV. The OS IMV stores the AR identity together with the
+  device ID in the attest database.
+
+- The openssl plugin now uses the AES-NI accelerated version of AES-GCM
+  if the hardware supports it.
+
+- The eap-radius plugin can now assign virtual IPs to IKE clients using the
+  Framed-IP-Address attribute by using the "%radius" named pool in the
+  rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
+  Unity-capable IKEv1 clients during mode config. charon now sends Interim
+  Accounting updates if requested by the RADIUS server, reports
+  sent/received packets in Accounting messages, and adds a Terminate-Cause
+  to Accounting-Stops.
+
+- The recently introduced "ipsec listcounters" command can report connection
+  specific counters by passing a connection name, and global or connection
+  counters can be reset by the "ipsec resetcounters" command.
+
+- The strongSwan libpttls library provides an experimental implementation of
+  PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
+
+- The charon systime-fix plugin can disable certificate lifetime checks on
+  embedded systems if the system time is obviously out of sync after bootup.
+  Certificates lifetimes get checked once the system time gets sane, closing
+  or reauthenticating connections using expired certificates.
+
+- The "ikedscp" ipsec.conf option can set DiffServ code points on outgoing
+  IKE packets.
+
+- The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
+  clients that cannot be configured without XAuth authentication.  The plugin
+  simply concludes the XAuth exchange successfully without actually performing
+  any authentication.  Therefore, to use this backend it has to be selected
+  explicitly with rightauth2=xauth-noauth.
+
+- The new charon-tkm IKEv2 daemon delegates security critical operations to a
+  separate process. This has the benefit that the network facing daemon has no
+  knowledge of keying material used to protect child SAs. Thus subverting
+  charon-tkm does not result in the compromise of cryptographic keys.
+  The extracted functionality has been implemented from scratch in a minimal TCB
+  (trusted computing base) in the Ada programming language. Further information
+  can be found at http://www.codelabs.ch/tkm/.
+
+strongswan-5.0.2
+----------------
+
+- Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
+  pair using them to transfer operating system information.
+
+- The new "ipsec listcounters" command prints a list of global counter values
+  about received and sent IKE messages and rekeyings.
+
+- A new lookip plugin can perform fast lookup of tunnel information using a
+  clients virtual IP and can send notifications about established or deleted
+  tunnels. The "ipsec lookip" command can be used to query such information
+  or receive notifications.
+
+- The new error-notify plugin catches some common error conditions and allows
+  an external application to receive notifications for them over a UNIX socket.
+
+- IKE proposals can now use a PRF algorithm different to that defined for
+  integrity protection. If an algorithm with a "prf" prefix is defined
+  explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
+  the integrity algorithm is added to the proposal.
+
+- The pkcs11 plugin can now load leftcert certificates from a smartcard for a
+  specific ipsec.conf conn section and cacert CA certificates for a specific ca
+  section.
+
+- The load-tester plugin gained additional options for certificate generation
+  and can load keys and multiple CA certificates from external files. It can
+  install a dedicated outer IP address for each tunnel and tunnel initiation
+  batches can be triggered and monitored externally using the
+  "ipsec load-tester" tool.
+
+- PKCS#7 container parsing has been modularized, and the openssl plugin
+  gained an alternative implementation to decrypt and verify such files.
+  In contrast to our own DER parser, OpenSSL can handle BER files, which is
+  required for interoperability of our scepclient with EJBCA.
+
+- Support for the proprietary IKEv1 fragmentation extension has been added.
+  Fragments are always handled on receipt but only sent if supported by the peer
+  and if enabled with the new fragmentation ipsec.conf option.
+
+- IKEv1 in charon can now parse certificates received in PKCS#7 containers and
+  supports NAT traversal as used by Windows clients. Patches courtesy of
+  Volker Rümelin.
+
+- The new rdrand plugin provides a high quality / high performance random
+  source using the Intel rdrand instruction found on Ivy Bridge processors.
+
+- The integration test environment was updated and now uses KVM and reproducible
+  guest images based on Debian.
+
+
+strongswan-5.0.1
+----------------
+
+- Introduced the sending of the standard IETF Assessment Result
+  PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
+
+- Extended PTS Attestation IMC/IMV pair to provide full evidence of
+  the Linux IMA measurement process. All pertinent file information
+  of a Linux OS can be collected and stored in an SQL database.
+
+- The PA-TNC and PB-TNC protocols can now process huge data payloads
+  >64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
+  and these messages over several PB-TNC batches. As long as no
+  consolidated recommandation from all IMVs can be obtained, the TNC
+  server requests more client data by sending an empty SDATA batch.
+
+- The rightgroups2 ipsec.conf option can require group membership during
+  a second authentication round, for example during XAuth authentication
+  against a RADIUS server.
+
+- The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
+  clients against any PAM service. The IKEv2 eap-gtc plugin does not use
+  PAM directly anymore, but can use any XAuth backend to verify credentials,
+  including xauth-pam.
+
+- The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
+  Extension. As client, charon narrows traffic selectors to the received
+  Split-Include attributes and automatically installs IPsec bypass policies
+  for received Local-LAN attributes. As server, charon sends Split-Include
+  attributes for leftsubnet definitions containing multiple subnets to Unity-
+  aware clients.
+
+- An EAP-Nak payload is returned by clients if the gateway requests an EAP
+  method that the client does not support.  Clients can also request a specific
+  EAP method by configuring that method with leftauth.
+
+- The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
+  these to select a different EAP method supported/requested by the client.
+  The plugin initially requests the first registered method or the first method
+  configured with charon.plugins.eap-dynamic.preferred.
+
+- The new left/rightdns options specify connection specific DNS servers to
+  request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
+  can be any (comma separated) combination of %config4 and %config6 to request
+  multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
+  IP addresses to return.
+
+- The left/rightsourceip options now accept multiple addresses or pools.
+  leftsourceip can be any (comma separated) combination of %config4, %config6
+  or fixed IP addresses to request. rightsourceip accepts multiple explicitly
+  specified or referenced named pools.
+
+- Multiple connections can now share a single address pool when they use the
+  same definition in one of the rightsourceip pools.
+
+- The options charon.interfaces_ignore and charon.interfaces_use allow one to
+  configure the network interfaces used by the daemon.
+
+- The kernel-netlink plugin supports the charon.install_virtual_ip_on option,
+  which specifies the interface on which virtual IP addresses will be installed.
+  If it is not specified the current behavior of using the outbound interface
+  is preserved.
+
+- The kernel-netlink plugin tries to keep the current source address when
+  looking for valid routes to reach other hosts.
+
+- The autotools build has been migrated to use a config.h header. strongSwan
+  development headers will get installed during "make install" if
+  --with-dev-headers has been passed to ./configure.
+
+- All crypto primitives gained return values for most operations, allowing
+  crypto backends to fail, for example when using hardware accelerators.
+
+
+strongswan-5.0.0
+----------------
+
+- The charon IKE daemon gained experimental support for the IKEv1 protocol.
+  Pluto has been removed from the 5.x series, and unless strongSwan is
+  configured with --disable-ikev1 or --disable-ikev2, charon handles both
+  keying protocols. The feature-set of IKEv1 in charon is almost on par with
+  pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
+  RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
+  mode. Informations for interoperability and migration is available at
+  http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
+
+- Charon's bus_t has been refactored so that loggers and other listeners are
+  now handled separately.  The single lock was previously cause for deadlocks
+  if extensive listeners, such as the one provided by the updown plugin, wanted
+  to acquire locks that were held by other threads which in turn tried to log
+  messages, and thus were waiting to acquire the same lock currently held by
+  the thread calling the listener.
+  The implemented changes also allow the use of a read/write-lock for the
+  loggers which increases performance if multiple loggers are registered.
+  Besides several interface changes this last bit also changes the semantics
+  for loggers as these may now be called by multiple threads at the same time.
+
+- Source routes are reinstalled if interfaces are reactivated or IP addresses
+  reappear.
+
+- The thread pool (processor_t) now has more control over the lifecycle of
+  a job (see job.h for details).  In particular, it now controls the destruction
+  of jobs after execution and the cancellation of jobs during shutdown.  Due to
+  these changes the requeueing feature, previously available to callback_job_t
+  only, is now available to all jobs (in addition to a new rescheduling
+  feature).
+
+- In addition to trustchain key strength definitions for different public key
+  systems, the rightauth option now takes a list of signature hash algorithms
+  considered save for trustchain validation. For example, the setting
+  rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512 requires a trustchain
+  that uses at least RSA-2048 or ECDSA-256 keys and certificate signatures
+  using SHA-256 or better.
+
+
 strongswan-4.6.4
 ----------------
 
@@ -260,7 +585,7 @@ strongswan-4.5.1
   ./configure switch.
 
 - The new libstrongswan constraints plugin provides advanced X.509 constraint
-  checking. In additon to X.509 pathLen constraints, the plugin checks for
+  checking. In addition to X.509 pathLen constraints, the plugin checks for
   nameConstraints and certificatePolicies, including policyMappings and
   policyConstraints. The x509 certificate plugin and the pki tool have been
   enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
diff --git a/README b/README
index 58f865d30..aa40fe394 100644
--- a/README
+++ b/README
@@ -8,140 +8,62 @@ Contents
 
    1. Overview
    2. Quickstart
-	2.1 Site-to-Site case
-	2.2 Host-to-Host case
-	2.3 Four Tunnel case
-	2.4 Four Tunnel case the elegant way with source routing
-	2.5 Roadwarrior case
-	2.6 Roadwarrior case with virtual IP
-   3. Generating X.509 certificates and CRLs with OpenSSL
-	3.1 Generating a CA certificate
-	3.2 Generating a host or user certificate
-	3.3 Generating a CRL
-	3.4 Revoking a certificate
+    2.1 Site-to-Site case
+    2.2 Host-to-Host case
+    2.3 Roadwarrior case
+    2.4 Roadwarrior case with virtual IP
+   3. Generating X.509 certificates and CRLs
+    3.1 Generating a CA certificate
+    3.2 Generating a host or user certificate
+    3.3 Generating a CRL
+    3.4 Revoking a certificate
    4. Configuring the connections - ipsec.conf
-	4.1 Configuring my side
-	4.2 Multiple certificates
-	4.3 Configuring the peer side using CA certificates
-	4.4 Handling Virtual IPs and wildcard subnets
-	4.5 Protocol and port selectors
-	4.6 IPsec policies based on wildcards
-	4.7 IPsec policies based on CA certificates
-	4.8 Sending certificate requests
-	4.9 IPsec policies based on group attributes
+    4.1 Configuring my side
+    4.2 Multiple certificates
+    4.3 Configuring the peer side using CA certificates
+    4.4 Handling Virtual IPs and wildcard subnets
+    4.5 Protocol and port selectors
+    4.6 IPsec policies based on wildcards
+    4.7 IPsec policies based on CA certificates
    5. Configuring certificates and CRLs
-	5.1 Installing CA certificates
-	5.2 Installing optional Certificate Revocation Lists (CRLs)
-	5.3 Dynamic update of certificates and CRLs
-	5.4 Local caching of CRLs
-	5.5 Online Certificate Status Protocol (OCSP)
-	5.6 CRL policy
-	5.7 Configuring the peer side using locally stored certificates
+    5.1 Installing CA certificates
+    5.2 Installing optional Certificate Revocation Lists (CRLs)
+    5.3 Dynamic update of certificates and CRLs
+    5.4 Local caching of CRLs
+    5.5 Online Certificate Status Protocol (OCSP)
+    5.6 CRL policy
+    5.7 Configuring the peer side using locally stored certificates
    6. Configuring the private keys - ipsec.secrets
-	6.1 Loading private key files in PKCS#1 format
-	6.2 Entering passphrases interactively
-	6.3 Multiple private keys
+    6.1 Loading private key files in PKCS#1 format
+    6.2 Entering passphrases interactively
+    6.3 Multiple private keys
    7. Configuring CA properties - ipsec.conf
-   8. Smartcard support
-	8.1 Configuring a smartcard-based connection
-	8.2 Entering the PIN code
-	8.3 PIN-pad equipped smartcard readers
-	8.4 Configuring a smartcard using pkcs15-init
-        8.5 PKCS#1 proxy functions
-   9. Configuring the clients
-	9.1 strongSwan
-	9.2 PGPnet
-	9.3 Safenet/Soft-Remote
-	9.4 SSH Sentinel
-	9.5 Windows 2000/XP
-  10. Monitoring functions
-  11. Firewall support functions
-       11.1 Environment variables in the updown script
-       11.2 Automatic insertion and deletion of iptables firewall rules
-       11.3 Sample Linux 2.6 _updown_espmark script for iptables < 1.3.5
-  12. Authentication with raw RSA public keys
-  13. Authentication with OpenPGP certificates
-       13.1 OpenPGP certificates
-       13.2 OpenPGP private keys
-       13.3 Monitoring functions
-       13.4 Suppression of certificate request messages
-  14. Additional features
-       14.1 Authentication and encryption algorithms
-       14.2 NAT traversal
-       14.3 Dead peer detection
-       14.4 IKE Mode Config Pull Mode
-       14.5 IKE Mode Config Push Mode
-       14.6 XAUTH - Extended Authentication  (NEW)
-  15. Copyright statement and acknowledgements
+   8. Monitoring functions
+   9. Firewall support functions
+       9.1 Environment variables in the updown script
+       9.2 Automatic insertion and deletion of iptables firewall rules
 
 
 1. Overview
    --------
 
-strongSwan is an OpenSource IPsec solution for the Linux operating system
-and currently supports the following features:
+strongSwan is an OpenSource IPsec solution for Unix based operating systems.
 
-  * runs on Linux 2.6 (native IPsec) kernels.
+This document is just a short introduction, for more detailed information
+consult the manual pages and our wiki:
 
-  * strong 3DES, AES, Serpent, Twofish, or Blowfish encryption.
-
-  * Authentication based on X.509 certificates or preshared secrets.
-
-  * IPsec policies based on wildcards or intermediate CAs.
-
-  * Powerful and flexible IPsec policies based on group attributes.
-
-  * Retrieval of Certificate Revocation Lists (CRLs) via HTTP or LDAP.
-
-  * Local caching of fetched CRLs
-
-  * Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
-
-  * CA management functions including OCSP and CRL URIs and default LDAP server.
-
-  * Optional storage of RSA private keys on smartcards or USB crypto tokens
-
-  * Standardized PKCS#11 interface with optional proxy functions serving 
-    external applications (disc encryption, etc.).
- 
-  * NAT-Traversal (RFC 3947)
-
-  * Support of Virtual IPs via static configuration and IKE Mode Config
-
-  * XAUTH client and server functionality in conjunction with either PSK
-    or RSA IKE Main Mode authentication.
-
-  * Support of Delete SA and informational Notification messages.
-
-  * Dead Peer Detection (DPD, RFC 3706)
-
-Compatibility has successfully been tested with peers running the following
-IPsec clients:
-
-  FreeS/WAN, Openswan, SafeNet/SoftRemote, NCP Secure Entry Client,
-  SonicWALL Global VPN Client, The GreenBow, Microsoft Windows 2000/XP, etc.
-
-Furthermore, interoperability with the following VPN gateways
-has been demonstrated during the IPsec 2001 Conference in Paris:
-
-  Cisco IOS Routers, Cisco PIX firewall, Cisco VPN3000,
-  Nortel Contivity VPN Switch, NetScreen (FreeS/WAN as responder only),
-  OpenBSD with isakmpd, Netasq, Netcelo, and 6WIND.
-
-Potentially any IPsec implementation with X.509 certificate support can
-be made to cooperate with strongSwan. The latest addition has been the successful
-interoperability with the Check Point VPN-1 NG gateway.
+    http://wiki.strongswan.org
 
 
 2. Quickstart
    ----------
-   
+
 In the following examples we assume for reasons of clarity that left designates
-the local host and that right is the remote host. Certificates for users, hosts
-and gateways are issued by a fictitious strongSwan CA. How to generate private keys
-and certificates using OpenSSL will be explained in section 3. The CA certificate
-"strongswanCert.pem" must be present on all VPN end points in order to be able to
-authenticate the peers.
+the local host and that right is the remote host.  Certificates for users,
+hosts and gateways are issued by a fictitious strongSwan CA.  How to generate
+private keys and certificates using OpenSSL or the strongSwan PKI tool will be
+explained in section 3.  The CA certificate "strongswanCert.pem" must be present
+on all VPN end points in order to be able to authenticate the peers.
 
 
 2.1 Site-to-site case
@@ -156,52 +78,50 @@ set up between the two gateways:
 
 Configuration on gateway moon:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/moonCert.pem
+    /etc/ipsec.d/certs/moonCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA moonKey.pem "<optional passphrase>"
+        : RSA moonKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn net-net
-	  left=%defaultroute
-	  leftsubnet=10.1.0.0/16
-	  leftcert=moonCert.pem
-	  right=192.168.0.2
-	  rightsubnet=10.2.0.0/16
-	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
-	  auto=start
+        conn net-net
+            leftsubnet=10.1.0.0/16
+            leftcert=moonCert.pem
+            right=192.168.0.2
+            rightsubnet=10.2.0.0/16
+            rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
+            auto=start
 
 Configuration on gateway sun:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/sunCert.pem
+    /etc/ipsec.d/certs/sunCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA sunKey.pem "<optional passphrase>"
+        : RSA sunKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn net-net
-	  left=%defaultroute
-	  leftsubnet=10.2.0.0/16
-	  leftcert=sunCert.pem
-	  right=192.168.0.1
-	  rightsubnet=10.1.0.0/16
-	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	  auto=start
+        conn net-net
+            leftsubnet=10.2.0.0/16
+            leftcert=sunCert.pem
+            right=192.168.0.1
+            rightsubnet=10.1.0.0/16
+            rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
+            auto=start
 
 
 2.2 Host-to-host case
     -----------------
 
 This is a setup between two single hosts which don't have a subnet behind
-them. Although IPsec transport mode would be sufficient for host-to-host
+them.  Although IPsec transport mode would be sufficient for host-to-host
 connections we will use the default IPsec tunnel mode.
 
     | 192.168.0.1 | === | 192.168.0.2 |
@@ -209,321 +129,156 @@ connections we will use the default IPsec tunnel mode.
 
 Configuration on host moon:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/moonCert.pem
+    /etc/ipsec.d/certs/moonCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA moonKey.pem "<optional passphrase>"
+        : RSA moonKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn host-host
-	  left=%defaultroute
-	  leftcert=moonCert.pem
-	  right=192.168.0.2
-	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
-	  auto=start
+        conn host-host
+            leftcert=moonCert.pem
+            right=192.168.0.2
+            rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
+            auto=start
 
 Configuration on host sun:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/sunCert.pem
+    /etc/ipsec.d/certs/sunCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA sunKey.pem "<optional passphrase>"
+        : RSA sunKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn host-host
-	  left=%defaultroute
-	  leftcert=sunCert.pem
-	  right=192.168.0.1
-	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	  auto=start
+        conn host-host
+            leftcert=sunCert.pem
+            right=192.168.0.1
+            rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
+            auto=start
 
 
-2.3 Four Tunnel case
+2.3 Roadwarrior case
     ----------------
 
-In a site-to-site setup a system administrator logged into the local gateway
-often would like to access the peer gateway or a server in the subnet behind
-the peer gateway over a secure IPsec tunnel.Since IP packets leaving a gateway
-via the outer network interface carry the IP address of this NIC, four IPsec
-Security Associations (SAs) must be set up to achieve full connectivity. The
-example below shows how this can be done without much additional typing work ,
-using the "also" macro which includes connection definitions defined farther
-down in the ipsec.conf file.
-
-   10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
-    moon-net           moon                 sun           sun-net
-
-Configuration on gateway moon:
-
-   /etc/ipsec.d/cacerts/strongswanCert.pem
-
-   /etc/ipsec.d/certs/moonCert.pem
-
-   /etc/ipsec.secrets:
-
-     : RSA moonKey.pem "<optional passphrase>"
-
-   /etc/ipsec.conf:
-
-     conn net-net
-	  leftsubnet=10.1.0.0/16
-	  rightsubnet=10.2.0.0/16
-	  also host-host
-
-     conn net-host
-	  leftsubnet=10.1.0.0/16
-	  also host-host
-
-     conn host-net
-	  rightsubnet=10.2.0.0/16
-	  also host-host
-
-     conn host-host
-	  left=%defaultroute
-	  leftcert=moonCert.pem
-	  right=192.168.0.2
-	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
-	  auto=start
-
-Configuration on gateway sun:
-
-   /etc/ipsec.d/cacerts/strongswanCert.pem
-
-   /etc/ipsec.d/certs/sunCert.pem
-
-   /etc/ipsec.secrets:
-
-     : RSA sunKey.pem "<optional passphrase>"
-
-   /etc/ipsec.conf:
-
-     conn net-net
-	  leftsubnet=10.2.0.0/16
-	  rightsubnet=10.1.0.0/16
-	  also=host-host
-
-     conn net-host
-	  leftsubnet=10.2.0.0/16
-	  also=host-host
-
-     conn host-net
-	  rightsubnet=10.1.0.0/16
-	  also=host-host
-
-     conn host-host
-	  left=%defaultroute
-	  leftcert=sunCert.pem
-	  right=192.168.0.1
-	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	  auto=start
-
-
-2.4 The four tunnel case the elegant way with source routing
-    --------------------------------------------------------
-
-As you certainly agree, the full four tunnel case described in the previous
-section becomes quite complex. If we could force the source address of the
-IP packets leaving the gateway through the outer interface to take on the
-IP address of the inner interface then we could use the single subnet-to-subnet
-tunnel from section 2.1. Such a setup becomes possible if we use the
-source routing capabilites of the ip route command that is already used
-by strongSwan's updown scripts.
-
-    10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
-      moon-net          moon                sun            sun-net
-
-If we assume that the inner IP address of gateway moon is 10.1.0.1
-and the inner IP address of gateway sun is 10.2.0.1 then the
-insertion of the parameter
-
-    leftsourceip=10.1.0.1
-   
-in the connection definition of moon and
-
-      leftsourceip=10.2.0.1
-  
-on sun, respectively, will install source routing on both gateways.
-As a result the command
-
-      ping 10.2.0.1
-  
-executed on moon will leave the gateway with a source address of
-10.1.0.1 and will therefore take the net-net IPsec tunnel.
-
-Configuration on gateway moon:
-
-   /etc/ipsec.d/cacerts/strongswanCert.pem
-
-   /etc/ipsec.d/certs/moonCert.pem
-
-   /etc/ipsec.secrets:
-
-     : RSA moonKey.pem "<optional passphrase>"
-
-   /etc/ipsec.conf:
-
-     conn net-net
-	  left=%defaultroute
-	  leftsourceip=10.1.0.1
-	  leftsubnet=10.1.0.0/16
-	  leftcert=moonCert.pem
-	  right=192.168.0.2
-	  rightsubnet=10.2.0.0/16
-	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
-	  auto=start
-
-Configuration on gateway sun:
-
-   /etc/ipsec.d/cacerts/strongswanCert.pem
-
-   /etc/ipsec.d/certs/sunCert.pem
-
-   /etc/ipsec.secrets:
-
-     : RSA sunKey.pem "<optional passphrase>"
-
-   /etc/ipsec.conf:
-
-     conn net-net
-	  left=%defaultroute
-	  leftsubnet=10.2.0.0/16
-	  leftsourceip=10.2.0.1
-	  leftcert=sunCert.pem
-	  right=192.168.0.1
-	  rightsubnet=10.1.0.0/16
-	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	  auto=start
-
-
-2.5 Roadwarrior case
-    ----------------
-
-This is a very common case where a strongSwan gateway serves an arbitrary number
-of remote VPN clients usually having dynamic IP addresses.
+This is a very common case where a strongSwan gateway serves an arbitrary
+number of remote VPN clients usually having dynamic IP addresses.
 
     10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
       moon-net          moon              carol
 
 Configuration on gateway moon:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/moonCert.pem
+    /etc/ipsec.d/certs/moonCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA moonKey.pem "<optional passphrase>"
+        : RSA moonKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn rw
-	  left=%defaultroute
-	  leftsubnet=10.1.0.0/16
-	  leftcert=moonCert.pem
-          right=%any
-	  auto=add
+        conn rw
+            leftsubnet=10.1.0.0/16
+            leftcert=moonCert.pem
+            right=%any
+            auto=add
 
 Configuration on roadwarrior carol:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/carolCert.pem
+    /etc/ipsec.d/certs/carolCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA carolKey.pem "<optional passphrase>"
+        : RSA carolKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn home
-	  left=%defaultroute
-	  leftcert=carolCert.pem
-	  right=192.168.0.1
-	  rightsubnet=10.1.0.0/16
-	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	  auto=start
+        conn home
+            leftcert=carolCert.pem
+            right=192.168.0.1
+            rightsubnet=10.1.0.0/16
+            rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
+            auto=start
 
 
 2.6 Roadwarrior case with virtual IP
     --------------------------------
 
 Roadwarriors usually have dynamic IP addresses assigned by the ISP they are
-currently attached to. In order to simplify the routing from moon-net back
+currently attached to.  In order to simplify the routing from moon-net back
 to the remote access client carol it would be desirable if the roadwarrior had
 an inner IP address chosen from a pre-assigned pool.
- 
+
     10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x | -- 10.3.0.1
       moon-net          moon              carol       virtual IP
 
-This virtual IP address can be assigned to a strongSwan roadwarrior by adding 
-the parameter
+In our example the virtual IP address is chosen from the address pool
+10.3.0.0/16 which can be configured by adding the parameter
+
+    rightsourceip=10.3.0.0/16
 
-    leftsourceip=10.3.0.1
-    
-to the roadwarrior's ipsec.conf. Of course the virtual IP of each roadwarrior
-must be distinct. In our example it is chosen from the address pool
+to the gateway's ipsec.conf.  To request an IP address from this pool a
+roadwarrior can use IKEv1 mode config or IKEv2 configuration payloads.
+The configuration for both is the same
 
-    rightsubnetwithin=10.3.0.0/16
-    
-which can be added to the gateway's ipsec.conf so that a single connection
-definition can handle multiple roadwarriors.
+    leftsourceip=%config
 
 Configuration on gateway moon:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/moonCert.pem
+    /etc/ipsec.d/certs/moonCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA moonKey.pem "<optional passphrase>"
+        : RSA moonKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn rw
-	  left=%defaultroute
-	  leftsubnet=10.1.0.0/16
-	  leftcert=moonCert.pem
-	  right=%any
-	  rightsubnetwithin=10.3.0.0/16
-	  auto=add
+        conn rw
+            leftsubnet=10.1.0.0/16
+            leftcert=moonCert.pem
+            right=%any
+            rightsourceip=10.3.0.0/16
+            auto=add
 
 Configuration on roadwarrior carol:
 
-   /etc/ipsec.d/cacerts/strongswanCert.pem
+    /etc/ipsec.d/cacerts/strongswanCert.pem
 
-   /etc/ipsec.d/certs/carolCert.pem
+    /etc/ipsec.d/certs/carolCert.pem
 
-   /etc/ipsec.secrets:
+    /etc/ipsec.secrets:
 
-     : RSA carolKey.pem "<optional passphrase>"
+        : RSA carolKey.pem "<optional passphrase>"
 
-   /etc/ipsec.conf:
+    /etc/ipsec.conf:
 
-     conn home
-	  left=%defaultroute
-	  leftsourceip=10.3.0.1
-	  leftcert=carolCert.pem
-	  right=192.168.0.1
-	  rightsubnet=10.1.0.0/16
-	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-	  auto=start
+        conn home
+            leftsourceip=%config
+            leftcert=carolCert.pem
+            right=192.168.0.1
+            rightsubnet=10.1.0.0/16
+            rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
+            auto=start
 
 
-3. Generating certificates and CRLs with OpenSSL
-   ---------------------------------------------
+3. Generating certificates and CRLs
+   --------------------------------
 
-This section is not a full-blown tutorial on how to use OpenSSL. It just lists
-a few points that are relevant if you want to generate your own certificates
-and CRLs for use with strongSwan.
+This section is not a full-blown tutorial on how to use OpenSSL or the
+strongSwan PKI tool.  It just lists a few points that are relevant if you want
+to generate your own certificates and CRLs for use with strongSwan.
 
 
 3.1 Generating a CA certificate
@@ -531,13 +286,13 @@ and CRLs for use with strongSwan.
 
 The OpenSSL statement
 
-     openssl req -x509 -days 1460 -newkey rsa:2048 \
-                 -keyout strongswanKey.pem -out strongswanCert.pem
+    openssl req -x509 -days 1460 -newkey rsa:4096 \
+                -keyout strongswanKey.pem -out strongswanCert.pem
 
-creates a 2048 bit RSA private key strongswanKey.pem and a self-signed CA
+creates a 4096 bit RSA private key strongswanKey.pem and a self-signed CA
 certificate strongswanCert.pem with a validity of 4 years (1460 days).
 
-     openssl x509 -in cert.pem -noout -text
+    openssl x509 -in cert.pem -noout -text
 
 lists the properties of  a X.509 certificate cert.pem. It allows you to verify
 whether the configuration defaults in openssl.cnf have been inserted correctly.
@@ -547,9 +302,21 @@ command achieves this transformation:
 
      openssl x509 -in strongswanCert.pem -outform DER -out strongswanCert.der
 
+The statements
+
+    ipsec pki --gen -s 4096 > strongswanKey.der
+    ipsec pki --self --ca --lifetime 1460 --in strongswanKey.der \
+              --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
+              > strongswanCert.der
+    ipsec pki --print --in strongswanCert.der
+
+achieve about the same with the strongSwan PKI tool.  Unlike OpenSSL the tool
+stores keys and certificates in the binary DER format by default.  The --outform
+option may be used to write PEM encoded files.
+
 The directory /etc/ipsec.d/cacerts contains all required CA certificates either
-in binary DER or in base64 PEM format. Irrespective of the file suffix, Pluto
-"automagically" determines the correct format.
+in binary DER or in base64 PEM format, irrespective of the file suffix the
+correct format will be determined.
 
 
 3.2 Generating a host or user certificate
@@ -557,10 +324,10 @@ in binary DER or in base64 PEM format. Irrespective of the file suffix, Pluto
 
 The OpenSSL statement
 
-     openssl req -newkey rsa:1024 -keyout hostKey.pem \
+     openssl req -newkey rsa:2048 -keyout hostKey.pem \
                  -out hostReq.pem
 
-generates a 1024 bit RSA private key hostKey.pem and a certificate request
+generates a 2048 bit RSA private key hostKey.pem and a certificate request
 hostReq.pem which has to be signed by the CA.
 
 If you want to add a subjectAltName field to the host certificate you must edit
@@ -569,7 +336,7 @@ the OpenSSL configuration file openssl.cnf and add the following line in the
 
      subjectAltName=DNS:moon.strongswan.org
 
-if you want to identify the host by its Fully Qualified Domain Name (FQDN ), or
+if you want to identify the host by its Fully Qualified Domain Name (FQDN), or
 
      subjectAltName=IP:192.168.0.1
 
@@ -581,7 +348,7 @@ ID types with
 but the use of an IP address for the identification of a host should be
 discouraged anyway.
 
-For user certificates the appropriate ID type is USER_FQDN which can be
+For user certificates the appropriate ID type is RFC822_ADDR which can be
 specified as
 
      subjectAltName=email:carol@strongswan.org
@@ -595,32 +362,43 @@ Now the certificate request can be signed by the CA with the command
      openssl ca -in hostReq.pem -days 730 -out hostCert.pem -notext
 
 If you omit the -days option then the default_days value (365 days) specified
-in openssl.cnf is used. The -notext option avoids that a human readable
+in openssl.cnf is used.  The -notext option avoids that a human readable
 listing of the certificate is prepended to the base64 encoded certificate
 body.
 
 If you want to use the dynamic CRL fetching feature described in section 4.7
 then you may include one or several crlDistributionPoints in your end
-certificates. This can be done in the [ usr_cert ] section of the openssl.cnf
+certificates.  This can be done in the [ usr_cert ] section of the openssl.cnf
 configuration file:
 
-    crlDistributionPoints= @crl_dp
+    crlDistributionPoints=@crl_dp
 
     [ crl_dp ]
 
     URI.1="http://crl.strongswan.org/strongswan.crl"
-    URI.2="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan
-      , c=CH?certificateRevocationList"
+    URI.2="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan,
+           c=CH?certificateRevocationList"
 
-If you have only a single http distribution point then the short form
+If you have only a single HTTP distribution point then the short form
 
     crlDistributionPoints="URI:http://crl.strongswan.org/strongswan.crl"
 
-also works. Due to a known bug in OpenSSL this notation fails with ldap URIs.
+also works.
+
+Again the statements
 
-Usually a Windows-based VPN client needs its private key, its host or
-user certificate, and the CA certificate. The most convenient way to load
-this information is to put everything into a  PKCS#12 file:
+    ipsec pki --gen > moonKey.der
+    ipsec pki --pub --in moonKey.der | ipsec pki --issue --lifetime 730 \
+              --cacert strongswanCert.der --cakey strongswanKey.der \
+              --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" \
+              --san moon.strongswan.org --san 192.168.0.1 \
+              --crl http://crl.strongswan.org/strongswan.crl > moonCert.der
+
+do something thing similar using the strongSwan PKI tool.
+
+Usually, a Windows or Mac OS X (or iOS) based VPN client needs its private key,
+its host or user certificate, and the CA certificate. The most convenient way
+to load this information is to put everything into a PKCS#12 file:
 
      openssl pkcs12 -export -inkey carolKey.pem \
                     -in carolCert.pem -name "carol" \
@@ -643,9 +421,11 @@ can be achieved with
 
      openssl crl -in crl.pem -outform DER -out cert.crl
 
+The strongSwan PKI tool provides the ipsec pki --signcrl command to sign CRLs.
+
 The directory /etc/ipsec.d/crls contains all CRLs either in binary DER
-or in base64 PEM format. Irrespective of the file suffix, Pluto
-"automagically" determines the correct format.
+or in base64 PEM format, irrespective of the file suffix the correct format
+will be determined.
 
 
 3.4 Revoking a certificate
@@ -668,6 +448,8 @@ in the case of a base64 CRL, or alternatively for a CRL in DER format
 
      openssl crl -inform DER -in cert.crl -noout -text
 
+Again the ipsec pki --signcrl command may be used to create new CRLs containing
+additional certificates.
 
 
 4. Configuring the connections - ipsec.conf
@@ -676,15 +458,13 @@ in the case of a base64 CRL, or alternatively for a CRL in DER format
 4.1 Configuring my side
     -------------------
 
-Usually the local side is the same for all connections. Therefore it makes
+Usually the local side is the same for all connections.  Therefore it makes
 sense to put the definitions characterizing the strongSwan security gateway into
-the conn %default section of the configuration file /etc/ipsec.conf. If we
+the conn %default section of the configuration file /etc/ipsec.conf.  If we
 assume throughout this document that the strongSwan security gateway is left and
 the peer is right then we can write
 
 conn %default
-     # my side is left - the freeswan security gateway
-     left=%defaultroute
      leftcert=moonCert.pem
      # load connection definitions automatically
      auto=add
@@ -696,8 +476,8 @@ Exchange (IKE) is specified in the line
      leftcert=moonCert.pem
 
 The certificate can either be stored in base64 PEM-format or in the binary
-DER-format. Irrespective of the file suffix, Pluto "automagically" determines
-the correct format. Therefore
+DER-format. Irrespective of the file suffix the correct format will be
+determined.  Therefore
 
      leftcert=moonCert.der
 
@@ -708,7 +488,7 @@ or
 would also be valid alternatives.
 
 When using relative pathnames as in the examples above, the certificate files
-must be stored in in the directory /etc/ipsec.d/certs. In order to distinguish
+must be stored in in the directory /etc/ipsec.d/certs.  In order to distinguish
 strongSwan's own certificates from locally stored trusted peer certificates
 (see section 5.5 for details), they could also be stored in a subdirectory
 below /etc/ipsec.d/certs as e.g. in
@@ -726,10 +506,10 @@ conn rw
      right=%any
      leftid=@moon.strongswan.org
 
-Important: When an FQDN identifier is used it must be explicitly included as a
+Important: When a FQDN identifier is used it must be explicitly included as a
 so called subjectAltName of type dnsName (DNS:) in the certificate indicated
-by leftcert. For details on how to generate certificates with subjectAltNames,
-please refer to section 7.2.
+by leftcert.  For details on how to generate certificates with subjectAltNames,
+please refer to section 3.2.
 
 If you don't want to mess with subjectAltNames, you can use the certificate's
 Distinguished Name (DN) instead, which is an identifier of type DER_ASN1_DN
@@ -737,7 +517,7 @@ and which can be written e.g. in the LDAP-type format
 
 conn rw
      right=%any
-     leftid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+     leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
 
 Since the subject's DN is part of the certificate, the leftid does not have to
 be declared explicitly. Thus the entry
@@ -774,40 +554,40 @@ myCert2 and myKey2 will be used in a connection setup started from peer2.
 4.3 Configuring the peer side using CA certificates
     -----------------------------------------------
 
-Now we can proceed to define our connections. In many applications we might
-have dozens of mostly Windows-based road warriors connecting to a central
-strongSwan security gateway. The following most simple statement:
+Now we can proceed to define our connections.  In many applications we might
+have dozens of road warriors connecting to a central strongSwan security
+gateway. The following most simple statement:
 
 conn rw
      right=%any
 
-defines the general roadwarrior case. The line right=%any literally means that
-any IPSec peer is accepted, regardless of its current IP source address and its
+defines the general roadwarrior case.  The line right=%any literally means that
+any IPsec peer is accepted, regardless of its current IP source address and its
 ID, as long as the peer presents a valid X.509 certificate signed by a CA the
-strongSwan security gateway puts explicit trust in. Additionally the signature
-during IKE main mode gives proof that the peer is in possession of the private
-RSA key matching the public key contained in the transmitted certificate.
+strongSwan security gateway puts explicit trust in.  Additionally, the signature
+during IKE gives proof that the peer is in possession of the private RSA key
+matching the public key contained in the transmitted certificate.
 
-The ID by which a peer is identifying itself during IKE main mode can by any of
-the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one of the first
+The ID by which a peer is identifying itself during IKE can by any of the ID
+types IPV[46]_ADDR, FQDN, RFC822_ADDR or DER_ASN1_DN.  If one of the first
 three ID types is used, then the accompanying X.509 certificate of the peer
 must contain a matching subjectAltName field of the type ipAddress (IP:),
-dnsName (DNS:) or rfc822Name (email:), respectively. With the fourth type
+dnsName (DNS:) or rfc822Name (email:), respectively.  With the fourth type
 DER_ASN1_DN the identifier must completely match the subject field of the
-peer's certificate. One of the two possible representations of a
+peer's certificate.  One of the two possible representations of a
 Distinguished Name (DN) is the LDAP-type format
 
-     rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
+     rightid="C=CH, O=strongSwan IPsec, CN=sun.strongswan.org"
 
 Additional whitespace can be added everywhere as desired since it will be
-automatically eliminated by the X.509 parser. An exception is the single
-whitespace between individual words , like e.g. in Linux strongSwan, which is
+automatically eliminated by the X.509 parser.  An exception is the single
+whitespace between individual words, like e.g. in strongSwan IPsec, which is
 preserved by the parser.
 
 The Relative Distinguished Names (RDNs) can alternatively be separated by a
 slash '/' instead of a comma ','
 
-     rightid="/C=CH/O=Linux strongSwan/CN=sun.strongswan.org"
+     rightid="/C=CH/O=strongSwan IPsec/CN=sun.strongswan.org"
 
 This is the representation extracted from the certificate by the OpenSSL
 command line option
@@ -816,59 +596,65 @@ command line option
 
 The following RDNs are supported by strongSwan
 
-+---------------------------------------------------+
-| DC               Domain Component                 |
-|---------------------------------------------------|
-| C                Country                          |
-|---------------------------------------------------|
-| ST               State or province                |
-|---------------------------------------------------|
-| L                Locality or town                 |
-|---------------------------------------------------|
-| O                Organisation                     |
-|---------------------------------------------------|
-| OU               Organisational Unit              |
-|---------------------------------------------------|
-| CN               Common Name                      |
-|---------------------------------------------------|
-| ND               NameDistinguisher, used with CN  |
-|---------------------------------------------------|
-| N                Name                             |
-|---------------------------------------------------|
-| G                Given name                       |
-|---------------------------------------------------|
-| S                Surname                          |
-|---------------------------------------------------|
-| I                Initials                         |
-|---------------------------------------------------|
-| T                Personal title                   |
-|---------------------------------------------------|
-| E                E-mail                           |
-|---------------------------------------------------|
-| Email            E-mail                           |
-|---------------------------------------------------|
-| emailAddress     E-mail                           |
-|---------------------------------------------------|
-| SN               Serial number                    |
-|---------------------------------------------------|
-| serialNumber     Serial number                    |
-|---------------------------------------------------|
-| D                Description                      |
-|---------------------------------------------------|
-| ID               X.500 Unique Identifier          |
-|---------------------------------------------------|
-| UID              User ID                          |
-|---------------------------------------------------|
-| TCGID            [Siemens] Trust Center Global ID |
-|---------------------------------------------------|
-| unstructuredName Unstructured Name                |
-|---------------------------------------------------|
-| UN               Unstructured Name                |
-|---------------------------------------------------|
-| employeeNumber   Employee Number                  |
-|---------------------------------------------------|
-| EN               Employee Number                  |
-+---------------------------------------------------+
++-------------------------------------------------------+
+| DC                   Domain Component                 |
+|-------------------------------------------------------|
+| C                    Country                          |
+|-------------------------------------------------------|
+| ST                   State or province                |
+|-------------------------------------------------------|
+| L                    Locality or town                 |
+|-------------------------------------------------------|
+| O                    Organization                     |
+|-------------------------------------------------------|
+| OU                   Organizational Unit              |
+|-------------------------------------------------------|
+| CN                   Common Name                      |
+|-------------------------------------------------------|
+| ND                   NameDistinguisher, used with CN  |
+|-------------------------------------------------------|
+| N                    Name                             |
+|-------------------------------------------------------|
+| G                    Given name                       |
+|-------------------------------------------------------|
+| S                    Surname                          |
+|-------------------------------------------------------|
+| I                    Initials                         |
+|-------------------------------------------------------|
+| T                    Personal title                   |
+|-------------------------------------------------------|
+| E                    E-mail                           |
+|-------------------------------------------------------|
+| Email                E-mail                           |
+|-------------------------------------------------------|
+| emailAddress         E-mail                           |
+|-------------------------------------------------------|
+| SN                   Serial number                    |
+|-------------------------------------------------------|
+| serialNumber         Serial number                    |
+|-------------------------------------------------------|
+| D                    Description                      |
+|-------------------------------------------------------|
+| ID                   X.500 Unique Identifier          |
+|-------------------------------------------------------|
+| UID                  User ID                          |
+|-------------------------------------------------------|
+| TCGID                [Siemens] Trust Center Global ID |
+|-------------------------------------------------------|
+| UN                   Unstructured Name                |
+|-------------------------------------------------------|
+| unstructuredName     Unstructured Name                |
+|-------------------------------------------------------|
+| UA                   Unstructured Address             |
+|-------------------------------------------------------|
+| unstructuredAddress  Unstructured Address             |
+|-------------------------------------------------------|
+| EN                   Employee Number                  |
+|-------------------------------------------------------|
+| employeeNumber       Employee Number                  |
+|-------------------------------------------------------|
+| dnQualifier          DN Qualifier                     |
++-------------------------------------------------------+
 
 With the roadwarrior connection definition listed above, an IPsec SA for
 the strongSwan security gateway moon.strongswan.org itself can be established.
@@ -884,6 +670,10 @@ conn rw3
      right=%any
      leftsubnet=10.1.3.0/24
 
+For IKEv2 connections this can even be simplified by using
+
+    leftsubnet=10.1.0.0/24,10.1.3.0/24
+
 If not all peers in possession of a X.509 certificate signed by a specific
 certificate authority shall be given access to the Linux security gateway,
 then either a subset of them can be barred by listing the serial numbers of
@@ -901,11 +691,11 @@ conn carol
 
 conn dave
      right=%any
-     rightid="C=CH, O=Linux strongSwan, CN=dave@strongswan.org"
+     rightid="C=CH, O=strongSwan, CN=dave@strongswan.org"
 
 When the IP address of a peer is known to be stable, it can be specified as
-well. This entry is mandatory when the strongSwan host wants to act as the
-initiator of an IPSec connection.
+well.  This entry is mandatory when the strongSwan host wants to act as the
+initiator of an IPsec connection.
 
 conn sun
      right=192.168.0.2
@@ -917,19 +707,19 @@ conn carol
 
 conn dave
      right=192.168.0.200
-     rightid="C=CH, O=Linux strongSwan, CN=dave@strongswan.org"
+     rightid="C=CH, O=strongSwan, CN=dave@strongswan.org"
 
 conn venus
      right=192.168.0.50
 
-In the last example the ID types FQDN, USER_FQDN, DER_ASN1_DN and IPV4_ADDR,
-respectively, were used. Of course all connection definitions presented so far
+In the last example the ID types FQDN, RFC822_ADDR, DER_ASN1_DN and IPV4_ADDR,
+respectively, were used.  Of course all connection definitions presented so far
 have included the lines in the conn %defaults section, comprising among other
-a left and leftcert entry.
+a leftcert entry.
 
 
-4.4 Handling Virtual IPs and wildcard subnets
-    -----------------------------------------
+4.4 Handling Virtual IPs and narrowing
+    ----------------------------------
 
 Often roadwarriors are behind NAT-boxes with IPsec passthrough, which causes
 the inner IP source address of an IPsec tunnel to be different from the
@@ -952,19 +742,17 @@ conn rw3
      right=%any
      rightsubnet=10.4.0.128/28
 
-With the wildcard parameter rightsubnetwithin these three entries can be
-reduced to the single connection definition
+Because the charon daemon uses narrowing (even for IKEv1) these three entries
+can be reduced to the single connection definition
 
 conn rw
      right=%any
-     rightsubnetwithin=10.4.0.0/24
+     rightsubnet=10.4.0.0/24
 
 Any host will be accepted (of course after successful authentication based on
 the peer's X.509 certificate only) if it declares a client subnet lying totally
-within the brackets defined by the wildcard subnet definition (in our example
-10.4.0.0/24). For each roadwarrior a connection instance tailored to the
-subnet of the particular client will be created,based on the generic
-rightsubnetwithin template.
+within the brackets defined by the subnet definition (in our example
+10.4.0.0/24).
 
 This strongSwan feature can also be helpful with VPN clients getting a
 dynamically assigned inner IP from a DHCP server located on the NAT router box.
@@ -981,28 +769,24 @@ Some examples:
 conn icmp
      right=%any
      rightprotoport=icmp
-     left=%defaultroute
      leftid=@moon.strongswan.org
      leftprotoport=icmp
 
 conn http
      right=%any
      rightprotoport=6
-     left=%defaultroute
      leftid=@moon.strongswan.org
      leftprotoport=6/80
 
 conn l2tp       # with port wildcard for Mac OS X Panther interoperability
      right=%any
      rightprotoport=17/%any
-     left=%defaultroute
      leftid=@moon.strongswan.org
      leftprotoport=17/1701
 
 conn dhcp
      right=%any
      rightprotoport=udp/bootpc
-     left=%defaultroute
      leftid=@moon.strongswan.org
      leftsubnet=0.0.0.0/0  #allows DHCP discovery broadcast
      leftprotoport=udp/bootps
@@ -1023,7 +807,7 @@ shows the following connection definitions:
 "l2tp": 192.168.0.1[@moon.strongswan.org]:17/1701...%any:17/%any
 "dhcp": 0.0.0.0/0===192.168.0.1[@moon.strongswan.org]:17/67...%any:17/68
 
-Based on the protocol and port selectors appropriate eroutes will be set
+Based on the protocol and port selectors appropriate policies will be set
 up, so that only the specified payload types will pass through the IPsec
 tunnel.
 
@@ -1033,20 +817,20 @@ tunnel.
 
 In large VPN-based remote access networks there is often a requirement that
 access to the various parts of an internal network must be granted selectively,
-e.g. depending on the group membership of the remote access user. strongSwan
-makes this possible by applying wildcard filtering on the VPN user's 
+e.g. depending on the group membership of the remote access user.  strongSwan
+makes this possible by applying wildcard filtering on the VPN user's
 distinguished name (ID_DER_ASN1_DN).
 
 Let's make a practical example:
- 
+
 An organization has a sales department (OU=Sales) and a research group
-(OU=Research). In the company intranet there are separate subnets for Sales
+(OU=Research).  In the company intranet there are separate subnets for Sales
 (10.0.0.0/24) and Research (10.0.1.0/24) but both groups share a common web
-server (10.0.2.100). The VPN clients use Virtual IP addresses that are either
-assigned statically or via DHCP-over-IPsec. The sales and research departments
-use IP addresses from separate DHCP address pools (10.1.0.0/24) and (10.1.1.0/24),
-respectively. An X.509 certificate is issued to each employee, containing in its
-subject distinguished name the country (C=CH), the company (O=ACME),
+server (10.0.2.100).  The VPN clients use Virtual IP addresses that are either
+assigned statically or from a dynamic pool.  The sales and research departments
+use IP addresses from separate address pools (10.1.0.0/24) and (10.1.1.0/24),
+respectively.  An X.509 certificate is issued to each employee, containing in
+its subject distinguished name the country (C=CH), the company (O=ACME),
 the group membership(OU=Sales or OU=Research) and the common name (e.g.
 CN=Bart Simpson).
 
@@ -1056,28 +840,23 @@ IPsec security associations:
 conn sales
      right=%any
      rightid="C=CH, O=ACME, OU=Sales, CN=*"
-     rightsubnetwithin=10.1.0.0/24  # Sales DHCP range
-     leftsubnet=10.0.0.0/24         # Sales subnet
+     rightsubnet=10.1.0.0/24         # Sales IP range
+     leftsubnet=10.0.0.0/24          # Sales subnet
 
 conn research
      right=%any
      rightid="C=CH, O=ACME, OU=Research, CN=*"
-     rightsubnetwithin=10.1.1.0/24   # Research DHCP range
+     rightsubnet=10.1.1.0/24         # Research IP range
      leftsubnet=10.0.1.0/24          # Research subnet
 
 conn web
      right=%any
      rightid="C=CH, O=ACME, OU=*, CN=*"
-     rightsubnetwithin=10.1.0.0/23   # Remote access DHCP range
+     rightsubnet=10.1.0.0/23         # Remote access IP range
      leftsubnet=10.0.2.100/32        # Web server
      rightprotoport=tcp              # TCP protocol only
      leftprotoport=tcp/http          # TCP port 80 only
 
-Of course group specific tunneling could be implemented on the
-basis of the Virtual IP range specified by the rightsubnetwithin
-parameter alone, but the wildcard matching mechanism guarantees that
-only authorized user can access the corresponding subnets.
-
 The '*' character is used as a wildcard in relative distinguished names (RDNs).
 In order to match a wildcard template, the ID_DER_ASN1_DN of a peer must contain
 the same number of RDNs (selected from the list in section 4.3) appearing in the
@@ -1104,42 +883,42 @@ which doesn't have the same number of RDNs.
     ---------------------------------------
 
 As an alternative to the wildcard based IPsec policies described in section 4.6,
-access to specific client host and subnets can abe controlled on the basis of
+access to specific client host and subnets can be controlled on the basis of
 the CA that issued the peer certificate
 
 
 conn sales
      right=%any
      rightca="C=CH, O=ACME, OU=Sales, CN=Sales CA"
-     rightsubnetwithin=10.1.0.0/24  # Sales DHCP range
-     leftsubnet=10.0.0.0/24         # Sales subnet
+     rightsubnet=10.1.0.0/24         # Sales IP range
+     leftsubnet=10.0.0.0/24          # Sales subnet
 
 conn research
      right=%any
      rightca="C=CH, O=ACME, OU=Research, CN=Research CA"
-     rightsubnetwithin=10.1.1.0/24   # Research DHCP range
+     rightsubnet=10.1.1.0/24         # Research IP range
      leftsubnet=10.0.1.0/24          # Research subnet
 
 conn web
      right=%any
      rightca="C=CH, O=ACME, CN=ACME Root CA"
-     rightsubnetwithin=10.1.0.0/23   # Remote access DHCP range
+     rightsubnet=10.1.0.0/23         # Remote access IP range
      leftsubnet=10.0.2.100/32        # Web server
      rightprotoport=tcp              # TCP protocol only
      leftprotoport=tcp/http          # TCP port 80 only
 
 In the example above, the connection "sales" can be used by peers
-presenting certificates issued by the Sales CA, only. In the same way,
+presenting certificates issued by the Sales CA, only.  In the same way,
 the use of the connection "research" is restricted to owners of certificates
-issued by the Research CA. The connection "web" is open to both "Sales" and
+issued by the Research CA.  The connection "web" is open to both "Sales" and
 "Research" peers because the required "ACME Root CA" is the issuer of the
-Research and Sales intermediate CAs. If no rightca parameter is present
+Research and Sales intermediate CAs.  If no rightca parameter is present
 then any valid certificate issued by one of the trusted CAs in
 /etc/ipsec.d/cacerts can be used by the peer.
 
 The leftca parameter usually doesn't have to be set explicitly because
 by default it is set to the issuer field of the certificate loaded via
-leftcert. The statement
+leftcert.  The statement
 
      rightca=%same
 
@@ -1152,54 +931,6 @@ conn sales
      leftcert=mySalesCert.pem
 
 
-4.8 Sending certificate requests
-    ----------------------------
-
-The presence of a rightca parameter also causes the CA to be sent as
-part of the certificate request message when strongSwan is the initiator.
-A special case occurs when strongSwan responds to a roadwarrior. If several
-roadwarrior connections based on different CAs are defined then all eligible
-CAs will be listed in Pluto�s certificate request message.
-
-
-4.9 IPsec policies based on group attributes
-    ----------------------------------------
-
-X.509 attribute certificates are the most powerful mechanism for implementing
-IPsec security policies. The rightgroups parameter in a connection definition
-restricts the access to members of the listed groups only. An IPsec peer must
-have a valid attribute certificate issued by a trusted Authorization Authority
-and listing one of the requirede group attributes in order to get admitted.
-
-conn sales
-     right=%any
-     rightgroups="Sales"
-     rightsubnetwithin=10.1.0.0/24  # Sales DHCP range
-     leftsubnet=10.0.0.0/24         # Sales subnet
-
-conn research
-     right=%any
-     rightgroups="Research"
-     rightsubnetwithin=10.1.1.0/24   # Research DHCP range
-     leftsubnet=10.0.1.0/24          # Research subnet
-
-conn web
-     right=%any
-     rightgroups="Sales, Research"
-     rightsubnetwithin=10.1.0.0/23   # Remote access DHCP range
-     leftsubnet=10.0.2.100/32        # Web server
-     rightprotoport=tcp              # TCP protocol only
-     leftprotoport=tcp/http          # TCP port 80 only
-
-In the examples above membership of the group "Sales" is required for
-connection sales and membership of "Research" for connection research
-whereas connection web is accessible for both groups.
-
-Currently the attribute certificates of the peers must be loaded statically
-via the /etc/ipsec.d/acerts/ directory. In future releases of strongSwan it
-will be possible to fetch them from an LDAP directory server.
-
-
 5. Configuring certificates and CRLs
    ---------------------------------
 
@@ -1209,9 +940,9 @@ will be possible to fetch them from an LDAP directory server.
 
 X.509 certificates received by strongSwan during the IKE protocol are
 automatically authenticated by going up the trust chain until a self-signed
-root CA certificate is reached. Usually host certificates are directly signed
+root CA certificate is reached.  Usually host certificates are directly signed
 by a root CA, but strongSwan also supports multi-level hierarchies with
-intermediate CAs in between. All CA certificates belonging to a trust chain
+intermediate CAs in between.  All CA certificates belonging to a trust chain
 must be copied in either binary DER or base64 PEM format into the directory
 
      /etc/ipsec.d/cacerts/
@@ -1221,38 +952,36 @@ must be copied in either binary DER or base64 PEM format into the directory
     -------------------------------------------------------
 
 By copying a CA certificate into /etc/ipsec.d/cacerts/, automatically all user
-or host certificates issued by this CA are declared valid. Unfortunately
+or host certificates issued by this CA are declared valid.  Unfortunately,
 private keys might get compromised inadvertently or intentionally, personal
 certificates of users leaving a company have to be blocked immediately, etc.
-To this purpose certificate revocation lists (CRLs) have been created. CRLs
+To this purpose certificate revocation lists (CRLs) have been created.  CRLs
 contain the serial numbers of all user or host certificates that have been
 revoked due to various reasons.
 
-After successful verification of the X.509 trust chain, Pluto searches its
+After successful verification of the X.509 trust chain, strongSwan searches its
 list of CRLs either obtained by loading them from the /etc/ipsec.d/crls/
 directory or fetching them dynamically from a HTTP or LDAP server for the
 presence of a CRL issued by the CA that has signed the certificate.
 
 If the serial number of the certificate is found in the CRL then the public key
-contained in the certificate is declared invalid and the IPSec SA will not be
-established. If no CRL is found or if the deadline defined in the nextUpdate
+contained in the certificate is declared invalid and the IPsec SA will not be
+established.  If no CRL is found or if the deadline defined in the nextUpdate
 field of the CRL has been reached, a warning is issued but the public key will
-nevertheless be accepted. CRLs must be stored either in binary DER or base64 PEM
-format in the crls directory. Section 7.3 will explain in detail how CRLs can
-be created using OpenSSL.
+nevertheless be accepted.  CRLs must be stored either in binary DER or base64
+PEM format in the crls directory.
 
 
 5.3 Dynamic update of certificates and CRLs
     ---------------------------------------
 
-Pluto reads certificates and CRLs from their respective files during system
-startup and keeps them in memory in the form of chained lists. X.509
-certificates have a finite life span defined by their validity field. Therefore
-it must be possible to replace CA or OCSP certificates kept in system memory
-without disturbing established ISAKMP SAs. Certificate revocation lists should
-also be updated in the regular intervals indicated by the nextUpdate field in
-the CRL body. The following interactive commands allow the manual replacement
-of the various files:
+strongSwan reads certificates and CRLs from their respective files during system
+startup and keeps them in memory.  X.509 certificates have a finite life span
+defined by their validity field.  Therefore it must be possible to replace CA or
+OCSP certificates kept in system memory without disturbing established IKE SAs.
+Certificate revocation lists should also be updated in the regular intervals
+indicated by the nextUpdate field in the CRL body.  The following interactive
+commands allow the manual replacement of the various files:
 
 +---------------------------------------------------------------------------+
 | ipsec rereadsecrets       reload file /etc/ipsec.secrets                  |
@@ -1278,50 +1007,7 @@ of the various files:
 +---------------------------------------------------------------------------+
 
 CRLs can also be automatically fetched from an HTTP or LDAP server by using
-the CRL distribution points contained in X.509 certificates. The command
-
-    ipsec listcrls
-    
-shows any pending fetch requests:
-
-  Oct 31 00:29:53 2002, trials: 2
-         issuer:  'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         distPts: 'http://crl.strongswan.org/strongswan.crl'
-	          'ldap://ldap.strongswan.org/o=Linux strongSwan, c=CH
-		     ?certificateRevocationList?base
-		     ?(objectClass=certificationAuthority)'
-
-In the example above, an http and an ldap URL were extracted from a received
-end certificate. An independent thread then tries to fetch a CRL from the
-designated distribution points. The same thread also periodically checks
-if any loaded CRLs are about to expire. The check interval can be defined in
-the "config setup" section of the ipsec.conf file:
-
-   config setup
-       crlcheckinterval=600
-
-In our example the thread wakes up every 600 seconds or 10 minutes in order
-to check the validity of the CRLs or to retry any pending fetch requests:
-
-  List of X.509 CRLs:
-  
-  Dec 19 09:35:31 2002, revoked certs: 40
-         issuer:  'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         distPts: 'http://crl.strongswan.org/strongswan.crl'
-         updates:  this Dec 19 09:35:00 2002
-                   next Dec 19 10:35:00 2002 warning (expires in 19 minutes)
-
-  List of fetch requests:
-
-  Dec 19 10:15:31 2002, trials: 1
-        issuer:  'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-        distPts: 'http://crl.strongwan.org/strongswan.crl'
-
-The first trial to update a CRL is started 2*crlcheckinterval before the
-nextUpdate time, i.e. when less than 20 minutes are left in our practical
-example. When crlcheckinterval is set to 0 (this is also the default value
-when the parameter is not set in ipsec.conf) then the CRL checking and updating 
-thread is not started and dynamic CRL fetching is disabled.
+the CRL distribution points contained in X.509 certificates.
 
 
 5.4 Local caching of CRLs
@@ -1333,49 +1019,39 @@ The the ipsec.conf option
         cachecrls=yes
 
 activates the local caching of CRLs that were dynamically fetched from an
-HTTP or LDAP server. Cached copies are stored in /etc/ipsec.d/crls under a
-unique filename formed from the issuer's SubjectKeyIdentifier and the suffix .crl.
+HTTP or LDAP server.  Cached copies are stored in /etc/ipsec.d/crls using a
+unique filename formed from the issuer's SubjectKeyIdentifier and the
+suffix .crl.
 
-With the cached copy the CRL is immediately available after pluto's startup.
-When the local copy is about to expire it is automatically replaced with an
-updated CRL fetched from one of the defined CRL distribution points.
+With the cached copy the CRL is immediately available after startup.  When the
+local copy is about to expire it is automatically replaced with an updated CRL
+fetched from one of the defined CRL distribution points.
 
 
 5.5 Online Certificate Status Protocol (OCSP)
     -----------------------------------------
 
-The Online Certificate Status Protocol is defined by RFC 2560. It can be
+The Online Certificate Status Protocol is defined by RFC 2560.  It can be
 used to query an OCSP server about the current status of an X.509 certificate
 and is often used as a more dynamic alternative to a static Certificate
-Revocation List (CRL). Both the OCSP request sent by the client and the OCSP
+Revocation List (CRL).  Both the OCSP request sent by the client and the OCSP
 response messages returned by the server are transported via a standard
-TCP/HTTP connection. Therefore cURL support must be enabled in pluto/Makefile:
-
-  # Uncomment this line to enable OCSP fetching using HTTP
-  LIBCURL=1
+TCP/HTTP connection.  Therefore cURL support must be enabled during
+configuration.
 
 In the simplest OCSP setup, a default URI under which the OCSP server for a
 given CA can be accessed is defined in ipsec.conf:
 
-   config setup
-        crlcheckinterval=600
-	
    ca strongswan
         cacert=strongswanCert.pem
         ocspuri=http://ocsp.strongswan.org:8880
         auto=add
 
-The HTTP port can be freely chosen. In our example we have assumed TCP port 8880.
-The crlcheckinterval must be set to a value different from zero. Otherwise the
-OCSP fetching thread will not be started.
-
-The well-known openssl-0.9.7 package from http://www.openssl.org implements
-an OCSP server that can be used in conjunction with an openssl-based Public
-Key Infrastructure. The OCSP client integrated into Pluto does not contain
-any OpenSSL code though, but is based on the existing ASN.1 functionality of
-strongSwan.
+The HTTP port can be freely chosen.
 
-The OpenSSL-based OCSP server is started with the following command:
+OpenSSL implements an OCSP server that can be used in conjunction with an
+openssl-based Public Key Infrastructure.  The OCSP server is started with the
+following command:
 
     openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 \
                  -rkey ocspKey.pem -rsigner ocspCert.pem \
@@ -1383,57 +1059,44 @@ The OpenSSL-based OCSP server is started with the following command:
 
 The command consists of the parameters
 
- -index  index.txt is a copy of the OpenSSL index file containing the list of
-         all issued certificates. The certificate status in indext.txt
-         is designated either by V for valid or R for revoked. If
-         a new certificate is added or if a certificate is revoked
-         using the openssl ca command, the OCSP server must be restarted
-         in order for the changes in index.txt to take effect.
-
- -CA     the CA certificate
-
- -port   the HTTP port the OCSP server is listening on.
- 
--rkey    the private key used to sign the OCSP response. The use of the
-         sensitive CA private key is not recommended since this could
-         jeopardize the security of your production PKI if the OCSP
-         server is hacked. It is much better to generate a special
-         RSA private key just for OCSP signing use instead.
-
--rsigner the certificate of the OCSP server containing a public key which
-         matches the private key defined by -rkey and which can be used by
-         the client to check the trustworthiness of the signed OCSP response.
-
--resp_no_certs  With this option the OCSP signer certificate defined by
-                -rsigner is not included in the OCSP response.
-
--nmin    the validity interval of an OCSP response given in minutes.
-         2*crlcheckinterval before the expiration of the OCSP responses,
-         a new query will by pro-actively started by the Pluto fetching thread.
-
-         If nmin is missing or set to zero then the default validity interval
-         compiled into Pluto will be 2 minutes, leading to a quasi one-time
-         use of the OCSP status response which will not be periodically 
-         refreshed by the fetching thread. In conjunction with the parameter
-        setting "strictcrlpolicy=yes" a real-time certificate status query
-        can be implemented in this way.
-
--text   This option activates a verbose logging output, showing the contents
-        of both the received OCSP request and sent OCSP response.
-
-How does Pluto get hold of the OCSP signer certificate? There are two
-possibilities:
- 
-Either you put the OCSP certificate into the default directory
+ -index    index.txt is a copy of the OpenSSL index file containing the list of
+           all issued certificates.  The certificate status in index.txt
+           is designated either by V for valid or R for revoked.  If a new
+           certificate is added or if a certificate is revoked using the
+           openssl ca command, the OCSP server must be restarted in order for
+           the changes in index.txt to take effect.
+
+ -CA       the CA certificate
+
+ -port     the HTTP port the OCSP server is listening on.
+
+ -rkey     the private key used to sign the OCSP response.  The use of the
+           sensitive CA private key is not recommended since this could
+           jeopardize the security of your production PKI if the OCSP
+           server is hacked.  It is much better to generate a special
+           RSA private key just for OCSP signing use instead.
+
+ -rsigner  the certificate of the OCSP server containing a public key which
+           matches the private key defined by -rkey and which can be used by
+           the client to check the trustworthiness of the signed OCSP response.
+
+ -resp_no_certs  With this option the OCSP signer certificate defined by
+                 -rsigner is not included in the OCSP response.
+
+ -nmin     the validity interval of an OCSP response given in minutes.
+
+ -text     this option activates a verbose logging output, showing the contents
+           of both the received OCSP request and sent OCSP response.
+
+
+The OCSP signer certificate can either be put into the default directory
 
     /etc/ipsec.d/ocspcerts
-    
-or alternatively Pluto can receive it as part of the OCSP response from the
-remote OCSP server. In the latter case, how can Pluto make sure that
-the server has indeed been authorized by the CA to deal out certificate status
-information? In order to ascertain the OCSP signer capability, an extended
-key usage attribute can be included in the OCSP server certificate. Just
-insert the parameter
+
+or alternatively strongSwan can receive it as part of the OCSP response from the
+remote OCSP server.  In order to verify that the server is indeed authorized by
+a CA to deal out certificate status information an extended key usage attribute
+must be included in the OCSP server certificate.  Just insert the parameter
 
     extendedKeyUsage=OCSPSigner
 
@@ -1441,7 +1104,7 @@ in the [ usr_cert ] section of your openssl.cnf configuration file before
 the CA signs the OCSP server certificate.
 
 For a given CA the corresponding ca section in ipsec.conf (see section 7) allows
-to define the URI of a single OCSP server. As an alternative an OCSP URI can be
+to define the URI of a single OCSP server.  As an alternative an OCSP URI can be
 embedded into each host and user certificate by putting the line
 
     authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
@@ -1454,14 +1117,14 @@ record overrides the default URI defined by the ca section.
 5.6 CRL Policy
     ----------
 
-By default Pluto is quite tolerant concerning the handling of CRLs. It is not
-mandatory for a CRL to be present in /etc/ipsec.d/crls and if the expiration
+By default strongSwan is quite tolerant concerning the handling of CRLs. It is
+not mandatory for a CRL to be present in /etc/ipsec.d/crls and if the expiration
 date defined by the nextUpdate field of a CRL has been reached just a warning
 is issued but a peer certificate will always be accepted if it has not been
 revoked.
 
 If you want to enforce a stricter CRL policy then you can do this by setting
-the "strictcrlpolicy" option. This is done in the "config setup" section
+the "strictcrlpolicy" option.  This is done in the "config setup" section
 of the ipsec.conf file:
 
     config setup
@@ -1469,12 +1132,12 @@ of the ipsec.conf file:
           ...
 
 A certificate received from a peer will not be accepted if no corresponding
-CRL or OCSP response is available. And if an ISAKMP SA re-negotiation takes
+CRL or OCSP response is available.  And if an ISAKMP SA re-negotiation takes
 place after the nextUpdate deadline has been reached, the peer certificate
 will be declared invalid and the cached RSA public key will be deleted, causing
-the connection in question to fail. Therefore if you are going to use the
+the connection in question to fail.  Therefore if you are going to use the
 "strictcrlpolicy=yes" option, make sure that the CRLs will always be updated
-in time. Otherwise a total standstill would ensue.
+in time.  Otherwise a total standstill would ensue.
 
 As mentioned earlier the default setting is "strictcrlpolicy=no"
 
@@ -1483,9 +1146,9 @@ As mentioned earlier the default setting is "strictcrlpolicy=no"
     -----------------------------------------------------------
 
 If you don't want to use trust chains based on CA certificates as proposed in
-section 4.3 you can alternatively import trusted peer certificates directly
-into Pluto. Thus you do not have to rely on the certificate to be transmitted
-by the peer as part of the IKE protocol.
+section 4.3 you can alternatively import trusted peer certificates directly.
+Thus you do not have to rely on the certificate to be transmitted by the peer
+as part of the IKE protocol.
 
 With the conn %default section defined in section 4.1 and the use of the
 rightcert keyword for the peer side, the connection definitions in section 4.3
@@ -1501,14 +1164,14 @@ can alternatively be written as
           rightcert=carolCert.der
 
 If the peer certificates are loaded locally then there is no sense in sending
-any certificates to the other end via the IKE Main Mode protocol. Especially
-if self-signed certificates are used which wouldn't be accepted any way by
-the other side. In these cases it is recommended to add
+any certificates to the other end via the IKE protocol.  Especially if
+self-signed certificates are used which wouldn't be accepted anyway by
+the other side.  In these cases it is recommended to add
 
     leftsendcert=never
 
 to the connection definition[s] in order to avoid the sending of the host's
-own certificate. The default value is
+own certificate.  The default value is
 
     leftsendcert=ifasked
 
@@ -1517,7 +1180,7 @@ If a peer does not send a certificate request then use the setting
     leftsendcert=always
 
 If a peer certificate contains a subjectAltName extension, then an alternative
-rightid type can be used, as the example "conn sun" shows. If no rightid
+rightid type can be used, as the example "conn sun" shows.  If no rightid
 entry is present then the subject distinguished name contained in the
 certificate is taken as the ID.
 
@@ -1532,27 +1195,26 @@ or
     rightcert=/usr/ssl/certs/carolCert.der
 
 
-6. Installing the private key - ipsec.secrets
-   ------------------------------------------
+6. Configuring the private keys - ipsec.secrets
+   --------------------------------------------
 
-6.1 Loading private key files in PKCS#1 format
-    ------------------------------------------
+6.1 Loading private key files in PKCS#1 or PKCS#8 format
+    ----------------------------------------------------
 
 Besides strongSwan's raw private key format strongSwan has been enabled to
-load RSA private keys in the PKCS#1 file format. The key files can be
-optionally secured with a passphrase.
+load RSA (or ECDSA) private keys in the PKCS#1 or PKCS#8 file format.
+The key files can be optionally secured with a passphrase.
 
 RSA private key files are declared in /etc/ipsec.secrets using the syntax
 
     : RSA <my keyfile> "<optional passphrase>"
 
-The key file can be either in base64 PEM-format or binary DER-format. The
-actual coding is detected "automagically" by Pluto. The example
+The key file can be either in base64 PEM-format or binary DER-format.  The
+actual coding is detected automatically.  The example
 
     : RSA moonKey.pem
 
-uses a relative pathname. In this case Pluto will look for the key file
-in the directory
+uses a pathname relative to the default directory
 
     /etc/ipsec.d/private
 
@@ -1564,29 +1226,24 @@ In both cases make sure that the key files are root readable only.
 
 Often a private key must be transported from the Certification Authority
 where it was generated to the target security gateway where it is going
-to be used. In order to protect the key it can be encrypted with 3DES
-using a symmetric transport key derived from a cryptographically strong
+to be used.  In order to protect the key it can be encrypted with a symmetric
+cipher using a transport key derived from a cryptographically strong
 passphrase.
 
-    openssl genrsa -des3 -out moonKey.pem 1024
-
-Because of the weak security, key files protected by single DES will not
-be accepted by Pluto!!!
-
 Once on the security gateway the private key can either be permanently
 unlocked so that it can be used by Pluto without having to know a
 passphrase
 
     openssl rsa -in moonKey.pem -out moonKey.pem
 
-or as an option the key file can remain secured. In this case the passphrase
+or as an option the key file can remain secured.  In this case the passphrase
 unlocking the private key must be added after the pathname in
 /etc/ipsec.secrets
 
     : RSA moonKey.pem "This is my passphrase"
 
-Some CAs distribute private keys embedded in a PKCS#12 file. Since Pluto
-is not able yet to read this format directly, the private key part must
+Some CAs distribute private keys embedded in a PKCS#12 file. Since strongSwan
+is not yet able to read this format directly, the private key part must
 first be extracted using the command
 
      openssl pkcs12 -nocerts -in moonCert.p12 -out moonKey.pem
@@ -1600,49 +1257,34 @@ if the private key is to be stored unlocked.
 
 6.2 Entering passphrases interactively
     ----------------------------------
-    
+
 On a VPN gateway you would want to put the passphrase protecting the private
 key file right into /etc/ipsec.secrets as described in the previous paragraph,
-so that the gateway can be booted in unattended mode. The risk of keeping
+so that the gateway can be booted in unattended mode.  The risk of keeping
 unencrypted secrets on a server can be minimized by putting the box into a
-locked room. As long as no one can get root access on the machine the private
+locked room.  As long as no one can get root access on the machine the private
 keys are safe.
-    
-On a mobile laptop computer the situation is quite different. The computer can
+
+On a mobile laptop computer the situation is quite different.  The computer can
 be stolen or the user is leaving it unattended so that unauthorized persons
-can get access to it. In theses cases it would be preferable not to keep any
+can get access to it.  In theses cases it would be preferable not to keep any
 passphrases openly in /etc/ipsec.secrets but to prompt for them interactively
-instead. This is easily done by defining
+instead.  This is easily done by defining
 
     : RSA moonKey.pem %prompt
-    
+
 Since strongSwan is usually started during the boot process, usually no
-interactive console windows is available which can be used by Pluto to
-prompt for the passphrase. This must be initiated by the user by typing
+interactive console windows is available which can be used to prompt for
+the passphrase.  This must be initiated by the user by typing
 
     ipsec secrets
-    
+
 which actually is an alias for the existing command
 
     ipsec rereadsecrets
 
-and which causes the prompt
-
-    need passphrase for '/etc/ipsec.d/private/moonKey.pem'
-    Enter:
-
-to appear. If the passphrase was correct and the private key file could be
-successfully decrypted then
-
-    valid passphrase
-    
-results. Otherwise the prompt
-
-   invalid passphrase, please try again
-   Enter:
-
-will give you another try. Entering a carriage return will abort the
-the passphrase prompting.
+and which causes a passphrase prompt to appear.  To abort entering a passphrase
+enter just a carriage return.
 
 
 6.3 Multiple private keys
@@ -1663,22 +1305,21 @@ definitions without specific IDs can be used
 
 Besides the definition of IPsec connections the ipsec.conf file can also
 be used to configure a few properties of the certification authorities
-needed to establish the X.509 trust chains. The following example shows
-the parameters that are currently available:
+needed to establish the X.509 trust chains.  The following example shows
+some of the parameters that are currently available:
 
     ca strongswan
        cacert=strongswanCert.pem
        ocspuri=http://ocsp.strongswan.org:8880
        crluri=http://crl.strongswan.org/strongswan.crl'
-       crluri2="ldap:///O=Linux strongSwan, C=CH?certificateRevocationList"
-       ldaphost=ldap.strongswan.org
+       crluri2="ldap://ldap.strongswan.org/O=strongSwan, C=CH?certificateRevocationList"
        auto=add
 
 In a similar way as conn sections are used for connection definitions, an
 arbitrary number of optional ca sections define the basic properties of CAs.
 
 Each ca section is named with a unique label
- 
+
        ca strongswan
 
 The only mandatory parameter is
@@ -1687,551 +1328,43 @@ The only mandatory parameter is
 
 which points to the CA certificate which usually resides in the default
 directory /etc/ipsec.d/cacerts/ but could also be retrieved via an absolute
-path name. If the CA certificate is stored on a smartcard then the
-notation
-
-       cacert=%smartcard#<n>
-
-or alternatively
-
-       cacert=%smartcard<optional slot nr>:<key id>
-
-can be used. The selection of smartcard slots is described in more detail
-in section 8.1.
-
-From the certificate the CA's distinguished name and the serial number
-is extracted. If an optional subjectKeyAuthentifier is present then it can
-be used to uniquely identify consecutive generations of CA certificates
-carrying the same distinguished name.
+path name.
 
 The OCSP URI
 
        ocspuri=http://ocsp.strongswan.org:8880
 
-allows to define an individual OCSP server per CA. Also up to two additional
+allows to define an individual OCSP server per CA.  Also up to two additional
 CRL distribution points (CDPs) can be defined
 
        crluri=http://crl.strongswan.org/strongswan.crl'
-       crluri2="ldap:///O=Linux strongSwan, C=CH?certificateRevocationList"
+       crluri2="ldap://ldap.strongswan.org/O=strongSwan, C=CH?certificateRevocationList"
 
 which are added to any CDPs already present in the received certificates
-themselves. The last parameter
-
-       ldaphost=ldap.strongswan.org
-
-can be used to fill in the actual server name in LDAP CDPs where the host is missing
-as e.g. in the crluri2 above. In future releases this ldaphost parameter might be used
-to retrieve user, host and attribute certificates.
-
-
-With the auto=add statement the ca definition is automatically loaded into Pluto during
-system startup. Setting auto=ignore will ignore the ca section. Additional ca definitions
-can be loaded from ipsec.conf during runtime with the command
-
-      ipsec auto --type ca --add strongswan-sales
+themselves.
 
-and
+With the auto=add statement the ca definition is automatically loaded during
+startup.  Setting auto=ignore will ignore the ca section.
 
-      ipsec auto --type ca --delete strongswan-sales
-
-deletes the labeled ca entry. And finally the command
-
-    ipsec auto --type ca --replace strongswan
-
-first deletes the old definition in Pluto's memory and then loads the updated version
-from ipsec.conf. Any parameters which appear in several ca definitions can be put in
+Any parameters which appear in several ca definitions can be put in
 a common ca %default section
 
     ca %default
-       ldaphost=ldap.strongswan.org
-
-
-8. Smartcard support
-   -----------------
-
-8.1 Configuring a smartcard-based connection
-    ----------------------------------------
-
-Defining a smartcard-based connection in ipsec.conf is easy:
-
-    conn sun
-         right=192.168.0.2
-	 rightid=@sun.strongswan.org
-	 left=%defaultroute
-	 leftcert=%smartcard
-	 auto=add
-
-In most cases there is a single smartcard reader or cryptotoken and only one
-RSA private key safely stored on the crypto device. Thus usually the entry
-
-    leftcert=%smartcard
-
-which stands for the full notation
-
-    leftcert=%smartcard#1
-
-is sufficient where the first certificate/private key object enumerated by
-the PKCS#11 module is used. If several certificate/private key objects are
-present then the nth object can be selected using
-
-    leftcert=%smartcard#<n>
-
-The command
-
-    ipsec listcards
-
-gives an overview over all certificate objects made available by the PKCS#11
-module.CA certificates are automatically available as trust anchors.
-
-As an alternative the certificate ID and/or the slot number defined by
-the PKCS#11 standard can be specified using the notation
-
-   leftcert=%smartcard<optional slot nr>:<key id in hex format>
-
-Thus
-
-    leftcert=%smartcard:50
-
-will look in all available slots for ID 0x50 starting with the first slot
-(usually slot 0) whereas
-
-    leftcert=%smartcard4:50
-
-will directly check slot 4 (which is usually the first slot on the second
-reader/token when using the OpenSC library) for a key with ID 0x50.
-
-
-8.2 Entering the PIN code
-    ---------------------
-
-Since the smartcard signing operation needed to sign the hash with the
-RSA private key during IKE Main Mode is protected by a PIN code,
-the secret PIN must be made available to Pluto.
-
-For gateways that must be able to start IPsec tunnels automatically in
-unattended mode after a reboot, the secret PIN  can be stored statically
-in ipsec.secrets
-
-   : PIN %smartcard "12345678"
-  
-or with the general notation
-
-   : PIN %smartcard#<n> "<PIN code>"
-
-or alternatively
-
-   : PIN %smartcard<optional slot nr>:<key id> "<PIN code>"
-  
-On personal notebooks that could get stolen, you wouldn't want to store
-your PIN in ipsec.secrets. Thus the alternative form
-
-   : PIN %smartcard %prompt
-  
-will prompt you for the PIN when you start up the first IPsec connection
-using the command
-
-   ipsec up sun
-  
-The auto command calls the whack function which in turn communicates with
-Pluto over a socket. Since the whack function call is executed from a command
-window, Pluto can prompt you for the PIN over this socket connection.
-Unfortunately roadwarrior connections which just wait passively for peers
-cannot be initiated via the command window:
-
-   conn rw
-         right=%any
-	 left=%defaultroute
-	 leftcert=%smartcard4:50
-	 auto=add
-
-But if there is a corresponding entry
-
-   : PIN %smartcard4:50 %prompt
-  
-in ipsec.secrets, then the standard command
-
-   ipsec rereadsecrets
-  
-or the alias
-
-   ipsec secrets
-   
-can be used to enter the PIN code for this connection interactively.
-
-The command
-
-   ipsec listcards
-
-can be executed at any time to check the current status of the PIN code[s].
-
-
-8.3 PIN-pad equipped smartcard readers
-    ----------------------------------
-
-Smartcard readers with an integrated PIN-pad offer an increased security
-level because the PIN entry cannot be sniffed on the host computer e.g.
-by a surrepticiously installed key logger. In order to tell pluto not to
-prompt for the PIN on the host itself, the entry
-
-   : PIN %smartcard:50 %pinpad
-
-can be used in ipsec.secrets. Because the key pad does not cache the PIN in
-the smartcard reader, it must be entered for every PKCS #11 session login.
-By default pluto does a session logout after every RSA signature. In order
-to avoid the repeated entry of the PIN code during the periodic IKE main
-mode rekeyings, the following parameter can be set in the config setup
-section of ipsec.conf:
-
-   config setup
-        pkcs11keepstate=yes
-
-The default setting is pkcs11keepstate=no. 
-
-
-8.4 Configuring a smartcard with pkcsc15-init
-    -----------------------------------------
-
-strongSwan's smartcard solution is based on the PKCS#15 "Cryptographic Token
-Information Format Standard" fully supported by OpenSC library functions.
-Using the command
-
-    pkcs15-init --erase-card --create-pkcs15
-
-a fresh PKCS#15 file structure is created on a smartcard or cryptotoken.
-With the next command
-
-    pkcs15-init --auth-id 1 --store-pin --pin "12345678" --puk "87654321"
-                --label "my PIN"
-
-a secret PIN code with auth-id 1 is stored in an unretrievable location on
-the smart card. The PIN will protect the RSA signing operation. If the PIN
-is entered incorrectly more than three times the smartcard will be locked
-and the PUK code can be used to unlock the card again.
-
-Next the RSA private key is transferred to the smartcard
-
-    pkcs15-init --auth-id 1 --store-private-key myKey.pem [--id 45]
-
-By default the PKCS#15 smartcard record will be assigned the id 45.
-Using the --id option multiple key records can be stored on a smartcard.
-
-At last we load the matching X.509 certificate onto the smartcard
-
-    pkcs15-init --auth-id 1 --store-certificate myCert.pem [--id 45]
-
-The pkcs15-tool can now be used to verify the contents of the smartcard.
-
-   pkcs15-tool --list-pins --list-keys --list-certificates
-
-If everything is ok then you are ready to use the generated PKCS#15
-structure with strongSwan.
-
-8.5 PKCS#11 proxy functions
-    -----------------------
-
-   With the setting pkcs11keepstate=yes some PKCS#11 implementations
-   (e.g. OpenSC) will lock the access to the smartcard as soon as pluto has
-   opened a session and will thus prevent other application from sharing the
-   smartcard resource. In order to solve this locking problem, strongSwan
-   offers a PKCS#11 proxy service making use of the whack socket communication
-   channel. The setting
-
-   config setup
-      pkcs11proxy=yes
-
-will enable the proxy mode that is disabled by default. 
-
-Currently two smartcard operations are supported: RSA encryption and
-RSA decryption. The notation is as follows:
-
-   ipsec scdecrypt <encrypted data>
-                   [--inbase  16|hex|64|base64|256|text|ascii]
-                   [--outbase 16|hex|64|base64|256|text|ascii]
-                   [--keyid <id>]
-
-The default settings for inbase and outbase is hexadecimal.
-Thus the simplest call has the form
-
-   ipsec scdecrypt bb952b71920094ce0696ef9b8b26...12e6
-
-and the returned result might be a decrypted 128 bit AES key
-
-   000 8836362e030e6707c32ffaa0bdad5540
-
-The leading three characters represent the return code of the whack channel
-with 000 signifying that no error has occurred. Here is another example showing
-the use of the inbase and outbase attributes
-
-   ipsec scdecrypt m/ewDnTs0k...woE= --inbase base64 --outbase text
-
-where the result has the form
-
-   000 This is a secret
-
-By default the first RSA private key found by the PKCS#11 enumeration is
-used. If a different key should be selected then the notation introduced
-in sections 8.1 and 8.2 can be used:
-
-  --keyid %smartcard:50
-  --keyid %smartcard4:50
-  --keyid %smartcard#3
-
-with --keyid %smartcard#1 being the default. If supported by the smartcard
-and PKCS#11 library RSA encryption can be used with the notation
-
-   ipsec scencrypt <plaintext data>
-                   [--inbase  16|hex|64|base64|256|text|ascii]
-                   [--outbase 16|hex|64|base64|256|text|ascii]
-                   [--keyid <id>]
-
-with the example
-
-   ipsec scencrypt "This is a secret" --inbase ascii --outbase 64
-
-returning the expected output
-
-   000 m/ewDnTs0k...woE=
-
-
-9. Configuring the clients
-   -----------------------
-
-9.1 strongSwan
-    ----------
-
-A strongSwan to strongSwan connection is symmetrical. Any of the four defined
-ID types can be used, even different types on either end of the connection,
-although this wouldn't make much sense.
-
-+--------------------------------------------------------------+
-| Connection Definition        ID type          subjectAltName |
-|--------------------------------------------------------------|
-| rightid  (strongSwan)        DER_ASN1_DN      -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-|--------------------------------------------------------------|
-| leftid   (strongSwan)        DER_ASN1_DN      -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-+--------------------------------------------------------------+
-
-
-9.2 PGPnet
-    ------
-
-Use the file peerCert.p12 to import PGPnet's X.509 certificate, the CA
-certificate, plus the encrypted private key in binary PKCS#12 format into the
-PGPkey tool. You will be prompted for the passphrase securing the private key.
-
-Use the file myCert.pem to import the X.509 certificate of the strongSwan
-security gateway into the PGPkey tool. The PGPkeyTool does not accept X.509
-certificates in binary DER format, so it must be imported in base64 format:
-
-     -----BEGIN CERTIFICATE-----
-     M...
-
-     ...
-     -----END CERTIFICATE-----
-
-Make sure that there is no human-readable listing of the X.509 certificate in
-front of the line
-
-     -----BEGIN CERTIFICATE-----
-
-otherwise PGPnet will refuse to load the *.PEM file. Any surplus lines can
-either be deleted by loading the certificate into a text editor or you can
-apply the command
-
-     openssl x509 -in myCert.pem -out myCert.pem
-
-to achieve the same effect.
-
-With authentication based on X.509 certificates, PGPnet always sends the ID
-type DER_ASN1_DN, therefore rightid in the connection definition of the
-strongSwan security gateway must be an ASN.1 distinguished name.
-
-In the receiving direction PGPnet accepts all four ID types from strongSwan.
-
-+--------------------------------------------------------------+
-| Connection Definition        ID type          subjectAltName |
-|--------------------------------------------------------------|
-| rightid  (PGPnet)            DER_ASN1_DN      -              |
-|--------------------------------------------------------------|
-| leftid   (strongSwan)        DER_ASN1_DN      -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-+--------------------------------------------------------------+
-
+       crluri=http://crl.strongswan.org/strongswan.crl'
 
-9.3 SafeNet/Soft-PK/Soft-Remote
-    ---------------------------
 
-SafeNet/Soft-PK and SafeNet/Soft-Remote can be configured to send their
-identity either as DER_ASN1_DN, IPV4_ADDR, FQDN, or USER_FQDN.
-In the receiving direction SafeNet/Soft-PK and SafeNet/Soft-Remote
-accept all four ID types coming from strongSwan.
-
-+--------------------------------------------------------------+
-| Connection Definition        ID type          subjectAltName |
-|--------------------------------------------------------------|
-| rightid  (SafeNet/Soft-PK)   DER_ASN1_DN      -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-|--------------------------------------------------------------|
-| leftid  (strongSwan)         DER_ASN1_DN      -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-+--------------------------------------------------------------+
-
-
-9.4 SSH Sentinel
-    ------------
-
-SSH Sentinel sends its identity as DER_ASN1_DN if the subjectAltName field of
-its certificate is empty. If a subjectAltName field is present, then the
-corresponding type IPV4_ADDR, FQDN, or USER_FQDN is automatically chosen.
-With several subjectAltName entries, the precedence of the different ID types
-is not quite clear. In the receiving direction SSH Sentinel accepts all four
-ID types from strongSwan.
-
-+--------------------------------------------------------------+
-| Connection Definition        ID type          subjectAltName |
-|--------------------------------------------------------------|
-| rightid  (SSH Sentinel)      DER_ASN1_DN      -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-|--------------------------------------------------------------|
-| leftid  (strongSwan)         DER_ASN1_DN      -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-+--------------------------------------------------------------+
-
-
-9.5 Windows 2000/XP
-    ---------------
-
-Windows 2000 and Windows XP always send the ID type DER_ASN1_DN,
-therefore rightid in the connection definition of the strongSwan
-security gateway must be an ASN.1 distinguished name.In the
-receiving direction Windows 2000/XP accepts all four ID types
-from strongSwan.
-
-+--------------------------------------------------------------+
-| Connection Definition        ID type          subjectAltName |
-|--------------------------------------------------------------|
-| rightid  (Windows 2000/XP)   DER_ASN1_DN      -              |
-|--------------------------------------------------------------|
-| leftid   (strongSwan)        DER_ASN1_D       -              |
-|                              FQDN             DNS:           |
-|                              USER_FQDN        email:         |
-|                              IPV4_ADDR        IP:            |
-+--------------------------------------------------------------+
-
-
-10. Monitoring functions
-    --------------------
+8. Monitoring functions
+   --------------------
 
 strongSwan offers the following monitoring functions:
 
+The command
 
     ipsec listalgs
 
-lists all IKE and ESP cryptographic algorithms that are currently
+lists all IKE cryptographic algorithms that are currently
 registered with strongSwan.
 
-The a listing has the following form:
-
-  List of registered IKE Encryption Algorithms:
-
-  #3     OAKLEY_BLOWFISH_CBC, blocksize: 64, keylen: 128-128-256
-  #5     OAKLEY_3DES_CBC, blocksize: 64, keylen: 192-192-192
-  #7     OAKLEY_AES_CBC, blocksize: 128, keylen: 128-128-256
-  #65004 OAKLEY_SERPENT_CBC, blocksize: 128, keylen: 128-128-256
-  #65005 OAKLEY_TWOFISH_CBC, blocksize: 128, keylen: 128-128-256
-  #65289 OAKLEY_TWOFISH_CBC_SSH, blocksize: 128, keylen: 128-128-256
-
-  List of registered IKE Hash Algorithms:
-
-  #1     OAKLEY_MD5, hashsize: 128
-  #2     OAKLEY_SHA, hashsize: 160
-  #4     OAKLEY_SHA2_256, hashsize: 256
-  #6     OAKLEY_SHA2_512, hashsize: 512
-
-  List of registered IKE DH Groups:
-
-  #2     OAKLEY_GROUP_MODP1024, groupsize: 1024
-  #5     OAKLEY_GROUP_MODP1536, groupsize: 1536
-  #14    OAKLEY_GROUP_MODP2048, groupsize: 2048
-  #15    OAKLEY_GROUP_MODP3072, groupsize: 3072
-  #16    OAKLEY_GROUP_MODP4096, groupsize: 4096
-  #17    OAKLEY_GROUP_MODP6144, groupsize: 6144
-  #18    OAKLEY_GROUP_MODP8192, groupsize: 8192
-
-  List of registered ESP Encryption Algorithms:
-
-  #3     ESP_3DES, blocksize: 64, keylen: 168-168
-  #7     ESP_BLOWFISH, blocksize: 64, keylen: 96-128
-  #12    ESP_AES, blocksize: 128, keylen: 128-256
-  #252   ESP_SERPENT, blocksize: 128, keylen: 128-256
-  #253   ESP_TWOFISH, blocksize: 128, keylen: 128-256
-
-  List of registered ESP Authentication Algorithms:
-
-  #1     AUTH_ALGORITHM_HMAC_MD5, keylen: 128-128
-  #2     AUTH_ALGORITHM_HMAC_SHA1, keylen: 160-160
-  #5     AUTH_ALGORITHM_HMAC_SHA2_256, keylen: 256-256
-  #7     AUTH_ALGORITHM_HMAC_SHA2_512, keylen: 512-512
-
-
-The command
-
-    ipsec listpubkeys [--utc]
-
-lists all public keys currently installed in the chained list of public
-keys. These keys were statically loaded from ipsec.conf or acquired either
-from received certificates or retrieved from secure DNS servers using
-opportunistic mode.
-
-The public key listing has the following form:
-
-  Feb 11 14:40:18 2005, 2048 RSA Key AwEAAa+uL,
-         until Sep 09 13:17:25 2009 ok
-         ID_FQDN '@moon.strongswan.org'
-         issuer: 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         serial: '03'
-  Feb 11 14:40:18 2005, 2048 RSA Key AwEAAa+uL,
-         until Sep 09 13:17:25 2009 ok
-         ID_DER_ASN1_DN 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
-         issuer: 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         serial: '03'
-  Feb 11 13:36:53 2005, 2048 RSA Key AwEAAbgbh,
-         until Dec 31 22:43:18 2009 ok
-         ID_USER_FQDN 'carol@strongswan.org'
-         issuer: 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         serial: '0a'
-
-It consists of
-
- - the date the public key was installed either in local time or UTC (--utc)
- - the modulus size of the RSA key in bits
- - a keyID consisting of 9 base64 symbols representing the public exponent
-   and the most significant bits of the modulus
- - the expiration date of the public key (extracted from the certificate)
- - the type and value of the ID associated with the public key.
- - the issuer of the certificate the public key was extracted from.
- - the serial number of the certificate the public key was extracted from.
-
-A public key can be associated with several IDs, e.g. using subjectAltNames
-in certificates and an ID can possess several public keys, e.g. retrieved
-from a secure DNS server.
-
 
 The command
 
@@ -2240,78 +1373,13 @@ The command
 lists all local certificates, both strongSwan's own and those of
 trusted peer loaded via leftcert and rightcert, respectively.
 
-The output has the form
-
-  Feb 11 13:36:47 2005, count: 4
-         subject:  'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
-         issuer:   'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         serial:    03
-         pubkey:    2048 RSA Key AwEAAa+uL, has private key
-         validity:  not before Sep 10 13:17:25 2004 ok
-                    not after  Sep 09 13:17:25 2009 ok
-         subjkey:   e5:e4:10:87:6c:2a:c4:be:ad:85:49:42:a6:de:76:58:30:3a:9f:c1
-         authkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
-         aserial:   00
-
-and shows
-
- - the date the certificate was installed either in local time or UTC (--utc)
- - the count shows how many connections refer to this certificate
- - the subject of the certificate
- - the issuer of the certificate
- - the serial number of the certificate
- - the size and keyid of the RSA public key contained in the certificate.
-   the label "has private key" indicates that a matching RSA private key
-   has been found, defined or loaded in ipsec.secrets.
- - the label "on smartcard" indicates that the certificate was loaded from
-   a smartcard or cryptotoken and that most probably a matching RSA private
-   key also resides on-card.
- - the validity of the CA certificate expressed either in local time or
-   UTC (--utc). The validity is checked automatically resulting either
-   in an "ok" message or a "fatal" error message.
- - the optional subjectKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the certificate's public key.
- - the optional authorityKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the public key of the issuer who signed the certificate.
- - the serial number of the issuer's certificate.
-
 
 The command
 
     ipsec listcacerts [--utc]
 
 lists all CA certificates that have been either been loaded from the directory
-/etc/ipsec.d/cacerts/ or received via the IKE protocol. The output has the form
-
-  Feb 11 13:36:52 2005, count: 1
-         subject:  'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         issuer:   'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         serial:    00
-         pubkey:    2048 RSA Key AwEAAb/yX
-         validity:  not before Sep 10 13:01:45 2004 ok
-                    not after  Sep 08 13:01:45 2014 ok
-         subjkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
-         authkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
-         aserial:   00
-
-and shows
-
- - the date the CA certificate was installed either in local time or UTC (--utc)
- - the count is always set to 1
- - the subject of the CA certificate
- - the issuer of the CA certificate
- - the serial number of the CA certificate
- - the size and keyid of the RSA public key contained in the certificate.
- - the validity of the CA certificate expressed either in local time or
-   UTC (--utc). The validity is checked automatically resulting either
-   in an "ok" message or a "fatal" error message.
- - the optional subjectKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the CA certificate's public key.
- - the optional authorityKeyIdentifier extension which is a 20 byte SHA-1 hash 
-   over the public key of the issuer who signed the CA certificate.
-   For Root CA certificates the authorityKeyIdentifier and subjectKeyIdentifier
-   fields must be equal.
- - the serial number of the issuer's certificate.
+/etc/ipsec.d/cacerts/ or received via the IKE protocol.
 
 
 The command
@@ -2320,35 +1388,6 @@ The command
 
 lists all Authorization Authority certificates that have been loaded from
 the directory /etc/ipsec.d/aacerts/.
-The output has the form
-
-  Dec 20 13:29:55 2004, count: 1
-         subject:  'C=CH, O=strongSec GmbH, CN=strongSec Authorization Authority'
-         issuer:   'C=CH, O=strongSec GmbH, CN=strongSec Root CA'
-         serial:    0f
-         pubkey:    2048 RSA Key AwEAAfazH
-         validity:  not before Aug 24 13:41:56 2003 ok
-                    not after  Aug 23 13:41:56 2005 ok
-         subjkey:   56:89:b9:28:c9:1b:a0:00:7f:50:9d:ec:28:75:23:c1:1e:d1:dd:90
-         authkey:   af:80:d5:c6:02:1c:96:78:b3:85:a5:65:a2:23:fd:ad:cf:e2:55:b2
-         aserial:   00
-
-and shows
-
- - the date the AA certificate was installed either in local time or UTC (--utc)
- - the count is always set to 1
- - the subject of the AA certificate
- - the issuer of the AA certificate
- - the serial number of the AA certificate
- - the size and keyid of the RSA public key contained in the certificate.
- - the validity of the AA certificate expressed either in local time or
-   UTC (--utc). The validity is checked automatically resulting either
-   in an "ok" message or a "fatal" error message.
- - the optional subjectKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the AA certificate's public key.
- - the optional authorityKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the public key of the issuer who signed the AA certificate.
- - the serial number of the issuer's certificate.
 
 
 The command
@@ -2357,36 +1396,7 @@ The command
 
 lists all OCSO signer certificates that have been either loaded from
 /etc/ipsec.d/ocspcerts/ or have been received included in the OCSP server
-response. The output has the form
-
-  Feb 09 22:56:17 2005, count: 1
-         subject:  'C=CH, O=Linux strongSwan, OU=OCSP, CN=ocsp.strongswan.org'
-         issuer:   'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         serial:    09
-         pubkey:    2048 RSA Key AwEAAaonT
-         validity:  not before Nov 19 17:29:28 2004 ok
-                    not after  Nov 18 17:29:28 2009 ok
-         subjkey:   88:07:0a:b8:ae:c7:c1:07:5c:be:68:6a:c4:a5:7f:81:1f:37:b5:56
-         authkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
-         aserial:   00
-
-and shows
-
- - the date the OCSP signer certificate was installed either in local time
-   or UTC (--utc)
- - the count is always set to 1
- - the subject of the OCSP signer certificate
- - the issuer of the OCSP signer certificate
- - the serial number of the OCSP signer certificate
- - the size and keyid of the RSA public key contained in the certificate.
- - the validity of the OCSP signer certificate expressed either in local time
-   or UTC (--utc). The validity is checked automatically resulting either
-   in an "ok" message or a "fatal" error message.
- - the optional subjectKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the OCSP signer certificate's public key.
- - the optional authorityKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the public key of the issuer who signed the OCSP certificate.
- - the serial number of the issuer's certificate.
+response.
 
 
 The command
@@ -2395,59 +1405,6 @@ The command
 
 lists all X.509 attribute certificates that have been loaded from the directory
 /etc/ipsec.d/acerts/.
-The output has the form
-
-  Dec 20 13:29:56 2004
-         holder:   'C=CH, O=strongSec GmbH, CN=Andreas Steffen'
-         hissuer:  'C=CH, O=strongSec GmbH, CN=strongSec Root CA'
-         hserial:   1e
-         groups:    Research, Sales
-         issuer:   'C=CH, O=strongSec GmbH, CN=strongSec Authorization Authority'
-         serial:    2c
-         validity:  not before Dec 19 14:51:38 2004 ok
-                    not after  Dec 20 14:51:38 2004 fatal (expired)
-         authkey:   56:89:b9:28:c9:1b:a0:00:7f:50:9d:ec:28:75:23:c1:1e:d1:dd:90
-         aserial:   0f
-
-and shows
-
- - the date the attribute certificate was installed either in local time
-   or UTC (--utc)
- - the holder of the attribute certificate
- - the issuer of holder's certificate
- - the serial number of the holder's certificate
- - the group attributes
- - the issuing Authorization Authority of the attribute certificate
- - the serial number of the attribute certificate
- - the validity of the attribute certificate expressed either in local time or
-   UTC (--utc). The validity is checked automatically resulting either
-   in an "ok" message or a "fatal" error message.
- - an authorityKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the public key of the issuing Authorization Authority
- - the serial number of the AA certificate.
-
-
-The command
-
-    ipsec listgroups [--utc]
-
-lists all group attributes either defined in right|leftgroups statements
-in ipsec.conf or contained in loaded X.509 attribute certificates.
-The output has the form
-
-  Dec 20 13:29:55 2004, count: 4
-         Research
-  Dec 20 13:30:04 2004, count: 1
-         Research New York
-  Dec 20 13:29:55 2004, count: 3
-         Sales
-
-and shows
-
- - the date the group attribute was first installed either in local time
-   or UTC (--utc)
- - the count shows how many times the attribute is used
- - the group name
 
 
 The command
@@ -2455,28 +1412,6 @@ The command
     ipsec listcainfos [--utc]
 
 lists the properties defined by the ca definition sections in ipsec.conf.
-The output has the form
-
-  Jun 08 22:31:37 2004, "strongswan"
-         authname: 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         ldaphost: 'ldap.strongswan.org'
-         ocspuri:  'http://ocsp.strongswan.org:8880'
-         distPts:  'http://crl.strongswan.org/strongswan.crl'
-                   'ldap:///O=Linux strongSwan, C=CH?certificateRevocationList'
-         authkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
-         aserial:   00
-
-and shows
-
- - the date the CA definition was loaded either in local time or UTC (--utc)
- - the name of the ca section
- - the distinguished name of the CA
- - an optional default ldap host for the CA
- - an optional OCSP URI
- - a maximum of two optional CRL distribution points
- - the optional authorityKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the public key of the CA.
- - the serial number of the CA.
 
 
 The command
@@ -2484,32 +1419,6 @@ The command
     ipsec listcrls [--utc]
 
 lists all CRLs that have been loaded from /etc/ipsec.d/crls/.
-The output has the form
-
-  Feb 11 13:37:00 2005, revoked certs: 1
-         issuer:   'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         distPts:  'http://crl.strongswan.org/strongswan.crl'
-         updates:   this Feb 08 07:46:29 2005
-                    next Mar 10 07:46:29 2005 ok
-         authkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef 
-         aserial:   00
-
-and shows
-
- - the date the CRL was installed either in local time or UTC (--utc)
- - the number revoked certificates
- - the issuer of the CRL
- - the URLs of the distribution points where the CRL can be fetched from.
- - the dates when the CRL was issued and when the next update
-   is expected, respectively, expressed either in local time or
-   UTC (--utc). It is automatically checked if the next update
-   deadline has passed, resulting either in an "ok" message, a
-   a "warning" message when strictcrlpolicy=no or a "fatal" message when
-   strictcrlpolicy=yes.
- - the optional authorityKeyIdentifier extension which is a 20 byte SHA-1 hash
-   over the public key of the issuer who signed the CRL. This extension is 
-   present in version 2 CRLs, only.
- - the serial number of the issuer's certificate.
 
 
 The command
@@ -2517,114 +1426,43 @@ The command
 
     ipsec listocsp [--utc]
 
-lists the contents of the OCSP response cache. The output has the form
-
-         issuer:  'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
-         uri:     'http://ocsp.strongswan.org:8880'
-         authname: 13:9d:a0:9e:f4:32:ab:8f:e2:89:56:67:fa:d0:d4:e3:35:86:71:b9
-         authkey:  5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
-         aserial:  00
-  Feb 09 22:56:17 2005, until Feb 09 23:01:17 2005 warning (expires in 4 minutes)
-         serial:   0a, good
-
-and shows
-
- - the distinguished name of the CA handled by the OCSP server
- - the http URI of the OCSP server.
- - the 20 byte SHA-1 hash of the CA's distinguished name
- - the 20 byte SHA-1 hash of the CA's public key
- - the serial number of the CA's certificate
- - a certificate status list showing
-    - the time the OCSP status was received
-    - an optional nextUpdate deadline (if missing the OCSP status will be
-      onetime with a lifetime of 2 minutes only).
-    - the serial number of the certificate
-    - the status of the certificate (good, revoked, unknown)
-
-
-The command
-
-    ipsec listcards [--utc]
-
-lists all smartcard records that are currently in use by Pluto.
-The output has the form
-
-  Aug 17 16:47:59 2005, #1, count: 6
-         slot:     0, session closed, logged out, has valid pin
-         id:       45
-         label:   'strongSwan'
-         subject: 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org'
-
-with pkcs11keepstate=no and
-
-  Aug 17 16:47:59 2005, #1, count: 6
-         slot:     0, session opened, logged in, has pin pad
-         id:       45
-         label:   'strongSwan'
-         subject: 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org'
-
-with pkcs11keepstate=yes and shows
-
-- the date the certificate was read from the smartcard record
-- the certificate objects are numbered starting from #1
-- the count shows how many connections and secret pin entries point
-  to the smartcard record
-- the PKCS #11 slot number
-- the PKCS #11 session state: closed | opened
-- the PKCS #11 session login state: logged out | logged in
-- the status of the PIN: no pin | valid pin | invalid pin | pin pad
-- the ID of the certificate object
-- the label of the certificate object
-- the subject distinguished name of the certificate
+lists the contents of the OCSP response cache.
 
 
 The command
 
-    ipsec auto --listall [--utc]
+    ipsec listall [--utc]
 
-is equivalent to
-
-    ipsec listalgs
-    ipsec listpubkeys [--utc]
-    ipsec listcerts [--utc]
-    ipsec listcacerts [--utc]
-    ipsec listaacerts [--utc]
-    ipsec listocspcerts [--utc]
-    ipsec listacerts [--utc]
-    ipsec listgroups [--utc]
-    ipsec listcainfos [--utc]
-    ipsec listcrls [--utc]
-    ipsec listocsp [--utc]
-    ipsec listcards [--utc]
+is equivalent to using all of the above commands.
 
 
-11. Firewall support functions
-    --------------------------
+9. Firewall support functions
+   --------------------------
 
 
-11.1 Environment variables in the updown script
-     ------------------------------------------
+9.1 Environment variables in the updown script
+    ------------------------------------------
 
 strongSwan makes the following environment variables available
 in the updown script indicated by the leftupdown option:
 
-+------------------------------------------------------------------+
-| Variable               Example                    Comment        |
-|------------------------------------------------------------------|
-| $PLUTO_PEER_ID         carol@strongswan.org       USER_FQDN  (1) |
-|------------------------------------------------------------------|
-| $PLUTO_PEER_PROTOCOL   17                         udp        (2) |
-|------------------------------------------------------------------|
-| $PLUTO_PEER_PORT       68                         bootpc     (3) |
-|------------------------------------------------------------------|
-| $PLUTO_PEER_CA         C=CH, O=ACME, CN=Sales CA             (4) |
-|------------------------------------------------------------------|
-| $PLUTO_MY_ID           @moon.strongswan.org       FQDN       (1) |
-|------------------------------------------------------------------|
-| $PLUTO_MY_PROTOCOL     17                         udp        (2) |
-|------------------------------------------------------------------|
-| $PLUTO_MY_PORT         67                         bootps     (3) |
-+------------------------------------------------------------------+
++-------------------------------------------------------------------+
+| Variable               Example                    Comment         |
+|-------------------------------------------------------------------|
+| $PLUTO_PEER_ID         carol@strongswan.org       RFC822_ADDR (1) |
+|-------------------------------------------------------------------|
+| $PLUTO_PEER_PROTOCOL   17                         udp         (2) |
+|-------------------------------------------------------------------|
+| $PLUTO_PEER_PORT       68                         bootpc      (3) |
+|-------------------------------------------------------------------|
+| $PLUTO_PEER_CA         C=CH, O=ACME, CN=Sales CA              (4) |
+|-------------------------------------------------------------------|
+| $PLUTO_MY_ID           @moon.strongswan.org       FQDN        (1) |
+|-------------------------------------------------------------------|
+| $PLUTO_MY_PROTOCOL     17                         udp         (2) |
+|-------------------------------------------------------------------|
+| $PLUTO_MY_PORT         67                         bootps      (3) |
++-------------------------------------------------------------------+
 
 (1) $PLUTO_PEER_ID/$PLUTO_MY_ID contain the IDs of the two ends
     of an established connection. In our examples these
@@ -2643,27 +1481,23 @@ in the updown script indicated by the leftupdown option:
 (4) $PLUTO_PEER_CA contains the distinguished name of the CA that
     issued the peer's certificate.
 
+There are several more, refer to the provided default script for a documentation
+of these.
 
-11.2 Automatic insertion and deletion of iptables firewall rules
-     -----------------------------------------------------------
 
-Starting with strongswan-2.7.0, the default _updown script automatically inserts
-and deletes dynamic iptables firewall rules upon the establishment or teardown,
-respectively, of an IPsec security association. This new feature is activated
-with the line
-
-   leftfirewall=yes
+9.2 Automatic insertion and deletion of iptables firewall rules
+    -----------------------------------------------------------
 
-and can be used when the following prerequisites are fulfilled:
+The default _updown script automatically inserts and deletes dynamic iptables
+firewall rules upon the establishment or teardown, respectively, of an IPsec
+security association.  This feature is activated with the line
 
-  - Linux 2.6.16 kernel or newer, native NETKEY IPsec stack, and
-    iptables-1.3.5 or newer. Filtering of tunneled traffic is based on
-    IPsec policy matching rules.
+   leftfirewall=yes
 
 If you define a local client subnet with a netmask larger than /32 behind
 the gateway then the automatically inserted FORWARD iptables rules will
 not allow to access the internal IP address of the host although it is
-part of the client subnet definition. If you want additional INPUT and
+part of the client subnet definition.  If you want additional INPUT and
 OUTPUT iptables rules to be inserted, so that the host itself can be accessed
 then add the following line:
 
@@ -2678,473 +1512,3 @@ Jul 19 18:58:38 moon vpn:
     + @carol.strongswan.org  192.168.0.100 -- 192.168.0.1 == 10.1.0.0/16
 Jul 19 22:15:17 moon vpn:
     - @carol.strongswan.org  192.168.0.100 -- 192.168.0.1 == 10.1.0.0/16
-
-
-11.3 Sample Linux 2.6 updown script for iptables < 1.3.5
-     ---------------------------------------------------
-
-If you are using a Linux 2.6 kernel older than 2.6.16 or an iptables version
-older than 1.3.5 then the IPsec policy matching rules will not be available.
-In order to make sure that only tunneled packets are accepted, a mark can be
-set on incoming ESP packets. This "ESP" mark will be retained on the
-decapsulated packet so that iptables rules inserted by the updown script can
-check on the presence of this mark. For this purpose the template located in
-
-   programs/_updown_espmark
-
-can be used. Store a copy of _updown_espmark e.g. in /etc/ipsec.updown and load
-the script with the line
-
-  leftupdown=/etc/updown.ipsec.
-
-In addition for the dynamic updown script to work the following static iptables rules
-must be applied:
-
-   iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
-
-
-12. Authentication with raw RSA public keys
-    ---------------------------------------
-
-FreeS/WAN, as it is available from www.freeswan.org does public key 
-authentication with raw RSA public keys that are directly defined in
-/etc/ipsec.conf
-
-    rightrsasigkey=0sAq4c....
-
-When version 1.x of standard FreeS/WAN receives a certificate request (CR),
-it immediately drops the negotiation because it does not know how to answer
-the request. As a workaround strongSwan does not send a CR if the RSA
-key has been statically loaded using [right/left]rsasigkey. A problem
-remains with roadwarriors initiating a connection. Since strongSwan
-does not know the identity of the initiating peer in advance, it will always
-send a CR, causing the rupture of the IKE negotiation if the peer is a
-version 1.x  FreeS/WAN host. To circumvent this problem the configuration
-parameter 'nocrsend' can be set in the config setup section of /etc/ipsec.conf:
-
-    config setup:
-        nocrsend=yes
-
-With this entry no certificate request is sent in any connection.
-The default setting is nocrsend=no.
-
-
-13. Authentication with OpenPGP certificates
-    ----------------------------------------
-
-strongSwan also supports RSA based authentication using OpenPGP
-certificates and OpenPGP V3 fingerprints used as an KEY_ID identifier.
-
-
-13.1 OpenPGP certificates
-     --------------------
-     
-OpenPGP certificates containing RSA public keys can now directly be loaded
-in ASCII armored PGP format using the leftcert and rightcert parameters
-in /etc/ipsec.conf:
-
-  conn pgp
-       right=%any
-       righcert=peerCert.asc
-       left=%defaultroute
-       leftcert=gatewayCert.asc
-
-The peer certificate must be stored locally (the default directory is
-/etc/ipsec.d/certs) since currently no trust can be established for
-PGP certificates received from a peer via the IKE protocol.
-
-
-13.2 OpenPGP private keys
-     --------------------
-     
-PGP private keys in unencrypted form can now directly be loaded in ASCII
-armored PGP format via an entry in /etc/ipsec.secrets:
-
-  : RSA gatewayKey.asc
-
-Existing IDEA-encrypted RSA private keys can be unlocked with GnuPG and
-the IDEA extension (see http://www.gnupg.org/gph/en/pgp2x.html) using
-the commands
-
-  gpg --import gatewayCert.asc
-
-  gpg --allow-secret-key-import --import gatewayKey.asc
-
-  gpg --edit-key <gateway ID>
-  > passwd                    #change to empty password
-  > save
-
-  gpg -a --export-secret-key <gateway ID> gatewayKey.asc
-
-
-13.3 Monitoring functions
-     --------------------
-
-The command ipsec listcerts shows all loaded PGP certificates
-in the following format:
-
-  Aug 28 09:51:55 2002, count: 1
-         fingerprint:  0x1ccfca12d93467ffa9d5093d87a465dc
-         pubkey:   1024 RSA Key ARHso6uKQ
-         created:  Aug 27 08:51:39 2002
-         until:    --- -- --:--:-- ---- ok (expires never)
-
-The entries are
-
- - the date the certificate was loaded either in local time or UTC (--utc)
- - the V3 fingerprint consisting of the 16 byte MD5 hash of the public key
-   which is used as an ID of type KEY_ID
- - the modulus size of the RSA key in bits
- - a keyID consisting of 9 base64 symbols representing the public exponent
-   and the most significant bits of the modulus
- - the creation date of the public key (extracted from the certificate)
- - the optional expiration date of the public key (extracted from the
-   certificate)
-
-
-13.4 Suppression of certificate request messages
-     -------------------------------------------
-
-PGPnet configured to work with OpenPGP certificates aborts the IKE
-negotiation when it receives a X.509 certificate. Therefore it is recommended
-(mandatory for roadwarrior connections) to set
-
-    config setup:
-        nocrsend=yes
-
-in /etc/ipsec.conf.
-
-
-14. Additional Features
-    -------------------
-
-
-14.1 Authentication and encryption algorithms
-     ----------------------------------------
-
-strongSwan supports the following suite of encryption and authentication
-algorithms for both IKE and ESP payloads.
-
-+------------------------------------------------------------------+
-| IKE algorithms (negotiated in Phase 1 Main Mode)                 |
-+------------------------------------------------------------------+
-| Encryption algorithms:  3des, aes, serpent, twofish, blowfish    |
-|------------------------------------------------------------------|
-| Hash algorithms:        md5, sha, sha2                           |
-|------------------------------------------------------------------|
-| DH groups:              1024, 1536, 2048, 3072, 4096, 6144, 8192 |
-+------------------------------------------------------------------+
-
-NOTE: For IKE the SHA-1 algorithm is denoted by "sha"
-
-The cryptographic IKE algorithms listed above are a fixed part of the
-strongSwan distribution. Particular algorithms can be added or removed
-in the "programs/pluto/alg" directory.
-  
-+------------------------------------------------------------------+
-| ESP algorithms (negotiated in Phase 2 Quick Mode)                |
-+------------------------------------------------------------------+
-| Encryption algorithms:  3des, aes, serpent, twofish, blowfish    |
-|------------------------------------------------------------------|
-| Hash algorithms:        md5, sha1, sha2                          |
-|------------------------------------------------------------------|
-| PFS groups:             1024, 1536, 2048, 3072, 4096, 6144, 8192 |
-+------------------------------------------------------------------+
-
-The cryptographic ESP algorithms listed above are a fixed part of the
-strongSwan distribution. If your Linux 2.4 or 2.6 kernel includes the
-CryptoAPI then additional ESP algorithms can be added or deleted as
-kernel modules.
-
-The IKE and ESP cryptographic algorithms to be proposed to the peer
-as an initiator can be specified on a per connection basis in the form
-
-conn normal
-     ...
-     ike=aes128-sha-modp1536,3des-sha-modp1536
-     esp=aes128-sha1,3des-sha1
-     ...
-
-or if you are more paranoid
-
-conn paranoid
-     ...
-     ike=aes256-sha2_512-modp2048
-     esp=aes256-sha2_512
-     ...
-
-If the the "ike" and "esp" configuration parameters are missing in
-ipsec.conf, then the default settings
-   
-    ike=3des-md5-modp1536,3des-sha-modp1536,\
-        3des-md5-modp1024,3des-sha-modp1024
-    esp=3des-md5,3des-sha1
-
-arre implicitly assumed. The 3DES encryption algorithm and the MD5 and
-SHA-1 hash algorithms are hardcoded into strongSwan and cannot be removed.
-
-If Perfect Forward Secrecy (PFS is desired), then a PFS group can be
-optionally specified:
-
-conn make_sure
-     ...
-     pfs=yes
-     pfsgroup=modp2048,modp1536
-     ...
-
-If the "pfs" parameter is missing then "pfs=yes" is assumed by default.
-This means that PFS must be disabled explicitly by setting "pfs=no".
-
-If the "pfsgroup" parameter is missing then the default is
-
-    pfsgroup=<Phase1 DH group>
-    
-The "ike" and "esp" parameters are used to formulate one or several
-transform proposals to the peer if the strongSwan VPN host is the initiator.
-Attention! As a responder the first proposal from the peer is accepted that
-is supported the by one of the registered algorithms listed by the command
-
-    ipsec listalgs
-    
-If the responder wants to restrict the allowed cipher suites the '!' flag
-can be used to do so. The configuration
-
-conn normal_but_strict
-     ...
-     ike=aes128-sha-modp1536,3des-sha-modp1536!
-     esp=aes128-sha1,3des-sha1!
-     ...
-
-will only permit the listed algorithms defined above but no other methods
-even if they might be supported by the responder.
-
-
-14.2 NAT traversal
-     -------------
-
-Currently please refer to README.NAT-Traversal document in the strongSwan
-distribution.
-
-
-14.3 Dead peer detection
-    --------------------
-
-strongSwan implements the RFC 3706 Dead Peer Detection (DPD) keep-alive
-scheme. If an established IPsec SA has been idle (i.e. without any traffic)
-for N seconds (dpddelay=N) then strongSwan side sends a "hello" message
-(R_U_THERE) and the peer replies with an acknowledge message (R_U_THERE_ACK).
-If no response is received, the R_U_THERE messages are repeated until a DPD
-timeout of M seconds (dpdtimeout=M) has elapsed. If still no traffic or 
-R_U_THERE_ACK packets were received, the peer is declared to be dead and all
-SAs belonging to a common Phase 1 SA are deleted.
-
-DPD support is tuneable on a per connection basis by using the dpdaction,
-dpddelay and dpdtimeout directives:
-
-   conn roadwarrior
-	right=%any
-	left=%defaultroute
-	leftsubnet=10.1.0.0/16
-	dpdaction=clear
-
-   conn net-to-net
-	right=192.168.0.2
-	rightsubnet=10.2.0.0/16
-	left=%defaultroute
-	leftsubnet=10.1.0.0/16
-	dpdaction=hold
-	dpddelay=60
-	dpdtimeout=500
-
-In the first example dpdaction=clear activates the DPD mechanism under the
-condition that the peer supports RFC 3706. The values dpddelay=30s and
-dpdtimeout=120s are assumed by default in the absence of these parameters, so
-that during idle periods an R_U_THERE packet is sent every 30 seconds. If no
-traffic or a no R_U_THERE_ACK packet is received from the peer within a
-120 second time span, the peer will be declared dead and all SAs and associated
-eroutes will be cleared.
-
-In the second example R_U_THERE packets are sent every 60 seconds and the
-parameter setting dpdaction=hold will put the eroute of the ruptured connection
-into a %trap state, so that when new outgoing traffic will occur, the
-correspondig connection will be automatically renegotiated as soon as the
-peer is up again.
-
-It is recommended to use dpdaction=hold for statically defined connections and
-dpdaction=clear for dynamic roadwarrior connections. The default value is
-dpdaction=none, which disables DPD.
-
-
-14.4 IKE Mode Config Pull Mode
-     -------------------------
-
-The IKE Mode Config protocol <draft-ietf-ipsec-isakmp-mode-cfg-04.txt> allows
-the dynamic assignment of virtual IP addresses and optional DNS and WINS server
-information to IPsec clients. As a default the "Mode Config Pull Mode" is
-used where the client actively sends a Mode Config request to the server
-in order to obtain a virtual IP. The server answers with a Mode Config reply
-message containing the requested information.
-
-Client side configuration (carol):
-
-  conn home
-       right=192.168.0.1
-       rightsubnet=10.1.0.0/16
-       rightid=@moon.strongswan.org
-       left=%defaultroute
-       leftsourceip=%modeconfig
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       auto=start
-
-Server side configuration (moon):
-
-  conn roadwarrior
-       right=%any
-       rightid=carol@strongswan.org
-       rightsourceip=10.3.0.1
-       left=%defaultroute
-       leftsubnet=10.1.0.0/16
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       auto=add
-
-The wildcard %modeconfig or %modecfg used in the leftsourceip parameter of the
-client will trigger a Mode Config request. Currently the server will return
-the virtual IP address defined by the rightsourceip parameter. In the future
-an LDAP-based lookup mechanism will be supported.
-
-
-14.5 IKE Mode Config Push Mode
-     -------------------------
-
-Cisco VPN equipment uses the alternative "Mode Config Push Mode" where the
-initiating clients waits for the server to push down a virtual address via
-a Mode Config set message. The receipt is acknowledged by the client with a
-Mode Config ack message.
-
-Mode Config Push Mode is activated by the parameter
-
-  modeconfig=push
-
-as part of the connection definition in ipsec.conf. The default value is 
-modeconfig=pull.
-
-
-14.6 XAUTH - Extended Authentication
-     -------------------------------
-
-The XAUTH protocol <draft-beaulieu-ike-xauth-02.txt> allows an extended
-client authentication using e.g. a username/password paradigm in addition
-to the IKE Main Mode authentication. Thus XAUTH can be used in conjunction
-with Pre-Shared Keys (PSK) by defining
-
-  authby=xauthpsk
-
-or with RSA signatures
-
-  authby=xauthrsasig
-
-in the connection definition, correspondingly. strongSwan can act either as
-an XAUTH client with
-
-  xauth=client
-
-or as an XAUTH server with
-
-  xauth=server
-
-with xauth=client being the default value. strongSwan integrates a default
-implementation where the XAUTH user credentials are stored on both the
-server and the client in the /etc/ipsec.secrets file, using the syntax
-
-  : XAUTH john "rT6q!V2p"
-
-The client must not have more than one XAUTH entry whereas the server can
-contain an unlimited number of user credentials in ipsec.secrets.
-
-Either the prompting on the client side or the verification of the user
-credentials on the server side can be implemented as a customized XAUTH
-dynamic library module. The corresponding library interface is defined
-by the pluto/xauth.h header file.
-
-
-15. Copyright statement and acknowledgements
-    ----------------------------------------
-
-
-		     FreeS/WAN version base system:
-
-			Copyright (c) 1999-2004
-		     Henry Spencer, Richard Guy Briggs,
-	    D. Hugh Redelmeier, Sandy Harris, Claudia Schmeing,
-	 Michael Richardson, Angelos D. Keromytis, John Ioannidis,
-
-     NAT-Traversal, ipsec starter, Delete SA and Notification messages:
-
-		 Copyright (c) 2002-2003, Mathieu Lafon
-
-		 Additional cryptoalgorithms (AES, etc):
-
-		Copyright (c) 2002-2003, JuanJo Ciarlante
-		
-		         Dead Peer Detection:
-
-			 Copyright (c) 2002-2004
-		Ken Bantoft, JuanJo Ciarlante, Philip Craig,
-		  Pawel Krawczyk, Srinvasan Venkataraman
-
-		      Porting to Linux 2.6 kernel:
-
-		     Copyright (c) 2003, Herbert Xu
-
-			  Dynamic CRL fetching:
-
-		   Copyright (c) 2002, Stephane Laroche
-
-		        IKE Mode Config and XAUTH protocol:
-
-		   Copyright (c) 2001-2002, Colubris Networks
-
-		        Virtual IP and source routing: 
-
-		     Copyright (c) 2003, Tuomo Soini
-
-	      Port and protocol selectors for outbound traffic:
-
-		   Copyright (c) 2002, Stephen J. Bevan
-
-			  PGPnet-RSA parts of patch:
-
-	               Copyright (c) 2000, Kai Martius
-
-		   X.509, OCSP and smartcard functionality:
-
-  Copyright (c) 2000, Andreas Hess, Patric Lichtsteiner, Roger Wegmann
-  Copyright (c) 2001, Marco Bertossa, Andreas Schleiss
-  Copyright (c) 2002, Uli Galizzi, Ariane Seiler, Mario Strasser
-  Copyright (c) 2002, Martin Berner, Lukas Suter
-  Copyright (c) 2003, Christoph Gysin, Simon Zwahlen
-  Copyright (c) 2004, David Buechi, Michael Meier
-  Copyright (c) 2000-2005, Andreas Steffen
-
-      Zurich University of Applied Sciences in Winterthur, Switzerland
-
-				scepclient:
-
-               Copyright (c) 2005, Jan Hutter, Martin Willi
-               Copyright (c) 2005-2007, Andreas Steffen
-
-        University of Applied Sciences in Rapperswil, Switzerland
-
-  This program is free software; you can redistribute it and/or modify
-  it under the terms of the GNU General Public License as published by
-  the Free Software Foundation; either version 2 of the License, or
-  (at your option) any later version. See http://www.fsf.org/copyleft/gpl.txt.
-
-  This program is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-  or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-  for more details.
------------------------------------------------------------------------------
-
diff --git a/TODO b/TODO
index 458384a8d..186d4d02b 100644
--- a/TODO
+++ b/TODO
@@ -2,31 +2,7 @@
                   strongSwan - TODO
                  ----------------------
 
-This is a TODO list we should keep in mind. A roadmap of the strongSwan
-project is available online at:
+A roadmap of the strongSwan project is available online at:
 
         http://wiki.strongswan.org/projects/strongswan/roadmap
 
-Certificate support
--------------------
-- synchronized CRL fetcher
-- Smartcard interface
-- Attribute certificates
-
-Stroke interface
-----------------
-- add a Rekey-Counter for SAs in "statusall"
-- ipsec statusall bytecount
-
-Misc
-----
-- Address pool/backend for virtual IP assignement
-
-libstrongswan stuff
--------------------
-- Header installation support (#include <strongswan/strongswan.h>?)
-- object style for leak detective, include an API
-- Cleanup/Refactor PEM/ASN1 stuff
-- replace file reads through chunk_read
-- rewrite lexparser in object-oriented style
-
diff --git a/aclocal.m4 b/aclocal.m4
index 9d68d0d80..871193eef 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,7 +1,8 @@
-# generated automatically by aclocal 1.11.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.11.6 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008, 2009  Free Software Foundation, Inc.
+# 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
+# Inc.
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -13,8 +14,8 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],,
-[m4_warning([this file was generated for autoconf 2.67.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],,
+[m4_warning([this file was generated for autoconf 2.69.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
@@ -272,7 +273,8 @@ sixtyfour bits
 # ----------------------------------
 AC_DEFUN([PKG_PROG_PKG_CONFIG],
 [m4_pattern_forbid([^_?PKG_[A-Z_]+$])
-m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
+m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
+m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
 AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
 AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
 AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
@@ -318,7 +320,8 @@ m4_define([_PKG_CONFIG],
     pkg_cv_[]$1="$$1"
  elif test -n "$PKG_CONFIG"; then
     PKG_CHECK_EXISTS([$3],
-                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes ],
 		     [pkg_failed=yes])
  else
     pkg_failed=untried
@@ -366,9 +369,9 @@ if test $pkg_failed = yes; then
    	AC_MSG_RESULT([no])
         _PKG_SHORT_ERRORS_SUPPORTED
         if test $_pkg_short_errors_supported = yes; then
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
         else 
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
@@ -381,7 +384,7 @@ $$1_PKG_ERRORS
 Consider adjusting the PKG_CONFIG_PATH environment variable if you
 installed software in a non-standard prefix.
 
-_PKG_TEXT])dnl
+_PKG_TEXT])[]dnl
         ])
 elif test $pkg_failed = untried; then
      	AC_MSG_RESULT([no])
@@ -392,7 +395,7 @@ path to pkg-config.
 
 _PKG_TEXT
 
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])dnl
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
         ])
 else
 	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
@@ -402,12 +405,15 @@ else
 fi[]dnl
 ])# PKG_CHECK_MODULES
 
-# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008, 2011 Free Software
+# Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_AUTOMAKE_VERSION(VERSION)
 # ----------------------------
 # Automake X.Y traces this macro to ensure aclocal.m4 has been
@@ -417,7 +423,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.11'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.11.1], [],
+m4_if([$1], [1.11.6], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -433,19 +439,21 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.11.1])dnl
+[AM_AUTOMAKE_VERSION([1.11.6])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 
 # AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
 
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
 # $ac_aux_dir to `$srcdir/foo'.  In other projects, it is set to
 # `$srcdir', `$srcdir/..', or `$srcdir/../..'.
@@ -527,14 +535,14 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009
-# Free Software Foundation, Inc.
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009,
+# 2010, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 10
+# serial 12
 
 # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
 # written in clear, in which case automake, when reading aclocal.m4,
@@ -574,6 +582,7 @@ AC_CACHE_CHECK([dependency style of $depcc],
   # instance it was reported that on HP-UX the gcc test will end up
   # making a dummy file named `D' -- because `-MD' means `put the output
   # in D'.
+  rm -rf conftest.dir
   mkdir conftest.dir
   # Copy depcomp to subdir because otherwise we won't find it if we're
   # using a relative directory.
@@ -638,7 +647,7 @@ AC_CACHE_CHECK([dependency style of $depcc],
 	break
       fi
       ;;
-    msvisualcpp | msvcmsys)
+    msvc7 | msvc7msys | msvisualcpp | msvcmsys)
       # This compiler won't grok `-c -o', but also, the minuso test has
       # not run yet.  These depmodes are late enough in the game, and
       # so weak that their functioning should not be impacted.
@@ -703,10 +712,13 @@ AC_DEFUN([AM_DEP_TRACK],
 if test "x$enable_dependency_tracking" != xno; then
   am_depcomp="$ac_aux_dir/depcomp"
   AMDEPBACKSLASH='\'
+  am__nodep='_no'
 fi
 AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
 AC_SUBST([AMDEPBACKSLASH])dnl
 _AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
+AC_SUBST([am__nodep])dnl
+_AM_SUBST_NOTMAKE([am__nodep])dnl
 ])
 
 # Generate code to set up dependency tracking.              -*- Autoconf -*-
@@ -928,12 +940,15 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
 
-# Copyright (C) 2001, 2003, 2005, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2008, 2011 Free Software Foundation,
+# Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_PROG_INSTALL_SH
 # ------------------
 # Define $install_sh.
@@ -1022,6 +1037,41 @@ AC_MSG_RESULT([$_am_result])
 rm -f confinc confmf
 ])
 
+# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005, 2008
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 6
+
+# AM_PROG_CC_C_O
+# --------------
+# Like AC_PROG_CC_C_O, but changed for automake.
+AC_DEFUN([AM_PROG_CC_C_O],
+[AC_REQUIRE([AC_PROG_CC_C_O])dnl
+AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([compile])dnl
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
+eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
+if test "$am_t" != yes; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+dnl Make sure AC_PROG_CC is never called again, or it will override our
+dnl setting of CC.
+m4_define([AC_PROG_CC],
+          [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
+])
+
 # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
 # Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008
@@ -1065,12 +1115,15 @@ else
 fi
 ])
 
-# Copyright (C) 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# Copyright (C) 2003, 2004, 2005, 2006, 2011 Free Software Foundation,
+# Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_PROG_MKDIR_P
 # ---------------
 # Check for `mkdir -p'.
@@ -1093,13 +1146,14 @@ esac
 
 # Helper functions for option handling.                     -*- Autoconf -*-
 
-# Copyright (C) 2001, 2002, 2003, 2005, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2002, 2003, 2005, 2008, 2010 Free Software
+# Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 4
+# serial 5
 
 # _AM_MANGLE_OPTION(NAME)
 # -----------------------
@@ -1107,13 +1161,13 @@ AC_DEFUN([_AM_MANGLE_OPTION],
 [[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])
 
 # _AM_SET_OPTION(NAME)
-# ------------------------------
+# --------------------
 # Set option NAME.  Presently that only means defining a flag for this option.
 AC_DEFUN([_AM_SET_OPTION],
 [m4_define(_AM_MANGLE_OPTION([$1]), 1)])
 
 # _AM_SET_OPTIONS(OPTIONS)
-# ----------------------------------
+# ------------------------
 # OPTIONS is a space-separated list of Automake options.
 AC_DEFUN([_AM_SET_OPTIONS],
 [m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
@@ -1124,12 +1178,14 @@ AC_DEFUN([_AM_SET_OPTIONS],
 AC_DEFUN([_AM_IF_OPTION],
 [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
 
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_RUN_LOG(COMMAND)
 # -------------------
 # Run COMMAND, save the exit status in ac_status, and log it.
@@ -1206,12 +1262,71 @@ Check your system clock])
 fi
 AC_MSG_RESULT(yes)])
 
-# Copyright (C) 2001, 2003, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2009, 2011  Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 2
+
+# AM_SILENT_RULES([DEFAULT])
+# --------------------------
+# Enable less verbose build rules; with the default set to DEFAULT
+# (`yes' being less verbose, `no' or empty being verbose).
+AC_DEFUN([AM_SILENT_RULES],
+[AC_ARG_ENABLE([silent-rules],
+[  --enable-silent-rules          less verbose build output (undo: `make V=1')
+  --disable-silent-rules         verbose build output (undo: `make V=0')])
+case $enable_silent_rules in
+yes) AM_DEFAULT_VERBOSITY=0;;
+no)  AM_DEFAULT_VERBOSITY=1;;
+*)   AM_DEFAULT_VERBOSITY=m4_if([$1], [yes], [0], [1]);;
+esac
+dnl
+dnl A few `make' implementations (e.g., NonStop OS and NextStep)
+dnl do not support nested variable expansions.
+dnl See automake bug#9928 and bug#10237.
+am_make=${MAKE-make}
+AC_CACHE_CHECK([whether $am_make supports nested variables],
+   [am_cv_make_support_nested_variables],
+   [if AS_ECHO([['TRUE=$(BAR$(V))
+BAR0=false
+BAR1=true
+V=1
+am__doit:
+	@$(TRUE)
+.PHONY: am__doit']]) | $am_make -f - >/dev/null 2>&1; then
+  am_cv_make_support_nested_variables=yes
+else
+  am_cv_make_support_nested_variables=no
+fi])
+if test $am_cv_make_support_nested_variables = yes; then
+  dnl Using `$V' instead of `$(V)' breaks IRIX make.
+  AM_V='$(V)'
+  AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
+else
+  AM_V=$AM_DEFAULT_VERBOSITY
+  AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
+fi
+AC_SUBST([AM_V])dnl
+AM_SUBST_NOTMAKE([AM_V])dnl
+AC_SUBST([AM_DEFAULT_V])dnl
+AM_SUBST_NOTMAKE([AM_DEFAULT_V])dnl
+AC_SUBST([AM_DEFAULT_VERBOSITY])dnl
+AM_BACKSLASH='\'
+AC_SUBST([AM_BACKSLASH])dnl
+_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
+])
+
+# Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
+# serial 1
+
 # AM_PROG_INSTALL_STRIP
 # ---------------------
 # One issue with vendor `install' (even GNU) is that you can't
@@ -1234,13 +1349,13 @@ fi
 INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
 
-# Copyright (C) 2006, 2008  Free Software Foundation, Inc.
+# Copyright (C) 2006, 2008, 2010 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 
-# serial 2
+# serial 3
 
 # _AM_SUBST_NOTMAKE(VARIABLE)
 # ---------------------------
@@ -1249,13 +1364,13 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])])
 AC_DEFUN([_AM_SUBST_NOTMAKE])
 
 # AM_SUBST_NOTMAKE(VARIABLE)
-# ---------------------------
+# --------------------------
 # Public sister of _AM_SUBST_NOTMAKE.
 AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
 
 # Check how to create a tarball.                            -*- Autoconf -*-
 
-# Copyright (C) 2004, 2005  Free Software Foundation, Inc.
+# Copyright (C) 2004, 2005, 2012 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1277,10 +1392,11 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
 # a tarball read from stdin.
 #     $(am__untar) < result.tar
 AC_DEFUN([_AM_PROG_TAR],
-[# Always define AMTAR for backward compatibility.
-AM_MISSING_PROG([AMTAR], [tar])
+[# Always define AMTAR for backward compatibility.  Yes, it's still used
+# in the wild :-(  We should find a proper way to deprecate it ...
+AC_SUBST([AMTAR], ['$${TAR-tar}'])
 m4_if([$1], [v7],
-     [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
+     [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'],
      [m4_case([$1], [ustar],, [pax],,
               [m4_fatal([Unknown tar format])])
 AC_MSG_CHECKING([how to create a $1 tar archive])
diff --git a/compile b/compile
new file mode 100755
index 000000000..862a14e8c
--- /dev/null
+++ b/compile
@@ -0,0 +1,343 @@
+#! /bin/sh
+# Wrapper for compilers which do not understand '-c -o'.
+
+scriptversion=2012-03-05.13; # UTC
+
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009, 2010, 2012 Free
+# Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+nl='
+'
+
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent tools from complaining about whitespace usage.
+IFS=" ""	$nl"
+
+file_conv=
+
+# func_file_conv build_file lazy
+# Convert a $build file to $host form and store it in $file
+# Currently only supports Windows hosts. If the determined conversion
+# type is listed in (the comma separated) LAZY, no conversion will
+# take place.
+func_file_conv ()
+{
+  file=$1
+  case $file in
+    / | /[!/]*) # absolute file, and not a UNC file
+      if test -z "$file_conv"; then
+	# lazily determine how to convert abs files
+	case `uname -s` in
+	  MINGW*)
+	    file_conv=mingw
+	    ;;
+	  CYGWIN*)
+	    file_conv=cygwin
+	    ;;
+	  *)
+	    file_conv=wine
+	    ;;
+	esac
+      fi
+      case $file_conv/,$2, in
+	*,$file_conv,*)
+	  ;;
+	mingw/*)
+	  file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
+	  ;;
+	cygwin/*)
+	  file=`cygpath -m "$file" || echo "$file"`
+	  ;;
+	wine/*)
+	  file=`winepath -w "$file" || echo "$file"`
+	  ;;
+      esac
+      ;;
+  esac
+}
+
+# func_cl_dashL linkdir
+# Make cl look for libraries in LINKDIR
+func_cl_dashL ()
+{
+  func_file_conv "$1"
+  if test -z "$lib_path"; then
+    lib_path=$file
+  else
+    lib_path="$lib_path;$file"
+  fi
+  linker_opts="$linker_opts -LIBPATH:$file"
+}
+
+# func_cl_dashl library
+# Do a library search-path lookup for cl
+func_cl_dashl ()
+{
+  lib=$1
+  found=no
+  save_IFS=$IFS
+  IFS=';'
+  for dir in $lib_path $LIB
+  do
+    IFS=$save_IFS
+    if $shared && test -f "$dir/$lib.dll.lib"; then
+      found=yes
+      lib=$dir/$lib.dll.lib
+      break
+    fi
+    if test -f "$dir/$lib.lib"; then
+      found=yes
+      lib=$dir/$lib.lib
+      break
+    fi
+  done
+  IFS=$save_IFS
+
+  if test "$found" != yes; then
+    lib=$lib.lib
+  fi
+}
+
+# func_cl_wrapper cl arg...
+# Adjust compile command to suit cl
+func_cl_wrapper ()
+{
+  # Assume a capable shell
+  lib_path=
+  shared=:
+  linker_opts=
+  for arg
+  do
+    if test -n "$eat"; then
+      eat=
+    else
+      case $1 in
+	-o)
+	  # configure might choose to run compile as 'compile cc -o foo foo.c'.
+	  eat=1
+	  case $2 in
+	    *.o | *.[oO][bB][jJ])
+	      func_file_conv "$2"
+	      set x "$@" -Fo"$file"
+	      shift
+	      ;;
+	    *)
+	      func_file_conv "$2"
+	      set x "$@" -Fe"$file"
+	      shift
+	      ;;
+	  esac
+	  ;;
+	-I)
+	  eat=1
+	  func_file_conv "$2" mingw
+	  set x "$@" -I"$file"
+	  shift
+	  ;;
+	-I*)
+	  func_file_conv "${1#-I}" mingw
+	  set x "$@" -I"$file"
+	  shift
+	  ;;
+	-l)
+	  eat=1
+	  func_cl_dashl "$2"
+	  set x "$@" "$lib"
+	  shift
+	  ;;
+	-l*)
+	  func_cl_dashl "${1#-l}"
+	  set x "$@" "$lib"
+	  shift
+	  ;;
+	-L)
+	  eat=1
+	  func_cl_dashL "$2"
+	  ;;
+	-L*)
+	  func_cl_dashL "${1#-L}"
+	  ;;
+	-static)
+	  shared=false
+	  ;;
+	-Wl,*)
+	  arg=${1#-Wl,}
+	  save_ifs="$IFS"; IFS=','
+	  for flag in $arg; do
+	    IFS="$save_ifs"
+	    linker_opts="$linker_opts $flag"
+	  done
+	  IFS="$save_ifs"
+	  ;;
+	-Xlinker)
+	  eat=1
+	  linker_opts="$linker_opts $2"
+	  ;;
+	-*)
+	  set x "$@" "$1"
+	  shift
+	  ;;
+	*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
+	  func_file_conv "$1"
+	  set x "$@" -Tp"$file"
+	  shift
+	  ;;
+	*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
+	  func_file_conv "$1" mingw
+	  set x "$@" "$file"
+	  shift
+	  ;;
+	*)
+	  set x "$@" "$1"
+	  shift
+	  ;;
+      esac
+    fi
+    shift
+  done
+  if test -n "$linker_opts"; then
+    linker_opts="-link$linker_opts"
+  fi
+  exec "$@" $linker_opts
+  exit 1
+}
+
+eat=
+
+case $1 in
+  '')
+     echo "$0: No command.  Try '$0 --help' for more information." 1>&2
+     exit 1;
+     ;;
+  -h | --h*)
+    cat <<\EOF
+Usage: compile [--help] [--version] PROGRAM [ARGS]
+
+Wrapper for compilers which do not understand '-c -o'.
+Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
+arguments, and rename the output as expected.
+
+If you are trying to build a whole package this is not the
+right script to run: please start by reading the file 'INSTALL'.
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+    exit $?
+    ;;
+  -v | --v*)
+    echo "compile $scriptversion"
+    exit $?
+    ;;
+  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
+    func_cl_wrapper "$@"      # Doesn't return...
+    ;;
+esac
+
+ofile=
+cfile=
+
+for arg
+do
+  if test -n "$eat"; then
+    eat=
+  else
+    case $1 in
+      -o)
+	# configure might choose to run compile as 'compile cc -o foo foo.c'.
+	# So we strip '-o arg' only if arg is an object.
+	eat=1
+	case $2 in
+	  *.o | *.obj)
+	    ofile=$2
+	    ;;
+	  *)
+	    set x "$@" -o "$2"
+	    shift
+	    ;;
+	esac
+	;;
+      *.c)
+	cfile=$1
+	set x "$@" "$1"
+	shift
+	;;
+      *)
+	set x "$@" "$1"
+	shift
+	;;
+    esac
+  fi
+  shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+  # If no '-o' option was seen then we might have been invoked from a
+  # pattern rule where we don't need one.  That is ok -- this is a
+  # normal compilation that the losing compiler can handle.  If no
+  # '.c' file was seen then we are probably linking.  That is also
+  # ok.
+  exec "$@"
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use '[/\\:.-]' here to ensure that we don't use the same name
+# that we are using for the .o file.  Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
+while true; do
+  if mkdir "$lockdir" >/dev/null 2>&1; then
+    break
+  fi
+  sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir '$lockdir'; exit 1" 1 2 15
+
+# Run the compile.
+"$@"
+ret=$?
+
+if test -f "$cofile"; then
+  test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
+elif test -f "${cofile}bj"; then
+  test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
+fi
+
+rmdir "$lockdir"
+exit $ret
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/config.guess b/config.guess
index c2246a4f7..d622a44e5 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
-#   Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+#   2011, 2012 Free Software Foundation, Inc.
 
-timestamp='2009-12-30'
+timestamp='2012-02-10'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -17,9 +17,7 @@ timestamp='2009-12-30'
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -57,8 +55,8 @@ GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
-Software Foundation, Inc.
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
 case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     *:NetBSD:*:*)
 	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
 	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
 	# switched to ELF, *-*-netbsd* would select the old
 	# object file format.  This provides both forward
@@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		fi
 		;;
 	    *)
-	        os=netbsd
+		os=netbsd
 		;;
 	esac
 	# The OS release
@@ -224,7 +222,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
 		;;
 	*5.*)
-	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
 		;;
 	esac
 	# According to Compaq, /usr/sbin/psrinfo has been available on
@@ -270,7 +268,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
 	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit ;;
+	# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
+	exitcode=$?
+	trap '' 0
+	exit $exitcode ;;
     Alpha\ *:Windows_NT*:*)
 	# How do we know it's Interix rather than the generic POSIX subsystem?
 	# Should we change UNAME_MACHINE based on the output of uname instead
@@ -296,7 +297,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	echo s390-ibm-zvmoe
 	exit ;;
     *:OS400:*:*)
-        echo powerpc-ibm-os400
+	echo powerpc-ibm-os400
 	exit ;;
     arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
 	echo arm-acorn-riscix${UNAME_RELEASE}
@@ -395,23 +396,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     # MiNT.  But MiNT is downward compatible to TOS, so this should
     # be no problem.
     atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint${UNAME_RELEASE}
 	exit ;;
     atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
 	echo m68k-atari-mint${UNAME_RELEASE}
-        exit ;;
+	exit ;;
     *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
+	echo m68k-atari-mint${UNAME_RELEASE}
 	exit ;;
     milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-        echo m68k-milan-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-milan-mint${UNAME_RELEASE}
+	exit ;;
     hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-        echo m68k-hades-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-hades-mint${UNAME_RELEASE}
+	exit ;;
     *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-        echo m68k-unknown-mint${UNAME_RELEASE}
-        exit ;;
+	echo m68k-unknown-mint${UNAME_RELEASE}
+	exit ;;
     m68k:machten:*:*)
 	echo m68k-apple-machten${UNAME_RELEASE}
 	exit ;;
@@ -481,8 +482,8 @@ EOF
 	echo m88k-motorola-sysv3
 	exit ;;
     AViiON:dgux:*:*)
-        # DG/UX returns AViiON for all architectures
-        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	# DG/UX returns AViiON for all architectures
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
 	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
 	then
 	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
@@ -495,7 +496,7 @@ EOF
 	else
 	    echo i586-dg-dgux${UNAME_RELEASE}
 	fi
- 	exit ;;
+	exit ;;
     M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
 	echo m88k-dolphin-sysv3
 	exit ;;
@@ -552,7 +553,7 @@ EOF
 		echo rs6000-ibm-aix3.2
 	fi
 	exit ;;
-    *:AIX:*:[456])
+    *:AIX:*:[4567])
 	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
 	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
 		IBM_ARCH=rs6000
@@ -595,52 +596,52 @@ EOF
 	    9000/[678][0-9][0-9])
 		if [ -x /usr/bin/getconf ]; then
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
-                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-                    case "${sc_cpu_version}" in
-                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
-                      532)                      # CPU_PA_RISC2_0
-                        case "${sc_kernel_bits}" in
-                          32) HP_ARCH="hppa2.0n" ;;
-                          64) HP_ARCH="hppa2.0w" ;;
+		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+		    case "${sc_cpu_version}" in
+		      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+		      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+		      532)                      # CPU_PA_RISC2_0
+			case "${sc_kernel_bits}" in
+			  32) HP_ARCH="hppa2.0n" ;;
+			  64) HP_ARCH="hppa2.0w" ;;
 			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
-                        esac ;;
-                    esac
+			esac ;;
+		    esac
 		fi
 		if [ "${HP_ARCH}" = "" ]; then
 		    eval $set_cc_for_build
-		    sed 's/^              //' << EOF >$dummy.c
+		    sed 's/^		//' << EOF >$dummy.c
 
-              #define _HPUX_SOURCE
-              #include <stdlib.h>
-              #include <unistd.h>
+		#define _HPUX_SOURCE
+		#include <stdlib.h>
+		#include <unistd.h>
 
-              int main ()
-              {
-              #if defined(_SC_KERNEL_BITS)
-                  long bits = sysconf(_SC_KERNEL_BITS);
-              #endif
-                  long cpu  = sysconf (_SC_CPU_VERSION);
+		int main ()
+		{
+		#if defined(_SC_KERNEL_BITS)
+		    long bits = sysconf(_SC_KERNEL_BITS);
+		#endif
+		    long cpu  = sysconf (_SC_CPU_VERSION);
 
-                  switch (cpu)
-              	{
-              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
-              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0:
-              #if defined(_SC_KERNEL_BITS)
-              	    switch (bits)
-              		{
-              		case 64: puts ("hppa2.0w"); break;
-              		case 32: puts ("hppa2.0n"); break;
-              		default: puts ("hppa2.0"); break;
-              		} break;
-              #else  /* !defined(_SC_KERNEL_BITS) */
-              	    puts ("hppa2.0"); break;
-              #endif
-              	default: puts ("hppa1.0"); break;
-              	}
-                  exit (0);
-              }
+		    switch (cpu)
+			{
+			case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+			case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+			case CPU_PA_RISC2_0:
+		#if defined(_SC_KERNEL_BITS)
+			    switch (bits)
+				{
+				case 64: puts ("hppa2.0w"); break;
+				case 32: puts ("hppa2.0n"); break;
+				default: puts ("hppa2.0"); break;
+				} break;
+		#else  /* !defined(_SC_KERNEL_BITS) */
+			    puts ("hppa2.0"); break;
+		#endif
+			default: puts ("hppa1.0"); break;
+			}
+		    exit (0);
+		}
 EOF
 		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
 		    test -z "$HP_ARCH" && HP_ARCH=hppa
@@ -731,22 +732,22 @@ EOF
 	exit ;;
     C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
 	echo c1-convex-bsd
-        exit ;;
+	exit ;;
     C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
 	if getsysinfo -f scalar_acc
 	then echo c32-convex-bsd
 	else echo c2-convex-bsd
 	fi
-        exit ;;
+	exit ;;
     C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
 	echo c34-convex-bsd
-        exit ;;
+	exit ;;
     C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
 	echo c38-convex-bsd
-        exit ;;
+	exit ;;
     C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
 	echo c4-convex-bsd
-        exit ;;
+	exit ;;
     CRAY*Y-MP:*:*:*)
 	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit ;;
@@ -770,14 +771,14 @@ EOF
 	exit ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
 	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
-        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit ;;
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+	echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
     5000:UNIX_System_V:4.*:*)
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
-        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+	FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+	echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
 	exit ;;
     i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
 	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
@@ -789,13 +790,12 @@ EOF
 	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
 	exit ;;
     *:FreeBSD:*:*)
-	case ${UNAME_MACHINE} in
-	    pc98)
-		echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	UNAME_PROCESSOR=`/usr/bin/uname -p`
+	case ${UNAME_PROCESSOR} in
 	    amd64)
 		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	    *)
-		echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+		echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	esac
 	exit ;;
     i*:CYGWIN*:*)
@@ -804,15 +804,18 @@ EOF
     *:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit ;;
+    i*:MSYS*:*)
+	echo ${UNAME_MACHINE}-pc-msys
+	exit ;;
     i*:windows32*:*)
-    	# uname -m includes "-pc" on this system.
-    	echo ${UNAME_MACHINE}-mingw32
+	# uname -m includes "-pc" on this system.
+	echo ${UNAME_MACHINE}-mingw32
 	exit ;;
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
 	exit ;;
     *:Interix*:*)
-    	case ${UNAME_MACHINE} in
+	case ${UNAME_MACHINE} in
 	    x86)
 		echo i586-pc-interix${UNAME_RELEASE}
 		exit ;;
@@ -858,6 +861,13 @@ EOF
     i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
+    aarch64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    aarch64_be:Linux:*:*)
+	UNAME_MACHINE=aarch64_be
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     alpha:Linux:*:*)
 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
 	  EV5)   UNAME_MACHINE=alphaev5 ;;
@@ -867,7 +877,7 @@ EOF
 	  EV6)   UNAME_MACHINE=alphaev6 ;;
 	  EV67)  UNAME_MACHINE=alphaev67 ;;
 	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
+	esac
 	objdump --private-headers /bin/sh | grep -q ld.so.1
 	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
 	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
@@ -879,20 +889,29 @@ EOF
 	then
 	    echo ${UNAME_MACHINE}-unknown-linux-gnu
 	else
-	    echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+	    if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
+		| grep -q __ARM_PCS_VFP
+	    then
+		echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+	    else
+		echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
+	    fi
 	fi
 	exit ;;
     avr32*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     cris:Linux:*:*)
-	echo cris-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-gnu
 	exit ;;
     crisv32:Linux:*:*)
-	echo crisv32-axis-linux-gnu
+	echo ${UNAME_MACHINE}-axis-linux-gnu
 	exit ;;
     frv:Linux:*:*)
-    	echo frv-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    hexagon:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     i*86:Linux:*:*)
 	LIBC=gnu
@@ -934,7 +953,7 @@ EOF
 	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 	;;
     or32:Linux:*:*)
-	echo or32-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     padre:Linux:*:*)
 	echo sparc-unknown-linux-gnu
@@ -960,7 +979,7 @@ EOF
 	echo ${UNAME_MACHINE}-ibm-linux
 	exit ;;
     sh64*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     sh*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -968,14 +987,17 @@ EOF
     sparc:Linux:*:* | sparc64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
+    tile*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     vax:Linux:*:*)
 	echo ${UNAME_MACHINE}-dec-linux-gnu
 	exit ;;
     x86_64:Linux:*:*)
-	echo x86_64-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     xtensa*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -984,11 +1006,11 @@ EOF
 	echo i386-sequent-sysv4
 	exit ;;
     i*86:UNIX_SV:4.2MP:2.*)
-        # Unixware is an offshoot of SVR4, but it has its own version
-        # number series starting with 2...
-        # I am not positive that other SVR4 systems won't match this,
+	# Unixware is an offshoot of SVR4, but it has its own version
+	# number series starting with 2...
+	# I am not positive that other SVR4 systems won't match this,
 	# I just have to hope.  -- rms.
-        # Use sysv4.2uw... so that sysv4* matches it.
+	# Use sysv4.2uw... so that sysv4* matches it.
 	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
 	exit ;;
     i*86:OS/2:*:*)
@@ -1020,7 +1042,7 @@ EOF
 	fi
 	exit ;;
     i*86:*:5:[678]*)
-    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	# UnixWare 7.x, OpenUNIX and OpenServer 6.
 	case `/bin/uname -X | grep "^Machine"` in
 	    *486*)	     UNAME_MACHINE=i486 ;;
 	    *Pentium)	     UNAME_MACHINE=i586 ;;
@@ -1048,13 +1070,13 @@ EOF
 	exit ;;
     pc:*:*:*)
 	# Left here for compatibility:
-        # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i586.
+	# uname -m prints for DJGPP always 'pc', but it prints nothing about
+	# the processor, so we play safe by assuming i586.
 	# Note: whatever this is, it MUST be the same as what config.sub
 	# prints for the "djgpp" host, or else GDB configury will decide that
 	# this is a cross-build.
 	echo i586-pc-msdosdjgpp
-        exit ;;
+	exit ;;
     Intel:Mach:3*:*)
 	echo i386-pc-mach3
 	exit ;;
@@ -1089,8 +1111,8 @@ EOF
 	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
 	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && { echo i486-ncr-sysv4; exit; } ;;
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4; exit; } ;;
     NCR*:*:4.2:* | MPRAS*:*:4.2:*)
 	OS_REL='.3'
 	test -r /etc/.relid \
@@ -1133,10 +1155,10 @@ EOF
 		echo ns32k-sni-sysv
 	fi
 	exit ;;
-    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
-                      # says <Richard.M.Bartel@ccMail.Census.GOV>
-        echo i586-unisys-sysv4
-        exit ;;
+    PENTIUM:*:4.0*:*)	# Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+			# says <Richard.M.Bartel@ccMail.Census.GOV>
+	echo i586-unisys-sysv4
+	exit ;;
     *:UNIX_System_V:4*:FTX*)
 	# From Gerald Hewes <hewes@openmarket.com>.
 	# How about differentiating between stratus architectures? -djm
@@ -1162,11 +1184,11 @@ EOF
 	exit ;;
     R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 	if [ -d /usr/nec ]; then
-	        echo mips-nec-sysv${UNAME_RELEASE}
+		echo mips-nec-sysv${UNAME_RELEASE}
 	else
-	        echo mips-unknown-sysv${UNAME_RELEASE}
+		echo mips-unknown-sysv${UNAME_RELEASE}
 	fi
-        exit ;;
+	exit ;;
     BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
 	echo powerpc-be-beos
 	exit ;;
@@ -1231,6 +1253,9 @@ EOF
     *:QNX:*:4*)
 	echo i386-pc-qnx
 	exit ;;
+    NEO-?:NONSTOP_KERNEL:*:*)
+	echo neo-tandem-nsk${UNAME_RELEASE}
+	exit ;;
     NSE-?:NONSTOP_KERNEL:*:*)
 	echo nse-tandem-nsk${UNAME_RELEASE}
 	exit ;;
@@ -1276,13 +1301,13 @@ EOF
 	echo pdp10-unknown-its
 	exit ;;
     SEI:*:*:SEIUX)
-        echo mips-sei-seiux${UNAME_RELEASE}
+	echo mips-sei-seiux${UNAME_RELEASE}
 	exit ;;
     *:DragonFly:*:*)
 	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
 	exit ;;
     *:*VMS:*:*)
-    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	UNAME_MACHINE=`(uname -p) 2>/dev/null`
 	case "${UNAME_MACHINE}" in
 	    A*) echo alpha-dec-vms ; exit ;;
 	    I*) echo ia64-dec-vms ; exit ;;
@@ -1300,6 +1325,9 @@ EOF
     i*86:AROS:*:*)
 	echo ${UNAME_MACHINE}-pc-aros
 	exit ;;
+    x86_64:VMkernel:*:*)
+	echo ${UNAME_MACHINE}-unknown-esx
+	exit ;;
 esac
 
 #echo '(No uname command or uname output not recognized.)' 1>&2
@@ -1322,11 +1350,11 @@ main ()
 #include <sys/param.h>
   printf ("m68k-sony-newsos%s\n",
 #ifdef NEWSOS4
-          "4"
+	"4"
 #else
-	  ""
+	""
 #endif
-         ); exit (0);
+	); exit (0);
 #endif
 #endif
 
diff --git a/config.h.in b/config.h.in
new file mode 100644
index 000000000..62c3ee5b8
--- /dev/null
+++ b/config.h.in
@@ -0,0 +1,304 @@
+/* config.h.in.  Generated from configure.ac by autoheader.  */
+
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
+/* capability dropping support */
+#undef CAPABILITIES
+
+/* have libpcap library */
+#undef CAPABILITIES_LIBCAP
+
+/* have native linux capset() */
+#undef CAPABILITIES_NATIVE
+
+/* UDP post used by charon locally in case a NAT is detected */
+#undef CHARON_NATT_PORT
+
+/* UDP port used by charon locally */
+#undef CHARON_UDP_PORT
+
+/* defined if config.h included */
+#undef CONFIG_H_INCLUDED
+
+/* Define to one of `_getb67', `GETB67', `getb67' for Cray-2 and Cray-YMP
+   systems. This function is required for `alloca.c' support on those systems.
+   */
+#undef CRAY_STACKSEG_END
+
+/* Define to 1 if using `alloca.c'. */
+#undef C_ALLOCA
+
+/* Define to 1 if you have `alloca', as a function or macro. */
+#undef HAVE_ALLOCA
+
+/* Define to 1 if you have <alloca.h> and it should be used (not on Ultrix).
+   */
+#undef HAVE_ALLOCA_H
+
+/* Define to 1 if you have the `backtrace' function. */
+#undef HAVE_BACKTRACE
+
+/* have binutils bfd.h */
+#undef HAVE_BFD_H
+
+/* Define to 1 if you have the `clock_gettime' function. */
+#undef HAVE_CLOCK_GETTIME
+
+/* Define to 1 if you have the `closefrom' function. */
+#undef HAVE_CLOSEFROM
+
+/* pthread_condattr_setclock supports CLOCK_MONOTONIC */
+#undef HAVE_CONDATTR_CLOCK_MONOTONIC
+
+/* Define to 1 if you have the declaration of `strerror_r', and to 0 if you
+   don't. */
+#undef HAVE_DECL_STRERROR_R
+
+/* have dladdr() */
+#undef HAVE_DLADDR
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#undef HAVE_DLFCN_H
+
+/* have GCC __sync_* atomic operations */
+#undef HAVE_GCC_ATOMIC_OPERATIONS
+
+/* have GCRY_CIPHER_CAMELLIA128 */
+#undef HAVE_GCRY_CIPHER_CAMELLIA
+
+/* Define to 1 if you have the `getgrnam_r' function. */
+#undef HAVE_GETGRNAM_R
+
+/* Define to 1 if you have the `getpass' function. */
+#undef HAVE_GETPASS
+
+/* Define to 1 if you have the `getpwnam_r' function. */
+#undef HAVE_GETPWNAM_R
+
+/* Define to 1 if you have the `getpwuid_r' function. */
+#undef HAVE_GETPWUID_R
+
+/* have gettid() */
+#undef HAVE_GETTID
+
+/* Define to 1 if you have the <glob.h> header file. */
+#undef HAVE_GLOB_H
+
+/* have struct in6_addr in6addr_any */
+#undef HAVE_IN6ADDR_ANY
+
+/* have struct in6_pktinfo.ipi6_ifindex */
+#undef HAVE_IN6_PKTINFO
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* have IPSEC_DIR_FWD defined */
+#undef HAVE_IPSEC_DIR_FWD
+
+/* have IPSEC_MODE_BEET defined */
+#undef HAVE_IPSEC_MODE_BEET
+
+/* Define to 1 if you have the `gmp' library (-lgmp). */
+#undef HAVE_LIBGMP
+
+/* have libunwind.h */
+#undef HAVE_LIBUNWIND_H
+
+/* Define to 1 if you have the <linux/udp.h> header file. */
+#undef HAVE_LINUX_UDP_H
+
+/* Define to 1 if you have the `mallinfo' function. */
+#undef HAVE_MALLINFO
+
+/* Define to 1 if you have the <memory.h> header file. */
+#undef HAVE_MEMORY_H
+
+/* have mpz_mown_sec() */
+#undef HAVE_MPZ_POWM_SEC
+
+/* Define to 1 if you have the <netinet6/ipsec.h> header file. */
+#undef HAVE_NETINET6_IPSEC_H
+
+/* Define to 1 if you have the <netinet/ip6.h> header file. */
+#undef HAVE_NETINET_IP6_H
+
+/* Define to 1 if you have the <netipsec/ipsec.h> header file. */
+#undef HAVE_NETIPSEC_IPSEC_H
+
+/* Define to 1 if you have the <net/pfkeyv2.h> header file. */
+#undef HAVE_NET_PFKEYV2_H
+
+/* Define to 1 if you have the `prctl' function. */
+#undef HAVE_PRCTL
+
+/* have register_printf_function() */
+#undef HAVE_PRINTF_FUNCTION
+
+/* have register_printf_specifier() */
+#undef HAVE_PRINTF_SPECIFIER
+
+/* Define to 1 if you have the `pthread_cancel' function. */
+#undef HAVE_PTHREAD_CANCEL
+
+/* Define to 1 if you have the `pthread_condattr_init' function. */
+#undef HAVE_PTHREAD_CONDATTR_INIT
+
+/* Define to 1 if you have the `pthread_condattr_setclock' function. */
+#undef HAVE_PTHREAD_CONDATTR_SETCLOCK
+
+/* Define to 1 if you have the `pthread_cond_timedwait_monotonic' function. */
+#undef HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC
+
+/* Define to 1 if you have the `pthread_rwlock_init' function. */
+#undef HAVE_PTHREAD_RWLOCK_INIT
+
+/* Define to 1 if you have the `pthread_spin_init' function. */
+#undef HAVE_PTHREAD_SPIN_INIT
+
+/* Define to 1 if you have the `rb_errinfo' function. */
+#undef HAVE_RB_ERRINFO
+
+/* have netlink RTA_TABLE defined */
+#undef HAVE_RTA_TABLE
+
+/* Define to 1 if you have the `sem_timedwait' function. */
+#undef HAVE_SEM_TIMEDWAIT
+
+/* have sqlite3_prepare_v2() */
+#undef HAVE_SQLITE3_PREPARE_V2
+
+/* Define to 1 if stdbool.h conforms to C99. */
+#undef HAVE_STDBOOL_H
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the `strerror_r' function. */
+#undef HAVE_STRERROR_R
+
+/* Define to 1 if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the <string.h> header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if `sadb_x_policy_priority' is a member of `struct
+   sadb_x_policy'. */
+#undef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
+
+/* Define to 1 if `sa_len' is a member of `struct sockaddr'. */
+#undef HAVE_STRUCT_SOCKADDR_SA_LEN
+
+/* have sys/capability.h */
+#undef HAVE_SYS_CAPABILITY_H
+
+/* have syscall(SYS_gettid) */
+#undef HAVE_SYS_GETTID
+
+/* Define to 1 if you have the <sys/sockio.h> header file. */
+#undef HAVE_SYS_SOCKIO_H
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* Define to 1 if the system has the type `_Bool'. */
+#undef HAVE__BOOL
+
+/* groupname to run daemon with */
+#undef IPSEC_GROUP
+
+/* username to run daemon with */
+#undef IPSEC_USER
+
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+   */
+#undef LT_OBJDIR
+
+/* mediation extension support */
+#undef ME
+
+/* monolithic build embedding plugins */
+#undef MONOLITHIC
+
+/* Define to 1 if your C compiler doesn't accept -c and -o together. */
+#undef NO_MINUS_C_MINUS_O
+
+/* Name of package */
+#undef PACKAGE
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* If using the C implementation of alloca, define if you know the
+   direction of stack growth for your system; otherwise it will be
+   automatically deduced at runtime.
+	STACK_DIRECTION > 0 => grows toward higher addresses
+	STACK_DIRECTION < 0 => grows toward lower addresses
+	STACK_DIRECTION = 0 => direction of growth unknown */
+#undef STACK_DIRECTION
+
+/* Define to 1 if you have the ANSI C header files. */
+#undef STDC_HEADERS
+
+/* Define to 1 if strerror_r returns char *. */
+#undef STRERROR_R_CHAR_P
+
+/* use TrouSerS library libtspi as TSS implementation */
+#undef TSS_TROUSERS
+
+/* support for IKEv1 protocol */
+#undef USE_IKEV1
+
+/* support for IKEv2 protocol */
+#undef USE_IKEV2
+
+/* use vstring library for printf hooks */
+#undef USE_VSTR
+
+/* Version number of package */
+#undef VERSION
+
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+#  define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+#  undef WORDS_BIGENDIAN
+# endif
+#endif
+
+/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
+   `char[]'. */
+#undef YYTEXT_POINTER
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef size_t
diff --git a/config.sub b/config.sub
index c2d125724..6205f8423 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
-#   Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
+#   2011, 2012 Free Software Foundation, Inc.
 
-timestamp='2010-01-22'
+timestamp='2012-04-18'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -21,9 +21,7 @@ timestamp='2010-01-22'
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -76,8 +74,8 @@ version="\
 GNU config.sub ($timestamp)
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
-Software Foundation, Inc.
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
+Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -124,13 +122,18 @@ esac
 # Here we must recognize all the valid KERNEL-OS combinations.
 maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
-  nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
-  uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+  nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
+  linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
+  knetbsd*-gnu* | netbsd*-gnu* | \
   kopensolaris*-gnu* | \
   storm-chaos* | os2-emx* | rtmk-nova*)
     os=-$maybe_os
     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
     ;;
+  android-linux)
+    os=-linux-android
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+    ;;
   *)
     basic_machine=`echo $1 | sed 's/-[^-]*$//'`
     if [ $basic_machine != $1 ]
@@ -157,8 +160,8 @@ case $os in
 		os=
 		basic_machine=$1
 		;;
-        -bluegene*)
-	        os=-cnk
+	-bluegene*)
+		os=-cnk
 		;;
 	-sim | -cisco | -oki | -wec | -winbond)
 		os=
@@ -174,10 +177,10 @@ case $os in
 		os=-chorusos
 		basic_machine=$1
 		;;
- 	-chorusrdb)
- 		os=-chorusrdb
+	-chorusrdb)
+		os=-chorusrdb
 		basic_machine=$1
- 		;;
+		;;
 	-hiux*)
 		os=-hiuxwe2
 		;;
@@ -222,6 +225,12 @@ case $os in
 	-isc*)
 		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
 		;;
+	-lynx*178)
+		os=-lynxos178
+		;;
+	-lynx*5)
+		os=-lynxos5
+		;;
 	-lynx*)
 		os=-lynxos
 		;;
@@ -246,17 +255,22 @@ case $basic_machine in
 	# Some are omitted here because they have special meanings below.
 	1750a | 580 \
 	| a29k \
+	| aarch64 | aarch64_be \
 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
 	| am33_2.0 \
 	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+        | be32 | be64 \
 	| bfin \
 	| c4x | clipper \
 	| d10v | d30v | dlx | dsp16xx \
+	| epiphany \
 	| fido | fr30 | frv \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| hexagon \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
+	| le32 | le64 \
 	| lm32 \
 	| m32c | m32r | m32rle | m68000 | m68k | m88k \
 	| maxq | mb | microblaze | mcore | mep | metag \
@@ -282,29 +296,39 @@ case $basic_machine in
 	| moxie \
 	| mt \
 	| msp430 \
+	| nds32 | nds32le | nds32be \
 	| nios | nios2 \
 	| ns16k | ns32k \
+	| open8 \
 	| or32 \
 	| pdp10 | pdp11 | pj | pjl \
-	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| powerpc | powerpc64 | powerpc64le | powerpcle \
 	| pyramid \
-	| rx \
+	| rl78 | rx \
 	| score \
 	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
-	| spu | strongarm \
-	| tahoe | thumb | tic4x | tic80 | tron \
+	| spu \
+	| tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
 	| ubicom32 \
-	| v850 | v850e \
+	| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
 	| we32k \
-	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| x86 | xc16x | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
 		;;
-	m6811 | m68hc11 | m6812 | m68hc12 | picochip)
-		# Motorola 68HC11/12.
+	c54x)
+		basic_machine=tic54x-unknown
+		;;
+	c55x)
+		basic_machine=tic55x-unknown
+		;;
+	c6x)
+		basic_machine=tic6x-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
 		basic_machine=$basic_machine-unknown
 		os=-none
 		;;
@@ -314,6 +338,21 @@ case $basic_machine in
 		basic_machine=mt-unknown
 		;;
 
+	strongarm | thumb | xscale)
+		basic_machine=arm-unknown
+		;;
+	xgate)
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	xscaleeb)
+		basic_machine=armeb-unknown
+		;;
+
+	xscaleel)
+		basic_machine=armel-unknown
+		;;
+
 	# We use `pc' rather than `unknown'
 	# because (1) that's what they normally are, and
 	# (2) the word "unknown" tends to confuse beginning users.
@@ -328,21 +367,25 @@ case $basic_machine in
 	# Recognize the basic CPU types with company name.
 	580-* \
 	| a29k-* \
+	| aarch64-* | aarch64_be-* \
 	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
 	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
 	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
 	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
 	| avr-* | avr32-* \
+	| be32-* | be64-* \
 	| bfin-* | bs2000-* \
-	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* \
 	| clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
 	| elxsi-* \
 	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| hexagon-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
+	| le32-* | le64-* \
 	| lm32-* \
 	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
@@ -368,26 +411,29 @@ case $basic_machine in
 	| mmix-* \
 	| mt-* \
 	| msp430-* \
+	| nds32-* | nds32le-* | nds32be-* \
 	| nios-* | nios2-* \
 	| none-* | np1-* | ns16k-* | ns32k-* \
+	| open8-* \
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
-	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
 	| pyramid-* \
-	| romp-* | rs6000-* | rx-* \
+	| rl78-* | romp-* | rs6000-* | rx-* \
 	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
-	| tahoe-* | thumb-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+	| tahoe-* \
 	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
-	| tile-* | tilegx-* \
+	| tile*-* \
 	| tron-* \
 	| ubicom32-* \
-	| v850-* | v850e-* | vax-* \
+	| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
+	| vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* \
 	| xstormy16-* | xtensa*-* \
 	| ymp-* \
 	| z8k-* | z80-*)
@@ -412,7 +458,7 @@ case $basic_machine in
 		basic_machine=a29k-amd
 		os=-udi
 		;;
-    	abacus)
+	abacus)
 		basic_machine=abacus-unknown
 		;;
 	adobe68k)
@@ -482,11 +528,20 @@ case $basic_machine in
 		basic_machine=powerpc-ibm
 		os=-cnk
 		;;
+	c54x-*)
+		basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c55x-*)
+		basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	c6x-*)
+		basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
 	c90)
 		basic_machine=c90-cray
 		os=-unicos
 		;;
-        cegcc)
+	cegcc)
 		basic_machine=arm-unknown
 		os=-cegcc
 		;;
@@ -518,7 +573,7 @@ case $basic_machine in
 		basic_machine=craynv-cray
 		os=-unicosmp
 		;;
-	cr16)
+	cr16 | cr16-*)
 		basic_machine=cr16-unknown
 		os=-elf
 		;;
@@ -676,7 +731,6 @@ case $basic_machine in
 	i370-ibm* | ibm*)
 		basic_machine=i370-ibm
 		;;
-# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
 	i*86v32)
 		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
 		os=-sysv32
@@ -734,7 +788,7 @@ case $basic_machine in
 		basic_machine=ns32k-utek
 		os=-sysv
 		;;
-        microblaze)
+	microblaze)
 		basic_machine=microblaze-xilinx
 		;;
 	mingw32)
@@ -773,10 +827,18 @@ case $basic_machine in
 	ms1-*)
 		basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
 		;;
+	msys)
+		basic_machine=i386-pc
+		os=-msys
+		;;
 	mvs)
 		basic_machine=i370-ibm
 		os=-mvs
 		;;
+	nacl)
+		basic_machine=le32-unknown
+		os=-nacl
+		;;
 	ncr3000)
 		basic_machine=i486-ncr
 		os=-sysv4
@@ -841,6 +903,12 @@ case $basic_machine in
 	np1)
 		basic_machine=np1-gould
 		;;
+	neo-tandem)
+		basic_machine=neo-tandem
+		;;
+	nse-tandem)
+		basic_machine=nse-tandem
+		;;
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
@@ -923,9 +991,10 @@ case $basic_machine in
 		;;
 	power)	basic_machine=power-ibm
 		;;
-	ppc)	basic_machine=powerpc-unknown
+	ppc | ppcbe)	basic_machine=powerpc-unknown
 		;;
-	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+	ppc-* | ppcbe-*)
+		basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
 		;;
 	ppcle | powerpclittle | ppc-le | powerpc-little)
 		basic_machine=powerpcle-unknown
@@ -1019,6 +1088,9 @@ case $basic_machine in
 		basic_machine=i860-stratus
 		os=-sysv4
 		;;
+	strongarm-* | thumb-*)
+		basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
 	sun2)
 		basic_machine=m68000-sun
 		;;
@@ -1075,25 +1147,8 @@ case $basic_machine in
 		basic_machine=t90-cray
 		os=-unicos
 		;;
-	tic54x | c54x*)
-		basic_machine=tic54x-unknown
-		os=-coff
-		;;
-	tic55x | c55x*)
-		basic_machine=tic55x-unknown
-		os=-coff
-		;;
-	tic6x | c6x*)
-		basic_machine=tic6x-unknown
-		os=-coff
-		;;
-        # This must be matched before tile*.
-        tilegx*)
-		basic_machine=tilegx-unknown
-		os=-linux-gnu
-		;;
 	tile*)
-		basic_machine=tile-unknown
+		basic_machine=$basic_machine-unknown
 		os=-linux-gnu
 		;;
 	tx39)
@@ -1163,6 +1218,9 @@ case $basic_machine in
 	xps | xps100)
 		basic_machine=xps100-honeywell
 		;;
+	xscale-* | xscalee[bl]-*)
+		basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+		;;
 	ymp)
 		basic_machine=ymp-cray
 		os=-unicos
@@ -1260,11 +1318,11 @@ esac
 if [ x"$os" != x"" ]
 then
 case $os in
-        # First match some system type aliases
-        # that might get confused with valid system types.
+	# First match some system type aliases
+	# that might get confused with valid system types.
 	# -solaris* is a basic system type, with this one exception.
-        -auroraux)
-	        os=-auroraux
+	-auroraux)
+		os=-auroraux
 		;;
 	-solaris1 | -solaris1.*)
 		os=`echo $os | sed -e 's|solaris1|sunos4|'`
@@ -1300,8 +1358,9 @@ case $os in
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
 	      | -chorusos* | -chorusrdb* | -cegcc* \
-	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-android* \
+	      | -linux-newlib* | -linux-uclibc* \
 	      | -uxpv* | -beos* | -mpeix* | -udk* \
 	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
 	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
@@ -1348,7 +1407,7 @@ case $os in
 	-opened*)
 		os=-openedition
 		;;
-        -os400*)
+	-os400*)
 		os=-os400
 		;;
 	-wince*)
@@ -1397,7 +1456,7 @@ case $os in
 	-sinix*)
 		os=-sysv4
 		;;
-        -tpf*)
+	-tpf*)
 		os=-tpf
 		;;
 	-triton*)
@@ -1442,8 +1501,8 @@ case $os in
 	-dicos*)
 		os=-dicos
 		;;
-        -nacl*)
-	        ;;
+	-nacl*)
+		;;
 	-none)
 		;;
 	*)
@@ -1466,10 +1525,10 @@ else
 # system, and we'll never get to this point.
 
 case $basic_machine in
-        score-*)
+	score-*)
 		os=-elf
 		;;
-        spu-*)
+	spu-*)
 		os=-elf
 		;;
 	*-acorn)
@@ -1481,8 +1540,20 @@ case $basic_machine in
 	arm*-semi)
 		os=-aout
 		;;
-        c4x-* | tic4x-*)
-        	os=-coff
+	c4x-* | tic4x-*)
+		os=-coff
+		;;
+	hexagon-*)
+		os=-elf
+		;;
+	tic54x-*)
+		os=-coff
+		;;
+	tic55x-*)
+		os=-coff
+		;;
+	tic6x-*)
+		os=-coff
 		;;
 	# This must come before the *-dec entry.
 	pdp10-*)
@@ -1502,14 +1573,11 @@ case $basic_machine in
 		;;
 	m68000-sun)
 		os=-sunos3
-		# This also exists in the configure program, but was not the
-		# default.
-		# os=-sunos4
 		;;
 	m68*-cisco)
 		os=-aout
 		;;
-        mep-*)
+	mep-*)
 		os=-elf
 		;;
 	mips*-cisco)
@@ -1536,7 +1604,7 @@ case $basic_machine in
 	*-ibm)
 		os=-aix
 		;;
-    	*-knuth)
+	*-knuth)
 		os=-mmixware
 		;;
 	*-wec)
diff --git a/configure b/configure
index 5151f9759..7f4469fe9 100755
--- a/configure
+++ b/configure
@@ -1,11 +1,9 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for strongSwan 4.6.4.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.1.0.
 #
 #
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-# Foundation, Inc.
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
 #
 #
 # This configure script is free software; the Free Software Foundation
@@ -89,6 +87,7 @@ fi
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
+as_myself=
 case $0 in #((
   *[\\/]* ) as_myself=$0 ;;
   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -133,6 +132,31 @@ export LANGUAGE
 # CDPATH.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
+# Use a proper internal environment variable to ensure we don't fall
+  # into an infinite loop, continuously re-executing ourselves.
+  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+    _as_can_reexec=no; export _as_can_reexec;
+    # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+  fi
+  # We don't want this to propagate to other subprocesses.
+          { _as_can_reexec=; unset _as_can_reexec;}
 if test "x$CONFIG_SHELL" = x; then
   as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
   emulate sh
@@ -166,12 +190,21 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
 else
   exitcode=1; echo positional parameters were not saved.
 fi
-test x\$exitcode = x0 || exit 1"
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
   as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
   as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
   eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
   test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
-test \$(( 1 + 1 )) = 2 || exit 1"
+test \$(( 1 + 1 )) = 2 || exit 1
+
+  test -n \"\${ZSH_VERSION+set}\${BASH_VERSION+set}\" || (
+    ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+    ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+    ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO
+    PATH=/empty FPATH=/empty; export PATH FPATH
+    test \"X\`printf %s \$ECHO\`\" = \"X\$ECHO\" \\
+      || test \"X\`print -r -- \$ECHO\`\" = \"X\$ECHO\" ) || exit 1"
   if (eval "$as_required") 2>/dev/null; then :
   as_have_required=yes
 else
@@ -211,14 +244,25 @@ IFS=$as_save_IFS
 
 
       if test "x$CONFIG_SHELL" != x; then :
-  # We cannot yet assume a decent shell, so we have to provide a
-	# neutralization value for shells without unset; and this also
-	# works around shells that cannot unset nonexistent variables.
-	BASH_ENV=/dev/null
-	ENV=/dev/null
-	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-	export CONFIG_SHELL
-	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+  export CONFIG_SHELL
+             # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+  *v*x* | *x*v* ) as_opts=-vx ;;
+  *v* ) as_opts=-v ;;
+  *x* ) as_opts=-x ;;
+  * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
 fi
 
     if test x$as_have_required = xno; then :
@@ -320,6 +364,14 @@ $as_echo X"$as_dir" |
 
 
 } # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
 # as_fn_append VAR VALUE
 # ----------------------
 # Append the text in VALUE to the end of the definition contained in VAR. Take
@@ -441,6 +493,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
   chmod +x "$as_me.lineno" ||
     { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
 
+  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+  # already done that, so ensure we don't try to do so again and fall
+  # in an infinite loop.  This has already happened in practice.
+  _as_can_reexec=no; export _as_can_reexec
   # Don't try to exec as it changes $[0], causing all sort of problems
   # (the dirname of $[0] is not the place where we might find the
   # original and so on.  Autoconf is especially sensitive to this).
@@ -475,16 +531,16 @@ if (echo >conf$$.file) 2>/dev/null; then
     # ... but there are two gotchas:
     # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
     # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
     ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
   elif ln conf$$.file conf$$ 2>/dev/null; then
     as_ln_s=ln
   else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
   fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@@ -496,28 +552,8 @@ else
   as_mkdir_p=false
 fi
 
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -525,155 +561,8 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 # Sed expression to map a string onto a valid variable name.
 as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
-
-
-# Check that we are running under the correct shell.
 SHELL=${CONFIG_SHELL-/bin/sh}
 
-case X$lt_ECHO in
-X*--fallback-echo)
-  # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\$\\$0,'$0','`
-  ;;
-esac
-
-ECHO=${lt_ECHO-echo}
-if test "X$1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X$1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $ECHO works!
-  :
-else
-  # Restart under the correct shell.
-  exec $SHELL "$0" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<_LT_EOF
-$*
-_LT_EOF
-  exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$lt_ECHO"; then
-  if test "X${echo_test_string+set}" != Xset; then
-    # find a string as large as possible, as long as the shell can cope with it
-    for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
-      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
-	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
-      then
-        break
-      fi
-    done
-  fi
-
-  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-     test "X$echo_testing_string" = "X$echo_test_string"; then
-    :
-  else
-    # The Solaris, AIX, and Digital Unix default echo programs unquote
-    # backslashes.  This makes it impossible to quote backslashes using
-    #   echo "$something" | sed 's/\\/\\\\/g'
-    #
-    # So, first we look for a working echo in the user's PATH.
-
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for dir in $PATH /usr/ucb; do
-      IFS="$lt_save_ifs"
-      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        ECHO="$dir/echo"
-        break
-      fi
-    done
-    IFS="$lt_save_ifs"
-
-    if test "X$ECHO" = Xecho; then
-      # We didn't find a better echo, so look for alternatives.
-      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        # This shell has a builtin print -r that does the trick.
-        ECHO='print -r'
-      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
-	   test "X$CONFIG_SHELL" != X/bin/ksh; then
-        # If we have ksh, try running configure again with it.
-        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-        export ORIGINAL_CONFIG_SHELL
-        CONFIG_SHELL=/bin/ksh
-        export CONFIG_SHELL
-        exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
-      else
-        # Try using printf.
-        ECHO='printf %s\n'
-        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	  # Cool, printf works
-	  :
-        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	  export CONFIG_SHELL
-	  SHELL="$CONFIG_SHELL"
-	  export SHELL
-	  ECHO="$CONFIG_SHELL $0 --fallback-echo"
-        elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  ECHO="$CONFIG_SHELL $0 --fallback-echo"
-        else
-	  # maybe with a smaller string...
-	  prev=:
-
-	  for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
-	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
-	    then
-	      break
-	    fi
-	    prev="$cmd"
-	  done
-
-	  if test "$prev" != 'sed 50q "$0"'; then
-	    echo_test_string=`eval $prev`
-	    export echo_test_string
-	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
-	  else
-	    # Oops.  We lost completely, so just stick with echo.
-	    ECHO=echo
-	  fi
-        fi
-      fi
-    fi
-  fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-lt_ECHO=$ECHO
-if test "X$lt_ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
-   lt_ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
-fi
-
-
-
 
 test -n "$DJDIR" || exec 7<&0 </dev/null
 exec 6>&1
@@ -698,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.6.4'
-PACKAGE_STRING='strongSwan 4.6.4'
+PACKAGE_VERSION='5.1.0'
+PACKAGE_STRING='strongSwan 5.1.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -743,8 +632,20 @@ ac_subst_vars='am__EXEEXT_FALSE
 am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
+USE_CMD_FALSE
+USE_CMD_TRUE
+USE_TKM_FALSE
+USE_TKM_TRUE
+COVERAGE_FALSE
+COVERAGE_TRUE
+UNITTESTS_FALSE
+UNITTESTS_TRUE
+USE_SILENT_RULES_FALSE
+USE_SILENT_RULES_TRUE
 MONOLITHIC_FALSE
 MONOLITHIC_TRUE
+USE_TROUSERS_FALSE
+USE_TROUSERS_TRUE
 USE_PTS_FALSE
 USE_PTS_TRUE
 USE_IMCV_FALSE
@@ -763,10 +664,14 @@ USE_IPSEC_SCRIPT_FALSE
 USE_IPSEC_SCRIPT_TRUE
 USE_FILE_CONFIG_FALSE
 USE_FILE_CONFIG_TRUE
+USE_LIBPTTLS_FALSE
+USE_LIBPTTLS_TRUE
 USE_LIBTNCCS_FALSE
 USE_LIBTNCCS_TRUE
 USE_LIBTNCIF_FALSE
 USE_LIBTNCIF_TRUE
+USE_LIBIPSEC_FALSE
+USE_LIBIPSEC_TRUE
 USE_LIBCHARON_FALSE
 USE_LIBCHARON_TRUE
 USE_LIBHYDRA_FALSE
@@ -779,14 +684,18 @@ USE_SCRIPTS_FALSE
 USE_SCRIPTS_TRUE
 USE_TOOLS_FALSE
 USE_TOOLS_TRUE
+USE_NM_FALSE
+USE_NM_TRUE
 USE_CHARON_FALSE
 USE_CHARON_TRUE
 USE_ADNS_FALSE
 USE_ADNS_TRUE
 USE_THREADS_FALSE
 USE_THREADS_TRUE
-USE_PLUTO_FALSE
-USE_PLUTO_TRUE
+USE_IKEV2_FALSE
+USE_IKEV2_TRUE
+USE_IKEV1_FALSE
+USE_IKEV1_TRUE
 USE_LOAD_WARNING_FALSE
 USE_LOAD_WARNING_TRUE
 USE_INTEGRITY_TEST_FALSE
@@ -799,22 +708,10 @@ USE_FAST_FALSE
 USE_FAST_TRUE
 USE_DUMM_FALSE
 USE_DUMM_TRUE
-USE_XAUTH_VID_FALSE
-USE_XAUTH_VID_TRUE
-USE_VENDORID_FALSE
-USE_VENDORID_TRUE
-USE_NAT_TRANSPORT_FALSE
-USE_NAT_TRANSPORT_TRUE
 USE_LOCK_PROFILER_FALSE
 USE_LOCK_PROFILER_TRUE
 USE_LEAK_DETECTIVE_FALSE
 USE_LEAK_DETECTIVE_TRUE
-USE_CISCO_QUIRKS_FALSE
-USE_CISCO_QUIRKS_TRUE
-USE_SMARTCARD_FALSE
-USE_SMARTCARD_TRUE
-USE_XAUTH_FALSE
-USE_XAUTH_TRUE
 USE_RESOLVE_FALSE
 USE_RESOLVE_TRUE
 USE_KERNEL_PFROUTE_FALSE
@@ -829,20 +726,24 @@ USE_ATTR_SQL_FALSE
 USE_ATTR_SQL_TRUE
 USE_ATTR_FALSE
 USE_ATTR_TRUE
+USE_UNITY_FALSE
+USE_UNITY_TRUE
 USE_ADDRBLOCK_FALSE
 USE_ADDRBLOCK_TRUE
 USE_FARP_FALSE
 USE_FARP_TRUE
 USE_SOCKET_DYNAMIC_FALSE
 USE_SOCKET_DYNAMIC_TRUE
-USE_SOCKET_RAW_FALSE
-USE_SOCKET_RAW_TRUE
 USE_SOCKET_DEFAULT_FALSE
 USE_SOCKET_DEFAULT_TRUE
 USE_IMV_ATTESTATION_FALSE
 USE_IMV_ATTESTATION_TRUE
 USE_IMC_ATTESTATION_FALSE
 USE_IMC_ATTESTATION_TRUE
+USE_IMV_OS_FALSE
+USE_IMV_OS_TRUE
+USE_IMC_OS_FALSE
+USE_IMC_OS_TRUE
 USE_IMV_SCANNER_FALSE
 USE_IMV_SCANNER_TRUE
 USE_IMC_SCANNER_FALSE
@@ -867,8 +768,18 @@ USE_TNC_PDP_FALSE
 USE_TNC_PDP_TRUE
 USE_TNC_IFMAP_FALSE
 USE_TNC_IFMAP_TRUE
+USE_XAUTH_NOAUTH_FALSE
+USE_XAUTH_NOAUTH_TRUE
+USE_XAUTH_PAM_FALSE
+USE_XAUTH_PAM_TRUE
+USE_XAUTH_EAP_FALSE
+USE_XAUTH_EAP_TRUE
+USE_XAUTH_GENERIC_FALSE
+USE_XAUTH_GENERIC_TRUE
 USE_EAP_RADIUS_FALSE
 USE_EAP_RADIUS_TRUE
+USE_EAP_DYNAMIC_FALSE
+USE_EAP_DYNAMIC_TRUE
 USE_EAP_TNC_FALSE
 USE_EAP_TNC_TRUE
 USE_EAP_PEAP_FALSE
@@ -909,10 +820,18 @@ USE_DUPLICHECK_FALSE
 USE_DUPLICHECK_TRUE
 USE_LED_FALSE
 USE_LED_TRUE
+USE_SYSTIME_FIX_FALSE
+USE_SYSTIME_FIX_TRUE
 USE_CERTEXPIRE_FALSE
 USE_CERTEXPIRE_TRUE
+USE_ERROR_NOTIFY_FALSE
+USE_ERROR_NOTIFY_TRUE
+USE_LOOKIP_FALSE
+USE_LOOKIP_TRUE
 USE_WHITELIST_FALSE
 USE_WHITELIST_TRUE
+USE_KERNEL_LIBIPSEC_FALSE
+USE_KERNEL_LIBIPSEC_TRUE
 USE_HA_FALSE
 USE_HA_TRUE
 USE_LOAD_TESTER_FALSE
@@ -923,18 +842,22 @@ USE_DHCP_FALSE
 USE_DHCP_TRUE
 USE_UPDOWN_FALSE
 USE_UPDOWN_TRUE
+USE_IPSECKEY_FALSE
+USE_IPSECKEY_TRUE
 USE_SQL_FALSE
 USE_SQL_TRUE
 USE_SMP_FALSE
 USE_SMP_TRUE
 USE_MAEMO_FALSE
 USE_MAEMO_TRUE
-USE_ANDROID_FALSE
-USE_ANDROID_TRUE
+USE_ANDROID_LOG_FALSE
+USE_ANDROID_LOG_TRUE
+USE_ANDROID_DNS_FALSE
+USE_ANDROID_DNS_TRUE
+USE_OSX_ATTR_FALSE
+USE_OSX_ATTR_TRUE
 USE_UCI_FALSE
 USE_UCI_TRUE
-USE_NM_FALSE
-USE_NM_TRUE
 USE_MEDCLI_FALSE
 USE_MEDCLI_TRUE
 USE_MEDSRV_FALSE
@@ -951,6 +874,8 @@ USE_CTR_FALSE
 USE_CTR_TRUE
 USE_PKCS11_FALSE
 USE_PKCS11_TRUE
+USE_KEYCHAIN_FALSE
+USE_KEYCHAIN_TRUE
 USE_AGENT_FALSE
 USE_AGENT_TRUE
 USE_GCRYPT_FALSE
@@ -971,12 +896,18 @@ USE_HMAC_FALSE
 USE_HMAC_TRUE
 USE_PEM_FALSE
 USE_PEM_TRUE
+USE_SSHKEY_FALSE
+USE_SSHKEY_TRUE
 USE_DNSKEY_FALSE
 USE_DNSKEY_TRUE
 USE_PGP_FALSE
 USE_PGP_TRUE
+USE_PKCS12_FALSE
+USE_PKCS12_TRUE
 USE_PKCS8_FALSE
 USE_PKCS8_TRUE
+USE_PKCS7_FALSE
+USE_PKCS7_TRUE
 USE_PKCS1_FALSE
 USE_PKCS1_TRUE
 USE_PUBKEY_FALSE
@@ -987,8 +918,12 @@ USE_REVOCATION_FALSE
 USE_REVOCATION_TRUE
 USE_X509_FALSE
 USE_X509_TRUE
+USE_NONCE_FALSE
+USE_NONCE_TRUE
 USE_RANDOM_FALSE
 USE_RANDOM_TRUE
+USE_RDRAND_FALSE
+USE_RDRAND_TRUE
 USE_GMP_FALSE
 USE_GMP_TRUE
 USE_FIPS_PRF_FALSE
@@ -1001,6 +936,8 @@ USE_MD5_FALSE
 USE_MD5_TRUE
 USE_MD4_FALSE
 USE_MD4_TRUE
+USE_RC2_FALSE
+USE_RC2_TRUE
 USE_BLOWFISH_FALSE
 USE_BLOWFISH_TRUE
 USE_DES_FALSE
@@ -1011,14 +948,17 @@ USE_LDAP_FALSE
 USE_LDAP_TRUE
 USE_SOUP_FALSE
 USE_SOUP_TRUE
+USE_UNBOUND_FALSE
+USE_UNBOUND_TRUE
 USE_CURL_FALSE
 USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
 USE_TEST_VECTORS_TRUE
 s_plugins
 h_plugins
-p_plugins
 c_plugins
+cmd_plugins
+nm_plugins
 medsrv_plugins
 manager_plugins
 scripts_plugins
@@ -1028,8 +968,19 @@ openac_plugins
 attest_plugins
 pool_plugins
 starter_plugins
-pluto_plugins
-libcharon_plugins
+charon_plugins
+COVERAGE_LDFLAGS
+COVERAGE_CFLAGS
+GENHTML
+LCOV
+CHECK_LIBS
+CHECK_CFLAGS
+GPRBUILD
+dev_headers
+USE_DEV_HEADERS_FALSE
+USE_DEV_HEADERS_TRUE
+UNWINDLIB
+BFDLIB
 nm_LIBS
 nm_CFLAGS
 pcsclite_LIBS
@@ -1041,12 +992,11 @@ MYSQLCFLAG
 MYSQLLIB
 MYSQLCONFIG
 clearsilver_LIBS
+RUBYLIB
 RUBYINCLUDE
 RUBY
 gtk_LIBS
 gtk_CFLAGS
-axis2c_LIBS
-axis2c_CFLAGS
 xml_LIBS
 xml_CFLAGS
 soup_LIBS
@@ -1069,9 +1019,11 @@ OTOOL
 LIPO
 NMEDIT
 DSYMUTIL
-lt_ECHO
+MANIFEST_TOOL
 RANLIB
+ac_ct_AR
 AR
+DLLTOOL
 OBJDUMP
 LN_S
 NM
@@ -1095,6 +1047,7 @@ build
 am__fastdepCC_FALSE
 am__fastdepCC_TRUE
 CCDEPMODE
+am__nodep
 AMDEPBACKSLASH
 AMDEP_FALSE
 AMDEP_TRUE
@@ -1108,11 +1061,16 @@ CPPFLAGS
 LDFLAGS
 CFLAGS
 CC
+ipsec_script_upper
+charon_natt_port
+charon_udp_port
 ipsecgroup
 ipsecuser
 systemdsystemunitdir
 HAVE_SYSTEMD_FALSE
 HAVE_SYSTEMD_TRUE
+fips_mode
+ipsec_script
 routing_table_prio
 routing_table
 linux_headers
@@ -1126,10 +1084,13 @@ resolv_conf
 strongswan_conf
 urandom_device
 random_device
-default_pkcs11
 PKG_CONFIG_LIBDIR
 PKG_CONFIG_PATH
 PKG_CONFIG
+AM_BACKSLASH
+AM_DEFAULT_VERBOSITY
+AM_DEFAULT_V
+AM_V
 am__untar
 am__tar
 AMTAR
@@ -1194,7 +1155,7 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
-with_default_pkcs11
+enable_silent_rules
 with_random_device
 with_urandom_device
 with_strongswan_conf
@@ -1208,33 +1169,46 @@ with_nm_ca_dir
 with_linux_headers
 with_routing_table
 with_routing_table_prio
+with_ipsec_script
+with_fips_mode
+with_tss
 with_capabilities
 with_mpz_powm_sec
+with_dev_headers
 with_systemdsystemunitdir
-with_xauth_module
 with_user
 with_group
+with_charon_udp_port
+with_charon_natt_port
 enable_curl
+enable_unbound
 enable_soup
 enable_ldap
 enable_aes
 enable_des
 enable_blowfish
+enable_rc2
 enable_md4
 enable_md5
 enable_sha1
 enable_sha2
 enable_fips_prf
 enable_gmp
+enable_rdrand
 enable_random
+enable_nonce
 enable_x509
 enable_revocation
 enable_constraints
 enable_pubkey
 enable_pkcs1
+enable_pkcs7
 enable_pkcs8
+enable_pkcs12
 enable_pgp
 enable_dnskey
+enable_sshkey
+enable_ipseckey
 enable_pem
 enable_hmac
 enable_cmac
@@ -1248,8 +1222,6 @@ enable_medsrv
 enable_medcli
 enable_smp
 enable_sql
-enable_smartcard
-enable_cisco_quirks
 enable_leak_detective
 enable_lock_profiler
 enable_unit_tester
@@ -1270,7 +1242,12 @@ enable_eap_tls
 enable_eap_ttls
 enable_eap_peap
 enable_eap_tnc
+enable_eap_dynamic
 enable_eap_radius
+enable_xauth_generic
+enable_xauth_eap
+enable_xauth_pam
+enable_xauth_noauth
 enable_tnc_ifmap
 enable_tnc_pdp
 enable_tnc_imc
@@ -1282,29 +1259,27 @@ enable_imc_test
 enable_imv_test
 enable_imc_scanner
 enable_imv_scanner
+enable_imc_os
+enable_imv_os
 enable_imc_attestation
 enable_imv_attestation
 enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
 enable_kernel_klips
+enable_kernel_libipsec
+enable_libipsec
 enable_socket_default
-enable_socket_raw
 enable_socket_dynamic
 enable_farp
-enable_nat_transport
-enable_vendor_id
-enable_xauth_vid
 enable_dumm
 enable_fast
 enable_manager
 enable_mediation
 enable_integrity_test
 enable_load_warning
-enable_pluto
-enable_xauth
-enable_threads
-enable_adns
+enable_ikev1
+enable_ikev2
 enable_charon
 enable_tools
 enable_scripts
@@ -1318,24 +1293,38 @@ enable_padlock
 enable_openssl
 enable_gcrypt
 enable_agent
+enable_keychain
 enable_pkcs11
 enable_ctr
 enable_ccm
 enable_gcm
 enable_addrblock
+enable_unity
 enable_uci
-enable_android
+enable_osx_attr
+enable_android_dns
+enable_android_log
 enable_maemo
 enable_nm
 enable_ha
 enable_whitelist
+enable_lookip
+enable_error_notify
 enable_certexpire
+enable_systime_fix
 enable_led
 enable_duplicheck
 enable_coupling
 enable_radattr
 enable_vstr
 enable_monolithic
+enable_bfd_backtraces
+enable_unwind_backtraces
+enable_unit_tests
+enable_coverage
+enable_tkm
+enable_cmd
+enable_defaults
 enable_dependency_tracking
 with_lib_prefix
 enable_shared
@@ -1343,6 +1332,7 @@ enable_static
 with_pic
 enable_fast_install
 with_gnu_ld
+with_sysroot
 enable_libtool_lock
 '
       ac_precious_vars='build_alias
@@ -1363,8 +1353,6 @@ soup_CFLAGS
 soup_LIBS
 xml_CFLAGS
 xml_LIBS
-axis2c_CFLAGS
-axis2c_LIBS
 gtk_CFLAGS
 gtk_LIBS
 maemo_CFLAGS
@@ -1372,7 +1360,9 @@ maemo_LIBS
 pcsclite_CFLAGS
 pcsclite_LIBS
 nm_CFLAGS
-nm_LIBS'
+nm_LIBS
+CHECK_CFLAGS
+CHECK_LIBS'
 
 
 # Initialize some variables set by options.
@@ -1777,7 +1767,7 @@ Try \`$0 --help' for more information"
     $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
     expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-    : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+    : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
     ;;
 
   esac
@@ -1828,8 +1818,6 @@ target=$target_alias
 if test "x$host_alias" != x; then
   if test "x$build_alias" = x; then
     cross_compiling=maybe
-    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used" >&2
   elif test "x$build_alias" != "x$host_alias"; then
     cross_compiling=yes
   fi
@@ -1915,7 +1903,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.6.4 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.1.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1985,7 +1973,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.6.4:";;
+     short | recursive ) echo "Configuration of strongSwan 5.1.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1993,8 +1981,13 @@ Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-silent-rules          less verbose build output (undo: `make V=1')
+  --disable-silent-rules         verbose build output (undo: `make V=0')
   --enable-curl           enable CURL fetcher plugin to fetch files via
                           libcurl. Requires libcurl.
+  --enable-unbound        enable UNBOUND resolver plugin to perform DNS
+                          queries via libunbound. Requires libldns and
+                          libunbound.
   --enable-soup           enable soup fetcher plugin to fetch from HTTP via
                           libsoup. Requires libsoup.
   --enable-ldap           enable LDAP fetching plugin to fetch files via
@@ -2002,6 +1995,7 @@ Optional Features:
   --disable-aes           disable AES software implementation plugin.
   --disable-des           disable DES/3DES software implementation plugin.
   --enable-blowfish       enable Blowfish software implementation plugin.
+  --disable-rc2           disable RC2 software implementation plugin.
   --enable-md4            enable MD4 software implementation plugin.
   --disable-md5           disable MD5 software implementation plugin.
   --disable-sha1          disable SHA1 software implementation plugin.
@@ -2010,15 +2004,21 @@ Optional Features:
   --disable-fips-prf      disable FIPS PRF software implementation plugin.
   --disable-gmp           disable GNU MP (libgmp) based crypto implementation
                           plugin.
+  --enable-rdrand         enable Intel RDRAND random generator plugin.
   --disable-random        disable RNG implementation on top of /dev/(u)random.
+  --disable-nonce         disable nonce generation plugin.
   --disable-x509          disable X509 certificate implementation plugin.
   --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
   --disable-constraints   disable advanced X509 constraint checking plugin.
   --disable-pubkey        disable RAW public key support plugin.
   --disable-pkcs1         disable PKCS1 key decoding plugin.
+  --disable-pkcs7         disable PKCS7 container support plugin.
   --disable-pkcs8         disable PKCS8 private key decoding plugin.
+  --disable-pkcs12        disable PKCS12 container support plugin.
   --disable-pgp           disable PGP key decoding plugin.
   --disable-dnskey        disable DNS RR key decoding plugin.
+  --disable-sshkey        disable SSH key decoding plugin.
+  --enable-ipseckey       enable IPSECKEY authentication plugin.
   --disable-pem           disable PEM decoding plugin.
   --disable-hmac          disable HMAC crypto implementation plugin.
   --disable-cmac          disable CMAC crypto implementation plugin.
@@ -2028,8 +2028,7 @@ Optional Features:
   --enable-mysql          enable MySQL database support. Requires
                           libmysqlclient_r.
   --enable-sqlite         enable SQLite database support. Requires libsqlite3.
-  --disable-stroke        disable charons stroke (pluto compatibility)
-                          configuration backend.
+  --disable-stroke        disable charons stroke configuration backend.
   --enable-medsrv         enable mediation server web frontend and daemon
                           plugin.
   --enable-medcli         enable mediation client configuration database
@@ -2037,8 +2036,6 @@ Optional Features:
   --enable-smp            enable SMP configuration and control interface.
                           Requires libxml.
   --enable-sql            enable SQL database configuration backend.
-  --enable-smartcard      enable smartcard support.
-  --enable-cisco-quirks   enable support of Cisco VPN client.
   --enable-leak-detective enable malloc hooks to find memory leaks.
   --enable-lock-profiler  enable lock/mutex profiling code.
   --enable-unit-tester    enable unit tests on IKEv2 daemon startup.
@@ -2059,24 +2056,33 @@ Optional Features:
                           plugin.
   --enable-eap-identity   enable EAP module providing EAP-Identity helper.
   --enable-eap-md5        enable EAP MD5 (CHAP) authentication module.
-  --enable-eap-gtc        enable PAM based EAP GTC authentication module.
+  --enable-eap-gtc        enable EAP GTC authentication module.
   --enable-eap-mschapv2   enable EAP MS-CHAPv2 authentication module.
   --enable-eap-tls        enable EAP TLS authentication module.
   --enable-eap-ttls       enable EAP TTLS authentication module.
   --enable-eap-peap       enable EAP PEAP authentication module.
   --enable-eap-tnc        enable EAP TNC trusted network connect module.
+  --enable-eap-dynamic    enable dynamic EAP proxy module.
   --enable-eap-radius     enable RADIUS proxy authentication module.
-  --enable-tnc-ifmap      enable TNC IF-MAP module.
+  --disable-xauth-generic disable generic XAuth backend.
+  --enable-xauth-eap      enable XAuth backend using EAP methods to verify
+                          passwords.
+  --enable-xauth-pam      enable XAuth backend using PAM to verify passwords.
+  --enable-xauth-noauth   enable XAuth pseudo-backend that does not actually
+                          verify or even request any credentials.
+  --enable-tnc-ifmap      enable TNC IF-MAP module. Requires libxml
   --enable-tnc-pdp        enable TNC policy decision point module.
   --enable-tnc-imc        enable TNC IMC module.
   --enable-tnc-imv        enable TNC IMV module.
-  --enable-tnccs-11       enable TNCCS 1.1 protocol module.
+  --enable-tnccs-11       enable TNCCS 1.1 protocol module. Requires libxml
   --enable-tnccs-20       enable TNCCS 2.0 protocol module.
   --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
   --enable-imc-test       enable IMC test module.
   --enable-imv-test       enable IMV test module.
   --enable-imc-scanner    enable IMC port scanner module.
   --enable-imv-scanner    enable IMV port scanner module.
+  --enable-imc-os         enable IMC operating system module.
+  --enable-imv-os         enable IMV operating system module.
   --enable-imc-attestation
                           enable IMC attestation module.
   --enable-imv-attestation
@@ -2086,18 +2092,14 @@ Optional Features:
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
   --enable-kernel-pfroute enable the PF_ROUTE kernel interface.
   --enable-kernel-klips   enable the KLIPS kernel interface.
+  --enable-kernel-libipsec
+                          enable the libipsec kernel interface.
+  --enable-libipsec       enable user space IPsec implementation.
   --disable-socket-default
                           disable default socket implementation for charon.
-  --enable-socket-raw     enable raw socket implementation of charon, enforced
-                          if pluto is enabled
   --enable-socket-dynamic enable dynamic socket implementation for charon
   --enable-farp           enable ARP faking plugin that responds to ARP
                           requests to peers virtual IP
-  --enable-nat-transport  enable NAT traversal with IPsec transport mode in
-                          pluto.
-  --disable-vendor-id     disable the sending of the strongSwan vendor ID in
-                          pluto.
-  --disable-xauth-vid     disable the sending of the XAUTH vendor ID.
   --enable-dumm           enable the DUMM UML test framework.
   --enable-fast           enable libfast (FastCGI Application Server w/
                           templates.
@@ -2105,15 +2107,11 @@ Optional Features:
   --enable-mediation      enable IKEv2 Mediation Extension.
   --enable-integrity-test enable integrity testing of libstrongswan and
                           plugins.
-  --disable-load-warning  disable the charon/pluto plugin load option warning
-                          in starter.
-  --disable-pluto         disable the IKEv1 keying daemon pluto.
-  --disable-xauth         disable xauth plugin.
-  --disable-threads       disable the use of threads in pluto. Charon always
-                          uses threads.
-  --disable-adns          disable the use of adns in pluto (disables
-                          opportunistic encryption).
-  --disable-charon        disable the IKEv2 keying daemon charon.
+  --disable-load-warning  disable the charon plugin load option warning in
+                          starter.
+  --disable-ikev1         disable IKEv1 protocol support in charon.
+  --disable-ikev2         disable IKEv2 protocol support in charon.
+  --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
   --disable-tools         disable additional utilities (openac, scepclient and
                           pki).
   --disable-scripts       disable additional utilities (found in directory
@@ -2129,19 +2127,28 @@ Optional Features:
   --enable-openssl        enables the OpenSSL crypto plugin.
   --enable-gcrypt         enables the libgcrypt plugin.
   --enable-agent          enables the ssh-agent signing plugin.
+  --enable-keychain       enables OS X Keychain Services credential set.
   --enable-pkcs11         enables the PKCS11 token support plugin.
   --enable-ctr            enables the Counter Mode wrapper crypto plugin.
   --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
   --enable-gcm            enables the GCM AEAD wrapper crypto plugin.
   --enable-addrblock      enables RFC 3779 address block constraint support.
+  --enable-unity          enables Cisco Unity extension plugin.
   --enable-uci            enable OpenWRT UCI configuration plugin.
-  --enable-android        enable Android specific plugin.
+  --enable-osx-attr       enable OS X SystemConfiguration attribute handler.
+  --enable-android-dns    enable Android specific DNS handler.
+  --enable-android-log    enable Android specific logger plugin.
   --enable-maemo          enable Maemo specific plugin.
-  --enable-nm             enable NetworkManager plugin.
+  --enable-nm             enable NetworkManager backend.
   --enable-ha             enable high availability cluster plugin.
   --enable-whitelist      enable peer identity whitelisting plugin.
+  --enable-lookip         enable fast virtual IP lookup and notification
+                          plugin.
+  --enable-error-notify   enable error notification plugin.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
+  --enable-systime-fix    enable plugin to handle cert lifetimes with invalid
+                          system time gracefully.
   --enable-led            enable plugin to control LEDs on IKEv2 activity
                           using the Linux kernel LED subsystem.
   --enable-duplicheck     advanced duplicate checking plugin using liveness
@@ -2155,6 +2162,17 @@ Optional Features:
   --enable-monolithic     build monolithic version of libstrongswan that
                           includes all enabled plugins. Similarly, the plugins
                           of charon are assembled in libcharon.
+  --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
+                          leaks and segfaults.
+  --enable-unwind-backtraces
+                          use libunwind to create backtraces for memory leaks
+                          and segfaults.
+  --enable-unit-tests     enable unit tests using the check test framework.
+  --enable-coverage       enable lcov coverage report generation.
+  --enable-tkm            enable Trusted Key Manager support.
+  --enable-cmd            enable the command line IKE client charon-cmd.
+  --disable-defaults      disable all default plugins (they can be enabled
+                          with their respective --enable options)
   --disable-dependency-tracking  speeds up one-time build
   --enable-dependency-tracking   do not reject slow dependency extractors
   --enable-shared[=PKGS]  build shared libraries [default=yes]
@@ -2166,9 +2184,6 @@ Optional Features:
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
   --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --with-default-pkcs11=arg
-                          set the default PKCS11 library (default:
-                          /usr/lib/opensc-pkcs11.so).
   --with-random-device=arg
                           set the device to read real random data from
                           (default: /dev/random).
@@ -2190,8 +2205,9 @@ Optional Packages:
                           ${ipseclibdir%/}/plugins).
   --with-imcvdir=arg      set the installation path of IMC and IMV dynamic
                           librariers (default: ${ipseclibdir%/}/imcvs).
-  --with-nm-ca-dir=arg    directory the NM plugin uses to look up trusted root
-                          certificates (default: /usr/share/ca-certificates).
+  --with-nm-ca-dir=arg    directory the NM backend uses to look up trusted
+                          root certificates (default:
+                          /usr/share/ca-certificates).
   --with-linux-headers=arg
                           set directory of linux header files to use (default:
                           \${top_srcdir}/src/include).
@@ -2200,23 +2216,40 @@ Optional Packages:
                           220).
   --with-routing-table-prio=arg
                           set priority for IPsec routing table (default: 220).
+  --with-ipsec-script=arg change the name of the ipsec script (default:
+                          ipsec).
+  --with-fips-mode=arg    set openssl FIPS mode: disabled(0), enabled(1),
+                          Suite B enabled(2) (default: 0).
+  --with-tss=arg          set implementation of the Trusted Computing Group's
+                          Software Stack (TSS). Currently the only supported
+                          value is "trousers" (default: no).
   --with-capabilities=arg set capability dropping library. Currently supported
                           values are "libcap" and "native" (default: no).
   --with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in
                           libgmp, if available (default: yes).
+  --with-dev-headers=arg  install strongSwan development headers to directory.
+                          (default: no).
   --with-systemdsystemunitdir=arg
                           directory for systemd service files (default:
                           $systemdsystemunitdir_default).
-  --with-xauth-module=lib set the path to the XAUTH module
   --with-user=user        change user of the daemons to "user" after startup
                           (default is "root").
   --with-group=group      change group of the daemons to "group" after startup
                           (default is "root").
+  --with-charon-udp-port=port
+                          UDP port used by charon locally (default 500). Set
+                          to 0 to allocate randomly.
+  --with-charon-natt-port=port
+                          UDP port used by charon locally in case a NAT is
+                          detected (must be different from charon-udp-port,
+                          default 4500). Set to 0 to allocate randomly.
   --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
   --without-lib-prefix    don't search for libraries in includedir and libdir
-  --with-pic              try to use only PIC/non-PIC objects [default=use
+  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
+  --with-sysroot=DIR Search for dependent libraries within DIR
+                        (or the compiler's sysroot if not specified).
 
 Some influential environment variables:
   PKG_CONFIG  path to pkg-config utility
@@ -2232,8 +2265,9 @@ Some influential environment variables:
   CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
               you have headers in a nonstandard directory <include dir>
   CPP         C preprocessor
-  YACC        The `Yet Another C Compiler' implementation to use. Defaults to
-              the first program found out of: `bison -y', `byacc', `yacc'.
+  YACC        The `Yet Another Compiler Compiler' implementation to use.
+              Defaults to the first program found out of: `bison -y', `byacc',
+              `yacc'.
   YFLAGS      The list of arguments that will be passed by default to $YACC.
               This script will default YFLAGS to the empty string to avoid a
               default value of `-d' given by some make applications.
@@ -2241,9 +2275,6 @@ Some influential environment variables:
   soup_LIBS   linker flags for soup, overriding pkg-config
   xml_CFLAGS  C compiler flags for xml, overriding pkg-config
   xml_LIBS    linker flags for xml, overriding pkg-config
-  axis2c_CFLAGS
-              C compiler flags for axis2c, overriding pkg-config
-  axis2c_LIBS linker flags for axis2c, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
   gtk_LIBS    linker flags for gtk, overriding pkg-config
   maemo_CFLAGS
@@ -2255,6 +2286,9 @@ Some influential environment variables:
               linker flags for pcsclite, overriding pkg-config
   nm_CFLAGS   C compiler flags for nm, overriding pkg-config
   nm_LIBS     linker flags for nm, overriding pkg-config
+  CHECK_CFLAGS
+              C compiler flags for CHECK, overriding pkg-config
+  CHECK_LIBS  linker flags for CHECK, overriding pkg-config
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
@@ -2322,10 +2356,10 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.6.4
-generated by GNU Autoconf 2.67
+strongSwan configure 5.1.0
+generated by GNU Autoconf 2.69
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@@ -2369,7 +2403,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_retval=1
 fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_compile
@@ -2406,7 +2440,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
     ac_retval=1
 fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_cpp
@@ -2448,7 +2482,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
        ac_retval=$ac_status
 fi
   rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_run
@@ -2462,7 +2496,7 @@ ac_fn_c_check_header_compile ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2480,7 +2514,7 @@ fi
 eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_header_compile
 
@@ -2511,7 +2545,7 @@ $as_echo "$ac_try_echo"; } >&5
 	 test ! -s conftest.err
        } && test -s conftest$ac_exeext && {
 	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
+	 test -x conftest$ac_exeext
        }; then :
   ac_retval=0
 else
@@ -2525,7 +2559,7 @@ fi
   # interfere with the next link command; also delete a directory that is
   # left behind by Apple's compiler.  We do this before executing the actions.
   rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
   as_fn_set_status $ac_retval
 
 } # ac_fn_c_try_link
@@ -2538,7 +2572,7 @@ ac_fn_c_check_func ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2593,7 +2627,7 @@ fi
 eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_func
 
@@ -2606,7 +2640,7 @@ ac_fn_c_check_type ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=no"
@@ -2647,10 +2681,56 @@ fi
 eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_type
 
+# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES
+# ---------------------------------------------
+# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
+# accordingly.
+ac_fn_c_check_decl ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  as_decl_name=`echo $2|sed 's/ *(.*//'`
+  as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'`
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5
+$as_echo_n "checking whether $as_decl_name is declared... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+#ifndef $as_decl_name
+#ifdef __cplusplus
+  (void) $as_decl_use;
+#else
+  (void) $as_decl_name;
+#endif
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$3=yes"
+else
+  eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_decl
+
 # ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
 # -------------------------------------------------------
 # Tests whether HEADER exists, giving a warning if it cannot be compiled using
@@ -2659,10 +2739,10 @@ $as_echo "$ac_res" >&6; }
 ac_fn_c_check_header_mongrel ()
 {
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  if eval "test \"\${$3+set}\"" = set; then :
+  if eval \${$3+:} false; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 fi
 eval ac_res=\$$3
@@ -2725,7 +2805,7 @@ $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
 esac
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if eval "test \"\${$3+set}\"" = set; then :
+if eval \${$3+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=\$ac_header_compiler"
@@ -2734,7 +2814,7 @@ eval ac_res=\$$3
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
 fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_header_mongrel
 
@@ -2747,7 +2827,7 @@ ac_fn_c_check_member ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
 $as_echo_n "checking for $2.$3... " >&6; }
-if eval "test \"\${$4+set}\"" = set; then :
+if eval \${$4+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2791,15 +2871,15 @@ fi
 eval ac_res=\$$4
 	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 $as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_member
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.6.4, which was
-generated by GNU Autoconf 2.67.  Invocation command line was
+It was created by strongSwan $as_me 5.1.0, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
 
@@ -3057,7 +3137,7 @@ $as_echo "$as_me: loading site script $ac_site_file" >&6;}
       || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "failed to load site script $ac_site_file
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
   fi
 done
 
@@ -3194,7 +3274,7 @@ ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
 $as_echo_n "checking for a BSD-compatible install... " >&6; }
 if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then :
+if ${ac_cv_path_install+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -3214,7 +3294,7 @@ case $as_dir/ in #((
     # by default.
     for ac_prog in ginstall scoinst install; do
       for ac_exec_ext in '' $ac_executable_extensions; do
-	if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+	if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
 	  if test $ac_prog = install &&
 	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
 	    # AIX install.  It has an incompatible calling convention.
@@ -3281,11 +3361,11 @@ am_lf='
 '
 case `pwd` in
   *[\\\"\#\$\&\'\`$am_lf]*)
-    as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5 ;;
+    as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;;
 esac
 case $srcdir in
   *[\\\"\#\$\&\'\`$am_lf\ \	]*)
-    as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5 ;;
+    as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;;
 esac
 
 # Do `set' in a subshell so we don't clobber the current shell's
@@ -3371,7 +3451,7 @@ if test "$cross_compiling" != no; then
 set dummy ${ac_tool_prefix}strip; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then :
+if ${ac_cv_prog_STRIP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$STRIP"; then
@@ -3383,7 +3463,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3411,7 +3491,7 @@ if test -z "$ac_cv_prog_STRIP"; then
 set dummy strip; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_STRIP"; then
@@ -3423,7 +3503,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_STRIP="strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3464,7 +3544,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5
 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; }
 if test -z "$MKDIR_P"; then
-  if test "${ac_cv_path_mkdir+set}" = set; then :
+  if ${ac_cv_path_mkdir+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -3474,7 +3554,7 @@ do
   test -z "$as_dir" && as_dir=.
     for ac_prog in mkdir gmkdir; do
 	 for ac_exec_ext in '' $ac_executable_extensions; do
-	   { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
+	   as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
 	   case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
 	     'mkdir (GNU coreutils) '* | \
 	     'mkdir (coreutils) '* | \
@@ -3515,7 +3595,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then :
+if ${ac_cv_prog_AWK+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AWK"; then
@@ -3527,7 +3607,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_AWK="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3555,7 +3635,7 @@ done
 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
 set x ${MAKE-make}
 ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
-if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then :
+if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat >conftest.make <<\_ACEOF
@@ -3613,7 +3693,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.6.4'
+ VERSION='5.1.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3643,9 +3723,9 @@ MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
 
 # We need awk for the "check" target.  The system "awk" is bad on
 # some platforms.
-# Always define AMTAR for backward compatibility.
-
-AMTAR=${AMTAR-"${am_missing_run}tar"}
+# Always define AMTAR for backward compatibility.  Yes, it's still used
+# in the wild :-(  We should find a proper way to deprecate it ...
+AMTAR='$${TAR-tar}'
 
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to create a ustar tar archive" >&5
@@ -3721,7 +3801,7 @@ do
 done
 rm -rf conftest.dir
 
-if test "${am_cv_prog_tar_ustar+set}" = set; then :
+if ${am_cv_prog_tar_ustar+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   am_cv_prog_tar_ustar=$_am_tool
@@ -3734,6 +3814,51 @@ $as_echo "$am_cv_prog_tar_ustar" >&6; }
 
 
 
+# Check whether --enable-silent-rules was given.
+if test "${enable_silent_rules+set}" = set; then :
+  enableval=$enable_silent_rules;
+fi
+
+case $enable_silent_rules in
+yes) AM_DEFAULT_VERBOSITY=0;;
+no)  AM_DEFAULT_VERBOSITY=1;;
+*)   AM_DEFAULT_VERBOSITY=1;;
+esac
+am_make=${MAKE-make}
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5
+$as_echo_n "checking whether $am_make supports nested variables... " >&6; }
+if ${am_cv_make_support_nested_variables+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if $as_echo 'TRUE=$(BAR$(V))
+BAR0=false
+BAR1=true
+V=1
+am__doit:
+	@$(TRUE)
+.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then
+  am_cv_make_support_nested_variables=yes
+else
+  am_cv_make_support_nested_variables=no
+fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5
+$as_echo "$am_cv_make_support_nested_variables" >&6; }
+if test $am_cv_make_support_nested_variables = yes; then
+    AM_V='$(V)'
+  AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
+else
+  AM_V=$AM_DEFAULT_VERBOSITY
+  AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
+fi
+AM_BACKSLASH='\'
+
+
+ac_config_headers="$ac_config_headers config.h"
+
+
+$as_echo "#define CONFIG_H_INCLUDED /**/" >>confdefs.h
+
 
 
 
@@ -3747,7 +3872,7 @@ if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PKG_CONFIG+set}" = set; then :
+if ${ac_cv_path_PKG_CONFIG+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $PKG_CONFIG in
@@ -3761,7 +3886,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3790,7 +3915,7 @@ if test -z "$ac_cv_path_PKG_CONFIG"; then
 set dummy pkg-config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then :
+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $ac_pt_PKG_CONFIG in
@@ -3804,7 +3929,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -3855,6 +3980,9 @@ $as_echo "no" >&6; }
 	fi
 fi
 
+# =================================
+#  check --enable-xxx & --with-xxx
+# =================================
 
 
 # ARG_WITH_SUBST(option, default, help)
@@ -3869,18 +3997,6 @@ fi
 
 
 
-# Check whether --with-default-pkcs11 was given.
-if test "${with_default_pkcs11+set}" = set; then :
-  withval=$with_default_pkcs11; default_pkcs11="$withval"
-
-else
-  default_pkcs11="/usr/lib/opensc-pkcs11.so"
-
-
-fi
-
-
-
 # Check whether --with-random-device was given.
 if test "${with_random_device+set}" = set; then :
   withval=$with_random_device; random_device="$withval"
@@ -4037,6 +4153,40 @@ fi
 
 
 
+# Check whether --with-ipsec-script was given.
+if test "${with_ipsec_script+set}" = set; then :
+  withval=$with_ipsec_script; ipsec_script="$withval"
+
+else
+  ipsec_script="ipsec"
+
+
+fi
+
+
+
+# Check whether --with-fips-mode was given.
+if test "${with_fips_mode+set}" = set; then :
+  withval=$with_fips_mode; fips_mode="$withval"
+
+else
+  fips_mode="0"
+
+
+fi
+
+
+
+
+# Check whether --with-tss was given.
+if test "${with_tss+set}" = set; then :
+  withval=$with_tss; tss="$withval"
+else
+  tss=no
+
+fi
+
+
 
 # Check whether --with-capabilities was given.
 if test "${with_capabilities+set}" = set; then :
@@ -4058,6 +4208,16 @@ fi
 
 
 
+# Check whether --with-dev-headers was given.
+if test "${with_dev_headers+set}" = set; then :
+  withval=$with_dev_headers; dev_headers="$withval"
+else
+  dev_headers=no
+
+fi
+
+
+
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
 fi
@@ -4082,22 +4242,14 @@ fi
 
 
 
-# Check whether --with-xauth-module was given.
-if test "${with_xauth_module+set}" = set; then :
-  withval=$with_xauth_module; cat >>confdefs.h <<_ACEOF
-#define XAUTH_DEFAULT_LIB "$withval"
-_ACEOF
-
-fi
-
-
-
 # Check whether --with-user was given.
 if test "${with_user+set}" = set; then :
-  withval=$with_user; cat >>confdefs.h <<_ACEOF
+  withval=$with_user;
+cat >>confdefs.h <<_ACEOF
 #define IPSEC_USER "$withval"
 _ACEOF
- ipsecuser="$withval"
+
+	 ipsecuser="$withval"
 
 else
   ipsecuser="root"
@@ -4109,10 +4261,12 @@ fi
 
 # Check whether --with-group was given.
 if test "${with_group+set}" = set; then :
-  withval=$with_group; cat >>confdefs.h <<_ACEOF
+  withval=$with_group;
+cat >>confdefs.h <<_ACEOF
 #define IPSEC_GROUP "$withval"
 _ACEOF
- ipsecgroup="$withval"
+
+	 ipsecgroup="$withval"
 
 else
   ipsecgroup="root"
@@ -4122,6 +4276,53 @@ fi
 
 
 
+# Check whether --with-charon-udp-port was given.
+if test "${with_charon_udp_port+set}" = set; then :
+  withval=$with_charon_udp_port;
+cat >>confdefs.h <<_ACEOF
+#define CHARON_UDP_PORT $withval
+_ACEOF
+
+	 charon_udp_port=$withval
+
+else
+  charon_udp_port=500
+
+
+fi
+
+
+
+# Check whether --with-charon-natt-port was given.
+if test "${with_charon_natt_port+set}" = set; then :
+  withval=$with_charon_natt_port;
+cat >>confdefs.h <<_ACEOF
+#define CHARON_NATT_PORT $withval
+_ACEOF
+
+	 charon_natt_port=$withval
+
+else
+  charon_natt_port=4500
+
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking configured UDP ports ($charon_udp_port, $charon_natt_port)" >&5
+$as_echo_n "checking configured UDP ports ($charon_udp_port, $charon_natt_port)... " >&6; }
+if test x$charon_udp_port != x0 -a x$charon_udp_port = x$charon_natt_port; then
+	as_fn_error $? "the ports have to be different" "$LINENO" 5
+else
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
+$as_echo "ok" >&6; }
+fi
+
+# convert script name to uppercase
+ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z`
+
+
+
 # ARG_ENABL_SET(option, help)
 # ---------------------------
 # Create a --enable-$1 option with helptext, set a variable $1 to true/false
@@ -4130,6 +4331,7 @@ fi
 # ARG_DISBL_SET(option, help)
 # ---------------------------
 # Create a --disable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $enabled_by_default
 
 
 
@@ -4148,6 +4350,21 @@ else
 fi
 
 
+# Check whether --enable-unbound was given.
+if test "${enable_unbound+set}" = set; then :
+  enableval=$enable_unbound; unbound_given=true
+		if test x$enableval = xyes; then
+			unbound=true
+		 else
+			unbound=false
+		fi
+else
+  unbound=false
+		unbound_given=false
+
+fi
+
+
 # Check whether --enable-soup was given.
 if test "${enable_soup+set}" = set; then :
   enableval=$enable_soup; soup_given=true
@@ -4192,6 +4409,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" aes"
 
 # Check whether --enable-des was given.
 if test "${enable_des+set}" = set; then :
@@ -4207,6 +4425,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" des"
 
 # Check whether --enable-blowfish was given.
 if test "${enable_blowfish+set}" = set; then :
@@ -4223,6 +4442,22 @@ else
 fi
 
 
+# Check whether --enable-rc2 was given.
+if test "${enable_rc2+set}" = set; then :
+  enableval=$enable_rc2; rc2_given=true
+		if test x$enableval = xyes; then
+			rc2=true
+		 else
+			rc2=false
+		fi
+else
+  rc2=true
+		rc2_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" rc2"
+
 # Check whether --enable-md4 was given.
 if test "${enable_md4+set}" = set; then :
   enableval=$enable_md4; md4_given=true
@@ -4252,6 +4487,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" md5"
 
 # Check whether --enable-sha1 was given.
 if test "${enable_sha1+set}" = set; then :
@@ -4267,6 +4503,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" sha1"
 
 # Check whether --enable-sha2 was given.
 if test "${enable_sha2+set}" = set; then :
@@ -4282,6 +4519,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" sha2"
 
 # Check whether --enable-fips-prf was given.
 if test "${enable_fips_prf+set}" = set; then :
@@ -4297,6 +4535,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" fips_prf"
 
 # Check whether --enable-gmp was given.
 if test "${enable_gmp+set}" = set; then :
@@ -4312,6 +4551,22 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" gmp"
+
+# Check whether --enable-rdrand was given.
+if test "${enable_rdrand+set}" = set; then :
+  enableval=$enable_rdrand; rdrand_given=true
+		if test x$enableval = xyes; then
+			rdrand=true
+		 else
+			rdrand=false
+		fi
+else
+  rdrand=false
+		rdrand_given=false
+
+fi
+
 
 # Check whether --enable-random was given.
 if test "${enable_random+set}" = set; then :
@@ -4327,6 +4582,23 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" random"
+
+# Check whether --enable-nonce was given.
+if test "${enable_nonce+set}" = set; then :
+  enableval=$enable_nonce; nonce_given=true
+		if test x$enableval = xyes; then
+			nonce=true
+		 else
+			nonce=false
+		fi
+else
+  nonce=true
+		nonce_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" nonce"
 
 # Check whether --enable-x509 was given.
 if test "${enable_x509+set}" = set; then :
@@ -4342,6 +4614,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" x509"
 
 # Check whether --enable-revocation was given.
 if test "${enable_revocation+set}" = set; then :
@@ -4357,6 +4630,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" revocation"
 
 # Check whether --enable-constraints was given.
 if test "${enable_constraints+set}" = set; then :
@@ -4372,6 +4646,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" constraints"
 
 # Check whether --enable-pubkey was given.
 if test "${enable_pubkey+set}" = set; then :
@@ -4387,6 +4662,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pubkey"
 
 # Check whether --enable-pkcs1 was given.
 if test "${enable_pkcs1+set}" = set; then :
@@ -4402,6 +4678,23 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pkcs1"
+
+# Check whether --enable-pkcs7 was given.
+if test "${enable_pkcs7+set}" = set; then :
+  enableval=$enable_pkcs7; pkcs7_given=true
+		if test x$enableval = xyes; then
+			pkcs7=true
+		 else
+			pkcs7=false
+		fi
+else
+  pkcs7=true
+		pkcs7_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" pkcs7"
 
 # Check whether --enable-pkcs8 was given.
 if test "${enable_pkcs8+set}" = set; then :
@@ -4417,6 +4710,23 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pkcs8"
+
+# Check whether --enable-pkcs12 was given.
+if test "${enable_pkcs12+set}" = set; then :
+  enableval=$enable_pkcs12; pkcs12_given=true
+		if test x$enableval = xyes; then
+			pkcs12=true
+		 else
+			pkcs12=false
+		fi
+else
+  pkcs12=true
+		pkcs12_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" pkcs12"
 
 # Check whether --enable-pgp was given.
 if test "${enable_pgp+set}" = set; then :
@@ -4432,6 +4742,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pgp"
 
 # Check whether --enable-dnskey was given.
 if test "${enable_dnskey+set}" = set; then :
@@ -4447,6 +4758,38 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" dnskey"
+
+# Check whether --enable-sshkey was given.
+if test "${enable_sshkey+set}" = set; then :
+  enableval=$enable_sshkey; sshkey_given=true
+		if test x$enableval = xyes; then
+			sshkey=true
+		 else
+			sshkey=false
+		fi
+else
+  sshkey=true
+		sshkey_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" sshkey"
+
+# Check whether --enable-ipseckey was given.
+if test "${enable_ipseckey+set}" = set; then :
+  enableval=$enable_ipseckey; ipseckey_given=true
+		if test x$enableval = xyes; then
+			ipseckey=true
+		 else
+			ipseckey=false
+		fi
+else
+  ipseckey=false
+		ipseckey_given=false
+
+fi
+
 
 # Check whether --enable-pem was given.
 if test "${enable_pem+set}" = set; then :
@@ -4462,6 +4805,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" pem"
 
 # Check whether --enable-hmac was given.
 if test "${enable_hmac+set}" = set; then :
@@ -4477,6 +4821,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" hmac"
 
 # Check whether --enable-cmac was given.
 if test "${enable_cmac+set}" = set; then :
@@ -4492,6 +4837,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" cmac"
 
 # Check whether --enable-xcbc was given.
 if test "${enable_xcbc+set}" = set; then :
@@ -4507,6 +4853,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" xcbc"
 
 # Check whether --enable-af-alg was given.
 if test "${enable_af_alg+set}" = set; then :
@@ -4582,6 +4929,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" stroke"
 
 # Check whether --enable-medsrv was given.
 if test "${enable_medsrv+set}" = set; then :
@@ -4643,36 +4991,6 @@ else
 fi
 
 
-# Check whether --enable-smartcard was given.
-if test "${enable_smartcard+set}" = set; then :
-  enableval=$enable_smartcard; smartcard_given=true
-		if test x$enableval = xyes; then
-			smartcard=true
-		 else
-			smartcard=false
-		fi
-else
-  smartcard=false
-		smartcard_given=false
-
-fi
-
-
-# Check whether --enable-cisco-quirks was given.
-if test "${enable_cisco_quirks+set}" = set; then :
-  enableval=$enable_cisco_quirks; cisco_quirks_given=true
-		if test x$enableval = xyes; then
-			cisco_quirks=true
-		 else
-			cisco_quirks=false
-		fi
-else
-  cisco_quirks=false
-		cisco_quirks_given=false
-
-fi
-
-
 # Check whether --enable-leak-detective was given.
 if test "${enable_leak_detective+set}" = set; then :
   enableval=$enable_leak_detective; leak_detective_given=true
@@ -4973,6 +5291,21 @@ else
 fi
 
 
+# Check whether --enable-eap-dynamic was given.
+if test "${enable_eap_dynamic+set}" = set; then :
+  enableval=$enable_eap_dynamic; eap_dynamic_given=true
+		if test x$enableval = xyes; then
+			eap_dynamic=true
+		 else
+			eap_dynamic=false
+		fi
+else
+  eap_dynamic=false
+		eap_dynamic_given=false
+
+fi
+
+
 # Check whether --enable-eap-radius was given.
 if test "${enable_eap_radius+set}" = set; then :
   enableval=$enable_eap_radius; eap_radius_given=true
@@ -4988,6 +5321,67 @@ else
 fi
 
 
+# Check whether --enable-xauth-generic was given.
+if test "${enable_xauth_generic+set}" = set; then :
+  enableval=$enable_xauth_generic; xauth_generic_given=true
+		if test x$enableval = xyes; then
+			xauth_generic=true
+		 else
+			xauth_generic=false
+		fi
+else
+  xauth_generic=true
+		xauth_generic_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" xauth_generic"
+
+# Check whether --enable-xauth-eap was given.
+if test "${enable_xauth_eap+set}" = set; then :
+  enableval=$enable_xauth_eap; xauth_eap_given=true
+		if test x$enableval = xyes; then
+			xauth_eap=true
+		 else
+			xauth_eap=false
+		fi
+else
+  xauth_eap=false
+		xauth_eap_given=false
+
+fi
+
+
+# Check whether --enable-xauth-pam was given.
+if test "${enable_xauth_pam+set}" = set; then :
+  enableval=$enable_xauth_pam; xauth_pam_given=true
+		if test x$enableval = xyes; then
+			xauth_pam=true
+		 else
+			xauth_pam=false
+		fi
+else
+  xauth_pam=false
+		xauth_pam_given=false
+
+fi
+
+
+# Check whether --enable-xauth-noauth was given.
+if test "${enable_xauth_noauth+set}" = set; then :
+  enableval=$enable_xauth_noauth; xauth_noauth_given=true
+		if test x$enableval = xyes; then
+			xauth_noauth=true
+		 else
+			xauth_noauth=false
+		fi
+else
+  xauth_noauth=false
+		xauth_noauth_given=false
+
+fi
+
+
 # Check whether --enable-tnc-ifmap was given.
 if test "${enable_tnc_ifmap+set}" = set; then :
   enableval=$enable_tnc_ifmap; tnc_ifmap_given=true
@@ -5153,6 +5547,36 @@ else
 fi
 
 
+# Check whether --enable-imc-os was given.
+if test "${enable_imc_os+set}" = set; then :
+  enableval=$enable_imc_os; imc_os_given=true
+		if test x$enableval = xyes; then
+			imc_os=true
+		 else
+			imc_os=false
+		fi
+else
+  imc_os=false
+		imc_os_given=false
+
+fi
+
+
+# Check whether --enable-imv-os was given.
+if test "${enable_imv_os+set}" = set; then :
+  enableval=$enable_imv_os; imv_os_given=true
+		if test x$enableval = xyes; then
+			imv_os=true
+		 else
+			imv_os=false
+		fi
+else
+  imv_os=false
+		imv_os_given=false
+
+fi
+
+
 # Check whether --enable-imc-attestation was given.
 if test "${enable_imc_attestation+set}" = set; then :
   enableval=$enable_imc_attestation; imc_attestation_given=true
@@ -5197,6 +5621,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" kernel_netlink"
 
 # Check whether --enable-kernel-pfkey was given.
 if test "${enable_kernel_pfkey+set}" = set; then :
@@ -5243,36 +5668,52 @@ else
 fi
 
 
-# Check whether --enable-socket-default was given.
-if test "${enable_socket_default+set}" = set; then :
-  enableval=$enable_socket_default; socket_default_given=true
+# Check whether --enable-kernel-libipsec was given.
+if test "${enable_kernel_libipsec+set}" = set; then :
+  enableval=$enable_kernel_libipsec; kernel_libipsec_given=true
 		if test x$enableval = xyes; then
-			socket_default=true
+			kernel_libipsec=true
 		 else
-			socket_default=false
+			kernel_libipsec=false
 		fi
 else
-  socket_default=true
-		socket_default_given=false
+  kernel_libipsec=false
+		kernel_libipsec_given=false
 
 fi
 
 
-# Check whether --enable-socket-raw was given.
-if test "${enable_socket_raw+set}" = set; then :
-  enableval=$enable_socket_raw; socket_raw_given=true
+# Check whether --enable-libipsec was given.
+if test "${enable_libipsec+set}" = set; then :
+  enableval=$enable_libipsec; libipsec_given=true
 		if test x$enableval = xyes; then
-			socket_raw=true
+			libipsec=true
 		 else
-			socket_raw=false
+			libipsec=false
 		fi
 else
-  socket_raw=false
-		socket_raw_given=false
+  libipsec=false
+		libipsec_given=false
 
 fi
 
 
+# Check whether --enable-socket-default was given.
+if test "${enable_socket_default+set}" = set; then :
+  enableval=$enable_socket_default; socket_default_given=true
+		if test x$enableval = xyes; then
+			socket_default=true
+		 else
+			socket_default=false
+		fi
+else
+  socket_default=true
+		socket_default_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" socket_default"
+
 # Check whether --enable-socket-dynamic was given.
 if test "${enable_socket_dynamic+set}" = set; then :
   enableval=$enable_socket_dynamic; socket_dynamic_given=true
@@ -5303,51 +5744,6 @@ else
 fi
 
 
-# Check whether --enable-nat-transport was given.
-if test "${enable_nat_transport+set}" = set; then :
-  enableval=$enable_nat_transport; nat_transport_given=true
-		if test x$enableval = xyes; then
-			nat_transport=true
-		 else
-			nat_transport=false
-		fi
-else
-  nat_transport=false
-		nat_transport_given=false
-
-fi
-
-
-# Check whether --enable-vendor-id was given.
-if test "${enable_vendor_id+set}" = set; then :
-  enableval=$enable_vendor_id; vendor_id_given=true
-		if test x$enableval = xyes; then
-			vendor_id=true
-		 else
-			vendor_id=false
-		fi
-else
-  vendor_id=true
-		vendor_id_given=false
-
-fi
-
-
-# Check whether --enable-xauth-vid was given.
-if test "${enable_xauth_vid+set}" = set; then :
-  enableval=$enable_xauth_vid; xauth_vid_given=true
-		if test x$enableval = xyes; then
-			xauth_vid=true
-		 else
-			xauth_vid=false
-		fi
-else
-  xauth_vid=true
-		xauth_vid_given=false
-
-fi
-
-
 # Check whether --enable-dumm was given.
 if test "${enable_dumm+set}" = set; then :
   enableval=$enable_dumm; dumm_given=true
@@ -5437,66 +5833,39 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" load_warning"
 
-# Check whether --enable-pluto was given.
-if test "${enable_pluto+set}" = set; then :
-  enableval=$enable_pluto; pluto_given=true
+# Check whether --enable-ikev1 was given.
+if test "${enable_ikev1+set}" = set; then :
+  enableval=$enable_ikev1; ikev1_given=true
 		if test x$enableval = xyes; then
-			pluto=true
+			ikev1=true
 		 else
-			pluto=false
+			ikev1=false
 		fi
 else
-  pluto=true
-		pluto_given=false
+  ikev1=true
+		ikev1_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev1"
 
-# Check whether --enable-xauth was given.
-if test "${enable_xauth+set}" = set; then :
-  enableval=$enable_xauth; xauth_given=true
+# Check whether --enable-ikev2 was given.
+if test "${enable_ikev2+set}" = set; then :
+  enableval=$enable_ikev2; ikev2_given=true
 		if test x$enableval = xyes; then
-			xauth=true
+			ikev2=true
 		 else
-			xauth=false
+			ikev2=false
 		fi
 else
-  xauth=true
-		xauth_given=false
-
-fi
-
-
-# Check whether --enable-threads was given.
-if test "${enable_threads+set}" = set; then :
-  enableval=$enable_threads; threads_given=true
-		if test x$enableval = xyes; then
-			threads=true
-		 else
-			threads=false
-		fi
-else
-  threads=true
-		threads_given=false
-
-fi
-
-
-# Check whether --enable-adns was given.
-if test "${enable_adns+set}" = set; then :
-  enableval=$enable_adns; adns_given=true
-		if test x$enableval = xyes; then
-			adns=true
-		 else
-			adns=false
-		fi
-else
-  adns=true
-		adns_given=false
+  ikev2=true
+		ikev2_given=false
 
 fi
 
+	enabled_by_default=${enabled_by_default}" ikev2"
 
 # Check whether --enable-charon was given.
 if test "${enable_charon+set}" = set; then :
@@ -5512,6 +5881,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" charon"
 
 # Check whether --enable-tools was given.
 if test "${enable_tools+set}" = set; then :
@@ -5527,6 +5897,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" tools"
 
 # Check whether --enable-scripts was given.
 if test "${enable_scripts+set}" = set; then :
@@ -5542,6 +5913,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" scripts"
 
 # Check whether --enable-conftest was given.
 if test "${enable_conftest+set}" = set; then :
@@ -5572,6 +5944,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" updown"
 
 # Check whether --enable-attr was given.
 if test "${enable_attr+set}" = set; then :
@@ -5587,6 +5960,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" attr"
 
 # Check whether --enable-attr-sql was given.
 if test "${enable_attr_sql+set}" = set; then :
@@ -5632,6 +6006,7 @@ else
 
 fi
 
+	enabled_by_default=${enabled_by_default}" resolve"
 
 # Check whether --enable-padlock was given.
 if test "${enable_padlock+set}" = set; then :
@@ -5693,6 +6068,21 @@ else
 fi
 
 
+# Check whether --enable-keychain was given.
+if test "${enable_keychain+set}" = set; then :
+  enableval=$enable_keychain; keychain_given=true
+		if test x$enableval = xyes; then
+			keychain=true
+		 else
+			keychain=false
+		fi
+else
+  keychain=false
+		keychain_given=false
+
+fi
+
+
 # Check whether --enable-pkcs11 was given.
 if test "${enable_pkcs11+set}" = set; then :
   enableval=$enable_pkcs11; pkcs11_given=true
@@ -5768,6 +6158,21 @@ else
 fi
 
 
+# Check whether --enable-unity was given.
+if test "${enable_unity+set}" = set; then :
+  enableval=$enable_unity; unity_given=true
+		if test x$enableval = xyes; then
+			unity=true
+		 else
+			unity=false
+		fi
+else
+  unity=false
+		unity_given=false
+
+fi
+
+
 # Check whether --enable-uci was given.
 if test "${enable_uci+set}" = set; then :
   enableval=$enable_uci; uci_given=true
@@ -5783,17 +6188,47 @@ else
 fi
 
 
-# Check whether --enable-android was given.
-if test "${enable_android+set}" = set; then :
-  enableval=$enable_android; android_given=true
+# Check whether --enable-osx-attr was given.
+if test "${enable_osx_attr+set}" = set; then :
+  enableval=$enable_osx_attr; osx_attr_given=true
 		if test x$enableval = xyes; then
-			android=true
+			osx_attr=true
 		 else
-			android=false
+			osx_attr=false
 		fi
 else
-  android=false
-		android_given=false
+  osx_attr=false
+		osx_attr_given=false
+
+fi
+
+
+# Check whether --enable-android-dns was given.
+if test "${enable_android_dns+set}" = set; then :
+  enableval=$enable_android_dns; android_dns_given=true
+		if test x$enableval = xyes; then
+			android_dns=true
+		 else
+			android_dns=false
+		fi
+else
+  android_dns=false
+		android_dns_given=false
+
+fi
+
+
+# Check whether --enable-android-log was given.
+if test "${enable_android_log+set}" = set; then :
+  enableval=$enable_android_log; android_log_given=true
+		if test x$enableval = xyes; then
+			android_log=true
+		 else
+			android_log=false
+		fi
+else
+  android_log=false
+		android_log_given=false
 
 fi
 
@@ -5858,6 +6293,36 @@ else
 fi
 
 
+# Check whether --enable-lookip was given.
+if test "${enable_lookip+set}" = set; then :
+  enableval=$enable_lookip; lookip_given=true
+		if test x$enableval = xyes; then
+			lookip=true
+		 else
+			lookip=false
+		fi
+else
+  lookip=false
+		lookip_given=false
+
+fi
+
+
+# Check whether --enable-error-notify was given.
+if test "${enable_error_notify+set}" = set; then :
+  enableval=$enable_error_notify; error_notify_given=true
+		if test x$enableval = xyes; then
+			error_notify=true
+		 else
+			error_notify=false
+		fi
+else
+  error_notify=false
+		error_notify_given=false
+
+fi
+
+
 # Check whether --enable-certexpire was given.
 if test "${enable_certexpire+set}" = set; then :
   enableval=$enable_certexpire; certexpire_given=true
@@ -5873,6 +6338,21 @@ else
 fi
 
 
+# Check whether --enable-systime-fix was given.
+if test "${enable_systime_fix+set}" = set; then :
+  enableval=$enable_systime_fix; systime_fix_given=true
+		if test x$enableval = xyes; then
+			systime_fix=true
+		 else
+			systime_fix=false
+		fi
+else
+  systime_fix=false
+		systime_fix_given=false
+
+fi
+
+
 # Check whether --enable-led was given.
 if test "${enable_led+set}" = set; then :
   enableval=$enable_led; led_given=true
@@ -5963,7 +6443,128 @@ else
 fi
 
 
+# Check whether --enable-bfd-backtraces was given.
+if test "${enable_bfd_backtraces+set}" = set; then :
+  enableval=$enable_bfd_backtraces; bfd_backtraces_given=true
+		if test x$enableval = xyes; then
+			bfd_backtraces=true
+		 else
+			bfd_backtraces=false
+		fi
+else
+  bfd_backtraces=false
+		bfd_backtraces_given=false
+
+fi
+
+
+# Check whether --enable-unwind-backtraces was given.
+if test "${enable_unwind_backtraces+set}" = set; then :
+  enableval=$enable_unwind_backtraces; unwind_backtraces_given=true
+		if test x$enableval = xyes; then
+			unwind_backtraces=true
+		 else
+			unwind_backtraces=false
+		fi
+else
+  unwind_backtraces=false
+		unwind_backtraces_given=false
+
+fi
+
+
+# Check whether --enable-unit-tests was given.
+if test "${enable_unit_tests+set}" = set; then :
+  enableval=$enable_unit_tests; unit_tests_given=true
+		if test x$enableval = xyes; then
+			unit_tests=true
+		 else
+			unit_tests=false
+		fi
+else
+  unit_tests=false
+		unit_tests_given=false
+
+fi
+
+
+# Check whether --enable-coverage was given.
+if test "${enable_coverage+set}" = set; then :
+  enableval=$enable_coverage; coverage_given=true
+		if test x$enableval = xyes; then
+			coverage=true
+		 else
+			coverage=false
+		fi
+else
+  coverage=false
+		coverage_given=false
+
+fi
+
+
+# Check whether --enable-tkm was given.
+if test "${enable_tkm+set}" = set; then :
+  enableval=$enable_tkm; tkm_given=true
+		if test x$enableval = xyes; then
+			tkm=true
+		 else
+			tkm=false
+		fi
+else
+  tkm=false
+		tkm_given=false
+
+fi
+
+
+# Check whether --enable-cmd was given.
+if test "${enable_cmd+set}" = set; then :
+  enableval=$enable_cmd; cmd_given=true
+		if test x$enableval = xyes; then
+			cmd=true
+		 else
+			cmd=false
+		fi
+else
+  cmd=false
+		cmd_given=false
+
+fi
+
+
 
+# ===================================
+#  option to disable default options
+# ===================================
+
+# Check whether --enable-defaults was given.
+if test "${enable_defaults+set}" = set; then :
+  enableval=$enable_defaults; defaults_given=true
+		if test x$enableval = xyes; then
+			defaults=true
+		 else
+			defaults=false
+		fi
+else
+  defaults=true
+		defaults_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" defaults"
+
+
+if test x$defaults = xfalse; then
+	for option in $enabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		let $option=false
+	done
+fi
+
+# ===========================
+#  set up compiler and flags
+# ===========================
 
 if test -z "$CFLAGS"; then
 	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
@@ -5978,7 +6579,7 @@ if test -n "$ac_tool_prefix"; then
 set dummy ${ac_tool_prefix}gcc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -5990,7 +6591,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6018,7 +6619,7 @@ if test -z "$ac_cv_prog_CC"; then
 set dummy gcc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_CC"; then
@@ -6030,7 +6631,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="gcc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6071,7 +6672,7 @@ if test -z "$CC"; then
 set dummy ${ac_tool_prefix}cc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -6083,7 +6684,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6111,7 +6712,7 @@ if test -z "$CC"; then
 set dummy cc; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -6124,7 +6725,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
        ac_prog_rejected=yes
        continue
@@ -6170,7 +6771,7 @@ if test -z "$CC"; then
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_CC+set}" = set; then :
+if ${ac_cv_prog_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$CC"; then
@@ -6182,7 +6783,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6214,7 +6815,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_CC"; then
@@ -6226,7 +6827,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -6269,7 +6870,7 @@ fi
 test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "no acceptable C compiler found in \$PATH
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 
 # Provide some information about the compiler.
 $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
@@ -6384,7 +6985,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error 77 "C compiler cannot create executables
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@@ -6427,7 +7028,7 @@ else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 fi
 rm -f conftest conftest$ac_cv_exeext
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
@@ -6486,7 +7087,7 @@ $as_echo "$ac_try_echo"; } >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "cannot run C compiled programs.
 If you meant to cross compile, use \`--host'.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
     fi
   fi
 fi
@@ -6497,7 +7098,7 @@ rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
 ac_clean_files=$ac_clean_files_save
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
 $as_echo_n "checking for suffix of object files... " >&6; }
-if test "${ac_cv_objext+set}" = set; then :
+if ${ac_cv_objext+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -6538,7 +7139,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "cannot compute suffix of object files: cannot compile
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 fi
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
@@ -6548,7 +7149,7 @@ OBJEXT=$ac_cv_objext
 ac_objext=$OBJEXT
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
-if test "${ac_cv_c_compiler_gnu+set}" = set; then :
+if ${ac_cv_c_compiler_gnu+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -6585,7 +7186,7 @@ ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
 $as_echo_n "checking whether $CC accepts -g... " >&6; }
-if test "${ac_cv_prog_cc_g+set}" = set; then :
+if ${ac_cv_prog_cc_g+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_save_c_werror_flag=$ac_c_werror_flag
@@ -6663,7 +7264,7 @@ else
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
-if test "${ac_cv_prog_cc_c89+set}" = set; then :
+if ${ac_cv_prog_cc_c89+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_cv_prog_cc_c89=no
@@ -6672,8 +7273,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <stdarg.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+struct stat;
 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
 struct buf { int x; };
 FILE * (*rcsopen) (struct buf *, struct stat *, int);
@@ -6809,6 +7409,7 @@ fi
 if test "x$enable_dependency_tracking" != xno; then
   am_depcomp="$ac_aux_dir/depcomp"
   AMDEPBACKSLASH='\'
+  am__nodep='_no'
 fi
  if test "x$enable_dependency_tracking" != xno; then
   AMDEP_TRUE=
@@ -6824,7 +7425,7 @@ depcc="$CC"   am_compiler_list=
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5
 $as_echo_n "checking dependency style of $depcc... " >&6; }
-if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then :
+if ${am_cv_CC_dependencies_compiler_type+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
@@ -6833,6 +7434,7 @@ else
   # instance it was reported that on HP-UX the gcc test will end up
   # making a dummy file named `D' -- because `-MD' means `put the output
   # in D'.
+  rm -rf conftest.dir
   mkdir conftest.dir
   # Copy depcomp to subdir because otherwise we won't find it if we're
   # using a relative directory.
@@ -6892,7 +7494,7 @@ else
 	break
       fi
       ;;
-    msvisualcpp | msvcmsys)
+    msvc7 | msvc7msys | msvisualcpp | msvcmsys)
       # This compiler won't grok `-c -o', but also, the minuso test has
       # not run yet.  These depmodes are late enough in the game, and
       # so weak that their functioning should not be impacted.
@@ -6947,13 +7549,140 @@ else
 fi
 
 
+if test "x$CC" != xcc; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC and cc understand -c and -o together" >&5
+$as_echo_n "checking whether $CC and cc understand -c and -o together... " >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc understands -c and -o together" >&5
+$as_echo_n "checking whether cc understands -c and -o together... " >&6; }
+fi
+set dummy $CC; ac_cc=`$as_echo "$2" |
+		      sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+if eval \${ac_cv_prog_cc_${ac_cc}_c_o+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+# Make sure it works both with $CC and with simple cc.
+# We do the test twice because some compilers refuse to overwrite an
+# existing .o file with -o, though they will create one.
+ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+rm -f conftest2.*
+if { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } &&
+   test -f conftest2.$ac_objext && { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; };
+then
+  eval ac_cv_prog_cc_${ac_cc}_c_o=yes
+  if test "x$CC" != xcc; then
+    # Test first that cc exists at all.
+    if { ac_try='cc -c conftest.$ac_ext >&5'
+  { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+      ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+      rm -f conftest2.*
+      if { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } &&
+	 test -f conftest2.$ac_objext && { { case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; };
+      then
+	# cc works too.
+	:
+      else
+	# cc exists but doesn't like -o.
+	eval ac_cv_prog_cc_${ac_cc}_c_o=no
+      fi
+    fi
+  fi
+else
+  eval ac_cv_prog_cc_${ac_cc}_c_o=no
+fi
+rm -f core conftest*
+
+fi
+if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+$as_echo "#define NO_MINUS_C_MINUS_O 1" >>confdefs.h
+
+fi
+
+# FIXME: we rely on the cache variable name because
+# there is no other way.
+set dummy $CC
+am_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
+if test "$am_t" != yes; then
+   # Losing compiler, so override with the script.
+   # FIXME: It is wrong to rewrite CC.
+   # But if we don't then we get into trouble of one sort or another.
+   # A longer-term fix would be to have automake use am__CC in this case,
+   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+   CC="$am_aux_dir/compile $CC"
+fi
+
+
+
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
   as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
 $as_echo_n "checking build system type... " >&6; }
-if test "${ac_cv_build+set}" = set; then :
+if ${ac_cv_build+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_build_alias=$build_alias
@@ -6969,7 +7698,7 @@ fi
 $as_echo "$ac_cv_build" >&6; }
 case $ac_cv_build in
 *-*-*) ;;
-*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5 ;;
+*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;;
 esac
 build=$ac_cv_build
 ac_save_IFS=$IFS; IFS='-'
@@ -6987,7 +7716,7 @@ case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5
 $as_echo_n "checking host system type... " >&6; }
-if test "${ac_cv_host+set}" = set; then :
+if ${ac_cv_host+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test "x$host_alias" = x; then
@@ -7002,7 +7731,7 @@ fi
 $as_echo "$ac_cv_host" >&6; }
 case $ac_cv_host in
 *-*-*) ;;
-*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5 ;;
+*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;;
 esac
 host=$ac_cv_host
 ac_save_IFS=$IFS; IFS='-'
@@ -7031,7 +7760,7 @@ if test -n "$CPP" && test -d "$CPP"; then
   CPP=
 fi
 if test -z "$CPP"; then
-  if test "${ac_cv_prog_CPP+set}" = set; then :
+  if ${ac_cv_prog_CPP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
       # Double quotes because CPP needs to be expanded
@@ -7147,7 +7876,7 @@ else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 fi
 
 ac_ext=c
@@ -7159,7 +7888,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
 $as_echo_n "checking for grep that handles long lines and -e... " >&6; }
-if test "${ac_cv_path_GREP+set}" = set; then :
+if ${ac_cv_path_GREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$GREP"; then
@@ -7173,7 +7902,7 @@ do
     for ac_prog in grep ggrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+      as_fn_executable_p "$ac_path_GREP" || continue
 # Check for GNU ac_path_GREP and select it if it is found.
   # Check for GNU $ac_path_GREP
 case `"$ac_path_GREP" --version 2>&1` in
@@ -7222,7 +7951,7 @@ $as_echo "$ac_cv_path_GREP" >&6; }
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
 $as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then :
+if ${ac_cv_path_EGREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -7239,7 +7968,7 @@ do
     for ac_prog in egrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+      as_fn_executable_p "$ac_path_EGREP" || continue
 # Check for GNU ac_path_EGREP and select it if it is found.
   # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
@@ -7295,7 +8024,7 @@ $as_echo "$ac_cv_path_EGREP" >&6; }
     solaris*)
                                     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for 64-bit host" >&5
 $as_echo_n "checking for 64-bit host... " >&6; }
-if test "${gl_cv_solaris_64bit+set}" = set; then :
+if ${gl_cv_solaris_64bit+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -7482,7 +8211,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
 $as_echo_n "checking for ANSI C header files... " >&6; }
-if test "${ac_cv_header_stdc+set}" = set; then :
+if ${ac_cv_header_stdc+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -7611,7 +8340,7 @@ done
 
  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5
 $as_echo_n "checking whether byte ordering is bigendian... " >&6; }
-if test "${ac_cv_c_bigendian+set}" = set; then :
+if ${ac_cv_c_bigendian+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_cv_c_bigendian=unknown
@@ -7830,11 +8559,13 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
      ;; #(
    *)
      as_fn_error $? "unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5  ;;
+ presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
  esac
 
 
-
+# =========================
+#  check required programs
+# =========================
 
 case `pwd` in
   *\ * | *\	*)
@@ -7844,8 +8575,8 @@ esac
 
 
 
-macro_version='2.2.6b'
-macro_revision='1.3017'
+macro_version='2.4.2'
+macro_revision='1.3337'
 
 
 
@@ -7861,9 +8592,78 @@ macro_revision='1.3017'
 
 ltmain="$ac_aux_dir/ltmain.sh"
 
+# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\(["`\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to print strings" >&5
+$as_echo_n "checking how to print strings... " >&6; }
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+   test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='printf %s\n'
+else
+  # Use this function as a fallback that always works.
+  func_fallback_echo ()
+  {
+    eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+  }
+  ECHO='func_fallback_echo'
+fi
+
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO ""
+}
+
+case "$ECHO" in
+  printf*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: printf" >&5
+$as_echo "printf" >&6; } ;;
+  print*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: print -r" >&5
+$as_echo "print -r" >&6; } ;;
+  *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: cat" >&5
+$as_echo "cat" >&6; } ;;
+esac
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5
 $as_echo_n "checking for a sed that does not truncate output... " >&6; }
-if test "${ac_cv_path_SED+set}" = set; then :
+if ${ac_cv_path_SED+:} false; then :
   $as_echo_n "(cached) " >&6
 else
             ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
@@ -7883,7 +8683,7 @@ do
     for ac_prog in sed gsed; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_SED="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue
+      as_fn_executable_p "$ac_path_SED" || continue
 # Check for GNU ac_path_SED and select it if it is found.
   # Check for GNU $ac_path_SED
 case `"$ac_path_SED" --version 2>&1` in
@@ -7945,7 +8745,7 @@ Xsed="$SED -e 1s/^X//"
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5
 $as_echo_n "checking for fgrep... " >&6; }
-if test "${ac_cv_path_FGREP+set}" = set; then :
+if ${ac_cv_path_FGREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1
@@ -7962,7 +8762,7 @@ do
     for ac_prog in fgrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue
+      as_fn_executable_p "$ac_path_FGREP" || continue
 # Check for GNU ac_path_FGREP and select it if it is found.
   # Check for GNU $ac_path_FGREP
 case `"$ac_path_FGREP" --version 2>&1` in
@@ -8076,7 +8876,7 @@ else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5
 $as_echo_n "checking for non-GNU ld... " >&6; }
 fi
-if test "${lt_cv_path_LD+set}" = set; then :
+if ${lt_cv_path_LD+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -z "$LD"; then
@@ -8116,7 +8916,7 @@ fi
 test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5
 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
-if test "${lt_cv_prog_gnu_ld+set}" = set; then :
+if ${lt_cv_prog_gnu_ld+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   # I'd rather use --version here, but apparently some GNU lds only accept -v.
@@ -8143,7 +8943,7 @@ with_gnu_ld=$lt_cv_prog_gnu_ld
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5
 $as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; }
-if test "${lt_cv_path_NM+set}" = set; then :
+if ${lt_cv_path_NM+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$NM"; then
@@ -8196,14 +8996,17 @@ if test "$lt_cv_path_NM" != "no"; then
   NM="$lt_cv_path_NM"
 else
   # Didn't find any BSD compatible name lister, look for dumpbin.
-  if test -n "$ac_tool_prefix"; then
-  for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+  if test -n "$DUMPBIN"; then :
+    # Let the user override the test.
+  else
+    if test -n "$ac_tool_prefix"; then
+  for ac_prog in dumpbin "link -dump"
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DUMPBIN+set}" = set; then :
+if ${ac_cv_prog_DUMPBIN+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$DUMPBIN"; then
@@ -8215,7 +9018,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8241,13 +9044,13 @@ fi
 fi
 if test -z "$DUMPBIN"; then
   ac_ct_DUMPBIN=$DUMPBIN
-  for ac_prog in "dumpbin -symbols" "link -dump -symbols"
+  for ac_prog in dumpbin "link -dump"
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DUMPBIN+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DUMPBIN"; then
@@ -8259,7 +9062,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DUMPBIN="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8296,6 +9099,15 @@ esac
   fi
 fi
 
+    case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in
+    *COFF*)
+      DUMPBIN="$DUMPBIN -symbols"
+      ;;
+    *)
+      DUMPBIN=:
+      ;;
+    esac
+  fi
 
   if test "$DUMPBIN" != ":"; then
     NM="$DUMPBIN"
@@ -8310,18 +9122,18 @@ test -z "$NM" && NM=nm
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5
 $as_echo_n "checking the name lister ($NM) interface... " >&6; }
-if test "${lt_cv_nm_interface+set}" = set; then :
+if ${lt_cv_nm_interface+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:8318: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:8321: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:8324: output\"" >&5)
+  (eval echo "\"\$as_me:$LINENO: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8345,7 +9157,7 @@ fi
 # find the maximum length of command line arguments
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5
 $as_echo_n "checking the maximum length of command line arguments... " >&6; }
-if test "${lt_cv_sys_max_cmd_len+set}" = set; then :
+if ${lt_cv_sys_max_cmd_len+:} false; then :
   $as_echo_n "(cached) " >&6
 else
     i=0
@@ -8378,6 +9190,11 @@ else
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
+  mint*)
+    # On MiNT this can take a long time and run out of memory.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
   amigaos*)
     # On AmigaOS with pdksh, this test takes hours, literally.
     # So we just punt and use a minimum line length of 8192.
@@ -8403,6 +9220,11 @@ else
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -8429,7 +9251,8 @@ else
     ;;
   *)
     lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
+    if test -n "$lt_cv_sys_max_cmd_len" && \
+	test undefined != "$lt_cv_sys_max_cmd_len"; then
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
     else
@@ -8442,8 +9265,8 @@ else
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`$SHELL $0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
-	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
+	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
         i=`expr $i + 1`
@@ -8485,8 +9308,8 @@ $as_echo_n "checking whether the shell understands some XSI constructs... " >&6;
 # Try some XSI features
 xsi_shell=no
 ( _lt_dummy="a/b/c"
-  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
-      = c,a/b,, \
+  test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \
+      = c,a/b,b/c, \
     && eval 'test $(( 1 + 1 )) -eq 2 \
     && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
   && xsi_shell=yes
@@ -8535,9 +9358,83 @@ esac
 
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to $host format" >&5
+$as_echo_n "checking how to convert $build file names to $host format... " >&6; }
+if ${lt_cv_to_host_file_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+        ;;
+    esac
+    ;;
+  *-*-cygwin* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_noop
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+        ;;
+    esac
+    ;;
+  * ) # unhandled hosts (and "normal" native builds)
+    lt_cv_to_host_file_cmd=func_convert_file_noop
+    ;;
+esac
+
+fi
+
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_host_file_cmd" >&5
+$as_echo "$lt_cv_to_host_file_cmd" >&6; }
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to toolchain format" >&5
+$as_echo_n "checking how to convert $build file names to toolchain format... " >&6; }
+if ${lt_cv_to_tool_file_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  #assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+        ;;
+    esac
+    ;;
+esac
+
+fi
+
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_tool_file_cmd" >&5
+$as_echo "$lt_cv_to_tool_file_cmd" >&6; }
+
+
+
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5
 $as_echo_n "checking for $LD option to reload object files... " >&6; }
-if test "${lt_cv_ld_reload_flag+set}" = set; then :
+if ${lt_cv_ld_reload_flag+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_reload_flag='-r'
@@ -8551,6 +9448,11 @@ case $reload_flag in
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
 case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    if test "$GCC" != yes; then
+      reload_cmds=false
+    fi
+    ;;
   darwin*)
     if test "$GCC" = yes; then
       reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
@@ -8573,7 +9475,7 @@ if test -n "$ac_tool_prefix"; then
 set dummy ${ac_tool_prefix}objdump; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OBJDUMP+set}" = set; then :
+if ${ac_cv_prog_OBJDUMP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OBJDUMP"; then
@@ -8585,7 +9487,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8613,7 +9515,7 @@ if test -z "$ac_cv_prog_OBJDUMP"; then
 set dummy objdump; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OBJDUMP"; then
@@ -8625,7 +9527,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OBJDUMP="objdump"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -8672,7 +9574,7 @@ test -z "$OBJDUMP" && OBJDUMP=objdump
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5
 $as_echo_n "checking how to recognize dependent libraries... " >&6; }
-if test "${lt_cv_deplibs_check_method+set}" = set; then :
+if ${lt_cv_deplibs_check_method+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_file_magic_cmd='$MAGIC_CMD'
@@ -8714,16 +9616,18 @@ mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
   # func_win32_libid shell function, so use a weaker test based on 'objdump',
   # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
+  # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin.
+  if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then
     lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
     lt_cv_file_magic_cmd='func_win32_libid'
   else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    # Keep this pattern in sync with the one in func_win32_libid.
+    lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
     lt_cv_file_magic_cmd='$OBJDUMP -f'
   fi
   ;;
 
-cegcc)
+cegcc*)
   # use the weaker test based on 'objdump'. See mingw*.
   lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
@@ -8749,7 +9653,7 @@ freebsd* | dragonfly*)
   fi
   ;;
 
-gnu*)
+haiku*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -8761,11 +9665,11 @@ hpux10.20* | hpux11*)
     lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
     ;;
   hppa*64*)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]'
     lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
     ;;
   *)
-    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+    lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9]\.[0-9]) shared library'
     lt_cv_file_magic_test_file=/usr/lib/libc.sl
     ;;
   esac
@@ -8786,8 +9690,8 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -8868,6 +9772,21 @@ esac
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5
 $as_echo "$lt_cv_deplibs_check_method" >&6; }
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+  case $host_os in
+  mingw* | pw32*)
+    if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+      want_nocaseglob=yes
+    else
+      file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[\1]\/[\1]\/g;/g"`
+    fi
+    ;;
+  esac
+fi
+
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -8883,12 +9802,165 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
 
 
 
+
+
+
+
+
+
+
+
+
+
 if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ar; ac_word=$2
+  # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dlltool; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AR+set}" = set; then :
+if ${ac_cv_prog_DLLTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$DLLTOOL"; then
+  ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+DLLTOOL=$ac_cv_prog_DLLTOOL
+if test -n "$DLLTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5
+$as_echo "$DLLTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_DLLTOOL"; then
+  ac_ct_DLLTOOL=$DLLTOOL
+  # Extract the first word of "dlltool", so it can be a program name with args.
+set dummy dlltool; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_DLLTOOL"; then
+  ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_DLLTOOL="dlltool"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL
+if test -n "$ac_ct_DLLTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5
+$as_echo "$ac_ct_DLLTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_DLLTOOL" = x; then
+    DLLTOOL="false"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    DLLTOOL=$ac_ct_DLLTOOL
+  fi
+else
+  DLLTOOL="$ac_cv_prog_DLLTOOL"
+fi
+
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+
+
+
+
+
+
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to associate runtime and link libraries" >&5
+$as_echo_n "checking how to associate runtime and link libraries... " >&6; }
+if ${lt_cv_sharedlib_from_linklib_cmd+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+  # two different shell functions defined in ltmain.sh
+  # decide which to use based on capabilities of $DLLTOOL
+  case `$DLLTOOL --help 2>&1` in
+  *--identify-strict*)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+    ;;
+  *)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+    ;;
+  esac
+  ;;
+*)
+  # fallback: assume linklib IS sharedlib
+  lt_cv_sharedlib_from_linklib_cmd="$ECHO"
+  ;;
+esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sharedlib_from_linklib_cmd" >&5
+$as_echo "$lt_cv_sharedlib_from_linklib_cmd" >&6; }
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+
+
+
+
+
+
+if test -n "$ac_tool_prefix"; then
+  for ac_prog in ar
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_AR+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AR"; then
@@ -8900,8 +9972,8 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_AR="${ac_tool_prefix}ar"
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_AR="$ac_tool_prefix$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8921,14 +9993,18 @@ $as_echo "no" >&6; }
 fi
 
 
+    test -n "$AR" && break
+  done
 fi
-if test -z "$ac_cv_prog_AR"; then
+if test -z "$AR"; then
   ac_ct_AR=$AR
-  # Extract the first word of "ar", so it can be a program name with args.
-set dummy ar; ac_word=$2
+  for ac_prog in ar
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_AR+set}" = set; then :
+if ${ac_cv_prog_ac_ct_AR+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_AR"; then
@@ -8940,8 +10016,8 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_prog_ac_ct_AR="ar"
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_AR="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -8960,6 +10036,10 @@ else
 $as_echo "no" >&6; }
 fi
 
+
+  test -n "$ac_ct_AR" && break
+done
+
   if test "x$ac_ct_AR" = x; then
     AR="false"
   else
@@ -8971,12 +10051,10 @@ ac_tool_warned=yes ;;
 esac
     AR=$ac_ct_AR
   fi
-else
-  AR="$ac_cv_prog_AR"
 fi
 
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
+: ${AR=ar}
+: ${AR_FLAGS=cru}
 
 
 
@@ -8988,12 +10066,70 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru
 
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for archiver @FILE support" >&5
+$as_echo_n "checking for archiver @FILE support... " >&6; }
+if ${lt_cv_ar_at_file+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ar_at_file=no
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  echo conftest.$ac_objext > conftest.lst
+      lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&5'
+      { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+  (eval $lt_ar_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+      if test "$ac_status" -eq 0; then
+	# Ensure the archiver fails upon bogus file names.
+	rm -f conftest.$ac_objext libconftest.a
+	{ { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5
+  (eval $lt_ar_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+	if test "$ac_status" -ne 0; then
+          lt_cv_ar_at_file=@
+        fi
+      fi
+      rm -f conftest.* libconftest.a
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ar_at_file" >&5
+$as_echo "$lt_cv_ar_at_file" >&6; }
+
+if test "x$lt_cv_ar_at_file" = xno; then
+  archiver_list_spec=
+else
+  archiver_list_spec=$lt_cv_ar_at_file
+fi
+
+
+
+
+
+
+
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
 set dummy ${ac_tool_prefix}strip; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_STRIP+set}" = set; then :
+if ${ac_cv_prog_STRIP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$STRIP"; then
@@ -9005,7 +10141,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9033,7 +10169,7 @@ if test -z "$ac_cv_prog_STRIP"; then
 set dummy strip; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then :
+if ${ac_cv_prog_ac_ct_STRIP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_STRIP"; then
@@ -9045,7 +10181,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_STRIP="strip"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9092,7 +10228,7 @@ if test -n "$ac_tool_prefix"; then
 set dummy ${ac_tool_prefix}ranlib; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RANLIB+set}" = set; then :
+if ${ac_cv_prog_RANLIB+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$RANLIB"; then
@@ -9104,7 +10240,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9132,7 +10268,7 @@ if test -z "$ac_cv_prog_RANLIB"; then
 set dummy ranlib; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then :
+if ${ac_cv_prog_ac_ct_RANLIB+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_RANLIB"; then
@@ -9144,7 +10280,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_RANLIB="ranlib"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9194,15 +10330,27 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 
+case $host_os in
+  darwin*)
+    lock_old_archive_extraction=yes ;;
+  *)
+    lock_old_archive_extraction=no ;;
+esac
+
+
+
+
+
+
 
 
 
@@ -9249,7 +10397,7 @@ compiler=$CC
 # Check for command to grab the raw symbol name followed by C symbol from nm.
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5
 $as_echo_n "checking command to parse $NM output from $compiler object... " >&6; }
-if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then :
+if ${lt_cv_sys_global_symbol_pipe+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -9310,8 +10458,8 @@ esac
 lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
 
 # Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\)[ ]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\)[ ]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
 
 # Handle CRLF in mingw tool chain
 opt_cr=
@@ -9335,6 +10483,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK '"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -9347,6 +10496,7 @@ for ac_symprfx in "" "_"; do
   else
     lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[	 ]\($symcode$symcode*\)[	 ][	 ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
   fi
+  lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
 
   # Check to see that the pipe works correctly.
   pipe_works=no
@@ -9372,8 +10522,8 @@ _LT_EOF
   test $ac_status = 0; }; then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\""; } >&5
-  (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
+    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
+  (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; } && test -s "$nlist"; then
@@ -9388,6 +10538,18 @@ _LT_EOF
       if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
 	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
 	  cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data.  */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -9399,7 +10561,7 @@ _LT_EOF
 	  cat <<_LT_EOF >> conftest.$ac_ext
 
 /* The mapping between symbol names and symbols.  */
-const struct {
+LT_DLSYM_CONST struct {
   const char *name;
   void       *address;
 }
@@ -9425,8 +10587,8 @@ static const void *lt_preloaded_setup() {
 _LT_EOF
 	  # Now try linking the two files.
 	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
+	  lt_globsym_save_LIBS=$LIBS
+	  lt_globsym_save_CFLAGS=$CFLAGS
 	  LIBS="conftstm.$ac_objext"
 	  CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
 	  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5
@@ -9436,8 +10598,8 @@ _LT_EOF
   test $ac_status = 0; } && test -s conftest${ac_exeext}; then
 	    pipe_works=yes
 	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
+	  LIBS=$lt_globsym_save_LIBS
+	  CFLAGS=$lt_globsym_save_CFLAGS
 	else
 	  echo "cannot find nm_test_func in $nlist" >&5
 	fi
@@ -9474,6 +10636,16 @@ else
 $as_echo "ok" >&6; }
 fi
 
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[@]FILE' >/dev/null; then
+  nm_file_list_spec='@'
+fi
+
+
+
+
 
 
 
@@ -9495,6 +10667,45 @@ fi
 
 
 
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sysroot" >&5
+$as_echo_n "checking for sysroot... " >&6; }
+
+# Check whether --with-sysroot was given.
+if test "${with_sysroot+set}" = set; then :
+  withval=$with_sysroot;
+else
+  with_sysroot=no
+fi
+
+
+lt_sysroot=
+case ${with_sysroot} in #(
+ yes)
+   if test "$GCC" = yes; then
+     lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+   fi
+   ;; #(
+ /*)
+   lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+   ;; #(
+ no|'')
+   ;; #(
+ *)
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${with_sysroot}" >&5
+$as_echo "${with_sysroot}" >&6; }
+   as_fn_error $? "The sysroot must be an absolute path." "$LINENO" 5
+   ;;
+esac
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${lt_sysroot:-no}" >&5
+$as_echo "${lt_sysroot:-no}" >&6; }
+
+
+
+
+
 # Check whether --enable-libtool-lock was given.
 if test "${enable_libtool_lock+set}" = set; then :
   enableval=$enable_libtool_lock;
@@ -9526,7 +10737,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 9529 "configure"' > conftest.$ac_ext
+  echo '#line '$LINENO' "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9577,7 +10788,14 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
 	    LD="${LD-ld} -m elf_i386_fbsd"
 	    ;;
 	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_i386"
+	    case `/usr/bin/file conftest.o` in
+	      *x86-64*)
+		LD="${LD-ld} -m elf32_x86_64"
+		;;
+	      *)
+		LD="${LD-ld} -m elf_i386"
+		;;
+	    esac
 	    ;;
 	  ppc64-*linux*|powerpc64-*linux*)
 	    LD="${LD-ld} -m elf32ppclinux"
@@ -9620,7 +10838,7 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
   CFLAGS="$CFLAGS -belf"
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5
 $as_echo_n "checking whether the C compiler needs -belf... " >&6; }
-if test "${lt_cv_cc_needs_belf+set}" = set; then :
+if ${lt_cv_cc_needs_belf+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_ext=c
@@ -9661,7 +10879,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; }
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
@@ -9672,7 +10890,20 @@ sparc*-*solaris*)
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -9688,6 +10919,123 @@ esac
 
 need_locks="$enable_libtool_lock"
 
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}mt", so it can be a program name with args.
+set dummy ${ac_tool_prefix}mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_MANIFEST_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$MANIFEST_TOOL"; then
+  ac_cv_prog_MANIFEST_TOOL="$MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+MANIFEST_TOOL=$ac_cv_prog_MANIFEST_TOOL
+if test -n "$MANIFEST_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANIFEST_TOOL" >&5
+$as_echo "$MANIFEST_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_MANIFEST_TOOL"; then
+  ac_ct_MANIFEST_TOOL=$MANIFEST_TOOL
+  # Extract the first word of "mt", so it can be a program name with args.
+set dummy mt; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_MANIFEST_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$ac_ct_MANIFEST_TOOL"; then
+  ac_cv_prog_ac_ct_MANIFEST_TOOL="$ac_ct_MANIFEST_TOOL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_ac_ct_MANIFEST_TOOL="mt"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_MANIFEST_TOOL=$ac_cv_prog_ac_ct_MANIFEST_TOOL
+if test -n "$ac_ct_MANIFEST_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_MANIFEST_TOOL" >&5
+$as_echo "$ac_ct_MANIFEST_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_ct_MANIFEST_TOOL" = x; then
+    MANIFEST_TOOL=":"
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    MANIFEST_TOOL=$ac_ct_MANIFEST_TOOL
+  fi
+else
+  MANIFEST_TOOL="$ac_cv_prog_MANIFEST_TOOL"
+fi
+
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $MANIFEST_TOOL is a manifest tool" >&5
+$as_echo_n "checking if $MANIFEST_TOOL is a manifest tool... " >&6; }
+if ${lt_cv_path_mainfest_tool+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_path_mainfest_tool=no
+  echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&5
+  $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+  cat conftest.err >&5
+  if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+    lt_cv_path_mainfest_tool=yes
+  fi
+  rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_mainfest_tool" >&5
+$as_echo "$lt_cv_path_mainfest_tool" >&6; }
+if test "x$lt_cv_path_mainfest_tool" != xyes; then
+  MANIFEST_TOOL=:
+fi
+
+
+
+
+
 
   case $host_os in
     rhapsody* | darwin*)
@@ -9696,7 +11044,7 @@ need_locks="$enable_libtool_lock"
 set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_DSYMUTIL+set}" = set; then :
+if ${ac_cv_prog_DSYMUTIL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$DSYMUTIL"; then
@@ -9708,7 +11056,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9736,7 +11084,7 @@ if test -z "$ac_cv_prog_DSYMUTIL"; then
 set dummy dsymutil; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then :
+if ${ac_cv_prog_ac_ct_DSYMUTIL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_DSYMUTIL"; then
@@ -9748,7 +11096,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9788,7 +11136,7 @@ fi
 set dummy ${ac_tool_prefix}nmedit; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_NMEDIT+set}" = set; then :
+if ${ac_cv_prog_NMEDIT+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$NMEDIT"; then
@@ -9800,7 +11148,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9828,7 +11176,7 @@ if test -z "$ac_cv_prog_NMEDIT"; then
 set dummy nmedit; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then :
+if ${ac_cv_prog_ac_ct_NMEDIT+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_NMEDIT"; then
@@ -9840,7 +11188,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_NMEDIT="nmedit"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9880,7 +11228,7 @@ fi
 set dummy ${ac_tool_prefix}lipo; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LIPO+set}" = set; then :
+if ${ac_cv_prog_LIPO+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$LIPO"; then
@@ -9892,7 +11240,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_LIPO="${ac_tool_prefix}lipo"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9920,7 +11268,7 @@ if test -z "$ac_cv_prog_LIPO"; then
 set dummy lipo; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then :
+if ${ac_cv_prog_ac_ct_LIPO+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_LIPO"; then
@@ -9932,7 +11280,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_LIPO="lipo"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -9972,7 +11320,7 @@ fi
 set dummy ${ac_tool_prefix}otool; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL+set}" = set; then :
+if ${ac_cv_prog_OTOOL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL"; then
@@ -9984,7 +11332,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OTOOL="${ac_tool_prefix}otool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10012,7 +11360,7 @@ if test -z "$ac_cv_prog_OTOOL"; then
 set dummy otool; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OTOOL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL"; then
@@ -10024,7 +11372,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OTOOL="otool"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10064,7 +11412,7 @@ fi
 set dummy ${ac_tool_prefix}otool64; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_OTOOL64+set}" = set; then :
+if ${ac_cv_prog_OTOOL64+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$OTOOL64"; then
@@ -10076,7 +11424,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10104,7 +11452,7 @@ if test -z "$ac_cv_prog_OTOOL64"; then
 set dummy otool64; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then :
+if ${ac_cv_prog_ac_ct_OTOOL64+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$ac_ct_OTOOL64"; then
@@ -10116,7 +11464,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_ac_ct_OTOOL64="otool64"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -10179,7 +11527,7 @@ fi
 
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5
 $as_echo_n "checking for -single_module linker flag... " >&6; }
-if test "${lt_cv_apple_cc_single_mod+set}" = set; then :
+if ${lt_cv_apple_cc_single_mod+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_apple_cc_single_mod=no
@@ -10195,7 +11543,13 @@ else
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&5
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&5
@@ -10206,9 +11560,10 @@ else
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
 $as_echo "$lt_cv_apple_cc_single_mod" >&6; }
+
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
-if test "${lt_cv_ld_exported_symbols_list+set}" = set; then :
+if ${lt_cv_ld_exported_symbols_list+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_ld_exported_symbols_list=no
@@ -10238,6 +11593,41 @@ rm -f core conftest.err conftest.$ac_objext \
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5
+$as_echo_n "checking for -force_load linker flag... " >&6; }
+if ${lt_cv_ld_force_load+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_ld_force_load=no
+      cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5
+      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5
+      echo "$AR cru libconftest.a conftest.o" >&5
+      $AR cru libconftest.a conftest.o 2>&5
+      echo "$RANLIB libconftest.a" >&5
+      $RANLIB libconftest.a 2>&5
+      cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5
+      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+      _lt_result=$?
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&5
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
+	lt_cv_ld_force_load=yes
+      else
+	cat conftest.err >&5
+      fi
+        rm -f conftest.err libconftest.a conftest conftest.c
+        rm -rf conftest.dSYM
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_force_load" >&5
+$as_echo "$lt_cv_ld_force_load" >&6; }
     case $host_os in
     rhapsody* | darwin1.[012])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -10265,7 +11655,7 @@ $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
     else
       _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
     fi
-    if test "$DSYMUTIL" != ":"; then
+    if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then
       _lt_dsymutil='~$DSYMUTIL $lib || :'
     else
       _lt_dsymutil=
@@ -10277,7 +11667,7 @@ for ac_header in dlfcn.h
 do :
   ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default
 "
-if test "x$ac_cv_header_dlfcn_h" = x""yes; then :
+if test "x$ac_cv_header_dlfcn_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_DLFCN_H 1
 _ACEOF
@@ -10288,6 +11678,8 @@ done
 
 
 
+
+
 # Set options
 
 
@@ -10363,7 +11755,22 @@ fi
 
 # Check whether --with-pic was given.
 if test "${with_pic+set}" = set; then :
-  withval=$with_pic; pic_mode="$withval"
+  withval=$with_pic; lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
 else
   pic_mode=default
 fi
@@ -10440,6 +11847,11 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 
 
 
+
+
+
+
+
 test -z "$LN_S" && LN_S="ln -s"
 
 
@@ -10461,7 +11873,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5
 $as_echo_n "checking for objdir... " >&6; }
-if test "${lt_cv_objdir+set}" = set; then :
+if ${lt_cv_objdir+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   rm -f .libs 2>/dev/null
@@ -10489,19 +11901,6 @@ _ACEOF
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
 case $host_os in
 aix3*)
   # AIX sometimes has problems with the GCC collect2 program.  For some
@@ -10514,23 +11913,6 @@ aix3*)
   ;;
 esac
 
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\(["`\\]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
 # Global variables:
 ofile=libtool
 can_build_shared=yes
@@ -10559,7 +11941,7 @@ for cc_temp in $compiler""; do
     *) break;;
   esac
 done
-cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
 
 
 # Only perform the check for file, if the check method requires it
@@ -10569,7 +11951,7 @@ file_magic*)
   if test "$file_magic_cmd" = '$MAGIC_CMD'; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5
 $as_echo_n "checking for ${ac_tool_prefix}file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
@@ -10635,7 +12017,7 @@ if test -z "$lt_cv_path_MAGIC_CMD"; then
   if test -n "$ac_tool_prefix"; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5
 $as_echo_n "checking for file... " >&6; }
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then :
+if ${lt_cv_path_MAGIC_CMD+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $MAGIC_CMD in
@@ -10768,11 +12150,16 @@ if test -n "$compiler"; then
 lt_prog_compiler_no_builtin_flag=
 
 if test "$GCC" = yes; then
-  lt_prog_compiler_no_builtin_flag=' -fno-builtin'
+  case $cc_basename in
+  nvcc*)
+    lt_prog_compiler_no_builtin_flag=' -Xcompiler -fno-builtin' ;;
+  *)
+    lt_prog_compiler_no_builtin_flag=' -fno-builtin' ;;
+  esac
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then :
+if ${lt_cv_prog_compiler_rtti_exceptions+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_rtti_exceptions=no
@@ -10788,15 +12175,15 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10791: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10795: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
      $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
      if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_rtti_exceptions=yes
@@ -10825,8 +12212,6 @@ fi
 lt_prog_compiler_pic=
 lt_prog_compiler_static=
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
-$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl='-Wl,'
@@ -10874,6 +12259,12 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_pic='-fno-common'
       ;;
 
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      lt_prog_compiler_static=
+      ;;
+
     hpux*)
       # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
       # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
@@ -10916,6 +12307,15 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_pic='-fPIC'
       ;;
     esac
+
+    case $cc_basename in
+    nvcc*) # Cuda Compiler Driver 2.2
+      lt_prog_compiler_wl='-Xlinker '
+      if test -n "$lt_prog_compiler_pic"; then
+        lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic"
+      fi
+      ;;
+    esac
   else
     # PORTME Check for flag to pass linker flags through the system compiler.
     case $host_os in
@@ -10957,7 +12357,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_static='-non_shared'
       ;;
 
-    linux* | k*bsd*-gnu | kopensolaris*-gnu)
+    linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
       case $cc_basename in
       # old Intel for x86_64 which still supported -KPIC.
       ecc*)
@@ -10978,7 +12378,13 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
 	lt_prog_compiler_pic='--shared'
 	lt_prog_compiler_static='--static'
 	;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
+      nagfor*)
+	# NAG Fortran compiler
+	lt_prog_compiler_wl='-Wl,-Wl,,'
+	lt_prog_compiler_pic='-PIC'
+	lt_prog_compiler_static='-Bstatic'
+	;;
+      pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
         # Portland Group compilers (*not* the Pentium gcc compiler,
 	# which looks to be a dead project)
 	lt_prog_compiler_wl='-Wl,'
@@ -10990,25 +12396,40 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
         # All Alpha code is PIC.
         lt_prog_compiler_static='-non_shared'
         ;;
-      xl*)
-	# IBM XL C 8.0/Fortran 10.1 on PPC
+      xl* | bgxl* | bgf* | mpixl*)
+	# IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
 	lt_prog_compiler_wl='-Wl,'
 	lt_prog_compiler_pic='-qpic'
 	lt_prog_compiler_static='-qstaticlink'
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl=''
+	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl='-Wl,'
 	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  lt_prog_compiler_pic='-KPIC'
+        *Intel*\ [CF]*Compiler*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fPIC'
+	  lt_prog_compiler_static='-static'
+	  ;;
+	*Portland\ Group*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fpic'
 	  lt_prog_compiler_static='-Bstatic'
-	  lt_prog_compiler_wl=''
 	  ;;
 	esac
 	;;
@@ -11040,7 +12461,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
       lt_prog_compiler_pic='-KPIC'
       lt_prog_compiler_static='-Bstatic'
       case $cc_basename in
-      f77* | f90* | f95*)
+      f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
 	lt_prog_compiler_wl='-Qoption ld ';;
       *)
 	lt_prog_compiler_wl='-Wl,';;
@@ -11097,13 +12518,17 @@ case $host_os in
     lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
     ;;
 esac
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_prog_compiler_pic" >&5
-$as_echo "$lt_prog_compiler_pic" >&6; }
-
-
-
-
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5
+$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+if ${lt_cv_prog_compiler_pic+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler_pic=$lt_prog_compiler_pic
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic" >&5
+$as_echo "$lt_cv_prog_compiler_pic" >&6; }
+lt_prog_compiler_pic=$lt_cv_prog_compiler_pic
 
 #
 # Check to make sure the PIC flag actually works.
@@ -11111,7 +12536,7 @@ $as_echo "$lt_prog_compiler_pic" >&6; }
 if test -n "$lt_prog_compiler_pic"; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
 $as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; }
-if test "${lt_cv_prog_compiler_pic_works+set}" = set; then :
+if ${lt_cv_prog_compiler_pic_works+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_pic_works=no
@@ -11127,15 +12552,15 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11130: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:11134: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
      $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
      if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_pic_works=yes
@@ -11164,13 +12589,18 @@ fi
 
 
 
+
+
+
+
+
 #
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5
 $as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
-if test "${lt_cv_prog_compiler_static_works+set}" = set; then :
+if ${lt_cv_prog_compiler_static_works+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_static_works=no
@@ -11183,7 +12613,7 @@ else
      if test -s conftest.err; then
        # Append any errors to the config.log.
        cat conftest.err 1>&5
-       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
        $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
        if diff conftest.exp conftest.er2 >/dev/null; then
          lt_cv_prog_compiler_static_works=yes
@@ -11213,7 +12643,7 @@ fi
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
+if ${lt_cv_prog_compiler_c_o+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
@@ -11232,16 +12662,16 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11235: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:11239: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
      $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
      if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o=yes
@@ -11268,7 +12698,7 @@ $as_echo "$lt_cv_prog_compiler_c_o" >&6; }
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5
 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then :
+if ${lt_cv_prog_compiler_c_o+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   lt_cv_prog_compiler_c_o=no
@@ -11287,16 +12717,16 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11290: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:11294: \$? = $ac_status" >&5
+   echo "$as_me:$LINENO: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
      $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
      if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        lt_cv_prog_compiler_c_o=yes
@@ -11362,7 +12792,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   hardcode_direct=no
   hardcode_direct_absolute=no
   hardcode_libdir_flag_spec=
-  hardcode_libdir_flag_spec_ld=
   hardcode_libdir_separator=
   hardcode_minus_L=no
   hardcode_shlibpath_var=unsupported
@@ -11406,13 +12835,39 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   openbsd*)
     with_gnu_ld=no
     ;;
-  linux* | k*bsd*-gnu)
+  linux* | k*bsd*-gnu | gnu*)
     link_all_deplibs=no
     ;;
   esac
 
   ld_shlibs=yes
+
+  # On some targets, GNU ld is compatible enough with the native linker
+  # that we're better off using the native interface for both.
+  lt_use_gnu_ld_interface=no
   if test "$with_gnu_ld" = yes; then
+    case $host_os in
+      aix*)
+	# The AIX port of GNU ld has always aspired to compatibility
+	# with the native linker.  However, as the warning in the GNU ld
+	# block says, versions before 2.19.5* couldn't really create working
+	# shared libraries, regardless of the interface used.
+	case `$LD -v 2>&1` in
+	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+	  *\ \(GNU\ Binutils\)\ 2.[2-9]*) ;;
+	  *\ \(GNU\ Binutils\)\ [3-9]*) ;;
+	  *)
+	    lt_use_gnu_ld_interface=yes
+	    ;;
+	esac
+	;;
+      *)
+	lt_use_gnu_ld_interface=yes
+	;;
+    esac
+  fi
+
+  if test "$lt_use_gnu_ld_interface" = yes; then
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
@@ -11446,11 +12901,12 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
 	ld_shlibs=no
 	cat <<_LT_EOF 1>&2
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** Warning: the GNU linker, at least up to release 2.19, is reported
 *** to be unable to reliably create shared libraries on AIX.
 *** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
 
 _LT_EOF
       fi
@@ -11486,10 +12942,12 @@ _LT_EOF
       # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
       # as there is no search path for DLLs.
       hardcode_libdir_flag_spec='-L$libdir'
+      export_dynamic_flag_spec='${wl}--export-all-symbols'
       allow_undefined_flag=unsupported
       always_export_symbols=no
       enable_shared_with_static_runtimes=yes
-      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.* //'\'' | sort | uniq > $export_symbols'
+      exclude_expsyms='[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'
 
       if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
         archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -11507,6 +12965,11 @@ _LT_EOF
       fi
       ;;
 
+    haiku*)
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      link_all_deplibs=yes
+      ;;
+
     interix[3-9]*)
       hardcode_direct=no
       hardcode_shlibpath_var=no
@@ -11532,15 +12995,16 @@ _LT_EOF
       if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
 	 && test "$tmp_diet" = no
       then
-	tmp_addflag=
+	tmp_addflag=' $pic_flag'
 	tmp_sharedflag='-shared'
 	case $cc_basename,$host_cpu in
         pgcc*)				# Portland Group C compiler
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag'
 	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	pgf77* | pgf90* | pgf95* | pgfortran*)
+					# Portland Group f77 and f90 compilers
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag -Mnomain' ;;
 	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
 	  tmp_addflag=' -i_dynamic' ;;
@@ -11551,13 +13015,17 @@ _LT_EOF
 	lf95*)				# Lahey Fortran 8.1
 	  whole_archive_flag_spec=
 	  tmp_sharedflag='--shared' ;;
-	xl[cC]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
+	xl[cC]* | bgxl[cC]* | mpixl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below)
 	  tmp_sharedflag='-qmkshrobj'
 	  tmp_addflag= ;;
+	nvcc*)	# Cuda Compiler Driver 2.2
+	  whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
+	  compiler_needs_object=yes
+	  ;;
 	esac
 	case `$CC -V 2>&1 | sed 5q` in
 	*Sun\ C*)			# Sun C 5.9
-	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  compiler_needs_object=yes
 	  tmp_sharedflag='-G' ;;
 	*Sun\ F*)			# Sun Fortran 8.3
@@ -11573,17 +13041,16 @@ _LT_EOF
         fi
 
 	case $cc_basename in
-	xlf*)
+	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
-	  hardcode_libdir_flag_spec=
-	  hardcode_libdir_flag_spec_ld='-rpath $libdir'
-	  archive_cmds='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+	  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+	  archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
 	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
 	      echo "local: *; };" >> $output_objdir/$libname.ver~
-	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	      $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
 	  fi
 	  ;;
 	esac
@@ -11597,8 +13064,8 @@ _LT_EOF
 	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
       else
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       fi
       ;;
 
@@ -11616,8 +13083,8 @@ _LT_EOF
 
 _LT_EOF
       elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	ld_shlibs=no
       fi
@@ -11663,8 +13130,8 @@ _LT_EOF
 
     *)
       if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	ld_shlibs=no
       fi
@@ -11704,8 +13171,10 @@ _LT_EOF
       else
 	# If we're using GNU nm, then we don't want the "-C" option.
 	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	# Also, AIX nm treats weak defined symbols like other global
+	# defined symbols, whereas GNU nm marks them as "W".
 	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	  export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	else
 	  export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	fi
@@ -11793,7 +13262,13 @@ _LT_EOF
 	allow_undefined_flag='-berok'
         # Determine the default libpath from the value encoded in an
         # empty executable.
-        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+        if test "${lt_cv_aix_libpath+set}" = set; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  if ${lt_cv_aix_libpath_+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -11806,25 +13281,32 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+  lt_aix_libpath_sed='
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }'
+  lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_="/usr/lib:/lib"
+  fi
+
+fi
+
+  aix_libpath=$lt_cv_aix_libpath_
+fi
 
         hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-        archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+        archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
       else
 	if test "$host_cpu" = ia64; then
 	  hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
@@ -11833,7 +13315,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	else
 	 # Determine the default libpath from the value encoded in an
 	 # empty executable.
-	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	 if test "${lt_cv_aix_libpath+set}" = set; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  if ${lt_cv_aix_libpath_+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -11846,30 +13334,42 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi
+  lt_aix_libpath_sed='
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }'
+  lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+  if test -z "$lt_cv_aix_libpath_"; then
+    lt_cv_aix_libpath_="/usr/lib:/lib"
+  fi
+
+fi
+
+  aix_libpath=$lt_cv_aix_libpath_
+fi
 
 	 hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
 	  # Warning - without using the other run time loading flags,
 	  # -berok will link without error, but may produce a broken library.
 	  no_undefined_flag=' ${wl}-bernotok'
 	  allow_undefined_flag=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  whole_archive_flag_spec='$convenience'
+	  if test "$with_gnu_ld" = yes; then
+	    # We only use this code for GNU lds that support --whole-archive.
+	    whole_archive_flag_spec='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	  else
+	    # Exported symbols can be pulled into shared objects from archives
+	    whole_archive_flag_spec='$convenience'
+	  fi
 	  archive_cmds_need_lc=yes
 	  # This is similar to how AIX traditionally builds its shared libraries.
 	  archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
@@ -11901,20 +13401,64 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
       # no search path for DLLs.
-      hardcode_libdir_flag_spec=' '
-      allow_undefined_flag=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      archive_cmds='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      old_archive_from_new_cmds='true'
-      # FIXME: Should let the user specify the lib program.
-      old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
-      enable_shared_with_static_runtimes=yes
+      case $cc_basename in
+      cl*)
+	# Native MSVC
+	hardcode_libdir_flag_spec=' '
+	allow_undefined_flag=unsupported
+	always_export_symbols=yes
+	file_list_spec='@'
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	archive_cmds='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+	archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	    sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+	  else
+	    sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+	  fi~
+	  $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+	  linknames='
+	# The linker will not automatically build a static lib if we build a DLL.
+	# _LT_TAGVAR(old_archive_from_new_cmds, )='true'
+	enable_shared_with_static_runtimes=yes
+	exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+	export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
+	# Don't use ranlib
+	old_postinstall_cmds='chmod 644 $oldlib'
+	postlink_cmds='lt_outputfile="@OUTPUT@"~
+	  lt_tool_outputfile="@TOOL_OUTPUT@"~
+	  case $lt_outputfile in
+	    *.exe|*.EXE) ;;
+	    *)
+	      lt_outputfile="$lt_outputfile.exe"
+	      lt_tool_outputfile="$lt_tool_outputfile.exe"
+	      ;;
+	  esac~
+	  if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+	    $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+	    $RM "$lt_outputfile.manifest";
+	  fi'
+	;;
+      *)
+	# Assume MSVC wrapper
+	hardcode_libdir_flag_spec=' '
+	allow_undefined_flag=unsupported
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	archive_cmds='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+	# The linker will automatically build a .lib file if we build a DLL.
+	old_archive_from_new_cmds='true'
+	# FIXME: Should let the user specify the lib program.
+	old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
+	enable_shared_with_static_runtimes=yes
+	;;
+      esac
       ;;
 
     darwin* | rhapsody*)
@@ -11924,7 +13468,12 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
   hardcode_direct=no
   hardcode_automatic=yes
   hardcode_shlibpath_var=unsupported
-  whole_archive_flag_spec=''
+  if test "$lt_cv_ld_force_load" = "yes"; then
+    whole_archive_flag_spec='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+
+  else
+    whole_archive_flag_spec=''
+  fi
   link_all_deplibs=yes
   allow_undefined_flag="$_lt_dar_allow_undefined"
   case $cc_basename in
@@ -11932,7 +13481,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
      *) _lt_dar_can_shared=$GCC ;;
   esac
   if test "$_lt_dar_can_shared" = "yes"; then
-    output_verbose_link_cmd=echo
+    output_verbose_link_cmd=func_echo_all
     archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
     module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
     archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
@@ -11950,10 +13499,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var=no
       ;;
 
-    freebsd1*)
-      ld_shlibs=no
-      ;;
-
     # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
     # support.  Future versions do this automatically, but an explicit c++rt0.o
     # does not break anything, and helps significantly (at the cost of a little
@@ -11966,7 +13511,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
+    freebsd2.*)
       archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       hardcode_direct=yes
       hardcode_minus_L=yes
@@ -11975,7 +13520,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
     freebsd* | dragonfly*)
-      archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec='-R$libdir'
       hardcode_direct=yes
       hardcode_shlibpath_var=no
@@ -11983,7 +13528,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
     hpux9*)
       if test "$GCC" = yes; then
-	archive_cmds='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+	archive_cmds='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       else
 	archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       fi
@@ -11998,14 +13543,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
+	archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
       else
 	archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
       fi
       if test "$with_gnu_ld" = no; then
 	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_flag_spec_ld='+b $libdir'
 	hardcode_libdir_separator=:
 	hardcode_direct=yes
 	hardcode_direct_absolute=yes
@@ -12017,16 +13561,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
 	case $host_cpu in
 	hppa*64*)
 	  archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	ia64*)
-	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
@@ -12038,7 +13582,46 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+
+	  # Older versions of the 11.00 compiler do not understand -b yet
+	  # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+	  { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC understands -b" >&5
+$as_echo_n "checking if $CC understands -b... " >&6; }
+if ${lt_cv_prog_compiler__b+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_prog_compiler__b=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS -b"
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The linker can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&5
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         lt_cv_prog_compiler__b=yes
+       fi
+     else
+       lt_cv_prog_compiler__b=yes
+     fi
+   fi
+   $RM -r conftest*
+   LDFLAGS="$save_LDFLAGS"
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler__b" >&5
+$as_echo "$lt_cv_prog_compiler__b" >&6; }
+
+if test x"$lt_cv_prog_compiler__b" = xyes; then
+    archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+else
+    archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+fi
+
 	  ;;
 	esac
       fi
@@ -12066,26 +13649,39 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 
     irix5* | irix6* | nonstopux*)
       if test "$GCC" = yes; then
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	# Try to use the -exported_symbol ld option, if it does not
 	# work, assume that -exports_file does not work either and
 	# implicitly export all symbols.
-        save_LDFLAGS="$LDFLAGS"
-        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
-        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	# This should be the same for all languages, so no per-tag cache variable.
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $host_os linker accepts -exported_symbol" >&5
+$as_echo_n "checking whether the $host_os linker accepts -exported_symbol... " >&6; }
+if ${lt_cv_irix_exported_symbol+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  save_LDFLAGS="$LDFLAGS"
+	   LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+	   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-int foo(void) {}
+int foo (void) { return 0; }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
-
+  lt_cv_irix_exported_symbol=yes
+else
+  lt_cv_irix_exported_symbol=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-        LDFLAGS="$save_LDFLAGS"
+           LDFLAGS="$save_LDFLAGS"
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_irix_exported_symbol" >&5
+$as_echo "$lt_cv_irix_exported_symbol" >&6; }
+	if test "$lt_cv_irix_exported_symbol" = yes; then
+          archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+	fi
       else
-	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
       fi
       archive_cmds_need_lc='no'
       hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
@@ -12147,17 +13743,17 @@ rm -f core conftest.err conftest.$ac_objext \
       hardcode_libdir_flag_spec='-L$libdir'
       hardcode_minus_L=yes
       allow_undefined_flag=unsupported
-      archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
       old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
       ;;
 
     osf3*)
       if test "$GCC" = yes; then
 	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
       else
 	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
       fi
       archive_cmds_need_lc='no'
       hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
@@ -12167,13 +13763,13 @@ rm -f core conftest.err conftest.$ac_objext \
     osf4* | osf5*)	# as osf3* with the addition of -msym flag
       if test "$GCC" = yes; then
 	allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
       else
 	allow_undefined_flag=' -expect_unresolved \*'
-	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
-	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
+	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	hardcode_libdir_flag_spec='-rpath $libdir'
@@ -12186,9 +13782,9 @@ rm -f core conftest.err conftest.$ac_objext \
       no_undefined_flag=' -z defs'
       if test "$GCC" = yes; then
 	wlarc='${wl}'
-	archive_cmds='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	archive_cmds='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
       else
 	case `$CC -V 2>&1` in
 	*"Compilers 5.0"*)
@@ -12376,44 +13972,50 @@ x|xyes)
       # to ld, don't add -lc before -lgcc.
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5
 $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
-      $RM conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+if ${lt_cv_archive_cmds_need_lc+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  $RM conftest*
+	echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
-      if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
+	if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; } 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$lt_prog_compiler_wl
-	pic_flag=$lt_prog_compiler_pic
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$allow_undefined_flag
-        allow_undefined_flag=
-        if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
+	  soname=conftest
+	  lib=conftest
+	  libobjs=conftest.$ac_objext
+	  deplibs=
+	  wl=$lt_prog_compiler_wl
+	  pic_flag=$lt_prog_compiler_pic
+	  compiler_flags=-v
+	  linker_flags=-v
+	  verstring=
+	  output_objdir=.
+	  libname=conftest
+	  lt_save_allow_undefined_flag=$allow_undefined_flag
+	  allow_undefined_flag=
+	  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5
   (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
-        then
-	  archive_cmds_need_lc=no
-        else
-	  archive_cmds_need_lc=yes
-        fi
-        allow_undefined_flag=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $RM conftest*
-      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $archive_cmds_need_lc" >&5
-$as_echo "$archive_cmds_need_lc" >&6; }
+	  then
+	    lt_cv_archive_cmds_need_lc=no
+	  else
+	    lt_cv_archive_cmds_need_lc=yes
+	  fi
+	  allow_undefined_flag=$lt_save_allow_undefined_flag
+	else
+	  cat conftest.err 1>&5
+	fi
+	$RM conftest*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_archive_cmds_need_lc" >&5
+$as_echo "$lt_cv_archive_cmds_need_lc" >&6; }
+      archive_cmds_need_lc=$lt_cv_archive_cmds_need_lc
       ;;
     esac
   fi
@@ -12571,11 +14173,6 @@ esac
 
 
 
-
-
-
-
-
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5
 $as_echo_n "checking dynamic linker characteristics... " >&6; }
 
@@ -12584,16 +14181,23 @@ if test "$GCC" = yes; then
     darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
     *) lt_awk_arg="/^libraries:/" ;;
   esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+  case $host_os in
+    mingw* | cegcc*) lt_sed_strip_eq="s,=\([A-Za-z]:\),\1,g" ;;
+    *) lt_sed_strip_eq="s,=/,/,g" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+  case $lt_search_path_spec in
+  *\;*)
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+    ;;
+  *)
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+    ;;
+  esac
   # Ok, now we have the path, separated by spaces, we can step through it
   # and add multilib dir if necessary.
   lt_tmp_lt_search_path_spec=
@@ -12606,7 +14210,7 @@ if test "$GCC" = yes; then
 	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
     fi
   done
-  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+  lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
 BEGIN {RS=" "; FS="/|\n";} {
   lt_foo="";
   lt_count=0;
@@ -12626,7 +14230,13 @@ BEGIN {RS=" "; FS="/|\n";} {
   if (lt_foo != "") { lt_freq[lt_foo]++; }
   if (lt_freq[lt_foo] == 1) { print lt_foo; }
 }'`
-  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
+  # AWK program above erroneously prepends '/' to C:/dos/paths
+  # for these hosts.
+  case $host_os in
+    mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+      $SED 's,/\([A-Za-z]:\),\1,g'` ;;
+  esac
+  sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 fi
@@ -12652,7 +14262,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -12661,7 +14271,7 @@ aix3*)
   ;;
 
 aix[4-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -12714,7 +14324,7 @@ amigaos*)
   m68k)
     library_names_spec='$libname.ixlibrary $libname.a'
     # Create ${libname}_ixlibrary.a entries in /sys/libs.
-    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
     ;;
   esac
   ;;
@@ -12726,7 +14336,7 @@ beos*)
   ;;
 
 bsdi[45]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -12745,8 +14355,9 @@ cygwin* | mingw* | pw32* | cegcc*)
   need_version=no
   need_lib_prefix=no
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
+  case $GCC,$cc_basename in
+  yes,*)
+    # gcc
     library_names_spec='$libname.dll.a'
     # DLL is installed to $(libdir)/../bin by postinstall_cmds
     postinstall_cmds='base_file=`basename \${file}`~
@@ -12767,36 +14378,83 @@ cygwin* | mingw* | pw32* | cegcc*)
     cygwin*)
       # Cygwin DLLs use 'cyg' prefix rather than 'lib'
       soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+
+      sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"
       ;;
     mingw* | cegcc*)
       # MinGW DLLs use traditional 'lib' prefix
       soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
       library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
+    dynamic_linker='Win32 ld.exe'
+    ;;
+
+  *,cl*)
+    # Native MSVC
+    libname_spec='$name'
+    soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+    library_names_spec='${libname}.dll.lib'
+
+    case $build_os in
+    mingw*)
+      sys_lib_search_path_spec=
+      lt_save_ifs=$IFS
+      IFS=';'
+      for lt_path in $LIB
+      do
+        IFS=$lt_save_ifs
+        # Let DOS variable expansion print the short 8.3 style file name.
+        lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+        sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+      done
+      IFS=$lt_save_ifs
+      # Convert to MSYS style.
+      sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([a-zA-Z]\\):| /\\1|g' -e 's|^ ||'`
+      ;;
+    cygwin*)
+      # Convert to unix form, then to dos form, then back to unix form
+      # but this time dos style (no spaces!) so that the unix form looks
+      # like /cygdrive/c/PROGRA~1:/cygdr...
+      sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+      sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+      sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      ;;
+    *)
+      sys_lib_search_path_spec="$LIB"
+      if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then
+        # It is most probably a Windows format PATH.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      # FIXME: find the short name or the path components, as spaces are
+      # common. (e.g. "Program Files" -> "PROGRA~1")
+      ;;
+    esac
+
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+    dynamic_linker='Win32 link.exe'
     ;;
 
   *)
+    # Assume MSVC wrapper
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    dynamic_linker='Win32 ld.exe'
     ;;
   esac
-  dynamic_linker='Win32 ld.exe'
   # FIXME: first we should search . and the directory the executable is in
   shlibpath_var=PATH
   ;;
@@ -12817,7 +14475,7 @@ darwin* | rhapsody*)
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -12825,10 +14483,6 @@ dgux*)
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -12836,7 +14490,7 @@ freebsd* | dragonfly*)
     objformat=`/usr/bin/objformat`
   else
     case $host_os in
-    freebsd[123]*) objformat=aout ;;
+    freebsd[23].*) objformat=aout ;;
     *) objformat=elf ;;
     esac
   fi
@@ -12854,7 +14508,7 @@ freebsd* | dragonfly*)
   esac
   shlibpath_var=LD_LIBRARY_PATH
   case $host_os in
-  freebsd2*)
+  freebsd2.*)
     shlibpath_overrides_runpath=yes
     ;;
   freebsd3.[01]* | freebsdelf3.[01]*)
@@ -12873,13 +14527,16 @@ freebsd* | dragonfly*)
   esac
   ;;
 
-gnu*)
-  version_type=linux
+haiku*)
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
+  dynamic_linker="$host_os runtime_loader"
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_var=LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
   hardcode_into_libs=yes
   ;;
 
@@ -12925,12 +14582,14 @@ hpux9* | hpux10* | hpux11*)
     soname_spec='${libname}${release}${shared_ext}$major'
     ;;
   esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
   postinstall_cmds='chmod 555 $lib'
+  # or fails outright, so override atomically:
+  install_override_mode=555
   ;;
 
 interix[3-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -12946,7 +14605,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -12983,9 +14642,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -12993,12 +14652,17 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=no
+
   # Some binutils ld are patched to set DT_RUNPATH
-  save_LDFLAGS=$LDFLAGS
-  save_libdir=$libdir
-  eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
-       LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  if ${lt_cv_shlibpath_overrides_runpath+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  lt_cv_shlibpath_overrides_runpath=no
+    save_LDFLAGS=$LDFLAGS
+    save_libdir=$libdir
+    eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \
+	 LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\""
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
 int
@@ -13011,13 +14675,17 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
   if  ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then :
-  shlibpath_overrides_runpath=yes
+  lt_cv_shlibpath_overrides_runpath=yes
 fi
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-  LDFLAGS=$save_LDFLAGS
-  libdir=$save_libdir
+    LDFLAGS=$save_LDFLAGS
+    libdir=$save_libdir
+
+fi
+
+  shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
 
   # This implies no fast_install, which is unacceptable.
   # Some rework will be needed to allow for fast_install
@@ -13026,7 +14694,7 @@ rm -f core conftest.err conftest.$ac_objext \
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -13070,7 +14738,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -13139,7 +14807,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13164,7 +14832,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -13188,7 +14856,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -13219,7 +14887,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -13229,7 +14897,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -13341,6 +15009,11 @@ fi
 
 
 
+
+
+
+
+
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5
 $as_echo_n "checking how to hardcode library paths into programs... " >&6; }
 hardcode_action=
@@ -13413,7 +15086,7 @@ else
   # if libdl is installed we need to link against it
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
 $as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
+if ${ac_cv_lib_dl_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13447,7 +15120,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
 $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
 
@@ -13461,12 +15134,12 @@ fi
 
   *)
     ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load"
-if test "x$ac_cv_func_shl_load" = x""yes; then :
+if test "x$ac_cv_func_shl_load" = xyes; then :
   lt_cv_dlopen="shl_load"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5
 $as_echo_n "checking for shl_load in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then :
+if ${ac_cv_lib_dld_shl_load+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13500,16 +15173,16 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5
 $as_echo "$ac_cv_lib_dld_shl_load" >&6; }
-if test "x$ac_cv_lib_dld_shl_load" = x""yes; then :
+if test "x$ac_cv_lib_dld_shl_load" = xyes; then :
   lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
 else
   ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen"
-if test "x$ac_cv_func_dlopen" = x""yes; then :
+if test "x$ac_cv_func_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5
 $as_echo_n "checking for dlopen in -ldl... " >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then :
+if ${ac_cv_lib_dl_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13543,12 +15216,12 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5
 $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
-if test "x$ac_cv_lib_dl_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5
 $as_echo_n "checking for dlopen in -lsvld... " >&6; }
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then :
+if ${ac_cv_lib_svld_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13582,12 +15255,12 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5
 $as_echo "$ac_cv_lib_svld_dlopen" >&6; }
-if test "x$ac_cv_lib_svld_dlopen" = x""yes; then :
+if test "x$ac_cv_lib_svld_dlopen" = xyes; then :
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5
 $as_echo_n "checking for dld_link in -ldld... " >&6; }
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then :
+if ${ac_cv_lib_dld_dld_link+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -13621,7 +15294,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5
 $as_echo "$ac_cv_lib_dld_dld_link" >&6; }
-if test "x$ac_cv_lib_dld_dld_link" = x""yes; then :
+if test "x$ac_cv_lib_dld_dld_link" = xyes; then :
   lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
 fi
 
@@ -13662,7 +15335,7 @@ fi
 
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5
 $as_echo_n "checking whether a program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self+set}" = set; then :
+if ${lt_cv_dlopen_self+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
@@ -13671,7 +15344,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 13674 "configure"
+#line $LINENO "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13712,7 +15385,13 @@ else
 #  endif
 #endif
 
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
 int main ()
 {
   void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -13721,7 +15400,11 @@ int main ()
   if (self)
     {
       if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
       /* dlclose (self); */
     }
   else
@@ -13758,7 +15441,7 @@ $as_echo "$lt_cv_dlopen_self" >&6; }
       wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5
 $as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; }
-if test "${lt_cv_dlopen_self_static+set}" = set; then :
+if ${lt_cv_dlopen_self_static+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   	  if test "$cross_compiling" = yes; then :
@@ -13767,7 +15450,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 13770 "configure"
+#line $LINENO "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13808,7 +15491,13 @@ else
 #  endif
 #endif
 
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
 int main ()
 {
   void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -13817,7 +15506,11 @@ int main ()
   if (self)
     {
       if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
       /* dlclose (self); */
     }
   else
@@ -13986,6 +15679,8 @@ CC="$lt_save_CC"
 
 
 
+
+
         ac_config_commands="$ac_config_commands libtool"
 
 
@@ -13994,9 +15689,10 @@ CC="$lt_save_CC"
 # Only expand once:
 
 
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
 $as_echo_n "checking for egrep... " >&6; }
-if test "${ac_cv_path_EGREP+set}" = set; then :
+if ${ac_cv_path_EGREP+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
@@ -14013,7 +15709,7 @@ do
     for ac_prog in egrep; do
     for ac_exec_ext in '' $ac_executable_extensions; do
       ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+      as_fn_executable_p "$ac_path_EGREP" || continue
 # Check for GNU ac_path_EGREP and select it if it is found.
   # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
@@ -14067,7 +15763,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_AWK+set}" = set; then :
+if ${ac_cv_prog_AWK+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$AWK"; then
@@ -14079,7 +15775,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_AWK="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -14109,7 +15805,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_LEX+set}" = set; then :
+if ${ac_cv_prog_LEX+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$LEX"; then
@@ -14121,7 +15817,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_LEX="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -14153,7 +15849,8 @@ a { ECHO; }
 b { REJECT; }
 c { yymore (); }
 d { yyless (1); }
-e { yyless (input () != 0); }
+e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument.  */
+    yyless ((input () != 0)); }
 f { unput (yytext[0]); }
 . { BEGIN INITIAL; }
 %%
@@ -14179,7 +15876,7 @@ $as_echo "$ac_try_echo"; } >&5
   test $ac_status = 0; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex output file root" >&5
 $as_echo_n "checking lex output file root... " >&6; }
-if test "${ac_cv_prog_lex_root+set}" = set; then :
+if ${ac_cv_prog_lex_root+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -14198,7 +15895,7 @@ LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
 if test -z "${LEXLIB+set}"; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex library" >&5
 $as_echo_n "checking lex library... " >&6; }
-if test "${ac_cv_lib_lex+set}" = set; then :
+if ${ac_cv_lib_lex+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
@@ -14228,7 +15925,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether yytext is a pointer" >&5
 $as_echo_n "checking whether yytext is a pointer... " >&6; }
-if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then :
+if ${ac_cv_prog_lex_yytext_pointer+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   # POSIX says lex can declare yytext either as a pointer or an array; the
@@ -14239,7 +15936,8 @@ ac_save_LIBS=$LIBS
 LIBS="$LEXLIB $ac_save_LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#define YYTEXT_POINTER 1
+
+  #define YYTEXT_POINTER 1
 `cat $LEX_OUTPUT_ROOT.c`
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
@@ -14266,7 +15964,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_YACC+set}" = set; then :
+if ${ac_cv_prog_YACC+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$YACC"; then
@@ -14278,7 +15976,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_YACC="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -14307,7 +16005,7 @@ test -n "$YACC" || YACC="yacc"
 set dummy perl; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_PERL+set}" = set; then :
+if ${ac_cv_path_PERL+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $PERL in
@@ -14322,7 +16020,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -14348,7 +16046,7 @@ fi
 set dummy gperf; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_GPERF+set}" = set; then :
+if ${ac_cv_path_GPERF+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $GPERF in
@@ -14363,7 +16061,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -14386,6 +16084,7 @@ fi
 
 
 
+# because gperf is not needed by end-users we just report it but do not abort on failure
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking gperf version >= 3.0.0" >&5
 $as_echo_n "checking gperf version >= 3.0.0... " >&6; }
 if test -x "$GPERF"; then
@@ -14401,6 +16100,17 @@ else
 $as_echo "not found" >&6; }
 fi
 
+# ========================
+#  dependency calculation
+# ========================
+
+if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
+	xauth_generic=false;
+fi
+
+if test x$kernel_libipsec = xtrue; then
+	libipsec=true;
+fi
 
 if test x$eap_aka_3gpp2 = xtrue; then
 	gmp=true;
@@ -14428,7 +16138,7 @@ if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_
 	tnc_tnccs=true;
 fi
 
-if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
 	imcv=true;
 fi
 
@@ -14442,14 +16152,10 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
-if test x$smp = xtrue -o x$tnccs_11 = xtrue; then
+if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
 	xml=true
 fi
 
-if test x$tnc_ifmap = xtrue; then
-	axis2c=true
-fi
-
 if test x$manager = xtrue; then
 	fast=true
 fi
@@ -14463,98 +16169,76 @@ if test x$medcli = xtrue; then
 	mediation=true
 fi
 
-if test x$pluto = xtrue; then
-	if test x$socket_raw = xfalse; then
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: Enforcing --enable-socket-raw, as pluto is enabled" >&5
-$as_echo "$as_me: Enforcing --enable-socket-raw, as pluto is enabled" >&6;}
-		socket_raw=true
-		if test x$socket_default_given = xfalse; then
-			socket_default=false
-		fi
-	fi
+if test x$coverage = xtrue; then
+	unit_tests=true
 fi
 
+# ===========================================
+#  check required libraries and header files
+# ===========================================
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdbool.h that conforms to C99" >&5
 $as_echo_n "checking for stdbool.h that conforms to C99... " >&6; }
-if test "${ac_cv_header_stdbool_h+set}" = set; then :
+if ${ac_cv_header_stdbool_h+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-#include <stdbool.h>
-#ifndef bool
- "error: bool is not defined"
-#endif
-#ifndef false
- "error: false is not defined"
-#endif
-#if false
- "error: false is not 0"
-#endif
-#ifndef true
- "error: true is not defined"
-#endif
-#if true != 1
- "error: true is not 1"
-#endif
-#ifndef __bool_true_false_are_defined
- "error: __bool_true_false_are_defined is not defined"
-#endif
-
-	struct s { _Bool s: 1; _Bool t; } s;
-
-	char a[true == 1 ? 1 : -1];
-	char b[false == 0 ? 1 : -1];
-	char c[__bool_true_false_are_defined == 1 ? 1 : -1];
-	char d[(bool) 0.5 == true ? 1 : -1];
-	bool e = &s;
-	char f[(_Bool) 0.0 == false ? 1 : -1];
-	char g[true];
-	char h[sizeof (_Bool)];
-	char i[sizeof s.t];
-	enum { j = false, k = true, l = false * true, m = true * 256 };
-	/* The following fails for
-	   HP aC++/ANSI C B3910B A.05.55 [Dec 04 2003]. */
-	_Bool n[m];
-	char o[sizeof n == m * sizeof n[0] ? 1 : -1];
-	char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1];
-#	if defined __xlc__ || defined __GNUC__
-	 /* Catch a bug in IBM AIX xlc compiler version 6.0.0.0
-	    reported by James Lemley on 2005-10-05; see
-	    http://lists.gnu.org/archive/html/bug-coreutils/2005-10/msg00086.html
-	    This test is not quite right, since xlc is allowed to
-	    reject this program, as the initializer for xlcbug is
-	    not one of the forms that C requires support for.
-	    However, doing the test right would require a runtime
-	    test, and that would make cross-compilation harder.
-	    Let us hope that IBM fixes the xlc bug, and also adds
-	    support for this kind of constant expression.  In the
-	    meantime, this test will reject xlc, which is OK, since
-	    our stdbool.h substitute should suffice.  We also test
-	    this with GCC, where it should work, to detect more
-	    quickly whether someone messes up the test in the
-	    future.  */
-	 char digs[] = "0123456789";
-	 int xlcbug = 1 / (&(digs + 5)[-2 + (bool) 1] == &digs[4] ? 1 : -1);
-#	endif
-	/* Catch a bug in an HP-UX C compiler.  See
-	   http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html
-	   http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html
-	 */
-	_Bool q = true;
-	_Bool *pq = &q;
+             #include <stdbool.h>
+             #ifndef bool
+              "error: bool is not defined"
+             #endif
+             #ifndef false
+              "error: false is not defined"
+             #endif
+             #if false
+              "error: false is not 0"
+             #endif
+             #ifndef true
+              "error: true is not defined"
+             #endif
+             #if true != 1
+              "error: true is not 1"
+             #endif
+             #ifndef __bool_true_false_are_defined
+              "error: __bool_true_false_are_defined is not defined"
+             #endif
+
+             struct s { _Bool s: 1; _Bool t; } s;
+
+             char a[true == 1 ? 1 : -1];
+             char b[false == 0 ? 1 : -1];
+             char c[__bool_true_false_are_defined == 1 ? 1 : -1];
+             char d[(bool) 0.5 == true ? 1 : -1];
+             /* See body of main program for 'e'.  */
+             char f[(_Bool) 0.0 == false ? 1 : -1];
+             char g[true];
+             char h[sizeof (_Bool)];
+             char i[sizeof s.t];
+             enum { j = false, k = true, l = false * true, m = true * 256 };
+             /* The following fails for
+                HP aC++/ANSI C B3910B A.05.55 [Dec 04 2003]. */
+             _Bool n[m];
+             char o[sizeof n == m * sizeof n[0] ? 1 : -1];
+             char p[-1 - (_Bool) 0 < 0 && -1 - (bool) 0 < 0 ? 1 : -1];
+             /* Catch a bug in an HP-UX C compiler.  See
+                http://gcc.gnu.org/ml/gcc-patches/2003-12/msg02303.html
+                http://lists.gnu.org/archive/html/bug-coreutils/2005-11/msg00161.html
+              */
+             _Bool q = true;
+             _Bool *pq = &q;
 
 int
 main ()
 {
 
-	*pq |= q;
-	*pq |= ! q;
-	/* Refer to every declared value, to avoid compiler optimizations.  */
-	return (!a + !b + !c + !d + !e + !f + !g + !h + !i + !!j + !k + !!l
-		+ !m + !n + !o + !p + !q + !pq);
+             bool e = &s;
+             *pq |= q;
+             *pq |= ! q;
+             /* Refer to every declared value, to avoid compiler optimizations.  */
+             return (!a + !b + !c + !d + !e + !f + !g + !h + !i + !!j + !k + !!l
+                     + !m + !n + !o + !p + !q + !pq);
 
   ;
   return 0;
@@ -14569,8 +16253,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdbool_h" >&5
 $as_echo "$ac_cv_header_stdbool_h" >&6; }
-ac_fn_c_check_type "$LINENO" "_Bool" "ac_cv_type__Bool" "$ac_includes_default"
-if test "x$ac_cv_type__Bool" = x""yes; then :
+   ac_fn_c_check_type "$LINENO" "_Bool" "ac_cv_type__Bool" "$ac_includes_default"
+if test "x$ac_cv_type__Bool" = xyes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE__BOOL 1
@@ -14579,17 +16263,29 @@ _ACEOF
 
 fi
 
+
 if test $ac_cv_header_stdbool_h = yes; then
 
 $as_echo "#define HAVE_STDBOOL_H 1" >>confdefs.h
 
 fi
 
+ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default"
+if test "x$ac_cv_type_size_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define size_t unsigned int
+_ACEOF
+
+fi
+
 # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
 # for constant arguments.  Useless!
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
 $as_echo_n "checking for working alloca.h... " >&6; }
-if test "${ac_cv_working_alloca_h+set}" = set; then :
+if ${ac_cv_working_alloca_h+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14622,7 +16318,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5
 $as_echo_n "checking for alloca... " >&6; }
-if test "${ac_cv_func_alloca_works+set}" = set; then :
+if ${ac_cv_func_alloca_works+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14641,7 +16337,7 @@ else
  #pragma alloca
 #   else
 #    ifndef alloca /* predefined by HP cc +Olibcalls */
-char *alloca ();
+void *alloca (size_t);
 #    endif
 #   endif
 #  endif
@@ -14685,7 +16381,7 @@ $as_echo "#define C_ALLOCA 1" >>confdefs.h
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5
 $as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; }
-if test "${ac_cv_os_cray+set}" = set; then :
+if ${ac_cv_os_cray+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -14726,7 +16422,7 @@ fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5
 $as_echo_n "checking stack direction for C alloca... " >&6; }
-if test "${ac_cv_c_stack_direction+set}" = set; then :
+if ${ac_cv_c_stack_direction+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test "$cross_compiling" = yes; then :
@@ -14736,23 +16432,20 @@ else
 /* end confdefs.h.  */
 $ac_includes_default
 int
-find_stack_direction ()
+find_stack_direction (int *addr, int depth)
 {
-  static char *addr = 0;
-  auto char dummy;
-  if (addr == 0)
-    {
-      addr = &dummy;
-      return find_stack_direction ();
-    }
-  else
-    return (&dummy > addr) ? 1 : -1;
+  int dir, dummy = 0;
+  if (! addr)
+    addr = &dummy;
+  *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1;
+  dir = depth ? find_stack_direction (addr, depth - 1) : 0;
+  return dir + dummy;
 }
 
 int
-main ()
+main (int argc, char **argv)
 {
-  return find_stack_direction () < 0;
+  return find_stack_direction (0, argc + !argv + 20) < 0;
 }
 _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
@@ -14774,13 +16467,108 @@ _ACEOF
 
 fi
 
+ac_fn_c_check_decl "$LINENO" "strerror_r" "ac_cv_have_decl_strerror_r" "$ac_includes_default"
+if test "x$ac_cv_have_decl_strerror_r" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_STRERROR_R $ac_have_decl
+_ACEOF
+
+for ac_func in strerror_r
+do :
+  ac_fn_c_check_func "$LINENO" "strerror_r" "ac_cv_func_strerror_r"
+if test "x$ac_cv_func_strerror_r" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_STRERROR_R 1
+_ACEOF
+
+fi
+done
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether strerror_r returns char *" >&5
+$as_echo_n "checking whether strerror_r returns char *... " >&6; }
+if ${ac_cv_func_strerror_r_char_p+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+    ac_cv_func_strerror_r_char_p=no
+    if test $ac_cv_have_decl_strerror_r = yes; then
+      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$ac_includes_default
+int
+main ()
+{
+
+	  char buf[100];
+	  char x = *strerror_r (0, buf, sizeof buf);
+	  char *p = strerror_r (0, buf, sizeof buf);
+	  return !p || x;
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_func_strerror_r_char_p=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    else
+      # strerror_r is not declared.  Choose between
+      # systems that have relatively inaccessible declarations for the
+      # function.  BeOS and DEC UNIX 4.0 fall in this category, but the
+      # former has a strerror_r that returns char*, while the latter
+      # has a strerror_r that returns `int'.
+      # This test should segfault on the DEC system.
+      if test "$cross_compiling" = yes; then :
+  :
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$ac_includes_default
+	extern char *strerror_r ();
+int
+main ()
+{
+char buf[100];
+	  char x = *strerror_r (0, buf, sizeof buf);
+	  return ! isalpha (x);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  ac_cv_func_strerror_r_char_p=yes
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+    fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_strerror_r_char_p" >&5
+$as_echo "$ac_cv_func_strerror_r_char_p" >&6; }
+if test $ac_cv_func_strerror_r_char_p = yes; then
+
+$as_echo "#define STRERROR_R_CHAR_P 1" >>confdefs.h
+
+fi
+
 
+#  libraries needed on some platforms but not on others
+# ------------------------------------------------------
 saved_LIBS=$LIBS
 
+# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5
 $as_echo_n "checking for library containing dlopen... " >&6; }
-if test "${ac_cv_search_dlopen+set}" = set; then :
+if ${ac_cv_search_dlopen+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -14814,11 +16602,11 @@ for ac_lib in '' dl; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_dlopen+set}" = set; then :
+  if ${ac_cv_search_dlopen+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_dlopen+set}" = set; then :
+if ${ac_cv_search_dlopen+:} false; then :
 
 else
   ac_cv_search_dlopen=no
@@ -14836,10 +16624,11 @@ fi
 
 
 
+# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing backtrace" >&5
 $as_echo_n "checking for library containing backtrace... " >&6; }
-if test "${ac_cv_search_backtrace+set}" = set; then :
+if ${ac_cv_search_backtrace+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -14873,11 +16662,11 @@ for ac_lib in '' execinfo; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_backtrace+set}" = set; then :
+  if ${ac_cv_search_backtrace+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_backtrace+set}" = set; then :
+if ${ac_cv_search_backtrace+:} false; then :
 
 else
   ac_cv_search_backtrace=no
@@ -14896,7 +16685,7 @@ fi
 for ac_func in backtrace
 do :
   ac_fn_c_check_func "$LINENO" "backtrace" "ac_cv_func_backtrace"
-if test "x$ac_cv_func_backtrace" = x""yes; then :
+if test "x$ac_cv_func_backtrace" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_BACKTRACE 1
 _ACEOF
@@ -14906,10 +16695,11 @@ done
 
 
 
+# OpenSolaris needs libsocket and libnsl for socket()
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5
 $as_echo_n "checking for library containing socket... " >&6; }
-if test "${ac_cv_search_socket+set}" = set; then :
+if ${ac_cv_search_socket+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -14943,11 +16733,11 @@ for ac_lib in '' socket; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_socket+set}" = set; then :
+  if ${ac_cv_search_socket+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_socket+set}" = set; then :
+if ${ac_cv_search_socket+:} false; then :
 
 else
   ac_cv_search_socket=no
@@ -14964,7 +16754,7 @@ if test "$ac_res" != no; then :
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lnsl" >&5
 $as_echo_n "checking for socket in -lnsl... " >&6; }
-if test "${ac_cv_lib_nsl_socket+set}" = set; then :
+if ${ac_cv_lib_nsl_socket+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -14998,7 +16788,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_socket" >&5
 $as_echo "$ac_cv_lib_nsl_socket" >&6; }
-if test "x$ac_cv_lib_nsl_socket" = x""yes; then :
+if test "x$ac_cv_lib_nsl_socket" = xyes; then :
   SOCKLIB="-lsocket -lnsl"
 fi
 
@@ -15007,10 +16797,11 @@ fi
 
 
 
+# FreeBSD has clock_gettime in libc, Linux needs librt
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
 $as_echo_n "checking for library containing clock_gettime... " >&6; }
-if test "${ac_cv_search_clock_gettime+set}" = set; then :
+if ${ac_cv_search_clock_gettime+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -15044,11 +16835,11 @@ for ac_lib in '' rt; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_clock_gettime+set}" = set; then :
+  if ${ac_cv_search_clock_gettime+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_clock_gettime+set}" = set; then :
+if ${ac_cv_search_clock_gettime+:} false; then :
 
 else
   ac_cv_search_clock_gettime=no
@@ -15067,7 +16858,7 @@ fi
 for ac_func in clock_gettime
 do :
   ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
-if test "x$ac_cv_func_clock_gettime" = x""yes; then :
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_CLOCK_GETTIME 1
 _ACEOF
@@ -15077,10 +16868,11 @@ done
 
 
 
+# Android has pthread_* functions in bionic (libc), others need libpthread
 LIBS=""
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing pthread_create" >&5
 $as_echo_n "checking for library containing pthread_create... " >&6; }
-if test "${ac_cv_search_pthread_create+set}" = set; then :
+if ${ac_cv_search_pthread_create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_func_search_save_LIBS=$LIBS
@@ -15114,11 +16906,11 @@ for ac_lib in '' pthread; do
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext
-  if test "${ac_cv_search_pthread_create+set}" = set; then :
+  if ${ac_cv_search_pthread_create+:} false; then :
   break
 fi
 done
-if test "${ac_cv_search_pthread_create+set}" = set; then :
+if ${ac_cv_search_pthread_create+:} false; then :
 
 else
   ac_cv_search_pthread_create=no
@@ -15137,25 +16929,27 @@ fi
 
 
 LIBS=$saved_LIBS
+# ------------------------------------------------------
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dladdr" >&5
 $as_echo_n "checking for dladdr... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-	 #include <dlfcn.h>
+		  #include <dlfcn.h>
 int
 main ()
 {
 Dl_info* info = 0;
-	 dladdr(0, info);
+		  dladdr(0, info);
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_DLADDR 1" >>confdefs.h
+$as_echo "yes" >&6; };
+$as_echo "#define HAVE_DLADDR /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15164,21 +16958,24 @@ $as_echo "no" >&6; }
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
+# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
 saved_LIBS=$LIBS
 LIBS=$PTHREADLIB
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_condattr_setclock(CLOCK_MONOTONE)" >&5
 $as_echo_n "checking for pthread_condattr_setclock(CLOCK_MONOTONE)... " >&6; }
 if test "$cross_compiling" = yes; then :
-  	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
+  # Check existence of pthread_condattr_setclock if cross-compiling
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
 $as_echo "unknown" >&6; };
 	 for ac_func in pthread_condattr_setclock
 do :
   ac_fn_c_check_func "$LINENO" "pthread_condattr_setclock" "ac_cv_func_pthread_condattr_setclock"
-if test "x$ac_cv_func_pthread_condattr_setclock" = x""yes; then :
+if test "x$ac_cv_func_pthread_condattr_setclock" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_CONDATTR_SETCLOCK 1
 _ACEOF
- $as_echo "#define HAVE_CONDATTR_CLOCK_MONOTONIC 1" >>confdefs.h
+
+$as_echo "#define HAVE_CONDATTR_CLOCK_MONOTONIC /**/" >>confdefs.h
 
 
 fi
@@ -15189,13 +16986,15 @@ else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <pthread.h>
-	 int main() { pthread_condattr_t attr;
-		pthread_condattr_init(&attr);
-		return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}
+		  int main() { pthread_condattr_t attr;
+			pthread_condattr_init(&attr);
+			return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}
 _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_CONDATTR_CLOCK_MONOTONIC 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_CONDATTR_CLOCK_MONOTONIC /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15205,10 +17004,11 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
   conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
+# check if we actually are able to configure attributes on cond vars
 for ac_func in pthread_condattr_init
 do :
   ac_fn_c_check_func "$LINENO" "pthread_condattr_init" "ac_cv_func_pthread_condattr_init"
-if test "x$ac_cv_func_pthread_condattr_init" = x""yes; then :
+if test "x$ac_cv_func_pthread_condattr_init" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_CONDATTR_INIT 1
 _ACEOF
@@ -15216,10 +17016,11 @@ _ACEOF
 fi
 done
 
+# instead of pthread_condattr_setclock Android has this function
 for ac_func in pthread_cond_timedwait_monotonic
 do :
   ac_fn_c_check_func "$LINENO" "pthread_cond_timedwait_monotonic" "ac_cv_func_pthread_cond_timedwait_monotonic"
-if test "x$ac_cv_func_pthread_cond_timedwait_monotonic" = x""yes; then :
+if test "x$ac_cv_func_pthread_cond_timedwait_monotonic" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC 1
 _ACEOF
@@ -15227,10 +17028,11 @@ _ACEOF
 fi
 done
 
+# check if we can cancel threads
 for ac_func in pthread_cancel
 do :
   ac_fn_c_check_func "$LINENO" "pthread_cancel" "ac_cv_func_pthread_cancel"
-if test "x$ac_cv_func_pthread_cancel" = x""yes; then :
+if test "x$ac_cv_func_pthread_cancel" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_CANCEL 1
 _ACEOF
@@ -15238,10 +17040,11 @@ _ACEOF
 fi
 done
 
+# check if native rwlocks are available
 for ac_func in pthread_rwlock_init
 do :
   ac_fn_c_check_func "$LINENO" "pthread_rwlock_init" "ac_cv_func_pthread_rwlock_init"
-if test "x$ac_cv_func_pthread_rwlock_init" = x""yes; then :
+if test "x$ac_cv_func_pthread_rwlock_init" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PTHREAD_RWLOCK_INIT 1
 _ACEOF
@@ -15249,11 +17052,36 @@ _ACEOF
 fi
 done
 
+# check if pthread spinlocks are available
+for ac_func in pthread_spin_init
+do :
+  ac_fn_c_check_func "$LINENO" "pthread_spin_init" "ac_cv_func_pthread_spin_init"
+if test "x$ac_cv_func_pthread_spin_init" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_SPIN_INIT 1
+_ACEOF
+
+fi
+done
+
+# check if we have POSIX semaphore functions, including timed-wait
+for ac_func in sem_timedwait
+do :
+  ac_fn_c_check_func "$LINENO" "sem_timedwait" "ac_cv_func_sem_timedwait"
+if test "x$ac_cv_func_sem_timedwait" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SEM_TIMEDWAIT 1
+_ACEOF
+
+fi
+done
+
 LIBS=$saved_LIBS
 
 ac_fn_c_check_func "$LINENO" "gettid" "ac_cv_func_gettid"
-if test "x$ac_cv_func_gettid" = x""yes; then :
-  $as_echo "#define HAVE_GETTID 1" >>confdefs.h
+if test "x$ac_cv_func_gettid" = xyes; then :
+
+$as_echo "#define HAVE_GETTID /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYS_gettid" >&5
@@ -15261,22 +17089,25 @@ $as_echo_n "checking for SYS_gettid... " >&6; }
 	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-		 #include <unistd.h>
-		 #include <sys/syscall.h>
+			  #include <unistd.h>
+			  #include <sys/syscall.h>
 int
 main ()
 {
 int main() {
-			return syscall(SYS_gettid);}
+			  return syscall(SYS_gettid);}
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_GETTID 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_GETTID /**/" >>confdefs.h
 
-		 $as_echo "#define HAVE_SYS_GETTID 1" >>confdefs.h
+
+$as_echo "#define HAVE_SYS_GETTID /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15288,7 +17119,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-for ac_func in prctl mallinfo getpass closefrom
+for ac_func in prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -15327,13 +17158,29 @@ fi
 
 done
 
+for ac_header in netinet/ip6.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "netinet/ip6.h" "ac_cv_header_netinet_ip6_h" "
+	#include <sys/types.h>
+	#include <netinet/in.h>
+
+"
+if test "x$ac_cv_header_netinet_ip6_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_NETINET_IP6_H 1
+_ACEOF
+
+fi
+
+done
+
 
 ac_fn_c_check_member "$LINENO" "struct sockaddr" "sa_len" "ac_cv_member_struct_sockaddr_sa_len" "
 	#include <sys/types.h>
 	#include <sys/socket.h>
 
 "
-if test "x$ac_cv_member_struct_sockaddr_sa_len" = x""yes; then :
+if test "x$ac_cv_member_struct_sockaddr_sa_len" = xyes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_STRUCT_SOCKADDR_SA_LEN 1
@@ -15353,7 +17200,7 @@ ac_fn_c_check_member "$LINENO" "struct sadb_x_policy" "sadb_x_policy_priority" "
 	#endif
 
 "
-if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = x""yes; then :
+if test "x$ac_cv_member_struct_sadb_x_policy_sadb_x_policy_priority" = xyes; then :
 
 cat >>confdefs.h <<_ACEOF
 #define HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY 1
@@ -15368,20 +17215,22 @@ $as_echo_n "checking for in6addr_any... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>
 int
 main ()
 {
 struct in6_addr in6;
-	in6 = in6addr_any;
+		  in6 = in6addr_any;
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_IN6ADDR_ANY 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_IN6ADDR_ANY /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15395,24 +17244,26 @@ $as_echo_n "checking for in6_pktinfo... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-	#include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>
+		  #include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>
 int
 main ()
 {
 struct in6_pktinfo pi;
-	if (pi.ipi6_ifindex)
-	{
-		return 0;
-	}
+		  if (pi.ipi6_ifindex)
+		  {
+		    return 0;
+		  }
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_IN6_PKTINFO 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_IN6_PKTINFO /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15426,26 +17277,28 @@ $as_echo_n "checking for IPSEC_MODE_BEET... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif
 int
 main ()
 {
 int mode = IPSEC_MODE_BEET;
-	 return mode;
+		  return mode;
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_IPSEC_MODE_BEET 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_IPSEC_MODE_BEET /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15459,26 +17312,28 @@ $as_echo_n "checking for IPSEC_DIR_FWD... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif
 int
 main ()
 {
 int dir = IPSEC_DIR_FWD;
-	 return dir;
+		  return dir;
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_IPSEC_DIR_FWD 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_IPSEC_DIR_FWD /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15492,20 +17347,22 @@ $as_echo_n "checking for RTA_TABLE... " >&6; }
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <sys/socket.h>
-	#include <linux/netlink.h>
-	#include <linux/rtnetlink.h>
+		  #include <linux/netlink.h>
+		  #include <linux/rtnetlink.h>
 int
 main ()
 {
 int rta_type = RTA_TABLE;
-	 return rta_type;
+		  return rta_type;
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_RTA_TABLE 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_RTA_TABLE /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15519,23 +17376,26 @@ $as_echo_n "checking for gcc atomic operations... " >&6; }
 if test "$cross_compiling" = yes; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
+
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-	int main() {
-		volatile int ref = 1;
-		__sync_fetch_and_add (&ref, 1);
-		__sync_sub_and_fetch (&ref, 1);
-		/* Make sure test fails if operations are not supported */
-		__sync_val_compare_and_swap(&ref, 1, 0);
-		return ref;
-	}
+			int main() {
+			volatile int ref = 1;
+			__sync_fetch_and_add (&ref, 1);
+			__sync_sub_and_fetch (&ref, 1);
+			/* Make sure test fails if operations are not supported */
+			__sync_val_compare_and_swap(&ref, 1, 0);
+			return ref;
+		}
 
 _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_GCC_ATOMIC_OPERATIONS 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_GCC_ATOMIC_OPERATIONS /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15546,14 +17406,18 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
 fi
 
 
+# check for the new register_printf_specifier function with len argument,
+# or the deprecated register_printf_function without
 ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier"
-if test "x$ac_cv_func_register_printf_specifier" = x""yes; then :
-  $as_echo "#define HAVE_PRINTF_SPECIFIER 1" >>confdefs.h
+if test "x$ac_cv_func_register_printf_specifier" = xyes; then :
+
+$as_echo "#define HAVE_PRINTF_SPECIFIER /**/" >>confdefs.h
 
 else
   ac_fn_c_check_func "$LINENO" "register_printf_function" "ac_cv_func_register_printf_function"
-if test "x$ac_cv_func_register_printf_function" = x""yes; then :
-  $as_echo "#define HAVE_PRINTF_FUNCTION 1" >>confdefs.h
+if test "x$ac_cv_func_register_printf_function" = xyes; then :
+
+$as_echo "#define HAVE_PRINTF_FUNCTION /**/" >>confdefs.h
 
 else
 
@@ -15571,7 +17435,7 @@ fi
 if test x$vstr = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
 $as_echo_n "checking for main in -lvstr... " >&6; }
-if test "${ac_cv_lib_vstr_main+set}" = set; then :
+if ${ac_cv_lib_vstr_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15599,14 +17463,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_main" >&5
 $as_echo "$ac_cv_lib_vstr_main" >&6; }
-if test "x$ac_cv_lib_vstr_main" = x""yes; then :
+if test "x$ac_cv_lib_vstr_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Vstr string library not found" "$LINENO" 5
 fi
-ac_cv_lib_vstr=ac_cv_lib_vstr_main
 
-	$as_echo "#define USE_VSTR 1" >>confdefs.h
+
+$as_echo "#define USE_VSTR /**/" >>confdefs.h
 
 fi
 
@@ -15614,7 +17478,7 @@ if test x$gmp = xtrue; then
 	saved_LIBS=$LIBS
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgmp" >&5
 $as_echo_n "checking for main in -lgmp... " >&6; }
-if test "${ac_cv_lib_gmp_main+set}" = set; then :
+if ${ac_cv_lib_gmp_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15642,7 +17506,7 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp_main" >&5
 $as_echo "$ac_cv_lib_gmp_main" >&6; }
-if test "x$ac_cv_lib_gmp_main" = x""yes; then :
+if test "x$ac_cv_lib_gmp_main" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBGMP 1
 _ACEOF
@@ -15652,7 +17516,6 @@ _ACEOF
 else
   as_fn_error $? "GNU Multi Precision library gmp not found" "$LINENO" 5
 fi
-ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking mpz_powm_sec" >&5
 $as_echo_n "checking mpz_powm_sec... " >&6; }
@@ -15663,16 +17526,16 @@ $as_echo_n "checking mpz_powm_sec... " >&6; }
 int
 main ()
 {
-
-				void *x = mpz_powm_sec;
-
+void *x = mpz_powm_sec;
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_MPZ_POWM_SEC 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_MPZ_POWM_SEC /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -15694,10 +17557,9 @@ int
 main ()
 {
 
-			#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
-				#error bad gmp
-			#endif
-
+				#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+					#error bad gmp
+				#endif
   ;
   return 0;
 }
@@ -15716,7 +17578,7 @@ fi
 if test x$ldap = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldap" >&5
 $as_echo_n "checking for main in -lldap... " >&6; }
-if test "${ac_cv_lib_ldap_main+set}" = set; then :
+if ${ac_cv_lib_ldap_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15744,16 +17606,15 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_main" >&5
 $as_echo "$ac_cv_lib_ldap_main" >&6; }
-if test "x$ac_cv_lib_ldap_main" = x""yes; then :
+if test "x$ac_cv_lib_ldap_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
 fi
-ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llber" >&5
 $as_echo_n "checking for main in -llber... " >&6; }
-if test "${ac_cv_lib_lber_main+set}" = set; then :
+if ${ac_cv_lib_lber_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15781,15 +17642,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_main" >&5
 $as_echo "$ac_cv_lib_lber_main" >&6; }
-if test "x$ac_cv_lib_lber_main" = x""yes; then :
+if test "x$ac_cv_lib_lber_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library lber not found" "$LINENO" 5
 fi
-ac_cv_lib_lber=ac_cv_lib_lber_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "ldap.h" "ac_cv_header_ldap_h" "$ac_includes_default"
-if test "x$ac_cv_header_ldap_h" = x""yes; then :
+if test "x$ac_cv_header_ldap_h" = xyes; then :
 
 else
   as_fn_error $? "LDAP header ldap.h not found!" "$LINENO" 5
@@ -15801,7 +17661,7 @@ fi
 if test x$curl = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcurl" >&5
 $as_echo_n "checking for main in -lcurl... " >&6; }
-if test "${ac_cv_lib_curl_main+set}" = set; then :
+if ${ac_cv_lib_curl_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15829,15 +17689,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_main" >&5
 $as_echo "$ac_cv_lib_curl_main" >&6; }
-if test "x$ac_cv_lib_curl_main" = x""yes; then :
+if test "x$ac_cv_lib_curl_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "CURL library curl not found" "$LINENO" 5
 fi
-ac_cv_lib_curl=ac_cv_lib_curl_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "curl/curl.h" "ac_cv_header_curl_curl_h" "$ac_includes_default"
-if test "x$ac_cv_header_curl_curl_h" = x""yes; then :
+if test "x$ac_cv_header_curl_curl_h" = xyes; then :
 
 else
   as_fn_error $? "CURL header curl/curl.h not found!" "$LINENO" 5
@@ -15846,6 +17705,99 @@ fi
 
 fi
 
+if test x$unbound = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldns" >&5
+$as_echo_n "checking for main in -lldns... " >&6; }
+if ${ac_cv_lib_ldns_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lldns  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_ldns_main=yes
+else
+  ac_cv_lib_ldns_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldns_main" >&5
+$as_echo "$ac_cv_lib_ldns_main" >&6; }
+if test "x$ac_cv_lib_ldns_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "UNBOUND library ldns not found" "$LINENO" 5
+fi
+ac_cv_lib_ldns=ac_cv_lib_ldns_main
+
+	ac_fn_c_check_header_mongrel "$LINENO" "ldns/ldns.h" "ac_cv_header_ldns_ldns_h" "$ac_includes_default"
+if test "x$ac_cv_header_ldns_ldns_h" = xyes; then :
+
+else
+  as_fn_error $? "UNBOUND header ldns/ldns.h not found!" "$LINENO" 5
+fi
+
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunbound" >&5
+$as_echo_n "checking for main in -lunbound... " >&6; }
+if ${ac_cv_lib_unbound_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lunbound  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_unbound_main=yes
+else
+  ac_cv_lib_unbound_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unbound_main" >&5
+$as_echo "$ac_cv_lib_unbound_main" >&6; }
+if test "x$ac_cv_lib_unbound_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "UNBOUND library libunbound not found" "$LINENO" 5
+fi
+ac_cv_lib_unbound=ac_cv_lib_unbound_main
+
+	ac_fn_c_check_header_mongrel "$LINENO" "unbound.h" "ac_cv_header_unbound_h" "$ac_includes_default"
+if test "x$ac_cv_header_unbound_h" = xyes; then :
+
+else
+  as_fn_error $? "UNBOUND header unbound.h not found!" "$LINENO" 5
+fi
+
+
+fi
+
 if test x$soup = xtrue; then
 
 pkg_failed=no
@@ -15862,6 +17814,7 @@ if test -n "$soup_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_soup_CFLAGS=`$PKG_CONFIG --cflags "libsoup-2.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -15878,6 +17831,7 @@ if test -n "$soup_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_soup_LIBS=`$PKG_CONFIG --libs "libsoup-2.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -15897,9 +17851,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libsoup-2.4" 2>&1`
+	        soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsoup-2.4" 2>&1`
         else
-	        soup_PKG_ERRORS=`$PKG_CONFIG --print-errors "libsoup-2.4" 2>&1`
+	        soup_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsoup-2.4" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$soup_PKG_ERRORS" >&5
@@ -15928,7 +17882,7 @@ and soup_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	soup_CFLAGS=$pkg_cv_soup_CFLAGS
 	soup_LIBS=$pkg_cv_soup_LIBS
@@ -15956,6 +17910,7 @@ if test -n "$xml_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -15972,6 +17927,7 @@ if test -n "$xml_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -15991,9 +17947,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libxml-2.0" 2>&1`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libxml-2.0" 2>&1`
         else
-	        xml_PKG_ERRORS=`$PKG_CONFIG --print-errors "libxml-2.0" 2>&1`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libxml-2.0" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$xml_PKG_ERRORS" >&5
@@ -16022,7 +17978,7 @@ and xml_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	xml_CFLAGS=$pkg_cv_xml_CFLAGS
 	xml_LIBS=$pkg_cv_xml_LIBS
@@ -16034,104 +17990,10 @@ fi
 
 fi
 
-if test x$axis2c = xtrue; then
-
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for axis2c" >&5
-$as_echo_n "checking for axis2c... " >&6; }
-
-if test -n "$axis2c_CFLAGS"; then
-    pkg_cv_axis2c_CFLAGS="$axis2c_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"axis2c\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "axis2c") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_axis2c_CFLAGS=`$PKG_CONFIG --cflags "axis2c" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-if test -n "$axis2c_LIBS"; then
-    pkg_cv_axis2c_LIBS="$axis2c_LIBS"
- elif test -n "$PKG_CONFIG"; then
-    if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"axis2c\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "axis2c") 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-  pkg_cv_axis2c_LIBS=`$PKG_CONFIG --libs "axis2c" 2>/dev/null`
-else
-  pkg_failed=yes
-fi
- else
-    pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
-   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi
-        if test $_pkg_short_errors_supported = yes; then
-	        axis2c_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "axis2c" 2>&1`
-        else
-	        axis2c_PKG_ERRORS=`$PKG_CONFIG --print-errors "axis2c" 2>&1`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$axis2c_PKG_ERRORS" >&5
-
-	as_fn_error $? "Package requirements (axis2c) were not met:
-
-$axis2c_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-Alternatively, you may set the environment variables axis2c_CFLAGS
-and axis2c_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details." "$LINENO" 5
-elif test $pkg_failed = untried; then
-     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-Alternatively, you may set the environment variables axis2c_CFLAGS
-and axis2c_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
-else
-	axis2c_CFLAGS=$pkg_cv_axis2c_CFLAGS
-	axis2c_LIBS=$pkg_cv_axis2c_LIBS
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-fi
-
-
-fi
-
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+if test x$tss = xtrousers; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5
 $as_echo_n "checking for main in -ltspi... " >&6; }
-if test "${ac_cv_lib_tspi_main+set}" = set; then :
+if ${ac_cv_lib_tspi_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16159,21 +18021,23 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5
 $as_echo "$ac_cv_lib_tspi_main" >&6; }
-if test "x$ac_cv_lib_tspi_main" = x""yes; then :
+if test "x$ac_cv_lib_tspi_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
 fi
-ac_cv_lib_tspi=ac_cv_lib_tspi_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default"
-if test "x$ac_cv_header_trousers_tss_h" = x""yes; then :
+if test "x$ac_cv_header_trousers_tss_h" = xyes; then :
 
 else
   as_fn_error $? "TrouSerS header trousers/tss.h not found!" "$LINENO" 5
 fi
 
 
+
+$as_echo "#define TSS_TROUSERS /**/" >>confdefs.h
+
 fi
 
 if test x$dumm = xtrue; then
@@ -16192,6 +18056,7 @@ if test -n "$gtk_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16208,6 +18073,7 @@ if test -n "$gtk_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16227,9 +18093,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "gtk+-2.0 vte" 2>&1`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
         else
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors "gtk+-2.0 vte" 2>&1`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$gtk_PKG_ERRORS" >&5
@@ -16258,7 +18124,7 @@ and gtk_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
 	gtk_LIBS=$pkg_cv_gtk_LIBS
@@ -16274,7 +18140,7 @@ do
 set dummy $ac_prog; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_prog_RUBY+set}" = set; then :
+if ${ac_cv_prog_RUBY+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   if test -n "$RUBY"; then
@@ -16286,7 +18152,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_prog_RUBY="$ac_prog"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -16313,34 +18179,79 @@ done
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ruby header files" >&5
 $as_echo_n "checking for Ruby header files... " >&6; }
 	if test -n "$RUBY"; then
-		RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG["archdir"] || $archdir') 2>/dev/null`
-		if test -n "$RUBYDIR"; then
-			dirs="$RUBYDIR"
-			RUBYINCLUDE=none
-			for i in $dirs; do
-				if test -r $i/ruby.h; then
-					{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $i" >&5
-$as_echo "$i" >&6; }
-					RUBYINCLUDE="-I$i"
-					break;
-				fi
-			done
-			if test x"$RUBYINCLUDE" = xnone; then
-				as_fn_error $? "ruby.h not found" "$LINENO" 5
+		RUBYINCLUDE=
+		RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["rubyhdrdir"] || ""') 2>/dev/null`
+		if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+			RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["arch"] || ""') 2>/dev/null`
+			if test -n "$RUBYARCH"; then
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBYDIR" >&5
+$as_echo "$RUBYDIR" >&6; }
+				RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
 			fi
-
 		else
-			as_fn_error $? "unable to determine ruby configuration" "$LINENO" 5
+			RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["archdir"] || ""') 2>/dev/null`
+			if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBYDIR" >&5
+$as_echo "$RUBYDIR" >&6; }
+				RUBYINCLUDE="-I$RUBYDIR"
+			fi
 		fi
+		if test -z "$RUBYINCLUDE"; then
+			as_fn_error $? "ruby.h not found" "$LINENO" 5
+		fi
+
 	else
 		as_fn_error $? "don't know how to run ruby" "$LINENO" 5
 	fi
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libruby" >&5
+$as_echo_n "checking for libruby... " >&6; }
+	saved_LIBS=$LIBS
+	LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG["LIBRUBYARG_SHARED"] || ""') 2>/dev/null`
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ruby_init ();
+int
+main ()
+{
+return ruby_init ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBS" >&5
+$as_echo "$LIBS" >&6; }; RUBYLIB=$LIBS
+else
+  as_fn_error $? "not found" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+	for ac_func in rb_errinfo
+do :
+  ac_fn_c_check_func "$LINENO" "rb_errinfo" "ac_cv_func_rb_errinfo"
+if test "x$ac_cv_func_rb_errinfo" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_RB_ERRINFO 1
+_ACEOF
+
+fi
+done
+
+	LIBS=$saved_LIBS
 fi
 
 if test x$fast = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_cgi" >&5
 $as_echo_n "checking for main in -lneo_cgi... " >&6; }
-if test "${ac_cv_lib_neo_cgi_main+set}" = set; then :
+if ${ac_cv_lib_neo_cgi_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16368,16 +18279,15 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_cgi_main" >&5
 $as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
-if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then :
+if test "x$ac_cv_lib_neo_cgi_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
 fi
-ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_utl" >&5
 $as_echo_n "checking for main in -lneo_utl... " >&6; }
-if test "${ac_cv_lib_neo_utl_main+set}" = set; then :
+if ${ac_cv_lib_neo_utl_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16405,12 +18315,11 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_main" >&5
 $as_echo "$ac_cv_lib_neo_utl_main" >&6; }
-if test "x$ac_cv_lib_neo_utl_main" = x""yes; then :
+if test "x$ac_cv_lib_neo_utl_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
 fi
-ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking ClearSilver requires zlib" >&5
 $as_echo_n "checking ClearSilver requires zlib... " >&6; }
@@ -16424,9 +18333,7 @@ $as_echo_n "checking ClearSilver requires zlib... " >&6; }
 int
 main ()
 {
-
-			NEOERR *err = cgi_display(NULL, NULL);
-
+NEOERR *err = cgi_display(NULL, NULL);
   ;
   return 0;
 }
@@ -16444,10 +18351,12 @@ rm -f core conftest.err conftest.$ac_objext \
 
 	LIBS=$saved_LIBS
 	CFLAGS=$saved_CFLAGS
+# autoconf does not like CamelCase!? How to fix this?
+#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lfcgi" >&5
 $as_echo_n "checking for main in -lfcgi... " >&6; }
-if test "${ac_cv_lib_fcgi_main+set}" = set; then :
+if ${ac_cv_lib_fcgi_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16475,15 +18384,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_main" >&5
 $as_echo "$ac_cv_lib_fcgi_main" >&6; }
-if test "x$ac_cv_lib_fcgi_main" = x""yes; then :
+if test "x$ac_cv_lib_fcgi_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
 fi
-ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "fcgiapp.h" "ac_cv_header_fcgiapp_h" "$ac_includes_default"
-if test "x$ac_cv_header_fcgiapp_h" = x""yes; then :
+if test "x$ac_cv_header_fcgiapp_h" = xyes; then :
 
 else
   as_fn_error $? "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
@@ -16497,7 +18405,7 @@ if test x$mysql = xtrue; then
 set dummy mysql_config; ac_word=$2
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 $as_echo_n "checking for $ac_word... " >&6; }
-if test "${ac_cv_path_MYSQLCONFIG+set}" = set; then :
+if ${ac_cv_path_MYSQLCONFIG+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   case $MYSQLCONFIG in
@@ -16512,7 +18420,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
     for ac_exec_ext in '' $ac_executable_extensions; do
-  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
     ac_cv_path_MYSQLCONFIG="$as_dir/$ac_word$ac_exec_ext"
     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -16546,7 +18454,7 @@ fi
 if test x$sqlite = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lsqlite3" >&5
 $as_echo_n "checking for main in -lsqlite3... " >&6; }
-if test "${ac_cv_lib_sqlite3_main+set}" = set; then :
+if ${ac_cv_lib_sqlite3_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16574,15 +18482,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_main" >&5
 $as_echo "$ac_cv_lib_sqlite3_main" >&6; }
-if test "x$ac_cv_lib_sqlite3_main" = x""yes; then :
+if test "x$ac_cv_lib_sqlite3_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
 fi
-ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "sqlite3.h" "ac_cv_header_sqlite3_h" "$ac_includes_default"
-if test "x$ac_cv_header_sqlite3_h" = x""yes; then :
+if test "x$ac_cv_header_sqlite3_h" = xyes; then :
 
 else
   as_fn_error $? "SQLite header sqlite3.h not found!" "$LINENO" 5
@@ -16597,22 +18504,21 @@ $as_echo_n "checking sqlite3_prepare_v2... " >&6; }
 int
 main ()
 {
-
-			void *test = sqlite3_prepare_v2;
-
+void *test = sqlite3_prepare_v2;
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; cat >>confdefs.h <<_ACEOF
-#define HAVE_SQLITE3_PREPARE_V2 1
-_ACEOF
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_SQLITE3_PREPARE_V2 /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
+
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking sqlite3.h version >= 3.3.1" >&5
@@ -16624,10 +18530,9 @@ int
 main ()
 {
 
-			#if SQLITE_VERSION_NUMBER < 3003001
-				#error bad sqlite
-			#endif
-
+				#if SQLITE_VERSION_NUMBER < 3003001
+					#error bad sqlite
+				#endif
   ;
   return 0;
 }
@@ -16638,6 +18543,7 @@ $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }; as_fn_error $? "SQLite version >= 3.3.1 required!" "$LINENO" 5
+
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
@@ -16645,7 +18551,7 @@ fi
 if test x$openssl = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcrypto" >&5
 $as_echo_n "checking for main in -lcrypto... " >&6; }
-if test "${ac_cv_lib_crypto_main+set}" = set; then :
+if ${ac_cv_lib_crypto_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16673,15 +18579,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_main" >&5
 $as_echo "$ac_cv_lib_crypto_main" >&6; }
-if test "x$ac_cv_lib_crypto_main" = x""yes; then :
+if test "x$ac_cv_lib_crypto_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "OpenSSL crypto library not found" "$LINENO" 5
 fi
-ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "openssl/evp.h" "ac_cv_header_openssl_evp_h" "$ac_includes_default"
-if test "x$ac_cv_header_openssl_evp_h" = x""yes; then :
+if test "x$ac_cv_header_openssl_evp_h" = xyes; then :
 
 else
   as_fn_error $? "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
@@ -16693,7 +18598,7 @@ fi
 if test x$gcrypt = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgcrypt" >&5
 $as_echo_n "checking for main in -lgcrypt... " >&6; }
-if test "${ac_cv_lib_gcrypt_main+set}" = set; then :
+if ${ac_cv_lib_gcrypt_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16721,15 +18626,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_main" >&5
 $as_echo "$ac_cv_lib_gcrypt_main" >&6; }
-if test "x$ac_cv_lib_gcrypt_main" = x""yes; then :
+if test "x$ac_cv_lib_gcrypt_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "gcrypt library not found" "$LINENO" 5
 fi
-ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "gcrypt.h" "ac_cv_header_gcrypt_h" "$ac_includes_default"
-if test "x$ac_cv_header_gcrypt_h" = x""yes; then :
+if test "x$ac_cv_header_gcrypt_h" = xyes; then :
 
 else
   as_fn_error $? "gcrypt header gcrypt.h not found!" "$LINENO" 5
@@ -16751,7 +18655,9 @@ enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; $as_echo "#define HAVE_GCRY_CIPHER_CAMELLIA 1" >>confdefs.h
+$as_echo "yes" >&6; };
+
+$as_echo "#define HAVE_GCRY_CIPHER_CAMELLIA /**/" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@@ -16764,7 +18670,7 @@ fi
 if test x$uci = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
 $as_echo_n "checking for main in -luci... " >&6; }
-if test "${ac_cv_lib_uci_main+set}" = set; then :
+if ${ac_cv_lib_uci_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16792,15 +18698,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_main" >&5
 $as_echo "$ac_cv_lib_uci_main" >&6; }
-if test "x$ac_cv_lib_uci_main" = x""yes; then :
+if test "x$ac_cv_lib_uci_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UCI library libuci not found" "$LINENO" 5
 fi
-ac_cv_lib_uci=ac_cv_lib_uci_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "uci.h" "ac_cv_header_uci_h" "$ac_includes_default"
-if test "x$ac_cv_header_uci_h" = x""yes; then :
+if test "x$ac_cv_header_uci_h" = xyes; then :
 
 else
   as_fn_error $? "UCI header uci.h not found!" "$LINENO" 5
@@ -16809,10 +18714,10 @@ fi
 
 fi
 
-if test x$android = xtrue; then
+if test x$android_dns = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcutils" >&5
 $as_echo_n "checking for main in -lcutils... " >&6; }
-if test "${ac_cv_lib_cutils_main+set}" = set; then :
+if ${ac_cv_lib_cutils_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -16840,22 +18745,23 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_main" >&5
 $as_echo "$ac_cv_lib_cutils_main" >&6; }
-if test "x$ac_cv_lib_cutils_main" = x""yes; then :
+if test "x$ac_cv_lib_cutils_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Android library libcutils not found" "$LINENO" 5
 fi
-ac_cv_lib_cutils=ac_cv_lib_cutils_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "cutils/properties.h" "ac_cv_header_cutils_properties_h" "$ac_includes_default"
-if test "x$ac_cv_header_cutils_properties_h" = x""yes; then :
+if test "x$ac_cv_header_cutils_properties_h" = xyes; then :
 
 else
   as_fn_error $? "Android header cutils/properties.h not found!" "$LINENO" 5
 fi
 
 
-			DLLIB="-ldl"
+	# we have to force the use of libdl here because the autodetection
+	# above does not work correctly when cross-compiling for android.
+	DLLIB="-ldl"
 
 fi
 
@@ -16875,6 +18781,7 @@ if test -n "$maemo_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_maemo_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16891,6 +18798,7 @@ if test -n "$maemo_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_maemo_LIBS=`$PKG_CONFIG --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16910,9 +18818,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
         else
-	        maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$maemo_PKG_ERRORS" >&5
@@ -16941,7 +18849,7 @@ and maemo_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	maemo_CFLAGS=$pkg_cv_maemo_CFLAGS
 	maemo_LIBS=$pkg_cv_maemo_LIBS
@@ -16971,6 +18879,7 @@ if test -n "$pcsclite_CFLAGS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_pcsclite_CFLAGS=`$PKG_CONFIG --cflags "libpcsclite" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -16987,6 +18896,7 @@ if test -n "$pcsclite_LIBS"; then
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
   pkg_cv_pcsclite_LIBS=`$PKG_CONFIG --libs "libpcsclite" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17006,9 +18916,9 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libpcsclite" 2>&1`
+	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libpcsclite" 2>&1`
         else
-	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --print-errors "libpcsclite" 2>&1`
+	        pcsclite_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libpcsclite" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$pcsclite_PKG_ERRORS" >&5
@@ -17037,7 +18947,7 @@ and pcsclite_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	pcsclite_CFLAGS=$pkg_cv_pcsclite_CFLAGS
 	pcsclite_LIBS=$pkg_cv_pcsclite_LIBS
@@ -17065,12 +18975,13 @@ if test -n "$nm_CFLAGS"; then
     pkg_cv_nm_CFLAGS="$nm_CFLAGS"
  elif test -n "$PKG_CONFIG"; then
     if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
+  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17081,12 +18992,13 @@ if test -n "$nm_LIBS"; then
     pkg_cv_nm_LIBS="$nm_LIBS"
  elif test -n "$PKG_CONFIG"; then
     if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>/dev/null`
+  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17106,14 +19018,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
 
-	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn) were not met:
+	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn) were not met:
 
 $nm_PKG_ERRORS
 
@@ -17137,7 +19049,7 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
@@ -17155,12 +19067,13 @@ if test -n "$nm_CFLAGS"; then
     pkg_cv_nm_CFLAGS="$nm_CFLAGS"
  elif test -n "$PKG_CONFIG"; then
     if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>/dev/null`
+  pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17171,12 +19084,13 @@ if test -n "$nm_LIBS"; then
     pkg_cv_nm_LIBS="$nm_LIBS"
  elif test -n "$PKG_CONFIG"; then
     if test -n "$PKG_CONFIG" && \
-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
-  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }; then
-  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>/dev/null`
+  pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
 else
   pkg_failed=yes
 fi
@@ -17196,14 +19110,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>&1`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
 
-	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn) were not met:
+	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn) were not met:
 
 $nm_PKG_ERRORS
 
@@ -17227,7 +19141,7 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details" "$LINENO" 5 ; }
+See \`config.log' for more details" "$LINENO" 5; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
@@ -17241,10 +19155,10 @@ fi
 
 fi
 
-if test x$eap_gtc = xtrue; then
+if test x$xauth_pam = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpam" >&5
 $as_echo_n "checking for main in -lpam... " >&6; }
-if test "${ac_cv_lib_pam_main+set}" = set; then :
+if ${ac_cv_lib_pam_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -17272,15 +19186,14 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_main" >&5
 $as_echo "$ac_cv_lib_pam_main" >&6; }
-if test "x$ac_cv_lib_pam_main" = x""yes; then :
+if test "x$ac_cv_lib_pam_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "PAM library not found" "$LINENO" 5
 fi
-ac_cv_lib_pam=ac_cv_lib_pam_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "security/pam_appl.h" "ac_cv_header_security_pam_appl_h" "$ac_includes_default"
-if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then :
+if test "x$ac_cv_header_security_pam_appl_h" = xyes; then :
 
 else
   as_fn_error $? "PAM header security/pam_appl.h not found!" "$LINENO" 5
@@ -17292,10 +19205,12 @@ fi
 if test x$capabilities = xnative; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&5
 $as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&6;}
-			for ac_header in sys/capability.h
+	# Linux requires the following for capset(), Android does not have it,
+	# but defines capset() in unistd.h instead.
+	for ac_header in sys/capability.h
 do :
   ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_SYS_CAPABILITY_H 1
 _ACEOF
@@ -17305,20 +19220,21 @@ fi
 done
 
 	ac_fn_c_check_func "$LINENO" "capset" "ac_cv_func_capset"
-if test "x$ac_cv_func_capset" = x""yes; then :
+if test "x$ac_cv_func_capset" = xyes; then :
 
 else
   as_fn_error $? "capset() not found!" "$LINENO" 5
 fi
 
-	$as_echo "#define CAPABILITIES_NATIVE 1" >>confdefs.h
+
+$as_echo "#define CAPABILITIES_NATIVE /**/" >>confdefs.h
 
 fi
 
 if test x$capabilities = xlibcap; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcap" >&5
 $as_echo_n "checking for main in -lcap... " >&6; }
-if test "${ac_cv_lib_cap_main+set}" = set; then :
+if ${ac_cv_lib_cap_main+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -17346,23 +19262,24 @@ LIBS=$ac_check_lib_save_LIBS
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_main" >&5
 $as_echo "$ac_cv_lib_cap_main" >&6; }
-if test "x$ac_cv_lib_cap_main" = x""yes; then :
+if test "x$ac_cv_lib_cap_main" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "libcap library not found" "$LINENO" 5
 fi
-ac_cv_lib_cap=ac_cv_lib_cap_main
 
 	ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
-  $as_echo "#define HAVE_SYS_CAPABILITY_H 1" >>confdefs.h
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
+
+$as_echo "#define HAVE_SYS_CAPABILITY_H /**/" >>confdefs.h
 
 else
   as_fn_error $? "libcap header sys/capability.h not found!" "$LINENO" 5
 fi
 
 
-	$as_echo "#define CAPABILITIES_LIBCAP 1" >>confdefs.h
+
+$as_echo "#define CAPABILITIES_LIBCAP /**/" >>confdefs.h
 
 fi
 
@@ -17372,7 +19289,7 @@ $as_echo_n "checking for dladdr()... " >&6; }
 	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-		 #include <dlfcn.h>
+			  #include <dlfcn.h>
 int
 main ()
 {
@@ -17396,7 +19313,7 @@ $as_echo_n "checking for dl_iterate_phdr()... " >&6; }
 	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #define _GNU_SOURCE
-		 #include <link.h>
+			  #include <link.h>
 int
 main ()
 {
@@ -17417,6 +19334,366 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
+if test x$bfd_backtraces = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lbfd" >&5
+$as_echo_n "checking for main in -lbfd... " >&6; }
+if ${ac_cv_lib_bfd_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lbfd  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_bfd_main=yes
+else
+  ac_cv_lib_bfd_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bfd_main" >&5
+$as_echo "$ac_cv_lib_bfd_main" >&6; }
+if test "x$ac_cv_lib_bfd_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "binutils libbfd not found!" "$LINENO" 5
+fi
+
+	ac_fn_c_check_header_mongrel "$LINENO" "bfd.h" "ac_cv_header_bfd_h" "$ac_includes_default"
+if test "x$ac_cv_header_bfd_h" = xyes; then :
+
+$as_echo "#define HAVE_BFD_H /**/" >>confdefs.h
+
+else
+  as_fn_error $? "binutils bfd.h header not found!" "$LINENO" 5
+fi
+
+
+	BFDLIB="-lbfd"
+
+fi
+
+if test x$unwind_backtraces = xtrue; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunwind" >&5
+$as_echo_n "checking for main in -lunwind... " >&6; }
+if ${ac_cv_lib_unwind_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lunwind  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_unwind_main=yes
+else
+  ac_cv_lib_unwind_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unwind_main" >&5
+$as_echo "$ac_cv_lib_unwind_main" >&6; }
+if test "x$ac_cv_lib_unwind_main" = xyes; then :
+  LIBS="$LIBS"
+else
+  as_fn_error $? "libunwind not found!" "$LINENO" 5
+fi
+
+	ac_fn_c_check_header_mongrel "$LINENO" "libunwind.h" "ac_cv_header_libunwind_h" "$ac_includes_default"
+if test "x$ac_cv_header_libunwind_h" = xyes; then :
+
+$as_echo "#define HAVE_LIBUNWIND_H /**/" >>confdefs.h
+
+else
+  as_fn_error $? "libunwind.h header not found!" "$LINENO" 5
+fi
+
+
+	UNWINDLIB="-lunwind"
+
+fi
+
+ if test "x$dev_headers" != xno; then
+  USE_DEV_HEADERS_TRUE=
+  USE_DEV_HEADERS_FALSE='#'
+else
+  USE_DEV_HEADERS_TRUE='#'
+  USE_DEV_HEADERS_FALSE=
+fi
+
+if test x$dev_headers = xyes; then
+	dev_headers="$includedir/strongswan"
+fi
+
+
+CFLAGS="$CFLAGS -include `pwd`/config.h"
+
+if test x$tkm = xtrue; then
+	# Extract the first word of "gprbuild", so it can be a program name with args.
+set dummy gprbuild; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_GPRBUILD+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $GPRBUILD in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GPRBUILD="$GPRBUILD" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_GPRBUILD="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+GPRBUILD=$ac_cv_path_GPRBUILD
+if test -n "$GPRBUILD"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GPRBUILD" >&5
+$as_echo "$GPRBUILD" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+
+if test x$unit_tests = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CHECK" >&5
+$as_echo_n "checking for CHECK... " >&6; }
+
+if test -n "$CHECK_CFLAGS"; then
+    pkg_cv_CHECK_CFLAGS="$CHECK_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CHECK_CFLAGS=`$PKG_CONFIG --cflags "check >= 0.9.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$CHECK_LIBS"; then
+    pkg_cv_CHECK_LIBS="$CHECK_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.4\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "check >= 0.9.4") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_CHECK_LIBS=`$PKG_CONFIG --libs "check >= 0.9.4" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        CHECK_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "check >= 0.9.4" 2>&1`
+        else
+	        CHECK_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "check >= 0.9.4" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$CHECK_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (check >= 0.9.4) were not met:
+
+$CHECK_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables CHECK_CFLAGS
+and CHECK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables CHECK_CFLAGS
+and CHECK_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	CHECK_CFLAGS=$pkg_cv_CHECK_CFLAGS
+	CHECK_LIBS=$pkg_cv_CHECK_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+fi
+
+if test x$coverage = xtrue; then
+	# Extract the first word of "lcov", so it can be a program name with args.
+set dummy lcov; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_LCOV+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $LCOV in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_LCOV="$LCOV" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_LCOV="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+LCOV=$ac_cv_path_LCOV
+if test -n "$LCOV"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LCOV" >&5
+$as_echo "$LCOV" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	if test x$LCOV = x; then
+		as_fn_error $? "lcov not found" "$LINENO" 5
+	fi
+	# Extract the first word of "genhtml", so it can be a program name with args.
+set dummy genhtml; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_GENHTML+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $GENHTML in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GENHTML="$GENHTML" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_GENHTML="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+GENHTML=$ac_cv_path_GENHTML
+if test -n "$GENHTML"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GENHTML" >&5
+$as_echo "$GENHTML" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+	if test x$GENHTML = x; then
+		as_fn_error $? "genhtml not found" "$LINENO" 5
+	fi
+
+	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage"
+	COVERAGE_LDFLAGS="-fprofile-arcs"
+
+
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: coverage enabled, adding \"-g -O0\" to CFLAGS" >&5
+$as_echo "$as_me: coverage enabled, adding \"-g -O0\" to CFLAGS" >&6;}
+	CFLAGS="${CFLAGS} -g -O0"
+fi
+
+# ===============================================
+#  collect plugin list for strongSwan components
+# ===============================================
 
 # ADD_PLUGIN(plugin, category list)
 # -----------------------------------
@@ -17425,8 +19702,7 @@ fi
 
 
 # plugin lists for all components
-libcharon_plugins=
-pluto_plugins=
+charon_plugins=
 starter_plugins=
 pool_plugins=
 attest_plugins=
@@ -17436,18 +19712,18 @@ pki_plugins=
 scripts_plugins=
 manager_plugins=
 medsrv_plugins=
+nm_plugins=
+cmd_plugins=
 
 # location specific lists for checksumming,
-# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
+# for src/libcharon, src/libhydra and src/libstrongswan
 c_plugins=
-p_plugins=
 h_plugins=
 s_plugins=
 
 if test x$test_vectors = xtrue; then
 		s_plugins=${s_plugins}" test-vectors"
-		libcharon_plugins=${libcharon_plugins}" test-vectors"
-		pluto_plugins=${pluto_plugins}" test-vectors"
+		charon_plugins=${charon_plugins}" test-vectors"
 		openac_plugins=${openac_plugins}" test-vectors"
 		scepclient_plugins=${scepclient_plugins}" test-vectors"
 		pki_plugins=${pki_plugins}" test-vectors"
@@ -17456,34 +19732,43 @@ if test x$test_vectors = xtrue; then
 
 if test x$curl = xtrue; then
 		s_plugins=${s_plugins}" curl"
-		libcharon_plugins=${libcharon_plugins}" curl"
-		pluto_plugins=${pluto_plugins}" curl"
+		charon_plugins=${charon_plugins}" curl"
 		scepclient_plugins=${scepclient_plugins}" curl"
 		scripts_plugins=${scripts_plugins}" curl"
+		nm_plugins=${nm_plugins}" curl"
+		cmd_plugins=${cmd_plugins}" curl"
 
 	fi
 
 if test x$soup = xtrue; then
 		s_plugins=${s_plugins}" soup"
-		libcharon_plugins=${libcharon_plugins}" soup"
-		pluto_plugins=${pluto_plugins}" soup"
+		charon_plugins=${charon_plugins}" soup"
 		scripts_plugins=${scripts_plugins}" soup"
+		nm_plugins=${nm_plugins}" soup"
+		cmd_plugins=${cmd_plugins}" soup"
+
+	fi
+
+if test x$unbound = xtrue; then
+		s_plugins=${s_plugins}" unbound"
+		charon_plugins=${charon_plugins}" unbound"
+		scripts_plugins=${scripts_plugins}" unbound"
 
 	fi
 
 if test x$ldap = xtrue; then
 		s_plugins=${s_plugins}" ldap"
-		libcharon_plugins=${libcharon_plugins}" ldap"
-		pluto_plugins=${pluto_plugins}" ldap"
+		charon_plugins=${charon_plugins}" ldap"
 		scepclient_plugins=${scepclient_plugins}" ldap"
 		scripts_plugins=${scripts_plugins}" ldap"
+		nm_plugins=${nm_plugins}" ldap"
+		cmd_plugins=${cmd_plugins}" ldap"
 
 	fi
 
 if test x$mysql = xtrue; then
 		s_plugins=${s_plugins}" mysql"
-		libcharon_plugins=${libcharon_plugins}" mysql"
-		pluto_plugins=${pluto_plugins}" mysql"
+		charon_plugins=${charon_plugins}" mysql"
 		pool_plugins=${pool_plugins}" mysql"
 		manager_plugins=${manager_plugins}" mysql"
 		medsrv_plugins=${medsrv_plugins}" mysql"
@@ -17493,8 +19778,7 @@ if test x$mysql = xtrue; then
 
 if test x$sqlite = xtrue; then
 		s_plugins=${s_plugins}" sqlite"
-		libcharon_plugins=${libcharon_plugins}" sqlite"
-		pluto_plugins=${pluto_plugins}" sqlite"
+		charon_plugins=${charon_plugins}" sqlite"
 		pool_plugins=${pool_plugins}" sqlite"
 		manager_plugins=${manager_plugins}" sqlite"
 		medsrv_plugins=${medsrv_plugins}" sqlite"
@@ -17504,139 +19788,189 @@ if test x$sqlite = xtrue; then
 
 if test x$pkcs11 = xtrue; then
 		s_plugins=${s_plugins}" pkcs11"
-		libcharon_plugins=${libcharon_plugins}" pkcs11"
+		charon_plugins=${charon_plugins}" pkcs11"
 		pki_plugins=${pki_plugins}" pkcs11"
+		nm_plugins=${nm_plugins}" pkcs11"
+		cmd_plugins=${cmd_plugins}" pkcs11"
 
 	fi
 
 if test x$aes = xtrue; then
 		s_plugins=${s_plugins}" aes"
-		libcharon_plugins=${libcharon_plugins}" aes"
-		pluto_plugins=${pluto_plugins}" aes"
+		charon_plugins=${charon_plugins}" aes"
 		openac_plugins=${openac_plugins}" aes"
 		scepclient_plugins=${scepclient_plugins}" aes"
 		pki_plugins=${pki_plugins}" aes"
 		scripts_plugins=${scripts_plugins}" aes"
+		nm_plugins=${nm_plugins}" aes"
+		cmd_plugins=${cmd_plugins}" aes"
 
 	fi
 
 if test x$des = xtrue; then
 		s_plugins=${s_plugins}" des"
-		libcharon_plugins=${libcharon_plugins}" des"
-		pluto_plugins=${pluto_plugins}" des"
+		charon_plugins=${charon_plugins}" des"
 		openac_plugins=${openac_plugins}" des"
 		scepclient_plugins=${scepclient_plugins}" des"
 		pki_plugins=${pki_plugins}" des"
 		scripts_plugins=${scripts_plugins}" des"
+		nm_plugins=${nm_plugins}" des"
+		cmd_plugins=${cmd_plugins}" des"
 
 	fi
 
 if test x$blowfish = xtrue; then
 		s_plugins=${s_plugins}" blowfish"
-		libcharon_plugins=${libcharon_plugins}" blowfish"
-		pluto_plugins=${pluto_plugins}" blowfish"
+		charon_plugins=${charon_plugins}" blowfish"
 		openac_plugins=${openac_plugins}" blowfish"
 		scepclient_plugins=${scepclient_plugins}" blowfish"
 		pki_plugins=${pki_plugins}" blowfish"
 		scripts_plugins=${scripts_plugins}" blowfish"
+		nm_plugins=${nm_plugins}" blowfish"
+		cmd_plugins=${cmd_plugins}" blowfish"
+
+	fi
+
+if test x$rc2 = xtrue; then
+		s_plugins=${s_plugins}" rc2"
+		charon_plugins=${charon_plugins}" rc2"
+		openac_plugins=${openac_plugins}" rc2"
+		scepclient_plugins=${scepclient_plugins}" rc2"
+		pki_plugins=${pki_plugins}" rc2"
+		scripts_plugins=${scripts_plugins}" rc2"
+		nm_plugins=${nm_plugins}" rc2"
+		cmd_plugins=${cmd_plugins}" rc2"
 
 	fi
 
 if test x$sha1 = xtrue; then
 		s_plugins=${s_plugins}" sha1"
-		libcharon_plugins=${libcharon_plugins}" sha1"
-		pluto_plugins=${pluto_plugins}" sha1"
+		charon_plugins=${charon_plugins}" sha1"
 		openac_plugins=${openac_plugins}" sha1"
 		scepclient_plugins=${scepclient_plugins}" sha1"
 		pki_plugins=${pki_plugins}" sha1"
 		scripts_plugins=${scripts_plugins}" sha1"
 		medsrv_plugins=${medsrv_plugins}" sha1"
 		attest_plugins=${attest_plugins}" sha1"
+		nm_plugins=${nm_plugins}" sha1"
+		cmd_plugins=${cmd_plugins}" sha1"
 
 	fi
 
 if test x$sha2 = xtrue; then
 		s_plugins=${s_plugins}" sha2"
-		libcharon_plugins=${libcharon_plugins}" sha2"
-		pluto_plugins=${pluto_plugins}" sha2"
+		charon_plugins=${charon_plugins}" sha2"
 		openac_plugins=${openac_plugins}" sha2"
 		scepclient_plugins=${scepclient_plugins}" sha2"
 		pki_plugins=${pki_plugins}" sha2"
 		scripts_plugins=${scripts_plugins}" sha2"
 		medsrv_plugins=${medsrv_plugins}" sha2"
 		attest_plugins=${attest_plugins}" sha2"
+		nm_plugins=${nm_plugins}" sha2"
+		cmd_plugins=${cmd_plugins}" sha2"
 
 	fi
 
 if test x$md4 = xtrue; then
 		s_plugins=${s_plugins}" md4"
-		libcharon_plugins=${libcharon_plugins}" md4"
+		charon_plugins=${charon_plugins}" md4"
 		openac_plugins=${openac_plugins}" md4"
 		manager_plugins=${manager_plugins}" md4"
 		scepclient_plugins=${scepclient_plugins}" md4"
 		pki_plugins=${pki_plugins}" md4"
+		nm_plugins=${nm_plugins}" md4"
+		cmd_plugins=${cmd_plugins}" md4"
 
 	fi
 
 if test x$md5 = xtrue; then
 		s_plugins=${s_plugins}" md5"
-		libcharon_plugins=${libcharon_plugins}" md5"
-		pluto_plugins=${pluto_plugins}" md5"
+		charon_plugins=${charon_plugins}" md5"
 		openac_plugins=${openac_plugins}" md5"
 		scepclient_plugins=${scepclient_plugins}" md5"
 		pki_plugins=${pki_plugins}" md5"
 		scripts_plugins=${scripts_plugins}" md5"
 		attest_plugins=${attest_plugins}" md5"
+		nm_plugins=${nm_plugins}" md5"
+		cmd_plugins=${cmd_plugins}" md5"
+
+	fi
+
+if test x$rdrand = xtrue; then
+		s_plugins=${s_plugins}" rdrand"
+		charon_plugins=${charon_plugins}" rdrand"
+		openac_plugins=${openac_plugins}" rdrand"
+		scepclient_plugins=${scepclient_plugins}" rdrand"
+		pki_plugins=${pki_plugins}" rdrand"
+		scripts_plugins=${scripts_plugins}" rdrand"
+		medsrv_plugins=${medsrv_plugins}" rdrand"
+		attest_plugins=${attest_plugins}" rdrand"
+		nm_plugins=${nm_plugins}" rdrand"
+		cmd_plugins=${cmd_plugins}" rdrand"
 
 	fi
 
 if test x$random = xtrue; then
 		s_plugins=${s_plugins}" random"
-		libcharon_plugins=${libcharon_plugins}" random"
-		pluto_plugins=${pluto_plugins}" random"
+		charon_plugins=${charon_plugins}" random"
 		openac_plugins=${openac_plugins}" random"
 		scepclient_plugins=${scepclient_plugins}" random"
 		pki_plugins=${pki_plugins}" random"
 		scripts_plugins=${scripts_plugins}" random"
 		medsrv_plugins=${medsrv_plugins}" random"
 		attest_plugins=${attest_plugins}" random"
+		nm_plugins=${nm_plugins}" random"
+		cmd_plugins=${cmd_plugins}" random"
+
+	fi
+
+if test x$nonce = xtrue; then
+		s_plugins=${s_plugins}" nonce"
+		charon_plugins=${charon_plugins}" nonce"
+		nm_plugins=${nm_plugins}" nonce"
+		cmd_plugins=${cmd_plugins}" nonce"
 
 	fi
 
 if test x$x509 = xtrue; then
 		s_plugins=${s_plugins}" x509"
-		libcharon_plugins=${libcharon_plugins}" x509"
-		pluto_plugins=${pluto_plugins}" x509"
+		charon_plugins=${charon_plugins}" x509"
 		openac_plugins=${openac_plugins}" x509"
 		scepclient_plugins=${scepclient_plugins}" x509"
 		pki_plugins=${pki_plugins}" x509"
 		scripts_plugins=${scripts_plugins}" x509"
 		attest_plugins=${attest_plugins}" x509"
+		nm_plugins=${nm_plugins}" x509"
+		cmd_plugins=${cmd_plugins}" x509"
 
 	fi
 
 if test x$revocation = xtrue; then
 		s_plugins=${s_plugins}" revocation"
-		libcharon_plugins=${libcharon_plugins}" revocation"
+		charon_plugins=${charon_plugins}" revocation"
+		nm_plugins=${nm_plugins}" revocation"
+		cmd_plugins=${cmd_plugins}" revocation"
 
 	fi
 
 if test x$constraints = xtrue; then
 		s_plugins=${s_plugins}" constraints"
-		libcharon_plugins=${libcharon_plugins}" constraints"
+		charon_plugins=${charon_plugins}" constraints"
+		nm_plugins=${nm_plugins}" constraints"
+		cmd_plugins=${cmd_plugins}" constraints"
 
 	fi
 
 if test x$pubkey = xtrue; then
 		s_plugins=${s_plugins}" pubkey"
-		libcharon_plugins=${libcharon_plugins}" pubkey"
+		charon_plugins=${charon_plugins}" pubkey"
+		cmd_plugins=${cmd_plugins}" pubkey"
 
 	fi
 
 if test x$pkcs1 = xtrue; then
 		s_plugins=${s_plugins}" pkcs1"
-		libcharon_plugins=${libcharon_plugins}" pkcs1"
-		pluto_plugins=${pluto_plugins}" pkcs1"
+		charon_plugins=${charon_plugins}" pkcs1"
 		openac_plugins=${openac_plugins}" pkcs1"
 		scepclient_plugins=${scepclient_plugins}" pkcs1"
 		pki_plugins=${pki_plugins}" pkcs1"
@@ -17644,13 +19978,25 @@ if test x$pkcs1 = xtrue; then
 		manager_plugins=${manager_plugins}" pkcs1"
 		medsrv_plugins=${medsrv_plugins}" pkcs1"
 		attest_plugins=${attest_plugins}" pkcs1"
+		nm_plugins=${nm_plugins}" pkcs1"
+		cmd_plugins=${cmd_plugins}" pkcs1"
+
+	fi
+
+if test x$pkcs7 = xtrue; then
+		s_plugins=${s_plugins}" pkcs7"
+		charon_plugins=${charon_plugins}" pkcs7"
+		scepclient_plugins=${scepclient_plugins}" pkcs7"
+		pki_plugins=${pki_plugins}" pkcs7"
+		scripts_plugins=${scripts_plugins}" pkcs7"
+		nm_plugins=${nm_plugins}" pkcs7"
+		cmd_plugins=${cmd_plugins}" pkcs7"
 
 	fi
 
 if test x$pkcs8 = xtrue; then
 		s_plugins=${s_plugins}" pkcs8"
-		libcharon_plugins=${libcharon_plugins}" pkcs8"
-		pluto_plugins=${pluto_plugins}" pkcs8"
+		charon_plugins=${charon_plugins}" pkcs8"
 		openac_plugins=${openac_plugins}" pkcs8"
 		scepclient_plugins=${scepclient_plugins}" pkcs8"
 		pki_plugins=${pki_plugins}" pkcs8"
@@ -17658,26 +20004,50 @@ if test x$pkcs8 = xtrue; then
 		manager_plugins=${manager_plugins}" pkcs8"
 		medsrv_plugins=${medsrv_plugins}" pkcs8"
 		attest_plugins=${attest_plugins}" pkcs8"
+		nm_plugins=${nm_plugins}" pkcs8"
+		cmd_plugins=${cmd_plugins}" pkcs8"
+
+	fi
+
+if test x$pkcs12 = xtrue; then
+		s_plugins=${s_plugins}" pkcs12"
+		charon_plugins=${charon_plugins}" pkcs12"
+		scepclient_plugins=${scepclient_plugins}" pkcs12"
+		pki_plugins=${pki_plugins}" pkcs12"
+		scripts_plugins=${scripts_plugins}" pkcs12"
+		cmd_plugins=${cmd_plugins}" pkcs12"
 
 	fi
 
 if test x$pgp = xtrue; then
 		s_plugins=${s_plugins}" pgp"
-		libcharon_plugins=${libcharon_plugins}" pgp"
-		pluto_plugins=${pluto_plugins}" pgp"
+		charon_plugins=${charon_plugins}" pgp"
 
 	fi
 
 if test x$dnskey = xtrue; then
 		s_plugins=${s_plugins}" dnskey"
-		pluto_plugins=${pluto_plugins}" dnskey"
+		charon_plugins=${charon_plugins}" dnskey"
+
+	fi
+
+if test x$sshkey = xtrue; then
+		s_plugins=${s_plugins}" sshkey"
+		charon_plugins=${charon_plugins}" sshkey"
+		nm_plugins=${nm_plugins}" sshkey"
+		cmd_plugins=${cmd_plugins}" sshkey"
+
+	fi
+
+if test x$ipseckey = xtrue; then
+		c_plugins=${c_plugins}" ipseckey"
+		charon_plugins=${charon_plugins}" ipseckey"
 
 	fi
 
 if test x$pem = xtrue; then
 		s_plugins=${s_plugins}" pem"
-		libcharon_plugins=${libcharon_plugins}" pem"
-		pluto_plugins=${pluto_plugins}" pem"
+		charon_plugins=${charon_plugins}" pem"
 		openac_plugins=${openac_plugins}" pem"
 		scepclient_plugins=${scepclient_plugins}" pem"
 		pki_plugins=${pki_plugins}" pem"
@@ -17685,19 +20055,20 @@ if test x$pem = xtrue; then
 		manager_plugins=${manager_plugins}" pem"
 		medsrv_plugins=${medsrv_plugins}" pem"
 		attest_plugins=${attest_plugins}" pem"
+		nm_plugins=${nm_plugins}" pem"
+		cmd_plugins=${cmd_plugins}" pem"
 
 	fi
 
 if test x$padlock = xtrue; then
 		s_plugins=${s_plugins}" padlock"
-		libcharon_plugins=${libcharon_plugins}" padlock"
+		charon_plugins=${charon_plugins}" padlock"
 
 	fi
 
 if test x$openssl = xtrue; then
 		s_plugins=${s_plugins}" openssl"
-		libcharon_plugins=${libcharon_plugins}" openssl"
-		pluto_plugins=${pluto_plugins}" openssl"
+		charon_plugins=${charon_plugins}" openssl"
 		openac_plugins=${openac_plugins}" openssl"
 		scepclient_plugins=${scepclient_plugins}" openssl"
 		pki_plugins=${pki_plugins}" openssl"
@@ -17705,13 +20076,14 @@ if test x$openssl = xtrue; then
 		manager_plugins=${manager_plugins}" openssl"
 		medsrv_plugins=${medsrv_plugins}" openssl"
 		attest_plugins=${attest_plugins}" openssl"
+		nm_plugins=${nm_plugins}" openssl"
+		cmd_plugins=${cmd_plugins}" openssl"
 
 	fi
 
 if test x$gcrypt = xtrue; then
 		s_plugins=${s_plugins}" gcrypt"
-		libcharon_plugins=${libcharon_plugins}" gcrypt"
-		pluto_plugins=${pluto_plugins}" gcrypt"
+		charon_plugins=${charon_plugins}" gcrypt"
 		openac_plugins=${openac_plugins}" gcrypt"
 		scepclient_plugins=${scepclient_plugins}" gcrypt"
 		pki_plugins=${pki_plugins}" gcrypt"
@@ -17719,32 +20091,36 @@ if test x$gcrypt = xtrue; then
 		manager_plugins=${manager_plugins}" gcrypt"
 		medsrv_plugins=${medsrv_plugins}" gcrypt"
 		attest_plugins=${attest_plugins}" gcrypt"
+		nm_plugins=${nm_plugins}" gcrypt"
+		cmd_plugins=${cmd_plugins}" gcrypt"
 
 	fi
 
 if test x$af_alg = xtrue; then
 		s_plugins=${s_plugins}" af-alg"
-		libcharon_plugins=${libcharon_plugins}" af-alg"
-		pluto_plugins=${pluto_plugins}" af-alg"
+		charon_plugins=${charon_plugins}" af-alg"
 		openac_plugins=${openac_plugins}" af-alg"
 		scepclient_plugins=${scepclient_plugins}" af-alg"
 		pki_plugins=${pki_plugins}" af-alg"
 		scripts_plugins=${scripts_plugins}" af-alg"
 		medsrv_plugins=${medsrv_plugins}" af-alg"
 		attest_plugins=${attest_plugins}" af-alg"
+		nm_plugins=${nm_plugins}" af-alg"
+		cmd_plugins=${cmd_plugins}" af-alg"
 
 	fi
 
 if test x$fips_prf = xtrue; then
 		s_plugins=${s_plugins}" fips-prf"
-		libcharon_plugins=${libcharon_plugins}" fips-prf"
+		charon_plugins=${charon_plugins}" fips-prf"
+		nm_plugins=${nm_plugins}" fips-prf"
+		cmd_plugins=${cmd_plugins}" fips-prf"
 
 	fi
 
 if test x$gmp = xtrue; then
 		s_plugins=${s_plugins}" gmp"
-		libcharon_plugins=${libcharon_plugins}" gmp"
-		pluto_plugins=${pluto_plugins}" gmp"
+		charon_plugins=${charon_plugins}" gmp"
 		openac_plugins=${openac_plugins}" gmp"
 		scepclient_plugins=${scepclient_plugins}" gmp"
 		pki_plugins=${pki_plugins}" gmp"
@@ -17752,412 +20128,508 @@ if test x$gmp = xtrue; then
 		manager_plugins=${manager_plugins}" gmp"
 		medsrv_plugins=${medsrv_plugins}" gmp"
 		attest_plugins=${attest_plugins}" gmp"
+		nm_plugins=${nm_plugins}" gmp"
+		cmd_plugins=${cmd_plugins}" gmp"
 
 	fi
 
 if test x$agent = xtrue; then
 		s_plugins=${s_plugins}" agent"
-		libcharon_plugins=${libcharon_plugins}" agent"
+		charon_plugins=${charon_plugins}" agent"
+		nm_plugins=${nm_plugins}" agent"
+		cmd_plugins=${cmd_plugins}" agent"
+
+	fi
+
+if test x$keychain = xtrue; then
+		s_plugins=${s_plugins}" keychain"
+		charon_plugins=${charon_plugins}" keychain"
+		cmd_plugins=${cmd_plugins}" keychain"
 
 	fi
 
 if test x$xcbc = xtrue; then
 		s_plugins=${s_plugins}" xcbc"
-		libcharon_plugins=${libcharon_plugins}" xcbc"
+		charon_plugins=${charon_plugins}" xcbc"
+		nm_plugins=${nm_plugins}" xcbc"
+		cmd_plugins=${cmd_plugins}" xcbc"
 
 	fi
 
 if test x$cmac = xtrue; then
 		s_plugins=${s_plugins}" cmac"
-		libcharon_plugins=${libcharon_plugins}" cmac"
+		charon_plugins=${charon_plugins}" cmac"
+		nm_plugins=${nm_plugins}" cmac"
+		cmd_plugins=${cmd_plugins}" cmac"
 
 	fi
 
 if test x$hmac = xtrue; then
 		s_plugins=${s_plugins}" hmac"
-		libcharon_plugins=${libcharon_plugins}" hmac"
-		pluto_plugins=${pluto_plugins}" hmac"
+		charon_plugins=${charon_plugins}" hmac"
 		scripts_plugins=${scripts_plugins}" hmac"
+		nm_plugins=${nm_plugins}" hmac"
+		cmd_plugins=${cmd_plugins}" hmac"
 
 	fi
 
 if test x$ctr = xtrue; then
 		s_plugins=${s_plugins}" ctr"
-		libcharon_plugins=${libcharon_plugins}" ctr"
+		charon_plugins=${charon_plugins}" ctr"
 		scripts_plugins=${scripts_plugins}" ctr"
+		nm_plugins=${nm_plugins}" ctr"
+		cmd_plugins=${cmd_plugins}" ctr"
 
 	fi
 
 if test x$ccm = xtrue; then
 		s_plugins=${s_plugins}" ccm"
-		libcharon_plugins=${libcharon_plugins}" ccm"
+		charon_plugins=${charon_plugins}" ccm"
 		scripts_plugins=${scripts_plugins}" ccm"
+		nm_plugins=${nm_plugins}" ccm"
+		cmd_plugins=${cmd_plugins}" ccm"
 
 	fi
 
 if test x$gcm = xtrue; then
 		s_plugins=${s_plugins}" gcm"
-		libcharon_plugins=${libcharon_plugins}" gcm"
+		charon_plugins=${charon_plugins}" gcm"
 		scripts_plugins=${scripts_plugins}" gcm"
-
-	fi
-
-if test x$xauth = xtrue; then
-		p_plugins=${p_plugins}" xauth"
-		pluto_plugins=${pluto_plugins}" xauth"
+		nm_plugins=${nm_plugins}" gcm"
+		cmd_plugins=${cmd_plugins}" gcm"
 
 	fi
 
 if test x$attr = xtrue; then
 		h_plugins=${h_plugins}" attr"
-		libcharon_plugins=${libcharon_plugins}" attr"
-		pluto_plugins=${pluto_plugins}" attr"
+		charon_plugins=${charon_plugins}" attr"
 
 	fi
 
 if test x$attr_sql = xtrue; then
 		h_plugins=${h_plugins}" attr-sql"
-		libcharon_plugins=${libcharon_plugins}" attr-sql"
-		pluto_plugins=${pluto_plugins}" attr-sql"
+		charon_plugins=${charon_plugins}" attr-sql"
 
 	fi
 
 if test x$load_tester = xtrue; then
 		c_plugins=${c_plugins}" load-tester"
-		libcharon_plugins=${libcharon_plugins}" load-tester"
+		charon_plugins=${charon_plugins}" load-tester"
+
+	fi
+
+if test x$kernel_libipsec = xtrue; then
+		c_plugins=${c_plugins}" kernel-libipsec"
+		charon_plugins=${charon_plugins}" kernel-libipsec"
+		cmd_plugins=${cmd_plugins}" kernel-libipsec"
 
 	fi
 
 if test x$kernel_pfkey = xtrue; then
 		h_plugins=${h_plugins}" kernel-pfkey"
-		libcharon_plugins=${libcharon_plugins}" kernel-pfkey"
-		pluto_plugins=${pluto_plugins}" kernel-pfkey"
+		charon_plugins=${charon_plugins}" kernel-pfkey"
 		starter_plugins=${starter_plugins}" kernel-pfkey"
+		nm_plugins=${nm_plugins}" kernel-pfkey"
+		cmd_plugins=${cmd_plugins}" kernel-pfkey"
 
 	fi
 
 if test x$kernel_pfroute = xtrue; then
 		h_plugins=${h_plugins}" kernel-pfroute"
-		libcharon_plugins=${libcharon_plugins}" kernel-pfroute"
-		pluto_plugins=${pluto_plugins}" kernel-pfroute"
+		charon_plugins=${charon_plugins}" kernel-pfroute"
 		starter_plugins=${starter_plugins}" kernel-pfroute"
+		nm_plugins=${nm_plugins}" kernel-pfroute"
+		cmd_plugins=${cmd_plugins}" kernel-pfroute"
 
 	fi
 
 if test x$kernel_klips = xtrue; then
 		h_plugins=${h_plugins}" kernel-klips"
-		libcharon_plugins=${libcharon_plugins}" kernel-klips"
-		pluto_plugins=${pluto_plugins}" kernel-klips"
+		charon_plugins=${charon_plugins}" kernel-klips"
 		starter_plugins=${starter_plugins}" kernel-klips"
 
 	fi
 
 if test x$kernel_netlink = xtrue; then
 		h_plugins=${h_plugins}" kernel-netlink"
-		libcharon_plugins=${libcharon_plugins}" kernel-netlink"
-		pluto_plugins=${pluto_plugins}" kernel-netlink"
+		charon_plugins=${charon_plugins}" kernel-netlink"
 		starter_plugins=${starter_plugins}" kernel-netlink"
+		nm_plugins=${nm_plugins}" kernel-netlink"
+		cmd_plugins=${cmd_plugins}" kernel-netlink"
 
 	fi
 
 if test x$resolve = xtrue; then
 		h_plugins=${h_plugins}" resolve"
-		libcharon_plugins=${libcharon_plugins}" resolve"
-		pluto_plugins=${pluto_plugins}" resolve"
+		charon_plugins=${charon_plugins}" resolve"
+		cmd_plugins=${cmd_plugins}" resolve"
 
 	fi
 
 if test x$socket_default = xtrue; then
 		c_plugins=${c_plugins}" socket-default"
-		libcharon_plugins=${libcharon_plugins}" socket-default"
-
-	fi
-
-if test x$socket_raw = xtrue; then
-		c_plugins=${c_plugins}" socket-raw"
-		libcharon_plugins=${libcharon_plugins}" socket-raw"
+		charon_plugins=${charon_plugins}" socket-default"
+		nm_plugins=${nm_plugins}" socket-default"
+		cmd_plugins=${cmd_plugins}" socket-default"
 
 	fi
 
 if test x$socket_dynamic = xtrue; then
 		c_plugins=${c_plugins}" socket-dynamic"
-		libcharon_plugins=${libcharon_plugins}" socket-dynamic"
+		charon_plugins=${charon_plugins}" socket-dynamic"
+		cmd_plugins=${cmd_plugins}" socket-dynamic"
 
 	fi
 
 if test x$farp = xtrue; then
 		c_plugins=${c_plugins}" farp"
-		libcharon_plugins=${libcharon_plugins}" farp"
+		charon_plugins=${charon_plugins}" farp"
 
 	fi
 
 if test x$stroke = xtrue; then
 		c_plugins=${c_plugins}" stroke"
-		libcharon_plugins=${libcharon_plugins}" stroke"
+		charon_plugins=${charon_plugins}" stroke"
 
 	fi
 
 if test x$smp = xtrue; then
 		c_plugins=${c_plugins}" smp"
-		libcharon_plugins=${libcharon_plugins}" smp"
+		charon_plugins=${charon_plugins}" smp"
 
 	fi
 
 if test x$sql = xtrue; then
 		c_plugins=${c_plugins}" sql"
-		libcharon_plugins=${libcharon_plugins}" sql"
+		charon_plugins=${charon_plugins}" sql"
 
 	fi
 
 if test x$updown = xtrue; then
 		c_plugins=${c_plugins}" updown"
-		libcharon_plugins=${libcharon_plugins}" updown"
+		charon_plugins=${charon_plugins}" updown"
 
 	fi
 
 if test x$eap_identity = xtrue; then
 		c_plugins=${c_plugins}" eap-identity"
-		libcharon_plugins=${libcharon_plugins}" eap-identity"
+		charon_plugins=${charon_plugins}" eap-identity"
+		nm_plugins=${nm_plugins}" eap-identity"
+		cmd_plugins=${cmd_plugins}" eap-identity"
 
 	fi
 
 if test x$eap_sim = xtrue; then
 		c_plugins=${c_plugins}" eap-sim"
-		libcharon_plugins=${libcharon_plugins}" eap-sim"
+		charon_plugins=${charon_plugins}" eap-sim"
 
 	fi
 
 if test x$eap_sim_file = xtrue; then
 		c_plugins=${c_plugins}" eap-sim-file"
-		libcharon_plugins=${libcharon_plugins}" eap-sim-file"
+		charon_plugins=${charon_plugins}" eap-sim-file"
 
 	fi
 
 if test x$eap_sim_pcsc = xtrue; then
 		c_plugins=${c_plugins}" eap-sim-pcsc"
-		libcharon_plugins=${libcharon_plugins}" eap-sim-pcsc"
+		charon_plugins=${charon_plugins}" eap-sim-pcsc"
 
 	fi
 
 if test x$eap_aka = xtrue; then
 		c_plugins=${c_plugins}" eap-aka"
-		libcharon_plugins=${libcharon_plugins}" eap-aka"
+		charon_plugins=${charon_plugins}" eap-aka"
 
 	fi
 
 if test x$eap_aka_3gpp2 = xtrue; then
 		c_plugins=${c_plugins}" eap-aka-3gpp2"
-		libcharon_plugins=${libcharon_plugins}" eap-aka-3gpp2"
+		charon_plugins=${charon_plugins}" eap-aka-3gpp2"
 
 	fi
 
 if test x$eap_simaka_sql = xtrue; then
 		c_plugins=${c_plugins}" eap-simaka-sql"
-		libcharon_plugins=${libcharon_plugins}" eap-simaka-sql"
+		charon_plugins=${charon_plugins}" eap-simaka-sql"
 
 	fi
 
 if test x$eap_simaka_pseudonym = xtrue; then
 		c_plugins=${c_plugins}" eap-simaka-pseudonym"
-		libcharon_plugins=${libcharon_plugins}" eap-simaka-pseudonym"
+		charon_plugins=${charon_plugins}" eap-simaka-pseudonym"
 
 	fi
 
 if test x$eap_simaka_reauth = xtrue; then
 		c_plugins=${c_plugins}" eap-simaka-reauth"
-		libcharon_plugins=${libcharon_plugins}" eap-simaka-reauth"
+		charon_plugins=${charon_plugins}" eap-simaka-reauth"
 
 	fi
 
 if test x$eap_md5 = xtrue; then
 		c_plugins=${c_plugins}" eap-md5"
-		libcharon_plugins=${libcharon_plugins}" eap-md5"
+		charon_plugins=${charon_plugins}" eap-md5"
+		nm_plugins=${nm_plugins}" eap-md5"
+		cmd_plugins=${cmd_plugins}" eap-md5"
 
 	fi
 
 if test x$eap_gtc = xtrue; then
 		c_plugins=${c_plugins}" eap-gtc"
-		libcharon_plugins=${libcharon_plugins}" eap-gtc"
+		charon_plugins=${charon_plugins}" eap-gtc"
+		nm_plugins=${nm_plugins}" eap-gtc"
+		cmd_plugins=${cmd_plugins}" eap-gtc"
 
 	fi
 
 if test x$eap_mschapv2 = xtrue; then
 		c_plugins=${c_plugins}" eap-mschapv2"
-		libcharon_plugins=${libcharon_plugins}" eap-mschapv2"
+		charon_plugins=${charon_plugins}" eap-mschapv2"
+		nm_plugins=${nm_plugins}" eap-mschapv2"
+		cmd_plugins=${cmd_plugins}" eap-mschapv2"
+
+	fi
+
+if test x$eap_dynamic = xtrue; then
+		c_plugins=${c_plugins}" eap-dynamic"
+		charon_plugins=${charon_plugins}" eap-dynamic"
 
 	fi
 
 if test x$eap_radius = xtrue; then
 		c_plugins=${c_plugins}" eap-radius"
-		libcharon_plugins=${libcharon_plugins}" eap-radius"
+		charon_plugins=${charon_plugins}" eap-radius"
 
 	fi
 
 if test x$eap_tls = xtrue; then
 		c_plugins=${c_plugins}" eap-tls"
-		libcharon_plugins=${libcharon_plugins}" eap-tls"
+		charon_plugins=${charon_plugins}" eap-tls"
+		nm_plugins=${nm_plugins}" eap-tls"
+		cmd_plugins=${cmd_plugins}" eap-tls"
 
 	fi
 
 if test x$eap_ttls = xtrue; then
 		c_plugins=${c_plugins}" eap-ttls"
-		libcharon_plugins=${libcharon_plugins}" eap-ttls"
+		charon_plugins=${charon_plugins}" eap-ttls"
+		nm_plugins=${nm_plugins}" eap-ttls"
+		cmd_plugins=${cmd_plugins}" eap-ttls"
 
 	fi
 
 if test x$eap_peap = xtrue; then
 		c_plugins=${c_plugins}" eap-peap"
-		libcharon_plugins=${libcharon_plugins}" eap-peap"
+		charon_plugins=${charon_plugins}" eap-peap"
+		nm_plugins=${nm_plugins}" eap-peap"
+		cmd_plugins=${cmd_plugins}" eap-peap"
 
 	fi
 
 if test x$eap_tnc = xtrue; then
 		c_plugins=${c_plugins}" eap-tnc"
-		libcharon_plugins=${libcharon_plugins}" eap-tnc"
+		charon_plugins=${charon_plugins}" eap-tnc"
+
+	fi
+
+if test x$xauth_generic = xtrue; then
+		c_plugins=${c_plugins}" xauth-generic"
+		charon_plugins=${charon_plugins}" xauth-generic"
+		cmd_plugins=${cmd_plugins}" xauth-generic"
+
+	fi
+
+if test x$xauth_eap = xtrue; then
+		c_plugins=${c_plugins}" xauth-eap"
+		charon_plugins=${charon_plugins}" xauth-eap"
+
+	fi
+
+if test x$xauth_pam = xtrue; then
+		c_plugins=${c_plugins}" xauth-pam"
+		charon_plugins=${charon_plugins}" xauth-pam"
+
+	fi
+
+if test x$xauth_noauth = xtrue; then
+		c_plugins=${c_plugins}" xauth-noauth"
+		charon_plugins=${charon_plugins}" xauth-noauth"
 
 	fi
 
 if test x$tnc_ifmap = xtrue; then
 		c_plugins=${c_plugins}" tnc-ifmap"
-		libcharon_plugins=${libcharon_plugins}" tnc-ifmap"
+		charon_plugins=${charon_plugins}" tnc-ifmap"
 
 	fi
 
 if test x$tnc_pdp = xtrue; then
 		c_plugins=${c_plugins}" tnc-pdp"
-		libcharon_plugins=${libcharon_plugins}" tnc-pdp"
+		charon_plugins=${charon_plugins}" tnc-pdp"
 
 	fi
 
 if test x$tnc_imc = xtrue; then
 		c_plugins=${c_plugins}" tnc-imc"
-		libcharon_plugins=${libcharon_plugins}" tnc-imc"
+		charon_plugins=${charon_plugins}" tnc-imc"
 
 	fi
 
 if test x$tnc_imv = xtrue; then
 		c_plugins=${c_plugins}" tnc-imv"
-		libcharon_plugins=${libcharon_plugins}" tnc-imv"
+		charon_plugins=${charon_plugins}" tnc-imv"
 
 	fi
 
 if test x$tnc_tnccs = xtrue; then
 		c_plugins=${c_plugins}" tnc-tnccs"
-		libcharon_plugins=${libcharon_plugins}" tnc-tnccs"
+		charon_plugins=${charon_plugins}" tnc-tnccs"
 
 	fi
 
 if test x$tnccs_20 = xtrue; then
 		c_plugins=${c_plugins}" tnccs-20"
-		libcharon_plugins=${libcharon_plugins}" tnccs-20"
+		charon_plugins=${charon_plugins}" tnccs-20"
 
 	fi
 
 if test x$tnccs_11 = xtrue; then
 		c_plugins=${c_plugins}" tnccs-11"
-		libcharon_plugins=${libcharon_plugins}" tnccs-11"
+		charon_plugins=${charon_plugins}" tnccs-11"
 
 	fi
 
 if test x$tnccs_dynamic = xtrue; then
 		c_plugins=${c_plugins}" tnccs-dynamic"
-		libcharon_plugins=${libcharon_plugins}" tnccs-dynamic"
+		charon_plugins=${charon_plugins}" tnccs-dynamic"
 
 	fi
 
 if test x$medsrv = xtrue; then
 		c_plugins=${c_plugins}" medsrv"
-		libcharon_plugins=${libcharon_plugins}" medsrv"
+		charon_plugins=${charon_plugins}" medsrv"
 
 	fi
 
 if test x$medcli = xtrue; then
 		c_plugins=${c_plugins}" medcli"
-		libcharon_plugins=${libcharon_plugins}" medcli"
+		charon_plugins=${charon_plugins}" medcli"
 
 	fi
 
-if test x$nm = xtrue; then
-		c_plugins=${c_plugins}" nm"
-		libcharon_plugins=${libcharon_plugins}" nm"
+if test x$dhcp = xtrue; then
+		c_plugins=${c_plugins}" dhcp"
+		charon_plugins=${charon_plugins}" dhcp"
 
 	fi
 
-if test x$dhcp = xtrue; then
-		c_plugins=${c_plugins}" dhcp"
-		libcharon_plugins=${libcharon_plugins}" dhcp"
+if test x$osx_attr = xtrue; then
+		c_plugins=${c_plugins}" osx-attr"
+		charon_plugins=${charon_plugins}" osx-attr"
+		cmd_plugins=${cmd_plugins}" osx-attr"
 
 	fi
 
-if test x$android = xtrue; then
-		c_plugins=${c_plugins}" android"
-		libcharon_plugins=${libcharon_plugins}" android"
+if test x$android_dns = xtrue; then
+		c_plugins=${c_plugins}" android-dns"
+		charon_plugins=${charon_plugins}" android-dns"
+
+	fi
+
+if test x$android_log = xtrue; then
+		c_plugins=${c_plugins}" android-log"
+		charon_plugins=${charon_plugins}" android-log"
 
 	fi
 
 if test x$ha = xtrue; then
 		c_plugins=${c_plugins}" ha"
-		libcharon_plugins=${libcharon_plugins}" ha"
+		charon_plugins=${charon_plugins}" ha"
 
 	fi
 
 if test x$whitelist = xtrue; then
 		c_plugins=${c_plugins}" whitelist"
-		libcharon_plugins=${libcharon_plugins}" whitelist"
+		charon_plugins=${charon_plugins}" whitelist"
+
+	fi
+
+if test x$lookip = xtrue; then
+		c_plugins=${c_plugins}" lookip"
+		charon_plugins=${charon_plugins}" lookip"
+
+	fi
+
+if test x$error_notify = xtrue; then
+		c_plugins=${c_plugins}" error-notify"
+		charon_plugins=${charon_plugins}" error-notify"
 
 	fi
 
 if test x$certexpire = xtrue; then
 		c_plugins=${c_plugins}" certexpire"
-		libcharon_plugins=${libcharon_plugins}" certexpire"
+		charon_plugins=${charon_plugins}" certexpire"
+
+	fi
+
+if test x$systime_fix = xtrue; then
+		c_plugins=${c_plugins}" systime-fix"
+		charon_plugins=${charon_plugins}" systime-fix"
 
 	fi
 
 if test x$led = xtrue; then
 		c_plugins=${c_plugins}" led"
-		libcharon_plugins=${libcharon_plugins}" led"
+		charon_plugins=${charon_plugins}" led"
 
 	fi
 
 if test x$duplicheck = xtrue; then
 		c_plugins=${c_plugins}" duplicheck"
-		libcharon_plugins=${libcharon_plugins}" duplicheck"
+		charon_plugins=${charon_plugins}" duplicheck"
 
 	fi
 
 if test x$coupling = xtrue; then
 		c_plugins=${c_plugins}" coupling"
-		libcharon_plugins=${libcharon_plugins}" coupling"
+		charon_plugins=${charon_plugins}" coupling"
 
 	fi
 
 if test x$radattr = xtrue; then
 		c_plugins=${c_plugins}" radattr"
-		libcharon_plugins=${libcharon_plugins}" radattr"
+		charon_plugins=${charon_plugins}" radattr"
 
 	fi
 
 if test x$maemo = xtrue; then
 		c_plugins=${c_plugins}" maemo"
-		libcharon_plugins=${libcharon_plugins}" maemo"
+		charon_plugins=${charon_plugins}" maemo"
 
 	fi
 
 if test x$uci = xtrue; then
 		c_plugins=${c_plugins}" uci"
-		libcharon_plugins=${libcharon_plugins}" uci"
+		charon_plugins=${charon_plugins}" uci"
 
 	fi
 
 if test x$addrblock = xtrue; then
 		c_plugins=${c_plugins}" addrblock"
-		libcharon_plugins=${libcharon_plugins}" addrblock"
+		charon_plugins=${charon_plugins}" addrblock"
+
+	fi
+
+if test x$unity = xtrue; then
+		c_plugins=${c_plugins}" unity"
+		charon_plugins=${charon_plugins}" unity"
 
 	fi
 
 if test x$unit_tester = xtrue; then
 		c_plugins=${c_plugins}" unit-tester"
-		libcharon_plugins=${libcharon_plugins}" unit-tester"
+		charon_plugins=${charon_plugins}" unit-tester"
 
 	fi
 
@@ -18179,7 +20651,12 @@ if test x$unit_tester = xtrue; then
 
 
 
+# ======================
+#  set Makefile.am vars
+# ======================
 
+#  libstrongswan plugins
+# -----------------------
  if test x$test_vectors = xtrue; then
   USE_TEST_VECTORS_TRUE=
   USE_TEST_VECTORS_FALSE='#'
@@ -18196,6 +20673,14 @@ else
   USE_CURL_FALSE=
 fi
 
+ if test x$unbound = xtrue; then
+  USE_UNBOUND_TRUE=
+  USE_UNBOUND_FALSE='#'
+else
+  USE_UNBOUND_TRUE='#'
+  USE_UNBOUND_FALSE=
+fi
+
  if test x$soup = xtrue; then
   USE_SOUP_TRUE=
   USE_SOUP_FALSE='#'
@@ -18236,6 +20721,14 @@ else
   USE_BLOWFISH_FALSE=
 fi
 
+ if test x$rc2 = xtrue; then
+  USE_RC2_TRUE=
+  USE_RC2_FALSE='#'
+else
+  USE_RC2_TRUE='#'
+  USE_RC2_FALSE=
+fi
+
  if test x$md4 = xtrue; then
   USE_MD4_TRUE=
   USE_MD4_FALSE='#'
@@ -18284,6 +20777,14 @@ else
   USE_GMP_FALSE=
 fi
 
+ if test x$rdrand = xtrue; then
+  USE_RDRAND_TRUE=
+  USE_RDRAND_FALSE='#'
+else
+  USE_RDRAND_TRUE='#'
+  USE_RDRAND_FALSE=
+fi
+
  if test x$random = xtrue; then
   USE_RANDOM_TRUE=
   USE_RANDOM_FALSE='#'
@@ -18292,6 +20793,14 @@ else
   USE_RANDOM_FALSE=
 fi
 
+ if test x$nonce = xtrue; then
+  USE_NONCE_TRUE=
+  USE_NONCE_FALSE='#'
+else
+  USE_NONCE_TRUE='#'
+  USE_NONCE_FALSE=
+fi
+
  if test x$x509 = xtrue; then
   USE_X509_TRUE=
   USE_X509_FALSE='#'
@@ -18332,6 +20841,14 @@ else
   USE_PKCS1_FALSE=
 fi
 
+ if test x$pkcs7 = xtrue; then
+  USE_PKCS7_TRUE=
+  USE_PKCS7_FALSE='#'
+else
+  USE_PKCS7_TRUE='#'
+  USE_PKCS7_FALSE=
+fi
+
  if test x$pkcs8 = xtrue; then
   USE_PKCS8_TRUE=
   USE_PKCS8_FALSE='#'
@@ -18340,6 +20857,14 @@ else
   USE_PKCS8_FALSE=
 fi
 
+ if test x$pkcs12 = xtrue; then
+  USE_PKCS12_TRUE=
+  USE_PKCS12_FALSE='#'
+else
+  USE_PKCS12_TRUE='#'
+  USE_PKCS12_FALSE=
+fi
+
  if test x$pgp = xtrue; then
   USE_PGP_TRUE=
   USE_PGP_FALSE='#'
@@ -18356,6 +20881,14 @@ else
   USE_DNSKEY_FALSE=
 fi
 
+ if test x$sshkey = xtrue; then
+  USE_SSHKEY_TRUE=
+  USE_SSHKEY_FALSE='#'
+else
+  USE_SSHKEY_TRUE='#'
+  USE_SSHKEY_FALSE=
+fi
+
  if test x$pem = xtrue; then
   USE_PEM_TRUE=
   USE_PEM_FALSE='#'
@@ -18436,6 +20969,14 @@ else
   USE_AGENT_FALSE=
 fi
 
+ if test x$keychain = xtrue; then
+  USE_KEYCHAIN_TRUE=
+  USE_KEYCHAIN_FALSE='#'
+else
+  USE_KEYCHAIN_TRUE='#'
+  USE_KEYCHAIN_FALSE=
+fi
+
  if test x$pkcs11 = xtrue; then
   USE_PKCS11_TRUE=
   USE_PKCS11_FALSE='#'
@@ -18477,6 +21018,8 @@ else
 fi
 
 
+#  charon plugins
+# ----------------
  if test x$stroke = xtrue; then
   USE_STROKE_TRUE=
   USE_STROKE_FALSE='#'
@@ -18501,14 +21044,6 @@ else
   USE_MEDCLI_FALSE=
 fi
 
- if test x$nm = xtrue; then
-  USE_NM_TRUE=
-  USE_NM_FALSE='#'
-else
-  USE_NM_TRUE='#'
-  USE_NM_FALSE=
-fi
-
  if test x$uci = xtrue; then
   USE_UCI_TRUE=
   USE_UCI_FALSE='#'
@@ -18517,12 +21052,28 @@ else
   USE_UCI_FALSE=
 fi
 
- if test x$android = xtrue; then
-  USE_ANDROID_TRUE=
-  USE_ANDROID_FALSE='#'
+ if test x$osx_attr = xtrue; then
+  USE_OSX_ATTR_TRUE=
+  USE_OSX_ATTR_FALSE='#'
+else
+  USE_OSX_ATTR_TRUE='#'
+  USE_OSX_ATTR_FALSE=
+fi
+
+ if test x$android_dns = xtrue; then
+  USE_ANDROID_DNS_TRUE=
+  USE_ANDROID_DNS_FALSE='#'
+else
+  USE_ANDROID_DNS_TRUE='#'
+  USE_ANDROID_DNS_FALSE=
+fi
+
+ if test x$android_log = xtrue; then
+  USE_ANDROID_LOG_TRUE=
+  USE_ANDROID_LOG_FALSE='#'
 else
-  USE_ANDROID_TRUE='#'
-  USE_ANDROID_FALSE=
+  USE_ANDROID_LOG_TRUE='#'
+  USE_ANDROID_LOG_FALSE=
 fi
 
  if test x$maemo = xtrue; then
@@ -18549,6 +21100,14 @@ else
   USE_SQL_FALSE=
 fi
 
+ if test x$ipseckey = xtrue; then
+  USE_IPSECKEY_TRUE=
+  USE_IPSECKEY_FALSE='#'
+else
+  USE_IPSECKEY_TRUE='#'
+  USE_IPSECKEY_FALSE=
+fi
+
  if test x$updown = xtrue; then
   USE_UPDOWN_TRUE=
   USE_UPDOWN_FALSE='#'
@@ -18589,6 +21148,14 @@ else
   USE_HA_FALSE=
 fi
 
+ if test x$kernel_libipsec = xtrue; then
+  USE_KERNEL_LIBIPSEC_TRUE=
+  USE_KERNEL_LIBIPSEC_FALSE='#'
+else
+  USE_KERNEL_LIBIPSEC_TRUE='#'
+  USE_KERNEL_LIBIPSEC_FALSE=
+fi
+
  if test x$whitelist = xtrue; then
   USE_WHITELIST_TRUE=
   USE_WHITELIST_FALSE='#'
@@ -18597,6 +21164,22 @@ else
   USE_WHITELIST_FALSE=
 fi
 
+ if test x$lookip = xtrue; then
+  USE_LOOKIP_TRUE=
+  USE_LOOKIP_FALSE='#'
+else
+  USE_LOOKIP_TRUE='#'
+  USE_LOOKIP_FALSE=
+fi
+
+ if test x$error_notify = xtrue; then
+  USE_ERROR_NOTIFY_TRUE=
+  USE_ERROR_NOTIFY_FALSE='#'
+else
+  USE_ERROR_NOTIFY_TRUE='#'
+  USE_ERROR_NOTIFY_FALSE=
+fi
+
  if test x$certexpire = xtrue; then
   USE_CERTEXPIRE_TRUE=
   USE_CERTEXPIRE_FALSE='#'
@@ -18605,6 +21188,14 @@ else
   USE_CERTEXPIRE_FALSE=
 fi
 
+ if test x$systime_fix = xtrue; then
+  USE_SYSTIME_FIX_TRUE=
+  USE_SYSTIME_FIX_FALSE='#'
+else
+  USE_SYSTIME_FIX_TRUE='#'
+  USE_SYSTIME_FIX_FALSE=
+fi
+
  if test x$led = xtrue; then
   USE_LED_TRUE=
   USE_LED_FALSE='#'
@@ -18765,6 +21356,14 @@ else
   USE_EAP_TNC_FALSE=
 fi
 
+ if test x$eap_dynamic = xtrue; then
+  USE_EAP_DYNAMIC_TRUE=
+  USE_EAP_DYNAMIC_FALSE='#'
+else
+  USE_EAP_DYNAMIC_TRUE='#'
+  USE_EAP_DYNAMIC_FALSE=
+fi
+
  if test x$eap_radius = xtrue; then
   USE_EAP_RADIUS_TRUE=
   USE_EAP_RADIUS_FALSE='#'
@@ -18773,6 +21372,38 @@ else
   USE_EAP_RADIUS_FALSE=
 fi
 
+ if test x$xauth_generic = xtrue; then
+  USE_XAUTH_GENERIC_TRUE=
+  USE_XAUTH_GENERIC_FALSE='#'
+else
+  USE_XAUTH_GENERIC_TRUE='#'
+  USE_XAUTH_GENERIC_FALSE=
+fi
+
+ if test x$xauth_eap = xtrue; then
+  USE_XAUTH_EAP_TRUE=
+  USE_XAUTH_EAP_FALSE='#'
+else
+  USE_XAUTH_EAP_TRUE='#'
+  USE_XAUTH_EAP_FALSE=
+fi
+
+ if test x$xauth_pam = xtrue; then
+  USE_XAUTH_PAM_TRUE=
+  USE_XAUTH_PAM_FALSE='#'
+else
+  USE_XAUTH_PAM_TRUE='#'
+  USE_XAUTH_PAM_FALSE=
+fi
+
+ if test x$xauth_noauth = xtrue; then
+  USE_XAUTH_NOAUTH_TRUE=
+  USE_XAUTH_NOAUTH_FALSE='#'
+else
+  USE_XAUTH_NOAUTH_TRUE='#'
+  USE_XAUTH_NOAUTH_FALSE=
+fi
+
  if test x$tnc_ifmap = xtrue; then
   USE_TNC_IFMAP_TRUE=
   USE_TNC_IFMAP_FALSE='#'
@@ -18869,6 +21500,22 @@ else
   USE_IMV_SCANNER_FALSE=
 fi
 
+ if test x$imc_os = xtrue; then
+  USE_IMC_OS_TRUE=
+  USE_IMC_OS_FALSE='#'
+else
+  USE_IMC_OS_TRUE='#'
+  USE_IMC_OS_FALSE=
+fi
+
+ if test x$imv_os = xtrue; then
+  USE_IMV_OS_TRUE=
+  USE_IMV_OS_FALSE='#'
+else
+  USE_IMV_OS_TRUE='#'
+  USE_IMV_OS_FALSE=
+fi
+
  if test x$imc_attestation = xtrue; then
   USE_IMC_ATTESTATION_TRUE=
   USE_IMC_ATTESTATION_FALSE='#'
@@ -18893,14 +21540,6 @@ else
   USE_SOCKET_DEFAULT_FALSE=
 fi
 
- if test x$socket_raw = xtrue; then
-  USE_SOCKET_RAW_TRUE=
-  USE_SOCKET_RAW_FALSE='#'
-else
-  USE_SOCKET_RAW_TRUE='#'
-  USE_SOCKET_RAW_FALSE=
-fi
-
  if test x$socket_dynamic = xtrue; then
   USE_SOCKET_DYNAMIC_TRUE=
   USE_SOCKET_DYNAMIC_FALSE='#'
@@ -18925,7 +21564,17 @@ else
   USE_ADDRBLOCK_FALSE=
 fi
 
+ if test x$unity = xtrue; then
+  USE_UNITY_TRUE=
+  USE_UNITY_FALSE='#'
+else
+  USE_UNITY_TRUE='#'
+  USE_UNITY_FALSE=
+fi
+
 
+#  hydra plugins
+# ---------------
  if test x$attr = xtrue; then
   USE_ATTR_TRUE=
   USE_ATTR_FALSE='#'
@@ -18934,7 +21583,7 @@ else
   USE_ATTR_FALSE=
 fi
 
- if test x$attr_sql = xtrue -o x$sql = xtrue; then
+ if test x$attr_sql = xtrue; then
   USE_ATTR_SQL_TRUE=
   USE_ATTR_SQL_FALSE='#'
 else
@@ -18983,31 +21632,8 @@ else
 fi
 
 
- if test x$xauth = xtrue; then
-  USE_XAUTH_TRUE=
-  USE_XAUTH_FALSE='#'
-else
-  USE_XAUTH_TRUE='#'
-  USE_XAUTH_FALSE=
-fi
-
-
- if test x$smartcard = xtrue; then
-  USE_SMARTCARD_TRUE=
-  USE_SMARTCARD_FALSE='#'
-else
-  USE_SMARTCARD_TRUE='#'
-  USE_SMARTCARD_FALSE=
-fi
-
- if test x$cisco_quirks = xtrue; then
-  USE_CISCO_QUIRKS_TRUE=
-  USE_CISCO_QUIRKS_FALSE='#'
-else
-  USE_CISCO_QUIRKS_TRUE='#'
-  USE_CISCO_QUIRKS_FALSE=
-fi
-
+#  other options
+# ---------------
  if test x$leak_detective = xtrue; then
   USE_LEAK_DETECTIVE_TRUE=
   USE_LEAK_DETECTIVE_FALSE='#'
@@ -19024,30 +21650,6 @@ else
   USE_LOCK_PROFILER_FALSE=
 fi
 
- if test x$nat_transport = xtrue; then
-  USE_NAT_TRANSPORT_TRUE=
-  USE_NAT_TRANSPORT_FALSE='#'
-else
-  USE_NAT_TRANSPORT_TRUE='#'
-  USE_NAT_TRANSPORT_FALSE=
-fi
-
- if test x$vendor_id = xtrue; then
-  USE_VENDORID_TRUE=
-  USE_VENDORID_FALSE='#'
-else
-  USE_VENDORID_TRUE='#'
-  USE_VENDORID_FALSE=
-fi
-
- if test x$xauth_vid = xtrue; then
-  USE_XAUTH_VID_TRUE=
-  USE_XAUTH_VID_FALSE='#'
-else
-  USE_XAUTH_VID_TRUE='#'
-  USE_XAUTH_VID_FALSE=
-fi
-
  if test x$dumm = xtrue; then
   USE_DUMM_TRUE=
   USE_DUMM_FALSE='#'
@@ -19096,12 +21698,20 @@ else
   USE_LOAD_WARNING_FALSE=
 fi
 
- if test x$pluto = xtrue; then
-  USE_PLUTO_TRUE=
-  USE_PLUTO_FALSE='#'
+ if test x$ikev1 = xtrue; then
+  USE_IKEV1_TRUE=
+  USE_IKEV1_FALSE='#'
 else
-  USE_PLUTO_TRUE='#'
-  USE_PLUTO_FALSE=
+  USE_IKEV1_TRUE='#'
+  USE_IKEV1_FALSE=
+fi
+
+ if test x$ikev2 = xtrue; then
+  USE_IKEV2_TRUE=
+  USE_IKEV2_FALSE='#'
+else
+  USE_IKEV2_TRUE='#'
+  USE_IKEV2_FALSE=
 fi
 
  if test x$threads = xtrue; then
@@ -19128,6 +21738,14 @@ else
   USE_CHARON_FALSE=
 fi
 
+ if test x$nm = xtrue; then
+  USE_NM_TRUE=
+  USE_NM_FALSE='#'
+else
+  USE_NM_TRUE='#'
+  USE_NM_FALSE=
+fi
+
  if test x$tools = xtrue; then
   USE_TOOLS_TRUE=
   USE_TOOLS_FALSE='#'
@@ -19152,7 +21770,7 @@ else
   USE_CONFTEST_FALSE=
 fi
 
- if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue; then
+ if test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -19160,7 +21778,7 @@ else
   USE_LIBSTRONGSWAN_FALSE=
 fi
 
- if test x$charon = xtrue -o x$pluto = xtrue; then
+ if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
   USE_LIBHYDRA_TRUE=
   USE_LIBHYDRA_FALSE='#'
 else
@@ -19168,7 +21786,7 @@ else
   USE_LIBHYDRA_FALSE=
 fi
 
- if test x$charon = xtrue -o x$conftest = xtrue; then
+ if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue; then
   USE_LIBCHARON_TRUE=
   USE_LIBCHARON_FALSE='#'
 else
@@ -19176,6 +21794,14 @@ else
   USE_LIBCHARON_FALSE=
 fi
 
+ if test x$libipsec = xtrue; then
+  USE_LIBIPSEC_TRUE=
+  USE_LIBIPSEC_FALSE='#'
+else
+  USE_LIBIPSEC_TRUE='#'
+  USE_LIBIPSEC_FALSE=
+fi
+
  if test x$tnc_tnccs = xtrue -o x$imcv = xtrue; then
   USE_LIBTNCIF_TRUE=
   USE_LIBTNCIF_FALSE='#'
@@ -19192,7 +21818,15 @@ else
   USE_LIBTNCCS_FALSE=
 fi
 
- if test x$pluto = xtrue -o x$stroke = xtrue; then
+ if test x$tnc_tnccs = xtrue; then
+  USE_LIBPTTLS_TRUE=
+  USE_LIBPTTLS_FALSE='#'
+else
+  USE_LIBPTTLS_TRUE='#'
+  USE_LIBPTTLS_FALSE=
+fi
+
+ if test x$stroke = xtrue; then
   USE_FILE_CONFIG_TRUE=
   USE_FILE_CONFIG_FALSE='#'
 else
@@ -19200,7 +21834,7 @@ else
   USE_FILE_CONFIG_FALSE=
 fi
 
- if test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then
+ if test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then
   USE_IPSEC_SCRIPT_TRUE=
   USE_IPSEC_SCRIPT_FALSE='#'
 else
@@ -19264,6 +21898,14 @@ else
   USE_PTS_FALSE=
 fi
 
+ if test x$tss = xtrousers; then
+  USE_TROUSERS_TRUE=
+  USE_TROUSERS_FALSE='#'
+else
+  USE_TROUSERS_TRUE='#'
+  USE_TROUSERS_FALSE=
+fi
+
  if test x$monolithic = xtrue; then
   MONOLITHIC_TRUE=
   MONOLITHIC_FALSE='#'
@@ -19272,24 +21914,82 @@ else
   MONOLITHIC_FALSE=
 fi
 
+ if test x$enable_silent_rules = xyes; then
+  USE_SILENT_RULES_TRUE=
+  USE_SILENT_RULES_FALSE='#'
+else
+  USE_SILENT_RULES_TRUE='#'
+  USE_SILENT_RULES_FALSE=
+fi
+
+ if test x$unit_tests = xtrue; then
+  UNITTESTS_TRUE=
+  UNITTESTS_FALSE='#'
+else
+  UNITTESTS_TRUE='#'
+  UNITTESTS_FALSE=
+fi
+
+ if test x$coverage = xtrue; then
+  COVERAGE_TRUE=
+  COVERAGE_FALSE='#'
+else
+  COVERAGE_TRUE='#'
+  COVERAGE_FALSE=
+fi
+
+ if test x$tkm = xtrue; then
+  USE_TKM_TRUE=
+  USE_TKM_FALSE='#'
+else
+  USE_TKM_TRUE='#'
+  USE_TKM_FALSE=
+fi
+
+ if test x$cmd = xtrue; then
+  USE_CMD_TRUE=
+  USE_CMD_FALSE='#'
+else
+  USE_CMD_TRUE='#'
+  USE_CMD_FALSE=
+fi
 
 
+# ========================
+#  set global definitions
+# ========================
+
 if test x$mediation = xtrue; then
-	$as_echo "#define ME 1" >>confdefs.h
+
+$as_echo "#define ME /**/" >>confdefs.h
 
 fi
 if test x$capabilities = xlibcap -o x$capabilities = xnative; then
-	$as_echo "#define CAPABILITIES 1" >>confdefs.h
+
+$as_echo "#define CAPABILITIES /**/" >>confdefs.h
 
 fi
 if test x$monolithic = xtrue; then
-	$as_echo "#define MONOLITHIC 1" >>confdefs.h
+
+$as_echo "#define MONOLITHIC /**/" >>confdefs.h
 
 fi
+if test x$ikev1 = xtrue; then
 
+$as_echo "#define USE_IKEV1 /**/" >>confdefs.h
 
+fi
+if test x$ikev2 = xtrue; then
 
-ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
+$as_echo "#define USE_IKEV2 /**/" >>confdefs.h
+
+fi
+
+# =================
+#  build Makefiles
+# =================
+
+ac_config_files="$ac_config_files Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnc_tnccs/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -19355,10 +22055,21 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
      :end' >>confcache
 if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
   if test -w "$cache_file"; then
-    test "x$cache_file" != "x/dev/null" &&
+    if test "x$cache_file" != "x/dev/null"; then
       { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
 $as_echo "$as_me: updating cache $cache_file" >&6;}
-    cat confcache >$cache_file
+      if test ! -f "$cache_file" || test -h "$cache_file"; then
+	cat confcache >"$cache_file"
+      else
+        case $cache_file in #(
+        */* | ?:*)
+	  mv -f confcache "$cache_file"$$ &&
+	  mv -f "$cache_file"$$ "$cache_file" ;; #(
+        *)
+	  mv -f confcache "$cache_file" ;;
+	esac
+      fi
+    fi
   else
     { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
@@ -19370,43 +22081,7 @@ test "x$prefix" = xNONE && prefix=$ac_default_prefix
 # Let make expand exec_prefix.
 test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
 
-# Transform confdefs.h into DEFS.
-# Protect against shell expansion while executing Makefile rules.
-# Protect against Makefile macro expansion.
-#
-# If the first sed substitution is executed (which looks for macros that
-# take arguments), then branch to the quote section.  Otherwise,
-# look for a macro that doesn't take arguments.
-ac_script='
-:mline
-/\\$/{
- N
- s,\\\n,,
- b mline
-}
-t clear
-:clear
-s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
-t quote
-s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)/-D\1=\2/g
-t quote
-b any
-:quote
-s/[	 `~#$^&*(){}\\|;'\''"<>?]/\\&/g
-s/\[/\\&/g
-s/\]/\\&/g
-s/\$/$$/g
-H
-:any
-${
-	g
-	s/^\n//
-	s/\n/ /g
-	p
-}
-'
-DEFS=`sed -n "$ac_script" confdefs.h`
-
+DEFS=-DHAVE_CONFIG_H
 
 ac_libobjs=
 ac_ltlibobjs=
@@ -19446,6 +22121,10 @@ if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
+if test -z "${USE_DEV_HEADERS_TRUE}" && test -z "${USE_DEV_HEADERS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_DEV_HEADERS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_TEST_VECTORS_TRUE}" && test -z "${USE_TEST_VECTORS_FALSE}"; then
   as_fn_error $? "conditional \"USE_TEST_VECTORS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19454,6 +22133,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
   as_fn_error $? "conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_UNBOUND_TRUE}" && test -z "${USE_UNBOUND_FALSE}"; then
+  as_fn_error $? "conditional \"USE_UNBOUND\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_SOUP_TRUE}" && test -z "${USE_SOUP_FALSE}"; then
   as_fn_error $? "conditional \"USE_SOUP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19474,6 +22157,10 @@ if test -z "${USE_BLOWFISH_TRUE}" && test -z "${USE_BLOWFISH_FALSE}"; then
   as_fn_error $? "conditional \"USE_BLOWFISH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_RC2_TRUE}" && test -z "${USE_RC2_FALSE}"; then
+  as_fn_error $? "conditional \"USE_RC2\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_MD4_TRUE}" && test -z "${USE_MD4_FALSE}"; then
   as_fn_error $? "conditional \"USE_MD4\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19498,10 +22185,18 @@ if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
   as_fn_error $? "conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_RDRAND_TRUE}" && test -z "${USE_RDRAND_FALSE}"; then
+  as_fn_error $? "conditional \"USE_RDRAND\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
   as_fn_error $? "conditional \"USE_RANDOM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_NONCE_TRUE}" && test -z "${USE_NONCE_FALSE}"; then
+  as_fn_error $? "conditional \"USE_NONCE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
   as_fn_error $? "conditional \"USE_X509\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19522,10 +22217,18 @@ if test -z "${USE_PKCS1_TRUE}" && test -z "${USE_PKCS1_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS1\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_PKCS7_TRUE}" && test -z "${USE_PKCS7_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PKCS7\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PKCS8_TRUE}" && test -z "${USE_PKCS8_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS8\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_PKCS12_TRUE}" && test -z "${USE_PKCS12_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PKCS12\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PGP_TRUE}" && test -z "${USE_PGP_FALSE}"; then
   as_fn_error $? "conditional \"USE_PGP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19534,6 +22237,10 @@ if test -z "${USE_DNSKEY_TRUE}" && test -z "${USE_DNSKEY_FALSE}"; then
   as_fn_error $? "conditional \"USE_DNSKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SSHKEY_TRUE}" && test -z "${USE_SSHKEY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SSHKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PEM_TRUE}" && test -z "${USE_PEM_FALSE}"; then
   as_fn_error $? "conditional \"USE_PEM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19574,6 +22281,10 @@ if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
   as_fn_error $? "conditional \"USE_AGENT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_KEYCHAIN_TRUE}" && test -z "${USE_KEYCHAIN_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KEYCHAIN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PKCS11_TRUE}" && test -z "${USE_PKCS11_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS11\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19606,16 +22317,20 @@ if test -z "${USE_MEDCLI_TRUE}" && test -z "${USE_MEDCLI_FALSE}"; then
   as_fn_error $? "conditional \"USE_MEDCLI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
-  as_fn_error $? "conditional \"USE_NM\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
   as_fn_error $? "conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_ANDROID_TRUE}" && test -z "${USE_ANDROID_FALSE}"; then
-  as_fn_error $? "conditional \"USE_ANDROID\" was never defined.
+if test -z "${USE_OSX_ATTR_TRUE}" && test -z "${USE_OSX_ATTR_FALSE}"; then
+  as_fn_error $? "conditional \"USE_OSX_ATTR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ANDROID_DNS_TRUE}" && test -z "${USE_ANDROID_DNS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_ANDROID_DNS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ANDROID_LOG_TRUE}" && test -z "${USE_ANDROID_LOG_FALSE}"; then
+  as_fn_error $? "conditional \"USE_ANDROID_LOG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MAEMO_TRUE}" && test -z "${USE_MAEMO_FALSE}"; then
@@ -19630,6 +22345,10 @@ if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
   as_fn_error $? "conditional \"USE_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_IPSECKEY_TRUE}" && test -z "${USE_IPSECKEY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IPSECKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
   as_fn_error $? "conditional \"USE_UPDOWN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19650,14 +22369,30 @@ if test -z "${USE_HA_TRUE}" && test -z "${USE_HA_FALSE}"; then
   as_fn_error $? "conditional \"USE_HA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_KERNEL_LIBIPSEC_TRUE}" && test -z "${USE_KERNEL_LIBIPSEC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_LIBIPSEC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then
   as_fn_error $? "conditional \"USE_WHITELIST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LOOKIP_TRUE}" && test -z "${USE_LOOKIP_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LOOKIP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_ERROR_NOTIFY_TRUE}" && test -z "${USE_ERROR_NOTIFY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_ERROR_NOTIFY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_CERTEXPIRE_TRUE}" && test -z "${USE_CERTEXPIRE_FALSE}"; then
   as_fn_error $? "conditional \"USE_CERTEXPIRE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SYSTIME_FIX_TRUE}" && test -z "${USE_SYSTIME_FIX_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SYSTIME_FIX\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LED_TRUE}" && test -z "${USE_LED_FALSE}"; then
   as_fn_error $? "conditional \"USE_LED\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19738,10 +22473,30 @@ if test -z "${USE_EAP_TNC_TRUE}" && test -z "${USE_EAP_TNC_FALSE}"; then
   as_fn_error $? "conditional \"USE_EAP_TNC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_EAP_DYNAMIC_TRUE}" && test -z "${USE_EAP_DYNAMIC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EAP_DYNAMIC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_EAP_RADIUS_TRUE}" && test -z "${USE_EAP_RADIUS_FALSE}"; then
   as_fn_error $? "conditional \"USE_EAP_RADIUS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_XAUTH_GENERIC_TRUE}" && test -z "${USE_XAUTH_GENERIC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_XAUTH_GENERIC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_XAUTH_EAP_TRUE}" && test -z "${USE_XAUTH_EAP_FALSE}"; then
+  as_fn_error $? "conditional \"USE_XAUTH_EAP\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_XAUTH_PAM_TRUE}" && test -z "${USE_XAUTH_PAM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_XAUTH_PAM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_XAUTH_NOAUTH_TRUE}" && test -z "${USE_XAUTH_NOAUTH_FALSE}"; then
+  as_fn_error $? "conditional \"USE_XAUTH_NOAUTH\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_TNC_IFMAP_TRUE}" && test -z "${USE_TNC_IFMAP_FALSE}"; then
   as_fn_error $? "conditional \"USE_TNC_IFMAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19790,6 +22545,14 @@ if test -z "${USE_IMV_SCANNER_TRUE}" && test -z "${USE_IMV_SCANNER_FALSE}"; then
   as_fn_error $? "conditional \"USE_IMV_SCANNER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_IMC_OS_TRUE}" && test -z "${USE_IMC_OS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IMC_OS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_IMV_OS_TRUE}" && test -z "${USE_IMV_OS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IMV_OS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_IMC_ATTESTATION_TRUE}" && test -z "${USE_IMC_ATTESTATION_FALSE}"; then
   as_fn_error $? "conditional \"USE_IMC_ATTESTATION\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19802,10 +22565,6 @@ if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"
   as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_SOCKET_RAW_TRUE}" && test -z "${USE_SOCKET_RAW_FALSE}"; then
-  as_fn_error $? "conditional \"USE_SOCKET_RAW\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_SOCKET_DYNAMIC_TRUE}" && test -z "${USE_SOCKET_DYNAMIC_FALSE}"; then
   as_fn_error $? "conditional \"USE_SOCKET_DYNAMIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19818,6 +22577,10 @@ if test -z "${USE_ADDRBLOCK_TRUE}" && test -z "${USE_ADDRBLOCK_FALSE}"; then
   as_fn_error $? "conditional \"USE_ADDRBLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_UNITY_TRUE}" && test -z "${USE_UNITY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_UNITY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
   as_fn_error $? "conditional \"USE_ATTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19846,18 +22609,6 @@ if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
   as_fn_error $? "conditional \"USE_RESOLVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_XAUTH_TRUE}" && test -z "${USE_XAUTH_FALSE}"; then
-  as_fn_error $? "conditional \"USE_XAUTH\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
-if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
-  as_fn_error $? "conditional \"USE_SMARTCARD\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
-if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
-  as_fn_error $? "conditional \"USE_CISCO_QUIRKS\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
   as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19866,18 +22617,6 @@ if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}";
   as_fn_error $? "conditional \"USE_LOCK_PROFILER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
-  as_fn_error $? "conditional \"USE_NAT_TRANSPORT\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
-if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
-  as_fn_error $? "conditional \"USE_VENDORID\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
-if test -z "${USE_XAUTH_VID_TRUE}" && test -z "${USE_XAUTH_VID_FALSE}"; then
-  as_fn_error $? "conditional \"USE_XAUTH_VID\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_DUMM_TRUE}" && test -z "${USE_DUMM_FALSE}"; then
   as_fn_error $? "conditional \"USE_DUMM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19902,8 +22641,12 @@ if test -z "${USE_LOAD_WARNING_TRUE}" && test -z "${USE_LOAD_WARNING_FALSE}"; th
   as_fn_error $? "conditional \"USE_LOAD_WARNING\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
-  as_fn_error $? "conditional \"USE_PLUTO\" was never defined.
+if test -z "${USE_IKEV1_TRUE}" && test -z "${USE_IKEV1_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IKEV1\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_IKEV2_TRUE}" && test -z "${USE_IKEV2_FALSE}"; then
+  as_fn_error $? "conditional \"USE_IKEV2\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_THREADS_TRUE}" && test -z "${USE_THREADS_FALSE}"; then
@@ -19918,6 +22661,10 @@ if test -z "${USE_CHARON_TRUE}" && test -z "${USE_CHARON_FALSE}"; then
   as_fn_error $? "conditional \"USE_CHARON\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_NM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
   as_fn_error $? "conditional \"USE_TOOLS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19942,6 +22689,10 @@ if test -z "${USE_LIBCHARON_TRUE}" && test -z "${USE_LIBCHARON_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBCHARON\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LIBIPSEC_TRUE}" && test -z "${USE_LIBIPSEC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LIBIPSEC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_LIBTNCIF_TRUE}" && test -z "${USE_LIBTNCIF_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBTNCIF\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19950,6 +22701,10 @@ if test -z "${USE_LIBTNCCS_TRUE}" && test -z "${USE_LIBTNCCS_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBTNCCS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_LIBPTTLS_TRUE}" && test -z "${USE_LIBPTTLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LIBPTTLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
   as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -19986,12 +22741,36 @@ if test -z "${USE_PTS_TRUE}" && test -z "${USE_PTS_FALSE}"; then
   as_fn_error $? "conditional \"USE_PTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_TROUSERS_TRUE}" && test -z "${USE_TROUSERS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TROUSERS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
   as_fn_error $? "conditional \"MONOLITHIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_SILENT_RULES_TRUE}" && test -z "${USE_SILENT_RULES_FALSE}"; then
+  as_fn_error $? "conditional \"USE_SILENT_RULES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${UNITTESTS_TRUE}" && test -z "${UNITTESTS_FALSE}"; then
+  as_fn_error $? "conditional \"UNITTESTS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${COVERAGE_TRUE}" && test -z "${COVERAGE_FALSE}"; then
+  as_fn_error $? "conditional \"COVERAGE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_TKM_TRUE}" && test -z "${USE_TKM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TKM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_CMD_TRUE}" && test -z "${USE_CMD_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CMD\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
-: ${CONFIG_STATUS=./config.status}
+: "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
 ac_clean_files_save=$ac_clean_files
 ac_clean_files="$ac_clean_files $CONFIG_STATUS"
@@ -20092,6 +22871,7 @@ fi
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
+as_myself=
 case $0 in #((
   *[\\/]* ) as_myself=$0 ;;
   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -20287,16 +23067,16 @@ if (echo >conf$$.file) 2>/dev/null; then
     # ... but there are two gotchas:
     # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
     # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
+    # In both cases, we have to default to `cp -pR'.
     ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
+      as_ln_s='cp -pR'
   elif ln conf$$.file conf$$ 2>/dev/null; then
     as_ln_s=ln
   else
-    as_ln_s='cp -p'
+    as_ln_s='cp -pR'
   fi
 else
-  as_ln_s='cp -p'
+  as_ln_s='cp -pR'
 fi
 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
 rmdir conf$$.dir 2>/dev/null
@@ -20356,28 +23136,16 @@ else
   as_mkdir_p=false
 fi
 
-if test -x / >/dev/null 2>&1; then
-  as_test_x='test -x'
-else
-  if ls -dL / >/dev/null 2>&1; then
-    as_ls_L_option=L
-  else
-    as_ls_L_option=
-  fi
-  as_test_x='
-    eval sh -c '\''
-      if test -d "$1"; then
-	test -d "$1/.";
-      else
-	case $1 in #(
-	-*)set "./$1";;
-	esac;
-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-	???[sx]*):;;*)false;;esac;fi
-    '\'' sh
-  '
-fi
-as_executable_p=$as_test_x
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+  test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -20398,8 +23166,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.6.4, which was
-generated by GNU Autoconf 2.67.  Invocation command line was
+This file was extended by strongSwan $as_me 5.1.0, which was
+generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -20416,11 +23184,15 @@ case $ac_config_files in *"
 "*) set x $ac_config_files; shift; ac_config_files=$*;;
 esac
 
+case $ac_config_headers in *"
+"*) set x $ac_config_headers; shift; ac_config_headers=$*;;
+esac
 
 
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 # Files that config.status was made for.
 config_files="$ac_config_files"
+config_headers="$ac_config_headers"
 config_commands="$ac_config_commands"
 
 _ACEOF
@@ -20442,10 +23214,15 @@ Usage: $0 [OPTION]... [TAG]...
       --recheck    update $as_me by reconfiguring in the same conditions
       --file=FILE[:TEMPLATE]
                    instantiate the configuration file FILE
+      --header=FILE[:TEMPLATE]
+                   instantiate the configuration header FILE
 
 Configuration files:
 $config_files
 
+Configuration headers:
+$config_headers
+
 Configuration commands:
 $config_commands
 
@@ -20455,11 +23232,11 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 4.6.4
-configured by $0, generated by GNU Autoconf 2.67,
+strongSwan config.status 5.1.0
+configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2012 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
@@ -20512,7 +23289,18 @@ do
     esac
     as_fn_append CONFIG_FILES " '$ac_optarg'"
     ac_need_defaults=false;;
-  --he | --h |  --help | --hel | -h )
+  --header | --heade | --head | --hea )
+    $ac_shift
+    case $ac_optarg in
+    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    esac
+    as_fn_append CONFIG_HEADERS " '$ac_optarg'"
+    ac_need_defaults=false;;
+  --he | --h)
+    # Conflict between --help and --header
+    as_fn_error $? "ambiguous option: \`$1'
+Try \`$0 --help' for more information.";;
+  --help | --hel | -h )
     $as_echo "$ac_cs_usage"; exit ;;
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil | --si | --s)
@@ -20539,7 +23327,7 @@ fi
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 if \$ac_cs_recheck; then
-  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
   shift
   \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
   CONFIG_SHELL='$SHELL'
@@ -20573,131 +23361,154 @@ AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
 sed_quote_subst='$sed_quote_subst'
 double_quote_subst='$double_quote_subst'
 delay_variable_subst='$delay_variable_subst'
-macro_version='`$ECHO "X$macro_version" | $Xsed -e "$delay_single_quote_subst"`'
-macro_revision='`$ECHO "X$macro_revision" | $Xsed -e "$delay_single_quote_subst"`'
-enable_shared='`$ECHO "X$enable_shared" | $Xsed -e "$delay_single_quote_subst"`'
-enable_static='`$ECHO "X$enable_static" | $Xsed -e "$delay_single_quote_subst"`'
-pic_mode='`$ECHO "X$pic_mode" | $Xsed -e "$delay_single_quote_subst"`'
-enable_fast_install='`$ECHO "X$enable_fast_install" | $Xsed -e "$delay_single_quote_subst"`'
-host_alias='`$ECHO "X$host_alias" | $Xsed -e "$delay_single_quote_subst"`'
-host='`$ECHO "X$host" | $Xsed -e "$delay_single_quote_subst"`'
-host_os='`$ECHO "X$host_os" | $Xsed -e "$delay_single_quote_subst"`'
-build_alias='`$ECHO "X$build_alias" | $Xsed -e "$delay_single_quote_subst"`'
-build='`$ECHO "X$build" | $Xsed -e "$delay_single_quote_subst"`'
-build_os='`$ECHO "X$build_os" | $Xsed -e "$delay_single_quote_subst"`'
-SED='`$ECHO "X$SED" | $Xsed -e "$delay_single_quote_subst"`'
-Xsed='`$ECHO "X$Xsed" | $Xsed -e "$delay_single_quote_subst"`'
-GREP='`$ECHO "X$GREP" | $Xsed -e "$delay_single_quote_subst"`'
-EGREP='`$ECHO "X$EGREP" | $Xsed -e "$delay_single_quote_subst"`'
-FGREP='`$ECHO "X$FGREP" | $Xsed -e "$delay_single_quote_subst"`'
-LD='`$ECHO "X$LD" | $Xsed -e "$delay_single_quote_subst"`'
-NM='`$ECHO "X$NM" | $Xsed -e "$delay_single_quote_subst"`'
-LN_S='`$ECHO "X$LN_S" | $Xsed -e "$delay_single_quote_subst"`'
-max_cmd_len='`$ECHO "X$max_cmd_len" | $Xsed -e "$delay_single_quote_subst"`'
-ac_objext='`$ECHO "X$ac_objext" | $Xsed -e "$delay_single_quote_subst"`'
-exeext='`$ECHO "X$exeext" | $Xsed -e "$delay_single_quote_subst"`'
-lt_unset='`$ECHO "X$lt_unset" | $Xsed -e "$delay_single_quote_subst"`'
-lt_SP2NL='`$ECHO "X$lt_SP2NL" | $Xsed -e "$delay_single_quote_subst"`'
-lt_NL2SP='`$ECHO "X$lt_NL2SP" | $Xsed -e "$delay_single_quote_subst"`'
-reload_flag='`$ECHO "X$reload_flag" | $Xsed -e "$delay_single_quote_subst"`'
-reload_cmds='`$ECHO "X$reload_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-OBJDUMP='`$ECHO "X$OBJDUMP" | $Xsed -e "$delay_single_quote_subst"`'
-deplibs_check_method='`$ECHO "X$deplibs_check_method" | $Xsed -e "$delay_single_quote_subst"`'
-file_magic_cmd='`$ECHO "X$file_magic_cmd" | $Xsed -e "$delay_single_quote_subst"`'
-AR='`$ECHO "X$AR" | $Xsed -e "$delay_single_quote_subst"`'
-AR_FLAGS='`$ECHO "X$AR_FLAGS" | $Xsed -e "$delay_single_quote_subst"`'
-STRIP='`$ECHO "X$STRIP" | $Xsed -e "$delay_single_quote_subst"`'
-RANLIB='`$ECHO "X$RANLIB" | $Xsed -e "$delay_single_quote_subst"`'
-old_postinstall_cmds='`$ECHO "X$old_postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_postuninstall_cmds='`$ECHO "X$old_postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_cmds='`$ECHO "X$old_archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-CC='`$ECHO "X$CC" | $Xsed -e "$delay_single_quote_subst"`'
-CFLAGS='`$ECHO "X$CFLAGS" | $Xsed -e "$delay_single_quote_subst"`'
-compiler='`$ECHO "X$compiler" | $Xsed -e "$delay_single_quote_subst"`'
-GCC='`$ECHO "X$GCC" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_pipe='`$ECHO "X$lt_cv_sys_global_symbol_pipe" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_cdecl='`$ECHO "X$lt_cv_sys_global_symbol_to_cdecl" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
-objdir='`$ECHO "X$objdir" | $Xsed -e "$delay_single_quote_subst"`'
-SHELL='`$ECHO "X$SHELL" | $Xsed -e "$delay_single_quote_subst"`'
-ECHO='`$ECHO "X$ECHO" | $Xsed -e "$delay_single_quote_subst"`'
-MAGIC_CMD='`$ECHO "X$MAGIC_CMD" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_no_builtin_flag='`$ECHO "X$lt_prog_compiler_no_builtin_flag" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_wl='`$ECHO "X$lt_prog_compiler_wl" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_pic='`$ECHO "X$lt_prog_compiler_pic" | $Xsed -e "$delay_single_quote_subst"`'
-lt_prog_compiler_static='`$ECHO "X$lt_prog_compiler_static" | $Xsed -e "$delay_single_quote_subst"`'
-lt_cv_prog_compiler_c_o='`$ECHO "X$lt_cv_prog_compiler_c_o" | $Xsed -e "$delay_single_quote_subst"`'
-need_locks='`$ECHO "X$need_locks" | $Xsed -e "$delay_single_quote_subst"`'
-DSYMUTIL='`$ECHO "X$DSYMUTIL" | $Xsed -e "$delay_single_quote_subst"`'
-NMEDIT='`$ECHO "X$NMEDIT" | $Xsed -e "$delay_single_quote_subst"`'
-LIPO='`$ECHO "X$LIPO" | $Xsed -e "$delay_single_quote_subst"`'
-OTOOL='`$ECHO "X$OTOOL" | $Xsed -e "$delay_single_quote_subst"`'
-OTOOL64='`$ECHO "X$OTOOL64" | $Xsed -e "$delay_single_quote_subst"`'
-libext='`$ECHO "X$libext" | $Xsed -e "$delay_single_quote_subst"`'
-shrext_cmds='`$ECHO "X$shrext_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-extract_expsyms_cmds='`$ECHO "X$extract_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_cmds_need_lc='`$ECHO "X$archive_cmds_need_lc" | $Xsed -e "$delay_single_quote_subst"`'
-enable_shared_with_static_runtimes='`$ECHO "X$enable_shared_with_static_runtimes" | $Xsed -e "$delay_single_quote_subst"`'
-export_dynamic_flag_spec='`$ECHO "X$export_dynamic_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-whole_archive_flag_spec='`$ECHO "X$whole_archive_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-compiler_needs_object='`$ECHO "X$compiler_needs_object" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_from_new_cmds='`$ECHO "X$old_archive_from_new_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-old_archive_from_expsyms_cmds='`$ECHO "X$old_archive_from_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_cmds='`$ECHO "X$archive_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-archive_expsym_cmds='`$ECHO "X$archive_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-module_cmds='`$ECHO "X$module_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-module_expsym_cmds='`$ECHO "X$module_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-with_gnu_ld='`$ECHO "X$with_gnu_ld" | $Xsed -e "$delay_single_quote_subst"`'
-allow_undefined_flag='`$ECHO "X$allow_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
-no_undefined_flag='`$ECHO "X$no_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec='`$ECHO "X$hardcode_libdir_flag_spec" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec_ld='`$ECHO "X$hardcode_libdir_flag_spec_ld" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_libdir_separator='`$ECHO "X$hardcode_libdir_separator" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_direct='`$ECHO "X$hardcode_direct" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_direct_absolute='`$ECHO "X$hardcode_direct_absolute" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_minus_L='`$ECHO "X$hardcode_minus_L" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_shlibpath_var='`$ECHO "X$hardcode_shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_automatic='`$ECHO "X$hardcode_automatic" | $Xsed -e "$delay_single_quote_subst"`'
-inherit_rpath='`$ECHO "X$inherit_rpath" | $Xsed -e "$delay_single_quote_subst"`'
-link_all_deplibs='`$ECHO "X$link_all_deplibs" | $Xsed -e "$delay_single_quote_subst"`'
-fix_srcfile_path='`$ECHO "X$fix_srcfile_path" | $Xsed -e "$delay_single_quote_subst"`'
-always_export_symbols='`$ECHO "X$always_export_symbols" | $Xsed -e "$delay_single_quote_subst"`'
-export_symbols_cmds='`$ECHO "X$export_symbols_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-exclude_expsyms='`$ECHO "X$exclude_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
-include_expsyms='`$ECHO "X$include_expsyms" | $Xsed -e "$delay_single_quote_subst"`'
-prelink_cmds='`$ECHO "X$prelink_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-file_list_spec='`$ECHO "X$file_list_spec" | $Xsed -e "$delay_single_quote_subst"`'
-variables_saved_for_relink='`$ECHO "X$variables_saved_for_relink" | $Xsed -e "$delay_single_quote_subst"`'
-need_lib_prefix='`$ECHO "X$need_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`'
-need_version='`$ECHO "X$need_version" | $Xsed -e "$delay_single_quote_subst"`'
-version_type='`$ECHO "X$version_type" | $Xsed -e "$delay_single_quote_subst"`'
-runpath_var='`$ECHO "X$runpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-shlibpath_var='`$ECHO "X$shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`'
-shlibpath_overrides_runpath='`$ECHO "X$shlibpath_overrides_runpath" | $Xsed -e "$delay_single_quote_subst"`'
-libname_spec='`$ECHO "X$libname_spec" | $Xsed -e "$delay_single_quote_subst"`'
-library_names_spec='`$ECHO "X$library_names_spec" | $Xsed -e "$delay_single_quote_subst"`'
-soname_spec='`$ECHO "X$soname_spec" | $Xsed -e "$delay_single_quote_subst"`'
-postinstall_cmds='`$ECHO "X$postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-postuninstall_cmds='`$ECHO "X$postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-finish_cmds='`$ECHO "X$finish_cmds" | $Xsed -e "$delay_single_quote_subst"`'
-finish_eval='`$ECHO "X$finish_eval" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_into_libs='`$ECHO "X$hardcode_into_libs" | $Xsed -e "$delay_single_quote_subst"`'
-sys_lib_search_path_spec='`$ECHO "X$sys_lib_search_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
-sys_lib_dlsearch_path_spec='`$ECHO "X$sys_lib_dlsearch_path_spec" | $Xsed -e "$delay_single_quote_subst"`'
-hardcode_action='`$ECHO "X$hardcode_action" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen='`$ECHO "X$enable_dlopen" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen_self='`$ECHO "X$enable_dlopen_self" | $Xsed -e "$delay_single_quote_subst"`'
-enable_dlopen_self_static='`$ECHO "X$enable_dlopen_self_static" | $Xsed -e "$delay_single_quote_subst"`'
-old_striplib='`$ECHO "X$old_striplib" | $Xsed -e "$delay_single_quote_subst"`'
-striplib='`$ECHO "X$striplib" | $Xsed -e "$delay_single_quote_subst"`'
+macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`'
+macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`'
+enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`'
+enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`'
+pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`'
+enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`'
+SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`'
+ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`'
+PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`'
+host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`'
+host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`'
+host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`'
+build_alias='`$ECHO "$build_alias" | $SED "$delay_single_quote_subst"`'
+build='`$ECHO "$build" | $SED "$delay_single_quote_subst"`'
+build_os='`$ECHO "$build_os" | $SED "$delay_single_quote_subst"`'
+SED='`$ECHO "$SED" | $SED "$delay_single_quote_subst"`'
+Xsed='`$ECHO "$Xsed" | $SED "$delay_single_quote_subst"`'
+GREP='`$ECHO "$GREP" | $SED "$delay_single_quote_subst"`'
+EGREP='`$ECHO "$EGREP" | $SED "$delay_single_quote_subst"`'
+FGREP='`$ECHO "$FGREP" | $SED "$delay_single_quote_subst"`'
+LD='`$ECHO "$LD" | $SED "$delay_single_quote_subst"`'
+NM='`$ECHO "$NM" | $SED "$delay_single_quote_subst"`'
+LN_S='`$ECHO "$LN_S" | $SED "$delay_single_quote_subst"`'
+max_cmd_len='`$ECHO "$max_cmd_len" | $SED "$delay_single_quote_subst"`'
+ac_objext='`$ECHO "$ac_objext" | $SED "$delay_single_quote_subst"`'
+exeext='`$ECHO "$exeext" | $SED "$delay_single_quote_subst"`'
+lt_unset='`$ECHO "$lt_unset" | $SED "$delay_single_quote_subst"`'
+lt_SP2NL='`$ECHO "$lt_SP2NL" | $SED "$delay_single_quote_subst"`'
+lt_NL2SP='`$ECHO "$lt_NL2SP" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_host_file_cmd='`$ECHO "$lt_cv_to_host_file_cmd" | $SED "$delay_single_quote_subst"`'
+lt_cv_to_tool_file_cmd='`$ECHO "$lt_cv_to_tool_file_cmd" | $SED "$delay_single_quote_subst"`'
+reload_flag='`$ECHO "$reload_flag" | $SED "$delay_single_quote_subst"`'
+reload_cmds='`$ECHO "$reload_cmds" | $SED "$delay_single_quote_subst"`'
+OBJDUMP='`$ECHO "$OBJDUMP" | $SED "$delay_single_quote_subst"`'
+deplibs_check_method='`$ECHO "$deplibs_check_method" | $SED "$delay_single_quote_subst"`'
+file_magic_cmd='`$ECHO "$file_magic_cmd" | $SED "$delay_single_quote_subst"`'
+file_magic_glob='`$ECHO "$file_magic_glob" | $SED "$delay_single_quote_subst"`'
+want_nocaseglob='`$ECHO "$want_nocaseglob" | $SED "$delay_single_quote_subst"`'
+DLLTOOL='`$ECHO "$DLLTOOL" | $SED "$delay_single_quote_subst"`'
+sharedlib_from_linklib_cmd='`$ECHO "$sharedlib_from_linklib_cmd" | $SED "$delay_single_quote_subst"`'
+AR='`$ECHO "$AR" | $SED "$delay_single_quote_subst"`'
+AR_FLAGS='`$ECHO "$AR_FLAGS" | $SED "$delay_single_quote_subst"`'
+archiver_list_spec='`$ECHO "$archiver_list_spec" | $SED "$delay_single_quote_subst"`'
+STRIP='`$ECHO "$STRIP" | $SED "$delay_single_quote_subst"`'
+RANLIB='`$ECHO "$RANLIB" | $SED "$delay_single_quote_subst"`'
+old_postinstall_cmds='`$ECHO "$old_postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_postuninstall_cmds='`$ECHO "$old_postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_cmds='`$ECHO "$old_archive_cmds" | $SED "$delay_single_quote_subst"`'
+lock_old_archive_extraction='`$ECHO "$lock_old_archive_extraction" | $SED "$delay_single_quote_subst"`'
+CC='`$ECHO "$CC" | $SED "$delay_single_quote_subst"`'
+CFLAGS='`$ECHO "$CFLAGS" | $SED "$delay_single_quote_subst"`'
+compiler='`$ECHO "$compiler" | $SED "$delay_single_quote_subst"`'
+GCC='`$ECHO "$GCC" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_pipe='`$ECHO "$lt_cv_sys_global_symbol_pipe" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_cdecl='`$ECHO "$lt_cv_sys_global_symbol_to_cdecl" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address" | $SED "$delay_single_quote_subst"`'
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $SED "$delay_single_quote_subst"`'
+nm_file_list_spec='`$ECHO "$nm_file_list_spec" | $SED "$delay_single_quote_subst"`'
+lt_sysroot='`$ECHO "$lt_sysroot" | $SED "$delay_single_quote_subst"`'
+objdir='`$ECHO "$objdir" | $SED "$delay_single_quote_subst"`'
+MAGIC_CMD='`$ECHO "$MAGIC_CMD" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_no_builtin_flag='`$ECHO "$lt_prog_compiler_no_builtin_flag" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_pic='`$ECHO "$lt_prog_compiler_pic" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_wl='`$ECHO "$lt_prog_compiler_wl" | $SED "$delay_single_quote_subst"`'
+lt_prog_compiler_static='`$ECHO "$lt_prog_compiler_static" | $SED "$delay_single_quote_subst"`'
+lt_cv_prog_compiler_c_o='`$ECHO "$lt_cv_prog_compiler_c_o" | $SED "$delay_single_quote_subst"`'
+need_locks='`$ECHO "$need_locks" | $SED "$delay_single_quote_subst"`'
+MANIFEST_TOOL='`$ECHO "$MANIFEST_TOOL" | $SED "$delay_single_quote_subst"`'
+DSYMUTIL='`$ECHO "$DSYMUTIL" | $SED "$delay_single_quote_subst"`'
+NMEDIT='`$ECHO "$NMEDIT" | $SED "$delay_single_quote_subst"`'
+LIPO='`$ECHO "$LIPO" | $SED "$delay_single_quote_subst"`'
+OTOOL='`$ECHO "$OTOOL" | $SED "$delay_single_quote_subst"`'
+OTOOL64='`$ECHO "$OTOOL64" | $SED "$delay_single_quote_subst"`'
+libext='`$ECHO "$libext" | $SED "$delay_single_quote_subst"`'
+shrext_cmds='`$ECHO "$shrext_cmds" | $SED "$delay_single_quote_subst"`'
+extract_expsyms_cmds='`$ECHO "$extract_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds_need_lc='`$ECHO "$archive_cmds_need_lc" | $SED "$delay_single_quote_subst"`'
+enable_shared_with_static_runtimes='`$ECHO "$enable_shared_with_static_runtimes" | $SED "$delay_single_quote_subst"`'
+export_dynamic_flag_spec='`$ECHO "$export_dynamic_flag_spec" | $SED "$delay_single_quote_subst"`'
+whole_archive_flag_spec='`$ECHO "$whole_archive_flag_spec" | $SED "$delay_single_quote_subst"`'
+compiler_needs_object='`$ECHO "$compiler_needs_object" | $SED "$delay_single_quote_subst"`'
+old_archive_from_new_cmds='`$ECHO "$old_archive_from_new_cmds" | $SED "$delay_single_quote_subst"`'
+old_archive_from_expsyms_cmds='`$ECHO "$old_archive_from_expsyms_cmds" | $SED "$delay_single_quote_subst"`'
+archive_cmds='`$ECHO "$archive_cmds" | $SED "$delay_single_quote_subst"`'
+archive_expsym_cmds='`$ECHO "$archive_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+module_cmds='`$ECHO "$module_cmds" | $SED "$delay_single_quote_subst"`'
+module_expsym_cmds='`$ECHO "$module_expsym_cmds" | $SED "$delay_single_quote_subst"`'
+with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
+allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
+no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`'
+hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
+hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
+hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
+hardcode_minus_L='`$ECHO "$hardcode_minus_L" | $SED "$delay_single_quote_subst"`'
+hardcode_shlibpath_var='`$ECHO "$hardcode_shlibpath_var" | $SED "$delay_single_quote_subst"`'
+hardcode_automatic='`$ECHO "$hardcode_automatic" | $SED "$delay_single_quote_subst"`'
+inherit_rpath='`$ECHO "$inherit_rpath" | $SED "$delay_single_quote_subst"`'
+link_all_deplibs='`$ECHO "$link_all_deplibs" | $SED "$delay_single_quote_subst"`'
+always_export_symbols='`$ECHO "$always_export_symbols" | $SED "$delay_single_quote_subst"`'
+export_symbols_cmds='`$ECHO "$export_symbols_cmds" | $SED "$delay_single_quote_subst"`'
+exclude_expsyms='`$ECHO "$exclude_expsyms" | $SED "$delay_single_quote_subst"`'
+include_expsyms='`$ECHO "$include_expsyms" | $SED "$delay_single_quote_subst"`'
+prelink_cmds='`$ECHO "$prelink_cmds" | $SED "$delay_single_quote_subst"`'
+postlink_cmds='`$ECHO "$postlink_cmds" | $SED "$delay_single_quote_subst"`'
+file_list_spec='`$ECHO "$file_list_spec" | $SED "$delay_single_quote_subst"`'
+variables_saved_for_relink='`$ECHO "$variables_saved_for_relink" | $SED "$delay_single_quote_subst"`'
+need_lib_prefix='`$ECHO "$need_lib_prefix" | $SED "$delay_single_quote_subst"`'
+need_version='`$ECHO "$need_version" | $SED "$delay_single_quote_subst"`'
+version_type='`$ECHO "$version_type" | $SED "$delay_single_quote_subst"`'
+runpath_var='`$ECHO "$runpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_var='`$ECHO "$shlibpath_var" | $SED "$delay_single_quote_subst"`'
+shlibpath_overrides_runpath='`$ECHO "$shlibpath_overrides_runpath" | $SED "$delay_single_quote_subst"`'
+libname_spec='`$ECHO "$libname_spec" | $SED "$delay_single_quote_subst"`'
+library_names_spec='`$ECHO "$library_names_spec" | $SED "$delay_single_quote_subst"`'
+soname_spec='`$ECHO "$soname_spec" | $SED "$delay_single_quote_subst"`'
+install_override_mode='`$ECHO "$install_override_mode" | $SED "$delay_single_quote_subst"`'
+postinstall_cmds='`$ECHO "$postinstall_cmds" | $SED "$delay_single_quote_subst"`'
+postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
+finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
+finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
+hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`'
+sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
+sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`'
+hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`'
+enable_dlopen='`$ECHO "$enable_dlopen" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self='`$ECHO "$enable_dlopen_self" | $SED "$delay_single_quote_subst"`'
+enable_dlopen_self_static='`$ECHO "$enable_dlopen_self_static" | $SED "$delay_single_quote_subst"`'
+old_striplib='`$ECHO "$old_striplib" | $SED "$delay_single_quote_subst"`'
+striplib='`$ECHO "$striplib" | $SED "$delay_single_quote_subst"`'
 
 LTCC='$LTCC'
 LTCFLAGS='$LTCFLAGS'
 compiler='$compiler_DEFAULT'
 
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+
 # Quote evaled strings.
-for var in SED \
+for var in SHELL \
+ECHO \
+PATH_SEPARATOR \
+SED \
 GREP \
 EGREP \
 FGREP \
@@ -20710,8 +23521,13 @@ reload_flag \
 OBJDUMP \
 deplibs_check_method \
 file_magic_cmd \
+file_magic_glob \
+want_nocaseglob \
+DLLTOOL \
+sharedlib_from_linklib_cmd \
 AR \
 AR_FLAGS \
+archiver_list_spec \
 STRIP \
 RANLIB \
 CC \
@@ -20721,14 +23537,14 @@ lt_cv_sys_global_symbol_pipe \
 lt_cv_sys_global_symbol_to_cdecl \
 lt_cv_sys_global_symbol_to_c_name_address \
 lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \
-SHELL \
-ECHO \
+nm_file_list_spec \
 lt_prog_compiler_no_builtin_flag \
-lt_prog_compiler_wl \
 lt_prog_compiler_pic \
+lt_prog_compiler_wl \
 lt_prog_compiler_static \
 lt_cv_prog_compiler_c_o \
 need_locks \
+MANIFEST_TOOL \
 DSYMUTIL \
 NMEDIT \
 LIPO \
@@ -20742,9 +23558,7 @@ with_gnu_ld \
 allow_undefined_flag \
 no_undefined_flag \
 hardcode_libdir_flag_spec \
-hardcode_libdir_flag_spec_ld \
 hardcode_libdir_separator \
-fix_srcfile_path \
 exclude_expsyms \
 include_expsyms \
 file_list_spec \
@@ -20752,12 +23566,13 @@ variables_saved_for_relink \
 libname_spec \
 library_names_spec \
 soname_spec \
+install_override_mode \
 finish_eval \
 old_striplib \
 striplib; do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[\\\\\\\`\\"\\\$]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -20779,14 +23594,15 @@ module_cmds \
 module_expsym_cmds \
 export_symbols_cmds \
 prelink_cmds \
+postlink_cmds \
 postinstall_cmds \
 postuninstall_cmds \
 finish_cmds \
 sys_lib_search_path_spec \
 sys_lib_dlsearch_path_spec; do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[\\\\\\\`\\"\\\$]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -20794,12 +23610,6 @@ sys_lib_dlsearch_path_spec; do
     esac
 done
 
-# Fix-up fallback echo if it was mangled by the above quoting rules.
-case \$lt_ECHO in
-*'\\\$0 --fallback-echo"')  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\$0 --fallback-echo"\$/\$0 --fallback-echo"/'\`
-  ;;
-esac
-
 ac_aux_dir='$ac_aux_dir'
 xsi_shell='$xsi_shell'
 lt_shell_append='$lt_shell_append'
@@ -20828,6 +23638,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 for ac_config_target in $ac_config_targets
 do
   case $ac_config_target in
+    "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
     "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
     "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
@@ -20841,13 +23652,16 @@ do
     "src/libstrongswan/plugins/cmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/cmac/Makefile" ;;
     "src/libstrongswan/plugins/des/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/des/Makefile" ;;
     "src/libstrongswan/plugins/blowfish/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/blowfish/Makefile" ;;
+    "src/libstrongswan/plugins/rc2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rc2/Makefile" ;;
     "src/libstrongswan/plugins/md4/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md4/Makefile" ;;
     "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;;
     "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;;
     "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;;
     "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
     "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
+    "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;;
     "src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;;
+    "src/libstrongswan/plugins/nonce/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/nonce/Makefile" ;;
     "src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;;
     "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;;
     "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;;
@@ -20855,11 +23669,15 @@ do
     "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;;
     "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;;
     "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;;
+    "src/libstrongswan/plugins/pkcs7/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs7/Makefile" ;;
     "src/libstrongswan/plugins/pkcs8/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs8/Makefile" ;;
+    "src/libstrongswan/plugins/pkcs12/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs12/Makefile" ;;
     "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;;
     "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;;
+    "src/libstrongswan/plugins/sshkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sshkey/Makefile" ;;
     "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
     "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
+    "src/libstrongswan/plugins/unbound/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/unbound/Makefile" ;;
     "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;;
     "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;;
     "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;;
@@ -20868,12 +23686,14 @@ do
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
     "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
+    "src/libstrongswan/plugins/keychain/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/keychain/Makefile" ;;
     "src/libstrongswan/plugins/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs11/Makefile" ;;
     "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;;
     "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;;
     "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
     "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
+    "src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;;
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
     "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
     "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
@@ -20882,12 +23702,13 @@ do
     "src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;;
     "src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;;
     "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;;
-    "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
+    "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
     "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;;
     "src/libradius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libradius/Makefile" ;;
     "src/libtncif/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtncif/Makefile" ;;
     "src/libtnccs/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/Makefile" ;;
+    "src/libpttls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpttls/Makefile" ;;
     "src/libpts/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/Makefile" ;;
     "src/libpts/plugins/imc_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imc_attestation/Makefile" ;;
     "src/libpts/plugins/imv_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imv_attestation/Makefile" ;;
@@ -20896,13 +23717,16 @@ do
     "src/libimcv/plugins/imv_test/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_test/Makefile" ;;
     "src/libimcv/plugins/imc_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_scanner/Makefile" ;;
     "src/libimcv/plugins/imv_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_scanner/Makefile" ;;
-    "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
-    "src/pluto/plugins/xauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/plugins/xauth/Makefile" ;;
-    "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
+    "src/libimcv/plugins/imc_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_os/Makefile" ;;
+    "src/libimcv/plugins/imv_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_os/Makefile" ;;
     "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
+    "src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;;
+    "src/charon-tkm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-tkm/Makefile" ;;
+    "src/charon-cmd/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-cmd/Makefile" ;;
     "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;;
     "src/libcharon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka/Makefile" ;;
     "src/libcharon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka_3gpp2/Makefile" ;;
+    "src/libcharon/plugins/eap_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_dynamic/Makefile" ;;
     "src/libcharon/plugins/eap_identity/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_identity/Makefile" ;;
     "src/libcharon/plugins/eap_md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_md5/Makefile" ;;
     "src/libcharon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_gtc/Makefile" ;;
@@ -20918,6 +23742,10 @@ do
     "src/libcharon/plugins/eap_peap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_peap/Makefile" ;;
     "src/libcharon/plugins/eap_tnc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_tnc/Makefile" ;;
     "src/libcharon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_radius/Makefile" ;;
+    "src/libcharon/plugins/xauth_generic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_generic/Makefile" ;;
+    "src/libcharon/plugins/xauth_eap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_eap/Makefile" ;;
+    "src/libcharon/plugins/xauth_pam/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_pam/Makefile" ;;
+    "src/libcharon/plugins/xauth_noauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_noauth/Makefile" ;;
     "src/libcharon/plugins/tnc_ifmap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_ifmap/Makefile" ;;
     "src/libcharon/plugins/tnc_pdp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_pdp/Makefile" ;;
     "src/libcharon/plugins/tnc_imc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imc/Makefile" ;;
@@ -20927,24 +23755,30 @@ do
     "src/libcharon/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_20/Makefile" ;;
     "src/libcharon/plugins/tnccs_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_dynamic/Makefile" ;;
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
-    "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
     "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
     "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;;
     "src/libcharon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/sql/Makefile" ;;
+    "src/libcharon/plugins/ipseckey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ipseckey/Makefile" ;;
     "src/libcharon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medsrv/Makefile" ;;
     "src/libcharon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medcli/Makefile" ;;
-    "src/libcharon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/nm/Makefile" ;;
     "src/libcharon/plugins/addrblock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/addrblock/Makefile" ;;
+    "src/libcharon/plugins/unity/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unity/Makefile" ;;
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
+    "src/libcharon/plugins/kernel_libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_libipsec/Makefile" ;;
     "src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;;
+    "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;;
+    "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;;
     "src/libcharon/plugins/certexpire/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/certexpire/Makefile" ;;
+    "src/libcharon/plugins/systime_fix/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/systime_fix/Makefile" ;;
     "src/libcharon/plugins/led/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/led/Makefile" ;;
     "src/libcharon/plugins/duplicheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/duplicheck/Makefile" ;;
     "src/libcharon/plugins/coupling/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/coupling/Makefile" ;;
     "src/libcharon/plugins/radattr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/radattr/Makefile" ;;
-    "src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;;
+    "src/libcharon/plugins/osx_attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/osx_attr/Makefile" ;;
+    "src/libcharon/plugins/android_dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_dns/Makefile" ;;
+    "src/libcharon/plugins/android_log/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_log/Makefile" ;;
     "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
@@ -20970,7 +23804,7 @@ do
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
-  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
+  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
 done
 
@@ -20981,6 +23815,7 @@ done
 # bizarre bug on SunOS 4.1.3.
 if $ac_need_defaults; then
   test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
   test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
 fi
 
@@ -20992,9 +23827,10 @@ fi
 # after its creation but before its name has been assigned to `$tmp'.
 $debug ||
 {
-  tmp=
+  tmp= ac_tmp=
   trap 'exit_status=$?
-  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+  : "${ac_tmp:=$tmp}"
+  { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
 ' 0
   trap 'as_fn_exit 1' 1 2 13 15
 }
@@ -21002,12 +23838,13 @@ $debug ||
 
 {
   tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
-  test -n "$tmp" && test -d "$tmp"
+  test -d "$tmp"
 }  ||
 {
   tmp=./conf$$-$RANDOM
   (umask 077 && mkdir "$tmp")
 } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+ac_tmp=$tmp
 
 # Set up the scripts for CONFIG_FILES section.
 # No need to generate them if there are no CONFIG_FILES.
@@ -21029,7 +23866,7 @@ else
   ac_cs_awk_cr=$ac_cr
 fi
 
-echo 'BEGIN {' >"$tmp/subs1.awk" &&
+echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
 _ACEOF
 
 
@@ -21057,7 +23894,7 @@ done
 rm -f conf$$subs.sh
 
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
+cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
 _ACEOF
 sed -n '
 h
@@ -21105,7 +23942,7 @@ t delim
 rm -f conf$$subs.awk
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 _ACAWK
-cat >>"\$tmp/subs1.awk" <<_ACAWK &&
+cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
   for (key in S) S_is_set[key] = 1
   FS = ""
 
@@ -21137,7 +23974,7 @@ if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
   sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
 else
   cat
-fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
+fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
   || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
 _ACEOF
 
@@ -21167,8 +24004,116 @@ fi
 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 fi # test -n "$CONFIG_FILES"
 
+# Set up the scripts for CONFIG_HEADERS section.
+# No need to generate them if there are no CONFIG_HEADERS.
+# This happens for instance with `./config.status Makefile'.
+if test -n "$CONFIG_HEADERS"; then
+cat >"$ac_tmp/defines.awk" <<\_ACAWK ||
+BEGIN {
+_ACEOF
 
-eval set X "  :F $CONFIG_FILES      :C $CONFIG_COMMANDS"
+# Transform confdefs.h into an awk script `defines.awk', embedded as
+# here-document in config.status, that substitutes the proper values into
+# config.h.in to produce config.h.
+
+# Create a delimiter string that does not exist in confdefs.h, to ease
+# handling of long lines.
+ac_delim='%!_!# '
+for ac_last_try in false false :; do
+  ac_tt=`sed -n "/$ac_delim/p" confdefs.h`
+  if test -z "$ac_tt"; then
+    break
+  elif $ac_last_try; then
+    as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+# For the awk script, D is an array of macro values keyed by name,
+# likewise P contains macro parameters if any.  Preserve backslash
+# newline sequences.
+
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+sed -n '
+s/.\{148\}/&'"$ac_delim"'/g
+t rset
+:rset
+s/^[	 ]*#[	 ]*define[	 ][	 ]*/ /
+t def
+d
+:def
+s/\\$//
+t bsnl
+s/["\\]/\\&/g
+s/^ \('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/P["\1"]="\2"\
+D["\1"]=" \3"/p
+s/^ \('"$ac_word_re"'\)[	 ]*\(.*\)/D["\1"]=" \2"/p
+d
+:bsnl
+s/["\\]/\\&/g
+s/^ \('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/P["\1"]="\2"\
+D["\1"]=" \3\\\\\\n"\\/p
+t cont
+s/^ \('"$ac_word_re"'\)[	 ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p
+t cont
+d
+:cont
+n
+s/.\{148\}/&'"$ac_delim"'/g
+t clear
+:clear
+s/\\$//
+t bsnlc
+s/["\\]/\\&/g; s/^/"/; s/$/"/p
+d
+:bsnlc
+s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p
+b cont
+' <confdefs.h | sed '
+s/'"$ac_delim"'/"\\\
+"/g' >>$CONFIG_STATUS || ac_write_fail=1
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+  for (key in D) D_is_set[key] = 1
+  FS = ""
+}
+/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ {
+  line = \$ 0
+  split(line, arg, " ")
+  if (arg[1] == "#") {
+    defundef = arg[2]
+    mac1 = arg[3]
+  } else {
+    defundef = substr(arg[1], 2)
+    mac1 = arg[2]
+  }
+  split(mac1, mac2, "(") #)
+  macro = mac2[1]
+  prefix = substr(line, 1, index(line, defundef) - 1)
+  if (D_is_set[macro]) {
+    # Preserve the white space surrounding the "#".
+    print prefix "define", macro P[macro] D[macro]
+    next
+  } else {
+    # Replace #undef with comments.  This is necessary, for example,
+    # in the case of _POSIX_SOURCE, which is predefined and required
+    # on some systems where configure will not decide to define it.
+    if (defundef == "undef") {
+      print "/*", prefix defundef, macro, "*/"
+      next
+    }
+  }
+}
+{ print }
+_ACAWK
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+  as_fn_error $? "could not setup config headers machinery" "$LINENO" 5
+fi # test -n "$CONFIG_HEADERS"
+
+
+eval set X "  :F $CONFIG_FILES  :H $CONFIG_HEADERS    :C $CONFIG_COMMANDS"
 shift
 for ac_tag
 do
@@ -21177,7 +24122,7 @@ do
   esac
   case $ac_mode$ac_tag in
   :[FHL]*:*);;
-  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
+  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
   :[FH]-) ac_tag=-:-;;
   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
   esac
@@ -21196,7 +24141,7 @@ do
     for ac_f
     do
       case $ac_f in
-      -) ac_f="$tmp/stdin";;
+      -) ac_f="$ac_tmp/stdin";;
       *) # Look for the file first in the build tree, then in the source tree
 	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
 	 # because $ac_f cannot contain `:'.
@@ -21205,7 +24150,7 @@ do
 	   [\\/$]*) false;;
 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
 	   esac ||
-	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
+	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
       esac
       case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
       as_fn_append ac_file_inputs " '$ac_f'"
@@ -21231,8 +24176,8 @@ $as_echo "$as_me: creating $ac_file" >&6;}
     esac
 
     case $ac_tag in
-    *:-:* | *:-) cat >"$tmp/stdin" \
-      || as_fn_error $? "could not create $ac_file" "$LINENO" 5  ;;
+    *:-:* | *:-) cat >"$ac_tmp/stdin" \
+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
     esac
     ;;
   esac
@@ -21368,25 +24313,83 @@ s&@INSTALL@&$ac_INSTALL&;t t
 s&@MKDIR_P@&$ac_MKDIR_P&;t t
 $ac_datarootdir_hack
 "
-eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
+  >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
-  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
-  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+  { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
+  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' \
+      "$ac_tmp/out"`; test -z "$ac_out"; } &&
   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined" >&5
 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined" >&2;}
 
-  rm -f "$tmp/stdin"
+  rm -f "$ac_tmp/stdin"
   case $ac_file in
-  -) cat "$tmp/out" && rm -f "$tmp/out";;
-  *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
+  -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
+  *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
   esac \
   || as_fn_error $? "could not create $ac_file" "$LINENO" 5
  ;;
-
+  :H)
+  #
+  # CONFIG_HEADER
+  #
+  if test x"$ac_file" != x-; then
+    {
+      $as_echo "/* $configure_input  */" \
+      && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs"
+    } >"$ac_tmp/config.h" \
+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+    if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then
+      { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5
+$as_echo "$as_me: $ac_file is unchanged" >&6;}
+    else
+      rm -f "$ac_file"
+      mv "$ac_tmp/config.h" "$ac_file" \
+	|| as_fn_error $? "could not create $ac_file" "$LINENO" 5
+    fi
+  else
+    $as_echo "/* $configure_input  */" \
+      && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \
+      || as_fn_error $? "could not create -" "$LINENO" 5
+  fi
+# Compute "$ac_file"'s index in $config_headers.
+_am_arg="$ac_file"
+_am_stamp_count=1
+for _am_header in $config_headers :; do
+  case $_am_header in
+    $_am_arg | $_am_arg:* )
+      break ;;
+    * )
+      _am_stamp_count=`expr $_am_stamp_count + 1` ;;
+  esac
+done
+echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" ||
+$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$_am_arg" : 'X\(//\)[^/]' \| \
+	 X"$_am_arg" : 'X\(//\)$' \| \
+	 X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$_am_arg" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`/stamp-h$_am_stamp_count
+ ;;
 
   :C)  { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5
 $as_echo "$as_me: executing $ac_file commands" >&6;}
@@ -21511,7 +24514,8 @@ $as_echo X"$file" |
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -21559,6 +24563,15 @@ pic_mode=$pic_mode
 # Whether or not to optimize for fast installation.
 fast_install=$enable_fast_install
 
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# An echo program that protects backslashes.
+ECHO=$lt_ECHO
+
+# The PATH separator for the build system.
+PATH_SEPARATOR=$lt_PATH_SEPARATOR
+
 # The host system.
 host_alias=$host_alias
 host=$host
@@ -21608,9 +24621,11 @@ SP2NL=$lt_lt_SP2NL
 # turn newlines into spaces.
 NL2SP=$lt_lt_NL2SP
 
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
+# convert \$build file names to \$host format.
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+
+# convert \$build files to toolchain format.
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
 
 # An object symbol dumper.
 OBJDUMP=$lt_OBJDUMP
@@ -21618,13 +24633,30 @@ OBJDUMP=$lt_OBJDUMP
 # Method to check whether dependent libraries are shared objects.
 deplibs_check_method=$lt_deplibs_check_method
 
-# Command to use when deplibs_check_method == "file_magic".
+# Command to use when deplibs_check_method = "file_magic".
 file_magic_cmd=$lt_file_magic_cmd
 
+# How to find potential files when deplibs_check_method = "file_magic".
+file_magic_glob=$lt_file_magic_glob
+
+# Find potential files using nocaseglob when deplibs_check_method = "file_magic".
+want_nocaseglob=$lt_want_nocaseglob
+
+# DLL creation program.
+DLLTOOL=$lt_DLLTOOL
+
+# Command to associate shared and link libraries.
+sharedlib_from_linklib_cmd=$lt_sharedlib_from_linklib_cmd
+
 # The archiver.
 AR=$lt_AR
+
+# Flags to create an archive.
 AR_FLAGS=$lt_AR_FLAGS
 
+# How to feed a file listing to the archiver.
+archiver_list_spec=$lt_archiver_list_spec
+
 # A symbol stripping program.
 STRIP=$lt_STRIP
 
@@ -21633,6 +24665,9 @@ RANLIB=$lt_RANLIB
 old_postinstall_cmds=$lt_old_postinstall_cmds
 old_postuninstall_cmds=$lt_old_postuninstall_cmds
 
+# Whether to use a lock for old archive extraction.
+lock_old_archive_extraction=$lock_old_archive_extraction
+
 # A C compiler.
 LTCC=$lt_CC
 
@@ -21651,14 +24686,14 @@ global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
 # Transform the output of nm in a C name address pair when lib prefix is needed.
 global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix
 
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
+# Specify filename containing input files for \$NM.
+nm_file_list_spec=$lt_nm_file_list_spec
 
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
+# The root where to search for dependent libraries,and in which our libraries should be installed.
+lt_sysroot=$lt_sysroot
 
-# An echo program that does not interpret backslashes.
-ECHO=$lt_ECHO
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
 
 # Used to examine libraries when file_magic_cmd begins with "file".
 MAGIC_CMD=$MAGIC_CMD
@@ -21666,6 +24701,9 @@ MAGIC_CMD=$MAGIC_CMD
 # Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
+# Manifest tool.
+MANIFEST_TOOL=$lt_MANIFEST_TOOL
+
 # Tool to manipulate archived DWARF debug symbol files on Mac OS X.
 DSYMUTIL=$lt_DSYMUTIL
 
@@ -21722,6 +24760,9 @@ library_names_spec=$lt_library_names_spec
 # The coded name of the library, if different from the real name.
 soname_spec=$lt_soname_spec
 
+# Permission mode override for installation of shared libraries.
+install_override_mode=$lt_install_override_mode
+
 # Command to use after installation of a shared archive.
 postinstall_cmds=$lt_postinstall_cmds
 
@@ -21761,6 +24802,10 @@ striplib=$lt_striplib
 # The linker used to build libraries.
 LD=$lt_LD
 
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
 # Commands used to build an old-style archive.
 old_archive_cmds=$lt_old_archive_cmds
 
@@ -21773,12 +24818,12 @@ with_gcc=$GCC
 # Compiler flag to turn off builtin functions.
 no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
 
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl
-
 # Additional compiler flags for building library objects.
 pic_flag=$lt_lt_prog_compiler_pic
 
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
+
 # Compiler flag to prevent dynamic linking.
 link_static_flag=$lt_lt_prog_compiler_static
 
@@ -21828,10 +24873,6 @@ no_undefined_flag=$lt_no_undefined_flag
 # This must work even if \$libdir does not exist
 hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
 
-# If ld is used when linking, flag to hardcode \$libdir into a binary
-# during linking.  This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
-
 # Whether we need a single "-rpath" flag with a separated argument.
 hardcode_libdir_separator=$lt_hardcode_libdir_separator
 
@@ -21865,9 +24906,6 @@ inherit_rpath=$inherit_rpath
 # Whether libtool must link a program against all its dependency libraries.
 link_all_deplibs=$link_all_deplibs
 
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path=$lt_fix_srcfile_path
-
 # Set to "yes" if exported symbols are required.
 always_export_symbols=$always_export_symbols
 
@@ -21883,6 +24921,9 @@ include_expsyms=$lt_include_expsyms
 # Commands necessary for linking programs (against libraries) with templates.
 prelink_cmds=$lt_prelink_cmds
 
+# Commands necessary for finishing linking programs.
+postlink_cmds=$lt_postlink_cmds
+
 # Specify filename containing input files.
 file_list_spec=$lt_file_list_spec
 
@@ -21915,212 +24956,169 @@ ltmain="$ac_aux_dir/ltmain.sh"
   # if finds mixed CR/LF and LF-only lines.  Since sed operates in
   # text mode, it properly converts lines to CR/LF.  This bash problem
   # is reportedly fixed, but why not run on old versions too?
-  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  case $xsi_shell in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result="${1##*/}"
-}
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-#   dirname:  Compute the dirname of FILE.  If nonempty,
-#             add APPEND to the result, otherwise set result
-#             to NONDIR_REPLACEMENT.
-#             value returned in "$func_dirname_result"
-#   basename: Compute filename of FILE.
-#             value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-  func_basename_result="${1##*/}"
-}
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-func_stripname ()
-{
-  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
-  # positional parameters, so assign one to ordinary parameter first.
-  func_stripname_result=${3}
-  func_stripname_result=${func_stripname_result#"${1}"}
-  func_stripname_result=${func_stripname_result%"${2}"}
-}
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=${1%%=*}
-  func_opt_split_arg=${1#*=}
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  case ${1} in
-    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
-    *)    func_lo2o_result=${1} ;;
-  esac
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=${1%.*}.lo
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=$(( $* ))
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=${#1}
-}
-
-_LT_EOF
-    ;;
-  *) # Bourne compatible functions.
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  # Extract subdirectory from the argument.
-  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
-  if test "X$func_dirname_result" = "X${1}"; then
-    func_dirname_result="${3}"
-  else
-    func_dirname_result="$func_dirname_result${2}"
-  fi
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
-}
-
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
-  case ${2} in
-    .*) func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
-    *)  func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
-  esac
-}
-
-# sed scripts:
-my_sed_long_opt='1s/^\(-[^=]*\)=.*/\1/;q'
-my_sed_long_arg='1s/^-[^=]*=//'
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
-  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[^.]*$/.lo/'`
-}
-
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=`expr "$@"`
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len`
-}
-
-_LT_EOF
-esac
-
-case $lt_shell_append in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$1+=\$2"
-}
-_LT_EOF
-    ;;
-  *)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$1=\$$1\$2"
-}
-
-_LT_EOF
-    ;;
-  esac
-
-
-  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  mv -f "$cfgfile" "$ofile" ||
+  sed '$q' "$ltmain" >> "$cfgfile" \
+     || (rm -f "$cfgfile"; exit 1)
+
+  if test x"$xsi_shell" = xyes; then
+  sed -e '/^func_dirname ()$/,/^} # func_dirname /c\
+func_dirname ()\
+{\
+\    case ${1} in\
+\      */*) func_dirname_result="${1%/*}${2}" ;;\
+\      *  ) func_dirname_result="${3}" ;;\
+\    esac\
+} # Extended-shell func_dirname implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_basename ()$/,/^} # func_basename /c\
+func_basename ()\
+{\
+\    func_basename_result="${1##*/}"\
+} # Extended-shell func_basename implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_dirname_and_basename ()$/,/^} # func_dirname_and_basename /c\
+func_dirname_and_basename ()\
+{\
+\    case ${1} in\
+\      */*) func_dirname_result="${1%/*}${2}" ;;\
+\      *  ) func_dirname_result="${3}" ;;\
+\    esac\
+\    func_basename_result="${1##*/}"\
+} # Extended-shell func_dirname_and_basename implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_stripname ()$/,/^} # func_stripname /c\
+func_stripname ()\
+{\
+\    # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are\
+\    # positional parameters, so assign one to ordinary parameter first.\
+\    func_stripname_result=${3}\
+\    func_stripname_result=${func_stripname_result#"${1}"}\
+\    func_stripname_result=${func_stripname_result%"${2}"}\
+} # Extended-shell func_stripname implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_split_long_opt ()$/,/^} # func_split_long_opt /c\
+func_split_long_opt ()\
+{\
+\    func_split_long_opt_name=${1%%=*}\
+\    func_split_long_opt_arg=${1#*=}\
+} # Extended-shell func_split_long_opt implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_split_short_opt ()$/,/^} # func_split_short_opt /c\
+func_split_short_opt ()\
+{\
+\    func_split_short_opt_arg=${1#??}\
+\    func_split_short_opt_name=${1%"$func_split_short_opt_arg"}\
+} # Extended-shell func_split_short_opt implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_lo2o ()$/,/^} # func_lo2o /c\
+func_lo2o ()\
+{\
+\    case ${1} in\
+\      *.lo) func_lo2o_result=${1%.lo}.${objext} ;;\
+\      *)    func_lo2o_result=${1} ;;\
+\    esac\
+} # Extended-shell func_lo2o implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_xform ()$/,/^} # func_xform /c\
+func_xform ()\
+{\
+    func_xform_result=${1%.*}.lo\
+} # Extended-shell func_xform implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_arith ()$/,/^} # func_arith /c\
+func_arith ()\
+{\
+    func_arith_result=$(( $* ))\
+} # Extended-shell func_arith implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_len ()$/,/^} # func_len /c\
+func_len ()\
+{\
+    func_len_result=${#1}\
+} # Extended-shell func_len implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+fi
+
+if test x"$lt_shell_append" = xyes; then
+  sed -e '/^func_append ()$/,/^} # func_append /c\
+func_append ()\
+{\
+    eval "${1}+=\\${2}"\
+} # Extended-shell func_append implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  sed -e '/^func_append_quoted ()$/,/^} # func_append_quoted /c\
+func_append_quoted ()\
+{\
+\    func_quote_for_eval "${2}"\
+\    eval "${1}+=\\\\ \\$func_quote_for_eval_result"\
+} # Extended-shell func_append_quoted implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+
+
+  # Save a `func_append' function call where possible by direct use of '+='
+  sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+else
+  # Save a `func_append' function call even when '+=' is not available
+  sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+fi
+
+if test x"$_lt_function_replace_fail" = x":"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to substitute extended shell functions in $ofile" >&5
+$as_echo "$as_me: WARNING: Unable to substitute extended shell functions in $ofile" >&2;}
+fi
+
+
+   mv -f "$cfgfile" "$ofile" ||
     (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
   chmod +x "$ofile"
 
@@ -22163,3 +25161,23 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
+
+# ========================
+#  report enabled plugins
+# ========================
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
+$as_echo "" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result:  strongSwan will be built with the following plugins" >&5
+$as_echo " strongSwan will be built with the following plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: -----------------------------------------------------" >&5
+$as_echo "-----------------------------------------------------" >&6; }
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libstrongswan:$s_plugins" >&5
+$as_echo "libstrongswan:$s_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libcharon:    $c_plugins" >&5
+$as_echo "libcharon:    $c_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libhydra:     $h_plugins" >&5
+$as_echo "libhydra:     $h_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
+$as_echo "" >&6; }
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 000000000..a2be84495
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,1486 @@
+#
+# Copyright (C) 2007-2013 Tobias Brunner
+# Copyright (C) 2006-2013 Andreas Steffen
+# Copyright (C) 2006-2013 Martin Willi
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+
+# ============================
+#  initialize & set some vars
+# ============================
+
+AC_INIT([strongSwan],[5.1.0])
+AM_INIT_AUTOMAKE(tar-ustar)
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
+AC_CONFIG_MACRO_DIR([m4/config])
+AC_CONFIG_HEADERS([config.h])
+AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
+PKG_PROG_PKG_CONFIG
+
+# =================================
+#  check --enable-xxx & --with-xxx
+# =================================
+
+m4_include(m4/macros/with.m4)
+
+ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
+ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
+ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
+ARG_WITH_SUBST([resolv-conf],        [${sysconfdir}/resolv.conf], [set the file to use in DNS handler plugin])
+ARG_WITH_SUBST([piddir],             [/var/run], [set path for PID and UNIX socket files])
+ARG_WITH_SUBST([ipsecdir],           [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
+ARG_WITH_SUBST([ipseclibdir],        [${libdir%/}/ipsec], [set installation path for ipsec libraries])
+ARG_WITH_SUBST([plugindir],          [${ipseclibdir%/}/plugins], [set the installation path of plugins])
+ARG_WITH_SUBST([imcvdir],            [${ipseclibdir%/}/imcvs], [set the installation path of IMC and IMV dynamic librariers])
+ARG_WITH_SUBST([nm-ca-dir],          [/usr/share/ca-certificates], [directory the NM backend uses to look up trusted root certificates])
+ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set directory of linux header files to use])
+ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
+ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
+ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
+ARG_WITH_SUBST([fips-mode],          [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
+
+ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
+ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
+ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
+ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
+
+if test -n "$PKG_CONFIG"; then
+	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
+fi
+ARG_WITH_SET([systemdsystemunitdir], [$systemdsystemunitdir_default], [directory for systemd service files])
+AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno])
+AC_SUBST(systemdsystemunitdir)
+
+AC_ARG_WITH(
+	[user],
+	AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is "root").]),
+	[AC_DEFINE_UNQUOTED([IPSEC_USER], "$withval", [username to run daemon with])
+	 AC_SUBST(ipsecuser, "$withval")],
+	[AC_SUBST(ipsecuser, "root")]
+)
+
+AC_ARG_WITH(
+	[group],
+	AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is "root").]),
+	[AC_DEFINE_UNQUOTED(IPSEC_GROUP, "$withval", [groupname to run daemon with])
+	 AC_SUBST(ipsecgroup, "$withval")],
+	[AC_SUBST(ipsecgroup, "root")]
+)
+
+AC_ARG_WITH(
+	[charon-udp-port],
+	AS_HELP_STRING([--with-charon-udp-port=port],[UDP port used by charon locally (default 500). Set to 0 to allocate randomly.]),
+	[AC_DEFINE_UNQUOTED(CHARON_UDP_PORT, [$withval], [UDP port used by charon locally])
+	 AC_SUBST(charon_udp_port, [$withval])],
+	[AC_SUBST(charon_udp_port, 500)]
+)
+
+AC_ARG_WITH(
+	[charon-natt-port],
+	AS_HELP_STRING([--with-charon-natt-port=port],[UDP port used by charon locally in case a NAT is detected (must be different from charon-udp-port, default 4500). Set to 0 to allocate randomly.]),
+	[AC_DEFINE_UNQUOTED(CHARON_NATT_PORT, [$withval], [UDP post used by charon locally in case a NAT is detected])
+	 AC_SUBST(charon_natt_port, [$withval])],
+	[AC_SUBST(charon_natt_port, 4500)]
+)
+
+AC_MSG_CHECKING([configured UDP ports ($charon_udp_port, $charon_natt_port)])
+if test x$charon_udp_port != x0 -a x$charon_udp_port = x$charon_natt_port; then
+	AC_MSG_ERROR(the ports have to be different)
+else
+	AC_MSG_RESULT(ok)
+fi
+
+# convert script name to uppercase
+AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
+
+m4_include(m4/macros/enable-disable.m4)
+
+ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
+ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
+ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
+ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
+ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
+ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
+ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
+ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
+ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
+ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
+ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
+ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
+ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
+ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
+ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
+ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
+ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
+ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
+ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
+ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
+ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
+ARG_DISBL_SET([pkcs12],         [disable PKCS12 container support plugin.])
+ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
+ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_DISBL_SET([sshkey],         [disable SSH key decoding plugin.])
+ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
+ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
+ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
+ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
+ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
+ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
+ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
+ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
+ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
+ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
+ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
+ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
+ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
+ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
+ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
+ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
+ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
+ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
+ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
+ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
+ARG_ENABL_SET([eap-sim-pcsc],   [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.])
+ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
+ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
+ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
+ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
+ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
+ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
+ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authentication module.])
+ARG_ENABL_SET([eap-gtc],        [enable EAP GTC authentication module.])
+ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authentication module.])
+ARG_ENABL_SET([eap-tls],        [enable EAP TLS authentication module.])
+ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
+ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
+ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
+ARG_ENABL_SET([eap-dynamic],    [enable dynamic EAP proxy module.])
+ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
+ARG_ENABL_SET([xauth-eap],      [enable XAuth backend using EAP methods to verify passwords.])
+ARG_ENABL_SET([xauth-pam],      [enable XAuth backend using PAM to verify passwords.])
+ARG_ENABL_SET([xauth-noauth],   [enable XAuth pseudo-backend that does not actually verify or even request any credentials.])
+ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module. Requires libxml])
+ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
+ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
+ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
+ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module. Requires libxml])
+ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
+ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
+ARG_ENABL_SET([imc-test],       [enable IMC test module.])
+ARG_ENABL_SET([imv-test],       [enable IMV test module.])
+ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
+ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
+ARG_ENABL_SET([imc-os],         [enable IMC operating system module.])
+ARG_ENABL_SET([imv-os],         [enable IMV operating system module.])
+ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
+ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
+ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
+ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
+ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
+ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
+ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.])
+ARG_ENABL_SET([libipsec],       [enable user space IPsec implementation.])
+ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
+ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
+ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
+ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
+ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
+ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
+ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
+ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
+ARG_DISBL_SET([load-warning],   [disable the charon plugin load option warning in starter.])
+ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
+ARG_DISBL_SET([ikev2],          [disable IKEv2 protocol support in charon.])
+ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
+ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
+ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
+ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
+ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
+ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
+ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
+ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
+ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
+ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
+ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
+ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
+ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
+ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
+ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
+ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
+ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
+ARG_ENABL_SET([osx-attr],       [enable OS X SystemConfiguration attribute handler.])
+ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
+ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
+ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
+ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
+ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
+ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
+ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
+ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
+ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
+ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
+ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
+ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
+ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
+ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
+ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
+ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
+ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
+ARG_ENABL_SET([unit-tests],     [enable unit tests using the check test framework.])
+ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
+ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
+ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
+
+# ===================================
+#  option to disable default options
+# ===================================
+
+ARG_DISBL_SET([defaults],       [disable all default plugins (they can be enabled with their respective --enable options)])
+
+if test x$defaults = xfalse; then
+	for option in $enabled_by_default; do
+		eval test x\${${option}_given} = xtrue && continue
+		let $option=false
+	done
+fi
+
+# ===========================
+#  set up compiler and flags
+# ===========================
+
+if test -z "$CFLAGS"; then
+	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
+fi
+AC_PROG_CC
+AM_PROG_CC_C_O
+
+AC_LIB_PREFIX
+AC_C_BIGENDIAN
+
+# =========================
+#  check required programs
+# =========================
+
+LT_INIT
+AC_PROG_INSTALL
+AC_PROG_EGREP
+AC_PROG_AWK
+AC_PROG_LEX
+AC_PROG_YACC
+AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+
+# because gperf is not needed by end-users we just report it but do not abort on failure
+AC_MSG_CHECKING([gperf version >= 3.0.0])
+if test -x "$GPERF"; then
+	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
+		AC_MSG_RESULT([yes])
+	else
+		AC_MSG_RESULT([no])
+	fi
+else
+	AC_MSG_RESULT([not found])
+fi
+
+# ========================
+#  dependency calculation
+# ========================
+
+if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
+	xauth_generic=false;
+fi
+
+if test x$kernel_libipsec = xtrue; then
+	libipsec=true;
+fi
+
+if test x$eap_aka_3gpp2 = xtrue; then
+	gmp=true;
+fi
+
+if test x$eap_aka = xtrue; then
+	fips_prf=true;
+	simaka=true;
+fi
+
+if test x$eap_sim = xtrue; then
+	fips_prf=true;
+	simaka=true;
+fi
+
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
+	tls=true;
+fi
+
+if test x$eap_radius = xtrue -o x$radattr = xtrue -o x$tnc_pdp = xtrue; then
+	radius=true;
+fi
+
+if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then
+	tnc_tnccs=true;
+fi
+
+if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_os = xtrue -o x$imv_os = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+	imcv=true;
+fi
+
+if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
+	pts=true;
+fi
+
+if test x$fips_prf = xtrue; then
+	if test x$openssl = xfalse; then
+		sha1=true;
+	fi
+fi
+
+if test x$smp = xtrue -o x$tnccs_11 = xtrue -o x$tnc_ifmap = xtrue; then
+	xml=true
+fi
+
+if test x$manager = xtrue; then
+	fast=true
+fi
+
+if test x$medsrv = xtrue; then
+	mediation=true
+	fast=true
+fi
+
+if test x$medcli = xtrue; then
+	mediation=true
+fi
+
+if test x$coverage = xtrue; then
+	unit_tests=true
+fi
+
+# ===========================================
+#  check required libraries and header files
+# ===========================================
+
+AC_HEADER_STDBOOL
+AC_FUNC_ALLOCA
+AC_FUNC_STRERROR_R
+
+#  libraries needed on some platforms but not on others
+# ------------------------------------------------------
+saved_LIBS=$LIBS
+
+# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
+LIBS=""
+AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
+AC_SUBST(DLLIB)
+
+# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
+LIBS=""
+AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
+AC_CHECK_FUNCS(backtrace)
+AC_SUBST(BTLIB)
+
+# OpenSolaris needs libsocket and libnsl for socket()
+LIBS=""
+AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
+	[AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
+)
+AC_SUBST(SOCKLIB)
+
+# FreeBSD has clock_gettime in libc, Linux needs librt
+LIBS=""
+AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
+AC_CHECK_FUNCS(clock_gettime)
+AC_SUBST(RTLIB)
+
+# Android has pthread_* functions in bionic (libc), others need libpthread
+LIBS=""
+AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
+AC_SUBST(PTHREADLIB)
+
+LIBS=$saved_LIBS
+# ------------------------------------------------------
+
+AC_MSG_CHECKING(for dladdr)
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#define _GNU_SOURCE
+		  #include <dlfcn.h>]],
+		[[Dl_info* info = 0;
+		  dladdr(0, info);]])],
+	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR], [], [have dladdr()])],
+	[AC_MSG_RESULT([no])]
+)
+
+# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
+saved_LIBS=$LIBS
+LIBS=$PTHREADLIB
+AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
+AC_RUN_IFELSE(
+	[AC_LANG_SOURCE(
+		[[#include <pthread.h>
+		  int main() { pthread_condattr_t attr;
+			pthread_condattr_init(&attr);
+			return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
+			   [pthread_condattr_setclock supports CLOCK_MONOTONIC])],
+	[AC_MSG_RESULT([no])],
+	# Check existence of pthread_condattr_setclock if cross-compiling
+	[AC_MSG_RESULT([unknown]);
+	 AC_CHECK_FUNCS(pthread_condattr_setclock,
+		[AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
+				   [have pthread_condattr_setclock()])]
+	)]
+)
+# check if we actually are able to configure attributes on cond vars
+AC_CHECK_FUNCS(pthread_condattr_init)
+# instead of pthread_condattr_setclock Android has this function
+AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
+# check if we can cancel threads
+AC_CHECK_FUNCS(pthread_cancel)
+# check if native rwlocks are available
+AC_CHECK_FUNCS(pthread_rwlock_init)
+# check if pthread spinlocks are available
+AC_CHECK_FUNCS(pthread_spin_init)
+# check if we have POSIX semaphore functions, including timed-wait
+AC_CHECK_FUNCS(sem_timedwait)
+LIBS=$saved_LIBS
+
+AC_CHECK_FUNC(
+	[gettid],
+	[AC_DEFINE([HAVE_GETTID], [], [have gettid()])],
+	[AC_MSG_CHECKING([for SYS_gettid])
+	 AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <unistd.h>
+			  #include <sys/syscall.h>]],
+			[[int main() {
+			  return syscall(SYS_gettid);}]])],
+		[AC_MSG_RESULT([yes]);
+		 AC_DEFINE([HAVE_GETTID], [], [have gettid()])
+		 AC_DEFINE([HAVE_SYS_GETTID], [], [have syscall(SYS_gettid)])],
+		[AC_MSG_RESULT([no])]
+	)]
+)
+
+AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
+
+AC_CHECK_HEADERS(sys/sockio.h glob.h)
+AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
+AC_CHECK_HEADERS(netinet/ip6.h, [], [],
+[
+	#include <sys/types.h>
+	#include <netinet/in.h>
+])
+
+AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
+[
+	#include <sys/types.h>
+	#include <sys/socket.h>
+])
+
+AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
+[
+	#include <sys/types.h>
+	#ifdef HAVE_NET_PFKEYV2_H
+	#include <net/pfkeyv2.h>
+	#else
+	#include <stdint.h>
+	#include <linux/pfkeyv2.h>
+	#endif
+])
+
+AC_MSG_CHECKING([for in6addr_any])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>]],
+		[[struct in6_addr in6;
+		  in6 = in6addr_any;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IN6ADDR_ANY], [], [have struct in6_addr in6addr_any])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for in6_pktinfo])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#define _GNU_SOURCE
+		  #include <sys/types.h>
+		  #include <sys/socket.h>
+		  #include <netinet/in.h>]],
+		[[struct in6_pktinfo pi;
+		  if (pi.ipi6_ifindex)
+		  {
+		    return 0;
+		  }]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IN6_PKTINFO], [], [have struct in6_pktinfo.ipi6_ifindex])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for IPSEC_MODE_BEET])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif]],
+		[[int mode = IPSEC_MODE_BEET;
+		  return mode;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IPSEC_MODE_BEET], [], [have IPSEC_MODE_BEET defined])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for IPSEC_DIR_FWD])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/types.h>
+		  #ifdef HAVE_NETIPSEC_IPSEC_H
+		  #include <netipsec/ipsec.h>
+		  #elif defined(HAVE_NETINET6_IPSEC_H)
+		  #include <netinet6/ipsec.h>
+		  #else
+		  #include <stdint.h>
+		  #include <linux/ipsec.h>
+		  #endif]],
+		[[int dir = IPSEC_DIR_FWD;
+		  return dir;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_IPSEC_DIR_FWD], [], [have IPSEC_DIR_FWD defined])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for RTA_TABLE])
+AC_COMPILE_IFELSE(
+	[AC_LANG_PROGRAM(
+		[[#include <sys/socket.h>
+		  #include <linux/netlink.h>
+		  #include <linux/rtnetlink.h>]],
+		[[int rta_type = RTA_TABLE;
+		  return rta_type;]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_RTA_TABLE], [], [have netlink RTA_TABLE defined])],
+	[AC_MSG_RESULT([no])]
+)
+
+AC_MSG_CHECKING([for gcc atomic operations])
+AC_RUN_IFELSE([AC_LANG_SOURCE(
+	[[
+			int main() {
+			volatile int ref = 1;
+			__sync_fetch_and_add (&ref, 1);
+			__sync_sub_and_fetch (&ref, 1);
+			/* Make sure test fails if operations are not supported */
+			__sync_val_compare_and_swap(&ref, 1, 0);
+			return ref;
+		}
+	]])],
+	[AC_MSG_RESULT([yes]);
+	 AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
+		   [have GCC __sync_* atomic operations])],
+	[AC_MSG_RESULT([no])],
+	[AC_MSG_RESULT([no])]
+)
+
+# check for the new register_printf_specifier function with len argument,
+# or the deprecated register_printf_function without
+AC_CHECK_FUNC(
+	[register_printf_specifier],
+	[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
+	[AC_CHECK_FUNC(
+		[register_printf_function],
+		[AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])],
+		[
+			AC_MSG_NOTICE([printf does not support custom format specifiers!])
+			vstr=true
+		]
+	)]
+)
+
+if test x$vstr = xtrue; then
+	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
+	AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks])
+fi
+
+if test x$gmp = xtrue; then
+	saved_LIBS=$LIBS
+	AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
+	AC_MSG_CHECKING([mpz_powm_sec])
+	if test x$mpz_powm_sec = xyes; then
+		AC_COMPILE_IFELSE(
+			[AC_LANG_PROGRAM(
+				[[#include "gmp.h"]],
+				[[void *x = mpz_powm_sec;]])],
+			[AC_MSG_RESULT([yes]);
+			 AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])],
+			[AC_MSG_RESULT([no])]
+		)
+	else
+		AC_MSG_RESULT([disabled])
+	fi
+	LIBS=$saved_LIBS
+	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include "gmp.h"]],
+			[[
+				#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+					#error bad gmp
+				#endif]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
+	)
+fi
+
+if test x$ldap = xtrue; then
+	AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
+	AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
+	AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
+fi
+
+if test x$curl = xtrue; then
+	AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
+	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
+fi
+
+if test x$unbound = xtrue; then
+	AC_HAVE_LIBRARY([ldns],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])])
+	AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
+	AC_HAVE_LIBRARY([unbound],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])])
+	AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
+fi
+
+if test x$soup = xtrue; then
+	PKG_CHECK_MODULES(soup, [libsoup-2.4])
+	AC_SUBST(soup_CFLAGS)
+	AC_SUBST(soup_LIBS)
+fi
+
+if test x$xml = xtrue; then
+	PKG_CHECK_MODULES(xml, [libxml-2.0])
+	AC_SUBST(xml_CFLAGS)
+	AC_SUBST(xml_LIBS)
+fi
+
+if test x$tss = xtrousers; then
+	AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
+	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
+	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
+fi
+
+if test x$dumm = xtrue; then
+	PKG_CHECK_MODULES(gtk, [gtk+-2.0 vte])
+	AC_SUBST(gtk_CFLAGS)
+	AC_SUBST(gtk_LIBS)
+	AC_CHECK_PROGS(RUBY, ruby)
+	AC_MSG_CHECKING([for Ruby header files])
+	if test -n "$RUBY"; then
+		RUBYINCLUDE=
+		RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["rubyhdrdir"]] || ""') 2>/dev/null`
+		if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+			RUBYARCH=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["arch"]] || ""') 2>/dev/null`
+			if test -n "$RUBYARCH"; then
+				AC_MSG_RESULT([$RUBYDIR])
+				RUBYINCLUDE="-I$RUBYDIR -I$RUBYDIR/$RUBYARCH"
+			fi
+		else
+			RUBYDIR=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["archdir"]] || ""') 2>/dev/null`
+			if test -n "$RUBYDIR" -a -r "$RUBYDIR/ruby.h"; then
+				AC_MSG_RESULT([$RUBYDIR])
+				RUBYINCLUDE="-I$RUBYDIR"
+			fi
+		fi
+		if test -z "$RUBYINCLUDE"; then
+			AC_MSG_ERROR([ruby.h not found])
+		fi
+		AC_SUBST(RUBYINCLUDE)
+	else
+		AC_MSG_ERROR([don't know how to run ruby])
+	fi
+	AC_MSG_CHECKING([for libruby])
+	saved_LIBS=$LIBS
+	LIBS=`($RUBY -r rbconfig -e 'print RbConfig::CONFIG[["LIBRUBYARG_SHARED"]] || ""') 2>/dev/null`
+	AC_TRY_LINK_FUNC(ruby_init,
+		[AC_MSG_RESULT([$LIBS]); RUBYLIB=$LIBS],
+		[AC_MSG_ERROR([not found])])
+	AC_SUBST(RUBYLIB)
+	AC_CHECK_FUNCS(rb_errinfo)
+	LIBS=$saved_LIBS
+fi
+
+if test x$fast = xtrue; then
+	AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
+	AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
+	AC_MSG_CHECKING([ClearSilver requires zlib])
+	saved_CFLAGS=$CFLAGS
+	saved_LIBS=$LIBS
+	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
+	CFLAGS="-I/usr/include/ClearSilver"
+	AC_LINK_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <ClearSilver.h>]],
+			[[NEOERR *err = cgi_display(NULL, NULL);]])],
+		[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
+		[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
+	)
+	AC_SUBST(clearsilver_LIBS)
+	LIBS=$saved_LIBS
+	CFLAGS=$saved_CFLAGS
+# autoconf does not like CamelCase!? How to fix this?
+#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
+
+	AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
+	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
+fi
+
+if test x$mysql = xtrue; then
+	AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$MYSQLCONFIG = x; then
+		AC_MSG_ERROR([mysql_config not found!])
+	fi
+	AC_SUBST(MYSQLLIB, `$MYSQLCONFIG --libs_r`)
+	AC_SUBST(MYSQLCFLAG, `$MYSQLCONFIG --cflags`)
+fi
+
+if test x$sqlite = xtrue; then
+	AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
+	AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
+	AC_MSG_CHECKING([sqlite3_prepare_v2])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <sqlite3.h>]],
+			[[void *test = sqlite3_prepare_v2;]])],
+		[AC_MSG_RESULT([yes]);
+		 AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()])],
+		[AC_MSG_RESULT([no])]
+	)
+	AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <sqlite3.h>]],
+			[[
+				#if SQLITE_VERSION_NUMBER < 3003001
+					#error bad sqlite
+				#endif]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])]
+	)
+fi
+
+if test x$openssl = xtrue; then
+	AC_CHECK_LIB([crypto],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])],[])
+	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
+fi
+
+if test x$gcrypt = xtrue; then
+	AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
+	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
+	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#include <gcrypt.h>]],
+			[[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;]])],
+		[AC_MSG_RESULT([yes]);
+		 AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA], [], [have GCRY_CIPHER_CAMELLIA128])],
+		[AC_MSG_RESULT([no])]
+	)
+fi
+
+if test x$uci = xtrue; then
+	AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
+	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
+fi
+
+if test x$android_dns = xtrue; then
+	AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
+	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
+	# we have to force the use of libdl here because the autodetection
+	# above does not work correctly when cross-compiling for android.
+	DLLIB="-ldl"
+	AC_SUBST(DLLIB)
+fi
+
+if test x$maemo = xtrue; then
+	PKG_CHECK_MODULES(maemo, [glib-2.0 gthread-2.0 libosso osso-af-settings])
+	AC_SUBST(maemo_CFLAGS)
+	AC_SUBST(maemo_LIBS)
+	dbusservicedir="/usr/share/dbus-1/system-services"
+	AC_SUBST(dbusservicedir)
+fi
+
+if test x$eap_sim_pcsc = xtrue; then
+	PKG_CHECK_MODULES(pcsclite, [libpcsclite])
+	AC_SUBST(pcsclite_CFLAGS)
+	AC_SUBST(pcsclite_LIBS)
+fi
+
+if test x$nm = xtrue; then
+	PKG_CHECK_EXISTS([libnm-glib],
+		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn])],
+		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn])]
+	)
+	AC_SUBST(nm_CFLAGS)
+	AC_SUBST(nm_LIBS)
+fi
+
+if test x$xauth_pam = xtrue; then
+	AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
+	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
+fi
+
+if test x$capabilities = xnative; then
+	AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
+	# Linux requires the following for capset(), Android does not have it,
+	# but defines capset() in unistd.h instead.
+	AC_CHECK_HEADERS([sys/capability.h])
+	AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
+	AC_DEFINE([CAPABILITIES_NATIVE], [], [have native linux capset()])
+fi
+
+if test x$capabilities = xlibcap; then
+	AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
+	AC_CHECK_HEADER([sys/capability.h],
+		[AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
+		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
+	AC_DEFINE([CAPABILITIES_LIBCAP], [], [have libpcap library])
+fi
+
+if test x$integrity_test = xtrue; then
+	AC_MSG_CHECKING([for dladdr()])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <dlfcn.h>]],
+			[[Dl_info info; dladdr(main, &info);]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]);
+		 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
+	)
+	AC_MSG_CHECKING([for dl_iterate_phdr()])
+	AC_COMPILE_IFELSE(
+		[AC_LANG_PROGRAM(
+			[[#define _GNU_SOURCE
+			  #include <link.h>]],
+			[[dl_iterate_phdr((void*)0, (void*)0);]])],
+		[AC_MSG_RESULT([yes])],
+		[AC_MSG_RESULT([no]);
+		 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
+	)
+fi
+
+if test x$bfd_backtraces = xtrue; then
+	AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
+	AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
+		[AC_MSG_ERROR([binutils bfd.h header not found!])])
+	BFDLIB="-lbfd"
+	AC_SUBST(BFDLIB)
+fi
+
+if test x$unwind_backtraces = xtrue; then
+	AC_CHECK_LIB([unwind],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libunwind not found!])],[])
+	AC_CHECK_HEADER([libunwind.h],[AC_DEFINE([HAVE_LIBUNWIND_H],,[have libunwind.h])],
+		[AC_MSG_ERROR([libunwind.h header not found!])])
+	UNWINDLIB="-lunwind"
+	AC_SUBST(UNWINDLIB)
+fi
+
+AM_CONDITIONAL(USE_DEV_HEADERS, [test "x$dev_headers" != xno])
+if test x$dev_headers = xyes; then
+	dev_headers="$includedir/strongswan"
+fi
+AC_SUBST(dev_headers)
+
+CFLAGS="$CFLAGS -include `pwd`/config.h"
+
+if test x$tkm = xtrue; then
+	AC_PATH_PROG([GPRBUILD], [gprbuild], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+fi
+
+if test x$unit_tests = xtrue; then
+	PKG_CHECK_MODULES(CHECK, [check >= 0.9.4])
+	AC_SUBST(CHECK_CFLAGS)
+	AC_SUBST(CHECK_LIBS)
+fi
+
+if test x$coverage = xtrue; then
+	AC_PATH_PROG([LCOV], [lcov], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$LCOV = x; then
+		AC_MSG_ERROR([lcov not found])
+	fi
+	AC_PATH_PROG([GENHTML], [genhtml], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+	if test x$GENHTML = x; then
+		AC_MSG_ERROR([genhtml not found])
+	fi
+
+	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage"
+	COVERAGE_LDFLAGS="-fprofile-arcs"
+	AC_SUBST(COVERAGE_CFLAGS)
+	AC_SUBST(COVERAGE_LDFLAGS)
+
+	AC_MSG_NOTICE([coverage enabled, adding "-g -O0" to CFLAGS])
+	CFLAGS="${CFLAGS} -g -O0"
+fi
+
+# ===============================================
+#  collect plugin list for strongSwan components
+# ===============================================
+
+m4_include(m4/macros/add-plugin.m4)
+
+# plugin lists for all components
+charon_plugins=
+starter_plugins=
+pool_plugins=
+attest_plugins=
+openac_plugins=
+scepclient_plugins=
+pki_plugins=
+scripts_plugins=
+manager_plugins=
+medsrv_plugins=
+nm_plugins=
+cmd_plugins=
+
+# location specific lists for checksumming,
+# for src/libcharon, src/libhydra and src/libstrongswan
+c_plugins=
+h_plugins=
+s_plugins=
+
+ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
+ADD_PLUGIN([curl],                 [s charon scepclient scripts nm cmd])
+ADD_PLUGIN([soup],                 [s charon scripts nm cmd])
+ADD_PLUGIN([unbound],              [s charon scripts])
+ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
+ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
+ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
+ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
+ADD_PLUGIN([aes],                  [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([des],                  [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([blowfish],             [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([rc2],                  [s charon openac scepclient pki scripts nm cmd])
+ADD_PLUGIN([sha1],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([sha2],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([md4],                  [s charon openac manager scepclient pki nm cmd])
+ADD_PLUGIN([md5],                  [s charon openac scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([rdrand],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([random],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([nonce],                [s charon nm cmd])
+ADD_PLUGIN([x509],                 [s charon openac scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([revocation],           [s charon nm cmd])
+ADD_PLUGIN([constraints],          [s charon nm cmd])
+ADD_PLUGIN([pubkey],               [s charon cmd])
+ADD_PLUGIN([pkcs1],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs7],                [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs12],               [s charon scepclient pki scripts cmd])
+ADD_PLUGIN([pgp],                  [s charon])
+ADD_PLUGIN([dnskey],               [s charon])
+ADD_PLUGIN([sshkey],               [s charon nm cmd])
+ADD_PLUGIN([ipseckey],             [c charon])
+ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([padlock],              [s charon])
+ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gcrypt],               [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([fips-prf],             [s charon nm cmd])
+ADD_PLUGIN([gmp],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([agent],                [s charon nm cmd])
+ADD_PLUGIN([keychain],             [s charon cmd])
+ADD_PLUGIN([xcbc],                 [s charon nm cmd])
+ADD_PLUGIN([cmac],                 [s charon nm cmd])
+ADD_PLUGIN([hmac],                 [s charon scripts nm cmd])
+ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
+ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
+ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
+ADD_PLUGIN([attr],                 [h charon])
+ADD_PLUGIN([attr-sql],             [h charon])
+ADD_PLUGIN([load-tester],          [c charon])
+ADD_PLUGIN([kernel-libipsec],      [c charon cmd])
+ADD_PLUGIN([kernel-pfkey],         [h charon starter nm cmd])
+ADD_PLUGIN([kernel-pfroute],       [h charon starter nm cmd])
+ADD_PLUGIN([kernel-klips],         [h charon starter])
+ADD_PLUGIN([kernel-netlink],       [h charon starter nm cmd])
+ADD_PLUGIN([resolve],              [h charon cmd])
+ADD_PLUGIN([socket-default],       [c charon nm cmd])
+ADD_PLUGIN([socket-dynamic],       [c charon cmd])
+ADD_PLUGIN([farp],                 [c charon])
+ADD_PLUGIN([stroke],               [c charon])
+ADD_PLUGIN([smp],                  [c charon])
+ADD_PLUGIN([sql],                  [c charon])
+ADD_PLUGIN([updown],               [c charon])
+ADD_PLUGIN([eap-identity],         [c charon nm cmd])
+ADD_PLUGIN([eap-sim],              [c charon])
+ADD_PLUGIN([eap-sim-file],         [c charon])
+ADD_PLUGIN([eap-sim-pcsc],         [c charon])
+ADD_PLUGIN([eap-aka],              [c charon])
+ADD_PLUGIN([eap-aka-3gpp2],        [c charon])
+ADD_PLUGIN([eap-simaka-sql],       [c charon])
+ADD_PLUGIN([eap-simaka-pseudonym], [c charon])
+ADD_PLUGIN([eap-simaka-reauth],    [c charon])
+ADD_PLUGIN([eap-md5],              [c charon nm cmd])
+ADD_PLUGIN([eap-gtc],              [c charon nm cmd])
+ADD_PLUGIN([eap-mschapv2],         [c charon nm cmd])
+ADD_PLUGIN([eap-dynamic],          [c charon])
+ADD_PLUGIN([eap-radius],           [c charon])
+ADD_PLUGIN([eap-tls],              [c charon nm cmd])
+ADD_PLUGIN([eap-ttls],             [c charon nm cmd])
+ADD_PLUGIN([eap-peap],             [c charon nm cmd])
+ADD_PLUGIN([eap-tnc],              [c charon])
+ADD_PLUGIN([xauth-generic],        [c charon cmd])
+ADD_PLUGIN([xauth-eap],            [c charon])
+ADD_PLUGIN([xauth-pam],            [c charon])
+ADD_PLUGIN([xauth-noauth],         [c charon])
+ADD_PLUGIN([tnc-ifmap],            [c charon])
+ADD_PLUGIN([tnc-pdp],              [c charon])
+ADD_PLUGIN([tnc-imc],              [c charon])
+ADD_PLUGIN([tnc-imv],              [c charon])
+ADD_PLUGIN([tnc-tnccs],            [c charon])
+ADD_PLUGIN([tnccs-20],             [c charon])
+ADD_PLUGIN([tnccs-11],             [c charon])
+ADD_PLUGIN([tnccs-dynamic],        [c charon])
+ADD_PLUGIN([medsrv],               [c charon])
+ADD_PLUGIN([medcli],               [c charon])
+ADD_PLUGIN([dhcp],                 [c charon])
+ADD_PLUGIN([osx-attr],             [c charon cmd])
+ADD_PLUGIN([android-dns],          [c charon])
+ADD_PLUGIN([android-log],          [c charon])
+ADD_PLUGIN([ha],                   [c charon])
+ADD_PLUGIN([whitelist],            [c charon])
+ADD_PLUGIN([lookip],               [c charon])
+ADD_PLUGIN([error-notify],         [c charon])
+ADD_PLUGIN([certexpire],           [c charon])
+ADD_PLUGIN([systime-fix],          [c charon])
+ADD_PLUGIN([led],                  [c charon])
+ADD_PLUGIN([duplicheck],           [c charon])
+ADD_PLUGIN([coupling],             [c charon])
+ADD_PLUGIN([radattr],              [c charon])
+ADD_PLUGIN([maemo],                [c charon])
+ADD_PLUGIN([uci],                  [c charon])
+ADD_PLUGIN([addrblock],            [c charon])
+ADD_PLUGIN([unity],                [c charon])
+ADD_PLUGIN([unit-tester],          [c charon])
+
+AC_SUBST(charon_plugins)
+AC_SUBST(starter_plugins)
+AC_SUBST(pool_plugins)
+AC_SUBST(attest_plugins)
+AC_SUBST(openac_plugins)
+AC_SUBST(scepclient_plugins)
+AC_SUBST(pki_plugins)
+AC_SUBST(scripts_plugins)
+AC_SUBST(manager_plugins)
+AC_SUBST(medsrv_plugins)
+AC_SUBST(nm_plugins)
+AC_SUBST(cmd_plugins)
+
+AC_SUBST(c_plugins)
+AC_SUBST(h_plugins)
+AC_SUBST(s_plugins)
+
+# ======================
+#  set Makefile.am vars
+# ======================
+
+#  libstrongswan plugins
+# -----------------------
+AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
+AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
+AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
+AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
+AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
+AM_CONDITIONAL(USE_DES, test x$des = xtrue)
+AM_CONDITIONAL(USE_BLOWFISH, test x$blowfish = xtrue)
+AM_CONDITIONAL(USE_RC2, test x$rc2 = xtrue)
+AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
+AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
+AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
+AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
+AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
+AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
+AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
+AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue)
+AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
+AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
+AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
+AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
+AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
+AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
+AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
+AM_CONDITIONAL(USE_PKCS12, test x$pkcs12 = xtrue)
+AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
+AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
+AM_CONDITIONAL(USE_SSHKEY, test x$sshkey = xtrue)
+AM_CONDITIONAL(USE_PEM, test x$pem = xtrue)
+AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
+AM_CONDITIONAL(USE_CMAC, test x$cmac = xtrue)
+AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
+AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
+AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
+AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
+AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
+AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
+AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
+AM_CONDITIONAL(USE_KEYCHAIN, test x$keychain = xtrue)
+AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
+AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
+AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
+AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
+AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
+
+#  charon plugins
+# ----------------
+AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
+AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
+AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
+AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
+AM_CONDITIONAL(USE_OSX_ATTR, test x$osx_attr = xtrue)
+AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
+AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
+AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
+AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
+AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
+AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
+AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
+AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
+AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
+AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
+AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
+AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue)
+AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
+AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
+AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
+AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
+AM_CONDITIONAL(USE_SYSTIME_FIX, test x$systime_fix = xtrue)
+AM_CONDITIONAL(USE_LED, test x$led = xtrue)
+AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
+AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
+AM_CONDITIONAL(USE_RADATTR, test x$radattr = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
+AM_CONDITIONAL(USE_EAP_SIM_PCSC, test x$eap_sim_pcsc = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
+AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
+AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
+AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
+AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
+AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
+AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
+AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
+AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
+AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
+AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
+AM_CONDITIONAL(USE_EAP_DYNAMIC, test x$eap_dynamic = xtrue)
+AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
+AM_CONDITIONAL(USE_XAUTH_GENERIC, test x$xauth_generic = xtrue)
+AM_CONDITIONAL(USE_XAUTH_EAP, test x$xauth_eap = xtrue)
+AM_CONDITIONAL(USE_XAUTH_PAM, test x$xauth_pam = xtrue)
+AM_CONDITIONAL(USE_XAUTH_NOAUTH, test x$xauth_noauth = xtrue)
+AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
+AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
+AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
+AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
+AM_CONDITIONAL(USE_TNC_TNCCS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
+AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
+AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue)
+AM_CONDITIONAL(USE_IMC_TEST, test x$imc_test = xtrue)
+AM_CONDITIONAL(USE_IMV_TEST, test x$imv_test = xtrue)
+AM_CONDITIONAL(USE_IMC_SCANNER, test x$imc_scanner = xtrue)
+AM_CONDITIONAL(USE_IMV_SCANNER, test x$imv_scanner = xtrue)
+AM_CONDITIONAL(USE_IMC_OS, test x$imc_os = xtrue)
+AM_CONDITIONAL(USE_IMV_OS, test x$imv_os = xtrue)
+AM_CONDITIONAL(USE_IMC_ATTESTATION, test x$imc_attestation = xtrue)
+AM_CONDITIONAL(USE_IMV_ATTESTATION, test x$imv_attestation = xtrue)
+AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
+AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
+AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
+AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
+AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
+
+#  hydra plugins
+# ---------------
+AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
+AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
+AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
+AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
+AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
+
+#  other options
+# ---------------
+AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
+AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
+AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
+AM_CONDITIONAL(USE_FAST, test x$fast = xtrue)
+AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
+AM_CONDITIONAL(USE_ME, test x$mediation = xtrue)
+AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
+AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
+AM_CONDITIONAL(USE_IKEV1, test x$ikev1 = xtrue)
+AM_CONDITIONAL(USE_IKEV2, test x$ikev2 = xtrue)
+AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
+AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
+AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
+AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
+AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
+AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
+AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
+AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
+AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue)
+AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
+AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
+AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
+AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
+AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
+AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
+AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
+AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
+AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
+AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
+AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
+AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
+AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
+AM_CONDITIONAL(USE_SILENT_RULES, test x$enable_silent_rules = xyes)
+AM_CONDITIONAL(UNITTESTS, test x$unit_tests = xtrue)
+AM_CONDITIONAL(COVERAGE, test x$coverage = xtrue)
+AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
+AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
+
+# ========================
+#  set global definitions
+# ========================
+
+if test x$mediation = xtrue; then
+	AC_DEFINE([ME], [], [mediation extension support])
+fi
+if test x$capabilities = xlibcap -o x$capabilities = xnative; then
+	AC_DEFINE([CAPABILITIES], [], [capability dropping support])
+fi
+if test x$monolithic = xtrue; then
+	AC_DEFINE([MONOLITHIC], [], [monolithic build embedding plugins])
+fi
+if test x$ikev1 = xtrue; then
+	AC_DEFINE([USE_IKEV1], [], [support for IKEv1 protocol])
+fi
+if test x$ikev2 = xtrue; then
+	AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol])
+fi
+
+# =================
+#  build Makefiles
+# =================
+
+AC_CONFIG_FILES([
+	Makefile
+	man/Makefile
+	init/Makefile
+	init/systemd/Makefile
+	src/Makefile
+	src/include/Makefile
+	src/libstrongswan/Makefile
+	src/libstrongswan/plugins/aes/Makefile
+	src/libstrongswan/plugins/cmac/Makefile
+	src/libstrongswan/plugins/des/Makefile
+	src/libstrongswan/plugins/blowfish/Makefile
+	src/libstrongswan/plugins/rc2/Makefile
+	src/libstrongswan/plugins/md4/Makefile
+	src/libstrongswan/plugins/md5/Makefile
+	src/libstrongswan/plugins/sha1/Makefile
+	src/libstrongswan/plugins/sha2/Makefile
+	src/libstrongswan/plugins/fips_prf/Makefile
+	src/libstrongswan/plugins/gmp/Makefile
+	src/libstrongswan/plugins/rdrand/Makefile
+	src/libstrongswan/plugins/random/Makefile
+	src/libstrongswan/plugins/nonce/Makefile
+	src/libstrongswan/plugins/hmac/Makefile
+	src/libstrongswan/plugins/xcbc/Makefile
+	src/libstrongswan/plugins/x509/Makefile
+	src/libstrongswan/plugins/revocation/Makefile
+	src/libstrongswan/plugins/constraints/Makefile
+	src/libstrongswan/plugins/pubkey/Makefile
+	src/libstrongswan/plugins/pkcs1/Makefile
+	src/libstrongswan/plugins/pkcs7/Makefile
+	src/libstrongswan/plugins/pkcs8/Makefile
+	src/libstrongswan/plugins/pkcs12/Makefile
+	src/libstrongswan/plugins/pgp/Makefile
+	src/libstrongswan/plugins/dnskey/Makefile
+	src/libstrongswan/plugins/sshkey/Makefile
+	src/libstrongswan/plugins/pem/Makefile
+	src/libstrongswan/plugins/curl/Makefile
+	src/libstrongswan/plugins/unbound/Makefile
+	src/libstrongswan/plugins/soup/Makefile
+	src/libstrongswan/plugins/ldap/Makefile
+	src/libstrongswan/plugins/mysql/Makefile
+	src/libstrongswan/plugins/sqlite/Makefile
+	src/libstrongswan/plugins/padlock/Makefile
+	src/libstrongswan/plugins/openssl/Makefile
+	src/libstrongswan/plugins/gcrypt/Makefile
+	src/libstrongswan/plugins/agent/Makefile
+	src/libstrongswan/plugins/keychain/Makefile
+	src/libstrongswan/plugins/pkcs11/Makefile
+	src/libstrongswan/plugins/ctr/Makefile
+	src/libstrongswan/plugins/ccm/Makefile
+	src/libstrongswan/plugins/gcm/Makefile
+	src/libstrongswan/plugins/af_alg/Makefile
+	src/libstrongswan/plugins/test_vectors/Makefile
+	src/libstrongswan/tests/Makefile
+	src/libhydra/Makefile
+	src/libhydra/plugins/attr/Makefile
+	src/libhydra/plugins/attr_sql/Makefile
+	src/libhydra/plugins/kernel_klips/Makefile
+	src/libhydra/plugins/kernel_netlink/Makefile
+	src/libhydra/plugins/kernel_pfkey/Makefile
+	src/libhydra/plugins/kernel_pfroute/Makefile
+	src/libhydra/plugins/resolve/Makefile
+	src/libipsec/Makefile
+	src/libsimaka/Makefile
+	src/libtls/Makefile
+	src/libradius/Makefile
+	src/libtncif/Makefile
+	src/libtnccs/Makefile
+	src/libpttls/Makefile
+	src/libpts/Makefile
+	src/libpts/plugins/imc_attestation/Makefile
+	src/libpts/plugins/imv_attestation/Makefile
+	src/libimcv/Makefile
+	src/libimcv/plugins/imc_test/Makefile
+	src/libimcv/plugins/imv_test/Makefile
+	src/libimcv/plugins/imc_scanner/Makefile
+	src/libimcv/plugins/imv_scanner/Makefile
+	src/libimcv/plugins/imc_os/Makefile
+	src/libimcv/plugins/imv_os/Makefile
+	src/charon/Makefile
+	src/charon-nm/Makefile
+	src/charon-tkm/Makefile
+	src/charon-cmd/Makefile
+	src/libcharon/Makefile
+	src/libcharon/plugins/eap_aka/Makefile
+	src/libcharon/plugins/eap_aka_3gpp2/Makefile
+	src/libcharon/plugins/eap_dynamic/Makefile
+	src/libcharon/plugins/eap_identity/Makefile
+	src/libcharon/plugins/eap_md5/Makefile
+	src/libcharon/plugins/eap_gtc/Makefile
+	src/libcharon/plugins/eap_sim/Makefile
+	src/libcharon/plugins/eap_sim_file/Makefile
+	src/libcharon/plugins/eap_sim_pcsc/Makefile
+	src/libcharon/plugins/eap_simaka_sql/Makefile
+	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
+	src/libcharon/plugins/eap_simaka_reauth/Makefile
+	src/libcharon/plugins/eap_mschapv2/Makefile
+	src/libcharon/plugins/eap_tls/Makefile
+	src/libcharon/plugins/eap_ttls/Makefile
+	src/libcharon/plugins/eap_peap/Makefile
+	src/libcharon/plugins/eap_tnc/Makefile
+	src/libcharon/plugins/eap_radius/Makefile
+	src/libcharon/plugins/xauth_generic/Makefile
+	src/libcharon/plugins/xauth_eap/Makefile
+	src/libcharon/plugins/xauth_pam/Makefile
+	src/libcharon/plugins/xauth_noauth/Makefile
+	src/libcharon/plugins/tnc_ifmap/Makefile
+	src/libcharon/plugins/tnc_pdp/Makefile
+	src/libcharon/plugins/tnc_imc/Makefile
+	src/libcharon/plugins/tnc_imv/Makefile
+	src/libcharon/plugins/tnc_tnccs/Makefile
+	src/libcharon/plugins/tnccs_11/Makefile
+	src/libcharon/plugins/tnccs_20/Makefile
+	src/libcharon/plugins/tnccs_dynamic/Makefile
+	src/libcharon/plugins/socket_default/Makefile
+	src/libcharon/plugins/socket_dynamic/Makefile
+	src/libcharon/plugins/farp/Makefile
+	src/libcharon/plugins/smp/Makefile
+	src/libcharon/plugins/sql/Makefile
+	src/libcharon/plugins/ipseckey/Makefile
+	src/libcharon/plugins/medsrv/Makefile
+	src/libcharon/plugins/medcli/Makefile
+	src/libcharon/plugins/addrblock/Makefile
+	src/libcharon/plugins/unity/Makefile
+	src/libcharon/plugins/uci/Makefile
+	src/libcharon/plugins/ha/Makefile
+	src/libcharon/plugins/kernel_libipsec/Makefile
+	src/libcharon/plugins/whitelist/Makefile
+	src/libcharon/plugins/lookip/Makefile
+	src/libcharon/plugins/error_notify/Makefile
+	src/libcharon/plugins/certexpire/Makefile
+	src/libcharon/plugins/systime_fix/Makefile
+	src/libcharon/plugins/led/Makefile
+	src/libcharon/plugins/duplicheck/Makefile
+	src/libcharon/plugins/coupling/Makefile
+	src/libcharon/plugins/radattr/Makefile
+	src/libcharon/plugins/osx_attr/Makefile
+	src/libcharon/plugins/android_dns/Makefile
+	src/libcharon/plugins/android_log/Makefile
+	src/libcharon/plugins/maemo/Makefile
+	src/libcharon/plugins/stroke/Makefile
+	src/libcharon/plugins/updown/Makefile
+	src/libcharon/plugins/dhcp/Makefile
+	src/libcharon/plugins/unit_tester/Makefile
+	src/libcharon/plugins/load_tester/Makefile
+	src/stroke/Makefile
+	src/ipsec/Makefile
+	src/starter/Makefile
+	src/_updown/Makefile
+	src/_updown_espmark/Makefile
+	src/_copyright/Makefile
+	src/openac/Makefile
+	src/scepclient/Makefile
+	src/pki/Makefile
+	src/dumm/Makefile
+	src/dumm/ext/extconf.rb
+	src/libfast/Makefile
+	src/manager/Makefile
+	src/medsrv/Makefile
+	src/checksum/Makefile
+	src/conftest/Makefile
+	scripts/Makefile
+	testing/Makefile
+])
+AC_OUTPUT
+
+# ========================
+#  report enabled plugins
+# ========================
+
+AC_MSG_RESULT([])
+AC_MSG_RESULT([ strongSwan will be built with the following plugins])
+AC_MSG_RESULT([-----------------------------------------------------])
+
+AC_MSG_RESULT([libstrongswan:$s_plugins])
+AC_MSG_RESULT([libcharon:    $c_plugins])
+AC_MSG_RESULT([libhydra:     $h_plugins])
+AC_MSG_RESULT([])
diff --git a/configure.in b/configure.in
deleted file mode 100644
index 9a9796e81..000000000
--- a/configure.in
+++ /dev/null
@@ -1,1232 +0,0 @@
-dnl  configure.in for linux strongSwan
-dnl  Copyright (C) 2006 Martin Willi
-dnl  Hochschule fuer Technik Rapperswil
-dnl
-dnl  This program is free software; you can redistribute it and/or modify it
-dnl  under the terms of the GNU General Public License as published by the
-dnl  Free Software Foundation; either version 2 of the License, or (at your
-dnl  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-dnl
-dnl  This program is distributed in the hope that it will be useful, but
-dnl  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-dnl  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-dnl  for more details.
-
-dnl ===========================
-dnl  initialize & set some vars
-dnl ===========================
-
-AC_INIT(strongSwan,4.6.4)
-AM_INIT_AUTOMAKE(tar-ustar)
-AC_CONFIG_MACRO_DIR([m4/config])
-PKG_PROG_PKG_CONFIG
-
-dnl =================================
-dnl  check --enable-xxx & --with-xxx
-dnl =================================
-
-m4_include(m4/macros/with.m4)
-
-ARG_WITH_SUBST([default-pkcs11],     [/usr/lib/opensc-pkcs11.so], [set the default PKCS11 library])
-ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
-ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
-ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
-ARG_WITH_SUBST([resolv-conf],        [${sysconfdir}/resolv.conf], [set the file to use in DNS handler plugin])
-ARG_WITH_SUBST([piddir],             [/var/run], [set path for PID and UNIX socket files])
-ARG_WITH_SUBST([ipsecdir],           [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
-ARG_WITH_SUBST([ipseclibdir],        [${libdir%/}/ipsec], [set installation path for ipsec libraries])
-ARG_WITH_SUBST([plugindir],          [${ipseclibdir%/}/plugins], [set the installation path of plugins])
-ARG_WITH_SUBST([imcvdir],            [${ipseclibdir%/}/imcvs], [set the installation path of IMC and IMV dynamic librariers])
-ARG_WITH_SUBST([nm-ca-dir],          [/usr/share/ca-certificates], [directory the NM plugin uses to look up trusted root certificates])
-ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set directory of linux header files to use])
-ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
-ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
-
-ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
-ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
-
-if test -n "$PKG_CONFIG"; then
-	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
-fi
-ARG_WITH_SET([systemdsystemunitdir], [$systemdsystemunitdir_default], [directory for systemd service files])
-AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno])
-AC_SUBST(systemdsystemunitdir)
-
-AC_ARG_WITH(
-	[xauth-module],
-	AS_HELP_STRING([--with-xauth-module=lib],[set the path to the XAUTH module]),
-	[AC_DEFINE_UNQUOTED(XAUTH_DEFAULT_LIB, "$withval")],
-)
-
-AC_ARG_WITH(
-	[user],
-	AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is "root").]),
-	[AC_DEFINE_UNQUOTED(IPSEC_USER, "$withval") AC_SUBST(ipsecuser, "$withval")],
-	[AC_SUBST(ipsecuser, "root")]
-)
-
-AC_ARG_WITH(
-	[group],
-	AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is "root").]),
-	[AC_DEFINE_UNQUOTED(IPSEC_GROUP, "$withval") AC_SUBST(ipsecgroup, "$withval")],
-	[AC_SUBST(ipsecgroup, "root")]
-)
-
-m4_include(m4/macros/enable-disable.m4)
-
-ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
-ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
-ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
-ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
-ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
-ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
-ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
-ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
-ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
-ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
-ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
-ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
-ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
-ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
-ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
-ARG_DISBL_SET([constraints],    [disable advanced X509 constraint checking plugin.])
-ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
-ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
-ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
-ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
-ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
-ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
-ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
-ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
-ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
-ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
-ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
-ARG_ENABL_SET([mysql],          [enable MySQL database support. Requires libmysqlclient_r.])
-ARG_ENABL_SET([sqlite],         [enable SQLite database support. Requires libsqlite3.])
-ARG_DISBL_SET([stroke],         [disable charons stroke (pluto compatibility) configuration backend.])
-ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon plugin.])
-ARG_ENABL_SET([medcli],         [enable mediation client configuration database plugin.])
-ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
-ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
-ARG_ENABL_SET([smartcard],      [enable smartcard support.])
-ARG_ENABL_SET([cisco-quirks],   [enable support of Cisco VPN client.])
-ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
-ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
-ARG_ENABL_SET([unit-tester],    [enable unit tests on IKEv2 daemon startup.])
-ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
-ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
-ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
-ARG_ENABL_SET([eap-sim-pcsc],   [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.])
-ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
-ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
-ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
-ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
-ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
-ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
-ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authentication module.])
-ARG_ENABL_SET([eap-gtc],        [enable PAM based EAP GTC authentication module.])
-ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authentication module.])
-ARG_ENABL_SET([eap-tls],        [enable EAP TLS authentication module.])
-ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
-ARG_ENABL_SET([eap-peap],       [enable EAP PEAP authentication module.])
-ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
-ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
-ARG_ENABL_SET([tnc-ifmap],      [enable TNC IF-MAP module.])
-ARG_ENABL_SET([tnc-pdp],        [enable TNC policy decision point module.])
-ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
-ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
-ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module.])
-ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
-ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
-ARG_ENABL_SET([imc-test],       [enable IMC test module.])
-ARG_ENABL_SET([imv-test],       [enable IMV test module.])
-ARG_ENABL_SET([imc-scanner],    [enable IMC port scanner module.])
-ARG_ENABL_SET([imv-scanner],    [enable IMV port scanner module.])
-ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.])
-ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.])
-ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
-ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
-ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
-ARG_ENABL_SET([kernel-klips],   [enable the KLIPS kernel interface.])
-ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.])
-ARG_ENABL_SET([socket-raw],     [enable raw socket implementation of charon, enforced if pluto is enabled])
-ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
-ARG_ENABL_SET([farp],           [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
-ARG_ENABL_SET([nat-transport],  [enable NAT traversal with IPsec transport mode in pluto.])
-ARG_DISBL_SET([vendor-id],      [disable the sending of the strongSwan vendor ID in pluto.])
-ARG_DISBL_SET([xauth-vid],      [disable the sending of the XAUTH vendor ID.])
-ARG_ENABL_SET([dumm],           [enable the DUMM UML test framework.])
-ARG_ENABL_SET([fast],           [enable libfast (FastCGI Application Server w/ templates.])
-ARG_ENABL_SET([manager],        [enable web management console (proof of concept).])
-ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
-ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.])
-ARG_DISBL_SET([load-warning],   [disable the charon/pluto plugin load option warning in starter.])
-ARG_DISBL_SET([pluto],          [disable the IKEv1 keying daemon pluto.])
-ARG_DISBL_SET([xauth],          [disable xauth plugin.])
-ARG_DISBL_SET([threads],        [disable the use of threads in pluto. Charon always uses threads.])
-ARG_DISBL_SET([adns],           [disable the use of adns in pluto (disables opportunistic encryption).])
-ARG_DISBL_SET([charon],         [disable the IKEv2 keying daemon charon.])
-ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
-ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
-ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
-ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
-ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
-ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
-ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
-ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
-ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
-ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
-ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
-ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
-ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
-ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
-ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
-ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
-ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
-ARG_ENABL_SET([android],        [enable Android specific plugin.])
-ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
-ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
-ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
-ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
-ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
-ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
-ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
-ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
-ARG_ENABL_SET([radattr],        [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
-ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
-ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
-
-dnl =========================
-dnl  set up compiler and flags
-dnl =========================
-
-if test -z "$CFLAGS"; then
-	CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
-fi
-AC_PROG_CC
-AC_LIB_PREFIX
-AC_C_BIGENDIAN
-
-dnl =========================
-dnl  check required programs
-dnl =========================
-
-AC_PROG_INSTALL
-AC_PROG_LIBTOOL
-AC_PROG_EGREP
-AC_PROG_AWK
-AC_PROG_LEX
-AC_PROG_YACC
-AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-
-dnl because gperf is not needed by end-users we just report it but do not abort on failure
-AC_MSG_CHECKING([gperf version >= 3.0.0])
-if test -x "$GPERF"; then
-	if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
-		AC_MSG_RESULT([yes])
-	else
-		AC_MSG_RESULT([no])
-	fi
-else
-	AC_MSG_RESULT([not found])
-fi
-
-dnl =========================
-dnl  dependency calculation
-dnl =========================
-
-if test x$eap_aka_3gpp2 = xtrue; then
-	gmp=true;
-fi
-
-if test x$eap_aka = xtrue; then
-	fips_prf=true;
-	simaka=true;
-fi
-
-if test x$eap_sim = xtrue; then
-	fips_prf=true;
-	simaka=true;
-fi
-
-if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
-	tls=true;
-fi
-
-if test x$eap_radius = xtrue -o x$radattr = xtrue -o x$tnc_pdp = xtrue; then
-	radius=true;
-fi
-
-if test x$tnc_imc = xtrue -o x$tnc_imv = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_11 = xtrue -o x$tnccs_dynamic = xtrue -o x$eap_tnc = xtrue; then
-	tnc_tnccs=true;
-fi
-
-if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$imv_scanner = xtrue -o x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
-	imcv=true;
-fi
-
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
-	pts=true;
-fi
-
-if test x$fips_prf = xtrue; then
-	if test x$openssl = xfalse; then
-		sha1=true;
-	fi
-fi
-
-if test x$smp = xtrue -o x$tnccs_11 = xtrue; then
-	xml=true
-fi
-
-if test x$tnc_ifmap = xtrue; then
-	axis2c=true
-fi
-
-if test x$manager = xtrue; then
-	fast=true
-fi
-
-if test x$medsrv = xtrue; then
-	mediation=true
-	fast=true
-fi
-
-if test x$medcli = xtrue; then
-	mediation=true
-fi
-
-if test x$pluto = xtrue; then
-	if test x$socket_raw = xfalse; then
-		AC_MSG_NOTICE([Enforcing --enable-socket-raw, as pluto is enabled])
-		socket_raw=true
-		if test x$socket_default_given = xfalse; then
-			socket_default=false
-		fi
-	fi
-fi
-
-dnl ===========================================
-dnl  check required libraries and header files
-dnl ===========================================
-
-AC_HEADER_STDBOOL
-AC_FUNC_ALLOCA
-
-dnl libraries needed on some platforms but not on others
-dnl ====================================================
-saved_LIBS=$LIBS
-
-dnl FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
-LIBS=""
-AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
-AC_SUBST(DLLIB)
-
-dnl glibc's backtrace() can be replicated on FreeBSD with libexecinfo
-LIBS=""
-AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
-AC_CHECK_FUNCS(backtrace)
-AC_SUBST(BTLIB)
-
-dnl OpenSolaris needs libsocket and libnsl for socket()
-LIBS=""
-AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
-	[AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
-)
-AC_SUBST(SOCKLIB)
-
-dnl FreeBSD has clock_gettime in libc, Linux needs librt
-LIBS=""
-AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
-AC_CHECK_FUNCS(clock_gettime)
-AC_SUBST(RTLIB)
-
-dnl Android has pthread_* functions in bionic (libc), others need libpthread
-LIBS=""
-AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
-AC_SUBST(PTHREADLIB)
-
-LIBS=$saved_LIBS
-dnl ======================
-
-AC_MSG_CHECKING(for dladdr)
-AC_TRY_COMPILE(
-	[#define _GNU_SOURCE
-	 #include <dlfcn.h>],
-	[Dl_info* info = 0;
-	 dladdr(0, info);],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR])],
-	[AC_MSG_RESULT([no])]
-)
-
-dnl check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
-saved_LIBS=$LIBS
-LIBS=$PTHREADLIB
-AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
-AC_TRY_RUN(
-	[#include <pthread.h>
-	 int main() { pthread_condattr_t attr;
-		pthread_condattr_init(&attr);
-		return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC])],
-	[AC_MSG_RESULT([no])],
-	dnl Check existence of pthread_condattr_setclock if cross-compiling
-	[AC_MSG_RESULT([unknown]);
-	 AC_CHECK_FUNCS(pthread_condattr_setclock,
-		[AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC])]
-	)]
-)
-dnl check if we actually are able to configure attributes on cond vars
-AC_CHECK_FUNCS(pthread_condattr_init)
-dnl instead of pthread_condattr_setclock Android has this function
-AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
-dnl check if we can cancel threads
-AC_CHECK_FUNCS(pthread_cancel)
-dnl check if native rwlocks are available
-AC_CHECK_FUNCS(pthread_rwlock_init)
-LIBS=$saved_LIBS
-
-AC_CHECK_FUNC(
-	[gettid],
-	[AC_DEFINE(HAVE_GETTID)],
-	[AC_MSG_CHECKING([for SYS_gettid])
-	 AC_TRY_COMPILE(
-		[#define _GNU_SOURCE
-		 #include <unistd.h>
-		 #include <sys/syscall.h>],
-		[int main() {
-			return syscall(SYS_gettid);}],
-		[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_GETTID])
-		 AC_DEFINE([HAVE_SYS_GETTID])],
-		[AC_MSG_RESULT([no])]
-	)]
-)
-
-AC_CHECK_FUNCS(prctl mallinfo getpass closefrom)
-
-AC_CHECK_HEADERS(sys/sockio.h glob.h)
-AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
-
-AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
-[
-	#include <sys/types.h>
-	#include <sys/socket.h>
-])
-
-AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
-[
-	#include <sys/types.h>
-	#ifdef HAVE_NET_PFKEYV2_H
-	#include <net/pfkeyv2.h>
-	#else
-	#include <stdint.h>
-	#include <linux/pfkeyv2.h>
-	#endif
-])
-
-AC_MSG_CHECKING([for in6addr_any])
-AC_TRY_COMPILE(
-	[#include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>],
-	[struct in6_addr in6;
-	in6 = in6addr_any;],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IN6ADDR_ANY])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for in6_pktinfo])
-AC_TRY_COMPILE(
-	[#define _GNU_SOURCE
-	#include <sys/types.h>
-	#include <sys/socket.h>
-	#include <netinet/in.h>],
-	[struct in6_pktinfo pi;
-	if (pi.ipi6_ifindex)
-	{
-		return 0;
-	}],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IN6_PKTINFO])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for IPSEC_MODE_BEET])
-AC_TRY_COMPILE(
-	[#include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif],
-	[int mode = IPSEC_MODE_BEET;
-	 return mode;],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IPSEC_MODE_BEET])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for IPSEC_DIR_FWD])
-AC_TRY_COMPILE(
-	[#include <sys/types.h>
-	#ifdef HAVE_NETIPSEC_IPSEC_H
-	#include <netipsec/ipsec.h>
-	#elif defined(HAVE_NETINET6_IPSEC_H)
-	#include <netinet6/ipsec.h>
-	#else
-	#include <stdint.h>
-	#include <linux/ipsec.h>
-	#endif],
-	[int dir = IPSEC_DIR_FWD;
-	 return dir;],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_IPSEC_DIR_FWD])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for RTA_TABLE])
-AC_TRY_COMPILE(
-	[#include <sys/socket.h>
-	#include <linux/netlink.h>
-	#include <linux/rtnetlink.h>],
-	[int rta_type = RTA_TABLE;
-	 return rta_type;],
-	[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_RTA_TABLE])],
-	[AC_MSG_RESULT([no])]
-)
-
-AC_MSG_CHECKING([for gcc atomic operations])
-AC_TRY_RUN(
-[
-	int main() {
-		volatile int ref = 1;
-		__sync_fetch_and_add (&ref, 1);
-		__sync_sub_and_fetch (&ref, 1);
-		/* Make sure test fails if operations are not supported */
-		__sync_val_compare_and_swap(&ref, 1, 0);
-		return ref;
-	}
-],
-[AC_MSG_RESULT([yes]); AC_DEFINE(HAVE_GCC_ATOMIC_OPERATIONS)],
-[AC_MSG_RESULT([no])],
-[AC_MSG_RESULT([no])])
-
-dnl check for the new register_printf_specifier function with len argument,
-dnl or the deprecated register_printf_function without
-AC_CHECK_FUNC(
-	[register_printf_specifier],
-	[AC_DEFINE(HAVE_PRINTF_SPECIFIER)],
-	[AC_CHECK_FUNC(
-		[register_printf_function],
-		[AC_DEFINE(HAVE_PRINTF_FUNCTION)],
-		[
-			AC_MSG_NOTICE([printf does not support custom format specifiers!])
-			vstr=true
-		]
-	)]
-)
-
-if test x$vstr = xtrue; then
-	AC_HAVE_LIBRARY([vstr],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])])
-	AC_DEFINE(USE_VSTR)
-fi
-
-if test x$gmp = xtrue; then
-	saved_LIBS=$LIBS
-	AC_HAVE_LIBRARY([gmp],,[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
-	AC_MSG_CHECKING([mpz_powm_sec])
-	if test x$mpz_powm_sec = xyes; then
-		AC_TRY_COMPILE(
-			[#include "gmp.h"],
-			[
-				void *x = mpz_powm_sec;
-			],
-			[AC_MSG_RESULT([yes]); AC_DEFINE(HAVE_MPZ_POWM_SEC)], [AC_MSG_RESULT([no])]
-		)
-	else
-		AC_MSG_RESULT([disabled])
-	fi
-	LIBS=$saved_LIBS
-	AC_MSG_CHECKING([gmp.h version >= 4.1.4])
-	AC_TRY_COMPILE(
-		[#include "gmp.h"],
-		[
-			#if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
-				#error bad gmp
-			#endif
-		],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
-	)
-fi
-
-if test x$ldap = xtrue; then
-	AC_HAVE_LIBRARY([ldap],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])])
-	AC_HAVE_LIBRARY([lber],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])])
-	AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
-fi
-
-if test x$curl = xtrue; then
-	AC_HAVE_LIBRARY([curl],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])])
-	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
-fi
-
-if test x$soup = xtrue; then
-	PKG_CHECK_MODULES(soup, [libsoup-2.4])
-	AC_SUBST(soup_CFLAGS)
-	AC_SUBST(soup_LIBS)
-fi
-
-if test x$xml = xtrue; then
-	PKG_CHECK_MODULES(xml, [libxml-2.0])
-	AC_SUBST(xml_CFLAGS)
-	AC_SUBST(xml_LIBS)
-fi
-
-if test x$axis2c = xtrue; then
-	PKG_CHECK_MODULES(axis2c, [axis2c])
-	AC_SUBST(axis2c_CFLAGS)
-	AC_SUBST(axis2c_LIBS)
-fi
-
-if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue; then
-	AC_HAVE_LIBRARY([tspi],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])])
-	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
-fi
-
-if test x$dumm = xtrue; then
-	PKG_CHECK_MODULES(gtk, [gtk+-2.0 vte])
-	AC_SUBST(gtk_CFLAGS)
-	AC_SUBST(gtk_LIBS)
-	AC_CHECK_PROGS(RUBY, ruby)
-	AC_MSG_CHECKING([for Ruby header files])
-	if test -n "$RUBY"; then
-		RUBYDIR=`($RUBY -rmkmf -e 'print Config::CONFIG[["archdir"]] || $archdir') 2>/dev/null`
-		if test -n "$RUBYDIR"; then
-			dirs="$RUBYDIR"
-			RUBYINCLUDE=none
-			for i in $dirs; do
-				if test -r $i/ruby.h; then
-					AC_MSG_RESULT([$i])
-					RUBYINCLUDE="-I$i"
-					break;
-				fi
-			done
-			if test x"$RUBYINCLUDE" = xnone; then
-				AC_MSG_ERROR([ruby.h not found])
-			fi
-			AC_SUBST(RUBYINCLUDE)
-		else
-			AC_MSG_ERROR([unable to determine ruby configuration])
-		fi
-	else
-		AC_MSG_ERROR([don't know how to run ruby])
-	fi
-fi
-
-if test x$fast = xtrue; then
-	AC_HAVE_LIBRARY([neo_cgi],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])])
-	AC_HAVE_LIBRARY([neo_utl],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])])
-	AC_MSG_CHECKING([ClearSilver requires zlib])
-	saved_CFLAGS=$CFLAGS
-	saved_LIBS=$LIBS
-	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
-	CFLAGS="-I/usr/include/ClearSilver"
-	AC_TRY_LINK(
-		[#include <ClearSilver.h>],
-		[
-			NEOERR *err = cgi_display(NULL, NULL);
-		],
-		[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
-		[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
-	)
-	AC_SUBST(clearsilver_LIBS)
-	LIBS=$saved_LIBS
-	CFLAGS=$saved_CFLAGS
-dnl autoconf does not like CamelCase!? How to fix this?
-dnl	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
-
-	AC_HAVE_LIBRARY([fcgi],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])])
-	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
-fi
-
-if test x$mysql = xtrue; then
-	AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-	if test x$MYSQLCONFIG = x; then
-		AC_MSG_ERROR([mysql_config not found!])
-	fi
-	AC_SUBST(MYSQLLIB, `$MYSQLCONFIG --libs_r`)
-	AC_SUBST(MYSQLCFLAG, `$MYSQLCONFIG --cflags`)
-fi
-
-if test x$sqlite = xtrue; then
-	AC_HAVE_LIBRARY([sqlite3],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])])
-	AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
-	AC_MSG_CHECKING([sqlite3_prepare_v2])
-	AC_TRY_COMPILE(
-		[#include <sqlite3.h>],
-		[
-			void *test = sqlite3_prepare_v2;
-		],
-		[AC_MSG_RESULT([yes])]; AC_DEFINE_UNQUOTED(HAVE_SQLITE3_PREPARE_V2, 1), [AC_MSG_RESULT([no])])
-	AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
-	AC_TRY_COMPILE(
-		[#include <sqlite3.h>],
-		[
-			#if SQLITE_VERSION_NUMBER < 3003001
-				#error bad sqlite
-			#endif
-		],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])])
-fi
-
-if test x$openssl = xtrue; then
-	AC_HAVE_LIBRARY([crypto],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])])
-	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
-fi
-
-if test x$gcrypt = xtrue; then
-	AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
-	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
-	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
-	AC_TRY_COMPILE(
-		[#include <gcrypt.h>],
-		[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;],
-		[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA])],
-		[AC_MSG_RESULT([no])]
-	)
-fi
-
-if test x$uci = xtrue; then
-	AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
-	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
-fi
-
-if test x$android = xtrue; then
-	AC_HAVE_LIBRARY([cutils],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])])
-	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
-	dnl we have to force the use of libdl here because the autodetection
-	dnl above does not work correctly when cross-compiling for android.
-	DLLIB="-ldl"
-	AC_SUBST(DLLIB)
-fi
-
-if test x$maemo = xtrue; then
-	PKG_CHECK_MODULES(maemo, [glib-2.0 gthread-2.0 libosso osso-af-settings])
-	AC_SUBST(maemo_CFLAGS)
-	AC_SUBST(maemo_LIBS)
-	dbusservicedir="/usr/share/dbus-1/system-services"
-	AC_SUBST(dbusservicedir)
-fi
-
-if test x$eap_sim_pcsc = xtrue; then
-	PKG_CHECK_MODULES(pcsclite, [libpcsclite])
-	AC_SUBST(pcsclite_CFLAGS)
-	AC_SUBST(pcsclite_LIBS)
-fi
-
-if test x$nm = xtrue; then
-	PKG_CHECK_EXISTS([libnm-glib],
-		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn])],
-		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn])]
-	)
-	AC_SUBST(nm_CFLAGS)
-	AC_SUBST(nm_LIBS)
-fi
-
-if test x$eap_gtc = xtrue; then
-	AC_HAVE_LIBRARY([pam],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])])
-	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
-fi
-
-if test x$capabilities = xnative; then
-	AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
-	dnl Linux requires the following for capset(), Android does not have it,
-	dnl but defines capset() in unistd.h instead.
-	AC_CHECK_HEADERS([sys/capability.h])
-	AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
-	AC_DEFINE(CAPABILITIES_NATIVE)
-fi
-
-if test x$capabilities = xlibcap; then
-	AC_HAVE_LIBRARY([cap],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])])
-	AC_CHECK_HEADER([sys/capability.h],
-		[AC_DEFINE(HAVE_SYS_CAPABILITY_H)],
-		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
-	AC_DEFINE(CAPABILITIES_LIBCAP)
-fi
-
-if test x$integrity_test = xtrue; then
-	AC_MSG_CHECKING([for dladdr()])
-	AC_TRY_COMPILE(
-		[#define _GNU_SOURCE
-		 #include <dlfcn.h>],
-		[Dl_info info; dladdr(main, &info);],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
-		 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
-	)
-	AC_MSG_CHECKING([for dl_iterate_phdr()])
-	AC_TRY_COMPILE(
-		[#define _GNU_SOURCE
-		 #include <link.h>],
-		[dl_iterate_phdr((void*)0, (void*)0);],
-		[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
-		 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
-	)
-fi
-
-dnl ==============================================
-dnl  collect plugin list for strongSwan components
-dnl ==============================================
-
-m4_include(m4/macros/add-plugin.m4)
-
-# plugin lists for all components
-libcharon_plugins=
-pluto_plugins=
-starter_plugins=
-pool_plugins=
-attest_plugins=
-openac_plugins=
-scepclient_plugins=
-pki_plugins=
-scripts_plugins=
-manager_plugins=
-medsrv_plugins=
-
-# location specific lists for checksumming,
-# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
-c_plugins=
-p_plugins=
-h_plugins=
-s_plugins=
-
-ADD_PLUGIN([test-vectors],         [s libcharon pluto openac scepclient pki])
-ADD_PLUGIN([curl],                 [s libcharon pluto scepclient scripts])
-ADD_PLUGIN([soup],                 [s libcharon pluto scripts])
-ADD_PLUGIN([ldap],                 [s libcharon pluto scepclient scripts])
-ADD_PLUGIN([mysql],                [s libcharon pluto pool manager medsrv attest])
-ADD_PLUGIN([sqlite],               [s libcharon pluto pool manager medsrv attest])
-ADD_PLUGIN([pkcs11],               [s libcharon pki])
-ADD_PLUGIN([aes],                  [s libcharon pluto openac scepclient pki scripts])
-ADD_PLUGIN([des],                  [s libcharon pluto openac scepclient pki scripts])
-ADD_PLUGIN([blowfish],             [s libcharon pluto openac scepclient pki scripts])
-ADD_PLUGIN([sha1],                 [s libcharon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([sha2],                 [s libcharon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([md4],                  [s libcharon openac manager scepclient pki])
-ADD_PLUGIN([md5],                  [s libcharon pluto openac scepclient pki scripts attest])
-ADD_PLUGIN([random],               [s libcharon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([x509],                 [s libcharon pluto openac scepclient pki scripts attest])
-ADD_PLUGIN([revocation],           [s libcharon])
-ADD_PLUGIN([constraints],          [s libcharon])
-ADD_PLUGIN([pubkey],               [s libcharon])
-ADD_PLUGIN([pkcs1],                [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([pkcs8],                [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([pgp],                  [s libcharon pluto])
-ADD_PLUGIN([dnskey],               [s pluto])
-ADD_PLUGIN([pem],                  [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([padlock],              [s libcharon])
-ADD_PLUGIN([openssl],              [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([gcrypt],               [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([af-alg],               [s libcharon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([fips-prf],             [s libcharon])
-ADD_PLUGIN([gmp],                  [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([agent],                [s libcharon])
-ADD_PLUGIN([xcbc],                 [s libcharon])
-ADD_PLUGIN([cmac],                 [s libcharon])
-ADD_PLUGIN([hmac],                 [s libcharon pluto scripts])
-ADD_PLUGIN([ctr],                  [s libcharon scripts])
-ADD_PLUGIN([ccm],                  [s libcharon scripts])
-ADD_PLUGIN([gcm],                  [s libcharon scripts])
-ADD_PLUGIN([xauth],                [p pluto])
-ADD_PLUGIN([attr],                 [h libcharon pluto])
-ADD_PLUGIN([attr-sql],             [h libcharon pluto])
-ADD_PLUGIN([load-tester],          [c libcharon])
-ADD_PLUGIN([kernel-pfkey],         [h libcharon pluto starter])
-ADD_PLUGIN([kernel-pfroute],       [h libcharon pluto starter])
-ADD_PLUGIN([kernel-klips],         [h libcharon pluto starter])
-ADD_PLUGIN([kernel-netlink],       [h libcharon pluto starter])
-ADD_PLUGIN([resolve],              [h libcharon pluto])
-ADD_PLUGIN([socket-default],       [c libcharon])
-ADD_PLUGIN([socket-raw],           [c libcharon])
-ADD_PLUGIN([socket-dynamic],       [c libcharon])
-ADD_PLUGIN([farp],                 [c libcharon])
-ADD_PLUGIN([stroke],               [c libcharon])
-ADD_PLUGIN([smp],                  [c libcharon])
-ADD_PLUGIN([sql],                  [c libcharon])
-ADD_PLUGIN([updown],               [c libcharon])
-ADD_PLUGIN([eap-identity],         [c libcharon])
-ADD_PLUGIN([eap-sim],              [c libcharon])
-ADD_PLUGIN([eap-sim-file],         [c libcharon])
-ADD_PLUGIN([eap-sim-pcsc],         [c libcharon])
-ADD_PLUGIN([eap-aka],              [c libcharon])
-ADD_PLUGIN([eap-aka-3gpp2],        [c libcharon])
-ADD_PLUGIN([eap-simaka-sql],       [c libcharon])
-ADD_PLUGIN([eap-simaka-pseudonym], [c libcharon])
-ADD_PLUGIN([eap-simaka-reauth],    [c libcharon])
-ADD_PLUGIN([eap-md5],              [c libcharon])
-ADD_PLUGIN([eap-gtc],              [c libcharon])
-ADD_PLUGIN([eap-mschapv2],         [c libcharon])
-ADD_PLUGIN([eap-radius],           [c libcharon])
-ADD_PLUGIN([eap-tls],              [c libcharon])
-ADD_PLUGIN([eap-ttls],             [c libcharon])
-ADD_PLUGIN([eap-peap],             [c libcharon])
-ADD_PLUGIN([eap-tnc],              [c libcharon])
-ADD_PLUGIN([tnc-ifmap],            [c libcharon])
-ADD_PLUGIN([tnc-pdp],              [c libcharon])
-ADD_PLUGIN([tnc-imc],              [c libcharon])
-ADD_PLUGIN([tnc-imv],              [c libcharon])
-ADD_PLUGIN([tnc-tnccs],            [c libcharon])
-ADD_PLUGIN([tnccs-20],             [c libcharon])
-ADD_PLUGIN([tnccs-11],             [c libcharon])
-ADD_PLUGIN([tnccs-dynamic],        [c libcharon])
-ADD_PLUGIN([medsrv],               [c libcharon])
-ADD_PLUGIN([medcli],               [c libcharon])
-ADD_PLUGIN([nm],                   [c libcharon])
-ADD_PLUGIN([dhcp],                 [c libcharon])
-ADD_PLUGIN([android],              [c libcharon])
-ADD_PLUGIN([ha],                   [c libcharon])
-ADD_PLUGIN([whitelist],            [c libcharon])
-ADD_PLUGIN([certexpire],           [c libcharon])
-ADD_PLUGIN([led],                  [c libcharon])
-ADD_PLUGIN([duplicheck],           [c libcharon])
-ADD_PLUGIN([coupling],             [c libcharon])
-ADD_PLUGIN([radattr],              [c libcharon])
-ADD_PLUGIN([maemo],                [c libcharon])
-ADD_PLUGIN([uci],                  [c libcharon])
-ADD_PLUGIN([addrblock],            [c libcharon])
-ADD_PLUGIN([unit-tester],          [c libcharon])
-
-AC_SUBST(libcharon_plugins)
-AC_SUBST(pluto_plugins)
-AC_SUBST(starter_plugins)
-AC_SUBST(pool_plugins)
-AC_SUBST(attest_plugins)
-AC_SUBST(openac_plugins)
-AC_SUBST(scepclient_plugins)
-AC_SUBST(pki_plugins)
-AC_SUBST(scripts_plugins)
-AC_SUBST(manager_plugins)
-AC_SUBST(medsrv_plugins)
-
-AC_SUBST(c_plugins)
-AC_SUBST(p_plugins)
-AC_SUBST(h_plugins)
-AC_SUBST(s_plugins)
-
-dnl =========================
-dnl  set Makefile.am vars
-dnl =========================
-
-dnl libstrongswan plugins
-dnl =====================
-AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
-AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
-AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
-AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
-AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
-AM_CONDITIONAL(USE_DES, test x$des = xtrue)
-AM_CONDITIONAL(USE_BLOWFISH, test x$blowfish = xtrue)
-AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue)
-AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue)
-AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue)
-AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue)
-AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
-AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
-AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
-AM_CONDITIONAL(USE_X509, test x$x509 = xtrue)
-AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue)
-AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue)
-AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue)
-AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
-AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
-AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
-AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
-AM_CONDITIONAL(USE_PEM, test x$pem = xtrue)
-AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
-AM_CONDITIONAL(USE_CMAC, test x$cmac = xtrue)
-AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
-AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
-AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue)
-AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
-AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
-AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
-AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
-AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
-AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
-AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
-AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
-AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
-
-dnl charon plugins
-dnl ==============
-AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
-AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
-AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
-AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
-AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
-AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue)
-AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
-AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
-AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
-AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
-AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
-AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
-AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
-AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
-AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
-AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
-AM_CONDITIONAL(USE_LED, test x$led = xtrue)
-AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
-AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
-AM_CONDITIONAL(USE_RADATTR, test x$radattr = xtrue)
-AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
-AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
-AM_CONDITIONAL(USE_EAP_SIM_PCSC, test x$eap_sim_pcsc = xtrue)
-AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
-AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
-AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
-AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
-AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
-AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
-AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
-AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
-AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
-AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
-AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
-AM_CONDITIONAL(USE_EAP_PEAP, test x$eap_peap = xtrue)
-AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
-AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
-AM_CONDITIONAL(USE_TNC_IFMAP, test x$tnc_ifmap = xtrue)
-AM_CONDITIONAL(USE_TNC_PDP, test x$tnc_pdp = xtrue)
-AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
-AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
-AM_CONDITIONAL(USE_TNC_TNCCS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
-AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
-AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue)
-AM_CONDITIONAL(USE_IMC_TEST, test x$imc_test = xtrue)
-AM_CONDITIONAL(USE_IMV_TEST, test x$imv_test = xtrue)
-AM_CONDITIONAL(USE_IMC_SCANNER, test x$imc_scanner = xtrue)
-AM_CONDITIONAL(USE_IMV_SCANNER, test x$imv_scanner = xtrue)
-AM_CONDITIONAL(USE_IMC_ATTESTATION, test x$imc_attestation = xtrue)
-AM_CONDITIONAL(USE_IMV_ATTESTATION, test x$imv_attestation = xtrue)
-AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
-AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
-AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
-AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
-AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
-
-dnl hydra plugins
-dnl =============
-AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
-AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
-AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
-AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
-AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
-
-dnl pluto plugins
-dnl =============
-AM_CONDITIONAL(USE_XAUTH, test x$xauth = xtrue)
-
-dnl other options
-dnl =============
-AM_CONDITIONAL(USE_SMARTCARD, test x$smartcard = xtrue)
-AM_CONDITIONAL(USE_CISCO_QUIRKS, test x$cisco_quirks = xtrue)
-AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
-AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
-AM_CONDITIONAL(USE_NAT_TRANSPORT, test x$nat_transport = xtrue)
-AM_CONDITIONAL(USE_VENDORID, test x$vendor_id = xtrue)
-AM_CONDITIONAL(USE_XAUTH_VID, test x$xauth_vid = xtrue)
-AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
-AM_CONDITIONAL(USE_FAST, test x$fast = xtrue)
-AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue)
-AM_CONDITIONAL(USE_ME, test x$mediation = xtrue)
-AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
-AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
-AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
-AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
-AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
-AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
-AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
-AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
-AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue)
-AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue)
-AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
-AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
-AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
-AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
-AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
-AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
-AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue)
-AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
-AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
-AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
-
-dnl ==============================
-dnl  set global definitions
-dnl ==============================
-
-if test x$mediation = xtrue; then
-	AC_DEFINE(ME)
-fi
-if test x$capabilities = xlibcap -o x$capabilities = xnative; then
-	AC_DEFINE(CAPABILITIES)
-fi
-if test x$monolithic = xtrue; then
-	AC_DEFINE(MONOLITHIC)
-fi
-
-
-dnl ==============================
-dnl  build Makefiles
-dnl ==============================
-
-AC_OUTPUT(
-	Makefile
-	man/Makefile
-	init/Makefile
-	init/systemd/Makefile
-	src/Makefile
-	src/include/Makefile
-	src/libstrongswan/Makefile
-	src/libstrongswan/plugins/aes/Makefile
-	src/libstrongswan/plugins/cmac/Makefile
-	src/libstrongswan/plugins/des/Makefile
-	src/libstrongswan/plugins/blowfish/Makefile
-	src/libstrongswan/plugins/md4/Makefile
-	src/libstrongswan/plugins/md5/Makefile
-	src/libstrongswan/plugins/sha1/Makefile
-	src/libstrongswan/plugins/sha2/Makefile
-	src/libstrongswan/plugins/fips_prf/Makefile
-	src/libstrongswan/plugins/gmp/Makefile
-	src/libstrongswan/plugins/random/Makefile
-	src/libstrongswan/plugins/hmac/Makefile
-	src/libstrongswan/plugins/xcbc/Makefile
-	src/libstrongswan/plugins/x509/Makefile
-	src/libstrongswan/plugins/revocation/Makefile
-	src/libstrongswan/plugins/constraints/Makefile
-	src/libstrongswan/plugins/pubkey/Makefile
-	src/libstrongswan/plugins/pkcs1/Makefile
-	src/libstrongswan/plugins/pkcs8/Makefile
-	src/libstrongswan/plugins/pgp/Makefile
-	src/libstrongswan/plugins/dnskey/Makefile
-	src/libstrongswan/plugins/pem/Makefile
-	src/libstrongswan/plugins/curl/Makefile
-	src/libstrongswan/plugins/soup/Makefile
-	src/libstrongswan/plugins/ldap/Makefile
-	src/libstrongswan/plugins/mysql/Makefile
-	src/libstrongswan/plugins/sqlite/Makefile
-	src/libstrongswan/plugins/padlock/Makefile
-	src/libstrongswan/plugins/openssl/Makefile
-	src/libstrongswan/plugins/gcrypt/Makefile
-	src/libstrongswan/plugins/agent/Makefile
-	src/libstrongswan/plugins/pkcs11/Makefile
-	src/libstrongswan/plugins/ctr/Makefile
-	src/libstrongswan/plugins/ccm/Makefile
-	src/libstrongswan/plugins/gcm/Makefile
-	src/libstrongswan/plugins/af_alg/Makefile
-	src/libstrongswan/plugins/test_vectors/Makefile
-	src/libhydra/Makefile
-	src/libhydra/plugins/attr/Makefile
-	src/libhydra/plugins/attr_sql/Makefile
-	src/libhydra/plugins/kernel_klips/Makefile
-	src/libhydra/plugins/kernel_netlink/Makefile
-	src/libhydra/plugins/kernel_pfkey/Makefile
-	src/libhydra/plugins/kernel_pfroute/Makefile
-	src/libhydra/plugins/resolve/Makefile
-	src/libfreeswan/Makefile
-	src/libsimaka/Makefile
-	src/libtls/Makefile
-	src/libradius/Makefile
-	src/libtncif/Makefile
-	src/libtnccs/Makefile
-	src/libpts/Makefile
-	src/libpts/plugins/imc_attestation/Makefile
-	src/libpts/plugins/imv_attestation/Makefile
-	src/libimcv/Makefile
-	src/libimcv/plugins/imc_test/Makefile
-	src/libimcv/plugins/imv_test/Makefile
-	src/libimcv/plugins/imc_scanner/Makefile
-	src/libimcv/plugins/imv_scanner/Makefile
-	src/pluto/Makefile
-	src/pluto/plugins/xauth/Makefile
-	src/whack/Makefile
-	src/charon/Makefile
-	src/libcharon/Makefile
-	src/libcharon/plugins/eap_aka/Makefile
-	src/libcharon/plugins/eap_aka_3gpp2/Makefile
-	src/libcharon/plugins/eap_identity/Makefile
-	src/libcharon/plugins/eap_md5/Makefile
-	src/libcharon/plugins/eap_gtc/Makefile
-	src/libcharon/plugins/eap_sim/Makefile
-	src/libcharon/plugins/eap_sim_file/Makefile
-	src/libcharon/plugins/eap_sim_pcsc/Makefile
-	src/libcharon/plugins/eap_simaka_sql/Makefile
-	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
-	src/libcharon/plugins/eap_simaka_reauth/Makefile
-	src/libcharon/plugins/eap_mschapv2/Makefile
-	src/libcharon/plugins/eap_tls/Makefile
-	src/libcharon/plugins/eap_ttls/Makefile
-	src/libcharon/plugins/eap_peap/Makefile
-	src/libcharon/plugins/eap_tnc/Makefile
-	src/libcharon/plugins/eap_radius/Makefile
-	src/libcharon/plugins/tnc_ifmap/Makefile
-	src/libcharon/plugins/tnc_pdp/Makefile
-	src/libcharon/plugins/tnc_imc/Makefile
-	src/libcharon/plugins/tnc_imv/Makefile
-	src/libcharon/plugins/tnc_tnccs/Makefile
-	src/libcharon/plugins/tnccs_11/Makefile
-	src/libcharon/plugins/tnccs_20/Makefile
-	src/libcharon/plugins/tnccs_dynamic/Makefile
-	src/libcharon/plugins/socket_default/Makefile
-	src/libcharon/plugins/socket_raw/Makefile
-	src/libcharon/plugins/socket_dynamic/Makefile
-	src/libcharon/plugins/farp/Makefile
-	src/libcharon/plugins/smp/Makefile
-	src/libcharon/plugins/sql/Makefile
-	src/libcharon/plugins/medsrv/Makefile
-	src/libcharon/plugins/medcli/Makefile
-	src/libcharon/plugins/nm/Makefile
-	src/libcharon/plugins/addrblock/Makefile
-	src/libcharon/plugins/uci/Makefile
-	src/libcharon/plugins/ha/Makefile
-	src/libcharon/plugins/whitelist/Makefile
-	src/libcharon/plugins/certexpire/Makefile
-	src/libcharon/plugins/led/Makefile
-	src/libcharon/plugins/duplicheck/Makefile
-	src/libcharon/plugins/coupling/Makefile
-	src/libcharon/plugins/radattr/Makefile
-	src/libcharon/plugins/android/Makefile
-	src/libcharon/plugins/maemo/Makefile
-	src/libcharon/plugins/stroke/Makefile
-	src/libcharon/plugins/updown/Makefile
-	src/libcharon/plugins/dhcp/Makefile
-	src/libcharon/plugins/unit_tester/Makefile
-	src/libcharon/plugins/load_tester/Makefile
-	src/stroke/Makefile
-	src/ipsec/Makefile
-	src/starter/Makefile
-	src/_updown/Makefile
-	src/_updown_espmark/Makefile
-	src/_copyright/Makefile
-	src/openac/Makefile
-	src/scepclient/Makefile
-	src/pki/Makefile
-	src/dumm/Makefile
-	src/dumm/ext/extconf.rb
-	src/libfast/Makefile
-	src/manager/Makefile
-	src/medsrv/Makefile
-	src/checksum/Makefile
-	src/conftest/Makefile
-	scripts/Makefile
-	testing/Makefile
-)
diff --git a/debian/NEWS b/debian/NEWS
index dfdd1a4a7..f6fd43e8c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,17 @@
+strongswan (5.1.0-1) unstable; urgency=low
+
+  Starting with strongSwan 5, the IKEv1 daemon (pluto) is gone, and the charon
+  daemon is now able to handle both IKEv1 and IKEv2 protocols.
+
+  There should be no issue for previous charon users, but for pluto users that
+  means they need to re-configure strongSwan in order to use charon. Some
+  migration help can be found on the strongSwan website at
+  http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1 and in
+  some IKEv1 configuration examples at
+  http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Mon, 30 Sep 2013 20:43:03 +0200
+
 strongswan (4.5.0-1) unstable; urgency=low
 
   Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the
@@ -34,3 +48,35 @@ strongswan (4.5.0-1) unstable; urgency=low
 Local variables:
 mode: debian-changelog
 End:
+strongswan (5.1.0-1) unstable; urgency=low
+
+  Starting with strongswan 4.5.0 upstream, the IKEv2 protocol is now the
+  default. This can easily be changed using the keyexchange=ikev1 config
+  option (either in the respective "conn" section or by putting it in the
+  "default" section and therefore applying it to all existing connections).
+
+  The IKEv2 protocol has less overhead, more features (e.g. NAT-Traversal by
+  default, MOBIKE, Mobile IPv6), and provides better error messages in case
+  the connection can not be established. It is therefore highly recommended
+  to use it when the other side also supports it.
+  
+  Addtionally, strongswan 4.5.0-1 now enables support for NAT Traversal in
+  combination with IPsec transport mode (the support for this has existed 
+  for a long time, but was disabled due to security concerns). This is 
+  required e.g. to let mobile phone clients (notably Android, iPhone) 
+  connect to an L2TP/IPsec gateway using strongswan. The security 
+  implications as described in the original README.NAT-Traversal file from 
+  the openswan distribution are:
+  
+  * Transport Mode can't be used without NAT in the IPSec layer. Otherwise,
+    all packets for the NAT device (including all hosts behind it) would be
+    sent to the NAT-T Client. This would create a sort of blackhole between
+    the peer which is not behind NAT and the NAT device.
+
+  * In Tunnel Mode with roadwarriors, we CAN'T accept any IP address,
+    otherwise, an evil roadwarrior could redirect all trafic for one host
+    (including a host on the private network) to himself. That's why, you have
+    to specify the private IP in the configuration file, use virtual IP
+    management, or DHCP-over-IPSec.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Mon, 30 Sep 2013 20:43:03 +0200
diff --git a/debian/changelog b/debian/changelog
index 3e052ade7..5fc499a19 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,31 +1,77 @@
-strongswan (4.6.4-9) unstable; urgency=low
+strongswan (5.1.0-1) unstable; urgency=low
 
+  * New upstream release.
+  * debian/libstrongswan.install:
+    - install new rc2, pkcs12 and sshkey plugins.
   * debian/control:
-    - protect strongswan-ikev1 dependencies using linux-any since it's only
-      available there.
-    - switch strongswan package to arch:any because of that change. 
-    - update standards version to 3.9.4. 
-    - add build-dep on autotools-dev
+    - update standards version to 3.9.4.
+    - add build-dep on dh-autoreconf.
   * debian/rules:
-    - use autotools-dev addon to update config.{guess,sub}. 
+    - use autoreconf addon to refresh autotools helper files and gain support
+      for ARM64.
+    - enable charon-cmd command line tool.
+  * debian/source/options: ignore files regenerated by autoreconf addon.
+  * debian/strongswan-ike.install:
+    - install charon-cmd command and manpage.
+  * debian/NEWS:
+    - warn users about charon replacing pluto as IKEv1 daemon and provide some
+      migration pointers.
 
- -- Yves-Alexis Perez <corsac@debian.org>  Wed, 26 Jun 2013 21:57:53 +0200
+ -- Yves-Alexis Perez <corsac@debian.org>  Mon, 30 Sep 2013 20:59:04 +0200
 
-strongswan (4.6.4-8) unstable; urgency=low
+strongswan (5.0.4-3) experimental; urgency=low
 
-  * debian/control:
-    - strongswan-ikev{1,2}: only depends on iproute on Linux arches.
-                                                                closes: #708686
+  * debian/rules, debian/libstrongswan.install:
+    - only install rdrand plugin on i386 and amd64.
 
- -- Yves-Alexis Perez <corsac@debian.org>  Fri, 17 May 2013 23:04:15 +0200
+ -- Yves-Alexis Perez <corsac@debian.org>  Sat, 18 May 2013 09:26:22 +0200
 
-strongswan (4.6.4-7) unstable; urgency=high
+strongswan (5.0.4-2) experimental; urgency=low
 
-  * debian/patches:
-    - 0001-Check-return-value-of-ECDSA_Verify-correctly added. Fix ECDSA
-      signature verification when using openssl plugin (CVE-2013-2944).
+  * debian/rules:
+    - only enable RdRand on i386 and amd64.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Mon, 06 May 2013 13:14:03 +0200
 
- -- Yves-Alexis Perez <corsac@debian.org>  Tue, 30 Apr 2013 09:47:27 +0200
+strongswan (5.0.4-1) experimental; urgency=low
+
+  * New upstream release.
+    - Fix for ECDSA signature verification vulnerability (CVE-2013-2944).
+  * debian/patches:
+    - 01_fix-manpages refreshed.
+    - 02_add-LICENSE dropped, included upstream.
+    - 03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali removed,
+      included upstream.
+    - 04-Fixed-IPv6-source-address-lookup dropped, included upstream. 
+  * debian/rules:
+    - --enable-smartcard, --with-default-pkcs11 and --enable-nat-transport not
+      valid anymore for ./configure, remove them.
+    - add --enable-xauth-eap and --enable-xauth-pam.
+    - remove pluto handling since it's gone
+    - don't special-case XAuth on kFreeBSD anymore.
+    - add --enable-attr-sql and --enable-rdrand.
+    - build using all hardening flags.
+    - use -Wl,--as-needed -Wl,-O1 for LDFLAGS.
+  * debian/control:
+    - drop strongswan-ikev1 package
+    - rename strongswan-ikev2 package to strongswan-ike for now and makes it
+      replace strongswan-ikev1 and strongswan-ikev2.
+    - rephrase long description to remove references to pluto.
+    - provide transition -ikev{1,2} packages for upgrades.
+  * debian/strongswan-ikev1.install removed.
+  * debian/strongswan-ikev2.* renamed to strongswan-ike.
+  * debian/strongswan-nm.install:
+    - NetworkManager plugin is now a separate executable.
+  * debian/libstrongswan.install:
+    - install new pkcs7, xauth-eap, xauth-generic, xauth-pam and nonce plugins.
+    - install libpttls files (experimental implementation of PT-TLS, RFC 6876)
+    - install rdrand plugin.
+  * debian/strongswan.docs: CREDITS file is gone.
+  * debian/ipsec.secrets.proto: remove reference to pluto.
+  * debian/strongswan-starter.* remove references to pluto.
+  * debian/po: update potfiles for new phrasing.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Sun, 05 May 2013 11:06:20 +0200
 
 strongswan (4.6.4-6) unstable; urgency=low
 
diff --git a/debian/control b/debian/control
index 36a02f757..54309fcb2 100644
--- a/debian/control
+++ b/debian/control
@@ -12,12 +12,12 @@ Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.2), libtool, libgmp3-dev,
   hardening-wrapper, libfcgi-dev, clearsilver-dev,
   libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7) [linux-any], 
   libnm-glib-vpn-dev (>= 0.7) [linux-any], libnm-util-dev (>= 0.7) [linux-any], 
-  gperf, libcap-dev [linux-any], autotools-dev
+  gperf, libcap-dev [linux-any], dh-autoreconf
 Homepage: http://www.strongswan.org
 
 Package: strongswan
-Architecture: any
-Depends: ${misc:Depends}, strongswan-ikev1 [linux-any], strongswan-ikev2
+Architecture: all
+Depends: ${misc:Depends}, strongswan-ike
 Suggests: network-manager-strongswan
 Description: IPsec VPN solution metapackage
  The strongSwan VPN suite is based on the IPsec stack in standard Linux 2.6
@@ -61,40 +61,19 @@ Description: strongSwan library and binaries - debugging symbols
 Package: strongswan-starter
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, 
-  libstrongswan (= ${binary:Version}), strongswan-ikev1 [linux-any] | strongswan-ikev2, 
+  libstrongswan (= ${binary:Version}), strongswan-ike,
   adduser
 Conflicts: strongswan (<< 4.2.12-1)
 Description: strongSwan daemon starter and configuration file parser
- StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
- native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ StrongSwan is an IPsec-based VPN solution for Linux and other Unixes. It uses
+ the native IPsec stack and runs on any recent kernel (no patching required).
  It supports both IKEv1 and the newer IKEv2 protocols.
  .
- The starter and the associated "ipsec" script control both pluto and charon
+ The starter and the associated "ipsec" script control the charon daemon
  from the command line. It parses ipsec.conf and loads the configurations to
- the daemons. While the IKEv2 daemon can use other configuration backends, the
- IKEv1 daemon is limited to configurations from ipsec.conf.
-
-Package: strongswan-ikev1
-Architecture: linux-any
-Pre-Depends: debconf | debconf-2.0
-Depends: ${shlibs:Depends}, ${misc:Depends}, 
-  libstrongswan (= ${binary:Version}), strongswan-starter, bsdmainutils,
-  debianutils (>=1.7), ipsec-tools, host, iproute [linux-any]
-Suggests: curl
-Provides: ike-server
-Conflicts: freeswan (<< 2.04-12), openswan, strongswan (<< 4.2.12-1)
-Replaces: openswan
-Description: strongSwan Internet Key Exchange (v1) daemon
- StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
- native IPsec stack and runs on any recent 2.6 kernel (no patching required).
- It supports both IKEv1 and the newer IKEv2 protocols.
- .
- Pluto is an IPsec IKEv1 daemon. It was inherited from the FreeS/WAN
- project, but provides improved X.509 certificate support and other features.
- .
- Pluto can run in parallel with charon, the newer IKEv2 daemon.
+ the daemon.
 
-Package: strongswan-ikev2
+Package: strongswan-ike
 Architecture: any
 Pre-Depends: debconf | debconf-2.0
 Depends: ${shlibs:Depends}, ${misc:Depends}, 
@@ -103,6 +82,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
 Suggests: curl
 Provides: ike-server
 Conflicts: freeswan (<< 2.04-12), openswan, strongswan (<< 4.2.12-1)
+Replaces: strongswan-ikev1, strongswan-ikev2
 Description: strongSwan Internet Key Exchange (v2) daemon
  StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
  native IPsec stack and runs on any recent 2.6 kernel (no patching required).
@@ -111,12 +91,10 @@ Description: strongSwan Internet Key Exchange (v2) daemon
  Charon is an IPsec IKEv2 daemon. It is
  written from scratch using a fully multi-threaded design and a modular
  architecture. Various plugins provide additional functionality.
- .
- This build of charon can run in parallel with pluto, the IKEv1 daemon.
 
 Package: strongswan-nm
 Architecture: linux-any
-Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-ikev2
+Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-ike
 Recommends: network-manager-strongswan
 Description: strongSwan plugin to interact with NetworkManager
  StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
@@ -127,3 +105,29 @@ Description: strongSwan plugin to interact with NetworkManager
  and control the IKEv2 daemon directly through D-Bus. It is designed to work
  in conjunction with the network-manager-strongswan package, providing
  a simple graphical frontend to configure IPsec based VPNs.
+
+Package: strongswan-ikev1
+Architecture: all
+Depends: ${misc:Depends}, strongswan-ike
+Section: oldlibs
+Priority: extra
+Description: strongswan IKEv1 daemon, transitional package
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ This package used to install the pluto daemon, implementing the IKEv1
+ protocol. It has been replaced by charon in the strongswan-ike package.
+
+Package: strongswan-ikev2
+Architecture: all
+Depends: ${misc:Depends}, strongswan-ike
+Section: oldlibs
+Priority: extra
+Description: strongswan IKEv2 daemon, transitional package
+ StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
+ native IPsec stack and runs on any recent 2.6 kernel (no patching required).
+ It supports both IKEv1 and the newer IKEv2 protocols.
+ .
+ This package used to install the charon daemon, implementing the IKEv2
+ protocol. It has been replaced the strongswan-ike package.
diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto
index 0fe54b65d..b164b64ed 100644
--- a/debian/ipsec.secrets.proto
+++ b/debian/ipsec.secrets.proto
@@ -1,5 +1,4 @@
-# This file holds shared secrets or RSA private keys for inter-Pluto
-# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
+# This file holds shared secrets or RSA private keys for authentication.
 
 # RSA private key for this host, authenticating it to any other host
 # which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install
index c69727d69..44c063f22 100644
--- a/debian/libstrongswan.install
+++ b/debian/libstrongswan.install
@@ -6,9 +6,11 @@ usr/lib/ipsec/libsimaka.so*
 usr/lib/ipsec/libtnccs.so*
 usr/lib/ipsec/libradius.so*
 usr/lib/ipsec/libtls.so*
+usr/lib/ipsec/libpttls.so*
 usr/lib/ipsec/plugins/libstrongswan-gmp.so
 usr/lib/ipsec/plugins/libstrongswan-openssl.so
 usr/lib/ipsec/plugins/libstrongswan-x509.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
 usr/lib/ipsec/plugins/libstrongswan-pgp.so
 usr/lib/ipsec/plugins/libstrongswan-pem.so
@@ -42,4 +44,11 @@ usr/lib/ipsec/plugins/libstrongswan-ldap.so
 usr/lib/ipsec/plugins/libstrongswan-attr*.so
 usr/lib/ipsec/plugins/libstrongswan-curl.so
 usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
+usr/lib/ipsec/plugins/libstrongswan-nonce.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
+usr/lib/ipsec/plugins/libstrongswan-rc2.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
+usr/lib/ipsec/plugins/libstrongswan-sshkey.so
 etc/strongswan.conf
diff --git a/debian/patches/01_fix-manpages.patch b/debian/patches/01_fix-manpages.patch
index c3b689bd9..656882939 100644
--- a/debian/patches/01_fix-manpages.patch
+++ b/debian/patches/01_fix-manpages.patch
@@ -1,7 +1,5 @@
-Index: strongswan/src/_updown/_updown.8
-===================================================================
---- strongswan.orig/src/_updown/_updown.8	2012-06-28 20:48:14.337158901 +0200
-+++ strongswan/src/_updown/_updown.8	2012-06-29 11:25:55.897696373 +0200
+--- a/src/_updown/_updown.8
++++ b/src/_updown/_updown.8
 @@ -1,6 +1,6 @@
  .TH _UPDOWN 8 "27 Apr 2006"
  .SH NAME
@@ -10,10 +8,8 @@ Index: strongswan/src/_updown/_updown.8
  .SH SYNOPSIS
  .I _updown
  is invoked by pluto when it has brought up a new connection. This script
-Index: strongswan/src/_updown_espmark/_updown_espmark.8
-===================================================================
---- strongswan.orig/src/_updown_espmark/_updown_espmark.8	2012-06-28 20:48:14.337158901 +0200
-+++ strongswan/src/_updown_espmark/_updown_espmark.8	2012-06-29 11:26:18.517907016 +0200
+--- a/src/_updown_espmark/_updown_espmark.8
++++ b/src/_updown_espmark/_updown_espmark.8
 @@ -1,6 +1,6 @@
  .TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
  .SH NAME
@@ -22,10 +18,8 @@ Index: strongswan/src/_updown_espmark/_updown_espmark.8
  .SH SYNOPSIS
  .I _updown_espmark
  is invoked by pluto when it has brought up a new connection. This script
-Index: strongswan/src/openac/openac.8
-===================================================================
---- strongswan.orig/src/openac/openac.8	2012-06-28 20:48:14.473160290 +0200
-+++ strongswan/src/openac/openac.8	2012-06-29 11:26:38.854096394 +0200
+--- a/src/openac/openac.8
++++ b/src/openac/openac.8
 @@ -1,6 +1,6 @@
  .TH IPSEC_OPENAC 8 "22 September 2007"
  .SH NAME
@@ -34,13 +28,11 @@ Index: strongswan/src/openac/openac.8
  .SH SYNOPSIS
  .B ipsec
  .B openac
-Index: strongswan/src/scepclient/scepclient.8
-===================================================================
---- strongswan.orig/src/scepclient/scepclient.8	2012-06-28 20:48:14.497160535 +0200
-+++ strongswan/src/scepclient/scepclient.8	2012-06-29 11:27:01.934311341 +0200
+--- a/src/scepclient/scepclient.8
++++ b/src/scepclient/scepclient.8
 @@ -1,7 +1,7 @@
- .\" 
- .TH "IPSEC_SCEPCLIENT" "8" "29 September 2005" "Jan Hutter, Martin Willi" ""
+ .\"
+ .TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" ""
  .SH "NAME"
 -ipsec scepclient \- Client for the SCEP protocol
 +ipsec_scepclient \- Client for the SCEP protocol
diff --git a/debian/patches/02_add-LICENSE.patch b/debian/patches/02_add-LICENSE.patch
deleted file mode 100644
index 60e2536c2..000000000
--- a/debian/patches/02_add-LICENSE.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Index: strongswan/LICENSE
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ strongswan/LICENSE	2012-06-29 15:32:05.809212661 +0200
-@@ -0,0 +1,47 @@
-+Except for code in the blowfish, des, md4 and md5 plugins (see below) the
-+following terms apply:
-+
-+For copyright information see the headers of individual source files.
-+
-+This program is free software; you can redistribute it and/or modify it under
-+the terms of the GNU General Public License as published by the Free Software
-+Foundation; either version 2 of the License, or (at your option) any later
-+version.
-+
-+This program is distributed in the hope that it will be useful, but WITHOUT ANY
-+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-+PARTICULAR PURPOSE. See the GNU General Public License for more details.
-+
-+You should have received a copy of the GNU General Public License along with
-+this program; if not, see <http://www.gnu.org/licenses>.
-+
-+Linking strongSwan statically or dynamically with other modules is making a
-+combined work based on strongSwan. Thus, the terms and conditions of the GNU
-+General Public License cover the whole combination.
-+
-+In addition, as a special exception, the copyright holders of strongSwan give
-+you permission to combine strongSwan with free software programs or libraries
-+that are released under the GNU LGPL and with code included in the standard
-+release of the OpenSSL project's OpenSSL library under the OpenSSL or SSLeay
-+licenses (or modified versions of such code, with unchanged license). You may
-+copy and distribute such a system following the terms of the GNU GPL for
-+strongSwan and the licenses of the other code concerned, provided that you
-+include the source code of that other code when and as the GNU GPL requires
-+distribution of source code.
-+
-+Note that people who make modified versions of strongSwan are not obligated to
-+grant this special exception for their modified versions; it is their choice
-+whether to do so. The GNU General Public License gives permission to release a
-+modified version without this exception; this exception also makes it possible
-+to release a modified version which carries forward this exception.
-+
-+
-+The DES implementation in the des plugin and the Blowfish implementation in the
-+blowfish plugin are under a BSD style license, see
-+src/libstrongswan/plugins/des and src/libstrongswan/plugins/blowfish.
-+Note that these parts have an advertising clause in it.
-+
-+The MD4 and MD5 implementations in the md4 and md5 plugins are from RSA Data
-+Security Inc., so this package must include the following phrase:
-+"derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm".
-+
diff --git a/debian/patches/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch b/debian/patches/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
deleted file mode 100644
index 68cf1c3bf..000000000
--- a/debian/patches/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 49e918021b16f2be8650f3aa24c464a829758b26 Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@revosec.ch>
-Date: Mon, 25 Jun 2012 16:02:20 +0200
-Subject: [PATCH 2/2] Pass "lo" as faked tundev to NM, as it now needs a valid
- interface since 0.9
-
----
- src/libcharon/plugins/nm/nm_service.c |    7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/src/libcharon/plugins/nm/nm_service.c
-+++ b/src/libcharon/plugins/nm/nm_service.c
-@@ -89,11 +89,12 @@ static void signal_ipv4_config(NMVPNPlug
- 	me = ike_sa->get_my_host(ike_sa);
- 	handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
- 
--	/* NM requires a tundev, but netkey does not use one. Passing an invalid
--	 * iface makes NM complain, but it accepts it without fiddling on eth0. */
-+	/* NM requires a tundev, but netkey does not use one. Passing the physical
-+	 * interface does not work, as NM fiddles around with it. Passing the
-+	 * loopback seems to work, though... */
- 	val = g_slice_new0 (GValue);
- 	g_value_init (val, G_TYPE_STRING);
--	g_value_set_string (val, "none");
-+	g_value_set_string (val, "lo");
- 	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
- 
- 	val = g_slice_new0(GValue);
diff --git a/debian/patches/04-Fixed-IPv6-source-address-lookup.patch b/debian/patches/04-Fixed-IPv6-source-address-lookup.patch
deleted file mode 100644
index 91eac4094..000000000
--- a/debian/patches/04-Fixed-IPv6-source-address-lookup.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 7beb31aae4e231f95366dc2ef83888e197bc693c Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 18 Jun 2012 12:01:10 +0200
-Subject: [PATCH] Fixed IPv6 source address lookup
-
-Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
-IPv6 routes we didn't use NLM_F_DUMP to get all routes.
-Still routes installed with policies are installed also for IPv6.
-So since only one route is returned without DUMP, and we ignore
-all routes from our own routing table, no source address was found
-during roaming if DST of the installed route included the IKE peer.
-
-With newer kernels we can now use DUMP as we did for IPv4 already,
-for older kernels we do so if our own routes are installed in a
-separate routing table, otherwise we still use GET.
----
- .../plugins/kernel_netlink/kernel_netlink_net.c    |   48 ++++++++++++++++++--
- 1 file changed, 43 insertions(+), 5 deletions(-)
-
-Index: strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
-===================================================================
---- strongswan.orig/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c	2012-06-28 21:16:07.000000000 +0200
-+++ strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c	2012-07-02 17:10:51.224474221 +0200
-@@ -38,6 +38,7 @@
-  */
- 
- #include <sys/socket.h>
-+#include <sys/utsname.h>
- #include <linux/netlink.h>
- #include <linux/rtnetlink.h>
- #include <unistd.h>
-@@ -183,6 +184,11 @@
- 	bool install_virtual_ip;
- 
- 	/**
-+	 * whether preferred source addresses can be specified for IPv6 routes
-+	 */
-+	bool rta_prefsrc_for_ipv6;
-+
-+	/**
- 	 * list with routing tables to be excluded from route lookup
- 	 */
- 	linked_list_t *rt_exclude;
-@@ -869,11 +875,11 @@
- 
- 	hdr = (struct nlmsghdr*)request;
- 	hdr->nlmsg_flags = NLM_F_REQUEST;
--	if (dest->get_family(dest) == AF_INET)
--	{
--		/* We dump all addresses for IPv4, as we want to ignore IPsec specific
--		 * routes installed by us. But the kernel does not return source
--		 * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
-+	if (dest->get_family(dest) == AF_INET || this->rta_prefsrc_for_ipv6 ||
-+		this->routing_table)
-+	{	/* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
-+		 * as we want to ignore routes with virtual IPs we cannot use DUMP
-+		 * if these routes are not installed in a separate table */
- 		hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
- 	}
- 	hdr->nlmsg_type = RTM_GETROUTE;
-@@ -1443,6 +1449,36 @@
- 	return this->socket->send_ack(this->socket, hdr);
- }
- 
-+/**
-+ * check for kernel features (currently only via version number)
-+ */
-+static void check_kernel_features(private_kernel_netlink_net_t *this)
-+{
-+	struct utsname utsname;
-+	int a, b, c;
-+
-+	if (uname(&utsname) == 0)
-+	{
-+		switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c))
-+		{
-+			case 3:
-+				if (a == 2)
-+				{
-+					DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
-+						 "RTA_PREFSRC for IPv6 routes", a, b, c);
-+					break;
-+				}
-+				/* fall-through */
-+			case 2:
-+				/* only 3.x+ uses two part version numbers */
-+				this->rta_prefsrc_for_ipv6 = TRUE;
-+				break;
-+			default:
-+				break;
-+		}
-+	}
-+}
-+
- METHOD(kernel_net_t, destroy, void,
- 	private_kernel_netlink_net_t *this)
- {
-@@ -1509,6 +1545,8 @@
- 	);
- 	timerclear(&this->last_roam);
- 
-+	check_kernel_features(this);
-+
- 	exclude = lib->settings->get_str(lib->settings,
- 					"%s.ignore_routing_tables", NULL, hydra->daemon);
- 	if (exclude)
diff --git a/debian/patches/series b/debian/patches/series
index 29c60134c..2cf256b6c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1 @@
 01_fix-manpages.patch
-02_add-LICENSE.patch
-03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
-04-Fixed-IPv6-source-address-lookup.patch
-0001-Check-return-value-of-ECDSA_Verify-correctly.patch
diff --git a/debian/po/cs.po b/debian/po/cs.po
index abaab5d9a..9edf61ee1 100644
--- a/debian/po/cs.po
+++ b/debian/po/cs.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-10-16 13:09+0200\n"
 "Last-Translator: Miroslav Kure <kurem@debian.cz>\n"
 "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
@@ -73,43 +73,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Spustit strongSwan daemon IKEv1?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Pro podporu 1. verze protokolu Internet Key Exchange musí běžet daemon pluto."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Spustit strongSwan daemon IKEv2?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Pro podporu 2. verze protokolu Internet Key Exchange musí běžet daemon "
 "charon."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Použít pro tento po�íta� certifikát X.509?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -128,7 +119,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -138,25 +129,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "vytvořit"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importovat"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Získání certifikátu X.509 pro autentizaci tohoto po�íta�e:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -168,7 +159,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -185,7 +176,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -205,13 +196,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Jméno souboru s certifikátem X.509 ve formátu PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -220,13 +211,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Jméno souboru se soukromým klí�em X.509 ve formátu PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -238,13 +229,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Jméno souboru s kořenovou certifika�ní autoritou X.509 ve formátu PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -260,13 +251,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Zadejte délku vytvářeného RSA klí�e:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -279,13 +270,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Vytvořit certifikát X.509 podepsaný sám sebou?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -305,7 +296,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -317,13 +308,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Kód státu pro požadavek na certifikát X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -333,7 +324,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -345,13 +336,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Jméno země nebo oblasti pro požadavek na certifikát X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -361,13 +352,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Jméno lokality pro požadavek na certifikát X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -377,26 +368,26 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Název organizace pro požadavek na certifikát X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr "Zadejte název organizace, které server patří (například „Debian“)."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Název organiza�ní jednotky pro požadavek na certifikát X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -406,13 +397,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Obecné jméno pro požadavek na certifikát X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -420,13 +411,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "Emailová adresa pro požadavek na certifikát X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -436,13 +427,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Povolit oportunistické šifrování?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -456,16 +447,30 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Oportunistické šifrování byste měli povolit pouze v případě, že ho opravdu "
 "chcete. Při startu daemona pluto je možné, že se vaše probíhající spojení do "
 "Internetu přeruší (přesněji přestane fungovat výchozí cesta)."
 
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Pro podporu 1. verze protokolu Internet Key Exchange musí běžet daemon "
+#~ "pluto."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Spustit strongSwan daemon IKEv2?"
+
 #~ msgid "Do you wish to restart strongSwan?"
 #~ msgstr "Přejete si restartovat strongSwan?"
 
diff --git a/debian/po/da.po b/debian/po/da.po
index 0687e0219..8adb3ca3e 100644
--- a/debian/po/da.po
+++ b/debian/po/da.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-11-04 12:42+0000\n"
 "Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
 "Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
@@ -69,44 +69,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Start strongSwans IKEv1-dæmon?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Dæmonen pluto skal køre for at understøtte version 1 af Internet Key "
-"Exchange-protokollen."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Start streongSwans IKEv2-dæmon?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Dæmonen charon skal køre for at understøtte version 2 af Internet Key "
 "Exchange-protokollen."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Brug et X.509-certifikat for denne vært?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -126,7 +116,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -136,26 +126,26 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "opret"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importer"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Metoder hvormed et X.509-certifikat kan bruges til at godkende denne vært:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -167,7 +157,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -185,7 +175,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -205,13 +195,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Filnavn på dit PEM-formateret X.509-certifikat:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -221,13 +211,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Filnavn på din private PEM-formateret X.509-nøgle:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -239,13 +229,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Filnavn på dit PEM-formaterede X.509-RootCA:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -261,13 +251,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Indtast venligst hvilken længde den oprettede RSA-nøgle skal have:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -281,13 +271,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Opret et X.509-certifikat du selv har underskrevet?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -308,7 +298,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -320,7 +310,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Landekode for X.509-certifikatforespørgslen:"
 
@@ -330,7 +320,7 @@ msgstr "Landekode for X.509-certifikatforespørgslen:"
 # som Midtjylland DK-82 med flere.
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -340,7 +330,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -352,13 +342,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Stat eller provinsnavn for X.509-certifikatforespørgslen:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -368,13 +358,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Lokalitetsnavn for X.509-certifikatforespørgslen:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -384,13 +374,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Organisationsnavn for X.509-certifikatforespørglsen:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -398,13 +388,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Organisationsgruppe for X.509-certifikatforespørgslen:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -414,13 +404,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Betegnelsen for X.509-certifikatforespørgslen:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -429,13 +419,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "E-post-adresse for X.509-certifikatforespørgslen:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -445,13 +435,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Aktiver opportunistisk kryptering?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -465,12 +455,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Du skal kun aktivere opportunistisk kryptering, hvis du er sikker på, at du "
 "ønsker det. Det kan få internetforbindelsen til at gå ned (standardrute), "
 "når plutodæmonen starter op."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Dæmonen pluto skal køre for at understøtte version 1 af Internet Key "
+#~ "Exchange-protokollen."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Start streongSwans IKEv2-dæmon?"
diff --git a/debian/po/de.po b/debian/po/de.po
index 8930d6b5b..95aaa6224 100644
--- a/debian/po/de.po
+++ b/debian/po/de.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan 4.4.0-1\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-06-29 21:55+0200\n"
 "Last-Translator: Helge Kreutzmann <debian@helgefjell.de>\n"
 "Language-Team: German <debian-l10n-german@lists.debian.org>\n"
@@ -72,44 +72,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "strongSwans IKEv1-Daemon starten?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Der Pluto-Daemon muss laufen, um Version 1 des Internet Key Exchange-"
-"Protokolls zu unterstützen."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "strongSwans IKEv2-Daemon starten?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Der Charon-Daemon muss laufen, um Version 2 des Internet Key Exchange-"
 "Protokolls zu unterstützen."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Für diesen Rechner ein X.509-Zertifikat verwenden?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -130,7 +120,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -140,19 +130,19 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "erstellen"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importieren"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Methoden für die Authentifizierung dieses Rechners mittels eines X.509-"
@@ -160,7 +150,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -173,7 +163,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -194,7 +184,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -216,13 +206,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Dateiname Ihres X.509-Zertifikats im PEM-Format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -232,13 +222,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Dateiname des privaten X.509-Schlüssels im PEM-Format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -250,13 +240,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Dateinamen Ihrer PEM-Format-X.509-RootCA:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -273,14 +263,14 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr ""
 "Bitte geben Sie ein, welche Länge der erstellte RSA-Schlüssels haben soll:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -294,13 +284,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Selbstsigniertes X.509-Zertifikat erstellen?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -322,7 +312,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -335,13 +325,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Ländercode für die X.509-Zertifikatsanforderung:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -351,7 +341,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -363,13 +353,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Name des Landes oder der Provinz für diese X.509-Zertifikatsanfrage:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -379,13 +369,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Ort für die X.509-Zertifikatsanforderung:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -395,13 +385,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Organisationsname für die X.509-Zertifikatsanforderung:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -410,13 +400,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Organisationseinheit für die X.509-Zertifikatsanforderung:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -426,13 +416,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "»Common Name« für die X.509-Zertifikatsanforderung:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -441,13 +431,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "E-Mail-Adresse für die X.509-Zertifikatsanforderung:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -457,13 +447,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Opportunistische Verschlüsselung aktivieren?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -477,17 +467,31 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Sie sollten opportunistische Verschlüsselung nur verwenden, falls Sie sich "
 "sicher sind, dass Sie sie verwenden möchten. Beim Starten des Pluto-Daemons "
 "könnte die Internetverbindung (Default Route) unterbrochen werden."
 
 #~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Der Pluto-Daemon muss laufen, um Version 1 des Internet Key Exchange-"
+#~ "Protokolls zu unterstützen."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "strongSwans IKEv2-Daemon starten?"
+
+#~ msgid ""
 #~ "Previous versions of the Openswan package gave a choice between three "
 #~ "different Start/Stop-Levels. Due to changes in the standard system "
 #~ "startup procedure, this is no longer necessary or useful. For all new "
diff --git a/debian/po/es.po b/debian/po/es.po
index b1b8cb1f3..888f99e15 100644
--- a/debian/po/es.po
+++ b/debian/po/es.po
@@ -28,7 +28,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan 4.4.1-5\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-10-09 20:45+0100\n"
 "Last-Translator: Francisco Javier Cuadrado <fcocuadrado@gmail.com>\n"
 "Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
@@ -91,44 +91,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "¿Desea iniciar el demonio IKEv1 de StrongSwan?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"El demonio pluto se debe ejecutar para poder utilizar la versión 1 del "
-"protocolo de intercambio de claves por internet («Internet Key Exchange»)."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "¿Desea iniciar el demonio IKEv2 de StrongSwan?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "El demonio charon se debe ejecutar para permitir utilizar la versión 2 del "
 "protocolo de intercambio de claves por internet («Internet Key Exchange»)."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "¿Desea utilizar un certificado X.509 para esta máquina?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -148,7 +138,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -158,26 +148,26 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "crear"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importar"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Métodos para utilizar un certificado X.509 para autenticar esta máquina:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -189,7 +179,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -208,7 +198,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -229,13 +219,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Nombre del archivo del certificado X.509 en el formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -245,7 +235,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr ""
 "Nombre del archivo de la clave privada del certificado X.509 en el formato "
@@ -253,7 +243,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -265,7 +255,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr ""
 "Nombre del archivo del certificado X.509 de la raíz de la Autoridad de "
@@ -273,7 +263,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -290,13 +280,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Introduzca la longitud que debería tener la clave RSA creada:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -310,13 +300,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "¿Desea crear un certificado X.509 auto-firmado?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -337,7 +327,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -349,13 +339,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Código del país para la petición del certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -365,7 +355,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -377,13 +367,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Estado o provincia para la petición del certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -393,13 +383,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Localidad para la petición del certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -409,13 +399,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Nombre de la organización para la petición del certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -424,13 +414,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Unidad de la organización para la petición del certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -440,13 +430,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Nombre Común (CN) para la petición del certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -455,14 +445,14 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr ""
 "Dirección de correo electrónico para la petición del certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -472,13 +462,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "¿Desea activar el cifrado oportunístico?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -493,16 +483,30 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Sólo debería activar el cifrado oportunístico si está seguro que lo quiere. "
 "Esto puede romper la conexión a internet (la ruta predeterminada) cuando el "
 "demonio pluto se inicie."
 
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "El demonio pluto se debe ejecutar para poder utilizar la versión 1 del "
+#~ "protocolo de intercambio de claves por internet («Internet Key Exchange»)."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "¿Desea iniciar el demonio IKEv2 de StrongSwan?"
+
 #~ msgid "earliest"
 #~ msgstr "lo más pronto posible"
 
diff --git a/debian/po/eu.po b/debian/po/eu.po
index 0b672b811..e54921624 100644
--- a/debian/po/eu.po
+++ b/debian/po/eu.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan_4.4.1-5.1_eu\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-11-16 20:23+0100\n"
 "Last-Translator: Iñaki Larrañaga Murgoitio <dooteo@zundan.com>\n"
 "Language-Team: Basque <debian-l10n-basque@lists.debian.org>\n"
@@ -72,44 +72,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "StrongSwan-ren IKEv1 daemona abiarazi?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"'pluto' daemona exekutatzen egon behar da Interneteko Gakoen Trukaketa (IKE) "
-"protokoloaren lehen bertsioa onartzeko."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "StrongSwan-ren IKEv2 daemona abiarazi?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "'charon' daemona exekutatzen egon behar da Interneteko Gakoen Trukaketa "
 "(IKE) protokoloaren lehen bertsioa onartzeko."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "X.509 ziurtagiria erabili ostalari honentzako?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -129,7 +119,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -139,25 +129,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "sortu"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "inportatu"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Metodoa ostalari hau X.509 ziurtagiria erabiliz autentifikatzeko:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -169,7 +159,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -188,7 +178,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -208,13 +198,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Zure PEM formatuko X.509 ziurtagiriaren fitxategi-izena :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -224,13 +214,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "PEM formatuko X.509 gako pribatuaren fitxategi-izena :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -242,13 +232,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "PEM formatuko X.509 ziurtagiriaren fitxategi-izena:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -264,13 +254,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Sartu sortutako RSA gakoak edukiko duen luzera:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -284,13 +274,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Sortu auto-sinatutako X.509 ziurtagiria?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -310,7 +300,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -322,13 +312,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "X.509 ziurtagiriaren eskaeraren herrialdearen kodea:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -338,7 +328,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -350,13 +340,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "X.509 ziurtagiri eskaeraren estatu edo probintziaren izena:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -366,13 +356,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "X.509 ziurtagiri eskaeraren herriaren izena:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -382,26 +372,26 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "X.509 ziurtagiri eskaeraren erakundearen izena:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr "Idatzi zerbitzaria duen erakundea (adibidez, \"Debian\")"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "X.509 ziurtagiri eskaeraren saila:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -409,13 +399,13 @@ msgstr "Idatzi zerbitzaria duen saila (adibidez, \"segurtasunaren taldea\")"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "X.509 ziurtagiri eskaeraren izen arrunta:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -423,13 +413,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "X.509 ziurtagiri eskaeraren helbide elektronikoa:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -439,13 +429,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Gaitu enkriptazio oportunista?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -459,12 +449,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Enkriptazio oportunista behar duzula ziur bazaude bakarrik gaitu beharko "
 "zenuke. Interneteko konexioak moztuko dira (lehenetsitako atebidea) pluto "
 "daemona abiaraztean."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "'pluto' daemona exekutatzen egon behar da Interneteko Gakoen Trukaketa "
+#~ "(IKE) protokoloaren lehen bertsioa onartzeko."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "StrongSwan-ren IKEv2 daemona abiarazi?"
diff --git a/debian/po/fi.po b/debian/po/fi.po
index 1b226f9a9..f74f40e59 100644
--- a/debian/po/fi.po
+++ b/debian/po/fi.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2009-05-25 14:49+0100\n"
 "Last-Translator: Esko Arajärvi <edu@iki.fi>\n"
 "Language-Team: Finnish <debian-l10n-finnish@lists.debian.org>\n"
@@ -54,9 +54,8 @@ msgid ""
 "Restarting strongSwan is recommended, since if there is a security fix, it "
 "will not be applied until the daemon restarts. Most people expect the daemon "
 "to restart, so this is generally a good idea. However, this might take down "
-"existing connections and then bring them back up, so if you are using such "
-"a strongSwan tunnel to connect for this update, restarting is not "
-"recommended."
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
 msgstr ""
 "On suositeltavaa käynnistää strongSwan-taustaohjelma uudelleen, koska "
 "mahdolliset tietoturvapäivitykset eivät tule käyttöön ennen tätä. Tämä "
@@ -66,38 +65,28 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Käynnistetäänkö strongSwanin IKEv1-taustaohjelma?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Internet Key Exchange -protokollan version 1 tuki vaatii, että pluto-"
-"taustaohjelma on käynnissä."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Käynnistetäänkö strongSwanin IKEv2-taustaohjelma?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Internet Key Exchange -protokollan version 2 tuki vaatii, että charon-"
 "taustaohjelma on käynnissä."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 #, fuzzy
 #| msgid "Use an existing X.509 certificate for strongSwan?"
 msgid "Use an X.509 certificate for this host?"
@@ -105,7 +94,7 @@ msgstr "Tulisiko strongSwanin käyttää olemassa olevaa X.509-varmennetiedostoa
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -118,7 +107,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -126,25 +115,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -153,7 +142,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -165,7 +154,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -178,7 +167,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 #, fuzzy
 #| msgid "File name of your X.509 certificate in PEM format:"
 msgid "File name of your PEM format X.509 certificate:"
@@ -186,7 +175,7 @@ msgstr "PEM-muodossa olevan X.509-varmennetiedoston nimi:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 #, fuzzy
 #| msgid ""
 #| "Please enter the full location of the file containing your X.509 "
@@ -200,7 +189,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 #, fuzzy
 #| msgid "File name of your existing X.509 private key in PEM format:"
 msgid "File name of your PEM format X.509 private key:"
@@ -208,7 +197,7 @@ msgstr "PEM-muotoisen, olemassa olevan, salaisen X.509-avaimen tiedostonimi:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 #, fuzzy
 #| msgid ""
 #| "Please enter the full location of the file containing the private RSA key "
@@ -225,7 +214,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 #, fuzzy
 #| msgid "File name of your X.509 certificate in PEM format:"
 msgid "File name of your PEM format X.509 RootCA:"
@@ -233,7 +222,7 @@ msgstr "PEM-muodossa olevan X.509-varmennetiedoston nimi:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -244,13 +233,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -260,7 +249,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 #, fuzzy
 #| msgid "Create a self-signed X.509 certificate?"
 msgid "Create a self-signed X.509 certificate?"
@@ -268,7 +257,7 @@ msgstr "Luodaanko itseallekirjoitettu X.509-varmenne?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -281,7 +270,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 #, fuzzy
 #| msgid ""
 #| "If you do not accept this option, only the RSA private key will be "
@@ -298,7 +287,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 #, fuzzy
 #| msgid "Country code for the X.509 certificate request:"
 msgid "Country code for the X.509 certificate request:"
@@ -306,7 +295,7 @@ msgstr "X.509-varmennepyynnön maakoodi:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -314,7 +303,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -323,7 +312,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 #, fuzzy
 #| msgid "State or province name for the X.509 certificate request:"
 msgid "State or province name for the X.509 certificate request:"
@@ -331,7 +320,7 @@ msgstr "X.509-varmennepyynnön osavaltio, lääni tai maakunta:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 #, fuzzy
 #| msgid ""
 #| "Please enter the full name of the state or province to include in the "
@@ -345,7 +334,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 #, fuzzy
 #| msgid "Locality name for the X.509 certificate request:"
 msgid "Locality name for the X.509 certificate request:"
@@ -353,7 +342,7 @@ msgstr "X.509-varmennepyynnön paikkakunta:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -361,7 +350,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 #, fuzzy
 #| msgid "Organization name for the X.509 certificate request:"
 msgid "Organization name for the X.509 certificate request:"
@@ -369,14 +358,14 @@ msgstr "X.509-varmennepyynnön järjestön nimi:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 #, fuzzy
 #| msgid "Organizational unit for the X.509 certificate request:"
 msgid "Organizational unit for the X.509 certificate request:"
@@ -384,7 +373,7 @@ msgstr "X.509-varmennepyynnön järjestön yksikkö:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 #, fuzzy
 #| msgid "Organizational unit for the X.509 certificate request:"
 msgid ""
@@ -394,7 +383,7 @@ msgstr "X.509-varmennepyynnön järjestön yksikkö:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 #, fuzzy
 #| msgid "Common name for the X.509 certificate request:"
 msgid "Common Name for the X.509 certificate request:"
@@ -402,14 +391,14 @@ msgstr "X.509-varmennepyynnön yleinen nimi:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 #, fuzzy
 #| msgid "Email address for the X.509 certificate request:"
 msgid "Email address for the X.509 certificate request:"
@@ -417,7 +406,7 @@ msgstr "X.509-varmennepyynnön sähköpostiosoite:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 #, fuzzy
 #| msgid ""
 #| "Please enter the email address (for the individual or organization "
@@ -430,13 +419,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Käytetäänkö opportunistista salausta?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -450,16 +439,30 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Valitse opportunistinen salaus vain, jos olet varma, että haluat sen "
 "käyttöön. Se saattaa rikkoa Internet-yhteyden (oletusreitityksen), kun pluto-"
 "taustaohjelma käynnistyy."
 
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Internet Key Exchange -protokollan version 1 tuki vaatii, että pluto-"
+#~ "taustaohjelma on käynnissä."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Käynnistetäänkö strongSwanin IKEv2-taustaohjelma?"
+
 #, fuzzy
 #~| msgid "When to start strongSwan:"
 #~ msgid "Do you wish to restart strongSwan?"
diff --git a/debian/po/fr.po b/debian/po/fr.po
index 22a9f6bc7..b868e0f89 100644
--- a/debian/po/fr.po
+++ b/debian/po/fr.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-06-24 22:17+0200\n"
 "Last-Translator: Christian Perrier <bubulle@debian.org>\n"
 "Language-Team: French <debian-l10n-french@lists.debian.org>\n"
@@ -60,9 +60,8 @@ msgid ""
 "Restarting strongSwan is recommended, since if there is a security fix, it "
 "will not be applied until the daemon restarts. Most people expect the daemon "
 "to restart, so this is generally a good idea. However, this might take down "
-"existing connections and then bring them back up, so if you are using such "
-"a strongSwan tunnel to connect for this update, restarting is not "
-"recommended."
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
 msgstr ""
 "Redémarrer strongSwan est préférable car un éventuel correctif de sécurité "
 "ne prendra effet que si le démon est redémarré. La plupart des utilisateurs "
@@ -75,44 +74,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Faut-il démarrer le démon IKEv1 de StrongSwan ?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Le démon « pluto » doit fonctionner pour que la version 1 du protocole IKE "
-"(Internet Key Exchange) puisse être gérée."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Faut-il démarrer le démon IKEv2 de StrongSwan ?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Le démon « charon » doit fonctionner pour que la version 2 du protocole IKE "
 "(Internet Key Exchange) puisse être gérée."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Faut-il utiliser un certificat X.509 existant avec cet hôte ?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -133,7 +122,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -143,19 +132,19 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "Créer"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "Importer"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Méthode de mise en place d'un certificat X.509 pour l'authentification de "
@@ -163,7 +152,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -175,7 +164,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -193,7 +182,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -213,13 +202,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Nom du fichier PEM contenant le certificat X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -229,13 +218,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Nom du fichier PEM contenant la clé privée X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -247,7 +236,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr ""
 "Nom du fichier PEM contenant le certificat X.509 de l'autorité de "
@@ -255,7 +244,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -272,13 +261,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Longueur de la clé RSA à créer :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -293,13 +282,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Souhaitez-vous créer un certificat X.509 auto-signé ?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -320,7 +309,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -332,13 +321,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Code du pays pour la demande de certificat X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -348,7 +337,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -360,13 +349,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "État ou province pour la demande de certificat X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -376,13 +365,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Localité pour la demande de certificat X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -392,13 +381,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Organisme pour la demande de certificat X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -406,13 +395,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Unité d'organisation pour la demande de certificat X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -422,13 +411,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Nom ordinaire pour la demande de certification X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -437,13 +426,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "Adresse électronique pour la demande de certificat X.509 :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -453,13 +442,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Faut-il activer le chiffrement opportuniste ?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -473,16 +462,30 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Vous ne devriez l'activer que s'il est indispensable de l'utiliser. Il est "
 "possible que cela coupe la connexion Internet (la route par défaut) au "
 "moment où le démon « pluto » démarre."
 
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Le démon « pluto » doit fonctionner pour que la version 1 du protocole "
+#~ "IKE (Internet Key Exchange) puisse être gérée."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Faut-il démarrer le démon IKEv2 de StrongSwan ?"
+
 #, fuzzy
 #~ msgid "Do you wish to restart strongSwan?"
 #~ msgstr "Moment de démarrage de strongSwan :"
diff --git a/debian/po/gl.po b/debian/po/gl.po
index e92bbd1ea..11125f690 100644
--- a/debian/po/gl.po
+++ b/debian/po/gl.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: templates_[kI6655]\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2009-05-25 14:50+0100\n"
 "Last-Translator: marce villarino <mvillarino@users.sourceforge.net>\n"
 "Language-Team: Galician <proxecto@trasno.ent>\n"
@@ -54,9 +54,8 @@ msgid ""
 "Restarting strongSwan is recommended, since if there is a security fix, it "
 "will not be applied until the daemon restarts. Most people expect the daemon "
 "to restart, so this is generally a good idea. However, this might take down "
-"existing connections and then bring them back up, so if you are using such "
-"a strongSwan tunnel to connect for this update, restarting is not "
-"recommended."
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
 msgstr ""
 "Recoméndase reiniciar strongSwan porque se houbese algunha actualización de "
 "seguridade non se aplicará até que se reinicie o daemon. Porén, pode pechar "
@@ -65,38 +64,28 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Desexa iniciar o daemon IKEv1 de strongSwan?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"O daemon pluto debe estar en execución para soportar a versión 1 do "
-"protocolo Internet Key Exchange."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Desexa iniciar o IKEv2 de strongSwan?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "O daemon charon debe estar en execución para soportar a versión 2 do "
 "protocolo Internet Key Exchange."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 #, fuzzy
 #| msgid "Use an existing X.509 certificate for strongSwan?"
 msgid "Use an X.509 certificate for this host?"
@@ -104,7 +93,7 @@ msgstr "Desexa empregar un certificado X.509 xa existente para strongSwan?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -117,7 +106,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -125,25 +114,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -152,7 +141,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -164,7 +153,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -177,7 +166,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 #, fuzzy
 #| msgid "File name of your X.509 certificate in PEM format:"
 msgid "File name of your PEM format X.509 certificate:"
@@ -185,7 +174,7 @@ msgstr "Nome do ficheiro do certificado X.509 en formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 #, fuzzy
 #| msgid ""
 #| "Please enter the full location of the file containing your X.509 "
@@ -199,7 +188,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 #, fuzzy
 #| msgid "File name of your existing X.509 private key in PEM format:"
 msgid "File name of your PEM format X.509 private key:"
@@ -207,7 +196,7 @@ msgstr "Nome do ficheiro coa chave privada X.509 en formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 #, fuzzy
 #| msgid ""
 #| "Please enter the full location of the file containing the private RSA key "
@@ -224,7 +213,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 #, fuzzy
 #| msgid "File name of your X.509 certificate in PEM format:"
 msgid "File name of your PEM format X.509 RootCA:"
@@ -232,7 +221,7 @@ msgstr "Nome do ficheiro do certificado X.509 en formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -243,13 +232,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -259,7 +248,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 #, fuzzy
 #| msgid "Create a self-signed X.509 certificate?"
 msgid "Create a self-signed X.509 certificate?"
@@ -267,7 +256,7 @@ msgstr "Desexa crear un certificado X.509 autoasinado?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -280,7 +269,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 #, fuzzy
 #| msgid ""
 #| "If you do not accept this option, only the RSA private key will be "
@@ -296,7 +285,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 #, fuzzy
 #| msgid "Country code for the X.509 certificate request:"
 msgid "Country code for the X.509 certificate request:"
@@ -304,7 +293,7 @@ msgstr "Código de país para o pedido do certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -312,7 +301,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -321,7 +310,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 #, fuzzy
 #| msgid "State or province name for the X.509 certificate request:"
 msgid "State or province name for the X.509 certificate request:"
@@ -329,7 +318,7 @@ msgstr "Nome do estado ou provincia para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 #, fuzzy
 #| msgid ""
 #| "Please enter the full name of the state or province to include in the "
@@ -343,7 +332,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 #, fuzzy
 #| msgid "Locality name for the X.509 certificate request:"
 msgid "Locality name for the X.509 certificate request:"
@@ -351,7 +340,7 @@ msgstr "Nome de localidade para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -359,7 +348,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 #, fuzzy
 #| msgid "Organization name for the X.509 certificate request:"
 msgid "Organization name for the X.509 certificate request:"
@@ -367,14 +356,14 @@ msgstr "Nome da organización para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 #, fuzzy
 #| msgid "Organizational unit for the X.509 certificate request:"
 msgid "Organizational unit for the X.509 certificate request:"
@@ -382,7 +371,7 @@ msgstr "Unidade organizacional para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 #, fuzzy
 #| msgid "Organizational unit for the X.509 certificate request:"
 msgid ""
@@ -392,7 +381,7 @@ msgstr "Unidade organizacional para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 #, fuzzy
 #| msgid "Common name for the X.509 certificate request:"
 msgid "Common Name for the X.509 certificate request:"
@@ -400,14 +389,14 @@ msgstr "Nome común para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 #, fuzzy
 #| msgid "Email address for the X.509 certificate request:"
 msgid "Email address for the X.509 certificate request:"
@@ -415,7 +404,7 @@ msgstr "Enderezo de correo electrónico para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 #, fuzzy
 #| msgid ""
 #| "Please enter the email address (for the individual or organization "
@@ -429,13 +418,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Desexa activar a cifraxe oportunista?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -449,16 +438,30 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Só debería activar a cifraxe oportunista se está certo de que a desexa. Pode "
 "estragar a conexión a Internet (a rota por omisión) segundo se inicie o "
 "daemon pluto."
 
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "O daemon pluto debe estar en execución para soportar a versión 1 do "
+#~ "protocolo Internet Key Exchange."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Desexa iniciar o IKEv2 de strongSwan?"
+
 #, fuzzy
 #~| msgid "When to start strongSwan:"
 #~ msgid "Do you wish to restart strongSwan?"
diff --git a/debian/po/it.po b/debian/po/it.po
index e9f11d539..1cae0f7aa 100644
--- a/debian/po/it.po
+++ b/debian/po/it.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-11-13 16:03+0100\n"
 "Last-Translator: Vincenzo Campanella <vinz65@gmail.com>\n"
 "Language-Team: Italian <tp@lists.linux.it>\n"
@@ -70,44 +70,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Avviare il demone di strongSwan IKEv1?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Per il supporto alla versione 1 del protocollo IKE (Internet Key Exchange) è "
-"necessario che il demone pluto sia in esecuzione."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Avviare il demone di strongSwan IKEv2?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Per il supporto alla versione 2 del protocollo IKE (Internet Key Exchange) è "
 "necessario che il demone charon sia in esecuzione."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Utilizzare un certificato X.509 per questo host?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -126,7 +116,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -136,26 +126,26 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "creare"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importare"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Metodi per l'utilizzo di un certificato X.509 per autenticare questo host:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -167,7 +157,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -186,7 +176,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -207,13 +197,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Nome file del proprio certificato X.509 formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -223,13 +213,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Nome file della propria chiave privata X.509 formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -241,13 +231,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Nome file del proprio RootCA X.509 formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -264,13 +254,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Inserire la lunghezza che la chiave RSA creata dovrà avere:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -284,13 +274,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Creare un certificato X.509 auto-firmato?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -311,7 +301,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -323,13 +313,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Codice paese per la richiesta di certificato X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -339,7 +329,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -351,14 +341,14 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr ""
 "Nome dello stato o della provincia per la richiesta di certificato X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -368,13 +358,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Nome della località per la richiesta di certificato X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -384,13 +374,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Nome dell'organizzazione per la richiesta di certificato X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -399,13 +389,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Unità organizzativa per la richiesta di certificato X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -415,13 +405,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Nome comune host per la richiesta di certificato X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -429,13 +419,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "Indirizzo e-mail per la richiesta di certificato X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -445,13 +435,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Abilitare la cifratura opportunistica?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -465,12 +455,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Si dovrebbe abilitare l'OE solo se lo si desidera veramente. Potrebbe "
 "interrompere la connessione Internet (route predefinita) durante l'avvio del "
 "demone pluto."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Per il supporto alla versione 1 del protocollo IKE (Internet Key "
+#~ "Exchange) è necessario che il demone pluto sia in esecuzione."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Avviare il demone di strongSwan IKEv2?"
diff --git a/debian/po/ja.po b/debian/po/ja.po
index 979b31dcc..8cc0c478a 100644
--- a/debian/po/ja.po
+++ b/debian/po/ja.po
@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan 4.4.1-4\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-09-27 20:52+0900\n"
 "Last-Translator: Hideki Yamane <henrich@debian.org>\n"
 "Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
@@ -76,44 +76,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "strongSwan � IKEv1 デーモンを起動����?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Internet Key Exchange プロトコル�ージョン 1 をサ�ート�る�� pluto デーモ"
-"ン�実行�れ��る必���り��。"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "strongSwan � IKEv2 デーモンを起動����?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Internet Key Exchange プロトコル�ージョン 2 をサ�ート�る�� charon デーモ"
 "ン�実行�れ��る必���り��。"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "��ホスト�対�� X.509 証明書を利用����?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -131,7 +121,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -141,25 +131,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "作��る"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "イン�ート�る"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "��ホストを�証�る��利用�る X.509 証明書を���る�:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -171,7 +161,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -188,7 +178,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -207,13 +197,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "PEM 形�� X.509 証明書�ファイル�:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -221,13 +211,13 @@ msgstr "PEM å½¢å¼�ã�® X.509 証明書をå�«ã‚“ã�§ã�„るファイルã�®å ´æ‰€ã‚’å
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "PEM 形�� X.509 秘密��ファイル�:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -238,13 +228,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "PEM 形�� X.509 ルート CA �ファイル�:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -260,13 +250,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "作��る RSA ���長を入力������:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -279,13 +269,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "自己署� X.509 証明書を生�����?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -304,7 +294,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -315,13 +305,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "X.509 証明書�求�記載�る国コード:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -331,7 +321,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -343,13 +333,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "X.509 証明書�求�記載�る都�府県�:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -357,13 +347,13 @@ msgstr "サー�所在地�都�府県� (例:「Tokyo�)を入力���
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "X.509 証明書�求�記載�る地域�:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -371,26 +361,26 @@ msgstr "サーãƒ�所在地 (大抵ã�¯ã€ŒShinjukuã€�ã�®ã‚ˆã�†ã�ªå¸‚区å��)ã‚’å…¥å
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "X.509 証明書�求�記載�る組織�:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr "サー��所属�る組織 (「Debian���) を入力������。"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "X.509 証明書�求�記載�る部署�:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -398,13 +388,13 @@ msgstr "サー��所属�る部署� (「security group���) を入力
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "X.509 証明書�求�記載�るコモン�ーム:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -413,13 +403,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "X.509 証明書�求�記載�るメールアドレス:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -429,13 +419,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "opportunistic encryption を有効�����?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -449,17 +439,31 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "opportunistic encryption を有効��る���本当�利用����考��時����"
 "����。��設定��pluto デーモン�起動��インター�ット接続 (デフォルト"
 "ルート) を切断�る�能性��り��。"
 
 #~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Internet Key Exchange プロトコル�ージョン 1 をサ�ート�る�� pluto デー"
+#~ "モン�実行�れ��る必���り��。"
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "strongSwan � IKEv2 デーモンを起動����?"
+
+#~ msgid ""
 #~ "Please enter the 2 letter country code for your country. This code will "
 #~ "be placed in the certificate request."
 #~ msgstr ""
diff --git a/debian/po/nb.po b/debian/po/nb.po
index a7313eff5..cdef4c1c7 100644
--- a/debian/po/nb.po
+++ b/debian/po/nb.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: nb\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2012-01-03 15:56+0100\n"
 "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
 "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
@@ -69,44 +69,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Skal strongSwans IKEv1-daemon startes?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Pluto-daemonen må kjøre for å kunne støtte versjon 1 av Internet Key "
-"Exchange-protokollen."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Skal strongSwans IKEv2-daemon startes?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Charon-daemonen må kjøre for å kunne støtte versjon 2 av Internet Key "
 "Exchange-protokollen."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Skal et X.509-sertifikat brukes for denne vertsmaskinen?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -126,7 +116,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -136,26 +126,26 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "opprett"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importer"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Metoder for å bruke et X.509-sertifikat til å autentisere denne verten:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -167,7 +157,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -185,7 +175,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -205,13 +195,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Filnavn for ditt X.509-sertifikat i PEM-format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -220,13 +210,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Filnavn for din eksisterende private X.509-nøkkel i PEM-format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -238,13 +228,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Filnavn for ditt rot-sertifikat i PEM-format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -260,13 +250,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Skriv inn hvilken lengde det skal være på den genererte RSA-nøkkelen:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -280,13 +270,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Skal det lages et selvsignert X.509-sertifikat?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -306,7 +296,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -318,13 +308,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Landskode for X.509-sertifikatsøknaden:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -334,7 +324,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -346,13 +336,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Stat eller provinsnavn for X.509-sertifikatsøknaden:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -362,13 +352,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Stedsnavn for X.509-sertifikatsøknaden:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -378,26 +368,26 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Organisasjonsnavn for X.509-sertifikatsøknaden:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr "Skriv inn organisasjonen som tjeneren tilhører (slik som «Debian»)"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Organisasjonsenhet for X.509-sertifikatsøknaden:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -407,13 +397,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Entydig navn for X.509-sertifikatsøknaden:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -421,13 +411,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "E-postadresse for X.509-sertifikatsøknaden:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -437,13 +427,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Slå på opportunistisk kryptering?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -457,16 +447,30 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Du bør bare slå på opportunistisk kryptering hvis du er sikker på at du vil "
 "ha det. Det kan koble ut Internett-forbindelsen (standardruten) når pluto- "
 "daemonen starter."
 
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Pluto-daemonen må kjøre for å kunne støtte versjon 1 av Internet Key "
+#~ "Exchange-protokollen."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Skal strongSwans IKEv2-daemon startes?"
+
 #, fuzzy
 #~| msgid "When to start strongSwan:"
 #~ msgid "Do you wish to restart strongSwan?"
diff --git a/debian/po/nl.po b/debian/po/nl.po
index f99bcc965..00f517055 100644
--- a/debian/po/nl.po
+++ b/debian/po/nl.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan 4.5.0-1\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2011-06-17 12:00+0200\n"
 "Last-Translator: Jeroen Schot <schot@a-eskwadraat.nl>\n"
 "Language-Team: Debian l10n Dutch <debian-l10n-dutch@lists.debian.org>\n"
@@ -71,44 +71,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "IKEv1-achtergronddienst van strongSwan starten?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"De pluto-achtergronddienst moet actief zijn om versie 1 van het Internet Key "
-"Exchange protocol te ondersteunen."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "IKEv2-achtergronddienst van strongSwan starten?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "De charon-achtergronddienst moet actief zijn om versie 2 van het Internet "
 "Key Exchange protocol te ondersteunen."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Moet er een X.509-certificaat voor deze computer gebruikt worden?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -129,7 +119,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -139,19 +129,19 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "aanmaken"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importeren"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Methodes bij het gebruik van een X.509-certificaat voor authenticatie van "
@@ -159,7 +149,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -171,7 +161,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -189,7 +179,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -209,13 +199,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Bestandsnaam van uw X.509-certificaat in PEM-indeling:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -225,13 +215,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Bestandsnaam van uw geheime X.509-sleutel in PEM-indeling:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -243,13 +233,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Bestandsnaam van uw X.509-RootCA in PEM-indeling:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -266,13 +256,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Geef de lengte voor de aan te maken RSA-sleutel:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -286,13 +276,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Wilt u een door uzelf getekend X.509-certificaat aanmaken?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -313,7 +303,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -325,13 +315,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Landcode van de X.509-certificaataanvraag:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -341,7 +331,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -353,13 +343,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Staat of provincie voor de X.509-certificaataanvraag:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -369,13 +359,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Plaatsnaam voor de X.509-certificaataanvraag:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -384,13 +374,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Naam van de organisatie voor de X.509-certificaataanvraag:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -398,13 +388,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Organisatie-eenheid voor de X.509-certificaataanvraag:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -414,13 +404,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Naam (Common Name) voor de X.509-certificaataanvraag:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -429,13 +419,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "E-mailadres voor de X.509-certificaataanvraag:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -445,13 +435,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Wilt u opportunistische encryptie inschakelen?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -465,12 +455,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Schakel opportunistische versleuteling alleen in als u er zeker van bent dat "
 "u dit wilt. Het kan er voor zorgen dat uw internetverbinding "
 "(standaardroute) niet meer werkt zodra de pluto-achtergronddienst opstart."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "De pluto-achtergronddienst moet actief zijn om versie 1 van het Internet "
+#~ "Key Exchange protocol te ondersteunen."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "IKEv2-achtergronddienst van strongSwan starten?"
diff --git a/debian/po/pl.po b/debian/po/pl.po
index ad457d5ed..7d3a3fd26 100644
--- a/debian/po/pl.po
+++ b/debian/po/pl.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2012-01-31 15:36+0100\n"
 "Last-Translator: Michał Kułach <michal.kulach@gmail.com>\n"
 "Language-Team: Polish <debian-l10n-polish@lists.debian.org>\n"
@@ -71,44 +71,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Uruchomić demona IKEv1 strongSwan?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Demon pluto musi być uruchomiony, aby obsłużyć 1 wersję protokołu Internet "
-"Key Exchange."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Uruchomić demona IKEv2 strongSwan?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Demon charon musi być uruchomiony, aby obsłużyć 2 wersję protokołu Internet "
 "Key Exchange."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Użyć certyfikatu X.509 dla tego komputera?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -128,7 +118,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -138,25 +128,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "utwórz"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "zaimportuj"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Metody używające certyfikatu X.509 do uwierzytelniania tego komputera:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -168,7 +158,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -188,7 +178,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -209,13 +199,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Nazwa pliku certyfikatu X.509 użytkownika, w formacie PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -225,13 +215,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Nazwa pliku klucza prywatnego X.509 użytkownika, w formacie PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -243,13 +233,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Nazwa pliku X.509 RootCA użytkownika, w formacie PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -265,13 +255,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Proszę wprowadzić długość tworzonego klucza RSA:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -286,13 +276,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Utworzyć podpisany przez samego siebie certyfikat X.509?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -313,7 +303,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -326,13 +316,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Kod kraju do żądania podpisania certyfikatu X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -342,7 +332,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -354,13 +344,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Nazwa regionu lub prowincji do żądania podpisania certyfikatu X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -370,13 +360,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Nazwa lokalizacji do żądania podpisania certyfikatu X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -386,13 +376,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Nazwa organizacji do żądania podpisania certyfikatu X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -401,13 +391,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Jednostka organizacyjna do żądania podpisania certyfikatu X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -417,14 +407,14 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr ""
 "Nazwa domeny (ang. Common Name) do żądania podpisania certyfikatu X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -433,13 +423,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "Adres poczty elektronicznej do żądania podpisania certyfikatu X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -449,13 +439,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Włączyć szyfrowanie oportunistyczne?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -470,12 +460,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Szyfrowanie oportunistyczne powinno być włączone tylko przez osoby, które go "
 "potrzebują. Może bowiem doprowadzić do przerwania połączenia internetowego "
 "(domyślnej trasy), kiedy tylko uruchomi się demon pluto."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Demon pluto musi być uruchomiony, aby obsłużyć 1 wersję protokołu "
+#~ "Internet Key Exchange."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Uruchomić demona IKEv2 strongSwan?"
diff --git a/debian/po/pt.po b/debian/po/pt.po
index 7fd40d15c..800e4c015 100644
--- a/debian/po/pt.po
+++ b/debian/po/pt.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan 4.4.0-1\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-06-26 18:47+0100\n"
 "Last-Translator: Américo Monteiro <a_monteiro@netcabo.pt>\n"
 "Language-Team: Portuguese <traduz@debianpt.org>\n"
@@ -59,9 +59,8 @@ msgid ""
 "Restarting strongSwan is recommended, since if there is a security fix, it "
 "will not be applied until the daemon restarts. Most people expect the daemon "
 "to restart, so this is generally a good idea. However, this might take down "
-"existing connections and then bring them back up, so if you are using such "
-"a strongSwan tunnel to connect for this update, restarting is not "
-"recommended."
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
 msgstr ""
 "É recomendado reiniciar o strongSwan, porque se existir uma correcção de "
 "segurança, esta não será aplicada até que o daemon seja reiniciado. A "
@@ -73,44 +72,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Iniciar o daemon IKEv1 do strongSwan?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"O daemon pluto precisa de estar a correr para suportar a versão 1 do "
-"protocolo Internet Key Exchange."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Iniciar o daemon IKEv2 do strongSwan?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "O daemon charon precisa de estar a correr para suportar a versão 2 do "
 "protocolo Internet Key Exchange."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Usar um certificado X.509 para esta máquina?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -130,7 +119,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -140,25 +129,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "criar"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importar"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Métodos de usar um certificado X.509 para autenticar esta máquina:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -170,7 +159,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -189,7 +178,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -210,13 +199,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Nome de ficheiro do seu certificado X.509 em formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -226,13 +215,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Nome do ficheiro da sua chave privada X.509 em formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -244,13 +233,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Nome de ficheiro do seu RootCA X.509 em formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -266,13 +255,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Por favor indique o comprimento que a chave RSA criada deve ter:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -286,13 +275,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Criar um certificado X.509 auto-assinado?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -313,7 +302,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -325,13 +314,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Código de país para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -341,7 +330,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -353,13 +342,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Estado ou nome da província para o pedido do certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -369,13 +358,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Nome da localidade para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -385,13 +374,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Nome da organização para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -400,13 +389,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Unidade organizativa para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -416,13 +405,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Nome comum para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -431,13 +420,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "Endereço de email para o pedido de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -447,13 +436,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Activar encriptação oportunista?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -467,12 +456,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Você deverá apenas activar a encriptação oportunista se tiver a certeza que "
 "a quer. Pode quebrar a ligação à Internet (rota predefinida) assim que o "
 "daemon pluto arrancar."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "O daemon pluto precisa de estar a correr para suportar a versão 1 do "
+#~ "protocolo Internet Key Exchange."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Iniciar o daemon IKEv2 do strongSwan?"
diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po
index e9c7b66d1..00e9a3e57 100644
--- a/debian/po/pt_BR.po
+++ b/debian/po/pt_BR.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-12-12 00:00-0200\n"
 "Last-Translator: Adriano Rafael Gomes <adrianorg@gmail.com>\n"
 "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
@@ -75,44 +75,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Iniciar o daemon IKEv1 do strongSwan?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"O daemon \"pluto\" deve estar em execução para suportar a versão 1 do "
-"protocolo Internet Key Exchange."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Iniciar o daemon IKEv2 do strongSwan?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "O daemon \"charon\" deve estar em execução para suportar a versão 2 do "
 "protocolo Internet Key Exchange."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Usar um certificado X.509 para este host?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -132,7 +122,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -142,25 +132,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "criar"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importar"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Métodos para usar um certificado X.509 para autenticar este host:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -172,7 +162,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -191,7 +181,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -213,13 +203,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Nome de arquivo do seu certificado X.509 no formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -229,13 +219,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Nome de arquivo da sua chave privada X.509 no formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -247,13 +237,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Nome de arquivo da sua RootCA X.509 no formato PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -269,13 +259,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Por favor, informe que tamanho a chave RSA a ser criada deve ter:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -290,13 +280,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Criar um certificado X.509 auto-assinado?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -317,7 +307,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -329,13 +319,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Código de país para a requisição de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -345,7 +335,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -357,13 +347,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Estado ou nome de província para a requisição de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -373,13 +363,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Nome da localidade para a requisição de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -389,13 +379,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Nome da organização para a requisição de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -404,13 +394,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Unidade organizacional para a requisição de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -420,13 +410,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Nome Comum para a requisição de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -435,13 +425,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "Endereço de e-mail para a requisição de certificado X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -451,13 +441,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Habilitar encriptação oportunista?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -471,16 +461,30 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Você deve habilitar a encriptação oportunista somente se você tiver certeza "
 "de querê-la. Ela pode quebrar a conexão à Internet (rota padrão) quando o "
 "daemon \"pluto\" iniciar."
 
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "O daemon \"pluto\" deve estar em execução para suportar a versão 1 do "
+#~ "protocolo Internet Key Exchange."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Iniciar o daemon IKEv2 do strongSwan?"
+
 #, fuzzy
 #~ msgid "Do you wish to restart strongSwan?"
 #~ msgstr "Você deseja reiniciar o Openswan ?"
diff --git a/debian/po/ru.po b/debian/po/ru.po
index e3e3ffb09..f17555345 100644
--- a/debian/po/ru.po
+++ b/debian/po/ru.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan 4.4.0-1\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-06-25 19:08+0400\n"
 "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
 "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
@@ -58,9 +58,8 @@ msgid ""
 "Restarting strongSwan is recommended, since if there is a security fix, it "
 "will not be applied until the daemon restarts. Most people expect the daemon "
 "to restart, so this is generally a good idea. However, this might take down "
-"existing connections and then bring them back up, so if you are using such "
-"a strongSwan tunnel to connect for this update, restarting is not "
-"recommended."
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
 msgstr ""
 "Рекомендует�� перезапу�тить strongSwan, так как при наличии и�правлений "
 "безопа�но�ти они не заработают, пока �лужба не будет перезапущена. "
@@ -72,44 +71,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Запу�тить �лужбу strongSwan IKEv1?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Дл� поддержки 1-й вер�ии протокола обмена ключами Интернет должна быть "
-"запущена �лужба pluto."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Запу�тить �лужбу strongSwan IKEv2?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Дл� поддержки 2-й вер�ии протокола обмена ключами Интернет должна быть "
 "запущена �лужба charon."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "И�пользовать �уще�твующий �ертификат X.509 дл� �того узла?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -129,7 +118,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -139,25 +128,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "�оздать"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "импортировать"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Методы, и�пользующие �ертификат X.509 дл� аутентификации данного узла:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -169,7 +158,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -187,7 +176,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -207,13 +196,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Им� файла �ертификата X.509 в формате PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -222,13 +211,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Им� файла �ертификата X.509 в формате PEM � закрытым ключом:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -239,13 +228,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Им� файла �ертификата X.509 в формате PEM дл� RootCA:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -261,13 +250,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Длина �оздаваемого ключа RSA:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -281,13 +270,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Создать �амоподпи�анный �ертификат X.509?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -308,7 +297,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -320,13 +309,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Код �траны дл� запро�а �ертификата X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -336,7 +325,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -348,13 +337,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "�азвание обла�ти или округа дл� запро�а �ертификата X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -364,13 +353,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "�азвание ме�та дл� запро�а �ертификата X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -380,13 +369,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "�азвание организации дл� запро�а �ертификата X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -395,14 +384,14 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr ""
 "�азвание �труктурной единицы организации дл� запро�а �ертификата X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -411,13 +400,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Общеизве�тное название дл� запро�а �ертификата X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
@@ -426,13 +415,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "�дре� �лектронной почты дл� запро�а �ертификата X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -442,13 +431,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Включить поддержку гибкого шифровани�?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -462,12 +451,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Включайте гибкое шифрование, е�ли вам �то дей�твительно нужно. Это может "
 "прервать �оединение � интернетом (маршрут по умолчанию) при запу�ке �лужбы "
 "pluto."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Дл� поддержки 1-й вер�ии протокола обмена ключами Интернет должна быть "
+#~ "запущена �лужба pluto."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Запу�тить �лужбу strongSwan IKEv2?"
diff --git a/debian/po/sv.po b/debian/po/sv.po
index c93658ffd..045bc11bf 100644
--- a/debian/po/sv.po
+++ b/debian/po/sv.po
@@ -17,7 +17,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan_sv\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-09 12:15+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-06-26 16:51+0200\n"
 "Last-Translator: Martin Ågren <martin.agren@gmail.com>\n"
 "Language-Team: Swedish <debian-l10n-swedish@lists.debian.org>\n"
@@ -70,9 +70,8 @@ msgid ""
 "Restarting strongSwan is recommended, since if there is a security fix, it "
 "will not be applied until the daemon restarts. Most people expect the daemon "
 "to restart, so this is generally a good idea. However, this might take down "
-"existing connections and then bring them back up, so if you are using such "
-"a strongSwan tunnel to connect for this update, restarting is not "
-"recommended."
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
 msgstr ""
 "Att starta om strongSwan rekommenderas eftersom en eventuell "
 "säkerhetsrättning inte kommer användas förrän demonen startas om. De flesta "
@@ -84,44 +83,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Starta strongSwans IKEv1-demon?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"Pluto-demonen måste köras för att stödja version 1 av Internet Key Exchange-"
-"protokollet."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Starta strongSwans IKEv2-demon?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "Charon-demonen måste köras för att stödja version 2 av Internet Key Exchange-"
 "protokollet."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Vill du använda ett X.509-certifikat för den här värden?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -141,7 +130,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -151,19 +140,19 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "skapa"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "importera"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 "Metoder för användning av ett X.509-certifikat för autentisering av den här "
@@ -171,7 +160,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -183,7 +172,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -201,7 +190,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -220,13 +209,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Namn på filen med ditt X.509-certifikat i PEM-format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -235,13 +224,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Namn på filen med din privata X.509-nyckel i PEM-format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -253,13 +242,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Namn på filen med rot-CA:ns X.509-certifikat i PEM-format:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -275,13 +264,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Ange vilken längd den skapade RSA-nyckeln ska ha:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -295,13 +284,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Vill du skapa ett självsignerat X.509-certifikat?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -321,7 +310,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -333,13 +322,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Landskod för X.509-certifikatsförfrågan:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -349,7 +338,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -361,13 +350,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Region eller län för X.509-certifikatsförfrågan:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -377,13 +366,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Lokaliteten för X.509-certifikatsförfrågan:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -391,13 +380,13 @@ msgstr "Ange den lokalitet servern står i (ofta en stad, såsom \"Malmö\")."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Organisationsnamn för X.509-certifikatsförfrågan:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -405,13 +394,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Organisationsenhet för X.509-certifikatsförfrågan:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -421,26 +410,26 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Namn på X.509-certifikatsförfrågan:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr "Ange namnet på den här värden (exempelvis \"gateway.example.org\")."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "E-postadress för X.509-certifikatsförfrågan:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -450,13 +439,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Vill du aktivera opportunistisk kryptering?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -470,12 +459,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Du ska bara aktivera opportunistisk kryptering om du är säker på att du vill "
 "ha det. Det kan bryta internetanslutningen (standardvägen) när pluto-demonen "
 "startas."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Pluto-demonen måste köras för att stödja version 1 av Internet Key "
+#~ "Exchange-protokollet."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Starta strongSwans IKEv2-demon?"
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
index 59fbb9d6c..1a7f922ba 100644
--- a/debian/po/templates.pot
+++ b/debian/po/templates.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
+"Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -56,40 +56,26 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr ""
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr ""
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:6001
 msgid "Use an X.509 certificate for this host?"
 msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -102,7 +88,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -110,25 +96,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -137,7 +123,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -149,7 +135,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -162,13 +148,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -176,13 +162,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -191,13 +177,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -208,13 +194,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -224,13 +210,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -243,7 +229,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -252,13 +238,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -266,7 +252,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -275,13 +261,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -289,13 +275,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -303,26 +289,26 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -330,26 +316,26 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -357,13 +343,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -373,9 +359,8 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
diff --git a/debian/po/tr.po b/debian/po/tr.po
index da6caca79..d7745124d 100644
--- a/debian/po/tr.po
+++ b/debian/po/tr.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2012-02-11 21:17+0200\n"
 "Last-Translator: Atila KOÇ <akoc@artielektronik.com.tr>\n"
 "Language-Team: Türkçe <debian-l10n-turkish@lists.debian.org>\n"
@@ -25,8 +25,22 @@ msgstr "Eski çalışma düzeyi yönetimi yerine yenisi geçti"
 #. Type: note
 #. Description
 #: ../strongswan-starter.templates:2001
-msgid "Previous versions of the strongSwan package gave a choice between three different Start/Stop-Levels. Due to changes in the standard system startup procedure, this is no longer necessary or useful. For all new installations as well as old ones running in any of the predefined modes, sane default levels will now be set. If you are upgrading from a previous version and changed your strongSwan startup parameters, then please take a look at NEWS.Debian for instructions on how to modify your setup accordingly."
-msgstr "strongSwan paketinin önceki sürümleri üç farklı Başlama/Durma-Seviyesi arasında seçim şansı tanırdı. Bu, olağan sistem başlatma yordamındaki değişiklikler nedeni ile artık gerekli ya da faydalı değildir. Şimdi tüm yeni kurulumlar ve herhangi bir öntanımlı kipte çalışan eskiler için aynı öntanımlı seviyeler ayarlanacaktır. Eğer eski bir sürümü yükseltiyorsanız ya da strongSwan başlatma değişkenlerinizi değiştirdiyseniz, kurulumunuzu nasıl uyumlandıracağınızı anlamak için NEWS.Debian'a göz atınız."
+msgid ""
+"Previous versions of the strongSwan package gave a choice between three "
+"different Start/Stop-Levels. Due to changes in the standard system startup "
+"procedure, this is no longer necessary or useful. For all new installations "
+"as well as old ones running in any of the predefined modes, sane default "
+"levels will now be set. If you are upgrading from a previous version and "
+"changed your strongSwan startup parameters, then please take a look at NEWS."
+"Debian for instructions on how to modify your setup accordingly."
+msgstr ""
+"strongSwan paketinin önceki sürümleri üç farklı Başlama/Durma-Seviyesi "
+"arasında seçim şansı tanırdı. Bu, olağan sistem başlatma yordamındaki "
+"değişiklikler nedeni ile artık gerekli ya da faydalı değildir. Şimdi tüm "
+"yeni kurulumlar ve herhangi bir öntanımlı kipte çalışan eskiler için aynı "
+"öntanımlı seviyeler ayarlanacaktır. Eğer eski bir sürümü yükseltiyorsanız ya "
+"da strongSwan başlatma değişkenlerinizi değiştirdiyseniz, kurulumunuzu nasıl "
+"uyumlandıracağınızı anlamak için NEWS.Debian'a göz atınız."
 
 #. Type: boolean
 #. Description
@@ -37,258 +51,415 @@ msgstr "strongSwan şimdi yeniden başlatılsın mı?"
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:3001
-msgid "Restarting strongSwan is recommended, since if there is a security fix, it will not be applied until the daemon restarts. Most people expect the daemon to restart, so this is generally a good idea. However, this might take down existing connections and then bring them back up, so if you are using such a strongSwan tunnel to connect for this update, restarting is not recommended."
-msgstr "Yapılan güvenlik iyileştirmesi artalan süreci yeniden başlatılmadan uygulanamayacağından, strongSwan'ı yeniden başlatmanız önerilir. Çoğu kişi artalan sürecinin tekrar başlayacağını düşünür ve bu genellikle aldatıcıdır. Oysa, yeniden başlatma, varolan bağlantıları koparıp yeniden yapar ki, eğer bu güncellemeyi bir strongSwan tüneli bağlantısını kullanarak yapıyorsanız yeniden başlatma önerilmez."
+msgid ""
+"Restarting strongSwan is recommended, since if there is a security fix, it "
+"will not be applied until the daemon restarts. Most people expect the daemon "
+"to restart, so this is generally a good idea. However, this might take down "
+"existing connections and then bring them back up, so if you are using such a "
+"strongSwan tunnel to connect for this update, restarting is not recommended."
+msgstr ""
+"Yapılan güvenlik iyileştirmesi artalan süreci yeniden başlatılmadan "
+"uygulanamayacağından, strongSwan'ı yeniden başlatmanız önerilir. Çoğu kişi "
+"artalan sürecinin tekrar başlayacağını düşünür ve bu genellikle aldatıcıdır. "
+"Oysa, yeniden başlatma, varolan bağlantıları koparıp yeniden yapar ki, eğer "
+"bu güncellemeyi bir strongSwan tüneli bağlantısını kullanarak yapıyorsanız "
+"yeniden başlatma önerilmez."
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "strongSwan'ın IKEv1 artalan süreci başlatılsın mı?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "The pluto daemon must be running to support version 1 of the Internet Key Exchange protocol."
-msgstr "Internet Anahtar Değişimi (IKE) protokolü 1. sürümünün desteklenmesi için 'pluto' artalan süreci çalışıyor olmalıdır."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "strongSwan'ın IKEv2 artalan süreci başlatılsın mı?"
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
+msgid ""
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
+msgstr ""
+"Internet Anahtar Değişimi (IKE) protokolü 2. sürümünün desteklenmesi için "
+"'charon' artalan süreci çalışıyor olmalıdır."
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:5001
-msgid "The charon daemon must be running to support version 2 of the Internet Key Exchange protocol."
-msgstr "Internet Anahtar Değişimi (IKE) protokolü 2. sürümünün desteklenmesi için 'charon' artalan süreci çalışıyor olmalıdır."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:6001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Bu makine için bir X.509 sertifikası kullanılsın mı?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
-msgid "An X.509 certificate for this host can be automatically created or imported. It can be used to authenticate IPsec connections to other hosts and is the preferred way of building up secure IPsec connections. The other possibility would be to use shared secrets (passwords that are the same on both sides of the tunnel) for authenticating a connection, but for a larger number of connections, key based authentication is easier to administer and more secure."
-msgstr "Bu makine için bir X.509 sertifikası kendiliğinden yaratılabilir ya da içe aktarılabilir. Bu sertifika diğer makinelerle IPsec bağlantılarını yetkilendirmek için kullanılacaktır ve bu yöntem güvenli IPsec bağlantıları için yeğlenen seçenektir. Başka bir seçenek de bağlantıyı yetkilendirmek için paylaşılan gizlerin (tünelin her iki tarafında da aynı olan parolalar) kullanılmasıdır, fakat çoğu bağlantılarda anahtar tabanlı yetkilendirme daha kolay yönetilir ve daha güvenlidir."
+#: ../strongswan-starter.templates:5001
+msgid ""
+"An X.509 certificate for this host can be automatically created or imported. "
+"It can be used to authenticate IPsec connections to other hosts and is the "
+"preferred way of building up secure IPsec connections. The other possibility "
+"would be to use shared secrets (passwords that are the same on both sides of "
+"the tunnel) for authenticating a connection, but for a larger number of "
+"connections, key based authentication is easier to administer and more "
+"secure."
+msgstr ""
+"Bu makine için bir X.509 sertifikası kendiliğinden yaratılabilir ya da içe "
+"aktarılabilir. Bu sertifika diğer makinelerle IPsec bağlantılarını "
+"yetkilendirmek için kullanılacaktır ve bu yöntem güvenli IPsec bağlantıları "
+"için yeğlenen seçenektir. Başka bir seçenek de bağlantıyı yetkilendirmek "
+"için paylaşılan gizlerin (tünelin her iki tarafında da aynı olan parolalar) "
+"kullanılmasıdır, fakat çoğu bağlantılarda anahtar tabanlı yetkilendirme daha "
+"kolay yönetilir ve daha güvenlidir."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
-msgid "Alternatively you can reject this option and later use the command \"dpkg-reconfigure strongswan\" to come back."
-msgstr "Dilerseniz bu öneriyi geri çevirir ve daha sonra \"dpkg-reconfigure strongswan\" komutu ile yeniden değerlendirebilirisiniz."
+#: ../strongswan-starter.templates:5001
+msgid ""
+"Alternatively you can reject this option and later use the command \"dpkg-"
+"reconfigure strongswan\" to come back."
+msgstr ""
+"Dilerseniz bu öneriyi geri çevirir ve daha sonra \"dpkg-reconfigure "
+"strongswan\" komutu ile yeniden deÄŸerlendirebilirisiniz."
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "yarat"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "içe aktar"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Bu makineyi yetkilendirmek için X.509 sertifika kullanım yöntemleri:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
-msgid "It is possible to create a new X.509 certificate with user-defined settings or to import an existing public and private key stored in PEM file(s) for authenticating IPsec connections."
-msgstr "IPsec bağlantılarını yetkilendirmek için kullanıcı tanımlı ayarlar ile yeni bir X.509 sertifikası yaratmak ya da PEM dosyası içinde varolan bir anahtarı içe aktarmak olasıdır."
+#: ../strongswan-starter.templates:6002
+msgid ""
+"It is possible to create a new X.509 certificate with user-defined settings "
+"or to import an existing public and private key stored in PEM file(s) for "
+"authenticating IPsec connections."
+msgstr ""
+"IPsec bağlantılarını yetkilendirmek için kullanıcı tanımlı ayarlar ile yeni "
+"bir X.509 sertifikası yaratmak ya da PEM dosyası içinde varolan bir anahtarı "
+"içe aktarmak olasıdır."
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
-msgid "If you choose to create a new X.509 certificate you will first be asked a number of questions which must be answered before the creation can start. Please keep in mind that if you want the public key to get signed by an existing Certificate Authority you should not select to create a self-signed certificate and all the answers given must match exactly the requirements of the CA, otherwise the certificate request may be rejected."
-msgstr "Eğer yeni bir X.509 sertifikası yaratma seçeneğini seçerseniz, sertifika yaratılmadan önce bir takım soruları yanıtlamanız gerekecektir. Unutmayın, eğer ortak anahtarın varolan bir Sertifika Yetkilisi (CA) tarafından imzalanmasını istiyorsanız, kendiliğinden imzalı bir sertifika yaratmayı seçmemeli ve vereceğiniz tüm yanıtların Sertifika Yetkilisinin koşullarını bütünüyle karşıladığından emin olmalısınız, tersi durumda sertifika isteğiniz geri çevirilebilir."
+#: ../strongswan-starter.templates:6002
+msgid ""
+"If you choose to create a new X.509 certificate you will first be asked a "
+"number of questions which must be answered before the creation can start. "
+"Please keep in mind that if you want the public key to get signed by an "
+"existing Certificate Authority you should not select to create a self-signed "
+"certificate and all the answers given must match exactly the requirements of "
+"the CA, otherwise the certificate request may be rejected."
+msgstr ""
+"Eğer yeni bir X.509 sertifikası yaratma seçeneğini seçerseniz, sertifika "
+"yaratılmadan önce bir takım soruları yanıtlamanız gerekecektir. Unutmayın, "
+"eğer ortak anahtarın varolan bir Sertifika Yetkilisi (CA) tarafından "
+"imzalanmasını istiyorsanız, kendiliğinden imzalı bir sertifika yaratmayı "
+"seçmemeli ve vereceğiniz tüm yanıtların Sertifika Yetkilisinin koşullarını "
+"bütünüyle karşıladığından emin olmalısınız, tersi durumda sertifika "
+"isteğiniz geri çevirilebilir."
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
-msgid "If you want to import an existing public and private key you will be prompted for their filenames (which may be identical if both parts are stored together in one file). Optionally you may also specify a filename where the public key(s) of the Certificate Authority are kept, but this file cannot be the same as the former ones. Please also be aware that the format for the X.509 certificates has to be PEM and that the private key must not be encrypted or the import procedure will fail."
-msgstr "Eğer varolan bir özel ve genel anahtarı içe aktarmak istiyorsanız, onların dosya adlarını girmeniz istenecektir (eğer anahtarların ikisi de aynı dosyada ise dosya adları da aynı olacaktır). İsteğe bağlı olarak, Sertifika Yetkilisinin genel anahtarını barındıran dosya adını belirtebilirsiniz, fakat bu dosya öncekilerle aynı olamaz. X.509 sertifikalarının biçiminin PEM ve özel anahtarın şifrelenmemiş olması gerektiğini unutmayın yoksa içe aktarma süreci başarısız olacaktır."
+#: ../strongswan-starter.templates:6002
+msgid ""
+"If you want to import an existing public and private key you will be "
+"prompted for their filenames (which may be identical if both parts are "
+"stored together in one file). Optionally you may also specify a filename "
+"where the public key(s) of the Certificate Authority are kept, but this file "
+"cannot be the same as the former ones. Please also be aware that the format "
+"for the X.509 certificates has to be PEM and that the private key must not "
+"be encrypted or the import procedure will fail."
+msgstr ""
+"Eğer varolan bir özel ve genel anahtarı içe aktarmak istiyorsanız, onların "
+"dosya adlarını girmeniz istenecektir (eğer anahtarların ikisi de aynı "
+"dosyada ise dosya adları da aynı olacaktır). İsteğe bağlı olarak, Sertifika "
+"Yetkilisinin genel anahtarını barındıran dosya adını belirtebilirsiniz, "
+"fakat bu dosya öncekilerle aynı olamaz. X.509 sertifikalarının biçiminin PEM "
+"ve özel anahtarın şifrelenmemiş olması gerektiğini unutmayın yoksa içe "
+"aktarma süreci başarısız olacaktır."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "PEM biçimindeki X.509 sertifikanızın dosya adı:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
-msgid "Please enter the location of the file containing your X.509 certificate in PEM format."
-msgstr "PEM biçimindeki X.509 sertifikanızı barındıran dosyanın yolunu giriniz."
+#: ../strongswan-starter.templates:7001
+msgid ""
+"Please enter the location of the file containing your X.509 certificate in "
+"PEM format."
+msgstr ""
+"PEM biçimindeki X.509 sertifikanızı barındıran dosyanın yolunu giriniz."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "PEM biçimindeki X.509 özel anahtarınızın dosya adı:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
-msgid "Please enter the location of the file containing the private RSA key matching your X.509 certificate in PEM format. This can be the same file that contains the X.509 certificate."
-msgstr "X.509 sertifikanıza karşılık gelen özel RSA anahtarınızı barındıran PEM biçimindeki dosyanın yolunu giriniz. Bu dosya, X.509 sertifikasını barındıran dosya ile aynı olabilir."
+#: ../strongswan-starter.templates:8001
+msgid ""
+"Please enter the location of the file containing the private RSA key "
+"matching your X.509 certificate in PEM format. This can be the same file "
+"that contains the X.509 certificate."
+msgstr ""
+"X.509 sertifikanıza karşılık gelen özel RSA anahtarınızı barındıran PEM "
+"biçimindeki dosyanın yolunu giriniz. Bu dosya, X.509 sertifikasını "
+"barındıran dosya ile aynı olabilir."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "PEM biçimindeki X.509 KökSY (RootCA) dosya adı:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
-msgid "Optionally you can now enter the location of the file containing the X.509 Certificate Authority root used to sign your certificate in PEM format. If you do not have one or do not want to use it please leave the field empty. Please note that it's not possible to store the RootCA in the same file as your X.509 certificate or private key."
-msgstr "Şimdi, isteğe bağlı olarak, sertifikanızı imzalamak için kullanılan X.509 Sertifika Yetkilisi kökünü barındıran dosyanın yolunu girebilirsiniz. Eğer yoksa ya da kullanmak istemiyorsanız bu alanı boş bırakınız. Unutmayın, KökSY (RootCA) ile X.509 sertifikanızı ya da özel anahtarınızı aynı dosyada tutamazsınız."
+#: ../strongswan-starter.templates:9001
+msgid ""
+"Optionally you can now enter the location of the file containing the X.509 "
+"Certificate Authority root used to sign your certificate in PEM format. If "
+"you do not have one or do not want to use it please leave the field empty. "
+"Please note that it's not possible to store the RootCA in the same file as "
+"your X.509 certificate or private key."
+msgstr ""
+"Şimdi, isteğe bağlı olarak, sertifikanızı imzalamak için kullanılan X.509 "
+"Sertifika Yetkilisi kökünü barındıran dosyanın yolunu girebilirsiniz. Eğer "
+"yoksa ya da kullanmak istemiyorsanız bu alanı boş bırakınız. Unutmayın, "
+"KökSY (RootCA) ile X.509 sertifikanızı ya da özel anahtarınızı aynı dosyada "
+"tutamazsınız."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
-msgstr "Lütfen yaratılacak RSA anahtarının sahip olması gereken uzunluğu girin:"
+msgstr ""
+"Lütfen yaratılacak RSA anahtarının sahip olması gereken uzunluğu girin:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
-msgid "Please enter the length of the created RSA key. It should not be less than 1024 bits because this should be considered unsecure and you will probably not need anything more than 4096 bits because it only slows the authentication process down and is not needed at the moment."
-msgstr "Yaratılacak RSA anahtar uzunluğunu giriniz. Anahtar uzunluğu, yeterince güvenli olması için, 1024 bit'ten kısa olmamalı; doğrulama sürecini yavaşlatmaması için de 4096 bit'ten fazla olmamalıdır ve zaten şu anda daha fazlasına da gerek yoktur."
+#: ../strongswan-starter.templates:10001
+msgid ""
+"Please enter the length of the created RSA key. It should not be less than "
+"1024 bits because this should be considered unsecure and you will probably "
+"not need anything more than 4096 bits because it only slows the "
+"authentication process down and is not needed at the moment."
+msgstr ""
+"Yaratılacak RSA anahtar uzunluğunu giriniz. Anahtar uzunluğu, yeterince "
+"güvenli olması için, 1024 bit'ten kısa olmamalı; doğrulama sürecini "
+"yavaşlatmaması için de 4096 bit'ten fazla olmamalıdır ve zaten şu anda daha "
+"fazlasına da gerek yoktur."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Öz imzalı bir sertifika yaratılsın mı?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
-msgid "Only self-signed X.509 certificates can be created automatically, because otherwise a Certificate Authority is needed to sign the certificate request. If you choose to create a self-signed certificate, you can use it immediately to connect to other IPsec hosts that support X.509 certificate for authentication of IPsec connections. However, using strongSwan's PKI features requires all certificates to be signed by a single Certificate Authority to create a trust path."
-msgstr "Yalnızca öz imzalı X.509 sertifikaları kendiliğinden yaratılabilir, çünkü öteki durumda sertifika isteğini imzalaması için bir Sertifika Yetkilisi gereklidir. Eğer öz imzalı bir sertifika yaratmayı seçerseniz, onu hemen X.509 sertifikaları ile yetkilendirmeyi destekleyen diğer IPsec makineleri ile bağlanmak için kullanabilirsiniz. Öte yandan, strongSwan'ın PKI özellikleri, güven yolu oluşturmak için tüm sertifikaların aynı Sertifika Yetkilisi tarafından imzalanmış olmasını gerektirir."
+#: ../strongswan-starter.templates:11001
+msgid ""
+"Only self-signed X.509 certificates can be created automatically, because "
+"otherwise a Certificate Authority is needed to sign the certificate request. "
+"If you choose to create a self-signed certificate, you can use it "
+"immediately to connect to other IPsec hosts that support X.509 certificate "
+"for authentication of IPsec connections. However, using strongSwan's PKI "
+"features requires all certificates to be signed by a single Certificate "
+"Authority to create a trust path."
+msgstr ""
+"Yalnızca öz imzalı X.509 sertifikaları kendiliğinden yaratılabilir, çünkü "
+"öteki durumda sertifika isteğini imzalaması için bir Sertifika Yetkilisi "
+"gereklidir. Eğer öz imzalı bir sertifika yaratmayı seçerseniz, onu hemen "
+"X.509 sertifikaları ile yetkilendirmeyi destekleyen diğer IPsec makineleri "
+"ile bağlanmak için kullanabilirsiniz. Öte yandan, strongSwan'ın PKI "
+"özellikleri, güven yolu oluşturmak için tüm sertifikaların aynı Sertifika "
+"Yetkilisi tarafından imzalanmış olmasını gerektirir."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
-msgid "If you do not choose to create a self-signed certificate, only the RSA private key and the certificate request will be created, and you will have to sign the certificate request with your Certificate Authority."
-msgstr "Eğer öz imzalı bir sertifika yaratmayı seçmezseniz, yalnızca RSA özel anahtarı ve sertifika isteği yaratılacaktır ve sizin bu isteği Sertifika Yetkilinize imzalatmanız gerekecektedir."
+#: ../strongswan-starter.templates:11001
+msgid ""
+"If you do not choose to create a self-signed certificate, only the RSA "
+"private key and the certificate request will be created, and you will have "
+"to sign the certificate request with your Certificate Authority."
+msgstr ""
+"Eğer öz imzalı bir sertifika yaratmayı seçmezseniz, yalnızca RSA özel "
+"anahtarı ve sertifika isteği yaratılacaktır ve sizin bu isteği Sertifika "
+"Yetkilinize imzalatmanız gerekecektedir."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "X.509 sertifika isteği için ülke kodu:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
-msgid "Please enter the two-letter code for the country the server resides in (such as \"AT\" for Austria)."
-msgstr "Sunucunun bulunduğu ülke için iki harfli ülke kodunu giriniz (Türkiye için \"TR\" gibi)."
+#: ../strongswan-starter.templates:12001
+msgid ""
+"Please enter the two-letter code for the country the server resides in (such "
+"as \"AT\" for Austria)."
+msgstr ""
+"Sunucunun bulunduğu ülke için iki harfli ülke kodunu giriniz (Türkiye için "
+"\"TR\" gibi)."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
-msgid "OpenSSL will refuse to generate a certificate unless this is a valid ISO-3166 country code; an empty field is allowed elsewhere in the X.509 certificate, but not here."
-msgstr "Bu geçerli bir ISO-3166 ülke kodu olmadığı sürece OpenSSL sertifika üretmeyi geri çevirecektir; X.509 sertifikasının başka bir yerinde boş alan kabul edilir ama burada değil."
+#: ../strongswan-starter.templates:12001
+msgid ""
+"OpenSSL will refuse to generate a certificate unless this is a valid "
+"ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
+"certificate, but not here."
+msgstr ""
+"Bu geçerli bir ISO-3166 ülke kodu olmadığı sürece OpenSSL sertifika üretmeyi "
+"geri çevirecektir; X.509 sertifikasının başka bir yerinde boş alan kabul "
+"edilir ama burada deÄŸil."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "X.509 sertifika isteği için şehir adı:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
-msgid "Please enter the full name of the state or province the server resides in (such as \"Upper Austria\")."
+#: ../strongswan-starter.templates:13001
+msgid ""
+"Please enter the full name of the state or province the server resides in "
+"(such as \"Upper Austria\")."
 msgstr "Sunucunun bulunduğu şehrin tam adını giriniz (örneğin \"Ankara\")."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "X.509 sertifika isteği için ilçe adı:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
-msgid "Please enter the locality the server resides in (often a city, such as \"Vienna\")."
+#: ../strongswan-starter.templates:14001
+msgid ""
+"Please enter the locality the server resides in (often a city, such as "
+"\"Vienna\")."
 msgstr "Sunucunun bulunduğu ilçeyi girin (örneğin \"Yenimahalle\" gibi):"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "X.509 sertifika isteği için örgüt adı:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
-msgid "Please enter the organization the server belongs to (such as \"Debian\")."
+#: ../strongswan-starter.templates:15001
+msgid ""
+"Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr "Sunucunuzun bağlı olduğu örgütü giriniz (örneğin \"Debian\")."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "X.509 sertifika isteği için örgütsel birim:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
-msgid "Please enter the organizational unit the server belongs to (such as \"security group\")."
-msgstr "Sunucunuzun bağlı olduğu örgütsel birimi giriniz (örneğin \"Çeviri Birimi\")."
+#: ../strongswan-starter.templates:16001
+msgid ""
+"Please enter the organizational unit the server belongs to (such as "
+"\"security group\")."
+msgstr ""
+"Sunucunuzun bağlı olduğu örgütsel birimi giriniz (örneğin \"Çeviri Birimi\")."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "X.509 sertifika isteği için Genel Ad:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
-msgid "Please enter the Common Name for this host (such as \"gateway.example.org\")."
+#: ../strongswan-starter.templates:17001
+msgid ""
+"Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr "Bu makine için Genel Ad giriniz (örneğin \"gumruk.example.org\")."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "X.509 sertifika isteği için e-posta adresi:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
-msgid "Please enter the email address of the person or organization responsible for the X.509 certificate."
-msgstr "X.509 sertifikasından sorumlu kişinin ya da örgütün e-posta adresini giriniz."
+#: ../strongswan-starter.templates:18001
+msgid ""
+"Please enter the email address of the person or organization responsible for "
+"the X.509 certificate."
+msgstr ""
+"X.509 sertifikasından sorumlu kişinin ya da örgütün e-posta adresini giriniz."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Fırsatçı şifrelemeye izin verilsin mi?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
-msgid "This version of strongSwan supports opportunistic encryption (OE), which stores IPSec authentication information in DNS records. Until this is widely deployed, activating it will cause a significant delay for every new outgoing connection."
-msgstr "strongSwan'ın bu sürümü IPsec doğrulama bilgisini DNS kayıtlarında tutan fırsatçı şifrelemeyi (OE) desteklemektedir. Kullanımı yaygınlaşmadan etkinleştirilirse her yeni çıkış bağlantısında ciddi gecikmelere neden olacaktır."
+#: ../strongswan-starter.templates:19001
+msgid ""
+"This version of strongSwan supports opportunistic encryption (OE), which "
+"stores IPSec authentication information in DNS records. Until this is widely "
+"deployed, activating it will cause a significant delay for every new "
+"outgoing connection."
+msgstr ""
+"strongSwan'ın bu sürümü IPsec doğrulama bilgisini DNS kayıtlarında tutan "
+"fırsatçı şifrelemeyi (OE) desteklemektedir. Kullanımı yaygınlaşmadan "
+"etkinleştirilirse her yeni çıkış bağlantısında ciddi gecikmelere neden "
+"olacaktır."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
-msgid "You should only enable opportunistic encryption if you are sure you want it. It may break the Internet connection (default route) as the pluto daemon starts."
-msgstr "Fırsatçı şifrelemeyi onu kullanmak istediğinizden eminseniz etkinleştirmelisiniz. Bu, pluto artalan süreci başladığında Internet bağlantısını (varsayılan rota) koparabilir."
-
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
+msgid ""
+"You should only enable opportunistic encryption if you are sure you want it. "
+"It may break the Internet connection (default route) as the daemon starts."
+msgstr ""
+"Fırsatçı şifrelemeyi onu kullanmak istediğinizden eminseniz "
+"etkinleştirmelisiniz. Bu, pluto artalan süreci başladığında Internet "
+"bağlantısını (varsayılan rota) koparabilir."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "Internet Anahtar Değişimi (IKE) protokolü 1. sürümünün desteklenmesi için "
+#~ "'pluto' artalan süreci çalışıyor olmalıdır."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "strongSwan'ın IKEv2 artalan süreci başlatılsın mı?"
diff --git a/debian/po/vi.po b/debian/po/vi.po
index 180377b5f..41358dbd7 100644
--- a/debian/po/vi.po
+++ b/debian/po/vi.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: strongswan 4.4.0-1\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2010-08-16 14:23+0200\n"
+"POT-Creation-Date: 2013-02-07 13:28+0100\n"
 "PO-Revision-Date: 2010-10-03 19:22+1030\n"
 "Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n"
 "Language-Team: Vietnamese <vi-VN@googlegroups.com>\n"
@@ -70,44 +70,34 @@ msgstr ""
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
-msgid "Start strongSwan's IKEv1 daemon?"
+#, fuzzy
+#| msgid "Start strongSwan's IKEv1 daemon?"
+msgid "Start strongSwan's charon daemon?"
 msgstr "Khởi chạy trình n�n IKEv1 của strongSwan ?"
 
 #. Type: boolean
 #. Description
 #: ../strongswan-starter.templates:4001
+#, fuzzy
+#| msgid ""
+#| "The charon daemon must be running to support version 2 of the Internet "
+#| "Key Exchange protocol."
 msgid ""
-"The pluto daemon must be running to support version 1 of the Internet Key "
-"Exchange protocol."
-msgstr ""
-"�ồng th�i cũng cần phải chạy trình n�n pluto, để hỗ trợ phiên bản 1 của giao "
-"thức Trao �ổi Khoá Internet (IKE)."
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid "Start strongSwan's IKEv2 daemon?"
-msgstr "Khởi chạy trình n�n IKEv2 của strongSwan ?"
-
-#. Type: boolean
-#. Description
-#: ../strongswan-starter.templates:5001
-msgid ""
-"The charon daemon must be running to support version 2 of the Internet Key "
-"Exchange protocol."
+"The charon daemon must be running to support the Internet Key Exchange "
+"protocol."
 msgstr ""
 "�ồng th�i cũng cần phải chạy trình n�n charon, để hỗ trợ phiên bản 2 của "
 "giao thức Trao �ổi Khoá Internet (IKE)."
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid "Use an X.509 certificate for this host?"
 msgstr "Dùng chứng nhận X.509 cho máy này ?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "An X.509 certificate for this host can be automatically created or imported. "
 "It can be used to authenticate IPsec connections to other hosts and is the "
@@ -126,7 +116,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:6001
+#: ../strongswan-starter.templates:5001
 msgid ""
 "Alternatively you can reject this option and later use the command \"dpkg-"
 "reconfigure strongswan\" to come back."
@@ -136,25 +126,25 @@ msgstr ""
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "create"
 msgstr "tạo"
 
 #. Type: select
 #. Choices
-#: ../strongswan-starter.templates:7001
+#: ../strongswan-starter.templates:6001
 msgid "import"
 msgstr "nhập"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid "Methods for using a X.509 certificate to authenticate this host:"
 msgstr "Phương pháp sử dụng chứng nhận X.509 để xác thực máy này:"
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "It is possible to create a new X.509 certificate with user-defined settings "
 "or to import an existing public and private key stored in PEM file(s) for "
@@ -166,7 +156,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you choose to create a new X.509 certificate you will first be asked a "
 "number of questions which must be answered before the creation can start. "
@@ -184,7 +174,7 @@ msgstr ""
 
 #. Type: select
 #. Description
-#: ../strongswan-starter.templates:7002
+#: ../strongswan-starter.templates:6002
 msgid ""
 "If you want to import an existing public and private key you will be "
 "prompted for their filenames (which may be identical if both parts are "
@@ -203,13 +193,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid "File name of your PEM format X.509 certificate:"
 msgstr "Tên tập tin của chứng nhận X.509 dạng PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:8001
+#: ../strongswan-starter.templates:7001
 msgid ""
 "Please enter the location of the file containing your X.509 certificate in "
 "PEM format."
@@ -217,13 +207,13 @@ msgstr "Hãy nhập vị trí của tập tin chứa chứng nhận X.509 dạng
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid "File name of your PEM format X.509 private key:"
 msgstr "Tên tập tin cỳa khoá riêng X.509 dạng PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:9001
+#: ../strongswan-starter.templates:8001
 msgid ""
 "Please enter the location of the file containing the private RSA key "
 "matching your X.509 certificate in PEM format. This can be the same file "
@@ -235,13 +225,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid "File name of your PEM format X.509 RootCA:"
 msgstr "Tên tập tin của RootCA X.509 dạng PEM:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:10001
+#: ../strongswan-starter.templates:9001
 msgid ""
 "Optionally you can now enter the location of the file containing the X.509 "
 "Certificate Authority root used to sign your certificate in PEM format. If "
@@ -257,13 +247,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid "Please enter which length the created RSA key should have:"
 msgstr "Gõ chi�u dài dự định của khoá RSA cần tạo :"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:11001
+#: ../strongswan-starter.templates:10001
 msgid ""
 "Please enter the length of the created RSA key. It should not be less than "
 "1024 bits because this should be considered unsecure and you will probably "
@@ -276,13 +266,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid "Create a self-signed X.509 certificate?"
 msgstr "Tạo một chứng nhận X.509 tự ký ?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "Only self-signed X.509 certificates can be created automatically, because "
 "otherwise a Certificate Authority is needed to sign the certificate request. "
@@ -301,7 +291,7 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:12001
+#: ../strongswan-starter.templates:11001
 msgid ""
 "If you do not choose to create a self-signed certificate, only the RSA "
 "private key and the certificate request will be created, and you will have "
@@ -312,13 +302,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid "Country code for the X.509 certificate request:"
 msgstr "Mã quốc gia cho yêu cầu chứng nhận X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "Please enter the two-letter code for the country the server resides in (such "
 "as \"AT\" for Austria)."
@@ -327,7 +317,7 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:13001
+#: ../strongswan-starter.templates:12001
 msgid ""
 "OpenSSL will refuse to generate a certificate unless this is a valid "
 "ISO-3166 country code; an empty field is allowed elsewhere in the X.509 "
@@ -339,13 +329,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid "State or province name for the X.509 certificate request:"
 msgstr "Tên của bảng hay tỉnh cho yêu cầu chứng nhận X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:14001
+#: ../strongswan-starter.templates:13001
 msgid ""
 "Please enter the full name of the state or province the server resides in "
 "(such as \"Upper Austria\")."
@@ -354,13 +344,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid "Locality name for the X.509 certificate request:"
 msgstr "Tên vùng cho yêu cầu chứng nhận X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:15001
+#: ../strongswan-starter.templates:14001
 msgid ""
 "Please enter the locality the server resides in (often a city, such as "
 "\"Vienna\")."
@@ -369,13 +359,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid "Organization name for the X.509 certificate request:"
 msgstr "Tên tổ chức cho yêu cầu chứng nhận X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:16001
+#: ../strongswan-starter.templates:15001
 msgid ""
 "Please enter the organization the server belongs to (such as \"Debian\")."
 msgstr ""
@@ -383,13 +373,13 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid "Organizational unit for the X.509 certificate request:"
 msgstr "Tên đơn vị tổ chức cho yêu cầu chứng nhận X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:17001
+#: ../strongswan-starter.templates:16001
 msgid ""
 "Please enter the organizational unit the server belongs to (such as "
 "\"security group\")."
@@ -399,26 +389,26 @@ msgstr ""
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid "Common Name for the X.509 certificate request:"
 msgstr "Tên chung cho yêu cầu chứng nhận X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:18001
+#: ../strongswan-starter.templates:17001
 msgid ""
 "Please enter the Common Name for this host (such as \"gateway.example.org\")."
 msgstr "Hãy nhập Tên Chung cho máy này (v.d. « cổng_ra.vị_dụ.org »)."
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid "Email address for the X.509 certificate request:"
 msgstr "�ịa chỉ thư cho yêu cầu chứng nhận X.509:"
 
 #. Type: string
 #. Description
-#: ../strongswan-starter.templates:19001
+#: ../strongswan-starter.templates:18001
 msgid ""
 "Please enter the email address of the person or organization responsible for "
 "the X.509 certificate."
@@ -428,13 +418,13 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid "Enable opportunistic encryption?"
 msgstr "Bật mật mã cơ hội chủ nghĩa ?"
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
 msgid ""
 "This version of strongSwan supports opportunistic encryption (OE), which "
 "stores IPSec authentication information in DNS records. Until this is widely "
@@ -447,12 +437,26 @@ msgstr ""
 
 #. Type: boolean
 #. Description
-#: ../strongswan-starter.templates:20001
+#: ../strongswan-starter.templates:19001
+#, fuzzy
+#| msgid ""
+#| "You should only enable opportunistic encryption if you are sure you want "
+#| "it. It may break the Internet connection (default route) as the pluto "
+#| "daemon starts."
 msgid ""
 "You should only enable opportunistic encryption if you are sure you want it. "
-"It may break the Internet connection (default route) as the pluto daemon "
-"starts."
+"It may break the Internet connection (default route) as the daemon starts."
 msgstr ""
 "Chưa chắc thì không nên hiệu lực chức năng mật mã cơ hội chủ nghĩa. Nó cũng "
 "có thể đóng kết nối Internet (đư�ng dẫn mặc định) do trình n�n pluto khởi "
 "chạy."
+
+#~ msgid ""
+#~ "The pluto daemon must be running to support version 1 of the Internet Key "
+#~ "Exchange protocol."
+#~ msgstr ""
+#~ "�ồng th�i cũng cần phải chạy trình n�n pluto, để hỗ trợ phiên bản 1 của "
+#~ "giao thức Trao �ổi Khoá Internet (IKE)."
+
+#~ msgid "Start strongSwan's IKEv2 daemon?"
+#~ msgstr "Khởi chạy trình n�n IKEv2 của strongSwan ?"
diff --git a/debian/rules b/debian/rules
index bca7751bc..7eb0aef43 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,11 +1,11 @@
 #!/usr/bin/make -f
+export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1
 #export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
-export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-ldap --enable-curl \
-		--enable-smartcard --enable-pkcs11 \
-		--with-default-pkcs11=/usr/lib/$(DEB_HOST_MULTIARCH)/opensc-pkcs11.so \
+		--enable-pkcs11 \
 		--enable-mediation --enable-medsrv --enable-medcli \
 		--enable-openssl --enable-agent \
 		--enable-ctr --enable-ccm --enable-gcm --enable-addrblock \
@@ -15,7 +15,10 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-sql --enable-integrity-test \
 		--enable-ha \
 		--enable-led --enable-gcrypt \
-		--enable-test-vectors --enable-nat-transport \
+		--enable-test-vectors \
+		--enable-xauth-eap --enable-xauth-pam \
+		--enable-attr-sql \
+		--enable-cmd \
 		--disable-blowfish --disable-des # BSD-Young license
 	#--with-user=strongswan --with-group=nogroup
 	#	--enable-kernel-pfkey --enable-kernel-klips \
@@ -26,10 +29,14 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 	# sends these Cisco options.
 
 # the padlock plugin only makes sense on i386 
-# but it actually doesn't do much, so maybe we don't need it
+# RdRand only makes sense on i386 and amd64
 DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
 ifeq ($(DEB_BUILD_ARCH_CPU),i386)
-  CONFIGUREARGS += --enable-padlock
+  CONFIGUREARGS += --enable-padlock --enable-rdrand
+endif
+
+ifeq ($(DEB_BUILD_ARCH_CPU),amd64)
+  CONFIGUREARGS += --enable-rdrand
 endif
 
 ifeq ($(DEB_BUILD_ARCH_OS),linux)
@@ -46,7 +53,7 @@ ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
 	# http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
 	CONFIGUREARGS += --disable-kernel-netlink \
 		--enable-kernel-pfkey --enable-kernel-pfroute \
-		--disable-pluto --with-group=wheel
+		--with-group=wheel
 endif
 
 override_dh_auto_configure:
@@ -76,7 +83,6 @@ ifeq ($(DEB_BUILD_ARCH_OS),linux)
 	# handle Linux-only plugins
 	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-dhcp.so
 	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-farp.so
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-xauth.so
 	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
 endif
 
@@ -89,6 +95,11 @@ endif
 ifeq ($(DEB_BUILD_ARCH_CPU),i386)
 	# special handling for padlock, as it is only built on i386
 	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-padlock.so
+	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
+endif
+
+ifeq ($(DEB_BUILD_ARCH_CPU), amd64)
+	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
 endif
 
 	# then install the rest, ignoring the above
@@ -98,8 +109,8 @@ endif
 		-Xlibstrongswan-kernel \
 		-Xlibstrongswan-dhcp.so \
 		-Xlibstrongswan-farp.so \
-		-Xlibstrongswan-xauth.so \
-	 	-Xlibstrongswan-padlock.so
+	 	-Xlibstrongswan-padlock.so \
+	 	-Xlibstrongswan-rdrand.so
 
 	# add additional files not covered by upstream makefile...
 	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
@@ -107,7 +118,7 @@ endif
 	echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
 	echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
 	# and to enable both IKEv1 and IKEv2 by default
-	sed -r 's/^[ \t]+# *plutostart=(yes|no) */\tplutostart=yes/;s/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
+	sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
 	mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
 
 	# set permissions on ipsec.secrets
@@ -145,4 +156,4 @@ override_dh_installlogcheck:
 	dh_installlogcheck --name strongswan
 
 %:
-	dh $@ --parallel --with autotools-dev
+	dh $@ --parallel --with autoreconf
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 000000000..9942c61f1
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1 @@
+extend-diff-ignore = "(^|/)(config\.sub|config\.guess|Makefile)$"
diff --git a/debian/strongswan-ike.install b/debian/strongswan-ike.install
new file mode 100644
index 000000000..be9791257
--- /dev/null
+++ b/debian/strongswan-ike.install
@@ -0,0 +1,9 @@
+usr/sbin/charon-cmd
+usr/share/man/man8/charon-cmd.8
+usr/lib/ipsec/libcharon.so*
+usr/lib/ipsec/charon
+usr/lib/ipsec/plugins/libstrongswan-socket*.so
+usr/lib/ipsec/plugins/libstrongswan-eap*.so
+usr/lib/ipsec/plugins/libstrongswan-agent.so
+usr/lib/ipsec/plugins/libstrongswan-medsrv.so
+usr/lib/ipsec/plugins/libstrongswan-medcli.so
diff --git a/debian/strongswan-ike.lintian-overrides b/debian/strongswan-ike.lintian-overrides
new file mode 100644
index 000000000..90f644f8f
--- /dev/null
+++ b/debian/strongswan-ike.lintian-overrides
@@ -0,0 +1,3 @@
+# we do pass hardening flags
+strongswan-ike: hardening-no-fortify-functions usr/lib/ipsec/plugins/libstrongswan-agent.so
+strongswan-ike: hardening-no-fortify-functions usr/lib/ipsec/plugins/libstrongswan-socket-raw.so
diff --git a/debian/strongswan-ikev1.install b/debian/strongswan-ikev1.install
deleted file mode 100644
index 5f91e1b7c..000000000
--- a/debian/strongswan-ikev1.install
+++ /dev/null
@@ -1,4 +0,0 @@
-usr/lib/ipsec/pluto
-usr/lib/ipsec/_pluto_adns
-usr/lib/ipsec/whack
-usr/share/man/man8/pluto.8
diff --git a/debian/strongswan-ikev2.install b/debian/strongswan-ikev2.install
deleted file mode 100644
index 0b7bb0e94..000000000
--- a/debian/strongswan-ikev2.install
+++ /dev/null
@@ -1,7 +0,0 @@
-usr/lib/ipsec/libcharon.so*
-usr/lib/ipsec/charon
-usr/lib/ipsec/plugins/libstrongswan-socket*.so
-usr/lib/ipsec/plugins/libstrongswan-eap*.so
-usr/lib/ipsec/plugins/libstrongswan-agent.so
-usr/lib/ipsec/plugins/libstrongswan-medsrv.so
-usr/lib/ipsec/plugins/libstrongswan-medcli.so
diff --git a/debian/strongswan-ikev2.lintian-overrides b/debian/strongswan-ikev2.lintian-overrides
deleted file mode 100644
index 56c239da4..000000000
--- a/debian/strongswan-ikev2.lintian-overrides
+++ /dev/null
@@ -1,3 +0,0 @@
-# we do pass hardening flags
-strongswan-ikev2: hardening-no-fortify-functions usr/lib/ipsec/plugins/libstrongswan-agent.so
-strongswan-ikev2: hardening-no-fortify-functions usr/lib/ipsec/plugins/libstrongswan-socket-raw.so
diff --git a/debian/strongswan-nm.dirs b/debian/strongswan-nm.dirs
deleted file mode 100644
index d00915ff0..000000000
--- a/debian/strongswan-nm.dirs
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/ipsec/plugins
diff --git a/debian/strongswan-nm.install b/debian/strongswan-nm.install
index 4cd32661e..9e31d775a 100644
--- a/debian/strongswan-nm.install
+++ b/debian/strongswan-nm.install
@@ -1 +1 @@
-usr/lib/ipsec/plugins/libstrongswan-nm.so
+usr/lib/ipsec/charon-nm
diff --git a/debian/strongswan-starter.ipsec.init b/debian/strongswan-starter.ipsec.init
index cd10682cf..0f4e153eb 100644
--- a/debian/strongswan-starter.ipsec.init
+++ b/debian/strongswan-starter.ipsec.init
@@ -15,9 +15,7 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin
 DESC="strongswan IPsec services"
 NAME=ipsec
 STARTER=/usr/sbin/$NAME
-PIDFILE1=/var/run/pluto.pid
-PIDFILE2=/var/run/charon.pid
-PLUTO=/usr/lib/ipsec/pluto
+PIDFILE=/var/run/charon.pid
 CHARON=/usr/lib/ipsec/charon
 SCRIPTNAME=/etc/init.d/$NAME
 
@@ -47,13 +45,9 @@ do_start()
 	#   1 if daemon was already running
 	#   2 if daemon could not be started
 
-	# test if either charon or pluto are currently running (PIDFILE1 or PIDFILE2)
-	if [ -e $PLUTO ]; then
-	  start-stop-daemon --start --quiet --pidfile $PIDFILE1 --exec $STARTER --test > /dev/null \
-		|| return 1
-	fi
+	# test if charon is currently running
 	if [ -e $CHARON ]; then
-	  start-stop-daemon --start --quiet --pidfile $PIDFILE2 --exec $STARTER --test > /dev/null \
+	  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $STARTER --test > /dev/null \
 		|| return 1
 	fi
 
@@ -75,13 +69,8 @@ do_stop()
 
 	RETVAL=0
 	# but kill if that didn't work
-	if [ -e $PIDFILE1 ]; then
-		start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE1 --name $NAME
-		RETVAL="$?"
-		[ "$RETVAL" = 2 ] && return 2
-	fi
-	if [ -e $PIDFILE2 ]; then
-		start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE2 --name $NAME
+	if [ -e $PIDFILE ]; then
+		start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
 		RETVAL="$?"
 		[ "$RETVAL" = 2 ] && return 2
 	fi
@@ -92,19 +81,14 @@ do_stop()
 	# that waits for the process to drop all resources that could be
 	# needed by services started subsequently.  A last resort is to
 	# sleep for some time.
-	if [ -e $PLUTO ]; then
-	  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $PLUTO
-	  [ "$?" = 2 ] && return 2
-	fi
 	if [ -e $CHARON ]; then
 	  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $CHARON
 	  [ "$?" = 2 ] && return 2
 	fi
 
 	# strongswan is known to leave PID files behind when something goes wrong, cleanup here
-	rm -f $PIDFILE1 $PIDFILE2
+	rm -f $PIDFILE
 	# and just to make sure they are really really dead at this point...
-	killall -9 $PLUTO 2>/dev/null
 	killall -9 $CHARON 2>/dev/null
 
 	return "$RETVAL"
diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
index 52e895a88..9e4d7b10e 100644
--- a/debian/strongswan-starter.postinst
+++ b/debian/strongswan-starter.postinst
@@ -79,7 +79,7 @@ enable_daemon_start() {
     daemon=$1
     protocol=$2
 
-    echo -n "Enabling ${protocol} support by pluto ... "
+    echo -n "Enabling ${protocol} support by ${daemon}... "
     if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
         echo "already enabled"
     elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then
@@ -103,7 +103,7 @@ disable_daemon_start() {
     daemon=$1
     protocol=$2
 
-    echo -n "Disabling ${protocol} support by pluto ... "
+    echo -n "Disabling ${protocol} support by ${daemon}... "
     if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE ||
        egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then
         echo "already disabled"
diff --git a/debian/strongswan-starter.templates b/debian/strongswan-starter.templates
index f36a76388..a54581e8a 100644
--- a/debian/strongswan-starter.templates
+++ b/debian/strongswan-starter.templates
@@ -28,18 +28,11 @@ _Description: Restart strongSwan now?
  existing connections and then bring them back up, so if you are using such
  a strongSwan tunnel to connect for this update, restarting is not recommended.
 
-Template: strongswan/ikev1
+Template: strongswan/charon
 Type: boolean
 Default: true
-_Description: Start strongSwan's IKEv1 daemon?
- The pluto daemon must be running to support version 1 of the Internet Key
- Exchange protocol.
-
-Template: strongswan/ikev2
-Type: boolean
-Default: true
-_Description: Start strongSwan's IKEv2 daemon?
- The charon daemon must be running to support version 2 of the Internet Key
+_Description: Start strongSwan's charon daemon?
+ The charon daemon must be running to support the Internet Key
  Exchange protocol.
 
 Template: strongswan/install_x509_certificate
@@ -190,5 +183,4 @@ _Description: Enable opportunistic encryption?
  cause a significant delay for every new outgoing connection.
  .
  You should only enable opportunistic encryption if you are sure you want it.
- It may break the Internet connection (default route) as the pluto daemon
- starts.
+ It may break the Internet connection (default route) as the daemon starts.
diff --git a/debian/strongswan.docs b/debian/strongswan.docs
index 297170db8..e845566c0 100644
--- a/debian/strongswan.docs
+++ b/debian/strongswan.docs
@@ -1,2 +1 @@
 README
-CREDITS
diff --git a/depcomp b/depcomp
index df8eea7e4..25a39e6cd 100755
--- a/depcomp
+++ b/depcomp
@@ -1,10 +1,10 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2012-03-27.16; # UTC
 
-# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009 Free
-# Software Foundation, Inc.
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010,
+# 2011, 2012 Free Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -28,7 +28,7 @@ scriptversion=2009-04-28.21; # UTC
 
 case $1 in
   '')
-     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
+     echo "$0: No command.  Try '$0 --help' for more information." 1>&2
      exit 1;
      ;;
   -h | --h*)
@@ -40,11 +40,11 @@ as side-effects.
 
 Environment variables:
   depmode     Dependency tracking mode.
-  source      Source file read by `PROGRAMS ARGS'.
-  object      Object file output by `PROGRAMS ARGS'.
+  source      Source file read by 'PROGRAMS ARGS'.
+  object      Object file output by 'PROGRAMS ARGS'.
   DEPDIR      directory where to store dependencies.
   depfile     Dependency file to output.
-  tmpdepfile  Temporary file to use when outputing dependencies.
+  tmpdepfile  Temporary file to use when outputting dependencies.
   libtool     Whether libtool is used (yes/no).
 
 Report bugs to <bug-automake@gnu.org>.
@@ -57,6 +57,12 @@ EOF
     ;;
 esac
 
+# A tabulation character.
+tab='	'
+# A newline character.
+nl='
+'
+
 if test -z "$depmode" || test -z "$source" || test -z "$object"; then
   echo "depcomp: Variables source, object and depmode must be set" 1>&2
   exit 1
@@ -90,10 +96,24 @@ if test "$depmode" = msvcmsys; then
    # This is just like msvisualcpp but w/o cygpath translation.
    # Just convert the backslash-escaped backslashes to single forward
    # slashes to satisfy depend.m4
-   cygpath_u="sed s,\\\\\\\\,/,g"
+   cygpath_u='sed s,\\\\,/,g'
    depmode=msvisualcpp
 fi
 
+if test "$depmode" = msvc7msys; then
+   # This is just like msvc7 but w/o cygpath translation.
+   # Just convert the backslash-escaped backslashes to single forward
+   # slashes to satisfy depend.m4
+   cygpath_u='sed s,\\\\,/,g'
+   depmode=msvc7
+fi
+
+if test "$depmode" = xlc; then
+   # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency informations.
+   gccflag=-qmakedep=gcc,-MF
+   depmode=gcc
+fi
+
 case "$depmode" in
 gcc3)
 ## gcc 3 implements dependency tracking that does exactly what
@@ -148,20 +168,21 @@ gcc)
 ## The second -e expression handles DOS-style file names with drive letters.
   sed -e 's/^[^:]*: / /' \
       -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the `deleted header file' problem.
+## This next piece of magic avoids the "deleted header file" problem.
 ## The problem is that when a header file which appears in a .P file
 ## is deleted, the dependency causes make to die (because there is
 ## typically no way to rebuild the header).  We avoid this by adding
 ## dummy dependencies for each header file.  Too bad gcc doesn't do
 ## this for us directly.
-  tr ' ' '
-' < "$tmpdepfile" |
-## Some versions of gcc put a space before the `:'.  On the theory
+  tr ' ' "$nl" < "$tmpdepfile" |
+## Some versions of gcc put a space before the ':'.  On the theory
 ## that the space means something, we add a space to the output as
-## well.
+## well.  hp depmode also adds that space, but also prefixes the VPATH
+## to the object.  Take care to not repeat it in the output.
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly.  Breaking it into two sed invocations is a workaround.
-    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+    sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
+      | sed -e 's/$/ :/' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
@@ -193,18 +214,15 @@ sgi)
     # clever and replace this with sed code, as IRIX sed won't handle
     # lines with more than a fixed number of characters (4096 in
     # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
-    # the IRIX cc adds comments like `#:fec' to the end of the
+    # the IRIX cc adds comments like '#:fec' to the end of the
     # dependency line.
-    tr ' ' '
-' < "$tmpdepfile" \
+    tr ' ' "$nl" < "$tmpdepfile" \
     | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
-    tr '
-' ' ' >> "$depfile"
+    tr "$nl" ' ' >> "$depfile"
     echo >> "$depfile"
 
     # The second pass generates a dummy entry for each header file.
-    tr ' ' '
-' < "$tmpdepfile" \
+    tr ' ' "$nl" < "$tmpdepfile" \
    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
    >> "$depfile"
   else
@@ -216,10 +234,17 @@ sgi)
   rm -f "$tmpdepfile"
   ;;
 
+xlc)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
 aix)
   # The C for AIX Compiler uses -M and outputs the dependencies
   # in a .u file.  In older versions, this file always lives in the
-  # current directory.  Also, the AIX compiler puts `$object:' at the
+  # current directory.  Also, the AIX compiler puts '$object:' at the
   # start of each line; $object doesn't have directory information.
   # Version 6 uses the directory in both cases.
   dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
@@ -249,12 +274,11 @@ aix)
     test -f "$tmpdepfile" && break
   done
   if test -f "$tmpdepfile"; then
-    # Each line is of the form `foo.o: dependent.h'.
+    # Each line is of the form 'foo.o: dependent.h'.
     # Do two passes, one to just change these to
-    # `$object: dependent.h' and one to simply `dependent.h:'.
+    # '$object: dependent.h' and one to simply 'dependent.h:'.
     sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-    # That's a tab and a space in the [].
-    sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+    sed -e 's,^.*\.[a-z]*:['"$tab"' ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
   else
     # The sourcefile does not contain any dependencies, so just
     # store a dummy comment line, to avoid errors with the Makefile
@@ -265,23 +289,26 @@ aix)
   ;;
 
 icc)
-  # Intel's C compiler understands `-MD -MF file'.  However on
-  #    icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
+  # Intel's C compiler anf tcc (Tiny C Compiler) understand '-MD -MF file'.
+  # However on
+  #    $CC -MD -MF foo.d -c -o sub/foo.o sub/foo.c
   # ICC 7.0 will fill foo.d with something like
   #    foo.o: sub/foo.c
   #    foo.o: sub/foo.h
-  # which is wrong.  We want:
+  # which is wrong.  We want
   #    sub/foo.o: sub/foo.c
   #    sub/foo.o: sub/foo.h
   #    sub/foo.c:
   #    sub/foo.h:
   # ICC 7.1 will output
   #    foo.o: sub/foo.c sub/foo.h
-  # and will wrap long lines using \ :
+  # and will wrap long lines using '\':
   #    foo.o: sub/foo.c ... \
   #     sub/foo.h ... \
   #     ...
-
+  # tcc 0.9.26 (FIXME still under development at the moment of writing)
+  # will emit a similar output, but also prepend the continuation lines
+  # with horizontal tabulation characters.
   "$@" -MD -MF "$tmpdepfile"
   stat=$?
   if test $stat -eq 0; then :
@@ -290,15 +317,21 @@ icc)
     exit $stat
   fi
   rm -f "$depfile"
-  # Each line is of the form `foo.o: dependent.h',
-  # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
+  # Each line is of the form 'foo.o: dependent.h',
+  # or 'foo.o: dep1.h dep2.h \', or ' dep3.h dep4.h \'.
   # Do two passes, one to just change these to
-  # `$object: dependent.h' and one to simply `dependent.h:'.
-  sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
-  # Some versions of the HPUX 10.20 sed can't process this invocation
-  # correctly.  Breaking it into two sed invocations is a workaround.
-  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
-    sed -e 's/$/ :/' >> "$depfile"
+  # '$object: dependent.h' and one to simply 'dependent.h:'.
+  sed -e "s/^[ $tab][ $tab]*/  /" -e "s,^[^:]*:,$object :," \
+    < "$tmpdepfile" > "$depfile"
+  sed '
+    s/[ '"$tab"'][ '"$tab"']*/ /g
+    s/^ *//
+    s/ *\\*$//
+    s/^[^:]*: *//
+    /^$/d
+    /:$/d
+    s/$/ :/
+  ' < "$tmpdepfile" >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
 
@@ -334,7 +367,7 @@ hp2)
   done
   if test -f "$tmpdepfile"; then
     sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
-    # Add `dependent.h:' lines.
+    # Add 'dependent.h:' lines.
     sed -ne '2,${
 	       s/^ *//
 	       s/ \\*$//
@@ -349,9 +382,9 @@ hp2)
 
 tru64)
    # The Tru64 compiler uses -MD to generate dependencies as a side
-   # effect.  `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
+   # effect.  'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
    # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
-   # dependencies in `foo.d' instead, so we check for that too.
+   # dependencies in 'foo.d' instead, so we check for that too.
    # Subdirectories are respected.
    dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
    test "x$dir" = "x$object" && dir=
@@ -397,14 +430,59 @@ tru64)
    done
    if test -f "$tmpdepfile"; then
       sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
-      # That's a tab and a space in the [].
-      sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+      sed -e 's,^.*\.[a-z]*:['"$tab"' ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
    else
       echo "#dummy" > "$depfile"
    fi
    rm -f "$tmpdepfile"
    ;;
 
+msvc7)
+  if test "$libtool" = yes; then
+    showIncludes=-Wc,-showIncludes
+  else
+    showIncludes=-showIncludes
+  fi
+  "$@" $showIncludes > "$tmpdepfile"
+  stat=$?
+  grep -v '^Note: including file: ' "$tmpdepfile"
+  if test "$stat" = 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  # The first sed program below extracts the file names and escapes
+  # backslashes for cygpath.  The second sed program outputs the file
+  # name when reading, but also accumulates all include files in the
+  # hold buffer in order to output them again at the end.  This only
+  # works with sed implementations that can handle large buffers.
+  sed < "$tmpdepfile" -n '
+/^Note: including file:  *\(.*\)/ {
+  s//\1/
+  s/\\/\\\\/g
+  p
+}' | $cygpath_u | sort -u | sed -n '
+s/ /\\ /g
+s/\(.*\)/'"$tab"'\1 \\/p
+s/.\(.*\) \\/\1:/
+H
+$ {
+  s/.*/'"$tab"'/
+  G
+  p
+}' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+msvc7msys)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
 #nosideeffect)
   # This comment above is used by automake to tell side-effect
   # dependency tracking mechanisms from slower ones.
@@ -422,7 +500,7 @@ dashmstdout)
     shift
   fi
 
-  # Remove `-o $object'.
+  # Remove '-o $object'.
   IFS=" "
   for arg
   do
@@ -442,15 +520,14 @@ dashmstdout)
   done
 
   test -z "$dashmflag" && dashmflag=-M
-  # Require at least two characters before searching for `:'
+  # Require at least two characters before searching for ':'
   # in the target name.  This is to cope with DOS-style filenames:
-  # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+  # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
   "$@" $dashmflag |
-    sed 's:^[  ]*[^: ][^:][^:]*\:[    ]*:'"$object"'\: :' > "$tmpdepfile"
+    sed 's:^['"$tab"' ]*[^:'"$tab"' ][^:][^:]*\:['"$tab"' ]*:'"$object"'\: :' > "$tmpdepfile"
   rm -f "$depfile"
   cat < "$tmpdepfile" > "$depfile"
-  tr ' ' '
-' < "$tmpdepfile" | \
+  tr ' ' "$nl" < "$tmpdepfile" | \
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly.  Breaking it into two sed invocations is a workaround.
     sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
@@ -503,9 +580,10 @@ makedepend)
   touch "$tmpdepfile"
   ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
   rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
-  sed '1,2d' "$tmpdepfile" | tr ' ' '
-' | \
+  # makedepend may prepend the VPATH from the source file name to the object.
+  # No need to regex-escape $object, excess matching of '.' is harmless.
+  sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
+  sed '1,2d' "$tmpdepfile" | tr ' ' "$nl" | \
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly.  Breaking it into two sed invocations is a workaround.
     sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
@@ -525,7 +603,7 @@ cpp)
     shift
   fi
 
-  # Remove `-o $object'.
+  # Remove '-o $object'.
   IFS=" "
   for arg
   do
@@ -594,8 +672,8 @@ msvisualcpp)
   sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
   rm -f "$depfile"
   echo "$object : \\" > "$depfile"
-  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
-  echo "	" >> "$depfile"
+  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
+  echo "$tab" >> "$depfile"
   sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
   rm -f "$tmpdepfile"
   ;;
diff --git a/init/Makefile.in b/init/Makefile.in
index 141169af8..d9b475638 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,12 +62,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -60,6 +84,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -97,21 +126,28 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -120,13 +156,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -139,6 +178,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -166,11 +206,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -178,6 +220,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -186,8 +229,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -196,14 +237,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -217,17 +263,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -237,16 +283,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -482,13 +527,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -523,10 +565,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index e2bbfc451..e4b7166d6 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -5,4 +5,8 @@ CLEANFILES = strongswan.service
 systemdsystemunit_DATA = strongswan.service
 
 strongswan.service : strongswan.service.in
-	sed -e "s:@SBINDIR@:$(sbindir):" $(srcdir)/$@.in > $@
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@SBINDIR@:$(sbindir):" \
+	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
+	$(srcdir)/$@.in > $@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index a1dbe39eb..e9fd2443d 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,14 +62,26 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -74,27 +103,40 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(systemdsystemunitdir)"
 DATA = $(systemdsystemunit_DATA)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -103,13 +145,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -122,6 +167,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -149,11 +195,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -161,6 +209,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -169,8 +218,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -179,14 +226,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -200,17 +252,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -220,16 +272,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -301,8 +352,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-systemdsystemunitDATA: $(systemdsystemunit_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(systemdsystemunitdir)" || $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)"
 	@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(systemdsystemunitdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -316,9 +370,7 @@ uninstall-systemdsystemunitDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(systemdsystemunitdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(systemdsystemunitdir)" && rm -f $$files
+	dir='$(DESTDIR)$(systemdsystemunitdir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -373,10 +425,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -472,7 +529,11 @@ uninstall-am: uninstall-systemdsystemunitDATA
 
 
 strongswan.service : strongswan.service.in
-	sed -e "s:@SBINDIR@:$(sbindir):" $(srcdir)/$@.in > $@
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@SBINDIR@:$(sbindir):" \
+	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
+	$(srcdir)/$@.in > $@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
index e8dc5e819..dee892e90 100644
--- a/init/systemd/strongswan.service.in
+++ b/init/systemd/strongswan.service.in
@@ -3,7 +3,7 @@ Description=strongSwan IPsec
 After=syslog.target
 
 [Service]
-ExecStart=@SBINDIR@/ipsec start --nofork
+ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
 StandardOutput=syslog
 
 [Install]
diff --git a/install-sh b/install-sh
index 6781b987b..a9244eb07 100755
--- a/install-sh
+++ b/install-sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-01-19.21; # UTC
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -156,6 +156,10 @@ while test $# -ne 0; do
     -s) stripcmd=$stripprog;;
 
     -t) dst_arg=$2
+	# Protect names problematic for `test' and other utilities.
+	case $dst_arg in
+	  -* | [=\(\)!]) dst_arg=./$dst_arg;;
+	esac
 	shift;;
 
     -T) no_target_directory=true;;
@@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
     fi
     shift # arg
     dst_arg=$arg
+    # Protect names problematic for `test' and other utilities.
+    case $dst_arg in
+      -* | [=\(\)!]) dst_arg=./$dst_arg;;
+    esac
   done
 fi
 
@@ -200,7 +208,11 @@ if test $# -eq 0; then
 fi
 
 if test -z "$dir_arg"; then
-  trap '(exit $?); exit' 1 2 13 15
+  do_exit='(exit $ret); exit $ret'
+  trap "ret=129; $do_exit" 1
+  trap "ret=130; $do_exit" 2
+  trap "ret=141; $do_exit" 13
+  trap "ret=143; $do_exit" 15
 
   # Set umask so as not to create temps with too-generous modes.
   # However, 'strip' requires both read and write access to temps.
@@ -228,9 +240,9 @@ fi
 
 for src
 do
-  # Protect names starting with `-'.
+  # Protect names problematic for `test' and other utilities.
   case $src in
-    -*) src=./$src;;
+    -* | [=\(\)!]) src=./$src;;
   esac
 
   if test -n "$dir_arg"; then
@@ -252,12 +264,7 @@ do
       echo "$0: no destination specified." >&2
       exit 1
     fi
-
     dst=$dst_arg
-    # Protect names starting with `-'.
-    case $dst in
-      -*) dst=./$dst;;
-    esac
 
     # If destination is a directory, append the input filename; won't work
     # if double slashes aren't ignored.
@@ -385,7 +392,7 @@ do
 
       case $dstdir in
 	/*) prefix='/';;
-	-*) prefix='./';;
+	[-=\(\)!]*) prefix='./';;
 	*)  prefix='';;
       esac
 
@@ -403,7 +410,7 @@ do
 
       for d
       do
-	test -z "$d" && continue
+	test X"$d" = X && continue
 
 	prefix=$prefix$d
 	if test -d "$prefix"; then
diff --git a/ltmain.sh b/ltmain.sh
index 7ed280bc9..b9205eeb4 100755..100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,9 +1,9 @@
-# Generated from ltmain.m4sh.
 
-# ltmain.sh (GNU libtool) 2.2.6b
+# libtool (GNU libtool) 2.4.2
 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
+# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
 # This is free software; see the source for copying conditions.  There is NO
 # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
@@ -32,50 +32,57 @@
 #
 # Provide generalized library-building support services.
 #
-#     --config             show all configuration variables
-#     --debug              enable verbose shell tracing
-# -n, --dry-run            display commands without modifying any files
-#     --features           display basic configuration information and exit
-#     --mode=MODE          use operation mode MODE
-#     --preserve-dup-deps  don't remove duplicate dependency libraries
-#     --quiet, --silent    don't print informational messages
-#     --tag=TAG            use configuration variables from tag TAG
-# -v, --verbose            print informational messages (default)
-#     --version            print version information
-# -h, --help               print short or long help message
+#       --config             show all configuration variables
+#       --debug              enable verbose shell tracing
+#   -n, --dry-run            display commands without modifying any files
+#       --features           display basic configuration information and exit
+#       --mode=MODE          use operation mode MODE
+#       --preserve-dup-deps  don't remove duplicate dependency libraries
+#       --quiet, --silent    don't print informational messages
+#       --no-quiet, --no-silent
+#                            print informational messages (default)
+#       --no-warn            don't display warning messages
+#       --tag=TAG            use configuration variables from tag TAG
+#   -v, --verbose            print more informational messages than default
+#       --no-verbose         don't print the extra informational messages
+#       --version            print version information
+#   -h, --help, --help-all   print short, long, or detailed help message
 #
 # MODE must be one of the following:
 #
-#       clean              remove files from the build directory
-#       compile            compile a source file into a libtool object
-#       execute            automatically set library path, then run a program
-#       finish             complete the installation of libtool libraries
-#       install            install libraries or executables
-#       link               create a library or an executable
-#       uninstall          remove libraries from an installed directory
+#         clean              remove files from the build directory
+#         compile            compile a source file into a libtool object
+#         execute            automatically set library path, then run a program
+#         finish             complete the installation of libtool libraries
+#         install            install libraries or executables
+#         link               create a library or an executable
+#         uninstall          remove libraries from an installed directory
 #
-# MODE-ARGS vary depending on the MODE.
+# MODE-ARGS vary depending on the MODE.  When passed as first option,
+# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that.
 # Try `$progname --help --mode=MODE' for a more detailed description of MODE.
 #
 # When reporting a bug, please describe a test case to reproduce it and
 # include the following information:
 #
-#       host-triplet:	$host
-#       shell:		$SHELL
-#       compiler:		$LTCC
-#       compiler flags:		$LTCFLAGS
-#       linker:		$LD (gnu? $with_gnu_ld)
-#       $progname:		(GNU libtool) 2.2.6b Debian-2.2.6b-2ubuntu1
-#       automake:		$automake_version
-#       autoconf:		$autoconf_version
+#         host-triplet:	$host
+#         shell:		$SHELL
+#         compiler:		$LTCC
+#         compiler flags:		$LTCFLAGS
+#         linker:		$LD (gnu? $with_gnu_ld)
+#         $progname:	(GNU libtool) 2.4.2 Debian-2.4.2-1.2ubuntu1
+#         automake:	$automake_version
+#         autoconf:	$autoconf_version
 #
 # Report bugs to <bug-libtool@gnu.org>.
+# GNU libtool home page: <http://www.gnu.org/software/libtool/>.
+# General help using GNU software: <http://www.gnu.org/gethelp/>.
 
-PROGRAM=ltmain.sh
+PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.2.6b Debian-2.2.6b-2ubuntu1"
+VERSION="2.4.2 Debian-2.4.2-1.2ubuntu1"
 TIMESTAMP=""
-package_revision=1.3017
+package_revision=1.3337
 
 # Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
@@ -91,10 +98,15 @@ fi
 BIN_SH=xpg4; export BIN_SH # for Tru64
 DUALCASE=1; export DUALCASE # for MKS sh
 
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+}
+
 # NLS nuisances: We save the old values to restore during execute mode.
-# Only set LANG and LC_ALL to C if already set.
-# These must not be set unconditionally because not all systems understand
-# e.g. LANG=C (notably SCO).
 lt_user_locale=
 lt_safe_locale=
 for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
@@ -107,24 +119,28 @@ do
 	  lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\"
 	fi"
 done
+LC_ALL=C
+LANGUAGE=C
+export LANGUAGE LC_ALL
 
 $lt_unset CDPATH
 
 
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath="$0"
 
 
 
 : ${CP="cp -f"}
-: ${ECHO="echo"}
-: ${EGREP="/bin/grep -E"}
-: ${FGREP="/bin/grep -F"}
-: ${GREP="/bin/grep"}
-: ${LN_S="ln -s"}
+test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
 : ${MAKE="make"}
 : ${MKDIR="mkdir"}
 : ${MV="mv -f"}
 : ${RM="rm -f"}
-: ${SED="/bin/sed"}
 : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
 : ${Xsed="$SED -e 1s/^X//"}
 
@@ -144,6 +160,27 @@ IFS=" 	$lt_nl"
 dirname="s,/[^/]*$,,"
 basename="s,^.*/,,"
 
+# func_dirname file append nondir_replacement
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+func_dirname ()
+{
+    func_dirname_result=`$ECHO "${1}" | $SED "$dirname"`
+    if test "X$func_dirname_result" = "X${1}"; then
+      func_dirname_result="${3}"
+    else
+      func_dirname_result="$func_dirname_result${2}"
+    fi
+} # func_dirname may be replaced by extended shell implementation
+
+
+# func_basename file
+func_basename ()
+{
+    func_basename_result=`$ECHO "${1}" | $SED "$basename"`
+} # func_basename may be replaced by extended shell implementation
+
+
 # func_dirname_and_basename file append nondir_replacement
 # perform func_basename and func_dirname in a single function
 # call:
@@ -158,33 +195,183 @@ basename="s,^.*/,,"
 # those functions but instead duplicate the functionality here.
 func_dirname_and_basename ()
 {
-  # Extract subdirectory from the argument.
-  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
-  if test "X$func_dirname_result" = "X${1}"; then
-    func_dirname_result="${3}"
-  else
-    func_dirname_result="$func_dirname_result${2}"
-  fi
-  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
+    # Extract subdirectory from the argument.
+    func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"`
+    if test "X$func_dirname_result" = "X${1}"; then
+      func_dirname_result="${3}"
+    else
+      func_dirname_result="$func_dirname_result${2}"
+    fi
+    func_basename_result=`$ECHO "${1}" | $SED -e "$basename"`
+} # func_dirname_and_basename may be replaced by extended shell implementation
+
+
+# func_stripname prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+# func_strip_suffix prefix name
+func_stripname ()
+{
+    case ${2} in
+      .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
+      *)  func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
+    esac
+} # func_stripname may be replaced by extended shell implementation
+
+
+# These SED scripts presuppose an absolute path with a trailing slash.
+pathcar='s,^/\([^/]*\).*$,\1,'
+pathcdr='s,^/[^/]*,,'
+removedotparts=':dotsl
+		s@/\./@/@g
+		t dotsl
+		s,/\.$,/,'
+collapseslashes='s@/\{1,\}@/@g'
+finalslash='s,/*$,/,'
+
+# func_normal_abspath PATH
+# Remove doubled-up and trailing slashes, "." path components,
+# and cancel out any ".." path components in PATH after making
+# it an absolute path.
+#             value returned in "$func_normal_abspath_result"
+func_normal_abspath ()
+{
+  # Start from root dir and reassemble the path.
+  func_normal_abspath_result=
+  func_normal_abspath_tpath=$1
+  func_normal_abspath_altnamespace=
+  case $func_normal_abspath_tpath in
+    "")
+      # Empty path, that just means $cwd.
+      func_stripname '' '/' "`pwd`"
+      func_normal_abspath_result=$func_stripname_result
+      return
+    ;;
+    # The next three entries are used to spot a run of precisely
+    # two leading slashes without using negated character classes;
+    # we take advantage of case's first-match behaviour.
+    ///*)
+      # Unusual form of absolute path, do nothing.
+    ;;
+    //*)
+      # Not necessarily an ordinary path; POSIX reserves leading '//'
+      # and for example Cygwin uses it to access remote file shares
+      # over CIFS/SMB, so we conserve a leading double slash if found.
+      func_normal_abspath_altnamespace=/
+    ;;
+    /*)
+      # Absolute path, do nothing.
+    ;;
+    *)
+      # Relative path, prepend $cwd.
+      func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath
+    ;;
+  esac
+  # Cancel out all the simple stuff to save iterations.  We also want
+  # the path to end with a slash for ease of parsing, so make sure
+  # there is one (and only one) here.
+  func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+        -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"`
+  while :; do
+    # Processed it all yet?
+    if test "$func_normal_abspath_tpath" = / ; then
+      # If we ascended to the root using ".." the result may be empty now.
+      if test -z "$func_normal_abspath_result" ; then
+        func_normal_abspath_result=/
+      fi
+      break
+    fi
+    func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \
+        -e "$pathcar"`
+    func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+        -e "$pathcdr"`
+    # Figure out what to do with it
+    case $func_normal_abspath_tcomponent in
+      "")
+        # Trailing empty path component, ignore it.
+      ;;
+      ..)
+        # Parent dir; strip last assembled component from result.
+        func_dirname "$func_normal_abspath_result"
+        func_normal_abspath_result=$func_dirname_result
+      ;;
+      *)
+        # Actual path component, append it.
+        func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent
+      ;;
+    esac
+  done
+  # Restore leading double-slash if one was found on entry.
+  func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result
 }
 
-# Generated shell functions inserted here.
+# func_relative_path SRCDIR DSTDIR
+# generates a relative path from SRCDIR to DSTDIR, with a trailing
+# slash if non-empty, suitable for immediately appending a filename
+# without needing to append a separator.
+#             value returned in "$func_relative_path_result"
+func_relative_path ()
+{
+  func_relative_path_result=
+  func_normal_abspath "$1"
+  func_relative_path_tlibdir=$func_normal_abspath_result
+  func_normal_abspath "$2"
+  func_relative_path_tbindir=$func_normal_abspath_result
+
+  # Ascend the tree starting from libdir
+  while :; do
+    # check if we have found a prefix of bindir
+    case $func_relative_path_tbindir in
+      $func_relative_path_tlibdir)
+        # found an exact match
+        func_relative_path_tcancelled=
+        break
+        ;;
+      $func_relative_path_tlibdir*)
+        # found a matching prefix
+        func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir"
+        func_relative_path_tcancelled=$func_stripname_result
+        if test -z "$func_relative_path_result"; then
+          func_relative_path_result=.
+        fi
+        break
+        ;;
+      *)
+        func_dirname $func_relative_path_tlibdir
+        func_relative_path_tlibdir=${func_dirname_result}
+        if test "x$func_relative_path_tlibdir" = x ; then
+          # Have to descend all the way to the root!
+          func_relative_path_result=../$func_relative_path_result
+          func_relative_path_tcancelled=$func_relative_path_tbindir
+          break
+        fi
+        func_relative_path_result=../$func_relative_path_result
+        ;;
+    esac
+  done
 
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
+  # Now calculate path; take care to avoid doubling-up slashes.
+  func_stripname '' '/' "$func_relative_path_result"
+  func_relative_path_result=$func_stripname_result
+  func_stripname '/' '/' "$func_relative_path_tcancelled"
+  if test "x$func_stripname_result" != x ; then
+    func_relative_path_result=${func_relative_path_result}/${func_stripname_result}
+  fi
+
+  # Normalisation. If bindir is libdir, return empty string,
+  # else relative path ending with a slash; either way, target
+  # file name can be directly appended.
+  if test ! -z "$func_relative_path_result"; then
+    func_stripname './' '' "$func_relative_path_result/"
+    func_relative_path_result=$func_stripname_result
+  fi
+}
 
 # The name of this program:
-# In the unlikely event $progname began with a '-', it would play havoc with
-# func_echo (imagine progname=-n), so we prepend ./ in that case:
 func_dirname_and_basename "$progpath"
 progname=$func_basename_result
-case $progname in
-  -*) progname=./$progname ;;
-esac
 
 # Make sure we have an absolute path for reexecution:
 case $progpath in
@@ -196,7 +383,7 @@ case $progpath in
      ;;
   *)
      save_IFS="$IFS"
-     IFS=:
+     IFS=${PATH_SEPARATOR-:}
      for progdir in $PATH; do
        IFS="$save_IFS"
        test -x "$progdir/$progname" && break
@@ -215,6 +402,15 @@ sed_quote_subst='s/\([`"$\\]\)/\\\1/g'
 # Same as above, but do not quote variable references.
 double_quote_subst='s/\(["`\\]\)/\\\1/g'
 
+# Sed substitution that turns a string into a regex matching for the
+# string literally.
+sed_make_literal_regex='s,[].[^$\\*\/],\\&,g'
+
+# Sed substitution that converts a w32 file name or path
+# which contains forward slashes, into one that contains
+# (escaped) backslashes.  A very naive implementation.
+lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
+
 # Re-`\' parameter expansions in output of double_quote_subst that were
 # `\'-ed in input to the same.  If an odd number of `\' preceded a '$'
 # in input to double_quote_subst, that '$' was protected from expansion.
@@ -243,7 +439,7 @@ opt_warning=:
 # name if it has been set yet.
 func_echo ()
 {
-    $ECHO "$progname${mode+: }$mode: $*"
+    $ECHO "$progname: ${opt_mode+$opt_mode: }$*"
 }
 
 # func_verbose arg...
@@ -258,18 +454,25 @@ func_verbose ()
     :
 }
 
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO "$*"
+}
+
 # func_error arg...
 # Echo program name prefixed message to standard error.
 func_error ()
 {
-    $ECHO "$progname${mode+: }$mode: "${1+"$@"} 1>&2
+    $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2
 }
 
 # func_warning arg...
 # Echo program name prefixed warning message to standard error.
 func_warning ()
 {
-    $opt_warning && $ECHO "$progname${mode+: }$mode: warning: "${1+"$@"} 1>&2
+    $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2
 
     # bash bug again:
     :
@@ -326,9 +529,9 @@ func_mkdir_p ()
         case $my_directory_path in */*) ;; *) break ;; esac
 
         # ...otherwise throw away the child directory and loop
-        my_directory_path=`$ECHO "X$my_directory_path" | $Xsed -e "$dirname"`
+        my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"`
       done
-      my_dir_list=`$ECHO "X$my_dir_list" | $Xsed -e 's,:*$,,'`
+      my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'`
 
       save_mkdir_p_IFS="$IFS"; IFS=':'
       for my_dir in $my_dir_list; do
@@ -378,7 +581,7 @@ func_mktempdir ()
         func_fatal_error "cannot create temporary directory \`$my_tmpdir'"
     fi
 
-    $ECHO "X$my_tmpdir" | $Xsed
+    $ECHO "$my_tmpdir"
 }
 
 
@@ -392,7 +595,7 @@ func_quote_for_eval ()
 {
     case $1 in
       *[\\\`\"\$]*)
-	func_quote_for_eval_unquoted_result=`$ECHO "X$1" | $Xsed -e "$sed_quote_subst"` ;;
+	func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;;
       *)
         func_quote_for_eval_unquoted_result="$1" ;;
     esac
@@ -419,7 +622,7 @@ func_quote_for_expand ()
 {
     case $1 in
       *[\\\`\"]*)
-	my_arg=`$ECHO "X$1" | $Xsed \
+	my_arg=`$ECHO "$1" | $SED \
 	    -e "$double_quote_subst" -e "$sed_double_backslash"` ;;
       *)
         my_arg="$1" ;;
@@ -488,15 +691,39 @@ func_show_eval_locale ()
     fi
 }
 
-
-
+# func_tr_sh
+# Turn $1 into a string suitable for a shell variable name.
+# Result is stored in $func_tr_sh_result.  All characters
+# not in the set a-zA-Z0-9_ are replaced with '_'. Further,
+# if $1 begins with a digit, a '_' is prepended as well.
+func_tr_sh ()
+{
+  case $1 in
+  [0-9]* | *[!a-zA-Z0-9_]*)
+    func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'`
+    ;;
+  * )
+    func_tr_sh_result=$1
+    ;;
+  esac
+}
 
 
 # func_version
 # Echo version message to standard output and exit.
 func_version ()
 {
-    $SED -n '/^# '$PROGRAM' (GNU /,/# warranty; / {
+    $opt_debug
+
+    $SED -n '/(C)/!b go
+	:more
+	/\./!{
+	  N
+	  s/\n# / /
+	  b more
+	}
+	:go
+	/^# '$PROGRAM' (GNU /,/# warranty; / {
         s/^# //
 	s/^# *$//
         s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/
@@ -509,22 +736,28 @@ func_version ()
 # Echo short help message to standard output and exit.
 func_usage ()
 {
-    $SED -n '/^# Usage:/,/# -h/ {
+    $opt_debug
+
+    $SED -n '/^# Usage:/,/^#  *.*--help/ {
         s/^# //
 	s/^# *$//
 	s/\$progname/'$progname'/
 	p
     }' < "$progpath"
-    $ECHO
+    echo
     $ECHO "run \`$progname --help | more' for full usage"
     exit $?
 }
 
-# func_help
-# Echo long help message to standard output and exit.
+# func_help [NOEXIT]
+# Echo long help message to standard output and exit,
+# unless 'noexit' is passed as argument.
 func_help ()
 {
+    $opt_debug
+
     $SED -n '/^# Usage:/,/# Report bugs to/ {
+	:print
         s/^# //
 	s/^# *$//
 	s*\$progname*'$progname'*
@@ -534,11 +767,18 @@ func_help ()
 	s*\$LTCFLAGS*'"$LTCFLAGS"'*
 	s*\$LD*'"$LD"'*
 	s/\$with_gnu_ld/'"$with_gnu_ld"'/
-	s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/
-	s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/
+	s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
+	s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
 	p
-     }' < "$progpath"
-    exit $?
+	d
+     }
+     /^# .* home page:/b print
+     /^# General help using/b print
+     ' < "$progpath"
+    ret=$?
+    if test -z "$1"; then
+      exit $ret
+    fi
 }
 
 # func_missing_arg argname
@@ -546,63 +786,106 @@ func_help ()
 # exit_cmd.
 func_missing_arg ()
 {
-    func_error "missing argument for $1"
+    $opt_debug
+
+    func_error "missing argument for $1."
     exit_cmd=exit
 }
 
-exit_cmd=:
 
+# func_split_short_opt shortopt
+# Set func_split_short_opt_name and func_split_short_opt_arg shell
+# variables after splitting SHORTOPT after the 2nd character.
+func_split_short_opt ()
+{
+    my_sed_short_opt='1s/^\(..\).*$/\1/;q'
+    my_sed_short_rest='1s/^..\(.*\)$/\1/;q'
 
+    func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"`
+    func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"`
+} # func_split_short_opt may be replaced by extended shell implementation
+
+
+# func_split_long_opt longopt
+# Set func_split_long_opt_name and func_split_long_opt_arg shell
+# variables after splitting LONGOPT at the `=' sign.
+func_split_long_opt ()
+{
+    my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q'
+    my_sed_long_arg='1s/^--[^=]*=//'
+
+    func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"`
+    func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"`
+} # func_split_long_opt may be replaced by extended shell implementation
+
+exit_cmd=:
 
 
 
-# Check that we have a working $ECHO.
-if test "X$1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X$1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then
-  # Yippee, $ECHO works!
-  :
-else
-  # Restart under the correct shell, and then maybe $ECHO will work.
-  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
-fi
 
-if test "X$1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<EOF
-$*
-EOF
-  exit $EXIT_SUCCESS
-fi
 
 magic="%%%MAGIC variable%%%"
 magic_exe="%%%MAGIC EXE variable%%%"
 
 # Global variables.
-# $mode is unset
 nonopt=
-execute_dlfiles=
 preserve_args=
 lo2o="s/\\.lo\$/.${objext}/"
 o2lo="s/\\.${objext}\$/.lo/"
 extracted_archives=
 extracted_serial=0
 
-opt_dry_run=false
-opt_duplicate_deps=false
-opt_silent=false
-opt_debug=:
-
 # If this variable is set in any of the actions, the command in it
 # will be execed at the end.  This prevents here-documents from being
 # left over by shells.
 exec_cmd=
 
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+    eval "${1}=\$${1}\${2}"
+} # func_append may be replaced by extended shell implementation
+
+# func_append_quoted var value
+# Quote VALUE and append to the end of shell variable VAR, separated
+# by a space.
+func_append_quoted ()
+{
+    func_quote_for_eval "${2}"
+    eval "${1}=\$${1}\\ \$func_quote_for_eval_result"
+} # func_append_quoted may be replaced by extended shell implementation
+
+
+# func_arith arithmetic-term...
+func_arith ()
+{
+    func_arith_result=`expr "${@}"`
+} # func_arith may be replaced by extended shell implementation
+
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+    func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len`
+} # func_len may be replaced by extended shell implementation
+
+
+# func_lo2o object
+func_lo2o ()
+{
+    func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"`
+} # func_lo2o may be replaced by extended shell implementation
+
+
+# func_xform libobj-or-source
+func_xform ()
+{
+    func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'`
+} # func_xform may be replaced by extended shell implementation
+
+
 # func_fatal_configuration arg...
 # Echo program name prefixed message to standard error, followed by
 # a configuration failure hint, and exit.
@@ -636,16 +919,16 @@ func_config ()
 # Display the features supported by this script.
 func_features ()
 {
-    $ECHO "host: $host"
+    echo "host: $host"
     if test "$build_libtool_libs" = yes; then
-      $ECHO "enable shared libraries"
+      echo "enable shared libraries"
     else
-      $ECHO "disable shared libraries"
+      echo "disable shared libraries"
     fi
     if test "$build_old_libs" = yes; then
-      $ECHO "enable static libraries"
+      echo "enable static libraries"
     else
-      $ECHO "disable static libraries"
+      echo "disable static libraries"
     fi
 
     exit $?
@@ -692,117 +975,209 @@ func_enable_tag ()
   esac
 }
 
-# Parse options once, thoroughly.  This comes as soon as possible in
-# the script to make things like `libtool --version' happen quickly.
+# func_check_version_match
+# Ensure that we are using m4 macros, and libtool script from the same
+# release of libtool.
+func_check_version_match ()
 {
+  if test "$package_revision" != "$macro_revision"; then
+    if test "$VERSION" != "$macro_version"; then
+      if test -z "$macro_version"; then
+        cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from an older release.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+      else
+        cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+      fi
+    else
+      cat >&2 <<_LT_EOF
+$progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
+$progname: but the definition of this LT_INIT comes from revision $macro_revision.
+$progname: You should recreate aclocal.m4 with macros from revision $package_revision
+$progname: of $PACKAGE $VERSION and run autoconf again.
+_LT_EOF
+    fi
+
+    exit $EXIT_MISMATCH
+  fi
+}
+
+
+# Shorthand for --mode=foo, only valid as the first argument
+case $1 in
+clean|clea|cle|cl)
+  shift; set dummy --mode clean ${1+"$@"}; shift
+  ;;
+compile|compil|compi|comp|com|co|c)
+  shift; set dummy --mode compile ${1+"$@"}; shift
+  ;;
+execute|execut|execu|exec|exe|ex|e)
+  shift; set dummy --mode execute ${1+"$@"}; shift
+  ;;
+finish|finis|fini|fin|fi|f)
+  shift; set dummy --mode finish ${1+"$@"}; shift
+  ;;
+install|instal|insta|inst|ins|in|i)
+  shift; set dummy --mode install ${1+"$@"}; shift
+  ;;
+link|lin|li|l)
+  shift; set dummy --mode link ${1+"$@"}; shift
+  ;;
+uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
+  shift; set dummy --mode uninstall ${1+"$@"}; shift
+  ;;
+esac
+
 
-  # Shorthand for --mode=foo, only valid as the first argument
-  case $1 in
-  clean|clea|cle|cl)
-    shift; set dummy --mode clean ${1+"$@"}; shift
-    ;;
-  compile|compil|compi|comp|com|co|c)
-    shift; set dummy --mode compile ${1+"$@"}; shift
-    ;;
-  execute|execut|execu|exec|exe|ex|e)
-    shift; set dummy --mode execute ${1+"$@"}; shift
-    ;;
-  finish|finis|fini|fin|fi|f)
-    shift; set dummy --mode finish ${1+"$@"}; shift
-    ;;
-  install|instal|insta|inst|ins|in|i)
-    shift; set dummy --mode install ${1+"$@"}; shift
-    ;;
-  link|lin|li|l)
-    shift; set dummy --mode link ${1+"$@"}; shift
-    ;;
-  uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
-    shift; set dummy --mode uninstall ${1+"$@"}; shift
-    ;;
-  esac
 
-  # Parse non-mode specific arguments:
-  while test "$#" -gt 0; do
+# Option defaults:
+opt_debug=:
+opt_dry_run=false
+opt_config=false
+opt_preserve_dup_deps=false
+opt_features=false
+opt_finish=false
+opt_help=false
+opt_help_all=false
+opt_silent=:
+opt_warning=:
+opt_verbose=:
+opt_silent=false
+opt_verbose=false
+
+
+# Parse options once, thoroughly.  This comes as soon as possible in the
+# script to make things like `--version' happen as quickly as we can.
+{
+  # this just eases exit handling
+  while test $# -gt 0; do
     opt="$1"
     shift
-
     case $opt in
-      --config)		func_config					;;
-
-      --debug)		preserve_args="$preserve_args $opt"
+      --debug|-x)	opt_debug='set -x'
 			func_echo "enabling shell trace mode"
-			opt_debug='set -x'
 			$opt_debug
 			;;
-
-      -dlopen)		test "$#" -eq 0 && func_missing_arg "$opt" && break
-			execute_dlfiles="$execute_dlfiles $1"
-			shift
+      --dry-run|--dryrun|-n)
+			opt_dry_run=:
 			;;
-
-      --dry-run | -n)	opt_dry_run=:					;;
-      --features)       func_features					;;
-      --finish)		mode="finish"					;;
-
-      --mode)		test "$#" -eq 0 && func_missing_arg "$opt" && break
-			case $1 in
-			  # Valid mode arguments:
-			  clean)	;;
-			  compile)	;;
-			  execute)	;;
-			  finish)	;;
-			  install)	;;
-			  link)		;;
-			  relink)	;;
-			  uninstall)	;;
-
-			  # Catch anything else as an error
-			  *) func_error "invalid argument for $opt"
-			     exit_cmd=exit
-			     break
-			     ;;
-		        esac
-
-			mode="$1"
+      --config)
+			opt_config=:
+func_config
+			;;
+      --dlopen|-dlopen)
+			optarg="$1"
+			opt_dlopen="${opt_dlopen+$opt_dlopen
+}$optarg"
 			shift
 			;;
-
       --preserve-dup-deps)
-			opt_duplicate_deps=:				;;
-
-      --quiet|--silent)	preserve_args="$preserve_args $opt"
-			opt_silent=:
+			opt_preserve_dup_deps=:
 			;;
-
-      --verbose| -v)	preserve_args="$preserve_args $opt"
+      --features)
+			opt_features=:
+func_features
+			;;
+      --finish)
+			opt_finish=:
+set dummy --mode finish ${1+"$@"}; shift
+			;;
+      --help)
+			opt_help=:
+			;;
+      --help-all)
+			opt_help_all=:
+opt_help=': help-all'
+			;;
+      --mode)
+			test $# = 0 && func_missing_arg $opt && break
+			optarg="$1"
+			opt_mode="$optarg"
+case $optarg in
+  # Valid mode arguments:
+  clean|compile|execute|finish|install|link|relink|uninstall) ;;
+
+  # Catch anything else as an error
+  *) func_error "invalid argument for $opt"
+     exit_cmd=exit
+     break
+     ;;
+esac
+			shift
+			;;
+      --no-silent|--no-quiet)
 			opt_silent=false
+func_append preserve_args " $opt"
 			;;
-
-      --tag)		test "$#" -eq 0 && func_missing_arg "$opt" && break
-			preserve_args="$preserve_args $opt $1"
-			func_enable_tag "$1"	# tagname is set here
+      --no-warning|--no-warn)
+			opt_warning=false
+func_append preserve_args " $opt"
+			;;
+      --no-verbose)
+			opt_verbose=false
+func_append preserve_args " $opt"
+			;;
+      --silent|--quiet)
+			opt_silent=:
+func_append preserve_args " $opt"
+        opt_verbose=false
+			;;
+      --verbose|-v)
+			opt_verbose=:
+func_append preserve_args " $opt"
+opt_silent=false
+			;;
+      --tag)
+			test $# = 0 && func_missing_arg $opt && break
+			optarg="$1"
+			opt_tag="$optarg"
+func_append preserve_args " $opt $optarg"
+func_enable_tag "$optarg"
 			shift
 			;;
 
+      -\?|-h)		func_usage				;;
+      --help)		func_help				;;
+      --version)	func_version				;;
+
       # Separate optargs to long options:
-      -dlopen=*|--mode=*|--tag=*)
-			func_opt_split "$opt"
-			set dummy "$func_opt_split_opt" "$func_opt_split_arg" ${1+"$@"}
+      --*=*)
+			func_split_long_opt "$opt"
+			set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"}
 			shift
 			;;
 
-      -\?|-h)		func_usage					;;
-      --help)		opt_help=:					;;
-      --version)	func_version					;;
-
-      -*)		func_fatal_help "unrecognized option \`$opt'"	;;
-
-      *)		nonopt="$opt"
-			break
+      # Separate non-argument short options:
+      -\?*|-h*|-n*|-v*)
+			func_split_short_opt "$opt"
+			set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"}
+			shift
 			;;
+
+      --)		break					;;
+      -*)		func_fatal_help "unrecognized option \`$opt'" ;;
+      *)		set dummy "$opt" ${1+"$@"};	shift; break  ;;
     esac
   done
 
+  # Validate options:
+
+  # save first non-option argument
+  if test "$#" -gt 0; then
+    nonopt="$opt"
+    shift
+  fi
+
+  # preserve --debug
+  test "$opt_debug" = : || func_append preserve_args " --debug"
 
   case $host in
     *cygwin* | *mingw* | *pw32* | *cegcc*)
@@ -810,82 +1185,44 @@ func_enable_tag ()
       opt_duplicate_compiler_generated_deps=:
       ;;
     *)
-      opt_duplicate_compiler_generated_deps=$opt_duplicate_deps
+      opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
       ;;
   esac
 
-  # Having warned about all mis-specified options, bail out if
-  # anything was wrong.
-  $exit_cmd $EXIT_FAILURE
-}
+  $opt_help || {
+    # Sanity checks first:
+    func_check_version_match
 
-# func_check_version_match
-# Ensure that we are using m4 macros, and libtool script from the same
-# release of libtool.
-func_check_version_match ()
-{
-  if test "$package_revision" != "$macro_revision"; then
-    if test "$VERSION" != "$macro_version"; then
-      if test -z "$macro_version"; then
-        cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from an older release.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
-      else
-        cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
-      fi
-    else
-      cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
-$progname: but the definition of this LT_INIT comes from revision $macro_revision.
-$progname: You should recreate aclocal.m4 with macros from revision $package_revision
-$progname: of $PACKAGE $VERSION and run autoconf again.
-_LT_EOF
+    if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+      func_fatal_configuration "not configured to build any kind of library"
     fi
 
-    exit $EXIT_MISMATCH
-  fi
-}
-
-
-## ----------- ##
-##    Main.    ##
-## ----------- ##
-
-$opt_help || {
-  # Sanity checks first:
-  func_check_version_match
+    # Darwin sucks
+    eval std_shrext=\"$shrext_cmds\"
 
-  if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
-    func_fatal_configuration "not configured to build any kind of library"
-  fi
+    # Only execute mode is allowed to have -dlopen flags.
+    if test -n "$opt_dlopen" && test "$opt_mode" != execute; then
+      func_error "unrecognized option \`-dlopen'"
+      $ECHO "$help" 1>&2
+      exit $EXIT_FAILURE
+    fi
 
-  test -z "$mode" && func_fatal_error "error: you must specify a MODE."
+    # Change the help message to a mode-specific one.
+    generic_help="$help"
+    help="Try \`$progname --help --mode=$opt_mode' for more information."
+  }
 
 
-  # Darwin sucks
-  eval std_shrext=\"$shrext_cmds\"
+  # Bail if the options were screwed
+  $exit_cmd $EXIT_FAILURE
+}
 
 
-  # Only execute mode is allowed to have -dlopen flags.
-  if test -n "$execute_dlfiles" && test "$mode" != execute; then
-    func_error "unrecognized option \`-dlopen'"
-    $ECHO "$help" 1>&2
-    exit $EXIT_FAILURE
-  fi
 
-  # Change the help message to a mode-specific one.
-  generic_help="$help"
-  help="Try \`$progname --help --mode=$mode' for more information."
-}
 
+## ----------- ##
+##    Main.    ##
+## ----------- ##
 
 # func_lalib_p file
 # True iff FILE is a libtool `.la' library or `.lo' object file.
@@ -950,12 +1287,9 @@ func_ltwrapper_executable_p ()
 # temporary ltwrapper_script.
 func_ltwrapper_scriptname ()
 {
-    func_ltwrapper_scriptname_result=""
-    if func_ltwrapper_executable_p "$1"; then
-	func_dirname_and_basename "$1" "" "."
-	func_stripname '' '.exe' "$func_basename_result"
-	func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
-    fi
+    func_dirname_and_basename "$1" "" "."
+    func_stripname '' '.exe' "$func_basename_result"
+    func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
 }
 
 # func_ltwrapper_p file
@@ -1001,6 +1335,37 @@ func_source ()
 }
 
 
+# func_resolve_sysroot PATH
+# Replace a leading = in PATH with a sysroot.  Store the result into
+# func_resolve_sysroot_result
+func_resolve_sysroot ()
+{
+  func_resolve_sysroot_result=$1
+  case $func_resolve_sysroot_result in
+  =*)
+    func_stripname '=' '' "$func_resolve_sysroot_result"
+    func_resolve_sysroot_result=$lt_sysroot$func_stripname_result
+    ;;
+  esac
+}
+
+# func_replace_sysroot PATH
+# If PATH begins with the sysroot, replace it with = and
+# store the result into func_replace_sysroot_result.
+func_replace_sysroot ()
+{
+  case "$lt_sysroot:$1" in
+  ?*:"$lt_sysroot"*)
+    func_stripname "$lt_sysroot" '' "$1"
+    func_replace_sysroot_result="=$func_stripname_result"
+    ;;
+  *)
+    # Including no sysroot.
+    func_replace_sysroot_result=$1
+    ;;
+  esac
+}
+
 # func_infer_tag arg
 # Infer tagged configuration to use if any are available and
 # if one wasn't chosen via the "--tag" command line option.
@@ -1013,13 +1378,15 @@ func_infer_tag ()
     if test -n "$available_tags" && test -z "$tagname"; then
       CC_quoted=
       for arg in $CC; do
-        func_quote_for_eval "$arg"
-	CC_quoted="$CC_quoted $func_quote_for_eval_result"
+	func_append_quoted CC_quoted "$arg"
       done
+      CC_expanded=`func_echo_all $CC`
+      CC_quoted_expanded=`func_echo_all $CC_quoted`
       case $@ in
       # Blanks in the command may have been stripped by the calling shell,
       # but not from the CC environment variable when configure was run.
-      " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) ;;
+      " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+      " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;;
       # Blanks at the start of $base_compile will cause this to fail
       # if we don't check for them as well.
       *)
@@ -1030,11 +1397,13 @@ func_infer_tag ()
 	    CC_quoted=
 	    for arg in $CC; do
 	      # Double-quote args containing other shell metacharacters.
-	      func_quote_for_eval "$arg"
-	      CC_quoted="$CC_quoted $func_quote_for_eval_result"
+	      func_append_quoted CC_quoted "$arg"
 	    done
+	    CC_expanded=`func_echo_all $CC`
+	    CC_quoted_expanded=`func_echo_all $CC_quoted`
 	    case "$@ " in
-	      " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*)
+	    " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+	    " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*)
 	      # The compiler in the base compile command matches
 	      # the one in the tagged configuration.
 	      # Assume this is the tagged configuration we want.
@@ -1097,6 +1466,486 @@ EOF
     }
 }
 
+
+##################################################
+# FILE NAME AND PATH CONVERSION HELPER FUNCTIONS #
+##################################################
+
+# func_convert_core_file_wine_to_w32 ARG
+# Helper function used by file name conversion functions when $build is *nix,
+# and $host is mingw, cygwin, or some other w32 environment. Relies on a
+# correctly configured wine environment available, with the winepath program
+# in $build's $PATH.
+#
+# ARG is the $build file name to be converted to w32 format.
+# Result is available in $func_convert_core_file_wine_to_w32_result, and will
+# be empty on error (or when ARG is empty)
+func_convert_core_file_wine_to_w32 ()
+{
+  $opt_debug
+  func_convert_core_file_wine_to_w32_result="$1"
+  if test -n "$1"; then
+    # Unfortunately, winepath does not exit with a non-zero error code, so we
+    # are forced to check the contents of stdout. On the other hand, if the
+    # command is not found, the shell will set an exit code of 127 and print
+    # *an error message* to stdout. So we must check for both error code of
+    # zero AND non-empty stdout, which explains the odd construction:
+    func_convert_core_file_wine_to_w32_tmp=`winepath -w "$1" 2>/dev/null`
+    if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then
+      func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" |
+        $SED -e "$lt_sed_naive_backslashify"`
+    else
+      func_convert_core_file_wine_to_w32_result=
+    fi
+  fi
+}
+# end: func_convert_core_file_wine_to_w32
+
+
+# func_convert_core_path_wine_to_w32 ARG
+# Helper function used by path conversion functions when $build is *nix, and
+# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly
+# configured wine environment available, with the winepath program in $build's
+# $PATH. Assumes ARG has no leading or trailing path separator characters.
+#
+# ARG is path to be converted from $build format to win32.
+# Result is available in $func_convert_core_path_wine_to_w32_result.
+# Unconvertible file (directory) names in ARG are skipped; if no directory names
+# are convertible, then the result may be empty.
+func_convert_core_path_wine_to_w32 ()
+{
+  $opt_debug
+  # unfortunately, winepath doesn't convert paths, only file names
+  func_convert_core_path_wine_to_w32_result=""
+  if test -n "$1"; then
+    oldIFS=$IFS
+    IFS=:
+    for func_convert_core_path_wine_to_w32_f in $1; do
+      IFS=$oldIFS
+      func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f"
+      if test -n "$func_convert_core_file_wine_to_w32_result" ; then
+        if test -z "$func_convert_core_path_wine_to_w32_result"; then
+          func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result"
+        else
+          func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result"
+        fi
+      fi
+    done
+    IFS=$oldIFS
+  fi
+}
+# end: func_convert_core_path_wine_to_w32
+
+
+# func_cygpath ARGS...
+# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when
+# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2)
+# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or
+# (2), returns the Cygwin file name or path in func_cygpath_result (input
+# file name or path is assumed to be in w32 format, as previously converted
+# from $build's *nix or MSYS format). In case (3), returns the w32 file name
+# or path in func_cygpath_result (input file name or path is assumed to be in
+# Cygwin format). Returns an empty string on error.
+#
+# ARGS are passed to cygpath, with the last one being the file name or path to
+# be converted.
+#
+# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH
+# environment variable; do not put it in $PATH.
+func_cygpath ()
+{
+  $opt_debug
+  if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then
+    func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null`
+    if test "$?" -ne 0; then
+      # on failure, ensure result is empty
+      func_cygpath_result=
+    fi
+  else
+    func_cygpath_result=
+    func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'"
+  fi
+}
+#end: func_cygpath
+
+
+# func_convert_core_msys_to_w32 ARG
+# Convert file name or path ARG from MSYS format to w32 format.  Return
+# result in func_convert_core_msys_to_w32_result.
+func_convert_core_msys_to_w32 ()
+{
+  $opt_debug
+  # awkward: cmd appends spaces to result
+  func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null |
+    $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"`
+}
+#end: func_convert_core_msys_to_w32
+
+
+# func_convert_file_check ARG1 ARG2
+# Verify that ARG1 (a file name in $build format) was converted to $host
+# format in ARG2. Otherwise, emit an error message, but continue (resetting
+# func_to_host_file_result to ARG1).
+func_convert_file_check ()
+{
+  $opt_debug
+  if test -z "$2" && test -n "$1" ; then
+    func_error "Could not determine host file name corresponding to"
+    func_error "  \`$1'"
+    func_error "Continuing, but uninstalled executables may not work."
+    # Fallback:
+    func_to_host_file_result="$1"
+  fi
+}
+# end func_convert_file_check
+
+
+# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH
+# Verify that FROM_PATH (a path in $build format) was converted to $host
+# format in TO_PATH. Otherwise, emit an error message, but continue, resetting
+# func_to_host_file_result to a simplistic fallback value (see below).
+func_convert_path_check ()
+{
+  $opt_debug
+  if test -z "$4" && test -n "$3"; then
+    func_error "Could not determine the host path corresponding to"
+    func_error "  \`$3'"
+    func_error "Continuing, but uninstalled executables may not work."
+    # Fallback.  This is a deliberately simplistic "conversion" and
+    # should not be "improved".  See libtool.info.
+    if test "x$1" != "x$2"; then
+      lt_replace_pathsep_chars="s|$1|$2|g"
+      func_to_host_path_result=`echo "$3" |
+        $SED -e "$lt_replace_pathsep_chars"`
+    else
+      func_to_host_path_result="$3"
+    fi
+  fi
+}
+# end func_convert_path_check
+
+
+# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG
+# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT
+# and appending REPL if ORIG matches BACKPAT.
+func_convert_path_front_back_pathsep ()
+{
+  $opt_debug
+  case $4 in
+  $1 ) func_to_host_path_result="$3$func_to_host_path_result"
+    ;;
+  esac
+  case $4 in
+  $2 ) func_append func_to_host_path_result "$3"
+    ;;
+  esac
+}
+# end func_convert_path_front_back_pathsep
+
+
+##################################################
+# $build to $host FILE NAME CONVERSION FUNCTIONS #
+##################################################
+# invoked via `$to_host_file_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# Result will be available in $func_to_host_file_result.
+
+
+# func_to_host_file ARG
+# Converts the file name ARG from $build format to $host format. Return result
+# in func_to_host_file_result.
+func_to_host_file ()
+{
+  $opt_debug
+  $to_host_file_cmd "$1"
+}
+# end func_to_host_file
+
+
+# func_to_tool_file ARG LAZY
+# converts the file name ARG from $build format to toolchain format. Return
+# result in func_to_tool_file_result.  If the conversion in use is listed
+# in (the comma separated) LAZY, no conversion takes place.
+func_to_tool_file ()
+{
+  $opt_debug
+  case ,$2, in
+    *,"$to_tool_file_cmd",*)
+      func_to_tool_file_result=$1
+      ;;
+    *)
+      $to_tool_file_cmd "$1"
+      func_to_tool_file_result=$func_to_host_file_result
+      ;;
+  esac
+}
+# end func_to_tool_file
+
+
+# func_convert_file_noop ARG
+# Copy ARG to func_to_host_file_result.
+func_convert_file_noop ()
+{
+  func_to_host_file_result="$1"
+}
+# end func_convert_file_noop
+
+
+# func_convert_file_msys_to_w32 ARG
+# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper.  Returns result in
+# func_to_host_file_result.
+func_convert_file_msys_to_w32 ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    func_convert_core_msys_to_w32 "$1"
+    func_to_host_file_result="$func_convert_core_msys_to_w32_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_w32
+
+
+# func_convert_file_cygwin_to_w32 ARG
+# Convert file name ARG from Cygwin to w32 format.  Returns result in
+# func_to_host_file_result.
+func_convert_file_cygwin_to_w32 ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    # because $build is cygwin, we call "the" cygpath in $PATH; no need to use
+    # LT_CYGPATH in this case.
+    func_to_host_file_result=`cygpath -m "$1"`
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_cygwin_to_w32
+
+
+# func_convert_file_nix_to_w32 ARG
+# Convert file name ARG from *nix to w32 format.  Requires a wine environment
+# and a working winepath. Returns result in func_to_host_file_result.
+func_convert_file_nix_to_w32 ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    func_convert_core_file_wine_to_w32 "$1"
+    func_to_host_file_result="$func_convert_core_file_wine_to_w32_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_w32
+
+
+# func_convert_file_msys_to_cygwin ARG
+# Convert file name ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_file_msys_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    func_convert_core_msys_to_w32 "$1"
+    func_cygpath -u "$func_convert_core_msys_to_w32_result"
+    func_to_host_file_result="$func_cygpath_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_msys_to_cygwin
+
+
+# func_convert_file_nix_to_cygwin ARG
+# Convert file name ARG from *nix to Cygwin format.  Requires Cygwin installed
+# in a wine environment, working winepath, and LT_CYGPATH set.  Returns result
+# in func_to_host_file_result.
+func_convert_file_nix_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_file_result="$1"
+  if test -n "$1"; then
+    # convert from *nix to w32, then use cygpath to convert from w32 to cygwin.
+    func_convert_core_file_wine_to_w32 "$1"
+    func_cygpath -u "$func_convert_core_file_wine_to_w32_result"
+    func_to_host_file_result="$func_cygpath_result"
+  fi
+  func_convert_file_check "$1" "$func_to_host_file_result"
+}
+# end func_convert_file_nix_to_cygwin
+
+
+#############################################
+# $build to $host PATH CONVERSION FUNCTIONS #
+#############################################
+# invoked via `$to_host_path_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# The result will be available in $func_to_host_path_result.
+#
+# Path separators are also converted from $build format to $host format.  If
+# ARG begins or ends with a path separator character, it is preserved (but
+# converted to $host format) on output.
+#
+# All path conversion functions are named using the following convention:
+#   file name conversion function    : func_convert_file_X_to_Y ()
+#   path conversion function         : func_convert_path_X_to_Y ()
+# where, for any given $build/$host combination the 'X_to_Y' value is the
+# same.  If conversion functions are added for new $build/$host combinations,
+# the two new functions must follow this pattern, or func_init_to_host_path_cmd
+# will break.
+
+
+# func_init_to_host_path_cmd
+# Ensures that function "pointer" variable $to_host_path_cmd is set to the
+# appropriate value, based on the value of $to_host_file_cmd.
+to_host_path_cmd=
+func_init_to_host_path_cmd ()
+{
+  $opt_debug
+  if test -z "$to_host_path_cmd"; then
+    func_stripname 'func_convert_file_' '' "$to_host_file_cmd"
+    to_host_path_cmd="func_convert_path_${func_stripname_result}"
+  fi
+}
+
+
+# func_to_host_path ARG
+# Converts the path ARG from $build format to $host format. Return result
+# in func_to_host_path_result.
+func_to_host_path ()
+{
+  $opt_debug
+  func_init_to_host_path_cmd
+  $to_host_path_cmd "$1"
+}
+# end func_to_host_path
+
+
+# func_convert_path_noop ARG
+# Copy ARG to func_to_host_path_result.
+func_convert_path_noop ()
+{
+  func_to_host_path_result="$1"
+}
+# end func_convert_path_noop
+
+
+# func_convert_path_msys_to_w32 ARG
+# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic
+# conversion to w32 is not available inside the cwrapper.  Returns result in
+# func_to_host_path_result.
+func_convert_path_msys_to_w32 ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # Remove leading and trailing path separator characters from ARG.  MSYS
+    # behavior is inconsistent here; cygpath turns them into '.;' and ';.';
+    # and winepath ignores them completely.
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+    func_to_host_path_result="$func_convert_core_msys_to_w32_result"
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_msys_to_w32
+
+
+# func_convert_path_cygwin_to_w32 ARG
+# Convert path ARG from Cygwin to w32 format.  Returns result in
+# func_to_host_file_result.
+func_convert_path_cygwin_to_w32 ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"`
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_cygwin_to_w32
+
+
+# func_convert_path_nix_to_w32 ARG
+# Convert path ARG from *nix to w32 format.  Requires a wine environment and
+# a working winepath.  Returns result in func_to_host_file_result.
+func_convert_path_nix_to_w32 ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+    func_to_host_path_result="$func_convert_core_path_wine_to_w32_result"
+    func_convert_path_check : ";" \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
+  fi
+}
+# end func_convert_path_nix_to_w32
+
+
+# func_convert_path_msys_to_cygwin ARG
+# Convert path ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
+# Returns result in func_to_host_file_result.
+func_convert_path_msys_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # See func_convert_path_msys_to_w32:
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
+    func_cygpath -u -p "$func_convert_core_msys_to_w32_result"
+    func_to_host_path_result="$func_cygpath_result"
+    func_convert_path_check : : \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+  fi
+}
+# end func_convert_path_msys_to_cygwin
+
+
+# func_convert_path_nix_to_cygwin ARG
+# Convert path ARG from *nix to Cygwin format.  Requires Cygwin installed in a
+# a wine environment, working winepath, and LT_CYGPATH set.  Returns result in
+# func_to_host_file_result.
+func_convert_path_nix_to_cygwin ()
+{
+  $opt_debug
+  func_to_host_path_result="$1"
+  if test -n "$1"; then
+    # Remove leading and trailing path separator characters from
+    # ARG. msys behavior is inconsistent here, cygpath turns them
+    # into '.;' and ';.', and winepath ignores them completely.
+    func_stripname : : "$1"
+    func_to_host_path_tmp1=$func_stripname_result
+    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
+    func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result"
+    func_to_host_path_result="$func_cygpath_result"
+    func_convert_path_check : : \
+      "$func_to_host_path_tmp1" "$func_to_host_path_result"
+    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
+  fi
+}
+# end func_convert_path_nix_to_cygwin
+
+
 # func_mode_compile arg...
 func_mode_compile ()
 {
@@ -1137,12 +1986,12 @@ func_mode_compile ()
 	  ;;
 
 	-pie | -fpie | -fPIE)
-          pie_flag="$pie_flag $arg"
+          func_append pie_flag " $arg"
 	  continue
 	  ;;
 
 	-shared | -static | -prefer-pic | -prefer-non-pic)
-	  later="$later $arg"
+	  func_append later " $arg"
 	  continue
 	  ;;
 
@@ -1163,15 +2012,14 @@ func_mode_compile ()
 	  save_ifs="$IFS"; IFS=','
 	  for arg in $args; do
 	    IFS="$save_ifs"
-	    func_quote_for_eval "$arg"
-	    lastarg="$lastarg $func_quote_for_eval_result"
+	    func_append_quoted lastarg "$arg"
 	  done
 	  IFS="$save_ifs"
 	  func_stripname ' ' '' "$lastarg"
 	  lastarg=$func_stripname_result
 
 	  # Add the arguments to base_compile.
-	  base_compile="$base_compile $lastarg"
+	  func_append base_compile " $lastarg"
 	  continue
 	  ;;
 
@@ -1187,8 +2035,7 @@ func_mode_compile ()
       esac    #  case $arg_mode
 
       # Aesthetically quote the previous argument.
-      func_quote_for_eval "$lastarg"
-      base_compile="$base_compile $func_quote_for_eval_result"
+      func_append_quoted base_compile "$lastarg"
     done # for arg
 
     case $arg_mode in
@@ -1213,7 +2060,7 @@ func_mode_compile ()
     *.[cCFSifmso] | \
     *.ada | *.adb | *.ads | *.asm | \
     *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
-    *.[fF][09]? | *.for | *.java | *.obj | *.sx)
+    *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup)
       func_xform "$libobj"
       libobj=$func_xform_result
       ;;
@@ -1288,7 +2135,7 @@ func_mode_compile ()
     # Calculate the filename of the output object if compiler does
     # not support -o with -c
     if test "$compiler_c_o" = no; then
-      output_obj=`$ECHO "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+      output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext}
       lockfile="$output_obj.lock"
     else
       output_obj=
@@ -1319,17 +2166,16 @@ compiler."
 	$opt_dry_run || $RM $removelist
 	exit $EXIT_FAILURE
       fi
-      removelist="$removelist $output_obj"
+      func_append removelist " $output_obj"
       $ECHO "$srcfile" > "$lockfile"
     fi
 
     $opt_dry_run || $RM $removelist
-    removelist="$removelist $lockfile"
+    func_append removelist " $lockfile"
     trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15
 
-    if test -n "$fix_srcfile_path"; then
-      eval srcfile=\"$fix_srcfile_path\"
-    fi
+    func_to_tool_file "$srcfile" func_convert_file_msys_to_w32
+    srcfile=$func_to_tool_file_result
     func_quote_for_eval "$srcfile"
     qsrcfile=$func_quote_for_eval_result
 
@@ -1349,7 +2195,7 @@ compiler."
 
       if test -z "$output_obj"; then
 	# Place PIC objects in $objdir
-	command="$command -o $lobj"
+	func_append command " -o $lobj"
       fi
 
       func_show_eval_locale "$command"	\
@@ -1396,11 +2242,11 @@ compiler."
 	command="$base_compile $qsrcfile $pic_flag"
       fi
       if test "$compiler_c_o" = yes; then
-	command="$command -o $obj"
+	func_append command " -o $obj"
       fi
 
       # Suppress compiler output if we already did a PIC compilation.
-      command="$command$suppress_output"
+      func_append command "$suppress_output"
       func_show_eval_locale "$command" \
         '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE'
 
@@ -1445,13 +2291,13 @@ compiler."
 }
 
 $opt_help || {
-test "$mode" = compile && func_mode_compile ${1+"$@"}
+  test "$opt_mode" = compile && func_mode_compile ${1+"$@"}
 }
 
 func_mode_help ()
 {
     # We need to display help for each of the modes.
-    case $mode in
+    case $opt_mode in
       "")
         # Generic help is extracted from the usage comments
         # at the start of this file.
@@ -1482,10 +2328,11 @@ This mode accepts the following additional options:
 
   -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
   -no-suppress      do not suppress compiler output for multiple passes
-  -prefer-pic       try to building PIC objects only
-  -prefer-non-pic   try to building non-PIC objects only
+  -prefer-pic       try to build PIC objects only
+  -prefer-non-pic   try to build non-PIC objects only
   -shared           do not build a \`.o' file suitable for static linking
   -static           only build a \`.o' file suitable for static linking
+  -Wc,FLAG          pass FLAG directly to the compiler
 
 COMPILE-COMMAND is a command to be used in creating a \`standard' object file
 from the given SOURCEFILE.
@@ -1538,7 +2385,7 @@ either the \`install' or \`cp' program.
 
 The following components of INSTALL-COMMAND are treated specially:
 
-  -inst-prefix PREFIX-DIR  Use PREFIX-DIR as a staging area for installation
+  -inst-prefix-dir PREFIX-DIR  Use PREFIX-DIR as a staging area for installation
 
 The rest of the components are interpreted as arguments to that command (only
 BSD-compatible install options are recognized)."
@@ -1558,6 +2405,8 @@ The following components of LINK-COMMAND are treated specially:
 
   -all-static       do not do any dynamic linking at all
   -avoid-version    do not add a version suffix if possible
+  -bindir BINDIR    specify path to binaries directory (for systems where
+                    libraries must be found in the PATH setting at runtime)
   -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
   -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
   -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
@@ -1586,6 +2435,11 @@ The following components of LINK-COMMAND are treated specially:
   -version-info CURRENT[:REVISION[:AGE]]
                     specify library version info [each variable defaults to 0]
   -weak LIBNAME     declare that the target provides the LIBNAME interface
+  -Wc,FLAG
+  -Xcompiler FLAG   pass linker-specific FLAG directly to the compiler
+  -Wl,FLAG
+  -Xlinker FLAG     pass linker-specific FLAG directly to the linker
+  -XCClinker FLAG   pass link-specific FLAG to the compiler driver (CC)
 
 All other options (arguments beginning with \`-') are ignored.
 
@@ -1619,18 +2473,44 @@ Otherwise, only FILE itself is deleted using RM."
         ;;
 
       *)
-        func_fatal_help "invalid operation mode \`$mode'"
+        func_fatal_help "invalid operation mode \`$opt_mode'"
         ;;
     esac
 
-    $ECHO
+    echo
     $ECHO "Try \`$progname --help' for more information about other modes."
-
-    exit $?
 }
 
-  # Now that we've collected a possible --mode arg, show help if necessary
-  $opt_help && func_mode_help
+# Now that we've collected a possible --mode arg, show help if necessary
+if $opt_help; then
+  if test "$opt_help" = :; then
+    func_mode_help
+  else
+    {
+      func_help noexit
+      for opt_mode in compile link execute install finish uninstall clean; do
+	func_mode_help
+      done
+    } | sed -n '1p; 2,$s/^Usage:/  or: /p'
+    {
+      func_help noexit
+      for opt_mode in compile link execute install finish uninstall clean; do
+	echo
+	func_mode_help
+      done
+    } |
+    sed '1d
+      /^When reporting/,/^Report/{
+	H
+	d
+      }
+      $x
+      /information about other modes/d
+      /more detailed .*MODE/d
+      s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/'
+  fi
+  exit $?
+fi
 
 
 # func_mode_execute arg...
@@ -1643,13 +2523,16 @@ func_mode_execute ()
       func_fatal_help "you must specify a COMMAND"
 
     # Handle -dlopen flags immediately.
-    for file in $execute_dlfiles; do
+    for file in $opt_dlopen; do
       test -f "$file" \
 	|| func_fatal_help "\`$file' is not a file"
 
       dir=
       case $file in
       *.la)
+	func_resolve_sysroot "$file"
+	file=$func_resolve_sysroot_result
+
 	# Check to see that this really is a libtool archive.
 	func_lalib_unsafe_p "$file" \
 	  || func_fatal_help "\`$lib' is not a valid libtool archive"
@@ -1671,7 +2554,7 @@ func_mode_execute ()
 	dir="$func_dirname_result"
 
 	if test -f "$dir/$objdir/$dlname"; then
-	  dir="$dir/$objdir"
+	  func_append dir "/$objdir"
 	else
 	  if test ! -f "$dir/$dlname"; then
 	    func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'"
@@ -1712,7 +2595,7 @@ func_mode_execute ()
     for file
     do
       case $file in
-      -*) ;;
+      -* | *.la | *.lo ) ;;
       *)
 	# Do a test to see if this is really a libtool program.
 	if func_ltwrapper_script_p "$file"; then
@@ -1728,8 +2611,7 @@ func_mode_execute ()
 	;;
       esac
       # Quote arguments (to preserve shell metacharacters).
-      func_quote_for_eval "$file"
-      args="$args $func_quote_for_eval_result"
+      func_append_quoted args "$file"
     done
 
     if test "X$opt_dry_run" = Xfalse; then
@@ -1754,29 +2636,66 @@ func_mode_execute ()
       # Display what would be done.
       if test -n "$shlibpath_var"; then
 	eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
-	$ECHO "export $shlibpath_var"
+	echo "export $shlibpath_var"
       fi
       $ECHO "$cmd$args"
       exit $EXIT_SUCCESS
     fi
 }
 
-test "$mode" = execute && func_mode_execute ${1+"$@"}
+test "$opt_mode" = execute && func_mode_execute ${1+"$@"}
 
 
 # func_mode_finish arg...
 func_mode_finish ()
 {
     $opt_debug
-    libdirs="$nonopt"
+    libs=
+    libdirs=
     admincmds=
 
-    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
-      for dir
-      do
-	libdirs="$libdirs $dir"
-      done
+    for opt in "$nonopt" ${1+"$@"}
+    do
+      if test -d "$opt"; then
+	func_append libdirs " $opt"
 
+      elif test -f "$opt"; then
+	if func_lalib_unsafe_p "$opt"; then
+	  func_append libs " $opt"
+	else
+	  func_warning "\`$opt' is not a valid libtool archive"
+	fi
+
+      else
+	func_fatal_error "invalid argument \`$opt'"
+      fi
+    done
+
+    if test -n "$libs"; then
+      if test -n "$lt_sysroot"; then
+        sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"`
+        sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;"
+      else
+        sysroot_cmd=
+      fi
+
+      # Remove sysroot references
+      if $opt_dry_run; then
+        for lib in $libs; do
+          echo "removing references to $lt_sysroot and \`=' prefixes from $lib"
+        done
+      else
+        tmpdir=`func_mktempdir`
+        for lib in $libs; do
+	  sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \
+	    > $tmpdir/tmp-la
+	  mv -f $tmpdir/tmp-la $lib
+	done
+        ${RM}r "$tmpdir"
+      fi
+    fi
+
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
       for libdir in $libdirs; do
 	if test -n "$finish_cmds"; then
 	  # Do each command in the finish commands.
@@ -1786,7 +2705,7 @@ func_mode_finish ()
 	if test -n "$finish_eval"; then
 	  # Do the single finish_eval.
 	  eval cmds=\"$finish_eval\"
-	  $opt_dry_run || eval "$cmds" || admincmds="$admincmds
+	  $opt_dry_run || eval "$cmds" || func_append admincmds "
        $cmds"
 	fi
       done
@@ -1795,53 +2714,55 @@ func_mode_finish ()
     # Exit here if they wanted silent mode.
     $opt_silent && exit $EXIT_SUCCESS
 
-    $ECHO "X----------------------------------------------------------------------" | $Xsed
-    $ECHO "Libraries have been installed in:"
-    for libdir in $libdirs; do
-      $ECHO "   $libdir"
-    done
-    $ECHO
-    $ECHO "If you ever happen to want to link against installed libraries"
-    $ECHO "in a given directory, LIBDIR, you must either use libtool, and"
-    $ECHO "specify the full pathname of the library, or use the \`-LLIBDIR'"
-    $ECHO "flag during linking and do at least one of the following:"
-    if test -n "$shlibpath_var"; then
-      $ECHO "   - add LIBDIR to the \`$shlibpath_var' environment variable"
-      $ECHO "     during execution"
-    fi
-    if test -n "$runpath_var"; then
-      $ECHO "   - add LIBDIR to the \`$runpath_var' environment variable"
-      $ECHO "     during linking"
-    fi
-    if test -n "$hardcode_libdir_flag_spec"; then
-      libdir=LIBDIR
-      eval flag=\"$hardcode_libdir_flag_spec\"
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      echo "----------------------------------------------------------------------"
+      echo "Libraries have been installed in:"
+      for libdir in $libdirs; do
+	$ECHO "   $libdir"
+      done
+      echo
+      echo "If you ever happen to want to link against installed libraries"
+      echo "in a given directory, LIBDIR, you must either use libtool, and"
+      echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+      echo "flag during linking and do at least one of the following:"
+      if test -n "$shlibpath_var"; then
+	echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+	echo "     during execution"
+      fi
+      if test -n "$runpath_var"; then
+	echo "   - add LIBDIR to the \`$runpath_var' environment variable"
+	echo "     during linking"
+      fi
+      if test -n "$hardcode_libdir_flag_spec"; then
+	libdir=LIBDIR
+	eval flag=\"$hardcode_libdir_flag_spec\"
 
-      $ECHO "   - use the \`$flag' linker flag"
-    fi
-    if test -n "$admincmds"; then
-      $ECHO "   - have your system administrator run these commands:$admincmds"
-    fi
-    if test -f /etc/ld.so.conf; then
-      $ECHO "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
-    fi
-    $ECHO
+	$ECHO "   - use the \`$flag' linker flag"
+      fi
+      if test -n "$admincmds"; then
+	$ECHO "   - have your system administrator run these commands:$admincmds"
+      fi
+      if test -f /etc/ld.so.conf; then
+	echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+      fi
+      echo
 
-    $ECHO "See any operating system documentation about shared libraries for"
-    case $host in
-      solaris2.[6789]|solaris2.1[0-9])
-        $ECHO "more information, such as the ld(1), crle(1) and ld.so(8) manual"
-	$ECHO "pages."
-	;;
-      *)
-        $ECHO "more information, such as the ld(1) and ld.so(8) manual pages."
-        ;;
-    esac
-    $ECHO "X----------------------------------------------------------------------" | $Xsed
+      echo "See any operating system documentation about shared libraries for"
+      case $host in
+	solaris2.[6789]|solaris2.1[0-9])
+	  echo "more information, such as the ld(1), crle(1) and ld.so(8) manual"
+	  echo "pages."
+	  ;;
+	*)
+	  echo "more information, such as the ld(1) and ld.so(8) manual pages."
+	  ;;
+      esac
+      echo "----------------------------------------------------------------------"
+    fi
     exit $EXIT_SUCCESS
 }
 
-test "$mode" = finish && func_mode_finish ${1+"$@"}
+test "$opt_mode" = finish && func_mode_finish ${1+"$@"}
 
 
 # func_mode_install arg...
@@ -1852,7 +2773,7 @@ func_mode_install ()
     # install_prog (especially on Windows NT).
     if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
        # Allow the use of GNU shtool's install command.
-       $ECHO "X$nonopt" | $GREP shtool >/dev/null; then
+       case $nonopt in *shtool*) :;; *) false;; esac; then
       # Aesthetically quote it.
       func_quote_for_eval "$nonopt"
       install_prog="$func_quote_for_eval_result "
@@ -1866,7 +2787,12 @@ func_mode_install ()
     # The real first argument should be the name of the installation program.
     # Aesthetically quote it.
     func_quote_for_eval "$arg"
-    install_prog="$install_prog$func_quote_for_eval_result"
+    func_append install_prog "$func_quote_for_eval_result"
+    install_shared_prog=$install_prog
+    case " $install_prog " in
+      *[\\\ /]cp\ *) install_cp=: ;;
+      *) install_cp=false ;;
+    esac
 
     # We need to accept at least all the BSD install flags.
     dest=
@@ -1876,10 +2802,12 @@ func_mode_install ()
     install_type=
     isdir=no
     stripme=
+    no_mode=:
     for arg
     do
+      arg2=
       if test -n "$dest"; then
-	files="$files $dest"
+	func_append files " $dest"
 	dest=$arg
 	continue
       fi
@@ -1887,10 +2815,9 @@ func_mode_install ()
       case $arg in
       -d) isdir=yes ;;
       -f)
-	case " $install_prog " in
-	*[\\\ /]cp\ *) ;;
-	*) prev=$arg ;;
-	esac
+	if $install_cp; then :; else
+	  prev=$arg
+	fi
 	;;
       -g | -m | -o)
 	prev=$arg
@@ -1904,6 +2831,10 @@ func_mode_install ()
       *)
 	# If the previous option needed an argument, then skip it.
 	if test -n "$prev"; then
+	  if test "x$prev" = x-m && test -n "$install_override_mode"; then
+	    arg2=$install_override_mode
+	    no_mode=false
+	  fi
 	  prev=
 	else
 	  dest=$arg
@@ -1914,7 +2845,11 @@ func_mode_install ()
 
       # Aesthetically quote the argument.
       func_quote_for_eval "$arg"
-      install_prog="$install_prog $func_quote_for_eval_result"
+      func_append install_prog " $func_quote_for_eval_result"
+      if test -n "$arg2"; then
+	func_quote_for_eval "$arg2"
+      fi
+      func_append install_shared_prog " $func_quote_for_eval_result"
     done
 
     test -z "$install_prog" && \
@@ -1923,6 +2858,13 @@ func_mode_install ()
     test -n "$prev" && \
       func_fatal_help "the \`$prev' option requires an argument"
 
+    if test -n "$install_override_mode" && $no_mode; then
+      if $install_cp; then :; else
+	func_quote_for_eval "$install_override_mode"
+	func_append install_shared_prog " -m $func_quote_for_eval_result"
+      fi
+    fi
+
     if test -z "$files"; then
       if test -z "$dest"; then
 	func_fatal_help "no file or destination specified"
@@ -1977,10 +2919,13 @@ func_mode_install ()
       case $file in
       *.$libext)
 	# Do the static libraries later.
-	staticlibs="$staticlibs $file"
+	func_append staticlibs " $file"
 	;;
 
       *.la)
+	func_resolve_sysroot "$file"
+	file=$func_resolve_sysroot_result
+
 	# Check to see that this really is a libtool archive.
 	func_lalib_unsafe_p "$file" \
 	  || func_fatal_help "\`$file' is not a valid libtool archive"
@@ -1994,23 +2939,23 @@ func_mode_install ()
 	if test "X$destdir" = "X$libdir"; then
 	  case "$current_libdirs " in
 	  *" $libdir "*) ;;
-	  *) current_libdirs="$current_libdirs $libdir" ;;
+	  *) func_append current_libdirs " $libdir" ;;
 	  esac
 	else
 	  # Note the libdir as a future libdir.
 	  case "$future_libdirs " in
 	  *" $libdir "*) ;;
-	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  *) func_append future_libdirs " $libdir" ;;
 	  esac
 	fi
 
 	func_dirname "$file" "/" ""
 	dir="$func_dirname_result"
-	dir="$dir$objdir"
+	func_append dir "$objdir"
 
 	if test -n "$relink_command"; then
 	  # Determine the prefix the user has applied to our future dir.
-	  inst_prefix_dir=`$ECHO "X$destdir" | $Xsed -e "s%$libdir\$%%"`
+	  inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"`
 
 	  # Don't allow the user to place us outside of our expected
 	  # location b/c this prevents finding dependent libraries that
@@ -2023,9 +2968,9 @@ func_mode_install ()
 
 	  if test -n "$inst_prefix_dir"; then
 	    # Stick the inst_prefix_dir data into the link command.
-	    relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
 	  else
-	    relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%%"`
+	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
 	  fi
 
 	  func_warning "relinking \`$file'"
@@ -2043,7 +2988,7 @@ func_mode_install ()
 	  test -n "$relink_command" && srcname="$realname"T
 
 	  # Install the shared library and build the symlinks.
-	  func_show_eval "$install_prog $dir/$srcname $destdir/$realname" \
+	  func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \
 	      'exit $?'
 	  tstripme="$stripme"
 	  case $host_os in
@@ -2083,7 +3028,7 @@ func_mode_install ()
 	func_show_eval "$install_prog $instname $destdir/$name" 'exit $?'
 
 	# Maybe install the static library, too.
-	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+	test -n "$old_library" && func_append staticlibs " $dir/$old_library"
 	;;
 
       *.lo)
@@ -2183,7 +3128,7 @@ func_mode_install ()
 	    if test -f "$lib"; then
 	      func_source "$lib"
 	    fi
-	    libfile="$libdir/"`$ECHO "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test
 	    if test -n "$libdir" && test ! -f "$libfile"; then
 	      func_warning "\`$lib' has not been installed in \`$libdir'"
 	      finalize=no
@@ -2202,7 +3147,7 @@ func_mode_install ()
 		file="$func_basename_result"
 	        outputname="$tmpdir/$file"
 	        # Replace the output file specification.
-	        relink_command=`$ECHO "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+	        relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'`
 
 	        $opt_silent || {
 	          func_quote_for_expand "$relink_command"
@@ -2221,7 +3166,7 @@ func_mode_install ()
 	    }
 	  else
 	    # Install the binary that we compiled earlier.
-	    file=`$ECHO "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+	    file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"`
 	  fi
 	fi
 
@@ -2257,11 +3202,13 @@ func_mode_install ()
 
       # Set up the ranlib parameters.
       oldlib="$destdir/$name"
+      func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+      tool_oldlib=$func_to_tool_file_result
 
       func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
 
       if test -n "$stripme" && test -n "$old_striplib"; then
-	func_show_eval "$old_striplib $oldlib" 'exit $?'
+	func_show_eval "$old_striplib $tool_oldlib" 'exit $?'
       fi
 
       # Do each command in the postinstall commands.
@@ -2280,7 +3227,7 @@ func_mode_install ()
     fi
 }
 
-test "$mode" = install && func_mode_install ${1+"$@"}
+test "$opt_mode" = install && func_mode_install ${1+"$@"}
 
 
 # func_generate_dlsyms outputname originator pic_p
@@ -2323,6 +3270,22 @@ func_generate_dlsyms ()
 extern \"C\" {
 #endif
 
+#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4))
+#pragma GCC diagnostic ignored \"-Wstrict-prototypes\"
+#endif
+
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data.  */
+# define LT_DLSYM_CONST
+#else
+# define LT_DLSYM_CONST const
+#endif
+
 /* External symbol declarations for the compiler. */\
 "
 
@@ -2332,10 +3295,11 @@ extern \"C\" {
 	  $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist"
 
 	  # Add our own program objects to the symbol list.
-	  progfiles=`$ECHO "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	  progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP`
 	  for progfile in $progfiles; do
-	    func_verbose "extracting global C symbols from \`$progfile'"
-	    $opt_dry_run || eval "$NM $progfile | $global_symbol_pipe >> '$nlist'"
+	    func_to_tool_file "$progfile" func_convert_file_msys_to_w32
+	    func_verbose "extracting global C symbols from \`$func_to_tool_file_result'"
+	    $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'"
 	  done
 
 	  if test -n "$exclude_expsyms"; then
@@ -2371,7 +3335,7 @@ extern \"C\" {
 	      eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
 	      eval '$MV "$nlist"T "$nlist"'
 	      case $host in
-	        *cygwin | *mingw* | *cegcc* )
+	        *cygwin* | *mingw* | *cegcc* )
 	          eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
 	          eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
 	          ;;
@@ -2384,10 +3348,52 @@ extern \"C\" {
 	  func_verbose "extracting global C symbols from \`$dlprefile'"
 	  func_basename "$dlprefile"
 	  name="$func_basename_result"
-	  $opt_dry_run || {
-	    eval '$ECHO ": $name " >> "$nlist"'
-	    eval "$NM $dlprefile 2>/dev/null | $global_symbol_pipe >> '$nlist'"
-	  }
+          case $host in
+	    *cygwin* | *mingw* | *cegcc* )
+	      # if an import library, we need to obtain dlname
+	      if func_win32_import_lib_p "$dlprefile"; then
+	        func_tr_sh "$dlprefile"
+	        eval "curr_lafile=\$libfile_$func_tr_sh_result"
+	        dlprefile_dlbasename=""
+	        if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then
+	          # Use subshell, to avoid clobbering current variable values
+	          dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"`
+	          if test -n "$dlprefile_dlname" ; then
+	            func_basename "$dlprefile_dlname"
+	            dlprefile_dlbasename="$func_basename_result"
+	          else
+	            # no lafile. user explicitly requested -dlpreopen <import library>.
+	            $sharedlib_from_linklib_cmd "$dlprefile"
+	            dlprefile_dlbasename=$sharedlib_from_linklib_result
+	          fi
+	        fi
+	        $opt_dry_run || {
+	          if test -n "$dlprefile_dlbasename" ; then
+	            eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"'
+	          else
+	            func_warning "Could not compute DLL name from $name"
+	            eval '$ECHO ": $name " >> "$nlist"'
+	          fi
+	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe |
+	            $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'"
+	        }
+	      else # not an import lib
+	        $opt_dry_run || {
+	          eval '$ECHO ": $name " >> "$nlist"'
+	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+	        }
+	      fi
+	    ;;
+	    *)
+	      $opt_dry_run || {
+	        eval '$ECHO ": $name " >> "$nlist"'
+	        func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
+	        eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
+	      }
+	    ;;
+          esac
 	done
 
 	$opt_dry_run || {
@@ -2415,36 +3421,19 @@ extern \"C\" {
 	  if test -f "$nlist"S; then
 	    eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"'
 	  else
-	    $ECHO '/* NONE */' >> "$output_objdir/$my_dlsyms"
+	    echo '/* NONE */' >> "$output_objdir/$my_dlsyms"
 	  fi
 
-	  $ECHO >> "$output_objdir/$my_dlsyms" "\
+	  echo >> "$output_objdir/$my_dlsyms" "\
 
 /* The mapping between symbol names and symbols.  */
 typedef struct {
   const char *name;
   void *address;
 } lt_dlsymlist;
-"
-	  case $host in
-	  *cygwin* | *mingw* | *cegcc* )
-	    $ECHO >> "$output_objdir/$my_dlsyms" "\
-/* DATA imports from DLLs on WIN32 con't be const, because
-   runtime relocations are performed -- see ld's documentation
-   on pseudo-relocs.  */"
-	    lt_dlsym_const= ;;
-	  *osf5*)
-	    echo >> "$output_objdir/$my_dlsyms" "\
-/* This system does not cope well with relocations in const data */"
-	    lt_dlsym_const= ;;
-	  *)
-	    lt_dlsym_const=const ;;
-	  esac
-
-	  $ECHO >> "$output_objdir/$my_dlsyms" "\
-extern $lt_dlsym_const lt_dlsymlist
+extern LT_DLSYM_CONST lt_dlsymlist
 lt_${my_prefix}_LTX_preloaded_symbols[];
-$lt_dlsym_const lt_dlsymlist
+LT_DLSYM_CONST lt_dlsymlist
 lt_${my_prefix}_LTX_preloaded_symbols[] =
 {\
   { \"$my_originator\", (void *) 0 },"
@@ -2457,7 +3446,7 @@ lt_${my_prefix}_LTX_preloaded_symbols[] =
 	    eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms"
 	    ;;
 	  esac
-	  $ECHO >> "$output_objdir/$my_dlsyms" "\
+	  echo >> "$output_objdir/$my_dlsyms" "\
   {0, (void *) 0}
 };
 
@@ -2484,7 +3473,7 @@ static const void *lt_preloaded_setup() {
 	  # linked before any other PIC object.  But we must not use
 	  # pic_flag when linking with -static.  The problem exists in
 	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
-	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	  *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
 	    pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
 	  *-*-hpux*)
 	    pic_flag_for_symtable=" $pic_flag"  ;;
@@ -2500,7 +3489,7 @@ static const void *lt_preloaded_setup() {
 	for arg in $LTCFLAGS; do
 	  case $arg in
 	  -pie | -fpie | -fPIE) ;;
-	  *) symtab_cflags="$symtab_cflags $arg" ;;
+	  *) func_append symtab_cflags " $arg" ;;
 	  esac
 	done
 
@@ -2515,16 +3504,16 @@ static const void *lt_preloaded_setup() {
 	case $host in
 	*cygwin* | *mingw* | *cegcc* )
 	  if test -f "$output_objdir/$my_outputname.def"; then
-	    compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
-	    finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
+	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
 	  else
-	    compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
-	    finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
 	  fi
 	  ;;
 	*)
-	  compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
-	  finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"`
+	  compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
+	  finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
 	  ;;
 	esac
 	;;
@@ -2538,8 +3527,8 @@ static const void *lt_preloaded_setup() {
       # really was required.
 
       # Nullify the symbol file.
-      compile_command=`$ECHO "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
-      finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+      compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"`
+      finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"`
     fi
 }
 
@@ -2549,6 +3538,7 @@ static const void *lt_preloaded_setup() {
 # Need a lot of goo to handle *both* DLLs and import libs
 # Has to be a shell function in order to 'eat' the argument
 # that is supplied when $file_magic_command is called.
+# Despite the name, also deal with 64 bit binaries.
 func_win32_libid ()
 {
   $opt_debug
@@ -2559,9 +3549,11 @@ func_win32_libid ()
     win32_libid_type="x86 archive import"
     ;;
   *ar\ archive*) # could be an import, or static
+    # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD.
     if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null |
-       $EGREP 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
-      win32_nmres=`eval $NM -f posix -A $1 |
+       $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then
+      func_to_tool_file "$1" func_convert_file_msys_to_w32
+      win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" |
 	$SED -n -e '
 	    1,100{
 		/ I /{
@@ -2590,6 +3582,131 @@ func_win32_libid ()
   $ECHO "$win32_libid_type"
 }
 
+# func_cygming_dll_for_implib ARG
+#
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+# Invoked by eval'ing the libtool variable
+#    $sharedlib_from_linklib_cmd
+# Result is available in the variable
+#    $sharedlib_from_linklib_result
+func_cygming_dll_for_implib ()
+{
+  $opt_debug
+  sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"`
+}
+
+# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs
+#
+# The is the core of a fallback implementation of a
+# platform-specific function to extract the name of the
+# DLL associated with the specified import library LIBNAME.
+#
+# SECTION_NAME is either .idata$6 or .idata$7, depending
+# on the platform and compiler that created the implib.
+#
+# Echos the name of the DLL associated with the
+# specified import library.
+func_cygming_dll_for_implib_fallback_core ()
+{
+  $opt_debug
+  match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"`
+  $OBJDUMP -s --section "$1" "$2" 2>/dev/null |
+    $SED '/^Contents of section '"$match_literal"':/{
+      # Place marker at beginning of archive member dllname section
+      s/.*/====MARK====/
+      p
+      d
+    }
+    # These lines can sometimes be longer than 43 characters, but
+    # are always uninteresting
+    /:[	 ]*file format pe[i]\{,1\}-/d
+    /^In archive [^:]*:/d
+    # Ensure marker is printed
+    /^====MARK====/p
+    # Remove all lines with less than 43 characters
+    /^.\{43\}/!d
+    # From remaining lines, remove first 43 characters
+    s/^.\{43\}//' |
+    $SED -n '
+      # Join marker and all lines until next marker into a single line
+      /^====MARK====/ b para
+      H
+      $ b para
+      b
+      :para
+      x
+      s/\n//g
+      # Remove the marker
+      s/^====MARK====//
+      # Remove trailing dots and whitespace
+      s/[\. \t]*$//
+      # Print
+      /./p' |
+    # we now have a list, one entry per line, of the stringified
+    # contents of the appropriate section of all members of the
+    # archive which possess that section. Heuristic: eliminate
+    # all those which have a first or second character that is
+    # a '.' (that is, objdump's representation of an unprintable
+    # character.) This should work for all archives with less than
+    # 0x302f exports -- but will fail for DLLs whose name actually
+    # begins with a literal '.' or a single character followed by
+    # a '.'.
+    #
+    # Of those that remain, print the first one.
+    $SED -e '/^\./d;/^.\./d;q'
+}
+
+# func_cygming_gnu_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is a GNU/binutils-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_gnu_implib_p ()
+{
+  $opt_debug
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'`
+  test -n "$func_cygming_gnu_implib_tmp"
+}
+
+# func_cygming_ms_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is an MS-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_ms_implib_p ()
+{
+  $opt_debug
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'`
+  test -n "$func_cygming_ms_implib_tmp"
+}
+
+# func_cygming_dll_for_implib_fallback ARG
+# Platform-specific function to extract the
+# name of the DLL associated with the specified
+# import library ARG.
+#
+# This fallback implementation is for use when $DLLTOOL
+# does not support the --identify-strict option.
+# Invoked by eval'ing the libtool variable
+#    $sharedlib_from_linklib_cmd
+# Result is available in the variable
+#    $sharedlib_from_linklib_result
+func_cygming_dll_for_implib_fallback ()
+{
+  $opt_debug
+  if func_cygming_gnu_implib_p "$1" ; then
+    # binutils import library
+    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"`
+  elif func_cygming_ms_implib_p "$1" ; then
+    # ms-generated import library
+    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"`
+  else
+    # unknown
+    sharedlib_from_linklib_result=""
+  fi
+}
 
 
 # func_extract_an_archive dir oldlib
@@ -2598,7 +3715,18 @@ func_extract_an_archive ()
     $opt_debug
     f_ex_an_ar_dir="$1"; shift
     f_ex_an_ar_oldlib="$1"
-    func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" 'exit $?'
+    if test "$lock_old_archive_extraction" = yes; then
+      lockfile=$f_ex_an_ar_oldlib.lock
+      until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
+	func_echo "Waiting for $lockfile to be removed"
+	sleep 2
+      done
+    fi
+    func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \
+		   'stat=$?; rm -f "$lockfile"; exit $stat'
+    if test "$lock_old_archive_extraction" = yes; then
+      $opt_dry_run || rm -f "$lockfile"
+    fi
     if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
      :
     else
@@ -2669,7 +3797,7 @@ func_extract_archives ()
 	    darwin_file=
 	    darwin_files=
 	    for darwin_file in $darwin_filelist; do
-	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
+	      darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
 	      $LIPO -create -output "$darwin_file" $darwin_files
 	    done # $darwin_filelist
 	    $RM -rf unfat-$$
@@ -2684,25 +3812,30 @@ func_extract_archives ()
         func_extract_an_archive "$my_xdir" "$my_xabs"
 	;;
       esac
-      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
     done
 
     func_extract_archives_result="$my_oldobjs"
 }
 
 
-
-# func_emit_wrapper_part1 [arg=no]
+# func_emit_wrapper [arg=no]
 #
-# Emit the first part of a libtool wrapper script on stdout.
-# For more information, see the description associated with
-# func_emit_wrapper(), below.
-func_emit_wrapper_part1 ()
+# Emit a libtool wrapper script on stdout.
+# Don't directly open a file because we may want to
+# incorporate the script contents within a cygwin/mingw
+# wrapper executable.  Must ONLY be called from within
+# func_mode_link because it depends on a number of variables
+# set therein.
+#
+# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
+# variable will take.  If 'yes', then the emitted script
+# will assume that the directory in which it is stored is
+# the $objdir directory.  This is a cygwin/mingw-specific
+# behavior.
+func_emit_wrapper ()
 {
-	func_emit_wrapper_part1_arg1=no
-	if test -n "$1" ; then
-	  func_emit_wrapper_part1_arg1=$1
-	fi
+	func_emit_wrapper_arg1=${1-no}
 
 	$ECHO "\
 #! $SHELL
@@ -2718,7 +3851,6 @@ func_emit_wrapper_part1 ()
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='${SED} -e 1s/^X//'
 sed_quote_subst='$sed_quote_subst'
 
 # Be Bourne compatible
@@ -2749,31 +3881,135 @@ if test \"\$libtool_install_magic\" = \"$magic\"; then
 else
   # When we are sourced in execute mode, \$file and \$ECHO are already set.
   if test \"\$libtool_execute_magic\" != \"$magic\"; then
-    ECHO=\"$qecho\"
-    file=\"\$0\"
-    # Make sure echo works.
-    if test \"X\$1\" = X--no-reexec; then
-      # Discard the --no-reexec flag, and continue.
-      shift
-    elif test \"X\`{ \$ECHO '\t'; } 2>/dev/null\`\" = 'X\t'; then
-      # Yippee, \$ECHO works!
-      :
-    else
-      # Restart under the correct shell, and then maybe \$ECHO will work.
-      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
-    fi
-  fi\
+    file=\"\$0\""
+
+    qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"`
+    $ECHO "\
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$1
+_LTECHO_EOF'
+}
+    ECHO=\"$qECHO\"
+  fi
+
+# Very basic option parsing. These options are (a) specific to
+# the libtool wrapper, (b) are identical between the wrapper
+# /script/ and the wrapper /executable/ which is used only on
+# windows platforms, and (c) all begin with the string "--lt-"
+# (application programs are unlikely to have options which match
+# this pattern).
+#
+# There are only two supported options: --lt-debug and
+# --lt-dump-script. There is, deliberately, no --lt-help.
+#
+# The first argument to this parsing function should be the
+# script's $0 value, followed by "$@".
+lt_option_debug=
+func_parse_lt_options ()
+{
+  lt_script_arg0=\$0
+  shift
+  for lt_opt
+  do
+    case \"\$lt_opt\" in
+    --lt-debug) lt_option_debug=1 ;;
+    --lt-dump-script)
+        lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\`
+        test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=.
+        lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\`
+        cat \"\$lt_dump_D/\$lt_dump_F\"
+        exit 0
+      ;;
+    --lt-*)
+        \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2
+        exit 1
+      ;;
+    esac
+  done
+
+  # Print the debug banner immediately:
+  if test -n \"\$lt_option_debug\"; then
+    echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2
+  fi
+}
+
+# Used when --lt-debug. Prints its arguments to stdout
+# (redirection is the responsibility of the caller)
+func_lt_dump_args ()
+{
+  lt_dump_args_N=1;
+  for lt_arg
+  do
+    \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\"
+    lt_dump_args_N=\`expr \$lt_dump_args_N + 1\`
+  done
+}
+
+# Core function for launching the target application
+func_exec_program_core ()
+{
 "
-	$ECHO "\
+  case $host in
+  # Backslashes separate directories on plain windows
+  *-*-mingw | *-*-os2* | *-cegcc*)
+    $ECHO "\
+      if test -n \"\$lt_option_debug\"; then
+        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2
+        func_lt_dump_args \${1+\"\$@\"} 1>&2
+      fi
+      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
+"
+    ;;
+
+  *)
+    $ECHO "\
+      if test -n \"\$lt_option_debug\"; then
+        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2
+        func_lt_dump_args \${1+\"\$@\"} 1>&2
+      fi
+      exec \"\$progdir/\$program\" \${1+\"\$@\"}
+"
+    ;;
+  esac
+  $ECHO "\
+      \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
+      exit 1
+}
+
+# A function to encapsulate launching the target application
+# Strips options in the --lt-* namespace from \$@ and
+# launches target application with the remaining arguments.
+func_exec_program ()
+{
+  case \" \$* \" in
+  *\\ --lt-*)
+    for lt_wr_arg
+    do
+      case \$lt_wr_arg in
+      --lt-*) ;;
+      *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
+      esac
+      shift
+    done ;;
+  esac
+  func_exec_program_core \${1+\"\$@\"}
+}
+
+  # Parse options
+  func_parse_lt_options \"\$0\" \${1+\"\$@\"}
 
   # Find the directory that this script lives in.
-  thisdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+  thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\`
   test \"x\$thisdir\" = \"x\$file\" && thisdir=.
 
   # Follow symbolic links until we get to the real thisdir.
-  file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
+  file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\`
   while test -n \"\$file\"; do
-    destdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+    destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\`
 
     # If there was a directory component, then change thisdir.
     if test \"x\$destdir\" != \"x\$file\"; then
@@ -2783,30 +4019,13 @@ else
       esac
     fi
 
-    file=\`\$ECHO \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
-    file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
+    file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\`
   done
-"
-}
-# end: func_emit_wrapper_part1
-
-# func_emit_wrapper_part2 [arg=no]
-#
-# Emit the second part of a libtool wrapper script on stdout.
-# For more information, see the description associated with
-# func_emit_wrapper(), below.
-func_emit_wrapper_part2 ()
-{
-	func_emit_wrapper_part2_arg1=no
-	if test -n "$1" ; then
-	  func_emit_wrapper_part2_arg1=$1
-	fi
-
-	$ECHO "\
 
   # Usually 'no', except on cygwin/mingw when embedded into
   # the cwrapper.
-  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_part2_arg1
+  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1
   if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then
     # special case for '.'
     if test \"\$thisdir\" = \".\"; then
@@ -2814,7 +4033,7 @@ func_emit_wrapper_part2 ()
     fi
     # remove .libs from thisdir
     case \"\$thisdir\" in
-    *[\\\\/]$objdir ) thisdir=\`\$ECHO \"X\$thisdir\" | \$Xsed -e 's%[\\\\/][^\\\\/]*$%%'\` ;;
+    *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;;
     $objdir )   thisdir=. ;;
     esac
   fi
@@ -2869,6 +4088,18 @@ func_emit_wrapper_part2 ()
 
   if test -f \"\$progdir/\$program\"; then"
 
+	# fixup the dll searchpath if we need to.
+	#
+	# Fix the DLL searchpath if we need to.  Do this before prepending
+	# to shlibpath, because on Windows, both are PATH and uninstalled
+	# libraries must come first.
+	if test -n "$dllsearchpath"; then
+	  $ECHO "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
+	fi
+
 	# Export our shlibpath_var if we have one.
 	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
 	  $ECHO "\
@@ -2877,254 +4108,29 @@ func_emit_wrapper_part2 ()
 
     # Some systems cannot cope with colon-terminated $shlibpath_var
     # The second colon is a workaround for a bug in BeOS R4 sed
-    $shlibpath_var=\`\$ECHO \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+    $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\`
 
     export $shlibpath_var
 "
 	fi
 
-	# fixup the dll searchpath if we need to.
-	if test -n "$dllsearchpath"; then
-	  $ECHO "\
-    # Add the dll search path components to the executable PATH
-    PATH=$dllsearchpath:\$PATH
-"
-	fi
-
 	$ECHO "\
     if test \"\$libtool_execute_magic\" != \"$magic\"; then
       # Run the actual program with our arguments.
-"
-	case $host in
-	# Backslashes separate directories on plain windows
-	*-*-mingw | *-*-os2* | *-cegcc*)
-	  $ECHO "\
-      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
-"
-	  ;;
-
-	*)
-	  $ECHO "\
-      exec \"\$progdir/\$program\" \${1+\"\$@\"}
-"
-	  ;;
-	esac
-	$ECHO "\
-      \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
-      exit 1
+      func_exec_program \${1+\"\$@\"}
     fi
   else
     # The program doesn't exist.
     \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
     \$ECHO \"This script is just a wrapper for \$program.\" 1>&2
-    $ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
+    \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
     exit 1
   fi
 fi\
 "
 }
-# end: func_emit_wrapper_part2
-
-
-# func_emit_wrapper [arg=no]
-#
-# Emit a libtool wrapper script on stdout.
-# Don't directly open a file because we may want to
-# incorporate the script contents within a cygwin/mingw
-# wrapper executable.  Must ONLY be called from within
-# func_mode_link because it depends on a number of variables
-# set therein.
-#
-# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
-# variable will take.  If 'yes', then the emitted script
-# will assume that the directory in which it is stored is
-# the $objdir directory.  This is a cygwin/mingw-specific
-# behavior.
-func_emit_wrapper ()
-{
-	func_emit_wrapper_arg1=no
-	if test -n "$1" ; then
-	  func_emit_wrapper_arg1=$1
-	fi
-
-	# split this up so that func_emit_cwrapperexe_src
-	# can call each part independently.
-	func_emit_wrapper_part1 "${func_emit_wrapper_arg1}"
-	func_emit_wrapper_part2 "${func_emit_wrapper_arg1}"
-}
 
 
-# func_to_host_path arg
-#
-# Convert paths to host format when used with build tools.
-# Intended for use with "native" mingw (where libtool itself
-# is running under the msys shell), or in the following cross-
-# build environments:
-#    $build          $host
-#    mingw (msys)    mingw  [e.g. native]
-#    cygwin          mingw
-#    *nix + wine     mingw
-# where wine is equipped with the `winepath' executable.
-# In the native mingw case, the (msys) shell automatically
-# converts paths for any non-msys applications it launches,
-# but that facility isn't available from inside the cwrapper.
-# Similar accommodations are necessary for $host mingw and
-# $build cygwin.  Calling this function does no harm for other
-# $host/$build combinations not listed above.
-#
-# ARG is the path (on $build) that should be converted to
-# the proper representation for $host. The result is stored
-# in $func_to_host_path_result.
-func_to_host_path ()
-{
-  func_to_host_path_result="$1"
-  if test -n "$1" ; then
-    case $host in
-      *mingw* )
-        lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
-        case $build in
-          *mingw* ) # actually, msys
-            # awkward: cmd appends spaces to result
-            lt_sed_strip_trailing_spaces="s/[ ]*\$//"
-            func_to_host_path_tmp1=`( cmd //c echo "$1" |\
-              $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
-            func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          *cygwin* )
-            func_to_host_path_tmp1=`cygpath -w "$1"`
-            func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          * )
-            # Unfortunately, winepath does not exit with a non-zero
-            # error code, so we are forced to check the contents of
-            # stdout. On the other hand, if the command is not
-            # found, the shell will set an exit code of 127 and print
-            # *an error message* to stdout. So we must check for both
-            # error code of zero AND non-empty stdout, which explains
-            # the odd construction:
-            func_to_host_path_tmp1=`winepath -w "$1" 2>/dev/null`
-            if test "$?" -eq 0 && test -n "${func_to_host_path_tmp1}"; then
-              func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\
-                $SED -e "$lt_sed_naive_backslashify"`
-            else
-              # Allow warning below.
-              func_to_host_path_result=""
-            fi
-            ;;
-        esac
-        if test -z "$func_to_host_path_result" ; then
-          func_error "Could not determine host path corresponding to"
-          func_error "  '$1'"
-          func_error "Continuing, but uninstalled executables may not work."
-          # Fallback:
-          func_to_host_path_result="$1"
-        fi
-        ;;
-    esac
-  fi
-}
-# end: func_to_host_path
-
-# func_to_host_pathlist arg
-#
-# Convert pathlists to host format when used with build tools.
-# See func_to_host_path(), above. This function supports the
-# following $build/$host combinations (but does no harm for
-# combinations not listed here):
-#    $build          $host
-#    mingw (msys)    mingw  [e.g. native]
-#    cygwin          mingw
-#    *nix + wine     mingw
-#
-# Path separators are also converted from $build format to
-# $host format. If ARG begins or ends with a path separator
-# character, it is preserved (but converted to $host format)
-# on output.
-#
-# ARG is a pathlist (on $build) that should be converted to
-# the proper representation on $host. The result is stored
-# in $func_to_host_pathlist_result.
-func_to_host_pathlist ()
-{
-  func_to_host_pathlist_result="$1"
-  if test -n "$1" ; then
-    case $host in
-      *mingw* )
-        lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
-        # Remove leading and trailing path separator characters from
-        # ARG. msys behavior is inconsistent here, cygpath turns them
-        # into '.;' and ';.', and winepath ignores them completely.
-        func_to_host_pathlist_tmp2="$1"
-        # Once set for this call, this variable should not be
-        # reassigned. It is used in tha fallback case.
-        func_to_host_pathlist_tmp1=`echo "$func_to_host_pathlist_tmp2" |\
-          $SED -e 's|^:*||' -e 's|:*$||'`
-        case $build in
-          *mingw* ) # Actually, msys.
-            # Awkward: cmd appends spaces to result.
-            lt_sed_strip_trailing_spaces="s/[ ]*\$//"
-            func_to_host_pathlist_tmp2=`( cmd //c echo "$func_to_host_pathlist_tmp1" |\
-              $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""`
-            func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          *cygwin* )
-            func_to_host_pathlist_tmp2=`cygpath -w -p "$func_to_host_pathlist_tmp1"`
-            func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\
-              $SED -e "$lt_sed_naive_backslashify"`
-            ;;
-          * )
-            # unfortunately, winepath doesn't convert pathlists
-            func_to_host_pathlist_result=""
-            func_to_host_pathlist_oldIFS=$IFS
-            IFS=:
-            for func_to_host_pathlist_f in $func_to_host_pathlist_tmp1 ; do
-              IFS=$func_to_host_pathlist_oldIFS
-              if test -n "$func_to_host_pathlist_f" ; then
-                func_to_host_path "$func_to_host_pathlist_f"
-                if test -n "$func_to_host_path_result" ; then
-                  if test -z "$func_to_host_pathlist_result" ; then
-                    func_to_host_pathlist_result="$func_to_host_path_result"
-                  else
-                    func_to_host_pathlist_result="$func_to_host_pathlist_result;$func_to_host_path_result"
-                  fi
-                fi
-              fi
-              IFS=:
-            done
-            IFS=$func_to_host_pathlist_oldIFS
-            ;;
-        esac
-        if test -z "$func_to_host_pathlist_result" ; then
-          func_error "Could not determine the host path(s) corresponding to"
-          func_error "  '$1'"
-          func_error "Continuing, but uninstalled executables may not work."
-          # Fallback. This may break if $1 contains DOS-style drive
-          # specifications. The fix is not to complicate the expression
-          # below, but for the user to provide a working wine installation
-          # with winepath so that path translation in the cross-to-mingw
-          # case works properly.
-          lt_replace_pathsep_nix_to_dos="s|:|;|g"
-          func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp1" |\
-            $SED -e "$lt_replace_pathsep_nix_to_dos"`
-        fi
-        # Now, add the leading and trailing path separators back
-        case "$1" in
-          :* ) func_to_host_pathlist_result=";$func_to_host_pathlist_result"
-            ;;
-        esac
-        case "$1" in
-          *: ) func_to_host_pathlist_result="$func_to_host_pathlist_result;"
-            ;;
-        esac
-        ;;
-    esac
-  fi
-}
-# end: func_to_host_pathlist
-
 # func_emit_cwrapperexe_src
 # emit the source code for a wrapper executable on stdout
 # Must ONLY be called from within func_mode_link because
@@ -3141,31 +4147,23 @@ func_emit_cwrapperexe_src ()
 
    This wrapper executable should never be moved out of the build directory.
    If it is, it will not operate correctly.
-
-   Currently, it simply execs the wrapper *script* "$SHELL $output",
-   but could eventually absorb all of the scripts functionality and
-   exec $objdir/$outputname directly.
 */
 EOF
 	    cat <<"EOF"
+#ifdef _MSC_VER
+# define _CRT_SECURE_NO_DEPRECATE 1
+#endif
 #include <stdio.h>
 #include <stdlib.h>
 #ifdef _MSC_VER
 # include <direct.h>
 # include <process.h>
 # include <io.h>
-# define setmode _setmode
 #else
 # include <unistd.h>
 # include <stdint.h>
 # ifdef __CYGWIN__
 #  include <io.h>
-#  define HAVE_SETENV
-#  ifdef __STRICT_ANSI__
-char *realpath (const char *, char *);
-int putenv (char *);
-int setenv (const char *, const char *, int);
-#  endif
 # endif
 #endif
 #include <malloc.h>
@@ -3177,6 +4175,44 @@ int setenv (const char *, const char *, int);
 #include <fcntl.h>
 #include <sys/stat.h>
 
+/* declarations of non-ANSI functions */
+#if defined(__MINGW32__)
+# ifdef __STRICT_ANSI__
+int _putenv (const char *);
+# endif
+#elif defined(__CYGWIN__)
+# ifdef __STRICT_ANSI__
+char *realpath (const char *, char *);
+int putenv (char *);
+int setenv (const char *, const char *, int);
+# endif
+/* #elif defined (other platforms) ... */
+#endif
+
+/* portability defines, excluding path handling macros */
+#if defined(_MSC_VER)
+# define setmode _setmode
+# define stat    _stat
+# define chmod   _chmod
+# define getcwd  _getcwd
+# define putenv  _putenv
+# define S_IXUSR _S_IEXEC
+# ifndef _INTPTR_T_DEFINED
+#  define _INTPTR_T_DEFINED
+#  define intptr_t int
+# endif
+#elif defined(__MINGW32__)
+# define setmode _setmode
+# define stat    _stat
+# define chmod   _chmod
+# define getcwd  _getcwd
+# define putenv  _putenv
+#elif defined(__CYGWIN__)
+# define HAVE_SETENV
+# define FOPEN_WB "wb"
+/* #elif defined (other platforms) ... */
+#endif
+
 #if defined(PATH_MAX)
 # define LT_PATHMAX PATH_MAX
 #elif defined(MAXPATHLEN)
@@ -3192,14 +4228,7 @@ int setenv (const char *, const char *, int);
 # define S_IXGRP 0
 #endif
 
-#ifdef _MSC_VER
-# define S_IXUSR _S_IEXEC
-# define stat _stat
-# ifndef _INTPTR_T_DEFINED
-#  define intptr_t int
-# endif
-#endif
-
+/* path handling portability macros */
 #ifndef DIR_SEPARATOR
 # define DIR_SEPARATOR '/'
 # define PATH_SEPARATOR ':'
@@ -3230,10 +4259,6 @@ int setenv (const char *, const char *, int);
 # define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
 #endif /* PATH_SEPARATOR_2 */
 
-#ifdef __CYGWIN__
-# define FOPEN_WB "wb"
-#endif
-
 #ifndef FOPEN_WB
 # define FOPEN_WB "w"
 #endif
@@ -3246,22 +4271,13 @@ int setenv (const char *, const char *, int);
   if (stale) { free ((void *) stale); stale = 0; } \
 } while (0)
 
-#undef LTWRAPPER_DEBUGPRINTF
-#if defined DEBUGWRAPPER
-# define LTWRAPPER_DEBUGPRINTF(args) ltwrapper_debugprintf args
-static void
-ltwrapper_debugprintf (const char *fmt, ...)
-{
-    va_list args;
-    va_start (args, fmt);
-    (void) vfprintf (stderr, fmt, args);
-    va_end (args);
-}
+#if defined(LT_DEBUGWRAPPER)
+static int lt_debug = 1;
 #else
-# define LTWRAPPER_DEBUGPRINTF(args)
+static int lt_debug = 0;
 #endif
 
-const char *program_name = NULL;
+const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */
 
 void *xmalloc (size_t num);
 char *xstrdup (const char *string);
@@ -3271,41 +4287,27 @@ char *chase_symlinks (const char *pathspec);
 int make_executable (const char *path);
 int check_executable (const char *path);
 char *strendzap (char *str, const char *pat);
-void lt_fatal (const char *message, ...);
+void lt_debugprintf (const char *file, int line, const char *fmt, ...);
+void lt_fatal (const char *file, int line, const char *message, ...);
+static const char *nonnull (const char *s);
+static const char *nonempty (const char *s);
 void lt_setenv (const char *name, const char *value);
 char *lt_extend_str (const char *orig_value, const char *add, int to_end);
-void lt_opt_process_env_set (const char *arg);
-void lt_opt_process_env_prepend (const char *arg);
-void lt_opt_process_env_append (const char *arg);
-int lt_split_name_value (const char *arg, char** name, char** value);
 void lt_update_exe_path (const char *name, const char *value);
 void lt_update_lib_path (const char *name, const char *value);
-
-static const char *script_text_part1 =
+char **prepare_spawn (char **argv);
+void lt_dump_script (FILE *f);
 EOF
 
-	    func_emit_wrapper_part1 yes |
-	        $SED -e 's/\([\\"]\)/\\\1/g' \
-	             -e 's/^/  "/' -e 's/$/\\n"/'
-	    echo ";"
 	    cat <<EOF
-
-static const char *script_text_part2 =
-EOF
-	    func_emit_wrapper_part2 yes |
-	        $SED -e 's/\([\\"]\)/\\\1/g' \
-	             -e 's/^/  "/' -e 's/$/\\n"/'
-	    echo ";"
-
-	    cat <<EOF
-const char * MAGIC_EXE = "$magic_exe";
+volatile const char * MAGIC_EXE = "$magic_exe";
 const char * LIB_PATH_VARNAME = "$shlibpath_var";
 EOF
 
 	    if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
-              func_to_host_pathlist "$temp_rpath"
+              func_to_host_path "$temp_rpath"
 	      cat <<EOF
-const char * LIB_PATH_VALUE   = "$func_to_host_pathlist_result";
+const char * LIB_PATH_VALUE   = "$func_to_host_path_result";
 EOF
 	    else
 	      cat <<"EOF"
@@ -3314,10 +4316,10 @@ EOF
 	    fi
 
 	    if test -n "$dllsearchpath"; then
-              func_to_host_pathlist "$dllsearchpath:"
+              func_to_host_path "$dllsearchpath:"
 	      cat <<EOF
 const char * EXE_PATH_VARNAME = "PATH";
-const char * EXE_PATH_VALUE   = "$func_to_host_pathlist_result";
+const char * EXE_PATH_VALUE   = "$func_to_host_path_result";
 EOF
 	    else
 	      cat <<"EOF"
@@ -3340,24 +4342,10 @@ EOF
 	    cat <<"EOF"
 
 #define LTWRAPPER_OPTION_PREFIX         "--lt-"
-#define LTWRAPPER_OPTION_PREFIX_LENGTH  5
 
-static const size_t opt_prefix_len         = LTWRAPPER_OPTION_PREFIX_LENGTH;
 static const char *ltwrapper_option_prefix = LTWRAPPER_OPTION_PREFIX;
-
 static const char *dumpscript_opt       = LTWRAPPER_OPTION_PREFIX "dump-script";
-
-static const size_t env_set_opt_len     = LTWRAPPER_OPTION_PREFIX_LENGTH + 7;
-static const char *env_set_opt          = LTWRAPPER_OPTION_PREFIX "env-set";
-  /* argument is putenv-style "foo=bar", value of foo is set to bar */
-
-static const size_t env_prepend_opt_len = LTWRAPPER_OPTION_PREFIX_LENGTH + 11;
-static const char *env_prepend_opt      = LTWRAPPER_OPTION_PREFIX "env-prepend";
-  /* argument is putenv-style "foo=bar", new value of foo is bar${foo} */
-
-static const size_t env_append_opt_len  = LTWRAPPER_OPTION_PREFIX_LENGTH + 10;
-static const char *env_append_opt       = LTWRAPPER_OPTION_PREFIX "env-append";
-  /* argument is putenv-style "foo=bar", new value of foo is ${foo}bar */
+static const char *debug_opt            = LTWRAPPER_OPTION_PREFIX "debug";
 
 int
 main (int argc, char *argv[])
@@ -3374,10 +4362,13 @@ main (int argc, char *argv[])
   int i;
 
   program_name = (char *) xstrdup (base_name (argv[0]));
-  LTWRAPPER_DEBUGPRINTF (("(main) argv[0]      : %s\n", argv[0]));
-  LTWRAPPER_DEBUGPRINTF (("(main) program_name : %s\n", program_name));
+  newargz = XMALLOC (char *, argc + 1);
 
-  /* very simple arg parsing; don't want to rely on getopt */
+  /* very simple arg parsing; don't want to rely on getopt
+   * also, copy all non cwrapper options to newargz, except
+   * argz[0], which is handled differently
+   */
+  newargc=0;
   for (i = 1; i < argc; i++)
     {
       if (strcmp (argv[i], dumpscript_opt) == 0)
@@ -3391,25 +4382,57 @@ EOF
 	      esac
 
 	    cat <<"EOF"
-	  printf ("%s", script_text_part1);
-	  printf ("%s", script_text_part2);
+	  lt_dump_script (stdout);
 	  return 0;
 	}
+      if (strcmp (argv[i], debug_opt) == 0)
+	{
+          lt_debug = 1;
+          continue;
+	}
+      if (strcmp (argv[i], ltwrapper_option_prefix) == 0)
+        {
+          /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
+             namespace, but it is not one of the ones we know about and
+             have already dealt with, above (inluding dump-script), then
+             report an error. Otherwise, targets might begin to believe
+             they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
+             namespace. The first time any user complains about this, we'll
+             need to make LTWRAPPER_OPTION_PREFIX a configure-time option
+             or a configure.ac-settable value.
+           */
+          lt_fatal (__FILE__, __LINE__,
+		    "unrecognized %s option: '%s'",
+                    ltwrapper_option_prefix, argv[i]);
+        }
+      /* otherwise ... */
+      newargz[++newargc] = xstrdup (argv[i]);
     }
+  newargz[++newargc] = NULL;
+
+EOF
+	    cat <<EOF
+  /* The GNU banner must be the first non-error debug message */
+  lt_debugprintf (__FILE__, __LINE__, "libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\n");
+EOF
+	    cat <<"EOF"
+  lt_debugprintf (__FILE__, __LINE__, "(main) argv[0]: %s\n", argv[0]);
+  lt_debugprintf (__FILE__, __LINE__, "(main) program_name: %s\n", program_name);
 
-  newargz = XMALLOC (char *, argc + 1);
   tmp_pathspec = find_executable (argv[0]);
   if (tmp_pathspec == NULL)
-    lt_fatal ("Couldn't find %s", argv[0]);
-  LTWRAPPER_DEBUGPRINTF (("(main) found exe (before symlink chase) at : %s\n",
-			  tmp_pathspec));
+    lt_fatal (__FILE__, __LINE__, "couldn't find %s", argv[0]);
+  lt_debugprintf (__FILE__, __LINE__,
+                  "(main) found exe (before symlink chase) at: %s\n",
+		  tmp_pathspec);
 
   actual_cwrapper_path = chase_symlinks (tmp_pathspec);
-  LTWRAPPER_DEBUGPRINTF (("(main) found exe (after symlink chase) at : %s\n",
-			  actual_cwrapper_path));
+  lt_debugprintf (__FILE__, __LINE__,
+                  "(main) found exe (after symlink chase) at: %s\n",
+		  actual_cwrapper_path);
   XFREE (tmp_pathspec);
 
-  actual_cwrapper_name = xstrdup( base_name (actual_cwrapper_path));
+  actual_cwrapper_name = xstrdup (base_name (actual_cwrapper_path));
   strendzap (actual_cwrapper_path, actual_cwrapper_name);
 
   /* wrapper name transforms */
@@ -3427,8 +4450,9 @@ EOF
   target_name = tmp_pathspec;
   tmp_pathspec = 0;
 
-  LTWRAPPER_DEBUGPRINTF (("(main) libtool target name: %s\n",
-			  target_name));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(main) libtool target name: %s\n",
+		  target_name);
 EOF
 
 	    cat <<EOF
@@ -3478,80 +4502,19 @@ EOF
 
   lt_setenv ("BIN_SH", "xpg4"); /* for Tru64 */
   lt_setenv ("DUALCASE", "1");  /* for MSK sh */
-  lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
+  /* Update the DLL searchpath.  EXE_PATH_VALUE ($dllsearchpath) must
+     be prepended before (that is, appear after) LIB_PATH_VALUE ($temp_rpath)
+     because on Windows, both *_VARNAMEs are PATH but uninstalled
+     libraries must come first. */
   lt_update_exe_path (EXE_PATH_VARNAME, EXE_PATH_VALUE);
+  lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
 
-  newargc=0;
-  for (i = 1; i < argc; i++)
-    {
-      if (strncmp (argv[i], env_set_opt, env_set_opt_len) == 0)
-        {
-          if (argv[i][env_set_opt_len] == '=')
-            {
-              const char *p = argv[i] + env_set_opt_len + 1;
-              lt_opt_process_env_set (p);
-            }
-          else if (argv[i][env_set_opt_len] == '\0' && i + 1 < argc)
-            {
-              lt_opt_process_env_set (argv[++i]); /* don't copy */
-            }
-          else
-            lt_fatal ("%s missing required argument", env_set_opt);
-          continue;
-        }
-      if (strncmp (argv[i], env_prepend_opt, env_prepend_opt_len) == 0)
-        {
-          if (argv[i][env_prepend_opt_len] == '=')
-            {
-              const char *p = argv[i] + env_prepend_opt_len + 1;
-              lt_opt_process_env_prepend (p);
-            }
-          else if (argv[i][env_prepend_opt_len] == '\0' && i + 1 < argc)
-            {
-              lt_opt_process_env_prepend (argv[++i]); /* don't copy */
-            }
-          else
-            lt_fatal ("%s missing required argument", env_prepend_opt);
-          continue;
-        }
-      if (strncmp (argv[i], env_append_opt, env_append_opt_len) == 0)
-        {
-          if (argv[i][env_append_opt_len] == '=')
-            {
-              const char *p = argv[i] + env_append_opt_len + 1;
-              lt_opt_process_env_append (p);
-            }
-          else if (argv[i][env_append_opt_len] == '\0' && i + 1 < argc)
-            {
-              lt_opt_process_env_append (argv[++i]); /* don't copy */
-            }
-          else
-            lt_fatal ("%s missing required argument", env_append_opt);
-          continue;
-        }
-      if (strncmp (argv[i], ltwrapper_option_prefix, opt_prefix_len) == 0)
-        {
-          /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
-             namespace, but it is not one of the ones we know about and
-             have already dealt with, above (inluding dump-script), then
-             report an error. Otherwise, targets might begin to believe
-             they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
-             namespace. The first time any user complains about this, we'll
-             need to make LTWRAPPER_OPTION_PREFIX a configure-time option
-             or a configure.ac-settable value.
-           */
-          lt_fatal ("Unrecognized option in %s namespace: '%s'",
-                    ltwrapper_option_prefix, argv[i]);
-        }
-      /* otherwise ... */
-      newargz[++newargc] = xstrdup (argv[i]);
-    }
-  newargz[++newargc] = NULL;
-
-  LTWRAPPER_DEBUGPRINTF     (("(main) lt_argv_zero : %s\n", (lt_argv_zero ? lt_argv_zero : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__, "(main) lt_argv_zero: %s\n",
+		  nonnull (lt_argv_zero));
   for (i = 0; i < newargc; i++)
     {
-      LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d]   : %s\n", i, (newargz[i] ? newargz[i] : "<NULL>")));
+      lt_debugprintf (__FILE__, __LINE__, "(main) newargz[%d]: %s\n",
+		      i, nonnull (newargz[i]));
     }
 
 EOF
@@ -3560,11 +4523,14 @@ EOF
 	      mingw*)
 		cat <<"EOF"
   /* execv doesn't actually work on mingw as expected on unix */
+  newargz = prepare_spawn (newargz);
   rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
   if (rval == -1)
     {
       /* failed to start process */
-      LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"%s\": errno = %d\n", lt_argv_zero, errno));
+      lt_debugprintf (__FILE__, __LINE__,
+		      "(main) failed to launch target \"%s\": %s\n",
+		      lt_argv_zero, nonnull (strerror (errno)));
       return 127;
     }
   return rval;
@@ -3586,7 +4552,7 @@ xmalloc (size_t num)
 {
   void *p = (void *) malloc (num);
   if (!p)
-    lt_fatal ("Memory exhausted");
+    lt_fatal (__FILE__, __LINE__, "memory exhausted");
 
   return p;
 }
@@ -3620,8 +4586,8 @@ check_executable (const char *path)
 {
   struct stat st;
 
-  LTWRAPPER_DEBUGPRINTF (("(check_executable)  : %s\n",
-			  path ? (*path ? path : "EMPTY!") : "NULL!"));
+  lt_debugprintf (__FILE__, __LINE__, "(check_executable): %s\n",
+                  nonempty (path));
   if ((!path) || (!*path))
     return 0;
 
@@ -3638,8 +4604,8 @@ make_executable (const char *path)
   int rval = 0;
   struct stat st;
 
-  LTWRAPPER_DEBUGPRINTF (("(make_executable)   : %s\n",
-			  path ? (*path ? path : "EMPTY!") : "NULL!"));
+  lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n",
+                  nonempty (path));
   if ((!path) || (!*path))
     return 0;
 
@@ -3665,8 +4631,8 @@ find_executable (const char *wrapper)
   int tmp_len;
   char *concat_name;
 
-  LTWRAPPER_DEBUGPRINTF (("(find_executable)   : %s\n",
-			  wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!"));
+  lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n",
+                  nonempty (wrapper));
 
   if ((wrapper == NULL) || (*wrapper == '\0'))
     return NULL;
@@ -3719,7 +4685,8 @@ find_executable (const char *wrapper)
 		{
 		  /* empty path: current directory */
 		  if (getcwd (tmp, LT_PATHMAX) == NULL)
-		    lt_fatal ("getcwd failed");
+		    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+                              nonnull (strerror (errno)));
 		  tmp_len = strlen (tmp);
 		  concat_name =
 		    XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
@@ -3744,7 +4711,8 @@ find_executable (const char *wrapper)
     }
   /* Relative path | not found in path: prepend cwd */
   if (getcwd (tmp, LT_PATHMAX) == NULL)
-    lt_fatal ("getcwd failed");
+    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
+              nonnull (strerror (errno)));
   tmp_len = strlen (tmp);
   concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
   memcpy (concat_name, tmp, tmp_len);
@@ -3770,8 +4738,9 @@ chase_symlinks (const char *pathspec)
   int has_symlinks = 0;
   while (strlen (tmp_pathspec) && !has_symlinks)
     {
-      LTWRAPPER_DEBUGPRINTF (("checking path component for symlinks: %s\n",
-			      tmp_pathspec));
+      lt_debugprintf (__FILE__, __LINE__,
+		      "checking path component for symlinks: %s\n",
+		      tmp_pathspec);
       if (lstat (tmp_pathspec, &s) == 0)
 	{
 	  if (S_ISLNK (s.st_mode) != 0)
@@ -3793,8 +4762,9 @@ chase_symlinks (const char *pathspec)
 	}
       else
 	{
-	  char *errstr = strerror (errno);
-	  lt_fatal ("Error accessing file %s (%s)", tmp_pathspec, errstr);
+	  lt_fatal (__FILE__, __LINE__,
+		    "error accessing file \"%s\": %s",
+		    tmp_pathspec, nonnull (strerror (errno)));
 	}
     }
   XFREE (tmp_pathspec);
@@ -3807,7 +4777,8 @@ chase_symlinks (const char *pathspec)
   tmp_pathspec = realpath (pathspec, buf);
   if (tmp_pathspec == 0)
     {
-      lt_fatal ("Could not follow symlinks for %s", pathspec);
+      lt_fatal (__FILE__, __LINE__,
+		"could not follow symlinks for %s", pathspec);
     }
   return xstrdup (tmp_pathspec);
 #endif
@@ -3833,11 +4804,25 @@ strendzap (char *str, const char *pat)
   return str;
 }
 
+void
+lt_debugprintf (const char *file, int line, const char *fmt, ...)
+{
+  va_list args;
+  if (lt_debug)
+    {
+      (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line);
+      va_start (args, fmt);
+      (void) vfprintf (stderr, fmt, args);
+      va_end (args);
+    }
+}
+
 static void
-lt_error_core (int exit_status, const char *mode,
+lt_error_core (int exit_status, const char *file,
+	       int line, const char *mode,
 	       const char *message, va_list ap)
 {
-  fprintf (stderr, "%s: %s: ", program_name, mode);
+  fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode);
   vfprintf (stderr, message, ap);
   fprintf (stderr, ".\n");
 
@@ -3846,20 +4831,32 @@ lt_error_core (int exit_status, const char *mode,
 }
 
 void
-lt_fatal (const char *message, ...)
+lt_fatal (const char *file, int line, const char *message, ...)
 {
   va_list ap;
   va_start (ap, message);
-  lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
+  lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap);
   va_end (ap);
 }
 
+static const char *
+nonnull (const char *s)
+{
+  return s ? s : "(null)";
+}
+
+static const char *
+nonempty (const char *s)
+{
+  return (s && !*s) ? "(empty)" : nonnull (s);
+}
+
 void
 lt_setenv (const char *name, const char *value)
 {
-  LTWRAPPER_DEBUGPRINTF (("(lt_setenv) setting '%s' to '%s'\n",
-                          (name ? name : "<NULL>"),
-                          (value ? value : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_setenv) setting '%s' to '%s'\n",
+                  nonnull (name), nonnull (value));
   {
 #ifdef HAVE_SETENV
     /* always make a copy, for consistency with !HAVE_SETENV */
@@ -3904,95 +4901,12 @@ lt_extend_str (const char *orig_value, const char *add, int to_end)
   return new_value;
 }
 
-int
-lt_split_name_value (const char *arg, char** name, char** value)
-{
-  const char *p;
-  int len;
-  if (!arg || !*arg)
-    return 1;
-
-  p = strchr (arg, (int)'=');
-
-  if (!p)
-    return 1;
-
-  *value = xstrdup (++p);
-
-  len = strlen (arg) - strlen (*value);
-  *name = XMALLOC (char, len);
-  strncpy (*name, arg, len-1);
-  (*name)[len - 1] = '\0';
-
-  return 0;
-}
-
-void
-lt_opt_process_env_set (const char *arg)
-{
-  char *name = NULL;
-  char *value = NULL;
-
-  if (lt_split_name_value (arg, &name, &value) != 0)
-    {
-      XFREE (name);
-      XFREE (value);
-      lt_fatal ("bad argument for %s: '%s'", env_set_opt, arg);
-    }
-
-  lt_setenv (name, value);
-  XFREE (name);
-  XFREE (value);
-}
-
-void
-lt_opt_process_env_prepend (const char *arg)
-{
-  char *name = NULL;
-  char *value = NULL;
-  char *new_value = NULL;
-
-  if (lt_split_name_value (arg, &name, &value) != 0)
-    {
-      XFREE (name);
-      XFREE (value);
-      lt_fatal ("bad argument for %s: '%s'", env_prepend_opt, arg);
-    }
-
-  new_value = lt_extend_str (getenv (name), value, 0);
-  lt_setenv (name, new_value);
-  XFREE (new_value);
-  XFREE (name);
-  XFREE (value);
-}
-
-void
-lt_opt_process_env_append (const char *arg)
-{
-  char *name = NULL;
-  char *value = NULL;
-  char *new_value = NULL;
-
-  if (lt_split_name_value (arg, &name, &value) != 0)
-    {
-      XFREE (name);
-      XFREE (value);
-      lt_fatal ("bad argument for %s: '%s'", env_append_opt, arg);
-    }
-
-  new_value = lt_extend_str (getenv (name), value, 1);
-  lt_setenv (name, new_value);
-  XFREE (new_value);
-  XFREE (name);
-  XFREE (value);
-}
-
 void
 lt_update_exe_path (const char *name, const char *value)
 {
-  LTWRAPPER_DEBUGPRINTF (("(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
-                          (name ? name : "<NULL>"),
-                          (value ? value : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
+                  nonnull (name), nonnull (value));
 
   if (name && *name && value && *value)
     {
@@ -4011,9 +4925,9 @@ lt_update_exe_path (const char *name, const char *value)
 void
 lt_update_lib_path (const char *name, const char *value)
 {
-  LTWRAPPER_DEBUGPRINTF (("(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
-                          (name ? name : "<NULL>"),
-                          (value ? value : "<NULL>")));
+  lt_debugprintf (__FILE__, __LINE__,
+		  "(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
+                  nonnull (name), nonnull (value));
 
   if (name && *name && value && *value)
     {
@@ -4023,11 +4937,158 @@ lt_update_lib_path (const char *name, const char *value)
     }
 }
 
+EOF
+	    case $host_os in
+	      mingw*)
+		cat <<"EOF"
+
+/* Prepares an argument vector before calling spawn().
+   Note that spawn() does not by itself call the command interpreter
+     (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") :
+      ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+         GetVersionEx(&v);
+         v.dwPlatformId == VER_PLATFORM_WIN32_NT;
+      }) ? "cmd.exe" : "command.com").
+   Instead it simply concatenates the arguments, separated by ' ', and calls
+   CreateProcess().  We must quote the arguments since Win32 CreateProcess()
+   interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a
+   special way:
+   - Space and tab are interpreted as delimiters. They are not treated as
+     delimiters if they are surrounded by double quotes: "...".
+   - Unescaped double quotes are removed from the input. Their only effect is
+     that within double quotes, space and tab are treated like normal
+     characters.
+   - Backslashes not followed by double quotes are not special.
+   - But 2*n+1 backslashes followed by a double quote become
+     n backslashes followed by a double quote (n >= 0):
+       \" -> "
+       \\\" -> \"
+       \\\\\" -> \\"
+ */
+#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
+char **
+prepare_spawn (char **argv)
+{
+  size_t argc;
+  char **new_argv;
+  size_t i;
+
+  /* Count number of arguments.  */
+  for (argc = 0; argv[argc] != NULL; argc++)
+    ;
+
+  /* Allocate new argument vector.  */
+  new_argv = XMALLOC (char *, argc + 1);
+
+  /* Put quoted arguments into the new argument vector.  */
+  for (i = 0; i < argc; i++)
+    {
+      const char *string = argv[i];
 
+      if (string[0] == '\0')
+	new_argv[i] = xstrdup ("\"\"");
+      else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL)
+	{
+	  int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL);
+	  size_t length;
+	  unsigned int backslashes;
+	  const char *s;
+	  char *quoted_string;
+	  char *p;
+
+	  length = 0;
+	  backslashes = 0;
+	  if (quote_around)
+	    length++;
+	  for (s = string; *s != '\0'; s++)
+	    {
+	      char c = *s;
+	      if (c == '"')
+		length += backslashes + 1;
+	      length++;
+	      if (c == '\\')
+		backslashes++;
+	      else
+		backslashes = 0;
+	    }
+	  if (quote_around)
+	    length += backslashes + 1;
+
+	  quoted_string = XMALLOC (char, length + 1);
+
+	  p = quoted_string;
+	  backslashes = 0;
+	  if (quote_around)
+	    *p++ = '"';
+	  for (s = string; *s != '\0'; s++)
+	    {
+	      char c = *s;
+	      if (c == '"')
+		{
+		  unsigned int j;
+		  for (j = backslashes + 1; j > 0; j--)
+		    *p++ = '\\';
+		}
+	      *p++ = c;
+	      if (c == '\\')
+		backslashes++;
+	      else
+		backslashes = 0;
+	    }
+	  if (quote_around)
+	    {
+	      unsigned int j;
+	      for (j = backslashes; j > 0; j--)
+		*p++ = '\\';
+	      *p++ = '"';
+	    }
+	  *p = '\0';
+
+	  new_argv[i] = quoted_string;
+	}
+      else
+	new_argv[i] = (char *) string;
+    }
+  new_argv[argc] = NULL;
+
+  return new_argv;
+}
+EOF
+		;;
+	    esac
+
+            cat <<"EOF"
+void lt_dump_script (FILE* f)
+{
+EOF
+	    func_emit_wrapper yes |
+	      $SED -n -e '
+s/^\(.\{79\}\)\(..*\)/\1\
+\2/
+h
+s/\([\\"]\)/\\\1/g
+s/$/\\n/
+s/\([^\n]*\).*/  fputs ("\1", f);/p
+g
+D'
+            cat <<"EOF"
+}
 EOF
 }
 # end: func_emit_cwrapperexe_src
 
+# func_win32_import_lib_p ARG
+# True if ARG is an import lib, as indicated by $file_magic_cmd
+func_win32_import_lib_p ()
+{
+    $opt_debug
+    case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in
+    *import*) : ;;
+    *) false ;;
+    esac
+}
+
 # func_mode_link arg...
 func_mode_link ()
 {
@@ -4072,6 +5133,7 @@ func_mode_link ()
     new_inherited_linker_flags=
 
     avoid_version=no
+    bindir=
     dlfiles=
     dlprefiles=
     dlself=no
@@ -4164,6 +5226,11 @@ func_mode_link ()
 	esac
 
 	case $prev in
+	bindir)
+	  bindir="$arg"
+	  prev=
+	  continue
+	  ;;
 	dlfiles|dlprefiles)
 	  if test "$preload" = no; then
 	    # Add the symbol object into the linking commands.
@@ -4195,9 +5262,9 @@ func_mode_link ()
 	    ;;
 	  *)
 	    if test "$prev" = dlfiles; then
-	      dlfiles="$dlfiles $arg"
+	      func_append dlfiles " $arg"
 	    else
-	      dlprefiles="$dlprefiles $arg"
+	      func_append dlprefiles " $arg"
 	    fi
 	    prev=
 	    continue
@@ -4221,7 +5288,7 @@ func_mode_link ()
 	    *-*-darwin*)
 	      case "$deplibs " in
 		*" $qarg.ltframework "*) ;;
-		*) deplibs="$deplibs $qarg.ltframework" # this is fixed later
+		*) func_append deplibs " $qarg.ltframework" # this is fixed later
 		   ;;
 	      esac
 	      ;;
@@ -4240,7 +5307,7 @@ func_mode_link ()
 	    moreargs=
 	    for fil in `cat "$save_arg"`
 	    do
-#	      moreargs="$moreargs $fil"
+#	      func_append moreargs " $fil"
 	      arg=$fil
 	      # A libtool-controlled object.
 
@@ -4269,7 +5336,7 @@ func_mode_link ()
 
 		  if test "$prev" = dlfiles; then
 		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		      dlfiles="$dlfiles $pic_object"
+		      func_append dlfiles " $pic_object"
 		      prev=
 		      continue
 		    else
@@ -4281,7 +5348,7 @@ func_mode_link ()
 		  # CHECK ME:  I think I busted this.  -Ossama
 		  if test "$prev" = dlprefiles; then
 		    # Preload the old-style object.
-		    dlprefiles="$dlprefiles $pic_object"
+		    func_append dlprefiles " $pic_object"
 		    prev=
 		  fi
 
@@ -4351,12 +5418,12 @@ func_mode_link ()
 	  if test "$prev" = rpath; then
 	    case "$rpath " in
 	    *" $arg "*) ;;
-	    *) rpath="$rpath $arg" ;;
+	    *) func_append rpath " $arg" ;;
 	    esac
 	  else
 	    case "$xrpath " in
 	    *" $arg "*) ;;
-	    *) xrpath="$xrpath $arg" ;;
+	    *) func_append xrpath " $arg" ;;
 	    esac
 	  fi
 	  prev=
@@ -4368,28 +5435,28 @@ func_mode_link ()
 	  continue
 	  ;;
 	weak)
-	  weak_libs="$weak_libs $arg"
+	  func_append weak_libs " $arg"
 	  prev=
 	  continue
 	  ;;
 	xcclinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $qarg"
+	  func_append linker_flags " $qarg"
+	  func_append compiler_flags " $qarg"
 	  prev=
 	  func_append compile_command " $qarg"
 	  func_append finalize_command " $qarg"
 	  continue
 	  ;;
 	xcompiler)
-	  compiler_flags="$compiler_flags $qarg"
+	  func_append compiler_flags " $qarg"
 	  prev=
 	  func_append compile_command " $qarg"
 	  func_append finalize_command " $qarg"
 	  continue
 	  ;;
 	xlinker)
-	  linker_flags="$linker_flags $qarg"
-	  compiler_flags="$compiler_flags $wl$qarg"
+	  func_append linker_flags " $qarg"
+	  func_append compiler_flags " $wl$qarg"
 	  prev=
 	  func_append compile_command " $wl$qarg"
 	  func_append finalize_command " $wl$qarg"
@@ -4425,6 +5492,11 @@ func_mode_link ()
 	continue
 	;;
 
+      -bindir)
+	prev=bindir
+	continue
+	;;
+
       -dlopen)
 	prev=dlfiles
 	continue
@@ -4475,15 +5547,16 @@ func_mode_link ()
 	;;
 
       -L*)
-	func_stripname '-L' '' "$arg"
-	dir=$func_stripname_result
-	if test -z "$dir"; then
+	func_stripname "-L" '' "$arg"
+	if test -z "$func_stripname_result"; then
 	  if test "$#" -gt 0; then
 	    func_fatal_error "require no space between \`-L' and \`$1'"
 	  else
 	    func_fatal_error "need path for \`-L' option"
 	  fi
 	fi
+	func_resolve_sysroot "$func_stripname_result"
+	dir=$func_resolve_sysroot_result
 	# We need an absolute path.
 	case $dir in
 	[\\/]* | [A-Za-z]:[\\/]*) ;;
@@ -4495,24 +5568,30 @@ func_mode_link ()
 	  ;;
 	esac
 	case "$deplibs " in
-	*" -L$dir "*) ;;
+	*" -L$dir "* | *" $arg "*)
+	  # Will only happen for absolute or sysroot arguments
+	  ;;
 	*)
-	  deplibs="$deplibs -L$dir"
-	  lib_search_path="$lib_search_path $dir"
+	  # Preserve sysroot, but never include relative directories
+	  case $dir in
+	    [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;;
+	    *) func_append deplibs " -L$dir" ;;
+	  esac
+	  func_append lib_search_path " $dir"
 	  ;;
 	esac
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
-	  testbindir=`$ECHO "X$dir" | $Xsed -e 's*/lib$*/bin*'`
+	  testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$dir:"*) ;;
 	  ::) dllsearchpath=$dir;;
-	  *) dllsearchpath="$dllsearchpath:$dir";;
+	  *) func_append dllsearchpath ":$dir";;
 	  esac
 	  case :$dllsearchpath: in
 	  *":$testbindir:"*) ;;
 	  ::) dllsearchpath=$testbindir;;
-	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  *) func_append dllsearchpath ":$testbindir";;
 	  esac
 	  ;;
 	esac
@@ -4522,7 +5601,7 @@ func_mode_link ()
       -l*)
 	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
 	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*)
 	    # These systems don't actually have a C or math library (as such)
 	    continue
 	    ;;
@@ -4536,7 +5615,7 @@ func_mode_link ()
 	    ;;
 	  *-*-rhapsody* | *-*-darwin1.[012])
 	    # Rhapsody C and math libraries are in the System framework
-	    deplibs="$deplibs System.ltframework"
+	    func_append deplibs " System.ltframework"
 	    continue
 	    ;;
 	  *-*-sco3.2v5* | *-*-sco5v6*)
@@ -4556,7 +5635,7 @@ func_mode_link ()
 	   ;;
 	 esac
 	fi
-	deplibs="$deplibs $arg"
+	func_append deplibs " $arg"
 	continue
 	;;
 
@@ -4568,21 +5647,22 @@ func_mode_link ()
       # Tru64 UNIX uses -model [arg] to determine the layout of C++
       # classes, name mangling, and exception handling.
       # Darwin uses the -arch flag to determine output architecture.
-      -model|-arch|-isysroot)
-	compiler_flags="$compiler_flags $arg"
+      -model|-arch|-isysroot|--sysroot)
+	func_append compiler_flags " $arg"
 	func_append compile_command " $arg"
 	func_append finalize_command " $arg"
 	prev=xcompiler
 	continue
 	;;
 
-      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
-	compiler_flags="$compiler_flags $arg"
+      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+      |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
+	func_append compiler_flags " $arg"
 	func_append compile_command " $arg"
 	func_append finalize_command " $arg"
 	case "$new_inherited_linker_flags " in
 	    *" $arg "*) ;;
-	    * ) new_inherited_linker_flags="$new_inherited_linker_flags $arg" ;;
+	    * ) func_append new_inherited_linker_flags " $arg" ;;
 	esac
 	continue
 	;;
@@ -4649,13 +5729,17 @@ func_mode_link ()
 	# We need an absolute path.
 	case $dir in
 	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	=*)
+	  func_stripname '=' '' "$dir"
+	  dir=$lt_sysroot$func_stripname_result
+	  ;;
 	*)
 	  func_fatal_error "only absolute run-paths are allowed"
 	  ;;
 	esac
 	case "$xrpath " in
 	*" $dir "*) ;;
-	*) xrpath="$xrpath $dir" ;;
+	*) func_append xrpath " $dir" ;;
 	esac
 	continue
 	;;
@@ -4708,8 +5792,8 @@ func_mode_link ()
 	for flag in $args; do
 	  IFS="$save_ifs"
           func_quote_for_eval "$flag"
-	  arg="$arg $wl$func_quote_for_eval_result"
-	  compiler_flags="$compiler_flags $func_quote_for_eval_result"
+	  func_append arg " $func_quote_for_eval_result"
+	  func_append compiler_flags " $func_quote_for_eval_result"
 	done
 	IFS="$save_ifs"
 	func_stripname ' ' '' "$arg"
@@ -4724,9 +5808,9 @@ func_mode_link ()
 	for flag in $args; do
 	  IFS="$save_ifs"
           func_quote_for_eval "$flag"
-	  arg="$arg $wl$func_quote_for_eval_result"
-	  compiler_flags="$compiler_flags $wl$func_quote_for_eval_result"
-	  linker_flags="$linker_flags $func_quote_for_eval_result"
+	  func_append arg " $wl$func_quote_for_eval_result"
+	  func_append compiler_flags " $wl$func_quote_for_eval_result"
+	  func_append linker_flags " $func_quote_for_eval_result"
 	done
 	IFS="$save_ifs"
 	func_stripname ' ' '' "$arg"
@@ -4754,23 +5838,27 @@ func_mode_link ()
 	arg="$func_quote_for_eval_result"
 	;;
 
-      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
-      # -r[0-9][0-9]* specifies the processor on the SGI compiler
-      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
-      # +DA*, +DD* enable 64-bit mode on the HP compiler
-      # -q* pass through compiler args for the IBM compiler
-      # -m*, -t[45]*, -txscale* pass through architecture-specific
-      # compiler args for GCC
-      # -F/path gives path to uninstalled frameworks, gcc on darwin
-      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
-      # @file GCC response files
+      # Flags to be passed through unchanged, with rationale:
+      # -64, -mips[0-9]      enable 64-bit mode for the SGI compiler
+      # -r[0-9][0-9]*        specify processor for the SGI compiler
+      # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler
+      # +DA*, +DD*           enable 64-bit mode for the HP compiler
+      # -q*                  compiler args for the IBM compiler
+      # -m*, -t[45]*, -txscale* architecture-specific flags for GCC
+      # -F/path              path to uninstalled frameworks, gcc on darwin
+      # -p, -pg, --coverage, -fprofile-*  profiling flags for GCC
+      # @file                GCC response files
+      # -tp=*                Portland pgcc target processor selection
+      # --sysroot=*          for sysroot support
+      # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
       -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
-      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
+      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
+      -O*|-flto*|-fwhopr*|-fuse-linker-plugin)
         func_quote_for_eval "$arg"
 	arg="$func_quote_for_eval_result"
         func_append compile_command " $arg"
         func_append finalize_command " $arg"
-        compiler_flags="$compiler_flags $arg"
+        func_append compiler_flags " $arg"
         continue
         ;;
 
@@ -4782,7 +5870,7 @@ func_mode_link ()
 
       *.$objext)
 	# A standard object.
-	objs="$objs $arg"
+	func_append objs " $arg"
 	;;
 
       *.lo)
@@ -4813,7 +5901,7 @@ func_mode_link ()
 
 	    if test "$prev" = dlfiles; then
 	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		dlfiles="$dlfiles $pic_object"
+		func_append dlfiles " $pic_object"
 		prev=
 		continue
 	      else
@@ -4825,7 +5913,7 @@ func_mode_link ()
 	    # CHECK ME:  I think I busted this.  -Ossama
 	    if test "$prev" = dlprefiles; then
 	      # Preload the old-style object.
-	      dlprefiles="$dlprefiles $pic_object"
+	      func_append dlprefiles " $pic_object"
 	      prev=
 	    fi
 
@@ -4870,24 +5958,25 @@ func_mode_link ()
 
       *.$libext)
 	# An archive.
-	deplibs="$deplibs $arg"
-	old_deplibs="$old_deplibs $arg"
+	func_append deplibs " $arg"
+	func_append old_deplibs " $arg"
 	continue
 	;;
 
       *.la)
 	# A libtool-controlled library.
 
+	func_resolve_sysroot "$arg"
 	if test "$prev" = dlfiles; then
 	  # This library was specified with -dlopen.
-	  dlfiles="$dlfiles $arg"
+	  func_append dlfiles " $func_resolve_sysroot_result"
 	  prev=
 	elif test "$prev" = dlprefiles; then
 	  # The library was specified with -dlpreopen.
-	  dlprefiles="$dlprefiles $arg"
+	  func_append dlprefiles " $func_resolve_sysroot_result"
 	  prev=
 	else
-	  deplibs="$deplibs $arg"
+	  func_append deplibs " $func_resolve_sysroot_result"
 	fi
 	continue
 	;;
@@ -4925,7 +6014,7 @@ func_mode_link ()
 
     if test -n "$shlibpath_var"; then
       # get the directories listed in $shlibpath_var
-      eval shlib_search_path=\`\$ECHO \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+      eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\`
     else
       shlib_search_path=
     fi
@@ -4934,6 +6023,8 @@ func_mode_link ()
 
     func_dirname "$output" "/" ""
     output_objdir="$func_dirname_result$objdir"
+    func_to_tool_file "$output_objdir/"
+    tool_output_objdir=$func_to_tool_file_result
     # Create the object directory.
     func_mkdir_p "$output_objdir"
 
@@ -4954,12 +6045,12 @@ func_mode_link ()
     # Find all interdependent deplibs by searching for libraries
     # that are linked more than once (e.g. -la -lb -la)
     for deplib in $deplibs; do
-      if $opt_duplicate_deps ; then
+      if $opt_preserve_dup_deps ; then
 	case "$libs " in
-	*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	*" $deplib "*) func_append specialdeplibs " $deplib" ;;
 	esac
       fi
-      libs="$libs $deplib"
+      func_append libs " $deplib"
     done
 
     if test "$linkmode" = lib; then
@@ -4972,9 +6063,9 @@ func_mode_link ()
       if $opt_duplicate_compiler_generated_deps; then
 	for pre_post_dep in $predeps $postdeps; do
 	  case "$pre_post_deps " in
-	  *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+	  *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;;
 	  esac
-	  pre_post_deps="$pre_post_deps $pre_post_dep"
+	  func_append pre_post_deps " $pre_post_dep"
 	done
       fi
       pre_post_deps=
@@ -5044,17 +6135,19 @@ func_mode_link ()
 	for lib in $dlprefiles; do
 	  # Ignore non-libtool-libs
 	  dependency_libs=
+	  func_resolve_sysroot "$lib"
 	  case $lib in
-	  *.la)	func_source "$lib" ;;
+	  *.la)	func_source "$func_resolve_sysroot_result" ;;
 	  esac
 
 	  # Collect preopened libtool deplibs, except any this library
 	  # has declared as weak libs
 	  for deplib in $dependency_libs; do
-            deplib_base=`$ECHO "X$deplib" | $Xsed -e "$basename"`
+	    func_basename "$deplib"
+            deplib_base=$func_basename_result
 	    case " $weak_libs " in
 	    *" $deplib_base "*) ;;
-	    *) deplibs="$deplibs $deplib" ;;
+	    *) func_append deplibs " $deplib" ;;
 	    esac
 	  done
 	done
@@ -5070,16 +6163,17 @@ func_mode_link ()
 	lib=
 	found=no
 	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+        |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
 	  if test "$linkmode,$pass" = "prog,link"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
 	  else
-	    compiler_flags="$compiler_flags $deplib"
+	    func_append compiler_flags " $deplib"
 	    if test "$linkmode" = lib ; then
 		case "$new_inherited_linker_flags " in
 		    *" $deplib "*) ;;
-		    * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+		    * ) func_append new_inherited_linker_flags " $deplib" ;;
 		esac
 	    fi
 	  fi
@@ -5164,7 +6258,7 @@ func_mode_link ()
 	    if test "$linkmode" = lib ; then
 		case "$new_inherited_linker_flags " in
 		    *" $deplib "*) ;;
-		    * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;;
+		    * ) func_append new_inherited_linker_flags " $deplib" ;;
 		esac
 	    fi
 	  fi
@@ -5177,7 +6271,8 @@ func_mode_link ()
 	    test "$pass" = conv && continue
 	    newdependency_libs="$deplib $newdependency_libs"
 	    func_stripname '-L' '' "$deplib"
-	    newlib_search_path="$newlib_search_path $func_stripname_result"
+	    func_resolve_sysroot "$func_stripname_result"
+	    func_append newlib_search_path " $func_resolve_sysroot_result"
 	    ;;
 	  prog)
 	    if test "$pass" = conv; then
@@ -5191,7 +6286,8 @@ func_mode_link ()
 	      finalize_deplibs="$deplib $finalize_deplibs"
 	    fi
 	    func_stripname '-L' '' "$deplib"
-	    newlib_search_path="$newlib_search_path $func_stripname_result"
+	    func_resolve_sysroot "$func_stripname_result"
+	    func_append newlib_search_path " $func_resolve_sysroot_result"
 	    ;;
 	  *)
 	    func_warning "\`-L' is ignored for archives/objects"
@@ -5202,17 +6298,21 @@ func_mode_link ()
 	-R*)
 	  if test "$pass" = link; then
 	    func_stripname '-R' '' "$deplib"
-	    dir=$func_stripname_result
+	    func_resolve_sysroot "$func_stripname_result"
+	    dir=$func_resolve_sysroot_result
 	    # Make sure the xrpath contains only unique directories.
 	    case "$xrpath " in
 	    *" $dir "*) ;;
-	    *) xrpath="$xrpath $dir" ;;
+	    *) func_append xrpath " $dir" ;;
 	    esac
 	  fi
 	  deplibs="$deplib $deplibs"
 	  continue
 	  ;;
-	*.la) lib="$deplib" ;;
+	*.la)
+	  func_resolve_sysroot "$deplib"
+	  lib=$func_resolve_sysroot_result
+	  ;;
 	*.$libext)
 	  if test "$pass" = conv; then
 	    deplibs="$deplib $deplibs"
@@ -5230,7 +6330,7 @@ func_mode_link ()
 		match_pattern*)
 		  set dummy $deplibs_check_method; shift
 		  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
-		  if eval "\$ECHO \"X$deplib\"" 2>/dev/null | $Xsed -e 10q \
+		  if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \
 		    | $EGREP "$match_pattern_regex" > /dev/null; then
 		    valid_a_lib=yes
 		  fi
@@ -5240,15 +6340,15 @@ func_mode_link ()
 		;;
 	      esac
 	      if test "$valid_a_lib" != yes; then
-		$ECHO
+		echo
 		$ECHO "*** Warning: Trying to link with static lib archive $deplib."
-		$ECHO "*** I have the capability to make that library automatically link in when"
-		$ECHO "*** you link to this library.  But I can only do this if you have a"
-		$ECHO "*** shared version of the library, which you do not appear to have"
-		$ECHO "*** because the file extensions .$libext of this argument makes me believe"
-		$ECHO "*** that it is just a static archive that I should not use here."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because the file extensions .$libext of this argument makes me believe"
+		echo "*** that it is just a static archive that I should not use here."
 	      else
-		$ECHO
+		echo
 		$ECHO "*** Warning: Linking the shared library $output against the"
 		$ECHO "*** static library $deplib is not portable!"
 		deplibs="$deplib $deplibs"
@@ -5275,11 +6375,11 @@ func_mode_link ()
 	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
 	      # If there is no dlopen support or we're linking statically,
 	      # we need to preload.
-	      newdlprefiles="$newdlprefiles $deplib"
+	      func_append newdlprefiles " $deplib"
 	      compile_deplibs="$deplib $compile_deplibs"
 	      finalize_deplibs="$deplib $finalize_deplibs"
 	    else
-	      newdlfiles="$newdlfiles $deplib"
+	      func_append newdlfiles " $deplib"
 	    fi
 	  fi
 	  continue
@@ -5321,20 +6421,20 @@ func_mode_link ()
 
 	# Convert "-framework foo" to "foo.ltframework"
 	if test -n "$inherited_linker_flags"; then
-	  tmp_inherited_linker_flags=`$ECHO "X$inherited_linker_flags" | $Xsed -e 's/-framework \([^ $]*\)/\1.ltframework/g'`
+	  tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'`
 	  for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do
 	    case " $new_inherited_linker_flags " in
 	      *" $tmp_inherited_linker_flag "*) ;;
-	      *) new_inherited_linker_flags="$new_inherited_linker_flags $tmp_inherited_linker_flag";;
+	      *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";;
 	    esac
 	  done
 	fi
-	dependency_libs=`$ECHO "X $dependency_libs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	if test "$linkmode,$pass" = "lib,link" ||
 	   test "$linkmode,$pass" = "prog,scan" ||
 	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
-	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
-	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	  test -n "$dlopen" && func_append dlfiles " $dlopen"
+	  test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen"
 	fi
 
 	if test "$pass" = conv; then
@@ -5345,17 +6445,17 @@ func_mode_link ()
 	      func_fatal_error "cannot find name of link library for \`$lib'"
 	    fi
 	    # It is a libtool convenience library, so add in its objects.
-	    convenience="$convenience $ladir/$objdir/$old_library"
-	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	    func_append convenience " $ladir/$objdir/$old_library"
+	    func_append old_convenience " $ladir/$objdir/$old_library"
 	    tmp_libs=
 	    for deplib in $dependency_libs; do
 	      deplibs="$deplib $deplibs"
-	      if $opt_duplicate_deps ; then
+	      if $opt_preserve_dup_deps ; then
 		case "$tmp_libs " in
-		*" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+		*" $deplib "*) func_append specialdeplibs " $deplib" ;;
 		esac
 	      fi
-	      tmp_libs="$tmp_libs $deplib"
+	      func_append tmp_libs " $deplib"
 	    done
 	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
 	    func_fatal_error "\`$lib' is not a convenience library"
@@ -5366,9 +6466,15 @@ func_mode_link ()
 
 	# Get the name of the library we link against.
 	linklib=
-	for l in $old_library $library_names; do
-	  linklib="$l"
-	done
+	if test -n "$old_library" &&
+	   { test "$prefer_static_libs" = yes ||
+	     test "$prefer_static_libs,$installed" = "built,no"; }; then
+	  linklib=$old_library
+	else
+	  for l in $old_library $library_names; do
+	    linklib="$l"
+	  done
+	fi
 	if test -z "$linklib"; then
 	  func_fatal_error "cannot find name of link library for \`$lib'"
 	fi
@@ -5385,9 +6491,9 @@ func_mode_link ()
 	    # statically, we need to preload.  We also need to preload any
 	    # dependent libraries so libltdl's deplib preloader doesn't
 	    # bomb out in the load deplibs phase.
-	    dlprefiles="$dlprefiles $lib $dependency_libs"
+	    func_append dlprefiles " $lib $dependency_libs"
 	  else
-	    newdlfiles="$newdlfiles $lib"
+	    func_append newdlfiles " $lib"
 	  fi
 	  continue
 	fi # $pass = dlopen
@@ -5409,14 +6515,14 @@ func_mode_link ()
 
 	# Find the relevant object directory and library name.
 	if test "X$installed" = Xyes; then
-	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	  if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
 	    func_warning "library \`$lib' was moved."
 	    dir="$ladir"
 	    absdir="$abs_ladir"
 	    libdir="$abs_ladir"
 	  else
-	    dir="$libdir"
-	    absdir="$libdir"
+	    dir="$lt_sysroot$libdir"
+	    absdir="$lt_sysroot$libdir"
 	  fi
 	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
 	else
@@ -5424,12 +6530,12 @@ func_mode_link ()
 	    dir="$ladir"
 	    absdir="$abs_ladir"
 	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
+	    func_append notinst_path " $abs_ladir"
 	  else
 	    dir="$ladir/$objdir"
 	    absdir="$abs_ladir/$objdir"
 	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
+	    func_append notinst_path " $abs_ladir"
 	  fi
 	fi # $installed = yes
 	func_stripname 'lib' '.la' "$laname"
@@ -5440,20 +6546,46 @@ func_mode_link ()
 	  if test -z "$libdir" && test "$linkmode" = prog; then
 	    func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'"
 	  fi
-	  # Prefer using a static library (so that no silly _DYNAMIC symbols
-	  # are required to link).
-	  if test -n "$old_library"; then
-	    newdlprefiles="$newdlprefiles $dir/$old_library"
-	    # Keep a list of preopened convenience libraries to check
-	    # that they are being used correctly in the link pass.
-	    test -z "$libdir" && \
-		dlpreconveniencelibs="$dlpreconveniencelibs $dir/$old_library"
-	  # Otherwise, use the dlname, so that lt_dlopen finds it.
-	  elif test -n "$dlname"; then
-	    newdlprefiles="$newdlprefiles $dir/$dlname"
-	  else
-	    newdlprefiles="$newdlprefiles $dir/$linklib"
-	  fi
+	  case "$host" in
+	    # special handling for platforms with PE-DLLs.
+	    *cygwin* | *mingw* | *cegcc* )
+	      # Linker will automatically link against shared library if both
+	      # static and shared are present.  Therefore, ensure we extract
+	      # symbols from the import library if a shared library is present
+	      # (otherwise, the dlopen module name will be incorrect).  We do
+	      # this by putting the import library name into $newdlprefiles.
+	      # We recover the dlopen module name by 'saving' the la file
+	      # name in a special purpose variable, and (later) extracting the
+	      # dlname from the la file.
+	      if test -n "$dlname"; then
+	        func_tr_sh "$dir/$linklib"
+	        eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname"
+	        func_append newdlprefiles " $dir/$linklib"
+	      else
+	        func_append newdlprefiles " $dir/$old_library"
+	        # Keep a list of preopened convenience libraries to check
+	        # that they are being used correctly in the link pass.
+	        test -z "$libdir" && \
+	          func_append dlpreconveniencelibs " $dir/$old_library"
+	      fi
+	    ;;
+	    * )
+	      # Prefer using a static library (so that no silly _DYNAMIC symbols
+	      # are required to link).
+	      if test -n "$old_library"; then
+	        func_append newdlprefiles " $dir/$old_library"
+	        # Keep a list of preopened convenience libraries to check
+	        # that they are being used correctly in the link pass.
+	        test -z "$libdir" && \
+	          func_append dlpreconveniencelibs " $dir/$old_library"
+	      # Otherwise, use the dlname, so that lt_dlopen finds it.
+	      elif test -n "$dlname"; then
+	        func_append newdlprefiles " $dir/$dlname"
+	      else
+	        func_append newdlprefiles " $dir/$linklib"
+	      fi
+	    ;;
+	  esac
 	fi # $pass = dlpreopen
 
 	if test -z "$libdir"; then
@@ -5471,7 +6603,7 @@ func_mode_link ()
 
 
 	if test "$linkmode" = prog && test "$pass" != link; then
-	  newlib_search_path="$newlib_search_path $ladir"
+	  func_append newlib_search_path " $ladir"
 	  deplibs="$lib $deplibs"
 
 	  linkalldeplibs=no
@@ -5484,7 +6616,8 @@ func_mode_link ()
 	  for deplib in $dependency_libs; do
 	    case $deplib in
 	    -L*) func_stripname '-L' '' "$deplib"
-	         newlib_search_path="$newlib_search_path $func_stripname_result"
+	         func_resolve_sysroot "$func_stripname_result"
+	         func_append newlib_search_path " $func_resolve_sysroot_result"
 		 ;;
 	    esac
 	    # Need to link against all dependency_libs?
@@ -5495,12 +6628,12 @@ func_mode_link ()
 	      # or/and link against static libraries
 	      newdependency_libs="$deplib $newdependency_libs"
 	    fi
-	    if $opt_duplicate_deps ; then
+	    if $opt_preserve_dup_deps ; then
 	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
 	      esac
 	    fi
-	    tmp_libs="$tmp_libs $deplib"
+	    func_append tmp_libs " $deplib"
 	  done # for deplib
 	  continue
 	fi # $linkmode = prog...
@@ -5515,7 +6648,7 @@ func_mode_link ()
 	      # Make sure the rpath contains only unique directories.
 	      case "$temp_rpath:" in
 	      *"$absdir:"*) ;;
-	      *) temp_rpath="$temp_rpath$absdir:" ;;
+	      *) func_append temp_rpath "$absdir:" ;;
 	      esac
 	    fi
 
@@ -5527,7 +6660,7 @@ func_mode_link ()
 	    *)
 	      case "$compile_rpath " in
 	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
+	      *) func_append compile_rpath " $absdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5536,7 +6669,7 @@ func_mode_link ()
 	    *)
 	      case "$finalize_rpath " in
 	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
+	      *) func_append finalize_rpath " $libdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5561,12 +6694,12 @@ func_mode_link ()
 	  case $host in
 	  *cygwin* | *mingw* | *cegcc*)
 	      # No point in relinking DLLs because paths are not encoded
-	      notinst_deplibs="$notinst_deplibs $lib"
+	      func_append notinst_deplibs " $lib"
 	      need_relink=no
 	    ;;
 	  *)
 	    if test "$installed" = no; then
-	      notinst_deplibs="$notinst_deplibs $lib"
+	      func_append notinst_deplibs " $lib"
 	      need_relink=yes
 	    fi
 	    ;;
@@ -5583,7 +6716,7 @@ func_mode_link ()
 	    fi
 	  done
 	  if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then
-	    $ECHO
+	    echo
 	    if test "$linkmode" = prog; then
 	      $ECHO "*** Warning: Linking the executable $output against the loadable module"
 	    else
@@ -5601,7 +6734,7 @@ func_mode_link ()
 	    *)
 	      case "$compile_rpath " in
 	      *" $absdir "*) ;;
-	      *) compile_rpath="$compile_rpath $absdir"
+	      *) func_append compile_rpath " $absdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5610,7 +6743,7 @@ func_mode_link ()
 	    *)
 	      case "$finalize_rpath " in
 	      *" $libdir "*) ;;
-	      *) finalize_rpath="$finalize_rpath $libdir"
+	      *) func_append finalize_rpath " $libdir" ;;
 	      esac
 	      ;;
 	    esac
@@ -5664,7 +6797,7 @@ func_mode_link ()
 	    linklib=$newlib
 	  fi # test -n "$old_archive_from_expsyms_cmds"
 
-	  if test "$linkmode" = prog || test "$mode" != relink; then
+	  if test "$linkmode" = prog || test "$opt_mode" != relink; then
 	    add_shlibpath=
 	    add_dir=
 	    add=
@@ -5686,9 +6819,9 @@ func_mode_link ()
 		      if test "X$dlopenmodule" != "X$lib"; then
 			$ECHO "*** Warning: lib $linklib is a module, not a shared library"
 			if test -z "$old_library" ; then
-			  $ECHO
-			  $ECHO "*** And there doesn't seem to be a static archive available"
-			  $ECHO "*** The link will probably fail, sorry"
+			  echo
+			  echo "*** And there doesn't seem to be a static archive available"
+			  echo "*** The link will probably fail, sorry"
 			else
 			  add="$dir/$old_library"
 			fi
@@ -5715,12 +6848,12 @@ func_mode_link ()
 	         test "$hardcode_direct_absolute" = no; then
 		add="$dir/$linklib"
 	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$dir"
+		add_dir="-L$absdir"
 		# Try looking first in the location we're being installed to.
 		if test -n "$inst_prefix_dir"; then
 		  case $libdir in
 		    [\\/]*)
-		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		      func_append add_dir " -L$inst_prefix_dir$libdir"
 		      ;;
 		  esac
 		fi
@@ -5742,7 +6875,7 @@ func_mode_link ()
 	    if test -n "$add_shlibpath"; then
 	      case :$compile_shlibpath: in
 	      *":$add_shlibpath:"*) ;;
-	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+	      *) func_append compile_shlibpath "$add_shlibpath:" ;;
 	      esac
 	    fi
 	    if test "$linkmode" = prog; then
@@ -5756,13 +6889,13 @@ func_mode_link ()
 		 test "$hardcode_shlibpath_var" = yes; then
 		case :$finalize_shlibpath: in
 		*":$libdir:"*) ;;
-		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+		*) func_append finalize_shlibpath "$libdir:" ;;
 		esac
 	      fi
 	    fi
 	  fi
 
-	  if test "$linkmode" = prog || test "$mode" = relink; then
+	  if test "$linkmode" = prog || test "$opt_mode" = relink; then
 	    add_shlibpath=
 	    add_dir=
 	    add=
@@ -5776,7 +6909,7 @@ func_mode_link ()
 	    elif test "$hardcode_shlibpath_var" = yes; then
 	      case :$finalize_shlibpath: in
 	      *":$libdir:"*) ;;
-	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+	      *) func_append finalize_shlibpath "$libdir:" ;;
 	      esac
 	      add="-l$name"
 	    elif test "$hardcode_automatic" = yes; then
@@ -5793,7 +6926,7 @@ func_mode_link ()
 	      if test -n "$inst_prefix_dir"; then
 		case $libdir in
 		  [\\/]*)
-		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
+		    func_append add_dir " -L$inst_prefix_dir$libdir"
 		    ;;
 		esac
 	      fi
@@ -5828,21 +6961,21 @@ func_mode_link ()
 
 	    # Just print a warning and add the library to dependency_libs so
 	    # that the program can be linked against the static library.
-	    $ECHO
+	    echo
 	    $ECHO "*** Warning: This system can not link to static lib archive $lib."
-	    $ECHO "*** I have the capability to make that library automatically link in when"
-	    $ECHO "*** you link to this library.  But I can only do this if you have a"
-	    $ECHO "*** shared version of the library, which you do not appear to have."
+	    echo "*** I have the capability to make that library automatically link in when"
+	    echo "*** you link to this library.  But I can only do this if you have a"
+	    echo "*** shared version of the library, which you do not appear to have."
 	    if test "$module" = yes; then
-	      $ECHO "*** But as you try to build a module library, libtool will still create "
-	      $ECHO "*** a static module, that should work as long as the dlopening application"
-	      $ECHO "*** is linked with the -dlopen flag to resolve symbols at runtime."
+	      echo "*** But as you try to build a module library, libtool will still create "
+	      echo "*** a static module, that should work as long as the dlopening application"
+	      echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
 	      if test -z "$global_symbol_pipe"; then
-		$ECHO
-		$ECHO "*** However, this would only work if libtool was able to extract symbol"
-		$ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
-		$ECHO "*** not find such a program.  So, this module is probably useless."
-		$ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+		echo
+		echo "*** However, this would only work if libtool was able to extract symbol"
+		echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+		echo "*** not find such a program.  So, this module is probably useless."
+		echo "*** \`nm' from GNU binutils and a full rebuild may help."
 	      fi
 	      if test "$build_old_libs" = no; then
 		build_libtool_libs=module
@@ -5870,27 +7003,33 @@ func_mode_link ()
 	           temp_xrpath=$func_stripname_result
 		   case " $xrpath " in
 		   *" $temp_xrpath "*) ;;
-		   *) xrpath="$xrpath $temp_xrpath";;
+		   *) func_append xrpath " $temp_xrpath";;
 		   esac;;
-	      *) temp_deplibs="$temp_deplibs $libdir";;
+	      *) func_append temp_deplibs " $libdir";;
 	      esac
 	    done
 	    dependency_libs="$temp_deplibs"
 	  fi
 
-	  newlib_search_path="$newlib_search_path $absdir"
+	  func_append newlib_search_path " $absdir"
 	  # Link against this library
 	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
 	  # ... and its dependency_libs
 	  tmp_libs=
 	  for deplib in $dependency_libs; do
 	    newdependency_libs="$deplib $newdependency_libs"
-	    if $opt_duplicate_deps ; then
+	    case $deplib in
+              -L*) func_stripname '-L' '' "$deplib"
+                   func_resolve_sysroot "$func_stripname_result";;
+              *) func_resolve_sysroot "$deplib" ;;
+            esac
+	    if $opt_preserve_dup_deps ; then
 	      case "$tmp_libs " in
-	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      *" $func_resolve_sysroot_result "*)
+                func_append specialdeplibs " $func_resolve_sysroot_result" ;;
 	      esac
 	    fi
-	    tmp_libs="$tmp_libs $deplib"
+	    func_append tmp_libs " $func_resolve_sysroot_result"
 	  done
 
 	  if test "$link_all_deplibs" != no; then
@@ -5900,8 +7039,10 @@ func_mode_link ()
 	      case $deplib in
 	      -L*) path="$deplib" ;;
 	      *.la)
+	        func_resolve_sysroot "$deplib"
+	        deplib=$func_resolve_sysroot_result
 	        func_dirname "$deplib" "" "."
-		dir="$func_dirname_result"
+		dir=$func_dirname_result
 		# We need an absolute path.
 		case $dir in
 		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
@@ -5928,8 +7069,8 @@ func_mode_link ()
                       if test -z "$darwin_install_name"; then
                           darwin_install_name=`${OTOOL64} -L $depdepl  | awk '{if (NR == 2) {print $1;exit}}'`
                       fi
-		      compiler_flags="$compiler_flags ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
-		      linker_flags="$linker_flags -dylib_file ${darwin_install_name}:${depdepl}"
+		      func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
+		      func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}"
 		      path=
 		    fi
 		  fi
@@ -5962,7 +7103,7 @@ func_mode_link ()
 	  compile_deplibs="$new_inherited_linker_flags $compile_deplibs"
 	  finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs"
 	else
-	  compiler_flags="$compiler_flags "`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	fi
       fi
       dependency_libs="$newdependency_libs"
@@ -5979,7 +7120,7 @@ func_mode_link ()
 	  for dir in $newlib_search_path; do
 	    case "$lib_search_path " in
 	    *" $dir "*) ;;
-	    *) lib_search_path="$lib_search_path $dir" ;;
+	    *) func_append lib_search_path " $dir" ;;
 	    esac
 	  done
 	  newlib_search_path=
@@ -6037,10 +7178,10 @@ func_mode_link ()
 	    -L*)
 	      case " $tmp_libs " in
 	      *" $deplib "*) ;;
-	      *) tmp_libs="$tmp_libs $deplib" ;;
+	      *) func_append tmp_libs " $deplib" ;;
 	      esac
 	      ;;
-	    *) tmp_libs="$tmp_libs $deplib" ;;
+	    *) func_append tmp_libs " $deplib" ;;
 	    esac
 	  done
 	  eval $var=\"$tmp_libs\"
@@ -6056,7 +7197,7 @@ func_mode_link ()
 	  ;;
 	esac
 	if test -n "$i" ; then
-	  tmp_libs="$tmp_libs $i"
+	  func_append tmp_libs " $i"
 	fi
       done
       dependency_libs=$tmp_libs
@@ -6097,7 +7238,7 @@ func_mode_link ()
       # Now set the variables for building old libraries.
       build_libtool_libs=no
       oldlibs="$output"
-      objs="$objs$old_deplibs"
+      func_append objs "$old_deplibs"
       ;;
 
     lib)
@@ -6130,10 +7271,10 @@ func_mode_link ()
 	if test "$deplibs_check_method" != pass_all; then
 	  func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs"
 	else
-	  $ECHO
+	  echo
 	  $ECHO "*** Warning: Linking the shared library $output against the non-libtool"
 	  $ECHO "*** objects $objs is not portable!"
-	  libobjs="$libobjs $objs"
+	  func_append libobjs " $objs"
 	fi
       fi
 
@@ -6192,13 +7333,14 @@ func_mode_link ()
 	  # which has an extra 1 added just for fun
 	  #
 	  case $version_type in
+	  # correct linux to gnu/linux during the next big refactor
 	  darwin|linux|osf|windows|none)
 	    func_arith $number_major + $number_minor
 	    current=$func_arith_result
 	    age="$number_minor"
 	    revision="$number_revision"
 	    ;;
-	  freebsd-aout|freebsd-elf|sunos)
+	  freebsd-aout|freebsd-elf|qnx|sunos)
 	    current="$number_major"
 	    revision="$number_minor"
 	    age="0"
@@ -6311,7 +7453,7 @@ func_mode_link ()
 	  versuffix="$major.$revision"
 	  ;;
 
-	linux)
+	linux) # correct to gnu/linux during the next big refactor
 	  func_arith $current - $age
 	  major=.$func_arith_result
 	  versuffix="$major.$age.$revision"
@@ -6334,7 +7476,7 @@ func_mode_link ()
 	  done
 
 	  # Make executables depend on our current version.
-	  verstring="$verstring:${current}.0"
+	  func_append verstring ":${current}.0"
 	  ;;
 
 	qnx)
@@ -6402,10 +7544,10 @@ func_mode_link ()
       fi
 
       func_generate_dlsyms "$libname" "$libname" "yes"
-      libobjs="$libobjs $symfileobj"
+      func_append libobjs " $symfileobj"
       test "X$libobjs" = "X " && libobjs=
 
-      if test "$mode" != relink; then
+      if test "$opt_mode" != relink; then
 	# Remove our outputs, but don't remove object files since they
 	# may have been created when compiling PIC objects.
 	removelist=
@@ -6421,7 +7563,7 @@ func_mode_link ()
 		   continue
 		 fi
 	       fi
-	       removelist="$removelist $p"
+	       func_append removelist " $p"
 	       ;;
 	    *) ;;
 	  esac
@@ -6432,27 +7574,28 @@ func_mode_link ()
 
       # Now set the variables for building old libraries.
       if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
-	oldlibs="$oldlibs $output_objdir/$libname.$libext"
+	func_append oldlibs " $output_objdir/$libname.$libext"
 
 	# Transform .lo files to .o files.
-	oldobjs="$objs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+	oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP`
       fi
 
       # Eliminate all temporary directories.
       #for path in $notinst_path; do
-      #	lib_search_path=`$ECHO "X$lib_search_path " | $Xsed -e "s% $path % %g"`
-      #	deplibs=`$ECHO "X$deplibs " | $Xsed -e "s% -L$path % %g"`
-      #	dependency_libs=`$ECHO "X$dependency_libs " | $Xsed -e "s% -L$path % %g"`
+      #	lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"`
+      #	deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"`
+      #	dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"`
       #done
 
       if test -n "$xrpath"; then
 	# If the user specified any rpath flags, then add them.
 	temp_xrpath=
 	for libdir in $xrpath; do
-	  temp_xrpath="$temp_xrpath -R$libdir"
+	  func_replace_sysroot "$libdir"
+	  func_append temp_xrpath " -R$func_replace_sysroot_result"
 	  case "$finalize_rpath " in
 	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  *) func_append finalize_rpath " $libdir" ;;
 	  esac
 	done
 	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
@@ -6466,7 +7609,7 @@ func_mode_link ()
       for lib in $old_dlfiles; do
 	case " $dlprefiles $dlfiles " in
 	*" $lib "*) ;;
-	*) dlfiles="$dlfiles $lib" ;;
+	*) func_append dlfiles " $lib" ;;
 	esac
       done
 
@@ -6476,19 +7619,19 @@ func_mode_link ()
       for lib in $old_dlprefiles; do
 	case "$dlprefiles " in
 	*" $lib "*) ;;
-	*) dlprefiles="$dlprefiles $lib" ;;
+	*) func_append dlprefiles " $lib" ;;
 	esac
       done
 
       if test "$build_libtool_libs" = yes; then
 	if test -n "$rpath"; then
 	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*)
 	    # these systems don't actually have a c library (as such)!
 	    ;;
 	  *-*-rhapsody* | *-*-darwin1.[012])
 	    # Rhapsody C library is in the System framework
-	    deplibs="$deplibs System.ltframework"
+	    func_append deplibs " System.ltframework"
 	    ;;
 	  *-*-netbsd*)
 	    # Don't link with libc until the a.out ld.so is fixed.
@@ -6505,7 +7648,7 @@ func_mode_link ()
 	  *)
 	    # Add libc to deplibs on all other systems if necessary.
 	    if test "$build_libtool_need_lc" = "yes"; then
-	      deplibs="$deplibs -lc"
+	      func_append deplibs " -lc"
 	    fi
 	    ;;
 	  esac
@@ -6554,7 +7697,7 @@ EOF
 		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		  case " $predeps $postdeps " in
 		  *" $i "*)
-		    newdeplibs="$newdeplibs $i"
+		    func_append newdeplibs " $i"
 		    i=""
 		    ;;
 		  esac
@@ -6565,21 +7708,21 @@ EOF
 		  set dummy $deplib_matches; shift
 		  deplib_match=$1
 		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		    newdeplibs="$newdeplibs $i"
+		    func_append newdeplibs " $i"
 		  else
 		    droppeddeps=yes
-		    $ECHO
+		    echo
 		    $ECHO "*** Warning: dynamic linker does not accept needed library $i."
-		    $ECHO "*** I have the capability to make that library automatically link in when"
-		    $ECHO "*** you link to this library.  But I can only do this if you have a"
-		    $ECHO "*** shared version of the library, which I believe you do not have"
-		    $ECHO "*** because a test_compile did reveal that the linker did not use it for"
-		    $ECHO "*** its dynamic dependency list that programs get resolved with at runtime."
+		    echo "*** I have the capability to make that library automatically link in when"
+		    echo "*** you link to this library.  But I can only do this if you have a"
+		    echo "*** shared version of the library, which I believe you do not have"
+		    echo "*** because a test_compile did reveal that the linker did not use it for"
+		    echo "*** its dynamic dependency list that programs get resolved with at runtime."
 		  fi
 		fi
 		;;
 	      *)
-		newdeplibs="$newdeplibs $i"
+		func_append newdeplibs " $i"
 		;;
 	      esac
 	    done
@@ -6597,7 +7740,7 @@ EOF
 		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		    case " $predeps $postdeps " in
 		    *" $i "*)
-		      newdeplibs="$newdeplibs $i"
+		      func_append newdeplibs " $i"
 		      i=""
 		      ;;
 		    esac
@@ -6608,29 +7751,29 @@ EOF
 		    set dummy $deplib_matches; shift
 		    deplib_match=$1
 		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		      newdeplibs="$newdeplibs $i"
+		      func_append newdeplibs " $i"
 		    else
 		      droppeddeps=yes
-		      $ECHO
+		      echo
 		      $ECHO "*** Warning: dynamic linker does not accept needed library $i."
-		      $ECHO "*** I have the capability to make that library automatically link in when"
-		      $ECHO "*** you link to this library.  But I can only do this if you have a"
-		      $ECHO "*** shared version of the library, which you do not appear to have"
-		      $ECHO "*** because a test_compile did reveal that the linker did not use this one"
-		      $ECHO "*** as a dynamic dependency that programs can get resolved with at runtime."
+		      echo "*** I have the capability to make that library automatically link in when"
+		      echo "*** you link to this library.  But I can only do this if you have a"
+		      echo "*** shared version of the library, which you do not appear to have"
+		      echo "*** because a test_compile did reveal that the linker did not use this one"
+		      echo "*** as a dynamic dependency that programs can get resolved with at runtime."
 		    fi
 		  fi
 		else
 		  droppeddeps=yes
-		  $ECHO
+		  echo
 		  $ECHO "*** Warning!  Library $i is needed by this library but I was not able to"
-		  $ECHO "*** make it link in!  You will probably need to install it or some"
-		  $ECHO "*** library that it depends on before this library will be fully"
-		  $ECHO "*** functional.  Installing it before continuing would be even better."
+		  echo "*** make it link in!  You will probably need to install it or some"
+		  echo "*** library that it depends on before this library will be fully"
+		  echo "*** functional.  Installing it before continuing would be even better."
 		fi
 		;;
 	      *)
-		newdeplibs="$newdeplibs $i"
+		func_append newdeplibs " $i"
 		;;
 	      esac
 	    done
@@ -6647,15 +7790,27 @@ EOF
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		case " $predeps $postdeps " in
 		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
+		  func_append newdeplibs " $a_deplib"
 		  a_deplib=""
 		  ;;
 		esac
 	      fi
 	      if test -n "$a_deplib" ; then
 		libname=`eval "\\$ECHO \"$libname_spec\""`
+		if test -n "$file_magic_glob"; then
+		  libnameglob=`func_echo_all "$libname" | $SED -e $file_magic_glob`
+		else
+		  libnameglob=$libname
+		fi
+		test "$want_nocaseglob" = yes && nocaseglob=`shopt -p nocaseglob`
 		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		  if test "$want_nocaseglob" = yes; then
+		    shopt -s nocaseglob
+		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+		    $nocaseglob
+		  else
+		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
+		  fi
 		  for potent_lib in $potential_libs; do
 		      # Follow soft links.
 		      if ls -lLd "$potent_lib" 2>/dev/null |
@@ -6672,13 +7827,13 @@ EOF
 			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
 			case $potliblink in
 			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
-			*) potlib=`$ECHO "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+			*) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";;
 			esac
 		      done
 		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null |
 			 $SED -e 10q |
 			 $EGREP "$file_magic_regex" > /dev/null; then
-			newdeplibs="$newdeplibs $a_deplib"
+			func_append newdeplibs " $a_deplib"
 			a_deplib=""
 			break 2
 		      fi
@@ -6687,12 +7842,12 @@ EOF
 	      fi
 	      if test -n "$a_deplib" ; then
 		droppeddeps=yes
-		$ECHO
+		echo
 		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
-		$ECHO "*** I have the capability to make that library automatically link in when"
-		$ECHO "*** you link to this library.  But I can only do this if you have a"
-		$ECHO "*** shared version of the library, which you do not appear to have"
-		$ECHO "*** because I did check the linker path looking for a file starting"
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because I did check the linker path looking for a file starting"
 		if test -z "$potlib" ; then
 		  $ECHO "*** with $libname but no candidates were found. (...for file magic test)"
 		else
@@ -6703,7 +7858,7 @@ EOF
 	      ;;
 	    *)
 	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
+	      func_append newdeplibs " $a_deplib"
 	      ;;
 	    esac
 	  done # Gone through all deplibs.
@@ -6719,7 +7874,7 @@ EOF
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		case " $predeps $postdeps " in
 		*" $a_deplib "*)
-		  newdeplibs="$newdeplibs $a_deplib"
+		  func_append newdeplibs " $a_deplib"
 		  a_deplib=""
 		  ;;
 		esac
@@ -6730,9 +7885,9 @@ EOF
 		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
 		  for potent_lib in $potential_libs; do
 		    potlib="$potent_lib" # see symlink-check above in file_magic test
-		    if eval "\$ECHO \"X$potent_lib\"" 2>/dev/null | $Xsed -e 10q | \
+		    if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \
 		       $EGREP "$match_pattern_regex" > /dev/null; then
-		      newdeplibs="$newdeplibs $a_deplib"
+		      func_append newdeplibs " $a_deplib"
 		      a_deplib=""
 		      break 2
 		    fi
@@ -6741,12 +7896,12 @@ EOF
 	      fi
 	      if test -n "$a_deplib" ; then
 		droppeddeps=yes
-		$ECHO
+		echo
 		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
-		$ECHO "*** I have the capability to make that library automatically link in when"
-		$ECHO "*** you link to this library.  But I can only do this if you have a"
-		$ECHO "*** shared version of the library, which you do not appear to have"
-		$ECHO "*** because I did check the linker path looking for a file starting"
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have"
+		echo "*** because I did check the linker path looking for a file starting"
 		if test -z "$potlib" ; then
 		  $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)"
 		else
@@ -6757,32 +7912,32 @@ EOF
 	      ;;
 	    *)
 	      # Add a -L argument.
-	      newdeplibs="$newdeplibs $a_deplib"
+	      func_append newdeplibs " $a_deplib"
 	      ;;
 	    esac
 	  done # Gone through all deplibs.
 	  ;;
 	none | unknown | *)
 	  newdeplibs=""
-	  tmp_deplibs=`$ECHO "X $deplibs" | $Xsed \
-	      -e 's/ -lc$//' -e 's/ -[LR][^ ]*//g'`
+	  tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'`
 	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 	    for i in $predeps $postdeps ; do
 	      # can't use Xsed below, because $i might contain '/'
-	      tmp_deplibs=`$ECHO "X $tmp_deplibs" | $Xsed -e "s,$i,,"`
+	      tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"`
 	    done
 	  fi
-	  if $ECHO "X $tmp_deplibs" | $Xsed -e 's/[	 ]//g' |
-	     $GREP . >/dev/null; then
-	    $ECHO
+	  case $tmp_deplibs in
+	  *[!\	\ ]*)
+	    echo
 	    if test "X$deplibs_check_method" = "Xnone"; then
-	      $ECHO "*** Warning: inter-library dependencies are not supported in this platform."
+	      echo "*** Warning: inter-library dependencies are not supported in this platform."
 	    else
-	      $ECHO "*** Warning: inter-library dependencies are not known to be supported."
+	      echo "*** Warning: inter-library dependencies are not known to be supported."
 	    fi
-	    $ECHO "*** All declared inter-library dependencies are being dropped."
+	    echo "*** All declared inter-library dependencies are being dropped."
 	    droppeddeps=yes
-	  fi
+	    ;;
+	  esac
 	  ;;
 	esac
 	versuffix=$versuffix_save
@@ -6794,23 +7949,23 @@ EOF
 	case $host in
 	*-*-rhapsody* | *-*-darwin1.[012])
 	  # On Rhapsody replace the C library with the System framework
-	  newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'`
 	  ;;
 	esac
 
 	if test "$droppeddeps" = yes; then
 	  if test "$module" = yes; then
-	    $ECHO
-	    $ECHO "*** Warning: libtool could not satisfy all declared inter-library"
+	    echo
+	    echo "*** Warning: libtool could not satisfy all declared inter-library"
 	    $ECHO "*** dependencies of module $libname.  Therefore, libtool will create"
-	    $ECHO "*** a static module, that should work as long as the dlopening"
-	    $ECHO "*** application is linked with the -dlopen flag."
+	    echo "*** a static module, that should work as long as the dlopening"
+	    echo "*** application is linked with the -dlopen flag."
 	    if test -z "$global_symbol_pipe"; then
-	      $ECHO
-	      $ECHO "*** However, this would only work if libtool was able to extract symbol"
-	      $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could"
-	      $ECHO "*** not find such a program.  So, this module is probably useless."
-	      $ECHO "*** \`nm' from GNU binutils and a full rebuild may help."
+	      echo
+	      echo "*** However, this would only work if libtool was able to extract symbol"
+	      echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      echo "*** not find such a program.  So, this module is probably useless."
+	      echo "*** \`nm' from GNU binutils and a full rebuild may help."
 	    fi
 	    if test "$build_old_libs" = no; then
 	      oldlibs="$output_objdir/$libname.$libext"
@@ -6820,16 +7975,16 @@ EOF
 	      build_libtool_libs=no
 	    fi
 	  else
-	    $ECHO "*** The inter-library dependencies that have been dropped here will be"
-	    $ECHO "*** automatically added whenever a program is linked with this library"
-	    $ECHO "*** or is declared to -dlopen it."
+	    echo "*** The inter-library dependencies that have been dropped here will be"
+	    echo "*** automatically added whenever a program is linked with this library"
+	    echo "*** or is declared to -dlopen it."
 
 	    if test "$allow_undefined" = no; then
-	      $ECHO
-	      $ECHO "*** Since this library must not contain undefined symbols,"
-	      $ECHO "*** because either the platform does not support them or"
-	      $ECHO "*** it was explicitly requested with -no-undefined,"
-	      $ECHO "*** libtool will only create a static version of it."
+	      echo
+	      echo "*** Since this library must not contain undefined symbols,"
+	      echo "*** because either the platform does not support them or"
+	      echo "*** it was explicitly requested with -no-undefined,"
+	      echo "*** libtool will only create a static version of it."
 	      if test "$build_old_libs" = no; then
 		oldlibs="$output_objdir/$libname.$libext"
 		build_libtool_libs=module
@@ -6846,9 +8001,9 @@ EOF
       # Time to change all our "foo.ltframework" stuff back to "-framework foo"
       case $host in
 	*-*-darwin*)
-	  newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
-	  new_inherited_linker_flags=`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
-	  deplibs=`$ECHO "X $deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	  deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	  ;;
       esac
 
@@ -6861,7 +8016,7 @@ EOF
 	*)
 	  case " $deplibs " in
 	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
+	    func_append new_libs " -L$path/$objdir" ;;
 	  esac
 	  ;;
 	esac
@@ -6871,10 +8026,10 @@ EOF
 	-L*)
 	  case " $new_libs " in
 	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
+	  *) func_append new_libs " $deplib" ;;
 	  esac
 	  ;;
-	*) new_libs="$new_libs $deplib" ;;
+	*) func_append new_libs " $deplib" ;;
 	esac
       done
       deplibs="$new_libs"
@@ -6886,15 +8041,22 @@ EOF
 
       # Test again, we may have decided not to build it any more
       if test "$build_libtool_libs" = yes; then
+	# Remove ${wl} instances when linking with ld.
+	# FIXME: should test the right _cmds variable.
+	case $archive_cmds in
+	  *\$LD\ *) wl= ;;
+        esac
 	if test "$hardcode_into_libs" = yes; then
 	  # Hardcode the library paths
 	  hardcode_libdirs=
 	  dep_rpath=
 	  rpath="$finalize_rpath"
-	  test "$mode" != relink && rpath="$compile_rpath$rpath"
+	  test "$opt_mode" != relink && rpath="$compile_rpath$rpath"
 	  for libdir in $rpath; do
 	    if test -n "$hardcode_libdir_flag_spec"; then
 	      if test -n "$hardcode_libdir_separator"; then
+		func_replace_sysroot "$libdir"
+		libdir=$func_replace_sysroot_result
 		if test -z "$hardcode_libdirs"; then
 		  hardcode_libdirs="$libdir"
 		else
@@ -6903,18 +8065,18 @@ EOF
 		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
 		    ;;
 		  *)
-		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		    func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
 		    ;;
 		  esac
 		fi
 	      else
 		eval flag=\"$hardcode_libdir_flag_spec\"
-		dep_rpath="$dep_rpath $flag"
+		func_append dep_rpath " $flag"
 	      fi
 	    elif test -n "$runpath_var"; then
 	      case "$perm_rpath " in
 	      *" $libdir "*) ;;
-	      *) perm_rpath="$perm_rpath $libdir" ;;
+	      *) func_append perm_rpath " $libdir" ;;
 	      esac
 	    fi
 	  done
@@ -6922,17 +8084,13 @@ EOF
 	  if test -n "$hardcode_libdir_separator" &&
 	     test -n "$hardcode_libdirs"; then
 	    libdir="$hardcode_libdirs"
-	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
-	    else
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
-	    fi
+	    eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
 	  fi
 	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
 	    # We should set the runpath_var.
 	    rpath=
 	    for dir in $perm_rpath; do
-	      rpath="$rpath$dir:"
+	      func_append rpath "$dir:"
 	    done
 	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
 	  fi
@@ -6940,7 +8098,7 @@ EOF
 	fi
 
 	shlibpath="$finalize_shlibpath"
-	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
 	if test -n "$shlibpath"; then
 	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
 	fi
@@ -6966,18 +8124,18 @@ EOF
 	linknames=
 	for link
 	do
-	  linknames="$linknames $link"
+	  func_append linknames " $link"
 	done
 
 	# Use standard objects if they are pic
-	test -z "$pic_flag" && libobjs=`$ECHO "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP`
 	test "X$libobjs" = "X " && libobjs=
 
 	delfiles=
 	if test -n "$export_symbols" && test -n "$include_expsyms"; then
 	  $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp"
 	  export_symbols="$output_objdir/$libname.uexp"
-	  delfiles="$delfiles $export_symbols"
+	  func_append delfiles " $export_symbols"
 	fi
 
 	orig_export_symbols=
@@ -7008,13 +8166,45 @@ EOF
 	    $opt_dry_run || $RM $export_symbols
 	    cmds=$export_symbols_cmds
 	    save_ifs="$IFS"; IFS='~'
-	    for cmd in $cmds; do
+	    for cmd1 in $cmds; do
 	      IFS="$save_ifs"
-	      eval cmd=\"$cmd\"
-	      func_len " $cmd"
-	      len=$func_len_result
-	      if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+	      # Take the normal branch if the nm_file_list_spec branch
+	      # doesn't work or if tool conversion is not needed.
+	      case $nm_file_list_spec~$to_tool_file_cmd in
+		*~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*)
+		  try_normal_branch=yes
+		  eval cmd=\"$cmd1\"
+		  func_len " $cmd"
+		  len=$func_len_result
+		  ;;
+		*)
+		  try_normal_branch=no
+		  ;;
+	      esac
+	      if test "$try_normal_branch" = yes \
+		 && { test "$len" -lt "$max_cmd_len" \
+		      || test "$max_cmd_len" -le -1; }
+	      then
+		func_show_eval "$cmd" 'exit $?'
+		skipped_export=false
+	      elif test -n "$nm_file_list_spec"; then
+		func_basename "$output"
+		output_la=$func_basename_result
+		save_libobjs=$libobjs
+		save_output=$output
+		output=${output_objdir}/${output_la}.nm
+		func_to_tool_file "$output"
+		libobjs=$nm_file_list_spec$func_to_tool_file_result
+		func_append delfiles " $output"
+		func_verbose "creating $NM input file list: $output"
+		for obj in $save_libobjs; do
+		  func_to_tool_file "$obj"
+		  $ECHO "$func_to_tool_file_result"
+		done > "$output"
+		eval cmd=\"$cmd1\"
 		func_show_eval "$cmd" 'exit $?'
+		output=$save_output
+		libobjs=$save_libobjs
 		skipped_export=false
 	      else
 		# The command line is too long to execute in one step.
@@ -7036,7 +8226,7 @@ EOF
 	if test -n "$export_symbols" && test -n "$include_expsyms"; then
 	  tmp_export_symbols="$export_symbols"
 	  test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
-	  $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+	  $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
 	fi
 
 	if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then
@@ -7048,7 +8238,7 @@ EOF
 	  # global variables. join(1) would be nice here, but unfortunately
 	  # isn't a blessed tool.
 	  $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
-	  delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+	  func_append delfiles " $export_symbols $output_objdir/$libname.filter"
 	  export_symbols=$output_objdir/$libname.def
 	  $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
 	fi
@@ -7058,7 +8248,7 @@ EOF
 	  case " $convenience " in
 	  *" $test_deplib "*) ;;
 	  *)
-	    tmp_deplibs="$tmp_deplibs $test_deplib"
+	    func_append tmp_deplibs " $test_deplib"
 	    ;;
 	  esac
 	done
@@ -7078,21 +8268,21 @@ EOF
 	    test "X$libobjs" = "X " && libobjs=
 	  else
 	    gentop="$output_objdir/${outputname}x"
-	    generated="$generated $gentop"
+	    func_append generated " $gentop"
 
 	    func_extract_archives $gentop $convenience
-	    libobjs="$libobjs $func_extract_archives_result"
+	    func_append libobjs " $func_extract_archives_result"
 	    test "X$libobjs" = "X " && libobjs=
 	  fi
 	fi
 
 	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
 	  eval flag=\"$thread_safe_flag_spec\"
-	  linker_flags="$linker_flags $flag"
+	  func_append linker_flags " $flag"
 	fi
 
 	# Make a backup of the uninstalled library when relinking
-	if test "$mode" = relink; then
+	if test "$opt_mode" = relink; then
 	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $?
 	fi
 
@@ -7137,7 +8327,8 @@ EOF
 	    save_libobjs=$libobjs
 	  fi
 	  save_output=$output
-	  output_la=`$ECHO "X$output" | $Xsed -e "$basename"`
+	  func_basename "$output"
+	  output_la=$func_basename_result
 
 	  # Clear the reloadable object creation command queue and
 	  # initialize k to one.
@@ -7150,13 +8341,16 @@ EOF
 	  if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then
 	    output=${output_objdir}/${output_la}.lnkscript
 	    func_verbose "creating GNU ld script: $output"
-	    $ECHO 'INPUT (' > $output
+	    echo 'INPUT (' > $output
 	    for obj in $save_libobjs
 	    do
-	      $ECHO "$obj" >> $output
+	      func_to_tool_file "$obj"
+	      $ECHO "$func_to_tool_file_result" >> $output
 	    done
-	    $ECHO ')' >> $output
-	    delfiles="$delfiles $output"
+	    echo ')' >> $output
+	    func_append delfiles " $output"
+	    func_to_tool_file "$output"
+	    output=$func_to_tool_file_result
 	  elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then
 	    output=${output_objdir}/${output_la}.lnk
 	    func_verbose "creating linker input file list: $output"
@@ -7170,10 +8364,12 @@ EOF
 	    fi
 	    for obj
 	    do
-	      $ECHO "$obj" >> $output
+	      func_to_tool_file "$obj"
+	      $ECHO "$func_to_tool_file_result" >> $output
 	    done
-	    delfiles="$delfiles $output"
-	    output=$firstobj\"$file_list_spec$output\"
+	    func_append delfiles " $output"
+	    func_to_tool_file "$output"
+	    output=$firstobj\"$file_list_spec$func_to_tool_file_result\"
 	  else
 	    if test -n "$save_libobjs"; then
 	      func_verbose "creating reloadable object files..."
@@ -7197,17 +8393,19 @@ EOF
 		  # command to the queue.
 		  if test "$k" -eq 1 ; then
 		    # The first file doesn't have a previous command to add.
-		    eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
+		    reload_objs=$objlist
+		    eval concat_cmds=\"$reload_cmds\"
 		  else
 		    # All subsequent reloadable object files will link in
 		    # the last one created.
-		    eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj~\$RM $last_robj\"
+		    reload_objs="$objlist $last_robj"
+		    eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\"
 		  fi
 		  last_robj=$output_objdir/$output_la-${k}.$objext
 		  func_arith $k + 1
 		  k=$func_arith_result
 		  output=$output_objdir/$output_la-${k}.$objext
-		  objlist=$obj
+		  objlist=" $obj"
 		  func_len " $last_robj"
 		  func_arith $len0 + $func_len_result
 		  len=$func_arith_result
@@ -7217,11 +8415,12 @@ EOF
 	      # reloadable object file.  All subsequent reloadable object
 	      # files will link in the last one created.
 	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
+	      reload_objs="$objlist $last_robj"
+	      eval concat_cmds=\"\${concat_cmds}$reload_cmds\"
 	      if test -n "$last_robj"; then
 	        eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\"
 	      fi
-	      delfiles="$delfiles $output"
+	      func_append delfiles " $output"
 
 	    else
 	      output=
@@ -7255,7 +8454,7 @@ EOF
 		lt_exit=$?
 
 		# Restore the uninstalled library and exit
-		if test "$mode" = relink; then
+		if test "$opt_mode" = relink; then
 		  ( cd "$output_objdir" && \
 		    $RM "${realname}T" && \
 		    $MV "${realname}U" "$realname" )
@@ -7276,7 +8475,7 @@ EOF
 	    if test -n "$export_symbols" && test -n "$include_expsyms"; then
 	      tmp_export_symbols="$export_symbols"
 	      test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
-	      $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"'
+	      $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
 	    fi
 
 	    if test -n "$orig_export_symbols"; then
@@ -7288,7 +8487,7 @@ EOF
 	      # global variables. join(1) would be nice here, but unfortunately
 	      # isn't a blessed tool.
 	      $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
-	      delfiles="$delfiles $export_symbols $output_objdir/$libname.filter"
+	      func_append delfiles " $export_symbols $output_objdir/$libname.filter"
 	      export_symbols=$output_objdir/$libname.def
 	      $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
 	    fi
@@ -7329,10 +8528,10 @@ EOF
 	# Add any objects from preloaded convenience libraries
 	if test -n "$dlprefiles"; then
 	  gentop="$output_objdir/${outputname}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $dlprefiles
-	  libobjs="$libobjs $func_extract_archives_result"
+	  func_append libobjs " $func_extract_archives_result"
 	  test "X$libobjs" = "X " && libobjs=
 	fi
 
@@ -7348,7 +8547,7 @@ EOF
 	    lt_exit=$?
 
 	    # Restore the uninstalled library and exit
-	    if test "$mode" = relink; then
+	    if test "$opt_mode" = relink; then
 	      ( cd "$output_objdir" && \
 	        $RM "${realname}T" && \
 		$MV "${realname}U" "$realname" )
@@ -7360,7 +8559,7 @@ EOF
 	IFS="$save_ifs"
 
 	# Restore the uninstalled library and exit
-	if test "$mode" = relink; then
+	if test "$opt_mode" = relink; then
 	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $?
 
 	  if test -n "$convenience"; then
@@ -7441,18 +8640,21 @@ EOF
       if test -n "$convenience"; then
 	if test -n "$whole_archive_flag_spec"; then
 	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
-	  reload_conv_objs=$reload_objs\ `$ECHO "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
+	  reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'`
 	else
 	  gentop="$output_objdir/${obj}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $convenience
 	  reload_conv_objs="$reload_objs $func_extract_archives_result"
 	fi
       fi
 
+      # If we're not building shared, we need to use non_pic_objs
+      test "$build_libtool_libs" != yes && libobjs="$non_pic_objects"
+
       # Create the old-style object.
-      reload_objs="$objs$old_deplibs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+      reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
 
       output="$obj"
       func_execute_cmds "$reload_cmds" 'exit $?'
@@ -7512,8 +8714,8 @@ EOF
       case $host in
       *-*-rhapsody* | *-*-darwin1.[012])
 	# On Rhapsody replace the C library is the System framework
-	compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
-	finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'`
+	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'`
+	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'`
 	;;
       esac
 
@@ -7524,14 +8726,14 @@ EOF
 	if test "$tagname" = CXX ; then
 	  case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
 	    10.[0123])
-	      compile_command="$compile_command ${wl}-bind_at_load"
-	      finalize_command="$finalize_command ${wl}-bind_at_load"
+	      func_append compile_command " ${wl}-bind_at_load"
+	      func_append finalize_command " ${wl}-bind_at_load"
 	    ;;
 	  esac
 	fi
 	# Time to change all our "foo.ltframework" stuff back to "-framework foo"
-	compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
-	finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'`
+	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
+	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	;;
       esac
 
@@ -7545,7 +8747,7 @@ EOF
 	*)
 	  case " $compile_deplibs " in
 	  *" -L$path/$objdir "*)
-	    new_libs="$new_libs -L$path/$objdir" ;;
+	    func_append new_libs " -L$path/$objdir" ;;
 	  esac
 	  ;;
 	esac
@@ -7555,17 +8757,17 @@ EOF
 	-L*)
 	  case " $new_libs " in
 	  *" $deplib "*) ;;
-	  *) new_libs="$new_libs $deplib" ;;
+	  *) func_append new_libs " $deplib" ;;
 	  esac
 	  ;;
-	*) new_libs="$new_libs $deplib" ;;
+	*) func_append new_libs " $deplib" ;;
 	esac
       done
       compile_deplibs="$new_libs"
 
 
-      compile_command="$compile_command $compile_deplibs"
-      finalize_command="$finalize_command $finalize_deplibs"
+      func_append compile_command " $compile_deplibs"
+      func_append finalize_command " $finalize_deplibs"
 
       if test -n "$rpath$xrpath"; then
 	# If the user specified any rpath flags, then add them.
@@ -7573,7 +8775,7 @@ EOF
 	  # This is the magic to use -rpath.
 	  case "$finalize_rpath " in
 	  *" $libdir "*) ;;
-	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  *) func_append finalize_rpath " $libdir" ;;
 	  esac
 	done
       fi
@@ -7592,18 +8794,18 @@ EOF
 	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
 		;;
 	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
 		;;
 	      esac
 	    fi
 	  else
 	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
+	    func_append rpath " $flag"
 	  fi
 	elif test -n "$runpath_var"; then
 	  case "$perm_rpath " in
 	  *" $libdir "*) ;;
-	  *) perm_rpath="$perm_rpath $libdir" ;;
+	  *) func_append perm_rpath " $libdir" ;;
 	  esac
 	fi
 	case $host in
@@ -7612,12 +8814,12 @@ EOF
 	  case :$dllsearchpath: in
 	  *":$libdir:"*) ;;
 	  ::) dllsearchpath=$libdir;;
-	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  *) func_append dllsearchpath ":$libdir";;
 	  esac
 	  case :$dllsearchpath: in
 	  *":$testbindir:"*) ;;
 	  ::) dllsearchpath=$testbindir;;
-	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  *) func_append dllsearchpath ":$testbindir";;
 	  esac
 	  ;;
 	esac
@@ -7643,18 +8845,18 @@ EOF
 	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
 		;;
 	      *)
-		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
 		;;
 	      esac
 	    fi
 	  else
 	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    rpath="$rpath $flag"
+	    func_append rpath " $flag"
 	  fi
 	elif test -n "$runpath_var"; then
 	  case "$finalize_perm_rpath " in
 	  *" $libdir "*) ;;
-	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+	  *) func_append finalize_perm_rpath " $libdir" ;;
 	  esac
 	fi
       done
@@ -7668,8 +8870,8 @@ EOF
 
       if test -n "$libobjs" && test "$build_old_libs" = yes; then
 	# Transform all the library objects into standard objects.
-	compile_command=`$ECHO "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-	finalize_command=`$ECHO "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
+	finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
       fi
 
       func_generate_dlsyms "$outputname" "@PROGRAM@" "no"
@@ -7681,15 +8883,15 @@ EOF
 
       wrappers_required=yes
       case $host in
+      *cegcc* | *mingw32ce*)
+        # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway.
+        wrappers_required=no
+        ;;
       *cygwin* | *mingw* )
         if test "$build_libtool_libs" != yes; then
           wrappers_required=no
         fi
         ;;
-      *cegcc)
-        # Disable wrappers for cegcc, we are cross compiling anyway.
-        wrappers_required=no
-        ;;
       *)
         if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
           wrappers_required=no
@@ -7698,13 +8900,19 @@ EOF
       esac
       if test "$wrappers_required" = no; then
 	# Replace the output file specification.
-	compile_command=`$ECHO "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
 	link_command="$compile_command$compile_rpath"
 
 	# We have no uninstalled library dependencies, so finalize right now.
 	exit_status=0
 	func_show_eval "$link_command" 'exit_status=$?'
 
+	if test -n "$postlink_cmds"; then
+	  func_to_tool_file "$output"
+	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	  func_execute_cmds "$postlink_cmds" 'exit $?'
+	fi
+
 	# Delete the generated files.
 	if test -f "$output_objdir/${outputname}S.${objext}"; then
 	  func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"'
@@ -7727,7 +8935,7 @@ EOF
 	  # We should set the runpath_var.
 	  rpath=
 	  for dir in $perm_rpath; do
-	    rpath="$rpath$dir:"
+	    func_append rpath "$dir:"
 	  done
 	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
 	fi
@@ -7735,7 +8943,7 @@ EOF
 	  # We should set the runpath_var.
 	  rpath=
 	  for dir in $finalize_perm_rpath; do
-	    rpath="$rpath$dir:"
+	    func_append rpath "$dir:"
 	  done
 	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
 	fi
@@ -7745,11 +8953,18 @@ EOF
 	# We don't need to create a wrapper script.
 	link_command="$compile_var$compile_command$compile_rpath"
 	# Replace the output file specification.
-	link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
 	# Delete the old output file.
 	$opt_dry_run || $RM $output
 	# Link the executable and exit
 	func_show_eval "$link_command" 'exit $?'
+
+	if test -n "$postlink_cmds"; then
+	  func_to_tool_file "$output"
+	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	  func_execute_cmds "$postlink_cmds" 'exit $?'
+	fi
+
 	exit $EXIT_SUCCESS
       fi
 
@@ -7764,7 +8979,7 @@ EOF
 	if test "$fast_install" != no; then
 	  link_command="$finalize_var$compile_command$finalize_rpath"
 	  if test "$fast_install" = yes; then
-	    relink_command=`$ECHO "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	    relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'`
 	  else
 	    # fast_install is set to needless
 	    relink_command=
@@ -7776,13 +8991,19 @@ EOF
       fi
 
       # Replace the output file specification.
-      link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+      link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
 
       # Delete the old output files.
       $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname
 
       func_show_eval "$link_command" 'exit $?'
 
+      if test -n "$postlink_cmds"; then
+	func_to_tool_file "$output_objdir/$outputname"
+	postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
+	func_execute_cmds "$postlink_cmds" 'exit $?'
+      fi
+
       # Now create the wrapper script.
       func_verbose "creating $output"
 
@@ -7800,18 +9021,7 @@ EOF
 	  fi
 	done
 	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
-      fi
-
-      # Quote $ECHO for shipping.
-      if test "X$ECHO" = "X$SHELL $progpath --fallback-echo"; then
-	case $progpath in
-	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
-	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
-	esac
-	qecho=`$ECHO "X$qecho" | $Xsed -e "$sed_quote_subst"`
-      else
-	qecho=`$ECHO "X$ECHO" | $Xsed -e "$sed_quote_subst"`
+	relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
       fi
 
       # Only actually do things if not in dry run mode.
@@ -7891,7 +9101,7 @@ EOF
 	else
 	  oldobjs="$old_deplibs $non_pic_objects"
 	  if test "$preload" = yes && test -f "$symfileobj"; then
-	    oldobjs="$oldobjs $symfileobj"
+	    func_append oldobjs " $symfileobj"
 	  fi
 	fi
 	addlibs="$old_convenience"
@@ -7899,10 +9109,10 @@ EOF
 
       if test -n "$addlibs"; then
 	gentop="$output_objdir/${outputname}x"
-	generated="$generated $gentop"
+	func_append generated " $gentop"
 
 	func_extract_archives $gentop $addlibs
-	oldobjs="$oldobjs $func_extract_archives_result"
+	func_append oldobjs " $func_extract_archives_result"
       fi
 
       # Do each command in the archive commands.
@@ -7913,10 +9123,10 @@ EOF
 	# Add any objects from preloaded convenience libraries
 	if test -n "$dlprefiles"; then
 	  gentop="$output_objdir/${outputname}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $dlprefiles
-	  oldobjs="$oldobjs $func_extract_archives_result"
+	  func_append oldobjs " $func_extract_archives_result"
 	fi
 
 	# POSIX demands no paths to be encoded in archives.  We have
@@ -7932,9 +9142,9 @@ EOF
 	    done | sort | sort -uc >/dev/null 2>&1); then
 	  :
 	else
-	  $ECHO "copying selected object files to avoid basename conflicts..."
+	  echo "copying selected object files to avoid basename conflicts..."
 	  gentop="$output_objdir/${outputname}x"
-	  generated="$generated $gentop"
+	  func_append generated " $gentop"
 	  func_mkdir_p "$gentop"
 	  save_oldobjs=$oldobjs
 	  oldobjs=
@@ -7958,18 +9168,30 @@ EOF
 		esac
 	      done
 	      func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
-	      oldobjs="$oldobjs $gentop/$newobj"
+	      func_append oldobjs " $gentop/$newobj"
 	      ;;
-	    *) oldobjs="$oldobjs $obj" ;;
+	    *) func_append oldobjs " $obj" ;;
 	    esac
 	  done
 	fi
+	func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+	tool_oldlib=$func_to_tool_file_result
 	eval cmds=\"$old_archive_cmds\"
 
 	func_len " $cmds"
 	len=$func_len_result
 	if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
 	  cmds=$old_archive_cmds
+	elif test -n "$archiver_list_spec"; then
+	  func_verbose "using command file archive linking..."
+	  for obj in $oldobjs
+	  do
+	    func_to_tool_file "$obj"
+	    $ECHO "$func_to_tool_file_result"
+	  done > $output_objdir/$libname.libcmd
+	  func_to_tool_file "$output_objdir/$libname.libcmd"
+	  oldobjs=" $archiver_list_spec$func_to_tool_file_result"
+	  cmds=$old_archive_cmds
 	else
 	  # the command line is too long to link in one step, link in parts
 	  func_verbose "using piecewise archive linking..."
@@ -8043,7 +9265,7 @@ EOF
       done
       # Quote the link command for shipping.
       relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
       if test "$hardcode_automatic" = yes ; then
 	relink_command=
       fi
@@ -8063,12 +9285,23 @@ EOF
 	      *.la)
 		func_basename "$deplib"
 		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		func_resolve_sysroot "$deplib"
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$deplib' is not a valid libtool archive"
-		newdependency_libs="$newdependency_libs $libdir/$name"
+		func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
+		;;
+	      -L*)
+		func_stripname -L '' "$deplib"
+		func_replace_sysroot "$func_stripname_result"
+		func_append newdependency_libs " -L$func_replace_sysroot_result"
+		;;
+	      -R*)
+		func_stripname -R '' "$deplib"
+		func_replace_sysroot "$func_stripname_result"
+		func_append newdependency_libs " -R$func_replace_sysroot_result"
 		;;
-	      *) newdependency_libs="$newdependency_libs $deplib" ;;
+	      *) func_append newdependency_libs " $deplib" ;;
 	      esac
 	    done
 	    dependency_libs="$newdependency_libs"
@@ -8082,9 +9315,9 @@ EOF
 		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$lib' is not a valid libtool archive"
-		newdlfiles="$newdlfiles $libdir/$name"
+		func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name"
 		;;
-	      *) newdlfiles="$newdlfiles $lib" ;;
+	      *) func_append newdlfiles " $lib" ;;
 	      esac
 	    done
 	    dlfiles="$newdlfiles"
@@ -8101,7 +9334,7 @@ EOF
 		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$lib' is not a valid libtool archive"
-		newdlprefiles="$newdlprefiles $libdir/$name"
+		func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name"
 		;;
 	      esac
 	    done
@@ -8113,7 +9346,7 @@ EOF
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
-	      newdlfiles="$newdlfiles $abs"
+	      func_append newdlfiles " $abs"
 	    done
 	    dlfiles="$newdlfiles"
 	    newdlprefiles=
@@ -8122,15 +9355,33 @@ EOF
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
-	      newdlprefiles="$newdlprefiles $abs"
+	      func_append newdlprefiles " $abs"
 	    done
 	    dlprefiles="$newdlprefiles"
 	  fi
 	  $RM $output
 	  # place dlname in correct position for cygwin
+	  # In fact, it would be nice if we could use this code for all target
+	  # systems that can't hard-code library paths into their executables
+	  # and that have no shared library path variable independent of PATH,
+	  # but it turns out we can't easily determine that from inspecting
+	  # libtool variables, so we have to hard-code the OSs to which it
+	  # applies here; at the moment, that means platforms that use the PE
+	  # object format with DLL files.  See the long comment at the top of
+	  # tests/bindir.at for full details.
 	  tdlname=$dlname
 	  case $host,$output,$installed,$module,$dlname in
-	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll)
+	      # If a -bindir argument was supplied, place the dll there.
+	      if test "x$bindir" != x ;
+	      then
+		func_relative_path "$install_libdir" "$bindir"
+		tdlname=$func_relative_path_result$dlname
+	      else
+		# Otherwise fall back on heuristic.
+		tdlname=../bin/$dlname
+	      fi
+	      ;;
 	  esac
 	  $ECHO > $output "\
 # $outputname - a libtool library file
@@ -8189,7 +9440,7 @@ relink_command=\"$relink_command\""
     exit $EXIT_SUCCESS
 }
 
-{ test "$mode" = link || test "$mode" = relink; } &&
+{ test "$opt_mode" = link || test "$opt_mode" = relink; } &&
     func_mode_link ${1+"$@"}
 
 
@@ -8209,9 +9460,9 @@ func_mode_uninstall ()
     for arg
     do
       case $arg in
-      -f) RM="$RM $arg"; rmforce=yes ;;
-      -*) RM="$RM $arg" ;;
-      *) files="$files $arg" ;;
+      -f) func_append RM " $arg"; rmforce=yes ;;
+      -*) func_append RM " $arg" ;;
+      *) func_append files " $arg" ;;
       esac
     done
 
@@ -8220,24 +9471,23 @@ func_mode_uninstall ()
 
     rmdirs=
 
-    origobjdir="$objdir"
     for file in $files; do
       func_dirname "$file" "" "."
       dir="$func_dirname_result"
       if test "X$dir" = X.; then
-	objdir="$origobjdir"
+	odir="$objdir"
       else
-	objdir="$dir/$origobjdir"
+	odir="$dir/$objdir"
       fi
       func_basename "$file"
       name="$func_basename_result"
-      test "$mode" = uninstall && objdir="$dir"
+      test "$opt_mode" = uninstall && odir="$dir"
 
-      # Remember objdir for removal later, being careful to avoid duplicates
-      if test "$mode" = clean; then
+      # Remember odir for removal later, being careful to avoid duplicates
+      if test "$opt_mode" = clean; then
 	case " $rmdirs " in
-	  *" $objdir "*) ;;
-	  *) rmdirs="$rmdirs $objdir" ;;
+	  *" $odir "*) ;;
+	  *) func_append rmdirs " $odir" ;;
 	esac
       fi
 
@@ -8263,18 +9513,17 @@ func_mode_uninstall ()
 
 	  # Delete the libtool libraries and symlinks.
 	  for n in $library_names; do
-	    rmfiles="$rmfiles $objdir/$n"
+	    func_append rmfiles " $odir/$n"
 	  done
-	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+	  test -n "$old_library" && func_append rmfiles " $odir/$old_library"
 
-	  case "$mode" in
+	  case "$opt_mode" in
 	  clean)
-	    case "  $library_names " in
-	    # "  " in the beginning catches empty $dlname
+	    case " $library_names " in
 	    *" $dlname "*) ;;
-	    *) rmfiles="$rmfiles $objdir/$dlname" ;;
+	    *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;;
 	    esac
-	    test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+	    test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i"
 	    ;;
 	  uninstall)
 	    if test -n "$library_names"; then
@@ -8302,19 +9551,19 @@ func_mode_uninstall ()
 	  # Add PIC object to the list of files to remove.
 	  if test -n "$pic_object" &&
 	     test "$pic_object" != none; then
-	    rmfiles="$rmfiles $dir/$pic_object"
+	    func_append rmfiles " $dir/$pic_object"
 	  fi
 
 	  # Add non-PIC object to the list of files to remove.
 	  if test -n "$non_pic_object" &&
 	     test "$non_pic_object" != none; then
-	    rmfiles="$rmfiles $dir/$non_pic_object"
+	    func_append rmfiles " $dir/$non_pic_object"
 	  fi
 	fi
 	;;
 
       *)
-	if test "$mode" = clean ; then
+	if test "$opt_mode" = clean ; then
 	  noexename=$name
 	  case $file in
 	  *.exe)
@@ -8324,7 +9573,7 @@ func_mode_uninstall ()
 	    noexename=$func_stripname_result
 	    # $file with .exe has already been added to rmfiles,
 	    # add $file without .exe
-	    rmfiles="$rmfiles $file"
+	    func_append rmfiles " $file"
 	    ;;
 	  esac
 	  # Do a test to see if this is a libtool program.
@@ -8333,7 +9582,7 @@ func_mode_uninstall ()
 	      func_ltwrapper_scriptname "$file"
 	      relink_command=
 	      func_source $func_ltwrapper_scriptname_result
-	      rmfiles="$rmfiles $func_ltwrapper_scriptname_result"
+	      func_append rmfiles " $func_ltwrapper_scriptname_result"
 	    else
 	      relink_command=
 	      func_source $dir/$noexename
@@ -8341,12 +9590,12 @@ func_mode_uninstall ()
 
 	    # note $name still contains .exe if it was in $file originally
 	    # as does the version of $file that was added into $rmfiles
-	    rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+	    func_append rmfiles " $odir/$name $odir/${name}S.${objext}"
 	    if test "$fast_install" = yes && test -n "$relink_command"; then
-	      rmfiles="$rmfiles $objdir/lt-$name"
+	      func_append rmfiles " $odir/lt-$name"
 	    fi
 	    if test "X$noexename" != "X$name" ; then
-	      rmfiles="$rmfiles $objdir/lt-${noexename}.c"
+	      func_append rmfiles " $odir/lt-${noexename}.c"
 	    fi
 	  fi
 	fi
@@ -8354,7 +9603,6 @@ func_mode_uninstall ()
       esac
       func_show_eval "$RM $rmfiles" 'exit_status=1'
     done
-    objdir="$origobjdir"
 
     # Try to remove the ${objdir}s in the directories where we deleted files
     for dir in $rmdirs; do
@@ -8366,16 +9614,16 @@ func_mode_uninstall ()
     exit $exit_status
 }
 
-{ test "$mode" = uninstall || test "$mode" = clean; } &&
+{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } &&
     func_mode_uninstall ${1+"$@"}
 
-test -z "$mode" && {
+test -z "$opt_mode" && {
   help="$generic_help"
   func_fatal_help "you must specify a MODE"
 }
 
 test -z "$exec_cmd" && \
-  func_fatal_help "invalid operation mode \`$mode'"
+  func_fatal_help "invalid operation mode \`$opt_mode'"
 
 if test -n "$exec_cmd"; then
   eval exec "$exec_cmd"
diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4
index a3fee5360..02b4bbec5 100644
--- a/m4/config/libtool.m4
+++ b/m4/config/libtool.m4
@@ -1,7 +1,8 @@
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 # This file is free software; the Free Software Foundation gives
@@ -10,7 +11,8 @@
 
 m4_define([_LT_COPYING], [dnl
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008 Free Software Foundation, Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -37,7 +39,7 @@ m4_define([_LT_COPYING], [dnl
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 ])
 
-# serial 56 LT_INIT
+# serial 57 LT_INIT
 
 
 # LT_PREREQ(VERSION)
@@ -66,6 +68,7 @@ esac
 # ------------------
 AC_DEFUN([LT_INIT],
 [AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT
+AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
 AC_BEFORE([$0], [LT_LANG])dnl
 AC_BEFORE([$0], [LT_OUTPUT])dnl
 AC_BEFORE([$0], [LTDL_INIT])dnl
@@ -82,6 +85,8 @@ AC_REQUIRE([LTVERSION_VERSION])dnl
 AC_REQUIRE([LTOBSOLETE_VERSION])dnl
 m4_require([_LT_PROG_LTMAIN])dnl
 
+_LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}])
+
 dnl Parse OPTIONS
 _LT_SET_OPTIONS([$0], [$1])
 
@@ -118,7 +123,7 @@ m4_defun([_LT_CC_BASENAME],
     *) break;;
   esac
 done
-cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
 ])
 
 
@@ -138,6 +143,11 @@ m4_defun([_LT_FILEUTILS_DEFAULTS],
 m4_defun([_LT_SETUP],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
+
+_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
+dnl
 _LT_DECL([], [host_alias], [0], [The host system])dnl
 _LT_DECL([], [host], [0])dnl
 _LT_DECL([], [host_os], [0])dnl
@@ -160,10 +170,13 @@ _LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
 dnl
 m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl
 m4_require([_LT_CMD_RELOAD])dnl
 m4_require([_LT_CHECK_MAGIC_METHOD])dnl
+m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl
 m4_require([_LT_CMD_OLD_ARCHIVE])dnl
 m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_WITH_SYSROOT])dnl
 
 _LT_CONFIG_LIBTOOL_INIT([
 # See if we are running on zsh, and set the options which allow our
@@ -179,7 +192,6 @@ fi
 _LT_CHECK_OBJDIR
 
 m4_require([_LT_TAG_COMPILER])dnl
-_LT_PROG_ECHO_BACKSLASH
 
 case $host_os in
 aix3*)
@@ -193,23 +205,6 @@ aix3*)
   ;;
 esac
 
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([["`\\]]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
 # Global variables:
 ofile=libtool
 can_build_shared=yes
@@ -250,6 +245,28 @@ _LT_CONFIG_COMMANDS
 ])# _LT_SETUP
 
 
+# _LT_PREPARE_SED_QUOTE_VARS
+# --------------------------
+# Define a few sed substitution that help us do robust quoting.
+m4_defun([_LT_PREPARE_SED_QUOTE_VARS],
+[# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([["`\\]]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+])
+
 # _LT_PROG_LTMAIN
 # ---------------
 # Note that this code is called both from `configure', and `config.status'
@@ -408,7 +425,7 @@ m4_define([_lt_decl_all_varnames],
 # declaration there will have the same value as in `configure'.  VARNAME
 # must have a single quote delimited value for this to work.
 m4_define([_LT_CONFIG_STATUS_DECLARE],
-[$1='`$ECHO "X$][$1" | $Xsed -e "$delay_single_quote_subst"`'])
+[$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`'])
 
 
 # _LT_CONFIG_STATUS_DECLARATIONS
@@ -418,7 +435,7 @@ m4_define([_LT_CONFIG_STATUS_DECLARE],
 # embedded single quotes properly.  In configure, this macro expands
 # each variable declared with _LT_DECL (and _LT_TAGDECL) into:
 #
-#    <var>='`$ECHO "X$<var>" | $Xsed -e "$delay_single_quote_subst"`'
+#    <var>='`$ECHO "$<var>" | $SED "$delay_single_quote_subst"`'
 m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
 [m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
     [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
@@ -517,12 +534,20 @@ LTCC='$LTCC'
 LTCFLAGS='$LTCFLAGS'
 compiler='$compiler_DEFAULT'
 
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+\$[]1
+_LTECHO_EOF'
+}
+
 # Quote evaled strings.
 for var in lt_decl_all_varnames([[ \
 ]], lt_decl_quote_varnames); do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -533,9 +558,9 @@ done
 # Double-quote double-evaled strings.
 for var in lt_decl_all_varnames([[ \
 ]], lt_decl_dquote_varnames); do
-    case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in
+    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
     *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
+      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
       ;;
     *)
       eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
@@ -543,16 +568,38 @@ for var in lt_decl_all_varnames([[ \
     esac
 done
 
-# Fix-up fallback echo if it was mangled by the above quoting rules.
-case \$lt_ECHO in
-*'\\\[$]0 --fallback-echo"')dnl "
-  lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\[$]0 --fallback-echo"\[$]/\[$]0 --fallback-echo"/'\`
-  ;;
-esac
-
 _LT_OUTPUT_LIBTOOL_INIT
 ])
 
+# _LT_GENERATED_FILE_INIT(FILE, [COMMENT])
+# ------------------------------------
+# Generate a child script FILE with all initialization necessary to
+# reuse the environment learned by the parent script, and make the
+# file executable.  If COMMENT is supplied, it is inserted after the
+# `#!' sequence but before initialization text begins.  After this
+# macro, additional text can be appended to FILE to form the body of
+# the child script.  The macro ends with non-zero status if the
+# file could not be fully written (such as if the disk is full).
+m4_ifdef([AS_INIT_GENERATED],
+[m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])],
+[m4_defun([_LT_GENERATED_FILE_INIT],
+[m4_require([AS_PREPARE])]dnl
+[m4_pushdef([AS_MESSAGE_LOG_FD])]dnl
+[lt_write_fail=0
+cat >$1 <<_ASEOF || lt_write_fail=1
+#! $SHELL
+# Generated by $as_me.
+$2
+SHELL=\${CONFIG_SHELL-$SHELL}
+export SHELL
+_ASEOF
+cat >>$1 <<\_ASEOF || lt_write_fail=1
+AS_SHELL_SANITIZE
+_AS_PREPARE
+exec AS_MESSAGE_FD>&1
+_ASEOF
+test $lt_write_fail = 0 && chmod +x $1[]dnl
+m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT
 
 # LT_OUTPUT
 # ---------
@@ -562,20 +609,11 @@ _LT_OUTPUT_LIBTOOL_INIT
 AC_DEFUN([LT_OUTPUT],
 [: ${CONFIG_LT=./config.lt}
 AC_MSG_NOTICE([creating $CONFIG_LT])
-cat >"$CONFIG_LT" <<_LTEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate a libtool stub with the current configuration.
-
-lt_cl_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_LTEOF
+_LT_GENERATED_FILE_INIT(["$CONFIG_LT"],
+[# Run this file to recreate a libtool stub with the current configuration.])
 
 cat >>"$CONFIG_LT" <<\_LTEOF
-AS_SHELL_SANITIZE
-_AS_PREPARE
-
-exec AS_MESSAGE_FD>&1
+lt_cl_silent=false
 exec AS_MESSAGE_LOG_FD>>config.log
 {
   echo
@@ -601,7 +639,7 @@ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
 m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
 configured by $[0], generated by m4_PACKAGE_STRING.
 
-Copyright (C) 2008 Free Software Foundation, Inc.
+Copyright (C) 2011 Free Software Foundation, Inc.
 This config.lt script is free software; the Free Software Foundation
 gives unlimited permision to copy, distribute and modify it."
 
@@ -646,15 +684,13 @@ chmod +x "$CONFIG_LT"
 # appending to config.log, which fails on DOS, as config.log is still kept
 # open by configure.  Here we exec the FD to /dev/null, effectively closing
 # config.log, so it can be properly (re)opened and appended to by config.lt.
-if test "$no_create" != yes; then
-  lt_cl_success=:
-  test "$silent" = yes &&
-    lt_config_lt_args="$lt_config_lt_args --quiet"
-  exec AS_MESSAGE_LOG_FD>/dev/null
-  $SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
-  exec AS_MESSAGE_LOG_FD>>config.log
-  $lt_cl_success || AS_EXIT(1)
-fi
+lt_cl_success=:
+test "$silent" = yes &&
+  lt_config_lt_args="$lt_config_lt_args --quiet"
+exec AS_MESSAGE_LOG_FD>/dev/null
+$SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
+exec AS_MESSAGE_LOG_FD>>config.log
+$lt_cl_success || AS_EXIT(1)
 ])# LT_OUTPUT
 
 
@@ -717,15 +753,12 @@ _LT_EOF
   # if finds mixed CR/LF and LF-only lines.  Since sed operates in
   # text mode, it properly converts lines to CR/LF.  This bash problem
   # is reportedly fixed, but why not run on old versions too?
-  sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
-
-  _LT_PROG_XSI_SHELLFNS
+  sed '$q' "$ltmain" >> "$cfgfile" \
+     || (rm -f "$cfgfile"; exit 1)
 
-  sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \
-    || (rm -f "$cfgfile"; exit 1)
+  _LT_PROG_REPLACE_SHELLFNS
 
-  mv -f "$cfgfile" "$ofile" ||
+   mv -f "$cfgfile" "$ofile" ||
     (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
   chmod +x "$ofile"
 ],
@@ -770,6 +803,7 @@ AC_DEFUN([LT_LANG],
 m4_case([$1],
   [C],			[_LT_LANG(C)],
   [C++],		[_LT_LANG(CXX)],
+  [Go],			[_LT_LANG(GO)],
   [Java],		[_LT_LANG(GCJ)],
   [Fortran 77],		[_LT_LANG(F77)],
   [Fortran],		[_LT_LANG(FC)],
@@ -791,6 +825,31 @@ m4_defun([_LT_LANG],
 ])# _LT_LANG
 
 
+m4_ifndef([AC_PROG_GO], [
+############################################################
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_GO.  When it is available in    #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+############################################################
+m4_defun([AC_PROG_GO],
+[AC_LANG_PUSH(Go)dnl
+AC_ARG_VAR([GOC],     [Go compiler command])dnl
+AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
+_AC_ARG_VAR_LDFLAGS()dnl
+AC_CHECK_TOOL(GOC, gccgo)
+if test -z "$GOC"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
+  fi
+fi
+if test -z "$GOC"; then
+  AC_CHECK_PROG(GOC, gccgo, gccgo, false)
+fi
+])#m4_defun
+])#m4_ifndef
+
+
 # _LT_LANG_DEFAULT_CONFIG
 # -----------------------
 m4_defun([_LT_LANG_DEFAULT_CONFIG],
@@ -821,6 +880,10 @@ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
        m4_ifdef([LT_PROG_GCJ],
 	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
 
+AC_PROVIDE_IFELSE([AC_PROG_GO],
+  [LT_LANG(GO)],
+  [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
+
 AC_PROVIDE_IFELSE([LT_PROG_RC],
   [LT_LANG(RC)],
   [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
@@ -831,11 +894,13 @@ AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
 AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
 AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
 AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
+AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)])
 dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
 dnl AC_DEFUN([AC_LIBTOOL_F77], [])
 dnl AC_DEFUN([AC_LIBTOOL_FC], [])
 dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
+dnl AC_DEFUN([AC_LIBTOOL_RC], [])
 
 
 # _LT_TAG_COMPILER
@@ -921,7 +986,13 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&AS_MESSAGE_LOG_FD
@@ -929,6 +1000,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	rm -rf libconftest.dylib*
 	rm -f conftest.*
       fi])
+
     AC_CACHE_CHECK([for -exported_symbols_list linker flag],
       [lt_cv_ld_exported_symbols_list],
       [lt_cv_ld_exported_symbols_list=no
@@ -940,6 +1012,34 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	[lt_cv_ld_exported_symbols_list=no])
 	LDFLAGS="$save_LDFLAGS"
     ])
+
+    AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
+      [lt_cv_ld_force_load=no
+      cat > conftest.c << _LT_EOF
+int forced_loaded() { return 2;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
+      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
+      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
+      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
+      echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
+      $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
+      cat > conftest.c << _LT_EOF
+int main() { return 0;}
+_LT_EOF
+      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
+      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
+      _lt_result=$?
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
+	lt_cv_ld_force_load=yes
+      else
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      fi
+        rm -f conftest.err libconftest.a conftest conftest.c
+        rm -rf conftest.dSYM
+    ])
     case $host_os in
     rhapsody* | darwin1.[[012]])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -967,7 +1067,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
     else
       _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
     fi
-    if test "$DSYMUTIL" != ":"; then
+    if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then
       _lt_dsymutil='~$DSYMUTIL $lib || :'
     else
       _lt_dsymutil=
@@ -977,8 +1077,8 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 ])
 
 
-# _LT_DARWIN_LINKER_FEATURES
-# --------------------------
+# _LT_DARWIN_LINKER_FEATURES([TAG])
+# ---------------------------------
 # Checks for linker and compiler features on darwin
 m4_defun([_LT_DARWIN_LINKER_FEATURES],
 [
@@ -987,7 +1087,13 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
   _LT_TAGVAR(hardcode_direct, $1)=no
   _LT_TAGVAR(hardcode_automatic, $1)=yes
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+  if test "$lt_cv_ld_force_load" = "yes"; then
+    _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+    m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
+                  [FC],  [_LT_TAGVAR(compiler_needs_object, $1)=yes])
+  else
+    _LT_TAGVAR(whole_archive_flag_spec, $1)=''
+  fi
   _LT_TAGVAR(link_all_deplibs, $1)=yes
   _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
   case $cc_basename in
@@ -995,7 +1101,7 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
      *) _lt_dar_can_shared=$GCC ;;
   esac
   if test "$_lt_dar_can_shared" = "yes"; then
-    output_verbose_link_cmd=echo
+    output_verbose_link_cmd=func_echo_all
     _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
     _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
     _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
@@ -1011,203 +1117,142 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
   fi
 ])
 
-# _LT_SYS_MODULE_PATH_AIX
-# -----------------------
+# _LT_SYS_MODULE_PATH_AIX([TAGNAME])
+# ----------------------------------
 # Links a minimal program and checks the executable
 # for the system default hardcoded library path. In most cases,
 # this is /usr/lib:/lib, but when the MPI compilers are used
 # the location of the communication and MPI libs are included too.
 # If we don't find anything, use the default library path according
 # to the aix ld manual.
+# Store the results from the different compilers for each TAGNAME.
+# Allow to override them for all tags through lt_cv_aix_libpath.
 m4_defun([_LT_SYS_MODULE_PATH_AIX],
 [m4_require([_LT_DECL_SED])dnl
-AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-lt_aix_libpath_sed='
-    /Import File Strings/,/^$/ {
-	/^0/ {
-	    s/^0  *\(.*\)$/\1/
-	    p
-	}
-    }'
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then
-  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-fi],[])
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+if test "${lt_cv_aix_libpath+set}" = set; then
+  aix_libpath=$lt_cv_aix_libpath
+else
+  AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])],
+  [AC_LINK_IFELSE([AC_LANG_PROGRAM],[
+  lt_aix_libpath_sed='[
+      /Import File Strings/,/^$/ {
+	  /^0/ {
+	      s/^0  *\([^ ]*\) *$/\1/
+	      p
+	  }
+      }]'
+  _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  # Check for a 64-bit object if we didn't find anything.
+  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+  fi],[])
+  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
+    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])="/usr/lib:/lib"
+  fi
+  ])
+  aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])
+fi
 ])# _LT_SYS_MODULE_PATH_AIX
 
 
 # _LT_SHELL_INIT(ARG)
 # -------------------
 m4_define([_LT_SHELL_INIT],
-[ifdef([AC_DIVERSION_NOTICE],
-	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
-	 [AC_DIVERT_PUSH(NOTICE)])
-$1
-AC_DIVERT_POP
-])# _LT_SHELL_INIT
+[m4_divert_text([M4SH-INIT], [$1
+])])# _LT_SHELL_INIT
+
 
 
 # _LT_PROG_ECHO_BACKSLASH
 # -----------------------
-# Add some code to the start of the generated configure script which
-# will find an echo command which doesn't interpret backslashes.
+# Find how we can fake an echo command that does not interpret backslash.
+# In particular, with Autoconf 2.60 or later we add some code to the start
+# of the generated configure script which will find a shell with a builtin
+# printf (which we can use as an echo command).
 m4_defun([_LT_PROG_ECHO_BACKSLASH],
-[_LT_SHELL_INIT([
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$lt_ECHO in
-X*--fallback-echo)
-  # Remove one level of quotation (which was required for Make).
-  ECHO=`echo "$lt_ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
-  ;;
-esac
-
-ECHO=${lt_ECHO-echo}
-if test "X[$]1" = X--no-reexec; then
-  # Discard the --no-reexec flag, and continue.
-  shift
-elif test "X[$]1" = X--fallback-echo; then
-  # Avoid inline document here, it may be left over
-  :
-elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then
-  # Yippee, $ECHO works!
-  :
+[ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+
+AC_MSG_CHECKING([how to print strings])
+# Test print first, because it will be a builtin if present.
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
+   test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='print -r --'
+elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
+  ECHO='printf %s\n'
 else
-  # Restart under the correct shell.
-  exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
-fi
-
-if test "X[$]1" = X--fallback-echo; then
-  # used as fallback echo
-  shift
-  cat <<_LT_EOF
-[$]*
-_LT_EOF
-  exit 0
+  # Use this function as a fallback that always works.
+  func_fallback_echo ()
+  {
+    eval 'cat <<_LTECHO_EOF
+$[]1
+_LTECHO_EOF'
+  }
+  ECHO='func_fallback_echo'
 fi
 
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$lt_ECHO"; then
-  if test "X${echo_test_string+set}" != Xset; then
-    # find a string as large as possible, as long as the shell can cope with it
-    for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
-      # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-      if { echo_test_string=`eval $cmd`; } 2>/dev/null &&
-	 { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null
-      then
-        break
-      fi
-    done
-  fi
-
-  if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-     echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-     test "X$echo_testing_string" = "X$echo_test_string"; then
-    :
-  else
-    # The Solaris, AIX, and Digital Unix default echo programs unquote
-    # backslashes.  This makes it impossible to quote backslashes using
-    #   echo "$something" | sed 's/\\/\\\\/g'
-    #
-    # So, first we look for a working echo in the user's PATH.
-
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for dir in $PATH /usr/ucb; do
-      IFS="$lt_save_ifs"
-      if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
-         test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        ECHO="$dir/echo"
-        break
-      fi
-    done
-    IFS="$lt_save_ifs"
-
-    if test "X$ECHO" = Xecho; then
-      # We didn't find a better echo, so look for alternatives.
-      if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' &&
-         echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` &&
-         test "X$echo_testing_string" = "X$echo_test_string"; then
-        # This shell has a builtin print -r that does the trick.
-        ECHO='print -r'
-      elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } &&
-	   test "X$CONFIG_SHELL" != X/bin/ksh; then
-        # If we have ksh, try running configure again with it.
-        ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
-        export ORIGINAL_CONFIG_SHELL
-        CONFIG_SHELL=/bin/ksh
-        export CONFIG_SHELL
-        exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
-      else
-        # Try using printf.
-        ECHO='printf %s\n'
-        if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' &&
-	   echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` &&
-	   test "X$echo_testing_string" = "X$echo_test_string"; then
-	  # Cool, printf works
-	  :
-        elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
-	  export CONFIG_SHELL
-	  SHELL="$CONFIG_SHELL"
-	  export SHELL
-	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
-        elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
-	     test "X$echo_testing_string" = 'X\t' &&
-	     echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
-	     test "X$echo_testing_string" = "X$echo_test_string"; then
-	  ECHO="$CONFIG_SHELL [$]0 --fallback-echo"
-        else
-	  # maybe with a smaller string...
-	  prev=:
-
-	  for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
-	    if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null
-	    then
-	      break
-	    fi
-	    prev="$cmd"
-	  done
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+    $ECHO "$*" 
+}
 
-	  if test "$prev" != 'sed 50q "[$]0"'; then
-	    echo_test_string=`eval $prev`
-	    export echo_test_string
-	    exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
-	  else
-	    # Oops.  We lost completely, so just stick with echo.
-	    ECHO=echo
-	  fi
-        fi
-      fi
-    fi
-  fi
-fi
+case "$ECHO" in
+  printf*) AC_MSG_RESULT([printf]) ;;
+  print*) AC_MSG_RESULT([print -r]) ;;
+  *) AC_MSG_RESULT([cat]) ;;
+esac
 
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-lt_ECHO=$ECHO
-if test "X$lt_ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
-   lt_ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
-fi
+m4_ifdef([_AS_DETECT_SUGGESTED],
+[_AS_DETECT_SUGGESTED([
+  test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || (
+    ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
+    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
+    PATH=/empty FPATH=/empty; export PATH FPATH
+    test "X`printf %s $ECHO`" = "X$ECHO" \
+      || test "X`print -r -- $ECHO`" = "X$ECHO" )])])
 
-AC_SUBST(lt_ECHO)
-])
 _LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
-_LT_DECL([], [ECHO], [1],
-    [An echo program that does not interpret backslashes])
+_LT_DECL([], [ECHO], [1], [An echo program that protects backslashes])
 ])# _LT_PROG_ECHO_BACKSLASH
 
 
+# _LT_WITH_SYSROOT
+# ----------------
+AC_DEFUN([_LT_WITH_SYSROOT],
+[AC_MSG_CHECKING([for sysroot])
+AC_ARG_WITH([sysroot],
+[  --with-sysroot[=DIR] Search for dependent libraries within DIR
+                        (or the compiler's sysroot if not specified).],
+[], [with_sysroot=no])
+
+dnl lt_sysroot will always be passed unquoted.  We quote it here
+dnl in case the user passed a directory name.
+lt_sysroot=
+case ${with_sysroot} in #(
+ yes)
+   if test "$GCC" = yes; then
+     lt_sysroot=`$CC --print-sysroot 2>/dev/null`
+   fi
+   ;; #(
+ /*)
+   lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
+   ;; #(
+ no|'')
+   ;; #(
+ *)
+   AC_MSG_RESULT([${with_sysroot}])
+   AC_MSG_ERROR([The sysroot must be an absolute path.])
+   ;;
+esac
+
+ AC_MSG_RESULT([${lt_sysroot:-no}])
+_LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl
+[dependent libraries, and in which our libraries should be installed.])])
+
 # _LT_ENABLE_LOCK
 # ---------------
 m4_defun([_LT_ENABLE_LOCK],
@@ -1236,7 +1281,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     if test "$lt_cv_prog_gnu_ld" = yes; then
       case `/usr/bin/file conftest.$ac_objext` in
@@ -1279,7 +1324,14 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
 	    LD="${LD-ld} -m elf_i386_fbsd"
 	    ;;
 	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_i386"
+	    case `/usr/bin/file conftest.o` in
+	      *x86-64*)
+		LD="${LD-ld} -m elf32_x86_64"
+		;;
+	      *)
+		LD="${LD-ld} -m elf_i386"
+		;;
+	    esac
 	    ;;
 	  ppc64-*linux*|powerpc64-*linux*)
 	    LD="${LD-ld} -m elf32ppclinux"
@@ -1329,14 +1381,27 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -1354,14 +1419,47 @@ need_locks="$enable_libtool_lock"
 ])# _LT_ENABLE_LOCK
 
 
+# _LT_PROG_AR
+# -----------
+m4_defun([_LT_PROG_AR],
+[AC_CHECK_TOOLS(AR, [ar], false)
+: ${AR=ar}
+: ${AR_FLAGS=cru}
+_LT_DECL([], [AR], [1], [The archiver])
+_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
+
+AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file],
+  [lt_cv_ar_at_file=no
+   AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
+     [echo conftest.$ac_objext > conftest.lst
+      lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD'
+      AC_TRY_EVAL([lt_ar_try])
+      if test "$ac_status" -eq 0; then
+	# Ensure the archiver fails upon bogus file names.
+	rm -f conftest.$ac_objext libconftest.a
+	AC_TRY_EVAL([lt_ar_try])
+	if test "$ac_status" -ne 0; then
+          lt_cv_ar_at_file=@
+        fi
+      fi
+      rm -f conftest.* libconftest.a
+     ])
+  ])
+
+if test "x$lt_cv_ar_at_file" = xno; then
+  archiver_list_spec=
+else
+  archiver_list_spec=$lt_cv_ar_at_file
+fi
+_LT_DECL([], [archiver_list_spec], [1],
+  [How to feed a file listing to the archiver])
+])# _LT_PROG_AR
+
+
 # _LT_CMD_OLD_ARCHIVE
 # -------------------
 m4_defun([_LT_CMD_OLD_ARCHIVE],
-[AC_CHECK_TOOL(AR, ar, false)
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-_LT_DECL([], [AR], [1], [The archiver])
-_LT_DECL([], [AR_FLAGS], [1])
+[_LT_PROG_AR
 
 AC_CHECK_TOOL(STRIP, strip, :)
 test -z "$STRIP" && STRIP=:
@@ -1380,18 +1478,27 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
+
+case $host_os in
+  darwin*)
+    lock_old_archive_extraction=yes ;;
+  *)
+    lock_old_archive_extraction=no ;;
+esac
 _LT_DECL([], [old_postinstall_cmds], [2])
 _LT_DECL([], [old_postuninstall_cmds], [2])
 _LT_TAGDECL([], [old_archive_cmds], [2],
     [Commands used to build an old-style archive])
+_LT_DECL([], [lock_old_archive_extraction], [0],
+    [Whether to use a lock for old archive extraction])
 ])# _LT_CMD_OLD_ARCHIVE
 
 
@@ -1416,15 +1523,15 @@ AC_CACHE_CHECK([$1], [$2],
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
      $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
      if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        $2=yes
@@ -1464,7 +1571,7 @@ AC_CACHE_CHECK([$1], [$2],
      if test -s conftest.err; then
        # Append any errors to the config.log.
        cat conftest.err 1>&AS_MESSAGE_LOG_FD
-       $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
        $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
        if diff conftest.exp conftest.er2 >/dev/null; then
          $2=yes
@@ -1527,6 +1634,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
+  mint*)
+    # On MiNT this can take a long time and run out of memory.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
   amigaos*)
     # On AmigaOS with pdksh, this test takes hours, literally.
     # So we just punt and use a minimum line length of 8192.
@@ -1552,6 +1664,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -1578,7 +1695,8 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     ;;
   *)
     lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
+    if test -n "$lt_cv_sys_max_cmd_len" && \
+	test undefined != "$lt_cv_sys_max_cmd_len"; then
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
       lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
     else
@@ -1591,8 +1709,8 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`$SHELL [$]0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \
-	         = "XX$teststring$teststring"; } >/dev/null 2>&1 &&
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
+	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
         i=`expr $i + 1`
@@ -1643,7 +1761,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-[#line __oline__ "configure"
+[#line $LINENO "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -1684,7 +1802,13 @@ else
 #  endif
 #endif
 
-void fnord() { int i=42;}
+/* When -fvisbility=hidden is used, assume the code has been annotated
+   correspondingly for the symbols needed.  */
+#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
+int fnord () __attribute__((visibility("default")));
+#endif
+
+int fnord () { return 42; }
 int main ()
 {
   void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
@@ -1693,7 +1817,11 @@ int main ()
   if (self)
     {
       if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      else
+        {
+	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
+          else puts (dlerror ());
+	}
       /* dlclose (self); */
     }
   else
@@ -1869,16 +1997,16 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
      $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
      if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
@@ -2037,6 +2165,7 @@ m4_require([_LT_DECL_EGREP])dnl
 m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_DECL_OBJDUMP])dnl
 m4_require([_LT_DECL_SED])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
 AC_MSG_CHECKING([dynamic linker characteristics])
 m4_if([$1],
 	[], [
@@ -2045,16 +2174,23 @@ if test "$GCC" = yes; then
     darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
     *) lt_awk_arg="/^libraries:/" ;;
   esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then
+  case $host_os in
+    mingw* | cegcc*) lt_sed_strip_eq="s,=\([[A-Za-z]]:\),\1,g" ;;
+    *) lt_sed_strip_eq="s,=/,/,g" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
+  case $lt_search_path_spec in
+  *\;*)
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
+    ;;
+  *)
+    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
+    ;;
+  esac
   # Ok, now we have the path, separated by spaces, we can step through it
   # and add multilib dir if necessary.
   lt_tmp_lt_search_path_spec=
@@ -2067,7 +2203,7 @@ if test "$GCC" = yes; then
 	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
     fi
   done
-  lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk '
+  lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
 BEGIN {RS=" "; FS="/|\n";} {
   lt_foo="";
   lt_count=0;
@@ -2087,7 +2223,13 @@ BEGIN {RS=" "; FS="/|\n";} {
   if (lt_foo != "") { lt_freq[[lt_foo]]++; }
   if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
 }'`
-  sys_lib_search_path_spec=`$ECHO $lt_search_path_spec`
+  # AWK program above erroneously prepends '/' to C:/dos/paths
+  # for these hosts.
+  case $host_os in
+    mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
+      $SED 's,/\([[A-Za-z]]:\),\1,g'` ;;
+  esac
+  sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 fi])
@@ -2113,7 +2255,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -2122,7 +2264,7 @@ aix3*)
   ;;
 
 aix[[4-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -2175,7 +2317,7 @@ amigaos*)
   m68k)
     library_names_spec='$libname.ixlibrary $libname.a'
     # Create ${libname}_ixlibrary.a entries in /sys/libs.
-    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
     ;;
   esac
   ;;
@@ -2187,7 +2329,7 @@ beos*)
   ;;
 
 bsdi[[45]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -2206,8 +2348,9 @@ cygwin* | mingw* | pw32* | cegcc*)
   need_version=no
   need_lib_prefix=no
 
-  case $GCC,$host_os in
-  yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*)
+  case $GCC,$cc_basename in
+  yes,*)
+    # gcc
     library_names_spec='$libname.dll.a'
     # DLL is installed to $(libdir)/../bin by postinstall_cmds
     postinstall_cmds='base_file=`basename \${file}`~
@@ -2228,36 +2371,83 @@ cygwin* | mingw* | pw32* | cegcc*)
     cygwin*)
       # Cygwin DLLs use 'cyg' prefix rather than 'lib'
       soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+m4_if([$1], [],[
+      sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"])
       ;;
     mingw* | cegcc*)
       # MinGW DLLs use traditional 'lib' prefix
       soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
-        # It is most probably a Windows format PATH printed by
-        # mingw gcc, but we are running on Cygwin. Gcc prints its search
-        # path with ; separators, and with drive letters. We can handle the
-        # drive letters (cygwin fileutils understands them), so leave them,
-        # especially as we might pass files found there to a mingw objdump,
-        # which wouldn't understand a cygwinified path. Ahh.
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-      fi
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
       library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
+    dynamic_linker='Win32 ld.exe'
+    ;;
+
+  *,cl*)
+    # Native MSVC
+    libname_spec='$name'
+    soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+    library_names_spec='${libname}.dll.lib'
+
+    case $build_os in
+    mingw*)
+      sys_lib_search_path_spec=
+      lt_save_ifs=$IFS
+      IFS=';'
+      for lt_path in $LIB
+      do
+        IFS=$lt_save_ifs
+        # Let DOS variable expansion print the short 8.3 style file name.
+        lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
+        sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
+      done
+      IFS=$lt_save_ifs
+      # Convert to MSYS style.
+      sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'`
+      ;;
+    cygwin*)
+      # Convert to unix form, then to dos form, then back to unix form
+      # but this time dos style (no spaces!) so that the unix form looks
+      # like /cygdrive/c/PROGRA~1:/cygdr...
+      sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
+      sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
+      sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      ;;
+    *)
+      sys_lib_search_path_spec="$LIB"
+      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
+        # It is most probably a Windows format PATH.
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      # FIXME: find the short name or the path components, as spaces are
+      # common. (e.g. "Program Files" -> "PROGRA~1")
+      ;;
+    esac
+
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $RM \$dlpath'
+    shlibpath_overrides_runpath=yes
+    dynamic_linker='Win32 link.exe'
     ;;
 
   *)
+    # Assume MSVC wrapper
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    dynamic_linker='Win32 ld.exe'
     ;;
   esac
-  dynamic_linker='Win32 ld.exe'
   # FIXME: first we should search . and the directory the executable is in
   shlibpath_var=PATH
   ;;
@@ -2278,7 +2468,7 @@ m4_if([$1], [],[
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -2286,10 +2476,6 @@ dgux*)
   shlibpath_var=LD_LIBRARY_PATH
   ;;
 
-freebsd1*)
-  dynamic_linker=no
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -2297,7 +2483,7 @@ freebsd* | dragonfly*)
     objformat=`/usr/bin/objformat`
   else
     case $host_os in
-    freebsd[[123]]*) objformat=aout ;;
+    freebsd[[23]].*) objformat=aout ;;
     *) objformat=elf ;;
     esac
   fi
@@ -2315,7 +2501,7 @@ freebsd* | dragonfly*)
   esac
   shlibpath_var=LD_LIBRARY_PATH
   case $host_os in
-  freebsd2*)
+  freebsd2.*)
     shlibpath_overrides_runpath=yes
     ;;
   freebsd3.[[01]]* | freebsdelf3.[[01]]*)
@@ -2334,13 +2520,16 @@ freebsd* | dragonfly*)
   esac
   ;;
 
-gnu*)
-  version_type=linux
+haiku*)
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
+  dynamic_linker="$host_os runtime_loader"
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_var=LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
   hardcode_into_libs=yes
   ;;
 
@@ -2386,12 +2575,14 @@ hpux9* | hpux10* | hpux11*)
     soname_spec='${libname}${release}${shared_ext}$major'
     ;;
   esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
   postinstall_cmds='chmod 555 $lib'
+  # or fails outright, so override atomically:
+  install_override_mode=555
   ;;
 
 interix[[3-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -2407,7 +2598,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -2444,9 +2635,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2454,16 +2645,21 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=no
+
   # Some binutils ld are patched to set DT_RUNPATH
-  save_LDFLAGS=$LDFLAGS
-  save_libdir=$libdir
-  eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
-       LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
-  AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-    [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
-       [shlibpath_overrides_runpath=yes])])
-  LDFLAGS=$save_LDFLAGS
-  libdir=$save_libdir
+  AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath],
+    [lt_cv_shlibpath_overrides_runpath=no
+    save_LDFLAGS=$LDFLAGS
+    save_libdir=$libdir
+    eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
+	 LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+      [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
+	 [lt_cv_shlibpath_overrides_runpath=yes])])
+    LDFLAGS=$save_LDFLAGS
+    libdir=$save_libdir
+    ])
+  shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
 
   # This implies no fast_install, which is unacceptable.
   # Some rework will be needed to allow for fast_install
@@ -2472,7 +2668,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -2516,7 +2712,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -2585,7 +2781,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2610,7 +2806,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -2634,7 +2830,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -2665,7 +2861,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2675,7 +2871,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -2717,6 +2913,8 @@ _LT_DECL([], [library_names_spec], [1],
     The last name is the one that the linker finds with -lNAME]])
 _LT_DECL([], [soname_spec], [1],
     [[The coded name of the library, if different from the real name]])
+_LT_DECL([], [install_override_mode], [1],
+    [Permission mode override for installation of shared libraries])
 _LT_DECL([], [postinstall_cmds], [2],
     [Command to use after installation of a shared archive])
 _LT_DECL([], [postuninstall_cmds], [2],
@@ -2829,6 +3027,7 @@ AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_CANONICAL_BUILD])dnl
 m4_require([_LT_DECL_SED])dnl
 m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PROG_ECHO_BACKSLASH])dnl
 
 AC_ARG_WITH([gnu-ld],
     [AS_HELP_STRING([--with-gnu-ld],
@@ -2950,6 +3149,11 @@ case $reload_flag in
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
 case $host_os in
+  cygwin* | mingw* | pw32* | cegcc*)
+    if test "$GCC" != yes; then
+      reload_cmds=false
+    fi
+    ;;
   darwin*)
     if test "$GCC" = yes; then
       reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
@@ -2958,8 +3162,8 @@ case $host_os in
     fi
     ;;
 esac
-_LT_DECL([], [reload_flag], [1], [How to create reloadable object files])dnl
-_LT_DECL([], [reload_cmds], [2])dnl
+_LT_TAGDECL([], [reload_flag], [1], [How to create reloadable object files])dnl
+_LT_TAGDECL([], [reload_cmds], [2])dnl
 ])# _LT_CMD_RELOAD
 
 
@@ -3011,16 +3215,18 @@ mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
   # func_win32_libid shell function, so use a weaker test based on 'objdump',
   # unless we find 'file', for example because we are cross-compiling.
-  if ( file / ) >/dev/null 2>&1; then
+  # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin.
+  if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then
     lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
     lt_cv_file_magic_cmd='func_win32_libid'
   else
-    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    # Keep this pattern in sync with the one in func_win32_libid.
+    lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
     lt_cv_file_magic_cmd='$OBJDUMP -f'
   fi
   ;;
 
-cegcc)
+cegcc*)
   # use the weaker test based on 'objdump'. See mingw*.
   lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
@@ -3046,7 +3252,7 @@ freebsd* | dragonfly*)
   fi
   ;;
 
-gnu*)
+haiku*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -3058,11 +3264,11 @@ hpux10.20* | hpux11*)
     lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
     ;;
   hppa*64*)
-    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]']
     lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
     ;;
   *)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library'
     lt_cv_file_magic_test_file=/usr/lib/libc.sl
     ;;
   esac
@@ -3083,8 +3289,8 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+# This must be glibc/ELF.
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -3162,6 +3368,21 @@ tpf*)
   ;;
 esac
 ])
+
+file_magic_glob=
+want_nocaseglob=no
+if test "$build" = "$host"; then
+  case $host_os in
+  mingw* | pw32*)
+    if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
+      want_nocaseglob=yes
+    else
+      file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"`
+    fi
+    ;;
+  esac
+fi
+
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -3169,7 +3390,11 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown
 _LT_DECL([], [deplibs_check_method], [1],
     [Method to check whether dependent libraries are shared objects])
 _LT_DECL([], [file_magic_cmd], [1],
-    [Command to use when deplibs_check_method == "file_magic"])
+    [Command to use when deplibs_check_method = "file_magic"])
+_LT_DECL([], [file_magic_glob], [1],
+    [How to find potential files when deplibs_check_method = "file_magic"])
+_LT_DECL([], [want_nocaseglob], [1],
+    [Find potential files using nocaseglob when deplibs_check_method = "file_magic"])
 ])# _LT_CHECK_MAGIC_METHOD
 
 
@@ -3226,7 +3451,19 @@ if test "$lt_cv_path_NM" != "no"; then
   NM="$lt_cv_path_NM"
 else
   # Didn't find any BSD compatible name lister, look for dumpbin.
-  AC_CHECK_TOOLS(DUMPBIN, ["dumpbin -symbols" "link -dump -symbols"], :)
+  if test -n "$DUMPBIN"; then :
+    # Let the user override the test.
+  else
+    AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :)
+    case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in
+    *COFF*)
+      DUMPBIN="$DUMPBIN -symbols"
+      ;;
+    *)
+      DUMPBIN=:
+      ;;
+    esac
+  fi
   AC_SUBST([DUMPBIN])
   if test "$DUMPBIN" != ":"; then
     NM="$DUMPBIN"
@@ -3239,13 +3476,13 @@ _LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
 AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
   [lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:__oline__: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
+  (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:__oline__: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
+  (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:__oline__: output\"" >&AS_MESSAGE_LOG_FD)
+  (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD)
   cat conftest.out >&AS_MESSAGE_LOG_FD
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -3260,6 +3497,67 @@ dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([AM_PROG_NM], [])
 dnl AC_DEFUN([AC_PROG_NM], [])
 
+# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+# --------------------------------
+# how to determine the name of the shared library
+# associated with a specific link library.
+#  -- PORTME fill in with the dynamic library characteristics
+m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB],
+[m4_require([_LT_DECL_EGREP])
+m4_require([_LT_DECL_OBJDUMP])
+m4_require([_LT_DECL_DLLTOOL])
+AC_CACHE_CHECK([how to associate runtime and link libraries],
+lt_cv_sharedlib_from_linklib_cmd,
+[lt_cv_sharedlib_from_linklib_cmd='unknown'
+
+case $host_os in
+cygwin* | mingw* | pw32* | cegcc*)
+  # two different shell functions defined in ltmain.sh
+  # decide which to use based on capabilities of $DLLTOOL
+  case `$DLLTOOL --help 2>&1` in
+  *--identify-strict*)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
+    ;;
+  *)
+    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
+    ;;
+  esac
+  ;;
+*)
+  # fallback: assume linklib IS sharedlib
+  lt_cv_sharedlib_from_linklib_cmd="$ECHO"
+  ;;
+esac
+])
+sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
+test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
+
+_LT_DECL([], [sharedlib_from_linklib_cmd], [1],
+    [Command to associate shared and link libraries])
+])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
+
+
+# _LT_PATH_MANIFEST_TOOL
+# ----------------------
+# locate the manifest tool
+m4_defun([_LT_PATH_MANIFEST_TOOL],
+[AC_CHECK_TOOL(MANIFEST_TOOL, mt, :)
+test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
+AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool],
+  [lt_cv_path_mainfest_tool=no
+  echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD
+  $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
+  cat conftest.err >&AS_MESSAGE_LOG_FD
+  if $GREP 'Manifest Tool' conftest.out > /dev/null; then
+    lt_cv_path_mainfest_tool=yes
+  fi
+  rm -f conftest*])
+if test "x$lt_cv_path_mainfest_tool" != xyes; then
+  MANIFEST_TOOL=:
+fi
+_LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl
+])# _LT_PATH_MANIFEST_TOOL
+
 
 # LT_LIB_M
 # --------
@@ -3268,7 +3566,7 @@ AC_DEFUN([LT_LIB_M],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 LIBM=
 case $host in
-*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+*-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*)
   # These system don't have libm, or don't need it
   ;;
 *-ncr-sysv4.3*)
@@ -3296,7 +3594,12 @@ m4_defun([_LT_COMPILER_NO_RTTI],
 _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
 
 if test "$GCC" = yes; then
-  _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+  case $cc_basename in
+  nvcc*)
+    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;;
+  *)
+    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;;
+  esac
 
   _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
     lt_cv_prog_compiler_rtti_exceptions,
@@ -3313,6 +3616,7 @@ _LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
 m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
 [AC_REQUIRE([AC_CANONICAL_HOST])dnl
 AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_AWK])dnl
 AC_REQUIRE([LT_PATH_NM])dnl
 AC_REQUIRE([LT_PATH_LD])dnl
 m4_require([_LT_DECL_SED])dnl
@@ -3380,8 +3684,8 @@ esac
 lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
 
 # Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
+lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
 
 # Handle CRLF in mingw tool chain
 opt_cr=
@@ -3405,6 +3709,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK ['"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -3417,6 +3722,7 @@ for ac_symprfx in "" "_"; do
   else
     lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[	 ]]\($symcode$symcode*\)[[	 ]][[	 ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
   fi
+  lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
 
   # Check to see that the pipe works correctly.
   pipe_works=no
@@ -3438,7 +3744,7 @@ _LT_EOF
   if AC_TRY_EVAL(ac_compile); then
     # Now try to grab the symbols.
     nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
 	mv -f "$nlist"T "$nlist"
@@ -3450,6 +3756,18 @@ _LT_EOF
       if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
 	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
 	  cat <<_LT_EOF > conftest.$ac_ext
+/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
+#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
+/* DATA imports from DLLs on WIN32 con't be const, because runtime
+   relocations are performed -- see ld's documentation on pseudo-relocs.  */
+# define LT@&t@_DLSYM_CONST
+#elif defined(__osf__)
+/* This system does not cope well with relocations in const data.  */
+# define LT@&t@_DLSYM_CONST
+#else
+# define LT@&t@_DLSYM_CONST const
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -3461,7 +3779,7 @@ _LT_EOF
 	  cat <<_LT_EOF >> conftest.$ac_ext
 
 /* The mapping between symbol names and symbols.  */
-const struct {
+LT@&t@_DLSYM_CONST struct {
   const char *name;
   void       *address;
 }
@@ -3487,15 +3805,15 @@ static const void *lt_preloaded_setup() {
 _LT_EOF
 	  # Now try linking the two files.
 	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_save_LIBS="$LIBS"
-	  lt_save_CFLAGS="$CFLAGS"
+	  lt_globsym_save_LIBS=$LIBS
+	  lt_globsym_save_CFLAGS=$CFLAGS
 	  LIBS="conftstm.$ac_objext"
 	  CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
 	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
 	    pipe_works=yes
 	  fi
-	  LIBS="$lt_save_LIBS"
-	  CFLAGS="$lt_save_CFLAGS"
+	  LIBS=$lt_globsym_save_LIBS
+	  CFLAGS=$lt_globsym_save_CFLAGS
 	else
 	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
 	fi
@@ -3528,6 +3846,13 @@ else
   AC_MSG_RESULT(ok)
 fi
 
+# Response file support.
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then
+  nm_file_list_spec='@'
+elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then
+  nm_file_list_spec='@'
+fi
+
 _LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
     [Take the output of nm and produce a listing of raw symbols and C names])
 _LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
@@ -3538,6 +3863,8 @@ _LT_DECL([global_symbol_to_c_name_address],
 _LT_DECL([global_symbol_to_c_name_address_lib_prefix],
     [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
     [Transform the output of nm in a C name address pair when lib prefix is needed])
+_LT_DECL([], [nm_file_list_spec], [1],
+    [Specify filename containing input files for $NM])
 ]) # _LT_CMD_GLOBAL_SYMBOLS
 
 
@@ -3549,7 +3876,6 @@ _LT_TAGVAR(lt_prog_compiler_wl, $1)=
 _LT_TAGVAR(lt_prog_compiler_pic, $1)=
 _LT_TAGVAR(lt_prog_compiler_static, $1)=
 
-AC_MSG_CHECKING([for $compiler option to produce PIC])
 m4_if([$1], [CXX], [
   # C++ specific cases for pic, static, wl, etc.
   if test "$GXX" = yes; then
@@ -3600,6 +3926,11 @@ m4_if([$1], [CXX], [
       # DJGPP does not support shared libraries at all
       _LT_TAGVAR(lt_prog_compiler_pic, $1)=
       ;;
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)=
+      ;;
     interix[[3-9]]*)
       # Interix 3.x gcc -fpic/-fPIC options generate broken code.
       # Instead, we relocate shared libraries at runtime.
@@ -3649,6 +3980,12 @@ m4_if([$1], [CXX], [
 	  ;;
 	esac
 	;;
+      mingw* | cygwin* | os2* | pw32* | cegcc*)
+	# This hack is so that the source file can tell whether it is being
+	# built for inclusion in a dll (and should export symbols for example).
+	m4_if([$1], [GCJ], [],
+	  [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
+	;;
       dgux*)
 	case $cc_basename in
 	  ec++*)
@@ -3705,7 +4042,7 @@ m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      linux* | k*bsd*-gnu | kopensolaris*-gnu)
+      linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
 	case $cc_basename in
 	  KCC*)
 	    # KAI C++ Compiler
@@ -3738,8 +4075,8 @@ m4_if([$1], [CXX], [
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
 	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
 	    ;;
-	  xlc* | xlC*)
-	    # IBM XL 8.0 on PPC
+	  xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*)
+	    # IBM XL 8.0, 9.0 on PPC and BlueGene
 	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
 	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
@@ -3801,7 +4138,7 @@ m4_if([$1], [CXX], [
 	;;
       solaris*)
 	case $cc_basename in
-	  CC*)
+	  CC* | sunCC*)
 	    # Sun C++ 4.2, 5.x and Centerline C++
 	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -3905,6 +4242,12 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
       ;;
 
+    haiku*)
+      # PIC is the default for Haiku.
+      # The "-static" flag exists, but is broken.
+      _LT_TAGVAR(lt_prog_compiler_static, $1)=
+      ;;
+
     hpux*)
       # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
       # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
@@ -3947,6 +4290,15 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
       ;;
     esac
+
+    case $cc_basename in
+    nvcc*) # Cuda Compiler Driver 2.2
+      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
+      if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
+      fi
+      ;;
+    esac
   else
     # PORTME Check for flag to pass linker flags through the system compiler.
     case $host_os in
@@ -3989,7 +4341,7 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
 
-    linux* | k*bsd*-gnu | kopensolaris*-gnu)
+    linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
       case $cc_basename in
       # old Intel for x86_64 which still supported -KPIC.
       ecc*)
@@ -4010,7 +4362,13 @@ m4_if([$1], [CXX], [
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
 	;;
-      pgcc* | pgf77* | pgf90* | pgf95*)
+      nagfor*)
+	# NAG Fortran compiler
+	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,'
+	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	;;
+      pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
         # Portland Group compilers (*not* the Pentium gcc compiler,
 	# which looks to be a dead project)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
@@ -4022,25 +4380,40 @@ m4_if([$1], [CXX], [
         # All Alpha code is PIC.
         _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
         ;;
-      xl*)
-	# IBM XL C 8.0/Fortran 10.1 on PPC
+      xl* | bgxl* | bgf* | mpixl*)
+	# IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
 	_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	  ;;
-	*Sun\ F*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+        *Intel*\ [[CF]]*Compiler*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	  ;;
+	*Portland\ Group*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
 	  ;;
 	esac
 	;;
@@ -4072,7 +4445,7 @@ m4_if([$1], [CXX], [
       _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
       _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
       case $cc_basename in
-      f77* | f90* | f95*)
+      f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
       *)
 	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
@@ -4129,9 +4502,11 @@ case $host_os in
     _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
     ;;
 esac
-AC_MSG_RESULT([$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
-_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
-	[How to pass a linker flag through the compiler])
+
+AC_CACHE_CHECK([for $compiler option to produce PIC],
+  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)],
+  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
+_LT_TAGVAR(lt_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)
 
 #
 # Check to make sure the PIC flag actually works.
@@ -4150,6 +4525,8 @@ fi
 _LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
 	[Additional compiler flags for building library objects])
 
+_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
+	[How to pass a linker flag through the compiler])
 #
 # Check to make sure the static flag actually works.
 #
@@ -4170,6 +4547,7 @@ _LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
 m4_defun([_LT_LINKER_SHLIBS],
 [AC_REQUIRE([LT_PATH_LD])dnl
 AC_REQUIRE([LT_PATH_NM])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
 m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_DECL_EGREP])dnl
 m4_require([_LT_DECL_SED])dnl
@@ -4178,30 +4556,40 @@ m4_require([_LT_TAG_COMPILER])dnl
 AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
 m4_if([$1], [CXX], [
   _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
   case $host_os in
   aix[[4-9]]*)
     # If we're using GNU nm, then we don't want the "-C" option.
     # -C means demangle to AIX nm, but means don't demangle with GNU nm
+    # Also, AIX nm treats weak defined symbols like other global defined
+    # symbols, whereas GNU nm marks them as "W".
     if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
     else
       _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
     fi
     ;;
   pw32*)
     _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
-  ;;
+    ;;
   cygwin* | mingw* | cegcc*)
-    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
-  linux* | k*bsd*-gnu)
+    case $cc_basename in
+    cl*)
+      _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+      ;;
+    *)
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
+      ;;
+    esac
+    ;;
+  linux* | k*bsd*-gnu | gnu*)
     _LT_TAGVAR(link_all_deplibs, $1)=no
-  ;;
+    ;;
   *)
     _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  ;;
+    ;;
   esac
-  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
 ], [
   runpath_var=
   _LT_TAGVAR(allow_undefined_flag, $1)=
@@ -4216,7 +4604,6 @@ m4_if([$1], [CXX], [
   _LT_TAGVAR(hardcode_direct, $1)=no
   _LT_TAGVAR(hardcode_direct_absolute, $1)=no
   _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
   _LT_TAGVAR(hardcode_libdir_separator, $1)=
   _LT_TAGVAR(hardcode_minus_L, $1)=no
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -4261,13 +4648,39 @@ dnl Note also adjust exclude_expsyms for C++ above.
   openbsd*)
     with_gnu_ld=no
     ;;
-  linux* | k*bsd*-gnu)
+  linux* | k*bsd*-gnu | gnu*)
     _LT_TAGVAR(link_all_deplibs, $1)=no
     ;;
   esac
 
   _LT_TAGVAR(ld_shlibs, $1)=yes
+
+  # On some targets, GNU ld is compatible enough with the native linker
+  # that we're better off using the native interface for both.
+  lt_use_gnu_ld_interface=no
   if test "$with_gnu_ld" = yes; then
+    case $host_os in
+      aix*)
+	# The AIX port of GNU ld has always aspired to compatibility
+	# with the native linker.  However, as the warning in the GNU ld
+	# block says, versions before 2.19.5* couldn't really create working
+	# shared libraries, regardless of the interface used.
+	case `$LD -v 2>&1` in
+	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
+	  *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;;
+	  *\ \(GNU\ Binutils\)\ [[3-9]]*) ;;
+	  *)
+	    lt_use_gnu_ld_interface=yes
+	    ;;
+	esac
+	;;
+      *)
+	lt_use_gnu_ld_interface=yes
+	;;
+    esac
+  fi
+
+  if test "$lt_use_gnu_ld_interface" = yes; then
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
@@ -4301,11 +4714,12 @@ dnl Note also adjust exclude_expsyms for C++ above.
 	_LT_TAGVAR(ld_shlibs, $1)=no
 	cat <<_LT_EOF 1>&2
 
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** Warning: the GNU linker, at least up to release 2.19, is reported
 *** to be unable to reliably create shared libraries on AIX.
 *** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
+*** really care for shared libraries, you may want to install binutils
+*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
+*** You will then need to restart the configuration process.
 
 _LT_EOF
       fi
@@ -4341,10 +4755,12 @@ _LT_EOF
       # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
       # as there is no search path for DLLs.
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
       _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
       _LT_TAGVAR(always_export_symbols, $1)=no
       _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
 
       if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
         _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -4362,6 +4778,11 @@ _LT_EOF
       fi
       ;;
 
+    haiku*)
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      _LT_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
     interix[[3-9]]*)
       _LT_TAGVAR(hardcode_direct, $1)=no
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
@@ -4387,15 +4808,16 @@ _LT_EOF
       if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
 	 && test "$tmp_diet" = no
       then
-	tmp_addflag=
+	tmp_addflag=' $pic_flag'
 	tmp_sharedflag='-shared'
 	case $cc_basename,$host_cpu in
         pgcc*)				# Portland Group C compiler
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag'
 	  ;;
-	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	pgf77* | pgf90* | pgf95* | pgfortran*)
+					# Portland Group f77 and f90 compilers
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  tmp_addflag=' $pic_flag -Mnomain' ;;
 	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
 	  tmp_addflag=' -i_dynamic' ;;
@@ -4406,13 +4828,17 @@ _LT_EOF
 	lf95*)				# Lahey Fortran 8.1
 	  _LT_TAGVAR(whole_archive_flag_spec, $1)=
 	  tmp_sharedflag='--shared' ;;
-	xl[[cC]]*)			# IBM XL C 8.0 on PPC (deal with xlf below)
+	xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below)
 	  tmp_sharedflag='-qmkshrobj'
 	  tmp_addflag= ;;
+	nvcc*)	# Cuda Compiler Driver 2.2
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(compiler_needs_object, $1)=yes
+	  ;;
 	esac
 	case `$CC -V 2>&1 | sed 5q` in
 	*Sun\ C*)			# Sun C 5.9
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	  _LT_TAGVAR(compiler_needs_object, $1)=yes
 	  tmp_sharedflag='-G' ;;
 	*Sun\ F*)			# Sun Fortran 8.3
@@ -4428,17 +4854,16 @@ _LT_EOF
         fi
 
 	case $cc_basename in
-	xlf*)
+	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
 	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
 	      echo "local: *; };" >> $output_objdir/$libname.ver~
-	      $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
+	      $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
 	  fi
 	  ;;
 	esac
@@ -4452,8 +4877,8 @@ _LT_EOF
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
       else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       fi
       ;;
 
@@ -4471,8 +4896,8 @@ _LT_EOF
 
 _LT_EOF
       elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	_LT_TAGVAR(ld_shlibs, $1)=no
       fi
@@ -4518,8 +4943,8 @@ _LT_EOF
 
     *)
       if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
       else
 	_LT_TAGVAR(ld_shlibs, $1)=no
       fi
@@ -4559,8 +4984,10 @@ _LT_EOF
       else
 	# If we're using GNU nm, then we don't want the "-C" option.
 	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	# Also, AIX nm treats weak defined symbols like other global
+	# defined symbols, whereas GNU nm marks them as "W".
 	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
+	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	else
 	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
 	fi
@@ -4648,9 +5075,9 @@ _LT_EOF
 	_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
         # Determine the default libpath from the value encoded in an
         # empty executable.
-        _LT_SYS_MODULE_PATH_AIX
+        _LT_SYS_MODULE_PATH_AIX([$1])
         _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
       else
 	if test "$host_cpu" = ia64; then
 	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
@@ -4659,14 +5086,19 @@ _LT_EOF
 	else
 	 # Determine the default libpath from the value encoded in an
 	 # empty executable.
-	 _LT_SYS_MODULE_PATH_AIX
+	 _LT_SYS_MODULE_PATH_AIX([$1])
 	 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 	  # Warning - without using the other run time loading flags,
 	  # -berok will link without error, but may produce a broken library.
 	  _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	  _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  # Exported symbols can be pulled into shared objects from archives
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  if test "$with_gnu_ld" = yes; then
+	    # We only use this code for GNU lds that support --whole-archive.
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	  else
+	    # Exported symbols can be pulled into shared objects from archives
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	  fi
 	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
 	  # This is similar to how AIX traditionally builds its shared libraries.
 	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
@@ -4698,20 +5130,64 @@ _LT_EOF
       # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
       # no search path for DLLs.
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      # Tell ltmain to make .lib files, not .a files.
-      libext=lib
-      # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
-      # FIXME: Setting linknames here is a bad hack.
-      _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames='
-      # The linker will automatically build a .lib file if we build a DLL.
-      _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
-      # FIXME: Should let the user specify the lib program.
-      _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
-      _LT_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
-      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      case $cc_basename in
+      cl*)
+	# Native MSVC
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	_LT_TAGVAR(always_export_symbols, $1)=yes
+	_LT_TAGVAR(file_list_spec, $1)='@'
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+	_LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	    sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+	  else
+	    sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+	  fi~
+	  $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+	  linknames='
+	# The linker will not automatically build a static lib if we build a DLL.
+	# _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+	_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
+	# Don't use ranlib
+	_LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+	_LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+	  lt_tool_outputfile="@TOOL_OUTPUT@"~
+	  case $lt_outputfile in
+	    *.exe|*.EXE) ;;
+	    *)
+	      lt_outputfile="$lt_outputfile.exe"
+	      lt_tool_outputfile="$lt_tool_outputfile.exe"
+	      ;;
+	  esac~
+	  if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+	    $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+	    $RM "$lt_outputfile.manifest";
+	  fi'
+	;;
+      *)
+	# Assume MSVC wrapper
+	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Tell ltmain to make .lib files, not .a files.
+	libext=lib
+	# Tell ltmain to make .dll files, not .so files.
+	shrext_cmds=".dll"
+	# FIXME: Setting linknames here is a bad hack.
+	_LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
+	# The linker will automatically build a .lib file if we build a DLL.
+	_LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	# FIXME: Should let the user specify the lib program.
+	_LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	;;
+      esac
       ;;
 
     darwin* | rhapsody*)
@@ -4724,10 +5200,6 @@ _LT_EOF
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
 
-    freebsd1*)
-      _LT_TAGVAR(ld_shlibs, $1)=no
-      ;;
-
     # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
     # support.  Future versions do this automatically, but an explicit c++rt0.o
     # does not break anything, and helps significantly (at the cost of a little
@@ -4740,7 +5212,7 @@ _LT_EOF
       ;;
 
     # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2*)
+    freebsd2.*)
       _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       _LT_TAGVAR(hardcode_direct, $1)=yes
       _LT_TAGVAR(hardcode_minus_L, $1)=yes
@@ -4749,7 +5221,7 @@ _LT_EOF
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
     freebsd* | dragonfly*)
-      _LT_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
       _LT_TAGVAR(hardcode_direct, $1)=yes
       _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
@@ -4757,7 +5229,7 @@ _LT_EOF
 
     hpux9*)
       if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       else
 	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       fi
@@ -4772,14 +5244,13 @@ _LT_EOF
       ;;
 
     hpux10*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
       else
 	_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
       fi
       if test "$with_gnu_ld" = no; then
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
 	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
 	_LT_TAGVAR(hardcode_direct, $1)=yes
 	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
@@ -4791,16 +5262,16 @@ _LT_EOF
       ;;
 
     hpux11*)
-      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
 	case $host_cpu in
 	hppa*64*)
 	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	ia64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
@@ -4812,7 +5283,14 @@ _LT_EOF
 	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	m4_if($1, [], [
+	  # Older versions of the 11.00 compiler do not understand -b yet
+	  # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
+	  _LT_LINKER_OPTION([if $CC understands -b],
+	    _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b],
+	    [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'],
+	    [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])],
+	  [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'])
 	  ;;
 	esac
       fi
@@ -4840,19 +5318,34 @@ _LT_EOF
 
     irix5* | irix6* | nonstopux*)
       if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	# Try to use the -exported_symbol ld option, if it does not
 	# work, assume that -exports_file does not work either and
 	# implicitly export all symbols.
-        save_LDFLAGS="$LDFLAGS"
-        LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
-        AC_LINK_IFELSE(int foo(void) {},
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
-        )
-        LDFLAGS="$save_LDFLAGS"
+	# This should be the same for all languages, so no per-tag cache variable.
+	AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol],
+	  [lt_cv_irix_exported_symbol],
+	  [save_LDFLAGS="$LDFLAGS"
+	   LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
+	   AC_LINK_IFELSE(
+	     [AC_LANG_SOURCE(
+	        [AC_LANG_CASE([C], [[int foo (void) { return 0; }]],
+			      [C++], [[int foo (void) { return 0; }]],
+			      [Fortran 77], [[
+      subroutine foo
+      end]],
+			      [Fortran], [[
+      subroutine foo
+      end]])])],
+	      [lt_cv_irix_exported_symbol=yes],
+	      [lt_cv_irix_exported_symbol=no])
+           LDFLAGS="$save_LDFLAGS"])
+	if test "$lt_cv_irix_exported_symbol" = yes; then
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
+	fi
       else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
       fi
       _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
@@ -4914,17 +5407,17 @@ _LT_EOF
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
       _LT_TAGVAR(hardcode_minus_L, $1)=yes
       _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
       _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
       ;;
 
     osf3*)
       if test "$GCC" = yes; then
 	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
       else
 	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
       fi
       _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
       _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
@@ -4934,13 +5427,13 @@ _LT_EOF
     osf4* | osf5*)	# as osf3* with the addition of -msym flag
       if test "$GCC" = yes; then
 	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
       else
 	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
-	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
+	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
@@ -4953,9 +5446,9 @@ _LT_EOF
       _LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
       if test "$GCC" = yes; then
 	wlarc='${wl}'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
+	  $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
       else
 	case `$CC -V 2>&1` in
 	*"Compilers 5.0"*)
@@ -5131,36 +5624,38 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
-      $RM conftest*
-      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
-        soname=conftest
-        lib=conftest
-        libobjs=conftest.$ac_objext
-        deplibs=
-        wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
-	pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
-        compiler_flags=-v
-        linker_flags=-v
-        verstring=
-        output_objdir=.
-        libname=conftest
-        lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
-        _LT_TAGVAR(allow_undefined_flag, $1)=
-        if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
-        then
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-        else
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-        fi
-        _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
-      else
-        cat conftest.err 1>&5
-      fi
-      $RM conftest*
-      AC_MSG_RESULT([$_LT_TAGVAR(archive_cmds_need_lc, $1)])
+      AC_CACHE_CHECK([whether -lc should be explicitly linked in],
+	[lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1),
+	[$RM conftest*
+	echo "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+	if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+	  soname=conftest
+	  lib=conftest
+	  libobjs=conftest.$ac_objext
+	  deplibs=
+	  wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
+	  pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
+	  compiler_flags=-v
+	  linker_flags=-v
+	  verstring=
+	  output_objdir=.
+	  libname=conftest
+	  lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
+	  _LT_TAGVAR(allow_undefined_flag, $1)=
+	  if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
+	  then
+	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+	  else
+	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  fi
+	  _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+	else
+	  cat conftest.err 1>&5
+	fi
+	$RM conftest*
+	])
+      _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)
       ;;
     esac
   fi
@@ -5197,9 +5692,6 @@ _LT_TAGDECL([], [no_undefined_flag], [1],
 _LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
     [Flag to hardcode $libdir into a binary during linking.
     This must work even if $libdir does not exist])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
-    [[If ld is used when linking, flag to hardcode $libdir into a binary
-    during linking.  This must work even if $libdir does not exist]])
 _LT_TAGDECL([], [hardcode_libdir_separator], [1],
     [Whether we need a single "-rpath" flag with a separated argument])
 _LT_TAGDECL([], [hardcode_direct], [0],
@@ -5225,8 +5717,6 @@ _LT_TAGDECL([], [inherit_rpath], [0],
     to runtime path list])
 _LT_TAGDECL([], [link_all_deplibs], [0],
     [Whether libtool must link a program against all its dependency libraries])
-_LT_TAGDECL([], [fix_srcfile_path], [1],
-    [Fix the shell variable $srcfile for the compiler])
 _LT_TAGDECL([], [always_export_symbols], [0],
     [Set to "yes" if exported symbols are required])
 _LT_TAGDECL([], [export_symbols_cmds], [2],
@@ -5237,6 +5727,8 @@ _LT_TAGDECL([], [include_expsyms], [1],
     [Symbols that must always be exported])
 _LT_TAGDECL([], [prelink_cmds], [2],
     [Commands necessary for linking programs (against libraries) with templates])
+_LT_TAGDECL([], [postlink_cmds], [2],
+    [Commands necessary for finishing linking programs])
 _LT_TAGDECL([], [file_list_spec], [1],
     [Specify filename containing input files])
 dnl FIXME: Not yet implemented
@@ -5330,37 +5822,22 @@ CC="$lt_save_CC"
 ])# _LT_LANG_C_CONFIG
 
 
-# _LT_PROG_CXX
-# ------------
-# Since AC_PROG_CXX is broken, in that it returns g++ if there is no c++
-# compiler, we have our own version here.
-m4_defun([_LT_PROG_CXX],
-[
-pushdef([AC_MSG_ERROR], [_lt_caught_CXX_error=yes])
-AC_PROG_CXX
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  AC_PROG_CXXCPP
-else
-  _lt_caught_CXX_error=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_CXX
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_CXX], [])
-
-
 # _LT_LANG_CXX_CONFIG([TAG])
 # --------------------------
 # Ensure that the configuration variables for a C++ compiler are suitably
 # defined.  These variables are subsequently used by _LT_CONFIG to write
 # the compiler configuration to `libtool'.
 m4_defun([_LT_LANG_CXX_CONFIG],
-[AC_REQUIRE([_LT_PROG_CXX])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
 m4_require([_LT_DECL_EGREP])dnl
+m4_require([_LT_PATH_MANIFEST_TOOL])dnl
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+    (test "X$CXX" != "Xg++"))) ; then
+  AC_PROG_CXXCPP
+else
+  _lt_caught_CXX_error=yes
+fi
 
 AC_LANG_PUSH(C++)
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
@@ -5372,7 +5849,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -5382,6 +5858,8 @@ _LT_TAGVAR(module_cmds, $1)=
 _LT_TAGVAR(module_expsym_cmds, $1)=
 _LT_TAGVAR(link_all_deplibs, $1)=unknown
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 _LT_TAGVAR(no_undefined_flag, $1)=
 _LT_TAGVAR(whole_archive_flag_spec, $1)=
 _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -5413,6 +5891,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 
   # Allow CC to be a program name with arguments.
   lt_save_CC=$CC
+  lt_save_CFLAGS=$CFLAGS
   lt_save_LD=$LD
   lt_save_GCC=$GCC
   GCC=$GXX
@@ -5430,6 +5909,7 @@ if test "$_lt_caught_CXX_error" != yes; then
   fi
   test -z "${LDCXX+set}" || LD=$LDCXX
   CC=${CXX-"c++"}
+  CFLAGS=$CXXFLAGS
   compiler=$CC
   _LT_TAGVAR(compiler, $1)=$CC
   _LT_CC_BASENAME([$compiler])
@@ -5451,8 +5931,8 @@ if test "$_lt_caught_CXX_error" != yes; then
       # Check if GNU C++ uses GNU ld as the underlying linker, since the
       # archiving commands below assume that GNU ld is being used.
       if test "$with_gnu_ld" = yes; then
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+        _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 
         _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
         _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5484,7 +5964,7 @@ if test "$_lt_caught_CXX_error" != yes; then
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
       # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 
     else
       GXX=no
@@ -5593,10 +6073,10 @@ if test "$_lt_caught_CXX_error" != yes; then
           _LT_TAGVAR(allow_undefined_flag, $1)='-berok'
           # Determine the default libpath from the value encoded in an empty
           # executable.
-          _LT_SYS_MODULE_PATH_AIX
+          _LT_SYS_MODULE_PATH_AIX([$1])
           _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
         else
           if test "$host_cpu" = ia64; then
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
@@ -5605,14 +6085,19 @@ if test "$_lt_caught_CXX_error" != yes; then
           else
 	    # Determine the default libpath from the value encoded in an
 	    # empty executable.
-	    _LT_SYS_MODULE_PATH_AIX
+	    _LT_SYS_MODULE_PATH_AIX([$1])
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 	    # Warning - without using the other run time loading flags,
 	    # -berok will link without error, but may produce a broken library.
 	    _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	    _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	    # Exported symbols can be pulled into shared objects from archives
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	    if test "$with_gnu_ld" = yes; then
+	      # We only use this code for GNU lds that support --whole-archive.
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	    else
+	      # Exported symbols can be pulled into shared objects from archives
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+	    fi
 	    _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
 	    # This is similar to how AIX traditionally builds its shared
 	    # libraries.
@@ -5642,28 +6127,75 @@ if test "$_lt_caught_CXX_error" != yes; then
         ;;
 
       cygwin* | mingw* | pw32* | cegcc*)
-        # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-        # as there is no search path for DLLs.
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-        _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-        _LT_TAGVAR(always_export_symbols, $1)=no
-        _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
-        if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
-          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-          # If the export-symbols file already is a .def file (1st line
-          # is EXPORTS), use it as is; otherwise, prepend...
-          _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	    cp $export_symbols $output_objdir/$soname.def;
-          else
-	    echo EXPORTS > $output_objdir/$soname.def;
-	    cat $export_symbols >> $output_objdir/$soname.def;
-          fi~
-          $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-        else
-          _LT_TAGVAR(ld_shlibs, $1)=no
-        fi
-        ;;
+	case $GXX,$cc_basename in
+	,cl* | no,cl*)
+	  # Native MSVC
+	  # hardcode_libdir_flag_spec is actually meaningless, as there is
+	  # no search path for DLLs.
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  _LT_TAGVAR(always_export_symbols, $1)=yes
+	  _LT_TAGVAR(file_list_spec, $1)='@'
+	  # Tell ltmain to make .lib files, not .a files.
+	  libext=lib
+	  # Tell ltmain to make .dll files, not .so files.
+	  shrext_cmds=".dll"
+	  # FIXME: Setting linknames here is a bad hack.
+	  _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
+	  _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	      $SED -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
+	    else
+	      $SED -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
+	    fi~
+	    $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
+	    linknames='
+	  # The linker will not automatically build a static lib if we build a DLL.
+	  # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
+	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	  # Don't use ranlib
+	  _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
+	  _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
+	    lt_tool_outputfile="@TOOL_OUTPUT@"~
+	    case $lt_outputfile in
+	      *.exe|*.EXE) ;;
+	      *)
+		lt_outputfile="$lt_outputfile.exe"
+		lt_tool_outputfile="$lt_tool_outputfile.exe"
+		;;
+	    esac~
+	    func_to_tool_file "$lt_outputfile"~
+	    if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
+	      $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
+	      $RM "$lt_outputfile.manifest";
+	    fi'
+	  ;;
+	*)
+	  # g++
+	  # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+	  # as there is no search path for DLLs.
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
+	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
+	  _LT_TAGVAR(always_export_symbols, $1)=no
+	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+	  if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	    # If the export-symbols file already is a .def file (1st line
+	    # is EXPORTS), use it as is; otherwise, prepend...
+	    _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	      cp $export_symbols $output_objdir/$soname.def;
+	    else
+	      echo EXPORTS > $output_objdir/$soname.def;
+	      cat $export_symbols >> $output_objdir/$soname.def;
+	    fi~
+	    $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+	  else
+	    _LT_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	  ;;
+	esac
+	;;
       darwin* | rhapsody*)
         _LT_DARWIN_LINKER_FEATURES($1)
 	;;
@@ -5686,7 +6218,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         esac
         ;;
 
-      freebsd[[12]]*)
+      freebsd2.*)
         # C++ shared libraries reported to be fairly broken before
 	# switch to ELF
         _LT_TAGVAR(ld_shlibs, $1)=no
@@ -5702,7 +6234,9 @@ if test "$_lt_caught_CXX_error" != yes; then
         _LT_TAGVAR(ld_shlibs, $1)=yes
         ;;
 
-      gnu*)
+      haiku*)
+        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+        _LT_TAGVAR(link_all_deplibs, $1)=yes
         ;;
 
       hpux9*)
@@ -5729,11 +6263,11 @@ if test "$_lt_caught_CXX_error" != yes; then
             # explicitly linking system object files so we need to strip them
             # from the output so that they don't get included in the library
             # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
             ;;
           *)
             if test "$GXX" = yes; then
-              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
             else
               # FIXME: insert proper C++ library support
               _LT_TAGVAR(ld_shlibs, $1)=no
@@ -5794,7 +6328,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
           *)
 	    if test "$GXX" = yes; then
@@ -5804,10 +6338,10 @@ if test "$_lt_caught_CXX_error" != yes; then
 	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	            ;;
 	          ia64*)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	            ;;
 	          *)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	            ;;
 	        esac
 	      fi
@@ -5837,7 +6371,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         case $cc_basename in
           CC*)
 	    # SGI C++
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	    # Archives containing C++ object files must be created using
 	    # "CC -ar", where "CC" is the IRIX C++ compiler.  This is
@@ -5848,9 +6382,9 @@ if test "$_lt_caught_CXX_error" != yes; then
           *)
 	    if test "$GXX" = yes; then
 	      if test "$with_gnu_ld" = no; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	      else
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` -o $lib'
 	      fi
 	    fi
 	    _LT_TAGVAR(link_all_deplibs, $1)=yes
@@ -5861,7 +6395,7 @@ if test "$_lt_caught_CXX_error" != yes; then
         _LT_TAGVAR(inherit_rpath, $1)=yes
         ;;
 
-      linux* | k*bsd*-gnu | kopensolaris*-gnu)
+      linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
         case $cc_basename in
           KCC*)
 	    # Kuck and Associates, Inc. (KAI) C++ Compiler
@@ -5879,7 +6413,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5916,26 +6450,26 @@ if test "$_lt_caught_CXX_error" != yes; then
           pgCC* | pgcpp*)
             # Portland Group C++ compiler
 	    case `$CC -V` in
-	    *pgCC\ [[1-5]]* | *pgcpp\ [[1-5]]*)
+	    *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*)
 	      _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
-		compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
+		compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
 	      _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
-		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
+		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
 		$RANLIB $oldlib'
 	      _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
 	      _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
 		rm -rf $tpldir~
 		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
 	      ;;
-	    *) # Version 6 will use weak symbols
+	    *) # Version 6 and above use weak symbols
 	      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
 	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
 	      ;;
@@ -5943,7 +6477,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
             ;;
 	  cxx*)
 	    # Compaq C++
@@ -5962,9 +6496,9 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed'
 	    ;;
-	  xl*)
+	  xl* | mpixl* | bgxl*)
 	    # IBM XL 8.0 on PPC, with GNU ld
 	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
@@ -5984,13 +6518,13 @@ if test "$_lt_caught_CXX_error" != yes; then
 	      _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive'
+	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
 	      _LT_TAGVAR(compiler_needs_object, $1)=yes
 
 	      # Not sure whether something based on
 	      # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
 	      # would be better.
-	      output_verbose_link_cmd='echo'
+	      output_verbose_link_cmd='func_echo_all'
 
 	      # Archives containing C++ object files must be created using
 	      # "CC -xar", where "CC" is the Sun C++ compiler.  This is
@@ -6059,7 +6593,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
 	    _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
 	  fi
-	  output_verbose_link_cmd=echo
+	  output_verbose_link_cmd=func_echo_all
 	else
 	  _LT_TAGVAR(ld_shlibs, $1)=no
 	fi
@@ -6094,15 +6628,15 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    case $host in
 	      osf3*)
 	        _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && $ECHO "X${wl}-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && func_echo_all "${wl}-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 		;;
 	      *)
 	        _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
 	        _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
 	          echo "-hidden">> $lib.exp~
-	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~
+	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~
 	          $RM $lib.exp'
 	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
 		;;
@@ -6118,17 +6652,17 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    # explicitly linking system object files so we need to strip them
 	    # from the output so that they don't get included in the library
 	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`$ECHO "X$templist" | $Xsed -e "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; $ECHO "X$list" | $Xsed'
+	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
 	    ;;
 	  *)
 	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	      _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
 	      case $host in
 	        osf3*)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 		  ;;
 	        *)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 		  ;;
 	      esac
 
@@ -6138,7 +6672,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	      # Commands to make compiler produce verbose output that lists
 	      # what "hidden" libraries, object files and flags are used when
 	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 
 	    else
 	      # FIXME: insert proper C++ library support
@@ -6174,7 +6708,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 
       solaris*)
         case $cc_basename in
-          CC*)
+          CC* | sunCC*)
 	    # Sun C++ 4.2, 5.x and Centerline C++
             _LT_TAGVAR(archive_cmds_need_lc,$1)=yes
 	    _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
@@ -6195,7 +6729,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    esac
 	    _LT_TAGVAR(link_all_deplibs, $1)=yes
 
-	    output_verbose_link_cmd='echo'
+	    output_verbose_link_cmd='func_echo_all'
 
 	    # Archives containing C++ object files must be created using
 	    # "CC -xar", where "CC" is the Sun C++ compiler.  This is
@@ -6215,14 +6749,14 @@ if test "$_lt_caught_CXX_error" != yes; then
 	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	      _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
 	      if $CC --version | $GREP -v '^2\.7' > /dev/null; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
 	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-		  $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
+		  $CC -shared $pic_flag -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
 
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 	      else
 	        # g++ 2.7 appears to require `-G' NOT `-shared' on this
 	        # platform.
@@ -6233,7 +6767,7 @@ if test "$_lt_caught_CXX_error" != yes; then
 	        # Commands to make compiler produce verbose output that lists
 	        # what "hidden" libraries, object files and flags are used when
 	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP "\-L"'
+	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
 	      fi
 
 	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
@@ -6287,6 +6821,10 @@ if test "$_lt_caught_CXX_error" != yes; then
           CC*)
 	    _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~
+	      '"$_LT_TAGVAR(old_archive_cmds, $1)"
+	    _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~
+	      '"$_LT_TAGVAR(reload_cmds, $1)"
 	    ;;
 	  *)
 	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
@@ -6342,6 +6880,7 @@ if test "$_lt_caught_CXX_error" != yes; then
   fi # test -n "$compiler"
 
   CC=$lt_save_CC
+  CFLAGS=$lt_save_CFLAGS
   LDCXX=$LD
   LD=$lt_save_LD
   GCC=$lt_save_GCC
@@ -6356,6 +6895,29 @@ AC_LANG_POP
 ])# _LT_LANG_CXX_CONFIG
 
 
+# _LT_FUNC_STRIPNAME_CNF
+# ----------------------
+# func_stripname_cnf prefix suffix name
+# strip PREFIX and SUFFIX off of NAME.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+#
+# This function is identical to the (non-XSI) version of func_stripname,
+# except this one can be used by m4 code that may be executed by configure,
+# rather than the libtool script.
+m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl
+AC_REQUIRE([_LT_DECL_SED])
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])
+func_stripname_cnf ()
+{
+  case ${2} in
+  .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
+  *)  func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
+  esac
+} # func_stripname_cnf
+])# _LT_FUNC_STRIPNAME_CNF
+
 # _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
 # ---------------------------------
 # Figure out "hidden" library dependencies from verbose
@@ -6364,6 +6926,7 @@ AC_LANG_POP
 # objects, libraries and library flags.
 m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
 [m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl
 # Dependencies to place before and after the object being linked:
 _LT_TAGVAR(predep_objects, $1)=
 _LT_TAGVAR(postdep_objects, $1)=
@@ -6413,7 +6976,20 @@ public class foo {
   }
 };
 _LT_EOF
+], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
+package foo
+func foo() {
+}
+_LT_EOF
 ])
+
+_lt_libdeps_save_CFLAGS=$CFLAGS
+case "$CC $CFLAGS " in #(
+*\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
+*\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
+*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
+esac
+
 dnl Parse the compiler output and extract the necessary
 dnl objects, libraries and library flags.
 if AC_TRY_EVAL(ac_compile); then
@@ -6425,7 +7001,7 @@ if AC_TRY_EVAL(ac_compile); then
   pre_test_object_deps_done=no
 
   for p in `eval "$output_verbose_link_cmd"`; do
-    case $p in
+    case ${prev}${p} in
 
     -L* | -R* | -l*)
        # Some compilers place space between "-{L,R}" and the path.
@@ -6434,13 +7010,22 @@ if AC_TRY_EVAL(ac_compile); then
           test $p = "-R"; then
 	 prev=$p
 	 continue
-       else
-	 prev=
        fi
 
+       # Expand the sysroot to ease extracting the directories later.
+       if test -z "$prev"; then
+         case $p in
+         -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;;
+         -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;;
+         -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;;
+         esac
+       fi
+       case $p in
+       =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;;
+       esac
        if test "$pre_test_object_deps_done" = no; then
-	 case $p in
-	 -L* | -R*)
+	 case ${prev} in
+	 -L | -R)
 	   # Internal compiler library paths should come after those
 	   # provided the user.  The postdeps already come after the
 	   # user supplied libs so there is no need to process them.
@@ -6460,8 +7045,10 @@ if AC_TRY_EVAL(ac_compile); then
 	   _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}"
 	 fi
        fi
+       prev=
        ;;
 
+    *.lto.$objext) ;; # Ignore GCC LTO objects
     *.$objext)
        # This assumes that the test object file only shows up
        # once in the compiler output.
@@ -6497,6 +7084,7 @@ else
 fi
 
 $RM -f confest.$objext
+CFLAGS=$_lt_libdeps_save_CFLAGS
 
 # PORTME: override above test on systems where it is broken
 m4_if([$1], [CXX],
@@ -6533,7 +7121,7 @@ linux*)
 
 solaris*)
   case $cc_basename in
-  CC*)
+  CC* | sunCC*)
     # The more standards-conforming stlport4 library is
     # incompatible with the Cstd library. Avoid specifying
     # it if it's in CXXFLAGS. Ignore libCrun as
@@ -6577,32 +7165,16 @@ _LT_TAGDECL([], [compiler_lib_search_path], [1],
 ])# _LT_SYS_HIDDEN_LIBDEPS
 
 
-# _LT_PROG_F77
-# ------------
-# Since AC_PROG_F77 is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_F77],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_F77=yes])
-AC_PROG_F77
-if test -z "$F77" || test "X$F77" = "Xno"; then
-  _lt_disable_F77=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_F77
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_F77], [])
-
-
 # _LT_LANG_F77_CONFIG([TAG])
 # --------------------------
 # Ensure that the configuration variables for a Fortran 77 compiler are
 # suitably defined.  These variables are subsequently used by _LT_CONFIG
 # to write the compiler configuration to `libtool'.
 m4_defun([_LT_LANG_F77_CONFIG],
-[AC_REQUIRE([_LT_PROG_F77])dnl
-AC_LANG_PUSH(Fortran 77)
+[AC_LANG_PUSH(Fortran 77)
+if test -z "$F77" || test "X$F77" = "Xno"; then
+  _lt_disable_F77=yes
+fi
 
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
 _LT_TAGVAR(allow_undefined_flag, $1)=
@@ -6612,7 +7184,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -6621,6 +7192,8 @@ _LT_TAGVAR(module_cmds, $1)=
 _LT_TAGVAR(module_expsym_cmds, $1)=
 _LT_TAGVAR(link_all_deplibs, $1)=unknown
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 _LT_TAGVAR(no_undefined_flag, $1)=
 _LT_TAGVAR(whole_archive_flag_spec, $1)=
 _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -6660,7 +7233,9 @@ if test "$_lt_disable_F77" != yes; then
   # Allow CC to be a program name with arguments.
   lt_save_CC="$CC"
   lt_save_GCC=$GCC
+  lt_save_CFLAGS=$CFLAGS
   CC=${F77-"f77"}
+  CFLAGS=$FFLAGS
   compiler=$CC
   _LT_TAGVAR(compiler, $1)=$CC
   _LT_CC_BASENAME([$compiler])
@@ -6714,38 +7289,24 @@ if test "$_lt_disable_F77" != yes; then
 
   GCC=$lt_save_GCC
   CC="$lt_save_CC"
+  CFLAGS="$lt_save_CFLAGS"
 fi # test "$_lt_disable_F77" != yes
 
 AC_LANG_POP
 ])# _LT_LANG_F77_CONFIG
 
 
-# _LT_PROG_FC
-# -----------
-# Since AC_PROG_FC is broken, in that it returns the empty string
-# if there is no fortran compiler, we have our own version here.
-m4_defun([_LT_PROG_FC],
-[
-pushdef([AC_MSG_ERROR], [_lt_disable_FC=yes])
-AC_PROG_FC
-if test -z "$FC" || test "X$FC" = "Xno"; then
-  _lt_disable_FC=yes
-fi
-popdef([AC_MSG_ERROR])
-])# _LT_PROG_FC
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([_LT_PROG_FC], [])
-
-
 # _LT_LANG_FC_CONFIG([TAG])
 # -------------------------
 # Ensure that the configuration variables for a Fortran compiler are
 # suitably defined.  These variables are subsequently used by _LT_CONFIG
 # to write the compiler configuration to `libtool'.
 m4_defun([_LT_LANG_FC_CONFIG],
-[AC_REQUIRE([_LT_PROG_FC])dnl
-AC_LANG_PUSH(Fortran)
+[AC_LANG_PUSH(Fortran)
+
+if test -z "$FC" || test "X$FC" = "Xno"; then
+  _lt_disable_FC=yes
+fi
 
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
 _LT_TAGVAR(allow_undefined_flag, $1)=
@@ -6755,7 +7316,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -6764,6 +7324,8 @@ _LT_TAGVAR(module_cmds, $1)=
 _LT_TAGVAR(module_expsym_cmds, $1)=
 _LT_TAGVAR(link_all_deplibs, $1)=unknown
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 _LT_TAGVAR(no_undefined_flag, $1)=
 _LT_TAGVAR(whole_archive_flag_spec, $1)=
 _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
@@ -6803,7 +7365,9 @@ if test "$_lt_disable_FC" != yes; then
   # Allow CC to be a program name with arguments.
   lt_save_CC="$CC"
   lt_save_GCC=$GCC
+  lt_save_CFLAGS=$CFLAGS
   CC=${FC-"f95"}
+  CFLAGS=$FCFLAGS
   compiler=$CC
   GCC=$ac_cv_fc_compiler_gnu
 
@@ -6859,7 +7423,8 @@ if test "$_lt_disable_FC" != yes; then
   fi # test -n "$compiler"
 
   GCC=$lt_save_GCC
-  CC="$lt_save_CC"
+  CC=$lt_save_CC
+  CFLAGS=$lt_save_CFLAGS
 fi # test "$_lt_disable_FC" != yes
 
 AC_LANG_POP
@@ -6896,10 +7461,12 @@ _LT_COMPILER_BOILERPLATE
 _LT_LINKER_BOILERPLATE
 
 # Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
 lt_save_GCC=$GCC
 GCC=yes
 CC=${GCJ-"gcj"}
+CFLAGS=$GCJFLAGS
 compiler=$CC
 _LT_TAGVAR(compiler, $1)=$CC
 _LT_TAGVAR(LD, $1)="$LD"
@@ -6909,6 +7476,8 @@ _LT_CC_BASENAME([$compiler])
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
 
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 
 ## CAVEAT EMPTOR:
 ## There is no encapsulation within the following macros, do not change
@@ -6928,10 +7497,82 @@ fi
 AC_LANG_RESTORE
 
 GCC=$lt_save_GCC
-CC="$lt_save_CC"
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_GCJ_CONFIG
 
 
+# _LT_LANG_GO_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Go compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_GO_CONFIG],
+[AC_REQUIRE([LT_PROG_GO])dnl
+AC_LANG_SAVE
+
+# Source file extension for Go test sources.
+ac_ext=go
+
+# Object file extension for compiled Go test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="package main; func main() { }"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='package main; func main() { }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GOC-"gccgo"}
+CFLAGS=$GOFLAGS
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)="$LD"
+_LT_CC_BASENAME([$compiler])
+
+# Go did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+
+  _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_GO_CONFIG
+
+
 # _LT_LANG_RC_CONFIG([TAG])
 # -------------------------
 # Ensure that the configuration variables for the Windows resource compiler
@@ -6963,9 +7604,11 @@ _LT_LINKER_BOILERPLATE
 
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
+lt_save_CFLAGS=$CFLAGS
 lt_save_GCC=$GCC
 GCC=
 CC=${RC-"windres"}
+CFLAGS=
 compiler=$CC
 _LT_TAGVAR(compiler, $1)=$CC
 _LT_CC_BASENAME([$compiler])
@@ -6978,7 +7621,8 @@ fi
 
 GCC=$lt_save_GCC
 AC_LANG_RESTORE
-CC="$lt_save_CC"
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_RC_CONFIG
 
 
@@ -6998,6 +7642,13 @@ dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
 
 
+# LT_PROG_GO
+# ----------
+AC_DEFUN([LT_PROG_GO],
+[AC_CHECK_TOOL(GOC, gccgo,)
+])
+
+
 # LT_PROG_RC
 # ----------
 AC_DEFUN([LT_PROG_RC],
@@ -7037,6 +7688,15 @@ _LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
 AC_SUBST([OBJDUMP])
 ])
 
+# _LT_DECL_DLLTOOL
+# ----------------
+# Ensure DLLTOOL variable is set.
+m4_defun([_LT_DECL_DLLTOOL],
+[AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])
+AC_SUBST([DLLTOOL])
+])
 
 # _LT_DECL_SED
 # ------------
@@ -7130,8 +7790,8 @@ m4_defun([_LT_CHECK_SHELL_FEATURES],
 # Try some XSI features
 xsi_shell=no
 ( _lt_dummy="a/b/c"
-  test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \
-      = c,a/b,, \
+  test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \
+      = c,a/b,b/c, \
     && eval 'test $(( 1 + 1 )) -eq 2 \
     && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
   && xsi_shell=yes
@@ -7170,208 +7830,162 @@ _LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
 ])# _LT_CHECK_SHELL_FEATURES
 
 
-# _LT_PROG_XSI_SHELLFNS
-# ---------------------
-# Bourne and XSI compatible variants of some useful shell functions.
-m4_defun([_LT_PROG_XSI_SHELLFNS],
-[case $xsi_shell in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-}
-
-# func_basename file
-func_basename ()
-{
-  func_basename_result="${1##*/}"
-}
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-#   dirname:  Compute the dirname of FILE.  If nonempty,
-#             add APPEND to the result, otherwise set result
-#             to NONDIR_REPLACEMENT.
-#             value returned in "$func_dirname_result"
-#   basename: Compute filename of FILE.
-#             value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
-  case ${1} in
-    */*) func_dirname_result="${1%/*}${2}" ;;
-    *  ) func_dirname_result="${3}" ;;
-  esac
-  func_basename_result="${1##*/}"
-}
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-func_stripname ()
-{
-  # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
-  # positional parameters, so assign one to ordinary parameter first.
-  func_stripname_result=${3}
-  func_stripname_result=${func_stripname_result#"${1}"}
-  func_stripname_result=${func_stripname_result%"${2}"}
-}
-
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=${1%%=*}
-  func_opt_split_arg=${1#*=}
-}
-
-# func_lo2o object
-func_lo2o ()
-{
-  case ${1} in
-    *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
-    *)    func_lo2o_result=${1} ;;
-  esac
-}
-
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=${1%.*}.lo
-}
+# _LT_PROG_FUNCTION_REPLACE (FUNCNAME, REPLACEMENT-BODY)
+# ------------------------------------------------------
+# In `$cfgfile', look for function FUNCNAME delimited by `^FUNCNAME ()$' and
+# '^} FUNCNAME ', and replace its body with REPLACEMENT-BODY.
+m4_defun([_LT_PROG_FUNCTION_REPLACE],
+[dnl {
+sed -e '/^$1 ()$/,/^} # $1 /c\
+$1 ()\
+{\
+m4_bpatsubsts([$2], [$], [\\], [^\([	 ]\)], [\\\1])
+} # Extended-shell $1 implementation' "$cfgfile" > $cfgfile.tmp \
+  && mv -f "$cfgfile.tmp" "$cfgfile" \
+    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+test 0 -eq $? || _lt_function_replace_fail=:
+])
 
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=$(( $[*] ))
-}
 
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=${#1}
-}
+# _LT_PROG_REPLACE_SHELLFNS
+# -------------------------
+# Replace existing portable implementations of several shell functions with
+# equivalent extended shell implementations where those features are available..
+m4_defun([_LT_PROG_REPLACE_SHELLFNS],
+[if test x"$xsi_shell" = xyes; then
+  _LT_PROG_FUNCTION_REPLACE([func_dirname], [dnl
+    case ${1} in
+      */*) func_dirname_result="${1%/*}${2}" ;;
+      *  ) func_dirname_result="${3}" ;;
+    esac])
+
+  _LT_PROG_FUNCTION_REPLACE([func_basename], [dnl
+    func_basename_result="${1##*/}"])
+
+  _LT_PROG_FUNCTION_REPLACE([func_dirname_and_basename], [dnl
+    case ${1} in
+      */*) func_dirname_result="${1%/*}${2}" ;;
+      *  ) func_dirname_result="${3}" ;;
+    esac
+    func_basename_result="${1##*/}"])
 
-_LT_EOF
-    ;;
-  *) # Bourne compatible functions.
-    cat << \_LT_EOF >> "$cfgfile"
+  _LT_PROG_FUNCTION_REPLACE([func_stripname], [dnl
+    # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+    # positional parameters, so assign one to ordinary parameter first.
+    func_stripname_result=${3}
+    func_stripname_result=${func_stripname_result#"${1}"}
+    func_stripname_result=${func_stripname_result%"${2}"}])
 
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-  # Extract subdirectory from the argument.
-  func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"`
-  if test "X$func_dirname_result" = "X${1}"; then
-    func_dirname_result="${3}"
-  else
-    func_dirname_result="$func_dirname_result${2}"
-  fi
-}
+  _LT_PROG_FUNCTION_REPLACE([func_split_long_opt], [dnl
+    func_split_long_opt_name=${1%%=*}
+    func_split_long_opt_arg=${1#*=}])
 
-# func_basename file
-func_basename ()
-{
-  func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"`
-}
+  _LT_PROG_FUNCTION_REPLACE([func_split_short_opt], [dnl
+    func_split_short_opt_arg=${1#??}
+    func_split_short_opt_name=${1%"$func_split_short_opt_arg"}])
 
-dnl func_dirname_and_basename
-dnl A portable version of this function is already defined in general.m4sh
-dnl so there is no need for it here.
+  _LT_PROG_FUNCTION_REPLACE([func_lo2o], [dnl
+    case ${1} in
+      *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
+      *)    func_lo2o_result=${1} ;;
+    esac])
 
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
-  case ${2} in
-    .*) func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;;
-    *)  func_stripname_result=`$ECHO "X${3}" \
-           | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;;
-  esac
-}
+  _LT_PROG_FUNCTION_REPLACE([func_xform], [    func_xform_result=${1%.*}.lo])
 
-# sed scripts:
-my_sed_long_opt='1s/^\(-[[^=]]*\)=.*/\1/;q'
-my_sed_long_arg='1s/^-[[^=]]*=//'
+  _LT_PROG_FUNCTION_REPLACE([func_arith], [    func_arith_result=$(( $[*] ))])
 
-# func_opt_split
-func_opt_split ()
-{
-  func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"`
-  func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"`
-}
+  _LT_PROG_FUNCTION_REPLACE([func_len], [    func_len_result=${#1}])
+fi
 
-# func_lo2o object
-func_lo2o ()
-{
-  func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"`
-}
+if test x"$lt_shell_append" = xyes; then
+  _LT_PROG_FUNCTION_REPLACE([func_append], [    eval "${1}+=\\${2}"])
 
-# func_xform libobj-or-source
-func_xform ()
-{
-  func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[[^.]]*$/.lo/'`
-}
+  _LT_PROG_FUNCTION_REPLACE([func_append_quoted], [dnl
+    func_quote_for_eval "${2}"
+dnl m4 expansion turns \\\\ into \\, and then the shell eval turns that into \
+    eval "${1}+=\\\\ \\$func_quote_for_eval_result"])
 
-# func_arith arithmetic-term...
-func_arith ()
-{
-  func_arith_result=`expr "$[@]"`
-}
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-  func_len_result=`expr "$[1]" : ".*" 2>/dev/null || echo $max_cmd_len`
-}
-
-_LT_EOF
-esac
+  # Save a `func_append' function call where possible by direct use of '+='
+  sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+else
+  # Save a `func_append' function call even when '+=' is not available
+  sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \
+    && mv -f "$cfgfile.tmp" "$cfgfile" \
+      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
+  test 0 -eq $? || _lt_function_replace_fail=:
+fi
 
-case $lt_shell_append in
-  yes)
-    cat << \_LT_EOF >> "$cfgfile"
+if test x"$_lt_function_replace_fail" = x":"; then
+  AC_MSG_WARN([Unable to substitute extended shell functions in $ofile])
+fi
+])
 
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$[1]+=\$[2]"
-}
-_LT_EOF
+# _LT_PATH_CONVERSION_FUNCTIONS
+# -----------------------------
+# Determine which file name conversion functions should be used by
+# func_to_host_file (and, implicitly, by func_to_host_path).  These are needed
+# for certain cross-compile configurations and native mingw.
+m4_defun([_LT_PATH_CONVERSION_FUNCTIONS],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_MSG_CHECKING([how to convert $build file names to $host format])
+AC_CACHE_VAL(lt_cv_to_host_file_cmd,
+[case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
+        ;;
+    esac
     ;;
-  *)
-    cat << \_LT_EOF >> "$cfgfile"
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-  eval "$[1]=\$$[1]\$[2]"
-}
-
-_LT_EOF
+  *-*-cygwin* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
+        ;;
+      *-*-cygwin* )
+        lt_cv_to_host_file_cmd=func_convert_file_noop
+        ;;
+      * ) # otherwise, assume *nix
+        lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
+        ;;
+    esac
     ;;
-  esac
+  * ) # unhandled hosts (and "normal" native builds)
+    lt_cv_to_host_file_cmd=func_convert_file_noop
+    ;;
+esac
+])
+to_host_file_cmd=$lt_cv_to_host_file_cmd
+AC_MSG_RESULT([$lt_cv_to_host_file_cmd])
+_LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd],
+         [0], [convert $build file names to $host format])dnl
+
+AC_MSG_CHECKING([how to convert $build file names to toolchain format])
+AC_CACHE_VAL(lt_cv_to_tool_file_cmd,
+[#assume ordinary cross tools, or native build.
+lt_cv_to_tool_file_cmd=func_convert_file_noop
+case $host in
+  *-*-mingw* )
+    case $build in
+      *-*-mingw* ) # actually msys
+        lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
+        ;;
+    esac
+    ;;
+esac
 ])
+to_tool_file_cmd=$lt_cv_to_tool_file_cmd
+AC_MSG_RESULT([$lt_cv_to_tool_file_cmd])
+_LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd],
+         [0], [convert $build files to toolchain format])dnl
+])# _LT_PATH_CONVERSION_FUNCTIONS
diff --git a/m4/config/ltoptions.m4 b/m4/config/ltoptions.m4
index 34151a3ba..5d9acd8e2 100644
--- a/m4/config/ltoptions.m4
+++ b/m4/config/ltoptions.m4
@@ -1,13 +1,14 @@
 # Helper functions for option handling.                    -*- Autoconf -*-
 #
-#   Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+#   Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
+#   Inc.
 #   Written by Gary V. Vaughan, 2004
 #
 # This file is free software; the Free Software Foundation gives
 # unlimited permission to copy and/or distribute it, with or without
 # modifications, as long as this notice is preserved.
 
-# serial 6 ltoptions.m4
+# serial 7 ltoptions.m4
 
 # This is to help aclocal find these macros, as it can't see m4_define.
 AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
@@ -125,7 +126,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
 [enable_win32_dll=yes
 
 case $host in
-*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
+*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
   AC_CHECK_TOOL(AS, as, false)
   AC_CHECK_TOOL(DLLTOOL, dlltool, false)
   AC_CHECK_TOOL(OBJDUMP, objdump, false)
@@ -133,13 +134,13 @@ case $host in
 esac
 
 test -z "$AS" && AS=as
-_LT_DECL([], [AS],      [0], [Assembler program])dnl
+_LT_DECL([], [AS],      [1], [Assembler program])dnl
 
 test -z "$DLLTOOL" && DLLTOOL=dlltool
-_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
+_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
 
 test -z "$OBJDUMP" && OBJDUMP=objdump
-_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
+_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
 ])# win32-dll
 
 AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
@@ -325,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
 # MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
 m4_define([_LT_WITH_PIC],
 [AC_ARG_WITH([pic],
-    [AS_HELP_STRING([--with-pic],
+    [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
 	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
+    [lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
     [pic_mode=default])
 
 test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
diff --git a/m4/config/ltversion.m4 b/m4/config/ltversion.m4
index f3c530980..07a8602d4 100644
--- a/m4/config/ltversion.m4
+++ b/m4/config/ltversion.m4
@@ -7,17 +7,17 @@
 # unlimited permission to copy and/or distribute it, with or without
 # modifications, as long as this notice is preserved.
 
-# Generated from ltversion.in.
+# @configure_input@
 
-# serial 3017 ltversion.m4
+# serial 3337 ltversion.m4
 # This file is part of GNU Libtool
 
-m4_define([LT_PACKAGE_VERSION], [2.2.6b])
-m4_define([LT_PACKAGE_REVISION], [1.3017])
+m4_define([LT_PACKAGE_VERSION], [2.4.2])
+m4_define([LT_PACKAGE_REVISION], [1.3337])
 
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.2.6b'
-macro_revision='1.3017'
+[macro_version='2.4.2'
+macro_revision='1.3337'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
diff --git a/m4/config/lt~obsolete.m4 b/m4/config/lt~obsolete.m4
index 637bb2066..c573da90c 100644
--- a/m4/config/lt~obsolete.m4
+++ b/m4/config/lt~obsolete.m4
@@ -1,13 +1,13 @@
 # lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
 #
-#   Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
+#   Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
 #   Written by Scott James Remnant, 2004.
 #
 # This file is free software; the Free Software Foundation gives
 # unlimited permission to copy and/or distribute it, with or without
 # modifications, as long as this notice is preserved.
 
-# serial 4 lt~obsolete.m4
+# serial 5 lt~obsolete.m4
 
 # These exist entirely to fool aclocal when bootstrapping libtool.
 #
@@ -77,7 +77,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL],	[AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
 m4_ifndef([_LT_AC_LANG_CXX],		[AC_DEFUN([_LT_AC_LANG_CXX])])
 m4_ifndef([_LT_AC_LANG_F77],		[AC_DEFUN([_LT_AC_LANG_F77])])
 m4_ifndef([_LT_AC_LANG_GCJ],		[AC_DEFUN([_LT_AC_LANG_GCJ])])
-m4_ifndef([AC_LIBTOOL_RC],		[AC_DEFUN([AC_LIBTOOL_RC])])
 m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
 m4_ifndef([_LT_AC_LANG_C_CONFIG],	[AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
 m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
@@ -90,3 +89,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG],	[AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
 m4_ifndef([_LT_AC_LANG_RC_CONFIG],	[AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
 m4_ifndef([AC_LIBTOOL_CONFIG],		[AC_DEFUN([AC_LIBTOOL_CONFIG])])
 m4_ifndef([_LT_AC_FILE_LTDLL_C],	[AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
+m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS],	[AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
+m4_ifndef([_LT_AC_PROG_CXXCPP],		[AC_DEFUN([_LT_AC_PROG_CXXCPP])])
+m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS],	[AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
+m4_ifndef([_LT_PROG_ECHO_BACKSLASH],	[AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_PROG_F77],		[AC_DEFUN([_LT_PROG_F77])])
+m4_ifndef([_LT_PROG_FC],		[AC_DEFUN([_LT_PROG_FC])])
+m4_ifndef([_LT_PROG_CXX],		[AC_DEFUN([_LT_PROG_CXX])])
diff --git a/m4/macros/enable-disable.m4 b/m4/macros/enable-disable.m4
index 3d423652f..2e4552068 100644
--- a/m4/macros/enable-disable.m4
+++ b/m4/macros/enable-disable.m4
@@ -20,6 +20,7 @@ AC_DEFUN([ARG_ENABL_SET],
 # ARG_DISBL_SET(option, help)
 # ---------------------------
 # Create a --disable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $enabled_by_default
 AC_DEFUN([ARG_DISBL_SET],
 	[AC_ARG_ENABLE(
 		[$1],
@@ -32,5 +33,6 @@ AC_DEFUN([ARG_DISBL_SET],
 		fi],
 		[patsubst([$1], [-], [_])=true
 		patsubst([$1], [-], [_])_given=false]
-	)]
+	)
+	enabled_by_default=${enabled_by_default}" patsubst([$1], [-], [_])"]
 )
diff --git a/man/Makefile.am b/man/Makefile.am
index a74a901b8..0becd24c7 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -5,7 +5,9 @@ CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
 SUFFIXES = .in
 
 .in:
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	-e "s:@DEV_URANDOM@:$(urandom_device):" \
+	-e "s:@DEV_RANDOM@:$(random_device):" \
 	$(srcdir)/$@.in > $@
-
diff --git a/man/Makefile.in b/man/Makefile.in
index a38cf70ba..0bc64a6eb 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,14 +62,26 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -74,6 +103,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 man5dir = $(mandir)/man5
 am__installdirs = "$(DESTDIR)$(man5dir)"
 NROFF = nroff
@@ -82,21 +117,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -105,13 +147,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -124,6 +169,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -151,11 +197,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -163,6 +211,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -171,8 +220,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -181,14 +228,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -202,17 +254,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -222,16 +274,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -305,11 +356,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man5: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
+	@list1=''; \
+	list2='$(dist_man_MANS)'; \
+	test -n "$(man5dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.5[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
@@ -338,9 +396,7 @@ uninstall-man5:
 	  sed -n '/\.5[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -408,10 +464,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -508,8 +569,11 @@ uninstall-man: uninstall-man5
 
 
 .in:
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	-e "s:@DEV_URANDOM@:$(urandom_device):" \
+	-e "s:@DEV_RANDOM@:$(random_device):" \
 	$(srcdir)/$@.in > $@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 0a7f8bfe5..76bef614f 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2011-12-14" "4.6.4" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.1.0" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -172,9 +172,9 @@ keying, rekeying, and general control.
 The path to control the connection is called 'ISAKMP SA' in IKEv1
 and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
 level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
+strongSwan previously used two separate keying daemons, \fIpluto\fP and
+\fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but
+only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.
 .PP
 To avoid trivial editing of the configuration file to suit it to each system
 involved in a connection,
@@ -233,21 +233,14 @@ defines the identity of the AAA backend used during IKEv2 EAP authentication.
 This is required if the EAP client uses a method that verifies the server
 identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
 .TP
+.BR aggressive " = yes | " no
+whether to use IKEv1 Aggressive or Main Mode (the default).
+.TP
 .BR also " = <name>"
 includes conn section
 .BR <name> .
 .TP
-.BR auth " = " esp " | ah"
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
 how the two security gateways should authenticate each other;
 acceptable values are
 .B psk
@@ -268,17 +261,12 @@ IKEv1 additionally supports the values
 .B xauthpsk
 and
 .B xauthrsasig
-that will enable eXtended Authentication (XAuth) in addition to IKEv1 main mode
-based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets or digital RSA signatures, respectively.
+This parameter is deprecated, as two peers do not need to agree on an
+authentication method in IKEv2. Use the
 .B leftauth
-parameter instead to define authentication methods in IKEv2.
+parameter instead to define authentication methods.
 .TP
 .BR auto " = " ignore " | add | route | start"
 what operation, if any, should be done automatically at IPsec startup;
@@ -295,18 +283,24 @@ loads a connection without starting it.
 loads a connection and installs kernel traps. If traffic is detected between
 .B leftsubnet
 and
-.B rightsubnet
-, a connection is established.
+.BR rightsubnet ,
+a connection is established.
 .B start
 loads a connection and brings it up immediately.
 .B ignore
-ignores the connection. This is equal to delete a connection from the config
+ignores the connection. This is equal to deleting a connection from the config
 file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
+Relevant only locally, other end need not agree on it.
+.TP
+.BR closeaction " = " none " | clear | hold | restart"
+defines the action to take if the remote peer unexpectedly closes a CHILD_SA
+(see
+.B dpdaction
+for meaning of values).
+A
+.B closeaction should not be
+used if the peer uses reauthentication or uniquids checking, as these events
+might trigger the defined action when not desired.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -318,12 +312,11 @@ and
 .B no
 (the default). A value of
 .B yes
-causes IPsec to propose both compressed and uncompressed,
+causes the daemon to propose both compressed and uncompressed,
 and prefer compressed.
 A value of
 .B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
+prevents the daemon from proposing or accepting compression.
 .TP
 .BR dpdaction " = " none " | clear | hold | restart"
 controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
@@ -341,16 +334,9 @@ put in the hold state
 .RB ( hold )
 or restarted
 .RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
+The default is
 .B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
+which disables the active sending of DPD messages.
 .TP
 .BR dpddelay " = " 30s " | <time>"
 defines the period time interval with which R_U_THERE messages/INFORMATIONAL
@@ -359,58 +345,17 @@ received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
 messages and uses only standard messages (such as those to rekey) to detect
 dead peers.
 .TP
-.BR dpdtimeout " = " 150s " | <time>"
+.BR dpdtimeout " = " 150s " | <time>
 defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
-See
-.IR strongswan.conf (5)
-for a description of the IKEv2 retransmission timeout.
-.TP
-.BR closeaction " = " none " | clear | hold | restart"
-defines the action to take if the remote peer unexpectedly closes a CHILD_SA
-(IKEv2 only, see dpdaction for meaning of values). A closeaction should not be
-used if the peer uses reauthentication or uniquids checking, as these events
-might trigger a closeaction when not desired.
 .TP
 .BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.BR eap " = aka | ... | radius | ... | <type> | <type>-<vendor>
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B peap
-for EAP-PEAPv0,
-.B radius
-for the EAP-RADIUS proxy,
-.B sim
-for EAP-SIM,
-.B tls
-for EAP-TLS, and
-.B ttls
-for EAP-TTLSv0.
-Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
+not send or receive any traffic.
 .TP
 .BR eap_identity " = <id>"
-defines the identity the client uses to reply to a EAP Identity request.
+defines the identity the client uses to reply to an EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
 identity during EAP authentication. The special value
 .B %identity
@@ -423,17 +368,17 @@ for the connection, e.g.
 .BR aes128-sha256 .
 The notation is
 .BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
 Defaults to
-.BR aes128-sha1,3des-sha1
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this default
+.BR aes128-sha1,3des-sha1 .
+The daemon adds its extensive default proposal to this default
 or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer. In order to restrict a responder to only accept specific cipher
 suites, the strict flag
 .RB ( ! ,
@@ -441,8 +386,8 @@ exclamation mark) can be used, e.g: aes256-sha512-modp4096!
 .br
 If
 .B dh-group
-is specified, CHILD_SA setup and rekeying include a separate Diffie-Hellman
-exchange (IKEv2 only).  Valid values for
+is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
+Diffie-Hellman exchange.  Valid values for
 .B esnmode
 (IKEv2 only) are
 .B esn
@@ -455,39 +400,69 @@ the default is
 .BR forceencaps " = yes | " no
 force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+encapsulate packets, NAT detection payloads are faked.
+.TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension).  Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
 .TP
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
 to be used, e.g.
 .BR aes128-sha1-modp2048 .
 The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
 .br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
 Defaults to
-.B aes128-sha1-modp2048,3des-sha1-modp1536
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this
+.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
+The daemon adds its extensive default proposal to this
 default or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer.  In order to restrict a responder to only accept specific cipher
 suites, the strict flag
-.BR ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+.RB ( ! ,
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
+.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
 .TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
 .TP
 .BR installpolicy " = " yes " | no"
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
+decides whether IPsec policies are installed in the kernel by the charon daemon
+for a given connection. Allows peaceful cooperation e.g. with
 the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
 Acceptable values are
 .B yes
@@ -495,21 +470,10 @@ Acceptable values are
 .BR no .
 .TP
 .BR keyexchange " = " ike " | ikev1 | ikev2"
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. Starting with strongSwan 4.5 the default value
+which key exchange protocol should be used to initiate the connection.
+Connections marked with
 .B ike
-is a synonym for
-.BR ikev2 ,
-whereas in older strongSwan releases
-.B ikev1
-was assumed.
+use IKEv2 when initiating, but accept any protocol version when responding.
 .TP
 .BR keyingtries " = " 3 " | <number> | %forever"
 how many attempts (a whole number or \fB%forever\fP) should be made to
@@ -524,45 +488,23 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
+.BR left " = <ip address> | <fqdn> | " %any
 (required)
 the IP address of the left participant's public-network interface
 or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B  %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
+The value
 .B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
+(the default) for the local endpoint signifies an address to be filled in (by
+automatic keying) during negotiation. If the local peer initiates the
+connection setup the routing table will be queried to determine the correct
+local IP address.
 In case the local peer is responding to a connection setup then any IP address
 that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+The prefix
+.B %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.BR leftallowany =yes.
 
 If
 .B %any
@@ -574,35 +516,37 @@ is used in that case.
 .TP
 .BR leftallowany " = yes | " no
 a modifier for
-.B left
-, making it behave as
+.BR left ,
+making it behave as
 .B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
+although a concrete IP address or domain name has been assigned.
 .TP
 .BR leftauth " = <auth method>"
 Authentication method to use locally (left) or require from the remote (right)
 side.
-This parameter is supported in IKEv2 only. Acceptable values are
+Acceptable values are
 .B pubkey
 for public key authentication (RSA/ECDSA),
 .B psk
-for pre-shared key authentication and
+for pre-shared key authentication,
 .B eap
-to (require the) use of the Extensible Authentication Protocol.
+to (require the) use of the Extensible Authentication Protocol in IKEv2, and
+.B xauth
+for IKEv1 eXtended Authentication.
 To require a trustchain public key strength for the remote side, specify the
-key type followed by the strength in bits (for example
-.BR rsa-2048
+key type followed by the minimum strength in bits (for example
+.BR ecdsa-384
+or
+.BR rsa-2048-ecdsa-256 ).
+To limit the acceptable set of hashing algorithms for trustchain validation,
+append hash algorithms to
+.BR pubkey
+or a key strength definition (for example
+.BR pubkey-sha1-sha256
 or
-.BR ecdsa-256 ).
+.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
 For
-.B eap,
+.BR eap ,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-gtc ,
@@ -611,25 +555,41 @@ an optional EAP method can be appended. Currently defined methods are
 .BR eap-peap ,
 .BR eap-sim ,
 .BR eap-tls ,
+.BR eap-ttls ,
+.BR eap-dynamic ,
 and
-.BR eap-ttls .
+.BR eap-radius .
 Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
 EAP methods are defined in the form
 .B eap-type-vendor
 .RB "(e.g. " eap-7-12345 ).
+For
+.B xauth,
+an XAuth authentication backend can be specified, such as
+.B xauth-generic
+or
+.BR xauth-eap .
+If XAuth is used in
+.BR leftauth ,
+Hybrid authentication is used. For traditional XAuth authentication, define
+XAuth in
+.BR lefauth2 .
 .TP
 .BR leftauth2 " = <auth method>"
 Same as
 .BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
+but defines an additional authentication exchange. In IKEv1, only XAuth can be
+used in the second authentication round. IKEv2 supports multiple complete
 authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
+in RFC 4739. This allows, for example, separated authentication
+of host and user.
 .TP
 .BR leftca " = <issuer dn> | %same"
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
 to the root certification authority.
+.B %same
+means that the value configured for the right participant should be reused.
 .TP
 .BR leftca2 " = <issuer dn> | %same"
 Same as
@@ -644,12 +604,23 @@ are accepted. By default
 .B leftcert
 sets
 .B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
+to the distinguished name of the certificate's subject.
 The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -657,8 +628,17 @@ Same as
 but for the second authentication round (IKEv2 only).
 .TP
 .BR leftcertpolicy " = <OIDs>"
-Comma separated list of certificate policy OIDs the peers certificate must have.
-OIDs are specified using the numerical dotted representation (IKEv2 only).
+Comma separated list of certificate policy OIDs the peer's certificate must
+have.
+OIDs are specified using the numerical dotted representation.
+.TP
+.BR leftdns " = <servers>"
+Comma separated list of DNS server addresses to exchange as configuration
+attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or
+.BR %config4 / %config6
+to request attributes without an address. On the responder,
+only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned
+to the client.
 .TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
@@ -683,8 +663,7 @@ tunnels established with IPsec are exempted from it
 so that packets can flow unchanged through the tunnels.
 (This means that all subnets connected in this manner must have
 distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
+This is done by the default \fBipsec _updown\fR script.
 
 In situations calling for more control,
 it may be preferable for the user to supply his own
@@ -696,12 +675,13 @@ which makes the appropriate adjustments for his system.
 a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
+of the groups defined by the parameter.
+.TP
+.BR leftgroups2 " = <group list>"
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
 .TP
 .BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default
@@ -717,10 +697,25 @@ and
 .BR leftid " = <id>"
 how the left participant should be identified for authentication;
 defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
+.B left
+or the subject of the certificate configured with
+.BR leftcert .
+Can be an IP address, a fully-qualified domain name, an email address, or
+a keyid. If
+.B leftcert
+is configured the identity has to be confirmed by the certificate.
+
+For IKEv2 and
+.B rightid
+the prefix
+.B %
+in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
+request and will allow it to verify the configured identity against the subject
+and subjectAltNames contained in the responder's certificate (otherwise it is
+only compared with the IDr returned by the responder).  The IDr sent by the
+initiator might otherwise prevent the responder from finding a config if it
+has configured a different value for
+.BR leftid .
 .TP
 .BR leftid2 " = <id>"
 identity to use for a second authentication for the left participant
@@ -728,51 +723,30 @@ identity to use for a second authentication for the left participant
 .BR leftid .
 .TP
 .BR leftikeport " = <port>"
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
+UDP port the left participant uses for IKE communication.
+If unspecified, port 500 is used with the port floating
 to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
+listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
+restrict the traffic selector to a single protocol and/or port. This option
+is now deprecated, protocol/port information can be defined for each subnet
+directly in
+.BR leftsubnet .
+.TP
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
+.B dns:
 or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
+.B ssh:
+prefix in front of 0x or 0s, the public key is expected to be in either
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
+Also accepted is the path to a file containing the public key in PEM or DER
 encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -787,20 +761,25 @@ and
 the latter meaning that the peer must send a certificate request payload in
 order to get a certificate in return.
 .TP
-.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
+.BR leftsourceip " = %config4 | %config6 | <ip address>"
+Comma separated list of internal source IPs to use in a tunnel, also known as
+virtual IP. If the value is one of the synonyms
 .BR %config ,
 .BR %cfg ,
 .BR %modeconfig ,
 or
 .BR %modecfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
+an address (from the tunnel address family) is requested from the peer. With
+.B %config4
+and
+.B %config6
+an address of the given address family will be requested explicitly.
+If an IP address is configured, it will be requested from the responder,
+which is free to respond with a different address.
 .TP
 .BR rightsourceip " = %config | <network>/<netmask> | %poolname"
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
+Comma separated list of internal source IPs to use in a tunnel for the remote
+peer. If the value is
 .B %config
 on the responder side, the initiator must propose an address which is then
 echoed back. Also supported are address pools expressed as
@@ -808,21 +787,47 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.BR leftsubnet " = <ip subnet>"
+.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
 signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.BR leftsubnetwithin " = <ip subnet>"
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
+only. Configured subnets of the peers may differ, the protocol narrows it to
+the greatest common subnet. In IKEv1, this may lead to problems with other
+implementations, make sure to configure identical subnets in such
+configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
+interprets the first subnet of such a definition, unless the Cisco Unity
+extension plugin is enabled.
+
+The optional part after each subnet enclosed in square brackets specifies a
+protocol/port to restrict the selector for that subnet.
+
+Examples:
+.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
+.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
+Instead of omitting either value
+.B %any
+can be used to the same effect, e.g.
+.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
+
+Instead of specifying a subnet,
+.B %dynamic
+can be used to replace it with the IKE address, having the same effect
+as omitting
+.B leftsubnet
+completely. Using
+.B %dynamic
+can be used to define multiple dynamic selectors, each having a potentially
+different protocol/port definition.
+
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
@@ -832,20 +837,15 @@ changes (default
 May include positional parameters separated by white space
 (although this requires enclosing the whole string in quotes);
 including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+Relevant only locally, other end need not agree on it. Charon uses the updown
 script to insert firewall rules only, since routing has been implemented
-directly into charon.
+directly into the daemon.
 .TP
 .BR lifebytes " = <number>"
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of bytes transmitted over an IPsec SA before it expires.
 .TP
 .BR lifepackets " = <number>"
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of packets transmitted over an IPsec SA before it expires.
 .TP
 .BR lifetime " = " 1h " | <time>"
 how long a particular instance of a connection
@@ -877,12 +877,12 @@ which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
 .BR marginbytes " = <number>"
 how many bytes before IPsec SA expiry (see
 .BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR marginpackets " = <number>"
 how many packets before IPsec SA expiry (see
 .BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR margintime " = " 9m " | <time>"
 how long before connection expiry or keying-channel expiry
@@ -921,7 +921,7 @@ enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .BR no .
 If set to
 .BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+the charon daemon will not actively propose MOBIKE as initiator and
 ignore the MOBIKE_SUPPORTED notify as responder.
 .TP
 .BR modeconfig " = push | " pull
@@ -931,29 +931,8 @@ Accepted values are
 and
 .B pull
 (the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.BR pfs " = " yes " | no"
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.BR pfsgroup " = <modp group>"
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+Push mode is currently not supported in charon, hence this parameter has no
+effect.
 .TP
 .BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
@@ -973,11 +952,12 @@ and
 .BR no .
 The two ends need not agree, but while a value of
 .B no
-prevents pluto/charon from requesting renegotiation,
+prevents charon from requesting renegotiation,
 it does not prevent responding to renegotiation requested from the other end,
 so
 .B no
-will be largely ineffective unless both ends agree on it.
+will be largely ineffective unless both ends agree on it. Also see
+.BR reauth .
 .TP
 .BR rekeyfuzz " = " 100% " | <percentage>"
 maximum percentage by which
@@ -1035,11 +1015,7 @@ signifying the special Mobile IPv6 transport proxy mode;
 .BR passthrough ,
 signifying that no IPsec processing should be done at all;
 .BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned
-.RB ( reject
-is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
+signifying that packets should be discarded.
 .TP
 .BR xauth " = " client " | server"
 specifies the role in the XAuth protocol if activated by
@@ -1105,6 +1081,11 @@ currently can have either the value
 .BR cacert " = <path>"
 defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
 .TP
 .BR crluri " = <uri>"
 defines a CRL distribution point (ldap, http, or file URI)
@@ -1116,8 +1097,6 @@ synonym for
 .BR crluri2 " = <uri>"
 defines an alternative CRL distribution point (ldap, http, or file URI)
 .TP
-.BR ldaphost " = <hostname>"
-defines an ldap host. Currently used by IKEv1 only.
 .TP
 .BR ocspuri " = <uri>"
 defines an OCSP URI.
@@ -1127,11 +1106,11 @@ synonym for
 .B ocspuri.
 .TP
 .BR ocspuri2 " = <uri>"
-defines an alternative OCSP URI. Currently used by IKEv2 only.
+defines an alternative OCSP URI.
 .TP
 .BR certuribase " = <uri>"
 defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
+Instead of exchanging complete certificates, IKEv2 allows one to send an URI
 that resolves to the DER encoded certificate. The certificate URIs are built
 by appending the SHA1 hash of the DER encoded certificates to this base URI.
 .SH "CONFIG SECTIONS"
@@ -1140,48 +1119,34 @@ At present, the only
 section known to the IPsec software is the one named
 .BR setup ,
 which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
-	plutodebug=all
-	crlcheckinterval=10m
-	strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
 The currently-accepted
 .I parameter
 names in a
 .B config
 .B setup
-section affecting both daemons are:
+section are:
 .TP
 .BR cachecrls " = yes | " no
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
+if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
+be cached in
+.I /etc/ipsec.d/crls/
+under a unique file name derived from the certification authority's public key.
 .TP
-.BR charonstart " = " yes " | no"
-whether to start the IKEv2 charon daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.BR plutostart " = " yes " | no"
-whether to start the IKEv1 pluto daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
+A comma separated list containing type/level-pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls,
+.B tnc, imc, imv, pts
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).  By default, the level
+is set to
+.B 1
+for all types.  For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
 .TP
 .BR strictcrlpolicy " = yes | ifuri | " no
 defines if a fresh CRL must be available in order for the peer authentication
@@ -1194,146 +1159,35 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.BR uniqueids " = " yes " | no | replace | keep"
+.BR uniqueids " = " yes " | no | never | replace | keep"
 whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
+with any new IKE_SA using an ID deemed to replace all old ones using that ID;
 acceptable values are
 .B yes
-(the default)
+(the default),
+.B no
 and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
+.BR never .
+Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
+almost invariably intended to replace an old one. The difference between
+.B no
+and
+.B never
+is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT
+notify if the option is
+.B no
+but will ignore these notifies if
+.B never
+is configured.
+The daemon also accepts the value
 .B replace
 which is identical to
 .B yes
 and the value
 .B keep
 to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.BR crlcheckinterval " = " 0s " | <time>"
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.BR keep_alive " = " 20s " | <time>"
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.BR nat_traversal " = yes | " no
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal is always being active in IKEv2.
-.TP
-.BR nocrsend " = yes | " no
-no certificate request payloads will be sent.
-.TP
-.BR pkcs11initargs " = <args>"
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.BR pkcs11module " = <args>"
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.BR pkcs11keepstate " = yes | " no
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR pkcs11proxy " = yes | " no
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR plutodebug " = " none " | <debug list> | all"
-how much pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.BR plutostderrlog " = <file>"
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to <file>.
-.TP
-.BR postpluto " = <command>"
-shell command to run after starting pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR prepluto " = <command>"
-shell command to run before starting pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR virtual_private " = <networks>"
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 charon daemon only:
-.TP
-.BR charondebug " = <debug list>"
-how much charon debugging output should be logged.
-A comma separated list containing type/level-pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, tls, tnc, imc, imv, pts
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).  By default, the level
-is set to
-.B 1
-for all types.  For more flexibility see LOGGER CONFIGURATION in
-.IR strongswan.conf (5).
 
-.SH IKEv2 EXPIRY/REKEY
+.SH SA EXPIRY/REKEY
 The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
 after a specific amount of time. For IPsec SAs this can also happen after a
 specified number of transmitted packets or transmitted bytes. The following
@@ -1419,12 +1273,8 @@ time equals zero and, thus, rekeying gets disabled.
 /etc/ipsec.d/crls
 
 .SH SEE ALSO
-strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
+strongswan.conf(5), ipsec.secrets(5), ipsec(8)
 .SH HISTORY
 Originally written for the FreeS/WAN project by Henry Spencer.
 Updated and extended for the strongSwan project <http://www.strongswan.org> by
 Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index ab255304d..4c64e86ca 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2011-12-14" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -172,9 +172,9 @@ keying, rekeying, and general control.
 The path to control the connection is called 'ISAKMP SA' in IKEv1
 and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
 level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
+strongSwan previously used two separate keying daemons, \fIpluto\fP and
+\fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but
+only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.
 .PP
 To avoid trivial editing of the configuration file to suit it to each system
 involved in a connection,
@@ -233,21 +233,14 @@ defines the identity of the AAA backend used during IKEv2 EAP authentication.
 This is required if the EAP client uses a method that verifies the server
 identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
 .TP
+.BR aggressive " = yes | " no
+whether to use IKEv1 Aggressive or Main Mode (the default).
+.TP
 .BR also " = <name>"
 includes conn section
 .BR <name> .
 .TP
-.BR auth " = " esp " | ah"
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
 how the two security gateways should authenticate each other;
 acceptable values are
 .B psk
@@ -268,17 +261,12 @@ IKEv1 additionally supports the values
 .B xauthpsk
 and
 .B xauthrsasig
-that will enable eXtended Authentication (XAuth) in addition to IKEv1 main mode
-based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets or digital RSA signatures, respectively.
+This parameter is deprecated, as two peers do not need to agree on an
+authentication method in IKEv2. Use the
 .B leftauth
-parameter instead to define authentication methods in IKEv2.
+parameter instead to define authentication methods.
 .TP
 .BR auto " = " ignore " | add | route | start"
 what operation, if any, should be done automatically at IPsec startup;
@@ -295,18 +283,24 @@ loads a connection without starting it.
 loads a connection and installs kernel traps. If traffic is detected between
 .B leftsubnet
 and
-.B rightsubnet
-, a connection is established.
+.BR rightsubnet ,
+a connection is established.
 .B start
 loads a connection and brings it up immediately.
 .B ignore
-ignores the connection. This is equal to delete a connection from the config
+ignores the connection. This is equal to deleting a connection from the config
 file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
+Relevant only locally, other end need not agree on it.
+.TP
+.BR closeaction " = " none " | clear | hold | restart"
+defines the action to take if the remote peer unexpectedly closes a CHILD_SA
+(see
+.B dpdaction
+for meaning of values).
+A
+.B closeaction should not be
+used if the peer uses reauthentication or uniquids checking, as these events
+might trigger the defined action when not desired.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -318,12 +312,11 @@ and
 .B no
 (the default). A value of
 .B yes
-causes IPsec to propose both compressed and uncompressed,
+causes the daemon to propose both compressed and uncompressed,
 and prefer compressed.
 A value of
 .B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
+prevents the daemon from proposing or accepting compression.
 .TP
 .BR dpdaction " = " none " | clear | hold | restart"
 controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
@@ -341,16 +334,9 @@ put in the hold state
 .RB ( hold )
 or restarted
 .RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
+The default is
 .B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
+which disables the active sending of DPD messages.
 .TP
 .BR dpddelay " = " 30s " | <time>"
 defines the period time interval with which R_U_THERE messages/INFORMATIONAL
@@ -359,58 +345,17 @@ received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
 messages and uses only standard messages (such as those to rekey) to detect
 dead peers.
 .TP
-.BR dpdtimeout " = " 150s " | <time>"
+.BR dpdtimeout " = " 150s " | <time>
 defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
-See
-.IR strongswan.conf (5)
-for a description of the IKEv2 retransmission timeout.
-.TP
-.BR closeaction " = " none " | clear | hold | restart"
-defines the action to take if the remote peer unexpectedly closes a CHILD_SA
-(IKEv2 only, see dpdaction for meaning of values). A closeaction should not be
-used if the peer uses reauthentication or uniquids checking, as these events
-might trigger a closeaction when not desired.
 .TP
 .BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.BR eap " = aka | ... | radius | ... | <type> | <type>-<vendor>
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B peap
-for EAP-PEAPv0,
-.B radius
-for the EAP-RADIUS proxy,
-.B sim
-for EAP-SIM,
-.B tls
-for EAP-TLS, and
-.B ttls
-for EAP-TTLSv0.
-Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
+not send or receive any traffic.
 .TP
 .BR eap_identity " = <id>"
-defines the identity the client uses to reply to a EAP Identity request.
+defines the identity the client uses to reply to an EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
 identity during EAP authentication. The special value
 .B %identity
@@ -423,17 +368,17 @@ for the connection, e.g.
 .BR aes128-sha256 .
 The notation is
 .BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
 Defaults to
-.BR aes128-sha1,3des-sha1
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this default
+.BR aes128-sha1,3des-sha1 .
+The daemon adds its extensive default proposal to this default
 or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer. In order to restrict a responder to only accept specific cipher
 suites, the strict flag
 .RB ( ! ,
@@ -441,8 +386,8 @@ exclamation mark) can be used, e.g: aes256-sha512-modp4096!
 .br
 If
 .B dh-group
-is specified, CHILD_SA setup and rekeying include a separate Diffie-Hellman
-exchange (IKEv2 only).  Valid values for
+is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
+Diffie-Hellman exchange.  Valid values for
 .B esnmode
 (IKEv2 only) are
 .B esn
@@ -455,39 +400,69 @@ the default is
 .BR forceencaps " = yes | " no
 force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+encapsulate packets, NAT detection payloads are faked.
+.TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension).  Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
 .TP
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
 to be used, e.g.
 .BR aes128-sha1-modp2048 .
 The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
 .br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
 Defaults to
-.B aes128-sha1-modp2048,3des-sha1-modp1536
-for IKEv1.  The IKEv2 daemon adds its extensive default proposal to this
+.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
+The daemon adds its extensive default proposal to this
 default or the configured value.  To restrict it to the configured proposal an
 exclamation mark
 .RB ( ! )
 can be added at the end.
-.br
+
 .BR Note :
-As a responder both daemons accept the first supported proposal received from
+As a responder the daemon accepts the first supported proposal received from
 the peer.  In order to restrict a responder to only accept specific cipher
 suites, the strict flag
-.BR ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+.RB ( ! ,
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
+.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
 .TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
 .TP
 .BR installpolicy " = " yes " | no"
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
+decides whether IPsec policies are installed in the kernel by the charon daemon
+for a given connection. Allows peaceful cooperation e.g. with
 the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
 Acceptable values are
 .B yes
@@ -495,21 +470,10 @@ Acceptable values are
 .BR no .
 .TP
 .BR keyexchange " = " ike " | ikev1 | ikev2"
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. Starting with strongSwan 4.5 the default value
+which key exchange protocol should be used to initiate the connection.
+Connections marked with
 .B ike
-is a synonym for
-.BR ikev2 ,
-whereas in older strongSwan releases
-.B ikev1
-was assumed.
+use IKEv2 when initiating, but accept any protocol version when responding.
 .TP
 .BR keyingtries " = " 3 " | <number> | %forever"
 how many attempts (a whole number or \fB%forever\fP) should be made to
@@ -524,45 +488,23 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
+.BR left " = <ip address> | <fqdn> | " %any
 (required)
 the IP address of the left participant's public-network interface
 or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B  %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
+The value
 .B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
+(the default) for the local endpoint signifies an address to be filled in (by
+automatic keying) during negotiation. If the local peer initiates the
+connection setup the routing table will be queried to determine the correct
+local IP address.
 In case the local peer is responding to a connection setup then any IP address
 that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+The prefix
+.B %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.BR leftallowany =yes.
 
 If
 .B %any
@@ -574,35 +516,37 @@ is used in that case.
 .TP
 .BR leftallowany " = yes | " no
 a modifier for
-.B left
-, making it behave as
+.BR left ,
+making it behave as
 .B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
+although a concrete IP address or domain name has been assigned.
 .TP
 .BR leftauth " = <auth method>"
 Authentication method to use locally (left) or require from the remote (right)
 side.
-This parameter is supported in IKEv2 only. Acceptable values are
+Acceptable values are
 .B pubkey
 for public key authentication (RSA/ECDSA),
 .B psk
-for pre-shared key authentication and
+for pre-shared key authentication,
 .B eap
-to (require the) use of the Extensible Authentication Protocol.
+to (require the) use of the Extensible Authentication Protocol in IKEv2, and
+.B xauth
+for IKEv1 eXtended Authentication.
 To require a trustchain public key strength for the remote side, specify the
-key type followed by the strength in bits (for example
-.BR rsa-2048
+key type followed by the minimum strength in bits (for example
+.BR ecdsa-384
+or
+.BR rsa-2048-ecdsa-256 ).
+To limit the acceptable set of hashing algorithms for trustchain validation,
+append hash algorithms to
+.BR pubkey
+or a key strength definition (for example
+.BR pubkey-sha1-sha256
 or
-.BR ecdsa-256 ).
+.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
 For
-.B eap,
+.BR eap ,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-gtc ,
@@ -611,25 +555,41 @@ an optional EAP method can be appended. Currently defined methods are
 .BR eap-peap ,
 .BR eap-sim ,
 .BR eap-tls ,
+.BR eap-ttls ,
+.BR eap-dynamic ,
 and
-.BR eap-ttls .
+.BR eap-radius .
 Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
 EAP methods are defined in the form
 .B eap-type-vendor
 .RB "(e.g. " eap-7-12345 ).
+For
+.B xauth,
+an XAuth authentication backend can be specified, such as
+.B xauth-generic
+or
+.BR xauth-eap .
+If XAuth is used in
+.BR leftauth ,
+Hybrid authentication is used. For traditional XAuth authentication, define
+XAuth in
+.BR lefauth2 .
 .TP
 .BR leftauth2 " = <auth method>"
 Same as
 .BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
+but defines an additional authentication exchange. In IKEv1, only XAuth can be
+used in the second authentication round. IKEv2 supports multiple complete
 authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
+in RFC 4739. This allows, for example, separated authentication
+of host and user.
 .TP
 .BR leftca " = <issuer dn> | %same"
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
 to the root certification authority.
+.B %same
+means that the value configured for the right participant should be reused.
 .TP
 .BR leftca2 " = <issuer dn> | %same"
 Same as
@@ -644,12 +604,23 @@ are accepted. By default
 .B leftcert
 sets
 .B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
+to the distinguished name of the certificate's subject.
 The left participant's ID can be overridden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -657,8 +628,17 @@ Same as
 but for the second authentication round (IKEv2 only).
 .TP
 .BR leftcertpolicy " = <OIDs>"
-Comma separated list of certificate policy OIDs the peers certificate must have.
-OIDs are specified using the numerical dotted representation (IKEv2 only).
+Comma separated list of certificate policy OIDs the peer's certificate must
+have.
+OIDs are specified using the numerical dotted representation.
+.TP
+.BR leftdns " = <servers>"
+Comma separated list of DNS server addresses to exchange as configuration
+attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or
+.BR %config4 / %config6
+to request attributes without an address. On the responder,
+only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned
+to the client.
 .TP
 .BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
@@ -683,8 +663,7 @@ tunnels established with IPsec are exempted from it
 so that packets can flow unchanged through the tunnels.
 (This means that all subnets connected in this manner must have
 distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
+This is done by the default \fBipsec _updown\fR script.
 
 In situations calling for more control,
 it may be preferable for the user to supply his own
@@ -696,12 +675,13 @@ which makes the appropriate adjustments for his system.
 a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
+of the groups defined by the parameter.
+.TP
+.BR leftgroups2 " = <group list>"
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
 .TP
 .BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default
@@ -717,10 +697,25 @@ and
 .BR leftid " = <id>"
 how the left participant should be identified for authentication;
 defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
+.B left
+or the subject of the certificate configured with
+.BR leftcert .
+Can be an IP address, a fully-qualified domain name, an email address, or
+a keyid. If
+.B leftcert
+is configured the identity has to be confirmed by the certificate.
+
+For IKEv2 and
+.B rightid
+the prefix
+.B %
+in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
+request and will allow it to verify the configured identity against the subject
+and subjectAltNames contained in the responder's certificate (otherwise it is
+only compared with the IDr returned by the responder).  The IDr sent by the
+initiator might otherwise prevent the responder from finding a config if it
+has configured a different value for
+.BR leftid .
 .TP
 .BR leftid2 " = <id>"
 identity to use for a second authentication for the left participant
@@ -728,51 +723,30 @@ identity to use for a second authentication for the left participant
 .BR leftid .
 .TP
 .BR leftikeport " = <port>"
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
+UDP port the left participant uses for IKE communication.
+If unspecified, port 500 is used with the port floating
 to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
+listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
+restrict the traffic selector to a single protocol and/or port. This option
+is now deprecated, protocol/port information can be defined for each subnet
+directly in
+.BR leftsubnet .
+.TP
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
+.B dns:
 or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
+.B ssh:
+prefix in front of 0x or 0s, the public key is expected to be in either
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
+Also accepted is the path to a file containing the public key in PEM or DER
 encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -787,20 +761,25 @@ and
 the latter meaning that the peer must send a certificate request payload in
 order to get a certificate in return.
 .TP
-.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
+.BR leftsourceip " = %config4 | %config6 | <ip address>"
+Comma separated list of internal source IPs to use in a tunnel, also known as
+virtual IP. If the value is one of the synonyms
 .BR %config ,
 .BR %cfg ,
 .BR %modeconfig ,
 or
 .BR %modecfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
+an address (from the tunnel address family) is requested from the peer. With
+.B %config4
+and
+.B %config6
+an address of the given address family will be requested explicitly.
+If an IP address is configured, it will be requested from the responder,
+which is free to respond with a different address.
 .TP
 .BR rightsourceip " = %config | <network>/<netmask> | %poolname"
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
+Comma separated list of internal source IPs to use in a tunnel for the remote
+peer. If the value is
 .B %config
 on the responder side, the initiator must propose an address which is then
 echoed back. Also supported are address pools expressed as
@@ -808,21 +787,47 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.BR leftsubnet " = <ip subnet>"
+.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
 signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.BR leftsubnetwithin " = <ip subnet>"
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
+only. Configured subnets of the peers may differ, the protocol narrows it to
+the greatest common subnet. In IKEv1, this may lead to problems with other
+implementations, make sure to configure identical subnets in such
+configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
+interprets the first subnet of such a definition, unless the Cisco Unity
+extension plugin is enabled.
+
+The optional part after each subnet enclosed in square brackets specifies a
+protocol/port to restrict the selector for that subnet.
+
+Examples:
+.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
+.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
+Instead of omitting either value
+.B %any
+can be used to the same effect, e.g.
+.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
+
+Instead of specifying a subnet,
+.B %dynamic
+can be used to replace it with the IKE address, having the same effect
+as omitting
+.B leftsubnet
+completely. Using
+.B %dynamic
+can be used to define multiple dynamic selectors, each having a potentially
+different protocol/port definition.
+
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
@@ -832,20 +837,15 @@ changes (default
 May include positional parameters separated by white space
 (although this requires enclosing the whole string in quotes);
 including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+Relevant only locally, other end need not agree on it. Charon uses the updown
 script to insert firewall rules only, since routing has been implemented
-directly into charon.
+directly into the daemon.
 .TP
 .BR lifebytes " = <number>"
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of bytes transmitted over an IPsec SA before it expires.
 .TP
 .BR lifepackets " = <number>"
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
+the number of packets transmitted over an IPsec SA before it expires.
 .TP
 .BR lifetime " = " 1h " | <time>"
 how long a particular instance of a connection
@@ -877,12 +877,12 @@ which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
 .BR marginbytes " = <number>"
 how many bytes before IPsec SA expiry (see
 .BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR marginpackets " = <number>"
 how many packets before IPsec SA expiry (see
 .BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
+should attempts to negotiate a replacement begin.
 .TP
 .BR margintime " = " 9m " | <time>"
 how long before connection expiry or keying-channel expiry
@@ -921,7 +921,7 @@ enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .BR no .
 If set to
 .BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
+the charon daemon will not actively propose MOBIKE as initiator and
 ignore the MOBIKE_SUPPORTED notify as responder.
 .TP
 .BR modeconfig " = push | " pull
@@ -931,29 +931,8 @@ Accepted values are
 and
 .B pull
 (the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.BR pfs " = " yes " | no"
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.BR pfsgroup " = <modp group>"
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
+Push mode is currently not supported in charon, hence this parameter has no
+effect.
 .TP
 .BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
@@ -973,11 +952,12 @@ and
 .BR no .
 The two ends need not agree, but while a value of
 .B no
-prevents pluto/charon from requesting renegotiation,
+prevents charon from requesting renegotiation,
 it does not prevent responding to renegotiation requested from the other end,
 so
 .B no
-will be largely ineffective unless both ends agree on it.
+will be largely ineffective unless both ends agree on it. Also see
+.BR reauth .
 .TP
 .BR rekeyfuzz " = " 100% " | <percentage>"
 maximum percentage by which
@@ -1035,11 +1015,7 @@ signifying the special Mobile IPv6 transport proxy mode;
 .BR passthrough ,
 signifying that no IPsec processing should be done at all;
 .BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned
-.RB ( reject
-is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
+signifying that packets should be discarded.
 .TP
 .BR xauth " = " client " | server"
 specifies the role in the XAuth protocol if activated by
@@ -1105,6 +1081,11 @@ currently can have either the value
 .BR cacert " = <path>"
 defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
 .TP
 .BR crluri " = <uri>"
 defines a CRL distribution point (ldap, http, or file URI)
@@ -1116,8 +1097,6 @@ synonym for
 .BR crluri2 " = <uri>"
 defines an alternative CRL distribution point (ldap, http, or file URI)
 .TP
-.BR ldaphost " = <hostname>"
-defines an ldap host. Currently used by IKEv1 only.
 .TP
 .BR ocspuri " = <uri>"
 defines an OCSP URI.
@@ -1127,11 +1106,11 @@ synonym for
 .B ocspuri.
 .TP
 .BR ocspuri2 " = <uri>"
-defines an alternative OCSP URI. Currently used by IKEv2 only.
+defines an alternative OCSP URI.
 .TP
 .BR certuribase " = <uri>"
 defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
+Instead of exchanging complete certificates, IKEv2 allows one to send an URI
 that resolves to the DER encoded certificate. The certificate URIs are built
 by appending the SHA1 hash of the DER encoded certificates to this base URI.
 .SH "CONFIG SECTIONS"
@@ -1140,48 +1119,34 @@ At present, the only
 section known to the IPsec software is the one named
 .BR setup ,
 which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
-	plutodebug=all
-	crlcheckinterval=10m
-	strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
 The currently-accepted
 .I parameter
 names in a
 .B config
 .B setup
-section affecting both daemons are:
+section are:
 .TP
 .BR cachecrls " = yes | " no
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
+if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
+be cached in
+.I /etc/ipsec.d/crls/
+under a unique file name derived from the certification authority's public key.
 .TP
-.BR charonstart " = " yes " | no"
-whether to start the IKEv2 charon daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.BR plutostart " = " yes " | no"
-whether to start the IKEv1 pluto daemon or not.
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
+A comma separated list containing type/level-pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls,
+.B tnc, imc, imv, pts
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).  By default, the level
+is set to
+.B 1
+for all types.  For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
 .TP
 .BR strictcrlpolicy " = yes | ifuri | " no
 defines if a fresh CRL must be available in order for the peer authentication
@@ -1194,146 +1159,35 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.BR uniqueids " = " yes " | no | replace | keep"
+.BR uniqueids " = " yes " | no | never | replace | keep"
 whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
+with any new IKE_SA using an ID deemed to replace all old ones using that ID;
 acceptable values are
 .B yes
-(the default)
+(the default),
+.B no
 and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
+.BR never .
+Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
+almost invariably intended to replace an old one. The difference between
+.B no
+and
+.B never
+is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT
+notify if the option is
+.B no
+but will ignore these notifies if
+.B never
+is configured.
+The daemon also accepts the value
 .B replace
 which is identical to
 .B yes
 and the value
 .B keep
 to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.BR crlcheckinterval " = " 0s " | <time>"
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.BR keep_alive " = " 20s " | <time>"
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.BR nat_traversal " = yes | " no
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal is always being active in IKEv2.
-.TP
-.BR nocrsend " = yes | " no
-no certificate request payloads will be sent.
-.TP
-.BR pkcs11initargs " = <args>"
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.BR pkcs11module " = <args>"
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.BR pkcs11keepstate " = yes | " no
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR pkcs11proxy " = yes | " no
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR plutodebug " = " none " | <debug list> | all"
-how much pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.BR plutostderrlog " = <file>"
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to <file>.
-.TP
-.BR postpluto " = <command>"
-shell command to run after starting pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR prepluto " = <command>"
-shell command to run before starting pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.BR virtual_private " = <networks>"
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 charon daemon only:
-.TP
-.BR charondebug " = <debug list>"
-how much charon debugging output should be logged.
-A comma separated list containing type/level-pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, tls, tnc, imc, imv, pts
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).  By default, the level
-is set to
-.B 1
-for all types.  For more flexibility see LOGGER CONFIGURATION in
-.IR strongswan.conf (5).
 
-.SH IKEv2 EXPIRY/REKEY
+.SH SA EXPIRY/REKEY
 The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
 after a specific amount of time. For IPsec SAs this can also happen after a
 specified number of transmitted packets or transmitted bytes. The following
@@ -1419,12 +1273,8 @@ time equals zero and, thus, rekeying gets disabled.
 /etc/ipsec.d/crls
 
 .SH SEE ALSO
-strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
+strongswan.conf(5), ipsec.secrets(5), ipsec(8)
 .SH HISTORY
 Originally written for the FreeS/WAN project by Henry Spencer.
 Updated and extended for the strongSwan project <http://www.strongswan.org> by
 Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index c7c092502..a4a58f261 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "4.6.2dr3" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.1.0rc1" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
 colon.
 .LP
 A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure.  To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
 .LP
 Matching IDs with selectors is fairly straightforward: they have to be
 equal.  In the case of a ``Road Warrior'' connection, if an equal
@@ -97,9 +91,15 @@ defines an RSA private key
 .B ECDSA
 defines an ECDSA private key
 .TP
+.B P12
+defines a PKCS#12 container
+.TP
 .B EAP
 defines EAP credentials
 .TP
+.B NTLM
+defines NTLM credentials
+.TP
 .B XAUTH
 defines XAUTH credentials
 .TP
@@ -136,35 +136,49 @@ Similarly, a character sequence beginning with
 .B 0s
 is interpreted as Base64 encoded binary data.
 .TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.B : RSA <private key file> [ <passphrase> | %prompt ]
 .TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+.B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
 \fI/etc/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
-can be used which then causes the daemons to ask the user for the password
+can be used which then causes the daemon to ask the user for the password
 whenever it is required to decrypt the key.
 .TP
+.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+For the PKCS#12 file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemon to ask the user for the password
+whenever it is required to decrypt the container. Private keys, client and CA
+certificates are extracted from the container. To use such a client certificate
+in a connection set leftid to one of the subjects of the certificate.
+.TP
 .B <user id> : EAP <secret>
 The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
 \fBEAP\fP secrets are IKEv2 only.
 .TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
 .B [ <servername> ] <username> : XAUTH <password>
 The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
 \fBXAUTH\fP secrets are IKEv1 only.
 .TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
 .B %prompt
-can be specified, which causes the daemons to ask the user for the pin code.
+can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index aa1b5c9c1..ee20c9670 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
 colon.
 .LP
 A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come).  An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure.  To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
 .LP
 Matching IDs with selectors is fairly straightforward: they have to be
 equal.  In the case of a ``Road Warrior'' connection, if an equal
@@ -97,9 +91,15 @@ defines an RSA private key
 .B ECDSA
 defines an ECDSA private key
 .TP
+.B P12
+defines a PKCS#12 container
+.TP
 .B EAP
 defines EAP credentials
 .TP
+.B NTLM
+defines NTLM credentials
+.TP
 .B XAUTH
 defines XAUTH credentials
 .TP
@@ -136,35 +136,49 @@ Similarly, a character sequence beginning with
 .B 0s
 is interpreted as Base64 encoded binary data.
 .TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.B : RSA <private key file> [ <passphrase> | %prompt ]
 .TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+.B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
 \fI/etc/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
-can be used which then causes the daemons to ask the user for the password
+can be used which then causes the daemon to ask the user for the password
 whenever it is required to decrypt the key.
 .TP
+.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+For the PKCS#12 file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemon to ask the user for the password
+whenever it is required to decrypt the container. Private keys, client and CA
+certificates are extracted from the container. To use such a client certificate
+in a connection set leftid to one of the subjects of the certificate.
+.TP
 .B <user id> : EAP <secret>
 The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
 \fBEAP\fP secrets are IKEv2 only.
 .TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
 .B [ <servername> ] <username> : XAUTH <password>
 The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
 \fBXAUTH\fP secrets are IKEv1 only.
 .TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
 .B %prompt
-can be specified, which causes the daemons to ask the user for the pin code.
+can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index e56e786e0..fc99c8c47 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2011-07-26" "4.6.4" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-07-22" "5.1.0" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -133,11 +133,20 @@ Path to database with file measurement information
 .TP
 .BR attest.load
 Plugins to load in ipsec attest tool
+
 .SS charon section
 .TP
+.BR Note :
+Many of these options also apply to \fBcharon\-cmd\fR and other
+\fBcharon\fR derivatives. Just use their respective name (e.g.
+\fIcharon\-cmd\fR) instead of  \fIcharon\fR.
+.TP
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
+.BR charon.cisco_unity " [no]
+Send Cisco Unity vendor ID payload (IKEv1 only)
+.TP
 .BR charon.close_ike_on_child_failure " [no]"
 Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
 .TP
@@ -156,7 +165,17 @@ Enable Denial of Service protection using cookies and aggressiveness checks
 Section to define file loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.flush_auth_cfg " [no]"
-
+If enabled objects used during authentication (certificates, identities etc.)
+are released to free memory once an IKE_SA is established.
+Enabling this might conflict with plugins that later need access to e.g. the
+used certificates.
+.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
+.BR charon.group
+Name of the group the daemon changes to after startup
 .TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
@@ -164,8 +183,17 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .BR charon.hash_and_url " [no]"
 Enable hash and URL support
 .TP
+.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
+If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
+keys, which is discouraged due to security concerns (offline attacks on the
+openly transmitted hash of the PSK)
+.TP
 .BR charon.ignore_routing_tables
-A list of routing tables to be excluded from route lookup
+A space-separated list of routing tables to be excluded from route lookups
+.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
 .TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
@@ -184,12 +212,28 @@ IKE_SA_INIT DROPPING).
 Limit new connections based on the number of jobs currently queued for
 processing (see IKE_SA_INIT DROPPING).
 .TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+.TP
 .BR charon.install_routes " [yes]"
 Install routes into a separate routing table for established IPsec tunnels
 .TP
 .BR charon.install_virtual_ip " [yes]"
 Install virtual IP addresses
 .TP
+.BR charon.install_virtual_ip_on
+The name of the interface on which virtual IP addresses should be installed.
+If not specified the addresses will be installed on the outbound interface.
+.TP
+.BR charon.interfaces_ignore
+A comma-separated list of network interfaces that should be ignored, if
+.B charon.interfaces_use
+is specified this option has no effect.
+.TP
+.BR charon.interfaces_use
+A comma-separated list of network interfaces that should be used by charon.
+All other interfaces are ignored.
+.TP
 .BR charon.keep_alive " [20s]"
 NAT keep alive interval
 .TP
@@ -207,11 +251,20 @@ Enable multiple authentication exchanges (RFC 4739)
 .BR charon.nbns2
 WINS servers assigned to peer via configuration payload (CP)
 .TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.BR charon.port ,
+otherwise a random port will be allocated.
+.TP
 .BR charon.process_route " [yes]"
 Process RTM_NEWROUTE and RTM_DELROUTE events
 .TP
 .BR charon.receive_delay " [0]"
-Delay for receiving packets, to simulate larger RTT
+Delay in ms for receiving packets, to simulate larger RTT
 .TP
 .BR charon.receive_delay_response " [yes]"
 Delay response messages
@@ -234,6 +287,10 @@ Timeout in seconds before sending first retransmit
 .BR charon.retransmit_tries " [5]"
 Number of times to retransmit a packet before giving up
 .TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+.TP
 .BR charon.reuse_ikesa " [yes]
 Initiate CHILD_SA within existing IKE_SAs
 .TP
@@ -244,7 +301,7 @@ Numerical routing table to install routes to
 Priority of the routing table
 .TP
 .BR charon.send_delay " [0]"
-Delay for sending packets, to simulate larger RTT
+Delay in ms for sending packets, to simulate larger RTT
 .TP
 .BR charon.send_delay_response " [yes]"
 Delay response messages
@@ -263,15 +320,59 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
 Number of worker threads in charon
+.TP
+.BR charon.user
+Name of the user the daemon changes to after startup
 .SS charon.plugins subsection
 .TP
-.BR charon.plugins.android.loglevel " [1]"
+.BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger
 .TP
 .BR charon.plugins.attr
 Section to specify arbitrary attributes that are assigned to a peer via
 configuration payload (CP)
 .TP
+.BR charon.plugins.certexpire.csv.cron
+Cron style string specifying CSV export times
+.TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
+.BR charon.plugins.certexpire.csv.local
+strftime(3) format string for the CSV file name to export local certificates to
+.TP
+.BR charon.plugins.certexpire.csv.remote
+strftime(3) format string for the CSV file name to export remote certificates to
+.TP
+.BR charon.plugins.certexpire.csv.separator " [,]"
+CSV field separator
+.TP
+.BR charon.plugins.coupling.file
+File to store coupling list to
+.TP
+.BR charon.plugins.coupling.hash " [sha1]"
+Hashing algorithm to fingerprint coupled certificates
+.TP
+.BR charon.plugins.coupling.max " [1]"
+Maximum number of coupling entries to create
+.TP
+.BR charon.plugins.dhcp.force_server_address " [no]"
+Always use the configured server address. This might be helpful if the DHCP
+server runs on the same host as strongSwan, and the DHCP daemon does not listen
+on the loopback interface.  In that case the server cannot be reached via
+unicast (or even 255.255.255.255) as that would be routed via loopback.
+Setting this option to yes and configuring the local broadcast address (e.g.
+192.168.0.255) as server address might work.
+.TP
 .BR charon.plugins.dhcp.identity_lease " [no]"
 Derive user-defined MAC address from hash of IKEv2 identity
 .TP
@@ -279,7 +380,10 @@ Derive user-defined MAC address from hash of IKEv2 identity
 DHCP server unicast or broadcast IP address
 .TP
 .BR charon.plugins.duplicheck.enable " [yes]"
-enable loaded duplicheck plugin
+Enable duplicheck plugin (if loaded)
+.TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin
 .TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
@@ -287,15 +391,24 @@ enable loaded duplicheck plugin
 .BR charon.plugins.eap-aka-3ggp2.seq_check
 
 .TP
-.BR charon.plugins.eap-gtc.pam_service " [login]"
-PAM service to be used for authentication
-
+.BR charon.plugins.eap-dynamic.preferred
+The preferred EAP method(s) to be used.  If it is not given the first
+registered method will be used initially.  If a comma separated list is given
+the methods are tried in the given order before trying the rest of the
+registered methods.
+.TP
+.BR charon.plugins.eap-dynamic.prefer_user " [no]"
+If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are
+preferred over the methods registered locally.
+.TP
+.BR charon.plugins.eap-gtc.backend " [pam]"
+XAuth backend to be used for credential verification
 .TP
 .BR charon.plugins.eap-peap.fragment_size " [1024]"
 Maximum size of an EAP-PEAP packet
 .TP
 .BR charon.plugins.eap-peap.max_message_count " [32]"
-Maximum number of processed EAP-PEAP packets
+Maximum number of processed EAP-PEAP packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-peap.include_length " [no]"
 Include length in non-fragmented EAP-PEAP packets
@@ -311,11 +424,13 @@ Start phase2 EAP TNC protocol after successful client authentication
 .TP
 .BR charon.plugins.eap-peap.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
-
 .TP
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
 .TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
+.TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
 .I class
@@ -325,6 +440,22 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176)
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests
+.TP
+.BR charon.plugins.eap-radius.dae.secret
+Shared secret used to verify/sign DAE messages
+.TP
 .BR charon.plugins.eap-radius.eap_start " [no]"
 Send EAP-Start instead of EAP-Identity to start RADIUS conversation
 .TP
@@ -341,6 +472,18 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+name or attribute number, a colon can be used to specify vendor-specific
+attributes, e.g. Reply-Message, or 11, or 36906:12).
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike
+Same as
+.B charon.plugins.eap-radius.forward.ike_to_radius
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+.TP
 .BR charon.plugins.eap-radius.id_prefix
 Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
 EAP method
@@ -364,10 +507,15 @@ Section to specify multiple RADIUS servers. The
 .B sockets
 and
 .B port
+(or
+.BR auth_port )
 options can be specified for each server. A server's IP/Hostname can be
 configured using the
 .B address
-option. For each RADIUS server a priority can be specified using the
+option. The
+.BR acct_port " [1813]"
+option can be used to specify the port used for RADIUS accounting.
+For each RADIUS server a priority can be specified using the
 .BR preference " [0]"
 option.
 .TP
@@ -380,32 +528,29 @@ Number of sockets (ports) to use, increase for high load
 .BR charon.plugins.eap-simaka-sql.database
 
 .TP
-.BR charon.plugins.eap-simaka-sql.remove_used
+.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
 
 .TP
 .BR charon.plugins.eap-tls.fragment_size " [1024]"
 Maximum size of an EAP-TLS packet
 .TP
 .BR charon.plugins.eap-tls.max_message_count " [32]"
-Maximum number of processed EAP-TLS packets
+Maximum number of processed EAP-TLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-tls.include_length " [yes]"
 Include length in non-fragmented EAP-TLS packets
 .TP
-.BR charon.plugins.eap-tnc.fragment_size " [50000]"
-Maximum size of an EAP-TNC packet
-.TP
 .BR charon.plugins.eap-tnc.max_message_count " [10]"
-Maximum number of processed EAP-TNC packets
+Maximum number of processed EAP-TNC packets (0 = no limit)
 .TP
-.BR charon.plugins.eap-tnc.include_length " [yes]"
-Include length in non-fragmented EAP-TNC packets
+.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
 .TP
 .BR charon.plugins.eap-ttls.fragment_size " [1024]"
 Maximum size of an EAP-TTLS packet
 .TP
 .BR charon.plugins.eap-ttls.max_message_count " [32]"
-Maximum number of processed EAP-TTLS packets
+Maximum number of processed EAP-TTLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-ttls.include_length " [yes]"
 Include length in non-fragmented EAP-TTLS packets
@@ -422,6 +567,13 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error-notify plugin
+.TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
 .BR charon.plugins.ha.fifo_interface " [yes]"
 
 .TP
@@ -452,6 +604,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.ha.segment_count " [1]"
 
 .TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs via DNS
+.TP
 .BR charon.plugins.led.activity_led
 
 .TP
@@ -464,9 +619,25 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+.TP
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin
+.TP
+.BR charon.plugins.radattr.dir
+Directory where RADIUS attributes are stored in client-ID specific files.
+.TP
+.BR charon.plugins.radattr.message_id " [-1]"
+Attributes are added to all IKE_AUTH messages by default (-1), or only to the
+IKE_AUTH message with the given IKEv2 message ID.
+.TP
 .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
 File where to add DNS server entries
 .TP
@@ -476,6 +647,15 @@ is appended to this prefix to make it unique.  The result has to be a valid
 interface name according to the rules defined by resolvconf.  Also, it should
 have a high priority according to the order defined in interface-order(5).
 .TP
+.BR charon.plugins.socket-default.set_source " [yes]"
+Set source address on outbound packets, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -489,27 +669,63 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin
+.TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
+.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA-TNC message (XML & Base64 encoding)
+.TP
+.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
+.TP
+.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
+.TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
 .TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
 .TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
 .TP
 .BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
 .TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
 .TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
 .TP
 .BR charon.plugins.tnc-imc.preferred_language " [en]"
 Preferred language for TNC recommendations
 .TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
 .BR charon.plugins.tnc-pdp.method " [ttls]"
 EAP tunnel method to be used
 .TP
@@ -520,12 +736,32 @@ RADIUS server port the strongSwan PDP is listening on
 Shared RADIUS secret between strongSwan PDP and NAS
 .TP
 .BR charon.plugins.tnc-pdp.server
-name of the strongSwan PDP as contained in the AAA certificate
+Name of the strongSwan PDP as contained in the AAA certificate
+.TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
+.BR charon.plugins.updown.dns_handler " [no]"
+Whether the updown script should handle DNS serves assigned via IKEv1 Mode
+Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+plugins, like resolve)
 .TP
 .BR charon.plugins.whitelist.enable " [yes]"
-enable loaded whitelist plugin
+Enable loaded whitelist plugin
+.TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin
+.TP
+.BR charon.plugins.xauth-eap.backend " [radius]"
+EAP plugin to be used as backend for XAuth credential verification
+.TP
+.BR charon.plugins.xauth-pam.pam_service " [login]"
+PAM service to be used for authentication
 .SS libstrongswan section
 .TP
+.BR libstrongswan.cert_cache " [yes]"
+Whether relations in validated certificate chains should be cached in memory
+.TP
 .BR libstrongswan.crypto_test.bench " [no]"
 
 .TP
@@ -554,12 +790,24 @@ strength
 .BR libstrongswan.ecp_x_coordinate_only " [yes]"
 Compliance with the errata for RFC 4753
 .TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
 .BR libstrongswan.integrity_test " [no]"
 Check daemon, libstrongswan and plugin integrity at startup
 .TP
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
 .TP
+.BR libstrongswan.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all)
+.TP
+.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -569,7 +817,7 @@ Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon and pluto
+Database URI for attr-sql plugin used by charon
 .TP
 .BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
 Enable logging of SQL IP pool leases
@@ -580,9 +828,18 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
 ENGINE ID to use in the OpenSSL plugin
 .TP
+.BR libstrongswan.plugins.openssl.fips_mode " [0]"
+Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
+.TP
 .BR libstrongswan.plugins.pkcs11.modules
 List of available PKCS#11 modules
 .TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
 .BR libstrongswan.plugins.pkcs11.use_dh " [no]"
 Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
 .TP
@@ -599,22 +856,63 @@ keys not stored on tokens
 .TP
 .BR libstrongswan.plugins.pkcs11.use_rng " [no]"
 Whether the PKCS#11 modules should be used as RNG
+.TP
+.BR libstrongswan.plugins.random.random " [/dev/random]"
+File to read random bytes from, instead of /dev/random
+.TP
+.BR libstrongswan.plugins.random.urandom " [/dev/urandom]"
+File to read pseudo random bytes from, instead of /dev/urandom
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
 TNC IMC/IMV configuration directory
 .SS libimcv section
 .TP
+.BR libimcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute
+.TP
+.BR libimcv.database
+Global IMV policy database URI
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs
+.TP
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.TP
+.BR libimcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies
+.TP
 .BR libimcv.stderr_quiet " [no]"
-Disable output to stderr with a stand-alone libimcv library
+isable output to stderr with a stand-alone libimcv library
+.PP
 .SS libimcv plugins section
 .TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
-.TP
 .BR libimcv.plugins.imc-attestation.aik_blob
 AIK encrypted private key blob file
 .TP
@@ -633,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature
 .BR libimcv.plugins.imv-attestation.cadir
 Path to directory with AIK cacerts
 .TP
-.BR libimcv.plugins.imv-attestation.database
-Path to database with file measurement information
-.TP
 .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
 Preferred Diffie-Hellman group
 .TP
@@ -645,17 +940,20 @@ Preferred measurement hash algorithm
 .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length
 .TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
-By default all ports must be closed (yes) or can be open (no)
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
 .TP
-.BR libimcv.plugins.imv-scanner.tcp_ports
-List of TCP ports that can be open or must be closed
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.udp_ports
-List of UDP ports that can be open or must be closed
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
+.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
 .TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
@@ -663,6 +961,12 @@ Number of additional IMC IDs
 .BR libimcv.plugins.imc-test.command " [none]"
 Command to be sent to the Test IMV
 .TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled)
+.TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
@@ -671,19 +975,6 @@ Command to be sent to the Test IMV in the handshake retry
 .TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
 .SS manager section
 .TP
 .BR manager.database
@@ -745,38 +1036,14 @@ Session timeout for mediation service
 .TP
 .BR openac.load
 Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
 .SS pki section
 .TP
 .BR pki.load
 Plugins to load in ipsec pki tool
-.SS pluto section
-.TP
-.BR pluto.dns1
-.TQ
-.BR pluto.dns2
-DNS servers assigned to peer via Mode Config
-.TP
-.BR pluto.load
-Plugins to load in IKEv1 pluto daemon
-.TP
-.BR pluto.nbns1
-.TQ
-.BR pluto.nbns2
-WINS servers assigned to peer via Mode Config
-.TP
-.BR pluto.threads " [4]"
-Number of worker threads in pluto
-.SS pluto.plugins section
-.TP
-.BR pluto.plugins.attr
-Section to specify arbitrary attributes that are assigned to a peer via
-Mode Config
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device
 .SS pool section
 .TP
 .BR pool.load
@@ -791,7 +1058,7 @@ Plugins to load in ipsec scepclient tool
 Plugins to load in starter
 .TP
 .BR starter.load_warning " [yes]"
-Disable charon/pluto plugin load option warning
+Disable charon plugin load option warning
 
 .SH LOGGER CONFIGURATION
 The options described below provide a much more flexible way to configure
@@ -897,6 +1164,9 @@ Packet encoding/decoding encryption/decryption operations
 .B tls
 libtls library messages
 .TP
+.B esp
+libipsec library messages
+.TP
 .B lib
 libstrongwan library messages
 .TP
@@ -1104,7 +1374,7 @@ it within 30 seconds. Under high load, a higher value might be required.
 
 .SH LOAD TESTS
 To do stability testing and performance optimizations, the IKEv2 daemon charon
-provides the load-tester plugin. This plugin allows to setup thousands of
+provides the load-tester plugin. This plugin allows one to setup thousands of
 tunnels concurrently against the daemon itself or a remote host.
 .PP
 .B WARNING:
@@ -1112,6 +1382,20 @@ Never enable the load-testing plugin on productive systems. It provides
 preconfigured credentials and allows an attacker to authenticate as any user.
 .SS Options
 .TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
 .BR charon.plugins.load-tester.child_rekey " [600]"
 Seconds to start CHILD_SA rekeying after setup
 .TP
@@ -1121,6 +1405,9 @@ Delay between initiatons for each thread
 .BR charon.plugins.load-tester.delete_after_established " [no]"
 Delete an IKE_SA as soon as it has been established
 .TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
 .BR charon.plugins.load-tester.dpd_delay " [0]"
 DPD delay to use in load test
 .TP
@@ -1133,6 +1420,9 @@ EAP secret to use in load test
 .BR charon.plugins.load-tester.enable " [no]"
 Enable the load testing plugin
 .TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
 .BR charon.plugins.load-tester.fake_kernel " [no]"
 Fake the kernel interface to allow load-testing against self
 .TP
@@ -1142,6 +1432,9 @@ Seconds to start IKE_SA rekeying after setup
 .BR charon.plugins.load-tester.init_limit " [0]"
 Global limit of concurrently established SAs during load test
 .TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
 .BR charon.plugins.load-tester.initiators " [0]"
 Number of concurrent initiator threads to use in load test
 .TP
@@ -1151,8 +1444,24 @@ Authentication method(s) the intiator uses
 .BR charon.plugins.load-tester.initiator_id
 Initiator ID used in load test
 .TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
 .BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
 .TP
 .BR charon.plugins.load-tester.pool
 Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1163,7 +1472,7 @@ Preshared key to use in load test
 .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
 IKE proposal to use in load test
 .TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
 Address to initiation connections to
 .TP
 .BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1172,11 +1481,25 @@ Authentication method(s) the responder uses
 .BR charon.plugins.load-tester.responder_id
 Responder ID used in load test
 .TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
 .BR charon.plugins.load-tester.request_virtual_ip " [no]"
 Request an INTERNAL_IPV4_ADDR from the server
 .TP
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load-tester plugin
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
+.PP
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
@@ -1211,7 +1534,7 @@ implementation called modpnull. By setting
 	proposal = aes128-sha1-modpnull
 .EE
 this wicked fast DH implementation is used. It does not provide any security
-at all, but allows to run tests without DH calculation overhead.
+at all, but allows one to run tests without DH calculation overhead.
 .SS Examples
 .PP
 In the simplest case, the daemon initiates IKE_SAs against itself using the
@@ -1255,9 +1578,9 @@ value if your box can not handle that much load, or decrease it to put more
 load on it. If the daemon starts retransmitting messages your box probably can
 not handle all connection attempts.
 .PP
-The plugin also allows to test against a remote host. This might help to test
-against a real world configuration. A connection setup to do stress testing of
-a gateway might look like this:
+The plugin also allows one to test against a remote host. This might help to
+test against a real world configuration. A connection setup to do stress
+testing of a gateway might look like this:
 .PP
 .EX
 	charon {
@@ -1332,7 +1655,8 @@ giving up	76s	165s
 /etc/strongswan.conf
 
 .SH SEE ALSO
-ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
 .SH HISTORY
 Written for the
 .UR http://www.strongswan.org
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 05493ec75..847d9d520 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2011-07-26" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -133,11 +133,20 @@ Path to database with file measurement information
 .TP
 .BR attest.load
 Plugins to load in ipsec attest tool
+
 .SS charon section
 .TP
+.BR Note :
+Many of these options also apply to \fBcharon\-cmd\fR and other
+\fBcharon\fR derivatives. Just use their respective name (e.g.
+\fIcharon\-cmd\fR) instead of  \fIcharon\fR.
+.TP
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
+.BR charon.cisco_unity " [no]
+Send Cisco Unity vendor ID payload (IKEv1 only)
+.TP
 .BR charon.close_ike_on_child_failure " [no]"
 Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
 .TP
@@ -156,7 +165,17 @@ Enable Denial of Service protection using cookies and aggressiveness checks
 Section to define file loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.flush_auth_cfg " [no]"
-
+If enabled objects used during authentication (certificates, identities etc.)
+are released to free memory once an IKE_SA is established.
+Enabling this might conflict with plugins that later need access to e.g. the
+used certificates.
+.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
+.BR charon.group
+Name of the group the daemon changes to after startup
 .TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
@@ -164,8 +183,17 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .BR charon.hash_and_url " [no]"
 Enable hash and URL support
 .TP
+.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
+If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
+keys, which is discouraged due to security concerns (offline attacks on the
+openly transmitted hash of the PSK)
+.TP
 .BR charon.ignore_routing_tables
-A list of routing tables to be excluded from route lookup
+A space-separated list of routing tables to be excluded from route lookups
+.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
 .TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
@@ -184,12 +212,28 @@ IKE_SA_INIT DROPPING).
 Limit new connections based on the number of jobs currently queued for
 processing (see IKE_SA_INIT DROPPING).
 .TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+.TP
 .BR charon.install_routes " [yes]"
 Install routes into a separate routing table for established IPsec tunnels
 .TP
 .BR charon.install_virtual_ip " [yes]"
 Install virtual IP addresses
 .TP
+.BR charon.install_virtual_ip_on
+The name of the interface on which virtual IP addresses should be installed.
+If not specified the addresses will be installed on the outbound interface.
+.TP
+.BR charon.interfaces_ignore
+A comma-separated list of network interfaces that should be ignored, if
+.B charon.interfaces_use
+is specified this option has no effect.
+.TP
+.BR charon.interfaces_use
+A comma-separated list of network interfaces that should be used by charon.
+All other interfaces are ignored.
+.TP
 .BR charon.keep_alive " [20s]"
 NAT keep alive interval
 .TP
@@ -207,11 +251,20 @@ Enable multiple authentication exchanges (RFC 4739)
 .BR charon.nbns2
 WINS servers assigned to peer via configuration payload (CP)
 .TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.BR charon.port ,
+otherwise a random port will be allocated.
+.TP
 .BR charon.process_route " [yes]"
 Process RTM_NEWROUTE and RTM_DELROUTE events
 .TP
 .BR charon.receive_delay " [0]"
-Delay for receiving packets, to simulate larger RTT
+Delay in ms for receiving packets, to simulate larger RTT
 .TP
 .BR charon.receive_delay_response " [yes]"
 Delay response messages
@@ -234,6 +287,10 @@ Timeout in seconds before sending first retransmit
 .BR charon.retransmit_tries " [5]"
 Number of times to retransmit a packet before giving up
 .TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+.TP
 .BR charon.reuse_ikesa " [yes]
 Initiate CHILD_SA within existing IKE_SAs
 .TP
@@ -244,7 +301,7 @@ Numerical routing table to install routes to
 Priority of the routing table
 .TP
 .BR charon.send_delay " [0]"
-Delay for sending packets, to simulate larger RTT
+Delay in ms for sending packets, to simulate larger RTT
 .TP
 .BR charon.send_delay_response " [yes]"
 Delay response messages
@@ -263,15 +320,59 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
 Number of worker threads in charon
+.TP
+.BR charon.user
+Name of the user the daemon changes to after startup
 .SS charon.plugins subsection
 .TP
-.BR charon.plugins.android.loglevel " [1]"
+.BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger
 .TP
 .BR charon.plugins.attr
 Section to specify arbitrary attributes that are assigned to a peer via
 configuration payload (CP)
 .TP
+.BR charon.plugins.certexpire.csv.cron
+Cron style string specifying CSV export times
+.TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
+.BR charon.plugins.certexpire.csv.local
+strftime(3) format string for the CSV file name to export local certificates to
+.TP
+.BR charon.plugins.certexpire.csv.remote
+strftime(3) format string for the CSV file name to export remote certificates to
+.TP
+.BR charon.plugins.certexpire.csv.separator " [,]"
+CSV field separator
+.TP
+.BR charon.plugins.coupling.file
+File to store coupling list to
+.TP
+.BR charon.plugins.coupling.hash " [sha1]"
+Hashing algorithm to fingerprint coupled certificates
+.TP
+.BR charon.plugins.coupling.max " [1]"
+Maximum number of coupling entries to create
+.TP
+.BR charon.plugins.dhcp.force_server_address " [no]"
+Always use the configured server address. This might be helpful if the DHCP
+server runs on the same host as strongSwan, and the DHCP daemon does not listen
+on the loopback interface.  In that case the server cannot be reached via
+unicast (or even 255.255.255.255) as that would be routed via loopback.
+Setting this option to yes and configuring the local broadcast address (e.g.
+192.168.0.255) as server address might work.
+.TP
 .BR charon.plugins.dhcp.identity_lease " [no]"
 Derive user-defined MAC address from hash of IKEv2 identity
 .TP
@@ -279,7 +380,10 @@ Derive user-defined MAC address from hash of IKEv2 identity
 DHCP server unicast or broadcast IP address
 .TP
 .BR charon.plugins.duplicheck.enable " [yes]"
-enable loaded duplicheck plugin
+Enable duplicheck plugin (if loaded)
+.TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin
 .TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
@@ -287,15 +391,24 @@ enable loaded duplicheck plugin
 .BR charon.plugins.eap-aka-3ggp2.seq_check
 
 .TP
-.BR charon.plugins.eap-gtc.pam_service " [login]"
-PAM service to be used for authentication
-
+.BR charon.plugins.eap-dynamic.preferred
+The preferred EAP method(s) to be used.  If it is not given the first
+registered method will be used initially.  If a comma separated list is given
+the methods are tried in the given order before trying the rest of the
+registered methods.
+.TP
+.BR charon.plugins.eap-dynamic.prefer_user " [no]"
+If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are
+preferred over the methods registered locally.
+.TP
+.BR charon.plugins.eap-gtc.backend " [pam]"
+XAuth backend to be used for credential verification
 .TP
 .BR charon.plugins.eap-peap.fragment_size " [1024]"
 Maximum size of an EAP-PEAP packet
 .TP
 .BR charon.plugins.eap-peap.max_message_count " [32]"
-Maximum number of processed EAP-PEAP packets
+Maximum number of processed EAP-PEAP packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-peap.include_length " [no]"
 Include length in non-fragmented EAP-PEAP packets
@@ -311,11 +424,13 @@ Start phase2 EAP TNC protocol after successful client authentication
 .TP
 .BR charon.plugins.eap-peap.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
-
 .TP
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
 .TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
+.TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
 .I class
@@ -325,6 +440,22 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176)
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests
+.TP
+.BR charon.plugins.eap-radius.dae.secret
+Shared secret used to verify/sign DAE messages
+.TP
 .BR charon.plugins.eap-radius.eap_start " [no]"
 Send EAP-Start instead of EAP-Identity to start RADIUS conversation
 .TP
@@ -341,6 +472,18 @@ is compared to the groups specified in the
 option in
 .B ipsec.conf (5).
 .TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+name or attribute number, a colon can be used to specify vendor-specific
+attributes, e.g. Reply-Message, or 11, or 36906:12).
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike
+Same as
+.B charon.plugins.eap-radius.forward.ike_to_radius
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+.TP
 .BR charon.plugins.eap-radius.id_prefix
 Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
 EAP method
@@ -364,10 +507,15 @@ Section to specify multiple RADIUS servers. The
 .B sockets
 and
 .B port
+(or
+.BR auth_port )
 options can be specified for each server. A server's IP/Hostname can be
 configured using the
 .B address
-option. For each RADIUS server a priority can be specified using the
+option. The
+.BR acct_port " [1813]"
+option can be used to specify the port used for RADIUS accounting.
+For each RADIUS server a priority can be specified using the
 .BR preference " [0]"
 option.
 .TP
@@ -380,32 +528,29 @@ Number of sockets (ports) to use, increase for high load
 .BR charon.plugins.eap-simaka-sql.database
 
 .TP
-.BR charon.plugins.eap-simaka-sql.remove_used
+.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
 
 .TP
 .BR charon.plugins.eap-tls.fragment_size " [1024]"
 Maximum size of an EAP-TLS packet
 .TP
 .BR charon.plugins.eap-tls.max_message_count " [32]"
-Maximum number of processed EAP-TLS packets
+Maximum number of processed EAP-TLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-tls.include_length " [yes]"
 Include length in non-fragmented EAP-TLS packets
 .TP
-.BR charon.plugins.eap-tnc.fragment_size " [50000]"
-Maximum size of an EAP-TNC packet
-.TP
 .BR charon.plugins.eap-tnc.max_message_count " [10]"
-Maximum number of processed EAP-TNC packets
+Maximum number of processed EAP-TNC packets (0 = no limit)
 .TP
-.BR charon.plugins.eap-tnc.include_length " [yes]"
-Include length in non-fragmented EAP-TNC packets
+.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
 .TP
 .BR charon.plugins.eap-ttls.fragment_size " [1024]"
 Maximum size of an EAP-TTLS packet
 .TP
 .BR charon.plugins.eap-ttls.max_message_count " [32]"
-Maximum number of processed EAP-TTLS packets
+Maximum number of processed EAP-TTLS packets (0 = no limit)
 .TP
 .BR charon.plugins.eap-ttls.include_length " [yes]"
 Include length in non-fragmented EAP-TTLS packets
@@ -422,6 +567,13 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error-notify plugin
+.TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
 .BR charon.plugins.ha.fifo_interface " [yes]"
 
 .TP
@@ -452,6 +604,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.ha.segment_count " [1]"
 
 .TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs via DNS
+.TP
 .BR charon.plugins.led.activity_led
 
 .TP
@@ -464,9 +619,25 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+.TP
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin
+.TP
+.BR charon.plugins.radattr.dir
+Directory where RADIUS attributes are stored in client-ID specific files.
+.TP
+.BR charon.plugins.radattr.message_id " [-1]"
+Attributes are added to all IKE_AUTH messages by default (-1), or only to the
+IKE_AUTH message with the given IKEv2 message ID.
+.TP
 .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
 File where to add DNS server entries
 .TP
@@ -476,6 +647,15 @@ is appended to this prefix to make it unique.  The result has to be a valid
 interface name according to the rules defined by resolvconf.  Also, it should
 have a high priority according to the order defined in interface-order(5).
 .TP
+.BR charon.plugins.socket-default.set_source " [yes]"
+Set source address on outbound packets, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -489,27 +669,63 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin
+.TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
+.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA-TNC message (XML & Base64 encoding)
+.TP
+.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
+.TP
+.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
+.TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
 .BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
 .TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
 .TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
 .TP
 .BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
 .TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
 .TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
 .TP
 .BR charon.plugins.tnc-imc.preferred_language " [en]"
 Preferred language for TNC recommendations
 .TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
 .BR charon.plugins.tnc-pdp.method " [ttls]"
 EAP tunnel method to be used
 .TP
@@ -520,12 +736,32 @@ RADIUS server port the strongSwan PDP is listening on
 Shared RADIUS secret between strongSwan PDP and NAS
 .TP
 .BR charon.plugins.tnc-pdp.server
-name of the strongSwan PDP as contained in the AAA certificate
+Name of the strongSwan PDP as contained in the AAA certificate
+.TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
+.BR charon.plugins.updown.dns_handler " [no]"
+Whether the updown script should handle DNS serves assigned via IKEv1 Mode
+Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+plugins, like resolve)
 .TP
 .BR charon.plugins.whitelist.enable " [yes]"
-enable loaded whitelist plugin
+Enable loaded whitelist plugin
+.TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin
+.TP
+.BR charon.plugins.xauth-eap.backend " [radius]"
+EAP plugin to be used as backend for XAuth credential verification
+.TP
+.BR charon.plugins.xauth-pam.pam_service " [login]"
+PAM service to be used for authentication
 .SS libstrongswan section
 .TP
+.BR libstrongswan.cert_cache " [yes]"
+Whether relations in validated certificate chains should be cached in memory
+.TP
 .BR libstrongswan.crypto_test.bench " [no]"
 
 .TP
@@ -554,12 +790,24 @@ strength
 .BR libstrongswan.ecp_x_coordinate_only " [yes]"
 Compliance with the errata for RFC 4753
 .TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
 .BR libstrongswan.integrity_test " [no]"
 Check daemon, libstrongswan and plugin integrity at startup
 .TP
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
 .TP
+.BR libstrongswan.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all)
+.TP
+.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -569,7 +817,7 @@ Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon and pluto
+Database URI for attr-sql plugin used by charon
 .TP
 .BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
 Enable logging of SQL IP pool leases
@@ -580,9 +828,18 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
 ENGINE ID to use in the OpenSSL plugin
 .TP
+.BR libstrongswan.plugins.openssl.fips_mode " [0]"
+Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
+.TP
 .BR libstrongswan.plugins.pkcs11.modules
 List of available PKCS#11 modules
 .TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
 .BR libstrongswan.plugins.pkcs11.use_dh " [no]"
 Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
 .TP
@@ -599,22 +856,63 @@ keys not stored on tokens
 .TP
 .BR libstrongswan.plugins.pkcs11.use_rng " [no]"
 Whether the PKCS#11 modules should be used as RNG
+.TP
+.BR libstrongswan.plugins.random.random " [@DEV_RANDOM@]"
+File to read random bytes from, instead of @DEV_RANDOM@
+.TP
+.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
+File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
 TNC IMC/IMV configuration directory
 .SS libimcv section
 .TP
+.BR libimcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute
+.TP
+.BR libimcv.database
+Global IMV policy database URI
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs
+.TP
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.TP
+.BR libimcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies
+.TP
 .BR libimcv.stderr_quiet " [no]"
-Disable output to stderr with a stand-alone libimcv library
+isable output to stderr with a stand-alone libimcv library
+.PP
 .SS libimcv plugins section
 .TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
-.TP
 .BR libimcv.plugins.imc-attestation.aik_blob
 AIK encrypted private key blob file
 .TP
@@ -633,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature
 .BR libimcv.plugins.imv-attestation.cadir
 Path to directory with AIK cacerts
 .TP
-.BR libimcv.plugins.imv-attestation.database
-Path to database with file measurement information
-.TP
 .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
 Preferred Diffie-Hellman group
 .TP
@@ -645,17 +940,20 @@ Preferred measurement hash algorithm
 .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length
 .TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
-By default all ports must be closed (yes) or can be open (no)
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
 .TP
-.BR libimcv.plugins.imv-scanner.tcp_ports
-List of TCP ports that can be open or must be closed
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.udp_ports
-List of UDP ports that can be open or must be closed
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
+.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
 .TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
@@ -663,6 +961,12 @@ Number of additional IMC IDs
 .BR libimcv.plugins.imc-test.command " [none]"
 Command to be sent to the Test IMV
 .TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled)
+.TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
@@ -671,19 +975,6 @@ Command to be sent to the Test IMV in the handshake retry
 .TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
 .SS manager section
 .TP
 .BR manager.database
@@ -745,38 +1036,14 @@ Session timeout for mediation service
 .TP
 .BR openac.load
 Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
 .SS pki section
 .TP
 .BR pki.load
 Plugins to load in ipsec pki tool
-.SS pluto section
-.TP
-.BR pluto.dns1
-.TQ
-.BR pluto.dns2
-DNS servers assigned to peer via Mode Config
-.TP
-.BR pluto.load
-Plugins to load in IKEv1 pluto daemon
-.TP
-.BR pluto.nbns1
-.TQ
-.BR pluto.nbns2
-WINS servers assigned to peer via Mode Config
-.TP
-.BR pluto.threads " [4]"
-Number of worker threads in pluto
-.SS pluto.plugins section
-.TP
-.BR pluto.plugins.attr
-Section to specify arbitrary attributes that are assigned to a peer via
-Mode Config
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device
 .SS pool section
 .TP
 .BR pool.load
@@ -791,7 +1058,7 @@ Plugins to load in ipsec scepclient tool
 Plugins to load in starter
 .TP
 .BR starter.load_warning " [yes]"
-Disable charon/pluto plugin load option warning
+Disable charon plugin load option warning
 
 .SH LOGGER CONFIGURATION
 The options described below provide a much more flexible way to configure
@@ -897,6 +1164,9 @@ Packet encoding/decoding encryption/decryption operations
 .B tls
 libtls library messages
 .TP
+.B esp
+libipsec library messages
+.TP
 .B lib
 libstrongwan library messages
 .TP
@@ -1104,7 +1374,7 @@ it within 30 seconds. Under high load, a higher value might be required.
 
 .SH LOAD TESTS
 To do stability testing and performance optimizations, the IKEv2 daemon charon
-provides the load-tester plugin. This plugin allows to setup thousands of
+provides the load-tester plugin. This plugin allows one to setup thousands of
 tunnels concurrently against the daemon itself or a remote host.
 .PP
 .B WARNING:
@@ -1112,6 +1382,20 @@ Never enable the load-testing plugin on productive systems. It provides
 preconfigured credentials and allows an attacker to authenticate as any user.
 .SS Options
 .TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
 .BR charon.plugins.load-tester.child_rekey " [600]"
 Seconds to start CHILD_SA rekeying after setup
 .TP
@@ -1121,6 +1405,9 @@ Delay between initiatons for each thread
 .BR charon.plugins.load-tester.delete_after_established " [no]"
 Delete an IKE_SA as soon as it has been established
 .TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
 .BR charon.plugins.load-tester.dpd_delay " [0]"
 DPD delay to use in load test
 .TP
@@ -1133,6 +1420,9 @@ EAP secret to use in load test
 .BR charon.plugins.load-tester.enable " [no]"
 Enable the load testing plugin
 .TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
 .BR charon.plugins.load-tester.fake_kernel " [no]"
 Fake the kernel interface to allow load-testing against self
 .TP
@@ -1142,6 +1432,9 @@ Seconds to start IKE_SA rekeying after setup
 .BR charon.plugins.load-tester.init_limit " [0]"
 Global limit of concurrently established SAs during load test
 .TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
 .BR charon.plugins.load-tester.initiators " [0]"
 Number of concurrent initiator threads to use in load test
 .TP
@@ -1151,8 +1444,24 @@ Authentication method(s) the intiator uses
 .BR charon.plugins.load-tester.initiator_id
 Initiator ID used in load test
 .TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
 .BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
 .TP
 .BR charon.plugins.load-tester.pool
 Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1163,7 +1472,7 @@ Preshared key to use in load test
 .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
 IKE proposal to use in load test
 .TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
 Address to initiation connections to
 .TP
 .BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1172,11 +1481,25 @@ Authentication method(s) the responder uses
 .BR charon.plugins.load-tester.responder_id
 Responder ID used in load test
 .TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
 .BR charon.plugins.load-tester.request_virtual_ip " [no]"
 Request an INTERNAL_IPV4_ADDR from the server
 .TP
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load-tester plugin
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
+.PP
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
@@ -1211,7 +1534,7 @@ implementation called modpnull. By setting
 	proposal = aes128-sha1-modpnull
 .EE
 this wicked fast DH implementation is used. It does not provide any security
-at all, but allows to run tests without DH calculation overhead.
+at all, but allows one to run tests without DH calculation overhead.
 .SS Examples
 .PP
 In the simplest case, the daemon initiates IKE_SAs against itself using the
@@ -1255,9 +1578,9 @@ value if your box can not handle that much load, or decrease it to put more
 load on it. If the daemon starts retransmitting messages your box probably can
 not handle all connection attempts.
 .PP
-The plugin also allows to test against a remote host. This might help to test
-against a real world configuration. A connection setup to do stress testing of
-a gateway might look like this:
+The plugin also allows one to test against a remote host. This might help to
+test against a real world configuration. A connection setup to do stress
+testing of a gateway might look like this:
 .PP
 .EX
 	charon {
@@ -1332,7 +1655,8 @@ giving up	76s	165s
 /etc/strongswan.conf
 
 .SH SEE ALSO
-ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
 .SH HISTORY
 Written for the
 .UR http://www.strongswan.org
diff --git a/missing b/missing
index 28055d2ae..86a8fc31e 100755
--- a/missing
+++ b/missing
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Common stub for a few missing GNU programs while installing.
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2012-01-06.13; # UTC
 
 # Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006,
-# 2008, 2009 Free Software Foundation, Inc.
+# 2008, 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
 # Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
@@ -84,7 +84,6 @@ Supported PROGRAM values:
   help2man     touch the output file
   lex          create \`lex.yy.c', if possible, from existing .c
   makeinfo     touch the output file
-  tar          try tar, gnutar, gtar, then tar without non-portable flags
   yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
 
 Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and
@@ -122,15 +121,6 @@ case $1 in
     # Not GNU programs, they don't have --version.
     ;;
 
-  tar*)
-    if test -n "$run"; then
-       echo 1>&2 "ERROR: \`tar' requires --run"
-       exit 1
-    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
-       exit 1
-    fi
-    ;;
-
   *)
     if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
        # We have it, but it failed.
@@ -226,7 +216,7 @@ WARNING: \`$1' $msg.  You should only need it if
          \`Bison' from any GNU archive site."
     rm -f y.tab.c y.tab.h
     if test $# -ne 1; then
-        eval LASTARG="\${$#}"
+        eval LASTARG=\${$#}
 	case $LASTARG in
 	*.y)
 	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
@@ -256,7 +246,7 @@ WARNING: \`$1' is $msg.  You should only need it if
          \`Flex' from any GNU archive site."
     rm -f lex.yy.c
     if test $# -ne 1; then
-        eval LASTARG="\${$#}"
+        eval LASTARG=\${$#}
 	case $LASTARG in
 	*.l)
 	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
@@ -318,41 +308,6 @@ WARNING: \`$1' is $msg.  You should only need it if
     touch $file
     ;;
 
-  tar*)
-    shift
-
-    # We have already tried tar in the generic part.
-    # Look for gnutar/gtar before invocation to avoid ugly error
-    # messages.
-    if (gnutar --version > /dev/null 2>&1); then
-       gnutar "$@" && exit 0
-    fi
-    if (gtar --version > /dev/null 2>&1); then
-       gtar "$@" && exit 0
-    fi
-    firstarg="$1"
-    if shift; then
-	case $firstarg in
-	*o*)
-	    firstarg=`echo "$firstarg" | sed s/o//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-	case $firstarg in
-	*h*)
-	    firstarg=`echo "$firstarg" | sed s/h//`
-	    tar "$firstarg" "$@" && exit 0
-	    ;;
-	esac
-    fi
-
-    echo 1>&2 "\
-WARNING: I can't seem to be able to run \`tar' with the given arguments.
-         You may want to install GNU tar or Free paxutils, or check the
-         command line arguments."
-    exit 1
-    ;;
-
   *)
     echo 1>&2 "\
 WARNING: \`$1' is needed, and is $msg.
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 5f303be17..06d4609cf 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -1,9 +1,11 @@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
-AM_CFLAGS = \
--DPLUGINS="\"${scripts_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-DPLUGINS="\"${scripts_plugins}\""
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
-	thread_analysis dh_speed pubkey_speed crypt_burn fetch
+	thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
+	dnssec malloc_speed
 
 if USE_TLS
   noinst_PROGRAMS += tls_test
@@ -22,7 +24,10 @@ thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
+hash_burn_SOURCES = hash_burn.c
+malloc_speed_SOURCES = malloc_speed.c
 fetch_SOURCES = fetch.c
+dnssec_SOURCES = dnssec.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -30,7 +35,10 @@ oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+malloc_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 key2keyid.o :	$(top_builddir)/config.status
 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index f16ca8735..6808d2436 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -37,7 +54,8 @@ host_triplet = @host@
 noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
 	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \
 	thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \
-	pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) fetch$(EXEEXT) \
+	pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) hash_burn$(EXEEXT) \
+	fetch$(EXEEXT) dnssec$(EXEEXT) malloc_speed$(EXEEXT) \
 	$(am__EXEEXT_1)
 @USE_TLS_TRUE@am__append_1 = tls_test
 subdir = scripts
@@ -51,10 +69,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 @USE_TLS_TRUE@am__EXEEXT_1 = tls_test$(EXEEXT)
@@ -62,6 +81,9 @@ PROGRAMS = $(noinst_PROGRAMS)
 am_bin2array_OBJECTS = bin2array.$(OBJEXT)
 bin2array_OBJECTS = $(am_bin2array_OBJECTS)
 bin2array_LDADD = $(LDADD)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 am_bin2sql_OBJECTS = bin2sql.$(OBJEXT)
 bin2sql_OBJECTS = $(am_bin2sql_OBJECTS)
 bin2sql_LDADD = $(LDADD)
@@ -73,10 +95,18 @@ am_dh_speed_OBJECTS = dh_speed.$(OBJEXT)
 dh_speed_OBJECTS = $(am_dh_speed_OBJECTS)
 dh_speed_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_dnssec_OBJECTS = dnssec.$(OBJEXT)
+dnssec_OBJECTS = $(am_dnssec_OBJECTS)
+dnssec_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_fetch_OBJECTS = fetch.$(OBJEXT)
 fetch_OBJECTS = $(am_fetch_OBJECTS)
 fetch_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_hash_burn_OBJECTS = hash_burn.$(OBJEXT)
+hash_burn_OBJECTS = $(am_hash_burn_OBJECTS)
+hash_burn_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_id2sql_OBJECTS = id2sql.$(OBJEXT)
 id2sql_OBJECTS = $(am_id2sql_OBJECTS)
 id2sql_DEPENDENCIES =  \
@@ -89,6 +119,10 @@ am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT)
 keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS)
 keyid2sql_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_malloc_speed_OBJECTS = malloc_speed.$(OBJEXT)
+malloc_speed_OBJECTS = $(am_malloc_speed_OBJECTS)
+malloc_speed_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_oid2der_OBJECTS = oid2der.$(OBJEXT)
 oid2der_OBJECTS = $(am_oid2der_OBJECTS)
 oid2der_DEPENDENCIES =  \
@@ -105,50 +139,79 @@ am__tls_test_SOURCES_DIST = tls_test.c
 tls_test_OBJECTS = $(am_tls_test_OBJECTS)
 @USE_TLS_TRUE@tls_test_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
 @USE_TLS_TRUE@	$(top_builddir)/src/libtls/libtls.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \
-	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
-	$(oid2der_SOURCES) $(pubkey_speed_SOURCES) \
-	$(thread_analysis_SOURCES) $(tls_test_SOURCES)
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
+	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
+	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
+	$(tls_test_SOURCES)
 DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \
-	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
-	$(oid2der_SOURCES) $(pubkey_speed_SOURCES) \
-	$(thread_analysis_SOURCES) $(am__tls_test_SOURCES_DIST)
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \
+	$(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(malloc_speed_SOURCES) $(oid2der_SOURCES) \
+	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) \
+	$(am__tls_test_SOURCES_DIST)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -157,13 +220,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -176,6 +242,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -203,11 +270,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -215,6 +284,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -223,8 +293,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -233,14 +301,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -254,17 +327,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -274,16 +347,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -311,9 +383,10 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
-AM_CFLAGS = \
--DPLUGINS="\"${scripts_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-DPLUGINS="\"${scripts_plugins}\""
 
 @USE_TLS_TRUE@tls_test_SOURCES = tls_test.c
 @USE_TLS_TRUE@tls_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -329,7 +402,10 @@ thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
+hash_burn_SOURCES = hash_burn.c
+malloc_speed_SOURCES = malloc_speed.c
 fetch_SOURCES = fetch.c
+dnssec_SOURCES = dnssec.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -337,7 +413,10 @@ oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+malloc_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -381,42 +460,51 @@ clean-noinstPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) 
+bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES) $(EXTRA_bin2array_DEPENDENCIES) 
 	@rm -f bin2array$(EXEEXT)
-	$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
-bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(bin2array_OBJECTS) $(bin2array_LDADD) $(LIBS)
+bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) $(EXTRA_bin2sql_DEPENDENCIES) 
 	@rm -f bin2sql$(EXEEXT)
-	$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
-crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
+crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) $(EXTRA_crypt_burn_DEPENDENCIES) 
 	@rm -f crypt_burn$(EXEEXT)
-	$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
-dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
+dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) $(EXTRA_dh_speed_DEPENDENCIES) 
 	@rm -f dh_speed$(EXEEXT)
-	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
-fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
+dnssec$(EXEEXT): $(dnssec_OBJECTS) $(dnssec_DEPENDENCIES) $(EXTRA_dnssec_DEPENDENCIES) 
+	@rm -f dnssec$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(dnssec_OBJECTS) $(dnssec_LDADD) $(LIBS)
+fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) $(EXTRA_fetch_DEPENDENCIES) 
 	@rm -f fetch$(EXEEXT)
-	$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
-id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS)
+hash_burn$(EXEEXT): $(hash_burn_OBJECTS) $(hash_burn_DEPENDENCIES) $(EXTRA_hash_burn_DEPENDENCIES) 
+	@rm -f hash_burn$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(hash_burn_OBJECTS) $(hash_burn_LDADD) $(LIBS)
+id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) $(EXTRA_id2sql_DEPENDENCIES) 
 	@rm -f id2sql$(EXEEXT)
-	$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
-key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS)
+key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) $(EXTRA_key2keyid_DEPENDENCIES) 
 	@rm -f key2keyid$(EXEEXT)
-	$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
-keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(key2keyid_OBJECTS) $(key2keyid_LDADD) $(LIBS)
+keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) $(EXTRA_keyid2sql_DEPENDENCIES) 
 	@rm -f keyid2sql$(EXEEXT)
-	$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
-oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS)
+malloc_speed$(EXEEXT): $(malloc_speed_OBJECTS) $(malloc_speed_DEPENDENCIES) $(EXTRA_malloc_speed_DEPENDENCIES) 
+	@rm -f malloc_speed$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(malloc_speed_OBJECTS) $(malloc_speed_LDADD) $(LIBS)
+oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) $(EXTRA_oid2der_DEPENDENCIES) 
 	@rm -f oid2der$(EXEEXT)
-	$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
-pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS)
+pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) $(EXTRA_pubkey_speed_DEPENDENCIES) 
 	@rm -f pubkey_speed$(EXEEXT)
-	$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
-thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS)
+thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENCIES) $(EXTRA_thread_analysis_DEPENDENCIES) 
 	@rm -f thread_analysis$(EXEEXT)
-	$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
-tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS)
+tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) $(EXTRA_tls_test_DEPENDENCIES) 
 	@rm -f tls_test$(EXEEXT)
-	$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -428,35 +516,38 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnssec.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash_burn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/malloc_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid2der.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_test.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -560,10 +651,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/scripts/bin2array.c b/scripts/bin2array.c
index 5e0ad7c74..b82391a12 100644
--- a/scripts/bin2array.c
+++ b/scripts/bin2array.c
@@ -1,3 +1,17 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 
diff --git a/scripts/bin2sql.c b/scripts/bin2sql.c
index ce5e600a3..88edb7f7a 100644
--- a/scripts/bin2sql.c
+++ b/scripts/bin2sql.c
@@ -1,3 +1,17 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
index 5c41b191b..8101f9cbd 100644
--- a/scripts/crypt_burn.c
+++ b/scripts/crypt_burn.c
@@ -1,7 +1,20 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 #include <library.h>
-#include <crypto/proposal/proposal_keywords.h>
 
 int main(int argc, char *argv[])
 {
@@ -14,7 +27,7 @@ int main(int argc, char *argv[])
 
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 	atexit(library_deinit);
 
 	printf("loaded: %s\n", PLUGINS);
@@ -33,7 +46,7 @@ int main(int argc, char *argv[])
 		limit = atoi(argv[2]);
 	}
 
-	token = proposal_get_token(argv[1], strlen(argv[1]));
+	token = lib->proposal->get_token(lib->proposal, argv[1]);
 	if (!token)
 	{
 		fprintf(stderr, "algorithm '%s' unknown!\n", argv[1]);
@@ -56,10 +69,14 @@ int main(int argc, char *argv[])
 		}
 		while (TRUE)
 		{
-			aead->encrypt(aead,
+			if (!aead->encrypt(aead,
 				chunk_create(buffer, sizeof(buffer) - aead->get_icv_size(aead)),
 				chunk_from_thing(assoc),
-				chunk_create(iv, aead->get_iv_size(aead)), NULL);
+				chunk_create(iv, aead->get_iv_size(aead)), NULL))
+			{
+				fprintf(stderr, "aead encryption failed!\n");
+				return 1;
+			}
 			if (!aead->decrypt(aead, chunk_create(buffer, sizeof(buffer)),
 				chunk_from_thing(assoc),
 				chunk_create(iv, aead->get_iv_size(aead)), NULL))
@@ -72,6 +89,7 @@ int main(int argc, char *argv[])
 				break;
 			}
 		}
+		aead->destroy(aead);
 	}
 	else
 	{
@@ -84,19 +102,26 @@ int main(int argc, char *argv[])
 		}
 		bs = crypter->get_block_size(crypter);
 
-		while (i--)
+		while (TRUE)
 		{
-			crypter->encrypt(crypter,
-				chunk_create(buffer, sizeof(buffer) / bs * bs),
-				chunk_create(iv, crypter->get_iv_size(crypter)), NULL);
-			crypter->decrypt(crypter,
-				chunk_create(buffer, sizeof(buffer) / bs * bs),
-				chunk_create(iv, crypter->get_iv_size(crypter)), NULL);
+			if (!crypter->encrypt(crypter,
+					chunk_create(buffer, sizeof(buffer) / bs * bs),
+					chunk_create(iv, crypter->get_iv_size(crypter)), NULL))
+			{
+				continue;
+			}
+			if (!crypter->decrypt(crypter,
+					chunk_create(buffer, sizeof(buffer) / bs * bs),
+					chunk_create(iv, crypter->get_iv_size(crypter)), NULL))
+			{
+				continue;
+			}
 			if (limit && ++i == limit)
 			{
 				break;
 			}
 		}
+		crypter->destroy(crypter);
 	}
 	return 0;
 }
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index ce102491b..dc0a2870f 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -1,8 +1,22 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 #include <time.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/diffie_hellman.h>
 
 static void usage()
@@ -105,7 +119,7 @@ int main(int argc, char *argv[])
 	}
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, argv[1]);
+	lib->plugins->load(lib->plugins, argv[1]);
 	atexit(library_deinit);
 
 	rounds = atoi(argv[2]);
diff --git a/scripts/dnssec.c b/scripts/dnssec.c
new file mode 100644
index 000000000..0cddfc47e
--- /dev/null
+++ b/scripts/dnssec.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+/**
+ * Define debug level
+ */
+static level_t dbg_level = 1;
+
+static void dbg_dnssec(debug_t group, level_t level, char *fmt, ...)
+{
+	if ((level <= dbg_level) || level <= 1)
+	{
+		va_list args;
+
+		va_start(args, fmt);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	resolver_t *resolver;
+	resolver_response_t *response;
+	enumerator_t *enumerator;
+	chunk_t rdata;
+	rr_set_t *rrset;
+	rr_t *rr;
+
+	library_init(NULL);
+	atexit(library_deinit);
+
+	dbg = dbg_dnssec;
+
+	if (!lib->plugins->load(lib->plugins, PLUGINS))
+	{
+		return 1;
+	}
+	if (argc != 2)
+	{
+		fprintf(stderr, "usage: dnssec <name>\n");
+		return 1;
+	}
+
+	resolver = lib->resolver->create(lib->resolver);
+	if (!resolver)
+	{
+		printf("failed to create a resolver!\n");
+		return 1;
+	}
+
+	response = resolver->query(resolver, argv[1], RR_CLASS_IN, RR_TYPE_A);
+	if (!response)
+	{
+		printf("no response received!\n");
+		resolver->destroy(resolver);
+		return 1;
+	}
+
+	printf("DNS response:\n");
+	if (!response->has_data(response) || !response->query_name_exist(response))
+	{
+		if (!response->has_data(response))
+		{
+			printf("  no data in the response\n");
+		}
+		if (!response->query_name_exist(response))
+		{
+			printf("  query name does not exist\n");
+		}
+		response->destroy(response);
+		resolver->destroy(resolver);
+		return 1;
+	}
+
+	printf("  RRs in the response:\n");
+	rrset = response->get_rr_set(response);
+	if (!rrset)
+	{
+		printf("    response contains no RRset!\n");
+		response->destroy(response);
+		resolver->destroy(resolver);
+		return 1;
+	}
+
+	enumerator = rrset->create_rr_enumerator(rrset);
+	while (enumerator->enumerate(enumerator, &rr))
+	{
+		printf("    name: %s\n", rr->get_name(rr));
+	}
+
+	enumerator = rrset->create_rrsig_enumerator(rrset);
+	if (enumerator)
+	{
+		printf("  RRSIGs for the RRset:\n");
+		while (enumerator->enumerate(enumerator, &rr))
+		{
+			rdata = rr->get_rdata(rr);
+
+			printf("    name: %s\n", rr->get_name(rr));
+			printf("    RDATA: %#B\n", &rdata);
+		}
+	}
+
+	printf("  security status of the response: ");
+	switch (response->get_security_state(response))
+	{
+		case SECURE:
+			printf("SECURE\n\n");
+			break;
+		case INSECURE:
+			printf("INSECURE\n\n");
+			break;
+		case BOGUS:
+			printf("BOGUS\n\n");
+			break;
+		case INDETERMINATE:
+			printf("INDETERMINATE\n\n");
+			break;
+	}
+	response->destroy(response);
+	resolver->destroy(resolver);
+	return 0;
+}
diff --git a/scripts/fetch.c b/scripts/fetch.c
index ad50d0cd6..f58b37f89 100644
--- a/scripts/fetch.c
+++ b/scripts/fetch.c
@@ -17,7 +17,7 @@
 #include <unistd.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 static int count = 0;
 
@@ -37,7 +37,7 @@ int main(int argc, char *argv[])
 
 	library_init(NULL);
 	atexit(library_deinit);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 
 	if (argc != 3 || (!streq(argv[1], "a") && !streq(argv[1], "s")))
 	{
diff --git a/scripts/hash_burn.c b/scripts/hash_burn.c
new file mode 100644
index 000000000..20e5642d4
--- /dev/null
+++ b/scripts/hash_burn.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <library.h>
+
+
+
+int main(int argc, char *argv[])
+{
+	hash_algorithm_t alg;
+	hasher_t *hasher;
+	char buffer[1024];
+	int limit = 0, i = 0;
+
+	library_init(NULL);
+	lib->plugins->load(lib->plugins, PLUGINS);
+	atexit(library_deinit);
+
+	printf("loaded: %s\n", PLUGINS);
+
+	memset(buffer, 0x12, sizeof(buffer));
+
+	if (argc < 2)
+	{
+		fprintf(stderr, "usage: %s <algorithm>!\n", argv[0]);
+		return 1;
+	}
+	if (argc > 2)
+	{
+		limit = atoi(argv[2]);
+	}
+
+	alg = enum_from_name(hash_algorithm_short_names, argv[1]);
+	if (alg == -1)
+	{
+		fprintf(stderr, "unknown hash algorthm: %s\n", argv[1]);
+		return 1;
+	}
+	hasher = lib->crypto->create_hasher(lib->crypto, alg);
+	if (!hasher)
+	{
+		fprintf(stderr, "hash algorthm not supported: %N\n",
+				hash_algorithm_names, alg);
+		return 1;
+	}
+
+	while (TRUE)
+	{
+		if (!hasher->get_hash(hasher, chunk_from_thing(buffer), buffer))
+		{
+			fprintf(stderr, "hashing failed!\n");
+			return 1;
+		}
+		if (limit && ++i == limit)
+		{
+			break;
+		}
+	}
+	hasher->destroy(hasher);
+	return 0;
+}
diff --git a/scripts/id2sql.c b/scripts/id2sql.c
index 5bc94f5b6..0742c1c71 100644
--- a/scripts/id2sql.c
+++ b/scripts/id2sql.c
@@ -1,3 +1,17 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 #include <utils/identification.h>
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 6a8301c6a..31f3bee82 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -1,7 +1,21 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
 
@@ -17,7 +31,7 @@ int main(int argc, char *argv[])
 	int read;
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 	atexit(library_deinit);
 
 	read = fread(buf, 1, sizeof(buf), stdin);
diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c
index e37303c08..6e9a1334e 100644
--- a/scripts/keyid2sql.c
+++ b/scripts/keyid2sql.c
@@ -1,7 +1,21 @@
+/*
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/keys/public_key.h>
 
@@ -17,7 +31,7 @@ int main(int argc, char *argv[])
 	int read, n;
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 	atexit(library_deinit);
 
 	read = fread(buf, 1, sizeof(buf), stdin);
diff --git a/scripts/malloc_speed.c b/scripts/malloc_speed.c
new file mode 100644
index 000000000..85d51a281
--- /dev/null
+++ b/scripts/malloc_speed.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec aG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <library.h>
+#include <utils/debug.h>
+
+#ifdef HAVE_MALLINFO
+#include <malloc.h>
+#endif /* HAVE_MALLINFO */
+
+static void start_timing(struct timespec *start)
+{
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
+}
+
+static double end_timing(struct timespec *start)
+{
+	struct timespec end;
+
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
+	return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
+			(end.tv_sec - start->tv_sec) * 1.0;
+}
+
+static void print_mallinfo()
+{
+#ifdef HAVE_MALLINFO
+	struct mallinfo mi = mallinfo();
+
+	printf("malloc: sbrk %d, mmap %d, used %d, free %d\n",
+		   mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks);
+#endif /* HAVE_MALLINFO */
+}
+
+#define ALLOCS 1024
+#define ROUNDS 2048
+
+int main(int argc, char *argv[])
+{
+	struct timespec timing;
+	int i, round;
+	void *m[ALLOCS];
+	/* a random set of allocations we test */
+	int sizes[16] = { 1, 13, 100, 1000, 16, 10000, 50, 17,
+					  123, 32, 8, 64, 8096, 1024, 123, 9 };
+
+	library_init(NULL);
+	atexit(library_deinit);
+
+	print_mallinfo();
+
+	start_timing(&timing);
+
+	for (round = 0; round < ROUNDS; round++)
+	{
+		for (i = 0; i < ALLOCS; i++)
+		{
+			m[i] = malloc(sizes[(round + i) % countof(sizes)]);
+		}
+		for (i = 0; i < ALLOCS; i++)
+		{
+			free(m[i]);
+		}
+	}
+	printf("time for %d malloc/frees, repeating %d rounds: %.4fs\n",
+		   ALLOCS, ROUNDS, end_timing(&timing));
+
+	print_mallinfo();
+
+	return 0;
+}
diff --git a/scripts/oid2der.c b/scripts/oid2der.c
index 0da3bbb62..793c9804a 100644
--- a/scripts/oid2der.c
+++ b/scripts/oid2der.c
@@ -1,3 +1,17 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
 
 #include <stdio.h>
 #include <asn1/asn1.h>
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index 6402e606d..ba3ad1f5e 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -2,7 +2,7 @@
 #include <stdio.h>
 #include <time.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 
 void start_timing(struct timespec *start)
@@ -58,7 +58,7 @@ int main(int argc, char *argv[])
 	}
 
 	library_init(NULL);
-	lib->plugins->load(lib->plugins, NULL, argv[1]);
+	lib->plugins->load(lib->plugins, argv[1]);
 	atexit(library_deinit);
 
 	keydata = chunk_create(buf, 0);
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index 560c4a4ba..e1e8ca82b 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -22,9 +22,9 @@
 #include <string.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <tls_socket.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <credentials/sets/mem_cred.h>
 
 /**
@@ -33,15 +33,59 @@
 static void usage(FILE *out, char *cmd)
 {
 	fprintf(out, "usage:\n");
-	fprintf(out, "  %s --connect <address> --port <port> [--cert <file>]+ [--times <n>]\n", cmd);
+	fprintf(out, "  %s --connect <address> --port <port> [--key <key] [--cert <file>]+ [--times <n>]\n", cmd);
 	fprintf(out, "  %s --listen <address> --port <port> --key <key> [--cert <file>]+ [--times <n>]\n", cmd);
 }
 
 /**
+ * Check, as client, if we have a client certificate with private key
+ */
+static identification_t *find_client_id()
+{
+	identification_t *client = NULL, *keyid;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *pubkey;
+	private_key_t *privkey;
+	chunk_t chunk;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		pubkey = cert->get_public_key(cert);
+		if (pubkey)
+		{
+			if (pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &chunk))
+			{
+				keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+				privkey = lib->credmgr->get_private(lib->credmgr,
+									pubkey->get_type(pubkey), keyid, NULL);
+				keyid->destroy(keyid);
+				if (privkey)
+				{
+					client = cert->get_subject(cert);
+					client = client->clone(client);
+					privkey->destroy(privkey);
+				}
+			}
+			pubkey->destroy(pubkey);
+		}
+		if (client)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return client;
+}
+
+/**
  * Client routine
  */
-static int client(host_t *host, identification_t *server,
-				  int times, tls_cache_t *cache)
+static int run_client(host_t *host, identification_t *server,
+					  identification_t *client, int times, tls_cache_t *cache)
 {
 	tls_socket_t *tls;
 	int fd, res;
@@ -61,7 +105,7 @@ static int client(host_t *host, identification_t *server,
 			close(fd);
 			return 1;
 		}
-		tls = tls_socket_create(FALSE, server, NULL, fd, cache);
+		tls = tls_socket_create(FALSE, server, client, fd, cache);
 		if (!tls)
 		{
 			close(fd);
@@ -211,7 +255,7 @@ static void init()
 
 	dbg = dbg_tls;
 
-	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	lib->plugins->load(lib->plugins, PLUGINS);
 
 	creds = mem_cred_create();
 	lib->credmgr->add_set(lib->credmgr, &creds->set);
@@ -224,7 +268,7 @@ int main(int argc, char *argv[])
 	char *address = NULL;
 	bool listen = FALSE;
 	int port = 0, times = -1, res;
-	identification_t *server;
+	identification_t *server, *client;
 	tls_cache_t *cache;
 	host_t *host;
 
@@ -307,11 +351,12 @@ int main(int argc, char *argv[])
 	}
 	else
 	{
-		res = client(host, server, times, cache);
+		client = find_client_id();
+		res = run_client(host, server, client, times, cache);
+		DESTROY_IF(client);
 	}
 	cache->destroy(cache);
 	host->destroy(host);
 	server->destroy(server);
 	return res;
 }
-
diff --git a/src/Makefile.am b/src/Makefile.am
index 1440de20f..47299b03c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,6 +8,10 @@ if USE_LIBHYDRA
   SUBDIRS += libhydra
 endif
 
+if USE_LIBIPSEC
+  SUBDIRS += libipsec
+endif
+
 if USE_SIMAKA
   SUBDIRS += libsimaka
 endif
@@ -28,6 +32,10 @@ if USE_LIBTNCCS
   SUBDIRS += libtnccs
 endif
 
+if USE_LIBPTTLS
+  SUBDIRS += libpttls
+endif
+
 if USE_IMCV
   SUBDIRS += libimcv
 endif
@@ -41,21 +49,21 @@ if USE_LIBCHARON
 endif
 
 if USE_FILE_CONFIG
-  SUBDIRS += libfreeswan starter
+  SUBDIRS += starter
 endif
 
 if USE_IPSEC_SCRIPT
   SUBDIRS += ipsec _copyright
 endif
 
-if USE_PLUTO
-  SUBDIRS += pluto whack
-endif
-
 if USE_CHARON
   SUBDIRS += charon
 endif
 
+if USE_NM
+  SUBDIRS += charon-nm
+endif
+
 if USE_STROKE
   SUBDIRS += stroke
 endif
@@ -65,7 +73,7 @@ if USE_UPDOWN
 endif
 
 if USE_TOOLS
-  SUBDIRS += libfreeswan openac scepclient pki
+  SUBDIRS += openac scepclient pki
 endif
 
 if USE_CONFTEST
@@ -92,6 +100,14 @@ if USE_INTEGRITY_TEST
   SUBDIRS += checksum
 endif
 
+if USE_TKM
+  SUBDIRS += charon-tkm
+endif
+
+if USE_CMD
+  SUBDIRS += charon-cmd
+endif
+
 EXTRA_DIST = strongswan.conf
 
 install-exec-local :
diff --git a/src/Makefile.in b/src/Makefile.in
index caa0c5bb9..00055e34b 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -35,27 +52,31 @@ build_triplet = @build@
 host_triplet = @host@
 @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
 @USE_LIBHYDRA_TRUE@am__append_2 = libhydra
-@USE_SIMAKA_TRUE@am__append_3 = libsimaka
-@USE_TLS_TRUE@am__append_4 = libtls
-@USE_RADIUS_TRUE@am__append_5 = libradius
-@USE_LIBTNCIF_TRUE@am__append_6 = libtncif
-@USE_LIBTNCCS_TRUE@am__append_7 = libtnccs
-@USE_IMCV_TRUE@am__append_8 = libimcv
-@USE_PTS_TRUE@am__append_9 = libpts
-@USE_LIBCHARON_TRUE@am__append_10 = libcharon
-@USE_FILE_CONFIG_TRUE@am__append_11 = libfreeswan starter
-@USE_IPSEC_SCRIPT_TRUE@am__append_12 = ipsec _copyright
-@USE_PLUTO_TRUE@am__append_13 = pluto whack
-@USE_CHARON_TRUE@am__append_14 = charon
-@USE_STROKE_TRUE@am__append_15 = stroke
-@USE_UPDOWN_TRUE@am__append_16 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_17 = libfreeswan openac scepclient pki
-@USE_CONFTEST_TRUE@am__append_18 = conftest
-@USE_DUMM_TRUE@am__append_19 = dumm
-@USE_FAST_TRUE@am__append_20 = libfast
-@USE_MANAGER_TRUE@am__append_21 = manager
-@USE_MEDSRV_TRUE@am__append_22 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_23 = checksum
+@USE_LIBIPSEC_TRUE@am__append_3 = libipsec
+@USE_SIMAKA_TRUE@am__append_4 = libsimaka
+@USE_TLS_TRUE@am__append_5 = libtls
+@USE_RADIUS_TRUE@am__append_6 = libradius
+@USE_LIBTNCIF_TRUE@am__append_7 = libtncif
+@USE_LIBTNCCS_TRUE@am__append_8 = libtnccs
+@USE_LIBPTTLS_TRUE@am__append_9 = libpttls
+@USE_IMCV_TRUE@am__append_10 = libimcv
+@USE_PTS_TRUE@am__append_11 = libpts
+@USE_LIBCHARON_TRUE@am__append_12 = libcharon
+@USE_FILE_CONFIG_TRUE@am__append_13 = starter
+@USE_IPSEC_SCRIPT_TRUE@am__append_14 = ipsec _copyright
+@USE_CHARON_TRUE@am__append_15 = charon
+@USE_NM_TRUE@am__append_16 = charon-nm
+@USE_STROKE_TRUE@am__append_17 = stroke
+@USE_UPDOWN_TRUE@am__append_18 = _updown _updown_espmark
+@USE_TOOLS_TRUE@am__append_19 = openac scepclient pki
+@USE_CONFTEST_TRUE@am__append_20 = conftest
+@USE_DUMM_TRUE@am__append_21 = dumm
+@USE_FAST_TRUE@am__append_22 = libfast
+@USE_MANAGER_TRUE@am__append_23 = manager
+@USE_MEDSRV_TRUE@am__append_24 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_25 = checksum
+@USE_TKM_TRUE@am__append_26 = charon-tkm
+@USE_CMD_TRUE@am__append_27 = charon-cmd
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -67,12 +88,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -82,6 +110,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -89,11 +122,11 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \
-	libradius libtncif libtnccs libimcv libpts libcharon \
-	libfreeswan starter ipsec _copyright pluto whack charon stroke \
+DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
+	libtls libradius libtncif libtnccs libpttls libimcv libpts \
+	libcharon starter ipsec _copyright charon charon-nm stroke \
 	_updown _updown_espmark openac scepclient pki conftest dumm \
-	libfast manager medsrv checksum
+	libfast manager medsrv checksum charon-tkm charon-cmd
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -123,21 +156,28 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -146,13 +186,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -165,6 +208,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -192,11 +236,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -204,6 +250,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -212,8 +259,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -222,14 +267,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -243,17 +293,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -263,16 +313,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -307,7 +356,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_13) $(am__append_14) $(am__append_15) \
 	$(am__append_16) $(am__append_17) $(am__append_18) \
 	$(am__append_19) $(am__append_20) $(am__append_21) \
-	$(am__append_22) $(am__append_23)
+	$(am__append_22) $(am__append_23) $(am__append_24) \
+	$(am__append_25) $(am__append_26) $(am__append_27)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
@@ -516,13 +566,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -557,10 +604,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am
index 405e08b3d..62baf94da 100644
--- a/src/_copyright/Makefile.am
+++ b/src/_copyright/Makefile.am
@@ -1,8 +1,7 @@
 ipsec_PROGRAMS = _copyright
 _copyright_SOURCES = _copyright.c
 
-INCLUDES = \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
+_copyright_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index ae15d3cde..2a0d6779d 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
@@ -57,44 +75,71 @@ PROGRAMS = $(ipsec_PROGRAMS)
 am__copyright_OBJECTS = _copyright.$(OBJEXT)
 _copyright_OBJECTS = $(am__copyright_OBJECTS)
 _copyright_DEPENDENCIES =  \
-	$(top_builddir)/src/libfreeswan/libfreeswan.a \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(_copyright_SOURCES)
 DIST_SOURCES = $(_copyright_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -103,13 +148,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -122,6 +170,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -149,11 +198,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -161,6 +212,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -169,8 +221,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -179,14 +229,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -200,17 +255,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -220,16 +275,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -258,11 +312,10 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 _copyright_SOURCES = _copyright.c
-INCLUDES = \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
+_copyright_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -299,8 +352,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -340,9 +396,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-_copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES) 
+_copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES) $(EXTRA__copyright_DEPENDENCIES) 
 	@rm -f _copyright$(EXEEXT)
-	$(LINK) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -353,25 +409,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/_copyright.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -478,10 +534,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index 072998345..b20b17256 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -21,9 +21,41 @@
 #include <unistd.h>
 #include <getopt.h>
 
-#include <freeswan.h>
 #include <library.h>
 
+static const char *copyright[] = {
+	"Copyright (C) 1999-2012",
+	"    Henry Spencer, D. Hugh Redelmeier, Michael Richardson, Ken Bantoft,",
+	"    Stephen J. Bevan, JuanJo Ciarlante, Thomas Egerer, Heiko Hund,",
+	"    Mathieu Lafon, Stephane Laroche, Kai Martius, Stephan Scholz,",
+	"    Tuomo Soini, Herbert Xu.",
+	"",
+	"    Martin Berner, Marco Bertossa, David Buechi, Ueli Galizzi,",
+	"    Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,",
+	"    Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,",
+	"    Roger Wegmann, Simon Zwahlen,",
+	"    ZHW Zuercher Hochschule Winterthur (Switzerland).",
+	"",
+	"    Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,",
+	"    Andreas Eigenmann, Giuliano Grassi, Reto Guadagnini, Fabian Hartmann,",
+	"    Noah Heusser, Jan Hutter, Thomas Kallenberg, Daniel Roethlisberger,",
+	"    Ralf Sager, Joel Stillhart, Daniel Wydler, Andreas Steffen,",
+	"    HSR Hochschule fuer Technik Rapperswil (Switzerland).",
+	"",
+	"    Martin Willi (revosec AG), Clavister (Sweden).",
+	"",
+	"This program is free software; you can redistribute it and/or modify it",
+	"under the terms of the GNU General Public License as published by the",
+	"Free Software Foundation; either version 2 of the License, or (at your",
+	"option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.",
+	"",
+	"This program is distributed in the hope that it will be useful, but",
+	"WITHOUT ANY WARRANTY; without even the implied warranty of",
+	"MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General",
+	"Public License (file COPYING in the distribution) for more details.",
+	NULL,
+};
+
 char usage[] = "Usage: ipsec _copyright";
 struct option opts[] = {
   {"help",	0,	NULL,	'h',},
@@ -39,7 +71,7 @@ main(int argc, char *argv[])
 	int opt;
 	extern int optind;
 	int errflg = 0;
-	const char **notice = ipsec_copyright_notice();
+	const char **notice = copyright;
 	const char **co;
 
 	library_init(NULL);
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am
index 116322e1e..b6a81f547 100644
--- a/src/_updown/Makefile.am
+++ b/src/_updown/Makefile.am
@@ -4,6 +4,7 @@ dist_man8_MANS = _updown.8
 EXTRA_DIST = _updown.in
 
 _updown : _updown.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:\@sbindir\@:$(sbindir):" \
 	-e "s:\@routing_table\@:$(routing_table):" \
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index a406d79ac..9a9e66f88 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -73,10 +91,27 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(ipsec_SCRIPTS)
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man8_MANS)
@@ -84,21 +119,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -107,13 +149,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -126,6 +171,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -153,11 +199,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -165,6 +213,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -173,8 +222,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -183,14 +230,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -204,17 +256,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -224,16 +276,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -300,8 +351,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecSCRIPTS: $(ipsec_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
@@ -329,9 +383,7 @@ uninstall-ipsecSCRIPTS:
 	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	       sed -e 's,.*/,,;$(transform)'`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+	dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -340,9 +392,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
@@ -369,9 +430,7 @@ uninstall-man8:
 	files=`{ for i in $$list; do echo "$$i"; done; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -439,10 +498,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -540,6 +604,7 @@ uninstall-man: uninstall-man8
 
 
 _updown : _updown.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:\@sbindir\@:$(sbindir):" \
 	-e "s:\@routing_table\@:$(routing_table):" \
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 2c742c010..7320a80fb 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -51,6 +51,9 @@
 #       PLUTO_REQID
 #              is the requid of the ESP policy
 #
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
 #       PLUTO_ME
 #              is the IP address of our host.
 #
@@ -73,8 +76,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,6 +135,12 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 3ae236a90..1b1458d3f 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -73,10 +91,27 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(dist_ipsec_SCRIPTS)
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man8_MANS)
@@ -84,21 +119,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -107,13 +149,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -126,6 +171,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -153,11 +199,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -165,6 +213,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -173,8 +222,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -183,14 +230,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -204,17 +256,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -224,16 +276,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -298,8 +349,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
@@ -327,9 +381,7 @@ uninstall-dist_ipsecSCRIPTS:
 	@list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	       sed -e 's,.*/,,;$(transform)'`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+	dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -338,9 +390,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
@@ -367,9 +428,7 @@ uninstall-man8:
 	files=`{ for i in $$list; do echo "$$i"; done; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -437,10 +496,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/charon-cmd/Makefile.am b/src/charon-cmd/Makefile.am
new file mode 100644
index 000000000..9ed82be5e
--- /dev/null
+++ b/src/charon-cmd/Makefile.am
@@ -0,0 +1,32 @@
+sbin_PROGRAMS = charon-cmd
+CLEANFILES = charon-cmd.8
+dist_man8_MANS = charon-cmd.8
+EXTRA_DIST = charon-cmd.8.in
+
+charon_cmd_SOURCES = \
+	cmd/cmd_options.h cmd/cmd_options.c \
+	cmd/cmd_connection.h cmd/cmd_connection.c \
+	cmd/cmd_creds.h cmd/cmd_creds.c \
+	charon-cmd.c
+
+charon-cmd.o :	$(top_builddir)/config.status
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${cmd_plugins}\""
+
+charon_cmd_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
+
+charon-cmd.8 : charon-cmd.8.in
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
new file mode 100644
index 000000000..aa18e05c7
--- /dev/null
+++ b/src/charon-cmd/Makefile.in
@@ -0,0 +1,812 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+sbin_PROGRAMS = charon-cmd$(EXEEXT)
+subdir = src/charon-cmd
+DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
+PROGRAMS = $(sbin_PROGRAMS)
+am_charon_cmd_OBJECTS = cmd_options.$(OBJEXT) cmd_connection.$(OBJEXT) \
+	cmd_creds.$(OBJEXT) charon-cmd.$(OBJEXT)
+charon_cmd_OBJECTS = $(am_charon_cmd_OBJECTS)
+am__DEPENDENCIES_1 =
+charon_cmd_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(charon_cmd_SOURCES)
+DIST_SOURCES = $(charon_cmd_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man8_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+CLEANFILES = charon-cmd.8
+dist_man8_MANS = charon-cmd.8
+EXTRA_DIST = charon-cmd.8.in
+charon_cmd_SOURCES = \
+	cmd/cmd_options.h cmd/cmd_options.c \
+	cmd/cmd_connection.h cmd/cmd_connection.c \
+	cmd/cmd_creds.h cmd/cmd_creds.c \
+	charon-cmd.c
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${cmd_plugins}\""
+
+charon_cmd_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB)
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon-cmd/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon-cmd/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(sbindir)" && rm -f $$files
+
+clean-sbinPROGRAMS:
+	@list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+charon-cmd$(EXEEXT): $(charon_cmd_OBJECTS) $(charon_cmd_DEPENDENCIES) $(EXTRA_charon_cmd_DEPENDENCIES) 
+	@rm -f charon-cmd$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(charon_cmd_OBJECTS) $(charon_cmd_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/charon-cmd.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmd_connection.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmd_creds.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmd_options.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+cmd_options.o: cmd/cmd_options.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_options.o -MD -MP -MF $(DEPDIR)/cmd_options.Tpo -c -o cmd_options.o `test -f 'cmd/cmd_options.c' || echo '$(srcdir)/'`cmd/cmd_options.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_options.Tpo $(DEPDIR)/cmd_options.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_options.c' object='cmd_options.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_options.o `test -f 'cmd/cmd_options.c' || echo '$(srcdir)/'`cmd/cmd_options.c
+
+cmd_options.obj: cmd/cmd_options.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_options.obj -MD -MP -MF $(DEPDIR)/cmd_options.Tpo -c -o cmd_options.obj `if test -f 'cmd/cmd_options.c'; then $(CYGPATH_W) 'cmd/cmd_options.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_options.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_options.Tpo $(DEPDIR)/cmd_options.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_options.c' object='cmd_options.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_options.obj `if test -f 'cmd/cmd_options.c'; then $(CYGPATH_W) 'cmd/cmd_options.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_options.c'; fi`
+
+cmd_connection.o: cmd/cmd_connection.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_connection.o -MD -MP -MF $(DEPDIR)/cmd_connection.Tpo -c -o cmd_connection.o `test -f 'cmd/cmd_connection.c' || echo '$(srcdir)/'`cmd/cmd_connection.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_connection.Tpo $(DEPDIR)/cmd_connection.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_connection.c' object='cmd_connection.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_connection.o `test -f 'cmd/cmd_connection.c' || echo '$(srcdir)/'`cmd/cmd_connection.c
+
+cmd_connection.obj: cmd/cmd_connection.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_connection.obj -MD -MP -MF $(DEPDIR)/cmd_connection.Tpo -c -o cmd_connection.obj `if test -f 'cmd/cmd_connection.c'; then $(CYGPATH_W) 'cmd/cmd_connection.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_connection.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_connection.Tpo $(DEPDIR)/cmd_connection.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_connection.c' object='cmd_connection.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_connection.obj `if test -f 'cmd/cmd_connection.c'; then $(CYGPATH_W) 'cmd/cmd_connection.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_connection.c'; fi`
+
+cmd_creds.o: cmd/cmd_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_creds.o -MD -MP -MF $(DEPDIR)/cmd_creds.Tpo -c -o cmd_creds.o `test -f 'cmd/cmd_creds.c' || echo '$(srcdir)/'`cmd/cmd_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_creds.Tpo $(DEPDIR)/cmd_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_creds.c' object='cmd_creds.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_creds.o `test -f 'cmd/cmd_creds.c' || echo '$(srcdir)/'`cmd/cmd_creds.c
+
+cmd_creds.obj: cmd/cmd_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cmd_creds.obj -MD -MP -MF $(DEPDIR)/cmd_creds.Tpo -c -o cmd_creds.obj `if test -f 'cmd/cmd_creds.c'; then $(CYGPATH_W) 'cmd/cmd_creds.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_creds.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cmd_creds.Tpo $(DEPDIR)/cmd_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='cmd/cmd_creds.c' object='cmd_creds.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cmd_creds.obj `if test -f 'cmd/cmd_creds.c'; then $(CYGPATH_W) 'cmd/cmd_creds.c'; else $(CYGPATH_W) '$(srcdir)/cmd/cmd_creds.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man8: $(dist_man8_MANS)
+	@$(NORMAL_INSTALL)
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+	  fi; \
+	done; \
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+	done; }
+
+uninstall-man8:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+	for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-sbinPROGRAMS
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man: install-man8
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man uninstall-sbinPROGRAMS
+
+uninstall-man: uninstall-man8
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-sbinPROGRAMS ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-man8 install-pdf install-pdf-am install-ps \
+	install-ps-am install-sbinPROGRAMS install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-man uninstall-man8 \
+	uninstall-sbinPROGRAMS
+
+
+charon-cmd.o :	$(top_builddir)/config.status
+
+charon-cmd.8 : charon-cmd.8.in
+	$(AM_V_GEN) \
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon-cmd/charon-cmd.8 b/src/charon-cmd/charon-cmd.8
new file mode 100644
index 000000000..e93cbcf6f
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.8
@@ -0,0 +1,161 @@
+.TH CHARON\-CMD 8 "2013-06-21" "5.1.0" "strongSwan"
+.SH "NAME"
+charon\-cmd \- Simple IKE client (IPsec VPN client)
+.SH SYNOPSIS
+.B charon\-cmd
+.B \-\-host
+.I hostname
+.B \-\-identity
+.I identity
+.B [ options ]
+.PP
+.SH "DESCRIPTION"
+.B charon\-cmd
+is a program for setting up IPsec VPN connections using the Internet Key
+Exchange protocol (IKE) in version 1 and 2.  It supports a number of different
+road-warrior scenarios.
+.PP
+Like the IKE daemon
+.BR charon ,
+.B charon\-cmd
+has to be run as
+.B root
+(or more specifically as a user with
+.B CAP_NET_ADMIN
+capability).
+.PP
+Of the following options at least
+.I \-\-host
+and
+.I \-\-identity
+are required. Depending on the selected authentication
+.I profile
+credentials also have to be provided with their respective options.
+.PP
+Many of the
+.BR charon -specific
+configuration options in
+.I strongswan.conf
+also apply to
+.BR charon\-cmd .
+For instance, to configure customized logging to
+.B stdout
+the following snippet can be used:
+.PP
+.EX
+	charon-cmd {
+		filelog {
+			stdout {
+				default = 1
+				ike = 2
+				cfg = 2
+			}
+		}
+	}
+.EE
+.PP
+.SH "OPTIONS"
+.TP
+.B "\-\-help"
+Prints usage information and a short summary of the available options.
+.TP
+.B "\-\-version"
+Prints the strongSwan version.
+.TP
+.BI "\-\-debug " level
+Sets the default log level (defaults to 1).
+.I level
+is a number between -1 and 4.
+Refer to
+.I strongswan.conf
+for options that allow a more fine-grained configuration of the logging
+output.
+.TP
+.BI "\-\-host " hostname
+DNS name or IP address to connect to.
+.TP
+.BI "\-\-identity " identity
+Identity the client uses for the IKE exchange.
+.TP
+.BI "\-\-eap\-identity " identity
+Identity the client uses for EAP authentication.
+.TP
+.BI "\-\-xauth\-username " username
+Username the client uses for XAuth authentication.
+.TP
+.BI "\-\-remote\-identity " identity
+Server identity to expect, defaults to
+.IR hostname .
+.TP
+.BI "\-\-cert " path
+Trusted certificate, either for authentication or trust chain validation.
+To provide more than one certificate multiple
+.B \-\-cert
+options can be used.
+.TP
+.BI "\-\-rsa " path
+RSA private key to use for authentication (if a password is required, it will
+be requested on demand).
+.TP
+.BI "\-\-p12 " path
+PKCS#12 file with private key and certificates to use for authentication and
+trust chain validation (if a password is required it will be requested on
+demand).
+.TP
+.RI "\fB\-\-agent\fR[=" socket ]
+Use SSH agent for authentication. If
+.I socket
+is not specified it is read from the
+.B SSH_AUTH_SOCK
+environment variable.
+.TP
+.BI "\-\-local\-ts " subnet
+Additional traffic selector to propose for our side, the requested virtual IP
+address will always be proposed.
+.TP
+.BI "\-\-remote\-ts " subnet
+Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
+.TP
+.BI "\-\-profile " name
+Authentication profile to use, the list of supported profiles can be found
+in the
+.B Authentication Profiles
+sections below. Defaults to
+.B ikev2\-pub
+if a private key was supplied, and to
+.B ikev2\-eap
+otherwise.
+.PP
+.SS "IKEv2 Authentication Profiles"
+.TP
+.B "ikev2\-pub"
+IKEv2 with public key client and server authentication
+.TP
+.B "ikev2\-eap"
+IKEv2 with EAP client authentication and public key server authentication
+.TP
+.B "ikev2\-pub\-eap"
+IKEv2 with public key and EAP client authentication (RFC 4739) and public key
+server authentication
+.PP
+.SS "IKEv1 Authentication Profiles"
+The following authentication profiles use either Main Mode or Aggressive Mode,
+the latter is denoted with a \fB\-am\fR suffix.
+.TP
+.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
+IKEv1 with public key client and server authentication
+.TP
+.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
+IKEv1 with public key client and server authentication, followed by client XAuth
+authentication
+.TP
+.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
+IKEv1 with pre-shared key (PSK) client and server authentication, followed by
+client XAuth authentication (INSECURE!)
+.TP
+.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
+IKEv1 with public key server authentication only, followed by client XAuth
+authentication
+.PP
+.SH "SEE ALSO"
+\fBstrongswan.conf\fR(5), \fBipsec\fR(8)
diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in
new file mode 100644
index 000000000..c9d52c92f
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.8.in
@@ -0,0 +1,161 @@
+.TH CHARON\-CMD 8 "2013-06-21" "@IPSEC_VERSION@" "strongSwan"
+.SH "NAME"
+charon\-cmd \- Simple IKE client (IPsec VPN client)
+.SH SYNOPSIS
+.B charon\-cmd
+.B \-\-host
+.I hostname
+.B \-\-identity
+.I identity
+.B [ options ]
+.PP
+.SH "DESCRIPTION"
+.B charon\-cmd
+is a program for setting up IPsec VPN connections using the Internet Key
+Exchange protocol (IKE) in version 1 and 2.  It supports a number of different
+road-warrior scenarios.
+.PP
+Like the IKE daemon
+.BR charon ,
+.B charon\-cmd
+has to be run as
+.B root
+(or more specifically as a user with
+.B CAP_NET_ADMIN
+capability).
+.PP
+Of the following options at least
+.I \-\-host
+and
+.I \-\-identity
+are required. Depending on the selected authentication
+.I profile
+credentials also have to be provided with their respective options.
+.PP
+Many of the
+.BR charon -specific
+configuration options in
+.I strongswan.conf
+also apply to
+.BR charon\-cmd .
+For instance, to configure customized logging to
+.B stdout
+the following snippet can be used:
+.PP
+.EX
+	charon-cmd {
+		filelog {
+			stdout {
+				default = 1
+				ike = 2
+				cfg = 2
+			}
+		}
+	}
+.EE
+.PP
+.SH "OPTIONS"
+.TP
+.B "\-\-help"
+Prints usage information and a short summary of the available options.
+.TP
+.B "\-\-version"
+Prints the strongSwan version.
+.TP
+.BI "\-\-debug " level
+Sets the default log level (defaults to 1).
+.I level
+is a number between -1 and 4.
+Refer to
+.I strongswan.conf
+for options that allow a more fine-grained configuration of the logging
+output.
+.TP
+.BI "\-\-host " hostname
+DNS name or IP address to connect to.
+.TP
+.BI "\-\-identity " identity
+Identity the client uses for the IKE exchange.
+.TP
+.BI "\-\-eap\-identity " identity
+Identity the client uses for EAP authentication.
+.TP
+.BI "\-\-xauth\-username " username
+Username the client uses for XAuth authentication.
+.TP
+.BI "\-\-remote\-identity " identity
+Server identity to expect, defaults to
+.IR hostname .
+.TP
+.BI "\-\-cert " path
+Trusted certificate, either for authentication or trust chain validation.
+To provide more than one certificate multiple
+.B \-\-cert
+options can be used.
+.TP
+.BI "\-\-rsa " path
+RSA private key to use for authentication (if a password is required, it will
+be requested on demand).
+.TP
+.BI "\-\-p12 " path
+PKCS#12 file with private key and certificates to use for authentication and
+trust chain validation (if a password is required it will be requested on
+demand).
+.TP
+.RI "\fB\-\-agent\fR[=" socket ]
+Use SSH agent for authentication. If
+.I socket
+is not specified it is read from the
+.B SSH_AUTH_SOCK
+environment variable.
+.TP
+.BI "\-\-local\-ts " subnet
+Additional traffic selector to propose for our side, the requested virtual IP
+address will always be proposed.
+.TP
+.BI "\-\-remote\-ts " subnet
+Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
+.TP
+.BI "\-\-profile " name
+Authentication profile to use, the list of supported profiles can be found
+in the
+.B Authentication Profiles
+sections below. Defaults to
+.B ikev2\-pub
+if a private key was supplied, and to
+.B ikev2\-eap
+otherwise.
+.PP
+.SS "IKEv2 Authentication Profiles"
+.TP
+.B "ikev2\-pub"
+IKEv2 with public key client and server authentication
+.TP
+.B "ikev2\-eap"
+IKEv2 with EAP client authentication and public key server authentication
+.TP
+.B "ikev2\-pub\-eap"
+IKEv2 with public key and EAP client authentication (RFC 4739) and public key
+server authentication
+.PP
+.SS "IKEv1 Authentication Profiles"
+The following authentication profiles use either Main Mode or Aggressive Mode,
+the latter is denoted with a \fB\-am\fR suffix.
+.TP
+.BR "ikev1\-pub" ", " "ikev1\-pub\-am"
+IKEv1 with public key client and server authentication
+.TP
+.BR "ikev1\-xauth" ", " "ikev1\-xauth\-am"
+IKEv1 with public key client and server authentication, followed by client XAuth
+authentication
+.TP
+.BR "ikev1\-xauth\-psk" ", " "ikev1\-xauth\-psk\-am"
+IKEv1 with pre-shared key (PSK) client and server authentication, followed by
+client XAuth authentication (INSECURE!)
+.TP
+.BR "ikev1\-hybrid" ", " "ikev1\-hybrid\-am"
+IKEv1 with public key server authentication only, followed by client XAuth
+authentication
+.PP
+.SH "SEE ALSO"
+\fBstrongswan.conf\fR(5), \fBipsec\fR(8)
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
new file mode 100644
index 000000000..5f4787b58
--- /dev/null
+++ b/src/charon-cmd/charon-cmd.c
@@ -0,0 +1,404 @@
+/*
+ * Copyright (C) 2006-2013 Tobias Brunner
+ * Copyright (C) 2005-2013 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
+#include <signal.h>
+#undef _POSIX_PTHREAD_SEMANTICS
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+#include <unistd.h>
+#include <getopt.h>
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+
+#include "cmd/cmd_options.h"
+#include "cmd/cmd_connection.h"
+#include "cmd/cmd_creds.h"
+
+/**
+ * Default loglevel
+ */
+static level_t default_loglevel = LEVEL_CTRL;
+
+/**
+ * Loglevel configuration
+ */
+static level_t levels[DBG_MAX];
+
+/**
+ * Connection to initiate
+ */
+static cmd_connection_t *conn;
+
+/**
+ * Credential backend
+ */
+static cmd_creds_t *creds;
+
+/**
+ * hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Logging hook for library logs, using stderr output
+ */
+static void dbg_stderr(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	if (level <= default_loglevel)
+	{
+		va_start(args, fmt);
+		fprintf(stderr, "00[%N] ", debug_names, group);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
+}
+
+/**
+ * Clean up connection definition atexit()
+ */
+static void cleanup_conn()
+{
+	DESTROY_IF(conn);
+}
+
+/**
+ * Clean up credentials atexit()
+ */
+static void cleanup_creds()
+{
+	DESTROY_IF(creds);
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static int run()
+{
+	sigset_t set;
+
+	/* handle SIGINT, SIGHUP and SIGTERM in this handler */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGHUP);
+	sigaddset(&set, SIGTERM);
+	sigaddset(&set, SIGUSR1);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	while (TRUE)
+	{
+		int sig;
+		int error;
+
+		error = sigwait(&set, &sig);
+		if (error)
+		{
+			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			return 1;
+		}
+		switch (sig)
+		{
+			case SIGHUP:
+			{
+				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
+					 "configuration");
+				if (lib->settings->load_files(lib->settings, NULL, FALSE))
+				{
+					charon->load_loggers(charon, levels, TRUE);
+					lib->plugins->reload(lib->plugins, NULL);
+				}
+				else
+				{
+					DBG1(DBG_DMN, "reloading config failed, keeping old");
+				}
+				break;
+			}
+			case SIGINT:
+			{
+				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return 0;
+			}
+			case SIGTERM:
+			{
+				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return 0;
+			}
+			case SIGUSR1:
+			{	/* an error occurred */
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return 1;
+			}
+			default:
+			{
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+				break;
+			}
+		}
+	}
+}
+
+/**
+ * lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+#ifdef IPSEC_USER
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+	{
+		return FALSE;
+	}
+#endif
+#ifdef IPSEC_GROUP
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+	{
+		return FALSE;
+	}
+#endif
+	return TRUE;
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr, TRUE);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
+	abort();
+}
+
+/**
+ * Print command line usage and exit
+ */
+static void usage(FILE *out, char *msg, char *binary)
+{
+	static const int padto = 18;
+	char cmd[64], *pre, *post;
+	int i, line, pad;
+
+	if (msg)
+	{
+		fprintf(out, "%s\n", msg);
+	}
+	fprintf(out, "Usage: %s\n", binary);
+	for (i = 0; i < CMD_OPT_COUNT; i++)
+	{
+		switch (cmd_options[i].has_arg)
+		{
+			case required_argument:
+				pre = " <";
+				post = ">";
+				break;
+			case optional_argument:
+				pre = "[=";
+				post = "]";
+				break;
+			case no_argument:
+			default:
+				pre = "  ";
+				post = " ";
+				break;
+		}
+		snprintf(cmd, sizeof(cmd), "  --%s%s%s%s", cmd_options[i].name,
+				 pre, cmd_options[i].arg, post);
+		pad = padto - strlen(cmd);
+		if (pad >= 1)
+		{
+			fprintf(out, "%s%-*s%s\n", cmd, pad, "", cmd_options[i].desc);
+		}
+		else
+		{	/* write description to a separate line */
+			fprintf(out, "%s\n%-*s%s\n", cmd, padto, "", cmd_options[i].desc);
+		}
+		for (line = 0; line < countof(cmd_options[i].lines); line++)
+		{
+			if (cmd_options[i].lines[line])
+			{
+				fprintf(out, "%-*s%s\n", padto, "", cmd_options[i].lines[line]);
+			}
+		}
+	}
+}
+
+/**
+ * Handle command line options, if simple is TRUE only arguments like --help
+ * and --version are handled.
+ */
+static void handle_arguments(int argc, char *argv[], bool simple)
+{
+	struct option long_opts[CMD_OPT_COUNT + 1] = {};
+	int i, opt;
+
+	for (i = 0; i < CMD_OPT_COUNT; i++)
+	{
+		long_opts[i].name = cmd_options[i].name;
+		long_opts[i].val = cmd_options[i].id;
+		long_opts[i].has_arg = cmd_options[i].has_arg;
+	}
+	/* reset option parser */
+	optind = 1;
+	while (TRUE)
+	{
+		bool handled = FALSE;
+
+		opt = getopt_long(argc, argv, "", long_opts, NULL);
+		switch (opt)
+		{
+			case EOF:
+				break;
+			case CMD_OPT_HELP:
+				usage(stdout, NULL, argv[0]);
+				exit(0);
+			case CMD_OPT_VERSION:
+				printf("%s, strongSwan %s\n", "charon-cmd", VERSION);
+				exit(0);
+			case CMD_OPT_DEBUG:
+				default_loglevel = atoi(optarg);
+				continue;
+			default:
+				if (simple)
+				{
+					continue;
+				}
+				handled |= conn->handle(conn, opt, optarg);
+				handled |= creds->handle(creds, opt, optarg);
+				if (handled)
+				{
+					continue;
+				}
+				/* fall-through */
+			case '?':
+				/* missing argument, unrecognized option */
+				usage(stderr, NULL, argv[0]);
+				exit(1);
+		}
+		break;
+	}
+}
+
+/**
+ * Main function, starts the daemon.
+ */
+int main(int argc, char *argv[])
+{
+	struct sigaction action;
+	struct utsname utsname;
+	int group;
+
+	/* handle simple arguments */
+	handle_arguments(argc, argv, TRUE);
+
+	dbg = dbg_stderr;
+	atexit(library_deinit);
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity)
+	{
+		if (!lib->integrity->check_file(lib->integrity, "charon-cmd", argv[0]))
+		{
+			exit(SS_RC_DAEMON_INTEGRITY);
+		}
+	}
+	atexit(libhydra_deinit);
+	if (!libhydra_init("charon-cmd"))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	atexit(libcharon_deinit);
+	if (!libcharon_init("charon-cmd"))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		levels[group] = default_loglevel;
+	}
+	charon->load_loggers(charon, levels, TRUE);
+
+	if (!lookup_uid_gid())
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	lib->settings->set_default_str(lib->settings, "charon-cmd.port", "0");
+	lib->settings->set_default_str(lib->settings, "charon-cmd.port_nat_t", "0");
+	if (!charon->initialize(charon,
+			lib->settings->get_str(lib->settings, "charon-cmd.load", PLUGINS)))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	if (!lib->caps->drop(lib->caps))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	conn = cmd_connection_create();
+	atexit(cleanup_conn);
+	creds = cmd_creds_create();
+	atexit(cleanup_creds);
+
+	/* handle all arguments */
+	handle_arguments(argc, argv, FALSE);
+
+	if (uname(&utsname) != 0)
+	{
+		memset(&utsname, 0, sizeof(utsname));
+	}
+	DBG1(DBG_DMN, "Starting charon-cmd IKE client (strongSwan %s, %s %s, %s)",
+		 VERSION, utsname.sysname, utsname.release, utsname.machine);
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	/* add handler for SEGV and ILL,
+	 * INT, TERM and HUP are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaddset(&action.sa_mask, SIGHUP);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* start daemon with thread-pool */
+	charon->start(charon);
+	/* wait for signal */
+	return run();
+}
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
new file mode 100644
index 000000000..5c459f99f
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -0,0 +1,498 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cmd_connection.h"
+
+#include <signal.h>
+#include <unistd.h>
+
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/thread.h>
+#include <daemon.h>
+
+typedef enum profile_t profile_t;
+typedef struct private_cmd_connection_t private_cmd_connection_t;
+
+/**
+ * Connection profiles we support
+ */
+enum profile_t {
+	PROF_UNDEF,
+	PROF_V2_PUB,
+	PROF_V2_EAP,
+	PROF_V2_PUB_EAP,
+	PROF_V1_PUB,
+	PROF_V1_PUB_AM,
+	PROF_V1_XAUTH,
+	PROF_V1_XAUTH_AM,
+	PROF_V1_XAUTH_PSK,
+	PROF_V1_XAUTH_PSK_AM,
+	PROF_V1_HYBRID,
+	PROF_V1_HYBRID_AM,
+};
+
+ENUM(profile_names, PROF_V2_PUB, PROF_V1_HYBRID_AM,
+	"ikev2-pub",
+	"ikev2-eap",
+	"ikev2-pub-eap",
+	"ikev1-pub",
+	"ikev1-pub-am",
+	"ikev1-xauth",
+	"ikev1-xauth-am",
+	"ikev1-xauth-psk",
+	"ikev1-xauth-psk-am",
+	"ikev1-hybrid",
+	"ikev1-hybrid-am",
+);
+
+/**
+ * Private data of an cmd_connection_t object.
+ */
+struct private_cmd_connection_t {
+
+	/**
+	 * Public cmd_connection_t interface.
+	 */
+	cmd_connection_t public;
+
+	/**
+	 * Process ID to terminate on failure
+	 */
+	pid_t pid;
+
+	/**
+	 * List of local traffic selectors
+	 */
+	linked_list_t *local_ts;
+
+	/**
+	 * List of remote traffic selectors
+	 */
+	linked_list_t *remote_ts;
+
+	/**
+	 * Hostname to connect to
+	 */
+	char *host;
+
+	/**
+	 * Server identity, or NULL to use host
+	 */
+	char *server;
+
+	/**
+	 * Local identity
+	 */
+	char *identity;
+
+	/**
+	 * XAuth/EAP identity
+	 */
+	char *xautheap;
+
+	/**
+	 * Is a private key configured
+	 */
+	bool key_seen;
+
+	/**
+	 * Selected connection profile
+	 */
+	profile_t profile;
+};
+
+/**
+ * Shut down application
+ */
+static void terminate(pid_t pid)
+{
+	kill(pid, SIGUSR1);
+}
+
+/**
+ * Create peer config with associated ike config
+ */
+static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
+{
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	u_int16_t local_port, remote_port = IKEV2_UDP_PORT;
+	ike_version_t version = IKE_ANY;
+	bool aggressive = FALSE;
+
+	switch (this->profile)
+	{
+		case PROF_UNDEF:
+		case PROF_V2_PUB:
+		case PROF_V2_EAP:
+		case PROF_V2_PUB_EAP:
+			version = IKEV2;
+			break;
+		case PROF_V1_PUB_AM:
+		case PROF_V1_XAUTH_AM:
+		case PROF_V1_XAUTH_PSK_AM:
+		case PROF_V1_HYBRID_AM:
+			aggressive = TRUE;
+			/* FALL */
+		case PROF_V1_PUB:
+		case PROF_V1_XAUTH:
+		case PROF_V1_XAUTH_PSK:
+		case PROF_V1_HYBRID:
+			version = IKEV1;
+			break;
+	}
+
+	local_port = charon->socket->get_port(charon->socket, FALSE);
+	if (local_port != IKEV2_UDP_PORT)
+	{
+		remote_port = IKEV2_NATT_PORT;
+	}
+	ike_cfg = ike_cfg_create(version, TRUE, FALSE, "0.0.0.0", FALSE, local_port,
+					this->host, FALSE, remote_port, FRAGMENTATION_NO, 0);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	peer_cfg = peer_cfg_create("cmd", ike_cfg,
+					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
+					36000, 0, /* rekey 10h, reauth none */
+					600, 600, /* jitter, over 10min */
+					TRUE, aggressive, /* mobike, aggressive */
+					30, 0, /* DPD delay, timeout */
+					FALSE, NULL, NULL); /* mediation */
+	peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+
+	return peer_cfg;
+}
+
+/**
+ * Add a single auth cfg of given class to peer cfg
+ */
+static void add_auth_cfg(private_cmd_connection_t *this, peer_cfg_t *peer_cfg,
+						 bool local, auth_class_t class)
+{
+	identification_t *id;
+	auth_cfg_t *auth;
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
+	if (local)
+	{
+		id = identification_create_from_string(this->identity);
+		if (this->xautheap)
+		{
+			switch (class)
+			{
+				case AUTH_CLASS_EAP:
+					auth->add(auth, AUTH_RULE_EAP_IDENTITY,
+							identification_create_from_string(this->xautheap));
+					break;
+				case AUTH_CLASS_XAUTH:
+					auth->add(auth, AUTH_RULE_XAUTH_IDENTITY,
+							identification_create_from_string(this->xautheap));
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	else
+	{
+		if (this->server)
+		{
+			id = identification_create_from_string(this->server);
+		}
+		else
+		{
+			id = identification_create_from_string(this->host);
+		}
+		auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+	}
+	auth->add(auth, AUTH_RULE_IDENTITY, id);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, local);
+}
+
+/**
+ * Attach authentication configs to peer config
+ */
+static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
+{
+	if (this->profile == PROF_UNDEF)
+	{
+		if (this->key_seen)
+		{
+			this->profile = PROF_V2_PUB;
+		}
+		else
+		{
+			this->profile = PROF_V2_EAP;
+		}
+	}
+	switch (this->profile)
+	{
+		case PROF_V2_PUB:
+		case PROF_V2_PUB_EAP:
+		case PROF_V1_PUB:
+		case PROF_V1_XAUTH:
+		case PROF_V1_PUB_AM:
+		case PROF_V1_XAUTH_AM:
+			if (!this->key_seen)
+			{
+				DBG1(DBG_CFG, "missing private key for profile %N",
+					 profile_names, this->profile);
+				return FALSE;
+			}
+			break;
+		default:
+			break;
+	}
+
+	switch (this->profile)
+	{
+		case PROF_V2_PUB:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V2_EAP:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V2_PUB_EAP:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
+			break;
+		case PROF_V1_PUB:
+		case PROF_V1_PUB_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		case PROF_V1_XAUTH:
+		case PROF_V1_XAUTH_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		case PROF_V1_XAUTH_PSK:
+		case PROF_V1_XAUTH_PSK_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PSK);
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PSK);
+			break;
+		case PROF_V1_HYBRID:
+		case PROF_V1_HYBRID_AM:
+			add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
+			add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
+			break;
+		default:
+			return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Attach child config to peer config
+ */
+static child_cfg_t* create_child_cfg(private_cmd_connection_t *this)
+{
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800 /* 3h */,
+			.rekey = 10200 /* 2h50min */,
+			.jitter = 300 /* 5min */
+		}
+	};
+
+	child_cfg = child_cfg_create("cmd", &lifetime,
+								 NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
+								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
+								 0, 0, NULL, NULL, 0);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
+	{
+		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	}
+	if (this->remote_ts->get_count(this->remote_ts) == 0)
+	{
+		/* add a 0.0.0.0/0 TS for remote side if none given */
+		ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
+									"0.0.0.0", 0, "255.255.255.255", 65535);
+		this->remote_ts->insert_last(this->remote_ts, ts);
+	}
+	while (this->remote_ts->remove_first(this->remote_ts,
+										 (void**)&ts) == SUCCESS)
+	{
+		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	}
+
+	return child_cfg;
+}
+
+/**
+ * Initiate the configured connection
+ */
+static job_requeue_t initiate(private_cmd_connection_t *this)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	pid_t pid = this->pid;
+
+	if (!this->host)
+	{
+		DBG1(DBG_CFG, "unable to initiate, missing --host option");
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+	if (!this->identity)
+	{
+		DBG1(DBG_CFG, "unable to initiate, missing --identity option");
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+
+	peer_cfg = create_peer_cfg(this);
+
+	if (!add_auth_cfgs(this, peer_cfg))
+	{
+		peer_cfg->destroy(peer_cfg);
+		terminate(pid);
+		return JOB_REQUEUE_NONE;
+	}
+
+	child_cfg = create_child_cfg(this);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+
+	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+									 controller_cb_empty, NULL, 0) != SUCCESS)
+	{
+		terminate(pid);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Create a traffic selector from string, add to list
+ */
+static void add_ts(private_cmd_connection_t *this,
+				   linked_list_t *list, char *string)
+{
+	traffic_selector_t *ts;
+
+	ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
+	if (!ts)
+	{
+		DBG1(DBG_CFG, "invalid traffic selector: %s", string);
+		exit(1);
+	}
+	list->insert_last(list, ts);
+}
+
+/**
+ * Parse profile name identifier
+ */
+static void set_profile(private_cmd_connection_t *this, char *name)
+{
+	int profile;
+
+	profile = enum_from_name(profile_names, name);
+	if (profile == -1)
+	{
+		DBG1(DBG_CFG, "unknown connection profile: %s", name);
+		exit(1);
+	}
+	this->profile = profile;
+}
+
+METHOD(cmd_connection_t, handle, bool,
+	private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
+{
+	switch (opt)
+	{
+		case CMD_OPT_HOST:
+			this->host = arg;
+			break;
+		case CMD_OPT_REMOTE_IDENTITY:
+			this->server = arg;
+			break;
+		case CMD_OPT_IDENTITY:
+			this->identity = arg;
+			break;
+		case CMD_OPT_EAP_IDENTITY:
+		case CMD_OPT_XAUTH_USER:
+			this->xautheap = arg;
+			break;
+		case CMD_OPT_RSA:
+		case CMD_OPT_AGENT:
+		case CMD_OPT_PKCS12:
+			this->key_seen = TRUE;
+			break;
+		case CMD_OPT_LOCAL_TS:
+			add_ts(this, this->local_ts, arg);
+			break;
+		case CMD_OPT_REMOTE_TS:
+			add_ts(this, this->remote_ts, arg);
+			break;
+		case CMD_OPT_PROFILE:
+			set_profile(this, arg);
+			break;
+		default:
+			return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(cmd_connection_t, destroy, void,
+	private_cmd_connection_t *this)
+{
+	this->local_ts->destroy_offset(this->local_ts,
+								offsetof(traffic_selector_t, destroy));
+	this->remote_ts->destroy_offset(this->remote_ts,
+								offsetof(traffic_selector_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+cmd_connection_t *cmd_connection_create()
+{
+	private_cmd_connection_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.destroy = _destroy,
+		},
+		.pid = getpid(),
+		.local_ts = linked_list_create(),
+		.remote_ts = linked_list_create(),
+		.profile = PROF_UNDEF,
+	);
+
+	/* always include the virtual IP in traffic selector list */
+	this->local_ts->insert_last(this->local_ts,
+								traffic_selector_create_dynamic(0, 0, 65535));
+
+	/* queue job, gets initiated as soon as we are up and running */
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio(
+			(callback_job_cb_t)initiate, this, NULL,
+			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+
+	return &this->public;
+}
diff --git a/src/charon-cmd/cmd/cmd_connection.h b/src/charon-cmd/cmd/cmd_connection.h
new file mode 100644
index 000000000..221802617
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_connection.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup charon-cmd charon-cmd
+ *
+ * @defgroup cmd cmd
+ * @ingroup charon-cmd
+ *
+ * @defgroup cmd_connection cmd_connection
+ * @{ @ingroup cmd
+ */
+
+#ifndef CMD_CONNECTION_H_
+#define CMD_CONNECTION_H_
+
+#include <library.h>
+
+#include "cmd_options.h"
+
+typedef struct cmd_connection_t cmd_connection_t;
+
+/**
+ * Connection definition to construct and initiate.
+ */
+struct cmd_connection_t {
+
+	/**
+	 * Handle a command line option.
+	 *
+	 * @param opt		option to handle
+	 * @param arg		option argument
+	 * @return			TRUE if option handled
+	 */
+	bool (*handle)(cmd_connection_t *this, cmd_option_type_t opt, char *arg);
+
+	/**
+	 * Destroy a cmd_connection_t.
+	 */
+	void (*destroy)(cmd_connection_t *this);
+};
+
+/**
+ * Create a cmd_connection instance.
+ */
+cmd_connection_t *cmd_connection_create();
+
+#endif /** CMD_CONNECTION_H_ @}*/
diff --git a/src/charon-cmd/cmd/cmd_creds.c b/src/charon-cmd/cmd/cmd_creds.c
new file mode 100644
index 000000000..526ff7c9c
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_creds.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cmd_creds.h"
+
+#include <unistd.h>
+
+#include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/containers/pkcs12.h>
+#include <credentials/sets/callback_cred.h>
+
+typedef struct private_cmd_creds_t private_cmd_creds_t;
+
+/**
+ * Private data of an cmd_creds_t object.
+ */
+struct private_cmd_creds_t {
+
+	/**
+	 * Public cmd_creds_t interface.
+	 */
+	cmd_creds_t public;
+
+	/**
+	 * Reused in-memory credential set
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * Callback credential set to get secrets
+	 */
+	callback_cred_t *cb;
+
+	/**
+	 * Already prompted for password?
+	 */
+	bool prompted;
+
+	/**
+	 * Path to ssh-agent socket
+	 */
+	char *agent;
+
+	/**
+	 * Local identity
+	 */
+	char *identity;
+};
+
+/**
+ * Callback function to prompt for secret
+ */
+static shared_key_t* callback_shared(private_cmd_creds_t *this,
+								shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other)
+{
+	shared_key_t *shared;
+	char *label, *pwd;
+
+	if (this->prompted)
+	{
+		return NULL;
+	}
+	switch (type)
+	{
+		case SHARED_EAP:
+			label = "EAP password: ";
+			break;
+		case SHARED_IKE:
+			label = "Preshared Key: ";
+			break;
+		case SHARED_PRIVATE_KEY_PASS:
+			label = "Password: ";
+			break;
+		default:
+			return NULL;
+	}
+	pwd = getpass(label);
+	if (!pwd || strlen(pwd) == 0)
+	{
+		return NULL;
+	}
+	this->prompted = TRUE;
+	if (match_me)
+	{
+		*match_me = ID_MATCH_PERFECT;
+	}
+	if (match_other)
+	{
+		*match_other = ID_MATCH_PERFECT;
+	}
+	shared = shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
+	/* cache password in case it is required more than once */
+	this->creds->add_shared(this->creds, shared, NULL);
+	return shared->get_ref(shared);
+}
+
+/**
+ * Load a trusted certificate from path
+ */
+static void load_cert(private_cmd_creds_t *this, char *path)
+{
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, path, BUILD_END);
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "loading certificate from '%s' failed", path);
+		exit(1);
+	}
+	this->creds->add_cert(this->creds, TRUE, cert);
+}
+
+/**
+ * Load a private key of given kind from path
+ */
+static void load_key(private_cmd_creds_t *this, key_type_t type, char *path)
+{
+	private_key_t *privkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+	if (!privkey)
+	{
+		DBG1(DBG_CFG, "loading %N private key from '%s' failed",
+			 key_type_names, type, path);
+		exit(1);
+	}
+	this->creds->add_key(this->creds, privkey);
+}
+
+/**
+ * Load a private and public key via ssh-agent
+ */
+static void load_agent(private_cmd_creds_t *this)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+	identification_t *id;
+	certificate_t *cert;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+								 BUILD_AGENT_SOCKET, this->agent, BUILD_END);
+	if (!privkey)
+	{
+		DBG1(DBG_CFG, "failed to load private key from ssh-agent");
+		exit(1);
+	}
+	pubkey = privkey->get_public_key(privkey);
+	if (!pubkey)
+	{
+		DBG1(DBG_CFG, "failed to load public key from ssh-agent");
+		privkey->destroy(privkey);
+		exit(1);
+	}
+	id = identification_create_from_string(this->identity);
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+							  CERT_TRUSTED_PUBKEY, BUILD_PUBLIC_KEY, pubkey,
+							  BUILD_SUBJECT, id, BUILD_END);
+	pubkey->destroy(pubkey);
+	id->destroy(id);
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "failed to create certificate for ssh-agent public key");
+		privkey->destroy(privkey);
+		exit(1);
+	}
+	this->creds->add_cert(this->creds, TRUE, cert);
+	this->creds->add_key(this->creds, privkey);
+}
+
+/**
+ * Load a PKCS#12 file from path
+ */
+static void load_pkcs12(private_cmd_creds_t *this, char *path)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	private_key_t *key;
+	container_t *container;
+	pkcs12_t *pkcs12;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12,
+								   BUILD_FROM_FILE, path, BUILD_END);
+	if (!container)
+	{
+		DBG1(DBG_CFG, "loading PKCS#12 file '%s' failed", path);
+		exit(1);
+	}
+	pkcs12 = (pkcs12_t*)container;
+	enumerator = pkcs12->create_cert_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		this->creds->add_cert(this->creds, TRUE, cert->get_ref(cert));
+	}
+	enumerator->destroy(enumerator);
+	enumerator = pkcs12->create_key_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &key))
+	{
+		this->creds->add_key(this->creds, key->get_ref(key));
+	}
+	enumerator->destroy(enumerator);
+	container->destroy(container);
+}
+
+METHOD(cmd_creds_t, handle, bool,
+	private_cmd_creds_t *this, cmd_option_type_t opt, char *arg)
+{
+	switch (opt)
+	{
+		case CMD_OPT_CERT:
+			load_cert(this, arg);
+			break;
+		case CMD_OPT_RSA:
+			load_key(this, KEY_RSA, arg);
+			break;
+		case CMD_OPT_PKCS12:
+			load_pkcs12(this, arg);
+			break;
+		case CMD_OPT_IDENTITY:
+			this->identity = arg;
+			break;
+		case CMD_OPT_AGENT:
+			this->agent = arg ?: getenv("SSH_AUTH_SOCK");
+			if (!this->agent)
+			{
+				DBG1(DBG_CFG, "no ssh-agent socket defined");
+				exit(1);
+			}
+			break;
+		default:
+			return FALSE;
+	}
+	if (this->agent && this->identity)
+	{
+		load_agent(this);
+		/* only do this once */
+		this->agent = NULL;
+	}
+	return TRUE;
+}
+
+METHOD(cmd_creds_t, destroy, void,
+	private_cmd_creds_t *this)
+{
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cb->set);
+	this->creds->destroy(this->creds);
+	this->cb->destroy(this->cb);
+	free(this);
+}
+
+/**
+ * See header
+ */
+cmd_creds_t *cmd_creds_create()
+{
+	private_cmd_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.destroy = _destroy,
+		},
+		.creds = mem_cred_create(),
+	);
+	this->cb = callback_cred_create_shared((void*)callback_shared, this);
+
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cb->set);
+
+	return &this->public;
+}
diff --git a/src/charon-cmd/cmd/cmd_creds.h b/src/charon-cmd/cmd/cmd_creds.h
new file mode 100644
index 000000000..053e596a5
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_creds.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cmd_creds cmd_creds
+ * @{ @ingroup cmd
+ */
+
+#ifndef CMD_CREDS_H_
+#define CMD_CREDS_H_
+
+#include <library.h>
+
+#include "cmd_options.h"
+
+typedef struct cmd_creds_t cmd_creds_t;
+
+/**
+ * Credential backend providing certificates, private keys and shared secrets.
+ */
+struct cmd_creds_t {
+
+	/**
+	 * Handle a command line options related to credentials.
+	 *
+	 * @param opt		option to handle
+	 * @param arg		option argument
+	 * @return			TRUE if option handled
+	 */
+	bool (*handle)(cmd_creds_t *this, cmd_option_type_t opt, char *arg);
+
+	/**
+	 * Destroy a cmd_creds_t.
+	 */
+	void (*destroy)(cmd_creds_t *this);
+};
+
+/**
+ * Create a cmd_creds instance.
+ */
+cmd_creds_t *cmd_creds_create();
+
+#endif /** CMD_CREDS_H_ @}*/
diff --git a/src/charon-cmd/cmd/cmd_options.c b/src/charon-cmd/cmd/cmd_options.c
new file mode 100644
index 000000000..597ccda1f
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_options.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cmd_options.h"
+
+#include <getopt.h>
+
+/**
+ * See header.
+ */
+cmd_option_t cmd_options[CMD_OPT_COUNT] = {
+	{ CMD_OPT_HELP, "help", no_argument, "",
+	  "print this usage information and exit", {}},
+	{ CMD_OPT_VERSION, "version", no_argument, "",
+	  "show version information and exit", {}},
+	{ CMD_OPT_DEBUG, "debug", required_argument, "level",
+	  "set the default log level (-1..4, default: 1)", {}},
+	{ CMD_OPT_HOST, "host", required_argument, "hostname",
+	  "DNS name or address to connect to", {}},
+	{ CMD_OPT_IDENTITY, "identity", required_argument, "identity",
+	  "identity the client uses for the IKE exchange", {}},
+	{ CMD_OPT_EAP_IDENTITY, "eap-identity", required_argument, "eap-identity",
+	  "identity the client uses for EAP authentication", {}},
+	{ CMD_OPT_XAUTH_USER, "xauth-username", required_argument, "xauth-username",
+	  "username the client uses for XAuth authentication", {}},
+	{ CMD_OPT_REMOTE_IDENTITY, "remote-identity", required_argument, "identity",
+	  "server identity to expect, defaults to host", {}},
+	{ CMD_OPT_CERT, "cert", required_argument, "path",
+	  "certificate for authentication or trust chain validation", {}},
+	{ CMD_OPT_RSA, "rsa", required_argument, "path",
+	  "RSA private key to use for authentication", {}},
+	{ CMD_OPT_PKCS12, "p12", required_argument, "path",
+	  "PKCS#12 file with private key and certificates to use for ", {
+		"authentication and trust chain validation"
+	}},
+	{ CMD_OPT_AGENT, "agent", optional_argument, "socket",
+	  "use SSH agent for authentication. If socket is not specified", {
+		"it is read from the SSH_AUTH_SOCK environment variable",
+	}},
+	{ CMD_OPT_LOCAL_TS, "local-ts", required_argument, "subnet",
+	  "additional traffic selector to propose for our side", {}},
+	{ CMD_OPT_REMOTE_TS, "remote-ts", required_argument, "subnet",
+	  "traffic selector to propose for remote side", {}},
+	{ CMD_OPT_PROFILE, "profile", required_argument, "name",
+	  "authentication profile to use, where name is one of:", {
+		"  ikev2-pub, ikev2-eap, ikev2-pub-eap",
+		"  ikev1-pub[-am], ikev1-xauth[-am],",
+		"  ikev1-xauth-psk[-am], ikev1-hybrid[-am]",
+	}},
+};
diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h
new file mode 100644
index 000000000..6b8b04cdf
--- /dev/null
+++ b/src/charon-cmd/cmd/cmd_options.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cmd_option cmd_option
+ * @{ @ingroup cmd
+ */
+
+#ifndef CMD_OPTION_H_
+#define CMD_OPTION_H_
+
+typedef struct cmd_option_t cmd_option_t;
+typedef enum cmd_option_type_t cmd_option_type_t;
+
+/**
+ * Command line options
+ */
+enum cmd_option_type_t {
+	CMD_OPT_HELP,
+	CMD_OPT_VERSION,
+	CMD_OPT_DEBUG,
+	CMD_OPT_HOST,
+	CMD_OPT_IDENTITY,
+	CMD_OPT_EAP_IDENTITY,
+	CMD_OPT_XAUTH_USER,
+	CMD_OPT_REMOTE_IDENTITY,
+	CMD_OPT_CERT,
+	CMD_OPT_RSA,
+	CMD_OPT_PKCS12,
+	CMD_OPT_AGENT,
+	CMD_OPT_LOCAL_TS,
+	CMD_OPT_REMOTE_TS,
+	CMD_OPT_PROFILE,
+
+	CMD_OPT_COUNT
+};
+
+/**
+ * Command line arguments, similar to "struct option", but with descriptions
+ */
+struct cmd_option_t {
+	/** option identifier */
+	cmd_option_type_t id;
+	/** long option name */
+	const char *name;
+	/** takes argument */
+	int has_arg;
+	/** decription of argument */
+	const char *arg;
+	/** short description to option */
+	const char *desc;
+	/** additional description lines */
+	const char *lines[12];
+};
+
+/**
+ * Registered CMD options.
+ */
+extern cmd_option_t cmd_options[CMD_OPT_COUNT];
+
+#endif /** CMD_OPTION_H_ @}*/
diff --git a/src/charon-nm/Makefile.am b/src/charon-nm/Makefile.am
new file mode 100644
index 000000000..d3630ffd5
--- /dev/null
+++ b/src/charon-nm/Makefile.am
@@ -0,0 +1,26 @@
+ipsec_PROGRAMS = charon-nm
+
+charon_nm_SOURCES = \
+	charon-nm.c \
+	nm/nm_backend.c nm/nm_backend.h \
+	nm/nm_creds.c nm/nm_creds.h \
+	nm/nm_handler.c nm/nm_handler.h \
+	nm/nm_service.c nm/nm_service.h
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DNM_CA_DIR=\"${nm_ca_dir}\" \
+	-DPLUGINS=\""${nm_plugins}\""
+
+AM_CFLAGS = \
+	${nm_CFLAGS}
+
+charon_nm_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB) ${nm_LIBS}
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
new file mode 100644
index 000000000..6eb52f947
--- /dev/null
+++ b/src/charon-nm/Makefile.in
@@ -0,0 +1,733 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = charon-nm$(EXEEXT)
+subdir = src/charon-nm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
+PROGRAMS = $(ipsec_PROGRAMS)
+am_charon_nm_OBJECTS = charon-nm.$(OBJEXT) nm_backend.$(OBJEXT) \
+	nm_creds.$(OBJEXT) nm_handler.$(OBJEXT) nm_service.$(OBJEXT)
+charon_nm_OBJECTS = $(am_charon_nm_OBJECTS)
+am__DEPENDENCIES_1 =
+charon_nm_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(charon_nm_SOURCES)
+DIST_SOURCES = $(charon_nm_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+charon_nm_SOURCES = \
+	charon-nm.c \
+	nm/nm_backend.c nm/nm_backend.h \
+	nm/nm_creds.c nm/nm_creds.h \
+	nm/nm_handler.c nm/nm_handler.h \
+	nm/nm_service.c nm/nm_service.h
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DNM_CA_DIR=\"${nm_ca_dir}\" \
+	-DPLUGINS=\""${nm_plugins}\""
+
+AM_CFLAGS = \
+	${nm_CFLAGS}
+
+charon_nm_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
+	-lm $(PTHREADLIB) $(DLLIB) ${nm_LIBS}
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon-nm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon-nm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+charon-nm$(EXEEXT): $(charon_nm_OBJECTS) $(charon_nm_DEPENDENCIES) $(EXTRA_charon_nm_DEPENDENCIES) 
+	@rm -f charon-nm$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(charon_nm_OBJECTS) $(charon_nm_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/charon-nm.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_backend.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_creds.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_handler.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+nm_backend.o: nm/nm_backend.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_backend.o -MD -MP -MF $(DEPDIR)/nm_backend.Tpo -c -o nm_backend.o `test -f 'nm/nm_backend.c' || echo '$(srcdir)/'`nm/nm_backend.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_backend.Tpo $(DEPDIR)/nm_backend.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_backend.c' object='nm_backend.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_backend.o `test -f 'nm/nm_backend.c' || echo '$(srcdir)/'`nm/nm_backend.c
+
+nm_backend.obj: nm/nm_backend.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_backend.obj -MD -MP -MF $(DEPDIR)/nm_backend.Tpo -c -o nm_backend.obj `if test -f 'nm/nm_backend.c'; then $(CYGPATH_W) 'nm/nm_backend.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_backend.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_backend.Tpo $(DEPDIR)/nm_backend.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_backend.c' object='nm_backend.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_backend.obj `if test -f 'nm/nm_backend.c'; then $(CYGPATH_W) 'nm/nm_backend.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_backend.c'; fi`
+
+nm_creds.o: nm/nm_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_creds.o -MD -MP -MF $(DEPDIR)/nm_creds.Tpo -c -o nm_creds.o `test -f 'nm/nm_creds.c' || echo '$(srcdir)/'`nm/nm_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_creds.Tpo $(DEPDIR)/nm_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_creds.c' object='nm_creds.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_creds.o `test -f 'nm/nm_creds.c' || echo '$(srcdir)/'`nm/nm_creds.c
+
+nm_creds.obj: nm/nm_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_creds.obj -MD -MP -MF $(DEPDIR)/nm_creds.Tpo -c -o nm_creds.obj `if test -f 'nm/nm_creds.c'; then $(CYGPATH_W) 'nm/nm_creds.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_creds.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_creds.Tpo $(DEPDIR)/nm_creds.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_creds.c' object='nm_creds.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_creds.obj `if test -f 'nm/nm_creds.c'; then $(CYGPATH_W) 'nm/nm_creds.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_creds.c'; fi`
+
+nm_handler.o: nm/nm_handler.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_handler.o -MD -MP -MF $(DEPDIR)/nm_handler.Tpo -c -o nm_handler.o `test -f 'nm/nm_handler.c' || echo '$(srcdir)/'`nm/nm_handler.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_handler.Tpo $(DEPDIR)/nm_handler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_handler.c' object='nm_handler.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_handler.o `test -f 'nm/nm_handler.c' || echo '$(srcdir)/'`nm/nm_handler.c
+
+nm_handler.obj: nm/nm_handler.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_handler.obj -MD -MP -MF $(DEPDIR)/nm_handler.Tpo -c -o nm_handler.obj `if test -f 'nm/nm_handler.c'; then $(CYGPATH_W) 'nm/nm_handler.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_handler.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_handler.Tpo $(DEPDIR)/nm_handler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_handler.c' object='nm_handler.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_handler.obj `if test -f 'nm/nm_handler.c'; then $(CYGPATH_W) 'nm/nm_handler.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_handler.c'; fi`
+
+nm_service.o: nm/nm_service.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_service.o -MD -MP -MF $(DEPDIR)/nm_service.Tpo -c -o nm_service.o `test -f 'nm/nm_service.c' || echo '$(srcdir)/'`nm/nm_service.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_service.Tpo $(DEPDIR)/nm_service.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_service.c' object='nm_service.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_service.o `test -f 'nm/nm_service.c' || echo '$(srcdir)/'`nm/nm_service.c
+
+nm_service.obj: nm/nm_service.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nm_service.obj -MD -MP -MF $(DEPDIR)/nm_service.Tpo -c -o nm_service.obj `if test -f 'nm/nm_service.c'; then $(CYGPATH_W) 'nm/nm_service.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_service.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nm_service.Tpo $(DEPDIR)/nm_service.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='nm/nm_service.c' object='nm_service.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nm_service.obj `if test -f 'nm/nm_service.c'; then $(CYGPATH_W) 'nm/nm_service.c'; else $(CYGPATH_W) '$(srcdir)/nm/nm_service.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
new file mode 100644
index 000000000..9ce6dbaeb
--- /dev/null
+++ b/src/charon-nm/charon-nm.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <hydra.h>
+#include <daemon.h>
+
+#include <library.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+
+#include <nm/nm_backend.h>
+
+/**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
+/**
+ * Hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Simple logging hook for library logs, using syslog output
+ */
+static void dbg_syslog(debug_t group, level_t level, char *fmt, ...)
+{
+	if (level <= 1)
+	{
+		char buffer[8192], groupstr[4];
+		va_list args;
+
+		va_start(args, fmt);
+		/* write in memory buffer first */
+		vsnprintf(buffer, sizeof(buffer), fmt, args);
+		/* cache group name */
+		snprintf(groupstr, sizeof(groupstr), "%N", debug_names, group);
+		syslog(LOG_DAEMON|LOG_INFO, "00[%s] %s", groupstr, buffer);
+		va_end(args);
+	}
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static void run()
+{
+	sigset_t set;
+
+	/* handle SIGINT and SIGTERM in this handler */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGTERM);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	while (TRUE)
+	{
+		int sig;
+		int error;
+
+		error = sigwait(&set, &sig);
+		if (error)
+		{
+			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			return;
+		}
+		switch (sig)
+		{
+			case SIGINT:
+			{
+				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			case SIGTERM:
+			{
+				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			default:
+			{
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+				break;
+			}
+		}
+	}
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr, TRUE);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
+	abort();
+}
+
+/**
+ * Lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+	char *name;
+
+	name = lib->settings->get_str(lib->settings, "charon-nm.user",
+								  IPSEC_USER);
+	if (name && !lib->caps->resolve_uid(lib->caps, name))
+	{
+		return FALSE;
+	}
+	name = lib->settings->get_str(lib->settings, "charon-nm.group",
+								  IPSEC_GROUP);
+	if (name && !lib->caps->resolve_gid(lib->caps, name))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Main function, starts NetworkManager backend.
+ */
+int main(int argc, char *argv[])
+{
+	struct sigaction action;
+	int status = SS_RC_INITIALIZATION_FAILED;
+
+	/* logging for library during initialization, as we have no bus yet */
+	dbg = dbg_syslog;
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		library_deinit();
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "charon-nm", argv[0]))
+	{
+		dbg_syslog(DBG_DMN, 1, "integrity check of charon-nm failed");
+		library_deinit();
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
+
+	if (!libhydra_init("charon-nm"))
+	{
+		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
+		libhydra_deinit();
+		library_deinit();
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	if (!libcharon_init("charon-nm"))
+	{
+		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
+		goto deinit;
+	}
+
+	if (!lookup_uid_gid())
+	{
+		dbg_syslog(DBG_DMN, 1, "invalid uid/gid - aborting charon-nm");
+		goto deinit;
+	}
+
+	/* make sure we log to the DAEMON facility by default */
+	lib->settings->set_int(lib->settings, "charon-nm.syslog.daemon.default",
+		lib->settings->get_int(lib->settings,
+							   "charon-nm.syslog.daemon.default", 1));
+	charon->load_loggers(charon, NULL, FALSE);
+
+	/* use random ports to avoid conflicts with regular charon */
+	lib->settings->set_int(lib->settings, "charon-nm.port", 0);
+	lib->settings->set_int(lib->settings, "charon-nm.port_natt_t", 0);
+
+	DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
+	if (lib->integrity)
+	{
+		DBG1(DBG_DMN, "integrity tests enabled:");
+		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "daemon 'charon-nm': passed file integrity test");
+	}
+
+	/* register NM backend to be loaded with plugins */
+	nm_backend_register();
+
+	/* initialize daemon */
+	if (!charon->initialize(charon,
+			lib->settings->get_str(lib->settings, "charon-nm.load", PLUGINS)))
+	{
+		DBG1(DBG_DMN, "initialization failed - aborting charon-nm");
+		goto deinit;
+	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	if (!lib->caps->drop(lib->caps))
+	{
+		DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
+		goto deinit;
+	}
+
+	/* add handler for SEGV and ILL,
+	 * INT and TERM are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* start daemon (i.e. the threads in the thread-pool) */
+	charon->start(charon);
+
+	/* main thread goes to run loop */
+	run();
+
+	status = 0;
+
+deinit:
+	libcharon_deinit();
+	libhydra_deinit();
+	library_deinit();
+	return status;
+}
+
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
new file mode 100644
index 000000000..f474dad60
--- /dev/null
+++ b/src/charon-nm/nm/nm_backend.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "nm_service.h"
+#include "nm_creds.h"
+#include "nm_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+#ifndef CAP_DAC_OVERRIDE
+#define CAP_DAC_OVERRIDE 1
+#endif
+
+typedef struct nm_backend_t nm_backend_t;
+
+/**
+ * Data for the NetworkManager backend.
+ */
+struct nm_backend_t {
+
+	/**
+	 * NetworkManager service (VPNPlugin)
+	 */
+	NMStrongswanPlugin *plugin;
+
+	/**
+	 * Glib main loop for a thread, handles DBUS calls
+	 */
+	GMainLoop *loop;
+
+	/**
+	 * credential set registered at the daemon
+	 */
+	nm_creds_t *creds;
+
+	/**
+	 * attribute handler regeisterd at the daemon
+	 */
+	nm_handler_t *handler;
+};
+
+/**
+ * Global (but private) instance of the NM backend.
+ */
+static nm_backend_t *nm_backend = NULL;
+
+/**
+ * NM plugin processing routine, creates and handles NMVPNPlugin
+ */
+static job_requeue_t run(nm_backend_t *this)
+{
+	this->loop = g_main_loop_new(NULL, FALSE);
+	g_main_loop_run(this->loop);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Cancel the GLib Main Event Loop
+ */
+static bool cancel(nm_backend_t *this)
+{
+	if (this->loop)
+	{
+		if (g_main_loop_is_running(this->loop))
+		{
+			g_main_loop_quit(this->loop);
+		}
+		g_main_loop_unref(this->loop);
+	}
+	return TRUE;
+}
+
+/**
+ * Deinitialize NetworkManager backend
+ */
+static void nm_backend_deinit()
+{
+	nm_backend_t *this = nm_backend;
+
+	if (!this)
+	{
+		return;
+	}
+	if (this->plugin)
+	{
+		g_object_unref(this->plugin);
+	}
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	this->creds->destroy(this->creds);
+	this->handler->destroy(this->handler);
+	free(this);
+
+	nm_backend = NULL;
+}
+
+/**
+ * Initialize NetworkManager backend
+ */
+static bool nm_backend_init()
+{
+	nm_backend_t *this;
+
+#if !GLIB_CHECK_VERSION(2,36,0)
+	g_type_init ();
+#endif
+
+#if !GLIB_CHECK_VERSION(2,23,0)
+	if (!g_thread_supported())
+	{
+		g_thread_init(NULL);
+	}
+#endif
+
+	INIT(this,
+		.creds = nm_creds_create(),
+		.handler = nm_handler_create(),
+	);
+	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
+	nm_backend = this;
+
+	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	if (!this->plugin)
+	{
+		DBG1(DBG_CFG, "DBUS binding failed");
+		nm_backend_deinit();
+		return FALSE;
+	}
+
+	/* bypass file permissions to read from users ssh-agent */
+	if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+	{
+		DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
+		nm_backend_deinit();
+		return FALSE;
+	}
+
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
+				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
+	return TRUE;
+}
+
+/**
+ * Initialize/deinitialize NetworkManager backend
+ */
+static bool nm_backend_cb(void *plugin,
+						  plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		return nm_backend_init();
+	}
+	nm_backend_deinit();
+	return TRUE;
+}
+
+/*
+ * see header file
+ */
+void nm_backend_register()
+{
+	static plugin_feature_t features[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)nm_backend_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "NetworkManager backend"),
+				PLUGIN_DEPENDS(CUSTOM, "libcharon"),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+	};
+	lib->plugins->add_static_features(lib->plugins, "nm-backend", features,
+									  countof(features), TRUE);
+}
diff --git a/src/charon-nm/nm/nm_backend.h b/src/charon-nm/nm/nm_backend.h
new file mode 100644
index 000000000..89dc536f6
--- /dev/null
+++ b/src/charon-nm/nm/nm_backend.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup charon-nm charon-nm
+ *
+ * @defgroup nm nm
+ * @ingroup charon-nm
+ *
+ * @defgroup nm_backend nm_backend
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_BACKEND_H_
+#define NM_BACKEND_H_
+
+/**
+ * Initialize the NetworkManager backend.
+ *
+ * @return		TRUE, if initialization was successful
+ */
+void nm_backend_register();
+
+#endif /** NM_BACKEND_H_ @}*/
diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/charon-nm/nm/nm_creds.c
index f8fae9504..f8fae9504 100644
--- a/src/libcharon/plugins/nm/nm_creds.c
+++ b/src/charon-nm/nm/nm_creds.c
diff --git a/src/libcharon/plugins/nm/nm_creds.h b/src/charon-nm/nm/nm_creds.h
index 91f645c7e..91f645c7e 100644
--- a/src/libcharon/plugins/nm/nm_creds.h
+++ b/src/charon-nm/nm/nm_creds.h
diff --git a/src/libcharon/plugins/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
index 408129ebe..28aa04b31 100644
--- a/src/libcharon/plugins/nm/nm_handler.c
+++ b/src/charon-nm/nm/nm_handler.c
@@ -92,15 +92,17 @@ static bool enumerate_dns(enumerator_t *this,
 }
 
 METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
-	private_nm_handler_t *this, identification_t *server, host_t *vip)
+	private_nm_handler_t *this, identification_t *server, linked_list_t *vips)
 {
-	if (vip && vip->get_family(vip) == AF_INET)
-	{	/* no IPv6 attributes yet */
-		enumerator_t *enumerator = malloc_thing(enumerator_t);
-		/* enumerate DNS attribute first ... */
-		enumerator->enumerate = (void*)enumerate_dns;
-		enumerator->destroy = (void*)free;
+	if (vips->get_count(vips))
+	{
+		enumerator_t *enumerator;
 
+		INIT(enumerator,
+			/* enumerate DNS attribute first ... */
+			.enumerate = (void*)enumerate_dns,
+			.destroy = (void*)free,
+		);
 		return enumerator;
 	}
 	return enumerator_create_empty();
diff --git a/src/libcharon/plugins/nm/nm_handler.h b/src/charon-nm/nm/nm_handler.h
index bb35ce767..bb35ce767 100644
--- a/src/libcharon/plugins/nm/nm_handler.h
+++ b/src/charon-nm/nm/nm_handler.h
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index a6783fcc3..901abd348 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -18,10 +19,11 @@
 #include "nm_service.h"
 
 #include <daemon.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
 #include <credentials/certificates/x509.h>
+#include <networking/tun_device.h>
 
 #include <stdio.h>
 
@@ -41,6 +43,8 @@ typedef struct {
 	nm_creds_t *creds;
 	/* attribute handler for DNS/NBNS server information */
 	nm_handler_t *handler;
+	/* dummy TUN device */
+	tun_device_t *tun;
 	/* name of the connection */
 	char *name;
 } NMStrongswanPluginPrivate;
@@ -80,22 +84,33 @@ static GValue* handler_to_val(nm_handler_t *handler,
 static void signal_ipv4_config(NMVPNPlugin *plugin,
 							   ike_sa_t *ike_sa, child_sa_t *child_sa)
 {
+	NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 	GValue *val;
 	GHashTable *config;
+	enumerator_t *enumerator;
 	host_t *me;
 	nm_handler_t *handler;
 
 	config = g_hash_table_new(g_str_hash, g_str_equal);
-	me = ike_sa->get_my_host(ike_sa);
-	handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+	handler = priv->handler;
 
-	/* NM requires a tundev, but netkey does not use one. Passing an invalid
-	 * iface makes NM complain, but it accepts it without fiddling on eth0. */
+	/* NM requires a tundev, but netkey does not use one. Passing the physical
+	 * interface does not work, as NM fiddles around with it. So we pass a dummy
+	 * TUN device along for NM to play with... */
 	val = g_slice_new0 (GValue);
 	g_value_init (val, G_TYPE_STRING);
-	g_value_set_string (val, "none");
+	g_value_set_string (val, priv->tun->get_name(priv->tun));
 	g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
 
+	/* NM installs this IP address on the interface above, so we use the VIP if
+	 * we got one.
+	 */
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
+	if (!enumerator->enumerate(enumerator, &me))
+	{
+		me = ike_sa->get_my_host(ike_sa);
+	}
+	enumerator->destroy(enumerator);
 	val = g_slice_new0(GValue);
 	g_value_init(val, G_TYPE_UINT);
 	g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
@@ -106,6 +121,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 	g_value_set_uint(val, me->get_address(me).len * 8);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
 
+	/* prevent NM from changing the default route. we set our own route in our
+	 * own routing table
+	 */
+	val = g_slice_new0(GValue);
+	g_value_init(val, G_TYPE_BOOLEAN);
+	g_value_set_boolean(val, TRUE);
+	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, val);
+
 	val = handler_to_val(handler, INTERNAL_IP4_DNS);
 	g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
 
@@ -276,7 +299,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	auth_class_t auth_class = AUTH_CLASS_EAP;
 	certificate_t *cert = NULL;
 	x509_t *x509;
-	bool agent = FALSE, smartcard = FALSE;
+	bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE;
 	lifetime_cfg_t lifetime = {
 		.time = {
 			.life = 10800 /* 3h */,
@@ -302,6 +325,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		 priv->name);
 	DBG4(DBG_CFG, "%s",
 		 nm_setting_to_string(NM_SETTING(vpn)));
+	if (!priv->tun)
+	{
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+					"Failed to create dummy TUN device.");
+		gateway->destroy(gateway);
+		return FALSE;
+	}
 	address = nm_setting_vpn_get_data_item(vpn, "address");
 	if (!address || !*address)
 	{
@@ -379,6 +409,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		 * included in the gateway certificate. */
 		gateway = identification_create_from_string((char*)address);
 		DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
+		loose_gateway_id = TRUE;
 	}
 
 	if (auth_class == AUTH_CLASS_EAP)
@@ -496,16 +527,22 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	/**
 	 * Set up configurations
 	 */
-	ike_cfg = ike_cfg_create(TRUE, encap,
-					"0.0.0.0", IKEV2_UDP_PORT, (char*)address, IKEV2_UDP_PORT);
+	ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE,
+							 charon->socket->get_port(charon->socket, FALSE),
+							(char*)address, FALSE, IKEV2_UDP_PORT,
+							 FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg,
+	peer_cfg = peer_cfg_create(priv->name, ike_cfg,
 					CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
 					36000, 0, /* rekey 10h, reauth none */
 					600, 600, /* jitter, over 10min */
-					TRUE, 0, /* mobike, DPD */
-					virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
-					NULL, FALSE, NULL, NULL); /* pool, mediation */
+					TRUE, FALSE, /* mobike, aggressive */
+					0, 0, /* DPD delay, timeout */
+					FALSE, NULL, NULL); /* mediation */
+	if (virtual)
+	{
+		peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+	}
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
 	auth->add(auth, AUTH_RULE_IDENTITY, user);
@@ -513,6 +550,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+	auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 	child_cfg = child_cfg_create(priv->name, &lifetime,
@@ -533,6 +571,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	 */
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 														peer_cfg);
+	if (!ike_sa)
+	{
+		peer_cfg->destroy(peer_cfg);
+		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+					"IKE version not supported.");
+		return FALSE;
+	}
 	if (!ike_sa->get_peer_cfg(ike_sa))
 	{
 		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
@@ -550,6 +595,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	/**
 	 * Initiate
 	 */
+	child_cfg->get_ref(child_cfg);
 	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
 	{
 		charon->bus->remove_listener(charon->bus, &priv->listener);
@@ -608,7 +654,7 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 				}
 			}
 		}
-		else if streq(method, "smartcard")
+		else if (streq(method, "smartcard"))
 		{
 			if (nm_setting_vpn_get_secret(settings, "password"))
 			{
@@ -660,9 +706,28 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 
 	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 	priv->plugin = NM_VPN_PLUGIN(plugin);
-	memset(&priv->listener.log, 0, sizeof(listener_t));
+	memset(&priv->listener, 0, sizeof(listener_t));
 	priv->listener.child_updown = child_updown;
 	priv->listener.ike_rekey = ike_rekey;
+	priv->tun = tun_device_create(NULL);
+	priv->name = NULL;
+}
+
+/**
+ * Destructor
+ */
+static void nm_strongswan_plugin_dispose(GObject *obj)
+{
+	NMStrongswanPlugin *plugin;
+	NMStrongswanPluginPrivate *priv;
+
+	plugin = NM_STRONGSWAN_PLUGIN(obj);
+	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+	if (priv->tun)
+	{
+		priv->tun->destroy(priv->tun);
+		priv->tun = NULL;
+	}
 }
 
 /**
@@ -678,6 +743,7 @@ static void nm_strongswan_plugin_class_init(
 	parent_class->connect = connect_;
 	parent_class->need_secrets = need_secrets;
 	parent_class->disconnect = disconnect;
+	G_OBJECT_CLASS(strongswan_class)->dispose = nm_strongswan_plugin_dispose;
 }
 
 /**
@@ -694,11 +760,10 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
 	{
 		NMStrongswanPluginPrivate *priv;
 
+		/* the rest of the initialization happened in _init above */
 		priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 		priv->creds = creds;
 		priv->handler = handler;
-		priv->name = NULL;
 	}
 	return plugin;
 }
-
diff --git a/src/libcharon/plugins/nm/nm_service.h b/src/charon-nm/nm/nm_service.h
index 828d1a452..0cb23e120 100644
--- a/src/libcharon/plugins/nm/nm_service.h
+++ b/src/charon-nm/nm/nm_service.h
@@ -29,11 +29,11 @@
 #include "nm_handler.h"
 
 #define NM_TYPE_STRONGSWAN_PLUGIN            (nm_strongswan_plugin_get_type ())
-#define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPlugin))
-#define NM_STRONGSWAN_PLUGIN_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+#define NM_STRONGSWAN_PLUGIN(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPlugin))
+#define NM_STRONGSWAN_PLUGIN_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginClass))
 #define NM_IS_STRONGSWAN_PLUGIN(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
 #define NM_IS_STRONGSWAN_PLUGIN_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((obj), NM_TYPE_STRONGSWAN_PLUGIN))
-#define NM_STRONGSWAN_PLUGIN_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPluginClass))
+#define NM_STRONGSWAN_PLUGIN_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginClass))
 
 #define NM_DBUS_SERVICE_STRONGSWAN    "org.freedesktop.NetworkManager.strongswan"
 #define NM_DBUS_INTERFACE_STRONGSWAN  "org.freedesktop.NetworkManager.strongswan"
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
new file mode 100644
index 000000000..0fef1f62d
--- /dev/null
+++ b/src/charon-tkm/Makefile.am
@@ -0,0 +1,54 @@
+SRC = $(top_builddir)/src
+
+# includes relative to obj directory
+AM_CPPFLAGS = \
+	-include $(top_builddir)/config.h \
+	-I../$(SRC)/libstrongswan \
+	-I../$(SRC)/libhydra \
+	-I../$(SRC)/libcharon
+
+LIBLD = \
+	-L$(SRC)/libstrongswan/.libs \
+	-L$(SRC)/libhydra/.libs \
+	-L$(SRC)/libcharon/.libs
+LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+LIBFL = -lstrongswan -lhydra -lcharon
+
+DEFS += -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
+
+BUILD_OPTS = \
+	-XOBJ_DIR=$(CURDIR)/obj \
+	-cargs $(AM_CPPFLAGS) $(DEFS) \
+	-largs $(LIBLD) $(LIBFL)
+
+# plugins to enable
+PLUGINS = \
+	kernel-netlink \
+	pem \
+	socket-default \
+	openssl \
+	stroke
+
+all: build_charon
+
+build_charon: build_charon.gpr src/charon-tkm.c
+	@$(GPRBUILD) -p $< $(BUILD_OPTS)
+
+build_tests: build_tests.gpr
+	@$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+
+if UNITTESTS
+check: build_tests
+	@LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
+else
+check:
+	@echo "reconfigure with --enable-unit-tests"
+endif
+
+install: build_charon
+	$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
+
+clean:
+	rm -rf obj
+
+EXTRA_DIST = build_charon.gpr build_common.gpr build_tests.gpr src tests
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
new file mode 100644
index 000000000..e32a01e1b
--- /dev/null
+++ b/src/charon-tkm/Makefile.in
@@ -0,0 +1,520 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon-tkm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@ -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+SRC = $(top_builddir)/src
+
+# includes relative to obj directory
+AM_CPPFLAGS = \
+	-include $(top_builddir)/config.h \
+	-I../$(SRC)/libstrongswan \
+	-I../$(SRC)/libhydra \
+	-I../$(SRC)/libcharon
+
+LIBLD = \
+	-L$(SRC)/libstrongswan/.libs \
+	-L$(SRC)/libhydra/.libs \
+	-L$(SRC)/libcharon/.libs
+
+LIBPT = $(SRC)/libstrongswan/.libs:$(SRC)/libhydra/.libs:$(SRC)/libcharon/.libs
+LIBFL = -lstrongswan -lhydra -lcharon
+BUILD_OPTS = \
+	-XOBJ_DIR=$(CURDIR)/obj \
+	-cargs $(AM_CPPFLAGS) $(DEFS) \
+	-largs $(LIBLD) $(LIBFL)
+
+
+# plugins to enable
+PLUGINS = \
+	kernel-netlink \
+	pem \
+	socket-default \
+	openssl \
+	stroke
+
+EXTRA_DIST = build_charon.gpr build_common.gpr build_tests.gpr src tests
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon-tkm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/charon-tkm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am
+
+
+all: build_charon
+
+build_charon: build_charon.gpr src/charon-tkm.c
+	@$(GPRBUILD) -p $< $(BUILD_OPTS)
+
+build_tests: build_tests.gpr
+	@$(GPRBUILD) -p $< $(BUILD_OPTS) -cargs @CHECK_CFLAGS@ -largs @CHECK_LIBS@
+
+@UNITTESTS_TRUE@check: build_tests
+@UNITTESTS_TRUE@	@LD_LIBRARY_PATH=$(LIBPT) obj/test_runner
+@UNITTESTS_FALSE@check:
+@UNITTESTS_FALSE@	@echo "reconfigure with --enable-unit-tests"
+
+install: build_charon
+	$(INSTALL) -m 755 obj/charon-tkm $(DESTDIR)$(ipsecdir)
+
+clean:
+	rm -rf obj
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon-tkm/build_charon.gpr b/src/charon-tkm/build_charon.gpr
new file mode 100644
index 000000000..b208667a3
--- /dev/null
+++ b/src/charon-tkm/build_charon.gpr
@@ -0,0 +1,20 @@
+with "build_common";
+
+project Build_Charon is
+
+   for Languages use ("Ada", "C");
+   for Source_Dirs use ("src/**");
+   for Main use ("charon-tkm");
+   for Object_Dir use Build_Common.Obj_Dir;
+
+   package Compiler is
+      for Default_Switches ("ada") use Build_Common.Ada_Compiler_Switches;
+      for Default_Switches ("c") use Build_Common.C_Compiler_Switches
+        & "-Werror";
+   end Compiler;
+
+   package Binder is
+      for Default_Switches ("ada") use Build_Common.Ada_Binder_Switches;
+   end Binder;
+
+end Build_Charon;
diff --git a/src/charon-tkm/build_common.gpr b/src/charon-tkm/build_common.gpr
new file mode 100644
index 000000000..ac322d713
--- /dev/null
+++ b/src/charon-tkm/build_common.gpr
@@ -0,0 +1,25 @@
+with "tkmrpc_client";
+with "tkmrpc_server-ees";
+
+project Build_Common is
+
+   for Source_Dirs use ();
+
+   Obj_Dir := "obj";
+
+   C_Compiler_Switches   := ("-W",
+                             "-Wall",
+                             "-Wno-unused-parameter");
+   Ada_Compiler_Switches := ("-gnatwale",
+                             "-gnatygAdISuxo",
+                             "-gnata",
+                             "-gnatVa",
+                             "-gnat05",
+                             "-gnatf",
+                             "-fstack-check",
+                             "-gnato",
+                             "-g");
+
+   Ada_Binder_Switches   := ("-E");
+
+end Build_Common;
diff --git a/src/charon-tkm/build_tests.gpr b/src/charon-tkm/build_tests.gpr
new file mode 100644
index 000000000..032c7969e
--- /dev/null
+++ b/src/charon-tkm/build_tests.gpr
@@ -0,0 +1,14 @@
+with "build_common";
+
+project Build_Tests is
+
+   for Languages use ("Ada", "C");
+   for Source_Dirs use ("src/ees", "src/ehandler", "src/tkm", "tests");
+   for Main use ("test_runner");
+   for Object_Dir use Build_Common.Obj_Dir;
+
+   package Compiler is
+      for Default_Switches ("c") use Build_Common.C_Compiler_Switches;
+   end Compiler;
+
+end Build_Tests;
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
new file mode 100644
index 000000000..14a735590
--- /dev/null
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -0,0 +1,388 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <syslog.h>
+#include <signal.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <libgen.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <library.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+#include <sa/keymat.h>
+#include <credentials/credential_manager.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
+#include "tkm_listener.h"
+#include "tkm_kernel_ipsec.h"
+#include "tkm_public_key.h"
+#include "tkm_cred.h"
+#include "tkm_encoder.h"
+
+/**
+ * TKM bus listener for IKE authorize events.
+ */
+static tkm_listener_t *listener;
+
+/**
+ * PID file, in which charon-tkm stores its process id
+ */
+static char *pidfile_name = NULL;
+
+/**
+ * Global reference to PID file (required to truncate, if undeletable)
+ */
+static FILE *pidfile = NULL;
+
+/**
+ * Hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Simple logging hook for library logs, using syslog output
+ */
+static void dbg_syslog(debug_t group, level_t level, char *fmt, ...)
+{
+	if (level <= 1)
+	{
+		char buffer[8192];
+		va_list args;
+
+		va_start(args, fmt);
+		/* write in memory buffer first */
+		vsnprintf(buffer, sizeof(buffer), fmt, args);
+		syslog(LOG_DAEMON|LOG_INFO, "00[%s] %s", debug_names->names[group],
+				buffer);
+		va_end(args);
+	}
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static void run()
+{
+	sigset_t set;
+
+	/* handle SIGINT and SIGTERM in this handler */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGTERM);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+
+	while (TRUE)
+	{
+		int sig;
+		int error;
+
+		error = sigwait(&set, &sig);
+		if (error)
+		{
+			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+			return;
+		}
+		switch (sig)
+		{
+			case SIGINT:
+			{
+				DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			case SIGTERM:
+			{
+				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+				charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+				return;
+			}
+			default:
+			{
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+				break;
+			}
+		}
+	}
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr, TRUE);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
+	abort();
+}
+
+/**
+ * Lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+#ifdef IPSEC_USER
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+	{
+		return FALSE;
+	}
+#endif
+#ifdef IPSEC_GROUP
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+	{
+		return FALSE;
+	}
+#endif
+	return TRUE;
+}
+
+/**
+ * Check/create PID file, return TRUE if already running
+ */
+static bool check_pidfile()
+{
+	struct stat stb;
+
+	if (stat(pidfile_name, &stb) == 0)
+	{
+		pidfile = fopen(pidfile_name, "r");
+		if (pidfile)
+		{
+			char buf[64];
+			pid_t pid = 0;
+
+			memset(buf, 0, sizeof(buf));
+			if (fread(buf, 1, sizeof(buf), pidfile))
+			{
+				buf[sizeof(buf) - 1] = '\0';
+				pid = atoi(buf);
+			}
+			fclose(pidfile);
+			if (pid && kill(pid, 0) == 0)
+			{	/* such a process is running */
+				return TRUE;
+			}
+		}
+		DBG1(DBG_DMN, "removing pidfile '%s', process not running", pidfile_name);
+		unlink(pidfile_name);
+	}
+
+	/* create new pidfile */
+	pidfile = fopen(pidfile_name, "w");
+	if (pidfile)
+	{
+		ignore_result(fchown(fileno(pidfile),
+							 lib->caps->get_uid(lib->caps),
+							 lib->caps->get_gid(lib->caps)));
+		fprintf(pidfile, "%d\n", getpid());
+		fflush(pidfile);
+	}
+	return FALSE;
+}
+
+/**
+ * Delete/truncate the PID file
+ */
+static void unlink_pidfile()
+{
+	/* because unlinking the PID file may fail, we truncate it to ensure the
+	 * daemon can be properly restarted.  one probable cause for this is the
+	 * combination of not running as root and the effective user lacking
+	 * permissions on the parent dir(s) of the PID file */
+	if (pidfile)
+	{
+		ignore_result(ftruncate(fileno(pidfile), 0));
+		fclose(pidfile);
+	}
+	unlink(pidfile_name);
+}
+/**
+ * Main function, starts TKM backend.
+ */
+int main(int argc, char *argv[])
+{
+	char *dmn_name;
+	if (argc > 0 && strlen(argv[0]) > 0)
+	{
+		dmn_name = basename(argv[0]);
+	}
+	else
+	{
+		dmn_name = "charon-tkm";
+	}
+
+	/* TKM credential set */
+	tkm_cred_t *creds;
+
+	struct sigaction action;
+	int status = SS_RC_INITIALIZATION_FAILED;
+
+	/* logging for library during initialization, as we have no bus yet */
+	dbg = dbg_syslog;
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		library_deinit();
+		exit(status);
+	}
+
+	if (!libhydra_init(dmn_name))
+	{
+		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
+		libhydra_deinit();
+		library_deinit();
+		exit(status);
+	}
+
+	if (!libcharon_init(dmn_name))
+	{
+		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	if (!lookup_uid_gid())
+	{
+		dbg_syslog(DBG_DMN, 1, "invalid uid/gid - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	/* make sure we log to the DAEMON facility by default */
+	lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
+			lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
+								   dmn_name), dmn_name);
+	charon->load_loggers(charon, NULL, FALSE);
+
+	DBG1(DBG_DMN, "Starting charon with TKM backend (strongSwan "VERSION")");
+
+	/* register TKM specific plugins */
+	static plugin_feature_t features[] = {
+		PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
+			PLUGIN_PROVIDE(NONCE_GEN),
+		PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+		PLUGIN_REGISTER(PUBKEY, tkm_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
+			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
+			PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
+		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+	};
+	lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
+			countof(features), TRUE);
+
+	/* register TKM keymat variant */
+	keymat_register_constructor(IKEV2, (keymat_constructor_t)tkm_keymat_create);
+
+	/* initialize daemon */
+	if (!charon->initialize(charon, PLUGINS))
+	{
+		DBG1(DBG_DMN, "initialization failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	/* set global pidfile name depending on daemon name */
+	if (asprintf(&pidfile_name, IPSEC_PIDDIR"/%s.pid", dmn_name) < 0)
+	{
+		DBG1(DBG_DMN, "unable to set pidfile name - aborting %s", dmn_name);
+		goto deinit;
+	};
+
+	if (check_pidfile())
+	{
+		DBG1(DBG_DMN, "%s already running (\"%s\" exists)", dmn_name,
+			 pidfile_name);
+		goto deinit;
+	}
+
+	if (!lib->caps->drop(lib->caps))
+	{
+		DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	/* initialize TKM client */
+	if (!tkm_init())
+	{
+		DBG1(DBG_DMN, "init of TKM client failed - aborting %s", dmn_name);
+		goto deinit;
+	}
+
+	/* register TKM authorization hook */
+	listener = tkm_listener_create();
+	charon->bus->add_listener(charon->bus, &listener->listener);
+
+	/* register TKM credential set */
+	creds = tkm_cred_create();
+	lib->credmgr->add_set(lib->credmgr, (credential_set_t*)creds);
+
+	/* register TKM credential encoder */
+	lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode);
+
+	/* add handler for SEGV and ILL,
+	 * INT and TERM are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
+	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* start daemon (i.e. the threads in the thread-pool) */
+	charon->start(charon);
+
+	/* main thread goes to run loop */
+	run();
+
+	unlink_pidfile();
+	status = 0;
+	charon->bus->remove_listener(charon->bus, &listener->listener);
+	listener->destroy(listener);
+	creds->destroy(creds);
+	lib->encoding->remove_encoder(lib->encoding, tkm_encoder_encode);
+
+deinit:
+	libcharon_deinit();
+	libhydra_deinit();
+	library_deinit();
+	tkm_deinit();
+	return status;
+}
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
new file mode 100644
index 000000000..2d9653837
--- /dev/null
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <hydra.h>
+#include <utils/debug.h>
+#include <tkm/constants.h>
+#include <tkm/types.h>
+
+#include "ees_callbacks.h"
+
+void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
+{
+	DBG1(DBG_KNL, "ees: acquire received for reqid {%d}", sp_id);
+	hydra->kernel_interface->acquire(hydra->kernel_interface, sp_id, NULL,
+									 NULL);
+	*res = TKM_OK;
+}
+
+void charon_esa_expire(result_type *res, const sp_id_type sp_id,
+					   const esp_spi_type spi_rem, const protocol_type protocol,
+					   const expiry_flag_type hard)
+{
+	DBG1(DBG_KNL, "ees: expire received for reqid {%d}", sp_id);
+	hydra->kernel_interface->expire(hydra->kernel_interface, sp_id, protocol,
+									spi_rem, hard != 0);
+	*res = TKM_OK;
+}
diff --git a/src/charon-tkm/src/ees/ees_callbacks.h b/src/charon-tkm/src/ees/ees_callbacks.h
new file mode 100644
index 000000000..b73dc6cb5
--- /dev/null
+++ b/src/charon-tkm/src/ees/ees_callbacks.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-eescallbacks ees callbacks
+ * @{ @ingroup tkm
+ *
+ * ESP SA Event Service (EES) callbacks.
+ * The xfrm-proxy forwards acquire and expire events from the kernel to
+ * charon-tkm using the EES interface. Upon reception of an event the
+ * corresponding callback is executed.
+ */
+
+#ifndef EES_CALLBACKS_H_
+#define EES_CALLBACKS_H_
+
+/**
+ * Process Acquire event for given security policy.
+ */
+void charon_esa_acquire(result_type *res, const sp_id_type sp_id);
+
+/**
+ * Process Expire event for given security policy.
+ */
+void charon_esa_expire(result_type *res, const sp_id_type sp_id,
+					   const esp_spi_type spi_rem, const protocol_type protocol,
+					   const expiry_flag_type hard);
+
+#endif /** EES_CALLBACKS_H_ @}*/
diff --git a/src/charon-tkm/src/ees/esa_event_service.adb b/src/charon-tkm/src/ees/esa_event_service.adb
new file mode 100644
index 000000000..5b5d7003b
--- /dev/null
+++ b/src/charon-tkm/src/ees/esa_event_service.adb
@@ -0,0 +1,57 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+with Anet.Sockets.Unix;
+with Anet.Receivers.Stream;
+
+with Tkmrpc.Dispatchers.Ees;
+with Tkmrpc.Process_Stream;
+
+pragma Elaborate_All (Anet.Receivers.Stream);
+pragma Elaborate_All (Tkmrpc.Process_Stream);
+
+package body Esa_Event_Service
+is
+
+   package Unix_TCP_Receiver is new Anet.Receivers.Stream
+     (Socket_Type => Anet.Sockets.Unix.TCP_Socket_Type);
+
+   procedure Dispatch is new Tkmrpc.Process_Stream
+     (Dispatch => Tkmrpc.Dispatchers.Ees.Dispatch);
+
+   Sock     : aliased Anet.Sockets.Unix.TCP_Socket_Type;
+   Receiver : Unix_TCP_Receiver.Receiver_Type (S => Sock'Access);
+
+   -------------------------------------------------------------------------
+
+   procedure Finalize
+   is
+   begin
+      Receiver.Stop;
+   end Finalize;
+
+   -------------------------------------------------------------------------
+
+   procedure Init (Address : Interfaces.C.Strings.chars_ptr)
+   is
+      Path : constant String := Interfaces.C.Strings.Value (Address);
+   begin
+      Sock.Init;
+      Sock.Bind (Path => Anet.Sockets.Unix.Path_Type (Path));
+      Receiver.Listen (Callback => Dispatch'Access);
+   end Init;
+
+end Esa_Event_Service;
diff --git a/src/charon-tkm/src/ees/esa_event_service.ads b/src/charon-tkm/src/ees/esa_event_service.ads
new file mode 100644
index 000000000..f3630b7ac
--- /dev/null
+++ b/src/charon-tkm/src/ees/esa_event_service.ads
@@ -0,0 +1,30 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+with Interfaces.C.Strings;
+
+package Esa_Event_Service
+is
+
+   procedure Init (Address : Interfaces.C.Strings.chars_ptr);
+   pragma Export (C, Init, "ees_server_init");
+   --  Initialize Esa Event Service (EES) with given address.
+
+   procedure Finalize;
+   pragma Export (C, Finalize, "ees_server_finalize");
+   --  Finalize EES.
+
+end Esa_Event_Service;
diff --git a/src/charon-tkm/src/ees/tkmrpc-servers-ees.adb b/src/charon-tkm/src/ees/tkmrpc-servers-ees.adb
new file mode 100644
index 000000000..2240065c2
--- /dev/null
+++ b/src/charon-tkm/src/ees/tkmrpc-servers-ees.adb
@@ -0,0 +1,65 @@
+package body Tkmrpc.Servers.Ees
+is
+
+   --------------------------------
+   -- charon callback signatures --
+   --------------------------------
+
+   procedure Charon_Esa_Acquire
+     (Result : out Results.Result_Type;
+      Sp_Id  :     Types.Sp_Id_Type);
+   pragma Import (C, Charon_Esa_Acquire, "charon_esa_acquire");
+
+   procedure Charon_Esa_Expire
+     (Result   : out Results.Result_Type;
+      Sp_Id    :     Types.Sp_Id_Type;
+      Spi_Rem  :     Types.Esp_Spi_Type;
+      Protocol :     Types.Protocol_Type;
+      Hard     :     Types.Expiry_Flag_Type);
+   pragma Import (C, Charon_Esa_Expire, "charon_esa_expire");
+
+   -------------------------------------------------------------------------
+
+   procedure Esa_Acquire
+     (Result : out Results.Result_Type;
+      Sp_Id  :     Types.Sp_Id_Type)
+   is
+   begin
+      Charon_Esa_Acquire (Result => Result,
+                          Sp_Id  => Sp_Id);
+   end Esa_Acquire;
+
+   -------------------------------------------------------------------------
+
+   procedure Esa_Expire
+     (Result   : out Results.Result_Type;
+      Sp_Id    :     Types.Sp_Id_Type;
+      Spi_Rem  :     Types.Esp_Spi_Type;
+      Protocol :     Types.Protocol_Type;
+      Hard     :     Types.Expiry_Flag_Type)
+   is
+   begin
+      Charon_Esa_Expire (Result   => Result,
+                         Sp_Id    => Sp_Id,
+                         Spi_Rem  => Spi_Rem,
+                         Protocol => Protocol,
+                         Hard     => Hard);
+   end Esa_Expire;
+
+   -------------------------------------------------------------------------
+
+   procedure Finalize
+   is
+   begin
+      null;
+   end Finalize;
+
+   -------------------------------------------------------------------------
+
+   procedure Init
+   is
+   begin
+      null;
+   end Init;
+
+end Tkmrpc.Servers.Ees;
diff --git a/src/charon-tkm/src/ehandler/eh_callbacks.c b/src/charon-tkm/src/ehandler/eh_callbacks.c
new file mode 100644
index 000000000..7dca97c3e
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/eh_callbacks.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <signal.h>
+#include <utils/debug.h>
+
+#include "eh_callbacks.h"
+
+void charon_terminate(char *msg)
+{
+	DBG1(DBG_DMN, "critical TKM error, terminating!");
+	DBG1(DBG_DMN, msg);
+	kill(0, SIGTERM);
+}
diff --git a/src/charon-tkm/src/ehandler/eh_callbacks.h b/src/charon-tkm/src/ehandler/eh_callbacks.h
new file mode 100644
index 000000000..db325dcd2
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/eh_callbacks.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-ehandler exception handler
+ * @{ @ingroup tkm
+ *
+ * The exception handler callback is registered as global exception action in
+ * the Ada runtime. If an exception is raised in Ada code this callback is
+ * executed.
+ */
+
+#ifndef EH_CALLBACKS_H_
+#define EH_CALLBACKS_H_
+
+/**
+ * Log given message and terminate charon.
+ */
+void charon_terminate(char *msg);
+
+#endif /** EH_CALLBACKS_H_ @}*/
diff --git a/src/charon-tkm/src/ehandler/exception_handler.adb b/src/charon-tkm/src/ehandler/exception_handler.adb
new file mode 100644
index 000000000..3f165e1cd
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/exception_handler.adb
@@ -0,0 +1,57 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+with Ada.Exceptions;
+
+with GNAT.Exception_Actions;
+
+with Interfaces.C.Strings;
+
+package body Exception_Handler
+is
+
+   procedure Charon_Terminate (Message : Interfaces.C.Strings.chars_ptr);
+   pragma Import (C, Charon_Terminate, "charon_terminate");
+
+   procedure Bailout (Ex : Ada.Exceptions.Exception_Occurrence);
+   --  Signal critical condition to charon daemon.
+
+   -------------------------------------------------------------------------
+
+   procedure Bailout (Ex : Ada.Exceptions.Exception_Occurrence)
+   is
+   begin
+      if Ada.Exceptions.Exception_Name (Ex) = "_ABORT_SIGNAL" then
+
+         --  Ignore runtime-internal abort signal exception.
+
+         return;
+      end if;
+
+      Charon_Terminate (Message => Interfaces.C.Strings.New_String
+                        (Ada.Exceptions.Exception_Information (Ex)));
+   end Bailout;
+
+   -------------------------------------------------------------------------
+
+   procedure Init
+   is
+   begin
+      GNAT.Exception_Actions.Register_Global_Action
+        (Action => Bailout'Access);
+   end Init;
+
+end Exception_Handler;
diff --git a/src/charon-tkm/src/ehandler/exception_handler.ads b/src/charon-tkm/src/ehandler/exception_handler.ads
new file mode 100644
index 000000000..29dd3d8f4
--- /dev/null
+++ b/src/charon-tkm/src/ehandler/exception_handler.ads
@@ -0,0 +1,24 @@
+--
+--  Copyright (C) 2012 Reto Buerki
+--  Copyright (C) 2012 Adrian-Ken Rueegsegger
+--  Hochschule fuer Technik Rapperswil
+--
+--  This program is free software; you can redistribute it and/or modify it
+--  under the terms of the GNU General Public License as published by the
+--  Free Software Foundation; either version 2 of the License, or (at your
+--  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+--
+--  This program is distributed in the hope that it will be useful, but
+--  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+--  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+--  for more details.
+--
+
+package Exception_Handler
+is
+
+   procedure Init;
+   pragma Export (C, Init, "ehandler_init");
+   --  Register last-chance exception handler.
+
+end Exception_Handler;
diff --git a/src/charon-tkm/src/tkm/.gitignore b/src/charon-tkm/src/tkm/.gitignore
new file mode 100644
index 000000000..b672fdeaf
--- /dev/null
+++ b/src/charon-tkm/src/tkm/.gitignore
@@ -0,0 +1 @@
+obj
diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c
new file mode 100644
index 000000000..a39221dc2
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include <tkm/client.h>
+#include <tkm/constants.h>
+
+#include "tkm.h"
+
+#define IKE_SOCKET "/tmp/tkm.rpc.ike"
+#define EES_SOCKET "/tmp/tkm.rpc.ees"
+
+typedef struct private_tkm_t private_tkm_t;
+
+extern result_type ees_server_init(const char * const address);
+extern void ees_server_finalize(void);
+extern void ehandler_init(void);
+
+/*
+ * Private additions to tkm_t.
+ */
+struct private_tkm_t {
+
+	/**
+	 * Public members of tkm_t.
+	 */
+	tkm_t public;
+};
+
+/**
+ * Single instance of tkm_t.
+ */
+tkm_t *tkm = NULL;
+
+/**
+ * Described in header.
+ */
+bool tkm_init()
+{
+	private_tkm_t *this;
+	active_requests_type max_requests;
+	char *ikesock, *eessock;
+	tkm_limits_t limits;
+
+	/* initialize TKM client library */
+	tkmlib_init();
+	ehandler_init();
+
+	ikesock = lib->settings->get_str(lib->settings, "%s.ike_socket", IKE_SOCKET,
+									 charon->name);
+	if (ike_init(ikesock) != TKM_OK)
+	{
+		tkmlib_final();
+		return FALSE;
+	}
+	DBG1(DBG_DMN, "connected to TKM via socket '%s'", ikesock);
+
+	eessock = lib->settings->get_str(lib->settings, "%s.ees_socket", EES_SOCKET,
+									 charon->name);
+	ees_server_init(eessock);
+	DBG1(DBG_DMN, "serving EES requests on socket '%s'", eessock);
+
+	if (ike_tkm_reset() != TKM_OK)
+	{
+		ees_server_finalize();
+		tkmlib_final();
+		return FALSE;
+	}
+
+	/* get limits from tkm */
+	if (ike_tkm_limits(&max_requests, &limits[TKM_CTX_NONCE], &limits[TKM_CTX_DH],
+					   &limits[TKM_CTX_CC], &limits[TKM_CTX_AE],
+					   &limits[TKM_CTX_ISA], &limits[TKM_CTX_ESA]) != TKM_OK)
+	{
+		ees_server_finalize();
+		tkmlib_final();
+		return FALSE;
+	}
+
+	INIT(this,
+		.public = {
+			.idmgr = tkm_id_manager_create(limits),
+			.chunk_map = tkm_chunk_map_create(),
+		},
+	);
+	tkm = &this->public;
+
+	return TRUE;
+}
+
+/**
+ * Described in header.
+ */
+void tkm_deinit()
+{
+	if (!tkm)
+	{
+		return;
+	}
+	private_tkm_t *this = (private_tkm_t*)tkm;
+	this->public.idmgr->destroy(this->public.idmgr);
+	this->public.chunk_map->destroy(this->public.chunk_map);
+
+	ees_server_finalize();
+
+	tkmlib_final();
+	free(this);
+	tkm = NULL;
+}
diff --git a/src/charon-tkm/src/tkm/tkm.h b/src/charon-tkm/src/tkm/tkm.h
new file mode 100644
index 000000000..fb5acd117
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm tkm
+ *
+ * @addtogroup tkm
+ * @{
+ *
+ * Untrusted IKEv2 component used with Trusted Key Manager for IKE
+ * disaggregation.
+ *
+ * The untrusted IKEv2 component used in conjunction with the Trusted Key
+ * Manager infrastructure is implemented as a separate charon instance located
+ * in its own directory below the strongSwan top-level source directory
+ * (src/charon-tkm). This has the advantage that the TKM code is contained and
+ * does not mix with other strongSwan files. The charon-tkm binary startup code
+ * is modeled after the charon-nm instance, a special charon daemon variant to
+ * be used with the GNOME NetworkManager project. The major difference is the
+ * registration of custom TKM plugins as the final step of the startup phase.
+ * The charon-tkm daemon does not rely on the dynamic plugin loading mechanism
+ * for its core plugins, they are statically registered before entering the main
+ * processing loop.
+ *
+ * The following diagram shows the main components of the system and how they
+ * communicate.
+   @verbatim
+
+       +------------+            +------------+             +------------+
+       | xfrm-proxy |<-[tkm-rpc->| charon-tkm |<-[tkm-rpc]->|    TKM     |
+       +------------+            +------------+             +------------+
+             ^                                                    ^
+    [Netlink | XFRM]                                        [XFRM | Netlink]
+             |                                                    v
+       +-----------------------------------------------------------------+
+       |                            Kernel                               |
+       +-----------------------------------------------------------------+
+
+   @endverbatim
+ * Since the charon-tkm code uses the tkm-rpc library written in Ada, the daemon
+ * has to be built using an Ada-aware toolchain. The integration of Ada code
+ * into the strongSwan codebase is explained in the TKM documentation, section
+ * 5.4.1: http://www.codelabs.ch/tkm#anchor-doc.
+ *
+ * The Trusted Key Manager (TKM) is a minimal Trusted Computing Base which
+ * implements security-critical functions of the IKEv2 protocol.
+ *
+ * The xfrm-proxy receives XFRM Acquire and Expiry events from the kernel and
+ * forwards them to the charon-tkm IKE daemon for further processing.
+ *
+ * The underlying concept of IKE disaggregation and the design of TKM and all
+ * related components, of which charon-tkm is one component, is presented in
+ * detail in the project documentation found at
+ * http://www.codelabs.ch/tkm#anchor-doc.
+ */
+
+#ifndef TKM_H_
+#define TKM_H_
+
+#include "tkm_id_manager.h"
+#include "tkm_chunk_map.h"
+
+typedef struct tkm_t tkm_t;
+
+/**
+ * Trusted key manager context, contains tkm related globals.
+ */
+struct tkm_t {
+
+	/**
+	 * Context ID manager.
+	 */
+	tkm_id_manager_t *idmgr;
+
+	/**
+	 * Chunk-to-ID mappings.
+	 */
+	tkm_chunk_map_t *chunk_map;
+
+};
+
+/**
+ * Initialize trusted key manager, creates "tkm" instance.
+ *
+ * @return				FALSE if initialization error occurred
+ */
+bool tkm_init();
+
+/**
+ * Deinitialize trusted key manager, destroys "tkm" instance.
+ */
+void tkm_deinit();
+
+/**
+ * Trusted key manager instance, set after tkm_init() and before tkm_deinit()
+ * calls.
+ */
+extern tkm_t *tkm;
+
+#endif /** TKM_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_chunk_map.c b/src/charon-tkm/src/tkm/tkm_chunk_map.c
new file mode 100644
index 000000000..03ff22836
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_chunk_map.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <collections/hashtable.h>
+#include <threading/rwlock.h>
+#include <utils/chunk.h>
+#include <utils/debug.h>
+
+#include "tkm_chunk_map.h"
+
+typedef struct private_tkm_chunk_map_t private_tkm_chunk_map_t;
+
+/**
+ * Private data of tkm chunk map.
+ */
+struct private_tkm_chunk_map_t {
+
+	/**
+	 * public functions
+	 */
+	tkm_chunk_map_t public;
+
+	/**
+	 * Hashtable to store mappings.
+	 */
+	hashtable_t *mappings;
+
+	/**
+	 * rwlock for table.
+	 */
+	rwlock_t *lock;
+
+};
+
+/**
+ * Entry for hashtables
+ */
+typedef struct {
+	/** Key chunk */
+	chunk_t key;
+	/** Entry value */
+	uint64_t value;
+} entry_t;
+
+/**
+ * Destroy a hashtable entry
+ */
+static void entry_destroy(entry_t *this)
+{
+	chunk_free(&this->key);
+	free(this);
+}
+
+METHOD(tkm_chunk_map_t, insert, void,
+	private_tkm_chunk_map_t * const this, const chunk_t * const data,
+	const uint64_t id)
+{
+	entry_t *entry;
+	INIT(entry,
+		.key = chunk_clone(*data),
+		.value = id
+	);
+
+	this->lock->write_lock(this->lock);
+	entry = this->mappings->put(this->mappings, (void*)&entry->key, entry);
+	this->lock->unlock(this->lock);
+
+	if (entry)
+	{
+		entry_destroy(entry);
+	}
+}
+
+METHOD(tkm_chunk_map_t, get_id, uint64_t,
+	private_tkm_chunk_map_t * const this, chunk_t *data)
+{
+	entry_t *entry;
+	this->lock->read_lock(this->lock);
+	entry = this->mappings->get(this->mappings, data);
+	this->lock->unlock(this->lock);
+
+	if (!entry)
+	{
+		return 0;
+	}
+
+	return entry->value;
+}
+
+METHOD(tkm_chunk_map_t, remove_, bool,
+	private_tkm_chunk_map_t * const this, chunk_t *data)
+{
+	entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	entry = this->mappings->remove(this->mappings, data);
+	this->lock->unlock(this->lock);
+
+	if (entry)
+	{
+		entry_destroy(entry);
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
+}
+
+METHOD(tkm_chunk_map_t, destroy, void,
+	private_tkm_chunk_map_t *this)
+{
+	entry_t *entry;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->mappings->create_enumerator(this->mappings);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		entry_destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	this->mappings->destroy(this->mappings);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Hashtable hash function.
+ */
+static u_int hash(chunk_t *key)
+{
+	return chunk_hash(*key);
+}
+
+/*
+ * see header file
+ */
+tkm_chunk_map_t *tkm_chunk_map_create()
+{
+	private_tkm_chunk_map_t *this;
+
+	INIT(this,
+		.public = {
+			.insert = _insert,
+			.get_id = _get_id,
+			.remove = _remove_,
+			.destroy = _destroy,
+		},
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.mappings = hashtable_create((hashtable_hash_t)hash,
+									 (hashtable_equals_t)chunk_equals_ptr, 32),
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_chunk_map.h b/src/charon-tkm/src/tkm/tkm_chunk_map.h
new file mode 100644
index 000000000..c183937c1
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_chunk_map.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-chunk-map chunk map
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_CHUNK_MAP_H_
+#define TKM_CHUNK_MAP_H_
+
+#include <stdint.h>
+#include <utils/chunk.h>
+
+typedef struct tkm_chunk_map_t tkm_chunk_map_t;
+
+/**
+ * The tkm chunk map handles mappings of chunks to ids.
+ */
+struct tkm_chunk_map_t {
+
+	/**
+	 * Store new mapping for given chunk and id.
+	 *
+	 * @param data	data associated with id
+	 * @param id	id associated with data
+	 */
+	void (*insert)(tkm_chunk_map_t * const this, const chunk_t * const data,
+				   const uint64_t id);
+
+	/**
+	 * Get id for given chunk.
+	 *
+	 * @param data	data specifying the mapping
+	 * @return		id of given chunk, 0 if not found
+	 */
+	uint64_t (*get_id)(tkm_chunk_map_t * const this, chunk_t *data);
+
+	/**
+	 * Remove mapping for given chunk.
+	 *
+	 * @param data	data specifying the mapping to remove
+	 * @return		TRUE if mapping was removed, FALSE otherwise
+	 */
+	bool (*remove)(tkm_chunk_map_t * const this, chunk_t *data);
+
+	/**
+	 * Destroy a tkm chunk map instance.
+	 */
+	void (*destroy)(tkm_chunk_map_t *this);
+
+};
+
+/**
+ * Create a tkm chunk map instance.
+ */
+tkm_chunk_map_t *tkm_chunk_map_create();
+
+#endif /** TKM_CHUNK_MAP_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_cred.c b/src/charon-tkm/src/tkm/tkm_cred.c
new file mode 100644
index 000000000..d9517f908
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_cred.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <credentials/sets/mem_cred.h>
+#include <collections/hashtable.h>
+#include <threading/rwlock.h>
+#include <utils/debug.h>
+
+#include "tkm_private_key.h"
+#include "tkm_cred.h"
+
+typedef struct private_tkm_cred_t private_tkm_cred_t;
+
+/**
+ * Private data of a tkm_cred_t object.
+ */
+struct private_tkm_cred_t {
+
+	/**
+	 * Public tkm_cred_t interface.
+	 */
+	tkm_cred_t public;
+
+	/**
+	 * In-memory credential set.
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * Key-id hashtable.
+	 */
+	hashtable_t *known_keys;
+
+	/**
+	 * rwlock for hashtable.
+	 */
+	rwlock_t *lock;
+
+};
+
+METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
+	private_tkm_cred_t *this, key_type_t type, identification_t *id)
+{
+	identification_t *entry;
+
+	if (!id)
+	{
+		return this->known_keys->create_enumerator(this->known_keys);
+	}
+
+	this->lock->write_lock(this->lock);
+	entry = this->known_keys->get(this->known_keys, id);
+
+	if (!entry)
+	{
+		identification_t *clone = id->clone(id);
+		tkm_private_key_t *key = tkm_private_key_init(id);
+
+		DBG1(DBG_CFG, "adding private key proxy for id '%Y'", clone);
+		if (!key)
+		{
+			DBG1(DBG_CFG, "unable to create private key for id '%Y'", clone);
+			this->lock->unlock(this->lock);
+			return NULL;
+		}
+		this->creds->add_key(this->creds, (private_key_t *)key);
+		entry = this->known_keys->put(this->known_keys, clone, clone);
+	}
+	this->lock->unlock(this->lock);
+
+	return this->creds->set.create_private_enumerator(&this->creds->set,
+													  type, id);
+}
+
+METHOD(tkm_cred_t, destroy, void,
+	private_tkm_cred_t *this)
+{
+	enumerator_t *enumerator;
+	identification_t *entry;
+
+	enumerator = this->known_keys->create_enumerator(this->known_keys);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		entry->destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->known_keys->destroy(this->known_keys);
+
+	this->creds->destroy(this->creds);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Hashtable hash function.
+ */
+static u_int hash(identification_t *id)
+{
+	return chunk_hash(id->get_encoding(id));
+}
+
+/**
+ * Hashtable equals function.
+ */
+static bool equals(identification_t *a, identification_t *b)
+{
+	return a->equals(a, b);
+}
+
+/**
+ * See header
+ */
+tkm_cred_t *tkm_cred_create()
+{
+	private_tkm_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = (void*)return_null,
+				.create_private_enumerator = _create_private_enumerator,
+				.create_cert_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.creds = mem_cred_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.known_keys = hashtable_create((hashtable_hash_t)hash,
+									   (hashtable_equals_t)equals, 4),
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_cred.h b/src/charon-tkm/src/tkm/tkm_cred.h
new file mode 100644
index 000000000..1cfb5b9c7
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_cred.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-credential credential set
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_CRED_H_
+#define TKM_CRED_H_
+
+typedef struct tkm_cred_t tkm_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * TKM in-memory credential set.
+ */
+struct tkm_cred_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a tkm_cred_t.
+	 */
+	void (*destroy)(tkm_cred_t *this);
+
+};
+
+/**
+ * Create a tkm_cred instance.
+ */
+tkm_cred_t *tkm_cred_create();
+
+#endif /** TKM_CRED_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
new file mode 100644
index 000000000..19f57de01
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -0,0 +1,140 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <tkm/client.h>
+#include <tkm/constants.h>
+
+#include "tkm.h"
+#include "tkm_utils.h"
+#include "tkm_diffie_hellman.h"
+
+#include <utils/debug.h>
+
+typedef struct private_tkm_diffie_hellman_t private_tkm_diffie_hellman_t;
+
+/**
+ * Private data of a tkm_diffie_hellman_t object.
+ */
+struct private_tkm_diffie_hellman_t {
+
+	/**
+	 * Public tkm_diffie_hellman_t interface.
+	 */
+	tkm_diffie_hellman_t public;
+
+	/**
+	 * Diffie Hellman group number.
+	 */
+	u_int16_t group;
+
+	/**
+	 * Diffie Hellman public value.
+	 */
+	dh_pubvalue_type pubvalue;
+
+	/**
+	 * Context id.
+	 */
+	dh_id_type context_id;
+
+};
+
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_tkm_diffie_hellman_t *this, chunk_t *value)
+{
+	sequence_to_chunk(this->pubvalue.data, this->pubvalue.size, value);
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_tkm_diffie_hellman_t *this, chunk_t *secret)
+{
+	*secret = chunk_empty;
+	return SUCCESS;
+}
+
+
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_tkm_diffie_hellman_t *this, chunk_t value)
+{
+	// TODO: unvoid this function
+
+	dh_pubvalue_type othervalue;
+	othervalue.size = value.len;
+	memcpy(&othervalue.data, value.ptr, value.len);
+
+	ike_dh_generate_key(this->context_id, othervalue);
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_tkm_diffie_hellman_t *this)
+{
+	return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_tkm_diffie_hellman_t *this)
+{
+	if (ike_dh_reset(this->context_id) != TKM_OK)
+	{
+		DBG1(DBG_LIB, "failed to reset DH context %d", this->context_id);
+	}
+
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_DH, this->context_id);
+	free(this);
+}
+
+METHOD(tkm_diffie_hellman_t, get_id, dh_id_type,
+	private_tkm_diffie_hellman_t *this)
+{
+	return this->context_id;
+}
+
+/*
+ * Described in header.
+ */
+tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	private_tkm_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+			.get_id = _get_id,
+		},
+		.group = group,
+		.context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_DH),
+	);
+
+	if (!this->context_id)
+	{
+		free(this);
+		return NULL;
+	}
+
+	if (ike_dh_create(this->context_id, group, &this->pubvalue) != TKM_OK)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.h b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
new file mode 100644
index 000000000..a144303fa
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-dh diffie hellman
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_DIFFIE_HELLMAN_H_
+#define TKM_DIFFIE_HELLMAN_H_
+
+typedef struct tkm_diffie_hellman_t tkm_diffie_hellman_t;
+
+#include <library.h>
+#include <tkm/types.h>
+
+/**
+ * diffie_hellman_t implementation using the trusted key manager.
+ */
+struct tkm_diffie_hellman_t {
+
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+
+	/**
+	 * Get Diffie-Hellman context id.
+	 *
+	 * @return	id of this DH context.
+	 */
+	dh_id_type (*get_id)(tkm_diffie_hellman_t * const this);
+
+};
+
+/**
+ * Creates a new tkm_diffie_hellman_t object.
+ *
+ * @param group			Diffie Hellman group number to use
+ * @return				tkm_diffie_hellman_t object, NULL if not supported
+ */
+tkm_diffie_hellman_t *tkm_diffie_hellman_create(diffie_hellman_group_t group);
+
+#endif /** TKM_DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c b/src/charon-tkm/src/tkm/tkm_encoder.c
new file mode 100644
index 000000000..d5367ea78
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#include "tkm_encoder.h"
+
+/**
+ * Build the SHA1 hash of pubkey(info) ASN.1 data.
+ */
+static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
+{
+	hasher_t *hasher;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
+	{
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+			 "fingerprinting failed");
+		DESTROY_IF(hasher);
+		chunk_free(&pubkey);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	chunk_free(&pubkey);
+	return TRUE;
+}
+
+/**
+ * Encode the public key blob into subjectPublicKeyInfo.
+ */
+static bool build_pub_info(chunk_t *encoding, va_list args)
+{
+	chunk_t blob;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+						   CRED_PART_END))
+	{
+		*encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+							  asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+							  asn1_bitstring("c", blob));
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKeyInfo object.
+ */
+static bool build_info_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t pubkey;
+
+	if (build_pub_info(&pubkey, args))
+	{
+		return hash_pubkey(pubkey, encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKey object.
+ */
+static bool build_sha1(chunk_t *encoding, va_list args)
+{
+	chunk_t blob;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+						   CRED_PART_END))
+	{
+		return hash_pubkey(chunk_clone(blob), encoding);
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						va_list args)
+{
+	switch (type)
+	{
+		case KEYID_PUBKEY_INFO_SHA1:
+			return build_info_sha1(encoding, args);
+		case KEYID_PUBKEY_SHA1:
+			return build_sha1(encoding, args);
+		default:
+			return FALSE;
+	}
+}
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.h b/src/charon-tkm/src/tkm/tkm_encoder.h
new file mode 100644
index 000000000..7c6a4989d
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-credential-enc credential encoder
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_ENCODER_H_
+#define TKM_ENCODER_H_
+
+#include <credentials/cred_encoding.h>
+
+/**
+ * Encoding function for TKM key fingerprints.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						va_list args);
+
+#endif /** TKM_ENCODER_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
new file mode 100644
index 000000000..407d0a87f
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tkm_id_manager.h"
+
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+#define TKM_LIMIT 100
+
+ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA,
+	"NONCE_CONTEXT",
+	"DH_CONTEXT",
+	"CC_CONTEXT"
+	"ISA_CONTEXT",
+	"AE_CONTEXT",
+	"ESA_CONTEXT");
+ENUM_END(tkm_context_kind_names, TKM_CTX_ESA);
+
+typedef struct private_tkm_id_manager_t private_tkm_id_manager_t;
+
+/**
+ * private data of tkm_id_manager
+ */
+struct private_tkm_id_manager_t {
+
+	/**
+	 * public functions
+	 */
+	tkm_id_manager_t public;
+
+	/**
+	 * Per-kind array of free context ids
+	 */
+	bool* ctxids[TKM_CTX_MAX];
+
+	/**
+	 * Per-kind context limits.
+	 */
+	tkm_limits_t limits;
+
+	/**
+	 * rwlocks for context id lists
+	 */
+	rwlock_t *locks[TKM_CTX_MAX];
+
+};
+
+/**
+ * Check if given kind is a valid context kind value.
+ *
+ * @param kind			context kind to check
+ * @return				TRUE if given kind is a valid context kind,
+ *						FALSE otherwise
+ */
+static bool is_valid_kind(const tkm_context_kind_t kind)
+{
+	return (int)kind >= 0 && kind < TKM_CTX_MAX;
+};
+
+METHOD(tkm_id_manager_t, acquire_id, int,
+	private_tkm_id_manager_t * const this, const tkm_context_kind_t kind)
+{
+	int id = 0;
+	uint64_t j;
+
+	if (!is_valid_kind(kind))
+	{
+		DBG1(DBG_LIB, "tried to acquire id for invalid context kind '%d'",
+			 kind);
+		return 0;
+	}
+
+	this->locks[kind]->write_lock(this->locks[kind]);
+	for (j = 0; j < this->limits[kind]; j++)
+	{
+		if (!this->ctxids[kind][j])
+		{
+			this->ctxids[kind][j] = true;
+			id = j + 1;
+			break;
+		}
+	}
+	this->locks[kind]->unlock(this->locks[kind]);
+
+	if (!id)
+	{
+		DBG1(DBG_LIB, "acquiring %N context id failed",	tkm_context_kind_names,
+			 kind);
+	}
+
+	return id;
+}
+
+METHOD(tkm_id_manager_t, release_id, bool,
+	private_tkm_id_manager_t * const this, const tkm_context_kind_t kind,
+	const int id)
+{
+	const int idx = id - 1;
+
+	if (!is_valid_kind(kind))
+	{
+		DBG1(DBG_LIB, "tried to release id %d for invalid context kind '%d'",
+			 id, kind);
+		return FALSE;
+	}
+
+	this->locks[kind]->write_lock(this->locks[kind]);
+	this->ctxids[kind][idx] = false;
+	this->locks[kind]->unlock(this->locks[kind]);
+
+	return TRUE;
+}
+
+
+METHOD(tkm_id_manager_t, destroy, void,
+	private_tkm_id_manager_t *this)
+{
+	int i;
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		free(this->ctxids[i]);
+		this->locks[i]->destroy(this->locks[i]);
+	}
+	free(this);
+}
+
+/*
+ * see header file
+ */
+tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits)
+{
+	private_tkm_id_manager_t *this;
+	int i;
+
+	INIT(this,
+		.public = {
+			.acquire_id = _acquire_id,
+			.release_id = _release_id,
+			.destroy = _destroy,
+		},
+	);
+
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		this->limits[i] = limits[i];
+		this->ctxids[i] = calloc(limits[i], sizeof(bool));
+		this->locks[i] = rwlock_create(RWLOCK_TYPE_DEFAULT);
+		DBG2(DBG_LIB, "%N initialized, %llu slot(s)", tkm_context_kind_names, i,
+			 limits[i]);
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.h b/src/charon-tkm/src/tkm/tkm_id_manager.h
new file mode 100644
index 000000000..0fc9ff8ef
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-id-manager id manager
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_ID_MANAGER_H_
+#define TKM_ID_MANAGER_H_
+
+#include <library.h>
+
+typedef struct tkm_id_manager_t tkm_id_manager_t;
+typedef enum tkm_context_kind_t tkm_context_kind_t;
+
+/**
+ * Trusted key manager context kinds.
+ */
+enum tkm_context_kind_t {
+	/** Nonce context */
+	TKM_CTX_NONCE,
+	/** Diffie-Hellman context */
+	TKM_CTX_DH,
+	/** Certificate chain context */
+	TKM_CTX_CC,
+	/** IKE SA context */
+	TKM_CTX_ISA,
+	/** Authenticated Endpoint context */
+	TKM_CTX_AE,
+	/** ESP SA context */
+	TKM_CTX_ESA,
+
+	/** helper to determine the number of elements in this enum */
+	TKM_CTX_MAX,
+};
+
+/**
+ * enum name for context_kind_t.
+ */
+extern enum_name_t *tkm_context_kind_names;
+
+/**
+ * TKM context limits.
+ */
+typedef uint64_t tkm_limits_t[TKM_CTX_MAX];
+
+/**
+ * The tkm id manager hands out context ids for all context kinds (e.g. nonce).
+ */
+struct tkm_id_manager_t {
+
+	/**
+	 * Acquire new context id for a specific context kind.
+	 *
+	 * @param kind			kind of context id to acquire
+	 * @return				context id of given kind,
+	 *						0 if no id of given kind could be acquired
+	 */
+	int (*acquire_id)(tkm_id_manager_t * const this,
+					  const tkm_context_kind_t kind);
+
+	/**
+	 * Release a previously acquired context id.
+	 *
+	 * @param kind			kind of context id to release
+	 * @param id			id to release
+	 * @return				TRUE if id was released, FALSE otherwise
+	 */
+	bool (*release_id)(tkm_id_manager_t * const this,
+					   const tkm_context_kind_t kind,
+					   const int id);
+
+	/**
+	 * Destroy a tkm_id_manager instance.
+	 */
+	void (*destroy)(tkm_id_manager_t *this);
+
+};
+
+/**
+ * Create a tkm id manager instance using the given context limits.
+ */
+tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits);
+
+#endif /** TKM_ID_MANAGER_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
new file mode 100644
index 000000000..1d070fd5f
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+#include <netinet/udp.h>
+#include <linux/xfrm.h>
+#include <utils/debug.h>
+#include <utils/chunk.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_utils.h"
+#include "tkm_types.h"
+#include "tkm_keymat.h"
+#include "tkm_kernel_sad.h"
+#include "tkm_kernel_ipsec.h"
+
+/** From linux/in.h */
+#ifndef IP_XFRM_POLICY
+#define IP_XFRM_POLICY 17
+#endif
+
+typedef struct private_tkm_kernel_ipsec_t private_tkm_kernel_ipsec_t;
+
+/**
+ * Private variables and functions of TKM kernel ipsec instance.
+ */
+struct private_tkm_kernel_ipsec_t {
+
+	/**
+	 * Public tkm_kernel_ipsec interface.
+	 */
+	tkm_kernel_ipsec_t public;
+
+	/**
+	 * RNG used for SPI generation.
+	 */
+	rng_t *rng;
+
+	/**
+	 * CHILD/ESP SA database.
+	 */
+	tkm_kernel_sad_t *sad;
+
+};
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	bool result;
+
+	if (!this->rng)
+	{
+		this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!this->rng)
+		{
+			DBG1(DBG_KNL, "unable to create RNG");
+			return FAILED;
+		}
+	}
+
+	DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
+	result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
+								  (u_int8_t *)spi);
+	return result ? SUCCESS : FAILED;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool _initiator, bool encap, bool esn, bool inbound,
+	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+{
+	esa_info_t esa;
+	bool initiator;
+	esp_spi_type spi_loc, spi_rem;
+	host_t *local, *peer;
+	chunk_t *nonce_loc, *nonce_rem;
+	nc_id_type nonce_loc_id;
+	esa_id_type esa_id;
+	nonce_type nc_rem;
+
+	if (enc_key.ptr == NULL)
+	{
+		DBG1(DBG_KNL, "Unable to get ESA information");
+		return FAILED;
+	}
+	esa = *(esa_info_t *)(enc_key.ptr);
+
+	/* only handle the case where we have both distinct ESP spi's available */
+	if (esa.spi_r == spi)
+	{
+		chunk_free(&esa.nonce_i);
+		chunk_free(&esa.nonce_r);
+		return SUCCESS;
+	}
+
+	/* Initiator if encr_r is passed as enc_key to the inbound add_sa call */
+	/* TODO: does the new _initiator parameter have the same meaning? */
+	initiator = esa.is_encr_r && inbound;
+	if (initiator)
+	{
+		spi_loc = spi;
+		spi_rem = esa.spi_r;
+		local = dst;
+		peer = src;
+		nonce_loc = &esa.nonce_i;
+		nonce_rem = &esa.nonce_r;
+	}
+	else
+	{
+		spi_loc = esa.spi_r;
+		spi_rem = spi;
+		local = src;
+		peer = dst;
+		nonce_loc = &esa.nonce_r;
+		nonce_rem = &esa.nonce_i;
+	}
+
+	esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
+	if (!this->sad->insert(this->sad, esa_id, peer, local, spi_loc, protocol))
+	{
+		DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
+		goto sad_failure;
+	}
+
+	/*
+	 * creation of first CHILD SA:
+	 * no nonce and no dh contexts because the ones from the IKE SA are re-used
+	 */
+	nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce_loc);
+	if (nonce_loc_id == 0 && esa.dh_id == 0)
+	{
+		if (ike_esa_create_first(esa_id, esa.isa_id, reqid, 1, spi_loc, spi_rem)
+			!= TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu, first) creation failed", esa_id);
+			goto failure;
+		}
+	}
+	/* creation of child SA without PFS: no dh context */
+	else if (nonce_loc_id != 0 && esa.dh_id == 0)
+	{
+		chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
+		if (ike_esa_create_no_pfs(esa_id, esa.isa_id, reqid, 1, nonce_loc_id,
+								  nc_rem, initiator, spi_loc, spi_rem)
+			!= TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu, no PFS) creation failed", esa_id);
+			goto failure;
+		}
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
+	}
+	/* creation of subsequent child SA with PFS: nonce and dh context are set */
+	else
+	{
+		chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
+		if (ike_esa_create(esa_id, esa.isa_id, reqid, 1, esa.dh_id, nonce_loc_id,
+						   nc_rem, initiator, spi_loc, spi_rem) != TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu) creation failed", esa_id);
+			goto failure;
+		}
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id);
+	}
+	if (ike_esa_select(esa_id) != TKM_OK)
+	{
+		DBG1(DBG_KNL, "error selecting new child SA (%llu)", esa_id);
+		if (ike_esa_reset(esa_id) != TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
+		}
+		goto failure;
+	}
+
+	DBG1(DBG_KNL, "added child SA (esa: %llu, isa: %llu, esp_spi_loc: %x, "
+		 "esp_spi_rem: %x, role: %s)", esa_id, esa.isa_id, ntohl(spi_loc),
+		 ntohl(spi_rem), initiator ? "initiator" : "responder");
+	chunk_free(&esa.nonce_i);
+	chunk_free(&esa.nonce_r);
+
+	return SUCCESS;
+
+failure:
+	this->sad->remove(this->sad, esa_id);
+sad_failure:
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
+	chunk_free(&esa.nonce_i);
+	chunk_free(&esa.nonce_r);
+	return FAILED;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes,
+	u_int64_t *packets, u_int32_t *time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	esa_id_type esa_id;
+
+	esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, protocol);
+	if (esa_id)
+	{
+		DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
+			 ntohl(spi));
+		if (ike_esa_reset(esa_id) != TKM_OK)
+		{
+			DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
+			return FAILED;
+		}
+		this->sad->remove(this->sad, esa_id);
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_tkm_kernel_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool old_encap, bool new_encap, mark_t mark)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, flush_sas, status_t,
+	private_tkm_kernel_ipsec_t *this)
+{
+	DBG1(DBG_KNL, "flushing child SA entries");
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, policy_priority_t priority)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_tkm_kernel_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_tkm_kernel_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	mark_t mark, policy_priority_t prio)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, flush_policies, status_t,
+	private_tkm_kernel_ipsec_t *this)
+{
+	return SUCCESS;
+}
+
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_tkm_kernel_ipsec_t *this, int fd, int family)
+{
+	struct xfrm_userpolicy_info policy;
+	u_int sol, ipsec_policy;
+
+	switch (family)
+	{
+		case AF_INET:
+			sol = SOL_IP;
+			ipsec_policy = IP_XFRM_POLICY;
+			break;
+		case AF_INET6:
+			sol = SOL_IPV6;
+			ipsec_policy = IPV6_XFRM_POLICY;
+			break;
+		default:
+			return FALSE;
+	}
+
+	memset(&policy, 0, sizeof(policy));
+	policy.action = XFRM_POLICY_ALLOW;
+	policy.sel.family = family;
+
+	policy.dir = XFRM_POLICY_OUT;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	policy.dir = XFRM_POLICY_IN;
+	if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+	private_tkm_kernel_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+	int type = UDP_ENCAP_ESPINUDP;
+
+	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_tkm_kernel_ipsec_t *this)
+{
+	DESTROY_IF(this->rng);
+	DESTROY_IF(this->sad);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
+{
+	private_tkm_kernel_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.flush_sas = _flush_sas,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.flush_policies = _flush_policies,
+				.bypass_socket = _bypass_socket,
+				.enable_udp_decap = _enable_udp_decap,
+				.destroy = _destroy,
+			},
+		},
+		.sad = tkm_kernel_sad_create(),
+	);
+
+	if (!this->sad)
+	{
+		DBG1(DBG_KNL, "unable to create SAD");
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.h b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.h
new file mode 100644
index 000000000..14db21266
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-kernel-ipsec kernel ipsec
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_KERNEL_IPSEC_H_
+#define TKM_KERNEL_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct tkm_kernel_ipsec_t tkm_kernel_ipsec_t;
+
+/**
+ * TKM implementation of the kernel ipsec interface.
+ */
+struct tkm_kernel_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a TKM kernel ipsec interface instance.
+ *
+ * @return			tkm_kernel_ipsec_t instance
+ */
+tkm_kernel_ipsec_t *tkm_kernel_ipsec_create();
+
+#endif /** TKM_KERNEL_IPSEC_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
new file mode 100644
index 000000000..360a47bdc
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <collections/linked_list.h>
+#include <threading/mutex.h>
+#include <utils/debug.h>
+
+#include "tkm_kernel_sad.h"
+
+typedef struct private_tkm_kernel_sad_t private_tkm_kernel_sad_t;
+
+/**
+ * Private data of tkm_kernel_sad.
+ */
+struct private_tkm_kernel_sad_t {
+
+	/**
+	 * Public functions.
+	 */
+	tkm_kernel_sad_t public;
+
+	/**
+	 * Linked list of SAD entries.
+	 */
+	linked_list_t *data;
+
+	/**
+	 * Lock used to protect SA data.
+	 */
+	mutex_t *mutex;
+
+};
+
+typedef struct sad_entry_t sad_entry_t;
+
+/**
+ * Data structure holding all information of an SAD entry.
+ */
+struct sad_entry_t {
+
+	/**
+	 * ESA identifier.
+	 */
+	esa_id_type esa_id;
+
+	/**
+	 * Source address of CHILD SA.
+	 */
+	host_t *src;
+
+	/**
+	 * Destination address of CHILD SA.
+	 */
+	host_t *dst;
+
+	/**
+	 * SPI of CHILD SA.
+	 */
+	u_int32_t spi;
+
+	/**
+	 * Protocol of CHILD SA (ESP/AH).
+	 */
+	u_int8_t proto;
+
+};
+
+/**
+ * Destroy an sad_entry_t object.
+ */
+static void sad_entry_destroy(sad_entry_t *entry)
+{
+	if (entry)
+	{
+		DESTROY_IF(entry->src);
+		DESTROY_IF(entry->dst);
+		free(entry);
+	}
+}
+
+/**
+ * Find a list entry with given src, dst, spi and proto values.
+ */
+static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
+							const host_t * const dst, const u_int32_t * const spi,
+							const u_int8_t * const proto)
+{
+	if (entry->src == NULL || entry->dst == NULL)
+	{
+		return FALSE;
+	}
+
+	return src->ip_equals(entry->src, (host_t *)src) &&
+		   dst->ip_equals(entry->dst, (host_t *)dst) &&
+		   entry->spi == *spi && entry->proto == *proto;
+}
+
+/**
+ * Compare two SAD entries for equality.
+ */
+static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
+{
+	if (left->src == NULL || left->dst == NULL || right->src == NULL ||
+		right->dst == NULL)
+	{
+		return FALSE;
+	}
+	return left->esa_id == right->esa_id &&
+		   left->src->ip_equals(left->src, right->src) &&
+		   left->dst->ip_equals(left->dst, right->dst) &&
+		   left->spi == right->spi && left->proto == right->proto;
+}
+
+METHOD(tkm_kernel_sad_t, insert, bool,
+	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id,
+	const host_t * const src, const host_t * const dst, const u_int32_t spi,
+	const u_int8_t proto)
+{
+	status_t result;
+	sad_entry_t *new_entry;
+
+	INIT(new_entry,
+		 .esa_id = esa_id,
+		 .src = (host_t *)src,
+		 .dst = (host_t *)dst,
+		 .spi = spi,
+		 .proto = proto,
+	);
+
+	this->mutex->lock(this->mutex);
+	result = this->data->find_first(this->data,
+									(linked_list_match_t)sad_entry_equal, NULL,
+									new_entry);
+	if (result == NOT_FOUND)
+	{
+		DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, src: %H, dst: %H, "
+			 "spi: %x, proto: %u)", esa_id, src, dst, ntohl(spi), proto);
+		new_entry->src = src->clone((host_t *)src);
+		new_entry->dst = dst->clone((host_t *)dst);
+		this->data->insert_last(this->data, new_entry);
+	}
+	else
+	{
+		DBG1(DBG_KNL, "SAD entry with esa id %llu already exists!", esa_id);
+		free(new_entry);
+	}
+	this->mutex->unlock(this->mutex);
+	return result == NOT_FOUND;
+}
+
+METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
+	private_tkm_kernel_sad_t * const this, const host_t * const src,
+	const host_t * const dst, const u_int32_t spi, const u_int8_t proto)
+{
+	esa_id_type id = 0;
+	sad_entry_t *entry = NULL;
+
+	this->mutex->lock(this->mutex);
+	const status_t res = this->data->find_first(this->data,
+												(linked_list_match_t)sad_entry_match,
+												(void**)&entry, src, dst, &spi,
+												&proto);
+	if (res == SUCCESS && entry)
+	{
+		id = entry->esa_id;
+		DBG3(DBG_KNL, "getting ESA id of SAD entry (esa: %llu, src: %H, "
+			 "dst: %H, spi: %x, proto: %u)", id, src, dst, ntohl(spi),
+			 proto);
+	}
+	else
+	{
+		DBG3(DBG_KNL, "no SAD entry found");
+	}
+	this->mutex->unlock(this->mutex);
+	return id;
+}
+
+METHOD(tkm_kernel_sad_t, _remove, bool,
+	private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
+{
+	sad_entry_t *current;
+	bool removed = FALSE;
+	enumerator_t *enumerator;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->data->create_enumerator(this->data);
+	while (enumerator->enumerate(enumerator, (void **)&current))
+	{
+		if (current->esa_id == esa_id)
+		{
+			this->data->remove_at(this->data, enumerator);
+			sad_entry_destroy(current);
+			removed = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (removed)
+	{
+		DBG3(DBG_KNL, "removed SAD entry (esa: %llu)", esa_id);
+	}
+	else
+	{
+		DBG1(DBG_KNL, "no SAD entry with ESA id %llu found!", esa_id);
+	}
+	this->mutex->unlock(this->mutex);
+
+	return removed;
+}
+
+
+METHOD(tkm_kernel_sad_t, destroy, void,
+	private_tkm_kernel_sad_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	this->data->destroy_function(this->data, (void*)sad_entry_destroy);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+tkm_kernel_sad_t *tkm_kernel_sad_create()
+{
+	private_tkm_kernel_sad_t *this;
+
+	INIT(this,
+		.public = {
+			.insert = _insert,
+			.get_esa_id = _get_esa_id,
+			.remove = __remove,
+			.destroy = _destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.data = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
new file mode 100644
index 000000000..0194cd3bc
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-kernel-sad kernel sad
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_KERNEL_SAD_H_
+#define TKM_KERNEL_SAD_H_
+
+#include <networking/host.h>
+#include <tkm/types.h>
+
+typedef struct tkm_kernel_sad_t tkm_kernel_sad_t;
+
+/**
+ * The TKM kernel SAD (security association database) stores information about
+ * CHILD SAs.
+ */
+struct tkm_kernel_sad_t {
+
+	/**
+	 * Insert new SAD entry with specified parameters.
+	 *
+	 * @param esa_id		ESP SA context identifier
+	 * @param src			source address of CHILD SA
+	 * @param dst			destination address of CHILD SA
+	 * @param spi			SPI of CHILD SA
+	 * @param proto			protocol of CHILD SA (ESP/AH)
+	 * @return				TRUE if entry was inserted, FALSE otherwise
+	 */
+	bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id,
+				   const host_t * const src, const host_t * const dst,
+				   const u_int32_t spi, const u_int8_t proto);
+
+	/**
+	 * Get ESA id for entry with given parameters.
+	 *
+	 * @param src			source address of CHILD SA
+	 * @param dst			destination address of CHILD SA
+	 * @param spi			SPI of CHILD SA
+	 * @param proto			protocol of CHILD SA (ESP/AH)
+	 * @return				ESA id of entry if found, 0 otherwise
+	 */
+	esa_id_type (*get_esa_id)(tkm_kernel_sad_t * const this,
+				 const host_t * const src, const host_t * const dst,
+				 const u_int32_t spi, const u_int8_t proto);
+
+	/**
+	 * Remove entry with given ESA id from SAD.
+	 *
+	 * @param esa_id		ESA identifier of entry to remove
+	 * @return				TRUE if entry was removed, FALSE otherwise
+	 */
+	bool (*remove)(tkm_kernel_sad_t * const this, const esa_id_type esa_id);
+
+	/**
+	 * Destroy a tkm_kernel_sad instance.
+	 */
+	void (*destroy)(tkm_kernel_sad_t *this);
+
+};
+
+/**
+ * Create a TKM kernel SAD instance.
+ */
+tkm_kernel_sad_t *tkm_kernel_sad_create();
+
+#endif /** TKM_KERNEL_SAD_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
new file mode 100644
index 000000000..772fac8b0
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -0,0 +1,511 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_types.h"
+#include "tkm_utils.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
+
+typedef struct private_tkm_keymat_t private_tkm_keymat_t;
+
+/**
+ * Private data of a keymat_t object.
+ */
+struct private_tkm_keymat_t {
+
+	/**
+	 * Public tkm_keymat_t interface.
+	 */
+	tkm_keymat_t public;
+
+	/**
+	 * IKE_SA Role, initiator or responder.
+	 */
+	bool initiator;
+
+	/**
+	 * Inbound AEAD.
+	 */
+	aead_t *aead_in;
+
+	/**
+	 * Outbound AEAD.
+	 */
+	aead_t *aead_out;
+
+	/**
+	 * ISA context id.
+	 */
+	isa_id_type isa_ctx_id;
+
+	/**
+	 * AE context id.
+	 */
+	ae_id_type ae_ctx_id;
+
+	/**
+	 * AUTH payload chunk.
+	 */
+	chunk_t auth_payload;
+
+	/**
+	 * Peer init message chunk.
+	 */
+	chunk_t other_init_msg;
+
+};
+
+/**
+ * Create AEAD transforms from given key chunks.
+ *
+ * @param in			inbound AEAD transform to allocate, NULL if failed
+ * @param out			outbound AEAD transform to allocate, NULL if failed
+ * @param sk_ai			SK_ai key chunk
+ * @param sk_ar			SK_ar key chunk
+ * @param sk_ei			SK_ei key chunk
+ * @param sk_er			SK_er key chunk
+ * @param enc_alg		encryption algorithm to use
+ * @param int_alg		integrity algorithm to use
+ * @param key_size		encryption key size in bytes
+ * @param initiator		TRUE if initiator
+ */
+static void aead_create_from_keys(aead_t **in, aead_t **out,
+	   const chunk_t * const sk_ai, const chunk_t * const sk_ar,
+	   const chunk_t * const sk_ei, const chunk_t * const sk_er,
+	   const u_int16_t enc_alg, const u_int16_t int_alg,
+	   const u_int16_t key_size, bool initiator)
+{
+	*in = *out = NULL;
+	signer_t *signer_i, *signer_r;
+	crypter_t *crypter_i, *crypter_r;
+
+	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+	if (signer_i == NULL || signer_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, INTEGRITY_ALGORITHM,
+			 integrity_algorithm_names, int_alg);
+		return;
+	}
+	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
+	crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
+	if (crypter_i == NULL || crypter_r == NULL)
+	{
+		signer_i->destroy(signer_i);
+		signer_r->destroy(signer_r);
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, enc_alg, key_size);
+		return;
+	}
+
+	DBG4(DBG_IKE, "Sk_ai %B", sk_ai);
+	if (!signer_i->set_key(signer_i, *sk_ai))
+	{
+		return;
+	}
+	DBG4(DBG_IKE, "Sk_ar %B", sk_ar);
+	if (!signer_r->set_key(signer_r, *sk_ar))
+	{
+		return;
+	}
+	DBG4(DBG_IKE, "Sk_ei %B", sk_ei);
+	if (!crypter_i->set_key(crypter_i, *sk_ei))
+	{
+		return;
+	}
+	DBG4(DBG_IKE, "Sk_er %B", sk_er);
+	if (!crypter_r->set_key(crypter_r, *sk_er))
+	{
+		return;
+	}
+
+	if (initiator)
+	{
+		*in = aead_create(crypter_r, signer_r);
+		*out = aead_create(crypter_i, signer_i);
+	}
+	else
+	{
+		*in = aead_create(crypter_i, signer_i);
+		*out = aead_create(crypter_r, signer_r);
+	}
+}
+
+METHOD(keymat_t, get_version, ike_version_t,
+	private_tkm_keymat_t *this)
+{
+	return IKEV2;
+}
+
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+	private_tkm_keymat_t *this, diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);
+}
+
+METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
+	private_tkm_keymat_t *this)
+{
+	return lib->crypto->create_nonce_gen(lib->crypto);
+}
+
+METHOD(keymat_v2_t, derive_ike_keys, bool,
+	private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+{
+	u_int16_t enc_alg, int_alg, key_size;
+	u_int64_t nc_id, spi_loc, spi_rem;
+	chunk_t *nonce, c_ai, c_ar, c_ei, c_er;
+	tkm_diffie_hellman_t *tkm_dh;
+	dh_id_type dh_id;
+	nonce_type nonce_rem;
+	result_type res;
+	key_type sk_ai, sk_ar, sk_ei, sk_er;
+
+	/* Check encryption and integrity algorithms */
+	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg,
+								 &key_size))
+	{
+		DBG1(DBG_IKE, "no %N selected", transform_type_names,
+			 ENCRYPTION_ALGORITHM);
+		return FALSE;
+	}
+	if (encryption_algorithm_is_aead(enc_alg))
+	{
+		DBG1(DBG_IKE, "AEAD algorithm %N not supported",
+			 encryption_algorithm_names, enc_alg);
+		return FALSE;
+	}
+	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
+	{
+		DBG1(DBG_IKE, "no %N selected", transform_type_names,
+			 INTEGRITY_ALGORITHM);
+		return FALSE;
+	}
+	if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
+		  int_alg == AUTH_HMAC_SHA2_512_256))
+	{
+		DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, "
+			 "please update your configuration");
+		return FALSE;
+	}
+
+	DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
+		 encryption_algorithm_names, enc_alg, integrity_algorithm_names,
+		 int_alg);
+
+	/* Acquire nonce context id */
+	nonce = this->initiator ? &nonce_i : &nonce_r;
+	nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
+	if (!nc_id)
+	{
+		DBG1(DBG_IKE, "unable to acquire context id for nonce");
+		return FALSE;
+	}
+
+	/* Get DH context id */
+	tkm_dh = (tkm_diffie_hellman_t *)dh;
+	dh_id = tkm_dh->get_id(tkm_dh);
+
+	if (this->initiator)
+	{
+		chunk_to_sequence(&nonce_r, &nonce_rem, sizeof(nonce_type));
+		spi_loc = id->get_initiator_spi(id);
+		spi_rem = id->get_responder_spi(id);
+	}
+	else
+	{
+		chunk_to_sequence(&nonce_i, &nonce_rem, sizeof(nonce_type));
+		spi_loc = id->get_responder_spi(id);
+		spi_rem = id->get_initiator_spi(id);
+	}
+
+	if (rekey_function == PRF_UNDEFINED)
+	{
+		this->ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE);
+		if (!this->ae_ctx_id)
+		{
+			DBG1(DBG_IKE, "unable to acquire ae context id");
+			return FALSE;
+		}
+		DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
+			 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
+		res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
+							 nonce_rem, this->initiator, spi_loc, spi_rem,
+							 &sk_ai, &sk_ar, &sk_ei, &sk_er);
+	}
+	else
+	{
+		isa_info_t isa_info;
+
+		if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_info_t))
+		{
+			DBG1(DBG_IKE, "unable to retrieve parent isa info");
+			return FALSE;
+		}
+		isa_info = *((isa_info_t *)(rekey_skd.ptr));
+		DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu,"
+			 "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id,
+			 isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem);
+		this->ae_ctx_id = isa_info.ae_id;
+		res = ike_isa_create_child(this->isa_ctx_id, isa_info.parent_isa_id, 1,
+								   dh_id, nc_id, nonce_rem, this->initiator,
+								   spi_loc, spi_rem, &sk_ai, &sk_ar, &sk_ei,
+								   &sk_er);
+		chunk_free(&rekey_skd);
+	}
+
+	if (res != TKM_OK)
+	{
+		DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
+		return FALSE;
+	}
+
+	sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
+	sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
+	sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
+	sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
+
+	aead_create_from_keys(&this->aead_in, &this->aead_out, &c_ai, &c_ar, &c_ei,
+						  &c_er, enc_alg, int_alg, key_size / 8,
+						  this->initiator);
+
+	chunk_clear(&c_ai);
+	chunk_clear(&c_ar);
+	chunk_clear(&c_ei);
+	chunk_clear(&c_er);
+
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_IKE, "could not initialize AEAD transforms");
+		return FALSE;
+	}
+
+	/* TODO: Add failure handler (see keymat_v2.c) */
+
+	tkm->chunk_map->remove(tkm->chunk_map, nonce);
+	if (ike_nc_reset(nc_id) != TKM_OK)
+	{
+		DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
+	}
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
+
+	return TRUE;
+}
+
+METHOD(keymat_v2_t, derive_child_keys, bool,
+	private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
+	chunk_t *encr_r, chunk_t *integ_r)
+{
+	esa_info_t *esa_info_i, *esa_info_r;
+	dh_id_type dh_id = 0;
+
+	if (dh)
+	{
+		dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh);
+	}
+
+	INIT(esa_info_i,
+		 .isa_id = this->isa_ctx_id,
+		 .spi_r = proposal->get_spi(proposal),
+		 .nonce_i = chunk_clone(nonce_i),
+		 .nonce_r = chunk_clone(nonce_r),
+		 .is_encr_r = FALSE,
+		 .dh_id = dh_id,
+	);
+
+	INIT(esa_info_r,
+		 .isa_id = this->isa_ctx_id,
+		 .spi_r = proposal->get_spi(proposal),
+		 .nonce_i = chunk_clone(nonce_i),
+		 .nonce_r = chunk_clone(nonce_r),
+		 .is_encr_r = TRUE,
+		 .dh_id = dh_id,
+	);
+
+	DBG1(DBG_CHD, "passing on esa info (isa: %llu, spi_r: %x, dh_id: %llu)",
+		 esa_info_i->isa_id, ntohl(esa_info_i->spi_r), esa_info_i->dh_id);
+
+	/* store ESA info in encr_i/r, which is passed to add_sa */
+	*encr_i = chunk_create((u_char *)esa_info_i, sizeof(esa_info_t));
+	*encr_r = chunk_create((u_char *)esa_info_r, sizeof(esa_info_t));
+	*integ_i = chunk_empty;
+	*integ_r = chunk_empty;
+
+	return TRUE;
+}
+
+METHOD(keymat_t, get_aead, aead_t*,
+	private_tkm_keymat_t *this, bool in)
+{
+	return in ? this->aead_in : this->aead_out;
+}
+
+METHOD(keymat_v2_t, get_auth_octets, bool,
+	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+{
+	sign_info_t *sign;
+
+	if (verify)
+	{
+		/* store peer init message for authentication step */
+		this->other_init_msg = chunk_clone(ike_sa_init);
+		*octets = chunk_empty;
+		return TRUE;
+	}
+
+	INIT(sign,
+		 .isa_id = this->isa_ctx_id,
+		 .init_message = chunk_clone(ike_sa_init),
+	);
+
+	/*
+	 * store signature info in AUTH octets, which is passed to the private key
+	 * sign() operation
+	 */
+	*octets = chunk_create((u_char *)sign, sizeof(sign_info_t));
+	return TRUE;
+}
+
+METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
+	private_tkm_keymat_t *this, chunk_t *skd)
+{
+	isa_info_t *isa_info;
+
+	INIT(isa_info,
+		 .parent_isa_id = this->isa_ctx_id,
+		 .ae_id = this->ae_ctx_id,
+	);
+
+	*skd = chunk_create((u_char *)isa_info, sizeof(isa_info_t));
+
+	/*
+	 * remove ae context id, since control has now been handed over to the new
+	 * IKE SA keymat
+	 */
+	this->ae_ctx_id = 0;
+	return PRF_HMAC_SHA2_512;
+}
+
+METHOD(keymat_v2_t, get_psk_sig, bool,
+	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
+	chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
+{
+	return FALSE;
+}
+
+METHOD(keymat_t, destroy, void,
+	private_tkm_keymat_t *this)
+{
+	if (ike_isa_reset(this->isa_ctx_id) != TKM_OK)
+	{
+		DBG1(DBG_IKE, "failed to reset ISA context %d", this->isa_ctx_id);
+	}
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ISA, this->isa_ctx_id);
+	/* only reset ae context if set */
+	if (this->ae_ctx_id != 0)
+	{
+		if (ike_ae_reset(this->ae_ctx_id) != TKM_OK)
+		{
+			DBG1(DBG_IKE, "failed to reset AE context %d", this->ae_ctx_id);
+		}
+		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id);
+	}
+
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
+	chunk_free(&this->auth_payload);
+	chunk_free(&this->other_init_msg);
+	free(this);
+}
+
+METHOD(tkm_keymat_t, get_isa_id, isa_id_type,
+	private_tkm_keymat_t *this)
+{
+	return this->isa_ctx_id;
+}
+
+METHOD(tkm_keymat_t, set_auth_payload, void,
+	private_tkm_keymat_t *this, const chunk_t * const payload)
+{
+	this->auth_payload = chunk_clone(*payload);
+}
+
+METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
+	private_tkm_keymat_t *this)
+{
+	return &this->auth_payload;
+}
+
+METHOD(tkm_keymat_t, get_peer_init_msg, chunk_t*,
+	private_tkm_keymat_t *this)
+{
+	return &this->other_init_msg;
+}
+
+/**
+ * See header.
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator)
+{
+	private_tkm_keymat_t *this;
+
+	INIT(this,
+		.public = {
+			.keymat_v2 = {
+				.keymat = {
+					.get_version = _get_version,
+					.create_dh = _create_dh,
+					.create_nonce_gen = _create_nonce_gen,
+					.get_aead = _get_aead,
+					.destroy = _destroy,
+				},
+				.derive_ike_keys = _derive_ike_keys,
+				.derive_child_keys = _derive_child_keys,
+				.get_skd = _get_skd,
+				.get_auth_octets = _get_auth_octets,
+				.get_psk_sig = _get_psk_sig,
+			},
+			.get_isa_id = _get_isa_id,
+			.set_auth_payload = _set_auth_payload,
+			.get_auth_payload = _get_auth_payload,
+			.get_peer_init_msg = _get_peer_init_msg,
+		},
+		.initiator = initiator,
+		.isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
+		.ae_ctx_id = 0,
+		.auth_payload = chunk_empty,
+		.other_init_msg = chunk_empty,
+	);
+
+	if (!this->isa_ctx_id)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.h b/src/charon-tkm/src/tkm/tkm_keymat.h
new file mode 100644
index 000000000..ee90bead5
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_keymat.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-keymat keymat
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_KEYMAT_H_
+#define TKM_KEYMAT_H_
+
+#include <sa/ikev2/keymat_v2.h>
+
+typedef struct tkm_keymat_t tkm_keymat_t;
+
+/**
+ * Derivation and management of sensitive keying material, TKM variant.
+ */
+struct tkm_keymat_t {
+
+	/**
+	 * Implements keymat_v2_t.
+	 */
+	keymat_v2_t keymat_v2;
+
+	/**
+	 * Get ISA context id.
+	 *
+	 * @return	id of associated ISA context.
+	 */
+	isa_id_type (*get_isa_id)(tkm_keymat_t * const this);
+
+	/**
+	 * Set IKE AUTH payload.
+	 *
+	 * @param payload		AUTH payload
+	 */
+	void (*set_auth_payload)(tkm_keymat_t *this, const chunk_t * const payload);
+
+	/**
+	 * Get IKE AUTH payload.
+	 *
+	 * @return				AUTH payload if set, chunk_empty otherwise
+	 */
+	chunk_t* (*get_auth_payload)(tkm_keymat_t * const this);
+
+	/**
+	 * Get IKE init message of peer.
+	 *
+	 * @return				init message if set, chunk_empty otherwise
+	 */
+	chunk_t* (*get_peer_init_msg)(tkm_keymat_t * const this);
+
+};
+
+/**
+ * Create TKM keymat instance.
+ *
+ * @param initiator			TRUE if we are the initiator
+ * @return					keymat instance
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator);
+
+#endif /** KEYMAT_TKM_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
new file mode 100644
index 000000000..050586456
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -0,0 +1,355 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+#include <encoding/payloads/auth_payload.h>
+#include <utils/chunk.h>
+#include <tkm/types.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_listener.h"
+#include "tkm_keymat.h"
+#include "tkm_utils.h"
+
+typedef struct private_tkm_listener_t private_tkm_listener_t;
+
+/**
+ * Private data of a tkm_listener_t object.
+ */
+struct private_tkm_listener_t {
+
+	/**
+	 * Public tkm_listener_t interface.
+	 */
+	tkm_listener_t public;
+
+};
+
+/**
+ * Return id of remote identity.
+ *
+ * TODO: Replace this with the lookup for the remote identitiy id.
+ *
+ * Currently the reqid of the first child SA in peer config of IKE SA is
+ * returned. Might choose wrong reqid if IKE SA has multiple child configs
+ * with different reqids.
+ *
+ * @param peer_cfg	Remote peer config
+ * @return			remote identity id if found, 0 otherwise
+ */
+static ri_id_type get_remote_identity_id(peer_cfg_t *peer)
+{
+	ri_id_type remote_id = 0;
+	child_cfg_t *child;
+	enumerator_t* children;
+
+	children = peer->create_child_cfg_enumerator(peer);
+
+	/* pick the reqid of the first child, no need to enumerate all children. */
+	children->enumerate(children, &child);
+	remote_id = child->get_reqid(child);
+	children->destroy(children);
+
+	return remote_id;
+}
+
+/**
+ * Build a TKM certificate chain context with given cc id.
+ *
+ * @param ike_sa	IKE SA containing auth config to build certificate chain from
+ * @param cc_id		Certificate chain ID
+ * @return			TRUE if certificate chain was built successfully,
+ *					FALSE otherwise
+ */
+static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
+{
+	auth_cfg_t *auth;
+	certificate_t *cert;
+	enumerator_t *rounds;
+
+	DBG1(DBG_IKE, "building certificate chain context %llu for IKE SA %s",
+		 cc_id, ike_sa->get_name((ike_sa_t *)ike_sa));
+
+	rounds = ike_sa->create_auth_cfg_enumerator((ike_sa_t *)ike_sa, FALSE);
+	while (rounds->enumerate(rounds, &auth))
+	{
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+		if (cert)
+		{
+			chunk_t enc_user_cert;
+			ri_id_type ri_id;
+			certificate_type user_cert;
+			auth_rule_t rule;
+			enumerator_t *enumerator;
+
+			/* set user certificate */
+			if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_user_cert))
+			{
+				DBG1(DBG_IKE, "unable to extract encoded user certificate");
+				rounds->destroy(rounds);
+				return FALSE;
+			}
+
+			ri_id = get_remote_identity_id(ike_sa->get_peer_cfg((ike_sa_t *)ike_sa));
+			chunk_to_sequence(&enc_user_cert, &user_cert, sizeof(certificate_type));
+			chunk_free(&enc_user_cert);
+			if (ike_cc_set_user_certificate(cc_id, ri_id, 1, user_cert) != TKM_OK)
+			{
+				DBG1(DBG_IKE, "error setting user certificate of cert chain"
+					 " (cc_id: %llu)", cc_id);
+				rounds->destroy(rounds);
+				return FALSE;
+			}
+
+			/* process intermediate CA certificates */
+			enumerator = auth->create_enumerator(auth);
+			while (enumerator->enumerate(enumerator, &rule, &cert))
+			{
+				if (rule == AUTH_RULE_IM_CERT)
+				{
+					chunk_t enc_im_cert;
+					certificate_type im_cert;
+
+					if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_im_cert))
+					{
+						DBG1(DBG_IKE, "unable to extract encoded intermediate CA"
+							 " certificate");
+						rounds->destroy(rounds);
+						enumerator->destroy(enumerator);
+						return FALSE;
+					}
+
+					chunk_to_sequence(&enc_im_cert, &im_cert,
+									  sizeof(certificate_type));
+					chunk_free(&enc_im_cert);
+					if (ike_cc_add_certificate(cc_id, 1, im_cert) != TKM_OK)
+					{
+						DBG1(DBG_IKE, "error adding intermediate certificate to"
+							 " cert chain (cc_id: %llu)", cc_id);
+						rounds->destroy(rounds);
+						enumerator->destroy(enumerator);
+						return FALSE;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			/* finally add CA certificate */
+			cert = auth->get(auth, AUTH_RULE_CA_CERT);
+			if (cert)
+			{
+				const ca_id_type ca_id = 1;
+				certificate_type ca_cert;
+				chunk_t enc_ca_cert;
+
+				if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_ca_cert))
+				{
+					DBG1(DBG_IKE, "unable to extract encoded CA certificate");
+					rounds->destroy(rounds);
+					return FALSE;
+				}
+
+				chunk_to_sequence(&enc_ca_cert, &ca_cert,
+								  sizeof(certificate_type));
+				chunk_free(&enc_ca_cert);
+				if (ike_cc_add_certificate(cc_id, 1, ca_cert) != TKM_OK)
+				{
+					DBG1(DBG_IKE, "error adding CA certificate to cert chain "
+						 "(cc_id: %llu)", cc_id);
+					rounds->destroy(rounds);
+					return FALSE;
+				}
+
+				if (ike_cc_check_ca(cc_id, ca_id) != TKM_OK)
+				{
+					DBG1(DBG_IKE, "certificate chain (cc_id: %llu) not based on"
+						 " trusted CA (ca_id: %llu)", cc_id, ca_id);
+					rounds->destroy(rounds);
+					return FALSE;
+				}
+
+				rounds->destroy(rounds);
+				return TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "no CA certificate");
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "no subject certificate for remote peer");
+		}
+	}
+
+	rounds->destroy(rounds);
+	return FALSE;
+}
+
+METHOD(listener_t, alert, bool,
+	private_tkm_listener_t *this, ike_sa_t *ike_sa,
+	alert_t alert, va_list args)
+{
+	if (alert == ALERT_KEEP_ON_CHILD_SA_FAILURE)
+	{
+		tkm_keymat_t *keymat;
+		isa_id_type isa_id;
+
+		keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+		isa_id = keymat->get_isa_id(keymat);
+
+		DBG1(DBG_IKE, "TKM alert listener called for ISA context %llu", isa_id);
+		if (ike_isa_skip_create_first(isa_id) != TKM_OK)
+		{
+			DBG1(DBG_IKE, "Skip of first child SA creation failed for ISA "
+				 "context %llu", isa_id);
+		}
+	}
+
+	return TRUE;
+}
+
+METHOD(listener_t, authorize, bool,
+	private_tkm_listener_t *this, ike_sa_t *ike_sa,
+	bool final, bool *success)
+{
+	tkm_keymat_t *keymat;
+	isa_id_type isa_id;
+	cc_id_type cc_id;
+	chunk_t *auth, *other_init_msg;
+	signature_type signature;
+	init_message_type init_msg;
+
+	if (!final)
+	{
+		return TRUE;
+	}
+
+	keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+	isa_id = keymat->get_isa_id(keymat);
+	DBG1(DBG_IKE, "TKM authorize listener called for ISA context %llu", isa_id);
+
+	cc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_CC);
+	if (!cc_id)
+	{
+		DBG1(DBG_IKE, "unable to acquire CC context id");
+		*success = FALSE;
+		return TRUE;
+	}
+	if (!build_cert_chain(ike_sa, cc_id))
+	{
+		DBG1(DBG_IKE, "unable to build certificate chain");
+		*success = FALSE;
+		return TRUE;
+	}
+
+	auth = keymat->get_auth_payload(keymat);
+	if (!auth->ptr)
+	{
+		DBG1(DBG_IKE, "no AUTHENTICATION data available");
+		*success = FALSE;
+	}
+
+	other_init_msg = keymat->get_peer_init_msg(keymat);
+	if (!other_init_msg->ptr)
+	{
+		DBG1(DBG_IKE, "no peer init message available");
+		*success = FALSE;
+	}
+
+	chunk_to_sequence(auth, &signature, sizeof(signature_type));
+	chunk_to_sequence(other_init_msg, &init_msg, sizeof(init_message_type));
+
+	if (ike_isa_auth(isa_id, cc_id, init_msg, signature) != TKM_OK)
+	{
+		DBG1(DBG_IKE, "TKM based authentication failed"
+			 " for ISA context %llu", isa_id);
+		*success = FALSE;
+	}
+	else
+	{
+		DBG1(DBG_IKE, "TKM based authentication successful"
+			 " for ISA context %llu", isa_id);
+		*success = TRUE;
+	}
+
+	return TRUE;
+}
+
+METHOD(listener_t, message, bool,
+	private_tkm_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming, bool plain)
+{
+	tkm_keymat_t *keymat;
+	isa_id_type isa_id;
+	auth_payload_t *auth_payload;
+
+	if (!incoming || !plain || message->get_exchange_type(message) != IKE_AUTH)
+	{
+		return TRUE;
+	}
+
+	keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+	isa_id = keymat->get_isa_id(keymat);
+	DBG1(DBG_IKE, "saving AUTHENTICATION payload for authorize hook"
+	     " (ISA context %llu)", isa_id);
+
+	auth_payload = (auth_payload_t*)message->get_payload(message,
+														 AUTHENTICATION);
+	if (auth_payload)
+	{
+		chunk_t auth_data;
+
+		auth_data = auth_payload->get_data(auth_payload);
+		keymat->set_auth_payload(keymat, &auth_data);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "unable to extract AUTHENTICATION payload, authorize will"
+			 " fail");
+	}
+
+	return TRUE;
+}
+
+METHOD(tkm_listener_t, destroy, void,
+	private_tkm_listener_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tkm_listener_t *tkm_listener_create()
+{
+	private_tkm_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.authorize = _authorize,
+				.message = _message,
+				.alert = _alert,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_listener.h b/src/charon-tkm/src/tkm/tkm_listener.h
new file mode 100644
index 000000000..1162a77be
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_listener.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-listener listener
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_LISTENER_H_
+#define TKM_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct tkm_listener_t tkm_listener_t;
+
+/**
+ * TKM bus listener.
+ */
+struct tkm_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a tkm_listener_t.
+	 */
+	void (*destroy)(tkm_listener_t *this);
+};
+
+/**
+ * Create a tkm_listener instance.
+ *
+ * @return		listener instance
+ */
+tkm_listener_t *tkm_listener_create();
+
+#endif /** TKM_LISTENER_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c
new file mode 100644
index 000000000..a07326798
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.c
@@ -0,0 +1,106 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <tkm/client.h>
+#include <tkm/constants.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+
+typedef struct private_tkm_nonceg_t private_tkm_nonceg_t;
+
+/**
+ * Private data of a tkm_nonceg_t object.
+ */
+struct private_tkm_nonceg_t {
+
+	/**
+	 * Public tkm_nonceg_t interface.
+	 */
+	tkm_nonceg_t public;
+
+	/**
+	 * Context id.
+	 */
+	nc_id_type context_id;
+
+};
+
+METHOD(nonce_gen_t, get_nonce, bool,
+	private_tkm_nonceg_t *this, size_t size, u_int8_t *buffer)
+{
+	nonce_type nonce;
+
+	if (ike_nc_create(this->context_id, size, &nonce) != TKM_OK)
+	{
+		return FALSE;
+	}
+
+	memcpy(buffer, &nonce.data, size);
+	return TRUE;
+}
+
+METHOD(nonce_gen_t, allocate_nonce, bool,
+	private_tkm_nonceg_t *this, size_t size, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(size);
+	if (get_nonce(this, chunk->len, chunk->ptr))
+	{
+		tkm->chunk_map->insert(tkm->chunk_map, chunk, this->context_id);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(nonce_gen_t, destroy, void,
+	private_tkm_nonceg_t *this)
+{
+	free(this);
+}
+
+METHOD(tkm_nonceg_t, get_id, nc_id_type,
+	private_tkm_nonceg_t *this)
+{
+	return this->context_id;
+}
+
+/*
+ * Described in header.
+ */
+tkm_nonceg_t *tkm_nonceg_create()
+{
+	private_tkm_nonceg_t *this;
+
+	INIT(this,
+		.public = {
+			.nonce_gen = {
+				.get_nonce = _get_nonce,
+				.allocate_nonce = _allocate_nonce,
+				.destroy = _destroy,
+			},
+			.get_id = _get_id,
+		},
+		.context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE),
+	);
+
+	if (!this->context_id)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.h b/src/charon-tkm/src/tkm/tkm_nonceg.h
new file mode 100644
index 000000000..ceadb081f
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_nonceg.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-nonceg nonce generator
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_NONCEG_H_
+#define TKM_NONCEG_H_
+
+typedef struct tkm_nonceg_t tkm_nonceg_t;
+
+#include <library.h>
+#include <tkm/types.h>
+
+/**
+ * nonce_gen_t implementation using the trusted key manager.
+ */
+struct tkm_nonceg_t {
+
+	/**
+	 * Implements nonce_gen_t.
+	 */
+	nonce_gen_t nonce_gen;
+
+	/**
+	 * Get nonce context id.
+	 *
+	 * @return	context id of this nonce generator.
+	 */
+	nc_id_type (*get_id)(tkm_nonceg_t * const this);
+
+};
+
+/**
+ * Creates a tkm_nonceg_t instance.
+ *
+ * @return			created tkm_nonceg_t
+ */
+tkm_nonceg_t *tkm_nonceg_create();
+
+#endif /** TKM_NONCEG_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_private_key.c b/src/charon-tkm/src/tkm/tkm_private_key.c
new file mode 100644
index 000000000..db57ec1c7
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_private_key.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <tkm/constants.h>
+#include <tkm/client.h>
+
+#include "tkm_utils.h"
+#include "tkm_types.h"
+#include "tkm_private_key.h"
+
+typedef struct private_tkm_private_key_t private_tkm_private_key_t;
+
+/**
+ * Private data of a tkm_private_key_t object.
+ */
+struct private_tkm_private_key_t {
+
+	/**
+	 * Public interface for this signer.
+	 */
+	tkm_private_key_t public;
+
+	/**
+	 * Key ID.
+	 */
+	identification_t *id;
+
+	/**
+	 * Key type.
+	 */
+	key_type_t key_type;
+
+	/**
+	 * Reference count.
+	 */
+	refcount_t ref;
+
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_tkm_private_key_t *this)
+{
+	return this->key_type;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_tkm_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	signature_type sig;
+	init_message_type msg;
+	sign_info_t sign;
+	isa_id_type isa_id;
+
+	if (data.ptr == NULL)
+	{
+		DBG1(DBG_LIB, "unable to get signature information");
+		return FALSE;
+	}
+	sign = *(sign_info_t *)(data.ptr);
+
+	chunk_to_sequence(&sign.init_message, &msg, sizeof(init_message_type));
+	isa_id = sign.isa_id;
+	chunk_free(&sign.init_message);
+
+	if (ike_isa_sign(isa_id, 1, msg, &sig) != TKM_OK)
+	{
+		DBG1(DBG_LIB, "signature operation failed");
+		return FALSE;
+	}
+
+	sequence_to_chunk(sig.data, sig.size, signature);
+	return TRUE;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_tkm_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_tkm_private_key_t *this)
+{
+	return 0;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_tkm_private_key_t *this)
+{
+	return NULL;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_tkm_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_tkm_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	*fp = this->id->get_encoding(this->id);
+	return TRUE;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_tkm_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_tkm_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->id->destroy(this->id);
+		free(this);
+	}
+}
+
+/**
+ * See header.
+ */
+tkm_private_key_t *tkm_private_key_init(identification_t * const id)
+{
+	private_tkm_private_key_t *this;
+	certificate_t *cert;
+	public_key_t *pubkey;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+		.id = id->clone(id),
+	);
+
+	/* get key type from associated public key */
+	cert = lib->credmgr->get_cert(lib->credmgr, CERT_ANY, KEY_ANY, id, FALSE);
+	if (!cert)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	pubkey = cert->get_public_key(cert);
+	if (!pubkey)
+	{
+		cert->destroy(cert);
+		destroy(this);
+		return NULL;
+	}
+	this->key_type = pubkey->get_type(pubkey);
+	pubkey->destroy(pubkey);
+	cert->destroy(cert);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_private_key.h b/src/charon-tkm/src/tkm/tkm_private_key.h
new file mode 100644
index 000000000..ded8300ca
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_private_key.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-privkey private key
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_PRIVATE_KEY_H_
+#define TKM_PRIVATE_KEY_H_
+
+#include <credentials/keys/private_key.h>
+
+typedef struct tkm_private_key_t tkm_private_key_t;
+
+/**
+ * TKM private_key_t implementation.
+ */
+struct tkm_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t key;
+};
+
+/**
+ * Initialize TKM private key with given key ID.
+ */
+tkm_private_key_t *tkm_private_key_init(identification_t * const id);
+
+#endif /** TKM_PRIVATE_KEY_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_public_key.c b/src/charon-tkm/src/tkm/tkm_public_key.c
new file mode 100644
index 000000000..9ebdc29e6
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_public_key.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+
+#include "tkm_public_key.h"
+
+typedef struct private_tkm_public_key_t private_tkm_public_key_t;
+
+/**
+ * Private data of tkm_public_key_t object.
+ */
+struct private_tkm_public_key_t {
+
+	/**
+	 * Public interface for this signer.
+	 */
+	tkm_public_key_t public;
+
+	/**
+	 * ASN.1 blob of pubkey.
+	 */
+	chunk_t asn_blob;
+
+	/**
+	 * Key type.
+	 */
+	key_type_t key_type;
+
+	/**
+	 * Reference count.
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_tkm_public_key_t *this)
+{
+	return this->key_type;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_tkm_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
+{
+	return TRUE;
+}
+
+METHOD(public_key_t, encrypt_, bool,
+	private_tkm_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
+{
+	return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_tkm_public_key_t *this)
+{
+	return 0;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_tkm_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return NULL;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_tkm_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	switch(this->key_type)
+	{
+		case KEY_RSA:
+			return lib->encoding->encode(lib->encoding, type, this, fp,
+										 CRED_PART_RSA_PUB_ASN1_DER,
+										 this->asn_blob, CRED_PART_END);
+		default:
+			DBG1(DBG_LIB, "%N public key not supported, fingerprinting failed",
+				 key_type_names, this->key_type);
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_tkm_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_tkm_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		chunk_free(&this->asn_blob);
+		free(this);
+	}
+}
+
+/**
+ * See header.
+ */
+tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args)
+{
+	private_tkm_public_key_t *this;
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (!blob.ptr)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+		.asn_blob = chunk_clone(blob),
+		.key_type = type,
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_public_key.h b/src/charon-tkm/src/tkm/tkm_public_key.h
new file mode 100644
index 000000000..5b21287b7
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_public_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2012-2013 Reto Buerki
+ * Copyright (C) 2012-2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-pubkey public key
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_PUBLIC_KEY_H_
+#define TKM_PUBLIC_KEY_H_
+
+#include <credentials/keys/public_key.h>
+
+typedef struct tkm_public_key_t tkm_public_key_t;
+
+/**
+ * TKM public_key_t implementation.
+ */
+struct tkm_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t key;
+};
+
+/**
+ * Load a TKM public key.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return			loaded key, NULL on failure
+ */
+tkm_public_key_t *tkm_public_key_load(key_type_t type, va_list args);
+
+#endif /** TKM_PUBLIC_KEY_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_types.h b/src/charon-tkm/src/tkm/tkm_types.h
new file mode 100644
index 000000000..cef53deb3
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_types.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-types types
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_TYPES_H_
+#define TKM_TYPES_H_
+
+#include <tkm/types.h>
+#include <utils/chunk.h>
+
+typedef struct esa_info_t esa_info_t;
+
+/**
+ * ESP SA info data structure.
+ *
+ * This type is used to transfer ESA information from the keymat
+ * derive_child_keys to the kernel IPsec interface add_sa operation. This is
+ * necessary because the CHILD SA key derivation and installation is handled
+ * by a single exchange with the TKM (esa_create*) in add_sa.
+ * For this purpose the out parameters encr_i and encr_r of the
+ * derive_child_keys function are (ab)used and the data is stored in these
+ * data chunks. This is possible since the child SA keys are treated as opaque
+ * values and handed to the add_sa procedure of the kernel interface as-is
+ * without any processing.
+ */
+struct esa_info_t {
+
+	/**
+	 * ISA context id.
+	 */
+	isa_id_type isa_id;
+
+	/**
+	 * Responder SPI of child SA.
+	 */
+	esp_spi_type spi_r;
+
+	/**
+	 * Initiator nonce.
+	 */
+	chunk_t nonce_i;
+
+	/**
+	 * Responder nonce.
+	 */
+	chunk_t nonce_r;
+
+	/**
+	 * Flag specifying if this esa info struct is contained in encr_r.
+	 * It is set to TRUE for encr_r and FALSE for encr_i.
+	 */
+	bool is_encr_r;
+
+	/**
+	 * Diffie-Hellman context id.
+	 */
+	dh_id_type dh_id;
+
+};
+
+typedef struct isa_info_t isa_info_t;
+
+/**
+ * IKE SA info data structure.
+ *
+ * This type is used to transfer ISA information from the keymat of the parent
+ * SA to the keymat of the new IKE SA. For this purpose the skd data chunk is
+ * (ab)used. This is possible since the sk_d chunk is treated as an opaque value
+ * and handed to the derive_ike_keys procedure of the new keymat as-is without
+ * any processing.
+ */
+struct isa_info_t {
+
+	/**
+	 * Parent isa context id.
+	 */
+	isa_id_type parent_isa_id;
+
+	/**
+	 * Authenticated endpoint context id.
+	 */
+	ae_id_type ae_id;
+
+};
+
+typedef struct sign_info_t sign_info_t;
+
+/**
+ * AUTH signature info data structure.
+ *
+ * This type is used to transfer an ISA context id and the initial message
+ * from the keymat to the TKM private key sign operation. For this purpose the
+ * auth octets chunk is (ab)used and the data is stored in this chunk.
+ * This is possible since the auth octets are treated as opaque value and handed
+ * to the private key sign function as-is without any processing.
+ */
+struct sign_info_t {
+
+	/**
+	 * ISA context id.
+	 */
+	isa_id_type isa_id;
+
+	/**
+	 * Init message.
+	 */
+	chunk_t init_message;
+
+};
+
+#endif /** TKM_TYPES_H_ @}*/
diff --git a/src/charon-tkm/src/tkm/tkm_utils.c b/src/charon-tkm/src/tkm/tkm_utils.c
new file mode 100644
index 000000000..e0692b893
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_utils.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+
+#include "tkm_utils.h"
+
+/* Generic variable-length sequence */
+struct sequence_type {
+	uint32_t size;
+	byte_t data[];
+};
+typedef struct sequence_type sequence_type;
+
+void sequence_to_chunk(const byte_t * const first, const uint32_t len,
+					   chunk_t * const chunk)
+{
+	*chunk = chunk_alloc(len);
+	memcpy(chunk->ptr, first, len);
+}
+
+void chunk_to_sequence(const chunk_t * const chunk, void *sequence,
+					   const uint32_t typelen)
+{
+	const uint32_t seqlenmax = typelen - sizeof(uint32_t);
+	sequence_type *seq = sequence;
+
+	memset(sequence, 0, typelen);
+	if (chunk->len > seqlenmax)
+	{
+		DBG1(DBG_LIB, "chunk too large to fit into sequence %d > %d, limiting"
+			 " to %d bytes", chunk->len, seqlenmax, seqlenmax);
+		seq->size = seqlenmax;
+	}
+	else
+	{
+		seq->size = chunk->len;
+	}
+	memcpy(seq->data, chunk->ptr, seq->size);
+}
diff --git a/src/charon-tkm/src/tkm/tkm_utils.h b/src/charon-tkm/src/tkm/tkm_utils.h
new file mode 100644
index 000000000..308c58fbb
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_utils.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tkm-utils utils
+ * @{ @ingroup tkm
+ */
+
+#ifndef TKM_UTILS_H_
+#define TKM_UTILS_H_
+
+#include <utils/chunk.h>
+#include <tkm/types.h>
+
+/**
+ * Convert byte sequence to chunk.
+ *
+ * @param first		pointer to first byte of sequence
+ * @param len		length of byte sequence
+ * @param chunk		pointer to chunk struct
+ */
+void sequence_to_chunk(const byte_t * const first, const uint32_t len,
+					   chunk_t * const chunk);
+
+/**
+ * Convert chunk to variable-length byte sequence.
+ *
+ * @param chunk		pointer to chunk struct
+ * @param sequence	pointer to variable-length sequence
+ * @param typelen	length of sequence type
+ */
+void chunk_to_sequence(const chunk_t * const chunk, void *sequence,
+					   const uint32_t typelen);
+
+#endif /** TKM_UTILS_H_ @}*/
diff --git a/src/charon-tkm/tests/.gitignore b/src/charon-tkm/tests/.gitignore
new file mode 100644
index 000000000..35429f617
--- /dev/null
+++ b/src/charon-tkm/tests/.gitignore
@@ -0,0 +1 @@
+test_runner
diff --git a/src/charon-tkm/tests/chunk_map_tests.c b/src/charon-tkm/tests/chunk_map_tests.c
new file mode 100644
index 000000000..6deef9a80
--- /dev/null
+++ b/src/charon-tkm/tests/chunk_map_tests.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_chunk_map.h"
+
+START_TEST(test_chunk_map_creation)
+{
+	tkm_chunk_map_t *map = NULL;
+
+	map = tkm_chunk_map_create();
+	fail_if(map == NULL, "Error creating chunk map");
+
+	map->destroy(map);
+}
+END_TEST
+
+START_TEST(test_chunk_map_handling)
+{
+	tkm_chunk_map_t *map = NULL;
+	const int ref = 35;
+	chunk_t data = chunk_from_thing(ref);
+
+	map = tkm_chunk_map_create();
+	fail_if(map == NULL, "Error creating chunk map");
+
+	map->insert(map, &data, 24);
+	fail_if(map->get_id(map, &data) != 24, "Id mismatch");
+
+	fail_unless(map->remove(map, &data), "Unable to remove mapping");
+	fail_unless(!map->get_id(map, &data), "Error removing mapping");
+
+	map->destroy(map);
+}
+END_TEST
+
+TCase *make_chunk_map_tests(void)
+{
+	TCase *tc = tcase_create("Chunk map tests");
+	tcase_add_test(tc, test_chunk_map_creation);
+	tcase_add_test(tc, test_chunk_map_handling);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/diffie_hellman_tests.c b/src/charon-tkm/tests/diffie_hellman_tests.c
new file mode 100644
index 000000000..ffe99614d
--- /dev/null
+++ b/src/charon-tkm/tests/diffie_hellman_tests.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_diffie_hellman.h"
+
+START_TEST(test_dh_creation)
+{
+	tkm_diffie_hellman_t *dh = NULL;
+
+	dh = tkm_diffie_hellman_create(MODP_768_BIT);
+	fail_if(dh, "MODP_768 created");
+
+	dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "MODP_4096 not created");
+	fail_if(!dh->get_id(dh), "Invalid context id (0)");
+
+	dh->dh.destroy(&dh->dh);
+}
+END_TEST
+
+START_TEST(test_dh_get_my_pubvalue)
+{
+	tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "Unable to create DH");
+
+	chunk_t value;
+	dh->dh.get_my_public_value(&dh->dh, &value);
+	dh->dh.destroy(&dh->dh);
+
+	fail_if(value.ptr == NULL, "Pubvalue is NULL");
+	fail_if(value.len != 512, "Pubvalue size mismatch");
+
+	chunk_free(&value);
+}
+END_TEST
+
+TCase *make_diffie_hellman_tests(void)
+{
+	TCase *tc = tcase_create("Diffie-Hellman tests");
+	tcase_add_test(tc, test_dh_creation);
+	tcase_add_test(tc, test_dh_get_my_pubvalue);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/id_manager_tests.c b/src/charon-tkm/tests/id_manager_tests.c
new file mode 100644
index 000000000..15522f118
--- /dev/null
+++ b/src/charon-tkm/tests/id_manager_tests.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_id_manager.h"
+
+static const tkm_limits_t limits = {125, 100, 55, 30, 200, 42};
+
+START_TEST(test_id_mgr_creation)
+{
+	tkm_id_manager_t *idmgr = NULL;
+
+	idmgr = tkm_id_manager_create(limits);
+	fail_if(idmgr == NULL, "Error creating tkm id manager");
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_acquire_id)
+{
+	int i, id = 0;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		id = idmgr->acquire_id(idmgr, i);
+		fail_unless(id > 0, "Error acquiring id of context kind %d", i);
+
+		/* Reset test variable */
+		id = 0;
+	}
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_acquire_id_invalid_kind)
+{
+	int id = 0;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	id = idmgr->acquire_id(idmgr, TKM_CTX_MAX);
+	fail_unless(id == 0, "Acquired id for invalid context kind %d", TKM_CTX_MAX);
+
+	/* Reset test variable */
+	id = 0;
+
+	id = idmgr->acquire_id(idmgr, -1);
+	fail_unless(id == 0, "Acquired id for invalid context kind %d", -1);
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_acquire_id_same)
+{
+	int id1 = 0, id2 = 0;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	id1 = idmgr->acquire_id(idmgr, TKM_CTX_NONCE);
+	fail_unless(id1 > 0, "Unable to acquire first id");
+
+	/* Acquire another id, must be different than first */
+	id2 = idmgr->acquire_id(idmgr, TKM_CTX_NONCE);
+	fail_unless(id2 > 0, "Unable to acquire second id");
+	fail_unless(id1 != id2, "Same id received twice");
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_release_id)
+{
+	int i, id = 0;
+	bool released = false;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	for (i = 0; i < TKM_CTX_MAX; i++)
+	{
+		id = idmgr->acquire_id(idmgr, i);
+		released = idmgr->release_id(idmgr, i, id);
+
+		fail_unless(released, "Error releasing id of context kind %d", i);
+
+		/* Reset released variable */
+		released = FALSE;
+	}
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_release_id_invalid_kind)
+{
+	bool released = TRUE;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	released = idmgr->release_id(idmgr, TKM_CTX_MAX, 1);
+	fail_if(released, "Released id for invalid context kind %d", TKM_CTX_MAX);
+
+	/* Reset test variable */
+	released = TRUE;
+
+	released = idmgr->release_id(idmgr, -1, 1);
+	fail_if(released, "Released id for invalid context kind %d", -1);
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+START_TEST(test_release_id_nonexistent)
+{
+	bool released = FALSE;
+	tkm_id_manager_t *idmgr = tkm_id_manager_create(limits);
+
+	released = idmgr->release_id(idmgr, TKM_CTX_NONCE, 1);
+	fail_unless(released, "Release of nonexistent id failed");
+
+	idmgr->destroy(idmgr);
+}
+END_TEST
+
+TCase *make_id_manager_tests(void)
+{
+	TCase *tc = tcase_create("Context id manager tests");
+	tcase_add_test(tc, test_id_mgr_creation);
+	tcase_add_test(tc, test_acquire_id);
+	tcase_add_test(tc, test_acquire_id_invalid_kind);
+	tcase_add_test(tc, test_acquire_id_same);
+	tcase_add_test(tc, test_release_id);
+	tcase_add_test(tc, test_release_id_invalid_kind);
+	tcase_add_test(tc, test_release_id_nonexistent);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
new file mode 100644
index 000000000..11785602d
--- /dev/null
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+
+#include "tkm_kernel_sad.h"
+
+START_TEST(test_sad_creation)
+{
+	tkm_kernel_sad_t *sad = NULL;
+
+	sad = tkm_kernel_sad_create();
+	fail_if(!sad, "Error creating tkm kernel SAD");
+
+	sad->destroy(sad);
+}
+END_TEST
+
+START_TEST(test_insert)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+
+	fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_insert_duplicate)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+
+	fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+	fail_if(sad->insert(sad, 1, addr, addr, 42, 50),
+			"Expected error inserting duplicate entry");
+
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_esa_id)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
+				"Error getting esa id");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_esa_id_nonexistent)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0,
+				"Got esa id for nonexistent SAD entry");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_remove)
+{
+	host_t *addr = host_create_from_string("127.0.0.1", 1024);
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+				"Error inserting SAD entry");
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
+				"Error getting esa id");
+	fail_unless(sad->remove(sad, 23),
+				"Error removing SAD entry");
+	fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0,
+				"Got esa id for removed SAD entry");
+	sad->destroy(sad);
+	addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_remove_nonexistent)
+{
+	tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+	fail_if(sad->remove(sad, 1),
+			"Expected error removing nonexistent SAD entry");
+	sad->destroy(sad);
+}
+END_TEST
+
+TCase *make_kernel_sad_tests(void)
+{
+	TCase *tc = tcase_create("Kernel SAD tests");
+	tcase_add_test(tc, test_sad_creation);
+	tcase_add_test(tc, test_insert);
+	tcase_add_test(tc, test_insert_duplicate);
+	tcase_add_test(tc, test_get_esa_id);
+	tcase_add_test(tc, test_get_esa_id_nonexistent);
+	tcase_add_test(tc, test_remove);
+	tcase_add_test(tc, test_remove_nonexistent);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
new file mode 100644
index 000000000..2a7525d4e
--- /dev/null
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+#include <daemon.h>
+#include <hydra.h>
+#include <config/proposal.h>
+#include <encoding/payloads/ike_header.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
+#include "tkm_types.h"
+
+START_TEST(test_derive_ike_keys)
+{
+	proposal_t *proposal = proposal_create_from_string(PROTO_IKE,
+			"aes256-sha512-modp4096");
+	fail_if(!proposal, "Unable to create proposal");
+	ike_sa_id_t *ike_sa_id = ike_sa_id_create(IKEV2_MAJOR_VERSION,
+			123912312312, 32312313122, TRUE);
+	fail_if(!ike_sa_id, "Unable to create IKE SA ID");
+
+	tkm_keymat_t *keymat = tkm_keymat_create(TRUE);
+	fail_if(!keymat, "Unable to create keymat");
+	fail_if(!keymat->get_isa_id(keymat), "Invalid ISA context id (0)");
+
+	chunk_t nonce;
+	tkm_nonceg_t *ng = tkm_nonceg_create();
+	fail_if(!ng, "Unable to create nonce generator");
+	fail_unless(ng->nonce_gen.allocate_nonce(&ng->nonce_gen, 32, &nonce),
+			"Unable to allocate nonce");
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+
+	tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "Unable to create DH");
+
+	/* Use the same pubvalue for both sides */
+	chunk_t pubvalue;
+	dh->dh.get_my_public_value(&dh->dh, &pubvalue);
+	dh->dh.set_other_public_value(&dh->dh, pubvalue);
+
+	fail_unless(keymat->keymat_v2.derive_ike_keys(&keymat->keymat_v2, proposal,
+				&dh->dh, nonce, nonce, ike_sa_id, PRF_UNDEFINED, chunk_empty),
+				"Key derivation failed");
+	chunk_free(&nonce);
+
+	aead_t * const aead = keymat->keymat_v2.keymat.get_aead(&keymat->keymat_v2.keymat, TRUE);
+	fail_if(!aead, "AEAD is NULL");
+
+	fail_if(aead->get_key_size(aead) != 96, "Key size mismatch %d",
+			aead->get_key_size(aead));
+	fail_if(aead->get_block_size(aead) != 16, "Block size mismatch %d",
+			aead->get_block_size(aead));
+
+	proposal->destroy(proposal);
+	dh->dh.destroy(&dh->dh);
+	ike_sa_id->destroy(ike_sa_id);
+	keymat->keymat_v2.keymat.destroy(&keymat->keymat_v2.keymat);
+	chunk_free(&pubvalue);
+}
+END_TEST
+
+START_TEST(test_derive_child_keys)
+{
+	tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT);
+	fail_if(!dh, "Unable to create DH object");
+	proposal_t *proposal = proposal_create_from_string(PROTO_ESP,
+			"aes256-sha512-modp4096");
+	fail_if(!proposal, "Unable to create proposal");
+	proposal->set_spi(proposal, 42);
+
+	tkm_keymat_t *keymat = tkm_keymat_create(TRUE);
+	fail_if(!keymat, "Unable to create keymat");
+
+	chunk_t encr_i, encr_r, integ_i, integ_r;
+	chunk_t nonce = chunk_from_chars("test chunk");
+
+	fail_unless(keymat->keymat_v2.derive_child_keys(&keymat->keymat_v2, proposal,
+													(diffie_hellman_t *)dh,
+													nonce, nonce, &encr_i,
+													&integ_i, &encr_r, &integ_r),
+				"Child key derivation failed");
+
+	esa_info_t *info = (esa_info_t *)encr_i.ptr;
+	fail_if(!info, "encr_i does not contain esa information");
+	fail_if(info->isa_id != keymat->get_isa_id(keymat),
+			"Isa context id mismatch (encr_i)");
+	fail_if(info->spi_r != 42,
+			"SPI mismatch (encr_i)");
+	fail_unless(chunk_equals(info->nonce_i, nonce),
+				"nonce_i mismatch (encr_i)");
+	fail_unless(chunk_equals(info->nonce_r, nonce),
+				"nonce_r mismatch (encr_i)");
+	fail_if(info->is_encr_r,
+			"Flag is_encr_r set for encr_i");
+	fail_if(info->dh_id != dh->get_id(dh),
+			"DH context id mismatch (encr_i)");
+	chunk_free(&info->nonce_i);
+	chunk_free(&info->nonce_r);
+
+	info = (esa_info_t *)encr_r.ptr;
+	fail_if(!info, "encr_r does not contain esa information");
+	fail_if(info->isa_id != keymat->get_isa_id(keymat),
+			"Isa context id mismatch (encr_r)");
+	fail_if(info->spi_r != 42,
+			"SPI mismatch (encr_r)");
+	fail_unless(chunk_equals(info->nonce_i, nonce),
+				"nonce_i mismatch (encr_r)");
+	fail_unless(chunk_equals(info->nonce_r, nonce),
+				"nonce_r mismatch (encr_r)");
+	fail_unless(info->is_encr_r,
+				"Flag is_encr_r set for encr_r");
+	fail_if(info->dh_id != dh->get_id(dh),
+			"DH context id mismatch (encr_i)");
+	chunk_free(&info->nonce_i);
+	chunk_free(&info->nonce_r);
+
+	proposal->destroy(proposal);
+	dh->dh.destroy(&dh->dh);
+	keymat->keymat_v2.keymat.destroy(&keymat->keymat_v2.keymat);
+	chunk_free(&encr_i);
+	chunk_free(&encr_r);
+}
+END_TEST
+
+TCase *make_keymat_tests(void)
+{
+	TCase *tc = tcase_create("Keymat tests");
+	tcase_add_test(tc, test_derive_ike_keys);
+	tcase_add_test(tc, test_derive_child_keys);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/nonceg_tests.c b/src/charon-tkm/tests/nonceg_tests.c
new file mode 100644
index 000000000..3a1effab8
--- /dev/null
+++ b/src/charon-tkm/tests/nonceg_tests.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+#include <tkm/client.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+
+START_TEST(test_nonceg_creation)
+{
+	tkm_nonceg_t *ng = NULL;
+
+	ng = tkm_nonceg_create();
+	fail_if(ng == NULL, "Error creating tkm nonce generator");
+	fail_if(ng->get_id(ng) == 0, "Invalid context id (0)");
+
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+}
+END_TEST
+
+START_TEST(test_nonceg_allocate_nonce)
+{
+	tkm_nonceg_t *ng = tkm_nonceg_create();
+
+	const size_t length = 256;
+	u_int8_t zero[length];
+	memset(zero, 0, length);
+
+	chunk_t nonce;
+	const bool got_nonce = ng->nonce_gen.allocate_nonce(&ng->nonce_gen,
+			length, &nonce);
+
+	fail_unless(got_nonce, "Call to allocate_nonce failed");
+	fail_unless(nonce.len = length, "Allocated nonce length mismatch");
+	fail_if(memcmp(nonce.ptr, zero, length) == 0, "Unable to allocate nonce");
+
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, 1);
+	ike_nc_reset(1);
+
+	chunk_free(&nonce);
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+}
+END_TEST
+
+START_TEST(test_nonceg_get_nonce)
+{
+	tkm_nonceg_t *ng = tkm_nonceg_create();
+
+	const size_t length = 128;
+	u_int8_t zero[length];
+	memset(zero, 0, length);
+
+	u_int8_t *buf = malloc(length + 1);
+	memset(buf, 0, length);
+	/* set end marker */
+	buf[length] = 255;
+
+	const bool got_nonce = ng->nonce_gen.get_nonce(&ng->nonce_gen, length, buf);
+	fail_unless(got_nonce, "Call to get_nonce failed");
+	fail_if(memcmp(buf, zero, length) == 0, "Unable to get nonce");
+	fail_if(buf[length] != 255, "End marker not found");
+
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, 1);
+	ike_nc_reset(1);
+
+	free(buf);
+	ng->nonce_gen.destroy(&ng->nonce_gen);
+}
+END_TEST
+
+TCase *make_nonceg_tests(void)
+{
+	TCase *tc = tcase_create("Nonce generator tests");
+	tcase_add_test(tc, test_nonceg_creation);
+	tcase_add_test(tc, test_nonceg_allocate_nonce);
+	tcase_add_test(tc, test_nonceg_get_nonce);
+
+	return tc;
+}
diff --git a/src/charon-tkm/tests/test_runner.c b/src/charon-tkm/tests/test_runner.c
new file mode 100644
index 000000000..5ae032935
--- /dev/null
+++ b/src/charon-tkm/tests/test_runner.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <hydra.h>
+#include <daemon.h>
+
+#include "tkm.h"
+#include "tkm_nonceg.h"
+#include "tkm_diffie_hellman.h"
+#include "tkm_kernel_ipsec.h"
+#include "test_runner.h"
+
+int main(void)
+{
+	library_init(NULL);
+	libhydra_init("test_runner");
+	libcharon_init("test_runner");
+
+	lib->settings->set_int(lib->settings, "test_runner.filelog.stdout.default",
+						   1);
+	charon->load_loggers(charon, NULL, FALSE);
+
+	/* Register TKM specific plugins */
+	static plugin_feature_t features[] = {
+		PLUGIN_REGISTER(NONCE_GEN, tkm_nonceg_create),
+			PLUGIN_PROVIDE(NONCE_GEN),
+		PLUGIN_REGISTER(DH, tkm_diffie_hellman_create),
+			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+		PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+	};
+	lib->plugins->add_static_features(lib->plugins, "tkm-tests", features,
+			countof(features), TRUE);
+
+	if (!charon->initialize(charon, PLUGINS))
+	{
+		fprintf(stderr, "Unable to init charon");
+		return EXIT_FAILURE;
+	}
+
+	if (!tkm_init())
+	{
+		fprintf(stderr, "Could not connect to TKM, aborting tests\n");
+		return EXIT_FAILURE;
+	}
+
+	int number_failed;
+	Suite *s = suite_create("TKM tests");
+	suite_add_tcase(s, make_id_manager_tests());
+	suite_add_tcase(s, make_chunk_map_tests());
+	suite_add_tcase(s, make_utility_tests());
+	suite_add_tcase(s, make_nonceg_tests());
+	suite_add_tcase(s, make_diffie_hellman_tests());
+	suite_add_tcase(s, make_keymat_tests());
+	suite_add_tcase(s, make_kernel_sad_tests());
+
+	SRunner *sr = srunner_create(s);
+
+	srunner_run_all(sr, CK_NORMAL);
+	number_failed = srunner_ntests_failed(sr);
+
+	tkm_deinit();
+	libcharon_deinit();
+	libhydra_deinit();
+	library_deinit();
+	srunner_free(sr);
+
+	return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff --git a/src/charon-tkm/tests/test_runner.h b/src/charon-tkm/tests/test_runner.h
new file mode 100644
index 000000000..236a7f2a6
--- /dev/null
+++ b/src/charon-tkm/tests/test_runner.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TEST_RUNNER_H_
+#define TEST_RUNNER_H_
+
+#include <check.h>
+
+TCase *make_id_manager_tests(void);
+TCase *make_chunk_map_tests(void);
+TCase *make_utility_tests(void);
+TCase *make_nonceg_tests(void);
+TCase *make_diffie_hellman_tests(void);
+TCase *make_keymat_tests(void);
+TCase *make_kernel_sad_tests(void);
+
+#endif /** TEST_RUNNER_H_ */
diff --git a/src/charon-tkm/tests/utils_tests.c b/src/charon-tkm/tests/utils_tests.c
new file mode 100644
index 000000000..b3ead7633
--- /dev/null
+++ b/src/charon-tkm/tests/utils_tests.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <check.h>
+#include <tkm/types.h>
+
+#include "tkm_utils.h"
+
+START_TEST(test_sequence_to_chunk)
+{
+	key_type key = {5, {0, 1, 2, 3, 4}};
+	chunk_t chunk = chunk_empty;
+
+	sequence_to_chunk(key.data, key.size, &chunk);
+	fail_if(chunk.len != key.size, "Chunk size mismatch");
+
+	uint32_t i;
+	for (i = 0; i < key.size; i++)
+	{
+		fail_if(chunk.ptr[i] != i, "Data mismatch");
+	}
+	chunk_free(&chunk);
+}
+END_TEST
+
+START_TEST(test_chunk_to_sequence)
+{
+	chunk_t chunk = chunk_from_thing("ABCDEFGH");
+	key_type key;
+
+	chunk_to_sequence(&chunk, &key, sizeof(key_type));
+	fail_if(key.size != chunk.len, "Seq size mismatch");
+
+	uint32_t i;
+	for (i = 0; i < key.size - 1; i++)
+	{
+		fail_if(key.data[i] != 65 + i, "Data mismatch (1)");
+	}
+	fail_if(key.data[key.size - 1] != 0, "Data mismatch (2)");
+}
+END_TEST
+
+TCase *make_utility_tests(void)
+{
+	TCase *tc = tcase_create("Utility tests");
+	tcase_add_test(tc, test_sequence_to_chunk);
+	tcase_add_test(tc, test_chunk_to_sequence);
+
+	return tc;
+}
diff --git a/src/charon/Android.mk b/src/charon/Android.mk
index eb7eca9dd..1dd27d534 100644
--- a/src/charon/Android.mk
+++ b/src/charon/Android.mk
@@ -13,7 +13,8 @@ LOCAL_C_INCLUDES += \
 	$(strongswan_PATH)/src/libcharon \
 	$(strongswan_PATH)/src/libstrongswan
 
-LOCAL_CFLAGS := $(strongswan_CFLAGS)
+LOCAL_CFLAGS := $(strongswan_CFLAGS) \
+	-DPLUGINS='"$(strongswan_CHARON_PLUGINS)"'
 
 LOCAL_MODULE := charon
 
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 6481947f1..6c5b88eb8 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -3,14 +3,15 @@ ipsec_PROGRAMS = charon
 charon_SOURCES = \
 charon.c
 
-INCLUDES = \
+charon.o :	$(top_builddir)/config.status
+
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\"
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${charon_plugins}\""
 
 charon_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -19,4 +20,3 @@ charon_LDADD = \
 	-lm $(PTHREADLIB) $(DLLIB)
 
 EXTRA_DIST = Android.mk
-
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 5da167dfd..9da6d604b 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
@@ -62,42 +80,70 @@ charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(charon_SOURCES)
 DIST_SOURCES = $(charon_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -106,13 +152,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -125,6 +174,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -152,11 +202,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -164,6 +216,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -172,8 +225,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -182,14 +233,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -203,17 +259,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -223,16 +279,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -263,14 +318,13 @@ xml_LIBS = @xml_LIBS@
 charon_SOURCES = \
 charon.c
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\"
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${charon_plugins}\""
 
 charon_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -315,8 +369,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -356,9 +413,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES) 
+charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES) $(EXTRA_charon_DEPENDENCIES) 
 	@rm -f charon$(EXEEXT)
-	$(LINK) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -369,25 +426,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/charon.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -494,10 +551,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -597,6 +659,8 @@ uninstall-am: uninstall-ipsecPROGRAMS
 	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
 
 
+charon.o :	$(top_builddir)/config.status
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 6dbb0b592..340f852cd 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -17,21 +17,15 @@
  */
 
 #include <stdio.h>
-#ifdef HAVE_PRCTL
-#include <sys/prctl.h>
-#endif
 #define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
 #include <signal.h>
 #undef _POSIX_PTHREAD_SEMANTICS
 #include <pthread.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <syslog.h>
-#include <errno.h>
+#include <sys/utsname.h>
 #include <unistd.h>
 #include <getopt.h>
-#include <pwd.h>
-#include <grp.h>
 
 #include <hydra.h>
 #include <daemon.h>
@@ -44,21 +38,38 @@
 #include <private/android_filesystem_config.h> /* for AID_VPN */
 #endif
 
-#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
 /**
  * PID file, in which charon stores its process id
  */
 #define PID_FILE IPSEC_PIDDIR "/charon.pid"
 
 /**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
+/**
  * Global reference to PID file (required to truncate, if undeletable)
  */
 static FILE *pidfile = NULL;
 
 /**
+ * Log levels as defined via command line arguments
+ */
+static level_t levels[DBG_MAX];
+
+/**
+ * Whether to only use syslog when logging
+ */
+static bool use_syslog = FALSE;
+
+/**
  * hook in library for debugging messages
  */
 extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
@@ -113,6 +124,7 @@ static void run()
 					 "configuration");
 				if (lib->settings->load_files(lib->settings, NULL, FALSE))
 				{
+					charon->load_loggers(charon, levels, !use_syslog);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
@@ -143,67 +155,24 @@ static void run()
 }
 
 /**
- * drop daemon capabilities
+ * lookup UID and GID
  */
-static bool drop_capabilities()
+static bool lookup_uid_gid()
 {
-#ifdef HAVE_PRCTL
-	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
-#endif
+	char *name;
 
-	if (setgid(charon->gid) != 0)
+	name = lib->settings->get_str(lib->settings, "charon.user", IPSEC_USER);
+	if (name && !lib->caps->resolve_uid(lib->caps, name))
 	{
-		DBG1(DBG_DMN, "change to unprivileged group failed");
 		return FALSE;
 	}
-	if (setuid(charon->uid) != 0)
+	name = lib->settings->get_str(lib->settings, "charon.group", IPSEC_GROUP);
+	if (name && !lib->caps->resolve_gid(lib->caps, name))
 	{
-		DBG1(DBG_DMN, "change to unprivileged user failed");
 		return FALSE;
 	}
-	if (!charon->drop_capabilities(charon))
-	{
-		DBG1(DBG_DMN, "unable to drop daemon capabilities");
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * lookup UID and GID
- */
-static bool lookup_uid_gid()
-{
-#ifdef IPSEC_USER
-	{
-		char buf[1024];
-		struct passwd passwd, *pwp;
-
-		if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
-			pwp == NULL)
-		{
-			DBG1(DBG_DMN, "resolving user '"IPSEC_USER"' failed");
-			return FALSE;
-		}
-		charon->uid = pwp->pw_uid;
-	}
-#endif
-#ifdef IPSEC_GROUP
-	{
-		char buf[1024];
-		struct group group, *grp;
-
-		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
-			grp == NULL)
-		{
-			DBG1(DBG_DMN, "resolving group '"IPSEC_GROUP"' failed");
-			return FALSE;
-		}
-		charon->gid = grp->gr_gid;
-	}
-#endif
 #ifdef ANDROID
-	charon->uid = AID_VPN;
+	lib->caps->set_uid(lib->caps, AID_VPN);
 #endif
 	return TRUE;
 }
@@ -217,6 +186,7 @@ static void segv_handler(int signal)
 
 	DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
 	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, NULL, TRUE);
 	backtrace->log(backtrace, stderr, TRUE);
 	backtrace->destroy(backtrace);
 
@@ -259,7 +229,9 @@ static bool check_pidfile()
 	pidfile = fopen(PID_FILE, "w");
 	if (pidfile)
 	{
-		ignore_result(fchown(fileno(pidfile), charon->uid, charon->gid));
+		ignore_result(fchown(fileno(pidfile),
+							 lib->caps->get_uid(lib->caps),
+							 lib->caps->get_gid(lib->caps)));
 		fprintf(pidfile, "%d\n", getpid());
 		fflush(pidfile);
 	}
@@ -284,141 +256,6 @@ static void unlink_pidfile()
 }
 
 /**
- * Initialize logging
- */
-static void initialize_loggers(bool use_stderr, level_t levels[])
-{
-	sys_logger_t *sys_logger;
-	file_logger_t *file_logger;
-	enumerator_t *enumerator;
-	char *identifier, *facility, *filename;
-	int loggers_defined = 0;
-	debug_t group;
-	level_t  def;
-	bool append, ike_name;
-	FILE *file;
-
-	/* setup sysloggers */
-	identifier = lib->settings->get_str(lib->settings,
-										"charon.syslog.identifier", NULL);
-	if (identifier)
-	{	/* set identifier, which is prepended to each log line */
-		openlog(identifier, 0, 0);
-	}
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.syslog");
-	while (enumerator->enumerate(enumerator, &facility))
-	{
-		loggers_defined++;
-
-		ike_name = lib->settings->get_bool(lib->settings,
-								"charon.syslog.%s.ike_name", FALSE, facility);
-		if (streq(facility, "daemon"))
-		{
-			sys_logger = sys_logger_create(LOG_DAEMON, ike_name);
-		}
-		else if (streq(facility, "auth"))
-		{
-			sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name);
-		}
-		else
-		{
-			continue;
-		}
-		def = lib->settings->get_int(lib->settings,
-									 "charon.syslog.%s.default", 1, facility);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.syslog.%s.%N", def,
-									   facility, debug_lower_names, group));
-		}
-		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
-		charon->bus->add_listener(charon->bus, &sys_logger->listener);
-	}
-	enumerator->destroy(enumerator);
-
-	/* and file loggers */
-	enumerator = lib->settings->create_section_enumerator(lib->settings,
-														  "charon.filelog");
-	while (enumerator->enumerate(enumerator, &filename))
-	{
-		loggers_defined++;
-		if (streq(filename, "stderr"))
-		{
-			file = stderr;
-		}
-		else if (streq(filename, "stdout"))
-		{
-			file = stdout;
-		}
-		else
-		{
-			append = lib->settings->get_bool(lib->settings,
-									"charon.filelog.%s.append", TRUE, filename);
-			file = fopen(filename, append ? "a" : "w");
-			if (file == NULL)
-			{
-				DBG1(DBG_DMN, "opening file %s for logging failed: %s",
-					 filename, strerror(errno));
-				continue;
-			}
-			if (lib->settings->get_bool(lib->settings,
-							"charon.filelog.%s.flush_line", FALSE, filename))
-			{
-				setlinebuf(file);
-			}
-		}
-		file_logger = file_logger_create(file,
-						lib->settings->get_str(lib->settings,
-							"charon.filelog.%s.time_format", NULL, filename),
-						lib->settings->get_bool(lib->settings,
-							"charon.filelog.%s.ike_name", FALSE, filename));
-		def = lib->settings->get_int(lib->settings,
-									 "charon.filelog.%s.default", 1, filename);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			file_logger->set_level(file_logger, group,
-				lib->settings->get_int(lib->settings,
-									   "charon.filelog.%s.%N", def,
-									   filename, debug_lower_names, group));
-		}
-		charon->file_loggers->insert_last(charon->file_loggers, file_logger);
-		charon->bus->add_listener(charon->bus, &file_logger->listener);
-
-	}
-	enumerator->destroy(enumerator);
-
-	/* set up legacy style default loggers provided via command-line */
-	if (!loggers_defined)
-	{
-		/* set up default stdout file_logger */
-		file_logger = file_logger_create(stdout, NULL, FALSE);
-		charon->bus->add_listener(charon->bus, &file_logger->listener);
-		charon->file_loggers->insert_last(charon->file_loggers, file_logger);
-		/* set up default daemon sys_logger */
-		sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
-		charon->bus->add_listener(charon->bus, &sys_logger->listener);
-		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
-		for (group = 0; group < DBG_MAX; group++)
-		{
-			sys_logger->set_level(sys_logger, group, levels[group]);
-			if (use_stderr)
-			{
-				file_logger->set_level(file_logger, group, levels[group]);
-			}
-		}
-
-		/* set up default auth sys_logger */
-		sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE);
-		charon->bus->add_listener(charon->bus, &sys_logger->listener);
-		charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
-		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
-	}
-}
-
-/**
  * print command line usage and exit
  */
 static void usage(const char *msg)
@@ -432,7 +269,7 @@ static void usage(const char *msg)
 					"         [--version]\n"
 					"         [--use-syslog]\n"
 					"         [--debug-<type> <level>]\n"
-					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|tnc|imc|imv|pts|tls|lib)\n"
+					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|tnc|imc|imv|pts|tls|esp|lib)\n"
 					"           <level>: log verbosity (-1 = silent, 0 = audit, 1 = control,\n"
 					"                                    2 = controlmore, 3 = raw, 4 = private)\n"
 					"\n"
@@ -445,9 +282,8 @@ static void usage(const char *msg)
 int main(int argc, char *argv[])
 {
 	struct sigaction action;
-	bool use_syslog = FALSE;
-	level_t levels[DBG_MAX];
 	int group, status = SS_RC_INITIALIZATION_FAILED;
+	struct utsname utsname;
 
 	/* logging for library during initialization, as we have no bus yet */
 	dbg = dbg_stderr;
@@ -475,7 +311,7 @@ int main(int argc, char *argv[])
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 
-	if (!libcharon_init())
+	if (!libcharon_init("charon"))
 	{
 		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
 		goto deinit;
@@ -510,6 +346,7 @@ int main(int argc, char *argv[])
 			{ "debug-imv", required_argument, &group, DBG_IMV },
 			{ "debug-pts", required_argument, &group, DBG_PTS },
 			{ "debug-tls", required_argument, &group, DBG_TLS },
+			{ "debug-esp", required_argument, &group, DBG_ESP },
 			{ "debug-lib", required_argument, &group, DBG_LIB },
 			{ 0,0,0,0 }
 		};
@@ -548,23 +385,39 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	initialize_loggers(!use_syslog, levels);
+	charon->load_loggers(charon, levels, !use_syslog);
+
+	if (uname(&utsname) != 0)
+	{
+		memset(&utsname, 0, sizeof(utsname));
+	}
+	DBG1(DBG_DMN, "Starting IKE charon daemon (strongSwan "VERSION", %s %s, %s)",
+		  utsname.sysname, utsname.release, utsname.machine);
+	if (lib->integrity)
+	{
+		DBG1(DBG_DMN, "integrity tests enabled:");
+		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
+		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
+	}
 
 	/* initialize daemon */
-	if (!charon->initialize(charon))
+	if (!charon->initialize(charon,
+				lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
 	{
 		DBG1(DBG_DMN, "initialization failed - aborting charon");
 		goto deinit;
 	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
 	if (check_pidfile())
 	{
 		DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
-		status = -1;
 		goto deinit;
 	}
 
-	if (!drop_capabilities())
+	if (!lib->caps->drop(lib->caps))
 	{
 		DBG1(DBG_DMN, "capability dropping failed - aborting charon");
 		goto deinit;
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 58292a45a..ddb0ea65b 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -13,12 +13,14 @@ checksum_builder_LDADD = \
 	$(DLLIB)
 
 CLEANFILES = checksum.c
-INCLUDES = \
+
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libcharon \
+	-DPLUGINDIR=\"${DESTDIR}${plugindir}\"
+
 AM_CFLAGS = \
-	-DPLUGINDIR=\"${plugindir}\" \
 	-rdynamic
 
 # we keep track of build dependencies in deps and use libs to store the paths
@@ -29,17 +31,22 @@ libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so
 exes =
 
 if !MONOLITHIC
-  AM_CFLAGS += -DS_PLUGINS=\""${s_plugins}\""
+  AM_CPPFLAGS += -DS_PLUGINS=\""${s_plugins}\""
 endif
 
 if USE_LIBHYDRA
   deps += $(top_builddir)/src/libhydra/libhydra.la
   libs += $(DESTDIR)$(ipseclibdir)/libhydra.so
 if !MONOLITHIC
-  AM_CFLAGS += -DH_PLUGINS=\""${h_plugins}\""
+  AM_CPPFLAGS += -DH_PLUGINS=\""${h_plugins}\""
 endif
 endif
 
+if USE_LIBIPSEC
+  deps += $(top_builddir)/src/libipsec/libipsec.la
+  libs += $(DESTDIR)$(ipseclibdir)/libipsec.so
+endif
+
 if USE_TLS
   deps += $(top_builddir)/src/libtls/libtls.la
   libs += $(DESTDIR)$(ipseclibdir)/libtls.so
@@ -75,13 +82,12 @@ if USE_CHARON
   libs += $(DESTDIR)$(ipseclibdir)/libcharon.so
   exes += $(top_builddir)/src/charon/.libs/charon
 if !MONOLITHIC
-  AM_CFLAGS += -DC_PLUGINS=\""${c_plugins}\""
+  AM_CPPFLAGS += -DC_PLUGINS=\""${c_plugins}\""
 endif
 endif
 
-if USE_PLUTO
-  exes += $(top_builddir)/src/pluto/.libs/pluto
-  AM_CFLAGS += -DP_PLUGINS=\""${p_plugins}\""
+if USE_CMD
+  exes += $(top_builddir)/src/charon-cmd/.libs/charon-cmd
 endif
 
 if USE_TOOLS
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 8c89fc615..b45879f94 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -40,30 +57,31 @@ noinst_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_LIBHYDRA_TRUE@am__append_2 = $(top_builddir)/src/libhydra/libhydra.la
 @USE_LIBHYDRA_TRUE@am__append_3 = $(DESTDIR)$(ipseclibdir)/libhydra.so
 @MONOLITHIC_FALSE@@USE_LIBHYDRA_TRUE@am__append_4 = -DH_PLUGINS=\""${h_plugins}\""
-@USE_TLS_TRUE@am__append_5 = $(top_builddir)/src/libtls/libtls.la
-@USE_TLS_TRUE@am__append_6 = $(DESTDIR)$(ipseclibdir)/libtls.so
-@USE_RADIUS_TRUE@am__append_7 = $(top_builddir)/src/libradius/libradius.la
-@USE_RADIUS_TRUE@am__append_8 = $(DESTDIR)$(ipseclibdir)/libradius.so
-@USE_LIBTNCCS_TRUE@am__append_9 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_LIBTNCCS_TRUE@am__append_10 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
-@USE_SIMAKA_TRUE@am__append_11 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_SIMAKA_TRUE@am__append_12 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
-@USE_IMCV_TRUE@am__append_13 = $(top_builddir)/src/libimcv/libimcv.la
-@USE_IMCV_TRUE@am__append_14 = $(DESTDIR)$(ipseclibdir)/libimcv.so
-@USE_PTS_TRUE@am__append_15 = $(top_builddir)/src/libpts/libpts.la
-@USE_PTS_TRUE@am__append_16 = $(DESTDIR)$(ipseclibdir)/libpts.so
-@USE_CHARON_TRUE@am__append_17 = $(top_builddir)/src/libcharon/libcharon.la
-@USE_CHARON_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libcharon.so
-@USE_CHARON_TRUE@am__append_19 = $(top_builddir)/src/charon/.libs/charon
-@MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_20 = -DC_PLUGINS=\""${c_plugins}\""
-@USE_PLUTO_TRUE@am__append_21 = $(top_builddir)/src/pluto/.libs/pluto
-@USE_PLUTO_TRUE@am__append_22 = -DP_PLUGINS=\""${p_plugins}\""
-@USE_TOOLS_TRUE@am__append_23 =  \
+@USE_LIBIPSEC_TRUE@am__append_5 = $(top_builddir)/src/libipsec/libipsec.la
+@USE_LIBIPSEC_TRUE@am__append_6 = $(DESTDIR)$(ipseclibdir)/libipsec.so
+@USE_TLS_TRUE@am__append_7 = $(top_builddir)/src/libtls/libtls.la
+@USE_TLS_TRUE@am__append_8 = $(DESTDIR)$(ipseclibdir)/libtls.so
+@USE_RADIUS_TRUE@am__append_9 = $(top_builddir)/src/libradius/libradius.la
+@USE_RADIUS_TRUE@am__append_10 = $(DESTDIR)$(ipseclibdir)/libradius.so
+@USE_LIBTNCCS_TRUE@am__append_11 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_LIBTNCCS_TRUE@am__append_12 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
+@USE_SIMAKA_TRUE@am__append_13 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_SIMAKA_TRUE@am__append_14 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
+@USE_IMCV_TRUE@am__append_15 = $(top_builddir)/src/libimcv/libimcv.la
+@USE_IMCV_TRUE@am__append_16 = $(DESTDIR)$(ipseclibdir)/libimcv.so
+@USE_PTS_TRUE@am__append_17 = $(top_builddir)/src/libpts/libpts.la
+@USE_PTS_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libpts.so
+@USE_CHARON_TRUE@am__append_19 = $(top_builddir)/src/libcharon/libcharon.la
+@USE_CHARON_TRUE@am__append_20 = $(DESTDIR)$(ipseclibdir)/libcharon.so
+@USE_CHARON_TRUE@am__append_21 = $(top_builddir)/src/charon/.libs/charon
+@MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_22 = -DC_PLUGINS=\""${c_plugins}\""
+@USE_CMD_TRUE@am__append_23 = $(top_builddir)/src/charon-cmd/.libs/charon-cmd
+@USE_TOOLS_TRUE@am__append_24 =  \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/openac/.libs/openac \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/pki/.libs/pki \
 @USE_TOOLS_TRUE@	$(top_builddir)/src/scepclient/.libs/scepclient
-@USE_ATTR_SQL_TRUE@am__append_24 = $(top_builddir)/src/libhydra/plugins/attr_sql/.libs/pool
-@USE_IMV_ATTESTATION_TRUE@am__append_25 = $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
+@USE_ATTR_SQL_TRUE@am__append_25 = $(top_builddir)/src/libhydra/plugins/attr_sql/.libs/pool
+@USE_IMV_ATTESTATION_TRUE@am__append_26 = $(top_builddir)/src/libpts/plugins/imv_attestation/.libs/attest
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -75,10 +93,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -102,14 +121,24 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libchecksum_la_LIBADD =
 nodist_libchecksum_la_OBJECTS = checksum.lo
 libchecksum_la_OBJECTS = $(nodist_libchecksum_la_OBJECTS)
-libchecksum_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libchecksum_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libchecksum_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libchecksum_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
 PROGRAMS = $(noinst_PROGRAMS)
 am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT)
 checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
@@ -119,42 +148,67 @@ checksum_builder_DEPENDENCIES =  \
 	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(nodist_libchecksum_la_SOURCES) $(checksum_builder_SOURCES)
 DIST_SOURCES = $(checksum_builder_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -163,13 +217,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -182,6 +239,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -209,11 +267,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -221,6 +281,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -229,8 +290,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -239,14 +298,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -260,17 +324,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -280,16 +344,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -331,13 +394,13 @@ checksum_builder_LDADD = \
 	$(DLLIB)
 
 CLEANFILES = checksum.c
-INCLUDES = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon \
+	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
+	$(am__append_4) $(am__append_22)
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -DPLUGINDIR=\"${plugindir}\" -rdynamic $(am__append_1) \
-	$(am__append_4) $(am__append_20) $(am__append_22)
 
 # we keep track of build dependencies in deps and use libs to store the paths
 # to the installed libraries. for executables we use the built files directly
@@ -345,13 +408,13 @@ AM_CFLAGS = -DPLUGINDIR=\"${plugindir}\" -rdynamic $(am__append_1) \
 deps = $(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__append_2) $(am__append_5) $(am__append_7) \
 	$(am__append_9) $(am__append_11) $(am__append_13) \
-	$(am__append_15) $(am__append_17)
+	$(am__append_15) $(am__append_17) $(am__append_19)
 libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
 	$(am__append_6) $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
-	$(am__append_18)
-exes = $(am__append_19) $(am__append_21) $(am__append_23) \
-	$(am__append_24) $(am__append_25)
+	$(am__append_18) $(am__append_20)
+exes = $(am__append_21) $(am__append_23) $(am__append_24) \
+	$(am__append_25) $(am__append_26)
 all: all-am
 
 .SUFFIXES:
@@ -388,7 +451,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -396,6 +458,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -417,8 +481,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) 
-	$(libchecksum_la_LINK)  $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
+libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) $(EXTRA_libchecksum_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libchecksum_la_LINK)  $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
 
 clean-noinstPROGRAMS:
 	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
@@ -428,9 +492,9 @@ clean-noinstPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) 
+checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) $(EXTRA_checksum_builder_DEPENDENCIES) 
 	@rm -f checksum_builder$(EXEEXT)
-	$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -442,25 +506,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum_builder.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -567,10 +631,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index 670ec76bd..0d9e8fd85 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -21,7 +21,7 @@
 #include <library.h>
 #include <hydra.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /* we need to fake the pluto symbol to dlopen() the xauth plugin */
 void *pluto;
@@ -106,14 +106,16 @@ static void build_binary_checksum(char *path)
 		pos = strrchr(binary, '.');
 		if (pos && streq(pos, ".so"))
 		{
-			snprintf(name, sizeof(name), "%.*s\",", pos - binary, binary);
+			snprintf(name, sizeof(name), "%.*s\",", (int)(pos - binary),
+					 binary);
 			if (streq(name, "libstrongswan\","))
 			{
 				snprintf(sname, sizeof(sname), "%s", "library_init");
 			}
 			else
 			{
-				snprintf(sname, sizeof(sname), "%.*s_init", pos - binary, binary);
+				snprintf(sname, sizeof(sname), "%.*s_init", (int)(pos - binary),
+						 binary);
 			}
 			build_checksum(path, name, sname);
 		}
diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am
index 7eab0df27..2aafc7a6f 100644
--- a/src/conftest/Makefile.am
+++ b/src/conftest/Makefile.am
@@ -1,6 +1,10 @@
 ipsec_PROGRAMS = conftest
 
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = -rdynamic \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DPLUGINS=\""${charon_plugins}\""
 
 conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \
@@ -12,11 +16,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \
 	hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c
 
-INCLUDES = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la \
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 4efdeaad5..5e3713aa3 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
@@ -73,42 +91,70 @@ conftest_DEPENDENCIES =  \
 	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(conftest_SOURCES)
 DIST_SOURCES = $(conftest_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -117,13 +163,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -136,6 +185,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -163,11 +213,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -175,6 +227,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -183,8 +236,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -193,14 +244,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -214,17 +270,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -234,16 +290,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -271,7 +326,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = -rdynamic \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DPLUGINS=\""${charon_plugins}\""
+
 conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \
 	hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \
@@ -282,11 +342,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 	hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \
 	hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c
 
-INCLUDES = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la \
@@ -330,8 +385,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -371,9 +429,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) 
+conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) $(EXTRA_conftest_DEPENDENCIES) 
 	@rm -f conftest$(EXEEXT)
-	$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -409,347 +467,347 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unsort_message.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 ike_auth_fill.o: hooks/ike_auth_fill.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.o -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ike_auth_fill.c' object='ike_auth_fill.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.o -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ike_auth_fill.c' object='ike_auth_fill.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c
 
 ike_auth_fill.obj: hooks/ike_auth_fill.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.obj -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ike_auth_fill.c' object='ike_auth_fill.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.obj -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ike_auth_fill.c' object='ike_auth_fill.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi`
 
 unsort_message.o: hooks/unsort_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.o -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unsort_message.c' object='unsort_message.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.o -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unsort_message.c' object='unsort_message.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c
 
 unsort_message.obj: hooks/unsort_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.obj -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unsort_message.c' object='unsort_message.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.obj -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unsort_message.c' object='unsort_message.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi`
 
 add_notify.o: hooks/add_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.o -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_notify.c' object='add_notify.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.o -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_notify.c' object='add_notify.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c
 
 add_notify.obj: hooks/add_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.obj -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_notify.c' object='add_notify.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.obj -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_notify.c' object='add_notify.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi`
 
 unencrypted_notify.o: hooks/unencrypted_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.o -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unencrypted_notify.c' object='unencrypted_notify.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.o -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unencrypted_notify.c' object='unencrypted_notify.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c
 
 unencrypted_notify.obj: hooks/unencrypted_notify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.obj -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/unencrypted_notify.c' object='unencrypted_notify.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.obj -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/unencrypted_notify.c' object='unencrypted_notify.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi`
 
 ignore_message.o: hooks/ignore_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.o -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ignore_message.c' object='ignore_message.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.o -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ignore_message.c' object='ignore_message.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c
 
 ignore_message.obj: hooks/ignore_message.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.obj -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/ignore_message.c' object='ignore_message.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.obj -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/ignore_message.c' object='ignore_message.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi`
 
 add_payload.o: hooks/add_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.o -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_payload.c' object='add_payload.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.o -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_payload.c' object='add_payload.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c
 
 add_payload.obj: hooks/add_payload.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.obj -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/add_payload.c' object='add_payload.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.obj -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/add_payload.c' object='add_payload.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi`
 
 set_critical.o: hooks/set_critical.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.o -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_critical.c' object='set_critical.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.o -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_critical.c' object='set_critical.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c
 
 set_critical.obj: hooks/set_critical.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.obj -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_critical.c' object='set_critical.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.obj -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_critical.c' object='set_critical.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi`
 
 force_cookie.o: hooks/force_cookie.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.o -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/force_cookie.c' object='force_cookie.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.o -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/force_cookie.c' object='force_cookie.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c
 
 force_cookie.obj: hooks/force_cookie.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.obj -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/force_cookie.c' object='force_cookie.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.obj -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/force_cookie.c' object='force_cookie.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi`
 
 set_ike_version.o: hooks/set_ike_version.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.o -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_version.c' object='set_ike_version.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.o -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_version.c' object='set_ike_version.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c
 
 set_ike_version.obj: hooks/set_ike_version.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.obj -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_version.c' object='set_ike_version.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.obj -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_version.c' object='set_ike_version.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi`
 
 pretend_auth.o: hooks/pretend_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.o -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/pretend_auth.c' object='pretend_auth.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.o -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/pretend_auth.c' object='pretend_auth.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c
 
 pretend_auth.obj: hooks/pretend_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.obj -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/pretend_auth.c' object='pretend_auth.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.obj -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/pretend_auth.c' object='pretend_auth.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi`
 
 set_length.o: hooks/set_length.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.o -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_length.c' object='set_length.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.o -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_length.c' object='set_length.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c
 
 set_length.obj: hooks/set_length.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.obj -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_length.c' object='set_length.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.obj -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_length.c' object='set_length.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi`
 
 log_proposals.o: hooks/log_proposals.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.o -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_proposals.c' object='log_proposals.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.o -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_proposals.c' object='log_proposals.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c
 
 log_proposals.obj: hooks/log_proposals.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.obj -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_proposals.c' object='log_proposals.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.obj -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_proposals.c' object='log_proposals.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi`
 
 set_proposal_number.o: hooks/set_proposal_number.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.o -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_proposal_number.c' object='set_proposal_number.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.o -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_proposal_number.c' object='set_proposal_number.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c
 
 set_proposal_number.obj: hooks/set_proposal_number.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.obj -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_proposal_number.c' object='set_proposal_number.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.obj -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_proposal_number.c' object='set_proposal_number.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi`
 
 log_ke.o: hooks/log_ke.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.o -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ke.c' object='log_ke.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.o -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ke.c' object='log_ke.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c
 
 log_ke.obj: hooks/log_ke.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.obj -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ke.c' object='log_ke.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.obj -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ke.c' object='log_ke.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi`
 
 log_id.o: hooks/log_id.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.o -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_id.c' object='log_id.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.o -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_id.c' object='log_id.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c
 
 log_id.obj: hooks/log_id.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.obj -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_id.c' object='log_id.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.obj -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_id.c' object='log_id.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi`
 
 custom_proposal.o: hooks/custom_proposal.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.o -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/custom_proposal.c' object='custom_proposal.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.o -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/custom_proposal.c' object='custom_proposal.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c
 
 custom_proposal.obj: hooks/custom_proposal.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.obj -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/custom_proposal.c' object='custom_proposal.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.obj -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/custom_proposal.c' object='custom_proposal.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi`
 
 set_ike_spi.o: hooks/set_ike_spi.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.o -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_spi.c' object='set_ike_spi.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.o -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_spi.c' object='set_ike_spi.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c
 
 set_ike_spi.obj: hooks/set_ike_spi.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.obj -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_spi.c' object='set_ike_spi.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.obj -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_spi.c' object='set_ike_spi.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi`
 
 set_ike_request.o: hooks/set_ike_request.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.o -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_request.c' object='set_ike_request.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.o -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_request.c' object='set_ike_request.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c
 
 set_ike_request.obj: hooks/set_ike_request.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.obj -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_request.c' object='set_ike_request.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.obj -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_request.c' object='set_ike_request.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi`
 
 set_reserved.o: hooks/set_reserved.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.o -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_reserved.c' object='set_reserved.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.o -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_reserved.c' object='set_reserved.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c
 
 set_reserved.obj: hooks/set_reserved.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.obj -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_reserved.c' object='set_reserved.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.obj -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_reserved.c' object='set_reserved.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi`
 
 set_ike_initiator.o: hooks/set_ike_initiator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.o -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_initiator.c' object='set_ike_initiator.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.o -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_initiator.c' object='set_ike_initiator.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c
 
 set_ike_initiator.obj: hooks/set_ike_initiator.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.obj -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/set_ike_initiator.c' object='set_ike_initiator.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.obj -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/set_ike_initiator.c' object='set_ike_initiator.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi`
 
 log_ts.o: hooks/log_ts.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.o -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ts.c' object='log_ts.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.o -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ts.c' object='log_ts.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c
 
 log_ts.obj: hooks/log_ts.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.obj -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/log_ts.c' object='log_ts.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.obj -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/log_ts.c' object='log_ts.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi`
 
 rebuild_auth.o: hooks/rebuild_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.o -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/rebuild_auth.c' object='rebuild_auth.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.o -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/rebuild_auth.c' object='rebuild_auth.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c
 
 rebuild_auth.obj: hooks/rebuild_auth.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.obj -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/rebuild_auth.c' object='rebuild_auth.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.obj -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/rebuild_auth.c' object='rebuild_auth.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi`
 
 reset_seq.o: hooks/reset_seq.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.o -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/reset_seq.c' object='reset_seq.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.o -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/reset_seq.c' object='reset_seq.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c
 
 reset_seq.obj: hooks/reset_seq.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.obj -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hooks/reset_seq.c' object='reset_seq.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.obj -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hooks/reset_seq.c' object='reset_seq.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -856,10 +914,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/conftest/README b/src/conftest/README
index e2156921f..617195df9 100644
--- a/src/conftest/README
+++ b/src/conftest/README
@@ -98,9 +98,10 @@ The IKE_SA configuration uses the following options (as key/value pairs):
                   src/libstrongswan/crypt/proposal/proposal_keywords.txt
   fake_nat:       Fake the NAT_DETECTION_*_IP payloads to simulate a NAT
                   scenario
-  rsa_strength:   connection requires a trustchain with RSA keys of given bits
-  ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits
-  cert_policy:    connection requries a certificate with the given OID policy
+  rsa_strength:   Connection requires a trustchain with RSA keys of given bits
+  ecdsa_strength: Connection requires a trustchain with ECDSA keys of given bits
+  cert_policy:    Connection requries a certificate with the given OID policy
+  named_pool:     Name of an IP pool defined e.g. in a database backend
 
 The following CHILD_SA specific configuration options are supported:
 
@@ -109,6 +110,7 @@ The following CHILD_SA specific configuration options are supported:
   transport:   Propose IPsec transport mode instead of tunnel mode
   tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the
                given length
+  proposal:    CHILD_SA proposal list, same syntax as IKE_SA proposal list
 
 6. Credentials
 --------------
@@ -238,6 +240,7 @@ Currently, the following hooks are defined with the following options:
   rebuild_auth:       rebuild AUTH payload, i.e. if ID payload changed
   reset_seq:          Reset sequence numbers of an ESP SA
     delay:            Seconds to delay reset after SA established
+    oseq:             Sequence number to set, default is 0
   set_critical:       Set critical bit on existing payloads:
     request:          yes to set in request, no in response
     id:               IKEv2 message identifier of message to mangle payloads
diff --git a/src/conftest/config.c b/src/conftest/config.c
index 952141211..7f05e9c72 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -101,12 +101,13 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
 	proposal_t *proposal;
 	char *token;
 
-	ike_cfg = ike_cfg_create(TRUE,
+	ike_cfg = ike_cfg_create(IKEV2, TRUE,
 		settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
-		settings->get_str(settings, "configs.%s.lhost", "%any", config),
+		settings->get_str(settings, "configs.%s.lhost", "%any", config), FALSE,
 		settings->get_int(settings, "configs.%s.lport", 500, config),
-		settings->get_str(settings, "configs.%s.rhost", "%any", config),
-		settings->get_int(settings, "configs.%s.rport", 500, config));
+		settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
+		settings->get_int(settings, "configs.%s.rport", 500, config),
+		FRAGMENTATION_NO, 0);
 	token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
 	if (token)
 	{
@@ -143,9 +144,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 	proposal_t *proposal;
 	traffic_selector_t *ts;
 	ipsec_mode_t mode = MODE_TUNNEL;
-	host_t *net;
 	char *token;
-	int bits;
 	u_int32_t tfc;
 
 	if (settings->get_bool(settings, "configs.%s.%s.transport",
@@ -183,16 +182,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	}
 
-	token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config);
+	token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
 	if (token)
 	{
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			net = host_create_from_subnet(token, &bits);
-			if (net)
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
+			if (ts)
 			{
-				ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
 				child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 			}
 			else
@@ -208,16 +206,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 	}
 
-	token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config);
+	token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config, child);
 	if (token)
 	{
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			net = host_create_from_subnet(token, &bits);
-			if (net)
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
+			if (ts)
 			{
-				ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
 				child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 			}
 			else
@@ -247,13 +244,13 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 	child_cfg_t *child_cfg;
 	enumerator_t *enumerator;
 	identification_t *lid, *rid;
-	char *child, *policy;
+	char *child, *policy, *pool;
 	uintptr_t strength;
 
 	ike_cfg = load_ike_config(this, settings, config);
-	peer_cfg = peer_cfg_create(config, 2, ike_cfg, CERT_ALWAYS_SEND,
-							   UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, 0,
-							   NULL, NULL, FALSE, NULL, NULL);
+	peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
+							   UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0,
+							   FALSE, NULL, NULL);
 
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
@@ -266,12 +263,12 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 	rid = identification_create_from_string(
 				settings->get_str(settings, "configs.%s.rid", "%any", config));
-	strength = settings->get_int(settings, "configs.%s.rsa_strength", 0);
+	strength = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);
 	if (strength)
 	{
 		auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
 	}
-	strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0);
+	strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0, config);
 	if (strength)
 	{
 		auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
@@ -283,6 +280,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 	}
 	auth->add(auth, AUTH_RULE_IDENTITY, rid);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+	pool = settings->get_str(settings, "configs.%s.named_pool", NULL, config);
+	if (pool)
+	{
+		peer_cfg->add_pool(peer_cfg, pool);
+	}
 
 	DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid);
 
diff --git a/src/conftest/config.h b/src/conftest/config.h
index 2a62b9ce0..ce9e24586 100644
--- a/src/conftest/config.h
+++ b/src/conftest/config.h
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup config config
+ * @defgroup config_t config
  * @{ @ingroup conftest
  */
 
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index 48bf9681f..8d2060c66 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -26,6 +26,7 @@
 #include "config.h"
 #include "hooks/hook.h"
 
+#include <bus/listeners/file_logger.h>
 #include <threading/thread.h>
 #include <credentials/certificates/x509.h>
 
@@ -289,7 +290,8 @@ static bool load_hooks()
 		pos = strchr(name, '-');
 		if (pos)
 		{
-			snprintf(buf, sizeof(buf), "%.*s_hook_create", pos - name, name);
+			snprintf(buf, sizeof(buf), "%.*s_hook_create", (int)(pos - name),
+					 name);
 		}
 		else
 		{
@@ -321,6 +323,7 @@ static bool load_hooks()
  */
 static void cleanup()
 {
+	file_logger_t *logger;
 	hook_t *hook;
 
 	DESTROY_IF(conftest->test);
@@ -343,6 +346,13 @@ static void cleanup()
 		}
 		conftest->config->destroy(conftest->config);
 	}
+	while (conftest->loggers->remove_last(conftest->loggers,
+										  (void**)&logger) == SUCCESS)
+	{
+		charon->bus->remove_logger(charon->bus, &logger->logger);
+		logger->destroy(logger);
+	}
+	conftest->loggers->destroy(conftest->loggers);
 	free(conftest->suite_dir);
 	free(conftest);
 	libcharon_deinit();
@@ -368,32 +378,46 @@ static void load_log_levels(file_logger_t *logger, char *section)
 }
 
 /**
+ * Load logger options for a logger from section
+ */
+static void load_logger_options(file_logger_t *logger, char *section)
+{
+	bool ike_name;
+	char *time_format;
+
+	time_format = conftest->test->get_str(conftest->test,
+					"log.%s.time_format", NULL, section);
+	ike_name = conftest->test->get_bool(conftest->test,
+					"log.%s.ike_name", FALSE, section);
+
+	logger->set_options(logger, time_format, ike_name);
+}
+
+/**
  * Load logger configuration
  */
 static void load_loggers(file_logger_t *logger)
 {
 	enumerator_t *enumerator;
 	char *section;
-	FILE *file;
 
 	load_log_levels(logger, "stdout");
+	load_logger_options(logger, "stdout");
+	/* Re-add the logger to propagate configuration changes to the
+	 * logging system */
+	charon->bus->add_logger(charon->bus, &logger->logger);
 
 	enumerator = conftest->test->create_section_enumerator(conftest->test, "log");
 	while (enumerator->enumerate(enumerator, &section))
 	{
 		if (!streq(section, "stdout"))
 		{
-			file = fopen(section, "w");
-			if (file == NULL)
-			{
-				fprintf(stderr, "opening file %s for logging failed: %s",
-						section, strerror(errno));
-				continue;
-			}
-			logger = file_logger_create(file, NULL, FALSE);
+			logger = file_logger_create(section);
+			load_logger_options(logger, section);
+			logger->open(logger, FALSE, FALSE);
 			load_log_levels(logger, section);
-			charon->bus->add_listener(charon->bus, &logger->listener);
-			charon->file_loggers->insert_last(charon->file_loggers, logger);
+			charon->bus->add_logger(charon->bus, &logger->logger);
+			conftest->loggers->insert_last(conftest->loggers, logger);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -422,7 +446,7 @@ int main(int argc, char *argv[])
 		library_deinit();
 		return SS_RC_INITIALIZATION_FAILED;
 	}
-	if (!libcharon_init())
+	if (!libcharon_init("conftest"))
 	{
 		libcharon_deinit();
 		libhydra_deinit();
@@ -432,16 +456,18 @@ int main(int argc, char *argv[])
 
 	INIT(conftest,
 		.creds = mem_cred_create(),
+		.config = config_create(),
+		.hooks = linked_list_create(),
+		.loggers = linked_list_create(),
 	);
+	lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
 
-	logger = file_logger_create(stdout, NULL, FALSE);
+	logger = file_logger_create("stdout");
+	logger->set_options(logger, NULL, FALSE);
+	logger->open(logger, FALSE, FALSE);
 	logger->set_level(logger, DBG_ANY, LEVEL_CTRL);
-	charon->bus->add_listener(charon->bus, &logger->listener);
-	charon->file_loggers->insert_last(charon->file_loggers, logger);
-
-	lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
-	conftest->hooks = linked_list_create();
-	conftest->config = config_create();
+	charon->bus->add_logger(charon->bus, &logger->logger);
+	conftest->loggers->insert_last(conftest->loggers, logger);
 
 	atexit(cleanup);
 
@@ -483,15 +509,17 @@ int main(int argc, char *argv[])
 	}
 	load_loggers(logger);
 
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			conftest->test->get_str(conftest->test, "preload", "")))
 	{
 		return 1;
 	}
-	if (!charon->initialize(charon))
+	if (!charon->initialize(charon, PLUGINS))
 	{
 		return 1;
 	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
 	if (!load_certs(conftest->test, conftest->suite_dir))
 	{
 		return 1;
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
index 2caf9b3ce..6bbdabd07 100644
--- a/src/conftest/conftest.h
+++ b/src/conftest/conftest.h
@@ -64,6 +64,11 @@ struct conftest_t {
 	 * Action handling
 	 */
 	actions_t *actions;
+
+	/**
+	 * Test specific loggers
+	 */
+	linked_list_t *loggers;
 };
 
 /**
diff --git a/src/conftest/hooks/add_notify.c b/src/conftest/hooks/add_notify.c
index de46ca81f..9611cad6c 100644
--- a/src/conftest/hooks/add_notify.c
+++ b/src/conftest/hooks/add_notify.c
@@ -60,9 +60,9 @@ struct private_add_notify_t {
 
 METHOD(listener_t, message, bool,
 	private_add_notify_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
@@ -85,11 +85,11 @@ METHOD(listener_t, message, bool,
 			data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2);
 			data = chunk_from_hex(data, NULL);
 		}
-		else if (this->data && strlen(this->data))
+		else if (strlen(this->data))
 		{
 			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
 		}
-		notify = notify_payload_create_from_protocol_and_type(
+		notify = notify_payload_create_from_protocol_and_type(NOTIFY,
 									this->esp ? PROTO_ESP : PROTO_IKE, type);
 		notify->set_spi(notify, this->spi);
 		if (data.len)
diff --git a/src/conftest/hooks/add_payload.c b/src/conftest/hooks/add_payload.c
index 03a47cc23..2903bb20f 100644
--- a/src/conftest/hooks/add_payload.c
+++ b/src/conftest/hooks/add_payload.c
@@ -62,9 +62,9 @@ struct private_add_payload_t {
 
 METHOD(listener_t, message, bool,
 	private_add_payload_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
@@ -103,7 +103,7 @@ METHOD(listener_t, message, bool,
 			data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2);
 			data = chunk_from_hex(data, NULL);
 		}
-		else if (this->data && strlen(this->data))
+		else if (strlen(this->data))
 		{
 			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
 		}
diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c
index e4acd841f..38d4286c4 100644
--- a/src/conftest/hooks/custom_proposal.c
+++ b/src/conftest/hooks/custom_proposal.c
@@ -19,7 +19,6 @@
 
 #include <encoding/payloads/sa_payload.h>
 #include <config/proposal.h>
-#include <crypto/proposal/proposal_keywords.h>
 
 typedef struct private_custom_proposal_t private_custom_proposal_t;
 
@@ -91,7 +90,7 @@ static linked_list_t* load_proposals(private_custom_proposal_t *this,
 			alg = strtoul(value, &end, 10);
 			if (end == value || errno)
 			{
-				token = proposal_get_token(value, strlen(value));
+				token = lib->proposal->get_token(lib->proposal, value);
 				if (!token)
 				{
 					DBG1(DBG_CFG, "unknown algorithm: '%s', skipped", value);
@@ -111,9 +110,9 @@ static linked_list_t* load_proposals(private_custom_proposal_t *this,
 
 METHOD(listener_t, message, bool,
 	private_custom_proposal_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
@@ -145,7 +144,7 @@ METHOD(listener_t, message, bool,
 										   proposal->get_protocol(proposal),
 										   proposal->get_spi(proposal));
 				DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props);
-				new = sa_payload_create_from_proposal_list(new_props);
+				new = sa_payload_create_from_proposals_v2(new_props);
 				message->add_payload(message, (payload_t*)new);
 				new_props->destroy_offset(new_props, offsetof(proposal_t, destroy));
 			}
diff --git a/src/conftest/hooks/force_cookie.c b/src/conftest/hooks/force_cookie.c
index e34f82851..1b044db14 100644
--- a/src/conftest/hooks/force_cookie.c
+++ b/src/conftest/hooks/force_cookie.c
@@ -32,9 +32,9 @@ struct private_force_cookie_t {
 
 METHOD(listener_t, message, bool,
 	private_force_cookie_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (incoming && message->get_request(message) &&
+	if (incoming && plain && message->get_request(message) &&
 		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		enumerator_t *enumerator;
@@ -68,7 +68,7 @@ METHOD(listener_t, message, bool,
 			chunk_t data = chunk_from_thing("COOKIE test data");
 
 			DBG1(DBG_CFG, "sending COOKIE: %#B", &data);
-			response = message_create();
+			response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
 			dst = message->get_source(message);
 			src = message->get_destination(message);
 			response->set_source(response, src->clone(src));
diff --git a/src/conftest/hooks/hook.h b/src/conftest/hooks/hook.h
index 39a15f21b..b93711726 100644
--- a/src/conftest/hooks/hook.h
+++ b/src/conftest/hooks/hook.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup hook hook
- * @{ @ingroup hooks
+ * @defgroup hook_t hook
+ * @{ @ingroup conftest
  */
 
 #ifndef HOOK_H_
diff --git a/src/conftest/hooks/ignore_message.c b/src/conftest/hooks/ignore_message.c
index 210f3ac50..3cb5f2059 100644
--- a/src/conftest/hooks/ignore_message.c
+++ b/src/conftest/hooks/ignore_message.c
@@ -45,9 +45,9 @@ struct private_ignore_message_t {
 
 METHOD(listener_t, message, bool,
 	private_ignore_message_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (incoming == this->in &&
+	if (incoming == this->in && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/conftest/hooks/ike_auth_fill.c b/src/conftest/hooks/ike_auth_fill.c
index 2843d60c1..09590d4f3 100644
--- a/src/conftest/hooks/ike_auth_fill.c
+++ b/src/conftest/hooks/ike_auth_fill.c
@@ -51,7 +51,10 @@ struct private_ike_auth_fill_t {
 
 /** size of non ESP-Marker */
 #define NON_ESP_MARKER_LEN 4
-
+/** length of fixed encryption payload header */
+#define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
+/** length of fixed cert payload header */
+#define CERT_PAYLOAD_HEADER_LENGTH 5
 /**
  * Calculate packet size on wire (without ethernet/IP header)
  */
@@ -89,9 +92,9 @@ static size_t calculate_wire_size(message_t *message, ike_sa_t *ike_sa)
 
 METHOD(listener_t, message, bool,
 	private_ike_auth_fill_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
@@ -105,7 +108,7 @@ METHOD(listener_t, message, bool,
 			diff = this->bytes - size - CERT_PAYLOAD_HEADER_LENGTH;
 			data = chunk_alloc(diff);
 			memset(data.ptr, 0x12, data.len);
-			pld = cert_payload_create_custom(201, data);
+			pld = cert_payload_create_custom(CERTIFICATE, 201, data);
 			message->add_payload(message, &pld->payload_interface);
 			DBG1(DBG_CFG, "inserting %d dummy bytes certificate payload", diff);
 		}
diff --git a/src/conftest/hooks/log_id.c b/src/conftest/hooks/log_id.c
index ad14cea10..07dd6a44e 100644
--- a/src/conftest/hooks/log_id.c
+++ b/src/conftest/hooks/log_id.c
@@ -32,9 +32,9 @@ struct private_log_id_t {
 
 METHOD(listener_t, message, bool,
 	private_log_id_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (incoming)
+	if (incoming && plain)
 	{
 		enumerator_t *enumerator;
 		payload_t *payload;
diff --git a/src/conftest/hooks/log_ke.c b/src/conftest/hooks/log_ke.c
index 231c0a8d8..710482326 100644
--- a/src/conftest/hooks/log_ke.c
+++ b/src/conftest/hooks/log_ke.c
@@ -32,9 +32,9 @@ struct private_log_ke_t {
 
 METHOD(listener_t, message, bool,
 	private_log_ke_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (incoming)
+	if (incoming && plain)
 	{
 		enumerator_t *enumerator;
 		payload_t *payload;
diff --git a/src/conftest/hooks/log_proposals.c b/src/conftest/hooks/log_proposals.c
index 8c330ab3d..347b83209 100644
--- a/src/conftest/hooks/log_proposals.c
+++ b/src/conftest/hooks/log_proposals.c
@@ -32,9 +32,9 @@ struct private_log_proposals_t {
 
 METHOD(listener_t, message, bool,
 	private_log_proposals_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (incoming)
+	if (incoming && plain)
 	{
 		enumerator_t *enumerator, *proposals;
 		payload_t *payload;
diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c
index fb7c89a0a..f212efa12 100644
--- a/src/conftest/hooks/log_ts.c
+++ b/src/conftest/hooks/log_ts.c
@@ -32,9 +32,9 @@ struct private_log_ts_t {
 
 METHOD(listener_t, message, bool,
 	private_log_ts_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (incoming)
+	if (incoming && plain)
 	{
 		enumerator_t *enumerator;
 		payload_t *payload;
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
index 4b7168cac..4166afc79 100644
--- a/src/conftest/hooks/pretend_auth.c
+++ b/src/conftest/hooks/pretend_auth.c
@@ -15,6 +15,7 @@
 
 #include "hook.h"
 
+#include <sa/ikev2/keymat_v2.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/auth_payload.h>
@@ -135,7 +136,7 @@ static void process_auth_request(private_pretend_auth_t *this,
 static void process_init_response(private_pretend_auth_t *this,
 								  ike_sa_t *ike_sa, message_t *message)
 {
-	this->ike_init = message->get_packet_data(message);
+	this->ike_init = chunk_clone(message->get_packet_data(message));
 }
 
 /**
@@ -153,7 +154,7 @@ static void build_certs(private_pretend_auth_t *this,
 	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
 	if (cert)
 	{
-		payload = cert_payload_create_from_cert(cert);
+		payload = cert_payload_create_from_cert(CERTIFICATE, cert);
 		if (payload)
 		{
 			DBG1(DBG_IKE, "pretending end entity cert \"%Y\"",
@@ -166,7 +167,7 @@ static void build_certs(private_pretend_auth_t *this,
 	{
 		if (type == AUTH_RULE_IM_CERT)
 		{
-			payload = cert_payload_create_from_cert(cert);
+			payload = cert_payload_create_from_cert(CERTIFICATE, cert);
 			if (payload)
 			{
 				DBG1(DBG_IKE, "pretending issuer cert \"%Y\"",
@@ -190,7 +191,7 @@ static bool build_auth(private_pretend_auth_t *this,
 	auth_payload_t *auth_payload;
 	auth_method_t auth_method;
 	signature_scheme_t scheme;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
 	auth = auth_cfg_create();
 	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth);
@@ -235,9 +236,13 @@ static bool build_auth(private_pretend_auth_t *this,
 					key_type_names, private->get_type(private));
 			return FALSE;
 	}
-	keymat = ike_sa->get_keymat(ike_sa);
-	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
-									 this->nonce, this->id, this->reserved);
+	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
+	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init,
+								 this->nonce, this->id, this->reserved, &octets))
+	{
+		private->destroy(private);
+		return FALSE;
+	}
 	if (!private->sign(private, scheme, octets, &auth_data))
 	{
 		chunk_free(&octets);
@@ -294,7 +299,7 @@ static void process_auth_response(private_pretend_auth_t *this,
 	if (this->proposal)
 	{
 		message->add_payload(message, (payload_t*)
-					sa_payload_create_from_proposal(this->proposal));
+					sa_payload_create_from_proposal_v2(this->proposal));
 	}
 	if (this->tsi)
 	{
@@ -310,35 +315,38 @@ static void process_auth_response(private_pretend_auth_t *this,
 
 METHOD(listener_t, message, bool,
 	private_pretend_auth_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (incoming)
+	if (plain)
 	{
-		if (!message->get_request(message))
+		if (incoming)
 		{
-			if (message->get_exchange_type(message) == IKE_SA_INIT)
-			{
-				process_init_response(this, ike_sa, message);
-			}
-			if (message->get_exchange_type(message) == IKE_AUTH &&
-				message->get_message_id(message) == 1)
+			if (!message->get_request(message))
 			{
-				process_auth_response(this, ike_sa, message);
+				if (message->get_exchange_type(message) == IKE_SA_INIT)
+				{
+					process_init_response(this, ike_sa, message);
+				}
+				if (message->get_exchange_type(message) == IKE_AUTH &&
+					message->get_message_id(message) == 1)
+				{
+					process_auth_response(this, ike_sa, message);
+				}
 			}
 		}
-	}
-	else
-	{
-		if (message->get_request(message))
+		else
 		{
-			if (message->get_exchange_type(message) == IKE_SA_INIT)
-			{
-				process_init_request(this, ike_sa, message);
-			}
-			if (message->get_exchange_type(message) == IKE_AUTH &&
-				message->get_message_id(message) == 1)
+			if (message->get_request(message))
 			{
-				process_auth_request(this, ike_sa, message);
+				if (message->get_exchange_type(message) == IKE_SA_INIT)
+				{
+					process_init_request(this, ike_sa, message);
+				}
+				if (message->get_exchange_type(message) == IKE_AUTH &&
+					message->get_message_id(message) == 1)
+				{
+					process_auth_request(this, ike_sa, message);
+				}
 			}
 		}
 	}
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c
index 993c952e0..b7e6f22e7 100644
--- a/src/conftest/hooks/rebuild_auth.c
+++ b/src/conftest/hooks/rebuild_auth.c
@@ -15,6 +15,7 @@
 
 #include "hook.h"
 
+#include <sa/ikev2/keymat_v2.h>
 #include <encoding/generator.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/auth_payload.h>
@@ -57,12 +58,11 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 	enumerator_t *enumerator;
 	chunk_t octets, auth_data;
 	private_key_t *private;
-	auth_cfg_t *auth;
 	payload_t *payload;
 	auth_payload_t *auth_payload;
 	auth_method_t auth_method;
 	signature_scheme_t scheme;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 	identification_t *id;
 	char reserved[3];
 	generator_t *generator;
@@ -90,10 +90,8 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 	id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8));
 	generator->destroy(generator);
 
-	auth = auth_cfg_create();
 	private = lib->credmgr->get_private(lib->credmgr, KEY_ANY,
-										this->id ?: id, auth);
-	auth->destroy(auth);
+										this->id ?: id, NULL);
 	if (private == NULL)
 	{
 		DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH",
@@ -137,9 +135,14 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 			id->destroy(id);
 			return FALSE;
 	}
-	keymat = ike_sa->get_keymat(ike_sa);
-	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
-									 this->nonce, id, reserved);
+	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
+	if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init,
+								 this->nonce, id, reserved, &octets))
+	{
+		private->destroy(private);
+		id->destroy(id);
+		return FALSE;
+	}
 	if (!private->sign(private, scheme, octets, &auth_data))
 	{
 		chunk_free(&octets);
@@ -174,34 +177,37 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 
 METHOD(listener_t, message, bool,
 	private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming && message->get_message_id(message) == 1)
-	{
-		rebuild_auth(this, ike_sa, message);
-	}
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	if (plain)
 	{
-		if (incoming)
+		if (!incoming && message->get_message_id(message) == 1)
 		{
-			nonce_payload_t *nonce;
-
-			nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
-			if (nonce)
-			{
-				free(this->nonce.ptr);
-				this->nonce = nonce->get_nonce(nonce);
-			}
+			rebuild_auth(this, ike_sa, message);
 		}
-		else
+		if (message->get_exchange_type(message) == IKE_SA_INIT)
 		{
-			packet_t *packet;
-
-			if (message->generate(message, NULL, &packet) == SUCCESS)
+			if (incoming)
+			{
+				nonce_payload_t *nonce;
+
+				nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+				if (nonce)
+				{
+					free(this->nonce.ptr);
+					this->nonce = nonce->get_nonce(nonce);
+				}
+			}
+			else
 			{
-				free(this->ike_init.ptr);
-				this->ike_init = chunk_clone(packet->get_data(packet));
-				packet->destroy(packet);
+				packet_t *packet;
+
+				if (message->generate(message, NULL, &packet) == SUCCESS)
+				{
+					free(this->ike_init.ptr);
+					this->ike_init = chunk_clone(packet->get_data(packet));
+					packet->destroy(packet);
+				}
 			}
 		}
 	}
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c
index ccf8e997d..100977324 100644
--- a/src/conftest/hooks/reset_seq.c
+++ b/src/conftest/hooks/reset_seq.c
@@ -12,6 +12,27 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+/*
+ * Copyright (C) 2012 achelos GmbH
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
 
 #include "hook.h"
 
@@ -40,22 +61,46 @@ struct private_reset_seq_t {
 	 * Delay for reset
 	 */
 	int delay;
+
+	/**
+	 * Sequence number to set for outgoing packages
+	 */
+	int oseq;
+};
+
+typedef struct reset_cb_data_t reset_cb_data_t;
+
+/**
+ * Data needed for the callback job
+ */
+struct reset_cb_data_t {
+
+	/**
+	 * The SA to modify
+	 */
+	struct xfrm_usersa_id usersa;
+
+	/**
+	 * Sequence number to set for outgoing packages
+	 */
+	int oseq;
 };
 
 /**
  * Callback job
  */
-static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
+static job_requeue_t reset_cb(struct reset_cb_data_t *data)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
 	struct xfrm_aevent_id *id;
 	struct rtattr *rthdr;
-	struct xfrm_replay_state *replay;
+	struct xfrm_replay_state *rpstate;
 	struct sockaddr_nl addr;
 	int s, len;
 
-	DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi));
+	DBG1(DBG_CFG, "setting sequence number of SPI 0x%x to %d",
+		 htonl(data->usersa.spi), data->oseq);
 
 	memset(&request, 0, sizeof(request));
 
@@ -67,14 +112,21 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
 
 	id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
-	id->sa_id = *data;
+	id->sa_id = data->usersa;
 
 	rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
 	rthdr->rta_type = XFRMA_REPLAY_VAL;
 	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
 	hdr->nlmsg_len += rthdr->rta_len;
 
-	replay = (struct xfrm_replay_state*)RTA_DATA(rthdr);
+	/* xfrm_replay_state is the structure the kernel uses for
+	 * replay detection, and the oseq element contains the
+	 * sequence number for outgoing packets. Currently, this
+	 * function sets the other elements seq (records the number of
+	 * incoming packets) and bitmask to zero, but they could be
+	 * adjusted in the same way as oseq if required. */
+	rpstate = (struct xfrm_replay_state*)RTA_DATA(rthdr);
+	rpstate->oseq = data->oseq;
 
 	s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
 	if (s == -1)
@@ -100,17 +152,21 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
 static void schedule_reset_job(private_reset_seq_t *this, host_t *dst,
 							   u_int32_t spi)
 {
-	struct xfrm_usersa_id *data;
+	struct reset_cb_data_t *data;
 	chunk_t chunk;
 
 	INIT(data,
-		.spi = spi,
-		.family = dst->get_family(dst),
-		.proto = IPPROTO_ESP,
+		.usersa = {
+			.spi = spi,
+			.family = dst->get_family(dst),
+			.proto = IPPROTO_ESP,
+		},
+		.oseq = this->oseq,
 	);
 
 	chunk = dst->get_address(dst);
-	memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+	memcpy(&data->usersa.daddr, chunk.ptr,
+		   min(chunk.len, sizeof(xfrm_address_t)));
 
 	lib->scheduler->schedule_job(lib->scheduler,
 								 (job_t*)callback_job_create(
@@ -152,6 +208,8 @@ hook_t *reset_seq_hook_create(char *name)
 		},
 		.delay = conftest->test->get_int(conftest->test,
 										"hooks.%s.delay", 10, name),
+		.oseq = conftest->test->get_int(conftest->test,
+										"hooks.%s.oseq", 0, name),
 	);
 
 	return &this->hook;
diff --git a/src/conftest/hooks/set_critical.c b/src/conftest/hooks/set_critical.c
index caf2215c3..8ec84e13d 100644
--- a/src/conftest/hooks/set_critical.c
+++ b/src/conftest/hooks/set_critical.c
@@ -47,9 +47,9 @@ struct private_set_critical_t {
 
 METHOD(listener_t, message, bool,
 	private_set_critical_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/conftest/hooks/set_ike_initiator.c b/src/conftest/hooks/set_ike_initiator.c
index 6ba43eaca..1674f0a2d 100644
--- a/src/conftest/hooks/set_ike_initiator.c
+++ b/src/conftest/hooks/set_ike_initiator.c
@@ -42,9 +42,9 @@ struct private_set_ike_initiator_t {
 
 METHOD(listener_t, message, bool,
 	private_set_ike_initiator_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/conftest/hooks/set_ike_request.c b/src/conftest/hooks/set_ike_request.c
index baabea66a..fd5b6de61 100644
--- a/src/conftest/hooks/set_ike_request.c
+++ b/src/conftest/hooks/set_ike_request.c
@@ -42,9 +42,9 @@ struct private_set_ike_request_t {
 
 METHOD(listener_t, message, bool,
 	private_set_ike_request_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/conftest/hooks/set_ike_spi.c b/src/conftest/hooks/set_ike_spi.c
index 14a0da9cd..bda02580d 100644
--- a/src/conftest/hooks/set_ike_spi.c
+++ b/src/conftest/hooks/set_ike_spi.c
@@ -52,9 +52,9 @@ struct private_set_ike_spi_t {
 
 METHOD(listener_t, message, bool,
 	private_set_ike_spi_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/conftest/hooks/set_ike_version.c b/src/conftest/hooks/set_ike_version.c
index d2de9dc81..ca52879d1 100644
--- a/src/conftest/hooks/set_ike_version.c
+++ b/src/conftest/hooks/set_ike_version.c
@@ -57,9 +57,9 @@ struct private_set_ike_version_t {
 
 METHOD(listener_t, message, bool,
 	private_set_ike_version_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/conftest/hooks/set_length.c b/src/conftest/hooks/set_length.c
index 0379dcb7c..c1a867a99 100644
--- a/src/conftest/hooks/set_length.c
+++ b/src/conftest/hooks/set_length.c
@@ -50,9 +50,9 @@ struct private_set_length_t {
 
 METHOD(listener_t, message, bool,
 	private_set_length_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
@@ -76,11 +76,10 @@ METHOD(listener_t, message, bool,
 			if (type == payload->get_type(payload))
 			{
 				encoding_rule_t *rules;
-				size_t count;
 				u_int16_t *len;
-				int i;
+				int i, count;
 
-				payload->get_encoding_rules(payload, &rules, &count);
+				count = payload->get_encoding_rules(payload, &rules);
 				for (i = 0; i < count; i++)
 				{
 					if (rules[i].type == PAYLOAD_LENGTH)
diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c
index a59d96b6d..0cc3cfc63 100644
--- a/src/conftest/hooks/set_proposal_number.c
+++ b/src/conftest/hooks/set_proposal_number.c
@@ -69,9 +69,9 @@ static void copy_proposal_algs(proposal_t *from, proposal_t *to,
 
 METHOD(listener_t, message, bool,
 	private_set_proposal_number_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
@@ -121,7 +121,7 @@ METHOD(listener_t, message, bool,
 			}
 			enumerator->destroy(enumerator);
 		}
-		sa = sa_payload_create_from_proposal_list(updated);
+		sa = sa_payload_create_from_proposals_v2(updated);
 		list->destroy_offset(list, offsetof(proposal_t, destroy));
 		updated->destroy_offset(updated, offsetof(proposal_t, destroy));
 		message->add_payload(message, (payload_t*)sa);
diff --git a/src/conftest/hooks/set_reserved.c b/src/conftest/hooks/set_reserved.c
index 77a605d2a..d1a4a977b 100644
--- a/src/conftest/hooks/set_reserved.c
+++ b/src/conftest/hooks/set_reserved.c
@@ -163,9 +163,9 @@ static void set_byte(private_set_reserved_t *this, message_t *message,
 
 METHOD(listener_t, message, bool,
 	private_set_reserved_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/conftest/hooks/unencrypted_notify.c b/src/conftest/hooks/unencrypted_notify.c
index 80bdc64b7..f4c35725c 100644
--- a/src/conftest/hooks/unencrypted_notify.c
+++ b/src/conftest/hooks/unencrypted_notify.c
@@ -80,11 +80,11 @@ METHOD(listener_t, ike_updown, bool,
 			data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2);
 			data = chunk_from_hex(data, NULL);
 		}
-		else if (this->data && strlen(this->data))
+		else if (strlen(this->data))
 		{
 			data = chunk_clone(chunk_create(this->data, strlen(this->data)));
 		}
-		notify = notify_payload_create_from_protocol_and_type(
+		notify = notify_payload_create_from_protocol_and_type(NOTIFY,
 									this->esp ? PROTO_ESP : PROTO_IKE, type);
 		notify->set_spi(notify, this->spi);
 		if (data.len)
@@ -95,7 +95,7 @@ METHOD(listener_t, ike_updown, bool,
 
 		DBG1(DBG_CFG, "injecting unencrypted INFORMATIONAL message");
 
-		message = message_create();
+		message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
 		message->set_message_id(message, this->id);
 		message->set_ike_sa_id(message, ike_sa->get_id(ike_sa));
 		message->set_exchange_type(message, INFORMATIONAL);
diff --git a/src/conftest/hooks/unsort_message.c b/src/conftest/hooks/unsort_message.c
index b37b261a4..1b2b302af 100644
--- a/src/conftest/hooks/unsort_message.c
+++ b/src/conftest/hooks/unsort_message.c
@@ -45,9 +45,9 @@ struct private_unsort_message_t {
 
 METHOD(listener_t, message, bool,
 	private_unsort_message_t *this, ike_sa_t *ike_sa, message_t *message,
-	bool incoming)
+	bool incoming, bool plain)
 {
-	if (!incoming &&
+	if (!incoming && plain &&
 		message->get_request(message) == this->req &&
 		message->get_message_id(message) == this->id)
 	{
diff --git a/src/dumm/Makefile.am b/src/dumm/Makefile.am
index 8b8cebcd8..1c6a68f58 100644
--- a/src/dumm/Makefile.am
+++ b/src/dumm/Makefile.am
@@ -11,11 +11,15 @@ irdumm_SOURCES = irdumm.c
 
 libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/libstrongswan.la
 dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
-irdumm_LDADD = libdumm.la -lruby1.8 $(top_builddir)/src/libstrongswan/libstrongswan.la
+irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
-  ${RUBYINCLUDE}
-AM_CFLAGS = -D_FILE_OFFSET_BITS=64
+AM_CPPFLAGS = \
+	-D_FILE_OFFSET_BITS=64 \
+	-I$(top_srcdir)/src/libstrongswan \
+	${RUBYINCLUDE}
+
+AM_CFLAGS = \
+	${gtk_CFLAGS}
 
 all-local: ext
 
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index bd172b701..6467dc439 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -74,6 +92,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libdumm_la_DEPENDENCIES =  \
@@ -81,6 +105,9 @@ libdumm_la_DEPENDENCIES =  \
 am_libdumm_la_OBJECTS = dumm.lo guest.lo iface.lo bridge.lo \
 	mconsole.lo cowfs.lo
 libdumm_la_OBJECTS = $(am_libdumm_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
 PROGRAMS = $(ipsec_PROGRAMS)
 am_dumm_OBJECTS = main.$(OBJEXT)
 dumm_OBJECTS = $(am_dumm_OBJECTS)
@@ -89,44 +116,69 @@ dumm_DEPENDENCIES = libdumm.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_irdumm_OBJECTS = irdumm.$(OBJEXT)
 irdumm_OBJECTS = $(am_irdumm_OBJECTS)
-irdumm_DEPENDENCIES = libdumm.la \
+irdumm_DEPENDENCIES = libdumm.la $(am__DEPENDENCIES_1) \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
 DIST_SOURCES = $(libdumm_la_SOURCES) $(dumm_SOURCES) $(irdumm_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -135,13 +187,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -154,6 +209,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,11 +237,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -193,6 +251,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -201,8 +260,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -211,14 +268,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -232,17 +294,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -252,16 +314,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -300,11 +361,15 @@ dumm_SOURCES = main.c
 irdumm_SOURCES = irdumm.c
 libdumm_la_LIBADD = -lbridge -lfuse -lutil $(top_builddir)/src/libstrongswan/libstrongswan.la
 dumm_LDADD = libdumm.la ${gtk_LIBS} $(top_builddir)/src/libstrongswan/libstrongswan.la
-irdumm_LDADD = libdumm.la -lruby1.8 $(top_builddir)/src/libstrongswan/libstrongswan.la
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${gtk_CFLAGS} \
-  ${RUBYINCLUDE}
+irdumm_LDADD = libdumm.la ${RUBYLIB} $(top_builddir)/src/libstrongswan/libstrongswan.la
+AM_CPPFLAGS = \
+	-D_FILE_OFFSET_BITS=64 \
+	-I$(top_srcdir)/src/libstrongswan \
+	${RUBYINCLUDE}
+
+AM_CFLAGS = \
+	${gtk_CFLAGS}
 
-AM_CFLAGS = -D_FILE_OFFSET_BITS=64
 all: all-am
 
 .SUFFIXES:
@@ -341,7 +406,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -349,6 +413,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -370,12 +436,15 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libdumm_la_OBJECTS) $(libdumm_la_LIBADD) $(LIBS)
+libdumm.la: $(libdumm_la_OBJECTS) $(libdumm_la_DEPENDENCIES) $(EXTRA_libdumm_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libdumm_la_OBJECTS) $(libdumm_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -415,12 +484,12 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) 
+dumm$(EXEEXT): $(dumm_OBJECTS) $(dumm_DEPENDENCIES) $(EXTRA_dumm_DEPENDENCIES) 
 	@rm -f dumm$(EXEEXT)
-	$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
-irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(dumm_OBJECTS) $(dumm_LDADD) $(LIBS)
+irdumm$(EXEEXT): $(irdumm_OBJECTS) $(irdumm_DEPENDENCIES) $(EXTRA_irdumm_DEPENDENCIES) 
 	@rm -f irdumm$(EXEEXT)
-	$(LINK) $(irdumm_OBJECTS) $(irdumm_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(irdumm_OBJECTS) $(irdumm_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -438,25 +507,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mconsole.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -563,10 +632,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/dumm/bridge.c b/src/dumm/bridge.c
index 85b6471b6..c76b3acda 100644
--- a/src/dumm/bridge.c
+++ b/src/dumm/bridge.c
@@ -14,10 +14,11 @@
  */
 
 #include <sys/types.h>
+#include <netinet/in.h>
 #include <libbridge.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "bridge.h"
 
@@ -178,4 +179,3 @@ bridge_t *bridge_create(char *name)
 	instances++;
 	return &this->public;
 }
-
diff --git a/src/dumm/bridge.h b/src/dumm/bridge.h
index c557de994..9d48092df 100644
--- a/src/dumm/bridge.h
+++ b/src/dumm/bridge.h
@@ -17,7 +17,7 @@
 #define BRIDGE_H
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct bridge_t bridge_t;
 
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index f708a293b..28c62c217 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -34,10 +34,10 @@
 #include "cowfs.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /** define _XOPEN_SOURCE 500 fails when using libstrongswan, define popen */
 extern ssize_t pread(int fd, void *buf, size_t count, off_t offset);
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 59751fa09..cc4f5a16b 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -23,8 +23,8 @@
 #include <dirent.h>
 #include <errno.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "dumm.h"
 
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index 4bd20808c..7c7923c46 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -20,7 +20,7 @@
 #include <signal.h>
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include "guest.h"
 #include "bridge.h"
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index ca9b29388..5acda3a9c 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -21,8 +21,8 @@
 
 #include <library.h>
 #include <dumm.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #undef PACKAGE_NAME
 #undef PACKAGE_TARNAME
@@ -30,6 +30,8 @@
 #undef PACKAGE_STRING
 #undef PACKAGE_BUGREPORT
 #undef PACKAGE_URL
+/* avoid redefintiion of snprintf etc. */
+#define RUBY_DONT_SUBST
 #include <ruby.h>
 
 static dumm_t *dumm;
@@ -141,7 +143,11 @@ static VALUE guest_hash(VALUE class)
 	if (!rb_cvar_defined(class, id))
 	{
 		VALUE hash = guest_hash_create(class);
+#ifdef RB_CVAR_SET_4_ARGS
 		rb_cvar_set(class, id, hash, 0);
+#else
+		rb_cvar_set(class, id, hash);
+#endif
 		return hash;
 	}
 	return rb_cvar_get(class, id);
@@ -627,6 +633,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
+	list = linked_list_create();
 	Data_Get_Struct(self, iface_t, iface);
 	enumerator = iface->create_address_enumerator(iface);
 	while (enumerator->enumerate(enumerator, &addr))
@@ -733,6 +740,7 @@ static VALUE template_each(int argc, VALUE *argv, VALUE class)
 static void template_init()
 {
 	rbc_template = rb_define_class_under(rbm_dumm , "Template", rb_cObject);
+	rb_include_module(rb_class_of(rbc_template), rb_mEnumerable);
 
 	rb_define_singleton_method(rbc_template, "load", template_load, 1);
 	rb_define_singleton_method(rbc_template, "unload", template_unload, 0);
diff --git a/src/dumm/ext/extconf.rb.in b/src/dumm/ext/extconf.rb.in
index 36536ec52..29df65ca7 100644
--- a/src/dumm/ext/extconf.rb.in
+++ b/src/dumm/ext/extconf.rb.in
@@ -5,7 +5,7 @@
 require 'mkmf'
 
 $defs << " @DEFS@"
-$CFLAGS << " -Wno-format"
+$CFLAGS << " -Wno-format -include \"@top_builddir@/config.h\""
 
 dir_config('dumm', '@top_srcdir@/src/dumm', '../.libs')
 dir_config('strongswan', '@top_srcdir@/src/libstrongswan', '../../libstrongswan/.libs')
diff --git a/src/dumm/ext/lib/dumm.rb b/src/dumm/ext/lib/dumm.rb
index bb60aad8f..959ec87df 100644
--- a/src/dumm/ext/lib/dumm.rb
+++ b/src/dumm/ext/lib/dumm.rb
@@ -34,8 +34,9 @@ module Dumm
     if name
       Template.load name
     else
-      Template.each {|t| puts t }
+      Template.sort.each {|t| puts t }
     end
+    return Dumm
   end
   
   # unload template/overlays, reset all guests and delete bridges
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index 336f6effa..8e74ca629 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -28,8 +28,8 @@
 #include <termios.h>
 #include <stdarg.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "dumm.h"
 #include "guest.h"
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 789f2310e..0da05d88c 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -18,7 +18,7 @@
 #define GUEST_H
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef enum guest_state_t guest_state_t;
 typedef struct guest_t guest_t;
diff --git a/src/dumm/iface.c b/src/dumm/iface.c
index 214387e88..3e7b010b3 100644
--- a/src/dumm/iface.c
+++ b/src/dumm/iface.c
@@ -25,8 +25,8 @@
 #include <sys/ioctl.h>
 #include <linux/if_tun.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 #include "iface.h"
 
diff --git a/src/dumm/iface.h b/src/dumm/iface.h
index e96ee508c..ae886acc3 100644
--- a/src/dumm/iface.h
+++ b/src/dumm/iface.h
@@ -17,8 +17,8 @@
 #define IFACE_H
 
 #include <library.h>
-#include <utils/enumerator.h>
-#include <utils/host.h>
+#include <collections/enumerator.h>
+#include <networking/host.h>
 
 #define TAP_DEVICE "/dev/net/tun"
 
diff --git a/src/dumm/irdumm.c b/src/dumm/irdumm.c
index 7543e6bd6..d30973737 100644
--- a/src/dumm/irdumm.c
+++ b/src/dumm/irdumm.c
@@ -21,6 +21,10 @@
 #undef PACKAGE_URL
 #include <ruby.h>
 
+#ifdef HAVE_RB_ERRINFO
+#define ruby_errinfo rb_errinfo()
+#endif
+
 /**
  * main routine, parses args and reads from console
  */
diff --git a/src/dumm/main.c b/src/dumm/main.c
index 37e7ba8f7..4cdf4682f 100644
--- a/src/dumm/main.c
+++ b/src/dumm/main.c
@@ -15,7 +15,7 @@
 
 #include "dumm.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #include <sys/types.h>
 #include <unistd.h>
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index de70b7e69..54c4fe395 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -25,7 +25,7 @@
 #include <errno.h>
 #include <sys/un.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "mconsole.h"
 
@@ -150,7 +150,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
 				if (reply.len && *reply.data)
 				{
 					DBG1(DBG_LIB, "received mconsole error %d: %.*s",
-						 reply.err, reply.len, reply.data);
+						 reply.err, (int)reply.len, reply.data);
 				}
 				break;
 			}
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 8bc6befc7..18af82a9f 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,6 +15,23 @@
 
 @SET_MAKE@
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -44,33 +61,52 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -79,13 +115,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -98,6 +137,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -125,11 +165,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -137,6 +179,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -145,8 +188,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -155,14 +196,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -176,17 +222,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -196,16 +242,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -327,10 +372,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/ipsec/Android.mk b/src/ipsec/Android.mk
index d134f7fd2..c25be3ebc 100644
--- a/src/ipsec/Android.mk
+++ b/src/ipsec/Android.mk
@@ -18,13 +18,14 @@ $(GEN) : PRIVATE_CUSTOM_TOOL = sed \
 	-e "s:@IPSEC_NAME@:strongSwan:" \
 	-e "s:@IPSEC_DISTRO@::" \
 	-e "s:@IPSEC_DIR@:$(strongswan_DIR):" \
+	-e "s:@IPSEC_SCRIPT@:ipsec:" \
 	-e "s:@IPSEC_SBINDIR@:$(strongswan_SBINDIR):" \
 	-e "s:@IPSEC_CONFDIR@:$(strongswan_CONFDIR):" \
 	-e "s:@IPSEC_PIDDIR@:$(strongswan_PIDDIR):" \
 	$< > $@ && chmod +x $@
 
 $(GEN) : $(strongswan_PATH)/Android.mk
-$(GEN) : $(LOCAL_PATH)/ipsec.in
+$(GEN) : $(LOCAL_PATH)/_ipsec.in
 	$(transform-generated-source)
 
 LOCAL_GENERATED_SOURCES := $(GEN)
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index bbf009721..73427c0fa 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -1,22 +1,37 @@
-sbin_SCRIPTS = ipsec
-CLEANFILES = ipsec ipsec.8
-dist_man8_MANS = ipsec.8
-EXTRA_DIST = ipsec.in ipsec.8.in Android.mk
+sbin_SCRIPTS = _ipsec
+CLEANFILES = _ipsec _ipsec.8
+dist_man8_MANS = _ipsec.8
+EXTRA_DIST = _ipsec.in _ipsec.8.in Android.mk
 
-ipsec.8 : ipsec.8.in
+_ipsec.8 : _ipsec.8.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
+	-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
 	$(srcdir)/$@.in > $@
 
-ipsec : ipsec.in
+_ipsec : _ipsec.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_SHELL@:/bin/sh:" \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@IPSEC_NAME@:$(PACKAGE_NAME):" \
 	-e "s:@IPSEC_DISTRO@::" \
 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
+	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
 	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
 	-e "s:@IPSEC_PIDDIR@:$(piddir):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
+
+install-exec-hook:
+	mv $(DESTDIR)$(sbindir)/_ipsec $(DESTDIR)$(sbindir)/$(ipsec_script)
+
+install-data-hook:
+	mv $(DESTDIR)$(man8dir)/_ipsec.8 $(DESTDIR)$(man8dir)/$(ipsec_script).8
+
+uninstall-hook:
+	rm -f $(DESTDIR)$(sbindir)/$(ipsec_script)
+	rm -f $(DESTDIR)$(man8dir)/$(ipsec_script).8
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index b0474159d..58072f20a 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -73,10 +91,27 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
 SCRIPTS = $(sbin_SCRIPTS)
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man8_MANS)
@@ -84,21 +119,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -107,13 +149,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -126,6 +171,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -153,11 +199,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -165,6 +213,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -173,8 +222,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -183,14 +230,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -204,17 +256,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -224,16 +276,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -261,10 +312,10 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-sbin_SCRIPTS = ipsec
-CLEANFILES = ipsec ipsec.8
-dist_man8_MANS = ipsec.8
-EXTRA_DIST = ipsec.in ipsec.8.in Android.mk
+sbin_SCRIPTS = _ipsec
+CLEANFILES = _ipsec _ipsec.8
+dist_man8_MANS = _ipsec.8
+EXTRA_DIST = _ipsec.in _ipsec.8.in Android.mk
 all: all-am
 
 .SUFFIXES:
@@ -300,8 +351,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-sbinSCRIPTS: $(sbin_SCRIPTS)
 	@$(NORMAL_INSTALL)
-	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
 	@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
@@ -329,9 +383,7 @@ uninstall-sbinSCRIPTS:
 	@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	       sed -e 's,.*/,,;$(transform)'`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(sbindir)" && rm -f $$files
+	dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -340,9 +392,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man8_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
+	@list1='$(dist_man8_MANS)'; \
+	list2=''; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
@@ -369,9 +430,7 @@ uninstall-man8:
 	files=`{ for i in $$list; do echo "$$i"; done; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 tags: TAGS
 TAGS:
 
@@ -439,10 +498,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -476,13 +540,15 @@ info: info-am
 info-am:
 
 install-data-am: install-man
-
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 install-dvi: install-dvi-am
 
 install-dvi-am:
 
 install-exec-am: install-sbinSCRIPTS
-
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
 install-html: install-html-am
 
 install-html-am:
@@ -520,43 +586,61 @@ ps: ps-am
 ps-am:
 
 uninstall-am: uninstall-man uninstall-sbinSCRIPTS
-
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 uninstall-man: uninstall-man8
 
-.MAKE: install-am install-strip
+.MAKE: install-am install-data-am install-exec-am install-strip \
+	uninstall-am
 
 .PHONY: all all-am check check-am clean clean-generic clean-libtool \
 	distclean distclean-generic distclean-libtool distdir dvi \
 	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-man8 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-sbinSCRIPTS install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
-	ps ps-am uninstall uninstall-am uninstall-man uninstall-man8 \
+	install-data install-data-am install-data-hook install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-hook \
+	install-html install-html-am install-info install-info-am \
+	install-man install-man8 install-pdf install-pdf-am install-ps \
+	install-ps-am install-sbinSCRIPTS install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \
+	uninstall-hook uninstall-man uninstall-man8 \
 	uninstall-sbinSCRIPTS
 
 
-ipsec.8 : ipsec.8.in
+_ipsec.8 : _ipsec.8.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
+	-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
 	$(srcdir)/$@.in > $@
 
-ipsec : ipsec.in
+_ipsec : _ipsec.in
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_SHELL@:/bin/sh:" \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@IPSEC_NAME@:$(PACKAGE_NAME):" \
 	-e "s:@IPSEC_DISTRO@::" \
 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
+	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
 	-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
 	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
 	-e "s:@IPSEC_PIDDIR@:$(piddir):" \
 	$(srcdir)/$@.in > $@
 	chmod +x $@
 
+install-exec-hook:
+	mv $(DESTDIR)$(sbindir)/_ipsec $(DESTDIR)$(sbindir)/$(ipsec_script)
+
+install-data-hook:
+	mv $(DESTDIR)$(man8dir)/_ipsec.8 $(DESTDIR)$(man8dir)/$(ipsec_script).8
+
+uninstall-hook:
+	rm -f $(DESTDIR)$(sbindir)/$(ipsec_script)
+	rm -f $(DESTDIR)$(man8dir)/$(ipsec_script).8
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
new file mode 100644
index 000000000..02aeaace3
--- /dev/null
+++ b/src/ipsec/_ipsec.8
@@ -0,0 +1,299 @@
+.TH IPSEC 8 "2013-07-22" "5.1.0" "strongSwan"
+.SH NAME
+ipsec \- invoke IPsec utilities
+.SH SYNOPSIS
+.B ipsec
+\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
+.PP
+.SH DESCRIPTION
+The
+.B ipsec
+utility invokes any of several utilities involved in controlling and monitoring
+the IPsec encryption/authentication system, running the specified \fIcommand\fP
+with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
+directly. This largely eliminates possible name collisions with other software,
+and also permits some centralized services.
+.PP
+All the commands described in this manual page are built-in and are used to
+control and monitor IPsec connections as well as the IKE daemons.
+.PP
+For other commands
+.I ipsec
+supplies the invoked
+.I command
+with a suitable PATH environment variable,
+and also provides IPSEC_DIR,
+IPSEC_CONFS, and IPSEC_VERSION environment variables,
+containing respectively
+the full pathname of the directory where the IPsec utilities are stored,
+the full pathname of the directory where the configuration files live,
+and the IPsec version number.
+.PP
+.SS CONTROL COMMANDS
+.TP
+.B "start [ starter options ]"
+calls
+.BR "starter"
+which in turn parses \fIipsec.conf\fR and starts the IKEv1/IKEv2 daemon
+\fIcharon\fR.
+.PP
+.TP
+.B "update"
+sends a \fIHUP\fR signal to
+.BR "starter"
+which in turn determines any changes in \fIipsec.conf\fR
+and updates the configuration on the running IKE daemon \fIcharon\fR.
+.PP
+.TP
+.B "reload"
+sends a \fIUSR1\fR signal to
+.BR "starter"
+which in turn reloads the whole configuration on the running IKE daemon
+\fIcharon\fR based on the actual \fIipsec.conf\fR.
+.PP
+.TP
+.B "restart"
+is equivalent to
+.B "stop"
+followed by
+.B "start"
+after a guard of 2 seconds.
+.PP
+.TP
+.B "stop"
+terminates all IPsec connections and stops the IKE daemon \fIcharon\fR
+by sending a \fITERM\fR signal to
+.BR "starter".
+.PP
+.TP
+.B "up \fIname\fP"
+tells the IKE daemon to start up connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname\fP"
+tells the IKE daemon to terminate connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname{n}\fP"
+terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of
+connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname{*}\fP"
+terminates all IKEv1 Quick Mode and  IKEv2 CHILD SA instances of connection
+\fIname\fP.
+.PP
+.TP
+.B "down \fIname[n]\fP"
+terminates IKE SA instance \fIn\fP of connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname[*]\fP"
+terminates all IKE SA instances of connection \fIname\fP.
+.PP
+.TP
+.B "route \fIname\fP"
+tells the IKE daemon to insert an IPsec policy in the kernel
+for connection \fIname\fP. The first payload packet matching the IPsec policy
+will automatically trigger an IKE connection setup.
+.PP
+.TP
+.B "unroute \fIname\fP"
+remove the IPsec policy in the kernel for connection \fIname\fP.
+.PP
+.TP
+.B "status [ \fIname\fP ]"
+returns concise status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.TP
+.B "statusall [ \fIname\fP ]"
+returns detailed status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.SS LIST COMMANDS
+.TP
+.B "listalgs"
+returns a list supported cryptographic algorithms usable for IKE, and their
+corresponding plugin.
+.PP
+.TP
+.B "listpubkeys [ --utc ]"
+returns a list of RSA public keys that were either loaded in raw key format
+or extracted from X.509 and|or OpenPGP certificates.
+.PP
+.TP
+.B "listcerts [ --utc ]"
+returns a list of X.509 and|or OpenPGP certificates that were either loaded
+locally by the IKE daemon or received via the IKE protocol.
+.PP
+.TP
+.B "listcacerts [ --utc ]"
+returns a list of X.509 Certification Authority (CA) certificates that were
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
+directory or received via the IKE protocol.
+.PP
+.TP
+.B "listaacerts [ --utc ]"
+returns a list of X.509 Authorization Authority (AA) certificates that were
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
+directory.
+.PP
+.TP
+.B "listocspcerts [ --utc ]"
+returns a list of X.509 OCSP Signer certificates that were either loaded
+locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
+directory or were sent by an OCSP server.
+.PP
+.TP
+.B "listacerts [ --utc ]"
+returns a list of X.509 Attribute certificates that were loaded locally by
+the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
+.PP
+.TP
+.B "listgroups [ --utc ]"
+returns a list of groups that are used to define user authorization profiles.
+.PP
+.TP
+.B "listcainfos [ --utc ]"
+returns certification authority information (CRL distribution points, OCSP URIs,
+LDAP servers) that were defined by
+.BR ca
+sections in \fIipsec.conf\fP.
+.PP
+.TP
+.B "listcrls [ --utc ]"
+returns a list of Certificate Revocation Lists (CRLs) that were either loaded
+by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
+an HTTP- or LDAP-based CRL distribution point.
+.PP
+.TP
+.B "listocsp [ --utc ]"
+returns revocation information fetched from OCSP servers.
+.PP
+.TP
+.B "listcounters"
+show IKE counter values collected since daemon startup.
+.PP
+.TP
+.B "listall [ --utc ]"
+returns all information generated by the list commands above. Each list command
+can be called with the
+\fB\-\-utc\fP
+option which displays all dates in UTC instead of local time.
+.PP
+.SS REREAD COMMANDS
+.TP
+.B "rereadsecrets"
+flushes and rereads all secrets defined in \fIipsec.secrets\fP.
+.PP
+.TP
+.B "rereadcacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
+directory and adds them to the list of Certification Authority (CA)
+certificates.
+.PP
+.TP
+.B "rereadaacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
+directory and adds them to the list of Authorization Authority (AA)
+certificates.
+.PP
+.TP
+.B "rereadocspcerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
+directory and adds them to the list of OCSP signer certificates.
+.PP
+.TP
+.B "rereadacerts"
+reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
+directory and adds them to the list of attribute certificates.
+.PP
+.TP
+.B "rereadcrls"
+reads  all Certificate  Revocation Lists (CRLs) contained in the
+\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
+.PP
+.TP
+.B "rereadall"
+executes all reread commands listed above.
+.PP
+.SS PURGE COMMANDS
+.TP
+.B "purgeike"
+purges IKE SAs that don't have a Quick Mode or CHILD SA.
+.PP
+.TP
+.B "purgeocsp"
+purges all cached OCSP information records.
+.PP
+.SS INFO COMMANDS
+.TP
+.B "\-\-help"
+returns the usage information for the
+.B ipsec
+command.
+.PP
+.TP
+.B "\-\-version"
+returns the version in the form of
+.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "\-\-versioncode"
+returns the version number in the form of
+.B U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "\-\-copyright"
+returns the copyright information.
+.PP
+.TP
+.B "\-\-directory"
+returns the \fILIBEXECDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "\-\-confdir"
+returns the \fISYSCONFDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "\-\-piddir"
+returns the \fIPIDDIR\fP directory as defined by the configure options.
+.SH FILES
+/usr/local/lib/ipsec	usual utilities directory
+.SH ENVIRONMENT
+.PP
+The following environment variables control where strongSwan finds its
+components.
+The
+.B ipsec
+command sets them if they are not already set.
+.nf
+.na
+
+IPSEC_DIR               directory containing ipsec programs and utilities
+IPSEC_SBINDIR           directory containing \fBipsec\fP command
+IPSEC_CONFDIR           directory containing configuration files
+IPSEC_PIDDIR            directory containing PID/socket files
+IPSEC_SCRIPT            name of the ipsec script
+IPSEC_NAME              name of ipsec distribution
+IPSEC_VERSION           version numer of ipsec userland and kernel
+IPSEC_STARTER_PID       PID file for ipsec starter
+IPSEC_CHARON_PID        PID file for IKE keying daemon
+.ad
+.fi
+.SH SEE ALSO
+.hy 0
+.na
+ipsec.conf(5), ipsec.secrets(5)
+.ad
+.hy
+.PP
+.SH HISTORY
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
new file mode 100644
index 000000000..4cbc89686
--- /dev/null
+++ b/src/ipsec/_ipsec.8.in
@@ -0,0 +1,299 @@
+.TH @IPSEC_SCRIPT_UPPER@ 8 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+@IPSEC_SCRIPT@ \- invoke IPsec utilities
+.SH SYNOPSIS
+.B @IPSEC_SCRIPT@
+\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
+.PP
+.SH DESCRIPTION
+The
+.B @IPSEC_SCRIPT@
+utility invokes any of several utilities involved in controlling and monitoring
+the IPsec encryption/authentication system, running the specified \fIcommand\fP
+with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
+directly. This largely eliminates possible name collisions with other software,
+and also permits some centralized services.
+.PP
+All the commands described in this manual page are built-in and are used to
+control and monitor IPsec connections as well as the IKE daemons.
+.PP
+For other commands
+.I @IPSEC_SCRIPT@
+supplies the invoked
+.I command
+with a suitable PATH environment variable,
+and also provides IPSEC_DIR,
+IPSEC_CONFS, and IPSEC_VERSION environment variables,
+containing respectively
+the full pathname of the directory where the IPsec utilities are stored,
+the full pathname of the directory where the configuration files live,
+and the IPsec version number.
+.PP
+.SS CONTROL COMMANDS
+.TP
+.B "start [ starter options ]"
+calls
+.BR "starter"
+which in turn parses \fIipsec.conf\fR and starts the IKEv1/IKEv2 daemon
+\fIcharon\fR.
+.PP
+.TP
+.B "update"
+sends a \fIHUP\fR signal to
+.BR "starter"
+which in turn determines any changes in \fIipsec.conf\fR
+and updates the configuration on the running IKE daemon \fIcharon\fR.
+.PP
+.TP
+.B "reload"
+sends a \fIUSR1\fR signal to
+.BR "starter"
+which in turn reloads the whole configuration on the running IKE daemon
+\fIcharon\fR based on the actual \fIipsec.conf\fR.
+.PP
+.TP
+.B "restart"
+is equivalent to
+.B "stop"
+followed by
+.B "start"
+after a guard of 2 seconds.
+.PP
+.TP
+.B "stop"
+terminates all IPsec connections and stops the IKE daemon \fIcharon\fR
+by sending a \fITERM\fR signal to
+.BR "starter".
+.PP
+.TP
+.B "up \fIname\fP"
+tells the IKE daemon to start up connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname\fP"
+tells the IKE daemon to terminate connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname{n}\fP"
+terminates IKEv1 Quick Mode and IKEv2 CHILD SA instance \fIn\fP of
+connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname{*}\fP"
+terminates all IKEv1 Quick Mode and  IKEv2 CHILD SA instances of connection
+\fIname\fP.
+.PP
+.TP
+.B "down \fIname[n]\fP"
+terminates IKE SA instance \fIn\fP of connection \fIname\fP.
+.PP
+.TP
+.B "down \fIname[*]\fP"
+terminates all IKE SA instances of connection \fIname\fP.
+.PP
+.TP
+.B "route \fIname\fP"
+tells the IKE daemon to insert an IPsec policy in the kernel
+for connection \fIname\fP. The first payload packet matching the IPsec policy
+will automatically trigger an IKE connection setup.
+.PP
+.TP
+.B "unroute \fIname\fP"
+remove the IPsec policy in the kernel for connection \fIname\fP.
+.PP
+.TP
+.B "status [ \fIname\fP ]"
+returns concise status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.TP
+.B "statusall [ \fIname\fP ]"
+returns detailed status information either on connection
+\fIname\fP or if the argument is lacking, on all connections.
+.PP
+.SS LIST COMMANDS
+.TP
+.B "listalgs"
+returns a list supported cryptographic algorithms usable for IKE, and their
+corresponding plugin.
+.PP
+.TP
+.B "listpubkeys [ --utc ]"
+returns a list of RSA public keys that were either loaded in raw key format
+or extracted from X.509 and|or OpenPGP certificates.
+.PP
+.TP
+.B "listcerts [ --utc ]"
+returns a list of X.509 and|or OpenPGP certificates that were either loaded
+locally by the IKE daemon or received via the IKE protocol.
+.PP
+.TP
+.B "listcacerts [ --utc ]"
+returns a list of X.509 Certification Authority (CA) certificates that were
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
+directory or received via the IKE protocol.
+.PP
+.TP
+.B "listaacerts [ --utc ]"
+returns a list of X.509 Authorization Authority (AA) certificates that were
+loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
+directory.
+.PP
+.TP
+.B "listocspcerts [ --utc ]"
+returns a list of X.509 OCSP Signer certificates that were either loaded
+locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
+directory or were sent by an OCSP server.
+.PP
+.TP
+.B "listacerts [ --utc ]"
+returns a list of X.509 Attribute certificates that were loaded locally by
+the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
+.PP
+.TP
+.B "listgroups [ --utc ]"
+returns a list of groups that are used to define user authorization profiles.
+.PP
+.TP
+.B "listcainfos [ --utc ]"
+returns certification authority information (CRL distribution points, OCSP URIs,
+LDAP servers) that were defined by
+.BR ca
+sections in \fIipsec.conf\fP.
+.PP
+.TP
+.B "listcrls [ --utc ]"
+returns a list of Certificate Revocation Lists (CRLs) that were either loaded
+by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
+an HTTP- or LDAP-based CRL distribution point.
+.PP
+.TP
+.B "listocsp [ --utc ]"
+returns revocation information fetched from OCSP servers.
+.PP
+.TP
+.B "listcounters"
+show IKE counter values collected since daemon startup.
+.PP
+.TP
+.B "listall [ --utc ]"
+returns all information generated by the list commands above. Each list command
+can be called with the
+\fB\-\-utc\fP
+option which displays all dates in UTC instead of local time.
+.PP
+.SS REREAD COMMANDS
+.TP
+.B "rereadsecrets"
+flushes and rereads all secrets defined in \fIipsec.secrets\fP.
+.PP
+.TP
+.B "rereadcacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
+directory and adds them to the list of Certification Authority (CA)
+certificates.
+.PP
+.TP
+.B "rereadaacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
+directory and adds them to the list of Authorization Authority (AA)
+certificates.
+.PP
+.TP
+.B "rereadocspcerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
+directory and adds them to the list of OCSP signer certificates.
+.PP
+.TP
+.B "rereadacerts"
+reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
+directory and adds them to the list of attribute certificates.
+.PP
+.TP
+.B "rereadcrls"
+reads  all Certificate  Revocation Lists (CRLs) contained in the
+\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
+.PP
+.TP
+.B "rereadall"
+executes all reread commands listed above.
+.PP
+.SS PURGE COMMANDS
+.TP
+.B "purgeike"
+purges IKE SAs that don't have a Quick Mode or CHILD SA.
+.PP
+.TP
+.B "purgeocsp"
+purges all cached OCSP information records.
+.PP
+.SS INFO COMMANDS
+.TP
+.B "\-\-help"
+returns the usage information for the
+.B @IPSEC_SCRIPT@
+command.
+.PP
+.TP
+.B "\-\-version"
+returns the version in the form of
+.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "\-\-versioncode"
+returns the version number in the form of
+.B U<strongSwan userland version>/K<Linux kernel version>
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "\-\-copyright"
+returns the copyright information.
+.PP
+.TP
+.B "\-\-directory"
+returns the \fILIBEXECDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "\-\-confdir"
+returns the \fISYSCONFDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "\-\-piddir"
+returns the \fIPIDDIR\fP directory as defined by the configure options.
+.SH FILES
+/usr/local/lib/ipsec	usual utilities directory
+.SH ENVIRONMENT
+.PP
+The following environment variables control where strongSwan finds its
+components.
+The
+.B @IPSEC_SCRIPT@
+command sets them if they are not already set.
+.nf
+.na
+
+IPSEC_DIR               directory containing ipsec programs and utilities
+IPSEC_SBINDIR           directory containing \fBipsec\fP command
+IPSEC_CONFDIR           directory containing configuration files
+IPSEC_PIDDIR            directory containing PID/socket files
+IPSEC_SCRIPT            name of the ipsec script
+IPSEC_NAME              name of ipsec distribution
+IPSEC_VERSION           version numer of ipsec userland and kernel
+IPSEC_STARTER_PID       PID file for ipsec starter
+IPSEC_CHARON_PID        PID file for IKE keying daemon
+.ad
+.fi
+.SH SEE ALSO
+.hy 0
+.na
+ipsec.conf(5), ipsec.secrets(5)
+.ad
+.hy
+.PP
+.SH HISTORY
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project <http://www.strongswan.org> by
+Tobias Brunner and Andreas Steffen.
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
new file mode 100644
index 000000000..03ddb744d
--- /dev/null
+++ b/src/ipsec/_ipsec.in
@@ -0,0 +1,343 @@
+#! @IPSEC_SHELL@
+# prefix command to run stuff from our programs directory
+# Copyright (C) 1998-2002  Henry Spencer.
+# Copyright (C) 2006 Andreas Steffen
+# Copyright (C) 2006 Martin Willi
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
+export PATH
+
+# set daemon name
+[ -z "$DAEMON_NAME" ] && DAEMON_NAME="charon"
+
+# name and version of the ipsec implementation
+OS_NAME=`uname -s`
+IPSEC_NAME="@IPSEC_NAME@"
+IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
+
+# where the private directory and the config files are
+IPSEC_DIR="@IPSEC_DIR@"
+IPSEC_SBINDIR="@IPSEC_SBINDIR@"
+IPSEC_CONFDIR="@IPSEC_CONFDIR@"
+IPSEC_PIDDIR="@IPSEC_PIDDIR@"
+IPSEC_SCRIPT="@IPSEC_SCRIPT@"
+
+IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.${DAEMON_NAME}.pid"
+IPSEC_CHARON_PID="${IPSEC_PIDDIR}/${DAEMON_NAME}.pid"
+
+IPSEC_STROKE="${IPSEC_DIR}/stroke"
+IPSEC_STARTER="${IPSEC_DIR}/starter"
+
+export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID
+
+IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
+
+case "$1" in
+'')
+	echo "Usage: $IPSEC_SCRIPT command argument ..."
+	echo "Use --help for list of commands, or see $IPSEC_SCRIPT(8) manual "
+	echo "page or the $IPSEC_NAME documentation for names of the common "
+	echo "ones."
+	echo "See <http://www.strongswan.org> for more general info."
+	exit 0
+	;;
+--help)
+	echo "Usage: $IPSEC_SCRIPT command argument ..."
+	echo "where command is one of:"
+	echo "	start|restart  arguments..."
+	echo "	update|reload|stop"
+	echo "	up|down|route|unroute <connectionname>"
+	echo "	status|statusall [<connectionname>]"
+	echo "	listalgs|listpubkeys|listcerts [--utc]"
+	echo "	listcacerts|listaacerts|listocspcerts [--utc]"
+	echo "	listacerts|listgroups|listcainfos [--utc]"
+	echo "	listcrls|listocsp|listcards|listplugins|listall [--utc]"
+	echo "	listcounters|resetcounters [name]"
+	echo "	leases [<poolname> [<address>]]"
+	echo "	rereadsecrets|rereadgroups"
+	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
+	echo "	rereadacerts|rereadcrls|rereadall"
+	echo "	purgeocsp|purgecrls|purgecerts|purgeike"
+	echo "	openac"
+	echo "	scepclient"
+	echo "	secrets"
+	echo "	starter"
+	echo "	version"
+	echo "	stroke"
+	echo
+	echo "Some of these functions have their own manual pages, e.g. scepclient(8)."
+	exit 0
+	;;
+--versioncode)
+	echo "$IPSEC_VERSION"
+	exit 0
+	;;
+--directory)
+	echo "$IPSEC_DIR"
+	exit 0
+	;;
+--confdir)
+	echo "$IPSEC_CONFDIR"
+	exit 0
+	;;
+--piddir)
+	echo "$IPSEC_PIDDIR"
+	exit 0
+	;;
+copyright|--copyright)
+	set _copyright
+	# and fall through, invoking "ipsec _copyright"
+	;;
+down)
+	shift
+	if [ "$#" -ne 1 ]
+	then
+	    echo "Usage: $IPSEC_SCRIPT down <connection name>"
+	    exit 2
+	fi
+	rc=7
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE down "$1"
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+down-srcip)
+	shift
+	if [ "$#" -lt 1 ]
+	then
+	    echo "Usage: $IPSEC_SCRIPT down-srcip <start> [<end>]"
+	    exit 2
+	fi
+	rc=7
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE down-srcip $*
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+listcards|rereadgroups)
+	op="$1"
+	shift
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		exit 3
+	else
+		exit 7
+	fi
+	;;
+leases)
+	op="$1"
+	rc=7
+	shift
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		case "$#" in
+		0) $IPSEC_STROKE "$op" ;;
+		1) $IPSEC_STROKE "$op" "$1" ;;
+		*) $IPSEC_STROKE "$op" "$1" "$2" ;;
+		esac
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+listalgs|listpubkeys|listplugins|\
+listcerts|listcacerts|listaacerts|\
+listacerts|listgroups|listocspcerts|\
+listcainfos|listcrls|listocsp|listall|\
+rereadsecrets|rereadcacerts|rereadaacerts|\
+rereadacerts|rereadocspcerts|rereadcrls|\
+rereadall|purgeocsp|listcounters|resetcounters)
+	op="$1"
+	rc=7
+	shift
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE "$op" "$@"
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+purgeike|purgecrls|purgecerts)
+	rc=7
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE "$1"
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+reload)
+	rc=7
+	if [ -e $IPSEC_STARTER_PID ]
+	then
+		echo "Reloading strongSwan IPsec configuration..." >&2
+		kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
+	else
+		echo "Reloading strongSwan IPsec failed: starter is not running" >&2
+	fi
+	exit "$rc"
+	;;
+restart)
+	$IPSEC_SBINDIR/$IPSEC_SCRIPT stop
+	sleep 2
+	shift
+	exec $IPSEC_SBINDIR/$IPSEC_SCRIPT start "$@"
+	;;
+route|unroute)
+	op="$1"
+	rc=7
+	shift
+	if [ "$#" -ne 1 ]
+	then
+		echo "Usage: $IPSEC_SCRIPT $op <connection name>"
+		exit 2
+	fi
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE "$op" "$1"
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+secrets)
+	rc=7
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE rereadsecrets
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+start)
+	shift
+	if [ -d /var/lock/subsys ]; then
+		touch /var/lock/subsys/ipsec
+	fi
+	exec $IPSEC_STARTER --daemon $DAEMON_NAME "$@"
+	;;
+status|statusall)
+	op="$1"
+	# Return value is slightly different for the status command:
+	# 0 - service up and running
+	# 1 - service dead, but /var/run/  pid  file exists
+	# 2 - service dead, but /var/lock/ lock file exists
+	# 3 - service not running (unused)
+	# 4 - service status unknown :-(
+	# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+	shift
+	if [ $# -eq 0 ]
+	then
+		if [ -e $IPSEC_CHARON_PID ]
+		then
+			$IPSEC_STROKE "$op"
+		fi
+	else
+		if [ -e $IPSEC_CHARON_PID ]
+		then
+			$IPSEC_STROKE "$op" "$1"
+		fi
+	fi
+	if [ -e $IPSEC_STARTER_PID ]
+	then
+		kill -0 `cat $IPSEC_STARTER_PID` 2>/dev/null
+		exit $?
+	fi
+	exit 3
+	;;
+stop)
+	# stopping a not-running service is considered as success
+	if [ -e $IPSEC_STARTER_PID ]
+	then
+		echo "Stopping strongSwan IPsec..." >&2
+		spid=`cat $IPSEC_STARTER_PID`
+		if [ -n "$spid" ]
+		then
+			kill $spid 2>/dev/null
+			loop=11
+			while [ $loop -gt 0 ] ; do
+				kill -0 $spid 2>/dev/null || break
+				sleep 1
+				loop=$(($loop - 1))
+			done
+			if [ $loop -eq 0 ]
+			then
+				kill -KILL $spid 2>/dev/null
+				rm -f $IPSEC_STARTER_PID
+			fi
+		fi
+	else
+		echo "Stopping strongSwan IPsec failed: starter is not running" >&2
+	fi
+	if [ -d /var/lock/subsys ]; then
+		rm -f /var/lock/subsys/ipsec
+	fi
+	exit 0
+	;;
+up)
+	shift
+	if [ "$#" -ne 1 ]
+	then
+	    echo "Usage: $IPSEC_SCRIPT up <connection name>"
+	    exit 2
+	fi
+	rc=7
+	if [ -e $IPSEC_CHARON_PID ]
+	then
+		$IPSEC_STROKE up "$1"
+		rc="$?"
+	fi
+	exit "$rc"
+	;;
+update)
+	if [ -e $IPSEC_STARTER_PID ]
+	then
+		echo "Updating strongSwan IPsec configuration..." >&2
+		kill -HUP `cat $IPSEC_STARTER_PID`
+		exit 0
+	else
+		echo "Updating strongSwan IPsec failed: starter is not running" >&2
+		exit 7
+	fi
+	;;
+version|--version)
+	printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
+	printf "$IPSEC_DISTRO\n"
+	printf "See '$IPSEC_SCRIPT --copyright' for copyright information.\n"
+	exit 0
+	;;
+--*)
+	echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
+	exit 2
+	;;
+esac
+
+cmd="$1"
+shift
+
+path="$IPSEC_DIR/$cmd"
+
+if [ ! -x "$path" ]
+then
+    path="$IPSEC_DIR/$cmd"
+    if [ ! -x "$path" ]
+    then
+	echo "$0: unknown IPsec command \`$cmd' (\`$IPSEC_SCRIPT --help' for list)" >&2
+	exit 2
+    fi
+fi
+
+exec $path "$@"
diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8
deleted file mode 100644
index 66e43b481..000000000
--- a/src/ipsec/ipsec.8
+++ /dev/null
@@ -1,302 +0,0 @@
-.TH IPSEC 8 "2010-05-30" "4.5.3dr3" "strongSwan"
-.SH NAME
-ipsec \- invoke IPsec utilities
-.SH SYNOPSIS
-.B ipsec
-\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
-.PP
-.SH DESCRIPTION
-The
-.B ipsec
-utility invokes any of several utilities involved in controlling and monitoring
-the IPsec encryption/authentication system, running the specified \fIcommand\fP
-with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
-directly. This largely eliminates possible name collisions with other software,
-and also permits some centralized services.
-.PP
-All the commands described in this manual page are built-in and are used to
-control and monitor IPsec connections as well as the IKE daemons.
-.PP
-For other commands
-.I ipsec
-supplies the invoked
-.I command
-with a suitable PATH environment variable,
-and also provides IPSEC_DIR,
-IPSEC_CONFS, and IPSEC_VERSION environment variables,
-containing respectively
-the full pathname of the directory where the IPsec utilities are stored,
-the full pathname of the directory where the configuration files live,
-and the IPsec version number.
-.PP
-.SS CONTROL COMMANDS
-.TP
-.B "ipsec start [ starter options ]"
-calls
-.BR "ipsec starter"
-which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and
-IKEv2 \fIcharon\fR daemons.
-.PP
-.TP
-.B "ipsec update"
-sends a \fIHUP\fR signal to
-.BR "ipsec starter"
-which in turn determines any changes in \fIipsec.conf\fR
-and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons, correspondingly.
-.PP
-.TP
-.B "ipsec reload"
-sends a \fIUSR1\fR signal to
-.BR "ipsec starter"
-which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR
-and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR.
-.PP
-.TP
-.B "ipsec restart"
-is equivalent to
-.B "ipsec stop"
-followed by
-.B "ipsec start"
-after a guard of 2 seconds.
-.PP
-.TP
-.B "ipsec stop"
-terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons by sending a \fITERM\fR signal to
-.BR "ipsec starter".
-.PP
-.TP
-.B "ipsec up \fIname\fP"
-tells the responsible IKE daemon to start up connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname\fP"
-tells the responsible IKE daemon to terminate connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{n}\fP"
-terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{*}\fP"
-terminates all IKEv2 CHILD SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[n]\fP"
-terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[*]\fP"
-terminates all IKEv2 IKE SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec route \fIname\fP"
-tells the responsible IKE daemon to insert an IPsec policy in the kernel
-for connection \fIname\fP. The first payload packet matching the IPsec policy
-will automatically trigger an IKE connection setup.
-.PP
-.TP
-.B "ipsec unroute \fIname\fP"
-remove the IPsec policy in the kernel for connection \fIname\fP.
-.PP
-.TP
-.B "ipsec status [ \fIname\fP ]"
-returns concise status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.TP
-.B "ipsec statusall [ \fIname\fP ]"
-returns detailed status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.SS LIST COMMANDS
-.TP
-.B "ipsec listalgs"
-returns a list all supported IKE encryption and hash algorithms, the available
-Diffie-Hellman groups, as well as all supported ESP encryption and
-authentication algorithms registered via the Linux kernel's Crypto API.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listpubkeys [ --utc ]"
-returns a list of RSA public keys that were either loaded in raw key format
-or extracted from X.509 and|or OpenPGP certificates.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcerts [ --utc ]"
-returns a list of X.509 and|or OpenPGP certificates that were either loaded
-locally by the IKE daemon or received via the IKEv2 protocol.
-.PP
-.TP
-.B "ipsec listcacerts [ --utc ]"
-returns a list of X.509 Certification Authority (CA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
-directory or received in PKCS#7-wrapped certificate payloads via the IKE
-protocol.
-.PP
-.TP
-.B "ipsec listaacerts [ --utc ]"
-returns a list of X.509 Authorization Authority (AA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
-directory.
-.PP
-.TP
-.B "ipsec listocspcerts [ --utc ]"
-returns a list of X.509 OCSP Signer certificates that were either loaded
-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
-directory or were sent by an OCSP server.
-.PP
-.TP
-.B "ipsec listacerts [ --utc ]"
-returns a list of X.509 Attribute certificates that were loaded locally by
-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
-.PP
-.TP
-.B "ipsec listgroups [ --utc ]"
-returns a list of groups that are used to define user authorization profiles.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcainfos [ --utc ]"
-returns certification authority information (CRL distribution points, OCSP URIs,
-LDAP servers) that were defined by
-.BR ca
-sections in \fIipsec.conf\fP.
-.PP
-.TP
-.B "ipsec listcrls [ --utc ]"
-returns a list of Certificate Revocation Lists (CRLs) that were either loaded
-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
-an HTTP- or LDAP-based CRL distribution point.
-.PP
-.TP
-.B "ipsec listocsp [ --utc ]"
-returns revocation information fetched from OCSP servers.
-.PP
-.TP
-.B "ipsec listcards [ --utc ]"
-list all certificates found on attached smart cards.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listall [ --utc ]"
-returns all information generated by the list commands above. Each list command 
-can be called with the
-\fB\-\-utc\fP
-option which displays all dates in UTC instead of local time.
-.PP
-.SS REREAD COMMANDS
-.TP
-.B "ipsec rereadsecrets"
-flushes and rereads all secrets defined in \fIipsec.secrets\fP.
-.PP
-.TP
-.B "ipsec rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadocspcerts" 
-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
-directory and adds them to the list of OCSP signer certificates.
-.PP
-.TP
-.B "ipsec rereadacerts"
-reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
-directory and adds them to the list of attribute certificates.
-.PP
-.TP
-.B "ipsec rereadcrls"
-reads  all Certificate  Revocation Lists (CRLs) contained in the
-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
-.PP
-.TP
-.B "ipsec rereadall"
-executes all reread commands listed above.
-.PP
-.SS PURGE COMMANDS
-.TP
-.B "ipsec purgeike"
-purges IKEv2 SAs that don't have a CHILD SA.
-.PP
-.TP
-.B "ipsec purgeocsp"
-purges all cached OCSP information records.
-.PP
-.SS INFO COMMANDS
-.TP
-.B "ipsec \-\-help"
-returns the usage information for the ipsec command.
-.PP
-.TP
-.B "ipsec \-\-version"
-returns the version in the form of
-.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-versioncode"
-returns the version number in the form of
-.B U<strongSwan userland version>/K<Linux kernel version>
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-copyright"
-returns the copyright information.
-.PP
-.TP
-.B "ipsec \-\-directory"
-returns the \fILIBEXECDIR\fP directory as defined by the configure options.
-.PP
-.TP
-.B "ipsec \-\-confdir"
-returns the \fISYSCONFDIR\fP directory as defined by the configure options.
-.SH FILES
-/usr/local/lib/ipsec	usual utilities directory
-.SH ENVIRONMENT
-.PP
-The following environment variables control where strongSwan finds its
-components.
-The
-.B ipsec
-command sets them if they are not already set.
-.nf
-.na
-
-IPSEC_DIR 		directory containing ipsec programs and utilities
-IPSEC_SBINDIR		directory containing \fBipsec\fP command
-IPSEC_CONFDIR 		directory containing configuration files
-IPSEC_PIDDIR		directory containing PID files
-IPSEC_NAME 		name of ipsec distribution
-IPSEC_VERSION 		version numer of ipsec userland and kernel
-IPSEC_STARTER_PID 	PID file for ipsec starter
-IPSEC_PLUTO_PID 	PID file for IKEv1 keying daemon
-IPSEC_CHARON_PID	PID file for IKEv2 keying daemon
-.ad
-.fi
-.SH SEE ALSO
-.hy 0
-.na
-ipsec.conf(5), ipsec.secrets(5)
-.ad
-.hy
-.PP
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner and Andreas Steffen.
diff --git a/src/ipsec/ipsec.8.in b/src/ipsec/ipsec.8.in
deleted file mode 100644
index 24a796392..000000000
--- a/src/ipsec/ipsec.8.in
+++ /dev/null
@@ -1,302 +0,0 @@
-.TH IPSEC 8 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
-.SH NAME
-ipsec \- invoke IPsec utilities
-.SH SYNOPSIS
-.B ipsec
-\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ]
-.PP
-.SH DESCRIPTION
-The
-.B ipsec
-utility invokes any of several utilities involved in controlling and monitoring
-the IPsec encryption/authentication system, running the specified \fIcommand\fP
-with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked
-directly. This largely eliminates possible name collisions with other software,
-and also permits some centralized services.
-.PP
-All the commands described in this manual page are built-in and are used to
-control and monitor IPsec connections as well as the IKE daemons.
-.PP
-For other commands
-.I ipsec
-supplies the invoked
-.I command
-with a suitable PATH environment variable,
-and also provides IPSEC_DIR,
-IPSEC_CONFS, and IPSEC_VERSION environment variables,
-containing respectively
-the full pathname of the directory where the IPsec utilities are stored,
-the full pathname of the directory where the configuration files live,
-and the IPsec version number.
-.PP
-.SS CONTROL COMMANDS
-.TP
-.B "ipsec start [ starter options ]"
-calls
-.BR "ipsec starter"
-which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and
-IKEv2 \fIcharon\fR daemons.
-.PP
-.TP
-.B "ipsec update"
-sends a \fIHUP\fR signal to
-.BR "ipsec starter"
-which in turn determines any changes in \fIipsec.conf\fR
-and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons, correspondingly.
-.PP
-.TP
-.B "ipsec reload"
-sends a \fIUSR1\fR signal to
-.BR "ipsec starter"
-which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR
-and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR.
-.PP
-.TP
-.B "ipsec restart"
-is equivalent to
-.B "ipsec stop"
-followed by
-.B "ipsec start"
-after a guard of 2 seconds.
-.PP
-.TP
-.B "ipsec stop"
-terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2
-\fIcharon\fR daemons by sending a \fITERM\fR signal to
-.BR "ipsec starter".
-.PP
-.TP
-.B "ipsec up \fIname\fP"
-tells the responsible IKE daemon to start up connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname\fP"
-tells the responsible IKE daemon to terminate connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{n}\fP"
-terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname{*}\fP"
-terminates all IKEv2 CHILD SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[n]\fP"
-terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec down \fIname[*]\fP"
-terminates all IKEv2 IKE SA instances of connection \fIname\fP.
-.PP
-.TP
-.B "ipsec route \fIname\fP"
-tells the responsible IKE daemon to insert an IPsec policy in the kernel
-for connection \fIname\fP. The first payload packet matching the IPsec policy
-will automatically trigger an IKE connection setup.
-.PP
-.TP
-.B "ipsec unroute \fIname\fP"
-remove the IPsec policy in the kernel for connection \fIname\fP.
-.PP
-.TP
-.B "ipsec status [ \fIname\fP ]"
-returns concise status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.TP
-.B "ipsec statusall [ \fIname\fP ]"
-returns detailed status information either on connection
-\fIname\fP or if the argument is lacking, on all connections.
-.PP
-.SS LIST COMMANDS
-.TP
-.B "ipsec listalgs"
-returns a list all supported IKE encryption and hash algorithms, the available
-Diffie-Hellman groups, as well as all supported ESP encryption and
-authentication algorithms registered via the Linux kernel's Crypto API.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listpubkeys [ --utc ]"
-returns a list of RSA public keys that were either loaded in raw key format
-or extracted from X.509 and|or OpenPGP certificates.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcerts [ --utc ]"
-returns a list of X.509 and|or OpenPGP certificates that were either loaded
-locally by the IKE daemon or received via the IKEv2 protocol.
-.PP
-.TP
-.B "ipsec listcacerts [ --utc ]"
-returns a list of X.509 Certification Authority (CA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
-directory or received in PKCS#7-wrapped certificate payloads via the IKE
-protocol.
-.PP
-.TP
-.B "ipsec listaacerts [ --utc ]"
-returns a list of X.509 Authorization Authority (AA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
-directory.
-.PP
-.TP
-.B "ipsec listocspcerts [ --utc ]"
-returns a list of X.509 OCSP Signer certificates that were either loaded
-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
-directory or were sent by an OCSP server.
-.PP
-.TP
-.B "ipsec listacerts [ --utc ]"
-returns a list of X.509 Attribute certificates that were loaded locally by
-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
-.PP
-.TP
-.B "ipsec listgroups [ --utc ]"
-returns a list of groups that are used to define user authorization profiles.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listcainfos [ --utc ]"
-returns certification authority information (CRL distribution points, OCSP URIs,
-LDAP servers) that were defined by
-.BR ca
-sections in \fIipsec.conf\fP.
-.PP
-.TP
-.B "ipsec listcrls [ --utc ]"
-returns a list of Certificate Revocation Lists (CRLs) that were either loaded
-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
-an HTTP- or LDAP-based CRL distribution point.
-.PP
-.TP
-.B "ipsec listocsp [ --utc ]"
-returns revocation information fetched from OCSP servers.
-.PP
-.TP
-.B "ipsec listcards [ --utc ]"
-list all certificates found on attached smart cards.
-.br
-Supported by the IKEv1 \fIpluto\fP daemon only.
-.PP
-.TP
-.B "ipsec listall [ --utc ]"
-returns all information generated by the list commands above. Each list command 
-can be called with the
-\fB\-\-utc\fP
-option which displays all dates in UTC instead of local time.
-.PP
-.SS REREAD COMMANDS
-.TP
-.B "ipsec rereadsecrets"
-flushes and rereads all secrets defined in \fIipsec.secrets\fP.
-.PP
-.TP
-.B "ipsec rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
-.PP
-.TP
-.B "ipsec rereadocspcerts" 
-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
-directory and adds them to the list of OCSP signer certificates.
-.PP
-.TP
-.B "ipsec rereadacerts"
-reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
-directory and adds them to the list of attribute certificates.
-.PP
-.TP
-.B "ipsec rereadcrls"
-reads  all Certificate  Revocation Lists (CRLs) contained in the
-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
-.PP
-.TP
-.B "ipsec rereadall"
-executes all reread commands listed above.
-.PP
-.SS PURGE COMMANDS
-.TP
-.B "ipsec purgeike"
-purges IKEv2 SAs that don't have a CHILD SA.
-.PP
-.TP
-.B "ipsec purgeocsp"
-purges all cached OCSP information records.
-.PP
-.SS INFO COMMANDS
-.TP
-.B "ipsec \-\-help"
-returns the usage information for the ipsec command.
-.PP
-.TP
-.B "ipsec \-\-version"
-returns the version in the form of
-.B Linux strongSwan U<strongSwan userland version>/K<Linux kernel version>
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-versioncode"
-returns the version number in the form of
-.B U<strongSwan userland version>/K<Linux kernel version>
-if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
-running on.
-.PP
-.TP
-.B "ipsec \-\-copyright"
-returns the copyright information.
-.PP
-.TP
-.B "ipsec \-\-directory"
-returns the \fILIBEXECDIR\fP directory as defined by the configure options.
-.PP
-.TP
-.B "ipsec \-\-confdir"
-returns the \fISYSCONFDIR\fP directory as defined by the configure options.
-.SH FILES
-/usr/local/lib/ipsec	usual utilities directory
-.SH ENVIRONMENT
-.PP
-The following environment variables control where strongSwan finds its
-components.
-The
-.B ipsec
-command sets them if they are not already set.
-.nf
-.na
-
-IPSEC_DIR 		directory containing ipsec programs and utilities
-IPSEC_SBINDIR		directory containing \fBipsec\fP command
-IPSEC_CONFDIR 		directory containing configuration files
-IPSEC_PIDDIR		directory containing PID files
-IPSEC_NAME 		name of ipsec distribution
-IPSEC_VERSION 		version numer of ipsec userland and kernel
-IPSEC_STARTER_PID 	PID file for ipsec starter
-IPSEC_PLUTO_PID 	PID file for IKEv1 keying daemon
-IPSEC_CHARON_PID	PID file for IKEv2 keying daemon
-.ad
-.fi
-.SH SEE ALSO
-.hy 0
-.na
-ipsec.conf(5), ipsec.secrets(5)
-.ad
-.hy
-.PP
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner and Andreas Steffen.
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
deleted file mode 100755
index 479974a0e..000000000
--- a/src/ipsec/ipsec.in
+++ /dev/null
@@ -1,408 +0,0 @@
-#! @IPSEC_SHELL@
-# prefix command to run stuff from our programs directory
-# Copyright (C) 1998-2002  Henry Spencer.
-# Copyright (C) 2006 Andreas Steffen
-# Copyright (C) 2006 Martin Willi
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
-export PATH
-
-# name and version of the ipsec implementation
-OS_NAME=`uname -s`
-IPSEC_NAME="@IPSEC_NAME@"
-IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
-
-# where the private directory and the config files are
-IPSEC_DIR="@IPSEC_DIR@"
-IPSEC_SBINDIR="@IPSEC_SBINDIR@"
-IPSEC_CONFDIR="@IPSEC_CONFDIR@"
-IPSEC_PIDDIR="@IPSEC_PIDDIR@"
-
-IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.pid"
-IPSEC_PLUTO_PID="${IPSEC_PIDDIR}/pluto.pid"
-IPSEC_CHARON_PID="${IPSEC_PIDDIR}/charon.pid"
-
-IPSEC_WHACK="${IPSEC_DIR}/whack"
-IPSEC_STROKE="${IPSEC_DIR}/stroke"
-IPSEC_STARTER="${IPSEC_DIR}/starter"
-
-export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_PLUTO_PID IPSEC_CHARON_PID
-
-IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
-
-case "$1" in
-'')
-	echo "Usage: ipsec command argument ..."
-	echo "Use --help for list of commands, or see ipsec(8) manual page"
-	echo "or the $IPSEC_NAME documentation for names of the common ones."
-	echo "Most have their own manual pages, e.g. ipsec_auto(8)."
-	echo "See <http://www.strongswan.org> for more general info."
-	exit 0
-	;;
---help)
-	echo "Usage: ipsec command argument ..."
-	echo "where command is one of:"
-	echo "	start|restart  arguments..."
-	echo "	update|reload|stop"
-	echo "	up|down|route|unroute <connectionname>"
-	echo "	status|statusall [<connectionname>]"
-	echo "	ready"
-	echo "	listalgs|listpubkeys|listcerts [--utc]"
-	echo "	listcacerts|listaacerts|listocspcerts [--utc]"
-	echo "	listacerts|listgroups|listcainfos [--utc]"
-	echo "	listcrls|listocsp|listcards|listplugins|listall [--utc]"
-	echo "	leases [<poolname> [<address>]]"
-	echo "	rereadsecrets|rereadgroups"
-	echo "	rereadcacerts|rereadaacerts|rereadocspcerts"
-	echo "	rereadacerts|rereadcrls|rereadall"
-	echo "	purgeocsp|purgecrls|purgecerts|purgeike"
-	echo "	scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
-	echo "	openac"
-	echo "	pluto"
-	echo "	scepclient"
-	echo "	secrets"
-	echo "	starter"
-	echo "	version"
-	echo "	whack"
-	echo "	stroke"
-	echo
-	echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
-	exit 0
-	;;
---versioncode)
-	echo "$IPSEC_VERSION"
-	exit 0
-	;;
---directory)
-	echo "$IPSEC_DIR"
-	exit 0
-	;;
---confdir)
-	echo "$IPSEC_CONFDIR"
-	exit 0
-	;;
-copyright|--copyright)
-	set _copyright
-	# and fall through, invoking "ipsec _copyright"
-	;;
-down)
-	shift
-	if [ "$#" -ne 1 ]
-	then
-	    echo "Usage: ipsec down <connection name>"
-	    exit 2
-	fi
-	rc=7
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK --name "$1" --terminate
-		rc="$?"
-	fi
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		$IPSEC_STROKE down "$1"
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-down-srcip)
-	shift
-	if [ "$#" -lt 1 ]
-	then
-	    echo "Usage: ipsec down-srcip <start> [<end>]"
-	    exit 2
-	fi
-	rc=7
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		$IPSEC_STROKE down-srcip $*
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-listcards|rereadgroups)
-	op="$1"
-	shift
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK "$@" "--$op"
-		rc="$?"
-	fi
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		exit 3
-	else
-		exit 7
-	fi
-	;;
-leases)
-	op="$1"
-	rc=7
-	shift
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		case "$#" in
-		0) $IPSEC_WHACK "--$op" ;;
-		1) $IPSEC_WHACK "--$op" --name "$1" ;;
-		*) $IPSEC_WHACK "--$op" --name "$1" --lease-addr "$2" ;;
-		esac
-		rc="$?"
-	fi
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		case "$#" in
-		0) $IPSEC_STROKE "$op" ;;
-		1) $IPSEC_STROKE "$op" "$1" ;;
-		*) $IPSEC_STROKE "$op" "$1" "$2" ;;
-		esac
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-listalgs|listpubkeys|listplugins|\
-listcerts|listcacerts|listaacerts|\
-listacerts|listgroups|listocspcerts|\
-listcainfos|listcrls|listocsp|listall|\
-rereadsecrets|rereadcacerts|rereadaacerts|\
-rereadacerts|rereadocspcerts|rereadcrls|\
-rereadall|purgeocsp)
-	op="$1"
-	rc=7
-	shift
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK "$@" "--$op"
-		rc="$?"
-	fi
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		$IPSEC_STROKE "$op" "$@"
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-purgeike|purgecrls|purgecerts)
-	rc=7
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		$IPSEC_STROKE "$1"
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-ready)
-	shift
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK --listen
-		exit 0
-	else
-		exit 7
-	fi
-	;;
-reload)
-	rc=7
-	if [ -e $IPSEC_STARTER_PID ]
-	then
-		echo "Reloading strongSwan IPsec configuration..." >&2
-		kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
-	else
-		echo "Reloading strongSwan IPsec failed: starter is not running" >&2
-	fi
-	exit "$rc"
-	;;
-restart)
-	$IPSEC_SBINDIR/ipsec stop
-	sleep 2
-	shift
-	exec $IPSEC_SBINDIR/ipsec start "$@"
-	;;
-route|unroute)
-	op="$1"
-	rc=7
-	shift
-	if [ "$#" -ne 1 ]
-	then
-		echo "Usage: ipsec $op <connection name>"
-		exit 2
-	fi
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK --name "$1" "--$op"
-		rc="$?"
-	fi
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		$IPSEC_STROKE "$op" "$1"
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-scencrypt|scdecrypt)
-	op="$1"
-	shift
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK "--$op" "$@"
-		exit "$?"
-	else
-		exit 7
-	fi
-	;;
-secrets)
-	rc=7
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK --rereadsecrets
-		rc="$?"
-	fi
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		$IPSEC_STROKE rereadsecrets
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-start)
-	shift
-	if [ -d /var/lock/subsys ]; then
-		touch /var/lock/subsys/ipsec
-	fi
-	exec $IPSEC_STARTER "$@"
-	;;
-status|statusall)
-	op="$1"
-	# Return value is slightly different for the status command:
-	# 0 - service up and running
-	# 1 - service dead, but /var/run/  pid  file exists
-	# 2 - service dead, but /var/lock/ lock file exists
-	# 3 - service not running (unused)
-	# 4 - service status unknown :-(
-	# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
-	shift
-	if [ $# -eq 0 ]
-	then
-		if [ -e $IPSEC_PLUTO_PID ]
-		then
-			$IPSEC_WHACK "--$op"
-		fi
-		if [ -e $IPSEC_CHARON_PID ]
-		then
-			$IPSEC_STROKE "$op"
-		fi
-	else
-		if [ -e $IPSEC_PLUTO_PID ]
-		then
-			$IPSEC_WHACK --name "$1" "--$op"
-		fi
-		if [ -e $IPSEC_CHARON_PID ]
-		then
-			$IPSEC_STROKE "$op" "$1"
-		fi
-	fi
-	if [ -e $IPSEC_STARTER_PID ]
-	then
-		kill -0 `cat $IPSEC_STARTER_PID` 2>/dev/null
-		exit $?
-	fi
-	exit 3
-	;;
-stop)
-	# stopping a not-running service is considered as success
-	if [ -e $IPSEC_STARTER_PID ]
-	then
-		echo "Stopping strongSwan IPsec..." >&2
-		spid=`cat $IPSEC_STARTER_PID`
-		if [ -n "$spid" ]
-		then
-			kill $spid 2>/dev/null
-			loop=11
-			while [ $loop -gt 0 ] ; do
-				kill -0 $spid 2>/dev/null || break
-				sleep 1
-				loop=$(($loop - 1))
-			done
-			if [ $loop -eq 0 ]
-			then
-				kill -KILL $spid 2>/dev/null
-				rm -f $IPSEC_STARTER_PID
-			fi
-		fi
-	else
-		echo "Stopping strongSwan IPsec failed: starter is not running" >&2
-	fi
-	if [ -d /var/lock/subsys ]; then
-		rm -f /var/lock/subsys/ipsec
-	fi
-	exit 0
-	;;
-up)
-	shift
-	if [ "$#" -ne 1 ]
-	then
-	    echo "Usage: ipsec up <connection name>"
-	    exit 2
-	fi
-	rc=7
-	if [ -e $IPSEC_PLUTO_PID ]
-	then
-		$IPSEC_WHACK --name "$1" --initiate
-		rc="$?"
-	fi
-	if [ -e $IPSEC_CHARON_PID ]
-	then
-		$IPSEC_STROKE up "$1"
-		rc="$?"
-	fi
-	exit "$rc"
-	;;
-update)
-	if [ -e $IPSEC_STARTER_PID ]
-	then
-		echo "Updating strongSwan IPsec configuration..." >&2
-		kill -HUP `cat $IPSEC_STARTER_PID`
-		exit 0
-	else
-		echo "Updating strongSwan IPsec failed: starter is not running" >&2
-		exit 7
-	fi
-	;;
-version|--version)
-	printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
-	printf "$IPSEC_DISTRO\n"
-	printf "See 'ipsec --copyright' for copyright information.\n"
-	exit 0
-	;;
---*)
-	echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
-	exit 2
-	;;
-esac
-
-cmd="$1"
-shift
-
-path="$IPSEC_DIR/$cmd"
-
-if [ ! -x "$path" ]
-then
-    path="$IPSEC_DIR/$cmd"
-    if [ ! -x "$path" ]
-    then
-	echo "$0: unknown IPsec command \`$cmd' (\`ipsec --help' for list)" >&2
-	exit 2
-    fi
-fi
-
-exec $path "$@"
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index f98d36a61..75cf74fa4 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -2,9 +2,10 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libcharon_la_SOURCES := \
 bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
+bus/listeners/logger.h \
 bus/listeners/file_logger.c bus/listeners/file_logger.h \
 bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 config/backend_manager.c config/backend_manager.h config/backend.h \
@@ -40,9 +41,11 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct
 encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
+encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
+encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
 kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
-network/packet.c network/packet.h network/socket.c network/socket.h \
+network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
@@ -52,52 +55,88 @@ processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
+processing/jobs/retry_initiate_job.c processing/jobs/retry_initiate_job.h \
 processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
-sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
-sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
-sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
-sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
-sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
+sa/eap/eap_manager.c sa/eap/eap_manager.h \
+sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
+sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
+sa/authenticator.c sa/authenticator.h \
 sa/child_sa.c sa/child_sa.h \
 sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/keymat.h sa/keymat.c \
 sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/task_manager.c sa/task_manager.h \
-sa/keymat.c sa/keymat.h \
+sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
-sa/tasks/child_create.c sa/tasks/child_create.h \
-sa/tasks/child_delete.c sa/tasks/child_delete.h \
-sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-sa/tasks/ike_config.c sa/tasks/ike_config.h \
-sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
-sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
-sa/tasks/ike_init.c sa/tasks/ike_init.h \
-sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
-sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
-sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
-sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
-sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
-sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/task.c sa/task.h
+
+libcharon_la_SOURCES += \
+sa/ikev2/keymat_v2.c sa/ikev2/keymat_v2.h \
+sa/ikev2/task_manager_v2.c sa/ikev2/task_manager_v2.h \
+sa/ikev2/authenticators/eap_authenticator.c sa/ikev2/authenticators/eap_authenticator.h \
+sa/ikev2/authenticators/psk_authenticator.c sa/ikev2/authenticators/psk_authenticator.h \
+sa/ikev2/authenticators/pubkey_authenticator.c sa/ikev2/authenticators/pubkey_authenticator.h \
+sa/ikev2/tasks/child_create.c sa/ikev2/tasks/child_create.h \
+sa/ikev2/tasks/child_delete.c sa/ikev2/tasks/child_delete.h \
+sa/ikev2/tasks/child_rekey.c sa/ikev2/tasks/child_rekey.h \
+sa/ikev2/tasks/ike_auth.c sa/ikev2/tasks/ike_auth.h \
+sa/ikev2/tasks/ike_cert_pre.c sa/ikev2/tasks/ike_cert_pre.h \
+sa/ikev2/tasks/ike_cert_post.c sa/ikev2/tasks/ike_cert_post.h \
+sa/ikev2/tasks/ike_config.c sa/ikev2/tasks/ike_config.h \
+sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
+sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
+sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
+sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
+sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
+sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
+sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+
+libcharon_la_SOURCES += \
+sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
+sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
+sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
+sa/ikev1/authenticators/hybrid_authenticator.c sa/ikev1/authenticators/hybrid_authenticator.h \
+sa/ikev1/phase1.c sa/ikev1/phase1.h \
+sa/ikev1/tasks/main_mode.c sa/ikev1/tasks/main_mode.h \
+sa/ikev1/tasks/aggressive_mode.c sa/ikev1/tasks/aggressive_mode.h \
+sa/ikev1/tasks/informational.c sa/ikev1/tasks/informational.h \
+sa/ikev1/tasks/isakmp_cert_pre.c sa/ikev1/tasks/isakmp_cert_pre.h \
+sa/ikev1/tasks/isakmp_cert_post.c sa/ikev1/tasks/isakmp_cert_post.h \
+sa/ikev1/tasks/isakmp_natd.c sa/ikev1/tasks/isakmp_natd.h \
+sa/ikev1/tasks/isakmp_vendor.c sa/ikev1/tasks/isakmp_vendor.h \
+sa/ikev1/tasks/isakmp_delete.c sa/ikev1/tasks/isakmp_delete.h \
+sa/ikev1/tasks/isakmp_dpd.c sa/ikev1/tasks/isakmp_dpd.h \
+sa/ikev1/tasks/xauth.c sa/ikev1/tasks/xauth.h \
+sa/ikev1/tasks/quick_mode.c sa/ikev1/tasks/quick_mode.h \
+sa/ikev1/tasks/quick_delete.c sa/ikev1/tasks/quick_delete.h \
+sa/ikev1/tasks/mode_config.c sa/ikev1/tasks/mode_config.h \
+processing/jobs/dpd_timeout_job.c processing/jobs/dpd_timeout_job.h \
+processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
+
+LOCAL_SRC_FILES := $(filter %.c,$(libcharon_la_SOURCES))
 
 # adding the plugin source files
 
-LOCAL_SRC_FILES += $(call add_plugin, android)
-ifneq ($(call plugin_enabled, android),)
-LOCAL_C_INCLUDES += frameworks/base/cmds/keystore
+LOCAL_SRC_FILES += $(call add_plugin, android-dns)
+ifneq ($(call plugin_enabled, android-dns),)
 LOCAL_SHARED_LIBRARIES += libcutils
 endif
 
+LOCAL_SRC_FILES += $(call add_plugin, android-log)
+ifneq ($(call plugin_enabled, android-log),)
+LOCAL_LDLIBS += -llog
+endif
+
 LOCAL_SRC_FILES += $(call add_plugin, attr)
 
 LOCAL_SRC_FILES += $(call add_plugin, eap-aka)
@@ -137,19 +176,66 @@ LOCAL_SRC_FILES += $(addprefix ../libsimaka/, \
 	)
 endif
 
+LOCAL_SRC_FILES += $(call add_plugin, eap-tls)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-ttls)
+ifneq ($(call plugin_enabled, eap-ttls),)
+# for radius_message.h
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libradius/
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-peap)
+
+LOCAL_SRC_FILES += $(call add_plugin, eap-tnc)
+
+# adding libtls if any of the four plugins above is enabled
+ifneq ($(or $(call plugin_enabled, eap-tls), $(call plugin_enabled, eap-ttls), \
+			$(call plugin_enabled, eap-peap), $(call plugin_enabled, eap-tnc)),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtls/
+LOCAL_SRC_FILES += $(addprefix ../libtls/, \
+		tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
+		tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+		tls_server.c tls.c \
+	)
+endif
+
 LOCAL_SRC_FILES += $(call add_plugin, load-tester)
 
 LOCAL_SRC_FILES += $(call add_plugin, socket-default)
 
 LOCAL_SRC_FILES += $(call add_plugin, socket-dynamic)
 
-LOCAL_SRC_FILES += $(call add_plugin, socket-raw)
-
 LOCAL_SRC_FILES += $(call add_plugin, stroke)
 ifneq ($(call plugin_enabled, stroke),)
 LOCAL_C_INCLUDES += $(LOCAL_PATH)/../stroke/
 endif
 
+LOCAL_SRC_FILES += $(call add_plugin, tnc-imc)
+ifneq ($(call plugin_enabled, tnc-imc),)
+LOCAL_SHARED_LIBRARIES += libdl
+endif
+
+LOCAL_SRC_FILES += $(call add_plugin, tnc-tnccs)
+
+LOCAL_SRC_FILES += $(call add_plugin, tnccs-20)
+LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages state_machine)
+ifneq ($(call plugin_enabled, tnccs-20),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/plugins/tnccs_20/
+# for tls.h
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtls/
+endif
+
+ifneq ($(or $(call plugin_enabled, eap-tnc), $(call plugin_enabled, tnc-imc), \
+			$(call plugin_enabled, tnc-tnccs), $(call plugin_enabled, tnccs-20)),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtnccs/
+LOCAL_SHARED_LIBRARIES += libtnccs
+endif
+
+ifneq ($(or $(call plugin_enabled, tnc-imc), $(call plugin_enabled, tnc-tnccs), \
+			$(call plugin_enabled, tnccs-20)),)
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/../libtncif/
+LOCAL_SHARED_LIBRARIES += libtncif
+endif
 
 # build libcharon --------------------------------------------------------------
 
@@ -160,8 +246,7 @@ LOCAL_C_INCLUDES += \
 	$(strongswan_PATH)/src/libstrongswan \
 	$(strongswan_PATH)/src/libtncif
 
-LOCAL_CFLAGS := $(strongswan_CFLAGS) \
-	-DPLUGINS='"$(strongswan_CHARON_PLUGINS)"'
+LOCAL_CFLAGS := $(strongswan_CFLAGS)
 
 LOCAL_MODULE := libcharon
 
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index b86bd428c..10d0b04cb 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -3,6 +3,7 @@ ipseclib_LTLIBRARIES = libcharon.la
 libcharon_la_SOURCES = \
 bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
+bus/listeners/logger.h \
 bus/listeners/file_logger.c bus/listeners/file_logger.h \
 bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
 config/backend_manager.c config/backend_manager.h config/backend.h \
@@ -38,9 +39,11 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct
 encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
+encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
+encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
 kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
-network/packet.c network/packet.h network/socket.c network/socket.h \
+network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
@@ -50,56 +53,88 @@ processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
+processing/jobs/retry_initiate_job.c processing/jobs/retry_initiate_job.h \
 processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
-sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
-sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
-sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
-sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
-sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
+sa/eap/eap_manager.c sa/eap/eap_manager.h \
+sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
+sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
+sa/authenticator.c sa/authenticator.h \
 sa/child_sa.c sa/child_sa.h \
 sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/keymat.h sa/keymat.c \
 sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/task_manager.c sa/task_manager.h \
-sa/keymat.c sa/keymat.h \
+sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
-sa/tasks/child_create.c sa/tasks/child_create.h \
-sa/tasks/child_delete.c sa/tasks/child_delete.h \
-sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-sa/tasks/ike_config.c sa/tasks/ike_config.h \
-sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
-sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
-sa/tasks/ike_init.c sa/tasks/ike_init.h \
-sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
-sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
-sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
-sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
-sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
-sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/task.c sa/task.h
+
+if USE_IKEV2
+libcharon_la_SOURCES += \
+sa/ikev2/keymat_v2.c sa/ikev2/keymat_v2.h \
+sa/ikev2/task_manager_v2.c sa/ikev2/task_manager_v2.h \
+sa/ikev2/authenticators/eap_authenticator.c sa/ikev2/authenticators/eap_authenticator.h \
+sa/ikev2/authenticators/psk_authenticator.c sa/ikev2/authenticators/psk_authenticator.h \
+sa/ikev2/authenticators/pubkey_authenticator.c sa/ikev2/authenticators/pubkey_authenticator.h \
+sa/ikev2/tasks/child_create.c sa/ikev2/tasks/child_create.h \
+sa/ikev2/tasks/child_delete.c sa/ikev2/tasks/child_delete.h \
+sa/ikev2/tasks/child_rekey.c sa/ikev2/tasks/child_rekey.h \
+sa/ikev2/tasks/ike_auth.c sa/ikev2/tasks/ike_auth.h \
+sa/ikev2/tasks/ike_cert_pre.c sa/ikev2/tasks/ike_cert_pre.h \
+sa/ikev2/tasks/ike_cert_post.c sa/ikev2/tasks/ike_cert_post.h \
+sa/ikev2/tasks/ike_config.c sa/ikev2/tasks/ike_config.h \
+sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
+sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
+sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
+sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
+sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
+sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
+sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+endif
+
+if USE_IKEV1
+libcharon_la_SOURCES += \
+sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
+sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
+sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
+sa/ikev1/authenticators/hybrid_authenticator.c sa/ikev1/authenticators/hybrid_authenticator.h \
+sa/ikev1/phase1.c sa/ikev1/phase1.h \
+sa/ikev1/tasks/main_mode.c sa/ikev1/tasks/main_mode.h \
+sa/ikev1/tasks/aggressive_mode.c sa/ikev1/tasks/aggressive_mode.h \
+sa/ikev1/tasks/informational.c sa/ikev1/tasks/informational.h \
+sa/ikev1/tasks/isakmp_cert_pre.c sa/ikev1/tasks/isakmp_cert_pre.h \
+sa/ikev1/tasks/isakmp_cert_post.c sa/ikev1/tasks/isakmp_cert_post.h \
+sa/ikev1/tasks/isakmp_natd.c sa/ikev1/tasks/isakmp_natd.h \
+sa/ikev1/tasks/isakmp_vendor.c sa/ikev1/tasks/isakmp_vendor.h \
+sa/ikev1/tasks/isakmp_delete.c sa/ikev1/tasks/isakmp_delete.h \
+sa/ikev1/tasks/isakmp_dpd.c sa/ikev1/tasks/isakmp_dpd.h \
+sa/ikev1/tasks/xauth.c sa/ikev1/tasks/xauth.h \
+sa/ikev1/tasks/quick_mode.c sa/ikev1/tasks/quick_mode.h \
+sa/ikev1/tasks/quick_delete.c sa/ikev1/tasks/quick_delete.h \
+sa/ikev1/tasks/mode_config.c sa/ikev1/tasks/mode_config.h \
+processing/jobs/dpd_timeout_job.c processing/jobs/dpd_timeout_job.h \
+processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
+endif
+
 
 daemon.lo :		$(top_builddir)/config.status
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\" \
-	-DPLUGINS=\""${libcharon_plugins}\""
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
 
@@ -112,13 +147,9 @@ if USE_ME
   libcharon_la_SOURCES += encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
     processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
     processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
-    sa/connect_manager.c sa/connect_manager.h \
-    sa/mediation_manager.c sa/mediation_manager.h \
-    sa/tasks/ike_me.c sa/tasks/ike_me.h
-endif
-
-if USE_LIBCAP
-  libcharon_la_LIBADD += -lcap
+    sa/ikev2/connect_manager.c sa/ikev2/connect_manager.h \
+    sa/ikev2/mediation_manager.c sa/ikev2/mediation_manager.h \
+    sa/ikev2/tasks/ike_me.c sa/ikev2/tasks/ike_me.h
 endif
 
 # build optional plugins
@@ -144,13 +175,6 @@ if MONOLITHIC
 endif
 endif
 
-if USE_SOCKET_RAW
-  SUBDIRS += plugins/socket_raw
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/socket_raw/libstrongswan-socket-raw.la
-endif
-endif
-
 if USE_SOCKET_DYNAMIC
   SUBDIRS += plugins/socket_dynamic
 if MONOLITHIC
@@ -186,6 +210,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_IPSECKEY
+  SUBDIRS += plugins/ipseckey
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/ipseckey/libstrongswan-ipseckey.la
+endif
+endif
+
 if USE_UPDOWN
   SUBDIRS += plugins/updown
 if MONOLITHIC
@@ -284,6 +315,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_EAP_DYNAMIC
+  SUBDIRS += plugins/eap_dynamic
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+endif
+endif
+
 if USE_EAP_RADIUS
   SUBDIRS += plugins/eap_radius
 if MONOLITHIC
@@ -410,24 +448,31 @@ if MONOLITHIC
 endif
 endif
 
-if USE_NM
-  SUBDIRS += plugins/nm
+if USE_DHCP
+  SUBDIRS += plugins/dhcp
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/nm/libstrongswan-nm.la
+  libcharon_la_LIBADD += plugins/dhcp/libstrongswan-dhcp.la
 endif
 endif
 
-if USE_DHCP
-  SUBDIRS += plugins/dhcp
+if USE_OSX_ATTR
+  SUBDIRS += plugins/osx_attr
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/dhcp/libstrongswan-dhcp.la
+  libcharon_la_LIBADD += plugins/osx_attr/libstrongswan-osx-attr.la
 endif
 endif
 
-if USE_ANDROID
-  SUBDIRS += plugins/android
+if USE_ANDROID_DNS
+  SUBDIRS += plugins/android_dns
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/android/libstrongswan-android.la
+  libcharon_la_LIBADD += plugins/android_dns/libstrongswan-android-dns.la
+endif
+endif
+
+if USE_ANDROID_LOG
+  SUBDIRS += plugins/android_log
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/android_log/libstrongswan-android-log.la
 endif
 endif
 
@@ -445,6 +490,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KERNEL_LIBIPSEC
+  SUBDIRS += plugins/kernel_libipsec
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+endif
+endif
+
 if USE_WHITELIST
   SUBDIRS += plugins/whitelist
 if MONOLITHIC
@@ -452,6 +504,20 @@ if MONOLITHIC
 endif
 endif
 
+if USE_LOOKIP
+  SUBDIRS += plugins/lookip
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/lookip/libstrongswan-lookip.la
+endif
+endif
+
+if USE_ERROR_NOTIFY
+  SUBDIRS += plugins/error_notify
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/error_notify/libstrongswan-error-notify.la
+endif
+endif
+
 if USE_CERTEXPIRE
   SUBDIRS += plugins/certexpire
 if MONOLITHIC
@@ -459,6 +525,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SYSTIME_FIX
+  SUBDIRS += plugins/systime_fix
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/systime_fix/libstrongswan-systime-fix.la
+endif
+endif
+
 if USE_LED
   SUBDIRS += plugins/led
 if MONOLITHIC
@@ -497,7 +570,14 @@ endif
 if USE_ADDRBLOCK
   SUBDIRS += plugins/addrblock
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/uci/libstrongswan-addrblock.la
+  libcharon_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la
+endif
+endif
+
+if USE_UNITY
+  SUBDIRS += plugins/unity
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/unity/libstrongswan-unity.la
 endif
 endif
 
@@ -508,3 +588,30 @@ if MONOLITHIC
 endif
 endif
 
+if USE_XAUTH_GENERIC
+  SUBDIRS += plugins/xauth_generic
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_generic/libstrongswan-xauth-generic.la
+endif
+endif
+
+if USE_XAUTH_EAP
+  SUBDIRS += plugins/xauth_eap
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_eap/libstrongswan-xauth-eap.la
+endif
+endif
+
+if USE_XAUTH_PAM
+  SUBDIRS += plugins/xauth_pam
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_pam/libstrongswan-xauth-pam.la
+endif
+endif
+
+if USE_XAUTH_NOAUTH
+  SUBDIRS += plugins/xauth_noauth
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+endif
+endif
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index ccbd4add2..e224605ad 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -34,121 +51,188 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+@USE_IKEV2_TRUE@am__append_1 = \
+@USE_IKEV2_TRUE@sa/ikev2/keymat_v2.c sa/ikev2/keymat_v2.h \
+@USE_IKEV2_TRUE@sa/ikev2/task_manager_v2.c sa/ikev2/task_manager_v2.h \
+@USE_IKEV2_TRUE@sa/ikev2/authenticators/eap_authenticator.c sa/ikev2/authenticators/eap_authenticator.h \
+@USE_IKEV2_TRUE@sa/ikev2/authenticators/psk_authenticator.c sa/ikev2/authenticators/psk_authenticator.h \
+@USE_IKEV2_TRUE@sa/ikev2/authenticators/pubkey_authenticator.c sa/ikev2/authenticators/pubkey_authenticator.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/child_create.c sa/ikev2/tasks/child_create.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/child_delete.c sa/ikev2/tasks/child_delete.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/child_rekey.c sa/ikev2/tasks/child_rekey.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_auth.c sa/ikev2/tasks/ike_auth.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_cert_pre.c sa/ikev2/tasks/ike_cert_pre.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_cert_post.c sa/ikev2/tasks/ike_cert_post.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_config.c sa/ikev2/tasks/ike_config.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+
+@USE_IKEV1_TRUE@am__append_2 = \
+@USE_IKEV1_TRUE@sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+@USE_IKEV1_TRUE@sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
+@USE_IKEV1_TRUE@sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
+@USE_IKEV1_TRUE@sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
+@USE_IKEV1_TRUE@sa/ikev1/authenticators/hybrid_authenticator.c sa/ikev1/authenticators/hybrid_authenticator.h \
+@USE_IKEV1_TRUE@sa/ikev1/phase1.c sa/ikev1/phase1.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/main_mode.c sa/ikev1/tasks/main_mode.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/aggressive_mode.c sa/ikev1/tasks/aggressive_mode.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/informational.c sa/ikev1/tasks/informational.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/isakmp_cert_pre.c sa/ikev1/tasks/isakmp_cert_pre.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/isakmp_cert_post.c sa/ikev1/tasks/isakmp_cert_post.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/isakmp_natd.c sa/ikev1/tasks/isakmp_natd.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/isakmp_vendor.c sa/ikev1/tasks/isakmp_vendor.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/isakmp_delete.c sa/ikev1/tasks/isakmp_delete.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/isakmp_dpd.c sa/ikev1/tasks/isakmp_dpd.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/xauth.c sa/ikev1/tasks/xauth.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/quick_mode.c sa/ikev1/tasks/quick_mode.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/quick_delete.c sa/ikev1/tasks/quick_delete.h \
+@USE_IKEV1_TRUE@sa/ikev1/tasks/mode_config.c sa/ikev1/tasks/mode_config.h \
+@USE_IKEV1_TRUE@processing/jobs/dpd_timeout_job.c processing/jobs/dpd_timeout_job.h \
+@USE_IKEV1_TRUE@processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
+
 
 # compile options
 #################
-@USE_ME_TRUE@am__append_1 = encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
+@USE_ME_TRUE@am__append_3 = encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
 @USE_ME_TRUE@    processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
 @USE_ME_TRUE@    processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
-@USE_ME_TRUE@    sa/connect_manager.c sa/connect_manager.h \
-@USE_ME_TRUE@    sa/mediation_manager.c sa/mediation_manager.h \
-@USE_ME_TRUE@    sa/tasks/ike_me.c sa/tasks/ike_me.h
-
-@USE_LIBCAP_TRUE@am__append_2 = -lcap
-@USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester
-@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_4 = plugins/load_tester/libstrongswan-load-tester.la
-@USE_SOCKET_DEFAULT_TRUE@am__append_5 = plugins/socket_default
-@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_6 = plugins/socket_default/libstrongswan-socket-default.la
-@USE_SOCKET_RAW_TRUE@am__append_7 = plugins/socket_raw
-@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_8 = plugins/socket_raw/libstrongswan-socket-raw.la
-@USE_SOCKET_DYNAMIC_TRUE@am__append_9 = plugins/socket_dynamic
-@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
-@USE_FARP_TRUE@am__append_11 = plugins/farp
-@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_12 = plugins/farp/libstrongswan-farp.la
-@USE_STROKE_TRUE@am__append_13 = plugins/stroke
-@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_14 = plugins/stroke/libstrongswan-stroke.la
-@USE_SMP_TRUE@am__append_15 = plugins/smp
-@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_16 = plugins/smp/libstrongswan-smp.la
-@USE_SQL_TRUE@am__append_17 = plugins/sql
-@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_18 = plugins/sql/libstrongswan-sql.la
-@USE_UPDOWN_TRUE@am__append_19 = plugins/updown
-@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_20 = plugins/updown/libstrongswan-updown.la
-@USE_EAP_IDENTITY_TRUE@am__append_21 = plugins/eap_identity
-@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_22 = plugins/eap_identity/libstrongswan-eap-identity.la
-@USE_EAP_SIM_TRUE@am__append_23 = plugins/eap_sim
-@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_24 = plugins/eap_sim/libstrongswan-eap-sim.la
-@USE_EAP_SIM_FILE_TRUE@am__append_25 = plugins/eap_sim_file
-@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_26 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIM_PCSC_TRUE@am__append_27 = plugins/eap_sim_pcsc
-@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_28 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_29 = plugins/eap_simaka_sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_30 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_31 = plugins/eap_simaka_pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_32 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_33 = plugins/eap_simaka_reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_34 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_37 = plugins/eap_aka_3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_38 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_39 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_40 = plugins/eap_md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_41 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_42 = plugins/eap_gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_43 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_44 = plugins/eap_mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_45 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_RADIUS_TRUE@am__append_46 = plugins/eap_radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_47 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_EAP_TLS_TRUE@am__append_48 = plugins/eap_tls
-@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_49 = plugins/eap_tls/libstrongswan-eap-tls.la
-@USE_EAP_TTLS_TRUE@am__append_50 = plugins/eap_ttls
-@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_51 = plugins/eap_ttls/libstrongswan-eap-ttls.la
-@USE_EAP_PEAP_TRUE@am__append_52 = plugins/eap_peap
-@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_53 = plugins/eap_peap/libstrongswan-eap-peap.la
-@USE_EAP_TNC_TRUE@am__append_54 = plugins/eap_tnc
-@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_55 = plugins/eap_tnc/libstrongswan-eap-tnc.la
-@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_56 = $(top_builddir)/src/libtls/libtls.la
-@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_57 = $(top_builddir)/src/libradius/libradius.la
-@USE_TNC_IFMAP_TRUE@am__append_58 = plugins/tnc_ifmap
-@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_59 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
-@USE_TNC_PDP_TRUE@am__append_60 = plugins/tnc_pdp
-@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_61 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
-@USE_TNC_IMC_TRUE@am__append_62 = plugins/tnc_imc
-@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_63 = plugins/tnc_imc/libstrongswan-tnc-imc.la
-@USE_TNC_IMV_TRUE@am__append_64 = plugins/tnc_imv
-@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_65 = plugins/tnc_imv/libstrongswan-tnc-imv.la
-@USE_TNC_TNCCS_TRUE@am__append_66 = plugins/tnc_tnccs
-@MONOLITHIC_TRUE@@USE_TNC_TNCCS_TRUE@am__append_67 = plugins/tnc_tnccs/libstrongswan-tnc-tnccs.la
-@USE_TNCCS_11_TRUE@am__append_68 = plugins/tnccs_11
-@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_69 = plugins/tnccs_11/libstrongswan-tnccs-11.la
-@USE_TNCCS_20_TRUE@am__append_70 = plugins/tnccs_20
-@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_71 = plugins/tnccs_20/libstrongswan-tnccs-20.la
-@USE_TNCCS_DYNAMIC_TRUE@am__append_72 = plugins/tnccs_dynamic
-@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_73 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
-@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_74 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_MEDSRV_TRUE@am__append_75 = plugins/medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_77 = plugins/medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_78 = plugins/medcli/libstrongswan-medcli.la
-@USE_NM_TRUE@am__append_79 = plugins/nm
-@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_80 = plugins/nm/libstrongswan-nm.la
-@USE_DHCP_TRUE@am__append_81 = plugins/dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_82 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_ANDROID_TRUE@am__append_83 = plugins/android
-@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_84 = plugins/android/libstrongswan-android.la
-@USE_MAEMO_TRUE@am__append_85 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_86 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_87 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_88 = plugins/ha/libstrongswan-ha.la
-@USE_WHITELIST_TRUE@am__append_89 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_90 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_CERTEXPIRE_TRUE@am__append_91 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_92 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_LED_TRUE@am__append_93 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_94 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_95 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_96 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_97 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_98 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_99 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_100 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_101 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_102 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_103 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_104 = plugins/uci/libstrongswan-addrblock.la
-@USE_UNIT_TESTS_TRUE@am__append_105 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_106 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_ME_TRUE@    sa/ikev2/connect_manager.c sa/ikev2/connect_manager.h \
+@USE_ME_TRUE@    sa/ikev2/mediation_manager.c sa/ikev2/mediation_manager.h \
+@USE_ME_TRUE@    sa/ikev2/tasks/ike_me.c sa/ikev2/tasks/ike_me.h
+
+@USE_LOAD_TESTER_TRUE@am__append_4 = plugins/load_tester
+@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la
+@USE_SOCKET_DEFAULT_TRUE@am__append_6 = plugins/socket_default
+@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_7 = plugins/socket_default/libstrongswan-socket-default.la
+@USE_SOCKET_DYNAMIC_TRUE@am__append_8 = plugins/socket_dynamic
+@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_9 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
+@USE_FARP_TRUE@am__append_10 = plugins/farp
+@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_11 = plugins/farp/libstrongswan-farp.la
+@USE_STROKE_TRUE@am__append_12 = plugins/stroke
+@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_13 = plugins/stroke/libstrongswan-stroke.la
+@USE_SMP_TRUE@am__append_14 = plugins/smp
+@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_15 = plugins/smp/libstrongswan-smp.la
+@USE_SQL_TRUE@am__append_16 = plugins/sql
+@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_17 = plugins/sql/libstrongswan-sql.la
+@USE_IPSECKEY_TRUE@am__append_18 = plugins/ipseckey
+@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_19 = plugins/ipseckey/libstrongswan-ipseckey.la
+@USE_UPDOWN_TRUE@am__append_20 = plugins/updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_21 = plugins/updown/libstrongswan-updown.la
+@USE_EAP_IDENTITY_TRUE@am__append_22 = plugins/eap_identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_23 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_24 = plugins/eap_sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_25 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_26 = plugins/eap_sim_file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_27 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIM_PCSC_TRUE@am__append_28 = plugins/eap_sim_pcsc
+@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_29 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_30 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_31 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_32 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_33 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_34 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_35 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_37 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_38 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_39 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_40 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_41 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_42 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_43 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_44 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_45 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_46 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_DYNAMIC_TRUE@am__append_47 = plugins/eap_dynamic
+@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_48 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+@USE_EAP_RADIUS_TRUE@am__append_49 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_50 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_51 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_52 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_53 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_54 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_PEAP_TRUE@am__append_55 = plugins/eap_peap
+@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_56 = plugins/eap_peap/libstrongswan-eap-peap.la
+@USE_EAP_TNC_TRUE@am__append_57 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_58 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_59 = $(top_builddir)/src/libtls/libtls.la
+@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_60 = $(top_builddir)/src/libradius/libradius.la
+@USE_TNC_IFMAP_TRUE@am__append_61 = plugins/tnc_ifmap
+@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_62 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+@USE_TNC_PDP_TRUE@am__append_63 = plugins/tnc_pdp
+@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_64 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+@USE_TNC_IMC_TRUE@am__append_65 = plugins/tnc_imc
+@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_66 = plugins/tnc_imc/libstrongswan-tnc-imc.la
+@USE_TNC_IMV_TRUE@am__append_67 = plugins/tnc_imv
+@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_68 = plugins/tnc_imv/libstrongswan-tnc-imv.la
+@USE_TNC_TNCCS_TRUE@am__append_69 = plugins/tnc_tnccs
+@MONOLITHIC_TRUE@@USE_TNC_TNCCS_TRUE@am__append_70 = plugins/tnc_tnccs/libstrongswan-tnc-tnccs.la
+@USE_TNCCS_11_TRUE@am__append_71 = plugins/tnccs_11
+@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_72 = plugins/tnccs_11/libstrongswan-tnccs-11.la
+@USE_TNCCS_20_TRUE@am__append_73 = plugins/tnccs_20
+@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_74 = plugins/tnccs_20/libstrongswan-tnccs-20.la
+@USE_TNCCS_DYNAMIC_TRUE@am__append_75 = plugins/tnccs_dynamic
+@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_76 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la
+@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_77 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_MEDSRV_TRUE@am__append_78 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_80 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_81 = plugins/medcli/libstrongswan-medcli.la
+@USE_DHCP_TRUE@am__append_82 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_83 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_OSX_ATTR_TRUE@am__append_84 = plugins/osx_attr
+@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_85 = plugins/osx_attr/libstrongswan-osx-attr.la
+@USE_ANDROID_DNS_TRUE@am__append_86 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_87 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_88 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_89 = plugins/android_log/libstrongswan-android-log.la
+@USE_MAEMO_TRUE@am__append_90 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_91 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_92 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_93 = plugins/ha/libstrongswan-ha.la
+@USE_KERNEL_LIBIPSEC_TRUE@am__append_94 = plugins/kernel_libipsec
+@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_95 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+@USE_WHITELIST_TRUE@am__append_96 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_97 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_98 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_99 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_100 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_101 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_102 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_103 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_104 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_105 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_106 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_107 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_108 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_109 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_110 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_111 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_112 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_113 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_114 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_115 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_116 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_117 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_118 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_119 = plugins/unity/libstrongswan-unity.la
+@USE_UNIT_TESTS_TRUE@am__append_120 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_121 = plugins/unit_tester/libstrongswan-unit-tester.la
+@USE_XAUTH_GENERIC_TRUE@am__append_122 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_123 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_124 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_125 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_126 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_127 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_128 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_129 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -160,10 +244,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -187,41 +272,51 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__append_4) $(am__append_6) \
-	$(am__append_8) $(am__append_10) $(am__append_12) \
-	$(am__append_14) $(am__append_16) $(am__append_18) \
-	$(am__append_20) $(am__append_22) $(am__append_24) \
-	$(am__append_26) $(am__append_28) $(am__append_30) \
-	$(am__append_32) $(am__append_34) $(am__append_36) \
-	$(am__append_38) $(am__append_39) $(am__append_41) \
-	$(am__append_43) $(am__append_45) $(am__append_47) \
-	$(am__append_49) $(am__append_51) $(am__append_53) \
-	$(am__append_55) $(am__append_56) $(am__append_57) \
-	$(am__append_59) $(am__append_61) $(am__append_63) \
-	$(am__append_65) $(am__append_67) $(am__append_69) \
-	$(am__append_71) $(am__append_73) $(am__append_74) \
-	$(am__append_76) $(am__append_78) $(am__append_80) \
-	$(am__append_82) $(am__append_84) $(am__append_86) \
-	$(am__append_88) $(am__append_90) $(am__append_92) \
-	$(am__append_94) $(am__append_96) $(am__append_98) \
-	$(am__append_100) $(am__append_102) $(am__append_104) \
-	$(am__append_106)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_5) \
+	$(am__append_7) $(am__append_9) $(am__append_11) \
+	$(am__append_13) $(am__append_15) $(am__append_17) \
+	$(am__append_19) $(am__append_21) $(am__append_23) \
+	$(am__append_25) $(am__append_27) $(am__append_29) \
+	$(am__append_31) $(am__append_33) $(am__append_35) \
+	$(am__append_37) $(am__append_39) $(am__append_40) \
+	$(am__append_42) $(am__append_44) $(am__append_46) \
+	$(am__append_48) $(am__append_50) $(am__append_52) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_59) $(am__append_60) $(am__append_62) \
+	$(am__append_64) $(am__append_66) $(am__append_68) \
+	$(am__append_70) $(am__append_72) $(am__append_74) \
+	$(am__append_76) $(am__append_77) $(am__append_79) \
+	$(am__append_81) $(am__append_83) $(am__append_85) \
+	$(am__append_87) $(am__append_89) $(am__append_91) \
+	$(am__append_93) $(am__append_95) $(am__append_97) \
+	$(am__append_99) $(am__append_101) $(am__append_103) \
+	$(am__append_105) $(am__append_107) $(am__append_109) \
+	$(am__append_111) $(am__append_113) $(am__append_115) \
+	$(am__append_117) $(am__append_119) $(am__append_121) \
+	$(am__append_123) $(am__append_125) $(am__append_127) \
+	$(am__append_129)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
-	bus/listeners/listener.h bus/listeners/file_logger.c \
-	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
-	bus/listeners/sys_logger.h config/backend_manager.c \
-	config/backend_manager.h config/backend.h config/child_cfg.c \
-	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
-	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
-	config/proposal.h control/controller.c control/controller.h \
-	daemon.c daemon.h encoding/generator.c encoding/generator.h \
-	encoding/message.c encoding/message.h encoding/parser.c \
-	encoding/parser.h encoding/payloads/auth_payload.c \
+	bus/listeners/listener.h bus/listeners/logger.h \
+	bus/listeners/file_logger.c bus/listeners/file_logger.h \
+	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+	config/backend_manager.c config/backend_manager.h \
+	config/backend.h config/child_cfg.c config/child_cfg.h \
+	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
+	config/peer_cfg.h config/proposal.c config/proposal.h \
+	control/controller.c control/controller.h daemon.c daemon.h \
+	encoding/generator.c encoding/generator.h encoding/message.c \
+	encoding/message.h encoding/parser.c encoding/parser.h \
+	encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -258,12 +353,16 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	encoding/payloads/unknown_payload.c \
 	encoding/payloads/unknown_payload.h \
 	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \
+	encoding/payloads/vendor_id_payload.h \
+	encoding/payloads/hash_payload.c \
+	encoding/payloads/hash_payload.h \
+	encoding/payloads/fragment_payload.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
-	network/sender.c network/sender.h network/packet.c \
-	network/packet.h network/socket.c network/socket.h \
-	network/socket_manager.c network/socket_manager.h \
-	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+	network/sender.c network/sender.h network/socket.c \
+	network/socket.h network/socket_manager.c \
+	network/socket_manager.h processing/jobs/acquire_job.c \
+	processing/jobs/acquire_job.h \
 	processing/jobs/delete_child_sa_job.c \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
@@ -277,6 +376,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/rekey_ike_sa_job.h \
 	processing/jobs/retransmit_job.c \
 	processing/jobs/retransmit_job.h \
+	processing/jobs/retry_initiate_job.c \
+	processing/jobs/retry_initiate_job.h \
 	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 	processing/jobs/send_keepalive_job.c \
 	processing/jobs/send_keepalive_job.h \
@@ -285,47 +386,98 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h \
-	sa/authenticators/authenticator.c \
-	sa/authenticators/authenticator.h \
-	sa/authenticators/eap_authenticator.c \
-	sa/authenticators/eap_authenticator.h \
-	sa/authenticators/eap/eap_method.c \
-	sa/authenticators/eap/eap_method.h \
-	sa/authenticators/eap/eap_manager.c \
-	sa/authenticators/eap/eap_manager.h \
-	sa/authenticators/psk_authenticator.c \
-	sa/authenticators/psk_authenticator.h \
-	sa/authenticators/pubkey_authenticator.c \
-	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
+	processing/jobs/inactivity_job.h sa/eap/eap_method.c \
+	sa/eap/eap_method.h sa/eap/eap_inner_method.h \
+	sa/eap/eap_manager.c sa/eap/eap_manager.h \
+	sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
+	sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
+	sa/authenticator.c sa/authenticator.h sa/child_sa.c \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
-	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
+	sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \
+	sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
-	sa/trap_manager.h sa/tasks/child_create.c \
-	sa/tasks/child_create.h sa/tasks/child_delete.c \
-	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
-	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-	sa/tasks/ike_config.c sa/tasks/ike_config.h \
-	sa/tasks/ike_delete.c sa/tasks/ike_delete.h sa/tasks/ike_dpd.c \
-	sa/tasks/ike_dpd.h sa/tasks/ike_init.c sa/tasks/ike_init.h \
-	sa/tasks/ike_natd.c sa/tasks/ike_natd.h sa/tasks/ike_mobike.c \
-	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
-	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
-	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
-	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
-	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
+	sa/trap_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \
+	sa/ikev2/keymat_v2.h sa/ikev2/task_manager_v2.c \
+	sa/ikev2/task_manager_v2.h \
+	sa/ikev2/authenticators/eap_authenticator.c \
+	sa/ikev2/authenticators/eap_authenticator.h \
+	sa/ikev2/authenticators/psk_authenticator.c \
+	sa/ikev2/authenticators/psk_authenticator.h \
+	sa/ikev2/authenticators/pubkey_authenticator.c \
+	sa/ikev2/authenticators/pubkey_authenticator.h \
+	sa/ikev2/tasks/child_create.c sa/ikev2/tasks/child_create.h \
+	sa/ikev2/tasks/child_delete.c sa/ikev2/tasks/child_delete.h \
+	sa/ikev2/tasks/child_rekey.c sa/ikev2/tasks/child_rekey.h \
+	sa/ikev2/tasks/ike_auth.c sa/ikev2/tasks/ike_auth.h \
+	sa/ikev2/tasks/ike_cert_pre.c sa/ikev2/tasks/ike_cert_pre.h \
+	sa/ikev2/tasks/ike_cert_post.c sa/ikev2/tasks/ike_cert_post.h \
+	sa/ikev2/tasks/ike_config.c sa/ikev2/tasks/ike_config.h \
+	sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
+	sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
+	sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
+	sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+	sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
+	sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
+	sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+	sa/ikev2/tasks/ike_auth_lifetime.c \
+	sa/ikev2/tasks/ike_auth_lifetime.h sa/ikev2/tasks/ike_vendor.c \
+	sa/ikev2/tasks/ike_vendor.h sa/ikev1/keymat_v1.c \
+	sa/ikev1/keymat_v1.h sa/ikev1/task_manager_v1.c \
+	sa/ikev1/task_manager_v1.h \
+	sa/ikev1/authenticators/psk_v1_authenticator.c \
+	sa/ikev1/authenticators/psk_v1_authenticator.h \
+	sa/ikev1/authenticators/pubkey_v1_authenticator.c \
+	sa/ikev1/authenticators/pubkey_v1_authenticator.h \
+	sa/ikev1/authenticators/hybrid_authenticator.c \
+	sa/ikev1/authenticators/hybrid_authenticator.h \
+	sa/ikev1/phase1.c sa/ikev1/phase1.h sa/ikev1/tasks/main_mode.c \
+	sa/ikev1/tasks/main_mode.h sa/ikev1/tasks/aggressive_mode.c \
+	sa/ikev1/tasks/aggressive_mode.h \
+	sa/ikev1/tasks/informational.c sa/ikev1/tasks/informational.h \
+	sa/ikev1/tasks/isakmp_cert_pre.c \
+	sa/ikev1/tasks/isakmp_cert_pre.h \
+	sa/ikev1/tasks/isakmp_cert_post.c \
+	sa/ikev1/tasks/isakmp_cert_post.h sa/ikev1/tasks/isakmp_natd.c \
+	sa/ikev1/tasks/isakmp_natd.h sa/ikev1/tasks/isakmp_vendor.c \
+	sa/ikev1/tasks/isakmp_vendor.h sa/ikev1/tasks/isakmp_delete.c \
+	sa/ikev1/tasks/isakmp_delete.h sa/ikev1/tasks/isakmp_dpd.c \
+	sa/ikev1/tasks/isakmp_dpd.h sa/ikev1/tasks/xauth.c \
+	sa/ikev1/tasks/xauth.h sa/ikev1/tasks/quick_mode.c \
+	sa/ikev1/tasks/quick_mode.h sa/ikev1/tasks/quick_delete.c \
+	sa/ikev1/tasks/quick_delete.h sa/ikev1/tasks/mode_config.c \
+	sa/ikev1/tasks/mode_config.h processing/jobs/dpd_timeout_job.c \
+	processing/jobs/dpd_timeout_job.h \
+	processing/jobs/adopt_children_job.c \
+	processing/jobs/adopt_children_job.h \
 	encoding/payloads/endpoint_notify.c \
 	encoding/payloads/endpoint_notify.h \
 	processing/jobs/initiate_mediation_job.c \
 	processing/jobs/initiate_mediation_job.h \
 	processing/jobs/mediation_job.c \
-	processing/jobs/mediation_job.h sa/connect_manager.c \
-	sa/connect_manager.h sa/mediation_manager.c \
-	sa/mediation_manager.h sa/tasks/ike_me.c sa/tasks/ike_me.h
-@USE_ME_TRUE@am__objects_1 = endpoint_notify.lo \
+	processing/jobs/mediation_job.h sa/ikev2/connect_manager.c \
+	sa/ikev2/connect_manager.h sa/ikev2/mediation_manager.c \
+	sa/ikev2/mediation_manager.h sa/ikev2/tasks/ike_me.c \
+	sa/ikev2/tasks/ike_me.h
+@USE_IKEV2_TRUE@am__objects_1 = keymat_v2.lo task_manager_v2.lo \
+@USE_IKEV2_TRUE@	eap_authenticator.lo psk_authenticator.lo \
+@USE_IKEV2_TRUE@	pubkey_authenticator.lo child_create.lo \
+@USE_IKEV2_TRUE@	child_delete.lo child_rekey.lo ike_auth.lo \
+@USE_IKEV2_TRUE@	ike_cert_pre.lo ike_cert_post.lo ike_config.lo \
+@USE_IKEV2_TRUE@	ike_delete.lo ike_dpd.lo ike_init.lo \
+@USE_IKEV2_TRUE@	ike_natd.lo ike_mobike.lo ike_rekey.lo \
+@USE_IKEV2_TRUE@	ike_reauth.lo ike_auth_lifetime.lo \
+@USE_IKEV2_TRUE@	ike_vendor.lo
+@USE_IKEV1_TRUE@am__objects_2 = keymat_v1.lo task_manager_v1.lo \
+@USE_IKEV1_TRUE@	psk_v1_authenticator.lo \
+@USE_IKEV1_TRUE@	pubkey_v1_authenticator.lo \
+@USE_IKEV1_TRUE@	hybrid_authenticator.lo phase1.lo main_mode.lo \
+@USE_IKEV1_TRUE@	aggressive_mode.lo informational.lo \
+@USE_IKEV1_TRUE@	isakmp_cert_pre.lo isakmp_cert_post.lo \
+@USE_IKEV1_TRUE@	isakmp_natd.lo isakmp_vendor.lo \
+@USE_IKEV1_TRUE@	isakmp_delete.lo isakmp_dpd.lo xauth.lo \
+@USE_IKEV1_TRUE@	quick_mode.lo quick_delete.lo mode_config.lo \
+@USE_IKEV1_TRUE@	dpd_timeout_job.lo adopt_children_job.lo
+@USE_ME_TRUE@am__objects_3 = endpoint_notify.lo \
 @USE_ME_TRUE@	initiate_mediation_job.lo mediation_job.lo \
 @USE_ME_TRUE@	connect_manager.lo mediation_manager.lo ike_me.lo
 am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
@@ -338,36 +490,49 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
 	notify_payload.lo payload.lo proposal_substructure.lo \
 	sa_payload.lo traffic_selector_substructure.lo \
 	transform_attribute.lo transform_substructure.lo ts_payload.lo \
-	unknown_payload.lo vendor_id_payload.lo kernel_handler.lo \
-	receiver.lo sender.lo packet.lo socket.lo socket_manager.lo \
-	acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \
-	migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \
-	rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \
-	send_keepalive_job.lo start_action_job.lo roam_job.lo \
-	update_sa_job.lo inactivity_job.lo authenticator.lo \
-	eap_authenticator.lo eap_method.lo eap_manager.lo \
-	psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \
-	ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \
-	keymat.lo shunt_manager.lo trap_manager.lo child_create.lo \
-	child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \
-	ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \
-	ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \
-	ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \
-	$(am__objects_1)
+	unknown_payload.lo vendor_id_payload.lo hash_payload.lo \
+	fragment_payload.lo kernel_handler.lo receiver.lo sender.lo \
+	socket.lo socket_manager.lo acquire_job.lo \
+	delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \
+	process_message_job.lo rekey_child_sa_job.lo \
+	rekey_ike_sa_job.lo retransmit_job.lo retry_initiate_job.lo \
+	send_dpd_job.lo send_keepalive_job.lo start_action_job.lo \
+	roam_job.lo update_sa_job.lo inactivity_job.lo eap_method.lo \
+	eap_manager.lo xauth_method.lo xauth_manager.lo \
+	authenticator.lo child_sa.lo ike_sa.lo ike_sa_id.lo keymat.lo \
+	ike_sa_manager.lo task_manager.lo shunt_manager.lo \
+	trap_manager.lo task.lo $(am__objects_1) $(am__objects_2) \
+	$(am__objects_3)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libcharon_la_SOURCES)
 DIST_SOURCES = $(am__libcharon_la_SOURCES_DIST)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -377,6 +542,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -385,22 +555,26 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
-	plugins/socket_raw plugins/socket_dynamic plugins/farp \
-	plugins/stroke plugins/smp plugins/sql plugins/updown \
+	plugins/socket_dynamic plugins/farp plugins/stroke plugins/smp \
+	plugins/sql plugins/ipseckey plugins/updown \
 	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
 	plugins/eap_sim_pcsc plugins/eap_simaka_sql \
 	plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \
 	plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \
-	plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_radius \
-	plugins/eap_tls plugins/eap_ttls plugins/eap_peap \
-	plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \
-	plugins/tnc_imc plugins/tnc_imv plugins/tnc_tnccs \
-	plugins/tnccs_11 plugins/tnccs_20 plugins/tnccs_dynamic \
-	plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \
-	plugins/android plugins/maemo plugins/ha plugins/whitelist \
-	plugins/certexpire plugins/led plugins/duplicheck \
-	plugins/coupling plugins/radattr plugins/uci plugins/addrblock \
-	plugins/unit_tester
+	plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_dynamic \
+	plugins/eap_radius plugins/eap_tls plugins/eap_ttls \
+	plugins/eap_peap plugins/eap_tnc plugins/tnc_ifmap \
+	plugins/tnc_pdp plugins/tnc_imc plugins/tnc_imv \
+	plugins/tnc_tnccs plugins/tnccs_11 plugins/tnccs_20 \
+	plugins/tnccs_dynamic plugins/medsrv plugins/medcli \
+	plugins/dhcp plugins/osx_attr plugins/android_dns \
+	plugins/android_log plugins/maemo plugins/ha \
+	plugins/kernel_libipsec plugins/whitelist plugins/lookip \
+	plugins/error_notify plugins/certexpire plugins/systime_fix \
+	plugins/led plugins/duplicheck plugins/coupling \
+	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
+	plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
+	plugins/xauth_pam plugins/xauth_noauth
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -430,21 +604,28 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -453,13 +634,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -472,6 +656,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -499,11 +684,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -511,6 +698,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -519,8 +707,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -529,14 +715,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -550,17 +741,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -570,16 +761,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -609,16 +799,16 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 ipseclib_LTLIBRARIES = libcharon.la
 libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
-	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
-	config/backend_manager.c config/backend_manager.h \
-	config/backend.h config/child_cfg.c config/child_cfg.h \
-	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
-	config/peer_cfg.h config/proposal.c config/proposal.h \
-	control/controller.c control/controller.h daemon.c daemon.h \
-	encoding/generator.c encoding/generator.h encoding/message.c \
-	encoding/message.h encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
+	bus/listeners/logger.h bus/listeners/file_logger.c \
+	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
+	bus/listeners/sys_logger.h config/backend_manager.c \
+	config/backend_manager.h config/backend.h config/child_cfg.c \
+	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
+	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
+	config/proposal.h control/controller.c control/controller.h \
+	daemon.c daemon.h encoding/generator.c encoding/generator.h \
+	encoding/message.c encoding/message.h encoding/parser.c \
+	encoding/parser.h encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -655,12 +845,16 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	encoding/payloads/unknown_payload.c \
 	encoding/payloads/unknown_payload.h \
 	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \
+	encoding/payloads/vendor_id_payload.h \
+	encoding/payloads/hash_payload.c \
+	encoding/payloads/hash_payload.h \
+	encoding/payloads/fragment_payload.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
-	network/sender.c network/sender.h network/packet.c \
-	network/packet.h network/socket.c network/socket.h \
-	network/socket_manager.c network/socket_manager.h \
-	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+	network/sender.c network/sender.h network/socket.c \
+	network/socket.h network/socket_manager.c \
+	network/socket_manager.h processing/jobs/acquire_job.c \
+	processing/jobs/acquire_job.h \
 	processing/jobs/delete_child_sa_job.c \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
@@ -674,6 +868,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/rekey_ike_sa_job.h \
 	processing/jobs/retransmit_job.c \
 	processing/jobs/retransmit_job.h \
+	processing/jobs/retry_initiate_job.c \
+	processing/jobs/retry_initiate_job.h \
 	processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 	processing/jobs/send_keepalive_job.c \
 	processing/jobs/send_keepalive_job.h \
@@ -682,124 +878,115 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h \
-	sa/authenticators/authenticator.c \
-	sa/authenticators/authenticator.h \
-	sa/authenticators/eap_authenticator.c \
-	sa/authenticators/eap_authenticator.h \
-	sa/authenticators/eap/eap_method.c \
-	sa/authenticators/eap/eap_method.h \
-	sa/authenticators/eap/eap_manager.c \
-	sa/authenticators/eap/eap_manager.h \
-	sa/authenticators/psk_authenticator.c \
-	sa/authenticators/psk_authenticator.h \
-	sa/authenticators/pubkey_authenticator.c \
-	sa/authenticators/pubkey_authenticator.h sa/child_sa.c \
+	processing/jobs/inactivity_job.h sa/eap/eap_method.c \
+	sa/eap/eap_method.h sa/eap/eap_inner_method.h \
+	sa/eap/eap_manager.c sa/eap/eap_manager.h \
+	sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
+	sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
+	sa/authenticator.c sa/authenticator.h sa/child_sa.c \
 	sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
-	sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-	sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
+	sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \
+	sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
-	sa/trap_manager.h sa/tasks/child_create.c \
-	sa/tasks/child_create.h sa/tasks/child_delete.c \
-	sa/tasks/child_delete.h sa/tasks/child_rekey.c \
-	sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-	sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-	sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-	sa/tasks/ike_config.c sa/tasks/ike_config.h \
-	sa/tasks/ike_delete.c sa/tasks/ike_delete.h sa/tasks/ike_dpd.c \
-	sa/tasks/ike_dpd.h sa/tasks/ike_init.c sa/tasks/ike_init.h \
-	sa/tasks/ike_natd.c sa/tasks/ike_natd.h sa/tasks/ike_mobike.c \
-	sa/tasks/ike_mobike.h sa/tasks/ike_rekey.c \
-	sa/tasks/ike_rekey.h sa/tasks/ike_reauth.c \
-	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
-	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
-	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	$(am__append_1)
-INCLUDES = \
+	sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \
+	$(am__append_2) $(am__append_3)
+AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\" \
-	-DPLUGINS=\""${libcharon_plugins}\""
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
-	$(am__append_2) $(am__append_4) $(am__append_6) \
-	$(am__append_8) $(am__append_10) $(am__append_12) \
-	$(am__append_14) $(am__append_16) $(am__append_18) \
-	$(am__append_20) $(am__append_22) $(am__append_24) \
-	$(am__append_26) $(am__append_28) $(am__append_30) \
-	$(am__append_32) $(am__append_34) $(am__append_36) \
-	$(am__append_38) $(am__append_39) $(am__append_41) \
-	$(am__append_43) $(am__append_45) $(am__append_47) \
-	$(am__append_49) $(am__append_51) $(am__append_53) \
-	$(am__append_55) $(am__append_56) $(am__append_57) \
-	$(am__append_59) $(am__append_61) $(am__append_63) \
-	$(am__append_65) $(am__append_67) $(am__append_69) \
-	$(am__append_71) $(am__append_73) $(am__append_74) \
-	$(am__append_76) $(am__append_78) $(am__append_80) \
-	$(am__append_82) $(am__append_84) $(am__append_86) \
-	$(am__append_88) $(am__append_90) $(am__append_92) \
-	$(am__append_94) $(am__append_96) $(am__append_98) \
-	$(am__append_100) $(am__append_102) $(am__append_104) \
-	$(am__append_106)
+	$(am__append_5) $(am__append_7) $(am__append_9) \
+	$(am__append_11) $(am__append_13) $(am__append_15) \
+	$(am__append_17) $(am__append_19) $(am__append_21) \
+	$(am__append_23) $(am__append_25) $(am__append_27) \
+	$(am__append_29) $(am__append_31) $(am__append_33) \
+	$(am__append_35) $(am__append_37) $(am__append_39) \
+	$(am__append_40) $(am__append_42) $(am__append_44) \
+	$(am__append_46) $(am__append_48) $(am__append_50) \
+	$(am__append_52) $(am__append_54) $(am__append_56) \
+	$(am__append_58) $(am__append_59) $(am__append_60) \
+	$(am__append_62) $(am__append_64) $(am__append_66) \
+	$(am__append_68) $(am__append_70) $(am__append_72) \
+	$(am__append_74) $(am__append_76) $(am__append_77) \
+	$(am__append_79) $(am__append_81) $(am__append_83) \
+	$(am__append_85) $(am__append_87) $(am__append_89) \
+	$(am__append_91) $(am__append_93) $(am__append_95) \
+	$(am__append_97) $(am__append_99) $(am__append_101) \
+	$(am__append_103) $(am__append_105) $(am__append_107) \
+	$(am__append_109) $(am__append_111) $(am__append_113) \
+	$(am__append_115) $(am__append_117) $(am__append_119) \
+	$(am__append_121) $(am__append_123) $(am__append_125) \
+	$(am__append_127) $(am__append_129)
 EXTRA_DIST = Android.mk
-@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \
-@MONOLITHIC_FALSE@	$(am__append_7) $(am__append_9) \
-@MONOLITHIC_FALSE@	$(am__append_11) $(am__append_13) \
-@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_17) \
-@MONOLITHIC_FALSE@	$(am__append_19) $(am__append_21) \
-@MONOLITHIC_FALSE@	$(am__append_23) $(am__append_25) \
-@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_29) \
-@MONOLITHIC_FALSE@	$(am__append_31) $(am__append_33) \
-@MONOLITHIC_FALSE@	$(am__append_35) $(am__append_37) \
-@MONOLITHIC_FALSE@	$(am__append_40) $(am__append_42) \
-@MONOLITHIC_FALSE@	$(am__append_44) $(am__append_46) \
-@MONOLITHIC_FALSE@	$(am__append_48) $(am__append_50) \
-@MONOLITHIC_FALSE@	$(am__append_52) $(am__append_54) \
-@MONOLITHIC_FALSE@	$(am__append_58) $(am__append_60) \
-@MONOLITHIC_FALSE@	$(am__append_62) $(am__append_64) \
-@MONOLITHIC_FALSE@	$(am__append_66) $(am__append_68) \
-@MONOLITHIC_FALSE@	$(am__append_70) $(am__append_72) \
-@MONOLITHIC_FALSE@	$(am__append_75) $(am__append_77) \
-@MONOLITHIC_FALSE@	$(am__append_79) $(am__append_81) \
-@MONOLITHIC_FALSE@	$(am__append_83) $(am__append_85) \
-@MONOLITHIC_FALSE@	$(am__append_87) $(am__append_89) \
-@MONOLITHIC_FALSE@	$(am__append_91) $(am__append_93) \
-@MONOLITHIC_FALSE@	$(am__append_95) $(am__append_97) \
-@MONOLITHIC_FALSE@	$(am__append_99) $(am__append_101) \
-@MONOLITHIC_FALSE@	$(am__append_103) $(am__append_105)
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_4) $(am__append_6) \
+@MONOLITHIC_FALSE@	$(am__append_8) $(am__append_10) \
+@MONOLITHIC_FALSE@	$(am__append_12) $(am__append_14) \
+@MONOLITHIC_FALSE@	$(am__append_16) $(am__append_18) \
+@MONOLITHIC_FALSE@	$(am__append_20) $(am__append_22) \
+@MONOLITHIC_FALSE@	$(am__append_24) $(am__append_26) \
+@MONOLITHIC_FALSE@	$(am__append_28) $(am__append_30) \
+@MONOLITHIC_FALSE@	$(am__append_32) $(am__append_34) \
+@MONOLITHIC_FALSE@	$(am__append_36) $(am__append_38) \
+@MONOLITHIC_FALSE@	$(am__append_41) $(am__append_43) \
+@MONOLITHIC_FALSE@	$(am__append_45) $(am__append_47) \
+@MONOLITHIC_FALSE@	$(am__append_49) $(am__append_51) \
+@MONOLITHIC_FALSE@	$(am__append_53) $(am__append_55) \
+@MONOLITHIC_FALSE@	$(am__append_57) $(am__append_61) \
+@MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
+@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69) \
+@MONOLITHIC_FALSE@	$(am__append_71) $(am__append_73) \
+@MONOLITHIC_FALSE@	$(am__append_75) $(am__append_78) \
+@MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82) \
+@MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86) \
+@MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
+@MONOLITHIC_FALSE@	$(am__append_92) $(am__append_94) \
+@MONOLITHIC_FALSE@	$(am__append_96) $(am__append_98) \
+@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_102) \
+@MONOLITHIC_FALSE@	$(am__append_104) $(am__append_106) \
+@MONOLITHIC_FALSE@	$(am__append_108) $(am__append_110) \
+@MONOLITHIC_FALSE@	$(am__append_112) $(am__append_114) \
+@MONOLITHIC_FALSE@	$(am__append_116) $(am__append_118) \
+@MONOLITHIC_FALSE@	$(am__append_120) $(am__append_122) \
+@MONOLITHIC_FALSE@	$(am__append_124) $(am__append_126) \
+@MONOLITHIC_FALSE@	$(am__append_128)
 
 # build optional plugins
 ########################
-@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_5) \
-@MONOLITHIC_TRUE@	$(am__append_7) $(am__append_9) \
-@MONOLITHIC_TRUE@	$(am__append_11) $(am__append_13) \
-@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_17) \
-@MONOLITHIC_TRUE@	$(am__append_19) $(am__append_21) \
-@MONOLITHIC_TRUE@	$(am__append_23) $(am__append_25) \
-@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_29) \
-@MONOLITHIC_TRUE@	$(am__append_31) $(am__append_33) \
-@MONOLITHIC_TRUE@	$(am__append_35) $(am__append_37) \
-@MONOLITHIC_TRUE@	$(am__append_40) $(am__append_42) \
-@MONOLITHIC_TRUE@	$(am__append_44) $(am__append_46) \
-@MONOLITHIC_TRUE@	$(am__append_48) $(am__append_50) \
-@MONOLITHIC_TRUE@	$(am__append_52) $(am__append_54) \
-@MONOLITHIC_TRUE@	$(am__append_58) $(am__append_60) \
-@MONOLITHIC_TRUE@	$(am__append_62) $(am__append_64) \
-@MONOLITHIC_TRUE@	$(am__append_66) $(am__append_68) \
-@MONOLITHIC_TRUE@	$(am__append_70) $(am__append_72) \
-@MONOLITHIC_TRUE@	$(am__append_75) $(am__append_77) \
-@MONOLITHIC_TRUE@	$(am__append_79) $(am__append_81) \
-@MONOLITHIC_TRUE@	$(am__append_83) $(am__append_85) \
-@MONOLITHIC_TRUE@	$(am__append_87) $(am__append_89) \
-@MONOLITHIC_TRUE@	$(am__append_91) $(am__append_93) \
-@MONOLITHIC_TRUE@	$(am__append_95) $(am__append_97) \
-@MONOLITHIC_TRUE@	$(am__append_99) $(am__append_101) \
-@MONOLITHIC_TRUE@	$(am__append_103) $(am__append_105)
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_4) $(am__append_6) \
+@MONOLITHIC_TRUE@	$(am__append_8) $(am__append_10) \
+@MONOLITHIC_TRUE@	$(am__append_12) $(am__append_14) \
+@MONOLITHIC_TRUE@	$(am__append_16) $(am__append_18) \
+@MONOLITHIC_TRUE@	$(am__append_20) $(am__append_22) \
+@MONOLITHIC_TRUE@	$(am__append_24) $(am__append_26) \
+@MONOLITHIC_TRUE@	$(am__append_28) $(am__append_30) \
+@MONOLITHIC_TRUE@	$(am__append_32) $(am__append_34) \
+@MONOLITHIC_TRUE@	$(am__append_36) $(am__append_38) \
+@MONOLITHIC_TRUE@	$(am__append_41) $(am__append_43) \
+@MONOLITHIC_TRUE@	$(am__append_45) $(am__append_47) \
+@MONOLITHIC_TRUE@	$(am__append_49) $(am__append_51) \
+@MONOLITHIC_TRUE@	$(am__append_53) $(am__append_55) \
+@MONOLITHIC_TRUE@	$(am__append_57) $(am__append_61) \
+@MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
+@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69) \
+@MONOLITHIC_TRUE@	$(am__append_71) $(am__append_73) \
+@MONOLITHIC_TRUE@	$(am__append_75) $(am__append_78) \
+@MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82) \
+@MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86) \
+@MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
+@MONOLITHIC_TRUE@	$(am__append_92) $(am__append_94) \
+@MONOLITHIC_TRUE@	$(am__append_96) $(am__append_98) \
+@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_102) \
+@MONOLITHIC_TRUE@	$(am__append_104) $(am__append_106) \
+@MONOLITHIC_TRUE@	$(am__append_108) $(am__append_110) \
+@MONOLITHIC_TRUE@	$(am__append_112) $(am__append_114) \
+@MONOLITHIC_TRUE@	$(am__append_116) $(am__append_118) \
+@MONOLITHIC_TRUE@	$(am__append_120) $(am__append_122) \
+@MONOLITHIC_TRUE@	$(am__append_124) $(am__append_126) \
+@MONOLITHIC_TRUE@	$(am__append_128)
 all: all-recursive
 
 .SUFFIXES:
@@ -836,7 +1023,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -844,6 +1030,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -865,8 +1053,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libcharon_la_OBJECTS) $(libcharon_la_LIBADD) $(LIBS)
+libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) $(EXTRA_libcharon_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libcharon_la_OBJECTS) $(libcharon_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -875,6 +1063,8 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/adopt_children_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aggressive_mode.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@
@@ -894,6 +1084,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dpd_timeout_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_method.Plo@am__quote@
@@ -902,7 +1093,10 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/endpoint_notify.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_logger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fragment_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/generator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hybrid_authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth_lifetime.Plo@am__quote@
@@ -924,29 +1118,45 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/informational.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_cert_post.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_cert_pre.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_delete.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_dpd.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_natd.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_vendor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat_v1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat_v2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/main_mode.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/migrate_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mode_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/phase1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_v1_authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_authenticator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_v1_authenticator.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/quick_delete.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/quick_mode.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/receiver.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_child_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_ike_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retry_initiate_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/roam_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Plo@am__quote@
@@ -959,6 +1169,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager_v1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager_v2.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@
@@ -967,671 +1179,863 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/update_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor_id_payload.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_method.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 bus.lo: bus/bus.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.lo -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/bus.c' object='bus.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.lo -MD -MP -MF $(DEPDIR)/bus.Tpo -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bus.Tpo $(DEPDIR)/bus.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bus/bus.c' object='bus.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.lo `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
 
 file_logger.lo: bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.lo -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/file_logger.c' object='file_logger.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.lo -MD -MP -MF $(DEPDIR)/file_logger.Tpo -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/file_logger.Tpo $(DEPDIR)/file_logger.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bus/listeners/file_logger.c' object='file_logger.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.lo `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
 
 sys_logger.lo: bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.lo -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bus/listeners/sys_logger.c' object='sys_logger.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.lo -MD -MP -MF $(DEPDIR)/sys_logger.Tpo -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sys_logger.Tpo $(DEPDIR)/sys_logger.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bus/listeners/sys_logger.c' object='sys_logger.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.lo `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
 
 backend_manager.lo: config/backend_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.lo -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/backend_manager.c' object='backend_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.lo -MD -MP -MF $(DEPDIR)/backend_manager.Tpo -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/backend_manager.Tpo $(DEPDIR)/backend_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/backend_manager.c' object='backend_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.lo `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
 
 child_cfg.lo: config/child_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.lo -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/child_cfg.c' object='child_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.lo -MD -MP -MF $(DEPDIR)/child_cfg.Tpo -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_cfg.Tpo $(DEPDIR)/child_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/child_cfg.c' object='child_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.lo `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
 
 ike_cfg.lo: config/ike_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.lo -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/ike_cfg.c' object='ike_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.lo -MD -MP -MF $(DEPDIR)/ike_cfg.Tpo -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_cfg.Tpo $(DEPDIR)/ike_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/ike_cfg.c' object='ike_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.lo `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
 
 peer_cfg.lo: config/peer_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.lo -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/peer_cfg.c' object='peer_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.lo -MD -MP -MF $(DEPDIR)/peer_cfg.Tpo -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/peer_cfg.Tpo $(DEPDIR)/peer_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/peer_cfg.c' object='peer_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.lo `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
 
 proposal.lo: config/proposal.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.lo -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config/proposal.c' object='proposal.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.lo -MD -MP -MF $(DEPDIR)/proposal.Tpo -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal.Tpo $(DEPDIR)/proposal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='config/proposal.c' object='proposal.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
 
 controller.lo: control/controller.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='control/controller.c' object='controller.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='control/controller.c' object='controller.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c
 
 generator.lo: encoding/generator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.lo -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/generator.c' object='generator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.lo -MD -MP -MF $(DEPDIR)/generator.Tpo -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/generator.Tpo $(DEPDIR)/generator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/generator.c' object='generator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.lo `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
 
 message.lo: encoding/message.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.lo -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/message.c' object='message.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.lo -MD -MP -MF $(DEPDIR)/message.Tpo -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/message.Tpo $(DEPDIR)/message.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/message.c' object='message.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.lo `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
 
 parser.lo: encoding/parser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.lo -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/parser.c' object='parser.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.lo -MD -MP -MF $(DEPDIR)/parser.Tpo -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/parser.Tpo $(DEPDIR)/parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/parser.c' object='parser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.lo `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
 
 auth_payload.lo: encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.lo -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/auth_payload.c' object='auth_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.lo -MD -MP -MF $(DEPDIR)/auth_payload.Tpo -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_payload.Tpo $(DEPDIR)/auth_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/auth_payload.c' object='auth_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.lo `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
 
 cert_payload.lo: encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.lo -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cert_payload.c' object='cert_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.lo -MD -MP -MF $(DEPDIR)/cert_payload.Tpo -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cert_payload.Tpo $(DEPDIR)/cert_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/cert_payload.c' object='cert_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.lo `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
 
 certreq_payload.lo: encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.lo -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/certreq_payload.c' object='certreq_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.lo -MD -MP -MF $(DEPDIR)/certreq_payload.Tpo -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/certreq_payload.Tpo $(DEPDIR)/certreq_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/certreq_payload.c' object='certreq_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.lo `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
 
 configuration_attribute.lo: encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.lo -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.lo -MD -MP -MF $(DEPDIR)/configuration_attribute.Tpo -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/configuration_attribute.Tpo $(DEPDIR)/configuration_attribute.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.lo `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
 
 cp_payload.lo: encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.lo -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/cp_payload.c' object='cp_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.lo -MD -MP -MF $(DEPDIR)/cp_payload.Tpo -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cp_payload.Tpo $(DEPDIR)/cp_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/cp_payload.c' object='cp_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.lo `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
 
 delete_payload.lo: encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.lo -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/delete_payload.c' object='delete_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.lo -MD -MP -MF $(DEPDIR)/delete_payload.Tpo -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/delete_payload.Tpo $(DEPDIR)/delete_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/delete_payload.c' object='delete_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.lo `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
 
 eap_payload.lo: encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.lo -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/eap_payload.c' object='eap_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.lo -MD -MP -MF $(DEPDIR)/eap_payload.Tpo -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_payload.Tpo $(DEPDIR)/eap_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/eap_payload.c' object='eap_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.lo `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
 
 encodings.lo: encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.lo -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encodings.c' object='encodings.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.lo -MD -MP -MF $(DEPDIR)/encodings.Tpo -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/encodings.Tpo $(DEPDIR)/encodings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/encodings.c' object='encodings.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.lo `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
 
 encryption_payload.lo: encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.lo -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/encryption_payload.c' object='encryption_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.lo -MD -MP -MF $(DEPDIR)/encryption_payload.Tpo -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/encryption_payload.Tpo $(DEPDIR)/encryption_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/encryption_payload.c' object='encryption_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.lo `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
 
 id_payload.lo: encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.lo -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/id_payload.c' object='id_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.lo -MD -MP -MF $(DEPDIR)/id_payload.Tpo -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/id_payload.Tpo $(DEPDIR)/id_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/id_payload.c' object='id_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.lo `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
 
 ike_header.lo: encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.lo -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ike_header.c' object='ike_header.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.lo -MD -MP -MF $(DEPDIR)/ike_header.Tpo -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_header.Tpo $(DEPDIR)/ike_header.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/ike_header.c' object='ike_header.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.lo `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
 
 ke_payload.lo: encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.lo -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ke_payload.c' object='ke_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.lo -MD -MP -MF $(DEPDIR)/ke_payload.Tpo -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ke_payload.Tpo $(DEPDIR)/ke_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/ke_payload.c' object='ke_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.lo `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
 
 nonce_payload.lo: encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.lo -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/nonce_payload.c' object='nonce_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.lo -MD -MP -MF $(DEPDIR)/nonce_payload.Tpo -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/nonce_payload.Tpo $(DEPDIR)/nonce_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/nonce_payload.c' object='nonce_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.lo `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
 
 notify_payload.lo: encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.lo -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/notify_payload.c' object='notify_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.lo -MD -MP -MF $(DEPDIR)/notify_payload.Tpo -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/notify_payload.Tpo $(DEPDIR)/notify_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/notify_payload.c' object='notify_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.lo `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
 
 payload.lo: encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.lo -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/payload.c' object='payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.lo -MD -MP -MF $(DEPDIR)/payload.Tpo -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/payload.Tpo $(DEPDIR)/payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/payload.c' object='payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.lo `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
 
 proposal_substructure.lo: encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.lo -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.lo -MD -MP -MF $(DEPDIR)/proposal_substructure.Tpo -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal_substructure.Tpo $(DEPDIR)/proposal_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.lo `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
 
 sa_payload.lo: encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.lo -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/sa_payload.c' object='sa_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.lo -MD -MP -MF $(DEPDIR)/sa_payload.Tpo -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sa_payload.Tpo $(DEPDIR)/sa_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/sa_payload.c' object='sa_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.lo `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
 
 traffic_selector_substructure.lo: encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.lo -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.lo -MD -MP -MF $(DEPDIR)/traffic_selector_substructure.Tpo -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/traffic_selector_substructure.Tpo $(DEPDIR)/traffic_selector_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.lo `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
 
 transform_attribute.lo: encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.lo -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_attribute.c' object='transform_attribute.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.lo -MD -MP -MF $(DEPDIR)/transform_attribute.Tpo -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/transform_attribute.Tpo $(DEPDIR)/transform_attribute.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/transform_attribute.c' object='transform_attribute.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.lo `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
 
 transform_substructure.lo: encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.lo -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/transform_substructure.c' object='transform_substructure.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.lo -MD -MP -MF $(DEPDIR)/transform_substructure.Tpo -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/transform_substructure.Tpo $(DEPDIR)/transform_substructure.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/transform_substructure.c' object='transform_substructure.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.lo `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
 
 ts_payload.lo: encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.lo -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/ts_payload.c' object='ts_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.lo -MD -MP -MF $(DEPDIR)/ts_payload.Tpo -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ts_payload.Tpo $(DEPDIR)/ts_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/ts_payload.c' object='ts_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.lo `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
 
 unknown_payload.lo: encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.lo -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/unknown_payload.c' object='unknown_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.lo -MD -MP -MF $(DEPDIR)/unknown_payload.Tpo -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/unknown_payload.Tpo $(DEPDIR)/unknown_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/unknown_payload.c' object='unknown_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.lo `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
 
 vendor_id_payload.lo: encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.lo -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.lo -MD -MP -MF $(DEPDIR)/vendor_id_payload.Tpo -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/vendor_id_payload.Tpo $(DEPDIR)/vendor_id_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+
+hash_payload.lo: encoding/payloads/hash_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hash_payload.lo -MD -MP -MF $(DEPDIR)/hash_payload.Tpo -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hash_payload.Tpo $(DEPDIR)/hash_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/hash_payload.c' object='hash_payload.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hash_payload.lo `test -f 'encoding/payloads/hash_payload.c' || echo '$(srcdir)/'`encoding/payloads/hash_payload.c
+
+fragment_payload.lo: encoding/payloads/fragment_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fragment_payload.lo -MD -MP -MF $(DEPDIR)/fragment_payload.Tpo -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fragment_payload.Tpo $(DEPDIR)/fragment_payload.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/fragment_payload.c' object='fragment_payload.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fragment_payload.lo `test -f 'encoding/payloads/fragment_payload.c' || echo '$(srcdir)/'`encoding/payloads/fragment_payload.c
 
 kernel_handler.lo: kernel/kernel_handler.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_handler.c' object='kernel_handler.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_handler.c' object='kernel_handler.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
 
 receiver.lo: network/receiver.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.lo -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/receiver.c' object='receiver.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.lo -MD -MP -MF $(DEPDIR)/receiver.Tpo -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/receiver.Tpo $(DEPDIR)/receiver.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/receiver.c' object='receiver.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.lo `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
 
 sender.lo: network/sender.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.lo -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/sender.c' object='sender.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.lo -MD -MP -MF $(DEPDIR)/sender.Tpo -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sender.Tpo $(DEPDIR)/sender.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/sender.c' object='sender.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
-
-packet.lo: network/packet.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.lo `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
 
 socket.lo: network/socket.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.lo -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket.c' object='socket.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.lo -MD -MP -MF $(DEPDIR)/socket.Tpo -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/socket.Tpo $(DEPDIR)/socket.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/socket.c' object='socket.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.lo `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
 
 socket_manager.lo: network/socket_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket_manager.lo -MD -MP -MF $(DEPDIR)/socket_manager.Tpo -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/socket_manager.Tpo $(DEPDIR)/socket_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='network/socket_manager.c' object='socket_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket_manager.lo -MD -MP -MF $(DEPDIR)/socket_manager.Tpo -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/socket_manager.Tpo $(DEPDIR)/socket_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='network/socket_manager.c' object='socket_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket_manager.lo `test -f 'network/socket_manager.c' || echo '$(srcdir)/'`network/socket_manager.c
 
 acquire_job.lo: processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.lo -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/acquire_job.c' object='acquire_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.lo -MD -MP -MF $(DEPDIR)/acquire_job.Tpo -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/acquire_job.Tpo $(DEPDIR)/acquire_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/acquire_job.c' object='acquire_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
 
 delete_child_sa_job.lo: processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
 
 delete_ike_sa_job.lo: processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_ike_sa_job.Tpo -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/delete_ike_sa_job.Tpo $(DEPDIR)/delete_ike_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.lo `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
 
 migrate_job.lo: processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.lo -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/migrate_job.c' object='migrate_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT migrate_job.lo -MD -MP -MF $(DEPDIR)/migrate_job.Tpo -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/migrate_job.Tpo $(DEPDIR)/migrate_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/migrate_job.c' object='migrate_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o migrate_job.lo `test -f 'processing/jobs/migrate_job.c' || echo '$(srcdir)/'`processing/jobs/migrate_job.c
 
 process_message_job.lo: processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.lo -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/process_message_job.c' object='process_message_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.lo -MD -MP -MF $(DEPDIR)/process_message_job.Tpo -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/process_message_job.Tpo $(DEPDIR)/process_message_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/process_message_job.c' object='process_message_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.lo `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
 
 rekey_child_sa_job.lo: processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_child_sa_job.Tpo -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rekey_child_sa_job.Tpo $(DEPDIR)/rekey_child_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.lo `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
 
 rekey_ike_sa_job.lo: processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.lo -MD -MP -MF $(DEPDIR)/rekey_ike_sa_job.Tpo -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rekey_ike_sa_job.Tpo $(DEPDIR)/rekey_ike_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.lo `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
 
 retransmit_job.lo: processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.lo -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/retransmit_job.c' object='retransmit_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.lo -MD -MP -MF $(DEPDIR)/retransmit_job.Tpo -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/retransmit_job.Tpo $(DEPDIR)/retransmit_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/retransmit_job.c' object='retransmit_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
+
+retry_initiate_job.lo: processing/jobs/retry_initiate_job.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retry_initiate_job.lo -MD -MP -MF $(DEPDIR)/retry_initiate_job.Tpo -c -o retry_initiate_job.lo `test -f 'processing/jobs/retry_initiate_job.c' || echo '$(srcdir)/'`processing/jobs/retry_initiate_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/retry_initiate_job.Tpo $(DEPDIR)/retry_initiate_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/retry_initiate_job.c' object='retry_initiate_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.lo `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retry_initiate_job.lo `test -f 'processing/jobs/retry_initiate_job.c' || echo '$(srcdir)/'`processing/jobs/retry_initiate_job.c
 
 send_dpd_job.lo: processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.lo -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_dpd_job.c' object='send_dpd_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.lo -MD -MP -MF $(DEPDIR)/send_dpd_job.Tpo -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/send_dpd_job.Tpo $(DEPDIR)/send_dpd_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/send_dpd_job.c' object='send_dpd_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.lo `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
 
 send_keepalive_job.lo: processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.lo -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.lo -MD -MP -MF $(DEPDIR)/send_keepalive_job.Tpo -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/send_keepalive_job.Tpo $(DEPDIR)/send_keepalive_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
 
 start_action_job.lo: processing/jobs/start_action_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/start_action_job.c' object='start_action_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/start_action_job.c' object='start_action_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c
 
 roam_job.lo: processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/roam_job.c' object='roam_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
 
 update_sa_job.lo: processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.lo -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/update_sa_job.c' object='update_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT update_sa_job.lo -MD -MP -MF $(DEPDIR)/update_sa_job.Tpo -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/update_sa_job.Tpo $(DEPDIR)/update_sa_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/update_sa_job.c' object='update_sa_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o update_sa_job.lo `test -f 'processing/jobs/update_sa_job.c' || echo '$(srcdir)/'`processing/jobs/update_sa_job.c
 
 inactivity_job.lo: processing/jobs/inactivity_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.lo -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/inactivity_job.c' object='inactivity_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT inactivity_job.lo -MD -MP -MF $(DEPDIR)/inactivity_job.Tpo -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/inactivity_job.Tpo $(DEPDIR)/inactivity_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/inactivity_job.c' object='inactivity_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
 
-authenticator.lo: sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/authenticator.c' object='authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+eap_method.lo: sa/eap/eap_method.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.lo -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.lo `test -f 'sa/eap/eap_method.c' || echo '$(srcdir)/'`sa/eap/eap_method.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/eap/eap_method.c' object='eap_method.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.lo `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.lo `test -f 'sa/eap/eap_method.c' || echo '$(srcdir)/'`sa/eap/eap_method.c
 
-eap_authenticator.lo: sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.lo -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.lo `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+eap_manager.lo: sa/eap/eap_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.lo -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.lo `test -f 'sa/eap/eap_manager.c' || echo '$(srcdir)/'`sa/eap/eap_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/eap/eap_manager.c' object='eap_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.lo `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.lo `test -f 'sa/eap/eap_manager.c' || echo '$(srcdir)/'`sa/eap/eap_manager.c
 
-eap_method.lo: sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.lo -MD -MP -MF $(DEPDIR)/eap_method.Tpo -c -o eap_method.lo `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_method.Tpo $(DEPDIR)/eap_method.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_method.c' object='eap_method.lo' libtool=yes @AMDEPBACKSLASH@
+xauth_method.lo: sa/xauth/xauth_method.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_method.lo -MD -MP -MF $(DEPDIR)/xauth_method.Tpo -c -o xauth_method.lo `test -f 'sa/xauth/xauth_method.c' || echo '$(srcdir)/'`sa/xauth/xauth_method.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xauth_method.Tpo $(DEPDIR)/xauth_method.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/xauth/xauth_method.c' object='xauth_method.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.lo `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_method.lo `test -f 'sa/xauth/xauth_method.c' || echo '$(srcdir)/'`sa/xauth/xauth_method.c
 
-eap_manager.lo: sa/authenticators/eap/eap_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_manager.lo -MD -MP -MF $(DEPDIR)/eap_manager.Tpo -c -o eap_manager.lo `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap_manager.Tpo $(DEPDIR)/eap_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/eap/eap_manager.c' object='eap_manager.lo' libtool=yes @AMDEPBACKSLASH@
+xauth_manager.lo: sa/xauth/xauth_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.lo -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.lo `test -f 'sa/xauth/xauth_manager.c' || echo '$(srcdir)/'`sa/xauth/xauth_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/xauth/xauth_manager.c' object='xauth_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_manager.lo `test -f 'sa/authenticators/eap/eap_manager.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.lo `test -f 'sa/xauth/xauth_manager.c' || echo '$(srcdir)/'`sa/xauth/xauth_manager.c
 
-psk_authenticator.lo: sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.lo `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+authenticator.lo: sa/authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticator.c' || echo '$(srcdir)/'`sa/authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/authenticator.c' object='authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.lo `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
-
-pubkey_authenticator.lo: sa/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.lo `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.lo `test -f 'sa/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/pubkey_authenticator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.lo `test -f 'sa/authenticator.c' || echo '$(srcdir)/'`sa/authenticator.c
 
 child_sa.lo: sa/child_sa.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.lo -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/child_sa.c' object='child_sa.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.lo -MD -MP -MF $(DEPDIR)/child_sa.Tpo -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_sa.Tpo $(DEPDIR)/child_sa.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/child_sa.c' object='child_sa.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.lo `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
 
 ike_sa.lo: sa/ike_sa.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.lo -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa.c' object='ike_sa.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.lo -MD -MP -MF $(DEPDIR)/ike_sa.Tpo -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_sa.Tpo $(DEPDIR)/ike_sa.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ike_sa.c' object='ike_sa.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.lo `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
 
 ike_sa_id.lo: sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.lo -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_id.c' object='ike_sa_id.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.lo -MD -MP -MF $(DEPDIR)/ike_sa_id.Tpo -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_sa_id.Tpo $(DEPDIR)/ike_sa_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ike_sa_id.c' object='ike_sa_id.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.lo `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
 
-ike_sa_manager.lo: sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.lo -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/ike_sa_manager.c' object='ike_sa_manager.lo' libtool=yes @AMDEPBACKSLASH@
+keymat.lo: sa/keymat.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.lo -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/keymat.c' object='keymat.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
 
-task_manager.lo: sa/task_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.lo -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/task_manager.c' object='task_manager.lo' libtool=yes @AMDEPBACKSLASH@
+ike_sa_manager.lo: sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.lo -MD -MP -MF $(DEPDIR)/ike_sa_manager.Tpo -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_sa_manager.Tpo $(DEPDIR)/ike_sa_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ike_sa_manager.c' object='ike_sa_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.lo `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
 
-keymat.lo: sa/keymat.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat.lo -MD -MP -MF $(DEPDIR)/keymat.Tpo -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keymat.Tpo $(DEPDIR)/keymat.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/keymat.c' object='keymat.lo' libtool=yes @AMDEPBACKSLASH@
+task_manager.lo: sa/task_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.lo -MD -MP -MF $(DEPDIR)/task_manager.Tpo -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task_manager.Tpo $(DEPDIR)/task_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/task_manager.c' object='task_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.lo `test -f 'sa/keymat.c' || echo '$(srcdir)/'`sa/keymat.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.lo `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
 
 shunt_manager.lo: sa/shunt_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shunt_manager.lo -MD -MP -MF $(DEPDIR)/shunt_manager.Tpo -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/shunt_manager.Tpo $(DEPDIR)/shunt_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/shunt_manager.c' object='shunt_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shunt_manager.lo -MD -MP -MF $(DEPDIR)/shunt_manager.Tpo -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/shunt_manager.Tpo $(DEPDIR)/shunt_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/shunt_manager.c' object='shunt_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shunt_manager.lo `test -f 'sa/shunt_manager.c' || echo '$(srcdir)/'`sa/shunt_manager.c
 
 trap_manager.lo: sa/trap_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.lo -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/trap_manager.c' object='trap_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.lo -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/trap_manager.c' object='trap_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+
+task.lo: sa/task.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.lo -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.lo `test -f 'sa/task.c' || echo '$(srcdir)/'`sa/task.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/task.c' object='task.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.lo `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/task.c' || echo '$(srcdir)/'`sa/task.c
 
-child_create.lo: sa/tasks/child_create.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.lo -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.lo `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_create.c' object='child_create.lo' libtool=yes @AMDEPBACKSLASH@
+keymat_v2.lo: sa/ikev2/keymat_v2.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat_v2.lo -MD -MP -MF $(DEPDIR)/keymat_v2.Tpo -c -o keymat_v2.lo `test -f 'sa/ikev2/keymat_v2.c' || echo '$(srcdir)/'`sa/ikev2/keymat_v2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keymat_v2.Tpo $(DEPDIR)/keymat_v2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/keymat_v2.c' object='keymat_v2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.lo `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat_v2.lo `test -f 'sa/ikev2/keymat_v2.c' || echo '$(srcdir)/'`sa/ikev2/keymat_v2.c
 
-child_delete.lo: sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.lo -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.lo `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_delete.c' object='child_delete.lo' libtool=yes @AMDEPBACKSLASH@
+task_manager_v2.lo: sa/ikev2/task_manager_v2.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager_v2.lo -MD -MP -MF $(DEPDIR)/task_manager_v2.Tpo -c -o task_manager_v2.lo `test -f 'sa/ikev2/task_manager_v2.c' || echo '$(srcdir)/'`sa/ikev2/task_manager_v2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task_manager_v2.Tpo $(DEPDIR)/task_manager_v2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/task_manager_v2.c' object='task_manager_v2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.lo `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager_v2.lo `test -f 'sa/ikev2/task_manager_v2.c' || echo '$(srcdir)/'`sa/ikev2/task_manager_v2.c
 
-child_rekey.lo: sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.lo -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.lo `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/child_rekey.c' object='child_rekey.lo' libtool=yes @AMDEPBACKSLASH@
+eap_authenticator.lo: sa/ikev2/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.lo -MD -MP -MF $(DEPDIR)/eap_authenticator.Tpo -c -o eap_authenticator.lo `test -f 'sa/ikev2/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap_authenticator.Tpo $(DEPDIR)/eap_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/authenticators/eap_authenticator.c' object='eap_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.lo `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.lo `test -f 'sa/ikev2/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/eap_authenticator.c
 
-ike_auth.lo: sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.lo -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.lo `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth.c' object='ike_auth.lo' libtool=yes @AMDEPBACKSLASH@
+psk_authenticator.lo: sa/ikev2/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_authenticator.Tpo -c -o psk_authenticator.lo `test -f 'sa/ikev2/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/psk_authenticator.Tpo $(DEPDIR)/psk_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/authenticators/psk_authenticator.c' object='psk_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.lo `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.lo `test -f 'sa/ikev2/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/psk_authenticator.c
 
-ike_cert_pre.lo: sa/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.lo -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.lo `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_pre.c' object='ike_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
+pubkey_authenticator.lo: sa/ikev2/authenticators/pubkey_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_authenticator.Tpo -c -o pubkey_authenticator.lo `test -f 'sa/ikev2/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/pubkey_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pubkey_authenticator.Tpo $(DEPDIR)/pubkey_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/authenticators/pubkey_authenticator.c' object='pubkey_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.lo `test -f 'sa/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_pre.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_authenticator.lo `test -f 'sa/ikev2/authenticators/pubkey_authenticator.c' || echo '$(srcdir)/'`sa/ikev2/authenticators/pubkey_authenticator.c
 
-ike_cert_post.lo: sa/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.lo -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.lo `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_cert_post.c' object='ike_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
+child_create.lo: sa/ikev2/tasks/child_create.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.lo -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.lo `test -f 'sa/ikev2/tasks/child_create.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_create.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/child_create.c' object='child_create.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.lo `test -f 'sa/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/tasks/ike_cert_post.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.lo `test -f 'sa/ikev2/tasks/child_create.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_create.c
 
-ike_config.lo: sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.lo -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.lo `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_config.c' object='ike_config.lo' libtool=yes @AMDEPBACKSLASH@
+child_delete.lo: sa/ikev2/tasks/child_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.lo -MD -MP -MF $(DEPDIR)/child_delete.Tpo -c -o child_delete.lo `test -f 'sa/ikev2/tasks/child_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_delete.Tpo $(DEPDIR)/child_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/child_delete.c' object='child_delete.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.lo `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.lo `test -f 'sa/ikev2/tasks/child_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_delete.c
 
-ike_delete.lo: sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.lo -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.lo `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_delete.c' object='ike_delete.lo' libtool=yes @AMDEPBACKSLASH@
+child_rekey.lo: sa/ikev2/tasks/child_rekey.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.lo -MD -MP -MF $(DEPDIR)/child_rekey.Tpo -c -o child_rekey.lo `test -f 'sa/ikev2/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_rekey.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/child_rekey.Tpo $(DEPDIR)/child_rekey.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/child_rekey.c' object='child_rekey.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.lo `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.lo `test -f 'sa/ikev2/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/child_rekey.c
 
-ike_dpd.lo: sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.lo -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.lo `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_dpd.c' object='ike_dpd.lo' libtool=yes @AMDEPBACKSLASH@
+ike_auth.lo: sa/ikev2/tasks/ike_auth.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.lo -MD -MP -MF $(DEPDIR)/ike_auth.Tpo -c -o ike_auth.lo `test -f 'sa/ikev2/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth.Tpo $(DEPDIR)/ike_auth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_auth.c' object='ike_auth.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.lo `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.lo `test -f 'sa/ikev2/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth.c
 
-ike_init.lo: sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.lo -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.lo `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_init.c' object='ike_init.lo' libtool=yes @AMDEPBACKSLASH@
+ike_cert_pre.lo: sa/ikev2/tasks/ike_cert_pre.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_pre.lo -MD -MP -MF $(DEPDIR)/ike_cert_pre.Tpo -c -o ike_cert_pre.lo `test -f 'sa/ikev2/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_pre.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_cert_pre.Tpo $(DEPDIR)/ike_cert_pre.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_cert_pre.c' object='ike_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.lo `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_pre.lo `test -f 'sa/ikev2/tasks/ike_cert_pre.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_pre.c
 
-ike_natd.lo: sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.lo -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.lo `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_natd.c' object='ike_natd.lo' libtool=yes @AMDEPBACKSLASH@
+ike_cert_post.lo: sa/ikev2/tasks/ike_cert_post.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert_post.lo -MD -MP -MF $(DEPDIR)/ike_cert_post.Tpo -c -o ike_cert_post.lo `test -f 'sa/ikev2/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_post.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_cert_post.Tpo $(DEPDIR)/ike_cert_post.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_cert_post.c' object='ike_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.lo `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert_post.lo `test -f 'sa/ikev2/tasks/ike_cert_post.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_cert_post.c
 
-ike_mobike.lo: sa/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.lo -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.lo `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.lo' libtool=yes @AMDEPBACKSLASH@
+ike_config.lo: sa/ikev2/tasks/ike_config.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.lo -MD -MP -MF $(DEPDIR)/ike_config.Tpo -c -o ike_config.lo `test -f 'sa/ikev2/tasks/ike_config.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_config.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_config.Tpo $(DEPDIR)/ike_config.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_config.c' object='ike_config.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.lo `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.lo `test -f 'sa/ikev2/tasks/ike_config.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_config.c
 
-ike_rekey.lo: sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.lo -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.lo `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_rekey.c' object='ike_rekey.lo' libtool=yes @AMDEPBACKSLASH@
+ike_delete.lo: sa/ikev2/tasks/ike_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.lo -MD -MP -MF $(DEPDIR)/ike_delete.Tpo -c -o ike_delete.lo `test -f 'sa/ikev2/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_delete.Tpo $(DEPDIR)/ike_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_delete.c' object='ike_delete.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.lo `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.lo `test -f 'sa/ikev2/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_delete.c
 
-ike_reauth.lo: sa/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.lo -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.lo `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.lo' libtool=yes @AMDEPBACKSLASH@
+ike_dpd.lo: sa/ikev2/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.lo -MD -MP -MF $(DEPDIR)/ike_dpd.Tpo -c -o ike_dpd.lo `test -f 'sa/ikev2/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_dpd.Tpo $(DEPDIR)/ike_dpd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_dpd.c' object='ike_dpd.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.lo `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.lo `test -f 'sa/ikev2/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_dpd.c
 
-ike_auth_lifetime.lo: sa/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.lo -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.lo `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.lo' libtool=yes @AMDEPBACKSLASH@
+ike_init.lo: sa/ikev2/tasks/ike_init.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.lo -MD -MP -MF $(DEPDIR)/ike_init.Tpo -c -o ike_init.lo `test -f 'sa/ikev2/tasks/ike_init.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_init.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_init.Tpo $(DEPDIR)/ike_init.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_init.c' object='ike_init.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.lo `test -f 'sa/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/tasks/ike_auth_lifetime.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.lo `test -f 'sa/ikev2/tasks/ike_init.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_init.c
 
-ike_vendor.lo: sa/tasks/ike_vendor.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.lo -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.lo `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_vendor.c' object='ike_vendor.lo' libtool=yes @AMDEPBACKSLASH@
+ike_natd.lo: sa/ikev2/tasks/ike_natd.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.lo -MD -MP -MF $(DEPDIR)/ike_natd.Tpo -c -o ike_natd.lo `test -f 'sa/ikev2/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_natd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_natd.Tpo $(DEPDIR)/ike_natd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_natd.c' object='ike_natd.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.lo `test -f 'sa/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/tasks/ike_vendor.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.lo `test -f 'sa/ikev2/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_natd.c
 
-task.lo: sa/tasks/task.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.lo -MD -MP -MF $(DEPDIR)/task.Tpo -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/task.Tpo $(DEPDIR)/task.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/task.c' object='task.lo' libtool=yes @AMDEPBACKSLASH@
+ike_mobike.lo: sa/ikev2/tasks/ike_mobike.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.lo -MD -MP -MF $(DEPDIR)/ike_mobike.Tpo -c -o ike_mobike.lo `test -f 'sa/ikev2/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_mobike.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_mobike.Tpo $(DEPDIR)/ike_mobike.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_mobike.c' object='ike_mobike.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.lo `test -f 'sa/ikev2/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_mobike.c
+
+ike_rekey.lo: sa/ikev2/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.lo -MD -MP -MF $(DEPDIR)/ike_rekey.Tpo -c -o ike_rekey.lo `test -f 'sa/ikev2/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_rekey.Tpo $(DEPDIR)/ike_rekey.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_rekey.c' object='ike_rekey.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.lo `test -f 'sa/ikev2/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_rekey.c
+
+ike_reauth.lo: sa/ikev2/tasks/ike_reauth.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.lo -MD -MP -MF $(DEPDIR)/ike_reauth.Tpo -c -o ike_reauth.lo `test -f 'sa/ikev2/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_reauth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_reauth.Tpo $(DEPDIR)/ike_reauth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_reauth.c' object='ike_reauth.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.lo `test -f 'sa/ikev2/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_reauth.c
+
+ike_auth_lifetime.lo: sa/ikev2/tasks/ike_auth_lifetime.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_lifetime.lo -MD -MP -MF $(DEPDIR)/ike_auth_lifetime.Tpo -c -o ike_auth_lifetime.lo `test -f 'sa/ikev2/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth_lifetime.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_auth_lifetime.Tpo $(DEPDIR)/ike_auth_lifetime.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_auth_lifetime.c' object='ike_auth_lifetime.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_lifetime.lo `test -f 'sa/ikev2/tasks/ike_auth_lifetime.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_auth_lifetime.c
+
+ike_vendor.lo: sa/ikev2/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_vendor.lo -MD -MP -MF $(DEPDIR)/ike_vendor.Tpo -c -o ike_vendor.lo `test -f 'sa/ikev2/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_vendor.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_vendor.Tpo $(DEPDIR)/ike_vendor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_vendor.c' object='ike_vendor.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_vendor.lo `test -f 'sa/ikev2/tasks/ike_vendor.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_vendor.c
+
+keymat_v1.lo: sa/ikev1/keymat_v1.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keymat_v1.lo -MD -MP -MF $(DEPDIR)/keymat_v1.Tpo -c -o keymat_v1.lo `test -f 'sa/ikev1/keymat_v1.c' || echo '$(srcdir)/'`sa/ikev1/keymat_v1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keymat_v1.Tpo $(DEPDIR)/keymat_v1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/keymat_v1.c' object='keymat_v1.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat_v1.lo `test -f 'sa/ikev1/keymat_v1.c' || echo '$(srcdir)/'`sa/ikev1/keymat_v1.c
+
+task_manager_v1.lo: sa/ikev1/task_manager_v1.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager_v1.lo -MD -MP -MF $(DEPDIR)/task_manager_v1.Tpo -c -o task_manager_v1.lo `test -f 'sa/ikev1/task_manager_v1.c' || echo '$(srcdir)/'`sa/ikev1/task_manager_v1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/task_manager_v1.Tpo $(DEPDIR)/task_manager_v1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/task_manager_v1.c' object='task_manager_v1.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager_v1.lo `test -f 'sa/ikev1/task_manager_v1.c' || echo '$(srcdir)/'`sa/ikev1/task_manager_v1.c
+
+psk_v1_authenticator.lo: sa/ikev1/authenticators/psk_v1_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_v1_authenticator.lo -MD -MP -MF $(DEPDIR)/psk_v1_authenticator.Tpo -c -o psk_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/psk_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/psk_v1_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/psk_v1_authenticator.Tpo $(DEPDIR)/psk_v1_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/authenticators/psk_v1_authenticator.c' object='psk_v1_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/psk_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/psk_v1_authenticator.c
+
+pubkey_v1_authenticator.lo: sa/ikev1/authenticators/pubkey_v1_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pubkey_v1_authenticator.lo -MD -MP -MF $(DEPDIR)/pubkey_v1_authenticator.Tpo -c -o pubkey_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/pubkey_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/pubkey_v1_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pubkey_v1_authenticator.Tpo $(DEPDIR)/pubkey_v1_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/authenticators/pubkey_v1_authenticator.c' object='pubkey_v1_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pubkey_v1_authenticator.lo `test -f 'sa/ikev1/authenticators/pubkey_v1_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/pubkey_v1_authenticator.c
+
+hybrid_authenticator.lo: sa/ikev1/authenticators/hybrid_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hybrid_authenticator.lo -MD -MP -MF $(DEPDIR)/hybrid_authenticator.Tpo -c -o hybrid_authenticator.lo `test -f 'sa/ikev1/authenticators/hybrid_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/hybrid_authenticator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hybrid_authenticator.Tpo $(DEPDIR)/hybrid_authenticator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/authenticators/hybrid_authenticator.c' object='hybrid_authenticator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hybrid_authenticator.lo `test -f 'sa/ikev1/authenticators/hybrid_authenticator.c' || echo '$(srcdir)/'`sa/ikev1/authenticators/hybrid_authenticator.c
+
+phase1.lo: sa/ikev1/phase1.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT phase1.lo -MD -MP -MF $(DEPDIR)/phase1.Tpo -c -o phase1.lo `test -f 'sa/ikev1/phase1.c' || echo '$(srcdir)/'`sa/ikev1/phase1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/phase1.Tpo $(DEPDIR)/phase1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/phase1.c' object='phase1.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o phase1.lo `test -f 'sa/ikev1/phase1.c' || echo '$(srcdir)/'`sa/ikev1/phase1.c
+
+main_mode.lo: sa/ikev1/tasks/main_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT main_mode.lo -MD -MP -MF $(DEPDIR)/main_mode.Tpo -c -o main_mode.lo `test -f 'sa/ikev1/tasks/main_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/main_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/main_mode.Tpo $(DEPDIR)/main_mode.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/main_mode.c' object='main_mode.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o main_mode.lo `test -f 'sa/ikev1/tasks/main_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/main_mode.c
+
+aggressive_mode.lo: sa/ikev1/tasks/aggressive_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aggressive_mode.lo -MD -MP -MF $(DEPDIR)/aggressive_mode.Tpo -c -o aggressive_mode.lo `test -f 'sa/ikev1/tasks/aggressive_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/aggressive_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aggressive_mode.Tpo $(DEPDIR)/aggressive_mode.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/aggressive_mode.c' object='aggressive_mode.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aggressive_mode.lo `test -f 'sa/ikev1/tasks/aggressive_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/aggressive_mode.c
+
+informational.lo: sa/ikev1/tasks/informational.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT informational.lo -MD -MP -MF $(DEPDIR)/informational.Tpo -c -o informational.lo `test -f 'sa/ikev1/tasks/informational.c' || echo '$(srcdir)/'`sa/ikev1/tasks/informational.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/informational.Tpo $(DEPDIR)/informational.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/informational.c' object='informational.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o informational.lo `test -f 'sa/ikev1/tasks/informational.c' || echo '$(srcdir)/'`sa/ikev1/tasks/informational.c
+
+isakmp_cert_pre.lo: sa/ikev1/tasks/isakmp_cert_pre.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_cert_pre.lo -MD -MP -MF $(DEPDIR)/isakmp_cert_pre.Tpo -c -o isakmp_cert_pre.lo `test -f 'sa/ikev1/tasks/isakmp_cert_pre.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_pre.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_cert_pre.Tpo $(DEPDIR)/isakmp_cert_pre.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_cert_pre.c' object='isakmp_cert_pre.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_cert_pre.lo `test -f 'sa/ikev1/tasks/isakmp_cert_pre.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_pre.c
+
+isakmp_cert_post.lo: sa/ikev1/tasks/isakmp_cert_post.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_cert_post.lo -MD -MP -MF $(DEPDIR)/isakmp_cert_post.Tpo -c -o isakmp_cert_post.lo `test -f 'sa/ikev1/tasks/isakmp_cert_post.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_post.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_cert_post.Tpo $(DEPDIR)/isakmp_cert_post.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_cert_post.c' object='isakmp_cert_post.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_cert_post.lo `test -f 'sa/ikev1/tasks/isakmp_cert_post.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_cert_post.c
+
+isakmp_natd.lo: sa/ikev1/tasks/isakmp_natd.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_natd.lo -MD -MP -MF $(DEPDIR)/isakmp_natd.Tpo -c -o isakmp_natd.lo `test -f 'sa/ikev1/tasks/isakmp_natd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_natd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_natd.Tpo $(DEPDIR)/isakmp_natd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_natd.c' object='isakmp_natd.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_natd.lo `test -f 'sa/ikev1/tasks/isakmp_natd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_natd.c
+
+isakmp_vendor.lo: sa/ikev1/tasks/isakmp_vendor.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_vendor.lo -MD -MP -MF $(DEPDIR)/isakmp_vendor.Tpo -c -o isakmp_vendor.lo `test -f 'sa/ikev1/tasks/isakmp_vendor.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_vendor.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_vendor.Tpo $(DEPDIR)/isakmp_vendor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_vendor.c' object='isakmp_vendor.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_vendor.lo `test -f 'sa/ikev1/tasks/isakmp_vendor.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_vendor.c
+
+isakmp_delete.lo: sa/ikev1/tasks/isakmp_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_delete.lo -MD -MP -MF $(DEPDIR)/isakmp_delete.Tpo -c -o isakmp_delete.lo `test -f 'sa/ikev1/tasks/isakmp_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_delete.Tpo $(DEPDIR)/isakmp_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_delete.c' object='isakmp_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_delete.lo `test -f 'sa/ikev1/tasks/isakmp_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_delete.c
+
+isakmp_dpd.lo: sa/ikev1/tasks/isakmp_dpd.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT isakmp_dpd.lo -MD -MP -MF $(DEPDIR)/isakmp_dpd.Tpo -c -o isakmp_dpd.lo `test -f 'sa/ikev1/tasks/isakmp_dpd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_dpd.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/isakmp_dpd.Tpo $(DEPDIR)/isakmp_dpd.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/isakmp_dpd.c' object='isakmp_dpd.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o isakmp_dpd.lo `test -f 'sa/ikev1/tasks/isakmp_dpd.c' || echo '$(srcdir)/'`sa/ikev1/tasks/isakmp_dpd.c
+
+xauth.lo: sa/ikev1/tasks/xauth.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth.lo -MD -MP -MF $(DEPDIR)/xauth.Tpo -c -o xauth.lo `test -f 'sa/ikev1/tasks/xauth.c' || echo '$(srcdir)/'`sa/ikev1/tasks/xauth.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xauth.Tpo $(DEPDIR)/xauth.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/xauth.c' object='xauth.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth.lo `test -f 'sa/ikev1/tasks/xauth.c' || echo '$(srcdir)/'`sa/ikev1/tasks/xauth.c
+
+quick_mode.lo: sa/ikev1/tasks/quick_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT quick_mode.lo -MD -MP -MF $(DEPDIR)/quick_mode.Tpo -c -o quick_mode.lo `test -f 'sa/ikev1/tasks/quick_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_mode.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/quick_mode.Tpo $(DEPDIR)/quick_mode.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/quick_mode.c' object='quick_mode.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o quick_mode.lo `test -f 'sa/ikev1/tasks/quick_mode.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_mode.c
+
+quick_delete.lo: sa/ikev1/tasks/quick_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT quick_delete.lo -MD -MP -MF $(DEPDIR)/quick_delete.Tpo -c -o quick_delete.lo `test -f 'sa/ikev1/tasks/quick_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_delete.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/quick_delete.Tpo $(DEPDIR)/quick_delete.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/quick_delete.c' object='quick_delete.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o quick_delete.lo `test -f 'sa/ikev1/tasks/quick_delete.c' || echo '$(srcdir)/'`sa/ikev1/tasks/quick_delete.c
+
+mode_config.lo: sa/ikev1/tasks/mode_config.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mode_config.lo -MD -MP -MF $(DEPDIR)/mode_config.Tpo -c -o mode_config.lo `test -f 'sa/ikev1/tasks/mode_config.c' || echo '$(srcdir)/'`sa/ikev1/tasks/mode_config.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mode_config.Tpo $(DEPDIR)/mode_config.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev1/tasks/mode_config.c' object='mode_config.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mode_config.lo `test -f 'sa/ikev1/tasks/mode_config.c' || echo '$(srcdir)/'`sa/ikev1/tasks/mode_config.c
+
+dpd_timeout_job.lo: processing/jobs/dpd_timeout_job.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT dpd_timeout_job.lo -MD -MP -MF $(DEPDIR)/dpd_timeout_job.Tpo -c -o dpd_timeout_job.lo `test -f 'processing/jobs/dpd_timeout_job.c' || echo '$(srcdir)/'`processing/jobs/dpd_timeout_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/dpd_timeout_job.Tpo $(DEPDIR)/dpd_timeout_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/dpd_timeout_job.c' object='dpd_timeout_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o dpd_timeout_job.lo `test -f 'processing/jobs/dpd_timeout_job.c' || echo '$(srcdir)/'`processing/jobs/dpd_timeout_job.c
+
+adopt_children_job.lo: processing/jobs/adopt_children_job.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT adopt_children_job.lo -MD -MP -MF $(DEPDIR)/adopt_children_job.Tpo -c -o adopt_children_job.lo `test -f 'processing/jobs/adopt_children_job.c' || echo '$(srcdir)/'`processing/jobs/adopt_children_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/adopt_children_job.Tpo $(DEPDIR)/adopt_children_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/adopt_children_job.c' object='adopt_children_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o adopt_children_job.lo `test -f 'processing/jobs/adopt_children_job.c' || echo '$(srcdir)/'`processing/jobs/adopt_children_job.c
 
 endpoint_notify.lo: encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='encoding/payloads/endpoint_notify.c' object='endpoint_notify.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
 
 initiate_mediation_job.lo: processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.lo -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_mediation_job.lo -MD -MP -MF $(DEPDIR)/initiate_mediation_job.Tpo -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/initiate_mediation_job.Tpo $(DEPDIR)/initiate_mediation_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/initiate_mediation_job.c' object='initiate_mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_mediation_job.lo `test -f 'processing/jobs/initiate_mediation_job.c' || echo '$(srcdir)/'`processing/jobs/initiate_mediation_job.c
 
 mediation_job.lo: processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.lo -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/mediation_job.c' object='mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_job.lo -MD -MP -MF $(DEPDIR)/mediation_job.Tpo -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mediation_job.Tpo $(DEPDIR)/mediation_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/mediation_job.c' object='mediation_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_job.lo `test -f 'processing/jobs/mediation_job.c' || echo '$(srcdir)/'`processing/jobs/mediation_job.c
 
-connect_manager.lo: sa/connect_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.lo -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.lo `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/connect_manager.c' object='connect_manager.lo' libtool=yes @AMDEPBACKSLASH@
+connect_manager.lo: sa/ikev2/connect_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connect_manager.lo -MD -MP -MF $(DEPDIR)/connect_manager.Tpo -c -o connect_manager.lo `test -f 'sa/ikev2/connect_manager.c' || echo '$(srcdir)/'`sa/ikev2/connect_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/connect_manager.Tpo $(DEPDIR)/connect_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/connect_manager.c' object='connect_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.lo `test -f 'sa/connect_manager.c' || echo '$(srcdir)/'`sa/connect_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connect_manager.lo `test -f 'sa/ikev2/connect_manager.c' || echo '$(srcdir)/'`sa/ikev2/connect_manager.c
 
-mediation_manager.lo: sa/mediation_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.lo -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.lo `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/mediation_manager.c' object='mediation_manager.lo' libtool=yes @AMDEPBACKSLASH@
+mediation_manager.lo: sa/ikev2/mediation_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mediation_manager.lo -MD -MP -MF $(DEPDIR)/mediation_manager.Tpo -c -o mediation_manager.lo `test -f 'sa/ikev2/mediation_manager.c' || echo '$(srcdir)/'`sa/ikev2/mediation_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mediation_manager.Tpo $(DEPDIR)/mediation_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/mediation_manager.c' object='mediation_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.lo `test -f 'sa/mediation_manager.c' || echo '$(srcdir)/'`sa/mediation_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mediation_manager.lo `test -f 'sa/ikev2/mediation_manager.c' || echo '$(srcdir)/'`sa/ikev2/mediation_manager.c
 
-ike_me.lo: sa/tasks/ike_me.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.lo -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.lo `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_me.c' object='ike_me.lo' libtool=yes @AMDEPBACKSLASH@
+ike_me.lo: sa/ikev2/tasks/ike_me.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_me.lo -MD -MP -MF $(DEPDIR)/ike_me.Tpo -c -o ike_me.lo `test -f 'sa/ikev2/tasks/ike_me.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_me.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ike_me.Tpo $(DEPDIR)/ike_me.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sa/ikev2/tasks/ike_me.c' object='ike_me.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.lo `test -f 'sa/tasks/ike_me.c' || echo '$(srcdir)/'`sa/tasks/ike_me.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_me.lo `test -f 'sa/ikev2/tasks/ike_me.c' || echo '$(srcdir)/'`sa/ikev2/tasks/ike_me.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -1806,13 +2210,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -1850,10 +2251,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index bf0ab2286..b46184809 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2011-2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,8 +20,8 @@
 
 #include <threading/thread.h>
 #include <threading/thread_value.h>
-#include <threading/condvar.h>
 #include <threading/mutex.h>
+#include <threading/rwlock.h>
 
 typedef struct private_bus_t private_bus_t;
 
@@ -34,16 +35,39 @@ struct private_bus_t {
 	bus_t public;
 
 	/**
-	 * List of registered listeners as entry_t's
+	 * List of registered listeners as entry_t.
 	 */
 	linked_list_t *listeners;
 
 	/**
-	 * mutex to synchronize active listeners, recursively
+	 * List of registered loggers for each log group as log_entry_t.
+	 * Loggers are ordered by descending log level.
+	 * The extra list stores all loggers so we can properly unregister them.
+	 */
+	linked_list_t *loggers[DBG_MAX + 1];
+
+	/**
+	 * Maximum log level of any registered logger for each log group.
+	 * This allows to check quickly if a log message has to be logged at all.
+	 */
+	level_t max_level[DBG_MAX + 1];
+
+	/**
+	 * Same as max level, but for loggers using the vlog() method.
+	 */
+	level_t max_vlevel[DBG_MAX + 1];
+
+	/**
+	 * Mutex for the list of listeners, recursively.
 	 */
 	mutex_t *mutex;
 
 	/**
+	 * Read-write lock for the list of loggers.
+	 */
+	rwlock_t *log_lock;
+
+	/**
 	 * Thread local storage the threads IKE_SA
 	 */
 	thread_value_t *thread_sa;
@@ -52,7 +76,7 @@ struct private_bus_t {
 typedef struct entry_t entry_t;
 
 /**
- * a listener entry, either active or passive
+ * a listener entry
  */
 struct entry_t {
 
@@ -62,50 +86,42 @@ struct entry_t {
 	listener_t *listener;
 
 	/**
-	 * is this a active listen() call with a blocking thread
-	 */
-	bool blocker;
-
-	/**
 	 * are we currently calling this listener
 	 */
 	int calling;
 
-	/**
-	 * condvar where active listeners wait
-	 */
-	condvar_t *condvar;
 };
 
+typedef struct log_entry_t log_entry_t;
+
 /**
- * create a listener entry
+ * a logger entry
  */
-static entry_t *entry_create(listener_t *listener, bool blocker)
-{
-	entry_t *this = malloc_thing(entry_t);
+struct log_entry_t {
 
-	this->listener = listener;
-	this->blocker = blocker;
-	this->calling = 0;
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
+	/**
+	 * registered logger interface
+	 */
+	logger_t *logger;
 
-	return this;
-}
+	/**
+	 * registered log levels per group
+	 */
+	level_t levels[DBG_MAX];
 
-/**
- * destroy an entry_t
- */
-static void entry_destroy(entry_t *entry)
-{
-	entry->condvar->destroy(entry->condvar);
-	free(entry);
-}
+};
 
 METHOD(bus_t, add_listener, void,
 	private_bus_t *this, listener_t *listener)
 {
+	entry_t *entry;
+
+	INIT(entry,
+		.listener = listener,
+	);
+
 	this->mutex->lock(this->mutex);
-	this->listeners->insert_last(this->listeners, entry_create(listener, FALSE));
+	this->listeners->insert_last(this->listeners, entry);
 	this->mutex->unlock(this->mutex);
 }
 
@@ -122,7 +138,7 @@ METHOD(bus_t, remove_listener, void,
 		if (entry->listener == listener)
 		{
 			this->listeners->remove_at(this->listeners, enumerator);
-			entry_destroy(entry);
+			free(entry);
 			break;
 		}
 	}
@@ -130,74 +146,117 @@ METHOD(bus_t, remove_listener, void,
 	this->mutex->unlock(this->mutex);
 }
 
-typedef struct cleanup_data_t cleanup_data_t;
-
 /**
- * data to remove a listener using thread_cleanup_t handler
+ * Register a logger on the given log group according to the requested level
  */
-struct cleanup_data_t {
-	/** bus instance */
-	private_bus_t *this;
-	/** listener entry */
-	entry_t *entry;
-};
-
-/**
- * thread_cleanup_t handler to remove a listener
- */
-static void listener_cleanup(cleanup_data_t *data)
+static inline void register_logger(private_bus_t *this, debug_t group,
+								   log_entry_t *entry)
 {
-	data->this->listeners->remove(data->this->listeners, data->entry, NULL);
-	entry_destroy(data->entry);
+	enumerator_t *enumerator;
+	linked_list_t *loggers;
+	log_entry_t *current;
+	level_t level;
+
+	loggers = this->loggers[group];
+	level = entry->levels[group];
+
+	enumerator = loggers->create_enumerator(loggers);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (current->levels[group] <= level)
+		{
+			break;
+		}
+	}
+	loggers->insert_before(loggers, enumerator, entry);
+	enumerator->destroy(enumerator);
+
+	if (entry->logger->log)
+	{
+		this->max_level[group] = max(this->max_level[group], level);
+	}
+	if (entry->logger->vlog)
+	{
+		this->max_vlevel[group] = max(this->max_vlevel[group], level);
+	}
 }
 
-METHOD(bus_t, listen_, bool,
-	private_bus_t *this, listener_t *listener, job_t *job, u_int timeout)
+/**
+ * Unregister a logger from all log groups (destroys the log_entry_t)
+ */
+static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 {
-	bool old, timed_out = FALSE;
-	cleanup_data_t data;
-	timeval_t tv, add;
+	enumerator_t *enumerator;
+	linked_list_t *loggers;
+	log_entry_t *entry, *found = NULL;
 
-	if (timeout)
+	loggers = this->loggers[DBG_MAX];
+	enumerator = loggers->create_enumerator(loggers);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		add.tv_sec = timeout / 1000;
-		add.tv_usec = (timeout - (add.tv_sec * 1000)) * 1000;
-		time_monotonic(&tv);
-		timeradd(&tv, &add, &tv);
+		if (entry->logger == logger)
+		{
+			loggers->remove_at(loggers, enumerator);
+			found = entry;
+			break;
+		}
 	}
+	enumerator->destroy(enumerator);
 
-	data.this = this;
-	data.entry = entry_create(listener, TRUE);
-
-	this->mutex->lock(this->mutex);
-	this->listeners->insert_last(this->listeners, data.entry);
-	lib->processor->queue_job(lib->processor, job);
-	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-	thread_cleanup_push((thread_cleanup_t)listener_cleanup, &data);
-	old = thread_cancelability(TRUE);
-	while (data.entry->blocker)
+	if (found)
 	{
-		if (timeout)
+		debug_t group;
+
+		for (group = 0; group < DBG_MAX; group++)
 		{
-			if (data.entry->condvar->timed_wait_abs(data.entry->condvar,
-												    this->mutex, tv))
+			if (found->levels[group] > LEVEL_SILENT)
 			{
-				this->listeners->remove(this->listeners, data.entry, NULL);
-				timed_out = TRUE;
-				break;
+				loggers = this->loggers[group];
+				loggers->remove(loggers, found, NULL);
+
+				this->max_level[group] = LEVEL_SILENT;
+				this->max_vlevel[group] = LEVEL_SILENT;
+				if (loggers->get_first(loggers, (void**)&entry) == SUCCESS)
+				{
+					this->max_level[group] = entry->levels[group];
+					this->max_vlevel[group] = entry->levels[group];
+				}
 			}
 		}
-		else
+		free(found);
+	}
+}
+
+METHOD(bus_t, add_logger, void,
+	private_bus_t *this, logger_t *logger)
+{
+	log_entry_t *entry;
+	debug_t group;
+
+	INIT(entry,
+		.logger = logger,
+	);
+
+	this->log_lock->write_lock(this->log_lock);
+	unregister_logger(this, logger);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		entry->levels[group] = logger->get_level(logger, group);
+		if (entry->levels[group] > LEVEL_SILENT)
 		{
-			data.entry->condvar->wait(data.entry->condvar, this->mutex);
+			register_logger(this, group, entry);
 		}
 	}
-	thread_cancelability(old);
-	thread_cleanup_pop(FALSE);
-	/* unlock mutex */
-	thread_cleanup_pop(TRUE);
-	entry_destroy(data.entry);
-	return timed_out;
+	this->loggers[DBG_MAX]->insert_last(this->loggers[DBG_MAX], entry);
+	this->log_lock->unlock(this->log_lock);
+}
+
+METHOD(bus_t, remove_logger, void,
+	private_bus_t *this, logger_t *logger)
+{
+	this->log_lock->write_lock(this->log_lock);
+	unregister_logger(this, logger);
+	this->log_lock->unlock(this->log_lock);
 }
 
 METHOD(bus_t, set_sa, void,
@@ -224,66 +283,94 @@ typedef struct {
 	debug_t group;
 	/** debug level */
 	level_t level;
-	/** format string */
-	char *format;
-	/** argument list */
+	/** message/fmt */
+	char *message;
+	/** argument list if message is a format string for vlog() */
 	va_list args;
 } log_data_t;
 
 /**
- * listener->log() invocation as a list remove callback
+ * logger->log() invocation as a invoke_function callback
  */
-static bool log_cb(entry_t *entry, log_data_t *data)
+static void log_cb(log_entry_t *entry, log_data_t *data)
 {
-	va_list args;
-
-	if (entry->calling || !entry->listener->log)
-	{	/* avoid recursive calls */
-		return FALSE;
+	if (entry->logger->log && entry->levels[data->group] >= data->level)
+	{
+		entry->logger->log(entry->logger, data->group, data->level,
+						   data->thread, data->ike_sa, data->message);
 	}
-	entry->calling++;
-	va_copy(args, data->args);
-	if (!entry->listener->log(entry->listener, data->group, data->level,
-							  data->thread, data->ike_sa, data->format, args))
+}
+
+/**
+ * logger->vlog() invocation as a invoke_function callback
+ */
+static void vlog_cb(log_entry_t *entry, log_data_t *data)
+{
+	if (entry->logger->vlog && entry->levels[data->group] >= data->level)
 	{
-		if (entry->blocker)
-		{
-			entry->blocker = FALSE;
-			entry->condvar->signal(entry->condvar);
-			entry->calling--;
-		}
-		else
-		{
-			entry_destroy(entry);
-		}
-		va_end(args);
-		return TRUE;
+		va_list copy;
+
+		va_copy(copy, data->args);
+		entry->logger->vlog(entry->logger, data->group, data->level,
+							data->thread, data->ike_sa, data->message, copy);
+		va_end(copy);
 	}
-	va_end(args);
-	entry->calling--;
-	return FALSE;
 }
 
 METHOD(bus_t, vlog, void,
 	private_bus_t *this, debug_t group, level_t level,
 	char* format, va_list args)
 {
+	linked_list_t *loggers;
 	log_data_t data;
 
-	data.ike_sa = this->thread_sa->get(this->thread_sa);
-	data.thread = thread_current_id();
-	data.group = group;
-	data.level = level;
-	data.format = format;
-	va_copy(data.args, args);
+	this->log_lock->read_lock(this->log_lock);
+	loggers = this->loggers[group];
 
-	this->mutex->lock(this->mutex);
-	/* We use the remove() method to invoke all listeners. This is cheap and
-	 * does not require an allocation for this performance critical function. */
-	this->listeners->remove(this->listeners, &data, (void*)log_cb);
-	this->mutex->unlock(this->mutex);
+	if (this->max_level[group] >= level)
+	{
+		char buf[1024];
+		ssize_t len;
+
+		data.ike_sa = this->thread_sa->get(this->thread_sa);
+		data.thread = thread_current_id();
+		data.group = group;
+		data.level = level;
+		data.message = buf;
+
+		va_copy(data.args, args);
+		len = vsnprintf(data.message, sizeof(buf), format, data.args);
+		va_end(data.args);
+		if (len >= sizeof(buf))
+		{
+			len++;
+			data.message = malloc(len);
+			len = vsnprintf(data.message, len, format, args);
+		}
+		if (len > 0)
+		{
+			loggers->invoke_function(loggers, (linked_list_invoke_t)log_cb,
+									 &data);
+		}
+		if (data.message != buf)
+		{
+			free(data.message);
+		}
+	}
+	if (this->max_vlevel[group] >= level)
+	{
+		data.ike_sa = this->thread_sa->get(this->thread_sa);
+		data.thread = thread_current_id();
+		data.group = group;
+		data.level = level;
+		data.message = format;
+
+		va_copy(data.args, args);
+		loggers->invoke_function(loggers, (linked_list_invoke_t)vlog_cb, &data);
+		va_end(data.args);
+	}
 
-	va_end(data.args);
+	this->log_lock->unlock(this->log_lock);
 }
 
 METHOD(bus_t, log_, void,
@@ -299,19 +386,11 @@ METHOD(bus_t, log_, void,
 /**
  * unregister a listener
  */
-static void unregister_listener(private_bus_t *this, entry_t *entry,
-								enumerator_t *enumerator)
+static inline void unregister_listener(private_bus_t *this, entry_t *entry,
+									   enumerator_t *enumerator)
 {
-	if (entry->blocker)
-	{
-		entry->blocker = FALSE;
-		entry->condvar->signal(entry->condvar);
-	}
-	else
-	{
-		entry_destroy(entry);
-	}
 	this->listeners->remove_at(this->listeners, enumerator);
+	free(entry);
 }
 
 METHOD(bus_t, alert, void,
@@ -406,7 +485,7 @@ METHOD(bus_t, child_state_change, void,
 }
 
 METHOD(bus_t, message, void,
-	private_bus_t *this, message_t *message, bool incoming)
+	private_bus_t *this, message_t *message, bool incoming, bool plain)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
@@ -425,7 +504,7 @@ METHOD(bus_t, message, void,
 		}
 		entry->calling++;
 		keep = entry->listener->message(entry->listener, ike_sa,
-										message, incoming);
+										message, incoming, plain);
 		entry->calling--;
 		if (!keep)
 		{
@@ -438,7 +517,8 @@ METHOD(bus_t, message, void,
 
 METHOD(bus_t, ike_keys, void,
 	private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
-	chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey)
+	chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
+	ike_sa_t *rekey, shared_key_t *shared)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -453,8 +533,8 @@ METHOD(bus_t, ike_keys, void,
 			continue;
 		}
 		entry->calling++;
-		keep = entry->listener->ike_keys(entry->listener, ike_sa, dh,
-										 nonce_i, nonce_r, rekey);
+		keep = entry->listener->ike_keys(entry->listener, ike_sa, dh, dh_other,
+										 nonce_i, nonce_r, rekey, shared);
 		entry->calling--;
 		if (!keep)
 		{
@@ -485,8 +565,8 @@ METHOD(bus_t, child_keys, void,
 			continue;
 		}
 		entry->calling++;
-		keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
-										   initiator, dh, nonce_i, nonce_r);
+		keep = entry->listener->child_keys(entry->listener, ike_sa,
+								child_sa, initiator, dh, nonce_i, nonce_r);
 		entry->calling--;
 		if (!keep)
 		{
@@ -547,7 +627,8 @@ METHOD(bus_t, child_rekey, void,
 			continue;
 		}
 		entry->calling++;
-		keep = entry->listener->child_rekey(entry->listener, ike_sa, old, new);
+		keep = entry->listener->child_rekey(entry->listener, ike_sa,
+											old, new);
 		entry->calling--;
 		if (!keep)
 		{
@@ -626,6 +707,33 @@ METHOD(bus_t, ike_rekey, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(bus_t, ike_reestablish, void,
+	private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->ike_reestablish)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->ike_reestablish(entry->listener, old, new);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(bus_t, authorize, bool,
 	private_bus_t *this, bool final)
 {
@@ -659,6 +767,10 @@ METHOD(bus_t, authorize, bool,
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
+	if (!success)
+	{
+		alert(this, ALERT_AUTHORIZATION_FAILED);
+	}
 	return success;
 }
 
@@ -694,12 +806,74 @@ METHOD(bus_t, narrow, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(bus_t, assign_vips, void,
+	private_bus_t *this, ike_sa_t *ike_sa, bool assign)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool keep;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->calling || !entry->listener->assign_vips)
+		{
+			continue;
+		}
+		entry->calling++;
+		keep = entry->listener->assign_vips(entry->listener, ike_sa, assign);
+		entry->calling--;
+		if (!keep)
+		{
+			unregister_listener(this, entry, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Credential manager hook function to forward bus alerts
+ */
+static void hook_creds(private_bus_t *this, credential_hook_type_t type,
+					   certificate_t *cert)
+{
+	switch (type)
+	{
+		case CRED_HOOK_EXPIRED:
+			return alert(this, ALERT_CERT_EXPIRED, cert);
+		case CRED_HOOK_REVOKED:
+			return alert(this, ALERT_CERT_REVOKED, cert);
+		case CRED_HOOK_VALIDATION_FAILED:
+			return alert(this, ALERT_CERT_VALIDATION_FAILED, cert);
+		case CRED_HOOK_NO_ISSUER:
+			return alert(this, ALERT_CERT_NO_ISSUER, cert);
+		case CRED_HOOK_UNTRUSTED_ROOT:
+			return alert(this, ALERT_CERT_UNTRUSTED_ROOT, cert);
+		case CRED_HOOK_EXCEEDED_PATH_LEN:
+			return alert(this, ALERT_CERT_EXCEEDED_PATH_LEN, cert);
+		case CRED_HOOK_POLICY_VIOLATION:
+			return alert(this, ALERT_CERT_POLICY_VIOLATION, cert);
+	}
+}
+
 METHOD(bus_t, destroy, void,
 	private_bus_t *this)
 {
+	debug_t group;
+
+	lib->credmgr->set_hook(lib->credmgr, NULL, NULL);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		this->loggers[group]->destroy(this->loggers[group]);
+	}
+	this->loggers[DBG_MAX]->destroy_function(this->loggers[DBG_MAX],
+											 (void*)free);
+	this->listeners->destroy_function(this->listeners, (void*)free);
 	this->thread_sa->destroy(this->thread_sa);
+	this->log_lock->destroy(this->log_lock);
 	this->mutex->destroy(this->mutex);
-	this->listeners->destroy_function(this->listeners, (void*)entry_destroy);
 	free(this);
 }
 
@@ -709,12 +883,14 @@ METHOD(bus_t, destroy, void,
 bus_t *bus_create()
 {
 	private_bus_t *this;
+	debug_t group;
 
 	INIT(this,
 		.public = {
 			.add_listener = _add_listener,
 			.remove_listener = _remove_listener,
-			.listen = _listen_,
+			.add_logger = _add_logger,
+			.remove_logger = _remove_logger,
 			.set_sa = _set_sa,
 			.get_sa = _get_sa,
 			.log = _log_,
@@ -727,17 +903,28 @@ bus_t *bus_create()
 			.child_keys = _child_keys,
 			.ike_updown = _ike_updown,
 			.ike_rekey = _ike_rekey,
+			.ike_reestablish = _ike_reestablish,
 			.child_updown = _child_updown,
 			.child_rekey = _child_rekey,
 			.authorize = _authorize,
 			.narrow = _narrow,
+			.assign_vips = _assign_vips,
 			.destroy = _destroy,
 		},
 		.listeners = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+		.log_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.thread_sa = thread_value_create(NULL),
 	);
 
+	for (group = 0; group <= DBG_MAX; group++)
+	{
+		this->loggers[group] = linked_list_create();
+		this->max_level[group] = LEVEL_SILENT;
+		this->max_vlevel[group] = LEVEL_SILENT;
+	}
+
+	lib->credmgr->set_hook(lib->credmgr, (credential_hook_t)hook_creds, this);
+
 	return &this->public;
 }
-
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 69060d383..4a0ac68e3 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -27,10 +28,11 @@ typedef struct bus_t bus_t;
 
 #include <stdarg.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <sa/ike_sa.h>
 #include <sa/child_sa.h>
 #include <processing/jobs/job.h>
+#include <bus/listeners/logger.h>
 #include <bus/listeners/listener.h>
 
 /* undefine the definitions from libstrongswan */
@@ -84,10 +86,70 @@ enum alert_t {
 	ALERT_RADIUS_NOT_RESPONDING,
 	/** a shutdown signal has been received, argument is the signal (int) */
 	ALERT_SHUTDOWN_SIGNAL,
+	/** local peer authentication failed (by us or by peer), no arguments */
+	ALERT_LOCAL_AUTH_FAILED,
 	/** peer authentication failed, no arguments */
 	ALERT_PEER_AUTH_FAILED,
 	/** failed to resolve peer address, no arguments */
 	ALERT_PEER_ADDR_FAILED,
+	/** peer did not respond to initial message, current try (int, 0-based) */
+	ALERT_PEER_INIT_UNREACHABLE,
+	/** received IKE message with invalid SPI, argument is message_t* */
+	ALERT_INVALID_IKE_SPI,
+	/** received IKE message with invalid header, argument is message_t* */
+	ALERT_PARSE_ERROR_HEADER,
+	/** received IKE message with invalid body, argument is message_t*,
+	 *  followed by a status_t result returned by message_t.parse_body(). */
+	ALERT_PARSE_ERROR_BODY,
+	/** sending a retransmit for a message, argument is packet_t */
+	ALERT_RETRANSMIT_SEND,
+	/** sending retransmits timed out, argument is packet_t, if available */
+	ALERT_RETRANSMIT_SEND_TIMEOUT,
+	/** received a retransmit for a message, argument is message_t */
+	ALERT_RETRANSMIT_RECEIVE,
+	/** received half-open timeout before IKE_SA established, no argument */
+	ALERT_HALF_OPEN_TIMEOUT,
+	/** IKE proposals do not match, argument is linked_list_t of proposal_t */
+	ALERT_PROPOSAL_MISMATCH_IKE,
+	/** CHILD proposals do not match, argument is linked_list_t of proposal_t */
+	ALERT_PROPOSAL_MISMATCH_CHILD,
+	/** traffic selectors do not match, arguments are two linked_list_t
+	 *  containing traffic_selector_t for initiator and for responder */
+	ALERT_TS_MISMATCH,
+	/** traffic selectors have been narrowed by the peer, arguments are
+	 *  an int (TRUE for local TS), a linked_list_t* (final TS list), and the
+	 *  child_cfg_t*. */
+	ALERT_TS_NARROWED,
+	/** Installation of IPsec SAs failed, argument is child_sa_t */
+	ALERT_INSTALL_CHILD_SA_FAILED,
+	/** Installation of IPsec Policy failed, argument is child_sa_t */
+	ALERT_INSTALL_CHILD_POLICY_FAILED,
+	/** IKE_SA deleted because of "replace" unique policy, no argument */
+	ALERT_UNIQUE_REPLACE,
+	/** IKE_SA deleted because of "keep" unique policy, no argument */
+	ALERT_UNIQUE_KEEP,
+	/** IKE_SA kept on failed child SA establishment, no argument */
+	ALERT_KEEP_ON_CHILD_SA_FAILURE,
+	/** allocating virtual IP failed, linked_list_t of host_t requested */
+	ALERT_VIP_FAILURE,
+	/** an authorize() hook failed, no argument */
+	ALERT_AUTHORIZATION_FAILED,
+	/** IKE_SA hit the hard lifetime limit before it could be rekeyed */
+	ALERT_IKE_SA_EXPIRED,
+	/** Certificate rejected; it has expired, certificate_t */
+	ALERT_CERT_EXPIRED,
+	/** Certificate rejected; it has been revoked, certificate_t */
+	ALERT_CERT_REVOKED,
+	/** Validating certificate status failed, certificate_t */
+	ALERT_CERT_VALIDATION_FAILED,
+	/** Certificate rejected; no trusted issuer found, certificate_t */
+	ALERT_CERT_NO_ISSUER,
+	/** Certificate rejected; root not trusted, certificate_t */
+	ALERT_CERT_UNTRUSTED_ROOT,
+	/** Certificate rejected; trustchain length exceeds limit, certificate_t */
+	ALERT_CERT_EXCEEDED_PATH_LEN,
+	/** Certificate rejected; other policy violation, certificate_t */
+	ALERT_CERT_POLICY_VIOLATION,
 };
 
 /**
@@ -109,6 +171,8 @@ enum narrow_hook_t {
 	NARROW_INITIATOR_PRE_AUTH,
 	/** invoked as responder during exchange, peer is authenticated */
 	NARROW_RESPONDER,
+	/** invoked as responder after exchange, peer is authenticated */
+	NARROW_RESPONDER_POST,
 	/** invoked as initiator after exchange, follows a INITIATOR_PRE_NOAUTH */
 	NARROW_INITIATOR_POST_NOAUTH,
 	/** invoked as initiator after exchange, follows a INITIATOR_PRE_AUTH */
@@ -118,8 +182,7 @@ enum narrow_hook_t {
 /**
  * The bus receives events and sends them to all registered listeners.
  *
- * Any events sent to are delivered to all registered listeners. Threads
- * may wait actively to events using the blocking listen() call.
+ * Loggers are handled separately.
  */
 struct bus_t {
 
@@ -142,26 +205,37 @@ struct bus_t {
 	void (*remove_listener) (bus_t *this, listener_t *listener);
 
 	/**
-	 * Register a listener and block the calling thread.
+	 * Register a logger with the bus.
 	 *
-	 * This call registers a listener and blocks the calling thread until
-	 * its listeners function returns FALSE. This allows to wait for certain
-	 * events. The associated job is executed after the listener has been
-	 * registered: This allows to listen on events we initiate with the job,
-	 * without missing any events to job may fire.
+	 * The logger is passive; the thread which emitted the event
+	 * processes the logger routine.  This routine may be called concurrently
+	 * by multiple threads.  Recursive calls are not prevented, so logger that
+	 * may cause recursive calls are responsible to avoid infinite loops.
 	 *
-	 * @param listener	listener to register
-	 * @param job		job to execute asynchronously when registered, or NULL
-	 * @param timeout	max timeout in ms to listen for events, 0 to disable
-	 * @return			TRUE if timed out
+	 * During registration get_level() is called for all log groups and the
+	 * logger is registered to receive log messages for groups for which
+	 * the requested log level is > LEVEL_SILENT and whose level is lower
+	 * or equal than the requested level.
+	 *
+	 * To update the registered log levels call add_logger again with the
+	 * same logger and return the new levels from get_level().
+	 *
+	 * @param logger	logger to register.
 	 */
-	bool (*listen)(bus_t *this, listener_t *listener, job_t *job, u_int timeout);
+	void (*add_logger) (bus_t *this, logger_t *logger);
+
+	/**
+	 * Unregister a logger from the bus.
+	 *
+	 * @param logger	logger to unregister.
+	 */
+	void (*remove_logger) (bus_t *this, logger_t *logger);
 
 	/**
 	 * Set the IKE_SA the calling thread is using.
 	 *
-	 * To associate an received log message to an IKE_SA without passing it as
-	 * parameter each time, the thread registers the currenlty used IKE_SA
+	 * To associate a received log message with an IKE_SA without passing it as
+	 * parameter each time, the thread registers the currently used IKE_SA
 	 * during check-out. Before check-in, the thread unregisters the IKE_SA.
 	 * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
 	 * registered.
@@ -183,9 +257,8 @@ struct bus_t {
 	/**
 	 * Send a log message to the bus.
 	 *
-	 * The signal specifies the type of the event occurred. The format string
-	 * specifies an additional informational or error message with a
-	 * printf() like variable argument list.
+	 * The format string specifies an additional informational or error
+	 * message with a printf() like variable argument list.
 	 * Use the DBG() macros.
 	 *
 	 * @param group		debugging group
@@ -198,7 +271,7 @@ struct bus_t {
 	/**
 	 * Send a log message to the bus using va_list arguments.
 	 *
-	 * Same as bus_t.signal(), but uses va_list argument list.
+	 * Same as bus_t.log(), but uses va_list argument list.
 	 *
 	 * @param group		kind of the signal (up, down, rekeyed, ...)
 	 * @param level		verbosity level of the signal
@@ -212,7 +285,7 @@ struct bus_t {
 	 * Raise an alert over the bus.
 	 *
 	 * @param alert		kind of alert
-	 * @param ...		alert specific attributes
+	 * @param ...		alert specific arguments
 	 */
 	void (*alert)(bus_t *this, alert_t alert, ...);
 
@@ -235,10 +308,14 @@ struct bus_t {
 	/**
 	 * Message send/receive hook.
 	 *
+	 * The hook is invoked twice for each message: Once with plain, parsed data
+	 * and once encoded and encrypted.
+	 *
 	 * @param message	message to send/receive
 	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
+	 * @param plain		TRUE if message is parsed and decrypted, FALSE it not
 	 */
-	void (*message)(bus_t *this, message_t *message, bool incoming);
+	void (*message)(bus_t *this, message_t *message, bool incoming, bool plain);
 
 	/**
 	 * IKE_SA authorization hook.
@@ -264,12 +341,16 @@ struct bus_t {
 	 *
 	 * @param ike_sa	IKE_SA this keymat belongs to
 	 * @param dh		diffie hellman shared secret
+	 * @param dh_other	others DH public value (IKEv1 only)
 	 * @param nonce_i	initiators nonce
 	 * @param nonce_r	responders nonce
-	 * @param rekey		IKE_SA we are rekeying, if any
+	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
+	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
 	 */
 	void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
-					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+					 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
+					 ike_sa_t *rekey, shared_key_t *shared);
+
 	/**
 	 * CHILD_SA keymat hook.
 	 *
@@ -299,6 +380,14 @@ struct bus_t {
 	void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
 
 	/**
+	 * IKE_SA reestablishing hook.
+	 *
+	 * @param old		reestablished and obsolete IKE_SA
+	 * @param new		new IKE_SA replacing old
+	 */
+	void (*ike_reestablish)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
+
+	/**
 	 * CHILD_SA up/down hook.
 	 *
 	 * @param child_sa	CHILD_SA coming up/going down
@@ -315,6 +404,14 @@ struct bus_t {
 	void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
 
 	/**
+	 * Virtual IP assignment hook.
+	 *
+	 * @param ike_sa	IKE_SA the VIPs are assigned to
+	 * @param assign	TRUE if assigned to IKE_SA, FALSE if released
+	 */
+	void (*assign_vips)(bus_t *this, ike_sa_t *ike_sa, bool assign);
+
+	/**
 	 * Destroy the event bus.
 	 */
 	void (*destroy) (bus_t *this);
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 36d18619a..68a386d11 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,9 +17,15 @@
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
 
 #include "file_logger.h"
 
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <threading/rwlock.h>
 
 typedef struct private_file_logger_t private_file_logger_t;
 
@@ -33,7 +40,12 @@ struct private_file_logger_t {
 	file_logger_t public;
 
 	/**
-	 * output file
+	 * File name of the target
+	 */
+	char *filename;
+
+	/**
+	 * Current output file
 	 */
 	FILE *out;
 
@@ -51,74 +63,99 @@ struct private_file_logger_t {
 	 * Print the name/# of the IKE_SA?
 	 */
 	bool ike_name;
+
+	/**
+	 * Mutex to ensure multi-line log messages are not torn apart
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Lock to read/write options (FD, levels, time_format, etc.)
+	 */
+	rwlock_t *lock;
 };
 
-METHOD(listener_t, log_, bool,
-	   private_file_logger_t *this, debug_t group, level_t level, int thread,
-	   ike_sa_t* ike_sa, char *format, va_list args)
+METHOD(logger_t, log_, void,
+	private_file_logger_t *this, debug_t group, level_t level, int thread,
+	ike_sa_t* ike_sa, const char *message)
 {
-	if (level <= this->levels[group])
-	{
-		char buffer[8192], timestr[128], namestr[128] = "";
-		char *current = buffer, *next;
-		struct tm tm;
-		time_t t;
+	char timestr[128], namestr[128] = "";
+	const char *current = message, *next;
+	struct tm tm;
+	time_t t;
 
-		if (this->time_format)
+	this->lock->read_lock(this->lock);
+	if (!this->out)
+	{	/* file is not open */
+		this->lock->unlock(this->lock);
+		return;
+	}
+	if (this->time_format)
+	{
+		t = time(NULL);
+		localtime_r(&t, &tm);
+		strftime(timestr, sizeof(timestr), this->time_format, &tm);
+	}
+	if (this->ike_name && ike_sa)
+	{
+		if (ike_sa->get_peer_cfg(ike_sa))
 		{
-			t = time(NULL);
-			localtime_r(&t, &tm);
-			strftime(timestr, sizeof(timestr), this->time_format, &tm);
+			snprintf(namestr, sizeof(namestr), " <%s|%d>",
+				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 		}
-		if (this->ike_name && ike_sa)
+		else
+		{
+			snprintf(namestr, sizeof(namestr), " <%d>",
+				ike_sa->get_unique_id(ike_sa));
+		}
+	}
+	else
+	{
+		namestr[0] = '\0';
+	}
+
+	/* prepend a prefix in front of every line */
+	this->mutex->lock(this->mutex);
+	while (TRUE)
+	{
+		next = strchr(current, '\n');
+		if (this->time_format)
 		{
-			if (ike_sa->get_peer_cfg(ike_sa))
-			{
-				snprintf(namestr, sizeof(namestr), " <%s|%d>",
-					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
-			}
-			else
-			{
-				snprintf(namestr, sizeof(namestr), " <%d>",
-					ike_sa->get_unique_id(ike_sa));
-			}
+			fprintf(this->out, "%s %.2d[%N]%s ",
+					timestr, thread, debug_names, group, namestr);
 		}
 		else
 		{
-			namestr[0] = '\0';
+			fprintf(this->out, "%.2d[%N]%s ",
+					thread, debug_names, group, namestr);
 		}
-
-		/* write in memory buffer first */
-		vsnprintf(buffer, sizeof(buffer), format, args);
-
-		/* prepend a prefix in front of every line */
-		while (current)
+		if (next == NULL)
 		{
-			next = strchr(current, '\n');
-			if (next)
-			{
-				*(next++) = '\0';
-			}
-			if (this->time_format)
-			{
-				fprintf(this->out, "%s %.2d[%N]%s %s\n",
-						timestr, thread, debug_names, group, namestr, current);
-			}
-			else
-			{
-				fprintf(this->out, "%.2d[%N]%s %s\n",
-						thread, debug_names, group, namestr, current);
-			}
-			current = next;
+			fprintf(this->out, "%s\n", current);
+			break;
 		}
+		fprintf(this->out, "%.*s\n", (int)(next - current), current);
+		current = next + 1;
 	}
-	/* always stay registered */
-	return TRUE;
+	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(logger_t, get_level, level_t,
+	private_file_logger_t *this, debug_t group)
+{
+	level_t level;
+
+	this->lock->read_lock(this->lock);
+	level = this->levels[group];
+	this->lock->unlock(this->lock);
+	return level;
 }
 
 METHOD(file_logger_t, set_level, void,
-	   private_file_logger_t *this, debug_t group, level_t level)
+	private_file_logger_t *this, debug_t group, level_t level)
 {
+	this->lock->write_lock(this->lock);
 	if (group < DBG_ANY)
 	{
 		this->levels[group] = level;
@@ -130,40 +167,101 @@ METHOD(file_logger_t, set_level, void,
 			this->levels[group] = level;
 		}
 	}
+	this->lock->unlock(this->lock);
 }
 
-METHOD(file_logger_t, destroy, void,
-	   private_file_logger_t *this)
+METHOD(file_logger_t, set_options, void,
+	private_file_logger_t *this, char *time_format, bool ike_name)
+{
+	this->lock->write_lock(this->lock);
+	free(this->time_format);
+	this->time_format = strdupnull(time_format);
+	this->ike_name = ike_name;
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Close the current file, if any
+ */
+static void close_file(private_file_logger_t *this)
 {
-	if (this->out != stdout && this->out != stderr)
+	if (this->out && this->out != stdout && this->out != stderr)
 	{
 		fclose(this->out);
+		this->out = NULL;
+	}
+}
+
+METHOD(file_logger_t, open_, void,
+	private_file_logger_t *this, bool flush_line, bool append)
+{
+	FILE *file;
+
+	if (streq(this->filename, "stderr"))
+	{
+		file = stderr;
 	}
+	else if (streq(this->filename, "stdout"))
+	{
+		file = stdout;
+	}
+	else
+	{
+		file = fopen(this->filename, append ? "a" : "w");
+		if (file == NULL)
+		{
+			DBG1(DBG_DMN, "opening file %s for logging failed: %s",
+				 this->filename, strerror(errno));
+			return;
+		}
+		if (flush_line)
+		{
+			setlinebuf(file);
+		}
+	}
+	this->lock->write_lock(this->lock);
+	close_file(this);
+	this->out = file;
+	this->lock->unlock(this->lock);
+}
+
+METHOD(file_logger_t, destroy, void,
+	private_file_logger_t *this)
+{
+	this->lock->write_lock(this->lock);
+	close_file(this);
+	this->lock->unlock(this->lock);
+	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
+	free(this->time_format);
+	free(this->filename);
 	free(this);
 }
 
 /*
  * Described in header.
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
+file_logger_t *file_logger_create(char *filename)
 {
 	private_file_logger_t *this;
 
 	INIT(this,
 		.public = {
-			.listener = {
+			.logger = {
 				.log = _log_,
+				.get_level = _get_level,
 			},
 			.set_level = _set_level,
+			.set_options = _set_options,
+			.open = _open_,
 			.destroy = _destroy,
 		},
-		.out = out,
-		.time_format = time_format,
-		.ike_name = ike_name,
+		.filename = strdup(filename),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
 
 	set_level(this, DBG_ANY, LEVEL_SILENT);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
index d02f1701d..9e5aed50b 100644
--- a/src/libcharon/bus/listeners/file_logger.h
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,7 +22,7 @@
 #ifndef FILE_LOGGER_H_
 #define FILE_LOGGER_H_
 
-#include <bus/listeners/listener.h>
+#include <bus/listeners/logger.h>
 
 typedef struct file_logger_t file_logger_t;
 
@@ -31,9 +32,9 @@ typedef struct file_logger_t file_logger_t;
 struct file_logger_t {
 
 	/**
-	 * Implements the listener_t interface.
+	 * Implements the logger_t interface.
 	 */
-	listener_t listener;
+	logger_t logger;
 
 	/**
 	 * Set the loglevel for a debug group.
@@ -44,6 +45,22 @@ struct file_logger_t {
 	void (*set_level) (file_logger_t *this, debug_t group, level_t level);
 
 	/**
+	 * Set options used by this logger
+	 *
+	 * @param time_format	format of timestamp prefix, as in strftime(), cloned
+	 * @param ike_name		TRUE to prefix the name of the IKE_SA
+	 */
+	void (*set_options) (file_logger_t *this, char *time_format, bool ike_name);
+
+	/**
+	 * Open (or reopen) the log file according to the given parameters
+	 *
+	 * @param flush_line	TRUE to flush buffers after every logged line
+	 * @param append		FALSE to overwrite an existing file, TRUE to append
+	 */
+	void (*open) (file_logger_t *this, bool flush_line, bool append);
+
+	/**
 	 * Destroys a file_logger_t object.
 	 */
 	void (*destroy) (file_logger_t *this);
@@ -52,11 +69,13 @@ struct file_logger_t {
 /**
  * Constructor to create a file_logger_t object.
  *
- * @param out			FILE to write to
- * @param time_format	format of timestamp prefix, as in strftime()
- * @param ike_name		TRUE to prefix the name of the IKE_SA
- * @return				file_logger_t object
+ * The logger has to be opened via file_logger_t.open() before anything is
+ * logged.
+ *
+ * @param filename	name of the log file (stderr and stdout are handled
+ *					specially), cloned
+ * @return			file_logger_t object
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name);
+file_logger_t *file_logger_create(char *filename);
 
 #endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 21caed064..57445df01 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -31,26 +31,7 @@ typedef struct listener_t listener_t;
 struct listener_t {
 
 	/**
-	 * Log a debugging message.
-	 *
-	 * The implementing signal function returns TRUE to stay registered
-	 * to the bus, or FALSE to unregister itself.
-	 * Calling bus_t.log() inside of a registered listener is possible,
-	 * but the bus does not invoke listeners recursively.
-	 *
-	 * @param group		kind of the signal (up, down, rekeyed, ...)
-	 * @param level		verbosity level of the signal
-	 * @param thread	ID of the thread raised this signal
-	 * @param ike_sa	IKE_SA associated to the event
-	 * @param format	printf() style format string
-	 * @param args		vprintf() style va_list argument list
-	 * @return			TRUE to stay registered, FALSE to unregister
-	 */
-	bool (*log)(listener_t *this, debug_t group, level_t level, int thread,
-				ike_sa_t *ike_sa, char* format, va_list args);
-
-	/**
-	 * Hook called if a critical alert is risen.
+	 * Hook called if a critical alert is raised.
 	 *
 	 * @param ike_sa	IKE_SA associated to the alert, if any
 	 * @param alert		kind of alert
@@ -84,26 +65,33 @@ struct listener_t {
 	/**
 	 * Hook called for received/sent messages of an IKE_SA.
 	 *
+	 * The hook is invoked twice for each message: Once with plain, parsed data
+	 * and once encoded and encrypted.
+	 *
 	 * @param ike_sa	IKE_SA sending/receiving a message
 	 * @param message	message object
 	 * @param incoming	TRUE for incoming messages, FALSE for outgoing
+	 * @param plain		TRUE if message is parsed and decrypted, FALSE it not
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
-					bool incoming);
+					bool incoming, bool plain);
 
 	/**
 	 * Hook called with IKE_SA key material.
 	 *
 	 * @param ike_sa	IKE_SA this keymat belongs to
 	 * @param dh		diffie hellman shared secret
+	 * @param dh_other	others DH public value (IKEv1 only)
 	 * @param nonce_i	initiators nonce
 	 * @param nonce_r	responders nonce
-	 * @param rekey		IKE_SA we are rekeying, if any
+	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
+	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
-					 chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+					 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
+					 ike_sa_t *rekey, shared_key_t *shared);
 
 	/**
 	 * Hook called with CHILD_SA key material.
@@ -139,6 +127,18 @@ struct listener_t {
 	bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
 
 	/**
+	 * Hook called when an initiator reestablishes an IKE_SA.
+	 *
+	 * This is invoked right before the new IKE_SA is checked in after
+	 * initiating it.  It is not invoked on the responder.
+	 *
+	 * @param old		IKE_SA getting reestablished (is destroyed)
+	 * @param new		new IKE_SA replacing old (gets established)
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*ike_reestablish)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
+
+	/**
 	 * Hook called when a CHILD_SA gets up or down.
 	 *
 	 * @param ike_sa	IKE_SA containing the handled CHILD_SA
@@ -190,6 +190,19 @@ struct listener_t {
 	 */
 	bool (*narrow)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 				narrow_hook_t type, linked_list_t *local, linked_list_t *remote);
+
+	/**
+	 * Virtual IP address assignment hook
+	 *
+	 * This hook gets invoked when a a Virtual IP address is assigned to an
+	 * IKE_SA (assign = TRUE) and again when it is released (assign = FALSE)
+	 *
+	 * @param ike_sa	IKE_SA the VIPs are assigned to
+	 * @param assign	TRUE if assigned to IKE_SA, FALSE if released
+	 * @return			TRUE to stay registered, FALSE to unregister
+	 */
+	bool (*assign_vips)(listener_t *this, ike_sa_t *ike_sa, bool assign);
+
 };
 
 #endif /** LISTENER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/logger.h b/src/libcharon/bus/listeners/logger.h
new file mode 100644
index 000000000..d5432d3a8
--- /dev/null
+++ b/src/libcharon/bus/listeners/logger.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup logger logger
+ * @{ @ingroup listeners
+ */
+
+#ifndef LOGGER_H_
+#define LOGGER_H_
+
+typedef struct logger_t logger_t;
+
+#include <bus/bus.h>
+
+/**
+ * Logger interface, listens for log events on the bus.
+ *
+ * Calls to bus_t.log() are handled separately from calls to other functions.
+ * Logger functions may be called concurrently by multiple threads. Also
+ * recursive calls are not prevented, loggers that may cause recursive log
+ * messages are responsible to avoid infinite loops.
+ *
+ * Both the log() and the vlog() methods are optional to implement. With many
+ * loggers, using log() may be faster as printf() format substitution is done
+ * only once for all loggers.
+ */
+struct logger_t {
+
+	/**
+	 * Log a debugging message.
+	 *
+	 * @param group		kind of the signal (up, down, rekeyed, ...)
+	 * @param level		verbosity level of the signal
+	 * @param thread	ID of the thread raised this signal
+	 * @param ike_sa	IKE_SA associated to the event
+	 * @param message	log message
+	 */
+	void (*log)(logger_t *this, debug_t group, level_t level, int thread,
+				ike_sa_t *ike_sa, const char *message);
+
+	/**
+	 * Log a debugging message with a format string.
+	 *
+	 * @note Calls to bus_t.log() are handled separately from calls to
+	 * other functions.  This callback may be called concurrently by
+	 * multiple threads.  Also recursive calls are not prevented, loggers that
+	 * may cause recursive log messages are responsible to avoid infinite loops.
+	 *
+	 * @param group		kind of the signal (up, down, rekeyed, ...)
+	 * @param level		verbosity level of the signal
+	 * @param thread	ID of the thread raised this signal
+	 * @param ike_sa	IKE_SA associated to the event
+	 * @param fmt		log message format string
+	 * @param args		variable arguments to format string
+	 */
+	void (*vlog)(logger_t *this, debug_t group, level_t level, int thread,
+				 ike_sa_t *ike_sa, const char *fmt, va_list args);
+
+	/**
+	 * Get the desired log level for a debug group.  This is called during
+	 * registration.
+	 *
+	 * If the desired log levels have changed, re-register the logger with
+	 * the bus.
+	 *
+	 * @param group		debug group
+	 * @return			max level to log (0..4) or -1 for none (see debug.h)
+	 */
+	level_t (*get_level)(logger_t *this, debug_t group);
+};
+
+#endif /** LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index c29c9f2e4..4aeb1c048 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,6 +20,8 @@
 
 #include "sys_logger.h"
 
+#include <threading/mutex.h>
+#include <threading/rwlock.h>
 
 typedef struct private_sys_logger_t private_sys_logger_t;
 
@@ -46,56 +49,77 @@ struct private_sys_logger_t {
 	 * Print the name/# of the IKE_SA?
 	 */
 	bool ike_name;
+
+	/**
+	 * Mutex to ensure multi-line log messages are not torn apart
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Lock to read/write options (levels, ike_name)
+	 */
+	rwlock_t *lock;
 };
 
-METHOD(listener_t, log_, bool,
-	   private_sys_logger_t *this, debug_t group, level_t level, int thread,
-	   ike_sa_t* ike_sa, char *format, va_list args)
+METHOD(logger_t, log_, void,
+	private_sys_logger_t *this, debug_t group, level_t level, int thread,
+	ike_sa_t* ike_sa, const char *message)
 {
-	if (level <= this->levels[group])
-	{
-		char buffer[8192], groupstr[4], namestr[128] = "";
-		char *current = buffer, *next;
+	char groupstr[4], namestr[128] = "";
+	const char *current = message, *next;
 
-		/* write in memory buffer first */
-		vsnprintf(buffer, sizeof(buffer), format, args);
-		/* cache group name */
-		snprintf(groupstr, sizeof(groupstr), "%N", debug_names, group);
+	/* cache group name and optional name string */
+	snprintf(groupstr, sizeof(groupstr), "%N", debug_names, group);
 
-		if (this->ike_name && ike_sa)
+	this->lock->read_lock(this->lock);
+	if (this->ike_name && ike_sa)
+	{
+		if (ike_sa->get_peer_cfg(ike_sa))
+		{
+			snprintf(namestr, sizeof(namestr), " <%s|%d>",
+				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+		}
+		else
 		{
-			if (ike_sa->get_peer_cfg(ike_sa))
-			{
-				snprintf(namestr, sizeof(namestr), " <%s|%d>",
-					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
-			}
-			else
-			{
-				snprintf(namestr, sizeof(namestr), " <%d>",
-					ike_sa->get_unique_id(ike_sa));
-			}
+			snprintf(namestr, sizeof(namestr), " <%d>",
+				ike_sa->get_unique_id(ike_sa));
 		}
+	}
+	this->lock->unlock(this->lock);
 
-		/* do a syslog with every line */
-		while (current)
+	/* do a syslog for every line */
+	this->mutex->lock(this->mutex);
+	while (TRUE)
+	{
+		next = strchr(current, '\n');
+		if (next == NULL)
 		{
-			next = strchr(current, '\n');
-			if (next)
-			{
-				*(next++) = '\0';
-			}
-			syslog(this->facility|LOG_INFO, "%.2d[%s]%s %s\n",
+			syslog(this->facility | LOG_INFO, "%.2d[%s]%s %s\n",
 				   thread, groupstr, namestr, current);
-			current = next;
+			break;
 		}
+		syslog(this->facility | LOG_INFO, "%.2d[%s]%s %.*s\n",
+			   thread, groupstr, namestr, (int)(next - current), current);
+		current = next + 1;
 	}
-	/* always stay registered */
-	return TRUE;
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(logger_t, get_level, level_t,
+	private_sys_logger_t *this, debug_t group)
+{
+	level_t level;
+
+	this->lock->read_lock(this->lock);
+	level = this->levels[group];
+	this->lock->unlock(this->lock);
+	return level;
 }
 
 METHOD(sys_logger_t, set_level, void,
-	   private_sys_logger_t *this, debug_t group, level_t level)
+	private_sys_logger_t *this, debug_t group, level_t level)
 {
+	this->lock->write_lock(this->lock);
 	if (group < DBG_ANY)
 	{
 		this->levels[group] = level;
@@ -107,35 +131,49 @@ METHOD(sys_logger_t, set_level, void,
 			this->levels[group] = level;
 		}
 	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(sys_logger_t, set_options, void,
+	private_sys_logger_t *this, bool ike_name)
+{
+	this->lock->write_lock(this->lock);
+	this->ike_name = ike_name;
+	this->lock->unlock(this->lock);
 }
 
 METHOD(sys_logger_t, destroy, void,
-	   private_sys_logger_t *this)
+	private_sys_logger_t *this)
 {
-	closelog();
+	this->lock->destroy(this->lock);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
 /*
  * Described in header.
  */
-sys_logger_t *sys_logger_create(int facility, bool ike_name)
+sys_logger_t *sys_logger_create(int facility)
 {
 	private_sys_logger_t *this;
 
 	INIT(this,
 		.public = {
-			.listener = {
+			.logger = {
 				.log = _log_,
+				.get_level = _get_level,
 			},
 			.set_level = _set_level,
+			.set_options = _set_options,
 			.destroy = _destroy,
 		},
 		.facility = facility,
-		.ike_name = ike_name,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
 
 	set_level(this, DBG_ANY, LEVEL_SILENT);
+	setlogmask(LOG_UPTO(LOG_INFO));
 
 	return &this->public;
 }
diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h
index d83715a6a..9a0fee018 100644
--- a/src/libcharon/bus/listeners/sys_logger.h
+++ b/src/libcharon/bus/listeners/sys_logger.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,7 +22,7 @@
 #ifndef SYS_LOGGER_H_
 #define SYS_LOGGER_H_
 
-#include <bus/listeners/listener.h>
+#include <bus/listeners/logger.h>
 
 typedef struct sys_logger_t sys_logger_t;
 
@@ -31,9 +32,9 @@ typedef struct sys_logger_t sys_logger_t;
 struct sys_logger_t {
 
 	/**
-	 * Implements the listener_t interface.
+	 * Implements the logger_t interface.
 	 */
-	listener_t listener;
+	logger_t logger;
 
 	/**
 	 * Set the loglevel for a debug group.
@@ -44,6 +45,13 @@ struct sys_logger_t {
 	void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
 
 	/**
+	 * Set options used by this logger.
+	 *
+	 * @param ike_name	TRUE to prefix the name of the IKE_SA
+	 */
+	void (*set_options) (sys_logger_t *this, bool ike_name);
+
+	/**
 	 * Destroys a sys_logger_t object.
 	 */
 	void (*destroy) (sys_logger_t *this);
@@ -53,9 +61,8 @@ struct sys_logger_t {
  * Constructor to create a sys_logger_t object.
  *
  * @param facility	syslog facility to use
- * @param ike_name	TRUE to prefix the name of the IKE_SA
  * @return			sys_logger_t object
  */
-sys_logger_t *sys_logger_create(int facility, bool ike_name);
+sys_logger_t *sys_logger_create(int facility);
 
 #endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/backend.h b/src/libcharon/config/backend.h
index 458abc37f..aca3352ba 100644
--- a/src/libcharon/config/backend.h
+++ b/src/libcharon/config/backend.h
@@ -26,7 +26,7 @@ typedef struct backend_t backend_t;
 #include <library.h>
 #include <config/ike_cfg.h>
 #include <config/peer_cfg.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * The interface for a configuration backend.
diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
index a93457ea4..f47d5715a 100644
--- a/src/libcharon/config/backend_manager.c
+++ b/src/libcharon/config/backend_manager.c
@@ -18,7 +18,7 @@
 #include <sys/types.h>
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 
@@ -49,10 +49,16 @@ struct private_backend_manager_t {
  * match of an ike_cfg
  */
 typedef enum ike_cfg_match_t {
-	MATCH_NONE  = 0x00,
-	MATCH_ANY   = 0x01,
-	MATCH_ME	= 0x04,
-	MATCH_OTHER = 0x08,
+	/* doesn't match at all */
+	MATCH_NONE		= 0x00,
+	/* match for a %any host. For both hosts, hence skip 0x02 */
+	MATCH_ANY		= 0x01,
+	/* IKE version matches exactly (config is not for any version) */
+	MATCH_VERSION	= 0x04,
+	/* local identity matches */
+	MATCH_ME		= 0x08,
+	/* remote identity matches */
+	MATCH_OTHER		= 0x10,
 } ike_cfg_match_t;
 
 /**
@@ -75,15 +81,24 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
 /**
  * get a match of a candidate ike_cfg for two hosts
  */
-static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
+static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other,
+									 ike_version_t version)
 {
 	host_t *me_cand, *other_cand;
+	char *my_addr, *other_addr;
+	bool my_allow_any, other_allow_any;
 	ike_cfg_match_t match = MATCH_NONE;
 
+	if (cand->get_version(cand) != IKE_ANY &&
+		version != cand->get_version(cand))
+	{
+		return MATCH_NONE;
+	}
+
 	if (me)
 	{
-		me_cand = host_create_from_dns(cand->get_my_addr(cand),
-									   me->get_family(me), 0);
+		my_addr = cand->get_my_addr(cand, &my_allow_any);
+		me_cand = host_create_from_dns(my_addr, me->get_family(me), 0);
 		if (!me_cand)
 		{
 			return MATCH_NONE;
@@ -92,7 +107,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 		{
 			match += MATCH_ME;
 		}
-		else if (me_cand->is_anyaddr(me_cand))
+		else if (my_allow_any || me_cand->is_anyaddr(me_cand))
 		{
 			match += MATCH_ANY;
 		}
@@ -110,8 +125,8 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 
 	if (other)
 	{
-		other_cand = host_create_from_dns(cand->get_other_addr(cand),
-										  other->get_family(other), 0);
+		other_addr = cand->get_other_addr(cand, &other_allow_any);
+		other_cand = host_create_from_dns(other_addr, other->get_family(other), 0);
 		if (!other_cand)
 		{
 			return MATCH_NONE;
@@ -120,7 +135,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 		{
 			match += MATCH_OTHER;
 		}
-		else if (other_cand->is_anyaddr(other_cand))
+		else if (other_allow_any || other_cand->is_anyaddr(other_cand))
 		{
 			match += MATCH_ANY;
 		}
@@ -135,21 +150,31 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 	{
 		match += MATCH_ANY;
 	}
+
+	if (match != MATCH_NONE &&
+		cand->get_version(cand) != IKE_ANY)
+	{	/* if we have a match, improve it if candidate version specified */
+		match += MATCH_VERSION;
+	}
 	return match;
 }
 
 METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
-	private_backend_manager_t *this, host_t *me, host_t *other)
+	private_backend_manager_t *this, host_t *me, host_t *other,
+	ike_version_t version)
 {
 	ike_cfg_t *current, *found = NULL;
+	char *my_addr, *other_addr;
+	bool my_allow_any, other_allow_any;
 	enumerator_t *enumerator;
 	ike_cfg_match_t match, best = MATCH_ANY;
 	ike_data_t *data;
 
-	data = malloc_thing(ike_data_t);
-	data->this = this;
-	data->me = me;
-	data->other = other;
+	INIT(data,
+		.this = this,
+		.me = me,
+		.other = other,
+	);
 
 	DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
 
@@ -159,13 +184,16 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
 						(void*)ike_enum_create, data, (void*)free);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
-		match = get_ike_match(current, me, other);
-
+		match = get_ike_match(current, me, other, version);
+		DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
+			 match, me, other, ike_version_names, version);
 		if (match)
 		{
-			DBG2(DBG_CFG, "  candidate: %s...%s, prio %d",
-				 current->get_my_addr(current),
-				 current->get_other_addr(current), match);
+			my_addr = current->get_my_addr(current, &my_allow_any);
+			other_addr = current->get_other_addr(current, &other_allow_any);
+			DBG2(DBG_CFG, "  candidate: %s%s...%s%s, prio %d",
+						  my_allow_any ? "%":"", my_addr,
+						  other_allow_any ? "%":"", other_addr, match);
 			if (match > best)
 			{
 				DESTROY_IF(found);
@@ -179,8 +207,11 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
 	this->lock->unlock(this->lock);
 	if (found)
 	{
-		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d",
-			 found->get_my_addr(found), found->get_other_addr(found), best);
+		my_addr = found->get_my_addr(found, &my_allow_any);
+		other_addr = found->get_other_addr(found, &other_allow_any);
+		DBG2(DBG_CFG, "found matching ike config: %s%s...%s%s with prio %d",
+					  my_allow_any ? "%":"", my_addr,
+					  other_allow_any ? "%":"", other_addr, best);
 	}
 	return found;
 }
@@ -195,9 +226,13 @@ static id_match_t get_peer_match(identification_t *id,
 	auth_cfg_t *auth;
 	identification_t *candidate;
 	id_match_t match = ID_MATCH_NONE;
+	char *where = local ? "local" : "remote";
+	chunk_t data;
 
 	if (!id)
 	{
+		DBG3(DBG_CFG, "peer config match %s: %d (%N)",
+			 where, ID_MATCH_ANY, id_type_names, ID_ANY);
 		return ID_MATCH_ANY;
 	}
 
@@ -221,6 +256,10 @@ static id_match_t get_peer_match(identification_t *id,
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	data = id->get_encoding(id);
+	DBG3(DBG_CFG, "peer config match %s: %d (%N -> %#B)",
+		 where, match, id_type_names, id->get_type(id), &data);
 	return match;
 }
 
@@ -317,17 +356,18 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list,
 
 METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
 	private_backend_manager_t *this, host_t *me, host_t *other,
-	identification_t *my_id, identification_t *other_id)
+	identification_t *my_id, identification_t *other_id, ike_version_t version)
 {
 	enumerator_t *enumerator;
 	peer_data_t *data;
 	peer_cfg_t *cfg;
 	linked_list_t *configs, *helper;
 
-	data = malloc_thing(peer_data_t);
-	data->lock = this->lock;
-	data->me = my_id;
-	data->other = other_id;
+	INIT(data,
+		.lock = this->lock,
+		.me = my_id,
+		.other = other_id,
+	);
 
 	/* create a sorted list with all matches */
 	this->lock->read_lock(this->lock);
@@ -340,9 +380,6 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
 		return enumerator;
 	}
 
-	DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
-		 me, my_id, other, other_id);
-
 	configs = linked_list_create();
 	/* only once allocated helper list for sorting */
 	helper = linked_list_create();
@@ -351,28 +388,23 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
 		id_match_t match_peer_me, match_peer_other;
 		ike_cfg_match_t match_ike;
 		match_entry_t *entry;
-		chunk_t data;
 
 		match_peer_me = get_peer_match(my_id, cfg, TRUE);
-		data = my_id->get_encoding(my_id);
-		DBG3(DBG_CFG, "match_peer_me: %d (%N -> %#B)", match_peer_me,
-			 id_type_names, my_id->get_type(my_id), &data);
 		match_peer_other = get_peer_match(other_id, cfg, FALSE);
-		data = other_id->get_encoding(other_id);
-		DBG3(DBG_CFG, "match_peer_other: %d (%N -> %#B)", match_peer_other,
-			 id_type_names, other_id->get_type(other_id), &data);
-		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
-		DBG3(DBG_CFG, "match_ike: %d (%H %H)", match_ike, me, other);
+		match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other, version);
+		DBG3(DBG_CFG, "ike config match: %d (%H %H %N)",
+			 match_ike, me, other, ike_version_names, version);
 
 		if (match_peer_me && match_peer_other && match_ike)
 		{
 			DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d (me/other/ike)",
 				 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
 
-			entry = malloc_thing(match_entry_t);
-			entry->match_peer = match_peer_me + match_peer_other;
-			entry->match_ike = match_ike;
-			entry->cfg = cfg->get_ref(cfg);
+			INIT(entry,
+				.match_peer = match_peer_me + match_peer_other,
+				.match_ike = match_ike,
+				.cfg = cfg->get_ref(cfg),
+			);
 			insert_sorted(entry, configs, helper);
 		}
 	}
diff --git a/src/libcharon/config/backend_manager.h b/src/libcharon/config/backend_manager.h
index 5b394f791..cc8ef8785 100644
--- a/src/libcharon/config/backend_manager.h
+++ b/src/libcharon/config/backend_manager.h
@@ -24,7 +24,7 @@
 typedef struct backend_manager_t backend_manager_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <config/ike_cfg.h>
 #include <config/peer_cfg.h>
@@ -56,10 +56,12 @@ struct backend_manager_t {
 	 *
 	 * @param my_host			address of own host
 	 * @param other_host		address of remote host
+	 * @param version			IKE version to get a config for
 	 * @return					matching ike_config, or NULL if none found
 	 */
 	ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
-							  host_t *my_host, host_t *other_host);
+							  host_t *my_host, host_t *other_host,
+							  ike_version_t version);
 
 	/**
 	 * Get a peer_config identified by it's name.
@@ -79,11 +81,12 @@ struct backend_manager_t {
 	 * @param other				remote address
 	 * @param my_id				IDr in first authentication round
 	 * @param other_id			IDi in first authentication round
+	 * @param version			IKE version to get a config for
 	 * @return 					enumerator over peer_cfg_t
 	 */
 	enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this,
 							host_t *me, host_t *other, identification_t *my_id,
-							identification_t *other_id);
+							identification_t *other_id, ike_version_t version);
 	/**
 	 * Register a backend on the manager.
 	 *
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 74949be3c..6fe7d44b8 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -165,12 +165,14 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
 		current = current->clone(current);
 		if (strip_dh)
 		{
-			current->strip_dh(current);
+			current->strip_dh(current, MODP_NONE);
 		}
 		proposals->insert_last(proposals, current);
 	}
 	enumerator->destroy(enumerator);
 
+	DBG2(DBG_CFG, "configured proposals: %#P", proposals);
+
 	return proposals;
 }
 
@@ -192,7 +194,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 		{
 			if (strip_dh)
 			{
-				stored->strip_dh(stored);
+				stored->strip_dh(stored, MODP_NONE);
 			}
 			selected = stored->select(stored, supplied, private);
 			if (selected)
@@ -235,12 +237,16 @@ METHOD(child_cfg_t, add_traffic_selector, void,
 }
 
 METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
-	private_child_cfg_t *this, bool local, linked_list_t *supplied,	host_t *host)
+	private_child_cfg_t *this, bool local, linked_list_t *supplied,
+	linked_list_t *hosts)
 {
 	enumerator_t *e1, *e2;
 	traffic_selector_t *ts1, *ts2, *selected;
-	linked_list_t *result = linked_list_create();
+	linked_list_t *result, *derived;
+	host_t *host;
 
+	result = linked_list_create();
+	derived = linked_list_create();
 	if (local)
 	{
 		e1 = this->my_ts->create_enumerator(this->my_ts);
@@ -249,41 +255,47 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 	{
 		e1 = this->other_ts->create_enumerator(this->other_ts);
 	}
-
-	/* no list supplied, just fetch the stored traffic selectors */
-	if (supplied == NULL)
+	/* In a first step, replace "dynamic" TS with the host list */
+	while (e1->enumerate(e1, &ts1))
 	{
-		DBG2(DBG_CFG, "proposing traffic selectors for %s:",
-			 local ? "us" : "other");
-		while (e1->enumerate(e1, &ts1))
+		if (hosts && hosts->get_count(hosts) &&
+			ts1->is_dynamic(ts1))
 		{
-			/* we make a copy of the TS, this allows us to update dynamic TS' */
-			selected = ts1->clone(ts1);
-			if (host)
+			e2 = hosts->create_enumerator(hosts);
+			while (e2->enumerate(e2, &host))
 			{
-				selected->set_address(selected, host);
+				ts2 = ts1->clone(ts1);
+				ts2->set_address(ts2, host);
+				derived->insert_last(derived, ts2);
 			}
-			DBG2(DBG_CFG, " %R (derived from %R)", selected, ts1);
-			result->insert_last(result, selected);
+			e2->destroy(e2);
 		}
-		e1->destroy(e1);
+		else
+		{
+			derived->insert_last(derived, ts1->clone(ts1));
+		}
+	}
+	e1->destroy(e1);
+
+	DBG2(DBG_CFG, "%s traffic selectors for %s:",
+		 supplied ? "selecting" : "proposing", local ? "us" : "other");
+	if (supplied == NULL)
+	{
+		while (derived->remove_first(derived, (void**)&ts1) == SUCCESS)
+		{
+			DBG2(DBG_CFG, " %R", ts1);
+			result->insert_last(result, ts1);
+		}
+		derived->destroy(derived);
 	}
 	else
 	{
-		DBG2(DBG_CFG, "selecting traffic selectors for %s:",
-			 local ? "us" : "other");
+		e1 = derived->create_enumerator(derived);
 		e2 = supplied->create_enumerator(supplied);
-		/* iterate over all stored selectors */
+		/* enumerate all configured/derived selectors */
 		while (e1->enumerate(e1, &ts1))
 		{
-			/* we make a copy of the TS, as we have to update dynamic TS' */
-			ts1 = ts1->clone(ts1);
-			if (host)
-			{
-				ts1->set_address(ts1, host);
-			}
-
-			/* iterate over all supplied traffic selectors */
+			/* enumerate all supplied traffic selectors */
 			while (e2->enumerate(e2, &ts2))
 			{
 				selected = ts1->get_subset(ts1, ts2);
@@ -299,12 +311,27 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 						 ts1, ts2);
 				}
 			}
-			e2->destroy(e2);
-			e2 = supplied->create_enumerator(supplied);
-			ts1->destroy(ts1);
+			supplied->reset_enumerator(supplied, e2);
 		}
 		e1->destroy(e1);
 		e2->destroy(e2);
+
+		/* check if we/peer did any narrowing, raise alert */
+		e1 = derived->create_enumerator(derived);
+		e2 = result->create_enumerator(result);
+		while (e1->enumerate(e1, &ts1))
+		{
+			if (!e2->enumerate(e2, &ts2) || !ts1->equals(ts1, ts2))
+			{
+				charon->bus->alert(charon->bus, ALERT_TS_NARROWED,
+								   local, result, this);
+				break;
+			}
+		}
+		e1->destroy(e1);
+		e2->destroy(e2);
+
+		derived->destroy_offset(derived, offsetof(traffic_selector_t, destroy));
 	}
 
 	/* remove any redundant traffic selectors in the list */
@@ -320,16 +347,14 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 				{
 					result->remove_at(result, e2);
 					ts2->destroy(ts2);
-					e1->destroy(e1);
-					e1 = result->create_enumerator(result);
+					result->reset_enumerator(result, e1);
 					break;
 				}
 				if (ts1->is_contained_in(ts1, ts2))
 				{
 					result->remove_at(result, e1);
 					ts1->destroy(ts1);
-					e2->destroy(e2);
-					e2 = result->create_enumerator(result);
+					result->reset_enumerator(result, e2);
 					break;
 				}
 			}
@@ -566,4 +591,3 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 370ff9d58..20d1fa811 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -129,12 +129,12 @@ struct child_cfg_t {
 	 *
 	 * @param local			TRUE for TS on local side, FALSE for remote
 	 * @param supplied		list with TS to select from, or NULL
-	 * @param host			address to use for narrowing "dynamic" TS', or NULL
+	 * @param hosts			addresses to use for narrowing "dynamic" TS', host_t
 	 * @return				list containing the traffic selectors
 	 */
 	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
 											linked_list_t *supplied,
-											host_t *host);
+											linked_list_t *hosts);
 	/**
 	 * Get the updown script to run for the CHILD_SA.
 	 *
@@ -213,14 +213,14 @@ struct child_cfg_t {
 	u_int32_t (*get_inactivity)(child_cfg_t *this);
 
 	/**
-	 * Specific reqid to use for CHILD_SA
+	 * Specific reqid to use for CHILD_SA.
 	 *
 	 * @return				reqid
 	 */
 	u_int32_t (*get_reqid)(child_cfg_t *this);
 
 	/**
-	 * Optional mark for CHILD_SA
+	 * Optional mark for CHILD_SA.
 	 *
 	 * @param inbound		TRUE for inbound, FALSE for outbound
 	 * @return				mark
@@ -235,7 +235,7 @@ struct child_cfg_t {
 	u_int32_t (*get_tfc)(child_cfg_t *this);
 
 	/**
-	 * Sets two options needed for Mobile IPv6 interoperability
+	 * Sets two options needed for Mobile IPv6 interoperability.
 	 *
 	 * @param proxy_mode	use IPsec transport proxy mode (default FALSE)
 	 * @param install_policy install IPsec kernel policies (default TRUE)
@@ -244,7 +244,7 @@ struct child_cfg_t {
 												 bool install_policy);
 
 	/**
-	 * Check whether IPsec transport SA should be set up in proxy mode
+	 * Check whether IPsec transport SA should be set up in proxy mode.
 	 *
 	 * @return				TRUE, if proxy mode should be used
 	 *						FALSE, otherwise
@@ -252,7 +252,7 @@ struct child_cfg_t {
 	bool (*use_proxy_mode)(child_cfg_t *this);
 
 	/**
-	 * Check whether IPsec policies should be installed in the kernel
+	 * Check whether IPsec policies should be installed in the kernel.
 	 *
 	 * @return				TRUE, if IPsec kernel policies should be installed
 	 *						FALSE, otherwise
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 342b9ddbe..54a054e40 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -21,6 +21,12 @@
 #include <daemon.h>
 
 
+ENUM(ike_version_names, IKE_ANY, IKEV2,
+	"IKEv1/2",
+	"IKEv1",
+	"IKEv2",
+);
+
 typedef struct private_ike_cfg_t private_ike_cfg_t;
 
 /**
@@ -39,6 +45,11 @@ struct private_ike_cfg_t {
 	refcount_t refcount;
 
 	/**
+	 * IKE version to use
+	 */
+	ike_version_t version;
+
+	/**
 	 * Address of local host
 	 */
 	char *me;
@@ -49,6 +60,16 @@ struct private_ike_cfg_t {
 	char *other;
 
 	/**
+	 * Allow override of local address
+	 */
+	bool my_allow_any;
+
+	/**
+	 * Allow override of remote address
+	 */
+	bool other_allow_any;
+
+	/**
 	 * our source port
 	 */
 	u_int16_t my_port;
@@ -69,11 +90,27 @@ struct private_ike_cfg_t {
 	bool force_encap;
 
 	/**
+	 * use IKEv1 fragmentation
+	 */
+	fragmentation_t fragmentation;
+
+	/**
+	 * DSCP value to use on sent IKE packets
+	 */
+	u_int8_t dscp;
+
+	/**
 	 * List of proposals to use
 	 */
 	linked_list_t *proposals;
 };
 
+METHOD(ike_cfg_t, get_version, ike_version_t,
+	private_ike_cfg_t *this)
+{
+	return this->version;
+}
+
 METHOD(ike_cfg_t, send_certreq, bool,
 	private_ike_cfg_t *this)
 {
@@ -86,15 +123,29 @@ METHOD(ike_cfg_t, force_encap_, bool,
 	return this->force_encap;
 }
 
-METHOD(ike_cfg_t, get_my_addr, char*,
+METHOD(ike_cfg_t, fragmentation, fragmentation_t,
 	private_ike_cfg_t *this)
 {
+	return this->fragmentation;
+}
+
+METHOD(ike_cfg_t, get_my_addr, char*,
+	private_ike_cfg_t *this, bool *allow_any)
+{
+	if (allow_any)
+	{
+		*allow_any = this->my_allow_any;
+	}
 	return this->me;
 }
 
 METHOD(ike_cfg_t, get_other_addr, char*,
-	private_ike_cfg_t *this)
+	private_ike_cfg_t *this, bool *allow_any)
 {
+	if (allow_any)
+	{
+		*allow_any = this->other_allow_any;
+	}
 	return this->other;
 }
 
@@ -110,6 +161,12 @@ METHOD(ike_cfg_t, get_other_port, u_int16_t,
 	return this->other_port;
 }
 
+METHOD(ike_cfg_t, get_dscp, u_int8_t,
+	private_ike_cfg_t *this)
+{
+	return this->dscp;
+}
+
 METHOD(ike_cfg_t, add_proposal, void,
 	private_ike_cfg_t *this, proposal_t *proposal)
 {
@@ -132,6 +189,8 @@ METHOD(ike_cfg_t, get_proposals, linked_list_t*,
 	}
 	enumerator->destroy(enumerator);
 
+	DBG2(DBG_CFG, "configured proposals: %#P", proposals);
+
 	return proposals;
 }
 
@@ -228,8 +287,10 @@ METHOD(ike_cfg_t, equals, bool,
 	e2->destroy(e2);
 
 	return (eq &&
+		this->version == other->version &&
 		this->certreq == other->certreq &&
 		this->force_encap == other->force_encap &&
+		this->fragmentation == other->fragmentation &&
 		streq(this->me, other->me) &&
 		streq(this->other, other->other) &&
 		this->my_port == other->my_port &&
@@ -259,19 +320,24 @@ METHOD(ike_cfg_t, destroy, void,
 /**
  * Described in header.
  */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
-				char *me, u_int16_t my_port, char *other, u_int16_t other_port)
+ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
+						  char *me, bool my_allow_any, u_int16_t my_port,
+						  char *other, bool other_allow_any, u_int16_t other_port,
+						  fragmentation_t fragmentation, u_int8_t dscp)
 {
 	private_ike_cfg_t *this;
 
 	INIT(this,
 		.public = {
+			.get_version = _get_version,
 			.send_certreq = _send_certreq,
 			.force_encap = _force_encap_,
+			.fragmentation = _fragmentation,
 			.get_my_addr = _get_my_addr,
 			.get_other_addr = _get_other_addr,
 			.get_my_port = _get_my_port,
 			.get_other_port = _get_other_port,
+			.get_dscp = _get_dscp,
 			.add_proposal = _add_proposal,
 			.get_proposals = _get_proposals,
 			.select_proposal = _select_proposal,
@@ -281,12 +347,17 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
 			.destroy = _destroy,
 		},
 		.refcount = 1,
+		.version = version,
 		.certreq = certreq,
 		.force_encap = force_encap,
+		.fragmentation = fragmentation,
 		.me = strdup(me),
 		.other = strdup(other),
+		.my_allow_any = my_allow_any,
+		.other_allow_any = other_allow_any,
 		.my_port = my_port,
 		.other_port = other_port,
+		.dscp = dscp,
 		.proposals = linked_list_create(),
 	);
 
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index f1edde255..719ceb9dd 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -22,16 +23,47 @@
 #ifndef IKE_CFG_H_
 #define IKE_CFG_H_
 
+typedef enum ike_version_t ike_version_t;
+typedef enum fragmentation_t fragmentation_t;
 typedef struct ike_cfg_t ike_cfg_t;
 
 #include <library.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <config/proposal.h>
 #include <crypto/diffie_hellman.h>
 
 /**
+ * IKE version.
+ */
+enum ike_version_t {
+	/** any version */
+	IKE_ANY = 0,
+	/** IKE version 1 */
+	IKEV1 = 1,
+	/** IKE version 2 */
+	IKEV2 = 2,
+};
+
+/**
+ * Proprietary IKEv1 fragmentation
+ */
+enum fragmentation_t {
+	/** disable fragmentation */
+	FRAGMENTATION_NO,
+	/** enable fragmentation if supported by peer */
+	FRAGMENTATION_YES,
+	/** force use of fragmentation (even for the first message) */
+	FRAGMENTATION_FORCE,
+};
+
+/**
+ * enum strings fro ike_version_t
+ */
+extern enum_name_t *ike_version_names;
+
+/**
  * An ike_cfg_t defines the rules to set up an IKE_SA.
  *
  * @see peer_cfg_t to get an overview over the configurations.
@@ -39,40 +71,56 @@ typedef struct ike_cfg_t ike_cfg_t;
 struct ike_cfg_t {
 
 	/**
+	 * Get the IKE version to use with this configuration.
+	 *
+	 * @return				IKE major version
+	 */
+	ike_version_t (*get_version)(ike_cfg_t *this);
+
+	/**
 	 * Get own address.
 	 *
-	 * @return		string of address/DNS name
+	 * @param allow_any		allow any address to match
+	 * @return				string of address/DNS name
 	 */
-	char* (*get_my_addr) (ike_cfg_t *this);
+	char* (*get_my_addr) (ike_cfg_t *this, bool *allow_any);
 
 	/**
-	 * Get peers address.
+	 * Get peer's address.
 	 *
-	 * @return		string of address/DNS name
+	 * @param allow_any		allow any address to match
+	 * @return				string of address/DNS name
 	 */
-	char* (*get_other_addr) (ike_cfg_t *this);
+	char* (*get_other_addr) (ike_cfg_t *this, bool *allow_any);
 
 	/**
 	 * Get the port to use as our source port.
 	 *
-	 * @return		source address port, host order
+	 * @return				source address port, host order
 	 */
 	u_int16_t (*get_my_port)(ike_cfg_t *this);
 
 	/**
 	 * Get the port to use as destination port.
 	 *
-	 * @return		destination address, host order
+	 * @return				destination address, host order
 	 */
 	u_int16_t (*get_other_port)(ike_cfg_t *this);
 
 	/**
+	 * Get the DSCP value to use for IKE packets send from connections.
+	 *
+	 * @return				DSCP value
+	 */
+	u_int8_t (*get_dscp)(ike_cfg_t *this);
+
+	/**
 	 * Adds a proposal to the list.
 	 *
 	 * The first added proposal has the highest priority, the last
 	 * added the lowest.
 	 *
-	 * @param proposal	proposal to add
+	 * @param proposal		proposal to add
 	 */
 	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
 
@@ -81,7 +129,7 @@ struct ike_cfg_t {
 	 *
 	 * Returned list and its proposals must be destroyed after use.
 	 *
-	 * @return 			list containing all the proposals
+	 * @return 				list containing all the proposals
 	 */
 	linked_list_t* (*get_proposals) (ike_cfg_t *this);
 
@@ -90,9 +138,9 @@ struct ike_cfg_t {
 	 *
 	 * Returned proposal must be destroyed after use.
 	 *
-	 * @param proposals	list of proposals to select from
-	 * @param private	accept algorithms from a private range
-	 * @return			selected proposal, or NULL if none matches.
+	 * @param proposals		list of proposals to select from
+	 * @param private		accept algorithms from a private range
+	 * @return				selected proposal, or NULL if none matches.
 	 */
 	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
 									bool private);
@@ -100,36 +148,43 @@ struct ike_cfg_t {
 	/**
 	 * Should we send a certificate request in IKE_SA_INIT?
 	 *
-	 * @return			certificate request sending policy
+	 * @return				certificate request sending policy
 	 */
 	bool (*send_certreq) (ike_cfg_t *this);
 
 	/**
 	 * Enforce UDP encapsulation by faking NATD notifies?
 	 *
-	 * @return			TRUE to enfoce UDP encapsulation
+	 * @return				TRUE to enforce UDP encapsulation
 	 */
 	bool (*force_encap) (ike_cfg_t *this);
 
 	/**
+	 * Use proprietary IKEv1 fragmentation
+	 *
+	 * @return				TRUE to use fragmentation
+	 */
+	fragmentation_t (*fragmentation) (ike_cfg_t *this);
+
+	/**
 	 * Get the DH group to use for IKE_SA setup.
 	 *
-	 * @return			dh group to use for initialization
+	 * @return				dh group to use for initialization
 	 */
 	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
 
 	/**
 	 * Check if two IKE configs are equal.
 	 *
-	 * @param other		other to check for equality
-	 * @return			TRUE if other equal to this
+	 * @param other			other to check for equality
+	 * @return				TRUE if other equal to this
 	 */
 	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);
 
 	/**
 	 * Increase reference count.
 	 *
-	 * @return			reference to this
+	 * @return				reference to this
 	 */
 	ike_cfg_t* (*get_ref) (ike_cfg_t *this);
 
@@ -147,15 +202,22 @@ struct ike_cfg_t {
  *
  * Supplied hosts become owned by ike_cfg, the name gets cloned.
  *
- * @param certreq		TRUE to send a certificate request
- * @param force_encap	enforce UDP encapsulation by faking NATD notify
- * @param me			address/DNS name of local peer
- * @param my_port		IKE port to use as source, 500 uses IKEv2 port floating
- * @param other			address/DNS name of remote peer
- * @param other_port	IKE port to use as dest, 500 uses IKEv2 port floating
- * @return 				ike_cfg_t object.
+ * @param version			IKE major version to use for this config
+ * @param certreq			TRUE to send a certificate request
+ * @param force_encap		enforce UDP encapsulation by faking NATD notify
+ * @param me				address/DNS name of local peer
+ * @param my_allow_any		allow override of local address by any address
+ * @param my_port			IKE port to use as source, 500 uses IKEv2 port floating
+ * @param other				address/DNS name of remote peer
+ * @param other_allow_any	allow override of remote address by any address
+ * @param other_port		IKE port to use as dest, 500 uses IKEv2 port floating
+ * @param fragmentation		use IKEv1 fragmentation
+ * @param dscp				DSCP value to send IKE packets with
+ * @return 					ike_cfg_t object.
  */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
-				char *me, u_int16_t my_port, char *other, u_int16_t other_port);
+ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
+						  char *me, bool my_allow_any, u_int16_t my_port,
+						  char *other, bool other_allow_any, u_int16_t other_port,
+						  fragmentation_t fragmentation, u_int8_t dscp);
 
 #endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index c623cbc9b..eb983199b 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -22,7 +22,7 @@
 #include <daemon.h>
 
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 
 ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
@@ -60,11 +60,6 @@ struct private_peer_cfg_t {
 	char *name;
 
 	/**
-	 * IKE version to use for initiation
-	 */
-	u_int ike_version;
-
-	/**
 	 * IKE config associated to this peer config
 	 */
 	ike_cfg_t *ike_cfg;
@@ -100,6 +95,11 @@ struct private_peer_cfg_t {
 	bool use_mobike;
 
 	/**
+	 * Use aggressive mode?
+	 */
+	bool aggressive;
+
+	/**
 	 * Time before starting rekeying
 	 */
 	u_int32_t rekey_time;
@@ -125,14 +125,19 @@ struct private_peer_cfg_t {
 	u_int32_t dpd;
 
 	/**
-	 * virtual IP to use locally
+	 * DPD timeout intervall (used for IKEv1 only)
 	 */
-	host_t *virtual_ip;
+	u_int32_t dpd_timeout;
 
 	/**
-	 * pool to acquire configuration attributes from
+	 * List of virtual IPs (host_t*) to request
 	 */
-	char *pool;
+	linked_list_t *vips;
+
+	/**
+	 * List of pool names to use for virtual IP lookup
+	 */
+	linked_list_t *pools;
 
 	/**
 	 * local authentication configs (rulesets)
@@ -169,10 +174,10 @@ METHOD(peer_cfg_t, get_name, char*,
 	return this->name;
 }
 
-METHOD(peer_cfg_t, get_ike_version, u_int,
+METHOD(peer_cfg_t, get_ike_version, ike_version_t,
 	private_peer_cfg_t *this)
 {
-	return this->ike_version;
+	return this->ike_cfg->get_version(this->ike_cfg);
 }
 
 METHOD(peer_cfg_t, get_ike_cfg, ike_cfg_t*,
@@ -240,15 +245,15 @@ METHOD(peer_cfg_t, create_child_cfg_enumerator, enumerator_t*,
  * Check how good a list of TS matches a given child config
  */
 static int get_ts_match(child_cfg_t *cfg, bool local,
-						linked_list_t *sup_list, host_t *host)
+						linked_list_t *sup_list, linked_list_t *hosts)
 {
 	linked_list_t *cfg_list;
 	enumerator_t *sup_enum, *cfg_enum;
-	traffic_selector_t *sup_ts, *cfg_ts;
+	traffic_selector_t *sup_ts, *cfg_ts, *subset;
 	int match = 0, round;
 
 	/* fetch configured TS list, narrowing dynamic TS */
-	cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
+	cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, hosts);
 
 	/* use a round counter to rate leading TS with higher priority */
 	round = sup_list->get_count(sup_list);
@@ -263,10 +268,14 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 			{	/* equality is honored better than matches */
 				match += round * 5;
 			}
-			else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
-					 sup_ts->is_contained_in(sup_ts, cfg_ts))
+			else
 			{
-				match += round * 1;
+				subset = cfg_ts->get_subset(cfg_ts, sup_ts);
+				if (subset)
+				{
+					subset->destroy(subset);
+					match += round * 1;
+				}
 			}
 		}
 		cfg_enum->destroy(cfg_enum);
@@ -281,7 +290,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 
 METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*,
 	private_peer_cfg_t *this, linked_list_t *my_ts, linked_list_t *other_ts,
-	host_t *my_host, host_t *other_host)
+	linked_list_t *my_hosts, linked_list_t *other_hosts)
 {
 	child_cfg_t *current, *found = NULL;
 	enumerator_t *enumerator;
@@ -293,8 +302,8 @@ METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*,
 	{
 		int my_prio, other_prio;
 
-		my_prio = get_ts_match(current, TRUE, my_ts, my_host);
-		other_prio = get_ts_match(current, FALSE, other_ts, other_host);
+		my_prio = get_ts_match(current, TRUE, my_ts, my_hosts);
+		other_prio = get_ts_match(current, FALSE, other_ts, other_hosts);
 
 		if (my_prio && other_prio)
 		{
@@ -336,13 +345,13 @@ METHOD(peer_cfg_t, get_keyingtries, u_int32_t,
 }
 
 METHOD(peer_cfg_t, get_rekey_time, u_int32_t,
-	private_peer_cfg_t *this)
+	private_peer_cfg_t *this, bool jitter)
 {
 	if (this->rekey_time == 0)
 	{
 		return 0;
 	}
-	if (this->jitter_time == 0)
+	if (this->jitter_time == 0 || !jitter)
 	{
 		return this->rekey_time;
 	}
@@ -350,13 +359,13 @@ METHOD(peer_cfg_t, get_rekey_time, u_int32_t,
 }
 
 METHOD(peer_cfg_t, get_reauth_time, u_int32_t,
-	private_peer_cfg_t *this)
+	private_peer_cfg_t *this, bool jitter)
 {
 	if (this->reauth_time == 0)
 	{
 		return 0;
 	}
-	if (this->jitter_time == 0)
+	if (this->jitter_time == 0 || !jitter)
 	{
 		return this->reauth_time;
 	}
@@ -375,22 +384,46 @@ METHOD(peer_cfg_t, use_mobike, bool,
 	return this->use_mobike;
 }
 
+METHOD(peer_cfg_t, use_aggressive, bool,
+	private_peer_cfg_t *this)
+{
+	return this->aggressive;
+}
+
 METHOD(peer_cfg_t, get_dpd, u_int32_t,
 	private_peer_cfg_t *this)
 {
 	return this->dpd;
 }
 
-METHOD(peer_cfg_t, get_virtual_ip, host_t*,
+METHOD(peer_cfg_t, get_dpd_timeout, u_int32_t,
 	private_peer_cfg_t *this)
 {
-	return this->virtual_ip;
+	return this->dpd_timeout;
+}
+
+METHOD(peer_cfg_t, add_virtual_ip, void,
+	private_peer_cfg_t *this, host_t *vip)
+{
+	this->vips->insert_last(this->vips, vip);
 }
 
-METHOD(peer_cfg_t, get_pool, char*,
+METHOD(peer_cfg_t, create_virtual_ip_enumerator, enumerator_t*,
 	private_peer_cfg_t *this)
 {
-	return this->pool;
+	return this->vips->create_enumerator(this->vips);
+}
+
+METHOD(peer_cfg_t, add_pool, void,
+	private_peer_cfg_t *this, char *name)
+{
+	this->pools->insert_last(this->pools, strdup(name));
+}
+
+METHOD(peer_cfg_t, create_pool_enumerator, enumerator_t*,
+	private_peer_cfg_t *this)
+{
+	return this->pools->create_enumerator(this->pools);
 }
 
 METHOD(peer_cfg_t, add_auth_cfg, void,
@@ -493,6 +526,10 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
 METHOD(peer_cfg_t, equals, bool,
 	private_peer_cfg_t *this, private_peer_cfg_t *other)
 {
+	enumerator_t *e1, *e2;
+	host_t *vip1, *vip2;
+	char *pool1, *pool2;
+
 	if (this == other)
 	{
 		return TRUE;
@@ -502,8 +539,45 @@ METHOD(peer_cfg_t, equals, bool,
 		return FALSE;
 	}
 
+	if (this->vips->get_count(this->vips) != other->vips->get_count(other->vips))
+	{
+		return FALSE;
+	}
+	e1 = create_virtual_ip_enumerator(this);
+	e2 = create_virtual_ip_enumerator(other);
+	if (e1->enumerate(e1, &vip1) && e2->enumerate(e2, &vip2))
+	{
+		if (!vip1->ip_equals(vip1, vip2))
+		{
+			e1->destroy(e1);
+			e2->destroy(e2);
+			return FALSE;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	if (this->pools->get_count(this->pools) !=
+		other->pools->get_count(other->pools))
+	{
+		return FALSE;
+	}
+	e1 = create_pool_enumerator(this);
+	e2 = create_pool_enumerator(other);
+	if (e1->enumerate(e1, &pool1) && e2->enumerate(e2, &pool2))
+	{
+		if (!streq(pool1, pool2))
+		{
+			e1->destroy(e1);
+			e2->destroy(e2);
+			return FALSE;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
 	return (
-		this->ike_version == other->ike_version &&
+		get_ike_version(this) == get_ike_version(other) &&
 		this->cert_policy == other->cert_policy &&
 		this->unique == other->unique &&
 		this->keyingtries == other->keyingtries &&
@@ -513,11 +587,7 @@ METHOD(peer_cfg_t, equals, bool,
 		this->jitter_time == other->jitter_time &&
 		this->over_time == other->over_time &&
 		this->dpd == other->dpd &&
-		(this->virtual_ip == other->virtual_ip ||
-		 (this->virtual_ip && other->virtual_ip &&
-		  this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
-		(this->pool == other->pool ||
-		 (this->pool && other->pool && streq(this->pool, other->pool))) &&
+		this->aggressive == other->aggressive &&
 		auth_cfg_equal(this, other)
 #ifdef ME
 		&& this->mediation == other->mediation &&
@@ -544,18 +614,18 @@ METHOD(peer_cfg_t, destroy, void,
 		this->ike_cfg->destroy(this->ike_cfg);
 		this->child_cfgs->destroy_offset(this->child_cfgs,
 										offsetof(child_cfg_t, destroy));
-		DESTROY_IF(this->virtual_ip);
 		this->local_auth->destroy_offset(this->local_auth,
 										offsetof(auth_cfg_t, destroy));
 		this->remote_auth->destroy_offset(this->remote_auth,
 										offsetof(auth_cfg_t, destroy));
+		this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+		this->pools->destroy_function(this->pools, free);
 #ifdef ME
 		DESTROY_IF(this->mediated_by);
 		DESTROY_IF(this->peer_id);
 #endif /* ME */
 		this->mutex->destroy(this->mutex);
 		free(this->name);
-		free(this->pool);
 		free(this);
 	}
 }
@@ -563,12 +633,13 @@ METHOD(peer_cfg_t, destroy, void,
 /*
  * Described in header-file
  */
-peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
-							cert_policy_t cert_policy, unique_policy_t unique,
-							u_int32_t keyingtries, u_int32_t rekey_time,
-							u_int32_t reauth_time, u_int32_t jitter_time,
-							u_int32_t over_time, bool mobike, u_int32_t dpd,
-							host_t *virtual_ip, char *pool,
+peer_cfg_t *peer_cfg_create(char *name,
+							ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
+							unique_policy_t unique, u_int32_t keyingtries,
+							u_int32_t rekey_time, u_int32_t reauth_time,
+							u_int32_t jitter_time, u_int32_t over_time,
+							bool mobike, bool aggressive, u_int32_t dpd,
+							u_int32_t dpd_timeout,
 							bool mediation, peer_cfg_t *mediated_by,
 							identification_t *peer_id)
 {
@@ -599,9 +670,13 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 			.get_reauth_time = _get_reauth_time,
 			.get_over_time = _get_over_time,
 			.use_mobike = _use_mobike,
+			.use_aggressive = _use_aggressive,
 			.get_dpd = _get_dpd,
-			.get_virtual_ip = _get_virtual_ip,
-			.get_pool = _get_pool,
+			.get_dpd_timeout = _get_dpd_timeout,
+			.add_virtual_ip = _add_virtual_ip,
+			.create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
+			.add_pool = _add_pool,
+			.create_pool_enumerator = _create_pool_enumerator,
 			.add_auth_cfg = _add_auth_cfg,
 			.create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
 			.equals = (void*)_equals,
@@ -614,7 +689,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 #endif /* ME */
 		},
 		.name = strdup(name),
-		.ike_version = ike_version,
 		.ike_cfg = ike_cfg,
 		.child_cfgs = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
@@ -626,9 +700,11 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 		.jitter_time = jitter_time,
 		.over_time = over_time,
 		.use_mobike = mobike,
+		.aggressive = aggressive,
 		.dpd = dpd,
-		.virtual_ip = virtual_ip,
-		.pool = strdupnull(pool),
+		.dpd_timeout = dpd_timeout,
+		.vips = linked_list_create(),
+		.pools = linked_list_create(),
 		.local_auth = linked_list_create(),
 		.remote_auth = linked_list_create(),
 		.refcount = 1,
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index f644fb547..e62e03ec5 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -29,13 +29,11 @@ typedef struct peer_cfg_t peer_cfg_t;
 
 #include <library.h>
 #include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <selectors/traffic_selector.h>
 #include <config/proposal.h>
 #include <config/ike_cfg.h>
 #include <config/child_cfg.h>
-#include <sa/authenticators/authenticator.h>
-#include <sa/authenticators/eap/eap_method.h>
 #include <credentials/auth_cfg.h>
 
 /**
@@ -65,11 +63,13 @@ extern enum_name_t *cert_policy_names;
  * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
  */
 enum unique_policy_t {
-	/** do not check for client uniqueness */
+	/** never check for client uniqueness */
+	UNIQUE_NEVER,
+	/** only check for client uniqueness when receiving an INITIAL_CONTACT */
 	UNIQUE_NO,
-	/** replace unique IKE_SAs if new ones get established */
+	/** replace existing IKE_SAs when new ones get established by a client */
 	UNIQUE_REPLACE,
-	/** keep existing IKE_SAs, close the new ones on connection attept */
+	/** keep existing IKE_SAs, close the new ones on connection attempt */
 	UNIQUE_KEEP,
 };
 
@@ -130,7 +130,7 @@ struct peer_cfg_t {
 	 *
 	 * @return				IKE major version
 	 */
-	u_int (*get_ike_version)(peer_cfg_t *this);
+	ike_version_t (*get_ike_version)(peer_cfg_t *this);
 
 	/**
 	 * Get the IKE config to use for initiaton.
@@ -165,18 +165,18 @@ struct peer_cfg_t {
 	 *
 	 * @param my_ts			TS for local side
 	 * @param other_ts		TS for remote side
-	 * @param my_host		host to narrow down dynamic TS for local side
-	 * @param other_host	host to narrow down dynamic TS for remote side
+	 * @param my_hosts		hosts to narrow down dynamic TS for local side
+	 * @param other_hosts	hosts to narrow down dynamic TS for remote side
 	 * @return				selected CHILD config, or NULL if no match found
 	 */
-	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
-									  linked_list_t *other_ts, host_t *my_host,
-									  host_t *other_host);
+	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
+							linked_list_t *my_ts, linked_list_t *other_ts,
+							linked_list_t *my_hosts, linked_list_t *other_hosts);
 
 	/**
 	 * Add an authentication config to the peer configuration.
 	 *
-	 * @param config		config to add
+	 * @param cfg			config to add
 	 * @param local			TRUE for local rules, FALSE for remote constraints
 	 */
 	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
@@ -190,7 +190,7 @@ struct peer_cfg_t {
 	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
 
 	/**
-	 * Should be sent a certificate for this connection?
+	 * Should a certificate be sent for this connection?
 	 *
 	 * @return			certificate sending policy
 	 */
@@ -211,18 +211,20 @@ struct peer_cfg_t {
 	u_int32_t (*get_keyingtries) (peer_cfg_t *this);
 
 	/**
-	 * Get a time to start rekeying (is randomized with jitter).
+	 * Get a time to start rekeying.
 	 *
+	 * @param jitter	remove a jitter value to randomize time
 	 * @return			time in s when to start rekeying, 0 disables rekeying
 	 */
-	u_int32_t (*get_rekey_time)(peer_cfg_t *this);
+	u_int32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
 
 	/**
-	 * Get a time to start reauthentication (is randomized with jitter).
+	 * Get a time to start reauthentication.
 	 *
+	 * @param jitter	remove a jitter value to randomize time
 	 * @return			time in s when to start reauthentication, 0 disables it
 	 */
-	u_int32_t (*get_reauth_time)(peer_cfg_t *this);
+	u_int32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
 
 	/**
 	 * Get the timeout of a rekeying/reauthenticating SA.
@@ -239,6 +241,13 @@ struct peer_cfg_t {
 	bool (*use_mobike) (peer_cfg_t *this);
 
 	/**
+	 * Use/Accept aggressive mode with IKEv1?.
+	 *
+	 * @return			TRUE to use aggressive mode
+	 */
+	bool (*use_aggressive)(peer_cfg_t *this);
+
+	/**
 	 * Get the DPD check interval.
 	 *
 	 * @return			dpd_delay in seconds
@@ -246,23 +255,41 @@ struct peer_cfg_t {
 	u_int32_t (*get_dpd) (peer_cfg_t *this);
 
 	/**
-	 * Get a virtual IP for the local peer.
+	 * Get the DPD timeout interval (IKEv1 only)
+	 *
+	 * @return			dpd_timeout in seconds
+	 */
+	u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);
+
+	/**
+	 * Add a virtual IP to request as initiator.
 	 *
-	 * If no virtual IP should be used, NULL is returned. %any means to request
-	 * a virtual IP using configuration payloads. A specific address is also
-	 * used for a request and may be changed by the server.
+	 * @param vip			virtual IP to request, may be %any or %any6
+	 */
+	void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
+
+	/**
+	 * Create an enumerator over virtual IPs to request.
+	 *
+	 * The returned enumerator enumerates over IPs added with add_virtual_ip().
+	 *
+	 * @return				enumerator over host_t*
+	 */
+	enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
+
+	/**
+	 * Add a pool name this configuration uses to select virtual IPs.
 	 *
-	 * @param suggestion	NULL, %any or specific
-	 * @return				virtual IP, %any or NULL
+	 * @param name			pool name to use for virtual IP lookup
 	 */
-	host_t* (*get_virtual_ip) (peer_cfg_t *this);
+	void (*add_pool)(peer_cfg_t *this, char *name);
 
 	/**
-	 * Get the name of the pool to acquire configuration attributes from.
+	 * Create an enumerator over pool names of this config.
 	 *
-	 * @return				pool name, NULL if none defined
+	 * @return				enumerator over char*
 	 */
-	char* (*get_pool)(peer_cfg_t *this);
+	enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
 
 #ifdef ME
 	/**
@@ -329,7 +356,6 @@ struct peer_cfg_t {
  * (rekeylifetime - random(0, jitter)).
  *
  * @param name				name of the peer_cfg
- * @param ike_version		which IKE version we should use for this peer
  * @param ike_cfg			IKE config to use when acting as initiator
  * @param cert_policy		should we send a certificate payload?
  * @param unique			uniqueness of an IKE_SA
@@ -339,20 +365,21 @@ struct peer_cfg_t {
  * @param jitter_time		timerange to randomly subtract from rekey/reauth time
  * @param over_time			maximum overtime before closing a rekeying/reauth SA
  * @param mobike			use MOBIKE (RFC4555) if peer supports it
+ * @param aggressive		use/accept aggressive mode with IKEv1
  * @param dpd				DPD check interval, 0 to disable
- * @param virtual_ip		virtual IP for local host, or NULL
- * @param pool				pool name to get configuration attributes from, or NULL
+ * @param dpd_timeout		DPD timeout interval (IKEv1 only), if 0 default applies
  * @param mediation			TRUE if this is a mediation connection
  * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
  * @param peer_id			ID that identifies our peer at the mediation server
  * @return					peer_cfg_t object
  */
-peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
-							cert_policy_t cert_policy, unique_policy_t unique,
-							u_int32_t keyingtries, u_int32_t rekey_time,
-							u_int32_t reauth_time, u_int32_t jitter_time,
-							u_int32_t over_time, bool mobike, u_int32_t dpd,
-							host_t *virtual_ip, char *pool,
+peer_cfg_t *peer_cfg_create(char *name,
+							ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
+							unique_policy_t unique, u_int32_t keyingtries,
+							u_int32_t rekey_time, u_int32_t reauth_time,
+							u_int32_t jitter_time, u_int32_t over_time,
+							bool mobike, bool aggressive, u_int32_t dpd,
+							u_int32_t dpd_timeout,
 							bool mediation, peer_cfg_t *mediated_by,
 							identification_t *peer_id);
 
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index d3c60a469..0b702e014 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2006-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,24 +19,23 @@
 #include "proposal.h"
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/array.h>
 #include <utils/identification.h>
-#include <utils/lexparser.h>
+
 #include <crypto/transform.h>
 #include <crypto/prfs/prf.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
-#include <crypto/proposal/proposal_keywords.h>
 
-ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
+ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
 	"PROTO_NONE",
 	"IKE",
 	"AH",
 	"ESP",
+	"IPCOMP",
 );
 
 typedef struct private_proposal_t private_proposal_t;
-typedef struct algorithm_t algorithm_t;
 
 /**
  * Private data of an proposal_t object
@@ -54,29 +53,9 @@ struct private_proposal_t {
 	protocol_id_t protocol;
 
 	/**
-	 * priority ordered list of encryption algorithms
-	 */
-	linked_list_t *encryption_algos;
-
-	/**
-	 * priority ordered list of integrity algorithms
+	 * Priority ordered list of transforms, as entry_t
 	 */
-	linked_list_t *integrity_algos;
-
-	/**
-	 * priority ordered list of pseudo random functions
-	 */
-	linked_list_t *prf_algos;
-
-	/**
-	 * priority ordered list of dh groups
-	 */
-	linked_list_t *dh_groups;
-
-	/**
-	 * priority ordered list of extended sequence number flags
-	 */
-	linked_list_t *esns;
+	array_t *transforms;
 
 	/**
 	 * senders SPI
@@ -92,68 +71,47 @@ struct private_proposal_t {
 /**
  * Struct used to store different kinds of algorithms.
  */
-struct algorithm_t {
-	/**
-	 * Value from an encryption_algorithm_t/integrity_algorithm_t/...
-	 */
-	u_int16_t algorithm;
-
-	/**
-	 * the associated key size in bits, or zero if not needed
-	 */
+typedef struct {
+	/** Type of the transform */
+	transform_type_t type;
+	/** algorithm identifier */
+	u_int16_t alg;
+	/** key size in bits, or zero if not needed */
 	u_int16_t key_size;
-};
-
-/**
- * Add algorithm/keysize to a algorithm list
- */
-static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
-{
-	algorithm_t *algo_key;
-
-	algo_key = malloc_thing(algorithm_t);
-	algo_key->algorithm = algo;
-	algo_key->key_size = key_size;
-	list->insert_last(list, (void*)algo_key);
-}
+} entry_t;
 
 METHOD(proposal_t, add_algorithm, void,
 	private_proposal_t *this, transform_type_t type,
-	u_int16_t algo, u_int16_t key_size)
+	u_int16_t alg, u_int16_t key_size)
 {
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			add_algo(this->encryption_algos, algo, key_size);
-			break;
-		case INTEGRITY_ALGORITHM:
-			add_algo(this->integrity_algos, algo, key_size);
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			add_algo(this->prf_algos, algo, key_size);
-			break;
-		case DIFFIE_HELLMAN_GROUP:
-			add_algo(this->dh_groups, algo, 0);
-			break;
-		case EXTENDED_SEQUENCE_NUMBERS:
-			add_algo(this->esns, algo, 0);
-			break;
-		default:
-			break;
-	}
+	entry_t entry = {
+		.type = type,
+		.alg = alg,
+		.key_size = key_size,
+	};
+
+	array_insert(this->transforms, ARRAY_TAIL, &entry);
 }
 
 /**
  * filter function for peer configs
  */
-static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
+static bool alg_filter(uintptr_t type, entry_t **in, u_int16_t *alg,
 					   void **unused, u_int16_t *key_size)
 {
-	algorithm_t *algo = *in;
-	*alg = algo->algorithm;
+	entry_t *entry = *in;
+
+	if (entry->type != type)
+	{
+		return FALSE;
+	}
+	if (alg)
+	{
+		*alg = entry->alg;
+	}
 	if (key_size)
 	{
-		*key_size = algo->key_size;
+		*key_size = entry->key_size;
 	}
 	return TRUE;
 }
@@ -161,30 +119,9 @@ static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
 METHOD(proposal_t, create_enumerator, enumerator_t*,
 	private_proposal_t *this, transform_type_t type)
 {
-	linked_list_t *list;
-
-	switch (type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			list = this->encryption_algos;
-			break;
-		case INTEGRITY_ALGORITHM:
-			list = this->integrity_algos;
-			break;
-		case PSEUDO_RANDOM_FUNCTION:
-			list = this->prf_algos;
-			break;
-		case DIFFIE_HELLMAN_GROUP:
-			list = this->dh_groups;
-			break;
-		case EXTENDED_SEQUENCE_NUMBERS:
-			list = this->esns;
-			break;
-		default:
-			return NULL;
-	}
-	return enumerator_create_filter(list->create_enumerator(list),
-									(void*)alg_filter, NULL, NULL);
+	return enumerator_create_filter(
+						array_create_enumerator(this->transforms),
+						(void*)alg_filter, (void*)(uintptr_t)type, NULL);
 }
 
 METHOD(proposal_t, get_algorithm, bool,
@@ -200,77 +137,91 @@ METHOD(proposal_t, get_algorithm, bool,
 		found = TRUE;
 	}
 	enumerator->destroy(enumerator);
+
 	return found;
 }
 
 METHOD(proposal_t, has_dh_group, bool,
 	private_proposal_t *this, diffie_hellman_group_t group)
 {
-	bool result = FALSE;
+	bool found = FALSE, any = FALSE;
+	enumerator_t *enumerator;
+	u_int16_t current;
 
-	if (this->dh_groups->get_count(this->dh_groups))
+	enumerator = create_enumerator(this, DIFFIE_HELLMAN_GROUP);
+	while (enumerator->enumerate(enumerator, &current, NULL))
 	{
-		algorithm_t *current;
-		enumerator_t *enumerator;
-
-		enumerator = this->dh_groups->create_enumerator(this->dh_groups);
-		while (enumerator->enumerate(enumerator, (void**)&current))
+		any = TRUE;
+		if (current == group)
 		{
-			if (current->algorithm == group)
-			{
-				result = TRUE;
-				break;
-			}
+			found = TRUE;
+			break;
 		}
-		enumerator->destroy(enumerator);
 	}
-	else if (group == MODP_NONE)
+	enumerator->destroy(enumerator);
+
+	if (!any && group == MODP_NONE)
 	{
-		result = TRUE;
+		found = TRUE;
 	}
-	return result;
+	return found;
 }
 
 METHOD(proposal_t, strip_dh, void,
-	private_proposal_t *this)
+	private_proposal_t *this, diffie_hellman_group_t keep)
 {
-	algorithm_t *alg;
+	enumerator_t *enumerator;
+	entry_t *entry;
 
-	while (this->dh_groups->remove_last(this->dh_groups, (void**)&alg) == SUCCESS)
+	enumerator = array_create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		free(alg);
+		if (entry->type == DIFFIE_HELLMAN_GROUP &&
+			entry->alg != keep)
+		{
+			array_remove_at(this->transforms, enumerator);
+		}
 	}
+	enumerator->destroy(enumerator);
 }
 
 /**
- * Find a matching alg/keysize in two linked lists
+ * Select a matching proposal from this and other, insert into selected.
  */
-static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
-						bool *add, u_int16_t *alg, size_t *key_size)
+static bool select_algo(private_proposal_t *this, proposal_t *other,
+						proposal_t *selected, transform_type_t type, bool priv)
 {
 	enumerator_t *e1, *e2;
-	algorithm_t *alg1, *alg2;
+	u_int16_t alg1, alg2, ks1, ks2;
+	bool found = FALSE;
 
-	/* if in both are zero algorithms specified, we HAVE a match */
-	if (first->get_count(first) == 0 && second->get_count(second) == 0)
+	if (type == INTEGRITY_ALGORITHM &&
+		selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) &&
+		encryption_algorithm_is_aead(alg1))
 	{
-		*add = FALSE;
+		/* no integrity algorithm required, we have an AEAD */
 		return TRUE;
 	}
 
-	e1 = first->create_enumerator(first);
-	e2 = second->create_enumerator(second);
+	e1 = create_enumerator(this, type);
+	e2 = other->create_enumerator(other, type);
+	if (!e1->enumerate(e1, NULL, NULL) && !e2->enumerate(e2, NULL, NULL))
+	{
+		found = TRUE;
+	}
+
+	e1->destroy(e1);
+	e1 = create_enumerator(this, type);
 	/* compare algs, order of algs in "first" is preferred */
-	while (e1->enumerate(e1, &alg1))
+	while (!found && e1->enumerate(e1, &alg1, &ks1))
 	{
 		e2->destroy(e2);
-		e2 = second->create_enumerator(second);
-		while (e2->enumerate(e2, &alg2))
+		e2 = other->create_enumerator(other, type);
+		while (e2->enumerate(e2, &alg2, &ks2))
 		{
-			if (alg1->algorithm == alg2->algorithm &&
-				alg1->key_size == alg2->key_size)
+			if (alg1 == alg2 && ks1 == ks2)
 			{
-				if (!priv && alg1->algorithm >= 1024)
+				if (!priv && alg1 >= 1024)
 				{
 					/* accept private use algorithms only if requested */
 					DBG1(DBG_CFG, "an algorithm from private space would match, "
@@ -278,132 +229,52 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
 					continue;
 				}
 				/* ok, we have an algorithm */
-				*alg = alg1->algorithm;
-				*key_size = alg1->key_size;
-				*add = TRUE;
-				e1->destroy(e1);
-				e2->destroy(e2);
-				return TRUE;
+				selected->add_algorithm(selected, type, alg1, ks1);
+				found = TRUE;
+				break;
 			}
 		}
 	}
 	/* no match in all comparisons */
 	e1->destroy(e1);
 	e2->destroy(e2);
-	return FALSE;
+
+	if (!found)
+	{
+		DBG2(DBG_CFG, "  no acceptable %N found", transform_type_names, type);
+	}
+	return found;
 }
 
 METHOD(proposal_t, select_proposal, proposal_t*,
-	private_proposal_t *this, proposal_t *other_pub, bool private)
+	private_proposal_t *this, proposal_t *other, bool private)
 {
-	private_proposal_t *other = (private_proposal_t*)other_pub;
 	proposal_t *selected;
-	u_int16_t algo;
-	size_t key_size;
-	bool add;
 
 	DBG2(DBG_CFG, "selecting proposal:");
 
-	/* check protocol */
-	if (this->protocol != other->protocol)
+	if (this->protocol != other->get_protocol(other))
 	{
 		DBG2(DBG_CFG, "  protocol mismatch, skipping");
 		return NULL;
 	}
 
-	selected = proposal_create(this->protocol, other->number);
+	selected = proposal_create(this->protocol, other->get_number(other));
 
-	/* select encryption algorithm */
-	if (select_algo(this->encryption_algos, other->encryption_algos, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, ENCRYPTION_ALGORITHM,
-									algo, key_size);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, ENCRYPTION_ALGORITHM);
-		return NULL;
-	}
-	/* select integrity algorithm */
-	if (!encryption_algorithm_is_aead(algo))
-	{
-		if (select_algo(this->integrity_algos, other->integrity_algos, private,
-						&add, &algo, &key_size))
-		{
-			if (add)
-			{
-				selected->add_algorithm(selected, INTEGRITY_ALGORITHM,
-										algo, key_size);
-			}
-		}
-		else
-		{
-			selected->destroy(selected);
-			DBG2(DBG_CFG, "  no acceptable %N found",
-				 transform_type_names, INTEGRITY_ALGORITHM);
-			return NULL;
-		}
-	}
-	/* select prf algorithm */
-	if (select_algo(this->prf_algos, other->prf_algos, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION,
-									algo, key_size);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
-		return NULL;
-	}
-	/* select a DH-group */
-	if (select_algo(this->dh_groups, other->dh_groups, private,
-					&add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0);
-		}
-	}
-	else
-	{
-		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, DIFFIE_HELLMAN_GROUP);
-		return NULL;
-	}
-	/* select if we use ESNs (has no private use space) */
-	if (select_algo(this->esns, other->esns, TRUE, &add, &algo, &key_size))
-	{
-		if (add)
-		{
-			selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
-		}
-	}
-	else
+	if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) ||
+		!select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) ||
+		!select_algo(this, other, selected, INTEGRITY_ALGORITHM, private) ||
+		!select_algo(this, other, selected, DIFFIE_HELLMAN_GROUP, private) ||
+		!select_algo(this, other, selected, EXTENDED_SEQUENCE_NUMBERS, private))
 	{
 		selected->destroy(selected);
-		DBG2(DBG_CFG, "  no acceptable %N found",
-			 transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
 		return NULL;
 	}
+
 	DBG2(DBG_CFG, "  proposal matches");
 
-	/* apply SPI from "other" */
-	selected->set_spi(selected, other->spi);
+	selected->set_spi(selected, other->get_spi(other));
 
-	/* everything matched, return new proposal */
 	return selected;
 }
 
@@ -426,50 +297,39 @@ METHOD(proposal_t, get_spi, u_int64_t,
 }
 
 /**
- * Clone a algorithm list
+ * Check if two proposals have the same algorithms for a given transform type
  */
-static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
-{
-	algorithm_t *algo, *clone_algo;
-	enumerator_t *enumerator;
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &algo))
-	{
-		clone_algo = malloc_thing(algorithm_t);
-		memcpy(clone_algo, algo, sizeof(algorithm_t));
-		clone_list->insert_last(clone_list, (void*)clone_algo);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * check if an algorithm list equals
- */
-static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
+static bool algo_list_equals(private_proposal_t *this, proposal_t *other,
+							 transform_type_t type)
 {
 	enumerator_t *e1, *e2;
-	algorithm_t *alg1, *alg2;
+	u_int16_t alg1, alg2, ks1, ks2;
 	bool equals = TRUE;
 
-	if (l1->get_count(l1) != l2->get_count(l2))
+	e1 = create_enumerator(this, type);
+	e2 = other->create_enumerator(other, type);
+	while (e1->enumerate(e1, &alg1, &ks1))
 	{
-		return FALSE;
-	}
-
-	e1 = l1->create_enumerator(l1);
-	e2 = l2->create_enumerator(l2);
-	while (e1->enumerate(e1, &alg1) && e2->enumerate(e2, &alg2))
-	{
-		if (alg1->algorithm != alg2->algorithm ||
-			alg1->key_size != alg2->key_size)
+		if (!e2->enumerate(e2, &alg2, &ks2))
 		{
+			/* this has more algs */
 			equals = FALSE;
 			break;
 		}
+		if (alg1 != alg2 || ks1 != ks2)
+		{
+			equals = FALSE;
+			break;
+		}
+	}
+	if (e2->enumerate(e2, &alg2, ks2))
+	{
+		/* other has more algs */
+		equals = FALSE;
 	}
 	e1->destroy(e1);
 	e2->destroy(e2);
+
 	return equals;
 }
 
@@ -480,33 +340,35 @@ METHOD(proposal_t, get_number, u_int,
 }
 
 METHOD(proposal_t, equals, bool,
-	private_proposal_t *this, proposal_t *other_pub)
+	private_proposal_t *this, proposal_t *other)
 {
-	private_proposal_t *other = (private_proposal_t*)other_pub;
-
-	if (this == other)
+	if (&this->public == other)
 	{
 		return TRUE;
 	}
 	return (
-		algo_list_equals(this->encryption_algos, other->encryption_algos) &&
-		algo_list_equals(this->integrity_algos, other->integrity_algos) &&
-		algo_list_equals(this->prf_algos, other->prf_algos) &&
-		algo_list_equals(this->dh_groups, other->dh_groups) &&
-		algo_list_equals(this->esns, other->esns));
+		algo_list_equals(this, other, ENCRYPTION_ALGORITHM) &&
+		algo_list_equals(this, other, INTEGRITY_ALGORITHM) &&
+		algo_list_equals(this, other, PSEUDO_RANDOM_FUNCTION) &&
+		algo_list_equals(this, other, DIFFIE_HELLMAN_GROUP) &&
+		algo_list_equals(this, other, EXTENDED_SEQUENCE_NUMBERS));
 }
 
 METHOD(proposal_t, clone_, proposal_t*,
 	private_proposal_t *this)
 {
 	private_proposal_t *clone;
+	enumerator_t *enumerator;
+	entry_t *entry;
 
 	clone = (private_proposal_t*)proposal_create(this->protocol, 0);
-	clone_algo_list(this->encryption_algos, clone->encryption_algos);
-	clone_algo_list(this->integrity_algos, clone->integrity_algos);
-	clone_algo_list(this->prf_algos, clone->prf_algos);
-	clone_algo_list(this->dh_groups, clone->dh_groups);
-	clone_algo_list(this->esns, clone->esns);
+
+	enumerator = array_create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		array_insert(clone->transforms, ARRAY_TAIL, entry);
+	}
+	enumerator->destroy(enumerator);
 
 	clone->spi = this->spi;
 	clone->number = this->number;
@@ -515,18 +377,62 @@ METHOD(proposal_t, clone_, proposal_t*,
 }
 
 /**
+ * Map integrity algorithms to the PRF functions using the same algorithm.
+ */
+static const struct {
+	integrity_algorithm_t integ;
+	pseudo_random_function_t prf;
+} integ_prf_map[] = {
+	{AUTH_HMAC_SHA1_96,					PRF_HMAC_SHA1					},
+	{AUTH_HMAC_SHA2_256_128,			PRF_HMAC_SHA2_256				},
+	{AUTH_HMAC_SHA2_384_192,			PRF_HMAC_SHA2_384				},
+	{AUTH_HMAC_SHA2_512_256,			PRF_HMAC_SHA2_512				},
+	{AUTH_HMAC_MD5_96,					PRF_HMAC_MD5					},
+	{AUTH_AES_XCBC_96,					PRF_AES128_XCBC					},
+	{AUTH_CAMELLIA_XCBC_96,				PRF_CAMELLIA128_XCBC			},
+	{AUTH_AES_CMAC_96,					PRF_AES128_CMAC					},
+};
+
+/**
  * Checks the proposal read from a string.
  */
 static void check_proposal(private_proposal_t *this)
 {
 	enumerator_t *e;
-	algorithm_t *alg;
+	entry_t *entry;
+	u_int16_t alg, ks;
 	bool all_aead = TRUE;
+	int i;
+
+	if (this->protocol == PROTO_IKE)
+	{
+		e = create_enumerator(this, PSEUDO_RANDOM_FUNCTION);
+		if (!e->enumerate(e, &alg, &ks))
+		{
+			/* No explicit PRF found. We assume the same algorithm as used
+			 * for integrity checking */
+			e->destroy(e);
+			e = create_enumerator(this, INTEGRITY_ALGORITHM);
+			while (e->enumerate(e, &alg, &ks))
+			{
+				for (i = 0; i < countof(integ_prf_map); i++)
+				{
+					if (alg == integ_prf_map[i].integ)
+					{
+						add_algorithm(this, PSEUDO_RANDOM_FUNCTION,
+									  integ_prf_map[i].prf, 0);
+						break;
+					}
+				}
+			}
+		}
+		e->destroy(e);
+	}
 
-	e = this->encryption_algos->create_enumerator(this->encryption_algos);
-	while (e->enumerate(e, &alg))
+	e = create_enumerator(this, ENCRYPTION_ALGORITHM);
+	while (e->enumerate(e, &alg, &ks))
 	{
-		if (!encryption_algorithm_is_aead(alg->algorithm))
+		if (!encryption_algorithm_is_aead(alg))
 		{
 			all_aead = FALSE;
 			break;
@@ -536,86 +442,55 @@ static void check_proposal(private_proposal_t *this)
 
 	if (all_aead)
 	{
-		/* if all encryption algorithms in the proposal are authenticated encryption
-		 * algorithms we MUST NOT propose any integrity algorithms */
-		while (this->integrity_algos->remove_last(this->integrity_algos,
-												  (void**)&alg) == SUCCESS)
+		/* if all encryption algorithms in the proposal are AEADs,
+		 * we MUST NOT propose any integrity algorithms */
+		e = array_create_enumerator(this->transforms);
+		while (e->enumerate(e, &entry))
 		{
-			free(alg);
+			if (entry->type == INTEGRITY_ALGORITHM)
+			{
+				array_remove_at(this->transforms, e);
+			}
 		}
+		e->destroy(e);
 	}
 
 	if (this->protocol == PROTO_AH || this->protocol == PROTO_ESP)
 	{
-		e = this->esns->create_enumerator(this->esns);
-		if (!e->enumerate(e, &alg))
+		e = create_enumerator(this, EXTENDED_SEQUENCE_NUMBERS);
+		if (!e->enumerate(e, NULL, NULL))
 		{	/* ESN not specified, assume not supported */
 			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 		}
 		e->destroy(e);
 	}
+
+	array_compress(this->transforms);
 }
 
 /**
  * add a algorithm identified by a string to the proposal.
  */
-static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
+static bool add_string_algo(private_proposal_t *this, const char *alg)
 {
-	const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
+	const proposal_token_t *token;
 
+	token = lib->proposal->get_token(lib->proposal, alg);
 	if (token == NULL)
 	{
-		DBG1(DBG_CFG, "algorithm '%.*s' not recognized", alg.len, alg.ptr);
-		return FAILED;
+		DBG1(DBG_CFG, "algorithm '%s' not recognized", alg);
+		return FALSE;
 	}
 
 	add_algorithm(this, token->type, token->algorithm, token->keysize);
 
-	if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
-	{
-		pseudo_random_function_t prf;
-
-		switch (token->algorithm)
-		{
-			case AUTH_HMAC_SHA1_96:
-				prf = PRF_HMAC_SHA1;
-				break;
-			case AUTH_HMAC_SHA2_256_128:
-				prf = PRF_HMAC_SHA2_256;
-				break;
-			case AUTH_HMAC_SHA2_384_192:
-				prf = PRF_HMAC_SHA2_384;
-				break;
-			case AUTH_HMAC_SHA2_512_256:
-				prf = PRF_HMAC_SHA2_512;
-				break;
-			case AUTH_HMAC_MD5_96:
-				prf = PRF_HMAC_MD5;
-				break;
-			case AUTH_AES_XCBC_96:
-				prf = PRF_AES128_XCBC;
-				break;
-			case AUTH_CAMELLIA_XCBC_96:
-				prf = PRF_CAMELLIA128_XCBC;
-				break;
-			case AUTH_AES_CMAC_96:
-				prf = PRF_AES128_CMAC;
-				break;
-			default:
-				prf = PRF_UNDEFINED;
-		}
-		if (prf != PRF_UNDEFINED)
-		{
-			add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
-		}
-	}
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * print all algorithms of a kind to buffer
  */
-static int print_alg(private_proposal_t *this, char **dst, size_t *len,
+static int print_alg(private_proposal_t *this, printf_hook_data_t *data,
 					 u_int kind, void *names, bool *first)
 {
 	enumerator_t *enumerator;
@@ -627,16 +502,16 @@ static int print_alg(private_proposal_t *this, char **dst, size_t *len,
 	{
 		if (*first)
 		{
-			written += print_in_hook(*dst, *len, "%N", names, alg);
+			written += print_in_hook(data, "%N", names, alg);
 			*first = FALSE;
 		}
 		else
 		{
-			written += print_in_hook(*dst, *len, "/%N", names, alg);
+			written += print_in_hook(data, "/%N", names, alg);
 		}
 		if (size)
 		{
-			written += print_in_hook(*dst, *len, "_%u", size);
+			written += print_in_hook(data, "_%u", size);
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -646,7 +521,7 @@ static int print_alg(private_proposal_t *this, char **dst, size_t *len,
 /**
  * Described in header.
  */
-int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 						 const void *const *args)
 {
 	private_proposal_t *this = *((private_proposal_t**)(args[0]));
@@ -657,7 +532,7 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 
 	if (this == NULL)
 	{
-		return print_in_hook(dst, len, "(null)");
+		return print_in_hook(data, "(null)");
 	}
 
 	if (spec->hash)
@@ -667,28 +542,28 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 		{	/* call recursivly */
 			if (first)
 			{
-				written += print_in_hook(dst, len, "%P", this);
+				written += print_in_hook(data, "%P", this);
 				first = FALSE;
 			}
 			else
 			{
-				written += print_in_hook(dst, len, ", %P", this);
+				written += print_in_hook(data, ", %P", this);
 			}
 		}
 		enumerator->destroy(enumerator);
 		return written;
 	}
 
-	written = print_in_hook(dst, len, "%N:", protocol_id_names, this->protocol);
-	written += print_alg(this, &dst, &len, ENCRYPTION_ALGORITHM,
+	written = print_in_hook(data, "%N:", protocol_id_names, this->protocol);
+	written += print_alg(this, data, ENCRYPTION_ALGORITHM,
 						 encryption_algorithm_names, &first);
-	written += print_alg(this, &dst, &len, INTEGRITY_ALGORITHM,
+	written += print_alg(this, data, INTEGRITY_ALGORITHM,
 						 integrity_algorithm_names, &first);
-	written += print_alg(this, &dst, &len, PSEUDO_RANDOM_FUNCTION,
+	written += print_alg(this, data, PSEUDO_RANDOM_FUNCTION,
 						 pseudo_random_function_names, &first);
-	written += print_alg(this, &dst, &len, DIFFIE_HELLMAN_GROUP,
+	written += print_alg(this, data, DIFFIE_HELLMAN_GROUP,
 						 diffie_hellman_group_names, &first);
-	written += print_alg(this, &dst, &len, EXTENDED_SEQUENCE_NUMBERS,
+	written += print_alg(this, data, EXTENDED_SEQUENCE_NUMBERS,
 						 extended_sequence_numbers_names, &first);
 	return written;
 }
@@ -696,11 +571,7 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 METHOD(proposal_t, destroy, void,
 	private_proposal_t *this)
 {
-	this->encryption_algos->destroy_function(this->encryption_algos, free);
-	this->integrity_algos->destroy_function(this->integrity_algos, free);
-	this->prf_algos->destroy_function(this->prf_algos, free);
-	this->dh_groups->destroy_function(this->dh_groups, free);
-	this->esns->destroy_function(this->esns, free);
+	array_destroy(this->transforms);
 	free(this);
 }
 
@@ -729,11 +600,7 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 		},
 		.protocol = protocol,
 		.number = number,
-		.encryption_algos = linked_list_create(),
-		.integrity_algos = linked_list_create(),
-		.prf_algos = linked_list_create(),
-		.dh_groups = linked_list_create(),
-		.esns = linked_list_create(),
+		.transforms = array_create(sizeof(entry_t), 0),
 	);
 
 	return &this->public;
@@ -760,6 +627,28 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 			case ENCR_AES_CTR:
 			case ENCR_CAMELLIA_CBC:
 			case ENCR_CAMELLIA_CTR:
+				/* we assume that we support all AES/Camellia sizes */
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+				break;
+			case ENCR_3DES:
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
+				break;
+			case ENCR_DES:
+				/* no, thanks */
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+	{
+		switch (encryption)
+		{
 			case ENCR_AES_CCM_ICV8:
 			case ENCR_AES_CCM_ICV12:
 			case ENCR_AES_CCM_ICV16:
@@ -774,12 +663,6 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
 				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
 				break;
-			case ENCR_3DES:
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
-				break;
-			case ENCR_DES:
-				/* no, thanks */
-				break;
 			default:
 				break;
 		}
@@ -840,6 +723,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 			case MODP_1024_BIT:
 			case MODP_1536_BIT:
 			case MODP_2048_BIT:
+			case MODP_3072_BIT:
 			case MODP_4096_BIT:
 			case MODP_8192_BIT:
 			case ECP_256_BIT:
@@ -899,28 +783,27 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
  */
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
 {
-	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
-	chunk_t string = {(void*)algs, strlen(algs)};
-	chunk_t alg;
-	status_t status = SUCCESS;
+	private_proposal_t *this;
+	enumerator_t *enumerator;
+	bool failed = TRUE;
+	char *alg;
 
-	eat_whitespace(&string);
-	if (string.len < 1)
-	{
-		destroy(this);
-		return NULL;
-	}
+	this = (private_proposal_t*)proposal_create(protocol, 0);
 
 	/* get all tokens, separated by '-' */
-	while (extract_token(&alg, '-', &string))
+	enumerator = enumerator_create_token(algs, "-", " ");
+	while (enumerator->enumerate(enumerator, &alg))
 	{
-		status |= add_string_algo(this, alg);
-	}
-	if (string.len)
-	{
-		status |= add_string_algo(this, string);
+		if (!add_string_algo(this, alg))
+		{
+			failed = TRUE;
+			break;
+		}
+		failed = FALSE;
 	}
-	if (status != SUCCESS)
+	enumerator->destroy(enumerator);
+
+	if (failed)
 	{
 		destroy(this);
 		return NULL;
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 8f54d7e6e..7733143a8 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -27,8 +27,8 @@ typedef struct proposal_t proposal_t;
 
 #include <library.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <utils/host.h>
+#include <collections/linked_list.h>
+#include <networking/host.h>
 #include <crypto/transform.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/signers/signer.h>
@@ -43,6 +43,7 @@ enum protocol_id_t {
 	PROTO_IKE = 1,
 	PROTO_AH = 2,
 	PROTO_ESP = 3,
+	PROTO_IPCOMP = 4, /* IKEv1 only */
 };
 
 /**
@@ -110,8 +111,10 @@ struct proposal_t {
 
 	/**
 	 * Strip DH groups from proposal to use it without PFS.
+	 *
+	 * @param keep			group to keep (MODP_NONE to remove all)
 	 */
-	void (*strip_dh)(proposal_t *this);
+	void (*strip_dh)(proposal_t *this, diffie_hellman_group_t keep);
 
 	/**
 	 * Compare two proposal, and select a matching subset.
@@ -215,7 +218,7 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
  * With the #-specifier, arguments are:
  *	linked_list_t *list containing proposal_t*
  */
-int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 						 const void *const *args);
 
 #endif /** PROPOSAL_H_ @}*/
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 0f247962b..c546da544 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2011-2012 Tobias Brunner
  * Copyright (C) 2007-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
  * Hochschule fuer Technik Rapperswil
@@ -23,10 +24,13 @@
 
 #include <daemon.h>
 #include <library.h>
-
+#include <threading/thread.h>
+#include <threading/spinlock.h>
+#include <threading/semaphore.h>
 
 typedef struct private_controller_t private_controller_t;
 typedef struct interface_listener_t interface_listener_t;
+typedef struct interface_logger_t interface_logger_t;
 
 /**
  * Private data of an stroke_t object.
@@ -40,19 +44,18 @@ struct private_controller_t {
 };
 
 /**
- * helper struct to map listener callbacks to interface callbacks
+ * helper struct for the logger interface
  */
-struct interface_listener_t {
-
+struct interface_logger_t {
 	/**
-	 * public bus listener interface
+	 * public logger interface
 	 */
-	listener_t public;
+	logger_t public;
 
 	/**
-	 * status of the operation, return to method callers
+	 * reference to the listener
 	 */
-	status_t status;
+	interface_listener_t *listener;
 
 	/**
 	 *  interface callback (listener gets redirected to here)
@@ -63,6 +66,27 @@ struct interface_listener_t {
 	 * user parameter to pass to callback
 	 */
 	void *param;
+};
+
+/**
+ * helper struct to map listener callbacks to interface callbacks
+ */
+struct interface_listener_t {
+
+	/**
+	 * public bus listener interface
+	 */
+	listener_t public;
+
+	/**
+	 * logger interface
+	 */
+	interface_logger_t logger;
+
+	/**
+	 * status of the operation, return to method callers
+	 */
+	status_t status;
 
 	/**
 	 * child configuration, used for initiate
@@ -80,14 +104,19 @@ struct interface_listener_t {
 	ike_sa_t *ike_sa;
 
 	/**
-	 * CHILD_SA to handle
+	 * unique ID, used for various methods
 	 */
-	child_sa_t *child_sa;
+	u_int32_t id;
 
 	/**
-	 * unique ID, used for various methods
+	 * semaphore to implement wait_for_listener()
 	 */
-	u_int32_t id;
+	semaphore_t *done;
+
+	/**
+	 * spinlock to update the IKE_SA handle properly
+	 */
+	spinlock_t *lock;
 };
 
 
@@ -107,20 +136,103 @@ struct interface_job_t {
 	 * associated listener
 	 */
 	interface_listener_t listener;
+
+	/**
+	 * the job is reference counted as the thread executing a job as well as
+	 * the thread waiting in wait_for_listener() require it but either of them
+	 * could be done first
+	 */
+	refcount_t refcount;
 };
 
-METHOD(listener_t, listener_log, bool,
-	interface_listener_t *this, debug_t group, level_t level, int thread,
-	ike_sa_t *ike_sa, char* format, va_list args)
+/**
+ * This function wakes a thread that is waiting in wait_for_listener(),
+ * either from a listener or from a job.
+ */
+static inline bool listener_done(interface_listener_t *listener)
+{
+	if (listener->done)
+	{
+		listener->done->post(listener->done);
+	}
+	return FALSE;
+}
+
+/**
+ * thread_cleanup_t handler to unregister a listener.
+ */
+static void listener_unregister(interface_listener_t *listener)
+{
+	charon->bus->remove_listener(charon->bus, &listener->public);
+	charon->bus->remove_logger(charon->bus, &listener->logger.public);
+}
+
+/**
+ * Registers the listener, executes the job and then waits synchronously until
+ * the listener is done or the timeout occurred.
+ *
+ * @note Use 'return listener_done(listener)' to properly unregister a listener
+ *
+ * @param listener  listener to register
+ * @param job       job to execute asynchronously when registered, or NULL
+ * @param timeout   max timeout in ms to listen for events, 0 to disable
+ * @return          TRUE if timed out
+ */
+static bool wait_for_listener(interface_job_t *job, u_int timeout)
 {
-	if (this->ike_sa == ike_sa)
+	interface_listener_t *listener = &job->listener;
+	bool old, timed_out = FALSE;
+
+	/* avoid that the job is destroyed too early */
+	ref_get(&job->refcount);
+
+	listener->done = semaphore_create(0);
+
+	charon->bus->add_logger(charon->bus, &listener->logger.public);
+	charon->bus->add_listener(charon->bus, &listener->public);
+	lib->processor->queue_job(lib->processor, &job->public);
+
+	thread_cleanup_push((thread_cleanup_t)listener_unregister, listener);
+	old = thread_cancelability(TRUE);
+	if (timeout)
+	{
+		timed_out = listener->done->timed_wait(listener->done, timeout);
+	}
+	else
 	{
-		if (!this->callback(this->param, group, level, ike_sa, format, args))
+		listener->done->wait(listener->done);
+	}
+	thread_cancelability(old);
+	thread_cleanup_pop(TRUE);
+	return timed_out;
+}
+
+METHOD(logger_t, listener_log, void,
+	interface_logger_t *this, debug_t group, level_t level, int thread,
+	ike_sa_t *ike_sa, const char *message)
+{
+	ike_sa_t *target;
+
+	this->listener->lock->lock(this->listener->lock);
+	target = this->listener->ike_sa;
+	this->listener->lock->unlock(this->listener->lock);
+
+	if (target == ike_sa)
+	{
+		if (!this->callback(this->param, group, level, ike_sa, message))
 		{
-			return FALSE;
+			this->listener->status = NEED_MORE;
+			listener_done(this->listener);
 		}
 	}
-	return TRUE;
+}
+
+METHOD(logger_t, listener_get_level, level_t,
+	interface_logger_t *this, debug_t group)
+{
+	/* in order to allow callback listeners to decide what they want to log
+	 * we request any log message, but only if we actually want logging */
+	return this->callback == controller_cb_empty ? LEVEL_SILENT : LEVEL_PRIVATE;
 }
 
 METHOD(job_t, get_priority_medium, job_priority_t,
@@ -132,7 +244,13 @@ METHOD(job_t, get_priority_medium, job_priority_t,
 METHOD(listener_t, ike_state_change, bool,
 	interface_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 {
-	if (this->ike_sa == ike_sa)
+	ike_sa_t *target;
+
+	this->lock->lock(this->lock);
+	target = this->ike_sa;
+	this->lock->unlock(this->lock);
+
+	if (target == ike_sa)
 	{
 		switch (state)
 		{
@@ -144,7 +262,7 @@ METHOD(listener_t, ike_state_change, bool,
 				if (peer_cfg->is_mediation(peer_cfg))
 				{
 					this->status = SUCCESS;
-					return FALSE;
+					return listener_done(this);
 				}
 				break;
 			}
@@ -154,7 +272,7 @@ METHOD(listener_t, ike_state_change, bool,
 				{	/* proper termination */
 					this->status = SUCCESS;
 				}
-				return FALSE;
+				return listener_done(this);
 			default:
 				break;
 		}
@@ -166,13 +284,19 @@ METHOD(listener_t, child_state_change, bool,
 	interface_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	child_sa_state_t state)
 {
-	if (this->ike_sa == ike_sa)
+	ike_sa_t *target;
+
+	this->lock->lock(this->lock);
+	target = this->ike_sa;
+	this->lock->unlock(this->lock);
+
+	if (target == ike_sa)
 	{
 		switch (state)
 		{
 			case CHILD_INSTALLED:
 				this->status = SUCCESS;
-				return FALSE;
+				return listener_done(this);
 			case CHILD_DESTROYING:
 				switch (child_sa->get_state(child_sa))
 				{
@@ -183,7 +307,7 @@ METHOD(listener_t, child_state_change, bool,
 					default:
 						break;
 				}
-				return FALSE;
+				return listener_done(this);
 			default:
 				break;
 		}
@@ -191,13 +315,14 @@ METHOD(listener_t, child_state_change, bool,
 	return TRUE;
 }
 
-METHOD(job_t, recheckin, void,
-	interface_job_t *job)
+METHOD(job_t, destroy_job, void,
+	interface_job_t *this)
 {
-	if (job->listener.ike_sa)
+	if (ref_put(&this->refcount))
 	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager,
-										job->listener.ike_sa);
+		this->listener.lock->destroy(this->listener.lock);
+		DESTROY_IF(this->listener.done);
+		free(this);
 	}
 }
 
@@ -208,7 +333,7 @@ METHOD(controller_t, create_ike_sa_enumerator, enumerator_t*,
 													 wait);
 }
 
-METHOD(job_t, initiate_execute, void,
+METHOD(job_t, initiate_execute, job_requeue_t,
 	interface_job_t *job)
 {
 	ike_sa_t *ike_sa;
@@ -217,7 +342,18 @@ METHOD(job_t, initiate_execute, void,
 
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 														peer_cfg);
+	if (!ike_sa)
+	{
+		listener->child_cfg->destroy(listener->child_cfg);
+		peer_cfg->destroy(peer_cfg);
+		listener->status = FAILED;
+		/* release listener */
+		listener_done(listener);
+		return JOB_REQUEUE_NONE;
+	}
+	listener->lock->lock(listener->lock);
 	listener->ike_sa = ike_sa;
+	listener->lock->unlock(listener->lock);
 
 	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 	{
@@ -227,228 +363,283 @@ METHOD(job_t, initiate_execute, void,
 
 	if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
 	{
+		if (!listener->logger.callback)
+		{
+			listener->status = SUCCESS;
+		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		listener->status = SUCCESS;
 	}
 	else
 	{
+		listener->status = FAILED;
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 													ike_sa);
-		listener->status = FAILED;
 	}
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(controller_t, initiate, status_t,
 	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	controller_cb_t callback, void *param, u_int timeout)
 {
-	interface_job_t job = {
+	interface_job_t *job;
+	status_t status;
+
+	INIT(job,
 		.listener = {
 			.public = {
-				.log = _listener_log,
 				.ike_state_change = _ike_state_change,
 				.child_state_change = _child_state_change,
 			},
-			.callback = callback,
-			.param = param,
+			.logger = {
+				.public = {
+					.log = _listener_log,
+					.get_level = _listener_get_level,
+				},
+				.callback = callback,
+				.param = param,
+			},
 			.status = FAILED,
 			.child_cfg = child_cfg,
 			.peer_cfg = peer_cfg,
+			.lock = spinlock_create(),
 		},
 		.public = {
 			.execute = _initiate_execute,
 			.get_priority = _get_priority_medium,
-			.destroy = _recheckin,
+			.destroy = _destroy_job,
 		},
-	};
+		.refcount = 1,
+	);
+	job->listener.logger.listener = &job->listener;
+	thread_cleanup_push((void*)destroy_job, job);
+
 	if (callback == NULL)
 	{
-		initiate_execute(&job);
+		initiate_execute(job);
 	}
 	else
 	{
-		if (charon->bus->listen(charon->bus, &job.listener.public, &job.public,
-								timeout))
+		if (wait_for_listener(job, timeout))
 		{
-			job.listener.status = OUT_OF_RES;
+			job->listener.status = OUT_OF_RES;
 		}
 	}
-	return job.listener.status;
+	status = job->listener.status;
+	thread_cleanup_pop(TRUE);
+	return status;
 }
 
-METHOD(job_t, terminate_ike_execute, void,
+METHOD(job_t, terminate_ike_execute, job_requeue_t,
 	interface_job_t *job)
 {
 	interface_listener_t *listener = &job->listener;
-	ike_sa_t *ike_sa = listener->ike_sa;
+	u_int32_t unique_id = listener->id;
+	ike_sa_t *ike_sa;
 
-	charon->bus->set_sa(charon->bus, ike_sa);
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													unique_id, FALSE);
+	if (!ike_sa)
+	{
+		DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id);
+		listener->status = NOT_FOUND;
+		/* release listener */
+		listener_done(listener);
+		return JOB_REQUEUE_NONE;
+	}
+	listener->lock->lock(listener->lock);
+	listener->ike_sa = ike_sa;
+	listener->lock->unlock(listener->lock);
 
 	if (ike_sa->delete(ike_sa) != DESTROY_ME)
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		/* delete failed */
+	{	/* delete failed */
 		listener->status = FAILED;
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	else
 	{
+		if (!listener->logger.callback)
+		{
+			listener->status = SUCCESS;
+		}
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 													ike_sa);
-		listener->status = SUCCESS;
 	}
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(controller_t, terminate_ike, status_t,
 	controller_t *this, u_int32_t unique_id,
 	controller_cb_t callback, void *param, u_int timeout)
 {
-	ike_sa_t *ike_sa;
-	interface_job_t job = {
+	interface_job_t *job;
+	status_t status;
+
+	INIT(job,
 		.listener = {
 			.public = {
-				.log = _listener_log,
 				.ike_state_change = _ike_state_change,
 				.child_state_change = _child_state_change,
 			},
-			.callback = callback,
-			.param = param,
+			.logger = {
+				.public = {
+					.log = _listener_log,
+					.get_level = _listener_get_level,
+				},
+				.callback = callback,
+				.param = param,
+			},
 			.status = FAILED,
 			.id = unique_id,
+			.lock = spinlock_create(),
 		},
 		.public = {
 			.execute = _terminate_ike_execute,
 			.get_priority = _get_priority_medium,
-			.destroy = _recheckin,
+			.destroy = _destroy_job,
 		},
-	};
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													unique_id, FALSE);
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id);
-		return NOT_FOUND;
-	}
-	job.listener.ike_sa = ike_sa;
+		.refcount = 1,
+	);
+	job->listener.logger.listener = &job->listener;
+	thread_cleanup_push((void*)destroy_job, job);
 
 	if (callback == NULL)
 	{
-		terminate_ike_execute(&job);
+		terminate_ike_execute(job);
 	}
 	else
 	{
-		if (charon->bus->listen(charon->bus, &job.listener.public, &job.public,
-								timeout))
+		if (wait_for_listener(job, timeout))
 		{
-			job.listener.status = OUT_OF_RES;
+			job->listener.status = OUT_OF_RES;
 		}
-		/* checkin of the ike_sa happened in the thread that executed the job */
-		charon->bus->set_sa(charon->bus, NULL);
 	}
-	return job.listener.status;
+	status = job->listener.status;
+	thread_cleanup_pop(TRUE);
+	return status;
 }
 
-METHOD(job_t, terminate_child_execute, void,
+METHOD(job_t, terminate_child_execute, job_requeue_t,
 	interface_job_t *job)
 {
 	interface_listener_t *listener = &job->listener;
-	ike_sa_t *ike_sa = listener->ike_sa;
-	child_sa_t *child_sa = listener->child_sa;
+	u_int32_t reqid = listener->id;
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													reqid, TRUE);
+	if (!ike_sa)
+	{
+		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
+			 reqid);
+		listener->status = NOT_FOUND;
+		/* release listener */
+		listener_done(listener);
+		return JOB_REQUEUE_NONE;
+	}
+	listener->lock->lock(listener->lock);
+	listener->ike_sa = ike_sa;
+	listener->lock->unlock(listener->lock);
+
+	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+	while (enumerator->enumerate(enumerator, (void**)&child_sa))
+	{
+		if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
+			child_sa->get_reqid(child_sa) == reqid)
+		{
+			break;
+		}
+		child_sa = NULL;
+	}
+	enumerator->destroy(enumerator);
+
+	if (!child_sa)
+	{
+		DBG1(DBG_IKE, "unable to terminate, established "
+			 "CHILD_SA with ID %d not found", reqid);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		listener->status = NOT_FOUND;
+		/* release listener */
+		listener_done(listener);
+		return JOB_REQUEUE_NONE;
+	}
 
-	charon->bus->set_sa(charon->bus, ike_sa);
 	if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
-								child_sa->get_spi(child_sa, TRUE)) != DESTROY_ME)
+					child_sa->get_spi(child_sa, TRUE), FALSE) != DESTROY_ME)
 	{
+		if (!listener->logger.callback)
+		{
+			listener->status = SUCCESS;
+		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		listener->status = SUCCESS;
 	}
 	else
 	{
+		listener->status = FAILED;
 		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 													ike_sa);
-		listener->status = FAILED;
 	}
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(controller_t, terminate_child, status_t,
 	controller_t *this, u_int32_t reqid,
 	controller_cb_t callback, void *param, u_int timeout)
 {
-	ike_sa_t *ike_sa;
-	child_sa_t *child_sa;
-	enumerator_t *enumerator;
-	interface_job_t job = {
+	interface_job_t *job;
+	status_t status;
+
+	INIT(job,
 		.listener = {
 			.public = {
-				.log = _listener_log,
 				.ike_state_change = _ike_state_change,
 				.child_state_change = _child_state_change,
 			},
-			.callback = callback,
-			.param = param,
+			.logger = {
+				.public = {
+					.log = _listener_log,
+					.get_level = _listener_get_level,
+				},
+				.callback = callback,
+				.param = param,
+			},
 			.status = FAILED,
 			.id = reqid,
+			.lock = spinlock_create(),
 		},
 		.public = {
 			.execute = _terminate_child_execute,
 			.get_priority = _get_priority_medium,
-			.destroy = _recheckin,
+			.destroy = _destroy_job,
 		},
-	};
-
-	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
-													reqid, TRUE);
-	if (ike_sa == NULL)
-	{
-		DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
-			 reqid);
-		return NOT_FOUND;
-	}
-	job.listener.ike_sa = ike_sa;
-
-	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
-	while (enumerator->enumerate(enumerator, (void**)&child_sa))
-	{
-		if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
-			child_sa->get_reqid(child_sa) == reqid)
-		{
-			break;
-		}
-		child_sa = NULL;
-	}
-	enumerator->destroy(enumerator);
-
-	if (child_sa == NULL)
-	{
-		DBG1(DBG_IKE, "unable to terminate, established "
-			 "CHILD_SA with ID %d not found", reqid);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-		return NOT_FOUND;
-	}
-	job.listener.child_sa = child_sa;
+		.refcount = 1,
+	);
+	job->listener.logger.listener = &job->listener;
+	thread_cleanup_push((void*)destroy_job, job);
 
 	if (callback == NULL)
 	{
-		terminate_child_execute(&job);
+		terminate_child_execute(job);
 	}
 	else
 	{
-		if (charon->bus->listen(charon->bus, &job.listener.public, &job.public,
-								timeout))
+		if (wait_for_listener(job, timeout))
 		{
-			job.listener.status = OUT_OF_RES;
+			job->listener.status = OUT_OF_RES;
 		}
-		/* checkin of the ike_sa happened in the thread that executed the job */
-		charon->bus->set_sa(charon->bus, NULL);
 	}
-	return job.listener.status;
+	status = job->listener.status;
+	thread_cleanup_pop(TRUE);
+	return status;
 }
 
 /**
  * See header
  */
 bool controller_cb_empty(void *param, debug_t group, level_t level,
-						 ike_sa_t *ike_sa, char *format, va_list args)
+						 ike_sa_t *ike_sa, const char *message)
 {
 	return TRUE;
 }
@@ -478,4 +669,3 @@ controller_t *controller_create(void)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
index 6adaef109..222285cde 100644
--- a/src/libcharon/control/controller.h
+++ b/src/libcharon/control/controller.h
@@ -24,27 +24,26 @@
 #include <bus/bus.h>
 
 /**
- * callback to log things triggered by controller.
+ * Callback to log things triggered by controller.
  *
- * @param param			echoed parameter supplied when function invoked
+ * @param param			parameter supplied when controller method was called
  * @param group			debugging group
- * @param level			verbosity level if log
+ * @param level			verbosity level
  * @param ike_sa		associated IKE_SA, if any
- * @param format		printf like format string
- * @param args			list of arguments to use for format
- * @return				FALSE to return from invoked function
+ * @param message		log message
+ * @return				FALSE to return from called controller method
  */
-typedef bool(*controller_cb_t)(void* param, debug_t group, level_t level,
-							   ike_sa_t* ike_sa, char* format, va_list args);
+typedef bool (*controller_cb_t)(void* param, debug_t group, level_t level,
+								ike_sa_t* ike_sa, const char *message);
 
 /**
- * Empty callback function for controller_t functions.
+ * Empty callback function for controller_t methods.
  *
  * If you want to do a synchronous call, but don't need a callback, pass
- * this function to the controllers methods.
+ * this function to the controller methods.
  */
 bool controller_cb_empty(void *param, debug_t group, level_t level,
-						 ike_sa_t *ike_sa, char *format, va_list args);
+						 ike_sa_t *ike_sa, const char *message);
 
 typedef struct controller_t controller_t;
 
@@ -75,9 +74,8 @@ struct controller_t {
 	/**
 	 * Initiate a CHILD_SA, and if required, an IKE_SA.
 	 *
-	 * The initiate() function is synchronous and thus blocks until the
-	 * IKE_SA is established or failed. Because of this, the initiate() function
-	 * contains a thread cancellation point.
+	 * If a callback is provided the function is synchronous and thus blocks
+	 * until the IKE_SA is established or failed.
 	 *
 	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
 	 * @param child_cfg		child_cfg to set up CHILD_SA from
@@ -97,9 +95,8 @@ struct controller_t {
 	/**
 	 * Terminate an IKE_SA and all of its CHILD_SAs.
 	 *
-	 * The terminate() function is synchronous and thus blocks until the
-	 * IKE_SA is properly deleted, or the delete timed out.
-	 * The terminate() function contains a thread cancellation point.
+	 * If a callback is provided the function is synchronous and thus blocks
+	 * until the IKE_SA is properly deleted, or the call timed out.
 	 *
 	 * @param unique_id		unique id of the IKE_SA to terminate.
 	 * @param cb			logging callback
@@ -118,6 +115,9 @@ struct controller_t {
 	/**
 	 * Terminate a CHILD_SA.
 	 *
+	 * If a callback is provided the function is synchronous and thus blocks
+	 * until the CHILD_SA is properly deleted, or the call timed out.
+	 *
 	 * @param reqid			reqid of the CHILD_SA to terminate
 	 * @param cb			logging callback
 	 * @param param			parameter to include in each call of cb
@@ -138,12 +138,11 @@ struct controller_t {
 	void (*destroy) (controller_t *this);
 };
 
-
 /**
  * Creates a controller instance.
  *
  * @return 			controller_t object
  */
-controller_t *controller_create(void);
+controller_t *controller_create();
 
 #endif /** CONTROLLER_H_ @}*/
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 3fb49d475..5e3ae72b9 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -19,23 +19,23 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <syslog.h>
 #include <time.h>
 
-#ifdef CAPABILITIES
-# ifdef HAVE_SYS_CAPABILITY_H
-#  include <sys/capability.h>
-# elif defined(CAPABILITIES_NATIVE)
-#  include <linux/capability.h>
-# endif /* CAPABILITIES_NATIVE */
-#endif /* CAPABILITIES */
-
 #include "daemon.h"
 
 #include <library.h>
-#include <plugins/plugin.h>
+#include <bus/listeners/sys_logger.h>
+#include <bus/listeners/file_logger.h>
 #include <config/proposal.h>
+#include <plugins/plugin_feature.h>
 #include <kernel/kernel_handler.h>
 #include <processing/jobs/start_action_job.h>
+#include <threading/mutex.h>
+
+#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
 
 typedef struct private_daemon_t private_daemon_t;
 
@@ -54,15 +54,29 @@ struct private_daemon_t {
 	kernel_handler_t *kernel_handler;
 
 	/**
-	 * capabilities to keep
+	 * A list of installed loggers (as logger_entry_t*)
+	 */
+	linked_list_t *loggers;
+
+	/**
+	 * Identifier used for syslog (in the openlog call)
+	 */
+	char *syslog_identifier;
+
+	/**
+	 * Mutex for configured loggers
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Integrity check failed?
 	 */
-#ifdef CAPABILITIES_LIBCAP
-	cap_t caps;
-#endif /* CAPABILITIES_LIBCAP */
-#ifdef CAPABILITIES_NATIVE
-	struct __user_cap_data_struct caps[2];
-#endif /* CAPABILITIES_NATIVE */
+	bool integrity_failed;
 
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
@@ -93,13 +107,333 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
 }
 
 /**
+ * Some metadata about configured loggers
+ */
+typedef struct {
+	/**
+	 * Target of the logger (syslog facility or filename)
+	 */
+	char *target;
+
+	/**
+	 * TRUE if this is a file logger
+	 */
+	bool file;
+
+	/**
+	 * The actual logger
+	 */
+	union {
+		sys_logger_t *sys;
+		file_logger_t *file;
+	} logger;
+
+} logger_entry_t;
+
+/**
+ * Destroy a logger entry
+ */
+static void logger_entry_destroy(logger_entry_t *this)
+{
+	if (this->file)
+	{
+		DESTROY_IF(this->logger.file);
+	}
+	else
+	{
+		DESTROY_IF(this->logger.sys);
+	}
+	free(this->target);
+	free(this);
+}
+
+/**
+ * Unregister and destroy a logger entry
+ */
+static void logger_entry_unregister_destroy(logger_entry_t *this)
+{
+	if (this->file)
+	{
+		charon->bus->remove_logger(charon->bus, &this->logger.file->logger);
+	}
+	else
+	{
+		charon->bus->remove_logger(charon->bus, &this->logger.sys->logger);
+	}
+	logger_entry_destroy(this);
+}
+
+/**
+ * Match a logger entry by target and whether it is a file or syslog logger
+ */
+static bool logger_entry_match(logger_entry_t *this, char *target, bool *file)
+{
+	return this->file == *file && streq(this->target, target);
+}
+
+/**
+ * Handle configured syslog identifier
+ *
+ * mutex must be locked when calling this function
+ */
+static void handle_syslog_identifier(private_daemon_t *this)
+{
+	char *identifier;
+
+	identifier = lib->settings->get_str(lib->settings, "%s.syslog.identifier",
+										NULL, charon->name);
+	if (identifier)
+	{	/* set identifier, which is prepended to each log line */
+		if (!this->syslog_identifier ||
+			!streq(identifier, this->syslog_identifier))
+		{
+			closelog();
+			this->syslog_identifier = identifier;
+			openlog(this->syslog_identifier, 0, 0);
+		}
+	}
+	else if (this->syslog_identifier)
+	{
+		closelog();
+		this->syslog_identifier = NULL;
+	}
+}
+
+/**
+ * Convert the given string into a syslog facility, returns -1 if the facility
+ * is not supported
+ */
+static int get_syslog_facility(char *facility)
+{
+	if (streq(facility, "daemon"))
+	{
+		return LOG_DAEMON;
+	}
+	else if (streq(facility, "auth"))
+	{
+		return LOG_AUTHPRIV;
+	}
+	return -1;
+}
+
+/**
+ * Returns an existing or newly created logger entry (if found, it is removed
+ * from the given linked list of existing loggers)
+ */
+static logger_entry_t *get_logger_entry(char *target, bool is_file_logger,
+										linked_list_t *existing)
+{
+	logger_entry_t *entry;
+
+	if (existing->find_first(existing, (void*)logger_entry_match,
+							(void**)&entry, target, &is_file_logger) != SUCCESS)
+	{
+		INIT(entry,
+			.target = strdup(target),
+			.file = is_file_logger,
+		);
+		if (is_file_logger)
+		{
+			entry->logger.file = file_logger_create(target);
+		}
+		else
+		{
+			entry->logger.sys = sys_logger_create(get_syslog_facility(target));
+		}
+	}
+	else
+	{
+		existing->remove(existing, entry, NULL);
+	}
+	return entry;
+}
+
+/**
+ * Create or reuse a syslog logger
+ */
+static sys_logger_t *add_sys_logger(private_daemon_t *this, char *facility,
+									linked_list_t *current_loggers)
+{
+	logger_entry_t *entry;
+
+	entry = get_logger_entry(facility, FALSE, current_loggers);
+	this->loggers->insert_last(this->loggers, entry);
+	return entry->logger.sys;
+}
+
+/**
+ * Create or reuse a file logger
+ */
+static file_logger_t *add_file_logger(private_daemon_t *this, char *filename,
+									  linked_list_t *current_loggers)
+{
+	logger_entry_t *entry;
+
+	entry = get_logger_entry(filename, TRUE, current_loggers);
+	this->loggers->insert_last(this->loggers, entry);
+	return entry->logger.file;
+}
+
+/**
+ * Load the given syslog logger configured in strongswan.conf
+ */
+static void load_sys_logger(private_daemon_t *this, char *facility,
+							linked_list_t *current_loggers)
+{
+	sys_logger_t *sys_logger;
+	debug_t group;
+	level_t def;
+
+	if (get_syslog_facility(facility) == -1)
+	{
+		return;
+	}
+
+	sys_logger = add_sys_logger(this, facility, current_loggers);
+	sys_logger->set_options(sys_logger,
+				lib->settings->get_bool(lib->settings, "%s.syslog.%s.ike_name",
+										FALSE, charon->name, facility));
+
+	def = lib->settings->get_int(lib->settings, "%s.syslog.%s.default", 1,
+								 charon->name, facility);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		sys_logger->set_level(sys_logger, group,
+				lib->settings->get_int(lib->settings, "%s.syslog.%s.%N", def,
+							charon->name, facility, debug_lower_names, group));
+	}
+	charon->bus->add_logger(charon->bus, &sys_logger->logger);
+}
+
+/**
+ * Load the given file logger configured in strongswan.conf
+ */
+static void load_file_logger(private_daemon_t *this, char *filename,
+							 linked_list_t *current_loggers)
+{
+	file_logger_t *file_logger;
+	debug_t group;
+	level_t def;
+	bool ike_name, flush_line, append;
+	char *time_format;
+
+	time_format = lib->settings->get_str(lib->settings,
+					"%s.filelog.%s.time_format", NULL, charon->name, filename);
+	ike_name = lib->settings->get_bool(lib->settings,
+					"%s.filelog.%s.ike_name", FALSE, charon->name, filename);
+	flush_line = lib->settings->get_bool(lib->settings,
+					"%s.filelog.%s.flush_line", FALSE, charon->name, filename);
+	append = lib->settings->get_bool(lib->settings,
+					"%s.filelog.%s.append", TRUE, charon->name, filename);
+
+	file_logger = add_file_logger(this, filename, current_loggers);
+	file_logger->set_options(file_logger, time_format, ike_name);
+	file_logger->open(file_logger, flush_line, append);
+
+	def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1,
+								 charon->name, filename);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		file_logger->set_level(file_logger, group,
+				lib->settings->get_int(lib->settings, "%s.filelog.%s.%N", def,
+							charon->name, filename, debug_lower_names, group));
+	}
+	charon->bus->add_logger(charon->bus, &file_logger->logger);
+}
+
+METHOD(daemon_t, load_loggers, void,
+	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
+{
+	enumerator_t *enumerator;
+	linked_list_t *current_loggers;
+	char *target;
+
+	this->mutex->lock(this->mutex);
+	handle_syslog_identifier(this);
+	current_loggers = this->loggers;
+	this->loggers = linked_list_create();
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+													"%s.syslog", charon->name);
+	while (enumerator->enumerate(enumerator, &target))
+	{
+		load_sys_logger(this, target, current_loggers);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+													"%s.filelog", charon->name);
+	while (enumerator->enumerate(enumerator, &target))
+	{
+		load_file_logger(this, target, current_loggers);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!this->loggers->get_count(this->loggers) && levels)
+	{	/* setup legacy style default loggers configured via command-line */
+		file_logger_t *file_logger;
+		sys_logger_t *sys_logger;
+		debug_t group;
+
+		sys_logger = add_sys_logger(this, "daemon", current_loggers);
+		file_logger = add_file_logger(this, "stdout", current_loggers);
+		file_logger->open(file_logger, FALSE, FALSE);
+
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			sys_logger->set_level(sys_logger, group, levels[group]);
+			if (to_stderr)
+			{
+				file_logger->set_level(file_logger, group, levels[group]);
+			}
+		}
+		charon->bus->add_logger(charon->bus, &sys_logger->logger);
+		charon->bus->add_logger(charon->bus, &file_logger->logger);
+
+		sys_logger = add_sys_logger(this, "auth", current_loggers);
+		sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT);
+		charon->bus->add_logger(charon->bus, &sys_logger->logger);
+	}
+	/* unregister and destroy any unused remaining loggers */
+	current_loggers->destroy_function(current_loggers,
+									 (void*)logger_entry_unregister_destroy);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(daemon_t, set_level, void,
+	private_daemon_t *this, debug_t group, level_t level)
+{
+	enumerator_t *enumerator;
+	logger_entry_t *entry;
+
+	/* we set the loglevel on ALL sys- and file-loggers */
+	this->mutex->lock(this->mutex);
+	enumerator = this->loggers->create_enumerator(this->loggers);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->file)
+		{
+			entry->logger.file->set_level(entry->logger.file, group, level);
+			charon->bus->add_logger(charon->bus, &entry->logger.file->logger);
+		}
+		else
+		{
+			entry->logger.sys->set_level(entry->logger.sys, group, level);
+			charon->bus->add_logger(charon->bus, &entry->logger.sys->logger);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
  * Clean up all daemon resources
  */
 static void destroy(private_daemon_t *this)
 {
 	/* terminate all idle threads */
 	lib->processor->set_threads(lib->processor, 0);
-
+	/* make sure nobody waits for a DNS query */
+	lib->hosts->flush(lib->hosts);
 	/* close all IKE_SAs */
 	if (this->public.ike_sa_manager)
 	{
@@ -109,132 +443,102 @@ static void destroy(private_daemon_t *this)
 	{
 		this->public.traps->flush(this->public.traps);
 	}
-	DESTROY_IF(this->public.receiver);
-	DESTROY_IF(this->public.sender);
+	if (this->public.sender)
+	{
+		this->public.sender->flush(this->public.sender);
+	}
+
+	/* cancel all threads and wait for their termination */
+	lib->processor->cancel(lib->processor);
+
 #ifdef ME
 	DESTROY_IF(this->public.connect_manager);
 	DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
 	/* make sure the cache is clear before unloading plugins */
 	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
-	/* unload plugins to release threads */
 	lib->plugins->unload(lib->plugins);
-#ifdef CAPABILITIES_LIBCAP
-	cap_free(this->caps);
-#endif /* CAPABILITIES_LIBCAP */
 	DESTROY_IF(this->kernel_handler);
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.shunts);
 	DESTROY_IF(this->public.ike_sa_manager);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
+	DESTROY_IF(this->public.xauth);
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
 	DESTROY_IF(this->public.bus);
-	this->public.file_loggers->destroy_offset(this->public.file_loggers,
-											offsetof(file_logger_t, destroy));
-	this->public.sys_loggers->destroy_offset(this->public.sys_loggers,
-											offsetof(sys_logger_t, destroy));
+	this->loggers->destroy_function(this->loggers, (void*)logger_entry_destroy);
+	this->mutex->destroy(this->mutex);
+	free((void*)this->public.name);
 	free(this);
 }
 
-METHOD(daemon_t, keep_cap, void,
-	   private_daemon_t *this, u_int cap)
+METHOD(daemon_t, start, void,
+	   private_daemon_t *this)
 {
-#ifdef CAPABILITIES_LIBCAP
-	cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
-	cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
-	cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
-#endif /* CAPABILITIES_LIBCAP */
-#ifdef CAPABILITIES_NATIVE
-	int i = 0;
-
-	if (cap >= 32)
-	{
-		i++;
-		cap -= 32;
-	}
-	this->caps[i].effective |= 1 << cap;
-	this->caps[i].permitted |= 1 << cap;
-	this->caps[i].inheritable |= 1 << cap;
-#endif /* CAPABILITIES_NATIVE */
+	/* start the engine, go multithreaded */
+	lib->processor->set_threads(lib->processor,
+						lib->settings->get_int(lib->settings, "%s.threads",
+											   DEFAULT_THREADS, charon->name));
 }
 
-METHOD(daemon_t, drop_capabilities, bool,
-	   private_daemon_t *this)
+
+/**
+ * Initialize/deinitialize sender and receiver
+ */
+static bool sender_receiver_cb(void *plugin, plugin_feature_t *feature,
+							   bool reg, private_daemon_t *this)
 {
-#ifdef CAPABILITIES_LIBCAP
-	if (cap_set_proc(this->caps) != 0)
+	if (reg)
 	{
-		return FALSE;
+		this->public.receiver = receiver_create();
+		if (!this->public.receiver)
+		{
+			return FALSE;
+		}
+		this->public.sender = sender_create();
 	}
-#endif /* CAPABILITIES_LIBCAP */
-#ifdef CAPABILITIES_NATIVE
-	struct __user_cap_header_struct header = {
-#if defined(_LINUX_CAPABILITY_VERSION_3)
-		.version = _LINUX_CAPABILITY_VERSION_3,
-#elif defined(_LINUX_CAPABILITY_VERSION_2)
-		.version = _LINUX_CAPABILITY_VERSION_2,
-#elif defined(_LINUX_CAPABILITY_VERSION_1)
-		.version = _LINUX_CAPABILITY_VERSION_1,
-#else
-		.version = _LINUX_CAPABILITY_VERSION,
-#endif
-	};
-	if (capset(&header, this->caps) != 0)
+	else
 	{
-		return FALSE;
+		DESTROY_IF(this->public.receiver);
+		DESTROY_IF(this->public.sender);
 	}
-#endif /* CAPABILITIES_NATIVE */
 	return TRUE;
 }
 
-METHOD(daemon_t, start, void,
-	   private_daemon_t *this)
-{
-	/* start the engine, go multithreaded */
-	lib->processor->set_threads(lib->processor,
-						lib->settings->get_int(lib->settings, "charon.threads",
-											   DEFAULT_THREADS));
-}
-
 METHOD(daemon_t, initialize, bool,
-	private_daemon_t *this)
+	private_daemon_t *this, char *plugins)
 {
-	DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
-
-	if (lib->integrity)
-	{
-		DBG1(DBG_DMN, "integrity tests enabled:");
-		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
-	}
+	plugin_feature_t features[] = {
+		PLUGIN_PROVIDE(CUSTOM, "libcharon"),
+			PLUGIN_DEPENDS(NONCE_GEN),
+			PLUGIN_DEPENDS(CUSTOM, "libcharon-receiver"),
+			PLUGIN_DEPENDS(CUSTOM, "kernel-ipsec"),
+			PLUGIN_DEPENDS(CUSTOM, "kernel-net"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)sender_receiver_cb, this),
+			PLUGIN_PROVIDE(CUSTOM, "libcharon-receiver"),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+				PLUGIN_DEPENDS(CUSTOM, "socket"),
+	};
+	lib->plugins->add_static_features(lib->plugins, charon->name, features,
+									  countof(features), TRUE);
 
 	/* load plugins, further infrastructure may need it */
-	if (!lib->plugins->load(lib->plugins, NULL,
-			lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
+	if (!lib->plugins->load(lib->plugins, plugins))
 	{
 		return FALSE;
 	}
-	DBG1(DBG_DMN, "loaded plugins: %s",
-		 lib->plugins->loaded_plugins(lib->plugins));
 
 	this->public.ike_sa_manager = ike_sa_manager_create();
 	if (this->public.ike_sa_manager == NULL)
 	{
 		return FALSE;
 	}
-	this->public.sender = sender_create();
-	this->public.receiver = receiver_create();
-	if (this->public.receiver == NULL)
-	{
-		return FALSE;
-	}
 
 	/* Queue start_action job */
 	lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create());
@@ -254,41 +558,33 @@ METHOD(daemon_t, initialize, bool,
 /**
  * Create the daemon.
  */
-private_daemon_t *daemon_create()
+private_daemon_t *daemon_create(const char *name)
 {
 	private_daemon_t *this;
 
 	INIT(this,
 		.public = {
-			.keep_cap = _keep_cap,
-			.drop_capabilities = _drop_capabilities,
 			.initialize = _initialize,
 			.start = _start,
+			.load_loggers = _load_loggers,
+			.set_level = _set_level,
 			.bus = bus_create(),
-			.file_loggers = linked_list_create(),
-			.sys_loggers = linked_list_create(),
+			.name = strdup(name ?: "libcharon"),
 		},
+		.loggers = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.ref = 1,
 	);
 	charon = &this->public;
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
+	this->public.xauth = xauth_manager_create();
 	this->public.backends = backend_manager_create();
 	this->public.socket = socket_manager_create();
 	this->public.traps = trap_manager_create();
 	this->public.shunts = shunt_manager_create();
 	this->kernel_handler = kernel_handler_create();
 
-#ifdef CAPABILITIES
-#ifdef CAPABILITIES_LIBCAP
-	this->caps = cap_init();
-#endif /* CAPABILITIES_LIBCAP */
-	keep_cap(this, CAP_NET_ADMIN);
-	if (lib->leak_detective)
-	{
-		keep_cap(this, CAP_SYS_NICE);
-	}
-#endif /* CAPABILITIES */
-
 	return this;
 }
 
@@ -297,16 +593,32 @@ private_daemon_t *daemon_create()
  */
 void libcharon_deinit()
 {
-	destroy((private_daemon_t*)charon);
+	private_daemon_t *this = (private_daemon_t*)charon;
+
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
+	destroy(this);
 	charon = NULL;
 }
 
 /**
  * Described in header.
  */
-bool libcharon_init()
+bool libcharon_init(const char *name)
 {
-	daemon_create();
+	private_daemon_t *this;
+
+	if (charon)
+	{	/* already initialized, increase refcount */
+		this = (private_daemon_t*)charon;
+		ref_get(&this->ref);
+		return !this->integrity_failed;
+	}
+
+	this = daemon_create(name);
 
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());
@@ -324,8 +636,7 @@ bool libcharon_init()
 		!lib->integrity->check(lib->integrity, "libcharon", libcharon_init))
 	{
 		dbg(DBG_DMN, 1, "integrity check of libcharon failed");
-		return FALSE;
+		this->integrity_failed = TRUE;
 	}
-
-	return TRUE;
+	return !this->integrity_failed;
 }
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 2e01c8d9b..24e623c44 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -55,15 +55,30 @@
  * @defgroup sa sa
  * @ingroup libcharon
  *
- * @defgroup authenticators authenticators
+ * @defgroup ikev1 ikev1
  * @ingroup sa
  *
+ * @defgroup ikev2 ikev2
+ * @ingroup sa
+ *
+ * @defgroup authenticators_v1 authenticators
+ * @ingroup ikev1
+ *
+ * @defgroup authenticators_v2 authenticators
+ * @ingroup ikev2
+ *
  * @defgroup eap eap
- * @ingroup authenticators
+ * @ingroup sa
  *
- * @defgroup tasks tasks
+ * @defgroup xauth xauth
  * @ingroup sa
  *
+ * @defgroup tasks_v1 tasks
+ * @ingroup ikev1
+ *
+ * @defgroup tasks_v2 tasks
+ * @ingroup ikev2
+ *
  * @addtogroup libcharon
  * @{
  *
@@ -142,17 +157,16 @@ typedef struct daemon_t daemon_t;
 #include <network/socket_manager.h>
 #include <control/controller.h>
 #include <bus/bus.h>
-#include <bus/listeners/file_logger.h>
-#include <bus/listeners/sys_logger.h>
 #include <sa/ike_sa_manager.h>
 #include <sa/trap_manager.h>
 #include <sa/shunt_manager.h>
 #include <config/backend_manager.h>
-#include <sa/authenticators/eap/eap_manager.h>
+#include <sa/eap/eap_manager.h>
+#include <sa/xauth/xauth_manager.h>
 
 #ifdef ME
-#include <sa/connect_manager.h>
-#include <sa/mediation_manager.h>
+#include <sa/ikev2/connect_manager.h>
+#include <sa/ikev2/mediation_manager.h>
 #endif /* ME */
 
 /**
@@ -161,16 +175,31 @@ typedef struct daemon_t daemon_t;
 #define DEFAULT_THREADS 16
 
 /**
- * UDP Port on which the daemon will listen for incoming traffic.
+ * Primary UDP port used by IKE.
  */
 #define IKEV2_UDP_PORT 500
 
 /**
- * UDP Port to which the daemon will float to if NAT is detected.
+ * UDP port defined for use in case a NAT is detected.
  */
 #define IKEV2_NATT_PORT 4500
 
 /**
+ * UDP port on which the daemon will listen for incoming traffic (also used as
+ * source port for outgoing traffic).
+ */
+#ifndef CHARON_UDP_PORT
+#define CHARON_UDP_PORT IKEV2_UDP_PORT
+#endif
+
+/**
+ * UDP port used by the daemon in case a NAT is detected.
+ */
+#ifndef CHARON_NATT_PORT
+#define CHARON_NATT_PORT IKEV2_NATT_PORT
+#endif
+
+/**
  * Main class of daemon, contains some globals.
  */
 struct daemon_t {
@@ -216,16 +245,6 @@ struct daemon_t {
 	bus_t *bus;
 
 	/**
-	 * A list of installed file_logger_t's
-	 */
-	linked_list_t *file_loggers;
-
-	/**
-	 * A list of installed sys_logger_t's
-	 */
-	linked_list_t *sys_loggers;
-
-	/**
 	 * Controller to control the daemon
 	 */
 	controller_t *controller;
@@ -235,6 +254,11 @@ struct daemon_t {
 	 */
 	eap_manager_t *eap;
 
+	/**
+	 * XAuth manager to maintain registered XAuth methods
+	 */
+	xauth_manager_t *xauth;
+
 #ifdef ME
 	/**
 	 * Connect manager
@@ -248,45 +272,42 @@ struct daemon_t {
 #endif /* ME */
 
 	/**
-	 * User ID the daemon will user after initialization
+	 * Name of the binary that uses the library (used for settings etc.)
 	 */
-	uid_t uid;
+	const char *name;
 
 	/**
-	 * Group ID the daemon will use after initialization
-	 */
-	gid_t gid;
-
-	/**
-	 * Do not drop a given capability after initialization.
+	 * Initialize the daemon.
 	 *
-	 * Some plugins might need additional capabilites. They tell the daemon
-	 * during plugin initialization which one they need, the daemon won't
-	 * drop these.
+	 * @param plugins	list of plugins to load
+	 * @return			TRUE, if successful
 	 */
-	void (*keep_cap)(daemon_t *this, u_int cap);
+	bool (*initialize)(daemon_t *this, char *plugins);
 
 	/**
-	 * Drop all capabilities of the current process.
-	 *
-	 * Drops all capabalities, excect those exlcuded using keep_cap().
-	 * This should be called after the initialization of the daemon because
-	 * some plugins require the process to keep additional capabilities.
-	 *
-	 * @return		TRUE if successful, FALSE otherwise
+	 * Starts the daemon, i.e. spawns the threads of the thread pool.
 	 */
-	bool (*drop_capabilities)(daemon_t *this);
+	void (*start)(daemon_t *this);
 
 	/**
-	 * Initialize the daemon.
+	 * Load/Reload loggers defined in strongswan.conf
+	 *
+	 * @param levels	optional debug levels used to create default loggers
+	 * 					if none are defined in strongswan.conf
+	 * @param to_stderr	TRUE to log to stderr/stdout if no loggers are defined
+	 * 					in strongswan.conf
 	 */
-	bool (*initialize)(daemon_t *this);
+	void (*load_loggers)(daemon_t *this, level_t levels[DBG_MAX],
+						 bool to_stderr);
 
 	/**
-	 * Starts the daemon, i.e. spawns the threads of the thread pool.
+	 * Set the log level for the given log group for all configured file- and
+	 * syslog-loggers.
+	 *
+	 * @param group		log group
+	 * @param level		log level
 	 */
-	void (*start)(daemon_t *this);
-
+	void (*set_level)(daemon_t *this, debug_t group, level_t level);
 };
 
 /**
@@ -302,9 +323,13 @@ extern daemon_t *charon;
  * This function initializes the bus, listeners can be registered before
  * calling initialize().
  *
+ * libcharon_init() may be called multiple times in a single process, but each
+ * caller should call libcharon_deinit() for each call to libcharon_init().
+ *
+ * @param name	name of the binary that uses the library
  * @return		FALSE if integrity check failed
  */
-bool libcharon_init();
+bool libcharon_init(const char *name);
 
 /**
  * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
index 60fa7e0c4..2b6825c71 100644
--- a/src/libcharon/encoding/generator.c
+++ b/src/libcharon/encoding/generator.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2011 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -23,7 +24,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
 #include <encoding/payloads/transform_substructure.h>
@@ -108,6 +109,11 @@ struct private_generator_t {
 	 * to hold the length of the transform attribute in bytes.
 	 */
 	u_int16_t attribute_length;
+
+	/**
+	 * TRUE, if debug messages should be logged during generation.
+	 */
+	bool debug;
 };
 
 /**
@@ -155,8 +161,11 @@ static void make_space_available(private_generator_t *this, int bits)
 		new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
 		out_position_offset = this->out_position - this->buffer;
 
-		DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte",
-			 old_buffer_size, new_buffer_size);
+		if (this->debug)
+		{
+			DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte",
+				 old_buffer_size, new_buffer_size);
+		}
 
 		this->buffer = realloc(this->buffer,new_buffer_size);
 		this->out_position = (this->buffer + out_position_offset);
@@ -205,7 +214,7 @@ static void generate_u_int_type(private_generator_t *this,
 			break;
 		case U_INT_16:
 		case PAYLOAD_LENGTH:
-		case CONFIGURATION_ATTRIBUTE_LENGTH:
+		case ATTRIBUTE_LENGTH:
 			number_of_bits = 16;
 			break;
 		case U_INT_32:
@@ -244,7 +253,10 @@ static void generate_u_int_type(private_generator_t *this,
 				low = *(this->out_position) & 0x0F;
 				/* high is set, low_val is not changed */
 				*(this->out_position) = high | low;
-				DBG3(DBG_ENC, "   => %d", *(this->out_position));
+				if (this->debug)
+				{
+					DBG3(DBG_ENC, "   => %d", *(this->out_position));
+				}
 				/* write position is not changed, just bit position is moved */
 				this->current_bit = 4;
 			}
@@ -255,7 +267,10 @@ static void generate_u_int_type(private_generator_t *this,
 				/* low of current byte in buffer has to be set to the new value*/
 				low = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
 				*(this->out_position) = high | low;
-				DBG3(DBG_ENC, "   => %d", *(this->out_position));
+				if (this->debug)
+				{
+					DBG3(DBG_ENC, "   => %d", *(this->out_position));
+				}
 				this->out_position++;
 				this->current_bit = 0;
 			}
@@ -274,7 +289,10 @@ static void generate_u_int_type(private_generator_t *this,
 		{
 			/* 8 bit values are written as they are */
 			*this->out_position = *((u_int8_t *)(this->data_struct + offset));
-			DBG3(DBG_ENC, "   => %d", *(this->out_position));
+			if (this->debug)
+			{
+				DBG3(DBG_ENC, "   => %d", *(this->out_position));
+			}
 			this->out_position++;
 			break;
 		}
@@ -299,7 +317,10 @@ static void generate_u_int_type(private_generator_t *this,
 				val |= 0x8000;
 			}
 			val = htons(val);
-			DBG3(DBG_ENC, "   => %d", val);
+			if (this->debug)
+			{
+				DBG3(DBG_ENC, "   => %d", val);
+			}
 			/* write bytes to buffer (set bit is overwritten) */
 			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
 			this->current_bit = 0;
@@ -308,17 +329,23 @@ static void generate_u_int_type(private_generator_t *this,
 		}
 		case U_INT_16:
 		case PAYLOAD_LENGTH:
-		case CONFIGURATION_ATTRIBUTE_LENGTH:
+		case ATTRIBUTE_LENGTH:
 		{
 			u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset)));
-			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int16_t));
+			if (this->debug)
+			{
+				DBG3(DBG_ENC, "   %b", &val, sizeof(u_int16_t));
+			}
 			write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
 			break;
 		}
 		case U_INT_32:
 		{
 			u_int32_t val = htonl(*((u_int32_t*)(this->data_struct + offset)));
-			DBG3(DBG_ENC, "   => %b", &val, sizeof(u_int32_t));
+			if (this->debug)
+			{
+				DBG3(DBG_ENC, "   %b", &val, sizeof(u_int32_t));
+			}
 			write_bytes_to_buffer(this, &val, sizeof(u_int32_t));
 			break;
 		}
@@ -327,8 +354,11 @@ static void generate_u_int_type(private_generator_t *this,
 			/* 64 bit are written as-is, no host order conversion */
 			write_bytes_to_buffer(this, this->data_struct + offset,
 								  sizeof(u_int64_t));
-			DBG3(DBG_ENC, "   => %b", this->data_struct + offset,
-				 sizeof(u_int64_t));
+			if (this->debug)
+			{
+				DBG3(DBG_ENC, "   %b", this->data_struct + offset,
+					 sizeof(u_int64_t));
+			}
 			break;
 		}
 		default:
@@ -361,7 +391,10 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
 	}
 
 	*(this->out_position) = *(this->out_position) | flag;
-	DBG3(DBG_ENC, "   => %d", *this->out_position);
+	if (this->debug)
+	{
+		DBG3(DBG_ENC, "   => %d", *this->out_position);
+	}
 
 	this->current_bit++;
 	if (this->current_bit >= 8)
@@ -380,12 +413,16 @@ static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
 
 	if (this->current_bit != 0)
 	{
-		DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
+		DBG1(DBG_ENC, "can not generate a chunk at bitpos %d",
+			 this->current_bit);
 		return ;
 	}
 
 	value = (chunk_t *)(this->data_struct + offset);
-	DBG3(DBG_ENC, "   => %B", value);
+	if (this->debug)
+	{
+		DBG3(DBG_ENC, "   %B", value);
+	}
 
 	write_bytes_to_buffer(this, value->ptr, value->len);
 }
@@ -397,15 +434,17 @@ METHOD(generator_t, get_chunk, chunk_t,
 
 	*lenpos = (u_int32_t*)(this->buffer + this->header_length_offset);
 	data = chunk_create(this->buffer, get_length(this));
-	DBG3(DBG_ENC, "generated data of this generator %B", &data);
+	if (this->debug)
+	{
+		DBG3(DBG_ENC, "generated data of this generator %B", &data);
+	}
 	return data;
 }
 
 METHOD(generator_t, generate_payload, void,
-	private_generator_t *this,payload_t *payload)
+	private_generator_t *this, payload_t *payload)
 {
-	int i, offset_start;
-	size_t rule_count;
+	int i, offset_start, rule_count;
 	encoding_rule_t *rules;
 	payload_type_t payload_type;
 
@@ -414,17 +453,23 @@ METHOD(generator_t, generate_payload, void,
 
 	offset_start = this->out_position - this->buffer;
 
-	DBG2(DBG_ENC, "generating payload of type %N",
-		 payload_type_names, payload_type);
+	if (this->debug)
+	{
+		DBG2(DBG_ENC, "generating payload of type %N",
+			 payload_type_names, payload_type);
+	}
 
 	/* each payload has its own encoding rules */
-	payload->get_encoding_rules(payload, &rules, &rule_count);
+	rule_count = payload->get_encoding_rules(payload, &rules);
 
 	for (i = 0; i < rule_count;i++)
 	{
-		DBG2(DBG_ENC, "  generating rule %d %N",
-			 i, encoding_type_names, rules[i].type);
-		switch (rules[i].type)
+		if (this->debug)
+		{
+			DBG2(DBG_ENC, "  generating rule %d %N",
+				 i, encoding_type_names, rules[i].type);
+		}
+		switch ((int)rules[i].type)
 		{
 			case U_INT_4:
 			case U_INT_8:
@@ -436,7 +481,7 @@ METHOD(generator_t, generate_payload, void,
 			case SPI_SIZE:
 			case TS_TYPE:
 			case ATTRIBUTE_TYPE:
-			case CONFIGURATION_ATTRIBUTE_LENGTH:
+			case ATTRIBUTE_LENGTH:
 				generate_u_int_type(this, rules[i].type, rules[i].offset);
 				break;
 			case RESERVED_BIT:
@@ -449,26 +494,19 @@ METHOD(generator_t, generate_payload, void,
 				break;
 			case ADDRESS:
 			case SPI:
-			case KEY_EXCHANGE_DATA:
-			case NOTIFICATION_DATA:
-			case NONCE_DATA:
-			case ID_DATA:
-			case AUTH_DATA:
-			case CERT_DATA:
-			case CERTREQ_DATA:
-			case SPIS:
-			case CONFIGURATION_ATTRIBUTE_VALUE:
-			case VID_DATA:
-			case EAP_DATA:
+			case CHUNK_DATA:
 			case ENCRYPTED_DATA:
-			case UNKNOWN_DATA:
 				generate_from_chunk(this, rules[i].offset);
 				break;
-			case PROPOSALS:
-			case TRANSFORMS:
-			case TRANSFORM_ATTRIBUTES:
-			case CONFIGURATION_ATTRIBUTES:
-			case TRAFFIC_SELECTORS:
+			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE_V1:
+			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE:
+			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1:
+			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE:
+			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE_V1:
+			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE:
+			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE_V1:
+			case PAYLOAD_LIST + TRAFFIC_SELECTOR_SUBSTRUCTURE:
 			{
 				linked_list_t *proposals;
 				enumerator_t *enumerator;
@@ -507,7 +545,10 @@ METHOD(generator_t, generate_payload, void,
 			{
 				if (!this->attribute_format)
 				{
-					DBG2(DBG_ENC, "attribute value has not fixed size");
+					if (this->debug)
+					{
+						DBG2(DBG_ENC, "attribute value has not fixed size");
+					}
 					/* the attribute value is generated */
 					generate_from_chunk(this, rules[i].offset);
 				}
@@ -519,11 +560,14 @@ METHOD(generator_t, generate_payload, void,
 				return;
 		}
 	}
-	DBG2(DBG_ENC, "generating %N payload finished",
-		 payload_type_names, payload_type);
-	DBG3(DBG_ENC, "generated data for this payload %b",
-		 this->buffer + offset_start,
-		 (u_int)(this->out_position - this->buffer - offset_start));
+	if (this->debug)
+	{
+		DBG2(DBG_ENC, "generating %N payload finished",
+			 payload_type_names, payload_type);
+		DBG3(DBG_ENC, "generated data for this payload %b",
+			 this->buffer + offset_start,
+			 (u_int)(this->out_position - this->buffer - offset_start));
+	}
 }
 
 METHOD(generator_t, destroy, void,
@@ -547,6 +591,7 @@ generator_t *generator_create()
 			.destroy = _destroy,
 		},
 		.buffer = malloc(GENERATOR_DATA_BUFFER_SIZE),
+		.debug = TRUE,
 	);
 
 	this->out_position = this->buffer;
@@ -555,3 +600,14 @@ generator_t *generator_create()
 	return &this->public;
 }
 
+/*
+ * Described in header
+ */
+generator_t *generator_create_no_dbg()
+{
+	private_generator_t *this = (private_generator_t*)generator_create();
+
+	this->debug = FALSE;
+
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h
index fe561fdfd..c2c0aad2a 100644
--- a/src/libcharon/encoding/generator.h
+++ b/src/libcharon/encoding/generator.h
@@ -72,4 +72,12 @@ struct generator_t {
  */
 generator_t *generator_create(void);
 
+/**
+ * Constructor to create a generator that does not log any debug messages > 1.
+ *
+ * @return generator_t object.
+ */
+generator_t *generator_create_no_dbg(void);
+
+
 #endif /** GENERATOR_H_ @}*/
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 2b5399294..9bb8e5145 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -24,37 +24,47 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <sa/ike_sa_id.h>
+#include <sa/ikev1/keymat_v1.h>
 #include <encoding/generator.h>
 #include <encoding/parser.h>
-#include <utils/linked_list.h>
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/payload.h>
+#include <encoding/payloads/hash_payload.h>
 #include <encoding/payloads/encryption_payload.h>
 #include <encoding/payloads/unknown_payload.h>
 #include <encoding/payloads/cp_payload.h>
 
 /**
- * Max number of notify payloads per IKEv2 Message
+ * Max number of notify payloads per IKEv2 message
  */
 #define MAX_NOTIFY_PAYLOADS 20
 
 /**
- * Max number of delete payloads per IKEv2 Message
+ * Max number of delete payloads per IKEv2 message
  */
 #define MAX_DELETE_PAYLOADS 20
 
 /**
- * Max number of certificate payloads per IKEv2 Message
+ * Max number of certificate payloads per IKEv2 message
  */
 #define MAX_CERT_PAYLOADS 8
 
 /**
- * Max number of Vendor ID payloads per IKEv2 Message
+ * Max number of vendor ID payloads per IKEv2 message
  */
 #define MAX_VID_PAYLOADS 20
 
 /**
+ * Max number of certificate request payloads per IKEv1 message
+ */
+#define MAX_CERTREQ_PAYLOADS 20
+
+/**
+ * Max number of NAT-D payloads per IKEv1 message
+ */
+#define MAX_NAT_D_PAYLOADS 10
+
+/**
  * A payload rule defines the rules for a payload
  * in a specific message rule. It defines if and how
  * many times a payload must/can occur in a message
@@ -141,7 +151,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
 	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
 	{NONCE,							1,	1,						FALSE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						FALSE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 };
 
@@ -171,7 +181,7 @@ static payload_rule_t ike_auth_i_rules[] = {
 	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
 	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
 	{CERTIFICATE,					0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						TRUE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	TRUE,	FALSE},
 	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
 #ifdef ME
 	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
@@ -414,6 +424,293 @@ static payload_order_t me_connect_r_order[] = {
 };
 #endif /* ME */
 
+#ifdef USE_IKEV1
+/**
+ * Message rule for ID_PROT from initiator.
+ */
+static payload_rule_t id_prot_i_rules[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
+	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
+	{NONCE_V1,					0,	1,						FALSE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{ID_V1,						0,	1,						TRUE,	FALSE},
+	{CERTIFICATE_V1,			0,	2,						TRUE,	FALSE},
+	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
+	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+};
+
+/**
+ * payload order for ID_PROT from initiator.
+ */
+static payload_order_t id_prot_i_order[] = {
+/*	payload type				notify type */
+	{SECURITY_ASSOCIATION_V1,	0},
+	{KEY_EXCHANGE_V1,			0},
+	{NONCE_V1,					0},
+	{ID_V1,						0},
+	{CERTIFICATE_V1,			0},
+	{SIGNATURE_V1,				0},
+	{HASH_V1,					0},
+	{CERTIFICATE_REQUEST_V1,	0},
+	{NOTIFY_V1,					0},
+	{VENDOR_ID_V1,				0},
+	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
+	{FRAGMENT_V1,				0},
+};
+
+/**
+ * Message rule for ID_PROT from responder.
+ */
+static payload_rule_t id_prot_r_rules[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
+	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
+	{NONCE_V1,					0,	1,						FALSE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{ID_V1,						0,	1,						TRUE,	FALSE},
+	{CERTIFICATE_V1,			0,	2,						TRUE,	FALSE},
+	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
+	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+};
+
+/**
+ * payload order for ID_PROT from responder.
+ */
+static payload_order_t id_prot_r_order[] = {
+/*	payload type				notify type */
+	{SECURITY_ASSOCIATION_V1,	0},
+	{KEY_EXCHANGE_V1,			0},
+	{NONCE_V1,					0},
+	{ID_V1,						0},
+	{CERTIFICATE_V1,			0},
+	{SIGNATURE_V1,				0},
+	{HASH_V1,					0},
+	{CERTIFICATE_REQUEST_V1,	0},
+	{NOTIFY_V1,					0},
+	{VENDOR_ID_V1,				0},
+	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
+	{FRAGMENT_V1,				0},
+};
+
+/**
+ * Message rule for AGGRESSIVE from initiator.
+ */
+static payload_rule_t aggressive_i_rules[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
+	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
+	{NONCE_V1,					0,	1,						FALSE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{ID_V1,						0,	1,						FALSE,	FALSE},
+	{CERTIFICATE_V1,			0,	1,						TRUE,	FALSE},
+	{SIGNATURE_V1,				0,	1,						TRUE,	FALSE},
+	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+};
+
+/**
+ * payload order for AGGRESSIVE from initiator.
+ */
+static payload_order_t aggressive_i_order[] = {
+/*	payload type				notify type */
+	{SECURITY_ASSOCIATION_V1,	0},
+	{KEY_EXCHANGE_V1,			0},
+	{NONCE_V1,					0},
+	{ID_V1,						0},
+	{CERTIFICATE_V1,			0},
+	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
+	{SIGNATURE_V1,				0},
+	{HASH_V1,					0},
+	{CERTIFICATE_REQUEST_V1,	0},
+	{NOTIFY_V1,					0},
+	{VENDOR_ID_V1,				0},
+	{FRAGMENT_V1,				0},
+};
+
+/**
+ * Message rule for AGGRESSIVE from responder.
+ */
+static payload_rule_t aggressive_r_rules[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{SECURITY_ASSOCIATION_V1,	0,	1,						FALSE,	FALSE},
+	{KEY_EXCHANGE_V1,			0,	1,						FALSE,	FALSE},
+	{NONCE_V1,					0,	1,						FALSE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
+	{CERTIFICATE_REQUEST_V1,	0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
+	{NAT_D_V1,					0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{NAT_D_DRAFT_00_03_V1,		0,	MAX_NAT_D_PAYLOADS,		FALSE,	FALSE},
+	{ID_V1,						0,	1,						FALSE,	FALSE},
+	{CERTIFICATE_V1,			0,	1,						FALSE,	FALSE},
+	{SIGNATURE_V1,				0,	1,						FALSE,	FALSE},
+	{HASH_V1,					0,	1,						FALSE,	FALSE},
+	{FRAGMENT_V1,				0,	1,						FALSE,	TRUE},
+};
+
+/**
+ * payload order for AGGRESSIVE from responder.
+ */
+static payload_order_t aggressive_r_order[] = {
+/*	payload type				notify type */
+	{SECURITY_ASSOCIATION_V1,	0},
+	{KEY_EXCHANGE_V1,			0},
+	{NONCE_V1,					0},
+	{ID_V1,						0},
+	{CERTIFICATE_V1,			0},
+	{NAT_D_V1,					0},
+	{NAT_D_DRAFT_00_03_V1,		0},
+	{SIGNATURE_V1,				0},
+	{HASH_V1,					0},
+	{CERTIFICATE_REQUEST_V1,	0},
+	{NOTIFY_V1,					0},
+	{VENDOR_ID_V1,				0},
+	{FRAGMENT_V1,				0},
+};
+
+/**
+ * Message rule for INFORMATIONAL_V1 from initiator.
+ */
+static payload_rule_t informational_i_rules_v1[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{DELETE_V1,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+};
+
+/**
+ * payload order for INFORMATIONAL_V1 from initiator.
+ */
+static payload_order_t informational_i_order_v1[] = {
+/*	payload type				notify type */
+	{NOTIFY_V1,					0},
+	{DELETE_V1,					0},
+	{VENDOR_ID_V1,				0},
+};
+
+/**
+ * Message rule for INFORMATIONAL_V1 from responder.
+ */
+static payload_rule_t informational_r_rules_v1[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{DELETE_V1,					0,	MAX_DELETE_PAYLOADS,	TRUE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+};
+
+/**
+ * payload order for INFORMATIONAL_V1 from responder.
+ */
+static payload_order_t informational_r_order_v1[] = {
+/*	payload type				notify type */
+	{NOTIFY_V1,					0},
+	{DELETE_V1,					0},
+	{VENDOR_ID_V1,				0},
+};
+
+/**
+ * Message rule for QUICK_MODE from initiator.
+ */
+static payload_rule_t quick_mode_i_rules[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{SECURITY_ASSOCIATION_V1,	0,	2,						TRUE,	FALSE},
+	{NONCE_V1,					0,	1,						TRUE,	FALSE},
+	{KEY_EXCHANGE_V1,			0,	1,						TRUE,	FALSE},
+	{ID_V1,						0,	2,						TRUE,	FALSE},
+	{NAT_OA_V1,					0,	2,						TRUE,	FALSE},
+	{NAT_OA_DRAFT_00_03_V1,		0,	2,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for QUICK_MODE from initiator.
+ */
+static payload_order_t quick_mode_i_order[] = {
+/*	payload type				notify type */
+	{NOTIFY_V1,					0},
+	{VENDOR_ID_V1,				0},
+	{HASH_V1,					0},
+	{SECURITY_ASSOCIATION_V1,	0},
+	{NONCE_V1,					0},
+	{KEY_EXCHANGE_V1,			0},
+	{ID_V1,						0},
+	{NAT_OA_V1,					0},
+	{NAT_OA_DRAFT_00_03_V1,		0},
+};
+
+/**
+ * Message rule for QUICK_MODE from responder.
+ */
+static payload_rule_t quick_mode_r_rules[] = {
+/*	payload type				min	max						encr	suff */
+	{NOTIFY_V1,					0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
+	{VENDOR_ID_V1,				0,	MAX_VID_PAYLOADS,		TRUE,	FALSE},
+	{HASH_V1,					0,	1,						TRUE,	FALSE},
+	{SECURITY_ASSOCIATION_V1,	0,	2,						TRUE,	FALSE},
+	{NONCE_V1,					0,	1,						TRUE,	FALSE},
+	{KEY_EXCHANGE_V1,			0,	1,						TRUE,	FALSE},
+	{ID_V1,						0,	2,						TRUE,	FALSE},
+	{NAT_OA_V1,					0,	2,						TRUE,	FALSE},
+	{NAT_OA_DRAFT_00_03_V1,		0,	2,						TRUE,	FALSE},
+};
+
+/**
+ * payload order for QUICK_MODE from responder.
+ */
+static payload_order_t quick_mode_r_order[] = {
+/*	payload type				notify type */
+	{NOTIFY_V1,					0},
+	{VENDOR_ID_V1,				0},
+	{HASH_V1,					0},
+	{SECURITY_ASSOCIATION_V1,	0},
+	{NONCE_V1,					0},
+	{KEY_EXCHANGE_V1,			0},
+	{ID_V1,						0},
+	{NAT_OA_V1,					0},
+	{NAT_OA_DRAFT_00_03_V1,		0},
+};
+
+/**
+ * Message rule for TRANSACTION.
+ */
+static payload_rule_t transaction_payload_rules_v1[] = {
+/*	payload type				min	max	encr	suff */
+	{HASH_V1,					0,	1,	TRUE,	FALSE},
+	{CONFIGURATION_V1,			1,	1,	FALSE,	FALSE},
+};
+
+/**
+ * Payload order for TRANSACTION.
+ */
+static payload_order_t transaction_payload_order_v1[] = {
+/*	payload type			notify type */
+	{HASH_V1,					0},
+	{CONFIGURATION_V1,			0},
+};
+
+#endif /* USE_IKEV1 */
+
 /**
  * Message rules, defines allowed payloads.
  */
@@ -460,6 +757,49 @@ static message_rule_t message_rules[] = {
 		countof(me_connect_r_order), me_connect_r_order,
 	},
 #endif /* ME */
+#ifdef USE_IKEV1
+	{ID_PROT,			TRUE,	FALSE,
+		countof(id_prot_i_rules), id_prot_i_rules,
+		countof(id_prot_i_order), id_prot_i_order,
+	},
+	{ID_PROT,			FALSE,	FALSE,
+		countof(id_prot_r_rules), id_prot_r_rules,
+		countof(id_prot_r_order), id_prot_r_order,
+	},
+	{AGGRESSIVE,		TRUE,	FALSE,
+		countof(aggressive_i_rules), aggressive_i_rules,
+		countof(aggressive_i_order), aggressive_i_order,
+	},
+	{AGGRESSIVE,		FALSE,	FALSE,
+		countof(aggressive_r_rules), aggressive_r_rules,
+		countof(aggressive_r_order), aggressive_r_order,
+	},
+	{INFORMATIONAL_V1,	TRUE,	TRUE,
+		countof(informational_i_rules_v1), informational_i_rules_v1,
+		countof(informational_i_order_v1), informational_i_order_v1,
+	},
+	{INFORMATIONAL_V1,	FALSE,	TRUE,
+		countof(informational_r_rules_v1), informational_r_rules_v1,
+		countof(informational_r_order_v1), informational_r_order_v1,
+	},
+	{QUICK_MODE,		TRUE,	TRUE,
+		countof(quick_mode_i_rules), quick_mode_i_rules,
+		countof(quick_mode_i_order), quick_mode_i_order,
+	},
+	{QUICK_MODE,		FALSE,	TRUE,
+		countof(quick_mode_r_rules), quick_mode_r_rules,
+		countof(quick_mode_r_order), quick_mode_r_order,
+	},
+	{TRANSACTION,		TRUE,	TRUE,
+		countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
+		countof(transaction_payload_order_v1), transaction_payload_order_v1,
+	},
+	{TRANSACTION,		FALSE,	TRUE,
+		countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
+		countof(transaction_payload_order_v1), transaction_payload_order_v1,
+	},
+	/* TODO-IKEv1: define rules for other exchanges */
+#endif /* USE_IKEV1 */
 };
 
 
@@ -501,6 +841,11 @@ struct private_message_t {
 	bool is_request;
 
 	/**
+	 * The message is encrypted (IKEv1)
+	 */
+	bool is_encrypted;
+
+	/**
 	 * Higher version supported?
 	 */
 	bool version_flag;
@@ -508,7 +853,7 @@ struct private_message_t {
 	/**
 	 * Reserved bits in IKE header
 	 */
-	bool reserved[5];
+	bool reserved[2];
 
 	/**
 	 * Sorting of message disabled?
@@ -739,7 +1084,14 @@ METHOD(message_t, add_notify, void,
 			payload->destroy(payload);
 		}
 	}
-	notify = notify_payload_create();
+	if (this->major_version == IKEV2_MAJOR_VERSION)
+	{
+		notify = notify_payload_create(NOTIFY);
+	}
+	else
+	{
+		notify = notify_payload_create(NOTIFY_V1);
+	}
 	notify->set_notify_type(notify, type);
 	notify->set_notification_data(notify, data);
 	add_payload(this, (payload_t*)notify);
@@ -810,7 +1162,8 @@ METHOD(message_t, get_notify, notify_payload_t*,
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		if (payload->get_type(payload) == NOTIFY)
+		if (payload->get_type(payload) == NOTIFY ||
+			payload->get_type(payload) == NOTIFY_V1)
 		{
 			notify = (notify_payload_t*)payload;
 			if (notify->get_notify_type(notify) == type)
@@ -837,7 +1190,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	memset(buf, 0, len);
 	len--;
 
-	written = snprintf(pos, len, "%N %s %d [",
+	written = snprintf(pos, len, "%N %s %u [",
 					   exchange_type_names, this->exchange_type,
 					   this->is_request ? "request" : "response",
 					   this->message_id);
@@ -859,7 +1212,8 @@ static char* get_string(private_message_t *this, char *buf, int len)
 		}
 		pos += written;
 		len -= written;
-		if (payload->get_type(payload) == NOTIFY)
+		if (payload->get_type(payload) == NOTIFY ||
+			payload->get_type(payload) == NOTIFY_V1)
 		{
 			notify_payload_t *notify;
 			notify_type_t type;
@@ -1017,7 +1371,7 @@ static void order_payloads(private_message_t *this)
 }
 
 /**
- * Wrap payloads in a encryption payload
+ * Wrap payloads in an encryption payload
  */
 static encryption_payload_t* wrap_payloads(private_message_t *this)
 {
@@ -1033,7 +1387,14 @@ static encryption_payload_t* wrap_payloads(private_message_t *this)
 		payloads->insert_last(payloads, current);
 	}
 
-	encryption = encryption_payload_create();
+	if (this->is_encrypted)
+	{
+		encryption = encryption_payload_create(ENCRYPTED_V1);
+	}
+	else
+	{
+		encryption = encryption_payload_create(ENCRYPTED);
+	}
 	while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
 	{
 		payload_rule_t *rule;
@@ -1046,9 +1407,9 @@ static encryption_payload_t* wrap_payloads(private_message_t *this)
 		{
 			encrypt = rule->encrypted;
 		}
-		if (encrypt)
-		{
-			DBG2(DBG_ENC, "insert payload %N to encryption payload",
+		if (encrypt || this->is_encrypted)
+		{	/* encryption is forced for IKEv1 */
+			DBG2(DBG_ENC, "insert payload %N into encrypted payload",
 				 payload_type_names, type);
 			encryption->add_payload(encryption, current);
 		}
@@ -1071,17 +1432,20 @@ METHOD(message_t, disable_sort, void,
 }
 
 METHOD(message_t, generate, status_t,
-	private_message_t *this, aead_t *aead, packet_t **packet)
+	private_message_t *this, keymat_t *keymat, packet_t **packet)
 {
+	keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
 	generator_t *generator;
 	ike_header_t *ike_header;
 	payload_t *payload, *next;
 	encryption_payload_t *encryption = NULL;
+	payload_type_t next_type;
 	enumerator_t *enumerator;
-	chunk_t chunk;
+	aead_t *aead = NULL;
+	chunk_t chunk, hash = chunk_empty;
 	char str[BUF_LEN];
 	u_int32_t *lenpos;
-	bool *reserved;
+	bool encrypted = FALSE, *reserved;
 	int i;
 
 	if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
@@ -1108,27 +1472,77 @@ METHOD(message_t, generate, status_t,
 	{
 		order_payloads(this);
 	}
+	if (keymat && keymat->get_version(keymat) == IKEV1)
+	{
+		/* get a hash for this message, if any is required */
+		if (keymat_v1->get_hash_phase2(keymat_v1, &this->public, &hash))
+		{	/* insert a HASH payload as first payload */
+			hash_payload_t *hash_payload;
+
+			hash_payload = hash_payload_create(HASH_V1);
+			hash_payload->set_hash(hash_payload, hash);
+			this->payloads->insert_first(this->payloads, hash_payload);
+			if (this->exchange_type == INFORMATIONAL_V1)
+			{
+				this->is_encrypted = encrypted = TRUE;
+			}
+			chunk_free(&hash);
+		}
+	}
+	if (this->major_version == IKEV2_MAJOR_VERSION)
+	{
+		encrypted = this->rule->encrypted;
+	}
+	else if (!encrypted)
+	{
+		/* If at least one payload requires encryption, encrypt the message.
+		 * If no key material is available, the flag will be reset below. */
+		enumerator = this->payloads->create_enumerator(this->payloads);
+		while (enumerator->enumerate(enumerator, (void**)&payload))
+		{
+			payload_rule_t *rule;
+
+			rule = get_payload_rule(this, payload->get_type(payload));
+			if (rule && rule->encrypted)
+			{
+				this->is_encrypted = encrypted = TRUE;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
 
 	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
 
-	if (aead && this->rule->encrypted)
+	if (keymat)
+	{
+		aead = keymat->get_aead(keymat, FALSE);
+	}
+	if (aead && encrypted)
 	{
 		encryption = wrap_payloads(this);
 	}
 	else
 	{
 		DBG2(DBG_ENC, "not encrypting payloads");
+		this->is_encrypted = FALSE;
 	}
 
-	ike_header = ike_header_create();
-	ike_header->set_maj_version(ike_header, this->major_version);
-	ike_header->set_min_version(ike_header, this->minor_version);
+	ike_header = ike_header_create_version(this->major_version,
+										   this->minor_version);
 	ike_header->set_exchange_type(ike_header, this->exchange_type);
 	ike_header->set_message_id(ike_header, this->message_id);
-	ike_header->set_response_flag(ike_header, !this->is_request);
-	ike_header->set_version_flag(ike_header, this->version_flag);
-	ike_header->set_initiator_flag(ike_header,
+	if (this->major_version == IKEV2_MAJOR_VERSION)
+	{
+		ike_header->set_response_flag(ike_header, !this->is_request);
+		ike_header->set_version_flag(ike_header, this->version_flag);
+		ike_header->set_initiator_flag(ike_header,
 						this->ike_sa_id->is_initiator(this->ike_sa_id));
+	}
+	else
+	{
+		ike_header->set_encryption_flag(ike_header, this->is_encrypted);
+	}
 	ike_header->set_initiator_spi(ike_header,
 						this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
 	ike_header->set_responder_spi(ike_header,
@@ -1156,22 +1570,38 @@ METHOD(message_t, generate, status_t,
 		payload = next;
 	}
 	enumerator->destroy(enumerator);
-	payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
+	if (this->is_encrypted)
+	{	/* for encrypted IKEv1 messages */
+		next_type = encryption->payload_interface.get_next_type(
+														(payload_t*)encryption);
+	}
+	else
+	{
+		next_type = encryption ? ENCRYPTED : NO_PAYLOAD;
+	}
+	payload->set_next_type(payload, next_type);
 	generator->generate_payload(generator, payload);
 	ike_header->destroy(ike_header);
 
 	if (encryption)
-	{
-		u_int32_t *lenpos;
-
-		/* build associated data (without header of encryption payload) */
-		chunk = generator->get_chunk(generator, &lenpos);
+	{	/* set_transform() has to be called before get_length() */
 		encryption->set_transform(encryption, aead);
-		/* fill in length, including encryption payload */
-		htoun32(lenpos, chunk.len + encryption->get_length(encryption));
-
+		if (this->is_encrypted)
+		{	/* for IKEv1 instead of associated data we provide the IV */
+			if (!keymat_v1->get_iv(keymat_v1, this->message_id, &chunk))
+			{
+				generator->destroy(generator);
+				return FAILED;
+			}
+		}
+		else
+		{	/* build associated data (without header of encryption payload) */
+			chunk = generator->get_chunk(generator, &lenpos);
+			/* fill in length, including encryption payload */
+			htoun32(lenpos, chunk.len + encryption->get_length(encryption));
+		}
 		this->payloads->insert_last(this->payloads, encryption);
-		if (!encryption->encrypt(encryption, chunk))
+		if (encryption->encrypt(encryption, chunk) != SUCCESS)
 		{
 			generator->destroy(generator);
 			return INVALID_STATE;
@@ -1181,8 +1611,22 @@ METHOD(message_t, generate, status_t,
 	chunk = generator->get_chunk(generator, &lenpos);
 	htoun32(lenpos, chunk.len);
 	this->packet->set_data(this->packet, chunk_clone(chunk));
+	if (this->is_encrypted)
+	{
+		/* update the IV for the next IKEv1 message */
+		chunk_t last_block;
+		size_t bs;
+
+		bs = aead->get_block_size(aead);
+		last_block = chunk_create(chunk.ptr + chunk.len - bs, bs);
+		if (!keymat_v1->update_iv(keymat_v1, this->message_id, last_block) ||
+			!keymat_v1->confirm_iv(keymat_v1, this->message_id))
+		{
+			generator->destroy(generator);
+			return FAILED;
+		}
+	}
 	generator->destroy(generator);
-
 	*packet = this->packet->clone(this->packet);
 	return SUCCESS;
 }
@@ -1204,7 +1648,7 @@ METHOD(message_t, get_packet_data, chunk_t,
 	{
 		return chunk_empty;
 	}
-	return chunk_clone(this->packet->get_data(this->packet));
+	return this->packet->get_data(this->packet);
 }
 
 METHOD(message_t, parse_header, status_t,
@@ -1237,17 +1681,32 @@ METHOD(message_t, parse_header, status_t,
 	}
 
 	DESTROY_IF(this->ike_sa_id);
-	this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
+	this->ike_sa_id = ike_sa_id_create(
+									ike_header->get_maj_version(ike_header),
+									ike_header->get_initiator_spi(ike_header),
 									ike_header->get_responder_spi(ike_header),
 									ike_header->get_initiator_flag(ike_header));
 
 	this->exchange_type = ike_header->get_exchange_type(ike_header);
 	this->message_id = ike_header->get_message_id(ike_header);
-	this->is_request = !ike_header->get_response_flag(ike_header);
 	this->major_version = ike_header->get_maj_version(ike_header);
 	this->minor_version = ike_header->get_min_version(ike_header);
+	if (this->major_version == IKEV2_MAJOR_VERSION)
+	{
+		this->is_request = !ike_header->get_response_flag(ike_header);
+	}
+	else
+	{
+		this->is_encrypted = ike_header->get_encryption_flag(ike_header);
+	}
 	this->first_payload = ike_header->payload_interface.get_next_type(
 												&ike_header->payload_interface);
+	if (this->first_payload == FRAGMENT_V1 && this->is_encrypted)
+	{	/* racoon sets the encryted bit when sending a fragment, but these
+		 * messages are really not encrypted */
+		this->is_encrypted = FALSE;
+	}
+
 	for (i = 0; i < countof(this->reserved); i++)
 	{
 		reserved = payload_get_field(&ike_header->payload_interface,
@@ -1257,19 +1716,12 @@ METHOD(message_t, parse_header, status_t,
 			this->reserved[i] = *reserved;
 		}
 	}
-	DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
-		 this->is_request ? "request" : "response");
-
 	ike_header->destroy(ike_header);
 
-	this->rule = get_message_rule(this);
-	if (!this->rule)
-	{
-		DBG1(DBG_ENC, "no message rules specified for a %N %s",
-			 exchange_type_names, this->exchange_type,
-			 this->is_request ? "request" : "response");
-	}
-	return status;
+	DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
+		 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
+		 "message" : (this->is_request ? "request" : "response"));
+	return SUCCESS;
 }
 
 /**
@@ -1298,16 +1750,168 @@ static bool is_connectivity_check(private_message_t *this, payload_t *payload)
 }
 
 /**
+ * Parses and verifies the unencrypted payloads contained in the message
+ */
+static status_t parse_payloads(private_message_t *this)
+{
+	payload_type_t type = this->first_payload;
+	payload_t *payload;
+	status_t status;
+
+	if (this->is_encrypted)
+	{	/* wrap the whole encrypted IKEv1 message in a special encryption
+		 * payload which is then handled just like a regular payload */
+		encryption_payload_t *encryption;
+
+		status = this->parser->parse_payload(this->parser, ENCRYPTED_V1,
+											 (payload_t**)&encryption);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "failed to wrap encrypted IKEv1 message");
+			return PARSE_ERROR;
+		}
+		encryption->payload_interface.set_next_type((payload_t*)encryption,
+													this->first_payload);
+		this->payloads->insert_last(this->payloads, encryption);
+		return SUCCESS;
+	}
+
+	while (type != NO_PAYLOAD)
+	{
+		DBG2(DBG_ENC, "starting parsing a %N payload",
+			 payload_type_names, type);
+
+		status = this->parser->parse_payload(this->parser, type, &payload);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "payload type %N could not be parsed",
+				 payload_type_names, type);
+			return PARSE_ERROR;
+		}
+
+		DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
+		status = payload->verify(payload);
+		if (status != SUCCESS)
+		{
+			DBG1(DBG_ENC, "%N payload verification failed",
+				 payload_type_names, type);
+			payload->destroy(payload);
+			return VERIFY_ERROR;
+		}
+
+		DBG2(DBG_ENC, "%N payload verified, adding to payload list",
+			 payload_type_names, type);
+		this->payloads->insert_last(this->payloads, payload);
+
+		/* an encrypted payload is the last one, so STOP here. decryption is
+		 * done later */
+		if (type == ENCRYPTED)
+		{
+			DBG2(DBG_ENC, "%N payload found, stop parsing",
+				 payload_type_names, type);
+			break;
+		}
+		type = payload->get_next_type(payload);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Decrypt an encrypted payload and extract all contained payloads.
+ */
+static status_t decrypt_and_extract(private_message_t *this, keymat_t *keymat,
+						payload_t *previous, encryption_payload_t *encryption)
+{
+	payload_t *encrypted;
+	payload_type_t type;
+	chunk_t chunk;
+	aead_t *aead;
+	size_t bs;
+	status_t status = SUCCESS;
+
+	if (!keymat)
+	{
+		DBG1(DBG_ENC, "found encrypted payload, but no keymat");
+		return INVALID_ARG;
+	}
+	aead = keymat->get_aead(keymat, TRUE);
+	if (!aead)
+	{
+		DBG1(DBG_ENC, "found encrypted payload, but no transform set");
+		return INVALID_ARG;
+	}
+	bs = aead->get_block_size(aead);
+	encryption->set_transform(encryption, aead);
+	chunk = this->packet->get_data(this->packet);
+	if (chunk.len < encryption->get_length(encryption) ||
+		chunk.len < bs)
+	{
+		DBG1(DBG_ENC, "invalid payload length");
+		return VERIFY_ERROR;
+	}
+	if (keymat->get_version(keymat) == IKEV1)
+	{	/* instead of associated data we provide the IV, we also update
+		 * the IV with the last encrypted block */
+		keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
+		chunk_t iv;
+
+		if (keymat_v1->get_iv(keymat_v1, this->message_id, &iv))
+		{
+			status = encryption->decrypt(encryption, iv);
+			if (status == SUCCESS)
+			{
+				if (!keymat_v1->update_iv(keymat_v1, this->message_id,
+						chunk_create(chunk.ptr + chunk.len - bs, bs)))
+				{
+					status = FAILED;
+				}
+			}
+		}
+		else
+		{
+			status = FAILED;
+		}
+	}
+	else
+	{
+		chunk.len -= encryption->get_length(encryption);
+		status = encryption->decrypt(encryption, chunk);
+	}
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	while ((encrypted = encryption->remove_payload(encryption)))
+	{
+		type = encrypted->get_type(encrypted);
+		if (previous)
+		{
+			previous->set_next_type(previous, type);
+		}
+		else
+		{
+			this->first_payload = type;
+		}
+		DBG2(DBG_ENC, "insert decrypted payload of type %N at end of list",
+			 payload_type_names, type);
+		this->payloads->insert_last(this->payloads, encrypted);
+		previous = encrypted;
+	}
+	return SUCCESS;
+}
+
+/**
  * Decrypt payload from the encryption payload
  */
-static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
+static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
 {
-	bool was_encrypted = FALSE;
 	payload_t *payload, *previous = NULL;
 	enumerator_t *enumerator;
 	payload_rule_t *rule;
 	payload_type_t type;
 	status_t status = SUCCESS;
+	bool was_encrypted = FALSE;
 
 	enumerator = this->payloads->create_enumerator(this->payloads);
 	while (enumerator->enumerate(enumerator, &payload))
@@ -1316,60 +1920,41 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
 
 		DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
 
-		if (type == ENCRYPTED)
+		if (type == ENCRYPTED || type == ENCRYPTED_V1)
 		{
 			encryption_payload_t *encryption;
-			payload_t *encrypted;
-			chunk_t chunk;
-
-			encryption = (encryption_payload_t*)payload;
 
-			DBG2(DBG_ENC, "found an encryption payload");
-
-			if (this->payloads->has_more(this->payloads, enumerator))
+			if (was_encrypted)
 			{
-				DBG1(DBG_ENC, "encrypted payload is not last payload");
+				DBG1(DBG_ENC, "encrypted payload can't contain other payloads "
+					 "of type %N", payload_type_names, type);
 				status = VERIFY_ERROR;
 				break;
 			}
-			encryption->set_transform(encryption, aead);
-			chunk = this->packet->get_data(this->packet);
-			if (chunk.len < encryption->get_length(encryption))
+
+			DBG2(DBG_ENC, "found an encrypted payload");
+			encryption = (encryption_payload_t*)payload;
+			this->payloads->remove_at(this->payloads, enumerator);
+
+			if (enumerator->enumerate(enumerator, NULL))
 			{
-				DBG1(DBG_ENC, "invalid payload length");
+				DBG1(DBG_ENC, "encrypted payload is not last payload");
+				encryption->destroy(encryption);
 				status = VERIFY_ERROR;
 				break;
 			}
-			chunk.len -= encryption->get_length(encryption);
-			status = encryption->decrypt(encryption, chunk);
+			status = decrypt_and_extract(this, keymat, previous, encryption);
+			encryption->destroy(encryption);
 			if (status != SUCCESS)
 			{
 				break;
 			}
-
 			was_encrypted = TRUE;
-			this->payloads->remove_at(this->payloads, enumerator);
-
-			while ((encrypted = encryption->remove_payload(encryption)))
-			{
-				type = encrypted->get_type(encrypted);
-				if (previous)
-				{
-					previous->set_next_type(previous, type);
-				}
-				else
-				{
-					this->first_payload = type;
-				}
-				DBG2(DBG_ENC, "insert decrypted payload of type "
-					 "%N at end of list", payload_type_names, type);
-				this->payloads->insert_last(this->payloads, encrypted);
-				previous = encrypted;
-			}
-			encryption->destroy(encryption);
 		}
+
 		if (payload_is_known(type) && !was_encrypted &&
-			!is_connectivity_check(this, payload))
+			!is_connectivity_check(this, payload) &&
+			this->exchange_type != AGGRESSIVE)
 		{
 			rule = get_payload_rule(this, type);
 			if (!rule || rule->encrypted)
@@ -1396,7 +1981,7 @@ static status_t verify(private_message_t *this)
 
 	DBG2(DBG_ENC, "verifying message structure");
 
-	/* check for payloads with wrong count*/
+	/* check for payloads with wrong count */
 	for (i = 0; i < this->rule->rule_count; i++)
 	{
 		enumerator_t *enumerator;
@@ -1443,57 +2028,30 @@ static status_t verify(private_message_t *this)
 }
 
 METHOD(message_t, parse_body, status_t,
-	private_message_t *this, aead_t *aead)
+	private_message_t *this, keymat_t *keymat)
 {
 	status_t status = SUCCESS;
-	payload_t *payload;
-	payload_type_t type;
 	char str[BUF_LEN];
 
-	type = this->first_payload;
-
 	DBG2(DBG_ENC, "parsing body of message, first payload is %N",
-		 payload_type_names, type);
+		 payload_type_names, this->first_payload);
 
-	while (type != NO_PAYLOAD)
+	this->rule = get_message_rule(this);
+	if (!this->rule)
 	{
-		DBG2(DBG_ENC, "starting parsing a %N payload",
-			 payload_type_names, type);
-
-		status = this->parser->parse_payload(this->parser, type, &payload);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "payload type %N could not be parsed",
-				 payload_type_names, type);
-			return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
-		}
-
-		DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
-		status = payload->verify(payload);
-		if (status != SUCCESS)
-		{
-			DBG1(DBG_ENC, "%N payload verification failed",
-				 payload_type_names, type);
-			payload->destroy(payload);
-			return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
-		}
-
-		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
-			 payload_type_names, type);
-		this->payloads->insert_last(this->payloads, payload);
+		DBG1(DBG_ENC, "no message rules specified for a %N %s",
+			 exchange_type_names, this->exchange_type,
+			 this->is_request ? "request" : "response");
+		return NOT_SUPPORTED;
+	}
 
-		/* an encryption payload is the last one, so STOP here. decryption is
-		 * done later */
-		if (type == ENCRYPTED)
-		{
-			DBG2(DBG_ENC, "%N payload found. Stop parsing",
-				 payload_type_names, type);
-			break;
-		}
-		type = payload->get_next_type(payload);
+	status = parse_payloads(this);
+	if (status != SUCCESS)
+	{	/* error is already logged */
+		return status;
 	}
 
-	status = decrypt_payloads(this, aead);
+	status = decrypt_payloads(this, keymat);
 	if (status != SUCCESS)
 	{
 		DBG1(DBG_ENC, "could not decrypt payloads");
@@ -1508,6 +2066,50 @@ METHOD(message_t, parse_body, status_t,
 
 	DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
 
+	if (keymat && keymat->get_version(keymat) == IKEV1)
+	{
+		keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
+		chunk_t hash;
+
+		if (keymat_v1->get_hash_phase2(keymat_v1, &this->public, &hash))
+		{
+			hash_payload_t *hash_payload;
+			chunk_t other_hash;
+
+			if (this->first_payload != HASH_V1)
+			{
+				if (this->exchange_type == INFORMATIONAL_V1)
+				{
+					DBG1(DBG_ENC, "ignoring unprotected INFORMATIONAL from %H",
+						 this->packet->get_source(this->packet));
+				}
+				else
+				{
+					DBG1(DBG_ENC, "expected HASH payload as first payload");
+				}
+				chunk_free(&hash);
+				return VERIFY_ERROR;
+			}
+			hash_payload = (hash_payload_t*)get_payload(this, HASH_V1);
+			other_hash = hash_payload->get_hash(hash_payload);
+			DBG3(DBG_ENC, "HASH received %B\nHASH expected %B",
+				 &other_hash, &hash);
+			if (!chunk_equals(hash, other_hash))
+			{
+				DBG1(DBG_ENC, "received HASH payload does not match");
+				chunk_free(&hash);
+				return FAILED;
+			}
+			chunk_free(&hash);
+		}
+		if (this->is_encrypted)
+		{	/* message verified, confirm IV */
+			if (!keymat_v1->confirm_iv(keymat_v1, this->message_id))
+			{
+				return FAILED;
+			}
+		}
+	}
 	return SUCCESS;
 }
 
@@ -1522,7 +2124,7 @@ METHOD(message_t, destroy, void,
 }
 
 /*
- * Described in Header-File
+ * Described in header.
  */
 message_t *message_create_from_packet(packet_t *packet)
 {
@@ -1567,8 +2169,6 @@ message_t *message_create_from_packet(packet_t *packet)
 			.get_packet_data = _get_packet_data,
 			.destroy = _destroy,
 		},
-		.major_version = IKE_MAJOR_VERSION,
-		.minor_version = IKE_MINOR_VERSION,
 		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
 		.is_request = TRUE,
 		.first_payload = NO_PAYLOAD,
@@ -1577,14 +2177,18 @@ message_t *message_create_from_packet(packet_t *packet)
 		.parser = parser_create(packet->get_data(packet)),
 	);
 
-	return (&this->public);
+	return &this->public;
 }
 
 /*
- * Described in Header.
+ * Described in header.
  */
-message_t *message_create()
+message_t *message_create(int major, int minor)
 {
-	return message_create_from_packet(packet_create());
-}
+	message_t *this = message_create_from_packet(packet_create());
 
+	this->set_major_version(this, major);
+	this->set_minor_version(this, minor);
+
+	return this;
+}
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 0e78ea436..7631a7c3a 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006-2011 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -27,15 +27,15 @@
 typedef struct message_t message_t;
 
 #include <library.h>
-#include <sa/ike_sa_id.h>
-#include <network/packet.h>
 #include <encoding/payloads/ike_header.h>
 #include <encoding/payloads/notify_payload.h>
-#include <utils/linked_list.h>
-#include <crypto/aead.h>
+#include <sa/keymat.h>
+#include <sa/ike_sa_id.h>
+#include <networking/packet.h>
+#include <collections/linked_list.h>
 
 /**
- * This class is used to represent an IKEv2-Message.
+ * This class is used to represent an IKE-Message.
  *
  * The message handles parsing and generation of payloads
  * via parser_t/generator_t. Encryption is done transparently
@@ -49,7 +49,7 @@ struct message_t {
 	 *
 	 * @param major_version	major version to set
 	 */
-	void (*set_major_version) (message_t *this,u_int8_t major_version);
+	void (*set_major_version) (message_t *this, u_int8_t major_version);
 
 	/**
 	 * Gets the IKE major version of the message.
@@ -63,7 +63,7 @@ struct message_t {
 	 *
 	 * @param minor_version	minor version to set
 	 */
-	void (*set_minor_version) (message_t *this,u_int8_t minor_version);
+	void (*set_minor_version) (message_t *this, u_int8_t minor_version);
 
 	/**
 	 * Gets the IKE minor version of the message.
@@ -77,7 +77,7 @@ struct message_t {
 	 *
 	 * @param message_id	message_id to set
 	 */
-	void (*set_message_id) (message_t *this,u_int32_t message_id);
+	void (*set_message_id) (message_t *this, u_int32_t message_id);
 
 	/**
 	 * Gets the Message ID of the message.
@@ -107,7 +107,7 @@ struct message_t {
 	 *
 	 * @param ike_sa_id		ike_sa_id to set
 	 */
-	void (*set_ike_sa_id) (message_t *this, ike_sa_id_t * ike_sa_id);
+	void (*set_ike_sa_id) (message_t *this, ike_sa_id_t *ike_sa_id);
 
 	/**
 	 * Gets the IKE_SA ID of the message.
@@ -123,7 +123,7 @@ struct message_t {
 	 *
 	 * @param exchange_type	exchange_type to set
 	 */
-	void (*set_exchange_type) (message_t *this,exchange_type_t exchange_type);
+	void (*set_exchange_type) (message_t *this, exchange_type_t exchange_type);
 
 	/**
 	 * Gets the exchange type of the message.
@@ -182,7 +182,7 @@ struct message_t {
 	 * all payloads to encrypt are added to the encryption payload, which is
 	 * always the last one.
 	 *
-	 * @param payload 		payload to append
+	 * @param payload		payload to append
 	 */
 	void (*add_payload) (message_t *this, payload_t *payload);
 
@@ -208,14 +208,14 @@ struct message_t {
 	/**
 	 * Parses header of message.
 	 *
-	 * Begins parisng of a message created via message_create_from_packet().
+	 * Begins parsing of a message created via message_create_from_packet().
 	 * The parsing context is stored, so a subsequent call to parse_body()
 	 * will continue the parsing process.
 	 *
 	 * @return
-	 * 					- SUCCESS if header could be parsed
+	 *					- SUCCESS if header could be parsed
 	 *					- PARSE_ERROR if corrupted/invalid data found
-	 * 					- FAILED if consistence check of header failed
+	 *					- FAILED if consistency check of header failed
 	 */
 	status_t (*parse_header) (message_t *this);
 
@@ -228,15 +228,15 @@ struct message_t {
 	 * If there are encrypted payloads, they get decrypted and verified using
 	 * the given aead transform (if given).
 	 *
-	 * @param aead		aead transform to verify/decrypt message
+	 * @param keymat	keymat to verify/decrypt message
 	 * @return
-	 * 					- SUCCESS if parsing successful
+	 *					- SUCCESS if parsing successful
 	 *					- PARSE_ERROR if message parsing failed
-	 * 					- VERIFY_ERROR if message verification failed (bad syntax)
-	 * 					- FAILED if integrity check failed
-	 * 					- INVALID_STATE if aead not supplied, but needed
+	 *					- VERIFY_ERROR if message verification failed (bad syntax)
+	 *					- FAILED if integrity check failed
+	 *					- INVALID_STATE if aead not supplied, but needed
 	 */
-	status_t (*parse_body) (message_t *this, aead_t *aead);
+	status_t (*parse_body) (message_t *this, keymat_t *keymat);
 
 	/**
 	 * Generates the UDP packet of specific message.
@@ -247,15 +247,15 @@ struct message_t {
 	 * Generation is only done once, multiple calls will just return a copy
 	 * of the packet.
 	 *
-	 * @param aead		aead transform to encrypt/sign message
+	 * @param keymat	keymat to encrypt/sign message
 	 * @param packet	copy of generated packet
 	 * @return
-	 * 					- SUCCESS if packet could be generated
-	 * 					- INVALID_STATE if exchange type is currently not set
-	 * 					- NOT_FOUND if no rules found for message generation
-	 * 					- INVALID_STATE if aead not supplied but needed.
+	 *					- SUCCESS if packet could be generated
+	 *					- INVALID_STATE if exchange type is currently not set
+	 *					- NOT_FOUND if no rules found for message generation
+	 *					- INVALID_STATE if aead not supplied but needed.
 	 */
-	status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet);
+	status_t (*generate) (message_t *this, keymat_t *keymat, packet_t **packet);
 
 	/**
 	 * Check if the message has already been encoded using generate().
@@ -278,7 +278,7 @@ struct message_t {
 	 * Sets the source host informations.
 	 *
 	 * @warning host_t object is not getting cloned and gets destroyed by
-	 * 			message_t.destroy or next call of message_t.set_source.
+	 *			message_t.destroy or next call of message_t.set_source.
 	 *
 	 * @param host		host_t object representing source host
 	 */
@@ -298,7 +298,7 @@ struct message_t {
 	 * Sets the destination host informations.
 	 *
 	 * @warning host_t object is not getting cloned and gets destroyed by
-	 * 			message_t.destroy or next call of message_t.set_destination.
+	 *			message_t.destroy or next call of message_t.set_destination.
 	 *
 	 * @param host		host_t object representing destination host
 	 */
@@ -344,9 +344,9 @@ struct message_t {
 	packet_t * (*get_packet) (message_t *this);
 
 	/**
-	 * Returns a clone of the internal stored packet_t data.
+	 * Returns a chunk pointing to internal packet_t data.
 	 *
-	 * @return			clone of the internal stored packet_t data.
+	 * @return			packet data.
 	 */
 	chunk_t (*get_packet_data) (message_t *this);
 
@@ -357,26 +357,27 @@ struct message_t {
 };
 
 /**
- * Creates an message_t object from a incoming UDP Packet.
+ * Creates a message_t object from an incoming UDP packet.
  *
  * The given packet gets owned by the message. The message is uninitialized,
  * call parse_header() to populate header fields.
  *
  * @param packet		packet_t object which is assigned to message
- * @return 				message_t object
+ * @return				message_t object
  */
-message_t * message_create_from_packet(packet_t *packet);
-
+message_t *message_create_from_packet(packet_t *packet);
 
 /**
- * Creates an empty message_t object.
+ * Creates an empty message_t object for a specific major/minor version.
  *
  * - exchange_type is set to NOT_SET
  * - original_initiator is set to TRUE
  * - is_request is set to TRUE
  *
- * @return message_t object
+ * @param major			major IKE version of this message
+ * @param minor			minor IKE version of this message
+ * @return				message_t object
  */
-message_t * message_create(void);
+message_t *message_create(int major, int minor);
 
 #endif /** MESSAGE_H_ @}*/
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index e49210309..9e7f8311b 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -22,7 +22,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/sa_payload.h>
@@ -137,7 +137,7 @@ static bool parse_uint4(private_parser_t *this, int rule_number,
 	}
 	if (output_pos)
 	{
-		DBG3(DBG_ENC, "   => %d", *output_pos);
+		DBG3(DBG_ENC, "   => %hhu", *output_pos);
 	}
 	return TRUE;
 }
@@ -159,7 +159,7 @@ static bool parse_uint8(private_parser_t *this, int rule_number,
 	if (output_pos)
 	{
 		*output_pos = *(this->byte_pos);
-		DBG3(DBG_ENC, "   => %d", *output_pos);
+		DBG3(DBG_ENC, "   => %hhu", *output_pos);
 	}
 	this->byte_pos++;
 	return TRUE;
@@ -183,7 +183,7 @@ static bool parse_uint15(private_parser_t *this, int rule_number,
 	{
 		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
 		*output_pos = ntohs(*output_pos) & ~0x8000;
-		DBG3(DBG_ENC, "   => %d", *output_pos);
+		DBG3(DBG_ENC, "   => %hu", *output_pos);
 	}
 	this->byte_pos += sizeof(u_int16_t);
 	this->bit_pos = 0;
@@ -208,7 +208,7 @@ static bool parse_uint16(private_parser_t *this, int rule_number,
 	{
 		memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
 		*output_pos = ntohs(*output_pos);
-		DBG3(DBG_ENC, "   => %d", *output_pos);
+		DBG3(DBG_ENC, "   => %hu", *output_pos);
 	}
 	this->byte_pos += sizeof(u_int16_t);
 	return TRUE;
@@ -231,7 +231,7 @@ static bool parse_uint32(private_parser_t *this, int rule_number,
 	{
 		memcpy(output_pos, this->byte_pos, sizeof(u_int32_t));
 		*output_pos = ntohl(*output_pos);
-		DBG3(DBG_ENC, "   => %d", *output_pos);
+		DBG3(DBG_ENC, "   => %u", *output_pos);
 	}
 	this->byte_pos += sizeof(u_int32_t);
 	return TRUE;
@@ -254,7 +254,7 @@ static bool parse_bytes(private_parser_t *this, int rule_number,
 	if (output_pos)
 	{
 		memcpy(output_pos, this->byte_pos, bytes);
-		DBG3(DBG_ENC, "   => %b", output_pos, bytes);
+		DBG3(DBG_ENC, "   %b", output_pos, bytes);
 	}
 	this->byte_pos += bytes;
 	return TRUE;
@@ -352,7 +352,7 @@ static bool parse_chunk(private_parser_t *this, int rule_number,
 	{
 		*output_pos = chunk_alloc(length);
 		memcpy(output_pos->ptr, this->byte_pos, length);
-		DBG3(DBG_ENC, "   => %b", output_pos->ptr, length);
+		DBG3(DBG_ENC, "   %b", output_pos->ptr, length);
 	}
 	this->byte_pos += length;
 	return TRUE;
@@ -363,11 +363,10 @@ METHOD(parser_t, parse_payload, status_t,
 {
 	payload_t *pld;
 	void *output;
-	size_t rule_count;
-	int payload_length = 0, spi_size = 0, attribute_length = 0;
+	int payload_length = 0, spi_size = 0, attribute_length = 0, header_length;
 	u_int16_t ts_type = 0;
 	bool attribute_format = FALSE;
-	int rule_number;
+	int rule_number, rule_count;
 	encoding_rule_t *rule;
 
 	/* create instance of the payload to parse */
@@ -381,15 +380,17 @@ METHOD(parser_t, parse_payload, status_t,
 
 	/* base pointer for output, avoids casting in every rule */
 	output = pld;
-
 	/* parse the payload with its own rulse */
-	pld->get_encoding_rules(pld, &this->rules, &rule_count);
+	rule_count = pld->get_encoding_rules(pld, &this->rules);
 	for (rule_number = 0; rule_number < rule_count; rule_number++)
 	{
+		/* update header length for each rule, as it is dynamic (SPIs) */
+		header_length = pld->get_header_length(pld);
+
 		rule = &(this->rules[rule_number]);
 		DBG2(DBG_ENC, "  parsing rule %d %N",
 			 rule_number, encoding_type_names, rule->type);
-		switch (rule->type)
+		switch ((int)rule->type)
 		{
 			case U_INT_4:
 			{
@@ -457,7 +458,8 @@ METHOD(parser_t, parse_payload, status_t,
 				}
 				/* parsed u_int16 should be aligned */
 				payload_length = *(u_int16_t*)(output + rule->offset);
-				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH)
+				/* all payloads must have at least 4 bytes header */
+				if (payload_length < 4)
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -484,49 +486,41 @@ METHOD(parser_t, parse_payload, status_t,
 				}
 				break;
 			}
-			case PROPOSALS:
+			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE:
+			case PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE_V1:
+			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE:
+			case PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1:
+			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE:
+			case PAYLOAD_LIST + TRANSFORM_ATTRIBUTE_V1:
+			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE:
+			case PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE_V1:
+			case PAYLOAD_LIST + TRAFFIC_SELECTOR_SUBSTRUCTURE:
 			{
-				if (payload_length < SA_PAYLOAD_HEADER_LENGTH ||
+				if (payload_length < header_length ||
 					!parse_list(this, rule_number, output + rule->offset,
-								PROPOSAL_SUBSTRUCTURE,
-								payload_length - SA_PAYLOAD_HEADER_LENGTH))
+								rule->type - PAYLOAD_LIST,
+								payload_length - header_length))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
 				break;
 			}
-			case TRANSFORMS:
+			case CHUNK_DATA:
 			{
-				if (payload_length <
-							spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-							TRANSFORM_SUBSTRUCTURE, payload_length - spi_size -
-										PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case TRANSFORM_ATTRIBUTES:
-			{
-				if (payload_length < TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-						TRANSFORM_ATTRIBUTE,
-						payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH))
+				if (payload_length < header_length ||
+					!parse_chunk(this, rule_number, output + rule->offset,
+								 payload_length - header_length))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
 				}
 				break;
 			}
-			case CONFIGURATION_ATTRIBUTES:
+			case ENCRYPTED_DATA:
 			{
-				if (payload_length < CP_PAYLOAD_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-								CONFIGURATION_ATTRIBUTE,
-								payload_length - CP_PAYLOAD_HEADER_LENGTH))
+				if (!parse_chunk(this, rule_number, output + rule->offset,
+								 this->input_roof - this->byte_pos))
 				{
 					pld->destroy(pld);
 					return PARSE_ERROR;
@@ -552,7 +546,7 @@ METHOD(parser_t, parse_payload, status_t,
 				}
 				break;
 			}
-			case CONFIGURATION_ATTRIBUTE_LENGTH:
+			case ATTRIBUTE_LENGTH:
 			{
 				if (!parse_uint16(this, rule_number, output + rule->offset))
 				{
@@ -583,137 +577,6 @@ METHOD(parser_t, parse_payload, status_t,
 				}
 				break;
 			}
-			case NONCE_DATA:
-			{
-				if (payload_length < NONCE_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - NONCE_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case ID_DATA:
-			{
-				if (payload_length < ID_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - ID_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case AUTH_DATA:
-			{
-				if (payload_length < AUTH_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - AUTH_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CERT_DATA:
-			{
-				if (payload_length < CERT_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - CERT_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CERTREQ_DATA:
-			{
-				if (payload_length < CERTREQ_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case EAP_DATA:
-			{
-				if (payload_length < EAP_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - EAP_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case SPIS:
-			{
-				if (payload_length < DELETE_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - DELETE_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case VID_DATA:
-			{
-				if (payload_length < VENDOR_ID_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-							payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case CONFIGURATION_ATTRIBUTE_VALUE:
-			{
-				if (!parse_chunk(this, rule_number, output + rule->offset,
-								 attribute_length))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case KEY_EXCHANGE_DATA:
-			{
-				if (payload_length < KE_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								 payload_length - KE_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case NOTIFICATION_DATA:
-			{
-				if (payload_length < NOTIFY_PAYLOAD_HEADER_LENGTH + spi_size ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-						payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case ENCRYPTED_DATA:
-			{
-				if (payload_length < ENCRYPTION_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-							payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
 			case TS_TYPE:
 			{
 				if (!parse_uint8(this, rule_number, output + rule->offset))
@@ -736,29 +599,6 @@ METHOD(parser_t, parse_payload, status_t,
 				}
 				break;
 			}
-			case TRAFFIC_SELECTORS:
-			{
-				if (payload_length < TS_PAYLOAD_HEADER_LENGTH ||
-					!parse_list(this, rule_number, output + rule->offset,
-								TRAFFIC_SELECTOR_SUBSTRUCTURE,
-								payload_length - TS_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
-			case UNKNOWN_DATA:
-			{
-				if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH ||
-					!parse_chunk(this, rule_number, output + rule->offset,
-								payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH))
-				{
-					pld->destroy(pld);
-					return PARSE_ERROR;
-				}
-				break;
-			}
 			default:
 			{
 				DBG1(DBG_ENC, "  no rule to parse rule %d %N",
diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c
index cb44a997c..2410a1aaa 100644
--- a/src/libcharon/encoding/payloads/auth_payload.c
+++ b/src/libcharon/encoding/payloads/auth_payload.c
@@ -74,7 +74,7 @@ struct private_auth_payload_t {
  * The defined offsets are the positions in a object of type
  * private_auth_payload_t.
  */
-encoding_rule_t auth_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_auth_payload_t, next_payload)		},
 	/* the critical bit */
@@ -96,7 +96,7 @@ encoding_rule_t auth_payload_encodings[] = {
 	{ RESERVED_BYTE,	offsetof(private_auth_payload_t, reserved_byte[1])	},
 	{ RESERVED_BYTE,	offsetof(private_auth_payload_t, reserved_byte[2])	},
 	/* some auth data bytes, length is defined in PAYLOAD_LENGTH */
-	{ AUTH_DATA,		offsetof(private_auth_payload_t, auth_data)	}
+	{ CHUNK_DATA,		offsetof(private_auth_payload_t, auth_data)	}
 };
 
 /*
@@ -119,11 +119,17 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_auth_payload_t *this, encoding_rule_t **rules)
 {
-	*rules = auth_payload_encodings;
-	*rule_count = countof(auth_payload_encodings);
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_auth_payload_t *this)
+{
+	return 8;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
@@ -167,7 +173,7 @@ METHOD(auth_payload_t, set_data, void,
 {
 	free(this->auth_data.ptr);
 	this->auth_data = chunk_clone(data);
-	this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len;
+	this->payload_length = get_header_length(this) + this->auth_data.len;
 }
 
 METHOD(auth_payload_t, get_data, chunk_t,
@@ -195,6 +201,7 @@ auth_payload_t *auth_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -208,7 +215,7 @@ auth_payload_t *auth_payload_create()
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = AUTH_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
 	);
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/auth_payload.h b/src/libcharon/encoding/payloads/auth_payload.h
index e4c4e6ae3..b922d12c8 100644
--- a/src/libcharon/encoding/payloads/auth_payload.h
+++ b/src/libcharon/encoding/payloads/auth_payload.h
@@ -26,12 +26,7 @@ typedef struct auth_payload_t auth_payload_t;
 
 #include <library.h>
 #include <encoding/payloads/payload.h>
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Length of a auth payload without the auth data in bytes.
- */
-#define AUTH_PAYLOAD_HEADER_LENGTH 8
+#include <sa/authenticator.h>
 
 /**
  * Class representing an IKEv2 AUTH payload.
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
index c42cec680..a32f5705d 100644
--- a/src/libcharon/encoding/payloads/cert_payload.c
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -86,6 +86,11 @@ struct private_cert_payload_t {
 	 * TRUE if the "Hash and URL" data is invalid
 	 */
 	bool invalid_hash_and_url;
+
+	/**
+	 * The payload type.
+	 */
+	payload_type_t type;
 };
 
 /**
@@ -95,7 +100,7 @@ struct private_cert_payload_t {
  * private_cert_payload_t.
  *
  */
-encoding_rule_t cert_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_cert_payload_t, next_payload)	},
 	/* the critical bit */
@@ -113,7 +118,7 @@ encoding_rule_t cert_payload_encodings[] = {
 	/* 1 Byte CERT type*/
 	{ U_INT_8,			offsetof(private_cert_payload_t, encoding)		},
 	/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
-	{ CERT_DATA,		offsetof(private_cert_payload_t, data)			}
+	{ CHUNK_DATA,		offsetof(private_cert_payload_t, data)			}
 };
 
 /*
@@ -166,17 +171,23 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_cert_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_cert_payload_t *this)
 {
-	*rules = cert_payload_encodings;
-	*rule_count = countof(cert_payload_encodings);
+	return 5;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_cert_payload_t *this)
 {
-	return CERTIFICATE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -223,6 +234,23 @@ METHOD(cert_payload_t, get_cert, certificate_t*,
 							  BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
 }
 
+METHOD(cert_payload_t, get_container, container_t*,
+	private_cert_payload_t *this)
+{
+	int type;
+
+	switch (this->encoding)
+	{
+		case ENC_PKCS7_WRAPPED_X509:
+			type = CONTAINER_PKCS7;
+			break;
+		default:
+			return NULL;
+	}
+	return lib->creds->create(lib->creds, CRED_CONTAINER, type,
+							  BUILD_BLOB_ASN1_DER, this->data, BUILD_END);
+}
+
 METHOD(cert_payload_t, get_hash, chunk_t,
 	private_cert_payload_t *this)
 {
@@ -261,7 +289,7 @@ METHOD2(payload_t, cert_payload_t, destroy, void,
 /*
  * Described in header
  */
-cert_payload_t *cert_payload_create()
+cert_payload_t *cert_payload_create(payload_type_t type)
 {
 	private_cert_payload_t *this;
 
@@ -270,6 +298,7 @@ cert_payload_t *cert_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -277,13 +306,15 @@ cert_payload_t *cert_payload_create()
 				.destroy = _destroy,
 			},
 			.get_cert = _get_cert,
+			.get_container = _get_container,
 			.get_cert_encoding = _get_cert_encoding,
 			.get_hash = _get_hash,
 			.get_url = _get_url,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = CERT_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
+		.type = type,
 	);
 	return &this->public;
 }
@@ -291,10 +322,12 @@ cert_payload_t *cert_payload_create()
 /*
  * Described in header
  */
-cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
+cert_payload_t *cert_payload_create_from_cert(payload_type_t type,
+											  certificate_t *cert)
 {
-	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+	private_cert_payload_t *this;
 
+	this = (private_cert_payload_t*)cert_payload_create(type);
 	switch (cert->get_type(cert))
 	{
 		case CERT_X509:
@@ -312,7 +345,8 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
 		free(this);
 		return NULL;
 	}
-	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+	this->payload_length = get_header_length(this) + this->data.len;
+
 	return &this->public;
 }
 
@@ -321,23 +355,29 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
  */
 cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
 {
-	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+	private_cert_payload_t *this;
 
+	this = (private_cert_payload_t*)cert_payload_create(CERTIFICATE);
 	this->encoding = ENC_X509_HASH_AND_URL;
 	this->data = chunk_cat("cc", hash, chunk_create(url, strlen(url)));
-	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+	this->payload_length = get_header_length(this) + this->data.len;
+
 	return &this->public;
 }
 
 /*
  * Described in header
  */
-cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data)
+cert_payload_t *cert_payload_create_custom(payload_type_t type,
+										cert_encoding_t encoding, chunk_t data)
 {
-	private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+	private_cert_payload_t *this;
 
-	this->encoding = type;
+	this = (private_cert_payload_t*)cert_payload_create(type);
+	this->encoding = encoding;
 	this->data = data;
-	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+	this->payload_length = get_header_length(this) + this->data.len;
+
 	return &this->public;
 }
+
diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h
index 21b503a40..834f35d60 100644
--- a/src/libcharon/encoding/payloads/cert_payload.h
+++ b/src/libcharon/encoding/payloads/cert_payload.h
@@ -28,15 +28,11 @@ typedef enum cert_encoding_t cert_encoding_t;
 
 #include <library.h>
 #include <credentials/certificates/certificate.h>
+#include <credentials/containers/container.h>
 #include <encoding/payloads/payload.h>
 
 /**
- * Length of a cert payload without the cert data in bytes.
- */
-#define CERT_PAYLOAD_HEADER_LENGTH 5
-
-/**
- * Certifcate encodings, as in RFC4306
+ * Certificate encodings, as in RFC4306
  */
 enum cert_encoding_t {
 	ENC_PKCS7_WRAPPED_X509 =		 1,
@@ -60,9 +56,7 @@ enum cert_encoding_t {
 extern enum_name_t *cert_encoding_names;
 
 /**
- * Class representing an IKEv2 CERT payload.
- *
- * The CERT payload format is described in RFC section 3.6.
+ * Class representing an IKEv1/IKEv2 CERT payload.
  */
 struct cert_payload_t {
 
@@ -72,13 +66,20 @@ struct cert_payload_t {
 	payload_t payload_interface;
 
 	/**
-	 * Get the playoads encoded certifcate.
+	 * Get the payloads encoded certificate.
 	 *
-	 * @return				certifcate copy
+	 * @return				certificate copy
 	 */
 	certificate_t *(*get_cert)(cert_payload_t *this);
 
 	/**
+	 * Get the payloads certificate container.
+	 *
+	 * @return				container copy
+	 */
+	container_t *(*get_container)(cert_payload_t *this);
+
+	/**
 	 * Get the encoding of the certificate.
 	 *
 	 * @return				encoding
@@ -103,7 +104,6 @@ struct cert_payload_t {
 	 */
 	char *(*get_url)(cert_payload_t *this);
 
-
 	/**
 	 * Destroys the cert_payload object.
 	 */
@@ -113,23 +113,26 @@ struct cert_payload_t {
 /**
  * Creates an empty certificate payload.
  *
+ * @param type				payload type (for IKEv1 or IKEv2)
  * @return					cert_payload_t object
  */
-cert_payload_t *cert_payload_create(void);
+cert_payload_t *cert_payload_create(payload_type_t type);
 
 /**
  * Creates a certificate payload with an embedded certificate.
  *
+ * @param type				payload type (for IKEv1 or IKEv2)
  * @param cert				certificate to embed
  * @return					cert_payload_t object
  */
-cert_payload_t *cert_payload_create_from_cert(certificate_t *cert);
+cert_payload_t *cert_payload_create_from_cert(payload_type_t type,
+											  certificate_t *cert);
 
 /**
- * Creates a certificate payload with hash and URL encoding of a certificate.
+ * Creates an IKEv2 certificate payload with hash and URL encoding.
  *
  * @param hash				hash of the DER encoded certificate (get's cloned)
- * @param url				the URL to locate the certificate (get's cloned)
+ * @param url				URL to the certificate
  * @return					cert_payload_t object
  */
 cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url);
@@ -137,10 +140,12 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url);
 /**
  * Creates a custom certificate payload using type and associated data.
  *
- * @param type				encoding type of certificate
+ * @param type				payload type (for IKEv1 or IKEv2)
+ * @param encoding			encoding type of certificate
  * @param data				associated data (gets owned)
  * @return					cert_payload_t object
  */
-cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data);
+cert_payload_t *cert_payload_create_custom(payload_type_t type,
+										cert_encoding_t encoding, chunk_t data);
 
 #endif /** CERT_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c
index 02015f273..df5e73b5b 100644
--- a/src/libcharon/encoding/payloads/certreq_payload.c
+++ b/src/libcharon/encoding/payloads/certreq_payload.c
@@ -64,15 +64,17 @@ struct private_certreq_payload_t {
 	 * The contained certreq data value.
 	 */
 	chunk_t data;
+
+	/**
+	 * Payload type CERTIFICATE_REQUEST or CERTIFICATE_REQUEST_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a CERTREQ payload
- *
- * The defined offsets are the positions in a object of type
- * private_certreq_payload_t.
+ * Encoding rules for CERTREQ payload.
  */
-encoding_rule_t certreq_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_certreq_payload_t, next_payload)	},
 	/* the critical bit */
@@ -90,7 +92,7 @@ encoding_rule_t certreq_payload_encodings[] = {
 	/* 1 Byte CERTREQ type*/
 	{ U_INT_8,			offsetof(private_certreq_payload_t, encoding)		},
 	/* some certreq data bytes, length is defined in PAYLOAD_LENGTH */
-	{ CERTREQ_DATA,		offsetof(private_certreq_payload_t, data)			}
+	{ CHUNK_DATA,		offsetof(private_certreq_payload_t, data)			}
 };
 
 /*
@@ -109,7 +111,8 @@ encoding_rule_t certreq_payload_encodings[] = {
 METHOD(payload_t, verify, status_t,
 	private_certreq_payload_t *this)
 {
-	if (this->encoding == ENC_X509_SIGNATURE)
+	if (this->type == CERTIFICATE_REQUEST &&
+		this->encoding == ENC_X509_SIGNATURE)
 	{
 		if (this->data.len % HASH_SIZE_SHA1)
 		{
@@ -121,17 +124,23 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_certreq_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_certreq_payload_t *this)
 {
-	*rules = certreq_payload_encodings;
-	*rule_count = countof(certreq_payload_encodings);
+	return 5;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_certreq_payload_t *this)
 {
-	return CERTIFICATE_REQUEST;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -152,6 +161,16 @@ METHOD(payload_t, get_length, size_t,
 	return this->payload_length;
 }
 
+METHOD(certreq_payload_t, get_dn, identification_t*,
+	private_certreq_payload_t *this)
+{
+	if (this->data.len)
+	{
+		return identification_create_from_encoding(ID_DER_ASN1_DN, this->data);
+	}
+	return NULL;
+}
+
 METHOD(certreq_payload_t, add_keyid, void,
 	private_certreq_payload_t *this, chunk_t keyid)
 {
@@ -199,6 +218,10 @@ METHOD(certreq_payload_t, create_keyid_enumerator, enumerator_t*,
 {
 	keyid_enumerator_t *enumerator;
 
+	if (this->type == CERTIFICATE_REQUEST_V1)
+	{
+		return enumerator_create_empty();
+	}
 	INIT(enumerator,
 		.public = {
 			.enumerate = (void*)_keyid_enumerate,
@@ -231,7 +254,7 @@ METHOD2(payload_t, certreq_payload_t, destroy, void,
 /*
  * Described in header
  */
-certreq_payload_t *certreq_payload_create()
+certreq_payload_t *certreq_payload_create(payload_type_t type)
 {
 	private_certreq_payload_t *this;
 
@@ -240,6 +263,7 @@ certreq_payload_t *certreq_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -250,9 +274,11 @@ certreq_payload_t *certreq_payload_create()
 			.get_cert_type = _get_cert_type,
 			.add_keyid = _add_keyid,
 			.destroy = _destroy,
+			.get_dn = _get_dn,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
+		.type = type,
 	);
 	return &this->public;
 }
@@ -262,8 +288,10 @@ certreq_payload_t *certreq_payload_create()
  */
 certreq_payload_t *certreq_payload_create_type(certificate_type_t type)
 {
-	private_certreq_payload_t *this = (private_certreq_payload_t*)certreq_payload_create();
+	private_certreq_payload_t *this;
 
+	this = (private_certreq_payload_t*)
+					certreq_payload_create(CERTIFICATE_REQUEST);
 	switch (type)
 	{
 		case CERT_X509:
@@ -278,3 +306,19 @@ certreq_payload_t *certreq_payload_create_type(certificate_type_t type)
 	return &this->public;
 }
 
+/*
+ * Described in header
+ */
+certreq_payload_t *certreq_payload_create_dn(identification_t *id)
+{
+	private_certreq_payload_t *this;
+
+	this = (private_certreq_payload_t*)
+					certreq_payload_create(CERTIFICATE_REQUEST_V1);
+
+	this->encoding = ENC_X509_SIGNATURE;
+	this->data = chunk_clone(id->get_encoding(id));
+	this->payload_length = get_header_length(this) + this->data.len;
+
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/certreq_payload.h b/src/libcharon/encoding/payloads/certreq_payload.h
index 914063628..2915decf3 100644
--- a/src/libcharon/encoding/payloads/certreq_payload.h
+++ b/src/libcharon/encoding/payloads/certreq_payload.h
@@ -27,25 +27,20 @@ typedef struct certreq_payload_t certreq_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/cert_payload.h>
+#include <utils/identification.h>
 
 /**
- * Length of a CERTREQ payload without the CERTREQ data in bytes.
- */
-#define CERTREQ_PAYLOAD_HEADER_LENGTH 5
-
-/**
- * Class representing an IKEv2 CERTREQ payload.
- *
- * The CERTREQ payload format is described in RFC section 3.7.
+ * Class representing an IKEv1/IKEv2 CERTREQ payload.
  */
 struct certreq_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
 	/**
-	 * Create an enumerator over contained keyids.
+	 * Create an enumerator over contained keyids (IKEv2 only).
 	 *
 	 * @return			enumerator over chunk_t's.
 	 */
@@ -59,14 +54,21 @@ struct certreq_payload_t {
 	certificate_type_t (*get_cert_type)(certreq_payload_t *this);
 
 	/**
-	 * Add a certificates keyid to the payload.
+	 * Add a certificates keyid to the payload (IKEv2 only).
 	 *
-	 * @param keyid		keyid of the trusted certifcate
+	 * @param keyid		keyid of the trusted certificate
 	 * @return
 	 */
 	void (*add_keyid)(certreq_payload_t *this, chunk_t keyid);
 
 	/**
+	 * Get the distinguished name of the payload (IKEv1 only).
+	 *
+	 * @return			DN as identity, must be destroyed
+	 */
+	identification_t* (*get_dn)(certreq_payload_t *this);
+
+	/**
 	 * Destroys an certreq_payload_t object.
 	 */
 	void (*destroy) (certreq_payload_t *this);
@@ -77,14 +79,22 @@ struct certreq_payload_t {
  *
  * @return 				certreq payload
  */
-certreq_payload_t *certreq_payload_create(void);
+certreq_payload_t *certreq_payload_create(payload_type_t payload_type);
 
 /**
- * Creates an empty certreq_payload_t for a kind of certificates.
+ * Creates an empty IKEv2 certreq_payload_t for a kind of certificates.
  *
  * @param type			type of the added keyids
  * @return 				certreq payload
  */
 certreq_payload_t *certreq_payload_create_type(certificate_type_t type);
 
+/**
+ * Creates a IKEv1 certreq_payload_t for a given distinguished name.
+ *
+ * @param id			distinguished name, does not get owned
+ * @return 				certreq payload
+ */
+certreq_payload_t *certreq_payload_create_dn(identification_t *id);
+
 #endif /** CERTREQ_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
index e608497bd..482eca882 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.c
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -36,41 +36,48 @@ struct private_configuration_attribute_t {
 	configuration_attribute_t public;
 
 	/**
-	 * Reserved bit
+	 * Value encoded in length field?
+	 */
+	bool af_flag;
+
+	/**
+	 * Reserved bit (af_flag in IKEv2)
 	 */
 	bool reserved;
 
 	/**
 	 * Type of the attribute.
 	 */
-	u_int16_t type;
+	u_int16_t attr_type;
 
 	/**
-	 * Length of the attribute.
+	 * Length of the attribute, value if af_flag set.
 	 */
-	u_int16_t length;
+	u_int16_t length_or_value;
 
 	/**
 	 * Attribute value as chunk.
 	 */
 	chunk_t value;
+
+	/**
+	 * Payload type, CONFIGURATION_ATTRIBUTE or DATA_ATTRIBUTE_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a configuration attribute.
- *
- * The defined offsets are the positions in a object of type
- * private_configuration_attribute_t.
+ * Encoding rules for a IKEv2 configuration attribute / IKEv1 data attribute
  */
-encoding_rule_t configuration_attribute_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 reserved bit */
-	{ RESERVED_BIT,						offsetof(private_configuration_attribute_t, reserved)},
+	{ RESERVED_BIT,					offsetof(private_configuration_attribute_t, reserved)		},
 	/* type of the attribute as 15 bit unsigned integer */
-	{ ATTRIBUTE_TYPE,					offsetof(private_configuration_attribute_t, type)	},
+	{ ATTRIBUTE_TYPE,				offsetof(private_configuration_attribute_t, attr_type)		},
 	/* Length of attribute value */
-	{ CONFIGURATION_ATTRIBUTE_LENGTH,	offsetof(private_configuration_attribute_t, length)	},
+	{ ATTRIBUTE_LENGTH,				offsetof(private_configuration_attribute_t, length_or_value)},
 	/* Value of attribute if attribute format flag is zero */
-	{ CONFIGURATION_ATTRIBUTE_VALUE,	offsetof(private_configuration_attribute_t, value)	}
+	{ ATTRIBUTE_VALUE,				offsetof(private_configuration_attribute_t, value)			},
 };
 
 /*
@@ -85,87 +92,142 @@ encoding_rule_t configuration_attribute_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
+/**
+ * Encoding rules for a IKEv1 data attribute
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* AF Flag */
+	{ ATTRIBUTE_FORMAT,				offsetof(private_configuration_attribute_t, af_flag)		},
+	/* type of the attribute as 15 bit unsigned integer */
+	{ ATTRIBUTE_TYPE,				offsetof(private_configuration_attribute_t, attr_type)		},
+	/* Length of attribute value */
+	{ ATTRIBUTE_LENGTH_OR_VALUE,	offsetof(private_configuration_attribute_t, length_or_value)},
+	/* Value of attribute if attribute format flag is zero */
+	{ ATTRIBUTE_VALUE,				offsetof(private_configuration_attribute_t, value)			},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !F|         Attribute Type      !            Length             |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                                                               |
+      ~                             Value                             ~
+      |                                                               |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+
 METHOD(payload_t, verify, status_t,
 	private_configuration_attribute_t *this)
 {
 	bool failed = FALSE;
 
-	if (this->length != this->value.len)
-	{
-		DBG1(DBG_ENC, "invalid attribute length");
-		return FAILED;
-	}
-
-	switch (this->type)
+	switch (this->attr_type)
 	{
-		 case INTERNAL_IP4_ADDRESS:
-		 case INTERNAL_IP4_NETMASK:
-		 case INTERNAL_IP4_DNS:
-		 case INTERNAL_IP4_NBNS:
-		 case INTERNAL_ADDRESS_EXPIRY:
-		 case INTERNAL_IP4_DHCP:
-			if (this->length != 0 && this->length != 4)
+		case INTERNAL_IP4_ADDRESS:
+		case INTERNAL_IP4_NETMASK:
+		case INTERNAL_IP4_DNS:
+		case INTERNAL_IP4_NBNS:
+		case INTERNAL_ADDRESS_EXPIRY:
+		case INTERNAL_IP4_DHCP:
+			if (this->length_or_value != 0 && this->length_or_value != 4)
 			{
 				failed = TRUE;
 			}
 			break;
-		 case INTERNAL_IP4_SUBNET:
-			if (this->length != 0 && this->length != 8)
+		case INTERNAL_IP4_SUBNET:
+			if (this->length_or_value != 0 && this->length_or_value != 8)
 			{
 				failed = TRUE;
 			}
 			break;
-		 case INTERNAL_IP6_ADDRESS:
-		 case INTERNAL_IP6_SUBNET:
-			if (this->length != 0 && this->length != 17)
+		case INTERNAL_IP6_ADDRESS:
+		case INTERNAL_IP6_SUBNET:
+			if (this->length_or_value != 0 && this->length_or_value != 17)
 			{
 				failed = TRUE;
 			}
 			break;
-		 case INTERNAL_IP6_DNS:
-		 case INTERNAL_IP6_NBNS:
-		 case INTERNAL_IP6_DHCP:
-			if (this->length != 0 && this->length != 16)
+		case INTERNAL_IP6_DNS:
+		case INTERNAL_IP6_NBNS:
+		case INTERNAL_IP6_DHCP:
+			if (this->length_or_value != 0 && this->length_or_value != 16)
 			{
 				failed = TRUE;
 			}
 			break;
-		 case SUPPORTED_ATTRIBUTES:
-			if (this->length % 2)
+		case SUPPORTED_ATTRIBUTES:
+			if (this->length_or_value % 2)
 			{
 				failed = TRUE;
 			}
 			break;
-		 case APPLICATION_VERSION:
+		case APPLICATION_VERSION:
+		case INTERNAL_IP4_SERVER:
+		case INTERNAL_IP6_SERVER:
+		case XAUTH_TYPE:
+		case XAUTH_USER_NAME:
+		case XAUTH_USER_PASSWORD:
+		case XAUTH_PASSCODE:
+		case XAUTH_MESSAGE:
+		case XAUTH_CHALLENGE:
+		case XAUTH_DOMAIN:
+		case XAUTH_STATUS:
+		case XAUTH_NEXT_PIN:
+		case XAUTH_ANSWER:
+		case UNITY_BANNER:
+		case UNITY_SAVE_PASSWD:
+		case UNITY_DEF_DOMAIN:
+		case UNITY_SPLITDNS_NAME:
+		case UNITY_SPLIT_INCLUDE:
+		case UNITY_NATT_PORT:
+		case UNITY_LOCAL_LAN:
+		case UNITY_PFS:
+		case UNITY_FW_TYPE:
+		case UNITY_BACKUP_SERVERS:
+		case UNITY_DDNS_HOSTNAME:
 			/* any length acceptable */
 			break;
-		 default:
+		default:
 			DBG1(DBG_ENC, "unknown attribute type %N",
-				 configuration_attribute_type_names, this->type);
+				 configuration_attribute_type_names, this->attr_type);
 			break;
 	}
 
 	if (failed)
 	{
 		DBG1(DBG_ENC, "invalid attribute length %d for %N",
-			 this->length, configuration_attribute_type_names, this->type);
+			 this->length_or_value, configuration_attribute_type_names,
+			 this->attr_type);
 		return FAILED;
 	}
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_configuration_attribute_t *this, encoding_rule_t **rules,
-	size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_configuration_attribute_t *this, encoding_rule_t **rules)
+{
+	if (this->type == CONFIGURATION_ATTRIBUTE)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_configuration_attribute_t *this)
 {
-	*rules = configuration_attribute_encodings;
-	*rule_count = countof(configuration_attribute_encodings);
+	return 4;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_configuration_attribute_t *this)
 {
-	return CONFIGURATION_ATTRIBUTE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -182,21 +244,35 @@ METHOD(payload_t, set_next_type, void,
 METHOD(payload_t, get_length, size_t,
 	private_configuration_attribute_t *this)
 {
-	return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
+	return get_header_length(this) + this->value.len;
 }
 
 METHOD(configuration_attribute_t, get_cattr_type, configuration_attribute_type_t,
 	private_configuration_attribute_t *this)
 {
-	return this->type;
+	return this->attr_type;
 }
 
-METHOD(configuration_attribute_t, get_value, chunk_t,
+METHOD(configuration_attribute_t, get_chunk, chunk_t,
 	private_configuration_attribute_t *this)
 {
+	if (this->af_flag)
+	{
+		return chunk_from_thing(this->length_or_value);
+	}
 	return this->value;
 }
 
+METHOD(configuration_attribute_t, get_value, u_int16_t,
+	private_configuration_attribute_t *this)
+{
+	if (this->af_flag)
+	{
+		return this->length_or_value;
+	}
+	return 0;
+}
+
 METHOD2(payload_t, configuration_attribute_t, destroy, void,
 	private_configuration_attribute_t *this)
 {
@@ -207,7 +283,7 @@ METHOD2(payload_t, configuration_attribute_t, destroy, void,
 /*
  * Described in header.
  */
-configuration_attribute_t *configuration_attribute_create()
+configuration_attribute_t *configuration_attribute_create(payload_type_t type)
 {
 	private_configuration_attribute_t *this;
 
@@ -216,16 +292,19 @@ configuration_attribute_t *configuration_attribute_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
 				.get_type = _get_type,
 				.destroy = _destroy,
 			},
+			.get_chunk = _get_chunk,
 			.get_value = _get_value,
 			.get_type = _get_cattr_type,
 			.destroy = _destroy,
 		},
+		.type = type
 	);
 	return &this->public;
 }
@@ -233,15 +312,33 @@ configuration_attribute_t *configuration_attribute_create()
 /*
  * Described in header.
  */
+configuration_attribute_t *configuration_attribute_create_chunk(
+	payload_type_t type, configuration_attribute_type_t attr_type, chunk_t chunk)
+{
+	private_configuration_attribute_t *this;
+
+	this = (private_configuration_attribute_t*)
+							configuration_attribute_create(type);
+	this->attr_type = ((u_int16_t)attr_type) & 0x7FFF;
+	this->value = chunk_clone(chunk);
+	this->length_or_value = chunk.len;
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
 configuration_attribute_t *configuration_attribute_create_value(
-							configuration_attribute_type_t type, chunk_t value)
+					configuration_attribute_type_t attr_type, u_int16_t value)
 {
 	private_configuration_attribute_t *this;
 
-	this = (private_configuration_attribute_t*)configuration_attribute_create();
-	this->type = ((u_int16_t)type) & 0x7FFF;
-	this->value = chunk_clone(value);
-	this->length = value.len;
+	this = (private_configuration_attribute_t*)
+					configuration_attribute_create(CONFIGURATION_ATTRIBUTE_V1);
+	this->attr_type = ((u_int16_t)attr_type) & 0x7FFF;
+	this->length_or_value = value;
+	this->af_flag = TRUE;
 
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.h b/src/libcharon/encoding/payloads/configuration_attribute.h
index 6e4b018bb..ecc0f9c07 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.h
+++ b/src/libcharon/encoding/payloads/configuration_attribute.h
@@ -29,14 +29,7 @@ typedef struct configuration_attribute_t configuration_attribute_t;
 #include <encoding/payloads/payload.h>
 
 /**
- * Configuration attribute header length in bytes.
- */
-#define CONFIGURATION_ATTRIBUTE_HEADER_LENGTH 4
-
-/**
- * Class representing an IKEv2-CONFIGURATION Attribute.
- *
- * The CONFIGURATION ATTRIBUTE format is described in RFC section 3.15.1.
+ * Class representing an IKEv2 configuration attribute / IKEv1 data attribute.
  */
 struct configuration_attribute_t {
 
@@ -53,11 +46,18 @@ struct configuration_attribute_t {
 	configuration_attribute_type_t (*get_type)(configuration_attribute_t *this);
 
 	/**
-	 * Returns the value of the attribute.
+	 * Returns the value of the attribute as chunk.
 	 *
 	 * @return 		chunk_t pointing to the internal value
 	 */
-	chunk_t (*get_value) (configuration_attribute_t *this);
+	chunk_t (*get_chunk) (configuration_attribute_t *this);
+
+	/**
+	 * Returns the 2 byte value of the attribute as u_int16.
+	 *
+	 * @return 		attribute value
+	 */
+	u_int16_t (*get_value) (configuration_attribute_t *this);
 
 	/**
 	 * Destroys an configuration_attribute_t object.
@@ -68,18 +68,30 @@ struct configuration_attribute_t {
 /**
  * Creates an empty configuration attribute.
  *
- * @return		created configuration attribute
+ * @param type		CONFIGURATION_ATTRIBUTE or CONFIGURATION_ATTRIBUTE_V1
+ * @return			created configuration attribute
  */
-configuration_attribute_t *configuration_attribute_create();
+configuration_attribute_t *configuration_attribute_create(payload_type_t type);
 
 /**
  * Creates a configuration attribute with type and value.
  *
- * @param type	type of configuration attribute
- * @param value	value, gets cloned
- * @return		created configuration attribute
+ * @param type		CONFIGURATION_ATTRIBUTE or CONFIGURATION_ATTRIBUTE_V1
+ * @param attr_type	type of configuration attribute
+ * @param chunk		attribute value, gets cloned
+ * @return			created configuration attribute
+ */
+configuration_attribute_t *configuration_attribute_create_chunk(
+	payload_type_t type, configuration_attribute_type_t attr_type, chunk_t chunk);
+
+/**
+ * Creates a IKEv1 configuration attribute with 2 bytes value (IKEv1 only).
+ *
+ * @param attr_type	type of configuration attribute
+ * @param value		attribute value, gets cloned
+ * @return			created CONFIGURATION_ATTRIBUTE_V1 configuration attribute
  */
 configuration_attribute_t *configuration_attribute_create_value(
-							configuration_attribute_type_t type, chunk_t value);
+					configuration_attribute_type_t attr_type, u_int16_t value);
 
 #endif /** CONFIGURATION_ATTRIBUTE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c
index 82e9e51b7..f6f373f99 100644
--- a/src/libcharon/encoding/payloads/cp_payload.c
+++ b/src/libcharon/encoding/payloads/cp_payload.c
@@ -20,7 +20,7 @@
 #include "cp_payload.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 ENUM(config_type_names, CFG_REQUEST, CFG_ACK,
 	"CFG_REQUEST",
@@ -44,7 +44,7 @@ struct private_cp_payload_t {
 	/**
 	 * Next payload type.
 	 */
-	u_int8_t  next_payload;
+	u_int8_t next_payload;
 
 	/**
 	 * Critical flag.
@@ -67,6 +67,11 @@ struct private_cp_payload_t {
 	u_int16_t payload_length;
 
 	/**
+	 * Identifier field, IKEv1 only
+	 */
+	u_int16_t identifier;
+
+	/**
 	 * List of attributes, as configuration_attribute_t
 	 */
 	linked_list_t *attributes;
@@ -74,38 +79,40 @@ struct private_cp_payload_t {
 	/**
 	 * Config Type.
 	 */
-	u_int8_t type;
+	u_int8_t cfg_type;
+
+	/**
+	 * CONFIGURATION or CONFIGURATION_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a IKEv2-CP Payload
- *
- * The defined offsets are the positions in a object of type
- * private_cp_payload_t.
+ * Encoding rules to for an IKEv2 configuration payload
  */
-encoding_rule_t cp_payload_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,					offsetof(private_cp_payload_t, next_payload)	},
+	{ U_INT_8,			offsetof(private_cp_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,						offsetof(private_cp_payload_t, critical)		},
+	{ FLAG,				offsetof(private_cp_payload_t, critical)		},
 	/* 7 Bit reserved bits */
-	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[0])	},
-	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[1])	},
-	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[2])	},
-	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[3])	},
-	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[4])	},
-	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[5])	},
-	{ RESERVED_BIT,				offsetof(private_cp_payload_t, reserved_bit[6])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[0])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[1])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[2])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[3])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[4])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[5])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[6])	},
 	/* Length of the whole CP payload*/
-	{ PAYLOAD_LENGTH,			offsetof(private_cp_payload_t, payload_length)	},
-	/* Proposals are stored in a proposal substructure,
-	   offset points to a linked_list_t pointer */
-	{ U_INT_8,					offsetof(private_cp_payload_t, type)			},
+	{ PAYLOAD_LENGTH,	offsetof(private_cp_payload_t, payload_length)	},
+	{ U_INT_8,			offsetof(private_cp_payload_t, cfg_type)		},
 	/* 3 reserved bytes */
-	{ RESERVED_BYTE,			offsetof(private_cp_payload_t, reserved_byte[0])},
-	{ RESERVED_BYTE,			offsetof(private_cp_payload_t, reserved_byte[1])},
-	{ RESERVED_BYTE,			offsetof(private_cp_payload_t, reserved_byte[2])},
-	{ CONFIGURATION_ATTRIBUTES,	offsetof(private_cp_payload_t, attributes)		}
+	{ RESERVED_BYTE,	offsetof(private_cp_payload_t, reserved_byte[0])},
+	{ RESERVED_BYTE,	offsetof(private_cp_payload_t, reserved_byte[1])},
+	{ RESERVED_BYTE,	offsetof(private_cp_payload_t, reserved_byte[2])},
+	/* list of configuration attributes in a list */
+	{ PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE,
+						offsetof(private_cp_payload_t, attributes)		},
 };
 
 /*
@@ -122,6 +129,47 @@ encoding_rule_t cp_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
+/**
+ * Encoding rules to for an IKEv1 configuration payload
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_cp_payload_t, next_payload)	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_cp_payload_t, critical)		},
+	/* 7 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[0])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[1])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[2])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[3])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[4])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[5])	},
+	{ RESERVED_BIT,		offsetof(private_cp_payload_t, reserved_bit[6])	},
+	/* Length of the whole CP payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_cp_payload_t, payload_length)	},
+	{ U_INT_8,			offsetof(private_cp_payload_t, cfg_type)		},
+	/* 1 reserved bytes */
+	{ RESERVED_BYTE,	offsetof(private_cp_payload_t, reserved_byte[0])},
+	{ U_INT_16,			offsetof(private_cp_payload_t, identifier)},
+	/* list of configuration attributes in a list */
+	{ PAYLOAD_LIST + CONFIGURATION_ATTRIBUTE_V1,
+						offsetof(private_cp_payload_t, attributes)		},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !   RESERVED    !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !   CFG Type    !   RESERVED    !           Identifier          !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                   Configuration Attributes                    ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
 METHOD(payload_t, verify, status_t,
 	private_cp_payload_t *this)
 {
@@ -142,17 +190,28 @@ METHOD(payload_t, verify, status_t,
 	return status;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_cp_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_cp_payload_t *this, encoding_rule_t **rules)
+{
+	if (this->type == CONFIGURATION)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_cp_payload_t *this)
 {
-	*rules = cp_payload_encodings;
-	*rule_count = countof(cp_payload_encodings);
+	return 8;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_cp_payload_t *this)
 {
-	return CONFIGURATION;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -175,7 +234,7 @@ static void compute_length(private_cp_payload_t *this)
 	enumerator_t *enumerator;
 	payload_t *attribute;
 
-	this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
+	this->payload_length = get_header_length(this);
 
 	enumerator = this->attributes->create_enumerator(this->attributes);
 	while (enumerator->enumerate(enumerator, &attribute))
@@ -207,7 +266,18 @@ METHOD(cp_payload_t, add_attribute, void,
 METHOD(cp_payload_t, get_config_type, config_type_t,
 	private_cp_payload_t *this)
 {
-	return this->type;
+	return this->cfg_type;
+}
+
+METHOD(cp_payload_t, get_identifier, u_int16_t,
+			 private_cp_payload_t *this)
+{
+	return this->identifier;
+}
+METHOD(cp_payload_t, set_identifier, void,
+			 private_cp_payload_t *this, u_int16_t identifier)
+{
+	this->identifier = identifier;
 }
 
 METHOD2(payload_t, cp_payload_t, destroy, void,
@@ -221,7 +291,7 @@ METHOD2(payload_t, cp_payload_t, destroy, void,
 /*
  * Described in header.
  */
-cp_payload_t *cp_payload_create_type(config_type_t type)
+cp_payload_t *cp_payload_create_type(payload_type_t type, config_type_t cfg_type)
 {
 	private_cp_payload_t *this;
 
@@ -230,6 +300,7 @@ cp_payload_t *cp_payload_create_type(config_type_t type)
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -239,11 +310,14 @@ cp_payload_t *cp_payload_create_type(config_type_t type)
 			.create_attribute_enumerator = _create_attribute_enumerator,
 			.add_attribute = _add_attribute,
 			.get_type = _get_config_type,
+			.get_identifier = _get_identifier,
+			.set_identifier = _set_identifier,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = CP_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
 		.attributes = linked_list_create(),
+		.cfg_type = cfg_type,
 		.type = type,
 	);
 	return &this->public;
@@ -252,7 +326,7 @@ cp_payload_t *cp_payload_create_type(config_type_t type)
 /*
  * Described in header.
  */
-cp_payload_t *cp_payload_create()
+cp_payload_t *cp_payload_create(payload_type_t type)
 {
-	return cp_payload_create_type(CFG_REQUEST);
+	return cp_payload_create_type(type, CFG_REQUEST);
 }
diff --git a/src/libcharon/encoding/payloads/cp_payload.h b/src/libcharon/encoding/payloads/cp_payload.h
index afae6091a..c23bc0bb4 100644
--- a/src/libcharon/encoding/payloads/cp_payload.h
+++ b/src/libcharon/encoding/payloads/cp_payload.h
@@ -28,12 +28,7 @@ typedef struct cp_payload_t cp_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/configuration_attribute.h>
-#include <utils/enumerator.h>
-
-/**
- * CP_PAYLOAD length in bytes without any proposal substructure.
- */
-#define CP_PAYLOAD_HEADER_LENGTH 8
+#include <collections/enumerator.h>
 
 /**
  * Config Type of an Configuration Payload.
@@ -51,9 +46,7 @@ enum config_type_t {
 extern enum_name_t *config_type_names;
 
 /**
- * Class representing an IKEv2-CP Payload.
- *
- * The CP Payload format is described in RFC section 3.15.
+ * Class representing an IKEv2 configuration / IKEv1 attribute payload.
  */
 struct cp_payload_t {
 
@@ -85,6 +78,20 @@ struct cp_payload_t {
 	config_type_t (*get_type) (cp_payload_t *this);
 
 	/**
+	 * Set the configuration payload identifier (IKEv1 only).
+	 *
+	 @param identifier	identifier to set
+	 */
+	void (*set_identifier) (cp_payload_t *this, u_int16_t identifier);
+
+	/**
+	 * Get the configuration payload identifier (IKEv1 only).
+	 *
+	 * @return			identifier
+	 */
+	u_int16_t (*get_identifier) (cp_payload_t *this);
+
+	/**
 	 * Destroys an cp_payload_t object.
 	 */
 	void (*destroy) (cp_payload_t *this);
@@ -93,16 +100,18 @@ struct cp_payload_t {
 /**
  * Creates an empty configuration payload
  *
- * @return		empty configuration payload
+ * @param type		payload type, CONFIGURATION or CONFIGURATION_V1
+ * @return			empty configuration payload
  */
-cp_payload_t *cp_payload_create();
+cp_payload_t *cp_payload_create(payload_type_t type);
 
 /**
  * Creates an cp_payload_t with type and value
  *
- * @param config_type	type of configuration payload to create
- * @return				created configuration payload
+ * @param type		payload type, CONFIGURATION or CONFIGURATION_V1
+ * @param cfg_type	type of configuration payload to create
+ * @return			created configuration payload
  */
-cp_payload_t *cp_payload_create_type(config_type_t config_type);
+cp_payload_t *cp_payload_create_type(payload_type_t type, config_type_t cfg_type);
 
 #endif /** CP_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
index e6ee07d39..007411f37 100644
--- a/src/libcharon/encoding/payloads/delete_payload.c
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -24,9 +24,9 @@ typedef struct private_delete_payload_t private_delete_payload_t;
 
 /**
  * Private data of an delete_payload_t object.
- *
  */
 struct private_delete_payload_t {
+
 	/**
 	 * Public delete_payload_t interface.
 	 */
@@ -45,7 +45,7 @@ struct private_delete_payload_t {
 	/**
 	 * reserved bits
 	 */
-	bool reserved[7];
+	bool reserved[8];
 
 	/**
 	 * Length of this payload.
@@ -53,6 +53,11 @@ struct private_delete_payload_t {
 	u_int16_t payload_length;
 
 	/**
+	 * IKEv1 Domain of Interpretation
+	 */
+	u_int32_t doi;
+
+	/**
 	 * Protocol ID.
 	 */
 	u_int8_t protocol_id;
@@ -71,19 +76,21 @@ struct private_delete_payload_t {
 	 * The contained SPI's.
 	 */
 	chunk_t spis;
+
+	/**
+	 * Payload type, DELETE or DELETE_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a DELETE payload
- *
- * The defined offsets are the positions in a object of type
- * private_delete_payload_t.
+ * Encoding rules for an IKEv2 delete payload.
  */
-encoding_rule_t delete_payload_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_delete_payload_t, next_payload) 	},
+	{ U_INT_8,			offsetof(private_delete_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_delete_payload_t, critical) 		},
+	{ FLAG,				offsetof(private_delete_payload_t, critical)		},
 	/* 7 Bit reserved bits */
 	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[0])		},
 	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[1])		},
@@ -98,7 +105,47 @@ encoding_rule_t delete_payload_encodings[] = {
 	{ U_INT_8,			offsetof(private_delete_payload_t, spi_size)		},
 	{ U_INT_16,			offsetof(private_delete_payload_t, spi_count)		},
 	/* some delete data bytes, length is defined in PAYLOAD_LENGTH */
-	{ SPIS,				offsetof(private_delete_payload_t, spis) 			}
+	{ CHUNK_DATA,		offsetof(private_delete_payload_t, spis)			},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Protocol ID   !   SPI Size    !           # of SPIs           !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~               Security Parameter Index(es) (SPI)              ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Encoding rules for an IKEv1 delete payload.
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_delete_payload_t, next_payload)	},
+	/* 8 Bit reserved bits */
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[0])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[1])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[2])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[3])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[4])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[5])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[6])		},
+	{ RESERVED_BIT,		offsetof(private_delete_payload_t, reserved[7])		},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)	},
+	/* Domain of interpretation */
+	{ U_INT_32,			offsetof(private_delete_payload_t, doi)				},
+	{ U_INT_8,			offsetof(private_delete_payload_t, protocol_id)		},
+	{ U_INT_8,			offsetof(private_delete_payload_t, spi_size)		},
+	{ U_INT_16,			offsetof(private_delete_payload_t, spi_count)		},
+	/* some delete data bytes, length is defined in PAYLOAD_LENGTH */
+	{ CHUNK_DATA,		offsetof(private_delete_payload_t, spis)			},
 };
 
 /*
@@ -107,6 +154,8 @@ encoding_rule_t delete_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ! Next Payload  !C!  RESERVED   !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                          DOI                                  !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ! Protocol ID   !   SPI Size    !           # of SPIs           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       !                                                               !
@@ -129,10 +178,19 @@ METHOD(payload_t, verify, status_t,
 			break;
 		case PROTO_IKE:
 		case 0:
-			/* IKE deletion has no spi assigned! */
-			if (this->spi_size != 0)
-			{
-				return FAILED;
+			if (this->type == DELETE)
+			{	/* IKEv2 deletion has no spi assigned! */
+				if (this->spi_size != 0)
+				{
+					return FAILED;
+				}
+			}
+			else
+			{	/* IKEv1 uses the two concatenated ISAKMP cookies as SPI */
+				if (this->spi_size != 16)
+				{
+					return FAILED;
+				}
 			}
 			break;
 		default:
@@ -145,17 +203,32 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_delete_payload_t *this, encoding_rule_t **rules)
 {
-	*rules = delete_payload_encodings;
-	*rule_count = countof(delete_payload_encodings);
+	if (this->type == DELETE)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_delete_payload_t *this)
+{
+	if (this->type == DELETE)
+	{
+		return 8;
+	}
+	return 12;
 }
 
 METHOD(payload_t, get_payload_type, payload_type_t,
 	private_delete_payload_t *this)
 {
-	return DELETE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -198,6 +271,16 @@ METHOD(delete_payload_t, add_spi, void,
 	}
 }
 
+METHOD(delete_payload_t, set_ike_spi, void,
+	private_delete_payload_t *this, u_int64_t spi_i, u_int64_t spi_r)
+{
+	free(this->spis.ptr);
+	this->spis = chunk_cat("cc", chunk_from_thing(spi_i),
+								 chunk_from_thing(spi_r));
+	this->spi_count = 1;
+	this->payload_length = get_header_length(this) + this->spi_size;
+}
+
 /**
  * SPI enumerator implementation
  */
@@ -249,7 +332,8 @@ METHOD2(payload_t, delete_payload_t, destroy, void,
 /*
  * Described in header
  */
-delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
+delete_payload_t *delete_payload_create(payload_type_t type,
+										protocol_id_t protocol_id)
 {
 	private_delete_payload_t *this;
 
@@ -258,6 +342,7 @@ delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -266,13 +351,27 @@ delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
 			},
 			.get_protocol_id = _get_protocol_id,
 			.add_spi = _add_spi,
+			.set_ike_spi = _set_ike_spi,
 			.create_spi_enumerator = _create_spi_enumerator,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = DELETE_PAYLOAD_HEADER_LENGTH,
 		.protocol_id = protocol_id,
-		.spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0,
+		.doi = IKEV1_DOI_IPSEC,
+		.type = type,
 	);
+	this->payload_length = get_header_length(this);
+
+	if (protocol_id == PROTO_IKE)
+	{
+		if (type == DELETE_V1)
+		{
+			this->spi_size = 16;
+		}
+	}
+	else
+	{
+		this->spi_size = 4;
+	}
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h
index 026829f97..afce1ecf1 100644
--- a/src/libcharon/encoding/payloads/delete_payload.h
+++ b/src/libcharon/encoding/payloads/delete_payload.h
@@ -29,14 +29,7 @@ typedef struct delete_payload_t delete_payload_t;
 #include <encoding/payloads/proposal_substructure.h>
 
 /**
- * Length of a delete payload without the SPI in bytes.
- */
-#define DELETE_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2 DELETE payload.
- *
- * The DELETE payload format is described in RFC section 3.11.
+ * Class representing an IKEv1 or a IKEv2 DELETE payload.
  */
 struct delete_payload_t {
 
@@ -60,6 +53,14 @@ struct delete_payload_t {
 	void (*add_spi) (delete_payload_t *this, u_int32_t spi);
 
 	/**
+	 * Set the IKE SPIs for an IKEv1 delete.
+	 *
+	 * @param spi_i			initiator SPI
+	 * @param spi_r			responder SPI
+	 */
+	void (*set_ike_spi)(delete_payload_t *this, u_int64_t spi_i, u_int64_t spi_r);
+
+	/**
 	 * Get an enumerator over the SPIs in network order.
 	 *
 	 * @return				enumerator over SPIs, u_int32_t
@@ -75,9 +76,11 @@ struct delete_payload_t {
 /**
  * Creates an empty delete_payload_t object.
  *
+ * @param type			DELETE or DELETE_V1
  * @param protocol_id	protocol, such as AH|ESP
  * @return 				delete_payload_t object
  */
-delete_payload_t *delete_payload_create(protocol_id_t protocol_id);
+delete_payload_t *delete_payload_create(payload_type_t type,
+										protocol_id_t protocol_id);
 
 #endif /** DELETE_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
index cacaef222..f2f35aa69 100644
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -19,6 +20,8 @@
 #include "eap_payload.h"
 
 #include <daemon.h>
+#include <eap/eap.h>
+#include <bio/bio_writer.h>
 
 typedef struct private_eap_payload_t private_eap_payload_t;
 
@@ -65,7 +68,7 @@ struct private_eap_payload_t {
  * private_eap_payload_t.
  *
  */
-static encoding_rule_t eap_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_eap_payload_t, next_payload) 	},
 	/* the critical bit */
@@ -81,7 +84,7 @@ static encoding_rule_t eap_payload_encodings[] = {
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_eap_payload_t, payload_length)	},
 	/* chunt to data, starting at "code" */
-	{ EAP_DATA,			offsetof(private_eap_payload_t, data)			},
+	{ CHUNK_DATA,		offsetof(private_eap_payload_t, data)			},
 };
 
 /*
@@ -143,11 +146,17 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_eap_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_eap_payload_t *this, encoding_rule_t **rules)
 {
-	*rules = eap_payload_encodings;
-	*rule_count = sizeof(eap_payload_encodings) / sizeof(encoding_rule_t);
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_eap_payload_t *this)
+{
+	return 4;
 }
 
 METHOD(payload_t, get_payload_type, payload_type_t,
@@ -210,28 +219,93 @@ METHOD(eap_payload_t, get_identifier, u_int8_t,
 	return 0;
 }
 
+/**
+ * Get the current type at the given offset into this->data.
+ * @return	the new offset or 0 if failed
+ */
+static size_t extract_type(private_eap_payload_t *this, size_t offset,
+					       eap_type_t *type, u_int32_t *vendor)
+{
+	if (this->data.len > offset)
+	{
+		*vendor = 0;
+		*type = this->data.ptr[offset];
+		if (*type != EAP_EXPANDED)
+		{
+			return offset + 1;
+		}
+		if (this->data.len >= offset + 8)
+		{
+			*vendor = untoh32(this->data.ptr + offset) & 0x00FFFFFF;
+			*type = untoh32(this->data.ptr + offset + 4);
+			return offset + 8;
+		}
+	}
+	return 0;
+}
+
 METHOD(eap_payload_t, get_type, eap_type_t,
 	private_eap_payload_t *this, u_int32_t *vendor)
 {
 	eap_type_t type;
 
 	*vendor = 0;
-	if (this->data.len > 4)
+	if (extract_type(this, 4, &type, vendor))
 	{
-		type = this->data.ptr[4];
-		if (type != EAP_EXPANDED)
-		{
-			return type;
-		}
-		if (this->data.len >= 12)
-		{
-			*vendor = untoh32(this->data.ptr + 4) & 0x00FFFFFF;
-			return untoh32(this->data.ptr + 8);
-		}
+		return type;
 	}
 	return 0;
 }
 
+/**
+ * Type enumerator
+ */
+typedef struct {
+	/** public interface */
+	enumerator_t public;
+	/** payload */
+	private_eap_payload_t *payload;
+	/** current offset in the data */
+	size_t offset;
+} type_enumerator_t;
+
+METHOD(enumerator_t, enumerate_types, bool,
+	type_enumerator_t *this, eap_type_t *type, u_int32_t *vendor)
+{
+	this->offset = extract_type(this->payload, this->offset, type, vendor);
+	return this->offset;
+}
+
+METHOD(eap_payload_t, get_types, enumerator_t*,
+	private_eap_payload_t *this)
+{
+	type_enumerator_t *enumerator;
+	eap_type_t type;
+	u_int32_t vendor;
+	size_t offset;
+
+	offset = extract_type(this, 4, &type, &vendor);
+	if (offset && type == EAP_NAK)
+	{
+		INIT(enumerator,
+			.public = {
+				.enumerate = (void*)_enumerate_types,
+				.destroy = (void*)free,
+			},
+			.payload = this,
+			.offset = offset,
+		);
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+METHOD(eap_payload_t, is_expanded, bool,
+	private_eap_payload_t *this)
+{
+	return this->data.len > 4 ? this->data.ptr[4] == EAP_EXPANDED : FALSE;
+}
+
 METHOD2(payload_t, eap_payload_t, destroy, void,
 	private_eap_payload_t *this)
 {
@@ -251,6 +325,7 @@ eap_payload_t *eap_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -262,10 +337,12 @@ eap_payload_t *eap_payload_create()
 			.get_code = _get_code,
 			.get_identifier = _get_identifier,
 			.get_type = _get_type,
+			.get_types = _get_types,
+			.is_expanded = _is_expanded,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = EAP_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
 	);
 	return &this->public;
 }
@@ -305,15 +382,81 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier)
 	return eap_payload_create_data(data);
 }
 
+/**
+ * Write the given type either expanded or not
+ */
+static void write_type(bio_writer_t *writer, eap_type_t type, u_int32_t vendor,
+					   bool expanded)
+{
+	if (expanded)
+	{
+		writer->write_uint8(writer, EAP_EXPANDED);
+		writer->write_uint24(writer, vendor);
+		writer->write_uint32(writer, type);
+	}
+	else
+	{
+		writer->write_uint8(writer, type);
+	}
+}
+
 /*
  * Described in header
  */
-eap_payload_t *eap_payload_create_nak(u_int8_t identifier)
+eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
+									  u_int32_t vendor, bool expanded)
 {
+	enumerator_t *enumerator;
+	eap_type_t reg_type;
+	u_int32_t reg_vendor;
+	bio_writer_t *writer;
 	chunk_t data;
+	bool added_any = FALSE, found_vendor = FALSE;
+	eap_payload_t *payload;
 
-	data = chunk_from_chars(EAP_RESPONSE, identifier, 0, 0, EAP_NAK);
-	htoun16(data.ptr + 2, data.len);
-	return eap_payload_create_data(data);
-}
+	writer = bio_writer_create(12);
+	writer->write_uint8(writer, EAP_RESPONSE);
+	writer->write_uint8(writer, identifier);
+	/* write zero length, we update it once we know the length */
+	writer->write_uint16(writer, 0);
 
+	write_type(writer, EAP_NAK, 0, expanded);
+
+	enumerator = charon->eap->create_enumerator(charon->eap, EAP_PEER);
+	while (enumerator->enumerate(enumerator, &reg_type, &reg_vendor))
+	{
+		if ((type && type != reg_type) ||
+			(type && vendor && vendor != reg_vendor))
+		{	/* the preferred type is only sent if we actually find it */
+			continue;
+		}
+		if (!reg_vendor || expanded)
+		{
+			write_type(writer, reg_type, reg_vendor, expanded);
+			added_any = TRUE;
+		}
+		else if (reg_vendor)
+		{	/* found vendor specifc method, but this is not an expanded Nak */
+			found_vendor = TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (found_vendor)
+	{	/* request an expanded authentication type */
+		write_type(writer, EAP_EXPANDED, 0, expanded);
+		added_any = TRUE;
+	}
+	if (!added_any)
+	{	/* no methods added */
+		write_type(writer, 0, 0, expanded);
+	}
+
+	/* set length */
+	data = writer->get_buf(writer);
+	htoun16(data.ptr + offsetof(eap_packet_t, length), data.len);
+
+	payload = eap_payload_create_data(data);
+	writer->destroy(writer);
+	return payload;
+}
diff --git a/src/libcharon/encoding/payloads/eap_payload.h b/src/libcharon/encoding/payloads/eap_payload.h
index 60d9c99d2..e8ed1c5e7 100644
--- a/src/libcharon/encoding/payloads/eap_payload.h
+++ b/src/libcharon/encoding/payloads/eap_payload.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,13 +26,8 @@
 typedef struct eap_payload_t eap_payload_t;
 
 #include <library.h>
+#include <eap/eap.h>
 #include <encoding/payloads/payload.h>
-#include <sa/authenticators/eap/eap_method.h>
-
-/**
- * Length of a EAP payload without the EAP Message in bytes.
- */
-#define EAP_PAYLOAD_HEADER_LENGTH 4
 
 /**
  * Class representing an IKEv2 EAP payload.
@@ -87,6 +83,21 @@ struct eap_payload_t {
 	eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);
 
 	/**
+	 * Enumerate the EAP method types contained in an EAP-Nak (i.e. get_type()
+	 * returns EAP_NAK).
+	 *
+	 * @return			enumerator over (eap_type_t type, u_int32_t vendor)
+	 */
+	enumerator_t* (*get_types) (eap_payload_t *this);
+
+	/**
+	 * Check if the EAP method type is encoded in the Expanded Type format.
+	 *
+	 * @return			TRUE if in Expanded Type format
+	 */
+	bool (*is_expanded) (eap_payload_t *this);
+
+	/**
 	 * Destroys an eap_payload_t object.
 	 */
 	void (*destroy) (eap_payload_t *this);
@@ -131,8 +142,12 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
  * Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK.
  *
  * @param identifier	EAP identifier to use in payload
+ * @param type			preferred auth type, 0 to send all supported types
+ * @param vendor		vendor identifier for auth type, 0 for default
+ * @param expanded		TRUE to send an expanded Nak
  * @return 				eap_payload_t object
  */
-eap_payload_t *eap_payload_create_nak(u_int8_t identifier);
+eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
+									  u_int32_t vendor, bool expanded);
 
 #endif /** EAP_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/encodings.c b/src/libcharon/encoding/payloads/encodings.c
index 85caeda82..62de81120 100644
--- a/src/libcharon/encoding/payloads/encodings.c
+++ b/src/libcharon/encoding/payloads/encodings.c
@@ -29,30 +29,14 @@ ENUM(encoding_type_names, U_INT_4, ENCRYPTED_DATA,
 	"HEADER_LENGTH",
 	"SPI_SIZE",
 	"SPI",
-	"KEY_EXCHANGE_DATA",
-	"NOTIFICATION_DATA",
-	"PROPOSALS",
-	"TRANSFORMS",
-	"TRANSFORM_ATTRIBUTES",
-	"CONFIGURATION_ATTRIBUTES",
-	"CONFIGURATION_ATTRIBUTE_VALUE",
 	"ATTRIBUTE_FORMAT",
 	"ATTRIBUTE_TYPE",
 	"ATTRIBUTE_LENGTH_OR_VALUE",
-	"CONFIGURATION_ATTRIBUTE_LENGTH",
+	"ATTRIBUTE_LENGTH",
 	"ATTRIBUTE_VALUE",
-	"TRAFFIC_SELECTORS",
 	"TS_TYPE",
 	"ADDRESS",
-	"NONCE_DATA",
-	"ID_DATA",
-	"AUTH_DATA",
-	"CERT_DATA",
-	"CERTREQ_DATA",
-	"EAP_DATA",
-	"SPIS",
-	"VID_DATA",
-	"UNKNOWN_DATA",
+	"CHUNK_DATA",
 	"IKE_SPI",
 	"ENCRYPTED_DATA",
 );
diff --git a/src/libcharon/encoding/payloads/encodings.h b/src/libcharon/encoding/payloads/encodings.h
index 52af4a984..54830bc8c 100644
--- a/src/libcharon/encoding/payloads/encodings.h
+++ b/src/libcharon/encoding/payloads/encodings.h
@@ -187,87 +187,6 @@ enum encoding_type_t {
 	SPI,
 
 	/**
-	 * Representating a Key Exchange Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	KEY_EXCHANGE_DATA,
-
-	/**
-	 * Representating a Notification field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - spi size - 8) bytes are read and written into the chunk pointing to.
-	 */
-	NOTIFICATION_DATA,
-
-	/**
-	 * Representating one or more proposal substructures.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the proposal_substructure_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed proposal_substructure_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	PROPOSALS,
-
-	/**
-	 * Representating one or more transform substructures.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the transform_substructure_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed transform_substructure_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	TRANSFORMS,
-
-	/**
-	 * Representating one or more Attributes of a transform substructure.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the transform_attribute_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed transform_attribute_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	TRANSFORM_ATTRIBUTES,
-
-	/**
-	 * Representating one or more Attributes of a configuration payload.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the configuration_attribute_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed configuration_attribute_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	CONFIGURATION_ATTRIBUTES,
-
-	/**
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	CONFIGURATION_ATTRIBUTE_VALUE,
-
-	/**
 	 * Representing a 1 Bit flag specifying the format of a transform attribute.
 	 *
 	 * When generation, the next bit is set to 1 if the associated value
@@ -279,6 +198,7 @@ enum encoding_type_t {
 	 * is moved 1 bit forward afterwards.
 	 */
 	ATTRIBUTE_FORMAT,
+
 	/**
 	 * Representing a 15 Bit unsigned int value used as attribute type
 	 * in an attribute transform.
@@ -321,7 +241,7 @@ enum encoding_type_t {
 	 * The value is written to the associated data struct.
 	 * The current read pointer is moved 16 bit forward afterwards.
 	 */
-	CONFIGURATION_ATTRIBUTE_LENGTH,
+	ATTRIBUTE_LENGTH,
 
 	/**
 	 * Depending on the field of type ATTRIBUTE_FORMAT
@@ -336,19 +256,6 @@ enum encoding_type_t {
 	ATTRIBUTE_VALUE,
 
 	/**
-	 * Representating one or more Traffic selectors of a TS payload.
-	 *
-	 * The offset points to a linked_list_t pointer.
-	 *
-	 * When generating the traffic_selector_substructure_t objects are stored
-	 * in the pointed linked_list.
-	 *
-	 * When parsing the parsed traffic_selector_substructure_t objects have
-	 * to be stored in the pointed linked_list.
-	 */
-	TRAFFIC_SELECTORS,
-
-	/**
 	 * Representating a Traffic selector type field.
 	 *
 	 * When generating it must be changed from host to network order.
@@ -375,94 +282,9 @@ enum encoding_type_t {
 	ADDRESS,
 
 	/**
-	 * Representating a Nonce Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+	 * Representing a variable length byte field.
 	 */
-	NONCE_DATA,
-
-	/**
-	 * Representating a ID Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	ID_DATA,
-
-	/**
-	 * Representating a AUTH Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	AUTH_DATA,
-
-	/**
-	 * Representating a CERT Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
-	 */
-	CERT_DATA,
-
-	/**
-	 * Representating a CERTREQ Data field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
-	 */
-	CERTREQ_DATA,
-
-	/**
-	 * Representating an EAP message field.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	EAP_DATA,
-
-	/**
-	 * Representating the SPIS field in a DELETE payload.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
-	 */
-	SPIS,
-
-	/**
-	 * Representating the VID DATA field in a VENDOR ID payload.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	VID_DATA,
-
-	/**
-	 * Representating the DATA of an unknown payload.
-	 *
-	 * When generating the content of the chunkt pointing to
-	 * is written.
-	 *
-	 * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
-	 */
-	UNKNOWN_DATA,
+	CHUNK_DATA,
 
 	/**
 	 * Representating an IKE_SPI field in an IKEv2 Header.
@@ -475,9 +297,20 @@ enum encoding_type_t {
 	IKE_SPI,
 
 	/**
-	 * Representing the encrypted data body of a encryption payload.
+	 * Representating an encrypted IKEv1 message.
 	 */
 	ENCRYPTED_DATA,
+
+	/**
+	 * Reprensenting a field containing a set of wrapped payloads.
+	 *
+	 * This type is not used directly, but as an offset to the wrapped payloads.
+	 * The type of the wrapped payload is added to this encoding type.
+	 *
+	 * @note As payload types are added to this encoding type, it has
+	 * to be the last in encoding_type_t.
+	 */
+	PAYLOAD_LIST = 1000 /* no comma, read above! */
 };
 
 /**
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
index e7b8063b7..6ba1b23a0 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2011 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -22,7 +23,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <encoding/generator.h>
 #include <encoding/parser.h>
 
@@ -71,6 +72,11 @@ struct private_encryption_payload_t {
 	 * Contained payloads
 	 */
 	linked_list_t *payloads;
+
+	/**
+	 * Type of payload, ENCRYPTED or ENCRYPTED_V1
+	 */
+	payload_type_t type;
 };
 
 /**
@@ -79,7 +85,7 @@ struct private_encryption_payload_t {
  * The defined offsets are the positions in a object of type
  * private_encryption_payload_t.
  */
-encoding_rule_t encryption_payload_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_encryption_payload_t, next_payload)	},
 	/* Critical and 7 reserved bits, all stored for reconstruction */
@@ -87,7 +93,7 @@ encoding_rule_t encryption_payload_encodings[] = {
 	/* Length of the whole encryption payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_encryption_payload_t, payload_length)	},
 	/* encrypted data, stored in a chunk. contains iv, data, padding */
-	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)		},
+	{ CHUNK_DATA,		offsetof(private_encryption_payload_t, encrypted)		},
 };
 
 /*
@@ -109,24 +115,59 @@ encoding_rule_t encryption_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
+/**
+ * Encoding rules to parse or generate a complete encrypted IKEv1 message.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_encryption_payload_t.
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* encrypted data, stored in a chunk */
+	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)		},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                    Encrypted IKE Payloads                     !
+      +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !               !             Padding (0-255 octets)            !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
 METHOD(payload_t, verify, status_t,
 	private_encryption_payload_t *this)
 {
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_encryption_payload_t *this, encoding_rule_t **rules,
-	size_t *count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_encryption_payload_t *this, encoding_rule_t **rules)
+{
+	if (this->type == ENCRYPTED)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_encryption_payload_t *this)
 {
-	*rules = encryption_payload_encodings;
-	*count = countof(encryption_payload_encodings);
+	if (this->type == ENCRYPTED)
+	{
+		return 4;
+	}
+	return 0;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_encryption_payload_t *this)
 {
-	return ENCRYPTED;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -138,7 +179,8 @@ METHOD(payload_t, get_next_type, payload_type_t,
 METHOD(payload_t, set_next_type, void,
 	private_encryption_payload_t *this, payload_type_t type)
 {
-	/* the next payload is set during add */
+	/* the next payload is set during add, still allow this for IKEv1 */
+	this->next_payload = type;
 }
 
 /**
@@ -174,7 +216,7 @@ static void compute_length(private_encryption_payload_t *this)
 			length += this->aead->get_icv_size(this->aead);
 		}
 	}
-	length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
+	length += get_header_length(this);
 	this->payload_length = length;
 }
 
@@ -266,7 +308,7 @@ static chunk_t append_header(private_encryption_payload_t *this, chunk_t assoc)
 	return chunk_cat("cc", assoc, chunk_from_thing(header));
 }
 
-METHOD(encryption_payload_t, encrypt, bool,
+METHOD(encryption_payload_t, encrypt, status_t,
 	private_encryption_payload_t *this, chunk_t assoc)
 {
 	chunk_t iv, plain, padding, icv, crypt;
@@ -277,14 +319,14 @@ METHOD(encryption_payload_t, encrypt, bool,
 	if (this->aead == NULL)
 	{
 		DBG1(DBG_ENC, "encrypting encryption payload failed, transform missing");
-		return FALSE;
+		return INVALID_STATE;
 	}
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
 		DBG1(DBG_ENC, "encrypting encryption payload failed, no RNG found");
-		return FALSE;
+		return NOT_SUPPORTED;
 	}
 
 	assoc = append_header(this, assoc);
@@ -314,8 +356,14 @@ METHOD(encryption_payload_t, encrypt, bool,
 	crypt = chunk_create(plain.ptr, plain.len + padding.len);
 	generator->destroy(generator);
 
-	rng->get_bytes(rng, iv.len, iv.ptr);
-	rng->get_bytes(rng, padding.len - 1, padding.ptr);
+	if (!rng->get_bytes(rng, iv.len, iv.ptr) ||
+		!rng->get_bytes(rng, padding.len - 1, padding.ptr))
+	{
+		DBG1(DBG_ENC, "encrypting encryption payload failed, no IV or padding");
+		rng->destroy(rng);
+		free(assoc.ptr);
+		return FAILED;
+	}
 	padding.ptr[padding.len - 1] = padding.len - 1;
 	rng->destroy(rng);
 
@@ -325,14 +373,60 @@ METHOD(encryption_payload_t, encrypt, bool,
 	DBG3(DBG_ENC, "padding %B", &padding);
 	DBG3(DBG_ENC, "assoc %B", &assoc);
 
-	this->aead->encrypt(this->aead, crypt, assoc, iv, NULL);
+	if (!this->aead->encrypt(this->aead, crypt, assoc, iv, NULL))
+	{
+		free(assoc.ptr);
+		return FAILED;
+	}
 
 	DBG3(DBG_ENC, "encrypted %B", &crypt);
 	DBG3(DBG_ENC, "ICV %B", &icv);
 
 	free(assoc.ptr);
 
-	return TRUE;
+	return SUCCESS;
+}
+
+METHOD(encryption_payload_t, encrypt_v1, status_t,
+	private_encryption_payload_t *this, chunk_t iv)
+{
+	generator_t *generator;
+	chunk_t plain, padding;
+	size_t bs;
+
+	if (this->aead == NULL)
+	{
+		DBG1(DBG_ENC, "encryption failed, transform missing");
+		return INVALID_STATE;
+	}
+
+	generator = generator_create();
+	plain = generate(this, generator);
+	bs = this->aead->get_block_size(this->aead);
+	padding.len = bs - (plain.len % bs);
+
+	/* prepare data to encrypt:
+	 * | plain | padding | */
+	free(this->encrypted.ptr);
+	this->encrypted = chunk_alloc(plain.len + padding.len);
+	memcpy(this->encrypted.ptr, plain.ptr, plain.len);
+	plain.ptr = this->encrypted.ptr;
+	padding.ptr = plain.ptr + plain.len;
+	memset(padding.ptr, 0, padding.len);
+	generator->destroy(generator);
+
+	DBG3(DBG_ENC, "encrypting payloads:");
+	DBG3(DBG_ENC, "plain %B", &plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+
+	if (!this->aead->encrypt(this->aead, this->encrypted, chunk_empty, iv, NULL))
+	{
+		return FAILED;
+	}
+
+	DBG3(DBG_ENC, "encrypted %B", &this->encrypted);
+
+	return SUCCESS;
 }
 
 /**
@@ -349,6 +443,13 @@ static status_t parse(private_encryption_payload_t *this, chunk_t plain)
 	{
 		payload_t *payload;
 
+		if (plain.len < 4 || untoh16(plain.ptr + 2) > plain.len)
+		{
+			DBG1(DBG_ENC, "invalid %N payload length, decryption failed?",
+				 payload_type_names, type);
+			parser->destroy(parser);
+			return PARSE_ERROR;
+		}
 		if (parser->parse_payload(parser, type, &payload) != SUCCESS)
 		{
 			parser->destroy(parser);
@@ -438,6 +539,36 @@ METHOD(encryption_payload_t, decrypt, status_t,
 	return parse(this, plain);
 }
 
+METHOD(encryption_payload_t, decrypt_v1, status_t,
+	private_encryption_payload_t *this, chunk_t iv)
+{
+	if (this->aead == NULL)
+	{
+		DBG1(DBG_ENC, "decryption failed, transform missing");
+		return INVALID_STATE;
+	}
+
+	/* data must be a multiple of block size */
+	if (iv.len != this->aead->get_block_size(this->aead) ||
+		this->encrypted.len < iv.len || this->encrypted.len % iv.len)
+	{
+		DBG1(DBG_ENC, "decryption failed, invalid length");
+		return FAILED;
+	}
+
+	DBG3(DBG_ENC, "decrypting payloads:");
+	DBG3(DBG_ENC, "encrypted %B", &this->encrypted);
+
+	if (!this->aead->decrypt(this->aead, this->encrypted, chunk_empty, iv, NULL))
+	{
+		return FAILED;
+	}
+
+	DBG3(DBG_ENC, "plain %B", &this->encrypted);
+
+	return parse(this, this->encrypted);
+}
+
 METHOD(encryption_payload_t, set_transform, void,
 	private_encryption_payload_t *this, aead_t* aead)
 {
@@ -455,7 +586,7 @@ METHOD2(payload_t, encryption_payload_t, destroy, void,
 /*
  * Described in header
  */
-encryption_payload_t *encryption_payload_create()
+encryption_payload_t *encryption_payload_create(payload_type_t type)
 {
 	private_encryption_payload_t *this;
 
@@ -464,6 +595,7 @@ encryption_payload_t *encryption_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -479,9 +611,16 @@ encryption_payload_t *encryption_payload_create()
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH,
 		.payloads = linked_list_create(),
+		.type = type,
 	);
+	this->payload_length = get_header_length(this);
+
+	if (type == ENCRYPTED_V1)
+	{
+		this->public.encrypt = _encrypt_v1;
+		this->public.decrypt = _decrypt_v1;
+	}
 
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h
index e99c42fb7..5c6069339 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.h
+++ b/src/libcharon/encoding/payloads/encryption_payload.h
@@ -30,11 +30,6 @@ typedef struct encryption_payload_t encryption_payload_t;
 #include <encoding/payloads/payload.h>
 
 /**
- * Encrpytion payload length in bytes without IV and following data.
- */
-#define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
-
-/**
  * The encryption payload as described in RFC section 3.14.
  */
 struct encryption_payload_t {
@@ -77,14 +72,18 @@ struct encryption_payload_t {
 	 * Generate, encrypt and sign contained payloads.
 	 *
 	 * @param assoc			associated data
-	 * @return				TRUE if encrypted
+	 * @return
+	 * 						- SUCCESS if encryption successful
+	 * 						- FAILED if encryption failed
+	 * 						- INVALID_STATE if aead not supplied, but needed
 	 */
-	bool (*encrypt) (encryption_payload_t *this, chunk_t assoc);
+	status_t (*encrypt) (encryption_payload_t *this, chunk_t assoc);
 
 	/**
 	 * Decrypt, verify and parse contained payloads.
 	 *
 	 * @param assoc			associated data
+	 * @return
 	 * 						- SUCCESS if parsing successful
 	 *						- PARSE_ERROR if sub-payload parsing failed
 	 * 						- VERIFY_ERROR if sub-payload verification failed
@@ -102,8 +101,9 @@ struct encryption_payload_t {
 /**
  * Creates an empty encryption_payload_t object.
  *
+ * @param type		ENCRYPTED or ENCRYPTED_V1
  * @return			encryption_payload_t object
  */
-encryption_payload_t *encryption_payload_create(void);
+encryption_payload_t *encryption_payload_create(payload_type_t type);
 
 #endif /** ENCRYPTION_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/endpoint_notify.c b/src/libcharon/encoding/payloads/endpoint_notify.c
index 1ead0a052..25fb42acd 100644
--- a/src/libcharon/encoding/payloads/endpoint_notify.c
+++ b/src/libcharon/encoding/payloads/endpoint_notify.c
@@ -227,7 +227,7 @@ METHOD(endpoint_notify_t, build_notify, notify_payload_t*,
 	chunk_t data;
 	notify_payload_t *notify;
 
-	notify = notify_payload_create();
+	notify = notify_payload_create(NOTIFY);
 	notify->set_notify_type(notify, ME_ENDPOINT);
 	data = build_notification_data(this);
 	notify->set_notification_data(notify, data);
diff --git a/src/libcharon/encoding/payloads/fragment_payload.c b/src/libcharon/encoding/payloads/fragment_payload.c
new file mode 100644
index 000000000..1a6b3234b
--- /dev/null
+++ b/src/libcharon/encoding/payloads/fragment_payload.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "fragment_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+/** Flag that is set in case the given fragment is the last for the message */
+#define LAST_FRAGMENT 0x01
+
+typedef struct private_fragment_payload_t private_fragment_payload_t;
+
+/**
+ * Private data of an fragment_payload_t object.
+ */
+struct private_fragment_payload_t {
+
+	/**
+	 * Public fragment_payload_t interface.
+	 */
+	fragment_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Reserved byte
+	 */
+	u_int8_t reserved;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * Fragment ID.
+	 */
+	u_int16_t fragment_id;
+
+	/**
+	 * Fragment number.
+	 */
+	u_int8_t fragment_number;
+
+	/**
+	 * Flags
+	 */
+	u_int8_t flags;
+
+	/**
+	 * The contained fragment data.
+	 */
+	chunk_t data;
+};
+
+/**
+ * Encoding rules for an IKEv1 fragment payload
+ */
+static encoding_rule_t encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_fragment_payload_t, next_payload)		},
+	{ RESERVED_BYTE,	offsetof(private_fragment_payload_t, reserved)			},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_fragment_payload_t, payload_length)	},
+	{ U_INT_16,			offsetof(private_fragment_payload_t, fragment_id)		},
+	{ U_INT_8,			offsetof(private_fragment_payload_t, fragment_number)	},
+	{ U_INT_8,			offsetof(private_fragment_payload_t, flags)				},
+	/* Fragment data is of variable size */
+	{ CHUNK_DATA,		offsetof(private_fragment_payload_t, data)				},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !    RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !         Fragment ID           !  Fragment Num !     Flags     !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       Fragment Data                           ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+METHOD(payload_t, verify, status_t,
+	private_fragment_payload_t *this)
+{
+	if (this->fragment_number == 0)
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(payload_t, get_encoding_rules, int,
+	private_fragment_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_fragment_payload_t *this)
+{
+	return 8;
+}
+
+METHOD(payload_t, get_type, payload_type_t,
+	private_fragment_payload_t *this)
+{
+	return FRAGMENT_V1;
+}
+
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_fragment_payload_t *this)
+{
+	return this->next_payload;
+}
+
+METHOD(payload_t, set_next_type, void,
+	private_fragment_payload_t *this, payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+METHOD(payload_t, get_length, size_t,
+	private_fragment_payload_t *this)
+{
+	return this->payload_length;
+}
+
+METHOD(fragment_payload_t, get_id, u_int16_t,
+	private_fragment_payload_t *this)
+{
+	return this->fragment_id;
+}
+
+METHOD(fragment_payload_t, get_number, u_int8_t,
+	private_fragment_payload_t *this)
+{
+	return this->fragment_number;
+}
+
+METHOD(fragment_payload_t, is_last, bool,
+	private_fragment_payload_t *this)
+{
+	return (this->flags & LAST_FRAGMENT) == LAST_FRAGMENT;
+}
+
+METHOD(fragment_payload_t, get_data, chunk_t,
+	private_fragment_payload_t *this)
+{
+	return this->data;
+}
+
+METHOD2(payload_t, fragment_payload_t, destroy, void,
+	private_fragment_payload_t *this)
+{
+	free(this->data.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+fragment_payload_t *fragment_payload_create()
+{
+	private_fragment_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_id = _get_id,
+			.get_number = _get_number,
+			.is_last = _is_last,
+			.get_data = _get_data,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+	);
+	this->payload_length = get_header_length(this);
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last,
+													  chunk_t data)
+{
+	private_fragment_payload_t *this;
+
+	this = (private_fragment_payload_t*)fragment_payload_create();
+	this->fragment_id = 1;
+	this->fragment_number = num;
+	this->flags |= (last ? LAST_FRAGMENT : 0);
+	this->data = chunk_clone(data);
+	this->payload_length = get_header_length(this) + data.len;
+	return &this->public;
+}
\ No newline at end of file
diff --git a/src/libcharon/encoding/payloads/fragment_payload.h b/src/libcharon/encoding/payloads/fragment_payload.h
new file mode 100644
index 000000000..a49cf32dd
--- /dev/null
+++ b/src/libcharon/encoding/payloads/fragment_payload.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fragment_payload fragment_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef FRAGMENT_PAYLOAD_H_
+#define FRAGMENT_PAYLOAD_H_
+
+typedef struct fragment_payload_t fragment_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Object representing an IKEv1 fragment payload.
+ */
+struct fragment_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Get the fragment ID. Identifies the fragments for a particular IKE
+	 * message.
+	 *
+	 * @return				fragment ID
+	 */
+	u_int16_t (*get_id)(fragment_payload_t *this);
+
+	/**
+	 * Get the fragment number. Defines the order of the fragments.
+	 *
+	 * @return				fragment number
+	 */
+	u_int8_t (*get_number)(fragment_payload_t *this);
+
+	/**
+	 * Check if this is the last fragment.
+	 *
+	 * @return				TRUE if this is the last fragment
+	 */
+	bool (*is_last)(fragment_payload_t *this);
+
+	/**
+	 * Get the fragment data.
+	 *
+	 * @return				chunkt to internal fragment data
+	 */
+	chunk_t (*get_data)(fragment_payload_t *this);
+
+	/**
+	 * Destroys an fragment_payload_t object.
+	 */
+	void (*destroy)(fragment_payload_t *this);
+};
+
+/**
+ * Creates an empty fragment_payload_t object.
+ *
+ * @return			fragment_payload_t object
+ */
+fragment_payload_t *fragment_payload_create();
+
+/**
+ * Creates a fragment payload from the given data.  All fragments currently
+ * have the same fragment ID (1), which seems what other implementations are
+ * doing.
+ *
+ * @param num		fragment number (first one should be 1)
+ * @param last		TRUE to indicate that this is the last fragment
+ * @param data		fragment data (gets cloned)
+ * @return			fragment_payload_t object
+ */
+fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last,
+													  chunk_t data);
+
+#endif /** FRAGMENT_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/hash_payload.c b/src/libcharon/encoding/payloads/hash_payload.c
new file mode 100644
index 000000000..0cf63ba67
--- /dev/null
+++ b/src/libcharon/encoding/payloads/hash_payload.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "hash_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+typedef struct private_hash_payload_t private_hash_payload_t;
+
+/**
+ * Private data of an hash_payload_t object.
+ */
+struct private_hash_payload_t {
+
+	/**
+	 * Public hash_payload_t interface.
+	 */
+	hash_payload_t public;
+
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t next_payload;
+
+	/**
+	 * Reserved byte
+	 */
+	u_int8_t reserved;
+
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+
+	/**
+	 * The contained hash value.
+	 */
+	chunk_t hash;
+
+	/**
+	 * either HASH_V1 or NAT_D_V1
+	 */
+	payload_type_t type;
+};
+
+/**
+ * Encoding rules for an IKEv1 hash payload
+ */
+static encoding_rule_t encodings[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_hash_payload_t, next_payload)		},
+	{ RESERVED_BYTE,	offsetof(private_hash_payload_t, reserved)			},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_hash_payload_t, payload_length)	},
+	/* Hash Data is from variable size */
+	{ CHUNK_DATA,		offsetof(private_hash_payload_t, hash)				},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !    RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       Hash Data                               ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+METHOD(payload_t, verify, status_t,
+	private_hash_payload_t *this)
+{
+	return SUCCESS;
+}
+
+METHOD(payload_t, get_encoding_rules, int,
+	private_hash_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_hash_payload_t *this)
+{
+	return 4;
+}
+
+METHOD(payload_t, get_type, payload_type_t,
+	private_hash_payload_t *this)
+{
+	return this->type;
+}
+
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_hash_payload_t *this)
+{
+	return this->next_payload;
+}
+
+METHOD(payload_t, set_next_type, void,
+	private_hash_payload_t *this, payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+METHOD(payload_t, get_length, size_t,
+	private_hash_payload_t *this)
+{
+	return this->payload_length;
+}
+
+METHOD(hash_payload_t, set_hash, void,
+	 private_hash_payload_t *this, chunk_t hash)
+{
+	free(this->hash.ptr);
+	this->hash = chunk_clone(hash);
+	this->payload_length = get_header_length(this) + hash.len;
+}
+
+METHOD(hash_payload_t, get_hash, chunk_t,
+	private_hash_payload_t *this)
+{
+	return this->hash;
+}
+
+METHOD2(payload_t, hash_payload_t, destroy, void,
+	private_hash_payload_t *this)
+{
+	free(this->hash.ptr);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+hash_payload_t *hash_payload_create(payload_type_t type)
+{
+	private_hash_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.set_hash = _set_hash,
+			.get_hash = _get_hash,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = get_header_length(this),
+		.type = type,
+	);
+	return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/hash_payload.h b/src/libcharon/encoding/payloads/hash_payload.h
new file mode 100644
index 000000000..cfe28460c
--- /dev/null
+++ b/src/libcharon/encoding/payloads/hash_payload.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hash_payload hash_payload
+ * @{ @ingroup payloads
+ */
+
+#ifndef HASH_PAYLOAD_H_
+#define HASH_PAYLOAD_H_
+
+typedef struct hash_payload_t hash_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Object representing an IKEv1 hash payload.
+ */
+struct hash_payload_t {
+
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * Set the hash value.
+	 *
+	 * @param hash			chunk containing the hash, will be cloned
+	 */
+	void (*set_hash) (hash_payload_t *this, chunk_t hash);
+
+	/**
+	 * Get the hash value.
+	 *
+	 * @return				chunkt to internal hash data
+	 */
+	chunk_t (*get_hash) (hash_payload_t *this);
+
+	/**
+	 * Destroys an hash_payload_t object.
+	 */
+	void (*destroy) (hash_payload_t *this);
+};
+
+/**
+ * Creates an empty hash_payload_t object.
+ *
+ * @param type		either HASH_V1 or NAT_D_V1
+ * @return			hash_payload_t object
+ */
+hash_payload_t *hash_payload_create(payload_type_t type);
+
+#endif /** HASH_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
index 3befadfe2..7470bb3b4 100644
--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -1,9 +1,8 @@
 /*
- * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2005-2011 Martin Willi
  * Copyright (C) 2010 revosec AG
- * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007-2011 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
- *
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -28,20 +27,15 @@ typedef struct private_id_payload_t private_id_payload_t;
 
 /**
  * Private data of an id_payload_t object.
- *
  */
 struct private_id_payload_t {
+
 	/**
 	 * Public id_payload_t interface.
 	 */
 	id_payload_t public;
 
 	/**
-	 * one of ID_INITIATOR, ID_RESPONDER
-	 */
-	payload_type_t payload_type;
-
-	/**
 	 * Next payload type.
 	 */
 	u_int8_t next_payload;
@@ -75,19 +69,31 @@ struct private_id_payload_t {
 	 * The contained id data value.
 	 */
 	chunk_t id_data;
+
+	/**
+	 * Tunneled protocol ID for IKEv1 quick modes.
+	 */
+	u_int8_t protocol_id;
+
+	/**
+	 * Tunneled port for IKEv1 quick modes.
+	 */
+	u_int16_t port;
+
+	/**
+	 * one of ID_INITIATOR, ID_RESPONDER, IDv1 and NAT_OA_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a ID payload
- *
- * The defined offsets are the positions in a object of type
- * private_id_payload_t.
+ * Encoding rules for an IKEv2 ID payload
  */
-encoding_rule_t id_payload_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_id_payload_t, next_payload) 	},
+	{ U_INT_8,			offsetof(private_id_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_id_payload_t, critical) 		},
+	{ FLAG,				offsetof(private_id_payload_t, critical)		},
 	/* 7 Bit reserved bits */
 	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[0])	},
 	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[1])	},
@@ -97,7 +103,7 @@ encoding_rule_t id_payload_encodings[] = {
 	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[5])	},
 	{ RESERVED_BIT,		offsetof(private_id_payload_t, reserved_bit[6])	},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_id_payload_t, payload_length) 	},
+	{ PAYLOAD_LENGTH,	offsetof(private_id_payload_t, payload_length)	},
 	/* 1 Byte ID type*/
 	{ U_INT_8,			offsetof(private_id_payload_t, id_type)			},
 	/* 3 reserved bytes */
@@ -105,7 +111,7 @@ encoding_rule_t id_payload_encodings[] = {
 	{ RESERVED_BYTE,	offsetof(private_id_payload_t, reserved_byte[1])},
 	{ RESERVED_BYTE,	offsetof(private_id_payload_t, reserved_byte[2])},
 	/* some id data bytes, length is defined in PAYLOAD_LENGTH */
-	{ ID_DATA,			offsetof(private_id_payload_t, id_data)			}
+	{ CHUNK_DATA,		offsetof(private_id_payload_t, id_data)			},
 };
 
 /*
@@ -122,29 +128,93 @@ encoding_rule_t id_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
+/**
+ * Encoding rules for an IKEv1 ID payload
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_id_payload_t, next_payload)	},
+	/* Reserved Byte is skipped */
+	{ RESERVED_BYTE,	offsetof(private_id_payload_t, reserved_byte[0])},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_id_payload_t, payload_length)	},
+	/* 1 Byte ID type*/
+	{ U_INT_8,			offsetof(private_id_payload_t, id_type)			},
+	{ U_INT_8,			offsetof(private_id_payload_t, protocol_id)		},
+	{ U_INT_16,			offsetof(private_id_payload_t, port)			},
+	/* some id data bytes, length is defined in PAYLOAD_LENGTH */
+	{ CHUNK_DATA,		offsetof(private_id_payload_t, id_data)			},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !    RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !   ID Type     ! Protocol ID   !           Port                |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                   Identification Data                         ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
 METHOD(payload_t, verify, status_t,
 	private_id_payload_t *this)
 {
-	if (this->id_type == 0 || this->id_type == 4)
+	bool bad_length = FALSE;
+
+	if ((this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1) &&
+		this->id_type != ID_IPV4_ADDR && this->id_type != ID_IPV6_ADDR)
+	{
+		DBG1(DBG_ENC, "invalid ID type %N for %N payload", id_type_names,
+			 this->id_type, payload_type_short_names, this->type);
+		return FAILED;
+	}
+	switch (this->id_type)
+	{
+		case ID_IPV4_ADDR_RANGE:
+		case ID_IPV4_ADDR_SUBNET:
+			bad_length = this->id_data.len != 8;
+			break;
+		case ID_IPV6_ADDR_RANGE:
+		case ID_IPV6_ADDR_SUBNET:
+			bad_length = this->id_data.len != 32;
+			break;
+	}
+	if (bad_length)
 	{
-		/* reserved IDs */
-		DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
+		DBG1(DBG_ENC, "invalid %N length (%d bytes)",
+			 id_type_names, this->id_type, this->id_data.len);
 		return FAILED;
 	}
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_id_payload_t *this, encoding_rule_t **rules)
+{
+	if (this->type == ID_V1 ||
+		this->type == NAT_OA_V1 || this->type == NAT_OA_DRAFT_00_03_V1)
+	{
+		*rules = encodings_v1;
+		return countof(encodings_v1);
+	}
+	*rules = encodings_v2;
+	return countof(encodings_v2);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_id_payload_t *this)
 {
-	*rules = id_payload_encodings;
-	*rule_count = countof(id_payload_encodings);
+	return 8;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_id_payload_t *this)
 {
-	return this->payload_type;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -171,6 +241,102 @@ METHOD(id_payload_t, get_identification, identification_t*,
 	return identification_create_from_encoding(this->id_type, this->id_data);
 }
 
+/**
+ * Create a traffic selector from an range ID
+ */
+static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
+											 ts_type_t type)
+{
+	return traffic_selector_create_from_bytes(this->protocol_id, type,
+		chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
+		chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
+}
+
+/**
+ * Create a traffic selector from an subnet ID
+ */
+static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+											  ts_type_t type)
+{
+	chunk_t net, netmask;
+	int i;
+
+	net = chunk_create(this->id_data.ptr, this->id_data.len / 2);
+	netmask = chunk_skip(this->id_data, this->id_data.len / 2);
+	for (i = 0; i < net.len; i++)
+	{
+		netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
+	}
+	return traffic_selector_create_from_bytes(this->protocol_id, type,
+								net, this->port, netmask, this->port ?: 65535);
+}
+
+/**
+ * Create a traffic selector from an IP ID
+ */
+static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
+										  ts_type_t type)
+{
+	return traffic_selector_create_from_bytes(this->protocol_id, type,
+				this->id_data, this->port, this->id_data, this->port ?: 65535);
+}
+
+METHOD(id_payload_t, get_ts, traffic_selector_t*,
+	private_id_payload_t *this)
+{
+	switch (this->id_type)
+	{
+		case ID_IPV4_ADDR_SUBNET:
+			if (this->id_data.len == 8)
+			{
+				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
+			}
+			break;
+		case ID_IPV6_ADDR_SUBNET:
+			if (this->id_data.len == 32)
+			{
+				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
+			}
+			break;
+		case ID_IPV4_ADDR_RANGE:
+			if (this->id_data.len == 8)
+			{
+				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
+			}
+			break;
+		case ID_IPV6_ADDR_RANGE:
+			if (this->id_data.len == 32)
+			{
+				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
+			}
+			break;
+		case ID_IPV4_ADDR:
+			if (this->id_data.len == 4)
+			{
+				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
+			}
+			break;
+		case ID_IPV6_ADDR:
+			if (this->id_data.len == 16)
+			{
+				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
+			}
+			break;
+		default:
+			break;
+	}
+	return NULL;
+}
+
+METHOD(id_payload_t, get_encoded, chunk_t,
+	private_id_payload_t *this)
+{
+	u_int16_t port = htons(this->port);
+	return chunk_cat("cccc", chunk_from_thing(this->id_type),
+					 chunk_from_thing(this->protocol_id),
+					 chunk_from_thing(port), this->id_data);
+}
+
 METHOD2(payload_t, id_payload_t, destroy, void,
 	private_id_payload_t *this)
 {
@@ -181,7 +347,7 @@ METHOD2(payload_t, id_payload_t, destroy, void,
 /*
  * Described in header.
  */
-id_payload_t *id_payload_create(payload_type_t payload_type)
+id_payload_t *id_payload_create(payload_type_t type)
 {
 	private_id_payload_t *this;
 
@@ -190,6 +356,7 @@ id_payload_t *id_payload_create(payload_type_t payload_type)
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -197,11 +364,13 @@ id_payload_t *id_payload_create(payload_type_t payload_type)
 				.destroy = _destroy,
 			},
 			.get_identification = _get_identification,
+			.get_encoded = _get_encoded,
+			.get_ts = _get_ts,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = ID_PAYLOAD_HEADER_LENGTH,
-		.payload_type = payload_type,
+		.payload_length = get_header_length(this),
+		.type = type,
 	);
 	return &this->public;
 }
@@ -209,15 +378,89 @@ id_payload_t *id_payload_create(payload_type_t payload_type)
 /*
  * Described in header.
  */
-id_payload_t *id_payload_create_from_identification(payload_type_t payload_type,
+id_payload_t *id_payload_create_from_identification(payload_type_t type,
 													identification_t *id)
 {
 	private_id_payload_t *this;
 
-	this = (private_id_payload_t*)id_payload_create(payload_type);
+	this = (private_id_payload_t*)id_payload_create(type);
 	this->id_data = chunk_clone(id->get_encoding(id));
 	this->id_type = id->get_type(id);
 	this->payload_length += this->id_data.len;
 
 	return &this->public;
 }
+
+/*
+ * Described in header.
+ */
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
+{
+	private_id_payload_t *this;
+	u_int8_t mask;
+	host_t *net;
+
+	this = (private_id_payload_t*)id_payload_create(ID_V1);
+
+	if (ts->is_host(ts, NULL))
+	{
+		if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE)
+		{
+			this->id_type = ID_IPV4_ADDR;
+		}
+		else
+		{
+			this->id_type = ID_IPV6_ADDR;
+		}
+		this->id_data = chunk_clone(ts->get_from_address(ts));
+	}
+	else if (ts->to_subnet(ts, &net, &mask))
+	{
+		u_int8_t netmask[16], len, byte;
+
+		if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE)
+		{
+			this->id_type = ID_IPV4_ADDR_SUBNET;
+			len = 4;
+		}
+		else
+		{
+			this->id_type = ID_IPV6_ADDR_SUBNET;
+			len = 16;
+		}
+		memset(netmask, 0, sizeof(netmask));
+		for (byte = 0; byte < sizeof(netmask); byte++)
+		{
+			if (mask < 8)
+			{
+				netmask[byte] = 0xFF << (8 - mask);
+				break;
+			}
+			netmask[byte] = 0xFF;
+			mask -= 8;
+		}
+		this->id_data = chunk_cat("cc", net->get_address(net),
+								  chunk_create(netmask, len));
+		net->destroy(net);
+	}
+	else
+	{
+		if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE)
+		{
+			this->id_type = ID_IPV4_ADDR_RANGE;
+		}
+		else
+		{
+			this->id_type = ID_IPV6_ADDR_RANGE;
+		}
+		this->id_data = chunk_cat("cc",
+							ts->get_from_address(ts), ts->get_to_address(ts));
+		net->destroy(net);
+	}
+	this->port = ts->get_from_port(ts);
+	this->protocol_id = ts->get_protocol(ts);
+	this->payload_length += this->id_data.len;
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
index 99831f85f..9a6249429 100644
--- a/src/libcharon/encoding/payloads/id_payload.h
+++ b/src/libcharon/encoding/payloads/id_payload.h
@@ -28,16 +28,10 @@ typedef struct id_payload_t id_payload_t;
 #include <library.h>
 #include <utils/identification.h>
 #include <encoding/payloads/payload.h>
+#include <selectors/traffic_selector.h>
 
 /**
- * Length of a id payload without the data in bytes.
- */
-#define ID_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Object representing an IKEv2 ID payload.
- *
- * The ID payload format is described in RFC section 3.5.
+ * Object representing an IKEv1 or an IKEv2 ID payload.
  */
 struct id_payload_t {
 
@@ -54,6 +48,20 @@ struct id_payload_t {
 	identification_t *(*get_identification) (id_payload_t *this);
 
 	/**
+	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
+	 *
+	 * @return				traffic selector, NULL on failure
+	 */
+	traffic_selector_t* (*get_ts)(id_payload_t *this);
+
+	/**
+	 * Get encoded payload without fixed payload header (used for IKEv1).
+	 *
+	 * @return				encoded payload (gets allocated)
+	 */
+	chunk_t (*get_encoded)(id_payload_t *this);
+
+	/**
 	 * Destroys an id_payload_t object.
 	 */
 	void (*destroy) (id_payload_t *this);
@@ -62,19 +70,27 @@ struct id_payload_t {
 /**
  * Creates an empty id_payload_t object.
  *
- * @param payload_type	one of ID_INITIATOR, ID_RESPONDER
- * @return				id_payload_t object
+ * @param type		one of ID_INITIATOR, ID_RESPONDER, ID_V1 and NAT_OA_V1
+ * @return			id_payload_t object
  */
-id_payload_t *id_payload_create(payload_type_t payload_type);
+id_payload_t *id_payload_create(payload_type_t type);
 
 /**
  * Creates an id_payload_t from an existing identification_t object.
  *
- * @param payload_type		one of ID_INITIATOR, ID_RESPONDER
- * @param identification	identification_t object
- * @return					id_payload_t object
+ * @param type		one of ID_INITIATOR, ID_RESPONDER, ID_V1 and NAT_OA_V1
+ * @param id		identification_t object
+ * @return			id_payload_t object
+ */
+id_payload_t *id_payload_create_from_identification(payload_type_t type,
+													identification_t *id);
+
+/**
+ * Create an IKEv1 ID_ADDR_SUBNET/RANGE identity from a traffic selector.
+ *
+ * @param ts		traffic selector
+ * @return			ID_V1 id_paylad_t object.
  */
-id_payload_t *id_payload_create_from_identification(payload_type_t payload_type,
-											identification_t *identification);
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
 
 #endif /** ID_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c
index 24d22f3a1..58b624192 100644
--- a/src/libcharon/encoding/payloads/ike_header.c
+++ b/src/libcharon/encoding/payloads/ike_header.c
@@ -81,12 +81,27 @@ struct private_ike_header_t {
 		 * TRUE, if this is a response, FALSE if its a Request.
 		 */
 		bool response;
+
+		/**
+		 * TRUE, if the packet is encrypted (IKEv1).
+		 */
+		bool encryption;
+
+		/**
+		 * TRUE, if the commit flag is set (IKEv1).
+		 */
+		bool commit;
+
+		/**
+		 * TRUE, if the auth only flag is set (IKEv1).
+		 */
+		bool authonly;
 	} flags;
 
 	/**
 	 * Reserved bits of IKE header
 	 */
-	bool reserved[5];
+	bool reserved[2];
 
 	/**
 	 * Associated Message-ID.
@@ -99,9 +114,15 @@ struct private_ike_header_t {
 	u_int32_t length;
 };
 
-ENUM_BEGIN(exchange_type_names, EXCHANGE_TYPE_UNDEFINED, EXCHANGE_TYPE_UNDEFINED,
-	"EXCHANGE_TYPE_UNDEFINED");
-ENUM_NEXT(exchange_type_names, IKE_SA_INIT, IKE_SESSION_RESUME, EXCHANGE_TYPE_UNDEFINED,
+ENUM_BEGIN(exchange_type_names, ID_PROT, TRANSACTION,
+	"ID_PROT",
+	"AUTH_ONLY",
+	"AGGRESSIVE",
+	"INFORMATIONAL_V1",
+	"TRANSACTION");
+ENUM_NEXT(exchange_type_names, QUICK_MODE, IKE_SESSION_RESUME, TRANSACTION,
+	"QUICK_MODE",
+	"NEW_GROUP_MODE",
 	"IKE_SA_INIT",
 	"IKE_AUTH",
 	"CREATE_CHILD_SA",
@@ -110,18 +131,23 @@ ENUM_NEXT(exchange_type_names, IKE_SA_INIT, IKE_SESSION_RESUME, EXCHANGE_TYPE_UN
 #ifdef ME
 ENUM_NEXT(exchange_type_names, ME_CONNECT, ME_CONNECT, IKE_SESSION_RESUME,
 	"ME_CONNECT");
-ENUM_END(exchange_type_names, ME_CONNECT);
+ENUM_NEXT(exchange_type_names, EXCHANGE_TYPE_UNDEFINED,
+							   EXCHANGE_TYPE_UNDEFINED, ME_CONNECT,
+	"EXCHANGE_TYPE_UNDEFINED");
 #else
-ENUM_END(exchange_type_names, IKE_SESSION_RESUME);
+ENUM_NEXT(exchange_type_names, EXCHANGE_TYPE_UNDEFINED,
+							   EXCHANGE_TYPE_UNDEFINED, IKE_SESSION_RESUME,
+	"EXCHANGE_TYPE_UNDEFINED");
 #endif /* ME */
+ENUM_END(exchange_type_names, EXCHANGE_TYPE_UNDEFINED);
 
 /**
- * Encoding rules to parse or generate a IKEv2-Header.
+ * Encoding rules to parse or generate a IKE-Header.
  *
  * The defined offsets are the positions in a object of type
  * ike_header_t.
  */
-encoding_rule_t ike_header_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 8 Byte SPI, stored in the field initiator_spi */
 	{ IKE_SPI,		offsetof(private_ike_header_t, initiator_spi)	},
 	/* 8 Byte SPI, stored in the field responder_spi */
@@ -137,22 +163,20 @@ encoding_rule_t ike_header_encodings[] = {
 	/* 2 Bit reserved bits */
 	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[0])		},
 	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[1])		},
-	/* 3 Bit flags, stored in the fields response, version and initiator */
+	/* 6 flags  */
 	{ FLAG,			offsetof(private_ike_header_t, flags.response)	},
 	{ FLAG,			offsetof(private_ike_header_t, flags.version)	},
 	{ FLAG,			offsetof(private_ike_header_t, flags.initiator)	},
-	/* 3 Bit reserved bits */
-	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[2])		},
-	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[3])		},
-	{ RESERVED_BIT,	offsetof(private_ike_header_t, reserved[4])		},
+	{ FLAG,			offsetof(private_ike_header_t, flags.authonly)	},
+	{ FLAG,			offsetof(private_ike_header_t, flags.commit)	},
+	{ FLAG,			offsetof(private_ike_header_t, flags.encryption)},
 	/* 4 Byte message id, stored in the field message_id */
 	{ U_INT_32,		offsetof(private_ike_header_t, message_id)		},
 	/* 4 Byte length fied, stored in the field length */
-	{ HEADER_LENGTH,offsetof(private_ike_header_t, length)			},
+	{ HEADER_LENGTH,	offsetof(private_ike_header_t, length)			}
 };
 
-
-/*                           1                   2                   3
+/*                         1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       !                       IKE_SA Initiator's SPI                  !
@@ -172,35 +196,67 @@ encoding_rule_t ike_header_encodings[] = {
 METHOD(payload_t, verify, status_t,
 	private_ike_header_t *this)
 {
-	if ((this->exchange_type < IKE_SA_INIT) ||
-		((this->exchange_type > INFORMATIONAL)
+	switch (this->exchange_type)
+	{
+		case ID_PROT:
+		case AGGRESSIVE:
+			if (this->message_id != 0)
+			{
+				return FAILED;
+			}
+			/* fall */
+		case AUTH_ONLY:
+		case INFORMATIONAL_V1:
+		case TRANSACTION:
+		case QUICK_MODE:
+		case NEW_GROUP_MODE:
+			if (this->maj_version != IKEV1_MAJOR_VERSION)
+			{
+				return FAILED;
+			}
+			break;
+		case IKE_SA_INIT:
+		case IKE_AUTH:
+		case CREATE_CHILD_SA:
+		case INFORMATIONAL:
+		case IKE_SESSION_RESUME:
 #ifdef ME
-			&& (this->exchange_type != ME_CONNECT)
+		case ME_CONNECT:
 #endif /* ME */
-		))
-	{
-		/* unsupported exchange type */
-		return FAILED;
+			if (this->maj_version != IKEV2_MAJOR_VERSION)
+			{
+				return FAILED;
+			}
+			break;
+		default:
+			/* unsupported exchange type */
+			return FAILED;
 	}
-	if (this->initiator_spi == 0
+	if (this->initiator_spi == 0)
+	{
 #ifdef ME
-		/* we allow zero spi for INFORMATIONAL exchanges,
-		 * to allow connectivity checks */
-		&& this->exchange_type != INFORMATIONAL
+		if (this->exchange_type != INFORMATIONAL)
+			/* we allow zero spi for INFORMATIONAL exchanges,
+			 * to allow connectivity checks */
 #endif /* ME */
-		)
-	{
-		/* initiator spi not set */
-		return FAILED;
+		{
+			return FAILED;
+		}
 	}
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_ike_header_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_ike_header_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_ike_header_t *this)
 {
-	*rules = ike_header_encodings;
-	*rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t);
+	return IKE_HEADER_LENGTH;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
@@ -311,6 +367,43 @@ METHOD(ike_header_t, set_initiator_flag, void,
 	this->flags.initiator = initiator;
 }
 
+METHOD(ike_header_t, get_encryption_flag, bool,
+	private_ike_header_t *this)
+{
+	return this->flags.encryption;
+}
+
+METHOD(ike_header_t, set_encryption_flag, void,
+	private_ike_header_t *this, bool encryption)
+{
+	this->flags.encryption = encryption;
+}
+
+
+METHOD(ike_header_t, get_commit_flag, bool,
+	private_ike_header_t *this)
+{
+	return this->flags.commit;
+}
+
+METHOD(ike_header_t, set_commit_flag, void,
+	private_ike_header_t *this, bool commit)
+{
+	this->flags.commit = commit;
+}
+
+METHOD(ike_header_t, get_authonly_flag, bool,
+	private_ike_header_t *this)
+{
+	return this->flags.authonly;
+}
+
+METHOD(ike_header_t, set_authonly_flag, void,
+	private_ike_header_t *this, bool authonly)
+{
+	this->flags.authonly = authonly;
+}
+
 METHOD(ike_header_t, get_exchange_type, u_int8_t,
 	private_ike_header_t *this)
 {
@@ -353,6 +446,7 @@ ike_header_t *ike_header_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -373,21 +467,38 @@ ike_header_t *ike_header_create()
 			.set_version_flag = _set_version_flag,
 			.get_initiator_flag = _get_initiator_flag,
 			.set_initiator_flag = _set_initiator_flag,
+			.get_encryption_flag = _get_encryption_flag,
+			.set_encryption_flag = _set_encryption_flag,
+			.get_commit_flag = _get_commit_flag,
+			.set_commit_flag = _set_commit_flag,
+			.get_authonly_flag = _get_authonly_flag,
+			.set_authonly_flag = _set_authonly_flag,
 			.get_exchange_type = _get_exchange_type,
 			.set_exchange_type = _set_exchange_type,
 			.get_message_id = _get_message_id,
 			.set_message_id = _set_message_id,
 			.destroy = _destroy,
 		},
-		.maj_version = IKE_MAJOR_VERSION,
-		.min_version = IKE_MINOR_VERSION,
-		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
-		.flags = {
-			.initiator = TRUE,
-			.version = HIGHER_VERSION_SUPPORTED_FLAG,
-		},
 		.length = IKE_HEADER_LENGTH,
+		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
 	);
 
 	return &this->public;
 }
+
+/*
+ * Described in header.
+ */
+ike_header_t *ike_header_create_version(int major, int minor)
+{
+	ike_header_t *this = ike_header_create();
+
+	this->set_maj_version(this, major);
+	this->set_min_version(this, minor);
+	if (major == IKEV2_MAJOR_VERSION)
+	{
+		this->set_initiator_flag(this, TRUE);
+	}
+	return this;
+}
+
diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h
index 5579a4961..d9a44dd0c 100644
--- a/src/libcharon/encoding/payloads/ike_header.h
+++ b/src/libcharon/encoding/payloads/ike_header.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2011 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -30,19 +30,24 @@ typedef struct ike_header_t ike_header_t;
 #include <encoding/payloads/payload.h>
 
 /**
- * Major Version of IKEv2.
+ * Major Version of IKEv1 we implement.
  */
-#define IKE_MAJOR_VERSION 2
+#define IKEV1_MAJOR_VERSION 1
 
 /**
- * Minor Version of IKEv2.
+ * Minor Version of IKEv1 we implement.
  */
-#define IKE_MINOR_VERSION 0
+#define IKEV1_MINOR_VERSION 0
 
 /**
- * Flag in IKEv2-Header. Always 0.
+ * Major Version of IKEv2 we implement.
  */
-#define HIGHER_VERSION_SUPPORTED_FLAG 0
+#define IKEV2_MAJOR_VERSION 2
+
+/**
+ * Minor Version of IKEv2 we implement.
+ */
+#define IKEV2_MINOR_VERSION 0
 
 /**
  * Length of IKE Header in Bytes.
@@ -57,9 +62,39 @@ typedef struct ike_header_t ike_header_t;
 enum exchange_type_t{
 
 	/**
-	 * EXCHANGE_TYPE_UNDEFINED. In private space, since not a official message type.
+	 * Identity Protection (Main mode).
 	 */
-	EXCHANGE_TYPE_UNDEFINED = 255,
+	ID_PROT = 2,
+
+	/**
+	 * Authentication Only.
+	 */
+	AUTH_ONLY = 3,
+
+	/**
+	 * Aggressive (Aggressive mode)
+	 */
+	AGGRESSIVE = 4,
+
+	/**
+	 * Informational in IKEv1
+	 */
+	INFORMATIONAL_V1 = 5,
+
+	/**
+	 * Transaction (ISAKMP Cfg Mode "draft-ietf-ipsec-isakmp-mode-cfg-05")
+	 */
+	TRANSACTION = 6,
+
+	/**
+	 * Quick Mode
+	 */
+	QUICK_MODE = 32,
+
+	/**
+	 * New Group Mode
+	 */
+	NEW_GROUP_MODE = 33,
 
 	/**
 	 * IKE_SA_INIT.
@@ -77,7 +112,7 @@ enum exchange_type_t{
 	CREATE_CHILD_SA = 36,
 
 	/**
-	 * INFORMATIONAL.
+	 * INFORMATIONAL in IKEv2.
 	 */
 	INFORMATIONAL = 37,
 
@@ -85,12 +120,18 @@ enum exchange_type_t{
 	 * IKE_SESSION_RESUME (RFC 5723).
 	 */
 	IKE_SESSION_RESUME = 38,
+
 #ifdef ME
 	/**
 	 * ME_CONNECT
 	 */
-	ME_CONNECT = 240
+	ME_CONNECT = 240,
 #endif /* ME */
+
+	/**
+	 * Undefined exchange type, in private space.
+	 */
+	EXCHANGE_TYPE_UNDEFINED = 255,
 };
 
 /**
@@ -99,12 +140,7 @@ enum exchange_type_t{
 extern enum_name_t *exchange_type_names;
 
 /**
- * An object of this type represents an IKEv2 header and is used to
- * generate and parse IKEv2 headers.
- *
- * The header format of an IKEv2-Message is compatible to the
- * ISAKMP-Header format to allow implementations supporting
- * both versions of the IKE-protocol.
+ * An object of this type represents an IKE header of either IKEv1 or IKEv2.
  */
 struct ike_header_t {
 	/**
@@ -115,7 +151,7 @@ struct ike_header_t {
 	/**
 	 * Get the initiator spi.
 	 *
-	 * @return 				initiator_spi
+	 * @return				initiator_spi
 	 */
 	u_int64_t (*get_initiator_spi) (ike_header_t *this);
 
@@ -129,7 +165,7 @@ struct ike_header_t {
 	/**
 	 * Get the responder spi.
 	 *
-	 * @return 				responder_spi
+	 * @return				responder_spi
 	 */
 	u_int64_t (*get_responder_spi) (ike_header_t *this);
 
@@ -143,7 +179,7 @@ struct ike_header_t {
 	/**
 	 * Get the major version.
 	 *
-	 * @return 				major version
+	 * @return				major version
 	 */
 	u_int8_t (*get_maj_version) (ike_header_t *this);
 
@@ -157,7 +193,7 @@ struct ike_header_t {
 	/**
 	 * Get the minor version.
 	 *
-	 * @return 				minor version
+	 * @return				minor version
 	 */
 	u_int8_t (*get_min_version) (ike_header_t *this);
 
@@ -171,7 +207,7 @@ struct ike_header_t {
 	/**
 	 * Get the response flag.
 	 *
-	 * @return 				response flag
+	 * @return				response flag
 	 */
 	bool (*get_response_flag) (ike_header_t *this);
 
@@ -185,7 +221,7 @@ struct ike_header_t {
 	/**
 	 * Get "higher version supported"-flag.
 	 *
-	 * @return 				version flag
+	 * @return				version flag
 	 */
 	bool (*get_version_flag) (ike_header_t *this);
 
@@ -199,7 +235,7 @@ struct ike_header_t {
 	/**
 	 * Get the initiator flag.
 	 *
-	 * @return 				initiator flag
+	 * @return				initiator flag
 	 */
 	bool (*get_initiator_flag) (ike_header_t *this);
 
@@ -211,9 +247,51 @@ struct ike_header_t {
 	void (*set_initiator_flag) (ike_header_t *this, bool initiator);
 
 	/**
+	 * Get the encryption flag.
+	 *
+	 * @return				encryption flag
+	 */
+	bool (*get_encryption_flag) (ike_header_t *this);
+
+	/**
+	 * Set the encryption flag.
+	 *
+	 * @param encryption		encryption flag
+	 */
+	void (*set_encryption_flag) (ike_header_t *this, bool encryption);
+
+	/**
+	 * Get the commit flag.
+	 *
+	 * @return				commit flag
+	 */
+	bool (*get_commit_flag) (ike_header_t *this);
+
+	/**
+	 * Set the commit flag.
+	 *
+	 * @param commit		commit flag
+	 */
+	void (*set_commit_flag) (ike_header_t *this, bool commit);
+
+	/**
+	 * Get the authentication only flag.
+	 *
+	 * @return				authonly flag
+	 */
+	bool (*get_authonly_flag) (ike_header_t *this);
+
+	/**
+	 * Set the authentication only flag.
+	 *
+	 * @param authonly		authonly flag
+	 */
+	void (*set_authonly_flag) (ike_header_t *this, bool authonly);
+
+	/**
 	 * Get the exchange type.
 	 *
-	 * @return 				exchange type
+	 * @return				exchange type
 	 */
 	u_int8_t (*get_exchange_type) (ike_header_t *this);
 
@@ -227,7 +305,7 @@ struct ike_header_t {
 	/**
 	 * Get the message id.
 	 *
-	 * @return 				message id
+	 * @return				message id
 	 */
 	u_int32_t (*get_message_id) (ike_header_t *this);
 
@@ -245,10 +323,17 @@ struct ike_header_t {
 };
 
 /**
- * Create an ike_header_t object
+ * Create an empty ike_header_t object.
  *
  * @return ike_header_t object
  */
 ike_header_t *ike_header_create(void);
 
+/**
+ * Create an ike_header_t object for a specific major/minor version
+ *
+ * @return ike_header_t object
+ */
+ike_header_t *ike_header_create_version(int major, int minor);
+
 #endif /** IKE_HEADER_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c
index 999d73192..438ea46b9 100644
--- a/src/libcharon/encoding/payloads/ke_payload.c
+++ b/src/libcharon/encoding/payloads/ke_payload.c
@@ -67,15 +67,17 @@ struct private_ke_payload_t {
 	 * Key Exchange Data of this KE payload.
 	 */
 	chunk_t key_exchange_data;
+
+	/**
+	 * Payload type, KEY_EXCHANGE or KEY_EXCHANGE_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a IKEv2-KE Payload.
- *
- * The defined offsets are the positions in a object of type
- * private_ke_payload_t.
+ * Encoding rules for IKEv2 key exchange payload.
  */
-encoding_rule_t ke_payload_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,				offsetof(private_ke_payload_t, next_payload)	},
 	/* the critical bit */
@@ -96,7 +98,7 @@ encoding_rule_t ke_payload_encodings[] = {
 	{ RESERVED_BYTE,		offsetof(private_ke_payload_t, reserved_byte[0])},
 	{ RESERVED_BYTE,		offsetof(private_ke_payload_t, reserved_byte[1])},
 	/* Key Exchange Data is from variable size */
-	{ KEY_EXCHANGE_DATA,	offsetof(private_ke_payload_t, key_exchange_data)}
+	{ CHUNK_DATA,			offsetof(private_ke_payload_t, key_exchange_data)},
 };
 
 /*
@@ -113,23 +115,62 @@ encoding_rule_t ke_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
+static encoding_rule_t encodings_v1[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,				offsetof(private_ke_payload_t, next_payload) 	},
+	/* Reserved Byte */
+	{ RESERVED_BYTE,		offsetof(private_ke_payload_t, reserved_byte[0])},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,		offsetof(private_ke_payload_t, payload_length)	},
+	/* Key Exchange Data is from variable size */
+	{ CHUNK_DATA,			offsetof(private_ke_payload_t, key_exchange_data)},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !    RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       Key Exchange Data                       ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+
 METHOD(payload_t, verify, status_t,
 	private_ke_payload_t *this)
 {
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_ke_payload_t *this, encoding_rule_t **rules)
+{
+	if (this->type == KEY_EXCHANGE)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_ke_payload_t *this)
 {
-	*rules = ke_payload_encodings;
-	*rule_count = countof(ke_payload_encodings);
+	if (this->type == KEY_EXCHANGE)
+	{
+		return 8;
+	}
+	return 4;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_ke_payload_t *this)
 {
-	return KEY_EXCHANGE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -172,7 +213,7 @@ METHOD2(payload_t, ke_payload_t, destroy, void,
 /*
  * Described in header
  */
-ke_payload_t *ke_payload_create()
+ke_payload_t *ke_payload_create(payload_type_t type)
 {
 	private_ke_payload_t *this;
 
@@ -181,6 +222,7 @@ ke_payload_t *ke_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -192,22 +234,24 @@ ke_payload_t *ke_payload_create()
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = KE_PAYLOAD_HEADER_LENGTH,
 		.dh_group_number = MODP_NONE,
+		.type = type,
 	);
+	this->payload_length = get_header_length(this);
 	return &this->public;
 }
 
 /*
  * Described in header
  */
-ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh)
+ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type,
+													diffie_hellman_t *dh)
 {
-	private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create();
+	private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create(type);
 
 	dh->get_my_public_value(dh, &this->key_exchange_data);
 	this->dh_group_number = dh->get_dh_group(dh);
-	this->payload_length = this->key_exchange_data.len + KE_PAYLOAD_HEADER_LENGTH;
+	this->payload_length += this->key_exchange_data.len;
 
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
index 65cc11883..d3aa18484 100644
--- a/src/libcharon/encoding/payloads/ke_payload.h
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -27,20 +27,14 @@ typedef struct ke_payload_t ke_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/transform_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/diffie_hellman.h>
 
 /**
- * KE payload length in bytes without any key exchange data.
- */
-#define KE_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2-KE Payload.
- *
- * The KE Payload format is described in RFC section 3.4.
+ * Class representing an IKEv1 or IKEv2 key exchange payload.
  */
 struct ke_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
@@ -54,32 +48,34 @@ struct ke_payload_t {
 	chunk_t (*get_key_exchange_data) (ke_payload_t *this);
 
 	/**
-	 * Gets the Diffie-Hellman Group Number of this KE payload.
+	 * Gets the Diffie-Hellman Group Number of this KE payload (IKEv2 only).
 	 *
 	 * @return 					DH Group Number of this payload
 	 */
 	diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this);
 
 	/**
-	 * Destroys an ke_payload_t object.
+	 * Destroys a ke_payload_t object.
 	 */
 	void (*destroy) (ke_payload_t *this);
 };
 
 /**
- * Creates an empty ke_payload_t object
+ * Creates an empty ke_payload_t object.
  *
- * @return ke_payload_t object
+ * @param type		KEY_EXCHANGE or KEY_EXCHANGE_V1
+ * @return			ke_payload_t object
  */
-ke_payload_t *ke_payload_create(void);
+ke_payload_t *ke_payload_create(payload_type_t type);
 
 /**
- * Creates a ke_payload_t from a diffie_hellman_t
+ * Creates a ke_payload_t from a diffie_hellman_t.
  *
- * @param diffie_hellman	diffie hellman object containing group and key
- * @return 					ke_payload_t object
+ * @param type		KEY_EXCHANGE or KEY_EXCHANGE_V1
+ * @param dh		diffie hellman object containing group and key
+ * @return 			ke_payload_t object
  */
-ke_payload_t *ke_payload_create_from_diffie_hellman(
-											diffie_hellman_t *diffie_hellman);
+ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type,
+													diffie_hellman_t *dh);
 
 #endif /** KE_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c
index 78000b8c6..3c5eeb535 100644
--- a/src/libcharon/encoding/payloads/nonce_payload.c
+++ b/src/libcharon/encoding/payloads/nonce_payload.c
@@ -19,6 +19,7 @@
 
 #include "nonce_payload.h"
 
+#include <daemon.h>
 #include <encoding/payloads/encodings.h>
 
 typedef struct private_nonce_payload_t private_nonce_payload_t;
@@ -57,6 +58,11 @@ struct private_nonce_payload_t {
 	 * The contained nonce value.
 	 */
 	chunk_t nonce;
+
+	/**
+	 * Payload type, NONCE or NONCE_V1
+	 */
+	payload_type_t type;
 };
 
 /**
@@ -65,7 +71,7 @@ struct private_nonce_payload_t {
  * The defined offsets are the positions in a object of type
  * private_nonce_payload_t.
  */
-encoding_rule_t nonce_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_nonce_payload_t, next_payload)		},
 	/* the critical bit */
@@ -81,7 +87,7 @@ encoding_rule_t nonce_payload_encodings[] = {
 	/* Length of the whole nonce payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_nonce_payload_t, payload_length)	},
 	/* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */
-	{ NONCE_DATA,		offsetof(private_nonce_payload_t, nonce)			},
+	{ CHUNK_DATA,		offsetof(private_nonce_payload_t, nonce)			},
 };
 
 /*                           1                   2                   3
@@ -98,24 +104,48 @@ encoding_rule_t nonce_payload_encodings[] = {
 METHOD(payload_t, verify, status_t,
 	private_nonce_payload_t *this)
 {
-	if (this->nonce.len < 16 || this->nonce.len > 256)
+	bool bad_length = FALSE;
+
+	if (this->nonce.len > 256)
+	{
+		bad_length = TRUE;
+	}
+	if (this->type == NONCE &&
+		this->nonce.len < 16)
+	{
+		bad_length = TRUE;
+	}
+	if (this->type == NONCE_V1 &&
+		this->nonce.len < 8)
+	{
+		bad_length = TRUE;
+	}
+	if (bad_length)
 	{
+		DBG1(DBG_ENC, "%N payload has invalid length (%d bytes)",
+			 payload_type_names, this->type, this->nonce.len);
 		return FAILED;
 	}
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_nonce_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_nonce_payload_t *this)
 {
-	*rules = nonce_payload_encodings;
-	*rule_count = countof(nonce_payload_encodings);
+	return 4;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_nonce_payload_t *this)
 {
-	return NONCE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -140,7 +170,7 @@ METHOD(nonce_payload_t, set_nonce, void,
 	 private_nonce_payload_t *this, chunk_t nonce)
 {
 	this->nonce = chunk_clone(nonce);
-	this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len;
+	this->payload_length = get_header_length(this) + nonce.len;
 }
 
 METHOD(nonce_payload_t, get_nonce, chunk_t,
@@ -159,7 +189,7 @@ METHOD2(payload_t, nonce_payload_t, destroy, void,
 /*
  * Described in header
  */
-nonce_payload_t *nonce_payload_create()
+nonce_payload_t *nonce_payload_create(payload_type_t type)
 {
 	private_nonce_payload_t *this;
 
@@ -168,6 +198,7 @@ nonce_payload_t *nonce_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -179,7 +210,8 @@ nonce_payload_t *nonce_payload_create()
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = NONCE_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
+		.type = type,
 	);
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/nonce_payload.h b/src/libcharon/encoding/payloads/nonce_payload.h
index e9212202e..5c47f5f9f 100644
--- a/src/libcharon/encoding/payloads/nonce_payload.h
+++ b/src/libcharon/encoding/payloads/nonce_payload.h
@@ -33,14 +33,7 @@ typedef struct nonce_payload_t nonce_payload_t;
 #define NONCE_SIZE 32
 
 /**
- * Length of a nonce payload without a nonce in bytes.
- */
-#define NONCE_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Object representing an IKEv2 Nonce payload.
- *
- * The Nonce payload format is described in RFC section 3.3.
+ * Object representing an IKEv1/IKEv2 Nonce payload.
  */
 struct nonce_payload_t {
 	/**
@@ -71,8 +64,9 @@ struct nonce_payload_t {
 /**
  * Creates an empty nonce_payload_t object
  *
- * @return nonce_payload_t object
+ * @param type		NONCE or NONCE_V1
+ * @return			nonce_payload_t object
  */
-nonce_payload_t *nonce_payload_create(void);
+nonce_payload_t *nonce_payload_create(payload_type_t type);
 
 #endif /** NONCE_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index e03d1af67..f7a13d728 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -36,11 +36,18 @@ ENUM_NEXT(notify_type_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYN
 	"INVALID_MESSAGE_ID");
 ENUM_NEXT(notify_type_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
 	"INVALID_SPI");
-ENUM_NEXT(notify_type_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+ENUM_NEXT(notify_type_names, ATTRIBUTES_NOT_SUPPORTED, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+	"ATTRIBUTES_NOT_SUPPORTED",
 	"NO_PROPOSAL_CHOSEN");
-ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
-	"INVALID_KE_PAYLOAD");
-ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
+ENUM_NEXT(notify_type_names, PAYLOAD_MALFORMED, AUTHENTICATION_FAILED, NO_PROPOSAL_CHOSEN,
+	"PAYLOAD_MALFORMED",
+	"INVALID_KE_PAYLOAD",
+	"INVALID_ID_INFORMATION",
+	"INVALID_CERT_ENCODING",
+	"INVALID_CERTIFICATE",
+	"CERT_TYPE_UNSUPPORTED",
+	"INVALID_CERT_AUTHORITY",
+	"INVALID_HASH_INFORMATION",
 	"AUTHENTICATION_FAILED");
 ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR_REQUIRED",
@@ -58,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
 	"ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -101,8 +108,16 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
 	"IPSEC_REPLAY_COUNTER_SYNC",
 	"SECURE PASSWORD_METHOD",
 	"PSK_PERSIST",
-	"PSK_CONFIRM");
-ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, PSK_CONFIRM,
+	"PSK_CONFIRM",
+	"ERX_SUPPORTED");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
+	"INITIAL_CONTACT");
+ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
+	"DPD_R_U_THERE",
+	"DPD_R_U_THERE_ACK");
+ENUM_NEXT(notify_type_names, UNITY_LOAD_BALANCE, UNITY_LOAD_BALANCE, DPD_R_U_THERE_ACK,
+	"UNITY_LOAD_BALANCE");
+ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, UNITY_LOAD_BALANCE,
 	"USE_BEET_MODE");
 ENUM_NEXT(notify_type_names, ME_MEDIATION, RADIUS_ATTRIBUTE, USE_BEET_MODE,
 	"ME_MEDIATION",
@@ -127,11 +142,18 @@ ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVAL
 	"INVAL_MID");
 ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
 	"INVAL_SPI");
-ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+ENUM_NEXT(notify_type_short_names, ATTRIBUTES_NOT_SUPPORTED, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+	"ATTR_UNSUP",
 	"NO_PROP");
-ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
-	"INVAL_KE");
-ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
+ENUM_NEXT(notify_type_short_names, PAYLOAD_MALFORMED, AUTHENTICATION_FAILED, NO_PROPOSAL_CHOSEN,
+	"PLD_MAL",
+	"INVAL_KE",
+	"INVAL_ID",
+	"INVAL_CERTEN",
+	"INVAL_CERT",
+	"CERT_UNSUP",
+	"INVAL_CA",
+	"INVAL_HASH",
 	"AUTH_FAILED");
 ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR",
@@ -149,7 +171,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
 	"ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -192,8 +214,16 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATU
 	"RPL_CTR_SYN",
 	"SEC_PASSWD",
 	"PSK_PST",
-	"PSK_CFM");
-ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, PSK_CONFIRM,
+	"PSK_CFM",
+	"ERX_SUP");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
+	"INITIAL_CONTACT");
+ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
+	"DPD",
+	"DPD_ACK");
+ENUM_NEXT(notify_type_short_names, UNITY_LOAD_BALANCE, UNITY_LOAD_BALANCE, DPD_R_U_THERE_ACK,
+	"UNITY_LB");
+ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, UNITY_LOAD_BALANCE,
 	"BEET_MODE");
 ENUM_NEXT(notify_type_short_names, ME_MEDIATION, RADIUS_ATTRIBUTE, USE_BEET_MODE,
 	"ME_MED",
@@ -232,7 +262,7 @@ struct private_notify_payload_t {
 	/**
 	 * reserved bits
 	 */
-	bool reserved[7];
+	bool reserved[8];
 
 	/**
 	 * Length of this payload.
@@ -240,6 +270,11 @@ struct private_notify_payload_t {
 	u_int16_t payload_length;
 
 	/**
+	 * Domain of interpretation, IKEv1 only.
+	 */
+	u_int32_t doi;
+
+	/**
 	 * Protocol id.
 	 */
 	u_int8_t protocol_id;
@@ -262,40 +297,42 @@ struct private_notify_payload_t {
 	/**
 	 * Notification data.
 	 */
-	chunk_t notification_data;
+	chunk_t notify_data;
+
+	/**
+	 * Type of payload, NOTIFY or NOTIFY_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a IKEv2-Notify Payload.
- *
- * The defined offsets are the positions in a object of type
- * private_notify_payload_t.
+ * Encoding rules for an IKEv2 notification payload
  */
-encoding_rule_t notify_payload_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload)		},
+	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload)	},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_notify_payload_t, critical)			},
+	{ FLAG,				offsetof(private_notify_payload_t, critical)		},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[0])			},
-	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[1])			},
-	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[2])			},
-	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[3])			},
-	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[4])			},
-	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[5])			},
-	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[6])			},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[0])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[1])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[2])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[3])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[4])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[5])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[6])		},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length)		},
+	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length)	},
 	/* Protocol ID as 8 bit field*/
-	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id)			},
+	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id)		},
 	/* SPI Size as 8 bit field*/
-	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size)			},
+	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size)		},
 	/* Notify message type as 16 bit field*/
-	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)			},
+	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)		},
 	/* SPI as variable length field*/
-	{ SPI,				offsetof(private_notify_payload_t, spi)					},
+	{ SPI,				offsetof(private_notify_payload_t, spi)				},
 	/* Key Exchange Data is from variable size */
-	{ NOTIFICATION_DATA,offsetof(private_notify_payload_t, notification_data)	}
+	{ CHUNK_DATA,		offsetof(private_notify_payload_t, notify_data)		},
 };
 
 /*
@@ -315,6 +352,57 @@ encoding_rule_t notify_payload_encodings[] = {
       !                                                               !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
+/**
+ * Encoding rules for an IKEv1 notification payload
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload)	},
+	/* 8 reserved bits */
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[0])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[1])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[2])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[3])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[4])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[5])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[6])		},
+	{ RESERVED_BIT,		offsetof(private_notify_payload_t, reserved[7])		},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length)	},
+	/* DOI as  32 bit field*/
+	{ U_INT_32,			offsetof(private_notify_payload_t, doi)				},
+	/* Protocol ID as 8 bit field*/
+	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id)		},
+	/* SPI Size as 8 bit field*/
+	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size)		},
+	/* Notify message type as 16 bit field*/
+	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)		},
+	/* SPI as variable length field*/
+	{ SPI,				offsetof(private_notify_payload_t, spi)				},
+	/* Key Exchange Data is from variable size */
+	{ CHUNK_DATA,		offsetof(private_notify_payload_t, notify_data)		},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !    RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                             DOI                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !  Protocol ID  !   SPI Size    !      Notify Message Type      !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                Security Parameter Index (SPI)                 ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                       Notification Data                       ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
 
 METHOD(payload_t, verify, status_t,
 	private_notify_payload_t *this)
@@ -337,7 +425,7 @@ METHOD(payload_t, verify, status_t,
 	{
 		case INVALID_KE_PAYLOAD:
 		{
-			if (this->notification_data.len != 2)
+			if (this->type == NOTIFY && this->notify_data.len != 2)
 			{
 				bad_length = TRUE;
 			}
@@ -347,7 +435,7 @@ METHOD(payload_t, verify, status_t,
 		case NAT_DETECTION_DESTINATION_IP:
 		case ME_CONNECTAUTH:
 		{
-			if (this->notification_data.len != HASH_SIZE_SHA1)
+			if (this->notify_data.len != HASH_SIZE_SHA1)
 			{
 				bad_length = TRUE;
 			}
@@ -357,7 +445,7 @@ METHOD(payload_t, verify, status_t,
 		case INVALID_MAJOR_VERSION:
 		case NO_PROPOSAL_CHOSEN:
 		{
-			if (this->notification_data.len != 0)
+			if (this->type == NOTIFY && this->notify_data.len != 0)
 			{
 				bad_length = TRUE;
 			}
@@ -365,7 +453,7 @@ METHOD(payload_t, verify, status_t,
 		}
 		case ADDITIONAL_IP4_ADDRESS:
 		{
-			if (this->notification_data.len != 4)
+			if (this->notify_data.len != 4)
 			{
 				bad_length = TRUE;
 			}
@@ -373,7 +461,7 @@ METHOD(payload_t, verify, status_t,
 		}
 		case ADDITIONAL_IP6_ADDRESS:
 		{
-			if (this->notification_data.len != 16)
+			if (this->notify_data.len != 16)
 			{
 				bad_length = TRUE;
 			}
@@ -381,7 +469,7 @@ METHOD(payload_t, verify, status_t,
 		}
 		case AUTH_LIFETIME:
 		{
-			if (this->notification_data.len != 4)
+			if (this->notify_data.len != 4)
 			{
 				bad_length = TRUE;
 			}
@@ -389,30 +477,37 @@ METHOD(payload_t, verify, status_t,
 		}
 		case IPCOMP_SUPPORTED:
 		{
-			if (this->notification_data.len != 3)
+			if (this->notify_data.len != 3)
 			{
 				bad_length = TRUE;
 			}
 			break;
 		}
 		case ME_ENDPOINT:
-			if (this->notification_data.len != 8 &&
-				this->notification_data.len != 12 &&
-				this->notification_data.len != 24)
+			if (this->notify_data.len != 8 &&
+				this->notify_data.len != 12 &&
+				this->notify_data.len != 24)
 			{
 				bad_length = TRUE;
 			}
 			break;
 		case ME_CONNECTID:
-			if (this->notification_data.len < 4 ||
-				this->notification_data.len > 16)
+			if (this->notify_data.len < 4 ||
+				this->notify_data.len > 16)
 			{
 				bad_length = TRUE;
 			}
 			break;
 		case ME_CONNECTKEY:
-			if (this->notification_data.len < 16 ||
-				this->notification_data.len > 32)
+			if (this->notify_data.len < 16 ||
+				this->notify_data.len > 32)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		case DPD_R_U_THERE:
+		case DPD_R_U_THERE_ACK:
+			if (this->notify_data.len != 4)
 			{
 				bad_length = TRUE;
 			}
@@ -425,23 +520,38 @@ METHOD(payload_t, verify, status_t,
 	{
 		DBG1(DBG_ENC, "invalid notify data length for %N (%d)",
 			 notify_type_names, this->notify_type,
-			 this->notification_data.len);
+			 this->notify_data.len);
 		return FAILED;
 	}
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_notify_payload_t *this, encoding_rule_t **rules)
+{
+	if (this->type == NOTIFY)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_notify_payload_t *this)
 {
-	*rules = notify_payload_encodings;
-	*rule_count = countof(notify_payload_encodings);
+	if (this->type == NOTIFY)
+	{
+		return 8 + this->spi_size;
+	}
+	return 12 + this->spi_size;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_notify_payload_t *this)
 {
-	return NOTIFY;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -459,19 +569,9 @@ METHOD(payload_t, set_next_type, void,
 /**
  * recompute the payloads length.
  */
-static void compute_length (private_notify_payload_t *this)
+static void compute_length(private_notify_payload_t *this)
 {
-	size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH;
-
-	if (this->notification_data.ptr != NULL)
-	{
-		length += this->notification_data.len;
-	}
-	if (this->spi.ptr != NULL)
-	{
-		length += this->spi.len;
-	}
-	this->payload_length = length;
+	this->payload_length = get_header_length(this) + this->notify_data.len;
 }
 
 METHOD(payload_t, get_length, size_t,
@@ -539,24 +639,55 @@ METHOD(notify_payload_t, set_spi, void,
 	compute_length(this);
 }
 
+METHOD(notify_payload_t, get_spi_data, chunk_t,
+	private_notify_payload_t *this)
+{
+	switch (this->protocol_id)
+	{
+		case PROTO_IKE:
+			if (this->spi.len == 16)
+			{
+				return this->spi;
+			}
+		default:
+			break;
+	}
+	return chunk_empty;
+}
+
+METHOD(notify_payload_t, set_spi_data, void,
+	private_notify_payload_t *this, chunk_t spi)
+{
+	chunk_free(&this->spi);
+	switch (this->protocol_id)
+	{
+		case PROTO_IKE:
+			this->spi = chunk_clone(spi);
+		default:
+			break;
+	}
+	this->spi_size = this->spi.len;
+	compute_length(this);
+}
+
 METHOD(notify_payload_t, get_notification_data, chunk_t,
 	private_notify_payload_t *this)
 {
-	return this->notification_data;
+	return this->notify_data;
 }
 
 METHOD(notify_payload_t, set_notification_data, void,
 	private_notify_payload_t *this, chunk_t data)
 {
-	free(this->notification_data.ptr);
-	this->notification_data = chunk_clone(data);
+	free(this->notify_data.ptr);
+	this->notify_data = chunk_clone(data);
 	compute_length(this);
 }
 
 METHOD2(payload_t, notify_payload_t, destroy, void,
 	private_notify_payload_t *this)
 {
-	free(this->notification_data.ptr);
+	free(this->notify_data.ptr);
 	free(this->spi.ptr);
 	free(this);
 }
@@ -564,7 +695,7 @@ METHOD2(payload_t, notify_payload_t, destroy, void,
 /*
  * Described in header
  */
-notify_payload_t *notify_payload_create()
+notify_payload_t *notify_payload_create(payload_type_t type)
 {
 	private_notify_payload_t *this;
 
@@ -573,6 +704,7 @@ notify_payload_t *notify_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -585,13 +717,17 @@ notify_payload_t *notify_payload_create()
 			.set_notify_type = _set_notify_type,
 			.get_spi = _get_spi,
 			.set_spi = _set_spi,
+			.get_spi_data = _get_spi_data,
+			.set_spi_data = _set_spi_data,
 			.get_notification_data = _get_notification_data,
 			.set_notification_data = _set_notification_data,
 			.destroy = _destroy,
 		},
+		.doi = IKEV1_DOI_IPSEC,
 		.next_payload = NO_PAYLOAD,
-		.payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH,
+		.type = type,
 	);
+	compute_length(this);
 	return &this->public;
 }
 
@@ -599,12 +735,12 @@ notify_payload_t *notify_payload_create()
  * Described in header.
  */
 notify_payload_t *notify_payload_create_from_protocol_and_type(
-						protocol_id_t protocol_id, notify_type_t notify_type)
+			payload_type_t type, protocol_id_t protocol, notify_type_t notify)
 {
-	notify_payload_t *notify = notify_payload_create();
+	notify_payload_t *this = notify_payload_create(type);
 
-	notify->set_notify_type(notify, notify_type);
-	notify->set_protocol_id(notify, protocol_id);
+	this->set_notify_type(this, notify);
+	this->set_protocol_id(this, protocol);
 
-	return notify;
+	return this;
 }
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index ced282700..847fddc69 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -30,28 +30,39 @@ typedef struct notify_payload_t notify_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
- * Notify payload length in bytes without any spi and notification data.
- */
-#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
-
-/**
- * Notify message types.
- *
- * See IKEv2 RFC 3.10.1.
+ * Notify message types for IKEv2, and a subset for IKEv1.
  */
 enum notify_type_t {
 	/* notify error messages */
 	UNSUPPORTED_CRITICAL_PAYLOAD = 1,
+	/* IKEv1 alias */
+	INVALID_PAYLOAD_TYPE = 1,
 	INVALID_IKE_SPI = 4,
 	INVALID_MAJOR_VERSION = 5,
 	INVALID_SYNTAX = 7,
+	/* IKEv1 alias */
+	INVALID_EXCHANGE_TYPE = 7,
 	INVALID_MESSAGE_ID = 9,
 	INVALID_SPI = 11,
+	/* IKEv1 only */
+	ATTRIBUTES_NOT_SUPPORTED = 13,
+	/* IKEv1 alias */
 	NO_PROPOSAL_CHOSEN = 14,
+	/* IKEv1 only */
+	PAYLOAD_MALFORMED = 16,
 	INVALID_KE_PAYLOAD = 17,
+	/* IKEv1 alias */
+	INVALID_KEY_INFORMATION = 17,
+	/* IKEv1 only */
+	INVALID_ID_INFORMATION = 18,
+	INVALID_CERT_ENCODING = 19,
+	INVALID_CERTIFICATE = 20,
+	CERT_TYPE_UNSUPPORTED = 21,
+	INVALID_CERT_AUTHORITY = 22,
+	INVALID_HASH_INFORMATION = 23,
 	AUTHENTICATION_FAILED = 24,
 	SINGLE_PAIR_REQUIRED = 34,
 	NO_ADDITIONAL_SAS = 35,
@@ -129,9 +140,18 @@ enum notify_type_t {
 	IPSEC_REPLAY_COUNTER_SYNC = 16423,
 	/* Secure password methods, RFC 6467 */
 	SECURE_PASSWORD_METHOD = 16424,
-	/* PACE - draft-kuegler-ipsecme-pace-ikev2 */
+	/* PACE, RFC 6631 */
 	PSK_PERSIST = 16425,
 	PSK_CONFIRM = 16426,
+	/* EAP Re-authentication Extension, RFC 6867 */
+	ERX_SUPPORTED = 16427,
+	/* IKEv1 initial contact */
+	INITIAL_CONTACT_IKEV1 = 24578,
+	/* IKEv1 DPD */
+	DPD_R_U_THERE = 36136,
+	DPD_R_U_THERE_ACK = 36137,
+	/* IKEv1 Cisco High Availability */
+	UNITY_LOAD_BALANCE = 40501,
 	/* BEET mode, not even a draft yet. private use */
 	USE_BEET_MODE = 40961,
 	/* IKE-ME, private use */
@@ -214,6 +234,24 @@ struct notify_payload_t {
 	void (*set_spi) (notify_payload_t *this, u_int32_t spi);
 
 	/**
+	 * Returns the currently set spi of this payload.
+	 *
+	 * This is only valid for notifys with protocol ISAKMP
+	 *
+	 * @return		SPI value
+	 */
+	chunk_t (*get_spi_data) (notify_payload_t *this);
+
+	/**
+	 * Sets the spi of this payload.
+	 *
+	 * This is only valid for notifys with protocol ISAKMP
+	 *
+	 * @param spi	SPI value
+	 */
+	void (*set_spi_data) (notify_payload_t *this, chunk_t spi);
+
+	/**
 	 * Returns the currently set notification data of payload.
 	 *
 	 * Returned data are not copied.
@@ -241,18 +279,20 @@ struct notify_payload_t {
 /**
  * Creates an empty notify_payload_t object
  *
+ * @param type		payload type, NOTIFY or NOTIFY_V1
  * @return			created notify_payload_t object
  */
-notify_payload_t *notify_payload_create(void);
+notify_payload_t *notify_payload_create(payload_type_t type);
 
 /**
  * Creates an notify_payload_t object of specific type for specific protocol id.
  *
- * @param protocol_id			protocol id (IKE, AH or ESP)
- * @param type					notify type (see notify_type_t)
+ * @param type					payload type, NOTIFY or NOTIFY_V1
+ * @param protocol				protocol id (IKE, AH or ESP)
+ * @param notify				type of notify
  * @return						notify_payload_t object
  */
 notify_payload_t *notify_payload_create_from_protocol_and_type(
-								protocol_id_t protocol_id, notify_type_t type);
+			payload_type_t type, protocol_id_t protocol, notify_type_t notify);
 
 #endif /** NOTIFY_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index a2c0a4385..f9dd33edb 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -20,6 +20,7 @@
 
 #include <encoding/payloads/ike_header.h>
 #include <encoding/payloads/sa_payload.h>
+
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/ke_payload.h>
@@ -34,13 +35,31 @@
 #include <encoding/payloads/cp_payload.h>
 #include <encoding/payloads/configuration_attribute.h>
 #include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/hash_payload.h>
+#include <encoding/payloads/fragment_payload.h>
 #include <encoding/payloads/unknown_payload.h>
 
-
 ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
 	"NO_PAYLOAD");
-ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION,
-							  GENERIC_SECURE_PASSWORD_METHOD, NO_PAYLOAD,
+ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION_V1, CONFIGURATION_V1, NO_PAYLOAD,
+	"SECURITY_ASSOCIATION_V1",
+	"PROPOSAL_V1",
+	"TRANSFORM_V1",
+	"KEY_EXCHANGE_V1",
+	"ID_V1",
+	"CERTIFICATE_V1",
+	"CERTIFICATE_REQUEST_V1",
+	"HASH_V1",
+	"SIGNATURE_V1",
+	"NONCE_V1",
+	"NOTIFY_V1",
+	"DELETE_V1",
+	"VENDOR_ID_V1",
+	"CONFIGURATION_V1");
+ENUM_NEXT(payload_type_names, NAT_D_V1, NAT_OA_V1, CONFIGURATION_V1,
+	"NAT_D_V1",
+	"NAT_OA_V1");
+ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWORD_METHOD, NAT_OA_V1,
 	"SECURITY_ASSOCIATION",
 	"KEY_EXCHANGE",
 	"ID_INITIATOR",
@@ -61,30 +80,52 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION,
 #ifdef ME
 ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
 	"ID_PEER");
-ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
-	"HEADER",
-	"PROPOSAL_SUBSTRUCTURE",
-	"TRANSFORM_SUBSTRUCTURE",
-	"TRANSFORM_ATTRIBUTE",
-	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
-	"CONFIGURATION_ATTRIBUTE");
+ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+	"NAT_D_DRAFT_V1",
+	"NAT_OA_DRAFT_V1",
+	"FRAGMENT");
 #else
-ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE,
-							  GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+	"NAT_D_DRAFT_V1",
+	"NAT_OA_DRAFT_V1",
+	"FRAGMENT");
+#endif /* ME */
+ENUM_NEXT(payload_type_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
 	"HEADER",
 	"PROPOSAL_SUBSTRUCTURE",
+	"PROPOSAL_SUBSTRUCTURE_V1",
 	"TRANSFORM_SUBSTRUCTURE",
+	"TRANSFORM_SUBSTRUCTURE_V1",
 	"TRANSFORM_ATTRIBUTE",
+	"TRANSFORM_ATTRIBUTE_V1",
 	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
-	"CONFIGURATION_ATTRIBUTE");
-#endif /* ME */
-ENUM_END(payload_type_names, CONFIGURATION_ATTRIBUTE);
+	"CONFIGURATION_ATTRIBUTE",
+	"CONFIGURATION_ATTRIBUTE_V1",
+	"ENCRYPTED_V1");
+ENUM_END(payload_type_names, ENCRYPTED_V1);
 
 /* short forms of payload names */
 ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD,
 	"--");
-ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION,
-									GENERIC_SECURE_PASSWORD_METHOD, NO_PAYLOAD,
+ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION_V1, CONFIGURATION_V1, NO_PAYLOAD,
+	"SA",
+	"PROP",
+	"TRANS",
+	"KE",
+	"ID",
+	"CERT",
+	"CERTREQ",
+	"HASH",
+	"SIG",
+	"No",
+	"N",
+	"D",
+	"V",
+	"CP");
+ENUM_NEXT(payload_type_short_names, NAT_D_V1, NAT_OA_V1, CONFIGURATION_V1,
+	"NAT-D",
+	"NAT-OA");
+ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, GENERIC_SECURE_PASSWORD_METHOD, NAT_OA_V1,
 	"SA",
 	"KE",
 	"IDi",
@@ -103,27 +144,31 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION,
 	"EAP",
 	"GSPM");
 #ifdef ME
-ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER,
-									GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
 	"IDp");
-ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
-	"HDR",
-	"PROP",
-	"TRANS",
-	"TRANSATTR",
-	"TSSUB",
-	"CPATTR");
+ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, ID_PEER,
+	"NAT-D",
+	"NAT-OA",
+	"FRAG");
 #else
-ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE,
-									GENERIC_SECURE_PASSWORD_METHOD,
+ENUM_NEXT(payload_type_short_names, NAT_D_DRAFT_00_03_V1, FRAGMENT_V1, GENERIC_SECURE_PASSWORD_METHOD,
+	"NAT-D",
+	"NAT-OA",
+	"FRAG");
+#endif /* ME */
+ENUM_NEXT(payload_type_short_names, HEADER, ENCRYPTED_V1, FRAGMENT_V1,
 	"HDR",
 	"PROP",
+	"PROP",
 	"TRANS",
+	"TRANS",
+	"TRANSATTR",
 	"TRANSATTR",
 	"TSSUB",
-	"CPATTR");
-#endif /* ME */
-ENUM_END(payload_type_short_names, CONFIGURATION_ATTRIBUTE);
+	"CATTR",
+	"CATTR",
+	"E");
+ENUM_END(payload_type_short_names, ENCRYPTED_V1);
 
 /*
  * see header
@@ -135,29 +180,37 @@ payload_t *payload_create(payload_type_t type)
 		case HEADER:
 			return (payload_t*)ike_header_create();
 		case SECURITY_ASSOCIATION:
-			return (payload_t*)sa_payload_create();
+		case SECURITY_ASSOCIATION_V1:
+			return (payload_t*)sa_payload_create(type);
 		case PROPOSAL_SUBSTRUCTURE:
-			return (payload_t*)proposal_substructure_create();
+		case PROPOSAL_SUBSTRUCTURE_V1:
+			return (payload_t*)proposal_substructure_create(type);
 		case TRANSFORM_SUBSTRUCTURE:
-			return (payload_t*)transform_substructure_create();
+		case TRANSFORM_SUBSTRUCTURE_V1:
+			return (payload_t*)transform_substructure_create(type);
 		case TRANSFORM_ATTRIBUTE:
-			return (payload_t*)transform_attribute_create();
+		case TRANSFORM_ATTRIBUTE_V1:
+			return (payload_t*)transform_attribute_create(type);
 		case NONCE:
-			return (payload_t*)nonce_payload_create();
+		case NONCE_V1:
+			return (payload_t*)nonce_payload_create(type);
 		case ID_INITIATOR:
-			return (payload_t*)id_payload_create(ID_INITIATOR);
 		case ID_RESPONDER:
-			return (payload_t*)id_payload_create(ID_RESPONDER);
+		case ID_V1:
+		case NAT_OA_V1:
+		case NAT_OA_DRAFT_00_03_V1:
 #ifdef ME
 		case ID_PEER:
-			return (payload_t*)id_payload_create(ID_PEER);
 #endif /* ME */
+			return (payload_t*)id_payload_create(type);
 		case AUTHENTICATION:
 			return (payload_t*)auth_payload_create();
 		case CERTIFICATE:
-			return (payload_t*)cert_payload_create();
+		case CERTIFICATE_V1:
+			return (payload_t*)cert_payload_create(type);
 		case CERTIFICATE_REQUEST:
-			return (payload_t*)certreq_payload_create();
+		case CERTIFICATE_REQUEST_V1:
+			return (payload_t*)certreq_payload_create(type);
 		case TRAFFIC_SELECTOR_SUBSTRUCTURE:
 			return (payload_t*)traffic_selector_substructure_create();
 		case TRAFFIC_SELECTOR_INITIATOR:
@@ -165,21 +218,35 @@ payload_t *payload_create(payload_type_t type)
 		case TRAFFIC_SELECTOR_RESPONDER:
 			return (payload_t*)ts_payload_create(FALSE);
 		case KEY_EXCHANGE:
-			return (payload_t*)ke_payload_create();
+		case KEY_EXCHANGE_V1:
+			return (payload_t*)ke_payload_create(type);
 		case NOTIFY:
-			return (payload_t*)notify_payload_create();
+		case NOTIFY_V1:
+			return (payload_t*)notify_payload_create(type);
 		case DELETE:
-			return (payload_t*)delete_payload_create(0);
+		case DELETE_V1:
+			return (payload_t*)delete_payload_create(type, 0);
 		case VENDOR_ID:
-			return (payload_t*)vendor_id_payload_create();
+		case VENDOR_ID_V1:
+			return (payload_t*)vendor_id_payload_create(type);
+		case HASH_V1:
+		case SIGNATURE_V1:
+		case NAT_D_V1:
+		case NAT_D_DRAFT_00_03_V1:
+			return (payload_t*)hash_payload_create(type);
 		case CONFIGURATION:
-			return (payload_t*)cp_payload_create();
+		case CONFIGURATION_V1:
+			return (payload_t*)cp_payload_create(type);
 		case CONFIGURATION_ATTRIBUTE:
-			return (payload_t*)configuration_attribute_create();
+		case CONFIGURATION_ATTRIBUTE_V1:
+			return (payload_t*)configuration_attribute_create(type);
 		case EXTENSIBLE_AUTHENTICATION:
 			return (payload_t*)eap_payload_create();
 		case ENCRYPTED:
-			return (payload_t*)encryption_payload_create();
+		case ENCRYPTED_V1:
+			return (payload_t*)encryption_payload_create(type);
+		case FRAGMENT_V1:
+			return (payload_t*)fragment_payload_create();
 		default:
 			return (payload_t*)unknown_payload_create(type);
 	}
@@ -190,8 +257,19 @@ payload_t *payload_create(payload_type_t type)
  */
 bool payload_is_known(payload_type_t type)
 {
-	if (type == HEADER ||
-		(type >= SECURITY_ASSOCIATION && type <= EXTENSIBLE_AUTHENTICATION))
+	if (type == HEADER)
+	{
+		return TRUE;
+	}
+	if (type >= SECURITY_ASSOCIATION && type <= EXTENSIBLE_AUTHENTICATION)
+	{
+		return TRUE;
+	}
+	if (type >= SECURITY_ASSOCIATION_V1 && type <= CONFIGURATION_V1)
+	{
+		return TRUE;
+	}
+	if (type >= NAT_D_V1 && type <= NAT_OA_V1)
 	{
 		return TRUE;
 	}
@@ -201,6 +279,10 @@ bool payload_is_known(payload_type_t type)
 		return TRUE;
 	}
 #endif
+	if (type >= NAT_D_DRAFT_00_03_V1 && type <= FRAGMENT_V1)
+	{
+		return TRUE;
+	}
 	return FALSE;
 }
 
@@ -210,10 +292,9 @@ bool payload_is_known(payload_type_t type)
 void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip)
 {
 	encoding_rule_t *rule;
-	size_t count;
-	int i;
+	int i, count;
 
-	payload->get_encoding_rules(payload, &rule, &count);
+	count = payload->get_encoding_rules(payload, &rule);
 	for (i = 0; i < count; i++)
 	{
 		if (rule[i].type == type && skip-- == 0)
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index a9af29b5b..0e8a9267b 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -29,14 +29,18 @@ typedef struct payload_t payload_t;
 #include <library.h>
 #include <encoding/payloads/encodings.h>
 
+/**
+ * Domain of interpretation used by IPsec/IKEv1
+ */
+#define IKEV1_DOI_IPSEC 1
 
 /**
- * Payload-Types of a IKEv2-Message.
+ * Payload-Types of an IKE message.
  *
  * Header and substructures are also defined as
  * payload types with values from PRIVATE USE space.
  */
-enum payload_type_t{
+enum payload_type_t {
 
 	/**
 	 * End of payload list in next_payload
@@ -46,6 +50,86 @@ enum payload_type_t{
 	/**
 	 * The security association (SA) payload containing proposals.
 	 */
+	SECURITY_ASSOCIATION_V1 = 1,
+
+	/**
+	 * The proposal payload, containing transforms.
+	 */
+	PROPOSAL_V1 = 2,
+
+	/**
+	 * The transform payload.
+	 */
+	TRANSFORM_V1 = 3,
+
+	/**
+	 * The key exchange (KE) payload containing diffie-hellman values.
+	 */
+	KEY_EXCHANGE_V1 = 4,
+
+	/**
+	 * ID payload.
+	 */
+	ID_V1 = 5,
+
+	/**
+	 * Certificate payload with certificates (CERT).
+	 */
+	CERTIFICATE_V1 = 6,
+
+	/**
+	 * Certificate request payload.
+	 */
+	CERTIFICATE_REQUEST_V1 = 7,
+
+	/**
+	 * Hash payload.
+	 */
+	HASH_V1 = 8,
+
+	/**
+	 * Signature payload
+	 */
+	SIGNATURE_V1 = 9,
+
+	/**
+	 * Nonce payload.
+	 */
+	NONCE_V1 = 10,
+
+	/**
+	 * Notification payload.
+	 */
+	NOTIFY_V1 = 11,
+
+	/**
+	 * Delete payload.
+	 */
+	DELETE_V1 = 12,
+
+	/**
+	 * Vendor id payload.
+	 */
+	VENDOR_ID_V1 = 13,
+
+	/**
+	 * Attribute payload (ISAKMP Mode Config, aka configuration payload.
+	 */
+	CONFIGURATION_V1 = 14,
+
+	/**
+	 * NAT discovery payload (NAT-D).
+	 */
+	NAT_D_V1 = 20,
+
+	/**
+	 * NAT original address payload (NAT-OA).
+	 */
+	NAT_OA_V1 = 21,
+
+	/**
+	 * The security association (SA) payload containing proposals.
+	 */
 	SECURITY_ASSOCIATION = 33,
 
 	/**
@@ -137,52 +221,77 @@ enum payload_type_t{
 #endif /* ME */
 
 	/**
+	 * NAT discovery payload (NAT-D) (drafts).
+	 */
+	NAT_D_DRAFT_00_03_V1 = 130,
+
+	/**
+	 * NAT original address payload (NAT-OA) (drafts).
+	 */
+	NAT_OA_DRAFT_00_03_V1 = 131,
+
+	/**
+	 * IKE fragment (proprietary IKEv1 extension)
+	 */
+	FRAGMENT_V1 = 132,
+
+	/**
 	 * Header has a value of PRIVATE USE space.
 	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle IKEv2-Header like a payload.
+	 * This type and all the following are never sent over wire and are
+	 * used internally only.
 	 */
 	HEADER = 256,
 
 	/**
-	 * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a proposal substructure like a payload.
+	 * PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload.
 	 */
-	PROPOSAL_SUBSTRUCTURE = 257,
+	PROPOSAL_SUBSTRUCTURE,
 
 	/**
-	 * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform substructure like a payload.
+	 * PROPOSAL_SUBSTRUCTURE_V1, IKEv1 proposals in a SA payload.
 	 */
-	TRANSFORM_SUBSTRUCTURE = 258,
+	PROPOSAL_SUBSTRUCTURE_V1,
 
 	/**
-	 * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform attribute like a payload.
+	 * TRANSFORM_SUBSTRUCTURE, IKEv2 transforms in a proposal substructure.
 	 */
-	TRANSFORM_ATTRIBUTE = 259,
+	TRANSFORM_SUBSTRUCTURE,
 
 	/**
-	 * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform selector like a payload.
+	 * TRANSFORM_SUBSTRUCTURE_V1, IKEv1 transforms in a proposal substructure.
 	 */
-	TRAFFIC_SELECTOR_SUBSTRUCTURE = 260,
+	TRANSFORM_SUBSTRUCTURE_V1,
 
 	/**
-	 * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
-	 *
-	 * This payload type is not sent over wire and just
-	 * used internally to handle a transform attribute like a payload.
+	 * TRANSFORM_ATTRIBUTE, IKEv2 attribute in a transform.
+	 */
+	TRANSFORM_ATTRIBUTE,
+
+	/**
+	 * TRANSFORM_ATTRIBUTE_V1, IKEv1 attribute in a transform.
+	 */
+	TRANSFORM_ATTRIBUTE_V1,
+
+	/**
+	 * TRAFFIC_SELECTOR_SUBSTRUCTURE, traffic selector in a TS payload.
+	 */
+	TRAFFIC_SELECTOR_SUBSTRUCTURE,
+
+	/**
+	 * CONFIGURATION_ATTRIBUTE, IKEv2 attribute in a configuration payload.
 	 */
-	CONFIGURATION_ATTRIBUTE = 261,
+	CONFIGURATION_ATTRIBUTE,
+
+	/**
+	 * CONFIGURATION_ATTRIBUTE_V1, IKEv1 attribute in a configuration payload.
+	 */
+	CONFIGURATION_ATTRIBUTE_V1,
+
+	/**
+	 * This is not really a payload, but rather the complete IKEv1 message.
+	 */
+	ENCRYPTED_V1,
 };
 
 /**
@@ -207,43 +316,50 @@ struct payload_t {
 	/**
 	 * Get encoding rules for this payload.
 	 *
-	 * @param rules			location to store pointer of first rule
-	 * @param rule_count	location to store number of rules
+	 * @param rules			location to store pointer to rules
+	 * @return				number of rules
+	 */
+	int (*get_encoding_rules) (payload_t *this, encoding_rule_t **rules);
+
+	/**
+	 * Get non-variable header length for a variable length payload.
+	 *
+	 * @return				fixed length of the payload
 	 */
-	void (*get_encoding_rules) (payload_t *this, encoding_rule_t **rules, size_t *rule_count);
+	int (*get_header_length)(payload_t *this);
 
 	/**
 	 * Get type of payload.
 	 *
-	 * @return 				type of this payload
+	 * @return				type of this payload
 	 */
 	payload_type_t (*get_type) (payload_t *this);
 
 	/**
 	 * Get type of next payload or NO_PAYLOAD (0) if this is the last one.
 	 *
-	 * @return 				type of next payload
+	 * @return				type of next payload
 	 */
 	payload_type_t (*get_next_type) (payload_t *this);
 
 	/**
 	 * Set type of next payload.
 	 *
-	 * @param type 			type of next payload
+	 * @param type			type of next payload
 	 */
 	void (*set_next_type) (payload_t *this,payload_type_t type);
 
 	/**
 	 * Get length of payload.
 	 *
-	 * @return 				length of this payload
+	 * @return				length of this payload
 	 */
 	size_t (*get_length) (payload_t *this);
 
 	/**
 	 * Verifies payload structure and makes consistence check.
 	 *
-	 * @return 				SUCCESS,  FAILED if consistence not given
+	 * @return				SUCCESS,  FAILED if consistence not given
 	 */
 	status_t (*verify) (payload_t *this);
 
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 4753d574d..3cf22aefd 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -21,11 +22,11 @@
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/transform_substructure.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <daemon.h>
 
 /**
- * IKEv1 Value for a proposal payload.
+ * IKEv2 Value for a proposal payload.
  */
 #define PROPOSAL_TYPE_VALUE 2
 
@@ -84,16 +85,18 @@ struct private_proposal_substructure_t {
 	/**
 	 * Transforms are stored in a linked_list_t.
 	 */
-	linked_list_t * transforms;
+	linked_list_t *transforms;
+
+	/**
+	 * Type of this payload, PROPOSAL_SUBSTRUCTURE or PROPOSAL_SUBSTRUCTURE_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a Proposal substructure.
- *
- * The defined offsets are the positions in a object of type
- * private_proposal_substructure_t.
+ * Encoding rules for a IKEv1 Proposal substructure.
  */
-encoding_rule_t proposal_substructure_encodings[] = {
+static encoding_rule_t encodings_v1[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload)		},
 	/* 1 Reserved Byte */
@@ -110,9 +113,34 @@ encoding_rule_t proposal_substructure_encodings[] = {
 	{ U_INT_8,			offsetof(private_proposal_substructure_t, transforms_count)	},
 	/* SPI is a chunk of variable size*/
 	{ SPI,				offsetof(private_proposal_substructure_t, spi)				},
-	/* Transforms are stored in a transform substructure,
-	   offset points to a linked_list_t pointer */
-	{ TRANSFORMS,		offsetof(private_proposal_substructure_t, transforms)		}
+	/* Transforms are stored in a transform substructure list */
+	{ PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1,
+						offsetof(private_proposal_substructure_t, transforms)		},
+};
+
+/**
+ * Encoding rules for a IKEv2 Proposal substructure.
+ */
+static encoding_rule_t encodings_v2[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload)		},
+	/* 1 Reserved Byte */
+	{ RESERVED_BYTE,	offsetof(private_proposal_substructure_t, reserved)			},
+	/* Length of the whole proposal substructure payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_proposal_substructure_t, proposal_length)	},
+	/* proposal number is a number of 8 bit */
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, proposal_number)	},
+	/* protocol ID is a number of 8 bit */
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, protocol_id)		},
+	/* SPI Size has its own type */
+	{ SPI_SIZE,			offsetof(private_proposal_substructure_t, spi_size)			},
+	/* Number of transforms is a number of 8 bit */
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, transforms_count)	},
+	/* SPI is a chunk of variable size*/
+	{ SPI,				offsetof(private_proposal_substructure_t, spi)				},
+	/* Transforms are stored in a transform substructure list */
+	{ PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE,
+						offsetof(private_proposal_substructure_t, transforms)		},
 };
 
 /*
@@ -131,6 +159,151 @@ encoding_rule_t proposal_substructure_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
+/**
+ * Encryption.
+ */
+typedef enum {
+	IKEV1_ENCR_DES_CBC = 1,
+	IKEV1_ENCR_IDEA_CBC = 2,
+	IKEV1_ENCR_BLOWFISH_CBC = 3,
+	IKEV1_ENCR_RC5_R16_B64_CBC = 4,
+	IKEV1_ENCR_3DES_CBC = 5,
+	IKEV1_ENCR_CAST_CBC = 6,
+	IKEV1_ENCR_AES_CBC = 7,
+	IKEV1_ENCR_CAMELLIA_CBC = 8,
+	/* FreeS/WAN proprietary */
+	IKEV1_ENCR_SERPENT_CBC = 65004,
+	IKEV1_ENCR_TWOFISH_CBC = 65005,
+} ikev1_encryption_t;
+
+/**
+ * IKEv1 hash.
+ */
+typedef enum {
+	IKEV1_HASH_MD5 = 1,
+	IKEV1_HASH_SHA1 = 2,
+	IKEV1_HASH_TIGER = 3,
+	IKEV1_HASH_SHA2_256 = 4,
+	IKEV1_HASH_SHA2_384 = 5,
+	IKEV1_HASH_SHA2_512 = 6,
+} ikev1_hash_t;
+
+/**
+ * IKEv1 Transform ID IKE.
+ */
+typedef enum {
+	IKEV1_TRANSID_KEY_IKE = 1,
+} ikev1_ike_transid_t;
+
+/**
+ * IKEv1 Transform ID ESP encryption algorithm.
+ */
+typedef enum {
+	IKEV1_ESP_ENCR_DES_IV64 = 1,
+	IKEV1_ESP_ENCR_DES = 2,
+	IKEV1_ESP_ENCR_3DES = 3,
+	IKEV1_ESP_ENCR_RC5 = 4,
+	IKEV1_ESP_ENCR_IDEA = 5,
+	IKEV1_ESP_ENCR_CAST = 6,
+	IKEV1_ESP_ENCR_BLOWFISH = 7,
+	IKEV1_ESP_ENCR_3IDEA = 8,
+	IKEV1_ESP_ENCR_DES_IV32 = 9,
+	IKEV1_ESP_ENCR_RC4 = 10,
+	IKEV1_ESP_ENCR_NULL = 11,
+	IKEV1_ESP_ENCR_AES_CBC = 12,
+	IKEV1_ESP_ENCR_AES_CTR = 13,
+	IKEV1_ESP_ENCR_AES_CCM_8 = 14,
+	IKEV1_ESP_ENCR_AES_CCM_12 = 15,
+	IKEV1_ESP_ENCR_AES_CCM_16 = 16,
+	IKEV1_ESP_ENCR_AES_GCM_8 = 18,
+	IKEV1_ESP_ENCR_AES_GCM_12 = 19,
+	IKEV1_ESP_ENCR_AES_GCM_16 = 20,
+	IKEV1_ESP_ENCR_SEED_CBC = 21,
+	IKEV1_ESP_ENCR_CAMELLIA = 22,
+	IKEV1_ESP_ENCR_NULL_AUTH_AES_GMAC = 23,
+	/* FreeS/WAN proprietary */
+	IKEV1_ESP_ENCR_SERPENT = 252,
+	IKEV1_ESP_ENCR_TWOFISH = 253,
+} ikev1_esp_encr_transid_t;
+
+/**
+ * IKEv1 Transform ID ESP authentication algorithm.
+ */
+typedef enum {
+	IKEV1_ESP_AUTH_HMAC_MD5 = 1,
+	IKEV1_ESP_AUTH_HMAC_SHA = 2,
+	IKEV1_ESP_AUTH_DES_MAC = 3,
+	IKEV1_ESP_AUTH_KPDK = 4,
+	IKEV1_ESP_AUTH_HMAC_SHA2_256 = 5,
+	IKEV1_ESP_AUTH_HMAC_SHA2_384 = 6,
+	IKEV1_ESP_AUTH_HMAC_SHA2_512 = 7,
+	IKEV1_ESP_AUTH_HMAC_RIPEMD = 8,
+	IKEV1_ESP_AUTH_AES_XCBC_MAC = 9,
+	IKEV1_ESP_AUTH_SIG_RSA = 10,
+	IKEV1_ESP_AUTH_AES_128_GMAC = 11,
+	IKEV1_ESP_AUTH_AES_192_GMAC = 12,
+	IKEV1_ESP_AUTH_AES_256_GMAC = 13,
+} ikev1_esp_auth_transid_it;
+
+/**
+ * IKEv1 ESP Encapsulation mode.
+ */
+typedef enum {
+  IKEV1_ENCAP_TUNNEL = 1,
+  IKEV1_ENCAP_TRANSPORT = 2,
+  IKEV1_ENCAP_UDP_TUNNEL = 3,
+  IKEV1_ENCAP_UDP_TRANSPORT = 4,
+  IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03 = 61443,
+  IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03 = 61444,
+} ikev1_esp_encap_t;
+
+/**
+ * IKEv1 Life duration types.
+ */
+typedef enum {
+	IKEV1_LIFE_TYPE_SECONDS = 1,
+	IKEV1_LIFE_TYPE_KILOBYTES = 2,
+} ikev1_life_type_t;
+
+/**
+ * IKEv1 authentication methods
+ */
+typedef enum {
+	IKEV1_AUTH_PSK = 1,
+	IKEV1_AUTH_DSS_SIG = 2,
+	IKEV1_AUTH_RSA_SIG = 3,
+	IKEV1_AUTH_RSA_ENC = 4,
+	IKEV1_AUTH_RSA_ENC_REV = 5,
+	IKEV1_AUTH_ECDSA_256 = 9,
+	IKEV1_AUTH_ECDSA_384 = 10,
+	IKEV1_AUTH_ECDSA_521 = 11,
+	/* XAuth Modes */
+	IKEV1_AUTH_XAUTH_INIT_PSK = 65001,
+	IKEV1_AUTH_XAUTH_RESP_PSK = 65002,
+	IKEV1_AUTH_XAUTH_INIT_DSS = 65003,
+	IKEV1_AUTH_XAUTH_RESP_DSS = 65004,
+	IKEV1_AUTH_XAUTH_INIT_RSA = 65005,
+	IKEV1_AUTH_XAUTH_RESP_RSA = 65006,
+	IKEV1_AUTH_XAUTH_INIT_RSA_ENC = 65007,
+	IKEV1_AUTH_XAUTH_RESP_RSA_ENC = 65008,
+	IKEV1_AUTH_XAUTH_INIT_RSA_ENC_REV = 65009,
+	IKEV1_AUTH_XAUTH_RESP_RSA_ENC_REV = 65010,
+	/* Hybrid Modes */
+	IKEV1_AUTH_HYBRID_INIT_RSA = 64221,
+	IKEV1_AUTH_HYBRID_RESP_RSA = 64222,
+	IKEV1_AUTH_HYBRID_INIT_DSS = 64223,
+	IKEV1_AUTH_HYBRID_RESP_DSS = 64224,
+} ikev1_auth_method_t;
+
+/**
+ * IKEv1 IPComp transform IDs
+ */
+typedef enum {
+	IKEV1_IPCOMP_OUI = 1,
+	IKEV1_IPCOMP_DEFLATE = 2,
+	IKEV1_IPCOMP_LZS = 3,
+} ikev1_ipcomp_transform_t;
+
 METHOD(payload_t, verify, status_t,
 	private_proposal_substructure_t *this)
 {
@@ -153,12 +326,19 @@ METHOD(payload_t, verify, status_t,
 
 	switch (this->protocol_id)
 	{
+		case PROTO_IPCOMP:
+			if (this->spi.len != 2)
+			{
+				DBG1(DBG_ENC, "invalid CPI length in IPCOMP proposal");
+				return FAILED;
+			}
+			break;
 		case PROTO_AH:
 		case PROTO_ESP:
 			if (this->spi.len != 4)
 			{
 				DBG1(DBG_ENC, "invalid SPI length in %N proposal",
-								  protocol_id_names, this->protocol_id);
+					 protocol_id_names, this->protocol_id);
 				return FAILED;
 			}
 			break;
@@ -188,18 +368,28 @@ METHOD(payload_t, verify, status_t,
 	return status;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_proposal_substructure_t *this, encoding_rule_t **rules,
-	size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_proposal_substructure_t *this, encoding_rule_t **rules)
 {
-	*rules = proposal_substructure_encodings;
-	*rule_count = countof(proposal_substructure_encodings);
+	if (this->type == PROPOSAL_SUBSTRUCTURE)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_proposal_substructure_t *this)
+{
+	return 8 + this->spi_size;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_proposal_substructure_t *this)
 {
-	return PROPOSAL_SUBSTRUCTURE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -222,7 +412,7 @@ static void compute_length(private_proposal_substructure_t *this)
 	payload_t *transform;
 
 	this->transforms_count = 0;
-	this->proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->spi.len;
+	this->proposal_length = get_header_length(this);
 	enumerator = this->transforms->create_enumerator(this->transforms);
 	while (enumerator->enumerate(enumerator, &transform))
 	{
@@ -301,45 +491,502 @@ METHOD(proposal_substructure_t, get_spi, chunk_t,
 	return this->spi;
 }
 
-METHOD(proposal_substructure_t, get_proposal, proposal_t*,
-	private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_cpi, bool,
+	private_proposal_substructure_t *this, u_int16_t *cpi)
 {
-	enumerator_t *enumerator;
+
 	transform_substructure_t *transform;
-	proposal_t *proposal;
-	u_int64_t spi;
+	enumerator_t *enumerator;
 
-	proposal = proposal_create(this->protocol_id, this->proposal_number);
+	if (this->protocol_id != PROTO_IPCOMP)
+	{
+		return FALSE;
+	}
 
 	enumerator = this->transforms->create_enumerator(this->transforms);
 	while (enumerator->enumerate(enumerator, &transform))
 	{
-		transform_type_t transform_type;
-		u_int16_t transform_id;
-		u_int16_t key_length = 0;
+		if (transform->get_transform_id(transform) == IKEV1_IPCOMP_DEFLATE)
+		{
+			if (cpi)
+			{
+				*cpi = *((u_int16_t*)this->spi.ptr);
+			}
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
 
-		transform_type = transform->get_transform_type(transform);
-		transform_id = transform->get_transform_id(transform);
-		transform->get_key_length(transform, &key_length);
+/**
+ * Add a transform to a proposal for IKEv2
+ */
+static void add_to_proposal_v2(proposal_t *proposal,
+							   transform_substructure_t *transform)
+{
+	transform_attribute_t *tattr;
+	enumerator_t *enumerator;
+	u_int16_t key_length = 0;
 
-		proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
+	enumerator = transform->create_attribute_enumerator(transform);
+	while (enumerator->enumerate(enumerator, &tattr))
+	{
+		if (tattr->get_attribute_type(tattr) == TATTR_IKEV2_KEY_LENGTH)
+		{
+			key_length = tattr->get_value(tattr);
+			break;
+		}
 	}
 	enumerator->destroy(enumerator);
 
+	proposal->add_algorithm(proposal,
+						transform->get_transform_type_or_number(transform),
+						transform->get_transform_id(transform), key_length);
+}
+
+/**
+ * Map IKEv1 to IKEv2 algorithms
+ */
+typedef struct {
+	u_int16_t ikev1;
+	u_int16_t ikev2;
+} algo_map_t;
+
+/**
+ * Encryption algorithm mapping
+ */
+static algo_map_t map_encr[] = {
+	{ IKEV1_ENCR_DES_CBC,		ENCR_DES },
+	{ IKEV1_ENCR_IDEA_CBC,		ENCR_IDEA },
+	{ IKEV1_ENCR_BLOWFISH_CBC,	ENCR_BLOWFISH },
+	{ IKEV1_ENCR_3DES_CBC,		ENCR_3DES },
+	{ IKEV1_ENCR_CAST_CBC,		ENCR_CAST },
+	{ IKEV1_ENCR_AES_CBC,		ENCR_AES_CBC },
+	{ IKEV1_ENCR_CAMELLIA_CBC,	ENCR_CAMELLIA_CBC },
+	{ IKEV1_ENCR_SERPENT_CBC,	ENCR_SERPENT_CBC },
+	{ IKEV1_ENCR_TWOFISH_CBC,	ENCR_TWOFISH_CBC },
+};
+
+/**
+ * Integrity algorithm mapping
+ */
+static algo_map_t map_integ[] = {
+	{ IKEV1_HASH_MD5,			AUTH_HMAC_MD5_96 },
+	{ IKEV1_HASH_SHA1,			AUTH_HMAC_SHA1_96 },
+	{ IKEV1_HASH_SHA2_256,		AUTH_HMAC_SHA2_256_128 },
+	{ IKEV1_HASH_SHA2_384,		AUTH_HMAC_SHA2_384_192 },
+	{ IKEV1_HASH_SHA2_512,		AUTH_HMAC_SHA2_512_256 },
+};
+
+/**
+ * PRF algorithm mapping
+ */
+static algo_map_t map_prf[] = {
+	{ IKEV1_HASH_MD5,			PRF_HMAC_MD5 },
+	{ IKEV1_HASH_SHA1,			PRF_HMAC_SHA1 },
+	{ IKEV1_HASH_SHA2_256,		PRF_HMAC_SHA2_256 },
+	{ IKEV1_HASH_SHA2_384,		PRF_HMAC_SHA2_384 },
+	{ IKEV1_HASH_SHA2_512,		PRF_HMAC_SHA2_512 },
+};
+
+/**
+ * ESP encryption algorithm mapping
+ */
+static algo_map_t map_esp_encr[] = {
+	{ IKEV1_ESP_ENCR_DES_IV64,				ENCR_DES_IV64 },
+	{ IKEV1_ESP_ENCR_DES,					ENCR_DES },
+	{ IKEV1_ESP_ENCR_3DES,					ENCR_3DES },
+	{ IKEV1_ESP_ENCR_RC5,					ENCR_RC5 },
+	{ IKEV1_ESP_ENCR_IDEA,					ENCR_IDEA },
+	{ IKEV1_ESP_ENCR_CAST,					ENCR_CAST },
+	{ IKEV1_ESP_ENCR_BLOWFISH,				ENCR_BLOWFISH },
+	{ IKEV1_ESP_ENCR_3IDEA,					ENCR_3IDEA },
+	{ IKEV1_ESP_ENCR_DES_IV32,				ENCR_DES_IV32 },
+	{ IKEV1_ESP_ENCR_NULL,					ENCR_NULL },
+	{ IKEV1_ESP_ENCR_AES_CBC,				ENCR_AES_CBC },
+	{ IKEV1_ESP_ENCR_AES_CTR,				ENCR_AES_CTR },
+	{ IKEV1_ESP_ENCR_AES_CCM_8,				ENCR_AES_CCM_ICV8 },
+	{ IKEV1_ESP_ENCR_AES_CCM_12,			ENCR_AES_CCM_ICV12 },
+	{ IKEV1_ESP_ENCR_AES_CCM_16,			ENCR_AES_CCM_ICV16 },
+	{ IKEV1_ESP_ENCR_AES_GCM_8,				ENCR_AES_GCM_ICV8 },
+	{ IKEV1_ESP_ENCR_AES_GCM_12,			ENCR_AES_GCM_ICV12 },
+	{ IKEV1_ESP_ENCR_AES_GCM_16,			ENCR_AES_GCM_ICV16 },
+	{ IKEV1_ESP_ENCR_CAMELLIA,				ENCR_CAMELLIA_CBC },
+	{ IKEV1_ESP_ENCR_NULL_AUTH_AES_GMAC,	ENCR_NULL_AUTH_AES_GMAC },
+	{ IKEV1_ESP_ENCR_SERPENT,				ENCR_SERPENT_CBC },
+	{ IKEV1_ESP_ENCR_TWOFISH,				ENCR_TWOFISH_CBC },
+};
+
+/**
+ * ESP authentication algorithm mapping
+ */
+static algo_map_t map_esp_auth[] = {
+	{ IKEV1_ESP_AUTH_HMAC_MD5,			AUTH_HMAC_MD5_96 },
+	{ IKEV1_ESP_AUTH_HMAC_SHA,			AUTH_HMAC_SHA1_96 },
+	{ IKEV1_ESP_AUTH_DES_MAC,			AUTH_DES_MAC },
+	{ IKEV1_ESP_AUTH_KPDK,				AUTH_KPDK_MD5 },
+	{ IKEV1_ESP_AUTH_HMAC_SHA2_256,		AUTH_HMAC_SHA2_256_128 },
+	{ IKEV1_ESP_AUTH_HMAC_SHA2_384,		AUTH_HMAC_SHA2_384_192 },
+	{ IKEV1_ESP_AUTH_HMAC_SHA2_512,		AUTH_HMAC_SHA2_512_256 },
+	{ IKEV1_ESP_AUTH_AES_XCBC_MAC,		AUTH_AES_XCBC_96 },
+	{ IKEV1_ESP_AUTH_AES_128_GMAC,		AUTH_AES_128_GMAC },
+	{ IKEV1_ESP_AUTH_AES_192_GMAC,		AUTH_AES_192_GMAC },
+	{ IKEV1_ESP_AUTH_AES_256_GMAC,		AUTH_AES_256_GMAC },
+};
+
+/**
+ * Get IKEv2 algorithm from IKEv1 identifier
+ */
+static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
+{
+	algo_map_t *map;
+	u_int16_t def;
+	int i, count;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			map = map_encr;
+			count = countof(map_encr);
+			def = ENCR_UNDEFINED;
+			break;
+		case INTEGRITY_ALGORITHM:
+			map = map_integ;
+			count = countof(map_integ);
+			def = AUTH_UNDEFINED;
+			break;
+		case PSEUDO_RANDOM_FUNCTION:
+			map = map_prf;
+			count = countof(map_prf);
+			def = PRF_UNDEFINED;
+			break;
+		default:
+			return 0;
+	}
+	for (i = 0; i < count; i++)
+	{
+		if (map[i].ikev1 == value)
+		{
+			return map[i].ikev2;
+		}
+	}
+	return def;
+}
+
+/**
+ * Get IKEv1 algorithm from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
+{
+	algo_map_t *map;
+	int i, count;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			map = map_encr;
+			count = countof(map_encr);
+			break;
+		case INTEGRITY_ALGORITHM:
+			map = map_integ;
+			count = countof(map_integ);
+			break;
+		case PSEUDO_RANDOM_FUNCTION:
+			map = map_prf;
+			count = countof(map_prf);
+			break;
+		default:
+			return 0;
+	}
+	for (i = 0; i < count; i++)
+	{
+		if (map[i].ikev2 == value)
+		{
+			return map[i].ikev1;
+		}
+	}
+	return 0;
+}
+
+/**
+ * Get IKEv2 algorithm from IKEv1 ESP transaction ID
+ */
+static u_int16_t get_alg_from_ikev1_transid(transform_type_t type, u_int16_t value)
+{
+	algo_map_t *map;
+	u_int16_t def;
+	int i, count;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			map = map_esp_encr;
+			count = countof(map_esp_encr);
+			def = ENCR_UNDEFINED;
+			break;
+		case INTEGRITY_ALGORITHM:
+			map = map_esp_auth;
+			count = countof(map_esp_auth);
+			def = AUTH_UNDEFINED;
+			break;
+		default:
+			return 0;
+	}
+	for (i = 0; i < count; i++)
+	{
+		if (map[i].ikev1 == value)
+		{
+			return map[i].ikev2;
+		}
+	}
+	return def;
+}
+
+/**
+ * Get IKEv1 ESP transaction ID from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_transid_from_alg(transform_type_t type, u_int16_t value)
+{
+	algo_map_t *map;
+	int i, count;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			map = map_esp_encr;
+			count = countof(map_esp_encr);
+			break;
+		case INTEGRITY_ALGORITHM:
+			map = map_esp_auth;
+			count = countof(map_esp_auth);
+			break;
+		default:
+			return 0;
+	}
+	for (i = 0; i < count; i++)
+	{
+		if (map[i].ikev2 == value)
+		{
+			return map[i].ikev1;
+		}
+	}
+	return 0;
+}
+/**
+ * Get IKEv1 authentication attribute from auth_method_t
+ */
+static u_int16_t get_ikev1_auth(auth_method_t method)
+{
+	switch (method)
+	{
+		case AUTH_RSA:
+			return IKEV1_AUTH_RSA_SIG;
+		case AUTH_DSS:
+			return IKEV1_AUTH_DSS_SIG;
+		case AUTH_XAUTH_INIT_PSK:
+			return IKEV1_AUTH_XAUTH_INIT_PSK;
+		case AUTH_XAUTH_RESP_PSK:
+			return IKEV1_AUTH_XAUTH_RESP_PSK;
+		case AUTH_XAUTH_INIT_RSA:
+			return IKEV1_AUTH_XAUTH_INIT_RSA;
+		case AUTH_XAUTH_RESP_RSA:
+			return IKEV1_AUTH_XAUTH_RESP_RSA;
+		case AUTH_HYBRID_INIT_RSA:
+			return IKEV1_AUTH_HYBRID_INIT_RSA;
+		case AUTH_HYBRID_RESP_RSA:
+			return IKEV1_AUTH_HYBRID_RESP_RSA;
+		case AUTH_ECDSA_256:
+			return IKEV1_AUTH_ECDSA_256;
+		case AUTH_ECDSA_384:
+			return IKEV1_AUTH_ECDSA_384;
+		case AUTH_ECDSA_521:
+			return IKEV1_AUTH_ECDSA_521;
+		case AUTH_PSK:
+		default:
+			return IKEV1_AUTH_PSK;
+	}
+}
+
+/**
+ * Get IKEv1 encapsulation mode
+ */
+static u_int16_t get_ikev1_mode(ipsec_mode_t mode, encap_t udp)
+{
+	switch (mode)
+	{
+		case MODE_TUNNEL:
+			switch (udp)
+			{
+				case ENCAP_UDP:
+					return IKEV1_ENCAP_UDP_TUNNEL;
+				case ENCAP_UDP_DRAFT_00_03:
+					return IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03;
+				default:
+					return IKEV1_ENCAP_TUNNEL;
+			}
+		case MODE_TRANSPORT:
+			switch (udp)
+			{
+				case ENCAP_UDP:
+					return IKEV1_ENCAP_UDP_TRANSPORT;
+				case ENCAP_UDP_DRAFT_00_03:
+					return IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03;
+				default:
+					return IKEV1_ENCAP_TRANSPORT;
+			}
+		default:
+			return IKEV1_ENCAP_TUNNEL;
+	}
+}
+
+/**
+ * Add an IKE transform to a proposal for IKEv1
+ */
+static void add_to_proposal_v1_ike(proposal_t *proposal,
+								   transform_substructure_t *transform)
+{
+	transform_attribute_type_t type;
+	transform_attribute_t *tattr;
+	enumerator_t *enumerator;
+	u_int16_t value, key_length = 0;
+	u_int16_t encr = ENCR_UNDEFINED;
+
+	enumerator = transform->create_attribute_enumerator(transform);
+	while (enumerator->enumerate(enumerator, &tattr))
+	{
+		type = tattr->get_attribute_type(tattr);
+		value = tattr->get_value(tattr);
+		switch (type)
+		{
+			case TATTR_PH1_ENCRYPTION_ALGORITHM:
+				encr = get_alg_from_ikev1(ENCRYPTION_ALGORITHM, value);
+				break;
+			case TATTR_PH1_KEY_LENGTH:
+				key_length = value;
+				break;
+			case TATTR_PH1_HASH_ALGORITHM:
+				proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
+						get_alg_from_ikev1(INTEGRITY_ALGORITHM, value), 0);
+				proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION,
+						get_alg_from_ikev1(PSEUDO_RANDOM_FUNCTION, value), 0);
+				break;
+			case TATTR_PH1_GROUP:
+				proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+						value, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (encr != ENCR_UNDEFINED)
+	{
+		proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, key_length);
+	}
+}
+
+/**
+ * Add an ESP transform to a proposal for IKEv1
+ */
+static void add_to_proposal_v1_esp(proposal_t *proposal,
+								   transform_substructure_t *transform)
+{
+	transform_attribute_type_t type;
+	transform_attribute_t *tattr;
+	enumerator_t *enumerator;
+	u_int16_t encr, value, key_length = 0;
+
+	enumerator = transform->create_attribute_enumerator(transform);
+	while (enumerator->enumerate(enumerator, &tattr))
+	{
+		type = tattr->get_attribute_type(tattr);
+		value = tattr->get_value(tattr);
+		switch (type)
+		{
+			case TATTR_PH2_KEY_LENGTH:
+				key_length = value;
+				break;
+			case TATTR_PH2_AUTH_ALGORITHM:
+				proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
+						get_alg_from_ikev1_transid(INTEGRITY_ALGORITHM,
+												   value), 0);
+				break;
+			case TATTR_PH2_GROUP:
+				proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+						value, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* TODO-IKEv1: handle ESN attribute */
+	proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
+							NO_EXT_SEQ_NUMBERS, 0);
+	encr = get_alg_from_ikev1_transid(ENCRYPTION_ALGORITHM,
+									  transform->get_transform_id(transform));
+	if (encr)
+	{
+		proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr,
+								key_length);
+	}
+}
+
+METHOD(proposal_substructure_t, get_proposals, void,
+	private_proposal_substructure_t *this, linked_list_t *proposals)
+{
+	transform_substructure_t *transform;
+	enumerator_t *enumerator;
+	proposal_t *proposal = NULL;
+	u_int64_t spi = 0;
+
 	switch (this->spi.len)
 	{
 		case 4:
-			spi = *((u_int32_t*)this->spi.ptr);
+			spi =  *((u_int32_t*)this->spi.ptr);
 			break;
 		case 8:
 			spi = *((u_int64_t*)this->spi.ptr);
 			break;
 		default:
-			spi = 0;
+			break;
 	}
-	proposal->set_spi(proposal, spi);
 
-	return proposal;
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &transform))
+	{
+		if (!proposal)
+		{
+			proposal = proposal_create(this->protocol_id, this->proposal_number);
+			proposal->set_spi(proposal, spi);
+			proposals->insert_last(proposals, proposal);
+		}
+		if (this->type == PROPOSAL_SUBSTRUCTURE)
+		{
+			add_to_proposal_v2(proposal, transform);
+		}
+		else
+		{
+			switch (this->protocol_id)
+			{
+				case PROTO_IKE:
+					add_to_proposal_v1_ike(proposal, transform);
+					break;
+				case PROTO_ESP:
+					add_to_proposal_v1_esp(proposal, transform);
+					break;
+				default:
+					break;
+			}
+			/* create a new proposal for each transform in IKEv1 */
+			proposal = NULL;
+		}
+	}
+	enumerator->destroy(enumerator);
 }
 
 METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*,
@@ -348,11 +995,172 @@ METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*,
 	return this->transforms->create_enumerator(this->transforms);
 }
 
+/**
+ * Get an attribute from any transform, 0 if not found
+ */
+static u_int64_t get_attr(private_proposal_substructure_t *this,
+						  transform_attribute_type_t type)
+{
+	enumerator_t *transforms, *attributes;
+	transform_substructure_t *transform;
+	transform_attribute_t *attr;
+
+	transforms = this->transforms->create_enumerator(this->transforms);
+	while (transforms->enumerate(transforms, &transform))
+	{
+		attributes = transform->create_attribute_enumerator(transform);
+		while (attributes->enumerate(attributes, &attr))
+		{
+			if (attr->get_attribute_type(attr) == type)
+			{
+				attributes->destroy(attributes);
+				transforms->destroy(transforms);
+				return attr->get_value(attr);
+			}
+		}
+		attributes->destroy(attributes);
+	}
+	transforms->destroy(transforms);
+	return 0;
+}
+
+/**
+ * Look up a lifetime duration of a given kind in all transforms
+ */
+static u_int64_t get_life_duration(private_proposal_substructure_t *this,
+				transform_attribute_type_t type_attr, ikev1_life_type_t type,
+				transform_attribute_type_t dur_attr)
+{
+	enumerator_t *transforms, *attributes;
+	transform_substructure_t *transform;
+	transform_attribute_t *attr;
+
+	transforms = this->transforms->create_enumerator(this->transforms);
+	while (transforms->enumerate(transforms, &transform))
+	{
+		attributes = transform->create_attribute_enumerator(transform);
+		while (attributes->enumerate(attributes, &attr))
+		{
+			if (attr->get_attribute_type(attr) == type_attr &&
+				attr->get_value(attr) == type)
+			{	/* got type attribute, look for duration following next */
+				while (attributes->enumerate(attributes, &attr))
+				{
+					if (attr->get_attribute_type(attr) == dur_attr)
+					{
+						attributes->destroy(attributes);
+						transforms->destroy(transforms);
+						return attr->get_value(attr);
+					}
+				}
+			}
+		}
+		attributes->destroy(attributes);
+	}
+	transforms->destroy(transforms);
+	return 0;
+}
+
+METHOD(proposal_substructure_t, get_lifetime, u_int32_t,
+	private_proposal_substructure_t *this)
+{
+	u_int32_t duration;
+
+	switch (this->protocol_id)
+	{
+		case PROTO_IKE:
+			return get_life_duration(this, TATTR_PH1_LIFE_TYPE,
+						IKEV1_LIFE_TYPE_SECONDS, TATTR_PH1_LIFE_DURATION);
+		case PROTO_ESP:
+			duration = get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
+						IKEV1_LIFE_TYPE_SECONDS, TATTR_PH2_SA_LIFE_DURATION);
+			if (!duration)
+			{	/* default to 8 hours, RFC 2407 */
+				return 28800;
+			}
+			return duration;
+		default:
+			return 0;
+	}
+}
+
+METHOD(proposal_substructure_t, get_lifebytes, u_int64_t,
+	private_proposal_substructure_t *this)
+{
+	switch (this->protocol_id)
+	{
+		case PROTO_ESP:
+			return 1000 * get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
+					IKEV1_LIFE_TYPE_KILOBYTES, TATTR_PH2_SA_LIFE_DURATION);
+		case PROTO_IKE:
+		default:
+			return 0;
+	}
+}
+
+METHOD(proposal_substructure_t, get_auth_method, auth_method_t,
+	private_proposal_substructure_t *this)
+{
+	switch (get_attr(this, TATTR_PH1_AUTH_METHOD))
+	{
+		case IKEV1_AUTH_PSK:
+			return AUTH_PSK;
+		case IKEV1_AUTH_RSA_SIG:
+			return AUTH_RSA;
+		case IKEV1_AUTH_DSS_SIG:
+			return AUTH_DSS;
+		case IKEV1_AUTH_XAUTH_INIT_PSK:
+			return AUTH_XAUTH_INIT_PSK;
+		case IKEV1_AUTH_XAUTH_RESP_PSK:
+			return AUTH_XAUTH_RESP_PSK;
+		case IKEV1_AUTH_XAUTH_INIT_RSA:
+			return AUTH_XAUTH_INIT_RSA;
+		case IKEV1_AUTH_XAUTH_RESP_RSA:
+			return AUTH_XAUTH_RESP_RSA;
+		case IKEV1_AUTH_HYBRID_INIT_RSA:
+			return AUTH_HYBRID_INIT_RSA;
+		case IKEV1_AUTH_HYBRID_RESP_RSA:
+			return AUTH_HYBRID_RESP_RSA;
+		case IKEV1_AUTH_ECDSA_256:
+			return AUTH_ECDSA_256;
+		case IKEV1_AUTH_ECDSA_384:
+			return AUTH_ECDSA_384;
+		case IKEV1_AUTH_ECDSA_521:
+			return AUTH_ECDSA_521;
+		default:
+			return AUTH_NONE;
+	}
+}
+
+METHOD(proposal_substructure_t, get_encap_mode, ipsec_mode_t,
+	private_proposal_substructure_t *this, bool *udp)
+{
+	*udp = FALSE;
+	switch (get_attr(this, TATTR_PH2_ENCAP_MODE))
+	{
+		case IKEV1_ENCAP_TRANSPORT:
+			return MODE_TRANSPORT;
+		case IKEV1_ENCAP_TUNNEL:
+			return MODE_TUNNEL;
+		case IKEV1_ENCAP_UDP_TRANSPORT:
+		case IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03:
+			*udp = TRUE;
+			return MODE_TRANSPORT;
+		case IKEV1_ENCAP_UDP_TUNNEL:
+		case IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03:
+			*udp = TRUE;
+			return MODE_TUNNEL;
+		default:
+			/* default to TUNNEL, RFC 2407 says implementation specific */
+			return MODE_TUNNEL;
+	}
+}
+
 METHOD2(payload_t, proposal_substructure_t, destroy, void,
 	private_proposal_substructure_t *this)
 {
 	this->transforms->destroy_offset(this->transforms,
-									 offsetof(transform_substructure_t, destroy));
+									 offsetof(payload_t, destroy));
 	chunk_free(&this->spi);
 	free(this);
 }
@@ -360,7 +1168,7 @@ METHOD2(payload_t, proposal_substructure_t, destroy, void,
 /*
  * Described in header.
  */
-proposal_substructure_t *proposal_substructure_create()
+proposal_substructure_t *proposal_substructure_create(payload_type_t type)
 {
 	private_proposal_substructure_t *this;
 
@@ -369,6 +1177,7 @@ proposal_substructure_t *proposal_substructure_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -380,39 +1189,199 @@ proposal_substructure_t *proposal_substructure_create()
 			.set_protocol_id = _set_protocol_id,
 			.get_protocol_id = _get_protocol_id,
 			.set_is_last_proposal = _set_is_last_proposal,
-			.get_proposal = _get_proposal,
+			.get_proposals = _get_proposals,
 			.create_substructure_enumerator = _create_substructure_enumerator,
 			.set_spi = _set_spi,
 			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.get_lifetime = _get_lifetime,
+			.get_lifebytes = _get_lifebytes,
+			.get_auth_method = _get_auth_method,
+			.get_encap_mode = _get_encap_mode,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH,
 		.transforms = linked_list_create(),
+		.type = type,
 	);
+	compute_length(this);
 
 	return &this->public;
 }
 
-/*
- * Described in header.
+/**
+ * Add an IKEv1 IKE proposal to the substructure
  */
-proposal_substructure_t *proposal_substructure_create_from_proposal(
-														proposal_t *proposal)
+static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
+									 proposal_t *proposal, u_int32_t lifetime,
+									 auth_method_t method, int number)
 {
 	transform_substructure_t *transform;
-	private_proposal_substructure_t *this;
 	u_int16_t alg, key_size;
 	enumerator_t *enumerator;
 
-	this = (private_proposal_substructure_t*)proposal_substructure_create();
+	transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
+												number, IKEV1_TRANSID_KEY_IKE);
+
+	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		alg = get_ikev1_from_alg(ENCRYPTION_ALGORITHM, alg);
+		if (alg)
+		{
+			transform->add_transform_attribute(transform,
+				transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+									TATTR_PH1_ENCRYPTION_ALGORITHM, alg));
+			if (key_size)
+			{
+				transform->add_transform_attribute(transform,
+					transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+										TATTR_PH1_KEY_LENGTH, key_size));
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* encode the integrity algorithm as hash and assume use the same PRF */
+	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
+	while (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg);
+		if (alg)
+		{
+			transform->add_transform_attribute(transform,
+				transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+									TATTR_PH1_HASH_ALGORITHM, alg));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
+	if (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+								TATTR_PH1_GROUP, alg));
+	}
+	enumerator->destroy(enumerator);
+
+	transform->add_transform_attribute(transform,
+		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH1_AUTH_METHOD, get_ikev1_auth(method)));
+	transform->add_transform_attribute(transform,
+		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH1_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
+	transform->add_transform_attribute(transform,
+		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH1_LIFE_DURATION, lifetime));
+
+	add_transform_substructure(this, transform);
+}
+
+/**
+ * Add an IKEv1 ESP proposal to the substructure
+ */
+static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
+				proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
+				ipsec_mode_t mode, encap_t udp, int number)
+{
+	transform_substructure_t *transform = NULL;
+	u_int16_t alg, key_size;
+	enumerator_t *enumerator;
+
+	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
+	if (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		alg = get_ikev1_transid_from_alg(ENCRYPTION_ALGORITHM, alg);
+		if (alg)
+		{
+			transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
+														   number, alg);
+			if (key_size)
+			{
+				transform->add_transform_attribute(transform,
+					transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+											TATTR_PH2_KEY_LENGTH, key_size));
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!transform)
+	{
+		return;
+	}
+
+	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
+	if (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		alg = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
+		if (alg)
+		{
+			transform->add_transform_attribute(transform,
+				transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+									TATTR_PH2_AUTH_ALGORITHM, alg));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
+	if (enumerator->enumerate(enumerator, &alg, &key_size))
+	{
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+									TATTR_PH2_GROUP, alg));
+	}
+	enumerator->destroy(enumerator);
+
+	transform->add_transform_attribute(transform,
+		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp)));
+	if (lifetime)
+	{
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_DURATION, lifetime));
+	}
+	if (lifebytes)
+	{
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_KILOBYTES));
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000));
+	}
+
+	add_transform_substructure(this, transform);
+}
+
+/**
+ * Add an IKEv2 proposal to the substructure
+ */
+static void set_from_proposal_v2(private_proposal_substructure_t *this,
+								 proposal_t *proposal)
+{
+	transform_substructure_t *transform;
+	u_int16_t alg, key_size;
+	enumerator_t *enumerator;
 
 	/* encryption algorithm is only available in ESP */
 	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		transform = transform_substructure_create_type(ENCRYPTION_ALGORITHM,
-													   alg, key_size);
+		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+												ENCRYPTION_ALGORITHM, alg);
+		if (key_size)
+		{
+			transform->add_transform_attribute(transform,
+				transform_attribute_create_value(TRANSFORM_ATTRIBUTE,
+											TATTR_IKEV2_KEY_LENGTH, key_size));
+		}
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
@@ -421,8 +1390,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
 	enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		transform = transform_substructure_create_type(INTEGRITY_ALGORITHM,
-													   alg, key_size);
+		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+												INTEGRITY_ALGORITHM, alg);
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
@@ -431,8 +1400,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
 	enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
-		transform = transform_substructure_create_type(PSEUDO_RANDOM_FUNCTION,
-													   alg, key_size);
+		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+												PSEUDO_RANDOM_FUNCTION, alg);
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
@@ -441,8 +1410,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
 	enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
 	while (enumerator->enumerate(enumerator, &alg, NULL))
 	{
-		transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP,
-													   alg, 0);
+		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+												DIFFIE_HELLMAN_GROUP, alg);
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
@@ -451,27 +1420,36 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
 	enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
 	while (enumerator->enumerate(enumerator, &alg, NULL))
 	{
-		transform = transform_substructure_create_type(EXTENDED_SEQUENCE_NUMBERS,
-													   alg, 0);
+		transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+												EXTENDED_SEQUENCE_NUMBERS, alg);
 		add_transform_substructure(this, transform);
 	}
 	enumerator->destroy(enumerator);
+}
+
+/**
+ * Set SPI and other data from proposal, compute length
+ */
+static void set_data(private_proposal_substructure_t *this, proposal_t *proposal)
+{
+	u_int64_t spi64;
+	u_int32_t spi32;
 
 	/* add SPI, if necessary */
 	switch (proposal->get_protocol(proposal))
 	{
 		case PROTO_AH:
 		case PROTO_ESP:
-			this->spi_size = this->spi.len = 4;
-			this->spi.ptr = malloc(this->spi_size);
-			*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
+			spi32 = proposal->get_spi(proposal);
+			this->spi = chunk_clone(chunk_from_thing(spi32));
+			this->spi_size = this->spi.len;
 			break;
 		case PROTO_IKE:
-			if (proposal->get_spi(proposal))
+			spi64 = proposal->get_spi(proposal);
+			if (spi64)
 			{	/* IKE only uses SPIS when rekeying, but on initial setup */
-				this->spi_size = this->spi.len = 8;
-				this->spi.ptr = malloc(this->spi_size);
-				*((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal);
+				this->spi = chunk_clone(chunk_from_thing(spi64));
+				this->spi_size = this->spi.len;
 			}
 			break;
 		default:
@@ -480,6 +1458,144 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
 	this->proposal_number = proposal->get_number(proposal);
 	this->protocol_id = proposal->get_protocol(proposal);
 	compute_length(this);
+}
+
+/*
+ * Described in header.
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
+														proposal_t *proposal)
+{
+	private_proposal_substructure_t *this;
+
+	this = (private_proposal_substructure_t*)
+							proposal_substructure_create(SECURITY_ASSOCIATION);
+	set_from_proposal_v2(this, proposal);
+	set_data(this, proposal);
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
+			proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp)
+{
+	private_proposal_substructure_t *this;
+
+	this = (private_proposal_substructure_t*)
+						proposal_substructure_create(PROPOSAL_SUBSTRUCTURE_V1);
+	switch (proposal->get_protocol(proposal))
+	{
+		case PROTO_IKE:
+			set_from_proposal_v1_ike(this, proposal, lifetime, auth, 1);
+			break;
+		case PROTO_ESP:
+			set_from_proposal_v1_esp(this, proposal, lifetime,
+									 lifebytes, mode, udp, 1);
+			break;
+		default:
+			break;
+	}
+	set_data(this, proposal);
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
+			linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp)
+{
+	private_proposal_substructure_t *this = NULL;
+	enumerator_t *enumerator;
+	proposal_t *proposal;
+	int number = 0;
+
+	enumerator = proposals->create_enumerator(proposals);
+	while (enumerator->enumerate(enumerator, &proposal))
+	{
+		if (!this)
+		{
+			this = (private_proposal_substructure_t*)
+						proposal_substructure_create_from_proposal_v1(
+								proposal, lifetime, lifebytes, auth, mode, udp);
+			++number;
+		}
+		else
+		{
+			switch (proposal->get_protocol(proposal))
+			{
+				case PROTO_IKE:
+					set_from_proposal_v1_ike(this, proposal, lifetime,
+											 auth, ++number);
+					break;
+				case PROTO_ESP:
+					set_from_proposal_v1_esp(this, proposal, lifetime,
+											 lifebytes, mode, udp, ++number);
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
+			u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi,
+			ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number)
+{
+	private_proposal_substructure_t *this;
+	transform_substructure_t *transform;
+
+
+	this = (private_proposal_substructure_t*)
+						proposal_substructure_create(PROPOSAL_SUBSTRUCTURE_V1);
+
+	/* we currently support DEFLATE only */
+	transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
+												   1, IKEV1_IPCOMP_DEFLATE);
+
+	transform->add_transform_attribute(transform,
+		transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp)));
+	if (lifetime)
+	{
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_DURATION, lifetime));
+	}
+	if (lifebytes)
+	{
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_KILOBYTES));
+		transform->add_transform_attribute(transform,
+			transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+							TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000));
+	}
+
+	add_transform_substructure(this, transform);
+
+	this->spi = chunk_clone(chunk_from_thing(cpi));
+	this->spi_size = this->spi.len;
+	this->protocol_id = PROTO_IPCOMP;
+	this->proposal_number = proposal_number;
+
+	compute_length(this);
 
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index d0ba1fd2a..c8e7adfd8 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -22,24 +23,28 @@
 #ifndef PROPOSAL_SUBSTRUCTURE_H_
 #define PROPOSAL_SUBSTRUCTURE_H_
 
+typedef enum encap_t encap_t;
 typedef struct proposal_substructure_t proposal_substructure_t;
 
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/transform_substructure.h>
 #include <config/proposal.h>
-#include <utils/linked_list.h>
-
+#include <collections/linked_list.h>
+#include <kernel/kernel_ipsec.h>
+#include <sa/authenticator.h>
 
 /**
- * Length of the proposal substructure header (without spi).
+ * Encap type for proposal substructure
  */
-#define PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH 8
+enum encap_t {
+	ENCAP_NONE = 0,
+	ENCAP_UDP,
+	ENCAP_UDP_DRAFT_00_03,
+};
 
 /**
- * Class representing an IKEv2-PROPOSAL SUBSTRUCTURE.
- *
- * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
+ * Class representing an IKEv1/IKEv2 proposal substructure.
  */
 struct proposal_substructure_t {
 
@@ -58,7 +63,7 @@ struct proposal_substructure_t {
 	/**
 	 * get proposal number of current proposal.
 	 *
-	 * @return 			proposal number of current proposal substructure.
+	 * @return			proposal number of current proposal substructure.
 	 */
 	u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
 
@@ -73,7 +78,7 @@ struct proposal_substructure_t {
 	/**
 	 * get protocol id of current proposal.
 	 *
-	 * @return 			protocol id of current proposal substructure.
+	 * @return			protocol id of current proposal substructure.
 	 */
 	u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
 
@@ -90,7 +95,7 @@ struct proposal_substructure_t {
 	/**
 	 * Returns the currently set SPI of this proposal.
 	 *
-	 * @return 			chunk_t pointing to the value
+	 * @return			chunk_t pointing to the value
 	 */
 	chunk_t (*get_spi) (proposal_substructure_t *this);
 
@@ -104,11 +109,19 @@ struct proposal_substructure_t {
 	void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
 
 	/**
-	 * Get a proposal_t from the propsal_substructure_t.
+	 * Gets the CPI of the current proposal (IKEv1 only).
 	 *
-	 * @return			proposal_t
+	 * @param cpi		the CPI if a supported algorithm is proposed
+	 * @return			TRUE if a supported algorithm is proposed
 	 */
-	proposal_t * (*get_proposal) (proposal_substructure_t *this);
+	bool (*get_cpi) (proposal_substructure_t *this, u_int16_t *cpi);
+
+	/**
+	 * Get proposals contained in a propsal_substructure_t.
+	 *
+	 * @param list		list to add created proposals to
+	 */
+	void (*get_proposals) (proposal_substructure_t *this, linked_list_t *list);
 
 	/**
 	 * Create an enumerator over transform substructures.
@@ -118,6 +131,35 @@ struct proposal_substructure_t {
 	enumerator_t* (*create_substructure_enumerator)(proposal_substructure_t *this);
 
 	/**
+	 * Get the (shortest) lifetime of a proposal (IKEv1 only).
+	 *
+	 * @return					lifetime, in seconds
+	 */
+	u_int32_t (*get_lifetime)(proposal_substructure_t *this);
+
+	/**
+	 * Get the (shortest) life duration of a proposal (IKEv1 only).
+	 *
+	 * @return					life duration, in bytes
+	 */
+	u_int64_t (*get_lifebytes)(proposal_substructure_t *this);
+
+	/**
+	 * Get the first authentication method from the proposal (IKEv1 only).
+	 *
+	 * @return					auth method, or AUTH_NONE
+	 */
+	auth_method_t (*get_auth_method)(proposal_substructure_t *this);
+
+	/**
+	 * Get the (first) encapsulation mode from a proposal (IKEv1 only).
+	 *
+	 * @param udp				set to TRUE if UDP encapsulation used
+	 * @return					ipsec encapsulation mode
+	 */
+	ipsec_mode_t (*get_encap_mode)(proposal_substructure_t *this, bool *udp);
+
+	/**
 	 * Destroys an proposal_substructure_t object.
 	 */
 	void (*destroy) (proposal_substructure_t *this);
@@ -126,17 +168,63 @@ struct proposal_substructure_t {
 /**
  * Creates an empty proposal_substructure_t object
  *
- * @return proposal_substructure_t object
+ * @param type		PROPOSAL_SUBSTRUCTURE or PROPOSAL_SUBSTRUCTURE_V1
+ * @return			proposal_substructure_t object
  */
-proposal_substructure_t *proposal_substructure_create(void);
+proposal_substructure_t *proposal_substructure_create(payload_type_t type);
 
 /**
- * Creates a proposal_substructure_t from a proposal_t.
+ * Creates an IKEv2 proposal_substructure_t from a proposal_t.
  *
- * @param proposal		proposal to build a substruct out of it
- * @return 				proposal_substructure_t object
+ * @param proposal	proposal to build a substruct out of it
+ * @return			proposal_substructure_t PROPOSAL_SUBSTRUCTURE
  */
-proposal_substructure_t *proposal_substructure_create_from_proposal(
+proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
 														proposal_t *proposal);
+/**
+ * Creates an IKEv1 proposal_substructure_t from a proposal_t.
+ *
+ * @param proposal	proposal to build a substruct out of it
+ * @param lifetime	lifetime in seconds
+ * @param lifebytes	lifebytes, in bytes
+ * @param auth		authentication method to use, or AUTH_NONE
+ * @param mode		IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp		ENCAP_UDP to use UDP encapsulation
+ * @return			proposal_substructure_t object PROPOSAL_SUBSTRUCTURE_V1
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
+			proposal_t *proposal,  u_int32_t lifetime, u_int64_t lifebytes,
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp);
+
+/**
+ * Creates an IKEv1 proposal_substructure_t from a list of proposal_t.
+ *
+ * @param proposals	list of proposal_t to encode in a substructure
+ * @param lifetime	lifetime in seconds
+ * @param lifebytes	lifebytes, in bytes
+ * @param auth		authentication method to use, or AUTH_NONE
+ * @param mode		IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp		ENCAP_UDP to use UDP encapsulation
+ * @return			IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
+			linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
+			auth_method_t auth, ipsec_mode_t mode, encap_t udp);
+
+/**
+ * Creates an IKEv1 proposal_substructure_t for IPComp with the given
+ * proposal_number (e.g. of a ESP proposal to bundle them).
+ *
+ * @param lifetime			lifetime in seconds
+ * @param lifebytes			lifebytes, in bytes
+ * @param cpi				the CPI to be used
+ * @param mode				IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp				ENCAP_UDP to use UDP encapsulation
+ * @param proposal_number	the proposal number of the proposal to be linked
+ * @return					IKEv1 proposal_substructure_t PROPOSAL_SUBSTRUCTURE_V1
+ */
+proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
+			u_int32_t lifetime, u_int64_t lifebytes, u_int16_t cpi,
+			ipsec_mode_t mode, encap_t udp, u_int8_t proposal_number);
 
 #endif /** PROPOSAL_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index 010f63cfd..613412014 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -19,9 +20,11 @@
 #include "sa_payload.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <daemon.h>
 
+/* IKEv1 situation */
+#define SIT_IDENTITY_ONLY 1
 
 typedef struct private_sa_payload_t private_sa_payload_t;
 
@@ -48,7 +51,7 @@ struct private_sa_payload_t {
 	/**
 	 * Reserved bits
 	 */
-	bool reserved[7];
+	bool reserved[8];
 
 	/**
 	 * Length of this payload.
@@ -58,21 +61,75 @@ struct private_sa_payload_t {
 	/**
 	 * Proposals in this payload are stored in a linked_list_t.
 	 */
-	linked_list_t * proposals;
+	linked_list_t *proposals;
+
+	/**
+	 * Type of this payload, V1 or V2
+	 */
+	payload_type_t type;
+
+	/**
+	 * IKEv1 DOI
+	 */
+	u_int32_t doi;
+
+	/**
+	 * IKEv1 situation
+	 */
+	u_int32_t situation;
 };
 
 /**
- * Encoding rules to parse or generate a IKEv2-SA Payload
- *
- * The defined offsets are the positions in a object of type
- * private_sa_payload_t.
+ * Encoding rules for IKEv1 SA payload
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_sa_payload_t, next_payload)	},
+	/* 8 reserved bits */
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[0])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[1])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[2])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[3])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[4])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[5])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[6])			},
+	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[7])			},
+	/* Length of the whole SA payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_sa_payload_t, payload_length)	},
+	/* DOI*/
+	{ U_INT_32,			offsetof(private_sa_payload_t, doi)				},
+	/* Situation*/
+	{ U_INT_32,			offsetof(private_sa_payload_t, situation)		},
+	/* Proposals are stored in a proposal substructure list */
+	{ PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE_V1,
+						offsetof(private_sa_payload_t, proposals)		},
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !    RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                           DOI                                 !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                           Situation                           !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      !                                                               !
+      ~                          <Proposals>                          ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Encoding rules for IKEv2 SA payload
  */
-encoding_rule_t sa_payload_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_sa_payload_t, next_payload)		},
 	/* the critical bit */
 	{ FLAG,				offsetof(private_sa_payload_t, critical)			},
-	/* 7 Bit reserved bits, nowhere stored */
+	/* 7 Bit reserved bits */
 	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[0])			},
 	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[1])			},
 	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[2])			},
@@ -82,9 +139,9 @@ encoding_rule_t sa_payload_encodings[] = {
 	{ RESERVED_BIT,		offsetof(private_sa_payload_t, reserved[6])			},
 	/* Length of the whole SA payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_sa_payload_t, payload_length)		},
-	/* Proposals are stored in a proposal substructure,
-	   offset points to a linked_list_t pointer */
-	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals)			},
+	/* Proposals are stored in a proposal substructure list */
+	{ PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE,
+						offsetof(private_sa_payload_t, proposals)			},
 };
 
 /*
@@ -102,11 +159,16 @@ encoding_rule_t sa_payload_encodings[] = {
 METHOD(payload_t, verify, status_t,
 	private_sa_payload_t *this)
 {
-	int expected_number = 1, current_number;
+	int expected_number = 0, current_number;
 	status_t status = SUCCESS;
 	enumerator_t *enumerator;
 	proposal_substructure_t *substruct;
 
+	if (this->type == SECURITY_ASSOCIATION)
+	{
+		expected_number = 1;
+	}
+
 	/* check proposal numbering */
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, (void**)&substruct))
@@ -131,17 +193,32 @@ METHOD(payload_t, verify, status_t,
 	return status;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_sa_payload_t *this, encoding_rule_t **rules)
 {
-	*rules = sa_payload_encodings;
-	*rule_count = countof(sa_payload_encodings);
+	if (this->type == SECURITY_ASSOCIATION_V1)
+	{
+		*rules = encodings_v1;
+		return countof(encodings_v1);
+	}
+	*rules = encodings_v2;
+	return countof(encodings_v2);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_sa_payload_t *this)
+{
+	if (this->type == SECURITY_ASSOCIATION_V1)
+	{
+		return 12;
+	}
+	return 4;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_sa_payload_t *this)
 {
-	return SECURITY_ASSOCIATION;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -163,16 +240,15 @@ static void compute_length(private_sa_payload_t *this)
 {
 	enumerator_t *enumerator;
 	payload_t *current;
-	size_t length = SA_PAYLOAD_HEADER_LENGTH;
+
+	this->payload_length = get_header_length(this);
 
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, (void **)&current))
 	{
-		length += current->get_length(current);
+		this->payload_length += current->get_length(current);
 	}
 	enumerator->destroy(enumerator);
-
-	this->payload_length = length;
 }
 
 METHOD(payload_t, get_length, size_t,
@@ -181,14 +257,16 @@ METHOD(payload_t, get_length, size_t,
 	return this->payload_length;
 }
 
-METHOD(sa_payload_t, add_proposal, void,
-	private_sa_payload_t *this, proposal_t *proposal)
+/**
+ * Create a transform substructure from a proposal, add to payload
+ */
+static void add_proposal_v2(private_sa_payload_t *this, proposal_t *proposal)
 {
 	proposal_substructure_t *substruct, *last;
 	u_int count;
 
+	substruct = proposal_substructure_create_from_proposal_v2(proposal);
 	count = this->proposals->get_count(this->proposals);
-	substruct = proposal_substructure_create_from_proposal(proposal);
 	if (count > 0)
 	{
 		this->proposals->get_last(this->proposals, (void**)&last);
@@ -215,15 +293,19 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*,
 	int ignore_struct_number = 0;
 	enumerator_t *enumerator;
 	proposal_substructure_t *substruct;
-	linked_list_t *list;
-	proposal_t *proposal;
+	linked_list_t *substructs, *list;
+
+	if (this->type == SECURITY_ASSOCIATION_V1)
+	{	/* IKEv1 proposals start with 0 */
+		struct_number = ignore_struct_number = -1;
+	}
 
-	list = linked_list_create();
 	/* we do not support proposals split up to two proposal substructures, as
 	 * AH+ESP bundles are not supported in RFC4301 anymore.
 	 * To handle such structures safely, we just skip proposals with multiple
 	 * protocols.
 	 */
+	substructs = linked_list_create();
 	enumerator = this->proposals->create_enumerator(this->proposals);
 	while (enumerator->enumerate(enumerator, &substruct))
 	{
@@ -231,22 +313,80 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*,
 		if (substruct->get_proposal_number(substruct) == struct_number)
 		{
 			if (ignore_struct_number < struct_number)
-			{
-				/* remove an already added, if first of series */
-				list->remove_last(list, (void**)&proposal);
-				proposal->destroy(proposal);
+			{	/* remove an already added, if first of series */
+				substructs->remove_last(substructs, (void**)&substruct);
 				ignore_struct_number = struct_number;
 			}
 			continue;
 		}
 		struct_number++;
-		proposal = substruct->get_proposal(substruct);
-		if (proposal)
+		substructs->insert_last(substructs, substruct);
+	}
+	enumerator->destroy(enumerator);
+
+	/* generate proposals from substructs */
+	list = linked_list_create();
+	enumerator = substructs->create_enumerator(substructs);
+	while (enumerator->enumerate(enumerator, &substruct))
+	{
+		substruct->get_proposals(substruct, list);
+	}
+	enumerator->destroy(enumerator);
+	substructs->destroy(substructs);
+	return list;
+}
+
+METHOD(sa_payload_t, get_ipcomp_proposals, linked_list_t*,
+	private_sa_payload_t *this, u_int16_t *cpi)
+{
+	int current_proposal = -1, unsupported_proposal = -1;
+	enumerator_t *enumerator;
+	proposal_substructure_t *substruct, *esp = NULL, *ipcomp = NULL;
+	linked_list_t *list;
+
+	/* we currently only support the combination ESP+IPComp, find the first */
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, &substruct))
+	{
+		u_int8_t proposal_number = substruct->get_proposal_number(substruct);
+		u_int8_t protocol_id = substruct->get_protocol_id(substruct);
+
+		if (proposal_number == unsupported_proposal)
+		{
+			continue;
+		}
+		if (protocol_id != PROTO_ESP && protocol_id != PROTO_IPCOMP)
+		{	/* unsupported combination */
+			esp = ipcomp = NULL;
+			unsupported_proposal = current_proposal;
+			continue;
+		}
+		if (proposal_number != current_proposal)
+		{	/* start of a new proposal */
+			if (esp && ipcomp)
+			{	/* previous proposal is valid */
+				break;
+			}
+			esp = ipcomp = NULL;
+			current_proposal = proposal_number;
+		}
+		switch (protocol_id)
 		{
-			list->insert_last(list, proposal);
+			case PROTO_ESP:
+				esp = substruct;
+				break;
+			case PROTO_IPCOMP:
+				ipcomp = substruct;
+				break;
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	list = linked_list_create();
+	if (esp && ipcomp && ipcomp->get_cpi(ipcomp, cpi))
+	{
+		esp->get_proposals(esp, list);
+	}
 	return list;
 }
 
@@ -256,18 +396,86 @@ METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*,
 	return this->proposals->create_enumerator(this->proposals);
 }
 
+METHOD(sa_payload_t, get_lifetime, u_int32_t,
+	private_sa_payload_t *this)
+{
+	proposal_substructure_t *substruct;
+	enumerator_t *enumerator;
+	u_int32_t lifetime = 0;
+
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	if (enumerator->enumerate(enumerator, &substruct))
+	{
+		lifetime = substruct->get_lifetime(substruct);
+	}
+	enumerator->destroy(enumerator);
+
+	return lifetime;
+}
+
+METHOD(sa_payload_t, get_lifebytes, u_int64_t,
+	private_sa_payload_t *this)
+{
+	proposal_substructure_t *substruct;
+	enumerator_t *enumerator;
+	u_int64_t lifebytes = 0;
+
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	if (enumerator->enumerate(enumerator, &substruct))
+	{
+		lifebytes = substruct->get_lifebytes(substruct);
+	}
+	enumerator->destroy(enumerator);
+
+	return lifebytes;
+}
+
+METHOD(sa_payload_t, get_auth_method, auth_method_t,
+	private_sa_payload_t *this)
+{
+	proposal_substructure_t *substruct;
+	enumerator_t *enumerator;
+	auth_method_t method = AUTH_NONE;
+
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	if (enumerator->enumerate(enumerator, &substruct))
+	{
+		method = substruct->get_auth_method(substruct);
+	}
+	enumerator->destroy(enumerator);
+
+	return method;
+}
+
+METHOD(sa_payload_t, get_encap_mode, ipsec_mode_t,
+	private_sa_payload_t *this, bool *udp)
+{
+	proposal_substructure_t *substruct;
+	enumerator_t *enumerator;
+	ipsec_mode_t mode = MODE_NONE;
+
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	if (enumerator->enumerate(enumerator, &substruct))
+	{
+		mode = substruct->get_encap_mode(substruct, udp);
+	}
+	enumerator->destroy(enumerator);
+
+	return mode;
+}
+
 METHOD2(payload_t, sa_payload_t, destroy, void,
 	private_sa_payload_t *this)
 {
 	this->proposals->destroy_offset(this->proposals,
-									offsetof(proposal_substructure_t, destroy));
+									offsetof(payload_t, destroy));
 	free(this);
 }
 
 /*
  * Described in header.
  */
-sa_payload_t *sa_payload_create()
+sa_payload_t *sa_payload_create(payload_type_t type)
 {
 	private_sa_payload_t *this;
 
@@ -276,38 +484,49 @@ sa_payload_t *sa_payload_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
 				.get_type = _get_type,
 				.destroy = _destroy,
 			},
-			.add_proposal = _add_proposal,
 			.get_proposals = _get_proposals,
+			.get_ipcomp_proposals = _get_ipcomp_proposals,
 			.create_substructure_enumerator = _create_substructure_enumerator,
+			.get_lifetime = _get_lifetime,
+			.get_lifebytes = _get_lifebytes,
+			.get_auth_method = _get_auth_method,
+			.get_encap_mode = _get_encap_mode,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = SA_PAYLOAD_HEADER_LENGTH,
 		.proposals = linked_list_create(),
+		.type = type,
+		/* for IKEv1 only */
+		.doi = IKEV1_DOI_IPSEC,
+		.situation = SIT_IDENTITY_ONLY,
 	);
+
+	compute_length(this);
+
 	return &this->public;
 }
 
 /*
  * Described in header.
  */
-sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals)
 {
 	private_sa_payload_t *this;
 	enumerator_t *enumerator;
 	proposal_t *proposal;
 
-	this = (private_sa_payload_t*)sa_payload_create();
+	this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
 	enumerator = proposals->create_enumerator(proposals);
 	while (enumerator->enumerate(enumerator, &proposal))
 	{
-		add_proposal(this, proposal);
+		add_proposal_v2(this, proposal);
 	}
 	enumerator->destroy(enumerator);
 
@@ -317,12 +536,76 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
 /*
  * Described in header.
  */
-sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
 {
 	private_sa_payload_t *this;
 
-	this = (private_sa_payload_t*)sa_payload_create();
-	add_proposal(this, proposal);
+	this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+	add_proposal_v2(this, proposal);
+
+	return &this->public;
+
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+								u_int32_t lifetime, u_int64_t lifebytes,
+								auth_method_t auth, ipsec_mode_t mode,
+								encap_t udp, u_int16_t cpi)
+{
+	proposal_substructure_t *substruct;
+	private_sa_payload_t *this;
+
+	this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
+
+	if (!proposals || !proposals->get_count(proposals))
+	{
+		return &this->public;
+	}
+
+	/* IKEv1 encodes multiple proposals in a single substructure
+	 * TODO-IKEv1: Encode ESP+AH proposals in two substructs with same num */
+	substruct = proposal_substructure_create_from_proposals_v1(proposals,
+										lifetime, lifebytes, auth, mode, udp);
+	this->proposals->insert_last(this->proposals, substruct);
+	substruct->set_is_last_proposal(substruct, FALSE);
+	if (cpi)
+	{
+		u_int8_t proposal_number = substruct->get_proposal_number(substruct);
+
+		substruct = proposal_substructure_create_for_ipcomp_v1(lifetime,
+					lifebytes, cpi, mode, udp, proposal_number);
+		this->proposals->insert_last(this->proposals, substruct);
+		substruct->set_is_last_proposal(substruct, FALSE);
+		/* add the proposals again without IPComp */
+		substruct = proposal_substructure_create_from_proposals_v1(proposals,
+										lifetime, lifebytes, auth, mode, udp);
+		substruct->set_proposal_number(substruct, proposal_number + 1);
+		this->proposals->insert_last(this->proposals, substruct);
+	}
+	substruct->set_is_last_proposal(substruct, TRUE);
+	compute_length(this);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
+								u_int32_t lifetime, u_int64_t lifebytes,
+								auth_method_t auth, ipsec_mode_t mode,
+								encap_t udp, u_int16_t cpi)
+{
+	private_sa_payload_t *this;
+	linked_list_t *proposals;
 
+	proposals = linked_list_create();
+	proposals->insert_last(proposals, proposal);
+	this = (private_sa_payload_t*)sa_payload_create_from_proposals_v1(proposals,
+									lifetime, lifebytes, auth, mode, udp, cpi);
+	proposals->destroy(proposals);
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index cc8c481c8..b62a341d8 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -27,15 +27,12 @@ typedef struct sa_payload_t sa_payload_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
+#include <kernel/kernel_ipsec.h>
+#include <sa/authenticator.h>
 
 /**
- * SA_PAYLOAD length in bytes without any proposal substructure.
- */
-#define SA_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Class representing an IKEv2-SA Payload.
+ * Class representing an IKEv1 or IKEv2 SA Payload.
  *
  * The SA Payload format is described in RFC section 3.3.
  */
@@ -49,16 +46,47 @@ struct sa_payload_t {
 	/**
 	 * Gets the proposals in this payload as a list.
 	 *
-	 * @return					a list containing proposal_t s
+	 * @return				a list containing proposal_ts
 	 */
 	linked_list_t *(*get_proposals) (sa_payload_t *this);
 
 	/**
-	 * Add a child proposal (AH/ESP) to the payload.
+	 * Gets the proposals from the first proposal in this payload with IPComp
+	 * enabled (IKEv1 only).
+	 *
+	 * @param cpi			the CPI of the first IPComp (sub)proposal
+	 * @return				a list containing proposal_ts
+	 */
+	linked_list_t *(*get_ipcomp_proposals) (sa_payload_t *this, u_int16_t *cpi);
+
+	/**
+	 * Get the (shortest) lifetime of a proposal (IKEv1 only).
+	 *
+	 * @return					lifetime, in seconds
+	 */
+	u_int32_t (*get_lifetime)(sa_payload_t *this);
+
+	/**
+	 * Get the (shortest) life duration of a proposal (IKEv1 only).
+	 *
+	 * @return					life duration, in bytes
+	 */
+	u_int64_t (*get_lifebytes)(sa_payload_t *this);
+
+	/**
+	 * Get the first authentication method from the proposal (IKEv1 only).
 	 *
-	 * @param proposal			child proposal to add to the payload
+	 * @return					auth method, or AUTH_NONE
 	 */
-	void (*add_proposal) (sa_payload_t *this, proposal_t *proposal);
+	auth_method_t (*get_auth_method)(sa_payload_t *this);
+
+	/**
+	 * Get the (first) encapsulation mode from a proposal (IKEv1 only).
+	 *
+	 * @param udp				set to TRUE if UDP encapsulation used
+	 * @return					ipsec encapsulation mode
+	 */
+	ipsec_mode_t (*get_encap_mode)(sa_payload_t *this, bool *udp);
 
 	/**
 	 * Create an enumerator over all proposal substructures.
@@ -76,27 +104,59 @@ struct sa_payload_t {
 /**
  * Creates an empty sa_payload_t object
  *
+ * @param type				SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
  * @return					created sa_payload_t object
  */
-sa_payload_t *sa_payload_create(void);
+sa_payload_t *sa_payload_create(payload_type_t type);
 
 /**
- * Creates a sa_payload_t object from a list of proposals.
+ * Creates an IKEv2 sa_payload_t object from a list of proposals.
  *
  * @param proposals			list of proposals to build the payload from
  * @return					sa_payload_t object
  */
-sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals);
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals);
 
 /**
- * Creates a sa_payload_t object from a single proposal.
+ * Creates an IKEv2 sa_payload_t object from a single proposal.
  *
- * This is only for convenience. Use sa_payload_create_from_proposal_list
- * if you want to add more than one proposal.
+ * @param proposal			proposal from which the payload should be built.
+ * @return					sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal);
+
+/**
+ * Creates an IKEv1 sa_payload_t object from a list of proposals.
+ *
+ * @param proposals			list of proposals to build the payload from
+ * @param lifetime			lifetime in seconds
+ * @param lifebytes			lifebytes, in bytes
+ * @param auth				authentication method to use, or AUTH_NONE
+ * @param mode				IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp				ENCAP_UDP to use UDP encapsulation
+ * @param cpi				CPI in case IPComp should be used
+ * @return					sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+							u_int32_t lifetime, u_int64_t lifebytes,
+							auth_method_t auth, ipsec_mode_t mode, encap_t udp,
+							u_int16_t cpi);
+
+/**
+ * Creates an IKEv1 sa_payload_t object from a single proposal.
  *
  * @param proposal			proposal from which the payload should be built.
+ * @param lifetime			lifetime in seconds
+ * @param lifebytes			lifebytes, in bytes
+ * @param auth				authentication method to use, or AUTH_NONE
+ * @param mode				IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp				ENCAP_UDP to use UDP encapsulation
+ * @param cpi				CPI in case IPComp should be used
  * @return					sa_payload_t object
  */
-sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal);
+sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
+							u_int32_t lifetime, u_int64_t lifebytes,
+							auth_method_t auth, ipsec_mode_t mode, encap_t udp,
+							u_int16_t cpi);
 
 #endif /** SA_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
index df36e4383..334823db9 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -18,7 +18,7 @@
 #include "traffic_selector_substructure.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t;
 
@@ -74,7 +74,7 @@ struct private_traffic_selector_substructure_t {
  * The defined offsets are the positions in a object of type
  * private_traffic_selector_substructure_t.
  */
-encoding_rule_t traffic_selector_substructure_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next ts type*/
 	{ TS_TYPE,		offsetof(private_traffic_selector_substructure_t, ts_type) 			},
 	/* 1 Byte IP protocol id*/
@@ -114,7 +114,11 @@ METHOD(payload_t, verify, status_t,
 {
 	if (this->start_port > this->end_port)
 	{
-		return FAILED;
+		/* OPAQUE ports are the only exception */
+		if (this->start_port != 0xffff && this->end_port != 0)
+		{
+			return FAILED;
+		}
 	}
 	switch (this->ts_type)
 	{
@@ -148,12 +152,17 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_traffic_selector_substructure_t *this, encoding_rule_t **rules,
-	size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_traffic_selector_substructure_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_traffic_selector_substructure_t *this)
 {
-	*rules = traffic_selector_substructure_encodings;
-	*rule_count = countof(traffic_selector_substructure_encodings);
+	return 8;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
@@ -208,6 +217,7 @@ traffic_selector_substructure_t *traffic_selector_substructure_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -217,7 +227,7 @@ traffic_selector_substructure_t *traffic_selector_substructure_create()
 			.get_traffic_selector = _get_traffic_selector,
 			.destroy = _destroy,
 		},
-		.payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
 		/* must be set to be valid */
 		.ts_type = TS_IPV4_ADDR_RANGE,
 	);
@@ -239,7 +249,7 @@ traffic_selector_substructure_t *traffic_selector_substructure_create_from_traff
 	this->end_port = ts->get_to_port(ts);
 	this->starting_address = chunk_clone(ts->get_from_address(ts));
 	this->ending_address = chunk_clone(ts->get_to_address(ts));
-	this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH +
+	this->payload_length = get_header_length(this) +
 						this->ending_address.len + this->starting_address.len;
 
 	return &this->public;
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.h b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
index 0109fd7f5..d3fbe8476 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.h
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.h
@@ -25,16 +25,11 @@
 typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <selectors/traffic_selector.h>
 #include <encoding/payloads/payload.h>
 
 /**
- * Length of a TRAFFIC SELECTOR SUBSTRUCTURE without start and end address.
- */
-#define TRAFFIC_SELECTOR_HEADER_LENGTH 8
-
-/**
  * Class representing an IKEv2 TRAFFIC SELECTOR.
  *
  * The TRAFFIC SELECTOR format is described in RFC section 3.13.1.
diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c
index 7d21258b1..d20f77c59 100644
--- a/src/libcharon/encoding/payloads/transform_attribute.c
+++ b/src/libcharon/encoding/payloads/transform_attribute.c
@@ -17,12 +17,51 @@
 
 #include <string.h>
 #include <stddef.h>
+#include <stdint.h>
 
 #include "transform_attribute.h"
 
 #include <encoding/payloads/encodings.h>
 #include <library.h>
 
+ENUM(tattr_ph1_names, TATTR_PH1_ENCRYPTION_ALGORITHM, TATTR_PH1_GROUP_ORDER,
+	"ENCRYPTION_ALGORITHM",
+	"HASH_ALGORITHM",
+	"AUTH_METHOD",
+	"GROUP",
+	"GROUP_TYPE",
+	"GROUP_PRIME",
+	"GROUP_GENONE",
+	"GROUP_GENTWO",
+	"GROUP_CURVE_A",
+	"GROUP_CURVE_B",
+	"LIFE_TYPE",
+	"LIFE_DURATION",
+	"PRF",
+	"KEY_LENGTH",
+	"FIELD_SIZE",
+	"GROUP_ORDER",
+);
+
+ENUM(tattr_ph2_names, TATTR_PH2_SA_LIFE_TYPE, TATTR_PH2_EXT_SEQ_NUMBER,
+	"SA_LIFE_TYPE",
+	"SA_LIFE_DURATION",
+	"GROUP",
+	"ENCAP_MODE",
+	"AUTH_ALGORITHM",
+	"KEY_LENGTH",
+	"KEY_ROUNDS",
+	"COMP_DICT_SIZE",
+	"COMP_PRIV_ALGORITHM",
+	"ECN_TUNNEL",
+	"EXT_SEQ_NUMBER",
+);
+
+ENUM(tattr_ikev2_names, TATTR_IKEV2_KEY_LENGTH, TATTR_IKEV2_KEY_LENGTH,
+	"KEY_LENGTH",
+);
+
+
 typedef struct private_transform_attribute_t private_transform_attribute_t;
 
 /**
@@ -57,30 +96,25 @@ struct private_transform_attribute_t {
 	 * Attribute value as chunk if attribute_format is 0 (FALSE).
 	 */
 	chunk_t attribute_value;
-};
-
 
-ENUM_BEGIN(transform_attribute_type_name, ATTRIBUTE_UNDEFINED, ATTRIBUTE_UNDEFINED,
-	"ATTRIBUTE_UNDEFINED");
-ENUM_NEXT(transform_attribute_type_name, KEY_LENGTH, KEY_LENGTH, ATTRIBUTE_UNDEFINED,
-	"KEY_LENGTH");
-ENUM_END(transform_attribute_type_name, KEY_LENGTH);
+	/**
+	 * Payload type, TRANSFORM_ATTRIBUTE or TRANSFORM_ATTRIBUTE_V1
+	 */
+	payload_type_t type;
+};
 
 /**
- * Encoding rules to parse or generate a Transform attribute.
- *
- * The defined offsets are the positions in a object of type
- * private_transform_attribute_t.
+ * Encoding rules for IKEv1/IKEv2 transform attributes
  */
-encoding_rule_t transform_attribute_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* Flag defining the format of this payload */
-	{ ATTRIBUTE_FORMAT,			offsetof(private_transform_attribute_t, attribute_format) 			},
+	{ ATTRIBUTE_FORMAT,			offsetof(private_transform_attribute_t, attribute_format)			},
 	/* type of the attribute as 15 bit unsigned integer */
 	{ ATTRIBUTE_TYPE,			offsetof(private_transform_attribute_t, attribute_type)				},
 	/* Length or value, depending on the attribute format flag */
 	{ ATTRIBUTE_LENGTH_OR_VALUE,offsetof(private_transform_attribute_t, attribute_length_or_value)	},
 	/* Value of attribute if attribute format flag is zero */
-	{ ATTRIBUTE_VALUE,			offsetof(private_transform_attribute_t, attribute_value) 			}
+	{ ATTRIBUTE_VALUE,			offsetof(private_transform_attribute_t, attribute_value)			}
 };
 
 /*
@@ -101,18 +135,23 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_transform_attribute_t *this, encoding_rule_t **rules,
-	size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_transform_attribute_t *this, encoding_rule_t **rules)
 {
-	*rules = transform_attribute_encodings;
-	*rule_count = countof(transform_attribute_encodings);
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_transform_attribute_t *this)
+{
+	return 0;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_transform_attribute_t *this)
 {
-	return TRANSFORM_ATTRIBUTE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -136,31 +175,6 @@ METHOD(payload_t, get_length, size_t,
 	return this->attribute_length_or_value + 4;
 }
 
-METHOD(transform_attribute_t, set_value_chunk, void,
-	private_transform_attribute_t *this, chunk_t value)
-{
-	chunk_free(&this->attribute_value);
-
-	if (value.len != 2)
-	{
-		this->attribute_value = chunk_clone(value);
-		this->attribute_length_or_value = value.len;
-		this->attribute_format = FALSE;
-	}
-	else
-	{
-		memcpy(&this->attribute_length_or_value, value.ptr, value.len);
-	}
-}
-
-METHOD(transform_attribute_t, set_value, void,
-	private_transform_attribute_t *this, u_int16_t value)
-{
-	chunk_free(&this->attribute_value);
-	this->attribute_length_or_value = value;
-	this->attribute_format = TRUE;
-}
-
 METHOD(transform_attribute_t, get_value_chunk, chunk_t,
 	private_transform_attribute_t *this)
 {
@@ -171,16 +185,22 @@ METHOD(transform_attribute_t, get_value_chunk, chunk_t,
 	return this->attribute_value;
 }
 
-METHOD(transform_attribute_t, get_value, u_int16_t,
+METHOD(transform_attribute_t, get_value, u_int64_t,
 	private_transform_attribute_t *this)
 {
-	return this->attribute_length_or_value;
-}
+	u_int64_t value = 0;
 
-METHOD(transform_attribute_t, set_attribute_type, void,
-	private_transform_attribute_t *this, u_int16_t type)
-{
-	this->attribute_type = type & 0x7FFF;
+	if (this->attribute_format)
+	{
+		return this->attribute_length_or_value;
+	}
+	if (this->attribute_value.len > sizeof(value))
+	{
+		return UINT64_MAX;
+	}
+	memcpy(((char*)&value) + sizeof(value) - this->attribute_value.len,
+		   this->attribute_value.ptr, this->attribute_value.len);
+	return untoh64((char*)&value);
 }
 
 METHOD(transform_attribute_t, get_attribute_type, u_int16_t,
@@ -189,24 +209,6 @@ METHOD(transform_attribute_t, get_attribute_type, u_int16_t,
 	return this->attribute_type;
 }
 
-METHOD(transform_attribute_t, clone_, transform_attribute_t*,
-	private_transform_attribute_t *this)
-{
-	private_transform_attribute_t *new_clone;
-
-	new_clone = (private_transform_attribute_t *)transform_attribute_create();
-
-	new_clone->attribute_format = this->attribute_format;
-	new_clone->attribute_type = this->attribute_type;
-	new_clone->attribute_length_or_value = this->attribute_length_or_value;
-
-	if (!new_clone->attribute_format)
-	{
-		new_clone->attribute_value = chunk_clone(this->attribute_value);
-	}
-	return &new_clone->public;
-}
-
 METHOD2(payload_t, transform_attribute_t, destroy, void,
 	private_transform_attribute_t *this)
 {
@@ -217,7 +219,7 @@ METHOD2(payload_t, transform_attribute_t, destroy, void,
 /*
  * Described in header.
  */
-transform_attribute_t *transform_attribute_create()
+transform_attribute_t *transform_attribute_create(payload_type_t type)
 {
 	private_transform_attribute_t *this;
 
@@ -226,22 +228,20 @@ transform_attribute_t *transform_attribute_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
 				.get_type = _get_type,
 				.destroy = _destroy,
 			},
-			.set_value_chunk = _set_value_chunk,
-			.set_value = _set_value,
 			.get_value_chunk = _get_value_chunk,
 			.get_value = _get_value,
-			.set_attribute_type = _set_attribute_type,
 			.get_attribute_type = _get_attribute_type,
-			.clone = _clone_,
 			.destroy = _destroy,
 		},
-		.attribute_format = TRUE,
+		.attribute_format = FALSE,
+		.type = type,
 	);
 	return &this->public;
 }
@@ -249,10 +249,33 @@ transform_attribute_t *transform_attribute_create()
 /*
  * Described in header.
  */
-transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length)
+transform_attribute_t *transform_attribute_create_value(payload_type_t type,
+							transform_attribute_type_t kind, u_int64_t value)
 {
-	transform_attribute_t *attribute = transform_attribute_create();
-	attribute->set_attribute_type(attribute, KEY_LENGTH);
-	attribute->set_value(attribute, key_length);
-	return attribute;
+	private_transform_attribute_t *this;
+
+	this = (private_transform_attribute_t*)transform_attribute_create(type);
+
+	this->attribute_type = kind & 0x7FFF;
+
+	if (value <= UINT16_MAX)
+	{
+		this->attribute_length_or_value = value;
+		this->attribute_format = TRUE;
+	}
+	else if (value <= UINT32_MAX)
+	{
+		u_int32_t val32;
+
+		val32 = htonl(value);
+		this->attribute_value = chunk_clone(chunk_from_thing(val32));
+		this->attribute_length_or_value = sizeof(val32);
+	}
+	else
+	{
+		htoun64(&value, value);
+		this->attribute_value = chunk_clone(chunk_from_thing(value));
+		this->attribute_length_or_value = sizeof(value);
+	}
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/transform_attribute.h b/src/libcharon/encoding/payloads/transform_attribute.h
index a5fe0154b..23897a50a 100644
--- a/src/libcharon/encoding/payloads/transform_attribute.h
+++ b/src/libcharon/encoding/payloads/transform_attribute.h
@@ -28,26 +28,66 @@ typedef struct transform_attribute_t transform_attribute_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 
-
 /**
- * Type of the attribute, as in IKEv2 RFC 3.3.5.
+ * Type of the attribute.
  */
 enum transform_attribute_type_t {
-	ATTRIBUTE_UNDEFINED = 16384,
-	KEY_LENGTH = 14
+	/** IKEv1 Phase 1 attributes */
+	TATTR_PH1_ENCRYPTION_ALGORITHM = 1,
+	TATTR_PH1_HASH_ALGORITHM = 2,
+	TATTR_PH1_AUTH_METHOD = 3,
+	TATTR_PH1_GROUP = 4,
+	TATTR_PH1_GROUP_TYPE = 5,
+	TATTR_PH1_GROUP_PRIME = 6,
+	TATTR_PH1_GROUP_GENONE = 7,
+	TATTR_PH1_GROUP_GENTWO = 8,
+	TATTR_PH1_GROUP_CURVE_A = 9,
+	TATTR_PH1_GROUP_CURVE_B = 10,
+	TATTR_PH1_LIFE_TYPE = 11,
+	TATTR_PH1_LIFE_DURATION = 12,
+	TATTR_PH1_PRF = 13,
+	TATTR_PH1_KEY_LENGTH = 14,
+	TATTR_PH1_FIELD_SIZE = 15,
+	TATTR_PH1_GROUP_ORDER = 16,
+	/** IKEv1 Phase 2 attributes */
+	TATTR_PH2_SA_LIFE_TYPE = 1,
+	TATTR_PH2_SA_LIFE_DURATION = 2,
+	TATTR_PH2_GROUP = 3,
+	TATTR_PH2_ENCAP_MODE = 4,
+	TATTR_PH2_AUTH_ALGORITHM = 5,
+	TATTR_PH2_KEY_LENGTH = 6,
+	TATTR_PH2_KEY_ROUNDS = 7,
+	TATTR_PH2_COMP_DICT_SIZE = 8,
+	TATTR_PH2_COMP_PRIV_ALGORITHM = 9,
+	TATTR_PH2_ECN_TUNNEL = 10,
+	TATTR_PH2_EXT_SEQ_NUMBER = 11,
+	/* IKEv2 key length attribute */
+	TATTR_IKEV2_KEY_LENGTH = 14,
+	/* undefined, private use attribute */
+	TATTR_UNDEFINED = 16384,
 };
 
 /**
- * enum name for transform_attribute_type_t.
+ * Enum names for IKEv1 Phase 1 transform_attribute_type_t.
  */
-extern enum_name_t *transform_attribute_type_names;
+extern enum_name_t *tattr_ph1_names;
 
 /**
- * Class representing an IKEv2- TRANSFORM Attribute.
- *
- * The TRANSFORM ATTRIBUTE format is described in RFC section 3.3.5.
+ * Enum names for IKEv1 Phase 2 transform_attribute_type_t.
+ */
+extern enum_name_t *tattr_ph2_names;
+
+/**
+ * Enum names for IKEv2 transform_attribute_type_t.
+ */
+extern enum_name_t *tattr_ikev2_names;
+
+
+/**
+ * Class representing an IKEv1/IKEv2 TRANSFORM Attribute.
  */
 struct transform_attribute_t {
+
 	/**
 	 * The payload_t interface.
 	 */
@@ -58,7 +98,7 @@ struct transform_attribute_t {
 	 *
 	 * Returned data are not copied.
 	 *
-	 * @return 		chunk_t pointing to the value
+	 * @return 		chunk_t pointing to internal value
 	 */
 	chunk_t (*get_value_chunk) (transform_attribute_t *this);
 
@@ -69,30 +109,7 @@ struct transform_attribute_t {
 	 *
 	 * @return 		value
 	 */
-	u_int16_t (*get_value) (transform_attribute_t *this);
-
-	/**
-	 * Sets the value of the attribute.
-	 *
-	 * Value is getting copied.
-	 *
-	 * @param value chunk_t pointing to the value to set
-	 */
-	void (*set_value_chunk) (transform_attribute_t *this, chunk_t value);
-
-	/**
-	 * Sets the value of the attribute.
-	 *
-	 * @param value value to set
-	 */
-	void (*set_value) (transform_attribute_t *this, u_int16_t value);
-
-	/**
-	 * Sets the type of the attribute.
-	 *
-	 * @param type	type to set (most significant bit is set to zero)
-	 */
-	void (*set_attribute_type) (transform_attribute_t *this, u_int16_t type);
+	u_int64_t (*get_value) (transform_attribute_t *this);
 
 	/**
 	 * get the type of the attribute.
@@ -102,13 +119,6 @@ struct transform_attribute_t {
 	u_int16_t (*get_attribute_type) (transform_attribute_t *this);
 
 	/**
-	 * Clones an transform_attribute_t object.
-	 *
-	 * @return		cloned transform_attribute_t object
-	 */
-	transform_attribute_t * (*clone) (transform_attribute_t *this);
-
-	/**
 	 * Destroys an transform_attribute_t object.
 	 */
 	void (*destroy) (transform_attribute_t *this);
@@ -117,16 +127,20 @@ struct transform_attribute_t {
 /**
  * Creates an empty transform_attribute_t object.
  *
+ * @param type			TRANSFORM_ATTRIBUTE or TRANSFORM_ATTRIBUTE_V1
  * @return				transform_attribute_t object
  */
-transform_attribute_t *transform_attribute_create(void);
+transform_attribute_t *transform_attribute_create(payload_type_t type);
 
 /**
- * Creates an transform_attribute_t of type KEY_LENGTH.
+ * Creates a two byte value or a larger attribute for a given attribute kind.
  *
- * @param key_length	key length in bytes
+ * @param type			TRANSFORM_ATTRIBUTE or TRANSFORM_ATTRIBUTE_V1
+ * @param kind			attribute kind
+ * @param value			fixed two byte value
  * @return				transform_attribute_t object
  */
-transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length);
+transform_attribute_t *transform_attribute_create_value(payload_type_t type,
+							transform_attribute_type_t kind, u_int64_t value);
 
 #endif /** TRANSFORM_ATTRIBUTE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c
index 3f04b3539..a85027561 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.c
+++ b/src/libcharon/encoding/payloads/transform_substructure.c
@@ -22,7 +22,7 @@
 #include <encoding/payloads/transform_attribute.h>
 #include <encoding/payloads/encodings.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <daemon.h>
 
 typedef struct private_transform_substructure_t private_transform_substructure_t;
@@ -41,10 +41,11 @@ struct private_transform_substructure_t {
 	 * Next payload type.
 	 */
 	u_int8_t  next_payload;
+
 	/**
-	 * Reserved bytes
+	 * Reserved byte
 	 */
-	u_int8_t reserved[2];
+	u_int8_t reserved[3];
 
 	/**
 	 * Length of this payload.
@@ -52,43 +53,72 @@ struct private_transform_substructure_t {
 	u_int16_t transform_length;
 
 	/**
-	 * Type of the transform.
+	 * Type or number, Type of the transform in IKEv2, number in IKEv2.
+	 */
+	u_int8_t transform_ton;
+
+	/**
+	 * Transform ID, as encoded in IKEv1.
 	 */
-	u_int8_t transform_type;
+	u_int8_t transform_id_v1;
 
 	/**
-	 * Transform ID.
+	 * Transform ID, as encoded in IKEv2.
 	 */
-	u_int16_t transform_id;
+	u_int16_t transform_id_v2;
 
 	/**
 	 * Transforms Attributes are stored in a linked_list_t.
 	 */
 	linked_list_t *attributes;
+
+	/**
+	 * Payload type, TRANSFORM_SUBSTRUCTURE or TRANSFORM_SUBSTRUCTURE_V1
+	 */
+	payload_type_t type;
 };
 
 /**
- * Encoding rules to parse or generate a Transform substructure.
- *
- * The defined offsets are the positions in a object of type
- * private_transform_substructure_t.
+ * Encoding rules for TRANSFORM_SUBSTRUCTURE
  */
-encoding_rule_t transform_substructure_encodings[] = {
+static encoding_rule_t encodings_v2[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,				offsetof(private_transform_substructure_t, next_payload)	},
+	{ U_INT_8,			offsetof(private_transform_substructure_t, next_payload)	},
 	/* 1 Reserved Byte */
-	{ RESERVED_BYTE,		offsetof(private_transform_substructure_t, reserved[0])		},
+	{ RESERVED_BYTE,	offsetof(private_transform_substructure_t, reserved[0])		},
 	/* Length of the whole transform substructure*/
-	{ PAYLOAD_LENGTH,		offsetof(private_transform_substructure_t, transform_length)},
-	/* transform type is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type)	},
+	{ PAYLOAD_LENGTH,	offsetof(private_transform_substructure_t, transform_length)},
+	/* transform type */
+	{ U_INT_8,			offsetof(private_transform_substructure_t, transform_ton)	},
+	/* transform identifier, as used by IKEv1 */
+	{ RESERVED_BYTE,	offsetof(private_transform_substructure_t, reserved[1])		},
+	/* transform identifier, as used by IKEv2 */
+	{ U_INT_16,			offsetof(private_transform_substructure_t, transform_id_v2)	},
+	/* Attributes in a transform attribute list */
+	{ PAYLOAD_LIST + TRANSFORM_ATTRIBUTE,
+						offsetof(private_transform_substructure_t, attributes)		}
+};
+
+/**
+ * Encoding rules for TRANSFORM_SUBSTRUCTURE_V1
+ */
+static encoding_rule_t encodings_v1[] = {
+	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_transform_substructure_t, next_payload)	},
 	/* 1 Reserved Byte */
-	{ RESERVED_BYTE,		offsetof(private_transform_substructure_t, reserved[1])		},
-	/* transform ID is a number of 8 bit */
-	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)	},
-	/* Attributes are stored in a transform attribute,
-	   offset points to a linked_list_t pointer */
-	{ TRANSFORM_ATTRIBUTES,	offsetof(private_transform_substructure_t, attributes)		}
+	{ RESERVED_BYTE,	offsetof(private_transform_substructure_t, reserved[0])		},
+	/* Length of the whole transform substructure*/
+	{ PAYLOAD_LENGTH,	offsetof(private_transform_substructure_t, transform_length)},
+	/* transform number */
+	{ U_INT_8,			offsetof(private_transform_substructure_t, transform_ton)},
+	/* transform identifier, as used by IKEv1 */
+	{ U_INT_8,			offsetof(private_transform_substructure_t, transform_id_v1)	},
+	/* transform identifier, as used by IKEv2 */
+	{ RESERVED_BYTE,	offsetof(private_transform_substructure_t, reserved[1])		},
+	{ RESERVED_BYTE,	offsetof(private_transform_substructure_t, reserved[2])		},
+	/* Attributes in a transform attribute list */
+	{ PAYLOAD_LIST + TRANSFORM_ATTRIBUTE_V1,
+						offsetof(private_transform_substructure_t, attributes)		}
 };
 
 /*
@@ -97,7 +127,7 @@ encoding_rule_t transform_substructure_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ! 0 (last) or 3 !   RESERVED    !        Transform Length       !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !Transform Type !   RESERVED    !          Transform ID         !
+      ! Tfrm Typ or # ! Tfrm ID IKEv1 !        Transform ID IKEv2     !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       !                                                               !
       ~                      Transform Attributes                     ~
@@ -118,23 +148,6 @@ METHOD(payload_t, verify, status_t,
 		return FAILED;
 	}
 
-	switch (this->transform_type)
-	{
-		case ENCRYPTION_ALGORITHM:
-		case PSEUDO_RANDOM_FUNCTION:
-		case INTEGRITY_ALGORITHM:
-		case DIFFIE_HELLMAN_GROUP:
-		case EXTENDED_SEQUENCE_NUMBERS:
-			/* we don't check transform ID, we want to reply
-			 * cleanly with NO_PROPOSAL_CHOSEN or so if we don't support it */
-			break;
-		default:
-		{
-			DBG1(DBG_ENC, "invalid transform type: %d", this->transform_type);
-			return FAILED;
-		}
-	}
-
 	enumerator = this->attributes->create_enumerator(this->attributes);
 	while (enumerator->enumerate(enumerator, &attribute))
 	{
@@ -151,18 +164,28 @@ METHOD(payload_t, verify, status_t,
 	return status;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_transform_substructure_t *this, encoding_rule_t **rules,
-	size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_transform_substructure_t *this, encoding_rule_t **rules)
 {
-	*rules = transform_substructure_encodings;
-	*rule_count = countof(transform_substructure_encodings);
+	if (this->type == TRANSFORM_SUBSTRUCTURE)
+	{
+		*rules = encodings_v2;
+		return countof(encodings_v2);
+	}
+	*rules = encodings_v1;
+	return countof(encodings_v1);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_transform_substructure_t *this)
+{
+	return 8;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_transform_substructure_t *this)
 {
-	return TRANSFORM_SUBSTRUCTURE;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -174,12 +197,12 @@ METHOD(payload_t, get_next_type, payload_type_t,
 /**
  * recompute the length of the payload.
  */
-static void compute_length (private_transform_substructure_t *this)
+static void compute_length(private_transform_substructure_t *this)
 {
 	enumerator_t *enumerator;
 	payload_t *attribute;
 
-	this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+	this->transform_length = get_header_length(this);
 	enumerator = this->attributes->create_enumerator(this->attributes);
 	while (enumerator->enumerate(enumerator, &attribute))
 	{
@@ -194,6 +217,13 @@ METHOD(payload_t, get_length, size_t,
 	return this->transform_length;
 }
 
+METHOD(transform_substructure_t, add_transform_attribute, void,
+	private_transform_substructure_t *this, transform_attribute_t *attribute)
+{
+	this->attributes->insert_last(this->attributes, attribute);
+	compute_length(this);
+}
+
 METHOD(transform_substructure_t, set_is_last_transform, void,
 	private_transform_substructure_t *this, bool is_last)
 {
@@ -205,50 +235,40 @@ METHOD(payload_t, set_next_type, void,
 {
 }
 
-METHOD(transform_substructure_t, get_transform_type, u_int8_t,
+METHOD(transform_substructure_t, get_transform_type_or_number, u_int8_t,
 	private_transform_substructure_t *this)
 {
-	return this->transform_type;
+	return this->transform_ton;
 }
 
 METHOD(transform_substructure_t, get_transform_id, u_int16_t,
 	private_transform_substructure_t *this)
 {
-	return this->transform_id;
+	if (this->type == TRANSFORM_SUBSTRUCTURE)
+	{
+		return this->transform_id_v2;
+	}
+	return this->transform_id_v1;
 }
 
-METHOD(transform_substructure_t, get_key_length, status_t,
-	private_transform_substructure_t *this, u_int16_t *key_length)
+METHOD(transform_substructure_t, create_attribute_enumerator, enumerator_t*,
+	private_transform_substructure_t *this)
 {
-	enumerator_t *enumerator;
-	transform_attribute_t *attribute;
-
-	enumerator = this->attributes->create_enumerator(this->attributes);
-	while (enumerator->enumerate(enumerator, &attribute))
-	{
-		if (attribute->get_attribute_type(attribute) == KEY_LENGTH)
-		{
-			*key_length = attribute->get_value(attribute);
-			enumerator->destroy(enumerator);
-			return SUCCESS;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return FAILED;
+	return this->attributes->create_enumerator(this->attributes);
 }
 
 METHOD2(payload_t, transform_substructure_t, destroy, void,
 	private_transform_substructure_t *this)
 {
 	this->attributes->destroy_offset(this->attributes,
-									 offsetof(transform_attribute_t, destroy));
+									 offsetof(payload_t, destroy));
 	free(this);
 }
 
 /*
  * Described in header.
  */
-transform_substructure_t *transform_substructure_create()
+transform_substructure_t *transform_substructure_create(payload_type_t type)
 {
 	private_transform_substructure_t *this;
 
@@ -257,21 +277,24 @@ transform_substructure_t *transform_substructure_create()
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
 				.get_type = _get_type,
 				.destroy = _destroy,
 			},
+			.add_transform_attribute = _add_transform_attribute,
 			.set_is_last_transform = _set_is_last_transform,
-			.get_transform_type = _get_transform_type,
+			.get_transform_type_or_number = _get_transform_type_or_number,
 			.get_transform_id = _get_transform_id,
-			.get_key_length = _get_key_length,
+			.create_attribute_enumerator = _create_attribute_enumerator,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH,
+		.transform_length = get_header_length(this),
 		.attributes = linked_list_create(),
+		.type = type,
 	);
 	return &this->public;
 }
@@ -279,20 +302,21 @@ transform_substructure_t *transform_substructure_create()
 /*
  * Described in header
  */
-transform_substructure_t *transform_substructure_create_type(
-					transform_type_t type, u_int16_t id, u_int16_t key_length)
+transform_substructure_t *transform_substructure_create_type(payload_type_t type,
+				u_int8_t type_or_number, u_int16_t id)
 {
 	private_transform_substructure_t *this;
 
-	this = (private_transform_substructure_t*)transform_substructure_create();
+	this = (private_transform_substructure_t*)transform_substructure_create(type);
 
-	this->transform_type = type;
-	this->transform_id = id;
-	if (key_length)
+	this->transform_ton = type_or_number;
+	if (type == TRANSFORM_SUBSTRUCTURE)
+	{
+		this->transform_id_v2 = id;
+	}
+	else
 	{
-		this->attributes->insert_last(this->attributes,
-					(void*)transform_attribute_create_key_length(key_length));
-		compute_length(this);
+		this->transform_id_v1 = id;
 	}
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
index 102dbb3d3..97717e65b 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.h
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -27,7 +27,7 @@ typedef struct transform_substructure_t transform_substructure_t;
 #include <library.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/transform_attribute.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/diffie_hellman.h>
 #include <crypto/signers/signer.h>
 #include <crypto/prfs/prf.h>
@@ -40,14 +40,7 @@ typedef struct transform_substructure_t transform_substructure_t;
 #define TRANSFORM_TYPE_VALUE 3
 
 /**
- * Length of the transform substructure header in bytes.
- */
-#define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8
-
-/**
- * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
- *
- * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2.
+ * Class representing an IKEv1/IKEv2 transform substructure.
  */
 struct transform_substructure_t {
 
@@ -75,11 +68,11 @@ struct transform_substructure_t {
 	void (*set_is_last_transform) (transform_substructure_t *this, bool is_last);
 
 	/**
-	 * get transform type of the current transform.
+	 * Get transform type (IKEv2) or the transform number (IKEv1).
 	 *
 	 * @return 			Transform type of current transform substructure.
 	 */
-	u_int8_t (*get_transform_type) (transform_substructure_t *this);
+	u_int8_t (*get_transform_type_or_number) (transform_substructure_t *this);
 
 	/**
 	 * Get transform id of the current transform.
@@ -89,16 +82,11 @@ struct transform_substructure_t {
 	u_int16_t (*get_transform_id) (transform_substructure_t *this);
 
 	/**
-	 * Get transform id of the current transform.
+	 * Create an enumerator over transform attributes.
 	 *
-	 * @param key_length	The key length is written to this location
-	 * @return
-	 * 						- SUCCESS if a key length attribute is contained
-	 * 						- FAILED if no key length attribute is part of this
-	 * 						  transform or key length uses more then 16 bit!
+	 * @return			enumerator over transform_attribute_t*
 	 */
-	status_t (*get_key_length) (transform_substructure_t *this,
-								u_int16_t *key_length);
+	enumerator_t* (*create_attribute_enumerator)(transform_substructure_t *this);
 
 	/**
 	 * Destroys an transform_substructure_t object.
@@ -109,19 +97,20 @@ struct transform_substructure_t {
 /**
  * Creates an empty transform_substructure_t object.
  *
+ * @param type			TRANSFORM_SUBSTRUCTURE or TRANSFORM_SUBSTRUCTURE_V1
  * @return				created transform_substructure_t object
  */
-transform_substructure_t *transform_substructure_create(void);
+transform_substructure_t *transform_substructure_create(payload_type_t type);
 
 /**
  * Creates an empty transform_substructure_t object.
  *
- * @param type			type of transform to create
- * @param id			transform id specifc for the transform type
- * @param key_length	key length for key length attribute, 0 to omit
- * @return				transform_substructure_t object
+ * @param type				TRANSFORM_SUBSTRUCTURE or TRANSFORM_SUBSTRUCTURE_V1
+ * @param type_or_number	Type (IKEv2) or number (IKEv1) of transform
+ * @param id				transform id specifc for the transform type
+ * @return					transform_substructure_t object
  */
-transform_substructure_t *transform_substructure_create_type(
-					transform_type_t type, u_int16_t id, u_int16_t key_length);
+transform_substructure_t *transform_substructure_create_type(payload_type_t type,
+										u_int8_t type_or_number, u_int16_t id);
 
 #endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/
diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c
index 28f760e40..8dfa47bc2 100644
--- a/src/libcharon/encoding/payloads/ts_payload.c
+++ b/src/libcharon/encoding/payloads/ts_payload.c
@@ -20,7 +20,7 @@
 #include "ts_payload.h"
 
 #include <encoding/payloads/encodings.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_ts_payload_t private_ts_payload_t;
 
@@ -81,7 +81,7 @@ struct private_ts_payload_t {
  * The defined offsets are the positions in a object of type
  * private_ts_payload_t.
  */
-encoding_rule_t ts_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_ts_payload_t, next_payload)	},
 	/* the critical bit */
@@ -102,8 +102,9 @@ encoding_rule_t ts_payload_encodings[] = {
 	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[0])},
 	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[1])},
 	{ RESERVED_BYTE,	offsetof(private_ts_payload_t, reserved_byte[2])},
-	/* some ts data bytes, length is defined in PAYLOAD_LENGTH */
-	{ TRAFFIC_SELECTORS,offsetof(private_ts_payload_t, substrs)			}
+	/* wrapped list of traffic selectors substructures */
+	{ PAYLOAD_LIST + TRAFFIC_SELECTOR_SUBSTRUCTURE,
+						offsetof(private_ts_payload_t, substrs)			},
 };
 
 /*
@@ -145,11 +146,17 @@ METHOD(payload_t, verify, status_t,
 	return status;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_ts_payload_t *this, encoding_rule_t **rules)
 {
-	*rules = ts_payload_encodings;
-	*rule_count = countof(ts_payload_encodings);
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_ts_payload_t *this)
+{
+	return 8;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
@@ -182,7 +189,7 @@ static void compute_length(private_ts_payload_t *this)
 	enumerator_t *enumerator;
 	payload_t *subst;
 
-	this->payload_length = TS_PAYLOAD_HEADER_LENGTH;
+	this->payload_length = get_header_length(this);
 	this->ts_num = 0;
 	enumerator = this->substrs->create_enumerator(this->substrs);
 	while (enumerator->enumerate(enumerator, &subst))
@@ -250,6 +257,7 @@ ts_payload_t *ts_payload_create(bool is_initiator)
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -262,7 +270,7 @@ ts_payload_t *ts_payload_create(bool is_initiator)
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = TS_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
 		.is_initiator = is_initiator,
 		.substrs = linked_list_create(),
 	);
diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h
index 88ca00bc9..933245c62 100644
--- a/src/libcharon/encoding/payloads/ts_payload.h
+++ b/src/libcharon/encoding/payloads/ts_payload.h
@@ -25,17 +25,12 @@
 typedef struct ts_payload_t ts_payload_t;
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <selectors/traffic_selector.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/traffic_selector_substructure.h>
 
 /**
- * Length of a TS payload without the Traffic selectors.
- */
-#define TS_PAYLOAD_HEADER_LENGTH 8
-
-/**
  * Class representing an IKEv2 TS payload.
  *
  * The TS payload format is described in RFC section 3.13.
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c
index 27af338b3..fe7ced20b 100644
--- a/src/libcharon/encoding/payloads/unknown_payload.c
+++ b/src/libcharon/encoding/payloads/unknown_payload.c
@@ -68,7 +68,7 @@ struct private_unknown_payload_t {
  * private_unknown_payload_t.
  *
  */
-encoding_rule_t unknown_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_unknown_payload_t, next_payload)	},
 	/* the critical bit */
@@ -84,7 +84,7 @@ encoding_rule_t unknown_payload_encodings[] = {
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_unknown_payload_t, payload_length)	},
 	/* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
-	{ UNKNOWN_DATA,		offsetof(private_unknown_payload_t, data)			},
+	{ CHUNK_DATA,		offsetof(private_unknown_payload_t, data)			},
 };
 
 /*
@@ -102,18 +102,20 @@ encoding_rule_t unknown_payload_encodings[] = {
 METHOD(payload_t, verify, status_t,
 	private_unknown_payload_t *this)
 {
-	if (this->payload_length != UNKNOWN_PAYLOAD_HEADER_LENGTH + this->data.len)
-	{
-		return FAILED;
-	}
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_unknown_payload_t *this, encoding_rule_t **rules)
 {
-	*rules = unknown_payload_encodings;
-	*rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t);
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_unknown_payload_t *this)
+{
+	return 4;
 }
 
 METHOD(payload_t, get_payload_type, payload_type_t,
@@ -171,6 +173,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type)
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -182,7 +185,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type)
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH,
+		.payload_length = get_header_length(this),
 		.type = type,
 	);
 
@@ -201,7 +204,7 @@ unknown_payload_t *unknown_payload_create_data(payload_type_t type,
 	this = (private_unknown_payload_t*)unknown_payload_create(type);
 	this->data = data;
 	this->critical = critical;
-	this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH + data.len;
+	this->payload_length = get_header_length(this) + data.len;
 
 	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h
index 5ae85331b..326b550cd 100644
--- a/src/libcharon/encoding/payloads/unknown_payload.h
+++ b/src/libcharon/encoding/payloads/unknown_payload.h
@@ -28,11 +28,6 @@ typedef struct unknown_payload_t unknown_payload_t;
 #include <encoding/payloads/payload.h>
 
 /**
- * Header length of the unknown payload.
- */
-#define UNKNOWN_PAYLOAD_HEADER_LENGTH 4
-
-/**
  * Payload which can't be processed further.
  *
  * When the parser finds an unknown payload, he builds an instance of
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c
index e9e80e989..0c1df56e2 100644
--- a/src/libcharon/encoding/payloads/vendor_id_payload.c
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.c
@@ -55,6 +55,11 @@ struct private_vendor_id_payload_t {
 	 * The contained data.
 	 */
 	chunk_t data;
+
+	/**
+	 * Either a IKEv1 or a IKEv2 vendor ID payload
+	 */
+	payload_type_t type;
 };
 
 /**
@@ -63,7 +68,7 @@ struct private_vendor_id_payload_t {
  * The defined offsets are the positions in a object of type
  * private_vendor_id_payload_t.
  */
-encoding_rule_t vendor_id_payload_encodings[] = {
+static encoding_rule_t encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_vendor_id_payload_t, next_payload)	},
 	/* the critical bit */
@@ -79,7 +84,7 @@ encoding_rule_t vendor_id_payload_encodings[] = {
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_vendor_id_payload_t, payload_length)},
 	/* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */
-	{ VID_DATA,			offsetof(private_vendor_id_payload_t, data)			}
+	{ CHUNK_DATA,		offsetof(private_vendor_id_payload_t, data)			}
 };
 
 /*
@@ -100,18 +105,23 @@ METHOD(payload_t, verify, status_t,
 	return SUCCESS;
 }
 
-METHOD(payload_t, get_encoding_rules, void,
-	private_vendor_id_payload_t *this, encoding_rule_t **rules,
-	size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, int,
+	private_vendor_id_payload_t *this, encoding_rule_t **rules)
+{
+	*rules = encodings;
+	return countof(encodings);
+}
+
+METHOD(payload_t, get_header_length, int,
+	private_vendor_id_payload_t *this)
 {
-	*rules = vendor_id_payload_encodings;
-	*rule_count = countof(vendor_id_payload_encodings);
+	return 4;
 }
 
 METHOD(payload_t, get_type, payload_type_t,
 	private_vendor_id_payload_t *this)
 {
-	return VENDOR_ID;
+	return this->type;
 }
 
 METHOD(payload_t, get_next_type, payload_type_t,
@@ -148,7 +158,8 @@ METHOD2(payload_t, vendor_id_payload_t, destroy, void,
 /*
  * Described in header
  */
-vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
+vendor_id_payload_t *vendor_id_payload_create_data(payload_type_t type,
+												   chunk_t data)
 {
 	private_vendor_id_payload_t *this;
 
@@ -157,6 +168,7 @@ vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
 			.payload_interface = {
 				.verify = _verify,
 				.get_encoding_rules = _get_encoding_rules,
+				.get_header_length = _get_header_length,
 				.get_length = _get_length,
 				.get_next_type = _get_next_type,
 				.set_next_type = _set_next_type,
@@ -167,8 +179,9 @@ vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
-		.payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + data.len,
+		.payload_length = get_header_length(this) + data.len,
 		.data = data,
+		.type = type,
 	);
 	return &this->public;
 }
@@ -176,7 +189,7 @@ vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data)
 /*
  * Described in header
  */
-vendor_id_payload_t *vendor_id_payload_create()
+vendor_id_payload_t *vendor_id_payload_create(payload_type_t type)
 {
-	return vendor_id_payload_create_data(chunk_empty);
+	return vendor_id_payload_create_data(type, chunk_empty);
 }
diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.h b/src/libcharon/encoding/payloads/vendor_id_payload.h
index 4e4e7d8eb..9a814777b 100644
--- a/src/libcharon/encoding/payloads/vendor_id_payload.h
+++ b/src/libcharon/encoding/payloads/vendor_id_payload.h
@@ -28,12 +28,7 @@ typedef struct vendor_id_payload_t vendor_id_payload_t;
 #include <encoding/payloads/payload.h>
 
 /**
- * Length of a VENDOR ID payload without the VID data in bytes.
- */
-#define VENDOR_ID_PAYLOAD_HEADER_LENGTH 4
-
-/**
- * Class representing an IKEv2 VENDOR ID payload.
+ * Class representing an IKEv1/IKEv2 VENDOR ID payload.
  *
  * The VENDOR ID payload format is described in RFC section 3.12.
  */
@@ -58,18 +53,21 @@ struct vendor_id_payload_t {
 };
 
 /**
- * Creates an empty Vendor ID payload.
+ * Creates an empty Vendor ID payload for IKEv1 or IKEv2.
  *
+ * @@param type		VENDOR_ID or VENDOR_ID_V1
  * @return			vendor ID payload
  */
-vendor_id_payload_t *vendor_id_payload_create();
+vendor_id_payload_t *vendor_id_payload_create(payload_type_t type);
 
 /**
  * Creates a vendor ID payload using a chunk of data
  *
+ * @param type		VENDOR_ID or VENDOR_ID_V1
  * @param data		data to use in vendor ID payload, gets owned by payload
  * @return			vendor ID payload
  */
-vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data);
+vendor_id_payload_t *vendor_id_payload_create_data(payload_type_t type,
+												   chunk_t data);
 
 #endif /** VENDOR_ID_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c
index 51fccb1ac..aa5c4e059 100644
--- a/src/libcharon/kernel/kernel_handler.c
+++ b/src/libcharon/kernel/kernel_handler.c
@@ -84,7 +84,7 @@ METHOD(kernel_listener_t, expire, bool,
 				  protocol_id_names, proto, ntohl(spi), reqid);
 	if (hard)
 	{
-		job = (job_t*)delete_child_sa_job_create(reqid, proto, spi);
+		job = (job_t*)delete_child_sa_job_create(reqid, proto, spi, hard);
 	}
 	else
 	{
diff --git a/src/libcharon/network/packet.c b/src/libcharon/network/packet.c
deleted file mode 100644
index 19db362f7..000000000
--- a/src/libcharon/network/packet.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "packet.h"
-
-typedef struct private_packet_t private_packet_t;
-
-/**
- * Private data of an packet_t object.
- */
-struct private_packet_t {
-
-	/**
-	 * Public part of a packet_t object.
-	 */
-	packet_t public;
-
-	/**
-	 * source address
-	 */
-	host_t *source;
-
-	/**
-	 * destination address
-	 */
-	host_t *destination;
-
-	 /**
-	  * message data
-	  */
-	chunk_t data;
-};
-
-METHOD(packet_t, set_source, void,
-	private_packet_t *this, host_t *source)
-{
-	DESTROY_IF(this->source);
-	this->source = source;
-}
-
-METHOD(packet_t, set_destination, void,
-	private_packet_t *this, host_t *destination)
-{
-	DESTROY_IF(this->destination);
-	this->destination = destination;
-}
-
-METHOD(packet_t, get_source, host_t*,
-	private_packet_t *this)
-{
-	return this->source;
-}
-
-METHOD(packet_t, get_destination, host_t*,
-	private_packet_t *this)
-{
-	return this->destination;
-}
-
-METHOD(packet_t, get_data, chunk_t,
-	private_packet_t *this)
-{
-	return this->data;
-}
-
-METHOD(packet_t, set_data, void,
-	private_packet_t *this, chunk_t data)
-{
-	free(this->data.ptr);
-	this->data = data;
-}
-
-METHOD(packet_t, destroy, void,
-	private_packet_t *this)
-{
-	DESTROY_IF(this->source);
-	DESTROY_IF(this->destination);
-	free(this->data.ptr);
-	free(this);
-}
-
-METHOD(packet_t, clone_, packet_t*,
-	private_packet_t *this)
-{
-	packet_t *other;
-
-	other = packet_create();
-	if (this->destination != NULL)
-	{
-		other->set_destination(other, this->destination->clone(this->destination));
-	}
-	if (this->source != NULL)
-	{
-		other->set_source(other, this->source->clone(this->source));
-	}
-	if (this->data.ptr != NULL)
-	{
-		other->set_data(other, chunk_clone(this->data));
-	}
-	return other;
-}
-
-/*
- * Documented in header
- */
-packet_t *packet_create(void)
-{
-	private_packet_t *this;
-
-	INIT(this,
-		.public = {
-			.set_data = _set_data,
-			.get_data = _get_data,
-			.set_source = _set_source,
-			.get_source = _get_source,
-			.set_destination = _set_destination,
-			.get_destination = _get_destination,
-			.clone = _clone_,
-			.destroy = _destroy,
-		},
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/network/packet.h b/src/libcharon/network/packet.h
deleted file mode 100644
index 18d82c6fc..000000000
--- a/src/libcharon/network/packet.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup packet packet
- * @{ @ingroup network
- */
-
-#ifndef PACKET_H_
-#define PACKET_H_
-
-typedef struct packet_t packet_t;
-
-#include <library.h>
-#include <utils/host.h>
-
-/**
- * Abstraction of an UDP-Packet, contains data, sender and receiver.
- */
-struct packet_t {
-
-	/**
-	 * Set the source address.
-	 *
-	 * Set host_t is now owned by packet_t, it will destroy
-	 * it if necessary.
-	 *
-	 * @param source	address to set as source
-	 */
-	void (*set_source) (packet_t *packet, host_t *source);
-
-	/**
-	 * Set the destination address.
-	 *
-	 * Set host_t is now owned by packet_t, it will destroy
-	 * it if necessary.
-	 *
-	 * @param source	address to set as destination
-	 */
-	void (*set_destination) (packet_t *packet, host_t *destination);
-
-	/**
-	 * Get the source address.
-	 *
-	 * Set host_t is still owned by packet_t, clone it
-	 * if needed.
-	 *
-	 * @return			source address
-	 */
-	host_t *(*get_source) (packet_t *packet);
-
-	/**
-	 * Get the destination address.
-	 *
-	 * Set host_t is still owned by packet_t, clone it
-	 * if needed.
-	 *
-	 * @return			destination address
-	 */
-	host_t *(*get_destination) (packet_t *packet);
-
-	/**
-	 * Get the data from the packet.
-	 *
-	 * The data pointed by the chunk is still owned
-	 * by the packet. Clone it if needed.
-	 *
-	 * @return			chunk containing the data
-	 */
-	chunk_t (*get_data) (packet_t *packet);
-
-	/**
-	 * Set the data in the packet.
-	 *
-	 * Supplied chunk data is now owned by the
-	 * packet. It will free it.
-	 *
-	 * @param data		chunk with data to set
-	 */
-	void (*set_data) (packet_t *packet, chunk_t data);
-
-	/**
-	 * Clones a packet_t object.
-	 *
-	 * @param clone		clone of the packet
-	 */
-	packet_t* (*clone) (packet_t *packet);
-
-	/**
-	 * Destroy the packet, freeing contained data.
-	 */
-	void (*destroy) (packet_t *packet);
-};
-
-/**
- * create an empty packet
- *
- * @return packet_t object
- */
-packet_t *packet_create(void);
-
-#endif /** PACKET_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index cfb1408ef..b8eb8419d 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -20,13 +20,15 @@
 
 #include "receiver.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <network/socket.h>
-#include <network/packet.h>
 #include <processing/jobs/job.h>
 #include <processing/jobs/process_message_job.h>
 #include <processing/jobs/callback_job.h>
 #include <crypto/hashers/hasher.h>
+#include <threading/mutex.h>
+#include <networking/packet.h>
 
 /** lifetime of a cookie, in seconds */
 #define COOKIE_LIFETIME 10
@@ -40,6 +42,8 @@
 #define BLOCK_THRESHOLD_DEFAULT 5
 /** length of the secret to use for cookie calculation */
 #define SECRET_LENGTH 16
+/** Length of a notify payload header */
+#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
 
 typedef struct private_receiver_t private_receiver_t;
 
@@ -53,9 +57,17 @@ struct private_receiver_t {
 	receiver_t public;
 
 	/**
-	 * Threads job receiving packets
+	 * Registered callback for ESP packets
 	 */
-	callback_job_t *job;
+	struct {
+		receiver_esp_cb_t cb;
+		void *data;
+	} esp_cb;
+
+	/**
+	 * Mutex for ESP callback
+	 */
+	mutex_t *esp_cb_mutex;
 
 	/**
 	 * current secret to use for cookie calculation
@@ -136,46 +148,52 @@ struct private_receiver_t {
 	 * Delay response messages?
 	 */
 	bool receive_delay_response;
+
+	/**
+	 * Endpoint is allowed to act as an initiator only
+	 */
+	bool initiator_only;
+
 };
 
 /**
  * send a notify back to the sender
  */
-static void send_notify(message_t *request, notify_type_t type, chunk_t data)
+static void send_notify(message_t *request, int major, exchange_type_t exchange,
+						notify_type_t type, chunk_t data)
 {
-	if (request->get_request(request) &&
-		request->get_exchange_type(request) == IKE_SA_INIT)
+	ike_sa_id_t *ike_sa_id;
+	message_t *response;
+	host_t *src, *dst;
+	packet_t *packet;
+
+	response = message_create(major, 0);
+	response->set_exchange_type(response, exchange);
+	response->add_notify(response, FALSE, type, data);
+	dst = request->get_source(request);
+	src = request->get_destination(request);
+	response->set_source(response, src->clone(src));
+	response->set_destination(response, dst->clone(dst));
+	if (major == IKEV2_MAJOR_VERSION)
 	{
-		message_t *response;
-		host_t *src, *dst;
-		packet_t *packet;
-		ike_sa_id_t *ike_sa_id;
-
-		response = message_create();
-		dst = request->get_source(request);
-		src = request->get_destination(request);
-		response->set_source(response, src->clone(src));
-		response->set_destination(response, dst->clone(dst));
-		response->set_exchange_type(response, request->get_exchange_type(request));
 		response->set_request(response, FALSE);
-		response->set_message_id(response, 0);
-		ike_sa_id = request->get_ike_sa_id(request);
-		ike_sa_id->switch_initiator(ike_sa_id);
-		response->set_ike_sa_id(response, ike_sa_id);
-		response->add_notify(response, FALSE, type, data);
-		if (response->generate(response, NULL, &packet) == SUCCESS)
-		{
-			charon->sender->send(charon->sender, packet);
-			response->destroy(response);
-		}
 	}
+	response->set_message_id(response, 0);
+	ike_sa_id = request->get_ike_sa_id(request);
+	ike_sa_id->switch_initiator(ike_sa_id);
+	response->set_ike_sa_id(response, ike_sa_id);
+	if (response->generate(response, NULL, &packet) == SUCCESS)
+	{
+		charon->sender->send(charon->sender, packet);
+	}
+	response->destroy(response);
 }
 
 /**
  * build a cookie
  */
-static chunk_t cookie_build(private_receiver_t *this, message_t *message,
-							u_int32_t t, chunk_t secret)
+static bool cookie_build(private_receiver_t *this, message_t *message,
+						 u_int32_t t, chunk_t secret, chunk_t *cookie)
 {
 	u_int64_t spi = message->get_initiator_spi(message);
 	host_t *ip = message->get_source(message);
@@ -185,8 +203,12 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message,
 	input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
 					  chunk_from_thing(t), secret);
 	hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
-	this->hasher->get_hash(this->hasher, input, hash.ptr);
-	return chunk_cat("cc", chunk_from_thing(t), hash);
+	if (!this->hasher->get_hash(this->hasher, input, hash.ptr))
+	{
+		return FALSE;
+	}
+	*cookie = chunk_cat("cc", chunk_from_thing(t), hash);
+	return TRUE;
 }
 
 /**
@@ -221,7 +243,10 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
 	}
 
 	/* compare own calculation against received */
-	reference = cookie_build(this, message, t, secret);
+	if (!cookie_build(this, message, t, secret, &reference))
+	{
+		return FALSE;
+	}
 	if (chunk_equals(reference, cookie))
 	{
 		chunk_free(&reference);
@@ -236,15 +261,13 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
  */
 static bool check_cookie(private_receiver_t *this, message_t *message)
 {
-	packet_t *packet;
 	chunk_t data;
 
 	/* check for a cookie. We don't use our parser here and do it
 	 * quick and dirty for performance reasons.
 	 * we assume the cookie is the first payload (which is a MUST), and
 	 * the cookie's SPI length is zero. */
-	packet = message->get_packet(message);
-	data = packet->get_data(packet);
+	data = message->get_packet_data(message);
 	if (data.len <
 		 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
 		 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
@@ -252,7 +275,6 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 		*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
 	{
 		/* no cookie found */
-		packet->destroy(packet);
 		return FALSE;
 	}
 	data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
@@ -260,7 +282,6 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 	if (!cookie_verify(this, message, data))
 	{
 		DBG2(DBG_NET, "found cookie, but content invalid");
-		packet->destroy(packet);
 		return FALSE;
 	}
 	return TRUE;
@@ -277,7 +298,7 @@ static bool cookie_required(private_receiver_t *this,
 		this->last_cookie = now;
 		return TRUE;
 	}
-	if (now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
+	if (this->last_cookie && now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
 	{
 		/* We don't disable cookies unless we haven't seen IKE_SA_INITs
 		 * for COOKIE_CALMDOWN_DELAY seconds. This avoids jittering between
@@ -308,29 +329,42 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
 	half_open = charon->ike_sa_manager->get_half_open_count(
 										charon->ike_sa_manager, NULL);
 
-	/* check for cookies */
-	if (cookie_required(this, half_open, now) && !check_cookie(this, message))
+	/* check for cookies in IKEv2 */
+	if (message->get_major_version(message) == IKEV2_MAJOR_VERSION &&
+		cookie_required(this, half_open, now) && !check_cookie(this, message))
 	{
 		chunk_t cookie;
 
-		cookie = cookie_build(this, message, now - this->secret_offset,
-							  chunk_from_thing(this->secret));
 		DBG2(DBG_NET, "received packet from: %#H to %#H",
 			 message->get_source(message),
 			 message->get_destination(message));
+		if (!cookie_build(this, message, now - this->secret_offset,
+						  chunk_from_thing(this->secret), &cookie))
+		{
+			return TRUE;
+		}
 		DBG2(DBG_NET, "sending COOKIE notify to %H",
 			 message->get_source(message));
-		send_notify(message, COOKIE, cookie);
+		send_notify(message, IKEV2_MAJOR_VERSION, IKE_SA_INIT, COOKIE, cookie);
 		chunk_free(&cookie);
 		if (++this->secret_used > COOKIE_REUSE)
 		{
-			/* create new cookie */
+			char secret[SECRET_LENGTH];
+
 			DBG1(DBG_NET, "generating new cookie secret after %d uses",
 				 this->secret_used);
-			memcpy(this->secret_old, this->secret, SECRET_LENGTH);
-			this->rng->get_bytes(this->rng,	SECRET_LENGTH, this->secret);
-			this->secret_switch = now;
-			this->secret_used = 0;
+			if (this->rng->get_bytes(this->rng, SECRET_LENGTH, secret))
+			{
+				memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+				memcpy(this->secret, secret, SECRET_LENGTH);
+				memwipe(secret, SECRET_LENGTH);
+				this->secret_switch = now;
+				this->secret_used = 0;
+			}
+			else
+			{
+				DBG1(DBG_NET, "failed to allocated cookie secret, keeping old");
+			}
 		}
 		return TRUE;
 	}
@@ -380,16 +414,18 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
  */
 static job_requeue_t receive_packets(private_receiver_t *this)
 {
+	ike_sa_id_t *id;
 	packet_t *packet;
 	message_t *message;
+	host_t *src, *dst;
 	status_t status;
+	bool supported = TRUE;
+	chunk_t data, marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
 
 	/* read in a packet */
 	status = charon->socket->receive(charon->socket, &packet);
 	if (status == NOT_SUPPORTED)
 	{
-		/* the processor destroys this job  */
-		this->job = NULL;
 		return JOB_REQUEUE_NONE;
 	}
 	else if (status != SUCCESS)
@@ -398,36 +434,133 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 		return JOB_REQUEUE_FAIR;
 	}
 
+	data = packet->get_data(packet);
+	if (data.len == 1 && data.ptr[0] == 0xFF)
+	{	/* silently drop NAT-T keepalives */
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+	else if (data.len < marker.len)
+	{	/* drop packets that are too small */
+		DBG3(DBG_NET, "received packet is too short (%d bytes)", data.len);
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	dst = packet->get_destination(packet);
+	src = packet->get_source(packet);
+	if (!hydra->kernel_interface->all_interfaces_usable(hydra->kernel_interface)
+		&& !hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												   dst, NULL))
+	{
+		DBG3(DBG_NET, "received packet from %#H to %#H on ignored interface",
+			 src, dst);
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	/* if neither source nor destination port is 500 we assume an IKE packet
+	 * with Non-ESP marker or an ESP packet */
+	if (dst->get_port(dst) != IKEV2_UDP_PORT &&
+		src->get_port(src) != IKEV2_UDP_PORT)
+	{
+		if (memeq(data.ptr, marker.ptr, marker.len))
+		{	/* remove Non-ESP marker */
+			packet->skip_bytes(packet, marker.len);
+		}
+		else
+		{	/* this seems to be an ESP packet */
+			this->esp_cb_mutex->lock(this->esp_cb_mutex);
+			if (this->esp_cb.cb)
+			{
+				this->esp_cb.cb(this->esp_cb.data, packet);
+			}
+			else
+			{
+				packet->destroy(packet);
+			}
+			this->esp_cb_mutex->unlock(this->esp_cb_mutex);
+			return JOB_REQUEUE_DIRECT;
+		}
+	}
+
 	/* parse message header */
 	message = message_create_from_packet(packet);
 	if (message->parse_header(message) != SUCCESS)
 	{
 		DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
 			 packet->get_source(packet));
+		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_HEADER, message);
 		message->destroy(message);
 		return JOB_REQUEUE_DIRECT;
 	}
 
 	/* check IKE major version */
-	if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+	switch (message->get_major_version(message))
+	{
+		case IKEV2_MAJOR_VERSION:
+#ifndef USE_IKEV2
+			if (message->get_exchange_type(message) == IKE_SA_INIT &&
+				message->get_request(message))
+			{
+				send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
+							INVALID_MAJOR_VERSION, chunk_empty);
+				supported = FALSE;
+			}
+#endif /* USE_IKEV2 */
+			break;
+		case IKEV1_MAJOR_VERSION:
+#ifndef USE_IKEV1
+			if (message->get_exchange_type(message) == ID_PROT ||
+				message->get_exchange_type(message) == AGGRESSIVE)
+			{
+				send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
+							INVALID_MAJOR_VERSION, chunk_empty);
+				supported = FALSE;
+			}
+#endif /* USE_IKEV1 */
+			break;
+		default:
+#ifdef USE_IKEV2
+			send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
+						INVALID_MAJOR_VERSION, chunk_empty);
+#endif /* USE_IKEV2 */
+#ifdef USE_IKEV1
+			send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
+						INVALID_MAJOR_VERSION, chunk_empty);
+#endif /* USE_IKEV1 */
+			supported = FALSE;
+			break;
+	}
+	if (!supported)
 	{
-		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
-			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
+		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, sending "
+			 "INVALID_MAJOR_VERSION", message->get_major_version(message),
 			 message->get_minor_version(message), packet->get_source(packet));
-		send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
 		message->destroy(message);
 		return JOB_REQUEUE_DIRECT;
 	}
-
 	if (message->get_request(message) &&
 		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
-		if (drop_ike_sa_init(this, message))
+		if (this->initiator_only || drop_ike_sa_init(this, message))
 		{
 			message->destroy(message);
 			return JOB_REQUEUE_DIRECT;
 		}
 	}
+	if (message->get_exchange_type(message) == ID_PROT ||
+		message->get_exchange_type(message) == AGGRESSIVE)
+	{
+		id = message->get_ike_sa_id(message);
+		if (id->get_responder_spi(id) == 0 &&
+		   (this->initiator_only || drop_ike_sa_init(this, message)))
+		{
+			message->destroy(message);
+			return JOB_REQUEUE_DIRECT;
+		}
+	}
+
 	if (this->receive_delay)
 	{
 		if (this->receive_delay_type == 0 ||
@@ -450,15 +583,33 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	return JOB_REQUEUE_DIRECT;
 }
 
-METHOD(receiver_t, destroy, void,
-	private_receiver_t *this)
+METHOD(receiver_t, add_esp_cb, void,
+	private_receiver_t *this, receiver_esp_cb_t callback, void *data)
+{
+	this->esp_cb_mutex->lock(this->esp_cb_mutex);
+	this->esp_cb.cb = callback;
+	this->esp_cb.data = data;
+	this->esp_cb_mutex->unlock(this->esp_cb_mutex);
+}
+
+METHOD(receiver_t, del_esp_cb, void,
+	private_receiver_t *this, receiver_esp_cb_t callback)
 {
-	if (this->job)
+	this->esp_cb_mutex->lock(this->esp_cb_mutex);
+	if (this->esp_cb.cb == callback)
 	{
-		this->job->cancel(this->job);
+		this->esp_cb.cb = NULL;
+		this->esp_cb.data = NULL;
 	}
+	this->esp_cb_mutex->unlock(this->esp_cb_mutex);
+}
+
+METHOD(receiver_t, destroy, void,
+	private_receiver_t *this)
+{
 	this->rng->destroy(this->rng);
 	this->hasher->destroy(this->hasher);
+	this->esp_cb_mutex->destroy(this->esp_cb_mutex);
 	free(this);
 }
 
@@ -472,53 +623,64 @@ receiver_t *receiver_create()
 
 	INIT(this,
 		.public = {
+			.add_esp_cb = _add_esp_cb,
+			.del_esp_cb = _del_esp_cb,
 			.destroy = _destroy,
 		},
+		.esp_cb_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.secret_switch = now,
 		.secret_offset = random() % now,
 	);
 
-	if (lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
+	if (lib->settings->get_bool(lib->settings,
+				"%s.dos_protection", TRUE, charon->name))
 	{
 		this->cookie_threshold = lib->settings->get_int(lib->settings,
-						"charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
+				"%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, charon->name);
 		this->block_threshold = lib->settings->get_int(lib->settings,
-						"charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
+				"%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, charon->name);
 	}
 	this->init_limit_job_load = lib->settings->get_int(lib->settings,
-						"charon.init_limit_job_load", 0);
+				"%s.init_limit_job_load", 0, charon->name);
 	this->init_limit_half_open = lib->settings->get_int(lib->settings,
-						"charon.init_limit_half_open", 0);
+				"%s.init_limit_half_open", 0, charon->name);
 	this->receive_delay = lib->settings->get_int(lib->settings,
-						"charon.receive_delay", 0);
+				"%s.receive_delay", 0, charon->name);
 	this->receive_delay_type = lib->settings->get_int(lib->settings,
-						"charon.receive_delay_type", 0),
+				"%s.receive_delay_type", 0, charon->name),
 	this->receive_delay_request = lib->settings->get_bool(lib->settings,
-						"charon.receive_delay_request", TRUE),
-	this->receive_delay_response = lib->settings->get_int(lib->settings,
-						"charon.receive_delay_response", TRUE),
+				"%s.receive_delay_request", TRUE, charon->name),
+	this->receive_delay_response = lib->settings->get_bool(lib->settings,
+				"%s.receive_delay_response", TRUE, charon->name),
+	this->initiator_only = lib->settings->get_bool(lib->settings,
+				"%s.initiator_only", FALSE, charon->name),
 
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
-	if (this->hasher == NULL)
+	if (!this->hasher)
 	{
 		DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
 		free(this);
 		return NULL;
 	}
 	this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (this->rng == NULL)
+	if (!this->rng)
 	{
 		DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
 		this->hasher->destroy(this->hasher);
 		free(this);
 		return NULL;
 	}
-	this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
+	if (!this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret))
+	{
+		DBG1(DBG_NET, "creating cookie secret failed");
+		destroy(this);
+		return NULL;
+	}
 	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_packets,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/receiver.h b/src/libcharon/network/receiver.h
index 1d9d4871e..58bfe4a96 100644
--- a/src/libcharon/network/receiver.h
+++ b/src/libcharon/network/receiver.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,15 +26,28 @@
 typedef struct receiver_t receiver_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
+#include <networking/packet.h>
+
+/**
+ * Callback called for any received UDP encapsulated ESP packet.
+ *
+ * Implementation should be quick as the receiver doesn't receive any packets
+ * while calling this function.
+ *
+ * @param data			data supplied during registration of the callback
+ * @param packet		decapsulated ESP packet
+ */
+typedef void (*receiver_esp_cb_t)(void *data, packet_t *packet);
 
 /**
  * Receives packets from the socket and adds them to the job queue.
  *
- * The receiver starts a thread, which reads on the blocking socket. A received
- * packet is preparsed and a process_message_job is queued in the job queue.
+ * The receiver uses a callback job, which reads on the blocking socket.
+ * A received packet is preparsed and a process_message_job is queued in the
+ * job queue.
  *
- * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
+ * To endure DoS attacks, cookies are enabled when too many IKE_SAs are half
  * open. The calculation of cookies is slightly different from the proposed
  * method in RFC4306. We do not include a nonce, because we think the advantage
  * we gain does not justify the overhead to parse the whole message.
@@ -47,14 +61,32 @@ typedef struct receiver_t receiver_t;
  * secret is stored to allow a clean migration between secret changes.
  *
  * Further, the number of half-initiated IKE_SAs is limited per peer. This
- * mades it impossible for a peer to flood the server with its real IP address.
+ * makes it impossible for a peer to flood the server with its real IP address.
  */
 struct receiver_t {
 
 	/**
+	 * Register a callback which is called for any incoming ESP packets.
+	 *
+	 * @note Only the last callback registered will receive any packets.
+	 *
+	 * @param callback		callback to register
+	 * @param data			data provided to callback
+	 */
+	void (*add_esp_cb)(receiver_t *this, receiver_esp_cb_t callback,
+					   void *data);
+
+	/**
+	 * Unregister a previously registered callback for ESP packets.
+	 *
+	 * @param callback		previously registered callback
+	 */
+	void (*del_esp_cb)(receiver_t *this, receiver_esp_cb_t callback);
+
+	/**
 	 * Destroys a receiver_t object.
 	 */
-	void (*destroy) (receiver_t *receiver);
+	void (*destroy)(receiver_t *this);
 };
 
 /**
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index 4df930b15..dd8efc1ec 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -39,11 +40,6 @@ struct private_sender_t {
 	sender_t public;
 
 	/**
-	 * Sender threads job.
-	 */
-	callback_job_t *job;
-
-	/**
 	 * The packets are stored in a linked list
 	 */
 	linked_list_t *list;
@@ -84,6 +80,15 @@ struct private_sender_t {
 	bool send_delay_response;
 };
 
+METHOD(sender_t, send_no_marker, void,
+	private_sender_t *this, packet_t *packet)
+{
+	this->mutex->lock(this->mutex);
+	this->list->insert_last(this->list, packet);
+	this->got->signal(this->got);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(sender_t, send_, void,
 	private_sender_t *this, packet_t *packet)
 {
@@ -91,7 +96,9 @@ METHOD(sender_t, send_, void,
 
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
-	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	DBG1(DBG_NET, "sending packet: from %#H to %#H (%zu bytes)", src, dst,
+		 packet->get_data(packet).len);
 
 	if (this->send_delay)
 	{
@@ -114,16 +121,23 @@ METHOD(sender_t, send_, void,
 		message->destroy(message);
 	}
 
-	this->mutex->lock(this->mutex);
-	this->list->insert_last(this->list, packet);
-	this->got->signal(this->got);
-	this->mutex->unlock(this->mutex);
+	/* if neither source nor destination port is 500 we add a Non-ESP marker */
+	if (dst->get_port(dst) != IKEV2_UDP_PORT &&
+		src->get_port(src) != IKEV2_UDP_PORT)
+	{
+		chunk_t data, marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
+
+		data = chunk_cat("cc", marker, packet->get_data(packet));
+		packet->set_data(packet, data);
+	}
+
+	send_no_marker(this, packet);
 }
 
 /**
  * Job callback function to send packets
  */
-static job_requeue_t send_packets(private_sender_t * this)
+static job_requeue_t send_packets(private_sender_t *this)
 {
 	packet_t *packet;
 	bool oldstate;
@@ -149,7 +163,7 @@ static job_requeue_t send_packets(private_sender_t * this)
 	return JOB_REQUEUE_DIRECT;
 }
 
-METHOD(sender_t, destroy, void,
+METHOD(sender_t, flush, void,
 	private_sender_t *this)
 {
 	/* send all packets in the queue */
@@ -159,8 +173,12 @@ METHOD(sender_t, destroy, void,
 		this->sent->wait(this->sent, this->mutex);
 	}
 	this->mutex->unlock(this->mutex);
-	this->job->cancel(this->job);
-	this->list->destroy(this->list);
+}
+
+METHOD(sender_t, destroy, void,
+	private_sender_t *this)
+{
+	this->list->destroy_offset(this->list, offsetof(packet_t, destroy));
 	this->got->destroy(this->got);
 	this->sent->destroy(this->sent);
 	this->mutex->destroy(this->mutex);
@@ -177,25 +195,27 @@ sender_t * sender_create()
 	INIT(this,
 		.public = {
 			.send = _send_,
+			.send_no_marker = _send_no_marker,
+			.flush = _flush,
 			.destroy = _destroy,
 		},
 		.list = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.got = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.sent = condvar_create(CONDVAR_TYPE_DEFAULT),
-		.job = callback_job_create_with_prio((callback_job_cb_t)send_packets,
-										this, NULL, NULL, JOB_PRIO_CRITICAL),
 		.send_delay = lib->settings->get_int(lib->settings,
-											"charon.send_delay", 0),
+								"%s.send_delay", 0, charon->name),
 		.send_delay_type = lib->settings->get_int(lib->settings,
-											"charon.send_delay_type", 0),
+								"%s.send_delay_type", 0, charon->name),
 		.send_delay_request = lib->settings->get_bool(lib->settings,
-											"charon.send_delay_request", TRUE),
-		.send_delay_response = lib->settings->get_int(lib->settings,
-											"charon.send_delay_response", TRUE),
+								"%s.send_delay_request", TRUE, charon->name),
+		.send_delay_response = lib->settings->get_bool(lib->settings,
+								"%s.send_delay_response", TRUE, charon->name),
 	);
 
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/sender.h b/src/libcharon/network/sender.h
index f77fadab2..080559b89 100644
--- a/src/libcharon/network/sender.h
+++ b/src/libcharon/network/sender.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,10 +26,10 @@
 typedef struct sender_t sender_t;
 
 #include <library.h>
-#include <network/packet.h>
+#include <networking/packet.h>
 
 /**
- * Thread responsible for sending packets over the socket.
+ * Callback job responsible for sending IKE packets over the socket.
  */
 struct sender_t {
 
@@ -44,6 +45,20 @@ struct sender_t {
 	void (*send) (sender_t *this, packet_t *packet);
 
 	/**
+	 * The same as send() but does not add Non-ESP markers automatically.
+	 *
+	 * @param packet	packet to send
+	 */
+	void (*send_no_marker) (sender_t *this, packet_t *packet);
+
+	/**
+	 * Enforce a flush of the send queue.
+	 *
+	 * This function blocks until all queued packets have been sent.
+	 */
+	void (*flush)(sender_t *this);
+
+	/**
 	 * Destroys a sender object.
 	 */
 	void (*destroy) (sender_t *this);
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index be875035b..e3cda3bea 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -25,10 +25,11 @@
 #define SOCKET_H_
 
 typedef struct socket_t socket_t;
+typedef enum socket_family_t socket_family_t;
 
 #include <library.h>
-#include <network/packet.h>
-#include <utils/enumerator.h>
+#include <networking/packet.h>
+#include <collections/enumerator.h>
 #include <plugins/plugin.h>
 
 /**
@@ -37,6 +38,31 @@ typedef struct socket_t socket_t;
 typedef socket_t *(*socket_constructor_t)();
 
 /**
+ * Address families supported by socket implementations.
+ */
+enum socket_family_t {
+	/**
+	 * No address families supported
+	 */
+	SOCKET_FAMILY_NONE = 0,
+
+	/**
+	 * IPv4
+	 */
+	SOCKET_FAMILY_IPV4 = (1 << 0),
+
+	/**
+	 * IPv6
+	 */
+	SOCKET_FAMILY_IPV6 = (1 << 1),
+
+	/**
+	 * Both address families supported
+	 */
+	SOCKET_FAMILY_BOTH = (1 << 2) - 1,
+};
+
+/**
  * Socket interface definition.
  */
 struct socket_t {
@@ -52,7 +78,7 @@ struct socket_t {
 	 *						- SUCCESS when packet successfully received
 	 *						- FAILED when unable to receive
 	 */
-	status_t (*receive) (socket_t *this, packet_t **packet);
+	status_t (*receive)(socket_t *this, packet_t **packet);
 
 	/**
 	 * Send a packet.
@@ -65,12 +91,27 @@ struct socket_t {
 	 *						- SUCCESS when packet successfully sent
 	 *						- FAILED when unable to send
 	 */
-	status_t (*send) (socket_t *this, packet_t *packet);
+	status_t (*send)(socket_t *this, packet_t *packet);
+
+	/**
+	 * Get the port this socket is listening on.
+	 *
+	 * @param nat_t			TRUE to get the port used to float in case of NAT-T
+	 * @return				the port
+	 */
+	u_int16_t (*get_port)(socket_t *this, bool nat_t);
+
+	/**
+	 * Get the address families this socket is listening on.
+	 *
+	 * @return				supported families
+	 */
+	socket_family_t (*supported_families)(socket_t *this);
 
 	/**
 	 * Destroy a socket implementation.
 	 */
-	void (*destroy) (socket_t *this);
+	void (*destroy)(socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index 72a454301..2a07e503c 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2012 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -20,7 +20,7 @@
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_socket_manager_t private_socket_manager_t;
 
@@ -89,6 +89,32 @@ METHOD(socket_manager_t, sender, status_t,
 	return status;
 }
 
+METHOD(socket_manager_t, get_port, u_int16_t,
+	private_socket_manager_t *this, bool nat_t)
+{
+	u_int16_t port = 0;
+	this->lock->read_lock(this->lock);
+	if (this->socket)
+	{
+		port = this->socket->get_port(this->socket, nat_t);
+	}
+	this->lock->unlock(this->lock);
+	return port;
+}
+
+METHOD(socket_manager_t, supported_families, socket_family_t,
+	private_socket_manager_t *this)
+{
+	socket_family_t families = SOCKET_FAMILY_NONE;
+	this->lock->read_lock(this->lock);
+	if (this->socket)
+	{
+		families = this->socket->supported_families(this->socket);
+	}
+	this->lock->unlock(this->lock);
+	return families;
+}
+
 static void create_socket(private_socket_manager_t *this)
 {
 	socket_constructor_t create;
@@ -153,6 +179,8 @@ socket_manager_t *socket_manager_create()
 		.public = {
 			.send = _sender,
 			.receive = _receiver,
+			.get_port = _get_port,
+			.supported_families = _supported_families,
 			.add_socket = _add_socket,
 			.remove_socket = _remove_socket,
 			.destroy = _destroy,
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
index 94185d21c..a07d0804c 100644
--- a/src/libcharon/network/socket_manager.h
+++ b/src/libcharon/network/socket_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -40,7 +40,7 @@ struct socket_manager_t {
 	 *						- SUCCESS when packet successfully received
 	 *						- FAILED when unable to receive
 	 */
-	status_t (*receive) (socket_manager_t *this, packet_t **packet);
+	status_t (*receive)(socket_manager_t *this, packet_t **packet);
 
 	/**
 	 * Send a packet using the registered socket.
@@ -50,7 +50,22 @@ struct socket_manager_t {
 	 *						- SUCCESS when packet successfully sent
 	 *						- FAILED when unable to send
 	 */
-	status_t (*send) (socket_manager_t *this, packet_t *packet);
+	status_t (*send)(socket_manager_t *this, packet_t *packet);
+
+	/**
+	 * Get the port the registered socket is listening on.
+	 *
+	 * @param nat_t			TRUE to get the port used to float in case of NAT-T
+	 * @return				the port, or 0, if no socket is registered
+	 */
+	u_int16_t (*get_port)(socket_manager_t *this, bool nat_t);
+
+	/**
+	 * Get the address families the registered socket is listening on.
+	 *
+	 * @return				address families
+	 */
+	socket_family_t (*supported_families)(socket_manager_t *this);
 
 	/**
 	 * Register a socket constructor.
diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am
index 50d0457f8..407f22d71 100644
--- a/src/libcharon/plugins/addrblock/Makefile.am
+++ b/src/libcharon/plugins/addrblock/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-addrblock.la
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 3139e20b0..45df4ea24 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_addrblock_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_addrblock_la_OBJECTS = addrblock_plugin.lo \
 	addrblock_narrow.lo addrblock_validator.lo
 libstrongswan_addrblock_la_OBJECTS =  \
 	$(am_libstrongswan_addrblock_la_OBJECTS)
-libstrongswan_addrblock_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_addrblock_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_addrblock_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_addrblock_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_addrblock_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_addrblock_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_addrblock_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-addrblock.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-addrblock.la
 libstrongswan_addrblock_la_SOURCES = \
@@ -341,7 +406,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -349,6 +413,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -370,8 +436,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) 
-	$(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS)
+libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) $(EXTRA_libstrongswan_addrblock_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -384,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -509,10 +575,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c
index 72c551f0f..723747d8e 100644
--- a/src/libcharon/plugins/addrblock/addrblock_plugin.c
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c
@@ -16,6 +16,7 @@
 #include "addrblock_plugin.h"
 
 #include <daemon.h>
+#include <plugins/plugin_feature.h>
 
 #include "addrblock_validator.h"
 #include "addrblock_narrow.h"
@@ -49,11 +50,41 @@ METHOD(plugin_t, get_name, char*,
 	return "addrblock";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_addrblock_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+		charon->bus->add_listener(charon->bus, &this->narrower->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->narrower->listener);
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_addrblock_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "addrblock"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_addrblock_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->narrower->listener);
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
 	this->narrower->destroy(this->narrower);
 	this->validator->destroy(this->validator);
 	free(this);
@@ -70,15 +101,13 @@ plugin_t *addrblock_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.validator = addrblock_validator_create(),
 		.narrower = addrblock_narrow_create(),
 	);
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
-	charon->bus->add_listener(charon->bus, &this->narrower->listener);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 1b07378f7..372c978a2 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -15,7 +15,7 @@
 
 #include "addrblock_validator.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <selectors/traffic_selector.h>
 
@@ -94,7 +94,12 @@ METHOD(cert_validator_t, validate, bool,
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509)
 	{
-		return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+		if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
+			return FALSE;
+		}
 	}
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am
deleted file mode 100644
index b922ef4af..000000000
--- a/src/libcharon/plugins/android/Makefile.am
+++ /dev/null
@@ -1,21 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-android.la
-else
-plugin_LTLIBRARIES = libstrongswan-android.la
-endif
-
-libstrongswan_android_la_SOURCES = \
-	android_plugin.c android_plugin.h \
-	android_service.c android_service.h \
-	android_handler.c android_handler.h \
-	android_logger.c android_logger.h \
-	android_creds.c android_creds.h
-
-libstrongswan_android_la_LDFLAGS = -module -avoid-version
-libstrongswan_android_la_LIBADD  = -lcutils
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
deleted file mode 100644
index 50e5f638e..000000000
--- a/src/libcharon/plugins/android/Makefile.in
+++ /dev/null
@@ -1,623 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/android
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_android_la_DEPENDENCIES =
-am_libstrongswan_android_la_OBJECTS = android_plugin.lo \
-	android_service.lo android_handler.lo android_logger.lo \
-	android_creds.lo
-libstrongswan_android_la_OBJECTS =  \
-	$(am_libstrongswan_android_la_OBJECTS)
-libstrongswan_android_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_android_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_android_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_android_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_android_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_android_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android.la
-libstrongswan_android_la_SOURCES = \
-	android_plugin.c android_plugin.h \
-	android_service.c android_service.h \
-	android_handler.c android_handler.h \
-	android_logger.c android_logger.h \
-	android_creds.c android_creds.h
-
-libstrongswan_android_la_LDFLAGS = -module -avoid-version
-libstrongswan_android_la_LIBADD = -lcutils
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/android/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-android.la: $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_DEPENDENCIES) 
-	$(libstrongswan_android_la_LINK) $(am_libstrongswan_android_la_rpath) $(libstrongswan_android_la_OBJECTS) $(libstrongswan_android_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_handler.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_logger.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_service.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c
deleted file mode 100644
index 601c91e7b..000000000
--- a/src/libcharon/plugins/android/android_creds.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <keystore_get.h>
-
-#include "android_creds.h"
-
-#include <daemon.h>
-#include <threading/rwlock.h>
-
-typedef struct private_android_creds_t private_android_creds_t;
-
-/**
- * Private data of an android_creds_t object
- */
-struct private_android_creds_t {
-
-	/**
-	 * Public interface
-	 */
-	android_creds_t public;
-
-	/**
-	 * List of trusted certificates, certificate_t*
-	 */
-	linked_list_t *certs;
-
-	/**
-	 * User name (ID)
-	 */
-	identification_t *user;
-
-	/**
-	 * User password
-	 */
-	char *pass;
-
-	/**
-	 * read/write lock
-	 */
-	rwlock_t *lock;
-
-};
-
-/**
- * Certificate enumerator data
- */
-typedef struct {
-	private_android_creds_t *this;
-	key_type_t key;
-	identification_t *id;
-} cert_data_t;
-
-/**
- * Filter function for certificates enumerator
- */
-static bool cert_filter(cert_data_t *data, certificate_t **in,
-						certificate_t **out)
-{
-	certificate_t *cert = *in;
-	public_key_t *public;
-
-	public = cert->get_public_key(cert);
-	if (!public)
-	{
-		return FALSE;
-	}
-	if (data->key != KEY_ANY && public->get_type(public) != data->key)
-	{
-		public->destroy(public);
-		return FALSE;
-	}
-	if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
-		public->has_fingerprint(public, data->id->get_encoding(data->id)))
-	{
-		public->destroy(public);
-		*out = cert;
-		return TRUE;
-	}
-	public->destroy(public);
-	if (data->id && !cert->has_subject(cert, data->id))
-	{
-		return FALSE;
-	}
-	*out = cert;
-	return TRUE;
-}
-
-/**
- * Destroy certificate enumerator data
- */
-static void cert_data_destroy(cert_data_t *this)
-{
-	this->this->lock->unlock(this->this->lock);
-	free(this);
-}
-
-METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
-	   private_android_creds_t *this, certificate_type_t cert, key_type_t key,
-	   identification_t *id, bool trusted)
-{
-	if (cert == CERT_X509 || cert == CERT_ANY)
-	{
-		cert_data_t *data;
-		this->lock->read_lock(this->lock);
-		INIT(data, .this = this, .id = id, .key = key);
-		return enumerator_create_filter(
-						this->certs->create_enumerator(this->certs),
-						(void*)cert_filter, data, (void*)cert_data_destroy);
-	}
-	return NULL;
-}
-
-/**
- * Shared key enumerator implementation
- */
-typedef struct {
-	enumerator_t public;
-	private_android_creds_t *this;
-	shared_key_t *key;
-	bool done;
-} shared_enumerator_t;
-
-METHOD(enumerator_t, shared_enumerate, bool,
-	   shared_enumerator_t *this, shared_key_t **key, id_match_t *me,
-	   id_match_t *other)
-{
-	if (this->done)
-	{
-		return FALSE;
-	}
-	*key = this->key;
-	*me = ID_MATCH_PERFECT;
-	*other = ID_MATCH_ANY;
-	this->done = TRUE;
-	return TRUE;
-}
-
-METHOD(enumerator_t, shared_destroy, void,
-	   shared_enumerator_t *this)
-{
-	this->key->destroy(this->key);
-	this->this->lock->unlock(this->this->lock);
-	free(this);
-}
-
-METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
-	   private_android_creds_t *this, shared_key_type_t type,
-	   identification_t *me, identification_t *other)
-{
-	shared_enumerator_t *enumerator;
-
-	this->lock->read_lock(this->lock);
-
-	if (!this->user || !this->pass)
-	{
-		this->lock->unlock(this->lock);
-		return NULL;
-	}
-	if (type != SHARED_EAP && type != SHARED_IKE)
-	{
-		this->lock->unlock(this->lock);
-		return NULL;
-	}
-	if (me && !me->equals(me, this->user))
-	{
-		this->lock->unlock(this->lock);
-		return NULL;
-	}
-
-	INIT(enumerator,
-		.public = {
-			.enumerate = (void*)_shared_enumerate,
-			.destroy = _shared_destroy,
-		},
-		.this = this,
-		.done = FALSE,
-		.key = shared_key_create(type, chunk_clone(chunk_create(this->pass,
-												   strlen(this->pass)))),
-	);
-	return &enumerator->public;
-}
-
-METHOD(android_creds_t, add_certificate, bool,
-	   private_android_creds_t *this, char *name)
-{
-	certificate_t *cert = NULL;
-	bool status = FALSE;
-	chunk_t chunk;
-#ifdef KEYSTORE_MESSAGE_SIZE
-	/* most current interface, the eclair interface (without key length) is
-	 * currently not supported */
-	char value[KEYSTORE_MESSAGE_SIZE];
-	chunk.ptr = value;
-	chunk.len = keystore_get(name, strlen(name), chunk.ptr);
-	if (chunk.len > 0)
-#else
-	/* 1.6 interface, allocates memory */
-	chunk.ptr = keystore_get(name, &chunk.len);
-	if (chunk.ptr)
-#endif /* KEYSTORE_MESSAGE_SIZE */
-	{
-		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-								  BUILD_BLOB_PEM, chunk, BUILD_END);
-		if (cert)
-		{
-			this->lock->write_lock(this->lock);
-			this->certs->insert_last(this->certs, cert);
-			this->lock->unlock(this->lock);
-			status = TRUE;
-		}
-#ifndef KEYSTORE_MESSAGE_SIZE
-		free(chunk.ptr);
-#endif /* KEYSTORE_MESSAGE_SIZE */
-	}
-	return status;
-}
-
-METHOD(android_creds_t, set_username_password, void,
-	   private_android_creds_t *this, identification_t *id, char *password)
-{
-	this->lock->write_lock(this->lock);
-	DESTROY_IF(this->user);
-	this->user = id->clone(id);
-	free(this->pass);
-	this->pass = strdupnull(password);
-	this->lock->unlock(this->lock);
-}
-
-METHOD(android_creds_t, clear, void,
-	   private_android_creds_t *this)
-{
-	certificate_t *cert;
-	this->lock->write_lock(this->lock);
-	while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
-	{
-		cert->destroy(cert);
-	}
-	DESTROY_IF(this->user);
-	free(this->pass);
-	this->user = NULL;
-	this->pass = NULL;
-	this->lock->unlock(this->lock);
-}
-
-METHOD(android_creds_t, destroy, void,
-	   private_android_creds_t *this)
-{
-	clear(this);
-	this->certs->destroy(this->certs);
-	this->lock->destroy(this->lock);
-	free(this);
-}
-
-/**
- * Described in header.
- */
-android_creds_t *android_creds_create()
-{
-	private_android_creds_t *this;
-
-	INIT(this,
-		.public = {
-			.set = {
-				.create_cert_enumerator = _create_cert_enumerator,
-				.create_shared_enumerator = _create_shared_enumerator,
-				.create_private_enumerator = (void*)return_null,
-				.create_cdp_enumerator = (void*)return_null,
-				.cache_cert = (void*)nop,
-			},
-			.add_certificate = _add_certificate,
-			.set_username_password = _set_username_password,
-			.clear = _clear,
-			.destroy = _destroy,
-		},
-		.certs = linked_list_create(),
-		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_creds.h b/src/libcharon/plugins/android/android_creds.h
deleted file mode 100644
index 0f7b8e0ea..000000000
--- a/src/libcharon/plugins/android/android_creds.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_creds android_creds
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_CREDS_H_
-#define ANDROID_CREDS_H_
-
-#include <credentials/credential_set.h>
-
-typedef struct android_creds_t android_creds_t;
-
-/**
- * Android credentials helper.
- */
-struct android_creds_t {
-
-	/**
-	 * Implements credential_set_t
-	 */
-	credential_set_t set;
-
-	/**
-	 * Add a trusted CA certificate from the Android keystore to serve by
-	 * this set.
-	 *
-	 * @param name		name/ID of the certificate in the keystore
-	 * @return			FALSE if the certificate does not exist or is invalid
-	 */
-	bool (*add_certificate)(android_creds_t *this, char *name);
-
-	/**
-	 * Set the username and password for authentication.
-	 *
-	 * @param id		ID of the user
-	 * @param password	password to use for authentication
-	 */
-	void (*set_username_password)(android_creds_t *this, identification_t *id,
-								  char *password);
-
-	/**
-	 * Clear the stored credentials.
-	 */
-	void (*clear)(android_creds_t *this);
-
-	/**
-	 * Destroy a android_creds instance.
-	 */
-	void (*destroy)(android_creds_t *this);
-
-};
-
-/**
- * Create an android_creds instance.
- */
-android_creds_t *android_creds_create();
-
-#endif /** ANDROID_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c
deleted file mode 100644
index a53962f16..000000000
--- a/src/libcharon/plugins/android/android_handler.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * Copyright (C) 2010-2011 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "android_handler.h"
-
-#include <utils/linked_list.h>
-
-#include <cutils/properties.h>
-
-typedef struct private_android_handler_t private_android_handler_t;
-
-/**
- * Private data of an android_handler_t object.
- */
-struct private_android_handler_t {
-
-	/**
-	 * Public android_handler_t interface.
-	 */
-	android_handler_t public;
-
-	/**
-	 * List of registered DNS servers
-	 */
-	linked_list_t *dns;
-
-	/**
-	 * Whether the VPN frontend is used
-	 */
-	bool frontend;
-};
-
-/**
- * Prefixes to be used when installing DNS servers
- */
-#define DNS_PREFIX_DEFAULT  "net"
-#define DNS_PREFIX_FRONTEND "vpn"
-
-/**
- * Struct to store a pair of old and installed DNS servers
- */
-typedef struct {
-	/** installed dns server */
-	host_t *dns;
-	/** old dns server */
-	host_t *old;
-} dns_pair_t;
-
-/**
- * Destroy a pair of old and installed DNS servers
- */
-void destroy_dns_pair(dns_pair_t *this)
-{
-	DESTROY_IF(this->dns);
-	DESTROY_IF(this->old);
-	free(this);
-}
-
-/**
- * Filter pairs of DNS servers
- */
-bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out)
-{
-	*out = (*in)->dns;
-	return TRUE;
-}
-
-/**
- * Read DNS server property with a given index
- */
-host_t *get_dns_server(private_android_handler_t *this, int index)
-{
-	host_t *dns = NULL;
-	char key[10], value[PROPERTY_VALUE_MAX],
-		 *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT;
-
-	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
-	{
-		return NULL;
-	}
-
-	if (property_get(key, value, NULL) > 0)
-	{
-		dns = host_create_from_string(value, 0);
-	}
-	return dns;
-}
-
-/**
- * Set DNS server property with a given index
- */
-bool set_dns_server(private_android_handler_t *this, int index, host_t *dns)
-{
-	char key[10], value[PROPERTY_VALUE_MAX],
-		 *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT;
-
-	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
-	{
-		return FALSE;
-	}
-
-	if (dns)
-	{
-		if (snprintf(value, sizeof(value), "%H", dns) >= sizeof(value))
-		{
-			return FALSE;
-		}
-	}
-	else
-	{
-		value[0] = '\0';
-	}
-
-	if (property_set(key, value) != 0)
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(attribute_handler_t, handle, bool,
-	private_android_handler_t *this, identification_t *id,
-	configuration_attribute_type_t type, chunk_t data)
-{
-	switch (type)
-	{
-		case INTERNAL_IP4_DNS:
-		{
-			host_t *dns;
-			dns_pair_t *pair;
-			int index;
-
-			dns = host_create_from_chunk(AF_INET, data, 0);
-			if (dns)
-			{
-				pair = malloc_thing(dns_pair_t);
-				pair->dns = dns;
-				index = this->dns->get_count(this->dns) + 1;
-				pair->old = get_dns_server(this, index);
-				set_dns_server(this, index, dns);
-				this->dns->insert_last(this->dns, pair);
-				return TRUE;
-			}
-			return FALSE;
-		}
-		default:
-			return FALSE;
-	}
-}
-
-METHOD(attribute_handler_t, release, void,
-	private_android_handler_t *this, identification_t *server,
-	configuration_attribute_type_t type, chunk_t data)
-{
-	if (type == INTERNAL_IP4_DNS)
-	{
-		enumerator_t *enumerator;
-		dns_pair_t *pair;
-		int index;
-
-		enumerator = this->dns->create_enumerator(this->dns);
-		for (index = 1; enumerator->enumerate(enumerator, &pair); index++)
-		{
-			if (chunk_equals(pair->dns->get_address(pair->dns), data))
-			{
-				this->dns->remove_at(this->dns, enumerator);
-				set_dns_server(this, index, pair->old);
-				destroy_dns_pair(pair);
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-}
-
-METHOD(enumerator_t, enumerate_dns, bool,
-	enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
-{
-	*type = INTERNAL_IP4_DNS;
-	*data = chunk_empty;
-	/* stop enumeration */
-	this->enumerate = (void*)return_false;
-	return TRUE;
-}
-
-METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
-	android_handler_t *this, identification_t *id, host_t *vip)
-{
-	enumerator_t *enumerator;
-
-	INIT(enumerator,
-		.enumerate = (void*)_enumerate_dns,
-		.destroy = (void*)free,
-	);
-	return enumerator;
-}
-
-METHOD(android_handler_t, destroy, void,
-	private_android_handler_t *this)
-{
-	this->dns->destroy_function(this->dns, (void*)destroy_dns_pair);
-	free(this);
-}
-
-/**
- * See header
- */
-android_handler_t *android_handler_create(bool frontend)
-{
-	private_android_handler_t *this;
-
-	INIT(this,
-		.public = {
-			.handler = {
-				.handle = _handle,
-				.release = _release,
-				.create_attribute_enumerator = _create_attribute_enumerator,
-			},
-			.destroy = _destroy,
-		},
-		.dns = linked_list_create(),
-		.frontend = frontend,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_handler.h b/src/libcharon/plugins/android/android_handler.h
deleted file mode 100644
index 0170958ee..000000000
--- a/src/libcharon/plugins/android/android_handler.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2010-2011 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_handler android_handler
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_HANDLER_H_
-#define ANDROID_HANDLER_H_
-
-#include <attributes/attribute_handler.h>
-
-typedef struct android_handler_t android_handler_t;
-
-/**
- * Android specific DNS attribute handler.
- */
-struct android_handler_t {
-
-	/**
-	 * Implements attribute_handler_t.
-	 */
-	attribute_handler_t handler;
-
-	/**
-	 * Destroy a android_handler_t.
-	 */
-	void (*destroy)(android_handler_t *this);
-};
-
-/**
- * Create a android_handler instance.
- *
- * @param frontend		TRUE if the VPN frontend is used
- */
-android_handler_t *android_handler_create(bool frontend);
-
-#endif /** ANDROID_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_logger.c b/src/libcharon/plugins/android/android_logger.c
deleted file mode 100644
index f7624b2c7..000000000
--- a/src/libcharon/plugins/android/android_logger.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-#include <android/log.h>
-
-#include "android_logger.h"
-
-#include <library.h>
-#include <daemon.h>
-
-typedef struct private_android_logger_t private_android_logger_t;
-
-/**
- * Private data of an android_logger_t object
- */
-struct private_android_logger_t {
-
-	/**
-	 * Public interface
-	 */
-	android_logger_t public;
-
-	/**
-	 * logging level
-	 */
-	int level;
-
-};
-
-
-METHOD(listener_t, log_, bool,
-	   private_android_logger_t *this, debug_t group, level_t level,
-	   int thread, ike_sa_t* ike_sa, char *format, va_list args)
-{
-	if (level <= this->level)
-	{
-		int prio = level > 1 ? ANDROID_LOG_DEBUG : ANDROID_LOG_INFO;
-		char sgroup[16], buffer[8192];
-		char *current = buffer, *next;
-		snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group);
-		vsnprintf(buffer, sizeof(buffer), format, args);
-		while (current)
-		{	/* log each line separately */
-			next = strchr(current, '\n');
-			if (next)
-			{
-				*(next++) = '\0';
-			}
-			__android_log_print(prio, "charon", "%.2d[%s] %s\n",
-								thread, sgroup, current);
-			current = next;
-		}
-	}
-	/* always stay registered */
-	return TRUE;
-}
-
-METHOD(android_logger_t, destroy, void,
-	   private_android_logger_t *this)
-{
-	free(this);
-}
-
-/**
- * Described in header.
- */
-android_logger_t *android_logger_create()
-{
-	private_android_logger_t *this;
-
-	INIT(this,
-		.public = {
-			.listener = {
-				.log = _log_,
-			},
-			.destroy = _destroy,
-		},
-		.level = lib->settings->get_int(lib->settings,
-										"charon.plugins.android.loglevel", 1),
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_logger.h b/src/libcharon/plugins/android/android_logger.h
deleted file mode 100644
index c6fe5aff3..000000000
--- a/src/libcharon/plugins/android/android_logger.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_logger android_logger
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_LOGGER_H_
-#define ANDROID_LOGGER_H_
-
-#include <bus/bus.h>
-
-typedef struct android_logger_t android_logger_t;
-
-/**
- * Android specific logger.
- */
-struct android_logger_t {
-
-	/**
-	 * Implements bus_listener_t interface
-	 */
-	listener_t listener;
-
-	/**
-	 * Destroy the logger.
-	 */
-	void (*destroy)(android_logger_t *this);
-
-};
-
-/**
- * Create an Android specific logger instance.
- *
- * @return			logger instance
- */
-android_logger_t *android_logger_create();
-
-#endif /** ANDROID_LOGGER_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
deleted file mode 100644
index 091f34a8e..000000000
--- a/src/libcharon/plugins/android/android_plugin.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "android_plugin.h"
-#include "android_logger.h"
-#include "android_handler.h"
-#include "android_creds.h"
-#include "android_service.h"
-
-#include <hydra.h>
-#include <daemon.h>
-
-typedef struct private_android_plugin_t private_android_plugin_t;
-
-/**
- * Private data of an android_plugin_t object.
- */
-struct private_android_plugin_t {
-
-	/**
-	 * Public android_plugin_t interface.
-	 */
-	android_plugin_t public;
-
-	/**
-	 * Android specific logger
-	 */
-	android_logger_t *logger;
-
-	/**
-	 * Android specific DNS handler
-	 */
-	android_handler_t *handler;
-
-	/**
-	 * Android specific credential set
-	 */
-	android_creds_t *creds;
-
-	/**
-	 * Service that interacts with the Android Settings frontend
-	 */
-	android_service_t *service;
-};
-
-METHOD(plugin_t, get_name, char*,
-	private_android_plugin_t *this)
-{
-	return "android";
-}
-
-METHOD(plugin_t, destroy, void,
-	private_android_plugin_t *this)
-{
-	hydra->attributes->remove_handler(hydra->attributes,
-									  &this->handler->handler);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	charon->bus->remove_listener(charon->bus, &this->logger->listener);
-	this->creds->destroy(this->creds);
-	this->handler->destroy(this->handler);
-	this->logger->destroy(this->logger);
-	DESTROY_IF(this->service);
-	free(this);
-}
-
-/**
- * See header
- */
-plugin_t *android_plugin_create()
-{
-	private_android_plugin_t *this;
-
-	INIT(this,
-		.public = {
-			.plugin = {
-				.get_name = _get_name,
-				.reload = (void*)return_false,
-				.destroy = _destroy,
-			},
-		},
-		.logger = android_logger_create(),
-		.creds = android_creds_create(),
-	);
-
-	this->service = android_service_create(this->creds);
-	this->handler = android_handler_create(this->service != NULL);
-
-	charon->bus->add_listener(charon->bus, &this->logger->listener);
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/libcharon/plugins/android/android_plugin.h b/src/libcharon/plugins/android/android_plugin.h
deleted file mode 100644
index 987f2aa37..000000000
--- a/src/libcharon/plugins/android/android_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android android
- * @ingroup cplugins
- *
- * @defgroup android_plugin android_plugin
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_PLUGIN_H_
-#define ANDROID_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct android_plugin_t android_plugin_t;
-
-/**
- * Plugin providing functionality specific to the Android platform.
- */
-struct android_plugin_t {
-
-	/**
-	 * Implements plugin interface.
-	 */
-	plugin_t plugin;
-};
-
-#endif /** ANDROID_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
deleted file mode 100644
index 487567f2a..000000000
--- a/src/libcharon/plugins/android/android_service.c
+++ /dev/null
@@ -1,385 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <unistd.h>
-#include <cutils/sockets.h>
-#include <cutils/properties.h>
-#include <signal.h>
-
-#include "android_service.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <processing/jobs/callback_job.h>
-
-typedef struct private_android_service_t private_android_service_t;
-
-/**
- * private data of Android service
- */
-struct private_android_service_t {
-
-	/**
-	 * public interface
-	 */
-	android_service_t public;
-
-	/**
-	 * current IKE_SA
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * job that handles requests from the Android control socket
-	 */
-	callback_job_t *job;
-
-	/**
-	 * android credentials
-	 */
-	android_creds_t *creds;
-
-	/**
-	 * android control socket
-	 */
-	int control;
-
-};
-
-/**
- * Some of the error codes defined in VpnManager.java
- */
-typedef enum {
-	/** Error code to indicate an error from authentication. */
-	VPN_ERROR_AUTH = 51,
-	/** Error code to indicate the connection attempt failed. */
-	VPN_ERROR_CONNECTION_FAILED = 101,
-	/** Error code to indicate an error of remote server hanging up. */
-	VPN_ERROR_REMOTE_HUNG_UP = 7,
-	/** Error code to indicate an error of losing connectivity. */
-	VPN_ERROR_CONNECTION_LOST = 103,
-} android_vpn_errors_t;
-
-/**
- * send a status code back to the Android app
- */
-static void send_status(private_android_service_t *this, u_char code)
-{
-	DBG1(DBG_CFG, "status of Android plugin changed: %d", code);
-	send(this->control, &code, 1, 0);
-}
-
-METHOD(listener_t, ike_updown, bool,
-	   private_android_service_t *this, ike_sa_t *ike_sa, bool up)
-{
-	/* this callback is only registered during initiation, so if the IKE_SA
-	 * goes down we assume an authentication error */
-	if (this->ike_sa == ike_sa && !up)
-	{
-		send_status(this, VPN_ERROR_AUTH);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(listener_t, child_state_change, bool,
-	   private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	   child_sa_state_t state)
-{
-	/* this callback is only registered during initiation, so we still have
-	 * the control socket open */
-	if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
-	{
-		send_status(this, VPN_ERROR_CONNECTION_FAILED);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Callback used to shutdown the daemon
- */
-static job_requeue_t shutdown_callback(void *data)
-{
-	kill(0, SIGTERM);
-	return JOB_REQUEUE_NONE;
-}
-
-METHOD(listener_t, child_updown, bool,
-	   private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-	   bool up)
-{
-	if (this->ike_sa == ike_sa)
-	{
-		if (up)
-		{
-			/* disable the hooks registered to catch initiation failures */
-			this->public.listener.ike_updown = NULL;
-			this->public.listener.child_state_change = NULL;
-			property_set("vpn.status", "ok");
-		}
-		else
-		{
-			callback_job_t *job;
-			/* the control socket is closed as soon as vpn.status is set to "ok"
-			 * and the daemon proxy then only checks for terminated daemons to
-			 * detect lost connections, so... */
-			DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM");
-			/* to avoid any conflicts we send the SIGTERM not directly from this
-			 * callback, but from a different thread. we also delay it to avoid
-			 * a race condition during a regular shutdown */
-			job = callback_job_create(shutdown_callback, NULL, NULL, NULL);
-			lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1);
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-METHOD(listener_t, ike_rekey, bool,
-	   private_android_service_t *this, ike_sa_t *old, ike_sa_t *new)
-{
-	if (this->ike_sa == old)
-	{
-		this->ike_sa = new;
-	}
-	return TRUE;
-}
-
-/**
- * Read a string argument from the Android control socket
- */
-static char *read_argument(int fd, u_char length)
-{
-	int offset = 0;
-	char *data = malloc(length + 1);
-	while (offset < length)
-	{
-		int n = recv(fd, &data[offset], length - offset, 0);
-		if (n < 0)
-		{
-			DBG1(DBG_CFG, "failed to read argument from Android"
-				 " control socket: %s", strerror(errno));
-			free(data);
-			return NULL;
-		}
-		offset += n;
-	}
-	data[length] = '\0';
-	DBG3(DBG_CFG, "received argument from Android control socket: %s", data);
-	return data;
-}
-
-/**
- * handle the request received from the Android control socket
- */
-static job_requeue_t initiate(private_android_service_t *this)
-{
-	bool oldstate;
-	int fd, i = 0;
-	char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
-	identification_t *gateway = NULL, *user = NULL;
-	ike_cfg_t *ike_cfg;
-	peer_cfg_t *peer_cfg;
-	child_cfg_t *child_cfg;
-	traffic_selector_t *ts;
-	ike_sa_t *ike_sa;
-	auth_cfg_t *auth;
-	lifetime_cfg_t lifetime = {
-		.time = {
-			.life = 10800, /* 3h */
-			.rekey = 10200, /* 2h50min */
-			.jitter = 300 /* 5min */
-		}
-	};
-
-	fd = accept(this->control, NULL, 0);
-	if (fd < 0)
-	{
-		DBG1(DBG_CFG, "accept on Android control socket failed: %s",
-			 strerror(errno));
-		return JOB_REQUEUE_NONE;
-	}
-	/* the original control socket is not used anymore */
-	close(this->control);
-	this->control = fd;
-
-	while (TRUE)
-	{
-		u_char length;
-		if (recv(fd, &length, 1, 0) != 1)
-		{
-			DBG1(DBG_CFG, "failed to read from Android control socket: %s",
-				 strerror(errno));
-			return JOB_REQUEUE_NONE;
-		}
-
-		if (length == 0xFF)
-		{	/* last argument */
-			break;
-		}
-		else
-		{
-			switch (i++)
-			{
-				case 0: /* gateway */
-					hostname = read_argument(fd, length);
-					break;
-				case 1: /* CA certificate name */
-					cacert = read_argument(fd, length);
-					break;
-				case 2: /* username */
-					username = read_argument(fd, length);
-					break;
-				case 3: /* password */
-					password = read_argument(fd, length);
-					break;
-			}
-		}
-	}
-
-	if (cacert)
-	{
-		if (!this->creds->add_certificate(this->creds, cacert))
-		{
-			DBG1(DBG_CFG, "failed to load CA certificate");
-		}
-		/* if this is a server cert we could use the cert subject as id
-		 * but we have to test first if that possible to configure */
-	}
-
-	gateway = identification_create_from_string(hostname);
-	DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
-
-	if (username)
-	{
-		user = identification_create_from_string(username);
-		this->creds->set_username_password(this->creds, user, password);
-	}
-
-	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
-							 hostname, IKEV2_UDP_PORT);
-	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-
-	peer_cfg = peer_cfg_create("android", 2, ike_cfg, CERT_SEND_IF_ASKED,
-							   UNIQUE_REPLACE, 1, /* keyingtries */
-							   36000, 0, /* rekey 10h, reauth none */
-							   600, 600, /* jitter, over 10min */
-							   TRUE, 0, /* mobike, DPD */
-							   host_create_from_string("0.0.0.0", 0) /* virt */,
-							   NULL, FALSE, NULL, NULL); /* pool, mediation */
-
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-	auth->add(auth, AUTH_RULE_IDENTITY, user);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-	auth = auth_cfg_create();
-	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
-	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-
-	child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
-								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-								 0, 0, NULL, NULL, 0);
-	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
-											 0, "255.255.255.255", 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-	/* get an additional reference because initiate consumes one */
-	child_cfg->get_ref(child_cfg);
-
-	/* get us an IKE_SA */
-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														peer_cfg);
-	if (!ike_sa->get_peer_cfg(ike_sa))
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-	}
-	peer_cfg->destroy(peer_cfg);
-
-	/* store the IKE_SA so we can track its progress */
-	this->ike_sa = ike_sa;
-
-	/* confirm that we received the request */
-	send_status(this, i);
-
-	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
-	{
-		DBG1(DBG_CFG, "failed to initiate tunnel");
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-													ike_sa);
-		send_status(this, VPN_ERROR_CONNECTION_FAILED);
-		return JOB_REQUEUE_NONE;
-	}
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return JOB_REQUEUE_NONE;
-}
-
-METHOD(android_service_t, destroy, void,
-	   private_android_service_t *this)
-{
-	charon->bus->remove_listener(charon->bus, &this->public.listener);
-	close(this->control);
-	free(this);
-}
-
-/**
- * See header
- */
-android_service_t *android_service_create(android_creds_t *creds)
-{
-	private_android_service_t *this;
-
-	INIT(this,
-		.public = {
-			.listener = {
-				.ike_updown = _ike_updown,
-				.child_state_change = _child_state_change,
-				.child_updown = _child_updown,
-				.ike_rekey = _ike_rekey,
-			},
-			.destroy = _destroy,
-		},
-		.creds = creds,
-	);
-
-	this->control = android_get_control_socket("charon");
-	if (this->control == -1)
-	{
-		DBG1(DBG_CFG, "failed to get Android control socket");
-		free(this);
-		return NULL;
-	}
-
-	if (listen(this->control, 1) < 0)
-	{
-		DBG1(DBG_CFG, "failed to listen on Android control socket: %s",
-			 strerror(errno));
-		close(this->control);
-		free(this);
-		return NULL;
-	}
-
-	charon->bus->add_listener(charon->bus, &this->public.listener);
-	this->job = callback_job_create((callback_job_cb_t)initiate, this,
-									NULL, NULL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_service.h b/src/libcharon/plugins/android/android_service.h
deleted file mode 100644
index d096d6cd5..000000000
--- a/src/libcharon/plugins/android/android_service.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_service android_service
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_SERVICE_H_
-#define ANDROID_SERVICE_H_
-
-typedef struct android_service_t android_service_t;
-
-#include <bus/listeners/listener.h>
-
-#include "android_creds.h"
-
-/**
- * Service that interacts with the Android Settings frontend.
- */
-struct android_service_t {
-
-	/**
-	 * Implements listener_t.
-	 */
-	listener_t listener;
-
-	/**
-	 * Destroy a android_service_t.
-	 */
-	void (*destroy)(android_service_t *this);
-
-};
-
-/**
- * Create an Android service instance.
- *
- * @param creds		Android credentials
- */
-android_service_t *android_service_create(android_creds_t *creds);
-
-#endif /** ANDROID_SERVICE_H_ @}*/
diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am
new file mode 100644
index 000000000..ebad963bb
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/Makefile.am
@@ -0,0 +1,20 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-android-dns.la
+else
+plugin_LTLIBRARIES = libstrongswan-android-dns.la
+endif
+
+libstrongswan_android_dns_la_SOURCES = \
+	android_dns_plugin.c android_dns_plugin.h \
+	android_dns_handler.c android_dns_handler.h
+
+libstrongswan_android_dns_la_LDFLAGS = -module -avoid-version
+libstrongswan_android_dns_la_LIBADD  = -lcutils
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
new file mode 100644
index 000000000..dbc69b922
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -0,0 +1,688 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/android_dns
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_android_dns_la_DEPENDENCIES =
+am_libstrongswan_android_dns_la_OBJECTS = android_dns_plugin.lo \
+	android_dns_handler.lo
+libstrongswan_android_dns_la_OBJECTS =  \
+	$(am_libstrongswan_android_dns_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_android_dns_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_android_dns_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_android_dns_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_android_dns_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_android_dns_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_android_dns_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android-dns.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android-dns.la
+libstrongswan_android_dns_la_SOURCES = \
+	android_dns_plugin.c android_dns_plugin.h \
+	android_dns_handler.c android_dns_handler.h
+
+libstrongswan_android_dns_la_LDFLAGS = -module -avoid-version
+libstrongswan_android_dns_la_LIBADD = -lcutils
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android_dns/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/android_dns/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-android-dns.la: $(libstrongswan_android_dns_la_OBJECTS) $(libstrongswan_android_dns_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_dns_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_android_dns_la_LINK) $(am_libstrongswan_android_dns_la_rpath) $(libstrongswan_android_dns_la_OBJECTS) $(libstrongswan_android_dns_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_dns_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_dns_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
new file mode 100644
index 000000000..526810355
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_dns_handler.h"
+
+#include <networking/host.h>
+#include <collections/linked_list.h>
+
+#include <cutils/properties.h>
+
+typedef struct private_android_dns_handler_t private_android_dns_handler_t;
+
+/**
+ * Private data of an android_dns_handler_t object.
+ */
+struct private_android_dns_handler_t {
+
+	/**
+	 * Public interface
+	 */
+	android_dns_handler_t public;
+
+	/**
+	 * List of registered DNS servers
+	 */
+	linked_list_t *dns;
+};
+
+/**
+ * Prefix to be used when installing DNS servers
+ */
+#define DNS_PREFIX_DEFAULT  "net"
+
+/**
+ * Struct to store a pair of old and installed DNS servers
+ */
+typedef struct {
+	/** installed dns server */
+	host_t *dns;
+	/** old dns server */
+	host_t *old;
+} dns_pair_t;
+
+/**
+ * Destroy a pair of old and installed DNS servers
+ */
+static void destroy_dns_pair(dns_pair_t *this)
+{
+	DESTROY_IF(this->dns);
+	DESTROY_IF(this->old);
+	free(this);
+}
+
+/**
+ * Filter pairs of DNS servers
+ */
+static bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out)
+{
+	*out = (*in)->dns;
+	return TRUE;
+}
+
+/**
+ * Read DNS server property with a given index
+ */
+static host_t *get_dns_server(private_android_dns_handler_t *this, int index)
+{
+	host_t *dns = NULL;
+	char key[10], value[PROPERTY_VALUE_MAX],
+		 *prefix = DNS_PREFIX_DEFAULT;
+
+	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
+	{
+		return NULL;
+	}
+
+	if (property_get(key, value, NULL) > 0)
+	{
+		dns = host_create_from_string(value, 0);
+	}
+	return dns;
+}
+
+/**
+ * Set DNS server property with a given index
+ */
+static bool set_dns_server(private_android_dns_handler_t *this, int index,
+						   host_t *dns)
+{
+	char key[10], value[PROPERTY_VALUE_MAX],
+		 *prefix = DNS_PREFIX_DEFAULT;
+
+	if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
+	{
+		return FALSE;
+	}
+
+	if (dns)
+	{
+		if (snprintf(value, sizeof(value), "%H", dns) >= sizeof(value))
+		{
+			return FALSE;
+		}
+	}
+	else
+	{
+		value[0] = '\0';
+	}
+
+	if (property_set(key, value) != 0)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, handle, bool,
+	private_android_dns_handler_t *this, identification_t *id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+		{
+			host_t *dns;
+			dns_pair_t *pair;
+			int index;
+
+			dns = host_create_from_chunk(AF_INET, data, 0);
+			if (dns)
+			{
+				pair = malloc_thing(dns_pair_t);
+				pair->dns = dns;
+				index = this->dns->get_count(this->dns) + 1;
+				pair->old = get_dns_server(this, index);
+				set_dns_server(this, index, dns);
+				this->dns->insert_last(this->dns, pair);
+				return TRUE;
+			}
+			return FALSE;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_android_dns_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	if (type == INTERNAL_IP4_DNS)
+	{
+		enumerator_t *enumerator;
+		dns_pair_t *pair;
+		int index;
+
+		enumerator = this->dns->create_enumerator(this->dns);
+		for (index = 1; enumerator->enumerate(enumerator, &pair); index++)
+		{
+			if (chunk_equals(pair->dns->get_address(pair->dns), data))
+			{
+				this->dns->remove_at(this->dns, enumerator);
+				set_dns_server(this, index, pair->old);
+				destroy_dns_pair(pair);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+METHOD(enumerator_t, enumerate_dns, bool,
+	enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_DNS;
+	*data = chunk_empty;
+	/* stop enumeration */
+	this->enumerate = (void*)return_false;
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	private_android_dns_handler_t *this, identification_t *id,
+	linked_list_t *vips)
+{
+	enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerate = (void*)_enumerate_dns,
+		.destroy = (void*)free,
+	);
+	return enumerator;
+}
+
+METHOD(android_dns_handler_t, destroy, void,
+	private_android_dns_handler_t *this)
+{
+	this->dns->destroy_function(this->dns, (void*)destroy_dns_pair);
+	free(this);
+}
+
+/**
+ * See header
+ */
+android_dns_handler_t *android_dns_handler_create()
+{
+	private_android_dns_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+		.dns = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.h b/src/libcharon/plugins/android_dns/android_dns_handler.h
new file mode 100644
index 000000000..d7b089dca
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010-2011 Tobias Brunner
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_dns_handler android_dns_handler
+ * @{ @ingroup android_dns
+ */
+
+#ifndef ANDROID_DNS_HANDLER_H_
+#define ANDROID_DNS_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct android_dns_handler_t android_dns_handler_t;
+
+/**
+ * Android specific DNS attribute handler.
+ */
+struct android_dns_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a android_dns_handler_t.
+	 */
+	void (*destroy)(android_dns_handler_t *this);
+};
+
+/**
+ * Create an android_dns_handler_t instance.
+ */
+android_dns_handler_t *android_dns_handler_create();
+
+#endif /** ANDROID_DNS_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c
new file mode 100644
index 000000000..b8eb11b57
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_plugin.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_dns_plugin.h"
+#include "android_dns_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+
+typedef struct private_android_dns_plugin_t private_android_dns_plugin_t;
+
+/**
+ * Private data of an android_dns_plugin_t object.
+ */
+struct private_android_dns_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	android_dns_plugin_t public;
+
+	/**
+	 * Android specific DNS handler
+	 */
+	android_dns_handler_t *handler;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_android_dns_plugin_t *this)
+{
+	return "android-dns";
+}
+
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_android_dns_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+	}
+	else
+	{
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_android_dns_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "android-dns"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_android_dns_plugin_t *this)
+{
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *android_dns_plugin_create()
+{
+	private_android_dns_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.handler = android_dns_handler_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.h b/src/libcharon/plugins/android_dns/android_dns_plugin.h
new file mode 100644
index 000000000..e9e57dc24
--- /dev/null
+++ b/src/libcharon/plugins/android_dns/android_dns_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_dns android_dns
+ * @ingroup cplugins
+ *
+ * @defgroup android_dns_plugin android_dns_plugin
+ * @{ @ingroup android_dns
+ */
+
+#ifndef ANDROID_DNS_PLUGIN_H_
+#define ANDROID_DNS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct android_dns_plugin_t android_dns_plugin_t;
+
+/**
+ * Plugin providing an Android-specific handler for DNS servers.
+ */
+struct android_dns_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ANDROID_DNS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/android_log/Makefile.am b/src/libcharon/plugins/android_log/Makefile.am
new file mode 100644
index 000000000..4d8b4850b
--- /dev/null
+++ b/src/libcharon/plugins/android_log/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-android-log.la
+else
+plugin_LTLIBRARIES = libstrongswan-android-log.la
+endif
+
+libstrongswan_android_log_la_SOURCES = \
+	android_log_plugin.c android_log_plugin.h \
+	android_log_logger.c android_log_logger.h
+
+libstrongswan_android_log_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
new file mode 100644
index 000000000..3821f9afc
--- /dev/null
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -0,0 +1,687 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/android_log
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_android_log_la_LIBADD =
+am_libstrongswan_android_log_la_OBJECTS = android_log_plugin.lo \
+	android_log_logger.lo
+libstrongswan_android_log_la_OBJECTS =  \
+	$(am_libstrongswan_android_log_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_android_log_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_android_log_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_android_log_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_android_log_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_android_log_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_android_log_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-android-log.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android-log.la
+libstrongswan_android_log_la_SOURCES = \
+	android_log_plugin.c android_log_plugin.h \
+	android_log_logger.c android_log_logger.h
+
+libstrongswan_android_log_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/android_log/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/android_log/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-android-log.la: $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_DEPENDENCIES) $(EXTRA_libstrongswan_android_log_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_android_log_la_LINK) $(am_libstrongswan_android_log_la_rpath) $(libstrongswan_android_log_la_OBJECTS) $(libstrongswan_android_log_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_log_logger.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_log_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/android_log/android_log_logger.c b/src/libcharon/plugins/android_log/android_log_logger.c
new file mode 100644
index 000000000..48bcaa577
--- /dev/null
+++ b/src/libcharon/plugins/android_log/android_log_logger.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2010-2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <android/log.h>
+
+#include "android_log_logger.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <threading/mutex.h>
+
+typedef struct private_android_log_logger_t private_android_log_logger_t;
+
+/**
+ * Private data of an android_log_logger_t object
+ */
+struct private_android_log_logger_t {
+
+	/**
+	 * Public interface
+	 */
+	android_log_logger_t public;
+
+	/**
+	 * logging level
+	 */
+	int level;
+
+	/**
+	 * Mutex to ensure multi-line log messages are not torn apart
+	 */
+	mutex_t *mutex;
+};
+
+METHOD(logger_t, log_, void,
+	private_android_log_logger_t *this, debug_t group, level_t level,
+	int thread, ike_sa_t* ike_sa, const char *message)
+{
+	int prio = level > 1 ? ANDROID_LOG_DEBUG : ANDROID_LOG_INFO;
+	char sgroup[16];
+	const char *current = message, *next;
+	snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group);
+	this->mutex->lock(this->mutex);
+	while (TRUE)
+	{	/* log each line separately */
+		next = strchr(current, '\n');
+		if (next == NULL)
+		{
+			__android_log_print(prio, "charon", "%.2d[%s] %s\n",
+								thread, sgroup, current);
+			break;
+		}
+		__android_log_print(prio, "charon", "%.2d[%s] %.*s\n",
+							thread, sgroup, (int)(next - current), current);
+		current = next + 1;
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(logger_t, get_level, level_t,
+	private_android_log_logger_t *this, debug_t group)
+{
+	return this->level;
+}
+
+METHOD(android_log_logger_t, destroy, void,
+	private_android_log_logger_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+android_log_logger_t *android_log_logger_create()
+{
+	private_android_log_logger_t *this;
+
+	INIT(this,
+		.public = {
+			.logger = {
+				.log = _log_,
+				.get_level = _get_level,
+			},
+			.destroy = _destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.level = lib->settings->get_int(lib->settings,
+							"%s.plugins.android_log.loglevel", 1, charon->name),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/android_log/android_log_logger.h b/src/libcharon/plugins/android_log/android_log_logger.h
new file mode 100644
index 000000000..ed271bf6c
--- /dev/null
+++ b/src/libcharon/plugins/android_log/android_log_logger.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_log_logger android_log_logger
+ * @{ @ingroup android_log
+ */
+
+#ifndef ANDROID_LOG_LOGGER_H_
+#define ANDROID_LOG_LOGGER_H_
+
+#include <bus/bus.h>
+
+typedef struct android_log_logger_t android_log_logger_t;
+
+/**
+ * Android specific logger.
+ */
+struct android_log_logger_t {
+
+	/**
+	 * Implements logger_t interface
+	 */
+	logger_t logger;
+
+	/**
+	 * Destroy the logger.
+	 */
+	void (*destroy)(android_log_logger_t *this);
+
+};
+
+/**
+ * Create an Android specific logger instance.
+ *
+ * @return			logger instance
+ */
+android_log_logger_t *android_log_logger_create();
+
+#endif /** ANDROID_LOG_LOGGER_H_ @}*/
diff --git a/src/libcharon/plugins/android_log/android_log_plugin.c b/src/libcharon/plugins/android_log/android_log_plugin.c
new file mode 100644
index 000000000..515917a22
--- /dev/null
+++ b/src/libcharon/plugins/android_log/android_log_plugin.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_log_plugin.h"
+#include "android_log_logger.h"
+
+#include <daemon.h>
+
+typedef struct private_android_log_plugin_t private_android_log_plugin_t;
+
+/**
+ * Private data of an android_log_plugin_t object.
+ */
+struct private_android_log_plugin_t {
+
+	/**
+	 * Public android_log_plugin_t interface.
+	 */
+	android_log_plugin_t public;
+
+	/**
+	 * Android specific logger
+	 */
+	android_log_logger_t *logger;
+
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_android_log_plugin_t *this)
+{
+	return "android-log";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_android_log_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "android-log"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_android_log_plugin_t *this)
+{
+	charon->bus->remove_logger(charon->bus, &this->logger->logger);
+	this->logger->destroy(this->logger);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *android_log_plugin_create()
+{
+	private_android_log_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.logger = android_log_logger_create(),
+	);
+
+	charon->bus->add_logger(charon->bus, &this->logger->logger);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/android_log/android_log_plugin.h b/src/libcharon/plugins/android_log/android_log_plugin.h
new file mode 100644
index 000000000..32c4dc10b
--- /dev/null
+++ b/src/libcharon/plugins/android_log/android_log_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_log android_log
+ * @ingroup cplugins
+ *
+ * @defgroup android_log_plugin android_log_plugin
+ * @{ @ingroup android_log
+ */
+
+#ifndef ANDROID_LOG_PLUGIN_H_
+#define ANDROID_LOG_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct android_log_plugin_t android_log_plugin_t;
+
+/**
+ * Plugin providing an Android specific logger implementation.
+ */
+struct android_log_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ANDROID_LOG_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/certexpire/Makefile.am b/src/libcharon/plugins/certexpire/Makefile.am
index 9aa0daad3..2bfad9497 100644
--- a/src/libcharon/plugins/certexpire/Makefile.am
+++ b/src/libcharon/plugins/certexpire/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-certexpire.la
 else
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 929cce20c..d74cb09f9 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_certexpire_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_certexpire_la_OBJECTS = certexpire_plugin.lo \
 	certexpire_listener.lo certexpire_export.lo certexpire_cron.lo
 libstrongswan_certexpire_la_OBJECTS =  \
 	$(am_libstrongswan_certexpire_la_OBJECTS)
-libstrongswan_certexpire_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_certexpire_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_certexpire_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_certexpire_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_certexpire_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_certexpire_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_certexpire_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,12 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-certexpire.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-certexpire.la
 libstrongswan_certexpire_la_SOURCES = certexpire_plugin.h certexpire_plugin.c \
@@ -343,7 +407,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -351,6 +414,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -372,8 +437,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-certexpire.la: $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_DEPENDENCIES) 
-	$(libstrongswan_certexpire_la_LINK) $(am_libstrongswan_certexpire_la_rpath) $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_LIBADD) $(LIBS)
+libstrongswan-certexpire.la: $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_DEPENDENCIES) $(EXTRA_libstrongswan_certexpire_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_certexpire_la_LINK) $(am_libstrongswan_certexpire_la_rpath) $(libstrongswan_certexpire_la_OBJECTS) $(libstrongswan_certexpire_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -387,25 +452,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certexpire_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -512,10 +577,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/certexpire/certexpire_cron.c b/src/libcharon/plugins/certexpire/certexpire_cron.c
index e8cd4bfd8..5f2fd7ca4 100644
--- a/src/libcharon/plugins/certexpire/certexpire_cron.c
+++ b/src/libcharon/plugins/certexpire/certexpire_cron.c
@@ -17,7 +17,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <processing/jobs/callback_job.h>
 
 typedef struct private_certexpire_cron_t private_certexpire_cron_t;
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.c b/src/libcharon/plugins/certexpire/certexpire_export.c
index c73b0beda..f1205cfd8 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.c
+++ b/src/libcharon/plugins/certexpire/certexpire_export.c
@@ -21,8 +21,9 @@
 #include <limits.h>
 #include <errno.h>
 
-#include <debug.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <daemon.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 #include <credentials/certificates/x509.h>
 
@@ -87,6 +88,11 @@ struct private_certexpire_export_t {
 	 * String to use in empty fields, if using fixed_fields
 	 */
 	char *empty_string;
+
+	/**
+	 * Force export of all trustchains we have a private key for
+	 */
+	bool force;
 };
 
 /**
@@ -183,21 +189,6 @@ static void export_csv(private_certexpire_export_t *this, char *path,
 	}
 }
 
-/**
- * Export cached trustchain expiration dates to CSV files
- */
-static void cron_export(private_certexpire_export_t *this)
-{
-	if (this->local_path)
-	{
-		export_csv(this, this->local_path, this->local);
-	}
-	if (this->remote_path)
-	{
-		export_csv(this, this->remote_path, this->remote);
-	}
-}
-
 METHOD(certexpire_export_t, add, void,
 	private_certexpire_export_t *this, linked_list_t *trustchain, bool local)
 {
@@ -319,6 +310,81 @@ METHOD(certexpire_export_t, add, void,
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Add trustchains we have a private key for to the list
+ */
+static void add_local_certs(private_certexpire_export_t *this)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		linked_list_t *trustchain;
+		private_key_t *private;
+		public_key_t *public;
+		identification_t *keyid;
+		chunk_t chunk;
+		x509_t *x509 = (x509_t*)cert;
+
+		trustchain = linked_list_create();
+
+		public = cert->get_public_key(cert);
+		if (public)
+		{
+			if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
+			{
+				keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+				private = lib->credmgr->get_private(lib->credmgr,
+										public->get_type(public), keyid, NULL);
+				keyid->destroy(keyid);
+				if (private)
+				{
+					trustchain->insert_last(trustchain, cert->get_ref(cert));
+
+					while (!(x509->get_flags(x509) & X509_SELF_SIGNED))
+					{
+						cert = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
+										KEY_ANY, cert->get_issuer(cert), FALSE);
+						if (!cert)
+						{
+							break;
+						}
+						x509 = (x509_t*)cert;
+						trustchain->insert_last(trustchain, cert);
+					}
+					private->destroy(private);
+				}
+			}
+			public->destroy(public);
+		}
+		add(this, trustchain, TRUE);
+		trustchain->destroy_offset(trustchain, offsetof(certificate_t, destroy));
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Export cached trustchain expiration dates to CSV files
+ */
+static void cron_export(private_certexpire_export_t *this)
+{
+	if (this->local_path)
+	{
+		if (this->force)
+		{
+			add_local_certs(this);
+		}
+		export_csv(this, this->local_path, this->local);
+	}
+	if (this->remote_path)
+	{
+		export_csv(this, this->remote_path, this->remote);
+	}
+}
+
 METHOD(certexpire_export_t, destroy, void,
 	private_certexpire_export_t *this)
 {
@@ -364,21 +430,31 @@ certexpire_export_t *certexpire_export_create()
 								   (hashtable_equals_t)equals, 32),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.local_path = lib->settings->get_str(lib->settings,
-							"charon.plugins.certexpire.csv.local", NULL),
+								"%s.plugins.certexpire.csv.local",
+								NULL, charon->name),
 		.remote_path = lib->settings->get_str(lib->settings,
-							"charon.plugins.certexpire.csv.remote", NULL),
+								"%s.plugins.certexpire.csv.remote",
+								NULL, charon->name),
 		.separator = lib->settings->get_str(lib->settings,
-							"charon.plugins.certexpire.csv.separator", ","),
+								"%s.plugins.certexpire.csv.separator",
+								",", charon->name),
 		.format = lib->settings->get_str(lib->settings,
-							"charon.plugins.certexpire.csv.format", "%d:%m:%Y"),
+								"%s.plugins.certexpire.csv.format",
+								"%d:%m:%Y", charon->name),
 		.fixed_fields = lib->settings->get_bool(lib->settings,
-							"charon.plugins.certexpire.csv.fixed_fields", TRUE),
+								"%s.plugins.certexpire.csv.fixed_fields",
+								TRUE, charon->name),
 		.empty_string = lib->settings->get_str(lib->settings,
-							"charon.plugins.certexpire.csv.empty_string", ""),
+								"%s.plugins.certexpire.csv.empty_string",
+								"", charon->name),
+		.force = lib->settings->get_bool(lib->settings,
+								"%s.plugins.certexpire.csv.force",
+								TRUE, charon->name),
 	);
 
 	cron = lib->settings->get_str(lib->settings,
-								  "charon.plugins.certexpire.csv.cron", NULL);
+								  "%s.plugins.certexpire.csv.cron",
+								  NULL, charon->name);
 	if (cron)
 	{
 		this->cron = certexpire_cron_create(cron,
diff --git a/src/libcharon/plugins/certexpire/certexpire_export.h b/src/libcharon/plugins/certexpire/certexpire_export.h
index 64281d0bd..7b75f2c92 100644
--- a/src/libcharon/plugins/certexpire/certexpire_export.h
+++ b/src/libcharon/plugins/certexpire/certexpire_export.h
@@ -23,7 +23,7 @@
 
 typedef struct certexpire_export_t certexpire_export_t;
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Caches and exports trustchain information to CSV files.
diff --git a/src/libcharon/plugins/certexpire/certexpire_plugin.c b/src/libcharon/plugins/certexpire/certexpire_plugin.c
index 2b4c0b68b..985fb0d76 100644
--- a/src/libcharon/plugins/certexpire/certexpire_plugin.c
+++ b/src/libcharon/plugins/certexpire/certexpire_plugin.c
@@ -49,10 +49,37 @@ METHOD(plugin_t, get_name, char*,
 	return "certexpire";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_certexpire_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_certexpire_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "certexpire"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_certexpire_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	this->export->destroy(this->export);
 	free(this);
@@ -69,14 +96,13 @@ plugin_t *certexpire_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.export = certexpire_export_create(),
 	);
-	this->listener = certexpire_listener_create(this->export),
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
+	this->listener = certexpire_listener_create(this->export);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/coupling/Makefile.am b/src/libcharon/plugins/coupling/Makefile.am
index 642ce820c..cbc06a6b7 100644
--- a/src/libcharon/plugins/coupling/Makefile.am
+++ b/src/libcharon/plugins/coupling/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-coupling.la
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index df4420b04..12c1f331d 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_coupling_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_coupling_la_OBJECTS = coupling_plugin.lo \
 	coupling_validator.lo
 libstrongswan_coupling_la_OBJECTS =  \
 	$(am_libstrongswan_coupling_la_OBJECTS)
-libstrongswan_coupling_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_coupling_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_coupling_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_coupling_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_coupling_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_coupling_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_coupling_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-coupling.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-coupling.la
 libstrongswan_coupling_la_SOURCES = coupling_plugin.h coupling_plugin.c \
@@ -339,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES) 
-	$(libstrongswan_coupling_la_LINK) $(am_libstrongswan_coupling_la_rpath) $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_LIBADD) $(LIBS)
+libstrongswan-coupling.la: $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_DEPENDENCIES) $(EXTRA_libstrongswan_coupling_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_coupling_la_LINK) $(am_libstrongswan_coupling_la_rpath) $(libstrongswan_coupling_la_OBJECTS) $(libstrongswan_coupling_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -381,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/coupling_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -506,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/coupling/coupling_plugin.c b/src/libcharon/plugins/coupling/coupling_plugin.c
index 7ccc51db5..cd46ddd11 100644
--- a/src/libcharon/plugins/coupling/coupling_plugin.c
+++ b/src/libcharon/plugins/coupling/coupling_plugin.c
@@ -43,11 +43,48 @@ METHOD(plugin_t, get_name, char*,
 	return "coupling";
 }
 
+/**
+ * Since the validator instantiates a hasher we create it as plugin feature.
+ * The default is SHA1 which we soft depend but depending on the plugin order
+ * there is no guarantee that the configured algorithm is registered.
+ */
+static bool plugin_cb(private_coupling_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		this->validator = coupling_validator_create();
+
+		if (!this->validator)
+		{
+			return FALSE;
+		}
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+		this->validator->destroy(this->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_coupling_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "coupling"),
+				PLUGIN_SDEPEND(HASHER, HASH_SHA1),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_coupling_plugin_t *this)
 {
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
-	this->validator->destroy(this->validator);
 	free(this);
 }
 
@@ -62,20 +99,11 @@ plugin_t *coupling_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.validator = coupling_validator_create(),
 	);
 
-	if (!this->validator)
-	{
-		free(this);
-		return NULL;
-	}
-
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/coupling/coupling_validator.c b/src/libcharon/plugins/coupling/coupling_validator.c
index 06b6f7d86..958bd2b6d 100644
--- a/src/libcharon/plugins/coupling/coupling_validator.c
+++ b/src/libcharon/plugins/coupling/coupling_validator.c
@@ -70,7 +70,11 @@ static bool get_cert_hash(private_coupling_validator_t *this,
 	{
 		return FALSE;
 	}
-	this->hasher->get_hash(this->hasher, encoding, buf);
+	if (!this->hasher->get_hash(this->hasher, encoding, buf))
+	{
+		free(encoding.ptr);
+		return FALSE;
+	}
 	free(encoding.ptr);
 	chunk_to_hex(chunk_create(buf, this->hasher->get_hash_size(this->hasher)),
 				 hex, FALSE);
@@ -163,6 +167,8 @@ METHOD(cert_validator_t, validate, bool,
 			{
 				DBG1(DBG_CFG, "coupling new certificate '%Y' failed",
 					 subject->get_subject(subject));
+				lib->credmgr->call_hook(lib->credmgr,
+										CRED_HOOK_POLICY_VIOLATION, subject);
 			}
 		}
 		else
@@ -170,6 +176,8 @@ METHOD(cert_validator_t, validate, bool,
 			DBG1(DBG_CFG, "coupling new certificate '%Y' failed, limit of %d "
 				 "couplings reached", subject->get_subject(subject),
 				 this->max_couplings);
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
 		}
 		this->mutex->unlock(this->mutex);
 	}
@@ -195,17 +203,6 @@ coupling_validator_t *coupling_validator_create()
 {
 	private_coupling_validator_t *this;
 	char *path, *hash;
-	int i;
-	struct {
-		hash_algorithm_t alg;
-		char *name;
-	} hash_types[] = {
-		{ HASH_MD5,		"md5"},
-		{ HASH_SHA1,	"sha1"},
-		{ HASH_SHA256,	"sha256"},
-		{ HASH_SHA384,	"sha384"},
-		{ HASH_SHA512,	"sha512"},
-	};
 
 	INIT(this,
 		.public = {
@@ -216,20 +213,15 @@ coupling_validator_t *coupling_validator_create()
 		},
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.max_couplings = lib->settings->get_int(lib->settings,
-									  "charon.plugins.coupling.max", 1),
+												"%s.plugins.coupling.max", 1,
+												charon->name),
 	);
 
 	hash = lib->settings->get_str(lib->settings,
-								  "charon.plugins.coupling.hash", "sha1");
-	for (i = 0; i < countof(hash_types); i++)
-	{
-		if (strcaseeq(hash_types[i].name, hash))
-		{
-			this->hasher = lib->crypto->create_hasher(lib->crypto,
-													  hash_types[i].alg);
-			break;
-		}
-	}
+								  "%s.plugins.coupling.hash", "sha1",
+								  charon->name);
+	this->hasher = lib->crypto->create_hasher(lib->crypto,
+							enum_from_name(hash_algorithm_short_names, hash));
 	if (!this->hasher)
 	{
 		DBG1(DBG_CFG, "unsupported coupling hash algorithm: %s", hash);
@@ -238,7 +230,8 @@ coupling_validator_t *coupling_validator_create()
 	}
 
 	path = lib->settings->get_str(lib->settings,
-								  "charon.plugins.coupling.file", NULL);
+								  "%s.plugins.coupling.file", NULL,
+								  charon->name);
 	if (!path)
 	{
 		DBG1(DBG_CFG, "coupling file path unspecified");
diff --git a/src/libcharon/plugins/dhcp/Makefile.am b/src/libcharon/plugins/dhcp/Makefile.am
index 45d7536be..e0e857eed 100644
--- a/src/libcharon/plugins/dhcp/Makefile.am
+++ b/src/libcharon/plugins/dhcp/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-dhcp.la
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 089afd39d..29aca266f 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_dhcp_la_LIBADD =
 am_libstrongswan_dhcp_la_OBJECTS = dhcp_plugin.lo dhcp_provider.lo \
 	dhcp_socket.lo dhcp_transaction.lo
 libstrongswan_dhcp_la_OBJECTS = $(am_libstrongswan_dhcp_la_OBJECTS)
-libstrongswan_dhcp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_dhcp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_dhcp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_dhcp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_dhcp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_dhcp_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_dhcp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_dhcp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,10 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-dhcp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-dhcp.la
 libstrongswan_dhcp_la_SOURCES = dhcp_plugin.h dhcp_plugin.c \
@@ -338,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES) 
-	$(libstrongswan_dhcp_la_LINK) $(am_libstrongswan_dhcp_la_rpath) $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_LIBADD) $(LIBS)
+libstrongswan-dhcp.la: $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_DEPENDENCIES) $(EXTRA_libstrongswan_dhcp_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_dhcp_la_LINK) $(am_libstrongswan_dhcp_la_rpath) $(libstrongswan_dhcp_la_OBJECTS) $(libstrongswan_dhcp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhcp_transaction.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +574,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index f8782c2a4..c36c60d28 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -17,6 +20,7 @@
 
 #include <hydra.h>
 #include <daemon.h>
+#include <plugins/plugin_feature.h>
 
 #include "dhcp_socket.h"
 #include "dhcp_provider.h"
@@ -50,13 +54,49 @@ METHOD(plugin_t, get_name, char*,
 	return "dhcp";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_dhcp_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		this->socket = dhcp_socket_create();
+
+		if (!this->socket)
+		{
+			return FALSE;
+		}
+		this->provider = dhcp_provider_create(this->socket);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+		this->provider->destroy(this->provider);
+		this->socket->destroy(this->socket);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_dhcp_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "dhcp"),
+				PLUGIN_DEPENDS(RNG, RNG_WEAK),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_dhcp_plugin_t *this)
 {
-	hydra->attributes->remove_provider(hydra->attributes,
-									   &this->provider->provider);
-	this->provider->destroy(this->provider);
-	this->socket->destroy(this->socket);
 	free(this);
 }
 
@@ -67,27 +107,27 @@ plugin_t *dhcp_plugin_create()
 {
 	private_dhcp_plugin_t *this;
 
+	if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
+	{	/* required to bind DHCP socket (port 68) */
+		DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability");
+		return NULL;
+	}
+	else if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{	/* required to open DHCP receive socket (AF_PACKET). according to
+		 * capabilities(7) it is also required to use the socket */
+		DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.socket = dhcp_socket_create(),
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-
-	this->provider = dhcp_provider_create(this->socket);
-	hydra->attributes->add_provider(hydra->attributes,
-									&this->provider->provider);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index a6a887780..e092771f4 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -15,7 +15,7 @@
 
 #include "dhcp_provider.h"
 
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 
 typedef struct private_dhcp_provider_t private_dhcp_provider_t;
@@ -81,18 +81,29 @@ static uintptr_t hash_transaction(dhcp_transaction_t *transaction)
 }
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
-	private_dhcp_provider_t *this, char *pool,
+	private_dhcp_provider_t *this, linked_list_t *pools,
 	identification_t *id, host_t *requested)
 {
-	if (streq(pool, "dhcp"))
-	{
-		dhcp_transaction_t *transaction, *old;
-		host_t *vip;
+	dhcp_transaction_t *transaction, *old;
+	enumerator_t *enumerator;
+	char *pool;
+	host_t *vip = NULL;
 
+	if (requested->get_family(requested) != AF_INET)
+	{
+		return NULL;
+	}
+	enumerator = pools->create_enumerator(pools);
+	while (enumerator->enumerate(enumerator, &pool))
+	{
+		if (!streq(pool, "dhcp"))
+		{
+			continue;
+		}
 		transaction = this->socket->enroll(this->socket, id);
 		if (!transaction)
 		{
-			return NULL;
+			continue;
 		}
 		vip = transaction->get_address(transaction);
 		vip = vip->clone(vip);
@@ -101,19 +112,32 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 							(void*)hash_transaction(transaction), transaction);
 		this->mutex->unlock(this->mutex);
 		DESTROY_IF(old);
-		return vip;
+		break;
 	}
-	return NULL;
+	enumerator->destroy(enumerator);
+	return vip;
 }
 
 METHOD(attribute_provider_t, release_address, bool,
-	private_dhcp_provider_t *this, char *pool,
+	private_dhcp_provider_t *this, linked_list_t *pools,
 	host_t *address, identification_t *id)
 {
-	if (streq(pool, "dhcp"))
-	{
-		dhcp_transaction_t *transaction;
+	dhcp_transaction_t *transaction;
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	char *pool;
 
+	if (address->get_family(address) != AF_INET)
+	{
+		return FALSE;
+	}
+	enumerator = pools->create_enumerator(pools);
+	while (enumerator->enumerate(enumerator, &pool))
+	{
+		if (!streq(pool, "dhcp"))
+		{
+			continue;
+		}
 		this->mutex->lock(this->mutex);
 		transaction = this->transactions->remove(this->transactions,
 										(void*)hash_id_host(id, address));
@@ -122,25 +146,40 @@ METHOD(attribute_provider_t, release_address, bool,
 		{
 			this->socket->release(this->socket, transaction);
 			transaction->destroy(transaction);
-			return TRUE;
+			found = TRUE;
+			break;
 		}
 	}
-	return FALSE;
+	enumerator->destroy(enumerator);
+	return found;
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
-	private_dhcp_provider_t *this, char *pool, identification_t *id,
-	host_t *vip)
+	private_dhcp_provider_t *this, linked_list_t *pools, identification_t *id,
+	linked_list_t *vips)
 {
-	dhcp_transaction_t *transaction;
+	dhcp_transaction_t *transaction = NULL;
+	enumerator_t *enumerator;
+	host_t *vip;
 
-	if (!vip)
+	if (pools->find_first(pools, (linked_list_match_t)streq,
+						  NULL, "dhcp") != SUCCESS)
 	{
 		return NULL;
 	}
+
 	this->mutex->lock(this->mutex);
-	transaction = this->transactions->get(this->transactions,
-										  (void*)hash_id_host(id, vip));
+	enumerator = vips->create_enumerator(vips);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		transaction = this->transactions->get(this->transactions,
+											  (void*)hash_id_host(id, vip));
+		if (transaction)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
 	if (!transaction)
 	{
 		this->mutex->unlock(this->mutex);
@@ -192,4 +231,3 @@ dhcp_provider_t *dhcp_provider_create(dhcp_socket_t *socket)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 5d98e5b8d..044c8a819 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -25,7 +25,7 @@
 #include <linux/if_ether.h>
 #include <linux/filter.h>
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <threading/mutex.h>
 #include <threading/condvar.h>
@@ -107,9 +107,9 @@ struct private_dhcp_socket_t {
 	host_t *dst;
 
 	/**
-	 * Callback job receiving DHCP responses
+	 * Force configured destination address
 	 */
-	callback_job_t *job;
+	bool force_dst;
 };
 
 /**
@@ -227,7 +227,7 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
 	/* with ID specific postfix */
 	if (this->identity_lease)
 	{
-		id = htonl(chunk_hash(chunk));
+		id = htonl(chunk_hash_static(chunk));
 	}
 	else
 	{
@@ -271,7 +271,7 @@ static bool send_dhcp(private_dhcp_socket_t *this,
 	ssize_t len;
 
 	dst = transaction->get_server(transaction);
-	if (!dst)
+	if (!dst || this->force_dst)
 	{
 		dst = this->dst;
 	}
@@ -371,7 +371,11 @@ METHOD(dhcp_socket_t, enroll, dhcp_transaction_t*,
 	u_int32_t id;
 	int try;
 
-	this->rng->get_bytes(this->rng, sizeof(id), (u_int8_t*)&id);
+	if (!this->rng->get_bytes(this->rng, sizeof(id), (u_int8_t*)&id))
+	{
+		DBG1(DBG_CFG, "DHCP DISCOVER failed, no transaction ID");
+		return NULL;
+	}
 	transaction = dhcp_transaction_create(id, identity);
 
 	this->mutex->lock(this->mutex);
@@ -558,7 +562,8 @@ static void handle_ack(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 /**
  * Receive DHCP responses
  */
-static job_requeue_t receive_dhcp(private_dhcp_socket_t *this)
+static bool receive_dhcp(private_dhcp_socket_t *this, int fd,
+						 watcher_event_t event)
 {
 	struct sockaddr_ll addr;
 	socklen_t addr_len = sizeof(addr);
@@ -567,14 +572,12 @@ static job_requeue_t receive_dhcp(private_dhcp_socket_t *this)
 		struct udphdr udp;
 		dhcp_t dhcp;
 	} packet;
-	int oldstate, optlen, origoptlen, optsize, optpos = 0;
+	int optlen, origoptlen, optsize, optpos = 0;
 	ssize_t len;
 	dhcp_option_t *option;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->receive, &packet, sizeof(packet), 0,
+	len = recvfrom(fd, &packet, sizeof(packet), MSG_DONTWAIT,
 					(struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
 
 	if (len >= sizeof(struct iphdr) + sizeof(struct udphdr) +
 		offsetof(dhcp_t, options))
@@ -607,16 +610,12 @@ static job_requeue_t receive_dhcp(private_dhcp_socket_t *this)
 			optpos += optsize;
 		}
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(dhcp_socket_t, destroy, void,
 	private_dhcp_socket_t *this)
 {
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
 	while (this->waiting)
 	{
 		this->condvar->signal(this->condvar);
@@ -627,6 +626,7 @@ METHOD(dhcp_socket_t, destroy, void,
 	}
 	if (this->receive > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->receive);
 		close(this->receive);
 	}
 	this->mutex->destroy(this->mutex);
@@ -648,7 +648,13 @@ METHOD(dhcp_socket_t, destroy, void,
 dhcp_socket_t *dhcp_socket_create()
 {
 	private_dhcp_socket_t *this;
-	struct sockaddr_in src;
+	struct sockaddr_in src = {
+		.sin_family = AF_INET,
+		.sin_port = htons(DHCP_CLIENT_PORT),
+		.sin_addr = {
+			.s_addr = INADDR_ANY,
+		},
+	};
 	int on = 1;
 	struct sock_filter dhcp_filter_code[] = {
 		BPF_STMT(BPF_LD+BPF_B+BPF_ABS,
@@ -704,10 +710,14 @@ dhcp_socket_t *dhcp_socket_create()
 		return NULL;
 	}
 	this->identity_lease = lib->settings->get_bool(lib->settings,
-							"charon.plugins.dhcp.identity_lease", FALSE);
+								"%s.plugins.dhcp.identity_lease", FALSE,
+								charon->name);
+	this->force_dst = lib->settings->get_str(lib->settings,
+								"%s.plugins.dhcp.force_server_address", FALSE,
+								charon->name);
 	this->dst = host_create_from_string(lib->settings->get_str(lib->settings,
-							"charon.plugins.dhcp.server", "255.255.255.255"),
-							DHCP_SERVER_PORT);
+								"%s.plugins.dhcp.server", "255.255.255.255",
+								charon->name), DHCP_SERVER_PORT);
 	if (!this->dst)
 	{
 		DBG1(DBG_CFG, "configured DHCP server address invalid");
@@ -734,9 +744,6 @@ dhcp_socket_t *dhcp_socket_create()
 		destroy(this);
 		return NULL;
 	}
-	src.sin_family = AF_INET;
-	src.sin_port = htons(DHCP_CLIENT_PORT);
-	src.sin_addr.s_addr = INADDR_ANY;
 	if (bind(this->send, (struct sockaddr*)&src, sizeof(src)) == -1)
 	{
 		DBG1(DBG_CFG, "unable to bind DHCP send socket: %s", strerror(errno));
@@ -760,10 +767,8 @@ dhcp_socket_t *dhcp_socket_create()
 		return NULL;
 	}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_dhcp,
-									this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->watcher->add(lib->watcher, this->receive, WATCHER_READ,
+					  (watcher_cb_t)receive_dhcp, this);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.c b/src/libcharon/plugins/dhcp/dhcp_transaction.c
index 83f822dd8..22d3f3fdf 100644
--- a/src/libcharon/plugins/dhcp/dhcp_transaction.c
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.c
@@ -15,7 +15,7 @@
 
 #include "dhcp_transaction.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_dhcp_transaction_t private_dhcp_transaction_t;
 
diff --git a/src/libcharon/plugins/dhcp/dhcp_transaction.h b/src/libcharon/plugins/dhcp/dhcp_transaction.h
index 19c163f88..35f08e836 100644
--- a/src/libcharon/plugins/dhcp/dhcp_transaction.h
+++ b/src/libcharon/plugins/dhcp/dhcp_transaction.h
@@ -21,7 +21,7 @@
 #ifndef DHCP_TRANSACTION_H_
 #define DHCP_TRANSACTION_H_
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <attributes/attributes.h>
 
diff --git a/src/libcharon/plugins/duplicheck/Makefile.am b/src/libcharon/plugins/duplicheck/Makefile.am
index 63c91dfab..4ea2becf3 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.am
+++ b/src/libcharon/plugins/duplicheck/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-duplicheck.la
 else
@@ -13,7 +15,8 @@ endif
 
 libstrongswan_duplicheck_la_SOURCES = duplicheck_plugin.h duplicheck_plugin.c \
 	duplicheck_listener.h duplicheck_listener.c \
-	duplicheck_notify.h duplicheck_notify.c
+	duplicheck_notify.h duplicheck_notify.c \
+	duplicheck_msg.h
 
 libstrongswan_duplicheck_la_LDFLAGS = -module -avoid-version
 
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 87984a182..7e480ffac 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -74,6 +92,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_duplicheck_la_LIBADD =
@@ -81,7 +105,10 @@ am_libstrongswan_duplicheck_la_OBJECTS = duplicheck_plugin.lo \
 	duplicheck_listener.lo duplicheck_notify.lo
 libstrongswan_duplicheck_la_OBJECTS =  \
 	$(am_libstrongswan_duplicheck_la_OBJECTS)
-libstrongswan_duplicheck_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_duplicheck_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_duplicheck_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -92,43 +119,68 @@ PROGRAMS = $(ipsec_PROGRAMS)
 am_duplicheck_OBJECTS = duplicheck.$(OBJEXT)
 duplicheck_OBJECTS = $(am_duplicheck_OBJECTS)
 duplicheck_LDADD = $(LDADD)
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_duplicheck_la_SOURCES) $(duplicheck_SOURCES)
 DIST_SOURCES = $(libstrongswan_duplicheck_la_SOURCES) \
 	$(duplicheck_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -137,13 +189,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -156,6 +211,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -183,11 +239,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -195,6 +253,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -203,8 +262,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -213,14 +270,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -234,17 +296,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -254,16 +316,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -291,17 +352,21 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-duplicheck.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-duplicheck.la
 libstrongswan_duplicheck_la_SOURCES = duplicheck_plugin.h duplicheck_plugin.c \
 	duplicheck_listener.h duplicheck_listener.c \
-	duplicheck_notify.h duplicheck_notify.c
+	duplicheck_notify.h duplicheck_notify.c \
+	duplicheck_msg.h
 
 libstrongswan_duplicheck_la_LDFLAGS = -module -avoid-version
 duplicheck_SOURCES = duplicheck.c
@@ -350,7 +415,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +422,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -379,12 +445,15 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES) 
-	$(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
+libstrongswan-duplicheck.la: $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_DEPENDENCIES) $(EXTRA_libstrongswan_duplicheck_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_duplicheck_la_LINK) $(am_libstrongswan_duplicheck_la_rpath) $(libstrongswan_duplicheck_la_OBJECTS) $(libstrongswan_duplicheck_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -424,9 +493,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES) 
+duplicheck$(EXEEXT): $(duplicheck_OBJECTS) $(duplicheck_DEPENDENCIES) $(EXTRA_duplicheck_DEPENDENCIES) 
 	@rm -f duplicheck$(EXEEXT)
-	$(LINK) $(duplicheck_OBJECTS) $(duplicheck_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(duplicheck_OBJECTS) $(duplicheck_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -440,25 +509,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/duplicheck_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -565,10 +634,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/duplicheck/duplicheck.c b/src/libcharon/plugins/duplicheck/duplicheck.c
index 99731a22b..508e8e386 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck.c
@@ -16,44 +16,99 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
+#include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <errno.h>
+#include <arpa/inet.h>
 
-#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
+#include "duplicheck_msg.h"
 
-int main(int argc, char *argv[])
+/**
+ * Connect to the daemon, return FD
+ */
+static int make_connection()
 {
-	struct sockaddr_un addr;
-	char buf[128];
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
 	int fd, len;
 
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, DUPLICHECK_SOCKET);
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, DUPLICHECK_SOCKET);
 
-	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
 	if (fd < 0)
 	{
 		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
-		return 1;
+		return -1;
 	}
-	if (connect(fd, (struct sockaddr *)&addr,
-			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	if (connect(fd, &addr.sa, len) < 0)
 	{
-		fprintf(stderr, "connecting to %s failed: %s\n",
-				DUPLICHECK_SOCKET, strerror(errno));
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
 		close(fd);
+		return -1;
+	}
+	return fd;
+}
+
+int main(int argc, char *argv[])
+{
+	char buf[128];
+	int fd, len;
+	u_int16_t msglen;
+
+	fd = make_connection();
+	if (fd < 0)
+	{
 		return 1;
 	}
 	while (1)
 	{
-		len = recv(fd, &buf, sizeof(buf) - 1, 0);
+		len = recv(fd, &msglen, sizeof(msglen), 0);
+		if (len != sizeof(msglen))
+		{
+			break;
+		}
+		msglen = ntohs(msglen);
+		while (msglen)
+		{
+			if (sizeof(buf) > msglen)
+			{
+				len = msglen;
+			}
+			else
+			{
+				len = sizeof(buf);
+			}
+			len = recv(fd, &buf, len, 0);
+			if (len < 0)
+			{
+				break;
+			}
+			msglen -= len;
+			printf("%.*s", len, buf);
+		}
+		printf("\n");
 		if (len < 0)
 		{
-			fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
-			close(fd);
-			return 1;
+			break;
 		}
-		printf("%.*s\n", len, buf);
 	}
+	fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
+	close(fd);
+	return 1;
 }
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_listener.c b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
index 226b2bd4e..30a723d36 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_listener.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_listener.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <encoding/payloads/delete_payload.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 
@@ -60,8 +60,8 @@ struct private_duplicheck_listener_t {
 typedef struct {
 	/** peer identity */
 	identification_t *id;
-	/** IKE_SA identifier */
-	ike_sa_id_t *sa;
+	/** list of IKE_SA identifiers, ike_sa_id_t */
+	linked_list_t *sas;
 } entry_t;
 
 /**
@@ -70,7 +70,7 @@ typedef struct {
 static void entry_destroy(entry_t *this)
 {
 	this->id->destroy(this->id);
-	this->sa->destroy(this->sa);
+	this->sas->destroy_offset(this->sas, offsetof(ike_sa_id_t, destroy));
 	free(this);
 }
 
@@ -90,27 +90,101 @@ static bool equals(identification_t *a, identification_t *b)
 	return a->equals(a, b);
 }
 
-METHOD(listener_t, ike_rekey, bool,
-	private_duplicheck_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+/**
+ * Put an IKE_SA identifier to hashtable
+ */
+static void put(hashtable_t *table, identification_t *id, ike_sa_id_t *sa)
 {
-	identification_t *id;
-	ike_sa_id_t *sa;
 	entry_t *entry;
 
-	sa = new->get_id(new);
-	id = new->get_other_id(new);
+	entry = table->get(table, id);
+	if (!entry)
+	{
+		INIT(entry,
+			.id = id->clone(id),
+			.sas = linked_list_create(),
+		);
+		table->put(table, entry->id, entry);
+	}
+	entry->sas->insert_last(entry->sas, sa->clone(sa));
+}
 
-	INIT(entry,
-		.id = id->clone(id),
-		.sa = sa->clone(sa),
-	);
-	this->mutex->lock(this->mutex);
-	entry = this->active->put(this->active, entry->id, entry);
-	this->mutex->unlock(this->mutex);
+/**
+ * Purge an entry from table if it has no IKE_SA identifiers
+ */
+static void remove_if_empty(hashtable_t *table, entry_t *entry)
+{
+	if (entry->sas->get_count(entry->sas) == 0)
+	{
+		entry = table->remove(table, entry->id);
+		if (entry)
+		{
+			entry_destroy(entry);
+		}
+	}
+}
+
+/**
+ * Remove the first entry found in the table for the given id
+ */
+static ike_sa_id_t *remove_first(hashtable_t *table, identification_t *id)
+{
+	ike_sa_id_t *sa = NULL;
+	entry_t *entry;
+
+	entry = table->get(table, id);
+	if (entry)
+	{
+		entry->sas->remove_first(entry->sas, (void**)&sa);
+		remove_if_empty(table, entry);
+	}
+	return sa;
+}
+
+/**
+ * Remove a specific IKE_SA ID for the given identity
+ */
+static bool remove_specific(hashtable_t *table, identification_t *id,
+							ike_sa_id_t *sa)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	entry_t *entry;
+	ike_sa_id_t *current;
+
+	entry = table->get(table, id);
 	if (entry)
 	{
-		entry_destroy(entry);
+		enumerator = entry->sas->create_enumerator(entry->sas);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (sa->equals(sa, current))
+			{
+				entry->sas->remove_at(entry->sas, enumerator);
+				current->destroy(current);
+				found = TRUE;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (found)
+		{
+			remove_if_empty(table, entry);
+		}
 	}
+	return found;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_duplicheck_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	this->mutex->lock(this->mutex);
+
+	remove_specific(this->active, old->get_other_id(old), old->get_id(old));
+	put(this->active, new->get_other_id(new), new->get_id(new));
+
+	this->mutex->unlock(this->mutex);
+
 	return TRUE;
 }
 
@@ -119,90 +193,77 @@ METHOD(listener_t, ike_updown, bool,
 {
 	identification_t *id;
 	ike_sa_id_t *sa;
-	entry_t *entry;
-	job_t *job;
 
-	sa = ike_sa->get_id(ike_sa);
 	id = ike_sa->get_other_id(ike_sa);
 
+	this->mutex->lock(this->mutex);
 	if (up)
 	{
-		INIT(entry,
-			.id = id->clone(id),
-			.sa = sa->clone(sa),
-		);
-		this->mutex->lock(this->mutex);
-		entry = this->active->put(this->active, entry->id, entry);
-		this->mutex->unlock(this->mutex);
-		if (entry)
+		/* another IKE_SA for this identity active? */
+		sa = remove_first(this->active, id);
+		if (sa)
 		{
 			DBG1(DBG_CFG, "detected duplicate IKE_SA for '%Y', "
 				 "triggering delete for old IKE_SA", id);
-			job = (job_t*)delete_ike_sa_job_create(entry->sa, TRUE);
-			this->mutex->lock(this->mutex);
-			entry = this->checking->put(this->checking, entry->id, entry);
-			this->mutex->unlock(this->mutex);
-			lib->processor->queue_job(lib->processor, job);
-			if (entry)
-			{
-				entry_destroy(entry);
-			}
+			put(this->checking, id, sa);
+			lib->processor->queue_job(lib->processor,
+								(job_t*)delete_ike_sa_job_create(sa, TRUE));
+			sa->destroy(sa);
 		}
+		/* register IKE_SA as the new active */
+		sa = ike_sa->get_id(ike_sa);
+		put(this->active, id, sa);
 	}
 	else
 	{
-		this->mutex->lock(this->mutex);
-		entry = this->checking->remove(this->checking, id);
-		this->mutex->unlock(this->mutex);
-		if (entry)
+		sa = ike_sa->get_id(ike_sa);
+		/* check if closing an IKE_SA currently in checking state */
+		if (remove_specific(this->checking, id, sa))
 		{
 			DBG1(DBG_CFG, "delete for duplicate IKE_SA '%Y' timed out, "
 				 "keeping new IKE_SA", id);
-			entry_destroy(entry);
-		}
-		else
-		{
-			this->mutex->lock(this->mutex);
-			entry = this->active->remove(this->active, id);
-			this->mutex->unlock(this->mutex);
-			if (entry)
-			{
-				entry_destroy(entry);
-			}
 		}
+		/* check normal close of IKE_SA */
+		remove_specific(this->active, id, sa);
 	}
+	this->mutex->unlock(this->mutex);
+
 	return TRUE;
 }
 
 METHOD(listener_t, message_hook, bool,
 	private_duplicheck_listener_t *this, ike_sa_t *ike_sa,
-	message_t *message, bool incoming)
+	message_t *message, bool incoming, bool plain)
 {
-	if (incoming && !message->get_request(message))
+	if (incoming && plain && !message->get_request(message))
 	{
 		identification_t *id;
-		entry_t *entry;
+		ike_sa_id_t *sa;
 
 		id = ike_sa->get_other_id(ike_sa);
+		sa = ike_sa->get_id(ike_sa);
+
 		this->mutex->lock(this->mutex);
-		entry = this->checking->remove(this->checking, id);
-		this->mutex->unlock(this->mutex);
-		if (entry)
+		if (remove_specific(this->checking, id, sa))
 		{
 			DBG1(DBG_CFG, "got a response on a duplicate IKE_SA for '%Y', "
 				 "deleting new IKE_SA", id);
-			entry_destroy(entry);
-			this->mutex->lock(this->mutex);
-			entry = this->active->remove(this->active, id);
-			this->mutex->unlock(this->mutex);
-			if (entry)
+			charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
+			sa = remove_first(this->active, id);
+			if (sa)
 			{
 				lib->processor->queue_job(lib->processor,
-						(job_t*)delete_ike_sa_job_create(entry->sa, TRUE));
-				entry_destroy(entry);
+								(job_t*)delete_ike_sa_job_create(sa, TRUE));
+				sa->destroy(sa);
 			}
+			this->mutex->unlock(this->mutex);
+
 			this->notify->send(this->notify, id);
 		}
+		else
+		{
+			this->mutex->unlock(this->mutex);
+		}
 	}
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_msg.h b/src/libcharon/plugins/duplicheck/duplicheck_msg.h
new file mode 100644
index 000000000..99e297104
--- /dev/null
+++ b/src/libcharon/plugins/duplicheck/duplicheck_msg.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup duplicheck_msg duplicheck_msg
+ * @{ @ingroup duplicheck
+ */
+
+#ifndef DUPLICHECK_MSG_H_
+#define DUPLICHECK_MSG_H_
+
+#include <sys/types.h>
+
+/**
+ * Default Unix socket to connect to
+ */
+#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
+
+typedef struct duplicheck_msg_t duplicheck_msg_t;
+
+/**
+ * Message exchanged over duplicheck socket
+ */
+struct duplicheck_msg_t {
+	/** length of the identity following, in network order (excluding len). */
+	u_int16_t len;
+	/** identity string, not null terminated */
+	char identity[];
+} __attribute__((__packed__));
+
+#endif /** DUPLICHECK_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index b86f1ef3d..e3a4e17b7 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -14,6 +14,7 @@
  */
 
 #include "duplicheck_notify.h"
+#include "duplicheck_msg.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -25,10 +26,9 @@
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <threading/thread.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
-#define DUPLICHECK_SOCKET IPSEC_PIDDIR "/charon.dck"
 
 typedef struct private_duplicheck_notify_t private_duplicheck_notify_t;
 
@@ -43,117 +43,58 @@ struct private_duplicheck_notify_t {
 	duplicheck_notify_t public;
 
 	/**
-	 * Callback job dispatching connections
-	 */
-	callback_job_t *job;
-
-	/**
 	 * Mutex to lock list
 	 */
 	mutex_t *mutex;
 
 	/**
-	 * List of connected sockets
+	 * List of connected clients, as stream_t
 	 */
 	linked_list_t *connected;
 
 	/**
-	 * Socket dispatching connections
+	 * stream service accepting connections
 	 */
-	int socket;
+	stream_service_t *service;
 };
 
 /**
- * Open duplicheck unix socket
- */
-static bool open_socket(private_duplicheck_notify_t *this)
-{
-	struct sockaddr_un addr;
-	mode_t old;
-
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, DUPLICHECK_SOCKET);
-
-	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "creating duplicheck socket failed");
-		return FALSE;
-	}
-	unlink(addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_CFG, "binding duplicheck socket failed: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(addr.sun_path, charon->uid, charon->gid) != 0)
-	{
-		DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
-			 strerror(errno));
-	}
-	if (listen(this->socket, 3) < 0)
-	{
-		DBG1(DBG_CFG, "listening on duplicheck socket failed: %s",
-			 strerror(errno));
-		close(this->socket);
-		unlink(addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
  * Accept duplicheck notification connections
  */
-static job_requeue_t receive(private_duplicheck_notify_t *this)
+static bool on_accept(private_duplicheck_notify_t *this, stream_t *stream)
 {
-	struct sockaddr_un addr;
-	int len = sizeof(addr);
-	uintptr_t fd;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
-	thread_cancelability(oldstate);
+	this->mutex->lock(this->mutex);
+	this->connected->insert_last(this->connected, stream);
+	this->mutex->unlock(this->mutex);
 
-	if (fd != -1)
-	{
-		this->mutex->lock(this->mutex);
-		this->connected->insert_last(this->connected, (void*)fd);
-		this->mutex->unlock(this->mutex);
-	 }
-	 else
-	 {
-		 DBG1(DBG_CFG, "accepting duplicheck connection failed: %s",
-			  strerror(errno));
-	 }
-	 return JOB_REQUEUE_FAIR;
+	return TRUE;
 }
 
 METHOD(duplicheck_notify_t, send_, void,
 	private_duplicheck_notify_t *this, identification_t *id)
 {
-	char buf[128];
 	enumerator_t *enumerator;
-	uintptr_t fd;
+	stream_t *stream;
+	u_int16_t nlen;
+	char buf[512];
 	int len;
 
 	len = snprintf(buf, sizeof(buf), "%Y", id);
 	if (len > 0 && len < sizeof(buf))
 	{
+		nlen = htons(len);
+
 		this->mutex->lock(this->mutex);
 		enumerator = this->connected->create_enumerator(this->connected);
-		while (enumerator->enumerate(enumerator, &fd))
+		while (enumerator->enumerate(enumerator, &stream))
 		{
-			if (send(fd, &buf, len + 1, 0) != len + 1)
+			if (!stream->write_all(stream, &nlen, sizeof(nlen)) ||
+				!stream->write_all(stream, buf, len))
 			{
 				DBG1(DBG_CFG, "sending duplicheck notify failed: %s",
 					 strerror(errno));
 				this->connected->remove_at(this->connected, enumerator);
-				close(fd);
+				stream->destroy(stream);
 			}
 		}
 		enumerator->destroy(enumerator);
@@ -164,20 +105,8 @@ METHOD(duplicheck_notify_t, send_, void,
 METHOD(duplicheck_notify_t, destroy, void,
 	private_duplicheck_notify_t *this)
 {
-	enumerator_t *enumerator;
-	uintptr_t fd;
-
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
-	enumerator = this->connected->create_enumerator(this->connected);
-	while (enumerator->enumerate(enumerator, &fd))
-	{
-		close(fd);
-	}
-	enumerator->destroy(enumerator);
-	this->connected->destroy(this->connected);
+	DESTROY_IF(this->service);
+	this->connected->destroy_offset(this->connected, offsetof(stream_t, destroy));
 	this->mutex->destroy(this->mutex);
 	free(this);
 }
@@ -188,6 +117,7 @@ METHOD(duplicheck_notify_t, destroy, void,
 duplicheck_notify_t *duplicheck_notify_create()
 {
 	private_duplicheck_notify_t *this;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -198,14 +128,18 @@ duplicheck_notify_t *duplicheck_notify_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
-	if (!open_socket(this))
+	uri = lib->settings->get_str(lib->settings,
+					"%s.plugins.duplicheck.socket", "unix://" DUPLICHECK_SOCKET,
+					charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 3);
+	if (!this->service)
 	{
+		DBG1(DBG_CFG, "creating duplicheck socket failed");
 		destroy(this);
 		return NULL;
 	}
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive,
-									this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 1);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index df28e7f12..4d018dbef 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -49,10 +49,37 @@ METHOD(plugin_t, get_name, char*,
 	return "duplicheck";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_duplicheck_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_duplicheck_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "duplicheck"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_duplicheck_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->notify->destroy(this->notify);
 	this->listener->destroy(this->listener);
 	free(this);
@@ -66,7 +93,7 @@ plugin_t *duplicheck_plugin_create()
 	private_duplicheck_plugin_t *this;
 
 	if (!lib->settings->get_bool(lib->settings,
-								 "charon.plugins.duplicheck.enable", TRUE))
+							"%s.plugins.duplicheck.enable", TRUE, charon->name))
 	{
 		return NULL;
 	}
@@ -75,7 +102,7 @@ plugin_t *duplicheck_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -88,7 +115,6 @@ plugin_t *duplicheck_plugin_create()
 		return NULL;
 	}
 	this->listener = duplicheck_listener_create(this->notify);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/eap_aka/Makefile.am b/src/libcharon/plugins/eap_aka/Makefile.am
index d37d1691c..ba6e66039 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.am
+++ b/src/libcharon/plugins/eap_aka/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-aka.la
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index e7a3d780a..7b2ac73c5 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_aka_la_DEPENDENCIES =  \
@@ -80,48 +104,77 @@ am_libstrongswan_eap_aka_la_OBJECTS = eap_aka_plugin.lo \
 	eap_aka_peer.lo eap_aka_server.lo
 libstrongswan_eap_aka_la_OBJECTS =  \
 	$(am_libstrongswan_eap_aka_la_OBJECTS)
-libstrongswan_eap_aka_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_aka_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_aka_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_aka_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_aka_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_aka_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_aka_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-aka.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-aka.la
 @MONOLITHIC_FALSE@libstrongswan_eap_aka_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -342,7 +409,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -350,6 +416,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -371,8 +439,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) 
-	$(libstrongswan_eap_aka_la_LINK) $(am_libstrongswan_eap_aka_la_rpath) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
+libstrongswan-eap-aka.la: $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_aka_la_LINK) $(am_libstrongswan_eap_aka_la_rpath) $(libstrongswan_eap_aka_la_OBJECTS) $(libstrongswan_eap_aka_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -385,25 +453,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -510,10 +578,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
index 8c392405e..810a19c55 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
@@ -81,12 +81,30 @@ struct private_eap_aka_peer_t {
 };
 
 /**
+ * Generate a payload from a message, destroy message
+ */
+static bool generate_payload(simaka_message_t *message, chunk_t data,
+							 eap_payload_t **out)
+{
+	chunk_t chunk;
+	bool ok;
+
+	ok = message->generate(message, data, &chunk);
+	if (ok)
+	{
+		*out = eap_payload_create_data_own(chunk);
+	}
+	message->destroy(message);
+	return ok;
+}
+
+/**
  * Create a AKA_CLIENT_ERROR: "Unable to process"
  */
-static eap_payload_t* create_client_error(private_eap_aka_peer_t *this)
+static bool create_client_error(private_eap_aka_peer_t *this,
+								eap_payload_t **out)
 {
 	simaka_message_t *message;
-	eap_payload_t *out;
 	u_int16_t encoded;
 
 	DBG1(DBG_IKE, "sending client error '%N'",
@@ -97,9 +115,8 @@ static eap_payload_t* create_client_error(private_eap_aka_peer_t *this)
 	encoded = htons(AKA_UNABLE_TO_PROCESS);
 	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
 						   chunk_create((char*)&encoded, sizeof(encoded)));
-	out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-	return out;
+
+	return generate_payload(message, chunk_empty, out);
 }
 
 /**
@@ -134,8 +151,11 @@ static status_t process_identity(private_eap_aka_peer_t *this,
 			default:
 				if (!simaka_attribute_skippable(type))
 				{
-					*out = create_client_error(this);
 					enumerator->destroy(enumerator);
+					if (!create_client_error(this, out))
+					{
+						return FAILED;
+					}
 					return NEED_MORE;
 				}
 				break;
@@ -175,9 +195,10 @@ static status_t process_identity(private_eap_aka_peer_t *this,
 	{
 		message->add_attribute(message, AT_IDENTITY, id);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	return NEED_MORE;
 }
 
@@ -210,8 +231,11 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 			default:
 				if (!simaka_attribute_skippable(type))
 				{
-					*out = create_client_error(this);
 					enumerator->destroy(enumerator);
+					if (!create_client_error(this, out))
+					{
+						return FAILED;
+					}
 					return NEED_MORE;
 				}
 				break;
@@ -222,7 +246,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 	if (!rand.len || !autn.len)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-AKA challenge message");
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -237,9 +264,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 									AKA_SYNCHRONIZATION_FAILURE, this->crypto);
 		message->add_attribute(message, AT_AUTS,
 							   chunk_create(auts, AKA_AUTS_LEN));
-		*out = eap_payload_create_data_own(message->generate(message,
-										   chunk_empty));
-		message->destroy(message);
+		if (!generate_payload(message, chunk_empty, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 	if (status != SUCCESS)
@@ -248,9 +276,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 			 this->permanent, simaka_subtype_names, AKA_AUTHENTICATION_REJECT);
 		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
 										AKA_AUTHENTICATION_REJECT, this->crypto);
-		*out = eap_payload_create_data_own(message->generate(message,
-										   chunk_empty));
-		message->destroy(message);
+		if (!generate_payload(message, chunk_empty, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -261,16 +290,22 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 	}
 	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
 					  chunk_create(ck, AKA_CK_LEN));
-	free(this->msk.ptr);
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	chunk_clear(&this->msk);
+	if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk))
+	{
+		return FAILED;
+	}
 	memcpy(this->mk, mk.ptr, mk.len);
-	free(mk.ptr);
+	chunk_clear(&mk);
 
 	/* Verify AT_MAC attribute and parse() again after key derivation,
 	 * reading encrypted attributes */
 	if (!in->verify(in, chunk_empty) || !in->parse(in))
 	{
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -300,8 +335,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 	message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
 									AKA_CHALLENGE, this->crypto);
 	message->add_attribute(message, AT_RES, chunk_create(res, res_len));
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	return NEED_MORE;
 }
 
@@ -332,17 +369,26 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
 	{
 		DBG1(DBG_IKE, "received %N, but not expected",
 			 simaka_subtype_names, AKA_REAUTHENTICATION);
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
-	this->crypto->derive_keys_reauth(this->crypto,
-									 chunk_create(this->mk, HASH_SIZE_SHA1));
+	if (!this->crypto->derive_keys_reauth(this->crypto,
+								chunk_create(this->mk, HASH_SIZE_SHA1)))
+	{
+		return FAILED;
+	}
 
 	/* verify MAC and parse again with decryption key */
 	if (!in->verify(in, chunk_empty) || !in->parse(in))
 	{
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -363,8 +409,11 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
 			default:
 				if (!simaka_attribute_skippable(type))
 				{
-					*out = create_client_error(this);
 					enumerator->destroy(enumerator);
+					if (!create_client_error(this, out))
+					{
+						return FAILED;
+					}
 					return NEED_MORE;
 				}
 				break;
@@ -375,7 +424,10 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
 	if (!nonce.len || !counter.len)
 	{
 		DBG1(DBG_IKE, "EAP-AKA/Request/Reauthentication message incomplete");
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -388,10 +440,14 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
 	}
 	else
 	{
-		free(this->msk.ptr);
-		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-										this->reauth, counter, nonce,
-										chunk_create(this->mk, HASH_SIZE_SHA1));
+		chunk_clear(&this->msk);
+		if (!this->crypto->derive_keys_reauth_msk(this->crypto,
+						this->reauth, counter, nonce,
+						chunk_create(this->mk, HASH_SIZE_SHA1), &this->msk))
+		{
+			message->destroy(message);
+			return FAILED;
+		}
 		if (id.len)
 		{
 			identification_t *reauth;
@@ -403,8 +459,10 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
 		}
 	}
 	message->add_attribute(message, AT_COUNTER, counter);
-	*out = eap_payload_create_data_own(message->generate(message, nonce));
-	message->destroy(message);
+	if (!generate_payload(message, nonce, out))
+	{
+		return FAILED;
+	}
 	return NEED_MORE;
 }
 
@@ -454,13 +512,17 @@ static status_t process_notification(private_eap_aka_peer_t *this,
 	{	/* empty notification reply */
 		message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
 										AKA_NOTIFICATION, this->crypto);
-		*out = eap_payload_create_data_own(message->generate(message,
-															 chunk_empty));
-		message->destroy(message);
+		if (!generate_payload(message, chunk_empty, out))
+		{
+			return FAILED;
+		}
 	}
 	else
 	{
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 	}
 	return NEED_MORE;
 }
@@ -478,13 +540,19 @@ METHOD(eap_method_t, process, status_t,
 	message = simaka_message_create_from_payload(in->get_data(in), this->crypto);
 	if (!message)
 	{
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 	if (!message->parse(message))
 	{
 		message->destroy(message);
-		*out = create_client_error(this);
+		if (!create_client_error(this, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 	switch (message->get_subtype(message))
@@ -504,8 +572,14 @@ METHOD(eap_method_t, process, status_t,
 		default:
 			DBG1(DBG_IKE, "unable to process EAP-AKA subtype %N",
 				 simaka_subtype_names, message->get_subtype(message));
-			*out = create_client_error(this);
-			status = NEED_MORE;
+			if (!create_client_error(this, out))
+			{
+				status = FAILED;
+			}
+			else
+			{
+				status = NEED_MORE;
+			}
 			break;
 	}
 	message->destroy(message);
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.h b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
index 974ba2721..b6ab5cdc5 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.h
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_aka_peer_t eap_aka_peer_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * EAP-AKA peer implementation.
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
index d8e85ceef..b7608382d 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -119,6 +119,24 @@ struct private_eap_aka_server_t {
 };
 
 /**
+ * Generate a payload from a message, destroy message
+ */
+static bool generate_payload(simaka_message_t *message, chunk_t data,
+							 eap_payload_t **out)
+{
+	chunk_t chunk;
+	bool ok;
+
+	ok = message->generate(message, data, &chunk);
+	if (ok)
+	{
+		*out = eap_payload_create_data_own(chunk);
+	}
+	message->destroy(message);
+	return ok;
+}
+
+/**
  * Create EAP-AKA/Request/Identity message
  */
 static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
@@ -139,9 +157,10 @@ static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
 	{
 		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	this->pending = AKA_IDENTITY;
 	return NEED_MORE;
 }
@@ -180,8 +199,11 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
 	}
 	data = chunk_cata("cc", chunk_create(ik, AKA_IK_LEN),
 					  chunk_create(ck, AKA_CK_LEN));
-	free(this->msk.ptr);
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	chunk_clear(&this->msk);
+	if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk))
+	{
+		return FAILED;
+	}
 	this->rand = chunk_clone(chunk_create(rand, AKA_RAND_LEN));
 	this->xres = chunk_clone(chunk_create(xres, xres_len));
 
@@ -190,6 +212,7 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
 	message->add_attribute(message, AT_RAND, this->rand);
 	message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
 	id = this->mgr->provider_gen_reauth(this->mgr, this->permanent, mk.ptr);
+	free(mk.ptr);
 	if (id)
 	{
 		message->add_attribute(message, AT_NEXT_REAUTH_ID,
@@ -203,10 +226,10 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
 							   id->get_encoding(id));
 		id->destroy(id);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-
-	free(mk.ptr);
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	this->pending = AKA_CHALLENGE;
 	return NEED_MORE;
 }
@@ -226,15 +249,21 @@ static status_t reauthenticate(private_eap_aka_server_t *this,
 	DBG1(DBG_IKE, "initiating EAP-AKA reauthentication");
 
 	rng = this->crypto->get_rng(this->crypto);
-	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+	if (!rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
+	{
+		return FAILED;
+	}
 
 	mkc = chunk_create(mk, HASH_SIZE_SHA1);
 	counter = htons(counter);
 	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
 
-	this->crypto->derive_keys_reauth(this->crypto, mkc);
-	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-								this->reauth, this->counter, this->nonce, mkc);
+	if (!this->crypto->derive_keys_reauth(this->crypto, mkc) ||
+		!this->crypto->derive_keys_reauth_msk(this->crypto,
+					this->reauth, this->counter, this->nonce, mkc, &this->msk))
+	{
+		return FAILED;
+	}
 
 	message = simaka_message_create(TRUE, this->identifier++, EAP_AKA,
 									AKA_REAUTHENTICATION, this->crypto);
@@ -247,9 +276,10 @@ static status_t reauthenticate(private_eap_aka_server_t *this,
 							   next->get_encoding(next));
 		next->destroy(next);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	this->pending = SIM_REAUTHENTICATION;
 	return NEED_MORE;
 }
@@ -691,7 +721,7 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
 	this->permanent = peer->clone(peer);
 	this->use_reauth = this->use_pseudonym = this->use_permanent =
 		lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-aka.request_identity", TRUE);
+					"%s.plugins.eap-aka.request_identity", TRUE, charon->name);
 
 	/* generate a non-zero identifier */
 	do {
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.h b/src/libcharon/plugins/eap_aka/eap_aka_server.h
index 5ab1c4dfd..5c95180ac 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.h
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_aka_server_t eap_aka_server_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * EAP-AKA server implementation.
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
index b4d6dc1d2..4e2b207d2 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index b0890fb39..7718ea8a4 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -73,6 +91,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES = $(am__append_1)
@@ -81,49 +105,77 @@ am_libstrongswan_eap_aka_3gpp2_la_OBJECTS = eap_aka_3gpp2_plugin.lo \
 	eap_aka_3gpp2_functions.lo
 libstrongswan_eap_aka_3gpp2_la_OBJECTS =  \
 	$(am_libstrongswan_eap_aka_3gpp2_la_OBJECTS)
-libstrongswan_eap_aka_3gpp2_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_aka_3gpp2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_aka_3gpp2_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_aka_3gpp2_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_aka_3gpp2_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_aka_3gpp2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,10 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 libstrongswan_eap_aka_3gpp2_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_aka_3gpp2_la_LIBADD = -lgmp $(am__append_1)
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-aka-3gpp2.la
@@ -345,7 +411,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -353,6 +418,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -374,8 +441,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
-	$(libstrongswan_eap_aka_3gpp2_la_LINK) $(am_libstrongswan_eap_aka_3gpp2_la_rpath) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
+libstrongswan-eap-aka-3gpp2.la: $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_aka_3gpp2_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_aka_3gpp2_la_LINK) $(am_libstrongswan_eap_aka_3gpp2_la_rpath) $(libstrongswan_eap_aka_3gpp2_la_OBJECTS) $(libstrongswan_eap_aka_3gpp2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -389,25 +456,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_aka_3gpp2_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -514,10 +581,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
index cec06fbd7..1bfc39e5a 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c
@@ -74,13 +74,19 @@ METHOD(simaka_card_t, get_quintuplet, status_t,
 	mac = autn + AKA_SQN_LEN + AKA_AMF_LEN;
 
 	/* XOR anonymity key AK into SQN to decrypt it */
-	this->f->f5(this->f, k, rand, ak);
+	if (!this->f->f5(this->f, k, rand, ak))
+	{
+		return FAILED;
+	}
 	DBG3(DBG_IKE, "using ak %b", ak, AKA_AK_LEN);
 	memxor(sqn, ak, AKA_SQN_LEN);
 	DBG3(DBG_IKE, "using sqn %b", sqn, AKA_SQN_LEN);
 
 	/* calculate expected MAC and compare against received one */
-	this->f->f1(this->f, k, rand, sqn, amf, xmac);
+	if (!this->f->f1(this->f, k, rand, sqn, amf, xmac))
+	{
+		return FAILED;
+	}
 	if (!memeq(mac, xmac, AKA_MAC_LEN))
 	{
 		DBG1(DBG_IKE, "received MAC does not match XMAC");
@@ -98,11 +104,13 @@ METHOD(simaka_card_t, get_quintuplet, status_t,
 	/* update stored SQN to the received one */
 	memcpy(this->sqn, sqn, AKA_SQN_LEN);
 
-	/* CK/IK */
-	this->f->f3(this->f, k, rand, ck);
-	this->f->f4(this->f, k, rand, ik);
-	/* calculate RES */
-	this->f->f2(this->f, k, rand, res);
+	/* CK/IK, calculate RES */
+	if (!this->f->f3(this->f, k, rand, ck) ||
+		!this->f->f4(this->f, k, rand, ik) ||
+		!this->f->f2(this->f, k, rand, res))
+	{
+		return FAILED;
+	}
 	*res_len = AKA_RES_MAX;
 
 	return SUCCESS;
@@ -122,8 +130,11 @@ METHOD(simaka_card_t, resync, bool,
 
 	/* AMF is set to zero in resync */
 	memset(amf, 0, AKA_AMF_LEN);
-	this->f->f5star(this->f, k, rand, aks);
-	this->f->f1star(this->f, k, rand, this->sqn, amf, macs);
+	if (!this->f->f5star(this->f, k, rand, aks) ||
+		!this->f->f1star(this->f, k, rand, this->sqn, amf, macs))
+	{
+		return FALSE;
+	}
 	/* AUTS = SQN xor AKS | MACS */
 	memcpy(auts, this->sqn, AKA_SQN_LEN);
 	memxor(auts, aks, AKA_AK_LEN);
@@ -160,12 +171,13 @@ eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
 		},
 		.f = f,
 		.seq_check = lib->settings->get_bool(lib->settings,
-									"charon.plugins.eap-aka-3gpp2.seq_check",
+									"%s.plugins.eap-aka-3gpp2.seq_check",
 #ifdef SEQ_CHECK /* handle legacy compile time configuration as default */
-									TRUE),
+									TRUE,
 #else /* !SEQ_CHECK */
-									FALSE),
+									FALSE,
 #endif /* SEQ_CHECK */
+									charon->name),
 	);
 
 	eap_aka_3gpp2_get_sqn(this->sqn, 0);
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
index d000bebbb..93ea8d08c 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c
@@ -170,12 +170,12 @@ static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
  * Step 3 of the various fx() functions:
  * XOR the key into the SHA1 IV
  */
-static void step3(prf_t *prf, u_char k[AKA_K_LEN],
+static bool step3(prf_t *prf, u_char k[AKA_K_LEN],
 				  u_char payload[AKA_PAYLOAD_LEN], u_int8_t h[HASH_SIZE_SHA1])
 {
 	/* use the keyed hasher to build the hash */
-	prf->set_key(prf, chunk_create(k, AKA_K_LEN));
-	prf->get_bytes(prf, chunk_create(payload, AKA_PAYLOAD_LEN), h);
+	return prf->set_key(prf, chunk_create(k, AKA_K_LEN)) &&
+		   prf->get_bytes(prf, chunk_create(payload, AKA_PAYLOAD_LEN), h);
 }
 
 /**
@@ -211,7 +211,7 @@ static void step4(u_char x[HASH_SIZE_SHA1])
 /**
  * Calculation function for f2(), f3(), f4()
  */
-static void fx(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
+static bool fx(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
 			   u_char rand[AKA_RAND_LEN], u_char out[AKA_MAC_LEN])
 {
 	u_char payload[AKA_PAYLOAD_LEN];
@@ -230,16 +230,20 @@ static void fx(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
 		payload[35] ^= i;
 		payload[51] ^= i;
 
-		step3(prf, k, payload, h);
+		if (!step3(prf, k, payload, h))
+		{
+			return FALSE;
+		}
 		step4(h);
 		memcpy(out + i * 8, h, 8);
 	}
+	return TRUE;
 }
 
 /**
  * Calculation function of f1() and f1star()
  */
-static void f1x(prf_t *prf, u_int8_t f, u_char k[AKA_K_LEN],
+static bool f1x(prf_t *prf, u_int8_t f, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
 				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
 {
@@ -257,15 +261,19 @@ static void f1x(prf_t *prf, u_int8_t f, u_char k[AKA_K_LEN],
 	memxor(payload + 34, sqn, AKA_SQN_LEN);
 	memxor(payload + 42, amf, AKA_AMF_LEN);
 
-	step3(prf, k, payload, h);
+	if (!step3(prf, k, payload, h))
+	{
+		return FALSE;
+	}
 	step4(h);
 	memcpy(mac, h, AKA_MAC_LEN);
+	return TRUE;
 }
 
 /**
  * Calculation function of f5() and f5star()
  */
-static void f5x(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
+static bool f5x(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
 {
 	u_char payload[AKA_PAYLOAD_LEN];
@@ -276,88 +284,120 @@ static void f5x(prf_t *prf, u_char f, u_char k[AKA_K_LEN],
 	memxor(payload + 12, fmk.ptr, fmk.len);
 	memxor(payload + 16, rand, AKA_RAND_LEN);
 
-	step3(prf, k, payload, h);
+	if (!step3(prf, k, payload, h))
+	{
+		return FALSE;
+	}
 	step4(h);
 	memcpy(ak, h, AKA_AK_LEN);
+	return TRUE;
 }
 
 /**
  * Calculate MAC from RAND, SQN, AMF using K
  */
-METHOD(eap_aka_3gpp2_functions_t, f1, void,
+METHOD(eap_aka_3gpp2_functions_t, f1, bool,
 	private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 	u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
 	u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN])
 {
-	f1x(this->prf, F1, k, rand, sqn, amf, mac);
-	DBG3(DBG_IKE, "MAC %b", mac, AKA_MAC_LEN);
+	if (f1x(this->prf, F1, k, rand, sqn, amf, mac))
+	{
+		DBG3(DBG_IKE, "MAC %b", mac, AKA_MAC_LEN);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
  * Calculate MACS from RAND, SQN, AMF using K
  */
-METHOD(eap_aka_3gpp2_functions_t, f1star, void,
+METHOD(eap_aka_3gpp2_functions_t, f1star, bool,
 	private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 	u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
 	u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN])
 {
-	f1x(this->prf, F1STAR, k, rand, sqn, amf, macs);
-	DBG3(DBG_IKE, "MACS %b", macs, AKA_MAC_LEN);
+	if (f1x(this->prf, F1STAR, k, rand, sqn, amf, macs))
+	{
+		DBG3(DBG_IKE, "MACS %b", macs, AKA_MAC_LEN);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
  * Calculate RES from RAND using K
  */
-METHOD(eap_aka_3gpp2_functions_t, f2, void,
+METHOD(eap_aka_3gpp2_functions_t, f2, bool,
 	private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 	u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX])
 {
-	fx(this->prf, F2, k, rand, res);
-	DBG3(DBG_IKE, "RES %b", res, AKA_RES_MAX);
+	if (fx(this->prf, F2, k, rand, res))
+	{
+		DBG3(DBG_IKE, "RES %b", res, AKA_RES_MAX);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
  * Calculate CK from RAND using K
  */
-METHOD(eap_aka_3gpp2_functions_t, f3, void,
+METHOD(eap_aka_3gpp2_functions_t, f3, bool,
 	private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 	u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN])
 {
-	fx(this->prf, F3, k, rand, ck);
-	DBG3(DBG_IKE, "CK %b", ck, AKA_CK_LEN);
+	if (fx(this->prf, F3, k, rand, ck))
+	{
+		DBG3(DBG_IKE, "CK %b", ck, AKA_CK_LEN);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
  * Calculate IK from RAND using K
  */
-METHOD(eap_aka_3gpp2_functions_t, f4, void,
+METHOD(eap_aka_3gpp2_functions_t, f4, bool,
 	private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 	u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN])
 {
-	fx(this->prf, F4, k, rand, ik);
-	DBG3(DBG_IKE, "IK %b", ik, AKA_IK_LEN);
+	if (fx(this->prf, F4, k, rand, ik))
+	{
+		DBG3(DBG_IKE, "IK %b", ik, AKA_IK_LEN);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
  * Calculate AK from a RAND using K
  */
-METHOD(eap_aka_3gpp2_functions_t, f5, void,
+METHOD(eap_aka_3gpp2_functions_t, f5, bool,
 	private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 	u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN])
 {
-	f5x(this->prf, F5, k, rand, ak);
-	DBG3(DBG_IKE, "AK %b", ak, AKA_AK_LEN);
+	if (f5x(this->prf, F5, k, rand, ak))
+	{
+		DBG3(DBG_IKE, "AK %b", ak, AKA_AK_LEN);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
  * Calculate AKS from a RAND using K
  */
-METHOD(eap_aka_3gpp2_functions_t, f5star, void,
+METHOD(eap_aka_3gpp2_functions_t, f5star, bool,
 	private_eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 	u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN])
 {
-	f5x(this->prf, F5STAR, k, rand, aks);
-	DBG3(DBG_IKE, "AKS %b", aks, AKA_AK_LEN);
+	if (f5x(this->prf, F5STAR, k, rand, aks))
+	{
+		DBG3(DBG_IKE, "AKS %b", aks, AKA_AK_LEN);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 METHOD(eap_aka_3gpp2_functions_t, destroy, void,
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
index 855efec3e..2706da349 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h
@@ -45,8 +45,9 @@ struct eap_aka_3gpp2_functions_t {
 	 * @param sqn	sequence number
 	 * @param amf	authentication management field
 	 * @param mac	buffer receiving mac MAC
+	 * @return		TRUE if calculations successful
 	 */
-	void (*f1)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+	bool (*f1)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
 				u_char amf[AKA_AMF_LEN], u_char mac[AKA_MAC_LEN]);
 
@@ -58,8 +59,9 @@ struct eap_aka_3gpp2_functions_t {
 	 * @param sqn	sequence number
 	 * @param amf	authentication management field
 	 * @param macs	buffer receiving resynchronization mac MACS
+	 * @return		TRUE if calculations successful
 	 */
-	void (*f1star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+	bool (*f1star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char sqn[AKA_SQN_LEN],
 				u_char amf[AKA_AMF_LEN], u_char macs[AKA_MAC_LEN]);
 
@@ -69,8 +71,9 @@ struct eap_aka_3gpp2_functions_t {
 	 * @param k		secret key K
 	 * @param rand	random value RAND
 	 * @param res	buffer receiving result RES, uses full 128 bit
+	 * @return		TRUE if calculations successful
 	 */
-	void (*f2)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+	bool (*f2)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char res[AKA_RES_MAX]);
 	/**
 	 * Calculate CK from RAND using K
@@ -78,8 +81,9 @@ struct eap_aka_3gpp2_functions_t {
 	 * @param k		secret key K
 	 * @param rand	random value RAND
 	 * @param macs	buffer receiving encryption key CK
+	 * @return		TRUE if calculations successful
 	 */
-	void (*f3)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+	bool (*f3)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char ck[AKA_CK_LEN]);
 	/**
 	 * Calculate IK from RAND using K
@@ -87,8 +91,9 @@ struct eap_aka_3gpp2_functions_t {
 	 * @param k		secret key K
 	 * @param rand	random value RAND
 	 * @param macs	buffer receiving integrity key IK
+	 * @return		TRUE if calculations successful
 	 */
-	void (*f4)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+	bool (*f4)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char ik[AKA_IK_LEN]);
 	/**
 	 * Calculate AK from a RAND using K
@@ -96,8 +101,9 @@ struct eap_aka_3gpp2_functions_t {
 	 * @param k		secret key K
 	 * @param rand	random value RAND
 	 * @param macs	buffer receiving anonymity key AK
+	 * @return		TRUE if calculations successful
 	 */
-	void (*f5)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+	bool (*f5)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char ak[AKA_AK_LEN]);
 	/**
 	 * Calculate AKS from a RAND using K
@@ -105,8 +111,9 @@ struct eap_aka_3gpp2_functions_t {
 	 * @param k		secret key K
 	 * @param rand	random value RAND
 	 * @param macs	buffer receiving resynchronization anonymity key AKS
+	 * @return		TRUE if calculations successful
 	 */
-	void (*f5star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
+	bool (*f5star)(eap_aka_3gpp2_functions_t *this, u_char k[AKA_K_LEN],
 				u_char rand[AKA_RAND_LEN], u_char aks[AKA_AK_LEN]);
 
 	/**
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
index b2b43da2a..0be122158 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
+++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
@@ -90,12 +90,12 @@ METHOD(simaka_provider_t, get_quintuplet, bool,
 
 	/* generate RAND: we use a registered RNG, not f0() proposed in S.S0055 */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->get_bytes(rng, AKA_RAND_LEN, rand))
 	{
 		DBG1(DBG_IKE, "generating RAND for AKA failed");
+		DESTROY_IF(rng);
 		return FALSE;
 	}
-	rng->get_bytes(rng, AKA_RAND_LEN, rand);
 	rng->destroy(rng);
 
 	if (!eap_aka_3gpp2_get_k(id, k))
@@ -107,12 +107,13 @@ METHOD(simaka_provider_t, get_quintuplet, bool,
 	DBG3(DBG_IKE, "generated rand %b", rand, AKA_RAND_LEN);
 	DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
 
-	/* MAC */
-	this->f->f1(this->f, k, rand, this->sqn, amf, mac);
-	/* AK */
-	this->f->f5(this->f, k, rand, ak);
-	/* XRES as expected from client */
-	this->f->f2(this->f, k, rand, xres);
+	/* MAC, AK, XRES as expected from client */
+	if (!this->f->f1(this->f, k, rand, this->sqn, amf, mac) ||
+		!this->f->f5(this->f, k, rand, ak) ||
+		!this->f->f2(this->f, k, rand, xres))
+	{
+		return FALSE;
+	}
 	*xres_len = AKA_RES_MAX;
 	/* AUTN = (SQN xor AK) || AMF || MAC */
 	memcpy(autn, this->sqn, AKA_SQN_LEN);
@@ -121,9 +122,11 @@ METHOD(simaka_provider_t, get_quintuplet, bool,
 	memcpy(autn + AKA_SQN_LEN + AKA_AMF_LEN, mac, AKA_MAC_LEN);
 	DBG3(DBG_IKE, "AUTN %b", autn, AKA_AUTN_LEN);
 	/* CK/IK */
-	this->f->f3(this->f, k, rand, ck);
-	this->f->f4(this->f, k, rand, ik);
-
+	if (!this->f->f3(this->f, k, rand, ck) ||
+		!this->f->f4(this->f, k, rand, ik))
+	{
+		return FALSE;
+	}
 	return TRUE;
 }
 
@@ -143,12 +146,18 @@ METHOD(simaka_provider_t, resync, bool,
 	/* AUTHS = (AK xor SQN) | MAC */
 	sqn = auts;
 	macs = auts + AKA_SQN_LEN;
-	this->f->f5star(this->f, k, rand, aks);
+	if (!this->f->f5star(this->f, k, rand, aks))
+	{
+		return FALSE;
+	}
 	memxor(sqn, aks, AKA_AK_LEN);
 
 	/* verify XMACS, AMF of zero is used in resynchronization */
 	memset(amf, 0, AKA_AMF_LEN);
-	this->f->f1star(this->f, k, rand, sqn, amf, xmacs);
+	if (!this->f->f1star(this->f, k, rand, sqn, amf, xmacs))
+	{
+		return FALSE;
+	}
 	if (!memeq(macs, xmacs, AKA_MAC_LEN))
 	{
 		DBG1(DBG_IKE, "received MACS does not match XMACS");
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.am b/src/libcharon/plugins/eap_dynamic/Makefile.am
new file mode 100644
index 000000000..13b4d10b1
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.am
@@ -0,0 +1,18 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-dynamic.la
+endif
+
+libstrongswan_eap_dynamic_la_SOURCES = \
+	eap_dynamic_plugin.h eap_dynamic_plugin.c eap_dynamic.h eap_dynamic.c
+
+libstrongswan_eap_dynamic_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
new file mode 100644
index 000000000..a1bbb4bbb
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -0,0 +1,686 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_dynamic
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_eap_dynamic_la_LIBADD =
+am_libstrongswan_eap_dynamic_la_OBJECTS = eap_dynamic_plugin.lo \
+	eap_dynamic.lo
+libstrongswan_eap_dynamic_la_OBJECTS =  \
+	$(am_libstrongswan_eap_dynamic_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_dynamic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_dynamic_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_dynamic_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_dynamic_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_eap_dynamic_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_dynamic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-dynamic.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-dynamic.la
+libstrongswan_eap_dynamic_la_SOURCES = \
+	eap_dynamic_plugin.h eap_dynamic_plugin.c eap_dynamic.h eap_dynamic.c
+
+libstrongswan_eap_dynamic_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_dynamic/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_dynamic/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-dynamic.la: $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_dynamic_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_dynamic_la_LINK) $(am_libstrongswan_eap_dynamic_la_rpath) $(libstrongswan_eap_dynamic_la_OBJECTS) $(libstrongswan_eap_dynamic_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_dynamic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_dynamic_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
new file mode 100644
index 000000000..d24cbd128
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_dynamic.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_dynamic_t private_eap_dynamic_t;
+
+/**
+ * Private data of an eap_dynamic_t object.
+ */
+struct private_eap_dynamic_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_dynamic_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * Our supported EAP types (as eap_vendor_type_t*)
+	 */
+	linked_list_t *types;
+
+	/**
+	 * EAP types supported by peer, if any
+	 */
+	linked_list_t *other_types;
+
+	/**
+	 * Prefer types sent by peer
+	 */
+	bool prefer_peer;
+
+	/**
+	 * The proxied EAP method
+	 */
+	eap_method_t *method;
+};
+
+/**
+ * Compare two eap_vendor_type_t objects
+ */
+static bool entry_matches(eap_vendor_type_t *item, eap_vendor_type_t *other)
+{
+	return item->type == other->type && item->vendor == other->vendor;
+}
+
+/**
+ * Load the given EAP method
+ */
+static eap_method_t *load_method(private_eap_dynamic_t *this,
+								 eap_type_t type, u_int32_t vendor)
+{
+	eap_method_t *method;
+
+	method = charon->eap->create_instance(charon->eap, type, vendor, EAP_SERVER,
+										  this->server, this->peer);
+	if (!method)
+	{
+		if (vendor)
+		{
+			DBG1(DBG_IKE, "loading vendor specific EAP method %d-%d failed",
+				 type, vendor);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "loading %N method failed", eap_type_names, type);
+		}
+	}
+	return method;
+}
+
+/**
+ * Select the first method we can instantiate and is supported by both peers.
+ */
+static void select_method(private_eap_dynamic_t *this)
+{
+	eap_vendor_type_t *entry;
+	linked_list_t *outer = this->types, *inner = this->other_types;
+	char *who = "peer";
+
+	if (this->other_types && this->prefer_peer)
+	{
+		outer = this->other_types;
+		inner = this->types;
+		who = "us";
+	}
+
+	while (outer->remove_first(outer, (void*)&entry) == SUCCESS)
+	{
+		if (inner)
+		{
+			if (inner->find_first(inner, (void*)entry_matches,
+								  NULL, entry) != SUCCESS)
+			{
+				if (entry->vendor)
+				{
+					DBG2(DBG_IKE, "proposed vendor specific EAP method %d-%d "
+						 "not supported by %s, skipped", entry->type,
+						  entry->vendor, who);
+				}
+				else
+				{
+					DBG2(DBG_IKE, "proposed %N method not supported by %s, "
+						 "skipped", eap_type_names, entry->type, who);
+				}
+				free(entry);
+				continue;
+			}
+		}
+		this->method = load_method(this, entry->type, entry->vendor);
+		if (this->method)
+		{
+			if (entry->vendor)
+			{
+				DBG1(DBG_IKE, "vendor specific EAP method %d-%d selected",
+					 entry->type, entry->vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "%N method selected", eap_type_names,
+					 entry->type);
+			}
+			free(entry);
+			break;
+		}
+		free(entry);
+	}
+}
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_dynamic_t *this, eap_payload_t **out)
+{
+	if (!this->method)
+	{
+		select_method(this);
+		if (!this->method)
+		{
+			DBG1(DBG_IKE, "no supported EAP method found");
+			return FAILED;
+		}
+	}
+	return this->method->initiate(this->method, out);
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_dynamic_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	eap_type_t received_type, type;
+	u_int32_t received_vendor, vendor;
+
+	received_type = in->get_type(in, &received_vendor);
+	if (received_vendor == 0 && received_type == EAP_NAK)
+	{
+		enumerator_t *enumerator;
+
+		DBG1(DBG_IKE, "received %N, selecting a different EAP method",
+			 eap_type_names, EAP_NAK);
+
+		if (this->other_types)
+		{	/* we already received a Nak or a proper response before */
+			DBG1(DBG_IKE, "%N is not supported in this state", eap_type_names,
+				 EAP_NAK);
+			return FAILED;
+		}
+
+		this->other_types = linked_list_create();
+		enumerator = in->get_types(in);
+		while (enumerator->enumerate(enumerator, &type, &vendor))
+		{
+			eap_vendor_type_t *entry;
+
+			if (!type)
+			{
+				DBG1(DBG_IKE, "peer does not support any other EAP methods");
+				enumerator->destroy(enumerator);
+				return FAILED;
+			}
+			INIT(entry,
+				.type = type,
+				.vendor = vendor,
+			);
+			this->other_types->insert_last(this->other_types, entry);
+		}
+		enumerator->destroy(enumerator);
+
+		/* restart with a different method */
+		this->method->destroy(this->method);
+		this->method = NULL;
+		return initiate(this, out);
+	}
+	if (!this->other_types)
+	{	/* so we don't handle EAP-Naks later */
+		this->other_types = linked_list_create();
+	}
+	if (this->method)
+	{
+		return this->method->process(this->method, in, out);
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_dynamic_t *this, u_int32_t *vendor)
+{
+	if (this->method)
+	{
+		return this->method->get_type(this->method, vendor);
+	}
+	*vendor = 0;
+	return EAP_DYNAMIC;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_dynamic_t *this, chunk_t *msk)
+{
+	if (this->method)
+	{
+		return this->method->get_msk(this->method, msk);
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, get_identifier, u_int8_t,
+	private_eap_dynamic_t *this)
+{
+	if (this->method)
+	{
+		return this->method->get_identifier(this->method);
+	}
+	return 0;
+}
+
+METHOD(eap_method_t, set_identifier, void,
+	private_eap_dynamic_t *this, u_int8_t identifier)
+{
+	if (this->method)
+	{
+		this->method->set_identifier(this->method, identifier);
+	}
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_dynamic_t *this)
+{
+	if (this->method)
+	{
+		return this->method->is_mutual(this->method);
+	}
+	return FALSE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_dynamic_t *this)
+{
+	DESTROY_IF(this->method);
+	this->types->destroy_function(this->types, (void*)free);
+	DESTROY_FUNCTION_IF(this->other_types, (void*)free);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/**
+ * Parse preferred EAP types
+ */
+static void handle_preferred_eap_types(private_eap_dynamic_t *this,
+									   char *methods)
+{
+	enumerator_t *enumerator;
+	eap_vendor_type_t *type, *entry;
+	linked_list_t *preferred;
+	char *method;
+
+	/* parse preferred EAP methods, format: type[-vendor], ... */
+	preferred = linked_list_create();
+	enumerator = enumerator_create_token(methods, ",", " ");
+	while (enumerator->enumerate(enumerator, &method))
+	{
+		type = eap_vendor_type_from_string(method);
+		if (type)
+		{
+			preferred->insert_last(preferred, type);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->types->create_enumerator(this->types);
+	while (preferred->remove_last(preferred, (void**)&type) == SUCCESS)
+	{	/* move (supported) types to the front, maintain the preferred order */
+		this->types->reset_enumerator(this->types, enumerator);
+		while (enumerator->enumerate(enumerator, &entry))
+		{
+			if (entry_matches(entry, type))
+			{
+				this->types->remove_at(this->types, enumerator);
+				this->types->insert_first(this->types, entry);
+				break;
+			}
+		}
+		free(type);
+	}
+	enumerator->destroy(enumerator);
+	preferred->destroy(preferred);
+}
+
+/**
+ * Get all supported EAP methods
+ */
+static void get_supported_eap_types(private_eap_dynamic_t *this)
+{
+	enumerator_t *enumerator;
+	eap_type_t type;
+	u_int32_t vendor;
+
+	enumerator = charon->eap->create_enumerator(charon->eap, EAP_SERVER);
+	while (enumerator->enumerate(enumerator, &type, &vendor))
+	{
+		eap_vendor_type_t *entry;
+
+		INIT(entry,
+			.type = type,
+			.vendor = vendor,
+		);
+		this->types->insert_last(this->types, entry);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/*
+ * Defined in header
+ */
+eap_dynamic_t *eap_dynamic_create(identification_t *server,
+								  identification_t *peer)
+{
+	private_eap_dynamic_t *this;
+	char *preferred;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.get_identifier = _get_identifier,
+				.set_identifier = _set_identifier,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.server = server->clone(server),
+		.types = linked_list_create(),
+		.prefer_peer = lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-dynamic.prefer_peer", FALSE, charon->name),
+	);
+
+	/* get all supported EAP methods */
+	get_supported_eap_types(this);
+	/* move preferred methods to the front */
+	preferred = lib->settings->get_str(lib->settings,
+					"%s.plugins.eap-dynamic.preferred", NULL, charon->name);
+	if (preferred)
+	{
+		handle_preferred_eap_types(this, preferred);
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.h b/src/libcharon/plugins/eap_dynamic/eap_dynamic.h
new file mode 100644
index 000000000..35db4fa26
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_dynamic_i eap_dynamic
+ * @{ @ingroup eap_dynamic
+ */
+
+#ifndef EAP_DYNAMIC_H_
+#define EAP_DYNAMIC_H_
+
+typedef struct eap_dynamic_t eap_dynamic_t;
+
+#include <sa/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface for a virtual EAP method that
+ * proxies other EAP methods and supports the selection of the actual method
+ * by the client.
+ */
+struct eap_dynamic_t {
+
+	/**
+	 * Implemented eap_method_t interface
+	 */
+	eap_method_t interface;
+};
+
+/**
+ * Create a dynamic EAP proxy serving any supported real method which is also
+ * supported (or selected) by the client.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_dynamic_t object
+ */
+eap_dynamic_t *eap_dynamic_create(identification_t *server,
+								  identification_t *peer);
+
+#endif /** EAP_DYNAMIC_H_ @}*/
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c
new file mode 100644
index 000000000..d6f38b666
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_dynamic_plugin.h"
+
+#include "eap_dynamic.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	eap_dynamic_plugin_t *this)
+{
+	return "eap-dynamic";
+}
+
+METHOD(plugin_t, get_features, int,
+	eap_dynamic_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(eap_method_register, eap_dynamic_create),
+			PLUGIN_PROVIDE(EAP_SERVER, EAP_DYNAMIC),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	eap_dynamic_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_dynamic_plugin_create()
+{
+	eap_dynamic_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h
new file mode 100644
index 000000000..9b124d8d2
--- /dev/null
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic_plugin.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_dynamic eap_dynamic
+ * @ingroup cplugins
+ *
+ * @defgroup eap_dynamic_plugin eap_dynamic_plugin
+ * @{ @ingroup eap_dynamic
+ */
+
+#ifndef EAP_DYNAMIC_PLUGIN_H_
+#define EAP_DYNAMIC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_dynamic_plugin_t eap_dynamic_plugin_t;
+
+/**
+ * EAP plugin that can use any supported EAP method the client supports or
+ * prefers to use.
+ */
+struct eap_dynamic_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_DYNAMIC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.am b/src/libcharon/plugins/eap_gtc/Makefile.am
index d8722bf9d..811366a94 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.am
+++ b/src/libcharon/plugins/eap_gtc/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
@@ -13,4 +15,4 @@ endif
 libstrongswan_eap_gtc_la_SOURCES = \
 	eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
 
-libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
+libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index b3f989e38..9b53c539f 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,54 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_gtc_la_LIBADD =
 am_libstrongswan_eap_gtc_la_OBJECTS = eap_gtc_plugin.lo eap_gtc.lo
 libstrongswan_eap_gtc_la_OBJECTS =  \
 	$(am_libstrongswan_eap_gtc_la_OBJECTS)
-libstrongswan_eap_gtc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_gtc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_gtc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_gtc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_gtc_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_gtc_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_gtc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,16 +344,20 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-gtc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-gtc.la
 libstrongswan_eap_gtc_la_SOURCES = \
 	eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
 
-libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version -lpam
+libstrongswan_eap_gtc_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -337,7 +403,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -345,6 +410,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -366,8 +433,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) 
-	$(libstrongswan_eap_gtc_la_LINK) $(am_libstrongswan_eap_gtc_la_rpath) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
+libstrongswan-eap-gtc.la: $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_gtc_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_gtc_la_LINK) $(am_libstrongswan_eap_gtc_la_rpath) $(libstrongswan_eap_gtc_la_OBJECTS) $(libstrongswan_eap_gtc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -379,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_gtc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +571,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index c3ab07de0..f090e94a8 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2007-2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -17,12 +18,8 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <crypto/hashers/hasher.h>
-
-#include <security/pam_appl.h>
 
 #define GTC_REQUEST_MSG "password"
-#define GTC_PAM_SERVICE "login"
 
 typedef struct private_eap_gtc_t private_eap_gtc_t;
 
@@ -77,63 +74,6 @@ METHOD(eap_method_t, initiate_peer, status_t,
 	return FAILED;
 }
 
-/**
- * PAM conv callback function
- */
-static int auth_conv(int num_msg, const struct pam_message **msg,
-					 struct pam_response **resp, char *password)
-{
-	struct pam_response *response;
-
-	if (num_msg != 1)
-	{
-		return PAM_CONV_ERR;
-	}
-	response = malloc(sizeof(struct pam_response));
-	response->resp = strdup(password);
-	response->resp_retcode = 0;
-	*resp = response;
-	return PAM_SUCCESS;
-}
-
-/**
- * Authenticate a username/password using PAM
- */
-static bool authenticate(char *service, char *user, char *password)
-{
-	pam_handle_t *pamh = NULL;
-	static struct pam_conv conv;
-	int ret;
-
-	conv.conv = (void*)auth_conv;
-	conv.appdata_ptr = password;
-
-	ret = pam_start(service, user, &conv, &pamh);
-	if (ret != PAM_SUCCESS)
-	{
-		DBG1(DBG_IKE, "EAP-GTC pam_start failed: %s",
-			 pam_strerror(pamh, ret));
-		return FALSE;
-	}
-	ret = pam_authenticate(pamh, 0);
-	if (ret == PAM_SUCCESS)
-	{
-		ret = pam_acct_mgmt(pamh, 0);
-		if (ret != PAM_SUCCESS)
-		{
-			DBG1(DBG_IKE, "EAP-GTC pam_acct_mgmt failed: %s",
-				 pam_strerror(pamh, ret));
-		}
-	}
-	else
-	{
-		DBG1(DBG_IKE, "EAP-GTC pam_authenticate failed: %s",
-			 pam_strerror(pamh, ret));
-	}
-	pam_end(pamh, ret);
-	return ret == PAM_SUCCESS;
-}
-
 METHOD(eap_method_t, initiate_server, status_t,
 	private_eap_gtc_t *this, eap_payload_t **out)
 {
@@ -192,39 +132,57 @@ METHOD(eap_method_t, process_peer, status_t,
 METHOD(eap_method_t, process_server, status_t,
 	private_eap_gtc_t *this, eap_payload_t *in, eap_payload_t **out)
 {
-	chunk_t data, encoding;
-	char *user, *password, *service, *pos;
-
-	data = chunk_skip(in->get_data(in), 5);
-	if (this->identifier != in->get_identifier(in) || !data.len)
+	status_t status = FAILED;
+	chunk_t user, pass;
+	xauth_method_t *xauth;
+	cp_payload_t *ci, *co;
+	char *backend;
+
+	user = this->peer->get_encoding(this->peer);
+	pass = chunk_skip(in->get_data(in), 5);
+	if (this->identifier != in->get_identifier(in) || !pass.len)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-GTC message");
 		return FAILED;
 	}
 
-	encoding = this->peer->get_encoding(this->peer);
-	/* if a RFC822_ADDR id is provided, we use the username part only */
-	pos = memchr(encoding.ptr, '@', encoding.len);
-	if (pos)
+	/* get XAuth backend to use for credential verification. Default to PAM
+	 * to support legacy EAP-GTC configurations */
+	backend = lib->settings->get_str(lib->settings,
+							"%s.plugins.eap-gtc.backend", "pam", charon->name);
+	xauth = charon->xauth->create_instance(charon->xauth, backend, XAUTH_SERVER,
+										   this->server, this->peer);
+	if (!xauth)
 	{
-		encoding.len = (u_char*)pos - encoding.ptr;
+		DBG1(DBG_IKE, "creating EAP-GTC XAuth backend '%s' failed", backend);
+		return FAILED;
 	}
-	user = alloca(encoding.len + 1);
-	memcpy(user, encoding.ptr, encoding.len);
-	user[encoding.len] = '\0';
-
-	password = alloca(data.len + 1);
-	memcpy(password, data.ptr, data.len);
-	password[data.len] = '\0';
-
-	service = lib->settings->get_str(lib->settings,
-						"charon.plugins.eap-gtc.pam_service", GTC_PAM_SERVICE);
-
-	if (!authenticate(service, user, password))
+	if (xauth->initiate(xauth, &co) == NEED_MORE)
 	{
-		return FAILED;
+		/* assume that "out" contains username/password attributes */
+		co->destroy(co);
+		ci = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+		ci->add_attribute(ci, configuration_attribute_create_chunk(
+					CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user));
+		ci->add_attribute(ci, configuration_attribute_create_chunk(
+					CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, pass));
+		switch (xauth->process(xauth, ci, &co))
+		{
+			case SUCCESS:
+				status = SUCCESS;
+				break;
+			case NEED_MORE:
+				/* TODO: multiple exchanges currently not supported */
+				co->destroy(co);
+				break;
+			case FAILED:
+			default:
+				break;
+		}
+		ci->destroy(ci);
 	}
-	return SUCCESS;
+	xauth->destroy(xauth);
+	return status;
 }
 
 METHOD(eap_method_t, get_type, eap_type_t,
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.h b/src/libcharon/plugins/eap_gtc/eap_gtc.h
index 2eb8482f8..4dac53cfb 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.h
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_gtc_t eap_gtc_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-GTC.
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
index bd70b757a..d579eaa5a 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -19,9 +19,6 @@
 
 #include <daemon.h>
 
-/* missing in cababilities.h */
-#define CAP_AUDIT_WRITE 29
-
 METHOD(plugin_t, get_name, char*,
 	eap_gtc_plugin_t *this)
 {
@@ -62,14 +59,6 @@ plugin_t *eap_gtc_plugin_create()
 		},
 	);
 
-	/* required for PAM authentication */
-	charon->keep_cap(charon, CAP_AUDIT_WRITE);
-
-	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER,
-							(eap_constructor_t)eap_gtc_create_server);
-	charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER,
-							(eap_constructor_t)eap_gtc_create_peer);
-
 	return &this->plugin;
 }
 
diff --git a/src/libcharon/plugins/eap_identity/Makefile.am b/src/libcharon/plugins/eap_identity/Makefile.am
index 2a7c764b0..1c155866d 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.am
+++ b/src/libcharon/plugins/eap_identity/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS =  \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-identity.la
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index b348b5fb5..426f6d5e5 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_identity_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_eap_identity_la_OBJECTS = eap_identity_plugin.lo \
 	eap_identity.lo
 libstrongswan_eap_identity_la_OBJECTS =  \
 	$(am_libstrongswan_eap_identity_la_OBJECTS)
-libstrongswan_eap_identity_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_identity_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_identity_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_identity_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_identity_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_identity_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-identity.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-identity.la
 libstrongswan_eap_identity_la_SOURCES = \
@@ -339,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) 
-	$(libstrongswan_eap_identity_la_LINK) $(am_libstrongswan_eap_identity_la_rpath) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
+libstrongswan-eap-identity.la: $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_identity_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_identity_la_LINK) $(am_libstrongswan_eap_identity_la_rpath) $(libstrongswan_eap_identity_la_OBJECTS) $(libstrongswan_eap_identity_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -381,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_identity_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -506,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.h b/src/libcharon/plugins/eap_identity/eap_identity.h
index 9a7f28574..4e7f6fd9d 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity.h
+++ b/src/libcharon/plugins/eap_identity/eap_identity.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_identity_t eap_identity_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP Identity.
diff --git a/src/libcharon/plugins/eap_md5/Makefile.am b/src/libcharon/plugins/eap_md5/Makefile.am
index e9936c925..583598342 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.am
+++ b/src/libcharon/plugins/eap_md5/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-md5.la
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 209753b2d..7e0e01b3e 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,54 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_md5_la_LIBADD =
 am_libstrongswan_eap_md5_la_OBJECTS = eap_md5_plugin.lo eap_md5.lo
 libstrongswan_eap_md5_la_OBJECTS =  \
 	$(am_libstrongswan_eap_md5_la_OBJECTS)
-libstrongswan_eap_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_md5_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_md5_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_md5_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_md5_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_md5_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_md5_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,10 +344,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-md5.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-md5.la
 libstrongswan_eap_md5_la_SOURCES = \
@@ -337,7 +403,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -345,6 +410,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -366,8 +433,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) 
-	$(libstrongswan_eap_md5_la_LINK) $(am_libstrongswan_eap_md5_la_rpath) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
+libstrongswan-eap-md5.la: $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_md5_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_md5_la_LINK) $(am_libstrongswan_eap_md5_la_rpath) $(libstrongswan_eap_md5_la_OBJECTS) $(libstrongswan_eap_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -379,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_md5_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +571,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
index b0a234527..b2640d104 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -100,7 +100,11 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
 		DBG1(DBG_IKE, "EAP-MD5 failed, MD5 not supported");
 		return FAILED;
 	}
-	hasher->allocate_hash(hasher, concat, response);
+	if (!hasher->allocate_hash(hasher, concat, response))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
 	hasher->destroy(hasher);
 	return SUCCESS;
 }
@@ -119,11 +123,11 @@ METHOD(eap_method_t, initiate_server, status_t,
 	eap_md5_header_t *req;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge))
 	{
+		DESTROY_IF(rng);
 		return FAILED;
 	}
-	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
 	rng->destroy(rng);
 
 	req = alloca(PAYLOAD_LEN);
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.h b/src/libcharon/plugins/eap_md5/eap_md5.h
index c6687149a..5396535e1 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.h
+++ b/src/libcharon/plugins/eap_md5/eap_md5.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_md5_t eap_md5_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-MD5 (CHAP).
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.am b/src/libcharon/plugins/eap_mschapv2/Makefile.am
index b9555b3c1..030682d3e 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.am
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 6d3d7f8db..8f42f3a14 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_eap_mschapv2_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_eap_mschapv2_la_OBJECTS = eap_mschapv2_plugin.lo \
 	eap_mschapv2.lo
 libstrongswan_eap_mschapv2_la_OBJECTS =  \
 	$(am_libstrongswan_eap_mschapv2_la_OBJECTS)
-libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_mschapv2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_mschapv2_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_mschapv2_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_mschapv2_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_mschapv2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-mschapv2.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-mschapv2.la
 libstrongswan_eap_mschapv2_la_SOURCES = \
@@ -340,7 +405,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +412,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -369,8 +435,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
-	$(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
+libstrongswan-eap-mschapv2.la: $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_mschapv2_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_mschapv2_la_LINK) $(am_libstrongswan_eap_mschapv2_la_rpath) $(libstrongswan_eap_mschapv2_la_OBJECTS) $(libstrongswan_eap_mschapv2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_mschapv2_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +573,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 9dfc69205..49e3dd142 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -21,7 +21,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/hashers/hasher.h>
 
@@ -281,7 +281,11 @@ static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
 		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no MD4 hasher available");
 		return FAILED;
 	}
-	hasher->allocate_hash(hasher, password, password_hash);
+	if (!hasher->allocate_hash(hasher, password, password_hash))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
 	hasher->destroy(hasher);
 	return SUCCESS;
 }
@@ -302,7 +306,11 @@ static status_t ChallengeHash(chunk_t peer_challenge, chunk_t server_challenge,
 		return FAILED;
 	}
 	concat = chunk_cata("ccc", peer_challenge, server_challenge, username);
-	hasher->allocate_hash(hasher, concat, challenge_hash);
+	if (!hasher->allocate_hash(hasher, concat, challenge_hash))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
 	hasher->destroy(hasher);
 	/* we need only the first 8 octets */
 	challenge_hash->len = 8;
@@ -337,9 +345,15 @@ static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash,
 	for (i = 0; i < 3; i++)
 	{
 		chunk_t expanded, encrypted;
+
 		expanded = ExpandDESKey(keys[i]);
-		crypter->set_key(crypter, expanded);
-		crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted);
+		if (!crypter->set_key(crypter, expanded) ||
+			!crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted))
+		{
+			chunk_clear(&expanded);
+			crypter->destroy(crypter);
+			return FAILED;
+		}
 		memcpy(&response->ptr[i * 8], encrypted.ptr, encrypted.len);
 		chunk_clear(&encrypted);
 		chunk_clear(&expanded);
@@ -376,10 +390,17 @@ static status_t AuthenticatorResponse(chunk_t password_hash_hash,
 	}
 
 	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
-	hasher->allocate_hash(hasher, concat, &digest);
+	if (!hasher->allocate_hash(hasher, concat, &digest))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
 	concat = chunk_cata("ccc", digest, challenge_hash, magic2);
-	hasher->allocate_hash(hasher, concat, response);
-
+	if (!hasher->allocate_hash(hasher, concat, response))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
 	hasher->destroy(hasher);
 	chunk_free(&digest);
 	return SUCCESS;
@@ -428,7 +449,9 @@ static status_t GenerateMSK(chunk_t password_hash_hash,
 	chunk_t keypad = chunk_from_chars(
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
-	chunk_t concat, master_key, master_receive_key, master_send_key;
+	char master_key[HASH_SIZE_SHA1];
+	char master_receive_key[HASH_SIZE_SHA1], master_send_key[HASH_SIZE_SHA1];
+	chunk_t concat, master;
 	hasher_t *hasher;
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
@@ -439,23 +462,29 @@ static status_t GenerateMSK(chunk_t password_hash_hash,
 	}
 
 	concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
-	hasher->allocate_hash(hasher, concat, &master_key);
-	master_key.len = 16;
-
-	concat = chunk_cata("cccc", master_key, shapad1, magic2, shapad2);
-	hasher->allocate_hash(hasher, concat, &master_receive_key);
-	master_receive_key.len = 16;
-
-	concat = chunk_cata("cccc", master_key, shapad1, magic3, shapad2);
-	hasher->allocate_hash(hasher, concat, &master_send_key);
-	master_send_key.len = 16;
+	if (!hasher->get_hash(hasher, concat, master_key))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
+	master = chunk_create(master_key, 16);
+	concat = chunk_cata("cccc", master, shapad1, magic2, shapad2);
+	if (!hasher->get_hash(hasher, concat, master_receive_key))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
+	concat = chunk_cata("cccc", master, shapad1, magic3, shapad2);
+	if (!hasher->get_hash(hasher, concat, master_send_key))
+	{
+		hasher->destroy(hasher);
+		return FAILED;
+	}
 
-	*msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad);
+	*msk = chunk_cat("cccc", chunk_create(master_receive_key, 16),
+					 chunk_create(master_send_key, 16), keypad, keypad);
 
 	hasher->destroy(hasher);
-	chunk_free(&master_key);
-	chunk_free(&master_receive_key);
-	chunk_free(&master_send_key);
 	return SUCCESS;
 }
 
@@ -533,13 +562,12 @@ static char* sanitize(char *str)
 
 /**
  * Returns a chunk of just the username part of the given user identity.
- * Note: the chunk points to internal data of the identification.
+ * Note: the chunk points to internal data of the given chunk
  */
-static chunk_t extract_username(identification_t* identification)
+static chunk_t extract_username(chunk_t id)
 {
 	char *has_domain;
-	chunk_t id;
-	id = identification->get_encoding(identification);
+
 	has_domain = (char*)memchr(id.ptr, '\\', id.len);
 	if (has_domain)
 	{
@@ -577,12 +605,12 @@ METHOD(eap_method_t, initiate_server, status_t,
 	u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge))
 	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no challenge");
+		DESTROY_IF(rng);
 		return FAILED;
 	}
-	rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
 	rng->destroy(rng);
 
 	eap = alloca(len);
@@ -645,7 +673,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	eap_mschapv2_header_t *eap;
 	eap_mschapv2_challenge_t *cha;
 	eap_mschapv2_response_t *res;
-	chunk_t data, peer_challenge, username, nt_hash;
+	chunk_t data, peer_challenge, userid, username, nt_hash;
 	u_int16_t len = RESPONSE_PAYLOAD_LEN;
 
 	data = in->get_data(in);
@@ -670,14 +698,14 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	this->mschapv2id = eap->ms_chapv2_id;
 	this->challenge = chunk_clone(chunk_create(cha->challenge, CHALLENGE_LEN));
 
+	peer_challenge = chunk_alloca(CHALLENGE_LEN);
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr))
 	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, allocating challenge failed");
+		DESTROY_IF(rng);
 		return FAILED;
 	}
-	peer_challenge = chunk_alloca(CHALLENGE_LEN);
-	rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr);
 	rng->destroy(rng);
 
 	if (!get_nt_hash(this, this->peer, this->server, &nt_hash))
@@ -687,8 +715,11 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 		return NOT_FOUND;
 	}
 
-	username = extract_username(this->peer);
-	len += username.len;
+	/* we transmit the whole user identity (including the domain part) but
+	 * only use the user part when calculating the challenge hash */
+	userid = this->peer->get_encoding(this->peer);
+	len += userid.len;
+	username = extract_username(userid);
 
 	if (GenerateStuff(this, this->challenge, peer_challenge,
 					  username, nt_hash) != SUCCESS)
@@ -713,9 +744,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	memset(&res->response, 0, RESPONSE_LEN);
 	memcpy(res->response.peer_challenge, peer_challenge.ptr, peer_challenge.len);
 	memcpy(res->response.nt_response, this->nt_response.ptr, this->nt_response.len);
-
-	username = this->peer->get_encoding(this->peer);
-	memcpy(res->name, username.ptr, username.len);
+	memcpy(res->name, userid.ptr, userid.len);
 
 	*out = eap_payload_create_data(chunk_create((void*) eap, len));
 	return NEED_MORE;
@@ -753,7 +782,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 	enumerator = enumerator_create_token(message, " ", " ");
 	while (enumerator->enumerate(enumerator, &token))
 	{
-		if (strneq(token, "S=", 2))
+		if (strpfx(token, "S="))
 		{
 			chunk_t hex;
 			token += 2;
@@ -766,7 +795,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 			hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
 			auth_string = chunk_from_hex(hex, NULL);
 		}
-		else if (strneq(token, "M=", 2))
+		else if (strpfx(token, "M="))
 		{
 			token += 2;
 			msg = strdup(token);
@@ -835,16 +864,16 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	enumerator = enumerator_create_token(message, " ", " ");
 	while (enumerator->enumerate(enumerator, &token))
 	{
-		if (strneq(token, "E=", 2))
+		if (strpfx(token, "E="))
 		{
 			token += 2;
 			error = atoi(token);
 		}
-		else if (strneq(token, "R=", 2))
+		else if (strpfx(token, "R="))
 		{
 			/* ignore retriable */
 		}
-		else if (strneq(token, "C=", 2))
+		else if (strpfx(token, "C="))
 		{
 			chunk_t hex;
 			token += 2;
@@ -857,11 +886,11 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 			hex = chunk_create(token, 2 * CHALLENGE_LEN);
 			challenge = chunk_from_hex(hex, NULL);
 		}
-		else if (strneq(token, "V=", 2))
+		else if (strpfx(token, "V="))
 		{
 			/* ignore version */
 		}
-		else if (strneq(token, "M=", 2))
+		else if (strpfx(token, "M="))
 		{
 			token += 2;
 			msg = strdup(token);
@@ -964,12 +993,12 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
 	DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed, retry (%d)", this->retries);
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr))
 	{
-		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, no RNG");
+		DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, allocating challenge failed");
+		DESTROY_IF(rng);
 		return FAILED;
 	}
-	rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr);
 	rng->destroy(rng);
 
 	chunk_free(&this->nt_response);
@@ -1026,7 +1055,8 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
 	snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
 	userid = identification_create_from_string(buf);
 	DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
-	username = extract_username(userid);
+	/* userid can only be destroyed after the last use of username */
+	username = extract_username(userid->get_encoding(userid));
 
 	if (!get_nt_hash(this, this->server, userid, &nt_hash))
 	{
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h
index 34cc1141e..0e7abc397 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_mschapv2_t eap_mschapv2_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-MS-CHAPv2.
diff --git a/src/libcharon/plugins/eap_peap/Makefile.am b/src/libcharon/plugins/eap_peap/Makefile.am
index 81f2575c7..19410a408 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.am
+++ b/src/libcharon/plugins/eap_peap/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-peap.la
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 4f860e175..86c96925c 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_peap_la_DEPENDENCIES =  \
@@ -80,49 +104,77 @@ am_libstrongswan_eap_peap_la_OBJECTS = eap_peap_plugin.lo eap_peap.lo \
 	eap_peap_peer.lo eap_peap_server.lo eap_peap_avp.lo
 libstrongswan_eap_peap_la_OBJECTS =  \
 	$(am_libstrongswan_eap_peap_la_OBJECTS)
-libstrongswan_eap_peap_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_peap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_peap_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_peap_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_peap_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_peap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -131,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -150,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -189,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -197,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -207,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -228,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -248,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -285,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-peap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-peap.la
 @MONOLITHIC_FALSE@libstrongswan_eap_peap_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
@@ -345,7 +411,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -353,6 +418,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -374,8 +441,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES) 
-	$(libstrongswan_eap_peap_la_LINK) $(am_libstrongswan_eap_peap_la_rpath) $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_LIBADD) $(LIBS)
+libstrongswan-eap-peap.la: $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_peap_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_peap_la_LINK) $(am_libstrongswan_eap_peap_la_rpath) $(libstrongswan_eap_peap_la_OBJECTS) $(libstrongswan_eap_peap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -390,25 +457,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_peap_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -515,10 +582,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_peap/eap_peap.c b/src/libcharon/plugins/eap_peap/eap_peap.c
index bd426bba7..8aba703c5 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap.c
@@ -156,16 +156,19 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
 	tls_t *tls;
 
 	if (is_server && !lib->settings->get_bool(lib->settings,
-							"charon.plugins.eap-peap.request_peer_auth", FALSE))
+								"%s.plugins.eap-peap.request_peer_auth", FALSE,
+								charon->name))
 	{
 		peer = NULL;
 	}
 	frag_size = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-peap.fragment_size", MAX_FRAGMENT_LEN);
+					"%s.plugins.eap-peap.fragment_size", MAX_FRAGMENT_LEN,
+					charon->name);
 	max_msg_count = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-peap.max_message_count", MAX_MESSAGE_COUNT);
+					"%s.plugins.eap-peap.max_message_count", MAX_MESSAGE_COUNT,
+					charon->name);
 	include_length = lib->settings->get_bool(lib->settings,
-					"charon.plugins.eap-peap.include_length", FALSE);
+					"%s.plugins.eap-peap.include_length", FALSE, charon->name);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP,
 					 application, NULL);
 	this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
@@ -180,7 +183,7 @@ static eap_peap_t *eap_peap_create(private_eap_peap_t * this,
 }
 
 eap_peap_t *eap_peap_create_server(identification_t *server,
-						  		   identification_t *peer)
+								   identification_t *peer)
 {
 	private_eap_peap_t *eap_peap;
 	eap_method_t *eap_method;
diff --git a/src/libcharon/plugins/eap_peap/eap_peap.h b/src/libcharon/plugins/eap_peap/eap_peap.h
index f47bad561..2756ad3e6 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap.h
+++ b/src/libcharon/plugins/eap_peap/eap_peap.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_peap_t eap_peap_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Implementation of eap_method_t using EAP-PEAP.
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_avp.c b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
index 10f6ec11c..f7f634a53 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_avp.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_avp.c
@@ -16,7 +16,7 @@
 #include "eap_peap_avp.h"
 
 #include <eap/eap.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Microsoft Success and Failure Result AVPs
@@ -78,7 +78,7 @@ METHOD(eap_peap_avp_t, build, void,
 	}
 	*/
 	else
-	{	
+	{
 		avp_data = chunk_skip(data, 4);
 	}
 	writer->write_data(writer, avp_data);
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
index 72e201fb6..f482c5b54 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -16,7 +16,7 @@
 #include "eap_peap_peer.h"
 #include "eap_peap_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
 typedef struct private_eap_peap_peer_t private_eap_peap_peer_t;
@@ -85,7 +85,7 @@ METHOD(tls_application_t, process, status_t,
 		default:
 			return FAILED;
 	}
- 		
+
 	in = eap_payload_create_data(data);
 	DBG3(DBG_IKE, "%B", &data);
 	chunk_free(&data);
@@ -151,7 +151,8 @@ METHOD(tls_application_t, process, status_t,
 		if (!this->ph2_method)
 		{
 			DBG1(DBG_IKE, "EAP method not supported");
-			this->out = eap_payload_create_nak(in->get_identifier(in));
+			this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
+											   in->is_expanded(in));
 			in->destroy(in);
 			return NEED_MORE;
 		}
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.h b/src/libcharon/plugins/eap_peap/eap_peap_peer.h
index a87544209..196d4e2c4 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.h
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.h
@@ -26,7 +26,7 @@ typedef struct eap_peap_peer_t eap_peap_peer_t;
 #include "tls_application.h"
 
 #include <library.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * TLS application data handler as peer.
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_plugin.h b/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
index 75bb504e1..0c3c571ef 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
+++ b/src/libcharon/plugins/eap_peap/eap_peap_plugin.h
@@ -39,9 +39,4 @@ struct eap_peap_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a eap_peap_plugin instance.
- */
-plugin_t *eap_peap_plugin_create();
-
 #endif /** EAP_PEAP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index 4acdd9f07..5237cb62c 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -16,7 +16,7 @@
 #include "eap_peap_server.h"
 #include "eap_peap_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
 typedef struct private_eap_peap_server_t private_eap_peap_server_t;
@@ -91,7 +91,8 @@ static status_t start_phase2_auth(private_eap_peap_server_t *this)
 	eap_type_t type;
 
 	eap_type_str = lib->settings->get_str(lib->settings,
-					 	"charon.plugins.eap-peap.phase2_method", "mschapv2");
+							"%s.plugins.eap-peap.phase2_method", "mschapv2",
+							charon->name);
 	type = eap_type_from_string(eap_type_str);
 	if (type == 0)
 	{
@@ -128,7 +129,7 @@ static status_t start_phase2_auth(private_eap_peap_server_t *this)
 static status_t start_phase2_tnc(private_eap_peap_server_t *this)
 {
 	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
-					 	"charon.plugins.eap-peap.phase2_tnc", FALSE))
+						"%s.plugins.eap-peap.phase2_tnc", FALSE, charon->name))
 	{
 		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
 		this->ph2_method = charon->eap->create_instance(charon->eap, EAP_TNC,
@@ -197,7 +198,7 @@ METHOD(tls_application_t, process, status_t,
 	{
 		received_type = in->get_type(in, &received_vendor);
 		DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N/%N]",
-						   		eap_code_short_names, code,
+								eap_code_short_names, code,
 								eap_type_short_names, received_type);
 		if (code != EAP_RESPONSE)
 		{
@@ -209,7 +210,7 @@ METHOD(tls_application_t, process, status_t,
 	else
 	{
 		DBG1(DBG_IKE, "received tunneled EAP-PEAP AVP [EAP/%N]",
-						   		eap_code_short_names, code);
+								eap_code_short_names, code);
 
 		/* if EAP_SUCCESS check if to continue phase2 with EAP-TNC */
 		return (this->phase2_result == EAP_SUCCESS && code == EAP_SUCCESS) ?
@@ -273,7 +274,7 @@ METHOD(tls_application_t, process, status_t,
 
 		/* Start Phase 2 of EAP-PEAP authentication */
 		if (lib->settings->get_bool(lib->settings,
-					 	"charon.plugins.eap-peap.request_peer_auth", FALSE))
+				"%s.plugins.eap-peap.request_peer_auth", FALSE, charon->name))
 		{
 			return start_phase2_tnc(this);
 		}
@@ -302,10 +303,10 @@ METHOD(tls_application_t, process, status_t,
 			this->ph2_method->destroy(this->ph2_method);
 			this->ph2_method = NULL;
 
-			/* EAP-PEAP requires the sending of an inner EAP_SUCCESS message */	
-			this->phase2_result = EAP_SUCCESS;		
+			/* EAP-PEAP requires the sending of an inner EAP_SUCCESS message */
+			this->phase2_result = EAP_SUCCESS;
 			this->out = eap_payload_create_code(this->phase2_result, 1 +
-				 			this->ph1_method->get_identifier(this->ph1_method));
+							this->ph1_method->get_identifier(this->ph1_method));
 			return NEED_MORE;
 		case NEED_MORE:
 			break;
@@ -321,9 +322,9 @@ METHOD(tls_application_t, process, status_t,
 				DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
 			}
 			/* EAP-PEAP requires the sending of an inner EAP_FAILURE message */
-			this->phase2_result = EAP_FAILURE;			
+			this->phase2_result = EAP_FAILURE;
 			this->out = eap_payload_create_code(this->phase2_result, 1 +
-				 			this->ph1_method->get_identifier(this->ph1_method));
+							this->ph1_method->get_identifier(this->ph1_method));
 			return NEED_MORE;
 	}
 	return status;
@@ -360,7 +361,7 @@ METHOD(tls_application_t, build, status_t,
 		this->ph2_method->initiate(this->ph2_method, &this->out);
 		this->start_phase2 = FALSE;
 	}
-	
+
 	this->start_phase2_id = TRUE;
 
 	if (this->out)
@@ -423,7 +424,8 @@ eap_peap_server_t *eap_peap_server_create(identification_t *server,
 		.start_phase2 = TRUE,
 		.start_phase2_tnc = TRUE,
 		.start_phase2_id = lib->settings->get_bool(lib->settings,
-			 				"charon.plugins.eap-peap.phase2_piggyback", FALSE),
+										"%s.plugins.eap-peap.phase2_piggyback",
+										FALSE, charon->name),
 		.phase2_result = EAP_FAILURE,
 		.avp = eap_peap_avp_create(TRUE),
 	);
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.h b/src/libcharon/plugins/eap_peap/eap_peap_server.h
index 93141d62b..4585a622a 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.h
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.h
@@ -26,7 +26,7 @@ typedef struct eap_peap_server_t eap_peap_server_t;
 #include "tls_application.h"
 
 #include <library.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * TLS application data handler as server.
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index 181497ab5..6fdb0d099 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-radius.la
@@ -14,7 +17,9 @@ endif
 libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
+	eap_radius_xauth.h eap_radius_xauth.c \
 	eap_radius_accounting.h eap_radius_accounting.c \
+	eap_radius_provider.h eap_radius_provider.c \
 	eap_radius_dae.h eap_radius_dae.c \
 	eap_radius_forward.h eap_radius_forward.c
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 0bef44042..24818d4fb 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,58 +90,92 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_DEPENDENCIES =  \
 @MONOLITHIC_FALSE@	$(top_builddir)/src/libradius/libradius.la
 am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \
-	eap_radius.lo eap_radius_accounting.lo eap_radius_dae.lo \
-	eap_radius_forward.lo
+	eap_radius.lo eap_radius_xauth.lo eap_radius_accounting.lo \
+	eap_radius_provider.lo eap_radius_dae.lo eap_radius_forward.lo
 libstrongswan_eap_radius_la_OBJECTS =  \
 	$(am_libstrongswan_eap_radius_la_OBJECTS)
-libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_radius_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_radius_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_radius_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_radius_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,17 +347,24 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-radius.la
 @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_LIBADD = $(top_builddir)/src/libradius/libradius.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-radius.la
 libstrongswan_eap_radius_la_SOURCES = \
 	eap_radius_plugin.h eap_radius_plugin.c \
 	eap_radius.h eap_radius.c \
+	eap_radius_xauth.h eap_radius_xauth.c \
 	eap_radius_accounting.h eap_radius_accounting.c \
+	eap_radius_provider.h eap_radius_provider.c \
 	eap_radius_dae.h eap_radius_dae.c \
 	eap_radius_forward.h eap_radius_forward.c
 
@@ -346,7 +414,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -354,6 +421,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -375,8 +444,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) 
-	$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
+libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_radius_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -389,27 +458,29 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_dae.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_forward.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_provider.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_xauth.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -516,10 +587,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index c0a3703b6..b06b6c392 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -16,6 +16,8 @@
 #include "eap_radius.h"
 #include "eap_radius_plugin.h"
 #include "eap_radius_forward.h"
+#include "eap_radius_provider.h"
+#include "eap_radius_accounting.h"
 
 #include <radius_message.h>
 #include <radius_client.h>
@@ -73,16 +75,6 @@ struct private_eap_radius_t {
 	 * Prefix to prepend to EAP identity
 	 */
 	char *id_prefix;
-
-	/**
-	 * Handle the Class attribute as group membership information?
-	 */
-	bool class_group;
-
-	/**
-	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
-	 */
-	bool filter_id;
 };
 
 /**
@@ -155,17 +147,86 @@ static bool radius2ike(private_eap_radius_t *this,
 	return FALSE;
 }
 
+/**
+ * See header.
+ */
+void eap_radius_build_attributes(radius_message_t *request)
+{
+	ike_sa_t *ike_sa;
+	host_t *host;
+	char buf[40], *station_id_fmt;;
+	u_int32_t value;
+	chunk_t chunk;
+
+	/* virtual NAS-Port-Type */
+	value = htonl(5);
+	request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
+	/* framed ServiceType */
+	value = htonl(2);
+	request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value));
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
+	{
+		value = htonl(ike_sa->get_unique_id(ike_sa));
+		request->add(request, RAT_NAS_PORT, chunk_from_thing(value));
+		request->add(request, RAT_NAS_PORT_ID,
+					 chunk_from_str(ike_sa->get_name(ike_sa)));
+
+		host = ike_sa->get_my_host(ike_sa);
+		chunk = host->get_address(host);
+		switch (host->get_family(host))
+		{
+			case AF_INET:
+				request->add(request, RAT_NAS_IP_ADDRESS, chunk);
+				break;
+			case AF_INET6:
+				request->add(request, RAT_NAS_IPV6_ADDRESS, chunk);
+			default:
+				break;
+		}
+		if (lib->settings->get_bool(lib->settings,
+									"%s.plugins.eap-radius.station_id_with_port",
+									TRUE, charon->name))
+		{
+			station_id_fmt = "%#H";
+		}
+		else
+		{
+			station_id_fmt = "%H";
+		}
+		snprintf(buf, sizeof(buf), station_id_fmt, host);
+		request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf));
+		host = ike_sa->get_other_host(ike_sa);
+		snprintf(buf, sizeof(buf), station_id_fmt, host);
+		request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf));
+	}
+}
+
+/**
+ * Add a set of RADIUS attributes to a request message
+ */
+static void add_radius_request_attrs(private_eap_radius_t *this,
+									 radius_message_t *request)
+{
+	chunk_t chunk;
+
+	chunk = chunk_from_str(this->id_prefix);
+	chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_USER_NAME, chunk);
+
+	eap_radius_build_attributes(request);
+	eap_radius_forward_from_ike(request);
+}
+
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_radius_t *this, eap_payload_t **out)
 {
 	radius_message_t *request, *response;
 	status_t status = FAILED;
-	chunk_t username;
 
 	request = radius_message_create(RMC_ACCESS_REQUEST);
-	username = chunk_create(this->id_prefix, strlen(this->id_prefix));
-	username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
-	request->add(request, RAT_USER_NAME, username);
+	add_radius_request_attrs(this, request);
 
 	if (this->eap_start)
 	{
@@ -175,21 +236,34 @@ METHOD(eap_method_t, initiate, status_t,
 	{
 		add_eap_identity(this, request);
 	}
-	eap_radius_forward_from_ike(request);
 
 	response = this->client->request(this->client, request);
 	if (response)
 	{
 		eap_radius_forward_to_ike(response);
-		if (radius2ike(this, response, out))
+		switch (response->get_code(response))
 		{
-			status = NEED_MORE;
+			case RMC_ACCESS_CHALLENGE:
+				if (radius2ike(this, response, out))
+				{
+					status = NEED_MORE;
+				}
+				break;
+			case RMC_ACCESS_ACCEPT:
+				/* Microsoft RADIUS servers can run in a mode where they respond
+				 * like this on the first request (i.e. without authentication),
+				 * we treat this as Access-Reject */
+			case RMC_ACCESS_REJECT:
+			default:
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
+				break;
 		}
 		response->destroy(response);
 	}
 	else
 	{
-		charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
+		eap_radius_handle_timeout(NULL);
 	}
 	request->destroy(request);
 	return status;
@@ -198,7 +272,7 @@ METHOD(eap_method_t, initiate, status_t,
 /**
  * Handle the Class attribute as group membership information
  */
-static void process_class(private_eap_radius_t *this, radius_message_t *msg)
+static void process_class(radius_message_t *msg)
 {
 	enumerator_t *enumerator;
 	chunk_t data;
@@ -235,7 +309,7 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg)
 /**
  * Handle the Filter-Id attribute as IPsec CHILD_SA name
  */
-static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
+static void process_filter_id(radius_message_t *msg)
 {
 	enumerator_t *enumerator;
 	int type;
@@ -264,7 +338,7 @@ static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
 			case RAT_FILTER_ID:
 				filter_id = data;
 				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
-							  "'%.*s'", filter_id.len, filter_id.ptr);
+							  "'%.*s'", (int)filter_id.len, filter_id.ptr);
 				break;
 			default:
 				break;
@@ -289,28 +363,107 @@ static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
 }
 
 /**
- * Handle Session-Timeout attribte
+ * Handle Session-Timeout attribte and Interim updates
  */
-static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
+static void process_timeout(radius_message_t *msg)
 {
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
 	chunk_t data;
 	int type;
 
-	enumerator = msg->create_enumerator(msg);
-	while (enumerator->enumerate(enumerator, &type, &data))
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
 	{
-		if (type == RAT_SESSION_TIMEOUT && data.len == 4)
+		enumerator = msg->create_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &type, &data))
 		{
-			ike_sa = charon->bus->get_sa(charon->bus);
-			if (ike_sa)
+			if (type == RAT_SESSION_TIMEOUT && data.len == 4)
 			{
 				ike_sa->set_auth_lifetime(ike_sa, untoh32(data.ptr));
 			}
+			else if (type == RAT_ACCT_INTERIM_INTERVAL && data.len == 4)
+			{
+				eap_radius_accounting_start_interim(ike_sa, untoh32(data.ptr));
+			}
 		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Handle Framed-IP-Address and other IKE configuration attributes
+ */
+static void process_cfg_attributes(radius_message_t *msg)
+{
+	eap_radius_provider_t *provider;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	host_t *host;
+	chunk_t data;
+	int type, vendor;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	provider = eap_radius_provider_get();
+	if (provider && ike_sa)
+	{
+		enumerator = msg->create_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &type, &data))
+		{
+			if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4)
+			{
+				host = host_create_from_chunk(AF_INET, data, 0);
+				if (host)
+				{
+					provider->add_framed_ip(provider,
+									ike_sa->get_unique_id(ike_sa), host);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		enumerator = msg->create_vendor_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &vendor, &type, &data))
+		{
+			if (vendor == PEN_ALTIGA /* aka Cisco VPN3000 */)
+			{
+				switch (type)
+				{
+					case 15: /* CVPN3000-IPSec-Banner1 */
+					case 36: /* CVPN3000-IPSec-Banner2 */
+						if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
+						{
+							provider->add_attribute(provider,
+												ike_sa->get_unique_id(ike_sa),
+												UNITY_BANNER, data);
+						}
+						break;
+					default:
+						break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
+}
+
+/**
+ * See header.
+ */
+void eap_radius_process_attributes(radius_message_t *message)
+{
+	if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.class_group", FALSE, charon->name))
+	{
+		process_class(message);
+	}
+	if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.filter_id", FALSE, charon->name))
+	{
+		process_filter_id(message);
+	}
+	process_timeout(message);
+	process_cfg_attributes(message);
 }
 
 METHOD(eap_method_t, process, status_t,
@@ -321,7 +474,8 @@ METHOD(eap_method_t, process, status_t,
 	chunk_t data;
 
 	request = radius_message_create(RMC_ACCESS_REQUEST);
-	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	add_radius_request_attrs(this, request);
+
 	data = in->get_data(in);
 	DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data);
 
@@ -334,7 +488,6 @@ METHOD(eap_method_t, process, status_t,
 	}
 	request->add(request, RAT_EAP_MESSAGE, data);
 
-	eap_radius_forward_from_ike(request);
 	response = this->client->request(this->client, request);
 	if (response)
 	{
@@ -350,22 +503,15 @@ METHOD(eap_method_t, process, status_t,
 				status = FAILED;
 				break;
 			case RMC_ACCESS_ACCEPT:
-				if (this->class_group)
-				{
-					process_class(this, response);
-				}
-				if (this->filter_id)
-				{
-					process_filter_id(this, response);
-				}
-				process_timeout(this, response);
+				eap_radius_process_attributes(response);
 				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
 					 this->peer);
 				status = SUCCESS;
 				break;
 			case RMC_ACCESS_REJECT:
 			default:
-				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
 				status = FAILED;
 				break;
 		}
@@ -453,14 +599,11 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
 		.type = EAP_RADIUS,
 		.eap_start = lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-radius.eap_start", FALSE),
+									"%s.plugins.eap-radius.eap_start", FALSE,
+									charon->name),
 		.id_prefix = lib->settings->get_str(lib->settings,
-								"charon.plugins.eap-radius.id_prefix", ""),
-		.class_group = lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-radius.class_group", FALSE),
-		.filter_id = lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-radius.filter_id", FALSE),
-
+									"%s.plugins.eap-radius.id_prefix", "",
+									charon->name),
 	);
 	this->client = eap_radius_create_client();
 	if (!this->client)
@@ -472,4 +615,3 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	this->server = server->clone(server);
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h
index e98cb06e3..ce583ac44 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius.h
@@ -23,7 +23,8 @@
 
 typedef struct eap_radius_t eap_radius_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
+#include <radius_message.h>
 
 /**
  * Implementation of the eap_method_t interface using a RADIUS server.
@@ -45,4 +46,25 @@ struct eap_radius_t {
  */
 eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer);
 
+/**
+ * Process additional attributes from an Access-Accept.
+ *
+ * Parses and applies additional authorization attributes from an Accept
+ * message, such as group membership information or IKE configuration
+ * attributes.
+ *
+ * @param message	Access-Accept message to process
+ */
+void eap_radius_process_attributes(radius_message_t *message);
+
+/**
+ * Build additional attributes for an Access-Request.
+ *
+ * Adds additional RADIUS attributes to use with Access-Request, such as
+ * different NAS specific attributes.
+ *
+ * @param message	Access-Request message to add attributes to
+ */
+void eap_radius_build_attributes(radius_message_t *message);
+
 #endif /** EAP_RADIUS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 45be22704..e004589da 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -21,8 +21,9 @@
 #include <radius_message.h>
 #include <radius_client.h>
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
 
 typedef struct private_eap_radius_accounting_t private_eap_radius_accounting_t;
 
@@ -37,7 +38,7 @@ struct private_eap_radius_accounting_t {
 	eap_radius_accounting_t public;
 
 	/**
-	 * Hashtable with sessions, IKE_SA unique id => entry_t
+	 * Hashtable with sessions, ike_sa_id_t => entry_t
 	 */
 	hashtable_t *sessions;
 
@@ -50,23 +51,83 @@ struct private_eap_radius_accounting_t {
 	 * Session ID prefix
 	 */
 	u_int32_t prefix;
+
+	/**
+	 * Format string we use for Called/Calling-Station-Id for a host
+	 */
+	char *station_id_fmt;
+
+	/**
+	 * Disable accounting unless IKE_SA has at least one virtual IP
+	 */
+	bool acct_req_vip;
 };
 
 /**
+ * Singleton instance of accounting
+ */
+static private_eap_radius_accounting_t *singleton = NULL;
+
+/**
+ * Acct-Terminate-Cause
+ */
+typedef enum {
+	ACCT_CAUSE_USER_REQUEST = 1,
+	ACCT_CAUSE_LOST_CARRIER = 2,
+	ACCT_CAUSE_LOST_SERVICE = 3,
+	ACCT_CAUSE_IDLE_TIMEOUT = 4,
+	ACCT_CAUSE_SESSION_TIMEOUT = 5,
+	ACCT_CAUSE_ADMIN_RESET = 6,
+	ACCT_CAUSE_ADMIN_REBOOT = 7,
+	ACCT_CAUSE_PORT_ERROR = 8,
+	ACCT_CAUSE_NAS_ERROR = 9,
+	ACCT_CAUSE_NAS_REQUEST = 10,
+	ACCT_CAUSE_NAS_REBOOT = 11,
+	ACCT_CAUSE_PORT_UNNEEDED = 12,
+	ACCT_CAUSE_PORT_PREEMPTED = 13,
+	ACCT_CAUSE_PORT_SUSPENDED = 14,
+	ACCT_CAUSE_SERVICE_UNAVAILABLE = 15,
+	ACCT_CAUSE_CALLBACK = 16,
+	ACCT_CAUSE_USER_ERROR = 17,
+	ACCT_CAUSE_HOST_REQUEST = 18,
+} radius_acct_terminate_cause_t;
+
+/**
  * Hashtable entry with usage stats
  */
 typedef struct {
+	/** IKE_SA identifier this entry is stored under */
+	ike_sa_id_t *id;
 	/** RADIUS accounting session ID */
 	char sid[16];
-	/** number of octets sent */
-	u_int64_t sent;
-	/** number of octets received */
-	u_int64_t received;
+	/** number of sent/received octets/packets */
+	struct {
+		u_int64_t sent;
+		u_int64_t received;
+	} bytes, packets;
 	/** session creation time */
 	time_t created;
+	/** terminate cause */
+	radius_acct_terminate_cause_t cause;
+	/* interim interval and timestamp of last update */
+	struct {
+		u_int32_t interval;
+		time_t last;
+	} interim;
+	/** did we send Accounting-Start */
+	bool start_sent;
 } entry_t;
 
 /**
+ * Destroy an entry_t
+ */
+static void destroy_entry(entry_t *this)
+{
+	this->id->destroy(this->id);
+	free(this);
+}
+
+/**
  * Accounting message status types
  */
 typedef enum {
@@ -80,17 +141,17 @@ typedef enum {
 /**
  * Hashtable hash function
  */
-static u_int hash(uintptr_t key)
+static u_int hash(ike_sa_id_t *key)
 {
-	return key;
+	return key->get_responder_spi(key);
 }
 
 /**
  * Hashtable equals function
  */
-static bool equals(uintptr_t a, uintptr_t b)
+static bool equals(ike_sa_id_t *a, ike_sa_id_t *b)
 {
-	return a == b;
+	return a->equals(a, b);
 }
 
 /**
@@ -99,19 +160,20 @@ static bool equals(uintptr_t a, uintptr_t b)
 static void update_usage(private_eap_radius_accounting_t *this,
 						 ike_sa_t *ike_sa, child_sa_t *child_sa)
 {
-	u_int64_t sent, received;
+	u_int64_t bytes_in, bytes_out, packets_in, packets_out;
 	entry_t *entry;
 
-	child_sa->get_usestats(child_sa, FALSE, NULL, &sent);
-	child_sa->get_usestats(child_sa, TRUE, NULL, &received);
+	child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, &packets_out);
+	child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, &packets_in);
 
 	this->mutex->lock(this->mutex);
-	entry = this->sessions->get(this->sessions,
-								(void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+	entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
 	if (entry)
 	{
-		entry->sent += sent;
-		entry->received += received;
+		entry->bytes.sent += bytes_out;
+		entry->bytes.received += bytes_in;
+		entry->packets.sent += packets_out;
+		entry->packets.received += packets_in;
 	}
 	this->mutex->unlock(this->mutex);
 }
@@ -135,10 +197,6 @@ static bool send_message(private_eap_radius_accounting_t *this,
 			ack = response->get_code(response) == RMC_ACCOUNTING_RESPONSE;
 			response->destroy(response);
 		}
-		else
-		{
-			charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
-		}
 		client->destroy(client);
 	}
 	return ack;
@@ -147,57 +205,291 @@ static bool send_message(private_eap_radius_accounting_t *this,
 /**
  * Add common IKE_SA parameters to RADIUS account message
  */
-static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa)
+static void add_ike_sa_parameters(private_eap_radius_accounting_t *this,
+								  radius_message_t *message, ike_sa_t *ike_sa)
 {
-	host_t *vip;
+	enumerator_t *enumerator;
+	host_t *vip, *host;
 	char buf[64];
 	chunk_t data;
+	u_int32_t value;
+
+	/* virtual NAS-Port-Type */
+	value = htonl(5);
+	message->add(message, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
+	/* framed ServiceType */
+	value = htonl(2);
+	message->add(message, RAT_SERVICE_TYPE, chunk_from_thing(value));
+
+	value = htonl(ike_sa->get_unique_id(ike_sa));
+	message->add(message, RAT_NAS_PORT, chunk_from_thing(value));
+	message->add(message, RAT_NAS_PORT_ID,
+				 chunk_from_str(ike_sa->get_name(ike_sa)));
+
+	host = ike_sa->get_my_host(ike_sa);
+	data = host->get_address(host);
+	switch (host->get_family(host))
+	{
+		case AF_INET:
+			message->add(message, RAT_NAS_IP_ADDRESS, data);
+			break;
+		case AF_INET6:
+			message->add(message, RAT_NAS_IPV6_ADDRESS, data);
+		default:
+			break;
+	}
+	snprintf(buf, sizeof(buf), this->station_id_fmt, host);
+	message->add(message, RAT_CALLED_STATION_ID, chunk_from_str(buf));
+	host = ike_sa->get_other_host(ike_sa);
+	snprintf(buf, sizeof(buf), this->station_id_fmt, host);
+	message->add(message, RAT_CALLING_STATION_ID, chunk_from_str(buf));
 
 	snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa));
-	message->add(message, RAT_USER_NAME, chunk_create(buf, strlen(buf)));
-	snprintf(buf, sizeof(buf), "%#H", ike_sa->get_other_host(ike_sa));
-	message->add(message, RAT_CALLING_STATION_ID, chunk_create(buf, strlen(buf)));
-	vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
-	if (vip && vip->get_family(vip) == AF_INET)
+	message->add(message, RAT_USER_NAME, chunk_from_str(buf));
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		switch (vip->get_family(vip))
+		{
+			case AF_INET:
+				message->add(message, RAT_FRAMED_IP_ADDRESS,
+							 vip->get_address(vip));
+				break;
+			case AF_INET6:
+				/* we currently assign /128 prefixes, only (reserved, length) */
+				data = chunk_from_chars(0, 128);
+				data = chunk_cata("cc", data, vip->get_address(vip));
+				message->add(message, RAT_FRAMED_IPV6_PREFIX, data);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Get an existing or create a new entry from the locked session table
+ */
+static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this,
+									ike_sa_t *ike_sa)
+{
+	ike_sa_id_t *id;
+	entry_t *entry;
+	time_t now;
+
+	entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
+	if (!entry)
+	{
+		now = time_monotonic(NULL);
+		id = ike_sa->get_id(ike_sa);
+
+		INIT(entry,
+			.id = id->clone(id),
+			.created = now,
+			.interim = {
+				.last = now,
+			},
+			/* default terminate cause, if none other catched */
+			.cause = ACCT_CAUSE_USER_REQUEST,
+		);
+		snprintf(entry->sid, sizeof(entry->sid), "%u-%u",
+				 this->prefix, ike_sa->get_unique_id(ike_sa));
+		this->sessions->put(this->sessions, entry->id, entry);
+	}
+	return entry;
+}
+
+/* forward declaration */
+static void schedule_interim(private_eap_radius_accounting_t *this,
+							 entry_t *entry);
+
+/**
+ * Data passed to send_interim() using callback job
+ */
+typedef struct {
+	/** reference to radius accounting */
+	private_eap_radius_accounting_t *this;
+	/** IKE_SA identifier to send interim update to */
+	ike_sa_id_t *id;
+} interim_data_t;
+
+/**
+ * Clean up interim data
+ */
+void destroy_interim_data(interim_data_t *this)
+{
+	this->id->destroy(this->id);
+	free(this);
+}
+
+/**
+ * Send an interim update for entry of given IKE_SA identifier
+ */
+static job_requeue_t send_interim(interim_data_t *data)
+{
+	private_eap_radius_accounting_t *this = data->this;
+	u_int64_t bytes_in = 0, bytes_out = 0, packets_in = 0, packets_out = 0;
+	u_int64_t bytes, packets;
+	radius_message_t *message = NULL;
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+	u_int32_t value;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, data->id);
+	if (!ike_sa)
+	{
+		return JOB_REQUEUE_NONE;
+	}
+	enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes, &packets);
+		bytes_out += bytes;
+		packets_out += packets;
+		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes, &packets);
+		bytes_in += bytes;
+		packets_in += packets;
+	}
+	enumerator->destroy(enumerator);
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+	/* avoid any races by returning IKE_SA before acquiring lock */
+
+	this->mutex->lock(this->mutex);
+	entry = this->sessions->get(this->sessions, data->id);
+	if (entry)
+	{
+		entry->interim.last = time_monotonic(NULL);
+
+		bytes_in += entry->bytes.received;
+		bytes_out += entry->bytes.sent;
+		packets_in += entry->packets.received;
+		packets_out += entry->packets.sent;
+
+		message = radius_message_create(RMC_ACCOUNTING_REQUEST);
+		value = htonl(ACCT_STATUS_INTERIM_UPDATE);
+		message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
+		message->add(message, RAT_ACCT_SESSION_ID,
+					 chunk_create(entry->sid, strlen(entry->sid)));
+		add_ike_sa_parameters(this, message, ike_sa);
+
+		value = htonl(bytes_out);
+		message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
+		value = htonl(bytes_out >> 32);
+		if (value)
+		{
+			message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS,
+						 chunk_from_thing(value));
+		}
+		value = htonl(packets_out);
+		message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value));
+
+		value = htonl(bytes_in);
+		message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value));
+		value = htonl(bytes_in >> 32);
+		if (value)
+		{
+			message->add(message, RAT_ACCT_INPUT_GIGAWORDS,
+						 chunk_from_thing(value));
+		}
+		value = htonl(packets_in);
+		message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value));
+
+		value = htonl(entry->interim.last - entry->created);
+		message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
+
+		schedule_interim(this, entry);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (message)
 	{
-		message->add(message, RAT_FRAMED_IP_ADDRESS, vip->get_address(vip));
+		if (!send_message(this, message))
+		{
+			eap_radius_handle_timeout(data->id);
+		}
+		message->destroy(message);
 	}
-	if (vip && vip->get_family(vip) == AF_INET6)
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule interim update for given entry
+ */
+static void schedule_interim(private_eap_radius_accounting_t *this,
+							 entry_t *entry)
+{
+	if (entry->interim.interval)
 	{
-		/* we currently assign /128 prefixes, only (reserved, length) */
-		data = chunk_from_chars(0, 128);
-		data = chunk_cata("cc", data, vip->get_address(vip));
-		message->add(message, RAT_FRAMED_IPV6_PREFIX, data);
+		interim_data_t *data;
+		timeval_t tv = {
+			.tv_sec = entry->interim.last + entry->interim.interval,
+		};
+
+		INIT(data,
+			.this = this,
+			.id = entry->id->clone(entry->id),
+		);
+		lib->scheduler->schedule_job_tv(lib->scheduler,
+			(job_t*)callback_job_create_with_prio(
+				(callback_job_cb_t)send_interim,
+				data, (void*)destroy_interim_data,
+				(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
 	}
 }
 
 /**
+ * Check if an IKE_SA has assigned a virtual IP (to peer)
+ */
+static bool has_vip(ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *host;
+	bool found;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	found = enumerator->enumerate(enumerator, &host);
+	enumerator->destroy(enumerator);
+
+	return found;
+}
+
+/**
  * Send an accounting start message
  */
 static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 {
 	radius_message_t *message;
 	entry_t *entry;
-	u_int32_t id, value;
+	u_int32_t value;
 
-	id = ike_sa->get_unique_id(ike_sa);
-	INIT(entry,
-		.created = time_monotonic(NULL),
-	);
-	snprintf(entry->sid, sizeof(entry->sid), "%u-%u", this->prefix, id);
+	if (this->acct_req_vip && !has_vip(ike_sa))
+	{
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	entry = get_or_create_entry(this, ike_sa);
+	entry->start_sent = TRUE;
 
 	message = radius_message_create(RMC_ACCOUNTING_REQUEST);
 	value = htonl(ACCT_STATUS_START);
 	message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
 	message->add(message, RAT_ACCT_SESSION_ID,
 				 chunk_create(entry->sid, strlen(entry->sid)));
-	add_ike_sa_parameters(message, ike_sa);
-	if (send_message(this, message))
+
+	schedule_interim(this, entry);
+	this->mutex->unlock(this->mutex);
+
+	add_ike_sa_parameters(this, message, ike_sa);
+	if (!send_message(this, message))
 	{
-		this->mutex->lock(this->mutex);
-		entry = this->sessions->put(this->sessions, (void*)(uintptr_t)id, entry);
-		this->mutex->unlock(this->mutex);
-		free(entry);
+		eap_radius_handle_timeout(ike_sa->get_id(ike_sa));
 	}
 	message->destroy(message);
 }
@@ -209,45 +501,91 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 {
 	radius_message_t *message;
 	entry_t *entry;
-	u_int32_t id, value;
+	u_int32_t value;
 
-	id = ike_sa->get_unique_id(ike_sa);
 	this->mutex->lock(this->mutex);
-	entry = this->sessions->remove(this->sessions, (void*)(uintptr_t)id);
+	entry = this->sessions->remove(this->sessions, ike_sa->get_id(ike_sa));
 	this->mutex->unlock(this->mutex);
 	if (entry)
 	{
+		if (!entry->start_sent)
+		{	/* we tried to authenticate this peer, but never sent a start */
+			destroy_entry(entry);
+			return;
+		}
 		message = radius_message_create(RMC_ACCOUNTING_REQUEST);
 		value = htonl(ACCT_STATUS_STOP);
 		message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
 		message->add(message, RAT_ACCT_SESSION_ID,
 					 chunk_create(entry->sid, strlen(entry->sid)));
-		add_ike_sa_parameters(message, ike_sa);
-		value = htonl(entry->sent);
+		add_ike_sa_parameters(this, message, ike_sa);
+
+		value = htonl(entry->bytes.sent);
 		message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
-		value = htonl(entry->sent >> 32);
+		value = htonl(entry->bytes.sent >> 32);
 		if (value)
 		{
 			message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS,
 						 chunk_from_thing(value));
 		}
-		value = htonl(entry->received);
+		value = htonl(entry->packets.sent);
+		message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value));
+
+		value = htonl(entry->bytes.received);
 		message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value));
-		value = htonl(entry->received >> 32);
+		value = htonl(entry->bytes.received >> 32);
 		if (value)
 		{
 			message->add(message, RAT_ACCT_INPUT_GIGAWORDS,
 						 chunk_from_thing(value));
 		}
+		value = htonl(entry->packets.received);
+		message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value));
+
 		value = htonl(time_monotonic(NULL) - entry->created);
 		message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
 
-		send_message(this, message);
+
+		value = htonl(entry->cause);
+		message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value));
+
+		if (!send_message(this, message))
+		{
+			eap_radius_handle_timeout(NULL);
+		}
 		message->destroy(message);
-		free(entry);
+		destroy_entry(entry);
 	}
 }
 
+METHOD(listener_t, alert, bool,
+	private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, alert_t alert,
+	va_list args)
+{
+	radius_acct_terminate_cause_t cause;
+	entry_t *entry;
+
+	switch (alert)
+	{
+		case ALERT_IKE_SA_EXPIRED:
+			cause = ACCT_CAUSE_SESSION_TIMEOUT;
+			break;
+		case ALERT_RETRANSMIT_SEND_TIMEOUT:
+			cause = ACCT_CAUSE_LOST_SERVICE;
+			break;
+		default:
+			return TRUE;
+	}
+	this->mutex->lock(this->mutex);
+	entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
+	if (entry)
+	{
+		entry->cause = cause;
+	}
+	this->mutex->unlock(this->mutex);
+	return TRUE;
+}
+
 METHOD(listener_t, ike_updown, bool,
 	private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, bool up)
 {
@@ -271,15 +609,50 @@ METHOD(listener_t, ike_updown, bool,
 
 METHOD(listener_t, message_hook, bool,
 	private_eap_radius_accounting_t *this, ike_sa_t *ike_sa,
-	message_t *message, bool incoming)
+	message_t *message, bool incoming, bool plain)
 {
 	/* start accounting here, virtual IP now is set */
-	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
-		message->get_exchange_type(message) == IKE_AUTH &&
+	if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
 		!incoming && !message->get_request(message))
 	{
-		send_start(this, ike_sa);
+		if (ike_sa->get_version(ike_sa) == IKEV1 &&
+			message->get_exchange_type(message) == TRANSACTION)
+		{
+			send_start(this, ike_sa);
+		}
+		if (ike_sa->get_version(ike_sa) == IKEV2 &&
+			message->get_exchange_type(message) == IKE_AUTH)
+		{
+			send_start(this, ike_sa);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_eap_radius_accounting_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	entry = this->sessions->remove(this->sessions, old->get_id(old));
+	if (entry)
+	{
+		/* update IKE_SA identifier */
+		entry->id->destroy(entry->id);
+		entry->id = new->get_id(new);
+		entry->id = entry->id->clone(entry->id);
+		/* fire new interim update job, old gets invalid */
+		schedule_interim(this, entry);
+
+		entry = this->sessions->put(this->sessions, entry->id, entry);
+		if (entry)
+		{
+			destroy_entry(entry);
+		}
 	}
+	this->mutex->unlock(this->mutex);
+
 	return TRUE;
 }
 
@@ -306,6 +679,8 @@ METHOD(listener_t, child_updown, bool,
 METHOD(eap_radius_accounting_t, destroy, void,
 	private_eap_radius_accounting_t *this)
 {
+	charon->bus->remove_listener(charon->bus, &this->public.listener);
+	singleton = NULL;
 	this->mutex->destroy(this->mutex);
 	this->sessions->destroy(this->sessions);
 	free(this);
@@ -321,7 +696,9 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 	INIT(this,
 		.public = {
 			.listener = {
+				.alert = _alert,
 				.ike_updown = _ike_updown,
+				.ike_rekey = _ike_rekey,
 				.message = _message_hook,
 				.child_updown = _child_updown,
 				.child_rekey = _child_rekey,
@@ -334,6 +711,41 @@ eap_radius_accounting_t *eap_radius_accounting_create()
 									 (hashtable_equals_t)equals, 32),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
+	if (lib->settings->get_bool(lib->settings,
+			"%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name))
+	{
+		this->station_id_fmt = "%#H";
+	}
+	else
+	{
+		this->station_id_fmt = "%H";
+	}
+	if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.accounting", FALSE, charon->name))
+	{
+		singleton = this;
+		charon->bus->add_listener(charon->bus, &this->public.listener);
+	}
+	this->acct_req_vip = lib->settings->get_bool(lib->settings,
+							"%s.plugins.eap-radius.accounting_requires_vip",
+							FALSE, charon->name);
 
 	return &this->public;
 }
+
+/**
+ * See header
+ */
+void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval)
+{
+	if (singleton)
+	{
+		entry_t *entry;
+
+		DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us", interval);
+		singleton->mutex->lock(singleton->mutex);
+		entry = get_or_create_entry(singleton, ike_sa);
+		entry->interim.interval = interval;
+		singleton->mutex->unlock(singleton->mutex);
+	}
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
index 811a5bb90..8d4f9a0e1 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h
@@ -46,4 +46,12 @@ struct eap_radius_accounting_t {
  */
 eap_radius_accounting_t *eap_radius_accounting_create();
 
+/**
+ * Schedule Accounting interim updates for the given IKE_SA.
+ *
+ * @param ike_sa			IKE_SA to send updates for
+ * @param interval			interval for interim updates
+ */
+void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval);
+
 #endif /** EAP_RADIUS_ACCOUNTING_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_dae.c b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
index e84fe5b9c..f22ddc56f 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_dae.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_dae.c
@@ -53,11 +53,6 @@ struct private_eap_radius_dae_t {
 	int fd;
 
 	/**
-	 * Listen job
-	 */
-	callback_job_t *job;
-
-	/**
 	 * RADIUS shared secret for DAE exchanges
 	 */
 	chunk_t secret;
@@ -189,11 +184,16 @@ static void send_response(private_eap_radius_dae_t *this,
 
 	response = radius_message_create(code);
 	response->set_identifier(response, request->get_identifier(request));
-	response->sign(response, request->get_authenticator(request),
-				   this->secret, this->hasher, this->signer, NULL, FALSE);
-
-	send_message(this, response, client);
-	save_retransmit(this, response, client);
+	if (response->sign(response, request->get_authenticator(request),
+					   this->secret, this->hasher, this->signer, NULL, FALSE))
+	{
+		send_message(this, response, client);
+		save_retransmit(this, response, client);
+	}
+	else
+	{
+		response->destroy(response);
+	}
 }
 
 /**
@@ -379,21 +379,17 @@ static void process_coa(private_eap_radius_dae_t *this,
 /**
  * Receive RADIUS DAE requests
  */
-static job_requeue_t receive(private_eap_radius_dae_t *this)
+static bool receive(private_eap_radius_dae_t *this)
 {
 	struct sockaddr_storage addr;
 	socklen_t addr_len = sizeof(addr);
 	radius_message_t *request;
 	char buf[2048];
 	ssize_t len;
-	bool oldstate;
 	host_t *client;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->fd, buf, sizeof(buf), 0,
+	len = recvfrom(this->fd, buf, sizeof(buf), MSG_DONTWAIT,
 				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
 	if (len > 0)
 	{
 		request = radius_message_parse(chunk_create(buf, len));
@@ -433,11 +429,11 @@ static job_requeue_t receive(private_eap_radius_dae_t *this)
 			DBG1(DBG_NET, "ignoring invalid RADIUS DAE request");
 		}
 	}
-	else
+	else if (errno != EWOULDBLOCK)
 	{
 		DBG1(DBG_NET, "receiving RADIUS DAE request failed: %s", strerror(errno));
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 /**
@@ -456,9 +452,11 @@ static bool open_socket(private_eap_radius_dae_t *this)
 
 	host = host_create_from_string(
 				lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.dae.listen", "0.0.0.0"),
+						"%s.plugins.eap-radius.dae.listen", "0.0.0.0",
+						charon->name),
 				lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.dae.port", RADIUS_DAE_PORT));
+						"%s.plugins.eap-radius.dae.port", RADIUS_DAE_PORT,
+						charon->name));
 	if (!host)
 	{
 		DBG1(DBG_CFG, "invalid RADIUS DAE listen address");
@@ -479,12 +477,9 @@ static bool open_socket(private_eap_radius_dae_t *this)
 METHOD(eap_radius_dae_t, destroy, void,
 	private_eap_radius_dae_t *this)
 {
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
 	if (this->fd != -1)
 	{
+		lib->watcher->remove(lib->watcher, this->fd);
 		close(this->fd);
 	}
 	DESTROY_IF(this->signer);
@@ -508,7 +503,8 @@ eap_radius_dae_t *eap_radius_dae_create(eap_radius_accounting_t *accounting)
 		.fd = -1,
 		.secret = {
 			.ptr = lib->settings->get_str(lib->settings,
-							"charon.plugins.eap-radius.dae.secret", NULL),
+									"%s.plugins.eap-radius.dae.secret", NULL,
+									charon->name),
 		},
 		.hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
 		.signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
@@ -527,17 +523,15 @@ eap_radius_dae_t *eap_radius_dae_create(eap_radius_accounting_t *accounting)
 		return NULL;
 	}
 	this->secret.len = strlen(this->secret.ptr);
-	this->signer->set_key(this->signer, this->secret);
-
-	if (!open_socket(this))
+	if (!this->signer->set_key(this->signer, this->secret) ||
+		!open_socket(this))
 	{
 		destroy(this);
 		return NULL;
 	}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->watcher->add(lib->watcher, this->fd, WATCHER_READ,
+					  (watcher_cb_t)receive, this);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
index cb4ca74e3..3e80e8918 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c
@@ -16,8 +16,8 @@
 #include "eap_radius_forward.h"
 
 #include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
 
 typedef struct private_eap_radius_forward_t private_eap_radius_forward_t;
@@ -248,7 +248,8 @@ static void ike2queue(message_t *message, linked_list_t *queue,
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
-		if (payload->get_type(payload) == NOTIFY)
+		if (payload->get_type(payload) == NOTIFY ||
+			payload->get_type(payload) == NOTIFY_V1)
 		{
 			notify = (notify_payload_t*)payload;
 			if (notify->get_notify_type(notify) == RADIUS_ATTRIBUTE)
@@ -319,11 +320,11 @@ void eap_radius_forward_to_ike(radius_message_t *response)
 
 METHOD(listener_t, message, bool,
 	private_eap_radius_forward_t *this,
-	ike_sa_t *ike_sa, message_t *message, bool incoming)
+	ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain)
 {
 	linked_list_t *queue;
 
-	if (message->get_exchange_type(message) == IKE_AUTH)
+	if (plain && message->get_exchange_type(message) == IKE_AUTH)
 	{
 		if (incoming)
 		{
@@ -436,9 +437,11 @@ eap_radius_forward_t *eap_radius_forward_create()
 			.destroy = _destroy,
 		},
 		.from_attr = parse_selector(lib->settings->get_str(lib->settings,
-						"charon.plugins.eap-radius.forward.ike_to_radius", "")),
+							"%s.plugins.eap-radius.forward.ike_to_radius", "",
+							charon->name)),
 		.to_attr = parse_selector(lib->settings->get_str(lib->settings,
-						"charon.plugins.eap-radius.forward.radius_to_ike", "")),
+							"%s.plugins.eap-radius.forward.radius_to_ike", "",
+							charon->name)),
 		.from = hashtable_create((hashtable_hash_t)hash,
 						(hashtable_equals_t)equals, 8),
 		.to = hashtable_create((hashtable_hash_t)hash,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 8ee0ab81a..90a4ef6de 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,15 +17,19 @@
 #include "eap_radius_plugin.h"
 
 #include "eap_radius.h"
+#include "eap_radius_xauth.h"
 #include "eap_radius_accounting.h"
 #include "eap_radius_dae.h"
 #include "eap_radius_forward.h"
+#include "eap_radius_provider.h"
 
 #include <radius_client.h>
 #include <radius_config.h>
 
-#include <daemon.h>
+#include <hydra.h>
 #include <threading/rwlock.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 /**
  * Default RADIUS server port for authentication
@@ -64,6 +69,11 @@ struct private_eap_radius_plugin_t {
 	eap_radius_accounting_t *accounting;
 
 	/**
+	 * IKE attribute provider
+	 */
+	eap_radius_provider_t *provider;
+
+	/**
 	 * Dynamic authorization extensions
 	 */
 	eap_radius_dae_t *dae;
@@ -90,22 +100,23 @@ static void load_configs(private_eap_radius_plugin_t *this)
 	int auth_port, acct_port, sockets, preference;
 
 	address = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.server", NULL);
+					"%s.plugins.eap-radius.server", NULL, charon->name);
 	if (address)
 	{	/* legacy configuration */
 		secret = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.secret", NULL);
+					"%s.plugins.eap-radius.secret", NULL, charon->name);
 		if (!secret)
 		{
-			DBG1(DBG_CFG, "no RADUIS secret defined");
+			DBG1(DBG_CFG, "no RADIUS secret defined");
 			return;
 		}
 		nas_identifier = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-radius.nas_identifier", "strongSwan");
+					"%s.plugins.eap-radius.nas_identifier", "strongSwan",
+					charon->name);
 		auth_port = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.port", AUTH_PORT);
+					"%s.plugins.eap-radius.port", AUTH_PORT, charon->name);
 		sockets = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.sockets", 1);
+					"%s.plugins.eap-radius.sockets", 1, charon->name);
 		config = radius_config_create(address, address, auth_port, ACCT_PORT,
 									  nas_identifier, secret, sockets, 0);
 		if (!config)
@@ -118,38 +129,43 @@ static void load_configs(private_eap_radius_plugin_t *this)
 	}
 
 	enumerator = lib->settings->create_section_enumerator(lib->settings,
-										"charon.plugins.eap-radius.servers");
+								"%s.plugins.eap-radius.servers", charon->name);
 	while (enumerator->enumerate(enumerator, &section))
 	{
 		address = lib->settings->get_str(lib->settings,
-			"charon.plugins.eap-radius.servers.%s.address", NULL, section);
+							"%s.plugins.eap-radius.servers.%s.address", NULL,
+							charon->name, section);
 		if (!address)
 		{
 			DBG1(DBG_CFG, "RADIUS server '%s' misses address, skipped", section);
 			continue;
 		}
 		secret = lib->settings->get_str(lib->settings,
-			"charon.plugins.eap-radius.servers.%s.secret", NULL, section);
+							"%s.plugins.eap-radius.servers.%s.secret", NULL,
+							charon->name, section);
 		if (!secret)
 		{
 			DBG1(DBG_CFG, "RADIUS server '%s' misses secret, skipped", section);
 			continue;
 		}
 		nas_identifier = lib->settings->get_str(lib->settings,
-			"charon.plugins.eap-radius.servers.%s.nas_identifier",
-			"strongSwan", section);
+				"%s.plugins.eap-radius.servers.%s.nas_identifier", "strongSwan",
+				charon->name, section);
 		auth_port = lib->settings->get_int(lib->settings,
-			"charon.plugins.eap-radius.servers.%s.auth_port",
+			"%s.plugins.eap-radius.servers.%s.auth_port",
 				lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-radius.servers.%s.port",
-					AUTH_PORT, section),
-			section);
+					"%s.plugins.eap-radius.servers.%s.port",
+					AUTH_PORT, charon->name, section),
+			charon->name, section);
 		acct_port = lib->settings->get_int(lib->settings,
-			"charon.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT, section);
+				"%s.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT,
+				charon->name, section);
 		sockets = lib->settings->get_int(lib->settings,
-			"charon.plugins.eap-radius.servers.%s.sockets", 1, section);
+				"%s.plugins.eap-radius.servers.%s.sockets", 1,
+				charon->name, section);
 		preference = lib->settings->get_int(lib->settings,
-			"charon.plugins.eap-radius.servers.%s.preference", 0, section);
+				"%s.plugins.eap-radius.servers.%s.preference", 0,
+				charon->name, section);
 		config = radius_config_create(section, address, auth_port, acct_port,
 								nas_identifier, secret, sockets, preference);
 		if (!config)
@@ -172,12 +188,60 @@ METHOD(plugin_t, get_name, char*,
 	return "eap-radius";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_eap_radius_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		this->accounting = eap_radius_accounting_create();
+		this->forward = eap_radius_forward_create();
+		this->provider = eap_radius_provider_create();
+
+		load_configs(this);
+
+		if (lib->settings->get_bool(lib->settings,
+					"%s.plugins.eap-radius.dae.enable", FALSE, charon->name))
+		{
+			this->dae = eap_radius_dae_create(this->accounting);
+		}
+		if (this->forward)
+		{
+			charon->bus->add_listener(charon->bus, &this->forward->listener);
+		}
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+		if (this->forward)
+		{
+			charon->bus->remove_listener(charon->bus, &this->forward->listener);
+			this->forward->destroy(this->forward);
+		}
+		DESTROY_IF(this->dae);
+		this->provider->destroy(this->provider);
+		this->accounting->destroy(this->accounting);
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_features, int,
-	eap_radius_plugin_t *this, plugin_feature_t *features[])
+	private_eap_radius_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(eap_method_register, eap_radius_create),
 			PLUGIN_PROVIDE(EAP_SERVER, EAP_RADIUS),
+				PLUGIN_DEPENDS(CUSTOM, "eap-radius"),
+		PLUGIN_CALLBACK(xauth_method_register, eap_radius_xauth_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "radius"),
+				PLUGIN_DEPENDS(CUSTOM, "eap-radius"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "eap-radius"),
 				PLUGIN_DEPENDS(HASHER, HASH_MD5),
 				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_MD5_128),
 				PLUGIN_DEPENDS(RNG, RNG_WEAK),
@@ -201,17 +265,9 @@ METHOD(plugin_t, reload, bool,
 METHOD(plugin_t, destroy, void,
 	private_eap_radius_plugin_t *this)
 {
-	if (this->forward)
-	{
-		charon->bus->remove_listener(charon->bus, &this->forward->listener);
-		this->forward->destroy(this->forward);
-	}
-	DESTROY_IF(this->dae);
 	this->configs->destroy_offset(this->configs,
 								  offsetof(radius_config_t, destroy));
 	this->lock->destroy(this->lock);
-	charon->bus->remove_listener(charon->bus, &this->accounting->listener);
-	this->accounting->destroy(this->accounting);
 	free(this);
 	instance = NULL;
 }
@@ -234,28 +290,9 @@ plugin_t *eap_radius_plugin_create()
 		},
 		.configs = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-		.accounting = eap_radius_accounting_create(),
-		.forward = eap_radius_forward_create(),
 	);
-
-	load_configs(this);
 	instance = this;
 
-	if (lib->settings->get_bool(lib->settings,
-						"charon.plugins.eap-radius.accounting", FALSE))
-	{
-		charon->bus->add_listener(charon->bus, &this->accounting->listener);
-	}
-	if (lib->settings->get_bool(lib->settings,
-						"charon.plugins.eap-radius.dae.enable", FALSE))
-	{
-		this->dae = eap_radius_dae_create(this->accounting);
-	}
-	if (this->forward)
-	{
-		charon->bus->add_listener(charon->bus, &this->forward->listener);
-	}
-
 	return &this->public.plugin;
 }
 
@@ -302,3 +339,47 @@ radius_client_t *eap_radius_create_client()
 	return NULL;
 }
 
+/**
+ * Job to delete all active IKE_SAs
+ */
+static job_requeue_t delete_all_async(void *data)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+
+	enumerator = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		lib->processor->queue_job(lib->processor,
+				(job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+	}
+	enumerator->destroy(enumerator);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * See header.
+ */
+void eap_radius_handle_timeout(ike_sa_id_t *id)
+{
+	charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
+
+	if (lib->settings->get_bool(lib->settings,
+								"%s.plugins.eap-radius.close_all_on_timeout",
+								FALSE, charon->name))
+	{
+		DBG1(DBG_CFG, "deleting all IKE_SAs after RADIUS timeout");
+		lib->processor->queue_job(lib->processor,
+				(job_t*)callback_job_create_with_prio(
+						(callback_job_cb_t)delete_all_async, NULL, NULL,
+						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	}
+	else if (id)
+	{
+		DBG1(DBG_CFG, "deleting IKE_SA after RADIUS timeout");
+		lib->processor->queue_job(lib->processor,
+				(job_t*)delete_ike_sa_job_create(id, TRUE));
+	}
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
index 1570bd566..80fa209d6 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
@@ -27,6 +27,7 @@
 #include <plugins/plugin.h>
 
 #include <radius_client.h>
+#include <daemon.h>
 
 typedef struct eap_radius_plugin_t eap_radius_plugin_t;
 
@@ -51,4 +52,14 @@ struct eap_radius_plugin_t {
  */
 radius_client_t *eap_radius_create_client();
 
+/**
+ * Handle a RADIUS request timeout.
+ *
+ * If an IKE_SA is given, it gets deleted (unless the policy says to delete
+ * any established IKE_SA).
+ *
+ * @param id		associated IKE_SA where timeout happened, or NULL
+ */
+void eap_radius_handle_timeout(ike_sa_id_t *id);
+
 #endif /** EAP_RADIUS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
new file mode 100644
index 000000000..7c794616b
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -0,0 +1,550 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius_provider.h"
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
+
+typedef struct private_eap_radius_provider_t private_eap_radius_provider_t;
+typedef struct private_listener_t private_listener_t;
+
+/**
+ * Private data of registered listener
+ */
+struct private_listener_t {
+
+	/**
+	 * Implements listener_t interface
+	 */
+	listener_t public;
+
+	/**
+	 * Leases not acquired yet, identification_t => entry_t
+	 */
+	hashtable_t *unclaimed;
+
+	/**
+	 * Leases acquired, identification_t => entry_t
+	 */
+	hashtable_t *claimed;
+
+	/**
+	 * Mutex to lock leases
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Private data of an eap_radius_provider_t object.
+ */
+struct private_eap_radius_provider_t {
+
+	/**
+	 * Public eap_radius_provider_t interface.
+	 */
+	eap_radius_provider_t public;
+
+	/**
+	 * Additionally implements the listener_t interface
+	 */
+	private_listener_t listener;
+};
+
+/**
+ * Singleton instance of provider
+ */
+static eap_radius_provider_t *singleton = NULL;
+
+/**
+ * Configuration attribute in an entry
+ */
+typedef struct {
+	/** type of attribute */
+	configuration_attribute_type_t type;
+	/** attribute data */
+	chunk_t data;
+} attr_t;
+
+/**
+ * Destroy an attr_t
+ */
+static void destroy_attr(attr_t *this)
+{
+	free(this->data.ptr);
+	free(this);
+}
+
+/**
+ * Hashtable entry with leases and attributes
+ */
+typedef struct {
+	/** IKE_SA uniqe id we assign the IP lease */
+	uintptr_t id;
+	/** list of IP leases received from AAA, as host_t */
+	linked_list_t *addrs;
+	/** list of configuration attributes, as attr_t */
+	linked_list_t *attrs;
+} entry_t;
+
+/**
+ * destroy an entry_t
+ */
+static void destroy_entry(entry_t *this)
+{
+	this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy));
+	this->attrs->destroy_function(this->attrs, (void*)destroy_attr);
+	free(this);
+}
+
+/**
+ * Get or create an entry from a locked hashtable
+ */
+static entry_t* get_or_create_entry(hashtable_t *hashtable, uintptr_t id)
+{
+	entry_t *entry;
+
+	entry = hashtable->get(hashtable, (void*)id);
+	if (!entry)
+	{
+		INIT(entry,
+			.id = id,
+			.addrs = linked_list_create(),
+			.attrs = linked_list_create(),
+		);
+		hashtable->put(hashtable, (void*)id, entry);
+	}
+	return entry;
+}
+
+/**
+ * Put an entry to hashtable, or destroy it ife empty
+ */
+static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
+{
+	if (entry->addrs->get_count(entry->addrs) > 0 ||
+		entry->attrs->get_count(entry->attrs) > 0)
+	{
+		hashtable->put(hashtable, (void*)entry->id, entry);
+	}
+	else
+	{
+		destroy_entry(entry);
+	}
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(uintptr_t id)
+{
+	return id;
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(uintptr_t a, uintptr_t b)
+{
+	return a == b;
+}
+
+/**
+ * Insert an address entry to a locked claimed/unclaimed hashtable
+ */
+static void add_addr(private_eap_radius_provider_t *this,
+					 hashtable_t *hashtable, uintptr_t id, host_t *host)
+{
+	entry_t *entry;
+
+	entry = get_or_create_entry(hashtable, id);
+	entry->addrs->insert_last(entry->addrs, host);
+}
+
+/**
+ * Remove the next address from the locked hashtable stored for given id
+ */
+static host_t* remove_addr(private_eap_radius_provider_t *this,
+						   hashtable_t *hashtable, uintptr_t id)
+{
+	entry_t *entry;
+	host_t *addr = NULL;
+
+	entry = hashtable->remove(hashtable, (void*)id);
+	if (entry)
+	{
+		entry->addrs->remove_first(entry->addrs, (void**)&addr);
+		put_or_destroy_entry(hashtable, entry);
+	}
+	return addr;
+}
+
+/**
+ * Insert an attribute entry to a locked claimed/unclaimed hashtable
+ */
+static void add_attr(private_eap_radius_provider_t *this,
+					 hashtable_t *hashtable, uintptr_t id, attr_t *attr)
+{
+	entry_t *entry;
+
+	entry = get_or_create_entry(hashtable, id);
+	entry->attrs->insert_last(entry->attrs, attr);
+}
+
+/**
+ * Remove the next attribute from the locked hashtable stored for given id
+ */
+static attr_t* remove_attr(private_eap_radius_provider_t *this,
+						   hashtable_t *hashtable, uintptr_t id)
+{
+	entry_t *entry;
+	attr_t *attr = NULL;
+
+	entry = hashtable->remove(hashtable, (void*)id);
+	if (entry)
+	{
+		entry->attrs->remove_first(entry->attrs, (void**)&attr);
+		put_or_destroy_entry(hashtable, entry);
+	}
+	return attr;
+}
+
+/**
+ * Clean up unclaimed leases assigned for an IKE_SA
+ */
+static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa)
+{
+	uintptr_t id;
+	entry_t *entry;
+
+	id = ike_sa->get_unique_id(ike_sa);
+	this->mutex->lock(this->mutex);
+	entry = this->unclaimed->remove(this->unclaimed, (void*)id);
+	this->mutex->unlock(this->mutex);
+	if (entry)
+	{
+		destroy_entry(entry);
+	}
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming, bool plain)
+{
+	if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		!incoming && !message->get_request(message))
+	{
+		if ((ike_sa->get_version(ike_sa) == IKEV1 &&
+			 message->get_exchange_type(message) == TRANSACTION) ||
+			(ike_sa->get_version(ike_sa) == IKEV2 &&
+			 message->get_exchange_type(message) == IKE_AUTH))
+		{
+			/* if the addresses have not been claimed yet, they won't. Release
+			 * these resources. */
+			release_unclaimed(this, ike_sa);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+	if (!up)
+	{
+		/* if the message hook does not apply because of a failed exchange
+		 * or something, make sure we release any resources now */
+		release_unclaimed(this, ike_sa);
+	}
+	return TRUE;
+}
+
+/**
+ * Migrate an entry in hashtable from old to new id
+ */
+static void migrate_entry(hashtable_t *table, uintptr_t old, uintptr_t new)
+{
+	entry_t *entry;
+
+	entry = table->remove(table, (void*)old);
+	if (entry)
+	{
+		entry->id = new;
+		entry = table->put(table, (void*)new, entry);
+		if (entry)
+		{	/* shouldn't happen */
+			destroy_entry(entry);
+		}
+	}
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	uintptr_t old_id, new_id;
+
+	old_id = old->get_unique_id(old);
+	new_id = new->get_unique_id(new);
+
+	this->mutex->lock(this->mutex);
+
+	migrate_entry(this->unclaimed, old_id, new_id);
+	migrate_entry(this->claimed, old_id, new_id);
+
+	this->mutex->unlock(this->mutex);
+
+	return TRUE;
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+	private_eap_radius_provider_t *this, linked_list_t *pools,
+	identification_t *id, host_t *requested)
+{
+	enumerator_t *enumerator;
+	host_t *addr = NULL;
+	ike_sa_t *ike_sa;
+	uintptr_t sa;
+	char *name;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return NULL;
+	}
+	sa = ike_sa->get_unique_id(ike_sa);
+
+	enumerator = pools->create_enumerator(pools);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		if (streq(name, "radius"))
+		{
+			this->listener.mutex->lock(this->listener.mutex);
+			addr = remove_addr(this, this->listener.unclaimed, sa);
+			if (addr)
+			{
+				add_addr(this, this->listener.claimed, sa, addr->clone(addr));
+			}
+			this->listener.mutex->unlock(this->listener.mutex);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return addr;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+	private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address,
+	identification_t *id)
+{
+	enumerator_t *enumerator;
+	host_t *found = NULL;
+	ike_sa_t *ike_sa;
+	uintptr_t sa;
+	char *name;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+	sa = ike_sa->get_unique_id(ike_sa);
+
+	enumerator = pools->create_enumerator(pools);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		if (streq(name, "radius"))
+		{
+			this->listener.mutex->lock(this->listener.mutex);
+			found = remove_addr(this, this->listener.claimed, sa);
+			this->listener.mutex->unlock(this->listener.mutex);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (found)
+	{
+		found->destroy(found);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Enumerator implementation over attributes
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** list of attributes to enumerate */
+	linked_list_t *list;
+	/** currently enumerating attribute */
+	attr_t *current;
+} attribute_enumerator_t;
+
+
+METHOD(enumerator_t, attribute_enumerate, bool,
+	attribute_enumerator_t *this, configuration_attribute_type_t *type,
+	chunk_t *data)
+{
+	if (this->current)
+	{
+		destroy_attr(this->current);
+		this->current = NULL;
+	}
+	if (this->list->remove_first(this->list, (void**)&this->current) == SUCCESS)
+	{
+		*type = this->current->type;
+		*data = this->current->data;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, attribute_destroy, void,
+	attribute_enumerator_t *this)
+{
+	if (this->current)
+	{
+		destroy_attr(this->current);
+	}
+	this->list->destroy_function(this->list, (void*)destroy_attr);
+	free(this);
+}
+
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+	private_eap_radius_provider_t *this, linked_list_t *pools,
+	identification_t *id, linked_list_t *vips)
+{
+	attribute_enumerator_t *enumerator;
+	attr_t *attr;
+	ike_sa_t *ike_sa;
+	uintptr_t sa;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return NULL;
+	}
+	sa = ike_sa->get_unique_id(ike_sa);
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_attribute_enumerate,
+			.destroy = _attribute_destroy,
+		},
+		.list = linked_list_create(),
+	);
+
+	/* we forward attributes regardless of pool configurations */
+	this->listener.mutex->lock(this->listener.mutex);
+	while (TRUE)
+	{
+		attr = remove_attr(this, this->listener.unclaimed, sa);
+		if (!attr)
+		{
+			break;
+		}
+		enumerator->list->insert_last(enumerator->list, attr);
+	}
+	this->listener.mutex->unlock(this->listener.mutex);
+
+	return &enumerator->public;
+}
+
+METHOD(eap_radius_provider_t, add_framed_ip, void,
+	private_eap_radius_provider_t *this, u_int32_t id, host_t *ip)
+{
+	this->listener.mutex->lock(this->listener.mutex);
+	add_addr(this, this->listener.unclaimed, id, ip);
+	this->listener.mutex->unlock(this->listener.mutex);
+}
+
+METHOD(eap_radius_provider_t, add_attribute, void,
+	private_eap_radius_provider_t *this, u_int32_t id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	attr_t *attr;
+
+	INIT(attr,
+		.type = type,
+		.data = chunk_clone(data),
+	);
+	this->listener.mutex->lock(this->listener.mutex);
+	add_attr(this, this->listener.unclaimed, id, attr);
+	this->listener.mutex->unlock(this->listener.mutex);
+}
+
+METHOD(eap_radius_provider_t, destroy, void,
+	private_eap_radius_provider_t *this)
+{
+	singleton = NULL;
+	charon->bus->remove_listener(charon->bus, &this->listener.public);
+	this->listener.mutex->destroy(this->listener.mutex);
+	this->listener.claimed->destroy(this->listener.claimed);
+	this->listener.unclaimed->destroy(this->listener.unclaimed);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_create()
+{
+	if (!singleton)
+	{
+		private_eap_radius_provider_t *this;
+
+		INIT(this,
+			.public = {
+				.provider = {
+					.acquire_address = _acquire_address,
+					.release_address = _release_address,
+					.create_attribute_enumerator = _create_attribute_enumerator,
+				},
+				.add_framed_ip = _add_framed_ip,
+				.add_attribute = _add_attribute,
+				.destroy = _destroy,
+			},
+			.listener = {
+				.public = {
+					.ike_updown = _ike_updown,
+					.ike_rekey = _ike_rekey,
+					.message = _message_hook,
+				},
+				.claimed = hashtable_create((hashtable_hash_t)hash,
+										(hashtable_equals_t)equals, 32),
+				.unclaimed = hashtable_create((hashtable_hash_t)hash,
+										(hashtable_equals_t)equals, 32),
+				.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+			},
+		);
+
+		charon->bus->add_listener(charon->bus, &this->listener.public);
+
+		singleton = &this->public;
+	}
+	return singleton;
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_get()
+{
+	return singleton;
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
new file mode 100644
index 000000000..5a62f4a38
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius_provider eap_radius_provider
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_PROVIDER_H_
+#define EAP_RADIUS_PROVIDER_H_
+
+#include <attributes/attributes.h>
+#include <attributes/attribute_provider.h>
+
+typedef struct eap_radius_provider_t eap_radius_provider_t;
+
+/**
+ * IKE configuration attribute fed by RADIUS attributes
+ */
+struct eap_radius_provider_t {
+
+	/**
+	 * Implements attribute_provider_t
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Add a received Framed-IP-Address to the provider to serve to client.
+	 *
+	 * @param id			IKE_SA unique identifier
+	 * @param ip			IP address received from RADIUS server, gets owned
+	 */
+	void (*add_framed_ip)(eap_radius_provider_t *this, u_int32_t id,
+						  host_t *ip);
+
+	/**
+	 * Add a configuration attribute received from RADIUS to forward.
+	 *
+	 * @param id			IKE_SA unique identifier
+	 * @param type			attribute type
+	 * @param data			attribute data
+	 */
+	void (*add_attribute)(eap_radius_provider_t *this, u_int32_t id,
+						  configuration_attribute_type_t type, chunk_t data);
+
+	/**
+	 * Destroy a eap_radius_provider_t.
+	 */
+	void (*destroy)(eap_radius_provider_t *this);
+};
+
+/**
+ * Create a eap_radius_provider instance.
+ */
+eap_radius_provider_t *eap_radius_provider_create();
+
+/**
+ * Get singleton instance previously created with eap_radius_provider_create().
+ */
+eap_radius_provider_t *eap_radius_provider_get();
+
+#endif /** EAP_RADIUS_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
new file mode 100644
index 000000000..bd960d2bc
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius_xauth.h"
+#include "eap_radius_plugin.h"
+#include "eap_radius.h"
+#include "eap_radius_forward.h"
+
+#include <daemon.h>
+#include <radius_client.h>
+
+
+typedef struct private_eap_radius_xauth_t private_eap_radius_xauth_t;
+
+/**
+ * Private data of an eap_radius_xauth_t object.
+ */
+struct private_eap_radius_xauth_t {
+
+	/**
+	 * Public interface.
+	 */
+	eap_radius_xauth_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * RADIUS connection
+	 */
+	radius_client_t *client;
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+	private_eap_radius_xauth_t *this, cp_payload_t **out)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty));
+	*out = cp;
+	return NEED_MORE;
+}
+
+/**
+ * Verify a password using RADIUS User-Name/User-Password attributes
+ */
+static status_t verify_radius(private_eap_radius_xauth_t *this, chunk_t pass)
+{
+	radius_message_t *request, *response;
+	status_t status = FAILED;
+
+	request = radius_message_create(RMC_ACCESS_REQUEST);
+	request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+	request->add(request, RAT_USER_PASSWORD, pass);
+
+	eap_radius_build_attributes(request);
+	eap_radius_forward_from_ike(request);
+
+	response = this->client->request(this->client, request);
+	if (response)
+	{
+		eap_radius_forward_to_ike(response);
+		switch (response->get_code(response))
+		{
+			case RMC_ACCESS_ACCEPT:
+				eap_radius_process_attributes(response);
+				status = SUCCESS;
+				break;
+			case RMC_ACCESS_CHALLENGE:
+				DBG1(DBG_IKE, "RADIUS Access-Challenge not supported");
+				/* FALL */
+			case RMC_ACCESS_REJECT:
+			default:
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
+				break;
+		}
+		response->destroy(response);
+	}
+	else
+	{
+		eap_radius_handle_timeout(NULL);
+	}
+	request->destroy(request);
+	return status;
+}
+
+METHOD(xauth_method_t, process, status_t,
+	private_eap_radius_xauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	configuration_attribute_t *attr;
+	enumerator_t *enumerator;
+	identification_t *id;
+	chunk_t user = chunk_empty, pass = chunk_empty;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		switch (attr->get_type(attr))
+		{
+			case XAUTH_USER_NAME:
+				user = attr->get_chunk(attr);
+				break;
+			case XAUTH_USER_PASSWORD:
+				pass = attr->get_chunk(attr);
+				/* trim password to any null termination. As User-Password
+				 * uses null padding, we can't have any null in it, and some
+				 * clients actually send null terminated strings (Android). */
+				pass.len = strnlen(pass.ptr, pass.len);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!user.ptr || !pass.ptr)
+	{
+		DBG1(DBG_IKE, "peer did not respond to our XAuth request");
+		return FAILED;
+	}
+	if (user.len)
+	{
+		id = identification_create_from_data(user);
+		if (!id)
+		{
+			DBG1(DBG_IKE, "failed to parse provided XAuth username");
+			return FAILED;
+		}
+		this->peer->destroy(this->peer);
+		this->peer = id;
+	}
+	return verify_radius(this, pass);
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_eap_radius_xauth_t *this)
+{
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_eap_radius_xauth_t *this)
+{
+	DESTROY_IF(this->client);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server,
+												   identification_t *peer)
+{
+	private_eap_radius_xauth_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.client = eap_radius_create_client(),
+	);
+
+	if (!this->client)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.h b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h
new file mode 100644
index 000000000..8571bbc9f
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius_xauth eap_radius_xauth
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_XAUTH_H_
+#define EAP_RADIUS_XAUTH_H_
+
+#include <sa/xauth/xauth_method.h>
+
+typedef struct eap_radius_xauth_t eap_radius_xauth_t;
+
+/**
+ * XAuth backend using plain RADIUS authentication (no EAP involved).
+ */
+struct eap_radius_xauth_t {
+
+	/**
+	 * Implements XAuth module interface
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the RADIUS XAuth method, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_generic_t object
+ */
+eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server,
+												   identification_t *peer);
+
+#endif /** EAP_RADIUS_XAUTH_H_ @}*/
diff --git a/src/libcharon/plugins/eap_sim/Makefile.am b/src/libcharon/plugins/eap_sim/Makefile.am
index a0cb72f5f..2e9dad1b8 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.am
+++ b/src/libcharon/plugins/eap_sim/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-sim.la
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index d06929522..da96c1976 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_la_DEPENDENCIES =  \
@@ -80,48 +104,77 @@ am_libstrongswan_eap_sim_la_OBJECTS = eap_sim_plugin.lo \
 	eap_sim_peer.lo eap_sim_server.lo
 libstrongswan_eap_sim_la_OBJECTS =  \
 	$(am_libstrongswan_eap_sim_la_OBJECTS)
-libstrongswan_eap_sim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_sim_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_sim_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_sim_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_sim_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_sim_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-sim.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-sim.la
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -342,7 +409,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -350,6 +416,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -371,8 +439,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_la_LINK) $(am_libstrongswan_eap_sim_la_rpath) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
+libstrongswan-eap-sim.la: $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_sim_la_LINK) $(am_libstrongswan_eap_sim_la_rpath) $(libstrongswan_eap_sim_la_OBJECTS) $(libstrongswan_eap_sim_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -385,25 +453,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -510,10 +578,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
index 1d1ab99e0..ff96e9279 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c
@@ -106,13 +106,30 @@ struct private_eap_sim_peer_t {
 static chunk_t version = chunk_from_chars(0x00,0x01);
 
 /**
+ * Generate a payload from a message, destroy message
+ */
+static bool generate_payload(simaka_message_t *message, chunk_t data,
+							 eap_payload_t **out)
+{
+	chunk_t chunk;
+	bool ok;
+
+	ok = message->generate(message, data, &chunk);
+	if (ok)
+	{
+		*out = eap_payload_create_data_own(chunk);
+	}
+	message->destroy(message);
+	return ok;
+}
+
+/**
  * Create a SIM_CLIENT_ERROR
  */
-static eap_payload_t* create_client_error(private_eap_sim_peer_t *this,
-										  simaka_client_error_t code)
+static bool create_client_error(private_eap_sim_peer_t *this,
+								simaka_client_error_t code, eap_payload_t **out)
 {
 	simaka_message_t *message;
-	eap_payload_t *out;
 	u_int16_t encoded;
 
 	DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code);
@@ -122,9 +139,7 @@ static eap_payload_t* create_client_error(private_eap_sim_peer_t *this,
 	encoded = htons(code);
 	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
 						   chunk_create((char*)&encoded, sizeof(encoded)));
-	out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-	return out;
+	return generate_payload(message, chunk_empty, out);
 }
 
 /**
@@ -175,8 +190,11 @@ static status_t process_start(private_eap_sim_peer_t *this,
 			default:
 				if (!simaka_attribute_skippable(type))
 				{
-					*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
 					enumerator->destroy(enumerator);
+					if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+					{
+						return FAILED;
+					}
 					return NEED_MORE;
 				}
 				break;
@@ -187,7 +205,10 @@ static status_t process_start(private_eap_sim_peer_t *this,
 	if (!supported)
 	{
 		DBG1(DBG_IKE, "server does not support EAP-SIM version number 1");
-		*out = create_client_error(this, SIM_UNSUPPORTED_VERSION);
+		if (!create_client_error(this, SIM_UNSUPPORTED_VERSION, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -221,7 +242,10 @@ static status_t process_start(private_eap_sim_peer_t *this,
 	/* generate AT_NONCE_MT value */
 	rng = this->crypto->get_rng(this->crypto);
 	free(this->nonce.ptr);
-	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+	if (!rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
+	{
+		return FAILED;
+	}
 
 	message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
 									SIM_START, this->crypto);
@@ -234,9 +258,10 @@ static status_t process_start(private_eap_sim_peer_t *this,
 	{
 		message->add_attribute(message, AT_IDENTITY, id);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	return NEED_MORE;
 }
 
@@ -270,8 +295,11 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
 			default:
 				if (!simaka_attribute_skippable(type))
 				{
-					*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
 					enumerator->destroy(enumerator);
+					if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+					{
+						return FAILED;
+					}
 					return NEED_MORE;
 				}
 				break;
@@ -285,7 +313,10 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
 		memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN))
 	{
 		DBG1(DBG_IKE, "no valid AT_RAND received");
-		*out = create_client_error(this, SIM_INSUFFICIENT_CHALLENGES);
+		if (!create_client_error(this, SIM_INSUFFICIENT_CHALLENGES, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 	/* get two or three KCs/SRESes from SIM using RANDs */
@@ -297,7 +328,10 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
 										 rands.ptr, sres.ptr, kc.ptr))
 		{
 			DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
-			*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+			if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+			{
+				return FAILED;
+			}
 			return NEED_MORE;
 		}
 		DBG3(DBG_IKE, "got triplet for RAND %b\n  Kc %b\n  SRES %b",
@@ -313,16 +347,22 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
 		id = this->pseudonym;
 	}
 	data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version);
-	free(this->msk.ptr);
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	chunk_clear(&this->msk);
+	if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk))
+	{
+		return FAILED;
+	}
 	memcpy(this->mk, mk.ptr, mk.len);
-	free(mk.ptr);
+	chunk_clear(&mk);
 
 	/* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and
 	 * parse() again after key derivation, reading encrypted attributes */
 	if (!in->verify(in, this->nonce) || !in->parse(in))
 	{
-		*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+		if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -352,8 +392,10 @@ static status_t process_challenge(private_eap_sim_peer_t *this,
 	/* build response with AT_MAC, built over "EAP packet | n*SRES" */
 	message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
 									SIM_CHALLENGE, this->crypto);
-	*out = eap_payload_create_data_own(message->generate(message, sreses));
-	message->destroy(message);
+	if (!generate_payload(message, sreses, out))
+	{
+		return FAILED;
+	}
 	return NEED_MORE;
 }
 
@@ -384,17 +426,26 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
 	{
 		DBG1(DBG_IKE, "received %N, but not expected",
 			 simaka_subtype_names, SIM_REAUTHENTICATION);
-		*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+		if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
-	this->crypto->derive_keys_reauth(this->crypto,
-									 chunk_create(this->mk, HASH_SIZE_SHA1));
+	if (!this->crypto->derive_keys_reauth(this->crypto,
+									chunk_create(this->mk, HASH_SIZE_SHA1)))
+	{
+		return FAILED;
+	}
 
 	/* verify MAC and parse again with decryption key */
 	if (!in->verify(in, chunk_empty) || !in->parse(in))
 	{
-		*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+		if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -415,8 +466,11 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
 			default:
 				if (!simaka_attribute_skippable(type))
 				{
-					*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
 					enumerator->destroy(enumerator);
+					if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+					{
+						return FAILED;
+					}
 					return NEED_MORE;
 				}
 				break;
@@ -427,7 +481,10 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
 	if (!nonce.len || !counter.len)
 	{
 		DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete");
-		*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+		if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 
@@ -440,10 +497,14 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
 	}
 	else
 	{
-		free(this->msk.ptr);
-		this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-										this->reauth, counter, nonce,
-										chunk_create(this->mk, HASH_SIZE_SHA1));
+		chunk_clear(&this->msk);
+		if (!this->crypto->derive_keys_reauth_msk(this->crypto,
+						this->reauth, counter, nonce,
+						chunk_create(this->mk, HASH_SIZE_SHA1), &this->msk))
+		{
+			message->destroy(message);
+			return FAILED;
+		}
 		if (id.len)
 		{
 			identification_t *reauth;
@@ -455,8 +516,10 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
 		}
 	}
 	message->add_attribute(message, AT_COUNTER, counter);
-	*out = eap_payload_create_data_own(message->generate(message, nonce));
-	message->destroy(message);
+	if (!generate_payload(message, nonce, out))
+	{
+		return FAILED;
+	}
 	return NEED_MORE;
 }
 
@@ -506,13 +569,17 @@ static status_t process_notification(private_eap_sim_peer_t *this,
 	{	/* empty notification reply */
 		message = simaka_message_create(FALSE, this->identifier, EAP_SIM,
 										SIM_NOTIFICATION, this->crypto);
-		*out = eap_payload_create_data_own(message->generate(message,
-										   chunk_empty));
-		message->destroy(message);
+		if (!generate_payload(message, chunk_empty, out))
+		{
+			return FAILED;
+		}
 	}
 	else
 	{
-		*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+		if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+		{
+			return FAILED;
+		}
 	}
 	return NEED_MORE;
 }
@@ -529,13 +596,19 @@ METHOD(eap_method_t, process, status_t,
 	message = simaka_message_create_from_payload(in->get_data(in), this->crypto);
 	if (!message)
 	{
-		*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+		if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 	if (!message->parse(message))
 	{
 		message->destroy(message);
-		*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
+		if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+		{
+			return FAILED;
+		}
 		return NEED_MORE;
 	}
 	switch (message->get_subtype(message))
@@ -555,8 +628,14 @@ METHOD(eap_method_t, process, status_t,
 		default:
 			DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
 				 simaka_subtype_names, message->get_subtype(message));
-			*out = create_client_error(this, SIM_UNABLE_TO_PROCESS);
-			status = NEED_MORE;
+			if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out))
+			{
+				status = FAILED;
+			}
+			else
+			{
+				status = NEED_MORE;
+			}
 			break;
 	}
 	message->destroy(message);
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.h b/src/libcharon/plugins/eap_sim/eap_sim_peer.h
index ba72ce484..38315b75a 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_peer.h
+++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.h
@@ -21,7 +21,7 @@
 #ifndef EAP_SIM_PEER_H_
 #define EAP_SIM_PEER_H_
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 typedef struct eap_sim_peer_t eap_sim_peer_t;
 
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c
index e0f7e92ad..334e2df1d 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_server.c
+++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c
@@ -113,6 +113,24 @@ struct private_eap_sim_server_t {
 /* version of SIM protocol we speak */
 static chunk_t version = chunk_from_chars(0x00,0x01);
 
+/**
+ * Generate a payload from a message, destroy message
+ */
+static bool generate_payload(simaka_message_t *message, chunk_t data,
+							 eap_payload_t **out)
+{
+	chunk_t chunk;
+	bool ok;
+
+	ok = message->generate(message, data, &chunk);
+	if (ok)
+	{
+		*out = eap_payload_create_data_own(chunk);
+	}
+	message->destroy(message);
+	return ok;
+}
+
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_sim_server_t *this, eap_payload_t **out)
 {
@@ -133,9 +151,10 @@ METHOD(eap_method_t, initiate, status_t,
 	{
 		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	this->pending = SIM_START;
 	return NEED_MORE;
 }
@@ -155,15 +174,21 @@ static status_t reauthenticate(private_eap_sim_server_t *this,
 	DBG1(DBG_IKE, "initiating EAP-SIM reauthentication");
 
 	rng = this->crypto->get_rng(this->crypto);
-	rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+	if (!rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
+	{
+		return FAILED;
+	}
 
 	mkc = chunk_create(mk, HASH_SIZE_SHA1);
 	counter = htons(counter);
 	this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
 
-	this->crypto->derive_keys_reauth(this->crypto, mkc);
-	this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
-								this->reauth, this->counter, this->nonce, mkc);
+	if (!this->crypto->derive_keys_reauth(this->crypto, mkc) ||
+		!this->crypto->derive_keys_reauth_msk(this->crypto,
+					this->reauth, this->counter, this->nonce, mkc, &this->msk))
+	{
+		return FAILED;
+	}
 
 	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
 									SIM_REAUTHENTICATION, this->crypto);
@@ -176,9 +201,10 @@ static status_t reauthenticate(private_eap_sim_server_t *this,
 							   next->get_encoding(next));
 		next->destroy(next);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
-	message->destroy(message);
-
+	if (!generate_payload(message, chunk_empty, out))
+	{
+		return FAILED;
+	}
 	this->pending = SIM_REAUTHENTICATION;
 	return NEED_MORE;
 }
@@ -386,13 +412,17 @@ static status_t process_start(private_eap_sim_server_t *this,
 	{
 		id = this->pseudonym;
 	}
-	this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
+	if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk))
+	{
+		return FAILED;
+	}
 
 	/* build response with AT_MAC, built over "EAP packet | NONCE_MT" */
 	message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
 									SIM_CHALLENGE, this->crypto);
 	message->add_attribute(message, AT_RAND, rands);
 	id = this->mgr->provider_gen_reauth(this->mgr, this->permanent, mk.ptr);
+	free(mk.ptr);
 	if (id)
 	{
 		message->add_attribute(message, AT_NEXT_REAUTH_ID,
@@ -406,10 +436,10 @@ static status_t process_start(private_eap_sim_server_t *this,
 							   id->get_encoding(id));
 		id->destroy(id);
 	}
-	*out = eap_payload_create_data_own(message->generate(message, nonce));
-	message->destroy(message);
-
-	free(mk.ptr);
+	if (!generate_payload(message, nonce, out))
+	{
+		return FAILED;
+	}
 	this->pending = SIM_CHALLENGE;
 	return NEED_MORE;
 }
@@ -604,7 +634,8 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server,
 	this->permanent = peer->clone(peer);
 	this->use_reauth = this->use_pseudonym = this->use_permanent =
 		lib->settings->get_bool(lib->settings,
-								"charon.plugins.eap-sim.request_identity", TRUE);
+								"%s.plugins.eap-sim.request_identity", TRUE,
+								charon->name);
 
 	/* generate a non-zero identifier */
 	do {
diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.h b/src/libcharon/plugins/eap_sim/eap_sim_server.h
index c0ed64ff2..84408c43c 100644
--- a/src/libcharon/plugins/eap_sim/eap_sim_server.h
+++ b/src/libcharon/plugins/eap_sim/eap_sim_server.h
@@ -21,7 +21,7 @@
 #ifndef EAP_SIM_SERVER_H_
 #define EAP_SIM_SERVER_H_
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 typedef struct eap_sim_server_t eap_sim_server_t;
 
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.am b/src/libcharon/plugins/eap_sim_file/Makefile.am
index d76cdc5ca..0d4da07d5 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index bebf62e5b..c98a44d50 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_file_la_DEPENDENCIES =  \
@@ -81,49 +105,77 @@ am_libstrongswan_eap_sim_file_la_OBJECTS = eap_sim_file_plugin.lo \
 	eap_sim_file_triplets.lo
 libstrongswan_eap_sim_file_la_OBJECTS =  \
 	$(am_libstrongswan_eap_sim_file_la_OBJECTS)
-libstrongswan_eap_sim_file_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_sim_file_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_sim_file_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_sim_file_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_sim_file_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_file_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,10 +347,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-sim-file.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-sim-file.la
 @MONOLITHIC_FALSE@libstrongswan_eap_sim_file_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -345,7 +412,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -353,6 +419,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -374,8 +442,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_file_la_LINK) $(am_libstrongswan_eap_sim_file_la_rpath) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
+libstrongswan-eap-sim-file.la: $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_file_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_sim_file_la_LINK) $(am_libstrongswan_eap_sim_file_la_rpath) $(libstrongswan_eap_sim_file_la_OBJECTS) $(libstrongswan_eap_sim_file_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -389,25 +457,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file_triplets.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -514,10 +582,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
index de3b69382..ec1686910 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -19,7 +19,7 @@
 #include <errno.h>
 
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 #include <simaka_manager.h>
 
diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
index c8e9e0359..3fa0ea381 100644
--- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -21,7 +21,7 @@
 #ifndef EAP_SIM_FILE_TRIPLETS_H_
 #define EAP_SIM_FILE_TRIPLETS_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
 
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
index fae6fccfc..e5e9d01ca 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic ${pcsclite_CFLAGS}
+AM_CFLAGS = \
+	${pcsclite_CFLAGS} \
+	-rdynamic
 
 libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_sim_pcsc_la_LIBADD  = ${pcsclite_LIBS}
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 5c05b2bf1..9f5d709bc 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -73,6 +91,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -82,49 +106,77 @@ am_libstrongswan_eap_sim_pcsc_la_OBJECTS = eap_sim_pcsc_plugin.lo \
 	eap_sim_pcsc_card.lo
 libstrongswan_eap_sim_pcsc_la_OBJECTS =  \
 	$(am_libstrongswan_eap_sim_pcsc_la_OBJECTS)
-libstrongswan_eap_sim_pcsc_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_sim_pcsc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_sim_pcsc_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_sim_pcsc_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_sim_pcsc_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_sim_pcsc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -133,13 +185,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -152,6 +207,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,11 +235,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -191,6 +249,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -199,8 +258,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -209,14 +266,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -230,17 +292,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -250,16 +312,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -287,10 +348,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	${pcsclite_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic ${pcsclite_CFLAGS}
 libstrongswan_eap_sim_pcsc_la_LDFLAGS = -module -avoid-version
 libstrongswan_eap_sim_pcsc_la_LIBADD = ${pcsclite_LIBS} \
 	$(am__append_1)
@@ -345,7 +412,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -353,6 +419,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -374,8 +442,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) 
-	$(libstrongswan_eap_sim_pcsc_la_LINK) $(am_libstrongswan_eap_sim_pcsc_la_rpath) $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_LIBADD) $(LIBS)
+libstrongswan-eap-sim-pcsc.la: $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_sim_pcsc_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_sim_pcsc_la_LINK) $(am_libstrongswan_eap_sim_pcsc_la_rpath) $(libstrongswan_eap_sim_pcsc_la_OBJECTS) $(libstrongswan_eap_sim_pcsc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -387,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_pcsc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -512,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
index c3f0f24b3..dbf660889 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
+++ b/src/libcharon/plugins/eap_sim_pcsc/eap_sim_pcsc_card.c
@@ -133,7 +133,7 @@ METHOD(simaka_card_t, get_triplet, bool,
 		 cur_reader += strlen(cur_reader) + 1)
 	{
 		DWORD dwActiveProtocol = -1;
-		SCARD_IO_REQUEST *pioSendPci;
+		const SCARD_IO_REQUEST *pioSendPci;
 		SCARD_IO_REQUEST pioRecvPci;
 		BYTE pbRecvBuffer[64];
 		DWORD dwRecvLength;
@@ -394,4 +394,3 @@ eap_sim_pcsc_card_t *eap_sim_pcsc_card_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
index a8e03f650..0f21c6849 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 0d7c32c14..835b865e0 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES =  \
@@ -81,50 +105,78 @@ am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
 	eap_simaka_pseudonym_provider.lo
 libstrongswan_eap_simaka_pseudonym_la_OBJECTS =  \
 	$(am_libstrongswan_eap_simaka_pseudonym_la_OBJECTS)
-libstrongswan_eap_simaka_pseudonym_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_simaka_pseudonym_la_LINK = $(LIBTOOL) $(AM_V_lt) \
+	--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \
+	$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_simaka_pseudonym_la_LDFLAGS) $(LDFLAGS) -o \
 	$@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_pseudonym_la_rpath =  \
 @MONOLITHIC_FALSE@	-rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_pseudonym_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_pseudonym_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -133,13 +185,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -152,6 +207,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,11 +235,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -191,6 +249,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -199,8 +258,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -209,14 +266,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -230,17 +292,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -250,16 +312,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -287,10 +348,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-pseudonym.la
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_pseudonym_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -345,7 +411,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -353,6 +418,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -374,8 +441,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_pseudonym_la_LINK) $(am_libstrongswan_eap_simaka_pseudonym_la_rpath) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
+libstrongswan-eap-simaka-pseudonym.la: $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_pseudonym_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_simaka_pseudonym_la_LINK) $(am_libstrongswan_eap_simaka_pseudonym_la_rpath) $(libstrongswan_eap_simaka_pseudonym_la_OBJECTS) $(libstrongswan_eap_simaka_pseudonym_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -388,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_pseudonym_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -513,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
index 5f78c967a..b5bbdd60f 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_card.c
@@ -16,7 +16,7 @@
 #include "eap_simaka_pseudonym_card.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_pseudonym_card_t private_eap_simaka_pseudonym_card_t;
 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
index 49c3ad328..3c63e82a9 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/eap_simaka_pseudonym_provider.c
@@ -15,7 +15,8 @@
 
 #include "eap_simaka_pseudonym_provider.h"
 
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_pseudonym_provider_t private_eap_simaka_pseudonym_provider_t;
 
@@ -82,7 +83,10 @@ static identification_t *gen_identity(
 {
 	char buf[8], hex[sizeof(buf) * 2 + 1];
 
-	this->rng->get_bytes(this->rng, sizeof(buf), buf);
+	if (!this->rng->get_bytes(this->rng, sizeof(buf), buf))
+	{
+		return NULL;
+	}
 	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
 
 	return identification_create_from_string(hex);
@@ -106,6 +110,11 @@ METHOD(simaka_provider_t, gen_pseudonym, identification_t*,
 	}
 
 	pseudonym = gen_identity(this);
+	if (!pseudonym)
+	{
+		DBG1(DBG_CFG, "failed to generate pseudonym");
+		return NULL;
+	}
 
 	/* create new entries */
 	id = id->clone(id);
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
index 0b35c7521..be000c6d5 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 6177f3b3a..6581531ba 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_reauth_la_DEPENDENCIES =  \
@@ -81,49 +105,77 @@ am_libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
 	eap_simaka_reauth_provider.lo
 libstrongswan_eap_simaka_reauth_la_OBJECTS =  \
 	$(am_libstrongswan_eap_simaka_reauth_la_OBJECTS)
-libstrongswan_eap_simaka_reauth_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_simaka_reauth_la_LINK = $(LIBTOOL) $(AM_V_lt) \
+	--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \
+	$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_simaka_reauth_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_reauth_la_rpath =  \
 @MONOLITHIC_FALSE@	-rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_reauth_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_reauth_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,10 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-reauth.la
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_reauth_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -344,7 +410,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -352,6 +417,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -373,8 +440,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_reauth_la_LINK) $(am_libstrongswan_eap_simaka_reauth_la_rpath) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
+libstrongswan-eap-simaka-reauth.la: $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_reauth_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_simaka_reauth_la_LINK) $(am_libstrongswan_eap_simaka_reauth_la_rpath) $(libstrongswan_eap_simaka_reauth_la_OBJECTS) $(libstrongswan_eap_simaka_reauth_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -387,25 +454,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_reauth_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -512,10 +579,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
index 870d72781..5bc5fd382 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_card.c
@@ -16,7 +16,7 @@
 #include "eap_simaka_reauth_card.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_reauth_card_t private_eap_simaka_reauth_card_t;
 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
index ba1a32778..937095ec1 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
+++ b/src/libcharon/plugins/eap_simaka_reauth/eap_simaka_reauth_provider.c
@@ -16,7 +16,7 @@
 #include "eap_simaka_reauth_provider.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 typedef struct private_eap_simaka_reauth_provider_t private_eap_simaka_reauth_provider_t;
 
@@ -81,7 +81,10 @@ static identification_t *gen_identity(private_eap_simaka_reauth_provider_t *this
 {
 	char buf[8], hex[sizeof(buf) * 2 + 1];
 
-	this->rng->get_bytes(this->rng, sizeof(buf), buf);
+	if (!this->rng->get_bytes(this->rng, sizeof(buf), buf))
+	{
+		return NULL;
+	}
 	chunk_to_hex(chunk_create(buf, sizeof(buf)), hex, FALSE);
 
 	return identification_create_from_string(hex);
@@ -116,7 +119,14 @@ METHOD(simaka_provider_t, gen_reauth, identification_t*,
 	char mk[HASH_SIZE_SHA1])
 {
 	reauth_data_t *data;
-	identification_t *permanent;
+	identification_t *permanent, *new_id;
+
+	new_id = gen_identity(this);
+	if (!new_id)
+	{
+		DBG1(DBG_CFG, "failed to generate identity");
+		return NULL;
+	}
 
 	data = this->reauth->get(this->reauth, id);
 	if (data)
@@ -125,14 +135,18 @@ METHOD(simaka_provider_t, gen_reauth, identification_t*,
 		if (permanent)
 		{
 			data->id->destroy(data->id);
-			data->id = gen_identity(this);
+			data->id = new_id;
 			this->permanent->put(this->permanent, data->id, permanent);
 		}
+		else
+		{
+			new_id->destroy(new_id);
+		}
 	}
 	else
 	{	/* generate new entry */
 		INIT(data,
-			.id = gen_identity(this),
+			.id = new_id,
 		);
 		id = id->clone(id);
 		this->reauth->put(this->reauth, id, data);
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
index c83267e67..9a52bd8ab 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
-
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 3639e24e8..33e685f08 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_sql_la_DEPENDENCIES =  \
@@ -80,49 +104,77 @@ am_libstrongswan_eap_simaka_sql_la_OBJECTS = eap_simaka_sql_plugin.lo \
 	eap_simaka_sql_card.lo eap_simaka_sql_provider.lo
 libstrongswan_eap_simaka_sql_la_OBJECTS =  \
 	$(am_libstrongswan_eap_simaka_sql_la_OBJECTS)
-libstrongswan_eap_simaka_sql_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_simaka_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_eap_simaka_sql_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_sql_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_sql_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -131,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -150,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -189,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -197,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -207,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -228,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -248,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -285,10 +346,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libsimaka
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la
 @MONOLITHIC_FALSE@libstrongswan_eap_simaka_sql_la_LIBADD = $(top_builddir)/src/libsimaka/libsimaka.la
@@ -343,7 +410,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -351,6 +417,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -372,8 +440,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) 
-	$(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS)
+libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_simaka_sql_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -386,25 +454,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -511,10 +579,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
index 6e590fae7..6bcc58e66 100644
--- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
@@ -65,7 +65,8 @@ static bool load_db(private_eap_simaka_sql_t *this,
 		char *uri;
 
 		uri = lib->settings->get_str(lib->settings,
-							"charon.plugins.eap-simaka-sql.database", NULL);
+									 "%s.plugins.eap-simaka-sql.database", NULL,
+									 charon->name);
 		if (!uri)
 		{
 			DBG1(DBG_CFG, "eap-simaka-sql database URI missing");
@@ -78,7 +79,8 @@ static bool load_db(private_eap_simaka_sql_t *this,
 			return FALSE;
 		}
 		remove_used = lib->settings->get_bool(lib->settings,
-							"charon.plugins.eap-simaka-sql.remove_used", FALSE);
+								"%s.plugins.eap-simaka-sql.remove_used", FALSE,
+								charon->name);
 
 		this->provider = eap_simaka_sql_provider_create(this->db, remove_used);
 		this->card = eap_simaka_sql_card_create(this->db, remove_used);
diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am
index 29ddd822b..c4944fca1 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.am
+++ b/src/libcharon/plugins/eap_tls/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tls.la
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 67e2c0cb0..3158e67b6 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_tls_la_DEPENDENCIES =  \
@@ -79,48 +103,77 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am_libstrongswan_eap_tls_la_OBJECTS = eap_tls_plugin.lo eap_tls.lo
 libstrongswan_eap_tls_la_OBJECTS =  \
 	$(am_libstrongswan_eap_tls_la_OBJECTS)
-libstrongswan_eap_tls_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_tls_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_tls_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_tls_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_tls_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_tls_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tls.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tls.la
 @MONOLITHIC_FALSE@libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
@@ -339,7 +406,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +413,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +436,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) 
-	$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
+libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tls_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -381,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -506,10 +574,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index dc0289ba2..48e38755d 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -144,11 +144,13 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 	);
 
 	frag_size = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
+					"%s.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN,
+					charon->name);
 	max_msg_count = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT);
+					"%s.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT,
+					charon->name);
 	include_length = lib->settings->get_bool(lib->settings,
-					"charon.plugins.eap-tls.include_length", TRUE);
+					"%s.plugins.eap-tls.include_length", TRUE, charon->name);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL);
 	this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
 												 include_length);
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.h b/src/libcharon/plugins/eap_tls/eap_tls.h
index 7e080230a..6779c3994 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.h
+++ b/src/libcharon/plugins/eap_tls/eap_tls.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_tls_t eap_tls_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Implementation of eap_method_t using EAP-TLS.
diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.h b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
index 5ea719603..33d0dfbaf 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
+++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
@@ -39,9 +39,4 @@ struct eap_tls_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a eap_tls_plugin instance.
- */
-plugin_t *eap_tls_plugin_create();
-
 #endif /** EAP_TLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
index 0e10f7d9c..9586bef14 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.am
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -1,5 +1,4 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -7,7 +6,8 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 62278f835..89571ad86 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_DEPENDENCIES =  \
@@ -80,48 +104,77 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am_libstrongswan_eap_tnc_la_OBJECTS = eap_tnc_plugin.lo eap_tnc.lo
 libstrongswan_eap_tnc_la_OBJECTS =  \
 	$(am_libstrongswan_eap_tnc_la_OBJECTS)
-libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_eap_tnc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_tnc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_tnc_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_tnc_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,7 +346,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
@@ -292,7 +354,9 @@ INCLUDES = \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
 @MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_LIBADD = \
@@ -348,7 +412,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +419,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -377,8 +442,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) 
-	$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
+libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_tnc_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -390,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -515,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 33a83ba18..839425d59 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,20 @@
 #include <tnc/tnc.h>
 #include <tnc/tnccs/tnccs_manager.h>
 #include <tls_eap.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
+
+#include <tncifimv.h>
+
+/**
+ * Maximum size of an EAP-TNC message
+ */
+#define EAP_TNC_MAX_MESSAGE_LEN 65535
+
+/**
+ * Maximum number of EAP-TNC messages allowed
+ */
+#define EAP_TNC_MAX_MESSAGE_COUNT 10
 
 typedef struct private_eap_tnc_t private_eap_tnc_t;
 
@@ -33,21 +46,50 @@ struct private_eap_tnc_t {
 	eap_tnc_t public;
 
 	/**
+	 * Outer EAP authentication type
+	 */
+	eap_type_t auth_type;
+
+	/**
 	 * TLS stack, wrapped by EAP helper
 	 */
 	tls_eap_t *tls_eap;
-};
 
+	/**
+	 * TNCCS instance running over EAP-TNC
+	 */
+	tnccs_t *tnccs;
 
-/** Maximum number of EAP-TNC messages/fragments allowed */
-#define MAX_MESSAGE_COUNT 10 
-/** Default size of a EAP-TNC fragment */
-#define MAX_FRAGMENT_LEN 50000
+};
 
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_tnc_t *this, eap_payload_t **out)
 {
 	chunk_t data;
+	u_int32_t auth_type;
+
+	/* Determine TNC Client Authentication Type */
+	switch (this->auth_type)
+	{
+		case EAP_TLS:
+		case EAP_TTLS:
+		case EAP_PEAP:
+			auth_type = TNC_AUTH_X509_CERT;
+			break;
+		case EAP_MD5:
+		case EAP_MSCHAPV2:
+		case EAP_GTC:
+		case EAP_OTP:
+			auth_type = TNC_AUTH_PASSWORD;
+			break;
+		case EAP_SIM:
+		case EAP_AKA:
+			auth_type = TNC_AUTH_SIM;
+			break;
+		default:
+			auth_type = TNC_AUTH_UNKNOWN;
+	}
+	this->tnccs->set_auth_type(this->tnccs, auth_type);
 
 	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
 	{
@@ -117,6 +159,18 @@ METHOD(eap_method_t, destroy, void,
 	free(this);
 }
 
+METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
+	private_eap_tnc_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(eap_inner_method_t, set_auth_type, void,
+	private_eap_tnc_t *this, eap_type_t type)
+{
+	this->auth_type = type;
+}
+
 /**
  * Generic private constructor
  */
@@ -124,36 +178,34 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 								 identification_t *peer, bool is_server)
 {
 	private_eap_tnc_t *this;
-	size_t frag_size;
 	int max_msg_count;
-	bool include_length;
 	char* protocol;
 	tnccs_type_t type;
-	tnccs_t *tnccs;
 
 	INIT(this,
 		.public = {
-			.eap_method = {
-				.initiate = _initiate,
-				.process = _process,
-				.get_type = _get_type,
-				.is_mutual = _is_mutual,
-				.get_msk = _get_msk,
-				.get_identifier = _get_identifier,
-				.set_identifier = _set_identifier,
-				.destroy = _destroy,
+			.eap_inner_method = {
+				.eap_method = {
+					.initiate = _initiate,
+					.process = _process,
+					.get_type = _get_type,
+					.is_mutual = _is_mutual,
+					.get_msk = _get_msk,
+					.get_identifier = _get_identifier,
+					.set_identifier = _set_identifier,
+					.destroy = _destroy,
+				},
+				.get_auth_type = _get_auth_type,
+				.set_auth_type = _set_auth_type,
 			},
 		},
 	);
 
-	frag_size = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
 	max_msg_count = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
-	include_length = lib->settings->get_bool(lib->settings,
-					"charon.plugins.eap-tnc.include_length", TRUE);
- 	protocol = lib->settings->get_str(lib->settings,
-					"charon.plugins.eap-tnc.protocol", "tnccs-1.1");
+					"%s.plugins.eap-tnc.max_message_count",
+					EAP_TNC_MAX_MESSAGE_COUNT, charon->name);
+	protocol = lib->settings->get_str(lib->settings,
+					"%s.plugins.eap-tnc.protocol", "tnccs-1.1", charon->name);
 	if (strcaseeq(protocol, "tnccs-2.0"))
 	{
 		type = TNCCS_2_0;
@@ -172,9 +224,11 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		free(this);
 		return NULL;
 	}
-	tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server);
-	this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size,
-											 max_msg_count, include_length);
+	this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
+											  server, peer, TNC_IFT_EAP_1_1);
+	this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
+								   EAP_TNC_MAX_MESSAGE_LEN,
+								   max_msg_count, FALSE);
 	if (!this->tls_eap)
 	{
 		free(this);
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h
index 7e166fb60..8c881f6cf 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.h
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2012 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 typedef struct eap_tnc_t eap_tnc_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-TNC.
@@ -31,9 +31,9 @@ typedef struct eap_tnc_t eap_tnc_t;
 struct eap_tnc_t {
 
 	/**
-	 * Implemented eap_method_t interface.
+	 * Implemented eap_inner_method_t interface.
 	 */
-	eap_method_t eap_method;
+	eap_inner_method_t eap_inner_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am
index 8cc82cc2e..81776d800 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.am
+++ b/src/libcharon/plugins/eap_ttls/Makefile.am
@@ -1,9 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index b41fbd719..c9eb76e10 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_DEPENDENCIES =  \
@@ -81,49 +105,77 @@ am_libstrongswan_eap_ttls_la_OBJECTS = eap_ttls_plugin.lo \
 	eap_ttls_server.lo
 libstrongswan_eap_ttls_la_OBJECTS =  \
 	$(am_libstrongswan_eap_ttls_la_OBJECTS)
-libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_ttls_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_eap_ttls_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_eap_ttls_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,11 +347,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-ttls.la
 @MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
@@ -347,7 +413,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -355,6 +420,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -376,8 +443,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) 
-	$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
+libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_ttls_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -392,25 +459,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_server.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -517,10 +584,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index ace62f6b9..ebd1c5479 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -146,16 +146,19 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 		},
 	);
 	if (is_server && !lib->settings->get_bool(lib->settings,
-							"charon.plugins.eap-ttls.request_peer_auth", FALSE))
+								"%s.plugins.eap-ttls.request_peer_auth", FALSE,
+								charon->name))
 	{
 		peer = NULL;
 	}
 	frag_size = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
+					"%s.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN,
+					charon->name);
 	max_msg_count = lib->settings->get_int(lib->settings,
-					"charon.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT);
+					"%s.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT,
+					charon->name);
 	include_length = lib->settings->get_bool(lib->settings,
-					"charon.plugins.eap-ttls.include_length", TRUE);
+					"%s.plugins.eap-ttls.include_length", TRUE, charon->name);
 	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS,
 					 application, NULL);
 	this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
@@ -170,7 +173,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 }
 
 eap_ttls_t *eap_ttls_create_server(identification_t *server,
-						  		   identification_t *peer)
+								   identification_t *peer)
 {
 	return eap_ttls_create(server, peer, TRUE,
 						   &eap_ttls_server_create(server, peer)->application);
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.h b/src/libcharon/plugins/eap_ttls/eap_ttls.h
index 6e3bf2ceb..84b1a2d19 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.h
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.h
@@ -23,7 +23,7 @@
 
 typedef struct eap_ttls_t eap_ttls_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Implementation of eap_method_t using EAP-TTLS.
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
index 0d531c437..47e0f8afb 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
@@ -15,7 +15,7 @@
 
 #include "eap_ttls_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #define AVP_EAP_MESSAGE		79
 #define AVP_HEADER_LEN		 8
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 4b6897b1d..66c9deed8 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -16,10 +16,10 @@
 #include "eap_ttls_peer.h"
 #include "eap_ttls_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 #include <radius_message.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
 
@@ -138,7 +138,7 @@ METHOD(tls_application_t, process, status_t,
 		chunk_free(&avp_data);
 	}
 	while (eap_pos < eap_data.len);
- 		
+
 	in = eap_payload_create_data(eap_data);
 	chunk_free(&eap_data);
 	payload = (payload_t*)in;
@@ -192,7 +192,8 @@ METHOD(tls_application_t, process, status_t,
 		if (!this->method)
 		{
 			DBG1(DBG_IKE, "EAP method not supported");
-			this->out = eap_payload_create_nak(in->get_identifier(in));
+			this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
+											   in->is_expanded(in));
 			in->destroy(in);
 			return NEED_MORE;
 		}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
index 2abc82931..ca84ad7bb 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
@@ -39,9 +39,4 @@ struct eap_ttls_plugin_t {
 	plugin_t plugin;
 };
 
-/**
- * Create a eap_ttls_plugin instance.
- */
-plugin_t *eap_ttls_plugin_create();
-
 #endif /** EAP_TTLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
index 3c46993b7..eef8d6682 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -16,10 +16,11 @@
 #include "eap_ttls_server.h"
 #include "eap_ttls_avp.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <daemon.h>
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
 
@@ -78,7 +79,8 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 	eap_type_t type;
 
 	eap_type_str = lib->settings->get_str(lib->settings,
-					 	"charon.plugins.eap-ttls.phase2_method", "md5");
+									"%s.plugins.eap-ttls.phase2_method", "md5",
+									charon->name);
 	type = eap_type_from_string(eap_type_str);
 	if (type == 0)
 	{
@@ -107,10 +109,13 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 /**
  * If configured, start EAP-TNC protocol
  */
-static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
+								 eap_type_t auth_type)
 {
+	eap_inner_method_t *inner_method;
+
 	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
-					 	"charon.plugins.eap-ttls.phase2_tnc", FALSE))
+						"%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
 	{
 		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
 		this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
@@ -120,6 +125,9 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
 			DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
 			return FAILED;
 		}
+		inner_method = (eap_inner_method_t *)this->method;
+		inner_method->set_auth_type(inner_method, auth_type);
+
 		this->start_phase2_tnc = FALSE;
 		if (this->method->initiate(this->method, &this->out) == NEED_MORE)
 		{
@@ -168,7 +176,7 @@ METHOD(tls_application_t, process, status_t,
 	code = in->get_code(in);
 	received_type = in->get_type(in, &received_vendor);
 	DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
-					   		eap_code_short_names, code,
+							eap_code_short_names, code,
 							eap_type_short_names, received_type);
 	if (code != EAP_RESPONSE)
 	{
@@ -234,9 +242,9 @@ METHOD(tls_application_t, process, status_t,
 
 		/* Start Phase 2 of EAP-TTLS authentication */
 		if (lib->settings->get_bool(lib->settings,
-					 	"charon.plugins.eap-ttls.request_peer_auth", FALSE))
+				"%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
 		{
-			return start_phase2_tnc(this);
+			return start_phase2_tnc(this, EAP_TLS);
 		}
 		else
 		{
@@ -264,7 +272,7 @@ METHOD(tls_application_t, process, status_t,
 			this->method = NULL;
 
 			/* continue phase2 with EAP-TNC? */
-			return start_phase2_tnc(this);
+			return start_phase2_tnc(this, type);
 		case NEED_MORE:
 			break;
 		case FAILED:
@@ -279,7 +287,7 @@ METHOD(tls_application_t, process, status_t,
 				DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
 			}
 			return FAILED;
- 	}
+	}
 	return status;
 }
 
@@ -293,7 +301,7 @@ METHOD(tls_application_t, build, status_t,
 
 	if (this->method == NULL && this->start_phase2 &&
 		lib->settings->get_bool(lib->settings,
-			 	"charon.plugins.eap-ttls.phase2_piggyback", FALSE))
+				"%s.plugins.eap-ttls.phase2_piggyback", FALSE, charon->name))
 	{
 		/* generate an EAP Identity request which will be piggybacked right
 		 * onto the TLS Finished message thus initiating EAP-TTLS phase2
diff --git a/src/libcharon/plugins/error_notify/Makefile.am b/src/libcharon/plugins/error_notify/Makefile.am
new file mode 100644
index 000000000..980fe1fbd
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/Makefile.am
@@ -0,0 +1,25 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-error-notify.la
+else
+plugin_LTLIBRARIES = libstrongswan-error-notify.la
+endif
+
+libstrongswan_error_notify_la_SOURCES = \
+	error_notify_plugin.h error_notify_plugin.c \
+	error_notify_socket.h error_notify_socket.c \
+	error_notify_listener.h error_notify_listener.c \
+	error_notify_msg.h
+
+libstrongswan_error_notify_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = error-notify
+error_notify_SOURCES = error_notify.c
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
new file mode 100644
index 000000000..db20f0532
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -0,0 +1,751 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = error-notify$(EXEEXT)
+subdir = src/libcharon/plugins/error_notify
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_error_notify_la_LIBADD =
+am_libstrongswan_error_notify_la_OBJECTS = error_notify_plugin.lo \
+	error_notify_socket.lo error_notify_listener.lo
+libstrongswan_error_notify_la_OBJECTS =  \
+	$(am_libstrongswan_error_notify_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_error_notify_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_error_notify_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_error_notify_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_error_notify_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_error_notify_OBJECTS = error_notify.$(OBJEXT)
+error_notify_OBJECTS = $(am_error_notify_OBJECTS)
+error_notify_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
+	$(error_notify_SOURCES)
+DIST_SOURCES = $(libstrongswan_error_notify_la_SOURCES) \
+	$(error_notify_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-error-notify.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-error-notify.la
+libstrongswan_error_notify_la_SOURCES = \
+	error_notify_plugin.h error_notify_plugin.c \
+	error_notify_socket.h error_notify_socket.c \
+	error_notify_listener.h error_notify_listener.c \
+	error_notify_msg.h
+
+libstrongswan_error_notify_la_LDFLAGS = -module -avoid-version
+error_notify_SOURCES = error_notify.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/error_notify/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-error-notify.la: $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_DEPENDENCIES) $(EXTRA_libstrongswan_error_notify_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_error_notify_la_LINK) $(am_libstrongswan_error_notify_la_rpath) $(libstrongswan_error_notify_la_OBJECTS) $(libstrongswan_error_notify_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+error-notify$(EXEEXT): $(error_notify_OBJECTS) $(error_notify_DEPENDENCIES) $(EXTRA_error_notify_DEPENDENCIES) 
+	@rm -f error-notify$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(error_notify_OBJECTS) $(error_notify_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error_notify_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/error_notify/error_notify.c b/src/libcharon/plugins/error_notify/error_notify.c
new file mode 100644
index 000000000..e68f8a4a5
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_msg.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <errno.h>
+#include <arpa/inet.h>
+
+/**
+ * Connect to the daemon, return FD
+ */
+static int make_connection()
+{
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
+
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, ERROR_NOTIFY_SOCKET);
+
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+		return -1;
+	}
+	if (connect(fd, &addr.sa, len) < 0)
+	{
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
+		close(fd);
+		return -1;
+	}
+	return fd;
+}
+
+/**
+ * Example of a simple notification listener
+ */
+int main(int argc, char *argv[])
+{
+	error_notify_msg_t msg;
+	int s, len, total;
+	void *pos;
+
+	s = make_connection();
+	if (s < 0)
+	{
+		return 1;
+	}
+	while (1)
+	{
+		total = 0;
+		pos = &msg;
+
+		while (total < sizeof(msg))
+		{
+			len = read(s, pos, sizeof(msg) - total);
+			if (len < 0)
+			{
+				fprintf(stderr, "read failed: %s\n", strerror(errno));
+				close(s);
+				return 1;
+			}
+			total += len;
+			pos += len;
+		}
+		printf("%d %s %s %s %s\n",
+			   ntohl(msg.type), msg.name, msg.id, msg.ip, msg.str);
+	}
+	close(s);
+	return 0;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c
new file mode 100644
index 000000000..13860fe50
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_error_notify_listener_t private_error_notify_listener_t;
+
+/**
+ * Private data of an error_notify_listener_t object.
+ */
+struct private_error_notify_listener_t {
+
+	/**
+	 * Public error_notify_listener_t interface.
+	 */
+	error_notify_listener_t public;
+
+	/**
+	 * Socket to send notifications over
+	 */
+	error_notify_socket_t *socket;
+};
+
+METHOD(listener_t, alert, bool,
+	private_error_notify_listener_t *this, ike_sa_t *ike_sa,
+	alert_t alert, va_list args)
+{
+	error_notify_msg_t msg;
+	message_t *message;
+	host_t *host;
+	identification_t *id;
+	linked_list_t *list, *list2;
+	peer_cfg_t *peer_cfg;
+	certificate_t *cert;
+	time_t not_before, not_after;
+
+	if (!this->socket->has_listeners(this->socket))
+	{
+		return TRUE;
+	}
+
+	memset(&msg, 0, sizeof(msg));
+
+	switch (alert)
+	{
+		case ALERT_RADIUS_NOT_RESPONDING:
+			msg.type = htonl(ERROR_NOTIFY_RADIUS_NOT_RESPONDING);
+			snprintf(msg.str, sizeof(msg.str),
+					 "a RADIUS request message timed out");
+			break;
+		case ALERT_LOCAL_AUTH_FAILED:
+			msg.type = htonl(ERROR_NOTIFY_LOCAL_AUTH_FAILED);
+			snprintf(msg.str, sizeof(msg.str),
+					 "creating local authentication data failed");
+			break;
+		case ALERT_PEER_AUTH_FAILED:
+			msg.type = htonl(ERROR_NOTIFY_PEER_AUTH_FAILED);
+			snprintf(msg.str, sizeof(msg.str), "peer authentication failed");
+			break;
+		case ALERT_PARSE_ERROR_HEADER:
+			msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_HEADER);
+			message = va_arg(args, message_t*);
+			snprintf(msg.str, sizeof(msg.str), "parsing IKE header from "
+					 "%#H failed", message->get_source(message));
+			break;
+		case ALERT_PARSE_ERROR_BODY:
+			msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_BODY);
+			message = va_arg(args, message_t*);
+			snprintf(msg.str, sizeof(msg.str), "parsing IKE message from "
+					 "%#H failed", message->get_source(message));
+			break;
+		case ALERT_RETRANSMIT_SEND_TIMEOUT:
+			msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT);
+			snprintf(msg.str, sizeof(msg.str),
+					 "IKE message retransmission timed out");
+			break;
+		case ALERT_HALF_OPEN_TIMEOUT:
+			msg.type = htonl(ERROR_NOTIFY_HALF_OPEN_TIMEOUT);
+			snprintf(msg.str, sizeof(msg.str), "IKE_SA timed out before it "
+					 "could be established");
+			break;
+		case ALERT_PROPOSAL_MISMATCH_IKE:
+			msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE);
+			list = va_arg(args, linked_list_t*);
+			snprintf(msg.str, sizeof(msg.str), "the received IKE_SA poposals "
+					 "did not match: %#P", list);
+			break;
+		case ALERT_PROPOSAL_MISMATCH_CHILD:
+			msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD);
+			list = va_arg(args, linked_list_t*);
+			snprintf(msg.str, sizeof(msg.str), "the received CHILD_SA poposals "
+					 "did not match: %#P", list);
+			break;
+		case ALERT_TS_MISMATCH:
+			msg.type = htonl(ERROR_NOTIFY_TS_MISMATCH);
+			list = va_arg(args, linked_list_t*);
+			list2 = va_arg(args, linked_list_t*);
+			snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
+					 "did not match: %#R=== %#R", list, list2);
+			break;
+		case ALERT_INSTALL_CHILD_SA_FAILED:
+			msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED);
+			snprintf(msg.str, sizeof(msg.str), "installing IPsec SA failed");
+			break;
+		case ALERT_INSTALL_CHILD_POLICY_FAILED:
+			msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED);
+			snprintf(msg.str, sizeof(msg.str), "installing IPsec policy failed");
+			break;
+		case ALERT_UNIQUE_REPLACE:
+			msg.type = htonl(ERROR_NOTIFY_UNIQUE_REPLACE);
+			snprintf(msg.str, sizeof(msg.str),
+					 "replaced old IKE_SA due to uniqueness policy");
+			break;
+		case ALERT_UNIQUE_KEEP:
+			msg.type = htonl(ERROR_NOTIFY_UNIQUE_KEEP);
+			snprintf(msg.str, sizeof(msg.str), "keep existing in favor of "
+					 "rejected new IKE_SA due to uniqueness policy");
+			break;
+		case ALERT_VIP_FAILURE:
+			msg.type = htonl(ERROR_NOTIFY_VIP_FAILURE);
+			list = va_arg(args, linked_list_t*);
+			if (list->get_first(list, (void**)&host) == SUCCESS)
+			{
+				snprintf(msg.str, sizeof(msg.str),
+					"allocating a virtual IP failed, requested was %H", host);
+			}
+			else
+			{
+				snprintf(msg.str, sizeof(msg.str),
+					"expected a virtual IP request, but none found");
+			}
+			break;
+		case ALERT_AUTHORIZATION_FAILED:
+			msg.type = htonl(ERROR_NOTIFY_AUTHORIZATION_FAILED);
+			snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
+					 "prevented establishment of an IKE_SA");
+			break;
+		case ALERT_CERT_EXPIRED:
+			msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED);
+			cert = va_arg(args, certificate_t*);
+			cert->get_validity(cert, NULL, &not_before, &not_after);
+			snprintf(msg.str, sizeof(msg.str), "certificiate expired: '%Y' "
+					 "(valid from %T to %T)", cert->get_subject(cert),
+					 &not_before, TRUE, &not_after, TRUE);
+			break;
+		case ALERT_CERT_REVOKED:
+			msg.type = htonl(ERROR_NOTIFY_CERT_REVOKED);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "certificiate revoked: '%Y'",
+					 cert->get_subject(cert));
+			break;
+		case ALERT_CERT_NO_ISSUER:
+			msg.type = htonl(ERROR_NOTIFY_NO_ISSUER_CERT);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "no trusted issuer certificate "
+					 "found: '%Y'", cert->get_issuer(cert));
+			break;
+		default:
+			return TRUE;
+	}
+
+	if (ike_sa)
+	{
+		id = ike_sa->get_other_eap_id(ike_sa);
+		if (id->get_type(id) != ID_ANY)
+		{
+			snprintf(msg.id, sizeof(msg.id), "%Y", id);
+		}
+		host = ike_sa->get_other_host(ike_sa);
+		if (!host->is_anyaddr(host))
+		{
+			snprintf(msg.ip, sizeof(msg.ip), "%#H", host);
+		}
+		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+		if (peer_cfg)
+		{
+			snprintf(msg.name, sizeof(msg.name), "%s",
+					 peer_cfg->get_name(peer_cfg));
+		}
+	}
+
+	this->socket->notify(this->socket, &msg);
+
+	return TRUE;
+}
+
+METHOD(error_notify_listener_t, destroy, void,
+	private_error_notify_listener_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+error_notify_listener_t *error_notify_listener_create(error_notify_socket_t *s)
+{
+	private_error_notify_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.alert = _alert,
+			},
+			.destroy = _destroy,
+		},
+		.socket = s,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.h b/src/libcharon/plugins/error_notify/error_notify_listener.h
new file mode 100644
index 000000000..70be9d1ad
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_listener error_notify_listener
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_LISTENER_H_
+#define ERROR_NOTIFY_LISTENER_H_
+
+typedef struct error_notify_listener_t error_notify_listener_t;
+
+#include <bus/listeners/listener.h>
+
+#include "error_notify_socket.h"
+
+/**
+ * Listener catching bus alerts.
+ */
+struct error_notify_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a error_notify_listener_t.
+	 */
+	void (*destroy)(error_notify_listener_t *this);
+};
+
+/**
+ * Create a error_notify_listener instance.
+ */
+error_notify_listener_t *error_notify_listener_create(error_notify_socket_t *s);
+
+#endif /** ERROR_NOTIFY_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_msg.h b/src/libcharon/plugins/error_notify/error_notify_msg.h
new file mode 100644
index 000000000..c66080276
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_msg.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_msg error_notify_msg
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_MSG_H_
+#define ERROR_NOTIFY_MSG_H_
+
+#define ERROR_NOTIFY_SOCKET IPSEC_PIDDIR "/charon.enfy"
+
+typedef struct error_notify_msg_t error_notify_msg_t;
+
+/**
+ * Message type, these are mapped to ALERT_* types.
+ */
+enum {
+	ERROR_NOTIFY_RADIUS_NOT_RESPONDING = 1,
+	ERROR_NOTIFY_LOCAL_AUTH_FAILED = 2,
+	ERROR_NOTIFY_PEER_AUTH_FAILED = 3,
+	ERROR_NOTIFY_PARSE_ERROR_HEADER = 4,
+	ERROR_NOTIFY_PARSE_ERROR_BODY = 5,
+	ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT = 6,
+	ERROR_NOTIFY_HALF_OPEN_TIMEOUT = 7,
+	ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE = 8,
+	ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD = 9,
+	ERROR_NOTIFY_TS_MISMATCH = 10,
+	ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED = 11,
+	ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED = 12,
+	ERROR_NOTIFY_UNIQUE_REPLACE = 13,
+	ERROR_NOTIFY_UNIQUE_KEEP = 14,
+	ERROR_NOTIFY_VIP_FAILURE = 15,
+	ERROR_NOTIFY_AUTHORIZATION_FAILED = 16,
+	ERROR_NOTIFY_CERT_EXPIRED = 17,
+	ERROR_NOTIFY_CERT_REVOKED = 18,
+	ERROR_NOTIFY_NO_ISSUER_CERT = 19,
+};
+
+/**
+ * Message to exchange over notify socket, strings are null-terminated.
+ */
+struct error_notify_msg_t {
+	/** message type */
+	int type;
+	/** string with an error description */
+	char str[384];
+	/** connection name, if known */
+	char name[64];
+	/** peer identity, if known */
+	char id[256];
+	/** peer address and port, if known */
+	char ip[60];
+} __attribute__((packed));
+
+#endif /** ERROR_NOTIFY_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
new file mode 100644
index 000000000..40ace6014
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_plugin.h"
+
+#include "error_notify_listener.h"
+#include "error_notify_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_error_notify_plugin_t private_error_notify_plugin_t;
+
+/**
+ * private data of error_notify plugin
+ */
+struct private_error_notify_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	error_notify_plugin_t public;
+
+	/**
+	 * Listener catching error alerts
+	 */
+	error_notify_listener_t *listener;
+
+	/**
+	 * Socket sending notifications
+	 */
+	error_notify_socket_t *socket;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_error_notify_plugin_t *this)
+{
+	return "error-notify";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_error_notify_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_error_notify_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "error-notify"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_error_notify_plugin_t *this)
+{
+	this->listener->destroy(this->listener);
+	this->socket->destroy(this->socket);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *error_notify_plugin_create()
+{
+	private_error_notify_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.socket = error_notify_socket_create(),
+	);
+
+	if (!this->socket)
+	{
+		free(this);
+		return NULL;
+	}
+
+	this->listener = error_notify_listener_create(this->socket);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.h b/src/libcharon/plugins/error_notify/error_notify_plugin.h
new file mode 100644
index 000000000..ed5303a91
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify error_notify
+ * @ingroup cplugins
+ *
+ * @defgroup error_notify_plugin error_notify_plugin
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_PLUGIN_H_
+#define ERROR_NOTIFY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct error_notify_plugin_t error_notify_plugin_t;
+
+/**
+ * Plugin sending error notifications over a UNIX socket.
+ */
+struct error_notify_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** ERROR_NOTIFY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
new file mode 100644
index 000000000..aafd0a4cd
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "error_notify_socket.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include "error_notify_msg.h"
+
+typedef struct private_error_notify_socket_t private_error_notify_socket_t;
+
+/**
+ * Private data of an error_notify_socket_t object.
+ */
+struct private_error_notify_socket_t {
+
+	/**
+	 * Public error_notify_socket_t interface.
+	 */
+	error_notify_socket_t public;
+
+	/**
+	 * Service accepting connections
+	 */
+	stream_service_t *service;
+
+	/**
+	 * List of connected clients, as stream_t
+	 */
+	linked_list_t *connected;
+
+	/**
+	 * Mutex to lock clients list
+	 */
+	mutex_t *mutex;
+};
+
+METHOD(error_notify_socket_t, has_listeners, bool,
+	private_error_notify_socket_t *this)
+{
+	int count;
+
+	this->mutex->lock(this->mutex);
+	count = this->connected->get_count(this->connected);
+	this->mutex->unlock(this->mutex);
+
+	return count != 0;
+}
+
+METHOD(error_notify_socket_t, notify, void,
+	private_error_notify_socket_t *this, error_notify_msg_t *msg)
+{
+	enumerator_t *enumerator;
+	stream_t *stream;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, &stream))
+	{
+		if (!stream->write_all(stream, msg, sizeof(*msg)))
+		{
+			switch (errno)
+			{
+				case ECONNRESET:
+				case EPIPE:
+					/* disconnect, remove this listener */
+					this->connected->remove_at(this->connected, enumerator);
+					stream->destroy(stream);
+					break;
+				default:
+					DBG1(DBG_CFG, "sending notify failed: %s", strerror(errno));
+					break;
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Accept client connections
+ */
+static bool on_accept(private_error_notify_socket_t *this, stream_t *stream)
+{
+	this->mutex->lock(this->mutex);
+	this->connected->insert_last(this->connected, stream);
+	this->mutex->unlock(this->mutex);
+
+	return TRUE;
+}
+
+METHOD(error_notify_socket_t, destroy, void,
+	private_error_notify_socket_t *this)
+{
+	DESTROY_IF(this->service);
+	this->connected->destroy_offset(this->connected, offsetof(stream_t, destroy));
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+error_notify_socket_t *error_notify_socket_create()
+{
+	private_error_notify_socket_t *this;
+	char *uri;
+
+	INIT(this,
+		.public = {
+			.notify = _notify,
+			.has_listeners = _has_listeners,
+			.destroy = _destroy,
+		},
+		.connected = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.error-notify.socket", "unix://" ERROR_NOTIFY_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
+	{
+		DBG1(DBG_CFG, "creating duplicheck socket failed");
+		destroy(this);
+		return NULL;
+	}
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 1);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.h b/src/libcharon/plugins/error_notify/error_notify_socket.h
new file mode 100644
index 000000000..cb35b5584
--- /dev/null
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup error_notify_socket error_notify_socket
+ * @{ @ingroup error_notify
+ */
+
+#ifndef ERROR_NOTIFY_SOCKET_H_
+#define ERROR_NOTIFY_SOCKET_H_
+
+typedef struct error_notify_socket_t error_notify_socket_t;
+
+#include "error_notify_listener.h"
+#include "error_notify_msg.h"
+
+/**
+ * Error notification socket.
+ */
+struct error_notify_socket_t {
+
+	/**
+	 * Send an error notification message to all registered listeners.
+	 *
+	 * @param msg		msg to send
+	 */
+	void (*notify)(error_notify_socket_t *this, error_notify_msg_t *msg);
+
+	/**
+	 * Check if we have active listeners on the socket.
+	 *
+	 * @return			TRUE if listeners active
+	 */
+	bool (*has_listeners)(error_notify_socket_t *this);
+
+	/**
+	 * Destroy a error_notify_socket_t.
+	 */
+	void (*destroy)(error_notify_socket_t *this);
+};
+
+/**
+ * Create a error_notify_socket instance.
+ */
+error_notify_socket_t *error_notify_socket_create();
+
+#endif /** ERROR_NOTIFY_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/farp/Makefile.am b/src/libcharon/plugins/farp/Makefile.am
index 42cd31879..95e57d8e6 100644
--- a/src/libcharon/plugins/farp/Makefile.am
+++ b/src/libcharon/plugins/farp/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-farp.la
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index cfb51933c..47d82502a 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_farp_la_LIBADD =
 am_libstrongswan_farp_la_OBJECTS = farp_plugin.lo farp_listener.lo \
 	farp_spoofer.lo
 libstrongswan_farp_la_OBJECTS = $(am_libstrongswan_farp_la_OBJECTS)
-libstrongswan_farp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_farp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_farp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_farp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_farp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_farp_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_farp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_farp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,10 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-farp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-farp.la
 libstrongswan_farp_la_SOURCES = farp_plugin.h farp_plugin.c \
@@ -336,7 +402,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -344,6 +409,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -365,8 +432,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES) 
-	$(libstrongswan_farp_la_LINK) $(am_libstrongswan_farp_la_rpath) $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_LIBADD) $(LIBS)
+libstrongswan-farp.la: $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_DEPENDENCIES) $(EXTRA_libstrongswan_farp_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_farp_la_LINK) $(am_libstrongswan_farp_la_rpath) $(libstrongswan_farp_la_OBJECTS) $(libstrongswan_farp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -379,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/farp_spoofer.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +571,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c
index d1df4cc27..87c84359c 100644
--- a/src/libcharon/plugins/farp/farp_listener.c
+++ b/src/libcharon/plugins/farp/farp_listener.c
@@ -15,7 +15,7 @@
 
 #include "farp_listener.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_farp_listener_t private_farp_listener_t;
@@ -58,19 +58,30 @@ METHOD(listener_t, child_updown, bool,
 	bool up)
 {
 	enumerator_t *enumerator;
+	traffic_selector_t *ts;
 	entry_t *entry;
 
 	if (up)
 	{
 		INIT(entry,
-			.local = child_sa->get_traffic_selectors(child_sa, TRUE),
-			.remote = child_sa->get_traffic_selectors(child_sa, FALSE),
+			.local = linked_list_create(),
+			.remote = linked_list_create(),
 			.reqid = child_sa->get_reqid(child_sa),
 		);
-		entry->local = entry->local->clone_offset(entry->local,
-										offsetof(traffic_selector_t, clone));
-		entry->remote = entry->remote->clone_offset(entry->remote,
-										offsetof(traffic_selector_t, clone));
+
+		enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
+		while (enumerator->enumerate(enumerator, &ts))
+		{
+			entry->local->insert_last(entry->local, ts->clone(ts));
+		}
+		enumerator->destroy(enumerator);
+
+		enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
+		while (enumerator->enumerate(enumerator, &ts))
+		{
+			entry->remote->insert_last(entry->remote, ts->clone(ts));
+		}
+		enumerator->destroy(enumerator);
 
 		this->lock->write_lock(this->lock);
 		this->entries->insert_last(this->entries, entry);
@@ -160,4 +171,3 @@ farp_listener_t *farp_listener_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/farp/farp_listener.h b/src/libcharon/plugins/farp/farp_listener.h
index 3155f60e2..c7dc56a10 100644
--- a/src/libcharon/plugins/farp/farp_listener.h
+++ b/src/libcharon/plugins/farp/farp_listener.h
@@ -21,7 +21,7 @@
 #ifndef FARP_LISTENER_H_
 #define FARP_LISTENER_H_
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <bus/listeners/listener.h>
 
 typedef struct farp_listener_t farp_listener_t;
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index a30c11962..4b74da3b9 100644
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -49,11 +49,38 @@ METHOD(plugin_t, get_name, char*,
 	return "farp";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_farp_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_farp_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "farp"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_farp_plugin_t *this)
 {
 	DESTROY_IF(this->spoofer);
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	free(this);
 }
@@ -65,19 +92,24 @@ plugin_t *farp_plugin_create()
 {
 	private_farp_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{	/* required to open ARP socket (AF_PACKET). according to capabilities(7)
+		 * it is also require to use the socket */
+		DBG1(DBG_NET, "farp plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = farp_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	this->spoofer = farp_spoofer_create(this->listener);
 	if (!this->spoofer)
 	{
@@ -86,4 +118,3 @@ plugin_t *farp_plugin_create()
 	}
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
index 587a3a74e..9f66d7407 100644
--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -45,11 +45,6 @@ struct private_farp_spoofer_t {
 	farp_listener_t *listener;
 
 	/**
-	 * Callback job to read ARP requests
-	 */
-	callback_job_t *job;
-
-	/**
 	 * RAW socket for ARP requests
 	 */
 	int skt;
@@ -101,20 +96,16 @@ static void send_arp(private_farp_spoofer_t *this,
 /**
  * ARP request receiving
  */
-static job_requeue_t receive_arp(private_farp_spoofer_t *this)
+static bool receive_arp(private_farp_spoofer_t *this)
 {
 	struct sockaddr_ll addr;
 	socklen_t addr_len = sizeof(addr);
 	arp_t arp;
-	int oldstate;
 	ssize_t len;
 	host_t *local, *remote;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->skt, &arp, sizeof(arp), 0,
+	len = recvfrom(this->skt, &arp, sizeof(arp), MSG_DONTWAIT,
 				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
-
 	if (len == sizeof(arp))
 	{
 		local = host_create_from_chunk(AF_INET,
@@ -129,13 +120,13 @@ static job_requeue_t receive_arp(private_farp_spoofer_t *this)
 		remote->destroy(remote);
 	}
 
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(farp_spoofer_t, destroy, void,
 	private_farp_spoofer_t *this)
 {
-	this->job->cancel(this->job);
+	lib->watcher->remove(lib->watcher, this->skt);
 	close(this->skt);
 	free(this);
 }
@@ -189,10 +180,8 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
 		return NULL;
 	}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_arp,
-									this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->watcher->add(lib->watcher, this->skt, WATCHER_READ,
+					  (watcher_cb_t)receive_arp, this);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am
index bc1b49d48..c10f7f903 100644
--- a/src/libcharon/plugins/ha/Makefile.am
+++ b/src/libcharon/plugins/ha/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ha.la
@@ -24,4 +27,3 @@ libstrongswan_ha_la_SOURCES = \
   ha_child.h ha_child.c \
   ha_attribute.h ha_attribute.c
 libstrongswan_ha_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index c66a550cd..302ad0fab 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ha_la_LIBADD =
@@ -80,47 +104,76 @@ am_libstrongswan_ha_la_OBJECTS = ha_plugin.lo ha_message.lo \
 	ha_cache.lo ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo \
 	ha_attribute.lo
 libstrongswan_ha_la_OBJECTS = $(am_libstrongswan_ha_la_OBJECTS)
-libstrongswan_ha_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ha_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ha_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ha_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ha_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ha_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ha_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ha_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ha.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ha.la
 libstrongswan_ha_la_SOURCES = \
@@ -349,7 +416,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -357,6 +423,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -378,8 +446,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES) 
-	$(libstrongswan_ha_la_LINK) $(am_libstrongswan_ha_la_rpath) $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_LIBADD) $(LIBS)
+libstrongswan-ha.la: $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_DEPENDENCIES) $(EXTRA_libstrongswan_ha_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_ha_la_LINK) $(am_libstrongswan_ha_la_rpath) $(libstrongswan_ha_la_OBJECTS) $(libstrongswan_ha_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -401,25 +469,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_tunnel.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -526,10 +594,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index b08abe1a9..d26c38325 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -15,7 +15,7 @@
 
 #include "ha_attribute.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_ha_attribute_t private_ha_attribute_t;
@@ -170,17 +170,29 @@ static bool responsible_for(private_ha_attribute_t *this, int bit)
 }
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
-	private_ha_attribute_t *this, char *name, identification_t *id,
+	private_ha_attribute_t *this, linked_list_t *pools, identification_t *id,
 	host_t *requested)
 {
-	pool_t *pool;
+	enumerator_t *enumerator;
+	pool_t *pool = NULL;
 	int offset = -1, byte, bit;
 	host_t *address;
+	char *name;
 
+	enumerator = pools->create_enumerator(pools);
 	this->mutex->lock(this->mutex);
-	pool = get_pool(this, name);
-	if (pool)
+	while (enumerator->enumerate(enumerator, &name))
 	{
+		pool = get_pool(this, name);
+		if (!pool)
+		{
+			continue;
+		}
+		if (pool->base->get_family(pool->base) !=
+			requested->get_family(requested))
+		{
+			continue;
+		}
 		for (byte = 0; byte < pool->size / 8; byte++)
 		{
 			if (pool->mask[byte] != 0xFF)
@@ -208,6 +220,8 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 		}
 	}
 	this->mutex->unlock(this->mutex);
+	enumerator->destroy(enumerator);
+
 	if (offset != -1)
 	{
 		address = offset2host(pool, offset);
@@ -218,26 +232,40 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 }
 
 METHOD(attribute_provider_t, release_address, bool,
-	private_ha_attribute_t *this, char *name, host_t *address,
+	private_ha_attribute_t *this, linked_list_t *pools, host_t *address,
 	identification_t *id)
 {
+	enumerator_t *enumerator;
 	pool_t *pool;
 	int offset;
+	char *name;
 	bool found = FALSE;
 
+	enumerator = pools->create_enumerator(pools);
 	this->mutex->lock(this->mutex);
-	pool = get_pool(this, name);
-	if (pool)
+	while (enumerator->enumerate(enumerator, &name))
 	{
+		pool = get_pool(this, name);
+		if (!pool)
+		{
+			continue;
+		}
+		if (pool->base->get_family(pool->base) != address->get_family(address))
+		{
+			continue;
+		}
 		offset = host2offset(pool, address);
 		if (offset > 0 && offset < pool->size)
 		{
 			pool->mask[offset / 8] &= ~(1 << (offset % 8));
 			DBG1(DBG_CFG, "released address %H to HA pool '%s'", address, name);
 			found = TRUE;
+			break;
 		}
 	}
 	this->mutex->unlock(this->mutex);
+	enumerator->destroy(enumerator);
+
 	return found;
 }
 
@@ -281,7 +309,7 @@ static void load_pools(private_ha_attribute_t *this)
 	pool_t *pool;
 
 	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
-													"charon.plugins.ha.pools");
+										"%s.plugins.ha.pools", charon->name);
 	while (enumerator->enumerate(enumerator, &name, &net))
 	{
 		net = strdup(net);
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index 970a8a2b9..ce1afe6f9 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -15,8 +15,8 @@
 
 #include "ha_cache.h"
 
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
 
@@ -88,6 +88,8 @@ typedef struct {
 	ha_message_t *midi;
 	/* last responder mid */
 	ha_message_t *midr;
+	/* last IV update */
+	ha_message_t *iv;
 } entry_t;
 
 /**
@@ -114,6 +116,7 @@ static void entry_destroy(entry_t *entry)
 	entry->add->destroy(entry->add);
 	DESTROY_IF(entry->midi);
 	DESTROY_IF(entry->midr);
+	DESTROY_IF(entry->iv);
 	free(entry);
 }
 
@@ -164,6 +167,16 @@ METHOD(ha_cache_t, cache, void,
 			}
 			message->destroy(message);
 			break;
+		case HA_IKE_IV:
+			entry = this->cache->get(this->cache, ike_sa);
+			if (entry)
+			{
+				DESTROY_IF(entry->iv);
+				entry->iv = message;
+				break;
+			}
+			message->destroy(message);
+			break;
 		case HA_IKE_DELETE:
 			entry = this->cache->remove(this->cache, ike_sa);
 			if (entry)
@@ -212,7 +225,8 @@ static status_t rekey_children(ike_sa_t *ike_sa)
 			DBG1(DBG_CFG, "resyncing CHILD_SA using a delete");
 			status = ike_sa->delete_child_sa(ike_sa,
 											 child_sa->get_protocol(child_sa),
-											 child_sa->get_spi(child_sa, TRUE));
+											 child_sa->get_spi(child_sa, TRUE),
+											 FALSE);
 		}
 		else
 		{
@@ -308,6 +322,10 @@ METHOD(ha_cache_t, resync, void,
 			{
 				this->socket->push(this->socket, entry->midr);
 			}
+			if (entry->iv)
+			{
+				this->socket->push(this->socket, entry->iv);
+			}
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/plugins/ha/ha_cache.h b/src/libcharon/plugins/ha/ha_cache.h
index 39f1947a8..5e3936a20 100644
--- a/src/libcharon/plugins/ha/ha_cache.h
+++ b/src/libcharon/plugins/ha/ha_cache.h
@@ -27,7 +27,7 @@ typedef struct ha_cache_t ha_cache_t;
 #include "ha_kernel.h"
 #include "ha_socket.h"
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include <sa/ike_sa.h>
 
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index 707add94d..c166d72ac 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -103,18 +103,22 @@ METHOD(listener_t, child_keys, bool,
 		chunk_clear(&secret);
 	}
 
-	local_ts = child_sa->get_traffic_selectors(child_sa, TRUE);
-	enumerator = local_ts->create_enumerator(local_ts);
+	local_ts = linked_list_create();
+	remote_ts = linked_list_create();
+
+	enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_LOCAL_TS, ts);
+		local_ts->insert_last(local_ts, ts);
 	}
 	enumerator->destroy(enumerator);
-	remote_ts = child_sa->get_traffic_selectors(child_sa, FALSE);
-	enumerator = remote_ts->create_enumerator(remote_ts);
+
+	enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_REMOTE_TS, ts);
+		remote_ts->insert_last(remote_ts, ts);
 	}
 	enumerator->destroy(enumerator);
 
@@ -128,6 +132,9 @@ METHOD(listener_t, child_keys, bool,
 		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
 		seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
 
+	local_ts->destroy(local_ts);
+	remote_ts->destroy(remote_ts);
+
 	this->socket->push(this->socket, m);
 	m->destroy(m);
 
@@ -195,4 +202,3 @@ ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index 9c99807ed..178a0349b 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -48,11 +48,6 @@ struct private_ha_ctl_t {
 	 * Resynchronization message cache
 	 */
 	ha_cache_t *cache;
-
-	/**
-	 * FIFO reader thread
-	 */
-	callback_job_t *job;
 };
 
 /**
@@ -105,7 +100,6 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
 METHOD(ha_ctl_t, destroy, void,
 	private_ha_ctl_t *this)
 {
-	this->job->cancel(this->job);
 	free(this);
 }
 
@@ -135,15 +129,16 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 		}
 		umask(old);
 	}
-	if (chown(HA_FIFO, charon->uid, charon->gid) != 0)
+	if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
 			 strerror(errno));
 	}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 994f91d20..1ce9d3a16 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -16,9 +16,13 @@
 #include "ha_dispatcher.h"
 
 #include <daemon.h>
+#include <sa/ikev2/keymat_v2.h>
+#include <sa/ikev1/keymat_v1.h>
 #include <processing/jobs/callback_job.h>
+#include <processing/jobs/adopt_children_job.h>
 
 typedef struct private_ha_dispatcher_t private_ha_dispatcher_t;
+typedef struct ha_diffie_hellman_t ha_diffie_hellman_t;
 
 /**
  * Private data of an ha_dispatcher_t object.
@@ -54,20 +58,66 @@ struct private_ha_dispatcher_t {
 	 * HA enabled pool
 	 */
 	ha_attribute_t *attr;
+};
+
+/**
+ * DH implementation for HA synced DH values
+ */
+struct ha_diffie_hellman_t {
+
+	/**
+	 * Implements diffie_hellman_t
+	 */
+	diffie_hellman_t dh;
 
 	/**
-	 * Dispatcher job
+	 * Shared secret
 	 */
-	callback_job_t *job;
+	chunk_t secret;
+
+	/**
+	 * Own public value
+	 */
+	chunk_t pub;
 };
 
+METHOD(diffie_hellman_t, dh_get_shared_secret, status_t,
+	ha_diffie_hellman_t *this, chunk_t *secret)
+{
+	*secret = chunk_clone(this->secret);
+	return SUCCESS;
+}
+
+METHOD(diffie_hellman_t, dh_get_my_public_value, void,
+	ha_diffie_hellman_t *this, chunk_t *value)
+{
+	*value = chunk_clone(this->pub);
+}
+
+METHOD(diffie_hellman_t, dh_destroy, void,
+	ha_diffie_hellman_t *this)
+{
+	free(this);
+}
+
 /**
- * Quick and dirty hack implementation of diffie_hellman_t.get_shared_secret
+ * Create a HA synced DH implementation
  */
-static status_t get_shared_secret(diffie_hellman_t *this, chunk_t *secret)
+static diffie_hellman_t *ha_diffie_hellman_create(chunk_t secret, chunk_t pub)
 {
-	*secret = chunk_clone((*(chunk_t*)this->destroy));
-	return SUCCESS;
+	ha_diffie_hellman_t *this;
+
+	INIT(this,
+		.dh = {
+			.get_shared_secret = _dh_get_shared_secret,
+			.get_my_public_value = _dh_get_my_public_value,
+			.destroy = _dh_destroy,
+		},
+		.secret = secret,
+		.pub = pub,
+	);
+
+	return &this->dh;
 }
 
 /**
@@ -79,9 +129,12 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 	ha_message_value_t value;
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa = NULL, *old_sa = NULL;
+	ike_version_t version = IKEV2;
 	u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
 	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
 	chunk_t secret = chunk_empty, old_skd = chunk_empty;
+	chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
+	bool ok = FALSE;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -89,12 +142,16 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		switch (attribute)
 		{
 			case HA_IKE_ID:
-				ike_sa = ike_sa_create(value.ike_sa_id);
+				ike_sa = ike_sa_create(value.ike_sa_id,
+						value.ike_sa_id->is_initiator(value.ike_sa_id), version);
 				break;
 			case HA_IKE_REKEY_ID:
 				old_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 														  value.ike_sa_id);
 				break;
+			case HA_IKE_VERSION:
+				version = value.u8;
+				break;
 			case HA_NONCE_I:
 				nonce_i = value.chunk;
 				break;
@@ -104,6 +161,15 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 			case HA_SECRET:
 				secret = value.chunk;
 				break;
+			case HA_LOCAL_DH:
+				dh_local = value.chunk;
+				break;
+			case HA_REMOTE_DH:
+				dh_remote = value.chunk;
+				break;
+			case HA_PSK:
+				psk = value.chunk;
+				break;
 			case HA_OLD_SKD:
 				old_skd = value.chunk;
 				break;
@@ -131,13 +197,9 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 	if (ike_sa)
 	{
 		proposal_t *proposal;
-		keymat_t *keymat;
-		/* quick and dirty hack of a DH implementation ;-) */
-		diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
-								.destroy = (void*)&secret };
+		diffie_hellman_t *dh;
 
 		proposal = proposal_create(PROTO_IKE, 0);
-		keymat = ike_sa->get_keymat(ike_sa);
 		if (integ)
 		{
 			proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0);
@@ -151,8 +213,35 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 			proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, prf, 0);
 		}
 		charon->bus->set_sa(charon->bus, ike_sa);
-		if (keymat->derive_ike_keys(keymat, proposal, &dh, nonce_i, nonce_r,
-									 ike_sa->get_id(ike_sa), old_prf, old_skd))
+		dh = ha_diffie_hellman_create(secret, dh_local);
+		if (ike_sa->get_version(ike_sa) == IKEV2)
+		{
+			keymat_v2_t *keymat_v2 = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
+
+			ok = keymat_v2->derive_ike_keys(keymat_v2, proposal, dh, nonce_i,
+							nonce_r, ike_sa->get_id(ike_sa), old_prf, old_skd);
+		}
+		if (ike_sa->get_version(ike_sa) == IKEV1)
+		{
+			keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+			shared_key_t *shared = NULL;
+			auth_method_t method = AUTH_RSA;
+
+			if (psk.len)
+			{
+				method = AUTH_PSK;
+				shared = shared_key_create(SHARED_IKE, chunk_clone(psk));
+			}
+			if (keymat_v1->create_hasher(keymat_v1, proposal))
+			{
+				ok = keymat_v1->derive_ike_keys(keymat_v1, proposal,
+								dh, dh_remote, nonce_i, nonce_r,
+								ike_sa->get_id(ike_sa), method, shared);
+			}
+			DESTROY_IF(shared);
+		}
+		dh->destroy(dh);
+		if (ok)
 		{
 			if (old_sa)
 			{
@@ -168,6 +257,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 				old_sa = NULL;
 			}
 			ike_sa->set_state(ike_sa, IKE_CONNECTING);
+			ike_sa->set_proposal(ike_sa, proposal);
 			this->cache->cache(this->cache, ike_sa, message);
 			message = NULL;
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
@@ -220,7 +310,7 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 	ike_sa_t *ike_sa = NULL;
 	peer_cfg_t *peer_cfg = NULL;
 	auth_cfg_t *auth;
-	bool received_vip = FALSE, first_peer_addr = TRUE;
+	bool received_vip = FALSE, first_local_vip = TRUE, first_peer_addr = TRUE;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -254,10 +344,19 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 				ike_sa->set_other_host(ike_sa, value.host->clone(value.host));
 				break;
 			case HA_LOCAL_VIP:
-				ike_sa->set_virtual_ip(ike_sa, TRUE, value.host);
+				if (first_local_vip)
+				{
+					ike_sa->clear_virtual_ips(ike_sa, TRUE);
+					first_local_vip = FALSE;
+				}
+				ike_sa->add_virtual_ip(ike_sa, TRUE, value.host);
 				break;
 			case HA_REMOTE_VIP:
-				ike_sa->set_virtual_ip(ike_sa, FALSE, value.host);
+				if (!received_vip)
+				{
+					ike_sa->clear_virtual_ips(ike_sa, FALSE);
+				}
+				ike_sa->add_virtual_ip(ike_sa, FALSE, value.host);
 				received_vip = TRUE;
 				break;
 			case HA_PEER_ADDR:
@@ -289,6 +388,8 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 				set_extension(ike_sa, value.u32, EXT_STRONGSWAN);
 				set_extension(ike_sa, value.u32, EXT_EAP_ONLY_AUTHENTICATION);
 				set_extension(ike_sa, value.u32, EXT_MS_WINDOWS);
+				set_extension(ike_sa, value.u32, EXT_XAUTH);
+				set_extension(ike_sa, value.u32, EXT_DPD);
 				break;
 			case HA_CONDITIONS:
 				set_condition(ike_sa, value.u32, COND_NAT_ANY);
@@ -299,6 +400,8 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 				set_condition(ike_sa, value.u32, COND_CERTREQ_SEEN);
 				set_condition(ike_sa, value.u32, COND_ORIGINAL_INITIATOR);
 				set_condition(ike_sa, value.u32, COND_STALE);
+				set_condition(ike_sa, value.u32, COND_INIT_CONTACT_SEEN);
+				set_condition(ike_sa, value.u32, COND_XAUTH_AUTHENTICATED);
 				break;
 			default:
 				break;
@@ -319,20 +422,31 @@ static void process_ike_update(private_ha_dispatcher_t *this,
 		}
 		if (received_vip)
 		{
+			enumerator_t *pools, *vips;
 			host_t *vip;
 			char *pool;
 
 			peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-			vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
-			if (peer_cfg && vip)
+			if (peer_cfg)
 			{
-				pool = peer_cfg->get_pool(peer_cfg);
-				if (pool)
+				pools = peer_cfg->create_pool_enumerator(peer_cfg);
+				while (pools->enumerate(pools, &pool))
 				{
-					this->attr->reserve(this->attr, pool, vip);
+					vips = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+					while (vips->enumerate(vips, &vip))
+					{
+						this->attr->reserve(this->attr, pool, vip);
+					}
+					vips->destroy(vips);
 				}
+				pools->destroy(pools);
 			}
 		}
+		if (ike_sa->get_version(ike_sa) == IKEV1)
+		{
+			lib->processor->queue_job(lib->processor, (job_t*)
+							adopt_children_job_create(ike_sa->get_id(ike_sa)));
+		}
 		this->cache->cache(this->cache, ike_sa, message);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
@@ -389,6 +503,59 @@ static void process_ike_mid(private_ha_dispatcher_t *this,
 }
 
 /**
+ * Process messages of type IKE_IV
+ */
+static void process_ike_iv(private_ha_dispatcher_t *this, ha_message_t *message)
+{
+	ha_message_attribute_t attribute;
+	ha_message_value_t value;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa = NULL;
+	chunk_t iv = chunk_empty;
+
+	enumerator = message->create_attribute_enumerator(message);
+	while (enumerator->enumerate(enumerator, &attribute, &value))
+	{
+		switch (attribute)
+		{
+			case HA_IKE_ID:
+				ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+														  value.ike_sa_id);
+				break;
+			case HA_IV:
+				iv = value.chunk;
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (ike_sa)
+	{
+		if (ike_sa->get_version(ike_sa) == IKEV1)
+		{
+			if (iv.len)
+			{
+				keymat_v1_t *keymat;
+
+				keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+				if (keymat->update_iv(keymat, 0, iv))
+				{
+					keymat->confirm_iv(keymat, 0);
+				}
+			}
+		}
+		this->cache->cache(this->cache, ike_sa, message);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	else
+	{
+		message->destroy(message);
+	}
+}
+
+/**
  * Process messages of type IKE_DELETE
  */
 static void process_ike_delete(private_ha_dispatcher_t *this,
@@ -465,8 +632,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	child_cfg_t *config = NULL;
 	child_sa_t *child_sa;
 	proposal_t *proposal;
-	keymat_t *keymat;
-	bool initiator = FALSE, failed = FALSE;
+	bool initiator = FALSE, failed = FALSE, ok = FALSE;
 	u_int32_t inbound_spi = 0, outbound_spi = 0;
 	u_int16_t inbound_cpi = 0, outbound_cpi = 0;
 	u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
@@ -476,9 +642,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
 	chunk_t encr_i, integ_i, encr_r, integ_r;
 	linked_list_t *local_ts, *remote_ts;
-	/* quick and dirty hack of a DH implementation */
-	diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
-							.destroy = (void*)&secret };
+	diffie_hellman_t *dh = NULL;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -572,10 +736,30 @@ static void process_child_add(private_ha_dispatcher_t *this,
 		proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
 	}
 	proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
-	keymat = ike_sa->get_keymat(ike_sa);
+	if (secret.len)
+	{
+		dh = ha_diffie_hellman_create(secret, chunk_empty);
+	}
+	if (ike_sa->get_version(ike_sa) == IKEV2)
+	{
+		keymat_v2_t *keymat_v2 = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 
-	if (!keymat->derive_child_keys(keymat, proposal, secret.ptr ? &dh : NULL,
-					nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
+		ok = keymat_v2->derive_child_keys(keymat_v2, proposal, dh,
+						nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r);
+	}
+	if (ike_sa->get_version(ike_sa) == IKEV1)
+	{
+		keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+		u_int32_t spi_i, spi_r;
+
+		spi_i = initiator ? inbound_spi : outbound_spi;
+		spi_r = initiator ? outbound_spi : inbound_spi;
+
+		ok = keymat_v1->derive_child_keys(keymat_v1, proposal, dh, spi_i, spi_r,
+						nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r);
+	}
+	DESTROY_IF(dh);
+	if (!ok)
 	{
 		DBG1(DBG_CHD, "HA CHILD_SA key derivation failed");
 		child_sa->destroy(child_sa);
@@ -610,9 +794,11 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	if (initiator)
 	{
 		if (child_sa->install(child_sa, encr_r, integ_r, inbound_spi,
-					inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
+							  inbound_cpi, initiator, TRUE, TRUE,
+							  local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_i, integ_i, outbound_spi,
-					outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
+							  outbound_cpi, initiator, FALSE, TRUE,
+							  local_ts, remote_ts) != SUCCESS)
 		{
 			failed = TRUE;
 		}
@@ -620,9 +806,11 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	else
 	{
 		if (child_sa->install(child_sa, encr_i, integ_i, inbound_spi,
-					inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS ||
+							  inbound_cpi, initiator, TRUE, TRUE,
+							  local_ts, remote_ts) != SUCCESS ||
 			child_sa->install(child_sa, encr_r, integ_r, outbound_spi,
-					outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS)
+							  outbound_cpi, initiator, FALSE, TRUE,
+							  local_ts, remote_ts) != SUCCESS)
 		{
 			failed = TRUE;
 		}
@@ -825,6 +1013,9 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this)
 		case HA_IKE_MID_RESPONDER:
 			process_ike_mid(this, message, FALSE);
 			break;
+		case HA_IKE_IV:
+			process_ike_iv(this, message);
+			break;
 		case HA_IKE_DELETE:
 			process_ike_delete(this, message);
 			break;
@@ -857,7 +1048,6 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this)
 METHOD(ha_dispatcher_t, destroy, void,
 	private_ha_dispatcher_t *this)
 {
-	this->job->cancel(this->job);
 	free(this);
 }
 
@@ -881,9 +1071,9 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
 		.kernel = kernel,
 		.attr = attr,
 	);
-	this->job = callback_job_create_with_prio((callback_job_cb_t)dispatch,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index e818aec9c..442a3a23d 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -15,6 +15,9 @@
 
 #include "ha_ike.h"
 
+#include <sa/ikev2/keymat_v2.h>
+#include <sa/ikev1/keymat_v1.h>
+
 typedef struct private_ha_ike_t private_ha_ike_t;
 
 /**
@@ -69,7 +72,8 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
 
 METHOD(listener_t, ike_keys, bool,
 	private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
-	chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey)
+	chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
+	shared_key_t *shared)
 {
 	ha_message_t *m;
 	chunk_t secret;
@@ -86,14 +90,15 @@ METHOD(listener_t, ike_keys, bool,
 	}
 
 	m = ha_message_create(HA_IKE_ADD);
+	m->add_attribute(m, HA_IKE_VERSION, ike_sa->get_version(ike_sa));
 	m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
 
-	if (rekey)
+	if (rekey && rekey->get_version(rekey) == IKEV2)
 	{
 		chunk_t skd;
-		keymat_t *keymat;
+		keymat_v2_t *keymat;
 
-		keymat = rekey->get_keymat(rekey);
+		keymat = (keymat_v2_t*)rekey->get_keymat(rekey);
 		m->add_attribute(m, HA_IKE_REKEY_ID, rekey->get_id(rekey));
 		m->add_attribute(m, HA_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
 		m->add_attribute(m, HA_OLD_SKD, skd);
@@ -120,6 +125,17 @@ METHOD(listener_t, ike_keys, bool,
 	m->add_attribute(m, HA_NONCE_R, nonce_r);
 	m->add_attribute(m, HA_SECRET, secret);
 	chunk_clear(&secret);
+	if (ike_sa->get_version(ike_sa) == IKEV1)
+	{
+		dh->get_my_public_value(dh, &secret);
+		m->add_attribute(m, HA_LOCAL_DH, secret);
+		chunk_free(&secret);
+		m->add_attribute(m, HA_REMOTE_DH, dh_other);
+		if (shared)
+		{
+			m->add_attribute(m, HA_PSK, shared->get_key(shared));
+		}
+	}
 
 	this->socket->push(this->socket, m);
 	this->cache->cache(this->cache, ike_sa, m);
@@ -159,7 +175,9 @@ METHOD(listener_t, ike_updown, bool,
 				  | copy_condition(ike_sa, COND_EAP_AUTHENTICATED)
 				  | copy_condition(ike_sa, COND_CERTREQ_SEEN)
 				  | copy_condition(ike_sa, COND_ORIGINAL_INITIATOR)
-				  | copy_condition(ike_sa, COND_STALE);
+				  | copy_condition(ike_sa, COND_STALE)
+				  | copy_condition(ike_sa, COND_INIT_CONTACT_SEEN)
+				  | copy_condition(ike_sa, COND_XAUTH_AUTHENTICATED);
 
 		extension = copy_extension(ike_sa, EXT_NATT)
 				  | copy_extension(ike_sa, EXT_MOBIKE)
@@ -167,7 +185,9 @@ METHOD(listener_t, ike_updown, bool,
 				  | copy_extension(ike_sa, EXT_MULTIPLE_AUTH)
 				  | copy_extension(ike_sa, EXT_STRONGSWAN)
 				  | copy_extension(ike_sa, EXT_EAP_ONLY_AUTHENTICATION)
-				  | copy_extension(ike_sa, EXT_MS_WINDOWS);
+				  | copy_extension(ike_sa, EXT_MS_WINDOWS)
+				  | copy_extension(ike_sa, EXT_XAUTH)
+				  | copy_extension(ike_sa, EXT_DPD);
 
 		id = ike_sa->get_id(ike_sa);
 
@@ -221,49 +241,125 @@ METHOD(listener_t, ike_state_change, bool,
 	return TRUE;
 }
 
+/**
+ * Send a virtual IP sync message for remote VIPs
+ */
+static void sync_vips(private_ha_ike_t *this, ike_sa_t *ike_sa)
+{
+	ha_message_t *m = NULL;
+	enumerator_t *enumerator;
+	host_t *vip;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		if (!m)
+		{
+			m = ha_message_create(HA_IKE_UPDATE);
+			m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+		}
+		m->add_attribute(m, HA_REMOTE_VIP, vip);
+	}
+	enumerator->destroy(enumerator);
+
+	if (m)
+	{
+		this->socket->push(this->socket, m);
+		this->cache->cache(this->cache, ike_sa, m);
+	}
+}
+
 METHOD(listener_t, message_hook, bool,
-	private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming)
+	private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming, bool plain)
 {
 	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
 	{	/* do not sync SA between nodes */
 		return TRUE;
 	}
 
-	if (message->get_exchange_type(message) != IKE_SA_INIT &&
-		message->get_request(message))
-	{	/* we sync on requests, but skip it on IKE_SA_INIT */
+	if (plain && ike_sa->get_version(ike_sa) == IKEV2)
+	{
+		if (message->get_exchange_type(message) != IKE_SA_INIT &&
+			message->get_request(message))
+		{	/* we sync on requests, but skip it on IKE_SA_INIT */
+			ha_message_t *m;
+
+			if (incoming)
+			{
+				m = ha_message_create(HA_IKE_MID_RESPONDER);
+			}
+			else
+			{
+				m = ha_message_create(HA_IKE_MID_INITIATOR);
+			}
+			m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+			m->add_attribute(m, HA_MID, message->get_message_id(message) + 1);
+			this->socket->push(this->socket, m);
+			this->cache->cache(this->cache, ike_sa, m);
+		}
+		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+			message->get_exchange_type(message) == IKE_AUTH &&
+			!message->get_request(message))
+		{	/* After IKE_SA has been established, sync peers virtual IP.
+			 * We cannot sync it in the state_change hook, it is installed later.
+			 * TODO: where to sync local VIP? */
+			sync_vips(this, ike_sa);
+		}
+	}
+	if (!plain && ike_sa->get_version(ike_sa) == IKEV1)
+	{
 		ha_message_t *m;
+		keymat_v1_t *keymat;
+		u_int32_t mid;
+		chunk_t iv;
 
-		if (incoming)
+		mid = message->get_message_id(message);
+		if (mid == 0)
 		{
-			m = ha_message_create(HA_IKE_MID_RESPONDER);
+			keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+			if (keymat->get_iv(keymat, mid, &iv))
+			{
+				m = ha_message_create(HA_IKE_IV);
+				m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+				m->add_attribute(m, HA_IV, iv);
+				this->socket->push(this->socket, m);
+				this->cache->cache(this->cache, ike_sa, m);
+			}
 		}
-		else
+		if (!incoming && message->get_exchange_type(message) == TRANSACTION)
 		{
-			m = ha_message_create(HA_IKE_MID_INITIATOR);
+			sync_vips(this, ike_sa);
 		}
-		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
-		m->add_attribute(m, HA_MID, message->get_message_id(message) + 1);
-		this->socket->push(this->socket, m);
-		this->cache->cache(this->cache, ike_sa, m);
 	}
-	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
-		message->get_exchange_type(message) == IKE_AUTH &&
-		!message->get_request(message))
-	{	/* After IKE_SA has been established, sync peers virtual IP.
-		 * We cannot sync it in the state_change hook, it is installed later.
-		 * TODO: where to sync local VIP? */
+	if (plain && ike_sa->get_version(ike_sa) == IKEV1 &&
+		message->get_exchange_type(message) == INFORMATIONAL_V1)
+	{
 		ha_message_t *m;
-		host_t *vip;
+		notify_payload_t *notify;
+		chunk_t data;
+		u_int32_t seq;
 
-		vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
-		if (vip)
+		notify = message->get_notify(message, DPD_R_U_THERE);
+		if (notify)
 		{
-			m = ha_message_create(HA_IKE_UPDATE);
-			m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
-			m->add_attribute(m, HA_REMOTE_VIP, vip);
-			this->socket->push(this->socket, m);
-			this->cache->cache(this->cache, ike_sa, m);
+			data = notify->get_notification_data(notify);
+			if (data.len == 4)
+			{
+				seq = untoh32(data.ptr);
+				if (incoming)
+				{
+					m = ha_message_create(HA_IKE_MID_RESPONDER);
+				}
+				else
+				{
+					m = ha_message_create(HA_IKE_MID_INITIATOR);
+				}
+				m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+				m->add_attribute(m, HA_MID, seq + 1);
+				this->socket->push(this->socket, m);
+				this->cache->cache(this->cache, ike_sa, m);
+			}
 		}
 	}
 	return TRUE;
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index 2377a2630..eed89e0bf 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -316,7 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
 	{
 		while (enumerator->enumerate(enumerator, NULL, &file, NULL))
 		{
-			if (chown(file, charon->uid, charon->gid) != 0)
+			if (chown(file, lib->caps->get_uid(lib->caps),
+					  lib->caps->get_gid(lib->caps)) != 0)
 			{
 				DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
 					 strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index 810109a5d..6b00ed83f 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -46,7 +46,7 @@ struct private_ha_message_t {
 	chunk_t buf;
 };
 
-ENUM(ha_message_type_names, HA_IKE_ADD, HA_RESYNC,
+ENUM(ha_message_type_names, HA_IKE_ADD, HA_IKE_IV,
 	"IKE_ADD",
 	"IKE_UPDATE",
 	"IKE_MID_INITIATOR",
@@ -58,6 +58,7 @@ ENUM(ha_message_type_names, HA_IKE_ADD, HA_RESYNC,
 	"SEGMENT_TAKE",
 	"STATUS",
 	"RESYNC",
+	"IKE_IV",
 );
 
 typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t;
@@ -66,6 +67,7 @@ typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t;
  * Encoding if an ike_sa_id_t
  */
 struct ike_sa_id_encoding_t {
+	u_int8_t ike_version;
 	u_int64_t initiator_spi;
 	u_int64_t responder_spi;
 	u_int8_t initiator;
@@ -156,6 +158,7 @@ METHOD(ha_message_t, add_attribute, void,
 			enc = (ike_sa_id_encoding_t*)(this->buf.ptr + this->buf.len);
 			this->buf.len += sizeof(ike_sa_id_encoding_t);
 			enc->initiator = id->is_initiator(id);
+			enc->ike_version = id->get_ike_version(id);
 			enc->initiator_spi = id->get_initiator_spi(id);
 			enc->responder_spi = id->get_responder_spi(id);
 			break;
@@ -213,6 +216,7 @@ METHOD(ha_message_t, add_attribute, void,
 			break;
 		}
 		/* u_int8_t */
+		case HA_IKE_VERSION:
 		case HA_INITIATOR:
 		case HA_IPSEC_MODE:
 		case HA_IPCOMP:
@@ -263,6 +267,10 @@ METHOD(ha_message_t, add_attribute, void,
 		case HA_NONCE_I:
 		case HA_NONCE_R:
 		case HA_SECRET:
+		case HA_LOCAL_DH:
+		case HA_REMOTE_DH:
+		case HA_PSK:
+		case HA_IV:
 		case HA_OLD_SKD:
 		{
 			chunk_t chunk;
@@ -351,8 +359,9 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 				return FALSE;
 			}
 			enc = (ike_sa_id_encoding_t*)(this->buf.ptr);
-			value->ike_sa_id = ike_sa_id_create(enc->initiator_spi,
-											enc->responder_spi, enc->initiator);
+			value->ike_sa_id = ike_sa_id_create(enc->ike_version,
+										enc->initiator_spi, enc->responder_spi,
+										enc->initiator);
 			*attr_out = attr;
 			this->cleanup = (void*)value->ike_sa_id->destroy;
 			this->cleanup_data = value->ike_sa_id;
@@ -426,6 +435,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 			return TRUE;
 		}
 		/* u_int8_t */
+		case HA_IKE_VERSION:
 		case HA_INITIATOR:
 		case HA_IPSEC_MODE:
 		case HA_IPCOMP:
@@ -479,6 +489,10 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 		case HA_NONCE_I:
 		case HA_NONCE_R:
 		case HA_SECRET:
+		case HA_LOCAL_DH:
+		case HA_REMOTE_DH:
+		case HA_PSK:
+		case HA_IV:
 		case HA_OLD_SKD:
 		{
 			size_t len;
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index d0323d7a0..2ccb1fc55 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -22,7 +22,7 @@
 #define HA_MESSAGE_H_
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <sa/ike_sa_id.h>
 #include <selectors/traffic_selector.h>
@@ -30,7 +30,7 @@
 /**
  * Protocol version of this implementation
  */
-#define HA_MESSAGE_VERSION 2
+#define HA_MESSAGE_VERSION 3
 
 typedef struct ha_message_t ha_message_t;
 typedef enum ha_message_type_t ha_message_type_t;
@@ -63,6 +63,8 @@ enum ha_message_type_t {
 	HA_STATUS,
 	/** segments the receiving node is requested to resync */
 	HA_RESYNC,
+	/** IV synchronization for IKEv1 Main/Aggressive mode */
+	HA_IKE_IV,
 };
 
 /**
@@ -76,7 +78,7 @@ extern enum_name_t *ha_message_type_names;
 enum ha_message_attribute_t {
 	/** ike_sa_id_t*, to identify IKE_SA */
 	HA_IKE_ID = 1,
-	/** ike_Sa_id_t*, identifies IKE_SA which gets rekeyed */
+	/** ike_sa_id_t*, identifies IKE_SA which gets rekeyed */
 	HA_IKE_REKEY_ID,
 	/** identification_t*, local identity */
 	HA_LOCAL_ID,
@@ -142,6 +144,16 @@ enum ha_message_attribute_t {
 	HA_SEGMENT,
 	/** u_int16_t, Extended Sequence numbers */
 	HA_ESN,
+	/** u_int8_t, IKE version */
+	HA_IKE_VERSION,
+	/** chunk_t, own DH public value */
+	HA_LOCAL_DH,
+	/** chunk_t, remote DH public value */
+	HA_REMOTE_DH,
+	/** chunk_t, shared secret for IKEv1 key derivation */
+	HA_PSK,
+	/** chunk_t, IV for next IKEv1 message */
+	HA_IV,
 };
 
 /**
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index b4bde5ea5..5d4cc6184 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -97,14 +97,46 @@ METHOD(plugin_t, get_name, char*,
 	return "ha";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_ha_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->segments->listener);
+		charon->bus->add_listener(charon->bus, &this->ike->listener);
+		charon->bus->add_listener(charon->bus, &this->child->listener);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->attr->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->attr->provider);
+		charon->bus->remove_listener(charon->bus, &this->segments->listener);
+		charon->bus->remove_listener(charon->bus, &this->ike->listener);
+		charon->bus->remove_listener(charon->bus, &this->child->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_ha_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "ha"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_ha_plugin_t *this)
 {
 	DESTROY_IF(this->ctl);
-	hydra->attributes->remove_provider(hydra->attributes, &this->attr->provider);
-	charon->bus->remove_listener(charon->bus, &this->segments->listener);
-	charon->bus->remove_listener(charon->bus, &this->ike->listener);
-	charon->bus->remove_listener(charon->bus, &this->child->listener);
 	this->ike->destroy(this->ike);
 	this->child->destroy(this->child);
 	this->dispatcher->destroy(this->dispatcher);
@@ -128,30 +160,37 @@ plugin_t *ha_plugin_create()
 	bool fifo, monitor, resync;
 
 	local = lib->settings->get_str(lib->settings,
-								"charon.plugins.ha.local", NULL);
+							"%s.plugins.ha.local", NULL, charon->name);
 	remote = lib->settings->get_str(lib->settings,
-								"charon.plugins.ha.remote", NULL);
+							"%s.plugins.ha.remote", NULL, charon->name);
 	secret = lib->settings->get_str(lib->settings,
-								"charon.plugins.ha.secret", NULL);
+							"%s.plugins.ha.secret", NULL, charon->name);
 	fifo = lib->settings->get_bool(lib->settings,
-								"charon.plugins.ha.fifo_interface", TRUE);
+							"%s.plugins.ha.fifo_interface", TRUE, charon->name);
 	monitor = lib->settings->get_bool(lib->settings,
-								"charon.plugins.ha.monitor", TRUE);
+							"%s.plugins.ha.monitor", TRUE, charon->name);
 	resync = lib->settings->get_bool(lib->settings,
-								"charon.plugins.ha.resync", TRUE);
+							"%s.plugins.ha.resync", TRUE, charon->name);
 	count = min(SEGMENTS_MAX, lib->settings->get_int(lib->settings,
-								"charon.plugins.ha.segment_count", 1));
+							"%s.plugins.ha.segment_count", 1, charon->name));
 	if (!local || !remote)
 	{
 		DBG1(DBG_CFG, "HA config misses local/remote address");
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket, ha_kernel also needs it at
+		 * runtime */
+		DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -182,10 +221,6 @@ plugin_t *ha_plugin_create()
 	this->ike = ha_ike_create(this->socket, this->tunnel, this->cache);
 	this->child = ha_child_create(this->socket, this->tunnel, this->segments,
 								  this->kernel);
-	charon->bus->add_listener(charon->bus, &this->segments->listener);
-	charon->bus->add_listener(charon->bus, &this->ike->listener);
-	charon->bus->add_listener(charon->bus, &this->child->listener);
-	hydra->attributes->add_provider(hydra->attributes, &this->attr->provider);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index c5a180683..cab38c63d 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -17,7 +17,7 @@
 
 #include <threading/mutex.h>
 #include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
@@ -62,11 +62,6 @@ struct private_ha_segments_t {
 	condvar_t *condvar;
 
 	/**
-	 * Job checking for heartbeats
-	 */
-	callback_job_t *job;
-
-	/**
 	 * Total number of ClusterIP segments
 	 */
 	u_int count;
@@ -82,6 +77,11 @@ struct private_ha_segments_t {
 	u_int node;
 
 	/**
+	 * Are we checking for heartbeats?
+	 */
+	bool heartbeat_active;
+
+	/**
 	 * Interval we send hearbeats
 	 */
 	int heartbeat_delay;
@@ -90,6 +90,11 @@ struct private_ha_segments_t {
 	 * Timeout for heartbeats received from other node
 	 */
 	int heartbeat_timeout;
+
+	/**
+	 * Interval to check for autobalance, 0 to disable
+	 */
+	int autobalance;
 };
 
 /**
@@ -237,7 +242,7 @@ METHOD(listener_t, alert_hook, bool,
 {
 	if (alert == ALERT_SHUTDOWN_SIGNAL)
 	{
-		if (this->job)
+		if (this->heartbeat_active)
 		{
 			DBG1(DBG_CFG, "HA heartbeat active, dropping all segments");
 			deactivate(this, 0, TRUE);
@@ -269,7 +274,7 @@ static job_requeue_t watchdog(private_ha_segments_t *this)
 		DBG1(DBG_CFG, "no heartbeat received, taking all segments");
 		activate(this, 0, TRUE);
 		/* disable heartbeat detection util we get one */
-		this->job = NULL;
+		this->heartbeat_active = FALSE;
 		return JOB_REQUEUE_NONE;
 	}
 	return JOB_REQUEUE_DIRECT;
@@ -280,20 +285,22 @@ static job_requeue_t watchdog(private_ha_segments_t *this)
  */
 static void start_watchdog(private_ha_segments_t *this)
 {
-	this->job = callback_job_create_with_prio((callback_job_cb_t)watchdog,
-									this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	this->heartbeat_active = TRUE;
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this,
+				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 }
 
 METHOD(ha_segments_t, handle_status, void,
 	private_ha_segments_t *this, segment_mask_t mask)
 {
-	segment_mask_t missing;
+	segment_mask_t missing, twice;
 	int i;
 
 	this->mutex->lock(this->mutex);
 
 	missing = ~(this->active | mask);
+	twice = this->active & mask;
 
 	for (i = 1; i <= this->count; i++)
 	{
@@ -310,12 +317,25 @@ METHOD(ha_segments_t, handle_status, void,
 				enable_disable(this, i, FALSE, TRUE);
 			}
 		}
+		if (twice & SEGMENTS_BIT(i))
+		{
+			if (this->node == i % 2)
+			{
+				DBG1(DBG_CFG, "HA segment %d was handled twice, taking", i);
+				enable_disable(this, i, TRUE, TRUE);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "HA segment %d was handled twice, dropping", i);
+				enable_disable(this, i, FALSE, TRUE);
+			}
+		}
 	}
 
-	this->mutex->unlock(this->mutex);
 	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
 
-	if (!this->job)
+	if (!this->heartbeat_active)
 	{
 		DBG1(DBG_CFG, "received heartbeat, reenabling watchdog");
 		start_watchdog(this);
@@ -332,6 +352,7 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 
 	message = ha_message_create(HA_STATUS);
 
+	this->mutex->lock(this->mutex);
 	for (i = 1; i <= this->count; i++)
 	{
 		if (this->active & SEGMENTS_BIT(i))
@@ -339,17 +360,71 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 			message->add_attribute(message, HA_SEGMENT, i);
 		}
 	}
+	this->mutex->unlock(this->mutex);
 
 	this->socket->push(this->socket, message);
 	message->destroy(message);
 
 	/* schedule next invocation */
-	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
-									callback_job_create((callback_job_cb_t)
-										send_status, this, NULL, NULL),
-									this->heartbeat_delay);
+	return JOB_RESCHEDULE_MS(this->heartbeat_delay);
+}
+
+/**
+ * Start the heartbeat sending task
+ */
+static void start_heartbeat(private_ha_segments_t *this)
+{
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+}
+
+/**
+ * Take a segment if we are handling less than half of segments
+ */
+static job_requeue_t autobalance(private_ha_segments_t *this)
+{
+	int i, active = 0;
+
+	this->mutex->lock(this->mutex);
 
-	return JOB_REQUEUE_NONE;
+	for (i = 1; i <= this->count; i++)
+	{
+		if (this->active & SEGMENTS_BIT(i))
+		{
+			active++;
+		}
+	}
+	if (active < this->count / 2)
+	{
+		for (i = 1; i <= this->count; i++)
+		{
+			if (!(this->active & SEGMENTS_BIT(i)))
+			{
+				DBG1(DBG_CFG, "autobalancing HA (%d/%d active), taking %d",
+					 active, this->count, i);
+				enable_disable(this, i, TRUE, TRUE);
+				/* we claim only one in each interval */
+				break;
+			}
+		}
+	}
+
+	this->mutex->unlock(this->mutex);
+
+	return JOB_RESCHEDULE(this->autobalance);
+}
+
+/**
+ * Schedule autobalancing
+ */
+static void start_autobalance(private_ha_segments_t *this)
+{
+	DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
+	lib->scheduler->schedule_job(lib->scheduler,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
+		this->autobalance);
 }
 
 METHOD(ha_segments_t, is_active, bool,
@@ -361,10 +436,6 @@ METHOD(ha_segments_t, is_active, bool,
 METHOD(ha_segments_t, destroy, void,
 	private_ha_segments_t *this)
 {
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
 	this->mutex->destroy(this->mutex);
 	this->condvar->destroy(this->condvar);
 	free(this);
@@ -398,19 +469,26 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.heartbeat_delay = lib->settings->get_int(lib->settings,
-			"charon.plugins.ha.heartbeat_delay", DEFAULT_HEARTBEAT_DELAY),
+				"%s.plugins.ha.heartbeat_delay", DEFAULT_HEARTBEAT_DELAY,
+				charon->name),
 		.heartbeat_timeout = lib->settings->get_int(lib->settings,
-			"charon.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT),
+				"%s.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT,
+				charon->name),
+		.autobalance = lib->settings->get_int(lib->settings,
+				"%s.plugins.ha.autobalance", 0, charon->name),
 	);
 
 	if (monitor)
 	{
 		DBG1(DBG_CFG, "starting HA heartbeat, delay %dms, timeout %dms",
 			 this->heartbeat_delay, this->heartbeat_timeout);
-		send_status(this);
+		start_heartbeat(this);
 		start_watchdog(this);
 	}
+	if (this->autobalance)
+	{
+		start_autobalance(this);
+	}
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index c02cf1021..e41e78bbf 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -22,7 +22,7 @@
 #include <unistd.h>
 
 #include <daemon.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
 
@@ -138,6 +138,7 @@ METHOD(ha_socket_t, pull, ha_message_t*,
 					DBG1(DBG_CFG, "pulling HA message failed: %s",
 						 strerror(errno));
 					sleep(1);
+					continue;
 			}
 		}
 		message = ha_message_parse(chunk_create(buf, len));
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 299053ec1..4e656e73b 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -203,12 +203,13 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	lib->credmgr->add_set(lib->credmgr, &this->creds.public);
 
 	/* create config and backend */
-	ike_cfg = ike_cfg_create(FALSE, FALSE, local, IKEV2_UDP_PORT,
-							 remote, IKEV2_UDP_PORT);
+	ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local, FALSE,
+							 charon->socket->get_port(charon->socket, FALSE),
+							 remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-	peer_cfg = peer_cfg_create("ha", 2, ike_cfg, CERT_NEVER_SEND,
-						UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, 30,
-						NULL, NULL, FALSE, NULL, NULL);
+	peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
+						UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
+						0, FALSE, NULL, NULL);
 
 	auth_cfg = auth_cfg_create();
 	auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
@@ -244,7 +245,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	charon->backends->add_backend(charon->backends, &this->backend.public);
 
 	/* install an acquiring trap */
-	this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg);
+	this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg, 0);
 }
 
 METHOD(ha_tunnel_t, destroy, void,
@@ -287,4 +288,3 @@ ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/ipseckey/Makefile.am b/src/libcharon/plugins/ipseckey/Makefile.am
new file mode 100644
index 000000000..3a69e521f
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/Makefile.am
@@ -0,0 +1,20 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ipseckey.la
+else
+plugin_LTLIBRARIES = libstrongswan-ipseckey.la
+endif
+
+libstrongswan_ipseckey_la_SOURCES = \
+	ipseckey_plugin.h ipseckey_plugin.c \
+	ipseckey_cred.h ipseckey_cred.c \
+	ipseckey.h ipseckey.c
+
+libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
new file mode 100644
index 000000000..cb9e9a82e
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -0,0 +1,689 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/ipseckey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ipseckey_la_LIBADD =
+am_libstrongswan_ipseckey_la_OBJECTS = ipseckey_plugin.lo \
+	ipseckey_cred.lo ipseckey.lo
+libstrongswan_ipseckey_la_OBJECTS =  \
+	$(am_libstrongswan_ipseckey_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ipseckey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ipseckey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ipseckey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ipseckey_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_ipseckey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ipseckey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ipseckey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ipseckey.la
+libstrongswan_ipseckey_la_SOURCES = \
+	ipseckey_plugin.h ipseckey_plugin.c \
+	ipseckey_cred.h ipseckey_cred.c \
+	ipseckey.h ipseckey.c
+
+libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/ipseckey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/ipseckey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ipseckey.la: $(libstrongswan_ipseckey_la_OBJECTS) $(libstrongswan_ipseckey_la_DEPENDENCIES) $(EXTRA_libstrongswan_ipseckey_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_ipseckey_la_LINK) $(am_libstrongswan_ipseckey_la_rpath) $(libstrongswan_ipseckey_la_OBJECTS) $(libstrongswan_ipseckey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipseckey.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipseckey_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipseckey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/ipseckey/ipseckey.c b/src/libcharon/plugins/ipseckey/ipseckey.c
new file mode 100644
index 000000000..ca126d772
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <bio/bio_reader.h>
+
+typedef struct private_ipseckey_t private_ipseckey_t;
+
+/**
+* private data of the ipseckey
+*/
+struct private_ipseckey_t {
+
+	/**
+	 * public functions
+	 */
+	ipseckey_t public;
+
+	/**
+	 * Precedence
+	 */
+	u_int8_t precedence;
+
+	/**
+	 * Gateway type
+	 */
+	u_int8_t gateway_type;
+
+	/**
+	 * Algorithm
+	 */
+	u_int8_t algorithm;
+
+	/**
+	 * Gateway
+	 */
+	chunk_t gateway;
+
+	/**
+	 * Public key
+	 */
+	chunk_t public_key;
+};
+
+METHOD(ipseckey_t, get_precedence, u_int8_t,
+	private_ipseckey_t *this)
+{
+	return this->precedence;
+}
+
+METHOD(ipseckey_t, get_gateway_type, ipseckey_gw_type_t,
+	private_ipseckey_t *this)
+{
+	return this->gateway_type;
+}
+
+METHOD(ipseckey_t, get_algorithm, ipseckey_algorithm_t,
+	private_ipseckey_t *this)
+{
+	return this->algorithm;
+}
+
+METHOD(ipseckey_t, get_gateway, chunk_t,
+	private_ipseckey_t *this)
+{
+	return this->gateway;
+}
+
+METHOD(ipseckey_t, get_public_key, chunk_t,
+	private_ipseckey_t *this)
+{
+	return this->public_key;
+}
+
+METHOD(ipseckey_t, destroy, void,
+	private_ipseckey_t *this)
+{
+	chunk_free(&this->gateway);
+	chunk_free(&this->public_key);
+	free(this);
+}
+
+/*
+ * See header
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr)
+{
+	private_ipseckey_t *this;
+	bio_reader_t *reader = NULL;
+	u_int8_t label;
+	chunk_t tmp;
+
+	INIT(this,
+			.public = {
+				.get_precedence = _get_precedence,
+				.get_gateway_type = _get_gateway_type,
+				.get_algorithm = _get_algorithm,
+				.get_gateway = _get_gateway,
+				.get_public_key = _get_public_key,
+				.destroy = _destroy,
+			},
+	);
+
+	if (rr->get_type(rr) != RR_TYPE_IPSECKEY)
+	{
+		DBG1(DBG_CFG, "unable to create an ipseckey out of an RR "
+					  "whose type is not IPSECKEY");
+		free(this);
+		return NULL;
+	}
+
+	/** Parse the content (RDATA field) of the RR */
+	reader = bio_reader_create(rr->get_rdata(rr));
+	if (!reader->read_uint8(reader, &this->precedence) ||
+		!reader->read_uint8(reader, &this->gateway_type) ||
+		!reader->read_uint8(reader, &this->algorithm))
+	{
+		DBG1(DBG_CFG, "ipseckey RR has a wrong format");
+		reader->destroy(reader);
+		free(this);
+		return NULL;
+	}
+
+	switch (this->gateway_type)
+	{
+		case IPSECKEY_GW_TP_NOT_PRESENT:
+			break;
+
+		case IPSECKEY_GW_TP_IPV4:
+			if (!reader->read_data(reader, 4, &this->gateway))
+			{
+				DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+							  "IPv4 address as expected");
+				reader->destroy(reader);
+				free(this);
+				return NULL;
+			}
+			this->gateway = chunk_clone(this->gateway);
+			break;
+
+		case IPSECKEY_GW_TP_IPV6:
+			if (!reader->read_data(reader, 16, &this->gateway))
+			{
+				DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+							  "IPv6 address as expected");
+				reader->destroy(reader);
+				free(this);
+				return NULL;
+			}
+			this->gateway = chunk_clone(this->gateway);
+			break;
+
+		case IPSECKEY_GW_TP_WR_ENC_DNAME:
+			/**
+			 * Uncompressed domain name as defined in RFC 1035 chapter 3.
+			 *
+			 * TODO: Currently we ignore wire encoded domain names.
+			 *
+			 */
+			while (reader->read_uint8(reader, &label) &&
+				   label != 0 && label < 192)
+			{
+				if (!reader->read_data(reader, label, &tmp))
+				{
+					DBG1(DBG_CFG, "wrong wire encoded domain name format "
+								  "in ipseckey gateway field");
+					reader->destroy(reader);
+					free(this);
+					return NULL;
+				}
+			}
+			break;
+
+		default:
+			DBG1(DBG_CFG, "unable to parse ipseckey gateway field");
+			reader->destroy(reader);
+			free(this);
+			return NULL;
+	}
+
+	if (!reader->read_data(reader, reader->remaining(reader),
+						   &this->public_key))
+	{
+		DBG1(DBG_CFG, "failed to read ipseckey public key field");
+		reader->destroy(reader);
+		chunk_free(&this->gateway);
+		free(this);
+		return NULL;
+	}
+	this->public_key = chunk_clone(this->public_key);
+	reader->destroy(reader);
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ipseckey/ipseckey.h b/src/libcharon/plugins/ipseckey/ipseckey.h
new file mode 100644
index 000000000..5885daeee
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_i ipseckey
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_H_
+#define IPSECKEY_H_
+
+typedef struct ipseckey_t ipseckey_t;
+typedef enum ipseckey_algorithm_t ipseckey_algorithm_t;
+typedef enum ipseckey_gw_type_t ipseckey_gw_type_t;
+
+#include <library.h>
+
+/**
+ * IPSECKEY gateway types as defined in RFC 4025.
+ */
+enum ipseckey_gw_type_t {
+	/** No gateway is present */
+	IPSECKEY_GW_TP_NOT_PRESENT = 0,
+	/** A 4-byte IPv4 address is present */
+	IPSECKEY_GW_TP_IPV4 = 1,
+	/** A 16-byte IPv6 address is present */
+	IPSECKEY_GW_TP_IPV6 = 2,
+	/** A wire-encoded domain name is present */
+	IPSECKEY_GW_TP_WR_ENC_DNAME = 3,
+};
+
+/**
+ * IPSECKEY algorithms as defined in RFC 4025.
+ */
+enum ipseckey_algorithm_t {
+	/** No key present */
+	IPSECKEY_ALGORITHM_NONE = 0,
+	/** DSA key */
+	IPSECKEY_ALGORITHM_DSA = 1,
+	/** RSA key */
+	IPSECKEY_ALGORITHM_RSA = 2,
+};
+
+/**
+ * An IPSECKEY.
+ *
+ * Represents an IPSECKEY as defined in RFC 4025:
+ *
+ *      0                   1                   2                   3
+ *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |  precedence   | gateway type  |  algorithm  |     gateway     |
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+                 +
+ *   ~                            gateway                            ~
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |                                                               /
+ *   /                          public key                           /
+ *   /                                                               /
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ *
+ *
+ * Note: RFC 4025 defines that the algorithm field has a length of 7 bits.
+ * 		 We use 8 bits instead, because the use of 7 bits is very uncommon
+ * 		 in internet protocols and might be an error in RFC 4025
+ * 		 (also the BIND DNS server uses 8 bits for the algorithm field of the
+ * 		 IPSECKEY resource records).
+ *
+ */
+struct ipseckey_t {
+
+	/**
+	 * Get the precedence of the IPSECKEY.
+	 *
+	 * @return		precedence
+	 */
+	u_int8_t (*get_precedence)(ipseckey_t *this);
+
+	/**
+	 * Get the type of the gateway.
+	 *
+	 * The "gateway type" determines the format of the gateway field
+	 * of the IPSECKEY.
+	 *
+	 * @return		gateway type
+	 */
+	ipseckey_gw_type_t (*get_gateway_type)(ipseckey_t *this);
+
+	/**
+	 * Get the algorithm.
+	 *
+	 * The "algorithm" determines the format of the public key field
+	 * of the IPSECKEY.
+	 *
+	 * @return			algorithm
+	 */
+	ipseckey_algorithm_t (*get_algorithm)(ipseckey_t *this);
+
+	/**
+	 * Get the content of the gateway field as chunk.
+	 *
+	 * The content is in network byte order and its format depends on the
+	 * gateway type.
+	 *
+	 * The data pointed by the chunk is still owned by the IPSECKEY.
+	 * Clone it if necessary.
+	 *
+	 * @return			gateway field as chunk
+	 */
+	chunk_t (*get_gateway)(ipseckey_t *this);
+
+	/**
+	 * Get the content of the public key field as chunk.
+	 *
+	 * The format of the public key depends on the algorithm type.
+	 *
+	 * The data pointed by the chunk is still owned by the IPSECKEY.
+	 * Clone it if necessary.
+	 *
+	 * @return			public key field as chunk
+	 */
+	chunk_t (*get_public_key)(ipseckey_t *this);
+
+	/**
+	 * Destroy the IPSECKEY.
+	 */
+	void (*destroy) (ipseckey_t *this);
+};
+
+/**
+ * Create an ipseckey instance out of a resource record.
+ *
+ * @param	rr		resource record which contains an IPSECKEY
+ * @return			ipseckey, NULL on failure
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr);
+
+#endif /** IPSECKEY_H_ @}*/
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
new file mode 100644
index 000000000..e8722f12c
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+
+#include "ipseckey_cred.h"
+#include "ipseckey.h"
+
+#include <bio/bio_reader.h>
+#include <daemon.h>
+
+typedef struct private_ipseckey_cred_t private_ipseckey_cred_t;
+
+/**
+ * Private data of an ipseckey_cred_t object
+ */
+struct private_ipseckey_cred_t {
+
+	/**
+	 * Public part
+	 */
+	ipseckey_cred_t public;
+
+	/**
+	 * DNS resolver
+	 */
+	resolver_t *res;
+};
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator interface */
+	enumerator_t public;
+	/** inner enumerator (enumerates IPSECKEY resource records) */
+	enumerator_t *inner;
+	/** response of the DNS resolver which contains the IPSECKEYs */
+	resolver_response_t *response;
+	/* IPSECKEYs are not valid before this point in time */
+	time_t notBefore;
+	/* IPSECKEYs are not valid after this point in time */
+	time_t notAfter;
+	/* identity to which the IPSECKEY belongs */
+	identification_t *identity;
+} cert_enumerator_t;
+
+METHOD(enumerator_t, cert_enumerator_enumerate, bool,
+	cert_enumerator_t *this, certificate_t **cert)
+{
+	rr_t *cur_rr = NULL;
+	ipseckey_t *cur_ipseckey = NULL;
+	chunk_t pub_key;
+	public_key_t * key = NULL;
+	bool supported_ipseckey_found = FALSE;
+
+	/* Get the next supported IPSECKEY using the inner enumerator. */
+	while (this->inner->enumerate(this->inner, &cur_rr) &&
+		   !supported_ipseckey_found)
+	{
+		supported_ipseckey_found = TRUE;
+
+		cur_ipseckey = ipseckey_create_frm_rr(cur_rr);
+
+		if (!cur_ipseckey)
+		{
+			DBG1(DBG_CFG, "failed to parse ipseckey - skipping this key");
+			supported_ipseckey_found = FALSE;
+		}
+
+		if (cur_ipseckey &&
+			cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
+		{
+			DBG1(DBG_CFG, "unsupported ipseckey algorithm -skipping this key");
+			cur_ipseckey->destroy(cur_ipseckey);
+			supported_ipseckey_found = FALSE;
+		}
+	}
+
+	if (supported_ipseckey_found)
+	{
+		/*
+		 * Wrap the key of the IPSECKEY in a certificate and return this
+		 * certificate.
+		 */
+		pub_key = cur_ipseckey->get_public_key(cur_ipseckey);
+
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+								 BUILD_BLOB_DNSKEY, pub_key,
+								 BUILD_END);
+
+		if (!key)
+		{
+			DBG1(DBG_CFG, "failed to create public key from ipseckey");
+			cur_ipseckey->destroy(cur_ipseckey);
+			return FALSE;
+		}
+
+		*cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								   CERT_TRUSTED_PUBKEY,
+								   BUILD_PUBLIC_KEY, key,
+								   BUILD_SUBJECT, this->identity,
+								   BUILD_NOT_BEFORE_TIME, this->notBefore,
+								   BUILD_NOT_AFTER_TIME, this->notAfter,
+								   BUILD_END);
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+METHOD(enumerator_t, cert_enumerator_destroy, void,
+	cert_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	this->response->destroy(this->response);
+	free(this);
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_ipseckey_cred_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	char *fqdn = NULL;
+	resolver_response_t *response = NULL;
+	rr_set_t *rrset = NULL;
+	enumerator_t *rrsig_enum = NULL;
+	rr_t *rrsig = NULL;
+	bio_reader_t *reader = NULL;
+	chunk_t ignore;
+	u_int32_t nBefore, nAfter;
+	cert_enumerator_t *e;
+
+	if (id && id->get_type(id) == ID_FQDN)
+	{
+		/**	Query the DNS for the required IPSECKEY RRs */
+
+		if (0 >= asprintf(&fqdn, "%Y", id))
+		{
+			DBG1(DBG_CFG, "empty FQDN string");
+			return enumerator_create_empty();
+		}
+
+		DBG1(DBG_CFG, "performing a DNS query for IPSECKEY RRs of '%s'",
+					   fqdn);
+		response = this->res->query(this->res, fqdn, RR_CLASS_IN,
+									RR_TYPE_IPSECKEY);
+		if (!response)
+		{
+			DBG1(DBG_CFG, "  query for IPSECKEY RRs failed");
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		if (!response->has_data(response) ||
+			!response->query_name_exist(response))
+		{
+			DBG1(DBG_CFG, "  unable to retrieve IPSECKEY RRs from the DNS");
+			response->destroy(response);
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		if (!(response->get_security_state(response) == SECURE))
+		{
+			DBG1(DBG_CFG, "  DNSSEC state of IPSECKEY RRs is not secure");
+			response->destroy(response);
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		free(fqdn);
+
+		/** Determine the validity period of the retrieved IPSECKEYs
+		 *
+		 * We use the "Signature Inception" and "Signature Expiration" field
+		 * of the first RRSIG RR to determine the validity period of the
+		 * IPSECKEY RRs. TODO: Take multiple RRSIGs into account.
+		 */
+		rrset = response->get_rr_set(response);
+		rrsig_enum = rrset->create_rrsig_enumerator(rrset);
+		if (!rrsig_enum || !rrsig_enum->enumerate(rrsig_enum, &rrsig))
+		{
+			DBG1(DBG_CFG, "  unable to determine the validity period of "
+						  "IPSECKEY RRs because no RRSIGs are present");
+			DESTROY_IF(rrsig_enum);
+			response->destroy(response);
+			return enumerator_create_empty();
+		}
+
+		/**
+		 * Parse the RRSIG for its validity period (RFC 4034)
+		 */
+		reader = bio_reader_create(rrsig->get_rdata(rrsig));
+		reader->read_data(reader, 8, &ignore);
+		reader->read_uint32(reader, &nAfter);
+		reader->read_uint32(reader, &nBefore);
+		reader->destroy(reader);
+
+		/*Create and return an iterator over the retrieved IPSECKEYs */
+		INIT(e,
+			.public = {
+				.enumerate = (void*)_cert_enumerator_enumerate,
+				.destroy = _cert_enumerator_destroy,
+			},
+			.inner = response->get_rr_set(response)->create_rr_enumerator(
+										  response->get_rr_set(response)),
+			.response = response,
+			.notBefore = nBefore,
+			.notAfter = nAfter,
+			.identity = id,
+		);
+
+		return &e->public;
+	}
+
+
+	return enumerator_create_empty();
+}
+
+METHOD(ipseckey_cred_t, destroy, void,
+	private_ipseckey_cred_t *this)
+{
+	this->res->destroy(this->res);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res)
+{
+	private_ipseckey_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_shared_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.res = res,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.h b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
new file mode 100644
index 000000000..f0f52fd6a
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_cred_i ipseckey_cred
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_CRED_H_
+#define IPSECKEY_CRED_H_
+
+#include <credentials/credential_set.h>
+#include <resolver/resolver.h>
+
+typedef struct ipseckey_cred_t ipseckey_cred_t;
+
+/**
+ * IPSECKEY credential set.
+ *
+ * The ipseckey credential set contains IPSECKEYs as certificates of type
+ * pubkey_cert_t.
+ */
+struct ipseckey_cred_t {
+
+	/**
+	 * Implements credential_set_t interface
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy the ipseckey_cred.
+	 */
+	void (*destroy)(ipseckey_cred_t *this);
+};
+
+/**
+ * Create an ipseckey_cred instance which uses the given resolver
+ * to query the DNS for IPSECKEY resource records.
+ *
+ * @param res		resolver to use (gets adopted)
+ * @return			credential set
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res);
+
+#endif /** IPSECKEY_CRED_H_ @}*/
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
new file mode 100644
index 000000000..2fd820f94
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey_plugin.h"
+
+#include <daemon.h>
+#include "ipseckey_cred.h"
+
+typedef struct private_ipseckey_plugin_t private_ipseckey_plugin_t;
+
+
+/**
+ * private data of the ipseckey plugin
+ */
+struct private_ipseckey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	ipseckey_plugin_t public;
+
+	/**
+	 * credential set
+	 */
+	ipseckey_cred_t *cred;
+
+	/**
+	 * IPSECKEY based authentication enabled
+	 */
+	bool enabled;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_ipseckey_plugin_t *this)
+{
+	return "ipseckey";
+}
+
+METHOD(plugin_t, reload, bool,
+	private_ipseckey_plugin_t *this)
+{
+	bool enabled = lib->settings->get_bool(lib->settings,
+							"%s.plugins.ipseckey.enable", FALSE, charon->name);
+
+	if (enabled != this->enabled)
+	{
+		if (enabled)
+		{
+			lib->credmgr->add_set(lib->credmgr, &this->cred->set);
+		}
+		else
+		{
+			lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+		}
+		this->enabled = enabled;
+	}
+	DBG1(DBG_CFG, "ipseckey plugin is %sabled", this->enabled ? "en" : "dis");
+	return TRUE;
+}
+
+/**
+ * Create resolver and register credential set
+ */
+static bool plugin_cb(private_ipseckey_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		resolver_t *res;
+
+		res = lib->resolver->create(lib->resolver);
+		if (!res)
+		{
+			DBG1(DBG_CFG, "failed to create a DNS resolver instance");
+			return FALSE;
+		}
+
+		this->cred = ipseckey_cred_create(res);
+		reload(this);
+	}
+	else
+	{
+		if (this->enabled)
+		{
+			lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+		}
+		this->cred->destroy(this->cred);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_ipseckey_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "ipseckey"),
+				PLUGIN_DEPENDS(RESOLVER),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_ipseckey_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ipseckey_plugin_create()
+{
+	private_ipseckey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.reload = _reload,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.h b/src/libcharon/plugins/ipseckey/ipseckey_plugin.h
new file mode 100644
index 000000000..95acc79dd
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey ipseckey
+ * @ingroup cplugins
+ *
+ * @defgroup ipseckey_plugin ipseckey_plugin
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_PLUGIN_H_
+#define IPSECKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ipseckey_plugin_t ipseckey_plugin_t;
+
+/**
+ * IPSECKEY plugin
+ *
+ * The IPSECKEY plugin registers a credential set for IPSECKEYs.
+ *
+ * With this credential set it is possible to authenticate tunnel endpoints
+ * using IPSECKEY resource records which are retrieved from the DNS in a secure
+ * way (DNSSEC).
+ */
+struct ipseckey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** IPSECKEY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.am b/src/libcharon/plugins/kernel_libipsec/Makefile.am
new file mode 100644
index 000000000..a39d06753
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.am
@@ -0,0 +1,23 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libipsec
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+else
+plugin_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+endif
+
+libstrongswan_kernel_libipsec_la_SOURCES = \
+	kernel_libipsec_plugin.h kernel_libipsec_plugin.c \
+	kernel_libipsec_ipsec.h kernel_libipsec_ipsec.c \
+	kernel_libipsec_router.h kernel_libipsec_router.c
+
+libstrongswan_kernel_libipsec_la_LIBADD = $(top_builddir)/src/libipsec/libipsec.la
+
+libstrongswan_kernel_libipsec_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
new file mode 100644
index 000000000..e5af6e089
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -0,0 +1,693 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/kernel_libipsec
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_kernel_libipsec_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libipsec/libipsec.la
+am_libstrongswan_kernel_libipsec_la_OBJECTS =  \
+	kernel_libipsec_plugin.lo kernel_libipsec_ipsec.lo \
+	kernel_libipsec_router.lo
+libstrongswan_kernel_libipsec_la_OBJECTS =  \
+	$(am_libstrongswan_kernel_libipsec_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_libipsec_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_kernel_libipsec_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_kernel_libipsec_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_kernel_libipsec_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_kernel_libipsec_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_libipsec_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libipsec
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-libipsec.la
+libstrongswan_kernel_libipsec_la_SOURCES = \
+	kernel_libipsec_plugin.h kernel_libipsec_plugin.c \
+	kernel_libipsec_ipsec.h kernel_libipsec_ipsec.c \
+	kernel_libipsec_router.h kernel_libipsec_router.c
+
+libstrongswan_kernel_libipsec_la_LIBADD = $(top_builddir)/src/libipsec/libipsec.la
+libstrongswan_kernel_libipsec_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_libipsec/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_libipsec/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-kernel-libipsec.la: $(libstrongswan_kernel_libipsec_la_OBJECTS) $(libstrongswan_kernel_libipsec_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_libipsec_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_kernel_libipsec_la_LINK) $(am_libstrongswan_kernel_libipsec_la_rpath) $(libstrongswan_kernel_libipsec_la_OBJECTS) $(libstrongswan_kernel_libipsec_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_router.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
new file mode 100644
index 000000000..40f253d5a
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -0,0 +1,701 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.  *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_libipsec_ipsec.h"
+#include "kernel_libipsec_router.h"
+
+#include <library.h>
+#include <ipsec.h>
+#include <hydra.h>
+#include <networking/tun_device.h>
+#include <threading/mutex.h>
+#include <utils/debug.h>
+
+typedef struct private_kernel_libipsec_ipsec_t private_kernel_libipsec_ipsec_t;
+
+struct private_kernel_libipsec_ipsec_t {
+
+	/**
+	 * Public libipsec_ipsec interface
+	 */
+	kernel_libipsec_ipsec_t public;
+
+	/**
+	 * Listener for lifetime expire events
+	 */
+	ipsec_event_listener_t ipsec_listener;
+
+	/**
+	 * Mutex to lock access to various lists
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of installed policies (policy_entry_t)
+	 */
+	linked_list_t *policies;
+
+	/**
+	 * List of exclude routes (exclude_route_t)
+	 */
+	linked_list_t *excludes;
+};
+
+typedef struct exclude_route_t exclude_route_t;
+
+/**
+ * Exclude route definition
+ */
+struct exclude_route_t {
+	/** Destination address to exclude */
+	host_t *dst;
+	/** Source address for route */
+	host_t *src;
+	/** Nexthop exclude has been installed */
+	host_t *gtw;
+	/** References to this route */
+	int refs;
+};
+
+/**
+ * Clean up an exclude route entry
+ */
+static void exclude_route_destroy(exclude_route_t *this)
+{
+	this->dst->destroy(this->dst);
+	this->src->destroy(this->src);
+	this->gtw->destroy(this->gtw);
+	free(this);
+}
+
+/**
+ * Find an exclude route entry by destination address
+ */
+static bool exclude_route_match(exclude_route_t *current,
+								host_t *dst)
+{
+	return dst->ip_equals(dst, current->dst);
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * Installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+	/** Source IP of the route */
+	host_t *src_ip;
+	/** Gateway of the route */
+	host_t *gateway;
+	/** Destination net */
+	chunk_t dst_net;
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+	/** Reference to exclude route, if any */
+	exclude_route_t *exclude;
+};
+
+/**
+ * Destroy a route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	DESTROY_IF(this->src_ip);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+/**
+ * Compare two route_entry_t objects
+ */
+static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
+{
+	if ((!a->src_ip && !b->src_ip) || (a->src_ip && b->src_ip &&
+		  a->src_ip->ip_equals(a->src_ip, b->src_ip)))
+	{
+		if ((!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+			  a->gateway->ip_equals(a->gateway, b->gateway)))
+		{
+			return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+				   chunk_equals(a->dst_net, b->dst_net) &&
+				   a->prefixlen == b->prefixlen;
+		}
+	}
+	return FALSE;
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * Installed policy
+ */
+struct policy_entry_t {
+	/** Direction of this policy: in, out, forward */
+	u_int8_t direction;
+	/** Parameters of installed policy */
+	struct {
+		/** Subnet and port */
+		host_t *net;
+		/** Subnet mask */
+		u_int8_t mask;
+		/** Protocol */
+		u_int8_t proto;
+	} src, dst;
+	/** Associated route installed for this policy */
+	route_entry_t *route;
+	/** References to this policy */
+	int refs;
+};
+
+/**
+ * Create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+										   traffic_selector_t *dst_ts,
+										   policy_dir_t dir)
+{
+	policy_entry_t *this;
+	INIT(this,
+		.direction = dir,
+	);
+
+	src_ts->to_subnet(src_ts, &this->src.net, &this->src.mask);
+	dst_ts->to_subnet(dst_ts, &this->dst.net, &this->dst.mask);
+
+	/* src or dest proto may be "any" (0), use more restrictive one */
+	this->src.proto = max(src_ts->get_protocol(src_ts),
+						  dst_ts->get_protocol(dst_ts));
+	this->src.proto = this->src.proto ? this->src.proto : 0;
+	this->dst.proto = this->src.proto;
+	return this;
+}
+
+/**
+ * Destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+	if (this->route)
+	{
+		route_entry_destroy(this->route);
+	}
+	DESTROY_IF(this->src.net);
+	DESTROY_IF(this->dst.net);
+	free(this);
+}
+
+/**
+ * Compare two policy_entry_t objects
+ */
+static inline bool policy_entry_equals(policy_entry_t *a,
+									   policy_entry_t *b)
+{
+	return a->direction == b->direction &&
+		   a->src.proto == b->src.proto &&
+		   a->dst.proto == b->dst.proto &&
+		   a->src.mask == b->src.mask &&
+		   a->dst.mask == b->dst.mask &&
+		   a->src.net->equals(a->src.net, b->src.net) &&
+		   a->dst.net->equals(a->dst.net, b->dst.net);
+}
+
+/**
+ * Expiration callback
+ */
+static void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard)
+{
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, hard);
+}
+
+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	return KERNEL_REQUIRE_UDP_ENCAPSULATION;
+}
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+{
+	return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, reqid, spi);
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t reqid, u_int16_t *cpi)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
+	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
+							  tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
+							  mode, ipcomp, cpi, initiator, encap, esn, inbound,
+							  src_ts, dst_ts);
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap, mark_t mark)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes,
+	u_int64_t *packets, u_int32_t *time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	return ipsec->sas->del_sa(ipsec->sas, src, dst, spi, protocol, cpi, mark);
+}
+
+METHOD(kernel_ipsec_t, flush_sas, status_t,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	return ipsec->sas->flush_sas(ipsec->sas);
+}
+
+/**
+ * Add an explicit exclude route to a routing entry
+ */
+static void add_exclude_route(private_kernel_libipsec_ipsec_t *this,
+							  route_entry_t *route, host_t *src, host_t *dst)
+{
+	exclude_route_t *exclude;
+	host_t *gtw;
+
+	if (this->excludes->find_first(this->excludes,
+								  (linked_list_match_t)exclude_route_match,
+								  (void**)&exclude, dst) == SUCCESS)
+	{
+		route->exclude = exclude;
+		exclude->refs++;
+	}
+
+	if (!route->exclude)
+	{
+		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
+		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
+												   dst, NULL);
+		if (gtw)
+		{
+			char *if_name = NULL;
+
+			if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface, src, &if_name) &&
+				hydra->kernel_interface->add_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									gtw, src, if_name) == SUCCESS)
+			{
+				INIT(exclude,
+					.dst = dst->clone(dst),
+					.src = src->clone(src),
+					.gtw = gtw->clone(gtw),
+					.refs = 1,
+				);
+				route->exclude = exclude;
+				this->excludes->insert_last(this->excludes, exclude);
+			}
+			else
+			{
+				DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
+			}
+			gtw->destroy(gtw);
+			free(if_name);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "gateway lookup for %H failed", dst);
+		}
+	}
+}
+
+/**
+ * Remove an exclude route attached to a routing entry
+ */
+static void remove_exclude_route(private_kernel_libipsec_ipsec_t *this,
+								 route_entry_t *route)
+{
+	char *if_name = NULL;
+	host_t *dst;
+
+	if (!route->exclude || --route->exclude->refs > 0)
+	{
+		return;
+	}
+	this->excludes->remove(this->excludes, route->exclude, NULL);
+
+	dst = route->exclude->dst;
+	DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
+		 dst, route->exclude->src);
+	if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface,
+									route->exclude->src, &if_name) &&
+		hydra->kernel_interface->del_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									route->exclude->gtw, route->exclude->src,
+									if_name) != SUCCESS)
+	{
+		DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
+	}
+	exclude_route_destroy(route->exclude);
+	route->exclude = NULL;
+	free(if_name);
+}
+
+/**
+ * Install a route for the given policy
+ *
+ * this->mutex is released by this function
+ */
+static bool install_route(private_kernel_libipsec_ipsec_t *this,
+	host_t *src, host_t *dst, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_entry_t *policy)
+{
+	route_entry_t *route, *old;
+	host_t *src_ip;
+	bool is_virtual;
+
+	if (policy->direction != POLICY_OUT)
+	{
+		this->mutex->unlock(this->mutex);
+		return TRUE;
+	}
+
+	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+									src_ts, &src_ip, &is_virtual) != SUCCESS)
+	{
+		traffic_selector_t *multicast, *broadcast = NULL;
+		bool ignore = FALSE;
+
+		this->mutex->unlock(this->mutex);
+		switch (src_ts->get_type(src_ts))
+		{
+			case TS_IPV4_ADDR_RANGE:
+				multicast = traffic_selector_create_from_cidr("224.0.0.0/4",
+															  0, 0, 0xffff);
+				broadcast = traffic_selector_create_from_cidr("255.255.255.255/32",
+															  0, 0, 0xffff);
+				break;
+			case TS_IPV6_ADDR_RANGE:
+				multicast = traffic_selector_create_from_cidr("ff00::/8",
+															  0, 0, 0xffff);
+				break;
+			default:
+				return FALSE;
+		}
+		ignore = src_ts->is_contained_in(src_ts, multicast);
+		ignore |= broadcast && src_ts->is_contained_in(src_ts, broadcast);
+		multicast->destroy(multicast);
+		DESTROY_IF(broadcast);
+		if (!ignore)
+		{
+			DBG1(DBG_KNL, "error installing route with policy %R === %R %N",
+				 src_ts, dst_ts, policy_dir_names, policy->direction);
+		}
+		return ignore;
+	}
+
+	INIT(route,
+		.if_name = router->get_tun_name(router, is_virtual ? src_ip : NULL),
+		.src_ip = src_ip,
+		.dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net)),
+		.prefixlen = policy->dst.mask,
+	);
+#ifndef __linux__
+	/* on Linux we cant't install a gateway */
+	route->gateway = hydra->kernel_interface->get_nexthop(
+											hydra->kernel_interface, dst, src);
+#endif
+
+	if (policy->route)
+	{
+		old = policy->route;
+
+		if (route_entry_equals(old, route))
+		{	/* such a route already exists */
+			route_entry_destroy(route);
+			this->mutex->unlock(this->mutex);
+			return TRUE;
+		}
+		/* uninstall previously installed route */
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+									old->dst_net, old->prefixlen, old->gateway,
+									old->src_ip, old->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with policy "
+				 "%R === %R %N", src_ts, dst_ts, policy_dir_names,
+				 policy->direction);
+		}
+		route_entry_destroy(old);
+		policy->route = NULL;
+	}
+
+	if (dst_ts->is_host(dst_ts, dst))
+	{
+		DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts with "
+			 "IKE traffic", src_ts, dst_ts, policy_dir_names,
+			 policy->direction);
+		route_entry_destroy(route);
+		this->mutex->unlock(this->mutex);
+		return FALSE;
+	}
+	/* if remote traffic selector covers the IKE peer, add an exclude route */
+	if (dst_ts->includes(dst_ts, dst))
+	{
+		/* add exclude route for peer */
+		add_exclude_route(this, route, src, dst);
+	}
+
+	DBG2(DBG_KNL, "installing route: %R src %H dev %s",
+		 dst_ts, route->src_ip, route->if_name);
+
+	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
+							route->dst_net, route->prefixlen, route->gateway,
+							route->src_ip, route->if_name))
+	{
+		case ALREADY_DONE:
+			/* route exists, do not uninstall */
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			this->mutex->unlock(this->mutex);
+			return TRUE;
+		case SUCCESS:
+			/* cache the installed route */
+			policy->route = route;
+			this->mutex->unlock(this->mutex);
+			return TRUE;
+		default:
+			DBG1(DBG_KNL, "installing route failed: %R src %H dev %s",
+				 dst_ts, route->src_ip, route->if_name);
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			this->mutex->unlock(this->mutex);
+			return FALSE;
+	}
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+	policy_priority_t priority)
+{
+	policy_entry_t *policy, *found = NULL;
+	status_t status;
+
+	if (type != POLICY_IPSEC)
+	{
+		return SUCCESS;
+	}
+
+	status = ipsec->policies->add_policy(ipsec->policies, src, dst, src_ts,
+								dst_ts, direction, type, sa, mark, priority);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+	/* we track policies in order to install routes */
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+								  (linked_list_match_t)policy_entry_equals,
+								  (void**)&found, policy) == SUCCESS)
+	{
+		policy_entry_destroy(policy);
+		policy = found;
+	}
+	else
+	{	/* use the new one, if we have no such policy */
+		this->policies->insert_last(this->policies, policy);
+	}
+	policy->refs++;
+
+	if (!install_route(this, src, dst, src_ts, dst_ts, policy))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+	u_int32_t *use_time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	mark_t mark, policy_priority_t priority)
+{
+	policy_entry_t *policy, *found = NULL;
+	status_t status;
+
+	status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
+										 direction, reqid, mark, priority);
+
+	policy = create_policy_entry(src_ts, dst_ts, direction);
+
+	this->mutex->lock(this->mutex);
+	if (this->policies->find_first(this->policies,
+								  (linked_list_match_t)policy_entry_equals,
+								  (void**)&found, policy) != SUCCESS)
+	{
+		policy_entry_destroy(policy);
+		this->mutex->unlock(this->mutex);
+		return status;
+	}
+	policy_entry_destroy(policy);
+	policy = found;
+
+	if (--policy->refs > 0)
+	{	/* policy is still in use */
+		this->mutex->unlock(this->mutex);
+		return status;
+	}
+
+	if (policy->route)
+	{
+		route_entry_t *route = policy->route;
+
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+				route->dst_net, route->prefixlen, route->gateway, route->src_ip,
+				route->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with "
+						  "policy %R === %R %N", src_ts, dst_ts,
+						   policy_dir_names, direction);
+		}
+		remove_exclude_route(this, route);
+	}
+	this->policies->remove(this->policies, policy, NULL);
+	policy_entry_destroy(policy);
+	this->mutex->unlock(this->mutex);
+	return status;
+}
+
+METHOD(kernel_ipsec_t, flush_policies, status_t,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	policy_entry_t *pol;
+	status_t status;
+
+	status = ipsec->policies->flush_policies(ipsec->policies);
+
+	this->mutex->lock(this->mutex);
+	while (this->policies->remove_first(this->policies, (void*)&pol) == SUCCESS)
+	{
+		if (pol->route)
+		{
+			route_entry_t *route = pol->route;
+
+			hydra->kernel_interface->del_route(hydra->kernel_interface,
+					route->dst_net, route->prefixlen, route->gateway,
+					route->src_ip, route->if_name);
+			remove_exclude_route(this, route);
+		}
+		policy_entry_destroy(pol);
+	}
+	this->mutex->unlock(this->mutex);
+	return status;
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+	private_kernel_libipsec_ipsec_t *this, int fd, int family)
+{
+	/* we use exclude routes for this */
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+	private_kernel_libipsec_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_libipsec_ipsec_t *this)
+{
+	ipsec->events->unregister_listener(ipsec->events, &this->ipsec_listener);
+	this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+	this->excludes->destroy(this->excludes);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create()
+{
+	private_kernel_libipsec_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_features = _get_features,
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.flush_sas = _flush_sas,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.flush_policies = _flush_policies,
+				.bypass_socket = _bypass_socket,
+				.enable_udp_decap = _enable_udp_decap,
+				.destroy = _destroy,
+			},
+		},
+		.ipsec_listener = {
+			.expire = expire,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.policies = linked_list_create(),
+		.excludes = linked_list_create(),
+	);
+
+	ipsec->events->register_listener(ipsec->events, &this->ipsec_listener);
+
+	return &this->public;
+};
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.h b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.h
new file mode 100644
index 000000000..0a4936706
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_libipsec_ipsec kernel_libipsec_ipsec
+ * @{ @ingroup kernel_libipsec
+ */
+
+#ifndef KERNEL_LIBIPSEC_IPSEC_H_
+#define KERNEL_LIBIPSEC_IPSEC_H_
+
+#include <library.h>
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_libipsec_ipsec_t kernel_libipsec_ipsec_t;
+
+/**
+ * Implementation of the ipsec interface using libipsec
+ */
+struct kernel_libipsec_ipsec_t {
+
+	/**
+	 * Implements kernel_ipsec_t interface
+	 */
+	kernel_ipsec_t interface;
+};
+
+/**
+ * Create a libipsec ipsec interface instance.
+ *
+ * @return			kernel_libipsec_ipsec_t instance
+ */
+kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create();
+
+#endif /** KERNEL_LIBIPSEC_IPSEC_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
new file mode 100644
index 000000000..56f526217
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_libipsec_plugin.h"
+#include "kernel_libipsec_ipsec.h"
+#include "kernel_libipsec_router.h"
+
+#include <daemon.h>
+#include <ipsec.h>
+#include <networking/tun_device.h>
+
+#define TUN_DEFAULT_MTU 1400
+
+typedef struct private_kernel_libipsec_plugin_t private_kernel_libipsec_plugin_t;
+
+/**
+ * private data of "kernel" libipsec plugin
+ */
+struct private_kernel_libipsec_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	kernel_libipsec_plugin_t public;
+
+	/**
+	 * TUN device created by this plugin
+	 */
+	tun_device_t *tun;
+
+	/**
+	 * Packet router
+	 */
+	kernel_libipsec_router_t *router;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_kernel_libipsec_plugin_t *this)
+{
+	return "kernel-libipsec";
+}
+
+/**
+ * Create the kernel_libipsec_router_t instance
+ */
+static bool create_router(private_kernel_libipsec_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *arg)
+{
+	if (reg)
+	{	/* registers as packet handler etc. */
+		this->router = kernel_libipsec_router_create();
+	}
+	else
+	{
+		DESTROY_IF(this->router);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_kernel_libipsec_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(kernel_ipsec_register, kernel_libipsec_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)create_router, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-libipsec-router"),
+				PLUGIN_DEPENDS(CUSTOM, "libcharon-receiver"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_kernel_libipsec_plugin_t *this)
+{
+	if (this->tun)
+	{
+		lib->set(lib, "kernel-libipsec-tun", NULL);
+		this->tun->destroy(this->tun);
+	}
+	libipsec_deinit();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *kernel_libipsec_plugin_create()
+{
+	private_kernel_libipsec_plugin_t *this;
+
+	if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
+	{	/* required to create TUN devices */
+		DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
+			 "capability");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	if (!libipsec_init())
+	{
+		DBG1(DBG_LIB, "initialization of libipsec failed");
+		destroy(this);
+		return NULL;
+	}
+
+	this->tun = tun_device_create("ipsec%d");
+	if (!this->tun)
+	{
+		DBG1(DBG_KNL, "failed to create TUN device");
+		destroy(this);
+		return NULL;
+	}
+	if (!this->tun->set_mtu(this->tun, TUN_DEFAULT_MTU) ||
+		!this->tun->up(this->tun))
+	{
+		DBG1(DBG_KNL, "failed to configure TUN device");
+		destroy(this);
+		return NULL;
+	}
+	lib->set(lib, "kernel-libipsec-tun", this->tun);
+
+	/* set TUN device as default to install VIPs */
+	lib->settings->set_str(lib->settings, "%s.install_virtual_ip_on",
+						   this->tun->get_name(this->tun), charon->name);
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.h b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.h
new file mode 100644
index 000000000..a14426b4e
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_libipsec kernel_libipsec
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_libipsec_plugin kernel_libipsec_plugin
+ * @{ @ingroup kernel_libipsec
+ */
+
+#ifndef KERNEL_LIBIPSEC_PLUGIN_H_
+#define KERNEL_LIBIPSEC_PLUGIN_H_
+
+#include <library.h>
+#include <plugins/plugin.h>
+
+typedef struct kernel_libipsec_plugin_t kernel_libipsec_plugin_t;
+
+/**
+ * libipsec "kernel" interface plugin
+ */
+struct kernel_libipsec_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+
+};
+
+#endif /** KERNEL_LIBIPSEC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
new file mode 100644
index 000000000..6ce1d4eb0
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "kernel_libipsec_router.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <ipsec.h>
+#include <collections/hashtable.h>
+#include <networking/tun_device.h>
+#include <threading/rwlock.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_kernel_libipsec_router_t private_kernel_libipsec_router_t;
+
+/**
+ * Entry in the TUN device map
+ */
+typedef struct {
+	/** virtual IP (points to internal data of tun) */
+	host_t *addr;
+	/** underlying TUN file descriptor (cached from tun) */
+	int fd;
+	/** TUN device */
+	tun_device_t *tun;
+} tun_entry_t;
+
+/**
+ * Single instance of the router
+ */
+kernel_libipsec_router_t *router;
+
+/**
+ * Private data
+ */
+struct private_kernel_libipsec_router_t {
+
+	/**
+	 * Public interface
+	 */
+	kernel_libipsec_router_t public;
+
+	/**
+	 * Default TUN device if kernel interface does not require separate TUN
+	 * devices per VIP or for tunnels without VIP.
+	 */
+	tun_entry_t tun;
+
+	/**
+	 * Hashtable that maps virtual IPs to TUN devices (tun_entry_t).
+	 */
+	hashtable_t *tuns;
+
+	/**
+	 * Lock for TUN device map
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Pipe to signal handle_plain() about changes regarding TUN devices
+	 */
+	int notify[2];
+};
+
+/**
+ * Hash function for TUN device map
+ */
+static u_int tun_entry_hash(tun_entry_t *entry)
+{
+	return chunk_hash(entry->addr->get_address(entry->addr));
+}
+
+/**
+ * Comparison function for TUN device map
+ */
+static bool tun_entry_equals(tun_entry_t *a, tun_entry_t *b)
+{
+	return a->addr->ip_equals(a->addr, b->addr);
+}
+
+/**
+ * Outbound callback
+ */
+static void send_esp(void *data, esp_packet_t *packet)
+{
+	charon->sender->send_no_marker(charon->sender, (packet_t*)packet);
+}
+
+/**
+ * Receiver callback
+ */
+static void receiver_esp_cb(void *data, packet_t *packet)
+{
+	ipsec->processor->queue_inbound(ipsec->processor,
+									esp_packet_create_from_packet(packet));
+}
+
+/**
+ * Inbound callback
+ */
+static void deliver_plain(private_kernel_libipsec_router_t *this,
+						  ip_packet_t *packet)
+{
+	tun_device_t *tun;
+	tun_entry_t *entry, lookup = {
+		.addr = packet->get_destination(packet),
+	};
+
+	this->lock->read_lock(this->lock);
+	entry = this->tuns->get(this->tuns, &lookup);
+	tun = entry ? entry->tun : this->tun.tun;
+	tun->write_packet(tun, packet->get_encoding(packet));
+	this->lock->unlock(this->lock);
+	packet->destroy(packet);
+}
+
+/**
+ * Create an FD set covering all TUN devices and the read end of the notify pipe
+ */
+static int collect_fds(private_kernel_libipsec_router_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	tun_entry_t *entry;
+	int maxfd;
+
+	FD_ZERO(fds);
+	FD_SET(this->notify[0], fds);
+	maxfd = this->notify[0];
+
+	FD_SET(this->tun.fd, fds);
+	maxfd = max(maxfd, this->tun.fd);
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		FD_SET(entry->fd, fds);
+		maxfd = max(maxfd, entry->fd);
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return maxfd + 1;
+}
+
+/**
+ * Read and process outbound plaintext packet for the given TUN device
+ */
+static void process_plain(tun_device_t *tun)
+{
+	chunk_t raw;
+
+	if (tun->read_packet(tun, &raw))
+	{
+		ip_packet_t *packet;
+
+		packet = ip_packet_create(raw);
+		if (packet)
+		{
+			ipsec->processor->queue_outbound(ipsec->processor, packet);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "invalid IP packet read from TUN device");
+		}
+	}
+}
+
+/**
+ * Handle waiting data for any TUN device
+ */
+static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds)
+{
+	enumerator_t *enumerator;
+	tun_entry_t *entry;
+
+	if (FD_ISSET(this->tun.fd, fds))
+	{
+		process_plain(this->tun.tun);
+	}
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		if (FD_ISSET(entry->fd, fds))
+		{
+			process_plain(entry->tun);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Job handling outbound plaintext packets
+ */
+static job_requeue_t handle_plain(private_kernel_libipsec_router_t *this)
+{
+	bool oldstate;
+	fd_set fds;
+	int maxfd;
+
+	maxfd = collect_fds(this, &fds);
+
+	oldstate = thread_cancelability(TRUE);
+	if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
+	{
+		thread_cancelability(oldstate);
+		return JOB_REQUEUE_FAIR;
+	}
+	thread_cancelability(oldstate);
+
+	if (FD_ISSET(this->notify[0], &fds))
+	{	/* list of TUN devices changed, read notification data, rebuild FDs */
+		char buf[1];
+		while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf));
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	handle_tuns(this, &fds);
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(kernel_listener_t, tun, bool,
+	private_kernel_libipsec_router_t *this, tun_device_t *tun, bool created)
+{
+	tun_entry_t *entry, lookup;
+	char buf[] = {0x01};
+
+	this->lock->write_lock(this->lock);
+	if (created)
+	{
+		INIT(entry,
+			.addr = tun->get_address(tun, NULL),
+			.fd = tun->get_fd(tun),
+			.tun = tun,
+		);
+		this->tuns->put(this->tuns, entry, entry);
+	}
+	else
+	{
+		lookup.addr = tun->get_address(tun, NULL);
+		entry = this->tuns->remove(this->tuns, &lookup);
+		free(entry);
+	}
+	/* notify handler thread to recreate FD set */
+	ignore_result(write(this->notify[1], buf, sizeof(buf)));
+	this->lock->unlock(this->lock);
+	return TRUE;
+}
+
+METHOD(kernel_libipsec_router_t, get_tun_name, char*,
+	private_kernel_libipsec_router_t *this, host_t *vip)
+{
+	tun_entry_t *entry, lookup = {
+		.addr = vip,
+	};
+	tun_device_t *tun;
+	char *name;
+
+	if (!vip)
+	{
+		return strdup(this->tun.tun->get_name(this->tun.tun));
+	}
+	this->lock->read_lock(this->lock);
+	entry = this->tuns->get(this->tuns, &lookup);
+	tun = entry ? entry->tun : this->tun.tun;
+	name = strdup(tun->get_name(tun));
+	this->lock->unlock(this->lock);
+	return name;
+}
+
+METHOD(kernel_libipsec_router_t, destroy, void,
+	private_kernel_libipsec_router_t *this)
+{
+	charon->receiver->del_esp_cb(charon->receiver,
+								(receiver_esp_cb_t)receiver_esp_cb);
+	ipsec->processor->unregister_outbound(ipsec->processor,
+										 (ipsec_outbound_cb_t)send_esp);
+	ipsec->processor->unregister_inbound(ipsec->processor,
+										 (ipsec_inbound_cb_t)deliver_plain);
+	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+											 &this->public.listener);
+	this->lock->destroy(this->lock);
+	this->tuns->destroy(this->tuns);
+	close(this->notify[0]);
+	close(this->notify[1]);
+	router = NULL;
+	free(this);
+}
+
+/**
+ * Set O_NONBLOCK on the given socket.
+ */
+static bool set_nonblock(int socket)
+{
+	int flags = fcntl(socket, F_GETFL);
+	return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1;
+}
+
+/*
+ * See header file
+ */
+kernel_libipsec_router_t *kernel_libipsec_router_create()
+{
+	private_kernel_libipsec_router_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.tun = _tun,
+			},
+			.get_tun_name = _get_tun_name,
+			.destroy = _destroy,
+		},
+		.tun = {
+			.tun = lib->get(lib, "kernel-libipsec-tun"),
+		}
+	);
+
+	if (pipe(this->notify) != 0 ||
+		!set_nonblock(this->notify[0]) || !set_nonblock(this->notify[1]))
+	{
+		DBG1(DBG_KNL, "creating notify pipe for kernel-libipsec router failed");
+		free(this);
+		return NULL;
+	}
+
+	this->tun.fd = this->tun.tun->get_fd(this->tun.tun);
+
+	this->tuns = hashtable_create((hashtable_hash_t)tun_entry_hash,
+								  (hashtable_equals_t)tun_entry_equals, 4);
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	hydra->kernel_interface->add_listener(hydra->kernel_interface,
+										  &this->public.listener);
+	ipsec->processor->register_outbound(ipsec->processor, send_esp, NULL);
+	ipsec->processor->register_inbound(ipsec->processor,
+									(ipsec_inbound_cb_t)deliver_plain, this);
+	charon->receiver->add_esp_cb(charon->receiver,
+									(receiver_esp_cb_t)receiver_esp_cb, NULL);
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
+									NULL, (callback_job_cancel_t)return_false));
+
+	router = &this->public;
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.h b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.h
new file mode 100644
index 000000000..7b2f3c6c5
--- /dev/null
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_libipsec_router kernel_libipsec_router
+ * @{ @ingroup kernel_libipsec
+ */
+
+#ifndef KERNEL_LIBIPSEC_ROUTER_H_
+#define KERNEL_LIBIPSEC_ROUTER_H_
+
+#include <kernel/kernel_listener.h>
+
+typedef struct kernel_libipsec_router_t kernel_libipsec_router_t;
+
+/**
+ * Class that routes the network packets between TUN device, libipsec and
+ * charon's IKE socket.
+ */
+struct kernel_libipsec_router_t {
+
+	/**
+	 * Implements kernel_listener_t interface
+	 */
+	kernel_listener_t listener;
+
+	/**
+	 * Get the name of the TUN device to be used with the given virtual IP.
+	 *
+	 * @param vip	virtual IP
+	 * @return		allocated name
+	 */
+	char *(*get_tun_name)(kernel_libipsec_router_t *this, host_t *vip);
+
+	/**
+	 * Destroy the given instance
+	 */
+	void (*destroy)(kernel_libipsec_router_t *this);
+};
+
+/**
+ * Single instance of this class, if created
+ */
+extern kernel_libipsec_router_t *router;
+
+/**
+ * Create a kernel_libipsec_router_t instance.
+ *
+ * @return			kernel_libipsec_router_t instance
+ */
+kernel_libipsec_router_t *kernel_libipsec_router_create();
+
+#endif /** KERNEL_LIBIPSEC_ROUTER_H_ @}*/
diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am
index 6428361fc..fbe779dd6 100644
--- a/src/libcharon/plugins/led/Makefile.am
+++ b/src/libcharon/plugins/led/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-led.la
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 56684ee11..e16ac801d 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_led_la_LIBADD =
 am_libstrongswan_led_la_OBJECTS = led_plugin.lo led_listener.lo
 libstrongswan_led_la_OBJECTS = $(am_libstrongswan_led_la_OBJECTS)
-libstrongswan_led_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_led_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_led_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_led_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_led_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_led_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_led_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_led_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,10 +342,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-led.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-led.la
 libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \
@@ -335,7 +401,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -343,6 +408,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -364,8 +431,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) 
-	$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
+libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) $(EXTRA_libstrongswan_led_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -377,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -502,10 +569,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/led/led_listener.c b/src/libcharon/plugins/led/led_listener.c
index 4aae2abe5..be80bcde2 100644
--- a/src/libcharon/plugins/led/led_listener.c
+++ b/src/libcharon/plugins/led/led_listener.c
@@ -189,9 +189,9 @@ METHOD(listener_t, ike_state_change, bool,
 
 METHOD(listener_t, message_hook, bool,
 	private_led_listener_t *this, ike_sa_t *ike_sa,
-	message_t *message, bool incoming)
+	message_t *message, bool incoming, bool plain)
 {
-	if (incoming || message->get_request(message))
+	if (plain && (incoming || message->get_request(message)))
 	{
 		blink_activity(this);
 	}
@@ -230,11 +230,12 @@ led_listener_t *led_listener_create()
 		},
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.blink_time = lib->settings->get_int(lib->settings,
-				"charon.plugins.led.blink_time", 50),
+							"%s.plugins.led.blink_time", 50, charon->name),
 	);
 
 	this->activity = open_led(lib->settings->get_str(lib->settings,
-				"charon.plugins.led.activity_led", NULL), &this->activity_max);
+							"%s.plugins.led.activity_led", NULL, charon->name),
+							&this->activity_max);
 	set_led(this->activity, 0);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/led/led_plugin.c b/src/libcharon/plugins/led/led_plugin.c
index b6b69b466..9149fb263 100644
--- a/src/libcharon/plugins/led/led_plugin.c
+++ b/src/libcharon/plugins/led/led_plugin.c
@@ -43,10 +43,37 @@ METHOD(plugin_t, get_name, char*,
 	return "led";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_led_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_led_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "led"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_led_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	free(this);
 }
@@ -62,14 +89,12 @@ plugin_t *led_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = led_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/load_tester/Makefile.am b/src/libcharon/plugins/load_tester/Makefile.am
index cdd0445a9..e7c08783f 100644
--- a/src/libcharon/plugins/load_tester/Makefile.am
+++ b/src/libcharon/plugins/load_tester/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-load-tester.la
@@ -16,6 +19,10 @@ libstrongswan_load_tester_la_SOURCES = \
 	load_tester_creds.c load_tester_creds.h \
 	load_tester_ipsec.c load_tester_ipsec.h \
 	load_tester_listener.c load_tester_listener.h \
+	load_tester_control.c load_tester_control.h \
 	load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
 libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = load-tester
+load_tester_SOURCES = load_tester.c
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index bbd20d4b9..2e1ebc800 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,7 +15,25 @@
 
 @SET_MAKE@
 
+
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -34,6 +52,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ipsec_PROGRAMS = load-tester$(EXEEXT)
 subdir = src/libcharon/plugins/load_tester
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -45,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,58 +92,98 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_load_tester_la_LIBADD =
 am_libstrongswan_load_tester_la_OBJECTS = load_tester_plugin.lo \
 	load_tester_config.lo load_tester_creds.lo \
 	load_tester_ipsec.lo load_tester_listener.lo \
-	load_tester_diffie_hellman.lo
+	load_tester_control.lo load_tester_diffie_hellman.lo
 libstrongswan_load_tester_la_OBJECTS =  \
 	$(am_libstrongswan_load_tester_la_OBJECTS)
-libstrongswan_load_tester_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_load_tester_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_load_tester_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_load_tester_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_load_tester_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+PROGRAMS = $(ipsec_PROGRAMS)
+am_load_tester_OBJECTS = load_tester.$(OBJEXT)
+load_tester_OBJECTS = $(am_load_tester_OBJECTS)
+load_tester_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_load_tester_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
+	$(load_tester_SOURCES)
+DIST_SOURCES = $(libstrongswan_load_tester_la_SOURCES) \
+	$(load_tester_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +192,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +214,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +242,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +256,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +265,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +273,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +299,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +319,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,10 +355,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-load-tester.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-load-tester.la
 libstrongswan_load_tester_la_SOURCES = \
@@ -298,9 +372,11 @@ libstrongswan_load_tester_la_SOURCES = \
 	load_tester_creds.c load_tester_creds.h \
 	load_tester_ipsec.c load_tester_ipsec.h \
 	load_tester_listener.c load_tester_listener.h \
+	load_tester_control.c load_tester_control.h \
 	load_tester_diffie_hellman.c load_tester_diffie_hellman.h
 
 libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+load_tester_SOURCES = load_tester.c
 all: all-am
 
 .SUFFIXES:
@@ -346,7 +422,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -354,6 +429,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -375,8 +452,57 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) 
-	$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+libstrongswan-load-tester.la: $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_load_tester_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_load_tester_la_LINK) $(am_libstrongswan_load_tester_la_rpath) $(libstrongswan_load_tester_la_OBJECTS) $(libstrongswan_load_tester_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+load-tester$(EXEEXT): $(load_tester_OBJECTS) $(load_tester_DEPENDENCIES) $(EXTRA_load_tester_DEPENDENCIES) 
+	@rm -f load-tester$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(load_tester_OBJECTS) $(load_tester_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -384,7 +510,9 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_config.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_control.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_creds.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_ipsec.Plo@am__quote@
@@ -392,25 +520,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/load_tester_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -502,9 +630,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
 installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -517,10 +645,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -534,8 +667,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -555,7 +688,7 @@ info: info-am
 
 info-am:
 
-install-data-am: install-pluginLTLIBRARIES
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
@@ -601,23 +734,24 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-pluginLTLIBRARIES
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
 
 .MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
 	uninstall-pluginLTLIBRARIES
 
 
diff --git a/src/libcharon/plugins/load_tester/load_tester.c b/src/libcharon/plugins/load_tester/load_tester.c
new file mode 100644
index 000000000..b7b971ee8
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_control.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+/**
+ * Connect to the daemon, return stream
+ */
+static FILE* make_connection()
+{
+	struct sockaddr_un addr;
+	FILE *stream;
+	int fd;
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, LOAD_TESTER_SOCKET);
+
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+		return NULL;
+	}
+	if (connect(fd, (struct sockaddr *)&addr,
+			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	{
+		fprintf(stderr, "connecting to %s failed: %s\n",
+				LOAD_TESTER_SOCKET, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	stream = fdopen(fd, "r+");
+	if (!stream)
+	{
+		close(fd);
+		return NULL;
+	}
+	return stream;
+}
+
+/**
+ * Initiate load-tests
+ */
+static int initiate(unsigned int count, unsigned int delay)
+{
+	FILE *stream;
+	char c;
+
+	stream = make_connection();
+	if (!stream)
+	{
+		return 1;
+	}
+
+	fprintf(stream, "%u %u\n", count, delay);
+
+	while (1)
+	{
+		fflush(stream);
+		c = fgetc(stream);
+		if (c == EOF)
+		{
+			break;
+		}
+		if (fputc(c, stdout) == EOF)
+		{
+			break;
+		}
+		fflush(stdout);
+	}
+	fclose(stream);
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	if (argc >= 3 && strcmp(argv[1], "initiate") == 0)
+	{
+		return initiate(atoi(argv[2]), argc > 3 ? atoi(argv[3]) : 0);
+	}
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "  %s initiate <count> [<delay in ms>]\n", argv[0]);
+	return 1;
+}
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 6bc6f91e4..ebadf44ca 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -16,6 +16,10 @@
 #include "load_tester_config.h"
 
 #include <daemon.h>
+#include <hydra.h>
+#include <attributes/mem_pool.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
 
 typedef struct private_load_tester_config_t private_load_tester_config_t;
 
@@ -40,9 +44,14 @@ struct private_load_tester_config_t {
 	host_t *vip;
 
 	/**
-	 * Remote address
+	 * Initiator address
 	 */
-	char *remote;
+	char *initiator;
+
+	/**
+	 * Responder address
+	 */
+	char *responder;
 
 	/**
 	 * IP address pool
@@ -55,6 +64,11 @@ struct private_load_tester_config_t {
 	proposal_t *proposal;
 
 	/**
+	 * ESP proposal
+	 */
+	proposal_t *esp;
+
+	/**
 	 * Authentication method(s) to use/expect from initiator
 	 */
 	char *initiator_auth;
@@ -70,11 +84,36 @@ struct private_load_tester_config_t {
 	char *initiator_id;
 
 	/**
+	 * Initiator ID to to match against as responder
+	 */
+	char *initiator_match;
+
+	/**
 	 * Responder ID to enforce
 	 */
 	char *responder_id;
 
 	/**
+	 * Traffic Selector on initiator side, as proposed from initiator
+	 */
+	char *initiator_tsi;
+
+	/**
+	 * Traffic Selector on responder side, as proposed from initiator
+	 */
+	char *initiator_tsr;
+
+	/**
+	 * Traffic Selector on initiator side, as narrowed by responder
+	 */
+	char *responder_tsi;
+
+	/**
+	 * Traffic Selector on responder side, as narrowed by responder
+	 */
+	char *responder_tsr;
+
+	/**
 	 * IKE_SA rekeying delay
 	 */
 	u_int ike_rekey;
@@ -90,6 +129,11 @@ struct private_load_tester_config_t {
 	u_int dpd_delay;
 
 	/**
+	 * DPD timeout (IKEv1 only)
+	 */
+	u_int dpd_timeout;
+
+	/**
 	 * incremental numbering of generated configs
 	 */
 	u_int num;
@@ -98,9 +142,155 @@ struct private_load_tester_config_t {
 	 * Dynamic source port, if used
 	 */
 	u_int16_t port;
+
+	/**
+	 * IKE version to use for load testing
+	 */
+	ike_version_t version;
+
+	/**
+	 * List of pools to allocate external addresses dynamically, as mem_pool_t
+	 */
+	linked_list_t *pools;
+
+	/**
+	 * Address prefix to use when installing dynamic addresses
+	 */
+	int prefix;
+
+	/**
+	 * Keep addresses until shutdown?
+	 */
+	bool keep;
+
+	/**
+	 * Hashtable with leases in "pools", host_t => entry_t
+	 */
+	hashtable_t *leases;
+
+	/**
+	 * Mutex for leases hashtable
+	 */
+	mutex_t *mutex;
 };
 
 /**
+ * Lease entry
+ */
+typedef struct {
+	/** host reference, equal to key */
+	host_t *host;
+	/** associated identity */
+	identification_t *id;
+} entry_t;
+
+/**
+ * Destroy an entry_t
+ */
+static void entry_destroy(entry_t *this)
+{
+	this->host->destroy(this->host);
+	this->id->destroy(this->id);
+	free(this);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(host_t *key)
+{
+	return chunk_hash(key->get_address(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(host_t *a, host_t *b)
+{
+	return a->ip_equals(a, b);
+}
+
+/**
+ * Load external addresses to use, if any
+ */
+static void load_addrs(private_load_tester_config_t *this)
+{
+	enumerator_t *enumerator, *tokens;
+	host_t *from, *to;
+	int bits;
+	char *iface, *token, *pos;
+	mem_pool_t *pool;
+
+	this->keep = lib->settings->get_bool(lib->settings,
+						"%s.plugins.load-tester.addrs_keep", FALSE, charon->name);
+	this->prefix = lib->settings->get_int(lib->settings,
+						"%s.plugins.load-tester.addrs_prefix", 16, charon->name);
+	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
+						"%s.plugins.load-tester.addrs", charon->name);
+	while (enumerator->enumerate(enumerator, &iface, &token))
+	{
+		tokens = enumerator_create_token(token, ",", " ");
+		while (tokens->enumerate(tokens, &token))
+		{
+			pos = strchr(token, '-');
+			if (pos)
+			{	/* range */
+				*(pos++) = '\0';
+				/* trim whitespace */
+				while (*pos == ' ')
+				{
+					pos++;
+				}
+				while (token[strlen(token) - 1] == ' ')
+				{
+					token[strlen(token) - 1] = '\0';
+				}
+				from = host_create_from_string(token, 0);
+				to = host_create_from_string(pos, 0);
+				if (from && to)
+				{
+					pool = mem_pool_create_range(iface, from, to);
+					if (pool)
+					{
+						DBG1(DBG_CFG, "loaded load-tester address range "
+							 "%H-%H on %s", from, to, iface);
+						this->pools->insert_last(this->pools, pool);
+					}
+					from->destroy(from);
+					to->destroy(to);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "parsing load-tester address range %s-%s "
+						 "failed, skipped", token, pos);
+					DESTROY_IF(from);
+					DESTROY_IF(to);
+				}
+			}
+			else
+			{	/* subnet */
+				from = host_create_from_subnet(token, &bits);
+				if (from)
+				{
+					DBG1(DBG_CFG, "loaded load-tester address pool %H/%d on %s",
+						 from, bits, iface);
+					pool = mem_pool_create(iface, from, bits);
+					from->destroy(from);
+					this->pools->insert_last(this->pools, pool);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "parsing load-tester address %s failed, "
+						 "skipped", token);
+				}
+			}
+		}
+		tokens->destroy(tokens);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
  * Generate auth config from string
  */
 static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
@@ -123,8 +313,14 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 
 		if (this->initiator_id)
 		{
-			if ((local && num) || (!local && !num))
-			{
+			if (this->initiator_match && (!local && !num))
+			{	/* as responder, use the secified identity that matches
+				 * all used initiator identities, if given. */
+				snprintf(buf, sizeof(buf), this->initiator_match, rnd);
+				id = identification_create_from_string(buf);
+			}
+			else if ((local && num) || (!local && !num))
+			{	/* as initiator, create peer specific identities */
 				snprintf(buf, sizeof(buf), this->initiator_id, num, rnd);
 				id = identification_create_from_string(buf);
 			}
@@ -159,7 +355,7 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 				}
 			}
 		}
-		else if (strneq(str, "eap", strlen("eap")))
+		else if (strpfx(str, "eap"))
 		{	/* EAP authentication, use a NAI */
 			class = AUTH_CLASS_EAP;
 			if (*(str + strlen("eap")) == '-')
@@ -221,6 +417,88 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
 }
 
 /**
+ * Add a TS from a string to a child_cfg
+ */
+static void add_ts(char *string, child_cfg_t *cfg, bool local)
+{
+	traffic_selector_t *ts;
+
+	if (string)
+	{
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
+		if (!ts)
+		{
+			DBG1(DBG_CFG, "parsing TS string '%s' failed", string);
+		}
+	}
+	else
+	{
+		ts = traffic_selector_create_dynamic(0, 0, 65535);
+	}
+	if (ts)
+	{
+		cfg->add_traffic_selector(cfg, local, ts);
+	}
+}
+
+/**
+ * Allocate and install a dynamic external address to use
+ */
+static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
+{
+	enumerator_t *enumerator;
+	mem_pool_t *pool;
+	host_t *found = NULL, *requested;
+	identification_t *id;
+	char *iface = NULL, buf[32];
+	entry_t *entry;
+
+	requested = host_create_any(AF_INET);
+	snprintf(buf, sizeof(buf), "ext-%d", num);
+	id = identification_create_from_string(buf);
+	enumerator = this->pools->create_enumerator(this->pools);
+	while (enumerator->enumerate(enumerator, &pool))
+	{
+		found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW);
+		if (found)
+		{
+			iface = (char*)pool->get_name(pool);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	requested->destroy(requested);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no address found to install as load-tester external IP");
+		id->destroy(id);
+		return NULL;
+	}
+	if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
+										found, this->prefix, iface) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "installing load-tester IP %H on %s failed", found, iface);
+		found->destroy(found);
+		id->destroy(id);
+		return NULL;
+	}
+	DBG1(DBG_CFG, "installed load-tester IP %H on %s", found, iface);
+	INIT(entry,
+		.host = found->clone(found),
+		.id = id,
+	);
+	this->mutex->lock(this->mutex);
+	entry = this->leases->put(this->leases, entry->host, entry);
+	this->mutex->unlock(this->mutex);
+	if (entry)
+	{	/* shouldn't actually happen */
+		entry_destroy(entry);
+	}
+	return found;
+}
+
+/**
  * Generate a new initiator config, num = 0 for responder config
  */
 static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
@@ -228,8 +506,8 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
 	peer_cfg_t *peer_cfg;
-	traffic_selector_t *ts;
-	proposal_t *proposal;
+	char local[32], *remote;
+	host_t *addr;
 	lifetime_cfg_t lifetime = {
 		.time = {
 			.life = this->child_rekey * 2,
@@ -238,24 +516,63 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 		}
 	};
 
+	if (num)
+	{	/* initiator */
+		if (this->pools->get_count(this->pools))
+		{	/* using dynamically installed external addresses */
+			addr = allocate_addr(this, num);
+			if (!addr)
+			{
+				DBG1(DBG_CFG, "allocating external address failed");
+				return NULL;
+			}
+			snprintf(local, sizeof(local), "%H", addr);
+			addr->destroy(addr);
+		}
+		else
+		{
+			snprintf(local, sizeof(local), "%s", this->initiator);
+		}
+		remote = this->responder;
+	}
+	else
+	{
+		snprintf(local, sizeof(local), "%s", this->responder);
+		remote = this->initiator;
+	}
+
 	if (this->port && num)
 	{
-		ike_cfg = ike_cfg_create(FALSE, FALSE,
-				"0.0.0.0", this->port + num - 1, this->remote, IKEV2_NATT_PORT);
+		ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
+								 local, FALSE, this->port + num - 1,
+								 remote, FALSE, IKEV2_NATT_PORT,
+								 FRAGMENTATION_NO, 0);
 	}
 	else
 	{
-		ike_cfg = ike_cfg_create(FALSE, FALSE,
-				"0.0.0.0", IKEV2_UDP_PORT, this->remote, IKEV2_UDP_PORT);
+		ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
+								 local, FALSE,
+								 charon->socket->get_port(charon->socket, FALSE),
+								 remote, FALSE, IKEV2_UDP_PORT,
+								 FRAGMENTATION_NO, 0);
 	}
 	ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
-	peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
+	peer_cfg = peer_cfg_create("load-test", ike_cfg,
 							   CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
 							   this->ike_rekey, 0, /* rekey, reauth */
 							   0, this->ike_rekey, /* jitter, overtime */
-							   FALSE, this->dpd_delay, /* mobike, dpddelay */
-							   this->vip ? this->vip->clone(this->vip) : NULL,
-							   this->pool, FALSE, NULL, NULL);
+							   FALSE, FALSE, /* mobike, aggressive mode */
+							   this->dpd_delay,   /* dpd_delay */
+							   this->dpd_timeout, /* dpd_timeout */
+							   FALSE, NULL, NULL);
+	if (this->vip)
+	{
+		peer_cfg->add_virtual_ip(peer_cfg, this->vip->clone(this->vip));
+	}
+	if (this->pool)
+	{
+		peer_cfg->add_pool(peer_cfg, this->pool);
+	}
 	if (num)
 	{	/* initiator */
 		generate_auth_cfg(this, this->initiator_auth, peer_cfg, TRUE, num);
@@ -270,12 +587,25 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 	child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
 								 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
 								 0, 0, NULL, NULL, 0);
-	proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
-	child_cfg->add_proposal(child_cfg, proposal);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	ts = traffic_selector_create_dynamic(0, 0, 65535);
-	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	child_cfg->add_proposal(child_cfg, this->esp->clone(this->esp));
+
+	if (num)
+	{	/* initiator */
+		if (this->vip)
+		{
+			add_ts(NULL, child_cfg, TRUE);
+		}
+		else
+		{
+			add_ts(this->initiator_tsi, child_cfg, TRUE);
+		}
+		add_ts(this->initiator_tsr, child_cfg, FALSE);
+	}
+	else
+	{	/* responder */
+		add_ts(this->responder_tsr, child_cfg, TRUE);
+		add_ts(this->responder_tsi, child_cfg, FALSE);
+	}
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 	return peer_cfg;
 }
@@ -306,11 +636,86 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 	return NULL;
 }
 
+METHOD(load_tester_config_t, delete_ip, void,
+	private_load_tester_config_t *this, host_t *ip)
+{
+	enumerator_t *enumerator;
+	mem_pool_t *pool;
+	entry_t *entry;
+
+	if (this->keep)
+	{
+		return;
+	}
+
+	this->mutex->lock(this->mutex);
+	entry = this->leases->remove(this->leases, ip);
+	this->mutex->unlock(this->mutex);
+
+	if (entry)
+	{
+		enumerator = this->pools->create_enumerator(this->pools);
+		while (enumerator->enumerate(enumerator, &pool))
+		{
+			if (pool->release_address(pool, entry->host, entry->id))
+			{
+				hydra->kernel_interface->del_ip(hydra->kernel_interface,
+											entry->host, this->prefix, FALSE);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		entry_destroy(entry);
+	}
+}
+
+/**
+ * Clean up leases for allocated external addresses, if have been kept
+ */
+static void cleanup_leases(private_load_tester_config_t *this)
+{
+	enumerator_t *pools, *leases;
+	mem_pool_t *pool;
+	identification_t *id;
+	host_t *addr;
+	entry_t *entry;
+	bool online;
+
+	pools = this->pools->create_enumerator(this->pools);
+	while (pools->enumerate(pools, &pool))
+	{
+		leases = pool->create_lease_enumerator(pool);
+		while (leases->enumerate(leases, &id, &addr, &online))
+		{
+			if (online)
+			{
+				hydra->kernel_interface->del_ip(hydra->kernel_interface,
+												addr, this->prefix, FALSE);
+				entry = this->leases->remove(this->leases, addr);
+				if (entry)
+				{
+					entry_destroy(entry);
+				}
+			}
+		}
+		leases->destroy(leases);
+	}
+	pools->destroy(pools);
+}
+
 METHOD(load_tester_config_t, destroy, void,
 	private_load_tester_config_t *this)
 {
+	if (this->keep)
+	{
+		cleanup_leases(this);
+	}
+	this->mutex->destroy(this->mutex);
+	this->leases->destroy(this->leases);
+	this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
 	this->peer_cfg->destroy(this->peer_cfg);
 	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->esp);
 	DESTROY_IF(this->vip);
 	free(this);
 }
@@ -329,50 +734,85 @@ load_tester_config_t *load_tester_config_create()
 				.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
 				.get_peer_cfg_by_name = _get_peer_cfg_by_name,
 			},
+			.delete_ip = _delete_ip,
 			.destroy = _destroy,
 		},
+		.pools = linked_list_create(),
+		.leases = hashtable_create((hashtable_hash_t)hash,
+								   (hashtable_equals_t)equals, 256),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.num = 1,
 	);
 
 	if (lib->settings->get_bool(lib->settings,
-				"charon.plugins.load-tester.request_virtual_ip", FALSE))
+			"%s.plugins.load-tester.request_virtual_ip", FALSE, charon->name))
 	{
 		this->vip = host_create_from_string("0.0.0.0", 0);
 	}
 	this->pool = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.pool", NULL);
-	this->remote = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.remote", "127.0.0.1");
+			"%s.plugins.load-tester.pool", NULL, charon->name);
+	this->initiator = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator", "0.0.0.0", charon->name);
+	this->responder = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.responder", "127.0.0.1", charon->name);
 
 	this->proposal = proposal_create_from_string(PROTO_IKE,
-			lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.proposal", "aes128-sha1-modp768"));
+				lib->settings->get_str(lib->settings,
+					"%s.plugins.load-tester.proposal", "aes128-sha1-modp768",
+					charon->name));
 	if (!this->proposal)
 	{	/* fallback */
 		this->proposal = proposal_create_from_string(PROTO_IKE,
 													 "aes128-sha1-modp768");
 	}
+	this->esp = proposal_create_from_string(PROTO_ESP,
+			lib->settings->get_str(lib->settings,
+				"%s.plugins.load-tester.esp", "aes128-sha1",
+				charon->name));
+	if (!this->esp)
+	{	/* fallback */
+		this->esp = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
+	}
+
 	this->ike_rekey = lib->settings->get_int(lib->settings,
-				"charon.plugins.load-tester.ike_rekey", 0);
+			"%s.plugins.load-tester.ike_rekey", 0, charon->name);
 	this->child_rekey = lib->settings->get_int(lib->settings,
-				"charon.plugins.load-tester.child_rekey", 600);
+			"%s.plugins.load-tester.child_rekey", 600, charon->name);
 	this->dpd_delay = lib->settings->get_int(lib->settings,
-				"charon.plugins.load-tester.dpd_delay", 0);
+			"%s.plugins.load-tester.dpd_delay", 0, charon->name);
+	this->dpd_timeout = lib->settings->get_int(lib->settings,
+			"%s.plugins.load-tester.dpd_timeout", 0, charon->name);
 
 	this->initiator_auth = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.initiator_auth", "pubkey");
+			"%s.plugins.load-tester.initiator_auth", "pubkey", charon->name);
 	this->responder_auth = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.responder_auth", "pubkey");
+			"%s.plugins.load-tester.responder_auth", "pubkey", charon->name);
 	this->initiator_id = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.initiator_id", NULL);
+			"%s.plugins.load-tester.initiator_id", NULL, charon->name);
+	this->initiator_match = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator_match", NULL, charon->name);
 	this->responder_id = lib->settings->get_str(lib->settings,
-				"charon.plugins.load-tester.responder_id", NULL);
+			"%s.plugins.load-tester.responder_id", NULL, charon->name);
+
+	this->initiator_tsi = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator_tsi", NULL, charon->name);
+	this->responder_tsi =lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.responder_tsi",
+			this->initiator_tsi, charon->name);
+	this->initiator_tsr = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.initiator_tsr", NULL, charon->name);
+	this->responder_tsr =lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.responder_tsr",
+			this->initiator_tsr, charon->name);
 
 	this->port = lib->settings->get_int(lib->settings,
-				"charon.plugins.load-tester.dynamic_port", 0);
+			"%s.plugins.load-tester.dynamic_port", 0, charon->name);
+	this->version = lib->settings->get_int(lib->settings,
+			"%s.plugins.load-tester.version", IKE_ANY, charon->name);
+
+	load_addrs(this);
 
 	this->peer_cfg = generate_config(this, 0);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.h b/src/libcharon/plugins/load_tester/load_tester_config.h
index c22387743..cfa4b1edc 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.h
+++ b/src/libcharon/plugins/load_tester/load_tester_config.h
@@ -36,6 +36,13 @@ struct load_tester_config_t {
 	backend_t backend;
 
 	/**
+	 * Delete external IP if it was dynamically installed.
+	 *
+	 * @param ip			external IP
+	 */
+	void (*delete_ip)(load_tester_config_t *this, host_t *ip);
+
+	/**
 	 * Destroy the backend.
 	 */
 	void (*destroy)(load_tester_config_t *this);
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
new file mode 100644
index 000000000..f9ec9142f
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -0,0 +1,317 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "load_tester_control.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_load_tester_control_t private_load_tester_control_t;
+typedef struct init_listener_t init_listener_t;
+
+/**
+ * Private data of an load_tester_control_t object.
+ */
+struct private_load_tester_control_t {
+
+	/**
+	 * Public load_tester_control_t interface.
+	 */
+	load_tester_control_t public;
+
+	/**
+	 * Load tester control stream service
+	 */
+	stream_service_t *service;
+};
+
+/**
+ * Listener to follow initiation progress
+ */
+struct init_listener_t {
+
+	/**
+	 * implements listener_t
+	 */
+	listener_t listener;
+
+	/**
+	 * Output stream to log to
+	 */
+	FILE *stream;
+
+	/**
+	 * IKE_SAs we have started to initiate
+	 */
+	hashtable_t *initiated;
+
+	/**
+	 * IKE_SAs we have completed to initate (success or failure)
+	 */
+	hashtable_t *completed;
+
+	/**
+	 * Mutex to lock IKE_SA tables
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for completion
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(uintptr_t id)
+{
+	return id;
+}
+
+/**
+ * Hashtable hash function
+ */
+static bool equals(uintptr_t a, uintptr_t b)
+{
+	return a == b;
+}
+
+METHOD(listener_t, alert, bool,
+	init_listener_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+	if (alert == ALERT_RETRANSMIT_SEND)
+	{
+		uintptr_t id;
+		bool match = FALSE;
+
+		id = ike_sa->get_unique_id(ike_sa);
+		this->mutex->lock(this->mutex);
+		if (this->initiated->get(this->initiated, (void*)id))
+		{
+			match = TRUE;
+		}
+		this->mutex->unlock(this->mutex);
+
+		if (match)
+		{
+			fprintf(this->stream, "*");
+			fflush(this->stream);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_state_change, bool,
+	init_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (state == IKE_ESTABLISHED || state == IKE_DESTROYING)
+	{
+		uintptr_t id;
+		bool match = FALSE;
+
+		id = ike_sa->get_unique_id(ike_sa);
+		this->mutex->lock(this->mutex);
+		if (this->initiated->get(this->initiated, (void*)id))
+		{
+			match = !this->completed->put(this->completed, (void*)id, (void*)id);
+		}
+		this->mutex->unlock(this->mutex);
+
+		if (match)
+		{
+			this->condvar->signal(this->condvar);
+			fprintf(this->stream, state == IKE_ESTABLISHED ? "+" : "-");
+			fflush(this->stream);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Logging callback function used during initiate
+ */
+static bool initiate_cb(init_listener_t *this, debug_t group, level_t level,
+						ike_sa_t *ike_sa, const char *message)
+{
+	uintptr_t id;
+
+	if (ike_sa)
+	{
+		id = ike_sa->get_unique_id(ike_sa);
+		this->mutex->lock(this->mutex);
+		this->initiated->put(this->initiated, (void*)id, (void*)id);
+		this->mutex->unlock(this->mutex);
+
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+/**
+ * Accept connections, initiate load-test, write progress to stream
+ */
+static bool on_accept(private_load_tester_control_t *this, stream_t *io)
+{
+	init_listener_t *listener;
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	u_int i, count, failed = 0, delay = 0;
+	char buf[16] = "";
+	FILE *stream;
+
+	stream = io->get_file(io);
+	if (!stream)
+	{
+		return FALSE;
+	}
+	fflush(stream);
+	if (fgets(buf, sizeof(buf), stream) == NULL)
+	{
+		fclose(stream);
+		return FALSE;
+	}
+	if (sscanf(buf, "%u %u", &count, &delay) < 1)
+	{
+		fclose(stream);
+		return FALSE;
+	}
+
+	INIT(listener,
+		.listener = {
+			.ike_state_change = _ike_state_change,
+			.alert = _alert,
+		},
+		.stream = stream,
+		.initiated = hashtable_create((void*)hash, (void*)equals, count),
+		.completed = hashtable_create((void*)hash, (void*)equals, count),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	charon->bus->add_listener(charon->bus, &listener->listener);
+
+	for (i = 0; i < count; i++)
+	{
+		peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+														  "load-test");
+		if (!peer_cfg)
+		{
+			failed++;
+			fprintf(stream, "!");
+			continue;
+		}
+		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+		if (!enumerator->enumerate(enumerator, &child_cfg))
+		{
+			enumerator->destroy(enumerator);
+			peer_cfg->destroy(peer_cfg);
+			failed++;
+			fprintf(stream, "!");
+			continue;
+		}
+		enumerator->destroy(enumerator);
+
+		switch (charon->controller->initiate(charon->controller,
+										peer_cfg, child_cfg->get_ref(child_cfg),
+										(void*)initiate_cb, listener, 0))
+		{
+			case NEED_MORE:
+				/* Callback returns FALSE once it got track of this IKE_SA.
+				 * FALL */
+			case SUCCESS:
+				fprintf(stream, ".");
+				break;
+			default:
+				fprintf(stream, "!");
+				break;
+		}
+		if (delay)
+		{
+			usleep(delay * 1000);
+		}
+		fflush(stream);
+	}
+
+	listener->mutex->lock(listener->mutex);
+	while (listener->completed->get_count(listener->completed) < count - failed)
+	{
+		listener->condvar->wait(listener->condvar, listener->mutex);
+	}
+	listener->mutex->unlock(listener->mutex);
+
+	charon->bus->remove_listener(charon->bus, &listener->listener);
+
+	listener->initiated->destroy(listener->initiated);
+	listener->completed->destroy(listener->completed);
+	listener->mutex->destroy(listener->mutex);
+	listener->condvar->destroy(listener->condvar);
+	free(listener);
+
+	fprintf(stream, "\n");
+	fclose(stream);
+
+	return FALSE;
+}
+
+METHOD(load_tester_control_t, destroy, void,
+	private_load_tester_control_t *this)
+{
+	DESTROY_IF(this->service);
+	free(this);
+}
+
+/**
+ * See header
+ */
+load_tester_control_t *load_tester_control_create()
+{
+	private_load_tester_control_t *this;
+	char *uri;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+	);
+
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.load-tester.socket", "unix://" LOAD_TESTER_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (this->service)
+	{
+		this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+								 this, JOB_PRIO_CRITICAL, 0);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "creating load-tester control socket failed");
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.h b/src/libcharon/plugins/load_tester/load_tester_control.h
new file mode 100644
index 000000000..5d280f0a0
--- /dev/null
+++ b/src/libcharon/plugins/load_tester/load_tester_control.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup load_tester_control load_tester_control
+ * @{ @ingroup load_tester
+ */
+
+#ifndef LOAD_TESTER_CONTROL_H_
+#define LOAD_TESTER_CONTROL_H_
+
+/**
+ * Socket to accept connections.
+ */
+#define LOAD_TESTER_SOCKET IPSEC_PIDDIR "/charon.ldt"
+
+typedef struct load_tester_control_t load_tester_control_t;
+
+/**
+ * Unix control socket to initiate batches of load-tests.
+ */
+struct load_tester_control_t {
+
+	/**
+	 * Destroy a load_tester_control_t.
+	 */
+	void (*destroy)(load_tester_control_t *this);
+};
+
+/**
+ * Create a load_tester_control instance.
+ */
+load_tester_control_t *load_tester_control_create();
+
+#endif /** LOAD_TESTER_CONTROL_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c
index c34ea73c5..946d62021 100644
--- a/src/libcharon/plugins/load_tester/load_tester_creds.c
+++ b/src/libcharon/plugins/load_tester/load_tester_creds.c
@@ -16,6 +16,7 @@
 #include "load_tester_creds.h"
 
 #include <time.h>
+#include <sys/stat.h>
 
 #include <daemon.h>
 #include <credentials/keys/shared_key.h>
@@ -44,6 +45,16 @@ struct private_load_tester_creds_t {
 	certificate_t *ca;
 
 	/**
+	 * Trusted CA certificates, including issuer CA
+	 */
+	linked_list_t *cas;
+
+	/**
+	 * Digest algorithm to issue certificates
+	 */
+	hash_algorithm_t digest;
+
+	/**
 	 * serial number to issue certificates
 	 */
 	u_int32_t serial;
@@ -182,6 +193,84 @@ static char *default_psk = "default-psk";
  */
 static char *default_pwd = "default-pwd";
 
+
+/**
+ * Load the private key, hard-coded or from a file
+ */
+static private_key_t *load_issuer_key()
+{
+	char *path;
+
+	path = lib->settings->get_str(lib->settings,
+					"%s.plugins.load-tester.issuer_key", NULL, charon->name);
+	if (!path)
+	{
+		return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
+					BUILD_END);
+	}
+	DBG1(DBG_CFG, "loading load-tester private key from '%s'", path);
+	return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+					BUILD_FROM_FILE, path, BUILD_END);
+}
+
+/**
+ * Load the issuing certificate, hard-coded or from a file
+ */
+static certificate_t *load_issuer_cert()
+{
+	char *path;
+
+	path = lib->settings->get_str(lib->settings,
+					"%s.plugins.load-tester.issuer_cert", NULL, charon->name);
+	if (!path)
+	{
+		return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+					BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
+					BUILD_X509_FLAG, X509_CA,
+					BUILD_END);
+	}
+	DBG1(DBG_CFG, "loading load-tester issuer cert from '%s'", path);
+	return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+					BUILD_FROM_FILE, path, BUILD_END);
+}
+
+/**
+ * Load (intermediate) CA certificates, hard-coded or from a file
+ */
+static void load_ca_certs(private_load_tester_creds_t *this)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	struct stat st;
+	char *path;
+
+	path = lib->settings->get_str(lib->settings,
+						"%s.plugins.load-tester.ca_dir", NULL, charon->name);
+	if (path)
+	{
+		enumerator = enumerator_create_directory(path);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, NULL, &path, &st))
+			{
+				if (S_ISREG(st.st_mode))
+				{
+					DBG1(DBG_CFG, "loading load-tester CA cert from '%s'", path);
+					cert = lib->creds->create(lib->creds,
+											CRED_CERTIFICATE, CERT_X509,
+											BUILD_FROM_FILE, path, BUILD_END);
+					if (cert)
+					{
+						this->cas->insert_last(this->cas, cert);
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+}
+
 METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
 	private_load_tester_creds_t *this, key_type_t type, identification_t *id)
 {
@@ -207,8 +296,12 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 	private_load_tester_creds_t *this, certificate_type_t cert, key_type_t key,
 	identification_t *id, bool trusted)
 {
-	certificate_t *peer_cert;
+	enumerator_t *enumerator;
+	certificate_t *peer_cert, *ca_cert;
 	public_key_t *peer_key, *ca_key;
+	identification_t *dn = NULL;
+	linked_list_t *sans;
+	char buf[128];
 	u_int32_t serial;
 	time_t now;
 
@@ -226,7 +319,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 	}
 	if (!id)
 	{
-		return enumerator_create_single(this->ca, NULL);
+		return this->cas->create_enumerator(this->cas);
 	}
 	ca_key = this->ca->get_public_key(this->ca);
 	if (ca_key)
@@ -238,26 +331,56 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
 		}
 		ca_key->destroy(ca_key);
 	}
-	if (this->ca->has_subject(this->ca, id))
+	enumerator = this->cas->create_enumerator(this->cas);
+	while (enumerator->enumerate(enumerator, &ca_cert))
 	{
-		return enumerator_create_single(this->ca, NULL);
+		if (ca_cert->has_subject(ca_cert, id))
+		{
+			enumerator->destroy(enumerator);
+			return enumerator_create_single(ca_cert, NULL);
+		}
 	}
+	enumerator->destroy(enumerator);
+
 	if (!trusted)
 	{
 		/* peer certificate, generate on demand */
 		serial = htonl(++this->serial);
 		now = time(NULL);
+		sans = linked_list_create();
+
+		switch (id->get_type(id))
+		{
+			case ID_DER_ASN1_DN:
+				break;
+			case ID_FQDN:
+			case ID_RFC822_ADDR:
+			case ID_IPV4_ADDR:
+			case ID_IPV6_ADDR:
+				/* encode as subjectAltName, construct a sane DN */
+				sans->insert_last(sans, id);
+				snprintf(buf, sizeof(buf), "CN=%Y", id);
+				dn = identification_create_from_string(buf);
+				break;
+			default:
+				sans->destroy(sans);
+				return NULL;
+		}
 		peer_key = this->private->get_public_key(this->private);
 		peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 									BUILD_SIGNING_KEY, this->private,
 									BUILD_SIGNING_CERT, this->ca,
+									BUILD_DIGEST_ALG, this->digest,
 									BUILD_PUBLIC_KEY, peer_key,
-									BUILD_SUBJECT, id,
+									BUILD_SUBJECT, dn ?: id,
+									BUILD_SUBJECT_ALTNAMES, sans,
 									BUILD_NOT_BEFORE_TIME, now - 60 * 60 * 24,
 									BUILD_NOT_AFTER_TIME, now + 60 * 60 * 24,
 									BUILD_SERIAL, chunk_from_thing(serial),
 									BUILD_END);
 		peer_key->destroy(peer_key);
+		sans->destroy(sans);
+		DESTROY_IF(dn);
 		if (peer_cert)
 		{
 			return enumerator_create_single(peer_cert, (void*)peer_cert->destroy);
@@ -308,6 +431,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 METHOD(load_tester_creds_t, destroy, void,
 	private_load_tester_creds_t *this)
 {
+	this->cas->destroy_offset(this->cas, offsetof(certificate_t, destroy));
 	DESTROY_IF(this->private);
 	DESTROY_IF(this->ca);
 	this->psk->destroy(this->psk);
@@ -318,12 +442,14 @@ METHOD(load_tester_creds_t, destroy, void,
 load_tester_creds_t *load_tester_creds_create()
 {
 	private_load_tester_creds_t *this;
-	char *pwd, *psk;
+	char *pwd, *psk, *digest;
 
 	psk = lib->settings->get_str(lib->settings,
-					"charon.plugins.load-tester.preshared_key", default_psk);
+			"%s.plugins.load-tester.preshared_key", default_psk, charon->name);
 	pwd = lib->settings->get_str(lib->settings,
-					"charon.plugins.load-tester.eap_password", default_pwd);
+			"%s.plugins.load-tester.eap_password", default_pwd, charon->name);
+	digest = lib->settings->get_str(lib->settings,
+			"%s.plugins.load-tester.digest", "sha1", charon->name);
 
 	INIT(this,
 		.public = {
@@ -336,18 +462,29 @@ load_tester_creds_t *load_tester_creds_create()
 			},
 			.destroy = _destroy,
 		},
-		.private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-					BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
-					BUILD_END),
-		.ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-					BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
-					BUILD_X509_FLAG, X509_CA,
-					BUILD_END),
+		.private = load_issuer_key(),
+		.ca = load_issuer_cert(),
+		.cas = linked_list_create(),
+		.digest = enum_from_name(hash_algorithm_short_names, digest),
 		.psk = shared_key_create(SHARED_IKE,
 								 chunk_clone(chunk_create(psk, strlen(psk)))),
 		.pwd = shared_key_create(SHARED_EAP,
 								 chunk_clone(chunk_create(pwd, strlen(pwd)))),
 	);
+
+	if (this->ca)
+	{
+		this->cas->insert_last(this->cas, this->ca->get_ref(this->ca));
+	}
+
+	if (this->digest == -1)
+	{
+		DBG1(DBG_CFG, "invalid load-tester digest: '%s', using sha1", digest);
+		this->digest = HASH_SHA1;
+	}
+
+	load_ca_certs(this);
+
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 440197260..bf08d2c9c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -54,7 +54,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	return SUCCESS;
@@ -70,7 +70,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	return NOT_SUPPORTED;
 }
@@ -108,12 +109,6 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	return SUCCESS;
 }
 
-METHOD(kernel_ipsec_t, bypass_socket, bool,
-	private_load_tester_ipsec_t *this, int fd, int family)
-{
-	return TRUE;
-}
-
 METHOD(kernel_ipsec_t, destroy, void,
 	private_load_tester_ipsec_t *this)
 {
@@ -141,7 +136,8 @@ load_tester_ipsec_t *load_tester_ipsec_create()
 				.query_policy = _query_policy,
 				.del_policy = _del_policy,
 				.flush_policies = (void*)return_failed,
-				.bypass_socket = _bypass_socket,
+				.bypass_socket = (void*)return_true,
+				.enable_udp_decap = (void*)return_true,
 				.destroy = _destroy,
 			},
 		},
@@ -150,4 +146,3 @@ load_tester_ipsec_t *load_tester_ipsec_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 7c96f7d97..7e832ddc0 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -50,6 +50,11 @@ struct private_load_tester_listener_t {
 	 * Shutdown the daemon if we have established this SA count
 	 */
 	u_int shutdown_on;
+
+	/**
+	 * Configuration backend
+	 */
+	load_tester_config_t *config;
 };
 
 METHOD(listener_t, ike_updown, bool,
@@ -83,6 +88,16 @@ METHOD(listener_t, ike_updown, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, ike_state_change, bool,
+	private_load_tester_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	if (state == IKE_DESTROYING)
+	{
+		this->config->delete_ip(this->config, ike_sa->get_my_host(ike_sa));
+	}
+	return TRUE;
+}
+
 METHOD(load_tester_listener_t, get_established, u_int,
 	private_load_tester_listener_t *this)
 {
@@ -95,7 +110,8 @@ METHOD(load_tester_listener_t, destroy, void,
 	free(this);
 }
 
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
+													load_tester_config_t *config)
 {
 	private_load_tester_listener_t *this;
 
@@ -103,15 +119,17 @@ load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
 		.public = {
 			.listener = {
 				.ike_updown = _ike_updown,
+				.ike_state_change = _ike_state_change,
 			},
 			.get_established = _get_established,
 			.destroy = _destroy,
 		},
 		.delete_after_established = lib->settings->get_bool(lib->settings,
-				"charon.plugins.load-tester.delete_after_established", FALSE),
+					"%s.plugins.load-tester.delete_after_established", FALSE,
+					charon->name),
 		.shutdown_on = shutdown_on,
+		.config = config,
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.h b/src/libcharon/plugins/load_tester/load_tester_listener.h
index 2621798c8..eba4afcf1 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.h
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.h
@@ -23,6 +23,8 @@
 
 #include <bus/bus.h>
 
+#include "load_tester_config.h"
+
 typedef struct load_tester_listener_t load_tester_listener_t;
 
 /**
@@ -52,8 +54,10 @@ struct load_tester_listener_t {
  * Create a listener to handle special events during load test
  *
  * @param shutdown_on	shut down the daemon after this many SAs are established
+ * @param config		configuration backend
  * @return				listener
  */
-load_tester_listener_t *load_tester_listener_create(u_int shutdown_on);
+load_tester_listener_t *load_tester_listener_create(u_int shutdown_on,
+													load_tester_config_t *config);
 
 #endif /** LOAD_TESTER_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index b260a9741..03557a269 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -18,6 +18,7 @@
 #include "load_tester_creds.h"
 #include "load_tester_ipsec.h"
 #include "load_tester_listener.h"
+#include "load_tester_control.h"
 #include "load_tester_diffie_hellman.h"
 
 #include <unistd.h>
@@ -28,8 +29,6 @@
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 
-static const char *plugin_name = "load_tester";
-
 typedef struct private_load_tester_plugin_t private_load_tester_plugin_t;
 
 /**
@@ -53,6 +52,11 @@ struct private_load_tester_plugin_t {
 	load_tester_creds_t *creds;
 
 	/**
+	 * Unix control socket to initiate load-tests
+	 */
+	load_tester_control_t *control;
+
+	/**
 	 * event handler, listens on bus
 	 */
 	load_tester_listener_t *listener;
@@ -171,26 +175,81 @@ METHOD(plugin_t, get_name, char*,
 	return "load-tester";
 }
 
-METHOD(plugin_t, destroy, void,
-	private_load_tester_plugin_t *this)
+/**
+ * Register load_tester plugin features
+ */
+static bool register_load_tester(private_load_tester_plugin_t *this,
+								 plugin_feature_t *feature, bool reg, void *data)
 {
-	this->iterations = -1;
-	this->mutex->lock(this->mutex);
-	while (this->running)
+	if (reg)
 	{
-		this->condvar->wait(this->condvar, this->mutex);
+		u_int i, shutdown_on = 0;
+
+		this->config = load_tester_config_create();
+		this->creds = load_tester_creds_create();
+		this->control = load_tester_control_create();
+
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+		lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
+
+		if (lib->settings->get_bool(lib->settings,
+				"%s.plugins.load-tester.shutdown_when_complete", 0, charon->name))
+		{
+			shutdown_on = this->iterations * this->initiators;
+		}
+		this->listener = load_tester_listener_create(shutdown_on, this->config);
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+		for (i = 0; i < this->initiators; i++)
+		{
+			lib->processor->queue_job(lib->processor, (job_t*)
+				callback_job_create_with_prio((callback_job_cb_t)do_load_test,
+										this, NULL, NULL, JOB_PRIO_CRITICAL));
+		}
 	}
-	this->mutex->unlock(this->mutex);
+	else
+	{
+		this->iterations = -1;
+		this->mutex->lock(this->mutex);
+		while (this->running)
+		{
+			this->condvar->wait(this->condvar, this->mutex);
+		}
+		this->mutex->unlock(this->mutex);
+		charon->backends->remove_backend(charon->backends, &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+		this->config->destroy(this->config);
+		this->creds->destroy(this->creds);
+		this->listener->destroy(this->listener);
+		this->control->destroy(this->control);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_load_tester_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(DH, load_tester_diffie_hellman_create),
+			PLUGIN_PROVIDE(DH, MODP_NULL),
+				PLUGIN_DEPENDS(CUSTOM, "load-tester"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)register_load_tester, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "load-tester"),
+				PLUGIN_DEPENDS(CUSTOM, "kernel-net"),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_load_tester_plugin_t *this)
+{
 	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->listener->destroy(this->listener);
-	lib->crypto->remove_dh(lib->crypto,
-						(dh_constructor_t)load_tester_diffie_hellman_create);
 	this->mutex->destroy(this->mutex);
 	this->condvar->destroy(this->condvar);
 	free(this);
@@ -202,10 +261,9 @@ METHOD(plugin_t, destroy, void,
 plugin_t *load_tester_plugin_create()
 {
 	private_load_tester_plugin_t *this;
-	u_int i, shutdown_on = 0;
 
 	if (!lib->settings->get_bool(lib->settings,
-								 "charon.plugins.load-tester.enable", FALSE))
+						"%s.plugins.load-tester.enable", FALSE, charon->name))
 	{
 		DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
 		return NULL;
@@ -215,49 +273,28 @@ plugin_t *load_tester_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
+				.get_features = _get_features,
 				.reload = (void*)return_false,
 				.destroy = _destroy,
 			},
 		},
 		.delay = lib->settings->get_int(lib->settings,
-					"charon.plugins.load-tester.delay", 0),
+						"%s.plugins.load-tester.delay", 0, charon->name),
 		.iterations = lib->settings->get_int(lib->settings,
-					"charon.plugins.load-tester.iterations", 1),
+						"%s.plugins.load-tester.iterations", 1, charon->name),
 		.initiators = lib->settings->get_int(lib->settings,
-					"charon.plugins.load-tester.initiators", 0),
+						"%s.plugins.load-tester.initiators", 0, charon->name),
 		.init_limit = lib->settings->get_int(lib->settings,
-					"charon.plugins.load-tester.init_limit", 0),
+						"%s.plugins.load-tester.init_limit", 0, charon->name),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
-		.config = load_tester_config_create(),
-		.creds = load_tester_creds_create(),
 	);
 
-	lib->crypto->add_dh(lib->crypto, MODP_NULL, plugin_name,
-						(dh_constructor_t)load_tester_diffie_hellman_create);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
-
-	if (lib->settings->get_bool(lib->settings,
-					"charon.plugins.load-tester.shutdown_when_complete", 0))
-	{
-		shutdown_on = this->iterations * this->initiators;
-	}
-	this->listener = load_tester_listener_create(shutdown_on);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	if (lib->settings->get_bool(lib->settings,
-					"charon.plugins.load-tester.fake_kernel", FALSE))
+			"%s.plugins.load-tester.fake_kernel", FALSE, charon->name))
 	{
 		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	}
-	for (i = 0; i < this->initiators; i++)
-	{
-		lib->processor->queue_job(lib->processor, (job_t*)
-				callback_job_create_with_prio((callback_job_cb_t)do_load_test,
-										this, NULL, NULL, JOB_PRIO_CRITICAL));
-	}
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/lookip/Makefile.am b/src/libcharon/plugins/lookip/Makefile.am
new file mode 100644
index 000000000..6d71c8c13
--- /dev/null
+++ b/src/libcharon/plugins/lookip/Makefile.am
@@ -0,0 +1,23 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-lookip.la
+else
+plugin_LTLIBRARIES = libstrongswan-lookip.la
+endif
+
+libstrongswan_lookip_la_SOURCES = lookip_plugin.h lookip_plugin.c \
+	lookip_listener.h lookip_listener.c lookip_msg.h \
+	lookip_socket.h lookip_socket.c
+
+libstrongswan_lookip_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = lookip
+lookip_SOURCES = lookip.c
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
new file mode 100644
index 000000000..630ec4a1c
--- /dev/null
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -0,0 +1,747 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = lookip$(EXEEXT)
+subdir = src/libcharon/plugins/lookip
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_lookip_la_LIBADD =
+am_libstrongswan_lookip_la_OBJECTS = lookip_plugin.lo \
+	lookip_listener.lo lookip_socket.lo
+libstrongswan_lookip_la_OBJECTS =  \
+	$(am_libstrongswan_lookip_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_lookip_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_lookip_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_lookip_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_lookip_la_rpath =
+PROGRAMS = $(ipsec_PROGRAMS)
+am_lookip_OBJECTS = lookip.$(OBJEXT)
+lookip_OBJECTS = $(am_lookip_OBJECTS)
+lookip_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
+DIST_SOURCES = $(libstrongswan_lookip_la_SOURCES) $(lookip_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-lookip.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-lookip.la
+libstrongswan_lookip_la_SOURCES = lookip_plugin.h lookip_plugin.c \
+	lookip_listener.h lookip_listener.c lookip_msg.h \
+	lookip_socket.h lookip_socket.c
+
+libstrongswan_lookip_la_LDFLAGS = -module -avoid-version
+lookip_SOURCES = lookip.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/lookip/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-lookip.la: $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_DEPENDENCIES) $(EXTRA_libstrongswan_lookip_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_lookip_la_LINK) $(am_libstrongswan_lookip_la_rpath) $(libstrongswan_lookip_la_OBJECTS) $(libstrongswan_lookip_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+lookip$(EXEEXT): $(lookip_OBJECTS) $(lookip_DEPENDENCIES) $(EXTRA_lookip_DEPENDENCIES) 
+	@rm -f lookip$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(lookip_OBJECTS) $(lookip_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookip_socket.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+	clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipsecPROGRAMS clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/lookip/lookip.c b/src/libcharon/plugins/lookip/lookip.c
new file mode 100644
index 000000000..d473c7022
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_msg.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <getopt.h>
+#include <arpa/inet.h>
+
+/**
+ * Connect to the daemon, return FD
+ */
+static int make_connection()
+{
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
+
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, LOOKIP_SOCKET);
+
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
+		return -1;
+	}
+	if (connect(fd, &addr.sa, len) < 0)
+	{
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
+		close(fd);
+		return -1;
+	}
+	return fd;
+}
+
+static int read_all(int fd, void *buf, size_t len, int flags)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = recv(fd, buf, len - done, flags);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret == 0)
+		{
+			return 0;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
+static int write_all(int fd, void *buf, size_t len)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = write(fd, buf, len - done);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
+/**
+ * Send a request message
+ */
+static int send_request(int fd, int type, char *vip)
+{
+	lookip_request_t req = {
+		.type = htonl(type),
+	};
+
+	if (vip)
+	{
+		snprintf(req.vip, sizeof(req.vip), "%s", vip);
+	}
+	if (write_all(fd, &req, sizeof(req)) != sizeof(req))
+	{
+		fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
+		return 2;
+	}
+	return 0;
+}
+
+/**
+ * Receive entries from fd. If block is != 0, the call blocks until closed
+ */
+static int receive(int fd, int block, int loop)
+{
+	lookip_response_t resp;
+	char *label, name[32];
+	int res;
+
+	do
+	{
+		res = read_all(fd, &resp, sizeof(resp), block ? 0 : MSG_DONTWAIT);
+		if (res == 0)
+		{	/* closed by server */
+			return 0;
+		}
+		if (res != sizeof(resp))
+		{
+			if (!block && (errno == EAGAIN || errno == EWOULDBLOCK))
+			{	/* call would block, but we don't */
+				return 0;
+			}
+			fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
+			return 1;
+		}
+		switch (ntohl(resp.type))
+		{
+			case LOOKIP_ENTRY:
+				label = "lookup:";
+				break;
+			case LOOKIP_NOT_FOUND:
+				label = "not found:";
+				break;
+			case LOOKIP_NOTIFY_UP:
+				label = "up:";
+				break;
+			case LOOKIP_NOTIFY_DOWN:
+				label = "down:";
+				break;
+			default:
+				fprintf(stderr, "received invalid message type: %d\n", resp.type);
+				return 1;
+		}
+		resp.vip[sizeof(resp.vip) - 1] = '\0';
+		resp.ip[sizeof(resp.ip) - 1] = '\0';
+		resp.id[sizeof(resp.id) - 1] = '\0';
+		resp.name[sizeof(resp.name) - 1] = '\0';
+
+		snprintf(name, sizeof(name), "%s[%u]", resp.name, ntohl(resp.unique_id));
+		printf("%-12s %16s %16s %20s %s\n",
+			   label, resp.vip, resp.ip, name, resp.id);
+	}
+	while (loop);
+
+	return 0;
+}
+
+/**
+ * Interactive IP lookup shell
+ */
+static int interactive(int fd)
+{
+	printf("Enter IP address or 'quit'\n");
+
+	while (1)
+	{
+		char line[64], *pos;
+		int res;
+
+		printf("> ");
+		fflush(stdout);
+
+		if (fgets(line, sizeof(line), stdin))
+		{
+			pos = strchr(line, '\n');
+			if (pos)
+			{
+				*pos = '\0';
+			}
+			if (strlen(line) == 0)
+			{
+				continue;
+			}
+			if (strcmp(line, "quit") == 0)
+			{
+				return send_request(fd, LOOKIP_END, NULL);
+			}
+			res = send_request(fd, LOOKIP_LOOKUP, line);
+			if (res != 0)
+			{
+				return res;
+			}
+			res = receive(fd, 1, 0);
+			if (res != 0)
+			{
+				return res;
+			}
+		}
+	}
+}
+
+/**
+ * Print usage information
+ */
+static void usage(char *cmd)
+{
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "  %s --help\n", cmd);
+	fprintf(stderr, "  %s --dump\n", cmd);
+	fprintf(stderr, "  %s --lookup <IP>\n", cmd);
+	fprintf(stderr, "  %s --listen-up\n", cmd);
+	fprintf(stderr, "  %s --listen-down\n", cmd);
+	fprintf(stderr, "Any combination of options is allowed.\n");
+}
+
+int main(int argc, char *argv[])
+{
+	int fd, res = 0, end = 0;
+	struct option long_opts[] = {
+		{ "help", no_argument, NULL, 'h' },
+		{ "dump", no_argument, NULL, 'd' },
+		{ "lookup", required_argument, NULL, 'l' },
+		{ "listen-up", no_argument, NULL, 'u' },
+		{ "listen-down", no_argument, NULL, 'c' },
+		{ 0,0,0,0 }
+	};
+
+	fd = make_connection();
+	if (fd == -1)
+	{
+		return 1;
+	}
+
+	if (argc == 1)
+	{
+		res = interactive(fd);
+		close(fd);
+		return res;
+	}
+
+	while (res == 0)
+	{
+		switch (getopt_long(argc, argv, "", long_opts, NULL))
+		{
+			case EOF:
+				end = 1;
+				break;
+			case 'h':
+				usage(argv[0]);
+				break;
+			case 'd':
+				res = send_request(fd, LOOKIP_DUMP, NULL);
+				break;
+			case 'l':
+				res = send_request(fd, LOOKIP_LOOKUP, optarg);
+				break;
+			case 'u':
+				res = send_request(fd, LOOKIP_REGISTER_UP, NULL);
+				break;
+			case 'c':
+				res = send_request(fd, LOOKIP_REGISTER_DOWN, NULL);
+				break;
+			default:
+				usage(argv[0]);
+				res = 1;
+				break;
+		}
+		if (end)
+		{
+			break;
+		}
+		if (res == 0)
+		{	/* read all currently available results */
+			res = receive(fd, 0, 1);
+		}
+	}
+	if (res == 0)
+	{
+		/* send close message */
+		send_request(fd, LOOKIP_END, NULL);
+		/* read until socket gets closed */
+		res = receive(fd, 1, 1);
+	}
+	close(fd);
+
+	return res;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_listener.c b/src/libcharon/plugins/lookip/lookip_listener.c
new file mode 100644
index 000000000..d5eab1f6c
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_listener.c
@@ -0,0 +1,348 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_listener.h"
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_lookip_listener_t private_lookip_listener_t;
+
+/**
+ * Private data of an lookip_listener_t object.
+ */
+struct private_lookip_listener_t {
+
+	/**
+	 * Public lookip_listener_t interface.
+	 */
+	lookip_listener_t public;
+
+	/**
+	 * Lock for hashtable
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Hashtable with entries: host_t => entry_t
+	 */
+	hashtable_t *entries;
+
+	/**
+	 * List of registered listeners
+	 */
+	linked_list_t *listeners;
+};
+
+/**
+ * Listener entry
+ */
+typedef struct {
+	/** callback function */
+	lookip_callback_t cb;
+	/** user data for callback */
+	void *user;
+} listener_entry_t;
+
+/**
+ * Hashtable entry
+ */
+typedef struct {
+	/** virtual IP, serves as lookup key */
+	host_t *vip;
+	/** peers external address */
+	host_t *other;
+	/** peer (EAP-)Identity */
+	identification_t *id;
+	/** associated connection name */
+	char *name;
+	/** IKE_SA unique identifier */
+	u_int unique_id;
+} entry_t;
+
+/**
+ * Destroy a hashtable entry
+ */
+static void entry_destroy(entry_t *entry)
+{
+	entry->vip->destroy(entry->vip);
+	entry->other->destroy(entry->other);
+	entry->id->destroy(entry->id);
+	free(entry->name);
+	free(entry);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(host_t *key)
+{
+	return chunk_hash(key->get_address(key));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(host_t *a, host_t *b)
+{
+	return a->ip_equals(a, b);
+}
+
+/**
+ * Compare callback that invokes up callback of all registered listeners
+ */
+static bool notify_up(listener_entry_t *listener, entry_t *entry)
+{
+	if (!listener->cb(listener->user, TRUE, entry->vip, entry->other,
+					  entry->id, entry->name, entry->unique_id))
+	{
+		free(listener);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Compare callback that invokes down callback of all registered listeners
+ */
+static bool notify_down(listener_entry_t *listener, entry_t *entry)
+{
+	if (!listener->cb(listener->user, FALSE, entry->vip, entry->other,
+					  entry->id, entry->name, entry->unique_id))
+	{
+		free(listener);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Add a new entry to the hashtable
+ */
+static void add_entry(private_lookip_listener_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *vip, *other;
+	identification_t *id;
+	entry_t *entry;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		other = ike_sa->get_other_host(ike_sa);
+		id = ike_sa->get_other_eap_id(ike_sa);
+
+		INIT(entry,
+			.vip = vip->clone(vip),
+			.other = other->clone(other),
+			.id = id->clone(id),
+			.name = strdup(ike_sa->get_name(ike_sa)),
+			.unique_id = ike_sa->get_unique_id(ike_sa),
+		);
+
+		this->lock->read_lock(this->lock);
+		this->listeners->remove(this->listeners, entry, (void*)notify_up);
+		this->lock->unlock(this->lock);
+
+		this->lock->write_lock(this->lock);
+		entry = this->entries->put(this->entries, entry->vip, entry);
+		this->lock->unlock(this->lock);
+		if (entry)
+		{
+			entry_destroy(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Remove an entry from the hashtable
+ */
+static void remove_entry(private_lookip_listener_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *vip;
+	entry_t *entry;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		this->lock->write_lock(this->lock);
+		entry = this->entries->remove(this->entries, vip);
+		this->lock->unlock(this->lock);
+		if (entry)
+		{
+			this->lock->read_lock(this->lock);
+			this->listeners->remove(this->listeners, entry, (void*)notify_down);
+			this->lock->unlock(this->lock);
+
+			entry_destroy(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_lookip_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming, bool plain)
+{
+	if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+		!incoming && !message->get_request(message))
+	{
+		if (ike_sa->get_version(ike_sa) == IKEV1 &&
+			message->get_exchange_type(message) == TRANSACTION)
+		{
+			add_entry(this, ike_sa);
+		}
+		if (ike_sa->get_version(ike_sa) == IKEV2 &&
+			message->get_exchange_type(message) == IKE_AUTH)
+		{
+			add_entry(this, ike_sa);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_lookip_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+	if (!up)
+	{
+		remove_entry(this, ike_sa);
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_lookip_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	/* During IKE_SA rekey, the unique identifier changes. Fire update events
+	 * and update the cached entry. During the invocation of this hook, the
+	 * virtual IPs have been migrated to new, hence remove that entry. */
+	remove_entry(this, new);
+	add_entry(this, new);
+
+	return TRUE;
+}
+
+METHOD(lookip_listener_t, lookup, int,
+	private_lookip_listener_t *this, host_t *vip,
+	lookip_callback_t cb, void *user)
+{
+	entry_t *entry;
+	int matches = 0;
+
+	this->lock->read_lock(this->lock);
+	if (vip)
+	{
+		entry = this->entries->get(this->entries, vip);
+		if (entry)
+		{
+			cb(user, TRUE, entry->vip, entry->other, entry->id,
+			   entry->name, entry->unique_id);
+			matches ++;
+		}
+	}
+	else
+	{
+		enumerator_t *enumerator;
+
+		enumerator = this->entries->create_enumerator(this->entries);
+		while (enumerator->enumerate(enumerator, &vip, &entry))
+		{
+			cb(user, TRUE, entry->vip, entry->other, entry->id,
+			   entry->name, entry->unique_id);
+			matches++;
+		}
+		enumerator->destroy(enumerator);
+	}
+	this->lock->unlock(this->lock);
+
+	return matches;
+}
+
+METHOD(lookip_listener_t, add_listener, void,
+	private_lookip_listener_t *this, lookip_callback_t cb, void *user)
+{
+	listener_entry_t *listener;
+
+	INIT(listener,
+		.cb = cb,
+		.user = user,
+	);
+
+	this->lock->write_lock(this->lock);
+	this->listeners->insert_last(this->listeners, listener);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(lookip_listener_t, remove_listener, void,
+	private_lookip_listener_t *this, void *user)
+{
+	listener_entry_t *listener;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->user == user)
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+			free(listener);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(lookip_listener_t, destroy, void,
+	private_lookip_listener_t *this)
+{
+	this->listeners->destroy_function(this->listeners, free);
+	this->entries->destroy(this->entries);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+lookip_listener_t *lookip_listener_create()
+{
+	private_lookip_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.message = _message_hook,
+				.ike_updown = _ike_updown,
+				.ike_rekey = _ike_rekey,
+			},
+			.lookup = _lookup,
+			.add_listener = _add_listener,
+			.remove_listener = _remove_listener,
+			.destroy = _destroy,
+		},
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.entries = hashtable_create((hashtable_hash_t)hash,
+									(hashtable_equals_t)equals, 32),
+		.listeners = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_listener.h b/src/libcharon/plugins/lookip/lookip_listener.h
new file mode 100644
index 000000000..f6612b324
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_listener.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_listener lookip_listener
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_LISTENER_H_
+#define LOOKIP_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct lookip_listener_t lookip_listener_t;
+
+/**
+ * Callback function to query virtual IP entries
+ *
+ * @param user		user supplied pointer
+ * @param up		TRUE if tunnels established, FALSE if closed
+ * @param vip		virtual IP of remote peer
+ * @param other		peer external IP
+ * @param id		peer identity
+ * @param name		associated connection name
+ * @param unique_id	unique IKE_SA identifier
+ * @return			TRUE to receive more results, FALSE to cancel
+ */
+typedef bool (*lookip_callback_t)(void *user, bool up, host_t *vip,
+								  host_t *other, identification_t *id,
+								  char *name, u_int unique_id);
+
+/**
+ * Listener collecting virtual IPs.
+ */
+struct lookip_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Perform a lookup for a given virtual IP, invoke callback for matches.
+	 *
+	 * The "up" parameter is always TRUE when the callback is invoked using
+	 * lookup().
+	 *
+	 * @param vip		virtual IP to look up, NULL to get all entries
+	 * @param cb		callback function to invoke
+	 * @param user		user data to pass to callback function
+	 * @return			number of matches
+	 */
+	int (*lookup)(lookip_listener_t *this, host_t *vip,
+				  lookip_callback_t cb, void *user);
+
+	/**
+	 * Register a listener function that gets notified about virtual IP changes.
+	 *
+	 * @param cb		callback function to invoke
+	 * @param user		user data to pass to callback function
+	 */
+	void (*add_listener)(lookip_listener_t *this,
+						 lookip_callback_t cb, void *user);
+
+	/**
+	 * Unregister a listener by the user data.
+	 *
+	 * @param user		user data, as passed during add_listener()
+	 */
+	void (*remove_listener)(lookip_listener_t *this, void *user);
+
+	/**
+	 * Destroy a lookip_listener_t.
+	 */
+	void (*destroy)(lookip_listener_t *this);
+};
+
+/**
+ * Create a lookip_listener instance.
+ */
+lookip_listener_t *lookip_listener_create();
+
+#endif /** LOOKIP_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_msg.h b/src/libcharon/plugins/lookip/lookip_msg.h
new file mode 100644
index 000000000..83b765ece
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_msg.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_msg lookip_msg
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_MSG_H_
+#define LOOKIP_MSG_H_
+
+#define LOOKIP_SOCKET IPSEC_PIDDIR "/charon.lkp"
+
+typedef struct lookip_request_t lookip_request_t;
+typedef struct lookip_response_t lookip_response_t;
+
+/**
+ * Message type.
+ *
+ * The client can send a batch of request messages, containing DUMP, LOOKUP or
+ * REGISTER_* messages. The server immediately starts sending responses for
+ * these messages, using ENTRY or NOTIFY_* messages.
+ * A client MUST send an END message to complete a batch. The server will
+ * send any remaining responses, but will not accept new requests and closes
+ * the connection when complete.
+ */
+enum {
+	/** request a dump of all entries */
+	LOOKIP_DUMP = 1,
+	/** lookup a specific virtual IP */
+	LOOKIP_LOOKUP,
+	/** reply message for DUMP and LOOKUP */
+	LOOKIP_ENTRY,
+	/** reply message for LOOKUP if no such IP found */
+	LOOKIP_NOT_FOUND,
+	/** register for notifications about new virtual IPs */
+	LOOKIP_REGISTER_UP,
+	/** register for notifications about virtual IPs released */
+	LOOKIP_REGISTER_DOWN,
+	/** notify reply message for REGISTER_UP */
+	LOOKIP_NOTIFY_UP,
+	/** notify reply message for REGISTER_DOWN */
+	LOOKIP_NOTIFY_DOWN,
+	/** end of request batch */
+	LOOKIP_END,
+};
+
+/**
+ * Request message sent from client.
+ *
+ * Valid request message types are DUMP, LOOKUP, REGISTER_UP/DOWN and END.
+ *
+ * The vip field is used only in LOOKUP requests, but ignored otherwise.
+ */
+struct lookip_request_t {
+	/** request message type */
+	int type;
+	/** null terminated string representation of virtual IP */
+	char vip[40];
+} __attribute__((packed));
+
+/**
+ * Response message sent to client.
+ *
+ * Valid response message types are ENTRY, NOT_FOUND and NOTIFY_UP/DOWN.
+ *
+ * All fields are set in all messages, except in NOT_FOUND: Only vip is set.
+ */
+struct lookip_response_t {
+	/** response message type */
+	int type;
+	/** null terminated string representation of virtual IP */
+	char vip[40];
+	/** null terminated string representation of outer IP */
+	char ip[40];
+	/** null terminated peer identity */
+	char id[256];
+	/** null terminated connection name */
+	char name[40];
+	/** unique connection id */
+	unsigned int unique_id;
+} __attribute__((packed));
+
+#endif /** LOOKIP_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
new file mode 100644
index 000000000..a6c32d65d
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_plugin.h"
+
+#include "lookip_listener.h"
+#include "lookip_socket.h"
+
+#include <daemon.h>
+
+typedef struct private_lookip_plugin_t private_lookip_plugin_t;
+
+/**
+ * private data of lookip plugin
+ */
+struct private_lookip_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	lookip_plugin_t public;
+
+	/**
+	 * Listener collecting virtual IP assignements
+	 */
+	lookip_listener_t *listener;
+
+	/**
+	 * UNIX socket to serve client queries
+	 */
+	lookip_socket_t *socket;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_lookip_plugin_t *this)
+{
+	return "lookip";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_lookip_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_lookip_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "lookip"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_lookip_plugin_t *this)
+{
+	DESTROY_IF(this->socket);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *lookip_plugin_create()
+{
+	private_lookip_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.listener = lookip_listener_create(),
+	);
+
+	this->socket = lookip_socket_create(this->listener);
+	if (!this->socket)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.h b/src/libcharon/plugins/lookip/lookip_plugin.h
new file mode 100644
index 000000000..ea780ebe7
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip lookip
+ * @ingroup cplugins
+ *
+ * @defgroup lookip_plugin lookip_plugin
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_PLUGIN_H_
+#define LOOKIP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct lookip_plugin_t lookip_plugin_t;
+
+/**
+ * Plugin providing fast connection lookup and notification for virtual IPs.
+ */
+struct lookip_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** LOOKIP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
new file mode 100644
index 000000000..d25573bf4
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -0,0 +1,410 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "lookip_socket.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include "lookip_msg.h"
+
+typedef struct private_lookip_socket_t private_lookip_socket_t;
+
+/**
+ * Private data of an lookip_socket_t object.
+ */
+struct private_lookip_socket_t {
+
+	/**
+	 * Public lookip_socket_t interface.
+	 */
+	lookip_socket_t public;
+
+	/**
+	 * lookip
+	 */
+	lookip_listener_t *listener;
+
+	/**
+	 * stream service accepting connections
+	 */
+	stream_service_t *service;
+
+	/**
+	 * List of connected clients, as entry_t
+	 */
+	linked_list_t *connected;
+
+	/**
+	 * Mutex to lock clients list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * List entry for a connected stream
+ */
+typedef struct {
+	/* stream to write to */
+	stream_t *stream;
+	/* registered for up events? */
+	bool up;
+	/* registered for down events? */
+	bool down;
+	/** backref to this for unregistration */
+	private_lookip_socket_t *this;
+} entry_t;
+
+/**
+ * Clean up a connection entry
+ */
+static void entry_destroy(entry_t *entry)
+{
+	entry->stream->destroy(entry->stream);
+	free(entry);
+}
+
+/**
+ * Disconnect a stream, remove connection entry
+ */
+static void disconnect(private_lookip_socket_t *this, stream_t *stream)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->stream == stream)
+		{
+			this->connected->remove_at(this->connected, enumerator);
+			if (entry->up || entry->down)
+			{
+				this->listener->remove_listener(this->listener, entry);
+			}
+			entry_destroy(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Callback function for listener up/down events
+ */
+static bool event_cb(entry_t *entry, bool up, host_t *vip, host_t *other,
+					 identification_t *id, char *name, u_int unique_id)
+{
+	lookip_response_t resp = {
+		.unique_id = htonl(unique_id),
+	};
+
+	if (up)
+	{
+		if (!entry->up)
+		{
+			return TRUE;
+		}
+		resp.type = htonl(LOOKIP_NOTIFY_UP);
+	}
+	else
+	{
+		if (!entry->down)
+		{
+			return TRUE;
+		}
+		resp.type = htonl(LOOKIP_NOTIFY_DOWN);
+	}
+
+	snprintf(resp.vip, sizeof(resp.vip), "%H", vip);
+	snprintf(resp.ip, sizeof(resp.ip), "%H", other);
+	snprintf(resp.id, sizeof(resp.id), "%Y", id);
+	snprintf(resp.name, sizeof(resp.name), "%s", name);
+
+	if (entry->stream->write_all(entry->stream, &resp, sizeof(resp)))
+	{
+		return TRUE;
+	}
+	switch (errno)
+	{
+		case ECONNRESET:
+		case EPIPE:
+			/* client disconnected, adios */
+			break;
+		default:
+			DBG1(DBG_CFG, "sending lookip event failed: %s", strerror(errno));
+			break;
+	}
+	/* don't unregister, as we return FALSE */
+	entry->up = entry->down = FALSE;
+	disconnect(entry->this, entry->stream);
+	return FALSE;
+}
+
+/**
+ * Callback function for queries
+ */
+static bool query_cb(stream_t *stream, bool up, host_t *vip, host_t *other,
+					 identification_t *id, char *name, u_int unique_id)
+{
+	lookip_response_t resp = {
+		.type = htonl(LOOKIP_ENTRY),
+		.unique_id = htonl(unique_id),
+	};
+
+	snprintf(resp.vip, sizeof(resp.vip), "%H", vip);
+	snprintf(resp.ip, sizeof(resp.ip), "%H", other);
+	snprintf(resp.id, sizeof(resp.id), "%Y", id);
+	snprintf(resp.name, sizeof(resp.name), "%s", name);
+
+	if (stream->write_all(stream, &resp, sizeof(resp)))
+	{
+		return TRUE;
+	}
+	switch (errno)
+	{
+		case ECONNRESET:
+		case EPIPE:
+			/* client disconnected, adios */
+			break;
+		default:
+			DBG1(DBG_CFG, "sending lookip response failed: %s", strerror(errno));
+			break;
+	}
+	return FALSE;
+}
+
+/**
+ * Perform a lookup
+ */
+static void query(private_lookip_socket_t *this, stream_t *stream,
+				  lookip_request_t *req)
+{
+
+	host_t *vip = NULL;
+	int matches = 0;
+
+	if (req)
+	{	/* lookup */
+		req->vip[sizeof(req->vip) - 1] = 0;
+		vip = host_create_from_string(req->vip, 0);
+		if (vip)
+		{
+			matches = this->listener->lookup(this->listener, vip,
+											 (void*)query_cb, stream);
+			vip->destroy(vip);
+		}
+		if (matches == 0)
+		{
+			lookip_response_t resp = {
+				.type = htonl(LOOKIP_NOT_FOUND),
+			};
+
+			snprintf(resp.vip, sizeof(resp.vip), "%s", req->vip);
+			if (!stream->write_all(stream, &resp, sizeof(resp)))
+			{
+				DBG1(DBG_CFG, "sending lookip not-found failed: %s",
+					 strerror(errno));
+			}
+		}
+	}
+	else
+	{	/* dump */
+		this->listener->lookup(this->listener, NULL,
+							   (void*)query_cb, stream);
+	}
+}
+
+/**
+ * Subscribe to virtual IP events
+ */
+static void subscribe(private_lookip_socket_t *this, stream_t *stream, bool up)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->stream == stream)
+		{
+			if (!entry->up && !entry->down)
+			{	/* newly registered */
+				this->listener->add_listener(this->listener,
+											 (void*)event_cb, entry);
+			}
+			if (up)
+			{
+				entry->up = TRUE;
+			}
+			else
+			{
+				entry->down = TRUE;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Check if a client is subscribed for notifications
+ */
+static bool subscribed(private_lookip_socket_t *this, stream_t *stream)
+{
+	enumerator_t *enumerator;
+	bool subscribed = FALSE;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->connected->create_enumerator(this->connected);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->stream == stream)
+		{
+			subscribed = entry->up || entry->down;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	return subscribed;
+}
+
+/**
+ * Dispatch from a socket, on-read callback
+ */
+static bool on_read(private_lookip_socket_t *this, stream_t *stream)
+{
+	lookip_request_t req;
+
+	if (stream->read_all(stream, &req, sizeof(req)))
+	{
+		switch (ntohl(req.type))
+		{
+			case LOOKIP_LOOKUP:
+				query(this, stream, &req);
+				return TRUE;
+			case LOOKIP_DUMP:
+				query(this, stream, NULL);
+				return TRUE;
+			case LOOKIP_REGISTER_UP:
+				subscribe(this, stream, TRUE);
+				return TRUE;
+			case LOOKIP_REGISTER_DOWN:
+				subscribe(this, stream, FALSE);
+				return TRUE;
+			case LOOKIP_END:
+				break;
+			default:
+				DBG1(DBG_CFG, "received unknown lookip command");
+				break;
+		}
+	}
+	else
+	{
+		if (errno != ECONNRESET)
+		{
+			DBG1(DBG_CFG, "receiving lookip request failed: %s",
+				 strerror(errno));
+		}
+		disconnect(this, stream);
+		return FALSE;
+	}
+	if (subscribed(this, stream))
+	{
+		return TRUE;
+	}
+	disconnect(this, stream);
+	return FALSE;
+}
+
+/**
+ * Accept client connections, dispatch
+ */
+static bool on_accept(private_lookip_socket_t *this, stream_t *stream)
+{
+	entry_t *entry;
+
+	INIT(entry,
+		.stream = stream,
+		.this = this,
+	);
+
+	this->mutex->lock(this->mutex);
+	this->connected->insert_last(this->connected, entry);
+	this->mutex->unlock(this->mutex);
+
+	stream->on_read(stream, (void*)on_read, this);
+
+	return TRUE;
+}
+
+METHOD(lookip_socket_t, destroy, void,
+	private_lookip_socket_t *this)
+{
+	DESTROY_IF(this->service);
+	this->connected->destroy_function(this->connected, (void*)entry_destroy);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+lookip_socket_t *lookip_socket_create(lookip_listener_t *listener)
+{
+	private_lookip_socket_t *this;
+	char *uri;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+		.listener = listener,
+		.connected = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.lookip.socket", "unix://" LOOKIP_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
+	{
+		DBG1(DBG_CFG, "creating lookip socket failed");
+		destroy(this);
+		return NULL;
+	}
+
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 1);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/lookip/lookip_socket.h b/src/libcharon/plugins/lookip/lookip_socket.h
new file mode 100644
index 000000000..c1c50246d
--- /dev/null
+++ b/src/libcharon/plugins/lookip/lookip_socket.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup lookip_socket lookip_socket
+ * @{ @ingroup lookip
+ */
+
+#ifndef LOOKIP_SOCKET_H_
+#define LOOKIP_SOCKET_H_
+
+#include "lookip_listener.h"
+
+typedef struct lookip_socket_t lookip_socket_t;
+
+/**
+ * Lookip plugin UNIX query socket.
+ */
+struct lookip_socket_t {
+
+	/**
+	 * Destroy a lookip_socket_t.
+	 */
+	void (*destroy)(lookip_socket_t *this);
+};
+
+/**
+ * Create a lookip_socket instance.
+ */
+lookip_socket_t *lookip_socket_create(lookip_listener_t *listener);
+
+#endif /** LOOKIP_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
index 0bf7fad5d..c3c55ba41 100644
--- a/src/libcharon/plugins/maemo/Makefile.am
+++ b/src/libcharon/plugins/maemo/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	${maemo_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-maemo.la
@@ -20,8 +23,8 @@ libstrongswan_maemo_la_LIBADD  = ${maemo_LIBS}
 dbusservice_DATA = org.strongswan.charon.service
 
 org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
+	$(AM_V_GEN) \
 	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
 
 EXTRA_DIST = org.strongswan.charon.service.in
 CLEANFILES = $(dbusservice_DATA)
-
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index d2b9d9a34..f4d78bfb9 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -73,6 +91,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" \
 	"$(DESTDIR)$(dbusservicedir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@@ -80,27 +104,49 @@ am__DEPENDENCIES_1 =
 libstrongswan_maemo_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_maemo_la_OBJECTS = maemo_plugin.lo maemo_service.lo
 libstrongswan_maemo_la_OBJECTS = $(am_libstrongswan_maemo_la_OBJECTS)
-libstrongswan_maemo_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_maemo_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_maemo_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_maemo_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_maemo_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_maemo_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_maemo_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 DATA = $(dbusservice_DATA)
 ETAGS = etags
 CTAGS = ctags
@@ -108,21 +154,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -131,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -150,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -189,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -197,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -207,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -228,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -248,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -285,10 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	${maemo_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-maemo.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-maemo.la
 libstrongswan_maemo_la_SOURCES = \
@@ -345,7 +412,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -353,6 +419,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -374,8 +442,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) 
-	$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
+libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) $(EXTRA_libstrongswan_maemo_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -387,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_service.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -414,8 +482,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-dbusserviceDATA: $(dbusservice_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)"
 	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(dbusservicedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -429,9 +500,7 @@ uninstall-dbusserviceDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(dbusservicedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(dbusservicedir)" && rm -f $$files
+	dir='$(DESTDIR)$(dbusservicedir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -532,10 +601,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -639,6 +713,7 @@ uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
 
 
 org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in
+	$(AM_V_GEN) \
 	sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libcharon/plugins/maemo/maemo_plugin.c
index 38cb031b5..ddf9cdb5b 100644
--- a/src/libcharon/plugins/maemo/maemo_plugin.c
+++ b/src/libcharon/plugins/maemo/maemo_plugin.c
@@ -42,6 +42,17 @@ METHOD(plugin_t, get_name, char*,
 	return "maemo";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_maemo_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "maemo"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_maemo_plugin_t *this)
 {
@@ -60,7 +71,7 @@ plugin_t *maemo_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -74,4 +85,3 @@ plugin_t *maemo_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index 6675e1d21..d7539c2da 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -323,17 +323,21 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 								NULL);
 	}
 
-	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
-							 hostname, IKEV2_UDP_PORT);
+	ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
+							 charon->socket->get_port(charon->socket, FALSE),
+							 hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO,
+							 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 
-	peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED,
+	peer_cfg = peer_cfg_create(this->current, ike_cfg,
+							   CERT_SEND_IF_ASKED,
 							   UNIQUE_REPLACE, 1, /* keyingtries */
 							   36000, 0, /* rekey 10h, reauth none */
 							   600, 600, /* jitter, over 10min */
-							   TRUE, 0, /* mobike, DPD */
-							   host_create_from_string("0.0.0.0", 0) /* virt */,
-							   NULL, FALSE, NULL, NULL); /* pool, mediation */
+							   TRUE, FALSE, /* mobike, aggressive */
+							   0, 0, /* DPD delay, timeout */
+							   FALSE, NULL, NULL); /* mediation */
+	peer_cfg->add_virtual_ip(peer_cfg,  host_create_from_string("0.0.0.0", 0));
 
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
@@ -354,12 +358,16 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 											 0, "255.255.255.255", 65535);
 	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-	/* get an additional reference because initiate consumes one */
-	child_cfg->get_ref(child_cfg);
 
 	/* get us an IKE_SA */
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 														peer_cfg);
+	if (!ike_sa)
+	{
+		peer_cfg->destroy(peer_cfg);
+		this->status = VPN_STATUS_CONNECTION_FAILED;
+		return FALSE;
+	}
 	if (!ike_sa->get_peer_cfg(ike_sa))
 	{
 		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
@@ -373,6 +381,8 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 	this->public.listener.ike_state_change = _ike_state_change;
 	charon->bus->add_listener(charon->bus, &this->public.listener);
 
+	/* get an additional reference because initiate consumes one */
+	child_cfg->get_ref(child_cfg);
 	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
 	{
 		DBG1(DBG_CFG, "failed to initiate tunnel");
@@ -423,8 +433,10 @@ static job_requeue_t run(private_maemo_service_t *this)
 	return JOB_REQUEUE_NONE;
 }
 
-METHOD(maemo_service_t, destroy, void,
-	   private_maemo_service_t *this)
+/**
+ * Cancel the GLib Main Event Loop
+ */
+static bool cancel(private_maemo_service_t *this)
 {
 	if (this->loop)
 	{
@@ -434,6 +446,12 @@ METHOD(maemo_service_t, destroy, void,
 		}
 		g_main_loop_unref(this->loop);
 	}
+	return TRUE;
+}
+
+METHOD(maemo_service_t, destroy, void,
+	   private_maemo_service_t *this)
+{
 	if (this->context)
 	{
 		osso_rpc_unset_cb_f(this->context,
@@ -502,9 +520,8 @@ maemo_service_t *maemo_service_create()
 	}
 
 	lib->processor->queue_job(lib->processor,
-				(job_t*)callback_job_create_with_prio((callback_job_cb_t)run,
-										this, NULL, NULL, JOB_PRIO_CRITICAL));
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
+				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/medcli/Makefile.am b/src/libcharon/plugins/medcli/Makefile.am
index cdff8d854..f645be27e 100644
--- a/src/libcharon/plugins/medcli/Makefile.am
+++ b/src/libcharon/plugins/medcli/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-medcli.la
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index b8983ad21..01368050a 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_medcli_la_LIBADD =
@@ -79,48 +103,77 @@ am_libstrongswan_medcli_la_OBJECTS = medcli_plugin.lo medcli_creds.lo \
 	medcli_config.lo medcli_listener.lo
 libstrongswan_medcli_la_OBJECTS =  \
 	$(am_libstrongswan_medcli_la_OBJECTS)
-libstrongswan_medcli_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_medcli_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_medcli_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_medcli_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_medcli_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_medcli_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_medcli_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_medcli_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-medcli.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-medcli.la
 libstrongswan_medcli_la_SOURCES = \
@@ -341,7 +407,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -349,6 +414,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -370,8 +437,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) 
-	$(libstrongswan_medcli_la_LINK) $(am_libstrongswan_medcli_la_rpath) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
+libstrongswan-medcli.la: $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_DEPENDENCIES) $(EXTRA_libstrongswan_medcli_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_medcli_la_LINK) $(am_libstrongswan_medcli_la_rpath) $(libstrongswan_medcli_la_OBJECTS) $(libstrongswan_medcli_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -385,25 +452,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medcli_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -510,10 +577,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index ee3e95422..2bff70307 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -61,28 +61,12 @@ static traffic_selector_t *ts_from_string(char *str)
 {
 	if (str)
 	{
-		int netbits = 32;
-		host_t *net;
-		char *pos;
+		traffic_selector_t *ts;
 
-		str = strdupa(str);
-		pos = strchr(str, '/');
-		if (pos)
+		ts = traffic_selector_create_from_cidr(str, 0, 0, 65535);
+		if (ts)
 		{
-			*pos++ = '\0';
-			netbits = atoi(pos);
-		}
-		else
-		{
-			if (strchr(str, ':'))
-			{
-				netbits = 128;
-			}
-		}
-		net = host_create_from_string(str, 0);
-		if (net)
-		{
-			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+			return ts;
 		}
 	}
 	return traffic_selector_create_dynamic(0, 0, 65535);
@@ -118,16 +102,18 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		DESTROY_IF(e);
 		return NULL;
 	}
-	ike_cfg = ike_cfg_create(FALSE, FALSE,
-						"0.0.0.0", IKEV2_UDP_PORT, address, IKEV2_UDP_PORT);
+	ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+							 "0.0.0.0", FALSE,
+							 charon->socket->get_port(charon->socket, FALSE),
+							 address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	med_cfg = peer_cfg_create(
-		"mediation", 2, ike_cfg,
+		"mediation", ike_cfg,
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
 		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3,	/* jitter, overtime */
-		TRUE, this->dpd,				/* mobike, dpddelay */
-		NULL, NULL,						/* vip, pool */
+		TRUE, FALSE,					/* mobike, aggressive */
+		this->dpd, 0,					/* DPD delay, timeout */
 		TRUE, NULL, NULL);				/* mediation, med by, peer id */
 	e->destroy(e);
 
@@ -159,12 +145,12 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		return NULL;
 	}
 	peer_cfg = peer_cfg_create(
-		name, 2, this->ike->get_ref(this->ike),
+		name, this->ike->get_ref(this->ike),
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
 		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 		this->rekey*5, this->rekey*3,	/* jitter, overtime */
-		TRUE, this->dpd,				/* mobike, dpddelay */
-		NULL, NULL,						/* vip, pool */
+		TRUE, FALSE,					/* mobike, aggressive */
+		this->dpd, 0,					/* DPD delay, timeout */
 		FALSE, med_cfg,					/* mediation, med by */
 		identification_create_from_encoding(ID_KEY_ID, other));
 
@@ -234,12 +220,12 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 		return FALSE;
 	}
 	this->current = peer_cfg_create(
-				name, 2, this->ike->get_ref(this->ike),
+				name, this->ike->get_ref(this->ike),
 				CERT_NEVER_SEND, UNIQUE_REPLACE,
 				1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3,	/* jitter, overtime */
-				TRUE, this->dpd,				/* mobike, dpddelay */
-				NULL, NULL,						/* vip, pool */
+				TRUE, FALSE,					/* mobike, aggressive */
+				this->dpd, 0,					/* DPD delay, timeout */
 				FALSE, NULL, NULL);				/* mediation, med by, peer id */
 
 	auth = auth_cfg_create();
@@ -391,8 +377,11 @@ medcli_config_t *medcli_config_create(database_t *db)
 		.db = db,
 		.rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200),
 		.dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300),
-		.ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
-							  "0.0.0.0", IKEV2_UDP_PORT),
+		.ike = ike_cfg_create(IKEV2, FALSE, FALSE,
+							  "0.0.0.0", FALSE,
+							  charon->socket->get_port(charon->socket, FALSE),
+							  "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+							  FRAGMENTATION_NO, 0),
 	);
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 
@@ -400,4 +389,3 @@ medcli_config_t *medcli_config_create(database_t *db)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/medcli/medcli_creds.c b/src/libcharon/plugins/medcli/medcli_creds.c
index 9c4a0b756..677229b9f 100644
--- a/src/libcharon/plugins/medcli/medcli_creds.c
+++ b/src/libcharon/plugins/medcli/medcli_creds.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct private_medcli_creds_t private_medcli_creds_t;
 
diff --git a/src/libcharon/plugins/medcli/medcli_plugin.c b/src/libcharon/plugins/medcli/medcli_plugin.c
index 469915476..e6a8a8981 100644
--- a/src/libcharon/plugins/medcli/medcli_plugin.c
+++ b/src/libcharon/plugins/medcli/medcli_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -60,16 +61,67 @@ METHOD(plugin_t, get_name, char*,
 	return "medcli";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_medcli_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings,
+									 "medcli.database", NULL);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "mediation client database URI not defined, skipped");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (this->db == NULL)
+		{
+			DBG1(DBG_CFG, "opening mediation client database failed");
+			return FALSE;
+		}
+
+		this->creds = medcli_creds_create(this->db);
+		this->config = medcli_config_create(this->db);
+		this->listener = medcli_listener_create(this->db);
+
+		lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+		charon->backends->remove_backend(charon->backends, &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+		this->listener->destroy(this->listener);
+		this->config->destroy(this->config);
+		this->creds->destroy(this->creds);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_medcli_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "medcli"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_medcli_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	this->listener->destroy(this->listener);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -78,44 +130,17 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *medcli_plugin_create()
 {
-	char *uri;
 	private_medcli_plugin_t *this;
 
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	uri = lib->settings->get_str(lib->settings,
-								 "medcli.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "mediation client database URI not defined, skipped");
-		free(this);
-		return NULL;
-	}
-
-	this->db = lib->db->create(lib->db, uri);
-	if (this->db == NULL)
-	{
-		DBG1(DBG_CFG, "opening mediation client database failed");
-		free(this);
-		return NULL;
-	}
-
-	this->creds = medcli_creds_create(this->db);
-	this->config = medcli_config_create(this->db);
-	this->listener = medcli_listener_create(this->db);
-
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/medsrv/Makefile.am b/src/libcharon/plugins/medsrv/Makefile.am
index 7f5c8e2b3..ec305da21 100644
--- a/src/libcharon/plugins/medsrv/Makefile.am
+++ b/src/libcharon/plugins/medsrv/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-medsrv.la
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 91df95cf0..3582acbcc 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_medsrv_la_LIBADD =
@@ -79,48 +103,77 @@ am_libstrongswan_medsrv_la_OBJECTS = medsrv_plugin.lo medsrv_creds.lo \
 	medsrv_config.lo
 libstrongswan_medsrv_la_OBJECTS =  \
 	$(am_libstrongswan_medsrv_la_OBJECTS)
-libstrongswan_medsrv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_medsrv_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_medsrv_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_medsrv_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_medsrv_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_medsrv_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_medsrv_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_medsrv_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-medsrv.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-medsrv.la
 libstrongswan_medsrv_la_SOURCES = \
@@ -340,7 +406,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +413,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -369,8 +436,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) 
-	$(libstrongswan_medsrv_la_LINK) $(am_libstrongswan_medsrv_la_rpath) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
+libstrongswan-medsrv.la: $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_DEPENDENCIES) $(EXTRA_libstrongswan_medsrv_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_medsrv_la_LINK) $(am_libstrongswan_medsrv_la_rpath) $(libstrongswan_medsrv_la_OBJECTS) $(libstrongswan_medsrv_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -383,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/medsrv_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -508,10 +575,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c
index 6cacb34f6..06339220a 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.c
+++ b/src/libcharon/plugins/medsrv/medsrv_config.c
@@ -88,12 +88,12 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
 		if (e->enumerate(e, &name))
 		{
 			peer_cfg = peer_cfg_create(
-				name, 2, this->ike->get_ref(this->ike),
+				name, this->ike->get_ref(this->ike),
 				CERT_NEVER_SEND, UNIQUE_REPLACE,
 				1, this->rekey*60, 0,			/* keytries, rekey, reauth */
 				this->rekey*5, this->rekey*3,	/* jitter, overtime */
-				TRUE, this->dpd,				/* mobike, dpddelay */
-				NULL, NULL,						/* vip, pool */
+				TRUE, FALSE,					/* mobike, aggressiv */
+				this->dpd, 0,					/* DPD delay, timeout */
 				TRUE, NULL, NULL);				/* mediation, med by, peer id */
 			e->destroy(e);
 
@@ -139,11 +139,13 @@ medsrv_config_t *medsrv_config_create(database_t *db)
 		.db = db,
 		.rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200),
 		.dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300),
-		.ike = ike_cfg_create(FALSE, FALSE,
-						"0.0.0.0", IKEV2_UDP_PORT, "0.0.0.0", IKEV2_UDP_PORT),
+		.ike = ike_cfg_create(IKEV2, FALSE, FALSE,
+							  "0.0.0.0", FALSE,
+							  charon->socket->get_port(charon->socket, FALSE),
+							  "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+							  FRAGMENTATION_NO, 0),
 	);
 	this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.h b/src/libcharon/plugins/medsrv/medsrv_config.h
index fc8b0e972..03a41a7ce 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.h
+++ b/src/libcharon/plugins/medsrv/medsrv_config.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup medsrv_config_i medsrv_config
- * @{ @ingroup medsrv
+ * @{ @ingroup medsrv_p
  */
 
 #ifndef MEDSRV_CONFIG_H_
diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.c b/src/libcharon/plugins/medsrv/medsrv_creds.c
index 3ae80f64c..0d99c4f77 100644
--- a/src/libcharon/plugins/medsrv/medsrv_creds.c
+++ b/src/libcharon/plugins/medsrv/medsrv_creds.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct private_medsrv_creds_t private_medsrv_creds_t;
 
diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.h b/src/libcharon/plugins/medsrv/medsrv_creds.h
index d08adf3bf..2079601af 100644
--- a/src/libcharon/plugins/medsrv/medsrv_creds.h
+++ b/src/libcharon/plugins/medsrv/medsrv_creds.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup medsrv_creds_i medsrv_creds
- * @{ @ingroup medsrv
+ * @{ @ingroup medsrv_p
  */
 
 #ifndef MEDSRV_CREDS_H_
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.c b/src/libcharon/plugins/medsrv/medsrv_plugin.c
index 5df46d04f..fcc8502f8 100644
--- a/src/libcharon/plugins/medsrv/medsrv_plugin.c
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -54,14 +55,63 @@ METHOD(plugin_t, get_name, char*,
 	return "medsrv";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_medsrv_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings,
+									 "medsrv.database", NULL);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "mediation database URI not defined, skipped");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (this->db == NULL)
+		{
+			DBG1(DBG_CFG, "opening mediation server database failed");
+			return FALSE;
+		}
+
+		this->creds = medsrv_creds_create(this->db);
+		this->config = medsrv_config_create(this->db);
+
+		lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+	}
+	else
+	{
+		charon->backends->remove_backend(charon->backends, &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+		this->config->destroy(this->config);
+		this->creds->destroy(this->creds);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_medsrv_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "medsrv"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_medsrv_plugin_t *this)
 {
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	this->config->destroy(this->config);
-	this->creds->destroy(this->creds);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -70,42 +120,17 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *medsrv_plugin_create()
 {
-	char *uri;
 	private_medsrv_plugin_t *this;
 
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	uri = lib->settings->get_str(lib->settings,
-								 "medsrv.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "mediation database URI not defined, skipped");
-		free(this);
-		return NULL;
-	}
-
-	this->db = lib->db->create(lib->db, uri);
-	if (this->db == NULL)
-	{
-		DBG1(DBG_CFG, "opening mediation server database failed");
-		free(this);
-		return NULL;
-	}
-
-	this->creds = medsrv_creds_create(this->db);
-	this->config = medsrv_config_create(this->db);
-
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.h b/src/libcharon/plugins/medsrv/medsrv_plugin.h
index 8736822ee..179fa3b3a 100644
--- a/src/libcharon/plugins/medsrv/medsrv_plugin.h
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.h
@@ -14,11 +14,11 @@
  */
 
 /**
- * @defgroup medsrv medsrv
+ * @defgroup medsrv_p medsrv
  * @ingroup cplugins
  *
  * @defgroup medsrv_plugin medsrv_plugin
- * @{ @ingroup medsrv
+ * @{ @ingroup medsrv_p
  */
 
 #ifndef MEDSRV_PLUGIN_H_
diff --git a/src/libcharon/plugins/nm/Makefile.am b/src/libcharon/plugins/nm/Makefile.am
deleted file mode 100644
index 8e12a72be..000000000
--- a/src/libcharon/plugins/nm/Makefile.am
+++ /dev/null
@@ -1,21 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${nm_CFLAGS}
-
-AM_CFLAGS = -rdynamic \
-  -DNM_CA_DIR=\"${nm_ca_dir}\"
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-nm.la
-else
-plugin_LTLIBRARIES = libstrongswan-nm.la
-endif
-
-libstrongswan_nm_la_SOURCES = \
-	nm_plugin.h nm_plugin.c \
-	nm_service.h nm_service.c \
-	nm_creds.h nm_creds.c \
-	nm_handler.h nm_handler.c
-
-libstrongswan_nm_la_LDFLAGS = -module -avoid-version
-libstrongswan_nm_la_LIBADD  = ${nm_LIBS}
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
deleted file mode 100644
index d9ad2388e..000000000
--- a/src/libcharon/plugins/nm/Makefile.in
+++ /dev/null
@@ -1,621 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/nm
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libstrongswan_nm_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
-am_libstrongswan_nm_la_OBJECTS = nm_plugin.lo nm_service.lo \
-	nm_creds.lo nm_handler.lo
-libstrongswan_nm_la_OBJECTS = $(am_libstrongswan_nm_la_OBJECTS)
-libstrongswan_nm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_nm_la_LDFLAGS) $(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_nm_la_rpath = -rpath $(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_nm_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_nm_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_nm_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${nm_CFLAGS}
-
-AM_CFLAGS = -rdynamic \
-  -DNM_CA_DIR=\"${nm_ca_dir}\"
-
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-nm.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-nm.la
-libstrongswan_nm_la_SOURCES = \
-	nm_plugin.h nm_plugin.c \
-	nm_service.h nm_service.c \
-	nm_creds.h nm_creds.c \
-	nm_handler.h nm_handler.c
-
-libstrongswan_nm_la_LDFLAGS = -module -avoid-version
-libstrongswan_nm_la_LIBADD = ${nm_LIBS}
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/nm/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/nm/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-nm.la: $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_DEPENDENCIES) 
-	$(libstrongswan_nm_la_LINK) $(am_libstrongswan_nm_la_rpath) $(libstrongswan_nm_la_OBJECTS) $(libstrongswan_nm_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_handler.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c
deleted file mode 100644
index 84b7c810a..000000000
--- a/src/libcharon/plugins/nm/nm_plugin.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "nm_plugin.h"
-#include "nm_service.h"
-#include "nm_creds.h"
-#include "nm_handler.h"
-
-#include <hydra.h>
-#include <daemon.h>
-#include <processing/jobs/callback_job.h>
-
-#define CAP_DAC_OVERRIDE 1
-
-typedef struct private_nm_plugin_t private_nm_plugin_t;
-
-/**
- * private data of nm plugin
- */
-struct private_nm_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	nm_plugin_t public;
-
-	/**
-	 * NetworkManager service (VPNPlugin)
-	 */
-	NMStrongswanPlugin *plugin;
-
-	/**
-	 * Glib main loop for a thread, handles DBUS calls
-	 */
-	GMainLoop *loop;
-
-	/**
-	 * credential set registered at the daemon
-	 */
-	nm_creds_t *creds;
-
-	/**
-	 * attribute handler regeisterd at the daemon
-	 */
-	nm_handler_t *handler;
-};
-
-/**
- * NM plugin processing routine, creates and handles NMVPNPlugin
- */
-static job_requeue_t run(private_nm_plugin_t *this)
-{
-	this->loop = g_main_loop_new(NULL, FALSE);
-	g_main_loop_run(this->loop);
-	return JOB_REQUEUE_NONE;
-}
-
-METHOD(plugin_t, get_name, char*,
-	private_nm_plugin_t *this)
-{
-	return "nm";
-}
-
-METHOD(plugin_t, destroy, void,
-	private_nm_plugin_t *this)
-{
-	if (this->loop)
-	{
-		if (g_main_loop_is_running(this->loop))
-		{
-			g_main_loop_quit(this->loop);
-		}
-		g_main_loop_unref(this->loop);
-	}
-	if (this->plugin)
-	{
-		g_object_unref(this->plugin);
-	}
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
-	this->creds->destroy(this->creds);
-	this->handler->destroy(this->handler);
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *nm_plugin_create()
-{
-	private_nm_plugin_t *this;
-
-	g_type_init ();
-	if (!g_thread_supported())
-	{
-		g_thread_init(NULL);
-	}
-
-	INIT(this,
-		.public = {
-			.plugin = {
-				.get_name = _get_name,
-				.reload = (void*)return_false,
-				.destroy = _destroy,
-			},
-		},
-		.creds = nm_creds_create(),
-		.handler = nm_handler_create(),
-	);
-	this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
-
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-	if (!this->plugin)
-	{
-		DBG1(DBG_CFG, "DBUS binding failed");
-		destroy(this);
-		return NULL;
-	}
-
-	/* bypass file permissions to read from users ssh-agent */
-	charon->keep_cap(charon, CAP_DAC_OVERRIDE);
-
-	lib->processor->queue_job(lib->processor,
-				(job_t*)callback_job_create_with_prio((callback_job_cb_t)run,
-										this, NULL, NULL, JOB_PRIO_CRITICAL));
-
-	return &this->public.plugin;
-}
-
diff --git a/src/libcharon/plugins/nm/nm_plugin.h b/src/libcharon/plugins/nm/nm_plugin.h
deleted file mode 100644
index b64b3edf6..000000000
--- a/src/libcharon/plugins/nm/nm_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup nm nm
- * @ingroup cplugins
- *
- * @defgroup nm_plugin nm_plugin
- * @{ @ingroup nm
- */
-
-#ifndef NM_PLUGIN_H_
-#define NM_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct nm_plugin_t nm_plugin_t;
-
-/**
- * NetworkManager integration plugin.
- */
-struct nm_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** NM_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/osx_attr/Makefile.am b/src/libcharon/plugins/osx_attr/Makefile.am
new file mode 100644
index 000000000..f1ff22e60
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/Makefile.am
@@ -0,0 +1,20 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-osx-attr.la
+else
+plugin_LTLIBRARIES = libstrongswan-osx-attr.la
+endif
+
+libstrongswan_osx_attr_la_SOURCES = \
+	osx_attr_plugin.c osx_attr_plugin.h \
+	osx_attr_handler.c osx_attr_handler.h
+
+libstrongswan_osx_attr_la_LDFLAGS = -module -avoid-version \
+	-framework SystemConfiguration -framework CoreFoundation
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
new file mode 100644
index 000000000..2e21111c7
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -0,0 +1,689 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/osx_attr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_osx_attr_la_LIBADD =
+am_libstrongswan_osx_attr_la_OBJECTS = osx_attr_plugin.lo \
+	osx_attr_handler.lo
+libstrongswan_osx_attr_la_OBJECTS =  \
+	$(am_libstrongswan_osx_attr_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_osx_attr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_osx_attr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_osx_attr_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_osx_attr_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_osx_attr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_osx_attr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-osx-attr.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-osx-attr.la
+libstrongswan_osx_attr_la_SOURCES = \
+	osx_attr_plugin.c osx_attr_plugin.h \
+	osx_attr_handler.c osx_attr_handler.h
+
+libstrongswan_osx_attr_la_LDFLAGS = -module -avoid-version \
+	-framework SystemConfiguration -framework CoreFoundation
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/osx_attr/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/osx_attr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-osx-attr.la: $(libstrongswan_osx_attr_la_OBJECTS) $(libstrongswan_osx_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_osx_attr_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_osx_attr_la_LINK) $(am_libstrongswan_osx_attr_la_rpath) $(libstrongswan_osx_attr_la_OBJECTS) $(libstrongswan_osx_attr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/osx_attr_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/osx_attr_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
new file mode 100644
index 000000000..9a3b2701d
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
@@ -0,0 +1,246 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "osx_attr_handler.h"
+
+#include <networking/host.h>
+#include <utils/debug.h>
+
+#include <SystemConfiguration/SCDynamicStore.h>
+
+typedef struct private_osx_attr_handler_t private_osx_attr_handler_t;
+
+/**
+ * Private data of an osx_attr_handler_t object.
+ */
+struct private_osx_attr_handler_t {
+
+	/**
+	 * Public interface
+	 */
+	osx_attr_handler_t public;
+};
+
+/**
+ * Create a path to the DNS configuration of the Primary IPv4 Service
+ */
+static CFStringRef create_dns_path(SCDynamicStoreRef store)
+{
+	CFStringRef service, path = NULL;
+	CFDictionaryRef dict;
+
+	/* get primary service */
+	dict = SCDynamicStoreCopyValue(store, CFSTR("State:/Network/Global/IPv4"));
+	if (dict)
+	{
+		service = CFDictionaryGetValue(dict, CFSTR("PrimaryService"));
+		if (service)
+		{
+			path = CFStringCreateWithFormat(NULL, NULL,
+								CFSTR("State:/Network/Service/%@/DNS"), service);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "SystemConfiguration PrimaryService not known");
+		}
+		CFRelease(dict);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "getting global IPv4 SystemConfiguration failed");
+	}
+	return path;
+}
+
+/**
+ * Create a mutable dictionary from path, a new one if not found
+ */
+static CFMutableDictionaryRef get_dictionary(SCDynamicStoreRef store,
+											 CFStringRef path)
+{
+	CFDictionaryRef dict;
+	CFMutableDictionaryRef mut = NULL;
+
+	dict = SCDynamicStoreCopyValue(store, path);
+	if (dict)
+	{
+		if (CFGetTypeID(dict) == CFDictionaryGetTypeID())
+		{
+			mut = CFDictionaryCreateMutableCopy(NULL, 0, dict);
+		}
+		CFRelease(dict);
+	}
+	if (!mut)
+	{
+		mut = CFDictionaryCreateMutable(NULL, 0,
+										&kCFTypeDictionaryKeyCallBacks,
+										&kCFTypeDictionaryValueCallBacks);
+	}
+	return mut;
+}
+
+/**
+ * Create a mutable array from dictionary path, a new one if not found
+ */
+static CFMutableArrayRef get_array_from_dict(CFDictionaryRef dict,
+											 CFStringRef name)
+{
+	CFArrayRef arr;
+
+	arr = CFDictionaryGetValue(dict, name);
+	if (arr && CFGetTypeID(arr) == CFArrayGetTypeID())
+	{
+		return CFArrayCreateMutableCopy(NULL, 0, arr);
+	}
+	return CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+}
+
+/**
+ * Add/Remove a DNS server to the configuration
+ */
+static bool manage_dns(int family, chunk_t data, bool add)
+{
+	SCDynamicStoreRef store;
+	CFStringRef path, dns;
+	CFMutableArrayRef arr;
+	CFMutableDictionaryRef dict;
+	CFIndex i;
+	host_t *server;
+	char buf[64];
+	bool success = FALSE;
+
+	server = host_create_from_chunk(family, data, 0);
+	if (!server)
+	{
+		return FALSE;
+	}
+	snprintf(buf, sizeof(buf), "%H", server);
+	server->destroy(server);
+
+	store = SCDynamicStoreCreate(NULL, CFSTR("osx-attr"), NULL, NULL);
+	path = create_dns_path(store);
+	if (path)
+	{
+		dict = get_dictionary(store, path);
+		arr = get_array_from_dict(dict, CFSTR("ServerAddresses"));
+		dns = CFStringCreateWithCString(NULL, buf, kCFStringEncodingUTF8);
+		if (add)
+		{
+			DBG1(DBG_CFG, "installing %s as DNS server", buf);
+			CFArrayInsertValueAtIndex(arr, 0, dns);
+		}
+		else
+		{
+			i = CFArrayGetFirstIndexOfValue(arr,
+									CFRangeMake(0, CFArrayGetCount(arr)), dns);
+			if (i >= 0)
+			{
+				DBG1(DBG_CFG, "removing %s from DNS servers (%d)", buf, i);
+				CFArrayRemoveValueAtIndex(arr, i);
+			}
+		}
+		CFRelease(dns);
+		CFDictionarySetValue(dict, CFSTR("ServerAddresses"), arr);
+		CFRelease(arr);
+
+		success = SCDynamicStoreSetValue(store, path, dict);
+		CFRelease(dict);
+		CFRelease(path);
+	}
+	CFRelease(store);
+
+	if (!success)
+	{
+		DBG1(DBG_CFG, "adding DNS server to SystemConfiguration failed");
+	}
+	return success;
+}
+
+METHOD(attribute_handler_t, handle, bool,
+	private_osx_attr_handler_t *this, identification_t *id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			return manage_dns(AF_INET, data, TRUE);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_osx_attr_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			manage_dns(AF_INET, data, FALSE);
+			break;
+		default:
+			break;
+	}
+}
+
+METHOD(enumerator_t, enumerate_dns, bool,
+	enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
+{
+	*type = INTERNAL_IP4_DNS;
+	*data = chunk_empty;
+	/* stop enumeration */
+	this->enumerate = (void*)return_false;
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	private_osx_attr_handler_t *this, identification_t *id,
+	linked_list_t *vips)
+{
+	enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.enumerate = (void*)_enumerate_dns,
+		.destroy = (void*)free,
+	);
+	return enumerator;
+}
+
+METHOD(osx_attr_handler_t, destroy, void,
+	private_osx_attr_handler_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+osx_attr_handler_t *osx_attr_handler_create()
+{
+	private_osx_attr_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.h b/src/libcharon/plugins/osx_attr/osx_attr_handler.h
new file mode 100644
index 000000000..c1f979bcd
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup osx_attr_handler osx_attr_handler
+ * @{ @ingroup osx_attr
+ */
+
+#ifndef OSX_ATTR_HANDLER_H_
+#define OSX_ATTR_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct osx_attr_handler_t osx_attr_handler_t;
+
+/**
+ * OS X specific attribute handler, using SystemConfiguration framework.
+ */
+struct osx_attr_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a osx_attr_handler_t.
+	 */
+	void (*destroy)(osx_attr_handler_t *this);
+};
+
+/**
+ * Create an osx_attr_handler_t instance.
+ */
+osx_attr_handler_t *osx_attr_handler_create();
+
+#endif /** OSX_ATTR_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
new file mode 100644
index 000000000..380483c23
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "osx_attr_plugin.h"
+#include "osx_attr_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+
+typedef struct private_osx_attr_plugin_t private_osx_attr_plugin_t;
+
+/**
+ * Private data of an osx_attr_plugin_t object.
+ */
+struct private_osx_attr_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	osx_attr_plugin_t public;
+
+	/**
+	 * Android specific DNS handler
+	 */
+	osx_attr_handler_t *handler;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_osx_attr_plugin_t *this)
+{
+	return "osx-attr";
+}
+
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_osx_attr_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+	}
+	else
+	{
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_osx_attr_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "osx-attr"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_osx_attr_plugin_t *this)
+{
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *osx_attr_plugin_create()
+{
+	private_osx_attr_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.handler = osx_attr_handler_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_plugin.h b/src/libcharon/plugins/osx_attr/osx_attr_plugin.h
new file mode 100644
index 000000000..761379386
--- /dev/null
+++ b/src/libcharon/plugins/osx_attr/osx_attr_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup osx_attr osx_attr
+ * @ingroup cplugins
+ *
+ * @defgroup osx_attr_plugin osx_attr_plugin
+ * @{ @ingroup osx_attr
+ */
+
+#ifndef OSX_ATTR_PLUGIN_H_
+#define OSX_ATTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct osx_attr_plugin_t osx_attr_plugin_t;
+
+/**
+ * Plugin providing an OS X specific configuration attribute handler.
+ */
+struct osx_attr_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** OSX_ATTR_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/radattr/Makefile.am b/src/libcharon/plugins/radattr/Makefile.am
index 0ea8df5d1..a0b0584d6 100644
--- a/src/libcharon/plugins/radattr/Makefile.am
+++ b/src/libcharon/plugins/radattr/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-radattr.la
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index ecea0df16..36052f025 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_radattr_la_DEPENDENCIES =  \
@@ -80,48 +104,77 @@ am_libstrongswan_radattr_la_OBJECTS = radattr_plugin.lo \
 	radattr_listener.lo
 libstrongswan_radattr_la_OBJECTS =  \
 	$(am_libstrongswan_radattr_la_OBJECTS)
-libstrongswan_radattr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_radattr_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_radattr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_radattr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_radattr_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_radattr_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_radattr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_radattr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libradius
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-radattr.la
 @MONOLITHIC_FALSE@libstrongswan_radattr_la_LIBADD = $(top_builddir)/src/libradius/libradius.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-radattr.la
@@ -340,7 +407,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +414,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -369,8 +437,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-radattr.la: $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_DEPENDENCIES) 
-	$(libstrongswan_radattr_la_LINK) $(am_libstrongswan_radattr_la_rpath) $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_LIBADD) $(LIBS)
+libstrongswan-radattr.la: $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_DEPENDENCIES) $(EXTRA_libstrongswan_radattr_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_radattr_la_LINK) $(am_libstrongswan_radattr_la_rpath) $(libstrongswan_radattr_la_OBJECTS) $(libstrongswan_radattr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radattr_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +575,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/radattr/radattr_listener.c b/src/libcharon/plugins/radattr/radattr_listener.c
index 94b718a1b..5443800e5 100644
--- a/src/libcharon/plugins/radattr/radattr_listener.c
+++ b/src/libcharon/plugins/radattr/radattr_listener.c
@@ -172,9 +172,9 @@ static void add_radius_attribute(private_radattr_listener_t *this,
 
 METHOD(listener_t, message, bool,
 	private_radattr_listener_t *this,
-	ike_sa_t *ike_sa, message_t *message, bool incoming)
+	ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain)
 {
-	if (ike_sa->supports_extension(ike_sa, EXT_STRONGSWAN) &&
+	if (plain && ike_sa->supports_extension(ike_sa, EXT_STRONGSWAN) &&
 		message->get_exchange_type(message) == IKE_AUTH &&
 		message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
 	{
@@ -212,9 +212,9 @@ radattr_listener_t *radattr_listener_create()
 			.destroy = _destroy,
 		},
 		.dir = lib->settings->get_str(lib->settings,
-									  "charon.plugins.radattr.dir", NULL),
+							"%s.plugins.radattr.dir", NULL, charon->name),
 		.mid = lib->settings->get_int(lib->settings,
-									  "charon.plugins.radattr.message_id", -1),
+							"%s.plugins.radattr.message_id", -1, charon->name),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/radattr/radattr_plugin.c b/src/libcharon/plugins/radattr/radattr_plugin.c
index 85ea326ac..0400449ab 100644
--- a/src/libcharon/plugins/radattr/radattr_plugin.c
+++ b/src/libcharon/plugins/radattr/radattr_plugin.c
@@ -43,10 +43,37 @@ METHOD(plugin_t, get_name, char*,
 	return "radattr";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_radattr_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_radattr_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "radattr"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_radattr_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	free(this);
 }
@@ -62,14 +89,12 @@ plugin_t *radattr_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = radattr_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/smp/Makefile.am b/src/libcharon/plugins/smp/Makefile.am
index f17235835..67b4b2a6d 100644
--- a/src/libcharon/plugins/smp/Makefile.am
+++ b/src/libcharon/plugins/smp/Makefile.am
@@ -1,8 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${xml_CFLAGS}
-
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-smp.la
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 59a560b86..84848db54 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_smp_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_smp_la_OBJECTS = smp.lo
 libstrongswan_smp_la_OBJECTS = $(am_libstrongswan_smp_la_OBJECTS)
-libstrongswan_smp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_smp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_smp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_smp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_smp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_smp_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_smp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_smp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,10 +343,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${xml_CFLAGS}
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-smp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-smp.la
 libstrongswan_smp_la_SOURCES = \
@@ -337,7 +405,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -345,6 +412,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -366,8 +435,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) 
-	$(libstrongswan_smp_la_LINK) $(am_libstrongswan_smp_la_rpath) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
+libstrongswan-smp.la: $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_DEPENDENCIES) $(EXTRA_libstrongswan_smp_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_smp_la_LINK) $(am_libstrongswan_smp_la_rpath) $(libstrongswan_smp_la_OBJECTS) $(libstrongswan_smp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -378,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smp.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -503,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 2b830012d..a92e571de 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -49,11 +49,6 @@ struct private_smp_t {
 	 * XML unix socket fd
 	 */
 	int socket;
-
-	/**
-	 * job accepting stroke messages
-	 */
-	callback_job_t *job;
 };
 
 ENUM(ike_sa_state_lower_names, IKE_CREATED, IKE_DELETING,
@@ -168,10 +163,12 @@ static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool loca
 {
 	linked_list_t *list;
 
-	xmlTextWriterWriteFormatElement(writer, "spi", "%lx",
+	xmlTextWriterWriteFormatElement(writer, "spi", "%x",
 									htonl(child->get_spi(child, local)));
-	list = child->get_traffic_selectors(child, local);
+	list = linked_list_create_from_enumerator(
+									child->create_ts_enumerator(child, local));
 	write_networks(writer, "networks", list);
+	list->destroy(list);
 }
 
 /**
@@ -294,7 +291,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 	xmlTextWriterStartElement(writer, "configlist");
 
 	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-														NULL, NULL, NULL, NULL);
+											NULL, NULL, NULL, NULL, IKE_ANY);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
 	{
 		enumerator_t *children;
@@ -302,11 +299,6 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 		ike_cfg_t *ike_cfg;
 		linked_list_t *list;
 
-		if (peer_cfg->get_ike_version(peer_cfg) != 2)
-		{	/* only IKEv2 connections yet */
-			continue;
-		}
-
 		/* <peerconfig> */
 		xmlTextWriterStartElement(writer, "peerconfig");
 		xmlTextWriterWriteElement(writer, "name", peer_cfg->get_name(peer_cfg));
@@ -316,8 +308,10 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 		/* <ikeconfig> */
 		ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
 		xmlTextWriterStartElement(writer, "ikeconfig");
-		xmlTextWriterWriteElement(writer, "local", ike_cfg->get_my_addr(ike_cfg));
-		xmlTextWriterWriteElement(writer, "remote", ike_cfg->get_other_addr(ike_cfg));
+		xmlTextWriterWriteElement(writer, "local",
+								  ike_cfg->get_my_addr(ike_cfg, NULL));
+		xmlTextWriterWriteElement(writer, "remote",
+								  ike_cfg->get_other_addr(ike_cfg, NULL));
 		xmlTextWriterEndElement(writer);
 		/* </ikeconfig> */
 
@@ -354,7 +348,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
  * callback which logs to a XML writer
  */
 static bool xml_callback(xmlTextWriterPtr writer, debug_t group, level_t level,
-						 ike_sa_t* ike_sa, char* format, va_list args)
+						 ike_sa_t* ike_sa, char* message)
 {
 	if (level <= 1)
 	{
@@ -363,7 +357,7 @@ static bool xml_callback(xmlTextWriterPtr writer, debug_t group, level_t level,
 		xmlTextWriterWriteFormatAttribute(writer, "level", "%d", level);
 		xmlTextWriterWriteFormatAttribute(writer, "source", "%N", debug_names, group);
 		xmlTextWriterWriteFormatAttribute(writer, "thread", "%u", thread_current_id());
-		xmlTextWriterWriteVFormatString(writer, format, args);
+		xmlTextWriterWriteString(writer, message);
 		xmlTextWriterEndElement(writer);
 		/* </item> */
 	}
@@ -707,7 +701,8 @@ static job_requeue_t dispatch(private_smp_t *this)
 
 	fdp = malloc_thing(int);
 	*fdp = fd;
-	job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
+	job = callback_job_create((callback_job_cb_t)process, fdp, free,
+							  (callback_job_cancel_t)return_false);
 	lib->processor->queue_job(lib->processor, (job_t*)job);
 
 	return JOB_REQUEUE_DIRECT;
@@ -719,10 +714,20 @@ METHOD(plugin_t, get_name, char*,
 	return "smp";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_smp_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "smp"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_smp_t *this)
 {
-	this->job->cancel(this->job);
 	close(this->socket);
 	free(this);
 }
@@ -736,11 +741,17 @@ plugin_t *smp_plugin_create()
 	private_smp_t *this;
 	mode_t old;
 
+	if (!lib->caps->check(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket */
+		DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -765,7 +776,8 @@ plugin_t *smp_plugin_create()
 		return NULL;
 	}
 	umask(old);
-	if (chown(unix_addr.sun_path, charon->uid, charon->gid) != 0)
+	if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
 	}
@@ -778,10 +790,9 @@ plugin_t *smp_plugin_create()
 		return NULL;
 	}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)dispatch,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/socket_default/Makefile.am b/src/libcharon/plugins/socket_default/Makefile.am
index 635a1c548..d734b313f 100644
--- a/src/libcharon/plugins/socket_default/Makefile.am
+++ b/src/libcharon/plugins/socket_default/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-socket-default.la
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 9c4e5e7b4..2e0140298 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_socket_default_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_socket_default_la_OBJECTS = socket_default_socket.lo \
 	socket_default_plugin.lo
 libstrongswan_socket_default_la_OBJECTS =  \
 	$(am_libstrongswan_socket_default_la_OBJECTS)
-libstrongswan_socket_default_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_socket_default_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_socket_default_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_socket_default_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_socket_default_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_socket_default_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_socket_default_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-default.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-default.la
 libstrongswan_socket_default_la_SOURCES = \
@@ -340,7 +406,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +413,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -369,8 +436,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES) 
-	$(libstrongswan_socket_default_la_LINK) $(am_libstrongswan_socket_default_la_rpath) $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_LIBADD) $(LIBS)
+libstrongswan-socket-default.la: $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_default_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_socket_default_la_LINK) $(am_libstrongswan_socket_default_la_rpath) $(libstrongswan_socket_default_la_OBJECTS) $(libstrongswan_socket_default_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_default_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +574,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c
index 01d9473bf..e89b74279 100644
--- a/src/libcharon/plugins/socket_default/socket_default_plugin.c
+++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c
@@ -52,6 +52,7 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(socket_register, socket_default_socket_create),
 			PLUGIN_PROVIDE(CUSTOM, "socket"),
+				PLUGIN_SDEPEND(CUSTOM, "kernel-ipsec"),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 76ca1df42..4139afe5a 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -22,6 +22,8 @@
 #define _XPG4_2
 #define __EXTENSIONS__
 #endif
+/* make sure to use the proper defs on Mac OS X */
+#define __APPLE_USE_RFC_3542
 
 #include "socket_default_socket.h"
 
@@ -38,9 +40,6 @@
 #include <netinet/ip.h>
 #include <netinet/udp.h>
 #include <net/if.h>
-#ifdef __APPLE__
-#include <sys/sysctl.h>
-#endif
 
 #include <hydra.h>
 #include <daemon.h>
@@ -49,18 +48,6 @@
 /* Maximum size of a packet */
 #define MAX_PACKET 10000
 
-/* length of non-esp marker */
-#define MARKER_LEN sizeof(u_int32_t)
-
-/* from linux/udp.h */
-#ifndef UDP_ENCAP
-#define UDP_ENCAP 100
-#endif /*UDP_ENCAP*/
-
-#ifndef UDP_ENCAP_ESPINUDP
-#define UDP_ENCAP_ESPINUDP 2
-#endif /*UDP_ENCAP_ESPINUDP*/
-
 /* these are not defined on some platforms */
 #ifndef SOL_IP
 #define SOL_IP IPPROTO_IP
@@ -68,8 +55,8 @@
 #ifndef SOL_IPV6
 #define SOL_IPV6 IPPROTO_IPV6
 #endif
-#ifndef SOL_UDP
-#define SOL_UDP IPPROTO_UDP
+#ifndef IPV6_TCLASS
+#define IPV6_TCLASS 67
 #endif
 
 /* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
@@ -99,29 +86,64 @@ struct private_socket_default_socket_t {
 	socket_default_socket_t public;
 
 	/**
-	 * IPv4 socket (500)
+	 * Configured port (or random, if initially 0)
+	 */
+	u_int16_t port;
+
+	/**
+	 * Configured port for NAT-T (or random, if initially 0)
+	 */
+	u_int16_t natt;
+
+	/**
+	 * IPv4 socket (500 or port)
 	 */
 	int ipv4;
 
 	/**
-	 * IPv4 socket for NATT (4500)
+	 * IPv4 socket for NAT-T (4500 or natt)
 	 */
 	int ipv4_natt;
 
 	/**
-	 * IPv6 socket (500)
+	 * IPv6 socket (500 or port)
 	 */
 	int ipv6;
 
 	/**
-	 * IPv6 socket for NATT (4500)
+	 * IPv6 socket for NAT-T (4500 or natt)
 	 */
 	int ipv6_natt;
 
 	/**
+	 * DSCP value set on IPv4 socket
+	 */
+	u_int8_t dscp4;
+
+	/**
+	 * DSCP value set on IPv4 socket for NAT-T (4500 or natt)
+	 */
+	u_int8_t dscp4_natt;
+
+	/**
+	 * DSCP value set on IPv6 socket (500 or port)
+	 */
+	u_int8_t dscp6;
+
+	/**
+	 * DSCP value set on IPv6 socket for NAT-T (4500 or natt)
+	 */
+	u_int8_t dscp6_natt;
+
+	/**
 	 * Maximum packet size to receive
 	 */
 	int max_packet;
+
+	/**
+	 * TRUE if the source address should be set on outbound packets
+	 */
+	bool set_source;
 };
 
 METHOD(socket_t, receiver, status_t,
@@ -131,7 +153,7 @@ METHOD(socket_t, receiver, status_t,
 	chunk_t data;
 	packet_t *pkt;
 	host_t *source = NULL, *dest = NULL;
-	int bytes_read = 0, data_offset;
+	int bytes_read = 0;
 	bool oldstate;
 
 	fd_set rfds;
@@ -140,23 +162,26 @@ METHOD(socket_t, receiver, status_t,
 
 	FD_ZERO(&rfds);
 
-	if (this->ipv4)
+	if (this->ipv4 != -1)
 	{
 		FD_SET(this->ipv4, &rfds);
+		max_fd = max(max_fd, this->ipv4);
 	}
-	if (this->ipv4_natt)
+	if (this->ipv4_natt != -1)
 	{
 		FD_SET(this->ipv4_natt, &rfds);
+		max_fd = max(max_fd, this->ipv4_natt);
 	}
-	if (this->ipv6)
+	if (this->ipv6 != -1)
 	{
 		FD_SET(this->ipv6, &rfds);
+		max_fd = max(max_fd, this->ipv6);
 	}
-	if (this->ipv6_natt)
+	if (this->ipv6_natt != -1)
 	{
 		FD_SET(this->ipv6_natt, &rfds);
+		max_fd = max(max_fd, this->ipv6_natt);
 	}
-	max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
 
 	DBG2(DBG_NET, "waiting for data on sockets");
 	oldstate = thread_cancelability(TRUE);
@@ -167,24 +192,24 @@ METHOD(socket_t, receiver, status_t,
 	}
 	thread_cancelability(oldstate);
 
-	if (FD_ISSET(this->ipv4, &rfds))
+	if (this->ipv4 != -1 && FD_ISSET(this->ipv4, &rfds))
 	{
-		port = IKEV2_UDP_PORT;
+		port = this->port;
 		selected = this->ipv4;
 	}
-	if (FD_ISSET(this->ipv4_natt, &rfds))
+	if (this->ipv4_natt != -1 && FD_ISSET(this->ipv4_natt, &rfds))
 	{
-		port = IKEV2_NATT_PORT;
+		port = this->natt;
 		selected = this->ipv4_natt;
 	}
-	if (FD_ISSET(this->ipv6, &rfds))
+	if (this->ipv6 != -1 && FD_ISSET(this->ipv6, &rfds))
 	{
-		port = IKEV2_UDP_PORT;
+		port = this->port;
 		selected = this->ipv6;
 	}
-	if (FD_ISSET(this->ipv6_natt, &rfds))
+	if (this->ipv6_natt != -1 && FD_ISSET(this->ipv6_natt, &rfds))
 	{
-		port = IKEV2_NATT_PORT;
+		port = this->natt;
 		selected = this->ipv6_natt;
 	}
 	if (selected)
@@ -220,13 +245,6 @@ METHOD(socket_t, receiver, status_t,
 		}
 		DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
 
-		if (bytes_read < MARKER_LEN)
-		{
-			DBG3(DBG_NET, "received packet too short (%d bytes)",
-				 bytes_read);
-			return FAILED;
-		}
-
 		/* read ancillary data to get destination address */
 		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
 			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
@@ -295,17 +313,8 @@ METHOD(socket_t, receiver, status_t,
 		pkt->set_source(pkt, source);
 		pkt->set_destination(pkt, dest);
 		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
-		data_offset = 0;
-		/* remove non esp marker */
-		if (dest->get_port(dest) == IKEV2_NATT_PORT)
-		{
-			data_offset += MARKER_LEN;
-		}
-		/* fill in packet */
-		data.len = bytes_read - data_offset;
-		data.ptr = malloc(data.len);
-		memcpy(data.ptr, buffer + data_offset, data.len);
-		pkt->set_data(pkt, data);
+		data = chunk_create(buffer, bytes_read);
+		pkt->set_data(pkt, chunk_clone(data));
 	}
 	else
 	{
@@ -320,13 +329,14 @@ METHOD(socket_t, receiver, status_t,
 METHOD(socket_t, sender, status_t,
 	private_socket_default_socket_t *this, packet_t *packet)
 {
-	int sport, skt, family;
+	int sport, skt = -1, family;
 	ssize_t bytes_sent;
-	chunk_t data, marked;
+	chunk_t data;
 	host_t *src, *dst;
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
 	struct iovec iov;
+	u_int8_t *dscp;
 
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
@@ -337,44 +347,81 @@ METHOD(socket_t, sender, status_t,
 	/* send data */
 	sport = src->get_port(src);
 	family = dst->get_family(dst);
-	if (sport == IKEV2_UDP_PORT)
+	if (sport == 0 || sport == this->port)
 	{
-		if (family == AF_INET)
+		switch (family)
 		{
-			skt = this->ipv4;
+			case AF_INET:
+				skt = this->ipv4;
+				dscp = &this->dscp4;
+				break;
+			case AF_INET6:
+				skt = this->ipv6;
+				dscp = &this->dscp6;
+				break;
+			default:
+				return FAILED;
 		}
-		else
+	}
+	else if (sport == this->natt)
+	{
+		switch (family)
 		{
-			skt = this->ipv6;
+			case AF_INET:
+				skt = this->ipv4_natt;
+				dscp = &this->dscp4_natt;
+				break;
+			case AF_INET6:
+				skt = this->ipv6_natt;
+				dscp = &this->dscp6_natt;
+				break;
+			default:
+				return FAILED;
 		}
 	}
-	else if (sport == IKEV2_NATT_PORT)
+	if (skt == -1)
+	{
+		DBG1(DBG_NET, "no socket found to send IPv%d packet from port %d",
+			 family == AF_INET ? 4 : 6, sport);
+		return FAILED;
+	}
+
+	/* setting DSCP values per-packet in a cmsg seems not to be supported
+	 * on Linux. We instead setsockopt() before sending it, this should be
+	 * safe as only a single thread calls send(). */
+	if (*dscp != packet->get_dscp(packet))
 	{
 		if (family == AF_INET)
 		{
-			skt = this->ipv4_natt;
+			u_int8_t ds4;
+
+			ds4 = packet->get_dscp(packet) << 2;
+			if (setsockopt(skt, SOL_IP, IP_TOS, &ds4, sizeof(ds4)) == 0)
+			{
+				*dscp = packet->get_dscp(packet);
+			}
+			else
+			{
+				DBG1(DBG_NET, "unable to set IP_TOS on socket: %s",
+					 strerror(errno));
+			}
 		}
 		else
 		{
-			skt = this->ipv6_natt;
-		}
-		/* NAT keepalives without marker */
-		if (data.len != 1 || data.ptr[0] != 0xFF)
-		{
-			/* add non esp marker to packet */
-			marked = chunk_alloc(data.len + MARKER_LEN);
-			memset(marked.ptr, 0, MARKER_LEN);
-			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
-			/* let the packet do the clean up for us */
-			packet->set_data(packet, marked);
-			data = marked;
+			u_int ds6;
+
+			ds6 = packet->get_dscp(packet) << 2;
+			if (setsockopt(skt, SOL_IPV6, IPV6_TCLASS, &ds6, sizeof(ds6)) == 0)
+			{
+				*dscp = packet->get_dscp(packet);
+			}
+			else
+			{
+				DBG1(DBG_NET, "unable to set IPV6_TCLASS on socket: %s",
+					 strerror(errno));
+			}
 		}
 	}
-	else
-	{
-		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
-		return FAILED;
-	}
 
 	memset(&msg, 0, sizeof(struct msghdr));
 	msg.msg_name = dst->get_sockaddr(dst);;
@@ -385,7 +432,7 @@ METHOD(socket_t, sender, status_t,
 	msg.msg_iovlen = 1;
 	msg.msg_flags = 0;
 
-	if (!src->is_anyaddr(src))
+	if (this->set_source && !src->is_anyaddr(src))
 	{
 		if (family == AF_INET)
 		{
@@ -448,29 +495,53 @@ METHOD(socket_t, sender, status_t,
 	return SUCCESS;
 }
 
+METHOD(socket_t, get_port, u_int16_t,
+	private_socket_default_socket_t *this, bool nat_t)
+{
+	return nat_t ? this->natt : this->port;
+}
+
+METHOD(socket_t, supported_families, socket_family_t,
+	private_socket_default_socket_t *this)
+{
+	socket_family_t families = SOCKET_FAMILY_NONE;
+
+	if (this->ipv4 != -1 || this->ipv4_natt != -1)
+	{
+		families |= SOCKET_FAMILY_IPV4;
+	}
+	if (this->ipv6 != -1 || this->ipv6_natt != -1)
+	{
+		families |= SOCKET_FAMILY_IPV6;
+	}
+	return families;
+}
+
 /**
  * open a socket to send and receive packets
  */
 static int open_socket(private_socket_default_socket_t *this,
-					   int family, u_int16_t port)
+					   int family, u_int16_t *port)
 {
 	int on = TRUE;
-	struct sockaddr_storage addr;
+	union {
+		struct sockaddr sockaddr;
+		struct sockaddr_in sin;
+		struct sockaddr_in6 sin6;
+	} addr;
 	socklen_t addrlen;
 	u_int sol, pktinfo = 0;
 	int skt;
 
 	memset(&addr, 0, sizeof(addr));
-	addr.ss_family = family;
+	addr.sockaddr.sa_family = family;
 	/* precalculate constants depending on address family */
 	switch (family)
 	{
 		case AF_INET:
-		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-			htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
-			htoun16(&sin->sin_port, port);
-			addrlen = sizeof(struct sockaddr_in);
+			addr.sin.sin_addr.s_addr = htonl(INADDR_ANY);
+			addr.sin.sin_port = htons(*port);
+			addrlen = sizeof(addr.sin);
 			sol = SOL_IP;
 #ifdef IP_PKTINFO
 			pktinfo = IP_PKTINFO;
@@ -478,40 +549,56 @@ static int open_socket(private_socket_default_socket_t *this,
 			pktinfo = IP_RECVDSTADDR;
 #endif
 			break;
-		}
 		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
-			htoun16(&sin6->sin6_port, port);
-			addrlen = sizeof(struct sockaddr_in6);
+			memcpy(&addr.sin6.sin6_addr, &in6addr_any, sizeof(in6addr_any));
+			addr.sin6.sin6_port = htons(*port);
+			addrlen = sizeof(addr.sin6);
 			sol = SOL_IPV6;
 			pktinfo = IPV6_RECVPKTINFO;
 			break;
-		}
 		default:
-			return 0;
+			return -1;
 	}
 
 	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
 	if (skt < 0)
 	{
 		DBG1(DBG_NET, "could not open socket: %s", strerror(errno));
-		return 0;
+		return -1;
 	}
 	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
 	{
 		DBG1(DBG_NET, "unable to set SO_REUSEADDR on socket: %s", strerror(errno));
 		close(skt);
-		return 0;
+		return -1;
 	}
 
 	/* bind the socket */
-	if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
+	if (bind(skt, &addr.sockaddr, addrlen) < 0)
 	{
 		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
 		close(skt);
-		return 0;
+		return -1;
+	}
+
+	/* retrieve randomly allocated port if needed */
+	if (*port == 0)
+	{
+		if (getsockname(skt, &addr.sockaddr, &addrlen) < 0)
+		{
+			DBG1(DBG_NET, "unable to determine port: %s", strerror(errno));
+			close(skt);
+			return -1;
+		}
+		switch (family)
+		{
+			case AF_INET:
+				*port = ntohs(addr.sin.sin_port);
+				break;
+			case AF_INET6:
+				*port = ntohs(addr.sin6.sin6_port);
+				break;
+		}
 	}
 
 	/* get additional packet info on receive */
@@ -521,7 +608,7 @@ static int open_socket(private_socket_default_socket_t *this,
 		{
 			DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
 			close(skt);
-			return 0;
+			return -1;
 		}
 	}
 
@@ -531,36 +618,81 @@ static int open_socket(private_socket_default_socket_t *this,
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
 
-#ifndef __APPLE__
+	/* enable UDP decapsulation for NAT-T sockets */
+	if (port == &this->natt &&
+		!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
+												   skt, family, this->natt))
 	{
-		/* enable UDP decapsulation globally, only for one socket needed */
-		int type = UDP_ENCAP_ESPINUDP;
-		if (family == AF_INET && port == IKEV2_NATT_PORT &&
-			setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+		DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
+			 family == AF_INET ? "IPv4" : "IPv6", this->natt);
+	}
+
+	return skt;
+}
+
+/**
+ * Check if we should use the given family
+ */
+static bool use_family(int family)
+{
+	switch (family)
+	{
+		case AF_INET:
+			return lib->settings->get_bool(lib->settings,
+					"%s.plugins.socket-default.use_ipv4", TRUE, charon->name);
+		case AF_INET6:
+			return lib->settings->get_bool(lib->settings,
+					"%s.plugins.socket-default.use_ipv6", TRUE, charon->name);
+		default:
+			return FALSE;
+	}
+}
+
+/**
+ * Open a socket pair (normal and NAT traversal) for a given address family
+ */
+static void open_socketpair(private_socket_default_socket_t *this, int family,
+							int *skt, int *skt_natt, char *label)
+{
+	if (!use_family(family))
+	{
+		*skt = -1;
+		*skt_natt = -1;
+		return;
+	}
+
+	*skt = open_socket(this, family, &this->port);
+	if (*skt == -1)
+	{
+		*skt_natt = -1;
+		DBG1(DBG_NET, "could not open %s socket, %s disabled", label, label);
+	}
+	else
+	{
+		*skt_natt = open_socket(this, family, &this->natt);
+		if (*skt_natt == -1)
 		{
-			DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+			DBG1(DBG_NET, "could not open %s NAT-T socket", label);
 		}
 	}
-#endif
-	return skt;
 }
 
 METHOD(socket_t, destroy, void,
 	private_socket_default_socket_t *this)
 {
-	if (this->ipv4)
+	if (this->ipv4 != -1)
 	{
 		close(this->ipv4);
 	}
-	if (this->ipv4_natt)
+	if (this->ipv4_natt != -1)
 	{
 		close(this->ipv4_natt);
 	}
-	if (this->ipv6)
+	if (this->ipv6 != -1)
 	{
 		close(this->ipv6);
 	}
-	if (this->ipv6_natt)
+	if (this->ipv6_natt != -1)
 	{
 		close(this->ipv6_natt);
 	}
@@ -579,59 +711,58 @@ socket_default_socket_t *socket_default_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.get_port = _get_port,
+				.supported_families = _supported_families,
 				.destroy = _destroy,
 			},
 		},
+		.port = lib->settings->get_int(lib->settings,
+							"%s.port", CHARON_UDP_PORT, charon->name),
+		.natt = lib->settings->get_int(lib->settings,
+							"%s.port_nat_t", CHARON_NATT_PORT, charon->name),
 		.max_packet = lib->settings->get_int(lib->settings,
-										"charon.max_packet", MAX_PACKET),
+							"%s.max_packet", MAX_PACKET, charon->name),
+		.set_source = lib->settings->get_bool(lib->settings,
+							"%s.plugins.socket-default.set_source", TRUE,
+							charon->name),
 	);
 
-#ifdef __APPLE__
+	if (this->port && this->port == this->natt)
 	{
-		int natt_port = IKEV2_NATT_PORT;
-		if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port,
-						 sizeof(natt_port)) != 0)
-		{
-			DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s",
-				 natt_port, strerror(errno));
-		}
+		DBG1(DBG_NET, "IKE ports can't be equal, will allocate NAT-T "
+			 "port randomly");
+		this->natt = 0;
 	}
-#endif
 
-	this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
-	if (this->ipv4 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv4 socket, IPv4 disabled");
-	}
-	else
+	if ((this->port && this->port < 1024) || (this->natt && this->natt < 1024))
 	{
-		this->ipv4_natt = open_socket(this, AF_INET, IKEV2_NATT_PORT);
-		if (this->ipv4_natt == 0)
+		if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
 		{
-			DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
+			/* required to bind ports < 1024 */
+			DBG1(DBG_NET, "socket-default plugin requires CAP_NET_BIND_SERVICE "
+				 "capability");
+			destroy(this);
+			return NULL;
 		}
 	}
 
-	this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
-	if (this->ipv6 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv6 socket, IPv6 disabled");
-	}
-	else
-	{
-		this->ipv6_natt = open_socket(this, AF_INET6, IKEV2_NATT_PORT);
-		if (this->ipv6_natt == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
-		}
-	}
+	/* we allocate IPv6 sockets first as that will reserve randomly allocated
+	 * ports also for IPv4. On OS X, we have to do it the other way round
+	 * for the same effect. */
+#ifdef __APPLE__
+	open_socketpair(this, AF_INET, &this->ipv4, &this->ipv4_natt, "IPv4");
+	open_socketpair(this, AF_INET6, &this->ipv6, &this->ipv6_natt, "IPv6");
+#else /* !__APPLE__ */
+	open_socketpair(this, AF_INET6, &this->ipv6, &this->ipv6_natt, "IPv6");
+	open_socketpair(this, AF_INET, &this->ipv4, &this->ipv4_natt, "IPv4");
+#endif /* __APPLE__ */
 
-	if (!this->ipv4 && !this->ipv6)
+	if (this->ipv4 == -1 && this->ipv6 == -1)
 	{
 		DBG1(DBG_NET, "could not create any sockets");
 		destroy(this);
 		return NULL;
 	}
+
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.am b/src/libcharon/plugins/socket_dynamic/Makefile.am
index 914945535..04973e5ba 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.am
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-socket-dynamic.la
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index f45e3d255..e976e9902 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_socket_dynamic_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_socket_dynamic_la_OBJECTS = socket_dynamic_plugin.lo \
 	socket_dynamic_socket.lo
 libstrongswan_socket_dynamic_la_OBJECTS =  \
 	$(am_libstrongswan_socket_dynamic_la_OBJECTS)
-libstrongswan_socket_dynamic_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_socket_dynamic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_socket_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_socket_dynamic_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_socket_dynamic_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_socket_dynamic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-dynamic.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-dynamic.la
 libstrongswan_socket_dynamic_la_SOURCES = \
@@ -340,7 +406,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +413,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -369,8 +436,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES) 
-	$(libstrongswan_socket_dynamic_la_LINK) $(am_libstrongswan_socket_dynamic_la_rpath) $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_LIBADD) $(LIBS)
+libstrongswan-socket-dynamic.la: $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_socket_dynamic_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_socket_dynamic_la_LINK) $(am_libstrongswan_socket_dynamic_la_rpath) $(libstrongswan_socket_dynamic_la_OBJECTS) $(libstrongswan_socket_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_dynamic_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +574,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
index c21d5240e..fdc9a7cf9 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
@@ -40,6 +40,7 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(socket_register, socket_dynamic_socket_create),
 			PLUGIN_PROVIDE(CUSTOM, "socket"),
+				PLUGIN_SDEPEND(CUSTOM, "kernel-ipsec"),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index eee3814a8..abbc8bad2 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -40,23 +40,11 @@
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 
 /* Maximum size of a packet */
 #define MAX_PACKET 10000
 
-/* length of non-esp marker */
-#define MARKER_LEN sizeof(u_int32_t)
-
-/* from linux/udp.h */
-#ifndef UDP_ENCAP
-#define UDP_ENCAP 100
-#endif /*UDP_ENCAP*/
-
-#ifndef UDP_ENCAP_ESPINUDP
-#define UDP_ENCAP_ESPINUDP 2
-#endif /*UDP_ENCAP_ESPINUDP*/
-
 /* these are not defined on some platforms */
 #ifndef SOL_IP
 #define SOL_IP IPPROTO_IP
@@ -64,9 +52,6 @@
 #ifndef SOL_IPV6
 #define SOL_IPV6 IPPROTO_IPV6
 #endif
-#ifndef SOL_UDP
-#define SOL_UDP IPPROTO_UDP
-#endif
 
 /* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
  * previously defined IPV6_PKTINFO */
@@ -237,12 +222,6 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 	}
 	DBG3(DBG_NET, "received packet %b", buffer, (u_int)len);
 
-	if (len < MARKER_LEN)
-	{
-		DBG3(DBG_NET, "received packet too short (%d bytes)", len);
-		return NULL;
-	}
-
 	/* read ancillary data to get destination address */
 	for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
 		 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
@@ -297,12 +276,6 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 	packet = packet_create();
 	packet->set_source(packet, source);
 	packet->set_destination(packet, dest);
-	/* we assume a non-ESP marker if none of the ports is on 500 */
-	if (dest->get_port(dest) != IKEV2_UDP_PORT &&
-		source->get_port(source) != IKEV2_UDP_PORT)
-	{
-		data = chunk_skip(data, MARKER_LEN);
-	}
 	packet->set_data(packet, chunk_clone(data));
 	return packet;
 }
@@ -353,13 +326,60 @@ METHOD(socket_t, receiver, status_t,
 }
 
 /**
+ * Get the port allocated dynamically using bind()
+ */
+static bool get_dynamic_port(int fd, int family, u_int16_t *port)
+{
+	union {
+		struct sockaddr_storage ss;
+		struct sockaddr s;
+		struct sockaddr_in sin;
+		struct sockaddr_in6 sin6;
+	} addr;
+	socklen_t addrlen;
+
+	addrlen = sizeof(addr);
+	if (getsockname(fd, &addr.s, &addrlen) != 0)
+	{
+		DBG1(DBG_NET, "unable to getsockname: %s", strerror(errno));
+		return FALSE;
+	}
+	switch (family)
+	{
+		case AF_INET:
+			if (addrlen != sizeof(addr.sin) || addr.sin.sin_family != family)
+			{
+				break;
+			}
+			*port = ntohs(addr.sin.sin_port);
+			return TRUE;
+		case AF_INET6:
+			if (addrlen != sizeof(addr.sin6) || addr.sin6.sin6_family != family)
+			{
+				break;
+			}
+			*port = ntohs(addr.sin6.sin6_port);
+			return TRUE;
+		default:
+			return FALSE;
+	}
+	DBG1(DBG_NET, "received invalid getsockname() result");
+	return FALSE;
+}
+
+/**
  * open a socket to send and receive packets
  */
 static int open_socket(private_socket_dynamic_socket_t *this,
-					   int family, u_int16_t port)
+					   int family, u_int16_t *port)
 {
-	int on = TRUE, type = UDP_ENCAP_ESPINUDP;
-	struct sockaddr_storage addr;
+	union {
+		struct sockaddr_storage ss;
+		struct sockaddr s;
+		struct sockaddr_in sin;
+		struct sockaddr_in6 sin6;
+	} addr;
+	int on = TRUE;
 	socklen_t addrlen;
 	u_int sol, pktinfo = 0;
 	int fd;
@@ -369,27 +389,21 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 	switch (family)
 	{
 		case AF_INET:
-		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-			sin->sin_family = AF_INET;
-			sin->sin_addr.s_addr = INADDR_ANY;
-			sin->sin_port = htons(port);
-			addrlen = sizeof(struct sockaddr_in);
+			addr.sin.sin_family = AF_INET;
+			addr.sin.sin_addr.s_addr = INADDR_ANY;
+			addr.sin.sin_port = htons(*port);
+			addrlen = sizeof(addr.sin);
 			sol = SOL_IP;
 			pktinfo = IP_PKTINFO;
 			break;
-		}
 		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-			sin6->sin6_family = AF_INET6;
-			memset(&sin6->sin6_addr, 0, sizeof(sin6->sin6_addr));
-			sin6->sin6_port = htons(port);
-			addrlen = sizeof(struct sockaddr_in6);
+			addr.sin6.sin6_family = AF_INET6;
+			memset(&addr.sin6.sin6_addr, 0, sizeof(addr.sin6.sin6_addr));
+			addr.sin6.sin6_port = htons(*port);
+			addrlen = sizeof(addr.sin6);
 			sol = SOL_IPV6;
 			pktinfo = IPV6_RECVPKTINFO;
 			break;
-		}
 		default:
 			return 0;
 	}
@@ -407,13 +421,17 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 		return 0;
 	}
 
-	/* bind the socket */
-	if (bind(fd, (struct sockaddr *)&addr, addrlen) < 0)
+	if (bind(fd, &addr.s, addrlen) < 0)
 	{
 		DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
 		close(fd);
 		return 0;
 	}
+	if (*port == 0 && !get_dynamic_port(fd, family, port))
+	{
+		close(fd);
+		return 0;
+	}
 
 	/* get additional packet info on receive */
 	if (setsockopt(fd, sol, pktinfo, &on, sizeof(on)) < 0)
@@ -430,14 +448,42 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 	}
 
 	/* enable UDP decapsulation on each socket */
-	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+	if (!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
+												   fd, family, *port))
 	{
-		DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+		DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
+			 family == AF_INET ? "IPv4" : "IPv6", *port);
 	}
+
 	return fd;
 }
 
 /**
+ * Get the first usable socket for an address family
+ */
+static dynsock_t *get_any_socket(private_socket_dynamic_socket_t *this,
+								 int family)
+{
+	dynsock_t *key, *value, *found = NULL;
+	enumerator_t *enumerator;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->sockets->create_enumerator(this->sockets);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		if (value->family == family)
+		{
+			found = value;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return found;
+}
+
+/**
  * Find/Create a socket to send from host
  */
 static dynsock_t *find_socket(private_socket_dynamic_socket_t *this,
@@ -457,7 +503,15 @@ static dynsock_t *find_socket(private_socket_dynamic_socket_t *this,
 	{
 		return skt;
 	}
-	fd = open_socket(this, family, port);
+	if (!port)
+	{
+		skt = get_any_socket(this, family);
+		if (skt)
+		{
+			return skt;
+		}
+	}
+	fd = open_socket(this, family, &port);
 	if (!fd)
 	{
 		return NULL;
@@ -481,9 +535,9 @@ METHOD(socket_t, sender, status_t,
 {
 	dynsock_t *skt;
 	host_t *src, *dst;
-	int port, family;
+	int family;
 	ssize_t len;
-	chunk_t data, marked;
+	chunk_t data;
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
 	struct iovec iov;
@@ -491,8 +545,7 @@ METHOD(socket_t, sender, status_t,
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
 	family = src->get_family(src);
-	port = src->get_port(src);
-	skt = find_socket(this, family, port);
+	skt = find_socket(this, family, src->get_port(src));
 	if (!skt)
 	{
 		return FAILED;
@@ -501,19 +554,6 @@ METHOD(socket_t, sender, status_t,
 	data = packet->get_data(packet);
 	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
 
-	/* use non-ESP marker if none of the ports is 500, not for keep alives */
-	if (port != IKEV2_UDP_PORT && dst->get_port(dst) != IKEV2_UDP_PORT &&
-		!(data.len == 1 && data.ptr[0] == 0xFF))
-	{
-		/* add non esp marker to packet */
-		marked = chunk_alloc(data.len + MARKER_LEN);
-		memset(marked.ptr, 0, MARKER_LEN);
-		memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
-		/* let the packet do the clean up for us */
-		packet->set_data(packet, marked);
-		data = marked;
-	}
-
 	memset(&msg, 0, sizeof(struct msghdr));
 	msg.msg_name = dst->get_sockaddr(dst);;
 	msg.msg_namelen = *dst->get_sockaddr_len(dst);
@@ -572,6 +612,22 @@ METHOD(socket_t, sender, status_t,
 	return SUCCESS;
 }
 
+METHOD(socket_t, get_port, u_int16_t,
+	private_socket_dynamic_socket_t *this, bool nat_t)
+{
+	/* we return 0 here for users that have no explicit port configured, the
+	 * sender will default to the default port in this case */
+	return 0;
+}
+
+METHOD(socket_t, supported_families, socket_family_t,
+	private_socket_dynamic_socket_t *this)
+{
+	/* we could return only the families of the opened sockets, but it could
+	 * be that both families are supported even if no socket is yet open */
+	return SOCKET_FAMILY_BOTH;
+}
+
 METHOD(socket_t, destroy, void,
 	private_socket_dynamic_socket_t *this)
 {
@@ -605,12 +661,14 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.get_port = _get_port,
+				.supported_families = _supported_families,
 				.destroy = _destroy,
 			},
 		},
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.max_packet = lib->settings->get_int(lib->settings,
-										"charon.max_packet", MAX_PACKET),
+									"%s.max_packet", MAX_PACKET, charon->name),
 	);
 
 	if (pipe(this->notify) != 0)
@@ -624,4 +682,3 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/socket_raw/Makefile.am b/src/libcharon/plugins/socket_raw/Makefile.am
deleted file mode 100644
index 2109ae5f3..000000000
--- a/src/libcharon/plugins/socket_raw/Makefile.am
+++ /dev/null
@@ -1,17 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-socket-raw.la
-else
-plugin_LTLIBRARIES = libstrongswan-socket-raw.la
-endif
-
-libstrongswan_socket_raw_la_SOURCES = \
-	socket_raw_plugin.h socket_raw_plugin.c \
-	socket_raw_socket.h socket_raw_socket.c
-
-libstrongswan_socket_raw_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in
deleted file mode 100644
index 5abceb6c3..000000000
--- a/src/libcharon/plugins/socket_raw/Makefile.in
+++ /dev/null
@@ -1,616 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libcharon/plugins/socket_raw
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_socket_raw_la_LIBADD =
-am_libstrongswan_socket_raw_la_OBJECTS = socket_raw_plugin.lo \
-	socket_raw_socket.lo
-libstrongswan_socket_raw_la_OBJECTS =  \
-	$(am_libstrongswan_socket_raw_la_OBJECTS)
-libstrongswan_socket_raw_la_LINK = $(LIBTOOL) --tag=CC \
-	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
-	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_socket_raw_la_LDFLAGS) \
-	$(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_socket_raw_la_rpath = -rpath \
-@MONOLITHIC_FALSE@	$(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_socket_raw_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_socket_raw_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_socket_raw_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-socket-raw.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-socket-raw.la
-libstrongswan_socket_raw_la_SOURCES = \
-	socket_raw_plugin.h socket_raw_plugin.c \
-	socket_raw_socket.h socket_raw_socket.c
-
-libstrongswan_socket_raw_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/socket_raw/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/socket_raw/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-socket-raw.la: $(libstrongswan_socket_raw_la_OBJECTS) $(libstrongswan_socket_raw_la_DEPENDENCIES) 
-	$(libstrongswan_socket_raw_la_LINK) $(am_libstrongswan_socket_raw_la_rpath) $(libstrongswan_socket_raw_la_OBJECTS) $(libstrongswan_socket_raw_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_raw_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_raw_socket.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
-	clean-pluginLTLIBRARIES mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
-	ctags distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-pluginLTLIBRARIES install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
deleted file mode 100644
index 1299c30ca..000000000
--- a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "socket_raw_plugin.h"
-
-#include "socket_raw_socket.h"
-
-#include <daemon.h>
-
-typedef struct private_socket_raw_plugin_t private_socket_raw_plugin_t;
-
-/**
- * Private data of socket plugin
- */
-struct private_socket_raw_plugin_t {
-
-	/**
-	 * Implements plugin interface
-	 */
-	socket_raw_plugin_t public;
-};
-
-METHOD(plugin_t, get_name, char*,
-	private_socket_raw_plugin_t *this)
-{
-	return "socket-raw";
-}
-
-METHOD(plugin_t, get_features, int,
-	private_socket_raw_plugin_t *this, plugin_feature_t *features[])
-{
-	static plugin_feature_t f[] = {
-		PLUGIN_CALLBACK(socket_register, socket_raw_socket_create),
-			PLUGIN_PROVIDE(CUSTOM, "socket"),
-	};
-	*features = f;
-	return countof(f);
-}
-
-METHOD(plugin_t, destroy, void,
-	private_socket_raw_plugin_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *socket_raw_plugin_create()
-{
-	private_socket_raw_plugin_t *this;
-
-	INIT(this,
-		.public = {
-			.plugin = {
-				.get_name = _get_name,
-				.get_features = _get_features,
-				.destroy = _destroy,
-			},
-		},
-	);
-
-	return &this->public.plugin;
-}
-
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.h b/src/libcharon/plugins/socket_raw/socket_raw_plugin.h
deleted file mode 100644
index a692b7594..000000000
--- a/src/libcharon/plugins/socket_raw/socket_raw_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup socket_raw socket_raw
- * @ingroup cplugins
- *
- * @defgroup socket_raw_plugin socket_raw_plugin
- * @{ @ingroup socket_raw
- */
-
-#ifndef SOCKET_RAW_PLUGIN_H_
-#define SOCKET_RAW_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct socket_raw_plugin_t socket_raw_plugin_t;
-
-/**
- * RAW socket implementation plugin.
- */
-struct socket_raw_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** SOCKET_RAW_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
deleted file mode 100644
index ae37d8f2b..000000000
--- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c
+++ /dev/null
@@ -1,717 +0,0 @@
-/*
- * Copyright (C) 2006-2010 Tobias Brunner
- * Copyright (C) 2005-2010 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* for struct in6_pktinfo */
-#define _GNU_SOURCE
-
-#include "socket_raw_socket.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <linux/types.h>
-#include <linux/filter.h>
-#include <net/if.h>
-
-#include <hydra.h>
-#include <daemon.h>
-#include <threading/thread.h>
-
-/* Maximum size of a packet */
-#define MAX_PACKET 10000
-
-/* constants for packet handling */
-#define IP_LEN sizeof(struct iphdr)
-#define IP6_LEN sizeof(struct ip6_hdr)
-#define UDP_LEN sizeof(struct udphdr)
-#define MARKER_LEN sizeof(u_int32_t)
-
-/* offsets for packet handling */
-#define IP_PROTO_OFFSET 9
-#define IP6_PROTO_OFFSET 6
-#define IKE_VERSION_OFFSET 17
-#define IKE_LENGTH_OFFSET 24
-
-/* from linux/udp.h */
-#ifndef UDP_ENCAP
-#define UDP_ENCAP 100
-#endif /*UDP_ENCAP*/
-
-#ifndef UDP_ENCAP_ESPINUDP
-#define UDP_ENCAP_ESPINUDP 2
-#endif /*UDP_ENCAP_ESPINUDP*/
-
-/* needed for older kernel headers */
-#ifndef IPV6_2292PKTINFO
-#define IPV6_2292PKTINFO 2
-#endif /*IPV6_2292PKTINFO*/
-
-typedef struct private_socket_raw_socket_t private_socket_raw_socket_t;
-
-/**
- * Private data of an socket_t object
- */
-struct private_socket_raw_socket_t {
-
-	/**
-	 * public functions
-	 */
-	 socket_raw_socket_t public;
-
-	/**
-	 * regular port
-	 */
-	int port;
-
-	/**
-	 * port used for nat-t
-	 */
-	int natt_port;
-
-	/**
-	 * raw receiver socket for IPv4
-	 */
-	int recv4;
-
-	/**
-	 * raw receiver socket for IPv6
-	 */
-	int recv6;
-
-	/**
-	 * send socket on regular port for IPv4
-	 */
-	int send4;
-
-	/**
-	 * send socket on regular port for IPv6
-	 */
-	int send6;
-
-	/**
-	 * send socket on nat-t port for IPv4
-	 */
-	int send4_natt;
-
-	/**
-	 * send socket on nat-t port for IPv6
-	 */
-	int send6_natt;
-
-	/**
-	 * Maximum packet size to receive
-	 */
-	int max_packet;
-};
-
-METHOD(socket_t, receiver, status_t,
-	private_socket_raw_socket_t *this, packet_t **packet)
-{
-	char buffer[this->max_packet];
-	chunk_t data;
-	packet_t *pkt;
-	struct udphdr *udp;
-	host_t *source = NULL, *dest = NULL;
-	int bytes_read = 0, data_offset;
-	bool oldstate;
-	fd_set rfds;
-
-	FD_ZERO(&rfds);
-
-	if (this->recv4)
-	{
-		FD_SET(this->recv4, &rfds);
-	}
-	if (this->recv6)
-	{
-		FD_SET(this->recv6, &rfds);
-	}
-
-	DBG2(DBG_NET, "waiting for data on raw sockets");
-
-	oldstate = thread_cancelability(TRUE);
-	if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
-	{
-		thread_cancelability(oldstate);
-		return FAILED;
-	}
-	thread_cancelability(oldstate);
-
-	if (this->recv4 && FD_ISSET(this->recv4, &rfds))
-	{
-		/* IPv4 raw sockets return the IP header. We read src/dest
-		 * information directly from the raw header */
-		struct iphdr *ip;
-		struct sockaddr_in src, dst;
-
-		bytes_read = recv(this->recv4, buffer, this->max_packet, 0);
-		if (bytes_read < 0)
-		{
-			DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
-			return FAILED;
-		}
-		if (bytes_read == this->max_packet)
-		{
-			DBG1(DBG_NET, "receive buffer too small, packet discarded");
-			return FAILED;
-		}
-		DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
-
-		/* read source/dest from raw IP/UDP header */
-		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
-		{
-			DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)",
-				 bytes_read);
-			return FAILED;
-		}
-		ip = (struct iphdr*) buffer;
-		udp = (struct udphdr*) (buffer + IP_LEN);
-		src.sin_family = AF_INET;
-		src.sin_addr.s_addr = ip->saddr;
-		src.sin_port = udp->source;
-		dst.sin_family = AF_INET;
-		dst.sin_addr.s_addr = ip->daddr;
-		dst.sin_port = udp->dest;
-		source = host_create_from_sockaddr((sockaddr_t*)&src);
-		dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-
-		pkt = packet_create();
-		pkt->set_source(pkt, source);
-		pkt->set_destination(pkt, dest);
-		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
-		data_offset = IP_LEN + UDP_LEN;
-		/* remove non esp marker */
-		if (dest->get_port(dest) == IKEV2_NATT_PORT)
-		{
-			data_offset += MARKER_LEN;
-		}
-		/* fill in packet */
-		data.len = bytes_read - data_offset;
-		data.ptr = malloc(data.len);
-		memcpy(data.ptr, buffer + data_offset, data.len);
-		pkt->set_data(pkt, data);
-	}
-	else if (this->recv6 && FD_ISSET(this->recv6, &rfds))
-	{
-		/* IPv6 raw sockets return no IP header. We must query
-		 * src/dest via socket options/ancillary data */
-		struct msghdr msg;
-		struct cmsghdr *cmsgptr;
-		struct sockaddr_in6 src, dst;
-		struct iovec iov;
-		char ancillary[64];
-
-		msg.msg_name = &src;
-		msg.msg_namelen = sizeof(src);
-		iov.iov_base = buffer;
-		iov.iov_len = this->max_packet;
-		msg.msg_iov = &iov;
-		msg.msg_iovlen = 1;
-		msg.msg_control = ancillary;
-		msg.msg_controllen = sizeof(ancillary);
-		msg.msg_flags = 0;
-
-		bytes_read = recvmsg(this->recv6, &msg, 0);
-		if (bytes_read < 0)
-		{
-			DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno));
-			return FAILED;
-		}
-		DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
-
-		if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
-		{
-			DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
-				 bytes_read);
-			return FAILED;
-		}
-
-		/* read ancillary data to get destination address */
-		for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
-			 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
-		{
-			if (cmsgptr->cmsg_len == 0)
-			{
-				DBG1(DBG_NET, "error reading IPv6 ancillary data");
-				return FAILED;
-			}
-
-#ifdef HAVE_IN6_PKTINFO
-			if (cmsgptr->cmsg_level == SOL_IPV6 &&
-				cmsgptr->cmsg_type == IPV6_2292PKTINFO)
-			{
-				struct in6_pktinfo *pktinfo;
-				pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
-
-				memset(&dst, 0, sizeof(dst));
-				memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
-				dst.sin6_family = AF_INET6;
-				udp = (struct udphdr*) (buffer);
-				dst.sin6_port = udp->dest;
-				src.sin6_port = udp->source;
-				dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-			}
-#endif /* HAVE_IN6_PKTINFO */
-		}
-		/* ancillary data missing? */
-		if (dest == NULL)
-		{
-			DBG1(DBG_NET, "error reading IPv6 packet header");
-			return FAILED;
-		}
-
-		source = host_create_from_sockaddr((sockaddr_t*)&src);
-
-		pkt = packet_create();
-		pkt->set_source(pkt, source);
-		pkt->set_destination(pkt, dest);
-		DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
-		data_offset = UDP_LEN;
-		/* remove non esp marker */
-		if (dest->get_port(dest) == IKEV2_NATT_PORT)
-		{
-			data_offset += MARKER_LEN;
-		}
-		/* fill in packet */
-		data.len = bytes_read - data_offset;
-		data.ptr = malloc(data.len);
-		memcpy(data.ptr, buffer + data_offset, data.len);
-		pkt->set_data(pkt, data);
-	}
-	else
-	{
-		/* oops, shouldn't happen */
-		return FAILED;
-	}
-
-	/* return packet */
-	*packet = pkt;
-	return SUCCESS;
-}
-
-METHOD(socket_t, sender, status_t,
-	private_socket_raw_socket_t *this, packet_t *packet)
-{
-	int sport, skt, family;
-	ssize_t bytes_sent;
-	chunk_t data, marked;
-	host_t *src, *dst;
-	struct msghdr msg;
-	struct cmsghdr *cmsg;
-	struct iovec iov;
-
-	src = packet->get_source(packet);
-	dst = packet->get_destination(packet);
-	data = packet->get_data(packet);
-
-	DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-
-	/* send data */
-	sport = src->get_port(src);
-	family = dst->get_family(dst);
-	if (sport == IKEV2_UDP_PORT)
-	{
-		if (family == AF_INET)
-		{
-			skt = this->send4;
-		}
-		else
-		{
-			skt = this->send6;
-		}
-	}
-	else if (sport == IKEV2_NATT_PORT)
-	{
-		if (family == AF_INET)
-		{
-			skt = this->send4_natt;
-		}
-		else
-		{
-			skt = this->send6_natt;
-		}
-		/* NAT keepalives without marker */
-		if (data.len != 1 || data.ptr[0] != 0xFF)
-		{
-			/* add non esp marker to packet */
-			marked = chunk_alloc(data.len + MARKER_LEN);
-			memset(marked.ptr, 0, MARKER_LEN);
-			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
-			/* let the packet do the clean up for us */
-			packet->set_data(packet, marked);
-			data = marked;
-		}
-	}
-	else
-	{
-		DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
-		return FAILED;
-	}
-
-	memset(&msg, 0, sizeof(struct msghdr));
-	msg.msg_name = dst->get_sockaddr(dst);;
-	msg.msg_namelen = *dst->get_sockaddr_len(dst);
-	iov.iov_base = data.ptr;
-	iov.iov_len = data.len;
-	msg.msg_iov = &iov;
-	msg.msg_iovlen = 1;
-	msg.msg_flags = 0;
-
-	if (!src->is_anyaddr(src))
-	{
-		if (family == AF_INET)
-		{
-			char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
-			struct in_pktinfo *pktinfo;
-			struct sockaddr_in *sin;
-
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IP;
-			cmsg->cmsg_type = IP_PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
-			pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
-			memset(pktinfo, 0, sizeof(struct in_pktinfo));
-			sin = (struct sockaddr_in*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
-		}
-#ifdef HAVE_IN6_PKTINFO
-		else
-		{
-			char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
-			struct in6_pktinfo *pktinfo;
-			struct sockaddr_in6 *sin;
-
-			msg.msg_control = buf;
-			msg.msg_controllen = sizeof(buf);
-			cmsg = CMSG_FIRSTHDR(&msg);
-			cmsg->cmsg_level = SOL_IPV6;
-			cmsg->cmsg_type = IPV6_2292PKTINFO;
-			cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
-			pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
-			memset(pktinfo, 0, sizeof(struct in6_pktinfo));
-			sin = (struct sockaddr_in6*)src->get_sockaddr(src);
-			memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
-		}
-#endif /* HAVE_IN6_PKTINFO */
-	}
-
-	bytes_sent = sendmsg(skt, &msg, 0);
-
-	if (bytes_sent != data.len)
-	{
-		DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * open a socket to send packets
- */
-static int open_send_socket(private_socket_raw_socket_t *this,
-							int family, u_int16_t port)
-{
-	int on = TRUE;
-	int type = UDP_ENCAP_ESPINUDP;
-	struct sockaddr_storage addr;
-	int skt;
-
-	memset(&addr, 0, sizeof(addr));
-	addr.ss_family = family;
-	/* precalculate constants depending on address family */
-	switch (family)
-	{
-		case AF_INET:
-		{
-			struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
-			htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
-			htoun16(&sin->sin_port, port);
-			break;
-		}
-		case AF_INET6:
-		{
-			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
-			memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
-			htoun16(&sin6->sin6_port, port);
-			break;
-		}
-		default:
-			return 0;
-	}
-
-	skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
-	if (skt < 0)
-	{
-		DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
-		return 0;
-	}
-
-	if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	/* bind the send socket */
-	if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_NET, "unable to bind send socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	if (family == AF_INET)
-	{
-		/* enable UDP decapsulation globally, only for one socket needed */
-		if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
-		{
-			DBG1(DBG_NET, "unable to set UDP_ENCAP: %s; NAT-T may fail",
-				 strerror(errno));
-		}
-	}
-
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												skt, family))
-	{
-		DBG1(DBG_NET, "installing bypass policy on send socket failed");
-	}
-
-	return skt;
-}
-
-/**
- * open a socket to receive packets
- */
-static int open_recv_socket(private_socket_raw_socket_t *this, int family)
-{
-	int skt;
-	int on = TRUE;
-	u_int ip_len, sol, udp_header, ike_header;
-
-	/* precalculate constants depending on address family */
-	switch (family)
-	{
-		case AF_INET:
-			ip_len = IP_LEN;
-			sol = SOL_IP;
-			break;
-		case AF_INET6:
-			ip_len = 0; /* IPv6 raw sockets contain no IP header */
-			sol = SOL_IPV6;
-			break;
-		default:
-			return 0;
-	}
-	udp_header = ip_len;
-	ike_header = ip_len + UDP_LEN;
-
-	/* This filter code filters out all non-IKEv2 traffic on
-	 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
-	 * IKE versions is done in pluto.
-	 */
-	struct sock_filter ikev2_filter_code[] =
-	{
-		/* Destination Port must be either port or natt_port */
-		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_UDP_PORT, 1, 0),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 6, 14),
-		/* port */
-			/* IKE version must be 2.x */
-			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
-			BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 11),
-			/* packet length is length in IKEv2 header + ip header + udp header */
-			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
-			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
-			BPF_STMT(BPF_RET+BPF_A, 0),
-		/* natt_port */
-			/* nat-t: check for marker */
-			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 6),
-			/* nat-t: IKE version must be 2.x */
-			BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
-			BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4),
-			BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 3),
-			/* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
-			BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
-			BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
-			BPF_STMT(BPF_RET+BPF_A, 0),
-		/* packet doesn't match, ignore */
-		BPF_STMT(BPF_RET+BPF_K, 0),
-	};
-
-	/* Filter struct to use with setsockopt */
-	struct sock_fprog ikev2_filter = {
-		sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
-		ikev2_filter_code
-	};
-
-	/* set up a raw socket */
-	skt = socket(family, SOCK_RAW, IPPROTO_UDP);
-	if (skt < 0)
-	{
-		DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
-		return 0;
-	}
-
-	if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
-				   &ikev2_filter, sizeof(ikev2_filter)) < 0)
-	{
-		DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	if (family == AF_INET6 &&
-		/* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
-		 * 2 or 50 depending on kernel header version */
-		setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
-	{
-		DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s",
-			 strerror(errno));
-		close(skt);
-		return 0;
-	}
-
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												skt, family))
-	{
-		DBG1(DBG_NET, "installing bypass policy on receive socket failed");
-	}
-
-	return skt;
-}
-
-METHOD(socket_t, destroy, void,
-	private_socket_raw_socket_t *this)
-{
-	if (this->recv4)
-	{
-		close(this->recv4);
-	}
-	if (this->recv6)
-	{
-		close(this->recv6);
-	}
-	if (this->send4)
-	{
-		close(this->send4);
-	}
-	if (this->send6)
-	{
-		close(this->send6);
-	}
-	if (this->send4_natt)
-	{
-		close(this->send4_natt);
-	}
-	if (this->send6_natt)
-	{
-		close(this->send6_natt);
-	}
-	free(this);
-}
-
-/*
- * See header for description
- */
-socket_raw_socket_t *socket_raw_socket_create()
-{
-	private_socket_raw_socket_t *this;
-
-	INIT(this,
-		.public = {
-			.socket = {
-				.send = _sender,
-				.receive = _receiver,
-				.destroy = _destroy,
-			},
-		},
-		.max_packet = lib->settings->get_int(lib->settings,
-										"charon.max_packet", MAX_PACKET),
-	);
-
-	this->recv4 = open_recv_socket(this, AF_INET);
-	if (this->recv4 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
-	}
-	else
-	{
-		this->send4 = open_send_socket(this, AF_INET, IKEV2_UDP_PORT);
-		if (this->send4 == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
-			close(this->recv4);
-		}
-		else
-		{
-			this->send4_natt = open_send_socket(this, AF_INET, IKEV2_NATT_PORT);
-			if (this->send4_natt == 0)
-			{
-				DBG1(DBG_NET, "could not open IPv4 NAT-T send socket");
-			}
-		}
-	}
-
-	this->recv6 = open_recv_socket(this, AF_INET6);
-	if (this->recv6 == 0)
-	{
-		DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
-	}
-	else
-	{
-		this->send6 = open_send_socket(this, AF_INET6, IKEV2_UDP_PORT);
-		if (this->send6 == 0)
-		{
-			DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
-			close(this->recv6);
-		}
-		else
-		{
-			this->send6_natt = open_send_socket(this, AF_INET6, IKEV2_NATT_PORT);
-			if (this->send6_natt == 0)
-			{
-				DBG1(DBG_NET, "could not open IPv6 NAT-T send socket");
-			}
-		}
-	}
-
-	if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
-	{
-		DBG1(DBG_NET, "could not create any sockets");
-		destroy(this);
-		return NULL;
-	}
-
-	return &this->public;
-}
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.h b/src/libcharon/plugins/socket_raw/socket_raw_socket.h
deleted file mode 100644
index 23ff304a8..000000000
--- a/src/libcharon/plugins/socket_raw/socket_raw_socket.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup socket_raw_socket socket_raw_socket
- * @{ @ingroup socket_raw
- */
-
-#ifndef SOCKET_RAW_SOCKET_H_
-#define SOCKET_RAW_SOCKET_H_
-
-typedef struct socket_raw_socket_t socket_raw_socket_t;
-
-#include <network/socket.h>
-
-/**
- * Raw socket, binds to port 500/4500 using any IPv4/IPv6 address.
- *
- * This imeplementation uses raw sockets to allow binding of other daemons
- * (pluto) to UDP/500/4500. An installed "Linux socket filter" filters out
- * all non-IKEv2 traffic and handles just IKEv2 messages. An other daemon
- * must handle all traffic separately, e.g. ignore IKEv2 traffic, since charon
- * handles that.
- */
-struct socket_raw_socket_t {
-
-	/**
-	 * Implements the socket_t interface.
-	 */
-	socket_t socket;
-
-};
-
-/**
- * Create a socket_raw_socket instance.
- */
-socket_raw_socket_t *socket_raw_socket_create();
-
-#endif /** SOCKET_RAW_SOCKET_H_ @}*/
diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am
index 37b87117c..fd5693123 100644
--- a/src/libcharon/plugins/sql/Makefile.am
+++ b/src/libcharon/plugins/sql/Makefile.am
@@ -1,7 +1,11 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sql.la
 else
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index d04c7f6c9..dd3c2e165 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sql_la_LIBADD =
 am_libstrongswan_sql_la_OBJECTS = sql_plugin.lo sql_config.lo \
 	sql_cred.lo sql_logger.lo
 libstrongswan_sql_la_OBJECTS = $(am_libstrongswan_sql_la_OBJECTS)
-libstrongswan_sql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sql_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sql_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sql_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sql_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sql_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,9 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sql.la
 libstrongswan_sql_la_SOURCES = \
@@ -336,7 +403,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -344,6 +410,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -365,8 +433,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) 
-	$(libstrongswan_sql_la_LINK) $(am_libstrongswan_sql_la_rpath) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
+libstrongswan-sql.la: $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_sql_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_sql_la_LINK) $(am_libstrongswan_sql_la_rpath) $(libstrongswan_sql_la_OBJECTS) $(libstrongswan_sql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -380,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -505,10 +573,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index dc016012c..c3471a078 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -258,8 +258,11 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
 	{
 		ike_cfg_t *ike_cfg;
 
-		ike_cfg = ike_cfg_create(certreq, force_encap,
-								 local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT);
+		ike_cfg = ike_cfg_create(IKEV2, certreq, force_encap,
+								 local, FALSE,
+								 charon->socket->get_port(charon->socket, FALSE),
+								 remote, FALSE, IKEV2_UDP_PORT,
+								 FRAGMENTATION_NO, 0);
 		add_ike_proposals(this, ike_cfg, id);
 		return ike_cfg;
 	}
@@ -332,6 +335,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		mediation, mediated_by, p_type;
 	chunk_t l_data, r_data, p_data;
 	char *name, *virtual, *pool;
+	enumerator_t *enumerator;
 
 	while (e->enumerate(e,
 			&id, &name, &ike_cfg, &l_type, &l_data, &r_type, &r_data,
@@ -368,10 +372,25 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		if (ike)
 		{
 			peer_cfg = peer_cfg_create(
-					name, 2, ike, cert_policy, uniqueid,
+					name, ike, cert_policy, uniqueid,
 					keyingtries, rekeytime, reauthtime, jitter, overtime,
-					mobike,	dpd_delay, vip, pool,
+					mobike, FALSE, dpd_delay, 0,
 					mediation, mediated_cfg, peer_id);
+			if (vip)
+			{
+				peer_cfg->add_virtual_ip(peer_cfg, vip);
+			}
+			if (pool)
+			{
+				/* attr-sql used comma separated pools, but we now completely
+				 * support multiple pools directly. Support old SQL configs: */
+				enumerator = enumerator_create_token(pool, ",", " ");
+				while (enumerator->enumerate(enumerator, &pool))
+				{
+					peer_cfg->add_pool(peer_cfg, pool);
+				}
+				enumerator->destroy(enumerator);
+			}
 			auth = auth_cfg_create();
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
 			auth->add(auth, AUTH_RULE_IDENTITY, local_id);
@@ -601,4 +620,3 @@ sql_config_t *sql_config_create(database_t *db)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c
index 10ceacb00..547e7691e 100644
--- a/src/libcharon/plugins/sql/sql_logger.c
+++ b/src/libcharon/plugins/sql/sql_logger.c
@@ -18,6 +18,7 @@
 #include "sql_logger.h"
 
 #include <daemon.h>
+#include <threading/thread_value.h>
 
 typedef struct private_sql_logger_t private_sql_logger_t;
 
@@ -42,24 +43,23 @@ struct private_sql_logger_t {
 	int level;
 
 	/**
-	 * avoid recursive logging
+	 * avoid recursive calls by the same thread
 	 */
-	bool recursive;
+	thread_value_t *recursive;
 };
 
-METHOD(listener_t, log_, bool,
+METHOD(logger_t, log_, void,
 	private_sql_logger_t *this, debug_t group, level_t level, int thread,
-	ike_sa_t* ike_sa, char *format, va_list args)
+	ike_sa_t* ike_sa, const char *message)
 {
-	if (this->recursive)
+	if (this->recursive->get(this->recursive))
 	{
-		return TRUE;
+		return;
 	}
-	this->recursive = TRUE;
+	this->recursive->set(this->recursive, this->recursive);
 
-	if (ike_sa && level <= this->level)
+	if (ike_sa)
 	{
-		char buffer[8192];
 		chunk_t local_spi, remote_spi;
 		host_t *local_host, *remote_host;
 		identification_t *local_id, *remote_id;
@@ -85,8 +85,6 @@ METHOD(listener_t, log_, bool,
 		local_host = ike_sa->get_my_host(ike_sa);
 		remote_host = ike_sa->get_other_host(ike_sa);
 
-		vsnprintf(buffer, sizeof(buffer), format, args);
-
 		this->db->execute(this->db, NULL, "REPLACE INTO ike_sas ("
 						  "local_spi, remote_spi, id, initiator, "
 						  "local_id_type, local_id_data, "
@@ -104,13 +102,19 @@ METHOD(listener_t, log_, bool,
 						  DB_BLOB, local_host->get_address(local_host),
 						  DB_BLOB, remote_host->get_address(remote_host));
 		this->db->execute(this->db, NULL, "INSERT INTO logs ("
-						  "local_spi, signal, level, msg) VALUES (?, ?, ?, ?)",
+						  "local_spi, `signal`, level, msg) "
+						  "VALUES (?, ?, ?, ?)",
 						  DB_BLOB, local_spi, DB_INT, group, DB_INT, level,
-						  DB_TEXT, buffer);
+						  DB_TEXT, message);
 	}
-	this->recursive = FALSE;
-	/* always stay registered */
-	return TRUE;
+
+	this->recursive->set(this->recursive, NULL);
+}
+
+METHOD(logger_t, get_level, level_t,
+	private_sql_logger_t *this, debug_t group)
+{
+	return this->level;
 }
 
 METHOD(sql_logger_t, destroy, void,
@@ -128,14 +132,16 @@ sql_logger_t *sql_logger_create(database_t *db)
 
 	INIT(this,
 		.public = {
-			.listener = {
+			.logger = {
 				.log = _log_,
+				.get_level = _get_level,
 			},
 			.destroy = _destroy,
 		},
 		.db = db,
+		.recursive = thread_value_create(NULL),
 		.level = lib->settings->get_int(lib->settings,
-										"charon.plugins.sql.loglevel", -1),
+								"%s.plugins.sql.loglevel", -1, charon->name),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/sql/sql_logger.h b/src/libcharon/plugins/sql/sql_logger.h
index a933705da..62dc3f361 100644
--- a/src/libcharon/plugins/sql/sql_logger.h
+++ b/src/libcharon/plugins/sql/sql_logger.h
@@ -32,9 +32,9 @@ typedef struct sql_logger_t sql_logger_t;
 struct sql_logger_t {
 
 	/**
-	 * Implements bus_listener_t interface
+	 * Implements logger_t interface
 	 */
-	listener_t listener;
+	logger_t logger;
 
 	/**
 	 * Destry the backend.
diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c
index d915d4696..c1b4461d2 100644
--- a/src/libcharon/plugins/sql/sql_plugin.c
+++ b/src/libcharon/plugins/sql/sql_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,6 +17,8 @@
 #include "sql_plugin.h"
 
 #include <daemon.h>
+#include <plugins/plugin_feature.h>
+
 #include "sql_config.h"
 #include "sql_cred.h"
 #include "sql_logger.h"
@@ -59,16 +62,67 @@ METHOD(plugin_t, get_name, char*,
 	return "sql";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_sql_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings, "%s.plugins.sql.database",
+									 NULL, charon->name);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "sql plugin: database URI not set");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (!this->db)
+		{
+			DBG1(DBG_CFG, "sql plugin failed to connect to database");
+			return FALSE;
+		}
+		this->config = sql_config_create(this->db);
+		this->cred = sql_cred_create(this->db);
+		this->logger = sql_logger_create(this->db);
+
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+		lib->credmgr->add_set(lib->credmgr, &this->cred->set);
+		charon->bus->add_logger(charon->bus, &this->logger->logger);
+	}
+	else
+	{
+		charon->backends->remove_backend(charon->backends,
+										 &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+		charon->bus->remove_logger(charon->bus, &this->logger->logger);
+		this->config->destroy(this->config);
+		this->cred->destroy(this->cred);
+		this->logger->destroy(this->logger);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_sql_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "sql"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_sql_plugin_t *this)
 {
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
-	charon->bus->remove_listener(charon->bus, &this->logger->listener);
-	this->config->destroy(this->config);
-	this->cred->destroy(this->cred);
-	this->logger->destroy(this->logger);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -77,41 +131,17 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *sql_plugin_create()
 {
-	char *uri;
 	private_sql_plugin_t *this;
 
-	uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "sql plugin: database URI not set");
-		return NULL;
-	}
-
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.db = lib->db->create(lib->db, uri),
 	);
 
-	if (!this->db)
-	{
-		DBG1(DBG_CFG, "sql plugin failed to connect to database");
-		free(this);
-		return NULL;
-	}
-	this->config = sql_config_create(this->db);
-	this->cred = sql_cred_create(this->db);
-	this->logger = sql_logger_create(this->db);
-
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
-	charon->bus->add_listener(charon->bus, &this->logger->listener);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index e561224e9..9509b1bd3 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -1,11 +1,13 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/stroke
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/stroke \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
--rdynamic \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\"
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-stroke.la
@@ -21,6 +23,8 @@ libstrongswan_stroke_la_SOURCES = \
 	stroke_cred.h stroke_cred.c \
 	stroke_ca.h stroke_ca.c \
 	stroke_attribute.h stroke_attribute.c \
+	stroke_handler.h stroke_handler.c \
+	stroke_counter.h stroke_counter.c \
 	stroke_list.h stroke_list.c
 
 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 60f5f535a..151e7ba69 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,56 +90,92 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_stroke_la_LIBADD =
 am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
 	stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \
-	stroke_attribute.lo stroke_list.lo
+	stroke_attribute.lo stroke_handler.lo stroke_counter.lo \
+	stroke_list.lo
 libstrongswan_stroke_la_OBJECTS =  \
 	$(am_libstrongswan_stroke_la_OBJECTS)
-libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_stroke_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_stroke_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_stroke_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_stroke_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_stroke_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_stroke_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_stroke_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,13 +347,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/stroke
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/stroke \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \
--rdynamic \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\"
+	-rdynamic
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-stroke.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-stroke.la
@@ -302,6 +368,8 @@ libstrongswan_stroke_la_SOURCES = \
 	stroke_cred.h stroke_cred.c \
 	stroke_ca.h stroke_ca.c \
 	stroke_attribute.h stroke_attribute.c \
+	stroke_handler.h stroke_handler.c \
+	stroke_counter.h stroke_counter.c \
 	stroke_list.h stroke_list.c
 
 libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
@@ -350,7 +418,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +425,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -379,8 +448,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) 
-	$(libstrongswan_stroke_la_LINK) $(am_libstrongswan_stroke_la_rpath) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
+libstrongswan-stroke.la: $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_DEPENDENCIES) $(EXTRA_libstrongswan_stroke_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_stroke_la_LINK) $(am_libstrongswan_stroke_la_rpath) $(libstrongswan_stroke_la_OBJECTS) $(libstrongswan_stroke_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -392,31 +461,33 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_ca.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_control.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_counter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -523,10 +594,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.c b/src/libcharon/plugins/stroke/stroke_attribute.c
index 1e4615e12..0f3c38986 100644
--- a/src/libcharon/plugins/stroke/stroke_attribute.c
+++ b/src/libcharon/plugins/stroke/stroke_attribute.c
@@ -17,8 +17,7 @@
 #include "stroke_attribute.h"
 
 #include <daemon.h>
-#include <attributes/mem_pool.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_stroke_attribute_t private_stroke_attribute_t;
@@ -39,12 +38,37 @@ struct private_stroke_attribute_t {
 	linked_list_t *pools;
 
 	/**
+	 * List of connection specific attributes, as attributes_t
+	 */
+	linked_list_t *attrs;
+
+	/**
 	 * rwlock to lock access to pools
 	 */
 	rwlock_t *lock;
 };
 
 /**
+ * Attributes assigned to a connection
+ */
+typedef struct {
+	/** name of the connection */
+	char *name;
+	/** list of DNS attributes, as host_t */
+	linked_list_t *dns;
+} attributes_t;
+
+/**
+ * Destroy an attributes_t entry
+ */
+static void attributes_destroy(attributes_t *this)
+{
+	this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
+	free(this->name);
+	free(this);
+}
+
+/**
  * find a pool by name
  */
 static mem_pool_t *find_pool(private_stroke_attribute_t *this, char *name)
@@ -65,88 +89,246 @@ static mem_pool_t *find_pool(private_stroke_attribute_t *this, char *name)
 	return found;
 }
 
-METHOD(attribute_provider_t, acquire_address, host_t*,
-	   private_stroke_attribute_t *this, char *name, identification_t *id,
-	   host_t *requested)
+/**
+ * Find an existing or not yet existing lease
+ */
+static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools,
+						 identification_t *id, host_t *requested,
+						 mem_pool_op_t operation)
 {
-	mem_pool_t *pool;
 	host_t *addr = NULL;
+	enumerator_t *enumerator;
+	mem_pool_t *pool;
+	char *name;
+
+	enumerator = pools->create_enumerator(pools);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		pool = find_pool(this, name);
+		if (pool)
+		{
+			addr = pool->acquire_address(pool, id, requested, operation);
+			if (addr)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return addr;
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+	private_stroke_attribute_t *this, linked_list_t *pools, identification_t *id,
+	host_t *requested)
+{
+	host_t *addr;
+
 	this->lock->read_lock(this->lock);
-	pool = find_pool(this, name);
-	if (pool)
+
+	addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING);
+	if (!addr)
 	{
-		addr = pool->acquire_address(pool, id, requested);
+		addr = find_addr(this, pools, id, requested, MEM_POOL_NEW);
+		if (!addr)
+		{
+			addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN);
+		}
 	}
+
 	this->lock->unlock(this->lock);
+
 	return addr;
 }
 
 METHOD(attribute_provider_t, release_address, bool,
-	   private_stroke_attribute_t *this, char *name, host_t *address,
-	   identification_t *id)
+	private_stroke_attribute_t *this, linked_list_t *pools, host_t *address,
+	identification_t *id)
 {
+	enumerator_t *enumerator;
 	mem_pool_t *pool;
 	bool found = FALSE;
+	char *name;
+
+	enumerator = pools->create_enumerator(pools);
 	this->lock->read_lock(this->lock);
-	pool = find_pool(this, name);
-	if (pool)
+	while (enumerator->enumerate(enumerator, &name))
 	{
-		found = pool->release_address(pool, address, id);
+		pool = find_pool(this, name);
+		if (pool)
+		{
+			found = pool->release_address(pool, address, id);
+			if (found)
+			{
+				break;
+			}
+		}
 	}
 	this->lock->unlock(this->lock);
+	enumerator->destroy(enumerator);
+
 	return found;
 }
 
-METHOD(stroke_attribute_t, add_pool, void,
-	   private_stroke_attribute_t *this, stroke_msg_t *msg)
+/**
+ * Filter function to convert host to DNS configuration attributes
+ */
+static bool attr_filter(void *lock, host_t **in,
+						configuration_attribute_type_t *type,
+						void *dummy, chunk_t *data)
 {
-	if (msg->add_conn.other.sourceip_mask)
+	host_t *host = *in;
+
+	switch (host->get_family(host))
 	{
-		mem_pool_t *pool;
-		host_t *base = NULL;
-		u_int32_t bits = 0;
+		case AF_INET:
+			*type = INTERNAL_IP4_DNS;
+			break;
+		case AF_INET6:
+			*type = INTERNAL_IP6_DNS;
+			break;
+		default:
+			return FALSE;
+	}
+	*data = host->get_address(host);
+	return TRUE;
+}
+
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+	private_stroke_attribute_t *this, linked_list_t *pools,
+	identification_t *id, linked_list_t *vips)
+{
+	ike_sa_t *ike_sa;
+	peer_cfg_t *peer_cfg;
+	enumerator_t *enumerator;
+	attributes_t *attr;
 
-		/* if %config, add an empty pool, otherwise */
-		if (msg->add_conn.other.sourceip)
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
+	{
+		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+		this->lock->read_lock(this->lock);
+		enumerator = this->attrs->create_enumerator(this->attrs);
+		while (enumerator->enumerate(enumerator, &attr))
 		{
-			DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d",
-				 msg->add_conn.name, msg->add_conn.other.sourceip,
-				 msg->add_conn.other.sourceip_mask);
-			base = host_create_from_string(msg->add_conn.other.sourceip, 0);
-			if (!base)
+			if (streq(attr->name, peer_cfg->get_name(peer_cfg)))
 			{
-				DBG1(DBG_CFG, "virtual IP address invalid, discarded");
-				return;
+				enumerator->destroy(enumerator);
+				return enumerator_create_filter(
+									attr->dns->create_enumerator(attr->dns),
+									(void*)attr_filter, this->lock,
+									(void*)this->lock->unlock);
 			}
-			bits = msg->add_conn.other.sourceip_mask;
 		}
-		pool = mem_pool_create(msg->add_conn.name, base, bits);
-		DESTROY_IF(base);
-
-		this->lock->write_lock(this->lock);
-		this->pools->insert_last(this->pools, pool);
+		enumerator->destroy(enumerator);
 		this->lock->unlock(this->lock);
 	}
+	return enumerator_create_empty();
 }
 
-METHOD(stroke_attribute_t, del_pool, void,
-	   private_stroke_attribute_t *this, stroke_msg_t *msg)
+METHOD(stroke_attribute_t, add_pool, void,
+	private_stroke_attribute_t *this, mem_pool_t *pool)
 {
 	enumerator_t *enumerator;
-	mem_pool_t *pool;
+	mem_pool_t *current;
+	host_t *base;
+	int size;
+
+	base = pool->get_base(pool);
+	size = pool->get_size(pool);
 
 	this->lock->write_lock(this->lock);
+
 	enumerator = this->pools->create_enumerator(this->pools);
-	while (enumerator->enumerate(enumerator, &pool))
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (streq(msg->del_conn.name, pool->get_name(pool)))
+		if (base && current->get_base(current) &&
+			base->ip_equals(base, current->get_base(current)) &&
+			size == current->get_size(current))
 		{
-			this->pools->remove_at(this->pools, enumerator);
+			DBG1(DBG_CFG, "reusing virtual IP address pool %s",
+				 current->get_name(current));
 			pool->destroy(pool);
+			pool = NULL;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	if (pool)
+	{
+		if (base)
+		{
+			DBG1(DBG_CFG, "adding virtual IP address pool %s",
+				 pool->get_name(pool));
+		}
+		this->pools->insert_last(this->pools, pool);
+	}
+
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stroke_attribute_t, add_dns, void,
+	private_stroke_attribute_t *this, stroke_msg_t *msg)
+{
+	if (msg->add_conn.other.dns)
+	{
+		enumerator_t *enumerator;
+		attributes_t *attr = NULL;
+		host_t *host;
+		char *token;
+
+		enumerator = enumerator_create_token(msg->add_conn.other.dns, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			host = host_create_from_string(token, 0);
+			if (host)
+			{
+				if (!attr)
+				{
+					INIT(attr,
+						.name = strdup(msg->add_conn.name),
+						.dns = linked_list_create(),
+					);
+				}
+				attr->dns->insert_last(attr->dns, host);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "ignoring invalid DNS address '%s'", token);
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (attr)
+		{
+			this->lock->write_lock(this->lock);
+			this->attrs->insert_last(this->attrs, attr);
+			this->lock->unlock(this->lock);
+		}
+	}
+}
+
+METHOD(stroke_attribute_t, del_dns, void,
+	private_stroke_attribute_t *this, stroke_msg_t *msg)
+{
+	enumerator_t *enumerator;
+	attributes_t *attr;
+
+	this->lock->write_lock(this->lock);
+
+	enumerator = this->attrs->create_enumerator(this->attrs);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		if (streq(msg->del_conn.name, attr->name))
+		{
+			this->attrs->remove_at(this->attrs, enumerator);
+			attributes_destroy(attr);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
 	this->lock->unlock(this->lock);
 }
 
@@ -158,6 +340,11 @@ static bool pool_filter(void *lock, mem_pool_t **poolp, const char **name,
 						void *d3, u_int *offline)
 {
 	mem_pool_t *pool = *poolp;
+
+	if (pool->get_size(pool) == 0)
+	{
+		return FALSE;
+	}
 	*name = pool->get_name(pool);
 	*size = pool->get_size(pool);
 	*online = pool->get_online(pool);
@@ -166,7 +353,7 @@ static bool pool_filter(void *lock, mem_pool_t **poolp, const char **name,
 }
 
 METHOD(stroke_attribute_t, create_pool_enumerator, enumerator_t*,
-	   private_stroke_attribute_t *this)
+	private_stroke_attribute_t *this)
 {
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->pools->create_enumerator(this->pools),
@@ -175,7 +362,7 @@ METHOD(stroke_attribute_t, create_pool_enumerator, enumerator_t*,
 }
 
 METHOD(stroke_attribute_t, create_lease_enumerator, enumerator_t*,
-	   private_stroke_attribute_t *this, char *name)
+	private_stroke_attribute_t *this, char *name)
 {
 	mem_pool_t *pool;
 	this->lock->read_lock(this->lock);
@@ -190,10 +377,11 @@ METHOD(stroke_attribute_t, create_lease_enumerator, enumerator_t*,
 }
 
 METHOD(stroke_attribute_t, destroy, void,
-	   private_stroke_attribute_t *this)
+	private_stroke_attribute_t *this)
 {
 	this->lock->destroy(this->lock);
 	this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
+	this->attrs->destroy_function(this->attrs, (void*)attributes_destroy);
 	free(this);
 }
 
@@ -209,15 +397,17 @@ stroke_attribute_t *stroke_attribute_create()
 			.provider = {
 				.acquire_address = _acquire_address,
 				.release_address = _release_address,
-				.create_attribute_enumerator = enumerator_create_empty,
+				.create_attribute_enumerator = _create_attribute_enumerator,
 			},
 			.add_pool = _add_pool,
-			.del_pool = _del_pool,
+			.add_dns = _add_dns,
+			.del_dns = _del_dns,
 			.create_pool_enumerator = _create_pool_enumerator,
 			.create_lease_enumerator = _create_lease_enumerator,
 			.destroy = _destroy,
 		},
 		.pools = linked_list_create(),
+		.attrs = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
 
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.h b/src/libcharon/plugins/stroke/stroke_attribute.h
index 249a9899b..f1b9d135b 100644
--- a/src/libcharon/plugins/stroke/stroke_attribute.h
+++ b/src/libcharon/plugins/stroke/stroke_attribute.h
@@ -23,6 +23,7 @@
 
 #include <stroke_msg.h>
 #include <attributes/attribute_provider.h>
+#include <attributes/mem_pool.h>
 
 typedef struct stroke_attribute_t stroke_attribute_t;
 
@@ -37,18 +38,28 @@ struct stroke_attribute_t {
 	attribute_provider_t provider;
 
 	/**
-	 * Add a virtual IP address pool.
+	 * Add a memory pool to this virtual IP backend.
 	 *
-	 * @param msg		stroke message
+	 * The pool gets owned by the provider, or destroyed if such a pool
+	 * is already registered.
+	 *
+	 * @param pool		virtual IP pool to add
+	 */
+	void (*add_pool)(stroke_attribute_t *this, mem_pool_t *pool);
+
+	/**
+	 * Add connection specific DNS servers.
+	 *
+	 * @param msg		stroke add message
 	 */
-	void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
+	void (*add_dns)(stroke_attribute_t *this, stroke_msg_t *msg);
 
 	/**
-	 * Remove a virtual IP address pool.
+	 * Remove connection specific DNS servers.
 	 *
-	 * @param msg		stroke message
+	 * @param msg		stroke del message
 	 */
-	void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
+	void (*del_dns)(stroke_attribute_t *this, stroke_msg_t *msg);
 
 	/**
 	 * Create an enumerator over installed pools.
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index bec35a661..f8026875f 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -18,7 +18,7 @@
 #include "stroke_cred.h"
 
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
 #include <daemon.h>
@@ -348,16 +348,18 @@ METHOD(stroke_ca_t, check_for_hash_and_url, void,
 	enumerator = this->sections->create_enumerator(this->sections);
 	while (enumerator->enumerate(enumerator, (void**)&section))
 	{
-		if (section->certuribase && cert->issued_by(cert, section->cert))
+		if (section->certuribase && cert->issued_by(cert, section->cert, NULL))
 		{
 			chunk_t hash, encoded;
 
 			if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
 			{
-				hasher->allocate_hash(hasher, encoded, &hash);
-				section->hashes->insert_last(section->hashes,
+				if (hasher->allocate_hash(hasher, encoded, &hash))
+				{
+					section->hashes->insert_last(section->hashes,
 						identification_create_from_encoding(ID_KEY_ID, hash));
-				chunk_free(&hash);
+					chunk_free(&hash);
+				}
 				chunk_free(&encoded);
 			}
 			break;
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 483e3d253..079e65f11 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -21,6 +21,8 @@
 #include <threading/mutex.h>
 #include <utils/lexparser.h>
 
+#include <netdb.h>
+
 typedef struct private_stroke_config_t private_stroke_config_t;
 
 /**
@@ -52,6 +54,11 @@ struct private_stroke_config_t {
 	 * credentials
 	 */
 	stroke_cred_t *cred;
+
+	/**
+	 * Virtual IP pool / DNS backend
+	 */
+	stroke_attribute_t *attributes;
 };
 
 METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
@@ -186,48 +193,51 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 {
 	stroke_end_t tmp_end;
 	ike_cfg_t *ike_cfg;
-	char *interface;
 	host_t *host;
+	u_int16_t ikeport;
 
 	host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
 	if (host)
 	{
-		interface = hydra->kernel_interface->get_interface(
-												hydra->kernel_interface, host);
-		host->destroy(host);
-		if (interface)
+		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												   host, NULL))
 		{
 			DBG2(DBG_CFG, "left is other host, swapping ends");
 			tmp_end = msg->add_conn.me;
 			msg->add_conn.me = msg->add_conn.other;
 			msg->add_conn.other = tmp_end;
-			free(interface);
+			host->destroy(host);
 		}
 		else
 		{
+			host->destroy(host);
 			host = host_create_from_dns(msg->add_conn.me.address, 0, 0);
 			if (host)
 			{
-				interface = hydra->kernel_interface->get_interface(
-												hydra->kernel_interface, host);
-				host->destroy(host);
-				if (!interface)
+				if (!hydra->kernel_interface->get_interface(
+										hydra->kernel_interface, host, NULL))
 				{
 					DBG1(DBG_CFG, "left nor right host is our side, "
 						 "assuming left=local");
 				}
-				else
-				{
-					free(interface);
-				}
-
+				host->destroy(host);
 			}
 		}
 	}
-	ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
-					msg->add_conn.force_encap,
-					msg->add_conn.me.address, msg->add_conn.me.ikeport,
-					msg->add_conn.other.address, msg->add_conn.other.ikeport);
+	ikeport = msg->add_conn.me.ikeport;
+	ikeport = (ikeport == IKEV2_UDP_PORT) ?
+			   charon->socket->get_port(charon->socket, FALSE) : ikeport;
+	ike_cfg = ike_cfg_create(msg->add_conn.version,
+							 msg->add_conn.other.sendcert != CERT_NEVER_SEND,
+							 msg->add_conn.force_encap,
+							 msg->add_conn.me.address,
+							 msg->add_conn.me.allow_any,
+							 ikeport,
+							 msg->add_conn.other.address,
+							 msg->add_conn.other.allow_any,
+							 msg->add_conn.other.ikeport,
+							 msg->add_conn.fragmentation,
+							 msg->add_conn.ikedscp);
 	add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
 	return ike_cfg;
 }
@@ -257,6 +267,103 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
 }
 
 /**
+ * Parse public key / signature strength constraints
+ */
+static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
+{
+	enumerator_t *enumerator;
+	bool rsa = FALSE, ecdsa = FALSE, rsa_len = FALSE, ecdsa_len = FALSE;
+	int strength;
+	char *token;
+
+	enumerator = enumerator_create_token(auth, "-", "");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		bool found = FALSE;
+		int i;
+		struct {
+			char *name;
+			signature_scheme_t scheme;
+			key_type_t key;
+		} schemes[] = {
+			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
+			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
+			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA224,		KEY_RSA,	},
+			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA256,		KEY_RSA,	},
+			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA384,		KEY_RSA,	},
+			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA512,		KEY_RSA,	},
+			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
+			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
+			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
+			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	},
+			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
+			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
+			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
+		};
+
+		if (rsa_len || ecdsa_len)
+		{	/* expecting a key strength token */
+			strength = atoi(token);
+			if (strength)
+			{
+				if (rsa_len)
+				{
+					cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
+				}
+				else if (ecdsa_len)
+				{
+					cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
+				}
+			}
+			rsa_len = ecdsa_len = FALSE;
+			if (strength)
+			{
+				continue;
+			}
+		}
+		if (streq(token, "rsa"))
+		{
+			rsa = rsa_len = TRUE;
+			continue;
+		}
+		if (streq(token, "ecdsa"))
+		{
+			ecdsa = ecdsa_len = TRUE;
+			continue;
+		}
+		if (streq(token, "pubkey"))
+		{
+			continue;
+		}
+
+		for (i = 0; i < countof(schemes); i++)
+		{
+			if (streq(schemes[i].name, token))
+			{
+				/* for each matching string, allow the scheme, if:
+				 * - it is an RSA scheme, and we enforced RSA
+				 * - it is an ECDSA scheme, and we enforced ECDSA
+				 * - it is not a key type specific scheme
+				 */
+				if ((rsa && schemes[i].key == KEY_RSA) ||
+					(ecdsa && schemes[i].key == KEY_ECDSA) ||
+					(!rsa && !ecdsa))
+				{
+					cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
+							 (uintptr_t)schemes[i].scheme);
+				}
+				found = TRUE;
+			}
+		}
+		if (!found)
+		{
+			DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
  * build authentication config
  */
 static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
@@ -264,10 +371,10 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 {
 	identification_t *identity;
 	certificate_t *certificate;
-	char *auth, *id, *pubkey, *cert, *ca;
+	char *auth, *id, *pubkey, *cert, *ca, *groups;
 	stroke_end_t *end, *other_end;
 	auth_cfg_t *cfg;
-	char eap_buf[32];
+	bool loose = FALSE;
 
 	/* select strings */
 	if (local)
@@ -310,52 +417,17 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			ca = other_end->ca2;
 		}
 	}
+	if (id && *id == '%' && !streq(id, "%any") && !streq(id, "%any6"))
+	{	/* has only an effect on rightid/2 */
+		loose = !local;
+		id++;
+	}
 
 	if (!auth)
 	{
 		if (primary)
 		{
-			if (local)
-			{	/* "leftauth" not defined, fall back to deprecated "authby" */
-				switch (msg->add_conn.auth_method)
-				{
-					default:
-					case AUTH_CLASS_PUBKEY:
-						auth = "pubkey";
-						break;
-					case AUTH_CLASS_PSK:
-						auth = "psk";
-						break;
-					case AUTH_CLASS_EAP:
-						auth = "eap";
-						break;
-					case AUTH_CLASS_ANY:
-						auth = "any";
-						break;
-				}
-			}
-			else
-			{	/* "rightauth" not defined, fall back to deprecated "eap" */
-				if (msg->add_conn.eap_type)
-				{
-					if (msg->add_conn.eap_vendor)
-					{
-						snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d",
-								 msg->add_conn.eap_type,
-								 msg->add_conn.eap_vendor);
-					}
-					else
-					{
-						snprintf(eap_buf, sizeof(eap_buf), "eap-%d",
-								 msg->add_conn.eap_type);
-					}
-					auth = eap_buf;
-				}
-				else
-				{	/* not EAP => no constraints for this peer */
-					auth = "any";
-				}
-			}
+			auth = "pubkey";
 		}
 		else
 		{	/* no second authentication round, fine. But load certificates
@@ -374,43 +446,69 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 
 	cfg = auth_cfg_create();
 
-	/* add identity and peer certifcate */
+	/* add identity and peer certificate */
 	identity = identification_create_from_string(id);
 	if (cert)
 	{
-		certificate = this->cred->load_peer(this->cred, cert);
-		if (certificate)
+		enumerator_t *enumerator;
+		bool has_subject = FALSE;
+		certificate_t *first = NULL;
+
+		enumerator = enumerator_create_token(cert, ",", " ");
+		while (enumerator->enumerate(enumerator, &cert))
 		{
-			if (local)
-			{
-				this->ca->check_for_hash_and_url(this->ca, certificate);
-			}
-			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
-			if (identity->get_type(identity) == ID_ANY ||
-				!certificate->has_subject(certificate, identity))
+			certificate = this->cred->load_peer(this->cred, cert);
+			if (certificate)
 			{
-				DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
-					 "defaulting to '%Y'", identity,
-					 certificate->get_subject(certificate));
-				identity->destroy(identity);
-				identity = certificate->get_subject(certificate);
-				identity = identity->clone(identity);
+				if (local)
+				{
+					this->ca->check_for_hash_and_url(this->ca, certificate);
+				}
+				cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+				if (!first)
+				{
+					first = certificate;
+				}
+				if (identity->get_type(identity) != ID_ANY &&
+					certificate->has_subject(certificate, identity))
+				{
+					has_subject = TRUE;
+				}
 			}
 		}
-	}
-	cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+		enumerator->destroy(enumerator);
 
+		if (first && !has_subject)
+		{
+			DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
+				 "defaulting to '%Y'", identity, first->get_subject(first));
+			identity->destroy(identity);
+			identity = first->get_subject(first);
+			identity = identity->clone(identity);
+		}
+	}
 	/* add raw RSA public key */
 	pubkey = end->rsakey;
 	if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
 	{
-		certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
-											  identity);
+		certificate = this->cred->load_pubkey(this->cred, pubkey, identity);
 		if (certificate)
 		{
 			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
 		}
 	}
+	if (identity->get_type(identity) != ID_ANY)
+	{
+		cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+		if (loose)
+		{
+			cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+		}
+	}
+	else
+	{
+		identity->destroy(identity);
+	}
 
 	/* CA constraint */
 	if (ca)
@@ -431,12 +529,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 
 	/* groups */
-	if (end->groups)
+	groups = primary ? end->groups : end->groups2;
+	if (groups)
 	{
 		enumerator_t *enumerator;
 		char *group;
 
-		enumerator = enumerator_create_token(end->groups, ",", " ");
+		enumerator = enumerator_create_token(groups, ",", " ");
 		while (enumerator->enumerate(enumerator, &group))
 		{
 			cfg->add(cfg, AUTH_RULE_GROUP,
@@ -460,75 +559,51 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 
 	/* authentication metod (class, actually) */
-	if (streq(auth, "pubkey") ||
-		strneq(auth, "rsa", strlen("rsa")) ||
-		strneq(auth, "ecdsa", strlen("ecdsa")))
+	if (strpfx(auth, "pubkey") ||
+		strpfx(auth, "rsa") ||
+		strpfx(auth, "ecdsa"))
 	{
-		u_int strength;
-
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
 
-		if (sscanf(auth, "rsa-%d", &strength) == 1)
-		{
-			cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
-		}
-		if (sscanf(auth, "ecdsa-%d", &strength) == 1)
-		{
-			cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
-		}
+		parse_pubkey_constraints(auth, cfg);
 	}
 	else if (streq(auth, "psk") || streq(auth, "secret"))
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
 	}
-	else if (strneq(auth, "eap", 3))
+	else if (strpfx(auth, "xauth"))
 	{
-		enumerator_t *enumerator;
-		char *str;
-		int i = 0, type = 0, vendor;
+		char *pos;
+
+		pos = strchr(auth, '-');
+		if (pos)
+		{
+			cfg->add(cfg, AUTH_RULE_XAUTH_BACKEND, strdup(++pos));
+		}
+		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH);
+		if (msg->add_conn.xauth_identity)
+		{
+			cfg->add(cfg, AUTH_RULE_XAUTH_IDENTITY,
+				identification_create_from_string(msg->add_conn.xauth_identity));
+		}
+	}
+	else if (strpfx(auth, "eap"))
+	{
+		eap_vendor_type_t *type;
 
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
 
-		/* parse EAP string, format: eap[-type[-vendor]] */
-		enumerator = enumerator_create_token(auth, "-", " ");
-		while (enumerator->enumerate(enumerator, &str))
+		type = eap_vendor_type_from_string(auth);
+		if (type)
 		{
-			switch (i)
+			cfg->add(cfg, AUTH_RULE_EAP_TYPE, type->type);
+			if (type->vendor)
 			{
-				case 1:
-					type = eap_type_from_string(str);
-					if (!type)
-					{
-						type = atoi(str);
-						if (!type)
-						{
-							DBG1(DBG_CFG, "unknown EAP method: %s", str);
-							break;
-						}
-					}
-					cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-					break;
-				case 2:
-					if (type)
-					{
-						vendor = atoi(str);
-						if (vendor)
-						{
-							cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-						}
-						else
-						{
-							DBG1(DBG_CFG, "unknown EAP vendor: %s", str);
-						}
-					}
-					break;
-				default:
-					break;
+				cfg->add(cfg, AUTH_RULE_EAP_VENDOR, type->vendor);
 			}
-			i++;
+			free(type);
 		}
-		enumerator->destroy(enumerator);
 
 		if (msg->add_conn.eap_identity)
 		{
@@ -570,7 +645,6 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 {
 	identification_t *peer_id = NULL;
 	peer_cfg_t *mediated_by = NULL;
-	host_t *vip = NULL;
 	unique_policy_t unique;
 	u_int32_t rekey = 0, reauth = 0, over, jitter;
 	peer_cfg_t *peer_cfg;
@@ -629,38 +703,6 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	{
 		rekey = msg->add_conn.rekey.ike_lifetime - over;
 	}
-	if (msg->add_conn.me.sourceip_mask)
-	{
-		if (msg->add_conn.me.sourceip)
-		{
-			vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
-		}
-		if (!vip)
-		{	/* if it is set to something like %poolname, request an address */
-			if (msg->add_conn.me.subnets)
-			{	/* use the same address as in subnet, if any */
-				if (strchr(msg->add_conn.me.subnets, '.'))
-				{
-					vip = host_create_any(AF_INET);
-				}
-				else
-				{
-					vip = host_create_any(AF_INET6);
-				}
-			}
-			else
-			{
-				if (strchr(ike_cfg->get_my_addr(ike_cfg), ':'))
-				{
-					vip = host_create_any(AF_INET6);
-				}
-				else
-				{
-					vip = host_create_any(AF_INET);
-				}
-			}
-		}
-	}
 	switch (msg->add_conn.unique)
 	{
 		case 1: /* yes */
@@ -670,6 +712,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		case 3: /* keep */
 			unique = UNIQUE_KEEP;
 			break;
+		case 4: /* never */
+			unique = UNIQUE_NEVER;
+			break;
 		default: /* no */
 			unique = UNIQUE_NO;
 			break;
@@ -682,15 +727,131 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	/* other.sourceip is managed in stroke_attributes. If it is set, we define
 	 * the pool name as the connection name, which the attribute provider
 	 * uses to serve pool addresses. */
-	peer_cfg = peer_cfg_create(msg->add_conn.name,
-		msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
+	peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg,
 		msg->add_conn.me.sendcert, unique,
 		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
-		msg->add_conn.mobike, msg->add_conn.dpd.delay,
-		vip, msg->add_conn.other.sourceip_mask ?
-							msg->add_conn.name : msg->add_conn.other.sourceip,
+		msg->add_conn.mobike, msg->add_conn.aggressive,
+		msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
 		msg->add_conn.ikeme.mediation, mediated_by, peer_id);
 
+	if (msg->add_conn.other.sourceip)
+	{
+		enumerator_t *enumerator;
+		char *token;
+
+		enumerator = enumerator_create_token(msg->add_conn.other.sourceip,
+											 ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
+				streq(token, "%config") || streq(token, "%cfg") ||
+				streq(token, "%config4") || streq(token, "%config6"))
+			{
+				/* empty pool, uses connection name */
+				this->attributes->add_pool(this->attributes,
+								mem_pool_create(msg->add_conn.name, NULL, 0));
+				peer_cfg->add_pool(peer_cfg, msg->add_conn.name);
+			}
+			else if (*token == '%')
+			{
+				/* external named pool */
+				peer_cfg->add_pool(peer_cfg, token + 1);
+			}
+			else
+			{
+				/* in-memory pool, named using CIDR notation */
+				host_t *base;
+				int bits;
+
+				base = host_create_from_subnet(token, &bits);
+				if (base)
+				{
+					this->attributes->add_pool(this->attributes,
+										mem_pool_create(token, base, bits));
+					peer_cfg->add_pool(peer_cfg, token);
+					base->destroy(base);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "IP pool %s invalid, ignored", token);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (msg->add_conn.me.sourceip)
+	{
+		enumerator_t *enumerator;
+		char *token;
+
+		enumerator = enumerator_create_token(msg->add_conn.me.sourceip, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			host_t *vip = NULL;
+
+			if (streq(token, "%modeconfig") || streq(token, "%modecfg") ||
+				streq(token, "%config") || streq(token, "%cfg"))
+			{	/* try to deduce an address family */
+				if (msg->add_conn.me.subnets)
+				{	/* use the same family as in local subnet, if any */
+					if (strchr(msg->add_conn.me.subnets, '.'))
+					{
+						vip = host_create_any(AF_INET);
+					}
+					else
+					{
+						vip = host_create_any(AF_INET6);
+					}
+				}
+				else if (msg->add_conn.other.subnets)
+				{	/* use the same family as in remote subnet, if any */
+					if (strchr(msg->add_conn.other.subnets, '.'))
+					{
+						vip = host_create_any(AF_INET);
+					}
+					else
+					{
+						vip = host_create_any(AF_INET6);
+					}
+				}
+				else
+				{
+					if (strchr(ike_cfg->get_my_addr(ike_cfg, NULL), ':'))
+					{
+						vip = host_create_any(AF_INET6);
+					}
+					else
+					{
+						vip = host_create_any(AF_INET);
+					}
+				}
+			}
+			else if (streq(token, "%config4"))
+			{
+				vip = host_create_any(AF_INET);
+			}
+			else if (streq(token, "%config6"))
+			{
+				vip = host_create_any(AF_INET6);
+			}
+			else
+			{
+				vip = host_create_from_string(token, 0);
+				if (vip)
+				{
+					DBG1(DBG_CFG, "ignored invalid subnet token: %s", token);
+				}
+			}
+
+			if (vip)
+			{
+				peer_cfg->add_virtual_ip(peer_cfg, vip);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	/* build leftauth= */
 	auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
 	if (auth_cfg)
@@ -724,6 +885,96 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 }
 
 /**
+ * Parse a protoport specifier
+ */
+static bool parse_protoport(char *token, u_int16_t *from_port,
+							u_int16_t *to_port, u_int8_t *protocol)
+{
+	char *sep, *port = "", *endptr;
+	struct protoent *proto;
+	struct servent *svc;
+	long int p;
+
+	sep = strrchr(token, ']');
+	if (!sep)
+	{
+		return FALSE;
+	}
+	*sep = '\0';
+
+	sep = strchr(token, '/');
+	if (sep)
+	{	/* protocol/port */
+		*sep = '\0';
+		port = sep + 1;
+	}
+
+	if (streq(token, "%any"))
+	{
+		*protocol = 0;
+	}
+	else
+	{
+		proto = getprotobyname(token);
+		if (proto)
+		{
+			*protocol = proto->p_proto;
+		}
+		else
+		{
+			p = strtol(token, &endptr, 0);
+			if ((*token && *endptr) || p < 0 || p > 0xff)
+			{
+				return FALSE;
+			}
+			*protocol = (u_int8_t)p;
+		}
+	}
+	if (streq(port, "%any"))
+	{
+		*from_port = 0;
+		*to_port = 0xffff;
+	}
+	else if (streq(port, "%opaque"))
+	{
+		*from_port = 0xffff;
+		*to_port = 0;
+	}
+	else if (*port)
+	{
+		svc = getservbyname(port, NULL);
+		if (svc)
+		{
+			*from_port = *to_port = ntohs(svc->s_port);
+		}
+		else
+		{
+			p = strtol(port, &endptr, 0);
+			if (p < 0 || p > 0xffff)
+			{
+				return FALSE;
+			}
+			*from_port = p;
+			if (*endptr == '-')
+			{
+				port = endptr + 1;
+				p = strtol(port, &endptr, 0);
+				if (p < 0 || p > 0xffff)
+				{
+					return FALSE;
+				}
+			}
+			*to_port = p;
+			if (*endptr)
+			{
+				return FALSE;
+			}
+		}
+	}
+	return TRUE;
+}
+
+/**
  * build a traffic selector from a stroke_end
  */
 static void add_ts(private_stroke_config_t *this,
@@ -734,58 +985,68 @@ static void add_ts(private_stroke_config_t *this,
 	if (end->tohost)
 	{
 		ts = traffic_selector_create_dynamic(end->protocol,
-					end->port ? end->port : 0, end->port ? end->port : 65535);
+											 end->from_port, end->to_port);
 		child_cfg->add_traffic_selector(child_cfg, local, ts);
 	}
 	else
 	{
-		host_t *net;
-
 		if (!end->subnets)
 		{
+			host_t *net;
+
 			net = host_create_from_string(end->address, 0);
 			if (net)
 			{
 				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-														 end->port);
+												end->from_port, end->to_port);
 				child_cfg->add_traffic_selector(child_cfg, local, ts);
 			}
 		}
 		else
 		{
-			char *del, *start, *bits;
+			enumerator_t *enumerator;
+			char *subnet, *pos;
+			u_int16_t from_port, to_port;
+			u_int8_t proto;
 
-			start = end->subnets;
-			do
+			enumerator = enumerator_create_token(end->subnets, ",", " ");
+			while (enumerator->enumerate(enumerator, &subnet))
 			{
-				int intbits = 0;
+				from_port = end->from_port;
+				to_port = end->to_port;
+				proto = end->protocol;
 
-				del = strchr(start, ',');
-				if (del)
+				pos = strchr(subnet, '[');
+				if (pos)
 				{
-					*del = '\0';
+					*(pos++) = '\0';
+					if (!parse_protoport(pos, &from_port, &to_port, &proto))
+					{
+						DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
+							 pos);
+						continue;
+					}
 				}
-				bits = strchr(start, '/');
-				if (bits)
+				if (streq(subnet, "%dynamic"))
 				{
-					*bits = '\0';
-					intbits = atoi(bits + 1);
+					ts = traffic_selector_create_dynamic(proto,
+														 from_port, to_port);
 				}
-
-				net = host_create_from_string(start, 0);
-				if (net)
+				else
+				{
+					ts = traffic_selector_create_from_cidr(subnet, proto,
+														   from_port, to_port);
+				}
+				if (ts)
 				{
-					ts = traffic_selector_create_from_subnet(net, intbits,
-												end->protocol, end->port);
 					child_cfg->add_traffic_selector(child_cfg, local, ts);
 				}
 				else
 				{
-					DBG1(DBG_CFG, "invalid subnet: %s, skipped", start);
+					DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
 				}
-				start = del + 1;
 			}
-			while (del);
+			enumerator->destroy(enumerator);
 		}
 	}
 }
@@ -1029,8 +1290,8 @@ METHOD(stroke_config_t, set_user_credentials, void,
 		return;
 	}
 
-	/* replace/set the username in the first EAP auth_cfg, also look for a
-	 * suitable remote ID.
+	/* replace/set the username in the first EAP/XAuth auth_cfg, also look for
+	 * a suitable remote ID.
 	 * note that adding the identity here is not fully thread-safe as the
 	 * peer_cfg and in turn the auth_cfg could be in use. for the default use
 	 * case (setting user credentials before upping the connection) this will
@@ -1049,16 +1310,25 @@ METHOD(stroke_config_t, set_user_credentials, void,
 		}
 
 		auth_class = (uintptr_t)auth_cfg->get(auth_cfg, AUTH_RULE_AUTH_CLASS);
-		if (auth_class == AUTH_CLASS_EAP)
+		if (auth_class == AUTH_CLASS_EAP || auth_class == AUTH_CLASS_XAUTH)
 		{
-			auth_cfg->add(auth_cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
-			/* if aaa_identity is specified use that as remote ID */
-			identity = auth_cfg->get(auth_cfg, AUTH_RULE_AAA_IDENTITY);
-			if (identity && identity->get_type(identity) != ID_ANY)
+			if (auth_class == AUTH_CLASS_EAP)
 			{
-				gw = identity;
+				auth_cfg->add(auth_cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
+				/* if aaa_identity is specified use that as remote ID */
+				identity = auth_cfg->get(auth_cfg, AUTH_RULE_AAA_IDENTITY);
+				if (identity && identity->get_type(identity) != ID_ANY)
+				{
+					gw = identity;
+				}
+				DBG1(DBG_CFG, "  configured EAP-Identity %Y", id);
+			}
+			else
+			{
+				auth_cfg->add(auth_cfg, AUTH_RULE_XAUTH_IDENTITY,
+							  id->clone(id));
+				DBG1(DBG_CFG, "  configured XAuth username %Y", id);
 			}
-			DBG1(DBG_CFG, "  configured EAP-Identity %Y", id);
 			type = SHARED_EAP;
 			break;
 		}
@@ -1149,7 +1419,8 @@ METHOD(stroke_config_t, destroy, void,
 /*
  * see header file
  */
-stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
+stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred,
+									  stroke_attribute_t *attributes)
 {
 	private_stroke_config_t *this;
 
@@ -1169,8 +1440,8 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
 		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
 		.ca = ca,
 		.cred = cred,
+		.attributes = attributes,
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_config.h b/src/libcharon/plugins/stroke/stroke_config.h
index 450d517f3..894e03ce4 100644
--- a/src/libcharon/plugins/stroke/stroke_config.h
+++ b/src/libcharon/plugins/stroke/stroke_config.h
@@ -26,6 +26,7 @@
 #include <stroke_msg.h>
 #include "stroke_ca.h"
 #include "stroke_cred.h"
+#include "stroke_attribute.h"
 
 typedef struct stroke_config_t stroke_config_t;
 
@@ -71,6 +72,7 @@ struct stroke_config_t {
 /**
  * Create a stroke_config instance.
  */
-stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred);
+stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred,
+									  stroke_attribute_t *attributes);
 
 #endif /** STROKE_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 729e9d757..fdd1635a6 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -33,6 +33,11 @@ struct private_stroke_control_t {
 	 * public functions
 	 */
 	stroke_control_t public;
+
+	/**
+	 * Timeout for stroke commands, im ms
+	 */
+	u_int timeout;
 };
 
 
@@ -58,11 +63,11 @@ struct stroke_log_info_t {
  * logging to the stroke interface
  */
 static bool stroke_log(stroke_log_info_t *info, debug_t group, level_t level,
-					   ike_sa_t *ike_sa, char *format, va_list args)
+					   ike_sa_t *ike_sa, char *message)
 {
 	if (level <= info->level)
 	{
-		if (vfprintf(info->out, format, args) < 0 ||
+		if (fprintf(info->out, "%s", message) < 0 ||
 			fprintf(info->out, "\n") < 0 ||
 			fflush(info->out) != 0)
 		{
@@ -97,8 +102,8 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 /**
  * call the charon controller to initiate the connection
  */
-static void charon_initiate(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-							stroke_msg_t *msg, FILE *out)
+static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg,
+							child_cfg_t *child_cfg, stroke_msg_t *msg, FILE *out)
 {
 	if (msg->output_verbosity < 0)
 	{
@@ -108,9 +113,27 @@ static void charon_initiate(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	else
 	{
 		stroke_log_info_t info = { msg->output_verbosity, out };
+		status_t status;
 
-		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 (controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->initiate(charon->controller,
+							peer_cfg, child_cfg, (controller_cb_t)stroke_log,
+							&info, this->timeout);
+		switch (status)
+		{
+			case SUCCESS:
+				fprintf(out, "connection '%s' established successfully\n",
+						msg->initiate.name);
+				break;
+			case OUT_OF_RES:
+				fprintf(out, "connection '%s' not established after %dms, "
+						"detaching\n", msg->initiate.name, this->timeout);
+				break;
+			default:
+			case FAILED:
+				fprintf(out, "establishing connection '%s' failed\n",
+						msg->initiate.name);
+				break;
+		}
 	}
 }
 
@@ -126,14 +149,6 @@ METHOD(stroke_control_t, initiate, void,
 													  msg->initiate.name);
 	if (peer_cfg)
 	{
-		if (peer_cfg->get_ike_version(peer_cfg) != 2)
-		{
-			DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
-				 peer_cfg->get_ike_version(peer_cfg));
-			peer_cfg->destroy(peer_cfg);
-			return;
-		}
-
 		child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
 		if (child_cfg == NULL)
 		{
@@ -141,7 +156,7 @@ METHOD(stroke_control_t, initiate, void,
 			while (enumerator->enumerate(enumerator, &child_cfg))
 			{
 				empty = FALSE;
-				charon_initiate(peer_cfg->get_ref(peer_cfg),
+				charon_initiate(this, peer_cfg->get_ref(peer_cfg),
 								child_cfg->get_ref(child_cfg), msg, out);
 			}
 			enumerator->destroy(enumerator);
@@ -157,14 +172,10 @@ METHOD(stroke_control_t, initiate, void,
 	}
 	else
 	{
-		enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-													NULL, NULL, NULL, NULL);
+		enumerator = charon->backends->create_peer_cfg_enumerator(
+							charon->backends, NULL, NULL, NULL, NULL, IKE_ANY);
 		while (enumerator->enumerate(enumerator, &peer_cfg))
 		{
-			if (peer_cfg->get_ike_version(peer_cfg) != 2)
-			{
-				continue;
-			}
 			child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
 			if (child_cfg)
 			{
@@ -181,7 +192,7 @@ METHOD(stroke_control_t, initiate, void,
 			return;
 		}
 	}
-	charon_initiate(peer_cfg, child_cfg, msg, out);
+	charon_initiate(this, peer_cfg, child_cfg, msg, out);
 }
 
 /**
@@ -251,6 +262,41 @@ static bool parse_specifier(char *string, u_int32_t *id,
 	return TRUE;
 }
 
+/**
+ * Report the result of a terminate() call to console
+ */
+static void report_terminate_status(private_stroke_control_t *this,
+						status_t status, FILE *out, u_int32_t id, bool child)
+{
+	char *prefix, *postfix;
+
+	if (child)
+	{
+		prefix = "CHILD_SA {";
+		postfix = "}";
+	}
+	else
+	{
+		prefix = "IKE_SA [";
+		postfix = "]";
+	}
+
+	switch (status)
+	{
+		case SUCCESS:
+			fprintf(out, "%s%d%s closed successfully\n", prefix, id, postfix);
+			break;
+		case OUT_OF_RES:
+			fprintf(out, "%s%d%s not closed after %dms, detaching\n",
+					prefix, id, postfix, this->timeout);
+			break;
+		default:
+		case FAILED:
+			fprintf(out, "closing %s%d%s failed\n", prefix, id, postfix);
+			break;
+	}
+}
+
 METHOD(stroke_control_t, terminate, void,
 	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
@@ -262,6 +308,7 @@ METHOD(stroke_control_t, terminate, void,
 	linked_list_t *ike_list, *child_list;
 	stroke_log_info_t info;
 	uintptr_t del;
+	status_t status;
 
 	if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all))
 	{
@@ -276,15 +323,15 @@ METHOD(stroke_control_t, terminate, void,
 	{
 		if (child)
 		{
-			charon->controller->terminate_child(charon->controller, id,
-									(controller_cb_t)stroke_log, &info, 0);
+			status = charon->controller->terminate_child(charon->controller, id,
+							(controller_cb_t)stroke_log, &info, this->timeout);
 		}
 		else
 		{
-			charon->controller->terminate_ike(charon->controller, id,
-									(controller_cb_t)stroke_log, &info, 0);
+			status = charon->controller->terminate_ike(charon->controller, id,
+							(controller_cb_t)stroke_log, &info, this->timeout);
 		}
-		return;
+		return report_terminate_status(this, status, out, id, child);
 	}
 
 	ike_list = linked_list_create();
@@ -332,16 +379,18 @@ METHOD(stroke_control_t, terminate, void,
 	enumerator = child_list->create_enumerator(child_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		charon->controller->terminate_child(charon->controller, del,
-									(controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->terminate_child(charon->controller, del,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		report_terminate_status(this, status, out, del, TRUE);
 	}
 	enumerator->destroy(enumerator);
 
 	enumerator = ike_list->create_enumerator(ike_list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		charon->controller->terminate_ike(charon->controller, del,
-									(controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->terminate_ike(charon->controller, del,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		report_terminate_status(this, status, out, del, FALSE);
 	}
 	enumerator->destroy(enumerator);
 
@@ -419,10 +468,10 @@ METHOD(stroke_control_t, rekey, void,
 METHOD(stroke_control_t, terminate_srcip, void,
 	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
-	enumerator_t *enumerator;
+	enumerator_t *enumerator, *vips;
 	ike_sa_t *ike_sa;
 	host_t *start = NULL, *end = NULL, *vip;
-	chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
+	chunk_t chunk_start, chunk_end = chunk_empty, chunk;
 
 	if (msg->terminate_srcip.start)
 	{
@@ -450,33 +499,40 @@ METHOD(stroke_control_t, terminate_srcip, void,
 													charon->controller, TRUE);
 	while (enumerator->enumerate(enumerator, &ike_sa))
 	{
-		vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
-		if (!vip)
-		{
-			continue;
-		}
-		if (!end)
+		bool match = FALSE;
+
+		vips = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+		while (vips->enumerate(vips, &vip))
 		{
-			if (!vip->ip_equals(vip, start))
+			if (!end)
 			{
-				continue;
+				if (vip->ip_equals(vip, start))
+				{
+					match = TRUE;
+					break;
+				}
 			}
-		}
-		else
-		{
-			chunk_vip = vip->get_address(vip);
-			if (chunk_vip.len != chunk_start.len ||
-				chunk_vip.len != chunk_end.len ||
-				memcmp(chunk_vip.ptr, chunk_start.ptr, chunk_vip.len) < 0 ||
-				memcmp(chunk_vip.ptr, chunk_end.ptr, chunk_vip.len) > 0)
+			else
 			{
-				continue;
+				chunk = vip->get_address(vip);
+				if (chunk.len == chunk_start.len &&
+					chunk.len == chunk_end.len &&
+					memcmp(chunk.ptr, chunk_start.ptr, chunk.len) >= 0 &&
+					memcmp(chunk.ptr, chunk_end.ptr, chunk.len) <= 0)
+				{
+					match = TRUE;
+					break;
+				}
 			}
 		}
+		vips->destroy(vips);
 
-		/* schedule delete asynchronously */
-		lib->processor->queue_job(lib->processor, (job_t*)
+		if (match)
+		{
+			/* schedule delete asynchronously */
+			lib->processor->queue_job(lib->processor, (job_t*)
 						delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
+		}
 	}
 	enumerator->destroy(enumerator);
 	start->destroy(start);
@@ -492,6 +548,7 @@ METHOD(stroke_control_t, purge_ike, void,
 	linked_list_t *list;
 	uintptr_t del;
 	stroke_log_info_t info;
+	status_t status;
 
 	info.out = out;
 	info.level = msg->output_verbosity;
@@ -514,8 +571,9 @@ METHOD(stroke_control_t, purge_ike, void,
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &del))
 	{
-		charon->controller->terminate_ike(charon->controller, del,
-									(controller_cb_t)stroke_log, &info, 0);
+		status = charon->controller->terminate_ike(charon->controller, del,
+							(controller_cb_t)stroke_log, &info, this->timeout);
+		report_terminate_status(this, status, out, del, TRUE);
 	}
 	enumerator->destroy(enumerator);
 	list->destroy(list);
@@ -545,7 +603,7 @@ static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	}
 	else
 	{
-		if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
+		if (charon->traps->install(charon->traps, peer_cfg, child_cfg, 0))
 		{
 			fprintf(out, "'%s' routed\n", name);
 		}
@@ -568,14 +626,6 @@ METHOD(stroke_control_t, route, void,
 													  msg->route.name);
 	if (peer_cfg)
 	{
-		if (peer_cfg->get_ike_version(peer_cfg) != 2)
-		{
-			DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
-				 peer_cfg->get_ike_version(peer_cfg));
-			peer_cfg->destroy(peer_cfg);
-			return;
-		}
-
 		child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
 		if (child_cfg == NULL)
 		{
@@ -599,14 +649,10 @@ METHOD(stroke_control_t, route, void,
 	}
 	else
 	{
-		enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-													NULL, NULL, NULL, NULL);
+		enumerator = charon->backends->create_peer_cfg_enumerator(
+							charon->backends, NULL, NULL, NULL, NULL, IKE_ANY);
 		while (enumerator->enumerate(enumerator, &peer_cfg))
 		{
-			if (peer_cfg->get_ike_version(peer_cfg) != 2)
-			{
-				continue;
-			}
 			child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
 			if (child_cfg)
 			{
@@ -687,8 +733,9 @@ stroke_control_t *stroke_control_create()
 			.unroute = _unroute,
 			.destroy = _destroy,
 		},
+		.timeout = lib->settings->get_int(lib->settings,
+								"%s.plugins.stroke.timeout", 0, charon->name),
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c
new file mode 100644
index 000000000..5fa1fb165
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_counter.c
@@ -0,0 +1,464 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_counter.h"
+
+#include <threading/spinlock.h>
+#include <collections/hashtable.h>
+
+ENUM(stroke_counter_type_names,
+	COUNTER_INIT_IKE_SA_REKEY, COUNTER_OUT_INFORMATIONAL_RSP,
+	"ikeInitRekey",
+	"ikeRspRekey",
+	"ikeChildSaRekey",
+	"ikeInInvalid",
+	"ikeInInvalidSpi",
+	"ikeInInitReq",
+	"ikeInInitRsp",
+	"ikeOutInitReq",
+	"ikeOutInitRsp",
+	"ikeInAuthReq",
+	"ikeInAuthRsp",
+	"ikeOutAuthReq",
+	"ikeOutAuthRsp",
+	"ikeInCrChildReq",
+	"ikeInCrChildRsp",
+	"ikeOutCrChildReq",
+	"ikeOutCrChildRsp",
+	"ikeInInfoReq",
+	"ikeInInfoRsp",
+	"ikeOutInfoReq",
+	"ikeOutInfoRsp",
+);
+
+typedef struct private_stroke_counter_t private_stroke_counter_t;
+
+/**
+ * Private data of an stroke_counter_t object.
+ */
+struct private_stroke_counter_t {
+
+	/**
+	 * Public stroke_counter_t interface.
+	 */
+	stroke_counter_t public;
+
+	/**
+	 * Global counter values
+	 */
+	u_int64_t counter[COUNTER_MAX];
+
+	/**
+	 * Counters for specific connection names, char* => entry_t
+	 */
+	hashtable_t *conns;
+
+	/**
+	 * Lock for counter values
+	 */
+	spinlock_t *lock;
+};
+
+/**
+ * Counters for a specific connection name
+ */
+typedef struct {
+	/** connection name */
+	char *name;
+	/** counter values for connection */
+	u_int64_t counter[COUNTER_MAX];
+} entry_t;
+
+/**
+ * Destroy named entry
+ */
+static void destroy_entry(entry_t *this)
+{
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(char *name)
+{
+	return chunk_hash(chunk_from_str(name));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(char *a, char *b)
+{
+	return streq(a, b);
+}
+
+/**
+ * Get the name of an IKE_SA, but return NULL if it is not known yet
+ */
+static char *get_ike_sa_name(ike_sa_t *ike_sa)
+{
+	peer_cfg_t *peer_cfg;
+
+	if (ike_sa)
+	{
+		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+		if (peer_cfg)
+		{
+			return peer_cfg->get_name(peer_cfg);
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Increase a counter for a named entry
+ */
+static void count_named(private_stroke_counter_t *this,
+						ike_sa_t *ike_sa, stroke_counter_type_t type)
+{
+	entry_t *entry;
+	char *name;
+
+	name = get_ike_sa_name(ike_sa);
+	if (name)
+	{
+		entry = this->conns->get(this->conns, name);
+		if (!entry)
+		{
+			INIT(entry,
+				.name = strdup(name),
+			);
+			this->conns->put(this->conns, entry->name, entry);
+		}
+		entry->counter[type]++;
+	}
+}
+
+METHOD(listener_t, alert, bool,
+	private_stroke_counter_t *this, ike_sa_t *ike_sa,
+	alert_t alert, va_list args)
+{
+	stroke_counter_type_t type;
+
+	switch (alert)
+	{
+		case ALERT_INVALID_IKE_SPI:
+			type = COUNTER_IN_INVALID_IKE_SPI;
+			break;
+		case ALERT_PARSE_ERROR_HEADER:
+		case ALERT_PARSE_ERROR_BODY:
+			type = COUNTER_IN_INVALID;
+			break;
+		default:
+			return TRUE;
+	}
+
+	this->lock->lock(this->lock);
+	this->counter[type]++;
+	count_named(this, ike_sa, type);
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	private_stroke_counter_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	stroke_counter_type_t type;
+	ike_sa_id_t *id;
+
+	id = new->get_id(new);
+	if (id->is_initiator(id))
+	{
+		type = COUNTER_INIT_IKE_SA_REKEY;
+	}
+	else
+	{
+		type = COUNTER_RESP_IKE_SA_REKEY;
+	}
+
+	this->lock->lock(this->lock);
+	this->counter[type]++;
+	count_named(this, old, type);
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(listener_t, child_rekey, bool,
+	private_stroke_counter_t *this, ike_sa_t *ike_sa,
+	child_sa_t *old, child_sa_t *new)
+{
+	this->lock->lock(this->lock);
+	this->counter[COUNTER_CHILD_SA_REKEY]++;
+	count_named(this, ike_sa, COUNTER_CHILD_SA_REKEY);
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_stroke_counter_t *this, ike_sa_t *ike_sa, message_t *message,
+	bool incoming, bool plain)
+{
+	stroke_counter_type_t type;
+	bool request;
+
+	if ((incoming && !plain) || (!incoming && !plain))
+	{	/* handle each message only once */
+		return TRUE;
+	}
+
+	request = message->get_request(message);
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_IKE_SA_INIT_REQ
+							   : COUNTER_IN_IKE_SA_INIT_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_IKE_SA_INIT_REQ
+							   : COUNTER_OUT_IKE_SA_INIT_RES;
+			}
+			break;
+		case IKE_AUTH:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_IKE_AUTH_REQ
+							   : COUNTER_IN_IKE_AUTH_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_IKE_AUTH_REQ
+							   : COUNTER_OUT_IKE_AUTH_RSP;
+			}
+			break;
+		case CREATE_CHILD_SA:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_CREATE_CHILD_SA_REQ
+							   : COUNTER_IN_CREATE_CHILD_SA_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_CREATE_CHILD_SA_REQ
+							   : COUNTER_OUT_CREATE_CHILD_SA_RSP;
+			}
+			break;
+		case INFORMATIONAL:
+			if (incoming)
+			{
+				type = request ? COUNTER_IN_INFORMATIONAL_REQ
+							   : COUNTER_IN_INFORMATIONAL_RSP;
+			}
+			else
+			{
+				type = request ? COUNTER_OUT_INFORMATIONAL_REQ
+							   : COUNTER_OUT_INFORMATIONAL_RSP;
+			}
+			break;
+		default:
+			return TRUE;
+	}
+
+	this->lock->lock(this->lock);
+	this->counter[type]++;
+	count_named(this, ike_sa, type);
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+/**
+ * Print a single counter value to out
+ */
+static void print_counter(FILE *out, stroke_counter_type_t type,
+						  u_int64_t counter)
+{
+	fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, type, counter);
+}
+
+/**
+ * Print IKE counters for a specific connection
+ */
+static void print_one(private_stroke_counter_t *this, FILE *out, char *name)
+{
+	u_int64_t counter[COUNTER_MAX];
+	entry_t *entry;
+	int i;
+
+	this->lock->lock(this->lock);
+	entry = this->conns->get(this->conns, name);
+	if (entry)
+	{
+		for (i = 0; i < countof(this->counter); i++)
+		{
+			counter[i] = entry->counter[i];
+		}
+	}
+	this->lock->unlock(this->lock);
+
+	if (entry)
+	{
+		fprintf(out, "\nList of IKE counters for '%s':\n\n", name);
+		for (i = 0; i < countof(this->counter); i++)
+		{
+			print_counter(out, i, counter[i]);
+		}
+	}
+	else
+	{
+		fprintf(out, "No IKE counters found for '%s'\n", name);
+	}
+}
+
+/**
+ * Print counters for all connections
+ */
+static void print_all(private_stroke_counter_t *this, FILE *out)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	linked_list_t *list;
+	char *name;
+
+	list = linked_list_create();
+
+	this->lock->lock(this->lock);
+	enumerator = this->conns->create_enumerator(this->conns);
+	while (enumerator->enumerate(enumerator, &name, &entry))
+	{
+		list->insert_last(list, strdup(name));
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		print_one(this, out, name);
+	}
+	enumerator->destroy(enumerator);
+
+	list->destroy_function(list, free);
+}
+
+/**
+ * Print global counters
+ */
+static void print_global(private_stroke_counter_t *this, FILE *out)
+{
+	u_int64_t counter[COUNTER_MAX];
+	int i;
+
+	this->lock->lock(this->lock);
+	for (i = 0; i < countof(this->counter); i++)
+	{
+		counter[i] = this->counter[i];
+	}
+	this->lock->unlock(this->lock);
+
+	fprintf(out, "\nList of IKE counters:\n\n");
+
+	for (i = 0; i < countof(this->counter); i++)
+	{
+		print_counter(out, i, counter[i]);
+	}
+}
+
+METHOD(stroke_counter_t, print, void,
+	private_stroke_counter_t *this, FILE *out, char *name)
+{
+	if (name)
+	{
+		if (streq(name, "all"))
+		{
+			return print_all(this, out);
+		}
+		return print_one(this, out, name);
+	}
+	return print_global(this, out);
+}
+
+METHOD(stroke_counter_t, reset, void,
+	private_stroke_counter_t *this, char *name)
+{
+	this->lock->lock(this->lock);
+	if (name)
+	{
+		entry_t *entry;
+
+		entry = this->conns->remove(this->conns, name);
+		if (entry)
+		{
+			destroy_entry(entry);
+		}
+	}
+	else
+	{
+		memset(&this->counter, 0, sizeof(this->counter));
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stroke_counter_t, destroy, void,
+	private_stroke_counter_t *this)
+{
+	enumerator_t *enumerator;
+	char *name;
+	entry_t *entry;
+
+	enumerator = this->conns->create_enumerator(this->conns);
+	while (enumerator->enumerate(enumerator, &name, &entry))
+	{
+		destroy_entry(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->conns->destroy(this->conns);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stroke_counter_t *stroke_counter_create()
+{
+	private_stroke_counter_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.alert = _alert,
+				.ike_rekey = _ike_rekey,
+				.child_rekey = _child_rekey,
+				.message = _message_hook,
+			},
+			.print = _print,
+			.reset = _reset,
+			.destroy = _destroy,
+		},
+		.conns = hashtable_create((hashtable_hash_t)hash,
+								  (hashtable_equals_t)equals, 4),
+		.lock = spinlock_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/stroke/stroke_counter.h b/src/libcharon/plugins/stroke/stroke_counter.h
new file mode 100644
index 000000000..fecf39f56
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_counter.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_counter stroke_counter
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_COUNTER_H_
+#define STROKE_COUNTER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct stroke_counter_t stroke_counter_t;
+typedef enum stroke_counter_type_t stroke_counter_type_t;
+
+enum stroke_counter_type_t {
+	/** initiated IKE_SA rekeyings */
+	COUNTER_INIT_IKE_SA_REKEY,
+	/** responded IKE_SA rekeyings */
+	COUNTER_RESP_IKE_SA_REKEY,
+	/** completed CHILD_SA rekeyings */
+	COUNTER_CHILD_SA_REKEY,
+	/** messages with invalid types, length, or a value out of range */
+	COUNTER_IN_INVALID,
+	/** messages with an invalid IKE SPI */
+	COUNTER_IN_INVALID_IKE_SPI,
+	/** received IKE_SA_INIT requests */
+	COUNTER_IN_IKE_SA_INIT_REQ,
+	/** received IKE_SA_INIT responses */
+	COUNTER_IN_IKE_SA_INIT_RSP,
+	/** sent IKE_SA_INIT requests */
+	COUNTER_OUT_IKE_SA_INIT_REQ,
+	/** sent IKE_SA_INIT responses */
+	COUNTER_OUT_IKE_SA_INIT_RES,
+	/** received IKE_AUTH requests */
+	COUNTER_IN_IKE_AUTH_REQ,
+	/** received IKE_AUTH responses */
+	COUNTER_IN_IKE_AUTH_RSP,
+	/** sent IKE_AUTH requests */
+	COUNTER_OUT_IKE_AUTH_REQ,
+	/** sent IKE_AUTH responses */
+	COUNTER_OUT_IKE_AUTH_RSP,
+	/** received CREATE_CHILD_SA requests */
+	COUNTER_IN_CREATE_CHILD_SA_REQ,
+	/** received CREATE_CHILD_SA responses */
+	COUNTER_IN_CREATE_CHILD_SA_RSP,
+	/** sent CREATE_CHILD_SA requests */
+	COUNTER_OUT_CREATE_CHILD_SA_REQ,
+	/** sent CREATE_CHILD_SA responses */
+	COUNTER_OUT_CREATE_CHILD_SA_RSP,
+	/** received INFORMATIONAL requests */
+	COUNTER_IN_INFORMATIONAL_REQ,
+	/** received INFORMATIONAL responses */
+	COUNTER_IN_INFORMATIONAL_RSP,
+	/** sent INFORMATIONAL requests */
+	COUNTER_OUT_INFORMATIONAL_REQ,
+	/** sent INFORMATIONAL responses */
+	COUNTER_OUT_INFORMATIONAL_RSP,
+	/** number of counter types */
+	COUNTER_MAX
+};
+
+/**
+ * Collection of counter values for different IKE events.
+ */
+struct stroke_counter_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Print counter values to an output stream.
+	 *
+	 * @param out		output stream to write to
+	 * @param name		connection name to get counters for, NULL for global
+	 */
+	void (*print)(stroke_counter_t *this, FILE *out, char *name);
+
+	/**
+	 * Reset global or connection specific counters.
+	 *
+	 * @param name		name of connection counters to reset, NULL for global
+	 */
+	void (*reset)(stroke_counter_t *this, char *name);
+
+	/**
+	 * Destroy a stroke_counter_t.
+	 */
+	void (*destroy)(stroke_counter_t *this);
+};
+
+/**
+ * Create a stroke_counter instance.
+ */
+stroke_counter_t *stroke_counter_create();
+
+#endif /** STROKE_COUNTER_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index a2a6d6d9f..8d0001271 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -32,9 +32,10 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ac.h>
+#include <credentials/containers/pkcs12.h>
 #include <credentials/sets/mem_cred.h>
 #include <credentials/sets/callback_cred.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/lexparser.h>
 #include <threading/rwlock.h>
 #include <daemon.h>
@@ -72,7 +73,7 @@ struct private_stroke_cred_t {
 
 	/**
 	 * ignore missing CA basic constraint (i.e. treat all certificates in
-	 * ipsec.conf ca sections and ipsec.d/cacert as CA certificates)
+	 * ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
 	 */
 	bool force_ca_cert;
 
@@ -82,35 +83,137 @@ struct private_stroke_cred_t {
 	bool cachecrl;
 };
 
-METHOD(stroke_cred_t, load_ca, certificate_t*,
-	private_stroke_cred_t *this, char *filename)
+/** Length of smartcard specifier parts (module, keyid) */
+#define SC_PART_LEN 128
+
+/**
+ * Kind of smartcard specifier token
+ */
+typedef enum {
+	SC_FORMAT_SLOT_MODULE_KEYID,
+	SC_FORMAT_SLOT_KEYID,
+	SC_FORMAT_KEYID,
+	SC_FORMAT_INVALID,
+} smartcard_format_t;
+
+/**
+ * Parse a smartcard specifier token
+ */
+static smartcard_format_t parse_smartcard(char *smartcard, u_int *slot,
+										  char *module, char *keyid)
 {
-	certificate_t *cert;
-	char path[PATH_MAX];
+	/* The token has one of the following three formats:
+	 * - %smartcard<slot>@<module>:<keyid>
+	 * - %smartcard<slot>:<keyid>
+	 * - %smartcard:<keyid>
+	 */
+	char buf[2 * SC_PART_LEN], *pos;
 
-	if (*filename == '/')
+	if (sscanf(smartcard, "%%smartcard%u@%255s", slot, buf) == 2)
 	{
-		snprintf(path, sizeof(path), "%s", filename);
+		pos = strchr(buf, ':');
+		if (!pos)
+		{
+			return SC_FORMAT_INVALID;
+		}
+		*pos++ = '\0';
+		snprintf(module, SC_PART_LEN, "%s", buf);
+		snprintf(keyid, SC_PART_LEN, "%s", pos);
+		return SC_FORMAT_SLOT_MODULE_KEYID;
 	}
-	else
+	if (sscanf(smartcard, "%%smartcard%u:%127s", slot, keyid) == 2)
+	{
+		return SC_FORMAT_SLOT_KEYID;
+	}
+	if (sscanf(smartcard, "%%smartcard:%127s", keyid) == 1)
 	{
-		snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+		return SC_FORMAT_KEYID;
 	}
+	return SC_FORMAT_INVALID;
+}
 
-	if (this->force_ca_cert)
-	{	/* we treat this certificate as a CA certificate even if it has no
-		 * CA basic constraint */
-		cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_X509,
-							  BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
-							  BUILD_END);
+/**
+ * Load a credential from a smartcard
+ */
+static certificate_t *load_from_smartcard(smartcard_format_t format,
+										  u_int slot, char *module, char *keyid,
+										  credential_type_t type, int subtype)
+{
+	chunk_t chunk;
+	void *cred;
+
+	chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+	switch (format)
+	{
+		case SC_FORMAT_SLOT_MODULE_KEYID:
+			cred = lib->creds->create(lib->creds, type, subtype,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_MODULE, module,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_SLOT_KEYID:
+			cred = lib->creds->create(lib->creds, type, subtype,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_KEYID:
+			cred = lib->creds->create(lib->creds, type, subtype,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		default:
+			cred = NULL;
+			break;
+	}
+	free(chunk.ptr);
+
+	return cred;
+}
+
+METHOD(stroke_cred_t, load_ca, certificate_t*,
+	private_stroke_cred_t *this, char *filename)
+{
+	certificate_t *cert = NULL;
+	char path[PATH_MAX];
+
+	if (strpfx(filename, "%smartcard"))
+	{
+		smartcard_format_t format;
+		char module[SC_PART_LEN], keyid[SC_PART_LEN];
+		u_int slot;
+
+		format = parse_smartcard(filename, &slot, module, keyid);
+		if (format != SC_FORMAT_INVALID)
+		{
+			cert = (certificate_t*)load_from_smartcard(format,
+							slot, module, keyid, CRED_CERTIFICATE, CERT_X509);
+		}
 	}
 	else
 	{
-		cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_X509,
-							  BUILD_FROM_FILE, path,
-							  BUILD_END);
+		if (*filename == '/')
+		{
+			snprintf(path, sizeof(path), "%s", filename);
+		}
+		else
+		{
+			snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+		}
+
+		if (this->force_ca_cert)
+		{	/* we treat this certificate as a CA certificate even if it has no
+			 * CA basic constraint */
+			cert = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
+								  BUILD_END);
+		}
+		else
+		{
+			cert = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, path,
+								  BUILD_END);
+		}
 	}
 	if (cert)
 	{
@@ -123,6 +226,8 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 			cert->destroy(cert);
 			return NULL;
 		}
+		DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
+			 cert->get_subject(cert), filename);
 		return this->creds->add_cert_ref(this->creds, TRUE, cert);
 	}
 	return NULL;
@@ -131,22 +236,38 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 METHOD(stroke_cred_t, load_peer, certificate_t*,
 	private_stroke_cred_t *this, char *filename)
 {
-	certificate_t *cert;
+	certificate_t *cert = NULL;
 	char path[PATH_MAX];
 
-	if (*filename == '/')
+	if (strpfx(filename, "%smartcard"))
 	{
-		snprintf(path, sizeof(path), "%s", filename);
+		smartcard_format_t format;
+		char module[SC_PART_LEN], keyid[SC_PART_LEN];
+		u_int slot;
+
+		format = parse_smartcard(filename, &slot, module, keyid);
+		if (format != SC_FORMAT_INVALID)
+		{
+			cert = (certificate_t*)load_from_smartcard(format,
+							slot, module, keyid, CRED_CERTIFICATE, CERT_X509);
+		}
 	}
 	else
 	{
-		snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
-	}
+		if (*filename == '/')
+		{
+			snprintf(path, sizeof(path), "%s", filename);
+		}
+		else
+		{
+			snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
+		}
 
-	cert = lib->creds->create(lib->creds,
-							  CRED_CERTIFICATE, CERT_ANY,
-							  BUILD_FROM_FILE, path,
-							  BUILD_END);
+		cert = lib->creds->create(lib->creds,
+								  CRED_CERTIFICATE, CERT_ANY,
+								  BUILD_FROM_FILE, path,
+								  BUILD_END);
+	}
 	if (cert)
 	{
 		cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
@@ -159,29 +280,45 @@ METHOD(stroke_cred_t, load_peer, certificate_t*,
 }
 
 METHOD(stroke_cred_t, load_pubkey, certificate_t*,
-	private_stroke_cred_t *this, key_type_t type, char *filename,
-	identification_t *identity)
+	private_stroke_cred_t *this, char *filename, identification_t *identity)
 {
 	certificate_t *cert;
+	public_key_t *key;
 	char path[PATH_MAX];
+	builder_part_t build_part;
+	key_type_t type = KEY_ANY;
 
 	if (streq(filename, "%dns"))
 	{
-
+		return NULL;
+	}
+	if (strncaseeq(filename, "dns:", 4))
+	{	/* RFC 3110 format */
+		build_part = BUILD_BLOB_DNSKEY;
+		/* not a complete RR, only RSA supported */
+		type = KEY_RSA;
+		filename += 4;
+	}
+	else if (strncaseeq(filename, "ssh:", 4))
+	{	/* SSH key */
+		build_part = BUILD_BLOB_SSHKEY;
+		filename += 4;
 	}
-	else if (strncaseeq(filename, "0x", 2) || strncaseeq(filename, "0s", 2))
+	else
+	{	/* try PKCS#1 by default */
+		build_part = BUILD_BLOB_ASN1_DER;
+	}
+	if (strncaseeq(filename, "0x", 2) || strncaseeq(filename, "0s", 2))
 	{
-		chunk_t printable_key, rfc3110_key;
-		public_key_t *key;
+		chunk_t printable_key, raw_key;
 
 		printable_key = chunk_create(filename + 2, strlen(filename) - 2);
-		rfc3110_key = strncaseeq(filename, "0x", 2) ?
+		raw_key = strncaseeq(filename, "0x", 2) ?
 								 chunk_from_hex(printable_key, NULL) :
 								 chunk_from_base64(printable_key, NULL);
-		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-								 BUILD_BLOB_DNSKEY, rfc3110_key,
-								 BUILD_END);
-		free(rfc3110_key.ptr);
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
+								 build_part, raw_key, BUILD_END);
+		chunk_free(&raw_key);
 		if (key)
 		{
 			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
@@ -189,6 +326,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 									  BUILD_PUBLIC_KEY, key,
 									  BUILD_SUBJECT, identity,
 									  BUILD_END);
+			type = key->get_type(key);
 			key->destroy(key);
 			if (cert)
 			{
@@ -198,8 +336,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 				return cert;
 			}
 		}
-		DBG1(DBG_CFG, "  loading %N public key for \"%Y\" failed",
-			 key_type_names, type, identity);
+		DBG1(DBG_CFG, "  loading public key for \"%Y\" failed", identity);
 	}
 	else
 	{
@@ -220,12 +357,15 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 		if (cert)
 		{
 			cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+			key = cert->get_public_key(cert);
+			type = key->get_type(key);
+			key->destroy(key);
 			DBG1(DBG_CFG, "  loaded %N public key for \"%Y\" from '%s'",
 				 key_type_names, type, identity, filename);
 			return cert;
 		}
-		DBG1(DBG_CFG, "  loading %N public key for \"%Y\" from '%s' failed",
-			 key_type_names, type, identity, filename);
+		DBG1(DBG_CFG, "  loading public key for \"%Y\" from '%s' failed",
+			 identity, filename);
 	}
 	return NULL;
 }
@@ -460,8 +600,12 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
  * Data for passphrase callback
  */
 typedef struct {
+	/** cached passphrases */
+	mem_cred_t *cache;
 	/** socket we use for prompting */
 	FILE *prompt;
+	/** type of secret to unlock */
+	int type;
 	/** private key file */
 	char *path;
 	/** number of tries */
@@ -469,13 +613,15 @@ typedef struct {
 } passphrase_cb_data_t;
 
 /**
- * Callback function to receive Passphrases
+ * Callback function to receive passphrases
  */
 static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
-								shared_key_type_t type,
-								identification_t *me, identification_t *other,
-								id_match_t *match_me, id_match_t *match_other)
+								   shared_key_type_t type, identification_t *me,
+								   identification_t *other, id_match_t *match_me,
+								   id_match_t *match_other)
 {
+	static const int max_tries = 3;
+	shared_key_t *shared;
 	chunk_t secret;
 	char buf[256];
 
@@ -484,17 +630,23 @@ static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
 		return NULL;
 	}
 
+	data->try++;
+	if (data->try > max_tries + 1)
+	{	/* another builder might call this after we gave up, fail silently */
+		return NULL;
+	}
+	if (data->try > max_tries)
+	{
+		fprintf(data->prompt, "Passphrase invalid, giving up.\n");
+		return NULL;
+	}
 	if (data->try > 1)
 	{
-		if (data->try > 5)
-		{
-			fprintf(data->prompt, "PIN invalid, giving up.\n");
-			return NULL;
-		}
-		fprintf(data->prompt, "PIN invalid!\n");
+		fprintf(data->prompt, "Passphrase invalid!\n");
 	}
-	data->try++;
-	fprintf(data->prompt, "Private key '%s' is encrypted.\n", data->path);
+	fprintf(data->prompt, "%s '%s' is encrypted.\n",
+			data->type == CRED_PRIVATE_KEY ? "Private key" : "PKCS#12 file",
+			data->path);
 	fprintf(data->prompt, "Passphrase:\n");
 	if (fgets(buf, sizeof(buf), data->prompt))
 	{
@@ -510,7 +662,10 @@ static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
 			{
 				*match_other = ID_MATCH_NONE;
 			}
-			return shared_key_create(SHARED_PRIVATE_KEY_PASS, chunk_clone(secret));
+			shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+									   chunk_clone(secret));
+			data->cache->add_shared(data->cache, shared->get_ref(shared), NULL);
+			return shared;
 		}
 	}
 	return NULL;
@@ -550,12 +705,12 @@ static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type,
 		return NULL;
 	}
 
+	data->try++;
 	if (data->try > 1)
 	{
 		fprintf(data->prompt, "PIN invalid, aborting.\n");
 		return NULL;
 	}
-	data->try++;
 	fprintf(data->prompt, "Login to '%s' required\n", data->card);
 	fprintf(data->prompt, "PIN:\n");
 	if (fgets(buf, sizeof(buf), data->prompt))
@@ -581,11 +736,11 @@ static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type,
 /**
  * Load a smartcard with a PIN
  */
-static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
+static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr,
 					 FILE *prompt)
 {
 	chunk_t sc = chunk_empty, secret = chunk_empty;
-	char smartcard[64], keyid[64], module[64], *pos;
+	char smartcard[BUF_LEN], keyid[SC_PART_LEN], module[SC_PART_LEN];
 	private_key_t *key = NULL;
 	u_int slot;
 	chunk_t chunk;
@@ -594,11 +749,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	mem_cred_t *mem = NULL;
 	callback_cred_t *cb = NULL;
 	pin_cb_data_t pin_data;
-	enum {
-		SC_FORMAT_SLOT_MODULE_KEYID,
-		SC_FORMAT_SLOT_KEYID,
-		SC_FORMAT_KEYID,
-	} format;
+	smartcard_format_t format;
 
 	err_t ugh = extract_value(&sc, &line);
 
@@ -615,33 +766,8 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	snprintf(smartcard, sizeof(smartcard), "%.*s", (int)sc.len, sc.ptr);
 	smartcard[sizeof(smartcard) - 1] = '\0';
 
-	/* parse slot and key id. Three formats are supported:
-	 * - %smartcard<slot>@<module>:<keyid>
-	 * - %smartcard<slot>:<keyid>
-	 * - %smartcard:<keyid>
-	 */
-	if (sscanf(smartcard, "%%smartcard%u@%s", &slot, module) == 2)
-	{
-		pos = strchr(module, ':');
-		if (!pos)
-		{
-			DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is "
-				 "invalid", line_nr);
-			return FALSE;
-		}
-		*pos = '\0';
-		strncpy(keyid, pos + 1, sizeof(keyid));
-		format = SC_FORMAT_SLOT_MODULE_KEYID;
-	}
-	else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
-	{
-		format = SC_FORMAT_SLOT_KEYID;
-	}
-	else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
-	{
-		format = SC_FORMAT_KEYID;
-	}
-	else
+	format = parse_smartcard(smartcard, &slot, module, keyid);
+	if (format == SC_FORMAT_INVALID)
 	{
 		DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
 				" supported or invalid", line_nr);
@@ -661,21 +787,21 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	}
 
 	chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
-	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	if (secret.len == 7 && strpfx(secret.ptr, "%prompt"))
 	{
 		free(secret.ptr);
 		if (!prompt)
 		{	/* no IO channel to prompt, skip */
-			free(chunk.ptr);
+			chunk_clear(&chunk);
 			return TRUE;
 		}
 		/* use callback credential set to prompt for the pin */
 		pin_data.prompt = prompt;
 		pin_data.card = smartcard;
 		pin_data.keyid = chunk;
-		pin_data.try = 1;
+		pin_data.try = 0;
 		cb = callback_cred_create_shared((void*)pin_cb, &pin_data);
-		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
 	}
 	else
 	{
@@ -684,31 +810,12 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		id = identification_create_from_encoding(ID_KEY_ID, chunk);
 		mem = mem_cred_create();
 		mem->add_shared(mem, shared, id, NULL);
-		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
 	}
 
 	/* unlock: smartcard needs the pin and potentially calls public set */
-	switch (format)
-	{
-		case SC_FORMAT_SLOT_MODULE_KEYID:
-			key = lib->creds->create(lib->creds,
-							CRED_PRIVATE_KEY, KEY_ANY,
-							BUILD_PKCS11_SLOT, slot,
-							BUILD_PKCS11_MODULE, module,
-							BUILD_PKCS11_KEYID, chunk, BUILD_END);
-			break;
-		case SC_FORMAT_SLOT_KEYID:
-			key = lib->creds->create(lib->creds,
-							CRED_PRIVATE_KEY, KEY_ANY,
-							BUILD_PKCS11_SLOT, slot,
-							BUILD_PKCS11_KEYID, chunk, BUILD_END);
-			break;
-		case SC_FORMAT_KEYID:
-			key = lib->creds->create(lib->creds,
-							CRED_PRIVATE_KEY, KEY_ANY,
-							BUILD_PKCS11_KEYID, chunk, BUILD_END);
-			break;
-	}
+	key = (private_key_t*)load_from_smartcard(format, slot, module, keyid,
+											  CRED_PRIVATE_KEY, KEY_ANY);
 	if (mem)
 	{
 		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
@@ -719,25 +826,25 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
 		cb->destroy(cb);
 	}
+	chunk_clear(&chunk);
 
 	if (key)
 	{
-		DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
-		this->creds->add_key(this->creds, key);
+		DBG1(DBG_CFG, "  loaded private key from %.*s", (int)sc.len, sc.ptr);
+		secrets->add_key(secrets, key);
 	}
 	return TRUE;
 }
 
 /**
- * Load a private key
+ * Load a private key or PKCS#12 container from a file
  */
-static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
-						 FILE *prompt, key_type_t key_type)
+static bool load_from_file(chunk_t line, int line_nr, FILE *prompt,
+						   char *path, int type, int subtype,
+						   void **result)
 {
-	char path[PATH_MAX];
 	chunk_t filename;
 	chunk_t secret = chunk_empty;
-	private_key_t *key;
 
 	err_t ugh = extract_value(&filename, &line);
 
@@ -754,12 +861,12 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 	if (*filename.ptr == '/')
 	{
 		/* absolute path name */
-		snprintf(path, sizeof(path), "%.*s", (int)filename.len, filename.ptr);
+		snprintf(path, PATH_MAX, "%.*s", (int)filename.len, filename.ptr);
 	}
 	else
 	{
 		/* relative path name */
-		snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
+		snprintf(path, PATH_MAX, "%s/%.*s", PRIVATE_KEY_DIR,
 				 (int)filename.len, filename.ptr);
 	}
 
@@ -773,32 +880,37 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 			return FALSE;
 		}
 	}
-	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	if (secret.len == 7 && strpfx(secret.ptr, "%prompt"))
 	{
-		callback_cred_t *cb = NULL;
+		callback_cred_t *cb;
 		passphrase_cb_data_t pp_data = {
 			.prompt = prompt,
+			.type = type,
 			.path = path,
-			.try = 1,
+			.try = 0,
 		};
 
 		free(secret.ptr);
 		if (!prompt)
 		{
+			*result = NULL;
 			return TRUE;
 		}
+		/* add cache first so if valid passphrases are needed multiple times
+		 * the callback is not called anymore */
+		pp_data.cache = mem_cred_create();
+		lib->credmgr->add_local_set(lib->credmgr, &pp_data.cache->set, FALSE);
 		/* use callback credential set to prompt for the passphrase */
-		pp_data.prompt = prompt;
-		pp_data.path = path;
-		pp_data.try = 1;
 		cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
-		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
 
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-								 BUILD_FROM_FILE, path, BUILD_END);
+		*result = lib->creds->create(lib->creds, type, subtype,
+									 BUILD_FROM_FILE, path, BUILD_END);
 
 		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
 		cb->destroy(cb);
+		lib->credmgr->remove_local_set(lib->credmgr, &pp_data.cache->set);
+		pp_data.cache->destroy(pp_data.cache);
 	}
 	else
 	{
@@ -809,19 +921,49 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
 		mem = mem_cred_create();
 		mem->add_shared(mem, shared, NULL);
-		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+		if (eat_whitespace(&line))
+		{	/* if there is a second passphrase add that too, could be needed for
+			 * PKCS#12 files using different passwords for MAC and encryption */
+			ugh = extract_secret(&secret, &line);
+			if (ugh != NULL)
+			{
+				DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
+				mem->destroy(mem);
+				return FALSE;
+			}
+			shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
+			mem->add_shared(mem, shared, NULL);
+		}
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
 
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-								 BUILD_FROM_FILE, path, BUILD_END);
+		*result = lib->creds->create(lib->creds, type, subtype,
+									 BUILD_FROM_FILE, path, BUILD_END);
 
 		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
 		mem->destroy(mem);
 	}
+	return TRUE;
+}
+
+/**
+ * Load a private key
+ */
+static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
+						 FILE *prompt, key_type_t key_type)
+{
+	char path[PATH_MAX];
+	private_key_t *key;
+
+	if (!load_from_file(line, line_nr, prompt, path, CRED_PRIVATE_KEY,
+						key_type, (void**)&key))
+	{
+		return FALSE;
+	}
 	if (key)
 	{
 		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
 			 key_type_names, key->get_type(key), path);
-		this->creds->add_key(this->creds, key);
+		secrets->add_key(secrets, key);
 	}
 	else
 	{
@@ -831,9 +973,61 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
 }
 
 /**
+ * Load a PKCS#12 container
+ */
+static bool load_pkcs12(private_stroke_cred_t *this, mem_cred_t *secrets,
+						chunk_t line, int line_nr, FILE *prompt)
+{
+	enumerator_t *enumerator;
+	char path[PATH_MAX];
+	certificate_t *cert;
+	private_key_t *key;
+	pkcs12_t *pkcs12;
+
+	if (!load_from_file(line, line_nr, prompt, path, CRED_CONTAINER,
+						CONTAINER_PKCS12, (void**)&pkcs12))
+	{
+		return FALSE;
+	}
+	if (!pkcs12)
+	{
+		DBG1(DBG_CFG, "  loading credentials from '%s' failed", path);
+		return TRUE;
+	}
+	enumerator = pkcs12->create_cert_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		x509_t *x509 = (x509_t*)cert;
+
+		if (x509->get_flags(x509) & X509_CA)
+		{
+			DBG1(DBG_CFG, "  loaded ca certificate \"%Y\" from '%s'",
+				 cert->get_subject(cert), path);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
+				 cert->get_subject(cert), path);
+		}
+		this->creds->add_cert(this->creds, TRUE, cert->get_ref(cert));
+	}
+	enumerator->destroy(enumerator);
+	enumerator = pkcs12->create_key_enumerator(pkcs12);
+	while (enumerator->enumerate(enumerator, &key))
+	{
+		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
+			 key_type_names, key->get_type(key), path);
+		secrets->add_key(secrets, key->get_ref(key));
+	}
+	enumerator->destroy(enumerator);
+	pkcs12->container.destroy(&pkcs12->container);
+	return TRUE;
+}
+
+/**
  * Load a shared key
  */
-static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
+static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
 						shared_key_type_t type, chunk_t ids)
 {
 	shared_key_t *shared_key;
@@ -888,15 +1082,15 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
 		owners->insert_last(owners,
 					identification_create_from_encoding(ID_ANY, chunk_empty));
 	}
-	this->creds->add_shared_list(this->creds, shared_key, owners);
+	secrets->add_shared_list(secrets, shared_key, owners);
 	return TRUE;
 }
 
 /**
  * reload ipsec.secrets
  */
-static void load_secrets(private_stroke_cred_t *this, char *file, int level,
-						 FILE *prompt)
+static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
+						 char *file, int level, FILE *prompt)
 {
 	int line_nr = 0, fd;
 	chunk_t src, line;
@@ -918,6 +1112,11 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		close(fd);
 		return;
 	}
+	if (sb.st_size == 0)
+	{	/* skip empty files, as mmap() complains */
+		close(fd);
+		return;
+	}
 	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
 	if (addr == MAP_FAILED)
 	{
@@ -927,9 +1126,9 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 	}
 	src = chunk_create(addr, sb.st_size);
 
-	if (level == 0)
-	{	/* flush secrets on non-recursive invocation */
-		this->creds->clear_secrets(this->creds);
+	if (!secrets)
+	{
+		secrets = mem_cred_create();
 	}
 
 	while (fetchline(&src, &line))
@@ -943,8 +1142,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		{
 			continue;
 		}
-		if (line.len > strlen("include ") &&
-			strneq(line.ptr, "include ", strlen("include ")))
+		if (line.len > strlen("include ") && strpfx(line.ptr, "include "))
 		{
 			char **expanded, *dir, pattern[PATH_MAX];
 			u_char *pos;
@@ -999,19 +1197,20 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 				{
 					for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
 					{
-						load_secrets(this, *expanded, level + 1, prompt);
+						load_secrets(this, secrets, *expanded, level + 1,
+									 prompt);
 					}
 				}
 				globfree(&buf);
 			}
 #else /* HAVE_GLOB_H */
 			/* if glob(3) is not available, try to load pattern directly */
-			load_secrets(this, pattern, level + 1, prompt);
+			load_secrets(this, secrets, pattern, level + 1, prompt);
 #endif /* HAVE_GLOB_H */
 			continue;
 		}
 
-		if (line.len > 2 && strneq(": ", line.ptr, 2))
+		if (line.len > 2 && strpfx(line.ptr, ": "))
 		{
 			/* no ids, skip the ':' */
 			ids = chunk_empty;
@@ -1036,15 +1235,22 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		}
 		if (match("RSA", &token) || match("ECDSA", &token))
 		{
-			if (!load_private(this, line, line_nr, prompt,
+			if (!load_private(secrets, line, line_nr, prompt,
 							  match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
 			{
 				break;
 			}
 		}
+		else if (match("P12", &token))
+		{
+			if (!load_pkcs12(this, secrets, line, line_nr, prompt))
+			{
+				break;
+			}
+		}
 		else if (match("PIN", &token))
 		{
-			if (!load_pin(this, line, line_nr, prompt))
+			if (!load_pin(secrets, line, line_nr, prompt))
 			{
 				break;
 			}
@@ -1054,7 +1260,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 				 (match("NTLM", &token) && (type = SHARED_NT_HASH)) ||
 				 (match("XAUTH", &token) && (type = SHARED_EAP)))
 		{
-			if (!load_shared(this, line, line_nr, type, ids))
+			if (!load_shared(secrets, line, line_nr, type, ids))
 			{
 				break;
 			}
@@ -1062,12 +1268,18 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either "
-				 "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
+				 "RSA, ECDSA, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
 			break;
 		}
 	}
 	munmap(addr, sb.st_size);
 	close(fd);
+
+	if (level == 0)
+	{	/* replace secrets in active credential set */
+		this->creds->replace_secrets(this->creds, secrets, FALSE);
+		secrets->destroy(secrets);
+	}
 }
 
 /**
@@ -1102,7 +1314,7 @@ METHOD(stroke_cred_t, reread, void,
 	if (msg->reread.flags & REREAD_SECRETS)
 	{
 		DBG1(DBG_CFG, "rereading secrets");
-		load_secrets(this, SECRETS_FILE, 0, prompt);
+		load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
 	}
 	if (msg->reread.flags & REREAD_CACERTS)
 	{
@@ -1181,11 +1393,11 @@ stroke_cred_t *stroke_cred_create()
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 
 	this->force_ca_cert = lib->settings->get_bool(lib->settings,
-			"charon.plugins.stroke.ignore_missing_ca_basic_constraint", FALSE);
+						"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
+						FALSE, charon->name);
 
 	load_certs(this);
-	load_secrets(this, SECRETS_FILE, 0, NULL);
+	load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h
index 83e648819..f6fbb96d3 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.h
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@@ -27,7 +27,7 @@
 #include <stroke_msg.h>
 #include <credentials/credential_set.h>
 #include <credentials/certificates/certificate.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct stroke_cred_t stroke_cred_t;
 
@@ -68,13 +68,12 @@ struct stroke_cred_t {
 	/**
 	 * Load a raw public key and serve it through the credential_set.
 	 *
-	 * @param type			type of the raw public key (RSA or ECDSA)
-	 * @param filename		file to load raw public key from
+	 * @param filename		encoding or file to load raw public key from
 	 * @param identity		identity of the raw public key owner
 	 * @return				reference to loaded raw public key, or NULL
 	 */
-	certificate_t* (*load_pubkey)(stroke_cred_t *this, key_type_t type,
-								  char *filename, identification_t *identity);
+	certificate_t* (*load_pubkey)(stroke_cred_t *this, char *filename,
+								  identification_t *identity);
 
 	/**
 	 * Add a shared secret to serve through the credential_set.
diff --git a/src/libcharon/plugins/stroke/stroke_handler.c b/src/libcharon/plugins/stroke/stroke_handler.c
new file mode 100644
index 000000000..fef8cab67
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_handler.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_handler.h"
+
+#include <daemon.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_stroke_handler_t private_stroke_handler_t;
+
+/**
+ * Private data of an stroke_handler_t object.
+ */
+struct private_stroke_handler_t {
+
+	/**
+	 * Public stroke_handler_t interface.
+	 */
+	stroke_handler_t public;
+
+	/**
+	 * List of connection specific attributes, as attributes_t
+	 */
+	linked_list_t *attrs;
+
+	/**
+	 * rwlock to lock access to pools
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Attributes assigned to a connection
+ */
+typedef struct {
+	/** name of the connection */
+	char *name;
+	/** list of DNS attributes, as host_t */
+	linked_list_t *dns;
+} attributes_t;
+
+/**
+ * Destroy an attributes_t entry
+ */
+static void attributes_destroy(attributes_t *this)
+{
+	this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Filter function to convert host to DNS configuration attributes
+ */
+static bool attr_filter(void *lock, host_t **in,
+						configuration_attribute_type_t *type,
+						void *dummy, chunk_t *data)
+{
+	host_t *host = *in;
+
+	switch (host->get_family(host))
+	{
+		case AF_INET:
+			*type = INTERNAL_IP4_DNS;
+			break;
+		case AF_INET6:
+			*type = INTERNAL_IP6_DNS;
+			break;
+		default:
+			return FALSE;
+	}
+	if (host->is_anyaddr(host))
+	{
+		*data = chunk_empty;
+	}
+	else
+	{
+		*data = host->get_address(host);
+	}
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
+	private_stroke_handler_t *this, identification_t *server,
+	linked_list_t *vips)
+{
+	ike_sa_t *ike_sa;
+	peer_cfg_t *peer_cfg;
+	enumerator_t *enumerator;
+	attributes_t *attr;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
+	{
+		peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+		this->lock->read_lock(this->lock);
+		enumerator = this->attrs->create_enumerator(this->attrs);
+		while (enumerator->enumerate(enumerator, &attr))
+		{
+			if (streq(attr->name, peer_cfg->get_name(peer_cfg)))
+			{
+				enumerator->destroy(enumerator);
+				return enumerator_create_filter(
+									attr->dns->create_enumerator(attr->dns),
+									(void*)attr_filter, this->lock,
+									(void*)this->lock->unlock);
+			}
+		}
+		enumerator->destroy(enumerator);
+		this->lock->unlock(this->lock);
+	}
+	return enumerator_create_empty();
+}
+
+METHOD(stroke_handler_t, add_attributes, void,
+	private_stroke_handler_t *this, stroke_msg_t *msg)
+{
+	if (msg->add_conn.me.dns)
+	{
+		enumerator_t *enumerator;
+		attributes_t *attr = NULL;
+		host_t *host;
+		char *token;
+
+		enumerator = enumerator_create_token(msg->add_conn.me.dns, ",", " ");
+		while (enumerator->enumerate(enumerator, &token))
+		{
+			if (streq(token, "%config") || streq(token, "%config4"))
+			{
+				host = host_create_any(AF_INET);
+			}
+			else if (streq(token, "%config6"))
+			{
+				host = host_create_any(AF_INET6);
+			}
+			else
+			{
+				host = host_create_from_string(token, 0);
+			}
+			if (host)
+			{
+				if (!attr)
+				{
+					INIT(attr,
+						.name = strdup(msg->add_conn.name),
+						.dns = linked_list_create(),
+					);
+				}
+				attr->dns->insert_last(attr->dns, host);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "ignoring invalid DNS address '%s'", token);
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (attr)
+		{
+			this->lock->write_lock(this->lock);
+			this->attrs->insert_last(this->attrs, attr);
+			this->lock->unlock(this->lock);
+		}
+	}
+}
+
+METHOD(stroke_handler_t, del_attributes, void,
+	private_stroke_handler_t *this, stroke_msg_t *msg)
+{
+	enumerator_t *enumerator;
+	attributes_t *attr;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->attrs->create_enumerator(this->attrs);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		if (streq(msg->del_conn.name, attr->name))
+		{
+			this->attrs->remove_at(this->attrs, enumerator);
+			attributes_destroy(attr);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stroke_handler_t, destroy, void,
+	private_stroke_handler_t *this)
+{
+	this->lock->destroy(this->lock);
+	this->attrs->destroy_function(this->attrs, (void*)attributes_destroy);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stroke_handler_t *stroke_handler_create()
+{
+	private_stroke_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = (void*)return_false,
+				.release = (void*)return_false,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.add_attributes = _add_attributes,
+			.del_attributes = _del_attributes,
+			.destroy = _destroy,
+		},
+		.attrs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/stroke/stroke_handler.h b/src/libcharon/plugins/stroke/stroke_handler.h
new file mode 100644
index 000000000..ab76f80b0
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_handler.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stroke_handler stroke_handler
+ * @{ @ingroup stroke
+ */
+
+#ifndef STROKE_HANDLER_H_
+#define STROKE_HANDLER_H_
+
+#include <stroke_msg.h>
+#include <attributes/attribute_handler.h>
+
+typedef struct stroke_handler_t stroke_handler_t;
+
+/**
+ * Handler requesting DNS attributes as defined with leftdns option.
+ */
+struct stroke_handler_t {
+
+	/**
+	 * Implements the attribute_handler_t interface
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Add connection specific configuration attributes.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*add_attributes)(stroke_handler_t *this, stroke_msg_t *msg);
+
+	/**
+	 * Remove connection specific configuration attributes.
+	 *
+	 * @param msg		stroke message
+	 */
+	void (*del_attributes)(stroke_handler_t *this, stroke_msg_t *msg);
+
+	/**
+	 * Destroy a stroke_handler_t.
+	 */
+	void (*destroy)(stroke_handler_t *this);
+};
+
+/**
+ * Create a stroke_handler instance.
+ */
+stroke_handler_t *stroke_handler_create();
+
+#endif /** STROKE_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 514a91e2b..e81f3fc32 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -17,6 +17,7 @@
 
 #include <inttypes.h>
 #include <time.h>
+#include <sys/utsname.h>
 
 #ifdef HAVE_MALLINFO
 #include <malloc.h>
@@ -24,7 +25,7 @@
 
 #include <hydra.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <plugins/plugin.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
@@ -51,6 +52,11 @@ struct private_stroke_list_t {
 	stroke_list_t public;
 
 	/**
+	 * Kind of *swan we run
+	 */
+	char *swan;
+
+	/**
 	 * timestamp of daemon start
 	 */
 	time_t uptime;
@@ -115,11 +121,23 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 	if (all)
 	{
 		proposal_t *ike_proposal;
+		identification_t *eap_id;
+
+		eap_id = ike_sa->get_other_eap_id(ike_sa);
+
+		if (!eap_id->equals(eap_id, ike_sa->get_other_id(ike_sa)))
+		{
+			fprintf(out, "%12s[%d]: Remote %s identity: %Y\n",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+					ike_sa->get_version(ike_sa) == IKEV1 ? "XAuth" : "EAP",
+					eap_id);
+		}
 
 		ike_proposal = ike_sa->get_proposal(ike_sa);
 
-		fprintf(out, "%12s[%d]: IKE SPIs: %.16"PRIx64"_i%s %.16"PRIx64"_r%s",
+		fprintf(out, "%12s[%d]: %N SPIs: %.16"PRIx64"_i%s %.16"PRIx64"_r%s",
 				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+				ike_version_names, ike_sa->get_version(ike_sa),
 				id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
 				id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
 
@@ -187,10 +205,13 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 {
 	time_t use_in, use_out, rekey, now;
-	u_int64_t bytes_in, bytes_out;
+	u_int64_t bytes_in, bytes_out, packets_in, packets_out;
 	proposal_t *proposal;
-	child_cfg_t *config = child_sa->get_config(child_sa);
+	linked_list_t *my_ts, *other_ts;
+	child_cfg_t *config;
 
+	config = child_sa->get_config(child_sa);
+	now = time_monotonic(NULL);
 
 	fprintf(out, "%12s{%d}:  %N, %N%s",
 			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
@@ -254,19 +275,24 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 				}
 			}
 
-			now = time_monotonic(NULL);
-			child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
+			child_sa->get_usestats(child_sa, TRUE,
+								   &use_in, &bytes_in, &packets_in);
 			fprintf(out, ", %" PRIu64 " bytes_i", bytes_in);
 			if (use_in)
 			{
-				fprintf(out, " (%" PRIu64 "s ago)", (u_int64_t)(now - use_in));
+				fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)",
+						packets_in, (packets_in == 1) ? "": "s",
+						(u_int64_t)(now - use_in));
 			}
 
-			child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out);
+			child_sa->get_usestats(child_sa, FALSE,
+								   &use_out, &bytes_out, &packets_out);
 			fprintf(out, ", %" PRIu64 " bytes_o", bytes_out);
 			if (use_out)
 			{
-				fprintf(out, " (%" PRIu64 "s ago)", (u_int64_t)(now - use_out));
+				fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)",
+						packets_out, (packets_out == 1) ? "": "s",
+						(u_int64_t)(now - use_out));
 			}
 			fprintf(out, ", rekeying ");
 
@@ -289,11 +315,21 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 
 		}
 	}
+	else if (child_sa->get_state(child_sa) == CHILD_REKEYING)
+	{
+		rekey = child_sa->get_lifetime(child_sa, TRUE);
+		fprintf(out, ", expires in %V", &now, &rekey);
+	}
 
+	my_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
 	fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
 			child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
-			child_sa->get_traffic_selectors(child_sa, TRUE),
-			child_sa->get_traffic_selectors(child_sa, FALSE));
+			my_ts, other_ts);
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
 }
 
 /**
@@ -315,15 +351,16 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
 	while (enumerator->enumerate(enumerator, &auth))
 	{
-		fprintf(out, "%12s:   %s [%Y] uses ", name,	local ? "local: " : "remote:",
-				auth->get(auth, AUTH_RULE_IDENTITY));
-
-		auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
-		if (auth_class != AUTH_CLASS_EAP)
+		fprintf(out, "%12s:   %s", name, local ? "local: " : "remote:");
+		id = auth->get(auth, AUTH_RULE_IDENTITY);
+		if (id)
 		{
-			fprintf(out, "%N authentication\n", auth_class_names, auth_class);
+			fprintf(out, " [%Y]", id);
 		}
-		else
+		fprintf(out, " uses ");
+
+		auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+		if (auth_class == AUTH_CLASS_EAP)
 		{
 			if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE) == EAP_NAK)
 			{
@@ -350,6 +387,21 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 			}
 			fprintf(out, "\n");
 		}
+		else if (auth_class == AUTH_CLASS_XAUTH)
+		{
+			fprintf(out, "%N authentication: %s", auth_class_names, auth_class,
+					auth->get(auth, AUTH_RULE_XAUTH_BACKEND) ?: "any");
+			id = auth->get(auth, AUTH_RULE_XAUTH_IDENTITY);
+			if (id)
+			{
+				fprintf(out, " with XAuth identity '%Y'", id);
+			}
+			fprintf(out, "\n");
+		}
+		else
+		{
+			fprintf(out, "%N authentication\n", auth_class_names, auth_class);
+		}
 
 		cert = auth->get(auth, AUTH_RULE_CA_CERT);
 		if (cert)
@@ -414,16 +466,25 @@ METHOD(stroke_list_t, status, void,
 	if (all)
 	{
 		peer_cfg_t *peer_cfg;
+		ike_version_t ike_version;
 		char *pool;
 		host_t *host;
 		u_int32_t dpd;
 		time_t since, now;
 		u_int size, online, offline, i;
+		struct utsname utsname;
+
 		now = time_monotonic(NULL);
 		since = time(NULL) - (now - this->uptime);
 
-		fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
-		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
+		fprintf(out, "Status of IKE charon daemon (%sSwan "VERSION, this->swan);
+		if (uname(&utsname) == 0)
+		{
+			fprintf(out, ", %s %s, %s",
+					utsname.sysname, utsname.release, utsname.machine);
+		}
+		fprintf(out, "):\n  uptime: %V, since %T\n", &now, &this->uptime, &since,
+				FALSE);
 #ifdef HAVE_MALLINFO
 		{
 			struct mallinfo mi = mallinfo();
@@ -469,7 +530,7 @@ METHOD(stroke_list_t, status, void,
 		enumerator->destroy(enumerator);
 
 		enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, FALSE, FALSE);
+								hydra->kernel_interface, ADDR_TYPE_REGULAR);
 		fprintf(out, "Listening IP addresses:\n");
 		while (enumerator->enumerate(enumerator, (void**)&host))
 		{
@@ -479,18 +540,30 @@ METHOD(stroke_list_t, status, void,
 
 		fprintf(out, "Connections:\n");
 		enumerator = charon->backends->create_peer_cfg_enumerator(
-									charon->backends, NULL, NULL, NULL, NULL);
+							charon->backends, NULL, NULL, NULL, NULL, IKE_ANY);
 		while (enumerator->enumerate(enumerator, &peer_cfg))
 		{
-			if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
-				(name && !streq(name, peer_cfg->get_name(peer_cfg))))
+			char *my_addr, *other_addr;
+			bool my_allow_any, other_allow_any;
+
+			if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
 			{
 				continue;
 			}
 
 			ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
-			fprintf(out, "%12s:  %s...%s", peer_cfg->get_name(peer_cfg),
-				ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
+			ike_version = peer_cfg->get_ike_version(peer_cfg);
+			my_addr = ike_cfg->get_my_addr(ike_cfg, &my_allow_any);
+			other_addr = ike_cfg->get_other_addr(ike_cfg, &other_allow_any);
+			fprintf(out, "%12s:  %s%s...%s%s  %N", peer_cfg->get_name(peer_cfg),
+					my_allow_any ? "%":"", my_addr,
+					other_allow_any ? "%":"", other_addr,
+					ike_version_names, ike_version);
+
+			if (ike_version == IKEV1 && peer_cfg->use_aggressive(peer_cfg))
+			{
+				fprintf(out, " Aggressive");
+			}
 
 			dpd = peer_cfg->get_dpd(peer_cfg);
 			if (dpd)
@@ -666,15 +739,12 @@ static void list_public_key(public_key_t *public, FILE *out)
 	private_key_t *private = NULL;
 	chunk_t keyid;
 	identification_t *id;
-	auth_cfg_t *auth;
 
 	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, keyid);
-		auth = auth_cfg_create();
 		private = lib->credmgr->get_private(lib->credmgr,
-									public->get_type(public), id, auth);
-		auth->destroy(auth);
+									public->get_type(public), id, NULL);
 		id->destroy(id);
 	}
 
@@ -819,8 +889,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 	x509_flag_t flag_mask;
 
 	/* mask all auxiliary flags */
-	flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH |
-				  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS );
+	flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
+				  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
 
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, (void**)&cert))
@@ -1059,7 +1129,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 		}
 		if (crl->is_delta_crl(crl, &chunk))
 		{
-			chunk = chunk_skip_zero(chunk);		
+			chunk = chunk_skip_zero(chunk);
 			fprintf(out, "  delta for: %#B\n", &chunk);
 		}
 
@@ -1151,7 +1221,15 @@ static void print_alg(FILE *out, int *len, enum_name_t *alg_names, int alg_type,
 	char alg_name[BUF_LEN];
 	int alg_name_len;
 
-	alg_name_len = sprintf(alg_name, " %N[%s]", alg_names, alg_type, plugin_name);
+	if (alg_names)
+	{
+		alg_name_len = sprintf(alg_name, " %N[%s]", alg_names, alg_type,
+							   plugin_name);
+	}
+	else
+	{
+		alg_name_len = sprintf(alg_name, " [%s]", plugin_name);
+	}
 	if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
 	{
 		fprintf(out, "\n             ");
@@ -1177,7 +1255,7 @@ static void list_algs(FILE *out)
 	int len;
 
 	fprintf(out, "\n");
-	fprintf(out, "List of registered IKEv2 Algorithms:\n");
+	fprintf(out, "List of registered IKE algorithms:\n");
 	fprintf(out, "\n  encryption:");
 	len = 13;
 	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
@@ -1234,6 +1312,14 @@ static void list_algs(FILE *out)
 		print_alg(out, &len, rng_quality_names, quality, plugin_name);
 	}
 	enumerator->destroy(enumerator);
+	fprintf(out, "\n  nonce-gen: ");
+	len = 13;
+	enumerator = lib->crypto->create_nonce_gen_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &plugin_name))
+	{
+		print_alg(out, &len, NULL, 0, plugin_name);
+	}
+	enumerator->destroy(enumerator);
 	fprintf(out, "\n");
 }
 
@@ -1277,7 +1363,7 @@ static void list_plugins(FILE *out)
 						fprintf(out, "        %s\n", str);
 						break;
 					case FEATURE_SDEPEND:
-						fprintf(out, "        %s(soft)\n", str);
+						fprintf(out, "        %s (soft)\n", str);
 						break;
 					default:
 						break;
@@ -1285,6 +1371,7 @@ static void list_plugins(FILE *out)
 				free(str);
 			}
 		}
+		list->destroy(list);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -1450,16 +1537,21 @@ stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
 
 	INIT(this,
 		.public = {
-
 			.list = _list,
 			.status = _status,
 			.leases = _leases,
 			.destroy = _destroy,
 		},
 		.uptime = time_monotonic(NULL),
+		.swan = "strong",
 		.attribute = attribute,
 	);
 
+	if (lib->settings->get_bool(lib->settings,
+		"charon.i_dont_care_about_security_and_use_aggressive_mode_psk", FALSE))
+	{
+		this->swan = "weak";
+	}
+
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 2884db4bf..31df1f99b 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -42,10 +42,46 @@ METHOD(plugin_t, get_name, char*,
 	return "stroke";
 }
 
+/**
+ * Register stroke plugin features
+ */
+static bool register_stroke(private_stroke_plugin_t *this,
+							plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		this->socket = stroke_socket_create();
+		return this->socket != NULL;
+	}
+	else
+	{
+		DESTROY_IF(this->socket);
+		return TRUE;
+	}
+}
+
+METHOD(plugin_t, get_features, int,
+	private_stroke_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)register_stroke, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "stroke"),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_AC),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_stroke_plugin_t *this)
 {
-	this->socket->destroy(this->socket);
 	free(this);
 }
 
@@ -61,17 +97,11 @@ plugin_t *stroke_plugin_create()
 			.plugin = {
 				.get_name = _get_name,
 				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.socket = stroke_socket_create(),
 	);
 
-	if (this->socket == NULL)
-	{
-		free(this);
-		return NULL;
-	}
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 57648feb8..88f73f3b0 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -26,18 +26,15 @@
 
 #include <hydra.h>
 #include <daemon.h>
-#include <threading/mutex.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/callback_job.h>
 
 #include "stroke_config.h"
 #include "stroke_control.h"
 #include "stroke_cred.h"
 #include "stroke_ca.h"
 #include "stroke_attribute.h"
+#include "stroke_handler.h"
 #include "stroke_list.h"
+#include "stroke_counter.h"
 
 /**
  * To avoid clogging the thread pool with (blocking) jobs, we limit the number
@@ -59,44 +56,9 @@ struct private_stroke_socket_t {
 	stroke_socket_t public;
 
 	/**
-	 * Unix socket to listen for strokes
+	 * Service accepting stroke connections
 	 */
-	int socket;
-
-	/**
-	 * job accepting stroke messages
-	 */
-	callback_job_t *receiver;
-
-	/**
-	 * job handling stroke messages
-	 */
-	callback_job_t *handler;
-
-	/**
-	 * queued stroke commands
-	 */
-	linked_list_t *commands;
-
-	/**
-	 * lock for command list
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * condvar to signal the arrival or completion of commands
-	 */
-	condvar_t *condvar;
-
-	/**
-	 * the number of currently handled commands
-	 */
-	u_int handling;
-
-	/**
-	 * the maximum number of concurrently handled commands
-	 */
-	u_int max_concurrent;
+	stream_service_t *service;
 
 	/**
 	 * configuration backend
@@ -109,6 +71,11 @@ struct private_stroke_socket_t {
 	stroke_attribute_t *attribute;
 
 	/**
+	 * attribute handler (requests only)
+	 */
+	stroke_handler_t *handler;
+
+	/**
 	 * controller to control daemon
 	 */
 	stroke_control_t *control;
@@ -127,22 +94,11 @@ struct private_stroke_socket_t {
 	 * status information logging
 	 */
 	stroke_list_t *list;
-};
-
-/**
- * job context to pass to processing thread
- */
-struct stroke_job_context_t {
 
 	/**
-	 * file descriptor to read from
+	 * Counter values for IKE events
 	 */
-	int fd;
-
-	/**
-	 * global stroke interface
-	 */
-	private_stroke_socket_t *this;
+	stroke_counter_t *counter;
 };
 
 /**
@@ -181,6 +137,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->address);
 	pop_string(msg, &end->subnets);
 	pop_string(msg, &end->sourceip);
+	pop_string(msg, &end->dns);
 	pop_string(msg, &end->auth);
 	pop_string(msg, &end->auth2);
 	pop_string(msg, &end->id);
@@ -191,12 +148,14 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	pop_string(msg, &end->ca);
 	pop_string(msg, &end->ca2);
 	pop_string(msg, &end->groups);
+	pop_string(msg, &end->groups2);
 	pop_string(msg, &end->cert_policy);
 	pop_string(msg, &end->updown);
 
 	DBG2(DBG_CFG, "  %s=%s", label, end->address);
 	DBG2(DBG_CFG, "  %ssubnet=%s", label, end->subnets);
 	DBG2(DBG_CFG, "  %ssourceip=%s", label, end->sourceip);
+	DBG2(DBG_CFG, "  %sdns=%s", label, end->dns);
 	DBG2(DBG_CFG, "  %sauth=%s", label, end->auth);
 	DBG2(DBG_CFG, "  %sauth2=%s", label, end->auth2);
 	DBG2(DBG_CFG, "  %sid=%s", label, end->id);
@@ -207,6 +166,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 	DBG2(DBG_CFG, "  %sca=%s", label, end->ca);
 	DBG2(DBG_CFG, "  %sca2=%s", label, end->ca2);
 	DBG2(DBG_CFG, "  %sgroups=%s", label, end->groups);
+	DBG2(DBG_CFG, "  %sgroups2=%s", label, end->groups2);
 	DBG2(DBG_CFG, "  %supdown=%s", label, end->updown);
 }
 
@@ -223,23 +183,28 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 	pop_end(msg, "right", &msg->add_conn.other);
 	pop_string(msg, &msg->add_conn.eap_identity);
 	pop_string(msg, &msg->add_conn.aaa_identity);
+	pop_string(msg, &msg->add_conn.xauth_identity);
 	pop_string(msg, &msg->add_conn.algorithms.ike);
 	pop_string(msg, &msg->add_conn.algorithms.esp);
 	pop_string(msg, &msg->add_conn.ikeme.mediated_by);
 	pop_string(msg, &msg->add_conn.ikeme.peerid);
 	DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
 	DBG2(DBG_CFG, "  aaa_identity=%s", msg->add_conn.aaa_identity);
+	DBG2(DBG_CFG, "  xauth_identity=%s", msg->add_conn.xauth_identity);
 	DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
 	DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
 	DBG2(DBG_CFG, "  dpddelay=%d", msg->add_conn.dpd.delay);
+	DBG2(DBG_CFG, "  dpdtimeout=%d", msg->add_conn.dpd.timeout);
 	DBG2(DBG_CFG, "  dpdaction=%d", msg->add_conn.dpd.action);
 	DBG2(DBG_CFG, "  closeaction=%d", msg->add_conn.close_action);
 	DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
 	DBG2(DBG_CFG, "  mediated_by=%s", msg->add_conn.ikeme.mediated_by);
 	DBG2(DBG_CFG, "  me_peerid=%s", msg->add_conn.ikeme.peerid);
+	DBG2(DBG_CFG, "  keyexchange=ikev%u", msg->add_conn.version);
 
 	this->config->add(this->config, msg);
-	this->attribute->add_pool(this->attribute, msg);
+	this->attribute->add_dns(this->attribute, msg);
+	this->handler->add_attributes(this->handler, msg);
 }
 
 /**
@@ -251,7 +216,8 @@ static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 	DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
 
 	this->config->del(this->config, msg);
-	this->attribute->del_pool(this->attribute, msg);
+	this->attribute->del_dns(this->attribute, msg);
+	this->handler->del_attributes(this->handler, msg);
 }
 
 /**
@@ -376,7 +342,8 @@ static void stroke_status(private_stroke_socket_t *this,
 /**
  * list various information
  */
-static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg,
+						FILE *out)
 {
 	if (msg->list.flags & LIST_CAINFOS)
 	{
@@ -419,6 +386,20 @@ static void stroke_purge(private_stroke_socket_t *this,
 }
 
 /**
+ * Print a certificate in PEM to out
+ */
+static void print_pem_cert(FILE *out, certificate_t *cert)
+{
+	chunk_t encoded;
+
+	if (cert->get_encoding(cert, CERT_PEM, &encoded))
+	{
+		fprintf(out, "%.*s", (int)encoded.len, encoded.ptr);
+		free(encoded.ptr);
+	}
+}
+
+/**
  * Export in-memory credentials
  */
 static void stroke_export(private_stroke_socket_t *this,
@@ -431,22 +412,67 @@ static void stroke_export(private_stroke_socket_t *this,
 		enumerator_t *enumerator;
 		identification_t *id;
 		certificate_t *cert;
-		chunk_t encoded;
 
 		id = identification_create_from_string(msg->export.selector);
 		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
 												CERT_X509, KEY_ANY, id, FALSE);
 		while (enumerator->enumerate(enumerator, &cert))
 		{
-			if (cert->get_encoding(cert, CERT_PEM, &encoded))
-			{
-				fprintf(out, "%.*s", (int)encoded.len, encoded.ptr);
-				free(encoded.ptr);
-			}
+			print_pem_cert(out, cert);
 		}
 		enumerator->destroy(enumerator);
 		id->destroy(id);
 	}
+
+	if (msg->export.flags & (EXPORT_CONN_CERT | EXPORT_CONN_CHAIN))
+	{
+		enumerator_t *sas, *auths, *certs;
+		ike_sa_t *ike_sa;
+		auth_cfg_t *auth;
+		certificate_t *cert;
+		auth_rule_t rule;
+
+		sas = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+		while (sas->enumerate(sas, &ike_sa))
+		{
+			if (streq(msg->export.selector, ike_sa->get_name(ike_sa)))
+			{
+				auths = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+				while (auths->enumerate(auths, &auth))
+				{
+					bool got_subject = FALSE;
+
+					certs = auth->create_enumerator(auth);
+					while (certs->enumerate(certs, &rule, &cert))
+					{
+						switch (rule)
+						{
+							case AUTH_RULE_CA_CERT:
+							case AUTH_RULE_IM_CERT:
+								if (msg->export.flags & EXPORT_CONN_CHAIN)
+								{
+									print_pem_cert(out, cert);
+								}
+								break;
+							case AUTH_RULE_SUBJECT_CERT:
+								if (!got_subject)
+								{
+									print_pem_cert(out, cert);
+									got_subject = TRUE;
+								}
+								break;
+							default:
+								break;
+						}
+					}
+					certs->destroy(certs);
+				}
+				auths->destroy(auths);
+			}
+		}
+		sas->destroy(sas);
+	}
 }
 
 /**
@@ -489,39 +515,49 @@ static void stroke_user_creds(private_stroke_socket_t *this,
 }
 
 /**
+ * Print stroke counter values
+ */
+static void stroke_counters(private_stroke_socket_t *this,
+							  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->counters.name);
+
+	if (msg->counters.reset)
+	{
+		this->counter->reset(this->counter, msg->counters.name);
+	}
+	else
+	{
+		this->counter->print(this->counter, out, msg->counters.name);
+	}
+}
+
+/**
  * set the verbosity debug output
  */
 static void stroke_loglevel(private_stroke_socket_t *this,
 							stroke_msg_t *msg, FILE *out)
 {
-	enumerator_t *enumerator;
-	sys_logger_t *sys_logger;
-	file_logger_t *file_logger;
 	debug_t group;
 
 	pop_string(msg, &(msg->loglevel.type));
 	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
 		 msg->loglevel.level, msg->loglevel.type);
 
-	group = enum_from_name(debug_names, msg->loglevel.type);
-	if ((int)group < 0)
+	if (strcaseeq(msg->loglevel.type, "any"))
 	{
-		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
-		return;
-	}
-	/* we set the loglevel on ALL sys- and file-loggers */
-	enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
-	while (enumerator->enumerate(enumerator, &sys_logger))
-	{
-		sys_logger->set_level(sys_logger, group, msg->loglevel.level);
+		group = DBG_ANY;
 	}
-	enumerator->destroy(enumerator);
-	enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
-	while (enumerator->enumerate(enumerator, &file_logger))
+	else
 	{
-		file_logger->set_level(file_logger, group, msg->loglevel.level);
+		group = enum_from_name(debug_names, msg->loglevel.type);
+		if ((int)group < 0)
+		{
+			fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+			return;
+		}
 	}
-	enumerator->destroy(enumerator);
+	charon->set_level(charon, group, msg->loglevel.level);
 }
 
 /**
@@ -534,68 +570,47 @@ static void stroke_config(private_stroke_socket_t *this,
 }
 
 /**
- * destroy a job context
+ * process a stroke request
  */
-static void stroke_job_context_destroy(stroke_job_context_t *this)
-{
-	if (this->fd)
-	{
-		close(this->fd);
-	}
-	free(this);
-}
-
-/**
- * called to signal the completion of a command
- */
-static inline job_requeue_t job_processed(private_stroke_socket_t *this)
-{
-	this->mutex->lock(this->mutex);
-	this->handling--;
-	this->condvar->signal(this->condvar);
-	this->mutex->unlock(this->mutex);
-	return JOB_REQUEUE_NONE;
-}
-
-/**
- * process a stroke request from the socket pointed by "fd"
- */
-static job_requeue_t process(stroke_job_context_t *ctx)
+static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
 {
 	stroke_msg_t *msg;
-	u_int16_t msg_length;
-	ssize_t bytes_read;
+	u_int16_t len;
 	FILE *out;
-	private_stroke_socket_t *this = ctx->this;
-	int strokefd = ctx->fd;
 
-	/* peek the length */
-	bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
-	if (bytes_read != sizeof(msg_length))
+	/* read length */
+	if (!stream->read_all(stream, &len, sizeof(len)))
 	{
-		DBG1(DBG_CFG, "reading length of stroke message failed: %s",
-			 strerror(errno));
-		return job_processed(this);
+		if (errno != EWOULDBLOCK)
+		{
+			DBG1(DBG_CFG, "reading length of stroke message failed: %s",
+				 strerror(errno));
+		}
+		return FALSE;
 	}
 
 	/* read message */
-	msg = alloca(msg_length);
-	bytes_read = recv(strokefd, msg, msg_length, 0);
-	if (bytes_read != msg_length)
+	msg = malloc(len);
+	msg->length = len;
+	if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
 	{
-		DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
-		return job_processed(this);
+		if (errno != EWOULDBLOCK)
+		{
+			DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
+		}
+		free(msg);
+		return FALSE;
 	}
 
-	out = fdopen(strokefd, "w+");
-	if (out == NULL)
+	DBG3(DBG_CFG, "stroke message %b", (void*)msg, len);
+
+	out = stream->get_file(stream);
+	if (!out)
 	{
-		DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
-		return job_processed(this);
+		DBG1(DBG_CFG, "creating stroke output stream failed");
+		free(msg);
+		return FALSE;
 	}
-
-	DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-
 	switch (msg->type)
 	{
 		case STR_INITIATE:
@@ -664,138 +679,36 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		case STR_USER_CREDS:
 			stroke_user_creds(this, msg, out);
 			break;
+		case STR_COUNTERS:
+			stroke_counters(this, msg, out);
+			break;
 		default:
 			DBG1(DBG_CFG, "received unknown stroke");
 			break;
 	}
+	free(msg);
 	fclose(out);
-	/* fclose() closes underlying FD */
-	ctx->fd = 0;
-	return job_processed(this);
-}
-
-/**
- * Handle queued stroke commands
- */
-static job_requeue_t handle(private_stroke_socket_t *this)
-{
-	stroke_job_context_t *ctx;
-	callback_job_t *job;
-	bool oldstate;
-
-	this->mutex->lock(this->mutex);
-	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
-	oldstate = thread_cancelability(TRUE);
-	while (this->commands->get_count(this->commands) == 0 ||
-		   this->handling >= this->max_concurrent)
-	{
-		this->condvar->wait(this->condvar, this->mutex);
-	}
-	thread_cancelability(oldstate);
-	this->commands->remove_first(this->commands, (void**)&ctx);
-	this->handling++;
-	thread_cleanup_pop(TRUE);
-	job = callback_job_create_with_prio((callback_job_cb_t)process, ctx,
-			(void*)stroke_job_context_destroy, this->handler, JOB_PRIO_HIGH);
-	lib->processor->queue_job(lib->processor, (job_t*)job);
-	return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Accept stroke commands and queue them to be handled
- */
-static job_requeue_t receive(private_stroke_socket_t *this)
-{
-	struct sockaddr_un strokeaddr;
-	int strokeaddrlen = sizeof(strokeaddr);
-	int strokefd;
-	bool oldstate;
-	stroke_job_context_t *ctx;
-
-	oldstate = thread_cancelability(TRUE);
-	strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
-	thread_cancelability(oldstate);
-
-	if (strokefd < 0)
-	{
-		DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
-		return JOB_REQUEUE_FAIR;
-	}
-
-	INIT(ctx,
-		.fd = strokefd,
-		.this = this,
-	);
-	this->mutex->lock(this->mutex);
-	this->commands->insert_last(this->commands, ctx);
-	this->condvar->signal(this->condvar);
-	this->mutex->unlock(this->mutex);
-
-	return JOB_REQUEUE_FAIR;
-}
-
-/**
- * initialize and open stroke socket
- */
-static bool open_socket(private_stroke_socket_t *this)
-{
-	struct sockaddr_un socket_addr;
-	mode_t old;
-
-	socket_addr.sun_family = AF_UNIX;
-	strcpy(socket_addr.sun_path, STROKE_SOCKET);
-
-	/* set up unix socket */
-	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "could not create stroke socket");
-		return FALSE;
-	}
-
-	unlink(socket_addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
-	{
-		DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(socket_addr.sun_path, charon->uid, charon->gid) != 0)
-	{
-		DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
-			 strerror(errno));
-	}
-
-	if (listen(this->socket, 10) < 0)
-	{
-		DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
-		close(this->socket);
-		unlink(socket_addr.sun_path);
-		return FALSE;
-	}
-	return TRUE;
+	return FALSE;
 }
 
 METHOD(stroke_socket_t, destroy, void,
 	private_stroke_socket_t *this)
 {
-	this->handler->cancel(this->handler);
-	this->receiver->cancel(this->receiver);
-	this->commands->destroy_function(this->commands, (void*)stroke_job_context_destroy);
-	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
+	DESTROY_IF(this->service);
 	lib->credmgr->remove_set(lib->credmgr, &this->ca->set);
 	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
+	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+	charon->bus->remove_listener(charon->bus, &this->counter->listener);
 	this->cred->destroy(this->cred);
 	this->ca->destroy(this->ca);
 	this->config->destroy(this->config);
 	this->attribute->destroy(this->attribute);
+	this->handler->destroy(this->handler);
 	this->control->destroy(this->control);
 	this->list->destroy(this->list);
+	this->counter->destroy(this->counter);
 	free(this);
 }
 
@@ -805,6 +718,8 @@ METHOD(stroke_socket_t, destroy, void,
 stroke_socket_t *stroke_socket_create()
 {
 	private_stroke_socket_t *this;
+	int max_concurrent;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -812,38 +727,36 @@ stroke_socket_t *stroke_socket_create()
 		},
 	);
 
-	if (!open_socket(this))
-	{
-		free(this);
-		return NULL;
-	}
-
 	this->cred = stroke_cred_create();
 	this->attribute = stroke_attribute_create();
+	this->handler = stroke_handler_create();
 	this->ca = stroke_ca_create(this->cred);
-	this->config = stroke_config_create(this->ca, this->cred);
+	this->config = stroke_config_create(this->ca, this->cred, this->attribute);
 	this->control = stroke_control_create();
 	this->list = stroke_list_create(this->attribute);
-
-	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-	this->commands = linked_list_create();
-	this->max_concurrent = lib->settings->get_int(lib->settings,
-				"charon.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT);
+	this->counter = stroke_counter_create();
 
 	lib->credmgr->add_set(lib->credmgr, &this->ca->set);
 	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
-
-	this->receiver = callback_job_create_with_prio((callback_job_cb_t)receive,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->receiver);
-
-	this->handler = callback_job_create_with_prio((callback_job_cb_t)handle,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->handler);
+	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+	charon->bus->add_listener(charon->bus, &this->counter->listener);
+
+	max_concurrent = lib->settings->get_int(lib->settings,
+			"%s.plugins.stroke.max_concurrent", MAX_CONCURRENT_DEFAULT,
+			charon->name);
+	uri = lib->settings->get_str(lib->settings,
+			"%s.plugins.stroke.socket", "unix://" STROKE_SOCKET, charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
+	{
+		DBG1(DBG_CFG, "creating stroke socket failed");
+		destroy(this);
+		return NULL;
+	}
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, max_concurrent);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/systime_fix/Makefile.am b/src/libcharon/plugins/systime_fix/Makefile.am
new file mode 100644
index 000000000..40a346440
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-systime-fix.la
+else
+plugin_LTLIBRARIES = libstrongswan-systime-fix.la
+endif
+
+libstrongswan_systime_fix_la_SOURCES = \
+	systime_fix_validator.h systime_fix_validator.c \
+	systime_fix_plugin.h systime_fix_plugin.c
+
+libstrongswan_systime_fix_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
new file mode 100644
index 000000000..de4ef8b36
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -0,0 +1,684 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/systime_fix
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_systime_fix_la_LIBADD =
+am_libstrongswan_systime_fix_la_OBJECTS = systime_fix_validator.lo \
+	systime_fix_plugin.lo
+libstrongswan_systime_fix_la_OBJECTS =  \
+	$(am_libstrongswan_systime_fix_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_systime_fix_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_systime_fix_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_systime_fix_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_systime_fix_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_systime_fix_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_systime_fix_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-systime-fix.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-systime-fix.la
+libstrongswan_systime_fix_la_SOURCES = \
+	systime_fix_validator.h systime_fix_validator.c \
+	systime_fix_plugin.h systime_fix_plugin.c
+
+libstrongswan_systime_fix_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/systime_fix/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/systime_fix/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-systime-fix.la: $(libstrongswan_systime_fix_la_OBJECTS) $(libstrongswan_systime_fix_la_DEPENDENCIES) $(EXTRA_libstrongswan_systime_fix_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_systime_fix_la_LINK) $(am_libstrongswan_systime_fix_la_rpath) $(libstrongswan_systime_fix_la_OBJECTS) $(libstrongswan_systime_fix_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/systime_fix_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/systime_fix_validator.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
new file mode 100644
index 000000000..c8596114c
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c
@@ -0,0 +1,283 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "systime_fix_plugin.h"
+#include "systime_fix_validator.h"
+
+#include <daemon.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+#include <time.h>
+
+/**
+ * Defining _XOPEN_SOURCE is difficult with libstrongswan includes,
+ * declare function explicitly.
+ */
+char *strptime(const char *s, const char *format, struct tm *tm);
+
+typedef struct private_systime_fix_plugin_t private_systime_fix_plugin_t;
+
+/**
+ * Private data of systime_fix plugin
+ */
+struct private_systime_fix_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	systime_fix_plugin_t public;
+
+	/**
+	 * Certificate lifetime validator
+	 */
+	systime_fix_validator_t *validator;
+
+	/**
+	 * Interval we check for a now-valid system time, in seconds. 0 if disabled
+	 */
+	u_int interval;
+
+	/**
+	 * Timestamp where we start considering system time valid
+	 */
+	time_t threshold;
+
+	/**
+	 * Do we trigger reauth or delete when finding expired certificates?
+	 */
+	bool reauth;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_systime_fix_plugin_t *this)
+{
+	return "systime-fix";
+}
+
+/**
+ * Check if all certificates associated to an IKE_SA have valid lifetimes
+ */
+static bool has_invalid_certs(ike_sa_t *ike_sa)
+{
+	enumerator_t *cfgs, *items;
+	certificate_t *cert;
+	auth_rule_t type;
+	auth_cfg_t *auth;
+	time_t not_before, not_after;
+	bool valid = TRUE;
+
+	cfgs = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+	while (valid && cfgs->enumerate(cfgs, &auth))
+	{
+		items = auth->create_enumerator(auth);
+		while (valid && items->enumerate(items, &type, &cert))
+		{
+			switch (type)
+			{
+				case AUTH_RULE_SUBJECT_CERT:
+				case AUTH_RULE_IM_CERT:
+				case AUTH_RULE_CA_CERT:
+					if (!cert->get_validity(cert, NULL, &not_before, &not_after))
+					{
+						DBG1(DBG_CFG, "certificate '%Y' invalid "
+							"(valid from %T to %T)", cert->get_subject(cert),
+							 &not_before, FALSE, &not_after, FALSE);
+						valid = FALSE;
+					}
+					break;
+				default:
+					break;
+			}
+		}
+		items->destroy(items);
+	}
+	cfgs->destroy(cfgs);
+
+	if (valid)
+	{
+		DBG1(DBG_CFG, "all certificates have valid lifetimes");
+	}
+	return !valid;
+}
+
+/**
+ * Check system time, reevaluate certificates
+ */
+static job_requeue_t check_systime(private_systime_fix_plugin_t *this)
+{
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	char *action;
+	job_t *job;
+
+	if (time(NULL) < this->threshold)
+	{
+		DBG2(DBG_CFG, "systime not valid, rechecking in %ds", this->interval);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+					callback_job_create((callback_job_cb_t)check_systime, this,
+										NULL, NULL), this->interval);
+		return JOB_REQUEUE_NONE;
+	}
+
+	DBG1(DBG_CFG, "system time got valid, rechecking certificates");
+
+	enumerator = charon->ike_sa_manager->create_enumerator(
+												charon->ike_sa_manager, TRUE);
+	while (enumerator->enumerate(enumerator, &ike_sa))
+	{
+		if (has_invalid_certs(ike_sa))
+		{
+			if (this->reauth)
+			{
+				action = "reauthenticating";
+				job = &rekey_ike_sa_job_create(ike_sa->get_id(ike_sa),
+											   TRUE)->job_interface;
+			}
+			else
+			{
+				action = "deleting";
+				job = &delete_ike_sa_job_create(ike_sa->get_id(ike_sa),
+												TRUE)->job_interface;
+			}
+			DBG1(DBG_CFG, "%s[%d] has certificates not valid, %s IKE_SA",
+				 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+				 action);
+			lib->processor->queue_job(lib->processor, job);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Load cert lifetime validator configuration
+ */
+static bool load_validator(private_systime_fix_plugin_t *this)
+{
+	struct tm tm = {
+		.tm_mday = 1,
+	};
+	char *str, *fmt;
+
+	fmt = lib->settings->get_str(lib->settings,
+			"%s.plugins.%s.threshold_format", "%Y", charon->name, get_name(this));
+	str = lib->settings->get_str(lib->settings,
+			"%s.plugins.%s.threshold", NULL, charon->name, get_name(this));
+	if (!str)
+	{
+		DBG1(DBG_CFG, "no threshold configured for %s, disabled",
+			 get_name(this));
+		return FALSE;
+	}
+	if (strptime(str, fmt, &tm) == NULL)
+	{
+		DBG1(DBG_CFG, "threshold for %s invalid, disabled", get_name(this));
+		return FALSE;
+	}
+	this->threshold = mktime(&tm);
+	if (this->threshold == -1)
+	{
+		DBG1(DBG_CFG, "converting threshold for %s failed, disabled",
+			 get_name(this));
+		return FALSE;
+	}
+	if (time(NULL) >= this->threshold)
+	{
+		DBG1(DBG_CFG, "system time looks good, disabling %s", get_name(this));
+		return FALSE;
+	}
+
+	DBG1(DBG_CFG, "enabling %s, threshold: %s", get_name(this), asctime(&tm));
+	this->validator = systime_fix_validator_create(this->threshold);
+	return TRUE;
+}
+
+/**
+ * Load validator
+ */
+static bool plugin_cb(private_systime_fix_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		if (!load_validator(this))
+		{
+			return FALSE;
+		}
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+		if (this->interval != 0)
+		{
+			DBG1(DBG_CFG, "starting systime check, interval: %ds",
+				 this->interval);
+			lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+					callback_job_create((callback_job_cb_t)check_systime,
+										this, NULL, NULL), this->interval);
+		}
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+		this->validator->destroy(this->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_systime_fix_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "systime-fix"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_systime_fix_plugin_t *this)
+{
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *systime_fix_plugin_create()
+{
+	private_systime_fix_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.interval = lib->settings->get_int(lib->settings,
+				"%s.plugins.%s.interval", 0, charon->name, get_name(this)),
+		.reauth = lib->settings->get_bool(lib->settings,
+				"%s.plugins.%s.reauth", FALSE, charon->name, get_name(this)),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.h b/src/libcharon/plugins/systime_fix/systime_fix_plugin.h
new file mode 100644
index 000000000..402659539
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup systime_fix systime_fix
+ * @ingroup cplugins
+ *
+ * @defgroup systime_fix_plugin systime_fix_plugin
+ * @{ @ingroup systime_fix
+ */
+
+#ifndef SYSTIME_FIX_PLUGIN_H_
+#define SYSTIME_FIX_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct systime_fix_plugin_t systime_fix_plugin_t;
+
+/**
+ * Plugin handling cert lifetimes gracefully if system time is out of sync.
+ */
+struct systime_fix_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SYSTIME_FIX_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_validator.c b/src/libcharon/plugins/systime_fix/systime_fix_validator.c
new file mode 100644
index 000000000..340e86cbc
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_validator.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "systime_fix_validator.h"
+
+#include <errno.h>
+#include <time.h>
+
+#include <daemon.h>
+
+typedef struct private_systime_fix_validator_t private_systime_fix_validator_t;
+
+/**
+ * Private data of an systime_fix_validator_t object.
+ */
+struct private_systime_fix_validator_t {
+
+	/**
+	 * Public systime_fix_validator_t interface.
+	 */
+	systime_fix_validator_t public;
+
+	/**
+	 * Timestamp where we start to consider system time valid
+	 */
+	time_t threshold;
+};
+
+METHOD(cert_validator_t, check_lifetime, status_t,
+	private_systime_fix_validator_t *this, certificate_t *cert,
+	int pathlen, bool anchor, auth_cfg_t *auth)
+{
+	if (time(NULL) < this->threshold)
+	{
+		/* our system time seems to be invalid, accept certificate */
+		if (pathlen)
+		{	/* report only once per validated chain */
+			DBG1(DBG_CFG, "system time out of sync, skipping certificate "
+				 "lifetime check");
+		}
+		return SUCCESS;
+	}
+	/* validate this certificate normally */
+	return NEED_MORE;
+}
+
+METHOD(systime_fix_validator_t, destroy, void,
+	private_systime_fix_validator_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+systime_fix_validator_t *systime_fix_validator_create(time_t threshold)
+{
+	private_systime_fix_validator_t *this;
+
+	INIT(this,
+		.public = {
+			.validator = {
+				.check_lifetime = _check_lifetime,
+			},
+			.destroy = _destroy,
+		},
+		.threshold = threshold,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/systime_fix/systime_fix_validator.h b/src/libcharon/plugins/systime_fix/systime_fix_validator.h
new file mode 100644
index 000000000..3e651fd91
--- /dev/null
+++ b/src/libcharon/plugins/systime_fix/systime_fix_validator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup systime_fix_validator systime_fix_validator
+ * @{ @ingroup systime_fix
+ */
+
+#ifndef SYSTIME_FIX_VALIDATOR_H_
+#define SYSTIME_FIX_VALIDATOR_H_
+
+#include <credentials/cert_validator.h>
+
+typedef struct systime_fix_validator_t systime_fix_validator_t;
+
+/**
+ * Validator that accepts cert lifetimes if system time is out of sync.
+ */
+struct systime_fix_validator_t {
+
+	/**
+	 * Implements cert_validator_t interface.
+	 */
+	cert_validator_t validator;
+
+	/**
+	 * Destroy a systime_fix_validator_t.
+	 */
+	void (*destroy)(systime_fix_validator_t *this);
+};
+
+/**
+ * Create a systime_fix_validator instance.
+ */
+systime_fix_validator_t *systime_fix_validator_create();
+
+#endif /** SYSTIME_FIX_VALIDATOR_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.am b/src/libcharon/plugins/tnc_ifmap/Makefile.am
index b8a57b119..dfbb1b632 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.am
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.am
@@ -1,10 +1,12 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${axis2c_CFLAGS}
-
-AM_CFLAGS = -rdynamic
-
-libstrongswan_tnc_ifmap_la_LIBADD = ${axis2c_LIBS} -laxutil -laxis2_engine -laxis2_http_sender
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-ifmap.la
@@ -12,10 +14,15 @@ else
 plugin_LTLIBRARIES = libstrongswan-tnc-ifmap.la
 endif
 
+libstrongswan_tnc_ifmap_la_LIBADD = \
+	$(top_builddir)/src/libtls/libtls.la ${xml_LIBS}
+
 libstrongswan_tnc_ifmap_la_SOURCES = \
 	tnc_ifmap_plugin.h tnc_ifmap_plugin.c \
 	tnc_ifmap_listener.h tnc_ifmap_listener.c \
-	tnc_ifmap_soap.h tnc_ifmap_soap.c
+	tnc_ifmap_soap.h tnc_ifmap_soap.c \
+	tnc_ifmap_soap_msg.h tnc_ifmap_soap_msg.c \
+	tnc_ifmap_http.h tnc_ifmap_http.c \
+	tnc_ifmap_renew_session_job.h tnc_ifmap_renew_session_job.c
 
 libstrongswan_tnc_ifmap_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 54deb7cd7..6bb68b32c 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,57 +90,93 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
-libstrongswan_tnc_ifmap_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+libstrongswan_tnc_ifmap_la_DEPENDENCIES =  \
+	$(top_builddir)/src/libtls/libtls.la $(am__DEPENDENCIES_1)
 am_libstrongswan_tnc_ifmap_la_OBJECTS = tnc_ifmap_plugin.lo \
-	tnc_ifmap_listener.lo tnc_ifmap_soap.lo
+	tnc_ifmap_listener.lo tnc_ifmap_soap.lo tnc_ifmap_soap_msg.lo \
+	tnc_ifmap_http.lo tnc_ifmap_renew_session_job.lo
 libstrongswan_tnc_ifmap_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_ifmap_la_OBJECTS)
-libstrongswan_tnc_ifmap_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_ifmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_ifmap_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_ifmap_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_ifmap_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_ifmap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_ifmap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -131,13 +185,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -150,6 +207,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,11 +235,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -189,6 +249,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -197,8 +258,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -207,14 +266,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -228,17 +292,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -248,16 +312,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -285,17 +348,28 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon ${axis2c_CFLAGS}
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
-libstrongswan_tnc_ifmap_la_LIBADD = ${axis2c_LIBS} -laxutil -laxis2_engine -laxis2_http_sender
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-ifmap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-ifmap.la
+libstrongswan_tnc_ifmap_la_LIBADD = \
+	$(top_builddir)/src/libtls/libtls.la ${xml_LIBS}
+
 libstrongswan_tnc_ifmap_la_SOURCES = \
 	tnc_ifmap_plugin.h tnc_ifmap_plugin.c \
 	tnc_ifmap_listener.h tnc_ifmap_listener.c \
-	tnc_ifmap_soap.h tnc_ifmap_soap.c
+	tnc_ifmap_soap.h tnc_ifmap_soap.c \
+	tnc_ifmap_soap_msg.h tnc_ifmap_soap_msg.c \
+	tnc_ifmap_http.h tnc_ifmap_http.c \
+	tnc_ifmap_renew_session_job.h tnc_ifmap_renew_session_job.c
 
 libstrongswan_tnc_ifmap_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -343,7 +417,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -351,6 +424,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -372,8 +447,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-ifmap.la: $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_ifmap_la_LINK) $(am_libstrongswan_tnc_ifmap_la_rpath) $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_LIBADD) $(LIBS)
+libstrongswan-tnc-ifmap.la: $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_ifmap_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnc_ifmap_la_LINK) $(am_libstrongswan_tnc_ifmap_la_rpath) $(libstrongswan_tnc_ifmap_la_OBJECTS) $(libstrongswan_tnc_ifmap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -381,30 +456,33 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_http.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_listener.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_renew_session_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_soap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_ifmap_soap_msg.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -511,10 +589,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
new file mode 100644
index 000000000..001a3fbee
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.c
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE /* for asprintf() */
+
+#include "tnc_ifmap_http.h"
+
+#include <utils/debug.h>
+#include <utils/lexparser.h>
+
+#include <stdio.h>
+
+typedef struct private_tnc_ifmap_http_t private_tnc_ifmap_http_t;
+
+/**
+ * Private data of an tnc_ifmap_http_t object.
+ */
+struct private_tnc_ifmap_http_t {
+
+	/**
+	 * Public tnc_ifmap_http_t interface.
+	 */
+	tnc_ifmap_http_t public;
+
+	/**
+	 * HTTPS Server URI with https:// prefix removed
+	 */
+	char *uri;
+
+	/**
+	 * Optional base64-encoded username:password for HTTP Basic Authentication
+	 */
+	chunk_t user_pass;
+
+	/**
+	 * HTTP chunked mode
+	 */
+	bool chunked;
+
+};
+
+METHOD(tnc_ifmap_http_t, build, status_t,
+	private_tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out)
+{
+	char *host, *path, *request, auth[128];
+	int len;
+
+	/* Duplicate host[/path] string since we are going to manipulate it */
+	len = strlen(this->uri) + 2;
+	host = malloc(len);
+	memset(host, '\0', len);
+	strcpy(host, this->uri);
+
+	/* Extract appended path or set to root */
+	path = strchr(host, '/');
+	if (!path)
+	{
+		path = host + len - 2;
+		*path = '/';
+	}
+
+	/* Use Basic Authentication? */
+	if (this->user_pass.len)
+	{
+		snprintf(auth, sizeof(auth), "Authorization: Basic %.*s\r\n",
+				(int)this->user_pass.len, this->user_pass.ptr);
+	}
+	else
+	{
+		*auth = '\0';
+	}
+
+	/* Write HTTP POST request, TODO break up into chunks */
+	len = asprintf(&request,
+			"POST %s HTTP/1.1\r\n"
+			"Host: %.*s\r\n"
+			"%s"
+			"Content-Type: application/soap+xml;charset=utf-8\r\n"
+			"Content-Length: %d\r\n"
+			"\r\n"
+			"%.*s", path, (int)(path-host), host, auth, (int)in->len,
+			(int)in->len, in->ptr);
+	free(host);
+
+	if (len == -1)
+	{
+		return FAILED;
+	}
+	*out = chunk_create(request, len);
+	DBG3(DBG_TLS, "sending HTTP POST request %B", out);
+
+	return SUCCESS;
+}
+
+static bool process_header(chunk_t *in, bool *chunked, u_int *content_len)
+{
+	chunk_t line, version, parameter;
+	int code;
+	u_int len;
+
+	/* Process HTTP protocol version */
+	if (!fetchline(in, &line) || !extract_token(&version, ' ', &line) ||
+		!match("HTTP/1.1", &version) || sscanf(line.ptr, "%d", &code) != 1)
+	{
+		DBG1(DBG_TNC, "malformed http response header");
+		return FALSE;
+	}
+	if (code != 200)
+	{
+		DBG1(DBG_TNC, "http response returns error code %d", code);
+		return FALSE;
+	}
+
+	*content_len = 0;
+	*chunked = FALSE;
+
+	/* Process HTTP header line by line until the HTTP body is reached */
+	while (fetchline(in, &line))
+	{
+		if (line.len == 0)
+		{
+			break;
+		}
+		if (extract_token(&parameter, ':', &line) && eat_whitespace(&line))
+		{
+			if (match("Content-Length", &parameter))
+			{
+				if (sscanf(line.ptr, "%u", &len) == 1)
+	 			{
+					*content_len = len;
+				}
+			}
+			else if (match("Transfer-Encoding", &parameter) &&
+					 match("chunked", &line))
+			{
+				*chunked = TRUE;
+			}
+		}
+	}
+
+	return TRUE;
+}
+
+METHOD(tnc_ifmap_http_t, process, status_t,
+	private_tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out)
+{
+	u_int len = 0;
+	chunk_t line, out_chunk;
+
+	DBG3(DBG_TLS, "receiving HTTP response %B", in);
+
+	if (!this->chunked)
+	{
+		if (!process_header(in, &this->chunked, &len))
+		{
+			return FAILED;
+		}
+	}
+
+	while (in->len)
+	{
+		if (this->chunked)
+		{
+			if (!fetchline(in, &line) || sscanf(line.ptr, "%x", &len) != 1)
+			{
+				return FAILED;
+			}
+			DBG3(DBG_TLS, "received HTTP response is chunked (%u bytes)", len);
+
+			/* Received last chunk? */
+			if (len == 0)
+			{
+				return SUCCESS;
+			}
+		}
+
+		/* Check size of of remaining HTTP body */
+		if (len > in->len)
+		{
+			DBG1(DBG_TNC, "insufficient data in HTTP body");
+			return FAILED;
+		}
+
+		if (this->chunked)
+		{
+			out_chunk = *in;
+			out_chunk.len = len;
+			*out = chunk_cat("mc", *out, out_chunk);
+			*in = chunk_skip(*in, len);
+			if (!fetchline(in, &line) || line.len > 0)
+			{
+				return FAILED;
+			}
+		}
+		else
+		{
+			if (len)
+			{
+				in->len = len;
+			}
+			*out = chunk_clone(*in);
+			return SUCCESS;
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tnc_ifmap_http_t, destroy, void,
+	private_tnc_ifmap_http_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tnc_ifmap_http_t *tnc_ifmap_http_create(char *uri, chunk_t user_pass)
+{
+	private_tnc_ifmap_http_t *this;
+
+	INIT(this,
+		.public = {
+			.build = _build,
+			.process = _process,
+			.destroy = _destroy,
+		},
+		.uri = uri,
+		.user_pass = user_pass,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h
new file mode 100644
index 000000000..3d3084744
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_http.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_ifmap_http tnc_ifmap_http
+ * @{ @ingroup tnc_ifmap 
+ */
+
+#ifndef TNC_IFMAP_HTTP_H_
+#define TNC_IFMAP_HTTP_H_
+
+#include <library.h>
+#include <tls_socket.h>
+
+#include <libxml/parser.h>
+
+typedef struct tnc_ifmap_http_t tnc_ifmap_http_t;
+
+/**
+ * Interface for building and processing HTTP messages
+ */
+struct tnc_ifmap_http_t {
+
+	/**
+	 * Build a HTTP POST message
+	 *
+	 * @param in			input data
+	 * @param out			HTTP POST request
+	 * @result				status return code
+	 */
+	status_t (*build)(tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out);
+
+	/**
+	 * Receive a HTTP [chunked] response
+	 *
+	 * @param in			[chunked] HTTP response
+	 * @param out			output data
+	 * @result				status return code
+	 */
+	status_t (*process)(tnc_ifmap_http_t *this, chunk_t *in, chunk_t *out);
+
+	/**
+	 * Destroy a tnc_ifmap_http_t object.
+	 */
+	void (*destroy)(tnc_ifmap_http_t *this);
+};
+
+/**
+ * Create a tnc_ifmap_http instance.
+ *
+ * @param uri			HTTPS URI with https:// prefix removed
+ * @param user_pass		Optional username:password for HTTP Basic Authentication
+ */
+tnc_ifmap_http_t *tnc_ifmap_http_create(char *uri, chunk_t user_pass);
+
+#endif /** TNC_IFMAP_HTTP_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index 4fd33696c..4ad19c530 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen 
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,10 +15,13 @@
 
 #include "tnc_ifmap_listener.h"
 #include "tnc_ifmap_soap.h"
+#include "tnc_ifmap_renew_session_job.h"
 
 #include <daemon.h>
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+#define IFMAP_RENEW_SESSION_INTERVAL	150
 
 typedef struct private_tnc_ifmap_listener_t private_tnc_ifmap_listener_t;
 
@@ -49,7 +52,7 @@ static bool publish_device_ip_addresses(private_tnc_ifmap_listener_t *this)
 	bool success = TRUE;
 
 	enumerator = hydra->kernel_interface->create_address_enumerator(
-							hydra->kernel_interface, FALSE, FALSE);
+									hydra->kernel_interface, ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, &host))
 	{
 		if (!this->ifmap->publish_device_ip(this->ifmap, host))
@@ -68,8 +71,8 @@ static bool publish_device_ip_addresses(private_tnc_ifmap_listener_t *this)
  */
 static bool reload_metadata(private_tnc_ifmap_listener_t *this)
 {
-	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
+	enumerator_t *enumerator;
 	bool success = TRUE;
 
 	enumerator = charon->controller->create_ike_sa_enumerator(
@@ -80,14 +83,15 @@ static bool reload_metadata(private_tnc_ifmap_listener_t *this)
 		{
 			continue;
 		}
-		if (!this->ifmap->publish_ike_sa(this->ifmap, ike_sa, TRUE))
+		if (!this->ifmap->publish_ike_sa(this->ifmap, ike_sa, TRUE) ||
+			!this->ifmap->publish_virtual_ips(this->ifmap, ike_sa, TRUE))
 		{
 			success = FALSE;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+
 	return success;
 }
 
@@ -101,6 +105,13 @@ METHOD(listener_t, ike_updown, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, assign_vips, bool,
+	private_tnc_ifmap_listener_t *this, ike_sa_t *ike_sa, bool assign)
+{
+	this->ifmap->publish_virtual_ips(this->ifmap, ike_sa, assign);
+	return TRUE;
+}
+
 METHOD(listener_t, alert, bool,
 	private_tnc_ifmap_listener_t *this, ike_sa_t *ike_sa, alert_t alert,
 	va_list args)
@@ -117,7 +128,14 @@ METHOD(listener_t, alert, bool,
 METHOD(tnc_ifmap_listener_t, destroy, void,
 	private_tnc_ifmap_listener_t *this)
 {
-	DESTROY_IF(this->ifmap);
+	if (this->ifmap)
+	{
+		if (this->ifmap->get_session_id(this->ifmap))
+		{
+			this->ifmap->endSession(this->ifmap);
+		}
+		this->ifmap->destroy(this->ifmap);
+	}
 	free(this);
 }
 
@@ -127,11 +145,14 @@ METHOD(tnc_ifmap_listener_t, destroy, void,
 tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload)
 {
 	private_tnc_ifmap_listener_t *this;
+	job_t *job;
+	u_int32_t reschedule;
 
 	INIT(this,
 		.public = {
 			.listener = {
 				.ike_updown = _ike_updown,
+				.assign_vips = _assign_vips,
 				.alert = _alert,
 			},
 			.destroy = _destroy,
@@ -168,6 +189,15 @@ tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload)
 		}
 	}
 
+	/* schedule periodic transmission of IF-MAP renewSession request */
+	reschedule =  lib->settings->get_int(lib->settings,
+						"%s.plugins.tnc-ifmap.renew_session_interval",
+						 IFMAP_RENEW_SESSION_INTERVAL, charon->name);
+
+	job = (job_t*)tnc_ifmap_renew_session_job_create(
+						this->ifmap->get_ref(this->ifmap), reschedule);
+	lib->scheduler->schedule_job(lib->scheduler, job, reschedule);
+
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h
index 878505b38..4ecccf4df 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
index de4d12e0b..85ad49bd8 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -42,6 +42,46 @@ METHOD(plugin_t, get_name, char*,
 	return "tnc-ifmap";
 }
 
+/**
+ * Register tnc_ifmap plugin features
+ */
+static bool register_tnc_ifmap(private_tnc_ifmap_plugin_t *this,
+								plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		this->listener = tnc_ifmap_listener_create(FALSE);
+		if (!this->listener)
+		{
+			return FALSE;
+		}
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		if (this->listener)
+		{
+			charon->bus->remove_listener(charon->bus, &this->listener->listener);
+			this->listener->destroy(this->listener);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	tnc_ifmap_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)register_tnc_ifmap, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "tnc-ifmap-2.1"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(CUSTOM, "stroke"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, reload, bool,
 	private_tnc_ifmap_plugin_t *this)
 {
@@ -56,19 +96,14 @@ METHOD(plugin_t, reload, bool,
 	{
 		return FALSE;
 	}
-
 	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
 	return TRUE;
 }
 
 METHOD(plugin_t, destroy, void,
 	private_tnc_ifmap_plugin_t *this)
 {
-	if (this->listener)
-	{
-		charon->bus->remove_listener(charon->bus, &this->listener->listener);
-		this->listener->destroy(this->listener);
-	}
 	free(this);
 }
 
@@ -83,17 +118,13 @@ plugin_t *tnc_ifmap_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
+				.get_features = _get_features,
 				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
-		.listener = tnc_ifmap_listener_create(FALSE),
 	);
 
-	if (this->listener)
-	{
-		charon->bus->add_listener(charon->bus, &this->listener->listener);
-	}
 	return &this->public.plugin;
 }
 
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h
index 8172be7c9..d3bba7f9c 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_plugin.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c
new file mode 100644
index 000000000..f2c00a528
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "tnc_ifmap_renew_session_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_tnc_ifmap_renew_session_job_t private_tnc_ifmap_renew_session_job_t;
+
+/**
+ * Private data
+ */
+struct private_tnc_ifmap_renew_session_job_t {
+
+	/**
+	 * public tnc_ifmap_renew_session_job_t interface
+	 */
+	tnc_ifmap_renew_session_job_t public;
+
+	/**
+	 * TNC IF-MAP 2.0 SOAP interface
+	 */
+	tnc_ifmap_soap_t *ifmap;
+
+	/**
+	 * Reschedule time interval in seconds
+	 */
+	u_int32_t reschedule;
+};
+
+METHOD(job_t, destroy, void,
+	private_tnc_ifmap_renew_session_job_t *this)
+{
+	this->ifmap->destroy(this->ifmap);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_tnc_ifmap_renew_session_job_t *this)
+{
+	char *session_id;
+
+	if (this->ifmap->orphaned(this->ifmap))
+	{
+		session_id = this->ifmap->get_session_id(this->ifmap);
+		DBG2(DBG_TNC, "removing orphaned ifmap renewSession job for '%s'",
+					   session_id);
+		return JOB_REQUEUE_NONE;
+	}
+	else
+	{
+		if (!this->ifmap->renewSession(this->ifmap))
+		{
+			DBG1(DBG_TNC, "sending ifmap renewSession failed");
+			/* TODO take some action */
+		}
+		return JOB_RESCHEDULE(this->reschedule);
+	}
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_tnc_ifmap_renew_session_job_t *this)
+{
+	return JOB_PRIO_MEDIUM;
+}
+
+/*
+ * Described in header
+ */
+tnc_ifmap_renew_session_job_t *tnc_ifmap_renew_session_job_create(
+								tnc_ifmap_soap_t *ifmap, u_int32_t reschedule)
+{
+	private_tnc_ifmap_renew_session_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.ifmap = ifmap,
+		.reschedule = reschedule,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h
new file mode 100644
index 000000000..91e8fe404
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_ifmap_renew_session_job tnc_ifmap_renew_session_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef TNC_IFMAP_RENEW_SESSION_JOB_H_
+#define TNC_IFMAP_RENEW_SESSION_JOB_H_
+
+typedef struct tnc_ifmap_renew_session_job_t tnc_ifmap_renew_session_job_t;
+
+#include "tnc_ifmap_soap.h"
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Job periodically sending an IF-MAP RenewSession request.
+ */
+struct tnc_ifmap_renew_session_job_t {
+
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates an tnc_ifmap_renew_session job.
+ *
+ * @param ifmap		TNC IF-MAP object
+ * @param reschedule	reschedule time in seconds
+ */
+tnc_ifmap_renew_session_job_t *tnc_ifmap_renew_session_job_create(
+								tnc_ifmap_soap_t *ifmap, u_int32_t reschedule);
+
+#endif /** TNC_IFMAP_RENEW_SESSION_JOB_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index 913cdab12..df7d2e2a1 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen 
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,20 +14,24 @@
  */
 
 #include "tnc_ifmap_soap.h"
+#include "tnc_ifmap_soap_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
+#include <daemon.h>
 
-#include <axis2_util.h>
-#include <axis2_client.h>
-#include <axis2_http_transport.h>
-#include <axis2_http_transport_sender.h>
-#include <axiom_soap.h>
+#include <tls_socket.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#define IFMAP_NS		"http://www.trustedcomputinggroup.org/2010/IFMAP/2"
+#define IFMAP_META_NS	"http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
+#define IFMAP_URI		"https://localhost:8444/imap"
+#define IFMAP_NO_FD		-1
 
-#define IFMAP_NS	  "http://www.trustedcomputinggroup.org/2010/IFMAP/2"
-#define IFMAP_META_NS "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
-#define IFMAP_LOGFILE "strongswan_ifmap.log"
-#define IFMAP_SERVER  "https://localhost:8443/"
-	
 typedef struct private_tnc_ifmap_soap_t private_tnc_ifmap_soap_t;
 
 /**
@@ -41,169 +45,156 @@ struct private_tnc_ifmap_soap_t {
 	tnc_ifmap_soap_t public;
 
 	/**
-	 * Axis2/C environment 
+	 * SOAP Session ID
 	 */
-	axutil_env_t *env;
+	xmlChar *session_id;
 
 	/**
-	 * Axis2 service client
+	 * IF-MAP Publisher ID
 	 */
-	axis2_svc_client_t* svc_client;
+	xmlChar *ifmap_publisher_id;
 
 	/**
-	 * SOAP Session ID
+	 * IF-MAP namespace
 	 */
-	char *session_id;
+	xmlNsPtr ns;
 
 	/**
-	 * IF-MAP Publisher ID
+	 * IF-MAP metadata namespace
 	 */
-	char *ifmap_publisher_id;
+	xmlNsPtr ns_meta;
 
 	/**
 	 * PEP and PDP device name
 	 */
 	char *device_name;
 
-};
-
-/**
- * Send request and receive result via SOAP
- */
-static axiom_element_t* send_receive(private_tnc_ifmap_soap_t *this,
-									 char *request_qname, axiom_node_t *request,
-									 char *receipt_qname, axiom_node_t **result)
-
-{
-    axiom_node_t *parent, *node;
-    axiom_element_t *parent_el, *el;
-	axutil_qname_t *qname;
+	/**
+	 * HTTPS Server URI with https:// prefix removed
+	 */
+	char *uri;
 
-	/* send request and receive result */
-	DBG2(DBG_TNC, "sending  ifmap %s", request_qname);
+	/**
+	 * Optional base64-encoded username:password for HTTP Basic Authentication
+	 */
+	chunk_t user_pass;
 
-	parent = axis2_svc_client_send_receive(this->svc_client, this->env, request);
-	if (!parent)
-	{
-		DBG1(DBG_TNC, "no ifmap %s received from MAP server", receipt_qname);
-		return NULL;
-	}
-	DBG2(DBG_TNC, "received ifmap %s", receipt_qname);
+	/**
+	 * IF-MAP Server (IP address and port)
+	 */
+	host_t *host;
 
-	/* extract the parent element */
-	parent_el = (axiom_element_t*)axiom_node_get_data_element(parent, this->env);
+	/**
+	 * TLS socket
+	 */
+	tls_socket_t *tls;
 
-	/* look for a child node with the given receipt qname */
-	qname = axutil_qname_create_from_string(this->env, strdup(receipt_qname));
-	el = axiom_element_get_first_child_with_qname(parent_el, this->env, qname,
-												  parent, &node);
-	axutil_qname_free(qname, this->env);
+	/**
+	 * File descriptor for secure TCP socket
+	 */
+	int fd;
 
-	if (el)
-	{
-		if (result)
-		{
-			*result = parent;
-		}
-		else
-		{
-			/* no further processing requested */
-			axiom_node_free_tree(parent, this->env);
-		}
-		return el;
-	}
-	DBG1(DBG_TNC, "child node with qname '%s' not found", receipt_qname);
+	/**
+	 * In memory credential set
+	 */
+	mem_cred_t *creds;
 
-	/* free parent in the error case */
-	axiom_node_free_tree(parent, this->env);
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
 
-	return NULL;
-}
+};
 
 METHOD(tnc_ifmap_soap_t, newSession, bool,
 	private_tnc_ifmap_soap_t *this)
 {
-    axiom_node_t *request, *result;
-    axiom_element_t *el;
-	axiom_namespace_t *ns;
-	axis2_char_t *value;
-
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, result;
 
-	/* build newSession request */
-    ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-    el = axiom_element_create(this->env, NULL, "newSession", ns, &request);
+	/*build newSession request */
+	request = xmlNewNode(NULL, "newSession");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
 
-	/* send newSession request and receive newSessionResult */
-	el = send_receive(this, "newSession", request, "newSessionResult", &result);
-	if (!el)
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	if (!soap_msg->post(soap_msg, request, "newSessionResult", &result))
 	{
+		soap_msg->destroy(soap_msg);
 		return FALSE;
 	}
 
-	/* get session-id */
-	value = axiom_element_get_attribute_value_by_name(el, this->env,
-								 "session-id");
-	this->session_id = strdup(value);
+	/* get session-id and ifmap-publisher-id properties */
+	this->session_id = xmlGetProp(result, "session-id");
+	this->ifmap_publisher_id = xmlGetProp(result, "ifmap-publisher-id");
+	soap_msg->destroy(soap_msg);
 
-	/* get ifmap-publisher-id */
-	value = axiom_element_get_attribute_value_by_name(el, this->env,
-								 "ifmap-publisher-id");
-	this->ifmap_publisher_id = strdup(value);
-
-	DBG1(DBG_TNC, "session-id: %s, ifmap-publisher-id: %s",
+	DBG1(DBG_TNC, "created ifmap session '%s' as publisher '%s'",
 				   this->session_id, this->ifmap_publisher_id);
 
 	/* set PEP and PDP device name (defaults to IF-MAP Publisher ID) */
 	this->device_name = lib->settings->get_str(lib->settings,
-								"charon.plugins.tnc-ifmap.device_name",
-								 this->ifmap_publisher_id);
+									"%s.plugins.tnc-ifmap.device_name",
+									 this->ifmap_publisher_id, charon->name);
 	this->device_name = strdup(this->device_name);
 
-	/* free result */
-	axiom_node_free_tree(result, this->env);
-
     return this->session_id && this->ifmap_publisher_id;
 }
 
+METHOD(tnc_ifmap_soap_t, renewSession, bool,
+	private_tnc_ifmap_soap_t *this)
+{
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request;
+	bool success;
+
+	/* build renewSession request */
+	request = xmlNewNode(NULL, "renewSession");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	xmlNewProp(request, "session-id", this->session_id);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "renewSessionResult", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
+}
+
 METHOD(tnc_ifmap_soap_t, purgePublisher, bool,
 	private_tnc_ifmap_soap_t *this)
 {
-	axiom_node_t *request;
-	axiom_element_t *el;
-	axiom_namespace_t *ns;
-	axiom_attribute_t *attr;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request;
+	bool success;
 
 	/* build purgePublisher request */
- 	ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-	el = axiom_element_create(this->env, NULL, "purgePublisher", ns, &request);
-	attr = axiom_attribute_create(this->env, "session-id",
-								  this->session_id, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, request);
-	attr = axiom_attribute_create(this->env, "ifmap-publisher-id",
-								  this->ifmap_publisher_id, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, request);
-
-	/* send purgePublisher request and receive purgePublisherReceived */
-	return send_receive(this, "purgePublisher", request,
-							  "purgePublisherReceived", NULL);
+	request = xmlNewNode(NULL, "purgePublisher");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	xmlNewProp(request, "session-id", this->session_id);
+	xmlNewProp(request, "ifmap-publisher-id", this->ifmap_publisher_id);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "purgePublisherReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 /**
  * Create an access-request based on device_name and ike_sa_id
  */
-static axiom_node_t* create_access_request(private_tnc_ifmap_soap_t *this,
-										   u_int32_t id)
+static xmlNodePtr create_access_request(private_tnc_ifmap_soap_t *this,
+										u_int32_t id)
 {
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
+	xmlNodePtr node;
 	char buf[BUF_LEN];
 
-	el = axiom_element_create(this->env, NULL, "access-request", NULL, &node);
+	node = xmlNewNode(NULL, "access-request");
 
 	snprintf(buf, BUF_LEN, "%s:%d", this->device_name, id);
-	attr = axiom_attribute_create(this->env, "name", buf, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node);
+	xmlNewProp(node, "name", buf);
 
 	return node;
 }
@@ -211,27 +202,22 @@ static axiom_node_t* create_access_request(private_tnc_ifmap_soap_t *this,
 /**
  * Create an identity
  */
-static axiom_node_t* create_identity(private_tnc_ifmap_soap_t *this,
-									 identification_t *id, bool is_user)
+static xmlNodePtr create_identity(private_tnc_ifmap_soap_t *this,
+								  identification_t *id, bool is_user)
 {
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
+	xmlNodePtr node;
 	char buf[BUF_LEN], *id_type;
 
-	el = axiom_element_create(this->env, NULL, "identity", NULL, &node);
+	node = xmlNewNode(NULL, "identity");
 
 	snprintf(buf, BUF_LEN, "%Y", id);
-	attr = axiom_attribute_create(this->env, "name", buf, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node);
+	xmlNewProp(node, "name", buf);
 
 	switch (id->get_type(id))
 	{
 		case ID_IPV4_ADDR:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:ipv4-address", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:ipv4-address");
 			break;
 		case ID_FQDN:
 			id_type = is_user ? "username" : "dns-name";
@@ -241,27 +227,93 @@ static axiom_node_t* create_identity(private_tnc_ifmap_soap_t *this,
 			break;
 		case ID_IPV6_ADDR:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:ipv6-address", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:ipv6-address");
 			break;
 		case ID_DER_ASN1_DN:
 			id_type = "distinguished-name";
 			break;
 		case ID_KEY_ID:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:key-id", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:key-id");
 			break;
 		default:
 			id_type = "other";
-			attr = axiom_attribute_create(this->env, "other-type-definition",
-										  "36906:other", NULL);
-			axiom_element_add_attribute(el, this->env, attr, node);
+			xmlNewProp(node, "other-type-definition", "36906:other");
 	}
-	attr = axiom_attribute_create(this->env, "type", id_type, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node);
+	xmlNewProp(node, "type", id_type);
+
+	return node;
+}
+
+/**
+ * Create enforcement-report metadata
+ */
+static xmlNodePtr create_enforcement_report(private_tnc_ifmap_soap_t *this,
+											xmlChar *action, xmlChar *reason)
+{
+	xmlNodePtr node, node2, node3;
+
+	node = xmlNewNode(NULL, "metadata");
+	node2 = xmlNewNode(this->ns_meta, "enforcement-report");
+	xmlAddChild(node, node2);
+	xmlNewProp(node2, "ifmap-cardinality", "multiValue");
+
+	node3 = xmlNewNode(NULL, "enforcement-action");
+	xmlAddChild(node2, node3);
+	xmlNodeAddContent(node3, action);
+
+	node3 = xmlNewNode(NULL, "enforcement-reason");
+	xmlAddChild(node2, node3);
+	xmlNodeAddContent(node3, reason);
+
+    return node;
+}
+
+/**
+ * Create delete filter
+ */
+static xmlNodePtr create_delete_filter(private_tnc_ifmap_soap_t *this,
+									   char *metadata)
+{
+	xmlNodePtr node;
+	char buf[BUF_LEN];
+
+	node = xmlNewNode(NULL, "delete");
+
+	snprintf(buf, BUF_LEN, "meta:%s[@ifmap-publisher-id='%s']",
+			 metadata, this->ifmap_publisher_id);
+	xmlNewProp(node, "filter", buf);
+
+	return node;
+}
+
+/**
+ * Create a publish request
+ */
+static xmlNodePtr create_publish_request(private_tnc_ifmap_soap_t *this)
+{
+	xmlNodePtr request;
+
+	request = xmlNewNode(NULL, "publish");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	this->ns_meta = xmlNewNs(request, IFMAP_META_NS, "meta");
+	xmlNewProp(request, "session-id", this->session_id);
+
+	return request;
+}
+
+/**
+ * Create a device
+ */
+static xmlNodePtr create_device(private_tnc_ifmap_soap_t *this)
+{
+	xmlNodePtr node, node2;
+
+	node = xmlNewNode(NULL, "device");
+	node2 = xmlNewNode(NULL, "name");
+	xmlAddChild(node, node2);
+	xmlNodeAddContent(node2, this->device_name);
 
 	return node;
 }
@@ -269,15 +321,13 @@ static axiom_node_t* create_identity(private_tnc_ifmap_soap_t *this,
 /**
  * Create an ip-address
  */
-static axiom_node_t* create_ip_address(private_tnc_ifmap_soap_t *this,
-									   host_t *host)
+static xmlNodePtr create_ip_address(private_tnc_ifmap_soap_t *this,
+									host_t *host)
 {
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
+	xmlNodePtr node;
 	char buf[BUF_LEN];
 
-	el = axiom_element_create(this->env, NULL, "ip-address", NULL, &node);
+	node = xmlNewNode(NULL, "ip-address");
 
 	if (host->get_family(host) == AF_INET6)
 	{
@@ -295,7 +345,7 @@ static axiom_node_t* create_ip_address(private_tnc_ifmap_soap_t *this,
 		{
 			written = snprintf(pos, len, "%s%x", first ? "" : ":",
 							   256*address.ptr[i] +  address.ptr[i+1]);
-			if (written < 0 || written > len)
+			if (written < 0 || written >= len)
 			{
 				break;
 			}
@@ -308,29 +358,9 @@ static axiom_node_t* create_ip_address(private_tnc_ifmap_soap_t *this,
 	{
 		snprintf(buf, BUF_LEN, "%H", host);
 	}
-	attr = axiom_attribute_create(this->env, "value", buf, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node);
 
-	attr = axiom_attribute_create(this->env, "type",
-				 host->get_family(host) == AF_INET ? "IPv4" : "IPv6", NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node);
-
-	return node;
-}
-
-/**
- * Create a device
- */
-static axiom_node_t* create_device(private_tnc_ifmap_soap_t *this)
-{
-	axiom_element_t *el;
-	axiom_node_t *node, *node2, *node3;
-	axiom_text_t *text;
-
-	el = axiom_element_create(this->env, NULL, "device", NULL, &node);
-	el = axiom_element_create(this->env, NULL, "name", NULL, &node2);
-	axiom_node_add_child(node, this->env, node2);
-	text = axiom_text_create(this->env, node2, this->device_name, &node3);
+	xmlNewProp(node, "value", buf);
+	xmlNewProp(node, "type", host->get_family(host) == AF_INET ? "IPv4" : "IPv6");
 
 	return node;
 }
@@ -338,22 +368,15 @@ static axiom_node_t* create_device(private_tnc_ifmap_soap_t *this)
 /**
  * Create metadata
  */
-static axiom_node_t* create_metadata(private_tnc_ifmap_soap_t *this,
-									 char *metadata)
+static xmlNodePtr create_metadata(private_tnc_ifmap_soap_t *this,
+								  xmlChar *metadata)
 {
-	axiom_element_t *el;
-	axiom_node_t *node, *node2;
-	axiom_attribute_t *attr;
-	axiom_namespace_t *ns_meta;
+	xmlNodePtr node, node2;
 
-	el = axiom_element_create(this->env, NULL, "metadata", NULL, &node);
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
-
-	el = axiom_element_create(this->env, NULL, metadata, ns_meta, &node2);
-	axiom_node_add_child(node, this->env, node2);
-	attr = axiom_attribute_create(this->env, "ifmap-cardinality", "singleValue",
-								  NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node2);
+	node = xmlNewNode(NULL, "metadata");
+	node2 = xmlNewNode(this->ns_meta, metadata);
+	xmlAddChild(node, node2);
+	xmlNewProp(node2, "ifmap-cardinality", "singleValue");
 
 	return node;
 }
@@ -361,130 +384,45 @@ static axiom_node_t* create_metadata(private_tnc_ifmap_soap_t *this,
 /**
  * Create capability metadata
  */
-static axiom_node_t* create_capability(private_tnc_ifmap_soap_t *this,
-									   identification_t *name)
+static xmlNodePtr create_capability(private_tnc_ifmap_soap_t *this,
+									identification_t *name)
 {
-	axiom_element_t *el;
-	axiom_node_t *node, *node2, *node3;
-	axiom_namespace_t *ns_meta;
-	axiom_attribute_t *attr;
-	axiom_text_t *text;
+	xmlNodePtr node, node2;
 	char buf[BUF_LEN];
 
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
-	el = axiom_element_create(this->env, NULL, "capability", ns_meta, &node);
-	attr = axiom_attribute_create(this->env, "ifmap-cardinality", "multiValue",
-								  NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node);
+	node = xmlNewNode(this->ns_meta, "capability");
+	xmlNewProp(node, "ifmap-cardinality", "multiValue");
 
-	el = axiom_element_create(this->env, NULL, "name", NULL, &node2);
-	axiom_node_add_child(node, this->env, node2);
+	node2 = xmlNewNode(NULL, "name");
+	xmlAddChild(node, node2);
 	snprintf(buf, BUF_LEN, "%Y", name);
-	text = axiom_text_create(this->env, node2, buf, &node3);
+	xmlNodeAddContent(node2, buf);
 
-	el = axiom_element_create(this->env, NULL, "administrative-domain", NULL, &node2);
-	axiom_node_add_child(node, this->env, node2);
-	text = axiom_text_create(this->env, node2, "strongswan", &node3);
-	
-	return node;
-}
-
-/**
- * Create enforcement-report metadata
- */
-static axiom_node_t* create_enforcement_report(private_tnc_ifmap_soap_t *this,
-											   char *action, char *reason)
-{
-	axiom_element_t *el;
-	axiom_node_t *node, *node2, *node3, *node4;
-	axiom_namespace_t *ns_meta;
-	axiom_attribute_t *attr;
-	axiom_text_t *text;
-
-	el = axiom_element_create(this->env, NULL, "metadata", NULL, &node);
-
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
-	el = axiom_element_create(this->env, NULL, "enforcement-report", ns_meta,
-							  &node2);
-	attr = axiom_attribute_create(this->env, "ifmap-cardinality",
-								  "multiValue", NULL);
-	axiom_element_add_attribute(el, this->env, attr, node2);
-	axiom_node_add_child(node, this->env, node2);
-
-	el = axiom_element_create(this->env, NULL, "enforcement-action", NULL,
-							  &node3);
-	axiom_node_add_child(node2, this->env, node3);
-	text = axiom_text_create(this->env, node3, action, &node4);
-
-	el = axiom_element_create(this->env, NULL, "enforcement-reason", NULL,
-							  &node3);
-	axiom_node_add_child(node2, this->env, node3);
-	text = axiom_text_create(this->env, node3, reason, &node4);
-
-    return node;
-}
-
-/**
- * Create delete filter
- */
-static axiom_node_t* create_delete_filter(private_tnc_ifmap_soap_t *this,
-										  char *metadata)
-{
-	axiom_element_t *el;
-	axiom_node_t *node;
-	axiom_attribute_t *attr;
-	char buf[BUF_LEN];
-
-	el = axiom_element_create(this->env, NULL, "delete", NULL, &node);
-
-	snprintf(buf, BUF_LEN, "meta:%s[@ifmap-publisher-id='%s']",
-			 metadata, this->ifmap_publisher_id);
-	attr = axiom_attribute_create(this->env, "filter", buf, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, node);
+	node2 = xmlNewNode(NULL, "administrative-domain");
+	xmlAddChild(node, node2);
+	xmlNodeAddContent(node2, "strongswan");
 
 	return node;
 }
 
-/**
- * Create a publish request
- */
-static axiom_node_t* create_publish_request(private_tnc_ifmap_soap_t *this)
-{
-	axiom_element_t *el;
-	axiom_node_t *request;
-	axiom_namespace_t *ns, *ns_meta;
-	axiom_attribute_t *attr;
-
-	ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-	el = axiom_element_create(this->env, NULL, "publish", ns, &request);
-	ns_meta = axiom_namespace_create(this->env, IFMAP_META_NS, "meta");
-	axiom_element_declare_namespace(el, this->env, request, ns_meta);
-	attr = axiom_attribute_create(this->env, "session-id", this->session_id,
-								  NULL);
-	axiom_element_add_attribute(el, this->env, attr, request);
-
-	return request;
-}
-
 METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 	private_tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool up)
 {
-	axiom_node_t *request, *node, *node2;
-	axiom_element_t *el;
-
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, node, node2 = NULL;
 	enumerator_t *e1, *e2;
 	auth_rule_t type;
 	identification_t *id, *eap_id, *group;
 	host_t *host;
 	auth_cfg_t *auth;
 	u_int32_t ike_sa_id;
-	bool is_user = FALSE, first = TRUE;
+	bool is_user = FALSE, first = TRUE, success;
 
 	/* extract relevant data from IKE_SA*/
 	ike_sa_id = ike_sa->get_unique_id(ike_sa);
+	host = ike_sa->get_other_host(ike_sa);
 	id = ike_sa->get_other_id(ike_sa);
 	eap_id = ike_sa->get_other_eap_id(ike_sa);
-	host = ike_sa->get_other_host(ike_sa);
 
 	/* in the presence of an EAP Identity, treat it as a username */
 	if (!id->equals(id, eap_id))
@@ -500,90 +438,79 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 	if (up)
 	{
 		node = create_delete_filter(this, "enforcement-report");
-		axiom_node_add_child(request, this->env, node);
-		axiom_node_add_child(node, this->env,
-							 create_ip_address(this, host));
-		axiom_node_add_child(node, this->env,
-							 create_device(this));
+		xmlAddChild(request, node);
+		xmlAddChild(node, create_ip_address(this, host));
+		xmlAddChild(node, create_device(this));
 	}
-	
+
 	/**
 	 * update or delete authenticated-as metadata
 	 */
- 	if (up)
+	if (up)
 	{
-		el = axiom_element_create(this->env, NULL, "update", NULL, &node);
+		node = xmlNewNode(NULL, "update");
 	}
 	else
 	{
 		node = create_delete_filter(this, "authenticated-as");
 	}
-	axiom_node_add_child(request, this->env, node);
+	xmlAddChild(request, node);
 
 	/* add access-request, identity and [if up] metadata */
-	axiom_node_add_child(node, this->env,
-							 create_access_request(this, ike_sa_id));
-	axiom_node_add_child(node, this->env,
-							 create_identity(this, id, is_user));
+	xmlAddChild(node, create_access_request(this, ike_sa_id));
+	xmlAddChild(node, create_identity(this, id, is_user));
 	if (up)
 	{
-		axiom_node_add_child(node, this->env,
-							 create_metadata(this, "authenticated-as"));
+		xmlAddChild(node, create_metadata(this, "authenticated-as"));
 	}
 
 	/**
-	 * update or delete access-request-ip metadata
+	 * update or delete access-request-ip metadata for physical IP address
 	 */
- 	if (up)
+	if (up)
 	{
-		el = axiom_element_create(this->env, NULL, "update", NULL, &node);
+		node = xmlNewNode(NULL, "update");
 	}
 	else
 	{
 		node = create_delete_filter(this, "access-request-ip");
 	}
-	axiom_node_add_child(request, this->env, node);
+	xmlAddChild(request, node);
 
 	/* add access-request, ip-address and [if up] metadata */
-	axiom_node_add_child(node, this->env,
-							 create_access_request(this, ike_sa_id));
-	axiom_node_add_child(node, this->env,
-							 create_ip_address(this, host));
+	xmlAddChild(node, create_access_request(this, ike_sa_id));
+	xmlAddChild(node, create_ip_address(this, host));
 	if (up)
 	{
-		axiom_node_add_child(node, this->env,
-							 create_metadata(this, "access-request-ip"));
+		xmlAddChild(node, create_metadata(this, "access-request-ip"));
 	}
 
 	/**
 	 * update or delete authenticated-by metadata
 	 */
- 	if (up)
+	if (up)
 	{
-		el = axiom_element_create(this->env, NULL, "update", NULL, &node);
+		node = xmlNewNode(NULL, "update");
 	}
 	else
 	{
 		node = create_delete_filter(this, "authenticated-by");
 	}
-	axiom_node_add_child(request, this->env, node);
+	xmlAddChild(request, node);
 
 	/* add access-request, device and [if up] metadata */
-	axiom_node_add_child(node, this->env,
-							 create_access_request(this, ike_sa_id));
-	axiom_node_add_child(node, this->env,
-							 create_device(this));
+	xmlAddChild(node, create_access_request(this, ike_sa_id));
+	xmlAddChild(node, create_device(this));
 	if (up)
 	{
-		axiom_node_add_child(node, this->env,
-							 create_metadata(this, "authenticated-by"));
+		xmlAddChild(node, create_metadata(this, "authenticated-by"));
 	}
 
 	/**
 	 * update or delete capability metadata
 	 */
 	e1 = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
-	while (e1->enumerate(e1, &auth))
+	while (e1->enumerate(e1, &auth) && (first || up))
 	{
 		e2 = auth->create_enumerator(auth);
 		while (e2->enumerate(e2, &type, &group))
@@ -597,234 +524,364 @@ METHOD(tnc_ifmap_soap_t, publish_ike_sa, bool,
 
 					if (up)
 					{
-						el = axiom_element_create(this->env, NULL, "update",
-												  NULL, &node);
+						node = xmlNewNode(NULL, "update");
 					}
 					else
 					{
 						node = create_delete_filter(this, "capability");
 					}
-					axiom_node_add_child(request, this->env, node);
- 
+					xmlAddChild(request, node);
+
 					/* add access-request */
-					axiom_node_add_child(node, this->env,
-									 create_access_request(this, ike_sa_id));
+					xmlAddChild(node, create_access_request(this, ike_sa_id));
 					if (!up)
 					{
 						break;
 					}
-					el = axiom_element_create(this->env, NULL, "metadata", NULL,
-											  &node2);
-					axiom_node_add_child(node, this->env, node2);
+					node2 = xmlNewNode(NULL, "metadata");
+					xmlAddChild(node, node2);
 				}
-				axiom_node_add_child(node2, this->env,
-									 create_capability(this, group));
-			}
-			if (!first && !up)
-			{
-				break;
+				xmlAddChild(node2, create_capability(this, group));
 			}
 		}
 		e2->destroy(e2);
 	}
 	e1->destroy(e1);
 
-	/* send publish request and receive publishReceived */
-	return send_receive(this, "publish", request, "publishReceived", NULL);
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 METHOD(tnc_ifmap_soap_t, publish_device_ip, bool,
 	private_tnc_ifmap_soap_t *this, host_t *host)
 {
-	axiom_node_t *request, *node;
-	axiom_element_t *el;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, update;
+	bool success;
 
 	/* build publish update request */
 	request = create_publish_request(this);
-	el = axiom_element_create(this->env, NULL, "update", NULL, &node);
-	axiom_node_add_child(request, this->env, node);
+	update = xmlNewNode(NULL, "update");
+	xmlAddChild(request, update);
 
 	/* add device, ip-address and metadata */
-	axiom_node_add_child(node, this->env,
-						 create_device(this));
-	axiom_node_add_child(node, this->env,
-						 create_ip_address(this, host));
-	axiom_node_add_child(node, this->env,
-						 create_metadata(this, "device-ip"));
-
-	/* send publish request and receive publishReceived */
-	return send_receive(this, "publish", request, "publishReceived", NULL);
+	xmlAddChild(update, create_device(this));
+	xmlAddChild(update, create_ip_address(this, host));
+	xmlAddChild(update, create_metadata(this, "device-ip"));
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
+}
+
+METHOD(tnc_ifmap_soap_t, publish_virtual_ips, bool,
+	private_tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool assign)
+{
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, node;
+	u_int32_t ike_sa_id;
+	enumerator_t *enumerator;
+	host_t *vip;
+	bool success;
+
+	/* extract relevant data from IKE_SA*/
+	ike_sa_id = ike_sa->get_unique_id(ike_sa);
+
+	/* build publish request */
+	request = create_publish_request(this);
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		/**
+		 * update or delete access-request-ip metadata for a virtual IP address
+		 */
+		if (assign)
+		{
+			node = xmlNewNode(NULL, "update");
+		}
+		else
+		{
+			node = create_delete_filter(this, "access-request-ip");
+		}
+		xmlAddChild(request, node);
+
+		/* add access-request, virtual ip-address and [if assign] metadata */
+			xmlAddChild(node, create_access_request(this, ike_sa_id));
+			xmlAddChild(node, create_ip_address(this, vip));
+			if (assign)
+		{
+			xmlAddChild(node, create_metadata(this, "access-request-ip"));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 METHOD(tnc_ifmap_soap_t, publish_enforcement_report, bool,
 	private_tnc_ifmap_soap_t *this, host_t *host, char *action, char *reason)
 {
-	axiom_node_t *request, *node;
-	axiom_element_t *el;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request, update;
+	bool success;
 
 	/* build publish update request */
 	request = create_publish_request(this);
-	el = axiom_element_create(this->env, NULL, "update", NULL, &node);
-	axiom_node_add_child(request, this->env, node);
+	update = xmlNewNode(NULL, "update");
+	xmlAddChild(request, update);
 
 	/* add ip-address and metadata */
-	axiom_node_add_child(node, this->env,
-						 create_ip_address(this, host));
-	axiom_node_add_child(node, this->env,
-						 create_device(this));
-	axiom_node_add_child(node, this->env,
-						 create_enforcement_report(this, action, reason));
-
-	/* send publish request and receive publishReceived */
-	return send_receive(this, "publish", request, "publishReceived", NULL);
+	xmlAddChild(update, create_ip_address(this, host));
+	xmlAddChild(update, create_device(this));
+	xmlAddChild(update, create_enforcement_report(this, action, reason));
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "publishReceived", NULL);
+	soap_msg->destroy(soap_msg);
+
+	return success;
 }
 
 METHOD(tnc_ifmap_soap_t, endSession, bool,
 	private_tnc_ifmap_soap_t *this)
 {
-	axiom_node_t *request;
-	axiom_element_t *el;
-	axiom_namespace_t *ns;
-	axiom_attribute_t *attr;
+	tnc_ifmap_soap_msg_t *soap_msg;
+	xmlNodePtr request;
+	bool success;
 
 	/* build endSession request */
- 	ns = axiom_namespace_create(this->env, IFMAP_NS, "ifmap");
-	el = axiom_element_create(this->env, NULL, "endSession", ns, &request);
-	attr = axiom_attribute_create(this->env, "session-id", this->session_id, NULL);	
-	axiom_element_add_attribute(el, this->env, attr, request);
+	request = xmlNewNode(NULL, "endSession");
+	this->ns = xmlNewNs(request, IFMAP_NS, "ifmap");
+	xmlSetNs(request, this->ns);
+	xmlNewProp(request, "session-id", this->session_id);
+
+	soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls);
+	success = soap_msg->post(soap_msg, request, "endSessionResult", NULL);
+	soap_msg->destroy(soap_msg);
+
+	DBG1(DBG_TNC, "ended ifmap session '%s' as publisher '%s'",
+				   this->session_id, this->ifmap_publisher_id);
+
+	return success;
+}
+
+METHOD(tnc_ifmap_soap_t, get_session_id, char*,
+	private_tnc_ifmap_soap_t *this)
+{
+	return this->session_id;
+}
+
+METHOD(tnc_ifmap_soap_t, orphaned, bool,
+	private_tnc_ifmap_soap_t *this)
+{
+	return this->ref == 1;
+}
 
-	/* send endSession request and receive end SessionResult */
-	return send_receive(this, "endSession", request, "endSessionResult", NULL);
+METHOD(tnc_ifmap_soap_t, get_ref, tnc_ifmap_soap_t*,
+	private_tnc_ifmap_soap_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
 }
 
 METHOD(tnc_ifmap_soap_t, destroy, void,
 	private_tnc_ifmap_soap_t *this)
 {
-	if (this->session_id)
+	if (ref_put(&this->ref))
 	{
-		endSession(this);
-		free(this->session_id);
-		free(this->ifmap_publisher_id);
-		free(this->device_name);	
-	}
-	if (this->svc_client)
-	{
-		axis2_svc_client_free(this->svc_client, this->env);
-	}
-	if (this->env)
-	{
-		axutil_env_free(this->env);
+		if (this->session_id)
+		{
+			xmlFree(this->session_id);
+			xmlFree(this->ifmap_publisher_id);
+			free(this->device_name);
+		}
+		DESTROY_IF(this->tls);
+		DESTROY_IF(this->host);
+
+		if (this->fd != IFMAP_NO_FD)
+		{
+			close(this->fd);
+		}
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+		this->creds->destroy(this->creds);
+		free(this->user_pass.ptr);
+		free(this);
 	}
-	free(this);
 }
 
-static bool axis2c_init(private_tnc_ifmap_soap_t *this)
+static bool soap_init(private_tnc_ifmap_soap_t *this)
 {
-	axis2_char_t *server, *server_cert, *key_file, *client_home;
-	axis2_char_t *ssl_passphrase, *username, *password;
-	axis2_endpoint_ref_t* endpoint_ref = NULL;
-	axis2_options_t *options = NULL;
-	axis2_transport_in_desc_t *transport_in;
-	axis2_transport_out_desc_t *transport_out;
-	axis2_transport_sender_t *transport_sender;
-	axutil_property_t* property;
-
-	/* Getting configuration parameters from strongswan.conf */
-	client_home = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-ifmap.client_home",
-					AXIS2_GETENV("AXIS2C_HOME"));
-	server = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-ifmap.server", IFMAP_SERVER);
-	server_cert = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-ifmap.server_cert", NULL);
-	key_file = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-ifmap.key_file", NULL);
-	ssl_passphrase = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-ifmap.ssl_passphrase", NULL);
-	username = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-ifmap.username", NULL);
-	password = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-ifmap.password", NULL);
+	char *server_uri, *server_str, *port_str, *uri_str;
+	char *server_cert, *client_cert, *client_key, *user_pass;
+	int port;
+	auth_cfg_t *auth;
+	certificate_t *cert;
+	private_key_t *key;
+	identification_t *server_id, *client_id = NULL;
 
+	/* getting configuration parameters from strongswan.conf */
+	server_uri =  lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.server_uri", IFMAP_URI, charon->name);
+	server_cert = lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.server_cert", NULL, charon->name);
+	client_cert = lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.client_cert", NULL, charon->name);
+	client_key =  lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.client_key", NULL, charon->name);
+	user_pass =   lib->settings->get_str(lib->settings,
+					"%s.plugins.tnc-ifmap.username_password", NULL, charon->name);
+
+	/* load [self-signed] MAP server certificate */
 	if (!server_cert)
 	{
 		DBG1(DBG_TNC, "MAP server certificate not defined");
 		return FALSE;
 	}
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, server_cert, BUILD_END);
+	if (!cert)
+	{
+		DBG1(DBG_TNC, "loading MAP server certificate from '%s' failed",
+					   server_cert);
+		return FALSE;
+	}
+	DBG1(DBG_TNC, "loaded MAP server certificate from '%s'", server_cert);
+	server_id = cert->get_subject(cert);
+	this->creds->add_cert(this->creds, TRUE, cert);
 
-	if (!key_file && (!username || !password))
+	/* check availability of client credentials */
+	if (!client_cert && !user_pass)
 	{
-		DBG1(DBG_TNC, "MAP client keyfile or %s%s%s not defined",
-			(!username) ? "username" : "",
-			(!username && ! password) ? " and " : "",
-			(!password) ? "password" : "");
+		DBG1(DBG_TNC, "neither MAP client certificate "
+					  "nor username:password defined");
 		return FALSE;
 	}
 
-	/* Create Axis2/C environment and options */
-	this->env = axutil_env_create_all(IFMAP_LOGFILE, AXIS2_LOG_LEVEL_TRACE);
-	options = axis2_options_create(this->env);
+	if (client_cert)
+	{
+		/* load MAP client certificate */
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, client_cert, BUILD_END);
+		if (!cert)
+		{
+			DBG1(DBG_TNC, "loading MAP client certificate from '%s' failed",
+						   client_cert);
+			return FALSE;
+		}
+		DBG1(DBG_TNC, "loaded MAP client certificate from '%s'", client_cert);
+		this->creds->add_cert(this->creds, TRUE, cert);
 
-	/* Set path to the MAP server certificate */
-	property =axutil_property_create_with_args(this->env, 0, 0, 0,
-											   server_cert);
-	axis2_options_set_property(options, this->env,
-							   AXIS2_SSL_SERVER_CERT, property);
+		/* load MAP client private key */
+		if (client_key)
+		{
+			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+									  BUILD_FROM_FILE, client_key, BUILD_END);
+			if (!key)
+			{
+				DBG1(DBG_TNC, "loading MAP client private key from '%s' failed",
+							   client_key);
+				return FALSE;
+			}
+			DBG1(DBG_TNC, "loaded MAP client RSA private key from '%s'",
+						   client_key);
+			this->creds->add_key(this->creds, key);
+		}
 
-	if (key_file)
+		/* set client ID to certificate distinguished name */
+		client_id = cert->get_subject(cert);
+
+		/* check if we have a private key matching the certificate */
+		auth = auth_cfg_create();
+		auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+		key = lib->credmgr->get_private(lib->credmgr, KEY_RSA, client_id, auth);
+		auth->destroy(auth);
+		if (!key)
+		{
+			DBG1(DBG_TNC, "no RSA private key matching MAP client certificate");
+			return FALSE;
+		}
+	}
+	else
+	{
+		/* set base64-encoded username:password for HTTP Basic Authentication */
+		this->user_pass = chunk_to_base64(chunk_from_str(user_pass), NULL);
+	}
+
+	/* remove HTTPS prefix if any */
+	if (strlen(server_uri) >= 8 && strncaseeq(server_uri, "https://", 8))
 	{
-		/* Set path to the MAP client certificate */
-		property =axutil_property_create_with_args(this->env, 0, 0, 0,
-												   key_file);
-		axis2_options_set_property(options, this->env,
-								   AXIS2_SSL_KEY_FILE, property);
-		if (ssl_passphrase)
+		server_uri += 8;
+	}
+	this->uri = server_uri;
+
+	/* duplicate server string since we are going to manipulate it */
+	server_str = strdup(server_uri);
+
+	/* extract server name and port from server URI */
+	port_str = strchr(server_str, ':');
+	if (port_str)
+	{
+		*port_str++ = '\0';
+		if (sscanf(port_str, "%d", &port) != 1)
 		{
-			/* Provide SSL passphrase */
-			property =axutil_property_create_with_args(this->env, 0, 0, 0,
-                                                   ssl_passphrase);
-			axis2_options_set_property(options, this->env,
-									   AXIS2_SSL_PASSPHRASE, property);
-		} 
+			DBG1(DBG_TNC, "parsing server port %s failed", port_str);
+			free(server_str);
+			return FALSE;
+		}
 	}
-	else 
+	else
 	{
-		/* Set up HTTP Basic MAP client authentication */
-		axis2_options_set_http_auth_info(options, this->env,
-										 username, password, "Basic");
+		/* use default https port */
+		port = 443;
+		uri_str = strchr(server_str, '/');
+		if (uri_str)
+		{
+			*uri_str = '\0';
+		}
 	}
 
-	/* Define the MAP server as the to endpoint reference */
-	endpoint_ref = axis2_endpoint_ref_create(this->env, server);
-	axis2_options_set_to(options, this->env, endpoint_ref);
-
-	/* Set up https transport */
-	transport_in = axis2_transport_in_desc_create(this->env,
-												  AXIS2_TRANSPORT_ENUM_HTTPS); 
-	transport_out = axis2_transport_out_desc_create(this->env,
-												  AXIS2_TRANSPORT_ENUM_HTTPS);
-	transport_sender = axis2_http_transport_sender_create(this->env);
-	axis2_transport_out_desc_set_sender(transport_out, this->env,
-										transport_sender);
-	axis2_options_set_transport_in(options, this->env, transport_in);
-	axis2_options_set_transport_out(options, this->env, transport_out); 
-
-	/* Create the axis2 service client */
-	this->svc_client = axis2_svc_client_create(this->env, client_home);
-	if (!this->svc_client)
+	/* open TCP socket and connect to MAP server */
+	this->host = host_create_from_dns(server_str, 0, port);
+	if (!this->host)
 	{
-		DBG1(DBG_TNC, "could not create axis2 service client");
-		AXIS2_LOG_ERROR(this->env->log, AXIS2_LOG_SI,
-					    "Stub invoke FAILED: Error code: %d :: %s",
-						this->env->error->error_number,
-						AXIS2_ERROR_GET_MESSAGE(this->env->error));
-		destroy(this);
+		DBG1(DBG_TNC, "resolving hostname %s failed", server_str);
+		free(server_str);
+		return FALSE;
+	}
+	free(server_str);
+
+	this->fd = socket(this->host->get_family(this->host), SOCK_STREAM, 0);
+	if (this->fd == IFMAP_NO_FD)
+	{
+		DBG1(DBG_TNC, "opening socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+
+	if (connect(this->fd, this->host->get_sockaddr(this->host),
+						 *this->host->get_sockaddr_len(this->host)) == -1)
+	{
+		DBG1(DBG_TNC, "connecting to %#H failed: %s",
+					   this->host, strerror(errno));
 		return FALSE;
 	}
 
-	axis2_svc_client_set_options(this->svc_client, this->env, options);
-	DBG1(DBG_TNC, "connecting as MAP client '%s' to MAP server at '%s'",
-				   username, server);
+	/* open TLS socket */
+	this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, NULL);
+	if (!this->tls)
+	{
+		DBG1(DBG_TNC, "creating TLS socket failed");
+		return FALSE;
+	}
 
 	return TRUE;
 }
@@ -839,16 +896,26 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create()
 	INIT(this,
 		.public = {
 			.newSession = _newSession,
+			.renewSession = _renewSession,
 			.purgePublisher = _purgePublisher,
 			.publish_ike_sa = _publish_ike_sa,
 			.publish_device_ip = _publish_device_ip,
+			.publish_virtual_ips = _publish_virtual_ips,
 			.publish_enforcement_report = _publish_enforcement_report,
 			.endSession = _endSession,
+			.get_session_id = _get_session_id,
+			.orphaned = _orphaned,
+			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
+		.fd = IFMAP_NO_FD,
+		.creds = mem_cred_create(),
+		.ref = 1,
 	);
 
-	if (!axis2c_init(this))
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+
+	if (!soap_init(this))
 	{
 		destroy(this);
 		return NULL;
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
index 4bf421e33..fbc65a2b1 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,14 +15,14 @@
 
 /**
  * @defgroup tnc_ifmap_soap tnc_ifmap_soap
- * @{ @ingroup tnc_ifmap 
+ * @{ @ingroup tnc_ifmap
  */
 
 #ifndef TNC_IFMAP_SOAP_H_
 #define TNC_IFMAP_SOAP_H_
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <sa/ike_sa.h>
 
 typedef struct tnc_ifmap_soap_t tnc_ifmap_soap_t;
@@ -40,6 +40,13 @@ struct tnc_ifmap_soap_t {
 	bool (*newSession)(tnc_ifmap_soap_t *this);
 
 	/**
+	 * Check if the IF-MAP session is still active
+	 *
+	 * @return				TRUE if command was successful
+	 */
+	bool (*renewSession)(tnc_ifmap_soap_t *this);
+
+	/**
 	 * Purges all metadata published by this publisher
 	 *
 	 * @return				TRUE if command was successful
@@ -47,16 +54,16 @@ struct tnc_ifmap_soap_t {
 	bool (*purgePublisher)(tnc_ifmap_soap_t *this);
 
 	/**
-	 * Publish metadata about established/deleted IKE_SAs 
+	 * Publish metadata about established/deleted IKE_SAs
 	 *
-	 * @param ike_sa		IKE_SA for which metadate is published
+	 * @param ike_sa		IKE_SA for which metadata is published
 	 * @param up			TRUE if IKE_SEA is up, FALSE if down
 	 * @return				TRUE if command was successful
 	 */
 	bool (*publish_ike_sa)(tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool up);
 
 	/**
-	 * Publish PEP device-ip metadata 
+	 * Publish PEP device-ip metadata
 	 *
 	 * @param host			IP address of local endpoint
 	 * @return				TRUE if command was successful
@@ -64,6 +71,16 @@ struct tnc_ifmap_soap_t {
 	bool (*publish_device_ip)(tnc_ifmap_soap_t *this, host_t *host);
 
 	/**
+	 * Publish Virtual IP access-request-ip metadata
+	 *
+	 * @param ike_sa		IKE_SA for which Virtual IP metadata is published
+	 * @param assign		TRUE if assigned, FALSE if removed
+	 * @return				TRUE if command was successful
+	 */
+	bool (*publish_virtual_ips)(tnc_ifmap_soap_t *this, ike_sa_t *ike_sa,
+								bool assign);
+
+	/**
 	 * Publish enforcement-report metadata
 	 *
 	 * @param host			Host to be enforced
@@ -82,6 +99,27 @@ struct tnc_ifmap_soap_t {
 	bool (*endSession)(tnc_ifmap_soap_t *this);
 
 	/**
+	 * Get ID of IF-MAP session
+	 *
+	 * @return				IF-MAP session ID
+	 */
+	char* (*get_session_id)(tnc_ifmap_soap_t *this);
+
+	/**
+	 * Check for an orphaned IF-MAP session
+	 *
+	 * @return				TRUE if IF-MAP session is orphaned
+	 */
+	bool (*orphaned)(tnc_ifmap_soap_t *this);
+
+	/**
+	 * Get a reference to an IF-MAP session
+	 *
+	 * @return				referenced IF-MAP session
+	 */
+	tnc_ifmap_soap_t* (*get_ref)(tnc_ifmap_soap_t *this);
+
+	/**
 	 * Destroy a tnc_ifmap_soap_t.
 	 */
 	void (*destroy)(tnc_ifmap_soap_t *this);
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.c
new file mode 100644
index 000000000..b86288683
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_ifmap_soap_msg.h"
+#include "tnc_ifmap_http.h"
+
+#include <utils/debug.h>
+
+#define SOAP_NS		"http://www.w3.org/2003/05/soap-envelope"
+
+typedef struct private_tnc_ifmap_soap_msg_t private_tnc_ifmap_soap_msg_t;
+
+/**
+ * Private data of an tnc_ifmap_soap_msg_t object.
+ */
+struct private_tnc_ifmap_soap_msg_t {
+
+	/**
+	 * Public tnc_ifmap_soap_msg_t interface.
+	 */
+	tnc_ifmap_soap_msg_t public;
+
+	/**
+	 * HTTP POST request builder and response processing
+	 */
+	tnc_ifmap_http_t *http;
+
+	/**
+	 * TLS socket
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * XML Document
+	 */
+	xmlDocPtr doc;
+
+};
+
+/**
+ * Find a child node with a given name
+ */
+static xmlNodePtr find_child(xmlNodePtr parent, const xmlChar* name)
+{
+	xmlNodePtr child;
+	
+	child = parent->xmlChildrenNode;
+	while (child)
+	{
+		if (xmlStrcmp(child->name, name) == 0)
+		{
+			return child;
+		}
+		child = child->next;
+	}
+
+	DBG1(DBG_TNC, "child node \"%s\" not found", name);
+	return NULL;
+}
+
+METHOD(tnc_ifmap_soap_msg_t, post, bool,
+	private_tnc_ifmap_soap_msg_t *this, xmlNodePtr request, char *result_name,
+	xmlNodePtr *result)
+{
+	xmlDocPtr doc;
+	xmlNodePtr env, body, cur, response;
+	xmlNsPtr ns;
+	xmlChar *xml_str, *errorCode, *errorString;
+	int xml_len, len, written;
+	chunk_t xml, http;
+	char buf[4096];
+	status_t status;
+
+	DBG2(DBG_TNC, "sending ifmap %s", request->name);
+
+	/* Generate XML Document containing SOAP Envelope */
+	doc = xmlNewDoc("1.0");
+	env =xmlNewNode(NULL, "Envelope");
+	ns = xmlNewNs(env, SOAP_NS, "env");
+	xmlSetNs(env, ns);
+	xmlDocSetRootElement(doc, env);
+
+	/* Add SOAP Body containing IF-MAP request */
+	body = xmlNewNode(ns, "Body");
+	xmlAddChild(body, request);
+	xmlAddChild(env, body);
+
+	/* Convert XML Document into a character string */
+	xmlDocDumpFormatMemory(doc, &xml_str, &xml_len, 1);
+	xmlFreeDoc(doc);
+	DBG3(DBG_TNC, "%.*s", xml_len, xml_str);
+	xml = chunk_create(xml_str, xml_len);
+
+	/* Send SOAP-XML request via HTTPS POST */
+	do
+	{
+		status = this->http->build(this->http, &xml, &http);
+		if (status == FAILED)
+		{
+			break;
+		}
+		written = this->tls->write(this->tls, http.ptr, http.len);
+		free(http.ptr);
+		if (written != http.len)
+		{
+			status = FAILED;
+			break;
+		}
+	}
+	while (status == NEED_MORE);
+
+	xmlFree(xml_str);
+	if (status != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* Receive SOAP-XML response via [chunked] HTTPS */
+	xml = chunk_empty;
+	do
+	{
+		len = this->tls->read(this->tls, buf, sizeof(buf), TRUE);
+		if (len <= 0)
+		{
+			return FALSE;
+		}
+		http = chunk_create(buf, len);
+
+		status = this->http->process(this->http, &http, &xml);
+		if (status == FAILED)
+		{
+			free(xml.ptr);
+			return FALSE;
+		}
+	}
+	while (status == NEED_MORE);
+
+	DBG3(DBG_TNC, "parsing XML message %B", &xml);
+	this->doc = xmlParseMemory(xml.ptr, xml.len);
+	free(xml.ptr);
+	
+	if (!this->doc)
+	{
+		DBG1(DBG_TNC, "failed to parse XML message");
+		return FALSE;
+	}
+
+	/* check out XML document */
+	cur = xmlDocGetRootElement(this->doc);
+	if (!cur)
+	{
+		DBG1(DBG_TNC, "empty XML message");
+		return FALSE;
+	}
+
+	/* get XML Document type is a SOAP Envelope */
+	if (xmlStrcmp(cur->name, "Envelope"))
+	{
+		DBG1(DBG_TNC, "XML message does not contain a SOAP Envelope");
+		return FALSE;
+	}
+
+	/* get SOAP Body */
+	cur = find_child(cur, "Body");
+	if (!cur)
+	{
+		return FALSE;
+	}
+
+	/* get IF-MAP response */
+	response = find_child(cur, "response");
+	if (!response)
+	{
+		return FALSE;
+	}
+
+	/* get IF-MAP result */
+	cur = find_child(response, result_name);
+	if (!cur)
+	{
+		cur = find_child(response, "errorResult");
+		if (cur)
+		{
+			DBG1(DBG_TNC, "received errorResult");
+
+			errorCode = xmlGetProp(cur, "errorCode");
+			if (errorCode)
+			{
+				DBG1(DBG_TNC, "  %s", errorCode);
+				xmlFree(errorCode);
+			}
+
+			cur = find_child(cur, "errorString");
+			if (cur)
+			{
+				errorString = xmlNodeGetContent(cur);
+				if (errorString)
+				{
+					DBG1(DBG_TNC, "  %s", errorString);
+					xmlFree(errorString);
+				}
+			}
+		}
+		return FALSE;
+	}
+
+	if (result)
+	{
+		*result = cur;
+	}
+	return TRUE;
+}
+
+METHOD(tnc_ifmap_soap_msg_t, destroy, void,
+	private_tnc_ifmap_soap_msg_t *this)
+{
+	this->http->destroy(this->http);
+	if (this->doc)
+	{
+		xmlFreeDoc(this->doc);
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+tnc_ifmap_soap_msg_t *tnc_ifmap_soap_msg_create(char *uri, chunk_t user_pass,
+												tls_socket_t *tls)
+{
+	private_tnc_ifmap_soap_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.post = _post,
+			.destroy = _destroy,
+		},
+		.http = tnc_ifmap_http_create(uri, user_pass),
+		.tls = tls,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.h
new file mode 100644
index 000000000..4f809ba1a
--- /dev/null
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap_msg.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_ifmap_soap_msg tnc_ifmap_soap_msg
+ * @{ @ingroup tnc_ifmap 
+ */
+
+#ifndef TNC_IFMAP_SOAP_MSG_H_
+#define TNC_IFMAP_SOAP_MSG_H_
+
+#include <library.h>
+#include <tls_socket.h>
+
+#include <libxml/parser.h>
+
+typedef struct tnc_ifmap_soap_msg_t tnc_ifmap_soap_msg_t;
+
+/**
+ * Interface for sending and receiving SOAP-XML messages
+ */
+struct tnc_ifmap_soap_msg_t {
+
+	/**
+	 * Post an IF-MAP request in a SOAP-XML message and return a result
+	 *
+	 * @param request		XML-encoded IF-MAP request
+	 * @param result_name	name of the IF-MAP result
+	 * @param result		XML-encoded IF-MAP result
+	 */
+	bool (*post)(tnc_ifmap_soap_msg_t *this, xmlNodePtr request,
+				 char *result_name, xmlNodePtr* result);
+
+	/**
+	 * Destroy a tnc_ifmap_soap_msg_t object.
+	 */
+	void (*destroy)(tnc_ifmap_soap_msg_t *this);
+};
+
+/**
+ * Create a tnc_ifmap_soap_msg instance.
+ *
+ * @param uri			HTTPS URI with https:// prefix removed
+ * @param user_pass		Optional username:password for HTTP Basic Authentication
+ * @param tls			TLS socket protecting the SOAP message
+ */
+tnc_ifmap_soap_msg_t *tnc_ifmap_soap_msg_create(char *uri, chunk_t user_pass,
+												tls_socket_t *tls);
+
+#endif /** TNC_IFMAP_SOAP_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am
index fc1979525..6e2b83fa0 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.am
+++ b/src/libcharon/plugins/tnc_imc/Makefile.am
@@ -1,10 +1,13 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
@@ -20,4 +23,3 @@ libstrongswan_tnc_imc_la_SOURCES = \
 	tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c
 
 libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
index 550c0516c..538af847a 100644
--- a/src/libcharon/plugins/tnc_imc/Makefile.in
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_imc_la_DEPENDENCIES =  \
@@ -81,48 +105,77 @@ am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo tnc_imc.lo \
 	tnc_imc_manager.lo tnc_imc_bind_function.lo
 libstrongswan_tnc_imc_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_imc_la_OBJECTS)
-libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_tnc_imc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_imc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_imc_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_imc_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -131,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -150,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -189,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -197,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -207,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -228,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -248,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -285,12 +347,17 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_imc_la_LIBADD = \
@@ -347,7 +414,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -355,6 +421,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -376,8 +444,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
+libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imc_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -391,25 +459,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -516,10 +584,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.c b/src/libcharon/plugins/tnc_imc/tnc_imc.c
index a1f2d770f..9ac578401 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.c
@@ -20,9 +20,10 @@
 
 #include <tncif_pa_subtypes.h>
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_tnc_imc_t private_tnc_imc_t;
@@ -38,11 +39,6 @@ struct private_tnc_imc_t {
 	imc_t public;
 
 	/**
-	 * Path of loaded IMC
-	 */
-	char *path;
-
-	/**
 	 * Name of loaded IMC
 	 */
 	char *name;
@@ -291,10 +287,10 @@ METHOD(imc_t, type_supported, bool,
 
 	for (i = 0; i < this->type_count; i++)
 	{
-	    vid = this->supported_vids[i];
-	    subtype = this->supported_subtypes[i];
+		vid = this->supported_vids[i];
+		subtype = this->supported_subtypes[i];
 
-	    if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
+		if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
 			(vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
 			 subtype == msg_subtype)))
 		{
@@ -307,20 +303,23 @@ METHOD(imc_t, type_supported, bool,
 METHOD(imc_t, destroy, void,
 	private_tnc_imc_t *this)
 {
-	dlclose(this->handle);
+	if (this->handle && lib->settings->get_bool(lib->settings,
+		"%s.plugins.tnc-imc.dlclose", TRUE, charon->name))
+	{
+		dlclose(this->handle);
+	}
 	this->mutex->destroy(this->mutex);
 	this->additional_ids->destroy(this->additional_ids);
 	free(this->supported_vids);
 	free(this->supported_subtypes);
 	free(this->name);
-	free(this->path);
 	free(this);
 }
 
 /**
- * Described in header.
+ * Generic constructor
  */
-imc_t* tnc_imc_create(char *name, char *path)
+static private_tnc_imc_t* tnc_imc_create_empty(char *name)
 {
 	private_tnc_imc_t *this;
 
@@ -335,59 +334,96 @@ imc_t* tnc_imc_create(char *name, char *path)
 			.set_message_types_long = _set_message_types_long,
 			.type_supported = _type_supported,
 			.destroy = _destroy,
-        },
-		.name = name,
-		.path = path,
+		},
+		.name = strdup(name),
 		.additional_ids = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
+	return this;
+}
+
+/**
+ * See header
+ */
+imc_t* tnc_imc_create(char *name, char *path)
+{
+	private_tnc_imc_t *this;
+
+	this = tnc_imc_create_empty(name);
+
 	this->handle = dlopen(path, RTLD_LAZY);
 	if (!this->handle)
 	{
 		DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror());
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
 	this->public.initialize = dlsym(this->handle, "TNC_IMC_Initialize");
 	if (!this->public.initialize)
-    {
+	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMC_Initialize in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	this->public.notify_connection_change =
 						 dlsym(this->handle, "TNC_IMC_NotifyConnectionChange");
-    this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake");
+	this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake");
 	if (!this->public.begin_handshake)
-    {
+	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMC_BeginHandshake in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
-    this->public.receive_message =
+	this->public.receive_message =
 						dlsym(this->handle, "TNC_IMC_ReceiveMessage");
-    this->public.receive_message_long =
+	this->public.receive_message_long =
 						dlsym(this->handle, "TNC_IMC_ReceiveMessageLong");
-    this->public.batch_ending =
+	this->public.batch_ending =
 						dlsym(this->handle, "TNC_IMC_BatchEnding");
-    this->public.terminate =
+	this->public.terminate =
 						dlsym(this->handle, "TNC_IMC_Terminate");
-    this->public.provide_bind_function =
+	this->public.provide_bind_function =
 						dlsym(this->handle, "TNC_IMC_ProvideBindFunction");
-    if (!this->public.provide_bind_function)
+	if (!this->public.provide_bind_function)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMC_ProvideBindFunction in %s: %s\n",
 					  path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
 	return &this->public;
 }
+
+/**
+ * See header
+ */
+imc_t* tnc_imc_create_from_functions(char *name,
+				TNC_IMC_InitializePointer initialize,
+				TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMC_BeginHandshakePointer begin_handshake,
+				TNC_IMC_ReceiveMessagePointer receive_message,
+				TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMC_BatchEndingPointer batch_ending,
+				TNC_IMC_TerminatePointer terminate,
+				TNC_IMC_ProvideBindFunctionPointer provide_bind_function)
+{
+	private_tnc_imc_t *this;
+
+	this = tnc_imc_create_empty(name);
+
+	this->public.initialize = initialize;
+	this->public.notify_connection_change = notify_connection_change;
+	this->public.begin_handshake = begin_handshake;
+	this->public.receive_message = receive_message;
+	this->public.receive_message_long = receive_message_long;
+	this->public.batch_ending = batch_ending;
+	this->public.terminate = terminate;
+	this->public.provide_bind_function = provide_bind_function;
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.h b/src/libcharon/plugins/tnc_imc/tnc_imc.h
index 10a67f90b..2d4607e77 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc.h
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc.h
@@ -25,7 +25,7 @@
 #include <tnc/imc/imc.h>
 
 /**
- * Create an Integrity Measurement Collector.
+ * Create an Integrity Measurement Collector loaded from a library.
  *
  * @param name			name of the IMC
  * @param filename		path to the dynamic IMC library
@@ -33,4 +33,28 @@
  */
 imc_t* tnc_imc_create(char *name, char *filename);
 
+/**
+ * Create an Integrity Measurement Collector from a set of IMC functions.
+ *
+ * @param name						name of the IMC
+ * @param initialize				TNC_IMC_InitializePointer
+ * @param notify_connection_change	TNC_IMC_NotifyConnectionChangePointer
+ * @param begin_handshake			TNC_IMC_BeginHandshakePointer
+ * @param receive_message			TNC_IMC_ReceiveMessagePointer
+ * @param receive_message_long		TNC_IMC_ReceiveMessageLongPointer
+ * @param batch_ending				TNC_IMC_BatchEndingPointer
+ * @param terminate					TNC_IMC_TerminatePointer
+ * @param provide_bind_function		TNC_IMC_ProvideBindFunctionPointer
+ * @return							instance of the imc_t interface
+ */
+imc_t* tnc_imc_create_from_functions(char *name,
+				TNC_IMC_InitializePointer initialize,
+				TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMC_BeginHandshakePointer begin_handshake,
+				TNC_IMC_ReceiveMessagePointer receive_message,
+				TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMC_BatchEndingPointer batch_ending,
+				TNC_IMC_TerminatePointer terminate,
+				TNC_IMC_ProvideBindFunctionPointer provide_bind_function);
+
 #endif /** TNC_IMC_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
index 90a607ccc..26a5ed2b4 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c
@@ -17,7 +17,7 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/tnccs/tnccs_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Called by the IMC to inform a TNCC about the set of message types the IMC
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
index e101cf974..078f7bc34 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c
@@ -19,8 +19,11 @@
 
 #include <tncifimc.h>
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <daemon.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
 
 typedef struct private_tnc_imc_manager_t private_tnc_imc_manager_t;
 
@@ -40,36 +43,56 @@ struct private_tnc_imc_manager_t {
 	linked_list_t *imcs;
 
 	/**
+	 * Lock to access IMC list
+	 */
+	rwlock_t *lock;
+
+	/**
 	 * Next IMC ID to be assigned
 	 */
 	TNC_IMCID next_imc_id;
+
+	/**
+	 * Mutex to access next IMC ID
+	 */
+	mutex_t *id_mutex;
 };
 
 METHOD(imc_manager_t, add, bool,
 	private_tnc_imc_manager_t *this, imc_t *imc)
 {
 	TNC_Version version;
+	TNC_IMCID imc_id;
+
+	this->id_mutex->lock(this->id_mutex);
+	imc_id = this->next_imc_id++;
+	this->id_mutex->unlock(this->id_mutex);
 
-	/* Initialize the module */
-	imc->set_id(imc, this->next_imc_id);
-	if (imc->initialize(imc->get_id(imc), TNC_IFIMC_VERSION_1,
-			TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+	imc->set_id(imc, imc_id);
+	if (imc->initialize(imc_id, TNC_IFIMC_VERSION_1,
+						TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS)
 	{
 		DBG1(DBG_TNC, "IMC \"%s\" failed to initialize", imc->get_name(imc));
 		return FALSE;
 	}
+	this->lock->write_lock(this->lock);
 	this->imcs->insert_last(this->imcs, imc);
-	this->next_imc_id++;
+	this->lock->unlock(this->lock);
 
-	if (imc->provide_bind_function(imc->get_id(imc), TNC_TNCC_BindFunction)
-			!= TNC_RESULT_SUCCESS)
+	if (imc->provide_bind_function(imc->get_id(imc),
+								   TNC_TNCC_BindFunction) != TNC_RESULT_SUCCESS)
 	{
+		if (imc->terminate)
+		{
+			imc->terminate(imc->get_id(imc));
+		}
 		DBG1(DBG_TNC, "IMC \"%s\" failed to obtain bind function",
-					   imc->get_name(imc));
+			 imc->get_name(imc));
+		this->lock->write_lock(this->lock);
 		this->imcs->remove_last(this->imcs, (void**)&imc);
+		this->lock->unlock(this->lock);
 		return FALSE;
 	}
-
 	return TRUE;
 }
 
@@ -79,6 +102,7 @@ METHOD(imc_manager_t, remove_, imc_t*,
 	enumerator_t *enumerator;
 	imc_t *imc, *removed_imc = NULL;
 
+	this->lock->write_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -90,6 +114,7 @@ METHOD(imc_manager_t, remove_, imc_t*,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return removed_imc;
 }
@@ -102,18 +127,10 @@ METHOD(imc_manager_t, load, bool,
 	imc = tnc_imc_create(name, path);
 	if (!imc)
 	{
-		free(name);
-		free(path);
 		return FALSE;
 	}
 	if (!add(this, imc))
 	{
-		if (imc->terminate &&
-			imc->terminate(imc->get_id(imc)) != TNC_RESULT_SUCCESS)
-		{
-			DBG1(DBG_TNC, "IMC \"%s\" not terminated successfully",
-						   imc->get_name(imc));
-		}
 		imc->destroy(imc);
 		return FALSE;
 	}
@@ -121,6 +138,37 @@ METHOD(imc_manager_t, load, bool,
 	return TRUE;
 }
 
+METHOD(imc_manager_t, load_from_functions, bool,
+	private_tnc_imc_manager_t *this, char *name,
+	TNC_IMC_InitializePointer initialize,
+	TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+	TNC_IMC_BeginHandshakePointer begin_handshake,
+	TNC_IMC_ReceiveMessagePointer receive_message,
+	TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+	TNC_IMC_BatchEndingPointer batch_ending,
+	TNC_IMC_TerminatePointer terminate,
+	TNC_IMC_ProvideBindFunctionPointer provide_bind_function)
+{
+	imc_t *imc;
+
+	imc = tnc_imc_create_from_functions(name,
+										initialize, notify_connection_change,
+										begin_handshake, receive_message,
+										receive_message_long, batch_ending,
+										terminate, provide_bind_function);
+	if (!imc)
+	{
+		return FALSE;
+	}
+	if (!add(this, imc))
+	{
+		imc->destroy(imc);
+		return FALSE;
+	}
+	DBG1(DBG_TNC, "IMC %u \"%s\" loaded", imc->get_id(imc), name);
+	return TRUE;
+}
+
 METHOD(imc_manager_t, is_registered, bool,
 	private_tnc_imc_manager_t *this, TNC_IMCID id)
 {
@@ -128,6 +176,7 @@ METHOD(imc_manager_t, is_registered, bool,
 	imc_t *imc;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -138,6 +187,7 @@ METHOD(imc_manager_t, is_registered, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -149,13 +199,16 @@ METHOD(imc_manager_t, reserve_id, bool,
 	imc_t *imc;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
-		if (imc->get_id(imc))
+		if (id == imc->get_id(imc))
 		{
 			found = TRUE;
+			this->id_mutex->lock(this->id_mutex);
 			*new_id = this->next_imc_id++;
+			this->id_mutex->unlock(this->id_mutex);
 			imc->add_id(imc, *new_id);
 			DBG2(DBG_TNC, "additional ID %u reserved for IMC with primary ID %u",
 						  *new_id, id);
@@ -163,6 +216,7 @@ METHOD(imc_manager_t, reserve_id, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -171,7 +225,7 @@ METHOD(imc_manager_t, get_preferred_language, char*,
 	private_tnc_imc_manager_t *this)
 {
 	return lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-imc.preferred_language", "en");
+				"%s.plugins.tnc-imc.preferred_language", "en", charon->name);
 }
 
 METHOD(imc_manager_t, notify_connection_change, void,
@@ -181,6 +235,7 @@ METHOD(imc_manager_t, notify_connection_change, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -190,6 +245,7 @@ METHOD(imc_manager_t, notify_connection_change, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imc_manager_t, begin_handshake, void,
@@ -198,12 +254,14 @@ METHOD(imc_manager_t, begin_handshake, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
 		imc->begin_handshake(imc->get_id(imc), id);
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imc_manager_t, set_message_types, TNC_Result,
@@ -215,6 +273,7 @@ METHOD(imc_manager_t, set_message_types, TNC_Result,
 	imc_t *imc;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -226,6 +285,7 @@ METHOD(imc_manager_t, set_message_types, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -239,6 +299,7 @@ METHOD(imc_manager_t, set_message_types_long, TNC_Result,
 	imc_t *imc;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -251,6 +312,7 @@ METHOD(imc_manager_t, set_message_types_long, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -270,11 +332,12 @@ METHOD(imc_manager_t, receive_message, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
 		if (imc->type_supported(imc, msg_vid, msg_subtype) &&
-		   (!excl || (excl && imc->has_id(imc, dst_imc_id)) ))
+			(!excl || (excl && imc->has_id(imc, dst_imc_id))))
 		{
 			if (imc->receive_message_long && src_imv_id)
 			{
@@ -296,6 +359,8 @@ METHOD(imc_manager_t, receive_message, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	if (!type_supported)
 	{
 		DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMC",
@@ -309,6 +374,7 @@ METHOD(imc_manager_t, batch_ending, void,
 	enumerator_t *enumerator;
 	imc_t *imc;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imcs->create_enumerator(this->imcs);
 	while (enumerator->enumerate(enumerator, &imc))
 	{
@@ -318,6 +384,7 @@ METHOD(imc_manager_t, batch_ending, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imc_manager_t, destroy, void,
@@ -336,6 +403,8 @@ METHOD(imc_manager_t, destroy, void,
 		imc->destroy(imc);
 	}
 	this->imcs->destroy(this->imcs);
+	this->lock->destroy(this->lock);
+	this->id_mutex->destroy(this->id_mutex);
 	free(this);
 }
 
@@ -351,6 +420,7 @@ imc_manager_t* tnc_imc_manager_create(void)
 			.add = _add,
 			.remove = _remove_, /* avoid name conflict with stdio.h */
 			.load = _load,
+			.load_from_functions = _load_from_functions,
 			.is_registered = _is_registered,
 			.reserve_id = _reserve_id,
 			.get_preferred_language = _get_preferred_language,
@@ -363,6 +433,8 @@ imc_manager_t* tnc_imc_manager_create(void)
 			.destroy = _destroy,
 		},
 		.imcs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.next_imc_id = 1,
 	);
 
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
index a25b1843c..859dded79 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
@@ -44,6 +44,8 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_CALLBACK(tnc_manager_register, tnc_imc_manager_create),
 			PLUGIN_PROVIDE(CUSTOM, "imc-manager"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
index eca3b377b..49efe3be4 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.am
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -1,12 +1,13 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
@@ -23,4 +24,3 @@ libstrongswan_tnc_imv_la_SOURCES = \
 	tnc_imv_recommendations.h tnc_imv_recommendations.c
 
 libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index cf58f0dc3..118dd6d2d 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_imv_la_DEPENDENCIES =  \
@@ -82,48 +106,77 @@ am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \
 	tnc_imv_recommendations.lo
 libstrongswan_tnc_imv_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_imv_la_OBJECTS)
-libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_tnc_imv_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_imv_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_imv_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_imv_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +185,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +207,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +235,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +249,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +258,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +266,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +292,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +312,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,14 +348,17 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs
+	-I$(top_srcdir)/src/libtnccs \
+	-I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_imv_la_LIBADD = \
@@ -351,7 +416,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -359,6 +423,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -380,8 +446,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
+libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_imv_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -396,25 +462,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -521,10 +587,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c
index f0b150743..ef0387d70 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c
@@ -20,9 +20,10 @@
 
 #include <tncif_pa_subtypes.h>
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_tnc_imv_t private_tnc_imv_t;
@@ -38,11 +39,6 @@ struct private_tnc_imv_t {
 	imv_t public;
 
 	/**
-	 * Path of loaded IMV
-	 */
-	char *path;
-
-	/**
 	 * Name of loaded IMV
 	 */
 	char *name;
@@ -287,10 +283,10 @@ METHOD(imv_t, type_supported, bool,
 
 	for (i = 0; i < this->type_count; i++)
 	{
-	    vid = this->supported_vids[i];
-	    subtype = this->supported_subtypes[i];
+		vid = this->supported_vids[i];
+		subtype = this->supported_subtypes[i];
 
-	    if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
+		if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
 			(vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
 			 subtype == msg_subtype)))
 		{
@@ -303,20 +299,23 @@ METHOD(imv_t, type_supported, bool,
 METHOD(imv_t, destroy, void,
 	private_tnc_imv_t *this)
 {
-	dlclose(this->handle);
+	if (this->handle && lib->settings->get_bool(lib->settings,
+		"%s.plugins.tnc-imv.dlclose", TRUE, charon->name))
+	{
+		dlclose(this->handle);
+	}
 	this->mutex->destroy(this->mutex);
 	this->additional_ids->destroy_function(this->additional_ids, free);
 	free(this->supported_vids);
 	free(this->supported_subtypes);
 	free(this->name);
-	free(this->path);
 	free(this);
 }
 
 /**
- * Described in header.
+ * Generic constructor.
  */
-imv_t* tnc_imv_create(char *name, char *path)
+static private_tnc_imv_t* tnc_imv_create_empty(char *name)
 {
 	private_tnc_imv_t *this;
 
@@ -332,17 +331,28 @@ imv_t* tnc_imv_create(char *name, char *path)
 			.type_supported = _type_supported,
 			.destroy = _destroy,
 		},
-		.name = name,
-		.path = path,
+		.name = strdup(name),
 		.additional_ids = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
+	return this;
+}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create(char *name, char *path)
+{
+	private_tnc_imv_t *this;
+
+	this = tnc_imv_create_empty(name);
+
 	this->handle = dlopen(path, RTLD_LAZY);
 	if (!this->handle)
 	{
 		DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
@@ -351,8 +361,7 @@ imv_t* tnc_imv_create(char *name, char *path)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	this->public.notify_connection_change =
@@ -363,8 +372,7 @@ imv_t* tnc_imv_create(char *name, char *path)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n",
 					   path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	this->public.receive_message =
@@ -381,10 +389,38 @@ imv_t* tnc_imv_create(char *name, char *path)
 	{
 		DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n",
 					  path, dlerror());
-		dlclose(this->handle);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 
 	return &this->public;
 }
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+				TNC_IMV_InitializePointer initialize,
+				TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMV_ReceiveMessagePointer receive_message,
+				TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+				TNC_IMV_BatchEndingPointer batch_ending,
+				TNC_IMV_TerminatePointer terminate,
+				TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+	private_tnc_imv_t *this;
+
+	this = tnc_imv_create_empty(name);
+
+	this->public.initialize = initialize;
+	this->public.notify_connection_change = notify_connection_change;
+	this->public.receive_message = receive_message;
+	this->public.receive_message_long = receive_message_long;
+	this->public.solicit_recommendation = solicit_recommendation;
+	this->public.batch_ending = batch_ending;
+	this->public.terminate = terminate;
+	this->public.provide_bind_function = provide_bind_function;
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libcharon/plugins/tnc_imv/tnc_imv.h
index 75939e54c..e7c7b8b4f 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.h
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.h
@@ -25,7 +25,7 @@
 #include <tnc/imv/imv.h>
 
 /**
- * Create an Integrity Measurement Verifier.
+ * Create an Integrity Measurement Verifier loaded from a library.
  *
  * @param name			name of the IMV
  * @param filename		path to the dynamic IMV library
@@ -33,4 +33,28 @@
  */
 imv_t* tnc_imv_create(char *name, char *filename);
 
+/**
+ * Create an Integrity Measurement Verifier from a set of IMV functions.
+ *
+ * @param name						name of the IMV
+ * @param initialize				TNC_IMV_InitializePointer
+ * @param notify_connection_change	TNC_IMV_NotifyConnectionChangePointer
+ * @param receive_message			TNC_IMV_ReceiveMessagePointer
+ * @param receive_message_long		TNC_IMV_ReceiveMessageLongPointer
+ * @param solicit_recommendation	TNC_IMV_SolicitRecommendationPointer
+ * @param batch_ending				TNC_IMV_BatchEndingPointer
+ * @param terminate					TNC_IMV_TerminatePointer
+ * @param provide_bind_function		TNC_IMV_ProvideBindFunctionPointer
+ * @return							instance of the imv_t interface
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+				TNC_IMV_InitializePointer initialize,
+				TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMV_ReceiveMessagePointer receive_message,
+				TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+				TNC_IMV_BatchEndingPointer batch_ending,
+				TNC_IMV_TerminatePointer terminate,
+				TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
+
 #endif /** TNC_IMV_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
index dd11c5009..36cdb7fbb 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
@@ -18,7 +18,7 @@
 #include <tnc/imv/imv_manager.h>
 #include <tnc/tnccs/tnccs_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Called by the IMV to inform a TNCS about the set of message types the IMV
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index b1da73156..b950e3119 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -29,13 +29,13 @@
 #include <fcntl.h>
 
 #include <daemon.h>
-#include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
 #include <threading/mutex.h>
+#include <collections/linked_list.h>
 
 typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
 
-
 /**
  * Private data of an imv_manager_t object.
  */
@@ -52,11 +52,21 @@ struct private_tnc_imv_manager_t {
 	linked_list_t *imvs;
 
 	/**
+	 * Lock for IMV list
+	 */
+	rwlock_t *lock;
+
+	/**
 	 * Next IMV ID to be assigned
 	 */
 	TNC_IMVID next_imv_id;
 
 	/**
+	 * Mutex to access next IMV ID
+	 */
+	mutex_t *id_mutex;
+
+	/**
 	 * Policy defining how to derive final recommendation from individual ones
 	 */
 	recommendation_policy_t policy;
@@ -66,27 +76,37 @@ METHOD(imv_manager_t, add, bool,
 	private_tnc_imv_manager_t *this, imv_t *imv)
 {
 	TNC_Version version;
+	TNC_IMVID imv_id;
 
-	/* Initialize the IMV module */
-	imv->set_id(imv, this->next_imv_id);
-	if (imv->initialize(imv->get_id(imv), TNC_IFIMV_VERSION_1,
-		TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+	this->id_mutex->lock(this->id_mutex);
+	imv_id = this->next_imv_id++;
+	this->id_mutex->unlock(this->id_mutex);
+
+	imv->set_id(imv, imv_id);
+	if (imv->initialize(imv_id, TNC_IFIMV_VERSION_1,
+						TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
 	{
 		DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv));
 		return FALSE;
 	}
+	this->lock->write_lock(this->lock);
 	this->imvs->insert_last(this->imvs, imv);
-	this->next_imv_id++;
+	this->lock->unlock(this->lock);
 
-	if (imv->provide_bind_function(imv->get_id(imv), TNC_TNCS_BindFunction)
-			!= TNC_RESULT_SUCCESS)
+	if (imv->provide_bind_function(imv->get_id(imv),
+								   TNC_TNCS_BindFunction) != TNC_RESULT_SUCCESS)
 	{
-		DBG1(DBG_TNC, "IMV \"%s\" could failed to obtain bind function",
-					   imv->get_name(imv));
+		if (imv->terminate)
+		{
+			imv->terminate(imv->get_id(imv));
+		}
+		DBG1(DBG_TNC, "IMV \"%s\" failed to obtain bind function",
+			 imv->get_name(imv));
+		this->lock->write_lock(this->lock);
 		this->imvs->remove_last(this->imvs, (void**)&imv);
+		this->lock->unlock(this->lock);
 		return FALSE;
 	}
-
 	return TRUE;
 }
 
@@ -96,6 +116,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
 	enumerator_t *enumerator;
 	imv_t *imv, *removed_imv = NULL;
 
+	this->lock->write_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -107,6 +128,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return removed_imv;
 }
@@ -119,18 +141,10 @@ METHOD(imv_manager_t, load, bool,
 	imv = tnc_imv_create(name, path);
 	if (!imv)
 	{
-		free(name);
-		free(path);
 		return FALSE;
 	}
 	if (!add(this, imv))
 	{
-		if (imv->terminate &&
-			imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
-		{
-			DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
-						   imv->get_name(imv));
-		}
 		imv->destroy(imv);
 		return FALSE;
 	}
@@ -138,6 +152,37 @@ METHOD(imv_manager_t, load, bool,
 	return TRUE;
 }
 
+METHOD(imv_manager_t, load_from_functions, bool,
+	private_tnc_imv_manager_t *this, char *name,
+	TNC_IMV_InitializePointer initialize,
+	TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+	TNC_IMV_ReceiveMessagePointer receive_message,
+	TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+	TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+	TNC_IMV_BatchEndingPointer batch_ending,
+	TNC_IMV_TerminatePointer terminate,
+	TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+	imv_t *imv;
+
+	imv = tnc_imv_create_from_functions(name,
+										initialize,notify_connection_change,
+										receive_message, receive_message_long,
+										solicit_recommendation, batch_ending,
+										terminate, provide_bind_function);
+	if (!imv)
+	{
+		return FALSE;
+	}
+	if (!add(this, imv))
+	{
+		imv->destroy(imv);
+		return FALSE;
+	}
+	DBG1(DBG_TNC, "IMV %u \"%s\" loaded", imv->get_id(imv), name);
+	return TRUE;
+}
+
 METHOD(imv_manager_t, is_registered, bool,
 	private_tnc_imv_manager_t *this, TNC_IMVID id)
 {
@@ -145,6 +190,7 @@ METHOD(imv_manager_t, is_registered, bool,
 	imv_t *imv;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -155,6 +201,7 @@ METHOD(imv_manager_t, is_registered, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -166,13 +213,16 @@ METHOD(imv_manager_t, reserve_id, bool,
 	imv_t *imv;
 	bool found = FALSE;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
-		if (imv->get_id(imv))
+		if (id == imv->get_id(imv))
 		{
 			found = TRUE;
+			this->id_mutex->lock(this->id_mutex);
 			*new_id = this->next_imv_id++;
+			this->id_mutex->unlock(this->id_mutex);
 			imv->add_id(imv, *new_id);
 			DBG2(DBG_TNC, "additional ID %u reserved for IMV with primary ID %u",
 						  *new_id, id);
@@ -180,6 +230,7 @@ METHOD(imv_manager_t, reserve_id, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
 	return found;
 }
@@ -241,7 +292,7 @@ METHOD(imv_manager_t, enforce_recommendation, bool,
 		return FALSE;
 	}
 	else
-	{	
+	{
 		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
 		id = identification_create_from_string(group);
 		auth->add(auth, AUTH_RULE_GROUP, id);
@@ -259,6 +310,7 @@ METHOD(imv_manager_t, notify_connection_change, void,
 	enumerator_t *enumerator;
 	imv_t *imv;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -268,6 +320,7 @@ METHOD(imv_manager_t, notify_connection_change, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imv_manager_t, set_message_types, TNC_Result,
@@ -279,6 +332,7 @@ METHOD(imv_manager_t, set_message_types, TNC_Result,
 	imv_t *imv;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -290,6 +344,7 @@ METHOD(imv_manager_t, set_message_types, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -303,6 +358,7 @@ METHOD(imv_manager_t, set_message_types_long, TNC_Result,
 	imv_t *imv;
 	TNC_Result result = TNC_RESULT_FATAL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -315,6 +371,7 @@ METHOD(imv_manager_t, set_message_types_long, TNC_Result,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 	return result;
 }
 
@@ -324,12 +381,14 @@ METHOD(imv_manager_t, solicit_recommendation, void,
 	enumerator_t *enumerator;
 	imv_t *imv;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
 		imv->solicit_recommendation(imv->get_id(imv), id);
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(imv_manager_t, receive_message, void,
@@ -350,11 +409,12 @@ METHOD(imv_manager_t, receive_message, void,
 
 	msg_type = (msg_vid << 8) | msg_subtype;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
 		if (imv->type_supported(imv, msg_vid, msg_subtype) &&
-		   (!excl || (excl && imv->has_id(imv, dst_imv_id)) ))
+			(!excl || (excl && imv->has_id(imv, dst_imv_id))))
 		{
 			if (imv->receive_message_long && src_imc_id)
 			{
@@ -376,6 +436,8 @@ METHOD(imv_manager_t, receive_message, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	if (!type_supported)
 	{
 		DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMV",
@@ -389,6 +451,7 @@ METHOD(imv_manager_t, batch_ending, void,
 	enumerator_t *enumerator;
 	imv_t *imv;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->imvs->create_enumerator(this->imvs);
 	while (enumerator->enumerate(enumerator, &imv))
 	{
@@ -398,9 +461,9 @@ METHOD(imv_manager_t, batch_ending, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
-
 METHOD(imv_manager_t, destroy, void,
 	private_tnc_imv_manager_t *this)
 {
@@ -417,6 +480,8 @@ METHOD(imv_manager_t, destroy, void,
 		imv->destroy(imv);
 	}
 	this->imvs->destroy(this->imvs);
+	this->lock->destroy(this->lock);
+	this->id_mutex->destroy(this->id_mutex);
 	free(this);
 }
 
@@ -433,6 +498,7 @@ imv_manager_t* tnc_imv_manager_create(void)
 			.add = _add,
 			.remove = _remove_, /* avoid name conflict with stdio.h */
 			.load = _load,
+			.load_from_functions = _load_from_functions,
 			.is_registered = _is_registered,
 			.reserve_id = _reserve_id,
 			.get_recommendation_policy = _get_recommendation_policy,
@@ -447,12 +513,15 @@ imv_manager_t* tnc_imv_manager_create(void)
 			.destroy = _destroy,
 		},
 		.imvs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.next_imv_id = 1,
 	);
 
 	policy = enum_from_name(recommendation_policy_names,
 				lib->settings->get_str(lib->settings,
-					"charon.plugins.tnc-imv.recommendation_policy", "default"));
+					"%s.plugins.tnc-imv.recommendation_policy", "default",
+					charon->name));
 	this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
 	DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
 				   recommendation_policy_names, this->policy);
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
index c16f6b9e1..d06c2fcaf 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -47,6 +47,9 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_CALLBACK(tnc_manager_register, tnc_imv_manager_create),
 			PLUGIN_PROVIDE(CUSTOM, "imv-manager"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
+				PLUGIN_SDEPEND(DATABASE, DB_ANY),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
index 7843293a1..a9dbb2b9f 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,14 +15,15 @@
 
 #include <tncifimv.h>
 #include <tncif_names.h>
+#include <tncif_policy.h>
 
 #include <tnc/tnc.h>
 #include <tnc/imv/imv.h>
 #include <tnc/imv/imv_manager.h>
 #include <tnc/imv/imv_recommendations.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
 typedef struct recommendation_entry_t recommendation_entry_t;
@@ -123,8 +125,13 @@ METHOD(recommendations_t, have_recommendation, bool,
 	TNC_IMV_Evaluation_Result final_eval;
 	bool first = TRUE, incomplete = FALSE;
 
-	*rec = final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
-	*eval = final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+	final_rec  = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+	final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+	if (rec && eval)
+	{
+		*rec  = final_rec;
+		*eval = final_eval;
+	}
 
 	if (this->recs->get_count(this->recs) == 0)
 	{
@@ -151,53 +158,10 @@ METHOD(recommendations_t, have_recommendation, bool,
 		switch (policy)
 		{
 			case RECOMMENDATION_POLICY_DEFAULT:
-				switch (entry->rec)
-				{
-					case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
-						final_rec = entry->rec;
-						break;
-					case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
-						if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS)
-						{
-							final_rec = entry->rec;
-						};
-						break;
-					case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
-						if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
-						{
-							final_rec = entry->rec;
-						};
-						break;
-					case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
-						break;
-				}
-				switch (entry->eval)
-				{
-					case TNC_IMV_EVALUATION_RESULT_ERROR:
-						final_eval = entry->eval;
-						break;
-					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
-						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR)
-						{
-							final_eval = entry->eval;
-						}
-						break;
-					case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
-						if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR &&
-							final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR)
-						{
-							final_eval = entry->eval;
-						}
-						break;
-					case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
-						if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
-						{
-							final_eval = entry->eval;
-						}
-						break;
-					case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
-						break;
-				}
+				final_rec = tncif_policy_update_recommendation(final_rec,
+															   entry->rec);
+				final_eval = tncif_policy_update_evaluation(final_eval,
+															entry->eval);
 				break;
 
 			case RECOMMENDATION_POLICY_ALL:
@@ -267,11 +231,32 @@ METHOD(recommendations_t, have_recommendation, bool,
 	{
 		return FALSE;
 	}
-	*rec = final_rec;
-	*eval = final_eval;
+	if (rec && eval)
+	{
+		*rec  = final_rec;
+		*eval = final_eval;
+	}
 	return TRUE;
 }
 
+METHOD(recommendations_t, clear_recommendation, void,
+	private_tnc_imv_recommendations_t *this)
+{
+	enumerator_t *enumerator;
+	recommendation_entry_t *entry;
+
+	enumerator = this->recs->create_enumerator(this->recs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		entry->have_recommendation = FALSE;
+		entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+		entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+		chunk_clear(&entry->reason);
+		chunk_clear(&entry->reason_language);
+	}
+	enumerator->destroy(enumerator);
+}
+
 METHOD(recommendations_t, get_preferred_language, chunk_t,
 	private_tnc_imv_recommendations_t *this)
 {
@@ -293,7 +278,7 @@ METHOD(recommendations_t, set_reason_string, TNC_Result,
 	bool found = FALSE;
 
 	DBG2(DBG_TNC, "IMV %u is setting reason string to '%.*s'",
-		 id, reason.len, reason.ptr);
+		 id, (int)reason.len, reason.ptr);
 
 	enumerator = this->recs->create_enumerator(this->recs);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -318,7 +303,7 @@ METHOD(recommendations_t, set_reason_language, TNC_Result,
 	bool found = FALSE;
 
 	DBG2(DBG_TNC, "IMV %u is setting reason language to '%.*s'",
-		 id, reason_lang.len, reason_lang.ptr);
+		 id, (int)reason_lang.len, reason_lang.ptr);
 
 	enumerator = this->recs->create_enumerator(this->recs);
 	while (enumerator->enumerate(enumerator, &entry))
@@ -362,21 +347,6 @@ METHOD(recommendations_t, create_reason_enumerator, enumerator_t*,
 					(void*)reason_filter, NULL, NULL);
 }
 
-METHOD(recommendations_t, clear_reasons, void,
-	private_tnc_imv_recommendations_t *this)
-{
-	enumerator_t *enumerator;
-	recommendation_entry_t *entry;
-
-	enumerator = this->recs->create_enumerator(this->recs);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		chunk_clear(&entry->reason);
-		chunk_clear(&entry->reason_language);
-	}
-	enumerator->destroy(enumerator);
-}
-
 METHOD(recommendations_t, destroy, void,
 	private_tnc_imv_recommendations_t *this)
 {
@@ -407,12 +377,12 @@ recommendations_t* tnc_imv_recommendations_create(linked_list_t *imv_list)
 		.public = {
 			.provide_recommendation = _provide_recommendation,
 			.have_recommendation = _have_recommendation,
+			.clear_recommendation = _clear_recommendation,
 			.get_preferred_language = _get_preferred_language,
 			.set_preferred_language = _set_preferred_language,
 			.set_reason_string = _set_reason_string,
 			.set_reason_language = _set_reason_language,
 			.create_reason_enumerator = _create_reason_enumerator,
-			.clear_reasons = _clear_reasons,
 			.destroy = _destroy,
 		},
 		.recs = linked_list_create(),
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
index 6d65a2521..66d03b2f8 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
@@ -23,7 +23,7 @@
 #define TNC_IMV_RECOMMENDATIONS_H_
 
 #include <tnc/imv/imv_recommendations.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Create an IMV empty recommendations instance
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am
index 2d4c4d55a..ce0ddce06 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.am
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.am
@@ -1,11 +1,11 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
@@ -19,6 +19,6 @@ endif
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
-	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c 
+	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c
 
 libstrongswan_tnc_pdp_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 70d3d6249..76607081a 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_DEPENDENCIES =  \
@@ -82,48 +106,77 @@ am_libstrongswan_tnc_pdp_la_OBJECTS = tnc_pdp_plugin.lo tnc_pdp.lo \
 	tnc_pdp_connections.lo
 libstrongswan_tnc_pdp_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_pdp_la_OBJECTS)
-libstrongswan_tnc_pdp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_tnc_pdp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_pdp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_pdp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_pdp_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_pdp_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_pdp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_pdp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +185,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +207,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +235,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +249,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +258,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +266,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +292,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +312,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,13 +348,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_LIBADD = \
@@ -302,7 +366,7 @@ AM_CFLAGS = -rdynamic
 
 libstrongswan_tnc_pdp_la_SOURCES = \
 	tnc_pdp_plugin.h tnc_pdp_plugin.c \
-	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c 
+	tnc_pdp.h tnc_pdp.c tnc_pdp_connections.h tnc_pdp_connections.c
 
 libstrongswan_tnc_pdp_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -350,7 +414,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +421,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -379,8 +444,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-pdp.la: $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_pdp_la_LINK) $(am_libstrongswan_tnc_pdp_la_rpath) $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_LIBADD) $(LIBS)
+libstrongswan-tnc-pdp.la: $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_pdp_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnc_pdp_la_LINK) $(am_libstrongswan_tnc_pdp_la_rpath) $(libstrongswan_tnc_pdp_la_OBJECTS) $(libstrongswan_tnc_pdp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -393,25 +458,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_pdp_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -518,10 +583,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 0625baa90..a30d89535 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -23,11 +23,11 @@
 #include <radius_mppe.h>
 
 #include <daemon.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 typedef struct private_tnc_pdp_t private_tnc_pdp_t;
 
@@ -67,11 +67,6 @@ struct private_tnc_pdp_t {
 	int ipv6;
 
 	/**
-	 * Callback job dispatching commands
-	 */
-	callback_job_t *job;
-
-	/**
 	 * RADIUS shared secret
 	 */
 	chunk_t secret;
@@ -87,9 +82,9 @@ struct private_tnc_pdp_t {
 	signer_t *signer;
 
 	/**
-	 * Random number generator for MS-MPPE salt values
+	 * Nonce generator for MS-MPPE salt values
 	 */
-	rng_t *rng;
+	nonce_gen_t *ng;
 
 	/**
 	 * List of registered TNC-PDP connections
@@ -221,7 +216,11 @@ static chunk_t encrypt_mppe_key(private_tnc_pdp_t *this, u_int8_t type,
 	a = chunk_create((u_char*)&(mppe_key->salt), sizeof(mppe_key->salt));
 	do
 	{
-		this->rng->get_bytes(this->rng, a.len, a.ptr);
+		if (!this->ng->get_nonce(this->ng, a.len, a.ptr))
+		{
+			free(data.ptr);
+			return chunk_empty;
+		}
 		*a.ptr |= 0x80;
 	}
 	while (mppe_key->salt == *salt);
@@ -236,8 +235,12 @@ static chunk_t encrypt_mppe_key(private_tnc_pdp_t *this, u_int8_t type,
 	while (c < data.ptr + data.len)
 	{
 		/* b(i) = MD5(S + c(i-1)) */
-		this->hasher->get_hash(this->hasher, this->secret, NULL);
-		this->hasher->get_hash(this->hasher, seed, b);
+		if (!this->hasher->get_hash(this->hasher, this->secret, NULL) ||
+			!this->hasher->get_hash(this->hasher, seed, b))
+		{
+			free(data.ptr);
+			return chunk_empty;
+		}
 
 		/* c(i) = b(i) xor p(1) */
 		memxor(c, b, HASH_SIZE_MD5);
@@ -263,20 +266,18 @@ static void send_response(private_tnc_pdp_t *this, radius_message_t *request,
 	u_int16_t salt = 0;
 
 	response = radius_message_create(code);
-	if (eap)
-	{
-		data = eap->get_data(eap);
-		DBG3(DBG_CFG, "%N payload %B", eap_type_names, this->type, &data);
+	data = eap->get_data(eap);
+	DBG3(DBG_CFG, "%N payload %B", eap_type_names, this->type, &data);
 
-		/* fragment data suitable for RADIUS */
-		while (data.len > MAX_RADIUS_ATTRIBUTE_SIZE)
-		{
-			response->add(response, RAT_EAP_MESSAGE,
-						  chunk_create(data.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
-			data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE);
-		}
-		response->add(response, RAT_EAP_MESSAGE, data);
+	/* fragment data suitable for RADIUS */
+	while (data.len > MAX_RADIUS_ATTRIBUTE_SIZE)
+	{
+		response->add(response, RAT_EAP_MESSAGE,
+					  chunk_create(data.ptr, MAX_RADIUS_ATTRIBUTE_SIZE));
+		data = chunk_skip(data, MAX_RADIUS_ATTRIBUTE_SIZE);
 	}
+	response->add(response, RAT_EAP_MESSAGE, data);
+
 	if (group)
 	{
 		tunnel_type = RADIUS_TUNNEL_TYPE_ESP;
@@ -291,19 +292,20 @@ static void send_response(private_tnc_pdp_t *this, radius_message_t *request,
 		data = encrypt_mppe_key(this, MS_MPPE_RECV_KEY, recv, &salt, request);
 		response->add(response, RAT_VENDOR_SPECIFIC, data);
 		chunk_free(&data);
-		
+
 		send = chunk_create(msk.ptr + recv.len, msk.len - recv.len);
 		data = encrypt_mppe_key(this, MS_MPPE_SEND_KEY, send, &salt, request);
 		response->add(response, RAT_VENDOR_SPECIFIC, data);
 		chunk_free(&data);
 	}
 	response->set_identifier(response, request->get_identifier(request));
-	response->sign(response, request->get_authenticator(request),
-				   this->secret, this->hasher, this->signer, NULL, TRUE);
-
-	DBG1(DBG_CFG, "sending RADIUS %N to client '%H'", radius_message_code_names,
-		 code, client);
-	send_message(this, response, client);
+	if (response->sign(response, request->get_authenticator(request),
+					   this->secret, this->hasher, this->signer, NULL, TRUE))
+	{
+		DBG1(DBG_CFG, "sending RADIUS %N to client '%H'",
+			 radius_message_code_names, code, client);
+		send_message(this, response, client);
+	}
 	response->destroy(response);
 }
 
@@ -368,7 +370,7 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request,
 			eap_identity = chunk_create(message.ptr + 5, message.len - 5);
 			peer = identification_create_from_data(eap_identity);
 			method = charon->eap->create_instance(charon->eap, this->type,
-										0, EAP_SERVER, this->server, peer); 
+										0, EAP_SERVER, this->server, peer);
 			if (!method)
 			{
 				peer->destroy(peer);
@@ -376,7 +378,10 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request,
 			}
 			this->connections->add(this->connections, nas_id, user_name, peer,
 								   method);
-			method->initiate(method, &out);
+			if (method->initiate(method, &out) == NEED_MORE)
+			{
+				send_response(this, request, code, out, group, msk, source);
+			}
 		}
 		else
 		{
@@ -426,16 +431,16 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request,
 												  in->get_identifier(in));
 			}
 			charon->bus->set_sa(charon->bus, NULL);
+			send_response(this, request, code, out, group, msk, source);
+			this->connections->unlock(this->connections);
 		}
 
-		send_response(this, request, code, out, group, msk, source);
-		out->destroy(out);
-
 		if (code == RMC_ACCESS_ACCEPT || code == RMC_ACCESS_REJECT)
 		{
 			this->connections->remove(this->connections, nas_id, user_name);
 		}
 
+		out->destroy(out);
 end:
 		free(message.ptr);
 		in->destroy(in);
@@ -445,123 +450,80 @@ end:
 /**
  * Process packets received on the RADIUS socket
  */
-static job_requeue_t receive(private_tnc_pdp_t *this)
+static bool receive(private_tnc_pdp_t *this, int fd, watcher_event_t event)
 {
-	while (TRUE)
+	radius_message_t *request;
+	char buffer[MAX_PACKET];
+	int bytes_read = 0;
+	host_t *source;
+	union {
+		struct sockaddr_in in4;
+		struct sockaddr_in6 in6;
+	} src;
+	struct iovec iov = {
+		.iov_base = buffer,
+		.iov_len = MAX_PACKET,
+	};
+	struct msghdr msg = {
+		.msg_name = &src,
+		.msg_namelen = sizeof(src),
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+	};
+
+	/* read received packet */
+	bytes_read = recvmsg(fd, &msg, 0);
+	if (bytes_read < 0)
 	{
-		radius_message_t *request;
-		char buffer[MAX_PACKET];
-		int max_fd = 0, selected = 0, bytes_read = 0;
-		fd_set rfds;
-		bool oldstate;
-		host_t *source;
-		struct msghdr msg;
-		struct iovec iov;
-		union {
-			struct sockaddr_in in4;
-			struct sockaddr_in6 in6;
-		} src;
-
-		FD_ZERO(&rfds);
-
-		if (this->ipv4)
-		{
-			FD_SET(this->ipv4, &rfds);
-		}
-		if (this->ipv6)
-		{
-			FD_SET(this->ipv6, &rfds);
-		}
-		max_fd = max(this->ipv4, this->ipv6);
-
-		DBG2(DBG_CFG, "waiting for data on RADIUS sockets");
-		oldstate = thread_cancelability(TRUE);
-		if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
-		{
-			thread_cancelability(oldstate);
-			continue;
-		}
-		thread_cancelability(oldstate);
-
-		if (FD_ISSET(this->ipv4, &rfds))
-		{
-			selected = this->ipv4;
-		}
-		else if (FD_ISSET(this->ipv6, &rfds))
-		{
-			selected = this->ipv6;
-		}
-		else
-		{
-			/* oops, shouldn't happen */
-			continue;
-		}
-
-		/* read received packet */
-		msg.msg_name = &src;
-		msg.msg_namelen = sizeof(src);
-		iov.iov_base = buffer;
-		iov.iov_len = MAX_PACKET;
-		msg.msg_iov = &iov;
-		msg.msg_iovlen = 1;
-		msg.msg_flags = 0;
-
-		bytes_read = recvmsg(selected, &msg, 0);
-		if (bytes_read < 0)
-		{
-			DBG1(DBG_CFG, "error reading RADIUS socket: %s", strerror(errno));
-			continue;
-		}
-		if (msg.msg_flags & MSG_TRUNC)
-		{
-			DBG1(DBG_CFG, "receive buffer too small, RADIUS packet discarded");
-			continue;
-		}
-		source = host_create_from_sockaddr((sockaddr_t*)&src);
-		DBG2(DBG_CFG, "received RADIUS packet from %#H", source);
-		DBG3(DBG_CFG, "%b", buffer, bytes_read);
-		request = radius_message_parse(chunk_create(buffer, bytes_read));
-		if (request)
-		{
-			DBG1(DBG_CFG, "received RADIUS %N from client '%H'",
-			 	 radius_message_code_names, request->get_code(request), source);
+		DBG1(DBG_CFG, "error reading RADIUS socket: %s", strerror(errno));
+		return FALSE;
+	}
+	if (msg.msg_flags & MSG_TRUNC)
+	{
+		DBG1(DBG_CFG, "receive buffer too small, RADIUS packet discarded");
+		return FALSE;
+	}
+	source = host_create_from_sockaddr((sockaddr_t*)&src);
+	DBG2(DBG_CFG, "received RADIUS packet from %#H", source);
+	DBG3(DBG_CFG, "%b", buffer, bytes_read);
+	request = radius_message_parse(chunk_create(buffer, bytes_read));
+	if (request)
+	{
+		DBG1(DBG_CFG, "received RADIUS %N from client '%H'",
+		radius_message_code_names, request->get_code(request), source);
 
-			if (request->verify(request, NULL, this->secret, this->hasher,
-											   this->signer))
-			{
-				process_eap(this, request, source);
-			}
-			request->destroy(request);
-			
-		}
-		else
+		if (request->verify(request, NULL, this->secret, this->hasher,
+										   this->signer))
 		{
-			DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+			process_eap(this, request, source);
 		}
-		source->destroy(source);
+		request->destroy(request);
 	}
-	return JOB_REQUEUE_FAIR;
+	else
+	{
+		DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+	}
+	source->destroy(source);
+	return TRUE;
 }
 
 METHOD(tnc_pdp_t, destroy, void,
 	private_tnc_pdp_t *this)
 {
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
 	if (this->ipv4)
 	{
+		lib->watcher->remove(lib->watcher, this->ipv4);
 		close(this->ipv4);
 	}
 	if (this->ipv6)
 	{
+		lib->watcher->remove(lib->watcher, this->ipv6);
 		close(this->ipv6);
 	}
 	DESTROY_IF(this->server);
 	DESTROY_IF(this->signer);
 	DESTROY_IF(this->hasher);
-	DESTROY_IF(this->rng);
+	DESTROY_IF(this->ng);
 	DESTROY_IF(this->connections);
 	free(this);
 }
@@ -582,13 +544,13 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 		.ipv6 = open_socket(AF_INET6, port),
 		.hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
 		.signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
-		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
+		.ng = lib->crypto->create_nonce_gen(lib->crypto),
 		.connections = tnc_pdp_connections_create(),
 	);
 
-	if (!this->hasher || !this->signer || !this->rng)
+	if (!this->hasher || !this->signer || !this->ng)
 	{
-		DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
+		DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/NG required");
 		destroy(this);
 		return NULL;
 	}
@@ -598,17 +560,27 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 		destroy(this);
 		return NULL;
 	}
-	if (!this->ipv4)
+	if (this->ipv4)
+	{
+		lib->watcher->add(lib->watcher, this->ipv4, WATCHER_READ,
+						 (watcher_cb_t)receive, this);
+	}
+	else
 	{
 		DBG1(DBG_NET, "could not open IPv4 RADIUS socket, IPv4 disabled");
 	}
-	if (!this->ipv6)
+	if (this->ipv6)
+	{
+		lib->watcher->add(lib->watcher, this->ipv6, WATCHER_READ,
+						 (watcher_cb_t)receive, this);
+	}
+	else
 	{
 		DBG1(DBG_NET, "could not open IPv6 RADIUS socket, IPv6 disabled");
 	}
 
 	server = lib->settings->get_str(lib->settings,
-						"charon.plugins.tnc-pdp.server", NULL);
+						"%s.plugins.tnc-pdp.server", NULL, charon->name);
 	if (!server)
 	{
 		DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
@@ -618,7 +590,7 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 	this->server = identification_create_from_string(server);
 
 	secret = lib->settings->get_str(lib->settings,
-						"charon.plugins.tnc-pdp.secret", NULL);
+						"%s.plugins.tnc-pdp.secret", NULL, charon->name);
 	if (!secret)
 	{
 		DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
@@ -626,10 +598,15 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 		return NULL;
 	}
 	this->secret = chunk_create(secret, strlen(secret));
-	this->signer->set_key(this->signer, this->secret);
+	if (!this->signer->set_key(this->signer, this->secret))
+	{
+		DBG1(DBG_CFG, "could not set signer key");
+		destroy(this);
+		return NULL;
+	}
 
 	eap_type_str = lib->settings->get_str(lib->settings,
-						"charon.plugins.tnc-pdp.method", "ttls");
+						"%s.plugins.tnc-pdp.method", "ttls", charon->name);
 	this->type = eap_type_from_string(eap_type_str);
 	if (this->type == 0)
 	{
@@ -639,10 +616,5 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
 	}
 	DBG1(DBG_IKE, "eap method %N selected", eap_type_names, this->type);
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
-
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
index 175a57aba..f789c31d2 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
@@ -15,8 +15,17 @@
 
 #include "tnc_pdp_connections.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <processing/jobs/callback_job.h>
+
+#include <daemon.h>
+
+/**
+ * Default PDP connection timeout, in s
+ */
+#define DEFAULT_TIMEOUT 30
 
 typedef struct private_tnc_pdp_connections_t private_tnc_pdp_connections_t;
 typedef struct entry_t entry_t;
@@ -32,9 +41,19 @@ struct private_tnc_pdp_connections_t {
 	tnc_pdp_connections_t public;
 
 	/**
-	 * List of TNC PEP RADIUS Connections
-	 */ 
+	 * TNC PEP RADIUS Connections
+	 */
 	linked_list_t *list;
+
+	/**
+	 * Lock to access PEP connection list
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Connection timeout before we kill non-completed connections, in s
+	 */
+	int timeout;
 };
 
 /**
@@ -61,6 +80,11 @@ struct entry_t {
 	 * IKE SA used for bus communication
 	 */
 	ike_sa_t *ike_sa;
+
+	/**
+	 * Timestamp this entry has been created
+	 */
+	time_t created;
 };
 
 /**
@@ -94,14 +118,44 @@ static void dbg_nas_user(chunk_t nas_id, chunk_t user_name, bool not, char *op)
 	if (nas_id.len)
 	{
 		DBG1(DBG_CFG, "%s RADIUS connection for user '%.*s' NAS '%.*s'",
-			 		   not ? "could not find" : op, user_name.len, user_name.ptr,
-					   nas_id.len, nas_id.ptr);
+					   not ? "could not find" : op, (int)user_name.len,
+					   user_name.ptr, (int)nas_id.len, nas_id.ptr);
 	}
 	else
 	{
-		DBG1(DBG_CFG, "%s RADIUS connection for user '%.*s'", 
-					   not ? "could not find" : op, user_name.len, user_name.ptr);
+		DBG1(DBG_CFG, "%s RADIUS connection for user '%.*s'",
+					   not ? "could not find" : op, (int)user_name.len,
+					   user_name.ptr);
+	}
+}
+
+/**
+ * Check if any connection has timed out
+ */
+static job_requeue_t check_timeouts(private_tnc_pdp_connections_t *this)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	time_t now;
+
+	now = time_monotonic(NULL);
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->created + this->timeout <= now)
+		{
+			DBG1(DBG_CFG, "RADIUS connection timed out after %d seconds",
+				 this->timeout);
+			this->list->remove_at(this->list, enumerator);
+			free_entry(entry);
+		}
 	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(tnc_pdp_connections_t, add, void,
@@ -114,11 +168,12 @@ METHOD(tnc_pdp_connections_t, add, void,
 	ike_sa_t *ike_sa;
 	bool found = FALSE;
 
-	ike_sa_id = ike_sa_id_create(0, 0, FALSE);
-	ike_sa = ike_sa_create(ike_sa_id);
+	ike_sa_id = ike_sa_id_create(IKEV2_MAJOR_VERSION, 0, 0, FALSE);
+	ike_sa = ike_sa_create(ike_sa_id, FALSE, IKEV2);
 	ike_sa_id->destroy(ike_sa_id);
 	ike_sa->set_other_id(ike_sa, peer);
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -130,20 +185,33 @@ METHOD(tnc_pdp_connections_t, add, void,
 			DBG1(DBG_CFG, "removed stale RADIUS connection");
 			entry->method = method;
 			entry->ike_sa = ike_sa;
+			entry->created = time_monotonic(NULL);
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
-	
+	this->lock->unlock(this->lock);
+
 	if (!found)
 	{
-		entry = malloc_thing(entry_t);
-		entry->nas_id = chunk_clone(nas_id);
-		entry->user_name = chunk_clone(user_name);
-		entry->method = method;
-		entry->ike_sa = ike_sa;
+		INIT(entry,
+			.nas_id = chunk_clone(nas_id),
+			.user_name = chunk_clone(user_name),
+			.method = method,
+			.ike_sa = ike_sa,
+			.created = time_monotonic(NULL),
+		);
+		this->lock->write_lock(this->lock);
 		this->list->insert_last(this->list, entry);
+		this->lock->unlock(this->lock);
 	}
+
+	/* schedule timeout checking */
+	lib->scheduler->schedule_job_ms(lib->scheduler,
+				(job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
+					this, NULL, (callback_job_cancel_t)return_false),
+				this->timeout * 1000);
+
 	dbg_nas_user(nas_id, user_name, FALSE, "created");
 }
 
@@ -153,6 +221,7 @@ METHOD(tnc_pdp_connections_t, remove_, void,
 	enumerator_t *enumerator;
 	entry_t *entry;
 
+	this->lock->write_lock(this->lock);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -165,6 +234,7 @@ METHOD(tnc_pdp_connections_t, remove_, void,
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
 METHOD(tnc_pdp_connections_t, get_state, eap_method_t*,
@@ -175,6 +245,7 @@ METHOD(tnc_pdp_connections_t, get_state, eap_method_t*,
 	entry_t *entry;
 	eap_method_t *found = NULL;
 
+	this->lock->read_lock(this->lock);
 	enumerator = this->list->create_enumerator(this->list);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
@@ -186,14 +257,25 @@ METHOD(tnc_pdp_connections_t, get_state, eap_method_t*,
 		}
 	}
 	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		this->lock->unlock(this->lock);
+	}
 
 	dbg_nas_user(nas_id, user_name, !found, "found");
 	return found;
 }
 
+METHOD(tnc_pdp_connections_t, unlock, void,
+	private_tnc_pdp_connections_t *this)
+{
+	this->lock->unlock(this->lock);
+}
+
 METHOD(tnc_pdp_connections_t, destroy, void,
 	private_tnc_pdp_connections_t *this)
 {
+	this->lock->destroy(this->lock);
 	this->list->destroy_function(this->list, (void*)free_entry);
 	free(this);
 }
@@ -210,11 +292,14 @@ tnc_pdp_connections_t *tnc_pdp_connections_create(void)
 			.add = _add,
 			.remove = _remove_,
 			.get_state = _get_state,
+			.unlock = _unlock,
 			.destroy = _destroy,
 		},
 		.list = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.timeout = lib->settings->get_int(lib->settings,
+				"%s.plugins.tnc-pdp.timeout", DEFAULT_TIMEOUT, charon->name),
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h
index b9f5d097b..442f29ce9 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h
@@ -25,7 +25,7 @@ typedef struct tnc_pdp_connections_t tnc_pdp_connections_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 /**
  * Public interface of a tnc_pdp_connections object
@@ -53,7 +53,10 @@ struct tnc_pdp_connections_t {
 				   chunk_t user_name);
 
 	/**
-	 * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection
+	 * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection.
+	 *
+	 * If this call succeeds, the connection manager is locked. Call unlock
+	 * after using the return objects.
 	 *
 	 * @param nas_id		NAS identifier of Policy Enforcement Point
 	 * @param user_name		User name of TNC Client
@@ -64,6 +67,11 @@ struct tnc_pdp_connections_t {
 							   chunk_t user_name, ike_sa_t **ike_sa);
 
 	/**
+	 * Unlock connections after successfully calling get_state().
+	 */
+	void (*unlock)(tnc_pdp_connections_t *this);
+
+	/**
 	 * Destroys a tnc_pdp_connections_t object.
 	 */
 	void (*destroy)(tnc_pdp_connections_t *this);
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
index 9abe02aec..e35ba9ead 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
@@ -16,6 +16,8 @@
 #include "tnc_pdp_plugin.h"
 #include "tnc_pdp.h"
 
+#include <daemon.h>
+
 typedef struct private_tnc_pdp_plugin_t private_tnc_pdp_plugin_t;
 
 /**
@@ -46,12 +48,37 @@ METHOD(plugin_t, get_name, char*,
 	return "tnc-pdp";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_tnc_pdp_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		int port;
+
+		port = lib->settings->get_int(lib->settings,
+						"%s.plugins.tnc-pdp.port", RADIUS_PORT, charon->name);
+		this->pdp = tnc_pdp_create(port);
+	}
+	else
+	{
+		DESTROY_IF(this->pdp);
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_features, int,
 	private_tnc_pdp_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
 			PLUGIN_PROVIDE(CUSTOM, "tnc-pdp"),
 				PLUGIN_DEPENDS(CUSTOM, "imv-manager"),
+				PLUGIN_DEPENDS(HASHER, HASH_MD5),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_MD5_128),
+				PLUGIN_DEPENDS(NONCE_GEN),
 	};
 	*features = f;
 	return countof(f);
@@ -60,7 +87,6 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_tnc_pdp_plugin_t *this)
 {
-	DESTROY_IF(this->pdp);
 	free(this);
 }
 
@@ -70,10 +96,6 @@ METHOD(plugin_t, destroy, void,
 plugin_t *tnc_pdp_plugin_create()
 {
 	private_tnc_pdp_plugin_t *this;
-	int port;
-
-	port = lib->settings->get_int(lib->settings,
-						"charon.plugins.tnc_pdp.port", RADIUS_PORT);
 
 	INIT(this,
 		.public = {
@@ -83,7 +105,6 @@ plugin_t *tnc_pdp_plugin_create()
 				.destroy = _destroy,
 			},
 		},
-		.pdp = tnc_pdp_create(port),
 	);
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.am b/src/libcharon/plugins/tnc_tnccs/Makefile.am
index c7fc02f7c..f16bf8e1b 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.am
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.am
@@ -1,10 +1,11 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnc-tnccs.la
diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.in b/src/libcharon/plugins/tnc_tnccs/Makefile.in
index c12a837d1..eea0044a0 100644
--- a/src/libcharon/plugins/tnc_tnccs/Makefile.in
+++ b/src/libcharon/plugins/tnc_tnccs/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnc_tnccs_la_DEPENDENCIES =  \
@@ -81,49 +105,77 @@ am_libstrongswan_tnc_tnccs_la_OBJECTS = tnc_tnccs_plugin.lo \
 	tnc_tnccs_manager.lo
 libstrongswan_tnc_tnccs_la_OBJECTS =  \
 	$(am_libstrongswan_tnc_tnccs_la_OBJECTS)
-libstrongswan_tnc_tnccs_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnc_tnccs_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnc_tnccs_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnc_tnccs_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnc_tnccs_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnc_tnccs_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnc_tnccs_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,12 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-tnccs.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-tnccs.la
 @MONOLITHIC_FALSE@libstrongswan_tnc_tnccs_la_LIBADD = \
@@ -348,7 +412,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +419,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -377,8 +442,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnc-tnccs.la: $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_DEPENDENCIES) 
-	$(libstrongswan_tnc_tnccs_la_LINK) $(am_libstrongswan_tnc_tnccs_la_rpath) $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_LIBADD) $(LIBS)
+libstrongswan-tnc-tnccs.la: $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnc_tnccs_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnc_tnccs_la_LINK) $(am_libstrongswan_tnc_tnccs_la_rpath) $(libstrongswan_tnc_tnccs_la_OBJECTS) $(libstrongswan_tnc_tnccs_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -390,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_tnccs_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -515,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
index 64ed160d9..60f6bc3c1 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,6 +13,8 @@
  * for more details.
  */
 
+#define _GNU_SOURCE /* for asprintf() */
+
 #include "tnc_tnccs_manager.h"
 
 #include <tnc/tnc.h>
@@ -20,10 +22,18 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/imv/imv_manager.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <tncif_identity.h>
+
+#include <tls.h>
+
+#include <utils/debug.h>
+#include <pen/pen.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
+#include <stdio.h>
+
 typedef struct private_tnc_tnccs_manager_t private_tnc_tnccs_manager_t;
 typedef struct tnccs_entry_t tnccs_entry_t;
 typedef struct tnccs_connection_entry_t tnccs_connection_entry_t;
@@ -75,6 +85,11 @@ struct tnccs_connection_entry_t {
 	bool *request_handshake_retry;
 
 	/**
+	 * Maximum size of a PA-TNC message
+	 */
+	u_int32_t max_msg_len;
+
+	/**
 	 * collection of IMV recommendations
 	 */
 	recommendations_t *recs;
@@ -153,7 +168,9 @@ METHOD(tnccs_manager_t, remove_method, void,
 }
 
 METHOD(tnccs_manager_t, create_instance, tnccs_t*,
-	private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server)
+	private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
+	identification_t *server, identification_t *peer,
+	tnc_ift_type_t transport)
 {
 	enumerator_t *enumerator;
 	tnccs_entry_t *entry;
@@ -165,7 +182,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
 	{
 		if (type == entry->type)
 		{
-			protocol = entry->constructor(is_server);
+			protocol = entry->constructor(is_server, server, peer, transport);
 			if (protocol)
 			{
 				break;
@@ -181,7 +198,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
 METHOD(tnccs_manager_t, create_connection, TNC_ConnectionID,
 	private_tnc_tnccs_manager_t *this, tnccs_type_t type, tnccs_t *tnccs,
 	tnccs_send_message_t send_message, bool* request_handshake_retry,
-	recommendations_t **recs)
+	u_int32_t max_msg_len, recommendations_t **recs)
 {
 	tnccs_connection_entry_t *entry;
 
@@ -190,6 +207,7 @@ METHOD(tnccs_manager_t, create_connection, TNC_ConnectionID,
 	entry->tnccs = tnccs;
 	entry->send_message = send_message;
 	entry->request_handshake_retry = request_handshake_retry;
+	entry->max_msg_len = max_msg_len;
 	if (recs)
 	{
 		/* we assume a TNC Server needing recommendations from IMVs */
@@ -436,6 +454,44 @@ static TNC_Result str_attribute(TNC_UInt32 buffer_len,
 	}
 }
 
+/**
+ * Write the value of a TNC identity list into the buffer
+ */
+static TNC_Result identity_attribute(TNC_UInt32 buffer_len,
+									 TNC_BufferReference buffer,
+									 TNC_UInt32 *value_len,
+									 linked_list_t *list)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	u_int32_t count;
+	chunk_t value;
+	tncif_identity_t *tnc_id;
+	TNC_Result result = TNC_RESULT_INVALID_PARAMETER;
+
+	count = list->get_count(list);
+	writer = bio_writer_create(4 + TNCIF_IDENTITY_MIN_SIZE * count);
+	writer->write_uint32(writer, count);
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		tnc_id->build(tnc_id, writer);
+	}
+	enumerator->destroy(enumerator);
+
+	value = writer->get_buf(writer);
+	*value_len = value.len;
+	if (buffer && buffer_len >= value.len)
+	{
+		memcpy(buffer, value.ptr, value.len);
+		result = TNC_RESULT_SUCCESS;
+	}
+	writer->destroy(writer);
+
+	return result;
+}
+
 METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 	private_tnc_tnccs_manager_t *this, bool is_imc,
 									   TNC_UInt32 imcv_id,
@@ -448,7 +504,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 	enumerator_t *enumerator;
 	tnccs_connection_entry_t *entry;
 	bool attribute_match = FALSE, entry_found = FALSE;
-	
+
 	if (is_imc)
 	{
 		switch (attribute_id)
@@ -481,6 +537,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 
 			/* these attributes are supported */
 			case TNC_ATTRIBUTEID_PRIMARY_IMV_ID:
+			case TNC_ATTRIBUTEID_AR_IDENTITIES:
 				attribute_match = TRUE;
 				break;
 
@@ -514,7 +571,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 				return TNC_RESULT_INVALID_PARAMETER;
 		}
 	}
-	
+
 	/* attributes specific to the TNCC or TNCS are unsupported */
 	if (id == TNC_CONNECTIONID_ANY)
 	{
@@ -564,16 +621,18 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 			return TNC_RESULT_SUCCESS;
 		}
 		case TNC_ATTRIBUTEID_MAX_ROUND_TRIPS:
-			return uint_attribute(buffer_len, buffer, value_len, 0xffffffff);
+			return uint_attribute(buffer_len, buffer, value_len,
+								  0xffffffff);
 		case TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE:
-			return uint_attribute(buffer_len, buffer, value_len, 0x00000000);
+			return uint_attribute(buffer_len, buffer, value_len,
+								  entry->max_msg_len);
 		case TNC_ATTRIBUTEID_HAS_LONG_TYPES:
 		case TNC_ATTRIBUTEID_HAS_EXCLUSIVE:
-			return bool_attribute(buffer_len, buffer, value_len, 
-								 	 entry->type == TNCCS_2_0);
+			return bool_attribute(buffer_len, buffer, value_len,
+								  entry->type == TNCCS_2_0);
 		case TNC_ATTRIBUTEID_HAS_SOH:
-			return bool_attribute(buffer_len, buffer, value_len, 
-								  	entry->type == TNCCS_SOH);
+			return bool_attribute(buffer_len, buffer, value_len,
+								  entry->type == TNCCS_SOH);
 		case TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL:
 		{
 			char *protocol;
@@ -608,15 +667,110 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 					version = "1.0";
 					break;
 				default:
-				return TNC_RESULT_INVALID_PARAMETER;
+					return TNC_RESULT_INVALID_PARAMETER;
 			}
 			return str_attribute(buffer_len, buffer, value_len, version);
 		}
 		case TNC_ATTRIBUTEID_IFT_PROTOCOL:
-			return str_attribute(buffer_len, buffer, value_len,
-										 "IF-T for Tunneled EAP");
+		{
+			char *protocol;
+
+			switch (entry->tnccs->get_transport(entry->tnccs))
+			{
+				case TNC_IFT_EAP_1_0:
+				case TNC_IFT_EAP_1_1:
+				case TNC_IFT_EAP_2_0:
+					protocol = "IF-T for Tunneled EAP";
+					break;
+				case TNC_IFT_TLS_1_0:
+				case TNC_IFT_TLS_2_0:
+					protocol = "IF-T for TLS";
+					break;
+				default:
+					return TNC_RESULT_INVALID_PARAMETER;
+			}
+			return str_attribute(buffer_len, buffer, value_len, protocol);
+		}
  		case TNC_ATTRIBUTEID_IFT_VERSION:
-			return str_attribute(buffer_len, buffer, value_len, "1.1");
+		{
+			char *version;
+
+			switch (entry->tnccs->get_transport(entry->tnccs))
+			{
+				case TNC_IFT_EAP_1_0:
+				case TNC_IFT_TLS_1_0:
+					version = "1.0";
+					break;
+				case TNC_IFT_EAP_1_1:
+					version = "1.1";
+					break;
+				case TNC_IFT_EAP_2_0:
+				case TNC_IFT_TLS_2_0:
+					version = "2.0";
+					break;
+				default:
+					return TNC_RESULT_INVALID_PARAMETER;
+			}
+			return str_attribute(buffer_len, buffer, value_len, version);
+		}
+		case TNC_ATTRIBUTEID_AR_IDENTITIES:
+		{
+			linked_list_t *list;
+			identification_t *peer;
+			tnccs_t *tnccs;
+			tncif_identity_t *tnc_id;
+			u_int32_t id_type, subject_type;
+			chunk_t id_value;
+			char *id_str;
+			TNC_Result result;
+
+			list = linked_list_create();
+			tnccs = entry->tnccs;
+			peer = tnccs->tls.get_peer_id(&tnccs->tls);
+			if (peer)
+			{
+				switch (peer->get_type(peer))
+				{
+					case ID_IPV4_ADDR:
+						id_type = TNC_ID_IPV4_ADDR;
+						subject_type = TNC_SUBJECT_MACHINE;
+						break;
+					case ID_IPV6_ADDR:
+						id_type = TNC_ID_IPV6_ADDR;
+						subject_type = TNC_SUBJECT_MACHINE;
+						break;
+					case ID_FQDN:
+						id_type = TNC_ID_USERNAME;
+						subject_type = TNC_SUBJECT_USER;
+						break;
+					case ID_RFC822_ADDR:
+						id_type = TNC_ID_EMAIL_ADDR;
+						subject_type = TNC_SUBJECT_USER;
+						break;
+					case ID_DER_ASN1_DN:
+						id_type = TNC_ID_X500_DN;
+						subject_type = TNC_SUBJECT_USER;
+						break;
+					default:
+						id_type = TNC_ID_UNKNOWN;
+						subject_type = TNC_SUBJECT_UNKNOWN;
+				}
+				if (id_type != TNC_ID_UNKNOWN &&
+					asprintf(&id_str, "%Y", peer) >= 0)
+				{
+					id_value = chunk_from_str(id_str);
+					tnc_id = tncif_identity_create(
+								pen_type_create(PEN_TCG, id_type), id_value,
+								pen_type_create(PEN_TCG, subject_type),
+								pen_type_create(PEN_TCG,
+												tnccs->get_auth_type(tnccs)));
+					list->insert_last(list, tnc_id);
+				}
+			}
+			result = identity_attribute(buffer_len, buffer, value_len, list);
+			list->destroy_offset(list, offsetof(tncif_identity_t, destroy));
+			return result;
+		}
 		default:
 			return TNC_RESULT_INVALID_PARAMETER;
 	 }
diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
index a44319ed1..1e4ddc195 100644
--- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
+++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_plugin.c
@@ -18,7 +18,7 @@
 
 #include <tnc/tnc.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnc_tnccs_plugin_t private_tnc_tnccs_plugin_t;
 
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am
index c205692d4..4c0e0f7c8 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.am
+++ b/src/libcharon/plugins/tnccs_11/Makefile.am
@@ -1,12 +1,14 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs \
-	${xml_CFLAGS}
+	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS}
 
@@ -31,4 +33,3 @@ libstrongswan_tnccs_11_la_SOURCES = \
 	messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c
 
 libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
index 1902d1f93..8d572b74a 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.in
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -49,10 +66,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -76,6 +94,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
@@ -87,49 +111,77 @@ am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo \
 	tnccs_recommendation_msg.lo tnccs_tncs_contact_info_msg.lo
 libstrongswan_tnccs_11_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_11_la_OBJECTS)
-libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_11_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnccs_11_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnccs_11_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -138,13 +190,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -157,6 +212,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -184,11 +240,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -196,6 +254,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -204,8 +263,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -214,14 +271,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -235,17 +297,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -255,16 +317,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -292,14 +353,18 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libtnccs \
-	${xml_CFLAGS}
+	-I$(top_srcdir)/src/libtnccs
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS} $(am__append_1)
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
@@ -360,7 +425,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -368,6 +432,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -389,8 +455,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) 
-	$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
+libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_11_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -410,81 +476,81 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_tncs_contact_info_msg.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 tnccs_batch.lo: batch/tnccs_batch.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='batch/tnccs_batch.c' object='tnccs_batch.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='batch/tnccs_batch.c' object='tnccs_batch.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c
 
 tnccs_msg.lo: messages/tnccs_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_msg.Tpo -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_msg.Tpo $(DEPDIR)/tnccs_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_msg.c' object='tnccs_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_msg.Tpo -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_msg.Tpo $(DEPDIR)/tnccs_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_msg.c' object='tnccs_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c
 
 imc_imv_msg.lo: messages/imc_imv_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_imv_msg.lo -MD -MP -MF $(DEPDIR)/imc_imv_msg.Tpo -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imc_imv_msg.Tpo $(DEPDIR)/imc_imv_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/imc_imv_msg.c' object='imc_imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_imv_msg.lo -MD -MP -MF $(DEPDIR)/imc_imv_msg.Tpo -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imc_imv_msg.Tpo $(DEPDIR)/imc_imv_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/imc_imv_msg.c' object='imc_imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c
 
 tnccs_error_msg.lo: messages/tnccs_error_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_error_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_error_msg.Tpo -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_error_msg.Tpo $(DEPDIR)/tnccs_error_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_error_msg.c' object='tnccs_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_error_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_error_msg.Tpo -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_error_msg.Tpo $(DEPDIR)/tnccs_error_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_error_msg.c' object='tnccs_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c
 
 tnccs_preferred_language_msg.lo: messages/tnccs_preferred_language_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_preferred_language_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_preferred_language_msg.Tpo -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_preferred_language_msg.Tpo $(DEPDIR)/tnccs_preferred_language_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_preferred_language_msg.c' object='tnccs_preferred_language_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_preferred_language_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_preferred_language_msg.Tpo -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_preferred_language_msg.Tpo $(DEPDIR)/tnccs_preferred_language_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_preferred_language_msg.c' object='tnccs_preferred_language_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c
 
 tnccs_reason_strings_msg.lo: messages/tnccs_reason_strings_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_reason_strings_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_reason_strings_msg.Tpo -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_reason_strings_msg.Tpo $(DEPDIR)/tnccs_reason_strings_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_reason_strings_msg.c' object='tnccs_reason_strings_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_reason_strings_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_reason_strings_msg.Tpo -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_reason_strings_msg.Tpo $(DEPDIR)/tnccs_reason_strings_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_reason_strings_msg.c' object='tnccs_reason_strings_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c
 
 tnccs_recommendation_msg.lo: messages/tnccs_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_recommendation_msg.Tpo -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_recommendation_msg.Tpo $(DEPDIR)/tnccs_recommendation_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_recommendation_msg.c' object='tnccs_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_recommendation_msg.Tpo -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_recommendation_msg.Tpo $(DEPDIR)/tnccs_recommendation_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_recommendation_msg.c' object='tnccs_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c
 
 tnccs_tncs_contact_info_msg.lo: messages/tnccs_tncs_contact_info_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_tncs_contact_info_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo $(DEPDIR)/tnccs_tncs_contact_info_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/tnccs_tncs_contact_info_msg.c' object='tnccs_tncs_contact_info_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_tncs_contact_info_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo $(DEPDIR)/tnccs_tncs_contact_info_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/tnccs_tncs_contact_info_msg.c' object='tnccs_tncs_contact_info_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -591,10 +657,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
index c9397722b..660ba179d 100644
--- a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
+++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c
@@ -18,11 +18,15 @@
 
 #include <tnc/tnccs/tnccs.h>
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 #include <libxml/parser.h>
 
+#define TNCCS_NS	"http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#"
+#define SCHEMA_NS	"http://www.w3.org/2001/XMLSchema-instance"
+#define TNCCS_XSD	"https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd"
+
 typedef struct private_tnccs_batch_t private_tnccs_batch_t;
 
 /**
@@ -91,7 +95,7 @@ METHOD(tnccs_batch_t, build, void,
 	int buf_size;
 
 	xmlDocDumpFormatMemory(this->doc, &xmlbuf, &buf_size, 1);
-	this->encoding = chunk_create((u_char*)xmlbuf, buf_size);
+	this->encoding = chunk_create(xmlbuf, buf_size);
 	this->encoding = chunk_clone(this->encoding);
 	xmlFree(xmlbuf);
 }
@@ -125,8 +129,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check TNCCS namespace */
-	ns = xmlSearchNsByHref(this->doc, cur, (const xmlChar*)
-				"http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#");
+	ns = xmlSearchNsByHref(this->doc, cur, TNCCS_NS);
 	if (!ns)
 	{
 		error_type = TNCCS_ERROR_MALFORMED_BATCH;
@@ -135,7 +138,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check XML document type */
-	if (xmlStrcmp(cur->name, (const xmlChar*)"TNCCS-Batch"))
+	if (xmlStrcmp(cur->name, "TNCCS-Batch"))
 	{
 		error_type = TNCCS_ERROR_MALFORMED_BATCH;
 		error_msg = buf;
@@ -145,7 +148,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check presence of BatchID property */
-	batchid = xmlGetProp(cur, (const xmlChar*)"BatchId");
+	batchid = xmlGetProp(cur, "BatchId");
 	if (!batchid)
 	{
 		error_type = TNCCS_ERROR_INVALID_BATCH_ID;
@@ -166,7 +169,7 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check presence of Recipient property */
-	recipient = xmlGetProp(cur, (const xmlChar*)"Recipient");
+	recipient = xmlGetProp(cur, "Recipient");
 	if (!recipient)
 	{
 		error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE;
@@ -175,12 +178,12 @@ METHOD(tnccs_batch_t, process, status_t,
 	}
 
 	/* check recipient */
-	if (!streq((char*)recipient, this->is_server ? "TNCS" : "TNCC"))
+	if (!streq(recipient, this->is_server ? "TNCS" : "TNCC"))
 	{
 		error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE;
 		error_msg =	buf;
 		snprintf(buf, BUF_LEN, "message recipient expected '%s', got '%s'",
-				 this->is_server ? "TNCS" : "TNCC", (char*)recipient);
+				 this->is_server ? "TNCS" : "TNCC", recipient);
 		xmlFree(recipient);
 		goto fatal;
 	}
@@ -201,7 +204,7 @@ METHOD(tnccs_batch_t, process, status_t,
 		if (cur->ns != ns)
 		{
 			DBG1(DBG_TNC, "ignoring message node '%s' having wrong namespace",
-						  (char*)cur->name);
+						  cur->name);
 			continue;
 		}
 
@@ -260,8 +263,8 @@ tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id)
 {
 	private_tnccs_batch_t *this;
 	xmlNodePtr n;
+	xmlNsPtr ns_xsi;
 	char buf[12];
-	const char *recipient;
 
 	INIT(this,
 		.public = {
@@ -277,19 +280,17 @@ tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id)
 		.messages = linked_list_create(),
 		.errors = linked_list_create(),
 		.batch_id = batch_id,
-		.doc = xmlNewDoc(BAD_CAST "1.0"),
+		.doc = xmlNewDoc("1.0"),
 	);
 
 	DBG2(DBG_TNC, "creating TNCCS Batch #%d", this->batch_id);
-	n = xmlNewNode(NULL, BAD_CAST "TNCCS-Batch");
+	n = xmlNewNode(NULL, "TNCCS-Batch");
+	xmlNewNs(n, TNCCS_NS, NULL);
+	ns_xsi = xmlNewNs(n, SCHEMA_NS, "xsi");
 	snprintf(buf, sizeof(buf), "%d", batch_id);
-	recipient = this->is_server ? "TNCC" : "TNCS";
-	xmlNewProp(n, BAD_CAST "BatchId", BAD_CAST buf);
-	xmlNewProp(n, BAD_CAST "Recipient", BAD_CAST recipient);
-	xmlNewProp(n, BAD_CAST "xmlns", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#");
-	xmlNewProp(n, BAD_CAST "xmlns:xsi", BAD_CAST "http://www.w3.org/2001/XMLSchema-instance");
-	xmlNewProp(n, BAD_CAST "xsi:schemaLocation", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS# "
-														  "https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd");
+	xmlNewProp(n, "BatchId", buf);
+	xmlNewProp(n, "Recipient", this->is_server ? "TNCC" : "TNCS");
+	xmlNewNsProp(n, ns_xsi, "schemaLocation", TNCCS_NS " " TNCCS_XSD);
 	xmlDocSetRootElement(this->doc, n);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
index fa570aae9..f0e821c8c 100644
--- a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c
@@ -18,7 +18,7 @@
 #include <tnc/tnccs/tnccs.h>
 
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_imc_imv_msg_t private_imc_imv_msg_t;
 
@@ -181,16 +181,16 @@ tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors
 	cur = node->xmlChildrenNode;
 	while (cur)
 	{
-		if (streq((char*)cur->name, "Type") && cur->ns == ns)
+		if (streq(cur->name, "Type") && cur->ns == ns)
 		{
 			content = xmlNodeGetContent(cur);
-			this->msg_type = strtoul((char*)content, NULL, 16);
+			this->msg_type = strtoul(content, NULL, 16);
 			xmlFree(content);
 		}
-		else if (streq((char*)cur->name, "Base64") && cur->ns == ns)
+		else if (streq(cur->name, "Base64") && cur->ns == ns)
 		{
 			content = xmlNodeGetContent(cur);
-			b64_body = chunk_create((char*)content, strlen((char*)content));
+			b64_body = chunk_create(content, strlen(content));
 			this->msg_body = decode_base64(b64_body);
 			xmlFree(content);
 		}
@@ -221,21 +221,21 @@ tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body)
 			.get_msg_body = _get_msg_body,
 		},
 		.type = IMC_IMV_MSG,
-		.node = xmlNewNode(NULL, BAD_CAST "IMC-IMV-Message"),
+		.node = xmlNewNode(NULL, "IMC-IMV-Message"),
 		.msg_type = msg_type,
 		.msg_body = chunk_clone(msg_body),
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
+	n = xmlNewNode(NULL, "Type");
 	snprintf(buf, 10, "%08x", this->msg_type);
-	xmlNodeSetContent(n, BAD_CAST buf);
+	xmlNodeSetContent(n, buf);
 	xmlAddChild(this->node, n);
 
 	/* encode the message as a Base64 node */
-	n = xmlNewNode(NULL, BAD_CAST "Base64");
+	n = xmlNewNode(NULL, "Base64");
 	b64_body = encode_base64(this->msg_body);
-	xmlNodeSetContent(n, BAD_CAST b64_body.ptr);
+	xmlNodeSetContent(n, b64_body.ptr);
 	xmlAddChild(this->node, n);
 	free(b64_body.ptr);
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
index d0df4e7ca..86b7c6aa5 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c
@@ -15,7 +15,7 @@
 
 #include "tnccs_error_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(tnccs_error_type_names, TNCCS_ERROR_BATCH_TOO_LONG, TNCCS_ERROR_OTHER,
 	"batch-too-long",
@@ -108,7 +108,7 @@ tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
 {
 	private_tnccs_error_msg_t *this;
 	xmlChar *error_type_name, *error_msg;
-	
+
 	INIT(this,
 		.public = {
 			.tnccs_msg_interface = {
@@ -125,11 +125,11 @@ tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
 		.error_type = TNCCS_ERROR_OTHER,
 	);
 
-	error_type_name = xmlGetProp(node, (const xmlChar*)"type");
+	error_type_name = xmlGetProp(node, "type");
 	if (error_type_name)
 	{
 		this->error_type = enum_from_name(tnccs_error_type_names,
-										  (char*)error_type_name);
+										  error_type_name);
 		if (this->error_type == -1)
 		{
 			this->error_type = TNCCS_ERROR_OTHER;
@@ -140,7 +140,7 @@ tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node)
 	error_msg = xmlNodeGetContent(node);
 	if (error_msg)
 	{
-		this->error_msg = strdup((char*)error_msg);
+		this->error_msg = strdup(error_msg);
 		xmlFree(error_msg);
 	}
 
@@ -167,24 +167,23 @@ tnccs_msg_t *tnccs_error_msg_create(tnccs_error_type_t type, char *msg)
 		},
 		.type = TNCCS_MSG_ERROR,
 		.ref = 1,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.error_type = type,
 		.error_msg  = strdup(msg),
 	);
 
 	DBG1(DBG_TNC, "%s", msg);
 
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000002");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000002");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNewProp(n2, BAD_CAST "type",
-				   BAD_CAST enum_to_name(tnccs_error_type_names, type));
-	xmlNodeSetContent(n2, BAD_CAST msg);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNewProp(n2, "type", enum_to_name(tnccs_error_type_names, type));
+	xmlNodeSetContent(n2, msg);
 	xmlAddChild(n, n2);
 
 	return &this->public.tnccs_msg_interface;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
index 5a050393a..fa5ce8239 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c
@@ -22,7 +22,7 @@
 #include "tnccs_tncs_contact_info_msg.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(tnccs_msg_type_names, IMC_IMV_MSG, TNCCS_MSG_ROOF,
 	"IMC-IMV",
@@ -57,15 +57,15 @@ tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors)
 
 		while (cur)
 		{
-			if (streq((char*)cur->name, "Type") && cur->ns == ns)
+			if (streq(cur->name, "Type") && cur->ns == ns)
 			{
 				xmlChar *content = xmlNodeGetContent(cur);
 
-				type = strtol((char*)content, NULL, 16);
+				type = strtol(content, NULL, 16);
 				xmlFree(content);
 				found = TRUE;
 			}
-			else if (streq((char*)cur->name, "XML") && cur->ns == ns)
+			else if (streq(cur->name, "XML") && cur->ns == ns)
 			{
 				xml_msg_node = cur->xmlChildrenNode;
 			}
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
index e0b54449a..88d6f07aa 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h
@@ -25,7 +25,7 @@ typedef enum tnccs_msg_type_t tnccs_msg_type_t;
 typedef struct tnccs_msg_t tnccs_msg_t;
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <libxml/parser.h>
 
 /**
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
index fd85350b5..710269ba9 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c
@@ -15,7 +15,7 @@
 
 #include "tnccs_preferred_language_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_preferred_language_msg_t private_tnccs_preferred_language_msg_t;
 
@@ -93,7 +93,7 @@ tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node,
 	);
 
 	language = xmlNodeGetContent(node);
-	this->preferred_language = strdup((char*)language);
+	this->preferred_language = strdup(language);
 	xmlFree(language);
 
 	return &this->public.tnccs_msg_interface;
@@ -117,20 +117,20 @@ tnccs_msg_t *tnccs_preferred_language_msg_create(char *language)
 			.get_preferred_language = _get_preferred_language,
 		},
 		.type = TNCCS_MSG_PREFERRED_LANGUAGE,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.preferred_language = strdup(language),
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000003");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000003");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNodeSetContent(n2, BAD_CAST language);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNodeSetContent(n2, language);
 	xmlAddChild(n, n2);
 
 	return &this->public.tnccs_msg_interface;
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
index af60a4b3a..7c2f9b3f9 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c
@@ -16,7 +16,7 @@
 #include "tnccs_reason_strings_msg.h"
 #include "tnccs_error_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_reason_strings_msg_t private_tnccs_reason_strings_msg_t;
 
@@ -104,7 +104,7 @@ tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
 		.node = node,
 	);
 
-	if (xmlStrcmp(node->name, (const xmlChar*)"TNCCS-ReasonStrings"))
+	if (xmlStrcmp(node->name, "TNCCS-ReasonStrings"))
 	{
 		error_msg = "TNCCS-ReasonStrings tag expected";
 		goto fatal;
@@ -118,7 +118,7 @@ tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
 			child = child->next;
 			continue;
 		}
-		if (xmlStrcmp(child->name, (const xmlChar*)"ReasonString"))
+		if (xmlStrcmp(child->name, "ReasonString"))
 		{
 			error_msg = "ReasonString tag expected";
 			goto fatal;
@@ -126,15 +126,17 @@ tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node,
 		break;
 	}
 
-	lang_string = (char*)xmlGetProp(child, (const xmlChar*)"lang");
+	lang_string = xmlGetProp(child, "lang");
 	if (!lang_string)
 	{
-		lang_string = "";
+		lang_string = strdup("");
 	}
-	this->language = chunk_create(strdup(lang_string), strlen(lang_string));
+	this->language = chunk_clone(chunk_from_str(lang_string));
+	xmlFree(lang_string);
 
-	reason_string = (char*)xmlNodeGetContent(child);
-	this->reason = chunk_create(strdup(reason_string), strlen(reason_string));
+	reason_string = xmlNodeGetContent(child);
+	this->reason = chunk_clone(chunk_from_str(reason_string));
+	xmlFree(reason_string);
 
 	return &this->public.tnccs_msg_interface;
 
@@ -163,7 +165,7 @@ tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language)
 			.get_reason = _get_reason,
 		},
 		.type = TNCCS_MSG_REASON_STRINGS,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.reason = chunk_create_clone(malloc(reason.len + 1), reason),
 		.language = chunk_create_clone(malloc(language.len + 1), language),
 	);
@@ -173,20 +175,20 @@ tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language)
 	this->language.ptr[this->language.len] = '\0';
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000004");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000004");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
 
 	/* could add multiple reasons here, if we had them */
 
-	n3 = xmlNewNode(NULL, BAD_CAST "ReasonString");
-	xmlNewProp(n3, BAD_CAST "xml:lang", BAD_CAST this->language.ptr);
-	xmlNodeSetContent(n3, BAD_CAST this->reason.ptr);
+	n3 = xmlNewNode(NULL, "ReasonString");
+	xmlNewProp(n3, "xml:lang", this->language.ptr);
+	xmlNodeSetContent(n3, this->reason.ptr);
 	xmlAddChild(n2, n3);
 	xmlAddChild(n, n2);
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
index 610224242..013e0c7ed 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c
@@ -16,7 +16,7 @@
 #include "tnccs_recommendation_msg.h"
 #include "tnccs_error_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_recommendation_msg_t private_tnccs_recommendation_msg_t;
 
@@ -95,21 +95,21 @@ tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node,
 		.node = node,
 	);
 
-	rec_string = xmlGetProp(node, (const xmlChar*)"type");
+	rec_string = xmlGetProp(node, "type");
 	if (!rec_string)
 	{
 		error_msg = "type property in TNCCS-Recommendation is missing";
 		goto fatal;
 	}
-	else if (streq((char*)rec_string, "allow"))
+	else if (streq(rec_string, "allow"))
 	{
 		this->rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
 	}
-	else if (streq((char*)rec_string, "isolate"))
+	else if (streq(rec_string, "isolate"))
 	{
 		this->rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
 	}
-	else if (streq((char*)rec_string, "none"))
+	else if (streq(rec_string, "none"))
 	{
 		this->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
 	}
@@ -151,16 +151,16 @@ tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec)
 			.get_recommendation = _get_recommendation,
 		},
 		.type = TNCCS_MSG_RECOMMENDATION,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 		.rec = rec,
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000001");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000001");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
 	switch (rec)
@@ -177,8 +177,8 @@ tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec)
 			rec_string = "none";
 	}
 
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNewProp(n2, BAD_CAST "type", BAD_CAST rec_string);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNewProp(n2, BAD_CAST "type", rec_string);
 	xmlNodeSetContent(n2, "");
 	xmlAddChild(n, n2);
 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
index b8aac30fa..0d3e1c2a0 100644
--- a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c
@@ -14,7 +14,7 @@
 
 #include "tnccs_tncs_contact_info_msg.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_tncs_contact_info_msg_t private_tnccs_tncs_contact_info_msg_t;
 
@@ -97,20 +97,20 @@ tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void)
 			},
 		},
 		.type = TNCCS_MSG_TNCS_CONTACT_INFO,
-		.node =  xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"),
+		.node =  xmlNewNode(NULL, "TNCC-TNCS-Message"),
 	);
 
 	/* add the message type number in hex */
-	n = xmlNewNode(NULL, BAD_CAST "Type");
-	xmlNodeSetContent(n, BAD_CAST "00000005");
+	n = xmlNewNode(NULL, "Type");
+	xmlNodeSetContent(n, "00000005");
 	xmlAddChild(this->node, n);
 
-	n = xmlNewNode(NULL, BAD_CAST "XML");
+	n = xmlNewNode(NULL, "XML");
 	xmlAddChild(this->node, n);
 
 /* TODO
-	n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type));
-	xmlNodeSetContent(n2, BAD_CAST language);
+	n2 = xmlNewNode(NULL, enum_to_name(tnccs_msg_type_names, this->type));
+	xmlNodeSetContent(n2, language);
 	xmlAddChild(n, n2);
 */
 
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
index 3673221e5..53817c710 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -31,7 +31,8 @@
 #include <tnc/tnccs/tnccs.h>
 #include <tnc/tnccs/tnccs_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
 #include <threading/mutex.h>
 
 typedef struct private_tnccs_11_t private_tnccs_11_t;
@@ -42,9 +43,9 @@ typedef struct private_tnccs_11_t private_tnccs_11_t;
 struct private_tnccs_11_t {
 
 	/**
-	 * Public tls_t interface.
+	 * Public tnccs_t interface.
 	 */
-	tls_t public;
+	tnccs_t public;
 
 	/**
 	 * TNCC if TRUE, TNCS if FALSE
@@ -52,6 +53,26 @@ struct private_tnccs_11_t {
 	bool is_server;
 
 	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Underlying TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t transport;
+
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
+	/**
 	 * Connection ID assigned to this TNCCS connection
 	 */
 	TNC_ConnectionID connection_id;
@@ -67,6 +88,11 @@ struct private_tnccs_11_t {
 	tnccs_batch_t *batch;
 
 	/**
+	 * Maximum PA-TNC message size
+	 */
+	size_t max_msg_len;
+
+	/**
 	 * Mutex locking the batch in construction
 	 */
 	mutex_t *mutex;
@@ -122,7 +148,7 @@ METHOD(tnccs_t, send_msg, TNC_Result,
 		return TNC_RESULT_NO_LONG_MESSAGE_TYPES;
 	}
 	msg_type = (msg_vid << 8) | msg_subtype;
- 
+
 	pa_subtype_names = get_pa_subtype_names(msg_vid);
 	if (pa_subtype_names)
 	{
@@ -266,10 +292,10 @@ static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg)
 
 			reason_msg = (tnccs_reason_strings_msg_t*)msg;
 			reason_string = reason_msg->get_reason(reason_msg, &reason_lang);
-			DBG2(DBG_TNC, "reason string is '%.*s'",   reason_string.len,
-													  reason_string.ptr);
-			DBG2(DBG_TNC, "reason language is '%.*s'", reason_lang.len,
-													  reason_lang.ptr);
+			DBG2(DBG_TNC, "reason string is '%.*s'", (int)reason_string.len,
+													 reason_string.ptr);
+			DBG2(DBG_TNC, "language code is '%.*s'", (int)reason_lang.len,
+													 reason_lang.ptr);
 			break;
 		}
 		default:
@@ -289,8 +315,9 @@ METHOD(tls_t, process, status_t,
 	if (this->is_server && !this->connection_id)
 	{
 		this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
-								TNCCS_1_1, (tnccs_t*)this, _send_msg,
-								&this->request_handshake_retry, &this->recs);
+									TNCCS_1_1, (tnccs_t*)this, _send_msg,
+									&this->request_handshake_retry,
+									this->max_msg_len, &this->recs);
 		if (!this->connection_id)
 		{
 			return FAILED;
@@ -304,7 +331,7 @@ METHOD(tls_t, process, status_t,
 	data = chunk_create(buf, buflen);
 	DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u",
 				   data.len, this->connection_id);
-	DBG3(DBG_TNC, "%.*s", data.len, data.ptr);
+	DBG3(DBG_TNC, "%.*s", (int)data.len, data.ptr);
 	batch = tnccs_batch_create_from_data(this->is_server, ++this->batch_id, data);
 	status = batch->process(batch);
 
@@ -396,7 +423,6 @@ static void check_and_build_recommendation(private_tnccs_11_t *this)
 			this->batch->add_msg(this->batch, msg);
 		}
 		enumerator->destroy(enumerator);
-		this->recs->clear_reasons(this->recs);
 
 		/* we have reache the final state */
 		this->delete_state = TRUE;
@@ -416,7 +442,8 @@ METHOD(tls_t, build, status_t,
 
 		this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
 										TNCCS_1_1, (tnccs_t*)this, _send_msg,
-										&this->request_handshake_retry, NULL);
+										&this->request_handshake_retry,
+										this->max_msg_len, NULL);
 		if (!this->connection_id)
 		{
 			return FAILED;
@@ -456,8 +483,8 @@ METHOD(tls_t, build, status_t,
 		data = this->batch->get_encoding(this->batch);
 		DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u",
 					   data.len, this->connection_id);
-		DBG3(DBG_TNC, "%.*s", data.len, data.ptr);
-		*msglen = data.len;
+		DBG3(DBG_TNC, "%.*s", (int)data.len, data.ptr);
+		*msglen = 0;
 
 		if (data.len > *buflen)
 		{
@@ -488,6 +515,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_11_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_11_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_11_t *this)
 {
@@ -521,30 +560,73 @@ METHOD(tls_t, destroy, void,
 {
 	tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
 											  this->is_server);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
 	this->mutex->destroy(this->mutex);
 	DESTROY_IF(this->batch);
 	free(this);
 }
 
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+	private_tnccs_11_t *this)
+{
+	return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+	private_tnccs_11_t *this, tnc_ift_type_t transport)
+{
+	this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_11_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_11_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
-tls_t *tnccs_11_create(bool is_server)
+tnccs_t* tnccs_11_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport)
 {
 	private_tnccs_11_t *this;
 
 	INIT(this,
 		.public = {
-			.process = _process,
-			.build = _build,
-			.is_server = _is_server,
-			.get_purpose = _get_purpose,
-			.is_complete = _is_complete,
-			.get_eap_msk = _get_eap_msk,
-			.destroy = _destroy,
+			.tls = {
+				.process = _process,
+				.build = _build,
+				.is_server = _is_server,
+				.get_server_id = _get_server_id,
+				.get_peer_id = _get_peer_id,
+				.get_purpose = _get_purpose,
+				.is_complete = _is_complete,
+				.get_eap_msk = _get_eap_msk,
+				.destroy = _destroy,
+			},
+			.get_transport = _get_transport,
+			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
 		.is_server = is_server,
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.transport = transport,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.max_msg_len = lib->settings->get_int(lib->settings,
+								"%s.plugins.tnccs-11.max_message_size", 45000,
+								charon->name),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.h b/src/libcharon/plugins/tnccs_11/tnccs_11.h
index 7331fc8cd..531ebb611 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11.h
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,14 +23,20 @@
 
 #include <library.h>
 
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
 
 /**
  * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
  *
- * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
- * @return					TNC_IF_TNCCS 1.1 protocol stack
+ * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying IF-T transport protocol
+ * @return				TNC_IF_TNCCS 1.1 protocol stack
  */
-tls_t *tnccs_11_create(bool is_server);
+tnccs_t* tnccs_11_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport);
 
 #endif /** TNCCS_11_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
index cd95afb1e..f534af008 100644
--- a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
@@ -30,8 +30,6 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(tnccs_method_register, tnccs_11_create),
 			PLUGIN_PROVIDE(CUSTOM, "tnccs-1.1"),
-				PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
-				PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
 	};
 	*features = f;
@@ -61,4 +59,3 @@ plugin_t *tnccs_11_plugin_create()
 
 	return &this->plugin;
 }
-
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am
index ec17e6412..7a2b6c9c2 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.am
+++ b/src/libcharon/plugins/tnccs_20/Makefile.am
@@ -1,11 +1,13 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
index b0078f338..9bf68ea53 100644
--- a/src/libcharon/plugins/tnccs_20/Makefile.in
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_DEPENDENCIES =  \
@@ -85,49 +109,77 @@ am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \
 	pb_remediation_parameters_msg.lo pb_tnc_state_machine.lo
 libstrongswan_tnccs_20_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_20_la_OBJECTS)
-libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_20_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnccs_20_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnccs_20_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -136,13 +188,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -155,6 +210,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -182,11 +238,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -194,6 +252,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -202,8 +261,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -212,14 +269,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -233,17 +295,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -253,16 +315,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -290,13 +351,17 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
 @MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_LIBADD = \
@@ -363,7 +428,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -371,6 +435,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -392,8 +458,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) 
-	$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
+libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_20_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -416,102 +482,102 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 pb_tnc_batch.lo: batch/pb_tnc_batch.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='batch/pb_tnc_batch.c' object='pb_tnc_batch.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='batch/pb_tnc_batch.c' object='pb_tnc_batch.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c
 
 pb_tnc_msg.lo: messages/pb_tnc_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pb_tnc_msg.Tpo -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_msg.Tpo $(DEPDIR)/pb_tnc_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_tnc_msg.c' object='pb_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pb_tnc_msg.Tpo -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_tnc_msg.Tpo $(DEPDIR)/pb_tnc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_tnc_msg.c' object='pb_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c
 
 pb_experimental_msg.lo: messages/pb_experimental_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_experimental_msg.lo -MD -MP -MF $(DEPDIR)/pb_experimental_msg.Tpo -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_experimental_msg.Tpo $(DEPDIR)/pb_experimental_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_experimental_msg.c' object='pb_experimental_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_experimental_msg.lo -MD -MP -MF $(DEPDIR)/pb_experimental_msg.Tpo -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_experimental_msg.Tpo $(DEPDIR)/pb_experimental_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_experimental_msg.c' object='pb_experimental_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c
 
 pb_pa_msg.lo: messages/pb_pa_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_pa_msg.lo -MD -MP -MF $(DEPDIR)/pb_pa_msg.Tpo -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_pa_msg.Tpo $(DEPDIR)/pb_pa_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_pa_msg.c' object='pb_pa_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_pa_msg.lo -MD -MP -MF $(DEPDIR)/pb_pa_msg.Tpo -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_pa_msg.Tpo $(DEPDIR)/pb_pa_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_pa_msg.c' object='pb_pa_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c
 
 pb_assessment_result_msg.lo: messages/pb_assessment_result_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_assessment_result_msg.lo -MD -MP -MF $(DEPDIR)/pb_assessment_result_msg.Tpo -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_assessment_result_msg.Tpo $(DEPDIR)/pb_assessment_result_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_assessment_result_msg.c' object='pb_assessment_result_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_assessment_result_msg.lo -MD -MP -MF $(DEPDIR)/pb_assessment_result_msg.Tpo -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_assessment_result_msg.Tpo $(DEPDIR)/pb_assessment_result_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_assessment_result_msg.c' object='pb_assessment_result_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c
 
 pb_access_recommendation_msg.lo: messages/pb_access_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_access_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/pb_access_recommendation_msg.Tpo -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_access_recommendation_msg.Tpo $(DEPDIR)/pb_access_recommendation_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_access_recommendation_msg.c' object='pb_access_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_access_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/pb_access_recommendation_msg.Tpo -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_access_recommendation_msg.Tpo $(DEPDIR)/pb_access_recommendation_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_access_recommendation_msg.c' object='pb_access_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c
 
 pb_error_msg.lo: messages/pb_error_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_error_msg.lo -MD -MP -MF $(DEPDIR)/pb_error_msg.Tpo -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_error_msg.Tpo $(DEPDIR)/pb_error_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_error_msg.c' object='pb_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_error_msg.lo -MD -MP -MF $(DEPDIR)/pb_error_msg.Tpo -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_error_msg.Tpo $(DEPDIR)/pb_error_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_error_msg.c' object='pb_error_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c
 
 pb_language_preference_msg.lo: messages/pb_language_preference_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_language_preference_msg.lo -MD -MP -MF $(DEPDIR)/pb_language_preference_msg.Tpo -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_language_preference_msg.Tpo $(DEPDIR)/pb_language_preference_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_language_preference_msg.c' object='pb_language_preference_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_language_preference_msg.lo -MD -MP -MF $(DEPDIR)/pb_language_preference_msg.Tpo -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_language_preference_msg.Tpo $(DEPDIR)/pb_language_preference_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_language_preference_msg.c' object='pb_language_preference_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c
 
 pb_reason_string_msg.lo: messages/pb_reason_string_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_reason_string_msg.lo -MD -MP -MF $(DEPDIR)/pb_reason_string_msg.Tpo -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_reason_string_msg.Tpo $(DEPDIR)/pb_reason_string_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_reason_string_msg.c' object='pb_reason_string_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_reason_string_msg.lo -MD -MP -MF $(DEPDIR)/pb_reason_string_msg.Tpo -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_reason_string_msg.Tpo $(DEPDIR)/pb_reason_string_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_reason_string_msg.c' object='pb_reason_string_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c
 
 pb_remediation_parameters_msg.lo: messages/pb_remediation_parameters_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_remediation_parameters_msg.lo -MD -MP -MF $(DEPDIR)/pb_remediation_parameters_msg.Tpo -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_remediation_parameters_msg.Tpo $(DEPDIR)/pb_remediation_parameters_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='messages/pb_remediation_parameters_msg.c' object='pb_remediation_parameters_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_remediation_parameters_msg.lo -MD -MP -MF $(DEPDIR)/pb_remediation_parameters_msg.Tpo -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_remediation_parameters_msg.Tpo $(DEPDIR)/pb_remediation_parameters_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='messages/pb_remediation_parameters_msg.c' object='pb_remediation_parameters_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c
 
 pb_tnc_state_machine.lo: state_machine/pb_tnc_state_machine.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_state_machine.lo -MD -MP -MF $(DEPDIR)/pb_tnc_state_machine.Tpo -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pb_tnc_state_machine.Tpo $(DEPDIR)/pb_tnc_state_machine.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='state_machine/pb_tnc_state_machine.c' object='pb_tnc_state_machine.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_state_machine.lo -MD -MP -MF $(DEPDIR)/pb_tnc_state_machine.Tpo -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pb_tnc_state_machine.Tpo $(DEPDIR)/pb_tnc_state_machine.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='state_machine/pb_tnc_state_machine.c' object='pb_tnc_state_machine.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -618,10 +684,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
index c6a4bb599..d87e0ccea 100644
--- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -20,11 +20,11 @@
 
 #include <tnc/tnccs/tnccs.h>
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_batch_type_names, PB_BATCH_CDATA, PB_BATCH_CLOSE,
 	"CDATA",
@@ -96,6 +96,16 @@ struct private_pb_tnc_batch_t {
 	pb_tnc_batch_type_t type;
 
 	/**
+	 * Current PB-TNC Batch size
+	 */
+	size_t batch_len;
+
+	/**
+	 * Maximum PB-TNC Batch size
+	 */
+	size_t max_batch_len;
+
+	/**
 	 * linked list of PB-TNC messages
 	 */
 	linked_list_t *messages;
@@ -128,42 +138,46 @@ METHOD(pb_tnc_batch_t, get_encoding, chunk_t,
 	return this->encoding;
 }
 
-METHOD(pb_tnc_batch_t, add_msg, void,
+METHOD(pb_tnc_batch_t, add_msg, bool,
 	private_pb_tnc_batch_t *this, pb_tnc_msg_t* msg)
 {
+	chunk_t msg_value;
+	size_t msg_len;
+
+	msg->build(msg);
+	msg_value = msg->get_encoding(msg);
+	msg_len = PB_TNC_HEADER_SIZE + msg_value.len;
+
+	if (this->batch_len + msg_len > this->max_batch_len)
+	{
+		/* message just does not fit into this batch */
+		return FALSE;
+	}
+	this->batch_len += msg_len;
+
 	DBG2(DBG_TNC, "adding %N message", pb_tnc_msg_type_names,
 									   msg->get_type(msg));
 	this->messages->insert_last(this->messages, msg);
+	return TRUE;
 }
 
 METHOD(pb_tnc_batch_t, build, void,
 	private_pb_tnc_batch_t *this)
 {
-	u_int32_t batch_len, msg_len;
+	u_int32_t msg_len;
 	chunk_t msg_value;
 	enumerator_t *enumerator;
 	pb_tnc_msg_type_t msg_type;
 	pb_tnc_msg_t *msg;
 	bio_writer_t *writer;
 
-	/* compute total PB-TNC batch size by summing over all messages */
-	batch_len = PB_TNC_BATCH_HEADER_SIZE;
-	enumerator = this->messages->create_enumerator(this->messages);
-	while (enumerator->enumerate(enumerator, &msg))
-	{
-		msg->build(msg);
-		msg_value = msg->get_encoding(msg);
-		batch_len += PB_TNC_HEADER_SIZE + msg_value.len;
-	}
-	enumerator->destroy(enumerator);
-
 	/* build PB-TNC batch header */
-	writer = bio_writer_create(batch_len);	
+	writer = bio_writer_create(this->batch_len);
 	writer->write_uint8 (writer, PB_TNC_VERSION);
 	writer->write_uint8 (writer, this->is_server ?
 								 PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
 	writer->write_uint16(writer, this->type);
-	writer->write_uint32(writer, batch_len); 
+	writer->write_uint32(writer, this->batch_len);
 
 	/* build PB-TNC messages */
 	enumerator = this->messages->create_enumerator(this->messages);
@@ -187,7 +201,7 @@ METHOD(pb_tnc_batch_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->encoding = chunk_clone(writer->get_buf(writer));
+	this->encoding = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -221,7 +235,7 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
 	/* Version */
 	if (version != PB_TNC_VERSION)
 	{
-		DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%01x", version);
+		DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%02x", version);
 		msg = pb_error_msg_create(TRUE, PEN_IETF,
 								  PB_ERROR_VERSION_NOT_SUPPORTED);
 		err_msg = (pb_error_msg_t*)msg;
@@ -258,6 +272,8 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
 								  PB_ERROR_UNEXPECTED_BATCH_TYPE);
 		goto fatal;
 	}
+	DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names,
+												this->type);
 
 	/* Batch Length */
 	if (this->encoding.len != batch_len)
@@ -270,11 +286,18 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
 	}
 
 	this->offset = PB_TNC_BATCH_HEADER_SIZE;
+
+	/* Register an empty CDATA batch with the state machine */
+	if (this->type == PB_BATCH_CDATA)
+	{
+		state_machine->set_empty_cdata(state_machine,
+									   this->offset == this->encoding.len);
+	}
 	return SUCCESS;
 
 fatal:
 	this->errors->insert_last(this->errors, msg);
-	return FAILED;	
+	return FAILED;
 }
 
 static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
@@ -306,7 +329,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 	reader->destroy(reader);
 
 	noskip_flag = (flags & PB_TNC_FLAG_NOSKIP) != PB_TNC_FLAG_NONE;
-	
+
 	if (msg_len > data.len)
 	{
 		DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message", data.len);
@@ -363,6 +386,13 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 	}
 	else
 	{
+		if (msg_type == PB_MSG_EXPERIMENTAL && noskip_flag)
+		{
+			DBG1(DBG_TNC, "reject PB-Experimental message with NOSKIP flag set");
+			msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
+							PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
+			goto fatal;
+		}
 		if (pb_tnc_msg_infos[msg_type].has_noskip_flag != TRUE_OR_FALSE &&
 			pb_tnc_msg_infos[msg_type].has_noskip_flag != noskip_flag)
 		{
@@ -432,7 +462,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 
 fatal:
 	this->errors->insert_last(this->errors, msg);
-	return FAILED;	
+	return FAILED;
 }
 
 METHOD(pb_tnc_batch_t, process, status_t,
@@ -445,8 +475,7 @@ METHOD(pb_tnc_batch_t, process, status_t,
 	{
 		return FAILED;
 	}
-	DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names,
-												this->type);
+
 	while (this->offset < this->encoding.len)
 	{
 		switch (process_tnc_msg(this))
@@ -490,7 +519,8 @@ METHOD(pb_tnc_batch_t, destroy, void,
 /**
  * See header
  */
-pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type)
+pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
+									size_t max_batch_len)
 {
 	private_pb_tnc_batch_t *this;
 
@@ -507,6 +537,8 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type)
 		},
 		.is_server = is_server,
 		.type = type,
+		.max_batch_len = max_batch_len,
+		.batch_len = PB_TNC_BATCH_HEADER_SIZE,
 		.messages = linked_list_create(),
 		.errors = linked_list_create(),
 	);
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
index 17e5fff4c..60cef7735 100644
--- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@ typedef struct pb_tnc_batch_t pb_tnc_batch_t;
   * PB-TNC Batch Types as defined in section 4.1 of RFC 5793
  */
 enum pb_tnc_batch_type_t {
+	PB_BATCH_NONE =		0,	/* for internal use only */
 	PB_BATCH_CDATA =	1,
 	PB_BATCH_SDATA =	2,
 	PB_BATCH_RESULT =	3,
@@ -70,8 +71,9 @@ struct pb_tnc_batch_t {
 	 * Add a PB-TNC Message
 	 *
 	 * @param msg			PB-TNC message to be addedd
+	 * @return				TRUE if message fit into batch and was added
 	 */
-	void (*add_msg)(pb_tnc_batch_t *this, pb_tnc_msg_t* msg);
+	bool (*add_msg)(pb_tnc_batch_t *this, pb_tnc_msg_t* msg);
 
 	/**
 	 * Build the PB-TNC Batch
@@ -112,8 +114,10 @@ struct pb_tnc_batch_t {
  *
  * @param is_server			TRUE if server, FALSE if client
  * @param type				PB-TNC batch type
+ * @param max_batch_len		maximum size the PB-TNC batch
  */
-pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type);
+pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
+									size_t max_batch_len);
 
 /**
  * Create an unprocessed PB-TNC Batch from data
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
index fa3deddf6..cdd0d0d0d 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_access_recommendation_code_names, PB_REC_ACCESS_ALLOWED, PB_REC_QUARANTINED,
 	"Access Allowed",
@@ -82,11 +82,13 @@ METHOD(pb_tnc_msg_t, build, void,
 {
 	bio_writer_t *writer;
 
-	/* build message */
+	if (this->encoding.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(ACCESS_RECOMMENDATION_MSG_SIZE);
 	writer->write_uint16(writer, ACCESS_RECOMMENDATION_RESERVED);
 	writer->write_uint16(writer, this->recommendation);
-	free(this->encoding.ptr);
 	this->encoding = writer->get_buf(writer);
 	this->encoding = chunk_clone(this->encoding);
 	writer->destroy(writer);
@@ -98,7 +100,6 @@ METHOD(pb_tnc_msg_t, process, status_t,
 	bio_reader_t *reader;
 	u_int16_t reserved;
 
-	/* process message */
 	reader = bio_reader_create(this->encoding);
 	reader->read_uint16(reader, &reserved);
 	reader->read_uint16(reader, &this->recommendation);
@@ -112,7 +113,7 @@ METHOD(pb_tnc_msg_t, process, status_t,
 		*offset = 2;
 		return FAILED;
 	}
-		
+
 	return SUCCESS;
 }
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
index 0d558c0d4..4e50446be 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
@@ -19,7 +19,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_assessment_result_msg_t private_pb_assessment_result_msg_t;
 
@@ -78,10 +78,12 @@ METHOD(pb_tnc_msg_t, build, void,
 {
 	bio_writer_t *writer;
 
-	/* build message */
+	if (this->encoding.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(ASSESSMENT_RESULT_MSG_SIZE);
 	writer->write_uint32(writer, this->assessment_result);
-	free(this->encoding.ptr);
 	this->encoding = writer->get_buf(writer);
 	this->encoding = chunk_clone(this->encoding);
 	writer->destroy(writer);
@@ -92,7 +94,6 @@ METHOD(pb_tnc_msg_t, process, status_t,
 {
 	bio_reader_t *reader;
 
-	/* process message */
 	reader = bio_reader_create(this->encoding);
 	reader->read_uint32(reader, &this->assessment_result);
 	reader->destroy(reader);
@@ -105,7 +106,7 @@ METHOD(pb_tnc_msg_t, process, status_t,
 		*offset = 0;
 		return FAILED;
 	}
-		
+
 	return SUCCESS;
 }
 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
index 03e3cec92..d048f437c 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
@@ -20,7 +20,7 @@
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_error_code_names, PB_ERROR_UNEXPECTED_BATCH_TYPE,
 							  PB_ERROR_VERSION_NOT_SUPPORTED,
@@ -88,7 +88,7 @@ struct private_pb_error_msg_t {
 	u_int32_t error_offset;
 
 	/**
-	 * Bad PB-TNC version received 
+	 * Bad PB-TNC version received
 	 */
 	u_int8_t bad_version;
 
@@ -120,6 +120,11 @@ METHOD(pb_tnc_msg_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->encoding.ptr)
+	{
+		return;
+	}
+
 	/* build message header */
 	writer = bio_writer_create(ERROR_HEADER_SIZE);
 	writer->write_uint8 (writer, this->fatal ?
@@ -142,8 +147,6 @@ METHOD(pb_tnc_msg_t, build, void,
 		/* Error Offset */
 		writer->write_uint32(writer, this->error_offset);
 	}
-
-	free(this->encoding.ptr);
 	this->encoding = writer->get_buf(writer);
 	this->encoding = chunk_clone(this->encoding);
 	writer->destroy(writer);
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
index 297cc8df7..70a03cdc5 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_language_preference_msg_t private_pb_language_preference_msg_t;
 
@@ -75,6 +75,10 @@ METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
 METHOD(pb_tnc_msg_t, build, void,
 	private_pb_language_preference_msg_t *this)
 {
+	if (this->encoding.ptr)
+	{
+		return;
+	}
 	this->encoding = chunk_cat("cc",
 		 	 			chunk_create(PB_LANG_PREFIX, PB_LANG_PREFIX_LEN),
 						this->language_preference);
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
index 1c4913e5e..aa5e9c723 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
@@ -22,7 +22,7 @@
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_pa_msg_t private_pb_pa_msg_t;
 
@@ -68,14 +68,9 @@ struct private_pb_pa_msg_t {
 	bool excl;
 
 	/**
-	 * PA Message Vendor ID
+	 * Vendor-specific PA Subtype
 	 */
-	u_int32_t vendor_id;
-
-	/**
-	 * PA Subtype
-	 */
-	u_int32_t subtype;
+	pen_type_t subtype;
 
 	/**
 	 * Posture Validator Identifier
@@ -116,17 +111,21 @@ METHOD(pb_tnc_msg_t, build, void,
 	chunk_t msg_header;
 	bio_writer_t *writer;
 
+	if (this->encoding.ptr)
+	{
+		return;
+	}
+
 	/* build message header */
 	writer = bio_writer_create(64);
 	writer->write_uint8 (writer, this->excl ? PA_FLAG_EXCL : PA_FLAG_NONE);
-	writer->write_uint24(writer, this->vendor_id);
-	writer->write_uint32(writer, this->subtype);
+	writer->write_uint24(writer, this->subtype.vendor_id);
+	writer->write_uint32(writer, this->subtype.type);
 	writer->write_uint16(writer, this->collector_id);
 	writer->write_uint16(writer, this->validator_id);
 	msg_header = writer->get_buf(writer);
 
 	/* create encoding by concatenating message header and message body */
-	free(this->encoding.ptr);
 	this->encoding = chunk_cat("cc", msg_header, this->msg_body);
 	writer->destroy(writer);
 }
@@ -141,8 +140,8 @@ METHOD(pb_tnc_msg_t, process, status_t,
 	/* process message header */
 	reader = bio_reader_create(this->encoding);
 	reader->read_uint8 (reader, &flags);
-	reader->read_uint24(reader, &this->vendor_id);
-	reader->read_uint32(reader, &this->subtype);
+	reader->read_uint24(reader, &this->subtype.vendor_id);
+	reader->read_uint32(reader, &this->subtype.type);
 	reader->read_uint16(reader, &this->collector_id);
 	reader->read_uint16(reader, &this->validator_id);
 	this->excl = ((flags & PA_FLAG_EXCL) != PA_FLAG_NONE);
@@ -156,17 +155,18 @@ METHOD(pb_tnc_msg_t, process, status_t,
 	}
 	reader->destroy(reader);
 
-	if (this->vendor_id == PEN_RESERVED)
+	if (this->subtype.vendor_id == PEN_RESERVED)
 	{
 		DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", PEN_RESERVED);
 		*offset = 1;
 		return FAILED;
 	}
 
-	if (this->subtype == PA_RESERVED_SUBTYPE)
+	if (this->subtype.type == PA_RESERVED_SUBTYPE)
 	{
 		DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE);
 		*offset = 4;
+		return FAILED;
 	}
 
 	return SUCCESS;
@@ -180,11 +180,10 @@ METHOD(pb_tnc_msg_t, destroy, void,
 	free(this);
 }
 
-METHOD(pb_pa_msg_t, get_vendor_id, u_int32_t,
-	private_pb_pa_msg_t *this, u_int32_t *subtype)
+METHOD(pb_pa_msg_t, get_subtype, pen_type_t,
+	private_pb_pa_msg_t *this)
 {
-	*subtype = this->subtype;
-	return this->vendor_id;
+	return this->subtype;
 }
 
 METHOD(pb_pa_msg_t, get_collector_id, u_int16_t,
@@ -226,7 +225,7 @@ pb_tnc_msg_t *pb_pa_msg_create_from_data(chunk_t data)
 				.process = _process,
 				.destroy = _destroy,
 			},
-			.get_vendor_id = _get_vendor_id,
+			.get_subtype = _get_subtype,
 			.get_collector_id = _get_collector_id,
 			.get_validator_id = _get_validator_id,
 			.get_body = _get_body,
@@ -257,15 +256,14 @@ pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype,
 				.process = _process,
 				.destroy = _destroy,
 			},
-			.get_vendor_id = _get_vendor_id,
+			.get_subtype= _get_subtype,
 			.get_collector_id = _get_collector_id,
 			.get_validator_id = _get_validator_id,
 			.get_body = _get_body,
 			.get_exclusive_flag = _get_exclusive_flag,
 		},
 		.type = PB_MSG_PA,
-		.vendor_id = vendor_id,
-		.subtype = subtype,
+		.subtype = { vendor_id, subtype },
 		.collector_id = collector_id,
 		.validator_id = validator_id,
 		.excl = excl,
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h
index d9db9a1ce..5c9b7c0bf 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h
@@ -25,6 +25,8 @@ typedef struct pb_pa_msg_t pb_pa_msg_t;
 
 #include "pb_tnc_msg.h"
 
+#include <pen/pen.h>
+
 /**
  * Class representing the PB-PA message type.
  */
@@ -38,10 +40,9 @@ struct pb_pa_msg_t {
 	/**
 	 * Get PA Message Vendor ID and Subtype
 	 *
-	 * @param subtype		PA Subtype
-	 * @return				PA Message Vendor ID
+	 * @return				Vendor-specific PA Subtype
 	 */
-	u_int32_t (*get_vendor_id)(pb_pa_msg_t *this, u_int32_t *subtype);
+	pen_type_t (*get_subtype)(pb_pa_msg_t *this);
 
 	/**
 	 * Get Posture Collector ID
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
index 181ecf61b..935c52d7b 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pb_reason_string_msg_t private_pb_reason_string_msg_t;
 
@@ -83,12 +83,14 @@ METHOD(pb_tnc_msg_t, build, void,
 {
 	bio_writer_t *writer;
 
-	/* build message */
+	if (this->encoding.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(64);
 	writer->write_data32(writer, this->reason_string);
 	writer->write_data8 (writer, this->language_code);
 
-	free(this->encoding.ptr);
 	this->encoding = writer->get_buf(writer);
 	this->encoding = chunk_clone(this->encoding);
 	writer->destroy(writer);
@@ -99,7 +101,6 @@ METHOD(pb_tnc_msg_t, process, status_t,
 {
 	bio_reader_t *reader;
 
-	/* process message */
 	reader = bio_reader_create(this->encoding);
 	if (!reader->read_data32(reader, &this->reason_string))
 	{
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
index d213db313..2ef8dd6cd 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
@@ -17,7 +17,7 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_remed_param_type_names, PB_REMEDIATION_URI, PB_REMEDIATION_STRING,
 	"Remediation-URI",
@@ -66,24 +66,24 @@ struct private_pb_remediation_parameters_msg_t {
 	pb_tnc_msg_type_t type;
 
 	/**
-	 * Remediation Parameters Vendor ID
+	 * Remediation Parameters Type
 	 */
-	u_int32_t vendor_id;
+	pen_type_t parameters_type;
 
 	/**
-	 * Remediation Parameters Type
+	 * Remediation Parameters
 	 */
-	u_int32_t parameters_type;
+	chunk_t parameters;
 
 	/**
-	 * Remediation Parameters string
+	 * Remediation String
 	 */
-	chunk_t remediation_string;
+	chunk_t string;
 
 	/**
-	 * Language code
+	 * Remediation Language Code
 	 */
-	chunk_t language_code;
+	chunk_t lang_code;
 
 	/**
 	 * Encoded message
@@ -108,14 +108,15 @@ METHOD(pb_tnc_msg_t, build, void,
 {
 	bio_writer_t *writer;
 
-	/* build message */
+	if (this->encoding.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(64);
-	writer->write_uint32(writer, this->vendor_id);
-	writer->write_uint32(writer, this->parameters_type);
-	writer->write_data32(writer, this->remediation_string);
-	writer->write_data8 (writer, this->language_code);
+	writer->write_uint32(writer, this->parameters_type.vendor_id);
+	writer->write_uint32(writer, this->parameters_type.type);
+	writer->write_data32(writer, this->parameters);
 
-	free(this->encoding.ptr);
 	this->encoding = writer->get_buf(writer);
 	this->encoding = chunk_clone(this->encoding);
 	writer->destroy(writer);
@@ -125,83 +126,103 @@ METHOD(pb_tnc_msg_t, process, status_t,
 	private_pb_remediation_parameters_msg_t *this, u_int32_t *offset)
 {
 	bio_reader_t *reader;
+	u_int8_t reserved;
+	status_t status = SUCCESS;
+	u_char *pos;
+
+	*offset = 0;
 
 	/* process message */
 	reader = bio_reader_create(this->encoding);
-	reader->read_uint32(reader, &this->vendor_id);
-	reader->read_uint32(reader, &this->parameters_type);
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &this->parameters_type.vendor_id);
+	reader->read_uint32(reader, &this->parameters_type.type);
+	reader->read_data  (reader, reader->remaining(reader), &this->parameters);
 
-	if (!reader->read_data32(reader, &this->remediation_string))
-	{
-		DBG1(DBG_TNC, "could not parse remediation string");
-		reader->destroy(reader);
-		*offset = 8;
-		return FAILED;
-	};
-	this->remediation_string = chunk_clone(this->remediation_string);
+	this->parameters = chunk_clone(this->parameters);
+	reader->destroy(reader);
 
-	if (this->remediation_string.len &&
-		this->remediation_string.ptr[this->remediation_string.len-1] == '\0')
+	if (this->parameters_type.vendor_id == PEN_IETF &&
+		this->parameters_type.type == PB_REMEDIATION_STRING)
 	{
-		DBG1(DBG_TNC, "remediation string must not be null terminated");
-		reader->destroy(reader);
-		*offset = 11 + this->remediation_string.len;
-		return FAILED;
-	}
+		reader = bio_reader_create(this->parameters);
+		status = FAILED;
+		*offset = 8;
 
-	if (!reader->read_data8(reader, &this->language_code))
-	{
-		DBG1(DBG_TNC, "could not parse language code");
+		if (!reader->read_data32(reader, &this->string))
+		{
+			DBG1(DBG_TNC, "insufficient data for remediation string");
+			goto end;
+		};
+		*offset += 4;
+
+		pos = memchr(this->string.ptr, '\0', this->string.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in remediation string");
+			*offset += (pos - this->string.ptr);
+			goto end;
+		}
+		*offset += this->string.len;
+
+		if (!reader->read_data8(reader, &this->lang_code))
+		{
+			DBG1(DBG_TNC, "insufficient data for remediation string lang code");
+			goto end;
+		};
+		*offset += 1;
+
+		pos = memchr(this->lang_code.ptr, '\0', this->lang_code.len);
+
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in remediation string lang code");
+			*offset += (pos - this->lang_code.ptr);
+			goto end;
+		}
+		status = SUCCESS;
+
+end:
 		reader->destroy(reader);
-		*offset = 12 + this->remediation_string.len;
-		return FAILED;
-	};
-	this->language_code = chunk_clone(this->language_code);
-	reader->destroy(reader);
-
-	if (this->language_code.len &&
-		this->language_code.ptr[this->language_code.len-1] == '\0')
-	{
-		DBG1(DBG_TNC, "language code must not be null terminated");
-		*offset = 12 + this->remediation_string.len + this->language_code.len;
-		return FAILED;
 	}
-
-	return SUCCESS;
+	return status;
 }
 
 METHOD(pb_tnc_msg_t, destroy, void,
 	private_pb_remediation_parameters_msg_t *this)
 {
 	free(this->encoding.ptr);
-	free(this->remediation_string.ptr);
-	free(this->language_code.ptr);
+	free(this->parameters.ptr);
 	free(this);
 }
 
-METHOD(pb_remediation_parameters_msg_t, get_vendor_id, u_int32_t,
-	private_pb_remediation_parameters_msg_t *this, u_int32_t *type)
+METHOD(pb_remediation_parameters_msg_t, get_parameters_type, pen_type_t,
+	private_pb_remediation_parameters_msg_t *this)
 {
-	*type = this->parameters_type;
-	return this->vendor_id;
+	return this->parameters_type;
 }
 
-METHOD(pb_remediation_parameters_msg_t, get_remediation_string, chunk_t,
+METHOD(pb_remediation_parameters_msg_t, get_parameters, chunk_t,
 	private_pb_remediation_parameters_msg_t *this)
 {
-	return this->remediation_string;
+	return this->parameters;
 }
 
-METHOD(pb_remediation_parameters_msg_t, get_language_code, chunk_t,
-	private_pb_remediation_parameters_msg_t *this)
+METHOD(pb_remediation_parameters_msg_t, get_string, chunk_t,
+	private_pb_remediation_parameters_msg_t *this, chunk_t *lang_code)
 {
-	return this->language_code;
+	if (lang_code)
+	{
+		*lang_code = this->lang_code;
+	}
+	return this->string;
 }
 
 /**
  * See header
  */
-pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(pen_type_t parameters_type,
+												   chunk_t parameters)
 {
 	private_pb_remediation_parameters_msg_t *this;
 
@@ -214,24 +235,56 @@ pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
 				.process = _process,
 				.destroy = _destroy,
 			},
-			.get_vendor_id = _get_vendor_id,
-			.get_remediation_string = _get_remediation_string,
-			.get_language_code = _get_language_code,
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_parameters,
+			.get_string = _get_string,
 		},
-		.type = PB_MSG_REASON_STRING,
-		.encoding = chunk_clone(data),
+		.type = PB_MSG_REMEDIATION_PARAMETERS,
+		.parameters_type = parameters_type,
+		.parameters = chunk_clone(parameters),
 	);
 
 	return &this->public.pb_interface;
 }
 
 /**
+ * Described in header.
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_uri(chunk_t uri)
+{
+	pen_type_t type = { PEN_IETF, PB_REMEDIATION_URI };
+
+	return pb_remediation_parameters_msg_create(type, uri);
+}
+
+/**
+ * Described in header.
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_string(chunk_t string,
+															   chunk_t lang_code)
+{
+	pb_tnc_msg_t *msg;
+	bio_writer_t *writer;
+	pen_type_t type = { PEN_IETF, PB_REMEDIATION_STRING };
+
+	/* limit language code to 255 octets */
+	lang_code.len = min(255, lang_code.len);
+
+	writer = bio_writer_create(4 + string.len + 1 + lang_code.len);
+	writer->write_data32(writer, string);
+	writer->write_data8 (writer, lang_code);
+
+	msg = pb_remediation_parameters_msg_create(type, writer->get_buf(writer));
+	writer->destroy(writer);
+
+	return msg;
+}
+
+/**
  * See header
  */
-pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
-												   u_int32_t type,
-												   chunk_t remediation_string,
-												   chunk_t language_code)
+pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
 {
 	private_pb_remediation_parameters_msg_t *this;
 
@@ -244,16 +297,15 @@ pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
 				.process = _process,
 				.destroy = _destroy,
 			},
-			.get_vendor_id = _get_vendor_id,
-			.get_remediation_string = _get_remediation_string,
-			.get_language_code = _get_language_code,
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_parameters,
+			.get_string = _get_string,
 		},
-		.type = PB_MSG_REASON_STRING,
-		.vendor_id = vendor_id,
-		.parameters_type = type,
-		.remediation_string = chunk_clone(remediation_string),
-		.language_code = chunk_clone(language_code),
+		.type = PB_MSG_REMEDIATION_PARAMETERS,
+		.encoding = chunk_clone(data),
 	);
 
 	return &this->public.pb_interface;
 }
+
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
index 258d495ec..f3a1c1009 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@ typedef struct pb_remediation_parameters_msg_t pb_remediation_parameters_msg_t;
 
 #include "pb_tnc_msg.h"
 
+#include <pen/pen.h>
+
 /**
  * PB-TNC Remediation Parameter Types as defined in section 4.8.1 of RFC 5793
  */
@@ -50,41 +52,61 @@ struct pb_remediation_parameters_msg_t {
 	pb_tnc_msg_t pb_interface;
 
 	/**
-	 * Get Remediation Parameters Vendor ID and Type
+	 * Get the Remediation Parameters Type (Vendor ID and Type)
 	 *
-	 * @param type				Remediation Parameters Type
-	 * @return					Remediation Parameters Vendor ID
+	 * @return				Remediation Parameters Type
 	 */
-	u_int32_t (*get_vendor_id)(pb_remediation_parameters_msg_t *this,
-							   u_int32_t *type);
+	pen_type_t (*get_parameters_type)(pb_remediation_parameters_msg_t *this);
 
 	/**
-	 * Get Remediation String
+	 * Get the Remediation Parameters
 	 *
-	 * @return					Remediation String
+	 * @return				Remediation Parameters
 	 */
-	chunk_t (*get_remediation_string)(pb_remediation_parameters_msg_t *this);
+	chunk_t (*get_parameters)(pb_remediation_parameters_msg_t *this);
 
 	/**
-	 * Get Reason String Language Code
+	 * Get the Remediation URI
 	 *
-	 * @return					Language Code
+	 * @return				Remediation URI
 	 */
-	chunk_t (*get_language_code)(pb_remediation_parameters_msg_t *this);
+	chunk_t (*get_uri)(pb_remediation_parameters_msg_t *this);
+
+	/**
+	 * Get the Remediation String
+	 *
+	 * @param lang_code		Optional Language Code
+	 * @return				Remediation String
+	 */
+	chunk_t (*get_string)(pb_remediation_parameters_msg_t *this,
+						  chunk_t *lang_code);
+
 };
 
 /**
- * Create a PB-Remediation-Parameters message from parameters
+ * Create a general PB-Remediation-Parameters message
+ *
+ * @param parameters_type	Remediation Parameters Type
+ * @param parameters		Remediation Parameters
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(pen_type_t parameters_type,
+												   chunk_t parameters);
+
+/**
+ * Create a PB-Remediation-Parameters message of IETF Type Remediation URI
+ *
+ * @param uri				Remediation URI
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_uri(chunk_t uri);
+
+/**
+ * Create a PB-Remediation-Parameters message of IETF Type Remediation String
  *
- * @param vendor_id				Remediation Parameters Vendor ID
- * @param type					Remediation Parameters Type		
- * @param remediation_string	Remediation String
- * @param language_code			Language Code
+ * @param string			Remediation String
+ * @param lang_code			Remediation String Language Code
  */
-pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
-												   u_int32_t type,
-												   chunk_t remediation_string,
-												   chunk_t language_code);
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_string(chunk_t string,
+															   chunk_t lang_code);
 
 /**
  * Create an unprocessed PB-Remediation-Parameters message from raw data
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
index e20c8d8ff..97ebed27f 100644
--- a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -56,7 +56,7 @@ struct pb_tnc_msg_info_t {
 	u_int32_t min_size;
 	bool exact_size;
 	bool in_result_batch;
-	bool has_noskip_flag;
+	signed char has_noskip_flag;
 };
 
 #define	TRUE_OR_FALSE	2
diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
index f0cf14ac1..43f185440 100644
--- a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
+++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c
@@ -15,7 +15,7 @@
 
 #include "pb_tnc_state_machine.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pb_tnc_state_names, PB_STATE_INIT, PB_STATE_END,
 	"Init",
@@ -71,6 +71,11 @@ struct private_pb_tnc_state_machine_t {
 	bool is_server;
 
 	/**
+	 * Informs whether last received PB-TNC CDATA Batch was empty
+	 */
+	bool empty_cdata;
+
+	/**
 	 * Current PB-TNC state
 	 */
 	pb_tnc_state_t state;
@@ -265,6 +270,22 @@ METHOD(pb_tnc_state_machine_t, send_batch, bool,
 	return TRUE;
 }
 
+METHOD(pb_tnc_state_machine_t, get_empty_cdata, bool,
+	private_pb_tnc_state_machine_t *this)
+{
+	return this->empty_cdata;
+}
+
+METHOD(pb_tnc_state_machine_t, set_empty_cdata, void,
+	private_pb_tnc_state_machine_t *this, bool empty)
+{
+	if (empty)
+	{
+		DBG2(DBG_TNC, "received empty PB-TNC CDATA batch");
+	}
+	this->empty_cdata = empty;
+}
+
 METHOD(pb_tnc_state_machine_t, destroy, void,
 	private_pb_tnc_state_machine_t *this)
 {
@@ -283,6 +304,8 @@ pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server)
 			.get_state = _get_state,
 			.receive_batch = _receive_batch,
 			.send_batch = _send_batch,
+			.get_empty_cdata = _get_empty_cdata,
+			.set_empty_cdata = _set_empty_cdata,
 			.destroy = _destroy,
 		},
 		.is_server = is_server,
diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h
index 8076b6ded..aa317041e 100644
--- a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h
+++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h
@@ -73,6 +73,20 @@ struct pb_tnc_state_machine_t {
 	bool (*send_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type);
 
 	/**
+	 * Informs whether the last received PB-TNC CDATA Batch was empty
+	 *
+	 * @result				TRUE if last received PB-TNC CDATA Batch was empty
+	 */
+	bool (*get_empty_cdata)(pb_tnc_state_machine_t *this);
+
+	/**
+	 * Store information whether the received PB-TNC CDATA Batch was empty
+	 *
+	 * @param empty			set to TRUE if received PB-TNC CDATA Batch was empty
+	 */
+	void (*set_empty_cdata)(pb_tnc_state_machine_t *this, bool empty);
+
+	/**
 	 * Destroys a pb_tnc_state_machine_t object.
 	 */
 	void (*destroy)(pb_tnc_state_machine_t *this);
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
index 606fc529b..4c8f3a925 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2011 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -34,8 +34,10 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/imv/imv_manager.h>
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <daemon.h>
 #include <threading/mutex.h>
+#include <collections/linked_list.h>
 #include <pen/pen.h>
 
 typedef struct private_tnccs_20_t private_tnccs_20_t;
@@ -46,9 +48,9 @@ typedef struct private_tnccs_20_t private_tnccs_20_t;
 struct private_tnccs_20_t {
 
 	/**
-	 * Public tls_t interface.
+	 * Public tnccs_t interface.
 	 */
-	tls_t public;
+	tnccs_t public;
 
 	/**
 	 * TNCC if TRUE, TNCS if FALSE
@@ -56,6 +58,26 @@ struct private_tnccs_20_t {
 	bool is_server;
 
 	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Underlying TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t transport;
+
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
+	/**
 	 * PB-TNC State Machine
 	 */
 	pb_tnc_state_machine_t *state_machine;
@@ -66,9 +88,24 @@ struct private_tnccs_20_t {
 	TNC_ConnectionID connection_id;
 
 	/**
-	 * PB-TNC batch being constructed
+	 * PB-TNC messages to be sent
 	 */
-	pb_tnc_batch_t *batch;
+	linked_list_t *messages;
+
+	/**
+	 * Type of PB-TNC batch being constructed
+	 */
+	pb_tnc_batch_type_t batch_type;
+
+	/**
+	 * Maximum PB-TNC batch size
+	 */
+	size_t max_batch_len;
+
+	/**
+	 * Maximum PA-TNC message size
+	 */
+	size_t max_msg_len;
 
 	/**
 	 * Mutex locking the batch in construction
@@ -97,6 +134,30 @@ struct private_tnccs_20_t {
 
 };
 
+/**
+ * If the batch type changes then delete all accumulated PB-TNC messages
+ */
+void change_batch_type(private_tnccs_20_t *this, pb_tnc_batch_type_t batch_type)
+{
+	pb_tnc_msg_t *msg;
+
+	if (batch_type != this->batch_type)
+	{
+		if (this->batch_type != PB_BATCH_NONE)
+		{
+			DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+				 pb_tnc_batch_type_names, this->batch_type);
+
+			while (this->messages->remove_last(this->messages,
+											  (void**)&msg) == SUCCESS)
+			{
+				msg->destroy(msg);
+			}
+		}
+		this->batch_type = batch_type;
+	}
+}
+
 METHOD(tnccs_t, send_msg, TNC_Result,
 	private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
 						      TNC_UInt32 msg_flags,
@@ -138,13 +199,13 @@ METHOD(tnccs_t, send_msg, TNC_Result,
 	/* adding PA message to SDATA or CDATA batch only */
 	batch_type = this->is_server ? PB_BATCH_SDATA : PB_BATCH_CDATA;
 	this->mutex->lock(this->mutex);
-	if (!this->batch)
+	if (this->batch_type == PB_BATCH_NONE)
 	{
-		this->batch = pb_tnc_batch_create(this->is_server, batch_type);
+		this->batch_type = batch_type;
 	}
-	if (this->batch->get_type(this->batch) == batch_type)
+	if (this->batch_type == batch_type)
 	{
-		this->batch->add_msg(this->batch, pb_tnc_msg);
+		this->messages->insert_last(this->messages, pb_tnc_msg);
 	}
 	else
 	{
@@ -167,30 +228,31 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 		case PB_MSG_PA:
 		{
 			pb_pa_msg_t *pa_msg;
-			u_int32_t msg_vid, msg_subtype;
+			pen_type_t msg_subtype;
 			u_int16_t imc_id, imv_id;
 			chunk_t msg_body;
 			bool excl;
 			enum_name_t *pa_subtype_names;
 
 			pa_msg = (pb_pa_msg_t*)msg;
-			msg_vid = pa_msg->get_vendor_id(pa_msg, &msg_subtype);
+			msg_subtype = pa_msg->get_subtype(pa_msg);
 			msg_body = pa_msg->get_body(pa_msg);
 			imc_id = pa_msg->get_collector_id(pa_msg);
 			imv_id = pa_msg->get_validator_id(pa_msg);
 			excl = pa_msg->get_exclusive_flag(pa_msg);
 
-			pa_subtype_names = get_pa_subtype_names(msg_vid);
+			pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id);
 			if (pa_subtype_names)
 			{
 				DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x",
-					 pen_names, msg_vid, pa_subtype_names, msg_subtype,
-					 msg_vid, msg_subtype);
+					 pen_names, msg_subtype.vendor_id, pa_subtype_names,
+					 msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type);
 			}
 			else
 			{
 				DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x",
-					 pen_names, msg_vid, msg_vid, msg_subtype);
+					 pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id,
+					 msg_subtype.type);
 			}
 
 			this->send_msg = TRUE;
@@ -198,13 +260,15 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 			{
 				tnc->imvs->receive_message(tnc->imvs, this->connection_id,
 										   excl, msg_body.ptr, msg_body.len,
-										   msg_vid, msg_subtype, imc_id, imv_id);
+										   msg_subtype.vendor_id,
+										   msg_subtype.type, imc_id, imv_id);
 			}
 			else
 			{
 				tnc->imcs->receive_message(tnc->imcs, this->connection_id,
 										   excl, msg_body.ptr, msg_body.len,
-										   msg_vid, msg_subtype, imv_id, imc_id);
+										   msg_subtype.vendor_id,
+										   msg_subtype.type, imv_id, imc_id);
 			}
 			this->send_msg = FALSE;
 			break;
@@ -247,7 +311,36 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 		}
 		case PB_MSG_REMEDIATION_PARAMETERS:
 		{
-			/* TODO : Remediation parameters message processing */
+			pb_remediation_parameters_msg_t *rem_msg;
+			pen_type_t parameters_type;
+			chunk_t parameters, string, lang_code;
+
+			rem_msg = (pb_remediation_parameters_msg_t*)msg;
+			parameters_type = rem_msg->get_parameters_type(rem_msg);
+			parameters = rem_msg->get_parameters(rem_msg);
+
+			if (parameters_type.vendor_id == PEN_IETF)
+			{
+				switch (parameters_type.type)
+				{
+					case PB_REMEDIATION_URI:
+						DBG1(DBG_TNC, "remediation uri: %.*s",
+									   parameters.len, parameters.ptr);
+						break;
+					case PB_REMEDIATION_STRING:
+						string = rem_msg->get_string(rem_msg, &lang_code);
+						DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s",
+									   lang_code.len, lang_code.ptr,
+									   string.len, string.ptr);
+						break;
+					default:
+						DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+				}
+			}
+			else
+			{
+				DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+			}
 			break;
 		}
 		case PB_MSG_ERROR:
@@ -312,9 +405,12 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 			lang_msg = (pb_language_preference_msg_t*)msg;
 			lang = lang_msg->get_language_preference(lang_msg);
 
-			DBG2(DBG_TNC, "setting language preference to '%.*s'",
-						   lang.len, lang.ptr);
-			this->recs->set_preferred_language(this->recs, lang);
+			if (this->recs)
+			{
+				DBG2(DBG_TNC, "setting language preference to '%.*s'",
+					 (int)lang.len, lang.ptr);
+				this->recs->set_preferred_language(this->recs, lang);
+			}
 			break;
 		}
 		case PB_MSG_REASON_STRING:
@@ -325,10 +421,9 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
 			reason_msg = (pb_reason_string_msg_t*)msg;
 			reason_string = reason_msg->get_reason_string(reason_msg);
 			language_code = reason_msg->get_language_code(reason_msg);
-			DBG2(DBG_TNC, "reason string is '%.*s'", reason_string.len,
-													 reason_string.ptr);
-			DBG2(DBG_TNC, "language code is '%.*s'", language_code.len,
-													 language_code.ptr);
+			DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]",
+				 (int)reason_string.len, reason_string.ptr,
+				 (int)language_code.len, language_code.ptr);
 			break;
 		}
 		default:
@@ -344,23 +439,20 @@ static void build_retry_batch(private_tnccs_20_t *this)
 	pb_tnc_batch_type_t batch_retry_type;
 
 	batch_retry_type = this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY;
-	if (this->batch)
+	if (this->batch_type == batch_retry_type)
 	{
-		if (this->batch->get_type(this->batch) == batch_retry_type)
-		{
-			/* retry batch has already been created */
-			return;
-		}
-		DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
-			pb_tnc_batch_type_names, this->batch->get_type(this->batch));
-		this->batch->destroy(this->batch);
-	 }
+		/* retry batch has already been selected */
+		return;
+	}
+
+	change_batch_type(this, batch_retry_type);
+
 	if (this->is_server)
 	{
+		this->recs->clear_recommendation(this->recs);
 		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
 											TNC_CONNECTION_STATE_HANDSHAKE);
 	}
-	this->batch = pb_tnc_batch_create(this->is_server, batch_retry_type);
 }
 
 METHOD(tls_t, process, status_t,
@@ -375,8 +467,9 @@ METHOD(tls_t, process, status_t,
 	if (this->is_server && !this->connection_id)
 	{
 		this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
-								TNCCS_2_0, (tnccs_t*)this, _send_msg,
-								&this->request_handshake_retry, &this->recs);
+									TNCCS_2_0, (tnccs_t*)this, _send_msg,
+									&this->request_handshake_retry,
+									this->max_msg_len, &this->recs);
 		if (!this->connection_id)
 		{
 			return FAILED;
@@ -461,13 +554,7 @@ METHOD(tls_t, process, status_t,
 		case FAILED:
 			this->fatal_error = TRUE;
 			this->mutex->lock(this->mutex);
-			if (this->batch)
-			{
-				DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
-					pb_tnc_batch_type_names, this->batch->get_type(this->batch));
-				this->batch->destroy(this->batch);
-			 }
-			this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE);
+			change_batch_type(this, PB_BATCH_CLOSE);
 			this->mutex->unlock(this->mutex);
 			/* fall through to add error messages to outbound batch */
 		case VERIFY_ERROR:
@@ -475,7 +562,7 @@ METHOD(tls_t, process, status_t,
 			while (enumerator->enumerate(enumerator, &msg))
 			{
 				this->mutex->lock(this->mutex);
-				this->batch->add_msg(this->batch, msg->get_ref(msg));
+				this->messages->insert_last(this->messages, msg->get_ref(msg));
 				this->mutex->unlock(this->mutex);
 			}
 			enumerator->destroy(enumerator);
@@ -496,6 +583,7 @@ static void check_and_build_recommendation(private_tnccs_20_t *this)
 {
 	TNC_IMV_Action_Recommendation rec;
 	TNC_IMV_Evaluation_Result eval;
+	TNC_ConnectionState state;
 	TNC_IMVID id;
 	chunk_t reason, language;
 	enumerator_t *enumerator;
@@ -508,38 +596,44 @@ static void check_and_build_recommendation(private_tnccs_20_t *this)
 	}
 	if (this->recs->have_recommendation(this->recs, &rec, &eval))
 	{
-		this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_RESULT);
+		this->batch_type = PB_BATCH_RESULT;
 
 		msg = pb_assessment_result_msg_create(eval);
-		this->batch->add_msg(this->batch, msg);
+		this->messages->insert_last(this->messages, msg);
 
 		/**
 		 * Map IMV Action Recommendation codes to PB Access Recommendation codes
+		 * and communicate Access Recommendation to IMVs
 		 */
 		switch (rec)
 		{
 			case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+				state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
 				pb_rec = PB_REC_ACCESS_ALLOWED;
 				break;
 			case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+				state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
 				pb_rec = PB_REC_QUARANTINED;
 				break;
 			case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
 			case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
 			default:
+				state = TNC_CONNECTION_STATE_ACCESS_NONE;
 				pb_rec = PB_REC_ACCESS_DENIED;
 		}
+		tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+											state);
+
 		msg = pb_access_recommendation_msg_create(pb_rec);
-		this->batch->add_msg(this->batch, msg);
+		this->messages->insert_last(this->messages, msg);
 
 		enumerator = this->recs->create_reason_enumerator(this->recs);
 		while (enumerator->enumerate(enumerator, &id, &reason, &language))
 		{
 			msg = pb_reason_string_msg_create(reason, language);
-			this->batch->add_msg(this->batch, msg);
+			this->messages->insert_last(this->messages, msg);
 		}
 		enumerator->destroy(enumerator);
-		this->recs->clear_reasons(this->recs);
 	}
 }
 
@@ -557,7 +651,8 @@ METHOD(tls_t, build, status_t,
 
 		this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
 										TNCCS_2_0, (tnccs_t*)this, _send_msg,
-										&this->request_handshake_retry, NULL);
+										&this->request_handshake_retry,
+										this->max_msg_len, NULL);
 		if (!this->connection_id)
 		{
 			return FAILED;
@@ -568,8 +663,8 @@ METHOD(tls_t, build, status_t,
 		msg = pb_language_preference_msg_create(chunk_create(pref_lang,
 													strlen(pref_lang)));
 		this->mutex->lock(this->mutex);
-		this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CDATA);
-		this->batch->add_msg(this->batch, msg);
+		this->batch_type = PB_BATCH_CDATA;
+		this->messages->insert_last(this->messages, msg);
 		this->mutex->unlock(this->mutex);
 
 		tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
@@ -583,7 +678,7 @@ METHOD(tls_t, build, status_t,
 
 	state = this->state_machine->get_state(this->state_machine);
 
-	if (this->is_server && this->fatal_error && state == PB_STATE_END)
+	if (this->fatal_error && state == PB_STATE_END)
 	{
 		DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
 		return FAILED;
@@ -603,66 +698,110 @@ METHOD(tls_t, build, status_t,
 		this->request_handshake_retry = FALSE;
 	}
 
-	if (!this->batch)
+	if (this->is_server &&  state == PB_STATE_SERVER_WORKING &&
+		this->recs->have_recommendation(this->recs, NULL, NULL))
+	{
+		check_and_build_recommendation(this);
+	}
+
+	if (this->batch_type == PB_BATCH_NONE)
 	{
 		if (this->is_server)
 		{
 			if (state == PB_STATE_SERVER_WORKING)
 			{
-				check_and_build_recommendation(this);
+				if (this->state_machine->get_empty_cdata(this->state_machine))
+				{
+					check_and_build_recommendation(this);
+				}
+				else
+				{
+					DBG2(DBG_TNC, "no recommendation available yet, "
+								  "sending empty PB-TNC SDATA batch");
+					this->batch_type = PB_BATCH_SDATA;
+				}
 			}
 		}
 		else
 		{
-			/**
-			 * if the DECIDED state has been reached and no CRETRY is under way
-			 * or if a CLOSE batch with error messages has been received,
-			 * a PB-TNC client replies with an empty CLOSE batch.
-			 */
-			if (state == PB_STATE_DECIDED || state == PB_STATE_END)
+			switch (state)
 			{
-				this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE);
+				case PB_STATE_CLIENT_WORKING:
+					DBG2(DBG_TNC, "no client data to send, "
+								  "sending empty PB-TNC CDATA batch");
+					this->batch_type = PB_BATCH_CDATA;
+					break;
+				case PB_STATE_DECIDED:
+					/**
+					 * In the DECIDED state and if no CRETRY is under way,
+					 * a PB-TNC client replies with an empty CLOSE batch.
+					 */
+					this->batch_type = PB_BATCH_CLOSE;
+					break;
+				default:
+					break;
 			}
 		}
 	}
 
-	if (this->batch)
+	if (this->batch_type != PB_BATCH_NONE)
 	{
-		pb_tnc_batch_type_t batch_type;
+		pb_tnc_batch_t *batch;
+		pb_tnc_msg_t *msg;
 		chunk_t data;
+		int msg_count;
+		enumerator_t *enumerator;
 
-		batch_type = this->batch->get_type(this->batch);
-
-		if (this->state_machine->send_batch(this->state_machine, batch_type))
+		if (this->state_machine->send_batch(this->state_machine, this->batch_type))
 		{
-			this->batch->build(this->batch);
-			data = this->batch->get_encoding(this->batch);
+			batch = pb_tnc_batch_create(this->is_server, this->batch_type,
+										min(this->max_batch_len, *buflen));
+
+			enumerator = this->messages->create_enumerator(this->messages);
+			while (enumerator->enumerate(enumerator, &msg))
+			{
+				if (batch->add_msg(batch, msg))
+				{
+					this->messages->remove_at(this->messages, enumerator);
+				}
+				else
+				{
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			batch->build(batch);
+			data = batch->get_encoding(batch);
 			DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
-						   pb_tnc_batch_type_names, batch_type, data.len,
+						   pb_tnc_batch_type_names, this->batch_type, data.len,
 						   this->connection_id);
 			DBG3(DBG_TNC, "%B", &data);
-			*msglen = data.len;
 
-			if (data.len > *buflen)
+			*buflen = data.len;
+			*msglen = 0;
+			memcpy(buf, data.ptr, *buflen);
+			batch->destroy(batch);
+
+			msg_count = this->messages->get_count(this->messages);
+			if (msg_count)
 			{
-				DBG1(DBG_TNC, "fragmentation of PB-TNC batch not supported yet");
+				DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch",
+					 msg_count, (msg_count == 1) ? "" : "s",
+					 pb_tnc_batch_type_names, this->batch_type);
 			}
 			else
 			{
-				*buflen = data.len;
+				this->batch_type = PB_BATCH_NONE;
 			}
-			memcpy(buf, data.ptr, *buflen);
+
 			status = ALREADY_DONE;
 		}
 		else
 		{
-			DBG1(DBG_TNC, "cancelling unexpected PB-TNC batch type: %N",
-				 pb_tnc_batch_type_names, batch_type);
+			change_batch_type(this, PB_BATCH_NONE);
 			status = INVALID_STATE;
 		}
-
-		this->batch->destroy(this->batch);
-		this->batch = NULL;
 	}
 	else
 	{
@@ -680,6 +819,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_20_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_20_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_20_t *this)
 {
@@ -713,32 +864,80 @@ METHOD(tls_t, destroy, void,
 {
 	tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
 											  this->is_server);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
 	this->state_machine->destroy(this->state_machine);
 	this->mutex->destroy(this->mutex);
-	DESTROY_IF(this->batch);
+	this->messages->destroy_offset(this->messages,
+								   offsetof(pb_tnc_msg_t, destroy));
 	free(this);
 }
 
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+	private_tnccs_20_t *this)
+{
+	return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+	private_tnccs_20_t *this, tnc_ift_type_t transport)
+{
+	this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_20_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_20_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
-tls_t *tnccs_20_create(bool is_server)
+tnccs_t* tnccs_20_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport)
 {
 	private_tnccs_20_t *this;
 
 	INIT(this,
 		.public = {
-			.process = _process,
-			.build = _build,
-			.is_server = _is_server,
-			.get_purpose = _get_purpose,
-			.is_complete = _is_complete,
-			.get_eap_msk = _get_eap_msk,
-			.destroy = _destroy,
+			.tls = {
+				.process = _process,
+				.build = _build,
+				.is_server = _is_server,
+				.get_server_id = _get_server_id,
+				.get_peer_id = _get_peer_id,
+				.get_purpose = _get_purpose,
+				.is_complete = _is_complete,
+				.get_eap_msk = _get_eap_msk,
+				.destroy = _destroy,
+			},
+			.get_transport = _get_transport,
+			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
 		.is_server = is_server,
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.transport = transport,
 		.state_machine = pb_tnc_state_machine_create(is_server),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.messages = linked_list_create(),
+		.max_batch_len = lib->settings->get_int(lib->settings,
+								"%s.plugins.tnccs-20.max_batch_size", 65522,
+								charon->name),
+		.max_msg_len = lib->settings->get_int(lib->settings,
+								"%s.plugins.tnccs-20.max_message_size", 65490,
+								charon->name),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.h b/src/libcharon/plugins/tnccs_20/tnccs_20.h
index 400d1dc12..314935069 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20.h
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,14 +23,20 @@
 
 #include <library.h>
 
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
 
 /**
  * Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
  *
- * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
- * @return					TNC_IF_TNCCS 2.0 protocol stack
+ * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying IF-T transport protocol
+ * @return				TNC_IF_TNCCS 2.0 protocol stack
  */
-tls_t *tnccs_20_create(bool is_server);
+tnccs_t* tnccs_20_create(bool is_server,
+						 identification_t *server,
+						 identification_t *peer,
+						 tnc_ift_type_t transport);
 
 #endif /** TNCCS_20_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
index 4f419ecf0..f74306c8c 100644
--- a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
@@ -30,8 +30,6 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(tnccs_method_register, tnccs_20_create),
 			PLUGIN_PROVIDE(CUSTOM, "tnccs-2.0"),
-				PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
-				PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
 	};
 	*features = f;
@@ -61,4 +59,3 @@ plugin_t *tnccs_20_plugin_create()
 
 	return &this->plugin;
 }
-
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.am b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
index 57c2baaf0..1a2887816 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.am
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
@@ -1,11 +1,11 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
index ab24d32d3..bf5e9c1b8 100644
--- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 @MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_DEPENDENCIES =  \
@@ -81,49 +105,77 @@ am_libstrongswan_tnccs_dynamic_la_OBJECTS = tnccs_dynamic_plugin.lo \
 	tnccs_dynamic.lo
 libstrongswan_tnccs_dynamic_la_OBJECTS =  \
 	$(am_libstrongswan_tnccs_dynamic_la_OBJECTS)
-libstrongswan_tnccs_dynamic_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_tnccs_dynamic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_tnccs_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_tnccs_dynamic_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_tnccs_dynamic_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -151,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -178,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -198,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -229,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -286,13 +347,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
 @MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_LIBADD = \
@@ -348,7 +411,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -356,6 +418,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -377,8 +441,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) 
-	$(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS)
+libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) $(EXTRA_libstrongswan_tnccs_dynamic_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -390,25 +454,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -515,10 +579,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
index b68d2dd6b..d4fc6a6f7 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -17,7 +17,7 @@
 
 #include <tnc/tnc.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t;
 
@@ -27,14 +27,35 @@ typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t;
 struct private_tnccs_dynamic_t {
 
 	/**
-	 * Public tls_t interface.
+	 * Public tnccs_t interface.
 	 */
-	tls_t public;
+	tnccs_t public;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *peer;
 
 	/**
 	 * Detected TNC IF-TNCCS stack
 	 */
 	tls_t *tls;
+
+	/**
+	 * Underlying TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t transport;
+
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
 };
 
 /**
@@ -66,6 +87,7 @@ METHOD(tls_t, process, status_t,
 	private_tnccs_dynamic_t *this, void *buf, size_t buflen)
 {
 	tnccs_type_t type;
+	tnccs_t *tnccs;
 
 	if (!this->tls)
 	{
@@ -76,12 +98,15 @@ METHOD(tls_t, process, status_t,
 		type = determine_tnccs_protocol(*(char*)buf);
 		DBG1(DBG_TNC, "%N protocol detected dynamically",
 					   tnccs_type_names, type);
-		this->tls = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, type, TRUE);
-		if (!this->tls)
+		tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
+							this->server, this->peer, this->transport);
+		if (!tnccs)
 		{
 			DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
 			return FAILED;
 		}
+		tnccs->set_auth_type(tnccs, this->auth_type);
+		this->tls = &tnccs->tls;
 	}
 	return this->tls->process(this->tls, buf, buflen);
 }
@@ -98,6 +123,18 @@ METHOD(tls_t, is_server, bool,
 	return TRUE;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_dynamic_t *this)
 {
@@ -120,26 +157,66 @@ METHOD(tls_t, destroy, void,
 	private_tnccs_dynamic_t *this)
 {
 	DESTROY_IF(this->tls);
-	free(this);	
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+	private_tnccs_dynamic_t *this)
+{
+	return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+	private_tnccs_dynamic_t *this, tnc_ift_type_t transport)
+{
+	this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_dynamic_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_dynamic_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
 }
 
 /**
  * See header
  */
-tls_t *tnccs_dynamic_create(bool is_server)
+tnccs_t* tnccs_dynamic_create(bool is_server,
+							  identification_t *server,
+							  identification_t *peer,
+							  tnc_ift_type_t transport)
 {
 	private_tnccs_dynamic_t *this;
 
 	INIT(this,
 		.public = {
-			.process = _process,
-			.build = _build,
-			.is_server = _is_server,
-			.get_purpose = _get_purpose,
-			.is_complete = _is_complete,
-			.get_eap_msk = _get_eap_msk,
-			.destroy = _destroy,
+			.tls = {
+				.process = _process,
+				.build = _build,
+				.is_server = _is_server,
+				.get_server_id = _get_server_id,
+				.get_peer_id = _get_peer_id,
+				.get_purpose = _get_purpose,
+				.is_complete = _is_complete,
+				.get_eap_msk = _get_eap_msk,
+				.destroy = _destroy,
+			},
+			.get_transport = _get_transport,
+			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.transport = transport,
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
index 42410b17f..e4cff74b8 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,14 +23,20 @@
 
 #include <library.h>
 
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
 
 /**
  * Create an instance of a dynamic TNC IF-TNCCS protocol handler.
  *
- * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
- * @return					dynamic TNC IF-TNCCS protocol stack
+ * @param is_server		TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying IF-T transport protocol
+ * @return				dynamic TNC IF-TNCCS protocol stack
  */
-tls_t *tnccs_dynamic_create(bool is_server);
+tnccs_t* tnccs_dynamic_create(bool is_server,
+							  identification_t *server,
+							  identification_t *peer,
+							  tnc_ift_type_t transport);
 
 #endif /** TNCCS_DYNAMIC_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
index 6f581c543..aac57813a 100644
--- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
@@ -32,8 +32,6 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(CUSTOM, "tnccs-dynamic"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-1.1"),
 				PLUGIN_DEPENDS(CUSTOM, "tnccs-2.0"),
-				PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
-				PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
 	};
 	*features = f;
 	return countof(f);
@@ -62,4 +60,3 @@ plugin_t *tnccs_dynamic_plugin_create()
 
 	return &this->plugin;
 }
-
diff --git a/src/libcharon/plugins/uci/Makefile.am b/src/libcharon/plugins/uci/Makefile.am
index 6decdb9da..1fcd9ed25 100644
--- a/src/libcharon/plugins/uci/Makefile.am
+++ b/src/libcharon/plugins/uci/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-uci.la
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index dd001e0bd..224b3e67f 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_uci_la_DEPENDENCIES =
 am_libstrongswan_uci_la_OBJECTS = uci_plugin.lo uci_parser.lo \
 	uci_config.lo uci_creds.lo uci_control.lo
 libstrongswan_uci_la_OBJECTS = $(am_libstrongswan_uci_la_OBJECTS)
-libstrongswan_uci_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_uci_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_uci_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_uci_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_uci_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_uci_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_uci_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_uci_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,10 +343,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-uci.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-uci.la
 libstrongswan_uci_la_SOURCES = \
@@ -339,7 +405,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +412,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +435,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) 
-	$(libstrongswan_uci_la_LINK) $(am_libstrongswan_uci_la_rpath) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
+libstrongswan-uci.la: $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_DEPENDENCIES) $(EXTRA_libstrongswan_uci_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_uci_la_LINK) $(am_libstrongswan_uci_la_rpath) $(libstrongswan_uci_la_OBJECTS) $(libstrongswan_uci_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -384,25 +451,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uci_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -509,10 +576,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index 2f5e59b89..b58d120c1 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -87,28 +87,12 @@ static traffic_selector_t *create_ts(char *string)
 {
 	if (string)
 	{
-		int netbits = 32;
-		host_t *net;
-		char *pos;
+		traffic_selector_t *ts;
 
-		string = strdupa(string);
-		pos = strchr(string, '/');
-		if (pos)
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
+		if (ts)
 		{
-			*pos++ = '\0';
-			netbits = atoi(pos);
-		}
-		else
-		{
-			if (strchr(string, ':'))
-			{
-				netbits = 128;
-			}
-		}
-		net = host_create_from_string(string, 0);
-		if (net)
-		{
-			return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+			return ts;
 		}
 	}
 	return traffic_selector_create_dynamic(0, 0, 65535);
@@ -168,15 +152,18 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 			&ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
 	{
 		DESTROY_IF(this->peer_cfg);
-		ike_cfg = ike_cfg_create(FALSE, FALSE,
-					local_addr, IKEV2_UDP_PORT, remote_addr, IKEV2_UDP_PORT);
+		ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+								 local_addr, FALSE,
+								 charon->socket->get_port(charon->socket, FALSE),
+								 remote_addr, FALSE, IKEV2_UDP_PORT,
+								 FRAGMENTATION_NO, 0);
 		ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
 		this->peer_cfg = peer_cfg_create(
-					name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
+					name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
 					1, create_rekey(ike_rekey), 0,  /* keytries, rekey, reauth */
 					1800, 900,						/* jitter, overtime */
-					TRUE, 60,						/* mobike, dpddelay */
-					NULL, NULL,					/* vip, pool */
+					TRUE, FALSE,				/* mobike, aggressive */
+					60, 0,						/* DPD delay, timeout */
 					FALSE, NULL, NULL);			/* mediation, med by, peer id */
 		auth = auth_cfg_create();
 		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
@@ -264,8 +251,11 @@ METHOD(enumerator_t, ike_enumerator_enumerate, bool,
 							   &local_addr, &remote_addr, &ike_proposal))
 	{
 		DESTROY_IF(this->ike_cfg);
-		this->ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, IKEV2_UDP_PORT,
-										remote_addr, IKEV2_UDP_PORT);
+		this->ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
+								local_addr, FALSE,
+								charon->socket->get_port(charon->socket, FALSE),
+								remote_addr, FALSE, IKEV2_UDP_PORT,
+								FRAGMENTATION_NO, 0);
 		this->ike_cfg->add_proposal(this->ike_cfg,
 									create_proposal(ike_proposal, PROTO_IKE));
 
@@ -353,4 +343,3 @@ uci_config_t *uci_config_create(uci_parser_t *parser)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
index af4a6a711..cebc389e7 100644
--- a/src/libcharon/plugins/uci/uci_control.c
+++ b/src/libcharon/plugins/uci/uci_control.c
@@ -42,11 +42,6 @@ struct private_uci_control_t {
 	 * Public part
 	 */
 	uci_control_t public;
-
-	/**
-	 * Job
-	 */
-	callback_job_t *job;
 };
 
 /**
@@ -77,6 +72,7 @@ static void write_fifo(private_uci_control_t *this, char *format, ...)
 static void status(private_uci_control_t *this, char *name)
 {
 	enumerator_t *configs, *sas, *children;
+	linked_list_t *list;
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
 	peer_cfg_t *peer_cfg;
@@ -84,7 +80,7 @@ static void status(private_uci_control_t *this, char *name)
 	FILE *out = NULL;
 
 	configs = charon->backends->create_peer_cfg_enumerator(charon->backends,
-														NULL, NULL, NULL, NULL);
+											NULL, NULL, NULL, NULL, IKE_ANY);
 	while (configs->enumerate(configs, &peer_cfg))
 	{
 		if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
@@ -113,8 +109,10 @@ static void status(private_uci_control_t *this, char *name)
 			children = ike_sa->create_child_sa_enumerator(ike_sa);
 			while (children->enumerate(children, (void**)&child_sa))
 			{
-				fprintf(out, "%#R",
-						child_sa->get_traffic_selectors(child_sa, FALSE));
+				list = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
+				fprintf(out, "%#R", list);
+				list->destroy(list);
 			}
 			children->destroy(children);
 			fprintf(out, "\n");
@@ -269,7 +267,6 @@ static job_requeue_t receive(private_uci_control_t *this)
 METHOD(uci_control_t, destroy, void,
 	private_uci_control_t *this)
 {
-	this->job->cancel(this->job);
 	unlink(FIFO_FILE);
 	free(this);
 }
@@ -295,10 +292,10 @@ uci_control_t *uci_control_create()
 	}
 	else
 	{
-		this->job = callback_job_create_with_prio((callback_job_cb_t)receive,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-		lib->processor->queue_job(lib->processor, (job_t*)this->job);
+		lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
+							this, NULL, (callback_job_cancel_t)return_false,
+							JOB_PRIO_CRITICAL));
 	}
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/uci/uci_parser.h b/src/libcharon/plugins/uci/uci_parser.h
index 7217e507a..230c35e86 100644
--- a/src/libcharon/plugins/uci/uci_parser.h
+++ b/src/libcharon/plugins/uci/uci_parser.h
@@ -22,7 +22,7 @@
 #ifndef UCI_PARSER_H_
 #define UCI_PARSER_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct uci_parser_t uci_parser_t;
 
diff --git a/src/libcharon/plugins/uci/uci_plugin.c b/src/libcharon/plugins/uci/uci_plugin.c
index 497c473a4..cc0836b7a 100644
--- a/src/libcharon/plugins/uci/uci_plugin.c
+++ b/src/libcharon/plugins/uci/uci_plugin.c
@@ -64,11 +64,40 @@ METHOD(plugin_t, get_name, char*,
 	return "uci";
 }
 
+/**
+ * Register backend
+ */
+static bool plugin_cb(private_uci_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->backends->add_backend(charon->backends, &this->config->backend);
+		lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
+	}
+	else
+	{
+		charon->backends->remove_backend(charon->backends,
+										 &this->config->backend);
+		lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_uci_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "uci"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_uci_plugin_t *this)
 {
-	charon->backends->remove_backend(charon->backends, &this->config->backend);
-	lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
 	this->config->destroy(this->config);
 	this->creds->destroy(this->creds);
 	this->parser->destroy(this->parser);
@@ -87,7 +116,7 @@ plugin_t *uci_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -97,9 +126,5 @@ plugin_t *uci_plugin_create()
 	this->config = uci_config_create(this->parser);
 	this->creds = uci_creds_create(this->parser);
 
-	charon->backends->add_backend(charon->backends, &this->config->backend);
-	lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am
index c46d2b85d..21cf08c61 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.am
+++ b/src/libcharon/plugins/unit_tester/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-unit-tester.la
@@ -12,19 +14,13 @@ endif
 
 libstrongswan_unit_tester_la_SOURCES = \
 	unit_tester.c unit_tester.h tests.h \
-	tests/test_enumerator.c \
 	tests/test_auth_info.c \
 	tests/test_curl.c \
 	tests/test_mysql.c \
 	tests/test_sqlite.c \
-	tests/test_mutex.c \
-	tests/test_rsa_gen.c \
 	tests/test_cert.c \
 	tests/test_med_db.c \
-	tests/test_chunk.c \
 	tests/test_pool.c \
-	tests/test_agent.c \
-	tests/test_id.c \
-	tests/test_hashtable.c
+	tests/test_agent.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 106c9b1fe..0e22c1db1 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,59 +90,91 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_unit_tester_la_LIBADD =
 am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
-	test_enumerator.lo test_auth_info.lo test_curl.lo \
-	test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \
-	test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \
-	test_agent.lo test_id.lo test_hashtable.lo
+	test_auth_info.lo test_curl.lo test_mysql.lo test_sqlite.lo \
+	test_cert.lo test_med_db.lo test_pool.lo test_agent.lo
 libstrongswan_unit_tester_la_OBJECTS =  \
 	$(am_libstrongswan_unit_tester_la_OBJECTS)
-libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_unit_tester_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unit_tester_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_unit_tester_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_unit_tester_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -133,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -152,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -191,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -199,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -209,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -230,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -250,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -287,28 +346,26 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unit-tester.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unit-tester.la
 libstrongswan_unit_tester_la_SOURCES = \
 	unit_tester.c unit_tester.h tests.h \
-	tests/test_enumerator.c \
 	tests/test_auth_info.c \
 	tests/test_curl.c \
 	tests/test_mysql.c \
 	tests/test_sqlite.c \
-	tests/test_mutex.c \
-	tests/test_rsa_gen.c \
 	tests/test_cert.c \
 	tests/test_med_db.c \
-	tests/test_chunk.c \
 	tests/test_pool.c \
-	tests/test_agent.c \
-	tests/test_id.c \
-	tests/test_hashtable.c
+	tests/test_agent.c
 
 libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -356,7 +413,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -364,6 +420,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -385,8 +443,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) 
-	$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
+libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_unit_tester_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -397,137 +455,89 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hashtable.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-test_enumerator.lo: tests/test_enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_enumerator.lo -MD -MP -MF $(DEPDIR)/test_enumerator.Tpo -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_enumerator.Tpo $(DEPDIR)/test_enumerator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_enumerator.c' object='test_enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_enumerator.lo `test -f 'tests/test_enumerator.c' || echo '$(srcdir)/'`tests/test_enumerator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 test_auth_info.lo: tests/test_auth_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_auth_info.c' object='test_auth_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_auth_info.lo -MD -MP -MF $(DEPDIR)/test_auth_info.Tpo -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_auth_info.Tpo $(DEPDIR)/test_auth_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_auth_info.c' object='test_auth_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
 
 test_curl.lo: tests/test_curl.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_curl.c' object='test_curl.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_curl.c' object='test_curl.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
 
 test_mysql.lo: tests/test_mysql.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mysql.c' object='test_mysql.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mysql.lo -MD -MP -MF $(DEPDIR)/test_mysql.Tpo -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_mysql.Tpo $(DEPDIR)/test_mysql.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_mysql.c' object='test_mysql.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mysql.lo `test -f 'tests/test_mysql.c' || echo '$(srcdir)/'`tests/test_mysql.c
 
 test_sqlite.lo: tests/test_sqlite.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_sqlite.c' object='test_sqlite.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
-
-test_mutex.lo: tests/test_mutex.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_mutex.lo -MD -MP -MF $(DEPDIR)/test_mutex.Tpo -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_mutex.Tpo $(DEPDIR)/test_mutex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_mutex.c' object='test_mutex.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_mutex.lo `test -f 'tests/test_mutex.c' || echo '$(srcdir)/'`tests/test_mutex.c
-
-test_rsa_gen.lo: tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rsa_gen.lo -MD -MP -MF $(DEPDIR)/test_rsa_gen.Tpo -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_rsa_gen.Tpo $(DEPDIR)/test_rsa_gen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_rsa_gen.c' object='test_rsa_gen.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_sqlite.lo -MD -MP -MF $(DEPDIR)/test_sqlite.Tpo -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_sqlite.Tpo $(DEPDIR)/test_sqlite.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_sqlite.c' object='test_sqlite.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rsa_gen.lo `test -f 'tests/test_rsa_gen.c' || echo '$(srcdir)/'`tests/test_rsa_gen.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_sqlite.lo `test -f 'tests/test_sqlite.c' || echo '$(srcdir)/'`tests/test_sqlite.c
 
 test_cert.lo: tests/test_cert.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_cert.lo -MD -MP -MF $(DEPDIR)/test_cert.Tpo -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_cert.Tpo $(DEPDIR)/test_cert.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_cert.c' object='test_cert.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_cert.lo `test -f 'tests/test_cert.c' || echo '$(srcdir)/'`tests/test_cert.c
 
 test_med_db.lo: tests/test_med_db.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_med_db.c' object='test_med_db.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_med_db.lo -MD -MP -MF $(DEPDIR)/test_med_db.Tpo -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_med_db.Tpo $(DEPDIR)/test_med_db.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_med_db.c' object='test_med_db.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-
-test_chunk.lo: tests/test_chunk.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_chunk.c' object='test_chunk.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
 
 test_pool.lo: tests/test_pool.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_pool.lo -MD -MP -MF $(DEPDIR)/test_pool.Tpo -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_pool.Tpo $(DEPDIR)/test_pool.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_pool.c' object='test_pool.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_pool.lo `test -f 'tests/test_pool.c' || echo '$(srcdir)/'`tests/test_pool.c
 
 test_agent.lo: tests/test_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-
-test_id.lo: tests/test_id.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_id.c' object='test_id.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_agent.lo -MD -MP -MF $(DEPDIR)/test_agent.Tpo -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_agent.Tpo $(DEPDIR)/test_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tests/test_agent.c' object='test_agent.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
-
-test_hashtable.lo: tests/test_hashtable.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_hashtable.lo -MD -MP -MF $(DEPDIR)/test_hashtable.Tpo -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/test_hashtable.Tpo $(DEPDIR)/test_hashtable.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tests/test_hashtable.c' object='test_hashtable.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -634,10 +644,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libcharon/plugins/unit_tester/tests.h
index cd38c8a99..169292e9b 100644
--- a/src/libcharon/plugins/unit_tester/tests.h
+++ b/src/libcharon/plugins/unit_tester/tests.h
@@ -18,27 +18,13 @@
  * @{ @ingroup unit_tester
  */
 
-DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE)
-DEFINE_TEST("hashtable_t->remove_at()", test_hashtable_remove_at, FALSE)
-DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
-DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
-DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
-DEFINE_TEST("token enumerator", test_enumerate_token, FALSE)
 DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
 DEFINE_TEST("CURL get", test_curl_get, FALSE)
 DEFINE_TEST("MySQL operations", test_mysql, FALSE)
 DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
-DEFINE_TEST("mutex primitive", test_mutex, FALSE)
-DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
-DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
 DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
 DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
-DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
 DEFINE_TEST("IP pool", test_pool, FALSE)
 DEFINE_TEST("SSH agent", test_agent, FALSE)
-DEFINE_TEST("ID parts", test_id_parts, FALSE)
-DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE)
-DEFINE_TEST("ID equals", test_id_equals, FALSE)
-DEFINE_TEST("ID matches", test_id_matches, FALSE)
 
 /** @}*/
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
index 342194a4c..f4410a688 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c
@@ -60,7 +60,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	if (!parsed->issued_by(parsed, ca_cert))
+	if (!parsed->issued_by(parsed, ca_cert, NULL))
 	{
 		return FALSE;
 	}
@@ -90,7 +90,7 @@ bool test_cert_x509()
 	{
 		return FALSE;
 	}
-	if (!parsed->issued_by(parsed, ca_cert))
+	if (!parsed->issued_by(parsed, ca_cert, NULL))
 	{
 		return FALSE;
 	}
diff --git a/src/libcharon/plugins/unit_tester/tests/test_chunk.c b/src/libcharon/plugins/unit_tester/tests/test_chunk.c
deleted file mode 100644
index 2e0905b2c..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_chunk.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * Base64 encoding/decoding test
- ******************************************************************************/
-bool test_chunk_base64()
-{
-	/* test vectors from RFC4648:
-	 *
-	 * BASE64("") = ""
-	 * BASE64("f") = "Zg=="
-	 * BASE64("fo") = "Zm8="
-	 * BASE64("foo") = "Zm9v"
-	 * BASE64("foob") = "Zm9vYg=="
-	 * BASE64("fooba") = "Zm9vYmE="
-	 * BASE64("foobar") = "Zm9vYmFy"
-	 */
-
-	typedef struct {
-		char *in;
-		char *out;
-	} testdata_t;
-
-	testdata_t test[] = {
-		{"", ""},
-		{"f", "Zg=="},
-		{"fo", "Zm8="},
-		{"foo", "Zm9v"},
-		{"foob", "Zm9vYg=="},
-		{"fooba", "Zm9vYmE="},
-		{"foobar", "Zm9vYmFy"},
-	};
-	int i;
-
-	for (i = 0; i < countof(test); i++)
-	{
-		chunk_t out;
-
-		out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
-
-		if (!streq(out.ptr, test[i].out))
-		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %s",
-				test[i].out, out.ptr);
-			return FALSE;
-		}
-		free(out.ptr);
-	}
-
-	for (i = 0; i < countof(test); i++)
-	{
-		chunk_t out;
-
-		out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
-
-		if (!strneq(out.ptr, test[i].in, out.len))
-		{
-			DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B",
-				test[i].in, &out);
-			return FALSE;
-		}
-		free(out.ptr);
-	}
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c b/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
deleted file mode 100644
index edbf0f5bb..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_enumerator.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <utils/linked_list.h>
-
-
-/*******************************************************************************
- * linked list remove test
- ******************************************************************************/
-bool test_list_remove()
-{
-	void *a = (void*)1, *b = (void*)2;
-	linked_list_t *list;
-
-	list = linked_list_create();
-	list->insert_last(list, a);
-	if (list->remove(list, a, NULL) != 1)
-	{
-		return FALSE;
-	}
-	list->insert_last(list, a);
-	list->insert_first(list, a);
-	list->insert_last(list, a);
-	list->insert_last(list, b);
-	if (list->remove(list, a, NULL) != 3)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, a, NULL) != 0)
-	{
-		return FALSE;
-	}
-	if (list->get_count(list) != 1)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, b, NULL) != 1)
-	{
-		return FALSE;
-	}
-	if (list->remove(list, b, NULL) != 0)
-	{
-		return FALSE;
-	}
-	list->destroy(list);
-	return TRUE;
-}
-
-/*******************************************************************************
- * Simple insert first/last and enumerate test
- ******************************************************************************/
-bool test_enumerate()
-{
-	int round, x;
-	void *a = (void*)4, *b = (void*)3, *c = (void*)2, *d = (void*)5, *e = (void*)1;
-	linked_list_t *list;
-	enumerator_t *enumerator;
-
-	list = linked_list_create();
-
-	list->insert_last(list, a);
-	list->insert_first(list, b);
-	list->insert_first(list, c);
-	list->insert_last(list, d);
-	list->insert_first(list, e);
-
-	round = 1;
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, &x))
-	{
-		if (round != x)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	return TRUE;
-}
-
-/*******************************************************************************
- * nested enumerator test
- ******************************************************************************/
-
-static bool bad_data;
-
-static enumerator_t* create_inner(linked_list_t *outer, void *data)
-{
-	if (data != (void*)101)
-	{
-		bad_data = TRUE;
-	}
-	return outer->create_enumerator(outer);
-}
-
-
-static void destroy_data(void *data)
-{
-	if (data != (void*)101)
-	{
-		bad_data = TRUE;
-	}
-}
-
-bool test_enumerate_nested()
-{
-	int round, x;
-	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
-	linked_list_t *list, *l1, *l2, *l3;
-	enumerator_t *enumerator;
-
-	bad_data = FALSE;
-	list = linked_list_create();
-	l1 = linked_list_create();
-	l2 = linked_list_create();
-	l3 = linked_list_create();
-	list->insert_last(list, l1);
-	list->insert_last(list, l2);
-	list->insert_last(list, l3);
-
-	l1->insert_last(l1, a);
-	l1->insert_last(l1, b);
-	l3->insert_last(l3, c);
-	l3->insert_last(l3, d);
-	l3->insert_last(l3, e);
-
-	round = 1;
-	enumerator = enumerator_create_nested(list->create_enumerator(list),
-					(void*)create_inner, (void*)101, destroy_data);
-	while (enumerator->enumerate(enumerator, &x))
-	{
-		if (round != x)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	l1->destroy(l1);
-	l2->destroy(l2);
-	l3->destroy(l3);
-	return !bad_data;
-}
-
-
-/*******************************************************************************
- * filtered enumerator test
- ******************************************************************************/
-static bool filter(void *data, int *v, int *vo, int *w, int *wo,
-				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
-{
-	int val = *v;
-
-	*vo = val++;
-	*wo = val++;
-	*xo = val++;
-	*yo = val++;
-	*zo = val++;
-	if (data != (void*)101)
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-bool test_enumerate_filtered()
-{
-	int round, v, w, x, y, z;
-	void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
-	linked_list_t *list;
-	enumerator_t *enumerator;
-
-	bad_data = FALSE;
-	list = linked_list_create();
-
-	list->insert_last(list, a);
-	list->insert_last(list, b);
-	list->insert_last(list, c);
-	list->insert_last(list, d);
-	list->insert_last(list, e);
-
-	round = 1;
-	enumerator = enumerator_create_filter(list->create_enumerator(list),
-									(void*)filter, (void*)101, destroy_data);
-	while (enumerator->enumerate(enumerator, &v, &w, &x, &y, &z))
-	{
-		if (v != round || w != round + 1 || x != round + 2 ||
-			y != round + 3 || z != round + 4)
-		{
-			return FALSE;
-		}
-		round++;
-	}
-	enumerator->destroy(enumerator);
-
-	list->destroy(list);
-	return !bad_data;
-}
-
-/*******************************************************************************
- * token parser test
- ******************************************************************************/
-
-bool test_enumerate_token()
-{
-	enumerator_t *enumerator;
-	char *token;
-	int i, num;
-	struct {
-		char *string;
-		char *sep;
-		char *trim;
-	} tests1[] = {
-		{"abc, cde, efg", ",", " "},
-		{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345"},
-		{"abc.cde,efg", ",.", ""},
-		{"  abc   cde  efg  ", " ", " "},
-		{"a'abc' c 'cde' cefg", " ", " abcd"},
-		{"'abc' abc 'cde'd 'efg'", " ", " abcd"},
-	}, tests2[] = {
-		{"a, b, c", ",", " "},
-		{"a,b,c", ",", " "},
-		{" a 1:2 b;3  4c5.  ", ":;.,", " 12345"},
-		{"a.b,c", ",.", ""},
-		{"  a   b  c  ", " ", " "},
-	};
-
-	for (num = 0; num < countof(tests1); num++)
-	{
-		i = 0;
-		enumerator = enumerator_create_token(tests1[num].string,
-											 tests1[num].sep, tests1[num].trim);
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i)
-			{
-				case 0:
-					if (!streq(token, "abc")) return FALSE;
-					break;
-				case 1:
-					if (!streq(token, "cde")) return FALSE;
-					break;
-				case 2:
-					if (!streq(token, "efg")) return FALSE;
-					break;
-				default:
-					return FALSE;
-			}
-			i++;
-		}
-		if (i != 3)
-		{
-			return FALSE;
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	for (num = 0; num < countof(tests2); num++)
-	{
-		i = 0;
-		enumerator = enumerator_create_token(tests2[num].string,
-											 tests2[num].sep, tests2[num].trim);
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			switch (i)
-			{
-				case 0:
-					if (!streq(token, "a")) return FALSE;
-					break;
-				case 1:
-					if (!streq(token, "b")) return FALSE;
-					break;
-				case 2:
-					if (!streq(token, "c")) return FALSE;
-					break;
-				default:
-					return FALSE;
-			}
-			i++;
-		}
-		if (i != 3)
-		{
-			return FALSE;
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
deleted file mode 100644
index bd79e12f7..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <utils/hashtable.h>
-
-static u_int hash(char *key)
-{
-	return chunk_hash(chunk_create(key, strlen(key)));
-}
-
-static u_int equals(char *key1, char *key2)
-{
-	return streq(key1, key2);
-}
-
-/**
- * Test the remove_at method
- */
-bool test_hashtable_remove_at()
-{
-	char *k1 = "key1", *k2 = "key2", *k3 = "key3", *key;
-	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
-	enumerator_t *enumerator;
-	hashtable_t *ht = hashtable_create((hashtable_hash_t)hash,
-									   (hashtable_equals_t)equals, 0);
-
-	ht->put(ht, k1, v1);
-	ht->put(ht, k2, v2);
-	ht->put(ht, k3, v3);
-
-	if (ht->get_count(ht) != 3)
-	{
-		return FALSE;
-	}
-
-	enumerator = ht->create_enumerator(ht);
-	while (enumerator->enumerate(enumerator, &key, &value))
-	{
-		if (streq(key, k2))
-		{
-			ht->remove_at(ht, enumerator);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (ht->get_count(ht) != 2)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k1) == NULL ||
-		ht->get(ht, k3) == NULL)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k2) != NULL)
-	{
-		return FALSE;
-	}
-
-	ht->put(ht, k2, v2);
-
-	if (ht->get_count(ht) != 3)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k1) == NULL ||
-		ht->get(ht, k2) == NULL ||
-		ht->get(ht, k3) == NULL)
-	{
-		return FALSE;
-	}
-
-	enumerator = ht->create_enumerator(ht);
-	while (enumerator->enumerate(enumerator, &key, &value))
-	{
-		ht->remove_at(ht, enumerator);
-	}
-	enumerator->destroy(enumerator);
-
-	if (ht->get_count(ht) != 0)
-	{
-		return FALSE;
-	}
-
-	if (ht->get(ht, k1) != NULL ||
-		ht->get(ht, k2) != NULL ||
-		ht->get(ht, k3) != NULL)
-	{
-		return FALSE;
-	}
-
-	ht->destroy(ht);
-
-	return TRUE;
-}
diff --git a/src/libcharon/plugins/unit_tester/tests/test_id.c b/src/libcharon/plugins/unit_tester/tests/test_id.c
deleted file mode 100644
index 868a2ca8b..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_id.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-
-/*******************************************************************************
- * identification part enumeration test
- ******************************************************************************/
-bool test_id_parts()
-{
-	identification_t *id;
-	enumerator_t *enumerator;
-	id_part_t part;
-	chunk_t data;
-	int i = 0;
-
-	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
-
-	enumerator = id->create_part_enumerator(id);
-	while (enumerator->enumerate(enumerator, &part, &data))
-	{
-		switch (i++)
-		{
-			case 0:
-				if (part != ID_PART_RDN_C ||
-					!chunk_equals(data, chunk_create("CH", 2)))
-				{
-					return FALSE;
-				}
-				break;
-			case 1:
-				if (part != ID_PART_RDN_O ||
-					!chunk_equals(data, chunk_create("strongSwan", 10)))
-				{
-					return FALSE;
-				}
-				break;
-			case 2:
-				if (part != ID_PART_RDN_CN ||
-					!chunk_equals(data, chunk_create("tester", 6)))
-				{
-					return FALSE;
-				}
-				break;
-			default:
-				return FALSE;
-		}
-	}
-	if (i < 3)
-	{
-		return FALSE;
-	}
-	enumerator->destroy(enumerator);
-	id->destroy(id);
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification contains_wildcards() test
- ******************************************************************************/
-
-static bool test_id_wildcards_has(char *string)
-{
-	identification_t *id;
-	bool contains;
-
-	id = identification_create_from_string(string);
-	contains = id->contains_wildcards(id);
-	id->destroy(id);
-	return contains;
-}
-
-bool test_id_wildcards()
-{
-	if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*"))
-	{
-		return FALSE;
-	}
-	if (test_id_wildcards_has("C=**, O=a*, CN=*a"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("*@strongswan.org"))
-	{
-		return FALSE;
-	}
-	if (!test_id_wildcards_has("*.strongswan.org"))
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification equals test
- ******************************************************************************/
-
-static bool test_id_equals_one(identification_t *a, char *b_str)
-{
-	identification_t *b;
-	bool equals;
-
-	b = identification_create_from_string(b_str);
-	equals = a->equals(a, b);
-	b->destroy(b);
-	return equals;
-}
-
-bool test_id_equals()
-{
-	identification_t *a;
-	chunk_t encoding, fuzzed;
-	int i;
-
-	a = identification_create_from_string(
-							   "C=CH, E=martin@strongswan.org, CN=martin");
-
-	if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
-	{
-		return FALSE;
-	}
-	if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
-	{
-		return FALSE;
-	}
-	encoding = chunk_clone(a->get_encoding(a));
-	a->destroy(a);
-
-	/* simple fuzzing, increment each byte of encoding */
-	for (i = 0; i < encoding.len; i++)
-	{
-		if (i == 11 || i == 30 || i == 62)
-		{	/* skip ASN.1 type fields, as equals() handles them graceful */
-			continue;
-		}
-		fuzzed = chunk_clone(encoding);
-		fuzzed.ptr[i]++;
-		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
-		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-		{
-			return FALSE;
-		}
-		a->destroy(a);
-		free(fuzzed.ptr);
-	}
-
-	/* and decrement each byte of encoding */
-	for (i = 0; i < encoding.len; i++)
-	{
-		if (i == 11 || i == 30 || i == 62)
-		{
-			continue;
-		}
-		fuzzed = chunk_clone(encoding);
-		fuzzed.ptr[i]--;
-		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
-		if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
-		{
-			return FALSE;
-		}
-		a->destroy(a);
-		free(fuzzed.ptr);
-	}
-	free(encoding.ptr);
-	return TRUE;
-}
-
-/*******************************************************************************
- * identification matches test
- ******************************************************************************/
-
-static id_match_t test_id_matches_one(identification_t *a, char *b_str)
-{
-	identification_t *b;
-	id_match_t match;
-
-	b = identification_create_from_string(b_str);
-	match = a->matches(a, b);
-	b->destroy(b);
-	return match;
-}
-
-bool test_id_matches()
-{
-	identification_t *a;
-
-	a = identification_create_from_string(
-							   "C=CH, E=martin@strongswan.org, CN=martin");
-
-	if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
-															!= ID_MATCH_PERFECT)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE)
-	{
-		return FALSE;
-	}
-	a->destroy(a);
-	return TRUE;
-}
diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
index ae1d08e15..75244ab8f 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
@@ -15,7 +15,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include <unistd.h>
 
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mutex.c b/src/libcharon/plugins/unit_tester/tests/test_mutex.c
deleted file mode 100644
index 77085cb2f..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_mutex.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <threading/mutex.h>
-
-#include <unistd.h>
-#include <sched.h>
-#include <pthread.h>
-
-
-static mutex_t *mutex;
-
-static int locked = 0;
-
-static bool failed = FALSE;
-
-static pthread_barrier_t barrier;
-
-static void* run(void* null)
-{
-	int i;
-
-	/* wait for all threads before getting in action */
-	pthread_barrier_wait(&barrier);
-
-	for (i = 0; i < 100; i++)
-	{
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		mutex->lock(mutex);
-		locked++;
-		sched_yield();
-		if (locked > 1)
-		{
-			failed = TRUE;
-		}
-		locked--;
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-		mutex->unlock(mutex);
-	}
-	return NULL;
-}
-
-#define THREADS 20
-
-/*******************************************************************************
- * mutex test
- ******************************************************************************/
-bool test_mutex()
-{
-	int i;
-	pthread_t threads[THREADS];
-
-	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-		mutex->unlock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->lock(mutex);
-	}
-	for (i = 0; i < 10; i++)
-	{
-		mutex->unlock(mutex);
-	}
-
-	pthread_barrier_init(&barrier, NULL, THREADS);
-
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_create(&threads[i], NULL, run, NULL);
-	}
-	for (i = 0; i < THREADS; i++)
-	{
-		pthread_join(threads[i], NULL);
-	}
-	pthread_barrier_destroy(&barrier);
-
-	mutex->destroy(mutex);
-
-	return !failed;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mysql.c b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
index 252441ef8..eda238623 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_mysql.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
@@ -15,7 +15,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /*******************************************************************************
  * mysql simple test
diff --git a/src/libcharon/plugins/unit_tester/tests/test_pool.c b/src/libcharon/plugins/unit_tester/tests/test_pool.c
index a68246fff..f36953f3a 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_pool.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_pool.c
@@ -27,6 +27,7 @@ static void* testing(void *thread)
 	int i;
 	host_t *addr[ALLOCS];
 	identification_t *id[ALLOCS];
+	linked_list_t *pools;
 
 	/* prepare identities */
 	for (i = 0; i < ALLOCS; i++)
@@ -37,13 +38,17 @@ static void* testing(void *thread)
 		id[i] = identification_create_from_string(buf);
 	}
 
+	pools = linked_list_create();
+	pools->insert_last(pools, "test");
+
 	/* allocate addresses */
 	for (i = 0; i < ALLOCS; i++)
 	{
 		addr[i] = hydra->attributes->acquire_address(hydra->attributes,
-													 "test", id[i], NULL);
+													 pools, id[i], NULL);
 		if (!addr[i])
 		{
+			pools->destroy(pools);
 			return (void*)FALSE;
 		}
 	}
@@ -52,9 +57,11 @@ static void* testing(void *thread)
 	for (i = 0; i < ALLOCS; i++)
 	{
 		hydra->attributes->release_address(hydra->attributes,
-										   "test", addr[i], id[i]);
+										   pools, addr[i], id[i]);
 	}
 
+	pools->destroy(pools);
+
 	/* cleanup */
 	for (i = 0; i < ALLOCS; i++)
 	{
diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
deleted file mode 100644
index 6ba5769b5..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * RSA key generation and signature
- ******************************************************************************/
-bool test_rsa_gen()
-{
-	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
-	chunk_t sig, crypt, plain;
-	private_key_t *private;
-	public_key_t *public;
-	u_int key_size;
-
-	for (key_size = 512; key_size <= 2048; key_size *= 2)
-	{
-		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									 BUILD_KEY_SIZE, key_size, BUILD_END);
-		if (!private)
-		{
-			DBG1(DBG_CFG, "generating %d bit RSA key failed");
-			return FALSE;
-		}
-		public = private->get_public_key(private);
-		if (!public)
-		{
-			DBG1(DBG_CFG, "generating public from private key failed");
-			return FALSE;
-		}
-		if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
-		{
-			DBG1(DBG_CFG, "creating RSA signature failed");
-			return FALSE;
-		}
-		if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-		{
-			DBG1(DBG_CFG, "verifying RSA signature failed");
-			return FALSE;
-		}
-		sig.ptr[sig.len-1]++;
-		if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
-		{
-			DBG1(DBG_CFG, "verifying faked RSA signature succeeded!");
-			return FALSE;
-		}
-		free(sig.ptr);
-		if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt))
-		{
-			DBG1(DBG_CFG, "encrypting data with RSA failed");
-			return FALSE;
-		}
-		if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain))
-		{
-			DBG1(DBG_CFG, "decrypting data with RSA failed");
-			return FALSE;
-		}
-		if (!chunk_equals(data, plain))
-		{
-			DBG1(DBG_CFG, "decrpyted data invalid, expected %B, got %B", &
-				 data, &plain);
-			return FALSE;
-		}
-		chunk_clear(&crypt);
-		chunk_clear(&plain);
-		public->destroy(public);
-		private->destroy(private);
-	}
-	return TRUE;
-}
-
-bool test_rsa_load_any()
-{
-	chunk_t chunk = chunk_from_chars(
-		0x30,0x82,0x01,0x20,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
-		0x01,0x05,0x00,0x03,0x82,0x01,0x0d,0x00,0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,
-		0x00,0xc6,0x68,0x99,0x1d,0xc8,0x06,0xdb,0xcf,0x1c,0x66,0xbb,0x91,0xc3,0xd4,0x10,
-		0xb2,0x08,0xa9,0xc5,0x71,0x39,0x1c,0xbe,0x5b,0x1d,0xce,0xfd,0x1b,0xfa,0xec,0x04,
-		0x89,0x9f,0x79,0xc8,0x46,0x00,0xd2,0x71,0xfb,0x22,0x16,0x52,0x2f,0xda,0xbf,0x0f,
-		0xe7,0x16,0xb1,0xd7,0x6a,0xa5,0xa5,0xfc,0xee,0xff,0x84,0x4c,0x81,0x3f,0xab,0x84,
-		0x0e,0xed,0x4a,0x26,0x59,0xd0,0x9b,0xb5,0xe1,0xec,0x61,0xc4,0xd3,0x15,0x4c,0x29,
-		0x51,0xa0,0xde,0x33,0x07,0x58,0x6c,0x36,0x1b,0x18,0x61,0xd9,0x56,0x18,0x39,0x54,
-		0x8b,0xd2,0xea,0x4e,0x87,0x28,0x58,0xb9,0x88,0x3d,0x30,0xbc,0xfc,0x6d,0xad,0xab,
-		0x43,0x26,0x09,0x48,0x4e,0x6e,0x8a,0x8b,0x88,0xb3,0xf0,0x29,0x25,0x79,0xb6,0xb6,
-		0x71,0x3c,0x93,0x59,0xd2,0x36,0x94,0xd5,0xfc,0xf3,0x62,0x2b,0x69,0xa3,0x7a,0x47,
-		0x4e,0x53,0xa2,0x35,0x1b,0x26,0x89,0xaa,0x09,0xfd,0x56,0xd7,0x75,0x2a,0xd4,0x91,
-		0xc0,0xf2,0x78,0xd7,0x05,0xca,0x12,0x1d,0xd9,0xd4,0x81,0x23,0xb2,0x3c,0x38,0xd9,
-		0xb4,0xdc,0x21,0xe0,0xe5,0x2d,0xd4,0xbe,0x61,0x39,0x8a,0x46,0x90,0x46,0x73,0x31,
-		0xba,0x48,0xbb,0x51,0xbb,0x91,0xd5,0x62,0xad,0xd1,0x53,0x5b,0x85,0xc9,0x1d,0xa7,
-		0xf6,0xa0,0xe1,0x0e,0x6c,0x22,0x5d,0x29,0x9a,0xe7,0x0f,0xe8,0x0a,0x50,0xa7,0x19,
-		0x11,0xc2,0x8b,0xe0,0x8a,0xfd,0x2b,0x94,0x31,0x7a,0x78,0x9c,0x9b,0x75,0x63,0x49,
-		0xa9,0xe5,0x58,0xe6,0x3a,0x99,0xcb,0x2b,0xdd,0x0e,0xdc,0x7d,0x1b,0x98,0x80,0xc3,
-		0x9f,0x02,0x01,0x23);
-	public_key_t *public;
-
-	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-								BUILD_BLOB_ASN1_DER, chunk,
-								BUILD_END);
-	if (!public || public->get_keysize(public) != 2048)
-	{
-		return FALSE;
-	}
-	public->destroy(public);
-	return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
index dd8d1955e..99490b566 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
@@ -15,7 +15,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 #include <unistd.h>
 
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.c b/src/libcharon/plugins/unit_tester/unit_tester.c
index ad7dba7a5..ea7ffca04 100644
--- a/src/libcharon/plugins/unit_tester/unit_tester.c
+++ b/src/libcharon/plugins/unit_tester/unit_tester.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -98,6 +99,32 @@ METHOD(plugin_t, get_name, char*,
 	return "unit-tester";
 }
 
+/**
+ * We currently don't depend explicitly on any plugin features.  But in case
+ * activated tests depend on such features we at least try to run them in plugin
+ * order.
+ */
+static bool plugin_cb(private_unit_tester_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		run_tests(this);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_unit_tester_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "unit-tester"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_unit_tester_t *this)
 {
@@ -115,14 +142,11 @@ plugin_t *unit_tester_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	run_tests(this);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/unity/Makefile.am b/src/libcharon/plugins/unity/Makefile.am
new file mode 100644
index 000000000..b50dc9a03
--- /dev/null
+++ b/src/libcharon/plugins/unity/Makefile.am
@@ -0,0 +1,21 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-unity.la
+else
+plugin_LTLIBRARIES = libstrongswan-unity.la
+endif
+
+libstrongswan_unity_la_SOURCES = \
+	unity_plugin.h unity_plugin.c \
+	unity_handler.h unity_handler.c \
+	unity_narrow.h unity_narrow.c \
+	unity_provider.h unity_provider.c
+
+libstrongswan_unity_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
new file mode 100644
index 000000000..09ea080bf
--- /dev/null
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -0,0 +1,690 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/unity
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_unity_la_LIBADD =
+am_libstrongswan_unity_la_OBJECTS = unity_plugin.lo unity_handler.lo \
+	unity_narrow.lo unity_provider.lo
+libstrongswan_unity_la_OBJECTS = $(am_libstrongswan_unity_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_unity_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unity_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_unity_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_unity_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_unity_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_unity_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unity.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unity.la
+libstrongswan_unity_la_SOURCES = \
+	unity_plugin.h unity_plugin.c \
+	unity_handler.h unity_handler.c \
+	unity_narrow.h unity_narrow.c \
+	unity_provider.h unity_provider.c
+
+libstrongswan_unity_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/unity/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/unity/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-unity.la: $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_DEPENDENCIES) $(EXTRA_libstrongswan_unity_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_unity_la_LINK) $(am_libstrongswan_unity_la_rpath) $(libstrongswan_unity_la_OBJECTS) $(libstrongswan_unity_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unity_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unity_narrow.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unity_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unity_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
new file mode 100644
index 000000000..bcef0dc25
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -0,0 +1,476 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "unity_handler.h"
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_unity_handler_t private_unity_handler_t;
+
+/**
+ * Private data of an unity_handler_t object.
+ */
+struct private_unity_handler_t {
+
+	/**
+	 * Public unity_handler_t interface.
+	 */
+	unity_handler_t public;
+
+	/**
+	 * List of subnets to include, as entry_t
+	 */
+	linked_list_t *include;
+
+	/**
+	 * Mutex for concurrent access to lists
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Traffic selector entry for networks to include under a given IKE_SA
+ */
+typedef struct {
+	/** associated IKE_SA, unique ID */
+	u_int32_t sa;
+	/** traffic selector to include/exclude */
+	traffic_selector_t *ts;
+} entry_t;
+
+/**
+ * Clean up an entry
+ */
+static void entry_destroy(entry_t *this)
+{
+	this->ts->destroy(this->ts);
+	free(this);
+}
+
+/**
+ * Create a traffic selector from a unity subnet definition
+ */
+static traffic_selector_t *create_ts(chunk_t subnet)
+{
+	chunk_t net, mask;
+	int i;
+
+	net = chunk_create(subnet.ptr, 4);
+	mask = chunk_clonea(chunk_create(subnet.ptr + 4, 4));
+	for (i = 0; i < net.len; i++)
+	{
+		mask.ptr[i] = (mask.ptr[i] ^ 0xFF) | net.ptr[i];
+	}
+	return traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE,
+											  net, 0, mask, 65535);
+}
+
+/**
+ * Parse a unity attribute and extract all subnets as traffic selectors
+ */
+static linked_list_t *parse_subnets(chunk_t data)
+{
+	linked_list_t *list = NULL;
+	traffic_selector_t *ts;
+
+	while (data.len >= 8)
+	{	/* the padding is optional */
+		ts = create_ts(data);
+		if (ts)
+		{
+			if (!list)
+			{
+				list = linked_list_create();
+			}
+			list->insert_last(list, ts);
+		}
+		/* skip address, mask and 6 bytes of padding */
+		data = chunk_skip(data, 14);
+	}
+	return list;
+}
+
+/**
+ * Store a list of subnets to include in tunnels under this IKE_SA
+ */
+static bool add_include(private_unity_handler_t *this, chunk_t data)
+{
+	traffic_selector_t *ts;
+	linked_list_t *list;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+	list = parse_subnets(data);
+	if (!list)
+	{
+		return FALSE;
+	}
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		INIT(entry,
+			.sa = ike_sa->get_unique_id(ike_sa),
+			.ts = ts,
+		);
+
+		this->mutex->lock(this->mutex);
+		this->include->insert_last(this->include, entry);
+		this->mutex->unlock(this->mutex);
+	}
+	list->destroy(list);
+	return TRUE;
+}
+
+/**
+ * Remove a list of subnets from the inclusion list for this IKE_SA
+ */
+static bool remove_include(private_unity_handler_t *this, chunk_t data)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+	linked_list_t *list;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+	list = parse_subnets(data);
+	if (!list)
+	{
+		return FALSE;
+	}
+
+	this->mutex->lock(this->mutex);
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		enumerator = this->include->create_enumerator(this->include);
+		while (enumerator->enumerate(enumerator, &entry))
+		{
+			if (entry->sa == ike_sa->get_unique_id(ike_sa) &&
+				ts->equals(ts, entry->ts))
+			{
+				this->include->remove_at(this->include, enumerator);
+				entry_destroy(entry);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		ts->destroy(ts);
+	}
+	this->mutex->unlock(this->mutex);
+	list->destroy(list);
+	return TRUE;
+}
+
+/**
+ * Create a unique shunt name for a bypass policy
+ */
+static void create_shunt_name(ike_sa_t *ike_sa, traffic_selector_t *ts,
+							  char *buf, size_t len)
+{
+	snprintf(buf, len, "Unity (%s[%u]: %R)", ike_sa->get_name(ike_sa),
+			 ike_sa->get_unique_id(ike_sa), ts);
+}
+
+/**
+ * Install entry as a shunt policy
+ */
+static job_requeue_t add_exclude_async(entry_t *entry)
+{
+	enumerator_t *enumerator;
+	child_cfg_t *child_cfg;
+	lifetime_cfg_t lft = { .time = { .life = 0 } };
+	ike_sa_t *ike_sa;
+	char name[128];
+	host_t *host;
+
+	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+													entry->sa, FALSE);
+	if (ike_sa)
+	{
+		create_shunt_name(ike_sa, entry->ts, name, sizeof(name));
+
+		child_cfg = child_cfg_create(name, &lft, NULL, TRUE, MODE_PASS,
+									 ACTION_NONE, ACTION_NONE, ACTION_NONE,
+									 FALSE, 0, 0, NULL, NULL, FALSE);
+		child_cfg->add_traffic_selector(child_cfg, FALSE,
+										entry->ts->clone(entry->ts));
+		host = ike_sa->get_my_host(ike_sa);
+		child_cfg->add_traffic_selector(child_cfg, TRUE,
+				traffic_selector_create_from_subnet(host->clone(host),
+													32, 0, 0, 65535));
+		enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
+		while (enumerator->enumerate(enumerator, &host))
+		{
+			child_cfg->add_traffic_selector(child_cfg, TRUE,
+				traffic_selector_create_from_subnet(host->clone(host),
+													32, 0, 0, 65535));
+		}
+		enumerator->destroy(enumerator);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+		charon->shunts->install(charon->shunts, child_cfg);
+		child_cfg->destroy(child_cfg);
+
+		DBG1(DBG_IKE, "installed %N bypass policy for %R",
+			 configuration_attribute_type_names, UNITY_LOCAL_LAN, entry->ts);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Add a bypass policy for a given subnet
+ */
+static bool add_exclude(private_unity_handler_t *this, chunk_t data)
+{
+	traffic_selector_t *ts;
+	linked_list_t *list;
+	ike_sa_t *ike_sa;
+	entry_t *entry;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+	list = parse_subnets(data);
+	if (!list)
+	{
+		return FALSE;
+	}
+
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		INIT(entry,
+			.sa = ike_sa->get_unique_id(ike_sa),
+			.ts = ts,
+		);
+
+		/* we can't install the shunt policy yet, as we don't know the virtual IP.
+		 * Defer installation using an async callback. */
+		lib->processor->queue_job(lib->processor, (job_t*)
+							callback_job_create((void*)add_exclude_async, entry,
+												(void*)entry_destroy, NULL));
+	}
+	list->destroy(list);
+	return TRUE;
+}
+
+/**
+ * Remove a bypass policy for a given subnet
+ */
+static bool remove_exclude(private_unity_handler_t *this, chunk_t data)
+{
+	traffic_selector_t *ts;
+	linked_list_t *list;
+	ike_sa_t *ike_sa;
+	char name[128];
+	bool success = TRUE;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+	list = parse_subnets(data);
+	if (!list)
+	{
+		return FALSE;
+	}
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		create_shunt_name(ike_sa, ts, name, sizeof(name));
+		DBG1(DBG_IKE, "uninstalling %N bypass policy for %R",
+			 configuration_attribute_type_names, UNITY_LOCAL_LAN, ts);
+		ts->destroy(ts);
+		success = charon->shunts->uninstall(charon->shunts, name) && success;
+	}
+	list->destroy(list);
+	return success;
+}
+
+METHOD(attribute_handler_t, handle, bool,
+	private_unity_handler_t *this, identification_t *id,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case UNITY_SPLIT_INCLUDE:
+			return add_include(this, data);
+		case UNITY_LOCAL_LAN:
+			return add_exclude(this, data);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_unity_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case UNITY_SPLIT_INCLUDE:
+			remove_include(this, data);
+			break;
+		case UNITY_LOCAL_LAN:
+			remove_exclude(this, data);
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * Configuration attributes to request
+ */
+static configuration_attribute_type_t attributes[] = {
+	UNITY_SPLIT_INCLUDE,
+	UNITY_LOCAL_LAN,
+};
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** position in attributes[] */
+	int i;
+} attribute_enumerator_t;
+
+METHOD(enumerator_t, enumerate_attributes, bool,
+	attribute_enumerator_t *this, configuration_attribute_type_t *type,
+	chunk_t *data)
+{
+	if (this->i < countof(attributes))
+	{
+		*type = attributes[this->i++];
+		*data = chunk_empty;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	unity_handler_t *this, identification_t *id, linked_list_t *vips)
+{
+	attribute_enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 ||
+		!ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
+	{
+		return enumerator_create_empty();
+	}
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_attributes,
+			.destroy = (void*)free,
+		},
+	);
+	return &enumerator->public;
+}
+
+typedef struct {
+	/** mutex to unlock */
+	mutex_t *mutex;
+	/** IKE_SA ID to filter for */
+	u_int32_t id;
+} include_filter_t;
+
+/**
+ * Include enumerator filter function
+ */
+static bool include_filter(include_filter_t *data,
+						   entry_t **entry, traffic_selector_t **ts)
+{
+	if ((*entry)->sa == data->id)
+	{
+		*ts = (*entry)->ts;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Destroy include filter data, unlock mutex
+ */
+static void destroy_filter(include_filter_t *data)
+{
+	data->mutex->unlock(data->mutex);
+	free(data);
+}
+
+METHOD(unity_handler_t, create_include_enumerator, enumerator_t*,
+	private_unity_handler_t *this, u_int32_t id)
+{
+	include_filter_t *data;
+
+	INIT(data,
+		.mutex = this->mutex,
+		.id = id,
+	);
+	data->mutex->lock(data->mutex);
+	return enumerator_create_filter(
+					this->include->create_enumerator(this->include),
+					(void*)include_filter, data, (void*)destroy_filter);
+}
+
+METHOD(unity_handler_t, destroy, void,
+	private_unity_handler_t *this)
+{
+	this->include->destroy(this->include);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+unity_handler_t *unity_handler_create()
+{
+	private_unity_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.create_include_enumerator = _create_include_enumerator,
+			.destroy = _destroy,
+		},
+		.include = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/unity/unity_handler.h b/src/libcharon/plugins/unity/unity_handler.h
new file mode 100644
index 000000000..8656fd372
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_handler.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unity_handler unity_handler
+ * @{ @ingroup unity
+ */
+
+#ifndef UNITY_HANDLER_H_
+#define UNITY_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct unity_handler_t unity_handler_t;
+
+/**
+ * Cisco Unity attribute handling.
+ */
+struct unity_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Create an enumerator over Split-Include attributes received for an IKE_SA.
+	 *
+	 * @param id			IKE_SA unique ID to get Split-Includes for
+	 * @return				enumerator over traffic_selector_t*
+	 */
+	enumerator_t* (*create_include_enumerator)(unity_handler_t *this,
+											   u_int32_t id);
+
+	/**
+	 * Destroy a unity_handler_t.
+	 */
+	void (*destroy)(unity_handler_t *this);
+};
+
+/**
+ * Create a unity_handler instance.
+ */
+unity_handler_t *unity_handler_create();
+
+#endif /** UNITY_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
new file mode 100644
index 000000000..edff51a08
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "unity_narrow.h"
+
+#include <daemon.h>
+
+typedef struct private_unity_narrow_t private_unity_narrow_t;
+
+/**
+ * Private data of an unity_narrow_t object.
+ */
+struct private_unity_narrow_t {
+
+	/**
+	 * Public unity_narrow_t interface.
+	 */
+	unity_narrow_t public;
+
+	/**
+	 * Unity attribute handler
+	 */
+	unity_handler_t *handler;
+};
+
+/**
+ * Narrow the given received traffic selector with the child configuration and
+ * put them into the given list of TS
+ */
+static void narrow_ts(child_cfg_t *cfg, traffic_selector_t *ts,
+					  linked_list_t *list)
+{
+	linked_list_t *received, *selected;
+
+	received = linked_list_create();
+	received->insert_last(received, ts);
+	selected = cfg->get_traffic_selectors(cfg, FALSE, received, NULL);
+	while (selected->remove_first(selected, (void**)&ts) == SUCCESS)
+	{
+		list->insert_last(list, ts);
+	}
+	selected->destroy(selected);
+	received->destroy(received);
+}
+
+/**
+ * Narrow TS as initiator to Unity Split-Include/Local-LAN
+ */
+static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
+							 child_cfg_t *cfg, linked_list_t *remote)
+{
+	traffic_selector_t *current, *orig = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = this->handler->create_include_enumerator(this->handler,
+											ike_sa->get_unique_id(ike_sa));
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (orig == NULL)
+		{	/* got one, replace original TS */
+			if (remote->remove_first(remote, (void**)&orig) != SUCCESS)
+			{
+				break;
+			}
+		}
+		narrow_ts(cfg, current, remote);
+	}
+	enumerator->destroy(enumerator);
+	if (orig)
+	{
+		DBG1(DBG_CFG, "narrowed CHILD_SA to %N %#R",
+			 configuration_attribute_type_names,
+			 UNITY_SPLIT_INCLUDE, remote);
+		orig->destroy(orig);
+	}
+	else
+	{	/* since we originally changed the traffic selector to 0.0.0.0/0 local
+		 * narrowing is not applied if no Split-Include attrs are received */
+		if (remote->remove_first(remote, (void**)&orig) == SUCCESS)
+		{
+			narrow_ts(cfg, orig, remote);
+			orig->destroy(orig);
+		}
+	}
+}
+
+/**
+ * As initiator, bump up TS to 0.0.0.0/0 for on-the-wire bits
+ */
+static void narrow_initiator_pre(linked_list_t *list)
+{
+	traffic_selector_t *ts;
+
+	while (list->remove_first(list, (void**)&ts) == SUCCESS)
+	{
+		ts->destroy(ts);
+	}
+	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
+											 "0.0.0.0", 0,
+											 "255.255.255.255", 65535);
+	if (ts)
+	{
+		DBG2(DBG_CFG, "changing proposed traffic selectors for other:");
+		DBG2(DBG_CFG, " %R", ts);
+		list->insert_last(list, ts);
+	}
+}
+
+/**
+ * As responder, narrow down TS to configuration for installation
+ */
+static void narrow_responder_post(child_cfg_t *child_cfg, linked_list_t *local)
+{
+	traffic_selector_t *ts;
+	linked_list_t *configured;
+
+	while (local->remove_first(local, (void**)&ts) == SUCCESS)
+	{
+		ts->destroy(ts);
+	}
+	configured = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
+
+	while (configured->remove_first(configured, (void**)&ts) == SUCCESS)
+	{
+		local->insert_last(local, ts);
+	}
+	configured->destroy(configured);
+}
+
+METHOD(listener_t, narrow, bool,
+	private_unity_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
+{
+	if (ike_sa->get_version(ike_sa) == IKEV1 &&
+		ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
+	{
+		switch (type)
+		{
+			case NARROW_INITIATOR_PRE_AUTH:
+				narrow_initiator_pre(remote);
+				break;
+			case NARROW_INITIATOR_POST_AUTH:
+				narrow_initiator(this, ike_sa,
+								 child_sa->get_config(child_sa), remote);
+				break;
+			case NARROW_RESPONDER_POST:
+				narrow_responder_post(child_sa->get_config(child_sa), local);
+				break;
+			default:
+				break;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(unity_narrow_t, destroy, void,
+	private_unity_narrow_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+unity_narrow_t *unity_narrow_create(unity_handler_t *handler)
+{
+	private_unity_narrow_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.narrow = _narrow,
+			},
+			.destroy = _destroy,
+		},
+		.handler = handler,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/unity/unity_narrow.h b/src/libcharon/plugins/unity/unity_narrow.h
new file mode 100644
index 000000000..5e0968518
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_narrow.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unity_narrow unity_narrow
+ * @{ @ingroup unity
+ */
+
+#ifndef UNITY_NARROW_H_
+#define UNITY_NARROW_H_
+
+#include <bus/listeners/listener.h>
+
+#include "unity_handler.h"
+
+typedef struct unity_narrow_t unity_narrow_t;
+
+/**
+ * Listener that narrows Quick Modes to the Unity Split-Include subnets.
+ */
+struct unity_narrow_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a unity_narrow_t.
+	 */
+	void (*destroy)(unity_narrow_t *this);
+};
+
+/**
+ * Create a unity_narrow instance.
+ */
+unity_narrow_t *unity_narrow_create(unity_handler_t *handler);
+
+#endif /** UNITY_NARROW_H_ @}*/
diff --git a/src/libcharon/plugins/unity/unity_plugin.c b/src/libcharon/plugins/unity/unity_plugin.c
new file mode 100644
index 000000000..9e4571d34
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_plugin.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "unity_plugin.h"
+#include "unity_handler.h"
+#include "unity_narrow.h"
+#include "unity_provider.h"
+
+#include <daemon.h>
+#include <hydra.h>
+
+typedef struct private_unity_plugin_t private_unity_plugin_t;
+
+/**
+ * private data of unity_plugin
+ */
+struct private_unity_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	unity_plugin_t public;
+
+	/**
+	 * Handler for UNITY configuration attributes
+	 */
+	unity_handler_t *handler;
+
+	/**
+	 * Responder Unity configuration attribute provider
+	 */
+	unity_provider_t *provider;
+
+	/**
+	 * Traffic selector narrower, for Unity Split-Includes
+	 */
+	unity_narrow_t *narrower;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_unity_plugin_t *this)
+{
+	return "unity";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_unity_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+		charon->bus->add_listener(charon->bus, &this->narrower->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->narrower->listener);
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_unity_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "unity"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_unity_plugin_t *this)
+{
+	this->narrower->destroy(this->narrower);
+	this->handler->destroy(this->handler);
+	this->provider->destroy(this->provider);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *unity_plugin_create()
+{
+	private_unity_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.handler = unity_handler_create(),
+		.provider = unity_provider_create(),
+	);
+	this->narrower = unity_narrow_create(this->handler);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/unity/unity_plugin.h b/src/libcharon/plugins/unity/unity_plugin.h
new file mode 100644
index 000000000..0d407b561
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unity unity
+ * @ingroup cplugins
+ *
+ * @defgroup unity_plugin unity_plugin
+ * @{ @ingroup unity
+ */
+
+#ifndef UNITY_PLUGIN_H_
+#define UNITY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct unity_plugin_t unity_plugin_t;
+
+/**
+ * IKEv1 Cisco Unity extension support.
+ */
+struct unity_plugin_t {
+
+	/**
+	 * Implements plugin_t. interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** UNITY_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
new file mode 100644
index 000000000..ac6f93d69
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "unity_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_unity_provider_t private_unity_provider_t;
+
+/**
+ * Private data of an unity_provider_t object.
+ */
+struct private_unity_provider_t {
+
+	/**
+	 * Public unity_provider_t interface.
+	 */
+	unity_provider_t public;
+};
+
+/**
+ * Attribute enumerator for traffic selector list
+ */
+typedef struct {
+	/** Implements enumerator_t */
+	enumerator_t public;
+	/** list of traffic selectors to enumerate */
+	linked_list_t *list;
+	/** currently enumerating subnet */
+	u_char subnet[4];
+	/** currently enumerating subnet mask */
+	u_char mask[4];
+} attribute_enumerator_t;
+
+METHOD(enumerator_t, attribute_enumerate, bool,
+	attribute_enumerator_t *this, configuration_attribute_type_t *type,
+	chunk_t *attr)
+{
+	traffic_selector_t *ts;
+	u_int8_t i, mask;
+	host_t *net;
+
+	while (TRUE)
+	{
+		if (this->list->remove_first(this->list, (void**)&ts) != SUCCESS)
+		{
+			return FALSE;
+		}
+		if (ts->to_subnet(ts, &net, &mask))
+		{
+			ts->destroy(ts);
+			break;
+		}
+		ts->destroy(ts);
+	}
+
+	memset(this->mask, 0, sizeof(this->mask));
+	for (i = 0; i < sizeof(this->mask); i++)
+	{
+		if (mask < 8)
+		{
+			this->mask[i] = 0xFF << (8 - mask);
+			break;
+		}
+		this->mask[i] = 0xFF;
+		mask -= 8;
+	}
+	memcpy(this->subnet, net->get_address(net).ptr, sizeof(this->subnet));
+	net->destroy(net);
+
+	*type = UNITY_SPLIT_INCLUDE;
+	*attr = chunk_create(this->subnet, sizeof(this->subnet) + sizeof(this->mask));
+
+	return TRUE;
+}
+
+METHOD(enumerator_t, attribute_destroy, void,
+	attribute_enumerator_t *this)
+{
+	this->list->destroy_offset(this->list, offsetof(traffic_selector_t, destroy));
+	free(this);
+}
+
+/**
+ * Check if we should send a configured TS as Split-Include attribute
+ */
+static bool use_ts(traffic_selector_t *ts)
+{
+	u_int8_t mask;
+	host_t *net;
+
+	if (ts->get_type(ts) != TS_IPV4_ADDR_RANGE)
+	{
+		return FALSE;
+	}
+	if (ts->is_dynamic(ts))
+	{
+		return FALSE;
+	}
+	if (!ts->to_subnet(ts, &net, &mask))
+	{
+		return FALSE;
+	}
+	net->destroy(net);
+	return mask > 0;
+}
+
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+	private_unity_provider_t *this, linked_list_t *pools, identification_t *id,
+	linked_list_t *vips)
+{
+	attribute_enumerator_t *attr_enum;
+	enumerator_t *enumerator;
+	linked_list_t *list, *current;
+	traffic_selector_t *ts;
+	ike_sa_t *ike_sa;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 ||
+		!ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY) ||
+		!vips->get_count(vips))
+	{
+		return NULL;
+	}
+
+	list = linked_list_create();
+	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
+	while (enumerator->enumerate(enumerator, &child_cfg))
+	{
+		current = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
+		while (current->remove_first(current, (void**)&ts) == SUCCESS)
+		{
+			if (use_ts(ts))
+			{
+				list->insert_last(list, ts);
+			}
+			else
+			{
+				ts->destroy(ts);
+			}
+		}
+		current->destroy(current);
+	}
+	enumerator->destroy(enumerator);
+
+	if (list->get_count(list) == 0)
+	{
+		list->destroy(list);
+		return NULL;
+	}
+	DBG1(DBG_CFG, "sending %N: %#R",
+		 configuration_attribute_type_names, UNITY_SPLIT_INCLUDE, list);
+
+	INIT(attr_enum,
+		.public = {
+			.enumerate = (void*)_attribute_enumerate,
+			.destroy = _attribute_destroy,
+		},
+		.list = list,
+	);
+
+	return &attr_enum->public;
+}
+
+METHOD(unity_provider_t, destroy, void,
+	private_unity_provider_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+unity_provider_t *unity_provider_create()
+{
+	private_unity_provider_t *this;
+
+	INIT(this,
+		.public = {
+			.provider = {
+				.acquire_address = (void*)return_null,
+				.release_address = (void*)return_false,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/unity/unity_provider.h b/src/libcharon/plugins/unity/unity_provider.h
new file mode 100644
index 000000000..a25df5df0
--- /dev/null
+++ b/src/libcharon/plugins/unity/unity_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unity_provider unity_provider
+ * @{ @ingroup unity
+ */
+
+#ifndef UNITY_PROVIDER_H_
+#define UNITY_PROVIDER_H_
+
+typedef struct unity_provider_t unity_provider_t;
+
+#include <attributes/attribute_provider.h>
+
+/**
+ * Cisco Unity extension attribute provider.
+ */
+struct unity_provider_t {
+
+	/**
+	 * Implements attribute_provier_t interface.
+	 */
+	attribute_provider_t provider;
+
+	/**
+	 * Destroy a unity_provider_t.
+	 */
+	void (*destroy)(unity_provider_t *this);
+};
+
+/**
+ * Create a unity_provider instance.
+ */
+unity_provider_t *unity_provider_create();
+
+#endif /** UNITY_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/updown/Makefile.am b/src/libcharon/plugins/updown/Makefile.am
index 312c8d7e8..a35909408 100644
--- a/src/libcharon/plugins/updown/Makefile.am
+++ b/src/libcharon/plugins/updown/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-updown.la
@@ -12,6 +14,7 @@ endif
 
 libstrongswan_updown_la_SOURCES = \
 	updown_plugin.h updown_plugin.c \
+	updown_handler.h updown_handler.c \
 	updown_listener.h updown_listener.c
 
 libstrongswan_updown_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index fb7b38f65..b8ceceae4 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,55 +90,90 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_updown_la_LIBADD =
 am_libstrongswan_updown_la_OBJECTS = updown_plugin.lo \
-	updown_listener.lo
+	updown_handler.lo updown_listener.lo
 libstrongswan_updown_la_OBJECTS =  \
 	$(am_libstrongswan_updown_la_OBJECTS)
-libstrongswan_updown_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_updown_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_updown_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_updown_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_updown_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_updown_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_updown_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_updown_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,14 +345,19 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-updown.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-updown.la
 libstrongswan_updown_la_SOURCES = \
 	updown_plugin.h updown_plugin.c \
+	updown_handler.h updown_handler.c \
 	updown_listener.h updown_listener.c
 
 libstrongswan_updown_la_LDFLAGS = -module -avoid-version
@@ -339,7 +406,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +413,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +436,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) 
-	$(libstrongswan_updown_la_LINK) $(am_libstrongswan_updown_la_rpath) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
+libstrongswan-updown.la: $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_DEPENDENCIES) $(EXTRA_libstrongswan_updown_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_updown_la_LINK) $(am_libstrongswan_updown_la_rpath) $(libstrongswan_updown_la_OBJECTS) $(libstrongswan_updown_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -377,29 +445,30 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_listener.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/updown_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -506,10 +575,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
new file mode 100644
index 000000000..3a644380a
--- /dev/null
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "updown_handler.h"
+
+#include <daemon.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_updown_handler_t private_updown_handler_t;
+
+/**
+ * Private data of an updown_handler_t object.
+ */
+struct private_updown_handler_t {
+
+	/**
+	 * Public updown_handler_t interface.
+	 */
+	updown_handler_t public;
+
+	/**
+	 * List of connection specific attributes, as attributes_t
+	 */
+	linked_list_t *attrs;
+
+	/**
+	 * rwlock to lock access to pools
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Attributes assigned to an IKE_SA
+ */
+typedef struct {
+	/** unique IKE_SA identifier */
+	u_int id;
+	/** list of DNS attributes, as host_t */
+	linked_list_t *dns;
+} attributes_t;
+
+/**
+ * Destroy an attributes_t entry
+ */
+static void attributes_destroy(attributes_t *this)
+{
+	this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
+	free(this);
+}
+
+METHOD(attribute_handler_t, handle, bool,
+	private_updown_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	attributes_t *current, *attr = NULL;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+	host_t *host;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			host = host_create_from_chunk(AF_INET, data, 0);
+			break;
+		case INTERNAL_IP6_DNS:
+			host = host_create_from_chunk(AF_INET6, data, 0);
+			break;
+		default:
+			return FALSE;
+	}
+	if (!host)
+	{
+		return FALSE;
+	}
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->attrs->create_enumerator(this->attrs);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->id == ike_sa->get_unique_id(ike_sa))
+		{
+			attr = current;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!attr)
+	{
+		INIT(attr,
+			.id = ike_sa->get_unique_id(ike_sa),
+			.dns = linked_list_create(),
+		);
+		this->attrs->insert_last(this->attrs, attr);
+	}
+	attr->dns->insert_last(attr->dns, host);
+	this->lock->unlock(this->lock);
+
+	return TRUE;
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_updown_handler_t *this, identification_t *server,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	attributes_t *attr;
+	enumerator_t *enumerator, *servers;
+	ike_sa_t *ike_sa;
+	host_t *host;
+	bool found = FALSE;
+	int family;
+
+	switch (type)
+	{
+		case INTERNAL_IP4_DNS:
+			family = AF_INET;
+			break;
+		case INTERNAL_IP6_DNS:
+			family = AF_INET6;
+			break;
+		default:
+			return;
+	}
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (ike_sa)
+	{
+		this->lock->write_lock(this->lock);
+		enumerator = this->attrs->create_enumerator(this->attrs);
+		while (enumerator->enumerate(enumerator, &attr))
+		{
+			if (attr->id == ike_sa->get_unique_id(ike_sa))
+			{
+				servers = attr->dns->create_enumerator(attr->dns);
+				while (servers->enumerate(servers, &host))
+				{
+					if (host->get_family(host) == family &&
+						chunk_equals(data, host->get_address(host)))
+					{
+						attr->dns->remove_at(attr->dns, servers);
+						host->destroy(host);
+						found = TRUE;
+						break;
+					}
+				}
+				servers->destroy(servers);
+				if (attr->dns->get_count(attr->dns) == 0)
+				{
+					this->attrs->remove_at(this->attrs, enumerator);
+					attributes_destroy(attr);
+					break;
+				}
+			}
+			if (found)
+			{
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		this->lock->unlock(this->lock);
+	}
+}
+
+METHOD(updown_handler_t, create_dns_enumerator, enumerator_t*,
+	private_updown_handler_t *this, u_int id)
+{
+	attributes_t *attr;
+	enumerator_t *enumerator;
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		return FALSE;
+	}
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->attrs->create_enumerator(this->attrs);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		if (attr->id == ike_sa->get_unique_id(ike_sa))
+		{
+			enumerator->destroy(enumerator);
+			return enumerator_create_cleaner(
+										attr->dns->create_enumerator(attr->dns),
+										(void*)this->lock->unlock, this->lock);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return enumerator_create_empty();
+}
+
+
+METHOD(updown_handler_t, destroy, void,
+	private_updown_handler_t *this)
+{
+	this->lock->destroy(this->lock);
+	this->attrs->destroy_function(this->attrs, (void*)attributes_destroy);
+	free(this);
+}
+
+/**
+ * See header
+ */
+updown_handler_t *updown_handler_create()
+{
+	private_updown_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = enumerator_create_empty,
+			},
+			.create_dns_enumerator = _create_dns_enumerator,
+			.destroy = _destroy,
+		},
+		.attrs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/updown/updown_handler.h b/src/libcharon/plugins/updown/updown_handler.h
new file mode 100644
index 000000000..d4de880b8
--- /dev/null
+++ b/src/libcharon/plugins/updown/updown_handler.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup updown_handler updown_handler
+ * @{ @ingroup updown
+ */
+
+#ifndef UPDOWN_HANDLER_H_
+#define UPDOWN_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct updown_handler_t updown_handler_t;
+
+/**
+ * Handler storing configuration attributes to pass to updown script.
+ */
+struct updown_handler_t {
+
+	/**
+	 * Implements the attribute_handler_t interface
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Create an enumerator over received DNS servers.
+	 *
+	 * @param id		unique IKE_SA identifier to get attributes for
+	 * @return			enumerator over host_t*
+	 */
+	enumerator_t* (*create_dns_enumerator)(updown_handler_t *this, u_int id);
+
+	/**
+	 * Destroy a updown_handler_t.
+	 */
+	void (*destroy)(updown_handler_t *this);
+};
+
+/**
+ * Create a updown_handler instance.
+ */
+updown_handler_t *updown_handler_create();
+
+#endif /** UPDOWN_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 2bd757ec7..2a6933e12 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -38,6 +38,11 @@ struct private_updown_listener_t {
 	 * List of cached interface names
 	 */
 	linked_list_t *iface_cache;
+
+	/**
+	 * DNS attribute handler
+	 */
+	updown_handler_t *handler;
 };
 
 typedef struct cache_entry_t cache_entry_t;
@@ -90,6 +95,85 @@ static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
 	return iface;
 }
 
+/**
+ * Create variables for handled DNS attributes
+ */
+static char *make_dns_vars(private_updown_listener_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *host;
+	int v4 = 0, v6 = 0;
+	char total[512] = "", current[64];
+
+	if (!this->handler)
+	{
+		return strdup("");
+	}
+
+	enumerator = this->handler->create_dns_enumerator(this->handler,
+												ike_sa->get_unique_id(ike_sa));
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		switch (host->get_family(host))
+		{
+			case AF_INET:
+				snprintf(current, sizeof(current),
+						 "PLUTO_DNS4_%d='%H' ", ++v4, host);
+				break;
+			case AF_INET6:
+				snprintf(current, sizeof(current),
+						 "PLUTO_DNS6_%d='%H' ", ++v6, host);
+				break;
+			default:
+				continue;
+		}
+		strncat(total, current, sizeof(total) - strlen(total) - 1);
+	}
+	enumerator->destroy(enumerator);
+
+	return strdup(total);
+}
+
+/**
+ * Create variables for local virtual IPs
+ */
+static char *make_vip_vars(private_updown_listener_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	host_t *host;
+	int v4 = 0, v6 = 0;
+	char total[512] = "", current[64];
+	bool first = TRUE;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		if (first)
+		{	/* legacy variable for first VIP */
+			snprintf(current, sizeof(current),
+						 "PLUTO_MY_SOURCEIP='%H' ", host);
+			strncat(total, current, sizeof(total) - strlen(total) - 1);
+		}
+		switch (host->get_family(host))
+		{
+			case AF_INET:
+				snprintf(current, sizeof(current),
+						 "PLUTO_MY_SOURCEIP4_%d='%H' ", ++v4, host);
+				break;
+			case AF_INET6:
+				snprintf(current, sizeof(current),
+						 "PLUTO_MY_SOURCEIP6_%d='%H' ", ++v6, host);
+				break;
+			default:
+				continue;
+		}
+		strncat(total, current, sizeof(total) - strlen(total) - 1);
+	}
+	enumerator->destroy(enumerator);
+
+	return strdup(total);
+}
+
 METHOD(listener_t, child_updown, bool,
 	private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	bool up)
@@ -97,11 +181,10 @@ METHOD(listener_t, child_updown, bool,
 	traffic_selector_t *my_ts, *other_ts;
 	enumerator_t *enumerator;
 	child_cfg_t *config;
-	host_t *vip, *me, *other;
+	host_t *me, *other;
 	char *script;
 
 	config = child_sa->get_config(child_sa);
-	vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
 	script = config->get_updown(config);
 	me = ike_sa->get_my_host(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
@@ -117,7 +200,7 @@ METHOD(listener_t, child_updown, bool,
 		char command[1024];
 		host_t *my_client, *other_client;
 		u_int8_t my_client_mask, other_client_mask;
-		char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc;
+		char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
 		mark_t mark;
 		bool is_host, is_ipv6;
 		FILE *shell;
@@ -125,20 +208,7 @@ METHOD(listener_t, child_updown, bool,
 		my_ts->to_subnet(my_ts, &my_client, &my_client_mask);
 		other_ts->to_subnet(other_ts, &other_client, &other_client_mask);
 
-		if (vip)
-		{
-			if (asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ", vip) < 0)
-			{
-				virtual_ip = NULL;
-			}
-		}
-		else
-		{
-			if (asprintf(&virtual_ip, "") < 0)
-			{
-				virtual_ip = NULL;
-			}
-		}
+		virtual_ip = make_vip_vars(this, ike_sa);
 
 		/* check for the presence of an inbound mark */
 		mark = config->get_mark(config, TRUE);
@@ -195,11 +265,27 @@ METHOD(listener_t, child_updown, bool,
 
 		}
 
+		if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
+			ike_sa->has_condition(ike_sa, COND_XAUTH_AUTHENTICATED))
+		{
+			if (asprintf(&xauth, "PLUTO_XAUTH_ID='%Y' ",
+						 ike_sa->get_other_eap_id(ike_sa)) < 0)
+			{
+				xauth = NULL;
+			}
+		}
+		else
+		{
+			if (asprintf(&xauth, "") < 0)
+			{
+				xauth = NULL;
+			}
+		}
+
 		if (up)
 		{
-			iface = hydra->kernel_interface->get_interface(
-												hydra->kernel_interface, me);
-			if (iface)
+			if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+													   me, &iface))
 			{
 				cache_iface(this, child_sa->get_reqid(child_sa), iface);
 			}
@@ -209,6 +295,8 @@ METHOD(listener_t, child_updown, bool,
 			iface = uncache_iface(this, child_sa->get_reqid(child_sa));
 		}
 
+		dns = make_dns_vars(this, ike_sa);
+
 		/* determine IPv4/IPv6 and client/host situation */
 		is_host = my_ts->is_host(my_ts, me);
 		is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
@@ -224,6 +312,7 @@ METHOD(listener_t, child_updown, bool,
 				"PLUTO_CONNECTION='%s' "
 				"PLUTO_INTERFACE='%s' "
 				"PLUTO_REQID='%u' "
+				"PLUTO_UNIQUEID='%u' "
 				"PLUTO_ME='%H' "
 				"PLUTO_MY_ID='%Y' "
 				"PLUTO_MY_CLIENT='%H/%u' "
@@ -239,6 +328,8 @@ METHOD(listener_t, child_updown, bool,
 				"%s"
 				"%s"
 				"%s"
+				"%s"
+				"%s"
 				"%s",
 				 up ? "up" : "down",
 				 is_host ? "-host" : "-client",
@@ -246,6 +337,7 @@ METHOD(listener_t, child_updown, bool,
 				 config->get_name(config),
 				 iface ? iface : "unknown",
 				 child_sa->get_reqid(child_sa),
+				 ike_sa->get_unique_id(ike_sa),
 				 me, ike_sa->get_my_id(ike_sa),
 				 my_client, my_client_mask,
 				 my_ts->get_from_port(my_ts),
@@ -254,11 +346,13 @@ METHOD(listener_t, child_updown, bool,
 				 other_client, other_client_mask,
 				 other_ts->get_from_port(other_ts),
 				 other_ts->get_protocol(other_ts),
+				 xauth,
 				 virtual_ip,
 				 mark_in,
 				 mark_out,
 				 udp_enc,
 				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
+				 dns,
 				 script);
 		my_client->destroy(my_client);
 		other_client->destroy(other_client);
@@ -266,7 +360,9 @@ METHOD(listener_t, child_updown, bool,
 		free(mark_in);
 		free(mark_out);
 		free(udp_enc);
+		free(dns);
 		free(iface);
+		free(xauth);
 
 		DBG3(DBG_CHD, "running updown script: %s", command);
 		shell = popen(command, "r");
@@ -315,7 +411,7 @@ METHOD(updown_listener_t, destroy, void,
 /**
  * See header
  */
-updown_listener_t *updown_listener_create()
+updown_listener_t *updown_listener_create(updown_handler_t *handler)
 {
 	private_updown_listener_t *this;
 
@@ -327,8 +423,8 @@ updown_listener_t *updown_listener_create()
 			.destroy = _destroy,
 		},
 		.iface_cache = linked_list_create(),
+		.handler = handler,
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/plugins/updown/updown_listener.h b/src/libcharon/plugins/updown/updown_listener.h
index 5b866c4e5..2d9b56ade 100644
--- a/src/libcharon/plugins/updown/updown_listener.h
+++ b/src/libcharon/plugins/updown/updown_listener.h
@@ -23,6 +23,8 @@
 
 #include <bus/bus.h>
 
+#include "updown_handler.h"
+
 typedef struct updown_listener_t updown_listener_t;
 
 /**
@@ -44,6 +46,6 @@ struct updown_listener_t {
 /**
  * Create a updown_listener instance.
  */
-updown_listener_t *updown_listener_create();
+updown_listener_t *updown_listener_create(updown_handler_t *handler);
 
 #endif /** UPDOWN_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
index 2ce2d3257..3c1aba5cc 100644
--- a/src/libcharon/plugins/updown/updown_plugin.c
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -15,8 +15,10 @@
 
 #include "updown_plugin.h"
 #include "updown_listener.h"
+#include "updown_handler.h"
 
 #include <daemon.h>
+#include <hydra.h>
 
 typedef struct private_updown_plugin_t private_updown_plugin_t;
 
@@ -34,6 +36,11 @@ struct private_updown_plugin_t {
 	 * Listener interface, listens to CHILD_SA state changes
 	 */
 	updown_listener_t *listener;
+
+	/**
+	 * Attribute handler, to pass DNS servers to updown
+	 */
+	updown_handler_t *handler;
 };
 
 METHOD(plugin_t, get_name, char*,
@@ -42,11 +49,52 @@ METHOD(plugin_t, get_name, char*,
 	return "updown";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_updown_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		if (lib->settings->get_bool(lib->settings,
+									"charon.plugins.updown.dns_handler", FALSE))
+		{
+			this->handler = updown_handler_create();
+			hydra->attributes->add_handler(hydra->attributes,
+										   &this->handler->handler);
+		}
+		this->listener = updown_listener_create(this->handler);
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+		this->listener->destroy(this->listener);
+		if (this->handler)
+		{
+			this->handler->destroy(this->handler);
+			hydra->attributes->remove_handler(hydra->attributes,
+											  &this->handler->handler);
+		}
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_updown_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "updown"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_updown_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
-	this->listener->destroy(this->listener);
 	free(this);
 }
 
@@ -61,15 +109,11 @@ plugin_t *updown_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.listener = updown_listener_create(),
 	);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/whitelist/Makefile.am b/src/libcharon/plugins/whitelist/Makefile.am
index 064a759dd..e02b4a041 100644
--- a/src/libcharon/plugins/whitelist/Makefile.am
+++ b/src/libcharon/plugins/whitelist/Makefile.am
@@ -1,10 +1,12 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-whitelist.la
 else
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 2534f4bec..1f1377ccc 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -74,6 +92,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_whitelist_la_LIBADD =
@@ -81,7 +105,10 @@ am_libstrongswan_whitelist_la_OBJECTS = whitelist_plugin.lo \
 	whitelist_listener.lo whitelist_control.lo
 libstrongswan_whitelist_la_OBJECTS =  \
 	$(am_libstrongswan_whitelist_la_OBJECTS)
-libstrongswan_whitelist_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_whitelist_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_whitelist_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -92,43 +119,68 @@ PROGRAMS = $(ipsec_PROGRAMS)
 am_whitelist_OBJECTS = whitelist.$(OBJEXT)
 whitelist_OBJECTS = $(am_whitelist_OBJECTS)
 whitelist_LDADD = $(LDADD)
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_whitelist_la_SOURCES) $(whitelist_SOURCES)
 DIST_SOURCES = $(libstrongswan_whitelist_la_SOURCES) \
 	$(whitelist_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -137,13 +189,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -156,6 +211,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -183,11 +239,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -195,6 +253,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -203,8 +262,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -213,14 +270,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -234,17 +296,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -254,16 +316,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -291,12 +352,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-whitelist.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-whitelist.la
 libstrongswan_whitelist_la_SOURCES = whitelist_plugin.h whitelist_plugin.c \
@@ -350,7 +414,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -358,6 +421,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -379,12 +444,15 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES) 
-	$(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
+libstrongswan-whitelist.la: $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_DEPENDENCIES) $(EXTRA_libstrongswan_whitelist_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_whitelist_la_LINK) $(am_libstrongswan_whitelist_la_rpath) $(libstrongswan_whitelist_la_OBJECTS) $(libstrongswan_whitelist_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -424,9 +492,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES) 
+whitelist$(EXEEXT): $(whitelist_OBJECTS) $(whitelist_DEPENDENCIES) $(EXTRA_whitelist_DEPENDENCIES) 
 	@rm -f whitelist$(EXEEXT)
-	$(LINK) $(whitelist_OBJECTS) $(whitelist_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(whitelist_OBJECTS) $(whitelist_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -440,25 +508,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whitelist_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -565,10 +633,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libcharon/plugins/whitelist/whitelist.c b/src/libcharon/plugins/whitelist/whitelist.c
index 5f511f2c5..ef1ed9c3a 100644
--- a/src/libcharon/plugins/whitelist/whitelist.c
+++ b/src/libcharon/plugins/whitelist/whitelist.c
@@ -18,45 +18,104 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <unistd.h>
+#include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
+#include <string.h>
 #include <errno.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
 
 /**
  * Connect to the daemon, return FD
  */
 static int make_connection()
 {
-	struct sockaddr_un addr;
-	int fd;
+	union {
+		struct sockaddr_un un;
+		struct sockaddr_in in;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
 
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, WHITELIST_SOCKET);
+	if (getenv("TCP_PORT"))
+	{
+		addr.in.sin_family = AF_INET;
+		addr.in.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+		addr.in.sin_port = htons(atoi(getenv("TCP_PORT")));
+		len = sizeof(addr.in);
+	}
+	else
+	{
+		addr.un.sun_family = AF_UNIX;
+		strcpy(addr.un.sun_path, WHITELIST_SOCKET);
 
-	fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
+		len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.un.sun_path);
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
 	if (fd < 0)
 	{
 		fprintf(stderr, "opening socket failed: %s\n", strerror(errno));
 		return -1;
 	}
-	if (connect(fd, (struct sockaddr *)&addr,
-			offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path)) < 0)
+	if (connect(fd, &addr.sa, len) < 0)
 	{
-		fprintf(stderr, "connecting to %s failed: %s\n",
-				WHITELIST_SOCKET, strerror(errno));
+		fprintf(stderr, "connecting failed: %s\n", strerror(errno));
 		close(fd);
 		return -1;
 	}
 	return fd;
 }
 
+static int read_all(int fd, void *buf, size_t len)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = read(fd, buf, len - done);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
+static int write_all(int fd, void *buf, size_t len)
+{
+	ssize_t ret, done = 0;
+
+	while (done < len)
+	{
+		ret = write(fd, buf, len - done);
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		if (ret < 0)
+		{
+			return -1;
+		}
+		done += ret;
+		buf += ret;
+	}
+	return len;
+}
+
 /**
  * Send a single message
  */
 static int send_msg(int type, char *id)
 {
 	whitelist_msg_t msg = {
-		.type = type,
+		.type = htonl(type),
 	};
 	int fd;
 
@@ -66,7 +125,7 @@ static int send_msg(int type, char *id)
 		return 2;
 	}
 	snprintf(msg.id, sizeof(msg.id), "%s", id);
-	if (send(fd, &msg, sizeof(msg), 0) != sizeof(msg))
+	if (write_all(fd, &msg, sizeof(msg)) != sizeof(msg))
 	{
 		fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
 		close(fd);
@@ -74,12 +133,19 @@ static int send_msg(int type, char *id)
 	}
 	if (type == WHITELIST_LIST)
 	{
-		while (recv(fd, &msg, sizeof(msg), 0) == sizeof(msg))
+		while (1)
 		{
-			if (msg.type != WHITELIST_LIST)
+			if (read_all(fd, &msg, sizeof(msg)) != sizeof(msg))
+			{
+				fprintf(stderr, "reading failed: %s\n", strerror(errno));
+				close(fd);
+				return 2;
+			}
+			if (ntohl(msg.type) != WHITELIST_LIST)
 			{
 				break;
 			}
+			msg.id[sizeof(msg.id) - 1] = '\0';
 			printf("%s\n", msg.id);
 		}
 	}
@@ -93,7 +159,7 @@ static int send_msg(int type, char *id)
 static int send_batch(int type, char *file)
 {
 	whitelist_msg_t msg = {
-		.type = type,
+		.type = htonl(type),
 	};
 	FILE *f = stdin;
 	int fd, len;
@@ -124,7 +190,7 @@ static int send_batch(int type, char *file)
 		{
 			msg.id[len-1] = '\0';
 		}
-		if (send(fd, &msg, sizeof(msg), 0) != sizeof(msg))
+		if (write_all(fd, &msg, sizeof(msg)) != sizeof(msg))
 		{
 			fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
 			if (f != stdin)
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
index 202c9a418..e97885c8f 100644
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -23,8 +23,7 @@
 #include <errno.h>
 
 #include <daemon.h>
-#include <threading/thread.h>
-#include <processing/jobs/callback_job.h>
+#include <collections/linked_list.h>
 
 #include "whitelist_msg.h"
 
@@ -46,69 +45,68 @@ struct private_whitelist_control_t {
 	whitelist_listener_t *listener;
 
 	/**
-	 * Whitelist unix socket file descriptor
+	 * Whitelist stream service
 	 */
-	int socket;
-
-	/**
-	 * Callback job dispatching commands
-	 */
-	callback_job_t *job;
+	stream_service_t *service;
 };
 
-/**
- * Open whitelist unix socket
+/*
+ * List whitelist entries using a read-copy
  */
-static bool open_socket(private_whitelist_control_t *this)
+static void list(private_whitelist_control_t *this,
+				 stream_t *stream, identification_t *id)
 {
-	struct sockaddr_un addr;
-	mode_t old;
-
-	addr.sun_family = AF_UNIX;
-	strcpy(addr.sun_path, WHITELIST_SOCKET);
-
-	this->socket = socket(AF_UNIX, SOCK_SEQPACKET, 0);
-	if (this->socket == -1)
-	{
-		DBG1(DBG_CFG, "creating whitelist socket failed");
-		return FALSE;
-	}
-	unlink(addr.sun_path);
-	old = umask(~(S_IRWXU | S_IRWXG));
-	if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_CFG, "binding whitelist socket failed: %s", strerror(errno));
-		close(this->socket);
-		return FALSE;
-	}
-	umask(old);
-	if (chown(addr.sun_path, charon->uid, charon->gid) != 0)
+	identification_t *current;
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	whitelist_msg_t msg = {
+		.type = htonl(WHITELIST_LIST),
+	};
+
+	list = linked_list_create();
+	enumerator = this->listener->create_enumerator(this->listener);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
-			 strerror(errno));
+		if (current->matches(current, id))
+		{
+			list->insert_last(list, current->clone(current));
+		}
 	}
-	if (listen(this->socket, 10) < 0)
+	enumerator->destroy(enumerator);
+
+	while (list->remove_first(list, (void**)&current) == SUCCESS)
 	{
-		DBG1(DBG_CFG, "listening on whitelist socket failed: %s", strerror(errno));
-		close(this->socket);
-		unlink(addr.sun_path);
-		return FALSE;
+		snprintf(msg.id, sizeof(msg.id), "%Y", current);
+		current->destroy(current);
+		if (!stream->write_all(stream, &msg, sizeof(msg)))
+		{
+			DBG1(DBG_CFG, "listing whitelist failed: %s", strerror(errno));
+			break;
+		}
 	}
-	return TRUE;
+	list->destroy_offset(list, offsetof(identification_t, destroy));
+
+	msg.type = htonl(WHITELIST_END);
+	memset(msg.id, 0, sizeof(msg.id));
+	stream->write_all(stream, &msg, sizeof(msg));
 }
 
 /**
  * Dispatch a received message
  */
-static void dispatch(private_whitelist_control_t *this,
-					 int fd, whitelist_msg_t *msg)
+static bool on_accept(private_whitelist_control_t *this, stream_t *stream)
 {
-	identification_t *id, *current;
-	enumerator_t *enumerator;
+	identification_t *id;
+	whitelist_msg_t msg;
 
-	msg->id[sizeof(msg->id)-1] = 0;
-	id = identification_create_from_string(msg->id);
-	switch (msg->type)
+	if (!stream->read_all(stream, &msg, sizeof(msg)))
+	{
+		return FALSE;
+	}
+
+	msg.id[sizeof(msg.id) - 1] = 0;
+	id = identification_create_from_string(msg.id);
+	switch (ntohl(msg.type))
 	{
 		case WHITELIST_ADD:
 			this->listener->add(this->listener, id);
@@ -117,23 +115,7 @@ static void dispatch(private_whitelist_control_t *this,
 			this->listener->remove(this->listener, id);
 			break;
 		case WHITELIST_LIST:
-			enumerator = this->listener->create_enumerator(this->listener);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (current->matches(current, id))
-				{
-					snprintf(msg->id, sizeof(msg->id), "%Y", current);
-					if (send(fd, msg, sizeof(*msg), 0) != sizeof(*msg))
-					{
-						DBG1(DBG_CFG, "listing whitelist failed");
-						break;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
-			msg->type = WHITELIST_END;
-			memset(msg->id, 0, sizeof(msg->id));
-			send(fd, msg, sizeof(*msg), 0);
+			list(this, stream, id);
 			break;
 		case WHITELIST_FLUSH:
 			this->listener->flush(this->listener, id);
@@ -149,59 +131,14 @@ static void dispatch(private_whitelist_control_t *this,
 			break;
 	}
 	id->destroy(id);
-}
 
-/**
- * Accept whitelist control connections, dispatch
- */
-static job_requeue_t receive(private_whitelist_control_t *this)
-{
-	struct sockaddr_un addr;
-	int fd, len = sizeof(addr);
-	whitelist_msg_t msg;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	fd = accept(this->socket, (struct sockaddr*)&addr, &len);
-	thread_cancelability(oldstate);
-
-	if (fd != -1)
-	{
-		while (TRUE)
-		{
-			oldstate = thread_cancelability(TRUE);
-			len = recv(fd, &msg, sizeof(msg), 0);
-			thread_cancelability(oldstate);
-
-			if (len == sizeof(msg))
-			{
-				dispatch(this, fd, &msg);
-			}
-			else
-			{
-				if (len != 0)
-				{
-					DBG1(DBG_CFG, "receiving whitelist msg failed: %s",
-						 strerror(errno));
-				}
-				break;
-			}
-		}
-		close(fd);
-	}
-	else
-	{
-		DBG1(DBG_CFG, "accepting whitelist connection failed: %s",
-			 strerror(errno));
-	}
-	return JOB_REQUEUE_FAIR;
+	return FALSE;
 }
 
 METHOD(whitelist_control_t, destroy, void,
 	private_whitelist_control_t *this)
 {
-	this->job->cancel(this->job);
-	close(this->socket);
+	this->service->destroy(this->service);
 	free(this);
 }
 
@@ -211,6 +148,7 @@ METHOD(whitelist_control_t, destroy, void,
 whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener)
 {
 	private_whitelist_control_t *this;
+	char *uri;
 
 	INIT(this,
 		.public = {
@@ -219,15 +157,19 @@ whitelist_control_t *whitelist_control_create(whitelist_listener_t *listener)
 		.listener = listener,
 	);
 
-	if (!open_socket(this))
+	uri = lib->settings->get_str(lib->settings,
+				"%s.plugins.whitelist.socket", "unix://" WHITELIST_SOCKET,
+				charon->name);
+	this->service = lib->streams->create_service(lib->streams, uri, 10);
+	if (!this->service)
 	{
+		DBG1(DBG_CFG, "creating whitelist socket failed");
 		free(this);
 		return NULL;
 	}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	this->service->on_accept(this->service, (stream_service_cb_t)on_accept,
+							 this, JOB_PRIO_CRITICAL, 0);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.c b/src/libcharon/plugins/whitelist/whitelist_listener.c
index 5634e3ef8..382ee3b8b 100644
--- a/src/libcharon/plugins/whitelist/whitelist_listener.c
+++ b/src/libcharon/plugins/whitelist/whitelist_listener.c
@@ -16,7 +16,7 @@
 #include "whitelist_listener.h"
 
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
 typedef struct private_whitelist_listener_t private_whitelist_listener_t;
@@ -206,7 +206,7 @@ whitelist_listener_t *whitelist_listener_create()
 		.ids = hashtable_create((hashtable_hash_t)hash,
 								(hashtable_equals_t)equals, 32),
 		.enabled = lib->settings->get_bool(lib->settings,
-								"charon.plugins.whitelist.enable", FALSE),
+								"%s.plugins.whitelist.enable", FALSE, charon->name),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/whitelist/whitelist_msg.h b/src/libcharon/plugins/whitelist/whitelist_msg.h
index 65b922996..595fb6ffb 100644
--- a/src/libcharon/plugins/whitelist/whitelist_msg.h
+++ b/src/libcharon/plugins/whitelist/whitelist_msg.h
@@ -53,6 +53,6 @@ struct whitelist_msg_t {
 	int type;
 	/** null terminated identity */
 	char id[128];
-};
+} __attribute__((packed));
 
 #endif /** WHITELIST_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index fca9d293f..3ea45723c 100644
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -49,10 +49,37 @@ METHOD(plugin_t, get_name, char*,
 	return "whitelist";
 }
 
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_whitelist_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_whitelist_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "whitelist"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_whitelist_plugin_t *this)
 {
-	charon->bus->remove_listener(charon->bus, &this->listener->listener);
 	this->listener->destroy(this->listener);
 	DESTROY_IF(this->control);
 	free(this);
@@ -69,15 +96,19 @@ plugin_t *whitelist_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.listener = whitelist_listener_create(),
 	);
-	this->control = whitelist_control_create(this->listener);
 
-	charon->bus->add_listener(charon->bus, &this->listener->listener);
+	this->control = whitelist_control_create(this->listener);
+	if (!this->control)
+	{
+		destroy(this);
+		return NULL;
+	}
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.am b/src/libcharon/plugins/xauth_eap/Makefile.am
new file mode 100644
index 000000000..21f8d0297
--- /dev/null
+++ b/src/libcharon/plugins/xauth_eap/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-eap.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-eap.la
+endif
+
+libstrongswan_xauth_eap_la_SOURCES = \
+	xauth_eap_plugin.h xauth_eap_plugin.c \
+	xauth_eap.h xauth_eap.c
+
+libstrongswan_xauth_eap_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
new file mode 100644
index 000000000..600a99bf9
--- /dev/null
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -0,0 +1,687 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/xauth_eap
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_xauth_eap_la_LIBADD =
+am_libstrongswan_xauth_eap_la_OBJECTS = xauth_eap_plugin.lo \
+	xauth_eap.lo
+libstrongswan_xauth_eap_la_OBJECTS =  \
+	$(am_libstrongswan_xauth_eap_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_eap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_xauth_eap_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_xauth_eap_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_xauth_eap_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_xauth_eap_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_xauth_eap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-eap.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-eap.la
+libstrongswan_xauth_eap_la_SOURCES = \
+	xauth_eap_plugin.h xauth_eap_plugin.c \
+	xauth_eap.h xauth_eap.c
+
+libstrongswan_xauth_eap_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_eap/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_eap/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-xauth-eap.la: $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_eap_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_xauth_eap_la_LINK) $(am_libstrongswan_xauth_eap_la_rpath) $(libstrongswan_xauth_eap_la_OBJECTS) $(libstrongswan_xauth_eap_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_eap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_eap_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.c b/src/libcharon/plugins/xauth_eap/xauth_eap.c
new file mode 100644
index 000000000..1da1d9f85
--- /dev/null
+++ b/src/libcharon/plugins/xauth_eap/xauth_eap.c
@@ -0,0 +1,289 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_eap.h"
+
+#include <daemon.h>
+
+#include <library.h>
+#include <credentials/sets/callback_cred.h>
+
+typedef struct private_xauth_eap_t private_xauth_eap_t;
+
+/**
+ * Private data of an xauth_eap_t object.
+ */
+struct private_xauth_eap_t {
+
+	/**
+	 * Public interface.
+	 */
+	xauth_eap_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+	/**
+	 * Callback credential set
+	 */
+	callback_cred_t *cred;
+
+	/**
+	 * XAuth password
+	 */
+	chunk_t pass;
+};
+
+/**
+ * Callback credential set function
+ */
+static shared_key_t* shared_cb(private_xauth_eap_t *this, shared_key_type_t type,
+							   identification_t *me, identification_t *other,
+							   id_match_t *match_me, id_match_t *match_other)
+{
+	shared_key_t *shared;
+
+	if (!this->pass.len)
+	{
+		return NULL;
+	}
+	if (type != SHARED_EAP && type != SHARED_ANY)
+	{
+		return NULL;
+	}
+	if (me)
+	{
+		if (!this->peer->equals(this->peer, me))
+		{
+			return NULL;
+		}
+		if (match_me)
+		{
+			*match_me = ID_MATCH_PERFECT;
+		}
+	}
+	else if (match_me)
+	{
+		*match_me = ID_MATCH_ANY;
+	}
+	if (other)
+	{
+		if (!this->server->equals(this->server, other))
+		{
+			return NULL;
+		}
+		if (match_other)
+		{
+			*match_other = ID_MATCH_PERFECT;
+		}
+	}
+	else if (match_other)
+	{
+		*match_other = ID_MATCH_ANY;
+	}
+	shared = shared_key_create(SHARED_EAP, chunk_clone(this->pass));
+	this->pass = chunk_empty;
+	return shared;
+}
+
+/**
+ * Do EAP exchanges to verify secret
+ */
+static bool verify_eap(private_xauth_eap_t *this, eap_method_t *backend)
+{
+	eap_payload_t *request, *response;
+	eap_method_t *frontend;
+	eap_type_t type;
+	u_int32_t vendor;
+	status_t status;
+
+	if (backend->initiate(backend, &request) != NEED_MORE)
+	{
+		return FALSE;
+	}
+	type = request->get_type(request, &vendor);
+	frontend = charon->eap->create_instance(charon->eap, type, vendor,
+											EAP_PEER, this->server, this->peer);
+	if (!frontend)
+	{
+		DBG1(DBG_IKE, "XAuth-EAP backend requested %N, but not supported",
+			 eap_type_names, type);
+		request->destroy(request);
+		return FALSE;
+	}
+	while (TRUE)
+	{
+		/* credential set is active in frontend only, but not in backend */
+		lib->credmgr->add_local_set(lib->credmgr, &this->cred->set, TRUE);
+		status = frontend->process(frontend, request, &response);
+		lib->credmgr->remove_local_set(lib->credmgr, &this->cred->set);
+		request->destroy(request);
+		if (status != NEED_MORE)
+		{	/* clients should never return SUCCESS */
+			frontend->destroy(frontend);
+			return FALSE;
+		}
+		status = backend->process(backend, response, &request);
+		response->destroy(response);
+		switch (status)
+		{
+			case SUCCESS:
+				frontend->destroy(frontend);
+				return TRUE;
+			case NEED_MORE:
+				break;
+			default:
+				frontend->destroy(frontend);
+				return FALSE;
+		}
+	}
+}
+
+METHOD(xauth_method_t, initiate, status_t,
+	private_xauth_eap_t *this, cp_payload_t **out)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty));
+	*out = cp;
+	return NEED_MORE;
+}
+
+METHOD(xauth_method_t, process, status_t,
+	private_xauth_eap_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	configuration_attribute_t *attr;
+	enumerator_t *enumerator;
+	identification_t *id;
+	chunk_t user = chunk_empty;
+	eap_method_t *backend;
+	eap_type_t type;
+	char *name;
+	bool ok;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		switch (attr->get_type(attr))
+		{
+			case XAUTH_USER_NAME:
+				user = attr->get_chunk(attr);
+				break;
+			case XAUTH_USER_PASSWORD:
+				this->pass = attr->get_chunk(attr);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!user.ptr || !this->pass.ptr)
+	{
+		DBG1(DBG_IKE, "peer did not respond to our XAuth request");
+		return FAILED;
+	}
+	if (user.len)
+	{
+		id = identification_create_from_data(user);
+		if (!id)
+		{
+			DBG1(DBG_IKE, "failed to parse provided XAuth username");
+			return FAILED;
+		}
+		this->peer->destroy(this->peer);
+		this->peer = id;
+	}
+	if (this->pass.len && this->pass.ptr[this->pass.len - 1] == 0)
+	{	/* fix null-terminated passwords (Android etc.) */
+		this->pass.len -= 1;
+	}
+
+	name = lib->settings->get_str(lib->settings,
+								  "%s.plugins.xauth-eap.backend", "radius",
+								  charon->name);
+	type = eap_type_from_string(name);
+	if (!type)
+	{
+		DBG1(DBG_CFG, "Unknown XAuth-EAP method: %s", name);
+		return FAILED;
+	}
+	backend = charon->eap->create_instance(charon->eap, type, 0, EAP_SERVER,
+										   this->server, this->peer);
+	if (!backend)
+	{
+		DBG1(DBG_CFG, "XAuth-EAP method backend not supported: %s", name);
+		return FAILED;
+	}
+	ok = verify_eap(this, backend);
+	backend->destroy(backend);
+	if (ok)
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_xauth_eap_t *this)
+{
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_eap_t *this)
+{
+	this->cred->destroy(this->cred);
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_eap_t *xauth_eap_create_server(identification_t *server,
+									 identification_t *peer)
+{
+	private_xauth_eap_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+	);
+
+	this->cred = callback_cred_create_shared((void*)shared_cb, this);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.h b/src/libcharon/plugins/xauth_eap/xauth_eap.h
new file mode 100644
index 000000000..70927247e
--- /dev/null
+++ b/src/libcharon/plugins/xauth_eap/xauth_eap.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_eap_i xauth_eap
+ * @{ @ingroup xauth_eap
+ */
+
+#ifndef XAUTH_EAP_H_
+#define XAUTH_EAP_H_
+
+typedef struct xauth_eap_t xauth_eap_t;
+
+#include <sa/xauth/xauth_method.h>
+
+/**
+ * XAuth method that verifies XAuth credentials using EAP methods.
+ *
+ * To reuse existing authentication infrastructure, this XAuth method uses
+ * EAP to verify XAuth Username/Passwords. It is primarily designed to work
+ * with the EAP-RADIUS backend and can use any password-based EAP method
+ * over it. The credentials are fed locally on the IKE responder to a EAP
+ * client which talks to the backend instance, usually a RADIUS server.
+ */
+struct xauth_eap_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the XAuth method using EAP, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_eap_t object
+ */
+xauth_eap_t *xauth_eap_create_server(identification_t *server,
+									 identification_t *peer);
+
+#endif /** XAUTH_EAP_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap_plugin.c b/src/libcharon/plugins/xauth_eap/xauth_eap_plugin.c
new file mode 100644
index 000000000..b776ec8ea
--- /dev/null
+++ b/src/libcharon/plugins/xauth_eap/xauth_eap_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_eap_plugin.h"
+#include "xauth_eap.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	xauth_eap_plugin_t *this)
+{
+	return "xauth-eap";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_eap_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_eap_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "eap"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_eap_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_eap_plugin_create()
+{
+	xauth_eap_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap_plugin.h b/src/libcharon/plugins/xauth_eap/xauth_eap_plugin.h
new file mode 100644
index 000000000..8ba0628b0
--- /dev/null
+++ b/src/libcharon/plugins/xauth_eap/xauth_eap_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_eap xauth_eap
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_eap_plugin xauth_eap_plugin
+ * @{ @ingroup xauth_eap
+ */
+
+#ifndef XAUTH_EAP_PLUGIN_H_
+#define XAUTH_EAP_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_eap_plugin_t xauth_eap_plugin_t;
+
+/**
+ * XAuth plugin using EAP to verify credentials.
+ */
+struct xauth_eap_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_EAP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.am b/src/libcharon/plugins/xauth_generic/Makefile.am
new file mode 100644
index 000000000..d48e52ddd
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-generic.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-generic.la
+endif
+
+libstrongswan_xauth_generic_la_SOURCES = \
+	xauth_generic_plugin.h xauth_generic_plugin.c \
+	xauth_generic.h xauth_generic.c
+
+libstrongswan_xauth_generic_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
new file mode 100644
index 000000000..27d891d14
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -0,0 +1,687 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/xauth_generic
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_xauth_generic_la_LIBADD =
+am_libstrongswan_xauth_generic_la_OBJECTS = xauth_generic_plugin.lo \
+	xauth_generic.lo
+libstrongswan_xauth_generic_la_OBJECTS =  \
+	$(am_libstrongswan_xauth_generic_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_generic_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_xauth_generic_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_xauth_generic_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_xauth_generic_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_xauth_generic_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_xauth_generic_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-generic.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-generic.la
+libstrongswan_xauth_generic_la_SOURCES = \
+	xauth_generic_plugin.h xauth_generic_plugin.c \
+	xauth_generic.h xauth_generic.c
+
+libstrongswan_xauth_generic_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_generic/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_generic/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-xauth-generic.la: $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_generic_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_xauth_generic_la_LINK) $(am_libstrongswan_xauth_generic_la_rpath) $(libstrongswan_xauth_generic_la_OBJECTS) $(libstrongswan_xauth_generic_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_generic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_generic_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.c b/src/libcharon/plugins/xauth_generic/xauth_generic.c
new file mode 100644
index 000000000..f0e675ac0
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_generic.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_generic_t private_xauth_generic_t;
+
+/**
+ * Private data of an xauth_generic_t object.
+ */
+struct private_xauth_generic_t {
+
+	/**
+	 * Public interface.
+	 */
+	xauth_generic_t public;
+
+	/**
+	 * ID of the server
+	 */
+	identification_t *server;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate_peer, status_t,
+	private_xauth_generic_t *this, cp_payload_t **out)
+{
+	/* peer never initiates */
+	return FAILED;
+}
+
+METHOD(xauth_method_t, process_peer, status_t,
+	private_xauth_generic_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	shared_key_t *shared;
+	cp_payload_t *cp;
+	chunk_t user, pass;
+
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->peer,
+									  this->server);
+	if (!shared)
+	{
+		DBG1(DBG_IKE, "no XAuth secret found for '%Y' - '%Y'", this->peer,
+			 this->server);
+		return FAILED;
+	}
+
+	user = this->peer->get_encoding(this->peer);
+	pass = shared->get_key(shared);
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, user));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, pass));
+	shared->destroy(shared);
+	*out = cp;
+	return NEED_MORE;
+}
+
+METHOD(xauth_method_t, initiate_server, status_t,
+	private_xauth_generic_t *this, cp_payload_t **out)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty));
+	*out = cp;
+	return NEED_MORE;
+}
+
+METHOD(xauth_method_t, process_server, status_t,
+	private_xauth_generic_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	configuration_attribute_t *attr;
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	identification_t *id;
+	chunk_t user = chunk_empty, pass = chunk_empty;
+	status_t status = FAILED;
+	int tried = 0;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		switch (attr->get_type(attr))
+		{
+			case XAUTH_USER_NAME:
+				user = attr->get_chunk(attr);
+				break;
+			case XAUTH_USER_PASSWORD:
+				pass = attr->get_chunk(attr);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!user.ptr || !pass.ptr)
+	{
+		DBG1(DBG_IKE, "peer did not respond to our XAuth request");
+		return FAILED;
+	}
+	if (user.len)
+	{
+		id = identification_create_from_data(user);
+		if (!id)
+		{
+			DBG1(DBG_IKE, "failed to parse provided XAuth username");
+			return FAILED;
+		}
+		this->peer->destroy(this->peer);
+		this->peer = id;
+	}
+	if (pass.len && pass.ptr[pass.len - 1] == 0)
+	{	/* fix null-terminated passwords (Android etc.) */
+		pass.len -= 1;
+	}
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_EAP, this->server, this->peer);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		if (chunk_equals(shared->get_key(shared), pass))
+		{
+			status = SUCCESS;
+			break;
+		}
+		tried++;
+	}
+	enumerator->destroy(enumerator);
+	if (status != SUCCESS)
+	{
+		if (!tried)
+		{
+			DBG1(DBG_IKE, "no XAuth secret found for '%Y' - '%Y'",
+				 this->server, this->peer);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "none of %d found XAuth secrets for '%Y' - '%Y' "
+				 "matched", tried, this->server, this->peer);
+		}
+	}
+	return status;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_xauth_generic_t *this)
+{
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_generic_t *this)
+{
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_generic_t *xauth_generic_create_peer(identification_t *server,
+										   identification_t *peer)
+{
+	private_xauth_generic_t *this;
+
+	INIT(this,
+		.public =  {
+			.xauth_method = {
+				.initiate = _initiate_peer,
+				.process = _process_peer,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+	);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+xauth_generic_t *xauth_generic_create_server(identification_t *server,
+											 identification_t *peer)
+{
+	private_xauth_generic_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate_server,
+				.process = _process_server,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.h b/src/libcharon/plugins/xauth_generic/xauth_generic.h
new file mode 100644
index 000000000..5773589cb
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_generic_i xauth_generic
+ * @{ @ingroup xauth_generic
+ */
+
+#ifndef XAUTH_GENERIC_H_
+#define XAUTH_GENERIC_H_
+
+typedef struct xauth_generic_t xauth_generic_t;
+
+#include <sa/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t interface using cleartext secrets
+ * from any credential set.
+ */
+struct xauth_generic_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the generic XAuth method, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_generic_t object
+ */
+xauth_generic_t *xauth_generic_create_server(identification_t *server,
+											 identification_t *peer);
+
+/**
+ * Creates the generic XAuth method, acting as peer.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_generic_t object
+ */
+xauth_generic_t *xauth_generic_create_peer(identification_t *server,
+										   identification_t *peer);
+
+#endif /** XAUTH_GENERIC_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.c b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.c
new file mode 100644
index 000000000..a87084e20
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_generic_plugin.h"
+#include "xauth_generic.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	xauth_generic_plugin_t *this)
+{
+	return "xauth-generic";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_generic_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_generic_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "generic"),
+		PLUGIN_CALLBACK(xauth_method_register, xauth_generic_create_peer),
+			PLUGIN_PROVIDE(XAUTH_PEER, "generic"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_generic_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_generic_plugin_create()
+{
+	xauth_generic_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.h b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.h
new file mode 100644
index 000000000..426f806a7
--- /dev/null
+++ b/src/libcharon/plugins/xauth_generic/xauth_generic_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_generic xauth_generic
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_generic_plugin xauth_generic_plugin
+ * @{ @ingroup xauth_generic
+ */
+
+#ifndef XAUTH_GENERIC_PLUGIN_H_
+#define XAUTH_GENERIC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_generic_plugin_t xauth_generic_plugin_t;
+
+/**
+ * XAuth generic plugin using secrets defined in ipsec.secrets.
+ */
+struct xauth_generic_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_GENERIC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
new file mode 100644
index 000000000..f1581ba67
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+endif
+
+libstrongswan_xauth_noauth_la_SOURCES = \
+	xauth_noauth_plugin.h xauth_noauth_plugin.c \
+	xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
new file mode 100644
index 000000000..a806aee79
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -0,0 +1,687 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/xauth_noauth
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_xauth_noauth_la_LIBADD =
+am_libstrongswan_xauth_noauth_la_OBJECTS = xauth_noauth_plugin.lo \
+	xauth_noauth.lo
+libstrongswan_xauth_noauth_la_OBJECTS =  \
+	$(am_libstrongswan_xauth_noauth_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_noauth_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_xauth_noauth_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_xauth_noauth_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_xauth_noauth_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_xauth_noauth_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_xauth_noauth_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-noauth.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-noauth.la
+libstrongswan_xauth_noauth_la_SOURCES = \
+	xauth_noauth_plugin.h xauth_noauth_plugin.c \
+	xauth_noauth.h xauth_noauth.c
+
+libstrongswan_xauth_noauth_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_noauth/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_noauth/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-xauth-noauth.la: $(libstrongswan_xauth_noauth_la_OBJECTS) $(libstrongswan_xauth_noauth_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_noauth_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_xauth_noauth_la_LINK) $(am_libstrongswan_xauth_noauth_la_rpath) $(libstrongswan_xauth_noauth_la_OBJECTS) $(libstrongswan_xauth_noauth_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_noauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_noauth_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
new file mode 100644
index 000000000..a9d95126a
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_xauth_noauth_t private_xauth_noauth_t;
+
+/**
+ * Private data of an xauth_noauth_t object.
+ */
+struct private_xauth_noauth_t {
+
+	/**
+	 * Public interface.
+	 */
+	xauth_noauth_t public;
+
+	/**
+	 * ID of the peer (not really used here)
+	 */
+	identification_t *peer;
+
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+	private_xauth_noauth_t *this, cp_payload_t **out)
+{
+	/* XAuth task handles the details for us */
+	return SUCCESS;
+}
+
+METHOD(xauth_method_t, process, status_t,
+	private_xauth_noauth_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	/* this should never be called */
+	return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_xauth_noauth_t *this)
+{
+	/* this should never be called, but lets still return a valid ID */
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_noauth_t *this)
+{
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+										   identification_t *peer)
+{
+	private_xauth_noauth_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.peer = identification_create_from_string("%any"),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
new file mode 100644
index 000000000..8984b0a7c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth_i xauth_noauth
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_H_
+#define XAUTH_NOAUTH_H_
+
+typedef struct xauth_noauth_t xauth_noauth_t;
+
+#include <sa/xauth/xauth_method.h>
+
+/**
+ * Implementation of the xauth_method_t interface that does not actually do
+ * any authentication but simply concludes the XAuth exchange successfully.
+ */
+struct xauth_noauth_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the noauth XAuth method, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_noauth_t object
+ */
+xauth_noauth_t *xauth_noauth_create_server(identification_t *server,
+										   identification_t *peer);
+
+#endif /** XAUTH_NOAUTH_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
new file mode 100644
index 000000000..e7ee4dfe3
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_noauth_plugin.h"
+#include "xauth_noauth.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, get_name, char*,
+	xauth_noauth_plugin_t *this)
+{
+	return "xauth-noauth";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_noauth_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_noauth_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "noauth"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_noauth_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_noauth_plugin_create()
+{
+	xauth_noauth_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
new file mode 100644
index 000000000..d174ac29c
--- /dev/null
+++ b/src/libcharon/plugins/xauth_noauth/xauth_noauth_plugin.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_noauth xauth_noauth
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_noauth_plugin xauth_noauth_plugin
+ * @{ @ingroup xauth_noauth
+ */
+
+#ifndef XAUTH_NOAUTH_PLUGIN_H_
+#define XAUTH_NOAUTH_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_noauth_plugin_t xauth_noauth_plugin_t;
+
+/**
+ * XAuth plugin that does not actually do any authentication but simply
+ * concludes the XAuth exchange successfully.  This could be used to implement
+ * basic RSA authentication in cases where the client does not offer an option
+ * to disable XAuth.
+ */
+struct xauth_noauth_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_NOAUTH_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am b/src/libcharon/plugins/xauth_pam/Makefile.am
new file mode 100644
index 000000000..a7d4f6436
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-xauth-pam.la
+else
+plugin_LTLIBRARIES = libstrongswan-xauth-pam.la
+endif
+
+libstrongswan_xauth_pam_la_SOURCES = \
+	xauth_pam_plugin.h xauth_pam_plugin.c \
+	xauth_pam.h xauth_pam.c
+
+libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
new file mode 100644
index 000000000..68afa861b
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -0,0 +1,687 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/xauth_pam
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_xauth_pam_la_LIBADD =
+am_libstrongswan_xauth_pam_la_OBJECTS = xauth_pam_plugin.lo \
+	xauth_pam.lo
+libstrongswan_xauth_pam_la_OBJECTS =  \
+	$(am_libstrongswan_xauth_pam_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xauth_pam_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_xauth_pam_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_xauth_pam_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_xauth_pam_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_xauth_pam_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_xauth_pam_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xauth-pam.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-pam.la
+libstrongswan_xauth_pam_la_SOURCES = \
+	xauth_pam_plugin.h xauth_pam_plugin.c \
+	xauth_pam.h xauth_pam.c
+
+libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_pam/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/xauth_pam/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-xauth-pam.la: $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_DEPENDENCIES) $(EXTRA_libstrongswan_xauth_pam_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_xauth_pam_la_LINK) $(am_libstrongswan_xauth_pam_la_rpath) $(libstrongswan_xauth_pam_la_OBJECTS) $(libstrongswan_xauth_pam_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam.c b/src/libcharon/plugins/xauth_pam/xauth_pam.c
new file mode 100644
index 000000000..98c1a97a4
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_pam.h"
+
+#include <daemon.h>
+#include <library.h>
+
+#include <security/pam_appl.h>
+
+typedef struct private_xauth_pam_t private_xauth_pam_t;
+
+/**
+ * Private data of an xauth_pam_t object.
+ */
+struct private_xauth_pam_t {
+
+	/**
+	 * Public interface.
+	 */
+	xauth_pam_t public;
+
+	/**
+	 * ID of the peer
+	 */
+	identification_t *peer;
+};
+
+METHOD(xauth_method_t, initiate, status_t,
+	private_xauth_pam_t *this, cp_payload_t **out)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty));
+	cp->add_attribute(cp, configuration_attribute_create_chunk(
+				CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty));
+	*out = cp;
+	return NEED_MORE;
+}
+
+/**
+ * PAM conv callback function
+ */
+static int auth_conv(int num_msg, const struct pam_message **msg,
+					 struct pam_response **resp, char *password)
+{
+	struct pam_response *response;
+
+	if (num_msg != 1)
+	{
+		return PAM_CONV_ERR;
+	}
+	response = malloc(sizeof(struct pam_response));
+	response->resp = strdup(password);
+	response->resp_retcode = 0;
+	*resp = response;
+	return PAM_SUCCESS;
+}
+
+/**
+ * Authenticate a username/password using PAM
+ */
+static bool authenticate(char *service, char *user, char *password)
+{
+	pam_handle_t *pamh = NULL;
+	static struct pam_conv conv;
+	int ret;
+
+	conv.conv = (void*)auth_conv;
+	conv.appdata_ptr = password;
+
+	ret = pam_start(service, user, &conv, &pamh);
+	if (ret != PAM_SUCCESS)
+	{
+		DBG1(DBG_IKE, "XAuth pam_start for '%s' failed: %s",
+			 user, pam_strerror(pamh, ret));
+		return FALSE;
+	}
+	ret = pam_authenticate(pamh, 0);
+	if (ret == PAM_SUCCESS)
+	{
+		ret = pam_acct_mgmt(pamh, 0);
+		if (ret != PAM_SUCCESS)
+		{
+			DBG1(DBG_IKE, "XAuth pam_acct_mgmt for '%s' failed: %s",
+				 user, pam_strerror(pamh, ret));
+		}
+	}
+	else
+	{
+		DBG1(DBG_IKE, "XAuth pam_authenticate for '%s' failed: %s",
+			 user, pam_strerror(pamh, ret));
+	}
+	pam_end(pamh, ret);
+	return ret == PAM_SUCCESS;
+}
+
+/**
+ * Convert configuration attribute content to a null-terminated string
+ */
+static void attr2string(char *buf, size_t len, chunk_t chunk)
+{
+	if (chunk.len && chunk.len < len)
+	{
+		snprintf(buf, len, "%.*s", (int)chunk.len, chunk.ptr);
+	}
+}
+
+METHOD(xauth_method_t, process, status_t,
+	private_xauth_pam_t *this, cp_payload_t *in, cp_payload_t **out)
+{
+	char *service, user[128] = "", pass[128] = "", *pos;
+	configuration_attribute_t *attr;
+	enumerator_t *enumerator;
+	chunk_t chunk;
+
+	enumerator = in->create_attribute_enumerator(in);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		switch (attr->get_type(attr))
+		{
+			case XAUTH_USER_NAME:
+				/* trim to username part if email address given */
+				chunk = attr->get_chunk(attr);
+				pos = memchr(chunk.ptr, '@', chunk.len);
+				if (pos)
+				{
+					chunk.len = (u_char*)pos - chunk.ptr;
+				}
+				attr2string(user, sizeof(user), chunk);
+				break;
+			case XAUTH_USER_PASSWORD:
+				attr2string(pass, sizeof(pass), attr->get_chunk(attr));
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!user[0] || !pass[0])
+	{
+		DBG1(DBG_IKE, "peer did not respond to our XAuth request");
+		return FAILED;
+	}
+
+	this->peer->destroy(this->peer);
+	this->peer = identification_create_from_string(user);
+
+	/* Look for PAM service, with a legacy fallback for the eap-gtc plugin.
+	 * Default to "login". */
+	service = lib->settings->get_str(lib->settings,
+				"%s.plugins.xauth-pam.pam_service",
+					lib->settings->get_str(lib->settings,
+						"%s.plugins.eap-gtc.pam_service",
+						"login", charon->name),
+				charon->name);
+
+	if (authenticate(service, user, pass))
+	{
+		DBG1(DBG_IKE, "PAM authentication of '%s' successful", user);
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(xauth_method_t, get_identity, identification_t*,
+	private_xauth_pam_t *this)
+{
+	return this->peer;
+}
+
+METHOD(xauth_method_t, destroy, void,
+	private_xauth_pam_t *this)
+{
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_pam_t *xauth_pam_create_server(identification_t *server,
+									 identification_t *peer)
+{
+	private_xauth_pam_t *this;
+
+	INIT(this,
+		.public = {
+			.xauth_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_identity = _get_identity,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam.h b/src/libcharon/plugins/xauth_pam/xauth_pam.h
new file mode 100644
index 000000000..f2d310c0d
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_pam_i xauth_pam
+ * @{ @ingroup xauth_pam
+ */
+
+#ifndef XAUTH_PAM_H_
+#define XAUTH_PAM_H_
+
+typedef struct xauth_pam_t xauth_pam_t;
+
+#include <sa/xauth/xauth_method.h>
+
+/**
+ * XAuth plugin using Pluggable Authentication Modules to verify credentials.
+ */
+struct xauth_pam_t {
+
+	/**
+	 * Implemented xauth_method_t interface.
+	 */
+	xauth_method_t xauth_method;
+};
+
+/**
+ * Creates the XAuth method using PAM, acting as server.
+ *
+ * @param server	ID of the XAuth server
+ * @param peer		ID of the XAuth client
+ * @return			xauth_pam_t object
+ */
+xauth_pam_t *xauth_pam_create_server(identification_t *server,
+									 identification_t *peer);
+
+#endif /** XAUTH_PAM_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
new file mode 100644
index 000000000..2ef9a6c8f
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_pam_plugin.h"
+#include "xauth_pam.h"
+
+#include <daemon.h>
+
+#ifndef CAP_AUDIT_WRITE
+#define CAP_AUDIT_WRITE 29
+#endif
+
+METHOD(plugin_t, get_name, char*,
+	xauth_pam_plugin_t *this)
+{
+	return "xauth-pam";
+}
+
+METHOD(plugin_t, get_features, int,
+	xauth_pam_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(xauth_method_register, xauth_pam_create_server),
+			PLUGIN_PROVIDE(XAUTH_SERVER, "pam"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	xauth_pam_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_pam_plugin_create()
+{
+	xauth_pam_plugin_t *this;
+
+	/* required for PAM authentication */
+	if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
+	{
+		DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
+		return NULL;
+	}
+
+	INIT(this,
+		.plugin = {
+			.get_name = _get_name,
+			.get_features = _get_features,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.h b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.h
new file mode 100644
index 000000000..b75268880
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_pam xauth_pam
+ * @ingroup cplugins
+ *
+ * @defgroup xauth_pam_plugin xauth_pam_plugin
+ * @{ @ingroup xauth_pam
+ */
+
+#ifndef XAUTH_PAM_PLUGIN_H_
+#define XAUTH_PAM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct xauth_pam_plugin_t xauth_pam_plugin_t;
+
+/**
+ * XAuth plugin using Pluggable Authentication Modules to verify credentials.
+ */
+struct xauth_pam_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** XAUTH_PAM_PLUGIN_H_ @}*/
diff --git a/src/libcharon/processing/jobs/acquire_job.c b/src/libcharon/processing/jobs/acquire_job.c
index 2d836b002..207f534ba 100644
--- a/src/libcharon/processing/jobs/acquire_job.c
+++ b/src/libcharon/processing/jobs/acquire_job.c
@@ -53,12 +53,12 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_acquire_job_t *this)
 {
 	charon->traps->acquire(charon->traps, this->reqid,
 						   this->src_ts, this->dst_ts);
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
new file mode 100644
index 000000000..df5b70c0f
--- /dev/null
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "adopt_children_job.h"
+
+#include <daemon.h>
+#include <hydra.h>
+
+typedef struct private_adopt_children_job_t private_adopt_children_job_t;
+
+/**
+ * Private data of an adopt_children_job_t object.
+ */
+struct private_adopt_children_job_t {
+
+	/**
+	 * Public adopt_children_job_t interface.
+	 */
+	adopt_children_job_t public;
+
+	/**
+	 * IKE_SA id to adopt children from
+	 */
+	ike_sa_id_t *id;
+};
+
+METHOD(job_t, destroy, void,
+	private_adopt_children_job_t *this)
+{
+	this->id->destroy(this->id);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_adopt_children_job_t *this)
+{
+	identification_t *my_id, *other_id, *xauth;
+	host_t *me, *other;
+	peer_cfg_t *cfg;
+	linked_list_t *children;
+	enumerator_t *enumerator, *childenum;
+	ike_sa_id_t *id;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id);
+	if (ike_sa)
+	{
+		/* get what we need from new SA */
+		me = ike_sa->get_my_host(ike_sa);
+		me = me->clone(me);
+		other = ike_sa->get_other_host(ike_sa);
+		other = other->clone(other);
+		my_id = ike_sa->get_my_id(ike_sa);
+		my_id = my_id->clone(my_id);
+		other_id = ike_sa->get_other_id(ike_sa);
+		other_id = other_id->clone(other_id);
+		xauth = ike_sa->get_other_eap_id(ike_sa);
+		xauth = xauth->clone(xauth);
+		cfg = ike_sa->get_peer_cfg(ike_sa);
+		cfg->get_ref(cfg);
+
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+		/* find old SA to adopt children from */
+		children = linked_list_create();
+		enumerator = charon->ike_sa_manager->create_id_enumerator(
+									charon->ike_sa_manager, my_id, xauth,
+									other->get_family(other));
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (id->equals(id, this->id))
+			{	/* not from self */
+				continue;
+			}
+			ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+			if (ike_sa)
+			{
+				if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
+					 ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
+					me->equals(me, ike_sa->get_my_host(ike_sa)) &&
+					other->equals(other, ike_sa->get_other_host(ike_sa)) &&
+					other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&
+					cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
+				{
+					childenum = ike_sa->create_child_sa_enumerator(ike_sa);
+					while (childenum->enumerate(childenum, &child_sa))
+					{
+						ike_sa->remove_child_sa(ike_sa, childenum);
+						children->insert_last(children, child_sa);
+					}
+					childenum->destroy(childenum);
+					DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
+						 "adopting %d children", children->get_count(children));
+					ike_sa->set_state(ike_sa, IKE_DELETING);
+					charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
+					charon->ike_sa_manager->checkin_and_destroy(
+											charon->ike_sa_manager, ike_sa);
+				}
+				else
+				{
+					charon->ike_sa_manager->checkin(
+											charon->ike_sa_manager, ike_sa);
+				}
+				if (children->get_count(children))
+				{
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		me->destroy(me);
+		other->destroy(other);
+		my_id->destroy(my_id);
+		other_id->destroy(other_id);
+		xauth->destroy(xauth);
+		cfg->destroy(cfg);
+
+		if (children->get_count(children))
+		{
+			/* adopt children by new SA */
+			ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+													  this->id);
+			if (ike_sa)
+			{
+				while (children->remove_last(children,
+											 (void**)&child_sa) == SUCCESS)
+				{
+					ike_sa->add_child_sa(ike_sa, child_sa);
+				}
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			}
+		}
+		children->destroy_offset(children, offsetof(child_sa_t, destroy));
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_adopt_children_job_t *this)
+{
+	return JOB_PRIO_HIGH;
+}
+
+/**
+ * See header
+ */
+adopt_children_job_t *adopt_children_job_create(ike_sa_id_t *id)
+{
+	private_adopt_children_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.id = id->clone(id),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/adopt_children_job.h b/src/libcharon/processing/jobs/adopt_children_job.h
new file mode 100644
index 000000000..073504abd
--- /dev/null
+++ b/src/libcharon/processing/jobs/adopt_children_job.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup adopt_children_job adopt_children_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef ADOPT_CHILDREN_JOB_H_
+#define ADOPT_CHILDREN_JOB_H_
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+typedef struct adopt_children_job_t adopt_children_job_t;
+
+/**
+ * Job adopting children after IKEv1 reauthentication from old SA.
+ */
+struct adopt_children_job_t {
+
+	/**
+	 * Implements job_t.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Create a adopt_children_job instance.
+ *
+ * @param id		ike_sa_id_t of old ISAKMP SA to adopt children from
+ * @return			job
+ */
+adopt_children_job_t *adopt_children_job_create(ike_sa_id_t *id);
+
+#endif /** ADOPT_CHILDREN_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c
index bd8bb9562..9afbac02b 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.c
@@ -44,6 +44,11 @@ struct private_delete_child_sa_job_t {
 	 * inbound SPI of the CHILD_SA
 	 */
 	u_int32_t spi;
+
+	/**
+	 * Delete for an expired CHILD_SA
+	 */
+	bool expired;
 };
 
 METHOD(job_t, destroy, void,
@@ -52,7 +57,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_delete_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -66,11 +71,11 @@ METHOD(job_t, execute, void,
 	}
 	else
 	{
-		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
+		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi, this->expired);
 
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
@@ -83,8 +88,7 @@ METHOD(job_t, get_priority, job_priority_t,
  * Described in header
  */
 delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-												  protocol_id_t protocol,
-												  u_int32_t spi)
+							protocol_id_t protocol, u_int32_t spi, bool expired)
 {
 	private_delete_child_sa_job_t *this;
 
@@ -99,6 +103,7 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
 		.reqid = reqid,
 		.protocol = protocol,
 		.spi = spi,
+		.expired = expired,
 	);
 
 	return &this->public;
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index fc0e2b518..be6d578bc 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -50,10 +50,10 @@ struct delete_child_sa_job_t {
  * @param reqid		reqid of the CHILD_SA, as used in kernel
  * @param protocol	protocol of the CHILD_SA
  * @param spi		security parameter index of the CHILD_SA
+ * @param expired	TRUE if CHILD_SA already expired
  * @return			delete_child_sa_job_t object
  */
 delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
-												  protocol_id_t protocol,
-												  u_int32_t spi);
+							protocol_id_t protocol, u_int32_t spi, bool expired);
 
 #endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index c29b72230..a394e9df9 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -48,7 +48,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_delete_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -60,7 +60,7 @@ METHOD(job_t, execute, void,
 		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
 		{
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-			return destroy(this);
+			return JOB_REQUEUE_NONE;
 		}
 		if (this->delete_if_established)
 		{
@@ -76,20 +76,31 @@ METHOD(job_t, execute, void,
 		}
 		else
 		{
-			/* destroy IKE_SA did not complete connecting phase */
+			/* destroy IKE_SA only if it did not complete connecting phase */
 			if (ike_sa->get_state(ike_sa) != IKE_CONNECTING)
 			{
 				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 			}
+			else if (ike_sa->get_version(ike_sa) == IKEV1 &&
+					 ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
+			{	/* as initiator we waited for the peer to initiate e.g. an
+				 * XAuth exchange, reauth the SA to eventually trigger DPD */
+				DBG1(DBG_JOB, "peer did not initiate expected exchange, "
+					 "reestablishing IKE_SA");
+				ike_sa->reauth(ike_sa);
+				charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+			}
 			else
 			{
 				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+				charon->bus->alert(charon->bus, ALERT_HALF_OPEN_TIMEOUT);
 				charon->ike_sa_manager->checkin_and_destroy(
 												charon->ike_sa_manager, ike_sa);
 			}
 		}
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
new file mode 100644
index 000000000..9cdce5cab
--- /dev/null
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "dpd_timeout_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_dpd_timeout_job_t private_dpd_timeout_job_t;
+
+/**
+ * Private data
+ */
+struct private_dpd_timeout_job_t {
+
+	/**
+	 * public dpd_timeout_job_t interface
+	 */
+	dpd_timeout_job_t public;
+
+	/**
+	 * IKE_SA identifier
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * Timestamp of first DPD check
+	 */
+	time_t check;
+};
+
+METHOD(job_t, destroy, void,
+	private_dpd_timeout_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_dpd_timeout_job_t *this)
+{
+	time_t use_time, current;
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		use_time = ike_sa->get_statistic(ike_sa, STAT_INBOUND);
+
+		enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+		while (enumerator->enumerate(enumerator, &child_sa))
+		{
+			child_sa->get_usestats(child_sa, TRUE, &current, NULL, NULL);
+			use_time = max(use_time, current);
+		}
+		enumerator->destroy(enumerator);
+
+		/* check if no incoming packet during timeout, reestablish SA */
+		if (use_time < this->check)
+		{
+			DBG1(DBG_JOB, "DPD check timed out, enforcing DPD action");
+			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, NULL);
+			charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
+			ike_sa->reestablish(ike_sa);
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_dpd_timeout_job_t *this)
+{
+	return JOB_PRIO_HIGH;
+}
+
+/*
+ * Described in header
+ */
+dpd_timeout_job_t *dpd_timeout_job_create(ike_sa_id_t *ike_sa_id)
+{
+	private_dpd_timeout_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+		.check = time_monotonic(NULL),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.h b/src/libcharon/processing/jobs/dpd_timeout_job.h
new file mode 100644
index 000000000..573eb192d
--- /dev/null
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dpd_timeout_job dpd_timeout_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef DPD_TIMEOUT_JOB_H_
+#define DPD_TIMEOUT_JOB_H_
+
+typedef struct dpd_timeout_job_t dpd_timeout_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * Job enforcing DPD timeout.
+ *
+ * This job detects if a DPD response has been received during the DPD timeout
+ * interval, and if not, enforced the DPD action.
+ */
+struct dpd_timeout_job_t {
+
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a DPD timeout job.
+ *
+ * @param ike_sa_id		ike_sa_id_t, gets cloned
+ * @return				initiate_ike_sa_job_t object
+ */
+dpd_timeout_job_t *dpd_timeout_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /** DPD_TIMEOUT_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 251b9ab03..9ab69b417 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -51,11 +51,11 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_inactivity_job_t *this)
 {
 	ike_sa_t *ike_sa;
-	bool rescheduled = FALSE;
+	u_int32_t reschedule = 0;
 
 	ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
 													this->reqid, TRUE);
@@ -75,8 +75,8 @@ METHOD(job_t, execute, void,
 			{
 				time_t in, out, diff;
 
-				child_sa->get_usestats(child_sa, TRUE, &in, NULL);
-				child_sa->get_usestats(child_sa, FALSE, &out, NULL);
+				child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
+				child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
 
 				diff = time_monotonic(NULL) - max(in, out);
 
@@ -87,9 +87,7 @@ METHOD(job_t, execute, void,
 				}
 				else
 				{
-					lib->scheduler->schedule_job(lib->scheduler,
-							&this->public.job_interface, this->timeout - diff);
-					rescheduled = TRUE;
+					reschedule = this->timeout - diff;
 				}
 			}
 			children++;
@@ -108,7 +106,7 @@ METHOD(job_t, execute, void,
 			{
 				DBG1(DBG_JOB, "deleting CHILD_SA after %d seconds "
 					 "of inactivity", this->timeout);
-				status = ike_sa->delete_child_sa(ike_sa, proto, delete);
+				status = ike_sa->delete_child_sa(ike_sa, proto, delete, FALSE);
 			}
 		}
 		if (status == DESTROY_ME)
@@ -121,10 +119,11 @@ METHOD(job_t, execute, void,
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 	}
-	if (!rescheduled)
+	if (reschedule)
 	{
-		destroy(this);
+		return JOB_RESCHEDULE(reschedule);
 	}
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
@@ -156,4 +155,3 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
index e52f3c6df..17ab83053 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
@@ -54,7 +54,7 @@ METHOD(job_t, destroy, void,
  */
 static bool initiate_callback(private_initiate_mediation_job_t *this,
 			debug_t group, level_t level, ike_sa_t *ike_sa,
-			char *format, va_list args)
+			char *message)
 {
 	if (ike_sa && !this->mediation_sa_id)
 	{
@@ -64,7 +64,7 @@ static bool initiate_callback(private_initiate_mediation_job_t *this,
 	return TRUE;
 }
 
-METHOD(job_t, initiate, void,
+METHOD(job_t, initiate, job_requeue_t,
 	private_initiate_mediation_job_t *this)
 {
 	ike_sa_t *mediated_sa, *mediation_sa;
@@ -93,8 +93,7 @@ METHOD(job_t, initiate, void,
 			mediated_cfg->destroy(mediated_cfg);
 			mediation_cfg->destroy(mediation_cfg);
 			enumerator->destroy(enumerator);
-			destroy(this);
-			return;
+			return JOB_REQUEUE_NONE;
 		}
 		enumerator->destroy(enumerator);
 
@@ -115,8 +114,7 @@ METHOD(job_t, initiate, void,
 				charon->ike_sa_manager->checkin(
 								charon->ike_sa_manager, mediated_sa);
 			}
-			destroy(this);
-			return;
+			return JOB_REQUEUE_NONE;
 		}
 		/* we need an additional reference because initiate consumes one */
 		mediation_cfg->get_ref(mediation_cfg);
@@ -134,8 +132,7 @@ METHOD(job_t, initiate, void,
 				charon->ike_sa_manager->checkin_and_destroy(
 									charon->ike_sa_manager, mediated_sa);
 			}
-			destroy(this);
-			return;
+			return JOB_REQUEUE_NONE;
 		}
 		mediation_cfg->destroy(mediation_cfg);
 
@@ -157,18 +154,17 @@ METHOD(job_t, initiate, void,
 					charon->ike_sa_manager->checkin_and_destroy(
 										charon->ike_sa_manager, mediated_sa);
 				}
-				destroy(this);
-				return;
+				return JOB_REQUEUE_NONE;
 			}
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
 											mediation_sa);
 		}
 		mediated_cfg->destroy(mediated_cfg);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
-METHOD(job_t, reinitiate, void,
+METHOD(job_t, reinitiate, job_requeue_t,
 	private_initiate_mediation_job_t *this)
 {
 	ike_sa_t *mediated_sa, *mediation_sa;
@@ -205,8 +201,7 @@ METHOD(job_t, reinitiate, void,
 										charon->ike_sa_manager,
 										mediated_sa);
 				}
-				destroy(this);
-				return;
+				return JOB_REQUEUE_NONE;
 			}
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager,
 											mediation_sa);
@@ -214,7 +209,7 @@ METHOD(job_t, reinitiate, void,
 
 		mediated_cfg->destroy(mediated_cfg);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/mediation_job.c b/src/libcharon/processing/jobs/mediation_job.c
index 6f02f2a0a..759aad003 100644
--- a/src/libcharon/processing/jobs/mediation_job.c
+++ b/src/libcharon/processing/jobs/mediation_job.c
@@ -77,7 +77,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_mediation_job_t *this)
 {
 	ike_sa_id_t *target_sa_id;
@@ -98,8 +98,7 @@ METHOD(job_t, execute, void,
 					DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
 							this->source, this->target);
 					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
-					destroy(this);
-					return;
+					return JOB_REQUEUE_NONE;
 				}
 			}
 			else
@@ -112,8 +111,7 @@ METHOD(job_t, execute, void,
 							this->source, this->target);
 					charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
 					/* FIXME: notify the initiator */
-					destroy(this);
-					return;
+					return JOB_REQUEUE_NONE;
 				}
 			}
 
@@ -130,7 +128,7 @@ METHOD(job_t, execute, void,
 		DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
 				"peer is not online anymore", this->source, this->target);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/mediation_job.h b/src/libcharon/processing/jobs/mediation_job.h
index 41485cbc6..6a1475102 100644
--- a/src/libcharon/processing/jobs/mediation_job.h
+++ b/src/libcharon/processing/jobs/mediation_job.h
@@ -26,7 +26,7 @@ typedef struct mediation_job_t mediation_job_t;
 #include <library.h>
 #include <processing/jobs/job.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Class representing a MEDIATION Job.
diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c
index eb10e2e46..2ebfc6714 100644
--- a/src/libcharon/processing/jobs/migrate_job.c
+++ b/src/libcharon/processing/jobs/migrate_job.c
@@ -67,7 +67,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_migrate_job_t *this)
 {
 	ike_sa_t *ike_sa = NULL;
@@ -79,9 +79,10 @@ METHOD(job_t, execute, void,
 	}
 	if (ike_sa)
 	{
-		enumerator_t *children;
+		enumerator_t *children, *enumerator;
 		child_sa_t *child_sa;
 		host_t *host;
+		linked_list_t *vips;
 
 		children = ike_sa->create_child_sa_enumerator(ike_sa);
 		while (children->enumerate(children, (void**)&child_sa))
@@ -97,27 +98,35 @@ METHOD(job_t, execute, void,
 		ike_sa->set_kmaddress(ike_sa, this->local, this->remote);
 
 		host = this->local->clone(this->local);
-		host->set_port(host, IKEV2_UDP_PORT);
+		host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
 		ike_sa->set_my_host(ike_sa, host);
 
 		host = this->remote->clone(this->remote);
 		host->set_port(host, IKEV2_UDP_PORT);
 		ike_sa->set_other_host(ike_sa, host);
 
-		if (child_sa->update(child_sa, this->local, this->remote,
-				ike_sa->get_virtual_ip(ike_sa, TRUE),
+		vips = linked_list_create();
+		enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
+		while (enumerator->enumerate(enumerator, &host))
+		{
+			vips->insert_last(vips, host);
+		}
+		enumerator->destroy(enumerator);
+
+		if (child_sa->update(child_sa, this->local, this->remote, vips,
 				ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
 		{
 			ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
 								   child_sa->get_spi(child_sa, TRUE));
 		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		vips->destroy(vips);
 	}
 	else
 	{
 		DBG1(DBG_JOB, "no CHILD_SA found with reqid {%d}", this->reqid);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
index 09679c734..30c0ad0ac 100644
--- a/src/libcharon/processing/jobs/migrate_job.h
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -24,7 +24,7 @@
 typedef struct migrate_job_t migrate_job_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <selectors/traffic_selector.h>
 #include <kernel/kernel_ipsec.h>
 #include <processing/jobs/job.h>
diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
index a4924d001..606135b0b 100644
--- a/src/libcharon/processing/jobs/process_message_job.c
+++ b/src/libcharon/processing/jobs/process_message_job.c
@@ -42,7 +42,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_process_message_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -59,8 +59,7 @@ METHOD(job_t, execute, void,
 			 this->message->get_source(this->message),
 			 this->message->get_destination(this->message));
 		charon->connect_manager->process_check(charon->connect_manager, this->message);
-		destroy(this);
-		return;
+		return JOB_REQUEUE_NONE;
 	}
 #endif /* ME */
 
@@ -68,9 +67,10 @@ METHOD(job_t, execute, void,
 														 this->message);
 	if (ike_sa)
 	{
-		DBG1(DBG_NET, "received packet: from %#H to %#H",
+		DBG1(DBG_NET, "received packet: from %#H to %#H (%zu bytes)",
 			 this->message->get_source(this->message),
-			 this->message->get_destination(this->message));
+			 this->message->get_destination(this->message),
+			 this->message->get_packet_data(this->message).len);
 		if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME)
 		{
 			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
@@ -81,7 +81,7 @@ METHOD(job_t, execute, void,
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c
index 5855f1bc9..1bf8dc0cb 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c
@@ -51,7 +51,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_rekey_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -68,7 +68,7 @@ METHOD(job_t, execute, void,
 		ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
index 5366195fd..712c7c2c1 100644
--- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
@@ -46,7 +46,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_rekey_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -78,7 +78,7 @@ METHOD(job_t, execute, void,
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/retransmit_job.c b/src/libcharon/processing/jobs/retransmit_job.c
index 050f7005a..48c326804 100644
--- a/src/libcharon/processing/jobs/retransmit_job.c
+++ b/src/libcharon/processing/jobs/retransmit_job.c
@@ -47,7 +47,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_retransmit_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -67,7 +67,7 @@ METHOD(job_t, execute, void,
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/retry_initiate_job.c b/src/libcharon/processing/jobs/retry_initiate_job.c
new file mode 100644
index 000000000..1cdc3058a
--- /dev/null
+++ b/src/libcharon/processing/jobs/retry_initiate_job.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "retry_initiate_job.h"
+
+#include <daemon.h>
+
+typedef struct private_retry_initiate_job_t private_retry_initiate_job_t;
+
+/**
+ * Private data of an retry_initiate_job_t object.
+ */
+struct private_retry_initiate_job_t {
+	/**
+	 * Public retry_initiate_job_t interface.
+	 */
+	retry_initiate_job_t public;
+
+	/**
+	 * ID of the IKE_SA to re-initiate
+	 */
+	ike_sa_id_t *ike_sa_id;
+};
+
+METHOD(job_t, destroy, void,
+	private_retry_initiate_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_retry_initiate_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa == NULL)
+	{
+		DBG2(DBG_JOB, "IKE_SA to initiate not found");
+	}
+	else
+	{
+		if (ike_sa->retry_initiate(ike_sa) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+														ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_retry_initiate_job_t *this)
+{
+	return JOB_PRIO_HIGH;
+}
+
+/*
+ * Described in header
+ */
+retry_initiate_job_t *retry_initiate_job_create(ike_sa_id_t *ike_sa_id)
+{
+	private_retry_initiate_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+	);
+
+	return &(this->public);
+}
diff --git a/src/libcharon/processing/jobs/retry_initiate_job.h b/src/libcharon/processing/jobs/retry_initiate_job.h
new file mode 100644
index 000000000..29f79f23b
--- /dev/null
+++ b/src/libcharon/processing/jobs/retry_initiate_job.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup retry_initiate_job retry_initiate_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef RETRY_INITIATE_JOB_H_
+#define RETRY_INITIATE_JOB_H_
+
+typedef struct retry_initiate_job_t retry_initiate_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+
+/**
+ * This job retries initiating an IKE_SA in case of e.g. a failed DNS lookup.
+ */
+struct retry_initiate_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a retry_initiate_job_t object.
+ *
+ * @param ike_sa_id		ID of the IKE_SA to initiate
+ * @return				retry_initiate_job_t object
+ */
+retry_initiate_job_t *retry_initiate_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /** RETRY_INITIATE_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/roam_job.c b/src/libcharon/processing/jobs/roam_job.c
index 951ac5ad3..0af4c6c39 100644
--- a/src/libcharon/processing/jobs/roam_job.c
+++ b/src/libcharon/processing/jobs/roam_job.c
@@ -44,7 +44,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_roam_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -82,8 +82,7 @@ METHOD(job_t, execute, void,
 		id->destroy(id);
 	}
 	list->destroy(list);
-
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/send_dpd_job.c b/src/libcharon/processing/jobs/send_dpd_job.c
index ab00d013d..d2f38b803 100644
--- a/src/libcharon/processing/jobs/send_dpd_job.c
+++ b/src/libcharon/processing/jobs/send_dpd_job.c
@@ -45,7 +45,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_send_dpd_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -63,7 +63,7 @@ METHOD(job_t, execute, void,
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c
index 5e128d478..3e3477679 100644
--- a/src/libcharon/processing/jobs/send_keepalive_job.c
+++ b/src/libcharon/processing/jobs/send_keepalive_job.c
@@ -45,7 +45,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_send_keepalive_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -57,7 +57,7 @@ METHOD(job_t, execute, void,
 		ike_sa->send_keepalive(ike_sa);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
index b65181ef8..981473b5c 100644
--- a/src/libcharon/processing/jobs/start_action_job.c
+++ b/src/libcharon/processing/jobs/start_action_job.c
@@ -36,7 +36,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_start_action_job_t *this)
 {
 	enumerator_t *enumerator, *children;
@@ -46,14 +46,9 @@ METHOD(job_t, execute, void,
 	char *name;
 
 	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-													NULL, NULL, NULL, NULL);
+											NULL, NULL, NULL, NULL, IKE_ANY);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
 	{
-		if (peer_cfg->get_ike_version(peer_cfg) != 2)
-		{
-			continue;
-		}
-
 		children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 		while (children->enumerate(children, &child_cfg))
 		{
@@ -78,7 +73,7 @@ METHOD(job_t, execute, void,
 					else
 					{
 						charon->traps->install(charon->traps, peer_cfg,
-															  child_cfg);
+											   child_cfg, 0);
 					}
 					break;
 				case ACTION_NONE:
@@ -88,7 +83,7 @@ METHOD(job_t, execute, void,
 		children->destroy(children);
 	}
 	enumerator->destroy(enumerator);
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c
index c4f6e4782..694318522 100644
--- a/src/libcharon/processing/jobs/update_sa_job.c
+++ b/src/libcharon/processing/jobs/update_sa_job.c
@@ -50,7 +50,7 @@ METHOD(job_t, destroy, void,
 	free(this);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_update_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
@@ -71,7 +71,7 @@ METHOD(job_t, execute, void,
 		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
-	destroy(this);
+	return JOB_REQUEUE_NONE;
 }
 
 METHOD(job_t, get_priority, job_priority_t,
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index e2344fcc4..55a3df83e 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -24,7 +24,7 @@
 typedef struct update_sa_job_t update_sa_job_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <processing/jobs/job.h>
 
 /**
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
new file mode 100644
index 000000000..a32b6ab12
--- /dev/null
+++ b/src/libcharon/sa/authenticator.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "authenticator.h"
+
+#include <sa/ikev2/authenticators/pubkey_authenticator.h>
+#include <sa/ikev2/authenticators/psk_authenticator.h>
+#include <sa/ikev2/authenticators/eap_authenticator.h>
+#include <sa/ikev1/authenticators/psk_v1_authenticator.h>
+#include <sa/ikev1/authenticators/pubkey_v1_authenticator.h>
+#include <sa/ikev1/authenticators/hybrid_authenticator.h>
+#include <encoding/payloads/auth_payload.h>
+
+
+ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
+	"RSA signature",
+	"pre-shared key",
+	"DSS signature");
+ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_GSPM, AUTH_DSS,
+	"ECDSA-256 signature",
+	"ECDSA-384 signature",
+	"ECDSA-521 signature",
+	"secure password method");
+ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_GSPM,
+	"XAuthInitPSK",
+	"XAuthRespPSK",
+	"XAuthInitRSA",
+	"XauthRespRSA",
+	"HybridInitRSA",
+	"HybridRespRSA",
+);
+ENUM_END(auth_method_names, AUTH_HYBRID_RESP_RSA);
+
+#ifdef USE_IKEV2
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3])
+{
+	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
+	{
+		case AUTH_CLASS_ANY:
+			/* defaults to PUBKEY */
+		case AUTH_CLASS_PUBKEY:
+			return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
+										received_nonce, sent_init, reserved);
+		case AUTH_CLASS_PSK:
+			return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
+										received_nonce, sent_init, reserved);
+		case AUTH_CLASS_EAP:
+			return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
+										received_nonce, sent_nonce,
+										received_init, sent_init, reserved);
+		default:
+			return NULL;
+	}
+}
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_verifier(
+									ike_sa_t *ike_sa, message_t *message,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3])
+{
+	auth_payload_t *auth_payload;
+
+	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+	if (auth_payload == NULL)
+	{
+		return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
+										received_nonce, sent_nonce,
+										received_init, sent_init, reserved);
+	}
+	switch (auth_payload->get_auth_method(auth_payload))
+	{
+		case AUTH_RSA:
+		case AUTH_ECDSA_256:
+		case AUTH_ECDSA_384:
+		case AUTH_ECDSA_521:
+			return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
+										sent_nonce, received_init, reserved);
+		case AUTH_PSK:
+			return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
+										sent_nonce, received_init, reserved);
+		default:
+			return NULL;
+	}
+}
+
+#endif /* USE_IKEV2 */
+
+#ifdef USE_IKEV1
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
+								auth_method_t auth_method, diffie_hellman_t *dh,
+								chunk_t dh_value, chunk_t sa_payload,
+								chunk_t id_payload)
+{
+	switch (auth_method)
+	{
+		case AUTH_PSK:
+		case AUTH_XAUTH_INIT_PSK:
+		case AUTH_XAUTH_RESP_PSK:
+			return (authenticator_t*)psk_v1_authenticator_create(ike_sa,
+										initiator, dh, dh_value, sa_payload,
+										id_payload, FALSE);
+		case AUTH_RSA:
+		case AUTH_XAUTH_INIT_RSA:
+		case AUTH_XAUTH_RESP_RSA:
+			return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
+										initiator, dh, dh_value, sa_payload,
+										id_payload, KEY_RSA);
+		case AUTH_ECDSA_256:
+		case AUTH_ECDSA_384:
+		case AUTH_ECDSA_521:
+			return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
+										initiator, dh, dh_value, sa_payload,
+										id_payload, KEY_ECDSA);
+		case AUTH_HYBRID_INIT_RSA:
+		case AUTH_HYBRID_RESP_RSA:
+			return (authenticator_t*)hybrid_authenticator_create(ike_sa,
+										initiator, dh, dh_value, sa_payload,
+										id_payload);
+		default:
+			return NULL;
+	}
+}
+
+#endif /* USE_IKEV1 */
diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h
new file mode 100644
index 000000000..914f42d9d
--- /dev/null
+++ b/src/libcharon/sa/authenticator.h
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup authenticator authenticator
+ * @{ @ingroup sa
+ */
+
+#ifndef AUTHENTICATOR_H_
+#define AUTHENTICATOR_H_
+
+typedef enum auth_method_t auth_method_t;
+typedef struct authenticator_t authenticator_t;
+
+#include <library.h>
+#include <credentials/auth_cfg.h>
+#include <sa/ike_sa.h>
+
+/**
+ * Method to use for authentication, as defined in IKEv2.
+ */
+enum auth_method_t {
+
+	/**
+	 * No authentication used.
+	 */
+	AUTH_NONE = 0,
+
+	/**
+	 * Computed as specified in section 2.15 of RFC using
+	 * an RSA private key over a PKCS#1 padded hash.
+	 */
+	AUTH_RSA = 1,
+
+	/**
+	 * Computed as specified in section 2.15 of RFC using the
+	 * shared key associated with the identity in the ID payload
+	 * and the negotiated prf function
+	 */
+	AUTH_PSK = 2,
+
+	/**
+	 * Computed as specified in section 2.15 of RFC using a
+	 * DSS private key over a SHA-1 hash.
+	 */
+	AUTH_DSS = 3,
+
+	/**
+	 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
+	 */
+	AUTH_ECDSA_256 = 9,
+
+	/**
+	 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
+	 */
+	AUTH_ECDSA_384 = 10,
+
+	/**
+	 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
+	 */
+	AUTH_ECDSA_521 = 11,
+
+	/**
+	 * Generic Secure Password Authentication Method as specified in RFC 6467
+	 */
+	AUTH_GSPM = 12,
+
+	/**
+	 * IKEv1 initiator XAUTH with PSK, outside of IANA range
+	 */
+	AUTH_XAUTH_INIT_PSK = 256,
+
+	/**
+	 * IKEv1 responder XAUTH with PSK, outside of IANA range
+	 */
+	AUTH_XAUTH_RESP_PSK,
+
+	/**
+	 * IKEv1 initiator XAUTH with RSA, outside of IANA range
+	 */
+	AUTH_XAUTH_INIT_RSA,
+
+	/**
+	 * IKEv1 responder XAUTH with RSA, outside of IANA range
+	 */
+	AUTH_XAUTH_RESP_RSA,
+
+	/**
+	 * IKEv1 initiator XAUTH, responder RSA, outside of IANA range
+	 */
+	AUTH_HYBRID_INIT_RSA,
+
+	/**
+	 * IKEv1 responder XAUTH, initiator RSA, outside of IANA range
+	 */
+	AUTH_HYBRID_RESP_RSA,
+};
+
+/**
+ * enum names for auth_method_t.
+ */
+extern enum_name_t *auth_method_names;
+
+/**
+ * Authenticator interface implemented by the various authenticators.
+ *
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
+ */
+struct authenticator_t {
+
+	/**
+	 * Process an incoming message using the authenticator.
+	 *
+	 * @param message		message containing authentication payloads
+	 * @return
+	 *						- SUCCESS if authentication successful
+	 *						- FAILED if authentication failed
+	 *						- NEED_MORE if another exchange required
+	 */
+	status_t (*process)(authenticator_t *this, message_t *message);
+
+	/**
+	 * Attach authentication data to an outgoing message.
+	 *
+	 * @param message		message to add authentication data to
+	 * @return
+	 *						- SUCCESS if authentication successful
+	 *						- FAILED if authentication failed
+	 *						- NEED_MORE if another exchange required
+	 */
+	status_t (*build)(authenticator_t *this, message_t *message);
+
+	/**
+	 * Check if the authenticator is capable of mutual authentication.
+	 *
+	 * Some authenticator authenticate both peers, e.g. EAP. To support
+	 * mutual authentication with only a single authenticator (EAP-only
+	 * authentication), it must be mutual. This method is invoked in ike_auth
+	 * to check if the given authenticator is capable of doing so.
+	 */
+	bool (*is_mutual)(authenticator_t *this);
+
+	/**
+	 * Destroy authenticator instance.
+	 */
+	void (*destroy) (authenticator_t *this);
+};
+
+/**
+ * Create an IKEv2 authenticator to build signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param cfg				authentication configuration
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of the ID payload
+ * @return					authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_builder(
+									ike_sa_t *ike_sa, auth_cfg_t *cfg,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3]);
+
+/**
+ * Create an IKEv2 authenticator to verify signatures.
+ *
+ * @param ike_sa			associated ike_sa
+ * @param message			message containing authentication data
+ * @param received_nonce	nonce received in IKE_SA_INIT
+ * @param sent_nonce		nonce sent in IKE_SA_INIT
+ * @param received_init		received IKE_SA_INIT message data
+ * @param sent_init			sent IKE_SA_INIT message data
+ * @param reserved			reserved bytes of the ID payload
+ * @return					authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_verifier(
+									ike_sa_t *ike_sa, message_t *message,
+									chunk_t received_nonce, chunk_t sent_nonce,
+									chunk_t received_init, chunk_t sent_init,
+									char reserved[3]);
+
+/**
+ * Create an IKEv1 authenticator to build and verify signatures or hash
+ * payloads.
+ *
+ * @note Due to the fixed ID, these authenticators can only be used in one
+ * direction at a time.
+ *
+ * @param ike_sa			associated IKE_SA
+ * @param initiator			TRUE if we are the IKE_SA initiator
+ * @param auth_method		negotiated authentication method to use
+ * @param dh				diffie hellman key exchange
+ * @param dh_value			others public diffie hellman value
+ * @param sa_payload		generated SA payload data, without payload header
+ * @param id_payload		encoded ID payload of peer to authenticate or verify
+ *							without payload header (gets owned)
+ * @return					authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
+								auth_method_t auth_method, diffie_hellman_t *dh,
+								chunk_t dh_value, chunk_t sa_payload,
+								chunk_t id_payload);
+
+#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
deleted file mode 100644
index 9ffe661cc..000000000
--- a/src/libcharon/sa/authenticators/authenticator.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "authenticator.h"
-
-#include <sa/authenticators/pubkey_authenticator.h>
-#include <sa/authenticators/psk_authenticator.h>
-#include <sa/authenticators/eap_authenticator.h>
-#include <encoding/payloads/auth_payload.h>
-
-
-ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
-	"RSA signature",
-	"pre-shared key",
-	"DSS signature");
-ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_GSPM, AUTH_DSS,
-	"ECDSA-256 signature",
-	"ECDSA-384 signature",
-	"ECDSA-521 signature",
-	"secure password method");
-ENUM_END(auth_method_names, AUTH_GSPM);
-
-/**
- * Described in header.
- */
-authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init,
-									char reserved[3])
-{
-	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
-	{
-		case AUTH_CLASS_ANY:
-			/* defaults to PUBKEY */
-		case AUTH_CLASS_PUBKEY:
-			return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
-										received_nonce, sent_init, reserved);
-		case AUTH_CLASS_PSK:
-			return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
-										received_nonce, sent_init, reserved);
-		case AUTH_CLASS_EAP:
-			return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
-										received_nonce, sent_nonce,
-										received_init, sent_init, reserved);
-		default:
-			return NULL;
-	}
-}
-
-/**
- * Described in header.
- */
-authenticator_t *authenticator_create_verifier(
-									ike_sa_t *ike_sa, message_t *message,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init,
-									char reserved[3])
-{
-	auth_payload_t *auth_payload;
-
-	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-	if (auth_payload == NULL)
-	{
-		return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
-										received_nonce, sent_nonce,
-										received_init, sent_init, reserved);
-	}
-	switch (auth_payload->get_auth_method(auth_payload))
-	{
-		case AUTH_RSA:
-		case AUTH_ECDSA_256:
-		case AUTH_ECDSA_384:
-		case AUTH_ECDSA_521:
-			return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
-										sent_nonce, received_init, reserved);
-		case AUTH_PSK:
-			return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
-										sent_nonce, received_init, reserved);
-		default:
-			return NULL;
-	}
-}
-
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
deleted file mode 100644
index 5042e4a73..000000000
--- a/src/libcharon/sa/authenticators/authenticator.h
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup authenticator authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef AUTHENTICATOR_H_
-#define AUTHENTICATOR_H_
-
-typedef enum auth_method_t auth_method_t;
-typedef struct authenticator_t authenticator_t;
-
-#include <library.h>
-#include <credentials/auth_cfg.h>
-#include <sa/ike_sa.h>
-
-/**
- * Method to use for authentication, as defined in IKEv2.
- */
-enum auth_method_t {
-	/**
-	 * Computed as specified in section 2.15 of RFC using
-	 * an RSA private key over a PKCS#1 padded hash.
-	 */
-	AUTH_RSA = 1,
-
-	/**
-	 * Computed as specified in section 2.15 of RFC using the
-	 * shared key associated with the identity in the ID payload
-	 * and the negotiated prf function
-	 */
-	AUTH_PSK = 2,
-
-	/**
-	 * Computed as specified in section 2.15 of RFC using a
-	 * DSS private key over a SHA-1 hash.
-	 */
-	AUTH_DSS = 3,
-
-	/**
-	 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
-	 */
-	AUTH_ECDSA_256 = 9,
-
-	/**
-	 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
-	 */
-	AUTH_ECDSA_384 = 10,
-
-	/**
-	 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
-	 */
-	AUTH_ECDSA_521 = 11,
-
-	/**
-	 * Generic Secure Password Authentication Method as specified in RFC 6467
-	 */
-	AUTH_GSPM = 12,
-
-};
-
-/**
- * enum names for auth_method_t.
- */
-extern enum_name_t *auth_method_names;
-
-/**
- * Authenticator interface implemented by the various authenticators.
- *
- * An authenticator implementation handles AUTH and EAP payloads. Received
- * messages are passed to the process() method, to send authentication data
- * the message is passed to the build() method.
- */
-struct authenticator_t {
-
-	/**
-	 * Process an incoming message using the authenticator.
-	 *
-	 * @param message		message containing authentication payloads
-	 * @return
-	 *						- SUCCESS if authentication successful
-	 *						- FAILED if authentication failed
-	 *						- NEED_MORE if another exchange required
-	 */
-	status_t (*process)(authenticator_t *this, message_t *message);
-
-	/**
-	 * Attach authentication data to an outgoing message.
-	 *
-	 * @param message		message to add authentication data to
-	 * @return
-	 *						- SUCCESS if authentication successful
-	 *						- FAILED if authentication failed
-	 *						- NEED_MORE if another exchange required
-	 */
-	status_t (*build)(authenticator_t *this, message_t *message);
-
-	/**
-	 * Check if the authenticator is capable of mutual authentication.
-	 *
-	 * Some authenticator authenticate both peers, e.g. EAP. To support
-	 * mutual authentication with only a single authenticator (EAP-only
-	 * authentication), it must be mutual. This method is invoked in ike_auth
-	 * to check if the given authenticator is capable of doing so.
-	 */
-	bool (*is_mutual)(authenticator_t *this);
-
-	/**
-	 * Destroy authenticator instance.
-	 */
-	void (*destroy) (authenticator_t *this);
-};
-
-/**
- * Create an authenticator to build signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param cfg				authentication configuration
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @param sent_init			sent IKE_SA_INIT message data
- * @param reserved			reserved bytes of the ID payload
- * @return					authenticator, NULL if not supported
- */
-authenticator_t *authenticator_create_builder(
-									ike_sa_t *ike_sa, auth_cfg_t *cfg,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init,
-									char reserved[3]);
-
-/**
- * Create an authenticator to verify signatures.
- *
- * @param ike_sa			associated ike_sa
- * @param message			message containing authentication data
- * @param received_nonce	nonce received in IKE_SA_INIT
- * @param sent_nonce		nonce sent in IKE_SA_INIT
- * @param received_init		received IKE_SA_INIT message data
- * @param sent_init			sent IKE_SA_INIT message data
- * @param reserved			reserved bytes of the ID payload
- * @return					authenticator, NULL if not supported
- */
-authenticator_t *authenticator_create_verifier(
-									ike_sa_t *ike_sa, message_t *message,
-									chunk_t received_nonce, chunk_t sent_nonce,
-									chunk_t received_init, chunk_t sent_init,
-									char reserved[3]);
-
-#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 2130a5998..46e4b6f7b 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -25,6 +25,7 @@
 
 #include <hydra.h>
 #include <daemon.h>
+#include <collections/array.h>
 
 ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
 	"CREATED",
@@ -79,14 +80,14 @@ struct private_child_sa_t {
 	u_int16_t other_cpi;
 
 	/**
-	 * List for local traffic selectors
+	 * Array for local traffic selectors
 	 */
-	linked_list_t *my_ts;
+	array_t *my_ts;
 
 	/**
-	 * List for remote traffic selectors
+	 * Array for remote traffic selectors
 	 */
-	linked_list_t *other_ts;
+	array_t *other_ts;
 
 	/**
 	 * Protocol used to protect this SA, ESP|AH
@@ -124,6 +125,11 @@ struct private_child_sa_t {
 	child_sa_state_t state;
 
 	/**
+	 * TRUE if this CHILD_SA is used to install trap policies
+	 */
+	bool trap;
+
+	/**
 	 * Specifies if UDP encapsulation is enabled (NAT traversal)
 	 */
 	bool encap;
@@ -177,6 +183,16 @@ struct private_child_sa_t {
 	 * last number of outbound bytes
 	 */
 	u_int64_t other_usebytes;
+
+	/**
+	 * last number of inbound packets
+	 */
+	u_int64_t my_usepackets;
+
+	/**
+	 * last number of outbound bytes
+	 */
+	u_int64_t other_usepackets;
 };
 
 /**
@@ -316,10 +332,14 @@ METHOD(child_sa_t, set_proposal, void,
 	this->proposal = proposal->clone(proposal);
 }
 
-METHOD(child_sa_t, get_traffic_selectors, linked_list_t*,
-	   private_child_sa_t *this, bool local)
+METHOD(child_sa_t, create_ts_enumerator, enumerator_t*,
+	private_child_sa_t *this, bool local)
 {
-	return local ? this->my_ts : this->other_ts;
+	if (local)
+	{
+		return array_create_enumerator(this->my_ts);
+	}
+	return array_create_enumerator(this->other_ts);
 }
 
 typedef struct policy_enumerator_t policy_enumerator_t;
@@ -334,8 +354,8 @@ struct policy_enumerator_t {
 	enumerator_t *mine;
 	/** enumerator over others TS */
 	enumerator_t *other;
-	/** list of others TS, to recreate enumerator */
-	linked_list_t *list;
+	/** array of others TS, to recreate enumerator */
+	array_t *array;
 	/** currently enumerating TS for "me" side */
 	traffic_selector_t *ts;
 };
@@ -351,7 +371,7 @@ METHOD(enumerator_t, policy_enumerate, bool,
 		if (!this->other->enumerate(this->other, &other_ts))
 		{	/* end of others list, restart with new of mine */
 			this->other->destroy(this->other);
-			this->other = this->list->create_enumerator(this->list);
+			this->other = array_create_enumerator(this->array);
 			this->ts = NULL;
 			continue;
 		}
@@ -390,9 +410,9 @@ METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
 			.enumerate = (void*)_policy_enumerate,
 			.destroy = _policy_destroy,
 		},
-		.mine = this->my_ts->create_enumerator(this->my_ts),
-		.other = this->other_ts->create_enumerator(this->other_ts),
-		.list = this->other_ts,
+		.mine = array_create_enumerator(this->my_ts),
+		.other = array_create_enumerator(this->other_ts),
+		.array = this->other_ts,
 		.ts = NULL,
 	);
 
@@ -408,7 +428,8 @@ METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
 static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 {
 	status_t status = FAILED;
-	u_int64_t bytes;
+	u_int64_t bytes, packets;
+	u_int32_t time;
 
 	if (inbound)
 	{
@@ -417,12 +438,17 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
 							this->other_addr, this->my_addr, this->my_spi,
 							proto_ike2ip(this->protocol), this->mark_in,
-							&bytes);
+							&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
 				{
 					this->my_usebytes = bytes;
+					this->my_usepackets = packets;
+					if (time)
+					{
+						this->my_usetime = time;
+					}
 					return SUCCESS;
 				}
 				return FAILED;
@@ -436,12 +462,17 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
 							this->my_addr, this->other_addr, this->other_spi,
 							proto_ike2ip(this->protocol), this->mark_out,
-							&bytes);
+							&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
 				{
 					this->other_usebytes = bytes;
+					this->other_usepackets = packets;
+					if (time)
+					{
+						this->other_usetime = time;
+					}
 					return SUCCESS;
 				}
 				return FAILED;
@@ -454,7 +485,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 /**
  * updates the cached usetime
  */
-static void update_usetime(private_child_sa_t *this, bool inbound)
+static bool update_usetime(private_child_sa_t *this, bool inbound)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
@@ -494,7 +525,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 
 	if (last_use == 0)
 	{
-		return;
+		return FALSE;
 	}
 	if (inbound)
 	{
@@ -504,17 +535,26 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 	{
 		this->other_usetime = last_use;
 	}
+	return TRUE;
 }
 
 METHOD(child_sa_t, get_usestats, void,
-	   private_child_sa_t *this, bool inbound, time_t *time, u_int64_t *bytes)
+	private_child_sa_t *this, bool inbound,
+	time_t *time, u_int64_t *bytes, u_int64_t *packets)
 {
-	if (update_usebytes(this, inbound) != FAILED)
+	if ((!bytes && !packets) || update_usebytes(this, inbound) != FAILED)
 	{
 		/* there was traffic since last update or the kernel interface
 		 * does not support querying the number of usebytes.
 		 */
-		update_usetime(this, inbound);
+		if (time)
+		{
+			if (!update_usetime(this, inbound) && !bytes && !packets)
+			{
+				/* if policy query did not yield a usetime, query SAs instead */
+				update_usebytes(this, inbound);
+			}
+		}
 	}
 	if (time)
 	{
@@ -524,6 +564,20 @@ METHOD(child_sa_t, get_usestats, void,
 	{
 		*bytes = inbound ? this->my_usebytes : this->other_usebytes;
 	}
+	if (packets)
+	{
+		*packets = inbound ? this->my_usepackets : this->other_usepackets;
+	}
+}
+
+METHOD(child_sa_t, get_mark, mark_t,
+	private_child_sa_t *this, bool inbound)
+{
+	if (inbound)
+	{
+		return this->mark_in;
+	}
+	return this->mark_out;
 }
 
 METHOD(child_sa_t, get_lifetime, time_t,
@@ -558,9 +612,9 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
 }
 
 METHOD(child_sa_t, install, status_t,
-	   private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
-	   u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts,
-	   linked_list_t *other_ts)
+	private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
+	u_int16_t cpi, bool initiator, bool inbound, bool tfcv3,
+	linked_list_t *my_ts, linked_list_t *other_ts)
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
 	u_int16_t esn = NO_EXT_SEQ_NUMBERS;
@@ -617,7 +671,14 @@ METHOD(child_sa_t, install, status_t,
 	now = time_monotonic(NULL);
 	if (lifetime->time.rekey)
 	{
-		this->rekey_time = now + lifetime->time.rekey;
+		if (this->rekey_time)
+		{
+			this->rekey_time = min(this->rekey_time, now + lifetime->time.rekey);
+		}
+		else
+		{
+			this->rekey_time = now + lifetime->time.rekey;
+		}
 	}
 	if (lifetime->time.life)
 	{
@@ -629,28 +690,26 @@ METHOD(child_sa_t, install, status_t,
 		lifetime->time.rekey = 0;
 	}
 
-	if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT)
+	/* BEET requires the bound address from the traffic selectors.
+	 * TODO: We add just the first traffic selector for now, as the
+	 * kernel accepts a single TS per SA only */
+	if (inbound)
 	{
-		/* BEET requires the bound address from the traffic selectors.
-		 * TODO: We add just the first traffic selector for now, as the
-		 * kernel accepts a single TS per SA only */
-		if (inbound)
-		{
-			my_ts->get_first(my_ts, (void**)&dst_ts);
-			other_ts->get_first(other_ts, (void**)&src_ts);
-		}
-		else
-		{
-			my_ts->get_first(my_ts, (void**)&src_ts);
-			other_ts->get_first(other_ts, (void**)&dst_ts);
-		}
+		my_ts->get_first(my_ts, (void**)&dst_ts);
+		other_ts->get_first(other_ts, (void**)&src_ts);
+	}
+	else
+	{
+		my_ts->get_first(my_ts, (void**)&src_ts);
+		other_ts->get_first(other_ts, (void**)&dst_ts);
 	}
 
 	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
 				src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 				inbound ? this->mark_in : this->mark_out, tfc,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
-				this->ipcomp, cpi, this->encap, esn, update, src_ts, dst_ts);
+				this->ipcomp, cpi, initiator, this->encap, esn, update,
+				src_ts, dst_ts);
 
 	free(lifetime);
 
@@ -718,13 +777,13 @@ METHOD(child_sa_t, add_policies, status_t,
 	enumerator = my_ts_list->create_enumerator(my_ts_list);
 	while (enumerator->enumerate(enumerator, &my_ts))
 	{
-		this->my_ts->insert_last(this->my_ts, my_ts->clone(my_ts));
+		array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts));
 	}
 	enumerator->destroy(enumerator);
 	enumerator = other_ts_list->create_enumerator(other_ts_list);
 	while (enumerator->enumerate(enumerator, &other_ts))
 	{
-		this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
+		array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts));
 	}
 	enumerator->destroy(enumerator);
 
@@ -757,8 +816,11 @@ METHOD(child_sa_t, add_policies, status_t,
 			other_sa.ah.spi = this->other_spi;
 		}
 
-		priority = this->state == CHILD_CREATED ? POLICY_PRIORITY_ROUTED
-												: POLICY_PRIORITY_DEFAULT;
+		/* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
+		 * entry) we install a trap policy */
+		this->trap = this->state == CHILD_CREATED;
+		priority = this->trap ? POLICY_PRIORITY_ROUTED
+							  : POLICY_PRIORITY_DEFAULT;
 
 		/* enumerate pairs of traffic selectors */
 		enumerator = create_policy_enumerator(this);
@@ -787,16 +849,32 @@ METHOD(child_sa_t, add_policies, status_t,
 		enumerator->destroy(enumerator);
 	}
 
-	if (status == SUCCESS && this->state == CHILD_CREATED)
-	{	/* switch to routed state if no SAD entry set up */
+	if (status == SUCCESS && this->trap)
+	{
 		set_state(this, CHILD_ROUTED);
 	}
 	return status;
 }
 
+/**
+ * Callback to reinstall a virtual IP
+ */
+static void reinstall_vip(host_t *vip, host_t *me)
+{
+	char *iface;
+
+	if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+											   me, &iface))
+	{
+		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
+		hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface);
+		free(iface);
+	}
+}
+
 METHOD(child_sa_t, update, status_t,
-	   private_child_sa_t *this,  host_t *me, host_t *other, host_t *vip,
-	   bool encap)
+	private_child_sa_t *this,  host_t *me, host_t *other, linked_list_t *vips,
+	bool encap)
 {
 	child_sa_state_t old;
 	bool transport_proxy_mode;
@@ -902,13 +980,7 @@ METHOD(child_sa_t, update, status_t,
 
 				/* we reinstall the virtual IP to handle interface roaming
 				 * correctly */
-				if (vip)
-				{
-					hydra->kernel_interface->del_ip(hydra->kernel_interface,
-													vip);
-					hydra->kernel_interface->add_ip(hydra->kernel_interface,
-													vip, me);
-				}
+				vips->invoke_function(vips, (void*)reinstall_vip, me);
 
 				/* reinstall updated policies */
 				install_policies_internal(this, me, other, my_ts, other_ts,
@@ -960,8 +1032,7 @@ METHOD(child_sa_t, destroy, void,
 	traffic_selector_t *my_ts, *other_ts;
 	policy_priority_t priority;
 
-	priority = this->state == CHILD_ROUTED ? POLICY_PRIORITY_ROUTED
-										   : POLICY_PRIORITY_DEFAULT;
+	priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT;
 
 	set_state(this, CHILD_DESTROYING);
 
@@ -1003,8 +1074,8 @@ METHOD(child_sa_t, destroy, void,
 		enumerator->destroy(enumerator);
 	}
 
-	this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
-	this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+	array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
+	array_destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
 	this->my_addr->destroy(this->my_addr);
 	this->other_addr->destroy(this->other_addr);
 	DESTROY_IF(this->proposal);
@@ -1013,12 +1084,47 @@ METHOD(child_sa_t, destroy, void,
 }
 
 /**
+ * Get proxy address for one side, if any
+ */
+static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
+{
+	host_t *host = NULL;
+	u_int8_t mask;
+	enumerator_t *enumerator;
+	linked_list_t *ts_list, *list;
+	traffic_selector_t *ts;
+
+	list = linked_list_create_with_items(ike, NULL);
+	ts_list = config->get_traffic_selectors(config, local, NULL, list);
+	list->destroy(list);
+
+	enumerator = ts_list->create_enumerator(ts_list);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		if (ts->is_host(ts, NULL) && ts->to_subnet(ts, &host, &mask))
+		{
+			DBG1(DBG_CHD, "%s address: %H is a transport mode proxy for %H",
+				 local ? "my" : "other", ike, host);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
+
+	if (!host)
+	{
+		host = ike->clone(ike);
+	}
+	return host;
+}
+
+/**
  * Described in header.
  */
 child_sa_t * child_sa_create(host_t *me, host_t* other,
 							 child_cfg_t *config, u_int32_t rekey, bool encap)
 {
-	static u_int32_t reqid = 0;
+	static refcount_t reqid = 0;
 	private_child_sa_t *this;
 
 	INIT(this,
@@ -1038,6 +1144,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 			.set_proposal = _set_proposal,
 			.get_lifetime = _get_lifetime,
 			.get_usestats = _get_usestats,
+			.get_mark = _get_mark,
 			.has_encap = _has_encap,
 			.get_ipcomp = _get_ipcomp,
 			.set_ipcomp = _set_ipcomp,
@@ -1050,17 +1157,15 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 			.install = _install,
 			.update = _update,
 			.add_policies = _add_policies,
-			.get_traffic_selectors = _get_traffic_selectors,
+			.create_ts_enumerator = _create_ts_enumerator,
 			.create_policy_enumerator = _create_policy_enumerator,
 			.destroy = _destroy,
 		},
-		.my_addr = me->clone(me),
-		.other_addr = other->clone(other),
 		.encap = encap,
 		.ipcomp = IPCOMP_NONE,
 		.state = CHILD_CREATED,
-		.my_ts = linked_list_create(),
-		.other_ts = linked_list_create(),
+		.my_ts = array_create(0, 0),
+		.other_ts = array_create(0, 0),
 		.protocol = PROTO_NONE,
 		.mode = MODE_TUNNEL,
 		.close_action = config->get_close_action(config),
@@ -1076,65 +1181,42 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	if (!this->reqid)
 	{
 		/* reuse old reqid if we are rekeying an existing CHILD_SA */
-		this->reqid = rekey ? rekey : ++reqid;
+		if (rekey)
+		{
+			this->reqid = rekey;
+		}
+		else
+		{
+			this->reqid = charon->traps->find_reqid(charon->traps, config);
+			if (!this->reqid)
+			{
+				this->reqid = ref_get(&reqid);
+			}
+		}
+	}
+
+	if (this->mark_in.value == MARK_REQID)
+	{
+		this->mark_in.value = this->reqid;
+	}
+	if (this->mark_out.value == MARK_REQID)
+	{
+		this->mark_out.value = this->reqid;
 	}
 
 	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
 	if (config->get_mode(config) == MODE_TRANSPORT &&
 		config->use_proxy_mode(config))
 	{
-		ts_type_t type;
-		int family;
-		chunk_t addr;
-		host_t *host;
-		enumerator_t *enumerator;
-		linked_list_t *my_ts_list, *other_ts_list;
-		traffic_selector_t *my_ts, *other_ts;
-
 		this->mode = MODE_TRANSPORT;
 
-		my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
-		enumerator = my_ts_list->create_enumerator(my_ts_list);
-		if (enumerator->enumerate(enumerator, &my_ts))
-		{
-			if (my_ts->is_host(my_ts, NULL) &&
-			   !my_ts->is_host(my_ts, this->my_addr))
-			{
-				type = my_ts->get_type(my_ts);
-				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-				addr = my_ts->get_from_address(my_ts);
-				host = host_create_from_chunk(family, addr, 0);
-				free(addr.ptr);
-				DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
-							   this->my_addr, host);
-				this->my_addr->destroy(this->my_addr);
-				this->my_addr = host;
-			}
-		}
-		enumerator->destroy(enumerator);
-		my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
-
-		other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
-		enumerator = other_ts_list->create_enumerator(other_ts_list);
-		if (enumerator->enumerate(enumerator, &other_ts))
-		{
-			if (other_ts->is_host(other_ts, NULL) &&
-			   !other_ts->is_host(other_ts, this->other_addr))
-			{
-				type = other_ts->get_type(other_ts);
-				family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-				addr = other_ts->get_from_address(other_ts);
-				host = host_create_from_chunk(family, addr, 0);
-				free(addr.ptr);
-				DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
-							   this->other_addr, host);
-				this->other_addr->destroy(this->other_addr);
-				this->other_addr = host;
-			}
-		}
-		enumerator->destroy(enumerator);
-		other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
+		this->my_addr = get_proxy_addr(config, me, TRUE);
+		this->other_addr = get_proxy_addr(config, other, FALSE);
+	}
+	else
+	{
+		this->my_addr = me->clone(me);
+		this->other_addr = other->clone(other);
 	}
-
 	return &this->public;
 }
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index f17ef01ac..ed52d60b1 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -231,7 +231,7 @@ struct child_sa_t {
 	/**
 	 * Override the DPD action specified by the CHILD_SA config.
 	 *
-	 * @param			close action to enforce
+	 * @param			dpd action to enforce
 	 */
 	void (*set_dpd_action)(child_sa_t *this, action_t action);
 
@@ -270,22 +270,34 @@ struct child_sa_t {
 	 * @param inbound		TRUE for inbound traffic, FALSE for outbound
 	 * @param[out] time		time of last use in seconds (NULL to ignore)
 	 * @param[out] bytes	number of processed bytes (NULL to ignore)
+	 * @param[out] packets	number of processed packets (NULL to ignore)
 	 */
 	void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
-						 u_int64_t *bytes);
+						 u_int64_t *bytes, u_int64_t *packets);
+
+	/**
+	 * Get the mark used with this CHILD_SA.
+	 *
+	 * @param inbound		TRUE to get inbound mark, FALSE for outbound
+	 * @return				mark used with this CHILD_SA
+	 */
+	mark_t (*get_mark)(child_sa_t *this, bool inbound);
 
 	/**
-	 * Get the traffic selectors list added for one side.
+	 * Create an enumerator over traffic selectors of one side.
 	 *
-	 * @param local		TRUE for own traffic selectors, FALSE for remote
-	 * @return			list of traffic selectors
+	 * @param local		TRUE for own traffic selectors, FALSE for remote.
+	 * @return			enumerator over traffic_selector_t*
 	 */
-	linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
+	enumerator_t* (*create_ts_enumerator)(child_sa_t *this, bool local);
 
 	/**
 	 * Create an enumerator over installed policies.
 	 *
-	 * @return			enumerator over pairs of traffic selectors.
+	 * The enumerated traffic selectors is a full mesh of compatible local
+	 * and remote traffic selectors.
+	 *
+	 * @return			enumerator over a pair of traffic_selector_t*
 	 */
 	enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
 
@@ -312,6 +324,7 @@ struct child_sa_t {
 	 * @param integ		integrity key
 	 * @param spi		SPI to use, allocated for inbound
 	 * @param cpi		CPI to use, allocated for outbound
+	 * @param initiator	TRUE if initiator of exchange resulting in this SA
 	 * @param inbound	TRUE to install an inbound SA, FALSE for outbound
 	 * @param tfcv3		TRUE if peer supports ESPv3 TFC
 	 * @param my_ts		negotiated local traffic selector list
@@ -319,7 +332,8 @@ struct child_sa_t {
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3,
+						u_int32_t spi, u_int16_t cpi,
+						bool initiator, bool inbound, bool tfcv3,
 						linked_list_t *my_ts, linked_list_t *other_ts);
 	/**
 	 * Install the policies using some traffic selectors.
@@ -338,12 +352,12 @@ struct child_sa_t {
 	 *
 	 * @param me		the new local host
 	 * @param other		the new remote host
-	 * @param vip		virtual IP, if any
-	 * @param			TRUE to use UDP encapsulation for NAT traversal
+	 * @param vips		list of local virtual IPs
+	 * @param encap		TRUE to use UDP encapsulation for NAT traversal
 	 * @return			SUCCESS or FAILED
 	 */
 	status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
-					   host_t *vip, bool encap);
+					   linked_list_t *vips, bool encap);
 	/**
 	 * Destroys a child_sa.
 	 */
diff --git a/src/libcharon/sa/eap/eap_inner_method.h b/src/libcharon/sa/eap/eap_inner_method.h
new file mode 100644
index 000000000..500852965
--- /dev/null
+++ b/src/libcharon/sa/eap/eap_inner_method.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_inner_method eap_inner_method
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_INNER_METHOD_H_
+#define EAP_INNER_METHOD_H_
+
+typedef struct eap_inner_method_t eap_inner_method_t;
+
+#include <library.h>
+
+#include "eap_method.h"
+
+/**
+ * Interface of a weak inner EAP method like EAP-TNC or PT-EAP
+ * that must be encapsulated in a strong TLS-based EAP method 
+ */
+struct eap_inner_method_t {
+
+	/*
+	 * Public EAP method interface
+	 */
+	eap_method_t eap_method;
+
+	/*
+	 * Get type of outer EAP authentication method
+	 *
+	 * @return			outer EAP authentication type
+	 */
+	eap_type_t (*get_auth_type)(eap_inner_method_t *this); 
+
+	/*
+	 * Set type of outer EAP Client/Server authentication
+	 *
+	 * @param type		outer EAP authentication type
+	 */
+	void (*set_auth_type)(eap_inner_method_t *this, eap_type_t type); 
+
+};
+
+#endif /** EAP_INNER_METHOD_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c
index bc2c4a617..1886307e9 100644
--- a/src/libcharon/sa/authenticators/eap/eap_manager.c
+++ b/src/libcharon/sa/eap/eap_manager.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -15,7 +16,7 @@
 
 #include "eap_manager.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_eap_manager_t private_eap_manager_t;
@@ -104,6 +105,44 @@ METHOD(eap_manager_t, remove_method, void,
 	this->lock->unlock(this->lock);
 }
 
+/**
+ * filter the registered methods
+ */
+static bool filter_methods(uintptr_t role, eap_entry_t **entry,
+						   eap_type_t *type, void *in, u_int32_t *vendor)
+{
+	if ((*entry)->role != (eap_role_t)role)
+	{
+		return FALSE;
+	}
+	if ((*entry)->vendor == 0 &&
+	   ((*entry)->type < 4 || (*entry)->type == EAP_EXPANDED ||
+	    (*entry)->type > EAP_EXPERIMENTAL))
+	{	/* filter invalid types */
+		return FALSE;
+	}
+	if (type)
+	{
+		*type = (*entry)->type;
+	}
+	if (vendor)
+	{
+		*vendor = (*entry)->vendor;
+	}
+	return TRUE;
+}
+
+METHOD(eap_manager_t, create_enumerator, enumerator_t*,
+	private_eap_manager_t *this, eap_role_t role)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_cleaner(
+				enumerator_create_filter(
+					this->methods->create_enumerator(this->methods),
+					(void*)filter_methods, (void*)(uintptr_t)role, NULL),
+				(void*)this->lock->unlock, this->lock);
+}
+
 METHOD(eap_manager_t, create_instance, eap_method_t*,
 	private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
 	eap_role_t role, identification_t *server, identification_t *peer)
@@ -150,6 +189,7 @@ eap_manager_t *eap_manager_create()
 			.public = {
 				.add_method = _add_method,
 				.remove_method = _remove_method,
+				.create_enumerator = _create_enumerator,
 				.create_instance = _create_instance,
 				.destroy = _destroy,
 			},
@@ -159,4 +199,3 @@ eap_manager_t *eap_manager_create()
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h
index 0333fb6da..e318ef57a 100644
--- a/src/libcharon/sa/authenticators/eap/eap_manager.h
+++ b/src/libcharon/sa/eap/eap_manager.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,7 +22,7 @@
 #ifndef EAP_MANAGER_H_
 #define EAP_MANAGER_H_
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/eap/eap_method.h>
 
 typedef struct eap_manager_t eap_manager_t;
 
@@ -54,6 +55,17 @@ struct eap_manager_t {
 	void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor);
 
 	/**
+	 * Enumerate the registered EAP authentication methods for the given role.
+	 *
+	 * @note Only authentication types are enumerated (e.g. EAP-Identity is not
+	 * even though it is registered as method with this manager).
+	 *
+	 * @param role			EAP role of methods to enumerate
+	 * @return				enumerator over (eap_type_t type, u_int32_t vendor)
+	 */
+	enumerator_t* (*create_enumerator)(eap_manager_t *this, eap_role_t role);
+
+	/**
 	 * Create a new EAP method instance.
 	 *
 	 * @param type			type of the EAP method
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/eap/eap_method.c
index a05e8c59a..a05e8c59a 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.c
+++ b/src/libcharon/sa/eap/eap_method.c
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
index 6242a5a6e..6242a5a6e 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.h
+++ b/src/libcharon/sa/eap/eap_method.h
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 07d19381d..2f4e1123c 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -26,34 +26,18 @@
 #include <library.h>
 #include <hydra.h>
 #include <daemon.h>
-#include <utils/linked_list.h>
+#include <collections/array.h>
 #include <utils/lexparser.h>
-#include <sa/task_manager.h>
-#include <sa/tasks/ike_init.h>
-#include <sa/tasks/ike_natd.h>
-#include <sa/tasks/ike_mobike.h>
-#include <sa/tasks/ike_auth.h>
-#include <sa/tasks/ike_auth_lifetime.h>
-#include <sa/tasks/ike_config.h>
-#include <sa/tasks/ike_cert_pre.h>
-#include <sa/tasks/ike_cert_post.h>
-#include <sa/tasks/ike_rekey.h>
-#include <sa/tasks/ike_reauth.h>
-#include <sa/tasks/ike_delete.h>
-#include <sa/tasks/ike_dpd.h>
-#include <sa/tasks/ike_vendor.h>
-#include <sa/tasks/child_create.h>
-#include <sa/tasks/child_delete.h>
-#include <sa/tasks/child_rekey.h>
 #include <processing/jobs/retransmit_job.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/send_dpd_job.h>
 #include <processing/jobs/send_keepalive_job.h>
 #include <processing/jobs/rekey_ike_sa_job.h>
-#include <encoding/payloads/unknown_payload.h>
+#include <processing/jobs/retry_initiate_job.h>
+#include <sa/ikev2/tasks/ike_auth_lifetime.h>
 
 #ifdef ME
-#include <sa/tasks/ike_me.h>
+#include <sa/ikev2/tasks/ike_me.h>
 #include <processing/jobs/initiate_mediation_job.h>
 #endif
 
@@ -86,6 +70,11 @@ struct private_ike_sa_t {
 	ike_sa_id_t *ike_sa_id;
 
 	/**
+	 * IKE version of this SA.
+	 */
+	ike_version_t version;
+
+	/**
 	 * unique numerical ID for this IKE_SA.
 	 */
 	u_int32_t unique_id;
@@ -106,24 +95,24 @@ struct private_ike_sa_t {
 	peer_cfg_t *peer_cfg;
 
 	/**
-	 * currently used authentication ruleset, local (as auth_cfg_t)
+	 * currently used authentication ruleset, local
 	 */
 	auth_cfg_t *my_auth;
 
 	/**
-	 * list of completed local authentication rounds
+	 * currently used authentication constraints, remote
 	 */
-	linked_list_t *my_auths;
+	auth_cfg_t *other_auth;
 
 	/**
-	 * list of completed remote authentication rounds
+	 * Array of completed local authentication rounds (as auth_cfg_t)
 	 */
-	linked_list_t *other_auths;
+	array_t *my_auths;
 
 	/**
-	 * currently used authentication constraints, remote (as auth_cfg_t)
+	 * Array of completed remote authentication rounds (as auth_cfg_t)
 	 */
-	auth_cfg_t *other_auth;
+	array_t *other_auths;
 
 	/**
 	 * Selected IKE proposal
@@ -183,9 +172,9 @@ struct private_ike_sa_t {
 	ike_condition_t conditions;
 
 	/**
-	 * Linked List containing the child sa's of the current IKE_SA.
+	 * Array containing the child sa's of the current IKE_SA.
 	 */
-	linked_list_t *child_sas;
+	array_t *child_sas;
 
 	/**
 	 * keymat of this IKE_SA
@@ -193,24 +182,24 @@ struct private_ike_sa_t {
 	keymat_t *keymat;
 
 	/**
-	 * Virtual IP on local host, if any
+	 * Virtual IPs on local host
 	 */
-	host_t *my_virtual_ip;
+	array_t *my_vips;
 
 	/**
-	 * Virtual IP on remote host, if any
+	 * Virtual IPs on remote host
 	 */
-	host_t *other_virtual_ip;
+	array_t *other_vips;
 
 	/**
 	 * List of configuration attributes (attribute_entry_t)
 	 */
-	linked_list_t *attributes;
+	array_t *attributes;
 
 	/**
 	 * list of peer's addresses, additional ones transmitted via MOBIKE
 	 */
-	linked_list_t *peer_addresses;
+	array_t *peer_addresses;
 
 	/**
 	 * previously value of received DESTINATION_IP hash
@@ -228,6 +217,17 @@ struct private_ike_sa_t {
 	u_int32_t keepalive_interval;
 
 	/**
+	 * interval for retries during initiation (e.g. if DNS resolution failed),
+	 * 0 to disable (default)
+	 */
+	u_int32_t retry_initiate_interval;
+
+	/**
+	 * TRUE if a retry_initiate_job has been queued
+	 */
+	bool retry_initiate_queued;
+
+	/**
 	 * Timestamps for this IKE_SA
 	 */
 	u_int32_t stats[STAT_MAX];
@@ -248,9 +248,9 @@ struct private_ike_sa_t {
 	host_t *remote_host;
 
 	/**
-	 * TRUE if we are currently reauthenticating this IKE_SA
+	 * Flush auth configs once established?
 	 */
-	bool is_reauthenticating;
+	bool flush_auth_cfg;
 };
 
 /**
@@ -282,10 +282,11 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 	{
 		use_time = this->stats[STAT_OUTBOUND];
 	}
-	enumerator = this->child_sas->create_enumerator(this->child_sas);
+
+	enumerator = array_create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, &child_sa))
 	{
-		child_sa->get_usestats(child_sa, inbound, &current, NULL);
+		child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
 		use_time = max(use_time, current);
 	}
 	enumerator->destroy(enumerator);
@@ -319,6 +320,15 @@ METHOD(ike_sa_t, get_statistic, u_int32_t,
 	return 0;
 }
 
+METHOD(ike_sa_t, set_statistic, void,
+	private_ike_sa_t *this, statistic_t kind, u_int32_t value)
+{
+	if (kind < STAT_MAX)
+	{
+		this->stats[kind] = value;
+	}
+}
+
 METHOD(ike_sa_t, get_my_host, host_t*,
 	private_ike_sa_t *this)
 {
@@ -380,11 +390,11 @@ METHOD(ike_sa_t, add_auth_cfg, void,
 {
 	if (local)
 	{
-		this->my_auths->insert_last(this->my_auths, cfg);
+		array_insert(this->my_auths, ARRAY_TAIL, cfg);
 	}
 	else
 	{
-		this->other_auths->insert_last(this->other_auths, cfg);
+		array_insert(this->other_auths, ARRAY_TAIL, cfg);
 	}
 }
 
@@ -393,9 +403,9 @@ METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
 {
 	if (local)
 	{
-		return this->my_auths->create_enumerator(this->my_auths);
+		return array_create_enumerator(this->my_auths);
 	}
-	return this->other_auths->create_enumerator(this->other_auths);
+	return array_create_enumerator(this->other_auths);
 }
 
 /**
@@ -405,13 +415,14 @@ static void flush_auth_cfgs(private_ike_sa_t *this)
 {
 	auth_cfg_t *cfg;
 
-	while (this->my_auths->remove_last(this->my_auths,
-									   (void**)&cfg) == SUCCESS)
+	this->my_auth->purge(this->my_auth, FALSE);
+	this->other_auth->purge(this->other_auth, FALSE);
+
+	while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
 	{
 		cfg->destroy(cfg);
 	}
-	while (this->other_auths->remove_last(this->other_auths,
-										  (void**)&cfg) == SUCCESS)
+	while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
 	{
 		cfg->destroy(cfg);
 	}
@@ -471,8 +482,8 @@ METHOD(ike_sa_t, send_keepalive, void,
 		data.ptr[0] = 0xFF;
 		data.len = 1;
 		packet->set_data(packet, data);
-		DBG1(DBG_IKE, "sending keep alive");
-		charon->sender->send(charon->sender, packet);
+		DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
+		charon->sender->send_no_marker(charon->sender, packet);
 		diff = 0;
 	}
 	job = send_keepalive_job_create(this->ike_sa_id);
@@ -563,6 +574,7 @@ METHOD(ike_sa_t, send_dpd, status_t,
 {
 	job_t *job;
 	time_t diff, delay;
+	bool task_queued = FALSE;
 
 	if (this->state == IKE_PASSIVE)
 	{
@@ -583,27 +595,11 @@ METHOD(ike_sa_t, send_dpd, status_t,
 		diff = now - last_in;
 		if (!delay || diff >= delay)
 		{
-			/* to long ago, initiate dead peer detection */
-			task_t *task;
-			ike_mobike_t *mobike;
-
-			if (supports_extension(this, EXT_MOBIKE) &&
-				has_condition(this, COND_NAT_HERE))
-			{
-				/* use mobike enabled DPD to detect NAT mapping changes */
-				mobike = ike_mobike_create(&this->public, TRUE);
-				mobike->dpd(mobike);
-				task = &mobike->task;
-			}
-			else
-			{
-				task = (task_t*)ike_dpd_create(TRUE);
-			}
-			diff = 0;
+			/* too long ago, initiate dead peer detection */
 			DBG1(DBG_IKE, "sending DPD request");
-
-			this->task_manager->queue_task(this->task_manager, task);
-			this->task_manager->initiate(this->task_manager);
+			this->task_manager->queue_dpd(this->task_manager);
+			task_queued = TRUE;
+			diff = 0;
 		}
 	}
 	/* recheck in "interval" seconds */
@@ -612,6 +608,10 @@ METHOD(ike_sa_t, send_dpd, status_t,
 		job = (job_t*)send_dpd_job_create(this->ike_sa_id);
 		lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
 	}
+	if (task_queued)
+	{
+		return this->task_manager->initiate(this->task_manager);
+	}
 	return SUCCESS;
 }
 
@@ -646,7 +646,7 @@ METHOD(ike_sa_t, set_state, void,
 
 				/* schedule rekeying if we have a time which is smaller than
 				 * an already scheduled rekeying */
-				t = this->peer_cfg->get_rekey_time(this->peer_cfg);
+				t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
 				if (t && (this->stats[STAT_REKEY] == 0 ||
 					(this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
 				{
@@ -655,7 +655,7 @@ METHOD(ike_sa_t, set_state, void,
 					lib->scheduler->schedule_job(lib->scheduler, job, t);
 					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
 				}
-				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
+				t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
 				if (t && (this->stats[STAT_REAUTH] == 0 ||
 					(this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
 				{
@@ -698,7 +698,14 @@ METHOD(ike_sa_t, set_state, void,
 
 	if (trigger_dpd)
 	{
-		send_dpd(this);
+		if (supports_extension(this, EXT_DPD))
+		{
+			send_dpd(this);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "DPD not supported by peer, disabled");
+		}
 	}
 }
 
@@ -716,7 +723,8 @@ METHOD(ike_sa_t, reset, void,
 	flush_auth_cfgs(this);
 
 	this->keymat->destroy(this->keymat);
-	this->keymat = keymat_create(this->ike_sa_id->is_initiator(this->ike_sa_id));
+	this->keymat = keymat_create(this->version,
+							this->ike_sa_id->is_initiator(this->ike_sa_id));
 
 	this->task_manager->reset(this->task_manager, 0, 0);
 }
@@ -727,62 +735,84 @@ METHOD(ike_sa_t, get_keymat, keymat_t*,
 	return this->keymat;
 }
 
-METHOD(ike_sa_t, set_virtual_ip, void,
+METHOD(ike_sa_t, add_virtual_ip, void,
 	private_ike_sa_t *this, bool local, host_t *ip)
 {
 	if (local)
 	{
-		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-		if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
-											this->my_host) == SUCCESS)
+		char *iface;
+
+		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												   this->my_host, &iface))
 		{
-			if (this->my_virtual_ip)
+			DBG1(DBG_IKE, "installing new virtual IP %H", ip);
+			if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
+												ip, -1, iface) == SUCCESS)
+			{
+				array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
+			}
+			else
 			{
-				DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
-				hydra->kernel_interface->del_ip(hydra->kernel_interface,
-												this->my_virtual_ip);
+				DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
 			}
-			DESTROY_IF(this->my_virtual_ip);
-			this->my_virtual_ip = ip->clone(ip);
+			free(iface);
 		}
 		else
 		{
-			DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
-			this->my_virtual_ip = NULL;
+			DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
 		}
 	}
 	else
 	{
-		DESTROY_IF(this->other_virtual_ip);
-		this->other_virtual_ip = ip->clone(ip);
+		array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
 	}
 }
 
-METHOD(ike_sa_t, get_virtual_ip, host_t*,
+
+METHOD(ike_sa_t, clear_virtual_ips, void,
 	private_ike_sa_t *this, bool local)
 {
-	if (local)
+	array_t *vips;
+	host_t *vip;
+
+	vips = local ? this->my_vips : this->other_vips;
+	if (!local && array_count(vips))
 	{
-		return this->my_virtual_ip;
+		charon->bus->assign_vips(charon->bus, &this->public, FALSE);
 	}
-	else
+	while (array_remove(vips, ARRAY_HEAD, &vip))
+	{
+		if (local)
+		{
+			hydra->kernel_interface->del_ip(hydra->kernel_interface,
+											vip, -1, TRUE);
+		}
+		vip->destroy(vip);
+	}
+}
+
+METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
+	private_ike_sa_t *this, bool local)
+{
+	if (local)
 	{
-		return this->other_virtual_ip;
+		return array_create_enumerator(this->my_vips);
 	}
+	return array_create_enumerator(this->other_vips);
 }
 
 METHOD(ike_sa_t, add_peer_address, void,
 	private_ike_sa_t *this, host_t *host)
 {
-	this->peer_addresses->insert_last(this->peer_addresses, host);
+	array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
 }
 
 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
 	private_ike_sa_t *this)
 {
-	if (this->peer_addresses->get_count(this->peer_addresses))
+	if (this->peer_addresses)
 	{
-		return this->peer_addresses->create_enumerator(this->peer_addresses);
+		return array_create_enumerator(this->peer_addresses);
 	}
 	/* in case we don't have MOBIKE */
 	return enumerator_create_single(this->other_host, NULL);
@@ -791,17 +821,8 @@ METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
 METHOD(ike_sa_t, clear_peer_addresses, void,
 	private_ike_sa_t *this)
 {
-	enumerator_t *enumerator;
-	host_t *host;
-
-	enumerator = this->peer_addresses->create_enumerator(this->peer_addresses);
-	while (enumerator->enumerate(enumerator, (void**)&host))
-	{
-		this->peer_addresses->remove_at(this->peer_addresses,
-										enumerator);
-		host->destroy(host);
-	}
-	enumerator->destroy(enumerator);
+	array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
+	this->peer_addresses = NULL;
 }
 
 METHOD(ike_sa_t, has_mapping_changed, bool,
@@ -837,9 +858,11 @@ METHOD(ike_sa_t, float_ports, void,
 	   private_ike_sa_t *this)
 {
 	/* do not switch if we have a custom port from MOBIKE/NAT */
-	if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+	if (this->my_host->get_port(this->my_host) ==
+			charon->socket->get_port(charon->socket, FALSE))
 	{
-		this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
+		this->my_host->set_port(this->my_host,
+								charon->socket->get_port(charon->socket, TRUE));
 	}
 	if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
 	{
@@ -872,7 +895,7 @@ METHOD(ike_sa_t, update_hosts, void,
 	else
 	{
 		/* update our address in any case */
-		if (!me->equals(me, this->my_host))
+		if (force && !me->equals(me, this->my_host))
 		{
 			set_my_host(this, me->clone(me));
 			update = TRUE;
@@ -881,7 +904,8 @@ METHOD(ike_sa_t, update_hosts, void,
 		if (!other->equals(other, this->other_host))
 		{
 			/* update others address if we are NOT NATed */
-			if (force || !has_condition(this, COND_NAT_HERE))
+			if ((has_condition(this, COND_NAT_THERE) &&
+				 !has_condition(this, COND_NAT_HERE)) || force )
 			{
 				set_other_host(this, other->clone(other));
 				update = TRUE;
@@ -894,13 +918,16 @@ METHOD(ike_sa_t, update_hosts, void,
 	{
 		enumerator_t *enumerator;
 		child_sa_t *child_sa;
+		linked_list_t *vips;
 
-		enumerator = this->child_sas->create_enumerator(this->child_sas);
-		while (enumerator->enumerate(enumerator, (void**)&child_sa))
+		vips = linked_list_create_from_enumerator(
+									array_create_enumerator(this->my_vips));
+
+		enumerator = array_create_enumerator(this->child_sas);
+		while (enumerator->enumerate(enumerator, &child_sa))
 		{
-			if (child_sa->update(child_sa, this->my_host,
-						this->other_host, this->my_virtual_ip,
-						has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
+			if (child_sa->update(child_sa, this->my_host, this->other_host,
+					vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
 			{
 				this->public.rekey_child_sa(&this->public,
 						child_sa->get_protocol(child_sa),
@@ -908,57 +935,55 @@ METHOD(ike_sa_t, update_hosts, void,
 			}
 		}
 		enumerator->destroy(enumerator);
-	}
-}
 
-METHOD(ike_sa_t, generate_message, status_t,
-	private_ike_sa_t *this, message_t *message, packet_t **packet)
-{
-	if (message->is_encoded(message))
-	{	/* already done */
-		*packet = message->get_packet(message);
-		return SUCCESS;
+		vips->destroy(vips);
 	}
-	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
-	message->set_ike_sa_id(message, this->ike_sa_id);
-	charon->bus->message(charon->bus, message, FALSE);
-	return message->generate(message,
-				this->keymat->get_aead(this->keymat, FALSE), packet);
 }
 
 /**
- * send a notify back to the sender
+ * Set configured DSCP value on packet
  */
-static void send_notify_response(private_ike_sa_t *this, message_t *request,
-								 notify_type_t type, chunk_t data)
+static void set_dscp(private_ike_sa_t *this, packet_t *packet)
 {
-	message_t *response;
-	packet_t *packet;
+	ike_cfg_t *ike_cfg;
 
-	response = message_create();
-	response->set_exchange_type(response, request->get_exchange_type(request));
-	response->set_request(response, FALSE);
-	response->set_message_id(response, request->get_message_id(request));
-	response->add_notify(response, FALSE, type, data);
-	if (this->my_host->is_anyaddr(this->my_host))
+	/* prefer IKE config on peer_cfg, as its selection is more accurate
+	 * then the initial IKE config */
+	if (this->peer_cfg)
 	{
-		this->my_host->destroy(this->my_host);
-		this->my_host = request->get_destination(request);
-		this->my_host = this->my_host->clone(this->my_host);
+		ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
 	}
-	if (this->other_host->is_anyaddr(this->other_host))
+	else
 	{
-		this->other_host->destroy(this->other_host);
-		this->other_host = request->get_source(request);
-		this->other_host = this->other_host->clone(this->other_host);
+		ike_cfg = this->ike_cfg;
+	}
+	if (ike_cfg)
+	{
+		packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
+	}
+}
+
+METHOD(ike_sa_t, generate_message, status_t,
+	private_ike_sa_t *this, message_t *message, packet_t **packet)
+{
+	status_t status;
+
+	if (message->is_encoded(message))
+	{	/* already encoded in task, but set DSCP value */
+		*packet = message->get_packet(message);
+		set_dscp(this, *packet);
+		return SUCCESS;
 	}
-	response->set_source(response, this->my_host->clone(this->my_host));
-	response->set_destination(response, this->other_host->clone(this->other_host));
-	if (generate_message(this, response, &packet) == SUCCESS)
+	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
+	message->set_ike_sa_id(message, this->ike_sa_id);
+	charon->bus->message(charon->bus, message, FALSE, TRUE);
+	status = message->generate(message, this->keymat, packet);
+	if (status == SUCCESS)
 	{
-		charon->sender->send(charon->sender, packet);
+		set_dscp(this, *packet);
+		charon->bus->message(charon->bus, message, FALSE, FALSE);
 	}
-	response->destroy(response);
+	return status;
 }
 
 METHOD(ike_sa_t, set_kmaddress, void,
@@ -1052,6 +1077,20 @@ METHOD(ike_sa_t, initiate_mediated, status_t,
 static void resolve_hosts(private_ike_sa_t *this)
 {
 	host_t *host;
+	int family = 0;
+
+	switch (charon->socket->supported_families(charon->socket))
+	{
+		case SOCKET_FAMILY_IPV4:
+			family = AF_INET;
+			break;
+		case SOCKET_FAMILY_IPV6:
+			family = AF_INET6;
+			break;
+		case SOCKET_FAMILY_BOTH:
+		case SOCKET_FAMILY_NONE:
+			break;
+	}
 
 	if (this->remote_host)
 	{
@@ -1060,8 +1099,12 @@ static void resolve_hosts(private_ike_sa_t *this)
 	}
 	else
 	{
-		host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
-								0, this->ike_cfg->get_other_port(this->ike_cfg));
+		char *other_addr;
+		u_int16_t other_port;
+
+		other_addr = this->ike_cfg->get_other_addr(this->ike_cfg, NULL);
+		other_port = this->ike_cfg->get_other_port(this->ike_cfg);
+		host = host_create_from_dns(other_addr, family, other_port);
 	}
 	if (host)
 	{
@@ -1071,19 +1114,21 @@ static void resolve_hosts(private_ike_sa_t *this)
 	if (this->local_host)
 	{
 		host = this->local_host->clone(this->local_host);
-		host->set_port(host, IKEV2_UDP_PORT);
+		host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
 	}
 	else
 	{
-		int family = 0;
+		char *my_addr;
+		u_int16_t my_port;
 
 		/* use same address family as for other */
 		if (!this->other_host->is_anyaddr(this->other_host))
 		{
 			family = this->other_host->get_family(this->other_host);
 		}
-		host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
-							family, this->ike_cfg->get_my_port(this->ike_cfg));
+		my_addr = this->ike_cfg->get_my_addr(this->ike_cfg, NULL);
+		my_port = this->ike_cfg->get_my_port(this->ike_cfg);
+		host = host_create_from_dns(my_addr, family, my_port);
 
 		if (host && host->is_anyaddr(host) &&
 			!this->other_host->is_anyaddr(this->other_host))
@@ -1097,9 +1142,7 @@ static void resolve_hosts(private_ike_sa_t *this)
 			}
 			else
 			{	/* fallback to address family specific %any(6), if configured */
-				host = host_create_from_dns(
-								this->ike_cfg->get_my_addr(this->ike_cfg),
-								0, this->ike_cfg->get_my_port(this->ike_cfg));
+				host = host_create_from_dns(my_addr, family, my_port);
 			}
 		}
 	}
@@ -1113,7 +1156,7 @@ METHOD(ike_sa_t, initiate, status_t,
 	private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
 	traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
-	task_t *task;
+	bool defer_initiate = FALSE;
 
 	if (this->state == IKE_CREATED)
 	{
@@ -1129,39 +1172,31 @@ METHOD(ike_sa_t, initiate, status_t,
 #endif /* ME */
 			)
 		{
-			child_cfg->destroy(child_cfg);
-			DBG1(DBG_IKE, "unable to initiate to %%any");
-			charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
-			return DESTROY_ME;
+			char *addr = this->ike_cfg->get_other_addr(this->ike_cfg, NULL);
+			bool is_anyaddr = streq(addr, "%any") || streq(addr, "%any6");
+
+			if (is_anyaddr || !this->retry_initiate_interval)
+			{
+				if (is_anyaddr)
+				{
+					DBG1(DBG_IKE, "unable to initiate to %s", addr);
+				}
+				else
+				{
+					DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
+						 addr);
+				}
+				DESTROY_IF(child_cfg);
+				charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
+				return DESTROY_ME;
+			}
+			DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
+				 addr, this->retry_initiate_interval);
+			defer_initiate = TRUE;
 		}
 
 		set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
-
-		task = (task_t*)ike_vendor_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_natd_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_auth_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_cert_post_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_config_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		if (this->peer_cfg->use_mobike(this->peer_cfg))
-		{
-			task = (task_t*)ike_mobike_create(&this->public, TRUE);
-			this->task_manager->queue_task(this->task_manager, task);
-		}
-#ifdef ME
-		task = (task_t*)ike_me_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-#endif /* ME */
+		this->task_manager->queue_ike(this->task_manager);
 	}
 
 #ifdef ME
@@ -1178,18 +1213,11 @@ METHOD(ike_sa_t, initiate, status_t,
 	}
 	else
 #endif /* ME */
+	if (child_cfg)
 	{
 		/* normal IKE_SA with CHILD_SA */
-		task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
-											tsi, tsr);
-		child_cfg->destroy(child_cfg);
-		if (reqid)
-		{
-			child_create_t *child_create = (child_create_t*)task;
-			child_create->use_reqid(child_create, reqid);
-		}
-		this->task_manager->queue_task(this->task_manager, task);
-
+		this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
+										tsi, tsr);
 #ifdef ME
 		if (this->peer_cfg->get_mediated_by(this->peer_cfg))
 		{
@@ -1201,135 +1229,57 @@ METHOD(ike_sa_t, initiate, status_t,
 #endif /* ME */
 	}
 
+	if (defer_initiate)
+	{
+		if (!this->retry_initiate_queued)
+		{
+			job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
+			lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
+										 this->retry_initiate_interval);
+			this->retry_initiate_queued = TRUE;
+		}
+		return SUCCESS;
+	}
+	this->retry_initiate_queued = FALSE;
 	return this->task_manager->initiate(this->task_manager);
 }
 
+METHOD(ike_sa_t, retry_initiate, status_t,
+	private_ike_sa_t *this)
+{
+	if (this->retry_initiate_queued)
+	{
+		this->retry_initiate_queued = FALSE;
+		return initiate(this, NULL, 0, NULL, NULL);
+	}
+	return SUCCESS;
+}
+
 METHOD(ike_sa_t, process_message, status_t,
 	private_ike_sa_t *this, message_t *message)
 {
 	status_t status;
-	bool is_request;
-	u_int8_t type = 0;
 
 	if (this->state == IKE_PASSIVE)
 	{	/* do not handle messages in passive state */
 		return FAILED;
 	}
-
-	is_request = message->get_request(message);
-
-	status = message->parse_body(message,
-								 this->keymat->get_aead(this->keymat, TRUE));
-	if (status == SUCCESS)
-	{	/* check for unsupported critical payloads */
-		enumerator_t *enumerator;
-		unknown_payload_t *unknown;
-		payload_t *payload;
-
-		enumerator = message->create_payload_enumerator(message);
-		while (enumerator->enumerate(enumerator, &payload))
-		{
-			unknown = (unknown_payload_t*)payload;
-			type = payload->get_type(payload);
-			if (!payload_is_known(type) &&
-				unknown->is_critical(unknown))
-			{
-				DBG1(DBG_ENC, "payload type %N is not supported, "
-					 "but its critical!", payload_type_names, type);
-				status = NOT_SUPPORTED;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	if (status != SUCCESS)
+	if (message->get_major_version(message) != this->version)
 	{
-		if (is_request)
-		{
-			switch (status)
-			{
-				case NOT_SUPPORTED:
-					DBG1(DBG_IKE, "critical unknown payloads found");
-					if (is_request)
-					{
-						send_notify_response(this, message,
-											 UNSUPPORTED_CRITICAL_PAYLOAD,
-											 chunk_from_thing(type));
-						this->task_manager->incr_mid(this->task_manager, FALSE);
-					}
-					break;
-				case PARSE_ERROR:
-					DBG1(DBG_IKE, "message parsing failed");
-					if (is_request)
-					{
-						send_notify_response(this, message,
-											 INVALID_SYNTAX, chunk_empty);
-						this->task_manager->incr_mid(this->task_manager, FALSE);
-					}
-					break;
-				case VERIFY_ERROR:
-					DBG1(DBG_IKE, "message verification failed");
-					if (is_request)
-					{
-						send_notify_response(this, message,
-											 INVALID_SYNTAX, chunk_empty);
-						this->task_manager->incr_mid(this->task_manager, FALSE);
-					}
-					break;
-				case FAILED:
-					DBG1(DBG_IKE, "integrity check failed");
-					/* ignored */
-					break;
-				case INVALID_STATE:
-					DBG1(DBG_IKE, "found encrypted message, but no keys available");
-				default:
-					break;
-			}
-		}
-		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
+		DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
 			 exchange_type_names, message->get_exchange_type(message),
-			 message->get_request(message) ? "request" : "response",
-			 message->get_message_id(message));
-
-		if (this->state == IKE_CREATED)
-		{	/* invalid initiation attempt, close SA */
-			return DESTROY_ME;
-		}
+			 message->get_major_version(message),
+			 ike_version_names, this->version);
+		/* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
+		 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
+		return FAILED;
 	}
-	else
+	status = this->task_manager->process_message(this->task_manager, message);
+	if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
 	{
-		/* if this IKE_SA is virgin, we check for a config */
-		if (this->ike_cfg == NULL)
-		{
-			job_t *job;
-			host_t *me = message->get_destination(message),
-				   *other = message->get_source(message);
-			this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
-														  me, other);
-			if (this->ike_cfg == NULL)
-			{
-				/* no config found for these hosts, destroy */
-				DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
-					 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
-				send_notify_response(this, message,
-									 NO_PROPOSAL_CHOSEN, chunk_empty);
-				return DESTROY_ME;
-			}
-			/* add a timeout if peer does not establish it completely */
-			job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
-			lib->scheduler->schedule_job(lib->scheduler, job,
-					lib->settings->get_int(lib->settings,
-						"charon.half_open_timeout",  HALF_OPEN_IKE_SA_TIMEOUT));
-		}
-		this->stats[STAT_INBOUND] = time_monotonic(NULL);
-		status = this->task_manager->process_message(this->task_manager,
-													 message);
-		if (message->get_exchange_type(message) == IKE_AUTH &&
-			this->state == IKE_ESTABLISHED &&
-			lib->settings->get_bool(lib->settings,
-									"charon.flush_auth_cfg", FALSE))
-		{	/* authentication completed */
-			flush_auth_cfgs(this);
-		}
+		/* authentication completed */
+		this->flush_auth_cfg = FALSE;
+		flush_auth_cfgs(this);
 	}
 	return status;
 }
@@ -1340,6 +1290,12 @@ METHOD(ike_sa_t, get_id, ike_sa_id_t*,
 	return this->ike_sa_id;
 }
 
+METHOD(ike_sa_t, get_version, ike_version_t,
+	private_ike_sa_t *this)
+{
+	return this->version;
+}
+
 METHOD(ike_sa_t, get_my_id, identification_t*,
 	private_ike_sa_t *this)
 {
@@ -1366,13 +1322,17 @@ METHOD(ike_sa_t, get_other_eap_id, identification_t*,
 	enumerator_t *enumerator;
 	auth_cfg_t *cfg;
 
-	enumerator = this->other_auths->create_enumerator(this->other_auths);
+	enumerator = array_create_enumerator(this->other_auths);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
 		/* prefer EAP-Identity of last round */
 		current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
 		if (!current || current->get_type(current) == ID_ANY)
 		{
+			current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
+		}
+		if (!current || current->get_type(current) == ID_ANY)
+		{
 			current = cfg->get(cfg, AUTH_RULE_IDENTITY);
 		}
 		if (current && current->get_type(current) != ID_ANY)
@@ -1399,7 +1359,7 @@ METHOD(ike_sa_t, set_other_id, void,
 METHOD(ike_sa_t, add_child_sa, void,
 	private_ike_sa_t *this, child_sa_t *child_sa)
 {
-	this->child_sas->insert_last(this->child_sas, child_sa);
+	array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
 }
 
 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
@@ -1408,7 +1368,7 @@ METHOD(ike_sa_t, get_child_sa, child_sa_t*,
 	enumerator_t *enumerator;
 	child_sa_t *current, *found = NULL;
 
-	enumerator = this->child_sas->create_enumerator(this->child_sas);
+	enumerator = array_create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, (void**)&current))
 	{
 		if (current->get_spi(current, inbound) == spi &&
@@ -1424,48 +1384,41 @@ METHOD(ike_sa_t, get_child_sa, child_sa_t*,
 METHOD(ike_sa_t, get_child_count, int,
 	private_ike_sa_t *this)
 {
-	return this->child_sas->get_count(this->child_sas);
+	return array_count(this->child_sas);
 }
 
 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
 	private_ike_sa_t *this)
 {
-	return this->child_sas->create_enumerator(this->child_sas);
+	return array_create_enumerator(this->child_sas);
 }
 
 METHOD(ike_sa_t, remove_child_sa, void,
 	private_ike_sa_t *this, enumerator_t *enumerator)
 {
-	this->child_sas->remove_at(this->child_sas, enumerator);
+	array_remove_at(this->child_sas, enumerator);
 }
 
 METHOD(ike_sa_t, rekey_child_sa, status_t,
 	private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
 {
-	child_rekey_t *child_rekey;
-
 	if (this->state == IKE_PASSIVE)
 	{
 		return INVALID_STATE;
 	}
-
-	child_rekey = child_rekey_create(&this->public, protocol, spi);
-	this->task_manager->queue_task(this->task_manager, &child_rekey->task);
+	this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
 	return this->task_manager->initiate(this->task_manager);
 }
 
 METHOD(ike_sa_t, delete_child_sa, status_t,
-	private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
+	private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired)
 {
-	child_delete_t *child_delete;
-
 	if (this->state == IKE_PASSIVE)
 	{
 		return INVALID_STATE;
 	}
-
-	child_delete = child_delete_create(&this->public, protocol, spi);
-	this->task_manager->queue_task(this->task_manager, &child_delete->task);
+	this->task_manager->queue_child_delete(this->task_manager,
+										   protocol, spi, expired);
 	return this->task_manager->initiate(this->task_manager);
 }
 
@@ -1476,13 +1429,13 @@ METHOD(ike_sa_t, destroy_child_sa, status_t,
 	child_sa_t *child_sa;
 	status_t status = NOT_FOUND;
 
-	enumerator = this->child_sas->create_enumerator(this->child_sas);
+	enumerator = array_create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, (void**)&child_sa))
 	{
 		if (child_sa->get_protocol(child_sa) == protocol &&
 			child_sa->get_spi(child_sa, TRUE) == spi)
 		{
-			this->child_sas->remove_at(this->child_sas, enumerator);
+			array_remove_at(this->child_sas, enumerator);
 			child_sa->destroy(child_sa);
 			status = SUCCESS;
 			break;
@@ -1495,14 +1448,21 @@ METHOD(ike_sa_t, destroy_child_sa, status_t,
 METHOD(ike_sa_t, delete_, status_t,
 	private_ike_sa_t *this)
 {
-	ike_delete_t *ike_delete;
-
 	switch (this->state)
 	{
-		case IKE_ESTABLISHED:
 		case IKE_REKEYING:
-			ike_delete = ike_delete_create(&this->public, TRUE);
-			this->task_manager->queue_task(this->task_manager, &ike_delete->task);
+			if (this->version == IKEV1)
+			{	/* SA has been reauthenticated, delete */
+				charon->bus->ike_updown(charon->bus, &this->public, FALSE);
+				break;
+			}
+			/* FALL */
+		case IKE_ESTABLISHED:
+			if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
+			{	/* IKE_SA hard lifetime hit */
+				charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
+			}
+			this->task_manager->queue_ike_delete(this->task_manager);
 			return this->task_manager->initiate(this->task_manager);
 		case IKE_CREATED:
 			DBG1(DBG_IKE, "deleting unestablished IKE_SA");
@@ -1521,23 +1481,17 @@ METHOD(ike_sa_t, delete_, status_t,
 METHOD(ike_sa_t, rekey, status_t,
 	private_ike_sa_t *this)
 {
-	ike_rekey_t *ike_rekey;
-
 	if (this->state == IKE_PASSIVE)
 	{
 		return INVALID_STATE;
 	}
-	ike_rekey = ike_rekey_create(&this->public, TRUE);
-
-	this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
+	this->task_manager->queue_ike_rekey(this->task_manager);
 	return this->task_manager->initiate(this->task_manager);
 }
 
 METHOD(ike_sa_t, reauth, status_t,
 	private_ike_sa_t *this)
 {
-	task_t *task;
-
 	if (this->state == IKE_PASSIVE)
 	{
 		return INVALID_STATE;
@@ -1548,7 +1502,8 @@ METHOD(ike_sa_t, reauth, status_t,
 	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
 	{
 		DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
-		if (this->other_virtual_ip != NULL ||
+		if (array_count(this->other_vips) != 0 ||
+			has_condition(this, COND_XAUTH_AUTHENTICATED) ||
 			has_condition(this, COND_EAP_AUTHENTICATED)
 #ifdef ME
 			/* as mediation server we too cannot reauth the IKE_SA */
@@ -1575,13 +1530,35 @@ METHOD(ike_sa_t, reauth, status_t,
 		DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
 			 get_name(this), this->unique_id);
 	}
-	this->is_reauthenticating = TRUE;
-	task = (task_t*)ike_reauth_create(&this->public);
-	this->task_manager->queue_task(this->task_manager, task);
-
+	set_condition(this, COND_REAUTHENTICATING, TRUE);
+	this->task_manager->queue_ike_reauth(this->task_manager);
 	return this->task_manager->initiate(this->task_manager);
 }
 
+/**
+ * Check if tasks to create CHILD_SAs are queued in the given queue
+ */
+static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	bool found = FALSE;
+
+	enumerator = this->task_manager->create_task_enumerator(this->task_manager,
+															queue);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_CHILD_CREATE ||
+			task->get_type(task) == TASK_QUICK_MODE)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
 METHOD(ike_sa_t, reestablish, status_t,
 	private_ike_sa_t *this)
 {
@@ -1594,9 +1571,9 @@ METHOD(ike_sa_t, reestablish, status_t,
 	bool restart = FALSE;
 	status_t status = FAILED;
 
-	if (this->is_reauthenticating)
+	if (has_condition(this, COND_REAUTHENTICATING))
 	{	/* only reauthenticate if we have children */
-		if (this->child_sas->get_count(this->child_sas) == 0
+		if (array_count(this->child_sas) == 0
 #ifdef ME
 			/* allow reauth of mediation connections without CHILD_SAs */
 			&& !this->peer_cfg->is_mediation(this->peer_cfg)
@@ -1613,7 +1590,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 	}
 	else
 	{	/* check if we have children to keep up at all */
-		enumerator = this->child_sas->create_enumerator(this->child_sas);
+		enumerator = array_create_enumerator(this->child_sas);
 		while (enumerator->enumerate(enumerator, (void**)&child_sa))
 		{
 			if (this->state == IKE_DELETING)
@@ -1631,13 +1608,20 @@ METHOD(ike_sa_t, reestablish, status_t,
 					break;
 				case ACTION_ROUTE:
 					charon->traps->install(charon->traps, this->peer_cfg,
-										   child_sa->get_config(child_sa));
+										   child_sa->get_config(child_sa),
+										   child_sa->get_reqid(child_sa));
 					break;
 				default:
 					break;
 			}
 		}
 		enumerator->destroy(enumerator);
+		/* check if we have tasks that recreate children */
+		if (!restart)
+		{
+			restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
+					  is_child_queued(this, TASK_QUEUE_QUEUED);
+		}
 #ifdef ME
 		/* mediation connections have no children, keep them up anyway */
 		if (this->peer_cfg->is_mediation(this->peer_cfg))
@@ -1653,7 +1637,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 
 	/* check if we are able to reestablish this IKE_SA */
 	if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
-		(this->other_virtual_ip != NULL ||
+		(array_count(this->other_vips) != 0 ||
 		 has_condition(this, COND_EAP_AUTHENTICATED)
 #ifdef ME
 		 || this->is_mediation_server
@@ -1664,18 +1648,24 @@ METHOD(ike_sa_t, reestablish, status_t,
 		return FAILED;
 	}
 
-	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+											   this->version, TRUE);
+	if (!new)
+	{
+		return FAILED;
+	}
 	new->set_peer_cfg(new, this->peer_cfg);
 	host = this->other_host;
 	new->set_other_host(new, host->clone(host));
 	host = this->my_host;
 	new->set_my_host(new, host->clone(host));
 	/* if we already have a virtual IP, we reuse it */
-	host = this->my_virtual_ip;
-	if (host)
+	enumerator = array_create_enumerator(this->my_vips);
+	while (enumerator->enumerate(enumerator, &host))
 	{
-		new->set_virtual_ip(new, TRUE, host);
+		new->add_virtual_ip(new, TRUE, host);
 	}
+	enumerator->destroy(enumerator);
 
 #ifdef ME
 	if (this->peer_cfg->is_mediation(this->peer_cfg))
@@ -1685,16 +1675,17 @@ METHOD(ike_sa_t, reestablish, status_t,
 	else
 #endif /* ME */
 	{
-		enumerator = this->child_sas->create_enumerator(this->child_sas);
+		/* handle existing CHILD_SAs */
+		enumerator = array_create_enumerator(this->child_sas);
 		while (enumerator->enumerate(enumerator, (void**)&child_sa))
 		{
-			if (this->is_reauthenticating)
+			if (has_condition(this, COND_REAUTHENTICATING))
 			{
 				switch (child_sa->get_state(child_sa))
 				{
 					case CHILD_ROUTED:
 					{	/* move routed child directly */
-						this->child_sas->remove_at(this->child_sas, enumerator);
+						array_remove_at(this->child_sas, enumerator);
 						new->add_child_sa(new, child_sa);
 						action = ACTION_NONE;
 						break;
@@ -1724,7 +1715,8 @@ METHOD(ike_sa_t, reestablish, status_t,
 					DBG1(DBG_IKE, "restarting CHILD_SA %s",
 						 child_cfg->get_name(child_cfg));
 					child_cfg->get_ref(child_cfg);
-					status = new->initiate(new, child_cfg, 0, NULL, NULL);
+					status = new->initiate(new, child_cfg,
+									child_sa->get_reqid(child_sa), NULL, NULL);
 					break;
 				default:
 					continue;
@@ -1735,6 +1727,16 @@ METHOD(ike_sa_t, reestablish, status_t,
 			}
 		}
 		enumerator->destroy(enumerator);
+		/* adopt any active or queued CHILD-creating tasks */
+		if (status != DESTROY_ME)
+		{
+			task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
+			other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
+			if (new->get_state(new) == IKE_CREATED)
+			{
+				status = new->initiate(new, NULL, 0, NULL, NULL);
+			}
+		}
 	}
 
 	if (status == DESTROY_ME)
@@ -1744,6 +1746,7 @@ METHOD(ike_sa_t, reestablish, status_t,
 	}
 	else
 	{
+		charon->bus->ike_reestablish(charon->bus, &this->public, new);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
 		status = SUCCESS;
 	}
@@ -1751,40 +1754,6 @@ METHOD(ike_sa_t, reestablish, status_t,
 	return status;
 }
 
-/**
- * Requeue the IKE_SA_INIT tasks for initiation, if required
- */
-static void requeue_init_tasks(private_ike_sa_t *this)
-{
-	enumerator_t *enumerator;
-	bool has_init = FALSE;
-	task_t *task;
-
-	/* if we have advanced to IKE_AUTH, the IKE_INIT and related tasks
-	 * have already completed. Recreate them if necessary. */
-	enumerator = this->task_manager->create_task_enumerator(
-										this->task_manager, TASK_QUEUE_QUEUED);
-	while (enumerator->enumerate(enumerator, &task))
-	{
-		if (task->get_type(task) == IKE_INIT)
-		{
-			has_init = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (!has_init)
-	{
-		task = (task_t*)ike_vendor_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_natd_create(&this->public, TRUE);
-		this->task_manager->queue_task(this->task_manager, task);
-		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
-		this->task_manager->queue_task(this->task_manager, task);
-	}
-}
-
 METHOD(ike_sa_t, retransmit, status_t,
 	private_ike_sa_t *this, u_int32_t message_id)
 {
@@ -1800,8 +1769,10 @@ METHOD(ike_sa_t, retransmit, status_t,
 		{
 			case IKE_CONNECTING:
 			{
-				/* retry IKE_SA_INIT if we have multiple keyingtries */
+				/* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
 				u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
+				charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
+								   this->keyingtry);
 				this->keyingtry++;
 				if (tries == 0 || tries > this->keyingtry)
 				{
@@ -1809,7 +1780,7 @@ METHOD(ike_sa_t, retransmit, status_t,
 						 this->keyingtry + 1, tries);
 					reset(this);
 					resolve_hosts(this);
-					requeue_init_tasks(this);
+					this->task_manager->queue_ike(this->task_manager);
 					return this->task_manager->initiate(this->task_manager);
 				}
 				DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
@@ -1817,7 +1788,7 @@ METHOD(ike_sa_t, retransmit, status_t,
 			}
 			case IKE_DELETING:
 				DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
-				if (this->is_reauthenticating)
+				if (has_condition(this, COND_REAUTHENTICATING))
 				{
 					DBG1(DBG_IKE, "delete during reauthentication failed, "
 						 "trying to reestablish IKE_SA anyway");
@@ -1831,6 +1802,10 @@ METHOD(ike_sa_t, retransmit, status_t,
 				reestablish(this);
 				break;
 		}
+		if (this->state != IKE_CONNECTING)
+		{
+			charon->bus->ike_updown(charon->bus, &this->public, FALSE);
+		}
 		return DESTROY_ME;
 	}
 	return SUCCESS;
@@ -1840,7 +1815,6 @@ METHOD(ike_sa_t, set_auth_lifetime, status_t,
 	private_ike_sa_t *this, u_int32_t lifetime)
 {
 	u_int32_t diff, hard, soft, now;
-	ike_auth_lifetime_t *task;
 	bool send_update;
 
 	diff = this->peer_cfg->get_over_time(this->peer_cfg);
@@ -1850,9 +1824,9 @@ METHOD(ike_sa_t, set_auth_lifetime, status_t,
 
 	/* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
 	 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
-	send_update = this->state == IKE_ESTABLISHED &&
+	send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
 				  !has_condition(this, COND_ORIGINAL_INITIATOR) &&
-				  (this->other_virtual_ip != NULL ||
+				  (array_count(this->other_vips) != 0 ||
 				  has_condition(this, COND_EAP_AUTHENTICATED));
 
 	if (lifetime < diff)
@@ -1890,12 +1864,16 @@ METHOD(ike_sa_t, set_auth_lifetime, status_t,
 	/* give at least some seconds to reauthenticate */
 	this->stats[STAT_DELETE] = max(hard, now + 10);
 
+#ifdef USE_IKEV2
 	if (send_update)
 	{
+		ike_auth_lifetime_t *task;
+
 		task = ike_auth_lifetime_create(&this->public, TRUE);
 		this->task_manager->queue_task(this->task_manager, &task->task);
 		return this->task_manager->initiate(this->task_manager);
 	}
+#endif
 	return SUCCESS;
 }
 
@@ -1953,8 +1931,6 @@ static bool is_any_path_valid(private_ike_sa_t *this)
 METHOD(ike_sa_t, roam, status_t,
 	private_ike_sa_t *this, bool address)
 {
-	ike_mobike_t *mobike;
-
 	switch (this->state)
 	{
 		case IKE_CREATED:
@@ -1976,10 +1952,7 @@ METHOD(ike_sa_t, roam, status_t,
 		if (supports_extension(this, EXT_MOBIKE) && address)
 		{	/* if any addresses changed, send an updated list */
 			DBG1(DBG_IKE, "sending address list update using MOBIKE");
-			mobike = ike_mobike_create(&this->public, TRUE);
-			mobike->addresses(mobike);
-			this->task_manager->queue_task(this->task_manager,
-										   (task_t*)mobike);
+			this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
 			return this->task_manager->initiate(this->task_manager);
 		}
 		return SUCCESS;
@@ -2007,9 +1980,7 @@ METHOD(ike_sa_t, roam, status_t,
 		{
 			DBG1(DBG_IKE, "requesting address change using MOBIKE");
 		}
-		mobike = ike_mobike_create(&this->public, TRUE);
-		mobike->roam(mobike, address);
-		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
+		this->task_manager->queue_mobike(this->task_manager, TRUE, address);
 		return this->task_manager->initiate(this->task_manager);
 	}
 
@@ -2029,13 +2000,12 @@ METHOD(ike_sa_t, add_configuration_attribute, void,
 	private_ike_sa_t *this, attribute_handler_t *handler,
 	configuration_attribute_type_t type, chunk_t data)
 {
-	attribute_entry_t *entry = malloc_thing(attribute_entry_t);
-
-	entry->handler = handler;
-	entry->type = type;
-	entry->data = chunk_clone(data);
-
-	this->attributes->insert_last(this->attributes, entry);
+	attribute_entry_t entry = {
+		.handler = handler,
+		.type = type,
+		.data = chunk_clone(data),
+	};
+	array_insert(this->attributes, ARRAY_TAIL, &entry);
 }
 
 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
@@ -2044,14 +2014,27 @@ METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
 	return this->task_manager->create_task_enumerator(this->task_manager, queue);
 }
 
+METHOD(ike_sa_t, flush_queue, void,
+	private_ike_sa_t *this, task_queue_t queue)
+{
+	this->task_manager->flush_queue(this->task_manager, queue);
+}
+
+METHOD(ike_sa_t, queue_task, void,
+	private_ike_sa_t *this, task_t *task)
+{
+	this->task_manager->queue_task(this->task_manager, task);
+}
+
 METHOD(ike_sa_t, inherit, void,
 	private_ike_sa_t *this, ike_sa_t *other_public)
 {
 	private_ike_sa_t *other = (private_ike_sa_t*)other_public;
 	child_sa_t *child_sa;
-	attribute_entry_t *entry;
 	enumerator_t *enumerator;
+	attribute_entry_t entry;
 	auth_cfg_t *cfg;
+	host_t *vip;
 
 	/* apply hosts and ids */
 	this->my_host->destroy(this->my_host);
@@ -2063,37 +2046,34 @@ METHOD(ike_sa_t, inherit, void,
 	this->my_id = other->my_id->clone(other->my_id);
 	this->other_id = other->other_id->clone(other->other_id);
 
-	/* apply virtual assigned IPs... */
-	if (other->my_virtual_ip)
+	/* apply assigned virtual IPs... */
+	while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
 	{
-		this->my_virtual_ip = other->my_virtual_ip;
-		other->my_virtual_ip = NULL;
+		array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
 	}
-	if (other->other_virtual_ip)
+	while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
 	{
-		this->other_virtual_ip = other->other_virtual_ip;
-		other->other_virtual_ip = NULL;
+		array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
 	}
 
 	/* authentication information */
-	enumerator = other->my_auths->create_enumerator(other->my_auths);
+	enumerator = array_create_enumerator(other->my_auths);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
-		this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
+		array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
 	}
 	enumerator->destroy(enumerator);
-	enumerator = other->other_auths->create_enumerator(other->other_auths);
+	enumerator = array_create_enumerator(other->other_auths);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
-		this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
+		array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
 	}
 	enumerator->destroy(enumerator);
 
 	/* ... and configuration attributes */
-	while (other->attributes->remove_last(other->attributes,
-										  (void**)&entry) == SUCCESS)
+	while (array_remove(other->attributes, ARRAY_HEAD, &entry))
 	{
-		this->attributes->insert_first(this->attributes, entry);
+		array_insert(this->attributes, ARRAY_TAIL, &entry);
 	}
 
 	/* inherit all conditions */
@@ -2116,10 +2096,9 @@ METHOD(ike_sa_t, inherit, void,
 #endif /* ME */
 
 	/* adopt all children */
-	while (other->child_sas->remove_last(other->child_sas,
-										 (void**)&child_sa) == SUCCESS)
+	while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
 	{
-		this->child_sas->insert_first(this->child_sas, (void*)child_sa);
+		array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
 	}
 
 	/* move pending tasks to the new IKE_SA */
@@ -2146,49 +2125,62 @@ METHOD(ike_sa_t, inherit, void,
 METHOD(ike_sa_t, destroy, void,
 	private_ike_sa_t *this)
 {
-	attribute_entry_t *entry;
+	attribute_entry_t entry;
+	child_sa_t *child_sa;
+	host_t *vip;
 
 	charon->bus->set_sa(charon->bus, &this->public);
 
 	set_state(this, IKE_DESTROYING);
-	this->task_manager->destroy(this->task_manager);
+	DESTROY_IF(this->task_manager);
 
 	/* remove attributes first, as we pass the IKE_SA to the handler */
-	while (this->attributes->remove_last(this->attributes,
-										 (void**)&entry) == SUCCESS)
+	while (array_remove(this->attributes, ARRAY_TAIL, &entry))
 	{
-		hydra->attributes->release(hydra->attributes, entry->handler,
-								   this->other_id, entry->type, entry->data);
-		free(entry->data.ptr);
-		free(entry);
+		hydra->attributes->release(hydra->attributes, entry.handler,
+								   this->other_id, entry.type, entry.data);
+		free(entry.data.ptr);
 	}
-	this->attributes->destroy(this->attributes);
-
-	this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
-
-	/* unset SA after here to avoid usage by the listeners */
-	charon->bus->set_sa(charon->bus, NULL);
-
-	this->keymat->destroy(this->keymat);
-
-	if (this->my_virtual_ip)
+	/* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
+	 * routes that the CHILD_SA tries to uninstall. */
+	while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
 	{
-		hydra->kernel_interface->del_ip(hydra->kernel_interface,
-										this->my_virtual_ip);
-		this->my_virtual_ip->destroy(this->my_virtual_ip);
+		child_sa->destroy(child_sa);
 	}
-	if (this->other_virtual_ip)
+	while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
 	{
-		if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
+		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
+		vip->destroy(vip);
+	}
+	if (array_count(this->other_vips))
+	{
+		charon->bus->assign_vips(charon->bus, &this->public, FALSE);
+	}
+	while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
+	{
+		if (this->peer_cfg)
 		{
-			hydra->attributes->release_address(hydra->attributes,
-							this->peer_cfg->get_pool(this->peer_cfg),
-							this->other_virtual_ip, get_other_eap_id(this));
+			linked_list_t *pools;
+			identification_t *id;
+
+			id = get_other_eap_id(this);
+			pools = linked_list_create_from_enumerator(
+						this->peer_cfg->create_pool_enumerator(this->peer_cfg));
+			hydra->attributes->release_address(hydra->attributes, pools, vip, id);
+			pools->destroy(pools);
 		}
-		this->other_virtual_ip->destroy(this->other_virtual_ip);
+		vip->destroy(vip);
 	}
-	this->peer_addresses->destroy_offset(this->peer_addresses,
-										 offsetof(host_t, destroy));
+
+	/* unset SA after here to avoid usage by the listeners */
+	charon->bus->set_sa(charon->bus, NULL);
+
+	array_destroy(this->child_sas);
+	DESTROY_IF(this->keymat);
+	array_destroy(this->attributes);
+	array_destroy(this->my_vips);
+	array_destroy(this->other_vips);
+	array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
 #ifdef ME
 	if (this->is_mediation_server)
 	{
@@ -2212,10 +2204,8 @@ METHOD(ike_sa_t, destroy, void,
 	DESTROY_IF(this->proposal);
 	this->my_auth->destroy(this->my_auth);
 	this->other_auth->destroy(this->other_auth);
-	this->my_auths->destroy_offset(this->my_auths,
-								   offsetof(auth_cfg_t, destroy));
-	this->other_auths->destroy_offset(this->other_auths,
-									  offsetof(auth_cfg_t, destroy));
+	array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
+	array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
 
 	this->ike_sa_id->destroy(this->ike_sa_id);
 	free(this);
@@ -2224,19 +2214,32 @@ METHOD(ike_sa_t, destroy, void,
 /*
  * Described in header.
  */
-ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
+ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
+						 ike_version_t version)
 {
 	private_ike_sa_t *this;
-	static u_int32_t unique_id = 0;
+	static refcount_t unique_id = 0;
+
+	if (version == IKE_ANY)
+	{	/* prefer IKEv2 if protocol not specified */
+#ifdef USE_IKEV2
+		version = IKEV2;
+#else
+		version = IKEV1;
+#endif
+	}
 
 	INIT(this,
 		.public = {
+			.get_version = _get_version,
 			.get_state = _get_state,
 			.set_state = _set_state,
 			.get_name = _get_name,
 			.get_statistic = _get_statistic,
+			.set_statistic = _set_statistic,
 			.process_message = _process_message,
 			.initiate = _initiate,
+			.retry_initiate = _retry_initiate,
 			.get_ike_cfg = _get_ike_cfg,
 			.set_ike_cfg = _set_ike_cfg,
 			.get_peer_cfg = _get_peer_cfg,
@@ -2292,11 +2295,14 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 			.generate_message = _generate_message,
 			.reset = _reset,
 			.get_unique_id = _get_unique_id,
-			.set_virtual_ip = _set_virtual_ip,
-			.get_virtual_ip = _get_virtual_ip,
+			.add_virtual_ip = _add_virtual_ip,
+			.clear_virtual_ips = _clear_virtual_ips,
+			.create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
 			.add_configuration_attribute = _add_configuration_attribute,
 			.set_kmaddress = _set_kmaddress,
 			.create_task_enumerator = _create_task_enumerator,
+			.flush_queue = _flush_queue,
+			.queue_task = _queue_task,
 #ifdef ME
 			.act_as_mediation_server = _act_as_mediation_server,
 			.get_server_reflexive_host = _get_server_reflexive_host,
@@ -2310,27 +2316,43 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 #endif /* ME */
 		},
 		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
-		.child_sas = linked_list_create(),
+		.version = version,
 		.my_host = host_create_any(AF_INET),
 		.other_host = host_create_any(AF_INET),
 		.my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
 		.other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
-		.keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id)),
+		.keymat = keymat_create(version, initiator),
 		.state = IKE_CREATED,
 		.stats[STAT_INBOUND] = time_monotonic(NULL),
 		.stats[STAT_OUTBOUND] = time_monotonic(NULL),
 		.my_auth = auth_cfg_create(),
 		.other_auth = auth_cfg_create(),
-		.my_auths = linked_list_create(),
-		.other_auths = linked_list_create(),
-		.unique_id = ++unique_id,
-		.peer_addresses = linked_list_create(),
-		.attributes = linked_list_create(),
+		.my_auths = array_create(0, 0),
+		.other_auths = array_create(0, 0),
+		.attributes = array_create(sizeof(attribute_entry_t), 0),
+		.unique_id = ref_get(&unique_id),
 		.keepalive_interval = lib->settings->get_time(lib->settings,
-									"charon.keep_alive", KEEPALIVE_INTERVAL),
+							"%s.keep_alive", KEEPALIVE_INTERVAL, charon->name),
+		.retry_initiate_interval = lib->settings->get_time(lib->settings,
+							"%s.retry_initiate_interval", 0, charon->name),
+		.flush_auth_cfg = lib->settings->get_bool(lib->settings,
+							"%s.flush_auth_cfg", FALSE, charon->name),
 	);
+
+	if (version == IKEV2)
+	{	/* always supported with IKEv2 */
+		enable_extension(this, EXT_DPD);
+	}
+
 	this->task_manager = task_manager_create(&this->public);
-	this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
+	this->my_host->set_port(this->my_host,
+							charon->socket->get_port(charon->socket, FALSE));
 
+	if (!this->task_manager || !this->keymat)
+	{
+		DBG1(DBG_IKE, "IKE version %d not supported", this->version);
+		destroy(this);
+		return NULL;
+	}
 	return &this->public;
 }
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 537565e89..00c16c05e 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -37,11 +37,13 @@ typedef struct ike_sa_t ike_sa_t;
 #include <encoding/payloads/configuration_attribute.h>
 #include <sa/ike_sa_id.h>
 #include <sa/child_sa.h>
+#include <sa/task.h>
 #include <sa/task_manager.h>
 #include <sa/keymat.h>
 #include <config/peer_cfg.h>
 #include <config/ike_cfg.h>
 #include <credentials/auth_cfg.h>
+#include <networking/packet.h>
 
 /**
  * Timeout in seconds after that a half open IKE_SA gets deleted.
@@ -69,7 +71,8 @@ typedef struct ike_sa_t ike_sa_t;
 enum ike_extension_t {
 
 	/**
-	 * peer supports NAT traversal as specified in RFC4306
+	 * peer supports NAT traversal as specified in RFC4306 or RFC3947
+	 * including some RFC3947 drafts
 	 */
 	EXT_NATT = (1<<0),
 
@@ -102,6 +105,32 @@ enum ike_extension_t {
 	 * peer is probably a Windows 7 RAS client
 	 */
 	EXT_MS_WINDOWS = (1<<6),
+
+	/**
+	 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
+	 */
+	EXT_XAUTH = (1<<7),
+
+	/**
+	 * peer supports DPD detection, RFC 3706 (or IKEv2)
+	 */
+	EXT_DPD = (1<<8),
+
+	/**
+	 * peer supports Cisco Unity configuration attributes
+	 */
+	EXT_CISCO_UNITY = (1<<9),
+
+	/**
+	 * peer supports NAT traversal as specified in
+	 * draft-ietf-ipsec-nat-t-ike-02 .. -03
+	 */
+	EXT_NATT_DRAFT_02_03 = (1<<10),
+
+	/**
+	 * peer support proprietary IKE fragmentation
+	 */
+	EXT_IKE_FRAGMENTATION = (1<<11),
 };
 
 /**
@@ -148,6 +177,21 @@ enum ike_condition_t {
 	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
 	 */
 	COND_STALE = (1<<7),
+
+	/**
+	 * Initial contact received
+	 */
+	COND_INIT_CONTACT_SEEN = (1<<8),
+
+	/**
+	 * Peer has been authenticated using XAuth
+	 */
+	COND_XAUTH_AUTHENTICATED = (1<<9),
+
+	/**
+	 * This IKE_SA is currently being reauthenticated
+	 */
+	COND_REAUTHENTICATING = (1<<10),
 };
 
 /**
@@ -156,11 +200,11 @@ enum ike_condition_t {
 enum statistic_t {
 	/** Timestamp of SA establishement */
 	STAT_ESTABLISHED = 0,
-	/** Timestamp of scheudled rekeying */
+	/** Timestamp of scheduled rekeying */
 	STAT_REKEY,
-	/** Timestamp of scheudled reauthentication */
+	/** Timestamp of scheduled reauthentication */
 	STAT_REAUTH,
-	/** Timestamp of scheudled delete */
+	/** Timestamp of scheduled delete */
 	STAT_DELETE,
 	/** Timestamp of last inbound IKE packet */
 	STAT_INBOUND,
@@ -270,6 +314,11 @@ struct ike_sa_t {
 	ike_sa_id_t* (*get_id) (ike_sa_t *this);
 
 	/**
+	 * Gets the IKE version of the SA
+	 */
+	ike_version_t (*get_version)(ike_sa_t *this);
+
+	/**
 	 * Get the numerical ID uniquely defining this IKE_SA.
 	 *
 	 * @return				unique ID
@@ -288,7 +337,7 @@ struct ike_sa_t {
 	 *
 	 * @param state			state to set for the IKE_SA
 	 */
-	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
+	void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
 
 	/**
 	 * Get the name of the connection this IKE_SA uses.
@@ -306,6 +355,14 @@ struct ike_sa_t {
 	u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
 
 	/**
+	 * Set statistic value of the IKE_SA.
+	 *
+	 * @param kind			kind of value to update
+	 * @param value			value as integer
+	 */
+	void (*set_statistic)(ike_sa_t *this, statistic_t kind, u_int32_t value);
+
+	/**
 	 * Get the own host address.
 	 *
 	 * @return				host address
@@ -661,6 +718,15 @@ struct ike_sa_t {
 						  traffic_selector_t *tsr);
 
 	/**
+	 * Retry initiation of this IKE_SA after it got deferred previously.
+	 *
+	 * @return
+	 *						- SUCCESS if initiation deferred or started
+	 *						- DESTROY_ME if initiation failed
+	 */
+	status_t (*retry_initiate) (ike_sa_t *this);
+
+	/**
 	 * Initiates the deletion of an IKE_SA.
 	 *
 	 * Sends a delete message to the remote peer and waits for
@@ -746,10 +812,8 @@ struct ike_sa_t {
 	/**
 	 * Sends a keep alive packet.
 	 *
-	 * To refresh NAT tables in a NAT router
-	 * between the peers, periodic empty
-	 * UDP packets are sent if no other traffic
-	 * was sent.
+	 * To refresh NAT tables in a NAT router between the peers, periodic empty
+	 * UDP packets are sent if no other traffic was sent.
 	 */
 	void (*send_keepalive) (ike_sa_t *this);
 
@@ -821,11 +885,13 @@ struct ike_sa_t {
 	 *
 	 * @param protocol		protocol of the SA
 	 * @param spi			inbound SPI of the CHILD_SA
+	 * @param expired		TRUE if CHILD_SA is expired
 	 * @return
 	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
 	 *						- SUCCESS, if delete message sent
 	 */
-	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
+	status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
+								u_int32_t spi, bool expired);
 
 	/**
 	 * Destroy a CHILD SA with the specified protocol/SPI.
@@ -880,7 +946,7 @@ struct ike_sa_t {
 	status_t (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
 
 	/**
-	 * Set the virtual IP to use for this IKE_SA and its children.
+	 * Add a virtual IP to use for this IKE_SA and its children.
 	 *
 	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
 	 * lifetime as the IKE_SA.
@@ -888,15 +954,22 @@ struct ike_sa_t {
 	 * @param local			TRUE to set local address, FALSE for remote
 	 * @param ip			IP to set as virtual IP
 	 */
-	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
+	void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
 
 	/**
-	 * Get the virtual IP configured.
+	 * Clear all virtual IPs stored on this IKE_SA.
+	 *
+	 * @param local			TRUE to clear local addresses, FALSE for remote
+	 */
+	void (*clear_virtual_ips) (ike_sa_t *this, bool local);
+
+	/**
+	 * Create an enumerator over virtual IPs.
 	 *
 	 * @param local			TRUE to get local virtual IP, FALSE for remote
-	 * @return				host_t *virtual IP
+	 * @return				enumerator over host_t*
 	 */
-	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
+	enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);
 
 	/**
 	 * Register a configuration attribute to the IKE_SA.
@@ -933,13 +1006,26 @@ struct ike_sa_t {
 	enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
 
 	/**
+	 * Flush a task queue, cancelling all tasks in it.
+	 *
+	 * @param queue			queue type to flush
+	 */
+	void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
+
+	/**
+	 * Queue a task for initiaton to the task manager.
+	 *
+	 * @param task			task to queue
+	 */
+	void (*queue_task)(ike_sa_t *this, task_t *task);
+
+	/**
 	 * Inherit all attributes of other to this after rekeying.
 	 *
 	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
 	 * outstanding tasks are moved from other to this.
-	 * As this call may initiate inherited tasks, a status is returned.
 	 *
-	 * @param other			other task to inherit from
+	 * @param other			other IKE SA to inherit from
 	 */
 	void (*inherit) (ike_sa_t *this, ike_sa_t *other);
 
@@ -955,11 +1041,14 @@ struct ike_sa_t {
 };
 
 /**
- * Creates an ike_sa_t object with a specific ID.
+ * Creates an ike_sa_t object with a specific ID and IKE version.
  *
- * @param ike_sa_id		ike_sa_id_t object to associate with new IKE_SA
+ * @param ike_sa_id		ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
+ * @param initiator		TRUE to create this IKE_SA as initiator
+ * @param version		IKE version of this SA
  * @return				ike_sa_t object
  */
-ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
+ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
+						ike_version_t version);
 
 #endif /** IKE_SA_H_ @}*/
diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c
index bea4c2124..0f0f1ab63 100644
--- a/src/libcharon/sa/ike_sa_id.c
+++ b/src/libcharon/sa/ike_sa_id.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -30,13 +31,18 @@ struct private_ike_sa_id_t {
 	 */
 	ike_sa_id_t public;
 
+	/**
+	 * Major IKE version of IKE_SA.
+	 */
+	u_int8_t ike_version;
+
 	 /**
-	  * SPI of Initiator.
+	  * SPI of initiator.
 	  */
 	u_int64_t initiator_spi;
 
 	 /**
-	  * SPI of Responder.
+	  * SPI of responder.
 	  */
 	u_int64_t responder_spi;
 
@@ -46,6 +52,12 @@ struct private_ike_sa_id_t {
 	bool is_initiator_flag;
 };
 
+METHOD(ike_sa_id_t, get_ike_version, u_int8_t,
+	private_ike_sa_id_t *this)
+{
+	return this->ike_version;
+}
+
 METHOD(ike_sa_id_t, set_responder_spi, void,
 	private_ike_sa_id_t *this, u_int64_t responder_spi)
 {
@@ -77,23 +89,15 @@ METHOD(ike_sa_id_t, equals, bool,
 	{
 		return FALSE;
 	}
-	if ((this->is_initiator_flag == other->is_initiator_flag) &&
-		(this->initiator_spi == other->initiator_spi) &&
-		(this->responder_spi == other->responder_spi))
-	{
-		/* private_ike_sa_id's are equal */
-		return TRUE;
-	}
-	else
-	{
-		/* private_ike_sa_id's are not equal */
-		return FALSE;
-	}
+	return this->ike_version == other->ike_version &&
+		   this->initiator_spi == other->initiator_spi &&
+		   this->responder_spi == other->responder_spi;
 }
 
 METHOD(ike_sa_id_t, replace_values, void,
 	private_ike_sa_id_t *this, private_ike_sa_id_t *other)
 {
+	this->ike_version = other->ike_version;
 	this->initiator_spi = other->initiator_spi;
 	this->responder_spi = other->responder_spi;
 	this->is_initiator_flag = other->is_initiator_flag;
@@ -108,22 +112,15 @@ METHOD(ike_sa_id_t, is_initiator, bool,
 METHOD(ike_sa_id_t, switch_initiator, bool,
 	private_ike_sa_id_t *this)
 {
-	if (this->is_initiator_flag)
-	{
-		this->is_initiator_flag = FALSE;
-	}
-	else
-	{
-		this->is_initiator_flag = TRUE;
-	}
+	this->is_initiator_flag = !this->is_initiator_flag;
 	return this->is_initiator_flag;
 }
 
 METHOD(ike_sa_id_t, clone_, ike_sa_id_t*,
 	private_ike_sa_id_t *this)
 {
-	return ike_sa_id_create(this->initiator_spi, this->responder_spi,
-							this->is_initiator_flag);
+	return ike_sa_id_create(this->ike_version, this->initiator_spi,
+							this->responder_spi, this->is_initiator_flag);
 }
 
 METHOD(ike_sa_id_t, destroy, void,
@@ -135,13 +132,14 @@ METHOD(ike_sa_id_t, destroy, void,
 /*
  * Described in header.
  */
-ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi,
-							   bool is_initiator_flag)
+ike_sa_id_t * ike_sa_id_create(u_int8_t ike_version, u_int64_t initiator_spi,
+							   u_int64_t responder_spi, bool is_initiator_flag)
 {
 	private_ike_sa_id_t *this;
 
 	INIT(this,
 		.public = {
+			.get_ike_version = _get_ike_version,
 			.set_responder_spi = _set_responder_spi,
 			.set_initiator_spi = _set_initiator_spi,
 			.get_responder_spi = _get_responder_spi,
@@ -153,6 +151,7 @@ ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi,
 			.clone = _clone_,
 			.destroy = _destroy,
 		},
+		.ike_version = ike_version,
 		.initiator_spi = initiator_spi,
 		.responder_spi = responder_spi,
 		.is_initiator_flag = is_initiator_flag,
diff --git a/src/libcharon/sa/ike_sa_id.h b/src/libcharon/sa/ike_sa_id.h
index fb55359bc..5eb754e95 100644
--- a/src/libcharon/sa/ike_sa_id.h
+++ b/src/libcharon/sa/ike_sa_id.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -29,13 +30,20 @@ typedef struct ike_sa_id_t ike_sa_id_t;
 /**
  * An object of type ike_sa_id_t is used to identify an IKE_SA.
  *
- * An IKE_SA is identified by its initiator and responder spi's.
- * Additionally it contains the role of the actual running IKEv2 daemon
- * for the specific IKE_SA (original initiator or responder).
+ * An IKE_SA is identified by its initiator and responder SPIs.
+ * Additionally, it contains the major IKE version of the IKE_SA and, for IKEv2,
+ * the role of the daemon (original initiator or responder).
  */
 struct ike_sa_id_t {
 
 	/**
+	 * Get the major IKE version of this IKE_SA.
+	 *
+	 * @return					IKE version
+	 */
+	u_int8_t (*get_ike_version) (ike_sa_id_t *this);
+
+	/**
 	 * Set the SPI of the responder.
 	 *
 	 * This function is called when a request or reply of a IKE_SA_INIT is received.
@@ -68,15 +76,17 @@ struct ike_sa_id_t {
 	/**
 	 * Check if two ike_sa_id_t objects are equal.
 	 *
-	 * Two ike_sa_id_t objects are equal if both SPI values and the role matches.
+	 * Two ike_sa_id_t objects are equal if version and both SPI values match.
+	 * The role is not compared.
 	 *
 	 * @param other				ike_sa_id_t object to check if equal
-	 * @return					TRUE if given ike_sa_id_t are equal, FALSE otherwise
+	 * @return					TRUE if given ike_sa_id_t are equal,
+	 *							FALSE otherwise
 	 */
 	bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
 
 	/**
-	 * Replace all values of a given ike_sa_id_t object with values.
+	 * Replace all values of a given ike_sa_id_t object with values
 	 * from another ike_sa_id_t object.
 	 *
 	 * After calling this function, both objects are equal.
@@ -93,9 +103,9 @@ struct ike_sa_id_t {
 	bool (*is_initiator) (ike_sa_id_t *this);
 
 	/**
-	 * Switche the original initiator flag.
+	 * Switch the original initiator flag.
 	 *
-	 * @return					TRUE if we are the original initiator after switch, FALSE otherwise
+	 * @return					new value if initiator flag.
 	 */
 	bool (*switch_initiator) (ike_sa_id_t *this);
 
@@ -113,14 +123,15 @@ struct ike_sa_id_t {
 };
 
 /**
- * Creates an ike_sa_id_t object with specific SPI's and defined role.
+ * Creates an ike_sa_id_t object.
  *
+ * @param ike_version			major IKE version
  * @param initiator_spi			initiators SPI
  * @param responder_spi			responders SPI
  * @param is_initiaor			TRUE if we are the original initiator
  * @return						ike_sa_id_t object
  */
-ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi,
-							   bool is_initiaor);
+ike_sa_id_t * ike_sa_id_create(u_int8_t ike_version, u_int64_t initiator_spi,
+							   u_int64_t responder_spi, bool is_initiaor);
 
 #endif /** IKE_SA_ID_H_ @}*/
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 731ae6007..4fbc4da8e 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2005-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -26,7 +26,7 @@
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
 /* the default size of the hash table (MUST be a power of 2) */
@@ -108,9 +108,9 @@ struct entry_t {
 	identification_t *other_id;
 
 	/**
-	 * message ID currently processing, if any
+	 * message ID or hash of currently processing message, -1 if none
 	 */
-	u_int32_t message_id;
+	u_int32_t processing;
 };
 
 /**
@@ -135,37 +135,14 @@ static status_t entry_destroy(entry_t *this)
  */
 static entry_t *entry_create()
 {
-	entry_t *this = malloc_thing(entry_t);
-
-	this->waiting_threads = 0;
-	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-
-	/* we set checkout flag when we really give it out */
-	this->checked_out = FALSE;
-	this->driveout_new_threads = FALSE;
-	this->driveout_waiting_threads = FALSE;
-	this->message_id = -1;
-	this->init_hash = chunk_empty;
-	this->other = NULL;
-	this->half_open = FALSE;
-	this->my_id = NULL;
-	this->other_id = NULL;
-	this->ike_sa_id = NULL;
-	this->ike_sa = NULL;
+	entry_t *this;
 
-	return this;
-}
+	INIT(this,
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.processing = -1,
+	);
 
-/**
- * Function that matches entry_t objects by initiator SPI and the hash of the
- * IKE_SA_INIT message.
- */
-static bool entry_match_by_hash(entry_t *entry, ike_sa_id_t *id, chunk_t *hash)
-{
-	return id->get_responder_spi(id) == 0 &&
-		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
-		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id) &&
-		chunk_equals(*hash, entry->init_hash);
+	return this;
 }
 
 /**
@@ -179,7 +156,6 @@ static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
 	}
 	if ((id->get_responder_spi(id) == 0 ||
 		 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
-		id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
 		id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
 	{
 		/* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
@@ -201,8 +177,19 @@ static bool entry_match_by_sa(entry_t *entry, ike_sa_t *ike_sa)
  */
 static u_int ike_sa_id_hash(ike_sa_id_t *ike_sa_id)
 {
-	/* we always use initiator spi as key */
-	return ike_sa_id->get_initiator_spi(ike_sa_id);
+	/* IKEv2 does not mandate random SPIs (RFC 5996, 2.6), they just have to be
+	 * locally unique, so we use our randomly allocated SPI whether we are
+	 * initiator or responder to ensure a good distribution.  The latter is not
+	 * possible for IKEv1 as we don't know whether we are original initiator or
+	 * not (based on the IKE header).  But as RFC 2408, section 2.5.3 proposes
+	 * SPIs (Cookies) to be allocated near random (we allocate them randomly
+	 * anyway) it seems safe to always use the initiator SPI. */
+	if (ike_sa_id->get_ike_version(ike_sa_id) == IKEV1_MAJOR_VERSION ||
+		ike_sa_id->is_initiator(ike_sa_id))
+	{
+		return ike_sa_id->get_initiator_spi(ike_sa_id);
+	}
+	return ike_sa_id->get_responder_spi(ike_sa_id);
 }
 
 typedef struct half_open_t half_open_t;
@@ -227,14 +214,6 @@ static void half_open_destroy(half_open_t *this)
 	free(this);
 }
 
-/**
- * Function that matches half_open_t objects by the given IP address chunk.
- */
-static bool half_open_match(half_open_t *half_open, chunk_t *addr)
-{
-	return chunk_equals(*addr, half_open->other);
-}
-
 typedef struct connected_peers_t connected_peers_t;
 
 struct connected_peers_t {
@@ -262,15 +241,25 @@ static void connected_peers_destroy(connected_peers_t *this)
 /**
  * Function that matches connected_peers_t objects by the given ids.
  */
-static bool connected_peers_match(connected_peers_t *connected_peers,
+static inline bool connected_peers_match(connected_peers_t *connected_peers,
 							identification_t *my_id, identification_t *other_id,
-							uintptr_t family)
+							int family)
 {
 	return my_id->equals(my_id, connected_peers->my_id) &&
 		   other_id->equals(other_id, connected_peers->other_id) &&
-		   family == connected_peers->family;
+		   (!family || family == connected_peers->family);
 }
 
+typedef struct init_hash_t init_hash_t;
+
+struct init_hash_t {
+	/** hash of IKE_SA_INIT or initial phase1 message (data is not cloned) */
+	chunk_t hash;
+
+	/** our SPI allocated for the IKE_SA based on this message */
+	u_int64_t our_spi;
+};
+
 typedef struct segment_t segment_t;
 
 /**
@@ -298,6 +287,20 @@ struct shareable_segment_t {
 	u_int count;
 };
 
+typedef struct table_item_t table_item_t;
+
+/**
+ * Instead of using linked_list_t for each bucket we store the data in our own
+ * list to save memory.
+ */
+struct table_item_t {
+	/** data of this item */
+	void *value;
+
+	/** next item in the overflow list */
+	table_item_t *next;
+};
+
 typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
 
 /**
@@ -312,7 +315,7 @@ struct private_ike_sa_manager_t {
 	/**
 	 * Hash table with entries for the ike_sa_t objects.
 	 */
-	linked_list_t **ike_sa_table;
+	table_item_t **ike_sa_table;
 
 	/**
 	 * The size of the hash table.
@@ -342,7 +345,7 @@ struct private_ike_sa_manager_t {
 	/**
 	 * Hash table with half_open_t objects.
 	 */
-	linked_list_t **half_open_table;
+	table_item_t **half_open_table;
 
 	/**
 	  * Segments of the "half-open" hash table.
@@ -352,7 +355,7 @@ struct private_ike_sa_manager_t {
 	/**
 	 * Hash table with connected_peers_t objects.
 	 */
-	linked_list_t **connected_peers_table;
+	table_item_t **connected_peers_table;
 
 	/**
 	 * Segments of the "connected peers" hash table.
@@ -360,6 +363,16 @@ struct private_ike_sa_manager_t {
 	shareable_segment_t *connected_peers_segments;
 
 	/**
+	 * Hash table with init_hash_t objects.
+	 */
+	table_item_t **init_hashes_table;
+
+	/**
+	  * Segments of the "hashes" hash table.
+	 */
+	segment_t *init_hashes_segments;
+
+	/**
 	 * RNG to get random SPIs for our side
 	 */
 	rng_t *rng;
@@ -373,16 +386,21 @@ struct private_ike_sa_manager_t {
 	 * reuse existing IKE_SAs in checkout_by_config
 	 */
 	bool reuse_ikesa;
+
+	/**
+	 * Configured IKE_SA limit, if any
+	 */
+	u_int ikesa_limit;
 };
 
 /**
  * Acquire a lock to access the segment of the table row with the given index.
  * It also works with the segment index directly.
  */
-static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
+static inline void lock_single_segment(private_ike_sa_manager_t *this,
+									   u_int index)
 {
 	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-
 	lock->lock(lock);
 }
 
@@ -390,10 +408,10 @@ static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
  * Release the lock required to access the segment of the table row with the given index.
  * It also works with the segment index directly.
  */
-static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
+static inline void unlock_single_segment(private_ike_sa_manager_t *this,
+										 u_int index)
 {
 	mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-
 	lock->unlock(lock);
 }
 
@@ -456,9 +474,14 @@ struct private_enumerator_t {
 	u_int row;
 
 	/**
-	 * enumerator for the current table row
+	 * current table item
 	 */
-	enumerator_t *current;
+	table_item_t *current;
+
+	/**
+	 * previous table item
+	 */
+	table_item_t *prev;
 };
 
 METHOD(enumerator_t, enumerate, bool,
@@ -473,33 +496,23 @@ METHOD(enumerator_t, enumerate, bool,
 	{
 		while (this->row < this->manager->table_size)
 		{
+			this->prev = this->current;
 			if (this->current)
 			{
-				entry_t *item;
-
-				if (this->current->enumerate(this->current, &item))
-				{
-					*entry = this->entry = item;
-					*segment = this->segment;
-					return TRUE;
-				}
-				this->current->destroy(this->current);
-				this->current = NULL;
-				unlock_single_segment(this->manager, this->segment);
+				this->current = this->current->next;
 			}
 			else
 			{
-				linked_list_t *list;
-
 				lock_single_segment(this->manager, this->segment);
-				if ((list = this->manager->ike_sa_table[this->row]) != NULL &&
-					 list->get_count(list))
-				{
-					this->current = list->create_enumerator(list);
-					continue;
-				}
-				unlock_single_segment(this->manager, this->segment);
+				this->current = this->manager->ike_sa_table[this->row];
+			}
+			if (this->current)
+			{
+				*entry = this->entry = this->current->value;
+				*segment = this->segment;
+				return TRUE;
 			}
+			unlock_single_segment(this->manager, this->segment);
 			this->row += this->manager->segment_count;
 		}
 		this->segment++;
@@ -517,7 +530,6 @@ METHOD(enumerator_t, enumerator_destroy, void,
 	}
 	if (this->current)
 	{
-		this->current->destroy(this->current);
 		unlock_single_segment(this->manager, this->segment);
 	}
 	free(this);
@@ -546,19 +558,23 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
  */
 static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	linked_list_t *list;
+	table_item_t *current, *item;
 	u_int row, segment;
 
+	INIT(item,
+		.value = entry,
+	);
+
 	row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
 	segment = row & this->segment_mask;
 
 	lock_single_segment(this, segment);
-	list = this->ike_sa_table[row];
-	if (!list)
-	{
-		list = this->ike_sa_table[row] = linked_list_create();
+	current = this->ike_sa_table[row];
+	if (current)
+	{	/* insert at the front of current bucket */
+		item->next = current;
 	}
-	list->insert_last(list, entry);
+	this->ike_sa_table[row] = item;
 	this->segments[segment].count++;
 	return segment;
 }
@@ -569,28 +585,30 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
  */
 static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	linked_list_t *list;
+	table_item_t *item, *prev = NULL;
 	u_int row, segment;
 
 	row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
 	segment = row & this->segment_mask;
-	list = this->ike_sa_table[row];
-	if (list)
+	item = this->ike_sa_table[row];
+	while (item)
 	{
-		entry_t *current;
-		enumerator_t *enumerator;
-
-		enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &current))
+		if (item->value == entry)
 		{
-			if (current == entry)
+			if (prev)
 			{
-				list->remove_at(list, enumerator);
-				this->segments[segment].count--;
-				break;
+				prev->next = item->next;
+			}
+			else
+			{
+				this->ike_sa_table[row] = item->next;
 			}
+			this->segments[segment].count--;
+			free(item);
+			break;
 		}
-		enumerator->destroy(enumerator);
+		prev = item;
+		item = item->next;
 	}
 }
 
@@ -602,9 +620,21 @@ static void remove_entry_at(private_enumerator_t *this)
 	this->entry = NULL;
 	if (this->current)
 	{
-		linked_list_t *list = this->manager->ike_sa_table[this->row];
-		list->remove_at(list, this->current);
+		table_item_t *current = this->current;
+
 		this->manager->segments[this->segment].count--;
+		this->current = this->prev;
+
+		if (this->prev)
+		{
+			this->prev->next = current->next;
+		}
+		else
+		{
+			this->manager->ike_sa_table[this->row] = current->next;
+			unlock_single_segment(this->manager, this->segment);
+		}
+		free(current);
 	}
 }
 
@@ -614,26 +644,26 @@ static void remove_entry_at(private_enumerator_t *this)
  */
 static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
 					ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment,
-					linked_list_match_t match, void *p1, void *p2)
+					linked_list_match_t match, void *param)
 {
-	entry_t *current;
-	linked_list_t *list;
+	table_item_t *item;
 	u_int row, seg;
 
 	row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
 	seg = row & this->segment_mask;
 
 	lock_single_segment(this, seg);
-	list = this->ike_sa_table[row];
-	if (list)
+	item = this->ike_sa_table[row];
+	while (item)
 	{
-		if (list->find_first(list, match, (void**)&current, p1, p2) == SUCCESS)
+		if (match(item->value, param))
 		{
-			*entry = current;
+			*entry = item->value;
 			*segment = seg;
 			/* the locked segment has to be unlocked by the caller */
 			return SUCCESS;
 		}
+		item = item->next;
 	}
 	unlock_single_segment(this, seg);
 	return NOT_FOUND;
@@ -647,18 +677,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this,
 						ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
 {
 	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
-				(linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
-}
-
-/**
- * Find an entry by initiator SPI and IKE_SA_INIT hash.
- * Note: On SUCCESS, the caller has to unlock the segment.
- */
-static status_t get_entry_by_hash(private_ike_sa_manager_t *this,
-			ike_sa_id_t *ike_sa_id, chunk_t hash, entry_t **entry, u_int *segment)
-{
-	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
-				(linked_list_match_t)entry_match_by_hash, ike_sa_id, &hash);
+				(linked_list_match_t)entry_match_by_id, ike_sa_id);
 }
 
 /**
@@ -669,7 +688,7 @@ static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
 			ike_sa_id_t *ike_sa_id, ike_sa_t *ike_sa, entry_t **entry, u_int *segment)
 {
 	return get_entry_by_match_function(this, ike_sa_id, entry, segment,
-				(linked_list_match_t)entry_match_by_sa, ike_sa, NULL);
+				(linked_list_match_t)entry_match_by_sa, ike_sa);
 }
 
 /**
@@ -707,44 +726,43 @@ static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
  */
 static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	half_open_t *half_open = NULL;
-	linked_list_t *list;
-	chunk_t addr;
+	table_item_t *item;
 	u_int row, segment;
 	rwlock_t *lock;
+	half_open_t *half_open;
+	chunk_t addr;
 
 	addr = entry->other->get_address(entry->other);
 	row = chunk_hash(addr) & this->table_mask;
 	segment = row & this->segment_mask;
 	lock = this->half_open_segments[segment].lock;
 	lock->write_lock(lock);
-	list = this->half_open_table[row];
-	if (list)
+	item = this->half_open_table[row];
+	while (item)
 	{
-		half_open_t *current;
+		half_open = item->value;
 
-		if (list->find_first(list, (linked_list_match_t)half_open_match,
-							 (void**)&current, &addr) == SUCCESS)
+		if (chunk_equals(addr, half_open->other))
 		{
-			half_open = current;
 			half_open->count++;
-			this->half_open_segments[segment].count++;
+			break;
 		}
-	}
-	else
-	{
-		list = this->half_open_table[row] = linked_list_create();
+		item = item->next;
 	}
 
-	if (!half_open)
+	if (!item)
 	{
 		INIT(half_open,
 			.other = chunk_clone(addr),
 			.count = 1,
 		);
-		list->insert_last(list, half_open);
-		this->half_open_segments[segment].count++;
+		INIT(item,
+			.value = half_open,
+			.next = this->half_open_table[row],
+		);
+		this->half_open_table[row] = item;
 	}
+	this->half_open_segments[segment].count++;
 	lock->unlock(lock);
 }
 
@@ -753,37 +771,41 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
  */
 static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	linked_list_t *list;
-	chunk_t addr;
+	table_item_t *item, *prev = NULL;
 	u_int row, segment;
 	rwlock_t *lock;
+	chunk_t addr;
 
 	addr = entry->other->get_address(entry->other);
 	row = chunk_hash(addr) & this->table_mask;
 	segment = row & this->segment_mask;
 	lock = this->half_open_segments[segment].lock;
 	lock->write_lock(lock);
-	list = this->half_open_table[row];
-	if (list)
+	item = this->half_open_table[row];
+	while (item)
 	{
-		half_open_t *current;
-		enumerator_t *enumerator;
+		half_open_t *half_open = item->value;
 
-		enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &current))
+		if (chunk_equals(addr, half_open->other))
 		{
-			if (half_open_match(current, &addr))
+			if (--half_open->count == 0)
 			{
-				if (--current->count == 0)
+				if (prev)
 				{
-					list->remove_at(list, enumerator);
-					half_open_destroy(current);
+					prev->next = item->next;
 				}
-				this->half_open_segments[segment].count--;
-				break;
+				else
+				{
+					this->half_open_table[row] = item->next;
+				}
+				half_open_destroy(half_open);
+				free(item);
 			}
+			this->half_open_segments[segment].count--;
+			break;
 		}
-		enumerator->destroy(enumerator);
+		prev = item;
+		item = item->next;
 	}
 	lock->unlock(lock);
 }
@@ -793,28 +815,28 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
  */
 static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	connected_peers_t *connected_peers = NULL;
-	chunk_t my_id, other_id;
-	linked_list_t *list;
+	table_item_t *item;
 	u_int row, segment;
 	rwlock_t *lock;
+	connected_peers_t *connected_peers;
+	chunk_t my_id, other_id;
+	int family;
 
 	my_id = entry->my_id->get_encoding(entry->my_id);
 	other_id = entry->other_id->get_encoding(entry->other_id);
+	family = entry->other->get_family(entry->other);
 	row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
 	segment = row & this->segment_mask;
 	lock = this->connected_peers_segments[segment].lock;
 	lock->write_lock(lock);
-	list = this->connected_peers_table[row];
-	if (list)
+	item = this->connected_peers_table[row];
+	while (item)
 	{
-		connected_peers_t *current;
+		connected_peers = item->value;
 
-		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
-				(void**)&current, entry->my_id, entry->other_id,
-				(uintptr_t)entry->other->get_family(entry->other)) == SUCCESS)
+		if (connected_peers_match(connected_peers, entry->my_id,
+								  entry->other_id, family))
 		{
-			connected_peers = current;
 			if (connected_peers->sas->find_first(connected_peers->sas,
 					(linked_list_match_t)entry->ike_sa_id->equals,
 					NULL, entry->ike_sa_id) == SUCCESS)
@@ -822,22 +844,24 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 				lock->unlock(lock);
 				return;
 			}
+			break;
 		}
-	}
-	else
-	{
-		list = this->connected_peers_table[row] = linked_list_create();
+		item = item->next;
 	}
 
-	if (!connected_peers)
+	if (!item)
 	{
 		INIT(connected_peers,
 			.my_id = entry->my_id->clone(entry->my_id),
 			.other_id = entry->other_id->clone(entry->other_id),
-			.family = entry->other->get_family(entry->other),
+			.family = family,
 			.sas = linked_list_create(),
 		);
-		list->insert_last(list, connected_peers);
+		INIT(item,
+			.value = connected_peers,
+			.next = this->connected_peers_table[row],
+		);
+		this->connected_peers_table[row] = item;
 	}
 	connected_peers->sas->insert_last(connected_peers->sas,
 									  entry->ike_sa_id->clone(entry->ike_sa_id));
@@ -850,54 +874,61 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
  */
 static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
 {
-	chunk_t my_id, other_id;
-	linked_list_t *list;
+	table_item_t *item, *prev = NULL;
 	u_int row, segment;
 	rwlock_t *lock;
+	chunk_t my_id, other_id;
+	int family;
 
 	my_id = entry->my_id->get_encoding(entry->my_id);
 	other_id = entry->other_id->get_encoding(entry->other_id);
+	family = entry->other->get_family(entry->other);
+
 	row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
 	segment = row & this->segment_mask;
 
 	lock = this->connected_peers_segments[segment].lock;
 	lock->write_lock(lock);
-	list = this->connected_peers_table[row];
-	if (list)
+	item = this->connected_peers_table[row];
+	while (item)
 	{
-		connected_peers_t *current;
-		enumerator_t *enumerator;
+		connected_peers_t *current = item->value;
 
-		enumerator = list->create_enumerator(list);
-		while (enumerator->enumerate(enumerator, &current))
+		if (connected_peers_match(current, entry->my_id, entry->other_id,
+								  family))
 		{
-			if (connected_peers_match(current, entry->my_id, entry->other_id,
-						(uintptr_t)entry->other->get_family(entry->other)))
-			{
-				ike_sa_id_t *ike_sa_id;
-				enumerator_t *inner;
+			enumerator_t *enumerator;
+			ike_sa_id_t *ike_sa_id;
 
-				inner = current->sas->create_enumerator(current->sas);
-				while (inner->enumerate(inner, &ike_sa_id))
+			enumerator = current->sas->create_enumerator(current->sas);
+			while (enumerator->enumerate(enumerator, &ike_sa_id))
+			{
+				if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
 				{
-					if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
-					{
-						current->sas->remove_at(current->sas, inner);
-						ike_sa_id->destroy(ike_sa_id);
-						this->connected_peers_segments[segment].count--;
-						break;
-					}
+					current->sas->remove_at(current->sas, enumerator);
+					ike_sa_id->destroy(ike_sa_id);
+					this->connected_peers_segments[segment].count--;
+					break;
 				}
-				inner->destroy(inner);
-				if (current->sas->get_count(current->sas) == 0)
+			}
+			enumerator->destroy(enumerator);
+			if (current->sas->get_count(current->sas) == 0)
+			{
+				if (prev)
 				{
-					list->remove_at(list, enumerator);
-					connected_peers_destroy(current);
+					prev->next = item->next;
 				}
-				break;
+				else
+				{
+					this->connected_peers_table[row] = item->next;
+				}
+				connected_peers_destroy(current);
+				free(item);
 			}
+			break;
 		}
-		enumerator->destroy(enumerator);
+		prev = item;
+		item = item->next;
 	}
 	lock->unlock(lock);
 }
@@ -907,13 +938,166 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr
  */
 static u_int64_t get_spi(private_ike_sa_manager_t *this)
 {
-	u_int64_t spi = 0;
+	u_int64_t spi;
+
+	if (this->rng &&
+		this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
+	{
+		return spi;
+	}
+	return 0;
+}
+
+/**
+ * Calculate the hash of the initial IKE message.  Memory for the hash is
+ * allocated on success.
+ *
+ * @returns TRUE on success
+ */
+static bool get_init_hash(private_ike_sa_manager_t *this, message_t *message,
+						  chunk_t *hash)
+{
+	host_t *src;
+
+	if (!this->hasher)
+	{	/* this might be the case when flush() has been called */
+		return FALSE;
+	}
+	if (message->get_first_payload_type(message) == FRAGMENT_V1)
+	{	/* only hash the source IP, port and SPI for fragmented init messages */
+		u_int16_t port;
+		u_int64_t spi;
+
+		src = message->get_source(message);
+		if (!this->hasher->allocate_hash(this->hasher,
+										 src->get_address(src), NULL))
+		{
+			return FALSE;
+		}
+		port = src->get_port(src);
+		if (!this->hasher->allocate_hash(this->hasher,
+										 chunk_from_thing(port), NULL))
+		{
+			return FALSE;
+		}
+		spi = message->get_initiator_spi(message);
+		return this->hasher->allocate_hash(this->hasher,
+										   chunk_from_thing(spi), hash);
+	}
+	if (message->get_exchange_type(message) == ID_PROT)
+	{	/* include the source for Main Mode as the hash will be the same if
+		 * SPIs are reused by two initiators that use the same proposal */
+		src = message->get_source(message);
+
+		if (!this->hasher->allocate_hash(this->hasher,
+										 src->get_address(src), NULL))
+		{
+			return FALSE;
+		}
+	}
+	return this->hasher->allocate_hash(this->hasher,
+									   message->get_packet_data(message), hash);
+}
+
+/**
+ * Check if we already have created an IKE_SA based on the initial IKE message
+ * with the given hash.
+ * If not the hash is stored, the hash data is not(!) cloned.
+ *
+ * Also, the local SPI is returned.  In case of a retransmit this is already
+ * stored together with the hash, otherwise it is newly allocated and should
+ * be used to create the IKE_SA.
+ *
+ * @returns ALREADY_DONE if the message with the given hash has been seen before
+ *			NOT_FOUND if the message hash was not found
+ *			FAILED if the SPI allocation failed
+ */
+static status_t check_and_put_init_hash(private_ike_sa_manager_t *this,
+										chunk_t init_hash, u_int64_t *our_spi)
+{
+	table_item_t *item;
+	u_int row, segment;
+	mutex_t *mutex;
+	init_hash_t *init;
+	u_int64_t spi;
+
+	row = chunk_hash(init_hash) & this->table_mask;
+	segment = row & this->segment_mask;
+	mutex = this->init_hashes_segments[segment].mutex;
+	mutex->lock(mutex);
+	item = this->init_hashes_table[row];
+	while (item)
+	{
+		init_hash_t *current = item->value;
+
+		if (chunk_equals(init_hash, current->hash))
+		{
+			*our_spi = current->our_spi;
+			mutex->unlock(mutex);
+			return ALREADY_DONE;
+		}
+		item = item->next;
+	}
+
+	spi = get_spi(this);
+	if (!spi)
+	{
+		return FAILED;
+	}
+
+	INIT(init,
+		.hash = {
+			.len = init_hash.len,
+			.ptr = init_hash.ptr,
+		},
+		.our_spi = spi,
+	);
+	INIT(item,
+		.value = init,
+		.next = this->init_hashes_table[row],
+	);
+	this->init_hashes_table[row] = item;
+	*our_spi = init->our_spi;
+	mutex->unlock(mutex);
+	return NOT_FOUND;
+}
+
+/**
+ * Remove the hash of an initial IKE message from the cache.
+ */
+static void remove_init_hash(private_ike_sa_manager_t *this, chunk_t init_hash)
+{
+	table_item_t *item, *prev = NULL;
+	u_int row, segment;
+	mutex_t *mutex;
 
-	if (this->rng)
+	row = chunk_hash(init_hash) & this->table_mask;
+	segment = row & this->segment_mask;
+	mutex = this->init_hashes_segments[segment].mutex;
+	mutex->lock(mutex);
+	item = this->init_hashes_table[row];
+	while (item)
 	{
-		this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
+		init_hash_t *current = item->value;
+
+		if (chunk_equals(init_hash, current->hash))
+		{
+			if (prev)
+			{
+				prev->next = item->next;
+			}
+			else
+			{
+				this->init_hashes_table[row] = item->next;
+			}
+			free(current);
+			free(item);
+			break;
+		}
+		prev = item;
+		item = item->next;
 	}
-	return spi;
+	mutex->unlock(mutex);
 }
 
 METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
@@ -941,28 +1125,55 @@ METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
 }
 
 METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
-	private_ike_sa_manager_t* this, bool initiator)
+	private_ike_sa_manager_t* this, ike_version_t version, bool initiator)
 {
 	ike_sa_id_t *ike_sa_id;
 	ike_sa_t *ike_sa;
+	u_int8_t ike_version;
+	u_int64_t spi;
+
+	ike_version = version == IKEV1 ? IKEV1_MAJOR_VERSION : IKEV2_MAJOR_VERSION;
+
+	spi = get_spi(this);
+	if (!spi)
+	{
+		DBG1(DBG_MGR, "failed to allocate SPI for new IKE_SA");
+		return NULL;
+	}
 
 	if (initiator)
 	{
-		ike_sa_id = ike_sa_id_create(get_spi(this), 0, TRUE);
+		ike_sa_id = ike_sa_id_create(ike_version, spi, 0, TRUE);
 	}
 	else
 	{
-		ike_sa_id = ike_sa_id_create(0, get_spi(this), FALSE);
+		ike_sa_id = ike_sa_id_create(ike_version, 0, spi, FALSE);
 	}
-	ike_sa = ike_sa_create(ike_sa_id);
+	ike_sa = ike_sa_create(ike_sa_id, initiator, version);
 	ike_sa_id->destroy(ike_sa_id);
 
-	DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
-			ike_sa->get_unique_id(ike_sa));
-
+	if (ike_sa)
+	{
+		DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
+			 ike_sa->get_unique_id(ike_sa));
+	}
 	return ike_sa;
 }
 
+/**
+ * Get the message ID or message hash to detect early retransmissions
+ */
+static u_int32_t get_message_id_or_hash(message_t *message)
+{
+	/* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */
+	if (message->get_major_version(message) == IKEV1_MAJOR_VERSION &&
+		message->get_message_id(message) == 0)
+	{
+		return chunk_hash(message->get_packet_data(message));
+	}
+	return message->get_message_id(message);
+}
+
 METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 	private_ike_sa_manager_t* this, message_t *message)
 {
@@ -970,96 +1181,134 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 	entry_t *entry;
 	ike_sa_t *ike_sa = NULL;
 	ike_sa_id_t *id;
+	ike_version_t ike_version;
+	bool is_init = FALSE;
 
 	id = message->get_ike_sa_id(message);
+	/* clone the IKE_SA ID so we can modify the initiator flag */
 	id = id->clone(id);
 	id->switch_initiator(id);
 
 	DBG2(DBG_MGR, "checkout IKE_SA by message");
 
-	if (message->get_request(message) &&
-		message->get_exchange_type(message) == IKE_SA_INIT &&
-		this->hasher)
+	if (id->get_responder_spi(id) == 0)
 	{
-		/* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
-		chunk_t data, hash;
-
-		data = message->get_packet_data(message);
-		this->hasher->allocate_hash(this->hasher, data, &hash);
-		chunk_free(&data);
-
-		if (get_entry_by_hash(this, id, hash, &entry, &segment) == SUCCESS)
+		if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
 		{
-			if (entry->message_id == 0)
+			if (message->get_exchange_type(message) == IKE_SA_INIT &&
+				message->get_request(message))
 			{
-				unlock_single_segment(this, segment);
-				chunk_free(&hash);
-				id->destroy(id);
-				DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
-				return NULL;
+				ike_version = IKEV2;
+				is_init = TRUE;
 			}
-			else if (wait_for_entry(this, entry, segment))
+		}
+		else
+		{
+			if (message->get_exchange_type(message) == ID_PROT ||
+				message->get_exchange_type(message) == AGGRESSIVE)
 			{
-				entry->checked_out = TRUE;
-				entry->message_id = message->get_message_id(message);
-				ike_sa = entry->ike_sa;
-				DBG2(DBG_MGR, "IKE_SA %s[%u] checked out by hash",
-						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+				ike_version = IKEV1;
+				is_init = TRUE;
+				if (id->is_initiator(id))
+				{	/* not set in IKEv1, switch back before applying to new SA */
+					id->switch_initiator(id);
+				}
 			}
-			unlock_single_segment(this, segment);
 		}
+	}
 
-		if (ike_sa == NULL)
+	if (is_init)
+	{
+		u_int64_t our_spi;
+		chunk_t hash;
+
+		if (!get_init_hash(this, message, &hash))
 		{
-			if (id->get_responder_spi(id) == 0 &&
-				message->get_exchange_type(message) == IKE_SA_INIT)
-			{
-				/* no IKE_SA found, create a new one */
-				id->set_responder_spi(id, get_spi(this));
-				entry = entry_create();
-				entry->ike_sa = ike_sa_create(id);
-				entry->ike_sa_id = id->clone(id);
+			DBG1(DBG_MGR, "ignoring message, failed to hash message");
+			id->destroy(id);
+			return NULL;
+		}
 
-				segment = put_entry(this, entry);
-				entry->checked_out = TRUE;
-				unlock_single_segment(this, segment);
+		/* ensure this is not a retransmit of an already handled init message */
+		switch (check_and_put_init_hash(this, hash, &our_spi))
+		{
+			case NOT_FOUND:
+			{	/* we've not seen this packet yet, create a new IKE_SA */
+				if (!this->ikesa_limit ||
+					this->public.get_count(&this->public) < this->ikesa_limit)
+				{
+					id->set_responder_spi(id, our_spi);
+					ike_sa = ike_sa_create(id, FALSE, ike_version);
+					if (ike_sa)
+					{
+						entry = entry_create();
+						entry->ike_sa = ike_sa;
+						entry->ike_sa_id = id;
 
-				entry->message_id = message->get_message_id(message);
-				entry->init_hash = hash;
-				ike_sa = entry->ike_sa;
+						segment = put_entry(this, entry);
+						entry->checked_out = TRUE;
+						unlock_single_segment(this, segment);
 
-				DBG2(DBG_MGR, "created IKE_SA %s[%u]",
-						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+						entry->processing = get_message_id_or_hash(message);
+						entry->init_hash = hash;
+
+						DBG2(DBG_MGR, "created IKE_SA %s[%u]",
+							 ike_sa->get_name(ike_sa),
+							 ike_sa->get_unique_id(ike_sa));
+
+						charon->bus->set_sa(charon->bus, ike_sa);
+						return ike_sa;
+					}
+					else
+					{
+						DBG1(DBG_MGR, "creating IKE_SA failed, ignoring message");
+					}
+				}
+				else
+				{
+					DBG1(DBG_MGR, "ignoring %N, hitting IKE_SA limit (%u)",
+						 exchange_type_names, message->get_exchange_type(message),
+						 this->ikesa_limit);
+				}
+				remove_init_hash(this, hash);
+				chunk_free(&hash);
+				id->destroy(id);
+				return NULL;
 			}
-			else
-			{
+			case FAILED:
+			{	/* we failed to allocate an SPI */
 				chunk_free(&hash);
-				DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
+				id->destroy(id);
+				DBG1(DBG_MGR, "ignoring message, failed to allocate SPI");
+				return NULL;
 			}
+			case ALREADY_DONE:
+			default:
+				break;
 		}
-		else
-		{
-			chunk_free(&hash);
-		}
-		id->destroy(id);
-		charon->bus->set_sa(charon->bus, ike_sa);
-		return ike_sa;
+		/* it looks like we already handled this init message to some degree */
+		id->set_responder_spi(id, our_spi);
+		chunk_free(&hash);
 	}
 
 	if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
 	{
-		/* only check out if we are not processing this request */
-		if (message->get_request(message) &&
-			message->get_message_id(message) == entry->message_id)
+		/* only check out if we are not already processing it. */
+		if (entry->processing == get_message_id_or_hash(message))
 		{
-			DBG1(DBG_MGR, "ignoring request with ID %d, already processing",
-				 entry->message_id);
+			DBG1(DBG_MGR, "ignoring request with ID %u, already processing",
+				 entry->processing);
 		}
 		else if (wait_for_entry(this, entry, segment))
 		{
-			ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa);
+			ike_sa_id_t *ike_id;
+
+			ike_id = entry->ike_sa->get_id(entry->ike_sa);
 			entry->checked_out = TRUE;
-			entry->message_id = message->get_message_id(message);
+			if (message->get_first_payload_type(message) != FRAGMENT_V1)
+			{
+				entry->processing = get_message_id_or_hash(message);
+			}
 			if (ike_id->get_responder_spi(ike_id) == 0)
 			{
 				ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
@@ -1070,6 +1319,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		}
 		unlock_single_segment(this, segment);
 	}
+	else
+	{
+		charon->bus->alert(charon->bus, ALERT_INVALID_IKE_SPI, message);
+	}
 	id->destroy(id);
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -1089,7 +1342,7 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 
 	if (!this->reuse_ikesa)
 	{	/* IKE_SA reuse disable by config */
-		ike_sa = checkout_new(this, TRUE);
+		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 		charon->bus->set_sa(charon->bus, ike_sa);
 		return ike_sa;
 	}
@@ -1125,7 +1378,7 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 
 	if (!ike_sa)
 	{	/* no IKE_SA using such a config, hand out a new */
-		ike_sa = checkout_new(this, TRUE);
+		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
@@ -1244,6 +1497,7 @@ static bool enumerator_filter_wait(private_ike_sa_manager_t *this,
 	if (wait_for_entry(this, *in, *segment))
 	{
 		*out = (*in)->ike_sa;
+		charon->bus->set_sa(charon->bus, *out);
 		return TRUE;
 	}
 	return FALSE;
@@ -1260,17 +1514,26 @@ static bool enumerator_filter_skip(private_ike_sa_manager_t *this,
 		!(*in)->checked_out)
 	{
 		*out = (*in)->ike_sa;
+		charon->bus->set_sa(charon->bus, *out);
 		return TRUE;
 	}
 	return FALSE;
 }
 
+/**
+ * Reset threads SA after enumeration
+ */
+static void reset_sa(void *data)
+{
+	charon->bus->set_sa(charon->bus, NULL);
+}
+
 METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*,
 	private_ike_sa_manager_t* this, bool wait)
 {
 	return enumerator_create_filter(create_table_enumerator(this),
 			wait ? (void*)enumerator_filter_wait : (void*)enumerator_filter_skip,
-			this, NULL);
+			this, reset_sa);
 }
 
 METHOD(ike_sa_manager_t, checkin, void,
@@ -1290,7 +1553,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 
 	ike_sa_id = ike_sa->get_id(ike_sa);
 	my_id = ike_sa->get_my_id(ike_sa);
-	other_id = ike_sa->get_other_id(ike_sa);
+	other_id = ike_sa->get_other_eap_id(ike_sa);
 	other = ike_sa->get_other_host(ike_sa);
 
 	DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
@@ -1303,7 +1566,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 		entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
 		/* signal waiting threads */
 		entry->checked_out = FALSE;
-		entry->message_id = -1;
+		entry->processing = -1;
 		/* check if this SA is half-open */
 		if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
 		{
@@ -1340,9 +1603,21 @@ METHOD(ike_sa_manager_t, checkin, void,
 	}
 
 	/* apply identities for duplicate test */
-	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+	if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
+		 ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
 		entry->my_id == NULL && entry->other_id == NULL)
 	{
+		if (ike_sa->get_version(ike_sa) == IKEV1)
+		{
+			/* If authenticated and received INITIAL_CONTACT,
+			 * delete any existing IKE_SAs with that peer. */
+			if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN))
+			{
+				this->public.check_uniqueness(&this->public, ike_sa, TRUE);
+				ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE);
+			}
+		}
+
 		entry->my_id = my_id->clone(my_id);
 		entry->other_id = other_id->clone(other_id);
 		if (!entry->other)
@@ -1376,6 +1651,16 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void,
 
 	if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
 	{
+		if (entry->driveout_waiting_threads && entry->driveout_new_threads)
+		{	/* it looks like flush() has been called and the SA is being deleted
+			 * anyway, just check it in */
+			DBG2(DBG_MGR, "ignored check-in and destroy of IKE_SA during shutdown");
+			entry->checked_out = FALSE;
+			entry->condvar->broadcast(entry->condvar);
+			unlock_single_segment(this, segment);
+			return;
+		}
+
 		/* drive out waiting threads, as we are in hurry */
 		entry->driveout_waiting_threads = TRUE;
 		/* mark it, so no new threads can get this entry */
@@ -1399,6 +1684,10 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void,
 		{
 			remove_connected_peers(this, entry);
 		}
+		if (entry->init_hash.ptr)
+		{
+			remove_init_hash(this, entry->init_hash);
+		}
 
 		entry_destroy(entry);
 
@@ -1412,65 +1701,98 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void,
 	charon->bus->set_sa(charon->bus, NULL);
 }
 
-METHOD(ike_sa_manager_t, check_uniqueness, bool,
-	private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
+/**
+ * Cleanup function for create_id_enumerator
+ */
+static void id_enumerator_cleanup(linked_list_t *ids)
 {
-	bool cancel = FALSE;
-	peer_cfg_t *peer_cfg;
-	unique_policy_t policy;
-	linked_list_t *list, *duplicate_ids = NULL;
-	enumerator_t *enumerator;
-	ike_sa_id_t *duplicate_id = NULL;
-	identification_t *me, *other;
+	ids->destroy_offset(ids, offsetof(ike_sa_id_t, destroy));
+}
+
+METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
+	private_ike_sa_manager_t *this, identification_t *me,
+	identification_t *other, int family)
+{
+	table_item_t *item;
 	u_int row, segment;
 	rwlock_t *lock;
-
-	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-	policy = peer_cfg->get_unique_policy(peer_cfg);
-	if (policy == UNIQUE_NO && !force_replace)
-	{
-		return FALSE;
-	}
-
-	me = ike_sa->get_my_id(ike_sa);
-	other = ike_sa->get_other_id(ike_sa);
+	linked_list_t *ids = NULL;
 
 	row = chunk_hash_inc(other->get_encoding(other),
 						 chunk_hash(me->get_encoding(me))) & this->table_mask;
 	segment = row & this->segment_mask;
 
-	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
+	lock = this->connected_peers_segments[segment].lock;
 	lock->read_lock(lock);
-	list = this->connected_peers_table[row];
-	if (list)
+	item = this->connected_peers_table[row];
+	while (item)
 	{
-		connected_peers_t *current;
-		host_t *other_host;
+		connected_peers_t *current = item->value;
 
-		other_host = ike_sa->get_other_host(ike_sa);
-		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
-					(void**)&current, me, other,
-					(uintptr_t)other_host->get_family(other_host)) == SUCCESS)
+		if (connected_peers_match(current, me, other, family))
 		{
-			/* clone the list, so we can release the lock */
-			duplicate_ids = current->sas->clone_offset(current->sas,
-												offsetof(ike_sa_id_t, clone));
+			ids = current->sas->clone_offset(current->sas,
+											 offsetof(ike_sa_id_t, clone));
+			break;
 		}
+		item = item->next;
 	}
 	lock->unlock(lock);
 
-	if (!duplicate_ids)
+	if (!ids)
+	{
+		return enumerator_create_empty();
+	}
+	return enumerator_create_cleaner(ids->create_enumerator(ids),
+									 (void*)id_enumerator_cleanup, ids);
+}
+
+/**
+ * Move all CHILD_SAs from old to new
+ */
+static void adopt_children(ike_sa_t *old, ike_sa_t *new)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+
+	enumerator = old->create_child_sa_enumerator(old);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		old->remove_child_sa(old, enumerator);
+		new->add_child_sa(new, child_sa);
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(ike_sa_manager_t, check_uniqueness, bool,
+	private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
+{
+	bool cancel = FALSE;
+	peer_cfg_t *peer_cfg;
+	unique_policy_t policy;
+	enumerator_t *enumerator;
+	ike_sa_id_t *id = NULL;
+	identification_t *me, *other;
+	host_t *other_host;
+
+	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+	policy = peer_cfg->get_unique_policy(peer_cfg);
+	if (policy == UNIQUE_NEVER || (policy == UNIQUE_NO && !force_replace))
 	{
 		return FALSE;
 	}
+	me = ike_sa->get_my_id(ike_sa);
+	other = ike_sa->get_other_eap_id(ike_sa);
+	other_host = ike_sa->get_other_host(ike_sa);
 
-	enumerator = duplicate_ids->create_enumerator(duplicate_ids);
-	while (enumerator->enumerate(enumerator, &duplicate_id))
+	enumerator = create_id_enumerator(this, me, other,
+									  other_host->get_family(other_host));
+	while (enumerator->enumerate(enumerator, &id))
 	{
 		status_t status = SUCCESS;
 		ike_sa_t *duplicate;
 
-		duplicate = checkout(this, duplicate_id);
+		duplicate = checkout(this, id);
 		if (!duplicate)
 		{
 			continue;
@@ -1479,6 +1801,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 		{
 			DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
 				 "received INITIAL_CONTACT", other);
+			charon->bus->ike_updown(charon->bus, duplicate, FALSE);
 			checkin_and_destroy(this, duplicate);
 			continue;
 		}
@@ -1492,6 +1815,11 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 					switch (policy)
 					{
 						case UNIQUE_REPLACE:
+							charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
+							if (duplicate->get_version(duplicate) == IKEV1)
+							{
+								adopt_children(duplicate, ike_sa);
+							}
 							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
 									"'%Y' due to uniqueness policy", other);
 							status = duplicate->delete(duplicate);
@@ -1520,7 +1848,6 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
-	duplicate_ids->destroy_offset(duplicate_ids, offsetof(ike_sa_id_t, destroy));
 	/* reset thread's current IKE_SA after checkin */
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return cancel;
@@ -1530,7 +1857,7 @@ METHOD(ike_sa_manager_t, has_contact, bool,
 	private_ike_sa_manager_t *this, identification_t *me,
 	identification_t *other, int family)
 {
-	linked_list_t *list;
+	table_item_t *item;
 	u_int row, segment;
 	rwlock_t *lock;
 	bool found = FALSE;
@@ -1538,16 +1865,17 @@ METHOD(ike_sa_manager_t, has_contact, bool,
 	row = chunk_hash_inc(other->get_encoding(other),
 						 chunk_hash(me->get_encoding(me))) & this->table_mask;
 	segment = row & this->segment_mask;
-	lock = this->connected_peers_segments[segment & this->segment_mask].lock;
+	lock = this->connected_peers_segments[segment].lock;
 	lock->read_lock(lock);
-	list = this->connected_peers_table[row];
-	if (list)
+	item = this->connected_peers_table[row];
+	while (item)
 	{
-		if (list->find_first(list, (linked_list_match_t)connected_peers_match,
-							 NULL, me, other, family) == SUCCESS)
+		if (connected_peers_match(item->value, me, other, family))
 		{
 			found = TRUE;
+			break;
 		}
+		item = item->next;
 	}
 	lock->unlock(lock);
 
@@ -1573,8 +1901,8 @@ METHOD(ike_sa_manager_t, get_count, u_int,
 METHOD(ike_sa_manager_t, get_half_open_count, u_int,
 	private_ike_sa_manager_t *this, host_t *ip)
 {
-	linked_list_t *list;
-	u_int segment, row;
+	table_item_t *item;
+	u_int row, segment;
 	rwlock_t *lock;
 	chunk_t addr;
 	u_int count = 0;
@@ -1584,17 +1912,19 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int,
 		addr = ip->get_address(ip);
 		row = chunk_hash(addr) & this->table_mask;
 		segment = row & this->segment_mask;
-		lock = this->half_open_segments[segment & this->segment_mask].lock;
+		lock = this->half_open_segments[segment].lock;
 		lock->read_lock(lock);
-		if ((list = this->half_open_table[row]) != NULL)
+		item = this->half_open_table[row];
+		while (item)
 		{
-			half_open_t *current;
+			half_open_t *half_open = item->value;
 
-			if (list->find_first(list, (linked_list_match_t)half_open_match,
-								 (void**)&current, &addr) == SUCCESS)
+			if (chunk_equals(addr, half_open->other))
 			{
-				count = current->count;
+				count = half_open->count;
+				break;
 			}
+			item = item->next;
 		}
 		lock->unlock(lock);
 	}
@@ -1602,7 +1932,7 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int,
 	{
 		for (segment = 0; segment < this->segment_count; segment++)
 		{
-			lock = this->half_open_segments[segment & this->segment_mask].lock;
+			lock = this->half_open_segments[segment].lock;
 			lock->read_lock(lock);
 			count += this->half_open_segments[segment].count;
 			lock->unlock(lock);
@@ -1651,16 +1981,18 @@ METHOD(ike_sa_manager_t, flush, void,
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
 		charon->bus->set_sa(charon->bus, entry->ike_sa);
-		/* as the delete never gets processed, fire down events */
-		switch (entry->ike_sa->get_state(entry->ike_sa))
-		{
-			case IKE_ESTABLISHED:
-			case IKE_REKEYING:
-			case IKE_DELETING:
-				charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
-				break;
-			default:
-				break;
+		if (entry->ike_sa->get_version(entry->ike_sa) == IKEV2)
+		{	/* as the delete never gets processed, fire down events */
+			switch (entry->ike_sa->get_state(entry->ike_sa))
+			{
+				case IKE_ESTABLISHED:
+				case IKE_REKEYING:
+				case IKE_DELETING:
+					charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
+					break;
+				default:
+					break;
+			}
 		}
 		entry->ike_sa->delete(entry->ike_sa);
 	}
@@ -1680,6 +2012,10 @@ METHOD(ike_sa_manager_t, flush, void,
 		{
 			remove_connected_peers(this, entry);
 		}
+		if (entry->init_hash.ptr)
+		{
+			remove_init_hash(this, entry->init_hash);
+		}
 		remove_entry_at((private_enumerator_t*)enumerator);
 		entry_destroy(entry);
 	}
@@ -1698,24 +2034,22 @@ METHOD(ike_sa_manager_t, destroy, void,
 {
 	u_int i;
 
-	for (i = 0; i < this->table_size; i++)
-	{
-		DESTROY_IF(this->ike_sa_table[i]);
-		DESTROY_IF(this->half_open_table[i]);
-		DESTROY_IF(this->connected_peers_table[i]);
-	}
+	/* these are already cleared in flush() above */
 	free(this->ike_sa_table);
 	free(this->half_open_table);
 	free(this->connected_peers_table);
+	free(this->init_hashes_table);
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->segments[i].mutex->destroy(this->segments[i].mutex);
 		this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
 		this->connected_peers_segments[i].lock->destroy(this->connected_peers_segments[i].lock);
+		this->init_hashes_segments[i].mutex->destroy(this->init_hashes_segments[i].mutex);
 	}
 	free(this->segments);
 	free(this->half_open_segments);
 	free(this->connected_peers_segments);
+	free(this->init_hashes_segments);
 
 	free(this);
 }
@@ -1757,6 +2091,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 			.check_uniqueness = _check_uniqueness,
 			.has_contact = _has_contact,
 			.create_enumerator = _create_enumerator,
+			.create_id_enumerator = _create_id_enumerator,
 			.checkin = _checkin,
 			.checkin_and_destroy = _checkin_and_destroy,
 			.get_count = _get_count,
@@ -1782,17 +2117,22 @@ ike_sa_manager_t *ike_sa_manager_create()
 		return NULL;
 	}
 
-	this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings,
-						"charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
+	this->ikesa_limit = lib->settings->get_int(lib->settings,
+									"%s.ikesa_limit", 0, charon->name);
+
+	this->table_size = get_nearest_powerof2(lib->settings->get_int(
+									lib->settings, "%s.ikesa_table_size",
+									DEFAULT_HASHTABLE_SIZE, charon->name));
 	this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
 	this->table_mask = this->table_size - 1;
 
-	this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
-						"charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
+	this->segment_count = get_nearest_powerof2(lib->settings->get_int(
+									lib->settings, "%s.ikesa_table_segments",
+									DEFAULT_SEGMENT_COUNT, charon->name));
 	this->segment_count = max(1, min(this->segment_count, this->table_size));
 	this->segment_mask = this->segment_count - 1;
-	this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
 
+	this->ike_sa_table = calloc(this->table_size, sizeof(table_item_t*));
 	this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
 	for (i = 0; i < this->segment_count; i++)
 	{
@@ -1801,7 +2141,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	}
 
 	/* we use the same table parameters for the table to track half-open SAs */
-	this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
+	this->half_open_table = calloc(this->table_size, sizeof(table_item_t*));
 	this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
 	for (i = 0; i < this->segment_count; i++)
 	{
@@ -1810,7 +2150,7 @@ ike_sa_manager_t *ike_sa_manager_create()
 	}
 
 	/* also for the hash table used for duplicate tests */
-	this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
+	this->connected_peers_table = calloc(this->table_size, sizeof(table_item_t*));
 	this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
 	for (i = 0; i < this->segment_count; i++)
 	{
@@ -1818,7 +2158,16 @@ ike_sa_manager_t *ike_sa_manager_create()
 		this->connected_peers_segments[i].count = 0;
 	}
 
+	/* and again for the table of hashes of seen initial IKE messages */
+	this->init_hashes_table = calloc(this->table_size, sizeof(table_item_t*));
+	this->init_hashes_segments = calloc(this->segment_count, sizeof(segment_t));
+	for (i = 0; i < this->segment_count; i++)
+	{
+		this->init_hashes_segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+		this->init_hashes_segments[i].count = 0;
+	}
+
 	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
-												"charon.reuse_ikesa", TRUE);
+										"%s.reuse_ikesa", TRUE, charon->name);
 	return &this->public;
 }
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index 5e542e7df..a68ae7763 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -52,10 +52,12 @@ struct ike_sa_manager_t {
 	/**
 	 * Create and check out a new IKE_SA.
 	 *
+	 * @param version			IKE version of this SA
 	 * @param initiator			TRUE for initiator, FALSE otherwise
 	 * @returns 				created and checked out IKE_SA
 	 */
-	ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, bool initiator);
+	ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, ike_version_t version,
+							   bool initiator);
 
 	/**
 	 * Checkout an IKE_SA by a message.
@@ -168,6 +170,20 @@ struct ike_sa_manager_t {
 	enumerator_t *(*create_enumerator) (ike_sa_manager_t* this, bool wait);
 
 	/**
+	 * Create an enumerator over ike_sa_id_t*, matching peer identities.
+	 *
+	 * The remote peer is identified by its XAuth or EAP identity, if available.
+	 *
+	 * @param me				local peer identity to match
+	 * @param other				remote peer identity to match
+	 * @param family			address family to match, 0 for any
+	 * @return					enumerator over ike_sa_id_t*
+	 */
+	enumerator_t* (*create_id_enumerator)(ike_sa_manager_t *this,
+								identification_t *me, identification_t *other,
+								int family);
+
+	/**
 	 * Checkin the SA after usage.
 	 *
 	 * If the IKE_SA is not registered in the manager, a new entry is created.
diff --git a/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c
new file mode 100644
index 000000000..689f5f376
--- /dev/null
+++ b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hybrid_authenticator.h"
+
+#include <daemon.h>
+#include <sa/ikev1/authenticators/psk_v1_authenticator.h>
+
+typedef struct private_hybrid_authenticator_t private_hybrid_authenticator_t;
+
+/**
+ * Private data of an hybrid_authenticator_t object.
+ */
+struct private_hybrid_authenticator_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	hybrid_authenticator_t public;
+
+	/**
+	 * Public key authenticator
+	 */
+	authenticator_t *sig;
+
+	/**
+	 * HASH payload authenticator without credentials
+	 */
+	authenticator_t *hash;
+};
+
+METHOD(authenticator_t, build_i, status_t,
+	private_hybrid_authenticator_t *this, message_t *message)
+{
+	return this->hash->build(this->hash, message);
+}
+
+METHOD(authenticator_t, process_r, status_t,
+	private_hybrid_authenticator_t *this, message_t *message)
+{
+	return this->hash->process(this->hash, message);
+}
+
+METHOD(authenticator_t, build_r, status_t,
+	private_hybrid_authenticator_t *this, message_t *message)
+{
+	return this->sig->build(this->sig, message);
+}
+
+METHOD(authenticator_t, process_i, status_t,
+	private_hybrid_authenticator_t *this, message_t *message)
+{
+	return this->sig->process(this->sig, message);
+}
+
+METHOD(authenticator_t, destroy, void,
+	private_hybrid_authenticator_t *this)
+{
+	DESTROY_IF(this->hash);
+	DESTROY_IF(this->sig);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
+										bool initiator, diffie_hellman_t *dh,
+										chunk_t dh_value, chunk_t sa_payload,
+										chunk_t id_payload)
+{
+	private_hybrid_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.hash = (authenticator_t*)psk_v1_authenticator_create(ike_sa, initiator,
+						dh, dh_value, sa_payload, id_payload, TRUE),
+		.sig = authenticator_create_v1(ike_sa, initiator, AUTH_RSA, dh,
+						dh_value, sa_payload, chunk_clone(id_payload)),
+	);
+	if (!this->sig || !this->hash)
+	{
+		destroy(this);
+		return NULL;
+	}
+	if (initiator)
+	{
+		this->public.authenticator.build = _build_i;
+		this->public.authenticator.process = _process_i;
+	}
+	else
+	{
+		this->public.authenticator.build = _build_r;
+		this->public.authenticator.process = _process_r;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.h b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.h
new file mode 100644
index 000000000..69e596959
--- /dev/null
+++ b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hybrid_authenticator hybrid_authenticator
+ * @{ @ingroup authenticators_v1
+ */
+
+#ifndef HYBRID_AUTHENTICATOR_H_
+#define HYBRID_AUTHENTICATOR_H_
+
+typedef struct hybrid_authenticator_t hybrid_authenticator_t;
+
+#include <sa/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using IKEv1 hybrid authentication.
+ */
+struct hybrid_authenticator_t {
+
+	/**
+	 * Implemented authenticator_t interface.
+	 */
+	authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build hybrid signatures.
+ *
+ * @param ike_sa			associated IKE_SA
+ * @param initiator			TRUE if we are the IKE_SA initiator
+ * @param dh				diffie hellman key exchange
+ * @param dh_value			others public diffie hellman value
+ * @param sa_payload		generated SA payload data, without payload header
+ * @param id_payload		encoded ID payload of peer to authenticate or verify
+ *							without payload header (gets owned)
+ * @return					hybrid authenticator
+ */
+hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
+										bool initiator, diffie_hellman_t *dh,
+										chunk_t dh_value, chunk_t sa_payload,
+										chunk_t id_payload);
+
+#endif /** HYBRID_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
new file mode 100644
index 000000000..ee15408c7
--- /dev/null
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "psk_v1_authenticator.h"
+
+#include <daemon.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <encoding/payloads/hash_payload.h>
+
+typedef struct private_psk_v1_authenticator_t private_psk_v1_authenticator_t;
+
+/**
+ * Private data of an psk_v1_authenticator_t object.
+ */
+struct private_psk_v1_authenticator_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	psk_v1_authenticator_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * TRUE if we are initiator
+	 */
+	bool initiator;
+
+	/**
+	 * DH key exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * Others DH public value
+	 */
+	chunk_t dh_value;
+
+	/**
+	 * Encoded SA payload, without fixed header
+	 */
+	chunk_t sa_payload;
+
+	/**
+	 * Encoded ID payload, without fixed header
+	 */
+	chunk_t id_payload;
+
+	/**
+	 * Used for Hybrid authentication to build hash without PSK?
+	 */
+	bool hybrid;
+};
+
+METHOD(authenticator_t, build, status_t,
+	private_psk_v1_authenticator_t *this, message_t *message)
+{
+	hash_payload_t *hash_payload;
+	keymat_v1_t *keymat;
+	chunk_t hash, dh;
+
+	this->dh->get_my_public_value(this->dh, &dh);
+	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
+					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+					this->id_payload, &hash))
+	{
+		free(dh.ptr);
+		return FAILED;
+	}
+	free(dh.ptr);
+
+	hash_payload = hash_payload_create(HASH_V1);
+	hash_payload->set_hash(hash_payload, hash);
+	message->add_payload(message, &hash_payload->payload_interface);
+	free(hash.ptr);
+
+	return SUCCESS;
+}
+
+METHOD(authenticator_t, process, status_t,
+	private_psk_v1_authenticator_t *this, message_t *message)
+{
+	hash_payload_t *hash_payload;
+	keymat_v1_t *keymat;
+	chunk_t hash, dh;
+	auth_cfg_t *auth;
+
+	hash_payload = (hash_payload_t*)message->get_payload(message, HASH_V1);
+	if (!hash_payload)
+	{
+		DBG1(DBG_IKE, "HASH payload missing in message");
+		return FAILED;
+	}
+
+	this->dh->get_my_public_value(this->dh, &dh);
+	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
+					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+					this->id_payload, &hash))
+	{
+		free(dh.ptr);
+		return FAILED;
+	}
+	free(dh.ptr);
+	if (chunk_equals(hash, hash_payload->get_hash(hash_payload)))
+	{
+		free(hash.ptr);
+		if (!this->hybrid)
+		{
+			auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+		}
+		return SUCCESS;
+	}
+	free(hash.ptr);
+	DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
+	return FAILED;
+}
+
+METHOD(authenticator_t, destroy, void,
+	private_psk_v1_authenticator_t *this)
+{
+	chunk_free(&this->id_payload);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
+										bool initiator, diffie_hellman_t *dh,
+										chunk_t dh_value, chunk_t sa_payload,
+										chunk_t id_payload, bool hybrid)
+{
+	private_psk_v1_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build,
+				.process = _process,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+		.dh = dh,
+		.dh_value = dh_value,
+		.sa_payload = sa_payload,
+		.id_payload = id_payload,
+		.hybrid = hybrid,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h
new file mode 100644
index 000000000..cc9e18ba1
--- /dev/null
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup psk_v1_authenticator psk_v1_authenticator
+ * @{ @ingroup authenticators_v1
+ */
+
+#ifndef PSK_V1_AUTHENTICATOR_H_
+#define PSK_V1_AUTHENTICATOR_H_
+
+typedef struct psk_v1_authenticator_t psk_v1_authenticator_t;
+
+#include <sa/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using pre-shared keys for IKEv1.
+ */
+struct psk_v1_authenticator_t {
+
+	/**
+	 * Implemented authenticator_t interface.
+	 */
+	authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build PSK signatures.
+ *
+ * @param ike_sa			associated IKE_SA
+ * @param initiator			TRUE if we are the IKE_SA initiator
+ * @param dh				diffie hellman key exchange
+ * @param dh_value			others public diffie hellman value
+ * @param sa_payload		generated SA payload data, without payload header
+ * @param id_payload		encoded ID payload of peer to authenticate or verify
+ *							without payload header (gets owned)
+ * @param hybrid			TRUE if used for hybrid authentication without PSK
+ * @return					PSK authenticator
+ */
+psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
+										bool initiator, diffie_hellman_t *dh,
+										chunk_t dh_value, chunk_t sa_payload,
+										chunk_t id_payload, bool hybrid);
+
+#endif /** PSK_V1_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
new file mode 100644
index 000000000..d81c77f0d
--- /dev/null
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pubkey_v1_authenticator.h"
+
+#include <daemon.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <encoding/payloads/hash_payload.h>
+
+typedef struct private_pubkey_v1_authenticator_t private_pubkey_v1_authenticator_t;
+
+/**
+ * Private data of an pubkey_v1_authenticator_t object.
+ */
+struct private_pubkey_v1_authenticator_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	pubkey_v1_authenticator_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * TRUE if we are initiator
+	 */
+	bool initiator;
+
+	/**
+	 * DH key exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * Others DH public value
+	 */
+	chunk_t dh_value;
+
+	/**
+	 * Encoded SA payload, without fixed header
+	 */
+	chunk_t sa_payload;
+
+	/**
+	 * Encoded ID payload, without fixed header
+	 */
+	chunk_t id_payload;
+
+	/**
+	 * Key type to use
+	 */
+	key_type_t type;
+};
+
+METHOD(authenticator_t, build, status_t,
+	private_pubkey_v1_authenticator_t *this, message_t *message)
+{
+	hash_payload_t *sig_payload;
+	chunk_t hash, sig, dh;
+	keymat_v1_t *keymat;
+	status_t status;
+	private_key_t *private;
+	identification_t *id;
+	auth_cfg_t *auth;
+	signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+
+	if (this->type == KEY_ECDSA)
+	{
+		scheme = SIGN_ECDSA_WITH_NULL;
+	}
+
+	id = this->ike_sa->get_my_id(this->ike_sa);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+	private = lib->credmgr->get_private(lib->credmgr, this->type, id, auth);
+	if (!private)
+	{
+		DBG1(DBG_IKE, "no %N private key found for '%Y'",
+			 key_type_names, this->type, id);
+		return NOT_FOUND;
+	}
+
+	this->dh->get_my_public_value(this->dh, &dh);
+	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
+					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+					this->id_payload, &hash))
+	{
+		private->destroy(private);
+		free(dh.ptr);
+		return FAILED;
+	}
+	free(dh.ptr);
+
+	if (private->sign(private, scheme, hash, &sig))
+	{
+		sig_payload = hash_payload_create(SIGNATURE_V1);
+		sig_payload->set_hash(sig_payload, sig);
+		free(sig.ptr);
+		message->add_payload(message, &sig_payload->payload_interface);
+		status = SUCCESS;
+		DBG1(DBG_IKE, "authentication of '%Y' (myself) successful", id);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id);
+		status = FAILED;
+	}
+	private->destroy(private);
+	free(hash.ptr);
+
+	return status;
+}
+
+METHOD(authenticator_t, process, status_t,
+	private_pubkey_v1_authenticator_t *this, message_t *message)
+{
+	chunk_t hash, sig, dh;
+	keymat_v1_t *keymat;
+	public_key_t *public;
+	hash_payload_t *sig_payload;
+	auth_cfg_t *auth, *current_auth;
+	enumerator_t *enumerator;
+	status_t status = NOT_FOUND;
+	identification_t *id;
+	signature_scheme_t scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+
+	if (this->type == KEY_ECDSA)
+	{
+		scheme = SIGN_ECDSA_WITH_NULL;
+	}
+
+	sig_payload = (hash_payload_t*)message->get_payload(message, SIGNATURE_V1);
+	if (!sig_payload)
+	{
+		DBG1(DBG_IKE, "SIG payload missing in message");
+		return FAILED;
+	}
+
+	id = this->ike_sa->get_other_id(this->ike_sa);
+	this->dh->get_my_public_value(this->dh, &dh);
+	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
+					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+					this->id_payload, &hash))
+	{
+		free(dh.ptr);
+		return FAILED;
+	}
+	free(dh.ptr);
+
+	sig = sig_payload->get_hash(sig_payload);
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, this->type,
+														id, auth);
+	while (enumerator->enumerate(enumerator, &public, &current_auth))
+	{
+		if (public->verify(public, scheme, hash, sig))
+		{
+			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+				 id, key_type_names, this->type);
+			status = SUCCESS;
+			auth->merge(auth, current_auth, FALSE);
+			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+			break;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "signature validation failed, looking for another key");
+			status = FAILED;
+		}
+	}
+	enumerator->destroy(enumerator);
+	free(hash.ptr);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
+			 key_type_names, this->type, id);
+	}
+	return status;
+}
+
+METHOD(authenticator_t, destroy, void,
+	private_pubkey_v1_authenticator_t *this)
+{
+	chunk_free(&this->id_payload);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
+										bool initiator, diffie_hellman_t *dh,
+										chunk_t dh_value, chunk_t sa_payload,
+										chunk_t id_payload, key_type_t type)
+{
+	private_pubkey_v1_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build,
+				.process = _process,
+				.is_mutual = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+		.dh = dh,
+		.dh_value = dh_value,
+		.sa_payload = sa_payload,
+		.id_payload = id_payload,
+		.type = type,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h
new file mode 100644
index 000000000..385664cf3
--- /dev/null
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pubkey_v1_authenticator pubkey_v1_authenticator
+ * @{ @ingroup authenticators_v1
+ */
+
+#ifndef PUBKEY_V1_AUTHENTICATOR_H_
+#define PUBKEY_V1_AUTHENTICATOR_H_
+
+typedef struct pubkey_v1_authenticator_t pubkey_v1_authenticator_t;
+
+#include <sa/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using public keys for IKEv1.
+ */
+struct pubkey_v1_authenticator_t {
+
+	/**
+	 * Implemented authenticator_t interface.
+	 */
+	authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build and verify public key signatures.
+ *
+ * @param ike_sa			associated IKE_SA
+ * @param initiator			TRUE if we are IKE_SA initiator
+ * @param dh				diffie hellman key exchange
+ * @param dh_value			others public diffie hellman value
+ * @param sa_payload		generated SA payload data, without payload header
+ * @param id_payload		encoded ID payload of peer to authenticate or verify
+ *							without payload header (gets owned)
+ * @param type				key type to use, KEY_RSA or KEY_ECDSA
+ * @return					pubkey authenticator
+ */
+pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
+										bool initiator, diffie_hellman_t *dh,
+										chunk_t dh_value, chunk_t sa_payload,
+										chunk_t id_payload, key_type_t type);
+
+#endif /** PUBKEY_V1_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
new file mode 100644
index 000000000..39e4cad20
--- /dev/null
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -0,0 +1,1158 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "keymat_v1.h"
+
+#include <daemon.h>
+#include <encoding/generator.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <collections/linked_list.h>
+
+typedef struct private_keymat_v1_t private_keymat_v1_t;
+
+/**
+ * Max. number of IVs to track.
+ */
+#define MAX_IV 3
+
+/**
+ * Max. number of Quick Modes to track.
+ */
+#define MAX_QM 2
+
+/**
+ * Data stored for IVs
+ */
+typedef struct {
+	/** message ID */
+	u_int32_t mid;
+	/** current IV */
+	chunk_t iv;
+	/** last block of encrypted message */
+	chunk_t last_block;
+} iv_data_t;
+
+/**
+ * Private data of an keymat_t object.
+ */
+struct private_keymat_v1_t {
+
+	/**
+	 * Public keymat_v1_t interface.
+	 */
+	keymat_v1_t public;
+
+	/**
+	 * IKE_SA Role, initiator or responder
+	 */
+	bool initiator;
+
+	/**
+	 * General purpose PRF
+	 */
+	prf_t *prf;
+
+	/**
+	 * PRF to create Phase 1 HASH payloads
+	 */
+	prf_t *prf_auth;
+
+	/**
+	 * Crypter wrapped in an aead_t interface
+	 */
+	aead_t *aead;
+
+	/**
+	 * Hasher used for IV generation (and other things like e.g. NAT-T)
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * Key used for authentication during main mode
+	 */
+	chunk_t skeyid;
+
+	/**
+	 * Key to derive key material from for non-ISAKMP SAs, rekeying
+	 */
+	chunk_t skeyid_d;
+
+	/**
+	 * Key used for authentication after main mode
+	 */
+	chunk_t skeyid_a;
+
+	/**
+	 * Phase 1 IV
+	 */
+	iv_data_t phase1_iv;
+
+	/**
+	 * Keep track of IVs for exchanges after phase 1. We store only a limited
+	 * number of IVs in an MRU sort of way. Stores iv_data_t objects.
+	 */
+	linked_list_t *ivs;
+
+	/**
+	 * Keep track of Nonces during Quick Mode exchanges. Only a limited number
+	 * of QMs are tracked at the same time. Stores qm_data_t objects.
+	 */
+	linked_list_t *qms;
+};
+
+
+/**
+ * Destroy an iv_data_t object.
+ */
+static void iv_data_destroy(iv_data_t *this)
+{
+	chunk_free(&this->last_block);
+	chunk_free(&this->iv);
+	free(this);
+}
+
+/**
+ * Data stored for Quick Mode exchanges
+ */
+typedef struct {
+	/** message ID */
+	u_int32_t mid;
+	/** Ni_b (Nonce from first message) */
+	chunk_t n_i;
+	/** Nr_b (Nonce from second message) */
+	chunk_t n_r;
+} qm_data_t;
+
+/**
+ * Destroy a qm_data_t object.
+ */
+static void qm_data_destroy(qm_data_t *this)
+{
+	chunk_free(&this->n_i);
+	chunk_free(&this->n_r);
+	free(this);
+}
+
+/**
+ * Constants used in key derivation.
+ */
+static const chunk_t octet_0 = chunk_from_chars(0x00);
+static const chunk_t octet_1 = chunk_from_chars(0x01);
+static const chunk_t octet_2 = chunk_from_chars(0x02);
+
+/**
+ * Simple aead_t implementation without support for authentication.
+ */
+typedef struct {
+	/** implements aead_t interface */
+	aead_t aead;
+	/** crypter to be used */
+	crypter_t *crypter;
+} private_aead_t;
+
+
+METHOD(aead_t, encrypt, bool,
+	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	return this->crypter->encrypt(this->crypter, plain, iv, encrypted);
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	return this->crypter->decrypt(this->crypter, encrypted, iv, plain);
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_block_size(this->crypter);
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_aead_t *this)
+{
+	/* in order to create the messages properly we return 0 here */
+	return 0;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(aead_t, set_key, bool,
+	private_aead_t *this, chunk_t key)
+{
+	return this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(aead_t, aead_destroy, void,
+	private_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * Expand SKEYID_e according to Appendix B in RFC 2409.
+ * TODO-IKEv1: verify keys (e.g. for weak keys, see Appendix B)
+ */
+static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf,
+							chunk_t *ka)
+{
+	size_t block_size;
+	chunk_t seed;
+	int i;
+
+	if (skeyid_e.len >= key_size)
+	{	/* no expansion required, reduce to key_size */
+		skeyid_e.len = key_size;
+		*ka = skeyid_e;
+		return TRUE;
+	}
+	block_size = prf->get_block_size(prf);
+	*ka = chunk_alloc((key_size / block_size + 1) * block_size);
+	ka->len = key_size;
+
+	/* Ka = K1 | K2 | ..., K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1) ... */
+	if (!prf->set_key(prf, skeyid_e))
+	{
+		chunk_clear(ka);
+		chunk_clear(&skeyid_e);
+		return FALSE;
+	}
+	seed = octet_0;
+	for (i = 0; i < key_size; i += block_size)
+	{
+		if (!prf->get_bytes(prf, seed, ka->ptr + i))
+		{
+			chunk_clear(ka);
+			chunk_clear(&skeyid_e);
+			return FALSE;
+		}
+		seed = chunk_create(ka->ptr + i, block_size);
+	}
+	chunk_clear(&skeyid_e);
+	return TRUE;
+}
+
+/**
+ * Create a simple implementation of the aead_t interface which only encrypts
+ * or decrypts data.
+ */
+static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
+{
+	private_aead_t *this;
+	u_int16_t alg, key_size;
+	crypter_t *crypter;
+	chunk_t ka;
+
+	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg,
+								 &key_size))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, ENCRYPTION_ALGORITHM);
+		return NULL;
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	if (!crypter)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, alg, key_size);
+		return NULL;
+	}
+	key_size = crypter->get_key_size(crypter);
+	if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, &ka))
+	{
+		return NULL;
+	}
+	DBG4(DBG_IKE, "encryption key Ka %B", &ka);
+	if (!crypter->set_key(crypter, ka))
+	{
+		chunk_clear(&ka);
+		return NULL;
+	}
+	chunk_clear(&ka);
+
+	INIT(this,
+		.aead = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_block_size = _get_block_size,
+			.get_icv_size = _get_icv_size,
+			.get_iv_size = _get_iv_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _aead_destroy,
+		},
+		.crypter = crypter,
+	);
+	return &this->aead;
+}
+
+/**
+ * Converts integrity algorithm to PRF algorithm
+ */
+static u_int16_t auth_to_prf(u_int16_t alg)
+{
+	switch (alg)
+	{
+		case AUTH_HMAC_SHA1_96:
+			return PRF_HMAC_SHA1;
+		case AUTH_HMAC_SHA2_256_128:
+			return PRF_HMAC_SHA2_256;
+		case AUTH_HMAC_SHA2_384_192:
+			return PRF_HMAC_SHA2_384;
+		case AUTH_HMAC_SHA2_512_256:
+			return PRF_HMAC_SHA2_512;
+		case AUTH_HMAC_MD5_96:
+			return PRF_HMAC_MD5;
+		case AUTH_AES_XCBC_96:
+			return PRF_AES128_XCBC;
+		default:
+			return PRF_UNDEFINED;
+	}
+}
+
+/**
+ * Converts integrity algorithm to hash algorithm
+ */
+static u_int16_t auth_to_hash(u_int16_t alg)
+{
+	switch (alg)
+	{
+		case AUTH_HMAC_SHA1_96:
+			return HASH_SHA1;
+		case AUTH_HMAC_SHA2_256_128:
+			return HASH_SHA256;
+		case AUTH_HMAC_SHA2_384_192:
+			return HASH_SHA384;
+		case AUTH_HMAC_SHA2_512_256:
+			return HASH_SHA512;
+		case AUTH_HMAC_MD5_96:
+			return HASH_MD5;
+		default:
+			return HASH_UNKNOWN;
+	}
+}
+
+/**
+ * Adjust the key length for PRF algorithms that expect a fixed key length.
+ */
+static void adjust_keylen(u_int16_t alg, chunk_t *key)
+{
+	switch (alg)
+	{
+		case PRF_AES128_XCBC:
+			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+			 * not and therefore fixed key semantics apply to XCBC for key
+			 * derivation. */
+			key->len = min(key->len, 16);
+			break;
+		default:
+			/* all other algorithms use variable key length */
+			break;
+	}
+}
+
+METHOD(keymat_v1_t, derive_ike_keys, bool,
+	private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+	auth_method_t auth, shared_key_t *shared_key)
+{
+	chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e;
+	chunk_t skeyid;
+	u_int16_t alg;
+
+	spi_i = chunk_alloca(sizeof(u_int64_t));
+	spi_r = chunk_alloca(sizeof(u_int64_t));
+
+	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
+	{	/* no PRF negotiated, use HMAC version of integrity algorithm instead */
+		if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)
+			|| (alg = auth_to_prf(alg)) == PRF_UNDEFINED)
+		{
+			DBG1(DBG_IKE, "no %N selected",
+				 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+			return FALSE;
+		}
+	}
+	this->prf = lib->crypto->create_prf(lib->crypto, alg);
+	if (!this->prf)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
+			 pseudo_random_function_names, alg);
+		return FALSE;
+	}
+	if (this->prf->get_block_size(this->prf) <
+		this->prf->get_key_size(this->prf))
+	{	/* TODO-IKEv1: support PRF output expansion (RFC 2409, Appendix B) */
+		DBG1(DBG_IKE, "expansion of %N %N output not supported!",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
+			 pseudo_random_function_names, alg);
+		return FALSE;
+	}
+
+	if (dh->get_shared_secret(dh, &g_xy) != SUCCESS)
+	{
+		return FALSE;
+	}
+	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy);
+
+	*((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
+	*((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
+	nonces = chunk_cata("cc", nonce_i, nonce_r);
+
+	switch (auth)
+	{
+		case AUTH_PSK:
+		case AUTH_XAUTH_INIT_PSK:
+		case AUTH_XAUTH_RESP_PSK:
+		{	/* SKEYID = prf(pre-shared-key, Ni_b | Nr_b) */
+			chunk_t psk;
+			if (!shared_key)
+			{
+				chunk_clear(&g_xy);
+				return FALSE;
+			}
+			psk = shared_key->get_key(shared_key);
+			adjust_keylen(alg, &psk);
+			if (!this->prf->set_key(this->prf, psk) ||
+				!this->prf->allocate_bytes(this->prf, nonces, &skeyid))
+			{
+				chunk_clear(&g_xy);
+				return FALSE;
+			}
+			break;
+		}
+		case AUTH_RSA:
+		case AUTH_ECDSA_256:
+		case AUTH_ECDSA_384:
+		case AUTH_ECDSA_521:
+		case AUTH_XAUTH_INIT_RSA:
+		case AUTH_XAUTH_RESP_RSA:
+		case AUTH_HYBRID_INIT_RSA:
+		case AUTH_HYBRID_RESP_RSA:
+		{
+			if (!this->prf->set_key(this->prf, nonces) ||
+				!this->prf->allocate_bytes(this->prf, g_xy, &skeyid))
+			{
+				chunk_clear(&g_xy);
+				return FALSE;
+			}
+			break;
+		}
+		default:
+			/* TODO-IKEv1: implement key derivation for other schemes */
+			/* authentication class not supported */
+			chunk_clear(&g_xy);
+			return FALSE;
+	}
+	adjust_keylen(alg, &skeyid);
+	DBG4(DBG_IKE, "SKEYID %B", &skeyid);
+
+	/* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
+	data = chunk_cat("cccc", g_xy, spi_i, spi_r, octet_0);
+	if (!this->prf->set_key(this->prf, skeyid) ||
+		!this->prf->allocate_bytes(this->prf, data, &this->skeyid_d))
+	{
+		chunk_clear(&g_xy);
+		chunk_clear(&data);
+		return FALSE;
+	}
+	chunk_clear(&data);
+	DBG4(DBG_IKE, "SKEYID_d %B", &this->skeyid_d);
+
+	/* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
+	data = chunk_cat("ccccc", this->skeyid_d, g_xy, spi_i, spi_r, octet_1);
+	if (!this->prf->allocate_bytes(this->prf, data, &this->skeyid_a))
+	{
+		chunk_clear(&g_xy);
+		chunk_clear(&data);
+		return FALSE;
+	}
+	chunk_clear(&data);
+	DBG4(DBG_IKE, "SKEYID_a %B", &this->skeyid_a);
+
+	/* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
+	data = chunk_cat("ccccc", this->skeyid_a, g_xy, spi_i, spi_r, octet_2);
+	if (!this->prf->allocate_bytes(this->prf, data, &skeyid_e))
+	{
+		chunk_clear(&g_xy);
+		chunk_clear(&data);
+		return FALSE;
+	}
+	chunk_clear(&data);
+	DBG4(DBG_IKE, "SKEYID_e %B", &skeyid_e);
+
+	chunk_clear(&g_xy);
+
+	switch (auth)
+	{
+		case AUTH_ECDSA_256:
+			alg = PRF_HMAC_SHA2_256;
+			break;
+		case AUTH_ECDSA_384:
+			alg =  PRF_HMAC_SHA2_384;
+			break;
+		case AUTH_ECDSA_521:
+			alg = PRF_HMAC_SHA2_512;
+			break;
+		default:
+			/* use proposal algorithm */
+			break;
+	}
+	this->prf_auth = lib->crypto->create_prf(lib->crypto, alg);
+	if (!this->prf_auth)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
+			 pseudo_random_function_names, alg);
+		chunk_clear(&skeyid);
+		return FALSE;
+	}
+	if (!this->prf_auth->set_key(this->prf_auth, skeyid))
+	{
+		chunk_clear(&skeyid);
+		return FALSE;
+	}
+	chunk_clear(&skeyid);
+
+	this->aead = create_aead(proposal, this->prf, skeyid_e);
+	if (!this->aead)
+	{
+		return FALSE;
+	}
+	if (!this->hasher && !this->public.create_hasher(&this->public, proposal))
+	{
+		return FALSE;
+	}
+
+	dh->get_my_public_value(dh, &dh_me);
+	g_xi = this->initiator ? dh_me : dh_other;
+	g_xr = this->initiator ? dh_other : dh_me;
+
+	/* initial IV = hash(g^xi | g^xr) */
+	data = chunk_cata("cc", g_xi, g_xr);
+	chunk_free(&dh_me);
+	if (!this->hasher->allocate_hash(this->hasher, data, &this->phase1_iv.iv))
+	{
+		return FALSE;
+	}
+	if (this->phase1_iv.iv.len > this->aead->get_block_size(this->aead))
+	{
+		this->phase1_iv.iv.len = this->aead->get_block_size(this->aead);
+	}
+	DBG4(DBG_IKE, "initial IV %B", &this->phase1_iv.iv);
+
+	return TRUE;
+}
+
+METHOD(keymat_v1_t, derive_child_keys, bool,
+	private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	u_int32_t spi_i, u_int32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
+	chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r)
+{
+	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
+	u_int8_t protocol;
+	prf_plus_t *prf_plus;
+	chunk_t seed, secret = chunk_empty;
+	bool success = FALSE;
+
+	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+								&enc_alg, &enc_size))
+	{
+		DBG2(DBG_CHD, "  using %N for encryption",
+			 encryption_algorithm_names, enc_alg);
+
+		if (!enc_size)
+		{
+			enc_size = keymat_get_keylen_encr(enc_alg);
+		}
+		if (enc_alg != ENCR_NULL && !enc_size)
+		{
+			DBG1(DBG_CHD, "no keylength defined for %N",
+				 encryption_algorithm_names, enc_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		enc_size /= 8;
+
+		/* CCM/GCM/CTR/GMAC needs additional bytes */
+		switch (enc_alg)
+		{
+			case ENCR_AES_CCM_ICV8:
+			case ENCR_AES_CCM_ICV12:
+			case ENCR_AES_CCM_ICV16:
+			case ENCR_CAMELLIA_CCM_ICV8:
+			case ENCR_CAMELLIA_CCM_ICV12:
+			case ENCR_CAMELLIA_CCM_ICV16:
+				enc_size += 3;
+				break;
+			case ENCR_AES_GCM_ICV8:
+			case ENCR_AES_GCM_ICV12:
+			case ENCR_AES_GCM_ICV16:
+			case ENCR_AES_CTR:
+			case ENCR_NULL_AUTH_AES_GMAC:
+				enc_size += 4;
+				break;
+			default:
+				break;
+		}
+	}
+
+	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+								&int_alg, &int_size))
+	{
+		DBG2(DBG_CHD, "  using %N for integrity",
+			 integrity_algorithm_names, int_alg);
+
+		if (!int_size)
+		{
+			int_size = keymat_get_keylen_integ(int_alg);
+		}
+		if (!int_size)
+		{
+			DBG1(DBG_CHD, "no keylength defined for %N",
+				 integrity_algorithm_names, int_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		int_size /= 8;
+	}
+
+	/* KEYMAT = prf+(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b) */
+	if (!this->prf->set_key(this->prf, this->skeyid_d))
+	{
+		return FALSE;
+	}
+	protocol = proposal->get_protocol(proposal);
+	if (dh)
+	{
+		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		{
+			return FALSE;
+		}
+		DBG4(DBG_CHD, "DH secret %B", &secret);
+	}
+
+	*encr_r = *integ_r = *encr_i = *integ_i = chunk_empty;
+	seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
+					  chunk_from_thing(spi_r), nonce_i, nonce_r);
+	DBG4(DBG_CHD, "initiator SA seed %B", &seed);
+
+	prf_plus = prf_plus_create(this->prf, FALSE, seed);
+	if (!prf_plus ||
+		!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
+		!prf_plus->allocate_bytes(prf_plus, int_size, integ_i))
+	{
+		goto failure;
+	}
+
+	seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
+					  chunk_from_thing(spi_i), nonce_i, nonce_r);
+	DBG4(DBG_CHD, "responder SA seed %B", &seed);
+	prf_plus->destroy(prf_plus);
+	prf_plus = prf_plus_create(this->prf, FALSE, seed);
+	if (!prf_plus ||
+		!prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
+		!prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
+	{
+		goto failure;
+	}
+
+	if (enc_size)
+	{
+		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
+		DBG4(DBG_CHD, "encryption responder key %B", encr_r);
+	}
+	if (int_size)
+	{
+		DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
+		DBG4(DBG_CHD, "integrity responder key %B", integ_r);
+	}
+	success = TRUE;
+
+failure:
+	if (!success)
+	{
+		chunk_clear(encr_i);
+		chunk_clear(integ_i);
+		chunk_clear(encr_r);
+		chunk_clear(integ_r);
+	}
+	DESTROY_IF(prf_plus);
+	chunk_clear(&secret);
+
+	return success;
+}
+
+METHOD(keymat_v1_t, create_hasher, bool,
+	private_keymat_v1_t *this, proposal_t *proposal)
+{
+	u_int16_t alg;
+	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) ||
+		(alg = auth_to_hash(alg)) == HASH_UNKNOWN)
+	{
+		DBG1(DBG_IKE, "no %N selected", transform_type_names, HASH_ALGORITHM);
+		return FALSE;
+	}
+	this->hasher = lib->crypto->create_hasher(lib->crypto, alg);
+	if (!this->hasher)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, HASH_ALGORITHM,
+			 hash_algorithm_names, alg);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(keymat_v1_t, get_hasher, hasher_t*,
+	private_keymat_v1_t *this)
+{
+	return this->hasher;
+}
+
+METHOD(keymat_v1_t, get_hash, bool,
+	private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
+	ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash)
+{
+	chunk_t data;
+	u_int64_t spi, spi_other;
+
+	/* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
+	 * HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
+	 */
+	if (initiator)
+	{
+		spi = ike_sa_id->get_initiator_spi(ike_sa_id);
+		spi_other = ike_sa_id->get_responder_spi(ike_sa_id);
+	}
+	else
+	{
+		spi_other = ike_sa_id->get_initiator_spi(ike_sa_id);
+		spi = ike_sa_id->get_responder_spi(ike_sa_id);
+	}
+	data = chunk_cat("cccccc", dh, dh_other,
+					 chunk_from_thing(spi), chunk_from_thing(spi_other),
+					 sa_i, id);
+
+	DBG3(DBG_IKE, "HASH_%c data %B", initiator ? 'I' : 'R', &data);
+
+	if (!this->prf_auth->allocate_bytes(this->prf_auth, data, hash))
+	{
+		free(data.ptr);
+		return FALSE;
+	}
+
+	DBG3(DBG_IKE, "HASH_%c %B", initiator ? 'I' : 'R', hash);
+
+	free(data.ptr);
+	return TRUE;
+}
+
+/**
+ * Get the nonce value found in the given message.
+ * Returns FALSE if none is found.
+ */
+static bool get_nonce(message_t *message, chunk_t *n)
+{
+	nonce_payload_t *nonce;
+	nonce = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
+	if (nonce)
+	{
+		*n = nonce->get_nonce(nonce);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Generate the message data in order to generate the hashes.
+ */
+static chunk_t get_message_data(message_t *message, generator_t *generator)
+{
+	payload_t *payload, *next;
+	enumerator_t *enumerator;
+	u_int32_t *lenpos;
+
+	if (message->is_encoded(message))
+	{	/* inbound, although the message is generated, we cannot access the
+		 * cleartext message data, so generate it anyway */
+		enumerator = message->create_payload_enumerator(message);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == HASH_V1)
+			{
+				continue;
+			}
+			generator->generate_payload(generator, payload);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		/* outbound, generate the payloads (there is no HASH payload yet) */
+		enumerator = message->create_payload_enumerator(message);
+		if (enumerator->enumerate(enumerator, &payload))
+		{
+			while (enumerator->enumerate(enumerator, &next))
+			{
+				payload->set_next_type(payload, next->get_type(next));
+				generator->generate_payload(generator, payload);
+				payload = next;
+			}
+			payload->set_next_type(payload, NO_PAYLOAD);
+			generator->generate_payload(generator, payload);
+		}
+		enumerator->destroy(enumerator);
+	}
+	return generator->get_chunk(generator, &lenpos);
+}
+
+/**
+ * Try to find data about a Quick Mode with the given message ID,
+ * if none is found, state is generated.
+ */
+static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid)
+{
+	enumerator_t *enumerator;
+	qm_data_t *qm, *found = NULL;
+
+	enumerator = this->qms->create_enumerator(this->qms);
+	while (enumerator->enumerate(enumerator, &qm))
+	{
+		if (qm->mid == mid)
+		{	/* state gets moved to the front of the list */
+			this->qms->remove_at(this->qms, enumerator);
+			found = qm;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		INIT(found,
+			.mid = mid,
+		);
+	}
+	this->qms->insert_first(this->qms, found);
+	/* remove least recently used state if maximum reached */
+	if (this->qms->get_count(this->qms) > MAX_QM &&
+		this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
+	{
+		qm_data_destroy(qm);
+	}
+	return found;
+}
+
+METHOD(keymat_v1_t, get_hash_phase2, bool,
+	private_keymat_v1_t *this, message_t *message, chunk_t *hash)
+{
+	u_int32_t mid, mid_n;
+	chunk_t data = chunk_empty;
+	bool add_message = TRUE;
+	char *name = "Hash";
+
+	if (!this->prf)
+	{	/* no keys derived yet */
+		return FALSE;
+	}
+
+	mid = message->get_message_id(message);
+	mid_n = htonl(mid);
+
+	/* Hashes are simple for most exchanges in Phase 2:
+	 *   Hash = prf(SKEYID_a, M-ID | Complete message after HASH payload)
+	 * For Quick Mode there are three hashes:
+	 *   Hash(1) = same as above
+	 *   Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH payload)
+	 *   Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
+	 * So, for Quick Mode we keep track of the nonce values.
+	 */
+	switch (message->get_exchange_type(message))
+	{
+		case QUICK_MODE:
+		{
+			qm_data_t *qm = lookup_quick_mode(this, mid);
+			if (!qm->n_i.ptr)
+			{	/* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */
+				name = "Hash(1)";
+				if (!get_nonce(message, &qm->n_i))
+				{
+					return FALSE;
+				}
+				data = chunk_from_thing(mid_n);
+			}
+			else if (!qm->n_r.ptr)
+			{	/* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */
+				name = "Hash(2)";
+				if (!get_nonce(message, &qm->n_r))
+				{
+					return FALSE;
+				}
+				data = chunk_cata("cc", chunk_from_thing(mid_n), qm->n_i);
+			}
+			else
+			{	/* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
+				name = "Hash(3)";
+				data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n),
+								  qm->n_i, qm->n_r);
+				add_message = FALSE;
+				/* we don't need the state anymore */
+				this->qms->remove(this->qms, qm, NULL);
+				qm_data_destroy(qm);
+			}
+			break;
+		}
+		case TRANSACTION:
+		case INFORMATIONAL_V1:
+			/* Hash = prf(SKEYID_a, M-ID | Message after HASH payload) */
+			data = chunk_from_thing(mid_n);
+			break;
+		default:
+			return FALSE;
+	}
+	if (!this->prf->set_key(this->prf, this->skeyid_a))
+	{
+		return FALSE;
+	}
+	if (add_message)
+	{
+		generator_t *generator;
+		chunk_t msg;
+
+		generator = generator_create_no_dbg();
+		msg = get_message_data(message, generator);
+		if (!this->prf->allocate_bytes(this->prf, data, NULL) ||
+			!this->prf->allocate_bytes(this->prf, msg, hash))
+		{
+			generator->destroy(generator);
+			return FALSE;
+		}
+		generator->destroy(generator);
+	}
+	else
+	{
+		if (!this->prf->allocate_bytes(this->prf, data, hash))
+		{
+			return FALSE;
+		}
+	}
+	DBG3(DBG_IKE, "%s %B", name, hash);
+	return TRUE;
+}
+
+/**
+ * Generate an IV
+ */
+static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv)
+{
+	if (iv->mid == 0 || iv->iv.ptr)
+	{	/* use last block of previous encrypted message */
+		chunk_free(&iv->iv);
+		iv->iv = iv->last_block;
+		iv->last_block = chunk_empty;
+	}
+	else
+	{
+		/* initial phase 2 IV = hash(last_phase1_block | mid) */
+		u_int32_t net;;
+		chunk_t data;
+
+		net = htonl(iv->mid);
+		data = chunk_cata("cc", this->phase1_iv.iv, chunk_from_thing(net));
+		if (!this->hasher->allocate_hash(this->hasher, data, &iv->iv))
+		{
+			return FALSE;
+		}
+		if (iv->iv.len > this->aead->get_block_size(this->aead))
+		{
+			iv->iv.len = this->aead->get_block_size(this->aead);
+		}
+	}
+	DBG4(DBG_IKE, "next IV for MID %u %B", iv->mid, &iv->iv);
+	return TRUE;
+}
+
+/**
+ * Try to find an IV for the given message ID, if not found, generate it.
+ */
+static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid)
+{
+	enumerator_t *enumerator;
+	iv_data_t *iv, *found = NULL;
+
+	if (mid == 0)
+	{
+		return &this->phase1_iv;
+	}
+
+	enumerator = this->ivs->create_enumerator(this->ivs);
+	while (enumerator->enumerate(enumerator, &iv))
+	{
+		if (iv->mid == mid)
+		{	/* IV gets moved to the front of the list */
+			this->ivs->remove_at(this->ivs, enumerator);
+			found = iv;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		INIT(found,
+			.mid = mid,
+		);
+		if (!generate_iv(this, found))
+		{
+			iv_data_destroy(found);
+			return NULL;
+		}
+	}
+	this->ivs->insert_first(this->ivs, found);
+	/* remove least recently used IV if maximum reached */
+	if (this->ivs->get_count(this->ivs) > MAX_IV &&
+		this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
+	{
+		iv_data_destroy(iv);
+	}
+	return found;
+}
+
+METHOD(keymat_v1_t, get_iv, bool,
+	private_keymat_v1_t *this, u_int32_t mid, chunk_t *out)
+{
+	iv_data_t *iv;
+
+	iv = lookup_iv(this, mid);
+	if (iv)
+	{
+		*out = iv->iv;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(keymat_v1_t, update_iv, bool,
+	private_keymat_v1_t *this, u_int32_t mid, chunk_t last_block)
+{
+	iv_data_t *iv = lookup_iv(this, mid);
+	if (iv)
+	{	/* update last block */
+		chunk_free(&iv->last_block);
+		iv->last_block = chunk_clone(last_block);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(keymat_v1_t, confirm_iv, bool,
+	private_keymat_v1_t *this, u_int32_t mid)
+{
+	iv_data_t *iv = lookup_iv(this, mid);
+	if (iv)
+	{
+		return generate_iv(this, iv);
+	}
+	return FALSE;
+}
+
+METHOD(keymat_t, get_version, ike_version_t,
+	private_keymat_v1_t *this)
+{
+	return IKEV1;
+}
+
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+	private_keymat_v1_t *this, diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);
+}
+
+METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
+	private_keymat_v1_t *this)
+{
+	return lib->crypto->create_nonce_gen(lib->crypto);
+}
+
+METHOD(keymat_t, get_aead, aead_t*,
+	private_keymat_v1_t *this, bool in)
+{
+	return this->aead;
+}
+
+METHOD(keymat_t, destroy, void,
+	private_keymat_v1_t *this)
+{
+	DESTROY_IF(this->prf);
+	DESTROY_IF(this->prf_auth);
+	DESTROY_IF(this->aead);
+	DESTROY_IF(this->hasher);
+	chunk_clear(&this->skeyid_d);
+	chunk_clear(&this->skeyid_a);
+	chunk_free(&this->phase1_iv.iv);
+	chunk_free(&this->phase1_iv.last_block);
+	this->ivs->destroy_function(this->ivs, (void*)iv_data_destroy);
+	this->qms->destroy_function(this->qms, (void*)qm_data_destroy);
+	free(this);
+}
+
+/**
+ * See header
+ */
+keymat_v1_t *keymat_v1_create(bool initiator)
+{
+	private_keymat_v1_t *this;
+
+	INIT(this,
+		.public = {
+			.keymat = {
+				.get_version = _get_version,
+				.create_dh = _create_dh,
+				.create_nonce_gen = _create_nonce_gen,
+				.get_aead = _get_aead,
+				.destroy = _destroy,
+			},
+			.derive_ike_keys = _derive_ike_keys,
+			.derive_child_keys = _derive_child_keys,
+			.create_hasher = _create_hasher,
+			.get_hasher = _get_hasher,
+			.get_hash = _get_hash,
+			.get_hash_phase2 = _get_hash_phase2,
+			.get_iv = _get_iv,
+			.update_iv = _update_iv,
+			.confirm_iv = _confirm_iv,
+		},
+		.ivs = linked_list_create(),
+		.qms = linked_list_create(),
+		.initiator = initiator,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h
new file mode 100644
index 000000000..cc9f3b339
--- /dev/null
+++ b/src/libcharon/sa/ikev1/keymat_v1.h
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup keymat_v1 keymat_v1
+ * @{ @ingroup ikev1
+ */
+
+#ifndef KEYMAT_V1_H_
+#define KEYMAT_V1_H_
+
+#include <sa/keymat.h>
+#include <sa/authenticator.h>
+
+typedef struct keymat_v1_t keymat_v1_t;
+
+/**
+ * Derivation and management of sensitive keying material, IKEv1 variant.
+ */
+struct keymat_v1_t {
+
+	/**
+	 * Implements keymat_t.
+	 */
+	keymat_t keymat;
+
+	/**
+	 * Derive keys for the IKE_SA.
+	 *
+	 * These keys are not handed out, but are used by the associated signers,
+	 * crypters and authentication functions.
+	 *
+	 * @param proposal		selected algorithms
+	 * @param dh			diffie hellman key allocated by create_dh()
+	 * @param dh_other		public DH value from other peer
+	 * @param nonce_i		initiators nonce value
+	 * @param nonce_r		responders nonce value
+	 * @param id			IKE_SA identifier
+	 * @param auth			authentication method
+	 * @param shared_key	PSK in case of AUTH_CLASS_PSK, NULL otherwise
+	 * @return				TRUE on success
+	 */
+	bool (*derive_ike_keys)(keymat_v1_t *this, proposal_t *proposal,
+							diffie_hellman_t *dh, chunk_t dh_other,
+							chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+							auth_method_t auth, shared_key_t *shared_key);
+
+	/**
+	 * Derive keys for the CHILD_SA.
+	 *
+	 * @param proposal		selected algorithms
+	 * @param dh			diffie hellman key, NULL if none used
+	 * @param spi_i			SPI chosen by initiatior
+	 * @param spi_r			SPI chosen by responder
+	 * @param nonce_i		quick mode initiator nonce
+	 * @param nonce_r		quick mode responder nonce
+	 * @param encr_i		allocated initiators encryption key
+	 * @param integ_i		allocated initiators integrity key
+	 * @param encr_r		allocated responders encryption key
+	 * @param integ_r		allocated responders integrity key
+	 */
+	bool (*derive_child_keys)(keymat_v1_t *this, proposal_t *proposal,
+						diffie_hellman_t *dh, u_int32_t spi_i, u_int32_t spi_r,
+						chunk_t nonce_i, chunk_t nonce_r,
+						chunk_t *encr_i, chunk_t *integ_i,
+						chunk_t *encr_r, chunk_t *integ_r);
+
+	/**
+	 * Create the negotiated hasher.
+	 *
+	 * @param proposal		selected algorithms
+	 * @return				TRUE, if creation was successful
+	 */
+	bool (*create_hasher)(keymat_v1_t *this, proposal_t *proposal);
+
+	/**
+	 * Get the negotiated hasher.
+	 *
+	 * @return				allocated hasher or NULL
+	 */
+	hasher_t *(*get_hasher)(keymat_v1_t *this);
+
+	/**
+	 * Get HASH data for authentication.
+	 *
+	 * @param initiatior	TRUE to create HASH_I, FALSE for HASH_R
+	 * @param dh			public DH value of peer to create HASH for
+	 * @param dh_other		others public DH value
+	 * @param ike_sa_id		IKE_SA identifier
+	 * @param sa_i			encoded SA payload of initiator
+	 * @param id			encoded IDii payload for HASH_I (IDir for HASH_R)
+	 * @param hash			chunk receiving allocated HASH data
+	 * @return				TRUE if hash allocated successfully
+	 */
+	bool (*get_hash)(keymat_v1_t *this, bool initiator,
+						chunk_t dh, chunk_t dh_other, ike_sa_id_t *ike_sa_id,
+						chunk_t sa_i, chunk_t id, chunk_t *hash);
+
+	/**
+	 * Get HASH data for integrity/authentication in Phase 2 exchanges.
+	 *
+	 * @param message		message to generate the HASH data for
+	 * @param hash			chunk receiving allocated hash data
+	 * @return				TRUE if hash allocated successfully
+	 */
+	bool (*get_hash_phase2)(keymat_v1_t *this, message_t *message, chunk_t *hash);
+
+	/**
+	 * Returns the IV for a message with the given message ID.
+	 *
+	 * The return chunk contains internal data and is valid until the next
+	 * get_iv/udpate_iv/confirm_iv call.
+	 *
+	 * @param mid			message ID
+	 * @param iv			chunk receiving IV, internal data
+	 * @return				TRUE if IV allocated successfully
+	 */
+	bool (*get_iv)(keymat_v1_t *this, u_int32_t mid, chunk_t *iv);
+
+	/**
+	 * Updates the IV for the next message with the given message ID.
+	 *
+	 * A call of confirm_iv() is required in order to actually make the IV
+	 * available.  This is needed for the inbound case where we store the last
+	 * block of the encrypted message but want to update the IV only after
+	 * verification of the decrypted message.
+	 *
+	 * @param mid			message ID
+	 * @param last_block	last block of encrypted message (gets cloned)
+	 * @return				TRUE if IV updated successfully
+	 */
+	bool (*update_iv)(keymat_v1_t *this, u_int32_t mid, chunk_t last_block);
+
+	/**
+	 * Confirms the updated IV for the given message ID.
+	 *
+	 * To actually make the new IV available via get_iv this method has to
+	 * be called after update_iv.
+	 *
+	 * @param mid			message ID
+	 * @return				TRUE if IV confirmed successfully
+	 */
+	bool (*confirm_iv)(keymat_v1_t *this, u_int32_t mid);
+};
+
+/**
+ * Create a keymat instance.
+ *
+ * @param initiator			TRUE if we are the initiator
+ * @return					keymat instance
+ */
+keymat_v1_t *keymat_v1_create(bool initiator);
+
+#endif /** KEYMAT_V1_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
new file mode 100644
index 000000000..1189d3c69
--- /dev/null
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -0,0 +1,795 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "phase1.h"
+
+#include <daemon.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <collections/linked_list.h>
+
+typedef struct private_phase1_t private_phase1_t;
+
+/**
+ * Private data of an phase1_t object.
+ */
+struct private_phase1_t {
+
+	/**
+	 * Public phase1_t interface.
+	 */
+	phase1_t public;
+
+	/**
+	 * IKE_SA we negotiate
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Currently selected peer config
+	 */
+	peer_cfg_t *peer_cfg;
+
+	/**
+	 * Other possible peer config candidates
+	 */
+	linked_list_t *candidates;
+
+	/**
+	 * Acting as initiator
+	 */
+	bool initiator;
+
+	/**
+	 * Extracted SA payload bytes
+	 */
+	chunk_t sa_payload;
+
+	/**
+	 * DH exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * Keymat derivation (from SA)
+	 */
+	keymat_v1_t *keymat;
+
+	/**
+	 * Received public DH value from peer
+	 */
+	chunk_t dh_value;
+
+	/**
+	 * Initiators nonce
+	 */
+	chunk_t nonce_i;
+
+	/**
+	 * Responder nonce
+	 */
+	chunk_t nonce_r;
+};
+
+/**
+ * Get the first authentcation config from peer config
+ */
+static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *cfg = NULL;
+
+	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
+	enumerator->enumerate(enumerator, &cfg);
+	enumerator->destroy(enumerator);
+	return cfg;
+}
+
+/**
+ * Lookup a shared secret for this IKE_SA
+ */
+static shared_key_t *lookup_shared_key(private_phase1_t *this,
+									   peer_cfg_t *peer_cfg)
+{
+	host_t *me, *other;
+	identification_t *my_id, *other_id;
+	shared_key_t *shared_key = NULL;
+	auth_cfg_t *my_auth, *other_auth;
+	enumerator_t *enumerator;
+
+	/* try to get a PSK for IP addresses */
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+	my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
+	other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
+	if (my_id && other_id)
+	{
+		shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
+											  my_id, other_id);
+	}
+	DESTROY_IF(my_id);
+	DESTROY_IF(other_id);
+	if (shared_key)
+	{
+		return shared_key;
+	}
+
+	if (peer_cfg)
+	{	/* as initiator or aggressive responder, use identities */
+		my_auth = get_auth_cfg(peer_cfg, TRUE);
+		other_auth = get_auth_cfg(peer_cfg, FALSE);
+		if (my_auth && other_auth)
+		{
+			my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
+			if (peer_cfg->use_aggressive(peer_cfg))
+			{
+				other_id = this->ike_sa->get_other_id(this->ike_sa);
+			}
+			else
+			{
+				other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
+			}
+			if (my_id && other_id)
+			{
+				shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
+													  my_id, other_id);
+				if (!shared_key)
+				{
+					DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
+						 my_id, me, other_id, other);
+				}
+			}
+		}
+		return shared_key;
+	}
+	/* as responder, we try to find a config by IP */
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+												me, other, NULL, NULL, IKEV1);
+	while (enumerator->enumerate(enumerator, &peer_cfg))
+	{
+		my_auth = get_auth_cfg(peer_cfg, TRUE);
+		other_auth = get_auth_cfg(peer_cfg, FALSE);
+		if (my_auth && other_auth)
+		{
+			my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
+			other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
+			if (my_id)
+			{
+				shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
+													  my_id, other_id);
+				if (shared_key)
+				{
+					break;
+				}
+				else
+				{
+					DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
+						 my_id, me, other_id, other);
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!shared_key)
+	{
+		DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
+	}
+	return shared_key;
+}
+
+METHOD(phase1_t, create_hasher, bool,
+	private_phase1_t *this)
+{
+	return this->keymat->create_hasher(this->keymat,
+							this->ike_sa->get_proposal(this->ike_sa));
+}
+
+METHOD(phase1_t, create_dh, bool,
+	private_phase1_t *this, diffie_hellman_group_t group)
+{
+	this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, group);
+	return this->dh != NULL;
+}
+
+METHOD(phase1_t, derive_keys, bool,
+	private_phase1_t *this, peer_cfg_t *peer_cfg, auth_method_t method)
+{
+	shared_key_t *shared_key = NULL;
+
+	switch (method)
+	{
+		case AUTH_PSK:
+		case AUTH_XAUTH_INIT_PSK:
+		case AUTH_XAUTH_RESP_PSK:
+			shared_key = lookup_shared_key(this, peer_cfg);
+			if (!shared_key)
+			{
+				return FALSE;
+			}
+			break;
+		default:
+			break;
+	}
+
+	if (!this->keymat->derive_ike_keys(this->keymat,
+						this->ike_sa->get_proposal(this->ike_sa),
+						this->dh, this->dh_value, this->nonce_i, this->nonce_r,
+						this->ike_sa->get_id(this->ike_sa), method, shared_key))
+	{
+		DESTROY_IF(shared_key);
+		DBG1(DBG_IKE, "key derivation for %N failed", auth_method_names, method);
+		return FALSE;
+	}
+	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
+						  this->nonce_i, this->nonce_r, NULL, shared_key);
+	DESTROY_IF(shared_key);
+	return TRUE;
+}
+
+/**
+ * Check if a peer skipped authentication by using Hybrid authentication
+ */
+static bool skipped_auth(private_phase1_t *this,
+						 auth_method_t method, bool local)
+{
+	bool initiator;
+
+	initiator = local == this->initiator;
+	if (initiator && method == AUTH_HYBRID_INIT_RSA)
+	{
+		return TRUE;
+	}
+	if (!initiator && method == AUTH_HYBRID_RESP_RSA)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Check if remote authentication constraints fulfilled
+ */
+static bool check_constraints(private_phase1_t *this, auth_method_t method)
+{
+	identification_t *id;
+	auth_cfg_t *auth, *cfg;
+	peer_cfg_t *peer_cfg;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	/* auth identity to comply */
+	id = this->ike_sa->get_other_id(this->ike_sa);
+	auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
+	if (skipped_auth(this, method, FALSE))
+	{
+		return TRUE;
+	}
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	cfg = get_auth_cfg(peer_cfg, FALSE);
+	return cfg && auth->complies(auth, cfg, TRUE);
+}
+
+/**
+ * Save authentication information after authentication succeeded
+ */
+static void save_auth_cfg(private_phase1_t *this,
+						  auth_method_t method, bool local)
+{
+	auth_cfg_t *auth;
+
+	if (skipped_auth(this, method, local))
+	{
+		return;
+	}
+	auth = auth_cfg_create();
+	/* for local config, we _copy_ entires from the config, as it contains
+	 * certificates we must send later. */
+	auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
+	this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
+}
+
+/**
+ * Create an authenticator instance
+ */
+static authenticator_t* create_authenticator(private_phase1_t *this,
+											 auth_method_t method, chunk_t id)
+{
+	authenticator_t *authenticator;
+
+	authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
+						method, this->dh, this->dh_value, this->sa_payload, id);
+	if (!authenticator)
+	{
+		DBG1(DBG_IKE, "negotiated authentication method %N not supported",
+			 auth_method_names, method);
+	}
+	return authenticator;
+}
+
+METHOD(phase1_t, verify_auth, bool,
+	private_phase1_t *this, auth_method_t method, message_t *message,
+	chunk_t id_data)
+{
+	authenticator_t *authenticator;
+	status_t status;
+
+	authenticator = create_authenticator(this, method, id_data);
+	if (authenticator)
+	{
+		status = authenticator->process(authenticator, message);
+		authenticator->destroy(authenticator);
+		if (status == SUCCESS && check_constraints(this, method))
+		{
+			save_auth_cfg(this, method, FALSE);
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(phase1_t, build_auth, bool,
+	private_phase1_t *this, auth_method_t method, message_t *message,
+	chunk_t id_data)
+{
+	authenticator_t *authenticator;
+	status_t status;
+
+	authenticator = create_authenticator(this, method, id_data);
+	if (authenticator)
+	{
+		status = authenticator->build(authenticator, message);
+		authenticator->destroy(authenticator);
+		if (status == SUCCESS)
+		{
+			save_auth_cfg(this, method, TRUE);
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Get the two auth classes from local or remote config
+ */
+static void get_auth_class(peer_cfg_t *peer_cfg, bool local,
+						   auth_class_t *c1, auth_class_t *c2)
+{
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+
+	*c1 = *c2 = AUTH_CLASS_ANY;
+
+	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
+	while (enumerator->enumerate(enumerator, &auth))
+	{
+		if (*c1 == AUTH_CLASS_ANY)
+		{
+			*c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+		}
+		else
+		{
+			*c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Select an auth method to use by checking what key we have
+ */
+static auth_method_t get_pubkey_method(private_phase1_t *this, auth_cfg_t *auth)
+{
+	auth_method_t method = AUTH_NONE;
+	identification_t *id;
+	private_key_t *private;
+
+	if (auth)
+	{
+		id = (identification_t*)auth->get(auth, AUTH_RULE_IDENTITY);
+		if (id)
+		{
+			private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, NULL);
+			if (private)
+			{
+				switch (private->get_type(private))
+				{
+					case KEY_RSA:
+						method = AUTH_RSA;
+						break;
+					case KEY_ECDSA:
+						switch (private->get_keysize(private))
+						{
+							case 256:
+								method = AUTH_ECDSA_256;
+								break;
+							case 384:
+								method = AUTH_ECDSA_384;
+								break;
+							case 521:
+								method = AUTH_ECDSA_521;
+								break;
+							default:
+								DBG1(DBG_IKE, "%d bit ECDSA private key size not "
+									 "supported", private->get_keysize(private));
+								break;
+						}
+						break;
+					default:
+						DBG1(DBG_IKE, "private key of type %N not supported",
+							 key_type_names, private->get_type(private));
+						break;
+				}
+				private->destroy(private);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "no private key found for '%Y'", id);
+			}
+		}
+	}
+	return method;
+}
+
+/**
+ * Calculate authentication method from a peer config
+ */
+static auth_method_t calc_auth_method(private_phase1_t *this,
+									  peer_cfg_t *peer_cfg)
+{
+	auth_class_t i1, i2, r1, r2;
+
+	get_auth_class(peer_cfg, this->initiator, &i1, &i2);
+	get_auth_class(peer_cfg, !this->initiator, &r1, &r2);
+
+	if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY)
+	{
+		if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
+		{
+			/* for any pubkey method, return RSA */
+			return AUTH_RSA;
+		}
+		if (i2 == AUTH_CLASS_XAUTH)
+		{
+			return AUTH_XAUTH_INIT_RSA;
+		}
+		if (r2 == AUTH_CLASS_XAUTH)
+		{
+			return AUTH_XAUTH_RESP_RSA;
+		}
+	}
+	if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK)
+	{
+		if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
+		{
+			return AUTH_PSK;
+		}
+		if (i2 == AUTH_CLASS_XAUTH)
+		{
+			return AUTH_XAUTH_INIT_PSK;
+		}
+		if (r2 == AUTH_CLASS_XAUTH)
+		{
+			return AUTH_XAUTH_RESP_PSK;
+		}
+	}
+	if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY &&
+		i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
+	{
+		return AUTH_HYBRID_INIT_RSA;
+	}
+	return AUTH_NONE;
+}
+
+METHOD(phase1_t, get_auth_method, auth_method_t,
+	private_phase1_t *this, peer_cfg_t *peer_cfg)
+{
+	auth_method_t method;
+
+	method = calc_auth_method(this, peer_cfg);
+	if (method == AUTH_RSA)
+	{
+		return get_pubkey_method(this, get_auth_cfg(peer_cfg, TRUE));
+	}
+	return method;
+}
+
+/**
+ * Check if a peer config can be used with a given auth method
+ */
+static bool check_auth_method(private_phase1_t *this, peer_cfg_t *peer_cfg,
+							  auth_method_t given)
+{
+	auth_method_t method;
+
+	method = calc_auth_method(this, peer_cfg);
+	switch (given)
+	{
+		case AUTH_ECDSA_256:
+		case AUTH_ECDSA_384:
+		case AUTH_ECDSA_521:
+			return method == AUTH_RSA;
+		default:
+			return method == given;
+	}
+}
+
+METHOD(phase1_t, select_config, peer_cfg_t*,
+	private_phase1_t *this, auth_method_t method, bool aggressive,
+	identification_t *id)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *current;
+	host_t *me, *other;
+
+	if (this->peer_cfg)
+	{	/* try to find an alternative config */
+		if (this->candidates->remove_first(this->candidates,
+										  (void**)&current) != SUCCESS)
+		{
+			DBG1(DBG_CFG, "no alternative config found");
+			return NULL;
+		}
+		DBG1(DBG_CFG, "switching to peer config '%s'",
+			 current->get_name(current));
+		return current;
+	}
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+	DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]",
+		 auth_method_names, method, me, other, id);
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+													me, other, NULL, id, IKEV1);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (check_auth_method(this, current, method) &&
+			current->use_aggressive(current) == aggressive)
+		{
+			current->get_ref(current);
+			if (!this->peer_cfg)
+			{
+				this->peer_cfg = current;
+			}
+			else
+			{
+				this->candidates->insert_last(this->candidates, current);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->peer_cfg)
+	{
+		DBG1(DBG_CFG, "selected peer config \"%s\"",
+			 this->peer_cfg->get_name(this->peer_cfg));
+		return this->peer_cfg->get_ref(this->peer_cfg);
+	}
+	DBG1(DBG_IKE, "no peer config found");
+	return NULL;
+}
+
+METHOD(phase1_t, get_id, identification_t*,
+	private_phase1_t *this, peer_cfg_t *peer_cfg, bool local)
+{
+	identification_t *id = NULL;
+	auth_cfg_t *auth;
+
+	auth = get_auth_cfg(peer_cfg, local);
+	if (auth)
+	{
+		id = auth->get(auth, AUTH_RULE_IDENTITY);
+		if (local && (!id || id->get_type(id) == ID_ANY))
+		{	/* no ID configured, use local IP address */
+			host_t *me;
+
+			me = this->ike_sa->get_my_host(this->ike_sa);
+			if (!me->is_anyaddr(me))
+			{
+				id = identification_create_from_sockaddr(me->get_sockaddr(me));
+				auth->add(auth, AUTH_RULE_IDENTITY, id);
+			}
+		}
+	}
+	return id;
+}
+
+METHOD(phase1_t, has_virtual_ip, bool,
+	private_phase1_t *this, peer_cfg_t *peer_cfg)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	host_t *host;
+
+	enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
+	found = enumerator->enumerate(enumerator, &host);
+	enumerator->destroy(enumerator);
+
+	return found;
+}
+
+METHOD(phase1_t, has_pool, bool,
+	private_phase1_t *this, peer_cfg_t *peer_cfg)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	char *pool;
+
+	enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+	found = enumerator->enumerate(enumerator, &pool);
+	enumerator->destroy(enumerator);
+
+	return found;
+}
+
+METHOD(phase1_t, save_sa_payload, bool,
+	private_phase1_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload, *sa = NULL;
+	chunk_t data;
+	size_t offset = IKE_HEADER_LENGTH;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
+		{
+			sa = payload;
+			break;
+		}
+		else
+		{
+			offset += payload->get_length(payload);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	data = message->get_packet_data(message);
+	if (sa && data.len >= offset + sa->get_length(sa))
+	{
+		/* Get SA payload without 4 byte fixed header */
+		data = chunk_skip(data, offset);
+		data.len = sa->get_length(sa);
+		data = chunk_skip(data, 4);
+		this->sa_payload = chunk_clone(data);
+		return TRUE;
+	}
+	DBG1(DBG_IKE, "unable to extract SA payload encoding");
+	return FALSE;
+}
+
+METHOD(phase1_t, add_nonce_ke, bool,
+	private_phase1_t *this, message_t *message)
+{
+	nonce_payload_t *nonce_payload;
+	ke_payload_t *ke_payload;
+	nonce_gen_t *nonceg;
+	chunk_t nonce;
+
+	ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1, this->dh);
+	message->add_payload(message, &ke_payload->payload_interface);
+
+	nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+	if (!nonceg)
+	{
+		DBG1(DBG_IKE, "no nonce generator found to create nonce");
+		return FALSE;
+	}
+	if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &nonce))
+	{
+		DBG1(DBG_IKE, "nonce allocation failed");
+		nonceg->destroy(nonceg);
+		return FALSE;
+	}
+	nonceg->destroy(nonceg);
+
+	nonce_payload = nonce_payload_create(NONCE_V1);
+	nonce_payload->set_nonce(nonce_payload, nonce);
+	message->add_payload(message, &nonce_payload->payload_interface);
+
+	if (this->initiator)
+	{
+		this->nonce_i = nonce;
+	}
+	else
+	{
+		this->nonce_r = nonce;
+	}
+	return TRUE;
+}
+
+METHOD(phase1_t, get_nonce_ke, bool,
+	private_phase1_t *this, message_t *message)
+{
+	nonce_payload_t *nonce_payload;
+	ke_payload_t *ke_payload;
+
+	ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
+	if (!ke_payload)
+	{
+		DBG1(DBG_IKE, "KE payload missing in message");
+		return FALSE;
+	}
+	this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
+	this->dh->set_other_public_value(this->dh, this->dh_value);
+
+	nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
+	if (!nonce_payload)
+	{
+		DBG1(DBG_IKE, "NONCE payload missing in message");
+		return FALSE;
+	}
+
+	if (this->initiator)
+	{
+		this->nonce_r = nonce_payload->get_nonce(nonce_payload);
+	}
+	else
+	{
+		this->nonce_i = nonce_payload->get_nonce(nonce_payload);
+	}
+	return TRUE;
+}
+
+METHOD(phase1_t, destroy, void,
+	private_phase1_t *this)
+{
+	DESTROY_IF(this->peer_cfg);
+	this->candidates->destroy_offset(this->candidates,
+									 offsetof(peer_cfg_t, destroy));
+	chunk_free(&this->sa_payload);
+	DESTROY_IF(this->dh);
+	free(this->dh_value.ptr);
+	free(this->nonce_i.ptr);
+	free(this->nonce_r.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+phase1_t *phase1_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_phase1_t *this;
+
+	INIT(this,
+		.public = {
+			.create_hasher = _create_hasher,
+			.create_dh = _create_dh,
+			.derive_keys = _derive_keys,
+			.get_auth_method = _get_auth_method,
+			.get_id = _get_id,
+			.select_config = _select_config,
+			.has_virtual_ip = _has_virtual_ip,
+			.has_pool = _has_pool,
+			.verify_auth = _verify_auth,
+			.build_auth = _build_auth,
+			.save_sa_payload = _save_sa_payload,
+			.add_nonce_ke = _add_nonce_ke,
+			.get_nonce_ke = _get_nonce_ke,
+			.destroy = _destroy,
+		},
+		.candidates = linked_list_create(),
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+		.keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/phase1.h b/src/libcharon/sa/ikev1/phase1.h
new file mode 100644
index 000000000..eaf8908e7
--- /dev/null
+++ b/src/libcharon/sa/ikev1/phase1.h
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup phase1 phase1
+ * @{ @ingroup ikev1
+ */
+
+#ifndef PHASE1_H_
+#define PHASE1_H_
+
+typedef struct phase1_t phase1_t;
+
+#include <sa/ike_sa.h>
+#include <crypto/diffie_hellman.h>
+
+/**
+ * Common phase 1 helper for main and aggressive mode.
+ */
+struct phase1_t {
+
+	/**
+	 * Create keymat hasher.
+	 *
+	 * @return				TRUE if hasher created
+	 */
+	bool (*create_hasher)(phase1_t *this);
+
+	/**
+	 * Create DH object using SA keymat.
+	 *
+	 * @param group			negotiated DH group
+	 * @return				TRUE if group supported
+	 */
+	bool (*create_dh)(phase1_t *this, diffie_hellman_group_t group);
+
+	/**
+	 * Derive key material.
+	 *
+	 * @param peer_cfg		peer config to look up shared key for, or NULL
+	 * @param method		negotiated authenticated method
+	 * @return				TRUE if successful
+	 */
+	bool (*derive_keys)(phase1_t *this, peer_cfg_t *peer_cfg,
+						auth_method_t method);
+	/**
+	 * Verify a HASH or SIG payload in message.
+	 *
+	 * @param method		negotiated auth method
+	 * @param message		message containing HASH or SIG payload
+	 * @param id_data		encoded identity, including protocol/port fields
+	 * @return				TRUE if verified successfully
+	 */
+	bool (*verify_auth)(phase1_t *this, auth_method_t method,
+						message_t *message, chunk_t id_data);
+
+	/**
+	 * Build a HASH or SIG payload and add it to message.
+	 *
+	 * @param method		negotiated auth method
+	 * @param message		message to add payload to
+	 * @param id_data		encoded identity, including protocol/port fields
+	 * @return				TRUE if built successfully
+	 */
+	bool (*build_auth)(phase1_t *this, auth_method_t method,
+					   message_t *message, chunk_t id_data);
+
+	/**
+	 * Get the IKEv1 authentication method defined by peer config.
+	 *
+	 * @param peer_cfg		peer config to get auth method from
+	 * @return				auth method, or AUTH_NONE
+	 */
+	auth_method_t (*get_auth_method)(phase1_t *this, peer_cfg_t *peer_cfg);
+
+	/**
+	 * Select a peer config as responder.
+	 *
+	 * If called after the first successful call the next alternative config
+	 * is returned, if any.
+	 *
+	 * @param method		used authentication method
+	 * @param aggressive	TRUE to get an aggressive mode config
+	 * @param id			initiator identity
+	 * @return				selected peer config, NULL if none found
+	 */
+	peer_cfg_t* (*select_config)(phase1_t *this, auth_method_t method,
+								 bool aggressive, identification_t *id);
+
+	/**
+	 * Get configured identity from peer config.
+	 *
+	 * @param peer_cfg		peer config to get identity from
+	 * @param local			TRUE to get own identity, FALSE for remote
+	 * @return				identity, pointing to internal config data
+	 */
+	identification_t* (*get_id)(phase1_t *this, peer_cfg_t *peer_cfg, bool local);
+
+	/**
+	 * Check if peer config has virtual IPs pool assigned.
+	 *
+	 * @param peer_cfg		peer_config to check
+	 * @return				TRUE if peer config contains at least one pool
+	 */
+	bool (*has_pool)(phase1_t *this, peer_cfg_t *peer_cfg);
+
+	/**
+	 * Check if peer config has virtual IPs to request
+	 *
+	 * @param peer_cfg		peer_config to check
+	 * @return				TRUE if peer config contains at least one virtual IP
+	 */
+	bool (*has_virtual_ip)(phase1_t *this, peer_cfg_t *peer_cfg);
+
+	/**
+	 * Extract and store SA payload bytes from encoded message.
+	 *
+	 * @param message		message to extract SA payload bytes from
+	 * @return				TRUE if SA payload found
+	 */
+	bool (*save_sa_payload)(phase1_t *this, message_t *message);
+
+	/**
+	 * Add Nonce and KE payload to message.
+	 *
+	 * @param message		message to add payloads
+	 * @return				TRUE if payloads added successfully
+	 */
+	bool (*add_nonce_ke)(phase1_t *this, message_t *message);
+
+	/**
+	 * Extract Nonce and KE payload from message.
+	 *
+	 * @param message		message to get payloads from
+	 * @return				TRUE if payloads extracted successfully
+	 */
+	bool (*get_nonce_ke)(phase1_t *this, message_t *message);
+
+	/**
+	 * Destroy a phase1_t.
+	 */
+	void (*destroy)(phase1_t *this);
+};
+
+/**
+ * Create a phase1 instance.
+ *
+ * @param ike_sa		IKE_SA to set up
+ * @param initiator		TRUE if initiating actively
+ * @return				Phase 1 helper
+ */
+phase1_t *phase1_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** PHASE1_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
new file mode 100644
index 000000000..857cb027e
--- /dev/null
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -0,0 +1,2099 @@
+/*
+ * Copyright (C) 2007-2013 Tobias Brunner
+ * Copyright (C) 2007-2011 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "task_manager_v1.h"
+
+#include <math.h>
+
+#include <daemon.h>
+#include <sa/ikev1/tasks/main_mode.h>
+#include <sa/ikev1/tasks/aggressive_mode.h>
+#include <sa/ikev1/tasks/quick_mode.h>
+#include <sa/ikev1/tasks/quick_delete.h>
+#include <sa/ikev1/tasks/xauth.h>
+#include <sa/ikev1/tasks/mode_config.h>
+#include <sa/ikev1/tasks/informational.h>
+#include <sa/ikev1/tasks/isakmp_natd.h>
+#include <sa/ikev1/tasks/isakmp_vendor.h>
+#include <sa/ikev1/tasks/isakmp_cert_pre.h>
+#include <sa/ikev1/tasks/isakmp_cert_post.h>
+#include <sa/ikev1/tasks/isakmp_delete.h>
+#include <sa/ikev1/tasks/isakmp_dpd.h>
+
+#include <processing/jobs/retransmit_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/dpd_timeout_job.h>
+#include <processing/jobs/process_message_job.h>
+
+#include <encoding/payloads/fragment_payload.h>
+#include <bio/bio_writer.h>
+
+/**
+ * Number of old messages hashes we keep for retransmission.
+ *
+ * In Main Mode, we must ignore messages from a previous message pair if
+ * we already continued to the next. Otherwise a late retransmission
+ * could be considered as a reply to the newer request.
+ */
+#define MAX_OLD_HASHES 2
+
+/**
+ * Maximum packet size for fragmented packets (same as in sockets)
+ */
+#define MAX_PACKET 10000
+
+/**
+ * Maximum size of fragment data when sending packets (currently the same is
+ * used for IPv4 and IPv6, even though the latter has a higher minimum datagram
+ * size).  576 (= min. IPv4) - 20 (= IP header) - 8 (= UDP header) -
+ *  - 28 (= IKE header) - 8 (= fragment header) = 512
+ * This is reduced by 4 in case of NAT-T (due to the non-ESP marker).
+ */
+#define MAX_FRAGMENT_SIZE 512
+
+/**
+ * First sequence number of responding packets.
+ *
+ * To distinguish retransmission jobs for initiating and responding packets,
+ * we split up the sequence counter and use the upper half for responding.
+ */
+#define RESPONDING_SEQ INT_MAX
+
+typedef struct exchange_t exchange_t;
+
+/**
+ * An exchange in the air, used do detect and handle retransmission
+ */
+struct exchange_t {
+
+	/**
+	 * Message ID used for this transaction
+	 */
+	u_int32_t mid;
+
+	/**
+	 * generated packet for retransmission
+	 */
+	packet_t *packet;
+};
+
+typedef struct private_task_manager_t private_task_manager_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_task_manager_t {
+
+	/**
+	 * public functions
+	 */
+	task_manager_v1_t public;
+
+	/**
+	 * associated IKE_SA we are serving
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * RNG to create message IDs
+	 */
+	rng_t *rng;
+
+	/**
+	 * Exchange we are currently handling as responder
+	 */
+	struct {
+		/**
+		 * Message ID of the last response
+		 */
+		u_int32_t mid;
+
+		/**
+		 * Hash of a previously received message
+		 */
+		u_int32_t hash;
+
+		/**
+		 * packet for retransmission
+		 */
+		packet_t *packet;
+
+		/**
+		 * Sequence number of the last sent message
+		 */
+		u_int32_t seqnr;
+
+		/**
+		 * how many times we have retransmitted so far
+		 */
+		u_int retransmitted;
+
+	} responding;
+
+	/**
+	 * Exchange we are currently handling as initiator
+	 */
+	struct {
+		/**
+		 * Message ID of the exchange
+		 */
+		u_int32_t mid;
+
+		/**
+		 * Hashes of old responses we can ignore
+		 */
+		u_int32_t old_hashes[MAX_OLD_HASHES];
+
+		/**
+		 * Position in old hash array
+		 */
+		int old_hash_pos;
+
+		/**
+		 * Sequence number of the last sent message
+		 */
+		u_int32_t seqnr;
+
+		/**
+		 * how many times we have retransmitted so far
+		 */
+		u_int retransmitted;
+
+		/**
+		 * packet for retransmission
+		 */
+		packet_t *packet;
+
+		/**
+		 * type of the initiated exchange
+		 */
+		exchange_type_t type;
+
+	} initiating;
+
+	/**
+	 * Data used to reassemble a fragmented message
+	 */
+	struct {
+
+		/**
+		 * Fragment ID (currently only one is supported at a time)
+		 */
+		u_int16_t id;
+
+		/**
+		 * The number of the last fragment (in case we receive the fragments out
+		 * of order), since the first starts with 1 this defines the number of
+		 * fragments we expect
+		 */
+		u_int8_t last;
+
+		/**
+		 * List of fragments (fragment_t*)
+		 */
+		linked_list_t *list;
+
+		/**
+		 * Length of all currently received fragments
+		 */
+		size_t len;
+
+		/**
+		 * Maximum length of a fragmented packet
+		 */
+		size_t max_packet;
+
+		/**
+		 * Maximum length of a single fragment (when sending)
+		 */
+		size_t size;
+
+		/**
+		 * The exchange type we use for fragments. Always the initial type even
+		 * for fragmented quick mode or transaction messages (i.e. either
+		 * ID_PROT or AGGRESSIVE)
+		 */
+		exchange_type_t exchange;
+
+	} frag;
+
+	/**
+	 * List of queued tasks not yet in action
+	 */
+	linked_list_t *queued_tasks;
+
+	/**
+	 * List of active tasks, initiated by ourselves
+	 */
+	linked_list_t *active_tasks;
+
+	/**
+	 * List of tasks initiated by peer
+	 */
+	linked_list_t *passive_tasks;
+
+	/**
+	 * Queued messages not yet ready to process
+	 */
+	message_t *queued;
+
+	/**
+	 * Number of times we retransmit messages before giving up
+	 */
+	u_int retransmit_tries;
+
+	/**
+	 * Retransmission timeout
+	 */
+	double retransmit_timeout;
+
+	/**
+	 * Base to calculate retransmission timeout
+	 */
+	double retransmit_base;
+
+	/**
+	 * Sequence number for sending DPD requests
+	 */
+	u_int32_t dpd_send;
+
+	/**
+	 * Sequence number for received DPD requests
+	 */
+	u_int32_t dpd_recv;
+};
+
+/**
+ * A single fragment within a fragmented message
+ */
+typedef struct {
+
+	/** fragment number */
+	u_int8_t num;
+
+	/** fragment data */
+	chunk_t data;
+
+} fragment_t;
+
+static void fragment_destroy(fragment_t *this)
+{
+	chunk_free(&this->data);
+	free(this);
+}
+
+static void clear_fragments(private_task_manager_t *this, u_int16_t id)
+{
+	DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
+	this->frag.list = NULL;
+	this->frag.last = 0;
+	this->frag.len = 0;
+	this->frag.id = id;
+}
+
+METHOD(task_manager_t, flush_queue, void,
+	private_task_manager_t *this, task_queue_t queue)
+{
+	linked_list_t *list;
+	task_t *task;
+
+	if (this->queued)
+	{
+		this->queued->destroy(this->queued);
+		this->queued = NULL;
+	}
+	switch (queue)
+	{
+		case TASK_QUEUE_ACTIVE:
+			list = this->active_tasks;
+			/* cancel pending retransmits */
+			this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+			DESTROY_IF(this->initiating.packet);
+			this->initiating.packet = NULL;
+			break;
+		case TASK_QUEUE_PASSIVE:
+			list = this->passive_tasks;
+			break;
+		case TASK_QUEUE_QUEUED:
+			list = this->queued_tasks;
+			break;
+		default:
+			return;
+	}
+	while (list->remove_last(list, (void**)&task) == SUCCESS)
+	{
+		task->destroy(task);
+	}
+}
+
+/**
+ * flush all tasks in the task manager
+ */
+static void flush(private_task_manager_t *this)
+{
+	flush_queue(this, TASK_QUEUE_QUEUED);
+	flush_queue(this, TASK_QUEUE_PASSIVE);
+	flush_queue(this, TASK_QUEUE_ACTIVE);
+}
+
+/**
+ * move a task of a specific type from the queue to the active list
+ */
+static bool activate_task(private_task_manager_t *this, task_type_t type)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	bool found = FALSE;
+
+	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, (void**)&task))
+	{
+		if (task->get_type(task) == type)
+		{
+			DBG2(DBG_IKE, "  activating %N task", task_type_names, type);
+			this->queued_tasks->remove_at(this->queued_tasks, enumerator);
+			this->active_tasks->insert_last(this->active_tasks, task);
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Send a single fragment with the given data
+ */
+static bool send_fragment(private_task_manager_t *this, bool request,
+					host_t *src, host_t *dst, fragment_payload_t *fragment)
+{
+	message_t *message;
+	packet_t *packet;
+	status_t status;
+
+	message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
+	/* other implementations seem to just use 0 as message ID, so here we go */
+	message->set_message_id(message, 0);
+	message->set_request(message, request);
+	message->set_source(message, src->clone(src));
+	message->set_destination(message, dst->clone(dst));
+	message->set_exchange_type(message, this->frag.exchange);
+	message->add_payload(message, (payload_t*)fragment);
+
+	status = this->ike_sa->generate_message(this->ike_sa, message, &packet);
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "failed to generate IKE fragment");
+		message->destroy(message);
+		return FALSE;
+	}
+	charon->sender->send(charon->sender, packet);
+	message->destroy(message);
+	return TRUE;
+}
+
+/**
+ * Send a packet, if supported and required do so in fragments
+ */
+static bool send_packet(private_task_manager_t *this, bool request,
+						packet_t *packet)
+{
+	bool use_frags = FALSE;
+	ike_cfg_t *ike_cfg;
+	host_t *src, *dst;
+	chunk_t data;
+
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	if (ike_cfg)
+	{
+		switch (ike_cfg->fragmentation(ike_cfg))
+		{
+			case FRAGMENTATION_FORCE:
+				use_frags = TRUE;
+				break;
+			case FRAGMENTATION_YES:
+				use_frags = this->ike_sa->supports_extension(this->ike_sa,
+														EXT_IKE_FRAGMENTATION);
+				break;
+			default:
+				break;
+		}
+	}
+	data = packet->get_data(packet);
+	if (data.len > this->frag.size && use_frags)
+	{
+		fragment_payload_t *fragment;
+		u_int8_t num, count;
+		size_t len, frag_size;
+		bool nat;
+
+		/* reduce size due to non-ESP marker */
+		nat = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
+		frag_size = this->frag.size - (nat ? 4 : 0);
+
+		src = packet->get_source(packet);
+		dst = packet->get_destination(packet);
+		count = (data.len / (frag_size + 1)) + 1;
+
+		DBG1(DBG_IKE, "sending IKE message with length of %zu bytes in "
+			 "%hhu fragments", data.len, count);
+		for (num = 1; num <= count; num++)
+		{
+			len = min(data.len, frag_size);
+			fragment = fragment_payload_create_from_data(num, num == count,
+												chunk_create(data.ptr, len));
+			if (!send_fragment(this, request, src, dst, fragment))
+			{
+				packet->destroy(packet);
+				return FALSE;
+			}
+			data = chunk_skip(data, len);
+		}
+		packet->destroy(packet);
+		return TRUE;
+	}
+	charon->sender->send(charon->sender, packet);
+	return TRUE;
+}
+
+/**
+ * Retransmit a packet, either as initiator or as responder
+ */
+static status_t retransmit_packet(private_task_manager_t *this, bool request,
+			u_int32_t seqnr, u_int mid, u_int retransmitted, packet_t *packet)
+{
+	u_int32_t t;
+
+	if (retransmitted > this->retransmit_tries)
+	{
+		DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
+		charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
+		return DESTROY_ME;
+	}
+	t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
+					pow(this->retransmit_base, retransmitted));
+	if (retransmitted)
+	{
+		DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
+			 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
+			 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
+		charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
+	}
+	if (!send_packet(this, request, packet->clone(packet)))
+	{
+		return DESTROY_ME;
+	}
+	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
+			retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
+	return NEED_MORE;
+}
+
+METHOD(task_manager_t, retransmit, status_t,
+	private_task_manager_t *this, u_int32_t seqnr)
+{
+	status_t status = SUCCESS;
+
+	if (seqnr == this->initiating.seqnr && this->initiating.packet)
+	{
+		status = retransmit_packet(this, TRUE, seqnr, this->initiating.mid,
+					this->initiating.retransmitted, this->initiating.packet);
+		if (status == NEED_MORE)
+		{
+			this->initiating.retransmitted++;
+			status = SUCCESS;
+		}
+	}
+	if (seqnr == this->responding.seqnr && this->responding.packet)
+	{
+		status = retransmit_packet(this, FALSE, seqnr, this->responding.mid,
+					this->responding.retransmitted, this->responding.packet);
+		if (status == NEED_MORE)
+		{
+			this->responding.retransmitted++;
+			status = SUCCESS;
+		}
+	}
+	return status;
+}
+
+/**
+ * Check if we have to wait for a mode config before starting a quick mode
+ */
+static bool mode_config_expected(private_task_manager_t *this)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	char *pool;
+	host_t *host;
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+		if (!enumerator->enumerate(enumerator, &pool))
+		{	/* no pool configured */
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+		enumerator->destroy(enumerator);
+
+		enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
+																FALSE);
+		if (!enumerator->enumerate(enumerator, &host))
+		{	/* have a pool, but no VIP assigned yet */
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+		enumerator->destroy(enumerator);
+	}
+	return FALSE;
+}
+
+METHOD(task_manager_t, initiate, status_t,
+	private_task_manager_t *this)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	message_t *message;
+	host_t *me, *other;
+	status_t status;
+	exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
+	bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
+
+	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
+		this->initiating.type != INFORMATIONAL_V1)
+	{
+		DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
+				exchange_type_names, this->initiating.type);
+		/* do not initiate if we already have a message in the air */
+		return SUCCESS;
+	}
+
+	if (this->active_tasks->get_count(this->active_tasks) == 0)
+	{
+		DBG2(DBG_IKE, "activating new tasks");
+		switch (this->ike_sa->get_state(this->ike_sa))
+		{
+			case IKE_CREATED:
+				activate_task(this, TASK_ISAKMP_VENDOR);
+				activate_task(this, TASK_ISAKMP_CERT_PRE);
+				if (activate_task(this, TASK_MAIN_MODE))
+				{
+					exchange = ID_PROT;
+				}
+				else if (activate_task(this, TASK_AGGRESSIVE_MODE))
+				{
+					exchange = AGGRESSIVE;
+				}
+				activate_task(this, TASK_ISAKMP_CERT_POST);
+				activate_task(this, TASK_ISAKMP_NATD);
+				break;
+			case IKE_CONNECTING:
+				if (activate_task(this, TASK_ISAKMP_DELETE))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
+				if (activate_task(this, TASK_XAUTH))
+				{
+					exchange = TRANSACTION;
+					new_mid = TRUE;
+					break;
+				}
+				if (activate_task(this, TASK_INFORMATIONAL))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
+				break;
+			case IKE_ESTABLISHED:
+				if (activate_task(this, TASK_MODE_CONFIG))
+				{
+					exchange = TRANSACTION;
+					new_mid = TRUE;
+					break;
+				}
+				if (!mode_config_expected(this) &&
+					activate_task(this, TASK_QUICK_MODE))
+				{
+					exchange = QUICK_MODE;
+					new_mid = TRUE;
+					break;
+				}
+				if (activate_task(this, TASK_INFORMATIONAL))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
+				if (activate_task(this, TASK_QUICK_DELETE))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
+				if (activate_task(this, TASK_ISAKMP_DELETE))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
+				if (activate_task(this, TASK_ISAKMP_DPD))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	else
+	{
+		DBG2(DBG_IKE, "reinitiating already active tasks");
+		enumerator = this->active_tasks->create_enumerator(this->active_tasks);
+		while (enumerator->enumerate(enumerator, (void**)&task))
+		{
+			DBG2(DBG_IKE, "  %N task", task_type_names, task->get_type(task));
+			switch (task->get_type(task))
+			{
+				case TASK_MAIN_MODE:
+					exchange = ID_PROT;
+					break;
+				case TASK_AGGRESSIVE_MODE:
+					exchange = AGGRESSIVE;
+					break;
+				case TASK_QUICK_MODE:
+					exchange = QUICK_MODE;
+					break;
+				case TASK_XAUTH:
+					exchange = TRANSACTION;
+					new_mid = TRUE;
+					break;
+				default:
+					continue;
+			}
+			break;
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (exchange == EXCHANGE_TYPE_UNDEFINED)
+	{
+		DBG2(DBG_IKE, "nothing to initiate");
+		/* nothing to do yet... */
+		return SUCCESS;
+	}
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+
+	if (new_mid)
+	{
+		if (!this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
+								 (void*)&this->initiating.mid))
+		{
+			DBG1(DBG_IKE, "failed to allocate message ID, destroying IKE_SA");
+			flush(this);
+			return DESTROY_ME;
+		}
+	}
+	message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
+	message->set_message_id(message, this->initiating.mid);
+	message->set_source(message, me->clone(me));
+	message->set_destination(message, other->clone(other));
+	message->set_exchange_type(message, exchange);
+	this->initiating.type = exchange;
+	this->initiating.retransmitted = 0;
+
+	enumerator = this->active_tasks->create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, (void*)&task))
+	{
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				this->active_tasks->remove_at(this->active_tasks, enumerator);
+				if (task->get_type(task) == TASK_AGGRESSIVE_MODE ||
+					task->get_type(task) == TASK_QUICK_MODE)
+				{	/* last message of three message exchange */
+					keep = TRUE;
+				}
+				task->destroy(task);
+				continue;
+			case NEED_MORE:
+				expect_response = TRUE;
+				/* processed, but task needs another exchange */
+				continue;
+			case ALREADY_DONE:
+				cancelled = TRUE;
+				break;
+			case FAILED:
+			default:
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				}
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				enumerator->destroy(enumerator);
+				message->destroy(message);
+				flush(this);
+				return DESTROY_ME;
+		}
+		break;
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->active_tasks->get_count(this->active_tasks) == 0 &&
+		(exchange == QUICK_MODE || exchange == AGGRESSIVE))
+	{	/* tasks completed, no exchange active anymore */
+		this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+	}
+	if (cancelled)
+	{
+		message->destroy(message);
+		return initiate(this);
+	}
+
+	DESTROY_IF(this->initiating.packet);
+	status = this->ike_sa->generate_message(this->ike_sa, message,
+											&this->initiating.packet);
+	if (status != SUCCESS)
+	{
+		/* message generation failed. There is nothing more to do than to
+		 * close the SA */
+		message->destroy(message);
+		flush(this);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+
+	this->initiating.seqnr++;
+	if (expect_response)
+	{
+		message->destroy(message);
+		return retransmit(this, this->initiating.seqnr);
+	}
+	if (keep)
+	{	/* keep the packet for retransmission, the responder might request it */
+		send_packet(this, TRUE,
+					this->initiating.packet->clone(this->initiating.packet));
+	}
+	else
+	{
+		send_packet(this, TRUE, this->initiating.packet);
+		this->initiating.packet = NULL;
+	}
+	message->destroy(message);
+
+	if (exchange == INFORMATIONAL_V1)
+	{
+		switch (this->ike_sa->get_state(this->ike_sa))
+		{
+			case IKE_CONNECTING:
+				/* close after sending an INFORMATIONAL when unestablished */
+				return FAILED;
+			case IKE_DELETING:
+				/* close after sending a DELETE */
+				return DESTROY_ME;
+			default:
+				break;
+		}
+	}
+	return initiate(this);
+}
+
+/**
+ * build a response depending on the "passive" task list
+ */
+static status_t build_response(private_task_manager_t *this, message_t *request)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	message_t *message;
+	host_t *me, *other;
+	bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
+	status_t status;
+
+	me = request->get_destination(request);
+	other = request->get_source(request);
+
+	message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
+	message->set_exchange_type(message, request->get_exchange_type(request));
+	/* send response along the path the request came in */
+	message->set_source(message, me->clone(me));
+	message->set_destination(message, other->clone(other));
+	message->set_message_id(message, request->get_message_id(request));
+	message->set_request(message, FALSE);
+
+	this->responding.mid = request->get_message_id(request);
+	this->responding.retransmitted = 0;
+	this->responding.seqnr++;
+
+	enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
+	while (enumerator->enumerate(enumerator, (void*)&task))
+	{
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
+				task->destroy(task);
+				continue;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				if (task->get_type(task) == TASK_QUICK_MODE ||
+					task->get_type(task) == TASK_AGGRESSIVE_MODE)
+				{	/* we rely on initiator retransmission, except for
+					 * three-message exchanges */
+					expect_request = TRUE;
+				}
+				continue;
+			case ALREADY_DONE:
+				cancelled = TRUE;
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* destroy IKE_SA, but SEND response first */
+				delete = TRUE;
+				break;
+		}
+		break;
+	}
+	enumerator->destroy(enumerator);
+
+	DESTROY_IF(this->responding.packet);
+	this->responding.packet = NULL;
+	if (cancelled)
+	{
+		message->destroy(message);
+		return initiate(this);
+	}
+	status = this->ike_sa->generate_message(this->ike_sa, message,
+											&this->responding.packet);
+	message->destroy(message);
+	if (status != SUCCESS)
+	{
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+
+	if (expect_request && !delete)
+	{
+		return retransmit(this, this->responding.seqnr);
+	}
+	send_packet(this, FALSE,
+				this->responding.packet->clone(this->responding.packet));
+	if (delete)
+	{
+		return DESTROY_ME;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Send a notify in a separate INFORMATIONAL exchange back to the sender.
+ * The notify protocol_id is set to ISAKMP
+ */
+static void send_notify(private_task_manager_t *this, message_t *request,
+						notify_type_t type)
+{
+	message_t *response;
+	packet_t *packet;
+	host_t *me, *other;
+	u_int32_t mid;
+
+	if (request->get_exchange_type(request) == INFORMATIONAL_V1)
+	{	/* don't respond to INFORMATIONAL requests to avoid a notify war */
+		DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
+		return;
+	}
+	if (!this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid))
+	{
+		DBG1(DBG_IKE, "failed to allocate message ID");
+		return;
+	}
+	response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
+	response->set_exchange_type(response, INFORMATIONAL_V1);
+	response->set_request(response, TRUE);
+	response->set_message_id(response, mid);
+	response->add_payload(response, (payload_t*)
+				notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+													PROTO_IKE, type));
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	if (me->is_anyaddr(me))
+	{
+		me = request->get_destination(request);
+		this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
+	}
+	other = this->ike_sa->get_other_host(this->ike_sa);
+	if (other->is_anyaddr(other))
+	{
+		other = request->get_source(request);
+		this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+	}
+	response->set_source(response, me->clone(me));
+	response->set_destination(response, other->clone(other));
+	if (this->ike_sa->generate_message(this->ike_sa, response,
+									   &packet) == SUCCESS)
+	{
+		send_packet(this, TRUE, packet);
+	}
+	response->destroy(response);
+}
+
+/**
+ * Process a DPD request/response
+ */
+static bool process_dpd(private_task_manager_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	notify_type_t type;
+	u_int32_t seq;
+	chunk_t data;
+
+	type = DPD_R_U_THERE;
+	notify = message->get_notify(message, type);
+	if (!notify)
+	{
+		type = DPD_R_U_THERE_ACK;
+		notify = message->get_notify(message, type);
+	}
+	if (!notify)
+	{
+		return FALSE;
+	}
+	data = notify->get_notification_data(notify);
+	if (data.len != 4)
+	{
+		return FALSE;
+	}
+	seq = untoh32(data.ptr);
+
+	if (type == DPD_R_U_THERE)
+	{
+		if (this->dpd_recv == 0 || seq == this->dpd_recv)
+		{	/* check sequence validity */
+			this->dpd_recv = seq + 1;
+			this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+										time_monotonic(NULL));
+		}
+		/* but respond anyway */
+		this->ike_sa->queue_task(this->ike_sa,
+				&isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE_ACK, seq)->task);
+	}
+	else /* DPD_R_U_THERE_ACK */
+	{
+		if (seq == this->dpd_send - 1)
+		{
+			this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+										time_monotonic(NULL));
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received invalid DPD sequence number %u "
+				 "(expected %u), ignored", seq, this->dpd_send - 1);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * handle an incoming request message
+ */
+static status_t process_request(private_task_manager_t *this,
+								message_t *message)
+{
+	enumerator_t *enumerator;
+	task_t *task = NULL;
+	bool send_response = FALSE, dpd = FALSE;
+
+	if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
+		this->passive_tasks->get_count(this->passive_tasks) == 0)
+	{	/* create tasks depending on request type, if not already some queued */
+		switch (message->get_exchange_type(message))
+		{
+			case ID_PROT:
+				task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t *)main_mode_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
+			case AGGRESSIVE:
+				task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t *)aggressive_mode_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				this->frag.exchange = AGGRESSIVE;
+				break;
+			case QUICK_MODE:
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+				{
+					DBG1(DBG_IKE, "received quick mode request for "
+						 "unestablished IKE_SA, ignored");
+					return FAILED;
+				}
+				task = (task_t *)quick_mode_create(this->ike_sa, NULL,
+												   NULL, NULL);
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
+			case INFORMATIONAL_V1:
+				if (process_dpd(this, message))
+				{
+					dpd = TRUE;
+				}
+				else
+				{
+					task = (task_t *)informational_create(this->ike_sa, NULL);
+					this->passive_tasks->insert_first(this->passive_tasks, task);
+				}
+				break;
+			case TRANSACTION:
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					task = (task_t *)mode_config_create(this->ike_sa, FALSE);
+				}
+				else
+				{
+					task = (task_t *)xauth_create(this->ike_sa, FALSE);
+				}
+				this->passive_tasks->insert_last(this->passive_tasks, task);
+				break;
+			default:
+				return FAILED;
+		}
+	}
+	if (dpd)
+	{
+		return initiate(this);
+	}
+	this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL));
+
+	/* let the tasks process the message */
+	enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
+	while (enumerator->enumerate(enumerator, (void*)&task))
+	{
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
+				task->destroy(task);
+				continue;
+			case NEED_MORE:
+				/* processed, but task needs at least another call to build() */
+				send_response = TRUE;
+				continue;
+			case ALREADY_DONE:
+				send_response = FALSE;
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
+				enumerator->destroy(enumerator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
+		break;
+	}
+	enumerator->destroy(enumerator);
+
+	if (send_response)
+	{
+		if (build_response(this, message) != SUCCESS)
+		{
+			return DESTROY_ME;
+		}
+	}
+	else
+	{	/* We don't send a response, so don't retransmit one if we get
+		 * the same message again. */
+		DESTROY_IF(this->responding.packet);
+		this->responding.packet = NULL;
+	}
+	if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
+		this->queued_tasks->get_count(this->queued_tasks) > 0)
+	{
+		/* passive tasks completed, check if an active task has been queued,
+		 * such as XAUTH or modeconfig push */
+		return initiate(this);
+	}
+	return SUCCESS;
+}
+
+/**
+ * handle an incoming response message
+ */
+static status_t process_response(private_task_manager_t *this,
+								 message_t *message)
+{
+	enumerator_t *enumerator;
+	message_t *queued;
+	status_t status;
+	task_t *task;
+
+	if (message->get_exchange_type(message) != this->initiating.type)
+	{
+		/* Windows server sends a fourth quick mode message having an initial
+		 * contact notify. Ignore this message for compatibility. */
+		if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED &&
+			message->get_exchange_type(message) == QUICK_MODE &&
+			message->get_notify(message, INITIAL_CONTACT))
+		{
+			DBG1(DBG_IKE, "ignoring fourth Quick Mode message");
+			return SUCCESS;
+		}
+		DBG1(DBG_IKE, "received %N response, but expected %N",
+			 exchange_type_names, message->get_exchange_type(message),
+			 exchange_type_names, this->initiating.type);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+
+	enumerator = this->active_tasks->create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, (void*)&task))
+	{
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				this->active_tasks->remove_at(this->active_tasks, enumerator);
+				task->destroy(task);
+				continue;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				continue;
+			case ALREADY_DONE:
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				this->active_tasks->remove_at(this->active_tasks, enumerator);
+				enumerator->destroy(enumerator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
+		break;
+	}
+	enumerator->destroy(enumerator);
+
+	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+	DESTROY_IF(this->initiating.packet);
+	this->initiating.packet = NULL;
+
+	if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
+	{
+		queued = this->queued;
+		this->queued = NULL;
+		status = this->public.task_manager.process_message(
+											&this->public.task_manager, queued);
+		queued->destroy(queued);
+		if (status == DESTROY_ME)
+		{
+			return status;
+		}
+	}
+
+	return initiate(this);
+}
+
+static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
+{
+	fragment_payload_t *payload;
+	enumerator_t *enumerator;
+	fragment_t *fragment;
+	status_t status = SUCCESS;
+	chunk_t data;
+	u_int8_t num;
+
+	payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1);
+	if (!payload)
+	{
+		return FAILED;
+	}
+
+	if (this->frag.id != payload->get_id(payload))
+	{
+		clear_fragments(this, payload->get_id(payload));
+		this->frag.list = linked_list_create();
+	}
+
+	num = payload->get_number(payload);
+	if (!this->frag.last && payload->is_last(payload))
+	{
+		this->frag.last = num;
+	}
+
+	enumerator = this->frag.list->create_enumerator(this->frag.list);
+	while (enumerator->enumerate(enumerator, &fragment))
+	{
+		if (fragment->num == num)
+		{	/* ignore a duplicate fragment */
+			DBG1(DBG_IKE, "received duplicate fragment #%hhu", num);
+			enumerator->destroy(enumerator);
+			return NEED_MORE;
+		}
+		if (fragment->num > num)
+		{
+			break;
+		}
+	}
+
+	data = payload->get_data(payload);
+	this->frag.len += data.len;
+	if (this->frag.len > this->frag.max_packet)
+	{
+		DBG1(DBG_IKE, "fragmented IKE message is too large");
+		enumerator->destroy(enumerator);
+		clear_fragments(this, 0);
+		return FAILED;
+	}
+
+	INIT(fragment,
+		.num = num,
+		.data = chunk_clone(data),
+	);
+
+	this->frag.list->insert_before(this->frag.list, enumerator, fragment);
+	enumerator->destroy(enumerator);
+
+	if (this->frag.list->get_count(this->frag.list) == this->frag.last)
+	{
+		message_t *message;
+		packet_t *pkt;
+		host_t *src, *dst;
+		bio_writer_t *writer;
+
+		writer = bio_writer_create(this->frag.len);
+		DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
+			 "message", num);
+		enumerator = this->frag.list->create_enumerator(this->frag.list);
+		while (enumerator->enumerate(enumerator, &fragment))
+		{
+			writer->write_data(writer, fragment->data);
+		}
+		enumerator->destroy(enumerator);
+
+		src = msg->get_source(msg);
+		dst = msg->get_destination(msg);
+		pkt = packet_create_from_data(src->clone(src), dst->clone(dst),
+									  writer->extract_buf(writer));
+		writer->destroy(writer);
+
+		message = message_create_from_packet(pkt);
+		if (message->parse_header(message) != SUCCESS)
+		{
+			DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
+			message->destroy(message);
+			status = FAILED;
+		}
+		else
+		{
+			lib->processor->queue_job(lib->processor,
+								(job_t*)process_message_job_create(message));
+			status = NEED_MORE;
+
+		}
+		clear_fragments(this, 0);
+	}
+	else
+	{	/* there are some fragments missing */
+		DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE "
+			 "message", num);
+		status = NEED_MORE;
+	}
+	return status;
+}
+
+/**
+ * Parse the given message and verify that it is valid.
+ */
+static status_t parse_message(private_task_manager_t *this, message_t *msg)
+{
+	status_t status;
+
+	status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
+
+	if (status != SUCCESS)
+	{
+		switch (status)
+		{
+			case NOT_SUPPORTED:
+				DBG1(DBG_IKE, "unsupported exchange type");
+				send_notify(this, msg, INVALID_EXCHANGE_TYPE);
+				break;
+			case PARSE_ERROR:
+				DBG1(DBG_IKE, "message parsing failed");
+				send_notify(this, msg, PAYLOAD_MALFORMED);
+				break;
+			case VERIFY_ERROR:
+				DBG1(DBG_IKE, "message verification failed");
+				send_notify(this, msg, PAYLOAD_MALFORMED);
+				break;
+			case FAILED:
+				DBG1(DBG_IKE, "integrity check failed");
+				send_notify(this, msg, INVALID_HASH_INFORMATION);
+				break;
+			case INVALID_STATE:
+				DBG1(DBG_IKE, "found encrypted message, but no keys available");
+				send_notify(this, msg, PAYLOAD_MALFORMED);
+			default:
+				break;
+		}
+		DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
+			 exchange_type_names, msg->get_exchange_type(msg),
+			 msg->get_request(msg) ? "request" : "response",
+			 msg->get_message_id(msg));
+
+		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
+
+		if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
+		{	/* invalid initiation attempt, close SA */
+			return DESTROY_ME;
+		}
+	}
+
+	if (msg->get_first_payload_type(msg) == FRAGMENT_V1)
+	{
+		return handle_fragment(this, msg);
+	}
+	return status;
+}
+
+METHOD(task_manager_t, process_message, status_t,
+	private_task_manager_t *this, message_t *msg)
+{
+	u_int32_t hash, mid, i;
+	host_t *me, *other;
+	status_t status;
+
+	/* TODO-IKEv1: update hosts more selectively */
+	me = msg->get_destination(msg);
+	other = msg->get_source(msg);
+	mid = msg->get_message_id(msg);
+	hash = chunk_hash(msg->get_packet_data(msg));
+	for (i = 0; i < MAX_OLD_HASHES; i++)
+	{
+		if (this->initiating.old_hashes[i] == hash)
+		{
+			if (this->initiating.packet &&
+				i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
+				(msg->get_exchange_type(msg) == QUICK_MODE ||
+				 msg->get_exchange_type(msg) == AGGRESSIVE))
+			{
+				DBG1(DBG_IKE, "received retransmit of response with ID %u, "
+					 "resending last request", mid);
+				send_packet(this, TRUE,
+					this->initiating.packet->clone(this->initiating.packet));
+				return SUCCESS;
+			}
+			DBG1(DBG_IKE, "received retransmit of response with ID %u, "
+				 "but next request already sent", mid);
+			return SUCCESS;
+		}
+	}
+
+	if ((mid && mid == this->initiating.mid) ||
+		(this->initiating.mid == 0 &&
+		 msg->get_exchange_type(msg) == this->initiating.type &&
+		 this->active_tasks->get_count(this->active_tasks)))
+	{
+		msg->set_request(msg, FALSE);
+		charon->bus->message(charon->bus, msg, TRUE, FALSE);
+		status = parse_message(this, msg);
+		if (status == NEED_MORE)
+		{
+			return SUCCESS;
+		}
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+		this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+									time_monotonic(NULL));
+		this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
+		charon->bus->message(charon->bus, msg, TRUE, TRUE);
+		if (process_response(this, msg) != SUCCESS)
+		{
+			flush(this);
+			return DESTROY_ME;
+		}
+		this->initiating.old_hashes[(++this->initiating.old_hash_pos) %
+									MAX_OLD_HASHES] = hash;
+	}
+	else
+	{
+		if (hash == this->responding.hash)
+		{
+			if (this->responding.packet)
+			{
+				DBG1(DBG_IKE, "received retransmit of request with ID %u, "
+					 "retransmitting response", mid);
+				send_packet(this, FALSE,
+						this->responding.packet->clone(this->responding.packet));
+			}
+			else if (this->initiating.packet &&
+					 this->initiating.type == INFORMATIONAL_V1)
+			{
+				DBG1(DBG_IKE, "received retransmit of DPD request, "
+					 "retransmitting response");
+				send_packet(this, TRUE,
+						this->initiating.packet->clone(this->initiating.packet));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received retransmit of request with ID %u, "
+					 "but no response to retransmit", mid);
+			}
+			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
+			return SUCCESS;
+		}
+
+		/* reject Main/Aggressive Modes once established */
+		if (msg->get_exchange_type(msg) == ID_PROT ||
+			msg->get_exchange_type(msg) == AGGRESSIVE)
+		{
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+				this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
+				msg->get_first_payload_type(msg) != FRAGMENT_V1)
+			{
+				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+					 exchange_type_names, msg->get_exchange_type(msg));
+				return FAILED;
+			}
+		}
+
+		if (msg->get_exchange_type(msg) == TRANSACTION &&
+			this->active_tasks->get_count(this->active_tasks))
+		{	/* main mode not yet complete, queue XAuth/Mode config tasks */
+			if (this->queued)
+			{
+				DBG1(DBG_IKE, "ignoring additional %N request, queue full",
+					 exchange_type_names, TRANSACTION);
+				return SUCCESS;
+			}
+			this->queued = message_create_from_packet(msg->get_packet(msg));
+			if (this->queued->parse_header(this->queued) != SUCCESS)
+			{
+				this->queued->destroy(this->queued);
+				this->queued = NULL;
+				return FAILED;
+			}
+			DBG1(DBG_IKE, "queueing %N request as tasks still active",
+				 exchange_type_names, TRANSACTION);
+			return SUCCESS;
+		}
+
+		msg->set_request(msg, TRUE);
+		charon->bus->message(charon->bus, msg, TRUE, FALSE);
+		status = parse_message(this, msg);
+		if (status == NEED_MORE)
+		{
+			return SUCCESS;
+		}
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+		/* if this IKE_SA is virgin, we check for a config */
+		if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
+		{
+			ike_sa_id_t *ike_sa_id;
+			ike_cfg_t *ike_cfg;
+			job_t *job;
+
+			ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+													me, other, IKEV1);
+			if (ike_cfg == NULL)
+			{
+				/* no config found for these hosts, destroy */
+				DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
+					 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
+				send_notify(this, msg, NO_PROPOSAL_CHOSEN);
+				return DESTROY_ME;
+			}
+			this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
+			ike_cfg->destroy(ike_cfg);
+			/* add a timeout if peer does not establish it completely */
+			ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+			job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
+			lib->scheduler->schedule_job(lib->scheduler, job,
+					lib->settings->get_int(lib->settings,
+							"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
+							charon->name));
+		}
+		this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
+		charon->bus->message(charon->bus, msg, TRUE, TRUE);
+		if (process_request(this, msg) != SUCCESS)
+		{
+			flush(this);
+			return DESTROY_ME;
+		}
+		this->responding.hash = hash;
+	}
+	return SUCCESS;
+}
+
+METHOD(task_manager_t, queue_task, void,
+	private_task_manager_t *this, task_t *task)
+{
+	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
+	this->queued_tasks->insert_last(this->queued_tasks, task);
+}
+
+/**
+ * Check if a given task has been queued already
+ */
+static bool has_queued(private_task_manager_t *this, task_type_t type)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	task_t *task;
+
+	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == type)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+METHOD(task_manager_t, queue_ike, void,
+	private_task_manager_t *this)
+{
+	peer_cfg_t *peer_cfg;
+
+	if (!has_queued(this, TASK_ISAKMP_VENDOR))
+	{
+		queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
+	{
+		queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
+	}
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg->use_aggressive(peer_cfg))
+	{
+		if (!has_queued(this, TASK_AGGRESSIVE_MODE))
+		{
+			queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
+		}
+		this->frag.exchange = AGGRESSIVE;
+	}
+	else
+	{
+		if (!has_queued(this, TASK_MAIN_MODE))
+		{
+			queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
+		}
+	}
+	if (!has_queued(this, TASK_ISAKMP_CERT_POST))
+	{
+		queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_ISAKMP_NATD))
+	{
+		queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
+	}
+}
+
+METHOD(task_manager_t, queue_ike_reauth, void,
+	private_task_manager_t *this)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	ike_sa_t *new;
+	host_t *host;
+
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+								this->ike_sa->get_version(this->ike_sa), TRUE);
+	if (!new)
+	{	/* shouldn't happen */
+		return;
+	}
+
+	new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
+	host = this->ike_sa->get_other_host(this->ike_sa);
+	new->set_other_host(new, host->clone(host));
+	host = this->ike_sa->get_my_host(this->ike_sa);
+	new->set_my_host(new, host->clone(host));
+	enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		new->add_virtual_ip(new, TRUE, host);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
+		new->add_child_sa(new, child_sa);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!new->get_child_count(new))
+	{	/* check if a Quick Mode task is queued (UNITY_LOAD_BALANCE case) */
+		task_t *task;
+
+		enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+		while (enumerator->enumerate(enumerator, &task))
+		{
+			if (task->get_type(task) == TASK_QUICK_MODE)
+			{
+				this->queued_tasks->remove_at(this->queued_tasks, enumerator);
+				task->migrate(task, new);
+				new->queue_task(new, task);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
+	{
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+		this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+	}
+	else
+	{
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+		DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
+	}
+	charon->bus->set_sa(charon->bus, this->ike_sa);
+}
+
+METHOD(task_manager_t, queue_ike_rekey, void,
+	private_task_manager_t *this)
+{
+	queue_ike_reauth(this);
+}
+
+METHOD(task_manager_t, queue_ike_delete, void,
+	private_task_manager_t *this)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+
+	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		queue_task(this, (task_t*)
+			quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
+								child_sa->get_spi(child_sa, TRUE), FALSE, FALSE));
+	}
+	enumerator->destroy(enumerator);
+
+	queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
+}
+
+METHOD(task_manager_t, queue_mobike, void,
+	private_task_manager_t *this, bool roam, bool address)
+{
+	/* Not supported in IKEv1 */
+}
+
+METHOD(task_manager_t, queue_child, void,
+	private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
+	traffic_selector_t *tsi, traffic_selector_t *tsr)
+{
+	quick_mode_t *task;
+
+	task = quick_mode_create(this->ike_sa, cfg, tsi, tsr);
+	task->use_reqid(task, reqid);
+
+	queue_task(this, &task->task);
+}
+
+/**
+ * Check if two CHILD_SAs have the same traffic selector
+ */
+static bool have_equal_ts(child_sa_t *child1, child_sa_t *child2, bool local)
+{
+	enumerator_t *e1, *e2;
+	traffic_selector_t *ts1, *ts2;
+	bool equal = FALSE;
+
+	e1 = child1->create_ts_enumerator(child1, local);
+	e2 = child2->create_ts_enumerator(child2, local);
+	if (e1->enumerate(e1, &ts1) && e2->enumerate(e2, &ts2))
+	{
+		equal = ts1->equals(ts1, ts2);
+	}
+	e1->destroy(e1);
+	e1->destroy(e1);
+
+	return equal;
+}
+
+/**
+ * Check if a CHILD_SA is redundant and we should delete instead of rekey
+ */
+static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
+{
+	enumerator_t *enumerator;
+	child_sa_t *current;
+	bool redundant = FALSE;
+
+	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->get_state(current) == CHILD_INSTALLED &&
+			streq(current->get_name(current), child_sa->get_name(child_sa)) &&
+			have_equal_ts(current, child_sa, TRUE) &&
+			have_equal_ts(current, child_sa, FALSE) &&
+			current->get_lifetime(current, FALSE) >
+				child_sa->get_lifetime(child_sa, FALSE))
+		{
+			DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
+				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
+			redundant = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return redundant;
+}
+
+/**
+ * Get the first traffic selector of a CHILD_SA, local or remote
+ */
+static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
+{
+	traffic_selector_t *ts = NULL;
+	enumerator_t *enumerator;
+
+	enumerator = child_sa->create_ts_enumerator(child_sa, local);
+	enumerator->enumerate(enumerator, &ts);
+	enumerator->destroy(enumerator);
+
+	return ts;
+}
+
+METHOD(task_manager_t, queue_child_rekey, void,
+	private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
+{
+	child_sa_t *child_sa;
+	child_cfg_t *cfg;
+	quick_mode_t *task;
+
+	child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
+	if (!child_sa)
+	{
+		child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
+	}
+	if (child_sa && child_sa->get_state(child_sa) == CHILD_INSTALLED)
+	{
+		if (is_redundant(this, child_sa))
+		{
+			queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
+												protocol, spi, FALSE, FALSE));
+		}
+		else
+		{
+			child_sa->set_state(child_sa, CHILD_REKEYING);
+			cfg = child_sa->get_config(child_sa);
+			task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
+				get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
+			task->use_reqid(task, child_sa->get_reqid(child_sa));
+			task->rekey(task, child_sa->get_spi(child_sa, TRUE));
+
+			queue_task(this, &task->task);
+		}
+	}
+}
+
+METHOD(task_manager_t, queue_child_delete, void,
+	private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
+	bool expired)
+{
+	queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
+												  spi, FALSE, expired));
+}
+
+METHOD(task_manager_t, queue_dpd, void,
+	private_task_manager_t *this)
+{
+	peer_cfg_t *peer_cfg;
+	u_int32_t t, retransmit;
+
+	queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
+												this->dpd_send++));
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+
+	/* compute timeout in milliseconds */
+	t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
+	if (t == 0)
+	{
+		/* use the same timeout as a retransmitting IKE message would have */
+		for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
+		{
+			t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
+							pow(this->retransmit_base, retransmit));
+		}
+	}
+
+	/* schedule DPD timeout job */
+	lib->scheduler->schedule_job_ms(lib->scheduler,
+		(job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
+}
+
+METHOD(task_manager_t, adopt_tasks, void,
+	private_task_manager_t *this, task_manager_t *other_public)
+{
+	private_task_manager_t *other = (private_task_manager_t*)other_public;
+	task_t *task;
+
+	/* move queued tasks from other to this */
+	while (other->queued_tasks->remove_last(other->queued_tasks,
+												(void**)&task) == SUCCESS)
+	{
+		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
+		task->migrate(task, this->ike_sa);
+		this->queued_tasks->insert_first(this->queued_tasks, task);
+	}
+}
+
+/**
+ * Migrates child-creating tasks from src to dst
+ */
+static void migrate_child_tasks(private_task_manager_t *this,
+								linked_list_t *src, linked_list_t *dst)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	enumerator = src->create_enumerator(src);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_QUICK_MODE)
+		{
+			src->remove_at(src, enumerator);
+			task->migrate(task, this->ike_sa);
+			dst->insert_last(dst, task);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_manager_t, adopt_child_tasks, void,
+	private_task_manager_t *this, task_manager_t *other_public)
+{
+	private_task_manager_t *other = (private_task_manager_t*)other_public;
+
+	/* move active child tasks from other to this */
+	migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
+	/* do the same for queued tasks */
+	migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
+}
+
+METHOD(task_manager_t, busy, bool,
+	private_task_manager_t *this)
+{
+	return (this->active_tasks->get_count(this->active_tasks) > 0);
+}
+
+METHOD(task_manager_t, incr_mid, void,
+	private_task_manager_t *this, bool initiate)
+{
+}
+
+METHOD(task_manager_t, reset, void,
+	private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	/* reset message counters and retransmit packets */
+	DESTROY_IF(this->responding.packet);
+	DESTROY_IF(this->initiating.packet);
+	this->responding.packet = NULL;
+	this->responding.seqnr = RESPONDING_SEQ;
+	this->responding.retransmitted = 0;
+	this->initiating.packet = NULL;
+	this->initiating.mid = 0;
+	this->initiating.seqnr = 0;
+	this->initiating.retransmitted = 0;
+	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+	clear_fragments(this, 0);
+	if (initiate != UINT_MAX)
+	{
+		this->dpd_send = initiate;
+	}
+	if (respond != UINT_MAX)
+	{
+		this->dpd_recv = respond;
+	}
+
+	/* reset queued tasks */
+	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		task->migrate(task, this->ike_sa);
+	}
+	enumerator->destroy(enumerator);
+
+	/* reset active tasks */
+	while (this->active_tasks->remove_last(this->active_tasks,
+										   (void**)&task) == SUCCESS)
+	{
+		task->migrate(task, this->ike_sa);
+		this->queued_tasks->insert_first(this->queued_tasks, task);
+	}
+}
+
+METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
+	private_task_manager_t *this, task_queue_t queue)
+{
+	switch (queue)
+	{
+		case TASK_QUEUE_ACTIVE:
+			return this->active_tasks->create_enumerator(this->active_tasks);
+		case TASK_QUEUE_PASSIVE:
+			return this->passive_tasks->create_enumerator(this->passive_tasks);
+		case TASK_QUEUE_QUEUED:
+			return this->queued_tasks->create_enumerator(this->queued_tasks);
+		default:
+			return enumerator_create_empty();
+	}
+}
+
+METHOD(task_manager_t, destroy, void,
+	private_task_manager_t *this)
+{
+	flush(this);
+
+	this->active_tasks->destroy(this->active_tasks);
+	this->queued_tasks->destroy(this->queued_tasks);
+	this->passive_tasks->destroy(this->passive_tasks);
+	clear_fragments(this, 0);
+
+	DESTROY_IF(this->queued);
+	DESTROY_IF(this->responding.packet);
+	DESTROY_IF(this->initiating.packet);
+	DESTROY_IF(this->rng);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
+{
+	private_task_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.task_manager = {
+				.process_message = _process_message,
+				.queue_task = _queue_task,
+				.queue_ike = _queue_ike,
+				.queue_ike_rekey = _queue_ike_rekey,
+				.queue_ike_reauth = _queue_ike_reauth,
+				.queue_ike_delete = _queue_ike_delete,
+				.queue_mobike = _queue_mobike,
+				.queue_child = _queue_child,
+				.queue_child_rekey = _queue_child_rekey,
+				.queue_child_delete = _queue_child_delete,
+				.queue_dpd = _queue_dpd,
+				.initiate = _initiate,
+				.retransmit = _retransmit,
+				.incr_mid = _incr_mid,
+				.reset = _reset,
+				.adopt_tasks = _adopt_tasks,
+				.adopt_child_tasks = _adopt_child_tasks,
+				.busy = _busy,
+				.create_task_enumerator = _create_task_enumerator,
+				.flush_queue = _flush_queue,
+				.destroy = _destroy,
+			},
+		},
+		.initiating = {
+			.type = EXCHANGE_TYPE_UNDEFINED,
+		},
+		.responding = {
+			.seqnr = RESPONDING_SEQ,
+		},
+		.frag = {
+			.exchange = ID_PROT,
+			.max_packet = lib->settings->get_int(lib->settings,
+					"%s.max_packet", MAX_PACKET, charon->name),
+			.size = lib->settings->get_int(lib->settings,
+					"%s.fragment_size", MAX_FRAGMENT_SIZE, charon->name),
+		},
+		.ike_sa = ike_sa,
+		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
+		.queued_tasks = linked_list_create(),
+		.active_tasks = linked_list_create(),
+		.passive_tasks = linked_list_create(),
+		.retransmit_tries = lib->settings->get_int(lib->settings,
+					"%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
+		.retransmit_timeout = lib->settings->get_double(lib->settings,
+					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
+		.retransmit_base = lib->settings->get_double(lib->settings,
+					"%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+	);
+
+	if (!this->rng)
+	{
+		DBG1(DBG_IKE, "no RNG found, unable to create IKE_SA");
+		destroy(this);
+		return NULL;
+	}
+	if (!this->rng->get_bytes(this->rng, sizeof(this->dpd_send),
+							  (void*)&this->dpd_send))
+	{
+		DBG1(DBG_IKE, "failed to allocate message ID, unable to create IKE_SA");
+		destroy(this);
+		return NULL;
+	}
+	this->dpd_send &= 0x7FFFFFFF;
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.h b/src/libcharon/sa/ikev1/task_manager_v1.h
new file mode 100644
index 000000000..61e409bbe
--- /dev/null
+++ b/src/libcharon/sa/ikev1/task_manager_v1.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup task_manager_v1 task_manager_v1
+ * @{ @ingroup ikev1
+ */
+
+#ifndef TASK_MANAGER_V1_H_
+#define TASK_MANAGER_V1_H_
+
+typedef struct task_manager_v1_t task_manager_v1_t;
+
+#include <sa/task_manager.h>
+
+/**
+ * Task manager, IKEv1 variant.
+ */
+struct task_manager_v1_t {
+
+	/**
+	 * Implements task_manager_t.
+	 */
+	task_manager_t task_manager;
+};
+
+/**
+ * Create an instance of the task manager.
+ *
+ * @param ike_sa		IKE_SA to manage.
+ */
+task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa);
+
+#endif /** TASK_MANAGER_V1_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
new file mode 100644
index 000000000..6b00706bf
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -0,0 +1,723 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "aggressive_mode.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <sa/ikev1/phase1.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/hash_payload.h>
+#include <sa/ikev1/tasks/xauth.h>
+#include <sa/ikev1/tasks/mode_config.h>
+#include <sa/ikev1/tasks/informational.h>
+#include <sa/ikev1/tasks/isakmp_delete.h>
+#include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_aggressive_mode_t private_aggressive_mode_t;
+
+/**
+ * Private members of a aggressive_mode_t task.
+ */
+struct private_aggressive_mode_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	aggressive_mode_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Common phase 1 helper class
+	 */
+	phase1_t *ph1;
+
+	/**
+	 * IKE config to establish
+	 */
+	ike_cfg_t *ike_cfg;
+
+	/**
+	 * Peer config to use
+	 */
+	peer_cfg_t *peer_cfg;
+
+	/**
+	 * selected IKE proposal
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * Negotiated SA lifetime
+	 */
+	u_int32_t lifetime;
+
+	/**
+	 * Negotiated authentication method
+	 */
+	auth_method_t method;
+
+	/**
+	 * Encoded ID payload, without fixed header
+	 */
+	chunk_t id_data;
+
+	/** states of aggressive mode */
+	enum {
+		AM_INIT,
+		AM_AUTH,
+	} state;
+};
+
+/**
+ * Set IKE_SA to established state
+ */
+static bool establish(private_aggressive_mode_t *this)
+{
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	return TRUE;
+}
+
+/**
+ * Check for notify errors, return TRUE if error found
+ */
+static bool has_notify_errors(private_aggressive_mode_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool err = FALSE;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY_V1)
+		{
+			notify_payload_t *notify;
+			notify_type_t type;
+
+			notify = (notify_payload_t*)payload;
+			type = notify->get_notify_type(notify);
+			if (type < 16384)
+			{
+				DBG1(DBG_IKE, "received %N error notify",
+					 notify_type_names, type);
+				err = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return err;
+}
+
+/**
+ * Queue a task sending a notify in an INFORMATIONAL exchange
+ */
+static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type)
+{
+	notify_payload_t *notify;
+	ike_sa_id_t *ike_sa_id;
+	u_int64_t spi_i, spi_r;
+	chunk_t spi;
+
+	notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+														  PROTO_IKE, type);
+	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+	spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+	spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+	spi = chunk_cata("cc", chunk_from_thing(spi_i), chunk_from_thing(spi_r));
+	notify->set_spi_data(notify, spi);
+
+	this->ike_sa->queue_task(this->ike_sa,
+						(task_t*)informational_create(this->ike_sa, notify));
+	/* cancel all active/passive tasks in favour of informational */
+	this->ike_sa->flush_queue(this->ike_sa,
+					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
+	return ALREADY_DONE;
+}
+
+/**
+ * Queue a delete task if authentication failed as initiator
+ */
+static status_t send_delete(private_aggressive_mode_t *this)
+{
+	this->ike_sa->queue_task(this->ike_sa,
+						(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
+	/* cancel all active tasks in favour of informational */
+	this->ike_sa->flush_queue(this->ike_sa,
+					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
+	return ALREADY_DONE;
+}
+
+METHOD(task_t, build_i, status_t,
+	private_aggressive_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case AM_INIT:
+		{
+			sa_payload_t *sa_payload;
+			id_payload_t *id_payload;
+			linked_list_t *proposals;
+			identification_t *id;
+			packet_t *packet;
+			u_int16_t group;
+
+			DBG0(DBG_IKE, "initiating Aggressive Mode IKE_SA %s[%d] to %H",
+				 this->ike_sa->get_name(this->ike_sa),
+				 this->ike_sa->get_unique_id(this->ike_sa),
+				 this->ike_sa->get_other_host(this->ike_sa));
+			this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+			this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+			this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+			this->peer_cfg->get_ref(this->peer_cfg);
+
+			this->method = this->ph1->get_auth_method(this->ph1, this->peer_cfg);
+			if (this->method == AUTH_NONE)
+			{
+				DBG1(DBG_CFG, "configuration uses unsupported authentication");
+				return FAILED;
+			}
+			this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
+															 FALSE);
+			if (!this->lifetime)
+			{	/* fall back to rekey time of no rekey time configured */
+				this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
+																 FALSE);
+			}
+			this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
+			proposals = this->ike_cfg->get_proposals(this->ike_cfg);
+			sa_payload = sa_payload_create_from_proposals_v1(proposals,
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
+			proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
+
+			message->add_payload(message, &sa_payload->payload_interface);
+
+			group = this->ike_cfg->get_dh_group(this->ike_cfg);
+			if (group == MODP_NONE)
+			{
+				DBG1(DBG_IKE, "DH group selection failed");
+				return FAILED;
+			}
+			if (!this->ph1->create_dh(this->ph1, group))
+			{
+				DBG1(DBG_IKE, "DH group %N not supported",
+					 diffie_hellman_group_names, group);
+				return FAILED;
+			}
+			if (!this->ph1->add_nonce_ke(this->ph1, message))
+			{
+				return FAILED;
+			}
+			id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
+			if (!id)
+			{
+				DBG1(DBG_CFG, "own identity not known");
+				return FAILED;
+			}
+			this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
+			id_payload = id_payload_create_from_identification(ID_V1, id);
+			this->id_data = id_payload->get_encoded(id_payload);
+			message->add_payload(message, &id_payload->payload_interface);
+
+			/* pregenerate message to store SA payload */
+			if (this->ike_sa->generate_message(this->ike_sa, message,
+											   &packet) != SUCCESS)
+			{
+				DBG1(DBG_IKE, "pregenerating SA payload failed");
+				return FAILED;
+			}
+			packet->destroy(packet);
+			if (!this->ph1->save_sa_payload(this->ph1, message))
+			{
+				DBG1(DBG_IKE, "SA payload invalid");
+				return FAILED;
+			}
+			this->state = AM_AUTH;
+			return NEED_MORE;
+		}
+		case AM_AUTH:
+		{
+			if (!this->ph1->build_auth(this->ph1, this->method, message,
+									   this->id_data))
+			{
+				this->id_data = chunk_empty;
+				return send_notify(this, AUTHENTICATION_FAILED);
+			}
+			this->id_data = chunk_empty;
+
+			switch (this->method)
+			{
+				case AUTH_XAUTH_INIT_PSK:
+				case AUTH_XAUTH_INIT_RSA:
+				case AUTH_HYBRID_INIT_RSA:
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
+					break;
+				}
+				case AUTH_XAUTH_RESP_PSK:
+				case AUTH_XAUTH_RESP_RSA:
+				case AUTH_HYBRID_RESP_RSA:
+					this->ike_sa->queue_task(this->ike_sa,
+									(task_t*)xauth_create(this->ike_sa, TRUE));
+					return SUCCESS;
+				default:
+					if (charon->ike_sa_manager->check_uniqueness(
+								charon->ike_sa_manager, this->ike_sa, FALSE))
+					{
+						DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+							 "uniqueness policy");
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					if (!establish(this))
+					{
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					break;
+			}
+			if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+			{
+				this->ike_sa->queue_task(this->ike_sa,
+							(task_t*)mode_config_create(this->ike_sa, TRUE));
+			}
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_r, status_t,
+	private_aggressive_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case AM_INIT:
+		{
+			sa_payload_t *sa_payload;
+			id_payload_t *id_payload;
+			identification_t *id;
+			linked_list_t *list;
+			u_int16_t group;
+
+			this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+			DBG0(DBG_IKE, "%H is initiating a Aggressive Mode IKE_SA",
+				 message->get_source(message));
+			this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+			this->ike_sa->update_hosts(this->ike_sa,
+									   message->get_destination(message),
+									   message->get_source(message), TRUE);
+
+			sa_payload = (sa_payload_t*)message->get_payload(message,
+													SECURITY_ASSOCIATION_V1);
+			if (!sa_payload)
+			{
+				DBG1(DBG_IKE, "SA payload missing");
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			if (!this->ph1->save_sa_payload(this->ph1, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+
+			list = sa_payload->get_proposals(sa_payload);
+			this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
+															list, FALSE);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			if (!this->proposal)
+			{
+				DBG1(DBG_IKE, "no proposal found");
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+			this->method = sa_payload->get_auth_method(sa_payload);
+			this->lifetime = sa_payload->get_lifetime(sa_payload);
+
+			switch (this->method)
+			{
+				case AUTH_XAUTH_INIT_PSK:
+				case AUTH_XAUTH_RESP_PSK:
+				case AUTH_PSK:
+					if (!lib->settings->get_bool(lib->settings, "%s.i_dont_care"
+						"_about_security_and_use_aggressive_mode_psk",
+						FALSE, charon->name))
+					{
+						DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
+							 "security reasons");
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					break;
+				default:
+					break;
+			}
+
+			if (!this->proposal->get_algorithm(this->proposal,
+										DIFFIE_HELLMAN_GROUP, &group, NULL))
+			{
+				DBG1(DBG_IKE, "DH group selection failed");
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!this->ph1->create_dh(this->ph1, group))
+			{
+				DBG1(DBG_IKE, "negotiated DH group not supported");
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!this->ph1->get_nonce_ke(this->ph1, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+
+			id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
+			if (!id_payload)
+			{
+				DBG1(DBG_IKE, "IDii payload missing");
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+
+			id = id_payload->get_identification(id_payload);
+			this->id_data = id_payload->get_encoded(id_payload);
+			this->ike_sa->set_other_id(this->ike_sa, id);
+			this->peer_cfg = this->ph1->select_config(this->ph1,
+													  this->method, TRUE, id);
+			if (!this->peer_cfg)
+			{
+				return send_notify(this, AUTHENTICATION_FAILED);
+			}
+			this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
+
+			this->state = AM_AUTH;
+			if (has_notify_errors(this, message))
+			{
+				return FAILED;
+			}
+			return NEED_MORE;
+		}
+		case AM_AUTH:
+		{
+			while (TRUE)
+			{
+				if (this->ph1->verify_auth(this->ph1, this->method, message,
+										   this->id_data))
+				{
+					break;
+				}
+				this->peer_cfg->destroy(this->peer_cfg);
+				this->peer_cfg = this->ph1->select_config(this->ph1,
+													this->method, TRUE, NULL);
+				if (!this->peer_cfg)
+				{
+					this->id_data = chunk_empty;
+					return send_delete(this);
+				}
+				this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
+			}
+			this->id_data = chunk_empty;
+
+			if (!charon->bus->authorize(charon->bus, FALSE))
+			{
+				DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
+					 "IKE_SA, cancelling");
+				return send_delete(this);
+			}
+
+			switch (this->method)
+			{
+				case AUTH_XAUTH_INIT_PSK:
+				case AUTH_XAUTH_INIT_RSA:
+				case AUTH_HYBRID_INIT_RSA:
+					this->ike_sa->queue_task(this->ike_sa,
+									(task_t*)xauth_create(this->ike_sa, TRUE));
+					return SUCCESS;
+				case AUTH_XAUTH_RESP_PSK:
+				case AUTH_XAUTH_RESP_RSA:
+				case AUTH_HYBRID_RESP_RSA:
+					/* wait for XAUTH request */
+					break;
+				default:
+					if (charon->ike_sa_manager->check_uniqueness(
+								charon->ike_sa_manager, this->ike_sa, FALSE))
+					{
+						DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+							 "uniqueness policy");
+						return send_delete(this);
+					}
+					if (!establish(this))
+					{
+						return send_delete(this);
+					}
+					lib->processor->queue_job(lib->processor, (job_t*)
+									adopt_children_job_create(
+										this->ike_sa->get_id(this->ike_sa)));
+					break;
+			}
+			if (!this->ph1->has_pool(this->ph1, this->peer_cfg) &&
+				this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+			{
+				this->ike_sa->queue_task(this->ike_sa,
+							(task_t*)mode_config_create(this->ike_sa, TRUE));
+			}
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, build_r, status_t,
+	private_aggressive_mode_t *this, message_t *message)
+{
+	if (this->state == AM_AUTH)
+	{
+		sa_payload_t *sa_payload;
+		id_payload_t *id_payload;
+		identification_t *id;
+
+		sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
+		message->add_payload(message, &sa_payload->payload_interface);
+
+		if (!this->ph1->add_nonce_ke(this->ph1, message))
+		{
+			return send_notify(this, INVALID_KEY_INFORMATION);
+		}
+		if (!this->ph1->create_hasher(this->ph1))
+		{
+			return send_notify(this, NO_PROPOSAL_CHOSEN);
+		}
+		if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
+		{
+			return send_notify(this, INVALID_KEY_INFORMATION);
+		}
+
+		id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
+		if (!id)
+		{
+			DBG1(DBG_CFG, "own identity not known");
+			return send_notify(this, INVALID_ID_INFORMATION);
+		}
+		this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
+
+		id_payload = id_payload_create_from_identification(ID_V1, id);
+		message->add_payload(message, &id_payload->payload_interface);
+
+		if (!this->ph1->build_auth(this->ph1, this->method, message,
+								   id_payload->get_encoded(id_payload)))
+		{
+			return send_notify(this, AUTHENTICATION_FAILED);
+		}
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_aggressive_mode_t *this, message_t *message)
+{
+	if (this->state == AM_AUTH)
+	{
+		auth_method_t method;
+		sa_payload_t *sa_payload;
+		id_payload_t *id_payload;
+		identification_t *id, *cid;
+		linked_list_t *list;
+		u_int32_t lifetime;
+
+		sa_payload = (sa_payload_t*)message->get_payload(message,
+												SECURITY_ASSOCIATION_V1);
+		if (!sa_payload)
+		{
+			DBG1(DBG_IKE, "SA payload missing");
+			return send_notify(this, INVALID_PAYLOAD_TYPE);
+		}
+		list = sa_payload->get_proposals(sa_payload);
+		this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
+														list, FALSE);
+		list->destroy_offset(list, offsetof(proposal_t, destroy));
+		if (!this->proposal)
+		{
+			DBG1(DBG_IKE, "no proposal found");
+			return send_notify(this, NO_PROPOSAL_CHOSEN);
+		}
+		this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+		lifetime = sa_payload->get_lifetime(sa_payload);
+		if (lifetime != this->lifetime)
+		{
+			DBG1(DBG_IKE, "received lifetime %us does not match configured "
+				 "lifetime %us", lifetime, this->lifetime);
+		}
+		this->lifetime = lifetime;
+		method = sa_payload->get_auth_method(sa_payload);
+		if (method != this->method)
+		{
+			DBG1(DBG_IKE, "received %N authentication, but configured %N, "
+				 "continue with configured", auth_method_names, method,
+				 auth_method_names, this->method);
+		}
+		if (!this->ph1->get_nonce_ke(this->ph1, message))
+		{
+			return send_notify(this, INVALID_PAYLOAD_TYPE);
+		}
+		if (!this->ph1->create_hasher(this->ph1))
+		{
+			return send_notify(this, NO_PROPOSAL_CHOSEN);
+		}
+
+		id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
+		if (!id_payload)
+		{
+			DBG1(DBG_IKE, "IDir payload missing");
+			return send_delete(this);
+		}
+		id = id_payload->get_identification(id_payload);
+		cid = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+		if (cid && !id->matches(id, cid))
+		{
+			DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid);
+			id->destroy(id);
+			return send_notify(this, INVALID_ID_INFORMATION);
+		}
+		this->ike_sa->set_other_id(this->ike_sa, id);
+
+		if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
+		{
+			return send_notify(this, INVALID_KEY_INFORMATION);
+		}
+		if (!this->ph1->verify_auth(this->ph1, this->method, message,
+									id_payload->get_encoded(id_payload)))
+		{
+			return send_notify(this, AUTHENTICATION_FAILED);
+		}
+		if (!charon->bus->authorize(charon->bus, FALSE))
+		{
+			DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
+				 "cancelling");
+			return send_notify(this, AUTHENTICATION_FAILED);
+		}
+
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_aggressive_mode_t *this)
+{
+	return TASK_AGGRESSIVE_MODE;
+}
+
+METHOD(task_t, migrate, void,
+	private_aggressive_mode_t *this, ike_sa_t *ike_sa)
+{
+	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->proposal);
+	this->ph1->destroy(this->ph1);
+	chunk_free(&this->id_data);
+
+	this->ike_sa = ike_sa;
+	this->state = AM_INIT;
+	this->peer_cfg = NULL;
+	this->proposal = NULL;
+	this->ph1 = phase1_create(ike_sa, this->initiator);
+}
+
+METHOD(task_t, destroy, void,
+	private_aggressive_mode_t *this)
+{
+	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->proposal);
+	this->ph1->destroy(this->ph1);
+	chunk_free(&this->id_data);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+aggressive_mode_t *aggressive_mode_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_aggressive_mode_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.ph1 = phase1_create(ike_sa, initiator),
+		.initiator = initiator,
+		.state = AM_INIT,
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.h b/src/libcharon/sa/ikev1/tasks/aggressive_mode.h
new file mode 100644
index 000000000..d0666f41c
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup aggressive_mode aggressive_mode
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef AGGRESSIVE_MODE_H_
+#define AGGRESSIVE_MODE_H_
+
+typedef struct aggressive_mode_t aggressive_mode_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * IKEv1 aggressive mode, establishes an IKE_SA without identity protection.
+ */
+struct aggressive_mode_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new AGGRESSIVE_MODE task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if task initiated locally
+ * @return				task to handle by the task_manager
+ */
+aggressive_mode_t *aggressive_mode_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** AGGRESSIVE_MODE_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/informational.c b/src/libcharon/sa/ikev1/tasks/informational.c
new file mode 100644
index 000000000..bda1d2afb
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/informational.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "informational.h"
+
+#include <daemon.h>
+#include <sa/ikev1/tasks/isakmp_delete.h>
+#include <sa/ikev1/tasks/quick_delete.h>
+
+#include <encoding/payloads/delete_payload.h>
+
+typedef struct private_informational_t private_informational_t;
+
+/**
+ * Private members of a informational_t task.
+ */
+struct private_informational_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	informational_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Notify payload to send
+	 */
+	notify_payload_t *notify;
+
+	/**
+	 * Delete subtask
+	 */
+	task_t *del;
+};
+
+/**
+ * Cancel active quick mode after receiving an error
+ */
+static void cancel_quick_mode(private_informational_t *this)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
+													  TASK_QUEUE_ACTIVE);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_QUICK_MODE)
+		{
+			this->ike_sa->flush_queue(this->ike_sa, TASK_QUEUE_ACTIVE);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+	private_informational_t *this, message_t *message)
+{
+	message->add_payload(message, &this->notify->payload_interface);
+	this->notify = NULL;
+	return SUCCESS;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_informational_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	delete_payload_t *delete;
+	notify_payload_t *notify;
+	notify_type_t type;
+	payload_t *payload;
+	status_t status = SUCCESS;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		switch (payload->get_type(payload))
+		{
+			case NOTIFY_V1:
+				notify = (notify_payload_t*)payload;
+				type = notify->get_notify_type(notify);
+
+				if (type == INITIAL_CONTACT_IKEV1)
+				{
+					this->ike_sa->set_condition(this->ike_sa,
+												COND_INIT_CONTACT_SEEN, TRUE);
+				}
+				else if (type == UNITY_LOAD_BALANCE)
+				{
+					host_t *redirect, *me;
+					chunk_t data;
+
+					data = notify->get_notification_data(notify);
+					redirect = host_create_from_chunk(AF_INET, data,
+													  IKEV2_UDP_PORT);
+					if (redirect)
+					{	/* treat the redirect as reauthentication */
+						DBG1(DBG_IKE, "received %N notify. redirected to %H",
+							 notify_type_names, type, redirect);
+						/* Cisco boxes reject the first message from 4500 */
+						me = this->ike_sa->get_my_host(this->ike_sa);
+						me->set_port(me, charon->socket->get_port(
+														charon->socket, FALSE));
+						this->ike_sa->set_other_host(this->ike_sa, redirect);
+						this->ike_sa->reauth(this->ike_sa);
+						enumerator->destroy(enumerator);
+						return DESTROY_ME;
+					}
+					else
+					{
+						DBG1(DBG_IKE, "received %N notify, invalid address");
+					}
+				}
+				else if (type < 16384)
+				{
+					DBG1(DBG_IKE, "received %N error notify",
+						 notify_type_names, type);
+					if (this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
+					{	/* only critical during main mode */
+						status = FAILED;
+					}
+					switch (type)
+					{
+						case INVALID_ID_INFORMATION:
+						case NO_PROPOSAL_CHOSEN:
+							cancel_quick_mode(this);
+							break;
+						default:
+							break;
+					}
+					break;
+				}
+				else
+				{
+					DBG1(DBG_IKE, "received %N notify",
+						 notify_type_names, type);
+				}
+				continue;
+			case DELETE_V1:
+				if (!this->del)
+				{
+					delete = (delete_payload_t*)payload;
+					if (delete->get_protocol_id(delete) == PROTO_IKE)
+					{
+						this->del = (task_t*)isakmp_delete_create(this->ike_sa,
+																  FALSE);
+					}
+					else
+					{
+						this->del = (task_t*)quick_delete_create(this->ike_sa,
+												PROTO_NONE, 0, FALSE, FALSE);
+					}
+				}
+				break;
+			default:
+				continue;
+		}
+		break;
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->del && status == SUCCESS)
+	{
+		return this->del->process(this->del, message);
+	}
+	return status;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_informational_t *this, message_t *message)
+{
+	if (this->del)
+	{
+		return this->del->build(this->del, message);
+	}
+	return FAILED;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_informational_t *this, message_t *message)
+{
+	return FAILED;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_informational_t *this)
+{
+	return TASK_INFORMATIONAL;
+}
+
+METHOD(task_t, migrate, void,
+	private_informational_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_informational_t *this)
+{
+	DESTROY_IF(this->notify);
+	DESTROY_IF(this->del);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+informational_t *informational_create(ike_sa_t *ike_sa, notify_payload_t *notify)
+{
+	private_informational_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.notify = notify,
+	);
+
+	if (notify)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/informational.h b/src/libcharon/sa/ikev1/tasks/informational.h
new file mode 100644
index 000000000..52938ffbc
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/informational.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup informational informational
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef INFORMATIONAL_H_
+#define INFORMATIONAL_H_
+
+typedef struct informational_t informational_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+#include <encoding/payloads/notify_payload.h>
+
+/**
+ * IKEv1 informational exchange, negotiates errors.
+ */
+struct informational_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new informational task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param notify		notify to send as initiator, NULL if responder
+ * @return				task to handle by the task_manager
+ */
+informational_t *informational_create(ike_sa_t *ike_sa, notify_payload_t *notify);
+
+#endif /** INFORMATIONAL_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
new file mode 100644
index 000000000..edad3b2fa
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "isakmp_cert_post.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/sa_payload.h>
+#include <credentials/certificates/x509.h>
+
+
+typedef struct private_isakmp_cert_post_t private_isakmp_cert_post_t;
+
+/**
+ * Private members of a isakmp_cert_post_t task.
+ */
+struct private_isakmp_cert_post_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	isakmp_cert_post_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * States of ike cert pre
+	 */
+	enum {
+		CR_SA,
+		CR_KE,
+		CR_AUTH,
+	} state;
+};
+
+/**
+ * Check if we actually use certificates for authentication
+ */
+static bool use_certs(private_isakmp_cert_post_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool use = FALSE;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
+		{
+			sa_payload_t *sa_payload = (sa_payload_t*)payload;
+
+			switch (sa_payload->get_auth_method(sa_payload))
+			{
+				case AUTH_RSA:
+				case AUTH_ECDSA_256:
+				case AUTH_ECDSA_384:
+				case AUTH_ECDSA_521:
+				case AUTH_XAUTH_INIT_RSA:
+				case AUTH_XAUTH_RESP_RSA:
+				case AUTH_HYBRID_INIT_RSA:
+				case AUTH_HYBRID_RESP_RSA:
+					use = TRUE;
+					break;
+				default:
+					break;
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return use;
+}
+
+/**
+ * Add certificates to message
+ */
+static void build_certs(private_isakmp_cert_post_t *this, message_t *message)
+{
+	peer_cfg_t *peer_cfg;
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (!peer_cfg)
+	{
+		return;
+	}
+
+	switch (peer_cfg->get_cert_policy(peer_cfg))
+	{
+		case CERT_NEVER_SEND:
+			break;
+		case CERT_SEND_IF_ASKED:
+			if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
+			{
+				break;
+			}
+			/* FALL */
+		case CERT_ALWAYS_SEND:
+		{
+			cert_payload_t *payload;
+			enumerator_t *enumerator;
+			certificate_t *cert;
+			auth_rule_t type;
+			auth_cfg_t *auth;
+
+			auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+			cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+			if (!cert)
+			{
+				break;
+			}
+			payload = cert_payload_create_from_cert(CERTIFICATE_V1, cert);
+			if (!payload)
+			{
+				break;
+			}
+			DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			message->add_payload(message, (payload_t*)payload);
+
+			enumerator = auth->create_enumerator(auth);
+			while (enumerator->enumerate(enumerator, &type, &cert))
+			{
+				if (type == AUTH_RULE_IM_CERT)
+				{
+					payload = cert_payload_create_from_cert(CERTIFICATE_V1, cert);
+					if (payload)
+					{
+						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+							 cert->get_subject(cert));
+						message->add_payload(message, (payload_t*)payload);
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+}
+
+METHOD(task_t, build_i, status_t,
+	private_isakmp_cert_post_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+			if (this->state == CR_AUTH)
+			{
+				build_certs(this, message);
+				return SUCCESS;
+			}
+			return NEED_MORE;
+		case AGGRESSIVE:
+			if (this->state == CR_AUTH)
+			{
+				build_certs(this, message);
+				return SUCCESS;
+			}
+			return NEED_MORE;
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_r, status_t,
+	private_isakmp_cert_post_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+		{
+			switch (this->state)
+			{
+				case CR_SA:
+					if (!use_certs(this, message))
+					{
+						return SUCCESS;
+					}
+					return NEED_MORE;
+				case CR_KE:
+					return NEED_MORE;
+				case CR_AUTH:
+					return NEED_MORE;
+				default:
+					return FAILED;
+			}
+		}
+		case AGGRESSIVE:
+		{
+			switch (this->state)
+			{
+				case CR_SA:
+					if (!use_certs(this, message))
+					{
+						return SUCCESS;
+					}
+					return NEED_MORE;
+				case CR_AUTH:
+					return SUCCESS;
+				default:
+					return FAILED;
+			}
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, build_r, status_t,
+	private_isakmp_cert_post_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+			switch (this->state)
+			{
+				case CR_SA:
+					this->state = CR_KE;
+					return NEED_MORE;
+				case CR_KE:
+					this->state = CR_AUTH;
+					return NEED_MORE;
+				case CR_AUTH:
+					build_certs(this, message);
+					return SUCCESS;
+			}
+		case AGGRESSIVE:
+			switch (this->state)
+			{
+				case CR_SA:
+					build_certs(this, message);
+					this->state = CR_AUTH;
+					return NEED_MORE;
+				case CR_AUTH:
+					return SUCCESS;
+				default:
+					return FAILED;
+			}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_i, status_t,
+	private_isakmp_cert_post_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+		{
+			switch (this->state)
+			{
+				case CR_SA:
+					if (!use_certs(this, message))
+					{
+						return SUCCESS;
+					}
+					this->state = CR_KE;
+					return NEED_MORE;
+				case CR_KE:
+					this->state = CR_AUTH;
+					return NEED_MORE;
+				case CR_AUTH:
+					return SUCCESS;
+				default:
+					return FAILED;
+			}
+			break;
+		}
+		case AGGRESSIVE:
+		{
+			if (this->state == CR_SA)
+			{
+				if (!use_certs(this, message))
+				{
+					return SUCCESS;
+				}
+				this->state = CR_AUTH;
+				return NEED_MORE;
+			}
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_isakmp_cert_post_t *this)
+{
+	return TASK_ISAKMP_CERT_POST;
+}
+
+METHOD(task_t, migrate, void,
+	private_isakmp_cert_post_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->state = CR_SA;
+}
+
+METHOD(task_t, destroy, void,
+	private_isakmp_cert_post_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+isakmp_cert_post_t *isakmp_cert_post_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_isakmp_cert_post_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+		.state = CR_SA,
+	);
+	if (initiator)
+	{
+		this->public.task.process = _process_i;
+		this->public.task.build = _build_i;
+	}
+	else
+	{
+		this->public.task.process = _process_r;
+		this->public.task.build = _build_r;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.h b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.h
new file mode 100644
index 000000000..3a155cb68
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup isakmp_cert_post isakmp_cert_post
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef ISAKMP_CERT_POST_H_
+#define ISAKMP_CERT_POST_H_
+
+typedef struct isakmp_cert_post_t isakmp_cert_post_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * ISAKMP_CERT_POST, IKEv1 certificate processing after authentication.
+ */
+struct isakmp_cert_post_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new isakmp_cert_post task.
+ *
+ * The initiator parameter means the original initiator, not the initiator
+ * of the certificate request.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if task is the original initiator
+ * @return				isakmp_cert_post task to handle by the task_manager
+ */
+isakmp_cert_post_t *isakmp_cert_post_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** ISAKMP_CERT_POST_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
new file mode 100644
index 000000000..43a0aaa36
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c
@@ -0,0 +1,677 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2013 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "isakmp_cert_pre.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/containers/pkcs7.h>
+
+
+typedef struct private_isakmp_cert_pre_t private_isakmp_cert_pre_t;
+
+/**
+ * Private members of a isakmp_cert_pre_t task.
+ */
+struct private_isakmp_cert_pre_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	isakmp_cert_pre_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Send certificate requests?
+	 */
+	bool send_req;
+
+	/** next message we expect */
+	enum {
+		CR_SA,
+		CR_KE,
+		CR_AUTH,
+	} state;
+};
+
+/**
+ * Find the CA certificate for a given certreq payload
+ */
+static certificate_t* find_certificate(private_isakmp_cert_pre_t *this,
+									   certreq_payload_t *certreq)
+{
+	identification_t *id;
+	certificate_t *cert;
+
+	if (certreq->get_cert_type(certreq) != CERT_X509)
+	{
+		DBG1(DBG_IKE, "%N CERTREQ not supported - ignored",
+			 certificate_type_names, certreq->get_cert_type(certreq));
+		return NULL;
+	}
+	id = certreq->get_dn(certreq);
+	if (!id)
+	{
+		DBG1(DBG_IKE, "ignoring certificate request without data",
+			 certificate_type_names, certreq->get_cert_type(certreq));
+		return NULL;
+	}
+	cert = lib->credmgr->get_cert(lib->credmgr, CERT_X509, KEY_ANY, id, TRUE);
+	if (cert)
+	{
+		DBG1(DBG_IKE, "received cert request for '%Y'",
+			 cert->get_subject(cert));
+	}
+	else
+	{
+		DBG1(DBG_IKE, "received cert request for unknown ca '%Y'", id);
+	}
+	id->destroy(id);
+
+	return cert;
+}
+
+/**
+ * read certificate requests
+ */
+static void process_certreqs(private_isakmp_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	auth_cfg_t *auth;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		switch (payload->get_type(payload))
+		{
+			case CERTIFICATE_REQUEST_V1:
+			{
+				certificate_t *cert;
+
+				this->ike_sa->set_condition(this->ike_sa,
+											COND_CERTREQ_SEEN, TRUE);
+				cert = find_certificate(this, (certreq_payload_t*)payload);
+				if (cert)
+				{
+					auth->add(auth, AUTH_RULE_CA_CERT, cert);
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Process an X509 certificate payload
+ */
+static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, bool *first)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		if (*first)
+		{	/* the first is an end entity certificate */
+			DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+			*first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+		}
+	}
+}
+
+/**
+ * Process a CRL certificate payload
+ */
+static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert));
+		auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+	}
+}
+
+/**
+ * Process a PKCS7 certificate payload
+ */
+static void process_pkcs7(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	container_t *container;
+	certificate_t *cert;
+	pkcs7_t *pkcs7;
+
+	container = payload->get_container(payload);
+	if (!container)
+	{
+		return;
+	}
+	switch (container->get_type(container))
+	{
+		case CONTAINER_PKCS7_DATA:
+		case CONTAINER_PKCS7_SIGNED_DATA:
+		case CONTAINER_PKCS7_ENVELOPED_DATA:
+			break;
+		default:
+			container->destroy(container);
+			return;
+	}
+
+	pkcs7 = (pkcs7_t *)container;
+	enumerator = pkcs7->create_cert_enumerator(pkcs7);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (cert->get_type(cert) == CERT_X509)
+		{
+			x509_t *x509 = (x509_t*)cert;
+
+			if (x509->get_flags(x509) & X509_CA)
+			{
+				DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+					 cert->get_subject(cert));
+				auth->add(auth, AUTH_HELPER_IM_CERT, cert->get_ref(cert));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+					 cert->get_subject(cert));
+				auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert->get_ref(cert));
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received unsupported cert type %N",
+				 certificate_type_names, cert->get_type(cert));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	container->destroy(container);
+}
+
+/**
+ * Import received certificates
+ */
+static void process_certs(private_isakmp_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	auth_cfg_t *auth;
+	bool first = TRUE;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == CERTIFICATE_V1)
+		{
+			cert_payload_t *cert_payload;
+			cert_encoding_t encoding;
+
+			cert_payload = (cert_payload_t*)payload;
+			encoding = cert_payload->get_cert_encoding(cert_payload);
+
+			switch (encoding)
+			{
+				case ENC_X509_SIGNATURE:
+					process_x509(cert_payload, auth, &first);
+					break;
+				case ENC_CRL:
+					process_crl(cert_payload, auth);
+					break;
+				case ENC_PKCS7_WRAPPED_X509:
+					process_pkcs7(cert_payload, auth);
+					break;
+				case ENC_PGP:
+				case ENC_DNS_SIGNED_KEY:
+				case ENC_KERBEROS_TOKEN:
+				case ENC_ARL:
+				case ENC_SPKI:
+				case ENC_X509_ATTRIBUTE:
+				case ENC_RAW_RSA_KEY:
+				case ENC_X509_HASH_AND_URL_BUNDLE:
+				case ENC_OCSP_CONTENT:
+				default:
+					DBG1(DBG_ENC, "certificate encoding %N not supported",
+						 cert_encoding_names, encoding);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Add the subject of a CA certificate a message
+ */
+static void add_certreq(private_isakmp_cert_pre_t *this, message_t *message,
+						certificate_t *cert)
+{
+	if (cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+
+		if (x509->get_flags(x509) & X509_CA)
+		{
+			DBG1(DBG_IKE, "sending cert request for \"%Y\"",
+				 cert->get_subject(cert));
+			message->add_payload(message, (payload_t*)
+							certreq_payload_create_dn(cert->get_subject(cert)));
+		}
+	}
+}
+
+/**
+ * Add auth_cfg's CA certificates to the certificate request
+ */
+static void add_certreqs(private_isakmp_cert_pre_t *this,
+						 auth_cfg_t *auth, message_t *message)
+{
+	enumerator_t *enumerator;
+	auth_rule_t type;
+	void *value;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		switch (type)
+		{
+			case AUTH_RULE_CA_CERT:
+				add_certreq(this, message, (certificate_t*)value);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Build certificate requests
+ */
+static void build_certreqs(private_isakmp_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	certificate_t *cert;
+	auth_cfg_t *auth;
+
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	if (!ike_cfg->send_certreq(ike_cfg))
+	{
+		return;
+	}
+	/* check if we require a specific CA for that peer */
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+		if (enumerator->enumerate(enumerator, &auth))
+		{
+			add_certreqs(this, auth, message);
+		}
+		enumerator->destroy(enumerator);
+	}
+	if (!message->get_payload(message, CERTIFICATE_REQUEST_V1))
+	{
+		/* otherwise add all trusted CA certificates */
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+												CERT_ANY, KEY_ANY, NULL, TRUE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			add_certreq(this, message, cert);
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Check if we actually use certificates for authentication
+ */
+static bool use_certs(private_isakmp_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool use = FALSE;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
+		{
+			sa_payload_t *sa_payload = (sa_payload_t*)payload;
+
+			switch (sa_payload->get_auth_method(sa_payload))
+			{
+				case AUTH_HYBRID_INIT_RSA:
+				case AUTH_HYBRID_RESP_RSA:
+					if (!this->initiator)
+					{
+						this->send_req = FALSE;
+					}
+					/* FALL */
+				case AUTH_RSA:
+				case AUTH_ECDSA_256:
+				case AUTH_ECDSA_384:
+				case AUTH_ECDSA_521:
+				case AUTH_XAUTH_INIT_RSA:
+				case AUTH_XAUTH_RESP_RSA:
+					use = TRUE;
+					break;
+				default:
+					break;
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return use;
+}
+
+/**
+ * Check if we should send a certificate request
+ */
+static bool send_certreq(private_isakmp_cert_pre_t *this)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	auth_cfg_t *auth;
+	bool req = FALSE;
+	auth_class_t class;
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+		if (enumerator->enumerate(enumerator, &auth))
+		{
+			class = (intptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+			if (class == AUTH_CLASS_PUBKEY)
+			{
+				req = TRUE;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return req;
+}
+
+METHOD(task_t, build_i, status_t,
+	private_isakmp_cert_pre_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+			if (this->state == CR_AUTH)
+			{
+				build_certreqs(this, message);
+			}
+			return NEED_MORE;
+		case AGGRESSIVE:
+			if (this->state == CR_SA)
+			{
+				if (send_certreq(this))
+				{
+					build_certreqs(this, message);
+				}
+			}
+			return NEED_MORE;
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_r, status_t,
+	private_isakmp_cert_pre_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+		{
+			switch (this->state)
+			{
+				case CR_SA:
+					if (!use_certs(this, message))
+					{
+						return SUCCESS;
+					}
+					return NEED_MORE;
+				case CR_KE:
+					process_certreqs(this, message);
+					return NEED_MORE;
+				case CR_AUTH:
+					process_certreqs(this, message);
+					process_certs(this, message);
+					return SUCCESS;
+				default:
+					return FAILED;
+			}
+		}
+		case AGGRESSIVE:
+		{
+			switch (this->state)
+			{
+				case CR_SA:
+					if (!use_certs(this, message))
+					{
+						return SUCCESS;
+					}
+					process_certreqs(this, message);
+					return NEED_MORE;
+				case CR_AUTH:
+					process_certs(this, message);
+					return SUCCESS;
+				default:
+					return FAILED;
+			}
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, build_r, status_t,
+	private_isakmp_cert_pre_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+			switch (this->state)
+			{
+				case CR_SA:
+					this->state = CR_KE;
+					return NEED_MORE;
+				case CR_KE:
+					if (this->send_req)
+					{
+						build_certreqs(this, message);
+					}
+					this->state = CR_AUTH;
+					return NEED_MORE;
+				case CR_AUTH:
+					return NEED_MORE;
+				default:
+					return FAILED;
+			}
+		case AGGRESSIVE:
+			switch (this->state)
+			{
+				case CR_SA:
+					if (this->send_req)
+					{
+						build_certreqs(this, message);
+					}
+					this->state = CR_AUTH;
+					return NEED_MORE;
+				case CR_AUTH:
+					return SUCCESS;
+				default:
+					return FAILED;
+			}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_i, status_t,
+	private_isakmp_cert_pre_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+		{
+			switch (this->state)
+			{
+				case CR_SA:
+					if (!use_certs(this, message))
+					{
+						return SUCCESS;
+					}
+					this->state = CR_KE;
+					return NEED_MORE;
+				case CR_KE:
+					process_certreqs(this, message);
+					this->state = CR_AUTH;
+					return NEED_MORE;
+				case CR_AUTH:
+					process_certs(this, message);
+					return SUCCESS;
+				default:
+					return FAILED;
+			}
+			break;
+		}
+		case AGGRESSIVE:
+		{
+			if (!use_certs(this, message))
+			{
+				return SUCCESS;
+			}
+			process_certreqs(this, message);
+			process_certs(this, message);
+			this->state = CR_AUTH;
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_isakmp_cert_pre_t *this)
+{
+	return TASK_ISAKMP_CERT_PRE;
+}
+
+METHOD(task_t, migrate, void,
+	private_isakmp_cert_pre_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->state = CR_SA;
+	this->send_req = TRUE;
+}
+
+METHOD(task_t, destroy, void,
+	private_isakmp_cert_pre_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+isakmp_cert_pre_t *isakmp_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_isakmp_cert_pre_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+		.state = CR_SA,
+		.send_req = TRUE,
+	);
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.h b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.h
new file mode 100644
index 000000000..8e1a94b97
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup isakmp_cert_pre isakmp_cert_pre
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef ISAKMP_CERT_PRE_H_
+#define ISAKMP_CERT_PRE_H_
+
+typedef struct isakmp_cert_pre_t isakmp_cert_pre_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * ISAKMP_CERT_PRE task, IKEv1 certificate processing before authentication.
+ */
+struct isakmp_cert_pre_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ISAKMP_CERT_PRE task.
+ *
+ * The initiator parameter means the original initiator, not the initiator
+ * of the certificate request.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if task is the original initiator
+ * @return				isakmp_cert_pre task to handle by the task_manager
+ */
+isakmp_cert_pre_t *isakmp_cert_pre_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** ISAKMP_CERT_PRE_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
new file mode 100644
index 000000000..a44f3c4a9
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "isakmp_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+typedef struct private_isakmp_delete_t private_isakmp_delete_t;
+
+/**
+ * Private members of a isakmp_delete_t task.
+ */
+struct private_isakmp_delete_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	isakmp_delete_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+};
+
+METHOD(task_t, build_i, status_t,
+	private_isakmp_delete_t *this, message_t *message)
+{
+	delete_payload_t *delete_payload;
+	ike_sa_id_t *id;
+
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	delete_payload = delete_payload_create(DELETE_V1, PROTO_IKE);
+	id = this->ike_sa->get_id(this->ike_sa);
+	delete_payload->set_ike_spi(delete_payload, id->get_initiator_spi(id),
+								id->get_responder_spi(id));
+	message->add_payload(message, (payload_t*)delete_payload);
+
+	DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa));
+
+	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_isakmp_delete_t *this, message_t *message)
+{
+	return FAILED;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_isakmp_delete_t *this, message_t *message)
+{
+	DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa));
+	DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{
+		this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+		this->ike_sa->reestablish(this->ike_sa);
+	}
+	this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+	return DESTROY_ME;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_isakmp_delete_t *this, message_t *message)
+{
+	return FAILED;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_isakmp_delete_t *this)
+{
+	return TASK_ISAKMP_DELETE;
+}
+
+METHOD(task_t, migrate, void,
+	private_isakmp_delete_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_isakmp_delete_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+isakmp_delete_t *isakmp_delete_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_isakmp_delete_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.h b/src/libcharon/sa/ikev1/tasks/isakmp_delete.h
new file mode 100644
index 000000000..1a7a62207
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup isakmp_delete isakmp_delete
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef ISAKMP_DELETE_H_
+#define ISAKMP_DELETE_H_
+
+typedef struct isakmp_delete_t isakmp_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ISAKMP_DELETE, delete an IKEv1 IKE_SA.
+ */
+struct isakmp_delete_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new isakmp_delete task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if we initiate the delete
+ * @return				isakmp_delete task to handle by the task_manager
+ */
+isakmp_delete_t *isakmp_delete_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** ISAKMP_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c
new file mode 100644
index 000000000..a3395a043
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "isakmp_dpd.h"
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+
+typedef struct private_isakmp_dpd_t private_isakmp_dpd_t;
+
+/**
+ * Private members of a isakmp_dpd_t task.
+ */
+struct private_isakmp_dpd_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	isakmp_dpd_t public;
+
+	/**
+	 * Sequence number.
+	 */
+	u_int32_t seqnr;
+
+	/**
+	 * DPD notify type
+	 */
+	notify_type_t type;
+
+	/**
+	 * IKE SA we are serving.
+	 */
+	ike_sa_t *ike_sa;
+};
+
+METHOD(task_t, build, status_t,
+	private_isakmp_dpd_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	ike_sa_id_t *ike_sa_id;
+	u_int64_t spi_i, spi_r;
+	u_int32_t seqnr;
+	chunk_t spi;
+
+	notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+														  PROTO_IKE, this->type);
+	seqnr = htonl(this->seqnr);
+	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+	spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+	spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+	spi = chunk_cata("cc", chunk_from_thing(spi_i), chunk_from_thing(spi_r));
+
+	notify->set_spi_data(notify, spi);
+	notify->set_notification_data(notify, chunk_from_thing(seqnr));
+
+	message->add_payload(message, (payload_t*)notify);
+
+	return SUCCESS;
+}
+
+METHOD(task_t, process, status_t,
+	private_isakmp_dpd_t *this, message_t *message)
+{
+	/* done in task manager */
+	return FAILED;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_isakmp_dpd_t *this)
+{
+	return TASK_ISAKMP_DPD;
+}
+
+METHOD(task_t, migrate, void,
+	private_isakmp_dpd_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_isakmp_dpd_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+isakmp_dpd_t *isakmp_dpd_create(ike_sa_t *ike_sa, notify_type_t type,
+								u_int32_t seqnr)
+{
+	private_isakmp_dpd_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.build = _build,
+				.process = _process,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.seqnr = seqnr,
+		.type = type,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h
new file mode 100644
index 000000000..06a0175eb
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup isakmp_dpd isakmp_dpd
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef ISAKMP_DPD_H_
+#define ISAKMP_DPD_H_
+
+typedef struct isakmp_dpd_t isakmp_dpd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * IKEv1 dead peer detection task.
+ */
+struct isakmp_dpd_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ISAKMP_DPD task.
+ *
+ * @param ike_sa		associated IKE_SA
+ * @param type			DPD notify to use, DPD_R_U_THERE | DPD_R_U_THERE_ACK
+ * @param seqnr			DPD sequence number to use/expect
+ * @return				ISAKMP_DPD task to handle by the task_manager
+ */
+isakmp_dpd_t *isakmp_dpd_create(ike_sa_t *ike_sa, notify_type_t type,
+								u_int32_t seqnr);
+
+#endif /** ISAKMP_DPD_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
new file mode 100644
index 000000000..fc6ac0771
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -0,0 +1,505 @@
+/*
+ * Copyright (C) 2006-2011 Tobias Brunner,
+ * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "isakmp_natd.h"
+
+#include <string.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <config/peer_cfg.h>
+#include <crypto/hashers/hasher.h>
+#include <encoding/payloads/hash_payload.h>
+
+typedef struct private_isakmp_natd_t private_isakmp_natd_t;
+
+/**
+ * Private members of a ike_natt_t task.
+ */
+struct private_isakmp_natd_t {
+
+	/**
+	 * Public interface.
+	 */
+	isakmp_natd_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Keymat derivation (from SA)
+	 */
+	keymat_v1_t *keymat;
+
+	/**
+	 * Did we process any NAT detection payloads for a source address?
+	 */
+	bool src_seen;
+
+	/**
+	 * Did we process any NAT detection payloads for a destination address?
+	 */
+	bool dst_seen;
+
+	/**
+	 * Have we found a matching source address NAT hash?
+	 */
+	bool src_matched;
+
+	/**
+	 * Have we found a matching destination address NAT hash?
+	 */
+	bool dst_matched;
+};
+
+/**
+ * Check if UDP encapsulation has to be forced either by config or required
+ * by the kernel interface
+ */
+static bool force_encap(ike_cfg_t *ike_cfg)
+{
+	if (!ike_cfg->force_encap(ike_cfg))
+	{
+		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+					KERNEL_REQUIRE_UDP_ENCAPSULATION;
+	}
+	return TRUE;
+}
+
+/**
+ * Get NAT-D payload type (RFC 3947 or RFC 3947 drafts).
+ */
+static payload_type_t get_nat_d_payload_type(ike_sa_t *ike_sa)
+{
+	if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+	{
+		return NAT_D_DRAFT_00_03_V1;
+	}
+	return NAT_D_V1;
+}
+
+/**
+ * Build NAT detection hash for a host.
+ */
+static chunk_t generate_natd_hash(private_isakmp_natd_t *this,
+								  ike_sa_id_t *ike_sa_id, host_t *host)
+{
+	hasher_t *hasher;
+	chunk_t natd_chunk, natd_hash;
+	u_int64_t spi_i, spi_r;
+	u_int16_t port;
+
+	hasher = this->keymat->get_hasher(this->keymat);
+	if (!hasher)
+	{
+		DBG1(DBG_IKE, "no hasher available to build NAT-D payload");
+		return chunk_empty;
+	}
+
+	spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+	spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+	port = htons(host->get_port(host));
+
+	/*  natd_hash = HASH(CKY-I | CKY-R | IP | Port) */
+	natd_chunk = chunk_cata("cccc", chunk_from_thing(spi_i),
+						    chunk_from_thing(spi_r), host->get_address(host),
+						    chunk_from_thing(port));
+	if (!hasher->allocate_hash(hasher, natd_chunk, &natd_hash))
+	{
+		DBG1(DBG_IKE, "creating NAT-D payload hash failed");
+		return chunk_empty;
+	}
+	DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
+	DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
+
+	return natd_hash;
+}
+
+/**
+ * Build a faked NAT-D payload to enforce UDP encapsulation.
+ */
+static chunk_t generate_natd_hash_faked(private_isakmp_natd_t *this)
+{
+	hasher_t *hasher;
+	chunk_t chunk;
+	rng_t *rng;
+
+	hasher = this->keymat->get_hasher(this->keymat);
+	if (!hasher)
+	{
+		DBG1(DBG_IKE, "no hasher available to build NAT-D payload");
+		return chunk_empty;
+	}
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng ||
+		!rng->allocate_bytes(rng, hasher->get_hash_size(hasher), &chunk))
+	{
+		DBG1(DBG_IKE, "unable to get random bytes for NAT-D fake");
+		DESTROY_IF(rng);
+		return chunk_empty;
+	}
+	rng->destroy(rng);
+	return chunk;
+}
+
+/**
+ * Build a NAT-D payload.
+ */
+static hash_payload_t *build_natd_payload(private_isakmp_natd_t *this, bool src,
+										  host_t *host)
+{
+	hash_payload_t *payload;
+	ike_cfg_t *config;
+	chunk_t hash;
+
+	config = this->ike_sa->get_ike_cfg(this->ike_sa);
+	if (src && force_encap(config))
+	{
+		hash = generate_natd_hash_faked(this);
+	}
+	else
+	{
+		ike_sa_id_t *ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+		hash = generate_natd_hash(this, ike_sa_id, host);
+	}
+	if (!hash.len)
+	{
+		return NULL;
+	}
+	payload = hash_payload_create(get_nat_d_payload_type(this->ike_sa));
+	payload->set_hash(payload, hash);
+	chunk_free(&hash);
+	return payload;
+}
+
+/**
+ * Add NAT-D payloads to the message.
+ */
+static void add_natd_payloads(private_isakmp_natd_t *this, message_t *message)
+{
+	hash_payload_t *payload;
+	host_t *host;
+
+	/* destination has to be added first */
+	host = message->get_destination(message);
+	payload = build_natd_payload(this, FALSE, host);
+	if (payload)
+	{
+		message->add_payload(message, (payload_t*)payload);
+	}
+
+	/* source is added second, compared with IKEv2 we always know the source,
+	 * as these payloads are added in the second Phase 1 exchange or the
+	 * response to the first */
+	host = message->get_source(message);
+	payload = build_natd_payload(this, TRUE, host);
+	if (payload)
+	{
+		message->add_payload(message, (payload_t*)payload);
+	}
+}
+
+/**
+ * Read NAT-D payloads from message and evaluate them.
+ */
+static void process_payloads(private_isakmp_natd_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	hash_payload_t *hash_payload;
+	chunk_t hash, src_hash, dst_hash;
+	ike_sa_id_t *ike_sa_id;
+	host_t *me, *other;
+	ike_cfg_t *config;
+
+	/* precompute hashes for incoming NAT-D comparison */
+	ike_sa_id = message->get_ike_sa_id(message);
+	me = message->get_destination(message);
+	other = message->get_source(message);
+	dst_hash = generate_natd_hash(this, ike_sa_id, me);
+	src_hash = generate_natd_hash(this, ike_sa_id, other);
+
+	DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
+	DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) != NAT_D_V1 &&
+			payload->get_type(payload) != NAT_D_DRAFT_00_03_V1)
+		{
+			continue;
+		}
+		hash_payload = (hash_payload_t*)payload;
+		if (!this->dst_seen)
+		{	/* the first NAT-D payload contains the destination hash */
+			this->dst_seen = TRUE;
+			hash = hash_payload->get_hash(hash_payload);
+			DBG3(DBG_IKE, "received dst_hash %B", &hash);
+			if (chunk_equals(hash, dst_hash))
+			{
+				this->dst_matched = TRUE;
+			}
+			continue;
+		}
+		/* the other NAT-D payloads contain source hashes */
+		this->src_seen = TRUE;
+		if (!this->src_matched)
+		{
+			hash = hash_payload->get_hash(hash_payload);
+			DBG3(DBG_IKE, "received src_hash %B", &hash);
+			if (chunk_equals(hash, src_hash))
+			{
+				this->src_matched = TRUE;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	chunk_free(&src_hash);
+	chunk_free(&dst_hash);
+
+	if (this->src_seen && this->dst_seen)
+	{
+		this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
+									!this->dst_matched);
+		this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
+									!this->src_matched);
+		config = this->ike_sa->get_ike_cfg(this->ike_sa);
+		if (this->dst_matched && this->src_matched &&
+			force_encap(config))
+		{
+			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
+		}
+	}
+}
+
+METHOD(task_t, build_i, status_t,
+	private_isakmp_natd_t *this, message_t *message)
+{
+	status_t result = NEED_MORE;
+
+	switch (message->get_exchange_type(message))
+	{
+		case AGGRESSIVE:
+		{	/* add NAT-D payloads to the second request, already processed
+			 * those by the responder contained in the first response */
+			result = SUCCESS;
+			/* fall */
+		}
+		case ID_PROT:
+		{	/* add NAT-D payloads to the second request, need to process
+			 * those by the responder contained in the second response */
+			if (message->get_payload(message, SECURITY_ASSOCIATION_V1))
+			{	/* wait for the second exchange */
+				return NEED_MORE;
+			}
+			add_natd_payloads(this, message);
+			return result;
+		}
+		default:
+			break;
+	}
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_isakmp_natd_t *this, message_t *message)
+{
+	status_t result = NEED_MORE;
+
+	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
+	{	/* we didn't receive VIDs inidcating support for NAT-T */
+		return SUCCESS;
+	}
+
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+		{	/* process NAT-D payloads in the second response, added them in the
+			 * second request already, so we're done afterwards */
+			if (message->get_payload(message, SECURITY_ASSOCIATION_V1))
+			{	/* wait for the second exchange */
+				return NEED_MORE;
+			}
+			result = SUCCESS;
+			/* fall */
+		}
+		case AGGRESSIVE:
+		{	/* process NAT-D payloads in the first response, add them in the
+			 * following second request */
+			process_payloads(this, message);
+
+			if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+			{
+				this->ike_sa->float_ports(this->ike_sa);
+			}
+			return result;
+		}
+		default:
+			break;
+	}
+	return SUCCESS;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_isakmp_natd_t *this, message_t *message)
+{
+	status_t result = NEED_MORE;
+
+	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
+	{	/* we didn't receive VIDs indicating NAT-T support */
+		return SUCCESS;
+	}
+
+	switch (message->get_exchange_type(message))
+	{
+		case AGGRESSIVE:
+		{	/* process NAT-D payloads in the second request, already added ours
+			 * in the first response */
+			result = SUCCESS;
+			/* fall */
+		}
+		case ID_PROT:
+		{	/* process NAT-D payloads in the second request, need to add ours
+			 * to the second response */
+			if (message->get_payload(message, SECURITY_ASSOCIATION_V1))
+			{	/* wait for the second exchange */
+				return NEED_MORE;
+			}
+			process_payloads(this, message);
+			return result;
+		}
+		default:
+			break;
+	}
+	return SUCCESS;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_isakmp_natd_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case ID_PROT:
+		{	/* add NAT-D payloads to second response, already processed those
+			 * contained in the second request */
+			if (message->get_payload(message, SECURITY_ASSOCIATION_V1))
+			{	/* wait for the second exchange */
+				return NEED_MORE;
+			}
+			add_natd_payloads(this, message);
+			return SUCCESS;
+		}
+		case AGGRESSIVE:
+		{	/* add NAT-D payloads to the first response, process those contained
+			 * in the following second request */
+			add_natd_payloads(this, message);
+			return NEED_MORE;
+		}
+		default:
+			break;
+	}
+	return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_isakmp_natd_t *this)
+{
+	return TASK_ISAKMP_NATD;
+}
+
+METHOD(task_t, migrate, void,
+	private_isakmp_natd_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+	this->src_seen = FALSE;
+	this->dst_seen = FALSE;
+	this->src_matched = FALSE;
+	this->dst_matched = FALSE;
+}
+
+METHOD(task_t, destroy, void,
+	private_isakmp_natd_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+isakmp_natd_t *isakmp_natd_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_isakmp_natd_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
+		.initiator = initiator,
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.h b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
new file mode 100644
index 000000000..63947fc73
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup isakmp_natd isakmp_natd
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef ISAKMP_NATD_H_
+#define ISAKMP_NATD_H_
+
+typedef struct isakmp_natd_t isakmp_natd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ISAKMP_NATD, detects NAT situation in IKEv1 Phase 1.
+ */
+struct isakmp_natd_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ISAKMP_NATD task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if task is the original initiator
+ * @return				isakmp_natd task to handle by the task_manager
+ */
+isakmp_natd_t *isakmp_natd_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** ISAKMP_NATD_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
new file mode 100644
index 000000000..11155b287
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -0,0 +1,404 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "isakmp_vendor.h"
+
+#include <daemon.h>
+#include <encoding/payloads/vendor_id_payload.h>
+
+typedef struct private_isakmp_vendor_t private_isakmp_vendor_t;
+
+/**
+ * Private data of an isakmp_vendor_t object.
+ */
+struct private_isakmp_vendor_t {
+
+	/**
+	 * Public isakmp_vendor_t interface.
+	 */
+	isakmp_vendor_t public;
+
+	/**
+	 * Associated IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the inititator of this task
+	 */
+	bool initiator;
+
+	/**
+	 * Index of best nat traversal VID found
+	 */
+	int best_natt_ext;
+
+	/**
+	 * Number of times we have been invoked
+	 */
+	int count;
+};
+
+/**
+ * IKEv1 Vendor ID database
+ */
+static struct {
+	/* Description */
+	char *desc;
+	/* extension flag negotiated with vendor ID, if any */
+	ike_extension_t extension;
+	/* send yourself? */
+	bool send;
+	/* length of vendor ID string */
+	int len;
+	/* vendor ID string */
+	char *id;
+} vendor_ids[] = {
+
+	/* strongSwan MD5("strongSwan") */
+	{ "strongSwan", EXT_STRONGSWAN, FALSE, 16,
+	  "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
+
+	/* XAuth, MD5("draft-ietf-ipsra-isakmp-xauth-06.txt") */
+	{ "XAuth", EXT_XAUTH, TRUE, 8,
+	  "\x09\x00\x26\x89\xdf\xd6\xb7\x12"},
+
+	/* Dead peer detection, RFC 3706 */
+	{ "DPD", EXT_DPD, TRUE, 16,
+	  "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
+
+	{ "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
+	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
+
+	/* Proprietary IKE fragmentation extension. Capabilities are handled
+	 * specially on receipt of this VID. */
+	{ "FRAGMENTATION", EXT_IKE_FRAGMENTATION, FALSE, 20,
+	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00"},
+
+}, vendor_natt_ids[] = {
+
+	/* NAT-Traversal VIDs ordered by preference */
+
+	/* NAT-Traversal, MD5("RFC 3947") */
+	{ "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16,
+	  "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-03", EXT_NATT | EXT_NATT_DRAFT_02_03,
+	  FALSE, 16,
+	  "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-02", EXT_NATT | EXT_NATT_DRAFT_02_03,
+	  FALSE, 16,
+	  "\xcd\x60\x46\x43\x35\xdf\x21\xf8\x7c\xfd\xb2\xfc\x68\xb6\xa4\x48"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-02\\n", EXT_NATT | EXT_NATT_DRAFT_02_03,
+	  TRUE, 16,
+	  "\x90\xcb\x80\x91\x3e\xbb\x69\x6e\x08\x63\x81\xb5\xec\x42\x7b\x1f"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16,
+	  "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16,
+	  "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16,
+	  "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-05", 0, FALSE, 16,
+	  "\x80\xd0\xbb\x3d\xef\x54\x56\x5e\xe8\x46\x45\xd4\xc8\x5c\xe3\xee"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16,
+	  "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"},
+
+	{ "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16,
+	  "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"},
+
+	{ "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16,
+	  "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"},
+
+	{ "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16,
+	  "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"},
+
+	{ "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16,
+	  "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"},
+
+};
+
+/**
+ * According to racoon 0x80000000 seems to indicate support for fragmentation
+ * of Aggressive and Main mode messages.  0x40000000 seems to indicate support
+ * for fragmentation of base ISAKMP messages (Cisco adds that and thus sends
+ * 0xc0000000)
+ */
+static const u_int32_t fragmentation_ike = 0x80000000;
+
+/**
+ * Check if the given vendor ID indicate support for fragmentation
+ */
+static bool fragmentation_supported(chunk_t data, int i)
+{
+	if (vendor_ids[i].extension  == EXT_IKE_FRAGMENTATION &&
+		data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16))
+	{
+		return untoh32(&data.ptr[16]) & fragmentation_ike;
+	}
+	return FALSE;
+}
+
+/**
+ * Add supported vendor ID payloads
+ */
+static void build(private_isakmp_vendor_t *this, message_t *message)
+{
+	vendor_id_payload_t *vid_payload;
+	bool strongswan, cisco_unity, fragmentation;
+	ike_cfg_t *ike_cfg;
+	int i;
+
+	strongswan = lib->settings->get_bool(lib->settings,
+								"%s.send_vendor_id", FALSE, charon->name);
+	cisco_unity = lib->settings->get_bool(lib->settings,
+								"%s.cisco_unity", FALSE, charon->name);
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	fragmentation = ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO;
+	if (!this->initiator && fragmentation)
+	{
+		fragmentation = this->ike_sa->supports_extension(this->ike_sa,
+														 EXT_IKE_FRAGMENTATION);
+	}
+	for (i = 0; i < countof(vendor_ids); i++)
+	{
+		if (vendor_ids[i].send ||
+		   (vendor_ids[i].extension == EXT_STRONGSWAN && strongswan) ||
+		   (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity) ||
+		   (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation))
+		{
+			DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc);
+			vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,
+				chunk_clone(chunk_create(vendor_ids[i].id, vendor_ids[i].len)));
+			message->add_payload(message, &vid_payload->payload_interface);
+		}
+	}
+	for (i = 0; i < countof(vendor_natt_ids); i++)
+	{
+		if ((this->initiator && vendor_natt_ids[i].send) ||
+			this->best_natt_ext == i)
+		{
+			DBG2(DBG_IKE, "sending %s vendor ID", vendor_natt_ids[i].desc);
+			vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1,
+							chunk_clone(chunk_create(vendor_natt_ids[i].id,
+													 vendor_natt_ids[i].len)));
+			message->add_payload(message, &vid_payload->payload_interface);
+		}
+	}
+}
+
+/**
+ * Process vendor ID payloads
+ */
+static void process(private_isakmp_vendor_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	int i;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == VENDOR_ID_V1)
+		{
+			vendor_id_payload_t *vid;
+			bool found = FALSE;
+			chunk_t data;
+
+			vid = (vendor_id_payload_t*)payload;
+			data = vid->get_data(vid);
+
+			for (i = 0; i < countof(vendor_ids); i++)
+			{
+				if (chunk_equals(data, chunk_create(vendor_ids[i].id,
+													vendor_ids[i].len)) ||
+					fragmentation_supported(data, i))
+				{
+					DBG1(DBG_IKE, "received %s vendor ID", vendor_ids[i].desc);
+					if (vendor_ids[i].extension)
+					{
+						this->ike_sa->enable_extension(this->ike_sa,
+													   vendor_ids[i].extension);
+					}
+					found = TRUE;
+					break;
+				}
+			}
+			if (!found)
+			{
+				for (i = 0; i < countof(vendor_natt_ids); i++)
+				{
+					if (chunk_equals(data, chunk_create(vendor_natt_ids[i].id,
+													vendor_natt_ids[i].len)))
+					{
+						DBG1(DBG_IKE, "received %s vendor ID",
+							 vendor_natt_ids[i].desc);
+						if (vendor_natt_ids[i].extension &&
+						   (i < this->best_natt_ext || this->best_natt_ext < 0))
+						{
+							this->best_natt_ext = i;
+						}
+						found = TRUE;
+						break;
+					}
+				}
+			}
+			if (!found)
+			{
+				DBG1(DBG_ENC, "received unknown vendor ID: %#B", &data);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->best_natt_ext >= 0)
+	{
+		this->ike_sa->enable_extension(this->ike_sa,
+								vendor_natt_ids[this->best_natt_ext].extension);
+	}
+}
+
+METHOD(task_t, build_i, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	if (this->count++ == 0)
+	{
+		build(this, message);
+	}
+	if (message->get_exchange_type(message) == AGGRESSIVE && this->count > 1)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	this->count++;
+	process(this, message);
+	if (message->get_exchange_type(message) == AGGRESSIVE && this->count > 1)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	if (this->count == 1)
+	{
+		build(this, message);
+	}
+	if (message->get_exchange_type(message) == ID_PROT && this->count > 2)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_isakmp_vendor_t *this, message_t *message)
+{
+	process(this, message);
+	if (message->get_exchange_type(message) == ID_PROT && this->count > 2)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, migrate, void,
+	private_isakmp_vendor_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->count = 0;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_isakmp_vendor_t *this)
+{
+	return TASK_ISAKMP_VENDOR;
+}
+
+METHOD(task_t, destroy, void,
+	private_isakmp_vendor_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_isakmp_vendor_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.migrate = _migrate,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+		},
+		.initiator = initiator,
+		.ike_sa = ike_sa,
+		.best_natt_ext = -1,
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.h b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.h
new file mode 100644
index 000000000..91891085b
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup isakmp_vendor isakmp_vendor
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef ISAKMP_VENDOR_H_
+#define ISAKMP_VENDOR_H_
+
+typedef struct isakmp_vendor_t isakmp_vendor_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Vendor ID processing task for IKEv1.
+ */
+struct isakmp_vendor_t {
+
+	/**
+	 * Implements task interface.
+	 */
+	task_t task;
+};
+
+/**
+ * Create a isakmp_vendor instance.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if task is the original initiator
+ */
+isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** ISAKMP_VENDOR_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
new file mode 100644
index 000000000..441bd7a78
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -0,0 +1,744 @@
+/*
+ * Copyright (C) 2011-2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "main_mode.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <sa/ikev1/phase1.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/hash_payload.h>
+#include <sa/ikev1/tasks/xauth.h>
+#include <sa/ikev1/tasks/mode_config.h>
+#include <sa/ikev1/tasks/informational.h>
+#include <sa/ikev1/tasks/isakmp_delete.h>
+#include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_main_mode_t private_main_mode_t;
+
+/**
+ * Private members of a main_mode_t task.
+ */
+struct private_main_mode_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	main_mode_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Common phase 1 helper class
+	 */
+	phase1_t *ph1;
+
+	/**
+	 * IKE config to establish
+	 */
+	ike_cfg_t *ike_cfg;
+
+	/**
+	 * Peer config to use
+	 */
+	peer_cfg_t *peer_cfg;
+
+	/**
+	 * selected IKE proposal
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * Negotiated SA lifetime
+	 */
+	u_int32_t lifetime;
+
+	/**
+	 * Negotiated authentication method
+	 */
+	auth_method_t method;
+
+	/** states of main mode */
+	enum {
+		MM_INIT,
+		MM_SA,
+		MM_KE,
+		MM_AUTH,
+	} state;
+};
+
+/**
+ * Set IKE_SA to established state
+ */
+static bool establish(private_main_mode_t *this)
+{
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	return TRUE;
+}
+
+/**
+ * Check for notify errors, return TRUE if error found
+ */
+static bool has_notify_errors(private_main_mode_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool err = FALSE;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY_V1)
+		{
+			notify_payload_t *notify;
+			notify_type_t type;
+
+			notify = (notify_payload_t*)payload;
+			type = notify->get_notify_type(notify);
+			if (type < 16384)
+			{
+				DBG1(DBG_IKE, "received %N error notify",
+					 notify_type_names, type);
+				err = TRUE;
+			}
+			else if (type == INITIAL_CONTACT_IKEV1)
+			{
+				if (!this->initiator && this->state == MM_AUTH)
+				{
+					/* If authenticated and received INITIAL_CONTACT,
+					 * delete any existing IKE_SAs with that peer.
+					 * The delete takes place when the SA is checked in due
+					 * to other id not known until the 3rd message.*/
+					this->ike_sa->set_condition(this->ike_sa,
+												COND_INIT_CONTACT_SEEN, TRUE);
+				}
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return err;
+}
+
+/**
+ * Queue a task sending a notify in an INFORMATIONAL exchange
+ */
+static status_t send_notify(private_main_mode_t *this, notify_type_t type)
+{
+	notify_payload_t *notify;
+	ike_sa_id_t *ike_sa_id;
+	u_int64_t spi_i, spi_r;
+	chunk_t spi;
+
+	notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+														  PROTO_IKE, type);
+	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+	spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+	spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+	spi = chunk_cata("cc", chunk_from_thing(spi_i), chunk_from_thing(spi_r));
+	notify->set_spi_data(notify, spi);
+
+	this->ike_sa->queue_task(this->ike_sa,
+						(task_t*)informational_create(this->ike_sa, notify));
+	/* cancel all active/passive tasks in favour of informational */
+	this->ike_sa->flush_queue(this->ike_sa,
+					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
+	return ALREADY_DONE;
+}
+
+/**
+ * Queue a delete task if authentication failed as initiator
+ */
+static status_t send_delete(private_main_mode_t *this)
+{
+	this->ike_sa->queue_task(this->ike_sa,
+						(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
+	/* cancel all active tasks in favour of informational */
+	this->ike_sa->flush_queue(this->ike_sa,
+					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
+	return ALREADY_DONE;
+}
+
+METHOD(task_t, build_i, status_t,
+	private_main_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case MM_INIT:
+		{
+			sa_payload_t *sa_payload;
+			linked_list_t *proposals;
+			packet_t *packet;
+
+			DBG0(DBG_IKE, "initiating Main Mode IKE_SA %s[%d] to %H",
+				 this->ike_sa->get_name(this->ike_sa),
+				 this->ike_sa->get_unique_id(this->ike_sa),
+				 this->ike_sa->get_other_host(this->ike_sa));
+			this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+			this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+			this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+			this->peer_cfg->get_ref(this->peer_cfg);
+
+			this->method = this->ph1->get_auth_method(this->ph1, this->peer_cfg);
+			if (this->method == AUTH_NONE)
+			{
+				DBG1(DBG_CFG, "configuration uses unsupported authentication");
+				return FAILED;
+			}
+			this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
+															 FALSE);
+			if (!this->lifetime)
+			{	/* fall back to rekey time of no rekey time configured */
+				this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
+																 FALSE);
+			}
+			this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg);
+			proposals = this->ike_cfg->get_proposals(this->ike_cfg);
+			sa_payload = sa_payload_create_from_proposals_v1(proposals,
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
+			proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
+
+			message->add_payload(message, &sa_payload->payload_interface);
+
+			/* pregenerate message to store SA payload */
+			if (this->ike_sa->generate_message(this->ike_sa, message,
+											   &packet) != SUCCESS)
+			{
+				DBG1(DBG_IKE, "pregenerating SA payload failed");
+				return FAILED;
+			}
+			packet->destroy(packet);
+			if (!this->ph1->save_sa_payload(this->ph1, message))
+			{
+				return FAILED;
+			}
+
+			this->state = MM_SA;
+			return NEED_MORE;
+		}
+		case MM_SA:
+		{
+			u_int16_t group;
+
+			if (!this->ph1->create_hasher(this->ph1))
+			{
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			if (!this->proposal->get_algorithm(this->proposal,
+										DIFFIE_HELLMAN_GROUP, &group, NULL))
+			{
+				DBG1(DBG_IKE, "DH group selection failed");
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			if (!this->ph1->create_dh(this->ph1, group))
+			{
+				DBG1(DBG_IKE, "negotiated DH group not supported");
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!this->ph1->add_nonce_ke(this->ph1, message))
+			{
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			this->state = MM_KE;
+			return NEED_MORE;
+		}
+		case MM_KE:
+		{
+			id_payload_t *id_payload;
+			identification_t *id;
+
+			id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
+			if (!id)
+			{
+				DBG1(DBG_CFG, "own identity not known");
+				return send_notify(this, INVALID_ID_INFORMATION);
+			}
+			this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
+			id_payload = id_payload_create_from_identification(ID_V1, id);
+			message->add_payload(message, &id_payload->payload_interface);
+
+			if (!this->ph1->build_auth(this->ph1, this->method, message,
+									   id_payload->get_encoded(id_payload)))
+			{
+				return send_notify(this, AUTHENTICATION_FAILED);
+			}
+
+			this->state = MM_AUTH;
+			return NEED_MORE;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_r, status_t,
+	private_main_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case MM_INIT:
+		{
+			linked_list_t *list;
+			sa_payload_t *sa_payload;
+			bool private;
+
+			this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+			DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA",
+				 message->get_source(message));
+			this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+			this->ike_sa->update_hosts(this->ike_sa,
+									   message->get_destination(message),
+									   message->get_source(message), TRUE);
+
+			sa_payload = (sa_payload_t*)message->get_payload(message,
+													SECURITY_ASSOCIATION_V1);
+			if (!sa_payload)
+			{
+				DBG1(DBG_IKE, "SA payload missing");
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			if (!this->ph1->save_sa_payload(this->ph1, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+
+			list = sa_payload->get_proposals(sa_payload);
+			private = this->ike_sa->supports_extension(this->ike_sa,
+														   EXT_STRONGSWAN);
+			this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
+															list, private);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			if (!this->proposal)
+			{
+				DBG1(DBG_IKE, "no proposal found");
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+			this->method = sa_payload->get_auth_method(sa_payload);
+			this->lifetime = sa_payload->get_lifetime(sa_payload);
+
+			this->state = MM_SA;
+			return NEED_MORE;
+		}
+		case MM_SA:
+		{
+			u_int16_t group;
+
+			if (!this->ph1->create_hasher(this->ph1))
+			{
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!this->proposal->get_algorithm(this->proposal,
+										DIFFIE_HELLMAN_GROUP, &group, NULL))
+			{
+				DBG1(DBG_IKE, "DH group selection failed");
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!this->ph1->create_dh(this->ph1, group))
+			{
+				DBG1(DBG_IKE, "negotiated DH group not supported");
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!this->ph1->get_nonce_ke(this->ph1, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			this->state = MM_KE;
+			return NEED_MORE;
+		}
+		case MM_KE:
+		{
+			id_payload_t *id_payload;
+			identification_t *id;
+
+			id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
+			if (!id_payload)
+			{
+				DBG1(DBG_IKE, "IDii payload missing");
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			id = id_payload->get_identification(id_payload);
+			this->ike_sa->set_other_id(this->ike_sa, id);
+
+			while (TRUE)
+			{
+				DESTROY_IF(this->peer_cfg);
+				this->peer_cfg = this->ph1->select_config(this->ph1,
+													this->method, FALSE, id);
+				if (!this->peer_cfg)
+				{
+					return send_notify(this, AUTHENTICATION_FAILED);
+				}
+				this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
+
+				if (this->ph1->verify_auth(this->ph1, this->method, message,
+										   id_payload->get_encoded(id_payload)))
+				{
+					break;
+				}
+			}
+
+			if (!charon->bus->authorize(charon->bus, FALSE))
+			{
+				DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+					 "cancelling");
+				return send_notify(this, AUTHENTICATION_FAILED);
+			}
+
+			this->state = MM_AUTH;
+			if (has_notify_errors(this, message))
+			{
+				return FAILED;
+			}
+			return NEED_MORE;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, build_r, status_t,
+	private_main_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case MM_SA:
+		{
+			sa_payload_t *sa_payload;
+
+			sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
+									this->lifetime, 0, this->method, MODE_NONE,
+									ENCAP_NONE, 0);
+			message->add_payload(message, &sa_payload->payload_interface);
+
+			return NEED_MORE;
+		}
+		case MM_KE:
+		{
+			if (!this->ph1->add_nonce_ke(this->ph1, message))
+			{
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
+			{
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			return NEED_MORE;
+		}
+		case MM_AUTH:
+		{
+			id_payload_t *id_payload;
+			identification_t *id;
+
+			id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
+			if (!id)
+			{
+				DBG1(DBG_CFG, "own identity not known");
+				return send_notify(this, INVALID_ID_INFORMATION);
+			}
+			this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
+
+			id_payload = id_payload_create_from_identification(ID_V1, id);
+			message->add_payload(message, &id_payload->payload_interface);
+
+			if (!this->ph1->build_auth(this->ph1, this->method, message,
+									   id_payload->get_encoded(id_payload)))
+			{
+				return send_notify(this, AUTHENTICATION_FAILED);
+			}
+
+			switch (this->method)
+			{
+				case AUTH_XAUTH_INIT_PSK:
+				case AUTH_XAUTH_INIT_RSA:
+				case AUTH_HYBRID_INIT_RSA:
+					this->ike_sa->queue_task(this->ike_sa,
+									(task_t*)xauth_create(this->ike_sa, TRUE));
+					return SUCCESS;
+				case AUTH_XAUTH_RESP_PSK:
+				case AUTH_XAUTH_RESP_RSA:
+				case AUTH_HYBRID_RESP_RSA:
+					/* wait for XAUTH request */
+					break;
+				default:
+					if (charon->ike_sa_manager->check_uniqueness(
+								charon->ike_sa_manager, this->ike_sa, FALSE))
+					{
+						DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+							 "policy");
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					if (!establish(this))
+					{
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					lib->processor->queue_job(lib->processor, (job_t*)
+									adopt_children_job_create(
+										this->ike_sa->get_id(this->ike_sa)));
+					break;
+			}
+			if (!this->ph1->has_pool(this->ph1, this->peer_cfg) &&
+				this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+			{
+				this->ike_sa->queue_task(this->ike_sa,
+							(task_t*)mode_config_create(this->ike_sa, TRUE));
+			}
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_i, status_t,
+	private_main_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case MM_SA:
+		{
+			linked_list_t *list;
+			sa_payload_t *sa_payload;
+			auth_method_t method;
+			u_int32_t lifetime;
+			bool private;
+
+			sa_payload = (sa_payload_t*)message->get_payload(message,
+													SECURITY_ASSOCIATION_V1);
+			if (!sa_payload)
+			{
+				DBG1(DBG_IKE, "SA payload missing");
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			list = sa_payload->get_proposals(sa_payload);
+			private = this->ike_sa->supports_extension(this->ike_sa,
+														   EXT_STRONGSWAN);
+			this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
+															list, private);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			if (!this->proposal)
+			{
+				DBG1(DBG_IKE, "no proposal found");
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+			lifetime = sa_payload->get_lifetime(sa_payload);
+			if (lifetime != this->lifetime)
+			{
+				DBG1(DBG_IKE, "received lifetime %us does not match configured "
+					 "lifetime %us", lifetime, this->lifetime);
+			}
+			this->lifetime = lifetime;
+			method = sa_payload->get_auth_method(sa_payload);
+			if (method != this->method)
+			{
+				DBG1(DBG_IKE, "received %N authentication, but configured %N, "
+					 "continue with configured", auth_method_names, method,
+					 auth_method_names, this->method);
+			}
+			return NEED_MORE;
+		}
+		case MM_KE:
+		{
+			if (!this->ph1->get_nonce_ke(this->ph1, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			if (!this->ph1->derive_keys(this->ph1, this->peer_cfg, this->method))
+			{
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			return NEED_MORE;
+		}
+		case MM_AUTH:
+		{
+			id_payload_t *id_payload;
+			identification_t *id, *cid;
+
+			id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
+			if (!id_payload)
+			{
+				DBG1(DBG_IKE, "IDir payload missing");
+				return send_delete(this);
+			}
+			id = id_payload->get_identification(id_payload);
+			cid = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+			if (cid && !id->matches(id, cid))
+			{
+				DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid);
+				id->destroy(id);
+				return send_delete(this);
+			}
+			this->ike_sa->set_other_id(this->ike_sa, id);
+
+			if (!this->ph1->verify_auth(this->ph1, this->method, message,
+										id_payload->get_encoded(id_payload)))
+			{
+				return send_delete(this);
+			}
+			if (!charon->bus->authorize(charon->bus, FALSE))
+			{
+				DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+					 "cancelling");
+				return send_delete(this);
+			}
+
+			switch (this->method)
+			{
+				case AUTH_XAUTH_INIT_PSK:
+				case AUTH_XAUTH_INIT_RSA:
+				case AUTH_HYBRID_INIT_RSA:
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
+					break;
+				}
+				case AUTH_XAUTH_RESP_PSK:
+				case AUTH_XAUTH_RESP_RSA:
+				case AUTH_HYBRID_RESP_RSA:
+					this->ike_sa->queue_task(this->ike_sa,
+									(task_t*)xauth_create(this->ike_sa, TRUE));
+					return SUCCESS;
+				default:
+					if (charon->ike_sa_manager->check_uniqueness(
+								charon->ike_sa_manager, this->ike_sa, FALSE))
+					{
+						DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+							 "policy");
+						return send_delete(this);
+					}
+					if (!establish(this))
+					{
+						return send_delete(this);
+					}
+					break;
+			}
+			if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+			{
+				this->ike_sa->queue_task(this->ike_sa,
+							(task_t*)mode_config_create(this->ike_sa, TRUE));
+			}
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_main_mode_t *this)
+{
+	return TASK_MAIN_MODE;
+}
+
+METHOD(task_t, migrate, void,
+	private_main_mode_t *this, ike_sa_t *ike_sa)
+{
+	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->proposal);
+	this->ph1->destroy(this->ph1);
+
+	this->ike_sa = ike_sa;
+	this->state = MM_INIT;
+	this->peer_cfg = NULL;
+	this->proposal = NULL;
+	this->ph1 = phase1_create(ike_sa, this->initiator);
+}
+
+METHOD(task_t, destroy, void,
+	private_main_mode_t *this)
+{
+	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->proposal);
+	this->ph1->destroy(this->ph1);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_main_mode_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.ph1 = phase1_create(ike_sa, initiator),
+		.initiator = initiator,
+		.state = MM_INIT,
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.h b/src/libcharon/sa/ikev1/tasks/main_mode.h
new file mode 100644
index 000000000..141701f75
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup main_mode main_mode
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef MAIN_MODE_H_
+#define MAIN_MODE_H_
+
+typedef struct main_mode_t main_mode_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * IKEv1 main mode, establishes a mainmode including authentication.
+ */
+struct main_mode_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new main_mode task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if task initiated locally
+ * @return				task to handle by the task_manager
+ */
+main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** MAIN_MODE_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
new file mode 100644
index 000000000..ce897727a
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -0,0 +1,459 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mode_config.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <encoding/payloads/cp_payload.h>
+
+typedef struct private_mode_config_t private_mode_config_t;
+
+/**
+ * Private members of a mode_config_t task.
+ */
+struct private_mode_config_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	mode_config_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Received list of virtual IPs, host_t*
+	 */
+	linked_list_t *vips;
+
+	/**
+	 * list of attributes requested and its handler, entry_t
+	 */
+	linked_list_t *requested;
+
+	/**
+	 * Identifier to include in response
+	 */
+	u_int16_t identifier;
+};
+
+/**
+ * Entry for a requested attribute and the requesting handler
+ */
+typedef struct {
+	/** attribute requested */
+	configuration_attribute_type_t type;
+	/** handler requesting this attribute */
+	attribute_handler_t *handler;
+} entry_t;
+
+/**
+ * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
+ */
+static configuration_attribute_t *build_vip(host_t *vip)
+{
+	configuration_attribute_type_t type;
+	chunk_t chunk, prefix;
+
+	if (vip->get_family(vip) == AF_INET)
+	{
+		type = INTERNAL_IP4_ADDRESS;
+		if (vip->is_anyaddr(vip))
+		{
+			chunk = chunk_empty;
+		}
+		else
+		{
+			chunk = vip->get_address(vip);
+		}
+	}
+	else
+	{
+		type = INTERNAL_IP6_ADDRESS;
+		if (vip->is_anyaddr(vip))
+		{
+			chunk = chunk_empty;
+		}
+		else
+		{
+			prefix = chunk_alloca(1);
+			*prefix.ptr = 64;
+			chunk = vip->get_address(vip);
+			chunk = chunk_cata("cc", chunk, prefix);
+		}
+	}
+	return configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
+												type, chunk);
+}
+
+/**
+ * Handle a received attribute as initiator
+ */
+static void handle_attribute(private_mode_config_t *this,
+							 configuration_attribute_t *ca)
+{
+	attribute_handler_t *handler = NULL;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* find the handler which requested this attribute */
+	enumerator = this->requested->create_enumerator(this->requested);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->type == ca->get_type(ca))
+		{
+			handler = entry->handler;
+			this->requested->remove_at(this->requested, enumerator);
+			free(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* and pass it to the handle function */
+	handler = hydra->attributes->handle(hydra->attributes,
+							this->ike_sa->get_other_id(this->ike_sa), handler,
+							ca->get_type(ca), ca->get_chunk(ca));
+	if (handler)
+	{
+		this->ike_sa->add_configuration_attribute(this->ike_sa,
+				handler, ca->get_type(ca), ca->get_chunk(ca));
+	}
+}
+
+/**
+ * process a single configuration attribute
+ */
+static void process_attribute(private_mode_config_t *this,
+							  configuration_attribute_t *ca)
+{
+	host_t *ip;
+	chunk_t addr;
+	int family = AF_INET6;
+
+	switch (ca->get_type(ca))
+	{
+		case INTERNAL_IP4_ADDRESS:
+			family = AF_INET;
+			/* fall */
+		case INTERNAL_IP6_ADDRESS:
+		{
+			addr = ca->get_chunk(ca);
+			if (addr.len == 0)
+			{
+				ip = host_create_any(family);
+			}
+			else
+			{
+				/* skip prefix byte in IPv6 payload*/
+				if (family == AF_INET6)
+				{
+					addr.len--;
+				}
+				ip = host_create_from_chunk(family, addr, 0);
+			}
+			if (ip)
+			{
+				this->vips->insert_last(this->vips, ip);
+			}
+			break;
+		}
+		default:
+		{
+			if (this->initiator)
+			{
+				handle_attribute(this, ca);
+			}
+		}
+	}
+}
+
+/**
+ * Scan for configuration payloads and attributes
+ */
+static void process_payloads(private_mode_config_t *this, message_t *message)
+{
+	enumerator_t *enumerator, *attributes;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == CONFIGURATION_V1)
+		{
+			cp_payload_t *cp = (cp_payload_t*)payload;
+			configuration_attribute_t *ca;
+
+			switch (cp->get_type(cp))
+			{
+				case CFG_REQUEST:
+					this->identifier = cp->get_identifier(cp);
+					/* FALL */
+				case CFG_REPLY:
+					attributes = cp->create_attribute_enumerator(cp);
+					while (attributes->enumerate(attributes, &ca))
+					{
+						DBG2(DBG_IKE, "processing %N attribute",
+							 configuration_attribute_type_names, ca->get_type(ca));
+						process_attribute(this, ca);
+					}
+					attributes->destroy(attributes);
+					break;
+				default:
+					DBG1(DBG_IKE, "ignoring %N config payload",
+						 config_type_names, cp->get_type(cp));
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+	private_mode_config_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+	enumerator_t *enumerator;
+	attribute_handler_t *handler;
+	peer_cfg_t *config;
+	configuration_attribute_type_t type;
+	chunk_t data;
+	linked_list_t *vips;
+	host_t *host;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST);
+
+	vips = linked_list_create();
+
+	/* reuse virtual IP if we already have one */
+	enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		vips->insert_last(vips, host);
+	}
+	enumerator->destroy(enumerator);
+
+	if (vips->get_count(vips) == 0)
+	{
+		config = this->ike_sa->get_peer_cfg(this->ike_sa);
+		enumerator = config->create_virtual_ip_enumerator(config);
+		while (enumerator->enumerate(enumerator, &host))
+		{
+			vips->insert_last(vips, host);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (vips->get_count(vips))
+	{
+		enumerator = vips->create_enumerator(vips);
+		while (enumerator->enumerate(enumerator, &host))
+		{
+			cp->add_attribute(cp, build_vip(host));
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	enumerator = hydra->attributes->create_initiator_enumerator(
+								hydra->attributes,
+								this->ike_sa->get_other_id(this->ike_sa), vips);
+	while (enumerator->enumerate(enumerator, &handler, &type, &data))
+	{
+		entry_t *entry;
+
+		DBG2(DBG_IKE, "building %N attribute",
+			 configuration_attribute_type_names, type);
+		cp->add_attribute(cp,
+				configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
+													 type, data));
+		INIT(entry,
+			.type = type,
+			.handler = handler,
+		);
+		this->requested->insert_last(this->requested, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	vips->destroy(vips);
+
+	message->add_payload(message, (payload_t*)cp);
+
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_mode_config_t *this, message_t *message)
+{
+	process_payloads(this, message);
+	return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_mode_config_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	configuration_attribute_type_t type;
+	chunk_t value;
+	cp_payload_t *cp;
+	peer_cfg_t *config;
+	identification_t *id;
+	linked_list_t *vips, *pools;
+	host_t *requested;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+
+	id = this->ike_sa->get_other_eap_id(this->ike_sa);
+	config = this->ike_sa->get_peer_cfg(this->ike_sa);
+	vips = linked_list_create();
+	pools = linked_list_create_from_enumerator(
+									config->create_pool_enumerator(config));
+
+	this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
+
+	enumerator = this->vips->create_enumerator(this->vips);
+	while (enumerator->enumerate(enumerator, &requested))
+	{
+		host_t *found = NULL;
+
+		/* query all pools until we get an address */
+		DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
+
+		found = hydra->attributes->acquire_address(hydra->attributes,
+												   pools, id, requested);
+		if (found)
+		{
+			DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
+			this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
+			cp->add_attribute(cp, build_vip(found));
+			vips->insert_last(vips, found);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "no virtual IP found for %H requested by '%Y'",
+				 requested, id);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* query registered providers for additional attributes to include */
+	enumerator = hydra->attributes->create_responder_enumerator(
+											hydra->attributes, pools, id, vips);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		DBG2(DBG_IKE, "building %N attribute",
+			 configuration_attribute_type_names, type);
+		cp->add_attribute(cp,
+			configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
+												 type, value));
+	}
+	enumerator->destroy(enumerator);
+	vips->destroy_offset(vips, offsetof(host_t, destroy));
+	pools->destroy(pools);
+
+	cp->set_identifier(cp, this->identifier);
+	message->add_payload(message, (payload_t*)cp);
+
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_mode_config_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	host_t *host;
+
+	process_payloads(this, message);
+
+	this->ike_sa->clear_virtual_ips(this->ike_sa, TRUE);
+
+	enumerator = this->vips->create_enumerator(this->vips);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		if (!host->is_anyaddr(host))
+		{
+			this->ike_sa->add_virtual_ip(this->ike_sa, TRUE, host);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_mode_config_t *this)
+{
+	return TASK_MODE_CONFIG;
+}
+
+METHOD(task_t, migrate, void,
+	private_mode_config_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+	this->vips = linked_list_create();
+	this->requested->destroy_function(this->requested, free);
+	this->requested = linked_list_create();
+}
+
+METHOD(task_t, destroy, void,
+	private_mode_config_t *this)
+{
+	this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+	this->requested->destroy_function(this->requested, free);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+mode_config_t *mode_config_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_mode_config_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.initiator = initiator,
+		.ike_sa = ike_sa,
+		.requested = linked_list_create(),
+		.vips = linked_list_create(),
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.h b/src/libcharon/sa/ikev1/tasks/mode_config.h
new file mode 100644
index 000000000..462bee374
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mode_config mode_config
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef MODE_CONFIG_H_
+#define MODE_CONFIG_H_
+
+typedef struct mode_config_t mode_config_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_MODE_COFNIG, IKEv1 configuration attribute exchange.
+ */
+struct mode_config_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new mode_config task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE for initiator
+ * @return				mode_config task to handle by the task_manager
+ */
+mode_config_t *mode_config_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** MODE_CONFIG_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
new file mode 100644
index 000000000..1a2cdb777
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+/*
+ * Copyright (C) 2013 Oliver Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "quick_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+typedef struct private_quick_delete_t private_quick_delete_t;
+
+/**
+ * Private members of a quick_delete_t task.
+ */
+struct private_quick_delete_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	quick_delete_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Protocol of CHILD_SA to delete
+	 */
+	protocol_id_t protocol;
+
+	/**
+	 * Inbound SPI of CHILD_SA to delete
+	 */
+	u_int32_t spi;
+
+	/**
+	 * Send delete even if SA does not exist
+	 */
+	bool force;
+
+	/**
+	 * SA already expired?
+	 */
+	bool expired;
+};
+
+/**
+ * Delete the specified CHILD_SA, if found
+ */
+static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
+						 u_int32_t spi, bool remote_close)
+{
+	u_int64_t bytes_in, bytes_out;
+	child_sa_t *child_sa;
+	linked_list_t *my_ts, *other_ts;
+	child_cfg_t *child_cfg;
+	bool rekeyed;
+
+	child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
+	if (!child_sa)
+	{	/* fallback and check for outbound SA */
+		child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
+		if (!child_sa)
+		{
+			return FALSE;
+		}
+		this->spi = spi = child_sa->get_spi(child_sa, TRUE);
+	}
+
+	rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYING;
+	child_sa->set_state(child_sa, CHILD_DELETING);
+
+	my_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
+	if (this->expired)
+	{
+		DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
+			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			 ntohl(child_sa->get_spi(child_sa, TRUE)),
+			 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
+	}
+	else
+	{
+		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, NULL);
+		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
+
+		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs "
+			 "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
+			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
+			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
+			 my_ts, other_ts);
+	}
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
+
+	if (!rekeyed)
+	{
+		charon->bus->child_updown(charon->bus, child_sa, FALSE);
+
+		if (remote_close)
+		{
+			child_cfg = child_sa->get_config(child_sa);
+			child_cfg->get_ref(child_cfg);
+
+			switch (child_sa->get_close_action(child_sa))
+			{
+				case ACTION_RESTART:
+					child_cfg->get_ref(child_cfg);
+					this->ike_sa->initiate(this->ike_sa, child_cfg,
+									child_sa->get_reqid(child_sa), NULL, NULL);
+					break;
+				case ACTION_ROUTE:
+					charon->traps->install(charon->traps,
+									this->ike_sa->get_peer_cfg(this->ike_sa),
+									child_cfg, child_sa->get_reqid(child_sa));
+					break;
+				default:
+					break;
+			}
+			child_cfg->destroy(child_cfg);
+		}
+	}
+	this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
+
+	return TRUE;
+}
+
+METHOD(task_t, build_i, status_t,
+	private_quick_delete_t *this, message_t *message)
+{
+	if (delete_child(this, this->protocol, this->spi, FALSE) || this->force)
+	{
+		delete_payload_t *delete_payload;
+
+		DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+			 protocol_id_names, this->protocol, ntohl(this->spi));
+
+		delete_payload = delete_payload_create(DELETE_V1, PROTO_ESP);
+		delete_payload->add_spi(delete_payload, this->spi);
+		message->add_payload(message, &delete_payload->payload_interface);
+
+		return SUCCESS;
+	}
+	this->ike_sa->flush_queue(this->ike_sa, TASK_QUEUE_ACTIVE);
+	return ALREADY_DONE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_quick_delete_t *this, message_t *message)
+{
+	return FAILED;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_quick_delete_t *this, message_t *message)
+{
+	enumerator_t *payloads, *spis;
+	payload_t *payload;
+	delete_payload_t *delete_payload;
+	protocol_id_t protocol;
+	u_int32_t spi;
+
+	payloads = message->create_payload_enumerator(message);
+	while (payloads->enumerate(payloads, &payload))
+	{
+		if (payload->get_type(payload) == DELETE_V1)
+		{
+			delete_payload = (delete_payload_t*)payload;
+			protocol = delete_payload->get_protocol_id(delete_payload);
+			if (protocol != PROTO_ESP && protocol != PROTO_AH)
+			{
+				continue;
+			}
+			spis = delete_payload->create_spi_enumerator(delete_payload);
+			while (spis->enumerate(spis, &spi))
+			{
+				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
+					 protocol_id_names, protocol, ntohl(spi));
+				if (!delete_child(this, protocol, spi, TRUE))
+				{
+					DBG1(DBG_IKE, "CHILD_SA not found, ignored");
+					continue;
+				}
+			}
+			spis->destroy(spis);
+		}
+	}
+	payloads->destroy(payloads);
+
+	return SUCCESS;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_quick_delete_t *this, message_t *message)
+{
+	return FAILED;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_quick_delete_t *this)
+{
+	return TASK_QUICK_DELETE;
+}
+
+METHOD(task_t, migrate, void,
+	private_quick_delete_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_quick_delete_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+quick_delete_t *quick_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+									u_int32_t spi, bool force, bool expired)
+{
+	private_quick_delete_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.protocol = protocol,
+		.spi = spi,
+		.force = force,
+		.expired = expired,
+	);
+
+	if (protocol != PROTO_NONE)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.h b/src/libcharon/sa/ikev1/tasks/quick_delete.h
new file mode 100644
index 000000000..4df30c8fe
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup quick_delete quick_delete
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef QUICK_DELETE_H_
+#define QUICK_DELETE_H_
+
+typedef struct quick_delete_t quick_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+#include <sa/child_sa.h>
+
+/**
+ * Task of type QUICK_DELETE, delete an IKEv1 quick mode SA.
+ */
+struct quick_delete_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new quick_delete task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param protocol		protocol of CHILD_SA to delete, PROTO_NONE as responder
+ * @param spi			inbound SPI of CHILD_SA to delete
+ * @param force			send delete even if SA does not exist
+ * @param expired		TRUE if SA already expired
+ * @return				quick_delete task to handle by the task_manager
+ */
+quick_delete_t *quick_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+									u_int32_t spi, bool force, bool expired);
+
+#endif /** QUICK_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
new file mode 100644
index 000000000..6271e5b05
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -0,0 +1,1328 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2012 Volker Rümelin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "quick_mode.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/payload.h>
+#include <sa/ikev1/tasks/informational.h>
+#include <sa/ikev1/tasks/quick_delete.h>
+#include <processing/jobs/inactivity_job.h>
+
+typedef struct private_quick_mode_t private_quick_mode_t;
+
+/**
+ * Private members of a quick_mode_t task.
+ */
+struct private_quick_mode_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	quick_mode_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * TRUE if we are initiating quick mode
+	 */
+	bool initiator;
+
+	/**
+	 * Traffic selector of initiator
+	 */
+	traffic_selector_t *tsi;
+
+	/**
+	 * Traffic selector of responder
+	 */
+	traffic_selector_t *tsr;
+
+	/**
+	 * Initiators nonce
+	 */
+	chunk_t nonce_i;
+
+	/**
+	 * Responder nonce
+	 */
+	chunk_t nonce_r;
+
+	/**
+	 * Initiators ESP SPI
+	 */
+	u_int32_t spi_i;
+
+	/**
+	 * Responder ESP SPI
+	 */
+	u_int32_t spi_r;
+
+	/**
+	 * Initiators IPComp CPI
+	 */
+	u_int16_t cpi_i;
+
+	/**
+	 * Responders IPComp CPI
+	 */
+	u_int16_t cpi_r;
+
+	/**
+	 * selected CHILD_SA proposal
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * Config of CHILD_SA to establish
+	 */
+	child_cfg_t *config;
+
+	/**
+	 * CHILD_SA we are about to establish
+	 */
+	child_sa_t *child_sa;
+
+	/**
+	 * IKEv1 keymat
+	 */
+	keymat_v1_t *keymat;
+
+	/**
+	 * DH exchange, when PFS is in use
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * Negotiated lifetime of new SA
+	 */
+	u_int32_t lifetime;
+
+	/**
+	 * Negotaited lifebytes of new SA
+	 */
+	u_int64_t lifebytes;
+
+	/**
+	 * Reqid to use, 0 for auto-allocate
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * SPI of SA we rekey
+	 */
+	u_int32_t rekey;
+
+	/**
+	 * Negotiated mode, tunnel or transport
+	 */
+	ipsec_mode_t mode;
+
+	/**
+	 * Use UDP encapsulation
+	 */
+	bool udp;
+
+	/** states of quick mode */
+	enum {
+		QM_INIT,
+		QM_NEGOTIATED,
+	} state;
+};
+
+/**
+ * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
+ */
+static void schedule_inactivity_timeout(private_quick_mode_t *this)
+{
+	u_int32_t timeout;
+	bool close_ike;
+
+	timeout = this->config->get_inactivity(this->config);
+	if (timeout)
+	{
+		close_ike = lib->settings->get_bool(lib->settings,
+								"%s.inactivity_close_ike", FALSE, charon->name);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
+									  timeout, close_ike), timeout);
+	}
+}
+
+/**
+ * Check if we have a an address pool configured
+ */
+static bool have_pool(ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	char *pool;
+	bool found = FALSE;
+
+	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+		if (enumerator->enumerate(enumerator, &pool))
+		{
+			found = TRUE;
+		}
+		enumerator->destroy(enumerator);
+	}
+	return found;
+}
+
+/**
+ * Get hosts to use for dynamic traffic selectors
+ */
+static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
+{
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	host_t *host;
+
+	list = linked_list_create();
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		list->insert_last(list, host);
+	}
+	enumerator->destroy(enumerator);
+
+	if (list->get_count(list) == 0)
+	{	/* no virtual IPs assigned */
+		if (local)
+		{
+			host = ike_sa->get_my_host(ike_sa);
+			list->insert_last(list, host);
+		}
+		else if (!have_pool(ike_sa))
+		{	/* use host only if we don't have a pool configured */
+			host = ike_sa->get_other_host(ike_sa);
+			list->insert_last(list, host);
+		}
+	}
+	return list;
+}
+
+/**
+ * Install negotiated CHILD_SA
+ */
+static bool install(private_quick_mode_t *this)
+{
+	status_t status, status_i, status_o;
+	chunk_t encr_i, encr_r, integ_i, integ_r;
+	linked_list_t *tsi, *tsr, *my_ts, *other_ts;
+	child_sa_t *old = NULL;
+
+	this->child_sa->set_proposal(this->child_sa, this->proposal);
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
+	this->child_sa->set_mode(this->child_sa, this->mode);
+
+	if (this->cpi_i && this->cpi_r)
+	{	/* DEFLATE is the only transform we currently support */
+		this->child_sa->set_ipcomp(this->child_sa, IPCOMP_DEFLATE);
+	}
+	else
+	{
+		this->cpi_i = this->cpi_r = 0;
+	}
+
+	this->child_sa->set_protocol(this->child_sa,
+								 this->proposal->get_protocol(this->proposal));
+
+	status_i = status_o = FAILED;
+	encr_i = encr_r = integ_i = integ_r = chunk_empty;
+	tsi = linked_list_create_with_items(this->tsi->clone(this->tsi), NULL);
+	tsr = linked_list_create_with_items(this->tsr->clone(this->tsr), NULL);
+	if (this->initiator)
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_INITIATOR_POST_AUTH, tsi, tsr);
+	}
+	else
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_RESPONDER_POST, tsr, tsi);
+	}
+	if (tsi->get_count(tsi) == 0 || tsr->get_count(tsr) == 0)
+	{
+		tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+		tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+		DBG1(DBG_IKE, "no acceptable traffic selectors found");
+		return FALSE;
+	}
+
+	if (this->keymat->derive_child_keys(this->keymat, this->proposal, this->dh,
+						this->spi_i, this->spi_r, this->nonce_i, this->nonce_r,
+						&encr_i, &integ_i, &encr_r, &integ_r))
+	{
+		if (this->initiator)
+		{
+			status_i = this->child_sa->install(this->child_sa,
+									encr_r, integ_r, this->spi_i, this->cpi_i,
+									this->initiator, TRUE, FALSE, tsi, tsr);
+			status_o = this->child_sa->install(this->child_sa,
+									encr_i, integ_i, this->spi_r, this->cpi_r,
+									this->initiator, FALSE, FALSE, tsi, tsr);
+		}
+		else
+		{
+			status_i = this->child_sa->install(this->child_sa,
+									encr_i, integ_i, this->spi_r, this->cpi_r,
+									this->initiator, TRUE, FALSE, tsr, tsi);
+			status_o = this->child_sa->install(this->child_sa,
+									encr_r, integ_r, this->spi_i, this->cpi_i,
+									this->initiator, FALSE, FALSE, tsr, tsi);
+		}
+	}
+	chunk_clear(&integ_i);
+	chunk_clear(&integ_r);
+	chunk_clear(&encr_i);
+	chunk_clear(&encr_r);
+
+	if (status_i != SUCCESS || status_o != SUCCESS)
+	{
+		DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
+			(status_i != SUCCESS) ? "inbound " : "",
+			(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
+			(status_o != SUCCESS) ? "outbound " : "");
+		tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+		tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+		return FALSE;
+	}
+
+	if (this->initiator)
+	{
+		status = this->child_sa->add_policies(this->child_sa, tsi, tsr);
+	}
+	else
+	{
+		status = this->child_sa->add_policies(this->child_sa, tsr, tsi);
+	}
+	tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+	tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+		return FALSE;
+	}
+
+	charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
+							this->dh, this->nonce_i, this->nonce_r);
+
+	/* add to IKE_SA, and remove from task */
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
+
+	my_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
+
+	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+		 this->child_sa->get_name(this->child_sa),
+		 this->child_sa->get_reqid(this->child_sa),
+		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
+
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
+
+	if (this->rekey)
+	{
+		old = this->ike_sa->get_child_sa(this->ike_sa,
+								this->proposal->get_protocol(this->proposal),
+								this->rekey, TRUE);
+	}
+	if (old)
+	{
+		charon->bus->child_rekey(charon->bus, old, this->child_sa);
+	}
+	else
+	{
+		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+	}
+	if (!this->rekey)
+	{
+		schedule_inactivity_timeout(this);
+	}
+	this->child_sa = NULL;
+	return TRUE;
+}
+
+/**
+ * Generate and add NONCE
+ */
+static bool add_nonce(private_quick_mode_t *this, chunk_t *nonce,
+					  message_t *message)
+{
+	nonce_payload_t *nonce_payload;
+	nonce_gen_t *nonceg;
+
+	nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+	if (!nonceg)
+	{
+		DBG1(DBG_IKE, "no nonce generator found to create nonce");
+		return FALSE;
+	}
+	if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, nonce))
+	{
+		DBG1(DBG_IKE, "nonce allocation failed");
+		nonceg->destroy(nonceg);
+		return FALSE;
+	}
+	nonceg->destroy(nonceg);
+
+	nonce_payload = nonce_payload_create(NONCE_V1);
+	nonce_payload->set_nonce(nonce_payload, *nonce);
+	message->add_payload(message, &nonce_payload->payload_interface);
+
+	return TRUE;
+}
+
+/**
+ * Extract nonce from NONCE payload
+ */
+static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce,
+					  message_t *message)
+{
+	nonce_payload_t *nonce_payload;
+
+	nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
+	if (!nonce_payload)
+	{
+		DBG1(DBG_IKE, "NONCE payload missing in message");
+		return FALSE;
+	}
+	*nonce = nonce_payload->get_nonce(nonce_payload);
+
+	return TRUE;
+}
+
+/**
+ * Add KE payload to message
+ */
+static void add_ke(private_quick_mode_t *this, message_t *message)
+{
+	ke_payload_t *ke_payload;
+
+	ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1, this->dh);
+	message->add_payload(message, &ke_payload->payload_interface);
+}
+
+/**
+ * Get DH value from a KE payload
+ */
+static bool get_ke(private_quick_mode_t *this, message_t *message)
+{
+	ke_payload_t *ke_payload;
+
+	ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
+	if (!ke_payload)
+	{
+		DBG1(DBG_IKE, "KE payload missing");
+		return FALSE;
+	}
+	this->dh->set_other_public_value(this->dh,
+								ke_payload->get_key_exchange_data(ke_payload));
+	return TRUE;
+}
+
+/**
+ * Select a traffic selector from configuration
+ */
+static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local,
+									 linked_list_t *supplied)
+{
+	traffic_selector_t *ts;
+	linked_list_t *list, *hosts;
+
+	hosts = get_dynamic_hosts(this->ike_sa, local);
+	list = this->config->get_traffic_selectors(this->config,
+											   local, supplied, hosts);
+	hosts->destroy(hosts);
+	if (list->get_first(list, (void**)&ts) == SUCCESS)
+	{
+		ts = ts->clone(ts);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "%s traffic selector missing in configuration",
+			 local ? "local" : "local");
+		ts = NULL;
+	}
+	list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
+	return ts;
+}
+
+/**
+ * Add selected traffic selectors to message
+ */
+static void add_ts(private_quick_mode_t *this, message_t *message)
+{
+	id_payload_t *id_payload;
+
+	id_payload = id_payload_create_from_ts(this->tsi);
+	message->add_payload(message, &id_payload->payload_interface);
+	id_payload = id_payload_create_from_ts(this->tsr);
+	message->add_payload(message, &id_payload->payload_interface);
+}
+
+/**
+ * Get traffic selectors from received message
+ */
+static bool get_ts(private_quick_mode_t *this, message_t *message)
+{
+	traffic_selector_t *tsi = NULL, *tsr = NULL;
+	enumerator_t *enumerator;
+	id_payload_t *id_payload;
+	payload_t *payload;
+	host_t *hsi, *hsr;
+	bool first = TRUE;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == ID_V1)
+		{
+			id_payload = (id_payload_t*)payload;
+
+			if (first)
+			{
+				tsi = id_payload->get_ts(id_payload);
+				first = FALSE;
+			}
+			else
+			{
+				tsr = id_payload->get_ts(id_payload);
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* create host2host selectors if ID payloads missing */
+	if (this->initiator)
+	{
+		hsi = this->ike_sa->get_my_host(this->ike_sa);
+		hsr = this->ike_sa->get_other_host(this->ike_sa);
+	}
+	else
+	{
+		hsr = this->ike_sa->get_my_host(this->ike_sa);
+		hsi = this->ike_sa->get_other_host(this->ike_sa);
+	}
+	if (!tsi)
+	{
+		tsi = traffic_selector_create_from_subnet(hsi->clone(hsi),
+					hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0, 65535);
+	}
+	if (!tsr)
+	{
+		tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
+					hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0, 65535);
+	}
+	if (this->mode == MODE_TRANSPORT && this->udp &&
+	   (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))
+	{	/* change TS in case of a NAT in transport mode */
+		DBG2(DBG_IKE, "changing received traffic selectors %R=== %R due to NAT",
+			 tsi, tsr);
+		tsi->set_address(tsi, hsi);
+		tsr->set_address(tsr, hsr);
+	}
+
+	if (this->initiator)
+	{
+		traffic_selector_t *tsisub, *tsrsub;
+
+		/* check if peer selection is valid */
+		tsisub = this->tsi->get_subset(this->tsi, tsi);
+		tsrsub = this->tsr->get_subset(this->tsr, tsr);
+		if (!tsisub || !tsrsub)
+		{
+			DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
+				 "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
+			DESTROY_IF(tsisub);
+			DESTROY_IF(tsrsub);
+			tsi->destroy(tsi);
+			tsr->destroy(tsr);
+			return FALSE;
+		}
+		tsi->destroy(tsi);
+		tsr->destroy(tsr);
+		this->tsi->destroy(this->tsi);
+		this->tsr->destroy(this->tsr);
+		this->tsi = tsisub;
+		this->tsr = tsrsub;
+	}
+	else
+	{
+		this->tsi = tsi;
+		this->tsr = tsr;
+	}
+	return TRUE;
+}
+
+/**
+ * Get encap
+ */
+static encap_t get_encap(ike_sa_t* ike_sa, bool udp)
+{
+	if (!udp)
+	{
+		return ENCAP_NONE;
+	}
+	if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+	{
+		return ENCAP_UDP_DRAFT_00_03;
+	}
+	return ENCAP_UDP;
+}
+
+/**
+ * Get NAT-OA payload type (RFC 3947 or RFC 3947 drafts).
+ */
+static payload_type_t get_nat_oa_payload_type(ike_sa_t *ike_sa)
+{
+	if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
+	{
+		return NAT_OA_DRAFT_00_03_V1;
+	}
+	return NAT_OA_V1;
+}
+
+/**
+ * Add NAT-OA payloads
+ */
+static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
+{
+	identification_t *id;
+	id_payload_t *nat_oa;
+	host_t *src, *dst;
+	payload_type_t nat_oa_payload_type;
+
+	src = message->get_source(message);
+	dst = message->get_destination(message);
+
+	src = this->initiator ? src : dst;
+	dst = this->initiator ? dst : src;
+
+	nat_oa_payload_type = get_nat_oa_payload_type(this->ike_sa);
+
+	/* first NAT-OA is the initiator's address */
+	id = identification_create_from_sockaddr(src->get_sockaddr(src));
+	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
+	message->add_payload(message, (payload_t*)nat_oa);
+	id->destroy(id);
+
+	/* second NAT-OA is that of the responder */
+	id = identification_create_from_sockaddr(dst->get_sockaddr(dst));
+	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
+	message->add_payload(message, (payload_t*)nat_oa);
+	id->destroy(id);
+}
+
+/**
+ * Look up lifetimes
+ */
+static void get_lifetimes(private_quick_mode_t *this)
+{
+	lifetime_cfg_t *lft;
+
+	lft = this->config->get_lifetime(this->config);
+	if (lft->time.life)
+	{
+		this->lifetime = lft->time.life;
+	}
+	else if (lft->bytes.life)
+	{
+		this->lifebytes = lft->bytes.life;
+	}
+	free(lft);
+}
+
+/**
+ * Check and apply lifetimes
+ */
+static void apply_lifetimes(private_quick_mode_t *this, sa_payload_t *sa_payload)
+{
+	u_int32_t lifetime;
+	u_int64_t lifebytes;
+
+	lifetime = sa_payload->get_lifetime(sa_payload);
+	lifebytes = sa_payload->get_lifebytes(sa_payload);
+	if (this->lifetime != lifetime)
+	{
+		DBG1(DBG_IKE, "received %us lifetime, configured %us",
+			 lifetime, this->lifetime);
+		this->lifetime = lifetime;
+	}
+	if (this->lifebytes != lifebytes)
+	{
+		DBG1(DBG_IKE, "received %llu lifebytes, configured %llu",
+			 lifebytes, this->lifebytes);
+		this->lifebytes = lifebytes;
+	}
+}
+
+/**
+ * Set the task ready to build notify error message
+ */
+static status_t send_notify(private_quick_mode_t *this, notify_type_t type)
+{
+	notify_payload_t *notify;
+
+	notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+														  PROTO_ESP, type);
+	notify->set_spi(notify, this->spi_i);
+
+	this->ike_sa->queue_task(this->ike_sa,
+						(task_t*)informational_create(this->ike_sa, notify));
+	/* cancel all active/passive tasks in favour of informational */
+	this->ike_sa->flush_queue(this->ike_sa,
+					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
+	return ALREADY_DONE;
+}
+
+METHOD(task_t, build_i, status_t,
+	private_quick_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case QM_INIT:
+		{
+			enumerator_t *enumerator;
+			sa_payload_t *sa_payload;
+			linked_list_t *list, *tsi, *tsr;
+			proposal_t *proposal;
+			diffie_hellman_group_t group;
+			encap_t encap;
+
+			this->udp = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
+			this->mode = this->config->get_mode(this->config);
+			this->child_sa = child_sa_create(
+									this->ike_sa->get_my_host(this->ike_sa),
+									this->ike_sa->get_other_host(this->ike_sa),
+									this->config, this->reqid, this->udp);
+
+			if (this->udp && this->mode == MODE_TRANSPORT)
+			{
+				/* TODO-IKEv1: disable NAT-T for TRANSPORT mode by default? */
+				add_nat_oa_payloads(this, message);
+			}
+
+			if (this->config->use_ipcomp(this->config))
+			{
+				this->cpi_i = this->child_sa->alloc_cpi(this->child_sa);
+				if (!this->cpi_i)
+				{
+					DBG1(DBG_IKE, "unable to allocate a CPI from kernel, "
+						 "IPComp disabled");
+				}
+			}
+
+			this->spi_i = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+			if (!this->spi_i)
+			{
+				DBG1(DBG_IKE, "allocating SPI from kernel failed");
+				return FAILED;
+			}
+			group = this->config->get_dh_group(this->config);
+			if (group != MODP_NONE)
+			{
+				this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+														  group);
+				if (!this->dh)
+				{
+					DBG1(DBG_IKE, "configured DH group %N not supported",
+						 diffie_hellman_group_names, group);
+					return FAILED;
+				}
+			}
+
+			list = this->config->get_proposals(this->config, FALSE);
+			enumerator = list->create_enumerator(list);
+			while (enumerator->enumerate(enumerator, &proposal))
+			{
+				if (group != MODP_NONE)
+				{
+					if (!proposal->has_dh_group(proposal, group))
+					{
+						list->remove_at(list, enumerator);
+						proposal->destroy(proposal);
+						continue;
+					}
+					proposal->strip_dh(proposal, group);
+				}
+				proposal->set_spi(proposal, this->spi_i);
+			}
+			enumerator->destroy(enumerator);
+
+			get_lifetimes(this);
+			encap = get_encap(this->ike_sa, this->udp);
+			sa_payload = sa_payload_create_from_proposals_v1(list,
+								this->lifetime, this->lifebytes, AUTH_NONE,
+								this->mode, encap, this->cpi_i);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			message->add_payload(message, &sa_payload->payload_interface);
+
+			if (!add_nonce(this, &this->nonce_i, message))
+			{
+				return FAILED;
+			}
+			if (group != MODP_NONE)
+			{
+				add_ke(this, message);
+			}
+			if (!this->tsi)
+			{
+				this->tsi = select_ts(this, TRUE, NULL);
+			}
+			if (!this->tsr)
+			{
+				this->tsr = select_ts(this, FALSE, NULL);
+			}
+			tsi = linked_list_create_with_items(this->tsi, NULL);
+			tsr = linked_list_create_with_items(this->tsr, NULL);
+			this->tsi = this->tsr = NULL;
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_INITIATOR_PRE_AUTH, tsi, tsr);
+			tsi->remove_first(tsi, (void**)&this->tsi);
+			tsr->remove_first(tsr, (void**)&this->tsr);
+			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+			if (!this->tsi || !this->tsr)
+			{
+				return FAILED;
+			}
+			add_ts(this, message);
+			return NEED_MORE;
+		}
+		case QM_NEGOTIATED:
+		{
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+/**
+ * Check for notify errors, return TRUE if error found
+ */
+static bool has_notify_errors(private_quick_mode_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool err = FALSE;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY_V1)
+		{
+			notify_payload_t *notify;
+			notify_type_t type;
+
+			notify = (notify_payload_t*)payload;
+			type = notify->get_notify_type(notify);
+			if (type < 16384)
+			{
+
+				DBG1(DBG_IKE, "received %N error notify",
+					 notify_type_names, type);
+				err = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return err;
+}
+
+/**
+ * Check if this is a rekey for an existing CHILD_SA, reuse reqid if so
+ */
+static void check_for_rekeyed_child(private_quick_mode_t *this)
+{
+	enumerator_t *enumerator, *policies;
+	traffic_selector_t *local, *remote;
+	child_sa_t *child_sa;
+	proposal_t *proposal;
+	char *name;
+
+	name = this->config->get_name(this->config);
+	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+	while (this->reqid == 0 && enumerator->enumerate(enumerator, &child_sa))
+	{
+		if (streq(child_sa->get_name(child_sa), name))
+		{
+			proposal = child_sa->get_proposal(child_sa);
+			switch (child_sa->get_state(child_sa))
+			{
+				case CHILD_INSTALLED:
+				case CHILD_REKEYING:
+					policies = child_sa->create_policy_enumerator(child_sa);
+					if (policies->enumerate(policies, &local, &remote) &&
+						local->equals(local, this->tsr) &&
+						remote->equals(remote, this->tsi) &&
+						this->proposal->equals(this->proposal, proposal))
+					{
+						this->reqid = child_sa->get_reqid(child_sa);
+						this->rekey = child_sa->get_spi(child_sa, TRUE);
+						child_sa->set_state(child_sa, CHILD_REKEYING);
+						DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
+							 child_sa->get_name(child_sa), this->reqid);
+					}
+					policies->destroy(policies);
+				break;
+			default:
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, process_r, status_t,
+	private_quick_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case QM_INIT:
+		{
+			sa_payload_t *sa_payload;
+			linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
+			peer_cfg_t *peer_cfg;
+			u_int16_t group;
+			bool private;
+
+			sa_payload = (sa_payload_t*)message->get_payload(message,
+													SECURITY_ASSOCIATION_V1);
+			if (!sa_payload)
+			{
+				DBG1(DBG_IKE, "sa payload missing");
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+
+			this->mode = sa_payload->get_encap_mode(sa_payload, &this->udp);
+
+			if (!get_ts(this, message))
+			{
+				return FAILED;
+			}
+			peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+			tsi = linked_list_create_with_items(this->tsi, NULL);
+			tsr = linked_list_create_with_items(this->tsr, NULL);
+			this->tsi = this->tsr = NULL;
+			hostsi = get_dynamic_hosts(this->ike_sa, FALSE);
+			hostsr = get_dynamic_hosts(this->ike_sa, TRUE);
+			this->config = peer_cfg->select_child_cfg(peer_cfg, tsr, tsi,
+													  hostsr, hostsi);
+			hostsi->destroy(hostsi);
+			hostsr->destroy(hostsr);
+			if (this->config)
+			{
+				this->tsi = select_ts(this, FALSE, tsi);
+				this->tsr = select_ts(this, TRUE, tsr);
+			}
+			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+			if (!this->config || !this->tsi || !this->tsr)
+			{
+				DBG1(DBG_IKE, "no matching CHILD_SA config found");
+				return send_notify(this, INVALID_ID_INFORMATION);
+			}
+
+			if (this->config->use_ipcomp(this->config))
+			{
+				list = sa_payload->get_ipcomp_proposals(sa_payload,
+														&this->cpi_i);
+				if (!list->get_count(list))
+				{
+					DBG1(DBG_IKE, "expected IPComp proposal but peer did "
+						 "not send one, IPComp disabled");
+					this->cpi_i = 0;
+				}
+			}
+			if (!list || !list->get_count(list))
+			{
+				DESTROY_IF(list);
+				list = sa_payload->get_proposals(sa_payload);
+			}
+			private = this->ike_sa->supports_extension(this->ike_sa,
+													   EXT_STRONGSWAN);
+			this->proposal = this->config->select_proposal(this->config,
+														   list, FALSE, private);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+
+			get_lifetimes(this);
+			apply_lifetimes(this, sa_payload);
+
+			if (!this->proposal)
+			{
+				DBG1(DBG_IKE, "no matching proposal found, sending %N",
+					 notify_type_names, NO_PROPOSAL_CHOSEN);
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			this->spi_i = this->proposal->get_spi(this->proposal);
+
+			if (!get_nonce(this, &this->nonce_i, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+
+			if (this->proposal->get_algorithm(this->proposal,
+										DIFFIE_HELLMAN_GROUP, &group, NULL))
+			{
+				this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+														  group);
+				if (!this->dh)
+				{
+					DBG1(DBG_IKE, "negotiated DH group %N not supported",
+						 diffie_hellman_group_names, group);
+					return send_notify(this, INVALID_KEY_INFORMATION);
+				}
+				if (!get_ke(this, message))
+				{
+					return send_notify(this, INVALID_PAYLOAD_TYPE);
+				}
+			}
+
+			check_for_rekeyed_child(this);
+
+			this->child_sa = child_sa_create(
+									this->ike_sa->get_my_host(this->ike_sa),
+									this->ike_sa->get_other_host(this->ike_sa),
+									this->config, this->reqid, this->udp);
+
+			tsi = linked_list_create_with_items(this->tsi, NULL);
+			tsr = linked_list_create_with_items(this->tsr, NULL);
+			this->tsi = this->tsr = NULL;
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_RESPONDER, tsr, tsi);
+			if (tsi->remove_first(tsi, (void**)&this->tsi) != SUCCESS ||
+				tsr->remove_first(tsr, (void**)&this->tsr) != SUCCESS)
+			{
+				tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+				tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+				return send_notify(this, INVALID_ID_INFORMATION);
+			}
+			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
+			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
+
+			return NEED_MORE;
+		}
+		case QM_NEGOTIATED:
+		{
+			if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
+				has_notify_errors(this, message))
+			{
+				return SUCCESS;
+			}
+			if (!install(this))
+			{
+				ike_sa_t *ike_sa = this->ike_sa;
+				task_t *task;
+
+				task = (task_t*)quick_delete_create(this->ike_sa,
+								this->proposal->get_protocol(this->proposal),
+								this->spi_i, TRUE, TRUE);
+				/* flush_queue() destroys the current task */
+				ike_sa->flush_queue(ike_sa, TASK_QUEUE_PASSIVE);
+				ike_sa->queue_task(ike_sa, task);
+				return ALREADY_DONE;
+			}
+			return SUCCESS;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, build_r, status_t,
+	private_quick_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case QM_INIT:
+		{
+			sa_payload_t *sa_payload;
+			encap_t encap;
+
+			this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+			if (!this->spi_r)
+			{
+				DBG1(DBG_IKE, "allocating SPI from kernel failed");
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			this->proposal->set_spi(this->proposal, this->spi_r);
+
+			if (this->cpi_i)
+			{
+				this->cpi_r = this->child_sa->alloc_cpi(this->child_sa);
+				if (!this->cpi_r)
+				{
+					DBG1(DBG_IKE, "unable to allocate a CPI from "
+						 "kernel, IPComp disabled");
+					return send_notify(this, NO_PROPOSAL_CHOSEN);
+				}
+			}
+
+			if (this->udp && this->mode == MODE_TRANSPORT)
+			{
+				/* TODO-IKEv1: disable NAT-T for TRANSPORT mode by default? */
+				add_nat_oa_payloads(this, message);
+			}
+
+			encap = get_encap(this->ike_sa, this->udp);
+			sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
+								this->lifetime, this->lifebytes, AUTH_NONE,
+								this->mode, encap, this->cpi_r);
+			message->add_payload(message, &sa_payload->payload_interface);
+
+			if (!add_nonce(this, &this->nonce_r, message))
+			{
+				return FAILED;
+			}
+			if (this->dh)
+			{
+				add_ke(this, message);
+			}
+
+			add_ts(this, message);
+
+			this->state = QM_NEGOTIATED;
+			return NEED_MORE;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, process_i, status_t,
+	private_quick_mode_t *this, message_t *message)
+{
+	switch (this->state)
+	{
+		case QM_INIT:
+		{
+			sa_payload_t *sa_payload;
+			linked_list_t *list = NULL;
+			bool private;
+
+			sa_payload = (sa_payload_t*)message->get_payload(message,
+													SECURITY_ASSOCIATION_V1);
+			if (!sa_payload)
+			{
+				DBG1(DBG_IKE, "sa payload missing");
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			if (this->cpi_i)
+			{
+				list = sa_payload->get_ipcomp_proposals(sa_payload,
+														&this->cpi_r);
+				if (!list->get_count(list))
+				{
+					DBG1(DBG_IKE, "peer did not acccept our IPComp proposal, "
+						 "IPComp disabled");
+					this->cpi_i = 0;
+				}
+			}
+			if (!list || !list->get_count(list))
+			{
+				DESTROY_IF(list);
+				list = sa_payload->get_proposals(sa_payload);
+			}
+			private = this->ike_sa->supports_extension(this->ike_sa,
+													   EXT_STRONGSWAN);
+			this->proposal = this->config->select_proposal(this->config,
+														   list, FALSE, private);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			if (!this->proposal)
+			{
+				DBG1(DBG_IKE, "no matching proposal found");
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			this->spi_r = this->proposal->get_spi(this->proposal);
+
+			apply_lifetimes(this, sa_payload);
+
+			if (!get_nonce(this, &this->nonce_r, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			if (this->dh && !get_ke(this, message))
+			{
+				return send_notify(this, INVALID_KEY_INFORMATION);
+			}
+			if (!get_ts(this, message))
+			{
+				return send_notify(this, INVALID_PAYLOAD_TYPE);
+			}
+			if (!install(this))
+			{
+				return send_notify(this, NO_PROPOSAL_CHOSEN);
+			}
+			this->state = QM_NEGOTIATED;
+			return NEED_MORE;
+		}
+		default:
+			return FAILED;
+	}
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_quick_mode_t *this)
+{
+	return TASK_QUICK_MODE;
+}
+
+METHOD(quick_mode_t, use_reqid, void,
+	private_quick_mode_t *this, u_int32_t reqid)
+{
+	this->reqid = reqid;
+}
+
+METHOD(quick_mode_t, rekey, void,
+	private_quick_mode_t *this, u_int32_t spi)
+{
+	this->rekey = spi;
+}
+
+METHOD(task_t, migrate, void,
+	private_quick_mode_t *this, ike_sa_t *ike_sa)
+{
+	chunk_free(&this->nonce_i);
+	chunk_free(&this->nonce_r);
+	DESTROY_IF(this->tsi);
+	DESTROY_IF(this->tsr);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->child_sa);
+	DESTROY_IF(this->dh);
+
+	this->ike_sa = ike_sa;
+	this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+	this->state = QM_INIT;
+	this->tsi = NULL;
+	this->tsr = NULL;
+	this->proposal = NULL;
+	this->child_sa = NULL;
+	this->dh = NULL;
+	this->spi_i = 0;
+	this->spi_r = 0;
+
+	if (!this->initiator)
+	{
+		DESTROY_IF(this->config);
+		this->config = NULL;
+	}
+}
+
+METHOD(task_t, destroy, void,
+	private_quick_mode_t *this)
+{
+	chunk_free(&this->nonce_i);
+	chunk_free(&this->nonce_r);
+	DESTROY_IF(this->tsi);
+	DESTROY_IF(this->tsr);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->child_sa);
+	DESTROY_IF(this->config);
+	DESTROY_IF(this->dh);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
+							traffic_selector_t *tsi, traffic_selector_t *tsr)
+{
+	private_quick_mode_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+			.use_reqid = _use_reqid,
+			.rekey = _rekey,
+		},
+		.ike_sa = ike_sa,
+		.initiator = config != NULL,
+		.config = config,
+		.keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
+		.state = QM_INIT,
+		.tsi = tsi ? tsi->clone(tsi) : NULL,
+		.tsr = tsr ? tsr->clone(tsr) : NULL,
+	);
+
+	if (config)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h
new file mode 100644
index 000000000..0b80cb836
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup quick_mode quick_mode
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef QUICK_MODE_H_
+#define QUICK_MODE_H_
+
+typedef struct quick_mode_t quick_mode_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * IKEv1 quick mode, establishes a CHILD_SA in IKEv1.
+ */
+struct quick_mode_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+
+	/**
+	 * Use a specific reqid to install this CHILD_SA.
+	 *
+	 * @param reqid			reqid to use
+	 */
+	void (*use_reqid)(quick_mode_t *this, u_int32_t reqid);
+
+	/**
+	 * Set the SPI of the old SA, if rekeying.
+	 *
+	 * @param spi			spi of SA to rekey
+	 */
+	void (*rekey)(quick_mode_t *this, u_int32_t spi);
+};
+
+/**
+ * Create a new quick_mode task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param config		child_cfg if task initiator, NULL if responder
+ * @param tsi			source of triggering packet, or NULL
+ * @param tsr			destination of triggering packet, or NULL
+ * @return				task to handle by the task_manager
+ */
+quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
+							traffic_selector_t *tsi, traffic_selector_t *tsr);
+
+#endif /** QUICK_MODE_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
new file mode 100644
index 000000000..31114e592
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -0,0 +1,559 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <encoding/payloads/cp_payload.h>
+#include <processing/jobs/adopt_children_job.h>
+
+typedef struct private_xauth_t private_xauth_t;
+
+/**
+ * Status types exchanged
+ */
+typedef enum {
+	XAUTH_FAILED = 0,
+	XAUTH_OK = 1,
+} xauth_status_t;
+
+/**
+ * Private members of a xauth_t task.
+ */
+struct private_xauth_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	xauth_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the XAUTH initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * XAuth backend to use
+	 */
+	xauth_method_t *xauth;
+
+	/**
+	 * XAuth username
+	 */
+	identification_t *user;
+
+	/**
+	 * Generated configuration payload
+	 */
+	cp_payload_t *cp;
+
+	/**
+	 * received identifier
+	 */
+	u_int16_t identifier;
+
+	/**
+	 * status of Xauth exchange
+	 */
+	xauth_status_t status;
+};
+
+/**
+ * Load XAuth backend
+ */
+static xauth_method_t *load_method(private_xauth_t* this)
+{
+	identification_t *server, *peer;
+	enumerator_t *enumerator;
+	xauth_method_t *xauth;
+	xauth_role_t role;
+	peer_cfg_t *peer_cfg;
+	auth_cfg_t *auth;
+	char *name;
+
+	if (this->initiator)
+	{
+		server = this->ike_sa->get_my_id(this->ike_sa);
+		peer = this->ike_sa->get_other_id(this->ike_sa);
+		role = XAUTH_SERVER;
+	}
+	else
+	{
+		peer = this->ike_sa->get_my_id(this->ike_sa);
+		server = this->ike_sa->get_other_id(this->ike_sa);
+		role = XAUTH_PEER;
+	}
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, !this->initiator);
+	if (!enumerator->enumerate(enumerator, &auth) ||
+		(uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_XAUTH)
+	{
+		if (!enumerator->enumerate(enumerator, &auth) ||
+			(uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_XAUTH)
+		{
+			DBG1(DBG_CFG, "no XAuth authentication round found");
+			enumerator->destroy(enumerator);
+			return NULL;
+		}
+	}
+	name = auth->get(auth, AUTH_RULE_XAUTH_BACKEND);
+	this->user = auth->get(auth, AUTH_RULE_XAUTH_IDENTITY);
+	enumerator->destroy(enumerator);
+	if (!this->initiator && this->user)
+	{	/* use XAUTH username, if configured */
+		peer = this->user;
+	}
+	xauth = charon->xauth->create_instance(charon->xauth, name, role,
+										   server, peer);
+	if (!xauth)
+	{
+		if (name)
+		{
+			DBG1(DBG_CFG, "no XAuth method found named '%s'", name);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "no XAuth method found");
+		}
+	}
+	return xauth;
+}
+
+/**
+ * Check if XAuth connection is allowed to succeed
+ */
+static bool allowed(private_xauth_t *this)
+{
+	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+												 this->ike_sa, FALSE))
+	{
+		DBG1(DBG_IKE, "cancelling XAuth due to uniqueness policy");
+		return FALSE;
+	}
+	if (!charon->bus->authorize(charon->bus, FALSE))
+	{
+		DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Set IKE_SA to established state
+ */
+static bool establish(private_xauth_t *this)
+{
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+
+	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	return TRUE;
+}
+
+/**
+ * Check if we are compliant to a given peer config
+ */
+static bool is_compliant(private_xauth_t *this, peer_cfg_t *peer_cfg, bool log)
+{
+	bool complies = TRUE;
+	enumerator_t *e1, *e2;
+	auth_cfg_t *c1, *c2;
+
+	e1 = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+	e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
+	while (e1->enumerate(e1, &c1))
+	{
+		if (!e2->enumerate(e2, &c2) || !c2->complies(c2, c1, log))
+		{
+			complies = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	return complies;
+}
+
+/**
+ * Check if we are compliant to current config, switch to another if not
+ */
+static bool select_compliant_config(private_xauth_t *this)
+{
+	peer_cfg_t *peer_cfg = NULL, *old, *current;
+	identification_t *my_id, *other_id;
+	host_t *my_host, *other_host;
+	enumerator_t *enumerator;
+	bool aggressive;
+
+	old = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (is_compliant(this, old, TRUE))
+	{	/* current config is fine */
+		return TRUE;
+	}
+	DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
+		 old->get_name(old));
+	aggressive = old->use_aggressive(old);
+
+	my_host = this->ike_sa->get_my_host(this->ike_sa);
+	other_host = this->ike_sa->get_other_host(this->ike_sa);
+	my_id = this->ike_sa->get_my_id(this->ike_sa);
+	other_id = this->ike_sa->get_other_id(this->ike_sa);
+	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+								my_host, other_host, my_id, other_id, IKEV1);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (!current->equals(current, old) &&
+			current->use_aggressive(current) == aggressive &&
+			is_compliant(this, current, FALSE))
+		{
+			peer_cfg = current;
+			break;
+		}
+	}
+	if (peer_cfg)
+	{
+		DBG1(DBG_CFG, "switching to peer config '%s'",
+			 peer_cfg->get_name(peer_cfg));
+		this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "no alternative config found");
+	}
+	enumerator->destroy(enumerator);
+
+	return peer_cfg != NULL;
+}
+
+/**
+ * Create auth config after successful authentication
+ */
+static bool add_auth_cfg(private_xauth_t *this, identification_t *id, bool local)
+{
+	auth_cfg_t *auth;
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH);
+	auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id));
+	auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), FALSE);
+	this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
+
+	return select_compliant_config(this);
+}
+
+METHOD(task_t, build_i_status, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_SET);
+	cp->add_attribute(cp,
+			configuration_attribute_create_value(XAUTH_STATUS, this->status));
+
+	message->add_payload(message, (payload_t *)cp);
+
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i_status, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+
+	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+	if (!cp || cp->get_type(cp) != CFG_ACK)
+	{
+		DBG1(DBG_IKE, "received invalid XAUTH status response");
+		return FAILED;
+	}
+	if (this->status != XAUTH_OK)
+	{
+		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
+		return FAILED;
+	}
+	if (!establish(this))
+	{
+		return FAILED;
+	}
+	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
+	lib->processor->queue_job(lib->processor, (job_t*)
+				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+	return SUCCESS;
+}
+
+METHOD(task_t, build_i, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	if (!this->xauth)
+	{
+		cp_payload_t *cp = NULL;
+
+		this->xauth = load_method(this);
+		if (!this->xauth)
+		{
+			return FAILED;
+		}
+		switch (this->xauth->initiate(this->xauth, &cp))
+		{
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				DESTROY_IF(cp);
+				this->status = XAUTH_OK;
+				this->public.task.process = _process_i_status;
+				return build_i_status(this, message);
+			default:
+				return FAILED;
+		}
+		message->add_payload(message, (payload_t *)cp);
+		return NEED_MORE;
+	}
+
+	if (this->cp)
+	{	/* send previously generated payload */
+		message->add_payload(message, (payload_t *)this->cp);
+		this->cp = NULL;
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(task_t, build_r_ack, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+
+	cp = cp_payload_create_type(CONFIGURATION_V1, CFG_ACK);
+	cp->set_identifier(cp, this->identifier);
+	cp->add_attribute(cp,
+			configuration_attribute_create_chunk(
+					CONFIGURATION_ATTRIBUTE_V1, XAUTH_STATUS, chunk_empty));
+
+	message->add_payload(message, (payload_t *)cp);
+
+	if (this->status == XAUTH_OK && allowed(this) && establish(this))
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+
+	if (!this->xauth)
+	{
+		this->xauth = load_method(this);
+		if (!this->xauth)
+		{	/* send empty reply */
+			return NEED_MORE;
+		}
+	}
+	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+	if (!cp)
+	{
+		DBG1(DBG_IKE, "configuration payload missing in XAuth request");
+		return FAILED;
+	}
+	if (cp->get_type(cp) == CFG_REQUEST)
+	{
+		switch (this->xauth->process(this->xauth, cp, &this->cp))
+		{
+			case NEED_MORE:
+				return NEED_MORE;
+			case SUCCESS:
+			case FAILED:
+			default:
+				break;
+		}
+		this->cp = NULL;
+		return NEED_MORE;
+	}
+	if (cp->get_type(cp) == CFG_SET)
+	{
+		configuration_attribute_t *attribute;
+		enumerator_t *enumerator;
+
+		enumerator = cp->create_attribute_enumerator(cp);
+		while (enumerator->enumerate(enumerator, &attribute))
+		{
+			if (attribute->get_type(attribute) == XAUTH_STATUS)
+			{
+				this->status = attribute->get_value(attribute);
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (this->status == XAUTH_OK &&
+			add_auth_cfg(this, this->xauth->get_identity(this->xauth), TRUE))
+		{
+			DBG1(DBG_IKE, "XAuth authentication of '%Y' (myself) successful",
+				 this->xauth->get_identity(this->xauth));
+		}
+		else
+		{
+			DBG1(DBG_IKE, "XAuth authentication of '%Y' (myself) failed",
+				 this->xauth->get_identity(this->xauth));
+		}
+	}
+	this->identifier = cp->get_identifier(cp);
+	this->public.task.build = _build_r_ack;
+	return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	if (!this->cp)
+	{	/* send empty reply if building data failed */
+		this->cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+	}
+	message->add_payload(message, (payload_t *)this->cp);
+	this->cp = NULL;
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	identification_t *id;
+	cp_payload_t *cp;
+
+	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+	if (!cp)
+	{
+		DBG1(DBG_IKE, "configuration payload missing in XAuth response");
+		return FAILED;
+	}
+	switch (this->xauth->process(this->xauth, cp, &this->cp))
+	{
+		case NEED_MORE:
+			return NEED_MORE;
+		case SUCCESS:
+			id = this->xauth->get_identity(this->xauth);
+			if (this->user && !id->matches(id, this->user))
+			{
+				DBG1(DBG_IKE, "XAuth username '%Y' does not match to "
+					 "configured username '%Y'", id, this->user);
+				break;
+			}
+			DBG1(DBG_IKE, "XAuth authentication of '%Y' successful", id);
+			if (add_auth_cfg(this, id, FALSE) && allowed(this))
+			{
+				this->status = XAUTH_OK;
+			}
+			break;
+		case FAILED:
+			DBG1(DBG_IKE, "XAuth authentication of '%Y' failed",
+				 this->xauth->get_identity(this->xauth));
+			break;
+		default:
+			return FAILED;
+	}
+	this->public.task.build = _build_i_status;
+	this->public.task.process = _process_i_status;
+	return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_xauth_t *this)
+{
+	return TASK_XAUTH;
+}
+
+METHOD(task_t, migrate, void,
+	private_xauth_t *this, ike_sa_t *ike_sa)
+{
+	DESTROY_IF(this->xauth);
+	DESTROY_IF(this->cp);
+
+	this->ike_sa = ike_sa;
+	this->xauth = NULL;
+	this->cp = NULL;
+	this->user = NULL;
+	this->status = XAUTH_FAILED;
+
+	if (this->initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+}
+
+METHOD(task_t, destroy, void,
+	private_xauth_t *this)
+{
+	DESTROY_IF(this->xauth);
+	DESTROY_IF(this->cp);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_t *xauth_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_xauth_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.initiator = initiator,
+		.ike_sa = ike_sa,
+		.status = XAUTH_FAILED,
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.h b/src/libcharon/sa/ikev1/tasks/xauth.h
new file mode 100644
index 000000000..303eb31ce
--- /dev/null
+++ b/src/libcharon/sa/ikev1/tasks/xauth.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_t xauth
+ * @{ @ingroup tasks_v1
+ */
+
+#ifndef XAUTH_H_
+#define XAUTH_H_
+
+typedef struct xauth_t xauth_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_XAUTH, additional authentication after main/aggressive mode.
+ */
+struct xauth_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new xauth task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE for initiator
+ * @return				xauth task to handle by the task_manager
+ */
+xauth_t *xauth_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** XAUTH_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index 5c8f0b6ce..b8359cc88 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -16,7 +17,8 @@
 #include "eap_authenticator.h"
 
 #include <daemon.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/keymat_v2.h>
+#include <sa/eap/eap_method.h>
 #include <encoding/payloads/auth_payload.h>
 #include <encoding/payloads/eap_payload.h>
 
@@ -185,9 +187,9 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
 	if (this->method)
 	{
 		action = "initiating";
-		type = this->method->get_type(this->method, &vendor);
 		if (this->method->initiate(this->method, &out) == NEED_MORE)
 		{
+			type = this->method->get_type(this->method, &vendor);
 			if (vendor)
 			{
 				DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method (id 0x%02X)",
@@ -200,6 +202,8 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
 			}
 			return out;
 		}
+		/* type might have changed for virtual methods */
+		type = this->method->get_type(this->method, &vendor);
 	}
 	if (vendor)
 	{
@@ -232,9 +236,10 @@ static void replace_eap_identity(private_eap_authenticator_t *this)
 static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 										 eap_payload_t *in)
 {
-	eap_type_t type, received_type;
-	u_int32_t vendor, received_vendor;
+	eap_type_t type, received_type, conf_type;
+	u_int32_t vendor, received_vendor, conf_vendor;
 	eap_payload_t *out;
+	auth_cfg_t *auth;
 
 	if (in->get_code(in) != EAP_RESPONSE)
 	{
@@ -249,15 +254,25 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 	{
 		if (received_vendor == 0 && received_type == EAP_NAK)
 		{
-			DBG1(DBG_IKE, "received %N, sending %N",
-				 eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+			auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+			conf_type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
+			conf_vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+			if ((type == EAP_IDENTITY && !vendor) ||
+				(type == conf_type && vendor == conf_vendor))
+			{
+				DBG1(DBG_IKE, "received %N, sending %N",
+					 eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+				return eap_payload_create_code(EAP_FAILURE,
+											   in->get_identifier(in));
+			}
+			/* virtual methods handle NAKs in process() */
 		}
 		else
 		{
 			DBG1(DBG_IKE, "received invalid EAP response, sending %N",
 				 eap_code_names, EAP_FAILURE);
+			return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
 		}
-		return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
 	}
 
 	switch (this->method->process(this->method, in, &out))
@@ -301,6 +316,8 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 			return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
 		case FAILED:
 		default:
+			/* type might have changed for virtual methods */
+			type = this->method->get_type(this->method, &vendor);
 			if (vendor)
 			{
 				DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
@@ -323,8 +340,8 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 										 eap_payload_t *in)
 {
-	eap_type_t type;
-	u_int32_t vendor;
+	eap_type_t type, conf_type;
+	u_int32_t vendor, conf_vendor;
 	auth_cfg_t *auth;
 	eap_payload_t *out;
 	identification_t *id;
@@ -356,27 +373,49 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 			this->method->destroy(this->method);
 			this->method = NULL;
 		}
+		/* FIXME: sending a Nak is not correct here as EAP_IDENTITY (1) is no
+		 * EAP method (types 3-253, 255) */
 		DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
 			 eap_type_names, type);
-		return eap_payload_create_nak(in->get_identifier(in));
+		return eap_payload_create_nak(in->get_identifier(in), 0, 0, FALSE);
 	}
 	if (this->method == NULL)
 	{
 		if (vendor)
 		{
 			DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d ",
-				 		  "(id 0x%02X)", type, vendor, in->get_identifier(in));
+						  "(id 0x%02X)", type, vendor, in->get_identifier(in));
 		}
 		else
 		{
 			DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)",
 				 eap_type_names, type, in->get_identifier(in));
 		}
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+		conf_type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
+		conf_vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+		if (conf_type != EAP_NAK &&
+		   (conf_type != type || conf_vendor != vendor))
+		{
+			if (conf_vendor)
+			{
+				DBG1(DBG_IKE, "requesting EAP method %d-%d, sending EAP_NAK",
+					 conf_type, conf_vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "requesting %N authentication, sending EAP_NAK",
+					 eap_type_names, conf_type);
+			}
+			return eap_payload_create_nak(in->get_identifier(in), conf_type,
+										  conf_vendor, in->is_expanded(in));
+		}
 		this->method = load_method(this, type, vendor, EAP_PEER);
 		if (!this->method)
 		{
 			DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
-			return eap_payload_create_nak(in->get_identifier(in));
+			return eap_payload_create_nak(in->get_identifier(in), 0, 0,
+										  in->is_expanded(in));
 		}
 	}
 
@@ -408,7 +447,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 	chunk_t auth_data, recv_auth_data;
 	identification_t *other_id;
 	auth_cfg_t *auth;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
 	auth_payload = (auth_payload_t*)message->get_payload(message,
 														 AUTHENTICATION);
@@ -418,9 +457,12 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 		return FALSE;
 	}
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
-									this->msk, other_id, this->reserved);
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (!keymat->get_psk_sig(keymat, TRUE, init, nonce,
+							 this->msk, other_id, this->reserved, &auth_data))
+	{
+		return FALSE;
+	}
 	recv_auth_data = auth_payload->get_data(auth_payload);
 	if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
 	{
@@ -442,27 +484,31 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 /**
  * Build AUTH payload
  */
-static void build_auth(private_eap_authenticator_t *this, message_t *message,
+static bool build_auth(private_eap_authenticator_t *this, message_t *message,
 					   chunk_t nonce, chunk_t init)
 {
 	auth_payload_t *auth_payload;
 	identification_t *my_id;
 	chunk_t auth_data;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_class_names, AUTH_CLASS_EAP);
 
-	auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce,
-									this->msk, my_id, this->reserved);
+	if (!keymat->get_psk_sig(keymat, FALSE, init, nonce,
+							this->msk, my_id, this->reserved, &auth_data))
+	{
+		return FALSE;
+	}
 	auth_payload = auth_payload_create();
 	auth_payload->set_auth_method(auth_payload, AUTH_PSK);
 	auth_payload->set_data(auth_payload, auth_data);
 	message->add_payload(message, (payload_t*)auth_payload);
 	chunk_free(&auth_data);
+	return TRUE;
 }
 
 METHOD(authenticator_t, process_server, status_t,
@@ -512,9 +558,9 @@ METHOD(authenticator_t, build_server, status_t,
 		}
 		return NEED_MORE;
 	}
-	if (this->eap_complete && this->auth_complete)
+	if (this->eap_complete && this->auth_complete &&
+		build_auth(this, message, this->received_nonce, this->sent_init))
 	{
-		build_auth(this, message, this->received_nonce, this->sent_init);
 		return SUCCESS;
 	}
 	return FAILED;
@@ -610,9 +656,9 @@ METHOD(authenticator_t, build_client, status_t,
 		this->eap_payload = NULL;
 		return NEED_MORE;
 	}
-	if (this->eap_complete)
+	if (this->eap_complete &&
+		build_auth(this, message, this->received_nonce, this->sent_init))
 	{
-		build_auth(this, message, this->received_nonce, this->sent_init);
 		return NEED_MORE;
 	}
 	return NEED_MORE;
@@ -621,6 +667,16 @@ METHOD(authenticator_t, build_client, status_t,
 METHOD(authenticator_t, is_mutual, bool,
 	private_eap_authenticator_t *this)
 {
+	if (this->method)
+	{
+		u_int32_t vendor;
+
+		if (this->method->get_type(this->method, &vendor) != EAP_IDENTITY ||
+			vendor != 0)
+		{
+			return this->method->is_mutual(this->method);
+		}
+	}
 	/* we don't know yet, but insist on it after EAP is complete */
 	this->require_mutual = TRUE;
 	return TRUE;
@@ -695,4 +751,3 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
index 726411a18..d81ebd562 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup eap_authenticator eap_authenticator
- * @{ @ingroup authenticators
+ * @{ @ingroup authenticators_v2
  */
 
 #ifndef EAP_AUTHENTICATOR_H_
@@ -23,7 +23,7 @@
 
 typedef struct eap_authenticator_t eap_authenticator_t;
 
-#include <sa/authenticators/authenticator.h>
+#include <sa/authenticator.h>
 
 /**
  * Implementation of authenticator_t using EAP authentication.
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
index 21fc0f9b8..997efe359 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
@@ -18,6 +18,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/auth_payload.h>
+#include <sa/ikev2/keymat_v2.h>
 
 typedef struct private_psk_authenticator_t private_psk_authenticator_t;
 
@@ -59,9 +60,9 @@ METHOD(authenticator_t, build, status_t,
 	auth_payload_t *auth_payload;
 	shared_key_t *key;
 	chunk_t auth_data;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
@@ -72,8 +73,12 @@ METHOD(authenticator_t, build, status_t,
 		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
 		return NOT_FOUND;
 	}
-	auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
-						this->nonce, key->get_key(key), my_id, this->reserved);
+	if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
+						key->get_key(key), my_id, this->reserved, &auth_data))
+	{
+		key->destroy(key);
+		return FAILED;
+	}
 	key->destroy(key);
 	DBG2(DBG_IKE, "successfully created shared key MAC");
 	auth_payload = auth_payload_create();
@@ -96,14 +101,14 @@ METHOD(authenticator_t, process, status_t,
 	enumerator_t *enumerator;
 	bool authenticated = FALSE;
 	int keys_found = 0;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
 	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	if (!auth_payload)
 	{
 		return FAILED;
 	}
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 	recv_auth_data = auth_payload->get_data(auth_payload);
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
@@ -113,8 +118,11 @@ METHOD(authenticator_t, process, status_t,
 	{
 		keys_found++;
 
-		auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
-				this->nonce, key->get_key(key), other_id, this->reserved);
+		if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce,
+					key->get_key(key), other_id, this->reserved, &auth_data))
+		{
+			continue;
+		}
 		if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
 		{
 			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
@@ -201,4 +209,3 @@ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
index 8cf1a0f98..91c534145 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup psk_authenticator psk_authenticator
- * @{ @ingroup authenticators
+ * @{ @ingroup authenticators_v2
  */
 
 #ifndef PSK_AUTHENTICATOR_H_
@@ -23,7 +23,7 @@
 
 typedef struct psk_authenticator_t psk_authenticator_t;
 
-#include <sa/authenticators/authenticator.h>
+#include <sa/authenticator.h>
 
 /**
  * Implementation of authenticator_t using pre-shared keys.
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 247891670..5ceff40ba 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -19,6 +19,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/auth_payload.h>
+#include <sa/ikev2/keymat_v2.h>
 
 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
 
@@ -56,7 +57,7 @@ struct private_pubkey_authenticator_t {
 METHOD(authenticator_t, build, status_t,
 	private_pubkey_authenticator_t *this, message_t *message)
 {
-	chunk_t octets, auth_data;
+	chunk_t octets = chunk_empty, auth_data;
 	status_t status = FAILED;
 	private_key_t *private;
 	identification_t *id;
@@ -64,7 +65,7 @@ METHOD(authenticator_t, build, status_t,
 	auth_payload_t *auth_payload;
 	auth_method_t auth_method;
 	signature_scheme_t scheme;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
 	id = this->ike_sa->get_my_id(this->ike_sa);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
@@ -110,10 +111,10 @@ METHOD(authenticator_t, build, status_t,
 					key_type_names, private->get_type(private));
 			return status;
 	}
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-									 this->nonce, id, this->reserved);
-	if (private->sign(private, scheme, octets, &auth_data))
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+								this->nonce, id, this->reserved, &octets) &&
+		private->sign(private, scheme, octets, &auth_data))
 	{
 		auth_payload = auth_payload_create();
 		auth_payload->set_auth_method(auth_payload, auth_method);
@@ -144,7 +145,7 @@ METHOD(authenticator_t, process, status_t,
 	key_type_t key_type = KEY_ECDSA;
 	signature_scheme_t scheme;
 	status_t status = NOT_FOUND;
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
 	auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
 	if (!auth_payload)
@@ -174,9 +175,12 @@ METHOD(authenticator_t, process, status_t,
 	}
 	auth_data = auth_payload->get_data(auth_payload);
 	id = this->ike_sa->get_other_id(this->ike_sa);
-	keymat = this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-									 this->nonce, id, this->reserved);
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+								 this->nonce, id, this->reserved, &octets))
+	{
+		return FAILED;
+	}
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
 														key_type, id, auth);
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
index 4c3937ecc..82bfea23b 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup pubkey_authenticator pubkey_authenticator
- * @{ @ingroup authenticators
+ * @{ @ingroup authenticators_v2
  */
 
 #ifndef PUBKEY_AUTHENTICATOR_H_
@@ -24,7 +24,7 @@
 
 typedef struct pubkey_authenticator_t pubkey_authenticator_t;
 
-#include <sa/authenticators/authenticator.h>
+#include <sa/authenticator.h>
 
 /**
  * Implementation of authenticator_t using public key authenitcation.
diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c
index 7b6ca430f..c4e5ea7a0 100644
--- a/src/libcharon/sa/connect_manager.c
+++ b/src/libcharon/sa/ikev2/connect_manager.c
@@ -19,7 +19,7 @@
 
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 
 #include <processing/jobs/callback_job.h>
@@ -839,7 +839,10 @@ static chunk_t build_signature(private_connect_manager_t *this,
 	/* signature = SHA1( MID | ME_CONNECTID | ME_ENDPOINT | ME_CONNECTKEY ) */
 	sig_chunk = chunk_cat("cccc", mid_chunk, check->connect_id,
 						  check->endpoint_raw, key_chunk);
-	this->hasher->allocate_hash(this->hasher, sig_chunk, &sig_hash);
+	if (!this->hasher->allocate_hash(this->hasher, sig_chunk, &sig_hash))
+	{
+		sig_hash = chunk_empty;
+	}
 	DBG3(DBG_IKE, "sig_chunk %#B", &sig_chunk);
 	DBG3(DBG_IKE, "sig_hash %#B", &sig_hash);
 
@@ -919,8 +922,10 @@ static void update_checklist_state(private_connect_manager_t *this,
 			 &checklist->connect_id);
 
 		callback_data_t *data = callback_data_create(this, checklist->connect_id);
-		job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-		lib->scheduler->schedule_job_ms(lib->scheduler, job, ME_WAIT_TO_FINISH);
+		lib->scheduler->schedule_job_ms(lib->scheduler,
+				(job_t*)callback_job_create((callback_job_cb_t)initiator_finish,
+					data, (callback_job_cleanup_t)callback_data_destroy, NULL),
+				ME_WAIT_TO_FINISH);
 		checklist->is_finishing = TRUE;
 	}
 
@@ -1007,8 +1012,12 @@ retransmit_end:
  */
 static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair)
 {
-	callback_data_t *data = retransmit_data_create(this, checklist->connect_id, pair->id);
-	job_t *job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
+	callback_data_t *data;
+	job_t *job;
+
+	data = retransmit_data_create(this, checklist->connect_id, pair->id);
+	job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data,
+						(callback_job_cleanup_t)callback_data_destroy, NULL);
 
 	u_int32_t retransmission = pair->retransmitted + 1;
 	u_int32_t rto = ME_INTERVAL;
@@ -1028,14 +1037,15 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
 static void send_check(private_connect_manager_t *this, check_list_t *checklist,
 		check_t *check, endpoint_pair_t *pair, bool request)
 {
-	message_t *message = message_create();
+	message_t *message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
 	message->set_message_id(message, check->mid);
 	message->set_exchange_type(message, INFORMATIONAL);
 	message->set_request(message, request);
 	message->set_destination(message, check->dst->clone(check->dst));
 	message->set_source(message, check->src->clone(check->src));
 
-	ike_sa_id_t *ike_sa_id = ike_sa_id_create(0, 0, request);
+	ike_sa_id_t *ike_sa_id = ike_sa_id_create(IKEV2_MAJOR_VERSION, 0, 0,
+											  request);
 	message->set_ike_sa_id(message, ike_sa_id);
 	ike_sa_id->destroy(ike_sa_id);
 
@@ -1154,10 +1164,12 @@ static job_requeue_t sender(callback_data_t *data)
 /**
  * Schedules checks for a checklist (time in ms)
  */
-static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time)
+static void schedule_checks(private_connect_manager_t *this,
+							check_list_t *checklist, u_int32_t time)
 {
 	callback_data_t *data = callback_data_create(this, checklist->connect_id);
-	checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
+	checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender,
+					data, (callback_job_cleanup_t)callback_data_destroy, NULL);
 	lib->scheduler->schedule_job_ms(lib->scheduler, checklist->sender, time);
 }
 
@@ -1209,12 +1221,15 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 		if (get_initiated_by_ids(this, checklist->initiator.id,
 				checklist->responder.id, &initiated) == SUCCESS)
 		{
+			callback_job_t *job;
+
 			remove_checklist(this, checklist);
 			remove_initiated(this, initiated);
 
 			initiate_data_t *data = initiate_data_create(checklist, initiated);
-			job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
-			lib->processor->queue_job(lib->processor, job);
+			job = callback_job_create((callback_job_cb_t)initiate_mediated,
+					data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
+			lib->processor->queue_job(lib->processor, (job_t*)job);
 			return;
 		}
 		else
diff --git a/src/libcharon/sa/connect_manager.h b/src/libcharon/sa/ikev2/connect_manager.h
index 8fa8ff697..e667e1f70 100644
--- a/src/libcharon/sa/connect_manager.h
+++ b/src/libcharon/sa/ikev2/connect_manager.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup connect_manager connect_manager
- * @{ @ingroup sa
+ * @{ @ingroup ikev2
  */
 
 #ifndef CONNECT_MANAGER_H_
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
new file mode 100644
index 000000000..4d0683f0a
--- /dev/null
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -0,0 +1,687 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "keymat_v2.h"
+
+#include <daemon.h>
+#include <crypto/prf_plus.h>
+
+typedef struct private_keymat_v2_t private_keymat_v2_t;
+
+/**
+ * Private data of an keymat_t object.
+ */
+struct private_keymat_v2_t {
+
+	/**
+	 * Public keymat_v2_t interface.
+	 */
+	keymat_v2_t public;
+
+	/**
+	 * IKE_SA Role, initiator or responder
+	 */
+	bool initiator;
+
+	/**
+	 * inbound AEAD
+	 */
+	aead_t *aead_in;
+
+	/**
+	 * outbound AEAD
+	 */
+	aead_t *aead_out;
+
+	/**
+	 * General purpose PRF
+	 */
+	prf_t *prf;
+
+	/**
+	 * Negotiated PRF algorithm
+	 */
+	pseudo_random_function_t prf_alg;
+
+	/**
+	 * Key to derive key material from for CHILD_SAs, rekeying
+	 */
+	chunk_t skd;
+
+	/**
+	 * Key to build outging authentication data (SKp)
+	 */
+	chunk_t skp_build;
+
+	/**
+	 * Key to verify incoming authentication data (SKp)
+	 */
+	chunk_t skp_verify;
+};
+
+METHOD(keymat_t, get_version, ike_version_t,
+	private_keymat_v2_t *this)
+{
+	return IKEV2;
+}
+
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+	private_keymat_v2_t *this, diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);
+}
+
+METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
+	private_keymat_v2_t *this)
+{
+	return lib->crypto->create_nonce_gen(lib->crypto);
+}
+
+/**
+ * Derive IKE keys for a combined AEAD algorithm
+ */
+static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
+							u_int16_t key_size, prf_plus_t *prf_plus)
+{
+	aead_t *aead_i, *aead_r;
+	chunk_t key = chunk_empty;
+
+	/* SK_ei/SK_er used for encryption */
+	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	if (aead_i == NULL || aead_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, alg, key_size);
+		goto failure;
+	}
+	key_size = aead_i->get_key_size(aead_i);
+	if (key_size != aead_r->get_key_size(aead_r))
+	{
+		goto failure;
+	}
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	if (!aead_i->set_key(aead_i, key))
+	{
+		goto failure;
+	}
+	chunk_clear(&key);
+
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	if (!aead_r->set_key(aead_r, key))
+	{
+		goto failure;
+	}
+
+	if (this->initiator)
+	{
+		this->aead_in = aead_r;
+		this->aead_out = aead_i;
+	}
+	else
+	{
+		this->aead_in = aead_i;
+		this->aead_out = aead_r;
+	}
+	aead_i = aead_r = NULL;
+
+failure:
+	DESTROY_IF(aead_i);
+	DESTROY_IF(aead_r);
+	chunk_clear(&key);
+	return this->aead_in && this->aead_out;
+}
+
+/**
+ * Derive IKE keys for traditional encryption and MAC algorithms
+ */
+static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
+					u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
+{
+	crypter_t *crypter_i = NULL, *crypter_r = NULL;
+	signer_t *signer_i, *signer_r;
+	size_t key_size;
+	chunk_t key = chunk_empty;
+
+	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+	crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+	if (signer_i == NULL || signer_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, INTEGRITY_ALGORITHM,
+			 integrity_algorithm_names, int_alg);
+		goto failure;
+	}
+	if (crypter_i == NULL || crypter_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, enc_alg, enc_size);
+		goto failure;
+	}
+
+	/* SK_ai/SK_ar used for integrity protection */
+	key_size = signer_i->get_key_size(signer_i);
+
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
+	if (!signer_i->set_key(signer_i, key))
+	{
+		goto failure;
+	}
+	chunk_clear(&key);
+
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
+	if (!signer_r->set_key(signer_r, key))
+	{
+		goto failure;
+	}
+	chunk_clear(&key);
+
+	/* SK_ei/SK_er used for encryption */
+	key_size = crypter_i->get_key_size(crypter_i);
+
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	if (!crypter_i->set_key(crypter_i, key))
+	{
+		goto failure;
+	}
+	chunk_clear(&key);
+
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	if (!crypter_r->set_key(crypter_r, key))
+	{
+		goto failure;
+	}
+
+	if (this->initiator)
+	{
+		this->aead_in = aead_create(crypter_r, signer_r);
+		this->aead_out = aead_create(crypter_i, signer_i);
+	}
+	else
+	{
+		this->aead_in = aead_create(crypter_i, signer_i);
+		this->aead_out = aead_create(crypter_r, signer_r);
+	}
+	signer_i = signer_r = NULL;
+	crypter_i = crypter_r = NULL;
+
+failure:
+	chunk_clear(&key);
+	DESTROY_IF(signer_i);
+	DESTROY_IF(signer_r);
+	DESTROY_IF(crypter_i);
+	DESTROY_IF(crypter_r);
+	return this->aead_in && this->aead_out;
+}
+
+METHOD(keymat_v2_t, derive_ike_keys, bool,
+	private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+{
+	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
+	chunk_t spi_i, spi_r;
+	prf_plus_t *prf_plus = NULL;
+	u_int16_t alg, key_size, int_alg;
+	prf_t *rekey_prf = NULL;
+
+	spi_i = chunk_alloca(sizeof(u_int64_t));
+	spi_r = chunk_alloca(sizeof(u_int64_t));
+
+	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* Create SAs general purpose PRF first, we may use it here */
+	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+		return FALSE;
+	}
+	this->prf_alg = alg;
+	this->prf = lib->crypto->create_prf(lib->crypto, alg);
+	if (this->prf == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
+			 pseudo_random_function_names, alg);
+		return FALSE;
+	}
+	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
+	/* full nonce is used as seed for PRF+ ... */
+	full_nonce = chunk_cat("cc", nonce_i, nonce_r);
+	/* but the PRF may need a fixed key which only uses the first bytes of
+	 * the nonces. */
+	switch (alg)
+	{
+		case PRF_AES128_XCBC:
+			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
+			 * not and therefore fixed key semantics apply to XCBC for key
+			 * derivation. */
+		case PRF_CAMELLIA128_XCBC:
+			/* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
+			 * assume fixed key length. */
+			key_size = this->prf->get_key_size(this->prf)/2;
+			nonce_i.len = min(nonce_i.len, key_size);
+			nonce_r.len = min(nonce_r.len, key_size);
+			break;
+		default:
+			/* all other algorithms use variable key length, full nonce */
+			break;
+	}
+	fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
+	*((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
+	*((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
+	prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
+
+	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
+	 *
+	 * if we are rekeying, SKEYSEED is built on another way
+	 */
+	if (rekey_function == PRF_UNDEFINED) /* not rekeying */
+	{
+		/* SKEYSEED = prf(Ni | Nr, g^ir) */
+		if (this->prf->set_key(this->prf, fixed_nonce) &&
+			this->prf->allocate_bytes(this->prf, secret, &skeyseed) &&
+			this->prf->set_key(this->prf, skeyseed))
+		{
+			prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
+		}
+	}
+	else
+	{
+		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
+		 * use OLD SAs PRF functions for both prf_plus and prf */
+		rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
+		if (!rekey_prf)
+		{
+			DBG1(DBG_IKE, "PRF of old SA %N not supported!",
+				 pseudo_random_function_names, rekey_function);
+			chunk_free(&full_nonce);
+			chunk_free(&fixed_nonce);
+			chunk_clear(&prf_plus_seed);
+			return FALSE;
+		}
+		secret = chunk_cat("mc", secret, full_nonce);
+		if (rekey_prf->set_key(rekey_prf, rekey_skd) &&
+			rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed) &&
+			rekey_prf->set_key(rekey_prf, skeyseed))
+		{
+			prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
+		}
+	}
+	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
+
+	chunk_clear(&skeyseed);
+	chunk_clear(&secret);
+	chunk_free(&full_nonce);
+	chunk_free(&fixed_nonce);
+	chunk_clear(&prf_plus_seed);
+
+	if (!prf_plus)
+	{
+		goto failure;
+	}
+
+	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
+
+	/* SK_d is used for generating CHILD_SA key mat => store for later use */
+	key_size = this->prf->get_key_size(this->prf);
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &this->skd))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
+
+	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
+	{
+		DBG1(DBG_IKE, "no %N selected",
+			 transform_type_names, ENCRYPTION_ALGORITHM);
+		goto failure;
+	}
+
+	if (encryption_algorithm_is_aead(alg))
+	{
+		if (!derive_ike_aead(this, alg, key_size, prf_plus))
+		{
+			goto failure;
+		}
+	}
+	else
+	{
+		if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+									 &int_alg, NULL))
+		{
+			DBG1(DBG_IKE, "no %N selected",
+				 transform_type_names, INTEGRITY_ALGORITHM);
+			goto failure;
+		}
+		if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
+		{
+			goto failure;
+		}
+	}
+
+	/* SK_pi/SK_pr used for authentication => stored for later */
+	key_size = this->prf->get_key_size(this->prf);
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_pi secret %B", &key);
+	if (this->initiator)
+	{
+		this->skp_build = key;
+	}
+	else
+	{
+		this->skp_verify = key;
+	}
+	if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
+	{
+		goto failure;
+	}
+	DBG4(DBG_IKE, "Sk_pr secret %B", &key);
+	if (this->initiator)
+	{
+		this->skp_verify = key;
+	}
+	else
+	{
+		this->skp_build = key;
+	}
+
+	/* all done, prf_plus not needed anymore */
+failure:
+	DESTROY_IF(prf_plus);
+	DESTROY_IF(rekey_prf);
+
+	return this->skp_build.len && this->skp_verify.len;
+}
+
+METHOD(keymat_v2_t, derive_child_keys, bool,
+	private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
+	chunk_t *encr_r, chunk_t *integ_r)
+{
+	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
+	chunk_t seed, secret = chunk_empty;
+	prf_plus_t *prf_plus;
+
+	if (dh)
+	{
+		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		{
+			return FALSE;
+		}
+		DBG4(DBG_CHD, "DH secret %B", &secret);
+	}
+	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
+	DBG4(DBG_CHD, "seed %B", &seed);
+
+	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+								&enc_alg, &enc_size))
+	{
+		DBG2(DBG_CHD, "  using %N for encryption",
+			 encryption_algorithm_names, enc_alg);
+
+		if (!enc_size)
+		{
+			enc_size = keymat_get_keylen_encr(enc_alg);
+		}
+		if (enc_alg != ENCR_NULL && !enc_size)
+		{
+			DBG1(DBG_CHD, "no keylength defined for %N",
+				 encryption_algorithm_names, enc_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		enc_size /= 8;
+
+		/* CCM/GCM/CTR/GMAC needs additional bytes */
+		switch (enc_alg)
+		{
+			case ENCR_AES_CCM_ICV8:
+			case ENCR_AES_CCM_ICV12:
+			case ENCR_AES_CCM_ICV16:
+			case ENCR_CAMELLIA_CCM_ICV8:
+			case ENCR_CAMELLIA_CCM_ICV12:
+			case ENCR_CAMELLIA_CCM_ICV16:
+				enc_size += 3;
+				break;
+			case ENCR_AES_GCM_ICV8:
+			case ENCR_AES_GCM_ICV12:
+			case ENCR_AES_GCM_ICV16:
+			case ENCR_AES_CTR:
+			case ENCR_NULL_AUTH_AES_GMAC:
+				enc_size += 4;
+				break;
+			default:
+				break;
+		}
+	}
+
+	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+								&int_alg, &int_size))
+	{
+		DBG2(DBG_CHD, "  using %N for integrity",
+			 integrity_algorithm_names, int_alg);
+
+		if (!int_size)
+		{
+			int_size = keymat_get_keylen_integ(int_alg);
+		}
+		if (!int_size)
+		{
+			DBG1(DBG_CHD, "no keylength defined for %N",
+				 integrity_algorithm_names, int_alg);
+			return FALSE;
+		}
+		/* to bytes */
+		int_size /= 8;
+	}
+
+	if (!this->prf->set_key(this->prf, this->skd))
+	{
+		return FALSE;
+	}
+	prf_plus = prf_plus_create(this->prf, TRUE, seed);
+	if (!prf_plus)
+	{
+		return FALSE;
+	}
+
+	*encr_i = *integ_i = *encr_r = *integ_r = chunk_empty;
+	if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
+		!prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
+		!prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
+		!prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
+	{
+		chunk_free(encr_i);
+		chunk_free(integ_i);
+		chunk_free(encr_r);
+		chunk_free(integ_r);
+		prf_plus->destroy(prf_plus);
+		return FALSE;
+	}
+
+	prf_plus->destroy(prf_plus);
+
+	if (enc_size)
+	{
+		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
+		DBG4(DBG_CHD, "encryption responder key %B", encr_r);
+	}
+	if (int_size)
+	{
+		DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
+		DBG4(DBG_CHD, "integrity responder key %B", integ_r);
+	}
+	return TRUE;
+}
+
+METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
+	private_keymat_v2_t *this, chunk_t *skd)
+{
+	*skd = this->skd;
+	return this->prf_alg;
+}
+
+METHOD(keymat_t, get_aead, aead_t*,
+	private_keymat_v2_t *this, bool in)
+{
+	return in ? this->aead_in : this->aead_out;
+}
+
+METHOD(keymat_v2_t, get_auth_octets, bool,
+	private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+{
+	chunk_t chunk, idx;
+	chunk_t skp;
+
+	skp = verify ? this->skp_verify : this->skp_build;
+
+	chunk = chunk_alloca(4);
+	chunk.ptr[0] = id->get_type(id);
+	memcpy(chunk.ptr + 1, reserved, 3);
+	idx = chunk_cata("cc", chunk, id->get_encoding(id));
+
+	DBG3(DBG_IKE, "IDx' %B", &idx);
+	DBG3(DBG_IKE, "SK_p %B", &skp);
+	if (!this->prf->set_key(this->prf, skp) ||
+		!this->prf->allocate_bytes(this->prf, idx, &chunk))
+	{
+		return FALSE;
+	}
+	*octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
+	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
+	return TRUE;
+}
+
+/**
+ * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ */
+#define IKEV2_KEY_PAD "Key Pad for IKEv2"
+#define IKEV2_KEY_PAD_LENGTH 17
+
+METHOD(keymat_v2_t, get_psk_sig, bool,
+	private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
+	chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
+{
+	chunk_t key_pad, key, octets;
+
+	if (!secret.len)
+	{	/* EAP uses SK_p if no MSK has been established */
+		secret = verify ? this->skp_verify : this->skp_build;
+	}
+	if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
+	{
+		return FALSE;
+	}
+	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
+	key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
+	if (!this->prf->set_key(this->prf, secret) ||
+		!this->prf->allocate_bytes(this->prf, key_pad, &key))
+	{
+		chunk_free(&octets);
+		return FALSE;
+	}
+	if (!this->prf->set_key(this->prf, key) ||
+		!this->prf->allocate_bytes(this->prf, octets, sig))
+	{
+		chunk_free(&key);
+		chunk_free(&octets);
+		return FALSE;
+	}
+	DBG4(DBG_IKE, "secret %B", &secret);
+	DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
+	DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
+	chunk_free(&octets);
+	chunk_free(&key);
+
+	return TRUE;
+}
+
+METHOD(keymat_t, destroy, void,
+	private_keymat_v2_t *this)
+{
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
+	DESTROY_IF(this->prf);
+	chunk_clear(&this->skd);
+	chunk_clear(&this->skp_verify);
+	chunk_clear(&this->skp_build);
+	free(this);
+}
+
+/**
+ * See header
+ */
+keymat_v2_t *keymat_v2_create(bool initiator)
+{
+	private_keymat_v2_t *this;
+
+	INIT(this,
+		.public = {
+			.keymat = {
+				.get_version = _get_version,
+				.create_dh = _create_dh,
+				.create_nonce_gen = _create_nonce_gen,
+				.get_aead = _get_aead,
+				.destroy = _destroy,
+			},
+			.derive_ike_keys = _derive_ike_keys,
+			.derive_child_keys = _derive_child_keys,
+			.get_skd = _get_skd,
+			.get_auth_octets = _get_auth_octets,
+			.get_psk_sig = _get_psk_sig,
+		},
+		.initiator = initiator,
+		.prf_alg = PRF_UNDEFINED,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
new file mode 100644
index 000000000..04432f05b
--- /dev/null
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup keymat_v2 keymat_v2
+ * @{ @ingroup ikev2
+ */
+
+#ifndef KEYMAT_V2_H_
+#define KEYMAT_V2_H_
+
+#include <sa/keymat.h>
+
+typedef struct keymat_v2_t keymat_v2_t;
+
+/**
+ * Derivation and management of sensitive keying material, IKEv2 variant.
+ */
+struct keymat_v2_t {
+
+	/**
+	 * Implements keymat_t.
+	 */
+	keymat_t keymat;
+
+	/**
+	 * Derive keys for the IKE_SA.
+	 *
+	 * These keys are not handed out, but are used by the associated signers,
+	 * crypters and authentication functions.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh()
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param id		IKE_SA identifier
+	 * @param rekey_prf	PRF of old SA if rekeying, PRF_UNDEFINED otherwise
+	 * @param rekey_sdk	SKd of old SA if rekeying
+	 * @return			TRUE on success
+	 */
+	bool (*derive_ike_keys)(keymat_v2_t *this, proposal_t *proposal,
+							diffie_hellman_t *dh, chunk_t nonce_i,
+							chunk_t nonce_r, ike_sa_id_t *id,
+							pseudo_random_function_t rekey_function,
+							chunk_t rekey_skd);
+
+	/**
+	 * Derive keys for a CHILD_SA.
+	 *
+	 * The keys for the CHILD_SA are allocated in the integ and encr chunks.
+	 * An implementation might hand out encrypted keys only, which are
+	 * decrypted in the kernel before use.
+	 * If no PFS is used for the CHILD_SA, dh can be NULL.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh(), or NULL
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param encr_i	chunk to write initiators encryption key to
+	 * @param integ_i	chunk to write initiators integrity key to
+	 * @param encr_r	chunk to write responders encryption key to
+	 * @param integ_r	chunk to write responders integrity key to
+	 * @return			TRUE on success
+	 */
+	bool (*derive_child_keys)(keymat_v2_t *this,
+							  proposal_t *proposal, diffie_hellman_t *dh,
+							  chunk_t nonce_i, chunk_t nonce_r,
+							  chunk_t *encr_i, chunk_t *integ_i,
+							  chunk_t *encr_r, chunk_t *integ_r);
+	/**
+	 * Get SKd to pass to derive_ikey_keys() during rekeying.
+	 *
+	 * @param skd		chunk to write SKd to (internal data)
+	 * @return			PRF function to derive keymat
+	 */
+	pseudo_random_function_t (*get_skd)(keymat_v2_t *this, chunk_t *skd);
+
+	/**
+	 * Generate octets to use for authentication procedure (RFC4306 2.15).
+	 *
+	 * This method creates the plain octets and is usually signed by a private
+	 * key. PSK and EAP authentication include a secret into the data, use
+	 * the get_psk_sig() method instead.
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param id			identity
+	 * @param reserved		reserved bytes of id_payload
+	 * @param octests		chunk receiving allocated auth octets
+	 * @return				TRUE if octets created successfully
+	 */
+	bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+							chunk_t nonce, identification_t *id,
+							char reserved[3], chunk_t *octets);
+	/**
+	 * Build the shared secret signature used for PSK and EAP authentication.
+	 *
+	 * This method wraps the get_auth_octets() method and additionally
+	 * includes the secret into the signature. If no secret is given, SK_p is
+	 * used as secret (used for EAP methods without MSK).
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param secret		optional secret to include into signature
+	 * @param id			identity
+	 * @param reserved		reserved bytes of id_payload
+	 * @param sign			chunk receiving allocated signature octets
+	 * @return				TRUE if signature created successfully
+	 */
+	bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+						chunk_t nonce, chunk_t secret,
+						identification_t *id, char reserved[3], chunk_t *sig);
+};
+
+/**
+ * Create a keymat instance.
+ *
+ * @param initiator			TRUE if we are the initiator
+ * @return					keymat instance
+ */
+keymat_v2_t *keymat_v2_create(bool initiator);
+
+#endif /** KEYMAT_V2_H_ @}*/
diff --git a/src/libcharon/sa/mediation_manager.c b/src/libcharon/sa/ikev2/mediation_manager.c
index 60eeb5d4b..bf5b2f4b3 100644
--- a/src/libcharon/sa/mediation_manager.c
+++ b/src/libcharon/sa/ikev2/mediation_manager.c
@@ -17,7 +17,7 @@
 
 #include <daemon.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/mediation_job.h>
 
 typedef struct peer_t peer_t;
diff --git a/src/libcharon/sa/mediation_manager.h b/src/libcharon/sa/ikev2/mediation_manager.h
index 31a16f69c..5212bdb86 100644
--- a/src/libcharon/sa/mediation_manager.h
+++ b/src/libcharon/sa/ikev2/mediation_manager.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup mediation_manager mediation_manager
- * @{ @ingroup sa
+ * @{ @ingroup ikev2
  */
 
 #ifndef MEDIATION_MANAGER_H_
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
new file mode 100644
index 000000000..a6af744fc
--- /dev/null
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -0,0 +1,1592 @@
+/*
+ * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "task_manager_v2.h"
+
+#include <math.h>
+
+#include <collections/array.h>
+#include <daemon.h>
+#include <sa/ikev2/tasks/ike_init.h>
+#include <sa/ikev2/tasks/ike_natd.h>
+#include <sa/ikev2/tasks/ike_mobike.h>
+#include <sa/ikev2/tasks/ike_auth.h>
+#include <sa/ikev2/tasks/ike_auth_lifetime.h>
+#include <sa/ikev2/tasks/ike_cert_pre.h>
+#include <sa/ikev2/tasks/ike_cert_post.h>
+#include <sa/ikev2/tasks/ike_rekey.h>
+#include <sa/ikev2/tasks/ike_reauth.h>
+#include <sa/ikev2/tasks/ike_delete.h>
+#include <sa/ikev2/tasks/ike_config.h>
+#include <sa/ikev2/tasks/ike_dpd.h>
+#include <sa/ikev2/tasks/ike_vendor.h>
+#include <sa/ikev2/tasks/child_create.h>
+#include <sa/ikev2/tasks/child_rekey.h>
+#include <sa/ikev2/tasks/child_delete.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/unknown_payload.h>
+#include <processing/jobs/retransmit_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+#ifdef ME
+#include <sa/ikev2/tasks/ike_me.h>
+#endif
+
+typedef struct exchange_t exchange_t;
+
+/**
+ * An exchange in the air, used do detect and handle retransmission
+ */
+struct exchange_t {
+
+	/**
+	 * Message ID used for this transaction
+	 */
+	u_int32_t mid;
+
+	/**
+	 * generated packet for retransmission
+	 */
+	packet_t *packet;
+};
+
+typedef struct private_task_manager_t private_task_manager_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_task_manager_t {
+
+	/**
+	 * public functions
+	 */
+	task_manager_v2_t public;
+
+	/**
+	 * associated IKE_SA we are serving
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Exchange we are currently handling as responder
+	 */
+	struct {
+		/**
+		 * Message ID of the exchange
+		 */
+		u_int32_t mid;
+
+		/**
+		 * packet for retransmission
+		 */
+		packet_t *packet;
+
+	} responding;
+
+	/**
+	 * Exchange we are currently handling as initiator
+	 */
+	struct {
+		/**
+		 * Message ID of the exchange
+		 */
+		u_int32_t mid;
+
+		/**
+		 * how many times we have retransmitted so far
+		 */
+		u_int retransmitted;
+
+		/**
+		 * packet for retransmission
+		 */
+		packet_t *packet;
+
+		/**
+		 * type of the initated exchange
+		 */
+		exchange_type_t type;
+
+	} initiating;
+
+	/**
+	 * Array of queued tasks not yet in action
+	 */
+	array_t *queued_tasks;
+
+	/**
+	 * Array of active tasks, initiated by ourselve
+	 */
+	array_t *active_tasks;
+
+	/**
+	 * Array of tasks initiated by peer
+	 */
+	array_t *passive_tasks;
+
+	/**
+	 * the task manager has been reset
+	 */
+	bool reset;
+
+	/**
+	 * Number of times we retransmit messages before giving up
+	 */
+	u_int retransmit_tries;
+
+	/**
+	 * Retransmission timeout
+	 */
+	double retransmit_timeout;
+
+	/**
+	 * Base to calculate retransmission timeout
+	 */
+	double retransmit_base;
+};
+
+METHOD(task_manager_t, flush_queue, void,
+	private_task_manager_t *this, task_queue_t queue)
+{
+	array_t *array;
+	task_t *task;
+
+	switch (queue)
+	{
+		case TASK_QUEUE_ACTIVE:
+			array = this->active_tasks;
+			break;
+		case TASK_QUEUE_PASSIVE:
+			array = this->passive_tasks;
+			break;
+		case TASK_QUEUE_QUEUED:
+			array = this->queued_tasks;
+			break;
+		default:
+			return;
+	}
+	while (array_remove(array, ARRAY_TAIL, &task))
+	{
+		task->destroy(task);
+	}
+}
+
+/**
+ * flush all tasks in the task manager
+ */
+static void flush(private_task_manager_t *this)
+{
+	flush_queue(this, TASK_QUEUE_QUEUED);
+	flush_queue(this, TASK_QUEUE_PASSIVE);
+	flush_queue(this, TASK_QUEUE_ACTIVE);
+}
+
+/**
+ * move a task of a specific type from the queue to the active list
+ */
+static bool activate_task(private_task_manager_t *this, task_type_t type)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	bool found = FALSE;
+
+	enumerator = array_create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, (void**)&task))
+	{
+		if (task->get_type(task) == type)
+		{
+			DBG2(DBG_IKE, "  activating %N task", task_type_names, type);
+			array_remove_at(this->queued_tasks, enumerator);
+			array_insert(this->active_tasks, ARRAY_TAIL, task);
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+METHOD(task_manager_t, retransmit, status_t,
+	private_task_manager_t *this, u_int32_t message_id)
+{
+	if (this->initiating.packet && message_id == this->initiating.mid)
+	{
+		u_int32_t timeout;
+		job_t *job;
+		enumerator_t *enumerator;
+		packet_t *packet;
+		task_t *task;
+		ike_mobike_t *mobike = NULL;
+
+		/* check if we are retransmitting a MOBIKE routability check */
+		enumerator = array_create_enumerator(this->active_tasks);
+		while (enumerator->enumerate(enumerator, (void*)&task))
+		{
+			if (task->get_type(task) == TASK_IKE_MOBIKE)
+			{
+				mobike = (ike_mobike_t*)task;
+				if (!mobike->is_probing(mobike))
+				{
+					mobike = NULL;
+				}
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (mobike == NULL)
+		{
+			if (this->initiating.retransmitted <= this->retransmit_tries)
+			{
+				timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
+					pow(this->retransmit_base, this->initiating.retransmitted));
+			}
+			else
+			{
+				DBG1(DBG_IKE, "giving up after %d retransmits",
+					 this->initiating.retransmitted - 1);
+				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
+								   this->initiating.packet);
+				return DESTROY_ME;
+			}
+
+			if (this->initiating.retransmitted)
+			{
+				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
+					 this->initiating.retransmitted, message_id);
+				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND,
+								   this->initiating.packet);
+			}
+			packet = this->initiating.packet->clone(this->initiating.packet);
+			charon->sender->send(charon->sender, packet);
+		}
+		else
+		{	/* for routeability checks, we use a more aggressive behavior */
+			if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
+			{
+				timeout = ROUTEABILITY_CHECK_INTERVAL;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "giving up after %d path probings",
+					 this->initiating.retransmitted - 1);
+				return DESTROY_ME;
+			}
+
+			if (this->initiating.retransmitted)
+			{
+				DBG1(DBG_IKE, "path probing attempt %d",
+					 this->initiating.retransmitted);
+			}
+			mobike->transmit(mobike, this->initiating.packet);
+		}
+
+		this->initiating.retransmitted++;
+		job = (job_t*)retransmit_job_create(this->initiating.mid,
+											this->ike_sa->get_id(this->ike_sa));
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
+	}
+	return SUCCESS;
+}
+
+METHOD(task_manager_t, initiate, status_t,
+	private_task_manager_t *this)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	message_t *message;
+	host_t *me, *other;
+	status_t status;
+	exchange_type_t exchange = 0;
+
+	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
+	{
+		DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
+				exchange_type_names, this->initiating.type);
+		/* do not initiate if we already have a message in the air */
+		return SUCCESS;
+	}
+
+	if (array_count(this->active_tasks) == 0)
+	{
+		DBG2(DBG_IKE, "activating new tasks");
+		switch (this->ike_sa->get_state(this->ike_sa))
+		{
+			case IKE_CREATED:
+				activate_task(this, TASK_IKE_VENDOR);
+				if (activate_task(this, TASK_IKE_INIT))
+				{
+					this->initiating.mid = 0;
+					exchange = IKE_SA_INIT;
+					activate_task(this, TASK_IKE_NATD);
+					activate_task(this, TASK_IKE_CERT_PRE);
+#ifdef ME
+					/* this task has to be activated before the TASK_IKE_AUTH
+					 * task, because that task pregenerates the packet after
+					 * which no payloads can be added to the message anymore.
+					 */
+					activate_task(this, TASK_IKE_ME);
+#endif /* ME */
+					activate_task(this, TASK_IKE_AUTH);
+					activate_task(this, TASK_IKE_CERT_POST);
+					activate_task(this, TASK_IKE_CONFIG);
+					activate_task(this, TASK_CHILD_CREATE);
+					activate_task(this, TASK_IKE_AUTH_LIFETIME);
+					activate_task(this, TASK_IKE_MOBIKE);
+				}
+				break;
+			case IKE_ESTABLISHED:
+				if (activate_task(this, TASK_CHILD_CREATE))
+				{
+					exchange = CREATE_CHILD_SA;
+					break;
+				}
+				if (activate_task(this, TASK_CHILD_DELETE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, TASK_CHILD_REKEY))
+				{
+					exchange = CREATE_CHILD_SA;
+					break;
+				}
+				if (activate_task(this, TASK_IKE_DELETE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, TASK_IKE_REKEY))
+				{
+					exchange = CREATE_CHILD_SA;
+					break;
+				}
+				if (activate_task(this, TASK_IKE_REAUTH))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, TASK_IKE_MOBIKE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, TASK_IKE_DPD))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+#ifdef ME
+				if (activate_task(this, TASK_IKE_ME))
+				{
+					exchange = ME_CONNECT;
+					break;
+				}
+#endif /* ME */
+			case IKE_REKEYING:
+				if (activate_task(this, TASK_IKE_DELETE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+			case IKE_DELETING:
+			default:
+				break;
+		}
+	}
+	else
+	{
+		DBG2(DBG_IKE, "reinitiating already active tasks");
+		enumerator = array_create_enumerator(this->active_tasks);
+		while (enumerator->enumerate(enumerator, &task))
+		{
+			DBG2(DBG_IKE, "  %N task", task_type_names, task->get_type(task));
+			switch (task->get_type(task))
+			{
+				case TASK_IKE_INIT:
+					exchange = IKE_SA_INIT;
+					break;
+				case TASK_IKE_AUTH:
+					exchange = IKE_AUTH;
+					break;
+				case TASK_CHILD_CREATE:
+				case TASK_CHILD_REKEY:
+				case TASK_IKE_REKEY:
+					exchange = CREATE_CHILD_SA;
+					break;
+				case TASK_IKE_MOBIKE:
+					exchange = INFORMATIONAL;
+					break;
+				default:
+					continue;
+			}
+			break;
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (exchange == 0)
+	{
+		DBG2(DBG_IKE, "nothing to initiate");
+		/* nothing to do yet... */
+		return SUCCESS;
+	}
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+
+	message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
+	message->set_message_id(message, this->initiating.mid);
+	message->set_source(message, me->clone(me));
+	message->set_destination(message, other->clone(other));
+	message->set_exchange_type(message, exchange);
+	this->initiating.type = exchange;
+	this->initiating.retransmitted = 0;
+
+	enumerator = array_create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				array_remove_at(this->active_tasks, enumerator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				}
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				enumerator->destroy(enumerator);
+				message->destroy(message);
+				flush(this);
+				return DESTROY_ME;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* update exchange type if a task changed it */
+	this->initiating.type = message->get_exchange_type(message);
+
+	status = this->ike_sa->generate_message(this->ike_sa, message,
+											&this->initiating.packet);
+	if (status != SUCCESS)
+	{
+		/* message generation failed. There is nothing more to do than to
+		 * close the SA */
+		message->destroy(message);
+		flush(this);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+	message->destroy(message);
+
+	array_compress(this->active_tasks);
+	array_compress(this->queued_tasks);
+
+	return retransmit(this, this->initiating.mid);
+}
+
+/**
+ * handle an incoming response message
+ */
+static status_t process_response(private_task_manager_t *this,
+								 message_t *message)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	if (message->get_exchange_type(message) != this->initiating.type)
+	{
+		DBG1(DBG_IKE, "received %N response, but expected %N",
+			 exchange_type_names, message->get_exchange_type(message),
+			 exchange_type_names, this->initiating.type);
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+
+	/* catch if we get resetted while processing */
+	this->reset = FALSE;
+	enumerator = array_create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				array_remove_at(this->active_tasks, enumerator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				array_remove_at(this->active_tasks, enumerator);
+				enumerator->destroy(enumerator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
+		if (this->reset)
+		{	/* start all over again if we were reset */
+			this->reset = FALSE;
+			enumerator->destroy(enumerator);
+			return initiate(this);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->initiating.mid++;
+	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+	this->initiating.packet->destroy(this->initiating.packet);
+	this->initiating.packet = NULL;
+
+	array_compress(this->active_tasks);
+
+	return initiate(this);
+}
+
+/**
+ * handle exchange collisions
+ */
+static bool handle_collisions(private_task_manager_t *this, task_t *task)
+{
+	enumerator_t *enumerator;
+	task_t *active;
+	task_type_t type;
+
+	type = task->get_type(task);
+
+	/* do we have to check  */
+	if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
+		type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE ||
+		type == TASK_IKE_REAUTH)
+	{
+		/* find an exchange collision, and notify these tasks */
+		enumerator = array_create_enumerator(this->active_tasks);
+		while (enumerator->enumerate(enumerator, &active))
+		{
+			switch (active->get_type(active))
+			{
+				case TASK_IKE_REKEY:
+					if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE ||
+						type == TASK_IKE_REAUTH)
+					{
+						ike_rekey_t *rekey = (ike_rekey_t*)active;
+						rekey->collide(rekey, task);
+						break;
+					}
+					continue;
+				case TASK_CHILD_REKEY:
+					if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
+					{
+						child_rekey_t *rekey = (child_rekey_t*)active;
+						rekey->collide(rekey, task);
+						break;
+					}
+					continue;
+				default:
+					continue;
+			}
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+		enumerator->destroy(enumerator);
+	}
+	return FALSE;
+}
+
+/**
+ * build a response depending on the "passive" task list
+ */
+static status_t build_response(private_task_manager_t *this, message_t *request)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	message_t *message;
+	host_t *me, *other;
+	bool delete = FALSE, hook = FALSE;
+	ike_sa_id_t *id = NULL;
+	u_int64_t responder_spi;
+	status_t status;
+
+	me = request->get_destination(request);
+	other = request->get_source(request);
+
+	message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
+	message->set_exchange_type(message, request->get_exchange_type(request));
+	/* send response along the path the request came in */
+	message->set_source(message, me->clone(me));
+	message->set_destination(message, other->clone(other));
+	message->set_message_id(message, this->responding.mid);
+	message->set_request(message, FALSE);
+
+	enumerator = array_create_enumerator(this->passive_tasks);
+	while (enumerator->enumerate(enumerator, (void*)&task))
+	{
+		switch (task->build(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				array_remove_at(this->passive_tasks, enumerator);
+				if (!handle_collisions(this, task))
+				{
+					task->destroy(task);
+				}
+				break;
+			case NEED_MORE:
+				/* processed, but task needs another exchange */
+				if (handle_collisions(this, task))
+				{
+					array_remove_at(this->passive_tasks, enumerator);
+				}
+				break;
+			case FAILED:
+			default:
+				hook = TRUE;
+				/* FALL */
+			case DESTROY_ME:
+				/* destroy IKE_SA, but SEND response first */
+				delete = TRUE;
+				break;
+		}
+		if (delete)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* RFC 5996, section 2.6 mentions that in the event of a failure during
+	 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
+	 * actually explicitly allows it to be non-zero.  Since we use the responder
+	 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
+	 * zero temporarily, otherwise checking the SA in would fail. */
+	if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
+	{
+		id = this->ike_sa->get_id(this->ike_sa);
+		responder_spi = id->get_responder_spi(id);
+		id->set_responder_spi(id, 0);
+	}
+
+	/* message complete, send it */
+	DESTROY_IF(this->responding.packet);
+	this->responding.packet = NULL;
+	status = this->ike_sa->generate_message(this->ike_sa, message,
+											&this->responding.packet);
+	message->destroy(message);
+	if (id)
+	{
+		id->set_responder_spi(id, responder_spi);
+	}
+	if (status != SUCCESS)
+	{
+		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		return DESTROY_ME;
+	}
+
+	charon->sender->send(charon->sender,
+						 this->responding.packet->clone(this->responding.packet));
+	if (delete)
+	{
+		if (hook)
+		{
+			charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+		}
+		return DESTROY_ME;
+	}
+
+	array_compress(this->passive_tasks);
+
+	return SUCCESS;
+}
+
+/**
+ * handle an incoming request message
+ */
+static status_t process_request(private_task_manager_t *this,
+								message_t *message)
+{
+	enumerator_t *enumerator;
+	task_t *task = NULL;
+	payload_t *payload;
+	notify_payload_t *notify;
+	delete_payload_t *delete;
+
+	if (array_count(this->passive_tasks) == 0)
+	{	/* create tasks depending on request type, if not already some queued */
+		switch (message->get_exchange_type(message))
+		{
+			case IKE_SA_INIT:
+			{
+				task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+#ifdef ME
+				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+#endif /* ME */
+				task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
+													NULL, NULL);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				break;
+			}
+			case CREATE_CHILD_SA:
+			{	/* FIXME: we should prevent this on mediation connections */
+				bool notify_found = FALSE, ts_found = FALSE;
+				enumerator = message->create_payload_enumerator(message);
+				while (enumerator->enumerate(enumerator, &payload))
+				{
+					switch (payload->get_type(payload))
+					{
+						case NOTIFY:
+						{	/* if we find a rekey notify, its CHILD_SA rekeying */
+							notify = (notify_payload_t*)payload;
+							if (notify->get_notify_type(notify) == REKEY_SA &&
+								(notify->get_protocol_id(notify) == PROTO_AH ||
+								 notify->get_protocol_id(notify) == PROTO_ESP))
+							{
+								notify_found = TRUE;
+							}
+							break;
+						}
+						case TRAFFIC_SELECTOR_INITIATOR:
+						case TRAFFIC_SELECTOR_RESPONDER:
+						{	/* if we don't find a TS, its IKE rekeying */
+							ts_found = TRUE;
+							break;
+						}
+						default:
+							break;
+					}
+				}
+				enumerator->destroy(enumerator);
+
+				if (ts_found)
+				{
+					if (notify_found)
+					{
+						task = (task_t*)child_rekey_create(this->ike_sa,
+														   PROTO_NONE, 0);
+					}
+					else
+					{
+						task = (task_t*)child_create_create(this->ike_sa, NULL,
+															FALSE, NULL, NULL);
+					}
+				}
+				else
+				{
+					task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
+				}
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				break;
+			}
+			case INFORMATIONAL:
+			{
+				enumerator = message->create_payload_enumerator(message);
+				while (enumerator->enumerate(enumerator, &payload))
+				{
+					switch (payload->get_type(payload))
+					{
+						case NOTIFY:
+						{
+							notify = (notify_payload_t*)payload;
+							switch (notify->get_notify_type(notify))
+							{
+								case ADDITIONAL_IP4_ADDRESS:
+								case ADDITIONAL_IP6_ADDRESS:
+								case NO_ADDITIONAL_ADDRESSES:
+								case UPDATE_SA_ADDRESSES:
+								case NO_NATS_ALLOWED:
+								case UNACCEPTABLE_ADDRESSES:
+								case UNEXPECTED_NAT_DETECTED:
+								case COOKIE2:
+								case NAT_DETECTION_SOURCE_IP:
+								case NAT_DETECTION_DESTINATION_IP:
+									task = (task_t*)ike_mobike_create(
+															this->ike_sa, FALSE);
+									break;
+								case AUTH_LIFETIME:
+									task = (task_t*)ike_auth_lifetime_create(
+															this->ike_sa, FALSE);
+									break;
+								case AUTHENTICATION_FAILED:
+									/* initiator failed to authenticate us.
+									 * We use ike_delete to handle this, which
+									 * invokes all the required hooks. */
+									task = (task_t*)ike_delete_create(
+														this->ike_sa, FALSE);
+								default:
+									break;
+							}
+							break;
+						}
+						case DELETE:
+						{
+							delete = (delete_payload_t*)payload;
+							if (delete->get_protocol_id(delete) == PROTO_IKE)
+							{
+								task = (task_t*)ike_delete_create(this->ike_sa,
+																FALSE);
+							}
+							else
+							{
+								task = (task_t*)child_delete_create(this->ike_sa,
+														PROTO_NONE, 0, FALSE);
+							}
+							break;
+						}
+						default:
+							break;
+					}
+					if (task)
+					{
+						break;
+					}
+				}
+				enumerator->destroy(enumerator);
+
+				if (task == NULL)
+				{
+					task = (task_t*)ike_dpd_create(FALSE);
+				}
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+				break;
+			}
+#ifdef ME
+			case ME_CONNECT:
+			{
+				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+				array_insert(this->passive_tasks, ARRAY_TAIL, task);
+			}
+#endif /* ME */
+			default:
+				break;
+		}
+	}
+
+	/* let the tasks process the message */
+	enumerator = array_create_enumerator(this->passive_tasks);
+	while (enumerator->enumerate(enumerator, (void*)&task))
+	{
+		switch (task->process(task, message))
+		{
+			case SUCCESS:
+				/* task completed, remove it */
+				array_remove_at(this->passive_tasks, enumerator);
+				task->destroy(task);
+				break;
+			case NEED_MORE:
+				/* processed, but task needs at least another call to build() */
+				break;
+			case FAILED:
+			default:
+				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+				/* FALL */
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				array_remove_at(this->passive_tasks, enumerator);
+				enumerator->destroy(enumerator);
+				task->destroy(task);
+				return DESTROY_ME;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return build_response(this, message);
+}
+
+METHOD(task_manager_t, incr_mid, void,
+	private_task_manager_t *this, bool initiate)
+{
+	if (initiate)
+	{
+		this->initiating.mid++;
+	}
+	else
+	{
+		this->responding.mid++;
+	}
+}
+
+/**
+ * Send a notify back to the sender
+ */
+static void send_notify_response(private_task_manager_t *this,
+								 message_t *request, notify_type_t type,
+								 chunk_t data)
+{
+	message_t *response;
+	packet_t *packet;
+	host_t *me, *other;
+
+	response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
+	response->set_exchange_type(response, request->get_exchange_type(request));
+	response->set_request(response, FALSE);
+	response->set_message_id(response, request->get_message_id(request));
+	response->add_notify(response, FALSE, type, data);
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	if (me->is_anyaddr(me))
+	{
+		me = request->get_destination(request);
+		this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
+	}
+	other = this->ike_sa->get_other_host(this->ike_sa);
+	if (other->is_anyaddr(other))
+	{
+		other = request->get_source(request);
+		this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+	}
+	response->set_source(response, me->clone(me));
+	response->set_destination(response, other->clone(other));
+	if (this->ike_sa->generate_message(this->ike_sa, response,
+									   &packet) == SUCCESS)
+	{
+		charon->sender->send(charon->sender, packet);
+	}
+	response->destroy(response);
+}
+
+/**
+ * Parse the given message and verify that it is valid.
+ */
+static status_t parse_message(private_task_manager_t *this, message_t *msg)
+{
+	status_t status;
+	u_int8_t type = 0;
+
+	status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
+
+	if (status == SUCCESS)
+	{	/* check for unsupported critical payloads */
+		enumerator_t *enumerator;
+		unknown_payload_t *unknown;
+		payload_t *payload;
+
+		enumerator = msg->create_payload_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			unknown = (unknown_payload_t*)payload;
+			type = payload->get_type(payload);
+			if (!payload_is_known(type) &&
+				unknown->is_critical(unknown))
+			{
+				DBG1(DBG_ENC, "payload type %N is not supported, "
+					 "but its critical!", payload_type_names, type);
+				status = NOT_SUPPORTED;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (status != SUCCESS)
+	{
+		bool is_request = msg->get_request(msg);
+
+		switch (status)
+		{
+			case NOT_SUPPORTED:
+				DBG1(DBG_IKE, "critical unknown payloads found");
+				if (is_request)
+				{
+					send_notify_response(this, msg,
+										 UNSUPPORTED_CRITICAL_PAYLOAD,
+										 chunk_from_thing(type));
+					incr_mid(this, FALSE);
+				}
+				break;
+			case PARSE_ERROR:
+				DBG1(DBG_IKE, "message parsing failed");
+				if (is_request)
+				{
+					send_notify_response(this, msg,
+										 INVALID_SYNTAX, chunk_empty);
+					incr_mid(this, FALSE);
+				}
+				break;
+			case VERIFY_ERROR:
+				DBG1(DBG_IKE, "message verification failed");
+				if (is_request)
+				{
+					send_notify_response(this, msg,
+										 INVALID_SYNTAX, chunk_empty);
+					incr_mid(this, FALSE);
+				}
+				break;
+			case FAILED:
+				DBG1(DBG_IKE, "integrity check failed");
+				/* ignored */
+				break;
+			case INVALID_STATE:
+				DBG1(DBG_IKE, "found encrypted message, but no keys available");
+			default:
+				break;
+		}
+		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
+			 exchange_type_names, msg->get_exchange_type(msg),
+			 is_request ? "request" : "response",
+			 msg->get_message_id(msg));
+
+		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
+
+		if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
+		{	/* invalid initiation attempt, close SA */
+			return DESTROY_ME;
+		}
+	}
+	return status;
+}
+
+
+METHOD(task_manager_t, process_message, status_t,
+	private_task_manager_t *this, message_t *msg)
+{
+	host_t *me, *other;
+	status_t status;
+	u_int32_t mid;
+	bool schedule_delete_job = FALSE;
+
+	charon->bus->message(charon->bus, msg, TRUE, FALSE);
+	status = parse_message(this, msg);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	me = msg->get_destination(msg);
+	other = msg->get_source(msg);
+
+	/* if this IKE_SA is virgin, we check for a config */
+	if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
+	{
+		ike_cfg_t *ike_cfg;
+
+		ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+												me, other, IKEV2);
+		if (ike_cfg == NULL)
+		{
+			/* no config found for these hosts, destroy */
+			DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
+				 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
+			send_notify_response(this, msg,
+								 NO_PROPOSAL_CHOSEN, chunk_empty);
+			return DESTROY_ME;
+		}
+		this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
+		ike_cfg->destroy(ike_cfg);
+		/* add a timeout if peer does not establish it completely */
+		schedule_delete_job = TRUE;
+	}
+	this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
+								time_monotonic(NULL));
+
+	mid = msg->get_message_id(msg);
+	if (msg->get_request(msg))
+	{
+		if (mid == this->responding.mid)
+		{
+			/* reject initial messages once established */
+			if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
+				msg->get_exchange_type(msg) == IKE_AUTH)
+			{
+				if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
+					this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+				{
+					DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+						 exchange_type_names, msg->get_exchange_type(msg));
+					return FAILED;
+				}
+			}
+			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+				msg->get_exchange_type(msg) != IKE_SA_INIT)
+			{	/* only do host updates based on verified messages */
+				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+				{	/* with MOBIKE, we do no implicit updates */
+					this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
+				}
+			}
+			charon->bus->message(charon->bus, msg, TRUE, TRUE);
+			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
+			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
+				return SUCCESS;
+			}
+			if (process_request(this, msg) != SUCCESS)
+			{
+				flush(this);
+				return DESTROY_ME;
+			}
+			this->responding.mid++;
+		}
+		else if ((mid == this->responding.mid - 1) && this->responding.packet)
+		{
+			packet_t *clone;
+			host_t *host;
+
+			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
+				 "retransmitting response", mid);
+			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
+			clone = this->responding.packet->clone(this->responding.packet);
+			host = msg->get_destination(msg);
+			clone->set_source(clone, host->clone(host));
+			host = msg->get_source(msg);
+			clone->set_destination(clone, host->clone(host));
+			charon->sender->send(charon->sender, clone);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+				 mid, this->responding.mid);
+			if (msg->get_exchange_type(msg) == IKE_SA_INIT)
+			{	/* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
+				return DESTROY_ME;
+			}
+		}
+	}
+	else
+	{
+		if (mid == this->initiating.mid)
+		{
+			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+				msg->get_exchange_type(msg) != IKE_SA_INIT)
+			{	/* only do host updates based on verified messages */
+				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+				{	/* with MOBIKE, we do no implicit updates */
+					this->ike_sa->update_hosts(this->ike_sa, me, other, FALSE);
+				}
+			}
+			charon->bus->message(charon->bus, msg, TRUE, TRUE);
+			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
+			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
+				return SUCCESS;
+			}
+			if (process_response(this, msg) != SUCCESS)
+			{
+				flush(this);
+				return DESTROY_ME;
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+				 mid, this->initiating.mid);
+			return SUCCESS;
+		}
+	}
+
+	if (schedule_delete_job)
+	{
+		ike_sa_id_t *ike_sa_id;
+		job_t *job;
+
+		ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+		job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
+		lib->scheduler->schedule_job(lib->scheduler, job,
+				lib->settings->get_int(lib->settings,
+						"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
+						charon->name));
+	}
+	return SUCCESS;
+}
+
+METHOD(task_manager_t, queue_task, void,
+	private_task_manager_t *this, task_t *task)
+{
+	if (task->get_type(task) == TASK_IKE_MOBIKE)
+	{	/*  there is no need to queue more than one mobike task */
+		enumerator_t *enumerator;
+		task_t *current;
+
+		enumerator = array_create_enumerator(this->queued_tasks);
+		while (enumerator->enumerate(enumerator, &current))
+		{
+			if (current->get_type(current) == TASK_IKE_MOBIKE)
+			{
+				enumerator->destroy(enumerator);
+				task->destroy(task);
+				return;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
+	array_insert(this->queued_tasks, ARRAY_TAIL, task);
+}
+
+/**
+ * Check if a given task has been queued already
+ */
+static bool has_queued(private_task_manager_t *this, task_type_t type)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+	task_t *task;
+
+	enumerator = array_create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == type)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+METHOD(task_manager_t, queue_ike, void,
+	private_task_manager_t *this)
+{
+	if (!has_queued(this, TASK_IKE_VENDOR))
+	{
+		queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_IKE_INIT))
+	{
+		queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
+	}
+	if (!has_queued(this, TASK_IKE_NATD))
+	{
+		queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_IKE_CERT_PRE))
+	{
+		queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_IKE_AUTH))
+	{
+		queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_IKE_CERT_POST))
+	{
+		queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_IKE_CONFIG))
+	{
+		queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
+	{
+		queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
+	}
+	if (!has_queued(this, TASK_IKE_MOBIKE))
+	{
+		peer_cfg_t *peer_cfg;
+
+		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		if (peer_cfg->use_mobike(peer_cfg))
+		{
+			queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
+		}
+	}
+#ifdef ME
+	if (!has_queued(this, TASK_IKE_ME))
+	{
+		queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
+	}
+#endif /* ME */
+}
+
+METHOD(task_manager_t, queue_ike_rekey, void,
+	private_task_manager_t *this)
+{
+	queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
+}
+
+METHOD(task_manager_t, queue_ike_reauth, void,
+	private_task_manager_t *this)
+{
+	queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
+}
+
+METHOD(task_manager_t, queue_ike_delete, void,
+	private_task_manager_t *this)
+{
+	queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
+}
+
+METHOD(task_manager_t, queue_mobike, void,
+	private_task_manager_t *this, bool roam, bool address)
+{
+	ike_mobike_t *mobike;
+
+	mobike = ike_mobike_create(this->ike_sa, TRUE);
+	if (roam)
+	{
+		mobike->roam(mobike, address);
+	}
+	else
+	{
+		mobike->addresses(mobike);
+	}
+	queue_task(this, &mobike->task);
+}
+
+METHOD(task_manager_t, queue_child, void,
+	private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
+	traffic_selector_t *tsi, traffic_selector_t *tsr)
+{
+	child_create_t *task;
+
+	task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
+	if (reqid)
+	{
+		task->use_reqid(task, reqid);
+	}
+	queue_task(this, &task->task);
+}
+
+METHOD(task_manager_t, queue_child_rekey, void,
+	private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
+{
+	queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
+}
+
+METHOD(task_manager_t, queue_child_delete, void,
+	private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
+	bool expired)
+{
+	queue_task(this, (task_t*)child_delete_create(this->ike_sa,
+												  protocol, spi, expired));
+}
+
+METHOD(task_manager_t, queue_dpd, void,
+	private_task_manager_t *this)
+{
+	ike_mobike_t *mobike;
+
+	if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
+		this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
+	{
+		/* use mobike enabled DPD to detect NAT mapping changes */
+		mobike = ike_mobike_create(this->ike_sa, TRUE);
+		mobike->dpd(mobike);
+		queue_task(this, &mobike->task);
+	}
+	else
+	{
+		queue_task(this, (task_t*)ike_dpd_create(TRUE));
+	}
+}
+
+METHOD(task_manager_t, adopt_tasks, void,
+	private_task_manager_t *this, task_manager_t *other_public)
+{
+	private_task_manager_t *other = (private_task_manager_t*)other_public;
+	task_t *task;
+
+	/* move queued tasks from other to this */
+	while (array_remove(other->queued_tasks, ARRAY_TAIL, &task))
+	{
+		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
+		task->migrate(task, this->ike_sa);
+		array_insert(this->queued_tasks, ARRAY_HEAD, task);
+	}
+}
+
+/**
+ * Migrates child-creating tasks from src to dst
+ */
+static void migrate_child_tasks(private_task_manager_t *this,
+								array_t *src, array_t *dst)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	enumerator = array_create_enumerator(src);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (task->get_type(task) == TASK_CHILD_CREATE)
+		{
+			array_remove_at(src, enumerator);
+			task->migrate(task, this->ike_sa);
+			array_insert(dst, ARRAY_TAIL, task);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_manager_t, adopt_child_tasks, void,
+	private_task_manager_t *this, task_manager_t *other_public)
+{
+	private_task_manager_t *other = (private_task_manager_t*)other_public;
+
+	/* move active child tasks from other to this */
+	migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
+	/* do the same for queued tasks */
+	migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
+}
+
+METHOD(task_manager_t, busy, bool,
+	private_task_manager_t *this)
+{
+	return array_count(this->active_tasks) > 0;
+}
+
+METHOD(task_manager_t, reset, void,
+	private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+
+	/* reset message counters and retransmit packets */
+	DESTROY_IF(this->responding.packet);
+	DESTROY_IF(this->initiating.packet);
+	this->responding.packet = NULL;
+	this->initiating.packet = NULL;
+	if (initiate != UINT_MAX)
+	{
+		this->initiating.mid = initiate;
+	}
+	if (respond != UINT_MAX)
+	{
+		this->responding.mid = respond;
+	}
+	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+
+	/* reset queued tasks */
+	enumerator = array_create_enumerator(this->queued_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		task->migrate(task, this->ike_sa);
+	}
+	enumerator->destroy(enumerator);
+
+	/* reset active tasks */
+	while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
+	{
+		task->migrate(task, this->ike_sa);
+		array_insert(this->queued_tasks, ARRAY_HEAD, task);
+	}
+
+	this->reset = TRUE;
+}
+
+METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
+	private_task_manager_t *this, task_queue_t queue)
+{
+	switch (queue)
+	{
+		case TASK_QUEUE_ACTIVE:
+			return array_create_enumerator(this->active_tasks);
+		case TASK_QUEUE_PASSIVE:
+			return array_create_enumerator(this->passive_tasks);
+		case TASK_QUEUE_QUEUED:
+			return array_create_enumerator(this->queued_tasks);
+		default:
+			return enumerator_create_empty();
+	}
+}
+
+METHOD(task_manager_t, destroy, void,
+	private_task_manager_t *this)
+{
+	flush(this);
+
+	array_destroy(this->active_tasks);
+	array_destroy(this->queued_tasks);
+	array_destroy(this->passive_tasks);
+
+	DESTROY_IF(this->responding.packet);
+	DESTROY_IF(this->initiating.packet);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
+{
+	private_task_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.task_manager = {
+				.process_message = _process_message,
+				.queue_task = _queue_task,
+				.queue_ike = _queue_ike,
+				.queue_ike_rekey = _queue_ike_rekey,
+				.queue_ike_reauth = _queue_ike_reauth,
+				.queue_ike_delete = _queue_ike_delete,
+				.queue_mobike = _queue_mobike,
+				.queue_child = _queue_child,
+				.queue_child_rekey = _queue_child_rekey,
+				.queue_child_delete = _queue_child_delete,
+				.queue_dpd = _queue_dpd,
+				.initiate = _initiate,
+				.retransmit = _retransmit,
+				.incr_mid = _incr_mid,
+				.reset = _reset,
+				.adopt_tasks = _adopt_tasks,
+				.adopt_child_tasks = _adopt_child_tasks,
+				.busy = _busy,
+				.create_task_enumerator = _create_task_enumerator,
+				.flush_queue = _flush_queue,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.initiating.type = EXCHANGE_TYPE_UNDEFINED,
+		.queued_tasks = array_create(0, 0),
+		.active_tasks = array_create(0, 0),
+		.passive_tasks = array_create(0, 0),
+		.retransmit_tries = lib->settings->get_int(lib->settings,
+					"%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
+		.retransmit_timeout = lib->settings->get_double(lib->settings,
+					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
+		.retransmit_base = lib->settings->get_double(lib->settings,
+					"%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.h b/src/libcharon/sa/ikev2/task_manager_v2.h
new file mode 100644
index 000000000..70444ae27
--- /dev/null
+++ b/src/libcharon/sa/ikev2/task_manager_v2.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup task_manager_v2 task_manager_v2
+ * @{ @ingroup ikev2
+ */
+
+#ifndef TASK_MANAGER_V2_H_
+#define TASK_MANAGER_V2_H_
+
+typedef struct task_manager_v2_t task_manager_v2_t;
+
+#include <sa/task_manager.h>
+
+/**
+ * Task manager, IKEv2 variant.
+ */
+struct task_manager_v2_t {
+
+	/**
+	 * Implements task_manager_t.
+	 */
+	task_manager_t task_manager;
+};
+
+/**
+ * Create an instance of the task manager.
+ *
+ * @param ike_sa		IKE_SA to manage.
+ */
+task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa);
+
+#endif /** TASK_MANAGER_V2_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
new file mode 100644
index 000000000..8ae36af84
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -0,0 +1,1609 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_create.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <sa/ikev2/keymat_v2.h>
+#include <crypto/diffie_hellman.h>
+#include <credentials/certificates/x509.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/inactivity_job.h>
+
+
+typedef struct private_child_create_t private_child_create_t;
+
+/**
+ * Private members of a child_create_t task.
+ */
+struct private_child_create_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	child_create_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * nonce chosen by us
+	 */
+	chunk_t my_nonce;
+
+	/**
+	 * nonce chosen by peer
+	 */
+	chunk_t other_nonce;
+
+	/**
+	 * config to create the CHILD_SA from
+	 */
+	child_cfg_t *config;
+
+	/**
+	 * list of proposal candidates
+	 */
+	linked_list_t *proposals;
+
+	/**
+	 * selected proposal to use for CHILD_SA
+	 */
+	proposal_t *proposal;
+
+	/**
+	 * traffic selectors for initiators side
+	 */
+	linked_list_t *tsi;
+
+	/**
+	 * traffic selectors for responders side
+	 */
+	linked_list_t *tsr;
+
+	/**
+	 * source of triggering packet
+	 */
+	traffic_selector_t *packet_tsi;
+
+	/**
+	 * destination of triggering packet
+	 */
+	traffic_selector_t *packet_tsr;
+
+	/**
+	 * optional diffie hellman exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * group used for DH exchange
+	 */
+	diffie_hellman_group_t dh_group;
+
+	/**
+	 * IKE_SAs keymat
+	 */
+	keymat_v2_t *keymat;
+
+	/**
+	 * mode the new CHILD_SA uses (transport/tunnel/beet)
+	 */
+	ipsec_mode_t mode;
+
+	/**
+	 * peer accepts TFC padding for this SA
+	 */
+	bool tfcv3;
+
+	/**
+	 * IPComp transform to use
+	 */
+	ipcomp_transform_t ipcomp;
+
+	/**
+	 * IPComp transform proposed or accepted by the other peer
+	 */
+	ipcomp_transform_t ipcomp_received;
+
+	/**
+	 * Own allocated SPI
+	 */
+	u_int32_t my_spi;
+
+	/**
+	 * SPI received in proposal
+	 */
+	u_int32_t other_spi;
+
+	/**
+	 * Own allocated Compression Parameter Index (CPI)
+	 */
+	u_int16_t my_cpi;
+
+	/**
+	 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
+	 */
+	u_int16_t other_cpi;
+
+	/**
+	 * reqid to use if we are rekeying
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * CHILD_SA which gets established
+	 */
+	child_sa_t *child_sa;
+
+	/**
+	 * successfully established the CHILD?
+	 */
+	bool established;
+
+	/**
+	 * whether the CHILD_SA rekeys an existing one
+	 */
+	bool rekey;
+
+	/**
+	 * whether we are retrying with another DH group
+	 */
+	bool retry;
+};
+
+/**
+ * get the nonce from a message
+ */
+static status_t get_nonce(message_t *message, chunk_t *nonce)
+{
+	nonce_payload_t *payload;
+
+	payload = (nonce_payload_t*)message->get_payload(message, NONCE);
+	if (payload == NULL)
+	{
+		return FAILED;
+	}
+	*nonce = payload->get_nonce(payload);
+	return NEED_MORE;
+}
+
+/**
+ * generate a new nonce to include in a CREATE_CHILD_SA message
+ */
+static status_t generate_nonce(private_child_create_t *this)
+{
+	nonce_gen_t *nonceg;
+
+	nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+	if (!nonceg)
+	{
+		DBG1(DBG_IKE, "no nonce generator found to create nonce");
+		return FAILED;
+	}
+	if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+	{
+		DBG1(DBG_IKE, "nonce allocation failed");
+		nonceg->destroy(nonceg);
+		return FAILED;
+	}
+	nonceg->destroy(nonceg);
+
+	return SUCCESS;
+}
+
+/**
+ * Check a list of traffic selectors if any selector belongs to host
+ */
+static bool ts_list_is_host(linked_list_t *list, host_t *host)
+{
+	traffic_selector_t *ts;
+	bool is_host = TRUE;
+	enumerator_t *enumerator = list->create_enumerator(list);
+
+	while (is_host && enumerator->enumerate(enumerator, (void**)&ts))
+	{
+		is_host = is_host && ts->is_host(ts, host);
+	}
+	enumerator->destroy(enumerator);
+	return is_host;
+}
+
+/**
+ * Allocate SPIs and update proposals
+ */
+static bool allocate_spi(private_child_create_t *this)
+{
+	enumerator_t *enumerator;
+	proposal_t *proposal;
+
+	/* TODO: allocate additional SPI for AH if we have such proposals */
+	this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+	if (this->my_spi)
+	{
+		if (this->initiator)
+		{
+			enumerator = this->proposals->create_enumerator(this->proposals);
+			while (enumerator->enumerate(enumerator, &proposal))
+			{
+				proposal->set_spi(proposal, this->my_spi);
+			}
+			enumerator->destroy(enumerator);
+		}
+		else
+		{
+			this->proposal->set_spi(this->proposal, this->my_spi);
+		}
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
+ */
+static void schedule_inactivity_timeout(private_child_create_t *this)
+{
+	u_int32_t timeout;
+	bool close_ike;
+
+	timeout = this->config->get_inactivity(this->config);
+	if (timeout)
+	{
+		close_ike = lib->settings->get_bool(lib->settings,
+								"%s.inactivity_close_ike", FALSE, charon->name);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
+									  timeout, close_ike), timeout);
+	}
+}
+
+/**
+ * Check if we have a an address pool configured
+ */
+static bool have_pool(ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	peer_cfg_t *peer_cfg;
+	char *pool;
+	bool found = FALSE;
+
+	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+		if (enumerator->enumerate(enumerator, &pool))
+		{
+			found = TRUE;
+		}
+		enumerator->destroy(enumerator);
+	}
+	return found;
+}
+
+/**
+ * Get hosts to use for dynamic traffic selectors
+ */
+static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
+{
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	host_t *host;
+
+	list = linked_list_create();
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		list->insert_last(list, host);
+	}
+	enumerator->destroy(enumerator);
+
+	if (list->get_count(list) == 0)
+	{	/* no virtual IPs assigned */
+		if (local)
+		{
+			host = ike_sa->get_my_host(ike_sa);
+			list->insert_last(list, host);
+		}
+		else if (!have_pool(ike_sa))
+		{	/* use host only if we don't have a pool configured */
+			host = ike_sa->get_other_host(ike_sa);
+			list->insert_last(list, host);
+		}
+	}
+	return list;
+}
+
+/**
+ * Substitude any host address with NATed address in traffic selector
+ */
+static linked_list_t* get_transport_nat_ts(private_child_create_t *this,
+										   bool local, linked_list_t *in)
+{
+	enumerator_t *enumerator;
+	linked_list_t *out;
+	traffic_selector_t *ts;
+	host_t *ike, *first = NULL;
+	u_int8_t mask;
+
+	if (local)
+	{
+		ike = this->ike_sa->get_my_host(this->ike_sa);
+	}
+	else
+	{
+		ike = this->ike_sa->get_other_host(this->ike_sa);
+	}
+
+	out = linked_list_create();
+
+	enumerator = in->create_enumerator(in);
+	while (enumerator->enumerate(enumerator, &ts))
+	{
+		/* require that all selectors match the first "host" selector */
+		if (ts->is_host(ts, first))
+		{
+			if (!first)
+			{
+				ts->to_subnet(ts, &first, &mask);
+			}
+			ts = ts->clone(ts);
+			ts->set_address(ts, ike);
+			out->insert_last(out, ts);
+		}
+	}
+	enumerator->destroy(enumerator);
+	DESTROY_IF(first);
+
+	return out;
+}
+
+/**
+ * Narrow received traffic selectors with configuration
+ */
+static linked_list_t* narrow_ts(private_child_create_t *this, bool local,
+								linked_list_t *in)
+{
+	linked_list_t *hosts, *nat, *ts;
+	ike_condition_t cond;
+
+	cond = local ? COND_NAT_HERE : COND_NAT_THERE;
+	hosts = get_dynamic_hosts(this->ike_sa, local);
+
+	if (this->mode == MODE_TRANSPORT &&
+		this->ike_sa->has_condition(this->ike_sa, cond))
+	{
+		nat = get_transport_nat_ts(this, local, in);
+		ts = this->config->get_traffic_selectors(this->config, local, nat, hosts);
+		nat->destroy_offset(nat, offsetof(traffic_selector_t, destroy));
+	}
+	else
+	{
+		ts = this->config->get_traffic_selectors(this->config, local, in, hosts);
+	}
+
+	hosts->destroy(hosts);
+
+	return ts;
+}
+
+/**
+ * Install a CHILD_SA for usage, return value:
+ * - FAILED: no acceptable proposal
+ * - INVALID_ARG: diffie hellman group inacceptable
+ * - NOT_FOUND: TS inacceptable
+ */
+static status_t select_and_install(private_child_create_t *this,
+								   bool no_dh, bool ike_auth)
+{
+	status_t status, status_i, status_o;
+	chunk_t nonce_i, nonce_r;
+	chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
+	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
+	linked_list_t *my_ts, *other_ts;
+	host_t *me, *other;
+	bool private;
+
+	if (this->proposals == NULL)
+	{
+		DBG1(DBG_IKE, "SA payload missing in message");
+		return FAILED;
+	}
+	if (this->tsi == NULL || this->tsr == NULL)
+	{
+		DBG1(DBG_IKE, "TS payloads missing in message");
+		return NOT_FOUND;
+	}
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	other = this->ike_sa->get_other_host(this->ike_sa);
+
+	private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+	this->proposal = this->config->select_proposal(this->config,
+											this->proposals, no_dh, private);
+	if (this->proposal == NULL)
+	{
+		DBG1(DBG_IKE, "no acceptable proposal found");
+		charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD,
+						   this->proposals);
+		return FAILED;
+	}
+	this->other_spi = this->proposal->get_spi(this->proposal);
+
+	if (!this->initiator && !allocate_spi(this))
+	{	/* responder has no SPI allocated yet */
+		DBG1(DBG_IKE, "allocating SPI failed");
+		return FAILED;
+	}
+	this->child_sa->set_proposal(this->child_sa, this->proposal);
+
+	if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
+	{
+		u_int16_t group;
+
+		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
+										  &group, NULL))
+		{
+			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
+				 diffie_hellman_group_names, this->dh_group,
+				 diffie_hellman_group_names, group);
+			this->dh_group = group;
+			return INVALID_ARG;
+		}
+		/* the selected proposal does not use a DH group */
+		DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
+		DESTROY_IF(this->dh);
+		this->dh = NULL;
+		this->dh_group = MODP_NONE;
+	}
+
+	if (this->initiator)
+	{
+		nonce_i = this->my_nonce;
+		nonce_r = this->other_nonce;
+		my_ts = narrow_ts(this, TRUE, this->tsi);
+		other_ts = narrow_ts(this, FALSE, this->tsr);
+	}
+	else
+	{
+		nonce_r = this->my_nonce;
+		nonce_i = this->other_nonce;
+		my_ts = narrow_ts(this, TRUE, this->tsr);
+		other_ts = narrow_ts(this, FALSE, this->tsi);
+	}
+
+	if (this->initiator)
+	{
+		if (ike_auth)
+		{
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
+		}
+		else
+		{
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
+		}
+	}
+	else
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_RESPONDER, my_ts, other_ts);
+	}
+
+	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+	{
+		charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
+		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+		DBG1(DBG_IKE, "no acceptable traffic selectors found");
+		return NOT_FOUND;
+	}
+
+	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	if (this->initiator)
+	{
+		this->tsi = my_ts;
+		this->tsr = other_ts;
+	}
+	else
+	{
+		this->tsr = my_ts;
+		this->tsi = other_ts;
+	}
+
+	if (!this->initiator)
+	{
+		/* check if requested mode is acceptable, downgrade if required */
+		switch (this->mode)
+		{
+			case MODE_TRANSPORT:
+				if (!this->config->use_proxy_mode(this->config) &&
+					   (!ts_list_is_host(this->tsi, other) ||
+						!ts_list_is_host(this->tsr, me))
+				   )
+				{
+					this->mode = MODE_TUNNEL;
+					DBG1(DBG_IKE, "not using transport mode, not host-to-host");
+				}
+				if (this->config->get_mode(this->config) != MODE_TRANSPORT)
+				{
+					this->mode = MODE_TUNNEL;
+				}
+				break;
+			case MODE_BEET:
+				if (!ts_list_is_host(this->tsi, NULL) ||
+					!ts_list_is_host(this->tsr, NULL))
+				{
+					this->mode = MODE_TUNNEL;
+					DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
+				}
+				if (this->config->get_mode(this->config) != MODE_BEET)
+				{
+					this->mode = MODE_TUNNEL;
+				}
+				break;
+			default:
+				break;
+		}
+	}
+
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
+	this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
+	this->child_sa->set_mode(this->child_sa, this->mode);
+	this->child_sa->set_protocol(this->child_sa,
+								 this->proposal->get_protocol(this->proposal));
+
+	if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
+	{
+		this->my_cpi = this->other_cpi = 0;
+		this->ipcomp = IPCOMP_NONE;
+	}
+	status_i = status_o = FAILED;
+	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
+			this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
+	{
+		if (this->initiator)
+		{
+			status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
+							this->my_spi, this->my_cpi, this->initiator,
+							TRUE, this->tfcv3, my_ts, other_ts);
+			status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
+							this->other_spi, this->other_cpi, this->initiator,
+							FALSE, this->tfcv3, my_ts, other_ts);
+		}
+		else
+		{
+			status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
+							this->my_spi, this->my_cpi, this->initiator,
+							TRUE, this->tfcv3, my_ts, other_ts);
+			status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
+							this->other_spi, this->other_cpi, this->initiator,
+							FALSE, this->tfcv3, my_ts, other_ts);
+		}
+	}
+	chunk_clear(&integ_i);
+	chunk_clear(&integ_r);
+	chunk_clear(&encr_i);
+	chunk_clear(&encr_r);
+
+	if (status_i != SUCCESS || status_o != SUCCESS)
+	{
+		DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
+			(status_i != SUCCESS) ? "inbound " : "",
+			(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
+			(status_o != SUCCESS) ? "outbound " : "");
+		charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_SA_FAILED,
+						   this->child_sa);
+		return FAILED;
+	}
+
+	if (this->initiator)
+	{
+		status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
+	}
+	else
+	{
+		/* use a copy of the traffic selectors, as the POST hook should not
+		 * change payloads */
+		my_ts = this->tsr->clone_offset(this->tsr,
+										offsetof(traffic_selector_t, clone));
+		other_ts = this->tsi->clone_offset(this->tsi,
+										offsetof(traffic_selector_t, clone));
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_RESPONDER_POST, my_ts, other_ts);
+		if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+		{
+			status = FAILED;
+		}
+		else
+		{
+			status = this->child_sa->add_policies(this->child_sa,
+												   my_ts, other_ts);
+		}
+		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+	}
+	if (status != SUCCESS)
+	{
+		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+		charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED,
+						   this->child_sa);
+		return NOT_FOUND;
+	}
+
+	charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
+							this->dh, nonce_i, nonce_r);
+
+	/* add to IKE_SA, and remove from task */
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
+	this->established = TRUE;
+
+	if (!this->rekey)
+	{	/* a rekeyed SA uses the same reqid, no need for a new job */
+		schedule_inactivity_timeout(this);
+	}
+
+	my_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
+	other_ts = linked_list_create_from_enumerator(
+				this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
+
+	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+		 this->child_sa->get_name(this->child_sa),
+		 this->child_sa->get_reqid(this->child_sa),
+		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
+
+	my_ts->destroy(my_ts);
+	other_ts->destroy(other_ts);
+
+	return SUCCESS;
+}
+
+/**
+ * build the payloads for the message
+ */
+static void build_payloads(private_child_create_t *this, message_t *message)
+{
+	sa_payload_t *sa_payload;
+	nonce_payload_t *nonce_payload;
+	ke_payload_t *ke_payload;
+	ts_payload_t *ts_payload;
+	kernel_feature_t features;
+
+	/* add SA payload */
+	if (this->initiator)
+	{
+		sa_payload = sa_payload_create_from_proposals_v2(this->proposals);
+	}
+	else
+	{
+		sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
+	}
+	message->add_payload(message, (payload_t*)sa_payload);
+
+	/* add nonce payload if not in IKE_AUTH */
+	if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+	{
+		nonce_payload = nonce_payload_create(NONCE);
+		nonce_payload->set_nonce(nonce_payload, this->my_nonce);
+		message->add_payload(message, (payload_t*)nonce_payload);
+	}
+
+	/* diffie hellman exchange, if PFS enabled */
+	if (this->dh)
+	{
+		ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE,
+														   this->dh);
+		message->add_payload(message, (payload_t*)ke_payload);
+	}
+
+	/* add TSi/TSr payloads */
+	ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
+	message->add_payload(message, (payload_t*)ts_payload);
+	ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
+	message->add_payload(message, (payload_t*)ts_payload);
+
+	/* add a notify if we are not in tunnel mode */
+	switch (this->mode)
+	{
+		case MODE_TRANSPORT:
+			message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
+			break;
+		case MODE_BEET:
+			message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
+			break;
+		default:
+			break;
+	}
+
+	features = hydra->kernel_interface->get_features(hydra->kernel_interface);
+	if (!(features & KERNEL_ESP_V3_TFC))
+	{
+		message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
+							chunk_empty);
+	}
+}
+
+/**
+ * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
+ */
+static void add_ipcomp_notify(private_child_create_t *this,
+								  message_t *message, u_int8_t ipcomp)
+{
+	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
+	if (this->my_cpi)
+	{
+		this->ipcomp = ipcomp;
+		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
+							chunk_cata("cc", chunk_from_thing(this->my_cpi),
+									   chunk_from_thing(ipcomp)));
+	}
+	else
+	{
+		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
+	}
+}
+
+/**
+ * handle a received notify payload
+ */
+static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
+{
+	switch (notify->get_notify_type(notify))
+	{
+		case USE_TRANSPORT_MODE:
+			this->mode = MODE_TRANSPORT;
+			break;
+		case USE_BEET_MODE:
+			if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+			{	/* handle private use notify only if we know its meaning */
+				this->mode = MODE_BEET;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
+					 "mode, but peer implementation unknown, skipped");
+			}
+			break;
+		case IPCOMP_SUPPORTED:
+		{
+			ipcomp_transform_t ipcomp;
+			u_int16_t cpi;
+			chunk_t data;
+
+			data = notify->get_notification_data(notify);
+			cpi = *(u_int16_t*)data.ptr;
+			ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
+			switch (ipcomp)
+			{
+				case IPCOMP_DEFLATE:
+					this->other_cpi = cpi;
+					this->ipcomp_received = ipcomp;
+					break;
+				case IPCOMP_LZS:
+				case IPCOMP_LZJH:
+				default:
+					DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
+						 "transform ID we don't support %N",
+						 ipcomp_transform_names, ipcomp);
+					break;
+			}
+			break;
+		}
+		case ESP_TFC_PADDING_NOT_SUPPORTED:
+			DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
+				 notify_type_names, notify->get_notify_type(notify));
+			this->tfcv3 = FALSE;
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * Read payloads from message
+ */
+static void process_payloads(private_child_create_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	sa_payload_t *sa_payload;
+	ke_payload_t *ke_payload;
+	ts_payload_t *ts_payload;
+
+	/* defaults to TUNNEL mode */
+	this->mode = MODE_TUNNEL;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		switch (payload->get_type(payload))
+		{
+			case SECURITY_ASSOCIATION:
+				sa_payload = (sa_payload_t*)payload;
+				this->proposals = sa_payload->get_proposals(sa_payload);
+				break;
+			case KEY_EXCHANGE:
+				ke_payload = (ke_payload_t*)payload;
+				if (!this->initiator)
+				{
+					this->dh_group = ke_payload->get_dh_group_number(ke_payload);
+					this->dh = this->keymat->keymat.create_dh(
+										&this->keymat->keymat, this->dh_group);
+				}
+				if (this->dh)
+				{
+					this->dh->set_other_public_value(this->dh,
+								ke_payload->get_key_exchange_data(ke_payload));
+				}
+				break;
+			case TRAFFIC_SELECTOR_INITIATOR:
+				ts_payload = (ts_payload_t*)payload;
+				this->tsi = ts_payload->get_traffic_selectors(ts_payload);
+				break;
+			case TRAFFIC_SELECTOR_RESPONDER:
+				ts_payload = (ts_payload_t*)payload;
+				this->tsr = ts_payload->get_traffic_selectors(ts_payload);
+				break;
+			case NOTIFY:
+				handle_notify(this, (notify_payload_t*)payload);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+	private_child_create_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	host_t *vip;
+	peer_cfg_t *peer_cfg;
+	linked_list_t *list;
+
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->my_nonce);
+		case CREATE_CHILD_SA:
+			if (generate_nonce(this) != SUCCESS)
+			{
+				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+				return SUCCESS;
+			}
+			if (!this->retry)
+			{
+				this->dh_group = this->config->get_dh_group(this->config);
+			}
+			break;
+		case IKE_AUTH:
+			if (message->get_message_id(message) != 1)
+			{
+				/* send only in the first request, not in subsequent rounds */
+				return NEED_MORE;
+			}
+			break;
+		default:
+			break;
+	}
+
+	if (this->reqid)
+	{
+		DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
+			 this->config->get_name(this->config), this->reqid);
+	}
+	else
+	{
+		DBG0(DBG_IKE, "establishing CHILD_SA %s",
+			 this->config->get_name(this->config));
+	}
+
+	/* check if we want a virtual IP, but don't have one */
+	list = linked_list_create();
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (!this->reqid)
+	{
+		enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
+		while (enumerator->enumerate(enumerator, &vip))
+		{
+			/* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
+			vip = host_create_any(vip->get_family(vip));
+			list->insert_last(list, vip);
+		}
+		enumerator->destroy(enumerator);
+	}
+	if (list->get_count(list))
+	{
+		this->tsi = this->config->get_traffic_selectors(this->config,
+														TRUE, NULL, list);
+		list->destroy_offset(list, offsetof(host_t, destroy));
+	}
+	else
+	{	/* no virtual IPs configured */
+		list->destroy(list);
+		list = get_dynamic_hosts(this->ike_sa, TRUE);
+		this->tsi = this->config->get_traffic_selectors(this->config,
+														TRUE, NULL, list);
+		list->destroy(list);
+	}
+	list = get_dynamic_hosts(this->ike_sa, FALSE);
+	this->tsr = this->config->get_traffic_selectors(this->config,
+													FALSE, NULL, list);
+	list->destroy(list);
+
+	if (this->packet_tsi)
+	{
+		this->tsi->insert_first(this->tsi,
+								this->packet_tsi->clone(this->packet_tsi));
+	}
+	if (this->packet_tsr)
+	{
+		this->tsr->insert_first(this->tsr,
+								this->packet_tsr->clone(this->packet_tsr));
+	}
+	this->proposals = this->config->get_proposals(this->config,
+												  this->dh_group == MODP_NONE);
+	this->mode = this->config->get_mode(this->config);
+
+	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+
+	if (!allocate_spi(this))
+	{
+		DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
+		return FAILED;
+	}
+
+	if (this->dh_group != MODP_NONE)
+	{
+		this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+												  this->dh_group);
+	}
+
+	if (this->config->use_ipcomp(this->config))
+	{
+		/* IPCOMP_DEFLATE is the only transform we support at the moment */
+		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
+	}
+
+	if (message->get_exchange_type(message) == IKE_AUTH)
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
+	}
+	else
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
+	}
+
+	build_payloads(this, message);
+
+	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+	this->tsi = NULL;
+	this->tsr = NULL;
+	this->proposals = NULL;
+
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_child_create_t *this, message_t *message)
+{
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->other_nonce);
+		case CREATE_CHILD_SA:
+			get_nonce(message, &this->other_nonce);
+			break;
+		case IKE_AUTH:
+			if (message->get_message_id(message) != 1)
+			{
+				/* only handle first AUTH payload, not additional rounds */
+				return NEED_MORE;
+			}
+		default:
+			break;
+	}
+
+	process_payloads(this, message);
+
+	return NEED_MORE;
+}
+
+/**
+ * handle CHILD_SA setup failure
+ */
+static void handle_child_sa_failure(private_child_create_t *this,
+									message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		lib->settings->get_bool(lib->settings,
+								"%s.close_ike_on_child_failure", FALSE, charon->name))
+	{
+		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
+		 * first */
+		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
+		lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
+			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
+			100);
+	}
+	else
+	{
+		DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
+		charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE);
+	}
+}
+
+/**
+ * Substitute transport mode NAT selectors, if applicable
+ */
+static linked_list_t* get_ts_if_nat_transport(private_child_create_t *this,
+											  bool local, linked_list_t *in)
+{
+	linked_list_t *out = NULL;
+	ike_condition_t cond;
+
+	if (this->mode == MODE_TRANSPORT)
+	{
+		cond = local ? COND_NAT_HERE : COND_NAT_THERE;
+		if (this->ike_sa->has_condition(this->ike_sa, cond))
+		{
+			out = get_transport_nat_ts(this, local, in);
+			if (out->get_count(out) == 0)
+			{
+				out->destroy(out);
+				out = NULL;
+			}
+		}
+	}
+	return out;
+}
+
+/**
+ * Select a matching CHILD config as responder
+ */
+static child_cfg_t* select_child_cfg(private_child_create_t *this)
+{
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg = NULL;;
+
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg && this->tsi && this->tsr)
+	{
+		linked_list_t *listr, *listi, *tsr, *tsi;
+
+		tsr = get_ts_if_nat_transport(this, TRUE, this->tsr);
+		tsi = get_ts_if_nat_transport(this, FALSE, this->tsi);
+
+		listr = get_dynamic_hosts(this->ike_sa, TRUE);
+		listi = get_dynamic_hosts(this->ike_sa, FALSE);
+		child_cfg = peer_cfg->select_child_cfg(peer_cfg,
+											tsr ?: this->tsr, tsi ?: this->tsi,
+											listr, listi);
+		if ((tsi || tsr) && child_cfg &&
+			child_cfg->get_mode(child_cfg) != MODE_TRANSPORT)
+		{
+			/* found a CHILD config, but it doesn't use transport mode */
+			child_cfg->destroy(child_cfg);
+			child_cfg = NULL;
+		}
+		if (!child_cfg && (tsi || tsr))
+		{
+			/* no match for the substituted NAT selectors, try it without */
+			child_cfg = peer_cfg->select_child_cfg(peer_cfg,
+											this->tsr, this->tsi, listr, listi);
+		}
+		listr->destroy(listr);
+		listi->destroy(listi);
+		DESTROY_OFFSET_IF(tsi, offsetof(traffic_selector_t, destroy));
+		DESTROY_OFFSET_IF(tsr, offsetof(traffic_selector_t, destroy));
+	}
+
+	return child_cfg;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_child_create_t *this, message_t *message)
+{
+	payload_t *payload;
+	enumerator_t *enumerator;
+	bool no_dh = TRUE, ike_auth = FALSE;
+
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->my_nonce);
+		case CREATE_CHILD_SA:
+			if (generate_nonce(this) != SUCCESS)
+			{
+				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
+									chunk_empty);
+				return SUCCESS;
+			}
+			no_dh = FALSE;
+			break;
+		case IKE_AUTH:
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+			{	/* wait until all authentication round completed */
+				return NEED_MORE;
+			}
+			ike_auth = TRUE;
+		default:
+			break;
+	}
+
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+	{
+		DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
+		message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
+		return SUCCESS;
+	}
+
+	if (this->config == NULL)
+	{
+		this->config = select_child_cfg(this);
+	}
+	if (this->config == NULL)
+	{
+		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
+			 this->tsr, this->tsi);
+		charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
+		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+		handle_child_sa_failure(this, message);
+		return SUCCESS;
+	}
+
+	/* check if ike_config_t included non-critical error notifies */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+
+			switch (notify->get_notify_type(notify))
+			{
+				case INTERNAL_ADDRESS_FAILURE:
+				case FAILED_CP_REQUIRED:
+				{
+					DBG1(DBG_IKE,"configuration payload negotiation "
+						 "failed, no CHILD_SA built");
+					enumerator->destroy(enumerator);
+					handle_child_sa_failure(this, message);
+					return SUCCESS;
+				}
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+
+	if (this->ipcomp_received != IPCOMP_NONE)
+	{
+		if (this->config->use_ipcomp(this->config))
+		{
+			add_ipcomp_notify(this, message, this->ipcomp_received);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
+				 notify_type_names, IPCOMP_SUPPORTED);
+		}
+	}
+
+	switch (select_and_install(this, no_dh, ike_auth))
+	{
+		case SUCCESS:
+			break;
+		case NOT_FOUND:
+			message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+			handle_child_sa_failure(this, message);
+			return SUCCESS;
+		case INVALID_ARG:
+		{
+			u_int16_t group = htons(this->dh_group);
+			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
+								chunk_from_thing(group));
+			handle_child_sa_failure(this, message);
+			return SUCCESS;
+		}
+		case FAILED:
+		default:
+			message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+			handle_child_sa_failure(this, message);
+			return SUCCESS;
+	}
+
+	build_payloads(this, message);
+
+	if (!this->rekey)
+	{	/* invoke the child_up() hook if we are not rekeying */
+		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+	}
+	return SUCCESS;
+}
+
+/**
+ * Raise alerts for received notify errors
+ */
+static void raise_alerts(private_child_create_t *this, notify_type_t type)
+{
+	linked_list_t *list;
+
+	switch (type)
+	{
+		case NO_PROPOSAL_CHOSEN:
+			list = this->config->get_proposals(this->config, FALSE);
+			charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD, list);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			break;
+		default:
+			break;
+	}
+}
+
+METHOD(task_t, build_i_delete, status_t,
+	private_child_create_t *this, message_t *message)
+{
+	message->set_exchange_type(message, INFORMATIONAL);
+	if (this->child_sa && this->proposal)
+	{
+		protocol_id_t proto;
+		delete_payload_t *del;
+		u_int32_t spi;
+
+		proto = this->proposal->get_protocol(this->proposal);
+		spi = this->child_sa->get_spi(this->child_sa, TRUE);
+		del = delete_payload_create(DELETE, proto);
+		del->add_spi(del, spi);
+		message->add_payload(message, (payload_t*)del);
+
+		DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+			 protocol_id_names, proto, ntohl(spi));
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Change task to delete the failed CHILD_SA as initiator
+ */
+static status_t delete_failed_sa(private_child_create_t *this)
+{
+	this->public.task.build = _build_i_delete;
+	this->public.task.process = (void*)return_success;
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_child_create_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	bool no_dh = TRUE, ike_auth = FALSE;
+
+	switch (message->get_exchange_type(message))
+	{
+		case IKE_SA_INIT:
+			return get_nonce(message, &this->other_nonce);
+		case CREATE_CHILD_SA:
+			get_nonce(message, &this->other_nonce);
+			no_dh = FALSE;
+			break;
+		case IKE_AUTH:
+			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+			{	/* wait until all authentication round completed */
+				return NEED_MORE;
+			}
+			ike_auth = TRUE;
+		default:
+			break;
+	}
+
+	/* check for erroneous notifies */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			notify_type_t type = notify->get_notify_type(notify);
+
+			switch (type)
+			{
+				/* handle notify errors related to CHILD_SA only */
+				case NO_PROPOSAL_CHOSEN:
+				case SINGLE_PAIR_REQUIRED:
+				case NO_ADDITIONAL_SAS:
+				case INTERNAL_ADDRESS_FAILURE:
+				case FAILED_CP_REQUIRED:
+				case TS_UNACCEPTABLE:
+				case INVALID_SELECTORS:
+				{
+					DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
+						 notify_type_names, type);
+					enumerator->destroy(enumerator);
+					raise_alerts(this, type);
+					handle_child_sa_failure(this, message);
+					/* an error in CHILD_SA creation is not critical */
+					return SUCCESS;
+				}
+				case INVALID_KE_PAYLOAD:
+				{
+					chunk_t data;
+					u_int16_t group = MODP_NONE;
+
+					data = notify->get_notification_data(notify);
+					if (data.len == sizeof(group))
+					{
+						memcpy(&group, data.ptr, data.len);
+						group = ntohs(group);
+					}
+					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
+						 "it requested %N", diffie_hellman_group_names,
+						 this->dh_group, diffie_hellman_group_names, group);
+					this->retry = TRUE;
+					this->dh_group = group;
+					this->public.task.migrate(&this->public.task, this->ike_sa);
+					enumerator->destroy(enumerator);
+					return NEED_MORE;
+				}
+				default:
+				{
+					if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+					{	/* handle notifies if not handled in IKE_AUTH */
+						if (type <= 16383)
+						{
+							DBG1(DBG_IKE, "received %N notify error",
+								 notify_type_names, type);
+							enumerator->destroy(enumerator);
+							return SUCCESS;
+						}
+						DBG2(DBG_IKE, "received %N notify",
+							 notify_type_names, type);
+					}
+					break;
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	process_payloads(this, message);
+
+	if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
+	{
+		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
+			 " one, no CHILD_SA built");
+		handle_child_sa_failure(this, message);
+		return delete_failed_sa(this);
+	}
+	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
+	{
+		DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
+			 "IPComp is disabled");
+		this->ipcomp = IPCOMP_NONE;
+	}
+	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
+	{
+		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
+			 "no CHILD_SA built");
+		handle_child_sa_failure(this, message);
+		return delete_failed_sa(this);
+	}
+
+	if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
+	{
+		if (!this->rekey)
+		{	/* invoke the child_up() hook if we are not rekeying */
+			charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+		}
+	}
+	else
+	{
+		handle_child_sa_failure(this, message);
+		return delete_failed_sa(this);
+	}
+	return SUCCESS;
+}
+
+METHOD(child_create_t, use_reqid, void,
+	private_child_create_t *this, u_int32_t reqid)
+{
+	this->reqid = reqid;
+}
+
+METHOD(child_create_t, get_child, child_sa_t*,
+	private_child_create_t *this)
+{
+	return this->child_sa;
+}
+
+METHOD(child_create_t, set_config, void,
+	private_child_create_t *this, child_cfg_t *cfg)
+{
+	DESTROY_IF(this->config);
+	this->config = cfg;
+}
+
+METHOD(child_create_t, get_lower_nonce, chunk_t,
+	private_child_create_t *this)
+{
+	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
+			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
+	{
+		return this->my_nonce;
+	}
+	else
+	{
+		return this->other_nonce;
+	}
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_child_create_t *this)
+{
+	return TASK_CHILD_CREATE;
+}
+
+METHOD(task_t, migrate, void,
+	private_child_create_t *this, ike_sa_t *ike_sa)
+{
+	chunk_free(&this->my_nonce);
+	chunk_free(&this->other_nonce);
+	if (this->tsr)
+	{
+		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	}
+	if (this->tsi)
+	{
+		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	}
+	DESTROY_IF(this->child_sa);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->dh);
+	if (this->proposals)
+	{
+		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+	}
+
+	this->ike_sa = ike_sa;
+	this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
+	this->proposal = NULL;
+	this->proposals = NULL;
+	this->tsi = NULL;
+	this->tsr = NULL;
+	this->dh = NULL;
+	this->child_sa = NULL;
+	this->mode = MODE_TUNNEL;
+	this->ipcomp = IPCOMP_NONE;
+	this->ipcomp_received = IPCOMP_NONE;
+	this->other_cpi = 0;
+	this->reqid = 0;
+	this->established = FALSE;
+}
+
+METHOD(task_t, destroy, void,
+	private_child_create_t *this)
+{
+	chunk_free(&this->my_nonce);
+	chunk_free(&this->other_nonce);
+	if (this->tsr)
+	{
+		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+	}
+	if (this->tsi)
+	{
+		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+	}
+	if (!this->established)
+	{
+		DESTROY_IF(this->child_sa);
+	}
+	DESTROY_IF(this->packet_tsi);
+	DESTROY_IF(this->packet_tsr);
+	DESTROY_IF(this->proposal);
+	DESTROY_IF(this->dh);
+	if (this->proposals)
+	{
+		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+	}
+
+	DESTROY_IF(this->config);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+							child_cfg_t *config, bool rekey,
+							traffic_selector_t *tsi, traffic_selector_t *tsr)
+{
+	private_child_create_t *this;
+
+	INIT(this,
+		.public = {
+			.get_child = _get_child,
+			.set_config = _set_config,
+			.get_lower_nonce = _get_lower_nonce,
+			.use_reqid = _use_reqid,
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.config = config,
+		.packet_tsi = tsi ? tsi->clone(tsi) : NULL,
+		.packet_tsr = tsr ? tsr->clone(tsr) : NULL,
+		.dh_group = MODP_NONE,
+		.keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
+		.mode = MODE_TUNNEL,
+		.tfcv3 = TRUE,
+		.ipcomp = IPCOMP_NONE,
+		.ipcomp_received = IPCOMP_NONE,
+		.rekey = rekey,
+		.retry = FALSE,
+	);
+
+	if (config)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+		this->initiator = TRUE;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+		this->initiator = FALSE;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h
index 5dedeb8b1..d29ba3d98 100644
--- a/src/libcharon/sa/tasks/child_create.h
+++ b/src/libcharon/sa/ikev2/tasks/child_create.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup child_create child_create
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef CHILD_CREATE_H_
@@ -25,11 +25,11 @@ typedef struct child_create_t child_create_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 #include <config/child_cfg.h>
 
 /**
- * Task of type CHILD_CREATE, established a new CHILD_SA.
+ * Task of type TASK_CHILD_CREATE, established a new CHILD_SA.
  *
  * This task may be included in the IKE_AUTH message or in a separate
  * CREATE_CHILD_SA exchange.
@@ -64,6 +64,13 @@ struct child_create_t {
 	 * @return			child_sa
 	 */
 	child_sa_t* (*get_child) (child_create_t *this);
+
+	/**
+	 * Enforce a specific CHILD_SA config as responder.
+	 *
+	 * @param cfg		configuration to enforce, reference gets owned
+	 */
+	void (*set_config)(child_create_t *this, child_cfg_t *cfg);
 };
 
 /**
diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index dc4b30dd3..eaaca2039 100644
--- a/src/libcharon/sa/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -62,6 +62,11 @@ struct private_child_delete_t {
 	bool rekeyed;
 
 	/**
+	 * CHILD_SA already expired?
+	 */
+	bool expired;
+
+	/**
 	 * CHILD_SAs which get deleted
 	 */
 	linked_list_t *child_sas;
@@ -87,7 +92,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 			case PROTO_ESP:
 				if (esp == NULL)
 				{
-					esp = delete_payload_create(PROTO_ESP);
+					esp = delete_payload_create(DELETE, PROTO_ESP);
 					message->add_payload(message, (payload_t*)esp);
 				}
 				esp->add_spi(esp, spi);
@@ -97,7 +102,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 			case PROTO_AH:
 				if (ah == NULL)
 				{
-					ah = delete_payload_create(PROTO_AH);
+					ah = delete_payload_create(DELETE, PROTO_AH);
 					message->add_payload(message, (payload_t*)ah);
 				}
 				ah->add_spi(ah, spi);
@@ -172,8 +177,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 					default:
 						break;
 				}
-
-				this->child_sas->insert_last(this->child_sas, child_sa);
+				if (this->child_sas->find_first(this->child_sas, NULL,
+												(void**)&child_sa) != SUCCESS)
+				{
+					this->child_sas->insert_last(this->child_sas, child_sa);
+				}
 			}
 			spis->destroy(spis);
 		}
@@ -214,12 +222,13 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 			{
 				case ACTION_RESTART:
 					child_cfg->get_ref(child_cfg);
-					status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
-													NULL, NULL);
+					status = this->ike_sa->initiate(this->ike_sa, child_cfg,
+									child_sa->get_reqid(child_sa), NULL, NULL);
 					break;
 				case ACTION_ROUTE:
 					charon->traps->install(charon->traps,
-							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
+							this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg,
+							child_sa->get_reqid(child_sa));
 					break;
 				default:
 					break;
@@ -240,6 +249,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
  */
 static void log_children(private_child_delete_t *this)
 {
+	linked_list_t *my_ts, *other_ts;
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
 	u_int64_t bytes_in, bytes_out;
@@ -247,16 +257,32 @@ static void log_children(private_child_delete_t *this)
 	enumerator = this->child_sas->create_enumerator(this->child_sas);
 	while (enumerator->enumerate(enumerator, (void**)&child_sa))
 	{
-		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
-		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
-
-		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
-			 "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
-			 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
-			 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
-			 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
-			 child_sa->get_traffic_selectors(child_sa, TRUE),
-			 child_sa->get_traffic_selectors(child_sa, FALSE));
+		my_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, TRUE));
+		other_ts = linked_list_create_from_enumerator(
+							child_sa->create_ts_enumerator(child_sa, FALSE));
+		if (this->expired)
+		{
+			DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
+				 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+				 ntohl(child_sa->get_spi(child_sa, TRUE)),
+				 ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
+		}
+		else
+		{
+			child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, NULL);
+			child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
+
+			DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i "
+				 "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
+				 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+				 ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
+				 ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
+				 my_ts, other_ts);
+		}
+		my_ts->destroy(my_ts);
+		other_ts->destroy(other_ts);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -292,10 +318,6 @@ METHOD(task_t, build_i, status_t,
 METHOD(task_t, process_i, status_t,
 	private_child_delete_t *this, message_t *message)
 {
-	/* flush the list before adding new SAs */
-	this->child_sas->destroy(this->child_sas);
-	this->child_sas = linked_list_create();
-
 	process_payloads(this, message);
 	DBG1(DBG_IKE, "CHILD_SA closed");
 	return destroy_and_reestablish(this);
@@ -324,7 +346,7 @@ METHOD(task_t, build_r, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_child_delete_t *this)
 {
-	return CHILD_DELETE;
+	return TASK_CHILD_DELETE;
 }
 
 METHOD(child_delete_t , get_child, child_sa_t*,
@@ -356,7 +378,7 @@ METHOD(task_t, destroy, void,
  * Described in header.
  */
 child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
-									u_int32_t spi)
+									u_int32_t spi, bool expired)
 {
 	private_child_delete_t *this;
 
@@ -373,6 +395,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 		.child_sas = linked_list_create(),
 		.protocol = protocol,
 		.spi = spi,
+		.expired = expired,
 	);
 
 	if (protocol != PROTO_NONE)
diff --git a/src/libcharon/sa/tasks/child_delete.h b/src/libcharon/sa/ikev2/tasks/child_delete.h
index 365807c68..1ada0699e 100644
--- a/src/libcharon/sa/tasks/child_delete.h
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup child_delete child_delete
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef CHILD_DELETE_H_
@@ -25,7 +25,7 @@ typedef struct child_delete_t child_delete_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 #include <sa/child_sa.h>
 
 /**
@@ -52,9 +52,10 @@ struct child_delete_t {
  * @param ike_sa		IKE_SA this task works for
  * @param protocol		protocol of CHILD_SA to delete, PROTO_NONE as responder
  * @param spi			inbound SPI of CHILD_SA to delete
+ * @param expired		TRUE if CHILD_SA already expired
  * @return				child_delete task to handle by the task_manager
  */
 child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
-									u_int32_t spi);
+									u_int32_t spi, bool expired);
 
 #endif /** CHILD_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index 76d185590..d2003bb45 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -18,8 +18,8 @@
 
 #include <daemon.h>
 #include <encoding/payloads/notify_payload.h>
-#include <sa/tasks/child_create.h>
-#include <sa/tasks/child_delete.h>
+#include <sa/ikev2/tasks/child_create.h>
+#include <sa/ikev2/tasks/child_delete.h>
 #include <processing/jobs/rekey_child_sa_job.h>
 #include <processing/jobs/rekey_ike_sa_job.h>
 
@@ -87,6 +87,24 @@ struct private_child_rekey_t {
 };
 
 /**
+ * Schedule a retry if rekeying temporary failed
+ */
+static void schedule_delayed_rekey(private_child_rekey_t *this)
+{
+	u_int32_t retry;
+	job_t *job;
+
+	retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+	job = (job_t*)rekey_child_sa_job_create(
+						this->child_sa->get_reqid(this->child_sa),
+						this->child_sa->get_protocol(this->child_sa),
+						this->child_sa->get_spi(this->child_sa, TRUE));
+	DBG1(DBG_IKE, "CHILD_SA rekeying failed, trying again in %d seconds", retry);
+	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+	lib->scheduler->schedule_job(lib->scheduler, job, retry);
+}
+
+/**
  * Implementation of task_t.build for initiator, after rekeying
  */
 static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
@@ -153,21 +171,26 @@ METHOD(task_t, build_i, status_t,
 	config = this->child_sa->get_config(this->child_sa);
 
 	/* we just need the rekey notify ... */
-	notify = notify_payload_create_from_protocol_and_type(this->protocol,
-														  REKEY_SA);
+	notify = notify_payload_create_from_protocol_and_type(NOTIFY,
+													this->protocol, REKEY_SA);
 	notify->set_spi(notify, this->spi);
 	message->add_payload(message, (payload_t*)notify);
 
 	/* ... our CHILD_CREATE task does the hard work for us. */
 	if (!this->child_create)
 	{
-		this->child_create = child_create_create(this->ike_sa, config, TRUE,
-												 NULL, NULL);
+		this->child_create = child_create_create(this->ike_sa,
+									config->get_ref(config), TRUE, NULL, NULL);
 	}
 	reqid = this->child_sa->get_reqid(this->child_sa);
 	this->child_create->use_reqid(this->child_create, reqid);
-	this->child_create->task.build(&this->child_create->task, message);
 
+	if (this->child_create->task.build(&this->child_create->task,
+									   message) != NEED_MORE)
+	{
+		schedule_delayed_rekey(this);
+		return FAILED;
+	}
 	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
 
 	return NEED_MORE;
@@ -187,6 +210,7 @@ METHOD(task_t, process_r, status_t,
 METHOD(task_t, build_r, status_t,
 	private_child_rekey_t *this, message_t *message)
 {
+	child_cfg_t *config;
 	u_int32_t reqid;
 
 	if (this->child_sa == NULL ||
@@ -200,6 +224,8 @@ METHOD(task_t, build_r, status_t,
 	/* let the CHILD_CREATE task build the response */
 	reqid = this->child_sa->get_reqid(this->child_sa);
 	this->child_create->use_reqid(this->child_create, reqid);
+	config = this->child_sa->get_config(this->child_sa);
+	this->child_create->set_config(this->child_create, config->get_ref(config));
 	this->child_create->task.build(&this->child_create->task, message);
 
 	if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
@@ -224,7 +250,7 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 {
 	child_sa_t *to_delete;
 
-	if (this->collision->get_type(this->collision) == CHILD_REKEY)
+	if (this->collision->get_type(this->collision) == TASK_CHILD_REKEY)
 	{
 		chunk_t this_nonce, other_nonce;
 		private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
@@ -311,19 +337,9 @@ METHOD(task_t, process_i, status_t,
 		/* establishing new child failed, reuse old. but not when we
 		 * received a delete in the meantime */
 		if (!(this->collision &&
-			  this->collision->get_type(this->collision) == CHILD_DELETE))
+			  this->collision->get_type(this->collision) == TASK_CHILD_DELETE))
 		{
-			job_t *job;
-			u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
-
-			job = (job_t*)rekey_child_sa_job_create(
-								this->child_sa->get_reqid(this->child_sa),
-								this->child_sa->get_protocol(this->child_sa),
-								this->child_sa->get_spi(this->child_sa, TRUE));
-			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
-								"trying again in %d seconds", retry);
-			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-			lib->scheduler->schedule_job(lib->scheduler, job, retry);
+			schedule_delayed_rekey(this);
 		}
 		return SUCCESS;
 	}
@@ -352,7 +368,7 @@ METHOD(task_t, process_i, status_t,
 	protocol = to_delete->get_protocol(to_delete);
 
 	/* rekeying done, delete the obsolete CHILD_SA using a subtask */
-	this->child_delete = child_delete_create(this->ike_sa, protocol, spi);
+	this->child_delete = child_delete_create(this->ike_sa, protocol, spi, FALSE);
 	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
 	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
 
@@ -362,7 +378,7 @@ METHOD(task_t, process_i, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_child_rekey_t *this)
 {
-	return CHILD_REKEY;
+	return TASK_CHILD_REKEY;
 }
 
 METHOD(child_rekey_t, collide, void,
@@ -370,7 +386,7 @@ METHOD(child_rekey_t, collide, void,
 {
 	/* the task manager only detects exchange collision, but not if
 	 * the collision is for the same child. we check it here. */
-	if (other->get_type(other) == CHILD_REKEY)
+	if (other->get_type(other) == TASK_CHILD_REKEY)
 	{
 		private_child_rekey_t *rekey = (private_child_rekey_t*)other;
 		if (rekey->child_sa != this->child_sa)
@@ -380,15 +396,22 @@ METHOD(child_rekey_t, collide, void,
 			return;
 		}
 	}
-	else if (other->get_type(other) == CHILD_DELETE)
+	else if (other->get_type(other) == TASK_CHILD_DELETE)
 	{
 		child_delete_t *del = (child_delete_t*)other;
-		if (del->get_child(del) == this->child_create->get_child(this->child_create))
+		if (this->collision &&
+			this->collision->get_type(this->collision) == TASK_CHILD_REKEY)
 		{
-			/* peer deletes redundant child created in collision */
-			this->other_child_destroyed = TRUE;
-			other->destroy(other);
-			return;
+			private_child_rekey_t *rekey;
+
+			rekey = (private_child_rekey_t*)this->collision;
+			if (del->get_child(del) == rekey->child_create->get_child(rekey->child_create))
+			{
+				/* peer deletes redundant child created in collision */
+				this->other_child_destroyed = TRUE;
+				other->destroy(other);
+				return;
+			}
 		}
 		if (del->get_child(del) != this->child_sa)
 		{
@@ -403,8 +426,8 @@ METHOD(child_rekey_t, collide, void,
 		other->destroy(other);
 		return;
 	}
-	DBG1(DBG_IKE, "detected %N collision with %N", task_type_names, CHILD_REKEY,
-		 task_type_names, other->get_type(other));
+	DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
+		 TASK_CHILD_REKEY, task_type_names, other->get_type(other));
 	DESTROY_IF(this->collision);
 	this->collision = other;
 }
@@ -462,7 +485,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 		.protocol = protocol,
 		.spi = spi,
 	);
- 
+
 	if (protocol != PROTO_NONE)
 	{
 		this->public.task.build = _build_i;
diff --git a/src/libcharon/sa/tasks/child_rekey.h b/src/libcharon/sa/ikev2/tasks/child_rekey.h
index 9b1aea5fa..23384653d 100644
--- a/src/libcharon/sa/tasks/child_rekey.h
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup child_rekey child_rekey
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef CHILD_REKEY_H_
@@ -26,10 +26,10 @@ typedef struct child_rekey_t child_rekey_t;
 #include <library.h>
 #include <sa/ike_sa.h>
 #include <sa/child_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
- * Task of type CHILD_REKEY, rekey an established CHILD_SA.
+ * Task of type TASK_CHILD_REKEY, rekey an established CHILD_SA.
  */
 struct child_rekey_t {
 
@@ -51,7 +51,7 @@ struct child_rekey_t {
 };
 
 /**
- * Create a new CHILD_REKEY task.
+ * Create a new TASK_CHILD_REKEY task.
  *
  * @param ike_sa		IKE_SA this task works for
  * @param protocol		protocol of CHILD_SA to rekey, PROTO_NONE as responder
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 665468fe8..8f83c4884 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -12,7 +12,7 @@
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details
+ * for more details.
  */
 
 #include "ike_auth.h"
@@ -24,7 +24,7 @@
 #include <encoding/payloads/auth_payload.h>
 #include <encoding/payloads/eap_payload.h>
 #include <encoding/payloads/nonce_payload.h>
-#include <sa/authenticators/eap_authenticator.h>
+#include <sa/ikev2/authenticators/eap_authenticator.h>
 
 typedef struct private_ike_auth_t private_ike_auth_t;
 
@@ -120,7 +120,7 @@ struct private_ike_auth_t {
 static bool multiple_auth_enabled()
 {
 	return lib->settings->get_bool(lib->settings,
-								   "charon.multiple_authentication", TRUE);
+							"%s.multiple_authentication", TRUE, charon->name);
 }
 
 /**
@@ -223,6 +223,18 @@ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
 }
 
 /**
+ * Move the currently active auth config to the auth configs completed
+ */
+static void apply_auth_cfg(private_ike_auth_t *this, bool local)
+{
+	auth_cfg_t *cfg;
+
+	cfg = auth_cfg_create();
+	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
+	this->ike_sa->add_auth_cfg(this->ike_sa, local, cfg);
+}
+
+/**
  * Check if we have should initiate another authentication round
  */
 static bool do_another_auth(private_ike_auth_t *this)
@@ -270,8 +282,10 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
 	my_id = this->ike_sa->get_my_id(this->ike_sa);
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 
+	DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
+		 me, my_id, other, other_id);
 	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-													me, other, my_id, other_id);
+											me, other, my_id, other_id, IKEV2);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
 	{
 		peer_cfg->get_ref(peer_cfg);
@@ -305,7 +319,7 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 	{
 		if (this->peer_cfg)
 		{
-			bool complies = TRUE;
+			char *comply_error = NULL;
 			enumerator_t *e1, *e2, *tmp;
 			auth_cfg_t *c1, *c2;
 
@@ -322,22 +336,30 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 			while (e1->enumerate(e1, &c1))
 			{
 				/* check if done authentications comply to configured ones */
-				if ((!e2->enumerate(e2, &c2)) ||
-					(!strict && !c1->complies(c1, c2, TRUE)) ||
-					(strict && !c2->complies(c2, c1, TRUE)))
+				if (!e2->enumerate(e2, &c2))
 				{
-					complies = FALSE;
+					comply_error = "insufficient authentication rounds";
+					break;
+				}
+				if (!strict && !c1->complies(c1, c2, TRUE))
+				{
+					comply_error = "non-matching authentication done";
+					break;
+				}
+				if (strict && !c2->complies(c2, c1, TRUE))
+				{
+					comply_error = "constraint checking failed";
 					break;
 				}
 			}
 			e1->destroy(e1);
 			e2->destroy(e2);
-			if (complies)
+			if (!comply_error)
 			{
 				break;
 			}
-			DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
-				 this->peer_cfg->get_name(this->peer_cfg));
+			DBG1(DBG_CFG, "selected peer config '%s' inacceptable: %s",
+				 this->peer_cfg->get_name(this->peer_cfg), comply_error);
 			this->peer_cfg->destroy(this->peer_cfg);
 		}
 		if (this->candidates->remove_first(this->candidates,
@@ -406,7 +428,8 @@ METHOD(task_t, build_i, status_t,
 		if (cfg)
 		{
 			idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
-			if (idr && !idr->contains_wildcards(idr))
+			if (!cfg->get(cfg, AUTH_RULE_IDENTITY_LOOSE) && idr &&
+				!idr->contains_wildcards(idr))
 			{
 				this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
 				id_payload = id_payload_create_from_identification(
@@ -433,7 +456,8 @@ METHOD(task_t, build_i, status_t,
 		message->add_payload(message, (payload_t*)id_payload);
 
 		if (idr && message->get_message_id(message) == 1 &&
-			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
+			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
 		{
 			host_t *host;
 
@@ -453,22 +477,21 @@ METHOD(task_t, build_i, status_t,
 							this->reserved);
 		if (!this->my_auth)
 		{
+			charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
 			return FAILED;
 		}
 	}
 	switch (this->my_auth->build(this->my_auth, message))
 	{
 		case SUCCESS:
-			/* authentication step complete, reset authenticator */
-			cfg = auth_cfg_create();
-			cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
-			this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+			apply_auth_cfg(this, TRUE);
 			this->my_auth->destroy(this->my_auth);
 			this->my_auth = NULL;
 			break;
 		case NEED_MORE:
 			break;
 		default:
+			charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
 			return FAILED;
 	}
 
@@ -634,10 +657,7 @@ METHOD(task_t, process_r, status_t,
 		return NEED_MORE;
 	}
 
-	/* store authentication information */
-	cfg = auth_cfg_create();
-	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+	apply_auth_cfg(this, FALSE);
 
 	if (!update_cfg_candidates(this, FALSE))
 	{
@@ -744,7 +764,7 @@ METHOD(task_t, build_r, status_t,
 								this->reserved);
 			if (!this->my_auth)
 			{
-				goto peer_auth_failed;
+				goto local_auth_failed;
 			}
 		}
 	}
@@ -772,19 +792,14 @@ METHOD(task_t, build_r, status_t,
 		switch (this->my_auth->build(this->my_auth, message))
 		{
 			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				apply_auth_cfg(this, TRUE);
 				this->my_auth->destroy(this->my_auth);
 				this->my_auth = NULL;
 				break;
 			case NEED_MORE:
 				break;
 			default:
-				message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-									chunk_empty);
-				return FAILED;
+				goto local_auth_failed;
 		}
 	}
 
@@ -803,6 +818,7 @@ METHOD(task_t, build_r, status_t,
 													 this->ike_sa, FALSE))
 		{
 			DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+			charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
 			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
 								chunk_empty);
 			return FAILED;
@@ -826,11 +842,41 @@ METHOD(task_t, build_r, status_t,
 	return NEED_MORE;
 
 peer_auth_failed:
-	message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-						chunk_empty);
+	message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 peer_auth_failed_no_notify:
 	charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
 	return FAILED;
+local_auth_failed:
+	message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+	charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
+	return FAILED;
+}
+
+/**
+ * Send an INFORMATIONAL message with an AUTH_FAILED before closing IKE_SA
+ */
+static void send_auth_failed_informational(private_ike_auth_t *this,
+										   message_t *reply)
+{
+	message_t *message;
+	packet_t *packet;
+	host_t *host;
+
+	message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
+	message->set_message_id(message, reply->get_message_id(reply) + 1);
+	host = this->ike_sa->get_my_host(this->ike_sa);
+	message->set_source(message, host->clone(host));
+	host = this->ike_sa->get_other_host(this->ike_sa);
+	message->set_destination(message, host->clone(host));
+	message->set_exchange_type(message, INFORMATIONAL);
+	message->add_notify(message, FALSE, AUTHENTICATION_FAILED, chunk_empty);
+
+	if (this->ike_sa->generate_message(this->ike_sa, message,
+									   &packet) == SUCCESS)
+	{
+		charon->sender->send(charon->sender, packet);
+	}
+	message->destroy(message);
 }
 
 METHOD(task_t, process_i, status_t,
@@ -889,6 +935,7 @@ METHOD(task_t, process_i, status_t,
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						enumerator->destroy(enumerator);
+						charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
 						return FAILED;
 					}
 					DBG2(DBG_IKE, "received %N notify",
@@ -961,10 +1008,10 @@ METHOD(task_t, process_i, status_t,
 			goto peer_auth_failed;
 		}
 
-		/* store authentication information, reset authenticator */
-		cfg = auth_cfg_create();
-		cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-		this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+		if (!mutual_eap)
+		{
+			apply_auth_cfg(this, FALSE);
+		}
 	}
 
 	if (this->my_auth)
@@ -972,10 +1019,11 @@ METHOD(task_t, process_i, status_t,
 		switch (this->my_auth->process(this->my_auth, message))
 		{
 			case SUCCESS:
-				cfg = auth_cfg_create();
-				cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
-						   TRUE);
-				this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+				apply_auth_cfg(this, TRUE);
+				if (this->my_auth->is_mutual(this->my_auth))
+				{
+					apply_auth_cfg(this, FALSE);
+				}
 				this->my_auth->destroy(this->my_auth);
 				this->my_auth = NULL;
 				this->do_another_auth = do_another_auth(this);
@@ -983,6 +1031,8 @@ METHOD(task_t, process_i, status_t,
 			case NEED_MORE:
 				break;
 			default:
+				charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
+				send_auth_failed_informational(this, message);
 				return FAILED;
 		}
 	}
@@ -1027,13 +1077,14 @@ METHOD(task_t, process_i, status_t,
 
 peer_auth_failed:
 	charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+	send_auth_failed_informational(this, message);
 	return FAILED;
 }
 
 METHOD(task_t, get_type, task_type_t,
 	private_ike_auth_t *this)
 {
-	return IKE_AUTHENTICATE;
+	return TASK_IKE_AUTH;
 }
 
 METHOD(task_t, migrate, void,
@@ -1104,4 +1155,3 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 	}
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/tasks/ike_auth.h b/src/libcharon/sa/ikev2/tasks/ike_auth.h
index 132907941..ca864a710 100644
--- a/src/libcharon/sa/tasks/ike_auth.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_auth ike_auth
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_AUTH_H_
@@ -25,7 +25,7 @@ typedef struct ike_auth_t ike_auth_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * Task of type ike_auth, authenticates an IKE_SA using authenticators.
@@ -46,7 +46,7 @@ struct ike_auth_t {
 };
 
 /**
- * Create a new task of type IKE_AUTHENTICATE.
+ * Create a new task of type TASK_IKE_AUTH.
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE if task is the initiator of an exchange
diff --git a/src/libcharon/sa/tasks/ike_auth_lifetime.c b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c
index a57cfd075..a7d162e68 100644
--- a/src/libcharon/sa/tasks/ike_auth_lifetime.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c
@@ -124,7 +124,7 @@ METHOD(task_t, process_i, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_auth_lifetime_t *this)
 {
-	return IKE_AUTH_LIFETIME;
+	return TASK_IKE_AUTH_LIFETIME;
 }
 
 METHOD(task_t, migrate, void,
@@ -170,4 +170,3 @@ ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/tasks/ike_auth_lifetime.h b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h
index 3b129b9e3..4d5087ff5 100644
--- a/src/libcharon/sa/tasks/ike_auth_lifetime.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_auth_lifetime ike_auth_lifetime
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_AUTH_LIFETIME_H_
@@ -25,10 +25,10 @@ typedef struct ike_auth_lifetime_t ike_auth_lifetime_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
- * Task of type IKE_AUTH_LIFETIME, implements RFC4478.
+ * Task of type TASK_IKE_AUTH_LIFETIME, implements RFC4478.
  *
  * This task exchanges lifetimes for IKE_AUTH to force a client to
  * reauthenticate before the responders lifetime reaches the limit.
@@ -42,7 +42,7 @@ struct ike_auth_lifetime_t {
 };
 
 /**
- * Create a new IKE_AUTH_LIFETIME task.
+ * Create a new TASK_IKE_AUTH_LIFETIME task.
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE if taks is initiated by us
@@ -50,4 +50,4 @@ struct ike_auth_lifetime_t {
  */
 ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /** IKE_MOBIKE_H_ @}*/
+#endif /** IKE_AUTH_LIFETIME_H_ @}*/
diff --git a/src/libcharon/sa/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
index 94af50eae..a93e5137e 100644
--- a/src/libcharon/sa/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -62,14 +62,14 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 
 	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
 	{
-		return cert_payload_create_from_cert(cert);
+		return cert_payload_create_from_cert(CERTIFICATE, cert);
 	}
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
 	{
 		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
-		return cert_payload_create_from_cert(cert);
+		return cert_payload_create_from_cert(CERTIFICATE, cert);
 	}
 
 	if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
@@ -78,7 +78,12 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 		hasher->destroy(hasher);
 		return NULL;
 	}
-	hasher->allocate_hash(hasher, encoded, &hash);
+	if (!hasher->allocate_hash(hasher, encoded, &hash))
+	{
+		hasher->destroy(hasher);
+		chunk_free(&encoded);
+		return cert_payload_create_from_cert(CERTIFICATE, cert);
+	}
 	chunk_free(&encoded);
 	hasher->destroy(hasher);
 	id = identification_create_from_encoding(ID_KEY_ID, hash);
@@ -91,7 +96,7 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 	}
 	else
 	{
-		payload = cert_payload_create_from_cert(cert);
+		payload = cert_payload_create_from_cert(CERTIFICATE, cert);
 	}
 	enumerator->destroy(enumerator);
 	chunk_free(&hash);
@@ -154,7 +159,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 			{
 				if (type == AUTH_RULE_IM_CERT)
 				{
-					payload = cert_payload_create_from_cert(cert);
+					payload = cert_payload_create_from_cert(CERTIFICATE, cert);
 					if (payload)
 					{
 						DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
@@ -207,7 +212,7 @@ METHOD(task_t, process_i, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_cert_post_t *this)
 {
-	return IKE_CERT_POST;
+	return TASK_IKE_CERT_POST;
 }
 
 METHOD(task_t, migrate, void,
@@ -254,4 +259,3 @@ ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/tasks/ike_cert_post.h b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h
index b3881a01a..34606b1e8 100644
--- a/src/libcharon/sa/tasks/ike_cert_post.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_cert_post ike_cert_post
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_CERT_POST_H_
@@ -25,7 +25,7 @@ typedef struct ike_cert_post_t ike_cert_post_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * Task of type ike_cert_post, certificate processing after authentication.
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
new file mode 100644
index 000000000..2cbe8f8c5
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -0,0 +1,558 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cert_pre.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <credentials/certificates/x509.h>
+
+
+typedef struct private_ike_cert_pre_t private_ike_cert_pre_t;
+
+/**
+ * Private members of a ike_cert_pre_t task.
+ */
+struct private_ike_cert_pre_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_cert_pre_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Do we accept HTTP certificate lookup requests
+	 */
+	bool do_http_lookup;
+
+	/**
+	 * whether this is the final authentication round
+	 */
+	bool final;
+};
+
+/**
+ * Process a single certificate request payload
+ */
+static void process_certreq(private_ike_cert_pre_t *this,
+							certreq_payload_t *certreq, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	u_int unknown = 0;
+	chunk_t keyid;
+
+	this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
+
+	if (certreq->get_cert_type(certreq) != CERT_X509)
+	{
+		DBG1(DBG_IKE, "cert payload %N not supported - ignored",
+			 certificate_type_names, certreq->get_cert_type(certreq));
+		return;
+	}
+
+	enumerator = certreq->create_keyid_enumerator(certreq);
+	while (enumerator->enumerate(enumerator, &keyid))
+	{
+		identification_t *id;
+		certificate_t *cert;
+
+		id = identification_create_from_encoding(ID_KEY_ID, keyid);
+		cert = lib->credmgr->get_cert(lib->credmgr,
+									  CERT_X509, KEY_ANY, id, TRUE);
+		if (cert)
+		{
+			DBG1(DBG_IKE, "received cert request for \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_RULE_CA_CERT, cert);
+		}
+		else
+		{
+			DBG2(DBG_IKE, "received cert request for unknown ca with keyid %Y",
+				 id);
+			unknown++;
+		}
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+	if (unknown)
+	{
+		DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
+			 unknown);
+	}
+}
+
+/**
+ * Process a single notify payload
+ */
+static void process_notify(private_ike_cert_pre_t *this,
+						   notify_payload_t *notify)
+{
+	switch (notify->get_notify_type(notify))
+	{
+		case HTTP_CERT_LOOKUP_SUPPORTED:
+			this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * read certificate requests
+ */
+static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	auth_cfg_t *auth;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		switch (payload->get_type(payload))
+		{
+			case CERTIFICATE_REQUEST:
+				process_certreq(this, (certreq_payload_t*)payload, auth);
+				break;
+			case NOTIFY:
+				process_notify(this, (notify_payload_t*)payload);
+				break;
+			default:
+				/* ignore other payloads here, these are handled elsewhere */
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * tries to extract a certificate from the cert payload or the credential
+ * manager (based on the hash of a "Hash and URL" encoded cert).
+ * Note: the returned certificate (if any) has to be destroyed
+ */
+static certificate_t *try_get_cert(cert_payload_t *cert_payload)
+{
+	certificate_t *cert = NULL;
+
+	switch (cert_payload->get_cert_encoding(cert_payload))
+	{
+		case ENC_X509_SIGNATURE:
+		{
+			cert = cert_payload->get_cert(cert_payload);
+			break;
+		}
+		case ENC_X509_HASH_AND_URL:
+		{
+			identification_t *id;
+			chunk_t hash = cert_payload->get_hash(cert_payload);
+			if (!hash.ptr)
+			{
+				/* invalid "Hash and URL" data (logged elsewhere) */
+				break;
+			}
+			id = identification_create_from_encoding(ID_KEY_ID, hash);
+			cert = lib->credmgr->get_cert(lib->credmgr,
+										  CERT_X509, KEY_ANY, id, FALSE);
+			id->destroy(id);
+			break;
+		}
+		default:
+		{
+			break;
+		}
+	}
+	return cert;
+}
+
+/**
+ * Process a X509 certificate payload
+ */
+static void process_x509(cert_payload_t *payload, auth_cfg_t *auth,
+						 cert_encoding_t encoding, bool *first)
+{
+	certificate_t *cert;
+	char *url;
+
+	cert = try_get_cert(payload);
+	if (cert)
+	{
+		if (*first)
+		{	/* the first is an end entity certificate */
+			DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+			*first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+				 cert->get_subject(cert));
+			auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+		}
+	}
+	else if (encoding == ENC_X509_HASH_AND_URL)
+	{
+		/* we fetch the certificate not yet, but only if
+		 * it is really needed during authentication */
+		url = payload->get_url(payload);
+		if (!url)
+		{
+			DBG1(DBG_IKE, "received invalid hash-and-url "
+				 "encoded cert, ignore");
+			return;
+		}
+		url = strdup(url);
+		if (first)
+		{	/* first URL is for an end entity certificate */
+			DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"",
+				 url);
+			auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
+			first = FALSE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "received hash-and-url for issuer cert \"%s\"", url);
+			auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
+		}
+	}
+}
+
+/**
+ * Process a CRL certificate payload
+ */
+static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
+{
+	certificate_t *cert;
+
+	cert = payload->get_cert(payload);
+	if (cert)
+	{
+		DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert));
+		auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+	}
+}
+
+/**
+ * Process certificate payloads
+ */
+static void process_certs(private_ike_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+	auth_cfg_t *auth;
+	bool first = TRUE;
+
+	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == CERTIFICATE)
+		{
+			cert_payload_t *cert_payload;
+			cert_encoding_t encoding;
+
+			cert_payload = (cert_payload_t*)payload;
+			encoding = cert_payload->get_cert_encoding(cert_payload);
+
+			switch (encoding)
+			{
+				case ENC_X509_HASH_AND_URL:
+					if (!this->do_http_lookup)
+					{
+						DBG1(DBG_IKE, "received hash-and-url encoded cert, but "
+							 "we don't accept them, ignore");
+						break;
+					}
+					/* FALL */
+				case ENC_X509_SIGNATURE:
+					process_x509(cert_payload, auth, encoding, &first);
+					break;
+				case ENC_CRL:
+					process_crl(cert_payload, auth);
+					break;
+				case ENC_PKCS7_WRAPPED_X509:
+				case ENC_PGP:
+				case ENC_DNS_SIGNED_KEY:
+				case ENC_KERBEROS_TOKEN:
+				case ENC_ARL:
+				case ENC_SPKI:
+				case ENC_X509_ATTRIBUTE:
+				case ENC_RAW_RSA_KEY:
+				case ENC_X509_HASH_AND_URL_BUNDLE:
+				case ENC_OCSP_CONTENT:
+				default:
+					DBG1(DBG_ENC, "certificate encoding %N not supported",
+						 cert_encoding_names, encoding);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * add the keyid of a certificate to the certificate request payload
+ */
+static void add_certreq(certreq_payload_t **req, certificate_t *cert)
+{
+	switch (cert->get_type(cert))
+	{
+		case CERT_X509:
+		{
+			public_key_t *public;
+			chunk_t keyid;
+			x509_t *x509 = (x509_t*)cert;
+
+			if (!(x509->get_flags(x509) & X509_CA))
+			{	/* no CA cert, skip */
+				break;
+			}
+			public = cert->get_public_key(cert);
+			if (!public)
+			{
+				break;
+			}
+			if (*req == NULL)
+			{
+				*req = certreq_payload_create_type(CERT_X509);
+			}
+			if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
+			{
+				(*req)->add_keyid(*req, keyid);
+				DBG1(DBG_IKE, "sending cert request for \"%Y\"",
+					 cert->get_subject(cert));
+			}
+			public->destroy(public);
+			break;
+		}
+		default:
+			break;
+	}
+}
+
+/**
+ * add a auth_cfg's CA certificates to the certificate request
+ */
+static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
+{
+	enumerator_t *enumerator;
+	auth_rule_t type;
+	void *value;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &type, &value))
+	{
+		switch (type)
+		{
+			case AUTH_RULE_CA_CERT:
+				add_certreq(req, (certificate_t*)value);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * build certificate requests
+ */
+static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	certificate_t *cert;
+	auth_cfg_t *auth;
+	certreq_payload_t *req = NULL;
+
+	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+	if (!ike_cfg->send_certreq(ike_cfg))
+	{
+		return;
+	}
+
+	/* check if we require a specific CA for that peer */
+	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+	if (peer_cfg)
+	{
+		enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+		while (enumerator->enumerate(enumerator, &auth))
+		{
+			add_certreqs(&req, auth);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (!req)
+	{
+		/* otherwise add all trusted CA certificates */
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+												CERT_ANY, KEY_ANY, NULL, TRUE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			add_certreq(&req, cert);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	if (req)
+	{
+		message->add_payload(message, (payload_t*)req);
+
+		if (lib->settings->get_bool(lib->settings,
+									"%s.hash_and_url", FALSE, charon->name))
+		{
+			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
+								chunk_empty);
+			this->do_http_lookup = TRUE;
+		}
+	}
+}
+
+/**
+ * Check if this is the final authentication round
+ */
+static bool final_auth(message_t *message)
+{
+	/* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
+	if (message->get_payload(message, AUTHENTICATION) == NULL)
+	{
+		return FALSE;
+	}
+	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(task_t, build_i, status_t,
+	private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* initiator sends CERTREQs in first IKE_AUTH */
+		build_certreqs(this, message);
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) != IKE_SA_INIT)
+	{	/* handle certreqs/certs in any IKE_AUTH, just in case */
+		process_certreqs(this, message);
+		process_certs(this, message);
+	}
+	this->final = final_auth(message);
+	return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		build_certreqs(this, message);
+	}
+	if (this->final)
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_ike_cert_pre_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		process_certreqs(this, message);
+	}
+	process_certs(this, message);
+
+	if (final_auth(message))
+	{
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_cert_pre_t *this)
+{
+	return TASK_IKE_CERT_PRE;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_cert_pre_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_cert_pre_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_cert_pre_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.h b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
index 4b2d0d470..c1f8635ce 100644
--- a/src/libcharon/sa/tasks/ike_cert_pre.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_cert_pre ike_cert_pre
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_CERT_PRE_H_
@@ -25,10 +25,10 @@ typedef struct ike_cert_pre_t ike_cert_pre_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
- * Task of type ike_cert_post, certificate processing before authentication.
+ * Task of type ike_cert_pre, certificate processing before authentication.
  */
 struct ike_cert_pre_t {
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
new file mode 100644
index 000000000..17132feee
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -0,0 +1,514 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_config.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <encoding/payloads/cp_payload.h>
+
+typedef struct private_ike_config_t private_ike_config_t;
+
+/**
+ * Private members of a ike_config_t task.
+ */
+struct private_ike_config_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_config_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+
+	/**
+	 * Received list of virtual IPs, host_t*
+	 */
+	linked_list_t *vips;
+
+	/**
+	 * list of attributes requested and its handler, entry_t
+	 */
+	linked_list_t *requested;
+};
+
+/**
+ * Entry for a requested attribute and the requesting handler
+ */
+typedef struct {
+	/** attribute requested */
+	configuration_attribute_type_t type;
+	/** handler requesting this attribute */
+	attribute_handler_t *handler;
+} entry_t;
+
+/**
+ * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
+ */
+static configuration_attribute_t *build_vip(host_t *vip)
+{
+	configuration_attribute_type_t type;
+	chunk_t chunk, prefix;
+
+	if (vip->get_family(vip) == AF_INET)
+	{
+		type = INTERNAL_IP4_ADDRESS;
+		if (vip->is_anyaddr(vip))
+		{
+			chunk = chunk_empty;
+		}
+		else
+		{
+			chunk = vip->get_address(vip);
+		}
+	}
+	else
+	{
+		type = INTERNAL_IP6_ADDRESS;
+		if (vip->is_anyaddr(vip))
+		{
+			chunk = chunk_empty;
+		}
+		else
+		{
+			prefix = chunk_alloca(1);
+			*prefix.ptr = 64;
+			chunk = vip->get_address(vip);
+			chunk = chunk_cata("cc", chunk, prefix);
+		}
+	}
+	return configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+												type, chunk);
+}
+
+/**
+ * Handle a received attribute as initiator
+ */
+static void handle_attribute(private_ike_config_t *this,
+							 configuration_attribute_t *ca)
+{
+	attribute_handler_t *handler = NULL;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* find the handler which requested this attribute */
+	enumerator = this->requested->create_enumerator(this->requested);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->type == ca->get_type(ca))
+		{
+			handler = entry->handler;
+			this->requested->remove_at(this->requested, enumerator);
+			free(entry);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* and pass it to the handle function */
+	handler = hydra->attributes->handle(hydra->attributes,
+							this->ike_sa->get_other_id(this->ike_sa), handler,
+							ca->get_type(ca), ca->get_chunk(ca));
+	if (handler)
+	{
+		this->ike_sa->add_configuration_attribute(this->ike_sa,
+				handler, ca->get_type(ca), ca->get_chunk(ca));
+	}
+}
+
+/**
+ * process a single configuration attribute
+ */
+static void process_attribute(private_ike_config_t *this,
+							  configuration_attribute_t *ca)
+{
+	host_t *ip;
+	chunk_t addr;
+	int family = AF_INET6;
+
+	switch (ca->get_type(ca))
+	{
+		case INTERNAL_IP4_ADDRESS:
+			family = AF_INET;
+			/* fall */
+		case INTERNAL_IP6_ADDRESS:
+		{
+			addr = ca->get_chunk(ca);
+			if (addr.len == 0)
+			{
+				ip = host_create_any(family);
+			}
+			else
+			{
+				/* skip prefix byte in IPv6 payload*/
+				if (family == AF_INET6)
+				{
+					addr.len--;
+				}
+				ip = host_create_from_chunk(family, addr, 0);
+			}
+			if (ip)
+			{
+				this->vips->insert_last(this->vips, ip);
+			}
+			break;
+		}
+		case INTERNAL_IP4_SERVER:
+		case INTERNAL_IP6_SERVER:
+			/* assume it's a Windows client if we see proprietary attributes */
+			this->ike_sa->enable_extension(this->ike_sa, EXT_MS_WINDOWS);
+			/* fall */
+		default:
+		{
+			if (this->initiator)
+			{
+				handle_attribute(this, ca);
+			}
+		}
+	}
+}
+
+/**
+ * Scan for configuration payloads and attributes
+ */
+static void process_payloads(private_ike_config_t *this, message_t *message)
+{
+	enumerator_t *enumerator, *attributes;
+	payload_t *payload;
+
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == CONFIGURATION)
+		{
+			cp_payload_t *cp = (cp_payload_t*)payload;
+			configuration_attribute_t *ca;
+
+			switch (cp->get_type(cp))
+			{
+				case CFG_REQUEST:
+				case CFG_REPLY:
+				{
+					attributes = cp->create_attribute_enumerator(cp);
+					while (attributes->enumerate(attributes, &ca))
+					{
+						DBG2(DBG_IKE, "processing %N attribute",
+							 configuration_attribute_type_names, ca->get_type(ca));
+						process_attribute(this, ca);
+					}
+					attributes->destroy(attributes);
+					break;
+				}
+				default:
+					DBG1(DBG_IKE, "ignoring %N config payload",
+						 config_type_names, cp->get_type(cp));
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+	private_ike_config_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* in first IKE_AUTH only */
+		cp_payload_t *cp = NULL;
+		enumerator_t *enumerator;
+		attribute_handler_t *handler;
+		peer_cfg_t *config;
+		configuration_attribute_type_t type;
+		chunk_t data;
+		linked_list_t *vips;
+		host_t *host;
+
+		vips = linked_list_create();
+
+		/* reuse virtual IP if we already have one */
+		enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
+																TRUE);
+		while (enumerator->enumerate(enumerator, &host))
+		{
+			vips->insert_last(vips, host);
+		}
+		enumerator->destroy(enumerator);
+
+		if (vips->get_count(vips) == 0)
+		{
+			config = this->ike_sa->get_peer_cfg(this->ike_sa);
+			enumerator = config->create_virtual_ip_enumerator(config);
+			while (enumerator->enumerate(enumerator, &host))
+			{
+				vips->insert_last(vips, host);
+			}
+			enumerator->destroy(enumerator);
+		}
+
+		if (vips->get_count(vips))
+		{
+			cp = cp_payload_create_type(CONFIGURATION, CFG_REQUEST);
+			enumerator = vips->create_enumerator(vips);
+			while (enumerator->enumerate(enumerator, &host))
+			{
+				cp->add_attribute(cp, build_vip(host));
+			}
+			enumerator->destroy(enumerator);
+		}
+
+		enumerator = hydra->attributes->create_initiator_enumerator(
+								hydra->attributes,
+								this->ike_sa->get_other_id(this->ike_sa), vips);
+		while (enumerator->enumerate(enumerator, &handler, &type, &data))
+		{
+			configuration_attribute_t *ca;
+			entry_t *entry;
+
+			/* create configuration attribute */
+			DBG2(DBG_IKE, "building %N attribute",
+				 configuration_attribute_type_names, type);
+			ca = configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+													  type, data);
+			if (!cp)
+			{
+				cp = cp_payload_create_type(CONFIGURATION, CFG_REQUEST);
+			}
+			cp->add_attribute(cp, ca);
+
+			/* save handler along with requested type */
+			entry = malloc_thing(entry_t);
+			entry->type = type;
+			entry->handler = handler;
+
+			this->requested->insert_last(this->requested, entry);
+		}
+		enumerator->destroy(enumerator);
+
+		vips->destroy(vips);
+
+		if (cp)
+		{
+			message->add_payload(message, (payload_t*)cp);
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_ike_config_t *this, message_t *message)
+{
+	if (message->get_message_id(message) == 1)
+	{	/* in first IKE_AUTH only */
+		process_payloads(this, message);
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_ike_config_t *this, message_t *message)
+{
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{	/* in last IKE_AUTH exchange */
+		enumerator_t *enumerator;
+		configuration_attribute_type_t type;
+		chunk_t value;
+		cp_payload_t *cp = NULL;
+		peer_cfg_t *config;
+		identification_t *id;
+		linked_list_t *vips, *pools;
+		host_t *requested;
+
+		id = this->ike_sa->get_other_eap_id(this->ike_sa);
+		config = this->ike_sa->get_peer_cfg(this->ike_sa);
+		vips = linked_list_create();
+		pools = linked_list_create_from_enumerator(
+									config->create_pool_enumerator(config));
+
+		this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
+
+		enumerator = this->vips->create_enumerator(this->vips);
+		while (enumerator->enumerate(enumerator, &requested))
+		{
+			host_t *found = NULL;
+
+			/* query all pools until we get an address */
+			DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
+
+			found = hydra->attributes->acquire_address(hydra->attributes,
+													   pools, id, requested);
+			if (found)
+			{
+				DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
+				this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
+				if (!cp)
+				{
+					cp = cp_payload_create_type(CONFIGURATION, CFG_REPLY);
+				}
+				cp->add_attribute(cp, build_vip(found));
+				vips->insert_last(vips, found);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "no virtual IP found for %H requested by '%Y'",
+					 requested, id);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->vips->get_count(this->vips) && !vips->get_count(vips))
+		{
+			DBG1(DBG_IKE, "no virtual IP found, sending %N",
+				 notify_type_names, INTERNAL_ADDRESS_FAILURE);
+			charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
+			message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
+								chunk_empty);
+			vips->destroy_offset(vips, offsetof(host_t, destroy));
+			pools->destroy(pools);
+			return SUCCESS;
+		}
+		charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
+
+		if (pools->get_count(pools) && !this->vips->get_count(this->vips))
+		{
+			DBG1(DBG_IKE, "expected a virtual IP request, sending %N",
+				 notify_type_names, FAILED_CP_REQUIRED);
+			charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips);
+			message->add_notify(message, FALSE, FAILED_CP_REQUIRED, chunk_empty);
+			vips->destroy_offset(vips, offsetof(host_t, destroy));
+			pools->destroy(pools);
+			return SUCCESS;
+		}
+
+		/* query registered providers for additional attributes to include */
+		enumerator = hydra->attributes->create_responder_enumerator(
+											hydra->attributes, pools, id, vips);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			if (!cp)
+			{
+				cp = cp_payload_create_type(CONFIGURATION, CFG_REPLY);
+			}
+			DBG2(DBG_IKE, "building %N attribute",
+				 configuration_attribute_type_names, type);
+			cp->add_attribute(cp,
+				configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+													 type, value));
+		}
+		enumerator->destroy(enumerator);
+		vips->destroy_offset(vips, offsetof(host_t, destroy));
+		pools->destroy(pools);
+
+		if (cp)
+		{
+			message->add_payload(message, (payload_t*)cp);
+		}
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_ike_config_t *this, message_t *message)
+{
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+	{	/* in last IKE_AUTH exchange */
+		enumerator_t *enumerator;
+		host_t *host;
+
+		process_payloads(this, message);
+
+		this->ike_sa->clear_virtual_ips(this->ike_sa, TRUE);
+
+		enumerator = this->vips->create_enumerator(this->vips);
+		while (enumerator->enumerate(enumerator, &host))
+		{
+			if (!host->is_anyaddr(host))
+			{
+				this->ike_sa->add_virtual_ip(this->ike_sa, TRUE, host);
+			}
+		}
+		enumerator->destroy(enumerator);
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_config_t *this)
+{
+	return TASK_IKE_CONFIG;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_config_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+	this->vips = linked_list_create();
+	this->requested->destroy_function(this->requested, free);
+	this->requested = linked_list_create();
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_config_t *this)
+{
+	this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+	this->requested->destroy_function(this->requested, free);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_config_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.initiator = initiator,
+		.ike_sa = ike_sa,
+		.vips = linked_list_create(),
+		.requested = linked_list_create(),
+	);
+
+	if (initiator)
+	{
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+	else
+	{
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/tasks/ike_config.h b/src/libcharon/sa/ikev2/tasks/ike_config.h
index 8cef08697..e35457645 100644
--- a/src/libcharon/sa/tasks/ike_config.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_config ike_config
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_CONFIG_H_
@@ -25,10 +25,10 @@ typedef struct ike_config_t ike_config_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
- * Task of type IKE_CONFIG, sets up a virtual IP and other
+ * Task of type TASK_IKE_CONFIG, sets up a virtual IP and other
  * configurations for an IKE_SA.
  */
 struct ike_config_t {
diff --git a/src/libcharon/sa/tasks/ike_delete.c b/src/libcharon/sa/ikev2/tasks/ike_delete.c
index d79674fe4..9bc62bf2a 100644
--- a/src/libcharon/sa/tasks/ike_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.c
@@ -65,7 +65,7 @@ METHOD(task_t, build_i, status_t,
 		 this->ike_sa->get_other_host(this->ike_sa),
 		 this->ike_sa->get_other_id(this->ike_sa));
 
-	delete_payload = delete_payload_create(PROTO_IKE);
+	delete_payload = delete_payload_create(DELETE, PROTO_IKE);
 	message->add_payload(message, (payload_t*)delete_payload);
 
 	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
@@ -109,6 +109,14 @@ METHOD(task_t, process_r, status_t,
 		 this->ike_sa->get_other_host(this->ike_sa),
 		 this->ike_sa->get_other_id(this->ike_sa));
 
+	if (message->get_exchange_type(message) == INFORMATIONAL &&
+		message->get_notify(message, AUTHENTICATION_FAILED))
+	{
+		/* a late AUTHENTICATION_FAILED notify from the initiator after
+		 * we have established the IKE_SA: signal auth failure */
+		charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
+	}
+
 	switch (this->ike_sa->get_state(this->ike_sa))
 	{
 		case IKE_ESTABLISHED:
@@ -149,7 +157,7 @@ METHOD(task_t, build_r, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_delete_t *this)
 {
-	return IKE_DELETE;
+	return TASK_IKE_DELETE;
 }
 
 METHOD(task_t, migrate, void,
diff --git a/src/libcharon/sa/tasks/ike_delete.h b/src/libcharon/sa/ikev2/tasks/ike_delete.h
index 82782f393..2d5d7cb3a 100644
--- a/src/libcharon/sa/tasks/ike_delete.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_delete ike_delete
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_DELETE_H_
@@ -25,7 +25,7 @@ typedef struct ike_delete_t ike_delete_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * Task of type ike_delete, delete an IKE_SA.
diff --git a/src/libcharon/sa/tasks/ike_dpd.c b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
index 106eff87c..7a33f7938 100644
--- a/src/libcharon/sa/tasks/ike_dpd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
@@ -37,16 +37,10 @@ METHOD(task_t, return_need_more, status_t,
 	return NEED_MORE;
 }
 
-METHOD(task_t, return_success, status_t,
-	private_ike_dpd_t *this, message_t *message)
-{
-	return SUCCESS;
-}
-
 METHOD(task_t, get_type, task_type_t,
 	private_ike_dpd_t *this)
 {
-	return IKE_DPD;
+	return TASK_IKE_DPD;
 }
 
 
@@ -82,11 +76,11 @@ ike_dpd_t *ike_dpd_create(bool initiator)
 	if (initiator)
 	{
 		this->public.task.build = _return_need_more;
-		this->public.task.process = _return_success;
+		this->public.task.process = (void*)return_success;
 	}
 	else
 	{
-		this->public.task.build = _return_success;
+		this->public.task.build = (void*)return_success;
 		this->public.task.process = _return_need_more;
 	}
 
diff --git a/src/libcharon/sa/tasks/ike_dpd.h b/src/libcharon/sa/ikev2/tasks/ike_dpd.h
index a9f68c31c..026871610 100644
--- a/src/libcharon/sa/tasks/ike_dpd.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_dpd ike_dpd
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_DPD_H_
@@ -25,7 +25,7 @@ typedef struct ike_dpd_t ike_dpd_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * Task of type ike_dpd, detects dead peers.
diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index dd8a4b086..278bdc3f2 100644
--- a/src/libcharon/sa/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -20,6 +20,7 @@
 #include <string.h>
 
 #include <daemon.h>
+#include <sa/ikev2/keymat_v2.h>
 #include <crypto/diffie_hellman.h>
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/ke_payload.h>
@@ -68,7 +69,7 @@ struct private_ike_init_t {
 	/**
 	 * Keymat derivation (from IKE_SA)
 	 */
-	keymat_t *keymat;
+	keymat_v2_t *keymat;
 
 	/**
 	 * nonce chosen by us
@@ -132,7 +133,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 			enumerator->destroy(enumerator);
 		}
 
-		sa_payload = sa_payload_create_from_proposal_list(proposal_list);
+		sa_payload = sa_payload_create_from_proposals_v2(proposal_list);
 		proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
 	}
 	else
@@ -142,13 +143,13 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 			/* include SPI of new IKE_SA when we are rekeying */
 			this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
 		}
-		sa_payload = sa_payload_create_from_proposal(this->proposal);
+		sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
 	}
 	message->add_payload(message, (payload_t*)sa_payload);
 
-	nonce_payload = nonce_payload_create();
+	nonce_payload = nonce_payload_create(NONCE);
 	nonce_payload->set_nonce(nonce_payload, this->my_nonce);
-	ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
+	ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE, this->dh);
 
 	if (this->old_sa)
 	{	/* payload order differs if we are rekeying */
@@ -186,6 +187,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 														   EXT_STRONGSWAN);
 				this->proposal = this->config->select_proposal(this->config,
 														proposal_list, private);
+				if (!this->proposal)
+				{
+					charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE,
+									   proposal_list);
+				}
 				proposal_list->destroy_offset(proposal_list,
 											  offsetof(proposal_t, destroy));
 				break;
@@ -197,8 +203,8 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 				this->dh_group = ke_payload->get_dh_group_number(ke_payload);
 				if (!this->initiator)
 				{
-					this->dh = this->keymat->create_dh(this->keymat,
-													   this->dh_group);
+					this->dh = this->keymat->keymat.create_dh(
+										&this->keymat->keymat, this->dh_group);
 				}
 				if (this->dh)
 				{
@@ -224,8 +230,6 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 METHOD(task_t, build_i, status_t,
 	private_ike_init_t *this, message_t *message)
 {
-	rng_t *rng;
-
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
 	DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
 		 this->ike_sa->get_name(this->ike_sa),
@@ -243,7 +247,8 @@ METHOD(task_t, build_i, status_t,
 	if (!this->dh)
 	{
 		this->dh_group = this->config->get_dh_group(this->config);
-		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+		this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+												  this->dh_group);
 		if (!this->dh)
 		{
 			DBG1(DBG_IKE, "configured DH group %N not supported",
@@ -255,14 +260,21 @@ METHOD(task_t, build_i, status_t,
 	/* generate nonce only when we are trying the first time */
 	if (this->my_nonce.ptr == NULL)
 	{
-		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		if (!rng)
+		nonce_gen_t *nonceg;
+
+		nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+		if (!nonceg)
 		{
-			DBG1(DBG_IKE, "error generating nonce");
+			DBG1(DBG_IKE, "no nonce generator found to create nonce");
 			return FAILED;
 		}
-		rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
-		rng->destroy(rng);
+		if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+		{
+			DBG1(DBG_IKE, "nonce allocation failed");
+			nonceg->destroy(nonceg);
+			return FAILED;
+		}
+		nonceg->destroy(nonceg);
 	}
 
 	if (this->cookie.ptr)
@@ -288,20 +300,25 @@ METHOD(task_t, build_i, status_t,
 METHOD(task_t, process_r,  status_t,
 	private_ike_init_t *this, message_t *message)
 {
-	rng_t *rng;
+	nonce_gen_t *nonceg;
 
 	this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
 	DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
 	this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
 
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+	if (!nonceg)
+	{
+		DBG1(DBG_IKE, "no nonce generator found to create nonce");
+		return FAILED;
+	}
+	if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
 	{
-		DBG1(DBG_IKE, "error generating nonce");
+		DBG1(DBG_IKE, "nonce allocation failed");
+		nonceg->destroy(nonceg);
 		return FAILED;
 	}
-	rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
-	rng->destroy(rng);
+	nonceg->destroy(nonceg);
 
 #ifdef ME
 	{
@@ -327,7 +344,7 @@ METHOD(task_t, process_r,  status_t,
 static bool derive_keys(private_ike_init_t *this,
 						chunk_t nonce_i, chunk_t nonce_r)
 {
-	keymat_t *old_keymat;
+	keymat_v2_t *old_keymat;
 	pseudo_random_function_t prf_alg = PRF_UNDEFINED;
 	chunk_t skd = chunk_empty;
 	ike_sa_id_t *id;
@@ -336,7 +353,7 @@ static bool derive_keys(private_ike_init_t *this,
 	if (this->old_sa)
 	{
 		/* rekeying: Include old SKd, use old PRF, apply SPI */
-		old_keymat = this->old_sa->get_keymat(this->old_sa);
+		old_keymat = (keymat_v2_t*)this->old_sa->get_keymat(this->old_sa);
 		prf_alg = old_keymat->get_skd(old_keymat, &skd);
 		if (this->initiator)
 		{
@@ -352,8 +369,8 @@ static bool derive_keys(private_ike_init_t *this,
 	{
 		return FALSE;
 	}
-	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
-						  nonce_i, nonce_r, this->old_sa);
+	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
+						  nonce_i, nonce_r, this->old_sa, NULL);
 	return TRUE;
 }
 
@@ -403,13 +420,32 @@ METHOD(task_t, build_r, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Raise alerts for received notify errors
+ */
+static void raise_alerts(private_ike_init_t *this, notify_type_t type)
+{
+	linked_list_t *list;
+
+	switch (type)
+	{
+		case NO_PROPOSAL_CHOSEN:
+			list = this->config->get_proposals(this->config);
+			charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, list);
+			list->destroy_offset(list, offsetof(proposal_t, destroy));
+			break;
+		default:
+			break;
+	}
+}
+
 METHOD(task_t, process_i, status_t,
 	private_ike_init_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
 
-	/* check for erronous notifies */
+	/* check for erroneous notifies */
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -465,6 +501,7 @@ METHOD(task_t, process_i, status_t,
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
 						enumerator->destroy(enumerator);
+						raise_alerts(this, type);
 						return FAILED;
 					}
 					DBG2(DBG_IKE, "received %N notify",
@@ -505,7 +542,7 @@ METHOD(task_t, process_i, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_init_t *this)
 {
-	return IKE_INIT;
+	return TASK_IKE_INIT;
 }
 
 METHOD(task_t, migrate, void,
@@ -515,12 +552,13 @@ METHOD(task_t, migrate, void,
 	chunk_free(&this->other_nonce);
 
 	this->ike_sa = ike_sa;
-	this->keymat = ike_sa->get_keymat(ike_sa);
+	this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 	this->proposal = NULL;
 	if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group)
 	{	/* reset DH value only if group changed (INVALID_KE_PAYLOAD) */
 		this->dh->destroy(this->dh);
-		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+		this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+												  this->dh_group);
 	}
 }
 
@@ -568,7 +606,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 		.ike_sa = ike_sa,
 		.initiator = initiator,
 		.dh_group = MODP_NONE,
-		.keymat = ike_sa->get_keymat(ike_sa),
+		.keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
 		.old_sa = old_sa,
 	);
 
diff --git a/src/libcharon/sa/tasks/ike_init.h b/src/libcharon/sa/ikev2/tasks/ike_init.h
index 4b7f60416..ab169954d 100644
--- a/src/libcharon/sa/tasks/ike_init.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_init ike_init
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_INIT_H_
@@ -25,10 +25,10 @@ typedef struct ike_init_t ike_init_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
- * Task of type IKE_INIT, creates an IKE_SA without authentication.
+ * Task of type TASK_IKE_INIT, creates an IKE_SA without authentication.
  *
  * The authentication of is handle in the ike_auth task.
  */
@@ -48,7 +48,7 @@ struct ike_init_t {
 };
 
 /**
- * Create a new IKE_INIT task.
+ * Create a new TASK_IKE_INIT task.
  *
  * @param ike_sa		IKE_SA this task works for (new one when rekeying)
  * @param initiator		TRUE if task is the original initiator
diff --git a/src/libcharon/sa/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c
index 8f90efcc3..135c06d19 100644
--- a/src/libcharon/sa/tasks/ike_me.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c
@@ -136,7 +136,7 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 	port = host->get_port(host);
 
 	enumerator = hydra->kernel_interface->create_address_enumerator(
-										hydra->kernel_interface, FALSE, FALSE);
+									hydra->kernel_interface, ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, (void**)&addr))
 	{
 		host = addr->clone(addr);
@@ -291,9 +291,21 @@ METHOD(task_t, build_i, status_t,
 			{
 				/* only the initiator creates a connect ID. the responder
 				 * returns the connect ID that it received from the initiator */
-				rng->allocate_bytes(rng, ME_CONNECTID_LEN, &this->connect_id);
+				if (!rng->allocate_bytes(rng, ME_CONNECTID_LEN,
+										 &this->connect_id))
+				{
+					DBG1(DBG_IKE, "unable to generate ID for ME_CONNECT");
+					rng->destroy(rng);
+					return FAILED;
+				}
+			}
+			if (!rng->allocate_bytes(rng, ME_CONNECTKEY_LEN,
+									 &this->connect_key))
+			{
+				DBG1(DBG_IKE, "unable to generate connect key for ME_CONNECT");
+				rng->destroy(rng);
+				return FAILED;
 			}
-			rng->allocate_bytes(rng, ME_CONNECTKEY_LEN, &this->connect_key);
 			rng->destroy(rng);
 
 			message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
@@ -750,7 +762,7 @@ METHOD(ike_me_t, relay, void,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_me_t *this)
 {
-	return IKE_ME;
+	return TASK_IKE_ME;
 }
 
 METHOD(task_t, migrate, void,
diff --git a/src/libcharon/sa/tasks/ike_me.h b/src/libcharon/sa/ikev2/tasks/ike_me.h
index 31285a426..44a4ce69c 100644
--- a/src/libcharon/sa/tasks/ike_me.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_me ike_me
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_ME_H_
@@ -25,10 +25,10 @@ typedef struct ike_me_t ike_me_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
- * Task of type IKE_ME, detects and handles IKE-ME extensions.
+ * Task of type TASK_IKE_ME, detects and handles IKE-ME extensions.
  *
  * This tasks handles the ME_MEDIATION Notify exchange to setup a mediation
  * connection, allows to initiate mediated connections using ME_CONNECT
diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index fb1100028..ae3526f42 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -20,7 +20,7 @@
 
 #include <hydra.h>
 #include <daemon.h>
-#include <sa/tasks/ike_natd.h>
+#include <sa/ikev2/tasks/ike_natd.h>
 #include <encoding/payloads/notify_payload.h>
 
 #define COOKIE2_SIZE 16
@@ -54,7 +54,7 @@ struct private_ike_mobike_t {
 	chunk_t cookie2;
 
 	/**
-	 * NAT discovery reusing the IKE_NATD task
+	 * NAT discovery reusing the TASK_IKE_NATD task
 	 */
 	ike_natd_t *natd;
 
@@ -192,7 +192,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	enumerator = hydra->kernel_interface->create_address_enumerator(
-										hydra->kernel_interface, FALSE, FALSE);
+									hydra->kernel_interface, ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, (void**)&host))
 	{
 		if (me->ip_equals(me, host))
@@ -227,18 +227,20 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 /**
  * build a cookie and add it to the message
  */
-static void build_cookie(private_ike_mobike_t *this, message_t *message)
+static bool build_cookie(private_ike_mobike_t *this, message_t *message)
 {
 	rng_t *rng;
 
 	chunk_free(&this->cookie2);
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (rng)
+	if (!rng || !rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2))
 	{
-		rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
-		rng->destroy(rng);
-		message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+		DESTROY_IF(rng);
+		return FALSE;
 	}
+	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+	rng->destroy(rng);
+	return TRUE;
 }
 
 /**
@@ -248,15 +250,26 @@ static void update_children(private_ike_mobike_t *this)
 {
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
+	linked_list_t *vips;
+	host_t *host;
+
+	vips = linked_list_create();
+
+	enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		vips->insert_last(vips, host);
+	}
+	enumerator->destroy(enumerator);
 
 	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
 	while (enumerator->enumerate(enumerator, (void**)&child_sa))
 	{
 		if (child_sa->update(child_sa,
 				this->ike_sa->get_my_host(this->ike_sa),
-				this->ike_sa->get_other_host(this->ike_sa),
-				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
-				this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+				this->ike_sa->get_other_host(this->ike_sa), vips,
+				this->ike_sa->has_condition(this->ike_sa,
+											COND_NAT_ANY)) == NOT_SUPPORTED)
 		{
 			this->ike_sa->rekey_child_sa(this->ike_sa,
 					child_sa->get_protocol(child_sa),
@@ -264,18 +277,24 @@ static void update_children(private_ike_mobike_t *this)
 		}
 	}
 	enumerator->destroy(enumerator);
+
+	vips->destroy(vips);
 }
 
 /**
  * Apply the port of the old host, if its ip equals the new, use port otherwise.
  */
-static void apply_port(host_t *host, host_t *old, u_int16_t port)
+static void apply_port(host_t *host, host_t *old, u_int16_t port, bool local)
 {
 	if (host->ip_equals(host, old))
 	{
 		port = old->get_port(old);
 	}
-	else if (port == IKEV2_UDP_PORT)
+	else if (local && port == charon->socket->get_port(charon->socket, FALSE))
+	{
+		port = charon->socket->get_port(charon->socket, TRUE);
+	}
+	else if (!local && port == IKEV2_UDP_PORT)
 	{
 		port = IKEV2_NATT_PORT;
 	}
@@ -312,9 +331,9 @@ METHOD(ike_mobike_t, transmit, void,
 				continue;
 			}
 			/* reuse port for an active address, 4500 otherwise */
-			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
+			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg), TRUE);
 			other = other->clone(other);
-			apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
+			apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg), FALSE);
 			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
 			copy = packet->clone(packet);
 			copy->set_source(copy, me);
@@ -358,7 +377,10 @@ METHOD(task_t, build_i, status_t,
 		{
 			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
 								chunk_empty);
-			build_cookie(this, message);
+			if (!build_cookie(this, message))
+			{
+				return FAILED;
+			}
 			update_children(this);
 		}
 		if (this->address && !this->check)
@@ -584,7 +606,7 @@ METHOD(ike_mobike_t, is_probing, bool,
 METHOD(task_t, get_type, task_type_t,
 	   private_ike_mobike_t *this)
 {
-	return IKE_MOBIKE;
+	return TASK_IKE_MOBIKE;
 }
 
 METHOD(task_t, migrate, void,
@@ -646,4 +668,3 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
index 16611939e..b145a9a8b 100644
--- a/src/libcharon/sa/tasks/ike_mobike.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_mobike ike_mobike
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_MOBIKE_H_
@@ -25,8 +25,8 @@ typedef struct ike_mobike_t ike_mobike_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
-#include <network/packet.h>
+#include <sa/task.h>
+#include <networking/packet.h>
 
 /**
  * Task of type ike_mobike, detects and handles MOBIKE extension.
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index f06a518fa..4fc968f25 100644
--- a/src/libcharon/sa/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -78,6 +78,19 @@ struct private_ike_natd_t {
 	bool mapping_changed;
 };
 
+/**
+ * Check if UDP encapsulation has to be forced either by config or required
+ * by the kernel interface
+ */
+static bool force_encap(ike_cfg_t *ike_cfg)
+{
+	if (!ike_cfg->force_encap(ike_cfg))
+	{
+		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+					KERNEL_REQUIRE_UDP_ENCAPSULATION;
+	}
+	return TRUE;
+}
 
 /**
  * Build NAT detection hash for a host
@@ -104,7 +117,10 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this,
 
 	/*  natd_hash = SHA1( spi_i | spi_r | address | port ) */
 	natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
-	this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
+	if (!this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash))
+	{
+		natd_hash = chunk_empty;
+	}
 	DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
 	DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
 
@@ -121,12 +137,12 @@ static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
 	chunk_t chunk;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk))
 	{
 		DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
+		DESTROY_IF(rng);
 		return chunk_empty;
 	}
-	rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk);
 	rng->destroy(rng);
 	return chunk;
 }
@@ -144,7 +160,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
 
 	ike_sa_id = this->ike_sa->get_id(this->ike_sa);
 	config = this->ike_sa->get_ike_cfg(this->ike_sa);
-	if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
+	if (force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
 	{
 		hash = generate_natd_hash_faked(this);
 	}
@@ -152,7 +168,11 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
 	{
 		hash = generate_natd_hash(this, ike_sa_id, host);
 	}
-	notify = notify_payload_create();
+	if (!hash.len)
+	{
+		return NULL;
+	}
+	notify = notify_payload_create(NOTIFY);
 	notify->set_notify_type(notify, type);
 	notify->set_notification_data(notify, hash);
 	chunk_free(&hash);
@@ -249,7 +269,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 									!this->src_matched);
 		config = this->ike_sa->get_ike_cfg(this->ike_sa);
 		if (this->dst_matched && this->src_matched &&
-			config->force_encap(config))
+			force_encap(config))
 		{
 			this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
 		}
@@ -298,7 +318,10 @@ METHOD(task_t, build_i, status_t,
 	/* destination is always set */
 	host = message->get_destination(message);
 	notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
-	message->add_payload(message, (payload_t*)notify);
+	if (notify)
+	{
+		message->add_payload(message, (payload_t*)notify);
+	}
 
 	/* source may be any, we have 3 possibilities to get our source address:
 	 * 1. It is defined in the config => use the one of the IKE_SA
@@ -306,10 +329,13 @@ METHOD(task_t, build_i, status_t,
 	 * 3. Include all possbile addresses
 	 */
 	host = message->get_source(message);
-	if (!host->is_anyaddr(host))
-	{	/* 1. */
+	if (!host->is_anyaddr(host) || force_encap(ike_cfg))
+	{	/* 1. or if we force UDP encap, as it doesn't matter if it's %any */
 		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
-		message->add_payload(message, (payload_t*)notify);
+		if (notify)
+		{
+			message->add_payload(message, (payload_t*)notify);
+		}
 	}
 	else
 	{
@@ -319,13 +345,16 @@ METHOD(task_t, build_i, status_t,
 		{	/* 2. */
 			host->set_port(host, ike_cfg->get_my_port(ike_cfg));
 			notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
-			message->add_payload(message, (payload_t*)notify);
+			if (notify)
+			{
+				message->add_payload(message, (payload_t*)notify);
+			}
 			host->destroy(host);
 		}
 		else
 		{	/* 3. */
 			enumerator = hydra->kernel_interface->create_address_enumerator(
-										hydra->kernel_interface, FALSE, FALSE);
+									hydra->kernel_interface, ADDR_TYPE_REGULAR);
 			while (enumerator->enumerate(enumerator, (void**)&host))
 			{
 				/* apply port 500 to host, but work on a copy */
@@ -333,7 +362,10 @@ METHOD(task_t, build_i, status_t,
 				host->set_port(host, ike_cfg->get_my_port(ike_cfg));
 				notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
 				host->destroy(host);
-				message->add_payload(message, (payload_t*)notify);
+				if (notify)
+				{
+					message->add_payload(message, (payload_t*)notify);
+				}
 			}
 			enumerator->destroy(enumerator);
 		}
@@ -365,11 +397,16 @@ METHOD(task_t, build_r, status_t,
 		/* initiator seems to support NAT detection, add response */
 		me = message->get_source(message);
 		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
-		message->add_payload(message, (payload_t*)notify);
-
+		if (notify)
+		{
+			message->add_payload(message, (payload_t*)notify);
+		}
 		other = message->get_destination(message);
 		notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
-		message->add_payload(message, (payload_t*)notify);
+		if (notify)
+		{
+			message->add_payload(message, (payload_t*)notify);
+		}
 	}
 	return SUCCESS;
 }
@@ -385,7 +422,7 @@ METHOD(task_t, process_r, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_natd_t *this)
 {
-	return IKE_NATD;
+	return TASK_IKE_NATD;
 }
 
 METHOD(task_t, migrate, void,
diff --git a/src/libcharon/sa/tasks/ike_natd.h b/src/libcharon/sa/ikev2/tasks/ike_natd.h
index 68114af42..9c571b8e6 100644
--- a/src/libcharon/sa/tasks/ike_natd.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_natd ike_natd
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_NATD_H_
@@ -25,7 +25,7 @@ typedef struct ike_natd_t ike_natd_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * Task of type ike_natd, detects NAT situation in IKE_SA_INIT exchange.
@@ -42,7 +42,7 @@ struct ike_natd_t {
 	 *
 	 * MOBIKE uses NAT payloads in DPD to detect changes in the NAT mappings.
 	 *
-	 * @return 	TRUE if mappings have changed
+	 * @return	TRUE if mappings have changed
 	 */
 	bool (*has_mapping_changed)(ike_natd_t *this);
 };
diff --git a/src/libcharon/sa/tasks/ike_reauth.c b/src/libcharon/sa/ikev2/tasks/ike_reauth.c
index 48002d81c..6f90339ea 100644
--- a/src/libcharon/sa/tasks/ike_reauth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.c
@@ -16,7 +16,7 @@
 #include "ike_reauth.h"
 
 #include <daemon.h>
-#include <sa/tasks/ike_delete.h>
+#include <sa/ikev2/tasks/ike_delete.h>
 
 
 typedef struct private_ike_reauth_t private_ike_reauth_t;
@@ -68,7 +68,7 @@ METHOD(task_t, process_i, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_reauth_t *this)
 {
-	return IKE_REAUTH;
+	return TASK_IKE_REAUTH;
 }
 
 METHOD(task_t, migrate, void,
@@ -108,4 +108,3 @@ ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/tasks/ike_reauth.h b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
index 5e97b719c..781b463a7 100644
--- a/src/libcharon/sa/tasks/ike_reauth.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_reauth ike_reauth
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_REAUTH_H_
@@ -25,7 +25,7 @@ typedef struct ike_reauth_t ike_reauth_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * Task of type ike_reauth, reestablishes an IKE_SA.
diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index 826d6e192..c3c6cf00e 100644
--- a/src/libcharon/sa/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -18,8 +18,8 @@
 
 #include <daemon.h>
 #include <encoding/payloads/notify_payload.h>
-#include <sa/tasks/ike_init.h>
-#include <sa/tasks/ike_delete.h>
+#include <sa/ikev2/tasks/ike_init.h>
+#include <sa/ikev2/tasks/ike_delete.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/rekey_ike_sa_job.h>
 
@@ -52,7 +52,7 @@ struct private_ike_rekey_t {
 	bool initiator;
 
 	/**
-	 * the IKE_INIT task which is reused to simplify rekeying
+	 * the TASK_IKE_INIT task which is reused to simplify rekeying
 	 */
 	ike_init_t *ike_init;
 
@@ -123,15 +123,20 @@ METHOD(task_t, process_i_delete, status_t,
 METHOD(task_t, build_i, status_t,
 	private_ike_rekey_t *this, message_t *message)
 {
+	ike_version_t version;
 	peer_cfg_t *peer_cfg;
 	host_t *other_host;
 
 	/* create new SA only on first try */
 	if (this->new_sa == NULL)
 	{
-		this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
-															TRUE);
-
+		version = this->ike_sa->get_version(this->ike_sa);
+		this->new_sa = charon->ike_sa_manager->checkout_new(
+										charon->ike_sa_manager, version, TRUE);
+		if (!this->new_sa)
+		{	/* shouldn't happen */
+			return FAILED;
+		}
 		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 		other_host = this->ike_sa->get_other_host(this->ike_sa);
 		this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
@@ -176,7 +181,11 @@ METHOD(task_t, process_r, status_t,
 	enumerator->destroy(enumerator);
 
 	this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
-														FALSE);
+							this->ike_sa->get_version(this->ike_sa), FALSE);
+	if (!this->new_sa)
+	{	/* shouldn't happen */
+		return FAILED;
+	}
 
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
@@ -230,8 +239,8 @@ METHOD(task_t, process_i, status_t,
 		case FAILED:
 			/* rekeying failed, fallback to old SA */
 			if (!(this->collision && (
-				this->collision->get_type(this->collision) == IKE_DELETE ||
-				this->collision->get_type(this->collision) == IKE_REAUTH)))
+				this->collision->get_type(this->collision) == TASK_IKE_DELETE ||
+				this->collision->get_type(this->collision) == TASK_IKE_REAUTH)))
 			{
 				job_t *job;
 				u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
@@ -253,7 +262,7 @@ METHOD(task_t, process_i, status_t,
 
 	/* check for collisions */
 	if (this->collision &&
-		this->collision->get_type(this->collision) == IKE_REKEY)
+		this->collision->get_type(this->collision) == TASK_IKE_REKEY)
 	{
 		private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
 
@@ -323,14 +332,14 @@ METHOD(task_t, process_i, status_t,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_rekey_t *this)
 {
-	return IKE_REKEY;
+	return TASK_IKE_REKEY;
 }
 
 METHOD(ike_rekey_t, collide, void,
 	private_ike_rekey_t* this, task_t *other)
 {
-	DBG1(DBG_IKE, "detected %N collision with %N", task_type_names, IKE_REKEY,
-		 task_type_names, other->get_type(other));
+	DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
+		 TASK_IKE_REKEY, task_type_names, other->get_type(other));
 	DESTROY_IF(this->collision);
 	this->collision = other;
 }
diff --git a/src/libcharon/sa/tasks/ike_rekey.h b/src/libcharon/sa/ikev2/tasks/ike_rekey.h
index 1c9550768..6a12e9034 100644
--- a/src/libcharon/sa/tasks/ike_rekey.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_rekey ike_rekey
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_REKEY_H_
@@ -25,10 +25,10 @@ typedef struct ike_rekey_t ike_rekey_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
- * Task of type IKE_REKEY, rekey an established IKE_SA.
+ * Task of type TASK_IKE_REKEY, rekey an established IKE_SA.
  */
 struct ike_rekey_t {
 
@@ -50,11 +50,11 @@ struct ike_rekey_t {
 };
 
 /**
- * Create a new IKE_REKEY task.
+ * Create a new TASK_IKE_REKEY task.
  *
  * @param ike_sa		IKE_SA this task works for
  * @param initiator		TRUE for initiator, FALSE for responder
- * @return				IKE_REKEY task to handle by the task_manager
+ * @return				TASK_IKE_REKEY task to handle by the task_manager
  */
 ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
 
diff --git a/src/libcharon/sa/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index 1c14ee06b..2730f5876 100644
--- a/src/libcharon/sa/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -53,11 +53,12 @@ METHOD(task_t, build, status_t,
 	private_ike_vendor_t *this, message_t *message)
 {
 	if (lib->settings->get_bool(lib->settings,
-								"charon.send_vendor_id", FALSE))
+								"%s.send_vendor_id", FALSE, charon->name))
 	{
 		vendor_id_payload_t *vid;
 
-		vid = vendor_id_payload_create_data(chunk_clone(strongswan_vid));
+		vid = vendor_id_payload_create_data(VENDOR_ID,
+											chunk_clone(strongswan_vid));
 		message->add_payload(message, &vid->payload_interface);
 	}
 
@@ -83,12 +84,12 @@ METHOD(task_t, process, status_t,
 
 			if (chunk_equals(data, strongswan_vid))
 			{
-				DBG1(DBG_IKE, "received strongSwan vendor id");
+				DBG1(DBG_IKE, "received strongSwan vendor ID");
 				this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
 			}
 			else
 			{
-				DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
+				DBG1(DBG_ENC, "received unknown vendor ID: %#B", &data);
 			}
 		}
 	}
@@ -106,7 +107,7 @@ METHOD(task_t, migrate, void,
 METHOD(task_t, get_type, task_type_t,
 	private_ike_vendor_t *this)
 {
-	return IKE_VENDOR;
+	return TASK_IKE_VENDOR;
 }
 
 METHOD(task_t, destroy, void,
@@ -138,4 +139,3 @@ ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/tasks/ike_vendor.h b/src/libcharon/sa/ikev2/tasks/ike_vendor.h
index 6c353c447..86c711636 100644
--- a/src/libcharon/sa/tasks/ike_vendor.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ike_vendor ike_vendor
- * @{ @ingroup tasks
+ * @{ @ingroup tasks_v2
  */
 
 #ifndef IKE_VENDOR_H_
@@ -25,7 +25,7 @@ typedef struct ike_vendor_t ike_vendor_t;
 
 #include <library.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * Vendor ID processing task.
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index d762fa34e..26c305f77 100644
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2011 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,621 +15,112 @@
 
 #include "keymat.h"
 
-#include <daemon.h>
-#include <crypto/prf_plus.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <sa/ikev2/keymat_v2.h>
 
-typedef struct private_keymat_t private_keymat_t;
+static keymat_constructor_t keymat_v1_ctor = NULL, keymat_v2_ctor = NULL;
 
 /**
- * Private data of an keymat_t object.
+ * See header
  */
-struct private_keymat_t {
-
-	/**
-	 * Public keymat_t interface.
-	 */
-	keymat_t public;
-
-	/**
-	 * IKE_SA Role, initiator or responder
-	 */
-	bool initiator;
-
-	/**
-	 * inbound AEAD
-	 */
-	aead_t *aead_in;
-
-	/**
-	 * outbound AEAD
-	 */
-	aead_t *aead_out;
-
-	/**
-	 * General purpose PRF
-	 */
-	prf_t *prf;
-
-	/**
-	 * Negotiated PRF algorithm
-	 */
-	pseudo_random_function_t prf_alg;
-
-	/**
-	 * Key to derive key material from for CHILD_SAs, rekeying
-	 */
-	chunk_t skd;
-
-	/**
-	 * Key to build outging authentication data (SKp)
-	 */
-	chunk_t skp_build;
-
-	/**
-	 * Key to verify incoming authentication data (SKp)
-	 */
-	chunk_t skp_verify;
-};
+keymat_t *keymat_create(ike_version_t version, bool initiator)
+{
+	keymat_t *keymat = NULL;
 
-typedef struct keylen_entry_t keylen_entry_t;
+	switch (version)
+	{
+		case IKEV1:
+#ifdef USE_IKEV1
+			keymat = keymat_v1_ctor ? keymat_v1_ctor(initiator)
+									: &keymat_v1_create(initiator)->keymat;
+#endif
+			break;
+		case IKEV2:
+#ifdef USE_IKEV2
+			keymat = keymat_v2_ctor ? keymat_v2_ctor(initiator)
+									: &keymat_v2_create(initiator)->keymat;
+#endif
+			break;
+		default:
+			break;
+	}
+	return keymat;
+}
 
 /**
  * Implicit key length for an algorithm
  */
-struct keylen_entry_t {
+typedef struct {
 	/** IKEv2 algorithm identifier */
-	int algo;
+	int alg;
 	/** key length in bits */
 	int len;
-};
-
-#define END_OF_LIST -1
-
-/**
- * Keylen for encryption algos
- */
-keylen_entry_t keylen_enc[] = {
-	{ENCR_DES,					 64},
-	{ENCR_3DES,					192},
-	{END_OF_LIST,				  0}
-};
+} keylen_entry_t;
 
 /**
- * Keylen for integrity algos
+ * See header.
  */
-keylen_entry_t keylen_int[] = {
-	{AUTH_HMAC_MD5_96,			128},
-	{AUTH_HMAC_MD5_128,			128},
-	{AUTH_HMAC_SHA1_96,			160},
-	{AUTH_HMAC_SHA1_160,		160},
-	{AUTH_HMAC_SHA2_256_96,		256},
-	{AUTH_HMAC_SHA2_256_128,	256},
-	{AUTH_HMAC_SHA2_384_192,	384},
-	{AUTH_HMAC_SHA2_512_256,	512},
-	{AUTH_AES_XCBC_96,			128},
-	{END_OF_LIST,				  0}
-};
-
-/**
- * Lookup key length of an algorithm
- */
-static int lookup_keylen(keylen_entry_t *list, int algo)
+int keymat_get_keylen_encr(encryption_algorithm_t alg)
 {
-	while (list->algo != END_OF_LIST)
+	keylen_entry_t map[] = {
+		{ENCR_DES,					 64},
+		{ENCR_3DES,					192},
+	};
+	int i;
+
+	for (i = 0; i < countof(map); i++)
 	{
-		if (algo == list->algo)
+		if (map[i].alg == alg)
 		{
-			return list->len;
+			return map[i].len;
 		}
-		list++;
 	}
 	return 0;
 }
 
-METHOD(keymat_t, create_dh, diffie_hellman_t*,
-	private_keymat_t *this, diffie_hellman_group_t group)
-{
-	return lib->crypto->create_dh(lib->crypto, group);;
-}
-
 /**
- * Derive IKE keys for a combined AEAD algorithm
+ * See header.
  */
-static bool derive_ike_aead(private_keymat_t *this, u_int16_t alg,
-							u_int16_t key_size, prf_plus_t *prf_plus)
+int keymat_get_keylen_integ(integrity_algorithm_t alg)
 {
-	aead_t *aead_i, *aead_r;
-	chunk_t key;
-
-	/* SK_ei/SK_er used for encryption */
-	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
-	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
-	if (aead_i == NULL || aead_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
-			 transform_type_names, ENCRYPTION_ALGORITHM,
-			 encryption_algorithm_names, alg, key_size);
-		return FALSE;
-	}
-	key_size = aead_i->get_key_size(aead_i);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	aead_i->set_key(aead_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	aead_r->set_key(aead_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
-	{
-		this->aead_in = aead_r;
-		this->aead_out = aead_i;
-	}
-	else
-	{
-		this->aead_in = aead_i;
-		this->aead_out = aead_r;
+	keylen_entry_t map[] = {
+		{AUTH_HMAC_MD5_96,			128},
+		{AUTH_HMAC_MD5_128,			128},
+		{AUTH_HMAC_SHA1_96,			160},
+		{AUTH_HMAC_SHA1_160,		160},
+		{AUTH_HMAC_SHA2_256_96,		256},
+		{AUTH_HMAC_SHA2_256_128,	256},
+		{AUTH_HMAC_SHA2_384_192,	384},
+		{AUTH_HMAC_SHA2_512_256,	512},
+		{AUTH_AES_XCBC_96,			128},
+	};
+	int i;
+
+	for (i = 0; i < countof(map); i++)
+	{
+		if (map[i].alg == alg)
+		{
+			return map[i].len;
+		}
 	}
-	return TRUE;
+	return 0;
 }
 
 /**
- * Derive IKE keys for traditional encryption and MAC algorithms
+ * See header.
  */
-static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg,
-					u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
+void keymat_register_constructor(ike_version_t version,
+								 keymat_constructor_t create)
 {
-	crypter_t *crypter_i, *crypter_r;
-	signer_t *signer_i, *signer_r;
-	size_t key_size;
-	chunk_t key;
-
-	/* SK_ai/SK_ar used for integrity protection */
-	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
-	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
-	if (signer_i == NULL || signer_r == NULL)
+	switch (version)
 	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, INTEGRITY_ALGORITHM,
-			 integrity_algorithm_names, int_alg);
-		return FALSE;
-	}
-	key_size = signer_i->get_key_size(signer_i);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
-	signer_i->set_key(signer_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
-	signer_r->set_key(signer_r, key);
-	chunk_clear(&key);
-
-	/* SK_ei/SK_er used for encryption */
-	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
-	crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
-	if (crypter_i == NULL || crypter_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
-			 transform_type_names, ENCRYPTION_ALGORITHM,
-			 encryption_algorithm_names, enc_alg, enc_size);
-		signer_i->destroy(signer_i);
-		signer_r->destroy(signer_r);
-		return FALSE;
-	}
-	key_size = crypter_i->get_key_size(crypter_i);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	crypter_i->set_key(crypter_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	crypter_r->set_key(crypter_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
-	{
-		this->aead_in = aead_create(crypter_r, signer_r);
-		this->aead_out = aead_create(crypter_i, signer_i);
-	}
-	else
-	{
-		this->aead_in = aead_create(crypter_i, signer_i);
-		this->aead_out = aead_create(crypter_r, signer_r);
-	}
-	return TRUE;
-}
-
-METHOD(keymat_t, derive_ike_keys, bool,
-	private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
-	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
-	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
-{
-	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
-	chunk_t spi_i, spi_r;
-	prf_plus_t *prf_plus;
-	u_int16_t alg, key_size, int_alg;
-	prf_t *rekey_prf = NULL;
-
-	spi_i = chunk_alloca(sizeof(u_int64_t));
-	spi_r = chunk_alloca(sizeof(u_int64_t));
-
-	if (dh->get_shared_secret(dh, &secret) != SUCCESS)
-	{
-		return FALSE;
-	}
-
-	/* Create SAs general purpose PRF first, we may use it here */
-	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
-		return FALSE;
-	}
-	this->prf_alg = alg;
-	this->prf = lib->crypto->create_prf(lib->crypto, alg);
-	if (this->prf == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
-			 pseudo_random_function_names, alg);
-		return FALSE;
-	}
-	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
-	/* full nonce is used as seed for PRF+ ... */
-	full_nonce = chunk_cat("cc", nonce_i, nonce_r);
-	/* but the PRF may need a fixed key which only uses the first bytes of
-	 * the nonces. */
-	switch (alg)
-	{
-		case PRF_AES128_XCBC:
-			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
-			 * not and therefore fixed key semantics apply to XCBC for key
-			 * derivation. */
-		case PRF_CAMELLIA128_XCBC:
-			/* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
-			 * assume fixed key length. */
-			key_size = this->prf->get_key_size(this->prf)/2;
-			nonce_i.len = min(nonce_i.len, key_size);
-			nonce_r.len = min(nonce_r.len, key_size);
+		case IKEV1:
+			keymat_v1_ctor = create;
+			break;
+		case IKEV2:
+			keymat_v2_ctor = create;
 			break;
 		default:
-			/* all other algorithms use variable key length, full nonce */
 			break;
 	}
-	fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
-	*((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
-	*((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
-	prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
-
-	/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
-	 *
-	 * if we are rekeying, SKEYSEED is built on another way
-	 */
-	if (rekey_function == PRF_UNDEFINED) /* not rekeying */
-	{
-		/* SKEYSEED = prf(Ni | Nr, g^ir) */
-		this->prf->set_key(this->prf, fixed_nonce);
-		this->prf->allocate_bytes(this->prf, secret, &skeyseed);
-		this->prf->set_key(this->prf, skeyseed);
-		prf_plus = prf_plus_create(this->prf, prf_plus_seed);
-	}
-	else
-	{
-		/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
-		 * use OLD SAs PRF functions for both prf_plus and prf */
-		rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
-		if (!rekey_prf)
-		{
-			DBG1(DBG_IKE, "PRF of old SA %N not supported!",
-				 pseudo_random_function_names, rekey_function);
-			chunk_free(&full_nonce);
-			chunk_free(&fixed_nonce);
-			chunk_clear(&prf_plus_seed);
-			return FALSE;
-		}
-		secret = chunk_cat("mc", secret, full_nonce);
-		rekey_prf->set_key(rekey_prf, rekey_skd);
-		rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
-		rekey_prf->set_key(rekey_prf, skeyseed);
-		prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
-	}
-	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
-
-	chunk_clear(&skeyseed);
-	chunk_clear(&secret);
-	chunk_free(&full_nonce);
-	chunk_free(&fixed_nonce);
-	chunk_clear(&prf_plus_seed);
-
-	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
-
-	/* SK_d is used for generating CHILD_SA key mat => store for later use */
-	key_size = this->prf->get_key_size(this->prf);
-	prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
-	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
-
-	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, ENCRYPTION_ALGORITHM);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-
-	if (encryption_algorithm_is_aead(alg))
-	{
-		if (!derive_ike_aead(this, alg, key_size, prf_plus))
-		{
-			prf_plus->destroy(prf_plus);
-			DESTROY_IF(rekey_prf);
-			return FALSE;
-		}
-	}
-	else
-	{
-		if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-									 &int_alg, NULL))
-		{
-			DBG1(DBG_IKE, "no %N selected",
-				 transform_type_names, INTEGRITY_ALGORITHM);
-			prf_plus->destroy(prf_plus);
-			DESTROY_IF(rekey_prf);
-			return FALSE;
-		}
-		if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
-		{
-			prf_plus->destroy(prf_plus);
-			DESTROY_IF(rekey_prf);
-			return FALSE;
-		}
-	}
-
-	/* SK_pi/SK_pr used for authentication => stored for later */
-	key_size = this->prf->get_key_size(this->prf);
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_pi secret %B", &key);
-	if (this->initiator)
-	{
-		this->skp_build = key;
-	}
-	else
-	{
-		this->skp_verify = key;
-	}
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_pr secret %B", &key);
-	if (this->initiator)
-	{
-		this->skp_verify = key;
-	}
-	else
-	{
-		this->skp_build = key;
-	}
-
-	/* all done, prf_plus not needed anymore */
-	prf_plus->destroy(prf_plus);
-	DESTROY_IF(rekey_prf);
-
-	return TRUE;
-}
-
-METHOD(keymat_t, derive_child_keys, bool,
-	private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
-	chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
-	chunk_t *encr_r, chunk_t *integ_r)
-{
-	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
-	chunk_t seed, secret = chunk_empty;
-	prf_plus_t *prf_plus;
-
-	if (dh)
-	{
-		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
-		{
-			return FALSE;
-		}
-		DBG4(DBG_CHD, "DH secret %B", &secret);
-	}
-	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
-	DBG4(DBG_CHD, "seed %B", &seed);
-
-	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
-								&enc_alg, &enc_size))
-	{
-		DBG2(DBG_CHD, "  using %N for encryption",
-			 encryption_algorithm_names, enc_alg);
-
-		if (!enc_size)
-		{
-			enc_size = lookup_keylen(keylen_enc, enc_alg);
-		}
-		if (enc_alg != ENCR_NULL && !enc_size)
-		{
-			DBG1(DBG_CHD, "no keylength defined for %N",
-				 encryption_algorithm_names, enc_alg);
-			return FALSE;
-		}
-		/* to bytes */
-		enc_size /= 8;
-
-		/* CCM/GCM/CTR/GMAC needs additional bytes */
-		switch (enc_alg)
-		{
-			case ENCR_AES_CCM_ICV8:
-			case ENCR_AES_CCM_ICV12:
-			case ENCR_AES_CCM_ICV16:
-			case ENCR_CAMELLIA_CCM_ICV8:
-			case ENCR_CAMELLIA_CCM_ICV12:
-			case ENCR_CAMELLIA_CCM_ICV16:
-				enc_size += 3;
-				break;
-			case ENCR_AES_GCM_ICV8:
-			case ENCR_AES_GCM_ICV12:
-			case ENCR_AES_GCM_ICV16:
-			case ENCR_AES_CTR:
-			case ENCR_NULL_AUTH_AES_GMAC:
-				enc_size += 4;
-				break;
-			default:
-				break;
-		}
-	}
-
-	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-								&int_alg, &int_size))
-	{
-		DBG2(DBG_CHD, "  using %N for integrity",
-			 integrity_algorithm_names, int_alg);
-
-		if (!int_size)
-		{
-			int_size = lookup_keylen(keylen_int, int_alg);
-		}
-		if (!int_size)
-		{
-			DBG1(DBG_CHD, "no keylength defined for %N",
-				 integrity_algorithm_names, int_alg);
-			return FALSE;
-		}
-		/* to bytes */
-		int_size /= 8;
-	}
-
-	this->prf->set_key(this->prf, this->skd);
-	prf_plus = prf_plus_create(this->prf, seed);
-
-	prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
-	prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
-	prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
-	prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
-
-	prf_plus->destroy(prf_plus);
-
-	if (enc_size)
-	{
-		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
-		DBG4(DBG_CHD, "encryption responder key %B", encr_r);
-	}
-	if (int_size)
-	{
-		DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
-		DBG4(DBG_CHD, "integrity responder key %B", integ_r);
-	}
-	return TRUE;
-}
-
-METHOD(keymat_t, get_skd, pseudo_random_function_t,
-	private_keymat_t *this, chunk_t *skd)
-{
-	*skd = this->skd;
-	return this->prf_alg;
-}
-
-METHOD(keymat_t, get_aead, aead_t*,
-	private_keymat_t *this, bool in)
-{
-	return in ? this->aead_in : this->aead_out;
-}
-
-METHOD(keymat_t, get_auth_octets, chunk_t,
-	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, identification_t *id, char reserved[3])
-{
-	chunk_t chunk, idx, octets;
-	chunk_t skp;
-
-	skp = verify ? this->skp_verify : this->skp_build;
-
-	chunk = chunk_alloca(4);
-	chunk.ptr[0] = id->get_type(id);
-	memcpy(chunk.ptr + 1, reserved, 3);
-	idx = chunk_cata("cc", chunk, id->get_encoding(id));
-
-	DBG3(DBG_IKE, "IDx' %B", &idx);
-	DBG3(DBG_IKE, "SK_p %B", &skp);
-	this->prf->set_key(this->prf, skp);
-	this->prf->allocate_bytes(this->prf, idx, &chunk);
-
-	octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
-	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
-	return octets;
 }
-
-/**
- * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- */
-#define IKEV2_KEY_PAD "Key Pad for IKEv2"
-#define IKEV2_KEY_PAD_LENGTH 17
-
-METHOD(keymat_t, get_psk_sig, chunk_t,
-	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
-{
-	chunk_t key_pad, key, sig, octets;
-
-	if (!secret.len)
-	{	/* EAP uses SK_p if no MSK has been established */
-		secret = verify ? this->skp_verify : this->skp_build;
-	}
-	octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved);
-	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
-	key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
-	this->prf->set_key(this->prf, secret);
-	this->prf->allocate_bytes(this->prf, key_pad, &key);
-	this->prf->set_key(this->prf, key);
-	this->prf->allocate_bytes(this->prf, octets, &sig);
-	DBG4(DBG_IKE, "secret %B", &secret);
-	DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
-	DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
-	chunk_free(&octets);
-	chunk_free(&key);
-
-	return sig;
-}
-
-METHOD(keymat_t, destroy, void,
-	private_keymat_t *this)
-{
-	DESTROY_IF(this->aead_in);
-	DESTROY_IF(this->aead_out);
-	DESTROY_IF(this->prf);
-	chunk_clear(&this->skd);
-	chunk_clear(&this->skp_verify);
-	chunk_clear(&this->skp_build);
-	free(this);
-}
-
-/**
- * See header
- */
-keymat_t *keymat_create(bool initiator)
-{
-	private_keymat_t *this;
-
-	INIT(this,
-		.public = {
-			.create_dh = _create_dh,
-			.derive_ike_keys = _derive_ike_keys,
-			.derive_child_keys = _derive_child_keys,
-			.get_skd = _get_skd,
-			.get_aead = _get_aead,
-			.get_auth_octets = _get_auth_octets,
-			.get_psk_sig = _get_psk_sig,
-			.destroy = _destroy,
-		},
-		.initiator = initiator,
-		.prf_alg = PRF_UNDEFINED,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index 6c2b5d4b5..bc40b3d92 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -21,14 +21,23 @@
 #ifndef KEYMAT_H_
 #define KEYMAT_H_
 
+typedef struct keymat_t keymat_t;
+
 #include <library.h>
 #include <utils/identification.h>
 #include <crypto/prfs/prf.h>
 #include <crypto/aead.h>
 #include <config/proposal.h>
+#include <config/peer_cfg.h>
 #include <sa/ike_sa_id.h>
 
-typedef struct keymat_t keymat_t;
+/**
+ * Constructor function for custom keymat implementations
+ *
+ * @param initiator		TRUE if the keymat is used as initiator
+ * @return				keymat_t implementation
+ */
+typedef keymat_t* (*keymat_constructor_t)(bool initiator);
 
 /**
  * Derivation an management of sensitive keying material.
@@ -36,6 +45,13 @@ typedef struct keymat_t keymat_t;
 struct keymat_t {
 
 	/**
+	 * Get IKE version of this keymat.
+	 *
+	 * @return			IKEV1 for keymat_v1_t, IKEV2 for keymat_v2_t
+	 */
+	ike_version_t (*get_version)(keymat_t *this);
+
+	/**
 	 * Create a diffie hellman object for key agreement.
 	 *
 	 * The diffie hellman is either for IKE negotiation/rekeying or
@@ -50,60 +66,20 @@ struct keymat_t {
 	 * @param group			diffie hellman group
 	 * @return				DH object, NULL if group not supported
 	 */
-	diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group);
+	diffie_hellman_t* (*create_dh)(keymat_t *this,
+								   diffie_hellman_group_t group);
 
 	/**
-	 * Derive keys for the IKE_SA.
+	 * Create a nonce generator object.
 	 *
-	 * These keys are not handed out, but are used by the associated signers,
-	 * crypters and authentication functions.
+	 * The nonce generator can be used to create nonces needed during IKE/CHILD
+	 * SA establishment or rekeying.
 	 *
-	 * @param proposal	selected algorithms
-	 * @param dh		diffie hellman key allocated by create_dh()
-	 * @param nonce_i	initiators nonce value
-	 * @param nonce_r	responders nonce value
-	 * @param id		IKE_SA identifier
-	 * @param rekey_prf	PRF of old SA if rekeying, PRF_UNDEFINED otherwise
-	 * @param rekey_sdk	SKd of old SA if rekeying
-	 * @return			TRUE on success
+	 * @return				nonce generator object
 	 */
-	bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal,
-							diffie_hellman_t *dh, chunk_t nonce_i,
-							chunk_t nonce_r, ike_sa_id_t *id,
-							pseudo_random_function_t rekey_function,
-							chunk_t rekey_skd);
-	/**
-	 * Derive keys for a CHILD_SA.
-	 *
-	 * The keys for the CHILD_SA are allocated in the integ and encr chunks.
-	 * An implementation might hand out encrypted keys only, which are
-	 * decrypted in the kernel before use.
-	 * If no PFS is used for the CHILD_SA, dh can be NULL.
-	 *
-	 * @param proposal	selected algorithms
-	 * @param dh		diffie hellman key allocated by create_dh(), or NULL
-	 * @param nonce_i	initiators nonce value
-	 * @param nonce_r	responders nonce value
-	 * @param encr_i	chunk to write initiators encryption key to
-	 * @param integ_i	chunk to write initiators integrity key to
-	 * @param encr_r	chunk to write responders encryption key to
-	 * @param integ_r	chunk to write responders integrity key to
-	 * @return			TRUE on success
-	 */
-	bool (*derive_child_keys)(keymat_t *this,
-							  proposal_t *proposal, diffie_hellman_t *dh,
-							  chunk_t nonce_i, chunk_t nonce_r,
-							  chunk_t *encr_i, chunk_t *integ_i,
-							  chunk_t *encr_r, chunk_t *integ_r);
-	/**
-	 * Get SKd to pass to derive_ikey_keys() during rekeying.
-	 *
-	 * @param skd		chunk to write SKd to (internal data)
-	 * @return			PRF function to derive keymat
-	 */
-	pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
+	nonce_gen_t* (*create_nonce_gen)(keymat_t *this);
 
-	/*
+	/**
 	 * Get a AEAD transform to en-/decrypt and sign/verify IKE messages.
 	 *
 	 * @param in		TRUE for inbound (decrypt), FALSE for outbound (encrypt)
@@ -112,52 +88,43 @@ struct keymat_t {
 	aead_t* (*get_aead)(keymat_t *this, bool in);
 
 	/**
-	 * Generate octets to use for authentication procedure (RFC4306 2.15).
-	 *
-	 * This method creates the plain octets and is usually signed by a private
-	 * key. PSK and EAP authentication include a secret into the data, use
-	 * the get_psk_sig() method instead.
-	 *
-	 * @param verify		TRUE to create for verfification, FALSE to sign
-	 * @param ike_sa_init	encoded ike_sa_init message
-	 * @param nonce			nonce value
-	 * @param id			identity
-	 * @param reserved		reserved bytes of id_payload
-	 * @return				authentication octets
-	 */
-	chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-							   chunk_t nonce, identification_t *id,
-							   char reserved[3]);
-	/**
-	 * Build the shared secret signature used for PSK and EAP authentication.
-	 *
-	 * This method wraps the get_auth_octets() method and additionally
-	 * includes the secret into the signature. If no secret is given, SK_p is
-	 * used as secret (used for EAP methods without MSK).
-	 *
-	 * @param verify		TRUE to create for verfification, FALSE to sign
-	 * @param ike_sa_init	encoded ike_sa_init message
-	 * @param nonce			nonce value
-	 * @param secret		optional secret to include into signature
-	 * @param id			identity
-	 * @param reserved		reserved bytes of id_payload
-	 * @return				signature octets
-	 */
-	chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-						   chunk_t nonce, chunk_t secret,
-						   identification_t *id, char reserved[3]);
-	/**
 	 * Destroy a keymat_t.
 	 */
 	void (*destroy)(keymat_t *this);
 };
 
 /**
- * Create a keymat instance.
+ * Create the appropriate keymat_t implementation based on the IKE version.
+ *
+ * @param version			requested IKE version
+ * @param initiator			TRUE if we are initiator
+ * @return					keymat_t implmenetation
+ */
+keymat_t *keymat_create(ike_version_t version, bool initiator);
+
+/**
+ * Look up the key length of an encryption algorithm.
+ *
+ * @param alg				algorithm to get key length for
+ * @return					key length in bits
+ */
+int keymat_get_keylen_encr(encryption_algorithm_t alg);
+
+/**
+ * Look up the key length of an integrity algorithm.
+ *
+ * @param alg				algorithm to get key length for
+ * @return					key length in bits
+ */
+int keymat_get_keylen_integ(integrity_algorithm_t alg);
+
+/**
+ * Register keymat_t constructor for given IKE version.
  *
- * @param initiator		TRUE if we are the initiator
- * @return				keymat instance
+ * @param version			IKE version of given keymat constructor
+ * @param create			keymat constructor function, NULL to unregister
  */
-keymat_t *keymat_create(bool initiator);
+void keymat_register_constructor(ike_version_t version,
+								 keymat_constructor_t create);
 
 #endif /** KEYMAT_H_ @}*/
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 52b2ecd62..94be7d433 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -18,7 +18,7 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 
 typedef struct private_shunt_manager_t private_shunt_manager_t;
@@ -206,6 +206,7 @@ METHOD(shunt_manager_t, uninstall, bool,
 		return FALSE;
 	}
 	uninstall_shunt_policy(child);
+	child->destroy(child);
 	return TRUE;
 }
 
diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
index 12ff08558..28a795dc9 100644
--- a/src/libcharon/sa/shunt_manager.h
+++ b/src/libcharon/sa/shunt_manager.h
@@ -22,7 +22,7 @@
 #define SHUNT_MANAGER_H_
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <config/child_cfg.h>
 
 typedef struct shunt_manager_t shunt_manager_t;
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
new file mode 100644
index 000000000..4336b23ff
--- /dev/null
+++ b/src/libcharon/sa/task.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "task.h"
+
+ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST,
+	"IKE_INIT",
+	"IKE_NATD",
+	"IKE_MOBIKE",
+	"IKE_AUTH",
+	"IKE_AUTH_LIFETIME",
+	"IKE_CERT_PRE",
+	"IKE_CERT_POST",
+	"IKE_CONFIG",
+	"IKE_REKEY",
+	"IKE_REAUTH",
+	"IKE_DELETE",
+	"IKE_DPD",
+	"IKE_VENDOR",
+#ifdef ME
+	"IKE_ME",
+#endif /* ME */
+	"CHILD_CREATE",
+	"CHILD_DELETE",
+	"CHILD_REKEY",
+	"MAIN_MODE",
+	"AGGRESSIVE_MODE",
+	"INFORMATIONAL",
+	"ISAKMP_DELETE",
+	"XAUTH",
+	"MODE_CONFIG",
+	"QUICK_MODE",
+	"QUICK_DELETE",
+	"ISAKMP_VENDOR",
+	"ISAKMP_NATD",
+	"ISAKMP_DPD",
+	"ISAKMP_CERT_PRE",
+	"ISAKMP_CERT_POST",
+);
diff --git a/src/libcharon/sa/tasks/task.h b/src/libcharon/sa/task.h
index d57085954..f2c4299cc 100644
--- a/src/libcharon/sa/tasks/task.h
+++ b/src/libcharon/sa/task.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup task task
- * @{ @ingroup tasks
+ * @{ @ingroup sa
  */
 
 #ifndef TASK_H_
@@ -34,41 +34,67 @@ typedef struct task_t task_t;
  */
 enum task_type_t {
 	/** establish an unauthenticated IKE_SA */
-	IKE_INIT,
+	TASK_IKE_INIT,
 	/** detect NAT situation */
-	IKE_NATD,
+	TASK_IKE_NATD,
 	/** handle MOBIKE stuff */
-	IKE_MOBIKE,
+	TASK_IKE_MOBIKE,
 	/** authenticate the initiated IKE_SA */
-	IKE_AUTHENTICATE,
+	TASK_IKE_AUTH,
 	/** AUTH_LIFETIME negotiation, RFC4478 */
-	IKE_AUTH_LIFETIME,
+	TASK_IKE_AUTH_LIFETIME,
 	/** certificate processing before authentication (certreqs, cert parsing) */
-	IKE_CERT_PRE,
+	TASK_IKE_CERT_PRE,
 	/** certificate processing after authentication (certs payload generation) */
-	IKE_CERT_POST,
+	TASK_IKE_CERT_POST,
 	/** Configuration payloads, virtual IP and such */
-	IKE_CONFIG,
+	TASK_IKE_CONFIG,
 	/** rekey an IKE_SA */
-	IKE_REKEY,
+	TASK_IKE_REKEY,
 	/** reestablish a complete IKE_SA */
-	IKE_REAUTH,
+	TASK_IKE_REAUTH,
 	/** delete an IKE_SA */
-	IKE_DELETE,
+	TASK_IKE_DELETE,
 	/** liveness check */
-	IKE_DPD,
+	TASK_IKE_DPD,
 	/** Vendor ID processing */
-	IKE_VENDOR,
+	TASK_IKE_VENDOR,
 #ifdef ME
 	/** handle ME stuff */
-	IKE_ME,
+	TASK_IKE_ME,
 #endif /* ME */
 	/** establish a CHILD_SA within an IKE_SA */
-	CHILD_CREATE,
+	TASK_CHILD_CREATE,
 	/** delete an established CHILD_SA */
-	CHILD_DELETE,
-	/** rekey an CHILD_SA */
-	CHILD_REKEY,
+	TASK_CHILD_DELETE,
+	/** rekey a CHILD_SA */
+	TASK_CHILD_REKEY,
+	/** IKEv1 main mode */
+	TASK_MAIN_MODE,
+	/** IKEv1 aggressive mode */
+	TASK_AGGRESSIVE_MODE,
+	/** IKEv1 informational exchange */
+	TASK_INFORMATIONAL,
+	/** IKEv1 delete using an informational */
+	TASK_ISAKMP_DELETE,
+	/** IKEv1 XAUTH authentication */
+	TASK_XAUTH,
+	/** IKEv1 Mode Config */
+	TASK_MODE_CONFIG,
+	/** IKEv1 quick mode */
+	TASK_QUICK_MODE,
+	/** IKEv1 delete of a quick mode SA */
+	TASK_QUICK_DELETE,
+	/** IKEv1 vendor ID payload handling */
+	TASK_ISAKMP_VENDOR,
+	/** IKEv1 NAT detection */
+	TASK_ISAKMP_NATD,
+	/** IKEv1 DPD */
+	TASK_ISAKMP_DPD,
+	/** IKEv1 pre-authentication certificate handling */
+	TASK_ISAKMP_CERT_PRE,
+	/** IKEv1 post-authentication certificate handling */
+	TASK_ISAKMP_CERT_POST,
 };
 
 /**
@@ -105,6 +131,7 @@ struct task_t {
 	 *						- FAILED if a critical error occurred
 	 *						- DESTROY_ME if IKE_SA has been properly deleted
 	 *						- NEED_MORE if another call to build/process needed
+	 *						- ALREADY_DONE to cancel task processing
 	 *						- SUCCESS if task completed
 	 */
 	status_t (*build) (task_t *this, message_t *message);
@@ -114,9 +141,10 @@ struct task_t {
 	 *
 	 * @param message		message to read payloads from
 	 * @return
-	 * 						- FAILED if a critical error occurred
+	 *						- FAILED if a critical error occurred
 	 *						- DESTROY_ME if IKE_SA has been properly deleted
 	 *						- NEED_MORE if another call to build/process needed
+	 *						- ALREADY_DONE to cancel task processing
 	 *						- SUCCESS if task completed
 	 */
 	status_t (*process) (task_t *this, message_t *message);
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index 022a5e3d6..c42008ba9 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2007-2010 Martin Willi
+ * Copyright (C) 2011 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,1135 +15,29 @@
 
 #include "task_manager.h"
 
-#include <math.h>
-
-#include <daemon.h>
-#include <sa/tasks/ike_init.h>
-#include <sa/tasks/ike_natd.h>
-#include <sa/tasks/ike_mobike.h>
-#include <sa/tasks/ike_auth.h>
-#include <sa/tasks/ike_auth_lifetime.h>
-#include <sa/tasks/ike_cert_pre.h>
-#include <sa/tasks/ike_cert_post.h>
-#include <sa/tasks/ike_rekey.h>
-#include <sa/tasks/ike_delete.h>
-#include <sa/tasks/ike_config.h>
-#include <sa/tasks/ike_dpd.h>
-#include <sa/tasks/ike_vendor.h>
-#include <sa/tasks/child_create.h>
-#include <sa/tasks/child_rekey.h>
-#include <sa/tasks/child_delete.h>
-#include <encoding/payloads/delete_payload.h>
-#include <processing/jobs/retransmit_job.h>
-
-#ifdef ME
-#include <sa/tasks/ike_me.h>
-#endif
-
-typedef struct exchange_t exchange_t;
+#include <sa/ikev1/task_manager_v1.h>
+#include <sa/ikev2/task_manager_v2.h>
 
 /**
- * An exchange in the air, used do detect and handle retransmission
+ * See header
  */
-struct exchange_t {
-
-	/**
-	 * Message ID used for this transaction
-	 */
-	u_int32_t mid;
-
-	/**
-	 * generated packet for retransmission
-	 */
-	packet_t *packet;
-};
-
-typedef struct private_task_manager_t private_task_manager_t;
-
-/**
- * private data of the task manager
- */
-struct private_task_manager_t {
-
-	/**
-	 * public functions
-	 */
-	task_manager_t public;
-
-	/**
-	 * associated IKE_SA we are serving
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Exchange we are currently handling as responder
-	 */
-	struct {
-		/**
-		 * Message ID of the exchange
-		 */
-		u_int32_t mid;
-
-		/**
-		 * packet for retransmission
-		 */
-		packet_t *packet;
-
-	} responding;
-
-	/**
-	 * Exchange we are currently handling as initiator
-	 */
-	struct {
-		/**
-		 * Message ID of the exchange
-		 */
-		u_int32_t mid;
-
-		/**
-		 * how many times we have retransmitted so far
-		 */
-		u_int retransmitted;
-
-		/**
-		 * packet for retransmission
-		 */
-		packet_t *packet;
-
-		/**
-		 * type of the initated exchange
-		 */
-		exchange_type_t type;
-
-	} initiating;
-
-	/**
-	 * List of queued tasks not yet in action
-	 */
-	linked_list_t *queued_tasks;
-
-	/**
-	 * List of active tasks, initiated by ourselve
-	 */
-	linked_list_t *active_tasks;
-
-	/**
-	 * List of tasks initiated by peer
-	 */
-	linked_list_t *passive_tasks;
-
-	/**
-	 * the task manager has been reset
-	 */
-	bool reset;
-
-	/**
-	 * Number of times we retransmit messages before giving up
-	 */
-	u_int retransmit_tries;
-
-	/**
-	 * Retransmission timeout
-	 */
-	double retransmit_timeout;
-
-	/**
-	 * Base to calculate retransmission timeout
-	 */
-	double retransmit_base;
-};
-
-/**
- * flush all tasks in the task manager
- */
-static void flush(private_task_manager_t *this)
-{
-	this->passive_tasks->destroy_offset(this->passive_tasks,
-										offsetof(task_t, destroy));
-	this->passive_tasks = linked_list_create();
-	this->active_tasks->destroy_offset(this->active_tasks,
-										offsetof(task_t, destroy));
-	this->active_tasks = linked_list_create();
-	this->queued_tasks->destroy_offset(this->queued_tasks,
-										offsetof(task_t, destroy));
-	this->queued_tasks = linked_list_create();
-}
-
-/**
- * move a task of a specific type from the queue to the active list
- */
-static bool activate_task(private_task_manager_t *this, task_type_t type)
-{
-	enumerator_t *enumerator;
-	task_t *task;
-	bool found = FALSE;
-
-	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
-	while (enumerator->enumerate(enumerator, (void**)&task))
-	{
-		if (task->get_type(task) == type)
-		{
-			DBG2(DBG_IKE, "  activating %N task", task_type_names, type);
-			this->queued_tasks->remove_at(this->queued_tasks, enumerator);
-			this->active_tasks->insert_last(this->active_tasks, task);
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-METHOD(task_manager_t, retransmit, status_t,
-	private_task_manager_t *this, u_int32_t message_id)
-{
-	if (message_id == this->initiating.mid)
-	{
-		u_int32_t timeout;
-		job_t *job;
-		enumerator_t *enumerator;
-		packet_t *packet;
-		task_t *task;
-		ike_mobike_t *mobike = NULL;
-
-		/* check if we are retransmitting a MOBIKE routability check */
-		enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-		while (enumerator->enumerate(enumerator, (void*)&task))
-		{
-			if (task->get_type(task) == IKE_MOBIKE)
-			{
-				mobike = (ike_mobike_t*)task;
-				if (!mobike->is_probing(mobike))
-				{
-					mobike = NULL;
-				}
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-
-		if (mobike == NULL)
-		{
-			if (this->initiating.retransmitted <= this->retransmit_tries)
-			{
-				timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
-					pow(this->retransmit_base, this->initiating.retransmitted));
-			}
-			else
-			{
-				DBG1(DBG_IKE, "giving up after %d retransmits",
-					 this->initiating.retransmitted - 1);
-				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
-				{
-					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				}
-				return DESTROY_ME;
-			}
-
-			if (this->initiating.retransmitted)
-			{
-				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
-					 this->initiating.retransmitted, message_id);
-			}
-			packet = this->initiating.packet->clone(this->initiating.packet);
-			charon->sender->send(charon->sender, packet);
-		}
-		else
-		{	/* for routeability checks, we use a more aggressive behavior */
-			if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
-			{
-				timeout = ROUTEABILITY_CHECK_INTERVAL;
-			}
-			else
-			{
-				DBG1(DBG_IKE, "giving up after %d path probings",
-					 this->initiating.retransmitted - 1);
-				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				return DESTROY_ME;
-			}
-
-			if (this->initiating.retransmitted)
-			{
-				DBG1(DBG_IKE, "path probing attempt %d",
-					 this->initiating.retransmitted);
-			}
-			mobike->transmit(mobike, this->initiating.packet);
-		}
-
-		this->initiating.retransmitted++;
-		job = (job_t*)retransmit_job_create(this->initiating.mid,
-											this->ike_sa->get_id(this->ike_sa));
-		lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
-	}
-	return SUCCESS;
-}
-
-METHOD(task_manager_t, initiate, status_t,
-	private_task_manager_t *this)
+task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 {
-	enumerator_t *enumerator;
-	task_t *task;
-	message_t *message;
-	host_t *me, *other;
-	status_t status;
-	exchange_type_t exchange = 0;
-
-	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
-	{
-		DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
-				exchange_type_names, this->initiating.type);
-		/* do not initiate if we already have a message in the air */
-		return SUCCESS;
-	}
-
-	if (this->active_tasks->get_count(this->active_tasks) == 0)
-	{
-		DBG2(DBG_IKE, "activating new tasks");
-		switch (this->ike_sa->get_state(this->ike_sa))
-		{
-			case IKE_CREATED:
-				activate_task(this, IKE_VENDOR);
-				if (activate_task(this, IKE_INIT))
-				{
-					this->initiating.mid = 0;
-					exchange = IKE_SA_INIT;
-					activate_task(this, IKE_NATD);
-					activate_task(this, IKE_CERT_PRE);
-#ifdef ME
-					/* this task has to be activated before the IKE_AUTHENTICATE
-					 * task, because that task pregenerates the packet after
-					 * which no payloads can be added to the message anymore.
-					 */
-					activate_task(this, IKE_ME);
-#endif /* ME */
-					activate_task(this, IKE_AUTHENTICATE);
-					activate_task(this, IKE_CERT_POST);
-					activate_task(this, IKE_CONFIG);
-					activate_task(this, CHILD_CREATE);
-					activate_task(this, IKE_AUTH_LIFETIME);
-					activate_task(this, IKE_MOBIKE);
-				}
-				break;
-			case IKE_ESTABLISHED:
-				if (activate_task(this, CHILD_CREATE))
-				{
-					exchange = CREATE_CHILD_SA;
-					break;
-				}
-				if (activate_task(this, CHILD_DELETE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, CHILD_REKEY))
-				{
-					exchange = CREATE_CHILD_SA;
-					break;
-				}
-				if (activate_task(this, IKE_DELETE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, IKE_REKEY))
-				{
-					exchange = CREATE_CHILD_SA;
-					break;
-				}
-				if (activate_task(this, IKE_REAUTH))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, IKE_MOBIKE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, IKE_DPD))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-				if (activate_task(this, IKE_AUTH_LIFETIME))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-#ifdef ME
-				if (activate_task(this, IKE_ME))
-				{
-					exchange = ME_CONNECT;
-					break;
-				}
-#endif /* ME */
-			case IKE_REKEYING:
-				if (activate_task(this, IKE_DELETE))
-				{
-					exchange = INFORMATIONAL;
-					break;
-				}
-			case IKE_DELETING:
-			default:
-				break;
-		}
-	}
-	else
+	switch (ike_sa->get_version(ike_sa))
 	{
-		DBG2(DBG_IKE, "reinitiating already active tasks");
-		enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-		while (enumerator->enumerate(enumerator, (void**)&task))
-		{
-			DBG2(DBG_IKE, "  %N task", task_type_names, task->get_type(task));
-			switch (task->get_type(task))
-			{
-				case IKE_INIT:
-					exchange = IKE_SA_INIT;
-					break;
-				case IKE_AUTHENTICATE:
-					exchange = IKE_AUTH;
-					break;
-				case CHILD_CREATE:
-				case CHILD_REKEY:
-				case IKE_REKEY:
-					exchange = CREATE_CHILD_SA;
-					break;
-				case IKE_MOBIKE:
-					exchange = INFORMATIONAL;
-					break;
-				default:
-					continue;
-			}
+		case IKEV1:
+#ifdef USE_IKEV1
+			return &task_manager_v1_create(ike_sa)->task_manager;
+#endif
 			break;
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	if (exchange == 0)
-	{
-		DBG2(DBG_IKE, "nothing to initiate");
-		/* nothing to do yet... */
-		return SUCCESS;
-	}
-
-	me = this->ike_sa->get_my_host(this->ike_sa);
-	other = this->ike_sa->get_other_host(this->ike_sa);
-
-	message = message_create();
-	message->set_message_id(message, this->initiating.mid);
-	message->set_source(message, me->clone(me));
-	message->set_destination(message, other->clone(other));
-	message->set_exchange_type(message, exchange);
-	this->initiating.type = exchange;
-	this->initiating.retransmitted = 0;
-
-	enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-	while (enumerator->enumerate(enumerator, (void*)&task))
-	{
-		switch (task->build(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				this->active_tasks->remove_at(this->active_tasks, enumerator);
-				task->destroy(task);
-				break;
-			case NEED_MORE:
-				/* processed, but task needs another exchange */
-				break;
-			case FAILED:
-			default:
-				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
-				{
-					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				}
-				/* FALL */
-			case DESTROY_ME:
-				/* critical failure, destroy IKE_SA */
-				enumerator->destroy(enumerator);
-				message->destroy(message);
-				flush(this);
-				return DESTROY_ME;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* update exchange type if a task changed it */
-	this->initiating.type = message->get_exchange_type(message);
-
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->initiating.packet);
-	if (status != SUCCESS)
-	{
-		/* message generation failed. There is nothing more to do than to
-		 * close the SA */
-		message->destroy(message);
-		flush(this);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-		return DESTROY_ME;
-	}
-	message->destroy(message);
-
-	return retransmit(this, this->initiating.mid);
-}
-
-/**
- * handle an incoming response message
- */
-static status_t process_response(private_task_manager_t *this,
-								 message_t *message)
-{
-	enumerator_t *enumerator;
-	task_t *task;
-
-	if (message->get_exchange_type(message) != this->initiating.type)
-	{
-		DBG1(DBG_IKE, "received %N response, but expected %N",
-			 exchange_type_names, message->get_exchange_type(message),
-			 exchange_type_names, this->initiating.type);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-		return DESTROY_ME;
-	}
-
-	/* catch if we get resetted while processing */
-	this->reset = FALSE;
-	enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-	while (enumerator->enumerate(enumerator, (void*)&task))
-	{
-		switch (task->process(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				this->active_tasks->remove_at(this->active_tasks, enumerator);
-				task->destroy(task);
-				break;
-			case NEED_MORE:
-				/* processed, but task needs another exchange */
-				break;
-			case FAILED:
-			default:
-				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				/* FALL */
-			case DESTROY_ME:
-				/* critical failure, destroy IKE_SA */
-				this->active_tasks->remove_at(this->active_tasks, enumerator);
-				enumerator->destroy(enumerator);
-				task->destroy(task);
-				return DESTROY_ME;
-		}
-		if (this->reset)
-		{	/* start all over again if we were reset */
-			this->reset = FALSE;
-			enumerator->destroy(enumerator);
-			return initiate(this);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	this->initiating.mid++;
-	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-	this->initiating.packet->destroy(this->initiating.packet);
-	this->initiating.packet = NULL;
-
-	return initiate(this);
-}
-
-/**
- * handle exchange collisions
- */
-static bool handle_collisions(private_task_manager_t *this, task_t *task)
-{
-	enumerator_t *enumerator;
-	task_t *active;
-	task_type_t type;
-
-	type = task->get_type(task);
-
-	/* do we have to check  */
-	if (type == IKE_REKEY || type == CHILD_REKEY ||
-		type == CHILD_DELETE || type == IKE_DELETE || type == IKE_REAUTH)
-	{
-		/* find an exchange collision, and notify these tasks */
-		enumerator = this->active_tasks->create_enumerator(this->active_tasks);
-		while (enumerator->enumerate(enumerator, (void**)&active))
-		{
-			switch (active->get_type(active))
-			{
-				case IKE_REKEY:
-					if (type == IKE_REKEY || type == IKE_DELETE ||
-						type == IKE_REAUTH)
-					{
-						ike_rekey_t *rekey = (ike_rekey_t*)active;
-						rekey->collide(rekey, task);
-						break;
-					}
-					continue;
-				case CHILD_REKEY:
-					if (type == CHILD_REKEY || type == CHILD_DELETE)
-					{
-						child_rekey_t *rekey = (child_rekey_t*)active;
-						rekey->collide(rekey, task);
-						break;
-					}
-					continue;
-				default:
-					continue;
-			}
-			enumerator->destroy(enumerator);
-			return TRUE;
-		}
-		enumerator->destroy(enumerator);
-	}
-	return FALSE;
-}
-
-/**
- * build a response depending on the "passive" task list
- */
-static status_t build_response(private_task_manager_t *this, message_t *request)
-{
-	enumerator_t *enumerator;
-	task_t *task;
-	message_t *message;
-	host_t *me, *other;
-	bool delete = FALSE, hook = FALSE;
-	status_t status;
-
-	me = request->get_destination(request);
-	other = request->get_source(request);
-
-	message = message_create();
-	message->set_exchange_type(message, request->get_exchange_type(request));
-	/* send response along the path the request came in */
-	message->set_source(message, me->clone(me));
-	message->set_destination(message, other->clone(other));
-	message->set_message_id(message, this->responding.mid);
-	message->set_request(message, FALSE);
-
-	enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
-	while (enumerator->enumerate(enumerator, (void*)&task))
-	{
-		switch (task->build(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
-				if (!handle_collisions(this, task))
-				{
-					task->destroy(task);
-				}
-				break;
-			case NEED_MORE:
-				/* processed, but task needs another exchange */
-				if (handle_collisions(this, task))
-				{
-					this->passive_tasks->remove_at(this->passive_tasks,
-												   enumerator);
-				}
-				break;
-			case FAILED:
-			default:
-				hook = TRUE;
-				/* FALL */
-			case DESTROY_ME:
-				/* destroy IKE_SA, but SEND response first */
-				delete = TRUE;
-				break;
-		}
-		if (delete)
-		{
+		case IKEV2:
+#ifdef USE_IKEV2
+			return &task_manager_v2_create(ike_sa)->task_manager;
+#endif
 			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* remove resonder SPI if IKE_SA_INIT failed */
-	if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
-	{
-		ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
-		id->set_responder_spi(id, 0);
-	}
-
-	/* message complete, send it */
-	DESTROY_IF(this->responding.packet);
-	this->responding.packet = NULL;
-	status = this->ike_sa->generate_message(this->ike_sa, message,
-											&this->responding.packet);
-	message->destroy(message);
-	if (status != SUCCESS)
-	{
-		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-		return DESTROY_ME;
-	}
-
-	charon->sender->send(charon->sender,
-						 this->responding.packet->clone(this->responding.packet));
-	if (delete)
-	{
-		if (hook)
-		{
-			charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-		}
-		return DESTROY_ME;
-	}
-	return SUCCESS;
-}
-
-/**
- * handle an incoming request message
- */
-static status_t process_request(private_task_manager_t *this,
-								message_t *message)
-{
-	enumerator_t *enumerator;
-	task_t *task = NULL;
-	payload_t *payload;
-	notify_payload_t *notify;
-	delete_payload_t *delete;
-
-	if (this->passive_tasks->get_count(this->passive_tasks) == 0)
-	{	/* create tasks depending on request type, if not already some queued */
-		switch (message->get_exchange_type(message))
-		{
-			case IKE_SA_INIT:
-			{
-				task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-#ifdef ME
-				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-#endif /* ME */
-				task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
-													NULL, NULL);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				break;
-			}
-			case CREATE_CHILD_SA:
-			{	/* FIXME: we should prevent this on mediation connections */
-				bool notify_found = FALSE, ts_found = FALSE;
-				enumerator = message->create_payload_enumerator(message);
-				while (enumerator->enumerate(enumerator, &payload))
-				{
-					switch (payload->get_type(payload))
-					{
-						case NOTIFY:
-						{	/* if we find a rekey notify, its CHILD_SA rekeying */
-							notify = (notify_payload_t*)payload;
-							if (notify->get_notify_type(notify) == REKEY_SA &&
-								(notify->get_protocol_id(notify) == PROTO_AH ||
-								 notify->get_protocol_id(notify) == PROTO_ESP))
-							{
-								notify_found = TRUE;
-							}
-							break;
-						}
-						case TRAFFIC_SELECTOR_INITIATOR:
-						case TRAFFIC_SELECTOR_RESPONDER:
-						{	/* if we don't find a TS, its IKE rekeying */
-							ts_found = TRUE;
-							break;
-						}
-						default:
-							break;
-					}
-				}
-				enumerator->destroy(enumerator);
-
-				if (ts_found)
-				{
-					if (notify_found)
-					{
-						task = (task_t*)child_rekey_create(this->ike_sa,
-														   PROTO_NONE, 0);
-					}
-					else
-					{
-						task = (task_t*)child_create_create(this->ike_sa, NULL,
-															FALSE, NULL, NULL);
-					}
-				}
-				else
-				{
-					task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
-				}
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				break;
-			}
-			case INFORMATIONAL:
-			{
-				enumerator = message->create_payload_enumerator(message);
-				while (enumerator->enumerate(enumerator, &payload))
-				{
-					switch (payload->get_type(payload))
-					{
-						case NOTIFY:
-						{
-							notify = (notify_payload_t*)payload;
-							switch (notify->get_notify_type(notify))
-							{
-								case ADDITIONAL_IP4_ADDRESS:
-								case ADDITIONAL_IP6_ADDRESS:
-								case NO_ADDITIONAL_ADDRESSES:
-								case UPDATE_SA_ADDRESSES:
-								case NO_NATS_ALLOWED:
-								case UNACCEPTABLE_ADDRESSES:
-								case UNEXPECTED_NAT_DETECTED:
-								case COOKIE2:
-								case NAT_DETECTION_SOURCE_IP:
-								case NAT_DETECTION_DESTINATION_IP:
-									task = (task_t*)ike_mobike_create(
-															this->ike_sa, FALSE);
-									break;
-								case AUTH_LIFETIME:
-									task = (task_t*)ike_auth_lifetime_create(
-															this->ike_sa, FALSE);
-									break;
-								default:
-									break;
-							}
-							break;
-						}
-						case DELETE:
-						{
-							delete = (delete_payload_t*)payload;
-							if (delete->get_protocol_id(delete) == PROTO_IKE)
-							{
-								task = (task_t*)ike_delete_create(this->ike_sa,
-																FALSE);
-							}
-							else
-							{
-								task = (task_t*)child_delete_create(this->ike_sa,
-																PROTO_NONE, 0);
-							}
-							break;
-						}
-						default:
-							break;
-					}
-					if (task)
-					{
-						break;
-					}
-				}
-				enumerator->destroy(enumerator);
-
-				if (task == NULL)
-				{
-					task = (task_t*)ike_dpd_create(FALSE);
-				}
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-				break;
-			}
-#ifdef ME
-			case ME_CONNECT:
-			{
-				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
-			}
-#endif /* ME */
-			default:
-				break;
-		}
-	}
-
-	/* let the tasks process the message */
-	enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
-	while (enumerator->enumerate(enumerator, (void*)&task))
-	{
-		switch (task->process(task, message))
-		{
-			case SUCCESS:
-				/* task completed, remove it */
-				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
-				task->destroy(task);
-				break;
-			case NEED_MORE:
-				/* processed, but task needs at least another call to build() */
-				break;
-			case FAILED:
-			default:
-				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
-				/* FALL */
-			case DESTROY_ME:
-				/* critical failure, destroy IKE_SA */
-				this->passive_tasks->remove_at(this->passive_tasks, enumerator);
-				enumerator->destroy(enumerator);
-				task->destroy(task);
-				return DESTROY_ME;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	return build_response(this, message);
-}
-
-METHOD(task_manager_t, process_message, status_t,
-	private_task_manager_t *this, message_t *msg)
-{
-	host_t *me, *other;
-	u_int32_t mid;
-
-	mid = msg->get_message_id(msg);
-	me = msg->get_destination(msg);
-	other = msg->get_source(msg);
-
-	if (msg->get_request(msg))
-	{
-		if (mid == this->responding.mid)
-		{
-			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
-				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
-				msg->get_exchange_type(msg) != IKE_SA_INIT)
-			{	/* only do host updates based on verified messages */
-				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
-				{	/* with MOBIKE, we do no implicit updates */
-					this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
-				}
-			}
-			charon->bus->message(charon->bus, msg, TRUE);
-			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
-			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
-				return SUCCESS;
-			}
-			if (process_request(this, msg) != SUCCESS)
-			{
-				flush(this);
-				return DESTROY_ME;
-			}
-			this->responding.mid++;
-		}
-		else if ((mid == this->responding.mid - 1) && this->responding.packet)
-		{
-			packet_t *clone;
-			host_t *host;
-
-			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
-				 "retransmitting response", mid);
-			clone = this->responding.packet->clone(this->responding.packet);
-			host = msg->get_destination(msg);
-			clone->set_source(clone, host->clone(host));
-			host = msg->get_source(msg);
-			clone->set_destination(clone, host->clone(host));
-			charon->sender->send(charon->sender, clone);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
-				 mid, this->responding.mid);
-		}
-	}
-	else
-	{
-		if (mid == this->initiating.mid)
-		{
-			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
-				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
-				msg->get_exchange_type(msg) != IKE_SA_INIT)
-			{	/* only do host updates based on verified messages */
-				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
-				{	/* with MOBIKE, we do no implicit updates */
-					this->ike_sa->update_hosts(this->ike_sa, me, other, FALSE);
-				}
-			}
-			charon->bus->message(charon->bus, msg, TRUE);
-			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
-			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
-				return SUCCESS;
-			}
-			if (process_response(this, msg) != SUCCESS)
-			{
-				flush(this);
-				return DESTROY_ME;
-			}
-		}
-		else
-		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
-				 mid, this->initiating.mid);
-			return SUCCESS;
-		}
-	}
-	return SUCCESS;
-}
-
-METHOD(task_manager_t, queue_task, void,
-	private_task_manager_t *this, task_t *task)
-{
-	if (task->get_type(task) == IKE_MOBIKE)
-	{	/*  there is no need to queue more than one mobike task */
-		enumerator_t *enumerator;
-		task_t *current;
-
-		enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
-		while (enumerator->enumerate(enumerator, (void**)&current))
-		{
-			if (current->get_type(current) == IKE_MOBIKE)
-			{
-				enumerator->destroy(enumerator);
-				task->destroy(task);
-				return;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
-	this->queued_tasks->insert_last(this->queued_tasks, task);
-}
-
-METHOD(task_manager_t, adopt_tasks, void,
-	private_task_manager_t *this, task_manager_t *other_public)
-{
-	private_task_manager_t *other = (private_task_manager_t*)other_public;
-	task_t *task;
-
-	/* move queued tasks from other to this */
-	while (other->queued_tasks->remove_last(other->queued_tasks,
-												(void**)&task) == SUCCESS)
-	{
-		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
-		task->migrate(task, this->ike_sa);
-		this->queued_tasks->insert_first(this->queued_tasks, task);
-	}
-}
-
-METHOD(task_manager_t, busy, bool,
-	private_task_manager_t *this)
-{
-	return (this->active_tasks->get_count(this->active_tasks) > 0);
-}
-
-METHOD(task_manager_t, incr_mid, void,
-	private_task_manager_t *this, bool initiate)
-{
-	if (initiate)
-	{
-		this->initiating.mid++;
-	}
-	else
-	{
-		this->responding.mid++;
-	}
-}
-
-METHOD(task_manager_t, reset, void,
-	private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
-{
-	enumerator_t *enumerator;
-	task_t *task;
-
-	/* reset message counters and retransmit packets */
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
-	this->responding.packet = NULL;
-	this->initiating.packet = NULL;
-	if (initiate != UINT_MAX)
-	{
-		this->initiating.mid = initiate;
-	}
-	if (respond != UINT_MAX)
-	{
-		this->responding.mid = respond;
-	}
-	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-
-	/* reset queued tasks */
-	enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
-	while (enumerator->enumerate(enumerator, &task))
-	{
-		task->migrate(task, this->ike_sa);
-	}
-	enumerator->destroy(enumerator);
-
-	/* reset active tasks */
-	while (this->active_tasks->remove_last(this->active_tasks,
-										   (void**)&task) == SUCCESS)
-	{
-		task->migrate(task, this->ike_sa);
-		this->queued_tasks->insert_first(this->queued_tasks, task);
-	}
-
-	this->reset = TRUE;
-}
-
-METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
-	private_task_manager_t *this, task_queue_t queue)
-{
-	switch (queue)
-	{
-		case TASK_QUEUE_ACTIVE:
-			return this->active_tasks->create_enumerator(this->active_tasks);
-		case TASK_QUEUE_PASSIVE:
-			return this->passive_tasks->create_enumerator(this->passive_tasks);
-		case TASK_QUEUE_QUEUED:
-			return this->queued_tasks->create_enumerator(this->queued_tasks);
 		default:
-			return enumerator_create_empty();
+			break;
 	}
-}
-
-METHOD(task_manager_t, destroy, void,
-	private_task_manager_t *this)
-{
-	flush(this);
-
-	this->active_tasks->destroy(this->active_tasks);
-	this->queued_tasks->destroy(this->queued_tasks);
-	this->passive_tasks->destroy(this->passive_tasks);
-
-	DESTROY_IF(this->responding.packet);
-	DESTROY_IF(this->initiating.packet);
-	free(this);
-}
-
-/*
- * see header file
- */
-task_manager_t *task_manager_create(ike_sa_t *ike_sa)
-{
-	private_task_manager_t *this;
-
-	INIT(this,
-		.public = {
-			.process_message = _process_message,
-			.queue_task = _queue_task,
-			.initiate = _initiate,
-			.retransmit = _retransmit,
-			.incr_mid = _incr_mid,
-			.reset = _reset,
-			.adopt_tasks = _adopt_tasks,
-			.busy = _busy,
-			.create_task_enumerator = _create_task_enumerator,
-			.destroy = _destroy,
-		},
-		.ike_sa = ike_sa,
-		.initiating.type = EXCHANGE_TYPE_UNDEFINED,
-		.queued_tasks = linked_list_create(),
-		.active_tasks = linked_list_create(),
-		.passive_tasks = linked_list_create(),
-		.retransmit_tries = lib->settings->get_int(lib->settings,
-								"charon.retransmit_tries", RETRANSMIT_TRIES),
-		.retransmit_timeout = lib->settings->get_double(lib->settings,
-								"charon.retransmit_timeout", RETRANSMIT_TIMEOUT),
-		.retransmit_base = lib->settings->get_double(lib->settings,
-								"charon.retransmit_base", RETRANSMIT_BASE),
-	);
-
-	return &this->public;
+	return NULL;
 }
 
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index 5bc6c80c4..a1ebb4117 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -29,7 +29,7 @@ typedef enum task_queue_t task_queue_t;
 #include <library.h>
 #include <encoding/message.h>
 #include <sa/ike_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 
 /**
  * First retransmit timeout in seconds.
@@ -125,6 +125,69 @@ struct task_manager_t {
 	void (*queue_task) (task_manager_t *this, task_t *task);
 
 	/**
+	 * Queue IKE_SA establishing tasks.
+	 */
+	void (*queue_ike)(task_manager_t *this);
+
+	/**
+	 * Queue IKE_SA rekey tasks.
+	 */
+	void (*queue_ike_rekey)(task_manager_t *this);
+
+	/**
+	 * Queue IKE_SA reauth tasks.
+	 */
+	void (*queue_ike_reauth)(task_manager_t *this);
+
+	/**
+	 * Queue MOBIKE task
+	 *
+	 * @param roam			TRUE to switch to new address
+	 * @param address		TRUE to include address list update
+	 */
+	void (*queue_mobike)(task_manager_t *this, bool roam, bool address);
+
+	/**
+	 * Queue IKE_SA delete tasks.
+	 */
+	void (*queue_ike_delete)(task_manager_t *this);
+
+	/**
+	 * Queue CHILD_SA establishing tasks.
+	 *
+	 * @param cfg			CHILD_SA config to establish
+	 * @param reqid			reqid to use for CHILD_SA
+	 * @param tsi			initiator traffic selector, if packet-triggered
+	 * @param tsr			responder traffic selector, if packet-triggered
+	 */
+	void (*queue_child)(task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
+						traffic_selector_t *tsi, traffic_selector_t *tsr);
+
+	/**
+	 * Queue CHILD_SA rekeying tasks.
+	 *
+	 * @param protocol		CHILD_SA protocol, AH|ESP
+	 * @param spi			CHILD_SA SPI to rekey
+	 */
+	void (*queue_child_rekey)(task_manager_t *this, protocol_id_t protocol,
+							  u_int32_t spi);
+
+	/**
+	 * Queue CHILD_SA delete tasks.
+	 *
+	 * @param protocol		CHILD_SA protocol, AH|ESP
+	 * @param spi			CHILD_SA SPI to rekey
+	 * @param expired		TRUE if SA already expired
+	 */
+	void (*queue_child_delete)(task_manager_t *this, protocol_id_t protocol,
+							   u_int32_t spi, bool expired);
+
+	/**
+	 * Queue liveness checking tasks.
+	 */
+	void (*queue_dpd)(task_manager_t *this);
+
+	/**
 	 * Retransmit a request if it hasn't been acknowledged yet.
 	 *
 	 * A return value of INVALID_STATE means that the message was already
@@ -139,7 +202,7 @@ struct task_manager_t {
 	status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
 
 	/**
-	 * Migrate all tasks from other to this.
+	 * Migrate all queued tasks from other to this.
 	 *
 	 * To rekey or reestablish an IKE_SA completely, all queued or active
 	 * tasks should get migrated to the new IKE_SA.
@@ -149,6 +212,13 @@ struct task_manager_t {
 	void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
 
 	/**
+	 * Migrate all active or queued CHILD_SA-creating tasks from other to this.
+	 *
+	 * @param other			manager which gives away its tasks
+	 */
+	void (*adopt_child_tasks) (task_manager_t *this, task_manager_t *other);
+
+	/**
 	 * Increment a message ID counter, in- or outbound.
 	 *
 	 * If a message is processed outside of the manager, this call increments
@@ -166,9 +236,11 @@ struct task_manager_t {
 	 * resets the message IDs and resets all active tasks using the migrate()
 	 * method.
 	 * Use a value of UINT_MAX to keep the current message ID.
+	 * For IKEv1, the arguments do not set the message ID, but the DPD sequence
+	 * number counters.
 	 *
-	 * @param initiate		message ID to initiate exchanges (send)
-	 * @param respond		message ID to respond to exchanges (expect)
+	 * @param initiate		message ID / DPD seq to initiate exchanges (send)
+	 * @param respond		message ID / DPD seq to respond to exchanges (expect)
 	 */
 	void (*reset) (task_manager_t *this, u_int32_t initiate, u_int32_t respond);
 
@@ -189,15 +261,23 @@ struct task_manager_t {
 											task_queue_t queue);
 
 	/**
+	 * Flush a queue, cancelling all tasks.
+	 *
+	 * @param queue			queue to flush
+	 */
+	void (*flush_queue)(task_manager_t *this, task_queue_t queue);
+
+	/**
 	 * Destroy the task_manager_t.
 	 */
 	void (*destroy) (task_manager_t *this);
 };
 
 /**
- * Create an instance of the task manager.
+ * Create a task manager instance for the correct IKE version.
  *
- * @param ike_sa		IKE_SA to manage.
+ * @param ike_sa			IKE_SA to create a task manager for
+ * @return					task manager implementation for IKE version
  */
 task_manager_t *task_manager_create(ike_sa_t *ike_sa);
 
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
deleted file mode 100644
index 67c29d31f..000000000
--- a/src/libcharon/sa/tasks/child_create.c
+++ /dev/null
@@ -1,1330 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "child_create.h"
-
-#include <daemon.h>
-#include <crypto/diffie_hellman.h>
-#include <credentials/certificates/x509.h>
-#include <encoding/payloads/sa_payload.h>
-#include <encoding/payloads/ke_payload.h>
-#include <encoding/payloads/ts_payload.h>
-#include <encoding/payloads/nonce_payload.h>
-#include <encoding/payloads/notify_payload.h>
-#include <processing/jobs/delete_ike_sa_job.h>
-#include <processing/jobs/inactivity_job.h>
-
-
-typedef struct private_child_create_t private_child_create_t;
-
-/**
- * Private members of a child_create_t task.
- */
-struct private_child_create_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	child_create_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * nonce chosen by us
-	 */
-	chunk_t my_nonce;
-
-	/**
-	 * nonce chosen by peer
-	 */
-	chunk_t other_nonce;
-
-	/**
-	 * config to create the CHILD_SA from
-	 */
-	child_cfg_t *config;
-
-	/**
-	 * list of proposal candidates
-	 */
-	linked_list_t *proposals;
-
-	/**
-	 * selected proposal to use for CHILD_SA
-	 */
-	proposal_t *proposal;
-
-	/**
-	 * traffic selectors for initiators side
-	 */
-	linked_list_t *tsi;
-
-	/**
-	 * traffic selectors for responders side
-	 */
-	linked_list_t *tsr;
-
-	/**
-	 * source of triggering packet
-	 */
-	traffic_selector_t *packet_tsi;
-
-	/**
-	 * destination of triggering packet
-	 */
-	traffic_selector_t *packet_tsr;
-
-	/**
-	 * optional diffie hellman exchange
-	 */
-	diffie_hellman_t *dh;
-
-	/**
-	 * group used for DH exchange
-	 */
-	diffie_hellman_group_t dh_group;
-
-	/**
-	 * IKE_SAs keymat
-	 */
-	keymat_t *keymat;
-
-	/**
-	 * mode the new CHILD_SA uses (transport/tunnel/beet)
-	 */
-	ipsec_mode_t mode;
-
-	/**
-	 * peer accepts TFC padding for this SA
-	 */
-	bool tfcv3;
-
-	/**
-	 * IPComp transform to use
-	 */
-	ipcomp_transform_t ipcomp;
-
-	/**
-	 * IPComp transform proposed or accepted by the other peer
-	 */
-	ipcomp_transform_t ipcomp_received;
-
-	/**
-	 * Own allocated SPI
-	 */
-	u_int32_t my_spi;
-
-	/**
-	 * SPI received in proposal
-	 */
-	u_int32_t other_spi;
-
-	/**
-	 * Own allocated Compression Parameter Index (CPI)
-	 */
-	u_int16_t my_cpi;
-
-	/**
-	 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
-	 */
-	u_int16_t other_cpi;
-
-	/**
-	 * reqid to use if we are rekeying
-	 */
-	u_int32_t reqid;
-
-	/**
-	 * CHILD_SA which gets established
-	 */
-	child_sa_t *child_sa;
-
-	/**
-	 * successfully established the CHILD?
-	 */
-	bool established;
-
-	/**
-	 * whether the CHILD_SA rekeys an existing one
-	 */
-	bool rekey;
-};
-
-/**
- * get the nonce from a message
- */
-static status_t get_nonce(message_t *message, chunk_t *nonce)
-{
-	nonce_payload_t *payload;
-
-	payload = (nonce_payload_t*)message->get_payload(message, NONCE);
-	if (payload == NULL)
-	{
-		return FAILED;
-	}
-	*nonce = payload->get_nonce(payload);
-	return NEED_MORE;
-}
-
-/**
- * generate a new nonce to include in a CREATE_CHILD_SA message
- */
-static status_t generate_nonce(chunk_t *nonce)
-{
-	rng_t *rng;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
-	{
-		DBG1(DBG_IKE, "error generating nonce value, no RNG found");
-		return FAILED;
-	}
-	rng->allocate_bytes(rng, NONCE_SIZE, nonce);
-	rng->destroy(rng);
-	return SUCCESS;
-}
-
-/**
- * Check a list of traffic selectors if any selector belongs to host
- */
-static bool ts_list_is_host(linked_list_t *list, host_t *host)
-{
-	traffic_selector_t *ts;
-	bool is_host = TRUE;
-	enumerator_t *enumerator = list->create_enumerator(list);
-
-	while (is_host && enumerator->enumerate(enumerator, (void**)&ts))
-	{
-		is_host = is_host && ts->is_host(ts, host);
-	}
-	enumerator->destroy(enumerator);
-	return is_host;
-}
-
-/**
- * Allocate SPIs and update proposals
- */
-static bool allocate_spi(private_child_create_t *this)
-{
-	enumerator_t *enumerator;
-	proposal_t *proposal;
-
-	/* TODO: allocate additional SPI for AH if we have such proposals */
-	this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
-	if (this->my_spi)
-	{
-		if (this->initiator)
-		{
-			enumerator = this->proposals->create_enumerator(this->proposals);
-			while (enumerator->enumerate(enumerator, &proposal))
-			{
-				proposal->set_spi(proposal, this->my_spi);
-			}
-			enumerator->destroy(enumerator);
-		}
-		else
-		{
-			this->proposal->set_spi(this->proposal, this->my_spi);
-		}
-		return TRUE;
-	}
-	return FALSE;
-}
-
-/**
- * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
- */
-static void schedule_inactivity_timeout(private_child_create_t *this)
-{
-	u_int32_t timeout;
-	bool close_ike;
-
-	timeout = this->config->get_inactivity(this->config);
-	if (timeout)
-	{
-		close_ike = lib->settings->get_bool(lib->settings,
-										"charon.inactivity_close_ike", FALSE);
-		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
-				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
-									  timeout, close_ike), timeout);
-	}
-}
-
-/**
- * Install a CHILD_SA for usage, return value:
- * - FAILED: no acceptable proposal
- * - INVALID_ARG: diffie hellman group inacceptable
- * - NOT_FOUND: TS inacceptable
- */
-static status_t select_and_install(private_child_create_t *this,
-								   bool no_dh, bool ike_auth)
-{
-	status_t status, status_i, status_o;
-	chunk_t nonce_i, nonce_r;
-	chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
-	chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
-	linked_list_t *my_ts, *other_ts;
-	host_t *me, *other, *other_vip, *my_vip;
-	bool private;
-
-	if (this->proposals == NULL)
-	{
-		DBG1(DBG_IKE, "SA payload missing in message");
-		return FAILED;
-	}
-	if (this->tsi == NULL || this->tsr == NULL)
-	{
-		DBG1(DBG_IKE, "TS payloads missing in message");
-		return NOT_FOUND;
-	}
-
-	me = this->ike_sa->get_my_host(this->ike_sa);
-	other = this->ike_sa->get_other_host(this->ike_sa);
-	my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-	other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-
-	private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
-	this->proposal = this->config->select_proposal(this->config,
-											this->proposals, no_dh, private);
-	if (this->proposal == NULL)
-	{
-		DBG1(DBG_IKE, "no acceptable proposal found");
-		return FAILED;
-	}
-	this->other_spi = this->proposal->get_spi(this->proposal);
-
-	if (!this->initiator && !allocate_spi(this))
-	{	/* responder has no SPI allocated yet */
-		DBG1(DBG_IKE, "allocating SPI failed");
-		return FAILED;
-	}
-	this->child_sa->set_proposal(this->child_sa, this->proposal);
-
-	if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
-	{
-		u_int16_t group;
-
-		if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
-										  &group, NULL))
-		{
-			DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
-				 diffie_hellman_group_names, this->dh_group,
-				 diffie_hellman_group_names, group);
-			this->dh_group = group;
-			return INVALID_ARG;
-		}
-		/* the selected proposal does not use a DH group */
-		DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
-		DESTROY_IF(this->dh);
-		this->dh = NULL;
-		this->dh_group = MODP_NONE;
-	}
-
-	if (my_vip == NULL)
-	{
-		my_vip = me;
-	}
-	if (other_vip == NULL)
-	{
-		other_vip = other;
-	}
-
-	if (this->initiator)
-	{
-		nonce_i = this->my_nonce;
-		nonce_r = this->other_nonce;
-		my_ts = this->tsi;
-		other_ts = this->tsr;
-	}
-	else
-	{
-		nonce_r = this->my_nonce;
-		nonce_i = this->other_nonce;
-		my_ts = this->tsr;
-		other_ts = this->tsi;
-	}
-	my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
-												my_vip);
-	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
-												   other_vip);
-
-	if (this->initiator)
-	{
-		if (ike_auth)
-		{
-			charon->bus->narrow(charon->bus, this->child_sa,
-								NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
-		}
-		else
-		{
-			charon->bus->narrow(charon->bus, this->child_sa,
-								NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
-		}
-	}
-	else
-	{
-		charon->bus->narrow(charon->bus, this->child_sa,
-							NARROW_RESPONDER, my_ts, other_ts);
-	}
-
-	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
-	{
-		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
-		other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-		DBG1(DBG_IKE, "no acceptable traffic selectors found");
-		return NOT_FOUND;
-	}
-
-	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	if (this->initiator)
-	{
-		this->tsi = my_ts;
-		this->tsr = other_ts;
-	}
-	else
-	{
-		this->tsr = my_ts;
-		this->tsi = other_ts;
-	}
-
-	if (!this->initiator)
-	{
-		/* check if requested mode is acceptable, downgrade if required */
-		switch (this->mode)
-		{
-			case MODE_TRANSPORT:
-				if (!this->config->use_proxy_mode(this->config) &&
-					   (!ts_list_is_host(this->tsi, other) ||
-						!ts_list_is_host(this->tsr, me))
-				   )
-				{
-					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using transport mode, not host-to-host");
-				}
-				else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-				{
-					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using transport mode, connection NATed");
-				}
-				break;
-			case MODE_BEET:
-				if (!ts_list_is_host(this->tsi, NULL) ||
-					!ts_list_is_host(this->tsr, NULL))
-				{
-					this->mode = MODE_TUNNEL;
-					DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
-				}
-				break;
-			default:
-				break;
-		}
-	}
-
-	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
-	this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
-	this->child_sa->set_mode(this->child_sa, this->mode);
-	this->child_sa->set_protocol(this->child_sa,
-								 this->proposal->get_protocol(this->proposal));
-
-	if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
-	{
-		this->my_cpi = this->other_cpi = 0;
-		this->ipcomp = IPCOMP_NONE;
-	}
-	status_i = status_o = FAILED;
-	if (this->keymat->derive_child_keys(this->keymat, this->proposal,
-			this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
-	{
-		if (this->initiator)
-		{
-			status_i = this->child_sa->install(this->child_sa,
-							encr_r, integ_r, this->my_spi, this->my_cpi,
-							TRUE, this->tfcv3, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa,
-							encr_i, integ_i, this->other_spi, this->other_cpi,
-							FALSE, this->tfcv3, my_ts, other_ts);
-		}
-		else
-		{
-			status_i = this->child_sa->install(this->child_sa,
-							encr_i, integ_i, this->my_spi, this->my_cpi,
-							TRUE, this->tfcv3, my_ts, other_ts);
-			status_o = this->child_sa->install(this->child_sa,
-							encr_r, integ_r, this->other_spi, this->other_cpi,
-							FALSE, this->tfcv3, my_ts, other_ts);
-		}
-	}
-	chunk_clear(&integ_i);
-	chunk_clear(&integ_r);
-	chunk_clear(&encr_i);
-	chunk_clear(&encr_r);
-
-	if (status_i != SUCCESS || status_o != SUCCESS)
-	{
-		DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
-			(status_i != SUCCESS) ? "inbound " : "",
-			(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
-			(status_o != SUCCESS) ? "outbound " : "");
-		return FAILED;
-	}
-
-	status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
-	if (status != SUCCESS)
-	{
-		DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
-		return NOT_FOUND;
-	}
-
-	charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
-							this->dh, nonce_i, nonce_r);
-
-	/* add to IKE_SA, and remove from task */
-	this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-	this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
-	this->established = TRUE;
-
-	if (!this->rekey)
-	{	/* a rekeyed SA uses the same reqid, no need for a new job */
-		schedule_inactivity_timeout(this);
-	}
-	return SUCCESS;
-}
-
-/**
- * build the payloads for the message
- */
-static void build_payloads(private_child_create_t *this, message_t *message)
-{
-	sa_payload_t *sa_payload;
-	nonce_payload_t *nonce_payload;
-	ke_payload_t *ke_payload;
-	ts_payload_t *ts_payload;
-
-	/* add SA payload */
-	if (this->initiator)
-	{
-		sa_payload = sa_payload_create_from_proposal_list(this->proposals);
-	}
-	else
-	{
-		sa_payload = sa_payload_create_from_proposal(this->proposal);
-	}
-	message->add_payload(message, (payload_t*)sa_payload);
-
-	/* add nonce payload if not in IKE_AUTH */
-	if (message->get_exchange_type(message) == CREATE_CHILD_SA)
-	{
-		nonce_payload = nonce_payload_create();
-		nonce_payload->set_nonce(nonce_payload, this->my_nonce);
-		message->add_payload(message, (payload_t*)nonce_payload);
-	}
-
-	/* diffie hellman exchange, if PFS enabled */
-	if (this->dh)
-	{
-		ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
-		message->add_payload(message, (payload_t*)ke_payload);
-	}
-
-	/* add TSi/TSr payloads */
-	ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
-	message->add_payload(message, (payload_t*)ts_payload);
-	ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
-	message->add_payload(message, (payload_t*)ts_payload);
-
-	/* add a notify if we are not in tunnel mode */
-	switch (this->mode)
-	{
-		case MODE_TRANSPORT:
-			message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
-			break;
-		case MODE_BEET:
-			message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
-			break;
-		default:
-			break;
-	}
-}
-
-/**
- * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
- */
-static void add_ipcomp_notify(private_child_create_t *this,
-								  message_t *message, u_int8_t ipcomp)
-{
-	if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-	{
-		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
-			 "IPComp disabled");
-		return;
-	}
-
-	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
-	if (this->my_cpi)
-	{
-		this->ipcomp = ipcomp;
-		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
-							chunk_cata("cc", chunk_from_thing(this->my_cpi),
-									   chunk_from_thing(ipcomp)));
-	}
-	else
-	{
-		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
-	}
-}
-
-/**
- * handle a received notify payload
- */
-static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
-{
-	switch (notify->get_notify_type(notify))
-	{
-		case USE_TRANSPORT_MODE:
-			this->mode = MODE_TRANSPORT;
-			break;
-		case USE_BEET_MODE:
-			if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
-			{	/* handle private use notify only if we know its meaning */
-				this->mode = MODE_BEET;
-			}
-			else
-			{
-				DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
-					 "mode, but peer implementation unknown, skipped");
-			}
-			break;
-		case IPCOMP_SUPPORTED:
-		{
-			ipcomp_transform_t ipcomp;
-			u_int16_t cpi;
-			chunk_t data;
-
-			data = notify->get_notification_data(notify);
-			cpi = *(u_int16_t*)data.ptr;
-			ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
-			switch (ipcomp)
-			{
-				case IPCOMP_DEFLATE:
-					this->other_cpi = cpi;
-					this->ipcomp_received = ipcomp;
-					break;
-				case IPCOMP_LZS:
-				case IPCOMP_LZJH:
-				default:
-					DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
-						 "transform ID we don't support %N",
-						 ipcomp_transform_names, ipcomp);
-					break;
-			}
-			break;
-		}
-		case ESP_TFC_PADDING_NOT_SUPPORTED:
-			DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
-				 notify_type_names, notify->get_notify_type(notify));
-			this->tfcv3 = FALSE;
-			break;
-		default:
-			break;
-	}
-}
-
-/**
- * Read payloads from message
- */
-static void process_payloads(private_child_create_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	sa_payload_t *sa_payload;
-	ke_payload_t *ke_payload;
-	ts_payload_t *ts_payload;
-
-	/* defaults to TUNNEL mode */
-	this->mode = MODE_TUNNEL;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		switch (payload->get_type(payload))
-		{
-			case SECURITY_ASSOCIATION:
-				sa_payload = (sa_payload_t*)payload;
-				this->proposals = sa_payload->get_proposals(sa_payload);
-				break;
-			case KEY_EXCHANGE:
-				ke_payload = (ke_payload_t*)payload;
-				if (!this->initiator)
-				{
-					this->dh_group = ke_payload->get_dh_group_number(ke_payload);
-					this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
-				}
-				if (this->dh)
-				{
-					this->dh->set_other_public_value(this->dh,
-								ke_payload->get_key_exchange_data(ke_payload));
-				}
-				break;
-			case TRAFFIC_SELECTOR_INITIATOR:
-				ts_payload = (ts_payload_t*)payload;
-				this->tsi = ts_payload->get_traffic_selectors(ts_payload);
-				break;
-			case TRAFFIC_SELECTOR_RESPONDER:
-				ts_payload = (ts_payload_t*)payload;
-				this->tsr = ts_payload->get_traffic_selectors(ts_payload);
-				break;
-			case NOTIFY:
-				handle_notify(this, (notify_payload_t*)payload);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-METHOD(task_t, build_i, status_t,
-	private_child_create_t *this, message_t *message)
-{
-	host_t *me, *other, *vip;
-	peer_cfg_t *peer_cfg;
-
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->my_nonce);
-		case CREATE_CHILD_SA:
-			if (generate_nonce(&this->my_nonce) != SUCCESS)
-			{
-				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
-				return SUCCESS;
-			}
-			if (this->dh_group == MODP_NONE)
-			{
-				this->dh_group = this->config->get_dh_group(this->config);
-			}
-			break;
-		case IKE_AUTH:
-			if (message->get_message_id(message) != 1)
-			{
-				/* send only in the first request, not in subsequent rounds */
-				return NEED_MORE;
-			}
-			break;
-		default:
-			break;
-	}
-
-	if (this->reqid)
-	{
-		DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
-			 this->config->get_name(this->config), this->reqid);
-	}
-	else
-	{
-		DBG0(DBG_IKE, "establishing CHILD_SA %s",
-			 this->config->get_name(this->config));
-	}
-
-	/* reuse virtual IP if we already have one */
-	me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-	if (me == NULL)
-	{
-		me = this->ike_sa->get_my_host(this->ike_sa);
-	}
-	other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-	if (other == NULL)
-	{
-		other = this->ike_sa->get_other_host(this->ike_sa);
-	}
-
-	/* check if we want a virtual IP, but don't have one */
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	vip = peer_cfg->get_virtual_ip(peer_cfg);
-	if (!this->reqid && vip)
-	{
-		/* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
-		vip = host_create_any(vip->get_family(vip));
-		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
-														NULL, vip);
-		vip->destroy(vip);
-	}
-	else
-	{	/* but narrow it for host2host / if we already have a vip */
-		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
-														NULL, me);
-	}
-	this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
-													NULL, other);
-
-	if (this->packet_tsi)
-	{
-		this->tsi->insert_first(this->tsi,
-								this->packet_tsi->clone(this->packet_tsi));
-	}
-	if (this->packet_tsr)
-	{
-		this->tsr->insert_first(this->tsr,
-								this->packet_tsr->clone(this->packet_tsr));
-	}
-	this->proposals = this->config->get_proposals(this->config,
-												  this->dh_group == MODP_NONE);
-	this->mode = this->config->get_mode(this->config);
-	if (this->mode == MODE_TRANSPORT &&
-		this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
-	{
-		this->mode = MODE_TUNNEL;
-		DBG1(DBG_IKE, "not using transport mode, connection NATed");
-	}
-
-	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
-			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-
-	if (!allocate_spi(this))
-	{
-		DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
-		return FAILED;
-	}
-
-	if (this->dh_group != MODP_NONE)
-	{
-		this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
-	}
-
-	if (this->config->use_ipcomp(this->config))
-	{
-		/* IPCOMP_DEFLATE is the only transform we support at the moment */
-		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
-	}
-
-	if (message->get_exchange_type(message) == IKE_AUTH)
-	{
-		charon->bus->narrow(charon->bus, this->child_sa,
-							NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
-	}
-	else
-	{
-		charon->bus->narrow(charon->bus, this->child_sa,
-							NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
-	}
-
-	build_payloads(this, message);
-
-	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-	this->tsi = NULL;
-	this->tsr = NULL;
-	this->proposals = NULL;
-
-	return NEED_MORE;
-}
-
-METHOD(task_t, process_r, status_t,
-	private_child_create_t *this, message_t *message)
-{
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->other_nonce);
-		case CREATE_CHILD_SA:
-			get_nonce(message, &this->other_nonce);
-			break;
-		case IKE_AUTH:
-			if (message->get_message_id(message) != 1)
-			{
-				/* only handle first AUTH payload, not additional rounds */
-				return NEED_MORE;
-			}
-		default:
-			break;
-	}
-
-	process_payloads(this, message);
-
-	return NEED_MORE;
-}
-
-/**
- * handle CHILD_SA setup failure
- */
-static void handle_child_sa_failure(private_child_create_t *this,
-									message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_AUTH &&
-		lib->settings->get_bool(lib->settings,
-								"charon.close_ike_on_child_failure", FALSE))
-	{
-		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
-		 * first */
-		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
-		lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
-			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
-			100);
-	}
-	else
-	{
-		DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
-	}
-}
-
-METHOD(task_t, build_r, status_t,
-	private_child_create_t *this, message_t *message)
-{
-	peer_cfg_t *peer_cfg;
-	payload_t *payload;
-	enumerator_t *enumerator;
-	bool no_dh = TRUE, ike_auth = FALSE;
-
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->my_nonce);
-		case CREATE_CHILD_SA:
-			if (generate_nonce(&this->my_nonce) != SUCCESS)
-			{
-				message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
-									chunk_empty);
-				return SUCCESS;
-			}
-			no_dh = FALSE;
-			break;
-		case IKE_AUTH:
-			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
-			{	/* wait until all authentication round completed */
-				return NEED_MORE;
-			}
-			ike_auth = TRUE;
-		default:
-			break;
-	}
-
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
-	{
-		DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
-		message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
-		return SUCCESS;
-	}
-
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (peer_cfg && this->tsi && this->tsr)
-	{
-		host_t *me, *other;
-
-		me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-		if (me == NULL)
-		{
-			me = this->ike_sa->get_my_host(this->ike_sa);
-		}
-		other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-		if (other == NULL)
-		{
-			other = this->ike_sa->get_other_host(this->ike_sa);
-		}
-		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
-												  this->tsi, me, other);
-	}
-
-	if (this->config == NULL)
-	{
-		DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
-			 this->tsr, this->tsi);
-		message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
-		handle_child_sa_failure(this, message);
-		return SUCCESS;
-	}
-
-	/* check if ike_config_t included non-critical error notifies */
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-
-			switch (notify->get_notify_type(notify))
-			{
-				case INTERNAL_ADDRESS_FAILURE:
-				case FAILED_CP_REQUIRED:
-				{
-					DBG1(DBG_IKE,"configuration payload negotiation "
-						 "failed, no CHILD_SA built");
-					enumerator->destroy(enumerator);
-					handle_child_sa_failure(this, message);
-					return SUCCESS;
-				}
-				default:
-					break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
-			this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
-			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-
-	if (this->ipcomp_received != IPCOMP_NONE)
-	{
-		if (this->config->use_ipcomp(this->config))
-		{
-			add_ipcomp_notify(this, message, this->ipcomp_received);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
-				 notify_type_names, IPCOMP_SUPPORTED);
-		}
-	}
-
-	switch (select_and_install(this, no_dh, ike_auth))
-	{
-		case SUCCESS:
-			break;
-		case NOT_FOUND:
-			message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
-			handle_child_sa_failure(this, message);
-			return SUCCESS;
-		case INVALID_ARG:
-		{
-			u_int16_t group = htons(this->dh_group);
-			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
-								chunk_from_thing(group));
-			handle_child_sa_failure(this, message);
-			return SUCCESS;
-		}
-		case FAILED:
-		default:
-			message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
-			handle_child_sa_failure(this, message);
-			return SUCCESS;
-	}
-
-	build_payloads(this, message);
-
-	DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-		 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-		 this->child_sa->get_name(this->child_sa),
-		 this->child_sa->get_reqid(this->child_sa),
-		 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-		 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-		 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-		 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
-	if (!this->rekey)
-	{	/* invoke the child_up() hook if we are not rekeying */
-		charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
-	}
-	return SUCCESS;
-}
-
-METHOD(task_t, process_i, status_t,
-	private_child_create_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	bool no_dh = TRUE, ike_auth = FALSE;
-
-	switch (message->get_exchange_type(message))
-	{
-		case IKE_SA_INIT:
-			return get_nonce(message, &this->other_nonce);
-		case CREATE_CHILD_SA:
-			get_nonce(message, &this->other_nonce);
-			no_dh = FALSE;
-			break;
-		case IKE_AUTH:
-			if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
-			{	/* wait until all authentication round completed */
-				return NEED_MORE;
-			}
-			ike_auth = TRUE;
-		default:
-			break;
-	}
-
-	/* check for erronous notifies */
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == NOTIFY)
-		{
-			notify_payload_t *notify = (notify_payload_t*)payload;
-			notify_type_t type = notify->get_notify_type(notify);
-
-			switch (type)
-			{
-				/* handle notify errors related to CHILD_SA only */
-				case NO_PROPOSAL_CHOSEN:
-				case SINGLE_PAIR_REQUIRED:
-				case NO_ADDITIONAL_SAS:
-				case INTERNAL_ADDRESS_FAILURE:
-				case FAILED_CP_REQUIRED:
-				case TS_UNACCEPTABLE:
-				case INVALID_SELECTORS:
-				{
-					DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
-						 notify_type_names, type);
-					enumerator->destroy(enumerator);
-					handle_child_sa_failure(this, message);
-					/* an error in CHILD_SA creation is not critical */
-					return SUCCESS;
-				}
-				case INVALID_KE_PAYLOAD:
-				{
-					chunk_t data;
-					u_int16_t group = MODP_NONE;
-
-					data = notify->get_notification_data(notify);
-					if (data.len == sizeof(group))
-					{
-						memcpy(&group, data.ptr, data.len);
-						group = ntohs(group);
-					}
-					DBG1(DBG_IKE, "peer didn't accept DH group %N, "
-						 "it requested %N", diffie_hellman_group_names,
-						 this->dh_group, diffie_hellman_group_names, group);
-					this->dh_group = group;
-					this->public.task.migrate(&this->public.task, this->ike_sa);
-					enumerator->destroy(enumerator);
-					return NEED_MORE;
-				}
-				default:
-				{
-					if (message->get_exchange_type(message) == CREATE_CHILD_SA)
-					{	/* handle notifies if not handled in IKE_AUTH */
-						if (type <= 16383)
-						{
-							DBG1(DBG_IKE, "received %N notify error",
-								 notify_type_names, type);
-							enumerator->destroy(enumerator);
-							return SUCCESS;
-						}
-						DBG2(DBG_IKE, "received %N notify",
-							 notify_type_names, type);
-					}
-					break;
-				}
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	process_payloads(this, message);
-
-	if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
-	{
-		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
-			 " one, no CHILD_SA built");
-		handle_child_sa_failure(this, message);
-		return SUCCESS;
-	}
-	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
-	{
-		DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
-			 "IPComp is disabled");
-		this->ipcomp = IPCOMP_NONE;
-	}
-	else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
-	{
-		DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
-			 "no CHILD_SA built");
-		handle_child_sa_failure(this, message);
-		return SUCCESS;
-	}
-
-	if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
-	{
-		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
-			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
-			 this->child_sa->get_name(this->child_sa),
-			 this->child_sa->get_reqid(this->child_sa),
-			 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
-			 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
-			 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
-			 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
-		if (!this->rekey)
-		{	/* invoke the child_up() hook if we are not rekeying */
-			charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
-		}
-	}
-	else
-	{
-		handle_child_sa_failure(this, message);
-	}
-	return SUCCESS;
-}
-
-METHOD(child_create_t, use_reqid, void,
-	private_child_create_t *this, u_int32_t reqid)
-{
-	this->reqid = reqid;
-}
-
-METHOD(child_create_t, get_child, child_sa_t*,
-	private_child_create_t *this)
-{
-	return this->child_sa;
-}
-
-METHOD(child_create_t, get_lower_nonce, chunk_t,
-	private_child_create_t *this)
-{
-	if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
-			   min(this->my_nonce.len, this->other_nonce.len)) < 0)
-	{
-		return this->my_nonce;
-	}
-	else
-	{
-		return this->other_nonce;
-	}
-}
-
-METHOD(task_t, get_type, task_type_t,
-	private_child_create_t *this)
-{
-	return CHILD_CREATE;
-}
-
-METHOD(task_t, migrate, void,
-	private_child_create_t *this, ike_sa_t *ike_sa)
-{
-	chunk_free(&this->my_nonce);
-	chunk_free(&this->other_nonce);
-	if (this->tsr)
-	{
-		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	}
-	if (this->tsi)
-	{
-		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	}
-	DESTROY_IF(this->child_sa);
-	DESTROY_IF(this->proposal);
-	DESTROY_IF(this->dh);
-	if (this->proposals)
-	{
-		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-	}
-
-	this->ike_sa = ike_sa;
-	this->keymat = ike_sa->get_keymat(ike_sa);
-	this->proposal = NULL;
-	this->proposals = NULL;
-	this->tsi = NULL;
-	this->tsr = NULL;
-	this->dh = NULL;
-	this->child_sa = NULL;
-	this->mode = MODE_TUNNEL;
-	this->ipcomp = IPCOMP_NONE;
-	this->ipcomp_received = IPCOMP_NONE;
-	this->other_cpi = 0;
-	this->reqid = 0;
-	this->established = FALSE;
-}
-
-METHOD(task_t, destroy, void,
-	private_child_create_t *this)
-{
-	chunk_free(&this->my_nonce);
-	chunk_free(&this->other_nonce);
-	if (this->tsr)
-	{
-		this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
-	}
-	if (this->tsi)
-	{
-		this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
-	}
-	if (!this->established)
-	{
-		DESTROY_IF(this->child_sa);
-	}
-	DESTROY_IF(this->packet_tsi);
-	DESTROY_IF(this->packet_tsr);
-	DESTROY_IF(this->proposal);
-	DESTROY_IF(this->dh);
-	if (this->proposals)
-	{
-		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-	}
-
-	DESTROY_IF(this->config);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-child_create_t *child_create_create(ike_sa_t *ike_sa,
-							child_cfg_t *config, bool rekey,
-							traffic_selector_t *tsi, traffic_selector_t *tsr)
-{
-	private_child_create_t *this;
-
-	INIT(this,
-		.public = {
-			.get_child = _get_child,
-			.get_lower_nonce = _get_lower_nonce,
-			.use_reqid = _use_reqid,
-			.task = {
-				.get_type = _get_type,
-				.migrate = _migrate,
-				.destroy = _destroy,
-			},
-		},
-		.ike_sa = ike_sa,
-		.config = config,
-		.packet_tsi = tsi ? tsi->clone(tsi) : NULL,
-		.packet_tsr = tsr ? tsr->clone(tsr) : NULL,
-		.dh_group = MODP_NONE,
-		.keymat = ike_sa->get_keymat(ike_sa),
-		.mode = MODE_TUNNEL,
-		.tfcv3 = TRUE,
-		.ipcomp = IPCOMP_NONE,
-		.ipcomp_received = IPCOMP_NONE,
-		.rekey = rekey,
-	);
-
-	if (config)
-	{
-		this->public.task.build = _build_i;
-		this->public.task.process = _process_i;
-		this->initiator = TRUE;
-		config->get_ref(config);
-	}
-	else
-	{
-		this->public.task.build = _build_r;
-		this->public.task.process = _process_r;
-		this->initiator = FALSE;
-	}
-
-	return &this->public;
-}
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c
deleted file mode 100644
index b33aebe46..000000000
--- a/src/libcharon/sa/tasks/ike_cert_pre.c
+++ /dev/null
@@ -1,528 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_cert_pre.h"
-
-#include <daemon.h>
-#include <sa/ike_sa.h>
-#include <encoding/payloads/cert_payload.h>
-#include <encoding/payloads/certreq_payload.h>
-#include <credentials/certificates/x509.h>
-
-
-typedef struct private_ike_cert_pre_t private_ike_cert_pre_t;
-
-/**
- * Private members of a ike_cert_pre_t task.
- */
-struct private_ike_cert_pre_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_cert_pre_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * Do we accept HTTP certificate lookup requests
-	 */
-	bool do_http_lookup;
-
-	/**
-	 * whether this is the final authentication round
-	 */
-	bool final;
-};
-
-/**
- * read certificate requests
- */
-static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	auth_cfg_t *auth;
-
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		switch (payload->get_type(payload))
-		{
-			case CERTIFICATE_REQUEST:
-			{
-				certreq_payload_t *certreq = (certreq_payload_t*)payload;
-				enumerator_t *enumerator;
-				u_int unknown = 0;
-				chunk_t keyid;
-
-				this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
-
-				if (certreq->get_cert_type(certreq) != CERT_X509)
-				{
-					DBG1(DBG_IKE, "cert payload %N not supported - ignored",
-						 certificate_type_names, certreq->get_cert_type(certreq));
-					break;
-				}
-				enumerator = certreq->create_keyid_enumerator(certreq);
-				while (enumerator->enumerate(enumerator, &keyid))
-				{
-					identification_t *id;
-					certificate_t *cert;
-
-					id = identification_create_from_encoding(ID_KEY_ID, keyid);
-					cert = lib->credmgr->get_cert(lib->credmgr,
-												  CERT_X509, KEY_ANY, id, TRUE);
-					if (cert)
-					{
-						DBG1(DBG_IKE, "received cert request for \"%Y\"",
-							 cert->get_subject(cert));
-						auth->add(auth, AUTH_RULE_CA_CERT, cert);
-					}
-					else
-					{
-						DBG2(DBG_IKE, "received cert request for unknown ca "
-									  "with keyid %Y", id);
-						unknown++;
-					}
-					id->destroy(id);
-				}
-				enumerator->destroy(enumerator);
-				if (unknown)
-				{
-					DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
-						 unknown);
-				}
-				break;
-			}
-			case NOTIFY:
-			{
-				notify_payload_t *notify = (notify_payload_t*)payload;
-
-				/* we only handle one type of notify here */
-				if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
-				{
-					this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
-				}
-				break;
-			}
-			default:
-				/* ignore other payloads here, these are handled elsewhere */
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * tries to extract a certificate from the cert payload or the credential
- * manager (based on the hash of a "Hash and URL" encoded cert).
- * Note: the returned certificate (if any) has to be destroyed
- */
-static certificate_t *try_get_cert(cert_payload_t *cert_payload)
-{
-	certificate_t *cert = NULL;
-
-	switch (cert_payload->get_cert_encoding(cert_payload))
-	{
-		case ENC_X509_SIGNATURE:
-		{
-			cert = cert_payload->get_cert(cert_payload);
-			break;
-		}
-		case ENC_X509_HASH_AND_URL:
-		{
-			identification_t *id;
-			chunk_t hash = cert_payload->get_hash(cert_payload);
-			if (!hash.ptr)
-			{
-				/* invalid "Hash and URL" data (logged elsewhere) */
-				break;
-			}
-			id = identification_create_from_encoding(ID_KEY_ID, hash);
-			cert = lib->credmgr->get_cert(lib->credmgr,
-										  CERT_X509, KEY_ANY, id, FALSE);
-			id->destroy(id);
-			break;
-		}
-		default:
-		{
-			break;
-		}
-	}
-	return cert;
-}
-
-/**
- * import certificates
- */
-static void process_certs(private_ike_cert_pre_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	payload_t *payload;
-	auth_cfg_t *auth;
-	bool first = TRUE;
-
-	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == CERTIFICATE)
-		{
-			cert_payload_t *cert_payload;
-			cert_encoding_t encoding;
-			certificate_t *cert;
-			char *url;
-
-			cert_payload = (cert_payload_t*)payload;
-			encoding = cert_payload->get_cert_encoding(cert_payload);
-
-			switch (encoding)
-			{
-				case ENC_X509_HASH_AND_URL:
-				{
-					if (!this->do_http_lookup)
-					{
-						DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
-								" we don't accept them, ignore");
-						break;
-					}
-					/* FALL */
-				}
-				case ENC_X509_SIGNATURE:
-				{
-					cert = try_get_cert(cert_payload);
-					if (cert)
-					{
-						if (first)
-						{	/* the first is an end entity certificate */
-							DBG1(DBG_IKE, "received end entity cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
-							first = FALSE;
-						}
-						else
-						{
-							DBG1(DBG_IKE, "received issuer cert \"%Y\"",
-								 cert->get_subject(cert));
-							auth->add(auth, AUTH_HELPER_IM_CERT, cert);
-						}
-					}
-					else if (encoding == ENC_X509_HASH_AND_URL)
-					{
-						/* we fetch the certificate not yet, but only if
-						 * it is really needed during authentication */
-						url = cert_payload->get_url(cert_payload);
-						if (!url)
-						{
-							DBG1(DBG_IKE, "received invalid hash-and-url "
-								 "encoded cert, ignore");
-							break;
-						}
-						url = strdup(url);
-						if (first)
-						{	/* first URL is for an end entity certificate */
-							DBG1(DBG_IKE, "received hash-and-url for end"
-								 " entity cert \"%s\"", url);
-							auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
-							first = FALSE;
-						}
-						else
-						{
-							DBG1(DBG_IKE, "received hash-and-url for issuer"
-									" cert \"%s\"", url);
-							auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
-						}
-					}
-					break;
-				}
-				case ENC_CRL:
-					cert = cert_payload->get_cert(cert_payload);
-					if (cert)
-					{
-						DBG1(DBG_IKE, "received CRL \"%Y\"",
-							 cert->get_subject(cert));
-						auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
-					}
-					break;
-				case ENC_PKCS7_WRAPPED_X509:
-				case ENC_PGP:
-				case ENC_DNS_SIGNED_KEY:
-				case ENC_KERBEROS_TOKEN:
-				case ENC_ARL:
-				case ENC_SPKI:
-				case ENC_X509_ATTRIBUTE:
-				case ENC_RAW_RSA_KEY:
-				case ENC_X509_HASH_AND_URL_BUNDLE:
-				case ENC_OCSP_CONTENT:
-				default:
-					DBG1(DBG_ENC, "certificate encoding %N not supported",
-						 cert_encoding_names, encoding);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * add the keyid of a certificate to the certificate request payload
- */
-static void add_certreq(certreq_payload_t **req, certificate_t *cert)
-{
-	switch (cert->get_type(cert))
-	{
-		case CERT_X509:
-		{
-			public_key_t *public;
-			chunk_t keyid;
-			x509_t *x509 = (x509_t*)cert;
-
-			if (!(x509->get_flags(x509) & X509_CA))
-			{	/* no CA cert, skip */
-				break;
-			}
-			public = cert->get_public_key(cert);
-			if (!public)
-			{
-				break;
-			}
-			if (*req == NULL)
-			{
-				*req = certreq_payload_create_type(CERT_X509);
-			}
-			if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
-			{
-				(*req)->add_keyid(*req, keyid);
-				DBG1(DBG_IKE, "sending cert request for \"%Y\"",
-					 cert->get_subject(cert));
-			}
-			public->destroy(public);
-			break;
-		}
-		default:
-			break;
-	}
-}
-
-/**
- * add a auth_cfg's CA certificates to the certificate request
- */
-static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
-{
-	enumerator_t *enumerator;
-	auth_rule_t type;
-	void *value;
-
-	enumerator = auth->create_enumerator(auth);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		switch (type)
-		{
-			case AUTH_RULE_CA_CERT:
-				add_certreq(req, (certificate_t*)value);
-				break;
-			default:
-				break;
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * build certificate requests
- */
-static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
-{
-	enumerator_t *enumerator;
-	ike_cfg_t *ike_cfg;
-	peer_cfg_t *peer_cfg;
-	certificate_t *cert;
-	auth_cfg_t *auth;
-	certreq_payload_t *req = NULL;
-
-	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
-	if (!ike_cfg->send_certreq(ike_cfg))
-	{
-		return;
-	}
-
-	/* check if we require a specific CA for that peer */
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	if (peer_cfg)
-	{
-		enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
-		while (enumerator->enumerate(enumerator, &auth))
-		{
-			add_certreqs(&req, auth);
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	if (!req)
-	{
-		/* otherwise add all trusted CA certificates */
-		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
-												CERT_ANY, KEY_ANY, NULL, TRUE);
-		while (enumerator->enumerate(enumerator, &cert))
-		{
-			add_certreq(&req, cert);
-		}
-		enumerator->destroy(enumerator);
-	}
-
-	if (req)
-	{
-		message->add_payload(message, (payload_t*)req);
-
-		if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE))
-		{
-			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
-								chunk_empty);
-			this->do_http_lookup = TRUE;
-		}
-	}
-}
-
-/**
- * Check if this is the final authentication round
- */
-static bool final_auth(message_t *message)
-{
-	/* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
-	if (message->get_payload(message, AUTHENTICATION) == NULL)
-	{
-		return FALSE;
-	}
-	if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
-	{
-		return FALSE;
-	}
-	return TRUE;
-}
-
-METHOD(task_t, build_i, status_t,
-	private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* initiator sends CERTREQs in first IKE_AUTH */
-		build_certreqs(this, message);
-	}
-	return NEED_MORE;
-}
-
-METHOD(task_t, process_r, status_t,
-	private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) != IKE_SA_INIT)
-	{	/* handle certreqs/certs in any IKE_AUTH, just in case */
-		process_certreqs(this, message);
-		process_certs(this, message);
-	}
-	this->final = final_auth(message);
-	return NEED_MORE;
-}
-
-METHOD(task_t, build_r, status_t,
-	private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		build_certreqs(this, message);
-	}
-	if (this->final)
-	{
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-METHOD(task_t, process_i, status_t,
-	private_ike_cert_pre_t *this, message_t *message)
-{
-	if (message->get_exchange_type(message) == IKE_SA_INIT)
-	{
-		process_certreqs(this, message);
-	}
-	process_certs(this, message);
-
-	if (final_auth(message))
-	{
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-METHOD(task_t, get_type, task_type_t,
-	private_ike_cert_pre_t *this)
-{
-	return IKE_CERT_PRE;
-}
-
-METHOD(task_t, migrate, void,
-	private_ike_cert_pre_t *this, ike_sa_t *ike_sa)
-{
-	this->ike_sa = ike_sa;
-}
-
-METHOD(task_t, destroy, void,
-	private_ike_cert_pre_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_cert_pre_t *this;
-
-	INIT(this,
-		.public = {
-			.task = {
-				.get_type = _get_type,
-				.migrate = _migrate,
-				.destroy = _destroy,
-			},
-		},
-		.ike_sa = ike_sa,
-		.initiator = initiator,
-	);
-
-	if (initiator)
-	{
-		this->public.task.build = _build_i;
-		this->public.task.process = _process_i;
-	}
-	else
-	{
-		this->public.task.build = _build_r;
-		this->public.task.process = _process_r;
-	}
-
-	return &this->public;
-}
diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c
deleted file mode 100644
index 4ef9c56a5..000000000
--- a/src/libcharon/sa/tasks/ike_config.c
+++ /dev/null
@@ -1,443 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "ike_config.h"
-
-#include <daemon.h>
-#include <hydra.h>
-#include <encoding/payloads/cp_payload.h>
-
-typedef struct private_ike_config_t private_ike_config_t;
-
-/**
- * Private members of a ike_config_t task.
- */
-struct private_ike_config_t {
-
-	/**
-	 * Public methods and task_t interface.
-	 */
-	ike_config_t public;
-
-	/**
-	 * Assigned IKE_SA.
-	 */
-	ike_sa_t *ike_sa;
-
-	/**
-	 * Are we the initiator?
-	 */
-	bool initiator;
-
-	/**
-	 * virtual ip
-	 */
-	host_t *virtual_ip;
-
-	/**
-	 * list of attributes requested and its handler, entry_t
-	 */
-	linked_list_t *requested;
-};
-
-/**
- * Entry for a requested attribute and the requesting handler
- */
-typedef struct {
-	/** attribute requested */
-	configuration_attribute_type_t type;
-	/** handler requesting this attribute */
-	attribute_handler_t *handler;
-} entry_t;
-
-/**
- * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
- */
-static configuration_attribute_t *build_vip(host_t *vip)
-{
-	configuration_attribute_type_t type;
-	chunk_t chunk, prefix;
-
-	if (vip->get_family(vip) == AF_INET)
-	{
-		type = INTERNAL_IP4_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			chunk = vip->get_address(vip);
-		}
-	}
-	else
-	{
-		type = INTERNAL_IP6_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			prefix = chunk_alloca(1);
-			*prefix.ptr = 64;
-			chunk = vip->get_address(vip);
-			chunk = chunk_cata("cc", chunk, prefix);
-		}
-	}
-	return configuration_attribute_create_value(type, chunk);
-}
-
-/**
- * Handle a received attribute as initiator
- */
-static void handle_attribute(private_ike_config_t *this,
-							 configuration_attribute_t *ca)
-{
-	attribute_handler_t *handler = NULL;
-	enumerator_t *enumerator;
-	entry_t *entry;
-
-	/* find the handler which requested this attribute */
-	enumerator = this->requested->create_enumerator(this->requested);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->type == ca->get_type(ca))
-		{
-			handler = entry->handler;
-			this->requested->remove_at(this->requested, enumerator);
-			free(entry);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* and pass it to the handle function */
-	handler = hydra->attributes->handle(hydra->attributes,
-							this->ike_sa->get_other_id(this->ike_sa), handler,
-							ca->get_type(ca), ca->get_value(ca));
-	if (handler)
-	{
-		this->ike_sa->add_configuration_attribute(this->ike_sa,
-				handler, ca->get_type(ca), ca->get_value(ca));
-	}
-}
-
-/**
- * process a single configuration attribute
- */
-static void process_attribute(private_ike_config_t *this,
-							  configuration_attribute_t *ca)
-{
-	host_t *ip;
-	chunk_t addr;
-	int family = AF_INET6;
-
-	switch (ca->get_type(ca))
-	{
-		case INTERNAL_IP4_ADDRESS:
-			family = AF_INET;
-			/* fall */
-		case INTERNAL_IP6_ADDRESS:
-		{
-			addr = ca->get_value(ca);
-			if (addr.len == 0)
-			{
-				ip = host_create_any(family);
-			}
-			else
-			{
-				/* skip prefix byte in IPv6 payload*/
-				if (family == AF_INET6)
-				{
-					addr.len--;
-				}
-				ip = host_create_from_chunk(family, addr, 0);
-			}
-			if (ip)
-			{
-				DESTROY_IF(this->virtual_ip);
-				this->virtual_ip = ip;
-			}
-			break;
-		}
-		case INTERNAL_IP4_SERVER:
-		case INTERNAL_IP6_SERVER:
-			/* assume it's a Windows client if we see proprietary attributes */
-			this->ike_sa->enable_extension(this->ike_sa, EXT_MS_WINDOWS);
-			/* fall */
-		default:
-		{
-			if (this->initiator)
-			{
-				handle_attribute(this, ca);
-			}
-		}
-	}
-}
-
-/**
- * Scan for configuration payloads and attributes
- */
-static void process_payloads(private_ike_config_t *this, message_t *message)
-{
-	enumerator_t *enumerator, *attributes;
-	payload_t *payload;
-
-	enumerator = message->create_payload_enumerator(message);
-	while (enumerator->enumerate(enumerator, &payload))
-	{
-		if (payload->get_type(payload) == CONFIGURATION)
-		{
-			cp_payload_t *cp = (cp_payload_t*)payload;
-			configuration_attribute_t *ca;
-
-			switch (cp->get_type(cp))
-			{
-				case CFG_REQUEST:
-				case CFG_REPLY:
-				{
-					attributes = cp->create_attribute_enumerator(cp);
-					while (attributes->enumerate(attributes, &ca))
-					{
-						DBG2(DBG_IKE, "processing %N attribute",
-							 configuration_attribute_type_names, ca->get_type(ca));
-						process_attribute(this, ca);
-					}
-					attributes->destroy(attributes);
-					break;
-				}
-				default:
-					DBG1(DBG_IKE, "ignoring %N config payload",
-						 config_type_names, cp->get_type(cp));
-					break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-METHOD(task_t, build_i, status_t,
-	private_ike_config_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* in first IKE_AUTH only */
-		cp_payload_t *cp = NULL;
-		enumerator_t *enumerator;
-		attribute_handler_t *handler;
-		peer_cfg_t *config;
-		configuration_attribute_type_t type;
-		chunk_t data;
-		host_t *vip;
-
-		/* reuse virtual IP if we already have one */
-		vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-		if (!vip)
-		{
-			config = this->ike_sa->get_peer_cfg(this->ike_sa);
-			vip = config->get_virtual_ip(config);
-		}
-		if (vip)
-		{
-			cp = cp_payload_create_type(CFG_REQUEST);
-			cp->add_attribute(cp, build_vip(vip));
-		}
-
-		enumerator = hydra->attributes->create_initiator_enumerator(hydra->attributes,
-								this->ike_sa->get_other_id(this->ike_sa), vip);
-		while (enumerator->enumerate(enumerator, &handler, &type, &data))
-		{
-			configuration_attribute_t *ca;
-			entry_t *entry;
-
-			/* create configuration attribute */
-			DBG2(DBG_IKE, "building %N attribute",
-				 configuration_attribute_type_names, type);
-			ca = configuration_attribute_create_value(type, data);
-			if (!cp)
-			{
-				cp = cp_payload_create_type(CFG_REQUEST);
-			}
-			cp->add_attribute(cp, ca);
-
-			/* save handler along with requested type */
-			entry = malloc_thing(entry_t);
-			entry->type = type;
-			entry->handler = handler;
-
-			this->requested->insert_last(this->requested, entry);
-		}
-		enumerator->destroy(enumerator);
-
-		if (cp)
-		{
-			message->add_payload(message, (payload_t*)cp);
-		}
-	}
-	return NEED_MORE;
-}
-
-METHOD(task_t, process_r, status_t,
-	private_ike_config_t *this, message_t *message)
-{
-	if (message->get_message_id(message) == 1)
-	{	/* in first IKE_AUTH only */
-		process_payloads(this, message);
-	}
-	return NEED_MORE;
-}
-
-METHOD(task_t, build_r, status_t,
-	private_ike_config_t *this, message_t *message)
-{
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{	/* in last IKE_AUTH exchange */
-		enumerator_t *enumerator;
-		configuration_attribute_type_t type;
-		chunk_t value;
-		host_t *vip = NULL;
-		cp_payload_t *cp = NULL;
-		peer_cfg_t *config;
-		identification_t *id;
-
-		id = this->ike_sa->get_other_eap_id(this->ike_sa);
-
-		config = this->ike_sa->get_peer_cfg(this->ike_sa);
-		if (this->virtual_ip)
-		{
-			DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
-			if (config->get_pool(config))
-			{
-				vip = hydra->attributes->acquire_address(hydra->attributes,
-							config->get_pool(config), id, this->virtual_ip);
-			}
-			if (vip == NULL)
-			{
-				DBG1(DBG_IKE, "no virtual IP found, sending %N",
-					 notify_type_names, INTERNAL_ADDRESS_FAILURE);
-				message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
-									chunk_empty);
-				return SUCCESS;
-			}
-			DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", vip, id);
-			this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
-
-			cp = cp_payload_create_type(CFG_REPLY);
-			cp->add_attribute(cp, build_vip(vip));
-		}
-
-		/* query registered providers for additional attributes to include */
-		enumerator = hydra->attributes->create_responder_enumerator(
-						hydra->attributes, config->get_pool(config), id, vip);
-		while (enumerator->enumerate(enumerator, &type, &value))
-		{
-			if (!cp)
-			{
-				cp = cp_payload_create_type(CFG_REPLY);
-			}
-			DBG2(DBG_IKE, "building %N attribute",
-				 configuration_attribute_type_names, type);
-			cp->add_attribute(cp,
-						configuration_attribute_create_value(type, value));
-		}
-		enumerator->destroy(enumerator);
-
-		if (cp)
-		{
-			message->add_payload(message, (payload_t*)cp);
-		}
-		DESTROY_IF(vip);
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-METHOD(task_t, process_i, status_t,
-	private_ike_config_t *this, message_t *message)
-{
-	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
-	{	/* in last IKE_AUTH exchange */
-
-		process_payloads(this, message);
-
-		if (this->virtual_ip)
-		{
-			this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
-		}
-		return SUCCESS;
-	}
-	return NEED_MORE;
-}
-
-METHOD(task_t, get_type, task_type_t,
-	private_ike_config_t *this)
-{
-	return IKE_CONFIG;
-}
-
-METHOD(task_t, migrate, void,
-	private_ike_config_t *this, ike_sa_t *ike_sa)
-{
-	DESTROY_IF(this->virtual_ip);
-
-	this->ike_sa = ike_sa;
-	this->virtual_ip = NULL;
-	this->requested->destroy_function(this->requested, free);
-	this->requested = linked_list_create();
-}
-
-METHOD(task_t, destroy, void,
-	private_ike_config_t *this)
-{
-	DESTROY_IF(this->virtual_ip);
-	this->requested->destroy_function(this->requested, free);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
-{
-	private_ike_config_t *this;
-
-	INIT(this,
-		.public = {
-			.task = {
-				.get_type = _get_type,
-				.migrate = _migrate,
-				.destroy = _destroy,
-			},
-		},
-		.initiator = initiator,
-		.ike_sa = ike_sa,
-		.requested = linked_list_create(),
-	);
-
-	if (initiator)
-	{
-		this->public.task.build = _build_i;
-		this->public.task.process = _process_i;
-	}
-	else
-	{
-		this->public.task.build = _build_r;
-		this->public.task.process = _process_r;
-	}
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/sa/tasks/task.c b/src/libcharon/sa/tasks/task.c
deleted file mode 100644
index 0d7383141..000000000
--- a/src/libcharon/sa/tasks/task.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2007 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "task.h"
-
-#ifdef ME
-ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
-	"IKE_INIT",
-	"IKE_NATD",
-	"IKE_MOBIKE",
-	"IKE_AUTHENTICATE",
-	"IKE_AUTH_LIFETIME",
-	"IKE_CERT_PRE",
-	"IKE_CERT_POST",
-	"IKE_CONFIG",
-	"IKE_REKEY",
-	"IKE_REAUTH",
-	"IKE_DELETE",
-	"IKE_DPD",
-	"IKE_VENDOR",
-	"IKE_ME",
-	"CHILD_CREATE",
-	"CHILD_DELETE",
-	"CHILD_REKEY",
-);
-#else
-ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
-	"IKE_INIT",
-	"IKE_NATD",
-	"IKE_MOBIKE",
-	"IKE_AUTHENTICATE",
-	"IKE_AUTH_LIFETIME",
-	"IKE_CERT_PRE",
-	"IKE_CERT_POST",
-	"IKE_CONFIG",
-	"IKE_REKEY",
-	"IKE_REAUTH",
-	"IKE_DELETE",
-	"IKE_DPD",
-	"IKE_VENDOR",
-	"CHILD_CREATE",
-	"CHILD_DELETE",
-	"CHILD_REKEY",
-);
-#endif /* ME */
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 86d9f4c22..37426fc47 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2012 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -19,7 +19,7 @@
 #include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 
 typedef struct private_trap_manager_t private_trap_manager_t;
@@ -92,49 +92,28 @@ static void destroy_entry(entry_t *entry)
 }
 
 METHOD(trap_manager_t, install, u_int32_t,
-	private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child)
+	private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child,
+	u_int32_t reqid)
 {
-	entry_t *entry;
+	entry_t *entry, *found = NULL;
 	ike_cfg_t *ike_cfg;
 	child_sa_t *child_sa;
 	host_t *me, *other;
-	linked_list_t *my_ts, *other_ts;
+	linked_list_t *my_ts, *other_ts, *list;
 	enumerator_t *enumerator;
-	bool found = FALSE;
 	status_t status;
-	u_int32_t reqid;
-
-	/* check if not already done */
-	this->lock->read_lock(this->lock);
-	enumerator = this->traps->create_enumerator(this->traps);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (streq(entry->child_sa->get_name(entry->child_sa),
-				  child->get_name(child)))
-		{
-			found = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-	if (found)
-	{
-		DBG1(DBG_CFG, "CHILD_SA named '%s' already routed",
-			 child->get_name(child));
-		return 0;
-	}
 
 	/* try to resolve addresses */
 	ike_cfg = peer->get_ike_cfg(peer);
-	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg),
+	other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg, NULL),
 								 0, ike_cfg->get_other_port(ike_cfg));
 	if (!other || other->is_anyaddr(other))
 	{
+		DESTROY_IF(other);
 		DBG1(DBG_CFG, "installing trap failed, remote address unknown");
 		return 0;
 	}
-	me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg),
+	me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg, NULL),
 					other->get_family(other), ike_cfg->get_my_port(ike_cfg));
 	if (!me || me->is_anyaddr(me))
 	{
@@ -150,12 +129,38 @@ METHOD(trap_manager_t, install, u_int32_t,
 		me->set_port(me, ike_cfg->get_my_port(ike_cfg));
 	}
 
+	this->lock->write_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (streq(entry->child_sa->get_name(entry->child_sa),
+				  child->get_name(child)))
+		{
+			this->traps->remove_at(this->traps, enumerator);
+			found = entry;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	if (found)
+	{	/* config might have changed so update everything */
+		DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'",
+			 child->get_name(child));
+		reqid = found->child_sa->get_reqid(found->child_sa);
+	}
+
 	/* create and route CHILD_SA */
-	child_sa = child_sa_create(me, other, child, 0, FALSE);
-	my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
-	other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
-	me->destroy(me);
-	other->destroy(other);
+	child_sa = child_sa_create(me, other, child, reqid, FALSE);
+
+	list = linked_list_create_with_items(me, NULL);
+	my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
+	list->destroy_offset(list, offsetof(host_t, destroy));
+
+	list = linked_list_create_with_items(other, NULL);
+	other_ts = child->get_traffic_selectors(child, FALSE, NULL, list);
+	list->destroy_offset(list, offsetof(host_t, destroy));
 
 	/* while we don't know the finally negotiated protocol (ESP|AH), we
 	 * could iterate all proposals for a best guess (TODO). But as we
@@ -167,21 +172,30 @@ METHOD(trap_manager_t, install, u_int32_t,
 	other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
 	if (status != SUCCESS)
 	{
-		child_sa->destroy(child_sa);
 		DBG1(DBG_CFG, "installing trap failed");
-		return 0;
+		reqid = 0;
+		/* hold off destroying the CHILD_SA until we released the lock */
+	}
+	else
+	{
+		INIT(entry,
+			.child_sa = child_sa,
+			.peer_cfg = peer->get_ref(peer),
+		);
+		this->lock->write_lock(this->lock);
+		this->traps->insert_last(this->traps, entry);
+		this->lock->unlock(this->lock);
+		reqid = child_sa->get_reqid(child_sa);
 	}
 
-	reqid = child_sa->get_reqid(child_sa);
-	INIT(entry,
-		.child_sa = child_sa,
-		.peer_cfg = peer->get_ref(peer),
-	);
-
-	this->lock->write_lock(this->lock);
-	this->traps->insert_last(this->traps, entry);
-	this->lock->unlock(this->lock);
-
+	if (status != SUCCESS)
+	{
+		child_sa->destroy(child_sa);
+	}
+	if (found)
+	{
+		destroy_entry(found);
+	}
 	return reqid;
 }
 
@@ -241,6 +255,31 @@ METHOD(trap_manager_t, create_enumerator, enumerator_t*,
 									(void*)this->lock->unlock);
 }
 
+METHOD(trap_manager_t, find_reqid, u_int32_t,
+	private_trap_manager_t *this, child_cfg_t *child)
+{
+	enumerator_t *enumerator;
+	child_cfg_t *current;
+	entry_t *entry;
+	u_int32_t reqid = 0;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->traps->create_enumerator(this->traps);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		current = entry->child_sa->get_config(entry->child_sa);
+		if (streq(current->get_name(current), child->get_name(child)))
+		{
+			reqid = entry->child_sa->get_reqid(entry->child_sa);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return reqid;
+}
+
 METHOD(trap_manager_t, acquire, void,
 	private_trap_manager_t *this, u_int32_t reqid,
 	traffic_selector_t *src, traffic_selector_t *dst)
@@ -284,26 +323,33 @@ METHOD(trap_manager_t, acquire, void,
 
 	ike_sa = charon->ike_sa_manager->checkout_by_config(
 											charon->ike_sa_manager, peer);
-	if (ike_sa->get_peer_cfg(ike_sa) == NULL)
-	{
-		ike_sa->set_peer_cfg(ike_sa, peer);
-	}
-	if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
+	if (ike_sa)
 	{
-		/* make sure the entry is still there */
-		this->lock->read_lock(this->lock);
-		if (this->traps->find_first(this->traps, NULL,
-									(void**)&found) == SUCCESS)
+		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 		{
-			found->ike_sa = ike_sa;
+			ike_sa->set_peer_cfg(ike_sa, peer);
+		}
+		if (ike_sa->get_version(ike_sa) == IKEV1)
+		{	/* in IKEv1, don't prepend the acquiring packet TS, as we only
+			 * have a single TS that we can establish in a Quick Mode. */
+			src = dst = NULL;
+		}
+		if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
+		{
+			/* make sure the entry is still there */
+			this->lock->read_lock(this->lock);
+			if (this->traps->find_first(this->traps, NULL,
+										(void**)&found) == SUCCESS)
+			{
+				found->ike_sa = ike_sa;
+			}
+			this->lock->unlock(this->lock);
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			ike_sa->destroy(ike_sa);
 		}
-		this->lock->unlock(this->lock);
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
-	else
-	{
-		charon->ike_sa_manager->checkin_and_destroy(
-											charon->ike_sa_manager, ike_sa);
 	}
 	peer->destroy(peer);
 }
@@ -399,6 +445,7 @@ trap_manager_t *trap_manager_create(void)
 			.install = _install,
 			.uninstall = _uninstall,
 			.create_enumerator = _create_enumerator,
+			.find_reqid = _find_reqid,
 			.acquire = _acquire,
 			.flush = _flush,
 			.destroy = _destroy,
@@ -417,4 +464,3 @@ trap_manager_t *trap_manager_create(void)
 
 	return &this->public;
 }
-
diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h
index 928b2a49f..0491107fd 100644
--- a/src/libcharon/sa/trap_manager.h
+++ b/src/libcharon/sa/trap_manager.h
@@ -22,7 +22,7 @@
 #define TRAP_MANAGER_H_
 
 #include <library.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <config/peer_cfg.h>
 
 typedef struct trap_manager_t trap_manager_t;
@@ -37,10 +37,11 @@ struct trap_manager_t {
 	 *
 	 * @param peer		peer configuration to initiate on trap
 	 * @param child 	child configuration to install as a trap
+	 * @param reqid		optional reqid to use
 	 * @return			reqid of installed CHILD_SA, 0 if failed
 	 */
 	u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
-						 child_cfg_t *child);
+						 child_cfg_t *child, u_int32_t reqid);
 
 	/**
 	 * Uninstall a trap policy.
@@ -58,6 +59,14 @@ struct trap_manager_t {
 	enumerator_t* (*create_enumerator)(trap_manager_t *this);
 
 	/**
+	 * Find the reqid of a child config installed as a trap.
+	 *
+	 * @param child		CHILD_SA config to get the reqid for
+	 * @return			reqid of trap, 0 if not found
+	 */
+	u_int32_t (*find_reqid)(trap_manager_t *this, child_cfg_t *child);
+
+	/**
 	 * Acquire an SA triggered by an installed trap.
 	 *
 	 * @param reqid		requid of the triggering CHILD_SA
diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c
new file mode 100644
index 000000000..5709dc652
--- /dev/null
+++ b/src/libcharon/sa/xauth/xauth_manager.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_manager.h"
+
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_xauth_manager_t private_xauth_manager_t;
+typedef struct xauth_entry_t xauth_entry_t;
+
+/**
+ * XAuth constructor entry
+ */
+struct xauth_entry_t {
+
+	/**
+	 * Xauth backend name
+	 */
+	char *name;
+
+	/**
+	 * Role of the method, XAUTH_SERVER or XAUTH_PEER
+	 */
+	xauth_role_t role;
+
+	/**
+	 * constructor function to create instance
+	 */
+	xauth_constructor_t constructor;
+};
+
+/**
+ * private data of xauth_manager
+ */
+struct private_xauth_manager_t {
+
+	/**
+	 * public functions
+	 */
+	xauth_manager_t public;
+
+	/**
+	 * list of eap_entry_t's
+	 */
+	linked_list_t *methods;
+
+	/**
+	 * rwlock to lock methods
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(xauth_manager_t, add_method, void,
+	private_xauth_manager_t *this, char *name, xauth_role_t role,
+	xauth_constructor_t constructor)
+{
+	xauth_entry_t *entry;
+
+	INIT(entry,
+		.name = name,
+		.role = role,
+		.constructor = constructor,
+	);
+
+	this->lock->write_lock(this->lock);
+	this->methods->insert_last(this->methods, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(xauth_manager_t, remove_method, void,
+	private_xauth_manager_t *this, xauth_constructor_t constructor)
+{
+	enumerator_t *enumerator;
+	xauth_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (constructor == entry->constructor)
+		{
+			this->methods->remove_at(this->methods, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(xauth_manager_t, create_instance, xauth_method_t*,
+	private_xauth_manager_t *this, char *name, xauth_role_t role,
+	identification_t *server, identification_t *peer)
+{
+	enumerator_t *enumerator;
+	xauth_entry_t *entry;
+	xauth_method_t *method = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->methods->create_enumerator(this->methods);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (!name && streq(entry->name, "noauth"))
+		{	/* xauth-noauth has to be configured explicitly */
+			continue;
+		}
+		if (role == entry->role && (!name || streq(name, entry->name)))
+		{
+			method = entry->constructor(server, peer);
+			if (method)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return method;
+}
+
+METHOD(xauth_manager_t, destroy, void,
+	private_xauth_manager_t *this)
+{
+	this->methods->destroy_function(this->methods, free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * See header
+ */
+xauth_manager_t *xauth_manager_create()
+{
+	private_xauth_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.add_method = _add_method,
+			.remove_method = _remove_method,
+			.create_instance = _create_instance,
+			.destroy = _destroy,
+		},
+		.methods = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/xauth/xauth_manager.h b/src/libcharon/sa/xauth/xauth_manager.h
new file mode 100644
index 000000000..929d5de8f
--- /dev/null
+++ b/src/libcharon/sa/xauth/xauth_manager.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_manager xauth_manager
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_MANAGER_H_
+#define XAUTH_MANAGER_H_
+
+#include <sa/xauth/xauth_method.h>
+
+typedef struct xauth_manager_t xauth_manager_t;
+
+/**
+ * The XAuth manager manages all XAuth implementations and creates instances.
+ *
+ * A plugin registers it's implemented XAuth method at the manager by
+ * providing type and a contructor function. The manager then instanciates
+ * xauth_method_t instances through the provided constructor to handle
+ * XAuth authentication.
+ */
+struct xauth_manager_t {
+
+	/**
+	 * Register a XAuth method implementation.
+	 *
+	 * @param name			backend name to register
+	 * @param role			XAUTH_SERVER or XAUTH_PEER
+	 * @param constructor	constructor function, returns an xauth_method_t
+	 */
+	void (*add_method)(xauth_manager_t *this, char *name,
+					   xauth_role_t role, xauth_constructor_t constructor);
+
+	/**
+	 * Unregister a XAuth method implementation using it's constructor.
+	 *
+	 * @param constructor	constructor function, as added in add_method
+	 */
+	void (*remove_method)(xauth_manager_t *this, xauth_constructor_t constructor);
+
+	/**
+	 * Create a new XAuth method instance.
+	 *
+	 * @param name			backend name, as it was registered with
+	 * @param role			XAUTH_SERVER or XAUTH_PEER
+	 * @param server		identity of the server
+	 * @param peer			identity of the peer (client)
+	 * @return				XAUTH method instance, NULL if no constructor found
+	 */
+	xauth_method_t* (*create_instance)(xauth_manager_t *this,
+							char *name, xauth_role_t role,
+							identification_t *server, identification_t *peer);
+
+	/**
+	 * Destroy a eap_manager instance.
+	 */
+	void (*destroy)(xauth_manager_t *this);
+};
+
+/**
+ * Create a eap_manager instance.
+ */
+xauth_manager_t *xauth_manager_create();
+
+#endif /** XAUTH_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/xauth/xauth_method.c b/src/libcharon/sa/xauth/xauth_method.c
new file mode 100644
index 000000000..838822d1e
--- /dev/null
+++ b/src/libcharon/sa/xauth/xauth_method.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_method.h"
+
+#include <daemon.h>
+
+ENUM(xauth_role_names, XAUTH_SERVER, XAUTH_PEER,
+	"XAUTH_SERVER",
+	"XAUTH_PEER",
+);
+
+/**
+ * See header
+ */
+bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
+						 bool reg, void *data)
+{
+	if (reg)
+	{
+		charon->xauth->add_method(charon->xauth, feature->arg.xauth,
+			feature->type == FEATURE_XAUTH_SERVER ? XAUTH_SERVER : XAUTH_PEER,
+			(xauth_constructor_t)data);
+	}
+	else
+	{
+		charon->xauth->remove_method(charon->xauth, (xauth_constructor_t)data);
+	}
+	return TRUE;
+}
diff --git a/src/libcharon/sa/xauth/xauth_method.h b/src/libcharon/sa/xauth/xauth_method.h
new file mode 100644
index 000000000..9f6067dbf
--- /dev/null
+++ b/src/libcharon/sa/xauth/xauth_method.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_method xauth_method
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_METHOD_H_
+#define XAUTH_METHOD_H_
+
+typedef struct xauth_method_t xauth_method_t;
+typedef enum xauth_role_t xauth_role_t;
+
+#include <library.h>
+#include <plugins/plugin.h>
+#include <utils/identification.h>
+#include <encoding/payloads/cp_payload.h>
+
+/**
+ * Role of an xauth_method, SERVER or PEER (client)
+ */
+enum xauth_role_t {
+	XAUTH_SERVER,
+	XAUTH_PEER,
+};
+
+/**
+ * enum names for xauth_role_t.
+ */
+extern enum_name_t *xauth_role_names;
+
+/**
+ * Interface of an XAuth method for server and client side.
+ *
+ * An XAuth method initiates an XAuth exchange and processes requests and
+ * responses. An XAuth method may need multiple exchanges before succeeding.
+ * Sending of XAUTH(STATUS) message is done by the framework, not a method.
+ */
+struct xauth_method_t {
+
+	/**
+	 * Initiate the XAuth exchange.
+	 *
+	 * initiate() is only useable for server implementations, as clients only
+	 * reply to server requests.
+	 * A cp_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param out		cp_payload to send to the client
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if unable to create XAuth request payload
+	 */
+	status_t (*initiate) (xauth_method_t *this, cp_payload_t **out);
+
+	/**
+	 * Process a received XAuth message.
+	 *
+	 * A cp_payload is created in "out" if result is NEED_MORE.
+	 *
+	 * @param in		cp_payload response received
+	 * @param out		created cp_payload to send
+	 * @return
+	 * 					- NEED_MORE, if an other exchange is required
+	 * 					- FAILED, if XAuth method failed
+	 * 					- SUCCESS, if XAuth method succeeded
+	 */
+	status_t (*process) (xauth_method_t *this, cp_payload_t *in,
+						 cp_payload_t **out);
+
+	/**
+	 * Get the XAuth username received as XAuth initiator.
+	 *
+	 * @return			used XAuth username, pointer to internal data
+	 */
+	identification_t* (*get_identity)(xauth_method_t *this);
+
+	/**
+	 * Destroys a eap_method_t object.
+	 */
+	void (*destroy) (xauth_method_t *this);
+};
+
+/**
+ * Constructor definition for a pluggable XAuth method.
+ *
+ * Each XAuth module must define a constructor function which will return
+ * an initialized object with the methods defined in xauth_method_t.
+ * Constructors for server and peers are identical, to support both roles
+ * of a XAuth method, a plugin needs register two constructors in the
+ * xauth_manager_t.
+ *
+ * @param server		ID of the server to use for credential lookup
+ * @param peer			ID of the peer to use for credential lookup
+ * @return				implementation of the eap_method_t interface
+ */
+typedef xauth_method_t *(*xauth_constructor_t)(identification_t *server,
+											   identification_t *peer);
+
+/**
+ * Helper function to (un-)register XAuth methods from plugin features.
+ *
+ * This function is a plugin_feature_callback_t and can be used with the
+ * PLUGIN_CALLBACK macro to register a XAuth method constructor.
+ *
+ * @param plugin		plugin registering the XAuth method constructor
+ * @param feature		associated plugin feature
+ * @param reg			TRUE to register, FALSE to unregister.
+ * @param data			data passed to callback, an xauth_constructor_t
+ */
+bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
+						   bool reg, void *data);
+
+#endif /** XAUTH_METHOD_H_ @}*/
diff --git a/src/libfast/Makefile.am b/src/libfast/Makefile.am
index 35d102109..edc2ab1ca 100644
--- a/src/libfast/Makefile.am
+++ b/src/libfast/Makefile.am
@@ -1,8 +1,21 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I/usr/include/ClearSilver
+
+AM_CFLAGS = \
+	-rdynamic
+
 ipseclib_LTLIBRARIES = libfast.la
 
-libfast_la_SOURCES = context.h dispatcher.c request.h session.h \
-  controller.h dispatcher.h request.c session.c filter.h smtp.c smtp.h
+libfast_la_SOURCES = \
+	fast_dispatcher.c fast_request.c fast_session.c fast_smtp.c
+
+if USE_DEV_HEADERS
+fast_includedir = ${dev_headers}/fast
+nobase_fast_include_HEADERS = \
+	fast_context.h fast_controller.h fast_dispatcher.h fast_filter.h \
+	fast_request.h fast_session.h fast_smtp.h
+endif
+
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lfcgi $(clearsilver_LIBS) $(PTHREADLIB)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I/usr/include/ClearSilver
-AM_CFLAGS = -rdynamic
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index abb721758..d5b511e56 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,7 +15,25 @@
 
 @SET_MAKE@
 
+
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -35,7 +53,8 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = src/libfast
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+DIST_COMMON = $(am__nobase_fast_include_HEADERS_DIST) \
+	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -45,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,50 +92,90 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
+	"$(DESTDIR)$(fast_includedir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libfast_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_libfast_la_OBJECTS = dispatcher.lo request.lo session.lo smtp.lo
+am_libfast_la_OBJECTS = fast_dispatcher.lo fast_request.lo \
+	fast_session.lo fast_smtp.lo
 libfast_la_OBJECTS = $(am_libfast_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libfast_la_SOURCES)
 DIST_SOURCES = $(libfast_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__nobase_fast_include_HEADERS_DIST = fast_context.h \
+	fast_controller.h fast_dispatcher.h fast_filter.h \
+	fast_request.h fast_session.h fast_smtp.h
+HEADERS = $(nobase_fast_include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -124,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -143,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -182,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -190,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -200,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -221,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -241,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -278,15 +347,25 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I/usr/include/ClearSilver
+
+AM_CFLAGS = \
+	-rdynamic
+
 ipseclib_LTLIBRARIES = libfast.la
-libfast_la_SOURCES = context.h dispatcher.c request.h session.h \
-  controller.h dispatcher.h request.c session.c filter.h smtp.c smtp.h
+libfast_la_SOURCES = \
+	fast_dispatcher.c fast_request.c fast_session.c fast_smtp.c
+
+@USE_DEV_HEADERS_TRUE@fast_includedir = ${dev_headers}/fast
+@USE_DEV_HEADERS_TRUE@nobase_fast_include_HEADERS = \
+@USE_DEV_HEADERS_TRUE@	fast_context.h fast_controller.h fast_dispatcher.h fast_filter.h \
+@USE_DEV_HEADERS_TRUE@	fast_request.h fast_session.h fast_smtp.h
 
 libfast_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
   -lfcgi $(clearsilver_LIBS) $(PTHREADLIB)
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I/usr/include/ClearSilver
-AM_CFLAGS = -rdynamic
 all: all-am
 
 .SUFFIXES:
@@ -323,7 +402,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -331,6 +409,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -352,8 +432,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libfast.la: $(libfast_la_OBJECTS) $(libfast_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libfast_la_OBJECTS) $(libfast_la_LIBADD) $(LIBS)
+libfast.la: $(libfast_la_OBJECTS) $(libfast_la_DEPENDENCIES) $(EXTRA_libfast_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libfast_la_OBJECTS) $(libfast_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -361,37 +441,61 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dispatcher.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/request.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/session.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smtp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_dispatcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_request.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_session.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fast_smtp.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-nobase_fast_includeHEADERS: $(nobase_fast_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	@list='$(nobase_fast_include_HEADERS)'; test -n "$(fast_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(fast_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(fast_includedir)" || exit 1; \
+	fi; \
+	$(am__nobase_list) | while read dir files; do \
+	  xfiles=; for file in $$files; do \
+	    if test -f "$$file"; then xfiles="$$xfiles $$file"; \
+	    else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
+	  test -z "$$xfiles" || { \
+	    test "x$$dir" = x. || { \
+	      echo " $(MKDIR_P) '$(DESTDIR)$(fast_includedir)/$$dir'"; \
+	      $(MKDIR_P) "$(DESTDIR)$(fast_includedir)/$$dir"; }; \
+	    echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(fast_includedir)/$$dir'"; \
+	    $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(fast_includedir)/$$dir" || exit $$?; }; \
+	done
+
+uninstall-nobase_fast_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nobase_fast_include_HEADERS)'; test -n "$(fast_includedir)" || list=; \
+	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
+	dir='$(DESTDIR)$(fast_includedir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -477,9 +581,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(HEADERS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(fast_includedir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -492,10 +596,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -530,7 +639,8 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipseclibLTLIBRARIES
+install-data-am: install-ipseclibLTLIBRARIES \
+	install-nobase_fast_includeHEADERS
 
 install-dvi: install-dvi-am
 
@@ -576,7 +686,8 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipseclibLTLIBRARIES
+uninstall-am: uninstall-ipseclibLTLIBRARIES \
+	uninstall-nobase_fast_includeHEADERS
 
 .MAKE: install-am install-strip
 
@@ -587,12 +698,14 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-info install-info-am \
-	install-ipseclibLTLIBRARIES install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-ipseclibLTLIBRARIES install-man \
+	install-nobase_fast_includeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+	tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES \
+	uninstall-nobase_fast_includeHEADERS
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libfast/context.h b/src/libfast/context.h
deleted file mode 100644
index 4f8d11d2c..000000000
--- a/src/libfast/context.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup context context
- * @{ @ingroup libfast
- */
-
-#ifndef CONTEXT_H_
-#define CONTEXT_H_
-
-typedef struct context_t context_t;
-
-/**
- * Constructor function for a user specific context.
- */
-typedef context_t *(*context_constructor_t)(void *param);
-
-/**
- * User specific session context, to extend.
- */
-struct context_t {
-
-	/**
-	 * Destroy the context_t.
-	 */
-	void (*destroy) (context_t *this);
-};
-
-#endif /** CONTEXT_H_ @}*/
diff --git a/src/libfast/controller.h b/src/libfast/controller.h
deleted file mode 100644
index 1edf72e90..000000000
--- a/src/libfast/controller.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup controller_i controller
- * @{ @ingroup libfast
- */
-
-#ifndef CONTROLLER_H_
-#define CONTROLLER_H_
-
-#include "request.h"
-#include "context.h"
-
-typedef struct controller_t controller_t;
-
-/**
- * Constructor function for a controller.
- *
- * @param context		session specific context, implements context_t
- * @param param			user supplied param, as registered to the dispatcher
- */
-typedef controller_t *(*controller_constructor_t)(context_t* context, void *param);
-
-/**
- * Controller interface, to be implemented by users controllers.
- *
- * Controller instances get created per session, so each session has an
- * associated set of private controller instances.
- * The controller handle function is called for each incoming request.
- */
-struct controller_t {
-
-	/**
-	 * Get the name of the controller.
-	 *
-	 * @return				name of the controller
-	 */
-	char* (*get_name)(controller_t *this);
-
-	/**
-	 * Handle a HTTP request for that controller.
-	 *
-	 * Request URLs are parsed in the form
-	 * controller_name/p1/p2/p3/p4/p5 with a maximum of 5 parameters. Each
-	 * parameter not found in the request URL is set to NULL.
-	 *
-	 * @param request		HTTP request
-	 * @param p1			first parameter
-	 * @param p2			second parameter
-	 * @param p3			third parameter
-	 * @param p4			forth parameter
-	 * @param p5			fifth parameter
-	 * @return
-	 */
-	void (*handle)(controller_t *this, request_t *request,
-				   char *p1, char *p2, char *p3, char *p4, char *p5);
-
-	/**
-	 * Destroy the controller instance.
-	 */
-	void (*destroy) (controller_t *this);
-};
-
-#endif /** CONTROLLER_H_ @}*/
diff --git a/src/libfast/dispatcher.c b/src/libfast/dispatcher.c
deleted file mode 100644
index e5fca7074..000000000
--- a/src/libfast/dispatcher.c
+++ /dev/null
@@ -1,444 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "dispatcher.h"
-
-#include "request.h"
-#include "session.h"
-
-#include <fcgiapp.h>
-#include <signal.h>
-#include <unistd.h>
-
-#include <debug.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
-
-/** Intervall to check for expired sessions, in seconds */
-#define CLEANUP_INTERVAL 30
-
-typedef struct private_dispatcher_t private_dispatcher_t;
-
-/**
- * private data of the task manager
- */
-struct private_dispatcher_t {
-
-	/**
-	 * public functions
-	 */
-	dispatcher_t public;
-
-	/**
-	 * fcgi socket fd
-	 */
-	int fd;
-
-	/**
-	 * thread list
-	 */
-	thread_t **threads;
-
-	/**
-	 * number of threads in "threads"
-	 */
-	int thread_count;
-
-	/**
-	 * session locking mutex
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Hahstable with active sessions
-	 */
-	hashtable_t *sessions;
-
-	/**
-	 * session timeout
-	 */
-	time_t timeout;
-
-	/**
-	 * timestamp of last session cleanup round
-	 */
-	time_t last_cleanup;
-
-	/**
-	 * running in debug mode?
-	 */
-	bool debug;
-
-	/**
-	 * List of controllers controller_constructor_t
-	 */
-	linked_list_t *controllers;
-
-	/**
-	 * List of filters filter_constructor_t
-	 */
-	linked_list_t *filters;
-
-	/**
-	 * constructor function to create session context (in controller_entry_t)
-	 */
-	context_constructor_t context_constructor;
-
-	/**
-	 * user param to context constructor
-	 */
-	void *param;
-};
-
-typedef struct {
-	/** constructor function */
-	controller_constructor_t constructor;
-	/** parameter to constructor */
-	void *param;
-} controller_entry_t;
-
-typedef struct {
-	/** constructor function */
-	filter_constructor_t constructor;
-	/** parameter to constructor */
-	void *param;
-} filter_entry_t;
-
-typedef struct {
-	/** session instance */
-	session_t *session;
-	/** condvar to wait for session */
-	condvar_t *cond;
-	/** client host address, to prevent session hijacking */
-	char *host;
-	/** TRUE if session is in use */
-	bool in_use;
-	/** last use of the session */
-	time_t used;
-	/** has the session been closed by the handler? */
-	bool closed;
-} session_entry_t;
-
-/**
- * create a session and instanciate controllers
- */
-static session_t* load_session(private_dispatcher_t *this)
-{
-	enumerator_t *enumerator;
-	controller_entry_t *centry;
-	filter_entry_t *fentry;
-	session_t *session;
-	context_t *context = NULL;
-	controller_t *controller;
-	filter_t *filter;
-
-	if (this->context_constructor)
-	{
-		context = this->context_constructor(this->param);
-	}
-	session = session_create(context);
-
-	enumerator = this->controllers->create_enumerator(this->controllers);
-	while (enumerator->enumerate(enumerator, &centry))
-	{
-		controller = centry->constructor(context, centry->param);
-		session->add_controller(session, controller);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = this->filters->create_enumerator(this->filters);
-	while (enumerator->enumerate(enumerator, &fentry))
-	{
-		filter = fentry->constructor(context, fentry->param);
-		session->add_filter(session, filter);
-	}
-	enumerator->destroy(enumerator);
-
-	return session;
-}
-
-/**
- * create a new session entry
- */
-static session_entry_t *session_entry_create(private_dispatcher_t *this,
-											 char *host)
-{
-	session_entry_t *entry;
-
-	INIT(entry,
-		.cond = condvar_create(CONDVAR_TYPE_DEFAULT),
-		.session = load_session(this),
-		.host = strdup(host),
-		.used = time_monotonic(NULL),
-	);
-	return entry;
-}
-
-/**
- * destroy a session
- */
-static void session_entry_destroy(session_entry_t *entry)
-{
-	entry->session->destroy(entry->session);
-	entry->cond->destroy(entry->cond);
-	free(entry->host);
-	free(entry);
-}
-
-METHOD(dispatcher_t, add_controller, void,
-	private_dispatcher_t *this, controller_constructor_t constructor,
-	void *param)
-{
-	controller_entry_t *entry;
-
-	INIT(entry,
-		.constructor = constructor,
-		.param = param,
-	);
-	this->controllers->insert_last(this->controllers, entry);
-}
-
-METHOD(dispatcher_t, add_filter, void,
-	private_dispatcher_t *this, filter_constructor_t constructor, void *param)
-{
-	filter_entry_t *entry;
-
-	INIT(entry,
-		.constructor = constructor,
-		.param = param,
-	);
-	this->filters->insert_last(this->filters, entry);
-}
-
-/**
- * Hashtable hash function
- */
-static u_int session_hash(char *sid)
-{
-	return chunk_hash(chunk_create(sid, strlen(sid)));
-}
-
-/**
- * Hashtable equals function
- */
-static bool session_equals(char *sid1, char *sid2)
-{
-	return streq(sid1, sid2);
-}
-
-/**
- * Cleanup unused sessions
- */
-static void cleanup_sessions(private_dispatcher_t *this, time_t now)
-{
-	if (this->last_cleanup < now - CLEANUP_INTERVAL)
-	{
-		char *sid;
-		session_entry_t *entry;
-		enumerator_t *enumerator;
-		linked_list_t *remove;
-
-		this->last_cleanup = now;
-		remove = linked_list_create();
-		enumerator = this->sessions->create_enumerator(this->sessions);
-		while (enumerator->enumerate(enumerator, &sid, &entry))
-		{
-			/* check all sessions for timeout or close flag */
-			if (!entry->in_use &&
-				(entry->used < now - this->timeout || entry->closed))
-			{
-				remove->insert_last(remove, sid);
-			}
-		}
-		enumerator->destroy(enumerator);
-
-		while (remove->remove_last(remove, (void**)&sid) == SUCCESS)
-		{
-			entry = this->sessions->remove(this->sessions, sid);
-			if (entry)
-			{
-				session_entry_destroy(entry);
-			}
-		}
-		remove->destroy(remove);
-	}
-}
-
-/**
- * Actual dispatching code
- */
-static void dispatch(private_dispatcher_t *this)
-{
-	thread_cancelability(FALSE);
-
-	while (TRUE)
-	{
-		request_t *request;
-		session_entry_t *found = NULL;
-		time_t now;
-		char *sid;
-
-		thread_cancelability(TRUE);
-		request = request_create(this->fd, this->debug);
-		thread_cancelability(FALSE);
-
-		if (request == NULL)
-		{
-			continue;
-		}
-		now = time_monotonic(NULL);
-		sid = request->get_cookie(request, "SID");
-
-		this->mutex->lock(this->mutex);
-		if (sid)
-		{
-			found = this->sessions->get(this->sessions, sid);
-		}
-		if (found && !streq(found->host, request->get_host(request)))
-		{
-			found = NULL;
-		}
-		if (found)
-		{
-			/* wait until session is unused */
-			while (found->in_use)
-			{
-				found->cond->wait(found->cond, this->mutex);
-			}
-		}
-		else
-		{	/* create a new session if not found */
-			found = session_entry_create(this, request->get_host(request));
-			sid = found->session->get_sid(found->session);
-			this->sessions->put(this->sessions, sid, found);
-		}
-		found->in_use = TRUE;
-		this->mutex->unlock(this->mutex);
-
-		/* start processing */
-		found->session->process(found->session, request);
-		found->used = time_monotonic(NULL);
-
-		/* release session */
-		this->mutex->lock(this->mutex);
-		found->in_use = FALSE;
-		found->closed = request->session_closed(request);
-		found->cond->signal(found->cond);
-		cleanup_sessions(this, now);
-		this->mutex->unlock(this->mutex);
-
-		request->destroy(request);
-	}
-}
-
-METHOD(dispatcher_t, run, void,
-	private_dispatcher_t *this, int threads)
-{
-	this->thread_count = threads;
-	this->threads = malloc(sizeof(thread_t*) * threads);
-	while (threads)
-	{
-		this->threads[threads - 1] = thread_create((thread_main_t)dispatch,
-												   this);
-		if (this->threads[threads - 1])
-		{
-			threads--;
-		}
-	}
-}
-
-METHOD(dispatcher_t, waitsignal, void,
-	private_dispatcher_t *this)
-{
-	sigset_t set;
-	int sig;
-
-	sigemptyset(&set);
-	sigaddset(&set, SIGINT);
-	sigaddset(&set, SIGTERM);
-	sigaddset(&set, SIGHUP);
-	sigprocmask(SIG_BLOCK, &set, NULL);
-	sigwait(&set, &sig);
-}
-
-METHOD(dispatcher_t, destroy, void,
-	private_dispatcher_t *this)
-{
-	char *sid;
-	session_entry_t *entry;
-	enumerator_t *enumerator;
-
-	FCGX_ShutdownPending();
-	while (this->thread_count--)
-	{
-		thread_t *thread = this->threads[this->thread_count];
-		thread->cancel(thread);
-		thread->join(thread);
-	}
-	enumerator = this->sessions->create_enumerator(this->sessions);
-	while (enumerator->enumerate(enumerator, &sid, &entry))
-	{
-		session_entry_destroy(entry);
-	}
-	enumerator->destroy(enumerator);
-	this->sessions->destroy(this->sessions);
-	this->controllers->destroy_function(this->controllers, free);
-	this->filters->destroy_function(this->filters, free);
-	this->mutex->destroy(this->mutex);
-	free(this->threads);
-	free(this);
-}
-
-/*
- * see header file
- */
-dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
-								context_constructor_t constructor, void *param)
-{
-	private_dispatcher_t *this;
-
-	INIT(this,
-		.public = {
-			.add_controller = _add_controller,
-			.add_filter = _add_filter,
-			.run = _run,
-			.waitsignal = _waitsignal,
-			.destroy = _destroy,
-		},
-		.sessions = hashtable_create((void*)session_hash,
-									 (void*)session_equals, 4096),
-		.controllers = linked_list_create(),
-		.filters = linked_list_create(),
-		.context_constructor = constructor,
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.param = param,
-		.timeout = timeout,
-		.last_cleanup = time_monotonic(NULL),
-		.debug = debug,
-	);
-
-	FCGX_Init();
-
-	if (socket)
-	{
-		unlink(socket);
-		this->fd = FCGX_OpenSocket(socket, 10);
-	}
-	return &this->public;
-}
-
diff --git a/src/libfast/dispatcher.h b/src/libfast/dispatcher.h
deleted file mode 100644
index 16223fe76..000000000
--- a/src/libfast/dispatcher.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup libfast libfast
- * @{
- * FastCGI Application Server w/ templates.
- *
- * Libfast is a framework to write web applications in an MVC fashion. It uses
- * the ClearSilver template engine and communicates through FastCGI with
- * the webserver. It is multithreaded and really fast.
- *
- * The application has a global context and a session context. The global
- * context is accessed from all sessions simultaneously and therefore
- * needs to be threadsave. Often a database wrapper is the global context.
- * The session context is instanciated per session. Sessions are managed
- * automatically through session cookies. The session context is kept alive
- * until the session times out. It must implement the context_t interface and
- * a #context_constructor_t is needed to create instances. To each session,
- * a set of controllers gets instanciated. The controller instances are per
- * session, so you can hold private data for each user.
- * Controllers need to implement the controller_t interface and need a
- * #controller_constructor_t function to create instances.
- *
- * A small example shows how to set up libfast:
- * @code
-	dispatcher_t *dispatcher;
-	your_global_context_implementation_t *global;
-
-	global = initialize_your_global_context();
-
-	dispatcher = dispatcher_create(NULL, FALSE, 180,
-			(context_constructor_t)your_session_context_create, global);
-	dispatcher->add_controller(dispatcher, your_controller1_create, param1);
-	dispatcher->add_controller(dispatcher, your_controller2_create, param2);
-
-	dispatcher->run(dispatcher, 20);
-
-	dispatcher->waitsignal(dispatcher);
-
-	dispatcher->destroy(dispatcher);
-	global->destroy();
-   @endcode
- * @}
- *
- * @defgroup dispatcher dispatcher
- * @{ @ingroup libfast
- */
-
-#ifndef DISPATCHER_H_
-#define DISPATCHER_H_
-
-#include "controller.h"
-#include "filter.h"
-
-typedef struct dispatcher_t dispatcher_t;
-
-/**
- * Dispatcher, accepts connections using multiple threads.
- *
- * The dispatcher creates a session for each client (using SID cookies). In
- * each session, a session context is created using the context constructor.
- * Each controller is instanciated in the session using the controller
- * constructor added with add_controller.
- */
-struct dispatcher_t {
-
-	/**
-	 * Register a controller to the dispatcher.
-	 *
-	 * The first controller added serves as default controller. Client's
-	 * get redirected to it if no other controller matches.
-	 *
-	 * @param constructor	constructor function to the conntroller
-	 * @param param			param to pass to constructor
-	 */
-	void (*add_controller)(dispatcher_t *this,
-						   controller_constructor_t constructor, void *param);
-
-	/**
-	 * Add a filter to the dispatcher.
-	 *
-	 * @param constructor	constructor to create filter in session
-	 * @param param			param to pass to constructor
-	 */
-	void (*add_filter)(dispatcher_t *this,
-					   filter_constructor_t constructor, void *param);
-
-	/**
-	 * Start with dispatching.
-	 *
-	 * Instanciate a constant thread pool and start dispatching requests.
-	 *
-	 * @param threads		number of dispatching threads
-	 */
-	void (*run)(dispatcher_t *this, int threads);
-
-	/**
-	 * Wait for a relevant signal action.
-	 *
-	 */
-	void (*waitsignal)(dispatcher_t *this);
-
-	/**
-	 * Destroy the dispatcher_t.
-	 */
-	void (*destroy) (dispatcher_t *this);
-};
-
-/**
- * Create a dispatcher.
- *
- * The context constructor is invoked to create a session context for
- * each session.
- *
- * @param socket		FastCGI socket path, NULL for dynamic
- * @param debug			no stripping, no compression, timing information
- * @param timeout		session timeout
- * @param constructor	construction function for session context
- * @param param			parameter to supply to context constructor
- */
-dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
-								context_constructor_t constructor, void *param);
-
-#endif /** DISPATCHER_H_ @}*/
diff --git a/src/libfast/fast_context.h b/src/libfast/fast_context.h
new file mode 100644
index 000000000..4922703ca
--- /dev/null
+++ b/src/libfast/fast_context.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_context fast_context
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_CONTEXT_H_
+#define FAST_CONTEXT_H_
+
+typedef struct fast_context_t fast_context_t;
+
+/**
+ * Constructor function for a user specific context.
+ */
+typedef fast_context_t *(*fast_context_constructor_t)(void *param);
+
+/**
+ * User specific session context, to extend.
+ */
+struct fast_context_t {
+
+	/**
+	 * Destroy the fast_context_t.
+	 */
+	void (*destroy) (fast_context_t *this);
+};
+
+#endif /** FAST_CONTEXT_H_ @}*/
diff --git a/src/libfast/fast_controller.h b/src/libfast/fast_controller.h
new file mode 100644
index 000000000..bbd0214fc
--- /dev/null
+++ b/src/libfast/fast_controller.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_controller fast_controller
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_CONTROLLER_H_
+#define FAST_CONTROLLER_H_
+
+#include "fast_request.h"
+#include "fast_context.h"
+
+typedef struct fast_controller_t fast_controller_t;
+
+/**
+ * Constructor function for a controller.
+ *
+ * @param context		session specific context, implements context_t
+ * @param param			user supplied param, as registered to the dispatcher
+ */
+typedef fast_controller_t *(*fast_controller_constructor_t)(
+										fast_context_t* context, void *param);
+
+/**
+ * Controller interface, to be implemented by users controllers.
+ *
+ * Controller instances get created per session, so each session has an
+ * associated set of private controller instances.
+ * The controller handle function is called for each incoming request.
+ */
+struct fast_controller_t {
+
+	/**
+	 * Get the name of the controller.
+	 *
+	 * @return				name of the controller
+	 */
+	char* (*get_name)(fast_controller_t *this);
+
+	/**
+	 * Handle a HTTP request for that controller.
+	 *
+	 * Request URLs are parsed in the form
+	 * controller_name/p1/p2/p3/p4/p5 with a maximum of 5 parameters. Each
+	 * parameter not found in the request URL is set to NULL.
+	 *
+	 * @param request		HTTP request
+	 * @param p1			first parameter
+	 * @param p2			second parameter
+	 * @param p3			third parameter
+	 * @param p4			forth parameter
+	 * @param p5			fifth parameter
+	 * @return
+	 */
+	void (*handle)(fast_controller_t *this, fast_request_t *request,
+				   char *p1, char *p2, char *p3, char *p4, char *p5);
+
+	/**
+	 * Destroy the controller instance.
+	 */
+	void (*destroy) (fast_controller_t *this);
+};
+
+#endif /** FAST_CONTROLLER_H_ @}*/
diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c
new file mode 100644
index 000000000..4daf91905
--- /dev/null
+++ b/src/libfast/fast_dispatcher.c
@@ -0,0 +1,460 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "fast_dispatcher.h"
+
+#include "fast_request.h"
+#include "fast_session.h"
+
+#include <fcgiapp.h>
+#include <signal.h>
+#include <unistd.h>
+
+#include <utils/debug.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
+
+/** Intervall to check for expired sessions, in seconds */
+#define CLEANUP_INTERVAL 30
+
+typedef struct private_fast_dispatcher_t private_fast_dispatcher_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_fast_dispatcher_t {
+
+	/**
+	 * public functions
+	 */
+	fast_dispatcher_t public;
+
+	/**
+	 * fcgi socket fd
+	 */
+	int fd;
+
+	/**
+	 * thread list
+	 */
+	thread_t **threads;
+
+	/**
+	 * number of threads in "threads"
+	 */
+	int thread_count;
+
+	/**
+	 * session locking mutex
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Hahstable with active sessions
+	 */
+	hashtable_t *sessions;
+
+	/**
+	 * session timeout
+	 */
+	time_t timeout;
+
+	/**
+	 * timestamp of last session cleanup round
+	 */
+	time_t last_cleanup;
+
+	/**
+	 * running in debug mode?
+	 */
+	bool debug;
+
+	/**
+	 * List of controllers controller_constructor_t
+	 */
+	linked_list_t *controllers;
+
+	/**
+	 * List of filters filter_constructor_t
+	 */
+	linked_list_t *filters;
+
+	/**
+	 * constructor function to create session context (in controller_entry_t)
+	 */
+	fast_context_constructor_t context_constructor;
+
+	/**
+	 * user param to context constructor
+	 */
+	void *param;
+};
+
+typedef struct {
+	/** constructor function */
+	fast_controller_constructor_t constructor;
+	/** parameter to constructor */
+	void *param;
+} controller_entry_t;
+
+typedef struct {
+	/** constructor function */
+	fast_filter_constructor_t constructor;
+	/** parameter to constructor */
+	void *param;
+} filter_entry_t;
+
+typedef struct {
+	/** session instance */
+	fast_session_t *session;
+	/** condvar to wait for session */
+	condvar_t *cond;
+	/** client host address, to prevent session hijacking */
+	char *host;
+	/** TRUE if session is in use */
+	bool in_use;
+	/** last use of the session */
+	time_t used;
+	/** has the session been closed by the handler? */
+	bool closed;
+} session_entry_t;
+
+/**
+ * create a session and instanciate controllers
+ */
+static fast_session_t* load_session(private_fast_dispatcher_t *this)
+{
+	enumerator_t *enumerator;
+	controller_entry_t *centry;
+	filter_entry_t *fentry;
+	fast_session_t *session;
+	fast_context_t *context = NULL;
+	fast_controller_t *controller;
+	fast_filter_t *filter;
+
+	if (this->context_constructor)
+	{
+		context = this->context_constructor(this->param);
+	}
+	session = fast_session_create(context);
+	if (!session)
+	{
+		return NULL;
+	}
+
+	enumerator = this->controllers->create_enumerator(this->controllers);
+	while (enumerator->enumerate(enumerator, &centry))
+	{
+		controller = centry->constructor(context, centry->param);
+		session->add_controller(session, controller);
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->filters->create_enumerator(this->filters);
+	while (enumerator->enumerate(enumerator, &fentry))
+	{
+		filter = fentry->constructor(context, fentry->param);
+		session->add_filter(session, filter);
+	}
+	enumerator->destroy(enumerator);
+
+	return session;
+}
+
+/**
+ * create a new session entry
+ */
+static session_entry_t *session_entry_create(private_fast_dispatcher_t *this,
+											 char *host)
+{
+	session_entry_t *entry;
+	fast_session_t *session;
+
+	session = load_session(this);
+	if (!session)
+	{
+		return NULL;
+	}
+	INIT(entry,
+		.cond = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.session = session,
+		.host = strdup(host),
+		.used = time_monotonic(NULL),
+	);
+	return entry;
+}
+
+/**
+ * destroy a session
+ */
+static void session_entry_destroy(session_entry_t *entry)
+{
+	entry->session->destroy(entry->session);
+	entry->cond->destroy(entry->cond);
+	free(entry->host);
+	free(entry);
+}
+
+METHOD(fast_dispatcher_t, add_controller, void,
+	private_fast_dispatcher_t *this, fast_controller_constructor_t constructor,
+	void *param)
+{
+	controller_entry_t *entry;
+
+	INIT(entry,
+		.constructor = constructor,
+		.param = param,
+	);
+	this->controllers->insert_last(this->controllers, entry);
+}
+
+METHOD(fast_dispatcher_t, add_filter, void,
+	private_fast_dispatcher_t *this, fast_filter_constructor_t constructor,
+	void *param)
+{
+	filter_entry_t *entry;
+
+	INIT(entry,
+		.constructor = constructor,
+		.param = param,
+	);
+	this->filters->insert_last(this->filters, entry);
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int session_hash(char *sid)
+{
+	return chunk_hash(chunk_create(sid, strlen(sid)));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool session_equals(char *sid1, char *sid2)
+{
+	return streq(sid1, sid2);
+}
+
+/**
+ * Cleanup unused sessions
+ */
+static void cleanup_sessions(private_fast_dispatcher_t *this, time_t now)
+{
+	if (this->last_cleanup < now - CLEANUP_INTERVAL)
+	{
+		char *sid;
+		session_entry_t *entry;
+		enumerator_t *enumerator;
+		linked_list_t *remove;
+
+		this->last_cleanup = now;
+		remove = linked_list_create();
+		enumerator = this->sessions->create_enumerator(this->sessions);
+		while (enumerator->enumerate(enumerator, &sid, &entry))
+		{
+			/* check all sessions for timeout or close flag */
+			if (!entry->in_use &&
+				(entry->used < now - this->timeout || entry->closed))
+			{
+				remove->insert_last(remove, sid);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		while (remove->remove_last(remove, (void**)&sid) == SUCCESS)
+		{
+			entry = this->sessions->remove(this->sessions, sid);
+			if (entry)
+			{
+				session_entry_destroy(entry);
+			}
+		}
+		remove->destroy(remove);
+	}
+}
+
+/**
+ * Actual dispatching code
+ */
+static void dispatch(private_fast_dispatcher_t *this)
+{
+	thread_cancelability(FALSE);
+
+	while (TRUE)
+	{
+		fast_request_t *request;
+		session_entry_t *found = NULL;
+		time_t now;
+		char *sid;
+
+		thread_cancelability(TRUE);
+		request = fast_request_create(this->fd, this->debug);
+		thread_cancelability(FALSE);
+
+		if (request == NULL)
+		{
+			break;
+		}
+		now = time_monotonic(NULL);
+		sid = request->get_cookie(request, "SID");
+
+		this->mutex->lock(this->mutex);
+		if (sid)
+		{
+			found = this->sessions->get(this->sessions, sid);
+		}
+		if (found && !streq(found->host, request->get_host(request)))
+		{
+			found = NULL;
+		}
+		if (found)
+		{
+			/* wait until session is unused */
+			while (found->in_use)
+			{
+				found->cond->wait(found->cond, this->mutex);
+			}
+		}
+		else
+		{	/* create a new session if not found */
+			found = session_entry_create(this, request->get_host(request));
+			if (!found)
+			{
+				request->destroy(request);
+				this->mutex->unlock(this->mutex);
+				continue;
+			}
+			sid = found->session->get_sid(found->session);
+			this->sessions->put(this->sessions, sid, found);
+		}
+		found->in_use = TRUE;
+		this->mutex->unlock(this->mutex);
+
+		/* start processing */
+		found->session->process(found->session, request);
+		found->used = time_monotonic(NULL);
+
+		/* release session */
+		this->mutex->lock(this->mutex);
+		found->in_use = FALSE;
+		found->closed = request->session_closed(request);
+		found->cond->signal(found->cond);
+		cleanup_sessions(this, now);
+		this->mutex->unlock(this->mutex);
+
+		request->destroy(request);
+	}
+}
+
+METHOD(fast_dispatcher_t, run, void,
+	private_fast_dispatcher_t *this, int threads)
+{
+	this->thread_count = threads;
+	this->threads = malloc(sizeof(thread_t*) * threads);
+	while (threads)
+	{
+		this->threads[threads - 1] = thread_create((thread_main_t)dispatch,
+												   this);
+		if (this->threads[threads - 1])
+		{
+			threads--;
+		}
+	}
+}
+
+METHOD(fast_dispatcher_t, waitsignal, void,
+	private_fast_dispatcher_t *this)
+{
+	sigset_t set;
+	int sig;
+
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT);
+	sigaddset(&set, SIGTERM);
+	sigaddset(&set, SIGHUP);
+	sigprocmask(SIG_BLOCK, &set, NULL);
+	sigwait(&set, &sig);
+}
+
+METHOD(fast_dispatcher_t, destroy, void,
+	private_fast_dispatcher_t *this)
+{
+	char *sid;
+	session_entry_t *entry;
+	enumerator_t *enumerator;
+
+	FCGX_ShutdownPending();
+	while (this->thread_count--)
+	{
+		thread_t *thread = this->threads[this->thread_count];
+		thread->cancel(thread);
+		thread->join(thread);
+	}
+	enumerator = this->sessions->create_enumerator(this->sessions);
+	while (enumerator->enumerate(enumerator, &sid, &entry))
+	{
+		session_entry_destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+	this->sessions->destroy(this->sessions);
+	this->controllers->destroy_function(this->controllers, free);
+	this->filters->destroy_function(this->filters, free);
+	this->mutex->destroy(this->mutex);
+	free(this->threads);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+fast_dispatcher_t *fast_dispatcher_create(char *socket, bool debug, int timeout,
+							fast_context_constructor_t constructor, void *param)
+{
+	private_fast_dispatcher_t *this;
+
+	INIT(this,
+		.public = {
+			.add_controller = _add_controller,
+			.add_filter = _add_filter,
+			.run = _run,
+			.waitsignal = _waitsignal,
+			.destroy = _destroy,
+		},
+		.sessions = hashtable_create((void*)session_hash,
+									 (void*)session_equals, 4096),
+		.controllers = linked_list_create(),
+		.filters = linked_list_create(),
+		.context_constructor = constructor,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.param = param,
+		.timeout = timeout,
+		.last_cleanup = time_monotonic(NULL),
+		.debug = debug,
+	);
+
+	FCGX_Init();
+
+	if (socket)
+	{
+		unlink(socket);
+		this->fd = FCGX_OpenSocket(socket, 10);
+	}
+	return &this->public;
+}
diff --git a/src/libfast/fast_dispatcher.h b/src/libfast/fast_dispatcher.h
new file mode 100644
index 000000000..6546385c6
--- /dev/null
+++ b/src/libfast/fast_dispatcher.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libfast libfast
+ * @{
+ * FastCGI Application Server w/ templates.
+ *
+ * Libfast is a framework to write web applications in an MVC fashion. It uses
+ * the ClearSilver template engine and communicates through FastCGI with
+ * the webserver. It is multithreaded and really fast.
+ *
+ * The application has a global context and a session context. The global
+ * context is accessed from all sessions simultaneously and therefore
+ * needs to be threadsave. Often a database wrapper is the global context.
+ * The session context is instanciated per session. Sessions are managed
+ * automatically through session cookies. The session context is kept alive
+ * until the session times out. It must implement the context_t interface and
+ * a #fast_context_constructor_t is needed to create instances. To each session,
+ * a set of controllers gets instanciated. The controller instances are per
+ * session, so you can hold private data for each user.
+ * Controllers need to implement the controller_t interface and need a
+ * #fast_controller_constructor_t function to create instances.
+ *
+ * A small example shows how to set up libfast:
+ * @code
+	fast_fast_dispatcher_t *dispatcher;
+	your_global_context_implementation_t *global;
+
+	global = initialize_your_global_context();
+
+	dispatcher = fast_dispatcher_create(NULL, FALSE, 180,
+			(context_constructor_t)your_session_context_create, global);
+	dispatcher->add_controller(dispatcher, your_controller1_create, param1);
+	dispatcher->add_controller(dispatcher, your_controller2_create, param2);
+
+	dispatcher->run(dispatcher, 20);
+
+	dispatcher->waitsignal(dispatcher);
+
+	dispatcher->destroy(dispatcher);
+	global->destroy();
+   @endcode
+ * @}
+ *
+ * @defgroup fast_dispatcher fast_dispatcher
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_DISPATCHER_H_
+#define FAST_DISPATCHER_H_
+
+#include "fast_controller.h"
+#include "fast_filter.h"
+
+typedef struct fast_dispatcher_t fast_dispatcher_t;
+
+/**
+ * Dispatcher, accepts connections using multiple threads.
+ *
+ * The dispatcher creates a session for each client (using SID cookies). In
+ * each session, a session context is created using the context constructor.
+ * Each controller is instanciated in the session using the controller
+ * constructor added with add_controller.
+ */
+struct fast_dispatcher_t {
+
+	/**
+	 * Register a controller to the dispatcher.
+	 *
+	 * The first controller added serves as default controller. Client's
+	 * get redirected to it if no other controller matches.
+	 *
+	 * @param constructor	constructor function to the conntroller
+	 * @param param			param to pass to constructor
+	 */
+	void (*add_controller)(fast_dispatcher_t *this,
+						   fast_controller_constructor_t constructor,
+						   void *param);
+
+	/**
+	 * Add a filter to the dispatcher.
+	 *
+	 * @param constructor	constructor to create filter in session
+	 * @param param			param to pass to constructor
+	 */
+	void (*add_filter)(fast_dispatcher_t *this,
+					   fast_filter_constructor_t constructor, void *param);
+
+	/**
+	 * Start with dispatching.
+	 *
+	 * Instanciate a constant thread pool and start dispatching requests.
+	 *
+	 * @param threads		number of dispatching threads
+	 */
+	void (*run)(fast_dispatcher_t *this, int threads);
+
+	/**
+	 * Wait for a relevant signal action.
+	 */
+	void (*waitsignal)(fast_dispatcher_t *this);
+
+	/**
+	 * Destroy the fast_dispatcher_t.
+	 */
+	void (*destroy) (fast_dispatcher_t *this);
+};
+
+/**
+ * Create a dispatcher.
+ *
+ * The context constructor is invoked to create a session context for
+ * each session.
+ *
+ * @param socket		FastCGI socket path, NULL for dynamic
+ * @param debug			no stripping, no compression, timing information
+ * @param timeout		session timeout
+ * @param constructor	construction function for session context
+ * @param param			parameter to supply to context constructor
+ */
+fast_dispatcher_t *fast_dispatcher_create(char *socket, bool debug, int timeout,
+							fast_context_constructor_t constructor, void *param);
+
+#endif /** FAST_DISPATCHER_H_ @}*/
diff --git a/src/libfast/fast_filter.h b/src/libfast/fast_filter.h
new file mode 100644
index 000000000..57367bd5a
--- /dev/null
+++ b/src/libfast/fast_filter.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * @defgroup fast_filter fast_filter
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_FILTER_H_
+#define FAST_FILTER_H_
+
+#include "fast_request.h"
+#include "fast_context.h"
+#include "fast_controller.h"
+
+typedef struct fast_filter_t fast_filter_t;
+
+/**
+ * Constructor function for a filter
+ *
+ * @param context		session specific context
+ * @param param			user supplied param
+ */
+typedef fast_filter_t *(*fast_filter_constructor_t)(fast_context_t* context,
+													void *param);
+
+/**
+ * Filter interface, to be implemented by users filters.
+ */
+struct fast_filter_t {
+
+	/**
+	 * Called before the controller handles the request.
+	 *
+	 * @param request		HTTP request
+	 * @param p1			first parameter
+	 * @param p2			second parameter
+	 * @param p3			third parameter
+	 * @param p4			forth parameter
+	 * @param p5			fifth parameter
+	 * @return				TRUE to continue request handling
+	 */
+	bool (*run)(fast_filter_t *this, fast_request_t *request,
+				char *p0, char *p1, char *p2, char *p3, char *p4, char *p5);
+
+	/**
+	 * Destroy the filter instance.
+	 */
+	void (*destroy) (fast_filter_t *this);
+};
+
+#endif /* FAST_FILTER_H_ @} */
diff --git a/src/libfast/fast_request.c b/src/libfast/fast_request.c
new file mode 100644
index 000000000..0673750b7
--- /dev/null
+++ b/src/libfast/fast_request.c
@@ -0,0 +1,509 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "fast_request.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <ClearSilver/ClearSilver.h>
+
+#include <threading/thread.h>
+#include <threading/thread_value.h>
+
+typedef struct private_fast_request_t private_fast_request_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_fast_request_t {
+
+	/**
+	 * public functions
+	 */
+	fast_request_t public;
+
+	/**
+	 * FastCGI request object
+	 */
+	FCGX_Request req;
+
+	/**
+	 * length of the req.envp array
+	 */
+	int req_env_len;
+
+	/**
+	 * ClearSilver CGI Kit context
+	 */
+	CGI *cgi;
+
+	/**
+	 * ClearSilver HDF dataset for this request
+	 */
+	HDF *hdf;
+
+	/**
+	 * close the session?
+	 */
+	bool closed;
+
+	/**
+	 * reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * ClearSilver cgiwrap is not threadsave, so we use a private
+ * context for each thread.
+ */
+static thread_value_t *thread_this;
+
+/**
+ * control variable for pthread_once
+ */
+pthread_once_t once = PTHREAD_ONCE_INIT;
+
+/**
+ * fcgiwrap read callback
+ */
+static int read_cb(void *null, char *buf, int size)
+{
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	return FCGX_GetStr(buf, size, this->req.in);
+}
+
+/**
+ * fcgiwrap writef callback
+ */
+static int writef_cb(void *null, const char *format, va_list args)
+{
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	FCGX_VFPrintF(this->req.out, format, args);
+	return 0;
+}
+/**
+ * fcgiwrap write callback
+ */
+static int write_cb(void *null, const char *buf, int size)
+{
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	return FCGX_PutStr(buf, size, this->req.out);
+}
+
+/**
+ * fcgiwrap getenv callback
+ */
+static char *getenv_cb(void *null, const char *key)
+{
+	char *value;
+	private_fast_request_t *this;
+
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	value = FCGX_GetParam(key, this->req.envp);
+	return strdupnull(value);
+}
+
+/**
+ * fcgiwrap getenv callback
+ */
+static int putenv_cb(void *null, const char *key, const char *value)
+{
+	/* not supported */
+	return 1;
+}
+
+/**
+ * fcgiwrap iterenv callback
+ */
+static int iterenv_cb(void *null, int num, char **key, char **value)
+{
+	private_fast_request_t *this;
+
+	*key = NULL;
+	*value = NULL;
+	this = (private_fast_request_t*)thread_this->get(thread_this);
+
+	if (num < this->req_env_len)
+	{
+		char *eq;
+
+		eq = strchr(this->req.envp[num], '=');
+		if (eq)
+		{
+			*key = strndup(this->req.envp[num], eq - this->req.envp[num]);
+			*value = strdup(eq + 1);
+		}
+		if (*key == NULL || *value == NULL)
+		{
+			free(*key);
+			free(*value);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+METHOD(fast_request_t, get_cookie, char*,
+	private_fast_request_t *this, char *name)
+{
+	return hdf_get_valuef(this->hdf, "Cookie.%s", name);
+}
+
+METHOD(fast_request_t, get_path, char*,
+	private_fast_request_t *this)
+{
+	char *path = FCGX_GetParam("PATH_INFO", this->req.envp);
+	return path ? path : "";
+}
+
+METHOD(fast_request_t, get_host, char*,
+	private_fast_request_t *this)
+{
+	char *addr = FCGX_GetParam("REMOTE_ADDR", this->req.envp);
+	return addr ? addr : "";
+}
+
+METHOD(fast_request_t, get_user_agent, char*,
+	private_fast_request_t *this)
+{
+	char *agent = FCGX_GetParam("HTTP_USER_AGENT", this->req.envp);
+	return agent ? agent : "";
+}
+
+METHOD(fast_request_t, get_query_data, char*,
+	private_fast_request_t *this, char *name)
+{
+	return hdf_get_valuef(this->hdf, "Query.%s", name);
+}
+
+METHOD(fast_request_t, get_env_var, char*,
+	private_fast_request_t *this, char *name)
+{
+	return FCGX_GetParam(name, this->req.envp);
+}
+
+METHOD(fast_request_t, read_data, int,
+	private_fast_request_t *this, char *buf, int len)
+{
+	return FCGX_GetStr(buf, len, this->req.in);
+}
+
+METHOD(fast_request_t, get_base, char*,
+	private_fast_request_t *this)
+{
+	return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
+}
+
+METHOD(fast_request_t, add_cookie, void,
+	private_fast_request_t *this, char *name, char *value)
+{
+	thread_this->set(thread_this, this);
+	cgi_cookie_set(this->cgi, name, value, NULL, NULL, NULL, 0, 0);
+}
+
+METHOD(fast_request_t, redirect, void,
+	private_fast_request_t *this, char *fmt, ...)
+{
+	va_list args;
+
+	FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
+	FCGX_FPrintF(this->req.out, "Location: %s%s", get_base(this),
+				 *fmt == '/' ? "" : "/");
+	va_start(args, fmt);
+	FCGX_VFPrintF(this->req.out, fmt, args);
+	va_end(args);
+	FCGX_FPrintF(this->req.out, "\n\n");
+}
+
+METHOD(fast_request_t, get_referer, char*,
+	private_fast_request_t *this)
+{
+	return FCGX_GetParam("HTTP_REFERER", this->req.envp);
+}
+
+METHOD(fast_request_t, to_referer, void,
+	private_fast_request_t *this)
+{
+	char *referer;
+
+	referer = get_referer(this);
+	if (referer)
+	{
+		FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
+		FCGX_FPrintF(this->req.out, "Location: %s\n\n", referer);
+	}
+	else
+	{
+		redirect(this, "/");
+	}
+}
+
+METHOD(fast_request_t, session_closed, bool,
+	private_fast_request_t *this)
+{
+	return this->closed;
+}
+
+METHOD(fast_request_t, close_session, void,
+	private_fast_request_t *this)
+{
+	this->closed = TRUE;
+}
+
+METHOD(fast_request_t, serve, void,
+	private_fast_request_t *this, char *headers, chunk_t chunk)
+{
+	FCGX_FPrintF(this->req.out, "%s\n\n", headers);
+
+	FCGX_PutStr(chunk.ptr, chunk.len, this->req.out);
+}
+
+METHOD(fast_request_t, sendfile, bool,
+	private_fast_request_t *this, char *path, char *mime)
+{
+	struct stat sb;
+	chunk_t data;
+	void *addr;
+	int fd, written;
+	char buf[24];
+
+	fd = open(path, O_RDONLY);
+	if (fd == -1)
+	{
+		return FALSE;
+	}
+	if (fstat(fd, &sb) == -1)
+	{
+		close(fd);
+		return FALSE;
+	}
+	addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		close(fd);
+		return FALSE;
+	}
+
+	/* FCGX does not like large integers, print to a buffer using libc */
+	snprintf(buf, sizeof(buf), "%lld", (int64_t)sb.st_size);
+	FCGX_FPrintF(this->req.out, "Content-Length: %s\n", buf);
+	if (mime)
+	{
+		FCGX_FPrintF(this->req.out, "Content-Type: %s\n", mime);
+	}
+	FCGX_FPrintF(this->req.out, "\n");
+
+	data = chunk_create(addr, sb.st_size);
+
+	while (data.len)
+	{
+		written = FCGX_PutStr(data.ptr, data.len, this->req.out);
+		if (written == -1)
+		{
+			munmap(addr, sb.st_size);
+			close(fd);
+			return FALSE;
+		}
+		data = chunk_skip(data, written);
+	}
+
+	munmap(addr, sb.st_size);
+	close(fd);
+	return TRUE;
+}
+
+METHOD(fast_request_t, render, void,
+	private_fast_request_t *this, char *template)
+{
+	NEOERR* err;
+
+	thread_this->set(thread_this, this);
+	err = cgi_display(this->cgi, template);
+	if (err)
+	{
+		cgi_neo_error(this->cgi, err);
+		nerr_log_error(err);
+	}
+}
+
+METHOD(fast_request_t, streamf, int,
+	private_fast_request_t *this, char *format, ...)
+{
+	va_list args;
+	int written;
+
+	va_start(args, format);
+	written = FCGX_VFPrintF(this->req.out, format, args);
+	va_end(args);
+	if (written >= 0 &&
+		FCGX_FFlush(this->req.out) == -1)
+	{
+		return -1;
+	}
+	return written;
+}
+
+METHOD(fast_request_t, set, void,
+	private_fast_request_t *this, char *key, char *value)
+{
+	hdf_set_value(this->hdf, key, value);
+}
+
+METHOD(fast_request_t, setf, void,
+	private_fast_request_t *this, char *format, ...)
+{
+	va_list args;
+
+	va_start(args, format);
+	hdf_set_valuevf(this->hdf, format, args);
+	va_end(args);
+}
+
+METHOD(fast_request_t, get_ref, fast_request_t*,
+	private_fast_request_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
+METHOD(fast_request_t, destroy, void,
+	private_fast_request_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		thread_this->set(thread_this, this);
+		cgi_destroy(&this->cgi);
+		FCGX_Finish_r(&this->req);
+		free(this);
+	}
+}
+
+/**
+ * This initialization method is guaranteed to run only once
+ * for all threads.
+ */
+static void init(void)
+{
+	cgiwrap_init_emu(NULL, read_cb, writef_cb, write_cb,
+					 getenv_cb, putenv_cb, iterenv_cb);
+	thread_this = thread_value_create(NULL);
+}
+
+/*
+ * see header file
+ */
+fast_request_t *fast_request_create(int fd, bool debug)
+{
+	NEOERR* err;
+	private_fast_request_t *this;
+	bool failed = FALSE;
+
+	INIT(this,
+		.public = {
+			.get_path = _get_path,
+			.get_base = _get_base,
+			.get_host = _get_host,
+			.get_user_agent = _get_user_agent,
+			.add_cookie = _add_cookie,
+			.get_cookie = _get_cookie,
+			.get_query_data = _get_query_data,
+			.get_env_var = _get_env_var,
+			.read_data = _read_data,
+			.session_closed = _session_closed,
+			.close_session = _close_session,
+			.redirect = _redirect,
+			.get_referer = _get_referer,
+			.to_referer = _to_referer,
+			.render = _render,
+			.streamf = _streamf,
+			.serve = _serve,
+			.sendfile = _sendfile,
+			.set = _set,
+			.setf = _setf,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.ref = 1,
+	);
+
+	thread_cleanup_push(free, this);
+	if (FCGX_InitRequest(&this->req, fd, 0) != 0 ||
+		FCGX_Accept_r(&this->req) != 0)
+	{
+		failed = TRUE;
+	}
+	thread_cleanup_pop(failed);
+	if (failed)
+	{
+		return NULL;
+	}
+
+	pthread_once(&once, init);
+	thread_this->set(thread_this, this);
+
+	while (this->req.envp[this->req_env_len] != NULL)
+	{
+		this->req_env_len++;
+	}
+
+	err = hdf_init(&this->hdf);
+	if (!err)
+	{
+		hdf_set_value(this->hdf, "base", get_base(this));
+		hdf_set_value(this->hdf, "Config.NoCache", "true");
+		if (!debug)
+		{
+			hdf_set_value(this->hdf, "Config.TimeFooter", "0");
+			hdf_set_value(this->hdf, "Config.CompressionEnabled", "1");
+			hdf_set_value(this->hdf, "Config.WhiteSpaceStrip", "2");
+		}
+
+		err = cgi_init(&this->cgi, this->hdf);
+		if (!err)
+		{
+			err = cgi_parse(this->cgi);
+			if (!err)
+			{
+				return &this->public;
+			}
+			cgi_destroy(&this->cgi);
+		}
+	}
+	nerr_log_error(err);
+	FCGX_Finish_r(&this->req);
+	free(this);
+	return NULL;
+}
diff --git a/src/libfast/fast_request.h b/src/libfast/fast_request.h
new file mode 100644
index 000000000..678cf54d5
--- /dev/null
+++ b/src/libfast/fast_request.h
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_request fast_request
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_REQUEST_H_
+#define FAST_REQUEST_H_
+
+#include <fcgiapp.h>
+#include <library.h>
+
+typedef struct fast_request_t fast_request_t;
+
+/**
+ * A HTTP request, encapsulates FCGX_Request.
+ *
+ * The response is also handled through the request object.
+ */
+struct fast_request_t {
+
+	/**
+	 * Add a cookie to the reply (Set-Cookie header).
+	 *
+	 * @param name		name of the cookie to set
+	 * @param value		value of the cookie
+	 */
+	void (*add_cookie)(fast_request_t *this, char *name, char *value);
+
+	/**
+	 * Get a cookie the client sent in the request.
+	 *
+	 * @param name		name of the cookie
+	 * @return			cookie value, NULL if no such cookie found
+	 */
+	char* (*get_cookie)(fast_request_t *this, char *name);
+
+	/**
+	 * Get the request path relative to the application.
+	 *
+	 * @return			path
+	 */
+	char* (*get_path)(fast_request_t *this);
+
+	/**
+	 * Get the base path of the application.
+	 *
+	 * @return			base path
+	 */
+	char* (*get_base)(fast_request_t *this);
+
+	/**
+	 * Get the remote host address of this request.
+	 *
+	 * @return			host address as string
+	 */
+	char* (*get_host)(fast_request_t *this);
+
+	/**
+	 * Get the user agent string.
+	 *
+	 * @return			user agent string
+	 */
+	char* (*get_user_agent)(fast_request_t *this);
+
+	/**
+	 * Get a post/get variable included in the request.
+	 *
+	 * @param name		name of the POST/GET variable
+	 * @return			value, NULL if not found
+	 */
+	char* (*get_query_data)(fast_request_t *this, char *name);
+
+	/**
+	 * Get an arbitrary environment variable.
+	 *
+	 * @param name		name of the environment variable
+	 * @return			value, NULL if not found
+	 */
+	char* (*get_env_var)(fast_request_t *this, char *name);
+
+	/**
+	 * Read raw POST/PUT data from HTTP request.
+	 *
+	 * @param buf		buffer to read data into
+	 * @param len		size of the supplied buffer
+	 * @return			number of bytes read, < 0 on error
+	 */
+	int (*read_data)(fast_request_t *this, char *buf, int len);
+
+	/**
+	 * Close the session and it's context after handling.
+	 */
+	void (*close_session)(fast_request_t *this);
+
+	/**
+	 * Has the session been closed by close_session()?
+	 *
+	 * @return			TRUE if session has been closed
+	 */
+	bool (*session_closed)(fast_request_t *this);
+
+	/**
+	 * Redirect the client to another location.
+	 *
+	 * @param fmt		location format string
+	 * @param ...		variable argument for fmt
+	 */
+	void (*redirect)(fast_request_t *this, char *fmt, ...);
+
+	/**
+	 * Get the HTTP referer.
+	 *
+	 * @return			HTTP referer
+	 */
+	char* (*get_referer)(fast_request_t *this);
+
+	/**
+	 * Redirect back to the referer.
+	 */
+	void (*to_referer)(fast_request_t *this);
+
+	/**
+	 * Set a template value.
+	 *
+	 * @param key		key to set
+	 * @param value		value to set key to
+	 */
+	void (*set)(fast_request_t *this, char *key, char *value);
+
+	/**
+	 * Set a template value using format strings.
+	 *
+	 * Format string is in the form "key=value", where printf like format
+	 * substitution occurs over the whole string.
+	 *
+	 * @param format	printf like format string
+	 * @param ...		variable argument list
+	 */
+	void (*setf)(fast_request_t *this, char *format, ...);
+
+	/**
+	 * Render a template.
+	 *
+	 * The render() function additionally sets a HDF variable "base"
+	 * which points to the root of the web application and allows to point to
+	 * other targets without to worry about path location.
+	 *
+	 * @param template	clearsilver template file location
+	 */
+	void (*render)(fast_request_t *this, char *template);
+
+	/**
+	 * Stream a format string to the client.
+	 *
+	 * Stream is not closed and may be called multiple times to allow
+	 * server-push functionality.
+	 *
+	 * @param format	printf like format string
+	 * @param ...		argmuent list to format string
+	 * @return			number of streamed bytes, < 0 if stream closed
+	 */
+	int (*streamf)(fast_request_t *this, char *format, ...);
+
+	/**
+	 * Serve a request with headers and a body.
+	 *
+	 * @param headers	HTTP headers, \n separated
+	 * @param chunk		body to write to output
+	 */
+	void (*serve)(fast_request_t *this, char *headers, chunk_t chunk);
+
+	/**
+	 * Send a file from the file system.
+	 *
+	 * @param path		path to file to serve
+	 * @param mime		mime type of file to send, or NULL
+	 * @return			TRUE if file served successfully
+	 */
+	bool (*sendfile)(fast_request_t *this, char *path, char *mime);
+
+	/**
+	 * Increase the reference count to the stream.
+	 *
+	 * @return			this with increased refcount
+	 */
+	fast_request_t* (*get_ref)(fast_request_t *this);
+
+	/**
+	 * Destroy the fast_request_t.
+	 */
+	void (*destroy) (fast_request_t *this);
+};
+
+/**
+ * Create a request from the fastcgi struct.
+ *
+ * @param fd			file descripter opened with FCGX_OpenSocket
+ * @param debug			no stripping, no compression, timing information
+ */
+fast_request_t *fast_request_create(int fd, bool debug);
+
+#endif /** REQUEST_H_ @}*/
diff --git a/src/libfast/fast_session.c b/src/libfast/fast_session.c
new file mode 100644
index 000000000..56d4a0443
--- /dev/null
+++ b/src/libfast/fast_session.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "fast_session.h"
+
+#include <string.h>
+#include <fcgiapp.h>
+#include <stdio.h>
+
+#include <collections/linked_list.h>
+
+#define COOKIE_LEN 16
+
+typedef struct private_fast_session_t private_fast_session_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_fast_session_t {
+
+	/**
+	 * public functions
+	 */
+	fast_session_t public;
+
+	/**
+	 * session ID
+	 */
+	char sid[COOKIE_LEN * 2 + 1];
+
+	/**
+	 * have we sent the session cookie?
+	 */
+	bool cookie_sent;
+
+	/**
+	 * list of controller instances controller_t
+	 */
+	linked_list_t *controllers;
+
+	/**
+	 * list of filter instances filter_t
+	 */
+	linked_list_t *filters;
+
+	/**
+	 * user defined session context
+	 */
+	fast_context_t *context;
+};
+
+METHOD(fast_session_t, add_controller, void,
+	private_fast_session_t *this, fast_controller_t *controller)
+{
+	this->controllers->insert_last(this->controllers, controller);
+}
+
+METHOD(fast_session_t, add_filter, void,
+	private_fast_session_t *this, fast_filter_t *filter)
+{
+	this->filters->insert_last(this->filters, filter);
+}
+
+/**
+ * Create a session ID and a cookie
+ */
+static bool create_sid(private_fast_session_t *this)
+{
+	char buf[COOKIE_LEN];
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		return FALSE;
+	}
+	if (!rng->get_bytes(rng, sizeof(buf), buf))
+	{
+		rng->destroy(rng);
+		return FALSE;
+	}
+	rng->destroy(rng);
+	chunk_to_hex(chunk_create(buf, sizeof(buf)), this->sid, FALSE);
+	return TRUE;
+}
+
+/**
+ * run all registered filters
+ */
+static bool run_filter(private_fast_session_t *this, fast_request_t *request,
+					char *p0, char *p1, char *p2, char *p3, char *p4, char *p5)
+{
+	enumerator_t *enumerator;
+	fast_filter_t *filter;
+
+	enumerator = this->filters->create_enumerator(this->filters);
+	while (enumerator->enumerate(enumerator, &filter))
+	{
+		if (!filter->run(filter, request, p0, p1, p2, p3, p4, p5))
+		{
+			enumerator->destroy(enumerator);
+			return FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+}
+
+METHOD(fast_session_t, process, void,
+	private_fast_session_t *this, fast_request_t *request)
+{
+	char *pos, *start, *param[6] = {NULL, NULL, NULL, NULL, NULL, NULL};
+	enumerator_t *enumerator;
+	bool handled = FALSE;
+	fast_controller_t *current;
+	int i = 0;
+
+	if (!this->cookie_sent)
+	{
+		request->add_cookie(request, "SID", this->sid);
+		this->cookie_sent = TRUE;
+	}
+
+	start = request->get_path(request);
+	if (start)
+	{
+		if (*start == '/')
+		{
+			start++;
+		}
+		while ((pos = strchr(start, '/')) != NULL && i < 5)
+		{
+			param[i++] = strndupa(start, pos - start);
+			start = pos + 1;
+		}
+		param[i] = strdupa(start);
+
+		if (run_filter(this, request, param[0], param[1], param[2], param[3],
+						param[4], param[5]))
+		{
+			enumerator = this->controllers->create_enumerator(this->controllers);
+			while (enumerator->enumerate(enumerator, &current))
+			{
+				if (streq(current->get_name(current), param[0]))
+				{
+					current->handle(current, request, param[1], param[2],
+									param[3], param[4], param[5]);
+					handled = TRUE;
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		else
+		{
+			handled = TRUE;
+		}
+	}
+	if (!handled)
+	{
+		if (this->controllers->get_first(this->controllers,
+										 (void**)&current) == SUCCESS)
+		{
+			request->streamf(request,
+				"Status: 301 Moved permanently\nLocation: %s/%s\n\n",
+				request->get_base(request), current->get_name(current));
+		}
+	}
+}
+
+METHOD(fast_session_t, get_sid, char*,
+	private_fast_session_t *this)
+{
+	return this->sid;
+}
+
+METHOD(fast_session_t, destroy, void,
+	private_fast_session_t *this)
+{
+	this->controllers->destroy_offset(this->controllers,
+									  offsetof(fast_controller_t, destroy));
+	this->filters->destroy_offset(this->filters,
+									  offsetof(fast_filter_t, destroy));
+	DESTROY_IF(this->context);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+fast_session_t *fast_session_create(fast_context_t *context)
+{
+	private_fast_session_t *this;
+
+	INIT(this,
+		.public = {
+			.add_controller = _add_controller,
+			.add_filter = _add_filter,
+			.process = _process,
+			.get_sid = _get_sid,
+			.destroy = _destroy,
+		},
+		.controllers = linked_list_create(),
+		.filters = linked_list_create(),
+		.context = context,
+	);
+	if (!create_sid(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libfast/fast_session.h b/src/libfast/fast_session.h
new file mode 100644
index 000000000..2ff450b93
--- /dev/null
+++ b/src/libfast/fast_session.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_session fast_session
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_SESSION_H_
+#define FAST_SESSION_H_
+
+#include "fast_request.h"
+#include "fast_controller.h"
+#include "fast_filter.h"
+
+typedef struct fast_session_t fast_session_t;
+
+/**
+ * Session handling class, instanciated for each user session.
+ */
+struct fast_session_t {
+
+	/**
+	 * Get the session ID of the session.
+	 *
+	 * @return				session ID
+	 */
+	char* (*get_sid)(fast_session_t *this);
+
+	/**
+	 * Add a controller instance to the session.
+	 *
+	 * @param controller	controller to add
+	 */
+	void (*add_controller)(fast_session_t *this, fast_controller_t *controller);
+
+	/**
+	 * Add a filter instance to the session.
+	 *
+	 * @param filter		filter to add
+	 */
+	void (*add_filter)(fast_session_t *this, fast_filter_t *filter);
+
+	/**
+	 * Process a request in this session.
+	 *
+	 * @param request		request to process
+	 */
+	void (*process)(fast_session_t *this, fast_request_t *request);
+
+	/**
+	 * Destroy the fast_session_t.
+	 */
+	void (*destroy) (fast_session_t *this);
+};
+
+/**
+ * Create a session new session.
+ *
+ * @param context		user defined session context instance
+ * @return				client session, NULL on error
+ */
+fast_session_t *fast_session_create(fast_context_t *context);
+
+#endif /** SESSION_H_ @}*/
diff --git a/src/libfast/fast_smtp.c b/src/libfast/fast_smtp.c
new file mode 100644
index 000000000..89e74d79b
--- /dev/null
+++ b/src/libfast/fast_smtp.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "fast_smtp.h"
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <utils/debug.h>
+
+typedef struct private_fast_smtp_t private_fast_smtp_t;
+
+/**
+ * Private data of an fast_smtp_t object.
+ */
+struct private_fast_smtp_t {
+
+	/**
+	 * Public fast_smtp_t interface.
+	 */
+	fast_smtp_t public;
+
+	/**
+	 * file stream to SMTP server
+	 */
+	FILE *f;
+};
+
+/**
+ * Read the response code from an SMTP server
+ */
+static int read_response(private_fast_smtp_t *this)
+{
+	char buf[256], *end;
+	int res = 0;
+
+	while (TRUE)
+	{
+		if (!fgets(buf, sizeof(buf), this->f))
+		{
+			return 0;
+		}
+		res = strtol(buf, &end, 10);
+		switch (*end)
+		{
+			case '-':
+				continue;
+			case ' ':
+			case '\0':
+			case '\n':
+				break;
+			default:
+				return 0;
+		}
+		break;
+	}
+	return res;
+}
+
+/**
+ * write a SMTP command to the server, read response code
+ */
+static int write_cmd(private_fast_smtp_t *this, char *fmt, ...)
+{
+	char buf[256];
+	va_list args;
+
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+
+	if (fprintf(this->f, "%s\n", buf) < 1)
+	{
+		DBG1(DBG_LIB, "sending SMTP command failed");
+		return 0;
+	}
+	return read_response(this);
+}
+
+METHOD(fast_smtp_t, send_mail, bool,
+	private_fast_smtp_t *this, char *from, char *to, char *subject, char *fmt, ...)
+{
+	va_list args;
+
+	if (write_cmd(this, "MAIL FROM:<%s>", from) != 250)
+	{
+		DBG1(DBG_LIB, "SMTP MAIL FROM failed");
+		return FALSE;
+	}
+	if (write_cmd(this, "RCPT TO:<%s>", to) != 250)
+	{
+		DBG1(DBG_LIB, "SMTP RCPT TO failed");
+		return FALSE;
+	}
+	if (write_cmd(this, "DATA") != 354)
+	{
+		DBG1(DBG_LIB, "SMTP DATA failed");
+		return FALSE;
+	}
+
+	fprintf(this->f, "From: %s\n", from);
+	fprintf(this->f, "To: %s\n", to);
+	fprintf(this->f, "Subject: %s\n", subject);
+	fprintf(this->f, "\n");
+	va_start(args, fmt);
+	vfprintf(this->f, fmt, args);
+	va_end(args);
+	fprintf(this->f, "\n.\n");
+	return read_response(this) == 250;
+}
+
+
+METHOD(fast_smtp_t, destroy, void,
+	private_fast_smtp_t *this)
+{
+	write_cmd(this, "QUIT");
+	fclose(this->f);
+	free(this);
+}
+
+/**
+ * See header
+ */
+fast_smtp_t *fast_smtp_create()
+{
+	private_fast_smtp_t *this;
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_port = htons(25),
+		.sin_addr = {
+			.s_addr = htonl(INADDR_LOOPBACK),
+		},
+	};
+	int s;
+
+	INIT(this,
+		.public = {
+			.send_mail = _send_mail,
+			.destroy = _destroy,
+		},
+	);
+
+	s = socket(AF_INET, SOCK_STREAM, 0);
+	if (s < 0)
+	{
+		DBG1(DBG_LIB, "opening SMTP socket failed: %s", strerror(errno));
+		free(this);
+		return NULL;
+	}
+	if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_LIB, "connecting to SMTP server failed: %s", strerror(errno));
+		close(s);
+		free(this);
+		return NULL;
+	}
+	this->f = fdopen(s, "a+");
+	if (!this->f)
+	{
+		DBG1(DBG_LIB, "opening stream to SMTP server failed: %s",
+			 strerror(errno));
+		close(s);
+		free(this);
+		return NULL;
+	}
+	if (read_response(this) != 220 ||
+		write_cmd(this, "EHLO localhost") != 250)
+	{
+		DBG1(DBG_LIB, "SMTP EHLO failed");
+		fclose(this->f);
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libfast/fast_smtp.h b/src/libfast/fast_smtp.h
new file mode 100644
index 000000000..962ba2cc7
--- /dev/null
+++ b/src/libfast/fast_smtp.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup fast_smtp fast_smtp
+ * @{ @ingroup libfast
+ */
+
+#ifndef FAST_SMTP_H_
+#define FAST_SMTP_H_
+
+typedef struct fast_smtp_t fast_smtp_t;
+
+#include <library.h>
+
+/**
+ * Ultra-minimalistic SMTP client. Works at most with Exim on localhost.
+ */
+struct fast_smtp_t {
+
+	/**
+	 * Send an e-mail message.
+	 *
+	 * @param from		sender address
+	 * @param to		recipient address
+	 * @param subject	mail subject
+	 * @param fmt		mail body format string
+	 * @param ...		arguments for body format string
+	 */
+	bool (*send_mail)(fast_smtp_t *this, char *from, char *to,
+					  char *subject, char *fmt, ...);
+
+	/**
+	 * Destroy a fast_smtp_t.
+	 */
+	void (*destroy)(fast_smtp_t *this);
+};
+
+/**
+ * Create a smtp instance.
+ */
+fast_smtp_t *fast_smtp_create();
+
+#endif /** FAST_SMTP_H_ @}*/
diff --git a/src/libfast/filter.h b/src/libfast/filter.h
deleted file mode 100644
index 305a8bb6e..000000000
--- a/src/libfast/filter.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- * @defgroup filter filter
- * @{ @ingroup libfast
- */
-
-#ifndef FILTER_H_
-#define FILTER_H_
-
-#include "request.h"
-#include "context.h"
-#include "controller.h"
-
-typedef struct filter_t filter_t;
-
-/**
- * Constructor function for a filter
- *
- * @param context		session specific context
- * @param param			user supplied param
- */
-typedef filter_t *(*filter_constructor_t)(context_t* context, void *param);
-
-/**
- * Filter interface, to be implemented by users filters.
- */
-struct filter_t {
-
-	/**
-	 * Called before the controller handles the request.
-	 *
-	 * @param request		HTTP request
-	 * @param p1			first parameter
-	 * @param p2			second parameter
-	 * @param p3			third parameter
-	 * @param p4			forth parameter
-	 * @param p5			fifth parameter
-	 * @return				TRUE to continue request handling
-	 */
-	bool (*run)(filter_t *this, request_t *request,
-				char *p0, char *p1, char *p2, char *p3, char *p4, char *p5);
-
-	/**
-	 * Destroy the filter instance.
-	 */
-	void (*destroy) (filter_t *this);
-};
-
-#endif /* FILTER_H_ @} */
diff --git a/src/libfast/request.c b/src/libfast/request.c
deleted file mode 100644
index 3acd831b2..000000000
--- a/src/libfast/request.c
+++ /dev/null
@@ -1,439 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-
-#include "request.h"
-
-#include <library.h>
-#include <debug.h>
-#include <stdlib.h>
-#include <pthread.h>
-#include <string.h>
-#include <ClearSilver/ClearSilver.h>
-
-#include <threading/thread.h>
-#include <threading/thread_value.h>
-
-typedef struct private_request_t private_request_t;
-
-/**
- * private data of the task manager
- */
-struct private_request_t {
-
-	/**
-	 * public functions
-	 */
-	request_t public;
-
-	/**
-	 * FastCGI request object
-	 */
-	FCGX_Request req;
-
-	/**
-	 * length of the req.envp array
-	 */
-	int req_env_len;
-
-	/**
-	 * ClearSilver CGI Kit context
-	 */
-	CGI *cgi;
-
-	/**
-	 * ClearSilver HDF dataset for this request
-	 */
-	HDF *hdf;
-
-	/**
-	 * close the session?
-	 */
-	bool closed;
-
-	/**
-	 * reference count
-	 */
-	refcount_t ref;
-};
-
-/**
- * ClearSilver cgiwrap is not threadsave, so we use a private
- * context for each thread.
- */
-static thread_value_t *thread_this;
-
-/**
- * control variable for pthread_once
- */
-pthread_once_t once = PTHREAD_ONCE_INIT;
-
-/**
- * fcgiwrap read callback
- */
-static int read_cb(void *null, char *buf, int size)
-{
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	return FCGX_GetStr(buf, size, this->req.in);
-}
-
-/**
- * fcgiwrap writef callback
- */
-static int writef_cb(void *null, const char *format, va_list args)
-{
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	FCGX_VFPrintF(this->req.out, format, args);
-	return 0;
-}
-/**
- * fcgiwrap write callback
- */
-static int write_cb(void *null, const char *buf, int size)
-{
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	return FCGX_PutStr(buf, size, this->req.out);
-}
-
-/**
- * fcgiwrap getenv callback
- */
-static char *getenv_cb(void *null, const char *key)
-{
-	char *value;
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-
-	value = FCGX_GetParam(key, this->req.envp);
-	return strdupnull(value);
-}
-
-/**
- * fcgiwrap getenv callback
- */
-static int putenv_cb(void *null, const char *key, const char *value)
-{
-	/* not supported */
-	return 1;
-}
-
-/**
- * fcgiwrap iterenv callback
- */
-static int iterenv_cb(void *null, int num, char **key, char **value)
-{
-	*key = NULL;
-	*value = NULL;
-	private_request_t *this = (private_request_t*)thread_this->get(thread_this);
-	if (num < this->req_env_len)
-	{
-		char *eq;
-
-		eq = strchr(this->req.envp[num], '=');
-		if (eq)
-		{
-			*key = strndup(this->req.envp[num], eq - this->req.envp[num]);
-			*value = strdup(eq + 1);
-		}
-		if (*key == NULL || *value == NULL)
-		{
-			free(*key);
-			free(*value);
-			return 1;
-		}
-	}
-	return 0;
-}
-
-METHOD(request_t, get_cookie, char*,
-	private_request_t *this, char *name)
-{
-	return hdf_get_valuef(this->hdf, "Cookie.%s", name);
-}
-
-METHOD(request_t, get_path, char*,
-	private_request_t *this)
-{
-	char * path = FCGX_GetParam("PATH_INFO", this->req.envp);
-	return path ? path : "";
-}
-
-METHOD(request_t, get_host, char*,
-	private_request_t *this)
-{
-	char *addr = FCGX_GetParam("REMOTE_ADDR", this->req.envp);
-	return addr ? addr : "";
-}
-
-METHOD(request_t, get_user_agent, char*,
-	private_request_t *this)
-{
-	char *agent = FCGX_GetParam("HTTP_USER_AGENT", this->req.envp);
-	return agent ? agent : "";
-}
-
-METHOD(request_t, get_query_data, char*,
-	private_request_t *this, char *name)
-{
-	return hdf_get_valuef(this->hdf, "Query.%s", name);
-}
-
-METHOD(request_t, get_env_var, char*,
-	private_request_t *this, char *name)
-{
-	return FCGX_GetParam(name, this->req.envp);
-}
-
-METHOD(request_t, read_data, int,
-	private_request_t *this, char *buf, int len)
-{
-	return FCGX_GetStr(buf, len, this->req.in);
-}
-
-METHOD(request_t, get_base, char*,
-	private_request_t *this)
-{
-	return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
-}
-
-METHOD(request_t, add_cookie, void,
-	private_request_t *this, char *name, char *value)
-{
-	thread_this->set(thread_this, this);
-	cgi_cookie_set(this->cgi, name, value, NULL, NULL, NULL, 0, 0);
-}
-
-METHOD(request_t, redirect, void,
-	private_request_t *this, char *fmt, ...)
-{
-	va_list args;
-
-	FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
-	FCGX_FPrintF(this->req.out, "Location: %s%s", get_base(this),
-				 *fmt == '/' ? "" : "/");
-	va_start(args, fmt);
-	FCGX_VFPrintF(this->req.out, fmt, args);
-	va_end(args);
-	FCGX_FPrintF(this->req.out, "\n\n");
-}
-
-METHOD(request_t, get_referer, char*,
-	private_request_t *this)
-{
-	return FCGX_GetParam("HTTP_REFERER", this->req.envp);
-}
-
-METHOD(request_t, to_referer, void,
-	private_request_t *this)
-{
-	char *referer;
-
-	referer = get_referer(this);
-	if (referer)
-	{
-		FCGX_FPrintF(this->req.out, "Status: 303 See Other\n");
-		FCGX_FPrintF(this->req.out, "Location: %s\n\n", referer);
-	}
-	else
-	{
-		redirect(this, "/");
-	}
-}
-
-METHOD(request_t, session_closed, bool,
-	private_request_t *this)
-{
-	return this->closed;
-}
-
-METHOD(request_t, close_session, void,
-	private_request_t *this)
-{
-	this->closed = TRUE;
-}
-
-METHOD(request_t, serve, void,
-	private_request_t *this, char *headers, chunk_t chunk)
-{
-	FCGX_FPrintF(this->req.out, "%s\n\n", headers);
-
-	FCGX_PutStr(chunk.ptr, chunk.len, this->req.out);
-}
-
-METHOD(request_t, render, void,
-	private_request_t *this, char *template)
-{
-	NEOERR* err;
-
-	thread_this->set(thread_this, this);
-	err = cgi_display(this->cgi, template);
-	if (err)
-	{
-		cgi_neo_error(this->cgi, err);
-		nerr_log_error(err);
-	}
-}
-
-METHOD(request_t, streamf, int,
-	private_request_t *this, char *format, ...)
-{
-	va_list args;
-	int written;
-
-	va_start(args, format);
-	written = FCGX_VFPrintF(this->req.out, format, args);
-	va_end(args);
-	if (written >= 0 &&
-		FCGX_FFlush(this->req.out) == -1)
-	{
-		return -1;
-	}
-	return written;
-}
-
-METHOD(request_t, set, void,
-	private_request_t *this, char *key, char *value)
-{
-	hdf_set_value(this->hdf, key, value);
-}
-
-METHOD(request_t, setf, void,
-	private_request_t *this, char *format, ...)
-{
-	va_list args;
-
-	va_start(args, format);
-	hdf_set_valuevf(this->hdf, format, args);
-	va_end(args);
-}
-
-METHOD(request_t, get_ref, request_t*,
-	private_request_t *this)
-{
-	ref_get(&this->ref);
-	return &this->public;
-}
-
-METHOD(request_t, destroy, void,
-	private_request_t *this)
-{
-	if (ref_put(&this->ref))
-	{
-		thread_this->set(thread_this, this);
-		cgi_destroy(&this->cgi);
-		FCGX_Finish_r(&this->req);
-		free(this);
-	}
-}
-
-/**
- * This initialization method is guaranteed to run only once
- * for all threads.
- */
-static void init(void)
-{
-	cgiwrap_init_emu(NULL, read_cb, writef_cb, write_cb,
-					 getenv_cb, putenv_cb, iterenv_cb);
-	thread_this = thread_value_create(NULL);
-}
-
-/*
- * see header file
- */
-request_t *request_create(int fd, bool debug)
-{
-	NEOERR* err;
-	private_request_t *this;
-	bool failed = FALSE;
-
-	INIT(this,
-		.public = {
-			.get_path = _get_path,
-			.get_base = _get_base,
-			.get_host = _get_host,
-			.get_user_agent = _get_user_agent,
-			.add_cookie = _add_cookie,
-			.get_cookie = _get_cookie,
-			.get_query_data = _get_query_data,
-			.get_env_var = _get_env_var,
-			.read_data = _read_data,
-			.session_closed = _session_closed,
-			.close_session = _close_session,
-			.redirect = _redirect,
-			.get_referer = _get_referer,
-			.to_referer = _to_referer,
-			.render = _render,
-			.streamf = _streamf,
-			.serve = _serve,
-			.set = _set,
-			.setf = _setf,
-			.get_ref = _get_ref,
-			.destroy = _destroy,
-		},
-		.ref = 1,
-	);
-
-	thread_cleanup_push(free, this);
-	if (FCGX_InitRequest(&this->req, fd, 0) != 0 ||
-		FCGX_Accept_r(&this->req) != 0)
-	{
-		failed = TRUE;
-	}
-	thread_cleanup_pop(failed);
-	if (failed)
-	{
-		return NULL;
-	}
-
-	pthread_once(&once, init);
-	thread_this->set(thread_this, this);
-
-	while (this->req.envp[this->req_env_len] != NULL)
-	{
-		this->req_env_len++;
-	}
-
-	err = hdf_init(&this->hdf);
-	if (!err)
-	{
-		hdf_set_value(this->hdf, "base", get_base(this));
-		hdf_set_value(this->hdf, "Config.NoCache", "true");
-		if (!debug)
-		{
-			hdf_set_value(this->hdf, "Config.TimeFooter", "0");
-			hdf_set_value(this->hdf, "Config.CompressionEnabled", "1");
-			hdf_set_value(this->hdf, "Config.WhiteSpaceStrip", "2");
-		}
-
-		err = cgi_init(&this->cgi, this->hdf);
-		if (!err)
-		{
-			err = cgi_parse(this->cgi);
-			if (!err)
-			{
-				return &this->public;
-			}
-			cgi_destroy(&this->cgi);
-		}
-	}
-	nerr_log_error(err);
-	FCGX_Finish_r(&this->req);
-	free(this);
-	return NULL;
-}
-
diff --git a/src/libfast/request.h b/src/libfast/request.h
deleted file mode 100644
index c9c1f13e2..000000000
--- a/src/libfast/request.h
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup request request
- * @{ @ingroup libfast
- */
-
-#ifndef REQUEST_H_
-#define REQUEST_H_
-
-#include <fcgiapp.h>
-#include <library.h>
-
-typedef struct request_t request_t;
-
-/**
- * A HTTP request, encapsulates FCGX_Request.
- *
- * The response is also handled through the request object.
- */
-struct request_t {
-
-	/**
-	 * Add a cookie to the reply (Set-Cookie header).
-	 *
-	 * @param name		name of the cookie to set
-	 * @param value		value of the cookie
-	 */
-	void (*add_cookie)(request_t *this, char *name, char *value);
-
-	/**
-	 * Get a cookie the client sent in the request.
-	 *
-	 * @param name		name of the cookie
-	 * @return			cookie value, NULL if no such cookie found
-	 */
-	char* (*get_cookie)(request_t *this, char *name);
-
-	/**
-	 * Get the request path relative to the application.
-	 *
-	 * @return			path
-	 */
-	char* (*get_path)(request_t *this);
-
-	/**
-	 * Get the base path of the application.
-	 *
-	 * @return			base path
-	 */
-	char* (*get_base)(request_t *this);
-
-	/**
-	 * Get the remote host address of this request.
-	 *
-	 * @return			host address as string
-	 */
-	char* (*get_host)(request_t *this);
-
-	/**
-	 * Get the user agent string.
-	 *
-	 * @return			user agent string
-	 */
-	char* (*get_user_agent)(request_t *this);
-
-	/**
-	 * Get a post/get variable included in the request.
-	 *
-	 * @param name		name of the POST/GET variable
-	 * @return			value, NULL if not found
-	 */
-	char* (*get_query_data)(request_t *this, char *name);
-
-	/**
-	 * Get an arbitrary environment variable.
-	 *
-	 * @param name		name of the environment variable
-	 * @return			value, NULL if not found
-	 */
-	char* (*get_env_var)(request_t *this, char *name);
-
-	/**
-	 * Read raw POST/PUT data from HTTP request.
-	 *
-	 * @param buf		buffer to read data into
-	 * @param len		size of the supplied buffer
-	 * @return			number of bytes read, < 0 on error
-	 */
-	int (*read_data)(request_t *this, char *buf, int len);
-
-	/**
-	 * Close the session and it's context after handling.
-	 */
-	void (*close_session)(request_t *this);
-
-	/**
-	 * Has the session been closed by close_session()?
-	 *
-	 * @return			TRUE if session has been closed
-	 */
-	bool (*session_closed)(request_t *this);
-
-	/**
-	 * Redirect the client to another location.
-	 *
-	 * @param fmt		location format string
-	 * @param ...		variable argument for fmt
-	 */
-	void (*redirect)(request_t *this, char *fmt, ...);
-
-	/**
-	 * Get the HTTP referer.
-	 *
-	 * @return			HTTP referer
-	 */
-	char* (*get_referer)(request_t *this);
-
-	/**
-	 * Redirect back to the referer.
-	 */
-	void (*to_referer)(request_t *this);
-
-	/**
-	 * Set a template value.
-	 *
-	 * @param key		key to set
-	 * @param value		value to set key to
-	 */
-	void (*set)(request_t *this, char *key, char *value);
-
-	/**
-	 * Set a template value using format strings.
-	 *
-	 * Format string is in the form "key=value", where printf like format
-	 * substitution occurs over the whole string.
-	 *
-	 * @param format	printf like format string
-	 * @param ...		variable argument list
-	 */
-	void (*setf)(request_t *this, char *format, ...);
-
-	/**
-	 * Render a template.
-	 *
-	 * The render() function additionally sets a HDF variable "base"
-	 * which points to the root of the web application and allows to point to
-	 * other targets without to worry about path location.
-	 *
-	 * @param template	clearsilver template file location
-	 */
-	void (*render)(request_t *this, char *template);
-
-	/**
-	 * Stream a format string to the client.
-	 *
-	 * Stream is not closed and may be called multiple times to allow
-	 * server-push functionality.
-	 *
-	 * @param format	printf like format string
-	 * @param ...		argmuent list to format string
-	 * @return			number of streamed bytes, < 0 if stream closed
-	 */
-	int (*streamf)(request_t *this, char *format, ...);
-
-	/**
-	 * Serve a request with headers and a body.
-	 *
-	 * @param headers	HTTP headers, \n separated
-	 * @param chunk		body to write to output
-	 */
-	void (*serve)(request_t *this, char *headers, chunk_t chunk);
-
-	/**
-	 * Increase the reference count to the stream.
-	 *
-	 * @return			this with increased refcount
-	 */
-	request_t* (*get_ref)(request_t *this);
-
-	/**
-	 * Destroy the request_t.
-	 */
-	void (*destroy) (request_t *this);
-};
-
-/**
- * Create a request from the fastcgi struct.
- *
- * @param fd			file descripter opened with FCGX_OpenSocket
- * @param debug			no stripping, no compression, timing information
- */
-request_t *request_create(int fd, bool debug);
-
-#endif /** REQUEST_H_ @}*/
diff --git a/src/libfast/session.c b/src/libfast/session.c
deleted file mode 100644
index 1d9ed0107..000000000
--- a/src/libfast/session.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-
-#include "session.h"
-
-#include <string.h>
-#include <fcgiapp.h>
-#include <stdio.h>
-
-#include <utils/linked_list.h>
-
-#define COOKIE_LEN 16
-
-typedef struct private_session_t private_session_t;
-
-/**
- * private data of the task manager
- */
-struct private_session_t {
-
-	/**
-	 * public functions
-	 */
-	session_t public;
-
-	/**
-	 * session ID
-	 */
-	char sid[COOKIE_LEN * 2 + 1];
-
-	/**
-	 * have we sent the session cookie?
-	 */
-	bool cookie_sent;
-
-	/**
-	 * list of controller instances controller_t
-	 */
-	linked_list_t *controllers;
-
-	/**
-	 * list of filter instances filter_t
-	 */
-	linked_list_t *filters;
-
-	/**
-	 * user defined session context
-	 */
-	context_t *context;
-};
-
-METHOD(session_t, add_controller, void,
-	private_session_t *this, controller_t *controller)
-{
-	this->controllers->insert_last(this->controllers, controller);
-}
-
-METHOD(session_t, add_filter, void,
-	private_session_t *this, filter_t *filter)
-{
-	this->filters->insert_last(this->filters, filter);
-}
-
-/**
- * Create a session ID and a cookie
- */
-static void create_sid(private_session_t *this)
-{
-	char buf[COOKIE_LEN];
-	rng_t *rng;
-
-	memset(buf, 0, sizeof(buf));
-	memset(this->sid, 0, sizeof(this->sid));
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (rng)
-	{
-		rng->get_bytes(rng, sizeof(buf), buf);
-		rng->destroy(rng);
-	}
-	chunk_to_hex(chunk_create(buf, sizeof(buf)), this->sid, FALSE);
-}
-
-/**
- * run all registered filters
- */
-static bool run_filter(private_session_t *this, request_t *request, char *p0,
-					   char *p1, char *p2, char *p3, char *p4, char *p5)
-{
-	enumerator_t *enumerator;
-	filter_t *filter;
-
-	enumerator = this->filters->create_enumerator(this->filters);
-	while (enumerator->enumerate(enumerator, &filter))
-	{
-		if (!filter->run(filter, request, p0, p1, p2, p3, p4, p5))
-		{
-			enumerator->destroy(enumerator);
-			return FALSE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return TRUE;
-}
-
-METHOD(session_t, process, void,
-	private_session_t *this, request_t *request)
-{
-	char *pos, *start, *param[6] = {NULL, NULL, NULL, NULL, NULL, NULL};
-	enumerator_t *enumerator;
-	bool handled = FALSE;
-	controller_t *current;
-	int i = 0;
-
-	if (!this->cookie_sent)
-	{
-		request->add_cookie(request, "SID", this->sid);
-		this->cookie_sent = TRUE;
-	}
-
-	start = request->get_path(request);
-	if (start)
-	{
-		if (*start == '/')
-		{
-			start++;
-		}
-		while ((pos = strchr(start, '/')) != NULL && i < 5)
-		{
-			param[i++] = strndupa(start, pos - start);
-			start = pos + 1;
-		}
-		param[i] = strdupa(start);
-
-		if (run_filter(this, request, param[0], param[1], param[2], param[3],
-						param[4], param[5]))
-		{
-			enumerator = this->controllers->create_enumerator(this->controllers);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (streq(current->get_name(current), param[0]))
-				{
-					current->handle(current, request, param[1], param[2],
-									param[3], param[4], param[5]);
-					handled = TRUE;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		else
-		{
-			handled = TRUE;
-		}
-	}
-	if (!handled)
-	{
-		if (this->controllers->get_first(this->controllers,
-										 (void**)&current) == SUCCESS)
-		{
-			request->streamf(request,
-				"Status: 301 Moved permanently\nLocation: %s/%s\n\n",
-				request->get_base(request), current->get_name(current));
-		}
-	}
-}
-
-METHOD(session_t, get_sid, char*,
-	private_session_t *this)
-{
-	return this->sid;
-}
-
-METHOD(session_t, destroy, void,
-	private_session_t *this)
-{
-	this->controllers->destroy_offset(this->controllers, offsetof(controller_t, destroy));
-	this->filters->destroy_offset(this->filters, offsetof(filter_t, destroy));
-	DESTROY_IF(this->context);
-	free(this);
-}
-
-/*
- * see header file
- */
-session_t *session_create(context_t *context)
-{
-	private_session_t *this;
-
-	INIT(this,
-		.public = {
-			.add_controller = _add_controller,
-			.add_filter = _add_filter,
-			.process = _process,
-			.get_sid = _get_sid,
-			.destroy = _destroy,
-		},
-		.controllers = linked_list_create(),
-		.filters = linked_list_create(),
-		.context = context,
-	);
-	create_sid(this);
-
-	return &this->public;
-}
-
diff --git a/src/libfast/session.h b/src/libfast/session.h
deleted file mode 100644
index f60fa9ef2..000000000
--- a/src/libfast/session.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup session session
- * @{ @ingroup libfast
- */
-
-#ifndef SESSION_H_
-#define SESSION_H_
-
-#include "request.h"
-#include "controller.h"
-#include "filter.h"
-
-typedef struct session_t session_t;
-
-/**
- * Session handling class, instanciated for each user session.
- */
-struct session_t {
-
-	/**
-	 * Get the session ID of the session.
-	 *
-	 * @return				session ID
-	 */
-	char* (*get_sid)(session_t *this);
-
-	/**
-	 * Add a controller instance to the session.
-	 *
-	 * @param controller	controller to add
-	 */
-	void (*add_controller)(session_t *this, controller_t *controller);
-
-	/**
-	 * Add a filter instance to the session.
-	 *
-	 * @param filter		filter to add
-	 */
-	void (*add_filter)(session_t *this, filter_t *filter);
-
-	/**
-	 * Process a request in this session.
-	 *
-	 * @param request		request to process
-	 */
-	void (*process)(session_t *this, request_t *request);
-
-	/**
-	 * Destroy the session_t.
-	 */
-	void (*destroy) (session_t *this);
-};
-
-/**
- * Create a session new session.
- *
- * @param context		user defined session context instance
- */
-session_t *session_create(context_t *context);
-
-#endif /** SESSION_H_ @}*/
diff --git a/src/libfast/smtp.c b/src/libfast/smtp.c
deleted file mode 100644
index 4118c74a6..000000000
--- a/src/libfast/smtp.c
+++ /dev/null
@@ -1,185 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "smtp.h"
-
-#include <unistd.h>
-#include <errno.h>
-
-#include <debug.h>
-
-typedef struct private_smtp_t private_smtp_t;
-
-/**
- * Private data of an smtp_t object.
- */
-struct private_smtp_t {
-
-	/**
-	 * Public smtp_t interface.
-	 */
-	smtp_t public;
-
-	/**
-	 * file stream to SMTP server
-	 */
-	FILE *f;
-};
-
-/**
- * Read the response code from an SMTP server
- */
-static int read_response(private_smtp_t *this)
-{
-	char buf[256], *end;
-	int res = 0;
-
-	while (TRUE)
-	{
-		if (!fgets(buf, sizeof(buf), this->f))
-		{
-			return 0;
-		}
-		res = strtol(buf, &end, 10);
-		switch (*end)
-		{
-			case '-':
-				continue;
-			case ' ':
-			case '\0':
-			case '\n':
-				break;
-			default:
-				return 0;
-		}
-		break;
-	}
-	return res;
-}
-
-/**
- * write a SMTP command to the server, read response code
- */
-static int write_cmd(private_smtp_t *this, char *fmt, ...)
-{
-	char buf[256];
-	va_list args;
-
-	va_start(args, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, args);
-	va_end(args);
-
-	if (fprintf(this->f, "%s\n", buf) < 1)
-	{
-		DBG1(DBG_LIB, "sending SMTP command failed");
-		return 0;
-	}
-	return read_response(this);
-}
-
-METHOD(smtp_t, send_mail, bool,
-	private_smtp_t *this, char *from, char *to, char *subject, char *fmt, ...)
-{
-	va_list args;
-
-	if (write_cmd(this, "MAIL FROM:<%s>", from) != 250)
-	{
-		DBG1(DBG_LIB, "SMTP MAIL FROM failed");
-		return FALSE;
-	}
-	if (write_cmd(this, "RCPT TO:<%s>", to) != 250)
-	{
-		DBG1(DBG_LIB, "SMTP RCPT TO failed");
-		return FALSE;
-	}
-	if (write_cmd(this, "DATA") != 354)
-	{
-		DBG1(DBG_LIB, "SMTP DATA failed");
-		return FALSE;
-	}
-
-	fprintf(this->f, "From: %s\n", from);
-	fprintf(this->f, "To: %s\n", to);
-	fprintf(this->f, "Subject: %s\n", subject);
-	fprintf(this->f, "\n");
-	va_start(args, fmt);
-	vfprintf(this->f, fmt, args);
-	va_end(args);
-	fprintf(this->f, "\n.\n");
-	return read_response(this) == 250;
-}
-
-
-METHOD(smtp_t, destroy, void,
-	private_smtp_t *this)
-{
-	write_cmd(this, "QUIT");
-	fclose(this->f);
-	free(this);
-}
-
-/**
- * See header
- */
-smtp_t *smtp_create()
-{
-	private_smtp_t *this;
-	struct sockaddr_in addr;
-	int s;
-
-	INIT(this,
-		.public = {
-			.send_mail = _send_mail,
-			.destroy = _destroy,
-		},
-	);
-
-	s = socket(AF_INET, SOCK_STREAM, 0);
-	if (s < 0)
-	{
-		DBG1(DBG_LIB, "opening SMTP socket failed: %s", strerror(errno));
-		free(this);
-		return NULL;
-	}
-	addr.sin_family = AF_INET;
-	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-	addr.sin_port = htons(25);
-	if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) < 0)
-	{
-		DBG1(DBG_LIB, "connecting to SMTP server failed: %s", strerror(errno));
-		close(s);
-		free(this);
-		return NULL;
-	}
-	this->f = fdopen(s, "a+");
-	if (!this->f)
-	{
-		DBG1(DBG_LIB, "opening stream to SMTP server failed: %s",
-			 strerror(errno));
-		close(s);
-		free(this);
-		return NULL;
-	}
-	if (read_response(this) != 220 ||
-		write_cmd(this, "EHLO localhost") != 250)
-	{
-		DBG1(DBG_LIB, "SMTP EHLO failed");
-		fclose(this->f);
-		free(this);
-		return NULL;
-	}
-	return &this->public;
-}
-
diff --git a/src/libfast/smtp.h b/src/libfast/smtp.h
deleted file mode 100644
index 9589ea2a6..000000000
--- a/src/libfast/smtp.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2010 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup smtp smtp
- * @{ @ingroup libfast
- */
-
-#ifndef SMTP_H_
-#define SMTP_H_
-
-typedef struct smtp_t smtp_t;
-
-#include <library.h>
-
-/**
- * Ultra-minimalistic SMTP client. Works at most with Exim on localhost.
- */
-struct smtp_t {
-
-	/**
-	 * Send an e-mail message.
-	 *
-	 * @param from		sender address
-	 * @param to		recipient address
-	 * @param subject	mail subject
-	 * @param fmt		mail body format string
-	 * @param ...		arguments for body format string
-	 */
-	bool (*send_mail)(smtp_t *this, char *from, char *to,
-					  char *subject, char *fmt, ...);
-
-	/**
-	 * Destroy a smtp_t.
-	 */
-	void (*destroy)(smtp_t *this);
-};
-
-/**
- * Create a smtp instance.
- */
-smtp_t *smtp_create();
-
-#endif /** SMTP_H_ @}*/
diff --git a/src/libfreeswan/Android.mk b/src/libfreeswan/Android.mk
deleted file mode 100644
index a834d4846..000000000
--- a/src/libfreeswan/Android.mk
+++ /dev/null
@@ -1,38 +0,0 @@
-LOCAL_PATH := $(call my-dir)
-include $(CLEAR_VARS)
-
-# copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
-addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
-atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
-goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
-pfkey_v2_build.c pfkey_v2_debug.c \
-pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \
-pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \
-satot.c subnetof.c subnettoa.c subnettot.c \
-subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
-ultoa.c ultot.c
-
-# build libfreeswan ------------------------------------------------------------
-
-LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
-	$(strongswan_PATH)/src/include \
-	$(strongswan_PATH)/src/libstrongswan \
-	$(strongswan_PATH)/src/libhydra \
-	$(strongswan_PATH)/src/pluto
-
-LOCAL_CFLAGS := $(strongswan_CFLAGS)
-
-LOCAL_MODULE := libfreeswan
-
-LOCAL_MODULE_TAGS := optional
-
-LOCAL_ARM_MODE := arm
-
-LOCAL_PRELINK_MODULE := false
-
-LOCAL_SHARED_LIBRARIES += libstrongswan
-
-include $(BUILD_SHARED_LIBRARY)
-
diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am
deleted file mode 100644
index b38343d34..000000000
--- a/src/libfreeswan/Makefile.am
+++ /dev/null
@@ -1,22 +0,0 @@
-noinst_LIBRARIES = libfreeswan.a
-libfreeswan_a_SOURCES = \
-addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
-atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
-goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
-pfkey_v2_build.c pfkey_v2_debug.c \
-pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \
-pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \
-satot.c subnetof.c subnettoa.c subnettot.c \
-subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
-ultoa.c ultot.c
-
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto
-
-dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
-                 portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
-                 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3
-
-EXTRA_DIST = Android.mk
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
deleted file mode 100644
index b6ee06630..000000000
--- a/src/libfreeswan/Makefile.in
+++ /dev/null
@@ -1,682 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/libfreeswan
-DIST_COMMON = $(dist_man3_MANS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-LIBRARIES = $(noinst_LIBRARIES)
-ARFLAGS = cru
-libfreeswan_a_AR = $(AR) $(ARFLAGS)
-libfreeswan_a_LIBADD =
-am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \
-	addrtypeof.$(OBJEXT) anyaddr.$(OBJEXT) atoaddr.$(OBJEXT) \
-	atoasr.$(OBJEXT) atosubnet.$(OBJEXT) atoul.$(OBJEXT) \
-	copyright.$(OBJEXT) datatot.$(OBJEXT) goodmask.$(OBJEXT) \
-	initaddr.$(OBJEXT) initsaid.$(OBJEXT) initsubnet.$(OBJEXT) \
-	pfkey_v2_build.$(OBJEXT) pfkey_v2_debug.$(OBJEXT) \
-	pfkey_v2_ext_bits.$(OBJEXT) pfkey_v2_parse.$(OBJEXT) \
-	portof.$(OBJEXT) rangetoa.$(OBJEXT) rangetosubnet.$(OBJEXT) \
-	sameaddr.$(OBJEXT) satot.$(OBJEXT) subnetof.$(OBJEXT) \
-	subnettoa.$(OBJEXT) subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) \
-	ttoaddr.$(OBJEXT) ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) \
-	ttosa.$(OBJEXT) ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) \
-	ultoa.$(OBJEXT) ultot.$(OBJEXT)
-libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libfreeswan_a_SOURCES)
-DIST_SOURCES = $(libfreeswan_a_SOURCES)
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man3dir = $(mandir)/man3
-am__installdirs = "$(DESTDIR)$(man3dir)"
-NROFF = nroff
-MANS = $(dist_man3_MANS)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-noinst_LIBRARIES = libfreeswan.a
-libfreeswan_a_SOURCES = \
-addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
-atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
-goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \
-pfkey_v2_build.c pfkey_v2_debug.c \
-pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \
-pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \
-satot.c subnetof.c subnettoa.c subnettot.c \
-subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
-ultoa.c ultot.c
-
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto
-
-dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
-                 portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
-                 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3
-
-EXTRA_DIST = Android.mk
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libfreeswan/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libfreeswan/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-clean-noinstLIBRARIES:
-	-test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
-libfreeswan.a: $(libfreeswan_a_OBJECTS) $(libfreeswan_a_DEPENDENCIES) 
-	-rm -f libfreeswan.a
-	$(libfreeswan_a_AR) libfreeswan.a $(libfreeswan_a_OBJECTS) $(libfreeswan_a_LIBADD)
-	$(RANLIB) libfreeswan.a
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrtoa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrtot.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrtypeof.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/anyaddr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoaddr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoasr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosubnet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoul.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/copyright.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/datatot.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/goodmask.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initaddr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsaid.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsubnet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_build.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_debug.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_ext_bits.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_parse.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portof.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetoa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetosubnet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sameaddr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satot.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnetof.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettoa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettot.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettypeof.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttoaddr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttodata.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttoprotoport.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttosa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttosubnet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttoul.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ultoa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ultot.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-install-man3: $(dist_man3_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
-	@list='$(dist_man3_MANS)'; test -n "$(man3dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man3:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_man3_MANS)'; test -n "$(man3dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man3dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man3dir)" && rm -f $$files; }
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@list='$(MANS)'; if test -n "$$list"; then \
-	  list=`for p in $$list; do \
-	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
-	  if test -n "$$list" && \
-	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
-	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
-	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
-	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
-	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
-	    exit 1; \
-	  else :; fi; \
-	else :; fi
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LIBRARIES) $(MANS)
-installdirs:
-	for dir in "$(DESTDIR)$(man3dir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-man
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man: install-man3
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-man
-
-uninstall-man: uninstall-man3
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-noinstLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-man3 install-pdf install-pdf-am install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
-	uninstall-am uninstall-man uninstall-man3
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libfreeswan/addrtoa.c b/src/libfreeswan/addrtoa.c
deleted file mode 100644
index e1c71da3c..000000000
--- a/src/libfreeswan/addrtoa.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * addresses to ASCII
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-#define	NBYTES	4		/* bytes in an address */
-#define	PERBYTE	4		/* three digits plus a dot or NUL */
-#define	BUFLEN	(NBYTES*PERBYTE)
-
-#if BUFLEN != ADDRTOA_BUF
-#error	"ADDRTOA_BUF in freeswan.h inconsistent with addrtoa() code"
-#endif
-
-/*
- - addrtoa - convert binary address to ASCII dotted decimal
- */
-size_t				/* space needed for full conversion */
-addrtoa(addr, format, dst, dstlen)
-struct in_addr addr;
-int format;			/* character */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	unsigned long a = ntohl(addr.s_addr);
-	int i;
-	size_t n;
-	unsigned long byte;
-	char buf[BUFLEN];
-	char *p;
-
-	switch (format) {
-	case 0:
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	p = buf;
-	for (i = NBYTES-1; i >= 0; i--) {
-		byte = (a >> (i*8)) & 0xff;
-		p += ultoa(byte, 10, p, PERBYTE);
-		if (i != 0)
-			*(p-1) = '.';
-	}
-	n = p - buf;
-
-	if (dstlen > 0) {
-		if (n > dstlen)
-			buf[dstlen - 1] = '\0';
-		strcpy(dst, buf);
-	}
-	return n;
-}
diff --git a/src/libfreeswan/addrtot.c b/src/libfreeswan/addrtot.c
deleted file mode 100644
index d1a338730..000000000
--- a/src/libfreeswan/addrtot.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/*
- * addresses to text
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-#define	IP4BYTES	4	/* bytes in an IPv4 address */
-#define	PERBYTE		4	/* three digits plus a dot or NUL */
-#define	IP6BYTES	16	/* bytes in an IPv6 address */
-
-/* forwards */
-static size_t normal4(const unsigned char *s, size_t len, char *b, char **dp);
-static size_t normal6(const unsigned char *s, size_t len, char *b, char **dp, int squish);
-static size_t reverse4(const unsigned char *s, size_t len, char *b, char **dp);
-static size_t reverse6(const unsigned char *s, size_t len, char *b, char **dp);
-
-/*
- - addrtot - convert binary address to text (dotted decimal or IPv6 string)
- */
-size_t				/* space needed for full conversion */
-addrtot(src, format, dst, dstlen)
-const ip_address *src;
-int format;			/* character */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	const unsigned char *b;
-	size_t n;
-	char buf[1+ADDRTOT_BUF+1];	/* :address: */
-	char *p;
-	int t = addrtypeof(src);
-#	define	TF(t, f)	(((t)<<8) | (f))
-
-	n = addrbytesptr(src, &b);
-	if (n == 0)
-		return 0;
-
-	switch (TF(t, format)) {
-	case TF(AF_INET, 0):
-		n = normal4(b, n, buf, &p);
-		break;
-	case TF(AF_INET6, 0):
-		n = normal6(b, n, buf, &p, 1);
-		break;
-	case TF(AF_INET, 'Q'):
-		n = normal4(b, n, buf, &p);
-		break;
-	case TF(AF_INET6, 'Q'):
-		n = normal6(b, n, buf, &p, 0);
-		break;
-	case TF(AF_INET, 'r'):
-		n = reverse4(b, n, buf, &p);
-		break;
-	case TF(AF_INET6, 'r'):
-		n = reverse6(b, n, buf, &p);
-		break;
-	default:		/* including (AF_INET, 'R') */
-		return 0;
-		break;
-	}
-
-	if (dstlen > 0) {
-		if (dstlen < n)
-			p[dstlen - 1] = '\0';
-		strcpy(dst, p);
-	}
-	return n;
-}
-
-/*
- - normal4 - normal IPv4 address-text conversion
- */
-static size_t			/* size of text, including NUL */
-normal4(srcp, srclen, buf, dstp)
-const unsigned char *srcp;
-size_t srclen;
-char *buf;			/* guaranteed large enough */
-char **dstp;			/* where to put result pointer */
-{
-	int i;
-	char *p;
-
-	if (srclen != IP4BYTES)	/* "can't happen" */
-		return 0;
-	p = buf;
-	for (i = 0; i < IP4BYTES; i++) {
-		p += ultot(srcp[i], 10, p, PERBYTE);
-		if (i != IP4BYTES - 1)
-			*(p-1) = '.';	/* overwrites the NUL */
-	}
-	*dstp = buf;
-	return p - buf;
-}
-
-/*
- - normal6 - normal IPv6 address-text conversion
- */
-static size_t			/* size of text, including NUL */
-normal6(srcp, srclen, buf, dstp, squish)
-const unsigned char *srcp;
-size_t srclen;
-char *buf;			/* guaranteed large enough, plus 2 */
-char **dstp;			/* where to put result pointer */
-int    squish;                  /* whether to squish out 0:0 */
-{
-	int i;
-	unsigned long piece;
-	char *p;
-	char *q;
-
-	if (srclen != IP6BYTES)	/* "can't happen" */
-		return 0;
-	p = buf;
-	*p++ = ':';
-	for (i = 0; i < IP6BYTES/2; i++) {
-		piece = (srcp[2*i] << 8) + srcp[2*i + 1];
-		p += ultot(piece, 16, p, 5);	/* 5 = abcd + NUL */
-		*(p-1) = ':';	/* overwrites the NUL */
-	}
-	*p = '\0';
-	q = strstr(buf, ":0:0:");
-	if (squish && q != NULL) {	/* zero squishing is possible */
-		p = q + 1;
-		while (*p == '0' && *(p+1) == ':')
-			p += 2;
-		q++;
-		*q++ = ':';	/* overwrite first 0 */
-		while (*p != '\0')
-			*q++ = *p++;
-		*q = '\0';
-		if (!(*(q-1) == ':' && *(q-2) == ':'))
-			*--q = '\0';	/* strip final : unless :: */
-		p = buf;
-		if (!(*p == ':' && *(p+1) == ':'))
-			p++;	/* skip initial : unless :: */
-	} else {
-		q = p;
-		*--q = '\0';	/* strip final : */
-		p = buf + 1;	/* skip initial : */
-	}
-	*dstp = p;
-	return q - p + 1;
-}
-
-/*
- - reverse4 - IPv4 reverse-lookup conversion
- */
-static size_t			/* size of text, including NUL */
-reverse4(srcp, srclen, buf, dstp)
-const unsigned char *srcp;
-size_t srclen;
-char *buf;			/* guaranteed large enough */
-char **dstp;			/* where to put result pointer */
-{
-	int i;
-	char *p;
-
-	if (srclen != IP4BYTES)	/* "can't happen" */
-		return 0;
-	p = buf;
-	for (i = IP4BYTES-1; i >= 0; i--) {
-		p += ultot(srcp[i], 10, p, PERBYTE);
-		*(p-1) = '.';	/* overwrites the NUL */
-	}
-	strcpy(p, "IN-ADDR.ARPA.");
-	*dstp = buf;
-	return strlen(buf) + 1;
-}
-
-/*
- - reverse6 - IPv6 reverse-lookup conversion (RFC 1886)
- * A trifle inefficient, really shouldn't use ultot...
- */
-static size_t			/* size of text, including NUL */
-reverse6(srcp, srclen, buf, dstp)
-const unsigned char *srcp;
-size_t srclen;
-char *buf;			/* guaranteed large enough */
-char **dstp;			/* where to put result pointer */
-{
-	int i;
-	unsigned long piece;
-	char *p;
-
-	if (srclen != IP6BYTES)	/* "can't happen" */
-		return 0;
-	p = buf;
-	for (i = IP6BYTES-1; i >= 0; i--) {
-		piece = srcp[i];
-		p += ultot(piece&0xf, 16, p, 2);
-		*(p-1) = '.';
-		p += ultot(piece>>4, 16, p, 2);
-		*(p-1) = '.';
-	}
-	strcpy(p, "IP6.ARPA.");
-	*dstp = buf;
-	return strlen(buf) + 1;
-}
-
-/*
- - reverse6 - modern IPv6 reverse-lookup conversion (RFC 2874)
- * this version removed as it was obsoleted in the end.
- */
-
-#ifdef ADDRTOT_MAIN
-
-#include <stdio.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-void regress(void);
-
-int
-main(int argc, char *argv[])
-{
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s {addr|net/mask|begin...end|-r}\n",
-								argv[0]);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-	exit(0);
-}
-
-struct rtab {
-	char *input;
-        char  format;
-	char *output;			/* NULL means error expected */
-} rtab[] = {
-	{"1.2.3.0",			0, "1.2.3.0"},
-	{"1:2::3:4",                    0, "1:2::3:4"},
-	{"1:2::3:4",                   'Q', "1:2:0:0:0:0:3:4"},
-	{"1:2:0:0:3:4:0:0",             0, "1:2::3:4:0:0"},
-	{"1.2.3.4",                    'r' , "4.3.2.1.IN-ADDR.ARPA."},
-	/*                                    0 1 2 3 4 5 6 7 8 9 a b c d e f 0 1 2 3 4 5 6 7 8 9 a b c d e f */
-	{"1:2::3:4",                   'r', "4.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.1.0.0.0.IP6.ARPA."},
-	 {NULL,				0, NULL}
-};
-
-void
-regress()
-{
-	struct rtab *r;
-	int status = 0;
-	ip_address a;
-	char in[100];
-	char buf[100];
-	const char *oops;
-	size_t n;
-
-	for (r = rtab; r->input != NULL; r++) {
-		strcpy(in, r->input);
-
-		/* convert it *to* internal format */
-		oops = ttoaddr(in, strlen(in), 0, &a);
-
-		/* now convert it back */
-
-		n = addrtot(&a, r->format, buf, sizeof(buf));
-
-		if (n == 0 && r->output == NULL)
-			{}		/* okay, error expected */
-
-		else if (n == 0) {
-			printf("`%s' atoasr failed\n", r->input);
-			status = 1;
-
-		} else if (r->output == NULL) {
-			printf("`%s' atoasr succeeded unexpectedly '%c'\n",
-							r->input, r->format);
-			status = 1;
-		} else {
-		  if (strcasecmp(r->output, buf) != 0) {
-		    printf("`%s' '%c' gave `%s', expected `%s'\n",
-			   r->input, r->format, buf, r->output);
-		    status = 1;
-		  }
-		}
-	}
-	exit(status);
-}
-
-#endif /* ADDRTOT_MAIN */
diff --git a/src/libfreeswan/addrtypeof.c b/src/libfreeswan/addrtypeof.c
deleted file mode 100644
index ee3cc998f..000000000
--- a/src/libfreeswan/addrtypeof.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * extract parts of an ip_address
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - addrtypeof - get the type of an ip_address
- */
-int
-addrtypeof(src)
-const ip_address *src;
-{
-	return src->u.v4.sin_family;
-}
-
-/*
- - addrbytesptr - get pointer to the address bytes of an ip_address
- */
-size_t				/* 0 for error */
-addrbytesptr(src, dstp)
-const ip_address *src;
-const unsigned char **dstp;	/* NULL means just a size query */
-{
-	const unsigned char *p;
-	size_t n;
-
-	switch (src->u.v4.sin_family) {
-	case AF_INET:
-		p = (const unsigned char *)&src->u.v4.sin_addr.s_addr;
-		n = 4;
-		break;
-	case AF_INET6:
-		p = (const unsigned char *)&src->u.v6.sin6_addr;
-		n = 16;
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	if (dstp != NULL)
-		*dstp = p;
-	return n;
-}
-
-/*
- - addrlenof - get length of the address bytes of an ip_address
- */
-size_t				/* 0 for error */
-addrlenof(src)
-const ip_address *src;
-{
-	return addrbytesptr(src, NULL);
-}
-
-/*
- - addrbytesof - get the address bytes of an ip_address
- */
-size_t				/* 0 for error */
-addrbytesof(src, dst, dstlen)
-const ip_address *src;
-unsigned char *dst;
-size_t dstlen;
-{
-	const unsigned char *p;
-	size_t n;
-	size_t ncopy;
-
-	n = addrbytesptr(src, &p);
-	if (n == 0)
-		return 0;
-
-	if (dstlen > 0) {
-		ncopy = n;
-		if (ncopy > dstlen)
-			ncopy = dstlen;
-		memcpy(dst, p, ncopy);
-	}
-	return n;
-}
diff --git a/src/libfreeswan/anyaddr.3 b/src/libfreeswan/anyaddr.3
deleted file mode 100644
index 58789cf6c..000000000
--- a/src/libfreeswan/anyaddr.3
+++ /dev/null
@@ -1,86 +0,0 @@
-.TH IPSEC_ANYADDR 3 "8 Sept 2000"
-.SH NAME
-ipsec anyaddr \- get "any" address
-.br
-ipsec isanyaddr \- test address for equality to "any" address
-.br
-ipsec unspecaddr \- get "unspecified" address
-.br
-ipsec isunspecaddr \- test address for equality to "unspecified" address
-.br
-ipsec loopbackaddr \- get loopback address
-.br
-ipsec isloopbackaddr \- test address for equality to loopback address
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *anyaddr(int af, ip_address *dst);"
-.br
-.B "int isanyaddr(const ip_address *src);"
-.br
-.B "const char *unspecaddr(int af, ip_address *dst);"
-.br
-.B "int isunspecaddr(const ip_address *src);"
-.br
-.B "const char *loopbackaddr(int af, ip_address *dst);"
-.br
-.B "int isloopbackaddr(const ip_address *src);"
-.SH DESCRIPTION
-These functions fill in, and test for, special values of the
-.I ip_address
-type.
-.PP
-.I Anyaddr
-fills in the destination
-.I *dst
-with the ``any'' address of address family
-.IR af
-(normally
-.B AF_INET
-or
-.BR AF_INET6 ).
-The IPv4 ``any'' address is the one embodied in the old
-.B INADDR_ANY
-macro.
-.PP
-.I Isanyaddr
-returns
-.B 1
-if the
-.I src
-address equals the ``any'' address,
-and
-.B 0
-otherwise.
-.PP
-Similarly,
-.I unspecaddr
-supplies, and
-.I isunspecaddr
-tests for,
-the ``unspecified'' address,
-which may be the same as the ``any'' address.
-.PP
-Similarly,
-.I loopbackaddr
-supplies, and
-.I islookbackaddr
-tests for,
-the loopback address.
-.PP
-.IR Anyaddr ,
-.IR unspecaddr ,
-and
-.I loopbackaddr
-return
-.B NULL
-for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.SH SEE ALSO
-inet(3), ipsec_addrtot(3), ipsec_sameaddr(3)
-.SH DIAGNOSTICS
-Fatal errors in the address-supplying functions are:
-unknown address family.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c
deleted file mode 100644
index 5b7691b7b..000000000
--- a/src/libfreeswan/anyaddr.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * special addresses
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-/* OpenSolaris defines strange versions of these macros */
-#ifdef __sun
-#undef	IN6ADDR_ANY_INIT
-#define	IN6ADDR_ANY_INIT		{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
-
-#undef	IN6ADDR_LOOPBACK_INIT
-#define	IN6ADDR_LOOPBACK_INIT	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
-#endif
-
-static struct in6_addr v6any = IN6ADDR_ANY_INIT;
-static struct in6_addr v6loop = IN6ADDR_LOOPBACK_INIT;
-
-/*
- - anyaddr - initialize to the any-address value
- */
-err_t				/* NULL for success, else string literal */
-anyaddr(af, dst)
-int af;				/* address family */
-ip_address *dst;
-{
-	uint32_t v4any = htonl(INADDR_ANY);
-
-	switch (af) {
-	case AF_INET:
-		return initaddr((unsigned char *)&v4any, sizeof(v4any), af, dst);
-		break;
-	case AF_INET6:
-		return initaddr((unsigned char *)&v6any, sizeof(v6any), af, dst);
-		break;
-	default:
-		return "unknown address family in anyaddr/unspecaddr";
-		break;
-	}
-}
-
-/*
- - unspecaddr - initialize to the unspecified-address value
- */
-err_t				/* NULL for success, else string literal */
-unspecaddr(af, dst)
-int af;				/* address family */
-ip_address *dst;
-{
-	return anyaddr(af, dst);
-}
-
-/*
- - loopbackaddr - initialize to the loopback-address value
- */
-err_t				/* NULL for success, else string literal */
-loopbackaddr(af, dst)
-int af;				/* address family */
-ip_address *dst;
-{
-	uint32_t v4loop = htonl(INADDR_LOOPBACK);
-
-	switch (af) {
-	case AF_INET:
-		return initaddr((unsigned char *)&v4loop, sizeof(v4loop), af, dst);
-		break;
-	case AF_INET6:
-		return initaddr((unsigned char *)&v6loop, sizeof(v6loop), af, dst);
-		break;
-	default:
-		return "unknown address family in loopbackaddr";
-		break;
-	}
-}
-
-/*
- - isanyaddr - test for the any-address value
- */
-int
-isanyaddr(src)
-const ip_address *src;
-{
-	uint32_t v4any = htonl(INADDR_ANY);
-	int cmp;
-
-	switch (src->u.v4.sin_family) {
-	case AF_INET:
-		cmp = memcmp(&src->u.v4.sin_addr.s_addr, &v4any, sizeof(v4any));
-		break;
-	case AF_INET6:
-		cmp = memcmp(&src->u.v6.sin6_addr, &v6any, sizeof(v6any));
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	return (cmp == 0) ? 1 : 0;
-}
-
-/*
- - isunspecaddr - test for the unspecified-address value
- */
-int
-isunspecaddr(src)
-const ip_address *src;
-{
-	return isanyaddr(src);
-}
-
-/*
- - isloopbackaddr - test for the loopback-address value
- */
-int
-isloopbackaddr(src)
-const ip_address *src;
-{
-	uint32_t v4loop = htonl(INADDR_LOOPBACK);
-	int cmp;
-
-	switch (src->u.v4.sin_family) {
-	case AF_INET:
-		cmp = memcmp(&src->u.v4.sin_addr.s_addr, &v4loop, sizeof(v4loop));
-		break;
-	case AF_INET6:
-		cmp = memcmp(&src->u.v6.sin6_addr, &v6loop, sizeof(v6loop));
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	return (cmp == 0) ? 1 : 0;
-}
diff --git a/src/libfreeswan/atoaddr.3 b/src/libfreeswan/atoaddr.3
deleted file mode 100644
index 10da2691c..000000000
--- a/src/libfreeswan/atoaddr.3
+++ /dev/null
@@ -1,291 +0,0 @@
-.TH IPSEC_ATOADDR 3 "11 June 2001"
-.SH NAME
-ipsec atoaddr, addrtoa \- convert Internet addresses to and from ASCII
-.br
-ipsec atosubnet, subnettoa \- convert subnet/mask ASCII form to and from addresses
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *atoaddr(const char *src, size_t srclen,"
-.ti +1c
-.B "struct in_addr *addr);"
-.br
-.B "size_t addrtoa(struct in_addr addr, int format,"
-.ti +1c
-.B "char *dst, size_t dstlen);"
-.sp
-.B "const char *atosubnet(const char *src, size_t srclen,"
-.ti +1c
-.B "struct in_addr *addr, struct in_addr *mask);"
-.br
-.B "size_t subnettoa(struct in_addr addr, struct in_addr mask,"
-.ti +1c
-.B "int format, char *dst, size_t dstlen);"
-.SH DESCRIPTION
-These functions are obsolete; see
-.IR ipsec_ttoaddr (3)
-for their replacements.
-.PP
-.I Atoaddr
-converts an ASCII name or dotted-decimal address into a binary address
-(in network byte order).
-.I Addrtoa
-does the reverse conversion, back to an ASCII dotted-decimal address.
-.I Atosubnet
-and
-.I subnettoa
-do likewise for the ``address/mask'' ASCII form used to write a
-specification of a subnet.
-.PP
-An address is specified in ASCII as a
-dotted-decimal address (e.g.
-.BR 1.2.3.4 ),
-an eight-digit network-order hexadecimal number with the usual C prefix (e.g.
-.BR 0x01020304 ,
-which is synonymous with
-.BR 1.2.3.4 ),
-an eight-digit host-order hexadecimal number with a
-.B 0h
-prefix (e.g.
-.BR 0h01020304 ,
-which is synonymous with
-.B 1.2.3.4
-on a big-endian host and
-.B 4.3.2.1
-on a little-endian host),
-a DNS name to be looked up via
-.IR getaddrinfo (3),
-or an old-style network name to be looked up via
-.IR getnetbyname (3).
-.PP
-A dotted-decimal address may be incomplete, in which case
-ASCII-to-binary conversion implicitly appends
-as many instances of
-.B .0
-as necessary to bring it up to four components.
-The components of a dotted-decimal address are always taken as
-decimal, and leading zeros are ignored.
-For example,
-.B 10
-is synonymous with
-.BR 10.0.0.0 ,
-and
-.B 128.009.000.032
-is synonymous with
-.BR 128.9.0.32
-(the latter example is verbatim from RFC 1166).
-The result of
-.I addrtoa
-is always complete and does not contain leading zeros.
-.PP
-The letters in
-a hexadecimal address may be uppercase or lowercase or any mixture thereof.
-Use of hexadecimal addresses is
-.B strongly
-.BR discouraged ;
-they are included only to save hassles when dealing with
-the handful of perverted programs which already print 
-network addresses in hexadecimal.
-.PP
-DNS names may be complete (optionally terminated with a ``.'')
-or incomplete, and are looked up as specified by local system configuration
-(see
-.IR resolver (5)).
-The first value returned by
-.IR getaddrinfo (3)
-is used,
-so with current DNS implementations,
-the result when the name corresponds to more than one address is
-difficult to predict.
-Name lookup resorts to
-.IR getnetbyname (3)
-only if
-.IR getaddrinfo (3)
-fails.
-.PP
-A subnet specification is of the form \fInetwork\fB/\fImask\fR.
-The
-.I network
-and
-.I mask
-can be any form acceptable to
-.IR atoaddr .
-In addition, the
-.I mask
-can be a decimal integer (leading zeros ignored) giving a bit count,
-in which case
-it stands for a mask with that number of high bits on and all others off
-(e.g.,
-.B 24
-means
-.BR 255.255.255.0 ).
-In any case, the mask must be contiguous
-(a sequence of high bits on and all remaining low bits off).
-As a special case, the subnet specification
-.B %default
-is a synonym for
-.BR 0.0.0.0/0 .
-.PP
-.I Atosubnet
-ANDs the mask with the address before returning,
-so that any non-network bits in the address are turned off
-(e.g.,
-.B 10.1.2.3/24
-is synonymous with
-.BR 10.1.2.0/24 ).
-.I Subnettoa
-generates the decimal-integer-bit-count
-form of the mask,
-with no leading zeros,
-unless the mask is non-contiguous.
-.PP
-The
-.I srclen
-parameter of
-.I atoaddr
-and
-.I atosubnet
-specifies the length of the ASCII string pointed to by
-.IR src ;
-it is an error for there to be anything else
-(e.g., a terminating NUL) within that length.
-As a convenience for cases where an entire NUL-terminated string is
-to be converted,
-a
-.I srclen
-value of
-.B 0
-is taken to mean
-.BR strlen(src) .
-.PP
-The
-.I dstlen
-parameter of
-.I addrtoa
-and
-.I subnettoa
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-The
-.I freeswan.h
-header file defines constants,
-.B ADDRTOA_BUF
-and
-.BR SUBNETTOA_BUF ,
-which are the sizes of buffers just large enough for worst-case results.
-.PP
-The
-.I format
-parameter of
-.I addrtoa
-and
-.I subnettoa
-specifies what format is to be used for the conversion.
-The value
-.B 0
-(not the ASCII character
-.BR '0' ,
-but a zero value)
-specifies a reasonable default,
-and is in fact the only format currently available.
-This parameter is a hedge against future needs.
-.PP
-The ASCII-to-binary functions return NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-The binary-to-ASCII functions return
-.B 0
-for a failure, and otherwise
-always return the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL;
-it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred.
-.SH SEE ALSO
-inet(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I atoaddr
-are:
-empty input;
-attempt to allocate temporary storage for a very long name failed;
-name lookup failed;
-syntax error in dotted-decimal form;
-dotted-decimal component too large to fit in 8 bits.
-.PP
-Fatal errors in
-.I atosubnet
-are:
-no
-.B /
-in
-.IR src ;
-.I atoaddr
-error in conversion of
-.I network
-or
-.IR mask ;
-bit-count mask too big;
-mask non-contiguous.
-.PP
-Fatal errors in
-.I addrtoa
-and
-.I subnettoa
-are:
-unknown format.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The interpretation of incomplete dotted-decimal addresses
-(e.g.
-.B 10/24
-means
-.BR 10.0.0.0/24 )
-differs from that of some older conversion
-functions, e.g. those of
-.IR inet (3).
-The behavior of the older functions has never been
-particularly consistent or particularly useful.
-.PP
-Ignoring leading zeros in dotted-decimal components and bit counts
-is arguably the most useful behavior in this application,
-but it might occasionally cause confusion with the historical use of leading 
-zeros to denote octal numbers.
-.PP
-It is barely possible that somebody, somewhere,
-might have a legitimate use for non-contiguous subnet masks.
-.PP
-.IR Getnetbyname (3)
-is a historical dreg.
-.PP
-The restriction of ASCII-to-binary error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The ASCII-to-binary error-reporting convention lends itself
-to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = atoaddr( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c
deleted file mode 100644
index a3643801e..000000000
--- a/src/libfreeswan/atoaddr.c
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * conversion from ASCII forms of addresses to internal ones
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- * Define NOLEADINGZEROS to interpret 032 as an error, not as 32.  There
- * is deliberately no way to interpret it as 26 (i.e., as octal).
- */
-
-/*
- * Legal characters in a domain name.  Underscore technically is not,
- * but is a common misunderstanding.
- */
-static const char namechars[] = "abcdefghijklmnopqrstuvwxyz0123456789"
-				"ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
-
-static const char *try8hex(const char *, size_t, struct in_addr *);
-static const char *try8hosthex(const char *, size_t, struct in_addr *);
-static const char *trydotted(const char *, size_t, struct in_addr *);
-static const char *getbyte(const char **, const char *, int *);
-
-/*
- - atoaddr - convert ASCII name or dotted-decimal address to binary address
- */
-const char *			/* NULL for success, else string literal */
-atoaddr(src, srclen, addrp)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-struct in_addr *addrp;
-{
-	struct addrinfo hints, *res;
-	struct netent *ne = NULL;
-	const char *oops, *msg = NULL;
-#	define	HEXLEN	10	/* strlen("0x11223344") */
-#	ifndef ATOADDRBUF
-#	define	ATOADDRBUF	100
-#	endif
-	char namebuf[ATOADDRBUF];
-	char *p = namebuf;
-	char *q;
-	int error;
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-
-	/* might it be hex? */
-	if (srclen == HEXLEN && *src == '0' && CIEQ(*(src+1), 'x'))
-		return try8hex(src+2, srclen-2, addrp);
-	if (srclen == HEXLEN && *src == '0' && CIEQ(*(src+1), 'h'))
-		return try8hosthex(src+2, srclen-2, addrp);
-
-	/* try it as dotted decimal */
-	oops = trydotted(src, srclen, addrp);
-	if (oops == NULL)
-		return NULL;		/* it worked */
-	if (*oops != '?')
-		return oops;		/* it *was* probably meant as a d.q. */
-
-	/* try it as a name -- first, NUL-terminate it */
-	if (srclen > sizeof(namebuf)-1) {
-		p = (char *) MALLOC(srclen+1);
-		if (p == NULL)
-			return "unable to allocate temporary space for name";
-	}
-	p[0] = '\0';
-	strncat(p, src, srclen);
-
-	/* next, check that it's a vaguely legal name */
-	for (q = p; *q != '\0'; q++)
-	{
-		if (!isprint(*q))
-		{
-			msg = "unprintable character in name";
-			goto error;
-		}
-	}
-	if (strspn(p, namechars) != srclen)
-	{
-		msg = "illegal (non-DNS-name) character in name";
-		goto error;
-	}
-
-	/* try as host name, failing that as /etc/networks network name */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = AF_INET;
-	error = getaddrinfo(p, NULL, &hints, &res);
-	if (error != 0)
-	{
-		ne = getnetbyname(p);
-		if (ne == NULL)
-		{
-			msg = "name lookup failed";
-			goto error;
-		}
-		addrp->s_addr = htonl(ne->n_net);
-	}
-	else
-	{
-		struct sockaddr_in *in = (struct sockaddr_in*)res->ai_addr;
-		memcpy(&addrp->s_addr, &in->sin_addr.s_addr, sizeof(addrp->s_addr));
-		freeaddrinfo(res);
-	}
-
-error:
-	if (p != namebuf)
-	{
-		FREE(p);
-	}
-
-	return msg;
-}
-
-/*
- - try8hosthex - try conversion as an eight-digit host-order hex number
- */
-const char *			/* NULL for success, else string literal */
-try8hosthex(src, srclen, addrp)
-const char *src;
-size_t srclen;			/* should be 8 */
-struct in_addr *addrp;
-{
-	const char *oops;
-	unsigned long addr;
-
-	if (srclen != 8)
-		return "internal error, try8hex called with bad length";
-
-	oops = atoul(src, srclen, 16, &addr);
-	if (oops != NULL)
-		return oops;
-
-	addrp->s_addr = addr;
-	return NULL;
-}
-
-/*
- - try8hex - try conversion as an eight-digit network-order hex number
- */
-const char *			/* NULL for success, else string literal */
-try8hex(src, srclen, addrp)
-const char *src;
-size_t srclen;			/* should be 8 */
-struct in_addr *addrp;
-{
-	const char *oops;
-
-	oops = try8hosthex(src, srclen, addrp);
-	if (oops != NULL)
-		return oops;
-
-	addrp->s_addr = htonl(addrp->s_addr);
-	return NULL;
-}
-
-/*
- - trydotted - try conversion as dotted decimal
- *
- * If the first char of a complaint is '?', that means "didn't look like
- * dotted decimal at all".
- */
-const char *			/* NULL for success, else string literal */
-trydotted(src, srclen, addrp)
-const char *src;
-size_t srclen;
-struct in_addr *addrp;
-{
-	const char *stop = src + srclen;	/* just past end */
-	int byte;
-	const char *oops;
-	unsigned long addr;
-	int i;
-#	define	NBYTES	4
-#	define	BYTE	8
-
-	addr = 0;
-	for (i = 0; i < NBYTES && src < stop; i++) {
-		oops = getbyte(&src, stop, &byte);
-		if (oops != NULL) {
-			if (*oops != '?')
-				return oops;	/* bad number */
-			if (i > 1)
-				return oops+1;	/* failed number */
-			return oops;		/* with leading '?' */
-		}
-		addr = (addr << BYTE) | byte;
-		if (i < 3 && src < stop && *src++ != '.') {
-			if (i == 0)
-				return "?syntax error in dotted-decimal address";
-			else
-				return "syntax error in dotted-decimal address";
-		}
-	}
-	addr <<= (NBYTES - i) * BYTE;
-	if (src != stop)
-		return "extra garbage on end of dotted-decimal address";
-
-	addrp->s_addr = htonl(addr);
-	return NULL;
-}
-
-/*
- - getbyte - try to scan a byte in dotted decimal
- * A subtlety here is that all this arithmetic on ASCII digits really is
- * highly portable -- ANSI C guarantees that digits 0-9 are contiguous.
- * It's easier to just do it ourselves than set up for a call to atoul().
- *
- * If the first char of a complaint is '?', that means "didn't look like a
- * number at all".
- */
-const char *			/* NULL for success, else string literal */
-getbyte(srcp, stop, retp)
-const char **srcp;		/* *srcp is updated */
-const char *stop;		/* first untouchable char */
-int *retp;			/* return-value pointer */
-{
-	char c;
-	const char *p;
-	int no;
-
-	if (*srcp >= stop)
-		return "?empty number in dotted-decimal address";
-
-	if (stop - *srcp >= 3 && **srcp == '0' && CIEQ(*(*srcp+1), 'x'))
-		return "hex numbers not supported in dotted-decimal addresses";
-#ifdef NOLEADINGZEROS
-	if (stop - *srcp >= 2 && **srcp == '0' && isdigit(*(*srcp+1)))
-		return "octal numbers not supported in dotted-decimal addresses";
-#endif /* NOLEADINGZEROS */
-
-	/* must be decimal, if it's numeric at all */
-	no = 0;
-	p = *srcp;
-	while (p < stop && no <= 255 && (c = *p) >= '0' && c <= '9') {
-		no = no*10 + (c - '0');
-		p++;
-	}
-	if (p == *srcp)
-		return "?non-numeric component in dotted-decimal address";
-	*srcp = p;
-	if (no > 255)
-		return "byte overflow in dotted-decimal address";
-	*retp = no;
-	return NULL;
-}
diff --git a/src/libfreeswan/atoasr.3 b/src/libfreeswan/atoasr.3
deleted file mode 100644
index 0b9a5fea3..000000000
--- a/src/libfreeswan/atoasr.3
+++ /dev/null
@@ -1,185 +0,0 @@
-.TH IPSEC_ATOASR 3 "11 June 2001"
-.SH NAME
-ipsec atoasr \- convert ASCII to Internet address, subnet, or range
-.br
-ipsec rangetoa \- convert Internet address range to ASCII
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *atoasr(const char *src, size_t srclen,"
-.ti +1c
-.B "char *type, struct in_addr *addrs);"
-.br
-.B "size_t rangetoa(struct in_addr *addrs, int format,
-.ti +1c
-.B "char *dst, size_t dstlen);"
-.SH DESCRIPTION
-These functions are obsolete;
-there is no current equivalent,
-because so far they have not proved useful.
-.PP
-.I Atoasr
-converts an ASCII address, subnet, or address range
-into a suitable combination of binary addresses
-(in network byte order).
-.I Rangetoa
-converts an address range back into ASCII,
-using dotted-decimal form for the addresses
-(the other reverse conversions are handled by
-.IR ipsec_addrtoa (3)
-and
-.IR ipsec_subnettoa (3)).
-.PP
-A single address can be any form acceptable to
-.IR ipsec_atoaddr (3):
-dotted decimal, DNS name, or hexadecimal number.
-A subnet
-specification uses the form \fInetwork\fB/\fImask\fR
-interpreted by
-.IR ipsec_atosubnet (3).
-.PP
-An address range is two
-.IR ipsec_atoaddr (3)
-addresses separated by a
-.B ...
-delimiter.
-If there are four dots rather than three, the first is taken as
-part of the begin address,
-e.g. for a complete DNS name which ends with
-.B .
-to suppress completion attempts.
-The begin address of a range must be
-less than or equal to the end address.
-.PP
-The
-.I srclen
-parameter of
-.I atoasr
-specifies the length of the ASCII string pointed to by
-.IR src ;
-it is an error for there to be anything else
-(e.g., a terminating NUL) within that length.
-As a convenience for cases where an entire NUL-terminated string is
-to be converted,
-a
-.I srclen
-value of
-.B 0
-is taken to mean
-.BR strlen(src) .
-.PP
-The
-.I type
-parameter of
-.I atoasr
-must point to a
-.B char
-variable used to record which form was found.
-The
-.I addrs
-parameter must point to a two-element array of
-.B "struct in_addr"
-which receives the results.
-The values stored into
-.BR *type ,
-and the corresponding values in the array, are:
-.PP
-.ta 3c +2c +3c
-	*type	addrs[0]	addrs[1]
-.sp 0.8
-address	\&\fB'a'\fR	address	-
-.br
-subnet	\&\fB's'\fR	network	mask
-.br
-range	\&\fB'r'\fR	begin	end
-.PP
-The
-.I dstlen
-parameter of
-.I rangetoa
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-The
-.I freeswan.h
-header file defines a constant,
-.BR RANGETOA_BUF ,
-which is the size of a buffer just large enough for worst-case results.
-.PP
-The
-.I format
-parameter of
-.I rangetoa
-specifies what format is to be used for the conversion.
-The value
-.B 0
-(not the ASCII character
-.BR '0' ,
-but a zero value)
-specifies a reasonable default,
-and is in fact the only format currently available.
-This parameter is a hedge against future needs.
-.PP
-.I Atoasr
-returns NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.I Rangetoa
-returns
-.B 0
-for a failure, and otherwise
-always returns the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL;
-it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred.
-.SH SEE ALSO
-ipsec_atoaddr(3), ipsec_atosubnet(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I atoasr
-are:
-empty input;
-error in
-.IR ipsec_atoaddr (3)
-or
-.IR ipsec_atosubnet (3)
-during conversion;
-begin address of range exceeds end address.
-.PP
-Fatal errors in
-.I rangetoa
-are:
-unknown format.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The restriction of error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The error-reporting convention lends itself
-to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = atoasr( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/atoasr.c b/src/libfreeswan/atoasr.c
deleted file mode 100644
index ad62ef46b..000000000
--- a/src/libfreeswan/atoasr.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * convert from ASCII form of address/subnet/range to binary
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - atoasr - convert ASCII to address, subnet, or range
- */
-const char *			/* NULL for success, else string literal */
-atoasr(src, srclen, typep, addrsp)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-char *typep;			/* return type code:  'a', 's', 'r' */
-struct in_addr addrsp[2];
-{
-	const char *punct;
-	const char *stop;
-	const char *oops;
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-
-	/* subnet is easy to spot */
-	punct = memchr(src, '/', srclen);
-	if (punct != NULL) {
-		*typep = 's';
-		return atosubnet(src, srclen, &addrsp[0], &addrsp[1]);
-	}
-
-	/* try for a range */
-	stop = src + srclen;
-	for (punct = src; (punct = memchr(punct, '.', stop - punct)) != NULL;
-									punct++)
-		if (stop - punct > 3 && *(punct+1) == '.' && *(punct+2) == '.')
-			break;			/* NOTE BREAK OUT */
-	if (punct == NULL) {
-		/* didn't find the range delimiter, must be plain address */
-		*typep = 'a';
-		return atoaddr(src, srclen, &addrsp[0]);
-	}
-
-	/* looks like a range */
-	*typep = 'r';
-	if (stop - punct > 4 && *(punct+3) == '.')
-		punct++;		/* first dot is trailing dot of name */
-	oops = atoaddr(src, punct - src, &addrsp[0]);
-	if (oops != NULL)
-		return oops;
-	oops = atoaddr(punct+3, stop - (punct+3), &addrsp[1]);
-	if (oops != NULL)
-		return oops;
-	if (ntohl(addrsp[0].s_addr) > ntohl(addrsp[1].s_addr))
-		return "invalid range, begin > end";
-	return NULL;
-}
-
-
-
-#ifdef ATOASR_MAIN
-
-#include <stdio.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-void regress(void);
-
-int
-main(int argc, char *argv[])
-{
-	struct in_addr a[2];
-	char buf[100];
-	const char *oops;
-	size_t n;
-	char type;
-
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s {addr|net/mask|begin...end|-r}\n",
-								argv[0]);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-
-	oops = atoasr(argv[1], 0, &type, a);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	switch (type) {
-	case 'a':
-		n = addrtoa(a[0], 0, buf, sizeof(buf));
-		break;
-	case 's':
-		n = subnettoa(a[0], a[1], 0, buf, sizeof(buf));
-		break;
-	case 'r':
-		n = rangetoa(a, 0, buf, sizeof(buf));
-		break;
-	default:
-		fprintf(stderr, "%s: unknown type '%c'\n", argv[0], type);
-		exit(1);
-		break;
-	}
-	if (n > sizeof(buf)) {
-		fprintf(stderr, "%s: reverse conversion of ", argv[0]);
-		fprintf(stderr, "%s ", inet_ntoa(a[0]));
-		fprintf(stderr, "%s", inet_ntoa(a[1]));
-		fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
-						(long)n, (long)sizeof(buf));
-		exit(1);
-	}
-	printf("%s\n", buf);
-
-	exit(0);
-}
-
-struct rtab {
-	char *input;
-	char *output;			/* NULL means error expected */
-} rtab[] = {
-	{"1.2.3.0",			"1.2.3.0"},
-	{"1.2.3.0/255.255.255.0",	"1.2.3.0/24"},
-	{"1.2.3.0...1.2.3.5",		"1.2.3.0...1.2.3.5"},
-	{"1.2.3.4.5",			NULL},
-	{"1.2.3.4/",			NULL},
-	{"1.2.3.4...",			NULL},
-	{"1.2.3.4....",			NULL},
-	{"localhost/32",		        "127.0.0.1/32"},
-	{"localhost...127.0.0.3",	"127.0.0.1...127.0.0.3"},
-	{"127.0.0.0...localhost",	"127.0.0.0...127.0.0.1"},
-	{"127.0.0.3...localhost",	NULL},
-	{NULL,				NULL}
-};
-
-void
-regress(void)
-{
-	struct rtab *r;
-	int status = 0;
-	struct in_addr a[2];
-	char in[100];
-	char buf[100];
-	const char *oops;
-	size_t n;
-	char type;
-
-	for (r = rtab; r->input != NULL; r++) {
-		strcpy(in, r->input);
-		oops = atoasr(in, 0, &type, a);
-		if (oops != NULL && r->output == NULL)
-			{}		/* okay, error expected */
-		else if (oops != NULL) {
-			printf("`%s' atoasr failed: %s\n", r->input, oops);
-			status = 1;
-		} else if (r->output == NULL) {
-			printf("`%s' atoasr succeeded unexpectedly '%c'\n",
-							r->input, type);
-			status = 1;
-		} else {
-			switch (type) {
-			case 'a':
-				n = addrtoa(a[0], 0, buf, sizeof(buf));
-				break;
-			case 's':
-				n = subnettoa(a[0], a[1], 0, buf, sizeof(buf));
-				break;
-			case 'r':
-				n = rangetoa(a, 0, buf, sizeof(buf));
-				break;
-			default:
-				fprintf(stderr, "`%s' unknown type '%c'\n",
-							r->input, type);
-				n = 0;
-				status = 1;
-				break;
-			}
-			if (n > sizeof(buf)) {
-				printf("`%s' '%c' reverse failed:  need %ld\n",
-						r->input, type, (long)n);
-				status = 1;
-			} else if (n > 0 && strcmp(r->output, buf) != 0) {
-				printf("`%s' '%c' gave `%s', expected `%s'\n",
-					r->input, type, buf, r->output);
-				status = 1;
-			}
-		}
-	}
-	exit(status);
-}
-
-#endif /* ATOASR_MAIN */
diff --git a/src/libfreeswan/atosubnet.c b/src/libfreeswan/atosubnet.c
deleted file mode 100644
index 8b2bfa17e..000000000
--- a/src/libfreeswan/atosubnet.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * convert from ASCII form of subnet specification to binary
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-#ifndef DEFAULTSUBNET
-#define	DEFAULTSUBNET	"%default"
-#endif
-
-/*
- - atosubnet - convert ASCII "addr/mask" to address and mask
- * Mask can be integer bit count.
- */
-const char *			/* NULL for success, else string literal */
-atosubnet(src, srclen, addrp, maskp)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-struct in_addr *addrp;
-struct in_addr *maskp;
-{
-	const char *slash;
-	const char *mask;
-	size_t mlen;
-	const char *oops;
-	unsigned long bc;
-	static char def[] = DEFAULTSUBNET;
-#	define	DEFLEN	(sizeof(def) - 1)	/* -1 for NUL */
-	static char defis[] = "0/0";
-#	define	DEFILEN	(sizeof(defis) - 1)
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-
-	if (srclen == DEFLEN && strncmp(src, def, srclen) == 0) {
-		src = defis;
-		srclen = DEFILEN;
-	}
-
-	slash = memchr(src, '/', srclen);
-	if (slash == NULL)
-		return "no / in subnet specification";
-	mask = slash + 1;
-	mlen = srclen - (mask - src);
-
-	oops = atoaddr(src, slash-src, addrp);
-	if (oops != NULL)
-		return oops;
-
-	oops = atoul(mask, mlen, 10, &bc);
-	if (oops == NULL) {
-		/* atoul succeeded, it's a bit-count mask */
-		if (bc > ABITS)
-			return "bit-count mask too large";
-#ifdef NOLEADINGZEROS
-		if (mlen > 1 && *mask == '0')
-			return "octal not allowed in mask";
-#endif /* NOLEADINGZEROS */
-		*maskp = bitstomask((int)bc);
-	} else {
-		oops = atoaddr(mask, mlen, maskp);
-		if (oops != NULL)
-			return oops;
-		if (!goodmask(*maskp))
-			return "non-contiguous mask";
-	}
-
-	addrp->s_addr &= maskp->s_addr;
-	return NULL;
-}
-
-
-
-#ifdef ATOSUBNET_MAIN
-
-#include <stdio.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-void regress(void);
-
-int
-main(int argc, char *argv[])
-{
-	struct in_addr a;
-	struct in_addr m;
-	char buf[100];
-	const char *oops;
-	size_t n;
-
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s {addr/mask|-r}\n", argv[0]);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-
-	oops = atosubnet(argv[1], 0, &a, &m);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	n = subnettoa(a, m, 0, buf, sizeof(buf));
-	if (n > sizeof(buf)) {
-		fprintf(stderr, "%s: reverse conversion of ", argv[0]);
-		fprintf(stderr, "%s/", inet_ntoa(a));
-		fprintf(stderr, "%s", inet_ntoa(m));
-		fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
-						(long)n, (long)sizeof(buf));
-		exit(1);
-	}
-	printf("%s\n", buf);
-
-	exit(0);
-}
-
-struct rtab {
-	char *input;
-	char *output;			/* NULL means error expected */
-} rtab[] = {
-	{"1.2.3.0/255.255.255.0",	"1.2.3.0/24"},
-	{"1.2.3.0/24",			"1.2.3.0/24"},
-	{"1.2.3.1/255.255.255.240",	"1.2.3.0/28"},
-	{"1.2.3.1/32",			"1.2.3.1/32"},
-	{"1.2.3.1/0",			"0.0.0.0/0"},
-/*	"1.2.3.1/255.255.127.0",	"1.2.3.0/255.255.127.0",	*/
-	{"1.2.3.1/255.255.127.0",	NULL},
-	{"128.009.000.032/32",		"128.9.0.32/32"},
-	{"128.0x9.0.32/32",		NULL},
-	{"0x80090020/32",		"128.9.0.32/32"},
-	{"0x800x0020/32",		NULL},
-	{"128.9.0.32/0xffFF0000",	"128.9.0.0/16"},
-	{"128.9.0.32/0xff0000FF",	NULL},
-	{"128.9.0.32/0x0000ffFF",	NULL},
-	{"128.9.0.32/0x00ffFF0000",	NULL},
-	{"128.9.0.32/0xffFF",		NULL},
-	{"128.9.0.32.27/32",		NULL},
-	{"128.9.0k32/32",		NULL},
-	{"328.9.0.32/32",		NULL},
-	{"128.9..32/32",		NULL},
-	{"10/8",			"10.0.0.0/8"},
-	{"10.0/8",			"10.0.0.0/8"},
-	{"10.0.0/8",			"10.0.0.0/8"},
-	{"10.0.1/24",			"10.0.1.0/24"},
-	{"_",				NULL},
-	{"_/_",				NULL},
-	{"1.2.3.1",			NULL},
-	{"1.2.3.1/_",			NULL},
-	{"1.2.3.1/24._",		NULL},
-	{"1.2.3.1/99",			NULL},
-	{"localhost/32",		"127.0.0.1/32"},
-	{"%default",			"0.0.0.0/0"},
-	{NULL,				NULL}
-};
-
-void
-regress()
-{
-	struct rtab *r;
-	int status = 0;
-	struct in_addr a;
-	struct in_addr m;
-	char in[100];
-	char buf[100];
-	const char *oops;
-	size_t n;
-
-	for (r = rtab; r->input != NULL; r++) {
-		strcpy(in, r->input);
-		oops = atosubnet(in, 0, &a, &m);
-		if (oops != NULL && r->output == NULL)
-			{}		/* okay, error expected */
-		else if (oops != NULL) {
-			printf("`%s' atosubnet failed: %s\n", r->input, oops);
-			status = 1;
-		} else if (r->output == NULL) {
-			printf("`%s' atosubnet succeeded unexpectedly\n",
-								r->input);
-			status = 1;
-		} else {
-			n = subnettoa(a, m, 0, buf, sizeof(buf));
-			if (n > sizeof(buf)) {
-				printf("`%s' subnettoa failed:  need %ld\n",
-							r->input, (long)n);
-				status = 1;
-			} else if (strcmp(r->output, buf) != 0) {
-				printf("`%s' gave `%s', expected `%s'\n",
-						r->input, buf, r->output);
-				status = 1;
-			}
-		}
-	}
-	exit(status);
-}
-
-#endif /* ATOSUBNET_MAIN */
diff --git a/src/libfreeswan/atoul.3 b/src/libfreeswan/atoul.3
deleted file mode 100644
index 6737b6b54..000000000
--- a/src/libfreeswan/atoul.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.TH IPSEC_ATOUL 3 "11 June 2001"
-.SH NAME
-ipsec atoul, ultoa \- convert unsigned-long numbers to and from ASCII
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *atoul(const char *src, size_t srclen,"
-.ti +1c
-.B "int base, unsigned long *n);"
-.br
-.B "size_t ultoa(unsigned long n, int base, char *dst,"
-.ti +1c
-.B "size_t dstlen);"
-.SH DESCRIPTION
-These functions are obsolete; see
-.IR ipsec_ttoul (3)
-for their replacements.
-.PP
-.I Atoul
-converts an ASCII number into a binary
-.B "unsigned long"
-value.
-.I Ultoa
-does the reverse conversion, back to an ASCII version.
-.PP
-Numbers are specified in ASCII as
-decimal (e.g.
-.BR 123 ),
-octal with a leading zero (e.g.
-.BR 012 ,
-which has value 10),
-or hexadecimal with a leading
-.B 0x
-(e.g.
-.BR 0x1f ,
-which has value 31)
-in either upper or lower case.
-.PP
-The
-.I srclen
-parameter of
-.I atoul
-specifies the length of the ASCII string pointed to by
-.IR src ;
-it is an error for there to be anything else
-(e.g., a terminating NUL) within that length.
-As a convenience for cases where an entire NUL-terminated string is
-to be converted,
-a
-.I srclen
-value of
-.B 0
-is taken to mean
-.BR strlen(src) .
-.PP
-The
-.I base
-parameter of
-.I atoul
-can be
-.BR 8 ,
-.BR 10 ,
-or
-.BR 16 ,
-in which case the number supplied is assumed to be of that form
-(and in the case of
-.BR 16 ,
-to lack any
-.B 0x
-prefix).
-It can also be
-.BR 0 ,
-in which case the number is examined for a leading zero
-or a leading
-.B 0x
-to determine its base,
-or
-.B 13
-(halfway between 10 and 16),
-which has the same effect as
-.B 0
-except that a non-hexadecimal
-number is considered decimal regardless of any leading zero.
-.PP
-The
-.I dstlen
-parameter of
-.I ultoa
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-.PP
-The
-.I base
-parameter of
-.I ultoa
-must be
-.BR 8 ,
-.BR 10 ,
-or
-.BR 16 .
-.PP
-.I Atoul
-returns NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.I Ultoa
-returns the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL;
-it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred.
-.SH SEE ALSO
-atol(3), strtoul(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I atoul
-are:
-empty input;
-unknown
-.IR base ;
-non-digit character found;
-number too large for an
-.BR "unsigned long" .
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-There is no provision for reporting an invalid
-.I base
-parameter given to
-.IR ultoa .
-.PP
-The restriction of error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The error-reporting convention lends itself to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = atoul( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/atoul.c b/src/libfreeswan/atoul.c
deleted file mode 100644
index d8e1528cb..000000000
--- a/src/libfreeswan/atoul.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * convert from ASCII form of unsigned long to binary
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - atoul - convert ASCII substring to unsigned long number
- */
-const char *			/* NULL for success, else string literal */
-atoul(src, srclen, base, resultp)
-const char *src;
-size_t srclen;			/* 0 means strlen(src) */
-int base;			/* 0 means figure it out */
-unsigned long *resultp;
-{
-	const char *stop;
-	static char hex[] = "0123456789abcdef";
-	static char uchex[] = "0123456789ABCDEF";
-	int d;
-	char c;
-	char *p;
-	unsigned long r;
-	unsigned long rlimit;
-	int dlimit;
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-
-	if (base == 0 || base == 13) {
-		if (srclen > 2 && *src == '0' && CIEQ(*(src+1), 'x'))
-			return atoul(src+2, srclen-2, 16, resultp);
-		if (srclen > 1 && *src == '0' && base != 13)
-			return atoul(src+1, srclen-1, 8, resultp);
-		return atoul(src, srclen, 10, resultp);
-	}
-	if (base != 8 && base != 10 && base != 16)
-		return "unsupported number base";
-
-	r = 0;
-	stop = src + srclen;
-	if (base == 16) {
-		while (src < stop) {
-			c = *src++;
-			p = strchr(hex, c);
-			if (p != NULL)
-				d = p - hex;
-			else {
-				p = strchr(uchex, c);
-				if (p == NULL)
-					return "non-hex-digit in hex number";
-				d = p - uchex;
-			}
-			r = (r << 4) | d;
-		}
-		/* defer length check to catch invalid digits first */
-		if (srclen > sizeof(unsigned long) * 2)
-			return "hex number too long";
-	} else {
-		rlimit = ULONG_MAX / base;
-		dlimit = (int)(ULONG_MAX - rlimit*base);
-		while (src < stop) {
-			c = *src++;
-			d = c - '0';
-			if (d < 0 || d >= base)
-				return "non-digit in number";
-			if (r > rlimit || (r == rlimit && d > dlimit))
-				return "unsigned-long overflow";
-			r = r*base + d;
-		}
-	}
-
-	*resultp = r;
-	return NULL;
-}
diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c
deleted file mode 100644
index e55e849f7..000000000
--- a/src/libfreeswan/copyright.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * return IPsec copyright notice
- * Copyright (C) 2001, 2002  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-static const char *co[] = {
- "Copyright (C) 1999-2009  Henry Spencer, Richard Guy Briggs,",
- "    D. Hugh Redelmeier, Sandy Harris, Claudia Schmeing,",
- "    Michael Richardson, Angelos D. Keromytis, John Ioannidis,",
- "",
- "    Ken Bantoft, Stephen J. Bevan, JuanJo Ciarlante, Mathieu Lafon,",
- "    Stephane Laroche, Kai Martius, Stephan Scholz, Tuomo Soini, Herbert Xu,",
- "",
- "    Martin Berner, Marco Bertossa, David Buechi, Ueli Galizzi,",
- "    Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,",
- "    Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,",
- "    Roger Wegmann, Simon Zwahlen,",
- "    ZHW Zuercher Hochschule Winterthur (Switzerland).",
- "",
- "    Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,",
- "    Andreas Eigenmann, Fabian Hartmann, Noah Heusser, Jan Hutter,",
- "    Thomas Kallenberg, Daniel Roethlisberger, Joel Stillhart, Martin Willi,",
- "    Daniel Wydler, Andreas Steffen,",
- "    HSR Hochschule fuer Technik Rapperswil (Switzerland).",
- "",
- "This program is free software; you can redistribute it and/or modify it",
- "under the terms of the GNU General Public License as published by the",
- "Free Software Foundation; either version 2 of the License, or (at your",
- "option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.",
- "",
- "This program is distributed in the hope that it will be useful, but",
- "WITHOUT ANY WARRANTY; without even the implied warranty of",
- "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General",
- "Public License (file COPYING in the distribution) for more details.",
- NULL
-};
-
-/*
- - ipsec_copyright_notice - return copyright notice, as a vector of strings
- */
-const char **
-ipsec_copyright_notice()
-{
-	return co;
-}
diff --git a/src/libfreeswan/datatot.c b/src/libfreeswan/datatot.c
deleted file mode 100644
index e3b9d6417..000000000
--- a/src/libfreeswan/datatot.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * convert from binary data (e.g. key) to text form
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-static void convert(const char *src, size_t nreal, int format, char *out);
-
-/*
- - datatot - convert data bytes to text
- */
-size_t				/* true length (with NUL) for success */
-datatot(src, srclen, format, dst, dstlen)
-const char *src;
-size_t srclen;
-int format;			/* character indicating what format */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	size_t inblocksize;	/* process this many bytes at a time */
-	size_t outblocksize;	/* producing this many */
-	size_t breakevery;	/* add a _ every this many (0 means don't) */
-	size_t sincebreak;	/* output bytes since last _ */
-	char breakchar;		/* character used to break between groups */
-	char inblock[10];	/* enough for any format */
-	char outblock[10];	/* enough for any format */
-	char fake[1];		/* fake output area for dstlen == 0 */
-	size_t needed;		/* return value */
-	char *stop;		/* where the terminating NUL will go */
-	size_t ntodo;		/* remaining input */
-	size_t nreal;
-	char *out;
-	char *prefix;
-
-	breakevery = 0;
-	breakchar = '_';
-
-	switch (format) {
-	case 0:
-	case 'h':
-		format = 'x';
-		breakevery = 8;
-		/* FALLTHROUGH */
-	case 'x':
-		inblocksize = 1;
-		outblocksize = 2;
-		prefix = "0x";
-		break;
-	case ':':
-		breakevery = 2;
-		breakchar = ':';
-		/* FALLTHROUGH */
-	case 16:
-		inblocksize = 1;
-		outblocksize = 2;
-		prefix = "";
-		format = 'x';
-		break;
-	case 's':
-		inblocksize = 3;
-		outblocksize = 4;
-		prefix = "0s";
-		break;
-	case 64:		/* beware, equals ' ' */
-		inblocksize = 3;
-		outblocksize = 4;
-		prefix = "";
-		format = 's';
-		break;
-	default:
-		return 0;
-		break;
-	}
-	assert(inblocksize < sizeof(inblock));
-	assert(outblocksize < sizeof(outblock));
-	assert(breakevery % outblocksize == 0);
-
-	if (srclen == 0)
-		return 0;
-	ntodo = srclen;
-
-	if (dstlen == 0) {	/* dispose of awkward special case */
-		dst = fake;
-		dstlen = 1;
-	}
-	stop = dst + dstlen - 1;
-
-	nreal = strlen(prefix);
-	needed = nreal;			/* for starters */
-	if (dstlen <= nreal) {		/* prefix won't fit */
-		strncpy(dst, prefix, dstlen - 1);
-		dst += dstlen - 1;
-	} else {
-		strcpy(dst, prefix);
-		dst += nreal;
-	}
-	assert(dst <= stop);
-	sincebreak = 0;
-
-	while (ntodo > 0) {
-		if (ntodo < inblocksize) {	/* incomplete input */
-			memset(inblock, 0, sizeof(inblock));
-			memcpy(inblock, src, ntodo);
-			src = inblock;
-			nreal = ntodo;
-			ntodo = inblocksize;
-		} else
-			nreal = inblocksize;
-		out = (outblocksize > stop - dst) ? outblock : dst;
-
-		convert(src, nreal, format, out);
-		needed += outblocksize;
-		sincebreak += outblocksize;
-		if (dst < stop) {
-			if (out != dst) {
-				assert(outblocksize > stop - dst);
-				memcpy(dst, out, stop - dst);
-				dst = stop;
-			} else
-				dst += outblocksize;
-		}
-
-		src += inblocksize;
-		ntodo -= inblocksize;
-		if (breakevery != 0 && sincebreak >= breakevery && ntodo > 0) {
-			if (dst < stop)
-				*dst++ = breakchar;
-			needed++;
-			sincebreak = 0;
-		}
-	}
-
-	assert(dst <= stop);
-	*dst++ = '\0';
-	needed++;
-
-	return needed;
-}
-
-/*
- - convert - convert one input block to one output block
- */
-static void
-convert(src, nreal, format, out)
-const char *src;
-size_t nreal;			/* how much of the input block is real */
-int format;
-char *out;
-{
-	static char hex[] = "0123456789abcdef";
-	static char base64[] =	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-				"abcdefghijklmnopqrstuvwxyz"
-				"0123456789+/";
-	unsigned char c;
-	unsigned char c1, c2, c3;
-
-	assert(nreal > 0);
-	switch (format) {
-	case 'x':
-		assert(nreal == 1);
-		c = (unsigned char)*src;
-		*out++ = hex[c >> 4];
-		*out++ = hex[c & 0xf];
-		break;
-	case 's':
-		c1 = (unsigned char)*src++;
-		c2 = (unsigned char)*src++;
-		c3 = (unsigned char)*src++;
-		*out++ = base64[c1 >> 2];	/* top 6 bits of c1 */
-		c = (c1 & 0x3) << 4;		/* bottom 2 of c1... */
-		c |= c2 >> 4;			/* ...top 4 of c2 */
-		*out++ = base64[c];
-		if (nreal == 1)
-			*out++ = '=';
-		else {
-			c = (c2 & 0xf) << 2;	/* bottom 4 of c2... */
-			c |= c3 >> 6;		/* ...top 2 of c3 */
-			*out++ = base64[c];
-		}
-		if (nreal <= 2)
-			*out++ = '=';
-		else
-			*out++ = base64[c3 & 0x3f];	/* bottom 6 of c3 */
-		break;
-	default:
-		assert(nreal == 0);	/* unknown format */
-		break;
-	}
-}
-
-/*
- - datatoa - convert data to ASCII
- * backward-compatibility synonym for datatot
- */
-size_t				/* true length (with NUL) for success */
-datatoa(src, srclen, format, dst, dstlen)
-const char *src;
-size_t srclen;
-int format;			/* character indicating what format */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	return datatot(src, srclen, format, dst, dstlen);
-}
-
-/*
- - bytestoa - convert data bytes to ASCII
- * backward-compatibility synonym for datatot
- */
-size_t				/* true length (with NUL) for success */
-bytestoa(src, srclen, format, dst, dstlen)
-const char *src;
-size_t srclen;
-int format;			/* character indicating what format */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	return datatot(src, srclen, format, dst, dstlen);
-}
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
deleted file mode 100644
index 724165bde..000000000
--- a/src/libfreeswan/freeswan.h
+++ /dev/null
@@ -1,371 +0,0 @@
-#ifndef _FREESWAN_H
-/*
- * header file for FreeS/WAN library functions
- * Copyright (C) 1998, 1999, 2000  Henry Spencer.
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#define	_FREESWAN_H	/* seen it, no need to see it again */
-
-#  include <sys/types.h>
-#  include <stdio.h>
-#  include <netinet/in.h>
-
-#  define DEBUG_NO_STATIC static
-
-#include <ipsec_param.h>
-#include <utils.h>
-
-/*
- * We assume header files have IPv6 (i.e. kernel version >= 2.1.0)
- */
-#define NET_21
-
-#ifndef IPPROTO_COMP
-#  define IPPROTO_COMP 108
-#endif /* !IPPROTO_COMP */
-
-#ifndef IPPROTO_INT
-#  define IPPROTO_INT 61
-#endif /* !IPPROTO_INT */
-
-#ifdef CONFIG_IPSEC_DEBUG
-#  define DEBUG_NO_STATIC
-#else /* CONFIG_IPSEC_DEBUG */
-#  define DEBUG_NO_STATIC static
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define ESPINUDP_WITH_NON_IKE   1  /* draft-ietf-ipsec-nat-t-ike-00/01 */
-#define ESPINUDP_WITH_NON_ESP   2  /* draft-ietf-ipsec-nat-t-ike-02    */
-
-/*
- * Basic data types for the address-handling functions.
- * ip_address and ip_subnet are supposed to be opaque types; do not
- * use their definitions directly, they are subject to change!
- */
-
-/* then the main types */
-typedef struct {
-	union {
-		struct sockaddr_in v4;
-		struct sockaddr_in6 v6;
-	} u;
-} ip_address;
-typedef struct {
-	ip_address addr;
-	int maskbits;
-} ip_subnet;
-
-/* and the SA ID stuff */
-typedef u_int32_t ipsec_spi_t;
-typedef struct {		/* to identify an SA, we need: */
-        ip_address dst;		/* A. destination host */
-        ipsec_spi_t spi;	/* B. 32-bit SPI, assigned by dest. host */
-#		define	SPI_PASS	256	/* magic values... */
-#		define	SPI_DROP	257	/* ...for use... */
-#		define	SPI_REJECT	258	/* ...with SA_INT */
-#		define	SPI_HOLD	259
-#		define	SPI_TRAP	260
-#		define  SPI_TRAPSUBNET  261
-	int proto;		/* C. protocol */
-#		define	SA_ESP	50	/* IPPROTO_ESP */
-#		define	SA_AH	51	/* IPPROTO_AH */
-#		define	SA_IPIP	4	/* IPPROTO_IPIP */
-#		define	SA_COMP	108	/* IPPROTO_COMP */
-#		define	SA_INT	61	/* IANA reserved for internal use */
-} ip_said;
-struct sa_id {			/* old v4-only version */
-        struct in_addr dst;
-        ipsec_spi_t spi;
-	int proto;
-};
-
-/* misc */
-struct prng {			/* pseudo-random-number-generator guts */
-	unsigned char sbox[256];
-	int i, j;
-	unsigned long count;
-};
-
-
-/*
- * definitions for user space, taken from freeswan/ipsec_sa.h
- */
-typedef uint32_t IPsecSAref_t;
-
-#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
-
-#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
-
-#define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
-#define NFmark2IPsecSAref(x) ((x) >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
-
-#define IPSEC_SAREF_NULL (~((IPsecSAref_t)0))
-
-/* GCC magic for use in function definitions! */
-#ifdef GCC_LINT
-# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1)))
-# define NEVER_RETURNS __attribute__ ((noreturn))
-# define UNUSED __attribute__ ((unused))
-# define BLANK_FORMAT " "	/* GCC_LINT whines about empty formats */
-#else
-# define PRINTF_LIKE(n)	/* ignore */
-# define NEVER_RETURNS /* ignore */
-# define UNUSED /* ignore */
-# define BLANK_FORMAT ""
-#endif
-
-
-
-
-
-/*
- * new IPv6-compatible functions
- */
-
-/* text conversions */
-err_t ttoul(const char *src, size_t srclen, int format, unsigned long *dst);
-size_t ultot(unsigned long src, int format, char *buf, size_t buflen);
-#define	ULTOT_BUF	(22+1)	/* holds 64 bits in octal */
-err_t ttoaddr(const char *src, size_t srclen, int af, ip_address *dst);
-err_t tnatoaddr(const char *src, size_t srclen, int af, ip_address *dst);
-size_t addrtot(const ip_address *src, int format, char *buf, size_t buflen);
-/* RFC 1886 old IPv6 reverse-lookup format is the bulkiest */
-#define	ADDRTOT_BUF	(32*2 + 3 + 1 + 3 + 1 + 1)
-err_t ttosubnet(const char *src, size_t srclen, int af, ip_subnet *dst);
-size_t subnettot(const ip_subnet *src, int format, char *buf, size_t buflen);
-#define	SUBNETTOT_BUF	(ADDRTOT_BUF + 1 + 3)
-err_t ttosa(const char *src, size_t srclen, ip_said *dst);
-size_t satot(const ip_said *src, int format, char *bufptr, size_t buflen);
-#define	SATOT_BUF	(5 + ULTOA_BUF + 1 + ADDRTOT_BUF)
-err_t ttodata(const char *src, size_t srclen, int base, char *buf,
-						size_t buflen, size_t *needed);
-err_t ttodatav(const char *src, size_t srclen, int base,
-	       char *buf,  size_t buflen, size_t *needed,
-	       char *errp, size_t errlen, unsigned int flags);
-#define	TTODATAV_BUF	40	/* ttodatav's largest non-literal message */
-#define TTODATAV_IGNORESPACE  (1<<1)  /* ignore spaces in base64 encodings*/
-#define TTODATAV_SPACECOUNTS  0       /* do not ignore spaces in base64   */
-
-size_t datatot(const char *src, size_t srclen, int format, char *buf,
-								size_t buflen);
-err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port,
-							bool *has_port_wildcard);
-
-/* initializations */
-void initsaid(const ip_address *addr, ipsec_spi_t spi, int proto, ip_said *dst);
-err_t loopbackaddr(int af, ip_address *dst);
-err_t unspecaddr(int af, ip_address *dst);
-err_t anyaddr(int af, ip_address *dst);
-err_t initaddr(const unsigned char *src, size_t srclen, int af, ip_address *dst);
-err_t initsubnet(const ip_address *addr, int maskbits, int clash, ip_subnet *dst);
-err_t addrtosubnet(const ip_address *addr, ip_subnet *dst);
-
-/* misc. conversions and related */
-err_t rangetosubnet(const ip_address *from, const ip_address *to, ip_subnet *dst);
-int addrtypeof(const ip_address *src);
-int subnettypeof(const ip_subnet *src);
-size_t addrlenof(const ip_address *src);
-size_t addrbytesptr(const ip_address *src, const unsigned char **dst);
-size_t addrbytesof(const ip_address *src, unsigned char *dst, size_t dstlen);
-int masktocount(const ip_address *src);
-void networkof(const ip_subnet *src, ip_address *dst);
-void maskof(const ip_subnet *src, ip_address *dst);
-
-/* tests */
-int sameaddr(const ip_address *a, const ip_address *b);
-int addrcmp(const ip_address *a, const ip_address *b);
-int samesubnet(const ip_subnet *a, const ip_subnet *b);
-int addrinsubnet(const ip_address *a, const ip_subnet *s);
-int subnetinsubnet(const ip_subnet *a, const ip_subnet *b);
-int subnetishost(const ip_subnet *s);
-int samesaid(const ip_said *a, const ip_said *b);
-int sameaddrtype(const ip_address *a, const ip_address *b);
-int samesubnettype(const ip_subnet *a, const ip_subnet *b);
-int isanyaddr(const ip_address *src);
-int isunspecaddr(const ip_address *src);
-int isloopbackaddr(const ip_address *src);
-
-/* low-level grot */
-int portof(const ip_address *src);
-void setportof(int port, ip_address *dst);
-struct sockaddr *sockaddrof(ip_address *src);
-size_t sockaddrlenof(const ip_address *src);
-
-/* odds and ends */
-const char **ipsec_copyright_notice(void);
-
-const char *dns_string_rr(int rr, char *buf, int bufsize);
-const char *dns_string_datetime(time_t seconds,
-				char *buf,
-				int bufsize);
-
-
-/*
- * old functions, to be deleted eventually
- */
-
-/* unsigned long */
-const char *			/* NULL for success, else string literal */
-atoul(
-	const char *src,
-	size_t srclen,		/* 0 means strlen(src) */
-	int base,		/* 0 means figure it out */
-	unsigned long *resultp
-);
-size_t				/* space needed for full conversion */
-ultoa(
-	unsigned long n,
-	int base,
-	char *dst,
-	size_t dstlen
-);
-#define	ULTOA_BUF	21	/* just large enough for largest result, */
-				/* assuming 64-bit unsigned long! */
-
-/* Internet addresses */
-const char *			/* NULL for success, else string literal */
-atoaddr(
-	const char *src,
-	size_t srclen,		/* 0 means strlen(src) */
-	struct in_addr *addr
-);
-size_t				/* space needed for full conversion */
-addrtoa(
-	struct in_addr addr,
-	int format,		/* character; 0 means default */
-	char *dst,
-	size_t dstlen
-);
-#define	ADDRTOA_BUF	16	/* just large enough for largest result */
-
-/* subnets */
-const char *			/* NULL for success, else string literal */
-atosubnet(
-	const char *src,
-	size_t srclen,		/* 0 means strlen(src) */
-	struct in_addr *addr,
-	struct in_addr *mask
-);
-size_t				/* space needed for full conversion */
-subnettoa(
-	struct in_addr addr,
-	struct in_addr mask,
-	int format,		/* character; 0 means default */
-	char *dst,
-	size_t dstlen
-);
-#define	SUBNETTOA_BUF	32	/* large enough for worst case result */
-
-/* ranges */
-const char *			/* NULL for success, else string literal */
-atoasr(
-	const char *src,
-	size_t srclen,		/* 0 means strlen(src) */
-	char *type,		/* 'a', 's', 'r' */
-	struct in_addr *addrs	/* two-element array */
-);
-size_t				/* space needed for full conversion */
-rangetoa(
-	struct in_addr *addrs,	/* two-element array */
-	int format,		/* character; 0 means default */
-	char *dst,
-	size_t dstlen
-);
-#define	RANGETOA_BUF	34	/* large enough for worst case result */
-
-/* generic data, e.g. keys */
-const char *			/* NULL for success, else string literal */
-atobytes(
-	const char *src,
-	size_t srclen,		/* 0 means strlen(src) */
-	char *dst,
-	size_t dstlen,
-	size_t *lenp		/* NULL means don't bother telling me */
-);
-size_t				/* 0 failure, else true size */
-bytestoa(
-	const char *src,
-	size_t srclen,
-	int format,		/* character; 0 means default */
-	char *dst,
-	size_t dstlen
-);
-
-/* old versions of generic-data functions; deprecated */
-size_t				/* 0 failure, else true size */
-atodata(
-	const char *src,
-	size_t srclen,		/* 0 means strlen(src) */
-	char *dst,
-	size_t dstlen
-);
-size_t				/* 0 failure, else true size */
-datatoa(
-	const char *src,
-	size_t srclen,
-	int format,		/* character; 0 means default */
-	char *dst,
-	size_t dstlen
-);
-
-/* part extraction and special addresses */
-struct in_addr
-subnetof(
-	struct in_addr addr,
-	struct in_addr mask
-);
-struct in_addr
-hostof(
-	struct in_addr addr,
-	struct in_addr mask
-);
-struct in_addr
-broadcastof(
-	struct in_addr addr,
-	struct in_addr mask
-);
-
-/* mask handling */
-int
-goodmask(
-	struct in_addr mask
-);
-int
-masktobits(
-	struct in_addr mask
-);
-struct in_addr
-bitstomask(
-	int n
-);
-
-/*
- * Debugging levels for pfkey_lib_debug
- */
-#define PF_KEY_DEBUG_PARSE_NONE    0
-#define PF_KEY_DEBUG_PARSE_PROBLEM 1
-#define PF_KEY_DEBUG_PARSE_STRUCT  2
-#define PF_KEY_DEBUG_PARSE_FLOW    4
-#define PF_KEY_DEBUG_PARSE_MAX     7
-
-extern unsigned int pfkey_lib_debug;  /* bits selecting what to report */
-
-/*
- * pluto and lwdnsq need to know the maximum size of the commands to,
- * and replies from lwdnsq.
- */
-
-#define LWDNSQ_CMDBUF_LEN      1024
-#define LWDNSQ_RESULT_LEN_MAX  4096
-
-#endif /* _FREESWAN_H */
diff --git a/src/libfreeswan/goodmask.3 b/src/libfreeswan/goodmask.3
deleted file mode 100644
index b76d431ca..000000000
--- a/src/libfreeswan/goodmask.3
+++ /dev/null
@@ -1,56 +0,0 @@
-.TH IPSEC_GOODMASK 3 "11 June 2001"
-.SH NAME
-ipsec goodmask \- is this Internet subnet mask a valid one?
-.br
-ipsec masktobits \- convert Internet subnet mask to bit count
-.br
-ipsec bitstomask \- convert bit count to Internet subnet mask
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "int goodmask(struct in_addr mask);"
-.br
-.B "int masktobits(struct in_addr mask);"
-.br
-.B "struct in_addr bitstomask(int n);"
-.SH DESCRIPTION
-These functions are obsolete;
-see
-.IR ipsec_masktocount (3)
-for a partial replacement.
-.PP
-.I Goodmask
-reports whether the subnet
-.I mask
-is a valid one,
-i.e. consists of a (possibly empty) sequence of
-.BR 1 s
-followed by a (possibly empty) sequence of
-.BR 0 s.
-.I Masktobits
-takes a (valid) subnet mask and returns the number of
-.B 1
-bits in it.
-.I Bitstomask
-reverses this,
-returning the subnet mask corresponding to bit count
-.IR n .
-.PP
-All masks are in network byte order.
-.SH SEE ALSO
-inet(3), ipsec_atosubnet(3)
-.SH DIAGNOSTICS
-.I Masktobits
-returns
-.B \-1
-for an invalid mask.
-.I Bitstomask
-returns an all-zeros mask for a negative or out-of-range
-.IR n .
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The error-reporting convention of
-.I bitstomask
-is less than ideal;
-zero is sometimes a legitimate mask.
diff --git a/src/libfreeswan/goodmask.c b/src/libfreeswan/goodmask.c
deleted file mode 100644
index 66edae20f..000000000
--- a/src/libfreeswan/goodmask.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * minor utilities for subnet-mask manipulation
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - goodmask - is this a good (^1*0*$) subnet mask?
- * You are not expected to understand this.  See Henry S. Warren Jr,
- * "Functions realizable with word-parallel logical and two's-complement
- * addition instructions", CACM 20.6 (June 1977), p.439.
- */
-int				/* predicate */
-goodmask(mask)
-struct in_addr mask;
-{
-	unsigned long x = ntohl(mask.s_addr);
-	/* clear rightmost contiguous string of 1-bits */
-#	define	CRCS1B(x)	(((x|(x-1))+1)&x)
-#	define	TOPBIT		(1UL << 31)
-
-	/* either zero, or has one string of 1-bits which is left-justified */
-	if (x == 0 || (CRCS1B(x) == 0 && (x&TOPBIT)))
-		return 1;
-	return 0;
-}
-
-/*
- - masktobits - how many bits in this mask?
- * The algorithm is essentially a binary search, but highly optimized
- * for this particular task.
- */
-int				/* -1 means !goodmask() */
-masktobits(mask)
-struct in_addr mask;
-{
-	unsigned long m = ntohl(mask.s_addr);
-	int masklen;
-
-	if (!goodmask(mask))
-		return -1;
-
-	if (m&0x00000001UL)
-		return 32;
-	masklen = 0;
-	if (m&(0x0000ffffUL<<1)) {	/* <<1 for 1-origin numbering */
-		masklen |= 0x10;
-		m <<= 16;
-	}
-	if (m&(0x00ff0000UL<<1)) {
-		masklen |= 0x08;
-		m <<= 8;
-	}
-	if (m&(0x0f000000UL<<1)) {
-		masklen |= 0x04;
-		m <<= 4;
-	}
-	if (m&(0x30000000UL<<1)) {
-		masklen |= 0x02;
-		m <<= 2;
-	}
-	if (m&(0x40000000UL<<1))
-		masklen |= 0x01;
-
-	return masklen;
-}
-
-/*
- - bitstomask - return a mask with this many high bits on
- */
-struct in_addr
-bitstomask(n)
-int n;
-{
-	struct in_addr result;
-
-	if (n > 0 && n <= ABITS)
-		result.s_addr = htonl(~((1UL << (ABITS - n)) - 1));
-	else if (n == 0)
-		result.s_addr = 0;
-	else
-		result.s_addr = 0;	/* best error report we can do */
-	return result;
-}
diff --git a/src/libfreeswan/initaddr.3 b/src/libfreeswan/initaddr.3
deleted file mode 100644
index 071e507aa..000000000
--- a/src/libfreeswan/initaddr.3
+++ /dev/null
@@ -1,128 +0,0 @@
-.TH IPSEC_INITADDR 3 "11 Sept 2000"
-.SH NAME
-ipsec initaddr \- initialize an ip_address
-.br
-ipsec addrtypeof \- get address type of an ip_address
-.br
-ipsec addrlenof \- get length of address within an ip_address
-.br
-ipsec addrbytesof \- get copy of address within an ip_address
-.br
-ipsec addrbytesptr \- get pointer to address within an ip_address
-.SH SYNOPSIS
-.B "#include <freeswan.h>"
-.sp
-.B "const char *initaddr(const char *src, size_t srclen,"
-.ti +1c
-.B "int af, ip_address *dst);"
-.br
-.B "int addrtypeof(const ip_address *src);"
-.br
-.B "size_t addrlenof(const ip_address *src);"
-.br
-.B "size_t addrbytesof(const ip_address *src,"
-.ti +1c
-.B "unsigned char *dst, size_t dstlen);"
-.br
-.B "size_t addrbytesptr(const ip_address *src,"
-.ti +1c
-.B "const unsigned char **dst);"
-.SH DESCRIPTION
-The
-.B <freeswan.h>
-library uses an internal type
-.I ip_address
-to contain one of the (currently two) types of IP address.
-These functions provide basic tools for creating and examining this type.
-.PP
-.I Initaddr
-initializes a variable
-.I *dst
-of type
-.I ip_address
-from an address
-(in network byte order,
-indicated by a pointer
-.I src
-and a length
-.IR srclen )
-and an address family
-.I af
-(typically
-.B AF_INET
-or
-.BR AF_INET6 ).
-The length must be consistent with the address family.
-.PP
-.I Addrtypeof
-returns the address type of an address,
-normally
-.B AF_INET
-or
-.BR AF_INET6 .
-(The
-.B <freeswan.h>
-header file arranges to include the necessary headers for these
-names to be known.)
-.PP
-.I Addrlenof
-returns the size (in bytes) of the address within an
-.IR ip_address ,
-to permit storage allocation etc.
-.PP
-.I Addrbytesof
-copies the address within the
-.I ip_address
-.I src
-to the buffer indicated by the pointer
-.I dst
-and the length
-.IR dstlen ,
-and returns the address length (in bytes).
-If the address will not fit,
-as many bytes as will fit are copied;
-the returned length is still the full length.
-It is the caller's responsibility to check the
-returned value to ensure that there was enough room.
-.PP
-.I Addrbytesptr
-sets
-.I *dst
-to a pointer to the internal address within the
-.IR ip_address ,
-and returns the address length (in bytes).
-If
-.I dst
-is
-.BR NULL ,
-it just returns the address length.
-The pointer points to
-.B const
-to discourage misuse.
-.PP
-.I Initaddr
-returns
-.B NULL
-for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.PP
-The functions which return
-.I size_t
-return
-.B 0
-for a failure.
-.SH SEE ALSO
-inet(3), ipsec_ttoaddr(3)
-.SH DIAGNOSTICS
-An unknown address family is a fatal error for any of these functions
-except
-.IR addrtypeof .
-An address-size mismatch is a fatal error for
-.IR initaddr .
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-.I Addrtypeof
-should probably have been named
-.IR addrfamilyof .
diff --git a/src/libfreeswan/initaddr.c b/src/libfreeswan/initaddr.c
deleted file mode 100644
index c84006f47..000000000
--- a/src/libfreeswan/initaddr.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * initialize address structure
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - initaddr - initialize ip_address from bytes
- */
-err_t				/* NULL for success, else string literal */
-initaddr(src, srclen, af, dst)
-const unsigned char *src;
-size_t srclen;
-int af;				/* address family */
-ip_address *dst;
-{
-	switch (af) {
-	case AF_INET:
-		if (srclen != 4)
-			return "IPv4 address must be exactly 4 bytes";
-		dst->u.v4.sin_family = af;
-		dst->u.v4.sin_port = 0;		/* unused */
-		memcpy((char *)&dst->u.v4.sin_addr.s_addr, src, srclen);
-		break;
-	case AF_INET6:
-		if (srclen != 16)
-			return "IPv6 address must be exactly 16 bytes";
-		dst->u.v6.sin6_family = af;
-		dst->u.v6.sin6_flowinfo = 0;		/* unused */
-		dst->u.v6.sin6_port = 0;		/* unused */
-		memcpy((char *)&dst->u.v6.sin6_addr, src, srclen);
-		break;
-	default:
-		return "unknown address family in initaddr";
-		break;
-	}
-	return NULL;
-}
diff --git a/src/libfreeswan/initsaid.c b/src/libfreeswan/initsaid.c
deleted file mode 100644
index 4e4bc9a35..000000000
--- a/src/libfreeswan/initsaid.c
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * initialize SA ID structure
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - initsaid - initialize SA ID from bits
- */
-void
-initsaid(addr, spi, proto, dst)
-const ip_address *addr;
-ipsec_spi_t spi;
-int proto;
-ip_said *dst;
-{
-	dst->dst = *addr;
-	dst->spi = spi;
-	dst->proto = proto;
-}
diff --git a/src/libfreeswan/initsubnet.3 b/src/libfreeswan/initsubnet.3
deleted file mode 100644
index 3545fd426..000000000
--- a/src/libfreeswan/initsubnet.3
+++ /dev/null
@@ -1,136 +0,0 @@
-.TH IPSEC_INITSUBNET 3 "12 March 2002"
-.SH NAME
-ipsec initsubnet \- initialize an ip_subnet
-.br
-ipsec addrtosubnet \- initialize a singleton ip_subnet
-.br
-ipsec subnettypeof \- get address type of an ip_subnet
-.br
-ipsec masktocount \- convert subnet mask to bit count
-.br
-ipsec networkof \- get base address of an ip_subnet
-.br
-ipsec maskof \- get subnet mask of an ip_subnet
-.SH SYNOPSIS
-.B "#include <freeswan.h>"
-.sp
-.B "const char *initsubnet(const ip_address *addr,"
-.ti +1c
-.B "int maskbits, int clash, ip_subnet *dst);"
-.br
-.B "const char *addrtosubnet(const ip_address *addr,"
-.ti +1c
-.B "ip_subnet *dst);"
-.sp
-.B "int subnettypeof(const ip_subnet *src);"
-.br
-.B "int masktocount(const ip_address *src);"
-.br
-.B "void networkof(const ip_subnet *src, ip_address *dst);"
-.br
-.B "void maskof(const ip_subnet *src, ip_address *dst);"
-.SH DESCRIPTION
-The
-.B <freeswan.h>
-library uses an internal type
-.I ip_subnet
-to contain a description of an IP subnet
-(base address plus mask).
-These functions provide basic tools for creating and examining this type.
-.PP
-.I Initsubnet
-initializes a variable
-.I *dst
-of type
-.I ip_subnet
-from a base address and
-a count of mask bits.
-The
-.I clash
-parameter specifies what to do if the base address includes
-.B 1
-bits outside the prefix specified by the mask
-(that is, in the ``host number'' part of the address):
-.RS
-.IP '0' 5
-zero out host-number bits
-.IP 'x'
-non-zero host-number bits are an error
-.RE
-.PP
-.I Initsubnet
-returns
-.B NULL
-for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.PP
-.I Addrtosubnet
-initializes an
-.I ip_subnet
-variable
-.I *dst
-to a ``singleton subnet'' containing the single address
-.IR *addr .
-It returns
-.B NULL
-for success and
-a pointer to a string-literal error message for failure.
-.PP
-.I Subnettypeof
-returns the address type of a subnet,
-normally
-.B AF_INET
-or
-.BR AF_INET6 .
-(The
-.B <freeswan.h>
-header file arranges to include the necessary headers for these
-names to be known.)
-.PP
-.I Masktocount
-converts a subnet mask, expressed as an address, to a bit count
-suitable for use with
-.IR initsubnet .
-It returns
-.B \-1
-for error; see DIAGNOSTICS.
-.PP
-.I Networkof
-fills in
-.I *dst
-with the base address of subnet
-.IR src .
-.PP
-.I Maskof
-fills in
-.I *dst
-with the subnet mask of subnet
-.IR src ,
-expressed as an address.
-.SH SEE ALSO
-inet(3), ipsec_ttosubnet(3), ipsec_rangetosubnet(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I initsubnet
-are:
-unknown address family;
-unknown
-.I clash
-value;
-impossible mask bit count;
-non-zero host-number bits and
-.I clash
-is
-.BR 'x' .
-Fatal errors in
-.I addrtosubnet
-are:
-unknown address family.
-Fatal errors in
-.I masktocount
-are:
-unknown address family;
-mask bits not contiguous.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
diff --git a/src/libfreeswan/initsubnet.c b/src/libfreeswan/initsubnet.c
deleted file mode 100644
index 27faddabc..000000000
--- a/src/libfreeswan/initsubnet.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * initialize subnet structure
- * Copyright (C) 2000, 2002  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - initsubnet - initialize ip_subnet from address and count
- *
- * The only hard part is checking for host-part bits turned on.
- */
-err_t				/* NULL for success, else string literal */
-initsubnet(addr, count, clash, dst)
-const ip_address *addr;
-int count;
-int clash;			/* '0' zero host-part bits, 'x' die on them */
-ip_subnet *dst;
-{
-	unsigned char *p;
-	int n;
-	int c;
-	unsigned m;
-	int die;
-
-	dst->addr = *addr;
-	n = addrbytesptr(&dst->addr, (const unsigned char **)&p);
-	if (n == 0)
-		return "unknown address family";
-
-	switch (clash) {
-	case '0':
-		die = 0;
-		break;
-	case 'x':
-		die = 1;
-		break;
-	default:
-		return "unknown clash-control value in initsubnet";
-		break;
-	}
-
-	c = count / 8;
-	if (c > n)
-		return "impossible mask count";
-	p += c;
-	n -= c;
-
-	m = 0xff;
-	c = count % 8;
-	if (n > 0 && c != 0)	/* partial byte */
-		m >>= c;
-	for (; n > 0; n--) {
-		if ((*p & m) != 0) {
-			if (die)
-				return "improper subnet, host-part bits on";
-			*p &= ~m;
-		}
-		m = 0xff;
-		p++;
-	}
-
-	dst->maskbits = count;
-	return NULL;
-}
-
-/*
- - addrtosubnet - initialize ip_subnet from a single address
- */
-err_t				/* NULL for success, else string literal */
-addrtosubnet(addr, dst)
-const ip_address *addr;
-ip_subnet *dst;
-{
-	int n;
-
-	dst->addr = *addr;
-	n = addrbytesptr(&dst->addr, (const unsigned char **)NULL);
-	if (n == 0)
-		return "unknown address family";
-	dst->maskbits = n*8;
-	return NULL;
-}
diff --git a/src/libfreeswan/internal.h b/src/libfreeswan/internal.h
deleted file mode 100644
index 832c8a53d..000000000
--- a/src/libfreeswan/internal.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * internal definitions for use within the library; do not export!
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-
-#ifndef ABITS
-#define	ABITS	32	/* bits in an IPv4 address */
-#endif
-
-/* case-independent ASCII character equality comparison */
-#define	CIEQ(c1, c2)	( ((c1)&~040) == ((c2)&~040) )
-
-/* syntax for passthrough SA */
-#ifndef PASSTHROUGHNAME
-#define	PASSTHROUGHNAME	"%passthrough"
-#define	PASSTHROUGH4NAME	"%passthrough4"
-#define	PASSTHROUGH6NAME	"%passthrough6"
-#define	PASSTHROUGHIS	"tun0@0.0.0.0"
-#define	PASSTHROUGH4IS	"tun0@0.0.0.0"
-#define	PASSTHROUGH6IS	"tun0@::"
-#define	PASSTHROUGHTYPE	"tun"
-#define	PASSTHROUGHSPI	0
-#define	PASSTHROUGHDST	0
-#endif
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <ctype.h>
-#include <assert.h>
-#include <limits.h>
-#include <netdb.h>
-#include <stdlib.h>
-#define	MALLOC(n)	malloc(n)
-#define	FREE(p)		free(p)
-
diff --git a/src/libfreeswan/ipsec_param.h b/src/libfreeswan/ipsec_param.h
deleted file mode 100644
index 93426b8ee..000000000
--- a/src/libfreeswan/ipsec_param.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * @(#) FreeSWAN tunable paramaters
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- * This file provides a set of #define's which may be tuned by various
- * people/configurations. It keeps all compile-time tunables in one place.
- *
- * This file should be included before all other IPsec kernel-only files.
- *
- */
-
-#ifndef _IPSEC_PARAM_H_
-
-/*
- * This is for the SA reference table. This number is related to the
- * maximum number of SAs that KLIPS can concurrently deal with, plus enough
- * space for keeping expired SAs around.
- *
- * TABLE_MAX_WIDTH is the number of bits that we will use.
- * MAIN_TABLE_WIDTH is the number of bits used for the primary index table.
- *
- */
-#ifndef IPSEC_SA_REF_TABLE_IDX_WIDTH
-# define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
-#endif
-
-#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
-# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4
-#endif
-
-#ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES
-# define IPSEC_SA_REF_FREELIST_NUM_ENTRIES 256
-#endif
-
-#ifndef IPSEC_SA_REF_CODE
-# define IPSEC_SA_REF_CODE 1
-#endif
-
-#define _IPSEC_PARAM_H_
-#endif /* _IPSEC_PARAM_H_ */
diff --git a/src/libfreeswan/pfkey.h b/src/libfreeswan/pfkey.h
deleted file mode 100644
index 993678c8b..000000000
--- a/src/libfreeswan/pfkey.h
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * FreeS/WAN specific PF_KEY headers
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef __NET_IPSEC_PF_KEY_H
-#define __NET_IPSEC_PF_KEY_H
-
-extern void (*pfkey_debug_func)(const char *message, ...);
-
-extern uint8_t satype2proto(uint8_t satype);
-extern uint8_t proto2satype(uint8_t proto);
-extern char* satype2name(uint8_t satype);
-extern char* proto2name(uint8_t proto);
-
-struct key_opt
-{
-	uint32_t	key_pid;	/* process ID */
-	struct sock	*sk;
-};
-
-#define key_pid(sk) ((struct key_opt*)&((sk)->protinfo))->key_pid
-
-#define IPSEC_PFKEYv2_ALIGN (sizeof(uint64_t)/sizeof(uint8_t))
-#define BITS_PER_OCTET 8
-#define OCTETBITS 8
-#define PFKEYBITS 64
-#define DIVUP(x,y) ((x + y -1) / y) /* divide, rounding upwards */
-#define ALIGN_N(x,y) (DIVUP(x,y) * y) /* align on y boundary */
-
-#define PFKEYv2_MAX_MSGSIZE 4096
-
-/*
- * PF_KEYv2 permitted and required extensions in and out bitmaps
- */
-struct pf_key_ext_parsers_def {
-	int  (*parser)(struct sadb_ext*);
-	char  *parser_name;
-};
-
-
-extern unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/];
-#define EXT_BITS_IN 0
-#define EXT_BITS_OUT 1
-#define EXT_BITS_PERM 0
-#define EXT_BITS_REQ 1
-
-extern void pfkey_extensions_init(struct sadb_ext *extensions[SADB_EXT_MAX + 1]);
-extern void pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1]);
-extern void pfkey_msg_free(struct sadb_msg **pfkey_msg);
-
-extern int pfkey_msg_parse(struct sadb_msg *pfkey_msg,
-			   struct pf_key_ext_parsers_def *ext_parsers[],
-			   struct sadb_ext **extensions,
-			   int dir);
-
-/*
- * PF_KEYv2 build function prototypes
- */
-
-int
-pfkey_msg_hdr_build(struct sadb_ext**	pfkey_ext,
-		    uint8_t		msg_type,
-		    uint8_t		satype,
-		    uint8_t		msg_errno,
-		    uint32_t		seq,
-		    uint32_t		pid);
-
-int
-pfkey_sa_ref_build(struct sadb_ext **	pfkey_ext,
-	       uint16_t			exttype,
-	       uint32_t			spi, /* in network order */
-	       uint8_t			replay_window,
-	       uint8_t			sa_state,
-	       uint8_t			auth,
-	       uint8_t			encrypt,
-	       uint32_t			flags,
-	       uint32_t/*IPsecSAref_t*/	ref);
-
-int
-pfkey_sa_build(struct sadb_ext **	pfkey_ext,
-	       uint16_t			exttype,
-	       uint32_t			spi, /* in network order */
-	       uint8_t			replay_window,
-	       uint8_t			sa_state,
-	       uint8_t			auth,
-	       uint8_t			encrypt,
-	       uint32_t			flags);
-
-int
-pfkey_lifetime_build(struct sadb_ext **	pfkey_ext,
-		     uint16_t		exttype,
-		     uint32_t		allocations,
-		     uint64_t		bytes,
-		     uint64_t		addtime,
-		     uint64_t		usetime,
-		     uint32_t		packets);
-
-int
-pfkey_address_build(struct sadb_ext**	pfkey_ext,
-		    uint16_t		exttype,
-		    uint8_t		proto,
-		    uint8_t		prefixlen,
-		    struct sockaddr*	address);
-
-int
-pfkey_key_build(struct sadb_ext**	pfkey_ext,
-		uint16_t		exttype,
-		uint16_t		key_bits,
-		char*			key);
-
-int
-pfkey_ident_build(struct sadb_ext**	pfkey_ext,
-		  uint16_t		exttype,
-		  uint16_t		ident_type,
-		  uint64_t		ident_id,
-		  uint8_t               ident_len,
-		  char*			ident_string);
-
-int
-pfkey_x_nat_t_type_build(struct sadb_ext**  pfkey_ext,
-            uint8_t         type);
-int
-pfkey_x_nat_t_port_build(struct sadb_ext**  pfkey_ext,
-            uint16_t         exttype,
-            uint16_t         port);
-
-int
-pfkey_sens_build(struct sadb_ext**	pfkey_ext,
-		 uint32_t		dpd,
-		 uint8_t		sens_level,
-		 uint8_t		sens_len,
-		 uint64_t*		sens_bitmap,
-		 uint8_t		integ_level,
-		 uint8_t		integ_len,
-		 uint64_t*		integ_bitmap);
-
-int
-pfkey_x_protocol_build(struct sadb_ext **, uint8_t);
-
-
-int
-pfkey_prop_build(struct sadb_ext**	pfkey_ext,
-		 uint8_t		replay,
-		 unsigned int		comb_num,
-		 struct sadb_comb*	comb);
-
-int
-pfkey_supported_build(struct sadb_ext**	pfkey_ext,
-		      uint16_t		exttype,
-		      unsigned int	alg_num,
-		      struct sadb_alg*	alg);
-
-int
-pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
-		     uint16_t		exttype,
-		     uint32_t		min,
-		     uint32_t		max);
-
-int
-pfkey_x_kmprivate_build(struct sadb_ext**	pfkey_ext);
-
-int
-pfkey_x_satype_build(struct sadb_ext**	pfkey_ext,
-		     uint8_t		satype);
-
-int
-pfkey_x_debug_build(struct sadb_ext**	pfkey_ext,
-		    uint32_t            tunnel,
-		    uint32_t		netlink,
-		    uint32_t		xform,
-		    uint32_t		eroute,
-		    uint32_t		spi,
-		    uint32_t		radij,
-		    uint32_t		esp,
-		    uint32_t		ah,
-		    uint32_t		rcv,
-		    uint32_t            pfkey,
-		    uint32_t            ipcomp,
-		    uint32_t            verbose);
-
-int
-pfkey_msg_build(struct sadb_msg**	pfkey_msg,
-		struct sadb_ext*	extensions[],
-		int			dir);
-
-/* in pfkey_v2_debug.c - routines to decode numbers -> strings */
-const char *
-pfkey_v2_sadb_ext_string(int extnum);
-
-const char *
-pfkey_v2_sadb_type_string(int sadb_type);
-
-
-#endif /* __NET_IPSEC_PF_KEY_H */
diff --git a/src/libfreeswan/pfkey_v2_build.c b/src/libfreeswan/pfkey_v2_build.c
deleted file mode 100644
index c0bb369cb..000000000
--- a/src/libfreeswan/pfkey_v2_build.c
+++ /dev/null
@@ -1,1388 +0,0 @@
-/*
- * RFC2367 PF_KEYv2 Key management API message parser
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- *		Template from klips/net/ipsec/ipsec/ipsec_parser.c.
- */
-
-char pfkey_v2_build_c_version[] = "";
-
-# include <sys/types.h>
-# include <sys/socket.h>
-# include <stdlib.h>
-# include <errno.h>
-# include <string.h> /* memset */
-
-# include <freeswan.h>
-unsigned int pfkey_lib_debug = 0;
-
-void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
-
-#define DEBUGGING(args...)  if(pfkey_lib_debug) { \
-                              if(pfkey_debug_func != NULL) { \
-                                (*pfkey_debug_func)("pfkey_lib_debug:" args); \
-                              } else { \
-                                printf("pfkey_lib_debug:" args); \
-                              } }
-# define MALLOC(size) malloc(size)
-# define FREE(obj) free(obj)
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
-
-void
-pfkey_extensions_init(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	int i;
-
-	for (i = 0; i != SADB_EXT_MAX + 1; i++) {
-		extensions[i] = NULL;
-	}
-}
-
-void
-pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	int i;
-
-	if (!extensions) {
-		return;
-	}
-
-	if (extensions[0]) {
-		memset(extensions[0], 0, sizeof(struct sadb_msg));
-		FREE(extensions[0]);
-		extensions[0] = NULL;
-	}
-
-	for (i = 1; i != SADB_EXT_MAX + 1; i++) {
-		if(extensions[i]) {
-			memset(extensions[i], 0, extensions[i]->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
-			FREE(extensions[i]);
-			extensions[i] = NULL;
-		}
-	}
-}
-
-void
-pfkey_msg_free(struct sadb_msg **pfkey_msg)
-{
-	if (*pfkey_msg) {
-		memset(*pfkey_msg, 0, (*pfkey_msg)->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
-		FREE(*pfkey_msg);
-		*pfkey_msg = NULL;
-	}
-}
-
-/* Default extension builders taken from the KLIPS code */
-
-int
-pfkey_msg_hdr_build(struct sadb_ext**	pfkey_ext,
-		    uint8_t		msg_type,
-		    uint8_t		satype,
-		    uint8_t		msg_errno,
-		    uint32_t		seq,
-		    uint32_t		pid)
-{
-	int error = 0;
-	struct sadb_msg *pfkey_msg = (struct sadb_msg *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_msg_hdr_build:\n");
-	DEBUGGING(
-		"pfkey_msg_hdr_build: "
-		"on_entry &pfkey_ext=0p%p pfkey_ext=0p%p *pfkey_ext=0p%p.\n",
-		&pfkey_ext,
-		pfkey_ext,
-		*pfkey_ext);
-	/* sanity checks... */
-	if (pfkey_msg) {
-		DEBUGGING(
-			"pfkey_msg_hdr_build: "
-			"why is pfkey_msg already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if (!msg_type) {
-		DEBUGGING(
-			"pfkey_msg_hdr_build: "
-			"msg type not set, must be non-zero..\n");
-		SENDERR(EINVAL);
-	}
-
-	if (msg_type > SADB_MAX) {
-		DEBUGGING(
-			"pfkey_msg_hdr_build: "
-			"msg type too large:%d.\n",
-			msg_type);
-		SENDERR(EINVAL);
-	}
-
-	if (satype > SADB_SATYPE_MAX) {
-		DEBUGGING(
-			"pfkey_msg_hdr_build: "
-			"satype %d > max %d\n",
-			satype, SADB_SATYPE_MAX);
-		SENDERR(EINVAL);
-	}
-
-	pfkey_msg = (struct sadb_msg*)MALLOC(sizeof(struct sadb_msg));
-	*pfkey_ext = (struct sadb_ext*)pfkey_msg;
-
-	if (pfkey_msg == NULL) {
-		DEBUGGING(
-			"pfkey_msg_hdr_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_msg, 0, sizeof(struct sadb_msg));
-
-	pfkey_msg->sadb_msg_len = sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
-
-	pfkey_msg->sadb_msg_type = msg_type;
-	pfkey_msg->sadb_msg_satype = satype;
-
-	pfkey_msg->sadb_msg_version = PF_KEY_V2;
-	pfkey_msg->sadb_msg_errno = msg_errno;
-	pfkey_msg->sadb_msg_reserved = 0;
-	pfkey_msg->sadb_msg_seq = seq;
-	pfkey_msg->sadb_msg_pid = pid;
-	DEBUGGING(
-		"pfkey_msg_hdr_build: "
-		"on_exit &pfkey_ext=0p%p pfkey_ext=0p%p *pfkey_ext=0p%p.\n",
-		&pfkey_ext,
-		pfkey_ext,
-		*pfkey_ext);
-errlab:
-	return error;
-}
-
-int
-pfkey_sa_ref_build(struct sadb_ext **		pfkey_ext,
-		   uint16_t			exttype,
-		   uint32_t			spi,
-		   uint8_t			replay_window,
-		   uint8_t			sa_state,
-		   uint8_t			auth,
-		   uint8_t			encrypt,
-		   uint32_t			flags,
-		   uint32_t/*IPsecSAref_t*/	ref)
-{
-	int error = 0;
-	struct sadb_sa *pfkey_sa = (struct sadb_sa *)*pfkey_ext;
-
-	DEBUGGING(
-		    "pfkey_sa_build: "
-		    "spi=%08x replay=%d sa_state=%d auth=%d encrypt=%d flags=%d\n",
-		    ntohl(spi), /* in network order */
-		    replay_window,
-		    sa_state,
-		    auth,
-		    encrypt,
-		    flags);
-	/* sanity checks... */
-	if (pfkey_sa) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"why is pfkey_sa already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if (exttype != SADB_EXT_SA
-	&&  exttype != SADB_X_EXT_SA2) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"invalid exttype=%d.\n",
-			exttype);
-		SENDERR(EINVAL);
-	}
-
-	if (replay_window > 64) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"replay window size: %d -- must be 0 <= size <= 64\n",
-			replay_window);
-		SENDERR(EINVAL);
-	}
-
-	if (auth > SADB_AALG_MAX) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"auth=%d > SADB_AALG_MAX=%d.\n",
-			auth,
-			SADB_AALG_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if (encrypt > SADB_EALG_MAX) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"encrypt=%d > SADB_EALG_MAX=%d.\n",
-			encrypt,
-			SADB_EALG_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if (sa_state > SADB_SASTATE_MAX) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"sa_state=%d exceeds MAX=%d.\n",
-			sa_state,
-			SADB_SASTATE_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if (sa_state == SADB_SASTATE_DEAD) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"sa_state=%d is DEAD=%d is not allowed.\n",
-			sa_state,
-			SADB_SASTATE_DEAD);
-		SENDERR(EINVAL);
-	}
-
-	if ((IPSEC_SAREF_NULL != ref) && (ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
-		DEBUGGING(
-			  "pfkey_sa_build: "
-			  "SAref=%d must be (SAref == IPSEC_SAREF_NULL(%d) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(%d)).\n",
-			  ref,
-			  IPSEC_SAREF_NULL,
-			  IPSEC_SA_REF_TABLE_NUM_ENTRIES);
-		SENDERR(EINVAL);
-	}
-
-	pfkey_sa = (struct sadb_sa*)MALLOC(sizeof(struct sadb_sa));
-	*pfkey_ext = (struct sadb_ext*)pfkey_sa;
-
-	if (pfkey_sa == NULL) {
-		DEBUGGING(
-			"pfkey_sa_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_sa, 0, sizeof(struct sadb_sa));
-
-	pfkey_sa->sadb_sa_len = sizeof(*pfkey_sa) / IPSEC_PFKEYv2_ALIGN;
-	pfkey_sa->sadb_sa_exttype = exttype;
-	pfkey_sa->sadb_sa_spi = spi;
-	pfkey_sa->sadb_sa_replay = replay_window;
-	pfkey_sa->sadb_sa_state = sa_state;
-	pfkey_sa->sadb_sa_auth = auth;
-	pfkey_sa->sadb_sa_encrypt = encrypt;
-	pfkey_sa->sadb_sa_flags = flags;
-	pfkey_sa->sadb_x_sa_ref = ref;
-
-errlab:
-	return error;
-}
-
-int
-pfkey_sa_build(struct sadb_ext **	pfkey_ext,
-	       uint16_t			exttype,
-	       uint32_t			spi,
-	       uint8_t			replay_window,
-	       uint8_t			sa_state,
-	       uint8_t			auth,
-	       uint8_t			encrypt,
-	       uint32_t			flags)
-{
-	return pfkey_sa_ref_build(pfkey_ext,
-			   exttype,
-			   spi,
-			   replay_window,
-			   sa_state,
-			   auth,
-			   encrypt,
-			   flags,
-			   IPSEC_SAREF_NULL);
-}
-
-int
-pfkey_lifetime_build(struct sadb_ext **	pfkey_ext,
-		     uint16_t		exttype,
-		     uint32_t		allocations,
-		     uint64_t		bytes,
-		     uint64_t		addtime,
-		     uint64_t		usetime,
-		     uint32_t		packets)
-{
-	int error = 0;
-	struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_lifetime_build:\n");
-	/* sanity checks... */
-	if (pfkey_lifetime) {
-		DEBUGGING(
-			"pfkey_lifetime_build: "
-			"why is pfkey_lifetime already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if (exttype != SADB_EXT_LIFETIME_CURRENT
-	&&  exttype != SADB_EXT_LIFETIME_HARD
-	&&  exttype != SADB_EXT_LIFETIME_SOFT) {
-		DEBUGGING(
-			"pfkey_lifetime_build: "
-			"invalid exttype=%d.\n",
-			exttype);
-		SENDERR(EINVAL);
-	}
-
-	pfkey_lifetime = (struct sadb_lifetime*)MALLOC(sizeof(struct sadb_lifetime));
-	*pfkey_ext = (struct sadb_ext*)pfkey_lifetime;
-
-	if (pfkey_lifetime == NULL) {
-		DEBUGGING(
-			"pfkey_lifetime_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_lifetime, 0, sizeof(struct sadb_lifetime));
-
-	pfkey_lifetime->sadb_lifetime_len = sizeof(struct sadb_lifetime) / IPSEC_PFKEYv2_ALIGN;
-	pfkey_lifetime->sadb_lifetime_exttype = exttype;
-	pfkey_lifetime->sadb_lifetime_allocations = allocations;
-	pfkey_lifetime->sadb_lifetime_bytes = bytes;
-	pfkey_lifetime->sadb_lifetime_addtime = addtime;
-	pfkey_lifetime->sadb_lifetime_usetime = usetime;
-	pfkey_lifetime->sadb_x_lifetime_packets = packets;
-
-errlab:
-	return error;
-}
-
-int
-pfkey_address_build(struct sadb_ext**	pfkey_ext,
-		    uint16_t		exttype,
-		    uint8_t		proto,
-		    uint8_t		prefixlen,
-		    struct sockaddr*	address)
-{
-	int error = 0;
-	int saddr_len = 0;
-	char ipaddr_txt[ADDRTOT_BUF + 6/*extra for port number*/];
-	struct sadb_address *pfkey_address = (struct sadb_address *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_address_build: "
-		"exttype=%d proto=%d prefixlen=%d\n",
-		exttype,
-		proto,
-		prefixlen);
-	/* sanity checks... */
-	if (pfkey_address) {
-		DEBUGGING(
-			"pfkey_address_build: "
-			"why is pfkey_address already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if (!address)  {
-			DEBUGGING("pfkey_address_build: "
-				  "address is NULL\n");
-			SENDERR(EINVAL);
-	}
-
-	switch(exttype) {
-	case SADB_EXT_ADDRESS_SRC:
-	case SADB_EXT_ADDRESS_DST:
-	case SADB_EXT_ADDRESS_PROXY:
-	case SADB_X_EXT_ADDRESS_DST2:
-	case SADB_X_EXT_ADDRESS_SRC_FLOW:
-	case SADB_X_EXT_ADDRESS_DST_FLOW:
-	case SADB_X_EXT_ADDRESS_SRC_MASK:
-	case SADB_X_EXT_ADDRESS_DST_MASK:
-	case SADB_X_EXT_NAT_T_OA:
-		break;
-	default:
-		DEBUGGING(
-			"pfkey_address_build: "
-			"unrecognised ext_type=%d.\n",
-			exttype);
-		SENDERR(EINVAL);
-	}
-
-	switch (address->sa_family) {
-	case AF_INET:
-		DEBUGGING(
-			"pfkey_address_build: "
-			"found address family AF_INET.\n");
-		saddr_len = sizeof(struct sockaddr_in);
-		sprintf(ipaddr_txt, "%d.%d.%d.%d:%d"
-			, (((struct sockaddr_in*)address)->sin_addr.s_addr >>  0) & 0xFF
-			, (((struct sockaddr_in*)address)->sin_addr.s_addr >>  8) & 0xFF
-			, (((struct sockaddr_in*)address)->sin_addr.s_addr >> 16) & 0xFF
-			, (((struct sockaddr_in*)address)->sin_addr.s_addr >> 24) & 0xFF
-			, ntohs(((struct sockaddr_in*)address)->sin_port));
-		break;
-	case AF_INET6:
-		DEBUGGING(
-			"pfkey_address_build: "
-			"found address family AF_INET6.\n");
-		saddr_len = sizeof(struct sockaddr_in6);
-		sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x-%x"
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[0])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[1])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[2])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[3])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[4])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[5])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[6])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[7])
-			, ntohs(((struct sockaddr_in6*)address)->sin6_port));
-		break;
-	default:
-		DEBUGGING(
-			"pfkey_address_build: "
-			"address->sa_family=%d not supported.\n",
-			address->sa_family);
-		SENDERR(EPFNOSUPPORT);
-	}
-
-	DEBUGGING(
-		"pfkey_address_build: "
-		"found address=%s.\n",
-		ipaddr_txt);
-	if (prefixlen != 0) {
-		DEBUGGING(
-			"pfkey_address_build: "
-			"address prefixes not supported yet.\n");
-		SENDERR(EAFNOSUPPORT); /* not supported yet */
-	}
-
-	pfkey_address = (struct sadb_address*)
-		MALLOC(ALIGN_N(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN));
-	*pfkey_ext = (struct sadb_ext*)pfkey_address;
-
-	if (pfkey_address == NULL) {
-		DEBUGGING(
-			"pfkey_lifetime_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_address,
-	       0,
-	       ALIGN_N(sizeof(struct sadb_address) + saddr_len,
-		     IPSEC_PFKEYv2_ALIGN));
-
-	pfkey_address->sadb_address_len = DIVUP(sizeof(struct sadb_address) + saddr_len,
-						IPSEC_PFKEYv2_ALIGN);
-
-	pfkey_address->sadb_address_exttype = exttype;
-	pfkey_address->sadb_address_proto = proto;
-	pfkey_address->sadb_address_prefixlen = prefixlen;
-	pfkey_address->sadb_address_reserved = 0;
-
-	memcpy((char*)pfkey_address + sizeof(struct sadb_address),
-	       address,
-	       saddr_len);
-
-#if 0
-	for (i = 0; i < sizeof(struct sockaddr_in) - offsetof(struct sockaddr_in, sin_zero); i++) {
-		pfkey_address_s_ska.sin_zero[i] = 0;
-	}
-#endif
-	DEBUGGING(
-		"pfkey_address_build: "
-		"successful.\n");
-
- errlab:
-	return error;
-}
-
-int
-pfkey_key_build(struct sadb_ext**	pfkey_ext,
-		uint16_t		exttype,
-		uint16_t		key_bits,
-		char*			key)
-{
-	int error = 0;
-	struct sadb_key *pfkey_key = (struct sadb_key *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_key_build:\n");
-	/* sanity checks... */
-	if (pfkey_key) {
-		DEBUGGING(
-			"pfkey_key_build: "
-			"why is pfkey_key already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if (!key_bits) {
-		DEBUGGING(
-			"pfkey_key_build: "
-			"key_bits is zero, it must be non-zero.\n");
-		SENDERR(EINVAL);
-	}
-
-	if ( !((exttype == SADB_EXT_KEY_AUTH) || (exttype == SADB_EXT_KEY_ENCRYPT))) {
-		DEBUGGING(
-			"pfkey_key_build: "
-			"unsupported extension type=%d.\n",
-			exttype);
-		SENDERR(EINVAL);
-	}
-
-	pfkey_key = (struct sadb_key*)
-		MALLOC(sizeof(struct sadb_key) +
-			DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
-	*pfkey_ext = (struct sadb_ext*)pfkey_key;
-
-	if (pfkey_key == NULL) {
-		DEBUGGING(
-			"pfkey_key_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_key,
-	       0,
-	       sizeof(struct sadb_key) +
-	       DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
-
-	pfkey_key->sadb_key_len = DIVUP(sizeof(struct sadb_key) * IPSEC_PFKEYv2_ALIGN +	key_bits,
-					64);
-	pfkey_key->sadb_key_exttype = exttype;
-	pfkey_key->sadb_key_bits = key_bits;
-	pfkey_key->sadb_key_reserved = 0;
-	memcpy((char*)pfkey_key + sizeof(struct sadb_key),
-	       key,
-	       DIVUP(key_bits, 8));
-
-errlab:
-	return error;
-}
-
-int
-pfkey_ident_build(struct sadb_ext**	pfkey_ext,
-		  uint16_t		exttype,
-		  uint16_t		ident_type,
-		  uint64_t		ident_id,
-		  uint8_t               ident_len,
-		  char*			ident_string)
-{
-	int error = 0;
-	struct sadb_ident *pfkey_ident = (struct sadb_ident *)*pfkey_ext;
-	int data_len = ident_len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
-
-	DEBUGGING(
-		"pfkey_ident_build:\n");
-	/* sanity checks... */
-	if (pfkey_ident) {
-		DEBUGGING(
-			"pfkey_ident_build: "
-			"why is pfkey_ident already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if ( !((exttype == SADB_EXT_IDENTITY_SRC) ||
-	       (exttype == SADB_EXT_IDENTITY_DST))) {
-		DEBUGGING(
-			"pfkey_ident_build: "
-			"unsupported extension type=%d.\n",
-			exttype);
-		SENDERR(EINVAL);
-	}
-
-	if (ident_type == SADB_IDENTTYPE_RESERVED) {
-		DEBUGGING(
-			"pfkey_ident_build: "
-			"ident_type must be non-zero.\n");
-		SENDERR(EINVAL);
-	}
-
-	if (ident_type > SADB_IDENTTYPE_MAX) {
-		DEBUGGING(
-			"pfkey_ident_build: "
-			"identtype=%d out of range.\n",
-			ident_type);
-		SENDERR(EINVAL);
-	}
-
-	if ((ident_type == SADB_IDENTTYPE_PREFIX ||
-	    ident_type == SADB_IDENTTYPE_FQDN) &&
-	   !ident_string) {
-		DEBUGGING(
-			"pfkey_ident_build: "
-			"string required to allocate size of extension.\n");
-		SENDERR(EINVAL);
-	}
-
-#if 0
-	if (ident_type == SADB_IDENTTYPE_USERFQDN) {
-	}
-#endif
-
-	pfkey_ident = (struct sadb_ident*)
-		MALLOC(ident_len * IPSEC_PFKEYv2_ALIGN);
-	*pfkey_ext = (struct sadb_ext*)pfkey_ident;
-
-	if (pfkey_ident == NULL) {
-		DEBUGGING(
-			"pfkey_ident_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_ident, 0, ident_len * IPSEC_PFKEYv2_ALIGN);
-
-	pfkey_ident->sadb_ident_len = ident_len;
-	pfkey_ident->sadb_ident_exttype = exttype;
-	pfkey_ident->sadb_ident_type = ident_type;
-	pfkey_ident->sadb_ident_reserved = 0;
-	pfkey_ident->sadb_ident_id = ident_id;
-	memcpy((char*)pfkey_ident + sizeof(struct sadb_ident),
-	       ident_string,
-	       data_len);
-
-errlab:
-	return error;
-}
-
-int
-pfkey_sens_build(struct sadb_ext**	pfkey_ext,
-		 uint32_t		dpd,
-		 uint8_t		sens_level,
-		 uint8_t		sens_len,
-		 uint64_t*		sens_bitmap,
-		 uint8_t		integ_level,
-		 uint8_t		integ_len,
-		 uint64_t*		integ_bitmap)
-{
-	int error = 0;
-	struct sadb_sens *pfkey_sens = (struct sadb_sens *)*pfkey_ext;
-	int i;
-	uint64_t* bitmap;
-
-	DEBUGGING(
-		"pfkey_sens_build:\n");
-	/* sanity checks... */
-	if (pfkey_sens) {
-		DEBUGGING(
-			"pfkey_sens_build: "
-			"why is pfkey_sens already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(
-		"pfkey_sens_build: "
-		"Sorry, I can't build exttype=%d yet.\n",
-		(*pfkey_ext)->sadb_ext_type);
-	SENDERR(EINVAL); /* don't process these yet */
-
-	pfkey_sens = (struct sadb_sens*)
-		MALLOC(sizeof(struct sadb_sens) +
-			(sens_len + integ_len) * sizeof(uint64_t));
-	*pfkey_ext = (struct sadb_ext*)pfkey_sens;
-
-	if (pfkey_sens == NULL) {
-		DEBUGGING(
-			"pfkey_sens_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_sens,
-	       0,
-	       sizeof(struct sadb_sens) +
-	       (sens_len + integ_len) * sizeof(uint64_t));
-
-	pfkey_sens->sadb_sens_len = (sizeof(struct sadb_sens) +
-		    (sens_len + integ_len) * sizeof(uint64_t)) / IPSEC_PFKEYv2_ALIGN;
-	pfkey_sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
-	pfkey_sens->sadb_sens_dpd = dpd;
-	pfkey_sens->sadb_sens_sens_level = sens_level;
-	pfkey_sens->sadb_sens_sens_len = sens_len;
-	pfkey_sens->sadb_sens_integ_level = integ_level;
-	pfkey_sens->sadb_sens_integ_len = integ_len;
-	pfkey_sens->sadb_sens_reserved = 0;
-
-	bitmap = (uint64_t*)((char*)pfkey_ext + sizeof(struct sadb_sens));
-	for (i = 0; i < sens_len; i++) {
-		*bitmap = sens_bitmap[i];
-		bitmap++;
-	}
-	for (i = 0; i < integ_len; i++) {
-		*bitmap = integ_bitmap[i];
-		bitmap++;
-	}
-
-errlab:
-	return error;
-}
-
-int
-pfkey_prop_build(struct sadb_ext**	pfkey_ext,
-		 uint8_t		replay,
-		 unsigned int		comb_num,
-		 struct sadb_comb*	comb)
-{
-	int error = 0;
-	int i;
-	struct sadb_prop *pfkey_prop = (struct sadb_prop *)*pfkey_ext;
-	struct sadb_comb *combp;
-
-	DEBUGGING(
-		"pfkey_prop_build:\n");
-	/* sanity checks... */
-	if (pfkey_prop) {
-		DEBUGGING(
-			"pfkey_prop_build: "
-			"why is pfkey_prop already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	pfkey_prop = (struct sadb_prop*)
-		MALLOC(sizeof(struct sadb_prop) +
-			comb_num * sizeof(struct sadb_comb));
-
-	*pfkey_ext = (struct sadb_ext*)pfkey_prop;
-
-	if (pfkey_prop == NULL) {
-		DEBUGGING(
-			"pfkey_prop_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_prop,
-	       0,
-	       sizeof(struct sadb_prop) +
-		    comb_num * sizeof(struct sadb_comb));
-
-	pfkey_prop->sadb_prop_len = (sizeof(struct sadb_prop) +
-		    comb_num * sizeof(struct sadb_comb)) / IPSEC_PFKEYv2_ALIGN;
-
-	pfkey_prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
-	pfkey_prop->sadb_prop_replay = replay;
-
-	for (i=0; i<3; i++) {
-		pfkey_prop->sadb_prop_reserved[i] = 0;
-	}
-
-	combp = (struct sadb_comb*)((char*)*pfkey_ext + sizeof(struct sadb_prop));
-	for (i = 0; i < comb_num; i++) {
-		memcpy (combp, &(comb[i]), sizeof(struct sadb_comb));
-		combp++;
-	}
-
-#if 0
-  uint8_t sadb_comb_auth;
-  uint8_t sadb_comb_encrypt;
-  uint16_t sadb_comb_flags;
-  uint16_t sadb_comb_auth_minbits;
-  uint16_t sadb_comb_auth_maxbits;
-  uint16_t sadb_comb_encrypt_minbits;
-  uint16_t sadb_comb_encrypt_maxbits;
-  uint32_t sadb_comb_reserved;
-  uint32_t sadb_comb_soft_allocations;
-  uint32_t sadb_comb_hard_allocations;
-  uint64_t sadb_comb_soft_bytes;
-  uint64_t sadb_comb_hard_bytes;
-  uint64_t sadb_comb_soft_addtime;
-  uint64_t sadb_comb_hard_addtime;
-  uint64_t sadb_comb_soft_usetime;
-  uint64_t sadb_comb_hard_usetime;
-  uint32_t sadb_comb_soft_packets;
-  uint32_t sadb_comb_hard_packets;
-#endif
-errlab:
-	return error;
-}
-
-int
-pfkey_supported_build(struct sadb_ext**	pfkey_ext,
-		      uint16_t		exttype,
-		      unsigned int	alg_num,
-		      struct sadb_alg*	alg)
-{
-	int error = 0;
-	unsigned int i;
-	struct sadb_supported *pfkey_supported = (struct sadb_supported *)*pfkey_ext;
-	struct sadb_alg *pfkey_alg;
-
-	/* sanity checks... */
-	if (pfkey_supported) {
-		DEBUGGING(
-			"pfkey_supported_build: "
-			"why is pfkey_supported already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if ( !((exttype == SADB_EXT_SUPPORTED_AUTH) || (exttype == SADB_EXT_SUPPORTED_ENCRYPT))) {
-		DEBUGGING(
-			"pfkey_supported_build: "
-			"unsupported extension type=%d.\n",
-			exttype);
-		SENDERR(EINVAL);
-	}
-
-	pfkey_supported = (struct sadb_supported*)
-		MALLOC(sizeof(struct sadb_supported) +
-			alg_num * sizeof(struct sadb_alg));
-
-	*pfkey_ext = (struct sadb_ext*)pfkey_supported;
-
-	if (pfkey_supported == NULL) {
-		DEBUGGING(
-			"pfkey_supported_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_supported,
-	       0,
-	       sizeof(struct sadb_supported) +
-					       alg_num *
-					       sizeof(struct sadb_alg));
-
-	pfkey_supported->sadb_supported_len = (sizeof(struct sadb_supported) +
-					       alg_num *
-					       sizeof(struct sadb_alg)) /
-						IPSEC_PFKEYv2_ALIGN;
-	pfkey_supported->sadb_supported_exttype = exttype;
-	pfkey_supported->sadb_supported_reserved = 0;
-
-	pfkey_alg = (struct sadb_alg*)((char*)pfkey_supported + sizeof(struct sadb_supported));
-	for(i = 0; i < alg_num; i++) {
-		memcpy (pfkey_alg, &(alg[i]), sizeof(struct sadb_alg));
-		pfkey_alg->sadb_alg_reserved = 0;
-		pfkey_alg++;
-	}
-
-#if 0
-	DEBUGGING(
-		"pfkey_supported_build: "
-		"Sorry, I can't build exttype=%d yet.\n",
-		(*pfkey_ext)->sadb_ext_type);
-	SENDERR(EINVAL); /* don't process these yet */
-
-  uint8_t sadb_alg_id;
-  uint8_t sadb_alg_ivlen;
-  uint16_t sadb_alg_minbits;
-  uint16_t sadb_alg_maxbits;
-  uint16_t sadb_alg_reserved;
-#endif
-errlab:
-	return error;
-}
-
-int
-pfkey_spirange_build(struct sadb_ext**	pfkey_ext,
-		     uint16_t		exttype,
-		     uint32_t		min, /* in network order */
-		     uint32_t		max) /* in network order */
-{
-	int error = 0;
-	struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)*pfkey_ext;
-
-	/* sanity checks... */
-	if (pfkey_spirange) {
-		DEBUGGING(
-			"pfkey_spirange_build: "
-			"why is pfkey_spirange already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-        if (ntohl(max) < ntohl(min)) {
-		DEBUGGING(
-			"pfkey_spirange_build: "
-			"minspi=%08x must be < maxspi=%08x.\n",
-			ntohl(min),
-			ntohl(max));
-                SENDERR(EINVAL);
-        }
-
-	if (ntohl(min) <= 255) {
-		DEBUGGING(
-			"pfkey_spirange_build: "
-			"minspi=%08x must be > 255.\n",
-			ntohl(min));
-		SENDERR(EEXIST);
-	}
-
-	pfkey_spirange = (struct sadb_spirange*)
-		MALLOC(sizeof(struct sadb_spirange));
-	*pfkey_ext = (struct sadb_ext*)pfkey_spirange;
-
-	if (pfkey_spirange == NULL) {
-		DEBUGGING(
-			"pfkey_spirange_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_spirange,
-	       0,
-	       sizeof(struct sadb_spirange));
-
-        pfkey_spirange->sadb_spirange_len = sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN;
-
-	pfkey_spirange->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
-	pfkey_spirange->sadb_spirange_min = min;
-	pfkey_spirange->sadb_spirange_max = max;
-	pfkey_spirange->sadb_spirange_reserved = 0;
- errlab:
-	return error;
-}
-
-int
-pfkey_x_kmprivate_build(struct sadb_ext**	pfkey_ext)
-{
-	int error = 0;
-	struct sadb_x_kmprivate *pfkey_x_kmprivate = (struct sadb_x_kmprivate *)*pfkey_ext;
-
-	/* sanity checks... */
-	if (pfkey_x_kmprivate) {
-		DEBUGGING(
-			"pfkey_x_kmprivate_build: "
-			"why is pfkey_x_kmprivate already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	pfkey_x_kmprivate->sadb_x_kmprivate_reserved = 0;
-
-	DEBUGGING(
-		"pfkey_x_kmprivate_build: "
-		"Sorry, I can't build exttype=%d yet.\n",
-		(*pfkey_ext)->sadb_ext_type);
-	SENDERR(EINVAL); /* don't process these yet */
-
-	pfkey_x_kmprivate = (struct sadb_x_kmprivate*)
-		MALLOC(sizeof(struct sadb_x_kmprivate));
-	*pfkey_ext = (struct sadb_ext*)pfkey_x_kmprivate;
-
-	if (pfkey_x_kmprivate == NULL) {
-		DEBUGGING(
-			"pfkey_x_kmprivate_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_x_kmprivate,
-	       0,
-	       sizeof(struct sadb_x_kmprivate));
-
-        pfkey_x_kmprivate->sadb_x_kmprivate_len =
-		sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN;
-
-        pfkey_x_kmprivate->sadb_x_kmprivate_exttype = SADB_X_EXT_KMPRIVATE;
-        pfkey_x_kmprivate->sadb_x_kmprivate_reserved = 0;
-errlab:
-	return error;
-}
-
-int
-pfkey_x_satype_build(struct sadb_ext**	pfkey_ext,
-		     uint8_t		satype)
-{
-	int error = 0;
-	int i;
-	struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_x_satype_build:\n");
-	/* sanity checks... */
-	if (pfkey_x_satype) {
-		DEBUGGING(
-			"pfkey_x_satype_build: "
-			"why is pfkey_x_satype already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	if (!satype) {
-		DEBUGGING(
-			"pfkey_x_satype_build: "
-			"SA type not set, must be non-zero.\n");
-		SENDERR(EINVAL);
-	}
-
-	if (satype > SADB_SATYPE_MAX) {
-		DEBUGGING(
-			"pfkey_x_satype_build: "
-			"satype %d > max %d\n",
-			satype, SADB_SATYPE_MAX);
-		SENDERR(EINVAL);
-	}
-
-	pfkey_x_satype = (struct sadb_x_satype*)
-	     MALLOC(sizeof(struct sadb_x_satype));
-
-	*pfkey_ext = (struct sadb_ext*)pfkey_x_satype;
-
-	if (pfkey_x_satype == NULL) {
-		DEBUGGING(
-			"pfkey_x_satype_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	memset(pfkey_x_satype,
-	       0,
-	       sizeof(struct sadb_x_satype));
-
-        pfkey_x_satype->sadb_x_satype_len = sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN;
-
-	pfkey_x_satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
-	pfkey_x_satype->sadb_x_satype_satype = satype;
-	for (i=0; i<3; i++) {
-		pfkey_x_satype->sadb_x_satype_reserved[i] = 0;
-	}
-
-errlab:
-	return error;
-}
-
-int
-pfkey_x_debug_build(struct sadb_ext**	pfkey_ext,
-		    uint32_t            tunnel,
-		    uint32_t		netlink,
-		    uint32_t		xform,
-		    uint32_t		eroute,
-		    uint32_t		spi,
-		    uint32_t		radij,
-		    uint32_t		esp,
-		    uint32_t		ah,
-		    uint32_t		rcv,
-		    uint32_t            pfkey,
-		    uint32_t            ipcomp,
-		    uint32_t            verbose)
-{
-	int error = 0;
-	int i;
-	struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_x_debug_build:\n");
-	/* sanity checks... */
-	if (pfkey_x_debug) {
-		DEBUGGING(
-			"pfkey_x_debug_build: "
-			"why is pfkey_x_debug already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(
-		"pfkey_x_debug_build: "
-		"tunnel=%x netlink=%x xform=%x eroute=%x spi=%x radij=%x esp=%x ah=%x rcv=%x pfkey=%x ipcomp=%x verbose=%x?\n",
-		tunnel, netlink, xform, eroute, spi, radij, esp, ah, rcv, pfkey, ipcomp, verbose);
-
-	pfkey_x_debug = (struct sadb_x_debug*)
-		MALLOC(sizeof(struct sadb_x_debug));
-	*pfkey_ext = (struct sadb_ext*)pfkey_x_debug;
-
-	if (pfkey_x_debug == NULL) {
-		DEBUGGING(
-			"pfkey_x_debug_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-#if 0
-	memset(pfkey_x_debug,
-	       0,
-	       sizeof(struct sadb_x_debug));
-#endif
-
-        pfkey_x_debug->sadb_x_debug_len = sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN;
-	pfkey_x_debug->sadb_x_debug_exttype = SADB_X_EXT_DEBUG;
-
-	pfkey_x_debug->sadb_x_debug_tunnel = tunnel;
-	pfkey_x_debug->sadb_x_debug_netlink = netlink;
-	pfkey_x_debug->sadb_x_debug_xform = xform;
-	pfkey_x_debug->sadb_x_debug_eroute = eroute;
-	pfkey_x_debug->sadb_x_debug_spi = spi;
-	pfkey_x_debug->sadb_x_debug_radij = radij;
-	pfkey_x_debug->sadb_x_debug_esp = esp;
-	pfkey_x_debug->sadb_x_debug_ah = ah;
-	pfkey_x_debug->sadb_x_debug_rcv = rcv;
-	pfkey_x_debug->sadb_x_debug_pfkey = pfkey;
-	pfkey_x_debug->sadb_x_debug_ipcomp = ipcomp;
-	pfkey_x_debug->sadb_x_debug_verbose = verbose;
-
-	for (i=0; i<4; i++) {
-		pfkey_x_debug->sadb_x_debug_reserved[i] = 0;
-	}
-
-errlab:
-	return error;
-}
-
-int
-pfkey_x_nat_t_type_build(struct sadb_ext**	pfkey_ext,
-		    uint8_t         type)
-{
-	int error = 0;
-	int i;
-	struct sadb_x_nat_t_type *pfkey_x_nat_t_type = (struct sadb_x_nat_t_type *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_x_nat_t_type_build:\n");
-	/* sanity checks... */
-	if (pfkey_x_nat_t_type) {
-		DEBUGGING(
-			"pfkey_x_nat_t_type_build: "
-			"why is pfkey_x_nat_t_type already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(
-		"pfkey_x_nat_t_type_build: "
-		"type=%d\n", type);
-
-	pfkey_x_nat_t_type = (struct sadb_x_nat_t_type*)
-		MALLOC(sizeof(struct sadb_x_nat_t_type));
-
-	*pfkey_ext = (struct sadb_ext*)pfkey_x_nat_t_type;
-	if (pfkey_x_nat_t_type == NULL) {
-		DEBUGGING(
-			"pfkey_x_nat_t_type_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-
-	pfkey_x_nat_t_type->sadb_x_nat_t_type_len = sizeof(struct sadb_x_nat_t_type) / IPSEC_PFKEYv2_ALIGN;
-	pfkey_x_nat_t_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
-	pfkey_x_nat_t_type->sadb_x_nat_t_type_type = type;
-	for (i=0; i<3; i++) {
-		pfkey_x_nat_t_type->sadb_x_nat_t_type_reserved[i] = 0;
-	}
-
-errlab:
-	return error;
-}
-
-int
-pfkey_x_nat_t_port_build(struct sadb_ext**	pfkey_ext,
-		    uint16_t         exttype,
-		    uint16_t         port)
-{
-	int error = 0;
-	struct sadb_x_nat_t_port *pfkey_x_nat_t_port = (struct sadb_x_nat_t_port *)*pfkey_ext;
-
-	DEBUGGING(
-		"pfkey_x_nat_t_port_build:\n");
-	/* sanity checks... */
-	if (pfkey_x_nat_t_port) {
-		DEBUGGING(
-			"pfkey_x_nat_t_port_build: "
-			"why is pfkey_x_nat_t_port already pointing to something?\n");
-		SENDERR(EINVAL);
-	}
-
-	switch (exttype) {
-	case SADB_X_EXT_NAT_T_SPORT:
-	case SADB_X_EXT_NAT_T_DPORT:
-		break;
-	default:
-		DEBUGGING(
-			"pfkey_nat_t_port_build: "
-			"unrecognised ext_type=%d.\n",
-			exttype);
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(
-		"pfkey_x_nat_t_port_build: "
-		"ext=%d, port=%d\n", exttype, port);
-
-	pfkey_x_nat_t_port = (struct sadb_x_nat_t_port*)
-		MALLOC(sizeof(struct sadb_x_nat_t_port));
-	*pfkey_ext = (struct sadb_ext*)pfkey_x_nat_t_port;
-
-	if (pfkey_x_nat_t_port == NULL) {
-		DEBUGGING(
-			"pfkey_x_nat_t_port_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-
-	pfkey_x_nat_t_port->sadb_x_nat_t_port_len = sizeof(struct sadb_x_nat_t_port) / IPSEC_PFKEYv2_ALIGN;
-	pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype = exttype;
-	pfkey_x_nat_t_port->sadb_x_nat_t_port_port = port;
-	pfkey_x_nat_t_port->sadb_x_nat_t_port_reserved = 0;
-
-errlab:
-	return error;
-}
-
-int pfkey_x_protocol_build(struct sadb_ext **pfkey_ext,
-			   uint8_t protocol)
-{
-	int error = 0;
-	struct sadb_protocol * p = (struct sadb_protocol *)*pfkey_ext;
-	DEBUGGING("pfkey_x_protocol_build: protocol=%u\n", protocol);
-	/* sanity checks... */
-	if  (p != 0) {
-		DEBUGGING("pfkey_x_protocol_build: bogus protocol pointer\n");
-		SENDERR(EINVAL);
-	}
-	if ((p = (struct sadb_protocol*)MALLOC(sizeof(*p))) == 0) {
-		DEBUGGING("pfkey_build: memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-	*pfkey_ext = (struct sadb_ext *)p;
-	p->sadb_protocol_len = sizeof(*p) / sizeof(uint64_t);
-	p->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
-	p->sadb_protocol_proto = protocol;
-	p->sadb_protocol_flags = 0;
-	p->sadb_protocol_reserved2 = 0;
- errlab:
-	return error;
-}
-
-
-#if I_DONT_THINK_THIS_WILL_BE_USEFUL
-int (*ext_default_builders[SADB_EXT_MAX +1])(struct sadb_msg*, struct sadb_ext*)
- =
-{
-	NULL, /* pfkey_msg_build, */
-	pfkey_sa_build,
-	pfkey_lifetime_build,
-	pfkey_lifetime_build,
-	pfkey_lifetime_build,
-	pfkey_address_build,
-	pfkey_address_build,
-	pfkey_address_build,
-	pfkey_key_build,
-	pfkey_key_build,
-	pfkey_ident_build,
-	pfkey_ident_build,
-	pfkey_sens_build,
-	pfkey_prop_build,
-	pfkey_supported_build,
-	pfkey_supported_build,
-	pfkey_spirange_build,
-	pfkey_x_kmprivate_build,
-	pfkey_x_satype_build,
-	pfkey_sa_build,
-	pfkey_address_build,
-	pfkey_address_build,
-	pfkey_address_build,
-	pfkey_address_build,
-	pfkey_address_build,
-	pfkey_x_ext_debug_build
-};
-#endif
-
-int
-pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int dir)
-{
-	int error = 0;
-	unsigned ext;
-	unsigned total_size;
-	struct sadb_ext *pfkey_ext;
-	int extensions_seen = 0;
-	struct sadb_ext *extensions_check[SADB_EXT_MAX + 1];
-
-	if (!extensions[0]) {
-		DEBUGGING(
-			"pfkey_msg_build: "
-			"extensions[0] must be specified (struct sadb_msg).\n");
-		SENDERR(EINVAL);
-	}
-
-	total_size = sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
-	for (ext = 1; ext <= SADB_EXT_MAX; ext++) {
-		if(extensions[ext]) {
-			total_size += (extensions[ext])->sadb_ext_len;
-		}
-        }
-
-	if (!(*pfkey_msg = (struct sadb_msg*)MALLOC(total_size * IPSEC_PFKEYv2_ALIGN))) {
-		DEBUGGING(
-			"pfkey_msg_build: "
-			"memory allocation failed\n");
-		SENDERR(ENOMEM);
-	}
-
-	DEBUGGING(
-		"pfkey_msg_build: "
-		"pfkey_msg=0p%p allocated %lu bytes, &(extensions[0])=0p%p\n",
-		*pfkey_msg,
-		(unsigned long)(total_size * IPSEC_PFKEYv2_ALIGN),
-		&(extensions[0]));
-	memcpy(*pfkey_msg,
-	       extensions[0],
-	       sizeof(struct sadb_msg));
-	(*pfkey_msg)->sadb_msg_len = total_size;
-	(*pfkey_msg)->sadb_msg_reserved = 0;
-	extensions_seen =  1 ;
-
-	pfkey_ext = (struct sadb_ext*)(((char*)(*pfkey_msg)) + sizeof(struct sadb_msg));
-
-	for (ext = 1; ext <= SADB_EXT_MAX; ext++) {
-		/* copy from extension[ext] to buffer */
-		if (extensions[ext]) {
-			/* Is this type of extension permitted for this type of message? */
-			if (!(extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type] &
-			     1<<ext)) {
-				DEBUGGING(
-					"pfkey_msg_build: "
-					"ext type %d not permitted, exts_perm=%08x, 1<<type=%08x\n",
-					ext,
-					extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
-					1<<ext);
-				SENDERR(EINVAL);
-			}
-			DEBUGGING(
-				"pfkey_msg_build: "
-				"copying %lu bytes from extensions[%u]=0p%p to=0p%p\n",
-				(unsigned long)(extensions[ext]->sadb_ext_len * IPSEC_PFKEYv2_ALIGN),
-				ext,
-				extensions[ext],
-				pfkey_ext);
-			memcpy(pfkey_ext,
-			       extensions[ext],
-			       (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
-			{
-				char *pfkey_ext_c = (char *)pfkey_ext;
-
-				pfkey_ext_c += (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN;
-				pfkey_ext = (struct sadb_ext *)pfkey_ext_c;
-			}
-			/* Mark that we have seen this extension and remember the header location */
-			extensions_seen |= ( 1 << ext );
-		}
-	}
-
-	/* check required extensions */
-	DEBUGGING(
-		"pfkey_msg_build: "
-		"extensions permitted=%08x, seen=%08x, required=%08x.\n",
-		extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
-		extensions_seen,
-		extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]);
-
-	if ((extensions_seen &
-	    extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) !=
-	    extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) {
-		DEBUGGING(
-			"pfkey_msg_build: "
-			"required extensions missing:%08x.\n",
-			extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type] -
-			(extensions_seen &
-			 extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) );
-		SENDERR(EINVAL);
-	}
-
-	error = pfkey_msg_parse(*pfkey_msg, NULL, extensions_check, dir);
-	if (error) {
-		DEBUGGING(
-			"pfkey_msg_build: "
-			"Trouble parsing newly built pfkey message, error=%d.\n",
-			error);
-		SENDERR(-error);
-	}
-
-errlab:
-
-	return error;
-}
diff --git a/src/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c
deleted file mode 100644
index 0762d8f2b..000000000
--- a/src/libfreeswan/pfkey_v2_debug.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * @(#) pfkey version 2 debugging messages
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-# include <sys/types.h>
-# include <errno.h>
-
-#include "freeswan.h"
-#include "pfkeyv2.h"
-#include "pfkey.h"
-
-/*
- * This file provides ASCII translations of PF_KEY magic numbers.
- *
- */
-
-static char *pfkey_sadb_ext_strings[]={
-  "reserved",                     /* SADB_EXT_RESERVED             0 */
-  "security-association",         /* SADB_EXT_SA                   1 */
-  "lifetime-current",             /* SADB_EXT_LIFETIME_CURRENT     2 */
-  "lifetime-hard",                /* SADB_EXT_LIFETIME_HARD        3 */
-  "lifetime-soft",                /* SADB_EXT_LIFETIME_SOFT        4 */
-  "source-address",               /* SADB_EXT_ADDRESS_SRC          5 */
-  "destination-address",          /* SADB_EXT_ADDRESS_DST          6 */
-  "proxy-address",                /* SADB_EXT_ADDRESS_PROXY        7 */
-  "authentication-key",           /* SADB_EXT_KEY_AUTH             8 */
-  "cipher-key",                   /* SADB_EXT_KEY_ENCRYPT          9 */
-  "source-identity",              /* SADB_EXT_IDENTITY_SRC         10 */
-  "destination-identity",         /* SADB_EXT_IDENTITY_DST         11 */
-  "sensitivity-label",            /* SADB_EXT_SENSITIVITY          12 */
-  "proposal",                     /* SADB_EXT_PROPOSAL             13 */
-  "supported-auth",               /* SADB_EXT_SUPPORTED_AUTH       14 */
-  "supported-cipher",             /* SADB_EXT_SUPPORTED_ENCRYPT    15 */
-  "spi-range",                    /* SADB_EXT_SPIRANGE             16 */
-  "X-kmpprivate",                 /* SADB_X_EXT_KMPRIVATE          17 */
-  "X-satype2",                    /* SADB_X_EXT_SATYPE2            18 */
-  "X-security-association",       /* SADB_X_EXT_SA2                19 */
-  "X-destination-address2",       /* SADB_X_EXT_ADDRESS_DST2       20 */
-  "X-source-flow-address",        /* SADB_X_EXT_ADDRESS_SRC_FLOW   21 */
-  "X-dest-flow-address",          /* SADB_X_EXT_ADDRESS_DST_FLOW   22 */
-  "X-source-mask",                /* SADB_X_EXT_ADDRESS_SRC_MASK   23 */
-  "X-dest-mask",                  /* SADB_X_EXT_ADDRESS_DST_MASK   24 */
-  "X-set-debug",                  /* SADB_X_EXT_DEBUG              25 */
-  "X-protocol",                   /* SADB_X_EXT_PROTOCOL           26 */
-  "X-NAT-T-type",                 /* SADB_X_EXT_NAT_T_TYPE         27 */
-  "X-NAT-T-sport",                /* SADB_X_EXT_NAT_T_SPORT        28 */
-  "X-NAT-T-dport",                /* SADB_X_EXT_NAT_T_DPORT        29 */
-  "X-NAT-T-OA",                   /* SADB_X_EXT_NAT_T_OA           30 */
-};
-
-const char *
-pfkey_v2_sadb_ext_string(int ext)
-{
-  if(ext <= SADB_EXT_MAX) {
-    return pfkey_sadb_ext_strings[ext];
-  } else {
-    return "unknown-ext";
-  }
-}
-
-
-static char *pfkey_sadb_type_strings[]={
-	"reserved",                     /* SADB_RESERVED            */
-	"getspi",                       /* SADB_GETSPI              */
-	"update",                       /* SADB_UPDATE              */
-	"add",                          /* SADB_ADD                 */
-	"delete",                       /* SADB_DELETE              */
-	"get",                          /* SADB_GET                 */
-	"acquire",                      /* SADB_ACQUIRE             */
-	"register",                     /* SADB_REGISTER            */
-	"expire",                       /* SADB_EXPIRE              */
-	"flush",                        /* SADB_FLUSH               */
-	"dump",                         /* SADB_DUMP                */
-	"x-promisc",                    /* SADB_X_PROMISC           */
-	"x-pchange",                    /* SADB_X_PCHANGE           */
-	"x-groupsa",                    /* SADB_X_GRPSA             */
-	"x-addflow(eroute)",            /* SADB_X_ADDFLOW           */
-	"x-delflow(eroute)",            /* SADB_X_DELFLOW           */
-	"x-debug",                      /* SADB_X_DEBUG             */
-	"x-nat-t-new-mapping",          /* SADB_X_NAT_T_NEW_MAPPING */
-};
-
-const char *
-pfkey_v2_sadb_type_string(int sadb_type)
-{
-  if(sadb_type <= SADB_MAX) {
-    return pfkey_sadb_type_strings[sadb_type];
-  } else {
-    return "unknown-sadb-type";
-  }
-}
diff --git a/src/libfreeswan/pfkey_v2_ext_bits.c b/src/libfreeswan/pfkey_v2_ext_bits.c
deleted file mode 100644
index 49b4aa567..000000000
--- a/src/libfreeswan/pfkey_v2_ext_bits.c
+++ /dev/null
@@ -1,692 +0,0 @@
-/*
- * RFC2367 PF_KEYv2 Key management API message parser
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- *		Template from klips/net/ipsec/ipsec/ipsec_parse.c.
- */
-
-char pfkey_v2_ext_bits_c_version[] = "";
-
-# include <sys/types.h>
-# include <errno.h>
-
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/] = {
-
-/* INBOUND EXTENSIONS */
-{
-
-/* PERMITTED IN */
-{
-/* SADB_RESERVED */
-0
-,
-/* SADB_GETSPI */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_SPIRANGE
-,
-/* SADB_UPDATE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_X_EXT_NAT_T_SPORT
-| 1<<SADB_X_EXT_NAT_T_DPORT
-,
-/* SADB_ADD */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_X_EXT_NAT_T_TYPE
-| 1<<SADB_X_EXT_NAT_T_SPORT
-| 1<<SADB_X_EXT_NAT_T_DPORT
-| 1<<SADB_X_EXT_NAT_T_OA
-,
-/* SADB_DELETE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_GET */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_ACQUIRE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-,
-/* SADB_REGISTER */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_EXPIRE */
-0
-,
-/* SADB_FLUSH */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_DUMP */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_X_PROMISC */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_PCHANGE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_GRPSA */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_ADDFLOW */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_X_EXT_PROTOCOL
-,
-/* SADB_X_DELFLOW */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_X_EXT_PROTOCOL
-,
-/* SADB_X_DEBUG */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_X_EXT_DEBUG
-,
-/* SADB_X_NAT_T_NEW_MAPPING */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_NAT_T_SPORT
-| 1<<SADB_X_EXT_NAT_T_DPORT
-},
-
-/* REQUIRED IN */
-{
-/* SADB_RESERVED */
-0
-,
-/* SADB_GETSPI */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_SPIRANGE
-,
-/* SADB_UPDATE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-/*| 1<<SADB_EXT_KEY_AUTH*/
-/*| 1<<SADB_EXT_KEY_ENCRYPT*/
-,
-/* SADB_ADD */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-/*| 1<<SADB_EXT_KEY_AUTH*/
-/*| 1<<SADB_EXT_KEY_ENCRYPT*/
-,
-/* SADB_DELETE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_GET */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_ACQUIRE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_PROPOSAL
-,
-/* SADB_REGISTER */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_EXPIRE */
-0
-,
-/* SADB_FLUSH */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_DUMP */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_X_PROMISC */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_PCHANGE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_GRPSA */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_DST
-/*| 1<<SADB_X_EXT_SATYPE2*/
-/*| 1<<SADB_X_EXT_SA2*/
-/*| 1<<SADB_X_EXT_ADDRESS_DST2*/
-,
-/* SADB_X_ADDFLOW */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-,
-/* SADB_X_DELFLOW */
-1<<SADB_EXT_RESERVED
-/*| 1<<SADB_EXT_SA*/
-#if 0 /* SADB_X_CLREROUTE doesn't need all these... */
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-#endif
-,
-/* SADB_X_DEBUG */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_X_EXT_DEBUG
-,
-/* SADB_X_NAT_T_NEW_MAPPING */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_NAT_T_SPORT
-| 1<<SADB_X_EXT_NAT_T_DPORT
-}
-
-},
-
-/* OUTBOUND EXTENSIONS */
-{
-
-/* PERMITTED OUT */
-{
-/* SADB_RESERVED */
-0
-,
-/* SADB_GETSPI */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_UPDATE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-,
-/* SADB_ADD */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_X_EXT_NAT_T_TYPE
-| 1<<SADB_X_EXT_NAT_T_SPORT
-| 1<<SADB_X_EXT_NAT_T_DPORT
-| 1<<SADB_X_EXT_NAT_T_OA
-,
-/* SADB_DELETE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_GET */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-,
-/* SADB_ACQUIRE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-,
-/* SADB_REGISTER */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-,
-/* SADB_EXPIRE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_FLUSH */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_DUMP */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-,
-/* SADB_X_PROMISC */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_PCHANGE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_GRPSA */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_ADDFLOW */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-| 1<<SADB_X_EXT_PROTOCOL
-,
-/* SADB_X_DELFLOW */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-| 1<<SADB_X_EXT_PROTOCOL
-,
-/* SADB_X_DEBUG */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_X_EXT_DEBUG
-,
-/* SADB_X_NAT_T_NEW_MAPPING */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_NAT_T_SPORT
-| 1<<SADB_X_EXT_NAT_T_DPORT
-},
-
-/* REQUIRED OUT */
-{
-/* SADB_RESERVED */
-0
-,
-/* SADB_GETSPI */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_UPDATE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_ADD */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_DELETE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_GET */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-/* | 1<<SADB_EXT_KEY_AUTH */
-/* | 1<<SADB_EXT_KEY_ENCRYPT */
-,
-/* SADB_ACQUIRE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_PROPOSAL
-,
-/* SADB_REGISTER */
-1<<SADB_EXT_RESERVED
-/* | 1<<SADB_EXT_SUPPORTED_AUTH
-   | 1<<SADB_EXT_SUPPORTED_ENCRYPT */
-,
-/* SADB_EXPIRE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-/* | 1<<SADB_EXT_LIFETIME_HARD
-   | 1<<SADB_EXT_LIFETIME_SOFT */
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_FLUSH */
-1<<SADB_EXT_RESERVED
-,
-/* SADB_DUMP */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-,
-/* SADB_X_PROMISC */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_PCHANGE */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_LIFETIME_CURRENT
-| 1<<SADB_EXT_LIFETIME_HARD
-| 1<<SADB_EXT_LIFETIME_SOFT
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_EXT_ADDRESS_PROXY
-| 1<<SADB_EXT_KEY_AUTH
-| 1<<SADB_EXT_KEY_ENCRYPT
-| 1<<SADB_EXT_IDENTITY_SRC
-| 1<<SADB_EXT_IDENTITY_DST
-| 1<<SADB_EXT_SENSITIVITY
-| 1<<SADB_EXT_PROPOSAL
-| 1<<SADB_EXT_SUPPORTED_AUTH
-| 1<<SADB_EXT_SUPPORTED_ENCRYPT
-| 1<<SADB_EXT_SPIRANGE
-| 1<<SADB_X_EXT_KMPRIVATE
-| 1<<SADB_X_EXT_SATYPE2
-| 1<<SADB_X_EXT_SA2
-| 1<<SADB_X_EXT_ADDRESS_DST2
-,
-/* SADB_X_GRPSA */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_DST
-,
-/* SADB_X_ADDFLOW */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-,
-/* SADB_X_DELFLOW */
-1<<SADB_EXT_RESERVED
-/*| 1<<SADB_EXT_SA*/
-| 1<<SADB_X_EXT_ADDRESS_SRC_FLOW
-| 1<<SADB_X_EXT_ADDRESS_DST_FLOW
-| 1<<SADB_X_EXT_ADDRESS_SRC_MASK
-| 1<<SADB_X_EXT_ADDRESS_DST_MASK
-,
-/* SADB_X_DEBUG */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_X_EXT_DEBUG
-,
-/* SADB_X_NAT_T_NEW_MAPPING */
-1<<SADB_EXT_RESERVED
-| 1<<SADB_EXT_SA
-| 1<<SADB_EXT_ADDRESS_SRC
-| 1<<SADB_EXT_ADDRESS_DST
-| 1<<SADB_X_EXT_NAT_T_SPORT
-| 1<<SADB_X_EXT_NAT_T_DPORT
-}
-}
-};
diff --git a/src/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c
deleted file mode 100644
index 8fec9d119..000000000
--- a/src/libfreeswan/pfkey_v2_parse.c
+++ /dev/null
@@ -1,1539 +0,0 @@
-/*
- * RFC2367 PF_KEYv2 Key management API message parser
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- *		Template from klips/net/ipsec/ipsec/ipsec_parser.c.
- */
-
-char pfkey_v2_parse_c_version[] = "";
-
-# include <sys/types.h>
-# include <sys/socket.h>
-# include <errno.h>
-
-# include <freeswan.h>
-# include <constants.h>
-# include <defs.h>  /* for PRINTF_LIKE */
-# include <log.h>  /* for debugging and DBG_log */
-
-# ifdef PLUTO
-#  define DEBUGGING(level, args...)  { DBG_log("pfkey_lib_debug:" args);  }
-# else
-#  define DEBUGGING(level, args...)  if(pfkey_lib_debug & level) { printf("pfkey_lib_debug:" args); } else { ; }
-# endif
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-
-#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
-
-static struct {
-	uint8_t proto;
-	uint8_t satype;
-	char* name;
-} satype_tbl[] = {
-	{ SA_ESP,	SADB_SATYPE_ESP,	"ESP"  },
-	{ SA_AH,	SADB_SATYPE_AH,		"AH"   },
-	{ SA_IPIP,	SADB_X_SATYPE_IPIP,	"IPIP" },
-	{ SA_COMP,	SADB_X_SATYPE_COMP,	"COMP" },
-	{ SA_INT,	SADB_X_SATYPE_INT,	"INT" },
-	{ 0,		0,			"UNKNOWN" }
-};
-
-uint8_t
-satype2proto(uint8_t satype)
-{
-	int i =0;
-
-	while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
-		i++;
-	}
-	return satype_tbl[i].proto;
-}
-
-uint8_t
-proto2satype(uint8_t proto)
-{
-	int i = 0;
-
-	while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
-		i++;
-	}
-	return satype_tbl[i].satype;
-}
-
-char*
-satype2name(uint8_t satype)
-{
-	int i = 0;
-
-	while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
-		i++;
-	}
-	return satype_tbl[i].name;
-}
-
-char*
-proto2name(uint8_t proto)
-{
-	int i = 0;
-
-	while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
-		i++;
-	}
-	return satype_tbl[i].name;
-}
-
-/* Default extension parsers taken from the KLIPS code */
-
-DEBUG_NO_STATIC int
-pfkey_sa_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_sa *pfkey_sa = (struct sadb_sa *)pfkey_ext;
-#if 0
-	struct sadb_sa sav2;
-#endif
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		  "pfkey_sa_parse: entry\n");
-	/* sanity checks... */
-	if(!pfkey_sa) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "NULL pointer passed in.\n");
-		SENDERR(EINVAL);
-	}
-
-#if 0
-	/* check if this structure is short, and if so, fix it up.
-	 * XXX this is NOT the way to do things.
-	 */
-	if(pfkey_sa->sadb_sa_len == sizeof(struct sadb_sa_v1)/IPSEC_PFKEYv2_ALIGN) {
-
-		/* yes, so clear out a temporary structure, and copy first */
-		memset(&sav2, 0, sizeof(sav2));
-		memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1));
-		sav2.sadb_x_sa_ref=-1;
-		sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN;
-
-		pfkey_sa = &sav2;
-	}
-#endif
-
-
-	if(pfkey_sa->sadb_sa_len != sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "length wrong pfkey_sa->sadb_sa_len=%d sizeof(struct sadb_sa)=%d.\n",
-			  pfkey_sa->sadb_sa_len,
-			  (int)sizeof(struct sadb_sa));
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "pfkey_sa->sadb_sa_encrypt=%d > SADB_EALG_MAX=%d.\n",
-			  pfkey_sa->sadb_sa_encrypt,
-			  SADB_EALG_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_sa->sadb_sa_auth > SADB_AALG_MAX) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "pfkey_sa->sadb_sa_auth=%d > SADB_AALG_MAX=%d.\n",
-			  pfkey_sa->sadb_sa_auth,
-			  SADB_AALG_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "state=%d exceeds MAX=%d.\n",
-			  pfkey_sa->sadb_sa_state,
-			  SADB_SASTATE_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "state=%d is DEAD=%d.\n",
-			  pfkey_sa->sadb_sa_state,
-			  SADB_SASTATE_DEAD);
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_sa->sadb_sa_replay > 64) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "replay window size: %d -- must be 0 <= size <= 64\n",
-			  pfkey_sa->sadb_sa_replay);
-		SENDERR(EINVAL);
-	}
-
-	if(! ((pfkey_sa->sadb_sa_exttype ==  SADB_EXT_SA) ||
-	      (pfkey_sa->sadb_sa_exttype ==  SADB_X_EXT_SA2)))
-	{
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "unknown exttype=%d, expecting SADB_EXT_SA=%d or SADB_X_EXT_SA2=%d.\n",
-			  pfkey_sa->sadb_sa_exttype,
-			  SADB_EXT_SA,
-			  SADB_X_EXT_SA2);
-		SENDERR(EINVAL);
-	}
-
-	if((IPSEC_SAREF_NULL != pfkey_sa->sadb_x_sa_ref) && (pfkey_sa->sadb_x_sa_ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sa_parse: "
-			  "SAref=%d must be (SAref == IPSEC_SAREF_NULL(%d) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(%d)).\n",
-			  pfkey_sa->sadb_x_sa_ref,
-			  IPSEC_SAREF_NULL,
-			  IPSEC_SA_REF_TABLE_NUM_ENTRIES);
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-		  "pfkey_sa_parse: "
-		  "successfully found len=%d exttype=%d(%s) spi=%08lx replay=%d state=%d auth=%d encrypt=%d flags=%d ref=%d.\n",
-		  pfkey_sa->sadb_sa_len,
-		  pfkey_sa->sadb_sa_exttype,
-		  pfkey_v2_sadb_ext_string(pfkey_sa->sadb_sa_exttype),
-		  (long unsigned int)ntohl(pfkey_sa->sadb_sa_spi),
-		  pfkey_sa->sadb_sa_replay,
-		  pfkey_sa->sadb_sa_state,
-		  pfkey_sa->sadb_sa_auth,
-		  pfkey_sa->sadb_sa_encrypt,
-		  pfkey_sa->sadb_sa_flags,
-		  pfkey_sa->sadb_x_sa_ref);
-
- errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_lifetime_parse(struct sadb_ext  *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)pfkey_ext;
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		  "pfkey_lifetime_parse:enter\n");
-	/* sanity checks... */
-	if(!pfkey_lifetime) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_lifetime_parse: "
-			  "NULL pointer passed in.\n");
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_lifetime->sadb_lifetime_len !=
-	   sizeof(struct sadb_lifetime) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_lifetime_parse: "
-			  "length wrong pfkey_lifetime->sadb_lifetime_len=%d sizeof(struct sadb_lifetime)=%d.\n",
-			  pfkey_lifetime->sadb_lifetime_len,
-			  (int)sizeof(struct sadb_lifetime));
-		SENDERR(EINVAL);
-	}
-
-	if((pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_HARD) &&
-	   (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_SOFT) &&
-	   (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_CURRENT)) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_lifetime_parse: "
-			  "unexpected ext_type=%d.\n",
-			  pfkey_lifetime->sadb_lifetime_exttype);
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-		  "pfkey_lifetime_parse: "
-		  "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n",
-		  pfkey_lifetime->sadb_lifetime_exttype,
-		  pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype),
-		  pfkey_lifetime->sadb_lifetime_allocations,
-		  (unsigned)pfkey_lifetime->sadb_lifetime_bytes,
-		  (unsigned)pfkey_lifetime->sadb_lifetime_addtime,
-		  (unsigned)pfkey_lifetime->sadb_lifetime_usetime,
-		  pfkey_lifetime->sadb_x_lifetime_packets);
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_address_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	int saddr_len = 0;
-	struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
-	struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
-	char ipaddr_txt[ADDRTOT_BUF];
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		"pfkey_address_parse:enter\n");
-	/* sanity checks... */
-	if(!pfkey_address) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_address_parse: "
-			"NULL pointer passed in.\n");
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_address->sadb_address_len <
-	   (sizeof(struct sadb_address) + sizeof(struct sockaddr))/
-	   IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_address_parse: "
-			  "size wrong 1 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
-			  pfkey_address->sadb_address_len,
-			  (int)sizeof(struct sadb_address),
-			  (int)sizeof(struct sockaddr));
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_address->sadb_address_reserved) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_address_parse: "
-			  "res=%d, must be zero.\n",
-			  pfkey_address->sadb_address_reserved);
-		SENDERR(EINVAL);
-	}
-
-	switch(pfkey_address->sadb_address_exttype) {
-	case SADB_EXT_ADDRESS_SRC:
-	case SADB_EXT_ADDRESS_DST:
-	case SADB_EXT_ADDRESS_PROXY:
-	case SADB_X_EXT_ADDRESS_DST2:
-	case SADB_X_EXT_ADDRESS_SRC_FLOW:
-	case SADB_X_EXT_ADDRESS_DST_FLOW:
-	case SADB_X_EXT_ADDRESS_SRC_MASK:
-	case SADB_X_EXT_ADDRESS_DST_MASK:
-	case SADB_X_EXT_NAT_T_OA:
-		break;
-	default:
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_address_parse: "
-			"unexpected ext_type=%d.\n",
-			pfkey_address->sadb_address_exttype);
-		SENDERR(EINVAL);
-	}
-
-	switch(s->sa_family) {
-	case AF_INET:
-		saddr_len = sizeof(struct sockaddr_in);
-		sprintf(ipaddr_txt, "%d.%d.%d.%d"
-			, (((struct sockaddr_in*)s)->sin_addr.s_addr >>  0) & 0xFF
-			, (((struct sockaddr_in*)s)->sin_addr.s_addr >>  8) & 0xFF
-			, (((struct sockaddr_in*)s)->sin_addr.s_addr >> 16) & 0xFF
-			, (((struct sockaddr_in*)s)->sin_addr.s_addr >> 24) & 0xFF);
-		DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-			  "pfkey_address_parse: "
-			  "found exttype=%u(%s) family=%d(AF_INET) address=%s proto=%u port=%u.\n",
-			  pfkey_address->sadb_address_exttype,
-			  pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
-			  s->sa_family,
-			  ipaddr_txt,
-			  pfkey_address->sadb_address_proto,
-			  ntohs(((struct sockaddr_in*)s)->sin_port));
-		break;
-	case AF_INET6:
-		saddr_len = sizeof(struct sockaddr_in6);
-		sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[0])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[1])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[2])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[3])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[4])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[5])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[6])
-			, ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[7]));
-		DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-			  "pfkey_address_parse: "
-			  "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n",
-			  pfkey_address->sadb_address_exttype,
-			  pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
-			  s->sa_family,
-			  ipaddr_txt,
-			  pfkey_address->sadb_address_proto,
-			  ((struct sockaddr_in6*)s)->sin6_port);
-		break;
-	default:
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_address_parse: "
-			"s->sa_family=%d not supported.\n",
-			s->sa_family);
-		SENDERR(EPFNOSUPPORT);
-	}
-
-	if(pfkey_address->sadb_address_len !=
-	   DIVUP(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN)) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_address_parse: "
-			  "size wrong 2 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
-			  pfkey_address->sadb_address_len,
-			  (int)sizeof(struct sadb_address),
-			  saddr_len);
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_address->sadb_address_prefixlen != 0) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_address_parse: "
-			"address prefixes not supported yet.\n");
-		SENDERR(EAFNOSUPPORT); /* not supported yet */
-	}
-
-	/* XXX check if port!=0 */
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		"pfkey_address_parse: successful.\n");
- errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_key_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_key *pfkey_key = (struct sadb_key *)pfkey_ext;
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		"pfkey_key_parse:enter\n");
-	/* sanity checks... */
-
-	if(!pfkey_key) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_key_parse: "
-			"NULL pointer passed in.\n");
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_key->sadb_key_len < sizeof(struct sadb_key) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_key_parse: "
-			  "size wrong ext_len=%d, key_ext_len=%d.\n",
-			  pfkey_key->sadb_key_len,
-			  (int)sizeof(struct sadb_key));
-		SENDERR(EINVAL);
-	}
-
-	if(!pfkey_key->sadb_key_bits) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_key_parse: "
-			"key length set to zero, must be non-zero.\n");
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_key->sadb_key_len !=
-	   DIVUP(sizeof(struct sadb_key) * OCTETBITS + pfkey_key->sadb_key_bits,
-		 PFKEYBITS)) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_key_parse: "
-			"key length=%d does not agree with extension length=%d.\n",
-			pfkey_key->sadb_key_bits,
-			pfkey_key->sadb_key_len);
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_key->sadb_key_reserved) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_key_parse: "
-			"res=%d, must be zero.\n",
-			pfkey_key->sadb_key_reserved);
-		SENDERR(EINVAL);
-	}
-
-	if(! ( (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ||
-	       (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_ENCRYPT))) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_key_parse: "
-			"expecting extension type AUTH or ENCRYPT, got %d.\n",
-			pfkey_key->sadb_key_exttype);
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-		  "pfkey_key_parse: "
-		  "success, found len=%d exttype=%d(%s) bits=%d reserved=%d.\n",
-		  pfkey_key->sadb_key_len,
-		  pfkey_key->sadb_key_exttype,
-		  pfkey_v2_sadb_ext_string(pfkey_key->sadb_key_exttype),
-		  pfkey_key->sadb_key_bits,
-		  pfkey_key->sadb_key_reserved);
-
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_ident_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_ident *pfkey_ident = (struct sadb_ident *)pfkey_ext;
-
-	/* sanity checks... */
-	if(pfkey_ident->sadb_ident_len < sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_ident_parse: "
-			  "size wrong ext_len=%d, key_ext_len=%d.\n",
-			  pfkey_ident->sadb_ident_len,
-			  (int)sizeof(struct sadb_ident));
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_ident->sadb_ident_type > SADB_IDENTTYPE_MAX) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_ident_parse: "
-			"ident_type=%d out of range, must be less than %d.\n",
-			pfkey_ident->sadb_ident_type,
-			SADB_IDENTTYPE_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_ident->sadb_ident_reserved) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_ident_parse: "
-			"res=%d, must be zero.\n",
-			pfkey_ident->sadb_ident_reserved);
-		SENDERR(EINVAL);
-	}
-
-	/* string terminator/padding must be zero */
-	if(pfkey_ident->sadb_ident_len > sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
-		if(*((char*)pfkey_ident + pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1)) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_ident_parse: "
-				"string padding must be zero, last is 0x%02x.\n",
-				*((char*)pfkey_ident +
-				  pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1));
-			SENDERR(EINVAL);
-		}
-	}
-
-	if( ! ((pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ||
-	       (pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_DST))) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_key_parse: "
-			"expecting extension type IDENTITY_SRC or IDENTITY_DST, got %d.\n",
-			pfkey_ident->sadb_ident_exttype);
-		SENDERR(EINVAL);
-	}
-
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_sens_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_sens *pfkey_sens = (struct sadb_sens *)pfkey_ext;
-
-	/* sanity checks... */
-	if(pfkey_sens->sadb_sens_len < sizeof(struct sadb_sens) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_sens_parse: "
-			  "size wrong ext_len=%d, key_ext_len=%d.\n",
-			  pfkey_sens->sadb_sens_len,
-			  (int)sizeof(struct sadb_sens));
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-		"pfkey_sens_parse: "
-		"Sorry, I can't parse exttype=%d yet.\n",
-		pfkey_ext->sadb_ext_type);
-#if 0
-	SENDERR(EINVAL); /* don't process these yet */
-#endif
-
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_prop_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	int i, num_comb;
-	struct sadb_prop *pfkey_prop = (struct sadb_prop *)pfkey_ext;
-	struct sadb_comb *pfkey_comb = (struct sadb_comb *)((char*)pfkey_ext + sizeof(struct sadb_prop));
-
-	/* sanity checks... */
-	if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) ||
-	   (((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb))) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_prop_parse: "
-			  "size wrong ext_len=%d, prop_ext_len=%d comb_ext_len=%d.\n",
-			  pfkey_prop->sadb_prop_len,
-			  (int)sizeof(struct sadb_prop),
-			  (int)sizeof(struct sadb_comb));
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_prop->sadb_prop_replay > 64) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_prop_parse: "
-			"replay window size: %d -- must be 0 <= size <= 64\n",
-			pfkey_prop->sadb_prop_replay);
-		SENDERR(EINVAL);
-	}
-
-	for(i=0; i<3; i++) {
-		if(pfkey_prop->sadb_prop_reserved[i]) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_prop_parse: "
-				"res[%d]=%d, must be zero.\n",
-				i, pfkey_prop->sadb_prop_reserved[i]);
-			SENDERR(EINVAL);
-		}
-	}
-
-	num_comb = ((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) / sizeof(struct sadb_comb);
-
-	for(i = 0; i < num_comb; i++) {
-		if(pfkey_comb->sadb_comb_auth > SADB_AALG_MAX) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_prop_parse: "
-				"pfkey_comb[%d]->sadb_comb_auth=%d > SADB_AALG_MAX=%d.\n",
-				i,
-				pfkey_comb->sadb_comb_auth,
-				SADB_AALG_MAX);
-			SENDERR(EINVAL);
-		}
-
-		if(pfkey_comb->sadb_comb_auth) {
-			if(!pfkey_comb->sadb_comb_auth_minbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_auth_minbits=0, fatal.\n",
-					i);
-				SENDERR(EINVAL);
-			}
-			if(!pfkey_comb->sadb_comb_auth_maxbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_auth_maxbits=0, fatal.\n",
-					i);
-				SENDERR(EINVAL);
-			}
-			if(pfkey_comb->sadb_comb_auth_minbits > pfkey_comb->sadb_comb_auth_maxbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_auth_minbits=%d > maxbits=%d, fatal.\n",
-					i,
-					pfkey_comb->sadb_comb_auth_minbits,
-					pfkey_comb->sadb_comb_auth_maxbits);
-				SENDERR(EINVAL);
-			}
-		} else {
-			if(pfkey_comb->sadb_comb_auth_minbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_auth_minbits=%d != 0, fatal.\n",
-					i,
-					pfkey_comb->sadb_comb_auth_minbits);
-				SENDERR(EINVAL);
-			}
-			if(pfkey_comb->sadb_comb_auth_maxbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_auth_maxbits=%d != 0, fatal.\n",
-					i,
-					pfkey_comb->sadb_comb_auth_maxbits);
-				SENDERR(EINVAL);
-			}
-		}
-
-		if(pfkey_comb->sadb_comb_encrypt > SADB_EALG_MAX) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_comb_parse: "
-				"pfkey_comb[%d]->sadb_comb_encrypt=%d > SADB_EALG_MAX=%d.\n",
-				i,
-				pfkey_comb->sadb_comb_encrypt,
-				SADB_EALG_MAX);
-			SENDERR(EINVAL);
-		}
-
-		if(pfkey_comb->sadb_comb_encrypt) {
-			if(!pfkey_comb->sadb_comb_encrypt_minbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_encrypt_minbits=0, fatal.\n",
-					i);
-				SENDERR(EINVAL);
-			}
-			if(!pfkey_comb->sadb_comb_encrypt_maxbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_encrypt_maxbits=0, fatal.\n",
-					i);
-				SENDERR(EINVAL);
-			}
-			if(pfkey_comb->sadb_comb_encrypt_minbits > pfkey_comb->sadb_comb_encrypt_maxbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d > maxbits=%d, fatal.\n",
-					i,
-					pfkey_comb->sadb_comb_encrypt_minbits,
-					pfkey_comb->sadb_comb_encrypt_maxbits);
-				SENDERR(EINVAL);
-			}
-		} else {
-			if(pfkey_comb->sadb_comb_encrypt_minbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d != 0, fatal.\n",
-					i,
-					pfkey_comb->sadb_comb_encrypt_minbits);
-				SENDERR(EINVAL);
-			}
-			if(pfkey_comb->sadb_comb_encrypt_maxbits) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_prop_parse: "
-					"pfkey_comb[%d]->sadb_comb_encrypt_maxbits=%d != 0, fatal.\n",
-					i,
-					pfkey_comb->sadb_comb_encrypt_maxbits);
-				SENDERR(EINVAL);
-			}
-		}
-
-		/* XXX do sanity check on flags */
-
-		if(pfkey_comb->sadb_comb_hard_allocations && pfkey_comb->sadb_comb_soft_allocations > pfkey_comb->sadb_comb_hard_allocations) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				  "pfkey_prop_parse: "
-				  "pfkey_comb[%d]->sadb_comb_soft_allocations=%d > hard_allocations=%d, fatal.\n",
-				  i,
-				  pfkey_comb->sadb_comb_soft_allocations,
-				  pfkey_comb->sadb_comb_hard_allocations);
-			SENDERR(EINVAL);
-		}
-
-		if(pfkey_comb->sadb_comb_hard_bytes && pfkey_comb->sadb_comb_soft_bytes > pfkey_comb->sadb_comb_hard_bytes) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				  "pfkey_prop_parse: "
-				  "pfkey_comb[%d]->sadb_comb_soft_bytes=%Ld > hard_bytes=%Ld, fatal.\n",
-				  i,
-				  (unsigned long long int)pfkey_comb->sadb_comb_soft_bytes,
-				  (unsigned long long int)pfkey_comb->sadb_comb_hard_bytes);
-			SENDERR(EINVAL);
-		}
-
-		if(pfkey_comb->sadb_comb_hard_addtime && pfkey_comb->sadb_comb_soft_addtime > pfkey_comb->sadb_comb_hard_addtime) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				  "pfkey_prop_parse: "
-				  "pfkey_comb[%d]->sadb_comb_soft_addtime=%Ld > hard_addtime=%Ld, fatal.\n",
-				  i,
-				  (unsigned long long int)pfkey_comb->sadb_comb_soft_addtime,
-				  (unsigned long long int)pfkey_comb->sadb_comb_hard_addtime);
-			SENDERR(EINVAL);
-		}
-
-		if(pfkey_comb->sadb_comb_hard_usetime && pfkey_comb->sadb_comb_soft_usetime > pfkey_comb->sadb_comb_hard_usetime) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				  "pfkey_prop_parse: "
-				  "pfkey_comb[%d]->sadb_comb_soft_usetime=%Ld > hard_usetime=%Ld, fatal.\n",
-				  i,
-				  (unsigned long long int)pfkey_comb->sadb_comb_soft_usetime,
-				  (unsigned long long int)pfkey_comb->sadb_comb_hard_usetime);
-			SENDERR(EINVAL);
-		}
-
-		if(pfkey_comb->sadb_x_comb_hard_packets && pfkey_comb->sadb_x_comb_soft_packets > pfkey_comb->sadb_x_comb_hard_packets) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_prop_parse: "
-				"pfkey_comb[%d]->sadb_x_comb_soft_packets=%d > hard_packets=%d, fatal.\n",
-				i,
-				pfkey_comb->sadb_x_comb_soft_packets,
-				pfkey_comb->sadb_x_comb_hard_packets);
-			SENDERR(EINVAL);
-		}
-
-		if(pfkey_comb->sadb_comb_reserved) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_prop_parse: "
-				"comb[%d].res=%d, must be zero.\n",
-				i,
-				pfkey_comb->sadb_comb_reserved);
-			SENDERR(EINVAL);
-		}
-		pfkey_comb++;
-	}
-
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_supported_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	unsigned int i, num_alg;
-	struct sadb_supported *pfkey_supported = (struct sadb_supported *)pfkey_ext;
-	struct sadb_alg *pfkey_alg = (struct sadb_alg*)((char*)pfkey_ext + sizeof(struct sadb_supported));
-
-	/* sanity checks... */
-	if((pfkey_supported->sadb_supported_len <
-	   sizeof(struct sadb_supported) / IPSEC_PFKEYv2_ALIGN) ||
-	   (((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) -
-	     sizeof(struct sadb_supported)) % sizeof(struct sadb_alg))) {
-
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_supported_parse: "
-			  "size wrong ext_len=%d, supported_ext_len=%d alg_ext_len=%d.\n",
-			  pfkey_supported->sadb_supported_len,
-			  (int)sizeof(struct sadb_supported),
-			  (int)sizeof(struct sadb_alg));
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_supported->sadb_supported_reserved) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_supported_parse: "
-			"res=%d, must be zero.\n",
-			pfkey_supported->sadb_supported_reserved);
-		SENDERR(EINVAL);
-	}
-
-	num_alg = ((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_supported)) / sizeof(struct sadb_alg);
-
-	for(i = 0; i < num_alg; i++) {
-		/* process algo description */
-		if(pfkey_alg->sadb_alg_reserved) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_supported_parse: "
-				"alg[%d], id=%d, ivlen=%d, minbits=%d, maxbits=%d, res=%d, must be zero.\n",
-				i,
-				pfkey_alg->sadb_alg_id,
-				pfkey_alg->sadb_alg_ivlen,
-				pfkey_alg->sadb_alg_minbits,
-				pfkey_alg->sadb_alg_maxbits,
-				pfkey_alg->sadb_alg_reserved);
-			SENDERR(EINVAL);
-		}
-
-		/* XXX can alg_id auth/enc be determined from info given?
-		   Yes, but OpenBSD's method does not iteroperate with rfc2367.
-		   rgb, 2000-04-06 */
-
-		switch(pfkey_supported->sadb_supported_exttype) {
-		case SADB_EXT_SUPPORTED_AUTH:
-			if(pfkey_alg->sadb_alg_id > SADB_AALG_MAX) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_supported_parse: "
-					"alg[%d], alg_id=%d > SADB_AALG_MAX=%d, fatal.\n",
-					i,
-					pfkey_alg->sadb_alg_id,
-					SADB_AALG_MAX);
-				SENDERR(EINVAL);
-			}
-			break;
-		case SADB_EXT_SUPPORTED_ENCRYPT:
-			if(pfkey_alg->sadb_alg_id > SADB_EALG_MAX) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_supported_parse: "
-					"alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
-					i,
-					pfkey_alg->sadb_alg_id,
-					SADB_EALG_MAX);
-				SENDERR(EINVAL);
-			}
-			break;
-		default:
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_supported_parse: "
-				"alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
-				i,
-				pfkey_alg->sadb_alg_id,
-				SADB_EALG_MAX);
-			SENDERR(EINVAL);
-		}
-		pfkey_alg++;
-	}
-
- errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)pfkey_ext;
-
-	/* sanity checks... */
-        if(pfkey_spirange->sadb_spirange_len !=
-	   sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_spirange_parse: "
-			  "size wrong ext_len=%d, key_ext_len=%d.\n",
-			  pfkey_spirange->sadb_spirange_len,
-			  (int)sizeof(struct sadb_spirange));
-                SENDERR(EINVAL);
-        }
-
-        if(pfkey_spirange->sadb_spirange_reserved) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_spirange_parse: "
-			"reserved=%d must be set to zero.\n",
-			pfkey_spirange->sadb_spirange_reserved);
-                SENDERR(EINVAL);
-        }
-
-        if(ntohl(pfkey_spirange->sadb_spirange_max) < ntohl(pfkey_spirange->sadb_spirange_min)) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_spirange_parse: "
-			"minspi=%08x must be < maxspi=%08x.\n",
-			ntohl(pfkey_spirange->sadb_spirange_min),
-			ntohl(pfkey_spirange->sadb_spirange_max));
-                SENDERR(EINVAL);
-        }
-
-	if(ntohl(pfkey_spirange->sadb_spirange_min) <= 255) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_spirange_parse: "
-			"minspi=%08x must be > 255.\n",
-			ntohl(pfkey_spirange->sadb_spirange_min));
-		SENDERR(EEXIST);
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-		  "pfkey_spirange_parse: "
-		  "ext_len=%u ext_type=%u(%s) min=%u max=%u res=%u.\n",
-		  pfkey_spirange->sadb_spirange_len,
-		  pfkey_spirange->sadb_spirange_exttype,
-		  pfkey_v2_sadb_ext_string(pfkey_spirange->sadb_spirange_exttype),
-		  pfkey_spirange->sadb_spirange_min,
-		  pfkey_spirange->sadb_spirange_max,
-		  pfkey_spirange->sadb_spirange_reserved);
- errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_kmprivate_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_x_kmprivate *pfkey_x_kmprivate = (struct sadb_x_kmprivate *)pfkey_ext;
-
-	/* sanity checks... */
-	if(pfkey_x_kmprivate->sadb_x_kmprivate_len <
-	   sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_x_kmprivate_parse: "
-			  "size wrong ext_len=%d, key_ext_len=%d.\n",
-			  pfkey_x_kmprivate->sadb_x_kmprivate_len,
-			  (int)sizeof(struct sadb_x_kmprivate));
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_x_kmprivate->sadb_x_kmprivate_reserved) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_x_kmprivate_parse: "
-			  "reserved=%d must be set to zero.\n",
-			  pfkey_x_kmprivate->sadb_x_kmprivate_reserved);
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-		  "pfkey_x_kmprivate_parse: "
-		  "Sorry, I can't parse exttype=%d yet.\n",
-		  pfkey_ext->sadb_ext_type);
-	SENDERR(EINVAL); /* don't process these yet */
-
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	int i;
-	struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		"pfkey_x_satype_parse: enter\n");
-	/* sanity checks... */
-	if(pfkey_x_satype->sadb_x_satype_len !=
-	   sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_x_satype_parse: "
-			  "size wrong ext_len=%d, key_ext_len=%d.\n",
-			  pfkey_x_satype->sadb_x_satype_len,
-			  (int)sizeof(struct sadb_x_satype));
-		SENDERR(EINVAL);
-	}
-
-	if(!pfkey_x_satype->sadb_x_satype_satype) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_x_satype_parse: "
-			"satype is zero, must be non-zero.\n");
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_x_satype->sadb_x_satype_satype > SADB_SATYPE_MAX) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_x_satype_parse: "
-			"satype %d > max %d, invalid.\n",
-			pfkey_x_satype->sadb_x_satype_satype, SADB_SATYPE_MAX);
-		SENDERR(EINVAL);
-	}
-
-	if(!(satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_x_satype_parse: "
-			"proto lookup from satype=%d failed.\n",
-			pfkey_x_satype->sadb_x_satype_satype);
-		SENDERR(EINVAL);
-	}
-
-	for(i = 0; i < 3; i++) {
-		if(pfkey_x_satype->sadb_x_satype_reserved[i]) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_x_satype_parse: "
-				"reserved[%d]=%d must be set to zero.\n",
-				i, pfkey_x_satype->sadb_x_satype_reserved[i]);
-			SENDERR(EINVAL);
-		}
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-		  "pfkey_x_satype_parse: "
-		  "len=%u ext=%u(%s) satype=%u(%s) res=%u,%u,%u.\n",
-		  pfkey_x_satype->sadb_x_satype_len,
-		  pfkey_x_satype->sadb_x_satype_exttype,
-		  pfkey_v2_sadb_ext_string(pfkey_x_satype->sadb_x_satype_exttype),
-		  pfkey_x_satype->sadb_x_satype_satype,
-		  satype2name(pfkey_x_satype->sadb_x_satype_satype),
-		  pfkey_x_satype->sadb_x_satype_reserved[0],
-		  pfkey_x_satype->sadb_x_satype_reserved[1],
-		  pfkey_x_satype->sadb_x_satype_reserved[2]);
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	int i;
-	struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		"pfkey_x_debug_parse: enter\n");
-	/* sanity checks... */
-	if(pfkey_x_debug->sadb_x_debug_len !=
-	   sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_x_debug_parse: "
-			  "size wrong ext_len=%d, key_ext_len=%d.\n",
-			  pfkey_x_debug->sadb_x_debug_len,
-			  (int)sizeof(struct sadb_x_debug));
-		SENDERR(EINVAL);
-	}
-
-	for(i = 0; i < 4; i++) {
-		if(pfkey_x_debug->sadb_x_debug_reserved[i]) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_x_debug_parse: "
-				"reserved[%d]=%d must be set to zero.\n",
-				i, pfkey_x_debug->sadb_x_debug_reserved[i]);
-			SENDERR(EINVAL);
-		}
-	}
-
-errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_ext_protocol_parse(struct sadb_ext *pfkey_ext)
-{
-	int error = 0;
-	struct sadb_protocol *p = (struct sadb_protocol *)pfkey_ext;
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_protocol_parse:\n");
-	/* sanity checks... */
-
-	if (p->sadb_protocol_len != sizeof(*p)/IPSEC_PFKEYv2_ALIGN) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_x_protocol_parse: size wrong ext_len=%d, key_ext_len=%d.\n",
-			  p->sadb_protocol_len, (int)sizeof(*p));
-		SENDERR(EINVAL);
-	}
-
-	if (p->sadb_protocol_reserved2 != 0) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			  "pfkey_protocol_parse: res=%d, must be zero.\n",
-			  p->sadb_protocol_reserved2);
-		SENDERR(EINVAL);
-	}
-
- errlab:
-	return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_ext_nat_t_type_parse(struct sadb_ext *pfkey_ext)
-{
-	return 0;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_ext_nat_t_port_parse(struct sadb_ext *pfkey_ext)
-{
-	return 0;
-}
-
-#define DEFINEPARSER(NAME) static struct pf_key_ext_parsers_def NAME##_def={NAME, #NAME};
-
-DEFINEPARSER(pfkey_sa_parse);
-DEFINEPARSER(pfkey_lifetime_parse);
-DEFINEPARSER(pfkey_address_parse);
-DEFINEPARSER(pfkey_key_parse);
-DEFINEPARSER(pfkey_ident_parse);
-DEFINEPARSER(pfkey_sens_parse);
-DEFINEPARSER(pfkey_prop_parse);
-DEFINEPARSER(pfkey_supported_parse);
-DEFINEPARSER(pfkey_spirange_parse);
-DEFINEPARSER(pfkey_x_kmprivate_parse);
-DEFINEPARSER(pfkey_x_satype_parse);
-DEFINEPARSER(pfkey_x_ext_debug_parse);
-DEFINEPARSER(pfkey_x_ext_protocol_parse);
-DEFINEPARSER(pfkey_x_ext_nat_t_type_parse);
-DEFINEPARSER(pfkey_x_ext_nat_t_port_parse);
-
-struct pf_key_ext_parsers_def *ext_default_parsers[]=
-{
-	NULL,                 /* pfkey_msg_parse, */
-	&pfkey_sa_parse_def,
-	&pfkey_lifetime_parse_def,
-	&pfkey_lifetime_parse_def,
-	&pfkey_lifetime_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_key_parse_def,
-	&pfkey_key_parse_def,
-	&pfkey_ident_parse_def,
-	&pfkey_ident_parse_def,
-	&pfkey_sens_parse_def,
-	&pfkey_prop_parse_def,
-	&pfkey_supported_parse_def,
-	&pfkey_supported_parse_def,
-	&pfkey_spirange_parse_def,
-	&pfkey_x_kmprivate_parse_def,
-	&pfkey_x_satype_parse_def,
-	&pfkey_sa_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_address_parse_def,
-	&pfkey_x_ext_debug_parse_def,
-	&pfkey_x_ext_protocol_parse_def	,
-	&pfkey_x_ext_nat_t_type_parse_def,
-	&pfkey_x_ext_nat_t_port_parse_def,
-	&pfkey_x_ext_nat_t_port_parse_def,
-	&pfkey_address_parse_def
-};
-
-int
-pfkey_msg_parse(struct sadb_msg *pfkey_msg,
-		struct pf_key_ext_parsers_def *ext_parsers[],
-		struct sadb_ext *extensions[],
-		int dir)
-{
-	int error = 0;
-	int remain;
-	struct sadb_ext *pfkey_ext;
-	int extensions_seen = 0;
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-		  "pfkey_msg_parse: "
-		  "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
-		  pfkey_msg->sadb_msg_version,
-		  pfkey_msg->sadb_msg_type,
-		  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
-		  pfkey_msg->sadb_msg_errno,
-		  pfkey_msg->sadb_msg_satype,
-		  satype2name(pfkey_msg->sadb_msg_satype),
-		  pfkey_msg->sadb_msg_len,
-		  pfkey_msg->sadb_msg_reserved,
-		  pfkey_msg->sadb_msg_seq,
-		  pfkey_msg->sadb_msg_pid);
-
-	if(ext_parsers == NULL) ext_parsers = ext_default_parsers;
-
-	pfkey_extensions_init(extensions);
-
-	remain = pfkey_msg->sadb_msg_len;
-	remain -= sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
-
-	pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg +
-				       sizeof(struct sadb_msg));
-
-	extensions[0] = (struct sadb_ext *) pfkey_msg;
-
-
-	if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_msg_parse: "
-			"not PF_KEY_V2 msg, found %d, should be %d.\n",
-			pfkey_msg->sadb_msg_version,
-			PF_KEY_V2);
-		SENDERR(EINVAL);
-	}
-
-	if(!pfkey_msg->sadb_msg_type) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_msg_parse: "
-			"msg type not set, must be non-zero..\n");
-		SENDERR(EINVAL);
-	}
-
-	if(pfkey_msg->sadb_msg_type > SADB_MAX) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_msg_parse: "
-			"msg type=%d > max=%d.\n",
-			pfkey_msg->sadb_msg_type,
-			SADB_MAX);
-		SENDERR(EINVAL);
-	}
-
-	switch(pfkey_msg->sadb_msg_type) {
-	case SADB_GETSPI:
-	case SADB_UPDATE:
-	case SADB_ADD:
-	case SADB_DELETE:
-	case SADB_GET:
-	case SADB_X_GRPSA:
-	case SADB_X_ADDFLOW:
-		if(!satype2proto(pfkey_msg->sadb_msg_satype)) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				  "pfkey_msg_parse: "
-				  "satype %d conversion to proto failed for msg_type %d (%s).\n",
-				  pfkey_msg->sadb_msg_satype,
-				  pfkey_msg->sadb_msg_type,
-				  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
-			SENDERR(EINVAL);
-		} else {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				  "pfkey_msg_parse: "
-				  "satype %d(%s) conversion to proto gives %d for msg_type %d(%s).\n",
-				  pfkey_msg->sadb_msg_satype,
-				  satype2name(pfkey_msg->sadb_msg_satype),
-				  satype2proto(pfkey_msg->sadb_msg_satype),
-				  pfkey_msg->sadb_msg_type,
-				  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
-		}
-		/* fall through */
-	case SADB_ACQUIRE:
-	case SADB_REGISTER:
-	case SADB_EXPIRE:
-		if(!pfkey_msg->sadb_msg_satype) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				  "pfkey_msg_parse: "
-				  "satype is zero, must be non-zero for msg_type %d(%s).\n",
-				  pfkey_msg->sadb_msg_type,
-				  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
-			SENDERR(EINVAL);
-		}
-	default:
-		break;
-	}
-
-	/* errno must not be set in downward messages */
-	/* this is not entirely true... a response to an ACQUIRE could return an error */
-	if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			    "pfkey_msg_parse: "
-			    "errno set to %d.\n",
-			    pfkey_msg->sadb_msg_errno);
-		SENDERR(EINVAL);
-	}
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		  "pfkey_msg_parse: "
-		  "remain=%d, ext_type=%d(%s), ext_len=%d.\n",
-		  remain,
-		  pfkey_ext->sadb_ext_type,
-		  pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-		  pfkey_ext->sadb_ext_len);
-
-	DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-		"pfkey_msg_parse: "
-		"extensions permitted=%08x, required=%08x.\n",
-		extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
-		extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
-
-	extensions_seen = 1;
-
-	while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
-		/* Is there enough message left to support another extension header? */
-		if(remain < pfkey_ext->sadb_ext_len) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"remain %d less than ext len %d.\n",
-				remain, pfkey_ext->sadb_ext_len);
-			SENDERR(EINVAL);
-		}
-
-		DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-			"pfkey_msg_parse: "
-			"parsing ext type=%d(%s) remain=%d.\n",
-			pfkey_ext->sadb_ext_type,
-			pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-			remain);
-
-		/* Is the extension header type valid? */
-		if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n",
-				pfkey_ext->sadb_ext_type,
-				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-				SADB_EXT_MAX);
-			SENDERR(EINVAL);
-		}
-
-		/* Have we already seen this type of extension? */
-		if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
-		{
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"ext type %d(%s) already seen.\n",
-				pfkey_ext->sadb_ext_type,
-				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
-			SENDERR(EINVAL);
-		}
-
-		/* Do I even know about this type of extension? */
-		if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"ext type %d(%s) unknown, ignoring.\n",
-				pfkey_ext->sadb_ext_type,
-				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
-			goto next_ext;
-		}
-
-		/* Is this type of extension permitted for this type of message? */
-		if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] &
-		     1<<pfkey_ext->sadb_ext_type)) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n",
-				pfkey_ext->sadb_ext_type,
-				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-				extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
-				1<<pfkey_ext->sadb_ext_type);
-			SENDERR(EINVAL);
-		}
-
-		DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-			  "pfkey_msg_parse: "
-			  "remain=%d ext_type=%d(%s) ext_len=%d parsing ext 0p%p with parser %s.\n",
-			  remain,
-			  pfkey_ext->sadb_ext_type,
-			  pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-			  pfkey_ext->sadb_ext_len,
-			  pfkey_ext,
-			  ext_parsers[pfkey_ext->sadb_ext_type]->parser_name);
-
-		/* Parse the extension */
-		if((error =
-		    (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"extension parsing for type %d(%s) failed with error %d.\n",
-				pfkey_ext->sadb_ext_type,
-				pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-				error);
-			SENDERR(-error);
-		}
-		DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
-			"pfkey_msg_parse: "
-			"Extension %d(%s) parsed.\n",
-			pfkey_ext->sadb_ext_type,
-			pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
-
-		/* Mark that we have seen this extension and remember the header location */
-		extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type );
-		extensions[pfkey_ext->sadb_ext_type] = pfkey_ext;
-
-	next_ext:
-		/* Calculate how much message remains */
-		remain -= pfkey_ext->sadb_ext_len;
-
-		if(!remain) {
-			break;
-		}
-		/* Find the next extension header */
-		pfkey_ext = (struct sadb_ext*)((char*)pfkey_ext +
-			pfkey_ext->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
-	}
-
-	if(remain) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_msg_parse: "
-			"unexpected remainder of %d.\n",
-			remain);
-		/* why is there still something remaining? */
-		SENDERR(EINVAL);
-	}
-
-	/* check required extensions */
-	DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
-		"pfkey_msg_parse: "
-		"extensions permitted=%08x, seen=%08x, required=%08x.\n",
-		extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
-		extensions_seen,
-		extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
-
-	/* don't check further if it is an error return message since it
-	   may not have a body */
-	if(pfkey_msg->sadb_msg_errno) {
-		SENDERR(-error);
-	}
-
-	if((extensions_seen &
-	    extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) !=
-	   extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_msg_parse: "
-			"required extensions missing:%08x.\n",
-			extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] -
-			(extensions_seen &
-			 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]));
-		SENDERR(EINVAL);
-	}
-
-	if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
-	   && ((extensions_seen	& SADB_X_EXT_ADDRESS_DELFLOW)
-	       != SADB_X_EXT_ADDRESS_DELFLOW)
-	   && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA))
-	   || ((((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags
-		& SADB_X_SAFLAGS_CLEARFLOW)
-	       != SADB_X_SAFLAGS_CLEARFLOW))) {
-		DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-			"pfkey_msg_parse: "
-			"required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n",
-			SADB_X_EXT_ADDRESS_DELFLOW
-			- (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW),
-			(1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
-		SENDERR(EINVAL);
-	}
-
-	switch(pfkey_msg->sadb_msg_type) {
-	case SADB_ADD:
-	case SADB_UPDATE:
-		/* check maturity */
-		if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state !=
-		   SADB_SASTATE_MATURE) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"state=%d for add or update should be MATURE=%d.\n",
-				((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
-				SADB_SASTATE_MATURE);
-			SENDERR(EINVAL);
-		}
-
-		/* check AH and ESP */
-		switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) {
-		case SADB_SATYPE_AH:
-			if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
-			     ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth !=
-			     SADB_AALG_NONE)) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_msg_parse: "
-					"auth alg is zero, must be non-zero for AH SAs.\n");
-				SENDERR(EINVAL);
-			}
-			if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt !=
-			   SADB_EALG_NONE) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_msg_parse: "
-					"AH handed encalg=%d, must be zero.\n",
-					((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt);
-				SENDERR(EINVAL);
-			}
-			break;
-		case SADB_SATYPE_ESP:
-			if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
-			     ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
-			     SADB_EALG_NONE)) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_msg_parse: "
-					"encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n",
-					((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
-					((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
-				SENDERR(EINVAL);
-			}
-			if((((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt ==
-			    SADB_EALG_NULL) &&
-			   (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth ==
-			    SADB_AALG_NONE) ) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_msg_parse: "
-					"ESP handed encNULL+authNONE, illegal combination.\n");
-				SENDERR(EINVAL);
-			}
-			break;
-		case SADB_X_SATYPE_COMP:
-			if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
-			     ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
-			     SADB_EALG_NONE)) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_msg_parse: "
-					"encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n",
-					((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
-					((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
-				SENDERR(EINVAL);
-			}
-			if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth !=
-			   SADB_AALG_NONE) {
-				DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-					"pfkey_msg_parse: "
-					"COMP handed auth=%d, must be zero.\n",
-					((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth);
-				SENDERR(EINVAL);
-			}
-			break;
-		default:
-			break;
-		}
-		if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) {
-			DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-				"pfkey_msg_parse: "
-				"spi=%08x must be > 255.\n",
-				ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
-			SENDERR(EINVAL);
-		}
-	default:
-		break;
-	}
-errlab:
-
-	return error;
-}
diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
deleted file mode 100644
index 725997ebc..000000000
--- a/src/libfreeswan/pfkeyv2.h
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
-RFC 2367               PF_KEY Key Management API               July 1998
-
-
-Appendix D: Sample Header File
-
-This file defines structures and symbols for the PF_KEY Version 2
-key management interface. It was written at the U.S. Naval Research
-Laboratory. This file is in the public domain. The authors ask that
-you leave this credit intact on any copies of this file.
-*/
-#ifndef __PFKEY_V2_H
-#define __PFKEY_V2_H 1
-
-#define PF_KEY_V2 2
-#define PFKEYV2_REVISION        199806L
-
-#define SADB_RESERVED             0
-#define SADB_GETSPI               1
-#define SADB_UPDATE               2
-#define SADB_ADD                  3
-#define SADB_DELETE               4
-#define SADB_GET                  5
-#define SADB_ACQUIRE              6
-#define SADB_REGISTER             7
-#define SADB_EXPIRE               8
-#define SADB_FLUSH                9
-#define SADB_DUMP                10
-#define SADB_X_PROMISC           11
-#define SADB_X_PCHANGE           12
-#define SADB_X_GRPSA             13
-#define SADB_X_ADDFLOW           14
-#define SADB_X_DELFLOW           15
-#define SADB_X_DEBUG             16
-#define SADB_X_NAT_T_NEW_MAPPING 17
-#define SADB_MAX                 17
-
-struct sadb_msg {
-  uint8_t sadb_msg_version;
-  uint8_t sadb_msg_type;
-  uint8_t sadb_msg_errno;
-  uint8_t sadb_msg_satype;
-  uint16_t sadb_msg_len;
-  uint16_t sadb_msg_reserved;
-  uint32_t sadb_msg_seq;
-  uint32_t sadb_msg_pid;
-};
-
-struct sadb_ext {
-  uint16_t sadb_ext_len;
-  uint16_t sadb_ext_type;
-};
-
-struct sadb_sa {
-  uint16_t sadb_sa_len;
-  uint16_t sadb_sa_exttype;
-  uint32_t sadb_sa_spi;
-  uint8_t sadb_sa_replay;
-  uint8_t sadb_sa_state;
-  uint8_t sadb_sa_auth;
-  uint8_t sadb_sa_encrypt;
-  uint32_t sadb_sa_flags;
-  uint32_t /*IPsecSAref_t*/ sadb_x_sa_ref; /* 32 bits */
-  uint8_t sadb_x_reserved[4];
-};
-
-struct sadb_sa_v1 {
-  uint16_t sadb_sa_len;
-  uint16_t sadb_sa_exttype;
-  uint32_t sadb_sa_spi;
-  uint8_t sadb_sa_replay;
-  uint8_t sadb_sa_state;
-  uint8_t sadb_sa_auth;
-  uint8_t sadb_sa_encrypt;
-  uint32_t sadb_sa_flags;
-};
-
-struct sadb_lifetime {
-  uint16_t sadb_lifetime_len;
-  uint16_t sadb_lifetime_exttype;
-  uint32_t sadb_lifetime_allocations;
-  uint64_t sadb_lifetime_bytes;
-  uint64_t sadb_lifetime_addtime;
-  uint64_t sadb_lifetime_usetime;
-  uint32_t sadb_x_lifetime_packets;
-  uint32_t sadb_x_lifetime_reserved;
-};
-
-struct sadb_address {
-  uint16_t sadb_address_len;
-  uint16_t sadb_address_exttype;
-  uint8_t sadb_address_proto;
-  uint8_t sadb_address_prefixlen;
-  uint16_t sadb_address_reserved;
-};
-
-struct sadb_key {
-  uint16_t sadb_key_len;
-  uint16_t sadb_key_exttype;
-  uint16_t sadb_key_bits;
-  uint16_t sadb_key_reserved;
-};
-
-struct sadb_ident {
-  uint16_t sadb_ident_len;
-  uint16_t sadb_ident_exttype;
-  uint16_t sadb_ident_type;
-  uint16_t sadb_ident_reserved;
-  uint64_t sadb_ident_id;
-};
-
-struct sadb_sens {
-  uint16_t sadb_sens_len;
-  uint16_t sadb_sens_exttype;
-  uint32_t sadb_sens_dpd;
-  uint8_t sadb_sens_sens_level;
-  uint8_t sadb_sens_sens_len;
-  uint8_t sadb_sens_integ_level;
-  uint8_t sadb_sens_integ_len;
-  uint32_t sadb_sens_reserved;
-};
-
-struct sadb_prop {
-  uint16_t sadb_prop_len;
-  uint16_t sadb_prop_exttype;
-  uint8_t sadb_prop_replay;
-  uint8_t sadb_prop_reserved[3];
-};
-
-struct sadb_comb {
-  uint8_t sadb_comb_auth;
-  uint8_t sadb_comb_encrypt;
-  uint16_t sadb_comb_flags;
-  uint16_t sadb_comb_auth_minbits;
-  uint16_t sadb_comb_auth_maxbits;
-  uint16_t sadb_comb_encrypt_minbits;
-  uint16_t sadb_comb_encrypt_maxbits;
-  uint32_t sadb_comb_reserved;
-  uint32_t sadb_comb_soft_allocations;
-  uint32_t sadb_comb_hard_allocations;
-  uint64_t sadb_comb_soft_bytes;
-  uint64_t sadb_comb_hard_bytes;
-  uint64_t sadb_comb_soft_addtime;
-  uint64_t sadb_comb_hard_addtime;
-  uint64_t sadb_comb_soft_usetime;
-  uint64_t sadb_comb_hard_usetime;
-  uint32_t sadb_x_comb_soft_packets;
-  uint32_t sadb_x_comb_hard_packets;
-};
-
-struct sadb_supported {
-  uint16_t sadb_supported_len;
-  uint16_t sadb_supported_exttype;
-  uint32_t sadb_supported_reserved;
-};
-
-struct sadb_alg {
-  uint8_t sadb_alg_id;
-  uint8_t sadb_alg_ivlen;
-  uint16_t sadb_alg_minbits;
-  uint16_t sadb_alg_maxbits;
-  uint16_t sadb_alg_reserved;
-};
-
-struct sadb_spirange {
-  uint16_t sadb_spirange_len;
-  uint16_t sadb_spirange_exttype;
-  uint32_t sadb_spirange_min;
-  uint32_t sadb_spirange_max;
-  uint32_t sadb_spirange_reserved;
-};
-
-struct sadb_x_kmprivate {
-  uint16_t sadb_x_kmprivate_len;
-  uint16_t sadb_x_kmprivate_exttype;
-  uint32_t sadb_x_kmprivate_reserved;
-};
-
-struct sadb_x_satype {
-  uint16_t sadb_x_satype_len;
-  uint16_t sadb_x_satype_exttype;
-  uint8_t sadb_x_satype_satype;
-  uint8_t sadb_x_satype_reserved[3];
-};
-
-struct sadb_x_policy {
-  uint16_t sadb_x_policy_len;
-  uint16_t sadb_x_policy_exttype;
-  uint16_t sadb_x_policy_type;
-  uint8_t sadb_x_policy_dir;
-  uint8_t sadb_x_policy_reserved;
-  uint32_t sadb_x_policy_id;
-  uint32_t sadb_x_policy_reserved2;
-};
-
-struct sadb_x_debug {
-  uint16_t sadb_x_debug_len;
-  uint16_t sadb_x_debug_exttype;
-  uint32_t sadb_x_debug_tunnel;
-  uint32_t sadb_x_debug_netlink;
-  uint32_t sadb_x_debug_xform;
-  uint32_t sadb_x_debug_eroute;
-  uint32_t sadb_x_debug_spi;
-  uint32_t sadb_x_debug_radij;
-  uint32_t sadb_x_debug_esp;
-  uint32_t sadb_x_debug_ah;
-  uint32_t sadb_x_debug_rcv;
-  uint32_t sadb_x_debug_pfkey;
-  uint32_t sadb_x_debug_ipcomp;
-  uint32_t sadb_x_debug_verbose;
-  uint8_t sadb_x_debug_reserved[4];
-};
-
-struct sadb_x_nat_t_type {
-  uint16_t sadb_x_nat_t_type_len;
-  uint16_t sadb_x_nat_t_type_exttype;
-  uint8_t sadb_x_nat_t_type_type;
-  uint8_t sadb_x_nat_t_type_reserved[3];
-};
-struct sadb_x_nat_t_port {
-  uint16_t sadb_x_nat_t_port_len;
-  uint16_t sadb_x_nat_t_port_exttype;
-  uint16_t sadb_x_nat_t_port_port;
-  uint16_t sadb_x_nat_t_port_reserved;
-};
-
-/*
- * A protocol structure for passing through the transport level
- * protocol.  It contains more fields than are actually used/needed
- * but it is this way to be compatible with the structure used in
- * OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
- */
-struct sadb_protocol {
-  uint16_t sadb_protocol_len;
-  uint16_t sadb_protocol_exttype;
-  uint8_t  sadb_protocol_proto;
-  uint8_t  sadb_protocol_direction;
-  uint8_t  sadb_protocol_flags;
-  uint8_t  sadb_protocol_reserved2;
-};
-
-#define SADB_EXT_RESERVED             0
-#define SADB_EXT_SA                   1
-#define SADB_EXT_LIFETIME_CURRENT     2
-#define SADB_EXT_LIFETIME_HARD        3
-#define SADB_EXT_LIFETIME_SOFT        4
-#define SADB_EXT_ADDRESS_SRC          5
-#define SADB_EXT_ADDRESS_DST          6
-#define SADB_EXT_ADDRESS_PROXY        7
-#define SADB_EXT_KEY_AUTH             8
-#define SADB_EXT_KEY_ENCRYPT          9
-#define SADB_EXT_IDENTITY_SRC         10
-#define SADB_EXT_IDENTITY_DST         11
-#define SADB_EXT_SENSITIVITY          12
-#define SADB_EXT_PROPOSAL             13
-#define SADB_EXT_SUPPORTED_AUTH       14
-#define SADB_EXT_SUPPORTED_ENCRYPT    15
-#define SADB_EXT_SPIRANGE             16
-#define SADB_X_EXT_KMPRIVATE          17
-#define SADB_X_EXT_SATYPE2            18
-#ifdef KERNEL26_HAS_KAME_DUPLICATES
-#define SADB_X_EXT_POLICY             18
-#endif
-#define SADB_X_EXT_SA2                19
-#define SADB_X_EXT_ADDRESS_DST2       20
-#define SADB_X_EXT_ADDRESS_SRC_FLOW   21
-#define SADB_X_EXT_ADDRESS_DST_FLOW   22
-#define SADB_X_EXT_ADDRESS_SRC_MASK   23
-#define SADB_X_EXT_ADDRESS_DST_MASK   24
-#define SADB_X_EXT_DEBUG              25
-#define SADB_X_EXT_PROTOCOL           26
-#define SADB_X_EXT_NAT_T_TYPE         27
-#define SADB_X_EXT_NAT_T_SPORT        28
-#define SADB_X_EXT_NAT_T_DPORT        29
-#define SADB_X_EXT_NAT_T_OA           30
-#define SADB_EXT_MAX                  30
-
-/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
-#define SADB_X_EXT_ADDRESS_DELFLOW \
-	( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
-	| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
-	| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
-	| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
-
-#define SADB_SATYPE_UNSPEC    0
-#define SADB_SATYPE_AH        2
-#define SADB_SATYPE_ESP       3
-#define SADB_SATYPE_RSVP      5
-#define SADB_SATYPE_OSPFV2    6
-#define SADB_SATYPE_RIPV2     7
-#define SADB_SATYPE_MIP       8
-#define SADB_X_SATYPE_IPIP    9
-#ifdef KERNEL26_HAS_KAME_DUPLICATES
-#define SADB_X_SATYPE_IPCOMP  9   /* ICK! */
-#endif
-#define SADB_X_SATYPE_COMP    10
-#define SADB_X_SATYPE_INT     11
-#define SADB_SATYPE_MAX       11
-
-#define SADB_SASTATE_LARVAL   0
-#define SADB_SASTATE_MATURE   1
-#define SADB_SASTATE_DYING    2
-#define SADB_SASTATE_DEAD     3
-#define SADB_SASTATE_MAX      3
-
-#define SADB_SAFLAGS_PFS			1
-#define SADB_X_SAFLAGS_REPLACEFLOW	2
-#define SADB_X_SAFLAGS_CLEARFLOW	4
-#define SADB_X_SAFLAGS_INFLOW		8
-
-/* Authentication algorithms */
-#define SADB_AALG_NONE				0
-#define SADB_AALG_MD5HMAC			2
-#define SADB_AALG_SHA1HMAC			3
-#define SADB_X_AALG_SHA2_256HMAC	5
-#define SADB_X_AALG_SHA2_384HMAC	6
-#define SADB_X_AALG_SHA2_512HMAC	7
-#define SADB_X_AALG_RIPEMD160HMAC	8
-#define SADB_X_AALG_AES_XCBC_MAC	9
-#define SADB_X_AALG_NULL			251	/* kame */
-#define SADB_X_AALG_SHA2_256_96HMAC	252
-#define SADB_AALG_MAX				252
-
-/* Encryption algorithms */
-#define SADB_EALG_NONE				0
-#define SADB_EALG_DESCBC			2
-#define SADB_EALG_3DESCBC			3
-#define SADB_X_EALG_CASTCBC			6
-#define SADB_X_EALG_BLOWFISHCBC		7
-#define SADB_EALG_NULL				11
-#define SADB_X_EALG_AESCBC			12
-#define SADB_X_EALG_AESCTR			13
-#define SADB_X_EALG_AES_CCM_ICV8	14
-#define SADB_X_EALG_AES_CCM_ICV12	15
-#define SADB_X_EALG_AES_CCM_ICV16	16
-#define SADB_X_EALG_AES_GCM_ICV8	18
-#define SADB_X_EALG_AES_GCM_ICV12	19
-#define SADB_X_EALG_AES_GCM_ICV16	20
-#define SADB_X_EALG_CAMELLIACBC		22
-#define SADB_X_EALG_NULL_AES_GMAC	23
-#define SADB_EALG_MAX			253 /* last EALG */
-/* private allocations should use 249-255 (RFC2407) */
-#define SADB_X_EALG_SERPENTCBC  252     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
-#define SADB_X_EALG_TWOFISHCBC  253     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
-
-/* Compression algorithms */
-#define SADB_X_CALG_NONE		0
-#define SADB_X_CALG_OUI			1
-#define SADB_X_CALG_DEFLATE		2
-#define SADB_X_CALG_LZS			3
-#define SADB_X_CALG_LZJH		4
-#define SADB_X_CALG_MAX			4
-
-#define SADB_X_TALG_NONE          0
-#define SADB_X_TALG_IPv4_in_IPv4  1
-#define SADB_X_TALG_IPv6_in_IPv4  2
-#define SADB_X_TALG_IPv4_in_IPv6  3
-#define SADB_X_TALG_IPv6_in_IPv6  4
-#define SADB_X_TALG_MAX           4
-
-/* Identity Extension values */
-#define SADB_IDENTTYPE_RESERVED	0
-#define SADB_IDENTTYPE_PREFIX	1
-#define SADB_IDENTTYPE_FQDN	2
-#define SADB_IDENTTYPE_USERFQDN	3
-#define SADB_IDENTTYPE_MAX	3
-
-#endif /* __PFKEY_V2_H */
diff --git a/src/libfreeswan/portof.3 b/src/libfreeswan/portof.3
deleted file mode 100644
index 112def560..000000000
--- a/src/libfreeswan/portof.3
+++ /dev/null
@@ -1,69 +0,0 @@
-.TH IPSEC_PORTOF 3 "8 Sept 2000"
-.SH NAME
-ipsec portof \- get port field of an ip_address
-.br
-ipsec setportof \- set port field of an ip_address
-.br
-ipsec sockaddrof \- get pointer to internal sockaddr of an ip_address
-.br
-ipsec sockaddrlenof \- get length of internal sockaddr of an ip_address
-.SH SYNOPSIS
-.B "#include <freeswan.h>"
-.sp
-.B "int portof(const ip_address *src);"
-.br
-.B "void setportof(int port, ip_address *dst);"
-.br
-.B "struct sockaddr *sockaddrof(ip_address *src);"
-.br
-.B "size_t sockaddrlenof(const ip_address *src);"
-.SH DESCRIPTION
-The
-.B <freeswan.h>
-internal type
-.I ip_address
-contains one of the
-.I sockaddr
-types internally.
-\fIReliance on this feature is discouraged\fR,
-but it may occasionally be necessary.
-These functions provide low-level tools for this purpose.
-.PP
-.I Portof
-and
-.I setportof
-respectively read and write the port-number field of the internal
-.IR sockaddr .
-The values are in network byte order.
-.PP
-.I Sockaddrof
-returns a pointer to the internal
-.IR sockaddr ,
-for passing to other functions.
-.PP
-.I Sockaddrlenof
-reports the size of the internal
-.IR sockaddr ,
-for use in storage allocation.
-.SH SEE ALSO
-inet(3), ipsec_initaddr(3)
-.SH DIAGNOSTICS
-.I Portof
-returns
-.BR \-1 ,
-.I sockaddrof
-returns
-.BR NULL ,
-and
-.I sockaddrlenof
-returns
-.B 0
-if an unknown address family is found within the
-.IR ip_address .
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-These functions all depend on low-level details of the
-.I ip_address
-type, which are in principle subject to change.
-Avoid using them unless really necessary.
diff --git a/src/libfreeswan/portof.c b/src/libfreeswan/portof.c
deleted file mode 100644
index c44b839f3..000000000
--- a/src/libfreeswan/portof.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * low-level ip_address ugliness
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - portof - get the port field of an ip_address
- */
-int				/* network order */
-portof(src)
-const ip_address *src;
-{
-	switch (src->u.v4.sin_family) {
-	case AF_INET:
-		return src->u.v4.sin_port;
-		break;
-	case AF_INET6:
-		return src->u.v6.sin6_port;
-		break;
-	default:
-		return -1;	/* "can't happen" */
-		break;
-	}
-}
-
-/*
- - setportof - set the port field of an ip_address
- */
-void
-setportof(port, dst)
-int port;			/* network order */
-ip_address *dst;
-{
-	switch (dst->u.v4.sin_family) {
-	case AF_INET:
-		dst->u.v4.sin_port = port;
-		break;
-	case AF_INET6:
-		dst->u.v6.sin6_port = port;
-		break;
-	}
-}
-
-/*
- - sockaddrof - get a pointer to the sockaddr hiding inside an ip_address
- */
-struct sockaddr *
-sockaddrof(src)
-ip_address *src;
-{
-	switch (src->u.v4.sin_family) {
-	case AF_INET:
-		return (struct sockaddr *)&src->u.v4;
-		break;
-	case AF_INET6:
-		return (struct sockaddr *)&src->u.v6;
-		break;
-	default:
-		return NULL;	/* "can't happen" */
-		break;
-	}
-}
-
-/*
- - sockaddrlenof - get length of the sockaddr hiding inside an ip_address
- */
-size_t				/* 0 for error */
-sockaddrlenof(src)
-const ip_address *src;
-{
-	switch (src->u.v4.sin_family) {
-	case AF_INET:
-		return sizeof(src->u.v4);
-		break;
-	case AF_INET6:
-		return sizeof(src->u.v6);
-		break;
-	default:
-		return 0;
-		break;
-	}
-}
diff --git a/src/libfreeswan/rangetoa.c b/src/libfreeswan/rangetoa.c
deleted file mode 100644
index 704558248..000000000
--- a/src/libfreeswan/rangetoa.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * convert binary form of address range to ASCII
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - rangetoa - convert address range to ASCII
- */
-size_t				/* space needed for full conversion */
-rangetoa(addrs, format, dst, dstlen)
-struct in_addr addrs[2];
-int format;			/* character */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	size_t len;
-	size_t rest;
-	int n;
-	char *p;
-
-	switch (format) {
-	case 0:
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	len = addrtoa(addrs[0], 0, dst, dstlen);
-	if (len < dstlen)
-		for (p = dst + len - 1, n = 3; len < dstlen && n > 0;
-								p++, len++, n--)
-			*p = '.';
-	else
-		p = NULL;
-	if (len < dstlen)
-		rest = dstlen - len;
-	else {
-		if (dstlen > 0)
-			*(dst + dstlen - 1) = '\0';
-		rest = 0;
-	}
-
-	len += addrtoa(addrs[1], 0, p, rest);
-
-	return len;
-}
diff --git a/src/libfreeswan/rangetosubnet.3 b/src/libfreeswan/rangetosubnet.3
deleted file mode 100644
index 100b42bd9..000000000
--- a/src/libfreeswan/rangetosubnet.3
+++ /dev/null
@@ -1,58 +0,0 @@
-.TH IPSEC_RANGETOSUBNET 3 "8 Sept 2000"
-.SH NAME
-ipsec rangetosubnet \- convert address range to subnet
-.SH SYNOPSIS
-.B "#include <freeswan.h>"
-.sp
-.B "const char *rangetosubnet(const ip_address *start,"
-.ti +1c
-.B "const ip_address *stop, ip_subnet *dst);"
-.SH DESCRIPTION
-.I Rangetosubnet
-accepts two IP addresses which define an address range,
-from
-.I start
-to
-.I stop
-inclusive,
-and converts this to a subnet if possible.
-The addresses must both be IPv4 or both be IPv6,
-and the address family of the resulting subnet is the same.
-.PP
-.I Rangetosubnet
-returns NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.SH SEE ALSO
-ipsec_initsubnet(3), ipsec_ttosubnet(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I rangetosubnet
-are:
-mixed address families;
-unknown address family;
-.I start
-and
-.I stop
-do not define a subnet.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The restriction of error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The error-reporting convention lends itself
-to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = rangetosubnet( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/rangetosubnet.c b/src/libfreeswan/rangetosubnet.c
deleted file mode 100644
index 2a989300e..000000000
--- a/src/libfreeswan/rangetosubnet.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * express an address range as a subnet (if possible)
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - rangetosubnet - turn an address range into a subnet, if possible
- *
- * A range which is a valid subnet will have a network part which is the
- * same in the from value and the to value, followed by a host part which
- * is all 0 in the from value and all 1 in the to value.
- */
-err_t
-rangetosubnet(from, to, dst)
-const ip_address *from;
-const ip_address *to;
-ip_subnet *dst;
-{
-	unsigned const char *fp;
-	unsigned const char *tp;
-	unsigned fb;
-	unsigned tb;
-	unsigned const char *f;
-	unsigned const char *t;
-	size_t n;
-	size_t n2;
-	int i;
-	int nnet;
-	unsigned m;
-
-	if (addrtypeof(from) != addrtypeof(to))
-		return "mismatched address types";
-	n = addrbytesptr(from, &fp);
-	if (n == 0)
-		return "unknown address type";
-	n2 = addrbytesptr(to, &tp);
-	if (n != n2)
-		return "internal size mismatch in rangetosubnet";
-
-	f = fp;
-	t = tp;
-	nnet = 0;
-	for (i = n; i > 0 && *f == *t; i--, f++, t++)
-		nnet += 8;
-	if (i > 0 && !(*f == 0x00 && *t == 0xff)) {	/* mid-byte bdry. */
-		fb = *f++;
-		tb = *t++;
-		i--;
-		m = 0x80;
-		while ((fb&m) == (tb&m)) {
-			fb &= ~m;
-			tb |= m;
-			m >>= 1;
-			nnet++;
-		}
-		if (fb != 0x00 || tb != 0xff)
-			return "not a valid subnet";
-	}
-	for (; i > 0 && *f == 0x00 && *t == 0xff; i--, f++, t++)
-		continue;
-
-	if (i != 0)
-		return "invalid subnet";
-
-	return initsubnet(from, nnet, 'x', dst);
-}
-
-
-
-#ifdef RANGETOSUBNET_MAIN
-
-#include <stdio.h>
-
-void regress(void);
-
-int
-main(int argc, char *argv[])
-{
-	ip_address start;
-	ip_address stop;
-	ip_subnet sub;
-	char buf[100];
-	const char *oops;
-	size_t n;
-	int af;
-	int i;
-
-	if (argc == 2 && strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-
-	if (argc < 3) {
-		fprintf(stderr, "Usage: %s [-6] start stop\n", argv[0]);
-		fprintf(stderr, "   or: %s -r\n", argv[0]);
-		exit(2);
-	}
-
-	af = AF_INET;
-	i = 1;
-	if (strcmp(argv[i], "-6") == 0) {
-		af = AF_INET6;
-		i++;
-	}
-
-	oops = ttoaddr(argv[i], 0, af, &start);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: start conversion failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	oops = ttoaddr(argv[i+1], 0, af, &stop);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: stop conversion failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	oops = rangetosubnet(&start, &stop, &sub);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: rangetosubnet failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	n = subnettot(&sub, 0, buf, sizeof(buf));
-	if (n > sizeof(buf)) {
-		fprintf(stderr, "%s: reverse conversion", argv[0]);
-		fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
-						(long)n, (long)sizeof(buf));
-		exit(1);
-	}
-	printf("%s\n", buf);
-
-	exit(0);
-}
-
-struct rtab {
-	int family;
-	char *start;
-	char *stop;
-	char *output;			/* NULL means error expected */
-} rtab[] = {
-	{4, "1.2.3.0",		"1.2.3.255",		"1.2.3.0/24"},
-	{4, "1.2.3.0",		"1.2.3.7",		"1.2.3.0/29"},
-	{4, "1.2.3.240",	"1.2.3.255",		"1.2.3.240/28"},
-	{4, "0.0.0.0",		"255.255.255.255",	"0.0.0.0/0"},
-	{4, "1.2.3.4",		"1.2.3.4",		"1.2.3.4/32"},
-	{4, "1.2.3.0",		"1.2.3.254",		NULL},
-	{4, "1.2.3.0",		"1.2.3.126",		NULL},
-	{4, "1.2.3.0",		"1.2.3.125",		NULL},
-	{4, "1.2.0.0",		"1.2.255.255",		"1.2.0.0/16"},
-	{4, "1.2.0.0",		"1.2.0.255",		"1.2.0.0/24"},
-	{4, "1.2.255.0",		"1.2.255.255",	"1.2.255.0/24"},
-	{4, "1.2.255.0",		"1.2.254.255",	NULL},
-	{4, "1.2.255.1",		"1.2.255.255",	NULL},
-	{4, "1.2.0.1",		"1.2.255.255",		NULL},
-	{6, "1:2:3:4:5:6:7:0",	"1:2:3:4:5:6:7:ffff",	"1:2:3:4:5:6:7:0/112"},
-	{6, "1:2:3:4:5:6:7:0",	"1:2:3:4:5:6:7:fff",	"1:2:3:4:5:6:7:0/116"},
-	{6, "1:2:3:4:5:6:7:f0",	"1:2:3:4:5:6:7:ff",	"1:2:3:4:5:6:7:f0/124"},
-	{4, NULL,		NULL,			NULL},
-};
-
-void
-regress()
-{
-	struct rtab *r;
-	int status = 0;
-	ip_address start;
-	ip_address stop;
-	ip_subnet sub;
-	char buf[100];
-	const char *oops;
-	size_t n;
-	int af;
-
-	for (r = rtab; r->start != NULL; r++) {
-		af = (r->family == 4) ? AF_INET : AF_INET6;
-		oops = ttoaddr(r->start, 0, af, &start);
-		if (oops != NULL) {
-			printf("surprise failure converting `%s'\n", r->start);
-			exit(1);
-		}
-		oops = ttoaddr(r->stop, 0, af, &stop);
-		if (oops != NULL) {
-			printf("surprise failure converting `%s'\n", r->stop);
-			exit(1);
-		}
-		oops = rangetosubnet(&start, &stop, &sub);
-		if (oops != NULL && r->output == NULL)
-			{}		/* okay, error expected */
-		else if (oops != NULL) {
-			printf("`%s'-`%s' rangetosubnet failed: %s\n",
-						r->start, r->stop, oops);
-			status = 1;
-		} else if (r->output == NULL) {
-			printf("`%s'-`%s' rangetosubnet succeeded unexpectedly\n",
-							r->start, r->stop);
-			status = 1;
-		} else {
-			n = subnettot(&sub, 0, buf, sizeof(buf));
-			if (n > sizeof(buf)) {
-				printf("`%s'-`%s' subnettot failed:  need %ld\n",
-						r->start, r->stop, (long)n);
-				status = 1;
-			} else if (strcmp(r->output, buf) != 0) {
-				printf("`%s'-`%s' gave `%s', expected `%s'\n",
-					r->start, r->stop, buf, r->output);
-				status = 1;
-			}
-		}
-	}
-	exit(status);
-}
-
-#endif /* RANGETOSUBNET_MAIN */
diff --git a/src/libfreeswan/sameaddr.3 b/src/libfreeswan/sameaddr.3
deleted file mode 100644
index 62886bf1a..000000000
--- a/src/libfreeswan/sameaddr.3
+++ /dev/null
@@ -1,164 +0,0 @@
-.TH IPSEC_ANYADDR 3 "28 Nov 2000"
-.SH NAME
-ipsec sameaddr \- are two addresses the same?
-.br
-ipsec addrcmp \- ordered comparison of addresses
-.br
-ipsec samesubnet \- are two subnets the same?
-.br
-ipsec addrinsubnet \- is an address within a subnet?
-.br
-ipsec subnetinsubnet \- is a subnet within another subnet?
-.br
-ipsec subnetishost \- is a subnet a single host?
-.br
-ipsec samesaid \- are two SA IDs the same?
-.br
-ipsec sameaddrtype \- are two addresses of the same address family?
-.br
-ipsec samesubnettype \- are two subnets of the same address family?
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "int sameaddr(const ip_address *a, const ip_address *b);"
-.br
-.B "int addrcmp(const ip_address *a, const ip_address *b);"
-.br
-.B "int samesubnet(const ip_subnet *a, const ip_subnet *b);"
-.br
-.B "int addrinsubnet(const ip_address *a, const ip_subnet *s);"
-.br
-.B "int subnetinsubnet(const ip_subnet *a, const ip_subnet *b);"
-.br
-.B "int subnetishost(const ip_subnet *s);"
-.br
-.B "int samesaid(const ip_said *a, const ip_said *b);"
-.br
-.B "int sameaddrtype(const ip_address *a, const ip_address *b);"
-.br
-.B "int samesubnettype(const ip_subnet *a, const ip_subnet *b);"
-.SH DESCRIPTION
-These functions do various comparisons and tests on the
-.I ip_address
-type and
-.I ip_subnet
-types.
-.PP
-.I Sameaddr
-returns
-non-zero
-if addresses
-.I a
-and
-.IR b
-are identical,
-and
-.B 0
-otherwise.
-Addresses of different families are never identical.
-.PP
-.I Addrcmp
-returns
-.BR \-1 ,
-.BR 0 ,
-or
-.BR 1
-respectively
-if address
-.I a
-is less than, equal to, or greater than
-.IR b .
-If they are not of the same address family,
-they are never equal;
-the ordering reported in this case is arbitrary
-(and probably not useful) but consistent.
-.PP
-.I Samesubnet
-returns
-non-zero
-if subnets
-.I a
-and
-.IR b
-are identical,
-and
-.B 0
-otherwise.
-Subnets of different address families are never identical.
-.PP
-.I Addrinsubnet
-returns
-non-zero
-if address
-.I a
-is within subnet
-.IR s
-and
-.B 0
-otherwise.
-An address is never within a
-subnet of a different address family.
-.PP
-.I Subnetinsubnet
-returns
-non-zero
-if subnet
-.I a
-is a subset of subnet
-.IR b
-and
-.B 0
-otherwise.
-A subnet is deemed to be a subset of itself.
-A subnet is never a subset of another
-subnet if their address families differ.
-.PP
-.I Subnetishost
-returns
-non-zero
-if subnet
-.I s
-is in fact only a single host,
-and
-.B 0
-otherwise.
-.PP
-.I Samesaid
-returns
-non-zero
-if SA IDs
-.I a
-and
-.IR b
-are identical,
-and
-.B 0
-otherwise.
-.PP
-.I Sameaddrtype
-returns
-non-zero
-if addresses
-.I a
-and
-.IR b
-are of the same address family,
-and
-.B 0
-otherwise.
-.PP
-.I Samesubnettype
-returns
-non-zero
-if subnets
-.I a
-and
-.IR b
-are of the same address family,
-and
-.B 0
-otherwise.
-.SH SEE ALSO
-inet(3), ipsec_initaddr(3)
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
diff --git a/src/libfreeswan/sameaddr.c b/src/libfreeswan/sameaddr.c
deleted file mode 100644
index 47daaa4ee..000000000
--- a/src/libfreeswan/sameaddr.c
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * comparisons
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-static int samenbits(const ip_address *a, const ip_address *b, int n);
-
-/*
- - addrcmp - compare two addresses
- * Caution, the order of the tests is subtle:  doing type test before
- * size test can yield cases where a<b, b<c, but a>c.
- */
-int				/* like memcmp */
-addrcmp(a, b)
-const ip_address *a;
-const ip_address *b;
-{
-	int at = addrtypeof(a);
-	int bt = addrtypeof(b);
-	const unsigned char *ap;
-	const unsigned char *bp;
-	size_t as = addrbytesptr(a, &ap);
-	size_t bs = addrbytesptr(b, &bp);
-	size_t n = (as < bs) ? as : bs;		/* min(as, bs) */
-	int c = memcmp(ap, bp, n);
-
-	if (c != 0)		/* bytes differ */
-		return (c < 0) ? -1 : 1;
-	if (as != bs)		/* comparison incomplete:  lexical order */
-		return (as < bs) ? -1 : 1;
-	if (at != bt)		/* bytes same but not same type:  break tie */
-		return (at < bt) ? -1 : 1;
-	return 0;
-}
-
-/*
- - sameaddr - are two addresses the same?
- */
-int
-sameaddr(a, b)
-const ip_address *a;
-const ip_address *b;
-{
-	return (addrcmp(a, b) == 0) ? 1 : 0;
-}
-
-/*
- - samesubnet - are two subnets the same?
- */
-int
-samesubnet(a, b)
-const ip_subnet *a;
-const ip_subnet *b;
-{
-	if (!sameaddr(&a->addr, &b->addr))	/* also does type check */
-		return 0;
-	if (a->maskbits != b->maskbits)
-		return 0;
-	return 1;
-}
-
-/*
- - subnetishost - is a subnet in fact a single host?
- */
-int
-subnetishost(a)
-const ip_subnet *a;
-{
-	return (a->maskbits == addrlenof(&a->addr)*8) ? 1 : 0;
-}
-
-/*
- - samesaid - are two SA IDs the same?
- */
-int
-samesaid(a, b)
-const ip_said *a;
-const ip_said *b;
-{
-	if (a->spi != b->spi)	/* test first, most likely to be different */
-		return 0;
-	if (!sameaddr(&a->dst, &b->dst))
-		return 0;
-	if (a->proto != b->proto)
-		return 0;
-	return 1;
-}
-
-/*
- - sameaddrtype - do two addresses have the same type?
- */
-int
-sameaddrtype(a, b)
-const ip_address *a;
-const ip_address *b;
-{
-	return (addrtypeof(a) == addrtypeof(b)) ? 1 : 0;
-}
-
-/*
- - samesubnettype - do two subnets have the same type?
- */
-int
-samesubnettype(a, b)
-const ip_subnet *a;
-const ip_subnet *b;
-{
-	return (subnettypeof(a) == subnettypeof(b)) ? 1 : 0;
-}
-
-/*
- - addrinsubnet - is this address in this subnet?
- */
-int
-addrinsubnet(a, s)
-const ip_address *a;
-const ip_subnet *s;
-{
-	if (addrtypeof(a) != subnettypeof(s))
-		return 0;
-	if (!samenbits(a, &s->addr, s->maskbits))
-		return 0;
-	return 1;
-}
-
-/*
- - subnetinsubnet - is one subnet within another?
- */
-int
-subnetinsubnet(a, b)
-const ip_subnet *a;
-const ip_subnet *b;
-{
-	if (subnettypeof(a) != subnettypeof(b))
-		return 0;
-	if (a->maskbits < b->maskbits)	/* a is bigger than b */
-		return 0;
-	if (!samenbits(&a->addr, &b->addr, b->maskbits))
-		return 0;
-	return 1;
-}
-
-/*
- - samenbits - do two addresses have the same first n bits?
- */
-static int
-samenbits(a, b, nbits)
-const ip_address *a;
-const ip_address *b;
-int nbits;
-{
-	const unsigned char *ap;
-	const unsigned char *bp;
-	size_t n;
-	int m;
-
-	if (addrtypeof(a) != addrtypeof(b))
-		return 0;	/* arbitrary */
-	n = addrbytesptr(a, &ap);
-	if (n == 0)
-		return 0;	/* arbitrary */
-	(void) addrbytesptr(b, &bp);
-	if (nbits > n*8)
-		return 0;	/* "can't happen" */
-
-	for (; nbits >= 8 && *ap == *bp; nbits -= 8, ap++, bp++)
-		continue;
-	if (nbits >= 8)
-		return 0;
-	if (nbits > 0) {	/* partial byte */
-		m = ~(0xff >> nbits);
-		if ((*ap & m) != (*bp & m))
-			return 0;
-	}
-	return 1;
-}
diff --git a/src/libfreeswan/satot.c b/src/libfreeswan/satot.c
deleted file mode 100644
index a3feb1591..000000000
--- a/src/libfreeswan/satot.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * convert from binary form of SA ID to text
- * Copyright (C) 2000, 2001  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-static struct typename {
-	char type;
-	char *name;
-} typenames[] = {
-	{ SA_AH,	"ah" },
-	{ SA_ESP,	"esp" },
-	{ SA_IPIP,	"tun" },
-	{ SA_COMP,	"comp" },
-	{ SA_INT,	"int" },
-	{ 0,		NULL }
-};
-
-/*
- - satot - convert SA to text "ah507@1.2.3.4"
- */
-size_t				/* space needed for full conversion */
-satot(sa, format, dst, dstlen)
-const ip_said *sa;
-int format;			/* character */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	size_t len = 0;		/* 0 means "not recognized yet" */
-	int base;
-	int showversion;	/* use delimiter to show IP version? */
-	struct typename *tn;
-	char *p;
-	char *pre;
-	char buf[10+1+ULTOT_BUF+ADDRTOT_BUF];
-	char unk[10];
-
-	switch (format) {
-	case 0:
-		base = 16;
-		showversion = 1;
-		break;
-	case 'f':
-		base = 17;
-		showversion = 1;
-		break;
-	case 'x':
-		base = 'x';
-		showversion = 0;
-		break;
-	case 'd':
-		base = 10;
-		showversion = 0;
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	pre = NULL;
-	for (tn = typenames; tn->name != NULL; tn++)
-		if (sa->proto == tn->type) {
-			pre = tn->name;
-			break;			/* NOTE BREAK OUT */
-		}
-	if (pre == NULL) {		/* unknown protocol */
-		strncpy(unk, "unk", sizeof(unk));
-		(void) ultot((unsigned char)sa->proto, 10, unk+strlen(unk),
-						sizeof(unk)-strlen(unk));
-		pre = unk;
-	}
-
-	if (strcmp(pre, PASSTHROUGHTYPE) == 0 &&
-					sa->spi == PASSTHROUGHSPI &&
-					isunspecaddr(&sa->dst)) {
-		strncpy(buf, (addrtypeof(&sa->dst) == AF_INET) ?
-							PASSTHROUGH4NAME :
-							PASSTHROUGH6NAME, sizeof(buf));
-		len = strlen(buf);
-	}
-
-	if (sa->proto == SA_INT && addrtypeof(&sa->dst) == AF_INET &&
-						isunspecaddr(&sa->dst)) {
-		switch (ntohl(sa->spi)) {
-		case SPI_PASS:	p = "%pass";	break;
-		case SPI_DROP:	p = "%drop";	break;
-		case SPI_REJECT:	p = "%reject";	break;
-		case SPI_HOLD:	p = "%hold";	break;
-		case SPI_TRAP:	p = "%trap";	break;
-		case SPI_TRAPSUBNET:	p = "%trapsubnet";	break;
-		default:	p = NULL;	break;
-		}
-		if (p != NULL) {
-			strncpy(buf, p, sizeof(buf));
-			len = strlen(buf);
-		}
-	}
-
-	if (len == 0) {			/* general case needed */
-		strncpy(buf, pre, sizeof(buf));
-		len = strlen(buf);
-		if (showversion) {
-			*(buf+len) = (addrtypeof(&sa->dst) == AF_INET) ? '.' :
-									':';
-			len++;
-			*(buf+len) = '\0';
-		}
-		len += ultot(ntohl(sa->spi), base, buf+len, sizeof(buf)-len);
-		*(buf+len-1) = '@';
-		len += addrtot(&sa->dst, 0, buf+len, sizeof(buf)-len);
-	}
-
-	if (dst != NULL) {
-		if (len > dstlen)
-			*(buf+dstlen-1) = '\0';
-		strncpy(dst, buf, dstlen);
-	}
-	return len;
-}
diff --git a/src/libfreeswan/subnetof.3 b/src/libfreeswan/subnetof.3
deleted file mode 100644
index aacc76d2c..000000000
--- a/src/libfreeswan/subnetof.3
+++ /dev/null
@@ -1,46 +0,0 @@
-.TH IPSEC_SUBNETOF 3 "11 June 2001"
-.SH NAME
-ipsec subnetof \- given Internet address and subnet mask, return subnet number
-.br
-ipsec hostof \- given Internet address and subnet mask, return host part
-.br
-ipsec broadcastof \- given Internet address and subnet mask, return broadcast address
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "struct in_addr subnetof(struct in_addr addr,"
-.ti +1c
-.B "struct in_addr mask);"
-.br
-.B "struct in_addr hostof(struct in_addr addr,"
-.ti +1c
-.B "struct in_addr mask);"
-.br
-.B "struct in_addr broadcastof(struct in_addr addr,"
-.ti +1c
-.B "struct in_addr mask);"
-.SH DESCRIPTION
-These functions are obsolete; see
-.IR ipsec_networkof (3)
-for their replacements.
-.PP
-.I Subnetof
-takes an Internet
-.I address
-and a subnet
-.I mask
-and returns the network part of the address
-(all in network byte order).
-.I Hostof
-similarly returns the host part, and
-.I broadcastof
-returns the broadcast address (all-1s convention) for the network.
-.PP
-These functions are provided to hide the Internet bit-munging inside
-an API, in hopes of easing the eventual transition to IPv6.
-.SH SEE ALSO
-inet(3), ipsec_atosubnet(3)
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-Calling functions for this is more costly than doing it yourself.
diff --git a/src/libfreeswan/subnetof.c b/src/libfreeswan/subnetof.c
deleted file mode 100644
index ec9b8ec7d..000000000
--- a/src/libfreeswan/subnetof.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * minor network-address manipulation utilities
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - subnetof - given address and mask, return subnet part
- */
-struct in_addr
-subnetof(addr, mask)
-struct in_addr addr;
-struct in_addr mask;
-{
-	struct in_addr result;
-
-	result.s_addr = addr.s_addr & mask.s_addr;
-	return result;
-}
-
-/*
- - hostof - given address and mask, return host part
- */
-struct in_addr
-hostof(addr, mask)
-struct in_addr addr;
-struct in_addr mask;
-{
-	struct in_addr result;
-
-	result.s_addr = addr.s_addr & ~mask.s_addr;
-	return result;
-}
-
-/*
- - broadcastof - given (network) address and mask, return broadcast address
- */
-struct in_addr
-broadcastof(addr, mask)
-struct in_addr addr;
-struct in_addr mask;
-{
-	struct in_addr result;
-
-	result.s_addr = addr.s_addr | ~mask.s_addr;
-	return result;
-}
diff --git a/src/libfreeswan/subnettoa.c b/src/libfreeswan/subnettoa.c
deleted file mode 100644
index 694fa40da..000000000
--- a/src/libfreeswan/subnettoa.c
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * convert binary form of subnet description to ASCII
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - subnettoa - convert address and mask to ASCII "addr/mask"
- * Output expresses the mask as a bit count if possible, else dotted decimal.
- */
-size_t				/* space needed for full conversion */
-subnettoa(addr, mask, format, dst, dstlen)
-struct in_addr addr;
-struct in_addr mask;
-int format;			/* character */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	size_t len;
-	size_t rest;
-	int n;
-	char *p;
-
-	switch (format) {
-	case 0:
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	len = addrtoa(addr, 0, dst, dstlen);
-	if (len < dstlen) {
-		dst[len - 1] = '/';
-		p = dst + len;
-		rest = dstlen - len;
-	} else {
-		p = NULL;
-		rest = 0;
-	}
-
-	n = masktobits(mask);
-	if (n >= 0)
-		len += ultoa((unsigned long)n, 10, p, rest);
-	else
-		len += addrtoa(mask, 0, p, rest);
-
-	return len;
-}
diff --git a/src/libfreeswan/subnettot.c b/src/libfreeswan/subnettot.c
deleted file mode 100644
index 64d511ba2..000000000
--- a/src/libfreeswan/subnettot.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * convert binary form of subnet description to text
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - subnettot - convert subnet to text "addr/bitcount"
- */
-size_t				/* space needed for full conversion */
-subnettot(sub, format, dst, dstlen)
-const ip_subnet *sub;
-int format;			/* character */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	size_t len;
-	size_t rest;
-	char *p;
-
-	switch (format) {
-	case 0:
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	len = addrtot(&sub->addr, format, dst, dstlen);
-	if (len < dstlen) {
-		dst[len - 1] = '/';
-		p = dst + len;
-		rest = dstlen - len;
-	} else {
-		p = NULL;
-		rest = 0;
-	}
-
-
-	len += ultoa((unsigned long)sub->maskbits, 10, p, rest);
-
-	return len;
-}
diff --git a/src/libfreeswan/subnettypeof.c b/src/libfreeswan/subnettypeof.c
deleted file mode 100644
index 96c283c04..000000000
--- a/src/libfreeswan/subnettypeof.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * extract parts of an ip_subnet, and related
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - subnettypeof - get the address type of an ip_subnet
- */
-int
-subnettypeof(src)
-const ip_subnet *src;
-{
-	return src->addr.u.v4.sin_family;
-}
-
-/*
- - networkof - get the network address of a subnet
- */
-void
-networkof(src, dst)
-const ip_subnet *src;
-ip_address *dst;
-{
-	*dst = src->addr;
-}
-
-/*
- - maskof - get the mask of a subnet, as an address
- */
-void
-maskof(src, dst)
-const ip_subnet *src;
-ip_address *dst;
-{
-	int b;
-	unsigned char buf[16];
-	size_t n = addrlenof(&src->addr);
-	unsigned char *p;
-
-	if (src->maskbits > n*8 || n > sizeof(buf))
-		return;		/* "can't happen" */
-
-	p = buf;
-	for (b = src->maskbits; b >= 8; b -= 8)
-		*p++ = 0xff;
-	if (b != 0)
-		*p++ = (0xff << (8 - b)) & 0xff;
-	while (p - buf < n)
-		*p++ = 0;
-
-	(void) initaddr(buf, n, addrtypeof(&src->addr), dst);
-}
-
-/*
- - masktocount - convert a mask, expressed as an address, to a bit count
- */
-int				/* -1 if not valid mask */
-masktocount(src)
-const ip_address *src;
-{
-	int b;
-	unsigned const char *bp;
-	size_t n;
-	unsigned const char *p;
-	unsigned const char *stop;
-
-	n = addrbytesptr(src, &bp);
-	if (n == 0)
-		return -1;
-
-	p = bp;
-	stop = bp + n;
-
-	n = 0;
-	while (p < stop && *p == 0xff) {
-		p++;
-		n += 8;
-	}
-	if (p < stop && *p != 0) {	/* boundary in mid-byte */
-		b = *p++;
-		while (b&0x80) {
-			b <<= 1;
-			n++;
-		}
-		if ((b&0xff) != 0)
-			return -1;	/* bits not contiguous */
-	}
-	while (p < stop && *p == 0)
-		p++;
-
-	if (p != stop)
-		return -1;
-
-	return n;
-}
diff --git a/src/libfreeswan/ttoaddr.3 b/src/libfreeswan/ttoaddr.3
deleted file mode 100644
index d43d2b16f..000000000
--- a/src/libfreeswan/ttoaddr.3
+++ /dev/null
@@ -1,374 +0,0 @@
-.TH IPSEC_TTOADDR 3 "28 Sept 2001"
-.SH NAME
-ipsec ttoaddr, tnatoaddr, addrtot \- convert Internet addresses to and from text
-.br
-ipsec ttosubnet, subnettot \- convert subnet/mask text form to and from addresses
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *ttoaddr(const char *src, size_t srclen,"
-.ti +1c
-.B "int af, ip_address *addr);"
-.br
-.B "const char *tnatoaddr(const char *src, size_t srclen,"
-.ti +1c
-.B "int af, ip_address *addr);"
-.br
-.B "size_t addrtot(const ip_address *addr, int format,"
-.ti +1c
-.B "char *dst, size_t dstlen);"
-.sp
-.B "const char *ttosubnet(const char *src, size_t srclen,"
-.ti +1c
-.B "int af, ip_subnet *dst);"
-.br
-.B "size_t subnettot(const ip_subnet *sub, int format,"
-.ti +1c
-.B "char *dst, size_t dstlen);"
-.SH DESCRIPTION
-.I Ttoaddr
-converts a text-string name or numeric address into a binary address
-(in network byte order).
-.I Tnatoaddr
-does the same conversion,
-but the only text forms it accepts are
-the ``official'' forms of
-numeric address (dotted-decimal for IPv4, colon-hex for IPv6).
-.I Addrtot
-does the reverse conversion, from binary address back to a text form.
-.I Ttosubnet
-and
-.I subnettot
-do likewise for the ``address/mask'' form used to write a
-specification of a subnet.
-.PP
-An IPv4 address is specified in text as a
-dotted-decimal address (e.g.
-.BR 1.2.3.4 ),
-an eight-digit network-order hexadecimal number with the usual C prefix (e.g.
-.BR 0x01020304 ,
-which is synonymous with
-.BR 1.2.3.4 ),
-an eight-digit host-order hexadecimal number with a
-.B 0h
-prefix (e.g.
-.BR 0h01020304 ,
-which is synonymous with
-.B 1.2.3.4
-on a big-endian host and
-.B 4.3.2.1
-on a little-endian host),
-a DNS name to be looked up via
-.IR getaddrinfo (3),
-or an old-style network name to be looked up via
-.IR getnetbyname (3).
-.PP
-A dotted-decimal address may be incomplete, in which case
-text-to-binary conversion implicitly appends
-as many instances of
-.B .0
-as necessary to bring it up to four components.
-The components of a dotted-decimal address are always taken as
-decimal, and leading zeros are ignored.
-For example,
-.B 10
-is synonymous with
-.BR 10.0.0.0 ,
-and
-.B 128.009.000.032
-is synonymous with
-.BR 128.9.0.32
-(the latter example is verbatim from RFC 1166).
-The result of applying
-.I addrtot
-to an IPv4 address is always complete and does not contain leading zeros.
-.PP
-Use of hexadecimal addresses is
-.B strongly
-.BR discouraged ;
-they are included only to save hassles when dealing with
-the handful of perverted programs which already print 
-network addresses in hexadecimal.
-.PP
-An IPv6 address is specified in text with
-colon-hex notation (e.g.
-.BR 0:56:78ab:22:33:44:55:66 ),
-colon-hex with
-.B ::
-abbreviating at most one subsequence of multiple zeros (e.g.
-.BR 99:ab::54:068 ,
-which is synonymous with
-.BR 99:ab:0:0:0:0:54:68 ),
-or a DNS name to be looked up via
-.IR getaddrinfo (3).
-The result of applying
-.I addrtot
-to an IPv6 address will use
-.B ::
-abbreviation if possible,
-and will not contain leading zeros.
-.PP
-The letters in hexadecimal
-may be uppercase or lowercase or any mixture thereof.
-.PP
-DNS names may be complete (optionally terminated with a ``.'')
-or incomplete, and are looked up as specified by local system configuration
-(see
-.IR resolver (5)).
-The first value returned by
-.IR getaddrinfo (3)
-is used,
-so with current DNS implementations,
-the result when the name corresponds to more than one address is
-difficult to predict.
-IPv4 name lookup resorts to
-.IR getnetbyname (3)
-only if
-.IR getaddrinfo (3)
-fails.
-.PP
-A subnet specification is of the form \fInetwork\fB/\fImask\fR.
-The
-.I network
-and
-.I mask
-can be any form acceptable to
-.IR ttoaddr .
-In addition, and preferably, the
-.I mask
-can be a decimal integer (leading zeros ignored) giving a bit count,
-in which case
-it stands for a mask with that number of high bits on and all others off
-(e.g.,
-.B 24
-in IPv4 means
-.BR 255.255.255.0 ).
-In any case, the mask must be contiguous
-(a sequence of high bits on and all remaining low bits off).
-As a special case, the subnet specification
-.B %default
-is a synonym for
-.B 0.0.0.0/0
-or
-.B ::/0
-in IPv4 or IPv6 respectively.
-.PP
-.I Ttosubnet
-ANDs the mask with the address before returning,
-so that any non-network bits in the address are turned off
-(e.g.,
-.B 10.1.2.3/24
-is synonymous with
-.BR 10.1.2.0/24 ).
-.I Subnettot
-always generates the decimal-integer-bit-count
-form of the mask,
-with no leading zeros.
-.PP
-The
-.I srclen
-parameter of
-.I ttoaddr
-and
-.I ttosubnet
-specifies the length of the text string pointed to by
-.IR src ;
-it is an error for there to be anything else
-(e.g., a terminating NUL) within that length.
-As a convenience for cases where an entire NUL-terminated string is
-to be converted,
-a
-.I srclen
-value of
-.B 0
-is taken to mean
-.BR strlen(src) .
-.PP
-The
-.I af
-parameter of
-.I ttoaddr
-and
-.I ttosubnet
-specifies the address family of interest.
-It should be either
-.B AF_INET
-or
-.BR AF_INET6 .
-.PP
-The
-.I dstlen
-parameter of
-.I addrtot
-and
-.I subnettot
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-The
-.I freeswan.h
-header file defines constants,
-.B ADDRTOT_BUF
-and
-.BR SUBNETTOT_BUF ,
-which are the sizes of buffers just large enough for worst-case results.
-.PP
-The
-.I format
-parameter of
-.I addrtot
-and
-.I subnettot
-specifies what format is to be used for the conversion.
-The value
-.B 0
-(not the character
-.BR '0' ,
-but a zero value)
-specifies a reasonable default,
-and is in fact the only format currently available in
-.IR subnettot .
-.I Addrtot
-also accepts format values
-.B 'r'
-(signifying a text form suitable for DNS reverse lookups,
-e.g.
-.B 4.3.2.1.IN-ADDR.ARPA.
-for IPv4 and
-RFC 2874 format for IPv6),
-and
-.B 'R'
-(signifying an alternate reverse-lookup form,
-an error for IPv4 and RFC 1886 format for IPv6).
-Reverse-lookup names always end with a ``.''.
-.PP
-The text-to-binary functions return NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-The binary-to-text functions return
-.B 0
-for a failure, and otherwise
-always return the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL;
-it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred.
-.SH SEE ALSO
-inet(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I ttoaddr
-are:
-empty input;
-unknown address family;
-attempt to allocate temporary storage for a very long name failed;
-name lookup failed;
-syntax error in dotted-decimal or colon-hex form;
-dotted-decimal or colon-hex component too large.
-.PP
-Fatal errors in
-.I ttosubnet
-are:
-no
-.B /
-in
-.IR src ;
-.I ttoaddr
-error in conversion of
-.I network
-or
-.IR mask ;
-bit-count mask too big;
-mask non-contiguous.
-.PP
-Fatal errors in
-.I addrtot
-and
-.I subnettot
-are:
-unknown format.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The interpretation of incomplete dotted-decimal addresses
-(e.g.
-.B 10/24
-means
-.BR 10.0.0.0/24 )
-differs from that of some older conversion
-functions, e.g. those of
-.IR inet (3).
-The behavior of the older functions has never been
-particularly consistent or particularly useful.
-.PP
-Ignoring leading zeros in dotted-decimal components and bit counts
-is arguably the most useful behavior in this application,
-but it might occasionally cause confusion with the historical use of leading 
-zeros to denote octal numbers.
-.PP
-.I Ttoaddr
-does not support the mixed colon-hex-dotted-decimal
-convention used to embed an IPv4 address in an IPv6 address.
-.PP
-.I Addrtot
-always uses the
-.B ::
-abbreviation (which can appear only once in an address) for the
-.I first
-sequence of multiple zeros in an IPv6 address.
-One can construct addresses (unlikely ones) in which this is suboptimal.
-.PP
-.I Addrtot
-.B 'r'
-conversion of an IPv6 address uses lowercase hexadecimal,
-not the uppercase used in RFC 2874's examples.
-It takes careful reading of RFCs 2874, 2673, and 2234 to realize
-that lowercase is technically legitimate here,
-and there may be software which botches this
-and hence would have trouble with lowercase hex.
-.PP
-Possibly
-.I subnettot
-ought to recognize the
-.B %default
-case and generate that string as its output.
-Currently it doesn't.
-.PP
-It is barely possible that somebody, somewhere,
-might have a legitimate use for non-contiguous subnet masks.
-.PP
-.IR Getnetbyname (3)
-is a historical dreg.
-.PP
-.I Tnatoaddr
-probably should enforce completeness of dotted-decimal addresses.
-.PP
-The restriction of text-to-binary error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The text-to-binary error-reporting convention lends itself
-to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = ttoaddr( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c
deleted file mode 100644
index 234c9d8e7..000000000
--- a/src/libfreeswan/ttoaddr.c
+++ /dev/null
@@ -1,471 +0,0 @@
-/*
- * conversion from text forms of addresses to internal ones
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- * Legal ASCII characters in a domain name.  Underscore technically is not,
- * but is a common misunderstanding.  Non-ASCII characters are simply
- * exempted from checking at the moment, to allow for UTF-8 encoded stuff;
- * the purpose of this check is merely to catch blatant errors.
- */
-static const char namechars[] = "abcdefghijklmnopqrstuvwxyz0123456789"
-				"ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
-#define	ISASCII(c)	(((c) & 0x80) == 0)
-
-static err_t tryname(const char *, size_t, int, int, ip_address *);
-static err_t tryhex(const char *, size_t, int, ip_address *);
-static err_t trydotted(const char *, size_t, ip_address *);
-static err_t getbyte(const char **, const char *, int *);
-static err_t colon(const char *, size_t, ip_address *);
-static err_t getpiece(const char **, const char *, unsigned *);
-
-/*
- - ttoaddr - convert text name or dotted-decimal address to binary address
- */
-err_t				/* NULL for success, else string literal */
-ttoaddr(src, srclen, af, dst)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-int af;				/* address family */
-ip_address *dst;
-{
-	err_t oops;
-#	define	HEXLEN	10	/* strlen("0x11223344") */
-	int nultermd;
-
-	if (srclen == 0) {
-		srclen = strlen(src);
-		if (srclen == 0)
-			return "empty string";
-		nultermd = 1;
-	} else
-		nultermd = 0;	/* at least, not *known* to be terminated */
-
-	switch (af) {
-	case AF_INET:
-	case AF_INET6:
-	case 0:                  /* guess */
-		break;
-
-	default:
-		return "invalid address family";
-	}
-
-	if (af == AF_INET && srclen == HEXLEN && *src == '0') {
-		if (*(src+1) == 'x' || *(src+1) == 'X')
-			return tryhex(src+2, srclen-2, 'x', dst);
-		if (*(src+1) == 'h' || *(src+1) == 'H')
-			return tryhex(src+2, srclen-2, 'h', dst);
-	}
-
-	if (memchr(src, ':', srclen) != NULL) {
-	    if(af == 0)
-	    {
-		af = AF_INET6;
-	    }
-
-		if (af != AF_INET6)
-			return "non-ipv6 address may not contain `:'";
-		return colon(src, srclen, dst);
-	}
-
-	if (af == 0 || af == AF_INET) {
-		oops = trydotted(src, srclen, dst);
-		if (oops == NULL)
-			return NULL;		/* it worked */
-		if (*oops != '?')
-			return oops;		/* probably meant as d-d */
-	}
-
-	return tryname(src, srclen, nultermd, af, dst);
-}
-
-/*
- - tnatoaddr - convert text numeric address (only) to binary address
- */
-err_t				/* NULL for success, else string literal */
-tnatoaddr(src, srclen, af, dst)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-int af;				/* address family */
-ip_address *dst;
-{
-	err_t oops;
-
-	if (srclen == 0) {
-		srclen = strlen(src);
-		if (srclen == 0)
-			return "empty string";
-	}
-
-	switch (af) {
-	case 0:  /* guess */
-	        oops = colon(src, srclen, dst);
-		if(oops == NULL)
-		{
-		    return NULL;
-		}
-		oops = trydotted(src, srclen, dst);
-		if(oops == NULL)
-		{
-		    return NULL;
-		}
-		return "does not appear to be either IPv4 or IPv6 numeric address";
-		break;
-
-	case AF_INET6:
-		return colon(src, srclen, dst);
-		break;
-	case AF_INET:
-		oops = trydotted(src, srclen, dst);
-		if (oops == NULL)
-			return NULL;		/* it worked */
-		if (*oops != '?')
-			return oops;		/* probably meant as d-d */
-		return "does not appear to be numeric address";
-		break;
-	default:
-		return "unknown address family in tnatoaddr";
-		break;
-	}
-}
-
-/*
- - tryname - try it as a name
- * Slightly complicated by lack of reliable NUL termination in source.
- */
-static err_t
-tryname(src, srclen, nultermd, af, dst)
-const char *src;
-size_t srclen;
-int nultermd;			/* is it known to be NUL-terminated? */
-int af;
-ip_address *dst;
-{
-	struct addrinfo hints, *res;
-	struct netent *ne = NULL;
-	char namebuf[100];	/* enough for most DNS names */
-	const char *cp;
-	char *p = namebuf;
-	unsigned char *addr = NULL;
-	size_t n;
-	int error;
-	err_t err = NULL;
-
-	for (cp = src, n = srclen; n > 0; cp++, n--)
-		if (ISASCII(*cp) && strchr(namechars, *cp) == NULL)
-			return "illegal (non-DNS-name) character in name";
-
-	if (nultermd)
-		cp = src;
-	else {
-		if (srclen+1 > sizeof(namebuf)) {
-			p = (char *) MALLOC(srclen+1);
-			if (p == NULL)
-				return "unable to get temporary space for name";
-		}
-		p[0] = '\0';	/* strncpy semantics are wrong */
-		strncat(p, src, srclen);
-		cp = (const char *)p;
-	}
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = af;
-	error = getaddrinfo(cp, NULL, &hints, &res);
-	if (error != 0)
-	{	/* getaddrinfo failed, try getnetbyname */
-		if (af == AF_INET)
-		{
-			ne = getnetbyname(cp);
-			if (ne != NULL)
-			{
-				ne->n_net = htonl(ne->n_net);
-				addr = (unsigned char*)&ne->n_net;
-				err = initaddr(addr, sizeof(ne->n_net), af, dst);
-			}
-		}
-	}
-	else
-	{
-		struct addrinfo *r = res;
-		while (r)
-		{
-			size_t addr_len;
-			switch (r->ai_family)
-			{
-				case AF_INET:
-				{
-					struct sockaddr_in *in = (struct sockaddr_in*)r->ai_addr;
-					addr_len = 4;
-					addr = (unsigned char*)&in->sin_addr.s_addr;
-					break;
-				}
-				case AF_INET6:
-				{
-					struct sockaddr_in6 *in6 = (struct sockaddr_in6*)r->ai_addr;
-					addr_len = 16;
-					addr = (unsigned char*)&in6->sin6_addr.s6_addr;
-					break;
-				}
-				default:
-				{	/* unknown family, try next result */
-					r = r->ai_next;
-					continue;
-				}
-			}
-			err = initaddr(addr, addr_len, r->ai_family, dst);
-			break;
-		}
-		freeaddrinfo(res);
-	}
-
-	if (p != namebuf)
-	{
-		FREE(p);
-	}
-
-	if (addr == NULL)
-	{
-		return "does not look numeric and name lookup failed";
-	}
-
-	return err;
-}
-
-/*
- - tryhex - try conversion as an eight-digit hex number (AF_INET only)
- */
-static err_t
-tryhex(src, srclen, flavor, dst)
-const char *src;
-size_t srclen;			/* should be 8 */
-int flavor;			/* 'x' for network order, 'h' for host order */
-ip_address *dst;
-{
-	err_t oops;
-	unsigned long ul;
-	union {
-		uint32_t addr;
-		unsigned char buf[4];
-	} u;
-
-	if (srclen != 8)
-		return "internal error, tryhex called with bad length";
-
-	oops = ttoul(src, srclen, 16, &ul);
-	if (oops != NULL)
-		return oops;
-
-	u.addr = (flavor == 'h') ? ul : htonl(ul);
-	return initaddr(u.buf, sizeof(u.buf), AF_INET, dst);
-}
-
-/*
- - trydotted - try conversion as dotted decimal (AF_INET only)
- *
- * If the first char of a complaint is '?', that means "didn't look like
- * dotted decimal at all".
- */
-static err_t
-trydotted(src, srclen, dst)
-const char *src;
-size_t srclen;
-ip_address *dst;
-{
-	const char *stop = src + srclen;	/* just past end */
-	int byte;
-	err_t oops;
-#	define	NBYTES	4
-	unsigned char buf[NBYTES];
-	int i;
-
-	memset(buf, 0, sizeof(buf));
-	for (i = 0; i < NBYTES && src < stop; i++) {
-		oops = getbyte(&src, stop, &byte);
-		if (oops != NULL) {
-			if (*oops != '?')
-				return oops;	/* bad number */
-			if (i > 1)
-				return oops+1;	/* failed number */
-			return oops;		/* with leading '?' */
-		}
-		buf[i] = byte;
-		if (i < 3 && src < stop && *src++ != '.') {
-			if (i == 0)
-				return "?syntax error in dotted-decimal address";
-			else
-				return "syntax error in dotted-decimal address";
-		}
-	}
-	if (src != stop)
-		return "extra garbage on end of dotted-decimal address";
-
-	return initaddr(buf, sizeof(buf), AF_INET, dst);
-}
-
-/*
- - getbyte - try to scan a byte in dotted decimal
- * A subtlety here is that all this arithmetic on ASCII digits really is
- * highly portable -- ANSI C guarantees that digits 0-9 are contiguous.
- * It's easier to just do it ourselves than set up for a call to ttoul().
- *
- * If the first char of a complaint is '?', that means "didn't look like a
- * number at all".
- */
-err_t
-getbyte(srcp, stop, retp)
-const char **srcp;		/* *srcp is updated */
-const char *stop;		/* first untouchable char */
-int *retp;			/* return-value pointer */
-{
-	char c;
-	const char *p;
-	int no;
-
-	if (*srcp >= stop)
-		return "?empty number in dotted-decimal address";
-
-	no = 0;
-	p = *srcp;
-	while (p < stop && no <= 255 && (c = *p) >= '0' && c <= '9') {
-		no = no*10 + (c - '0');
-		p++;
-	}
-	if (p == *srcp)
-		return "?non-numeric component in dotted-decimal address";
-	*srcp = p;
-	if (no > 255)
-		return "byte overflow in dotted-decimal address";
-	*retp = no;
-	return NULL;
-}
-
-/*
- - colon - convert IPv6 "numeric" address
- */
-static err_t
-colon(src, srclen, dst)
-const char *src;
-size_t srclen;			/* known to be >0 */
-ip_address *dst;
-{
-	const char *stop = src + srclen;	/* just past end */
-	unsigned piece = 0;
-	int gapat;		/* where was empty piece seen */
-	err_t oops;
-#	define	NPIECES	8
-	unsigned char buf[NPIECES*2];	/* short may have wrong byte order */
-	int i;
-	int j;
-#	define	IT	"IPv6 numeric address"
-	int naftergap;
-
-	/* leading or trailing :: becomes single empty field */
-	if (*src == ':') {		/* legal only if leading :: */
-		if (srclen == 1 || *(src+1) != ':')
-			return "illegal leading `:' in " IT;
-		if (srclen == 2) {
-			unspecaddr(AF_INET6, dst);
-			return NULL;
-		}
-		src++;		/* past first but not second */
-		srclen--;
-	}
-	if (*(stop-1) == ':') {		/* legal only if trailing :: */
-		if (srclen == 1 || *(stop-2) != ':')
-			return "illegal trailing `:' in " IT;
-		srclen--;		/* leave one */
-	}
-
-	gapat = -1;
-	for (i = 0; i < NPIECES && src < stop; i++) {
-		oops = getpiece(&src, stop, &piece);
-		if (oops != NULL && *oops == ':') {	/* empty field */
-			if (gapat >= 0)
-				return "more than one :: in " IT;
-			gapat = i;
-		} else if (oops != NULL)
-			return oops;
-		buf[2*i] = piece >> 8;
-		buf[2*i + 1] = piece & 0xff;
-		if (i < NPIECES-1) {	/* there should be more input */
-			if (src == stop && gapat < 0)
-				return IT " ends prematurely";
-			if (src != stop && *src++ != ':')
-				return "syntax error in " IT;
-		}
-	}
-	if (src != stop)
-		return "extra garbage on end of " IT;
-
-	if (gapat < 0 && i < NPIECES)	/* should have been caught earlier */
-		return "incomplete " IT " (internal error)";
-	if (gapat >= 0 && i == NPIECES)
-		return "non-abbreviating empty field in " IT;
-	if (gapat >= 0) {
-		naftergap = i - (gapat + 1);
-		for (i--, j = NPIECES-1; naftergap > 0; i--, j--, naftergap--) {
-			buf[2*j] = buf[2*i];
-			buf[2*j + 1] = buf[2*i + 1];
-		}
-		for (; j >= gapat; j--)
-			buf[2*j] = buf[2*j + 1] = 0;
-	}
-
-	return initaddr(buf, sizeof(buf), AF_INET6, dst);
-}
-
-/*
- - getpiece - try to scan one 16-bit piece of an IPv6 address
- */
-err_t				/* ":" means "empty field seen" */
-getpiece(srcp, stop, retp)
-const char **srcp;		/* *srcp is updated */
-const char *stop;		/* first untouchable char */
-unsigned *retp;			/* return-value pointer */
-{
-	const char *p;
-#	define	NDIG	4
-	int d;
-	unsigned long ret;
-	err_t oops;
-
-	if (*srcp >= stop || **srcp == ':') {	/* empty field */
-		*retp = 0;
-		return ":";
-	}
-
-	p = *srcp;
-	d = 0;
-	while (p < stop && d < NDIG && isxdigit(*p)) {
-		p++;
-		d++;
-	}
-	if (d == 0)
-		return "non-hex field in IPv6 numeric address";
-	if (p < stop && d == NDIG && isxdigit(*p))
-		return "field in IPv6 numeric address longer than 4 hex digits";
-
-	oops = ttoul(*srcp, d, 16, &ret);
-	if (oops != NULL)	/* shouldn't happen, really... */
-		return oops;
-
-	*srcp = p;
-	*retp = ret;
-	return NULL;
-}
diff --git a/src/libfreeswan/ttodata.3 b/src/libfreeswan/ttodata.3
deleted file mode 100644
index 8f4b1ec93..000000000
--- a/src/libfreeswan/ttodata.3
+++ /dev/null
@@ -1,280 +0,0 @@
-.TH IPSEC_TTODATA 3 "16 August 2003"
-.SH NAME
-ipsec ttodata, datatot \- convert binary data bytes from and to text formats
-.SH SYNOPSIS
-.B "#include <freeswan.h>"
-.sp
-.B "const char *ttodata(const char *src, size_t srclen,"
-.ti +1c
-.B "int base, char *dst, size_t dstlen, size_t *lenp);"
-.br
-.B "const char *ttodatav(const char *src, size_t srclen,"
-.ti +1c
-.B "int base, char *dst, size_t dstlen, size_t *lenp,"
-.ti +1c
-.B "char *errp, size_t errlen, int flags);"
-.br
-.B "size_t datatot(const char *src, size_t srclen,"
-.ti +1c
-.B "int format, char *dst, size_t dstlen);"
-.SH DESCRIPTION
-.IR Ttodata ,
-.IR ttodatav ,
-and
-.I datatot
-convert arbitrary binary data (e.g. encryption or authentication keys)
-from and to more-or-less human-readable text formats.
-.PP
-Currently supported formats are hexadecimal, base64, and characters.
-.PP
-A hexadecimal text value begins with a
-.B 0x
-(or
-.BR 0X )
-prefix and continues with two-digit groups
-of hexadecimal digits (0-9, and a-f or A-F),
-each group encoding the value of one binary byte, high-order digit first.
-A single
-.B _
-(underscore)
-between consecutive groups is ignored, permitting punctuation to improve 
-readability; doing this every eight digits seems about right.
-.PP
-A base64 text value begins with a
-.B 0s
-(or
-.BR 0S )
-prefix 
-and continues with four-digit groups of base64 digits (A-Z, a-z, 0-9, +, and /),
-each group encoding the value of three binary bytes as described in
-section 6.8 of RFC 2045.
-If
-.B flags
-has the
-.B TTODATAV_IGNORESPACE
-bit on, blanks are ignore (after the prefix).
-Note that the last one or two digits of a base64 group can be
-.B =
-to indicate that fewer than three binary bytes are encoded.
-.PP
-A character text value begins with a
-.B 0t
-(or
-.BR 0T )
-prefix
-and continues with text characters, each being the value of one binary byte. 
-.PP
-All these functions basically copy data from
-.I src
-(whose size is specified by
-.IR srclen )
-to
-.I dst
-(whose size is specified by
-.IR dstlen ),
-doing the conversion en route.
-If the result will not fit in
-.IR dst ,
-it is truncated;
-under no circumstances are more than
-.I dstlen
-bytes of result written to
-.IR dst .
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result bytes are written at all.
-.PP
-The
-.I base
-parameter of
-.I ttodata
-and
-.I ttodatav
-specifies what format the input is in;
-normally it should be
-.B 0
-to signify that this gets figured out from the prefix.
-Values of
-.BR 16 ,
-.BR 64 ,
-and
-.BR 256
-respectively signify hexadecimal, base64, and character-text formats
-without prefixes.
-.PP
-The
-.I format
-parameter of
-.IR datatot ,
-a single character used as a type code,
-specifies which text format is wanted.
-The value
-.B 0
-(not ASCII
-.BR '0' ,
-but a zero value) specifies a reasonable default.
-Other currently-supported values are:
-.RS 2
-.TP 4
-.B 'x'
-continuous lower-case hexadecimal with a
-.B 0x
-prefix
-.TP
-.B 'h'
-lower-case hexadecimal with a
-.B 0x
-prefix and a
-.B _
-every eight digits
-.TP
-.B ':'
-lower-case hexadecimal with no prefix and a
-.B :
-(colon) every two digits
-.TP
-.B 16
-lower-case hexadecimal with no prefix or
-.B _
-.TP
-.B 's'
-continuous base64 with a
-.B 0s
-prefix
-.TP
-.B 64
-continuous base64 with no prefix
-.RE
-.PP
-The default format is currently
-.BR 'h' .
-.PP
-.I Ttodata
-returns NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-On success,
-if and only if
-.I lenp
-is non-NULL,
-.B *lenp
-is set to the number of bytes required to contain the full untruncated result.
-It is the caller's responsibility to check this against
-.I dstlen
-to determine whether he has obtained a complete result.
-The
-.B *lenp
-value is correct even if
-.I dstlen
-is zero, which offers a way to determine how much space would be needed
-before having to allocate any.
-.PP
-.I Ttodatav
-is just like
-.I ttodata
-except that in certain cases,
-if
-.I errp
-is non-NULL,
-the buffer pointed to by
-.I errp
-(whose length is given by
-.IR errlen )
-is used to hold a more detailed error message.
-The return value is NULL for success,
-and is either
-.I errp
-or a pointer to a string literal for failure.
-If the size of the error-message buffer is
-inadequate for the desired message,
-.I ttodatav
-will fall back on returning a pointer to a literal string instead.
-The
-.I freeswan.h
-header file defines a constant
-.B TTODATAV_BUF
-which is the size of a buffer large enough for worst-case results.
-.PP
-The normal return value of
-.IR datatot
-is the number of bytes required
-to contain the full untruncated result.
-It is the caller's responsibility to check this against
-.I dstlen
-to determine whether he has obtained a complete result.
-The return value is correct even if
-.I dstlen
-is zero, which offers a way to determine how much space would be needed
-before having to allocate any.
-A return value of
-.B 0
-signals a fatal error of some kind
-(see DIAGNOSTICS).
-.PP
-A zero value for
-.I srclen
-in
-.I ttodata
-(but not
-.IR datatot !)
-is synonymous with
-.BR strlen(src) .
-A non-zero
-.I srclen
-in
-.I ttodata
-must not include the terminating NUL.
-.PP
-Unless
-.I dstlen
-is zero,
-the result supplied by
-.I datatot
-is always NUL-terminated,
-and its needed-size return value includes space for the terminating NUL.
-.PP
-Several obsolete variants of these functions
-.RI ( atodata ,
-.IR datatoa ,
-.IR atobytes ,
-and
-.IR bytestoa )
-are temporarily also supported.
-.SH SEE ALSO
-sprintf(3), ipsec_atoaddr(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I ttodata
-and
-.I ttodatav
-are:
-unknown characters in the input;
-unknown or missing prefix;
-unknown base;
-incomplete digit group;
-non-zero padding in a base64 less-than-three-bytes digit group;
-zero-length input.
-.PP
-Fatal errors in
-.I datatot
-are:
-unknown format code;
-zero-length input.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-.I Datatot
-should have a format code to produce character-text output.
-.PP
-The
-.B 0s
-and
-.B 0t
-prefixes are the author's inventions and are not a standard
-of any kind.
-They have been chosen to avoid collisions with existing practice
-(some C implementations use
-.B 0b
-for binary)
-and possible confusion with unprefixed hexadecimal.
diff --git a/src/libfreeswan/ttodata.c b/src/libfreeswan/ttodata.c
deleted file mode 100644
index ef3717797..000000000
--- a/src/libfreeswan/ttodata.c
+++ /dev/null
@@ -1,720 +0,0 @@
-/*
- * convert from text form of arbitrary data (e.g., keys) to binary
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/* converters and misc */
-static int unhex(const char *, char *, size_t);
-static int unb64(const char *, char *, size_t);
-static int untext(const char *, char *, size_t);
-static const char *badch(const char *, int, char *, size_t);
-
-/* internal error codes for converters */
-#define	SHORT	(-2)		/* internal buffer too short */
-#define	BADPAD	(-3)		/* bad base64 padding */
-#define	BADCH0	(-4)		/* invalid character 0 */
-#define	BADCH1	(-5)		/* invalid character 1 */
-#define	BADCH2	(-6)		/* invalid character 2 */
-#define	BADCH3	(-7)		/* invalid character 3 */
-#define	BADOFF(code) (BADCH0-(code))
-
-/*
- - ttodatav - convert text to data, with verbose error reports
- * If some of this looks slightly odd, it's because it has changed
- * repeatedly (from the original atodata()) without a major rewrite.
- */
-const char *			/* NULL on success, else literal or errp */
-ttodatav(src, srclen, base, dst, dstlen, lenp, errp, errlen, flags)
-const char *src;
-size_t srclen;			/* 0 means apply strlen() */
-int base;			/* 0 means figure it out */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-size_t *lenp;			/* where to record length (NULL is nowhere) */
-char *errp;			/* error buffer */
-size_t errlen;
-unsigned int flags;
-{
-	size_t ingroup;	/* number of input bytes converted at once */
-	char buf[4];		/* output from conversion */
-	int nbytes;		/* size of output */
-	int (*decode)(const char *, char *, size_t);
-	char *stop;
-	int ndone;
-	int i;
-	int underscoreok;
-	int skipSpace = 0;
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (dstlen == 0)
-		dst = buf;	/* point it somewhere valid */
-	stop = dst + dstlen;
-
-	if (base == 0) {
-		if (srclen < 2)
-			return "input too short to be valid";
-		if (*src++ != '0')
-			return "input does not begin with format prefix";
-		switch (*src++) {
-		case 'x':
-		case 'X':
-			base = 16;
-			break;
-		case 's':
-		case 'S':
-			base = 64;
-			break;
-		case 't':
-		case 'T':
-			base = 256;
-			break;
-		default:
-			return "unknown format prefix";
-		}
-		srclen -= 2;
-	}
-	switch (base) {
-	case 16:
-		decode = unhex;
-		underscoreok = 1;
-		ingroup = 2;
-		break;
-	case 64:
-		decode = unb64;
-		underscoreok = 0;
-		ingroup = 4;
-		if(flags & TTODATAV_IGNORESPACE) {
-			skipSpace = 1;
-		}
-		break;
-
-	case 256:
-		decode = untext;
-		ingroup = 1;
-		underscoreok = 0;
-		break;
-	default:
-		return "unknown base";
-	}
-
-	/* proceed */
-	ndone = 0;
-	while (srclen > 0) {
-		char stage[4];	/* staging area for group */
-		size_t sl = 0;
-
-		/* Grab ingroup characters into stage,
-		 * squeezing out blanks if we are supposed to ignore them.
-		 */
-		for (sl = 0; sl < ingroup; src++, srclen--) {
-			if (srclen == 0)
-				return "input ends in mid-byte, perhaps truncated";
-			else if (!(skipSpace && (*src == ' ' || *src == '\t')))
-				stage[sl++] = *src;
-		}
-
-		nbytes = (*decode)(stage, buf, sizeof(buf));
-		switch (nbytes) {
-		case BADCH0:
-		case BADCH1:
-		case BADCH2:
-		case BADCH3:
-			return badch(stage, nbytes, errp, errlen);
-		case SHORT:
-			return "internal buffer too short (\"can't happen\")";
-		case BADPAD:
-			return "bad (non-zero) padding at end of base64 input";
-		}
-		if (nbytes <= 0)
-			return "unknown internal error";
-		for (i = 0; i < nbytes; i++) {
-			if (dst < stop)
-				*dst++ = buf[i];
-			ndone++;
-		}
-		while (srclen >= 1 && skipSpace && (*src == ' ' || *src == '\t')){
-			src++;
-			srclen--;
-		}
-		if (underscoreok && srclen > 1 && *src == '_') {
-			/* srclen > 1 means not last character */
-			src++;
-			srclen--;
-		}
-	}
-
-	if (ndone == 0)
-		return "no data bytes specified by input";
-	if (lenp != NULL)
-		*lenp = ndone;
-	return NULL;
-}
-
-/*
- - ttodata - convert text to data
- */
-const char *			/* NULL on success, else literal */
-ttodata(src, srclen, base, dst, dstlen, lenp)
-const char *src;
-size_t srclen;			/* 0 means apply strlen() */
-int base;			/* 0 means figure it out */
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-size_t *lenp;			/* where to record length (NULL is nowhere) */
-{
-	return ttodatav(src, srclen, base, dst, dstlen, lenp, (char *)NULL,
-			(size_t)0, TTODATAV_SPACECOUNTS);
-}
-
-/*
- - atodata - convert ASCII to data
- * backward-compatibility interface
- */
-size_t				/* 0 for failure, true length for success */
-atodata(src, srclen, dst, dstlen)
-const char *src;
-size_t srclen;
-char *dst;
-size_t dstlen;
-{
-	size_t len;
-	const char *err;
-
-	err = ttodata(src, srclen, 0, dst, dstlen, &len);
-	if (err != NULL)
-		return 0;
-	return len;
-}
-
-/*
- - atobytes - convert ASCII to data bytes
- * another backward-compatibility interface
- */
-const char *
-atobytes(src, srclen, dst, dstlen, lenp)
-const char *src;
-size_t srclen;
-char *dst;
-size_t dstlen;
-size_t *lenp;
-{
-	return ttodata(src, srclen, 0, dst, dstlen, lenp);
-}
-
-/*
- - unhex - convert two ASCII hex digits to byte
- */
-static int		/* number of result bytes, or error code */
-unhex(src, dst, dstlen)
-const char *src;	/* known to be full length */
-char *dst;
-size_t dstlen;		/* not large enough is a failure */
-{
-	char *p;
-	unsigned byte;
-	static char hex[] = "0123456789abcdef";
-
-	if (dstlen < 1)
-		return SHORT;
-
-	p = strchr(hex, *src);
-	if (p == NULL)
-		p = strchr(hex, tolower(*src));
-	if (p == NULL)
-		return BADCH0;
-	byte = (p - hex) << 4;
-	src++;
-
-	p = strchr(hex, *src);
-	if (p == NULL)
-		p = strchr(hex, tolower(*src));
-	if (p == NULL)
-		return BADCH1;
-	byte |= (p - hex);
-
-	*dst = byte;
-	return 1;
-}
-
-/*
- - unb64 - convert four ASCII base64 digits to three bytes
- * Note that a base64 digit group is padded out with '=' if it represents
- * less than three bytes:  one byte is dd==, two is ddd=, three is dddd.
- */
-static int		/* number of result bytes, or error code */
-unb64(src, dst, dstlen)
-const char *src;	/* known to be full length */
-char *dst;
-size_t dstlen;
-{
-	char *p;
-	unsigned byte1;
-	unsigned byte2;
-	static char base64[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-	if (dstlen < 3)
-		return SHORT;
-
-	p = strchr(base64, *src++);
-
-	if (p == NULL)
-		return BADCH0;
-	byte1 = (p - base64) << 2;	/* first six bits */
-
-	p = strchr(base64, *src++);
-	if (p == NULL) {
-		return BADCH1;
-	}
-
-	byte2 = p - base64;		/* next six:  two plus four */
-	*dst++ = byte1 | (byte2 >> 4);
-	byte1 = (byte2 & 0xf) << 4;
-
-	p = strchr(base64, *src++);
-	if (p == NULL) {
-		if (*(src-1) == '=' && *src == '=') {
-			if (byte1 != 0)		/* bad padding */
-				return BADPAD;
-			return 1;
-		}
-		return BADCH2;
-	}
-
-	byte2 = p - base64;		/* next six:  four plus two */
-	*dst++ = byte1 | (byte2 >> 2);
-	byte1 = (byte2 & 0x3) << 6;
-
-	p = strchr(base64, *src++);
-	if (p == NULL) {
-		if (*(src-1) == '=') {
-			if (byte1 != 0)		/* bad padding */
-				return BADPAD;
-			return 2;
-		}
-		return BADCH3;
-	}
-	byte2 = p - base64;		/* last six */
-	*dst++ = byte1 | byte2;
-
-	return 3;
-}
-
-/*
- - untext - convert one ASCII character to byte
- */
-static int		/* number of result bytes, or error code */
-untext(src, dst, dstlen)
-const char *src;	/* known to be full length */
-char *dst;
-size_t dstlen;		/* not large enough is a failure */
-{
-	if (dstlen < 1)
-		return SHORT;
-
-	*dst = *src;
-	return 1;
-}
-
-/*
- - badch - produce a nice complaint about an unknown character
- *
- * If the compiler complains that the array bigenough[] has a negative
- * size, that means the TTODATAV_BUF constant has been set too small.
- */
-static const char *		/* literal or errp */
-badch(src, errcode, errp, errlen)
-const char *src;
-int errcode;
-char *errp;			/* might be NULL */
-size_t errlen;
-{
-	static const char pre[] = "unknown character (`";
-	static const char suf[] = "') in input";
-	char buf[5];
-#	define	REQD	(sizeof(pre) - 1 + sizeof(buf) - 1 + sizeof(suf))
-	struct sizecheck {
-		char bigenough[TTODATAV_BUF - REQD];	/* see above */
-	};
-	char ch;
-
-	if (errp == NULL || errlen < REQD)
-		return "unknown character in input";
-	strcpy(errp, pre);
-	ch = *(src + BADOFF(errcode));
-	if (isprint(ch)) {
-		buf[0] = ch;
-		buf[1] = '\0';
-	} else {
-		buf[0] = '\\';
-		buf[1] = ((ch & 0700) >> 6) + '0';
-		buf[2] = ((ch & 0070) >> 3) + '0';
-		buf[3] = ((ch & 0007) >> 0) + '0';
-		buf[4] = '\0';
-	}
-	strcat(errp, buf);
-	strcat(errp, suf);
-	return (const char *)errp;
-}
-
-
-
-#ifdef TTODATA_MAIN
-
-#include <stdio.h>
-
-struct artab;
-static void check(struct artab *r, char *buf, size_t n, err_t oops, int *status);
-static void regress(char *pgm);
-static void hexout(const char *s, size_t len, FILE *f);
-
-/*
- - main - convert first argument to hex, or run regression
- */
-int
-main(int argc, char *argv[])
-{
-	char buf[1024];
-	char buf2[1024];
-	char err[512];
-	size_t n;
-	size_t i;
-	char *p = buf;
-	char *p2 = buf2;
-	char *pgm = argv[0];
-	const char *oops;
-
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s {0x<hex>|0s<base64>|-r}\n", pgm);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress(pgm);	/* should not return */
-		fprintf(stderr, "%s: regress() returned?!?\n", pgm);
-		exit(1);
-	}
-
-	oops = ttodatav(argv[1], 0, 0, buf, sizeof(buf), &n,
-			err, sizeof(err), TTODATAV_IGNORESPACE);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: ttodata error `%s' in `%s'\n", pgm,
-								oops, argv[1]);
-		exit(1);
-	}
-
-	if (n > sizeof(buf)) {
-		p = (char *)malloc((size_t)n);
-		if (p == NULL) {
-			fprintf(stderr,
-				"%s: unable to malloc %d bytes for result\n",
-				pgm, n);
-			exit(1);
-		}
-		oops = ttodata(argv[1], 0, 0, p, n, &n);
-		if (oops != NULL) {
-			fprintf(stderr, "%s: error `%s' in ttodata retry?!?\n",
-								pgm, oops);
-			exit(1);
-		}
-	}
-
-	hexout(p, n, stdout);
-	printf("\n");
-
-	i = datatot(buf, n, 'h', buf2, sizeof(buf2));
-	if (i == 0) {
-		fprintf(stderr, "%s: datatot reports error in `%s'\n", pgm,
-								argv[1]);
-		exit(1);
-	}
-
-	if (i > sizeof(buf2)) {
-		p2 = (char *)malloc((size_t)i);
-		if (p == NULL) {
-			fprintf(stderr,
-				"%s: unable to malloc %d bytes for result\n",
-				pgm, i);
-			exit(1);
-		}
-		i = datatot(buf, n, 'h', p2, i);
-		if (i == 0) {
-			fprintf(stderr, "%s: error in datatoa retry?!?\n", pgm);
-			exit(1);
-		}
-	}
-
-	printf("%s\n", p2);
-
-	exit(0);
-}
-
-/*
- - hexout - output an arbitrary-length string in hex
- */
-static void
-hexout(s, len, f)
-const char *s;
-size_t len;
-FILE *f;
-{
-	size_t i;
-
-	fprintf(f, "0x");
-	for (i = 0; i < len; i++)
-		fprintf(f, "%02x", (unsigned char)s[i]);
-}
-
-struct artab {
-	int base;
-#	    define IGNORESPACE_BIAS 1000
-	char *ascii;		/* NULL for end */
-	char *data;		/* NULL for error expected */
-} atodatatab[] = {
-	{ 0, "",			NULL, },
-	{ 0, "0",			NULL, },
-	{ 0, "0x",		NULL, },
-	{ 0, "0xa",		NULL, },
-	{ 0, "0xab",		"\xab", },
-	{ 0, "0xabc",		NULL, },
-	{ 0, "0xabcd",		"\xab\xcd", },
-	{ 0, "0x0123456789",	"\x01\x23\x45\x67\x89", },
-	{ 0, "0x01x",		NULL, },
-	{ 0, "0xabcdef",		"\xab\xcd\xef", },
-	{ 0, "0xABCDEF",		"\xab\xcd\xef", },
-	{ 0, "0XaBc0eEd81f",	"\xab\xc0\xee\xd8\x1f", },
-	{ 0, "0XaBc0_eEd8",	"\xab\xc0\xee\xd8", },
-	{ 0, "0XaBc0_",		NULL, },
-	{ 0, "0X_aBc0",		NULL, },
-	{ 0, "0Xa_Bc0",		NULL, },
-	{ 16, "aBc0eEd8",	"\xab\xc0\xee\xd8", },
-	{ 0, "0s",		NULL, },
-	{ 0, "0sA",		NULL, },
-	{ 0, "0sBA",		NULL, },
-	{ 0, "0sCBA",		NULL, },
-	{ 0, "0sDCBA",		"\x0c\x20\x40", },
-	{ 0, "0SDCBA",		"\x0c\x20\x40", },
-	{ 0, "0sDA==",		"\x0c", },
-	{ 0, "0sDC==",		NULL, },
-	{ 0, "0sDCA=",		"\x0c\x20", },
-	{ 0, "0sDCB=",		NULL, },
-	{ 0, "0sDCAZ",		"\x0c\x20\x19", },
-	{ 0, "0sDCAa",		"\x0c\x20\x1a", },
-	{ 0, "0sDCAz",		"\x0c\x20\x33", },
-	{ 0, "0sDCA0",		"\x0c\x20\x34", },
-	{ 0, "0sDCA9",		"\x0c\x20\x3d", },
-	{ 0, "0sDCA+",		"\x0c\x20\x3e", },
-	{ 0, "0sDCA/",		"\x0c\x20\x3f", },
-	{ 0, "0sAbraCadabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0s AbraCadabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sA braCadabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAb raCadabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbr aCadabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbra Cadabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraC adabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraCa dabra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraCad abra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraCada bra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraCadab ra+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraCadabr a+",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraCadabra +",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ IGNORESPACE_BIAS + 0, "0sAbraCadabra+ ",	"\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", },
-	{ 0, "0t",		NULL, },
-	{ 0, "0tabc_xyz",		"abc_xyz", },
-	{ 256, "abc_xyz",		"abc_xyz", },
-	{ 0, NULL,		NULL, },
-};
-
-struct drtab {
-	char *data;	/* input; NULL for end */
-	char format;
-	int buflen;	/* -1 means big buffer */
-	int outlen;	/* -1 means strlen(ascii)+1 */
-	char *ascii;	/* NULL for error expected */
-} datatoatab[] = {
-	{ "",			'x',	-1,	-1,	NULL, },
-	{ "",			'X',	-1,	-1,	NULL, },
-	{ "",			'n',	-1,	-1,	NULL, },
-	{ "0",			'x',	-1,	-1,	"0x30", },
-	{ "0",			'x',	0,	5,	"---", },
-	{ "0",			'x',	1,	5,	"", },
-	{ "0",			'x',	2,	5,	"0", },
-	{ "0",			'x',	3,	5,	"0x", },
-	{ "0",			'x',	4,	5,	"0x3", },
-	{ "0",			'x',	5,	5,	"0x30", },
-	{ "0",			'x',	6,	5,	"0x30", },
-	{ "\xab\xcd",		'x',	-1,	-1,	"0xabcd", },
-	{ "\x01\x23\x45\x67\x89",	'x',	-1,	-1,	"0x0123456789", },
-	{ "\xab\xcd\xef",		'x',	-1,	-1,	"0xabcdef", },
-	{ "\xab\xc0\xee\xd8\x1f",	'x',	-1,	-1,	"0xabc0eed81f", },
-	{ "\x01\x02",		'h',	-1,	-1,	"0x0102", },
-	{ "\x01\x02\x03\x04\x05\x06",	'h',	-1, -1,	"0x01020304_0506", },
-	{ "\xab\xc0\xee\xd8\x1f",	16,	-1,	-1,	"abc0eed81f", },
-	{ "\x0c\x20\x40",		's',	-1,	-1,	"0sDCBA", },
-	{ "\x0c\x20\x40",		's',	0,	7,	"---", },
-	{ "\x0c\x20\x40",		's',	1,	7,	"", },
-	{ "\x0c\x20\x40",		's',	2,	7,	"0", },
-	{ "\x0c\x20\x40",		's',	3,	7,	"0s", },
-	{ "\x0c\x20\x40",		's',	4,	7,	"0sD", },
-	{ "\x0c\x20\x40",		's',	5,	7,	"0sDC", },
-	{ "\x0c\x20\x40",		's',	6,	7,	"0sDCB", },
-	{ "\x0c\x20\x40",		's',	7,	7,	"0sDCBA", },
-	{ "\x0c\x20\x40",		's',	8,	7,	"0sDCBA", },
-	{ "\x0c",			's',	-1,	-1,	"0sDA==", },
-	{ "\x0c\x20",		's',	-1,	-1,	"0sDCA=", },
-	{ "\x0c\x20\x19",		's',	-1,	-1,	"0sDCAZ", },
-	{ "\x0c\x20\x1a",		's',	-1,	-1,	"0sDCAa", },
-	{ "\x0c\x20\x33",		's',	-1,	-1,	"0sDCAz", },
-	{ "\x0c\x20\x34",		's',	-1,	-1,	"0sDCA0", },
-	{ "\x0c\x20\x3d",		's',	-1,	-1,	"0sDCA9", },
-	{ "\x0c\x20\x3e",		's',	-1,	-1,	"0sDCA+", },
-	{ "\x0c\x20\x3f",		's',	-1,	-1,	"0sDCA/", },
-	{ "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", 's', -1, -1, "0sAbraCadabra+", },
-	{ "\x01\xba\xda\x09\xa7\x5a\x6e\xb6\xbe", 64, -1, -1, "AbraCadabra+", },
-	{ NULL,			'x',	-1,	-1,	NULL, },
-};
-
-/*
- - regress - regression-test ttodata() and datatot()
- */
-static void
-check(r, buf, n, oops, status)
-struct artab *r;
-char *buf;
-size_t n;
-err_t oops;
-int *status;
-{
-	if (oops != NULL && r->data == NULL)
-		{}			/* error expected */
-	else if (oops != NULL) {
-		printf("`%s' gave error `%s', expecting %d `", r->ascii,
-						oops, strlen(r->data));
-		hexout(r->data, strlen(r->data), stdout);
-		printf("'\n");
-		*status = 1;
-	} else if (r->data == NULL) {
-		printf("`%s' gave %d `", r->ascii, n);
-		hexout(buf, n, stdout);
-		printf("', expecting error\n");
-		*status = 1;
-	} else if (n != strlen(r->data)) {
-		printf("length wrong in `%s': got %d `", r->ascii, n);
-		hexout(buf, n, stdout);
-		printf("', expecting %d `", strlen(r->data));
-		hexout(r->data, strlen(r->data), stdout);
-		printf("'\n");
-		*status = 1;
-	} else if (memcmp(buf, r->data, n) != 0) {
-		printf("`%s' gave %d `", r->ascii, n);
-		hexout(buf, n, stdout);
-		printf("', expecting %d `", strlen(r->data));
-		hexout(r->data, strlen(r->data), stdout);
-		printf("'\n");
-		*status = 1;
-	}
-	fflush(stdout);
-}
-
-static void			/* should not return at all, in fact */
-regress(pgm)
-char *pgm;
-{
-	struct artab *r;
-	struct drtab *dr;
-	char buf[100];
-	size_t n;
-	int status = 0;
-
-	for (r = atodatatab; r->ascii != NULL; r++) {
-		int base = r->base;
-		int xbase = 0;
-
-		if ((base == 0 || base == IGNORESPACE_BIAS + 0) && r->ascii[0] == '0') {
-			switch (r->ascii[1]) {
-			case 'x':
-			case 'X':
-				xbase = 16;
-				break;
-			case 's':
-			case 'S':
-				xbase = 64;
-				break;
-			case 't':
-			case 'T':
-				xbase = 256;
-				break;
-			}
-		}
-
-		if (base >= IGNORESPACE_BIAS) {
-			base = base - IGNORESPACE_BIAS;
-			check(r, buf, n, ttodatav(r->ascii, 0, base, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
-			if (xbase != 0)
-				check(r, buf, n, ttodatav(r->ascii+2, 0, xbase, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
-		} else {
-			check(r, buf, n, ttodata(r->ascii, 0, base, buf, sizeof(buf), &n), &status);
-			if (base == 64 || xbase == 64)
-				check(r, buf, n, ttodatav(r->ascii, 0, base, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
-			if (xbase != 0) {
-				check(r, buf, n, ttodata(r->ascii+2, 0, xbase, buf, sizeof(buf), &n), &status);
-				if (base == 64 || xbase == 64)
-					check(r, buf, n, ttodatav(r->ascii+2, 0, xbase, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
-			}
-		}
-	}
-	for (dr = datatoatab; dr->data != NULL; dr++) {
-		size_t should;
-
-		strcpy(buf, "---");
-		n = datatot(dr->data, strlen(dr->data), dr->format, buf,
-				(dr->buflen == -1) ? sizeof(buf) : dr->buflen);
-		should = (dr->ascii == NULL) ? 0 : strlen(dr->ascii) + 1;
-		if (dr->outlen != -1)
-			should = dr->outlen;
-		if (n == 0 && dr->ascii == NULL)
-			{}			/* error expected */
-		else if (n == 0) {
-			printf("`");
-			hexout(dr->data, strlen(dr->data), stdout);
-			printf("' %c gave error, expecting %d `%s'\n",
-				dr->format, should, dr->ascii);
-			status = 1;
-		} else if (dr->ascii == NULL) {
-			printf("`");
-			hexout(dr->data, strlen(dr->data), stdout);
-			printf("' %c gave %d `%.*s', expecting error\n",
-				dr->format, n, (int)n, buf);
-			status = 1;
-		} else if (n != should) {
-			printf("length wrong in `");
-			hexout(dr->data, strlen(dr->data), stdout);
-			printf("': got %d `%s'", n, buf);
-			printf(", expecting %d `%s'\n", should, dr->ascii);
-			status = 1;
-		} else if (strcmp(buf, dr->ascii) != 0) {
-			printf("`");
-			hexout(dr->data, strlen(dr->data), stdout);
-			printf("' gave %d `%s'", n, buf);
-			printf(", expecting %d `%s'\n", should, dr->ascii);
-			status = 1;
-		}
-		fflush(stdout);
-	}
-	exit(status);
-}
-
-#endif /* TTODATA_MAIN */
diff --git a/src/libfreeswan/ttoprotoport.c b/src/libfreeswan/ttoprotoport.c
deleted file mode 100644
index e75b206be..000000000
--- a/src/libfreeswan/ttoprotoport.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * conversion from protocol/port string to protocol and port
- * Copyright (C) 2002 Mario Strasser <mast@gmx.net>,
- *                    Zuercher Hochschule Winterthur,
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- * ttoprotoport - converts from protocol/port string to protocol and port
- */
-err_t
-ttoprotoport(src, src_len, proto, port, has_port_wildcard)
-char *src;		/* input string */
-size_t src_len;		/* length of input string, use strlen() if 0 */
-u_int8_t *proto;	/* extracted protocol number */
-u_int16_t *port;	/* extracted port number if it exists */
-bool *has_port_wildcard;	/* set if port is %any */
-{
-    char *end, *service_name;
-    char proto_name[16];
-    int proto_len;
-    long int l;
-    struct protoent *protocol;
-    struct servent *service;
-
-    /* get the length of the string */
-    if (!src_len) src_len = strlen(src);
-
-    /* locate delimiter '/' between protocol and port */
-    end = strchr(src, '/');
-    if (end != NULL) {
-      proto_len = end - src;
-      service_name = end + 1;
-    } else {
-      proto_len = src_len;
-      service_name = src + src_len;
-    }
-
-   /* copy protocol name*/
-    memset(proto_name, '\0', sizeof(proto_name));
-    memcpy(proto_name, src, proto_len);
-
-    /* extract protocol by trying to resolve it by name */
-    protocol = getprotobyname(proto_name);
-    if (protocol != NULL) {
-	*proto = protocol->p_proto;
-    }
-    else  /* failed, now try it by number */
-    {
-	l = strtol(proto_name, &end, 0);
-
-	if (*proto_name && *end)
-	    return "<protocol> is neither a number nor a valid name";
-
-	if (l < 0 || l > 0xff)
-            return "<protocol> must be between 0 and 255";
-
-	*proto = (u_int8_t)l;
-    }
-
-    /* is there a port wildcard? */
-    *has_port_wildcard = (strcmp(service_name, "%any") == 0);
-
-    if (*has_port_wildcard)
-    {
-	*port = 0;
-	return NULL;
-    }
-
-    /* extract port by trying to resolve it by name */
-    service = getservbyname(service_name, NULL);
-    if (service != NULL) {
-        *port = ntohs(service->s_port);
-    }
-    else /* failed, now try it by number */
-    {
-	l = strtol(service_name, &end, 0);
-
-	if (*service_name && *end)
-	    return "<port> is neither a number nor a valid name";
-
-	if (l < 0 || l > 0xffff)
-	    return "<port> must be between 0 and 65535";
-
-	*port = (u_int16_t)l;
-    }
-    return NULL;
-}
-
diff --git a/src/libfreeswan/ttosa.3 b/src/libfreeswan/ttosa.3
deleted file mode 100644
index f9ea36a09..000000000
--- a/src/libfreeswan/ttosa.3
+++ /dev/null
@@ -1,287 +0,0 @@
-.TH IPSEC_TTOSA 3 "26 Nov 2001"
-.SH NAME
-ipsec ttosa, satot \- convert IPsec Security Association IDs to and from text
-.br
-ipsec initsaid \- initialize an SA ID
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "typedef struct {"
-.ti +1c
-.B "ip_address dst;"
-.ti +1c
-.B "ipsec_spi_t spi;"
-.ti +1c
-.B "int proto;"
-.br
-.B "} ip_said;"
-.sp
-.B "const char *ttosa(const char *src, size_t srclen,"
-.ti +1c
-.B "ip_said *sa);
-.br
-.B "size_t satot(const ip_said *sa, int format,"
-.ti +1c
-.B "char *dst, size_t dstlen);"
-.br
-.B "void initsaid(const ip_address *addr, ipsec_spi_t spi,"
-.ti +1c
-.B "int proto, ip_said *dst);"
-.SH DESCRIPTION
-.I Ttosa
-converts an ASCII Security Association (SA) specifier into an
-.B ip_said
-structure (containing
-a destination-host address
-in network byte order,
-an SPI number in network byte order, and
-a protocol code).
-.I Satot
-does the reverse conversion, back to a text SA specifier.
-.I Initsaid
-initializes an
-.B ip_said
-from separate items of information.
-.PP
-An SA is specified in text with a mail-like syntax, e.g.
-.BR esp.5a7@1.2.3.4 .
-An SA specifier contains
-a protocol prefix (currently
-.BR ah ,
-.BR esp ,
-.BR tun ,
-.BR comp ,
-or
-.BR int ),
-a single character indicating the address family
-.RB ( .
-for IPv4,
-.B :
-for IPv6),
-an unsigned integer SPI number in hexadecimal (with no
-.B 0x
-prefix),
-and an IP address.
-The IP address can be any form accepted by
-.IR ipsec_ttoaddr (3),
-e.g. dotted-decimal IPv4 address,
-colon-hex IPv6 address,
-or DNS name.
-.PP
-As a special case, the SA specifier
-.B %passthrough4
-or
-.B %passthrough6
-signifies the special SA used to indicate that packets should be
-passed through unaltered.
-(At present, these are synonyms for
-.B tun.0@0.0.0.0
-and
-.B tun:0@::
-respectively,
-but that is subject to change without notice.)
-.B %passthrough
-is a historical synonym for
-.BR %passthrough4 . 
-These forms are known to both
-.I ttosa
-and
-.IR satot ,
-so the internal representation is never visible.
-.PP
-Similarly, the SA specifiers
-.BR %pass ,
-.BR %drop ,
-.BR %reject ,
-.BR %hold ,
-.BR %trap ,
-and
-.BR %trapsubnet
-signify special ``magic'' SAs used to indicate that packets should be
-passed, dropped, rejected (dropped with ICMP notification),
-held,
-and trapped (sent up to
-.IR ipsec_pluto (8),
-with either of two forms of
-.B %hold
-automatically installed)
-respectively.
-These forms too are known to both routines,
-so the internal representation of the magic SAs should never be visible.
-.PP
-The
-.B <freeswan.h>
-header file supplies the
-.B ip_said
-structure, as well as a data type
-.B ipsec_spi_t
-which is an unsigned 32-bit integer.
-(There is no consistency between kernel and user on what such a type
-is called, hence the header hides the differences.)
-.PP
-The protocol code uses the same numbers that IP does.
-For user convenience, given the difficulty in acquiring the exact set of
-protocol names used by the kernel,
-.B <freeswan.h>
-defines the names
-.BR SA_ESP ,
-.BR SA_AH ,
-.BR SA_IPIP ,
-and
-.BR SA_COMP
-to have the same values as the kernel names
-.BR IPPROTO_ESP ,
-.BR IPPROTO_AH ,
-.BR IPPROTO_IPIP ,
-and
-.BR IPPROTO_COMP .
-.PP
-.B <freeswan.h>
-also defines
-.BR SA_INT
-to have the value
-.BR 61
-(reserved by IANA for ``any host internal protocol'')
-and
-.BR SPI_PASS ,
-.BR SPI_DROP ,
-.BR SPI_REJECT ,
-.BR SPI_HOLD ,
-and
-.B SPI_TRAP
-to have the values 256-260 (in \fIhost\fR byte order) respectively.
-These are used in constructing the magic SAs
-(which always have address
-.BR 0.0.0.0 ).
-.PP
-If
-.I satot
-encounters an unknown protocol code, e.g. 77,
-it yields output using a prefix
-showing the code numerically, e.g. ``unk77''.
-This form is
-.I not
-recognized by
-.IR ttosa .
-.PP
-The
-.I srclen
-parameter of
-.I ttosa
-specifies the length of the string pointed to by
-.IR src ;
-it is an error for there to be anything else
-(e.g., a terminating NUL) within that length.
-As a convenience for cases where an entire NUL-terminated string is
-to be converted,
-a
-.I srclen
-value of
-.B 0
-is taken to mean
-.BR strlen(src) .
-.PP
-The
-.I dstlen
-parameter of
-.I satot
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-The
-.B <freeswan.h>
-header file defines a constant,
-.BR SATOT_BUF ,
-which is the size of a buffer just large enough for worst-case results.
-.PP
-The
-.I format
-parameter of
-.I satot
-specifies what format is to be used for the conversion.
-The value
-.B 0
-(not the ASCII character
-.BR '0' ,
-but a zero value)
-specifies a reasonable default
-(currently
-lowercase protocol prefix, lowercase hexadecimal SPI,
-dotted-decimal or colon-hex address).
-The value
-.B 'f'
-is similar except that the SPI is padded with
-.BR 0 s
-to a fixed 32-bit width, to ease aligning displayed tables.
-.PP
-.I Ttosa
-returns
-.B NULL
-for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.I Satot
-returns
-.B 0
-for a failure, and otherwise
-always returns the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL;
-it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred.
-.PP
-There is also, temporarily, support for some obsolete
-forms of SA specifier which lack the address-family indicator.
-.SH SEE ALSO
-ipsec_ttoul(3), ipsec_ttoaddr(3), ipsec_samesaid(3), inet(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I ttosa
-are:
-empty input;
-input too small to be a legal SA specifier;
-no
-.B @
-in input;
-unknown protocol prefix;
-conversion error in
-.I ttoul
-or
-.IR ttoaddr .
-.PP
-Fatal errors in
-.I satot
-are:
-unknown format.
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-The restriction of text-to-binary error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The text-to-binary error-reporting convention lends itself
-to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = ttosa( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/ttosa.c b/src/libfreeswan/ttosa.c
deleted file mode 100644
index 9873231c0..000000000
--- a/src/libfreeswan/ttosa.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/*
- * convert from text form of SA ID to binary
- * Copyright (C) 2000, 2001  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-static struct satype {
-	char *prefix;
-	size_t prelen;		/* strlen(prefix) */
-	int proto;
-} satypes[] = {
-	{ "ah",		2,	SA_AH	},
-	{ "esp",	3,	SA_ESP	},
-	{ "tun",	3,	SA_IPIP },
-	{ "comp",	4,	SA_COMP	},
-	{ "int",	3,	SA_INT	},
-	{ NULL,		0,	0,	}
-};
-
-static struct magic {
-	char *name;
-	char *really;
-} magic[] = {
-	{ PASSTHROUGHNAME,	PASSTHROUGH4IS		},
-	{ PASSTHROUGH4NAME,	PASSTHROUGH4IS		},
-	{ PASSTHROUGH6NAME,	PASSTHROUGH6IS		},
-	{ "%pass",		"int256@0.0.0.0"	},
-	{ "%drop",		"int257@0.0.0.0"	},
-	{ "%reject",		"int258@0.0.0.0"	},
-	{ "%hold",		"int259@0.0.0.0"	},
-	{ "%trap",		"int260@0.0.0.0"	},
-	{ "%trapsubnet",	"int261@0.0.0.0"	},
-	{ NULL,			NULL			}
-};
-
-/*
- - ttosa - convert text "ah507@10.0.0.1" to SA identifier
- */
-err_t				/* NULL for success, else string literal */
-ttosa(src, srclen, sa)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-ip_said *sa;
-{
-	const char *at;
-	const char *addr;
-	size_t alen;
-	const char *spi = NULL;
-	struct satype *sat;
-	unsigned long ul;
-	const char *oops;
-	struct magic *mp;
-	size_t nlen;
-#	define	MINLEN	5	/* ah0@0 is as short as it can get */
-	int af;
-	int base;
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-	if (srclen < MINLEN)
-		return "string too short to be SA identifier";
-	if (*src == '%') {
-		for (mp = magic; mp->name != NULL; mp++) {
-			nlen = strlen(mp->name);
-			if (srclen == nlen && memcmp(src, mp->name, nlen) == 0)
-				break;
-		}
-		if (mp->name == NULL)
-			return "unknown % keyword";
-		src = mp->really;
-		srclen = strlen(src);
-	}
-
-	at = memchr(src, '@', srclen);
-	if (at == NULL)
-		return "no @ in SA specifier";
-
-	for (sat = satypes; sat->prefix != NULL; sat++)
-		if (sat->prelen < srclen &&
-				strncmp(src, sat->prefix, sat->prelen) == 0) {
-			sa->proto = sat->proto;
-			spi = src + sat->prelen;
-			break;			/* NOTE BREAK OUT */
-		}
-	if (sat->prefix == NULL)
-		return "SA specifier lacks valid protocol prefix";
-
-	if (spi >= at)
-		return "no SPI in SA specifier";
-	switch (*spi) {
-	case '.':
-		af = AF_INET;
-		spi++;
-		base = 16;
-		break;
-	case ':':
-		af = AF_INET6;
-		spi++;
-		base = 16;
-		break;
-	default:
-		af = AF_UNSPEC;		/* not known yet */
-		base = 0;
-		break;
-	}
-	if (spi >= at)
-		return "no SPI found in SA specifier";
-	oops = ttoul(spi, at - spi, base, &ul);
-	if (oops != NULL)
-		return oops;
-	sa->spi = htonl(ul);
-
-	addr = at + 1;
-	alen = srclen - (addr - src);
-	if (af == AF_UNSPEC)
-		af = (memchr(addr, ':', alen) != NULL) ? AF_INET6 : AF_INET;
-	oops = ttoaddr(addr, alen, af, &sa->dst);
-	if (oops != NULL)
-		return oops;
-
-	return NULL;
-}
-
-
-
-#ifdef TTOSA_MAIN
-
-#include <stdio.h>
-
-void regress(void);
-
-int
-main(int argc, char *argv[])
-{
-	ip_said sa;
-	char buf[100];
-	char buf2[100];
-	const char *oops;
-	size_t n;
-
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s {ahnnn@aaa|-r}\n", argv[0]);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-
-	oops = ttosa(argv[1], 0, &sa);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	n = satot(&sa, 0, buf, sizeof(buf));
-	if (n > sizeof(buf)) {
-		fprintf(stderr, "%s: reverse conv of `%d'", argv[0], sa.proto);
-		fprintf(stderr, "%lx@", (long unsigned int)sa.spi);
-		(void) addrtot(&sa.dst, 0, buf2, sizeof(buf2));
-		fprintf(stderr, "%s", buf2);
-		fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
-						(long)n, (long)sizeof(buf));
-		exit(1);
-	}
-	printf("%s\n", buf);
-
-	exit(0);
-}
-
-struct rtab {
-	int format;
-#		define	FUDGE	0x1000
-	char *input;
-	char *output;			/* NULL means error expected */
-} rtab[] = {
-	{0, "esp257@1.2.3.0",		"esp.101@1.2.3.0"},
-	{0, "ah0x20@1.2.3.4",		"ah.20@1.2.3.4"},
-	{0, "tun20@1.2.3.4",		"tun.14@1.2.3.4"},
-	{0, "comp20@1.2.3.4",		"comp.14@1.2.3.4"},
-	{0, "esp257@::1",		"esp:101@::1"},
-	{0, "esp257@0bc:12de::1",	"esp:101@bc:12de::1"},
-	{0, "esp78@1049:1::8007:2040",	"esp:4e@1049:1::8007:2040"},
-	{0, "esp0x78@1049:1::8007:2040",	"esp:78@1049:1::8007:2040"},
-	{0, "ah78@1049:1::8007:2040",	"ah:4e@1049:1::8007:2040"},
-	{0, "ah0x78@1049:1::8007:2040",	"ah:78@1049:1::8007:2040"},
-	{0, "tun78@1049:1::8007:2040",	"tun:4e@1049:1::8007:2040"},
-	{0, "tun0x78@1049:1::8007:2040",	"tun:78@1049:1::8007:2040"},
-	{0, "duk99@3ffe:370:400:ff::9001:3001",	NULL},
-	{0, "esp78x@1049:1::8007:2040",	NULL},
-	{0, "esp0x78@1049:1:0xfff::8007:2040",	NULL},
-	{0, "es78@1049:1::8007:2040",	NULL},
-	{0, "",				NULL},
-	{0, "_",				NULL},
-	{0, "ah2.2",			NULL},
-	{0, "goo2@1.2.3.4",		NULL},
-	{0, "esp9@1.2.3.4",		"esp.9@1.2.3.4"},
-	{'f', "esp0xa9@1.2.3.4",		"esp.000000a9@1.2.3.4"},
-	{0, "espp9@1.2.3.4",		NULL},
-	{0, "es9@1.2.3.4",		NULL},
-	{0, "ah@1.2.3.4",		NULL},
-	{0, "esp7x7@1.2.3.4",		NULL},
-	{0, "esp77@1.0x2.3.4",		NULL},
-	{0, PASSTHROUGHNAME,		PASSTHROUGH4NAME},
-	{0, PASSTHROUGH6NAME,		PASSTHROUGH6NAME},
-	{0, "%pass",			"%pass"},
-	{0, "int256@0.0.0.0",		"%pass"},
-	{0, "%drop",			"%drop"},
-	{0, "int257@0.0.0.0",		"%drop"},
-	{0, "%reject",			"%reject"},
-	{0, "int258@0.0.0.0",		"%reject"},
-	{0, "%hold",			"%hold"},
-	{0, "int259@0.0.0.0",		"%hold"},
-	{0, "%trap",			"%trap"},
-	{0, "int260@0.0.0.0",		"%trap"},
-	{0, "%trapsubnet",		"%trapsubnet"},
-	{0, "int261@0.0.0.0",		"%trapsubnet"},
-	{0, "int262@0.0.0.0",		"int.106@0.0.0.0"},
-	{FUDGE, "esp9@1.2.3.4",		"unk77.9@1.2.3.4"},
-	{0, NULL,			NULL}
-};
-
-void
-regress(void)
-{
-	struct rtab *r;
-	int status = 0;
-	ip_said sa;
-	char in[100];
-	char buf[100];
-	const char *oops;
-	size_t n;
-
-	for (r = rtab; r->input != NULL; r++) {
-		strcpy(in, r->input);
-		oops = ttosa(in, 0, &sa);
-		if (oops != NULL && r->output == NULL)
-			{}		/* okay, error expected */
-		else if (oops != NULL) {
-			printf("`%s' ttosa failed: %s\n", r->input, oops);
-			status = 1;
-		} else if (r->output == NULL) {
-			printf("`%s' ttosa succeeded unexpectedly\n",
-								r->input);
-			status = 1;
-		} else {
-			if (r->format&FUDGE)
-				sa.proto = 77;
-			n = satot(&sa, (char)r->format, buf, sizeof(buf));
-			if (n > sizeof(buf)) {
-				printf("`%s' satot failed:  need %ld\n",
-							r->input, (long)n);
-				status = 1;
-			} else if (strcmp(r->output, buf) != 0) {
-				printf("`%s' gave `%s', expected `%s'\n",
-						r->input, buf, r->output);
-				status = 1;
-			}
-		}
-	}
-	exit(status);
-}
-
-#endif /* TTOSA_MAIN */
diff --git a/src/libfreeswan/ttosubnet.c b/src/libfreeswan/ttosubnet.c
deleted file mode 100644
index a18a3f326..000000000
--- a/src/libfreeswan/ttosubnet.c
+++ /dev/null
@@ -1,296 +0,0 @@
-/*
- * convert from text form of subnet specification to binary
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include <sys/socket.h>
-
-#include "internal.h"
-#include "freeswan.h"
-
-#ifndef DEFAULTSUBNET
-#define	DEFAULTSUBNET	"%default"
-#endif
-
-/*
- - ttosubnet - convert text "addr/mask" to address and mask
- * Mask can be integer bit count.
- */
-err_t
-ttosubnet(src, srclen, af, dst)
-const char *src;
-size_t srclen;			/* 0 means "apply strlen" */
-int af;				/* AF_INET or AF_INET6 */
-ip_subnet *dst;
-{
-	const char *slash;
-	const char *colon;
-	const char *mask;
-	size_t mlen;
-	const char *oops;
-	unsigned long bc;
-	static char def[] = DEFAULTSUBNET;
-#	define	DEFLEN	(sizeof(def) - 1)	/* -1 for NUL */
-	static char defis4[] = "0/0";
-#	define	DEFIS4LEN	(sizeof(defis4) - 1)
-	static char defis6[] = "::/0";
-#	define	DEFIS6LEN	(sizeof(defis6) - 1)
-	ip_address addrtmp;
-	ip_address masktmp;
-	int nbits;
-	int i;
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-
-	switch (af) {
-	case AF_INET:
-		nbits = 32;
-		break;
-	case AF_INET6:
-		nbits = 128;
-		break;
-	default:
-		return "unknown address family in ttosubnet";
-		break;
-	}
-
-	if (srclen == DEFLEN && strncmp(src, def, srclen) == 0) {
-		src = (af == AF_INET) ? defis4 : defis6;
-		srclen = (af == AF_INET) ? DEFIS4LEN : DEFIS6LEN;
-	}
-
-	slash = memchr(src, '/', srclen);
-	if (slash == NULL)
-		return "no / in subnet specification";
-	mask = slash + 1;
-	mlen = srclen - (mask - src);
-
-	oops = ttoaddr(src, slash-src, af, &addrtmp);
-	if (oops != NULL)
-		return oops;
-
-	/* extract port */
-	colon = memchr(mask, ':', mlen);
-	if (colon == 0)
-	{
-		setportof(0, &addrtmp);
-	}
-	else
-	{
-		long port;
-
-		oops =  ttoul(colon+1, mlen-(colon-mask+1), 10, &port);
-		if (oops != NULL)
-			return oops;
-		setportof(htons(port), &addrtmp);
-		mlen = colon - mask;
-	}
-
-	/*extract mask */
-	oops = ttoul(mask, mlen, 10, &bc);
-	if (oops == NULL) {
-		/* ttoul succeeded, it's a bit-count mask */
-		if (bc > nbits)
-			return "subnet mask bit count too large";
-		i = bc;
-	} else {
-		oops = ttoaddr(mask, mlen, af, &masktmp);
-		if (oops != NULL)
-			return oops;
-		i = masktocount(&masktmp);
-		if (i < 0)
-			return "non-contiguous or otherwise erroneous mask";
-	}
-
-	return initsubnet(&addrtmp, i, '0', dst);
-}
-
-
-
-#ifdef TTOSUBNET_MAIN
-
-#include <stdio.h>
-
-void regress(void);
-
-int main(int argc, char *argv[])
-{
-	ip_subnet s;
-	char buf[100];
-	char buf2[100];
-	const char *oops;
-	size_t n;
-	int af;
-	char *p;
-
-	if (argc < 2) {
-		fprintf(stderr, "Usage: %s [-6] addr/mask\n", argv[0]);
-		fprintf(stderr, "   or: %s -r\n", argv[0]);
-		exit(2);
-	}
-
-	if (strcmp(argv[1], "-r") == 0) {
-		regress();
-		fprintf(stderr, "regress() returned?!?\n");
-		exit(1);
-	}
-
-	af = AF_INET;
-	p = argv[1];
-	if (strcmp(argv[1], "-6") == 0) {
-		af = AF_INET6;
-		p = argv[2];
-	} else if (strchr(argv[1], ':') != NULL)
-		af = AF_INET6;
-
-	oops = ttosubnet(p, 0, af, &s);
-	if (oops != NULL) {
-		fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
-		exit(1);
-	}
-	n = subnettot(&s, 0, buf, sizeof(buf));
-	if (n > sizeof(buf)) {
-		fprintf(stderr, "%s: reverse conversion of ", argv[0]);
-		(void) addrtot(&s.addr, 0, buf2, sizeof(buf2));
-		fprintf(stderr, "%s/", buf2);
-		fprintf(stderr, "%d", s.maskbits);
-		fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
-						(long)n, (long)sizeof(buf));
-		exit(1);
-	}
-	printf("%s\n", buf);
-
-	exit(0);
-}
-
-struct rtab {
-	int family;
-	char *input;
-	char *output;			/* NULL means error expected */
-} rtab[] = {
-	{4, "1.2.3.0/255.255.255.0",	"1.2.3.0/24"},
-	{4, "1.2.3.0/24",		"1.2.3.0/24"},
-	{4, "1.2.3.0/24:10",		"1.2.3.0/24:10"},
-	{4, "1.2.3.0/24:-1",		NULL},
-	{4, "1.2.3.0/24:none",		NULL},
-	{4, "1.2.3.0/24:",		NULL},
-	{4, "1.2.3.0/24:0x10",		"1.2.3.0/24:16"},
-	{4, "1.2.3.0/24:0X10",		"1.2.3.0/24:16"},
-	{4, "1.2.3.0/24:010",		"1.2.3.0/24:8"},
-	{4, "1.2.3.1/255.255.255.240",	"1.2.3.0/28"},
-	{4, "1.2.3.1/32",		"1.2.3.1/32"},
-	{4, "1.2.3.1/0",			"0.0.0.0/0"},
-/*	{4, "1.2.3.1/255.255.127.0",	"1.2.3.0/255.255.127.0"},	*/
-	{4, "1.2.3.1/255.255.127.0",	NULL},
-	{4, "128.009.000.032/32",	"128.9.0.32/32"},
-	{4, "128.0x9.0.32/32",		NULL},
-	{4, "0x80090020/32",		"128.9.0.32/32"},
-	{4, "0x800x0020/32",		NULL},
-	{4, "128.9.0.32/0xffFF0000",	"128.9.0.0/16"},
-	{4, "128.9.0.32/0xff0000FF",	NULL},
-	{4, "128.9.0.32/0x0000ffFF",	NULL},
-	{4, "128.9.0.32/0x00ffFF0000",	NULL},
-	{4, "128.9.0.32/0xffFF",	NULL},
-	{4, "128.9.0.32.27/32",		NULL},
-	{4, "128.9.0k32/32",		NULL},
-	{4, "328.9.0.32/32",		NULL},
-	{4, "128.9..32/32",		NULL},
-	{4, "10/8",			"10.0.0.0/8"},
-	{4, "10.0/8",			"10.0.0.0/8"},
-	{4, "10.0.0/8",			"10.0.0.0/8"},
-	{4, "10.0.1/24",			"10.0.1.0/24"},
-	{4, "_",				NULL},
-	{4, "_/_",			NULL},
-	{4, "1.2.3.1",			NULL},
-	{4, "1.2.3.1/_",			NULL},
-	{4, "1.2.3.1/24._",		NULL},
-	{4, "1.2.3.1/99",		NULL},
-	{4, "localhost/32", 		"127.0.0.1/32"},
-	{4, "%default",			"0.0.0.0/0"},
-	{6, "3049:1::8007:2040/0",	"::/0"},
-	{6, "3049:1::8007:2040/128",	"3049:1::8007:2040/128"},
-	{6, "3049:1::192.168.0.1/128", NULL},	/*"3049:1::c0a8:1/128",*/
-	{6, "3049:1::8007::2040/128",	NULL},
-	{6, "3049:1::8007:2040/ffff::0",	"3049::/16"},
-	{6, "3049:1::8007:2040/64",	"3049:1::/64"},
-	{6, "3049:1::8007:2040/ffff::",	"3049::/16"},
-	{6, "3049:1::8007:2040/0000:ffff::0",	NULL},
-	{6, "3049:1::8007:2040/ff1f::0",	NULL},
-	{6, "3049:1::8007:x:2040/128",	NULL},
-	{6, "3049:1t::8007:2040/128",	NULL},
-	{6, "3049:1::80071:2040/128",	NULL},
-	{6, "::/21",			"::/21"},
-	{6, "::1/128",			"::1/128"},
-	{6, "1::/21",			"1::/21"},
-	{6, "1::2/128",			"1::2/128"},
-	{6, "1:0:0:0:0:0:0:2/128",	"1::2/128"},
-	{6, "1:0:0:0:3:0:0:2/128",	"1::3:0:0:2/128"},
-	{6, "1:0:0:3:0:0:0:2/128",	"1::3:0:0:0:2/128"},
-	{6, "1:0:3:0:0:0:0:2/128",	"1:0:3::2/128"},
-	{6, "abcd:ef01:2345:6789:0:00a:000:20/128",	"abcd:ef01:2345:6789:0:a:0:20/128"},
-	{6, "3049:1::8007:2040/ffff:ffff:",	NULL},
-	{6, "3049:1::8007:2040/ffff:88::",	NULL},
-	{6, "3049:12::9000:3200/ffff:fff0::",	"3049:10::/28"},
-	{6, "3049:12::9000:3200/28",	"3049:10::/28"},
-	{6, "3049:12::9000:3200/ff00:::",	NULL},
-	{6, "3049:12::9000:3200/ffff:::",	NULL},
-	{6, "3049:12::9000:3200/128_",	NULL},
-	{6, "3049:12::9000:3200/",	NULL},
-	{6, "%default",			"::/0"},
-        {4, NULL,			NULL}
-};
-
-void
-regress(void)
-{
-	struct rtab *r;
-	int status = 0;
-	ip_subnet s;
-	char in[100];
-	char buf[100];
-	const char *oops;
-	size_t n;
-	int af;
-
-	for (r = rtab; r->input != NULL; r++) {
-		af = (r->family == 4) ? AF_INET : AF_INET6;
-		strcpy(in, r->input);
-		oops = ttosubnet(in, 0, af, &s);
-		if (oops != NULL && r->output == NULL)
-			{}		/* okay, error expected */
-		else if (oops != NULL) {
-			printf("`%s' ttosubnet failed: %s\n", r->input, oops);
-			status = 1;
-		} else if (r->output == NULL) {
-			printf("`%s' ttosubnet succeeded unexpectedly\n",
-								r->input);
-			status = 1;
-		} else {
-			n = subnettot(&s, 0, buf, sizeof(buf));
-			if (n > sizeof(buf)) {
-				printf("`%s' subnettot failed:  need %ld\n",
-							r->input, (long)n);
-				status = 1;
-			} else if (strcmp(r->output, buf) != 0) {
-				printf("`%s' gave `%s', expected `%s'\n",
-						r->input, buf, r->output);
-				status = 1;
-			}
-		}
-	}
-	exit(status);
-}
-
-#endif /* TTOSUBNET_MAIN */
diff --git a/src/libfreeswan/ttoul.3 b/src/libfreeswan/ttoul.3
deleted file mode 100644
index ffd9fb38a..000000000
--- a/src/libfreeswan/ttoul.3
+++ /dev/null
@@ -1,191 +0,0 @@
-.TH IPSEC_TTOUL 3 "16 Aug 2000"
-.SH NAME
-ipsec ttoul, ultot \- convert unsigned-long numbers to and from text
-.SH SYNOPSIS
-.B "#include <freeswan.h>
-.sp
-.B "const char *ttoul(const char *src, size_t srclen,"
-.ti +1c
-.B "int base, unsigned long *n);"
-.br
-.B "size_t ultot(unsigned long n, int format, char *dst,"
-.ti +1c
-.B "size_t dstlen);"
-.SH DESCRIPTION
-.I Ttoul
-converts a text-string number into a binary
-.B "unsigned long"
-value.
-.I Ultot
-does the reverse conversion, back to a text version.
-.PP
-Numbers are specified in text as
-decimal (e.g.
-.BR 123 ),
-octal with a leading zero (e.g.
-.BR 012 ,
-which has value 10),
-or hexadecimal with a leading
-.B 0x
-(e.g.
-.BR 0x1f ,
-which has value 31)
-in either upper or lower case.
-.PP
-The
-.I srclen
-parameter of
-.I ttoul
-specifies the length of the string pointed to by
-.IR src ;
-it is an error for there to be anything else
-(e.g., a terminating NUL) within that length.
-As a convenience for cases where an entire NUL-terminated string is
-to be converted,
-a
-.I srclen
-value of
-.B 0
-is taken to mean
-.BR strlen(src) .
-.PP
-The
-.I base
-parameter of
-.I ttoul
-can be
-.BR 8 ,
-.BR 10 ,
-or
-.BR 16 ,
-in which case the number supplied is assumed to be of that form
-(and in the case of
-.BR 16 ,
-to lack any
-.B 0x
-prefix).
-It can also be
-.BR 0 ,
-in which case the number is examined for a leading zero
-or a leading
-.B 0x
-to determine its base.
-.PP
-The
-.I dstlen
-parameter of
-.I ultot
-specifies the size of the
-.I dst
-parameter;
-under no circumstances are more than
-.I dstlen
-bytes written to
-.IR dst .
-A result which will not fit is truncated.
-.I Dstlen
-can be zero, in which case
-.I dst
-need not be valid and no result is written,
-but the return value is unaffected;
-in all other cases, the (possibly truncated) result is NUL-terminated.
-The
-.I freeswan.h
-header file defines a constant,
-.BR ULTOT_BUF ,
-which is the size of a buffer just large enough for worst-case results.
-.PP
-The
-.I format
-parameter of
-.I ultot
-must be one of:
-.RS
-.IP \fB'o'\fR 4
-octal conversion with leading
-.B 0
-.IP \fB\ 8\fR
-octal conversion with no leading
-.B 0
-.IP \fB'd'\fR
-decimal conversion
-.IP \fB10\fR
-same as
-.B d
-.IP \fB'x'\fR
-hexadecimal conversion, including leading
-.B 0x
-.IP \fB16\fR
-hexadecimal conversion with no leading
-.B 0x
-.IP \fB17\fR
-like
-.B 16
-except padded on left with
-.BR 0 s
-to eight digits (full width of a 32-bit number)
-.RE
-.PP
-.I Ttoul
-returns NULL for success and
-a pointer to a string-literal error message for failure;
-see DIAGNOSTICS.
-.I Ultot
-returns
-.B 0
-for a failure, and otherwise
-returns the size of buffer which would 
-be needed to
-accommodate the full conversion result, including terminating NUL
-(it is the caller's responsibility to check this against the size of
-the provided buffer to determine whether truncation has occurred).
-.SH SEE ALSO
-atol(3), strtoul(3)
-.SH DIAGNOSTICS
-Fatal errors in
-.I ttoul
-are:
-empty input;
-unknown
-.IR base ;
-non-digit character found;
-number too large for an
-.BR "unsigned long" .
-.PP
-Fatal errors in
-.I ultot
-are:
-unknown
-.IR format .
-.SH HISTORY
-Written for the FreeS/WAN project by Henry Spencer.
-.SH BUGS
-Conversion of
-.B 0
-with format
-.B o
-yields
-.BR 00 .
-.PP
-.I Ultot
-format
-.B 17
-is a bit of a kludge.
-.PP
-The restriction of error reports to literal strings
-(so that callers don't need to worry about freeing them or copying them)
-does limit the precision of error reporting.
-.PP
-The error-reporting convention lends itself to slightly obscure code,
-because many readers will not think of NULL as signifying success.
-A good way to make it clearer is to write something like:
-.PP
-.RS
-.nf
-.B "const char *error;"
-.sp
-.B "error = ttoul( /* ... */ );"
-.B "if (error != NULL) {"
-.B "        /* something went wrong */"
-.fi
-.RE
diff --git a/src/libfreeswan/ttoul.c b/src/libfreeswan/ttoul.c
deleted file mode 100644
index 7524789c4..000000000
--- a/src/libfreeswan/ttoul.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * convert from text form of unsigned long to binary
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - ttoul - convert text substring to unsigned long number
- */
-const char *			/* NULL for success, else string literal */
-ttoul(src, srclen, base, resultp)
-const char *src;
-size_t srclen;			/* 0 means strlen(src) */
-int base;			/* 0 means figure it out */
-unsigned long *resultp;
-{
-	const char *stop;
-	static char hex[] = "0123456789abcdef";
-	static char uchex[] = "0123456789ABCDEF";
-	int d;
-	char c;
-	char *p;
-	unsigned long r;
-	unsigned long rlimit;
-	int dlimit;
-
-	if (srclen == 0)
-		srclen = strlen(src);
-	if (srclen == 0)
-		return "empty string";
-
-	if (base == 0) {
-		if (srclen > 2 && *src == '0' &&
-					(*(src+1) == 'x' || *(src+1) == 'X'))
-			return ttoul(src+2, srclen-2, 16, resultp);
-		if (srclen > 1 && *src == '0')
-			return ttoul(src+1, srclen-1, 8, resultp);
-		return ttoul(src, srclen, 10, resultp);
-	}
-	if (base != 8 && base != 10 && base != 16)
-		return "unsupported number base";
-
-	r = 0;
-	stop = src + srclen;
-	if (base == 16) {
-		while (src < stop) {
-			c = *src++;
-			p = strchr(hex, c);
-			if (p != NULL)
-				d = p - hex;
-			else {
-				p = strchr(uchex, c);
-				if (p == NULL)
-					return "non-hex digit in hex number";
-				d = p - uchex;
-			}
-			r = (r << 4) | d;
-		}
-		/* defer length check to catch invalid digits first */
-		if (srclen > sizeof(unsigned long) * 2)
-			return "hex number too long";
-	} else {
-		rlimit = ULONG_MAX / base;
-		dlimit = (int)(ULONG_MAX - rlimit*base);
-		while (src < stop) {
-			c = *src++;
-			d = c - '0';
-			if (d < 0 || d >= base)
-				return "non-digit in number";
-			if (r > rlimit || (r == rlimit && d > dlimit))
-				return "unsigned-long overflow";
-			r = r*base + d;
-		}
-	}
-
-	*resultp = r;
-	return NULL;
-}
diff --git a/src/libfreeswan/ultoa.c b/src/libfreeswan/ultoa.c
deleted file mode 100644
index 16ddd2c1e..000000000
--- a/src/libfreeswan/ultoa.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * convert unsigned long to ASCII
- * Copyright (C) 1998, 1999  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - ultoa - convert unsigned long to decimal ASCII
- */
-size_t				/* length required for full conversion */
-ultoa(n, base, dst, dstlen)
-unsigned long n;
-int base;
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	char buf[3*sizeof(unsigned long) + 1];
-	char *bufend = buf + sizeof(buf);
-	size_t len;
-	char *p;
-	static char hex[] = "0123456789abcdef";
-
-	p = bufend;
-	*--p = '\0';
-	if (base == 10) {
-		do {
-			*--p = n%10 + '0';
-			n /= 10;
-		} while (n != 0);
-	} else if (base == 16) {
-		do {
-			*--p = hex[n&0xf];
-			n >>= 4;
-		} while (n != 0);
-		*--p = 'x';
-		*--p = '0';
-	} else if (base == 8) {
-		do {
-			*--p = (n&07) + '0';
-			n >>= 3;
-		} while (n != 0);
-		*--p = '0';
-	} else
-		*--p = '?';
-
-	len = bufend - p;
-
-	if (dstlen > 0) {
-		if (len > dstlen)
-			*(p + dstlen - 1) = '\0';
-		strcpy(dst, p);
-	}
-	return len;
-}
diff --git a/src/libfreeswan/ultot.c b/src/libfreeswan/ultot.c
deleted file mode 100644
index 6685f8f7c..000000000
--- a/src/libfreeswan/ultot.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * convert unsigned long to text
- * Copyright (C) 2000  Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - ultot - convert unsigned long to text
- */
-size_t				/* length required for full conversion */
-ultot(n, base, dst, dstlen)
-unsigned long n;
-int base;
-char *dst;			/* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
-	char buf[3*sizeof(unsigned long) + 1];
-	char *bufend = buf + sizeof(buf);
-	size_t len;
-	char *p;
-	static char hex[] = "0123456789abcdef";
-#	define	HEX32	(32/4)
-
-	p = bufend;
-	*--p = '\0';
-	switch (base) {
-	case 10:
-	case 'd':
-		do {
-			*--p = n%10 + '0';
-			n /= 10;
-		} while (n != 0);
-		break;
-	case 16:
-	case 17:
-	case 'x':
-		do {
-			*--p = hex[n&0xf];
-			n >>= 4;
-		} while (n != 0);
-		if (base == 17)
-			while (bufend - p < HEX32 + 1)
-				*--p = '0';
-		if (base == 'x') {
-			*--p = 'x';
-			*--p = '0';
-		}
-		break;
-	case 8:
-	case 'o':
-		do {
-			*--p = (n&07) + '0';
-			n >>= 3;
-		} while (n != 0);
-		if (base == 'o')
-			*--p = '0';
-		break;
-	default:
-		return 0;
-		break;
-	}
-
-	len = bufend - p;
-	if (dstlen > 0) {
-		if (len > dstlen)
-			*(p + dstlen - 1) = '\0';
-		strcpy(dst, p);
-	}
-	return len;
-}
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index 075f8dbcb..429feed55 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libhydra_la_SOURCES := \
 hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
@@ -13,6 +13,8 @@ kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
 kernel/kernel_net.c kernel/kernel_net.h \
 kernel/kernel_listener.h
 
+LOCAL_SRC_FILES := $(filter %.c,$(libhydra_la_SOURCES))
+
 # adding the plugin source files
 
 LOCAL_SRC_FILES += $(call add_plugin, attr)
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 1c7b3ba43..a2a164bd9 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -13,11 +13,11 @@ kernel/kernel_listener.h
 
 libhydra_la_LIBADD =
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DPLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DPLUGINDIR=\"${plugindir}\" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
 EXTRA_DIST = Android.mk
 
@@ -78,4 +78,3 @@ if MONOLITHIC
   libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
 endif
 endif
-
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index f452719dd..80da51c16 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -59,10 +76,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -86,6 +104,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
@@ -94,19 +118,35 @@ libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
 am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \
 	mem_pool.lo kernel_interface.lo kernel_ipsec.lo kernel_net.lo
 libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libhydra_la_SOURCES)
 DIST_SOURCES = $(libhydra_la_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -116,6 +156,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -155,21 +200,28 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -178,13 +230,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -197,6 +252,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -224,11 +280,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -236,6 +294,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,8 +303,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -254,14 +311,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -275,17 +337,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -295,16 +357,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -347,11 +408,11 @@ kernel/kernel_listener.h
 libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) \
 	$(am__append_8) $(am__append_10) $(am__append_12) \
 	$(am__append_14)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DPLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DPLUGINDIR=\"${plugindir}\" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \
@@ -401,7 +462,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -409,6 +469,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -430,8 +492,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
+libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -448,67 +510,67 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_pool.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 attributes.lo: attributes/attributes.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attributes.lo -MD -MP -MF $(DEPDIR)/attributes.Tpo -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attributes.Tpo $(DEPDIR)/attributes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attributes.c' object='attributes.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attributes.lo -MD -MP -MF $(DEPDIR)/attributes.Tpo -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/attributes.Tpo $(DEPDIR)/attributes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='attributes/attributes.c' object='attributes.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attributes.lo `test -f 'attributes/attributes.c' || echo '$(srcdir)/'`attributes/attributes.c
 
 attribute_manager.lo: attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.lo -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/attribute_manager.c' object='attribute_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT attribute_manager.lo -MD -MP -MF $(DEPDIR)/attribute_manager.Tpo -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/attribute_manager.Tpo $(DEPDIR)/attribute_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='attributes/attribute_manager.c' object='attribute_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o attribute_manager.lo `test -f 'attributes/attribute_manager.c' || echo '$(srcdir)/'`attributes/attribute_manager.c
 
 mem_pool.lo: attributes/mem_pool.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_pool.lo -MD -MP -MF $(DEPDIR)/mem_pool.Tpo -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mem_pool.Tpo $(DEPDIR)/mem_pool.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='attributes/mem_pool.c' object='mem_pool.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_pool.lo -MD -MP -MF $(DEPDIR)/mem_pool.Tpo -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mem_pool.Tpo $(DEPDIR)/mem_pool.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='attributes/mem_pool.c' object='mem_pool.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
 
 kernel_interface.lo: kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
 
 kernel_ipsec.lo: kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
 
 kernel_net.lo: kernel/kernel_net.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_net.lo -MD -MP -MF $(DEPDIR)/kernel_net.Tpo -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_net.Tpo $(DEPDIR)/kernel_net.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_net.c' object='kernel_net.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_net.lo -MD -MP -MF $(DEPDIR)/kernel_net.Tpo -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/kernel_net.Tpo $(DEPDIR)/kernel_net.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kernel/kernel_net.c' object='kernel_net.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_net.lo `test -f 'kernel/kernel_net.c' || echo '$(srcdir)/'`kernel/kernel_net.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -683,13 +745,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -727,10 +786,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/attributes/attribute_handler.h b/src/libhydra/attributes/attribute_handler.h
index d042f47ef..bc488f6cb 100644
--- a/src/libhydra/attributes/attribute_handler.h
+++ b/src/libhydra/attributes/attribute_handler.h
@@ -21,9 +21,9 @@
 #ifndef ATTRIBUTE_HANDLER_H_
 #define ATTRIBUTE_HANDLER_H_
 
-#include <chunk.h>
-#include <utils/host.h>
+#include <utils/chunk.h>
 #include <utils/identification.h>
+#include <collections/linked_list.h>
 
 #include "attributes.h"
 
@@ -62,11 +62,11 @@ struct attribute_handler_t {
 	 * Enumerate attributes to request from a server.
 	 *
 	 * @param server		server identity to request attributes from
-	 * @param vip			virtual IP we are requesting, if any
+	 * @param vips			list of virtual IPs (host_t*) we are requesting
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this,
-										identification_t *server, host_t *vip);
+								identification_t *server, linked_list_t *vips);
 };
 
 #endif /** ATTRIBUTE_HANDLER_H_ @}*/
diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c
index 95520531e..5fda8b426 100644
--- a/src/libhydra/attributes/attribute_manager.c
+++ b/src/libhydra/attributes/attribute_manager.c
@@ -15,8 +15,8 @@
 
 #include "attribute_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_attribute_manager_t private_attribute_manager_t;
@@ -51,17 +51,17 @@ struct private_attribute_manager_t {
  * Data to pass to enumerator filters
  */
 typedef struct {
-	/** attribute group pool */
-	char *pool;
+	/** attribute group pools */
+	linked_list_t *pools;
 	/** server/peer identity */
 	identification_t *id;
-	/** requesting/assigned virtual IP */
-	host_t *vip;
+	/** requesting/assigned virtual IPs */
+	linked_list_t *vips;
 } enum_data_t;
 
 METHOD(attribute_manager_t, acquire_address, host_t*,
-	private_attribute_manager_t *this, char *pool, identification_t *id,
-	host_t *requested)
+	private_attribute_manager_t *this, linked_list_t *pools,
+	identification_t *id, host_t *requested)
 {
 	enumerator_t *enumerator;
 	attribute_provider_t *current;
@@ -71,7 +71,7 @@ METHOD(attribute_manager_t, acquire_address, host_t*,
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		host = current->acquire_address(current, pool, id, requested);
+		host = current->acquire_address(current, pools, id, requested);
 		if (host)
 		{
 			break;
@@ -80,15 +80,11 @@ METHOD(attribute_manager_t, acquire_address, host_t*,
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
 
-	if (!host)
-	{
-		DBG1(DBG_CFG, "acquiring address from pool '%s' failed", pool);
-	}
 	return host;
 }
 
-METHOD(attribute_manager_t, release_address, void,
-	private_attribute_manager_t *this, char *pool, host_t *address,
+METHOD(attribute_manager_t, release_address, bool,
+	private_attribute_manager_t *this, linked_list_t *pools, host_t *address,
 	identification_t *id)
 {
 	enumerator_t *enumerator;
@@ -99,7 +95,7 @@ METHOD(attribute_manager_t, release_address, void,
 	enumerator = this->providers->create_enumerator(this->providers);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (current->release_address(current, pool, address, id))
+		if (current->release_address(current, pools, address, id))
 		{
 			found = TRUE;
 			break;
@@ -108,10 +104,7 @@ METHOD(attribute_manager_t, release_address, void,
 	enumerator->destroy(enumerator);
 	this->lock->unlock(this->lock);
 
-	if (!found)
-	{
-		DBG1(DBG_CFG, "releasing address to pool '%s' failed", pool);
-	}
+	return found;
 }
 
 /**
@@ -120,19 +113,21 @@ METHOD(attribute_manager_t, release_address, void,
 static enumerator_t *responder_enum_create(attribute_provider_t *provider,
 										   enum_data_t *data)
 {
-	return provider->create_attribute_enumerator(provider, data->pool,
-												 data->id, data->vip);
+	return provider->create_attribute_enumerator(provider, data->pools,
+												 data->id, data->vips);
 }
 
 METHOD(attribute_manager_t, create_responder_enumerator, enumerator_t*,
-	private_attribute_manager_t *this, char *pool, identification_t *id,
-	host_t *vip)
+	private_attribute_manager_t *this, linked_list_t *pools,
+	identification_t *id, linked_list_t *vips)
 {
-	enum_data_t *data = malloc_thing(enum_data_t);
+	enum_data_t *data;
 
-	data->pool = pool;
-	data->id = id;
-	data->vip = vip;
+	INIT(data,
+		.pools = pools,
+		.id = id,
+		.vips = vips,
+	);
 	this->lock->read_lock(this->lock);
 	return enumerator_create_cleaner(
 				enumerator_create_nested(
@@ -238,8 +233,8 @@ typedef struct {
 	enumerator_t *inner;
 	/** server ID we want attributes for */
 	identification_t *id;
-	/** virtual IP we are requesting along with attriubutes */
-	host_t *vip;
+	/** virtual IPs we are requesting along with attriubutes */
+	linked_list_t *vips;
 } initiator_enumerator_t;
 
 /**
@@ -259,7 +254,7 @@ static bool initiator_enumerate(initiator_enumerator_t *this,
 		}
 		DESTROY_IF(this->inner);
 		this->inner = this->handler->create_attribute_enumerator(this->handler,
-														this->id, this->vip);
+														this->id, this->vips);
 	}
 	/* inject the handler as additional attribute */
 	*handler = this->handler;
@@ -278,20 +273,22 @@ static void initiator_destroy(initiator_enumerator_t *this)
 }
 
 METHOD(attribute_manager_t, create_initiator_enumerator, enumerator_t*,
-	private_attribute_manager_t *this, identification_t *id, host_t *vip)
+	private_attribute_manager_t *this, identification_t *id, linked_list_t *vips)
 {
-	initiator_enumerator_t *enumerator = malloc_thing(initiator_enumerator_t);
+	initiator_enumerator_t *enumerator;
 
 	this->lock->read_lock(this->lock);
-	enumerator->public.enumerate = (void*)initiator_enumerate;
-	enumerator->public.destroy = (void*)initiator_destroy;
-	enumerator->this = this;
-	enumerator->id = id;
-	enumerator->vip = vip;
-	enumerator->outer = this->handlers->create_enumerator(this->handlers);
-	enumerator->inner = NULL;
-	enumerator->handler = NULL;
 
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)initiator_enumerate,
+			.destroy = (void*)initiator_destroy,
+		},
+		.this = this,
+		.id = id,
+		.vips = vips,
+		.outer = this->handlers->create_enumerator(this->handlers),
+	);
 	return &enumerator->public;
 }
 
diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libhydra/attributes/attribute_manager.h
index 56afef7c6..99f41772c 100644
--- a/src/libhydra/attributes/attribute_manager.h
+++ b/src/libhydra/attributes/attribute_manager.h
@@ -39,35 +39,38 @@ struct attribute_manager_t {
 	/**
 	 * Acquire a virtual IP address to assign to a peer.
 	 *
-	 * @param pool			pool name to acquire address from
+	 * @param pools			list of pool names (char*) to acquire from
 	 * @param id			peer identity to get address forua
 	 * @param requested		IP in configuration request
 	 * @return				allocated address, NULL to serve none
 	 */
 	host_t* (*acquire_address)(attribute_manager_t *this,
-							   char *pool, identification_t *id,
+							   linked_list_t *pool, identification_t *id,
 							   host_t *requested);
 
 	/**
 	 * Release a previously acquired address.
 	 *
-	 * @param pool			pool name from which the address was acquired
+	 * @param pools			list of pool names (char*) to release to
 	 * @param address		address to release
 	 * @param id			peer identity to get address for
+	 * @return				TRUE if address released to pool
 	 */
-	void (*release_address)(attribute_manager_t *this,
-							char *pool, host_t *address, identification_t *id);
+	bool (*release_address)(attribute_manager_t *this,
+							linked_list_t *pools, host_t *address,
+							identification_t *id);
 
 	/**
 	 * Create an enumerator over attributes to hand out to a peer.
 	 *
-	 * @param pool			pool name to get attributes from
+	 * @param pool			list of pools names (char*) to query attributes from
 	 * @param id			peer identity to hand out attributes to
-	 * @param vip			virtual IP to assign to peer, if any
+	 * @param vip			list of virtual IPs (host_t*) to assign to peer
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this,
-								char *pool, identification_t *id, host_t *vip);
+									linked_list_t *pool, identification_t *id,
+									linked_list_t *vips);
 
 	/**
 	 * Register an attribute provider to the manager.
@@ -114,11 +117,11 @@ struct attribute_manager_t {
 	 * Create an enumerator over attributes to request from server.
 	 *
 	 * @param id			server identity to hand out attributes to
-	 * @param vip			virtual IP going to request, if any
+	 * @param vip			list of virtual IPs (host_t*) going to request
 	 * @return				enumerator (attribute_handler_t, ca_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this,
-											identification_t *id, host_t *vip);
+									identification_t *id, linked_list_t *vips);
 
 	/**
 	 * Register an attribute handler to the manager.
diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h
index e4b4e13f3..adfd4a516 100644
--- a/src/libhydra/attributes/attribute_provider.h
+++ b/src/libhydra/attributes/attribute_provider.h
@@ -21,8 +21,9 @@
 #ifndef ATTRIBUTE_PROVIDER_H_
 #define ATTRIBUTE_PROVIDER_H_
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
+#include <collections/linked_list.h>
 
 typedef struct attribute_provider_t attribute_provider_t;
 
@@ -34,35 +35,37 @@ struct attribute_provider_t {
 	/**
 	 * Acquire a virtual IP address to assign to a peer.
 	 *
-	 * @param pool			name of the pool to acquire address from
+	 * @param pools			list of pool names (char*) to acquire from
 	 * @param id			peer ID
 	 * @param requested		IP in configuration request
 	 * @return				allocated address, NULL to serve none
 	 */
 	host_t* (*acquire_address)(attribute_provider_t *this,
-							   char *pool, identification_t *id,
+							   linked_list_t *pools, identification_t *id,
 							   host_t *requested);
 	/**
 	 * Release a previously acquired address.
 	 *
-	 * @param pool			name of the pool this address was acquired from
+	 * @param pools			list of pool names (char*) to release to
 	 * @param address		address to release
 	 * @param id			peer ID
 	 * @return				TRUE if the address has been released by the provider
 	 */
 	bool (*release_address)(attribute_provider_t *this,
-							char *pool, host_t *address, identification_t *id);
+							linked_list_t *pools, host_t *address,
+							identification_t *id);
 
 	/**
 	 * Create an enumerator over attributes to hand out to a peer.
 	 *
-	 * @param pool			pool name to get attributes from
+	 * @param pool			list of pools names (char*) to query attributes from
 	 * @param id			peer ID
-	 * @param vip			virtual IP to assign to peer, if any
+	 * @param vip			list of virtual IPs (host_t*) to assign to peer
 	 * @return				enumerator (configuration_attribute_type_t, chunk_t)
 	 */
 	enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
-							char *pool, identification_t *id, host_t *vip);
+									linked_list_t *pools, identification_t *id,
+									linked_list_t *vips);
 };
 
 #endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h
index 8ff774b64..c3c37cfc4 100644
--- a/src/libhydra/attributes/attributes.h
+++ b/src/libhydra/attributes/attributes.h
@@ -24,7 +24,7 @@
 
 typedef enum configuration_attribute_type_t configuration_attribute_type_t;
 
-#include <enum.h>
+#include <utils/enum.h>
 
 /**
  * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 8af97dc78..77567ce48 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -16,12 +16,14 @@
 
 #include "mem_pool.h"
 
-#include <debug.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
+#include <library.h>
+#include <hydra.h>
+#include <utils/debug.h>
+#include <collections/hashtable.h>
+#include <collections/array.h>
 #include <threading/mutex.h>
 
-#define POOL_LIMIT (sizeof(uintptr_t)*8)
+#define POOL_LIMIT (sizeof(u_int)*8 - 1)
 
 typedef struct private_mem_pool_t private_mem_pool_t;
 
@@ -63,6 +65,11 @@ struct private_mem_pool_t {
 	 * lock to safely access the pool
 	 */
 	mutex_t *mutex;
+
+	/**
+	 * Do we reassign online leases to the same identity, if requested?
+	 */
+	bool reassign_online;
 };
 
 /**
@@ -71,13 +78,28 @@ struct private_mem_pool_t {
 typedef struct {
 	/* identitiy reference */
 	identification_t *id;
-	/* list of online leases, as offset */
-	linked_list_t *online;
-	/* list of offline leases, as offset */
-	linked_list_t *offline;
+	/* array of online leases, as u_int offset */
+	array_t *online;
+	/* array of offline leases, as u_int offset */
+	array_t *offline;
 } entry_t;
 
 /**
+ * Create a new entry
+ */
+static entry_t* entry_create(identification_t *id)
+{
+	entry_t *entry;
+
+	INIT(entry,
+		.id = id->clone(id),
+		.online = array_create(sizeof(u_int), 0),
+		.offline = array_create(sizeof(u_int), 0),
+	);
+	return entry;
+}
+
+/**
  * hashtable hash function for identities
  */
 static u_int id_hash(identification_t *id)
@@ -162,6 +184,12 @@ METHOD(mem_pool_t, get_name, const char*,
 	return this->name;
 }
 
+METHOD(mem_pool_t, get_base, host_t*,
+	private_mem_pool_t *this)
+{
+	return this->base;
+}
+
 METHOD(mem_pool_t, get_size, u_int,
 	private_mem_pool_t *this)
 {
@@ -179,7 +207,7 @@ METHOD(mem_pool_t, get_online, u_int,
 	enumerator = this->leases->create_enumerator(this->leases);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		count += entry->online->get_count(entry->online);
+		count += array_count(entry->online);
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
@@ -198,7 +226,7 @@ METHOD(mem_pool_t, get_offline, u_int,
 	enumerator = this->leases->create_enumerator(this->leases);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		count += entry->offline->get_count(entry->offline);
+		count += array_count(entry->offline);
 	}
 	enumerator->destroy(enumerator);
 	this->mutex->unlock(this->mutex);
@@ -206,99 +234,154 @@ METHOD(mem_pool_t, get_offline, u_int,
 	return count;
 }
 
-METHOD(mem_pool_t, acquire_address, host_t*,
-	private_mem_pool_t *this, identification_t *id, host_t *requested)
+/**
+ * Get an existing lease for id
+ */
+static int get_existing(private_mem_pool_t *this, identification_t *id,
+						host_t *requested)
 {
-	uintptr_t offset = 0, current;
 	enumerator_t *enumerator;
-	entry_t *entry, *old;
+	u_int *current;
+	entry_t *entry;
+	int offset = 0;
 
-	/* if the pool is empty (e.g. in the %config case) we simply return the
-	 * requested address */
-	if (this->size == 0)
+	entry = this->leases->get(this->leases, id);
+	if (!entry)
 	{
-		return requested->clone(requested);
+		return 0;
 	}
 
-	if (!requested->is_anyaddr(requested) &&
-		requested->get_family(requested) !=
-		this->base->get_family(this->base))
+	/* check for a valid offline lease, refresh */
+	enumerator = array_create_enumerator(entry->offline);
+	if (enumerator->enumerate(enumerator, &current))
 	{
-		DBG1(DBG_CFG, "IP pool address family mismatch");
-		return NULL;
+		offset = *current;
+		array_insert(entry->online, ARRAY_TAIL, current);
+		array_remove_at(entry->offline, enumerator);
 	}
-
-	this->mutex->lock(this->mutex);
-	while (TRUE)
+	enumerator->destroy(enumerator);
+	if (offset)
 	{
-		entry = this->leases->get(this->leases, id);
-		if (entry)
+		DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
+		return offset;
+	}
+	if (!this->reassign_online)
+	{
+		return 0;
+	}
+	/* check for a valid online lease to reassign */
+	enumerator = array_create_enumerator(entry->online);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (*current == host2offset(this, requested))
 		{
-			/* check for a valid offline lease, refresh */
-			enumerator = entry->offline->create_enumerator(entry->offline);
-			if (enumerator->enumerate(enumerator, &current))
-			{
-				entry->offline->remove_at(entry->offline, enumerator);
-				entry->online->insert_last(entry->online, (void*)current);
-				offset = current;
-			}
-			enumerator->destroy(enumerator);
-			if (offset)
-			{
-				DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
-				break;
-			}
-			/* check for a valid online lease to reassign */
-			enumerator = entry->online->create_enumerator(entry->online);
-			while (enumerator->enumerate(enumerator, &current))
-			{
-				if (current == host2offset(this, requested))
-				{
-					offset = current;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-			if (offset)
-			{
-				DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
-				break;
-			}
+			offset = *current;
+			/* add an additional "online" entry */
+			array_insert(entry->online, ARRAY_TAIL, current);
+			break;
 		}
-		else
+	}
+	enumerator->destroy(enumerator);
+	if (offset)
+	{
+		DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+	}
+	return offset;
+}
+
+/**
+ * Get a new lease for id
+ */
+static int get_new(private_mem_pool_t *this, identification_t *id)
+{
+	entry_t *entry;
+	u_int offset = 0;
+
+	if (this->unused < this->size)
+	{
+		entry = this->leases->get(this->leases, id);
+		if (!entry)
 		{
-			INIT(entry,
-				.id = id->clone(id),
-				.online = linked_list_create(),
-				.offline = linked_list_create(),
-			);
+			entry = entry_create(id);
 			this->leases->put(this->leases, entry->id, entry);
 		}
-		if (this->unused < this->size)
+		/* assigning offset, starting by 1 */
+		offset = ++this->unused;
+		array_insert(entry->online, ARRAY_TAIL, &offset);
+		DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
+	}
+	return offset;
+}
+
+/**
+ * Get a reassigned lease for id in case the pool is full
+ */
+static int get_reassigned(private_mem_pool_t *this, identification_t *id)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int current, offset = 0;
+
+	enumerator = this->leases->create_enumerator(this->leases);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		if (array_remove(entry->offline, ARRAY_HEAD, &current))
 		{
-			/* assigning offset, starting by 1 */
-			offset = ++this->unused;
-			entry->online->insert_last(entry->online, (void*)offset);
-			DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
+			offset = current;
+			DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
+				 " to '%Y'", entry->id, id);
 			break;
 		}
+	}
+	enumerator->destroy(enumerator);
 
-		/* no more addresses, replace the first found offline lease */
-		enumerator = this->leases->create_enumerator(this->leases);
-		while (enumerator->enumerate(enumerator, NULL, &old))
-		{
-			if (old->offline->remove_first(old->offline,
-										   (void**)&current) == SUCCESS)
+	if (offset)
+	{
+		entry = entry_create(id);
+		array_insert(entry->online, ARRAY_TAIL, &offset);
+		this->leases->put(this->leases, entry->id, entry);
+	}
+	return offset;
+}
+
+METHOD(mem_pool_t, acquire_address, host_t*,
+	private_mem_pool_t *this, identification_t *id, host_t *requested,
+	mem_pool_op_t operation)
+{
+	int offset = 0;
+
+	/* if the pool is empty (e.g. in the %config case) we simply return the
+	 * requested address */
+	if (this->size == 0)
+	{
+		return requested->clone(requested);
+	}
+
+	if (requested->get_family(requested) !=
+		this->base->get_family(this->base))
+	{
+		return NULL;
+	}
+
+	this->mutex->lock(this->mutex);
+	switch (operation)
+	{
+		case MEM_POOL_EXISTING:
+			offset = get_existing(this, id, requested);
+			break;
+		case MEM_POOL_NEW:
+			offset = get_new(this, id);
+			break;
+		case MEM_POOL_REASSIGN:
+			offset = get_reassigned(this, id);
+			if (!offset)
 			{
-				offset = current;
-				entry->online->insert_last(entry->online, (void*)offset);
-				DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
-					 " to '%Y'", old->id, id);
-				break;
+				DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
+					 this->name);
 			}
-		}
-		enumerator->destroy(enumerator);
-		break;
+			break;
+		default:
+			break;
 	}
 	this->mutex->unlock(this->mutex);
 
@@ -306,20 +389,16 @@ METHOD(mem_pool_t, acquire_address, host_t*,
 	{
 		return offset2host(this, offset);
 	}
-	else
-	{
-		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
-			 this->name);
-	}
 	return NULL;
 }
 
 METHOD(mem_pool_t, release_address, bool,
 	private_mem_pool_t *this, host_t *address, identification_t *id)
 {
-	bool found = FALSE;
+	enumerator_t *enumerator;
+	bool found = FALSE, more = FALSE;
 	entry_t *entry;
-	uintptr_t offset;
+	u_int offset, *current;
 
 	if (this->size != 0)
 	{
@@ -328,11 +407,31 @@ METHOD(mem_pool_t, release_address, bool,
 		if (entry)
 		{
 			offset = host2offset(this, address);
-			if (entry->online->remove(entry->online, (void*)offset, NULL) > 0)
+
+			enumerator = array_create_enumerator(entry->online);
+			while (enumerator->enumerate(enumerator, &current))
 			{
+				if (*current == offset)
+				{
+					if (!found)
+					{	/* remove the first entry only */
+						array_remove_at(entry->online, enumerator);
+						found = TRUE;
+					}
+					else
+					{	/* but check for more entries */
+						more = TRUE;
+						break;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			if (found && !more)
+			{
+				/* no tunnels are online anymore for this lease, make offline */
+				array_insert(entry->offline, ARRAY_TAIL, &offset);
 				DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
-				entry->offline->insert_last(entry->offline, (void*)offset);
-				found = TRUE;
 			}
 		}
 		this->mutex->unlock(this->mutex);
@@ -363,7 +462,7 @@ typedef struct {
 METHOD(enumerator_t, lease_enumerate, bool,
 	lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online)
 {
-	uintptr_t offset;
+	u_int *offset;
 
 	DESTROY_IF(this->addr);
 	this->addr = NULL;
@@ -372,17 +471,17 @@ METHOD(enumerator_t, lease_enumerate, bool,
 	{
 		if (this->entry)
 		{
-			if (this->online->enumerate(this->online, (void**)&offset))
+			if (this->online->enumerate(this->online, &offset))
 			{
 				*id = this->entry->id;
-				*addr = this->addr = offset2host(this->pool, offset);
+				*addr = this->addr = offset2host(this->pool, *offset);
 				*online = TRUE;
 				return TRUE;
 			}
-			if (this->offline->enumerate(this->offline, (void**)&offset))
+			if (this->offline->enumerate(this->offline, &offset))
 			{
 				*id = this->entry->id;
-				*addr = this->addr = offset2host(this->pool, offset);
+				*addr = this->addr = offset2host(this->pool, *offset);
 				*online = FALSE;
 				return TRUE;
 			}
@@ -394,10 +493,8 @@ METHOD(enumerator_t, lease_enumerate, bool,
 		{
 			return FALSE;
 		}
-		this->online = this->entry->online->create_enumerator(
-														this->entry->online);
-		this->offline = this->entry->offline->create_enumerator(
-														this->entry->offline);
+		this->online = array_create_enumerator(this->entry->online);
+		this->offline = array_create_enumerator(this->entry->offline);
 	}
 }
 
@@ -439,8 +536,8 @@ METHOD(mem_pool_t, destroy, void,
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
 		entry->id->destroy(entry->id);
-		entry->online->destroy(entry->online);
-		entry->offline->destroy(entry->offline);
+		array_destroy(entry->online);
+		array_destroy(entry->offline);
 		free(entry);
 	}
 	enumerator->destroy(enumerator);
@@ -453,16 +550,16 @@ METHOD(mem_pool_t, destroy, void,
 }
 
 /**
- * Described in header
+ * Generic constructor
  */
-mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
+static private_mem_pool_t *create_generic(char *name)
 {
 	private_mem_pool_t *this;
-	int addr_bits;
 
 	INIT(this,
 		.public = {
 			.get_name = _get_name,
+			.get_base = _get_base,
 			.get_size = _get_size,
 			.get_online = _get_online,
 			.get_offline = _get_offline,
@@ -475,11 +572,26 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 		.leases = hashtable_create((hashtable_hash_t)id_hash,
 								   (hashtable_equals_t)id_equals, 16),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.reassign_online = lib->settings->get_bool(lib->settings,
+							"%s.mem-pool.reassign_online", FALSE, hydra->daemon),
 	);
 
+	return this;
+}
+
+/**
+ * Described in header
+ */
+mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
+{
+	private_mem_pool_t *this;
+	int addr_bits;
+
+	this = create_generic(name);
 	if (base)
 	{
 		addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
+		bits = max(0, min(bits, base->get_family(base) == AF_INET ? 32 : 128));
 		/* net bits -> host bits */
 		bits = addr_bits - bits;
 		if (bits > POOL_LIMIT)
@@ -488,12 +600,12 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 			DBG1(DBG_CFG, "virtual IP pool too large, limiting to %H/%d",
 				 base, addr_bits - bits);
 		}
-		this->size = 1 << (bits);
+		this->size = 1 << bits;
 
 		if (this->size > 2)
 		{	/* do not use first and last addresses of a block */
 			this->unused++;
-			this->size--;
+			this->size -= 2;
 		}
 		this->base = base->clone(base);
 	}
@@ -501,3 +613,37 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 	return &this->public;
 }
 
+/**
+ * Described in header
+ */
+mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to)
+{
+	private_mem_pool_t *this;
+	chunk_t fromaddr, toaddr;
+	u_int32_t diff;
+
+	fromaddr = from->get_address(from);
+	toaddr = to->get_address(to);
+
+	if (from->get_family(from) != to->get_family(to) ||
+		fromaddr.len != toaddr.len || fromaddr.len < sizeof(diff) ||
+		memcmp(fromaddr.ptr, toaddr.ptr, toaddr.len) > 0)
+	{
+		DBG1(DBG_CFG, "invalid IP address range: %H-%H", from, to);
+		return NULL;
+	}
+	if (fromaddr.len > sizeof(diff) &&
+		!chunk_equals(chunk_create(fromaddr.ptr, fromaddr.len - sizeof(diff)),
+					  chunk_create(toaddr.ptr, toaddr.len - sizeof(diff))))
+	{
+		DBG1(DBG_CFG, "IP address range too large: %H-%H", from, to);
+		return NULL;
+	}
+	this = create_generic(name);
+	this->base = from->clone(from);
+	diff = untoh32(toaddr.ptr + toaddr.len - sizeof(diff)) -
+		   untoh32(fromaddr.ptr + fromaddr.len - sizeof(diff));
+	this->size = diff + 1;
+
+	return &this->public;
+}
diff --git a/src/libhydra/attributes/mem_pool.h b/src/libhydra/attributes/mem_pool.h
index bb963de93..7347bb547 100644
--- a/src/libhydra/attributes/mem_pool.h
+++ b/src/libhydra/attributes/mem_pool.h
@@ -22,11 +22,24 @@
 #define MEM_POOL_H
 
 typedef struct mem_pool_t mem_pool_t;
+typedef enum mem_pool_op_t mem_pool_op_t;
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 
 /**
+ * In-memory IP pool acquire operation.
+ */
+enum mem_pool_op_t {
+	/** Check for an exsiting lease */
+	MEM_POOL_EXISTING,
+	/** Get a new lease */
+	MEM_POOL_NEW,
+	/** Replace an existing offline lease of another ID */
+	MEM_POOL_REASSIGN,
+};
+
+/**
  * An in-memory IP address pool.
  */
 struct mem_pool_t {
@@ -39,6 +52,13 @@ struct mem_pool_t {
 	const char* (*get_name)(mem_pool_t *this);
 
 	/**
+	 * Get the base (first) address of this pool.
+	 *
+	 * @return			base address, internal host
+	 */
+	host_t* (*get_base)(mem_pool_t *this);
+
+	/**
 	 * Get the size (i.e. number of addresses) of this pool.
 	 *
 	 * @return			the size of this pool
@@ -62,12 +82,18 @@ struct mem_pool_t {
 	/**
 	 * Acquire an address for the given id from this pool.
 	 *
+	 * This call is usually invoked several times: The first time to find an
+	 * existing lease (MEM_POOL_EXISTING), if none found a second time to
+	 * acquire a new lease (MEM_POOL_NEW), and if the pool is full once again
+	 * to assign an existing offline lease (MEM_POOL_REASSIGN).
+	 *
 	 * @param id		the id to acquire an address for
 	 * @param requested	acquire this address, if possible
+	 * @param operation	acquire operation to perform, see above
 	 * @return			the acquired address
 	 */
 	host_t* (*acquire_address)(mem_pool_t *this, identification_t *id,
-							   host_t *requested);
+							   host_t *requested, mem_pool_op_t operation);
 
 	/**
 	 * Release a previously acquired address.
@@ -102,9 +128,19 @@ struct mem_pool_t {
  *
  * @param name		name of this pool
  * @param base		base address of this pool, NULL to create an empty pool
- * @param bits		net mask
+ * @param bits		number of non-network bits in base, as in CIDR notation
+ * @return			memory pool instance
  */
 mem_pool_t *mem_pool_create(char *name, host_t *base, int bits);
 
-#endif /** MEM_POOL_H_ @} */
+/**
+ * Create an in-memory IP address from a range.
+ *
+ * @param name		name of this pool
+ * @param from		start of ranged pool
+ * @param to		end of ranged pool
+ * @return			memory pool instance, NULL if range invalid
+ */
+mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to);
 
+#endif /** MEM_POOL_H_ @} */
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index f180e36bb..f531bd5f4 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -15,7 +15,7 @@
 
 #include "hydra.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_hydra_t private_hydra_t;
 
@@ -28,12 +28,22 @@ struct private_hydra_t {
 	 * Public members of hydra_t.
 	 */
 	hydra_t public;
+
+	/**
+	 * Integrity check failed?
+	 */
+	bool integrity_failed;
+
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
  * Single instance of hydra_t.
  */
-hydra_t *hydra;
+hydra_t *hydra = NULL;
 
 /**
  * Described in header.
@@ -41,6 +51,12 @@ hydra_t *hydra;
 void libhydra_deinit()
 {
 	private_hydra_t *this = (private_hydra_t*)hydra;
+
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
 	this->public.attributes->destroy(this->public.attributes);
 	this->public.kernel_interface->destroy(this->public.kernel_interface);
 	free((void*)this->public.daemon);
@@ -55,21 +71,29 @@ bool libhydra_init(const char *daemon)
 {
 	private_hydra_t *this;
 
+	if (hydra)
+	{	/* already initialized, increase refcount */
+		this = (private_hydra_t*)hydra;
+		ref_get(&this->ref);
+		return !this->integrity_failed;
+	}
+
 	INIT(this,
 		.public = {
 			.attributes = attribute_manager_create(),
-			.kernel_interface = kernel_interface_create(),
 			.daemon = strdup(daemon ?: "libhydra"),
 		},
+		.ref = 1,
 	);
 	hydra = &this->public;
 
+	this->public.kernel_interface = kernel_interface_create();
+
 	if (lib->integrity &&
 		!lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
 	{
 		DBG1(DBG_LIB, "integrity check of libhydra failed");
-		return FALSE;
+		this->integrity_failed = TRUE;
 	}
-	return TRUE;
+	return !this->integrity_failed;
 }
-
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index d7a7d8de4..2a8709d72 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -72,6 +72,9 @@ extern hydra_t *hydra;
  *
  * The daemon's name is used to load daemon-specific settings.
  *
+ * libhydra_init() may be called multiple times in a single process, but each
+ * caller should call libhydra_deinit() for each call to libhydra_init().
+ *
  * @param daemon		name of the daemon that initializes the library
  * @return				FALSE if integrity check failed
  */
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 573557506..90637fa06 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2011 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -15,14 +15,65 @@
  * for more details.
  */
 
+/*
+ * Copyright (c) 2012 Nanoteq Pty Ltd
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "kernel_interface.h"
 
-#include <debug.h>
+#include <hydra.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
 
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKE algorithms to kernel-specific algorithm identifiers
+ */
+struct kernel_algorithm_t {
+
+	/**
+	 * Transform type of the algorithm
+	 */
+	transform_type_t type;
+
+	/**
+	 * Identifier specified in IKE
+	 */
+	u_int16_t ike;
+
+	/**
+	 * Identifier as defined in pfkeyv2.h
+	 */
+	u_int16_t kernel;
+
+	/**
+	 * Name of the algorithm in linux crypto API
+	 */
+	char *name;
+};
+
 /**
  * Private data of a kernel_interface_t object.
  */
@@ -62,8 +113,46 @@ struct private_kernel_interface_t {
 	 * list of registered listeners
 	 */
 	linked_list_t *listeners;
+
+	/**
+	 * mutex for algorithm mappings
+	 */
+	mutex_t *mutex_algs;
+
+	/**
+	 * List of algorithm mappings (kernel_algorithm_t*)
+	 */
+	linked_list_t *algorithms;
+
+	/**
+	 * List of interface names to include or exclude (char*), NULL if interfaces
+	 * are not filtered
+	 */
+	linked_list_t *ifaces_filter;
+
+	/**
+	 * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
+	 * only those listed there
+	 */
+	bool ifaces_exclude;
 };
 
+METHOD(kernel_interface_t, get_features, kernel_feature_t,
+	private_kernel_interface_t *this)
+{
+	kernel_feature_t features = 0;
+
+	if (this->ipsec && this->ipsec->get_features)
+	{
+		features |= this->ipsec->get_features(this->ipsec);
+	}
+	if (this->net && this->net->get_features)
+	{
+		features |= this->net->get_features(this->net);
+	}
+	return features;
+}
+
 METHOD(kernel_interface_t, get_spi, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
 	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
@@ -91,7 +180,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	if (!this->ipsec)
@@ -100,7 +189,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 	}
 	return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
 			mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
-			ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+			ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
 }
 
 METHOD(kernel_interface_t, update_sa, status_t,
@@ -118,13 +207,15 @@ METHOD(kernel_interface_t, update_sa, status_t,
 
 METHOD(kernel_interface_t, query_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes);
+	return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark,
+								 bytes, packets, time);
 }
 
 METHOD(kernel_interface_t, del_sa, status_t,
@@ -209,55 +300,54 @@ METHOD(kernel_interface_t, get_source_addr, host_t*,
 }
 
 METHOD(kernel_interface_t, get_nexthop, host_t*,
-	private_kernel_interface_t *this, host_t *dest)
+	private_kernel_interface_t *this, host_t *dest, host_t *src)
 {
 	if (!this->net)
 	{
 		return NULL;
 	}
-	return this->net->get_nexthop(this->net, dest);
+	return this->net->get_nexthop(this->net, dest, src);
 }
 
-METHOD(kernel_interface_t, get_interface, char*,
-	private_kernel_interface_t *this, host_t *host)
+METHOD(kernel_interface_t, get_interface, bool,
+	private_kernel_interface_t *this, host_t *host, char **name)
 {
 	if (!this->net)
 	{
 		return NULL;
 	}
-	return this->net->get_interface(this->net, host);
+	return this->net->get_interface(this->net, host, name);
 }
 
 METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
-	private_kernel_interface_t *this, bool include_down_ifaces,
-	bool include_virtual_ips)
+	private_kernel_interface_t *this, kernel_address_type_t which)
 {
 	if (!this->net)
 	{
 		return enumerator_create_empty();
 	}
-	return this->net->create_address_enumerator(this->net, include_down_ifaces,
-												include_virtual_ips);
+	return this->net->create_address_enumerator(this->net, which);
 }
 
 METHOD(kernel_interface_t, add_ip, status_t,
-	private_kernel_interface_t *this, host_t *virtual_ip, host_t *iface_ip)
+	private_kernel_interface_t *this, host_t *virtual_ip, int prefix,
+	char *iface)
 {
 	if (!this->net)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->net->add_ip(this->net, virtual_ip, iface_ip);
+	return this->net->add_ip(this->net, virtual_ip, prefix, iface);
 }
 
 METHOD(kernel_interface_t, del_ip, status_t,
-	private_kernel_interface_t *this, host_t *virtual_ip)
+	private_kernel_interface_t *this, host_t *virtual_ip, int prefix, bool wait)
 {
 	if (!this->net)
 	{
 		return NOT_SUPPORTED;
 	}
-	return this->net->del_ip(this->net, virtual_ip);
+	return this->net->del_ip(this->net, virtual_ip, prefix, wait);
 }
 
 METHOD(kernel_interface_t, add_route, status_t,
@@ -294,8 +384,39 @@ METHOD(kernel_interface_t, bypass_socket, bool,
 	return this->ipsec->bypass_socket(this->ipsec, fd, family);
 }
 
+METHOD(kernel_interface_t, enable_udp_decap, bool,
+	private_kernel_interface_t *this, int fd, int family, u_int16_t port)
+{
+	if (!this->ipsec)
+	{
+		return FALSE;
+	}
+	return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port);
+}
+
+METHOD(kernel_interface_t, is_interface_usable, bool,
+	private_kernel_interface_t *this, const char *iface)
+{
+	status_t expected;
+
+	if (!this->ifaces_filter)
+	{
+		return TRUE;
+	}
+	expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS;
+	return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq,
+										   NULL, iface) == expected;
+}
+
+METHOD(kernel_interface_t, all_interfaces_usable, bool,
+	private_kernel_interface_t *this)
+{
+	return this->ifaces_filter == NULL;
+}
+
 METHOD(kernel_interface_t, get_address_by_ts, status_t,
-	private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
+	private_kernel_interface_t *this, traffic_selector_t *ts,
+	host_t **ip, bool *vip)
 {
 	enumerator_t *addrs;
 	host_t *host;
@@ -326,13 +447,17 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
 	}
 	host->destroy(host);
 
-	addrs = create_address_enumerator(this, TRUE, TRUE);
+	addrs = create_address_enumerator(this, ADDR_TYPE_VIRTUAL);
 	while (addrs->enumerate(addrs, (void**)&host))
 	{
 		if (ts->includes(ts, host))
 		{
 			found = TRUE;
 			*ip = host->clone(host);
+			if (vip)
+			{
+				*vip = TRUE;
+			}
 			break;
 		}
 	}
@@ -340,6 +465,25 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
 
 	if (!found)
 	{
+		addrs = create_address_enumerator(this, ADDR_TYPE_REGULAR);
+		while (addrs->enumerate(addrs, (void**)&host))
+		{
+			if (ts->includes(ts, host))
+			{
+				found = TRUE;
+				*ip = host->clone(host);
+				if (vip)
+				{
+					*vip = FALSE;
+				}
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+	}
+
+	if (!found)
+	{
 		DBG2(DBG_KNL, "no local address found in traffic selector %R", ts);
 		return FAILED;
 	}
@@ -362,7 +506,7 @@ METHOD(kernel_interface_t, add_ipsec_interface, void,
 METHOD(kernel_interface_t, remove_ipsec_interface, void,
 	private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
 {
-	if (constructor == this->ipsec_constructor)
+	if (constructor == this->ipsec_constructor && this->ipsec)
 	{
 		this->ipsec->destroy(this->ipsec);
 		this->ipsec = NULL;
@@ -382,7 +526,7 @@ METHOD(kernel_interface_t, add_net_interface, void,
 METHOD(kernel_interface_t, remove_net_interface, void,
 	private_kernel_interface_t *this, kernel_net_constructor_t constructor)
 {
-	if (constructor == this->net_constructor)
+	if (constructor == this->net_constructor && this->net)
 	{
 		this->net->destroy(this->net);
 		this->net = NULL;
@@ -500,13 +644,92 @@ METHOD(kernel_interface_t, roam, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(kernel_interface_t, tun, void,
+	private_kernel_interface_t *this, tun_device_t *tun, bool created)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->tun &&
+			!listener->tun(listener, tun, created))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, register_algorithm, void,
+	private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
+	u_int16_t kernel_id, char *kernel_name)
+{
+	kernel_algorithm_t *algorithm;
+
+	INIT(algorithm,
+		.type = type,
+		.ike = alg_id,
+		.kernel = kernel_id,
+		.name = strdup(kernel_name),
+	);
+
+	this->mutex_algs->lock(this->mutex_algs);
+	this->algorithms->insert_first(this->algorithms, algorithm);
+	this->mutex_algs->unlock(this->mutex_algs);
+}
+
+METHOD(kernel_interface_t, lookup_algorithm, bool,
+	private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
+	u_int16_t *kernel_id, char **kernel_name)
+{
+	kernel_algorithm_t *algorithm;
+	enumerator_t *enumerator;
+	bool found = FALSE;
+
+	this->mutex_algs->lock(this->mutex_algs);
+	enumerator = this->algorithms->create_enumerator(this->algorithms);
+	while (enumerator->enumerate(enumerator, &algorithm))
+	{
+		if (algorithm->type == type && algorithm->ike == alg_id)
+		{
+			if (kernel_id)
+			{
+				*kernel_id = algorithm->kernel;
+			}
+			if (kernel_name)
+			{
+				*kernel_name = algorithm->name;
+			}
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex_algs->unlock(this->mutex_algs);
+	return found;
+}
+
 METHOD(kernel_interface_t, destroy, void,
 	private_kernel_interface_t *this)
 {
+	kernel_algorithm_t *algorithm;
+
+	while (this->algorithms->remove_first(this->algorithms,
+										 (void**)&algorithm) == SUCCESS)
+	{
+		free(algorithm->name);
+		free(algorithm);
+	}
+	this->algorithms->destroy(this->algorithms);
+	this->mutex_algs->destroy(this->mutex_algs);
 	DESTROY_IF(this->ipsec);
 	DESTROY_IF(this->net);
-	this->mutex->destroy(this->mutex);
+	DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
 	this->listeners->destroy(this->listeners);
+	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
@@ -516,9 +739,11 @@ METHOD(kernel_interface_t, destroy, void,
 kernel_interface_t *kernel_interface_create()
 {
 	private_kernel_interface_t *this;
+	char *ifaces;
 
 	INIT(this,
 		.public = {
+			.get_features = _get_features,
 			.get_spi = _get_spi,
 			.get_cpi = _get_cpi,
 			.add_sa = _add_sa,
@@ -539,7 +764,10 @@ kernel_interface_t *kernel_interface_create()
 			.add_route = _add_route,
 			.del_route = _del_route,
 			.bypass_socket = _bypass_socket,
+			.enable_udp_decap = _enable_udp_decap,
 
+			.is_interface_usable = _is_interface_usable,
+			.all_interfaces_usable = _all_interfaces_usable,
 			.get_address_by_ts = _get_address_by_ts,
 			.add_ipsec_interface = _add_ipsec_interface,
 			.remove_ipsec_interface = _remove_ipsec_interface,
@@ -548,17 +776,47 @@ kernel_interface_t *kernel_interface_create()
 
 			.add_listener = _add_listener,
 			.remove_listener = _remove_listener,
+			.register_algorithm = _register_algorithm,
+			.lookup_algorithm = _lookup_algorithm,
 			.acquire = _acquire,
 			.expire = _expire,
 			.mapping = _mapping,
 			.migrate = _migrate,
 			.roam = _roam,
+			.tun = _tun,
 			.destroy = _destroy,
 		},
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.listeners = linked_list_create(),
+		.mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT),
+		.algorithms = linked_list_create(),
 	);
 
+	ifaces = lib->settings->get_str(lib->settings,
+					"%s.interfaces_use", NULL, hydra->daemon);
+	if (!ifaces)
+	{
+		this->ifaces_exclude = TRUE;
+		ifaces = lib->settings->get_str(lib->settings,
+					"%s.interfaces_ignore", NULL, hydra->daemon);
+	}
+	if (ifaces)
+	{
+		enumerator_t *enumerator;
+		char *iface;
+
+		enumerator = enumerator_create_token(ifaces, ",", " ");
+		while (enumerator->enumerate(enumerator, &iface))
+		{
+			if (!this->ifaces_filter)
+			{
+				this->ifaces_filter = linked_list_create();
+			}
+			this->ifaces_filter->insert_last(this->ifaces_filter,
+											 strdup(iface));
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	return &this->public;
 }
-
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 991cfafd0..1d96f1c35 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -16,6 +16,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (c) 2012 Nanoteq Pty Ltd
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 /**
  * @defgroup kernel_interface kernel_interface
  * @{ @ingroup hkernel
@@ -25,8 +47,9 @@
 #define KERNEL_INTERFACE_H_
 
 typedef struct kernel_interface_t kernel_interface_t;
+typedef enum kernel_feature_t kernel_feature_t;
 
-#include <utils/host.h>
+#include <networking/host.h>
 #include <crypto/prf_plus.h>
 
 #include <kernel/kernel_listener.h>
@@ -34,6 +57,21 @@ typedef struct kernel_interface_t kernel_interface_t;
 #include <kernel/kernel_net.h>
 
 /**
+ * Bitfield of optional features a kernel backend supports.
+ *
+ * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each
+ * backend returns a subset of these features.
+ */
+enum kernel_feature_t {
+	/** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
+	KERNEL_ESP_V3_TFC = (1<<0),
+	/** Networking requires an "exclude" route for IKE/ESP packets */
+	KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
+	/** IPsec implementation requires UDP encapsulation of ESP packets */
+	KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2),
+};
+
+/**
  * Constructor function for ipsec kernel interface
  */
 typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
@@ -52,6 +90,13 @@ typedef kernel_net_t* (*kernel_net_constructor_t)(void);
 struct kernel_interface_t {
 
 	/**
+	 * Get the feature set supported by the net and ipsec kernel backends.
+	 *
+	 * @return				ORed feature-set of backends
+	 */
+	kernel_feature_t (*get_features)(kernel_interface_t *this);
+
+	/**
 	 * Get a SPI from the kernel.
 	 *
 	 * @param src		source address of SA
@@ -100,6 +145,7 @@ struct kernel_interface_t {
 	 * @param mode			mode of the SA (tunnel, transport)
 	 * @param ipcomp		IPComp transform to use
 	 * @param cpi			CPI for IPComp
+	 * @param initiator		TRUE if initiator of the exchange creating this SA
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param esn			TRUE to use Extended Sequence Numbers
 	 * @param inbound		TRUE if this is an inbound SA
@@ -114,7 +160,7 @@ struct kernel_interface_t {
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool esn, bool inbound,
+						bool initiator, bool encap, bool esn, bool inbound,
 						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 
 	/**
@@ -153,11 +199,13 @@ struct kernel_interface_t {
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
+	 * @param[out] packets	number of packets processed by SA
+	 * @param[out] time		last time of SA use
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, u_int8_t protocol, mark_t mark,
-						  u_int64_t *bytes);
+						  u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
 
 	/**
 	 * Delete a previously installed SA from the SAD.
@@ -260,7 +308,7 @@ struct kernel_interface_t {
 	 * Does a route lookup to get the source address used to reach dest.
 	 * The returned host is allocated and must be destroyed.
 	 * An optional src address can be used to check if a route is available
-	 * for given source to dest.
+	 * for the given source to dest.
 	 *
 	 * @param dest			target destination address
 	 * @param src			source address to check, or NULL
@@ -274,19 +322,23 @@ struct kernel_interface_t {
 	 *
 	 * Does a route lookup to get the next hop used to reach dest.
 	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for the given source to dest.
 	 *
 	 * @param dest			target destination address
 	 * @return				next hop address, NULL if unreachable
 	 */
-	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
+	host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest, host_t *src);
 
 	/**
-	 * Get the interface name of a local address.
+	 * Get the interface name of a local address. Interfaces that are down or
+	 * ignored by config are not considered.
 	 *
 	 * @param host			address to get interface name from
-	 * @return				allocated interface name, or NULL if not found
+	 * @param name			allocated interface name (optional)
+	 * @return				TRUE if interface found and usable
 	 */
-	char* (*get_interface) (kernel_interface_t *this, host_t *host);
+	bool (*get_interface)(kernel_interface_t *this, host_t *host, char **name);
 
 	/**
 	 * Creates an enumerator over all local addresses.
@@ -295,12 +347,11 @@ struct kernel_interface_t {
 	 * enumerator gets destroyed.
 	 * The hosts are read-only, do not modify of free.
 	 *
-	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
-	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
-	 * @return						enumerator over host_t's
+	 * @param which			a combination of address types to enumerate
+	 * @return				enumerator over host_t's
 	 */
 	enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
-						bool include_down_ifaces, bool include_virtual_ips);
+												kernel_address_type_t which);
 
 	/**
 	 * Add a virtual IP to an interface.
@@ -308,24 +359,27 @@ struct kernel_interface_t {
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
 	 * times, the IP is refcounted and not removed until del_ip() was called
 	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
 	 *
 	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @param prefix		prefix length to install IP with, -1 for auto
+	 * @param iface			interface to install virtual IP on
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
+	status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, int prefix,
+						char *iface);
 
 	/**
 	 * Remove a virtual IP from an interface.
 	 *
 	 * The kernel interface uses refcounting, see add_ip().
 	 *
-	 * @param virtual_ip	virtual ip address to assign
+	 * @param virtual_ip	virtual ip address to remove
+	 * @param prefix		prefix length of the IP to uninstall, -1 for auto
+	 * @param wait			TRUE to wait untily IP is gone
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
+	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
+						int prefix, bool wait);
 
 	/**
 	 * Add a route.
@@ -333,7 +387,7 @@ struct kernel_interface_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 *						ALREADY_DONE if the route already exists
@@ -348,7 +402,7 @@ struct kernel_interface_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 */
@@ -361,24 +415,53 @@ struct kernel_interface_t {
 	 *
 	 * @param fd			socket file descriptor to setup policy for
 	 * @param family		protocol family of the socket
-	 * @return				TRUE of policy set up successfully
+	 * @return				TRUE if policy set up successfully
 	 */
 	bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
 
 	/**
+	 * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
+	 *
+	 * @param fd			socket file descriptor
+	 * @param family		protocol family of the socket
+	 * @param port			the UDP port
+	 * @return				TRUE if UDP decapsulation was enabled successfully
+	 */
+	bool (*enable_udp_decap)(kernel_interface_t *this, int fd, int family,
+							 u_int16_t port);
+
+
+	/**
 	 * manager methods
 	 */
 
 	/**
-	 * Tries to find an ip address of a local interface that is included in the
+	 * Verifies that the given interface is usable and not excluded by
+	 * configuration.
+	 *
+	 * @param iface			interface name
+	 * @return				TRUE if usable
+	 */
+	bool (*is_interface_usable)(kernel_interface_t *this, const char *iface);
+
+	/**
+	 * Check if interfaces are excluded by config.
+	 *
+	 * @return				TRUE if no interfaces are exclued by config
+	 */
+	bool (*all_interfaces_usable)(kernel_interface_t *this);
+
+	/**
+	 * Tries to find an IP address of a local interface that is included in the
 	 * supplied traffic selector.
 	 *
 	 * @param ts			traffic selector
-	 * @param ip			returned ip (has to be destroyed)
+	 * @param ip			returned IP address (has to be destroyed)
+	 * @param vip			set to TRUE if returned address is a virtual IP
 	 * @return				SUCCESS if address found
 	 */
 	status_t (*get_address_by_ts)(kernel_interface_t *this,
-								  traffic_selector_t *ts, host_t **ip);
+								  traffic_selector_t *ts, host_t **ip, bool *vip);
 
 	/**
 	 * Register an ipsec kernel interface constructor on the manager.
@@ -481,7 +564,41 @@ struct kernel_interface_t {
 	void (*roam)(kernel_interface_t *this, bool address);
 
 	/**
-	 * Destroys a kernel_interface_manager_t object.
+	 * Raise a tun event.
+	 *
+	 * @param tun			TUN device
+	 * @param created		TRUE if created, FALSE if going to be destroyed
+	 */
+	void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created);
+
+	/**
+	 * Register a new algorithm with the kernel interface.
+	 *
+	 * @param alg_id			the IKE id of the algorithm
+	 * @param type				the transform type of the algorithm
+	 * @param kernel_id			the kernel id of the algorithm
+	 * @param kernel_name		the kernel name of the algorithm
+	 */
+	void (*register_algorithm)(kernel_interface_t *this, u_int16_t alg_id,
+							   transform_type_t type, u_int16_t kernel_id,
+							   char *kernel_name);
+
+	/**
+	 * Return the kernel-specific id and/or name for an algorithms depending on
+	 * the arguments specified.
+	 *
+	 * @param alg_id			the IKE id of the algorithm
+	 * @param type				the transform type of the algorithm
+	 * @param kernel_id			the kernel id of the algorithm (optional)
+	 * @param kernel_name		the kernel name of the algorithm (optional)
+	 * @return					TRUE if algorithm was found
+	 */
+	bool (*lookup_algorithm)(kernel_interface_t *this, u_int16_t alg_id,
+							 transform_type_t type, u_int16_t *kernel_id,
+							 char **kernel_name);
+
+	/**
+	 * Destroys a kernel_interface_t object.
 	 */
 	void (*destroy) (kernel_interface_t *this);
 };
diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c
index 9b38297cc..1a32ab4e7 100644
--- a/src/libhydra/kernel/kernel_ipsec.c
+++ b/src/libhydra/kernel/kernel_ipsec.c
@@ -17,28 +17,6 @@
 
 #include <hydra.h>
 
-ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_DROP,
-	"TRANSPORT",
-	"TUNNEL",
-	"BEET",
-	"PASS",
-	"DROP"
-);
-
-ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
-	"in",
-	"out",
-	"fwd"
-);
-
-ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
-	"IPCOMP_NONE",
-	"IPCOMP_OUI",
-	"IPCOMP_DEFLATE",
-	"IPCOMP_LZS",
-	"IPCOMP_LZJH"
-);
-
 /**
  * See header
  */
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ddb63283c..413e5920f 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -24,150 +24,13 @@
 #ifndef KERNEL_IPSEC_H_
 #define KERNEL_IPSEC_H_
 
-typedef enum ipsec_mode_t ipsec_mode_t;
-typedef enum policy_dir_t policy_dir_t;
-typedef enum policy_type_t policy_type_t;
-typedef enum policy_priority_t policy_priority_t;
-typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct kernel_ipsec_t kernel_ipsec_t;
-typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
-typedef struct lifetime_cfg_t lifetime_cfg_t;
-typedef struct mark_t mark_t;
 
-#include <utils/host.h>
-#include <crypto/prf_plus.h>
+#include <networking/host.h>
+#include <ipsec/ipsec_types.h>
 #include <selectors/traffic_selector.h>
 #include <plugins/plugin.h>
-
-/**
- * Mode of an IPsec SA.
- */
-enum ipsec_mode_t {
-	/** transport mode, no inner address */
-	MODE_TRANSPORT = 1,
-	/** tunnel mode, inner and outer addresses */
-	MODE_TUNNEL,
-	/** BEET mode, tunnel mode but fixed, bound inner addresses */
-	MODE_BEET,
-	/** passthrough policy for traffic without an IPsec SA */
-	MODE_PASS,
-	/** drop policy discarding traffic */
-	MODE_DROP
-};
-
-/**
- * enum names for ipsec_mode_t.
- */
-extern enum_name_t *ipsec_mode_names;
-
-/**
- * Direction of a policy. These are equal to those
- * defined in xfrm.h, but we want to stay implementation
- * neutral here.
- */
-enum policy_dir_t {
-	/** Policy for inbound traffic */
-	POLICY_IN = 0,
-	/** Policy for outbound traffic */
-	POLICY_OUT = 1,
-	/** Policy for forwarded traffic */
-	POLICY_FWD = 2,
-};
-
-/**
- * enum names for policy_dir_t.
- */
-extern enum_name_t *policy_dir_names;
-
-/**
- * Type of a policy.
- */
-enum policy_type_t {
-	/** Normal IPsec policy */
-	POLICY_IPSEC = 1,
-	/** Passthrough policy (traffic is ignored by IPsec) */
-	POLICY_PASS,
-	/** Drop policy (traffic is discarded) */
-	POLICY_DROP,
-};
-
-/**
- * High-level priority of a policy.
- */
-enum policy_priority_t {
-	/** Default priority */
-	POLICY_PRIORITY_DEFAULT,
-	/** Priority for trap policies */
-	POLICY_PRIORITY_ROUTED,
-	/** Priority for fallback drop policies */
-	POLICY_PRIORITY_FALLBACK,
-};
-
-/**
- * IPComp transform IDs, as in RFC 4306
- */
-enum ipcomp_transform_t {
-	IPCOMP_NONE = 0,
-	IPCOMP_OUI = 1,
-	IPCOMP_DEFLATE = 2,
-	IPCOMP_LZS = 3,
-	IPCOMP_LZJH = 4,
-};
-
-/**
- * enum strings for ipcomp_transform_t.
- */
-extern enum_name_t *ipcomp_transform_names;
-
-/**
- * This struct contains details about IPsec SA(s) tied to a policy.
- */
-struct ipsec_sa_cfg_t {
-	/** mode of SA (tunnel, transport) */
-	ipsec_mode_t mode;
-	/** unique ID */
-	u_int32_t reqid;
-	/** details about ESP/AH */
-	struct {
-		/** TRUE if this protocol is used */
-		bool use;
-		/** SPI for ESP/AH */
-		u_int32_t spi;
-	} esp, ah;
-	/** details about IPComp */
-	struct {
-		/** the IPComp transform used */
-		u_int16_t transform;
-		/** CPI for IPComp */
-		u_int16_t cpi;
-	} ipcomp;
-};
-
-/**
- * A lifetime_cfg_t defines the lifetime limits of an SA.
- *
- * Set any of these values to 0 to ignore.
- */
-struct lifetime_cfg_t {
-	struct {
-		/** Limit before the SA gets invalid. */
-		u_int64_t	life;
-		/** Limit before the SA gets rekeyed. */
-		u_int64_t	rekey;
-		/** The range of a random value subtracted from rekey. */
-		u_int64_t	jitter;
-	} time, bytes, packets;
-};
-
-/**
- * A mark_t defines an optional mark in an IPsec SA.
- */
-struct mark_t {
-	/** Mark value */
-	u_int32_t value;
-	/** Mark mask */
-	u_int32_t mask;
-};
+#include <kernel/kernel_interface.h>
 
 /**
  * Interface to the ipsec subsystem of the kernel.
@@ -183,6 +46,13 @@ struct mark_t {
 struct kernel_ipsec_t {
 
 	/**
+	 * Get the feature set supported by this kernel backend.
+	 *
+	 * @return				ORed feature-set of backend
+	 */
+	kernel_feature_t (*get_features)(kernel_ipsec_t *this);
+
+	/**
 	 * Get a SPI from the kernel.
 	 *
 	 * @param src		source address of SA
@@ -231,6 +101,7 @@ struct kernel_ipsec_t {
 	 * @param mode			mode of the SA (tunnel, transport)
 	 * @param ipcomp		IPComp transform to use
 	 * @param cpi			CPI for IPComp
+	 * @param initiator		TRUE if initiator of the exchange creating this SA
 	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param esn			TRUE to use Extended Sequence Numbers
 	 * @param inbound		TRUE if this is an inbound SA
@@ -245,7 +116,7 @@ struct kernel_ipsec_t {
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
 						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-						bool encap, bool esn, bool inbound,
+						bool initiator, bool encap, bool esn, bool inbound,
 						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 
 	/**
@@ -284,11 +155,13 @@ struct kernel_ipsec_t {
 	 * @param protocol		protocol for this SA (ESP/AH)
 	 * @param mark			optional mark for this SA
 	 * @param[out] bytes	the number of bytes processed by SA
+	 * @param[out] packets	number of packets processed by SA
+	 * @param[out] time		last time of SA use
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
 						  u_int32_t spi, u_int8_t protocol, mark_t mark,
-						  u_int64_t *bytes);
+						  u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
 
 	/**
 	 * Delete a previusly installed SA from the SAD.
@@ -396,6 +269,17 @@ struct kernel_ipsec_t {
 	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);
 
 	/**
+	 * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
+	 *
+	 * @param fd			socket file descriptor
+	 * @param family		protocol family of the socket
+	 * @param port			the UDP port
+	 * @return				TRUE if UDP decapsulation was enabled successfully
+	 */
+	bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
+							 u_int16_t port);
+
+	/**
 	 * Destroy the implementation.
 	 */
 	void (*destroy) (kernel_ipsec_t *this);
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 5db297b6f..4382a43fd 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,9 +23,10 @@
 
 typedef struct kernel_listener_t kernel_listener_t;
 
-#include <kernel/kernel_ipsec.h>
+#include <networking/host.h>
+#include <networking/tun_device.h>
 #include <selectors/traffic_selector.h>
-#include <utils/host.h>
+#include <kernel/kernel_ipsec.h>
 
 /**
  * Interface for components interested in kernel events.
@@ -91,6 +92,15 @@ struct kernel_listener_t {
 	 * @return				TRUE to remain registered, FALSE to unregister
 	 */
 	bool (*roam)(kernel_listener_t *this, bool address);
+
+	/**
+	 * Hook called after a TUN device was created for a virtual IP address, or
+	 * before such a device gets destroyed.
+	 *
+	 * @param tun			TUN device
+	 * @param created		TRUE if created, FALSE if going to be destroyed
+	 */
+	bool (*tun)(kernel_listener_t *this, tun_device_t *tun, bool created);
 };
 
 #endif /** KERNEL_LISTENER_H_ @}*/
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index a89e76804..8c448ddbc 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -23,10 +23,30 @@
 #define KERNEL_NET_H_
 
 typedef struct kernel_net_t kernel_net_t;
+typedef enum kernel_address_type_t kernel_address_type_t;
 
-#include <utils/enumerator.h>
-#include <utils/host.h>
+#include <collections/enumerator.h>
+#include <networking/host.h>
 #include <plugins/plugin.h>
+#include <kernel/kernel_interface.h>
+
+/**
+ * Type of addresses (e.g. when enumerating them)
+ */
+enum kernel_address_type_t {
+	/** normal addresses (on regular, up, non-ignored) interfaces */
+	ADDR_TYPE_REGULAR = (1 << 0),
+	/** addresses on down interfaces */
+	ADDR_TYPE_DOWN =  (1 << 1),
+	/** addresses on ignored interfaces */
+	ADDR_TYPE_IGNORED = (1 << 2),
+	/** addresses on loopback interfaces */
+	ADDR_TYPE_LOOPBACK = (1 << 3),
+	/** virtual IP addresses */
+	ADDR_TYPE_VIRTUAL = (1 << 4),
+	/** to enumerate all available addresses */
+	ADDR_TYPE_ALL = (1 << 5) - 1,
+};
 
 /**
  * Interface to the network subsystem of the kernel.
@@ -37,12 +57,19 @@ typedef struct kernel_net_t kernel_net_t;
 struct kernel_net_t {
 
 	/**
+	 * Get the feature set supported by this kernel backend.
+	 *
+	 * @return				ORed feature-set of backend
+	 */
+	kernel_feature_t (*get_features)(kernel_net_t *this);
+
+	/**
 	 * Get our outgoing source address for a destination.
 	 *
 	 * Does a route lookup to get the source address used to reach dest.
 	 * The returned host is allocated and must be destroyed.
 	 * An optional src address can be used to check if a route is available
-	 * for given source to dest.
+	 * for the given source to dest.
 	 *
 	 * @param dest			target destination address
 	 * @param src			source address to check, or NULL
@@ -55,19 +82,24 @@ struct kernel_net_t {
 	 *
 	 * Does a route lookup to get the next hop used to reach dest.
 	 * The returned host is allocated and must be destroyed.
+	 * An optional src address can be used to check if a route is available
+	 * for the given source to dest.
 	 *
 	 * @param dest			target destination address
+	 * @param src			source address to check, or NULL
 	 * @return				next hop address, NULL if unreachable
 	 */
-	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
+	host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest, host_t *src);
 
 	/**
-	 * Get the interface name of a local address.
+	 * Get the interface name of a local address. Interfaces that are down or
+	 * ignored by config are not considered.
 	 *
 	 * @param host			address to get interface name from
-	 * @return				allocated interface name, or NULL if not found
+	 * @param name			allocated interface name (optional)
+	 * @return				TRUE if interface found and usable
 	 */
-	char* (*get_interface) (kernel_net_t *this, host_t *host);
+	bool (*get_interface) (kernel_net_t *this, host_t *host, char **name);
 
 	/**
 	 * Creates an enumerator over all local addresses.
@@ -76,12 +108,11 @@ struct kernel_net_t {
 	 * enumerator gets destroyed.
 	 * The hosts are read-only, do not modify of free.
 	 *
-	 * @param include_down_ifaces	TRUE to enumerate addresses from down interfaces
-	 * @param include_virtual_ips	TRUE to enumerate virtual ip addresses
-	 * @return						enumerator over host_t's
+	 * @param which			a combination of address types to enumerate
+	 * @return				enumerator over host_t's
 	 */
 	enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
-						bool include_down_ifaces, bool include_virtual_ips);
+												kernel_address_type_t which);
 
 	/**
 	 * Add a virtual IP to an interface.
@@ -89,24 +120,27 @@ struct kernel_net_t {
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
 	 * times, the IP is refcounted and not removed until del_ip() was called
 	 * as many times as add_ip().
-	 * The virtual IP is attached to the interface where the iface_ip is found.
 	 *
 	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to attach virtual IP
+	 * @param prefix		prefix length to install with IP address, -1 for auto
+	 * @param iface			interface to install virtual IP on
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
+	status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+						char *iface);
 
 	/**
 	 * Remove a virtual IP from an interface.
 	 *
 	 * The kernel interface uses refcounting, see add_ip().
 	 *
-	 * @param virtual_ip	virtual ip address to assign
+	 * @param virtual_ip	virtual ip address to remove
+	 * @param prefix		prefix length of the IP to uninstall, -1 for auto
+	 * @param wait			TRUE to wait until IP is gone
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
+	status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+						bool wait);
 
 	/**
 	 * Add a route.
@@ -114,7 +148,7 @@ struct kernel_net_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 *						ALREADY_DONE if the route already exists
@@ -129,7 +163,7 @@ struct kernel_net_t {
 	 * @param dst_net		destination net
 	 * @param prefixlen		destination net prefix length
 	 * @param gateway		gateway for this route
-	 * @param src_ip		sourc ip of the route
+	 * @param src_ip		source ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 */
diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libhydra/plugins/attr/Makefile.am
index fe0c39ebd..5989beae4 100644
--- a/src/libhydra/plugins/attr/Makefile.am
+++ b/src/libhydra/plugins/attr/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-attr.la
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 1ceb93ef3..0d935ead3 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_attr_la_LIBADD =
 am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo
 libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS)
-libstrongswan_attr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_attr_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_attr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_attr_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_attr_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_attr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_attr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la
 libstrongswan_attr_la_SOURCES = \
@@ -334,7 +401,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -342,6 +408,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -363,8 +431,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) 
-	$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
+libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -376,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -501,10 +569,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c
index cb14495af..72fcd6dff 100644
--- a/src/libhydra/plugins/attr/attr_plugin.c
+++ b/src/libhydra/plugins/attr/attr_plugin.c
@@ -42,6 +42,36 @@ METHOD(plugin_t, get_name, char*,
 	return "attr";
 }
 
+/**
+ * Register provider
+ */
+static bool plugin_cb(private_attr_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->provider->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->provider->provider);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_attr_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "attr"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, reload, bool,
 	private_attr_plugin_t *this)
 {
@@ -52,7 +82,6 @@ METHOD(plugin_t, reload, bool,
 METHOD(plugin_t, destroy, void,
 	private_attr_plugin_t *this)
 {
-	hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider);
 	this->provider->destroy(this->provider);
 	free(this);
 }
@@ -68,14 +97,13 @@ plugin_t *attr_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
+				.get_features = _get_features,
 				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
 		.provider = attr_provider_create(),
 	);
-	hydra->attributes->add_provider(hydra->attributes, &this->provider->provider);
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index 44242c259..1a2fa7f28 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
@@ -19,8 +19,8 @@
 #include <time.h>
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 #define SERVER_MAX		2
@@ -77,10 +77,10 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in,
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
-	private_attr_provider_t *this, char *pool,
-	identification_t *id, host_t *vip)
+	private_attr_provider_t *this, linked_list_t *pools,
+	identification_t *id, linked_list_t *vips)
 {
-	if (vip)
+	if (vips->get_count(vips))
 	{
 		this->lock->read_lock(this->lock);
 		return enumerator_create_filter(
@@ -145,18 +145,22 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
 /**
  * Key to attribute type mappings, for v4 and v6 attributes
  */
-static struct {
+typedef struct {
 	char *name;
 	configuration_attribute_type_t v4;
 	configuration_attribute_type_t v6;
-} keys[] = {
-	{"address",		INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS},
-	{"dns",			INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS},
-	{"nbns",		INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS},
-	{"dhcp",		INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
-	{"netmask",		INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
-	{"server",		INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
-	{"subnet",		INTERNAL_IP4_SUBNET,	INTERNAL_IP6_SUBNET},
+} attribute_type_key_t;
+
+static attribute_type_key_t keys[] = {
+	{"address",			INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS},
+	{"dns",				INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS},
+	{"nbns",			INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS},
+	{"dhcp",			INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
+	{"netmask",			INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
+	{"server",			INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
+	{"subnet",			INTERNAL_IP4_SUBNET,	INTERNAL_IP6_SUBNET},
+	{"split-include",	UNITY_SPLIT_INCLUDE,	UNITY_SPLIT_INCLUDE},
+	{"split-exclude",	UNITY_LOCAL_LAN,		UNITY_LOCAL_LAN},
 };
 
 /**
@@ -179,12 +183,30 @@ static void load_entries(private_attr_provider_t *this)
 	while (enumerator->enumerate(enumerator, &key, &value))
 	{
 		configuration_attribute_type_t type;
+		attribute_type_key_t *mapped = NULL;
 		attribute_entry_t *entry;
+		chunk_t data;
 		host_t *host;
 		char *pos;
-		int i, mask = -1;
+		int i, mask = -1, family;
 
 		type = atoi(key);
+		if (!type)
+		{
+			for (i = 0; i < countof(keys); i++)
+			{
+				if (streq(key, keys[i].name))
+				{
+					mapped = &keys[i];
+					break;
+				}
+			}
+			if (!mapped)
+			{
+				DBG1(DBG_CFG, "mapping attribute type %s failed", key);
+				continue;
+			}
+		}
 		tokens = enumerator_create_token(value, ",", " ");
 		while (tokens->enumerate(tokens, &token))
 		{
@@ -197,55 +219,56 @@ static void load_entries(private_attr_provider_t *this)
 			host = host_create_from_string(token, 0);
 			if (!host)
 			{
-				DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
-				continue;
-			}
-			if (!type)
-			{
-				for (i = 0; i < countof(keys); i++)
-				{
-					if (streq(key, keys[i].name))
-					{
-						if (host->get_family(host) == AF_INET)
-						{
-							type = keys[i].v4;
-						}
-						else
-						{
-							type = keys[i].v6;
-						}
-					}
-				}
-				if (!type)
+				if (mapped)
 				{
-					DBG1(DBG_CFG, "mapping attribute type %s failed", key);
-					break;
+					DBG1(DBG_CFG, "invalid host in key %s: %s", key, token);
+					continue;
 				}
-			}
-			entry = malloc_thing(attribute_entry_t);
-			entry->type = type;
-			if (mask == -1)
-			{
-				entry->value = chunk_clone(host->get_address(host));
+				/* store numeric attributes that are no IP addresses as strings */
+				data = chunk_clone(chunk_from_str(token));
 			}
 			else
 			{
-				if (host->get_family(host) == AF_INET)
-				{	/* IPv4 attributes contain a subnet mask */
-					u_int32_t netmask;
-
-					mask = 32 - mask;
-					netmask = htonl((0xFFFFFFFF >> mask) << mask);
-					entry->value = chunk_cat("cc", host->get_address(host),
-											 chunk_from_thing(netmask));
+				family = host->get_family(host);
+				if (mask == -1)
+				{
+					data = chunk_clone(host->get_address(host));
 				}
 				else
-				{	/* IPv6 addresses the prefix only */
-					entry->value = chunk_cat("cc", host->get_address(host),
-											 chunk_from_chars(mask));
+				{
+					if (family == AF_INET)
+					{	/* IPv4 attributes contain a subnet mask */
+						u_int32_t netmask;
+
+						mask = 32 - mask;
+						netmask = htonl((0xFFFFFFFF >> mask) << mask);
+						data = chunk_cat("cc", host->get_address(host),
+										 chunk_from_thing(netmask));
+					}
+					else
+					{	/* IPv6 addresses the prefix only */
+						data = chunk_cat("cc", host->get_address(host),
+										 chunk_from_chars(mask));
+					}
+				}
+				host->destroy(host);
+				if (mapped)
+				{
+					switch (family)
+					{
+						case AF_INET:
+							type = mapped->v4;
+							break;
+						case AF_INET6:
+							type = mapped->v6;
+							break;
+					}
 				}
 			}
-			host->destroy(host);
+			INIT(entry,
+				.type = type,
+				.value = data,
+			);
 			DBG2(DBG_CFG, "loaded attribute %N: %#B",
 				 configuration_attribute_type_names, entry->type, &entry->value);
 			this->attributes->insert_last(this->attributes, entry);
@@ -297,4 +320,3 @@ attr_provider_t *attr_provider_create(database_t *db)
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
index 7491debcd..4c369a2bd 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -1,9 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DPLUGINS=\""${pool_plugins}\""
 
 AM_CFLAGS = \
-	-rdynamic \
-	-DPLUGINS=\""${pool_plugins}\""
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-attr-sql.la
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 4fe577f3b..935740b28 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -74,6 +92,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_attr_sql_la_LIBADD =
@@ -81,7 +105,10 @@ am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \
 	sql_attribute.lo
 libstrongswan_attr_sql_la_OBJECTS =  \
 	$(am_libstrongswan_attr_sql_la_OBJECTS)
-libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_attr_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_sql_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
@@ -95,42 +122,67 @@ pool_OBJECTS = $(am_pool_OBJECTS)
 pool_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libhydra/libhydra.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
 DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) $(pool_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -139,13 +191,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -158,6 +213,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -185,11 +241,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -197,6 +255,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -205,8 +264,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -215,14 +272,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -236,17 +298,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -256,16 +318,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -293,11 +354,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = \
-	-rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-DPLUGINS=\""${pool_plugins}\""
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la
 libstrongswan_attr_sql_la_SOURCES = \
@@ -356,7 +420,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -364,6 +427,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -385,12 +450,15 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) 
-	$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
+libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_sql_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -430,9 +498,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) 
+pool$(EXEEXT): $(pool_OBJECTS) $(pool_DEPENDENCIES) $(EXTRA_pool_DEPENDENCIES) 
 	@rm -f pool$(EXEEXT)
-	$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(pool_OBJECTS) $(pool_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -447,25 +515,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -572,10 +640,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
index c04ec9a01..702872c57 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +15,8 @@
  */
 
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <plugins/plugin_feature.h>
 
 #include "attr_sql_plugin.h"
 #include "sql_attribute.h"
@@ -48,12 +50,59 @@ METHOD(plugin_t, get_name, char*,
 	return "attr-sql";
 }
 
+/**
+ * Connect to database
+ */
+static bool open_database(private_attr_sql_plugin_t *this,
+						  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		char *uri;
+
+		uri = lib->settings->get_str(lib->settings,
+								"libhydra.plugins.attr-sql.database", NULL);
+		if (!uri)
+		{
+			DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
+			return FALSE;
+		}
+
+		this->db = lib->db->create(lib->db, uri);
+		if (!this->db)
+		{
+			DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
+			return FALSE;
+		}
+		this->attribute = sql_attribute_create(this->db);
+		hydra->attributes->add_provider(hydra->attributes,
+										&this->attribute->provider);
+	}
+	else
+	{
+		hydra->attributes->remove_provider(hydra->attributes,
+										   &this->attribute->provider);
+		this->attribute->destroy(this->attribute);
+		this->db->destroy(this->db);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_attr_sql_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "attr-sql"),
+				PLUGIN_DEPENDS(DATABASE, DB_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_attr_sql_plugin_t *this)
 {
-	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
-	this->attribute->destroy(this->attribute);
-	this->db->destroy(this->db);
 	free(this);
 }
 
@@ -63,36 +112,16 @@ METHOD(plugin_t, destroy, void,
 plugin_t *attr_sql_plugin_create()
 {
 	private_attr_sql_plugin_t *this;
-	char *uri;
-
-	uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database",
-												 NULL);
-	if (!uri)
-	{
-		DBG1(DBG_CFG, "attr-sql plugin: database URI not set");
-		return NULL;
-	}
 
 	INIT(this,
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
-		.db = lib->db->create(lib->db, uri),
 	);
 
-	if (!this->db)
-	{
-		DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
-		free(this);
-		return NULL;
-	}
-	this->attribute = sql_attribute_create(this->db);
-	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index a2000cffe..4e7c48e23 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -21,9 +21,9 @@
 #include <string.h>
 #include <errno.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 #include <utils/identification.h>
 #include <attributes/attributes.h>
 
@@ -495,6 +495,21 @@ static void add_addresses(char *pool, char *path, int timeout)
 		fclose(file);
 	}
 
+	if (family == AF_INET6)
+	{	/* update address family if necessary */
+		addr = host_create_from_string("%any6", 0);
+		if (db->execute(db, NULL,
+					"UPDATE pools SET start = ?, end = ? WHERE id = ?",
+					DB_BLOB, addr->get_address(addr),
+					DB_BLOB, addr->get_address(addr), DB_UINT, pool_id) <= 0)
+		{
+			addr->destroy(addr);
+			fprintf(stderr, "updating pool address family failed.\n");
+			exit(EXIT_FAILURE);
+		}
+		addr->destroy(addr);
+	}
+
 	commit_transaction();
 
 	printf("%d addresses done.\n", count);
@@ -1245,7 +1260,7 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "integrity check of pool failed\n");
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "pool.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
index 5c7397476..1d1ba8f58 100644
--- a/src/libhydra/plugins/attr_sql/pool_attributes.c
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
@@ -17,7 +17,7 @@
 #include <string.h>
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 
 #include "pool_attributes.h"
 #include "pool_usage.h"
@@ -75,6 +75,7 @@ static const attr_info_t attr_info[] = {
 	{ "unity_def_domain",     VALUE_STRING, UNITY_DEF_DOMAIN,     0 },
 	{ "unity_splitdns_name",  VALUE_STRING, UNITY_SPLITDNS_NAME,  0 },
 	{ "unity_split_include",  VALUE_SUBNET, UNITY_SPLIT_INCLUDE,  0 },
+	{ "unity_split_exclude",  VALUE_SUBNET, UNITY_LOCAL_LAN,      0 },
 	{ "unity_local_lan",      VALUE_SUBNET, UNITY_LOCAL_LAN,      0 },
 };
 
@@ -153,6 +154,7 @@ static bool parse_attributes(char *name, char *value, value_type_t *value_type,
 				memcpy(pos_addr,     addr_chunk.ptr, 4);
 				memcpy(pos_addr + 4, mask_chunk.ptr, 4);
 				addr->destroy(addr);
+				addr = NULL;
 				mask->destroy(mask);
 				chunk_free(blob);
 				*blob = blob_next;
@@ -492,7 +494,7 @@ void del_attr(char *name, char *pool, char *identity,
 			{
 				fprintf(stderr, "deleting %s attribute (%N) with value '%.*s'%s failed.\n",
 						 		name, configuration_attribute_type_names, type,
-								blob_db.len, blob_db.ptr, id_pool_str);
+								(int)blob_db.len, blob_db.ptr, id_pool_str);
 			}
 
 			else
@@ -514,7 +516,7 @@ void del_attr(char *name, char *pool, char *identity,
 		{
 			printf("deleted %s attribute (%N) with value '%.*s'%s.\n",
 				   name, configuration_attribute_type_names, type,
-				   blob_db.len, blob_db.ptr, id_pool_str);
+				   (int)blob_db.len, blob_db.ptr, id_pool_str);
 		}
 		else
 		{
@@ -555,7 +557,7 @@ void del_attr(char *name, char *pool, char *identity,
 				fprintf(stderr, "the %s attribute (%N) with value '%.*s'%s "
 								"was not found.\n", name,
 								 configuration_attribute_type_names, type,
-								 blob.len, blob.ptr, id_pool_str);
+								 (int)blob.len, blob.ptr, id_pool_str);
 			}
 		}
 	}
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index 714bbcd72..e91e1ed15 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -15,7 +15,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 
 #include "sql_attribute.h"
@@ -94,19 +94,26 @@ static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
 }
 
 /**
- * Lookup pool by name
+ * Lookup pool by name and address family
  */
-static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
+static u_int get_pool(private_sql_attribute_t *this, char *name, int family,
+					  u_int *timeout)
 {
 	enumerator_t *e;
+	chunk_t start;
 	u_int pool;
 
-	e = this->db->query(this->db, "SELECT id, timeout FROM pools WHERE name = ?",
-						DB_TEXT, name, DB_UINT, DB_UINT);
-	if (e && e->enumerate(e, &pool, timeout))
+	e = this->db->query(this->db,
+						"SELECT id, start, timeout FROM pools WHERE name = ?",
+						DB_TEXT, name, DB_UINT, DB_BLOB, DB_UINT);
+	if (e && e->enumerate(e, &pool, &start, timeout))
 	{
-		e->destroy(e);
-		return pool;
+		if ((family == AF_INET  && start.len == 4) ||
+			(family == AF_INET6 && start.len == 16))
+		{
+			e->destroy(e);
+			return pool;
+		}
 	}
 	DESTROY_IF(e);
 	return 0;
@@ -233,57 +240,42 @@ static host_t* get_lease(private_sql_attribute_t *this, char *name,
 }
 
 METHOD(attribute_provider_t, acquire_address, host_t*,
-	private_sql_attribute_t *this, char *names, identification_t *id,
+	private_sql_attribute_t *this, linked_list_t *pools, identification_t *id,
 	host_t *requested)
 {
+	enumerator_t *enumerator;
 	host_t *address = NULL;
 	u_int identity, pool, timeout;
+	char *name;
+	int family;
 
 	identity = get_identity(this, id);
 	if (identity)
 	{
-		/* check for a single pool first (no concatenation and enumeration) */
-		if (strchr(names, ',') == NULL)
+		family = requested->get_family(requested);
+		/* check for an existing lease in all pools */
+		enumerator = pools->create_enumerator(pools);
+		while (enumerator->enumerate(enumerator, &name))
 		{
-			pool = get_pool(this, names, &timeout);
+			pool = get_pool(this, name, family, &timeout);
 			if (pool)
 			{
-				/* check for an existing lease */
-				address = check_lease(this, names, pool, identity);
-				if (address == NULL)
+				address = check_lease(this, name, pool, identity);
+				if (address)
 				{
-					/* get an unallocated address or expired lease */
-					address = get_lease(this, names, pool, timeout, identity);
+					break;
 				}
 			}
 		}
-		else
-		{
-			enumerator_t *enumerator;
-			char *name;
-
-			/* in a first step check for an existing lease over all pools */
-			enumerator = enumerator_create_token(names, ",", " ");
-			while (enumerator->enumerate(enumerator, &name))
-			{
-				pool = get_pool(this, name, &timeout);
-				if (pool)
-				{
-					address = check_lease(this, name, pool, identity);
-					if (address)
-					{
-						enumerator->destroy(enumerator);
-						return address;
-					}
-				}
-			}
-			enumerator->destroy(enumerator);
+		enumerator->destroy(enumerator);
 
-			/* in a second step get an unallocated address or expired lease */
-			enumerator = enumerator_create_token(names, ",", " ");
+		if (!address)
+		{
+			/* get an unallocated address or expired lease */
+			enumerator = pools->create_enumerator(pools);
 			while (enumerator->enumerate(enumerator, &name))
 			{
-				pool = get_pool(this, name, &timeout);
+				pool = get_pool(this, name, family, &timeout);
 				if (pool)
 				{
 					address = get_lease(this, name, pool, timeout, identity);
@@ -300,20 +292,29 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 }
 
 METHOD(attribute_provider_t, release_address, bool,
-	private_sql_attribute_t *this, char *name, host_t *address,
+	private_sql_attribute_t *this, linked_list_t *pools, host_t *address,
 	identification_t *id)
 {
 	enumerator_t *enumerator;
-	bool found = FALSE;
+	u_int pool, timeout;
 	time_t now = time(NULL);
+	bool found = FALSE;
+	char *name;
+	int family;
 
-	enumerator = enumerator_create_token(name, ",", " ");
+	family = address->get_family(address);
+	enumerator = pools->create_enumerator(pools);
 	while (enumerator->enumerate(enumerator, &name))
 	{
-		u_int pool, timeout;
-
-		pool = get_pool(this, name, &timeout);
-		if (pool)
+		pool = get_pool(this, name, family, &timeout);
+		if (!pool)
+		{
+			continue;
+		}
+		if (this->db->execute(this->db, NULL,
+				"UPDATE addresses SET released = ? WHERE "
+				"pool = ? AND address = ?", DB_UINT, time(NULL),
+				DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0)
 		{
 			if (this->history)
 			{
@@ -324,29 +325,24 @@ METHOD(attribute_provider_t, release_address, bool,
 					DB_UINT, now, DB_UINT, pool,
 					DB_BLOB, address->get_address(address));
 			}
-			if (this->db->execute(this->db, NULL,
-					"UPDATE addresses SET released = ? WHERE "
-					"pool = ? AND address = ?", DB_UINT, time(NULL),
-					DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0)
-			{
-				found = TRUE;
-				break;
-			}
+			found = TRUE;
+			break;
 		}
 	}
 	enumerator->destroy(enumerator);
+
 	return found;
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
-	private_sql_attribute_t *this, char *names, identification_t *id,
-	host_t *vip)
+	private_sql_attribute_t *this, linked_list_t *pools, identification_t *id,
+	linked_list_t *vips)
 {
 	enumerator_t *attr_enumerator = NULL;
 
-	if (vip)
+	if (vips->get_count(vips))
 	{
-		enumerator_t *names_enumerator;
+		enumerator_t *pool_enumerator;
 		u_int count;
 		char *name;
 
@@ -357,8 +353,8 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 		{
 			u_int identity = get_identity(this, id);
 
-			names_enumerator = enumerator_create_token(names, ",", " ");
-			while (names_enumerator->enumerate(names_enumerator, &name))
+			pool_enumerator = pools->create_enumerator(pools);
+			while (pool_enumerator->enumerate(pool_enumerator, &name))
 			{
 				u_int attr_pool = get_attr_pool(this, name);
 				if (!attr_pool)
@@ -385,14 +381,14 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 				DESTROY_IF(attr_enumerator);
 				attr_enumerator = NULL;
 			}
-			names_enumerator->destroy(names_enumerator);
+			pool_enumerator->destroy(pool_enumerator);
 		}
 
 		/* in a second step check for attributes that match name */
 		if (!attr_enumerator)
 		{
-			names_enumerator = enumerator_create_token(names, ",", " ");
-			while (names_enumerator->enumerate(names_enumerator, &name))
+			pool_enumerator = pools->create_enumerator(pools);
+			while (pool_enumerator->enumerate(pool_enumerator, &name))
 			{
 				u_int attr_pool = get_attr_pool(this, name);
 				if (!attr_pool)
@@ -419,7 +415,7 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 				DESTROY_IF(attr_enumerator);
 				attr_enumerator = NULL;
 			}
-			names_enumerator->destroy(names_enumerator);
+			pool_enumerator->destroy(pool_enumerator);
 		}
 
 		this->db->execute(this->db, NULL, "END TRANSACTION");
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.am b/src/libhydra/plugins/kernel_klips/Makefile.am
index df639b255..1b98cab06 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.am
+++ b/src/libhydra/plugins/kernel_klips/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index 63f3e045b..81208b5ca 100644
--- a/src/libhydra/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_klips_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_kernel_klips_la_OBJECTS = kernel_klips_plugin.lo \
 	kernel_klips_ipsec.lo
 libstrongswan_kernel_klips_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_klips_la_OBJECTS)
-libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_klips_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_klips_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_kernel_klips_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_kernel_klips_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_klips_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,8 +345,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
 libstrongswan_kernel_klips_la_SOURCES = \
@@ -338,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
+libstrongswan-kernel-klips.la: $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_klips_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_kernel_klips_la_LINK) $(am_libstrongswan_kernel_klips_la_rpath) $(libstrongswan_kernel_klips_la_OBJECTS) $(libstrongswan_kernel_klips_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -380,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_klips_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -505,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index ceff8cdc9..82f80fd4c 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -29,8 +29,8 @@
 #include "kernel_klips_ipsec.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
@@ -78,7 +78,7 @@
 /** this is the default number of ipsec devices */
 #define DEFAULT_IPSEC_DEV_COUNT 4
 /** TRUE if the given name matches an ipsec device */
-#define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
+#define IS_IPSEC_DEV(name) (strpfx((name), IPSEC_DEV_PREFIX))
 
 /** the following stuff is from ipsec_tunnel.h */
 struct ipsectunnelconf
@@ -138,11 +138,6 @@ struct private_kernel_klips_ipsec_t
 	linked_list_t *ipsec_devices;
 
 	/**
-	 * job receiving PF_KEY events
-	 */
-	callback_job_t *job;
-
-	/**
 	 * mutex to lock access to the PF_KEY socket
 	 */
 	mutex_t *mutex_pfkey;
@@ -825,8 +820,22 @@ static kernel_algorithm_t compression_algs[] = {
 /**
  * Look up a kernel algorithm ID and its key size
  */
-static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+static int lookup_algorithm(transform_type_t type, int ikev2)
 {
+	kernel_algorithm_t *list;
+	int alg = 0;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			list = encryption_algs;
+			break;
+		case INTEGRITY_ALGORITHM:
+			list = integrity_algs;
+			break;
+		default:
+			return 0;
+	}
 	while (list->ikev2 != END_OF_LIST)
 	{
 		if (ikev2 == list->ikev2)
@@ -835,7 +844,9 @@ static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
 		}
 		list++;
 	}
-	return 0;
+	hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2,
+											  type, &alg, NULL);
+	return alg;
 }
 
 /**
@@ -1525,12 +1536,12 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	u_int32_t spi_gen;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen))
 	{
-		DBG1(DBG_KNL, "allocating SPI failed: no RNG");
+		DBG1(DBG_KNL, "allocating SPI failed");
+		DESTROY_IF(rng);
 		return FAILED;
 	}
-	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
 	rng->destroy(rng);
 
 	/* allocated SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
@@ -1671,8 +1682,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
+	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1718,8 +1729,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa->sadb_sa_spi = spi;
 	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
-	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
 	PFKEY_EXT_ADD(msg, sa);
 
 	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
@@ -1899,7 +1910,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	return NOT_SUPPORTED;  /* TODO */
 }
@@ -2010,7 +2022,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	else
 	{
 		/* apply the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
+		this->policies->insert_first(this->policies, policy);
 	}
 
 	if (priority == POLICY_PRIORITY_ROUTED)
@@ -2076,7 +2088,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	this->mutex->lock(this->mutex);
 
 	/* we try to find the policy again and install the route if needed */
-	if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
+	if (this->policies->find_first(this->policies, NULL,
+								  (void**)&policy) != SUCCESS)
 	{
 		this->mutex->unlock(this->mutex);
 		DBG2(DBG_KNL, "the policy %R === %R %N is already gone, ignoring",
@@ -2097,7 +2110,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	 */
 	if (policy->route == NULL && direction == POLICY_OUT)
 	{
-		char *iface;
+		char *iface = NULL;
 		ipsec_dev_t *dev;
 		route_entry_t *route = malloc_thing(route_entry_t);
 		route->src_ip = NULL;
@@ -2106,7 +2119,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 			this->install_routes)
 		{
 			hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-													   src_ts, &route->src_ip);
+												src_ts, &route->src_ip, NULL);
 		}
 
 		if (!route->src_ip)
@@ -2115,8 +2128,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		}
 
 		/* find the virtual interface */
-		iface = hydra->kernel_interface->get_interface(hydra->kernel_interface,
-													   src);
+		hydra->kernel_interface->get_interface(hydra->kernel_interface,
+											   src, &iface);
 		if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
 		{
 			/* above, we got either the name of a virtual or a physical
@@ -2163,7 +2176,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 		/* get the nexthop to dst */
 		route->gateway = hydra->kernel_interface->get_nexthop(
-												hydra->kernel_interface, dst);
+								hydra->kernel_interface, dst, route->src_ip);
 		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
 		route->prefixlen = policy->dst.mask;
 
@@ -2320,7 +2333,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 	while (fgets(line, sizeof(line), file))
 	{
-		if (strneq(line, said, strlen(said)))
+		if (strpfx(line, said))
 		{
 			/* fine we found the correct line, now find the idle time */
 			u_int32_t idle_time;
@@ -2542,20 +2555,9 @@ static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8
 	return SUCCESS;
 }
 
-METHOD(kernel_ipsec_t, bypass_socket, bool,
-	private_kernel_klips_ipsec_t *this, int fd, int family)
-{
-	/* KLIPS does not need a bypass policy for IKE */
-	return TRUE;
-}
-
 METHOD(kernel_ipsec_t, destroy, void,
 	private_kernel_klips_ipsec_t *this)
 {
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
 	if (this->socket > 0)
 	{
 		close(this->socket);
@@ -2594,7 +2596,10 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 				.query_policy = _query_policy,
 				.del_policy = _del_policy,
 				.flush_policies = (void*)return_failed,
-				.bypass_socket = _bypass_socket,
+				/* KLIPS does not need a bypass policy for IKE */
+				.bypass_socket = (void*)return_true,
+				/* KLIPS does not need enabling UDP decap explicitly */
+				.enable_udp_decap = (void*)return_true,
 				.destroy = _destroy,
 			},
 		},
@@ -2639,10 +2644,9 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 		return NULL;
 	}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
-									this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_events,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am
index 1ad379421..ad573523e 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.am
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.am
@@ -1,10 +1,12 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DROUTING_TABLE=${routing_table} \
+	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 73dbdd0e3..9cb988c8d 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_netlink_la_LIBADD =
@@ -80,49 +104,77 @@ am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \
 	kernel_netlink_shared.lo
 libstrongswan_kernel_netlink_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_netlink_la_OBJECTS)
-libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_netlink_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -131,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -150,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -189,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -197,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -207,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -228,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -248,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -285,12 +346,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DROUTING_TABLE=${routing_table} \
+	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
-AM_CFLAGS = -rdynamic \
--DROUTING_TABLE=${routing_table} \
--DROUTING_TABLE_PRIO=${routing_table_prio}
+AM_CFLAGS = \
+	-rdynamic
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-netlink.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
@@ -346,7 +410,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -354,6 +417,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -375,8 +440,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
+libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_netlink_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -390,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -515,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index b2cf778be..b34fa149c 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2011 Tobias Brunner
+ * Copyright (C) 2006-2012 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
@@ -36,12 +36,10 @@
 #include "kernel_netlink_shared.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <threading/thread.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
-#include <utils/hashtable.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/callback_job.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 
 /** Required for Linux 2.6.26 kernel and later */
 #ifndef XFRM_STATE_AF_UNSPEC
@@ -58,6 +56,20 @@
 #define IPV6_XFRM_POLICY 34
 #endif /*IPV6_XFRM_POLICY*/
 
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif
+
+/* this is not defined on some platforms */
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
 /** Default priority of installed policies */
 #define PRIO_BASE 512
 
@@ -81,12 +93,6 @@
 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
 										   NLMSG_ALIGN(sizeof(x))))
 /**
- * Returns a pointer to the next rtattr following rta.
- * !!! Do not use this to parse messages. Use RTA_NEXT and RTA_OK instead !!!
- */
-#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + \
-											 RTA_ALIGN((rta)->rta_len)))
-/**
  * Returns the total size of attached rta data
  * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
  */
@@ -162,8 +168,6 @@ ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_REPLAY_ESN_VAL,
 	"XFRMA_REPLAY_ESN_VAL",
 );
 
-#define END_OF_LIST -1
-
 /**
  * Algorithms for encryption
  */
@@ -194,7 +198,6 @@ static kernel_algorithm_t encryption_algs[] = {
 /*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
 	{ENCR_SERPENT_CBC,			"serpent"			},
 	{ENCR_TWOFISH_CBC,			"twofish"			},
-	{END_OF_LIST,				NULL				}
 };
 
 /**
@@ -212,7 +215,6 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
-	{END_OF_LIST,				NULL				}
 };
 
 /**
@@ -223,21 +225,45 @@ static kernel_algorithm_t compression_algs[] = {
 	{IPCOMP_DEFLATE,			"deflate"			},
 	{IPCOMP_LZS,				"lzs"				},
 	{IPCOMP_LZJH,				"lzjh"				},
-	{END_OF_LIST,				NULL				}
 };
 
 /**
  * Look up a kernel algorithm name and its key size
  */
-static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+static char* lookup_algorithm(transform_type_t type, int ikev2)
 {
-	while (list->ikev2 != END_OF_LIST)
+	kernel_algorithm_t *list;
+	int i, count;
+	char *name;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			list = encryption_algs;
+			count = countof(encryption_algs);
+			break;
+		case INTEGRITY_ALGORITHM:
+			list = integrity_algs;
+			count = countof(integrity_algs);
+			break;
+		case COMPRESSION_ALGORITHM:
+			list = compression_algs;
+			count = countof(compression_algs);
+			break;
+		default:
+			return NULL;
+	}
+	for (i = 0; i < count; i++)
 	{
-		if (list->ikev2 == ikev2)
+		if (list[i].ikev2 == ikev2)
 		{
-			return list->name;
+			return list[i].name;
 		}
-		list++;
+	}
+	if (hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface,
+												  ikev2, type, NULL, &name))
+	{
+		return name;
 	}
 	return NULL;
 }
@@ -269,11 +295,6 @@ struct private_kernel_netlink_ipsec_t {
 	hashtable_t *sas;
 
 	/**
-	 * Job receiving netlink events
-	 */
-	callback_job_t *job;
-
-	/**
 	 * Netlink xfrm socket (IPsec)
 	 */
 	netlink_socket_t *socket_xfrm;
@@ -294,12 +315,12 @@ struct private_kernel_netlink_ipsec_t {
 	bool policy_history;
 
 	/**
-	 * Size of the replay window, in packets
+	 * Size of the replay window, in packets (= bits)
 	 */
 	u_int32_t replay_window;
 
 	/**
-	 * Size of the replay window bitmap, in bytes
+	 * Size of the replay window bitmap, in number of __u32 blocks
 	 */
 	u_int32_t replay_bmp;
 };
@@ -344,8 +365,8 @@ static void route_entry_destroy(route_entry_t *this)
 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
 {
 	return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
-		   a->src_ip->equals(a->src_ip, b->src_ip) &&
-		   a->gateway->equals(a->gateway, b->gateway) &&
+		   a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+		   a->gateway->ip_equals(a->gateway, b->gateway) &&
 		   chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
 }
 
@@ -535,6 +556,9 @@ struct policy_entry_t {
 
 	/** List of SAs this policy is used by, ordered by priority */
 	linked_list_t *used_by;
+
+	/** reqid for this policy */
+	u_int32_t reqid;
 };
 
 /**
@@ -562,9 +586,8 @@ static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
  */
 static u_int policy_hash(policy_entry_t *key)
 {
-	chunk_t chunk = chunk_create((void*)&key->sel,
-							sizeof(struct xfrm_selector) + sizeof(u_int32_t));
-	return chunk_hash(chunk);
+	chunk_t chunk = chunk_from_thing(key->sel);
+	return chunk_hash_inc(chunk, chunk_hash(chunk_from_thing(key->mark)));
 }
 
 /**
@@ -572,8 +595,8 @@ static u_int policy_hash(policy_entry_t *key)
  */
 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
 {
-	return memeq(&key->sel, &other_key->sel,
-				 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
+	return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
+		   key->mark == other_key->mark &&
 		   key->direction == other_key->direction;
 }
 
@@ -760,7 +783,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 	if (host)
 	{
 		return traffic_selector_create_from_subnet(host, prefixlen,
-												   sel->proto, port);
+											sel->proto, port, port ?: 65535);
 	}
 	return NULL;
 }
@@ -947,40 +970,37 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 /**
  * Receives events from kernel
  */
-static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
+static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
+						   watcher_event_t event)
 {
 	char response[1024];
 	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 	struct sockaddr_nl addr;
 	socklen_t addr_len = sizeof(addr);
 	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
 
+	len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
+				   MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
 				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			case EAGAIN:
 				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
 	if (addr.nl_pid != 0)
 	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 
 	while (NLMSG_OK(hdr, len))
@@ -1006,7 +1026,13 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
 		}
 		hdr = NLMSG_NEXT(hdr, len);
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+	private_kernel_netlink_ipsec_t *this)
+{
+	return KERNEL_ESP_V3_TFC;
 }
 
 /**
@@ -1117,12 +1143,32 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 	return SUCCESS;
 }
 
+/**
+ * Add a XFRM mark to message if required
+ */
+static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
+{
+	if (mark.value)
+	{
+		struct xfrm_mark *xmrk;
+
+		xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk));
+		if (!xmrk)
+		{
+			return FALSE;
+		}
+		xmrk->v = mark.value;
+		xmrk->m = mark.mask;
+	}
+	return TRUE;
+}
+
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool encap, bool esn, bool inbound,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
 	netlink_buf_t request;
@@ -1139,7 +1185,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
 		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
 			   tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
-			   chunk_empty, mode, ipcomp, 0, FALSE, FALSE, inbound, NULL, NULL);
+			   chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
+			   NULL, NULL);
 		ipcomp = IPCOMP_NONE;
 		/* use transport mode ESP SA, IPComp uses tunnel mode */
 		mode = MODE_TRANSPORT;
@@ -1147,16 +1194,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}  (mark "
-					  "%u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
-					   ntohl(spi), reqid);
-	}
+	DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}  (mark "
+				  "%u/0x%08x)", ntohl(spi), reqid, mark.value, mark.mask);
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
@@ -1179,6 +1219,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			if(src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
+				/* don't install proto/port on SA. This would break
+				 * potential secondary SAs for the same address using a
+				 * different prot/port. */
+				sa->sel.proto = 0;
+				sa->sel.dport = sa->sel.dport_mask = 0;
+				sa->sel.sport = sa->sel.sport_mask = 0;
 			}
 			break;
 		default:
@@ -1196,8 +1242,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa->lft.soft_use_expires_seconds = 0;
 	sa->lft.hard_use_expires_seconds = 0;
 
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-
 	switch (enc_alg)
 	{
 		case ENCR_UNDEFINED:
@@ -1220,39 +1264,34 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		{
 			struct xfrm_algo_aead *algo;
 
-			alg_name = lookup_algorithm(encryption_algs, enc_alg);
+			alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
 			if (alg_name == NULL)
 			{
 				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
-					 encryption_algorithm_names, enc_alg);
-				goto failed;
+						 encryption_algorithm_names, enc_alg);
+					goto failed;
 			}
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 
-			rthdr->rta_type = XFRMA_ALG_AEAD;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) +
-										enc_key.len);
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD,
+								   sizeof(*algo) + enc_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
 			algo->alg_icv_len = icv_size;
-			strcpy(algo->alg_name, alg_name);
+			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
+			algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
 			break;
 		}
 		default:
 		{
 			struct xfrm_algo *algo;
 
-			alg_name = lookup_algorithm(encryption_algs, enc_alg);
+			alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
 			if (alg_name == NULL)
 			{
 				DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -1262,20 +1301,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
 				 encryption_algorithm_names, enc_alg, enc_key.len * 8);
 
-			rthdr->rta_type = XFRMA_ALG_CRYPT;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT,
+								   sizeof(*algo) + enc_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 			algo->alg_key_len = enc_key.len * 8;
-			strcpy(algo->alg_name, alg_name);
+			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
+			algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 			memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-
-			rthdr = XFRM_RTA_NEXT(rthdr);
 		}
 	}
 
@@ -1283,7 +1318,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	{
 		u_int trunc_len = 0;
 
-		alg_name = lookup_algorithm(integrity_algs, int_alg);
+		alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
 		if (alg_name == NULL)
 		{
 			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -1313,47 +1348,40 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			/* the kernel uses SHA256 with 96 bit truncation by default,
 			 * use specified truncation size supported by newer kernels.
 			 * also use this for untruncated MD5 and SHA1. */
-			rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) +
-										int_key.len);
-
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
+								   sizeof(*algo) + int_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
 			algo->alg_key_len = int_key.len * 8;
 			algo->alg_trunc_len = trunc_len;
-			strcpy(algo->alg_name, alg_name);
+			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
+			algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 			memcpy(algo->alg_key, int_key.ptr, int_key.len);
 		}
 		else
 		{
 			struct xfrm_algo* algo;
 
-			rthdr->rta_type = XFRMA_ALG_AUTH;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
-
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH,
+								   sizeof(*algo) + int_key.len);
+			if (!algo)
 			{
 				goto failed;
 			}
-
-			algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 			algo->alg_key_len = int_key.len * 8;
-			strcpy(algo->alg_name, alg_name);
+			strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
+			algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 			memcpy(algo->alg_key, int_key.ptr, int_key.len);
 		}
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
 	if (ipcomp != IPCOMP_NONE)
 	{
-		rthdr->rta_type = XFRMA_ALG_COMP;
-		alg_name = lookup_algorithm(compression_algs, ipcomp);
+		struct xfrm_algo* algo;
+
+		alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
 		if (alg_name == NULL)
 		{
 			DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
@@ -1363,34 +1391,26 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		DBG2(DBG_KNL, "  using compression algorithm %N",
 			 ipcomp_transform_names, ipcomp);
 
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP,
+							   sizeof(*algo));
+		if (!algo)
 		{
 			goto failed;
 		}
-
-		struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
 		algo->alg_key_len = 0;
-		strcpy(algo->alg_name, alg_name);
-
-		rthdr = XFRM_RTA_NEXT(rthdr);
+		strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
+		algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
 	}
 
 	if (encap)
 	{
 		struct xfrm_encap_tmpl *tmpl;
 
-		rthdr->rta_type = XFRMA_ENCAP;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
+		if (!tmpl)
 		{
 			goto failed;
 		}
-
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
 		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
 		tmpl->encap_sport = htons(src->get_port(src));
 		tmpl->encap_dport = htons(dst->get_port(dst));
@@ -1405,44 +1425,24 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		 * No. The reason the kernel ignores NAT-OA is that it recomputes
 		 * (or, rather, just ignores) the checksum. If packets pass the IPsec
 		 * checks it marks them "checksum ok" so OA isn't needed. */
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			goto failed;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-		rthdr = XFRM_RTA_NEXT(rthdr);
+		goto failed;
 	}
 
 	if (tfc)
 	{
 		u_int32_t *tfcpad;
 
-		rthdr->rta_type = XFRMA_TFCPAD;
-		rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
+								 sizeof(*tfcpad));
+		if (!tfcpad)
 		{
 			goto failed;
 		}
-
-		tfcpad = (u_int32_t*)RTA_DATA(rthdr);
 		*tfcpad = tfc;
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
 	if (protocol != IPPROTO_COMP)
@@ -1453,24 +1453,18 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
 			struct xfrm_replay_state_esn *replay;
 
-			rthdr->rta_type = XFRMA_REPLAY_ESN_VAL;
-			rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
-										(this->replay_window + 7) / 8);
-
-			hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-			if (hdr->nlmsg_len > sizeof(request))
+			replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
+							sizeof(*replay) + (this->replay_window + 7) / 8);
+			if (!replay)
 			{
 				goto failed;
 			}
-
-			replay = (struct xfrm_replay_state_esn*)RTA_DATA(rthdr);
 			/* bmp_len contains number uf __u32's */
 			replay->bmp_len = this->replay_bmp;
 			replay->replay_window = this->replay_window;
-			DBG2(DBG_KNL, "  using replay window of %u bytes",
+			DBG2(DBG_KNL, "  using replay window of %u packets",
 				 this->replay_window);
 
-			rthdr = XFRM_RTA_NEXT(rthdr);
 			if (esn)
 			{
 				DBG2(DBG_KNL, "  using extended sequence numbers (ESN)");
@@ -1479,7 +1473,9 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		}
 		else
 		{
-			sa->replay_window = DEFAULT_REPLAY_WINDOW;
+			DBG2(DBG_KNL, "  using replay window of %u packets",
+				 this->replay_window);
+			sa->replay_window = this->replay_window;
 		}
 	}
 
@@ -1488,7 +1484,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		if (mark.value)
 		{
 			DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x  "
-						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
+						  "(mark %u/0x%08x)", ntohl(spi), mark.value, mark.mask);
 		}
 		else
 		{
@@ -1510,7 +1506,8 @@ failed:
  * Allocates into one the replay state structure we get from the kernel.
  */
 static void get_replay_state(private_kernel_netlink_ipsec_t *this,
-							 u_int32_t spi, u_int8_t protocol, host_t *dst,
+							 u_int32_t spi, u_int8_t protocol,
+							 host_t *dst, mark_t mark,
 							 struct xfrm_replay_state_esn **replay_esn,
 							 struct xfrm_replay_state **replay)
 {
@@ -1539,6 +1536,11 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 	aevent_id->sa_id.proto = protocol;
 	aevent_id->sa_id.family = dst->get_family(dst);
 
+	if (!add_mark(hdr, sizeof(request), mark))
+	{
+		return;
+	}
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1597,7 +1599,8 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *out = NULL, *hdr;
@@ -1608,15 +1611,9 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x  (mark %u/0x%8x)",
-					   ntohl(spi), mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-	}
+	DBG2(DBG_KNL, "querying SAD entry with SPI %.8x  (mark %u/0x%08x)",
+				   ntohl(spi), mark.value, mark.mask);
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETSA;
@@ -1628,22 +1625,9 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -1665,7 +1649,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 					if (mark.value)
 					{
 						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x  "
-									  "(mark %u/0x%8x) failed: %s (%d)",
+									  "(mark %u/0x%08x) failed: %s (%d)",
 									   ntohl(spi), mark.value, mark.mask,
 									   strerror(-err->error), -err->error);
 					}
@@ -1693,7 +1677,20 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	}
 	else
 	{
-		*bytes = sa->curlft.bytes;
+		if (bytes)
+		{
+			*bytes = sa->curlft.bytes;
+		}
+		if (packets)
+		{
+			*packets = sa->curlft.packets;
+		}
+		if (time)
+		{	/* curlft contains an "use" time, but that contains a timestamp
+			 * of the first use, not the last. Last use time must be queried
+			 * on the policy on Linux */
+			*time = 0;
+		}
 		status = SUCCESS;
 	}
 	memwipe(out, len);
@@ -1717,15 +1714,9 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x  (mark %u/0x%8x)",
-					   ntohl(spi), mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-	}
+	DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x  (mark %u/0x%08x)",
+				   ntohl(spi), mark.value, mark.mask);
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_DELSA;
@@ -1737,48 +1728,32 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
-	}
-
-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-	{
-		if (mark.value)
-		{
-			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x  "
-						  "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
-		}
-		else
-		{
-			DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x",
-						   ntohl(spi));
-		}
 		return FAILED;
 	}
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x  (mark %u/0x%8x)",
-					   ntohl(spi), mark.value, mark.mask);
-	}
-	else
+
+	switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
 	{
-		DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
+		case SUCCESS:
+			DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%08x)",
+				 ntohl(spi), mark.value, mark.mask);
+			return SUCCESS;
+		case NOT_FOUND:
+			return NOT_FOUND;
+		default:
+			if (mark.value)
+			{
+				DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x "
+					 "(mark %u/0x%08x)", ntohl(spi), mark.value, mark.mask);
+			}
+			else
+			{
+				DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x",
+					 ntohl(spi));
+			}
+			return FAILED;
 	}
-	return SUCCESS;
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
@@ -1787,7 +1762,6 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	bool old_encap, bool new_encap, mark_t mark)
 {
 	netlink_buf_t request;
-	u_char *pos;
 	struct nlmsghdr *hdr, *out = NULL;
 	struct xfrm_usersa_id *sa_id;
 	struct xfrm_usersa_info *out_sa = NULL, *sa;
@@ -1822,6 +1796,11 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
+	if (!add_mark(hdr, sizeof(request), mark))
+	{
+		return FAILED;
+	}
+
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
@@ -1856,7 +1835,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 		goto failed;
 	}
 
-	get_replay_state(this, spi, protocol, dst, &replay_esn, &replay);
+	get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay);
 
 	/* delete the old SA (without affecting the IPComp SA) */
 	if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
@@ -1870,11 +1849,11 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 				   ntohl(spi), src, dst, new_src, new_dst);
 	/* copy over the SA from out to request */
 	hdr = (struct nlmsghdr*)request;
-	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 	hdr->nlmsg_type = XFRM_MSG_NEWSA;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
 	sa = NLMSG_DATA(hdr);
+	memcpy(sa, NLMSG_DATA(out), sizeof(struct xfrm_usersa_info));
 	sa->family = new_dst->get_family(new_dst);
 
 	if (!src->ip_equals(src, new_src))
@@ -1888,75 +1867,60 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 	rta = XFRM_RTA(out, struct xfrm_usersa_info);
 	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
-	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
-	while(RTA_OK(rta, rtasize))
+	while (RTA_OK(rta, rtasize))
 	{
 		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
 		if (rta->rta_type != XFRMA_ENCAP || new_encap)
 		{
 			if (rta->rta_type == XFRMA_ENCAP)
 			{	/* update encap tmpl */
-				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+				tmpl = RTA_DATA(rta);
 				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
 				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
 			}
-			memcpy(pos, rta, rta->rta_len);
-			pos += RTA_ALIGN(rta->rta_len);
-			hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
+			netlink_add_attribute(hdr, rta->rta_type,
+								  chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)),
+								  sizeof(request));
 		}
 		rta = RTA_NEXT(rta, rtasize);
 	}
 
-	rta = (struct rtattr*)pos;
 	if (tmpl == NULL && new_encap)
 	{	/* add tmpl if we are enabling it */
-		rta->rta_type = XFRMA_ENCAP;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-
-		hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
+		if (!tmpl)
 		{
 			goto failed;
 		}
-
-		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
 		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
 		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
 		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
 		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-
-		rta = XFRM_RTA_NEXT(rta);
 	}
 
 	if (replay_esn)
 	{
-		rta->rta_type = XFRMA_REPLAY_ESN_VAL;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
-								  this->replay_bmp);
+		struct xfrm_replay_state_esn *state;
 
-		hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
+								sizeof(*state) + this->replay_bmp);
+		if (!state)
 		{
 			goto failed;
 		}
-		memcpy(RTA_DATA(rta), replay_esn,
-			   sizeof(struct xfrm_replay_state_esn) + this->replay_bmp);
-
-		rta = XFRM_RTA_NEXT(rta);
+		memcpy(state, replay_esn, sizeof(*state) + this->replay_bmp);
 	}
 	else if (replay)
 	{
-		rta->rta_type = XFRMA_REPLAY_VAL;
-		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
+		struct xfrm_replay_state *state;
 
-		hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
+		state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL,
+								sizeof(*state));
+		if (!state)
 		{
 			goto failed;
 		}
-		memcpy(RTA_DATA(rta), replay, sizeof(replay));
-
-		rta = XFRM_RTA_NEXT(rta);
+		memcpy(state, replay, sizeof(*state));
 	}
 	else
 	{
@@ -2053,11 +2017,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 	policy_info->lft.soft_use_expires_seconds = 0;
 	policy_info->lft.hard_use_expires_seconds = 0;
 
-	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
-
 	if (mapping->type == POLICY_IPSEC)
 	{
-		struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+		struct xfrm_user_tmpl *tmpl;
 		struct {
 			u_int8_t proto;
 			bool use;
@@ -2067,26 +2029,30 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			{ IPPROTO_AH, ipsec->cfg.ah.use },
 		};
 		ipsec_mode_t proto_mode = ipsec->cfg.mode;
-
-		rthdr->rta_type = XFRMA_TMPL;
-		rthdr->rta_len = 0; /* actual length is set below */
+		int count = 0;
 
 		for (i = 0; i < countof(protos); i++)
 		{
-			if (!protos[i].use)
+			if (protos[i].use)
 			{
-				continue;
+				count++;
 			}
+		}
+		tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL,
+							   count * sizeof(*tmpl));
+		if (!tmpl)
+		{
+			this->mutex->unlock(this->mutex);
+			return FAILED;
+		}
 
-			rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-			hdr->nlmsg_len += RTA_ALIGN(RTA_LENGTH(sizeof(struct xfrm_user_tmpl)));
-			if (hdr->nlmsg_len > sizeof(request))
+		for (i = 0; i < countof(protos); i++)
+		{
+			if (!protos[i].use)
 			{
-				this->mutex->unlock(this->mutex);
-				return FAILED;
+				continue;
 			}
-
-			tmpl->reqid = ipsec->cfg.reqid;
+			tmpl->reqid = policy->reqid;
 			tmpl->id.proto = protos[i].proto;
 			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 			tmpl->mode = mode2kernel(proto_mode);
@@ -2094,7 +2060,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 							 policy->direction != POLICY_OUT;
 			tmpl->family = ipsec->src->get_family(ipsec->src);
 
-			if (proto_mode == MODE_TUNNEL)
+			if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET)
 			{	/* only for tunnel mode */
 				host2xfrm(ipsec->src, &tmpl->saddr);
 				host2xfrm(ipsec->dst, &tmpl->id.daddr);
@@ -2105,27 +2071,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			/* use transport mode for other SAs */
 			proto_mode = MODE_TRANSPORT;
 		}
-
-		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 
-	if (ipsec->mark.value)
+	if (!add_mark(hdr, sizeof(request), ipsec->mark))
 	{
-		struct xfrm_mark *mrk;
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			this->mutex->unlock(this->mutex);
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = ipsec->mark.value;
-		mrk->m = ipsec->mark.mask;
+		this->mutex->unlock(this->mutex);
+		return FAILED;
 	}
 	this->mutex->unlock(this->mutex);
 
@@ -2147,29 +2098,41 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 
 	/* install a route, if:
 	 * - this is a forward policy (to just get one for each child)
-	 * - we are in tunnel/BEET mode
+	 * - we are in tunnel/BEET mode or install a bypass policy
 	 * - routing is not disabled via strongswan.conf
 	 */
-	if (policy->direction == POLICY_FWD &&
-		ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
+	if (policy->direction == POLICY_FWD && this->install_routes &&
+		(mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
 	{
-		route_entry_t *route = malloc_thing(route_entry_t);
 		policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
+		route_entry_t *route;
+		host_t *iface;
+
+		INIT(route,
+			.prefixlen = policy->sel.prefixlen_s,
+		);
 
 		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-				fwd->dst_ts, &route->src_ip) == SUCCESS)
+				fwd->dst_ts, &route->src_ip, NULL) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD) */
 			route->gateway = hydra->kernel_interface->get_nexthop(
-										hydra->kernel_interface, ipsec->src);
-			/* install route via outgoing interface */
-			route->if_name = hydra->kernel_interface->get_interface(
-										hydra->kernel_interface, ipsec->dst);
+											hydra->kernel_interface, ipsec->src,
+											ipsec->dst);
 			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
 			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
-			route->prefixlen = policy->sel.prefixlen_s;
 
-			if (!route->if_name)
+			/* get the interface to install the route for. If we have a local
+			 * address, use it. Otherwise (for shunt policies) use the
+			 * routes source address. */
+			iface = ipsec->dst;
+			if (iface->is_anyaddr(iface))
+			{
+				iface = route->src_ip;
+			}
+			/* install route via outgoing interface */
+			if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
+														iface, &route->if_name))
 			{
 				this->mutex->unlock(this->mutex);
 				route_entry_destroy(route);
@@ -2180,12 +2143,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			{
 				route_entry_t *old = policy->route;
 				if (route_entry_equals(old, route))
-				{	/* keep previously installed route. since it might have
-					 * still been removed by an address change, we install it
-					 * again but ignore the result */
-					hydra->kernel_interface->add_route(hydra->kernel_interface,
-							route->dst_net, route->prefixlen, route->gateway,
-							route->src_ip, route->if_name);
+				{
 					this->mutex->unlock(this->mutex);
 					route_entry_destroy(route);
 					return SUCCESS;
@@ -2250,6 +2208,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		.sel = ts2selector(src_ts, dst_ts),
 		.mark = mark.value & mark.mask,
 		.direction = direction,
+		.reqid = sa->reqid,
 	);
 
 	/* find the policy, which matches EXACTLY */
@@ -2257,20 +2216,21 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	current = this->policies->get(this->policies, policy);
 	if (current)
 	{
-		/* use existing policy */
-		if (mark.value)
-		{
-			DBG2(DBG_KNL, "policy %R === %R %N  (mark %u/0x%8x) "
-						  "already exists, increasing refcount",
-						   src_ts, dst_ts, policy_dir_names, direction,
-						   mark.value, mark.mask);
-		}
-		else
+		if (current->reqid != sa->reqid)
 		{
-			DBG2(DBG_KNL, "policy %R === %R %N "
-						  "already exists, increasing refcount",
-						   src_ts, dst_ts, policy_dir_names, direction);
+			DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark "
+				 "%u/0x%08x) for reqid %u, the same policy for reqid %u exists",
+				 src_ts, dst_ts, policy_dir_names, direction,
+				 mark.value, mark.mask, sa->reqid, current->reqid);
+			policy_entry_destroy(this, policy);
+			this->mutex->unlock(this->mutex);
+			return INVALID_STATE;
 		}
+		/* use existing policy */
+		DBG2(DBG_KNL, "policy %R === %R %N  (mark %u/0x%08x) "
+					  "already exists, increasing refcount",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
 		policy_entry_destroy(this, policy);
 		policy = current;
 		found = TRUE;
@@ -2314,18 +2274,9 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		return SUCCESS;
 	}
 
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "%s policy %R === %R %N  (mark %u/0x%8x)",
-					   found ? "updating" : "adding", src_ts, dst_ts,
-					   policy_dir_names, direction, mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "%s policy %R === %R %N",
-					   found ? "updating" : "adding", src_ts, dst_ts,
-					   policy_dir_names, direction);
-	}
+	DBG2(DBG_KNL, "%s policy %R === %R %N  (mark %u/0x%08x)",
+				   found ? "updating" : "adding", src_ts, dst_ts,
+				   policy_dir_names, direction, mark.value, mark.mask);
 
 	if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
 	{
@@ -2350,17 +2301,10 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 	memset(&request, 0, sizeof(request));
 
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "querying policy %R === %R %N  (mark %u/0x%8x)",
-					   src_ts, dst_ts, policy_dir_names, direction,
-					   mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
-					   policy_dir_names, direction);
-	}
+	DBG2(DBG_KNL, "querying policy %R === %R %N  (mark %u/0x%08x)",
+				   src_ts, dst_ts, policy_dir_names, direction,
+				   mark.value, mark.mask);
+
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
@@ -2370,23 +2314,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 	policy_id->sel = ts2selector(src_ts, dst_ts);
 	policy_id->dir = direction;
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -2454,17 +2384,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	bool is_installed = TRUE;
 	u_int32_t priority;
 
-	if (mark.value)
-	{
-		DBG2(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x)",
-					   src_ts, dst_ts, policy_dir_names, direction,
-					   mark.value, mark.mask);
-	}
-	else
-	{
-		DBG2(DBG_KNL, "deleting policy %R === %R %N",
-					   src_ts, dst_ts, policy_dir_names, direction);
-	}
+	DBG2(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%08x)",
+				   src_ts, dst_ts, policy_dir_names, direction,
+				   mark.value, mark.mask);
 
 	/* create a policy */
 	memset(&policy, 0, sizeof(policy_entry_t));
@@ -2475,11 +2397,11 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	/* find the policy */
 	this->mutex->lock(this->mutex);
 	current = this->policies->get(this->policies, &policy);
-	if (!current)
+	if (!current || current->reqid != reqid)
 	{
 		if (mark.value)
 		{
-			DBG1(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%8x) "
+			DBG1(DBG_KNL, "deleting policy %R === %R %N  (mark %u/0x%08x) "
 						  "failed, not found", src_ts, dst_ts, policy_dir_names,
 						   direction, mark.value, mark.mask);
 		}
@@ -2498,8 +2420,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 		enumerator = current->used_by->create_enumerator(current->used_by);
 		while (enumerator->enumerate(enumerator, (void**)&mapping))
 		{
-			if (reqid == mapping->sa->cfg.reqid &&
-				priority == mapping->priority)
+			if (priority == mapping->priority)
 			{
 				current->used_by->remove_at(current->used_by, enumerator);
 				policy_sa_destroy(mapping, &direction, this);
@@ -2525,17 +2446,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 			return SUCCESS;
 		}
 
-		if (mark.value)
-		{
-			DBG2(DBG_KNL, "updating policy %R === %R %N  (mark %u/0x%8x)",
-						   src_ts, dst_ts, policy_dir_names, direction,
-						   mark.value, mark.mask);
-		}
-		else
-		{
-			DBG2(DBG_KNL, "updating policy %R === %R %N",
-						   src_ts, dst_ts, policy_dir_names, direction);
-		}
+		DBG2(DBG_KNL, "updating policy %R === %R %N  (mark %u/0x%08x)",
+					   src_ts, dst_ts, policy_dir_names, direction,
+					   mark.value, mark.mask);
 
 		current->used_by->get_first(current->used_by, (void**)&mapping);
 		if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS)
@@ -2558,23 +2471,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	policy_id->sel = current->sel;
 	policy_id->dir = direction;
 
-	if (mark.value)
+	if (!add_mark(hdr, sizeof(request), mark))
 	{
-		struct xfrm_mark *mrk;
-		struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
-
-		rthdr->rta_type = XFRMA_MARK;
-		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
-		hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			this->mutex->unlock(this->mutex);
-			return FAILED;
-		}
-
-		mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
-		mrk->v = mark.value;
-		mrk->m = mark.mask;
+		return FAILED;
 	}
 
 	if (current->route)
@@ -2599,7 +2498,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 		if (mark.value)
 		{
 			DBG1(DBG_KNL, "unable to delete policy %R === %R %N  "
-						  "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
+						  "(mark %u/0x%08x)", src_ts, dst_ts, policy_dir_names,
 						   direction, mark.value, mark.mask);
 		}
 		else
@@ -2680,18 +2579,28 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
 	return TRUE;
 }
 
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+	private_kernel_netlink_ipsec_t *this, int fd, int family, u_int16_t port)
+{
+	int type = UDP_ENCAP_ESPINUDP;
+
+	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+	{
+		DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
 METHOD(kernel_ipsec_t, destroy, void,
 	private_kernel_netlink_ipsec_t *this)
 {
 	enumerator_t *enumerator;
 	policy_entry_t *policy;
 
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
 	if (this->socket_xfrm_events > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
 		close(this->socket_xfrm_events);
 	}
 	DESTROY_IF(this->socket_xfrm);
@@ -2713,12 +2622,13 @@ METHOD(kernel_ipsec_t, destroy, void,
 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 {
 	private_kernel_netlink_ipsec_t *this;
-	struct sockaddr_nl addr;
+	bool register_for_events = TRUE;
 	int fd;
 
 	INIT(this,
 		.public = {
 			.interface = {
+				.get_features = _get_features,
 				.get_spi = _get_spi,
 				.get_cpi = _get_cpi,
 				.add_sa  = _add_sa,
@@ -2731,6 +2641,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 				.del_policy = _del_policy,
 				.flush_policies = _flush_policies,
 				.bypass_socket = _bypass_socket,
+				.enable_udp_decap = _enable_udp_decap,
 				.destroy = _destroy,
 			},
 		},
@@ -2749,16 +2660,14 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
 													(sizeof(u_int32_t) * 8);
 
-	if (streq(hydra->daemon, "pluto"))
-	{	/* no routes for pluto, they are installed via updown script */
-		this->install_routes = FALSE;
-		/* no policy history for pluto */
-		this->policy_history = FALSE;
+	if (streq(hydra->daemon, "starter"))
+	{	/* starter has no threads, so we do not register for kernel events */
+		register_for_events = FALSE;
 	}
 
 	/* disable lifetimes for allocated SPIs in kernel */
 	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
-	if (fd)
+	if (fd > 0)
 	{
 		ignore_result(write(fd, "165", 3));
 		close(fd);
@@ -2771,29 +2680,32 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		return NULL;
 	}
 
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
-	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
-	if (this->socket_xfrm_events <= 0)
-	{
-		DBG1(DBG_KNL, "unable to create XFRM event socket");
-		destroy(this);
-		return NULL;
-	}
-	addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
-					 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
-	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
+	if (register_for_events)
 	{
-		DBG1(DBG_KNL, "unable to bind XFRM event socket");
-		destroy(this);
-		return NULL;
+		struct sockaddr_nl addr;
+
+		memset(&addr, 0, sizeof(addr));
+		addr.nl_family = AF_NETLINK;
+
+		/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
+		this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+		if (this->socket_xfrm_events <= 0)
+		{
+			DBG1(DBG_KNL, "unable to create XFRM event socket");
+			destroy(this);
+			return NULL;
+		}
+		addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
+						 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
+		if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
+		{
+			DBG1(DBG_KNL, "unable to bind XFRM event socket");
+			destroy(this);
+			return NULL;
+		}
+		lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
 	}
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index cce0ff402..e129ab131 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -38,6 +38,7 @@
  */
 
 #include <sys/socket.h>
+#include <sys/utsname.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
 #include <unistd.h>
@@ -48,34 +49,50 @@
 #include "kernel_netlink_shared.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <threading/thread.h>
-#include <threading/condvar.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+#include <threading/rwlock_condvar.h>
+#include <threading/spinlock.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 /** delay before firing roam events (ms) */
 #define ROAM_DELAY 100
 
+/** delay before reinstalling routes (ms) */
+#define ROUTE_DELAY 100
+
+/** maximum recursion when searching for addresses in get_route() */
+#define MAX_ROUTE_RECURSION 2
+
+#ifndef ROUTING_TABLE
+#define ROUTING_TABLE 0
+#endif
+
+#ifndef ROUTING_TABLE_PRIO
+#define ROUTING_TABLE_PRIO 0
+#endif
+
 typedef struct addr_entry_t addr_entry_t;
 
 /**
- * IP address in an inface_entry_t
+ * IP address in an iface_entry_t
  */
 struct addr_entry_t {
 
-	/** The ip address */
+	/** the ip address */
 	host_t *ip;
 
-	/** virtual IP managed by us */
-	bool virtual;
-
 	/** scope of the address */
 	u_char scope;
 
-	/** Number of times this IP is used, if virtual */
+	/** number of times this IP is used, if virtual (i.e. managed by us) */
 	u_int refcount;
+
+	/** TRUE once it is installed, if virtual */
+	bool installed;
 };
 
 /**
@@ -105,6 +122,9 @@ struct iface_entry_t {
 
 	/** list of addresses as host_t */
 	linked_list_t *addrs;
+
+	/** TRUE if usable by config */
+	bool usable;
 };
 
 /**
@@ -116,6 +136,212 @@ static void iface_entry_destroy(iface_entry_t *this)
 	free(this);
 }
 
+/**
+ * find an interface entry by index
+ */
+static bool iface_entry_by_index(iface_entry_t *this, int *ifindex)
+{
+	return this->ifindex == *ifindex;
+}
+
+/**
+ * find an interface entry by name
+ */
+static bool iface_entry_by_name(iface_entry_t *this, char *ifname)
+{
+	return streq(this->ifname, ifname);
+}
+
+/**
+ * check if an interface is up
+ */
+static inline bool iface_entry_up(iface_entry_t *iface)
+{
+	return (iface->flags & IFF_UP) == IFF_UP;
+}
+
+/**
+ * check if an interface is up and usable
+ */
+static inline bool iface_entry_up_and_usable(iface_entry_t *iface)
+{
+	return iface->usable && iface_entry_up(iface);
+}
+
+typedef struct addr_map_entry_t addr_map_entry_t;
+
+/**
+ * Entry that maps an IP address to an interface entry
+ */
+struct addr_map_entry_t {
+	/** The IP address */
+	host_t *ip;
+
+	/** The address entry for this IP address */
+	addr_entry_t *addr;
+
+	/** The interface this address is installed on */
+	iface_entry_t *iface;
+};
+
+/**
+ * Hash a addr_map_entry_t object, all entries with the same IP address
+ * are stored in the same bucket
+ */
+static u_int addr_map_entry_hash(addr_map_entry_t *this)
+{
+	return chunk_hash(this->ip->get_address(this->ip));
+}
+
+/**
+ * Compare two addr_map_entry_t objects, two entries are equal if they are
+ * installed on the same interface
+ */
+static bool addr_map_entry_equals(addr_map_entry_t *a, addr_map_entry_t *b)
+{
+	return a->iface->ifindex == b->iface->ifindex &&
+		   a->ip->ip_equals(a->ip, b->ip);
+}
+
+/**
+ * Used with get_match this finds an address entry if it is installed on
+ * an up and usable interface
+ */
+static bool addr_map_entry_match_up_and_usable(addr_map_entry_t *a,
+											   addr_map_entry_t *b)
+{
+	return iface_entry_up_and_usable(b->iface) &&
+		   a->ip->ip_equals(a->ip, b->ip);
+}
+
+/**
+ * Used with get_match this finds an address entry if it is installed on
+ * any active local interface
+ */
+static bool addr_map_entry_match_up(addr_map_entry_t *a, addr_map_entry_t *b)
+{
+	return iface_entry_up(b->iface) && a->ip->ip_equals(a->ip, b->ip);
+}
+
+/**
+ * Used with get_match this finds an address entry if it is installed on
+ * any local interface
+ */
+static bool addr_map_entry_match(addr_map_entry_t *a, addr_map_entry_t *b)
+{
+	return a->ip->ip_equals(a->ip, b->ip);
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * Installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Source ip of the route */
+	host_t *src_ip;
+
+	/** Gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * Clone a route_entry_t object.
+ */
+static route_entry_t *route_entry_clone(route_entry_t *this)
+{
+	route_entry_t *route;
+
+	INIT(route,
+		.if_name = strdup(this->if_name),
+		.src_ip = this->src_ip->clone(this->src_ip),
+		.gateway = this->gateway ? this->gateway->clone(this->gateway) : NULL,
+		.dst_net = chunk_clone(this->dst_net),
+		.prefixlen = this->prefixlen,
+	);
+	return route;
+}
+
+/**
+ * Destroy a route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	DESTROY_IF(this->src_ip);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+/**
+ * Hash a route_entry_t object
+ */
+static u_int route_entry_hash(route_entry_t *this)
+{
+	return chunk_hash_inc(chunk_from_thing(this->prefixlen),
+						  chunk_hash(this->dst_net));
+}
+
+/**
+ * Compare two route_entry_t objects
+ */
+static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
+{
+	if (a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+		a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+		chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen)
+	{
+		return (!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+					a->gateway->ip_equals(a->gateway, b->gateway));
+	}
+	return FALSE;
+}
+
+typedef struct net_change_t net_change_t;
+
+/**
+ * Queued network changes
+ */
+struct net_change_t {
+	/** Name of the interface that got activated (or an IP appeared on) */
+	char *if_name;
+};
+
+/**
+ * Destroy a net_change_t object
+ */
+static void net_change_destroy(net_change_t *this)
+{
+	free(this->if_name);
+	free(this);
+}
+
+/**
+ * Hash a net_change_t object
+ */
+static u_int net_change_hash(net_change_t *this)
+{
+	return chunk_hash(chunk_create(this->if_name, strlen(this->if_name)));
+}
+
+/**
+ * Compare two net_change_t objects
+ */
+static bool net_change_equals(net_change_t *a, net_change_t *b)
+{
+	return streq(a->if_name, b->if_name);
+}
+
 typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
 
 /**
@@ -128,14 +354,14 @@ struct private_kernel_netlink_net_t {
 	kernel_netlink_net_t public;
 
 	/**
-	 * mutex to lock access to various lists
+	 * lock to access various lists and maps
 	 */
-	mutex_t *mutex;
+	rwlock_t *lock;
 
 	/**
 	 * condition variable to signal virtual IP add/removal
 	 */
-	condvar_t *condvar;
+	rwlock_condvar_t *condvar;
 
 	/**
 	 * Cached list of interfaces and its addresses (iface_entry_t)
@@ -143,9 +369,14 @@ struct private_kernel_netlink_net_t {
 	linked_list_t *ifaces;
 
 	/**
-	 * job receiving netlink events
+	 * Map for IP addresses to iface_entry_t objects (addr_map_entry_t)
+	 */
+	hashtable_t *addrs;
+
+	/**
+	 * Map for virtual IP addresses to iface_entry_t objects (addr_map_entry_t)
 	 */
-	callback_job_t *job;
+	hashtable_t *vips;
 
 	/**
 	 * netlink rt socket (routing)
@@ -158,9 +389,14 @@ struct private_kernel_netlink_net_t {
 	int socket_events;
 
 	/**
-	 * time of the last roam event
+	 * earliest time of the next roam event
 	 */
-	timeval_t last_roam;
+	timeval_t next_roam;
+
+	/**
+	 * lock to check and update roam event time
+	 */
+	spinlock_t *roam_lock;
 
 	/**
 	 * routing table to install routes
@@ -173,89 +409,288 @@ struct private_kernel_netlink_net_t {
 	int routing_table_prio;
 
 	/**
+	 * installed routes
+	 */
+	hashtable_t *routes;
+
+	/**
+	 * mutex for routes
+	 */
+	mutex_t *routes_lock;
+
+	/**
+	 * interface changes which may trigger route reinstallation
+	 */
+	hashtable_t *net_changes;
+
+	/**
+	 * mutex for route reinstallation triggers
+	 */
+	mutex_t *net_changes_lock;
+
+	/**
+	 * time of last route reinstallation
+	 */
+	timeval_t last_route_reinstall;
+
+	/**
 	 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
 	 */
 	bool process_route;
 
 	/**
+	 * whether to trigger roam events
+	 */
+	bool roam_events;
+
+	/**
 	 * whether to actually install virtual IPs
 	 */
 	bool install_virtual_ip;
 
 	/**
+	 * the name of the interface virtual IP addresses are installed on
+	 */
+	char *install_virtual_ip_on;
+
+	/**
+	 * whether preferred source addresses can be specified for IPv6 routes
+	 */
+	bool rta_prefsrc_for_ipv6;
+
+	/**
 	 * list with routing tables to be excluded from route lookup
 	 */
 	linked_list_t *rt_exclude;
 };
 
 /**
- * get the refcount of a virtual ip
+ * Forward declaration
  */
-static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
+static status_t manage_srcroute(private_kernel_netlink_net_t *this,
+								int nlmsg_type, int flags, chunk_t dst_net,
+								u_int8_t prefixlen, host_t *gateway,
+								host_t *src_ip, char *if_name);
+
+/**
+ * Clear the queued network changes.
+ */
+static void net_changes_clear(private_kernel_netlink_net_t *this)
 {
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	int refcount = 0;
+	enumerator_t *enumerator;
+	net_change_t *change;
 
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, (void**)&iface))
+	enumerator = this->net_changes->create_enumerator(this->net_changes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&change))
 	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, (void**)&addr))
-		{
-			if (addr->virtual && (iface->flags & IFF_UP) &&
-				ip->ip_equals(ip, addr->ip))
+		this->net_changes->remove_at(this->net_changes, enumerator);
+		net_change_destroy(change);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Act upon queued network changes.
+ */
+static job_requeue_t reinstall_routes(private_kernel_netlink_net_t *this)
+{
+	enumerator_t *enumerator;
+	route_entry_t *route;
+
+	this->net_changes_lock->lock(this->net_changes_lock);
+	this->routes_lock->lock(this->routes_lock);
+
+	enumerator = this->routes->create_enumerator(this->routes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&route))
+	{
+		net_change_t *change, lookup = {
+			.if_name = route->if_name,
+		};
+		/* check if a change for the outgoing interface is queued */
+		change = this->net_changes->get(this->net_changes, &lookup);
+		if (!change)
+		{	/* in case src_ip is not on the outgoing interface */
+			if (this->public.interface.get_interface(&this->public.interface,
+												route->src_ip, &lookup.if_name))
 			{
-				refcount = addr->refcount;
-				break;
+				if (!streq(lookup.if_name, route->if_name))
+				{
+					change = this->net_changes->get(this->net_changes, &lookup);
+				}
+				free(lookup.if_name);
 			}
 		}
-		addrs->destroy(addrs);
-		if (refcount)
+		if (change)
 		{
-			break;
+			manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
+							route->dst_net, route->prefixlen, route->gateway,
+							route->src_ip, route->if_name);
 		}
 	}
-	ifaces->destroy(ifaces);
+	enumerator->destroy(enumerator);
+	this->routes_lock->unlock(this->routes_lock);
 
-	return refcount;
+	net_changes_clear(this);
+	this->net_changes_lock->unlock(this->net_changes_lock);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Queue route reinstallation caused by network changes for a given interface.
+ *
+ * The route reinstallation is delayed for a while and only done once for
+ * several calls during this delay, in order to avoid doing it too often.
+ * The interface name is freed.
+ */
+static void queue_route_reinstall(private_kernel_netlink_net_t *this,
+								  char *if_name)
+{
+	net_change_t *update, *found;
+	timeval_t now;
+	job_t *job;
+
+	INIT(update,
+		.if_name = if_name
+	);
+
+	this->net_changes_lock->lock(this->net_changes_lock);
+	found = this->net_changes->put(this->net_changes, update, update);
+	if (found)
+	{
+		net_change_destroy(found);
+	}
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_route_reinstall, >))
+	{
+		timeval_add_ms(&now, ROUTE_DELAY);
+		this->last_route_reinstall = now;
+
+		job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
+										  this, NULL, NULL);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROUTE_DELAY);
+	}
+	this->net_changes_lock->unlock(this->net_changes_lock);
+}
+
+/**
+ * check if the given IP is known as virtual IP and currently installed
+ *
+ * this function will also return TRUE if the virtual IP entry disappeared.
+ * in that case the returned entry will be NULL.
+ *
+ * this->lock must be held when calling this function
+ */
+static bool is_vip_installed_or_gone(private_kernel_netlink_net_t *this,
+									 host_t *ip, addr_map_entry_t **entry)
+{
+	addr_map_entry_t lookup = {
+		.ip = ip,
+	};
+
+	*entry = this->vips->get_match(this->vips, &lookup,
+								  (void*)addr_map_entry_match);
+	if (*entry == NULL)
+	{	/* the virtual IP disappeared */
+		return TRUE;
+	}
+	return (*entry)->addr->installed;
+}
+
+/**
+ * check if the given IP is known as virtual IP
+ *
+ * this->lock must be held when calling this function
+ */
+static bool is_known_vip(private_kernel_netlink_net_t *this, host_t *ip)
+{
+	addr_map_entry_t lookup = {
+		.ip = ip,
+	};
+
+	return this->vips->get_match(this->vips, &lookup,
+								(void*)addr_map_entry_match) != NULL;
+}
+
+/**
+ * Add an address map entry
+ */
+static void addr_map_entry_add(hashtable_t *map, addr_entry_t *addr,
+							   iface_entry_t *iface)
+{
+	addr_map_entry_t *entry;
+
+	INIT(entry,
+		.ip = addr->ip,
+		.addr = addr,
+		.iface = iface,
+	);
+	entry = map->put(map, entry, entry);
+	free(entry);
+}
+
+/**
+ * Remove an address map entry
+ */
+static void addr_map_entry_remove(hashtable_t *map, addr_entry_t *addr,
+								  iface_entry_t *iface)
+{
+	addr_map_entry_t *entry, lookup = {
+		.ip = addr->ip,
+		.addr = addr,
+		.iface = iface,
+	};
+
+	entry = map->remove(map, &lookup);
+	free(entry);
 }
 
 /**
  * get the first non-virtual ip address on the given interface.
+ * if a candidate address is given, we first search for that address and if not
+ * found return the address as above.
  * returned host is a clone, has to be freed by caller.
+ *
+ * this->lock must be held when calling this function
  */
 static host_t *get_interface_address(private_kernel_netlink_net_t *this,
-									 int ifindex, int family)
+									 int ifindex, int family, host_t *candidate)
 {
-	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
+	enumerator_t *addrs;
 	addr_entry_t *addr;
 	host_t *ip = NULL;
 
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
+	if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
+								 (void**)&iface, &ifindex) == SUCCESS)
 	{
-		if (iface->ifindex == ifindex)
-		{
+		if (iface->usable)
+		{	/* only use interfaces not excluded by config */
 			addrs = iface->addrs->create_enumerator(iface->addrs);
 			while (addrs->enumerate(addrs, &addr))
 			{
-				if (!addr->virtual && addr->ip->get_family(addr->ip) == family)
+				if (addr->refcount)
+				{	/* ignore virtual IP addresses */
+					continue;
+				}
+				if (addr->ip->get_family(addr->ip) == family)
 				{
-					ip = addr->ip->clone(addr->ip);
-					break;
+					if (!candidate || candidate->ip_equals(candidate, addr->ip))
+					{	/* stop at the first address if we don't search for a
+						 * candidate or if the candidate matches */
+						ip = addr->ip;
+						break;
+					}
+					else if (!ip)
+					{	/* store the first address as fallback if candidate is
+						 * not found */
+						ip = addr->ip;
+					}
 				}
 			}
 			addrs->destroy(addrs);
-			break;
 		}
 	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-	return ip;
+	return ip ? ip->clone(ip) : NULL;
 }
 
 /**
@@ -276,22 +711,61 @@ static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
 	timeval_t now;
 	job_t *job;
 
+	if (!this->roam_events)
+	{
+		return;
+	}
+
 	time_monotonic(&now);
-	if (timercmp(&now, &this->last_roam, >))
+	this->roam_lock->lock(this->roam_lock);
+	if (!timercmp(&now, &this->next_roam, >))
 	{
-		now.tv_usec += ROAM_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
-		this->last_roam = now;
+		this->roam_lock->unlock(this->roam_lock);
+		return;
+	}
+	timeval_add_ms(&now, ROAM_DELAY);
+	this->next_roam = now;
+	this->roam_lock->unlock(this->roam_lock);
+
+	job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
+									  (void*)(uintptr_t)(address ? 1 : 0),
+									   NULL, NULL);
+	lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
+}
+
+/**
+ * check if an interface with a given index is up and usable
+ *
+ * this->lock must be locked when calling this function
+ */
+static bool is_interface_up_and_usable(private_kernel_netlink_net_t *this,
+									   int index)
+{
+	iface_entry_t *iface;
+
+	if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
+								 (void**)&iface, &index) == SUCCESS)
+	{
+		return iface_entry_up_and_usable(iface);
+	}
+	return FALSE;
+}
 
-		job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
-										  (void*)(uintptr_t)(address ? 1 : 0),
-										  NULL, NULL);
-		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
+/**
+ * unregister the current addr_entry_t from the hashtable it is stored in
+ *
+ * this->lock must be locked when calling this function
+ */
+static void addr_entry_unregister(addr_entry_t *addr, iface_entry_t *iface,
+								  private_kernel_netlink_net_t *this)
+{
+	if (addr->refcount)
+	{
+		addr_map_entry_remove(this->vips, addr, iface);
+		this->condvar->broadcast(this->condvar);
+		return;
 	}
+	addr_map_entry_remove(this->addrs, addr, iface);
 }
 
 /**
@@ -306,9 +780,9 @@ static void process_link(private_kernel_netlink_net_t *this,
 	enumerator_t *enumerator;
 	iface_entry_t *current, *entry = NULL;
 	char *name = NULL;
-	bool update = FALSE;
+	bool update = FALSE, update_routes = FALSE;
 
-	while(RTA_OK(rta, rtasize))
+	while (RTA_OK(rta, rtasize))
 	{
 		switch (rta->rta_type)
 		{
@@ -323,40 +797,30 @@ static void process_link(private_kernel_netlink_net_t *this,
 		name = "(unknown)";
 	}
 
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	switch (hdr->nlmsg_type)
 	{
 		case RTM_NEWLINK:
 		{
-			if (msg->ifi_flags & IFF_LOOPBACK)
-			{	/* ignore loopback interfaces */
-				break;
-			}
-			enumerator = this->ifaces->create_enumerator(this->ifaces);
-			while (enumerator->enumerate(enumerator, &current))
+			if (this->ifaces->find_first(this->ifaces,
+									(void*)iface_entry_by_index, (void**)&entry,
+									&msg->ifi_index) != SUCCESS)
 			{
-				if (current->ifindex == msg->ifi_index)
-				{
-					entry = current;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-			if (!entry)
-			{
-				entry = malloc_thing(iface_entry_t);
-				entry->ifindex = msg->ifi_index;
-				entry->flags = 0;
-				entry->addrs = linked_list_create();
+				INIT(entry,
+					.ifindex = msg->ifi_index,
+					.addrs = linked_list_create(),
+					.usable = hydra->kernel_interface->is_interface_usable(
+												hydra->kernel_interface, name),
+				);
 				this->ifaces->insert_last(this->ifaces, entry);
 			}
 			strncpy(entry->ifname, name, IFNAMSIZ);
 			entry->ifname[IFNAMSIZ-1] = '\0';
-			if (event)
+			if (event && entry->usable)
 			{
 				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
 				{
-					update = TRUE;
+					update = update_routes = TRUE;
 					DBG1(DBG_KNL, "interface %s activated", name);
 				}
 				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
@@ -375,12 +839,16 @@ static void process_link(private_kernel_netlink_net_t *this,
 			{
 				if (current->ifindex == msg->ifi_index)
 				{
-					if (event)
+					if (event && current->usable)
 					{
 						update = TRUE;
 						DBG1(DBG_KNL, "interface %s deleted", current->ifname);
 					}
+					/* TODO: move virtual IPs installed on this interface to
+					 * another interface? */
 					this->ifaces->remove_at(this->ifaces, enumerator);
+					current->addrs->invoke_function(current->addrs,
+								(void*)addr_entry_unregister, current, this);
 					iface_entry_destroy(current);
 					break;
 				}
@@ -389,9 +857,13 @@ static void process_link(private_kernel_netlink_net_t *this,
 			break;
 		}
 	}
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
+
+	if (update_routes && event)
+	{
+		queue_route_reinstall(this, strdup(name));
+	}
 
-	/* send an update to all IKE_SAs */
 	if (update && event)
 	{
 		fire_roam_event(this, TRUE);
@@ -408,13 +880,12 @@ static void process_addr(private_kernel_netlink_net_t *this,
 	struct rtattr *rta = IFA_RTA(msg);
 	size_t rtasize = IFA_PAYLOAD (hdr);
 	host_t *host = NULL;
-	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
-	addr_entry_t *addr;
 	chunk_t local = chunk_empty, address = chunk_empty;
+	char *route_ifname = NULL;
 	bool update = FALSE, found = FALSE, changed = FALSE;
 
-	while(RTA_OK(rta, rtasize))
+	while (RTA_OK(rta, rtasize))
 	{
 		switch (rta->rta_type)
 		{
@@ -447,65 +918,92 @@ static void process_addr(private_kernel_netlink_net_t *this,
 		return;
 	}
 
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
+	this->lock->write_lock(this->lock);
+	if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
+								 (void**)&iface, &msg->ifa_index) == SUCCESS)
 	{
-		if (iface->ifindex == msg->ifa_index)
+		addr_map_entry_t *entry, lookup = {
+			.ip = host,
+			.iface = iface,
+		};
+		addr_entry_t *addr;
+
+		entry = this->vips->get(this->vips, &lookup);
+		if (entry)
 		{
-			addrs = iface->addrs->create_enumerator(iface->addrs);
-			while (addrs->enumerate(addrs, &addr))
+			if (hdr->nlmsg_type == RTM_NEWADDR)
+			{	/* mark as installed and signal waiting threads */
+				entry->addr->installed = TRUE;
+			}
+			else
+			{	/* the address was already marked as uninstalled */
+				addr = entry->addr;
+				iface->addrs->remove(iface->addrs, addr, NULL);
+				addr_map_entry_remove(this->vips, addr, iface);
+				addr_entry_destroy(addr);
+			}
+			/* no roam events etc. for virtual IPs */
+			this->condvar->broadcast(this->condvar);
+			this->lock->unlock(this->lock);
+			host->destroy(host);
+			return;
+		}
+		entry = this->addrs->get(this->addrs, &lookup);
+		if (entry)
+		{
+			if (hdr->nlmsg_type == RTM_DELADDR)
 			{
-				if (host->ip_equals(host, addr->ip))
+				found = TRUE;
+				addr = entry->addr;
+				iface->addrs->remove(iface->addrs, addr, NULL);
+				if (iface->usable)
 				{
-					found = TRUE;
-					if (hdr->nlmsg_type == RTM_DELADDR)
-					{
-						iface->addrs->remove_at(iface->addrs, addrs);
-						if (!addr->virtual)
-						{
-							changed = TRUE;
-							DBG1(DBG_KNL, "%H disappeared from %s",
-								 host, iface->ifname);
-						}
-						addr_entry_destroy(addr);
-					}
-					else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
+					changed = TRUE;
+					DBG1(DBG_KNL, "%H disappeared from %s", host,
+						 iface->ifname);
 				}
+				addr_map_entry_remove(this->addrs, addr, iface);
+				addr_entry_destroy(addr);
 			}
-			addrs->destroy(addrs);
-
+		}
+		else
+		{
 			if (hdr->nlmsg_type == RTM_NEWADDR)
 			{
-				if (!found)
+				found = TRUE;
+				changed = TRUE;
+				route_ifname = strdup(iface->ifname);
+				INIT(addr,
+					.ip = host->clone(host),
+					.scope = msg->ifa_scope,
+				);
+				iface->addrs->insert_last(iface->addrs, addr);
+				addr_map_entry_add(this->addrs, addr, iface);
+				if (event && iface->usable)
 				{
-					found = TRUE;
-					changed = TRUE;
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host->clone(host);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
-					addr->scope = msg->ifa_scope;
-
-					iface->addrs->insert_last(iface->addrs, addr);
-					if (event)
-					{
-						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
-					}
+					DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
 				}
 			}
-			if (found && (iface->flags & IFF_UP))
-			{
-				update = TRUE;
-			}
-			break;
+		}
+		if (found && (iface->flags & IFF_UP))
+		{
+			update = TRUE;
+		}
+		if (!iface->usable)
+		{	/* ignore events for interfaces excluded by config */
+			update = changed = FALSE;
 		}
 	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
+
+	if (update && event && route_ifname)
+	{
+		queue_route_reinstall(this, route_ifname);
+	}
+	else
+	{
+		free(route_ifname);
+	}
 	host->destroy(host);
 
 	/* send an update to all IKE_SAs */
@@ -532,6 +1030,10 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
 	{
 		return;
 	}
+	else if (msg->rtm_flags & RTM_F_CLONED)
+	{	/* ignore cached routes, seem to be created a lot for IPv6 */
+		return;
+	}
 
 	while (RTA_OK(rta, rtasize))
 	{
@@ -551,59 +1053,62 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
 		}
 		rta = RTA_NEXT(rta, rtasize);
 	}
+	this->lock->read_lock(this->lock);
+	if (rta_oif && !is_interface_up_and_usable(this, rta_oif))
+	{	/* ignore route changes for interfaces that are ignored or down */
+		this->lock->unlock(this->lock);
+		DESTROY_IF(host);
+		return;
+	}
 	if (!host && rta_oif)
 	{
-		host = get_interface_address(this, rta_oif, msg->rtm_family);
+		host = get_interface_address(this, rta_oif, msg->rtm_family, NULL);
 	}
-	if (host)
-	{
-		this->mutex->lock(this->mutex);
-		if (!get_vip_refcount(this, host))
-		{	/* ignore routes added for virtual IPs */
-			fire_roam_event(this, FALSE);
-		}
-		this->mutex->unlock(this->mutex);
-		host->destroy(host);
+	if (!host || is_known_vip(this, host))
+	{	/* ignore routes added for virtual IPs */
+		this->lock->unlock(this->lock);
+		DESTROY_IF(host);
+		return;
 	}
+	this->lock->unlock(this->lock);
+	fire_roam_event(this, FALSE);
+	host->destroy(host);
 }
 
 /**
  * Receives events from kernel
  */
-static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
+static bool receive_events(private_kernel_netlink_net_t *this, int fd,
+						   watcher_event_t event)
 {
 	char response[1024];
 	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 	struct sockaddr_nl addr;
 	socklen_t addr_len = sizeof(addr);
 	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, response, sizeof(response), 0,
-				   (struct sockaddr*)&addr, &addr_len);
-	thread_cancelability(oldstate);
 
+	len = recvfrom(this->socket_events, response, sizeof(response),
+				   MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
 				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			case EAGAIN:
 				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from rt event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
 	if (addr.nl_pid != 0)
 	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 
 	while (NLMSG_OK(hdr, len))
@@ -614,12 +1119,10 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
 			case RTM_NEWADDR:
 			case RTM_DELADDR:
 				process_addr(this, hdr, TRUE);
-				this->condvar->broadcast(this->condvar);
 				break;
 			case RTM_NEWLINK:
 			case RTM_DELLINK:
 				process_link(this, hdr, TRUE);
-				this->condvar->broadcast(this->condvar);
 				break;
 			case RTM_NEWROUTE:
 			case RTM_DELROUTE:
@@ -633,16 +1136,14 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
 		}
 		hdr = NLMSG_NEXT(hdr, len);
 	}
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 /** enumerator over addresses */
 typedef struct {
 	private_kernel_netlink_net_t* this;
-	/** whether to enumerate down interfaces */
-	bool include_down_ifaces;
-	/** whether to enumerate virtual ip addresses */
-	bool include_virtual_ips;
+	/** which addresses to enumerate */
+	kernel_address_type_t which;
 } address_enumerator_t;
 
 /**
@@ -650,7 +1151,7 @@ typedef struct {
  */
 static void address_enumerator_destroy(address_enumerator_t *data)
 {
-	data->this->mutex->unlock(data->this->mutex);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -660,10 +1161,14 @@ static void address_enumerator_destroy(address_enumerator_t *data)
 static bool filter_addresses(address_enumerator_t *data,
 							 addr_entry_t** in, host_t** out)
 {
-	if (!data->include_virtual_ips && (*in)->virtual)
+	if (!(data->which & ADDR_TYPE_VIRTUAL) && (*in)->refcount)
 	{	/* skip virtual interfaces added by us */
 		return FALSE;
 	}
+	if (!(data->which & ADDR_TYPE_REGULAR) && !(*in)->refcount)
+	{	/* address is regular, but not requested */
+		return FALSE;
+	}
 	if ((*in)->scope >= RT_SCOPE_LINK)
 	{	/* skip addresses with a unusable scope */
 		return FALSE;
@@ -689,7 +1194,15 @@ static enumerator_t *create_iface_enumerator(iface_entry_t *iface,
 static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
 							  iface_entry_t** out)
 {
-	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+	if (!(data->which & ADDR_TYPE_IGNORED) && !(*in)->usable)
+	{	/* skip interfaces excluded by config */
+		return FALSE;
+	}
+	if (!(data->which & ADDR_TYPE_LOOPBACK) && ((*in)->flags & IFF_LOOPBACK))
+	{	/* ignore loopback devices */
+		return FALSE;
+	}
+	if (!(data->which & ADDR_TYPE_DOWN) && !((*in)->flags & IFF_UP))
 	{	/* skip interfaces not up */
 		return FALSE;
 	}
@@ -698,15 +1211,16 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
 }
 
 METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
-	private_kernel_netlink_net_t *this,
-	bool include_down_ifaces, bool include_virtual_ips)
+	private_kernel_netlink_net_t *this, kernel_address_type_t which)
 {
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->include_down_ifaces = include_down_ifaces;
-	data->include_virtual_ips = include_virtual_ips;
+	address_enumerator_t *data;
+
+	INIT(data,
+		.this = this,
+		.which = which,
+	);
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(
 				enumerator_create_filter(
 					this->ifaces->create_enumerator(this->ifaces),
@@ -715,47 +1229,53 @@ METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
 				(void*)address_enumerator_destroy);
 }
 
-METHOD(kernel_net_t, get_interface_name, char*,
-	private_kernel_netlink_net_t *this, host_t* ip)
+METHOD(kernel_net_t, get_interface_name, bool,
+	private_kernel_netlink_net_t *this, host_t* ip, char **name)
 {
-	enumerator_t *ifaces, *addrs;
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	char *name = NULL;
-
-	DBG2(DBG_KNL, "getting interface name for %H", ip);
+	addr_map_entry_t *entry, lookup = {
+		.ip = ip,
+	};
 
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
+	if (ip->is_anyaddr(ip))
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	/* first try to find it on an up and usable interface */
+	entry = this->addrs->get_match(this->addrs, &lookup,
+								  (void*)addr_map_entry_match_up_and_usable);
+	if (entry)
 	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (ip->ip_equals(ip, addr->ip))
-			{
-				name = strdup(iface->ifname);
-				break;
-			}
-		}
-		addrs->destroy(addrs);
 		if (name)
 		{
-			break;
+			*name = strdup(entry->iface->ifname);
+			DBG2(DBG_KNL, "%H is on interface %s", ip, *name);
 		}
+		this->lock->unlock(this->lock);
+		return TRUE;
 	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	if (name)
+	/* in a second step, consider virtual IPs installed by us */
+	entry = this->vips->get_match(this->vips, &lookup,
+								  (void*)addr_map_entry_match_up_and_usable);
+	if (entry)
 	{
-		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+		if (name)
+		{
+			*name = strdup(entry->iface->ifname);
+			DBG2(DBG_KNL, "virtual IP %H is on interface %s", ip, *name);
+		}
+		this->lock->unlock(this->lock);
+		return TRUE;
 	}
-	else
+	/* maybe it is installed on an ignored interface */
+	entry = this->addrs->get_match(this->addrs, &lookup,
+								  (void*)addr_map_entry_match_up);
+	if (!entry)
 	{
-		DBG2(DBG_KNL, "%H is not a local address", ip);
+		DBG2(DBG_KNL, "%H is not a local address or the interface is down", ip);
 	}
-	return name;
+	this->lock->unlock(this->lock);
+	return FALSE;
 }
 
 /**
@@ -763,24 +1283,18 @@ METHOD(kernel_net_t, get_interface_name, char*,
  */
 static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
 {
-	enumerator_t *ifaces;
 	iface_entry_t *iface;
 	int ifindex = 0;
 
 	DBG2(DBG_KNL, "getting iface index for %s", name);
 
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
+	this->lock->read_lock(this->lock);
+	if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
+								(void**)&iface, name) == SUCCESS)
 	{
-		if (streq(name, iface->ifname))
-		{
-			ifindex = iface->ifindex;
-			break;
-		}
+		ifindex = iface->ifindex;
 	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 
 	if (ifindex == 0)
 	{
@@ -790,29 +1304,6 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
 }
 
 /**
- * Check if an interface with a given index is up
- */
-static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
-{
-	enumerator_t *ifaces;
-	iface_entry_t *iface;
-	/* default to TRUE for interface we do not monitor (e.g. lo) */
-	bool up = TRUE;
-
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		if (iface->ifindex == index)
-		{
-			up = iface->flags & IFF_UP;
-			break;
-		}
-	}
-	ifaces->destroy(ifaces);
-	return up;
-}
-
-/**
  * check if an address (chunk) addr is in subnet (net with net_len net bits)
  */
 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
@@ -849,32 +1340,124 @@ static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
 }
 
 /**
+ * Store information about a route retrieved via RTNETLINK
+ */
+typedef struct {
+	chunk_t gtw;
+	chunk_t src;
+	chunk_t dst;
+	host_t *src_host;
+	u_int8_t dst_len;
+	u_int32_t table;
+	u_int32_t oif;
+} rt_entry_t;
+
+/**
+ * Free a route entry
+ */
+static void rt_entry_destroy(rt_entry_t *this)
+{
+	DESTROY_IF(this->src_host);
+	free(this);
+}
+
+/**
+ * Parse route received with RTM_NEWROUTE. The given rt_entry_t object will be
+ * reused if not NULL.
+ *
+ * Returned chunks point to internal data of the Netlink message.
+ */
+static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
+{
+	struct rtattr *rta;
+	struct rtmsg *msg;
+	size_t rtasize;
+
+	msg = (struct rtmsg*)(NLMSG_DATA(hdr));
+	rta = RTM_RTA(msg);
+	rtasize = RTM_PAYLOAD(hdr);
+
+	if (route)
+	{
+		route->gtw = chunk_empty;
+		route->src = chunk_empty;
+		route->dst = chunk_empty;
+		route->dst_len = msg->rtm_dst_len;
+		route->table = msg->rtm_table;
+		route->oif = 0;
+	}
+	else
+	{
+		INIT(route,
+			.dst_len = msg->rtm_dst_len,
+			.table = msg->rtm_table,
+		);
+	}
+
+	while (RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
+		{
+			case RTA_PREFSRC:
+				route->src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+				break;
+			case RTA_GATEWAY:
+				route->gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+				break;
+			case RTA_DST:
+				route->dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+				break;
+			case RTA_OIF:
+				if (RTA_PAYLOAD(rta) == sizeof(route->oif))
+				{
+					route->oif = *(u_int32_t*)RTA_DATA(rta);
+				}
+				break;
+#ifdef HAVE_RTA_TABLE
+			case RTA_TABLE:
+				if (RTA_PAYLOAD(rta) == sizeof(route->table))
+				{
+					route->table = *(u_int32_t*)RTA_DATA(rta);
+				}
+				break;
+#endif /* HAVE_RTA_TABLE*/
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	return route;
+}
+
+/**
  * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
  */
 static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
-						 bool nexthop, host_t *candidate)
+						 bool nexthop, host_t *candidate, u_int recursion)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr, *out, *current;
 	struct rtmsg *msg;
 	chunk_t chunk;
 	size_t len;
-	int best = -1;
+	linked_list_t *routes;
+	rt_entry_t *route = NULL, *best = NULL;
 	enumerator_t *enumerator;
-	host_t *src = NULL, *gtw = NULL;
+	host_t *addr = NULL;
 
-	DBG2(DBG_KNL, "getting address to reach %H", dest);
+	if (recursion > MAX_ROUTE_RECURSION)
+	{
+		return NULL;
+	}
 
 	memset(&request, 0, sizeof(request));
 
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
-	if (dest->get_family(dest) == AF_INET)
-	{
-		/* We dump all addresses for IPv4, as we want to ignore IPsec specific
-		 * routes installed by us. But the kernel does not return source
-		 * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
-		hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
+	if (dest->get_family(dest) == AF_INET || this->rta_prefsrc_for_ipv6 ||
+		this->routing_table)
+	{	/* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
+		 * as we want to ignore routes with virtual IPs we cannot use DUMP
+		 * if these routes are not installed in a separate table */
+		hdr->nlmsg_flags |= NLM_F_DUMP;
 	}
 	hdr->nlmsg_type = RTM_GETROUTE;
 	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
@@ -891,10 +1474,12 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 
 	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "getting address to %H failed", dest);
+		DBG2(DBG_KNL, "getting %s to reach %H failed",
+			 nexthop ? "nexthop" : "address", dest);
 		return NULL;
 	}
-	this->mutex->lock(this->mutex);
+	routes = linked_list_create();
+	this->lock->read_lock(this->lock);
 
 	for (current = out; NLMSG_OK(current, len);
 		 current = NLMSG_NEXT(current, len))
@@ -905,132 +1490,53 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 				break;
 			case RTM_NEWROUTE:
 			{
-				struct rtattr *rta;
-				size_t rtasize;
-				chunk_t rta_gtw, rta_src, rta_dst;
-				u_int32_t rta_oif = 0, rta_table;
-				host_t *new_src, *new_gtw;
-				bool cont = FALSE;
+				rt_entry_t *other;
 				uintptr_t table;
 
-				rta_gtw = rta_src = rta_dst = chunk_empty;
-				msg = (struct rtmsg*)(NLMSG_DATA(current));
-				rta = RTM_RTA(msg);
-				rtasize = RTM_PAYLOAD(current);
-				rta_table = msg->rtm_table;
-				while (RTA_OK(rta, rtasize))
-				{
-					switch (rta->rta_type)
-					{
-						case RTA_PREFSRC:
-							rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_GATEWAY:
-							rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_DST:
-							rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
-							break;
-						case RTA_OIF:
-							if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
-							{
-								rta_oif = *(u_int32_t*)RTA_DATA(rta);
-							}
-							break;
-#ifdef HAVE_RTA_TABLE
-						case RTA_TABLE:
-							if (RTA_PAYLOAD(rta) == sizeof(rta_table))
-							{
-								rta_table = *(u_int32_t*)RTA_DATA(rta);
-							}
-							break;
-#endif /* HAVE_RTA_TABLE*/
-					}
-					rta = RTA_NEXT(rta, rtasize);
-				}
-				if (msg->rtm_dst_len <= best)
-				{	/* not better than a previous one */
-					continue;
-				}
-				enumerator = this->rt_exclude->create_enumerator(this->rt_exclude);
-				while (enumerator->enumerate(enumerator, &table))
-				{
-					if (table == rta_table)
-					{
-						cont = TRUE;
-						break;
-					}
-				}
-				enumerator->destroy(enumerator);
-				if (cont)
-				{
+				route = parse_route(current, route);
+
+				table = (uintptr_t)route->table;
+				if (this->rt_exclude->find_first(this->rt_exclude, NULL,
+												 (void**)&table) == SUCCESS)
+				{	/* route is from an excluded routing table */
 					continue;
 				}
 				if (this->routing_table != 0 &&
-					rta_table == this->routing_table)
+					route->table == this->routing_table)
 				{	/* route is from our own ipsec routing table */
 					continue;
 				}
-				if (rta_oif && !is_interface_up(this, rta_oif))
+				if (route->oif && !is_interface_up_and_usable(this, route->oif))
 				{	/* interface is down */
 					continue;
 				}
-				if (!addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))
+				if (!addr_in_subnet(chunk, route->dst, route->dst_len))
 				{	/* route destination does not contain dest */
 					continue;
 				}
-
-				if (nexthop)
-				{
-					/* nexthop lookup, return gateway if any */
-					DESTROY_IF(gtw);
-					gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					best = msg->rtm_dst_len;
-					continue;
-				}
-				if (rta_src.ptr)
-				{	/* got a source address */
-					new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
-					if (new_src)
-					{
-						if (get_vip_refcount(this, new_src))
-						{	/* skip source address if it is installed by us */
-							new_src->destroy(new_src);
-						}
-						else
-						{
-							DESTROY_IF(src);
-							src = new_src;
-							best = msg->rtm_dst_len;
-						}
-					}
-					continue;
-				}
-				if (rta_oif)
-				{	/* no src or gtw, but an interface. Get address from it. */
-					new_src = get_interface_address(this, rta_oif,
-													msg->rtm_family);
-					if (new_src)
-					{
-						DESTROY_IF(src);
-						src = new_src;
-						best = msg->rtm_dst_len;
+				if (route->src.ptr)
+				{	/* verify source address, if any */
+					host_t *src = host_create_from_chunk(msg->rtm_family,
+														 route->src, 0);
+					if (src && is_known_vip(this, src))
+					{	/* ignore routes installed by us */
+						src->destroy(src);
+						continue;
 					}
-					continue;
+					route->src_host = src;
 				}
-				if (rta_gtw.ptr)
-				{	/* no source, but a gateway. Lookup source to reach gtw. */
-					new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
-					new_src = get_route(this, new_gtw, FALSE, candidate);
-					new_gtw->destroy(new_gtw);
-					if (new_src)
+				/* insert route, sorted by decreasing network prefix */
+				enumerator = routes->create_enumerator(routes);
+				while (enumerator->enumerate(enumerator, &other))
+				{
+					if (route->dst_len > other->dst_len)
 					{
-						DESTROY_IF(src);
-						src = new_src;
-						best = msg->rtm_dst_len;
+						break;
 					}
-					continue;
 				}
+				routes->insert_before(routes, enumerator, route);
+				enumerator->destroy(enumerator);
+				route = NULL;
 				continue;
 			}
 			default:
@@ -1038,30 +1544,127 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 		}
 		break;
 	}
-	free(out);
-	this->mutex->unlock(this->mutex);
+	if (route)
+	{
+		rt_entry_destroy(route);
+	}
+
+	/* now we have a list of routes matching dest, sorted by net prefix.
+	 * we will look for source addresses for these routes and select the one
+	 * with the preferred source address, if possible */
+	enumerator = routes->create_enumerator(routes);
+	while (enumerator->enumerate(enumerator, &route))
+	{
+		if (route->src_host)
+		{	/* got a source address with the route, if no preferred source
+			 * is given or it matches we are done, as this is the best route */
+			if (!candidate || candidate->ip_equals(candidate, route->src_host))
+			{
+				best = route;
+				break;
+			}
+			else if (route->oif)
+			{	/* no match yet, maybe it is assigned to the same interface */
+				host_t *src = get_interface_address(this, route->oif,
+													msg->rtm_family, candidate);
+				if (src && src->ip_equals(src, candidate))
+				{
+					route->src_host->destroy(route->src_host);
+					route->src_host = src;
+					best = route;
+					break;
+				}
+				DESTROY_IF(src);
+			}
+			/* no luck yet with the source address. if this is the best (first)
+			 * route we store it as fallback in case we don't find a route with
+			 * the preferred source */
+			best = best ?: route;
+			continue;
+		}
+		if (route->oif)
+		{	/* no src, but an interface - get address from it */
+			route->src_host = get_interface_address(this, route->oif,
+													msg->rtm_family, candidate);
+			if (route->src_host)
+			{	/* we handle this address the same as the one above */
+				if (!candidate ||
+					 candidate->ip_equals(candidate, route->src_host))
+				{
+					best = route;
+					break;
+				}
+				best = best ?: route;
+				continue;
+			}
+		}
+		if (route->gtw.ptr)
+		{	/* no src, no iface, but a gateway - lookup src to reach gtw */
+			host_t *gtw;
+
+			gtw = host_create_from_chunk(msg->rtm_family, route->gtw, 0);
+			if (gtw && !gtw->ip_equals(gtw, dest))
+			{
+				route->src_host = get_route(this, gtw, FALSE, candidate,
+											recursion + 1);
+			}
+			DESTROY_IF(gtw);
+			if (route->src_host)
+			{	/* more of the same */
+				if (!candidate ||
+					 candidate->ip_equals(candidate, route->src_host))
+				{
+					best = route;
+					break;
+				}
+				best = best ?: route;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
 
 	if (nexthop)
+	{	/* nexthop lookup, return gateway if any */
+		if (best || routes->get_first(routes, (void**)&best) == SUCCESS)
+		{
+			addr = host_create_from_chunk(msg->rtm_family, best->gtw, 0);
+		}
+		addr = addr ?: dest->clone(dest);
+	}
+	else
 	{
-		if (gtw)
+		if (best)
 		{
-			return gtw;
+			addr = best->src_host->clone(best->src_host);
 		}
-		return dest->clone(dest);
 	}
-	return src;
+	this->lock->unlock(this->lock);
+	routes->destroy_function(routes, (void*)rt_entry_destroy);
+	free(out);
+
+	if (addr)
+	{
+		DBG2(DBG_KNL, "using %H as %s to reach %H", addr,
+			 nexthop ? "nexthop" : "address", dest);
+	}
+	else if (!recursion)
+	{
+		DBG2(DBG_KNL, "no %s found to reach %H",
+			 nexthop ? "nexthop" : "address", dest);
+	}
+	return addr;
 }
 
 METHOD(kernel_net_t, get_source_addr, host_t*,
 	private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
 {
-	return get_route(this, dest, FALSE, src);
+	return get_route(this, dest, FALSE, src, 0);
 }
 
 METHOD(kernel_net_t, get_nexthop, host_t*,
-	private_kernel_netlink_net_t *this, host_t *dest)
+	private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
 {
-	return get_route(this, dest, TRUE, NULL);
+	return get_route(this, dest, TRUE, src, 0);
 }
 
 /**
@@ -1069,7 +1672,7 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
  * By setting the appropriate nlmsg_type, the ip will be set or unset.
  */
 static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
-							  int flags, int if_index, host_t *ip)
+							  int flags, int if_index, host_t *ip, int prefix)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
@@ -1088,7 +1691,7 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 	msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
 	msg->ifa_family = ip->get_family(ip);
 	msg->ifa_flags = 0;
-	msg->ifa_prefixlen = 8 * chunk.len;
+	msg->ifa_prefixlen = prefix < 0 ? chunk.len * 8 : prefix;
 	msg->ifa_scope = RT_SCOPE_UNIVERSE;
 	msg->ifa_index = if_index;
 
@@ -1098,89 +1701,111 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 }
 
 METHOD(kernel_net_t, add_ip, status_t,
-	private_kernel_netlink_net_t *this, host_t *virtual_ip, host_t *iface_ip)
+	private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
+	char *iface_name)
 {
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	enumerator_t *addrs, *ifaces;
-	int ifindex;
+	addr_map_entry_t *entry, lookup = {
+		.ip = virtual_ip,
+	};
+	iface_entry_t *iface = NULL;
 
 	if (!this->install_virtual_ip)
 	{	/* disabled by config */
 		return SUCCESS;
 	}
 
-	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
-
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		bool iface_found = FALSE;
-
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
-		{
-			if (iface_ip->ip_equals(iface_ip, addr->ip))
+	this->lock->write_lock(this->lock);
+	/* the virtual IP might actually be installed as regular IP, in which case
+	 * we don't track it as virtual IP */
+	entry = this->addrs->get_match(this->addrs, &lookup,
+								  (void*)addr_map_entry_match);
+	if (!entry)
+	{	/* otherwise it might already be installed as virtual IP */
+		entry = this->vips->get_match(this->vips, &lookup,
+									 (void*)addr_map_entry_match);
+		if (entry)
+		{	/* the vip we found can be in one of three states: 1) installed and
+			 * ready, 2) just added by another thread, but not yet confirmed to
+			 * be installed by the kernel, 3) just deleted, but not yet gone.
+			 * Then while we wait below, several things could happen (as we
+			 * release the lock).  For instance, the interface could disappear,
+			 * or the IP is finally deleted, and it reappears on a different
+			 * interface. All these cases are handled by the call below. */
+			while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
 			{
-				iface_found = TRUE;
+				this->condvar->wait(this->condvar, this->lock);
 			}
-			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			if (entry)
 			{
-				addr->refcount++;
-				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
-					 virtual_ip, iface->ifname);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
+				entry->addr->refcount++;
 			}
 		}
-		addrs->destroy(addrs);
-
-		if (iface_found)
+	}
+	if (entry)
+	{
+		DBG2(DBG_KNL, "virtual IP %H is already installed on %s", virtual_ip,
+			 entry->iface->ifname);
+		this->lock->unlock(this->lock);
+		return SUCCESS;
+	}
+	/* try to find the target interface, either by config or via src ip */
+	if (!this->install_virtual_ip_on ||
+		 this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
+						(void**)&iface, this->install_virtual_ip_on) != SUCCESS)
+	{
+		if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
+									 (void**)&iface, iface_name) != SUCCESS)
+		{	/* if we don't find the requested interface we just use the first */
+			this->ifaces->get_first(this->ifaces, (void**)&iface);
+		}
+	}
+	if (iface)
+	{
+		addr_entry_t *addr;
+
+		INIT(addr,
+			.ip = virtual_ip->clone(virtual_ip),
+			.refcount = 1,
+			.scope = RT_SCOPE_UNIVERSE,
+		);
+		iface->addrs->insert_last(iface->addrs, addr);
+		addr_map_entry_add(this->vips, addr, iface);
+		if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
+						  iface->ifindex, virtual_ip, prefix) == SUCCESS)
 		{
-			ifindex = iface->ifindex;
-			addr = malloc_thing(addr_entry_t);
-			addr->ip = virtual_ip->clone(virtual_ip);
-			addr->refcount = 0;
-			addr->virtual = TRUE;
-			addr->scope = RT_SCOPE_UNIVERSE;
-			iface->addrs->insert_last(iface->addrs, addr);
-
-			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
-							  ifindex, virtual_ip) == SUCCESS)
-			{
-				while (get_vip_refcount(this, virtual_ip) == 0)
-				{	/* wait until address appears */
-					this->condvar->wait(this->condvar, this->mutex);
-				}
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
+			while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
+			{	/* wait until address appears */
+				this->condvar->wait(this->condvar, this->lock);
+			}
+			if (entry)
+			{	/* we fail if the interface got deleted in the meantime */
+				DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
+					 entry->iface->ifname);
+				this->lock->unlock(this->lock);
+				/* during IKEv1 reauthentication, children get moved from
+				 * old the new SA before the virtual IP is available. This
+				 * kills the route for our virtual IP, reinstall. */
+				queue_route_reinstall(this, strdup(entry->iface->ifname));
 				return SUCCESS;
 			}
-			ifaces->destroy(ifaces);
-			this->mutex->unlock(this->mutex);
-			DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
-			return FAILED;
 		}
+		this->lock->unlock(this->lock);
+		DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
+		return FAILED;
 	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	DBG1(DBG_KNL, "interface address %H not found, unable to install"
-		 "virtual IP %H", iface_ip, virtual_ip);
+	this->lock->unlock(this->lock);
+	DBG1(DBG_KNL, "no interface available, unable to install virtual IP %H",
+		 virtual_ip);
 	return FAILED;
 }
 
 METHOD(kernel_net_t, del_ip, status_t,
-	private_kernel_netlink_net_t *this, host_t *virtual_ip)
+	private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
+	bool wait)
 {
-	iface_entry_t *iface;
-	addr_entry_t *addr;
-	enumerator_t *addrs, *ifaces;
-	status_t status;
-	int ifindex;
+	addr_map_entry_t *entry, lookup = {
+		.ip = virtual_ip,
+	};
 
 	if (!this->install_virtual_ip)
 	{	/* disabled by config */
@@ -1189,60 +1814,61 @@ METHOD(kernel_net_t, del_ip, status_t,
 
 	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
 
-	this->mutex->lock(this->mutex);
-	ifaces = this->ifaces->create_enumerator(this->ifaces);
-	while (ifaces->enumerate(ifaces, &iface))
-	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
+	this->lock->write_lock(this->lock);
+	entry = this->vips->get_match(this->vips, &lookup,
+								 (void*)addr_map_entry_match);
+	if (!entry)
+	{	/* we didn't install this IP as virtual IP */
+		entry = this->addrs->get_match(this->addrs, &lookup,
+									  (void*)addr_map_entry_match);
+		if (entry)
 		{
-			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			DBG2(DBG_KNL, "not deleting existing IP %H on %s", virtual_ip,
+				 entry->iface->ifname);
+			this->lock->unlock(this->lock);
+			return SUCCESS;
+		}
+		DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
+		this->lock->unlock(this->lock);
+		return FAILED;
+	}
+	if (entry->addr->refcount == 1)
+	{
+		status_t status;
+
+		/* we set this flag so that threads calling add_ip will block and wait
+		 * until the entry is gone, also so we can wait below */
+		entry->addr->installed = FALSE;
+		status = manage_ipaddr(this, RTM_DELADDR, 0, entry->iface->ifindex,
+							   virtual_ip, prefix);
+		if (status == SUCCESS && wait)
+		{	/* wait until the address is really gone */
+			while (is_known_vip(this, virtual_ip))
 			{
-				ifindex = iface->ifindex;
-				if (addr->refcount == 1)
-				{
-					status = manage_ipaddr(this, RTM_DELADDR, 0,
-										   ifindex, virtual_ip);
-					if (status == SUCCESS)
-					{	/* wait until the address is really gone */
-						while (get_vip_refcount(this, virtual_ip) > 0)
-						{
-							this->condvar->wait(this->condvar, this->mutex);
-						}
-					}
-					addrs->destroy(addrs);
-					ifaces->destroy(ifaces);
-					this->mutex->unlock(this->mutex);
-					return status;
-				}
-				else
-				{
-					addr->refcount--;
-				}
-				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
-					 virtual_ip);
-				addrs->destroy(addrs);
-				ifaces->destroy(ifaces);
-				this->mutex->unlock(this->mutex);
-				return SUCCESS;
+				this->condvar->wait(this->condvar, this->lock);
 			}
 		}
-		addrs->destroy(addrs);
+		this->lock->unlock(this->lock);
+		return status;
 	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
-
-	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
-	return FAILED;
+	else
+	{
+		entry->addr->refcount--;
+	}
+	DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
+		 virtual_ip);
+	this->lock->unlock(this->lock);
+	return SUCCESS;
 }
 
 /**
  * Manages source routes in the routing table.
  * By setting the appropriate nlmsg_type, the route gets added or removed.
  */
-static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_type,
-								int flags, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name)
+static status_t manage_srcroute(private_kernel_netlink_net_t *this,
+								int nlmsg_type, int flags, chunk_t dst_net,
+								u_int8_t prefixlen, host_t *gateway,
+								host_t *src_ip, char *if_name)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
@@ -1306,16 +1932,56 @@ METHOD(kernel_net_t, add_route, status_t,
 	private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 	host_t *gateway, host_t *src_ip, char *if_name)
 {
-	return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
-				dst_net, prefixlen, gateway, src_ip, if_name);
+	status_t status;
+	route_entry_t *found, route = {
+		.dst_net = dst_net,
+		.prefixlen = prefixlen,
+		.gateway = gateway,
+		.src_ip = src_ip,
+		.if_name = if_name,
+	};
+
+	this->routes_lock->lock(this->routes_lock);
+	found = this->routes->get(this->routes, &route);
+	if (found)
+	{
+		this->routes_lock->unlock(this->routes_lock);
+		return ALREADY_DONE;
+	}
+	found = route_entry_clone(&route);
+	this->routes->put(this->routes, found, found);
+	status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
+							 dst_net, prefixlen, gateway, src_ip, if_name);
+	this->routes_lock->unlock(this->routes_lock);
+	return status;
 }
 
 METHOD(kernel_net_t, del_route, status_t,
 	private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 	host_t *gateway, host_t *src_ip, char *if_name)
 {
-	return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
-				gateway, src_ip, if_name);
+	status_t status;
+	route_entry_t *found, route = {
+		.dst_net = dst_net,
+		.prefixlen = prefixlen,
+		.gateway = gateway,
+		.src_ip = src_ip,
+		.if_name = if_name,
+	};
+
+	this->routes_lock->lock(this->routes_lock);
+	found = this->routes->get(this->routes, &route);
+	if (!found)
+	{
+		this->routes_lock->unlock(this->routes_lock);
+		return NOT_FOUND;
+	}
+	this->routes->remove(this->routes, found);
+	route_entry_destroy(found);
+	status = manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
+							 gateway, src_ip, if_name);
+	this->routes_lock->unlock(this->routes_lock);
+	return status;
 }
 
 /**
@@ -1331,7 +1997,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 
-	DBG1(DBG_KNL, "listening on interfaces:");
+	DBG2(DBG_KNL, "known interfaces and IP addresses:");
 
 	memset(&request, 0, sizeof(request));
 
@@ -1389,23 +2055,23 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
 	}
 	free(out);
 
-	this->mutex->lock(this->mutex);
+	this->lock->read_lock(this->lock);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
 	{
-		if (iface->flags & IFF_UP)
+		if (iface_entry_up_and_usable(iface))
 		{
-			DBG1(DBG_KNL, "  %s", iface->ifname);
+			DBG2(DBG_KNL, "  %s", iface->ifname);
 			addrs = iface->addrs->create_enumerator(iface->addrs);
 			while (addrs->enumerate(addrs, (void**)&addr))
 			{
-				DBG1(DBG_KNL, "    %H", addr->ip);
+				DBG2(DBG_KNL, "    %H", addr->ip);
 			}
 			addrs->destroy(addrs);
 		}
 	}
 	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	return SUCCESS;
 }
 
@@ -1443,9 +2109,59 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 	return this->socket->send_ack(this->socket, hdr);
 }
 
+/**
+ * check for kernel features (currently only via version number)
+ */
+static void check_kernel_features(private_kernel_netlink_net_t *this)
+{
+	struct utsname utsname;
+	int a, b, c;
+
+	if (uname(&utsname) == 0)
+	{
+		switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c))
+		{
+			case 3:
+				if (a == 2)
+				{
+					DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
+						 "RTA_PREFSRC for IPv6 routes", a, b, c);
+					break;
+				}
+				/* fall-through */
+			case 2:
+				/* only 3.x+ uses two part version numbers */
+				this->rta_prefsrc_for_ipv6 = TRUE;
+				break;
+			default:
+				break;
+		}
+	}
+}
+
+/**
+ * Destroy an address to iface map
+ */
+static void addr_map_destroy(hashtable_t *map)
+{
+	enumerator_t *enumerator;
+	addr_map_entry_t *addr;
+
+	enumerator = map->create_enumerator(map);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&addr))
+	{
+		free(addr);
+	}
+	enumerator->destroy(enumerator);
+	map->destroy(map);
+}
+
 METHOD(kernel_net_t, destroy, void,
 	private_kernel_netlink_net_t *this)
 {
+	enumerator_t *enumerator;
+	route_entry_t *route;
+
 	if (this->routing_table)
 	{
 		manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
@@ -1453,19 +2169,35 @@ METHOD(kernel_net_t, destroy, void,
 		manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
 					this->routing_table_prio);
 	}
-	if (this->job)
-	{
-		this->job->cancel(this->job);
-	}
 	if (this->socket_events > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->socket_events);
 		close(this->socket_events);
 	}
+	enumerator = this->routes->create_enumerator(this->routes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&route))
+	{
+		manage_srcroute(this, RTM_DELROUTE, 0, route->dst_net, route->prefixlen,
+						route->gateway, route->src_ip, route->if_name);
+		route_entry_destroy(route);
+	}
+	enumerator->destroy(enumerator);
+	this->routes->destroy(this->routes);
+	this->routes_lock->destroy(this->routes_lock);
 	DESTROY_IF(this->socket);
+
+	net_changes_clear(this);
+	this->net_changes->destroy(this->net_changes);
+	this->net_changes_lock->destroy(this->net_changes_lock);
+
+	addr_map_destroy(this->addrs);
+	addr_map_destroy(this->vips);
+
 	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
 	this->rt_exclude->destroy(this->rt_exclude);
+	this->roam_lock->destroy(this->roam_lock);
 	this->condvar->destroy(this->condvar);
-	this->mutex->destroy(this->mutex);
+	this->lock->destroy(this->lock);
 	free(this);
 }
 
@@ -1475,8 +2207,8 @@ METHOD(kernel_net_t, destroy, void,
 kernel_netlink_net_t *kernel_netlink_net_create()
 {
 	private_kernel_netlink_net_t *this;
-	struct sockaddr_nl addr;
 	enumerator_t *enumerator;
+	bool register_for_events = TRUE;
 	char *exclude;
 
 	INIT(this,
@@ -1495,9 +2227,22 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 		},
 		.socket = netlink_socket_create(NETLINK_ROUTE),
 		.rt_exclude = linked_list_create(),
+		.routes = hashtable_create((hashtable_hash_t)route_entry_hash,
+								   (hashtable_equals_t)route_entry_equals, 16),
+		.net_changes = hashtable_create(
+								   (hashtable_hash_t)net_change_hash,
+								   (hashtable_equals_t)net_change_equals, 16),
+		.addrs = hashtable_create(
+								(hashtable_hash_t)addr_map_entry_hash,
+								(hashtable_equals_t)addr_map_entry_equals, 16),
+		.vips = hashtable_create((hashtable_hash_t)addr_map_entry_hash,
+								 (hashtable_equals_t)addr_map_entry_equals, 16),
+		.routes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
+		.net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
 		.ifaces = linked_list_create(),
-		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
-		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.condvar = rwlock_condvar_create(),
+		.roam_lock = spinlock_create(),
 		.routing_table = lib->settings->get_int(lib->settings,
 				"%s.routing_table", ROUTING_TABLE, hydra->daemon),
 		.routing_table_prio = lib->settings->get_int(lib->settings,
@@ -1506,8 +2251,20 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 				"%s.process_route", TRUE, hydra->daemon),
 		.install_virtual_ip = lib->settings->get_bool(lib->settings,
 				"%s.install_virtual_ip", TRUE, hydra->daemon),
+		.install_virtual_ip_on = lib->settings->get_str(lib->settings,
+				"%s.install_virtual_ip_on", NULL, hydra->daemon),
+		.roam_events = lib->settings->get_bool(lib->settings,
+				"%s.plugins.kernel-netlink.roam_events", TRUE, hydra->daemon),
 	);
-	timerclear(&this->last_roam);
+	timerclear(&this->last_route_reinstall);
+	timerclear(&this->next_roam);
+
+	check_kernel_features(this);
+
+	if (streq(hydra->daemon, "starter"))
+	{	/* starter has no threads, so we do not register for kernel events */
+		register_for_events = FALSE;
+	}
 
 	exclude = lib->settings->get_str(lib->settings,
 					"%s.ignore_routing_tables", NULL, hydra->daemon);
@@ -1530,29 +2287,33 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 		enumerator->destroy(enumerator);
 	}
 
-	memset(&addr, 0, sizeof(addr));
-	addr.nl_family = AF_NETLINK;
-
-	/* create and bind RT socket for events (address/interface/route changes) */
-	this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
-	if (this->socket_events < 0)
+	if (register_for_events)
 	{
-		DBG1(DBG_KNL, "unable to create RT event socket");
-		destroy(this);
-		return NULL;
-	}
-	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
-					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK;
-	if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		DBG1(DBG_KNL, "unable to bind RT event socket");
-		destroy(this);
-		return NULL;
-	}
+		struct sockaddr_nl addr;
+
+		memset(&addr, 0, sizeof(addr));
+		addr.nl_family = AF_NETLINK;
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+		/* create and bind RT socket for events (address/interface/route changes) */
+		this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+		if (this->socket_events < 0)
+		{
+			DBG1(DBG_KNL, "unable to create RT event socket");
+			destroy(this);
+			return NULL;
+		}
+		addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
+						 RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK;
+		if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
+		{
+			DBG1(DBG_KNL, "unable to bind RT event socket");
+			destroy(this);
+			return NULL;
+		}
+
+		lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
+	}
 
 	if (init_address_list(this) != SUCCESS)
 	{
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 0eb00dadf..8d5a0d5e8 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -65,6 +65,14 @@ plugin_t *kernel_netlink_plugin_create()
 {
 	private_kernel_netlink_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to bind/use XFRM sockets / create/modify routing tables, but
+		 * not if only the read-only parts of kernel-netlink-net are used, so
+		 * we don't fail here */
+		DBG1(DBG_KNL, "kernel-netlink plugin might require CAP_NET_ADMIN "
+			 "capability");
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index dad3fb68e..fd00c23af 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -21,7 +21,7 @@
 
 #include "kernel_netlink_shared.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 typedef struct private_netlink_socket_t private_netlink_socket_t;
@@ -206,6 +206,11 @@ METHOD(netlink_socket_t, netlink_send_ack, status_t,
 						free(out);
 						return ALREADY_DONE;
 					}
+					if (-err->error == ESRCH)
+					{	/* do not report missing entries */
+						free(out);
+						return NOT_FOUND;
+					}
 					DBG1(DBG_KNL, "received netlink error: %s (%d)",
 						 strerror(-err->error), -err->error);
 					free(out);
@@ -287,7 +292,7 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
 {
 	struct rtattr *rta;
 
-	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
+	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_LENGTH(data.len) > buflen)
 	{
 		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
 		return;
@@ -299,3 +304,24 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
 	memcpy(RTA_DATA(rta), data.ptr, data.len);
 	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
 }
+
+/**
+ * Described in header.
+ */
+void* netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len)
+{
+	struct rtattr *rta;
+
+	if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_LENGTH(len) > buflen)
+	{
+		DBG1(DBG_KNL, "unable to add attribute, buffer too small");
+		return NULL;
+	}
+
+	rta = ((void*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len);
+	rta->rta_type = type;
+	rta->rta_len = RTA_LENGTH(len);
+	hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
+
+	return RTA_DATA(rta);
+}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
index dfd27a21a..8be935bc3 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -42,7 +42,8 @@ struct netlink_socket_t {
 	 * @param	out 	received netlink message
 	 * @param	out_len	length of the received message
 	 */
-	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
+	status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in,
+					 struct nlmsghdr **out, size_t *out_len);
 
 	/**
 	 * Send a netlink message and wait for its acknowledge.
@@ -67,11 +68,23 @@ netlink_socket_t *netlink_socket_create(int protocol);
 /**
  * Creates an rtattr and adds it to the given netlink message.
  *
- * @param	hdr			netlink message
- * @param	rta_type	type of the rtattr
- * @param	data		data to add to the rtattr
- * @param	buflen		length of the netlink message buffer
+ * @param hdr			netlink message
+ * @param rta_type		type of the rtattr
+ * @param data			data to add to the rtattr
+ * @param buflen		length of the netlink message buffer
  */
-void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen);
+void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
+						   size_t buflen);
+
+/**
+ * Reserve space in a netlink message for given size and type, returning buffer.
+ *
+ * @param hdr			netlink message
+ * @param buflen		size of full netlink buffer
+ * @param type			RTA type
+ * @param len			length of RTA data
+ * @return				buffer to len bytes of attribute data, NULL on error
+ */
+void* netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len);
 
 #endif /* KERNEL_NETLINK_SHARED_H_ */
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.am b/src/libhydra/plugins/kernel_pfkey/Makefile.am
index 1d1488a6b..bb5d0d7f7 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.am
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 14c924b6f..fd95afd09 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_pfkey_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_kernel_pfkey_la_OBJECTS = kernel_pfkey_plugin.lo \
 	kernel_pfkey_ipsec.lo
 libstrongswan_kernel_pfkey_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_pfkey_la_OBJECTS)
-libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_pfkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_pfkey_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_kernel_pfkey_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_kernel_pfkey_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_pfkey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
 libstrongswan_kernel_pfkey_la_SOURCES = \
@@ -340,7 +405,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +412,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -369,8 +435,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
+libstrongswan-kernel-pfkey.la: $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfkey_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_kernel_pfkey_la_LINK) $(am_libstrongswan_kernel_pfkey_la_rpath) $(libstrongswan_kernel_pfkey_la_OBJECTS) $(libstrongswan_kernel_pfkey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +573,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index da10edffe..668c581e1 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2011 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
@@ -51,17 +51,18 @@
 #include <unistd.h>
 #include <time.h>
 #include <errno.h>
+#ifdef __APPLE__
+#include <sys/sysctl.h>
+#endif
 
 #include "kernel_pfkey_ipsec.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
-#include <threading/thread.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
-#include <processing/jobs/callback_job.h>
 
 /** non linux specific */
 #ifndef IPPROTO_COMP
@@ -99,6 +100,20 @@
 #define IPV6_IPSEC_POLICY 34
 #endif
 
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif
+
+/* this is not defined on some platforms */
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
 /** default priority of installed policies */
 #define PRIO_BASE 512
 
@@ -163,6 +178,11 @@ struct private_kernel_pfkey_ipsec_t
 	linked_list_t *policies;
 
 	/**
+	 * List of exclude routes (exclude_route_t)
+	 */
+	linked_list_t *excludes;
+
+	/**
 	 * Hash table of IPsec SAs using policies (ipsec_sa_t)
 	 */
 	hashtable_t *sas;
@@ -173,11 +193,6 @@ struct private_kernel_pfkey_ipsec_t
 	bool install_routes;
 
 	/**
-	 * job receiving PF_KEY events
-	 */
-	callback_job_t *job;
-
-	/**
 	 * mutex to lock access to the PF_KEY socket
 	 */
 	mutex_t *mutex_pfkey;
@@ -198,6 +213,33 @@ struct private_kernel_pfkey_ipsec_t
 	int seq;
 };
 
+typedef struct exclude_route_t exclude_route_t;
+
+/**
+ * Exclude route definition
+ */
+struct exclude_route_t {
+	/** destination address of exclude */
+	host_t *dst;
+	/** source address for route */
+	host_t *src;
+	/** nexthop exclude has been installed */
+	host_t *gtw;
+	/** references to this route */
+	int refs;
+};
+
+/**
+ * clean up a route exclude entry
+ */
+static void exclude_route_destroy(exclude_route_t *this)
+{
+	this->dst->destroy(this->dst);
+	this->src->destroy(this->src);
+	this->gtw->destroy(this->gtw);
+	free(this);
+}
+
 typedef struct route_entry_t route_entry_t;
 
 /**
@@ -218,6 +260,9 @@ struct route_entry_t {
 
 	/** destination net prefixlen */
 	u_int8_t prefixlen;
+
+	/** reference to exclude route, if any */
+	exclude_route_t *exclude;
 };
 
 /**
@@ -238,8 +283,9 @@ static void route_entry_destroy(route_entry_t *this)
 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
 {
 	return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
-		   a->src_ip->equals(a->src_ip, b->src_ip) &&
-		   a->gateway->equals(a->gateway, b->gateway) &&
+		   a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+		   a->gateway && b->gateway &&
+		   a->gateway->ip_equals(a->gateway, b->gateway) &&
 		   chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
 }
 
@@ -327,7 +373,7 @@ static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
 }
 
 typedef struct policy_sa_t policy_sa_t;
-typedef struct policy_sa_fwd_t policy_sa_fwd_t;
+typedef struct policy_sa_in_t policy_sa_in_t;
 
 /**
  * Mapping between a policy and an IPsec SA.
@@ -344,10 +390,10 @@ struct policy_sa_t {
 };
 
 /**
- * For forward policies we also cache the traffic selectors in order to install
+ * For input policies we also cache the traffic selectors in order to install
  * the route.
  */
-struct policy_sa_fwd_t {
+struct policy_sa_in_t {
 	/** Generic interface */
 	policy_sa_t generic;
 
@@ -359,7 +405,7 @@ struct policy_sa_fwd_t {
 };
 
 /**
- * Create a policy_sa(_fwd)_t object
+ * Create a policy_sa(_in)_t object
  */
 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
 	policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
@@ -367,14 +413,14 @@ static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
 {
 	policy_sa_t *policy;
 
-	if (dir == POLICY_FWD)
+	if (dir == POLICY_IN)
 	{
-		policy_sa_fwd_t *fwd;
-		INIT(fwd,
+		policy_sa_in_t *in;
+		INIT(in,
 			.src_ts = src_ts->clone(src_ts),
 			.dst_ts = dst_ts->clone(dst_ts),
 		);
-		policy = &fwd->generic;
+		policy = &in->generic;
 	}
 	else
 	{
@@ -386,16 +432,16 @@ static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
 }
 
 /**
- * Destroy a policy_sa(_fwd)_t object
+ * Destroy a policy_sa(_in)_t object
  */
 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
 							  private_kernel_pfkey_ipsec_t *this)
 {
-	if (*dir == POLICY_FWD)
+	if (*dir == POLICY_IN)
 	{
-		policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
-		fwd->src_ts->destroy(fwd->src_ts);
-		fwd->dst_ts->destroy(fwd->dst_ts);
+		policy_sa_in_t *in = (policy_sa_in_t*)policy;
+		in->src_ts->destroy(in->src_ts);
+		in->dst_ts->destroy(in->dst_ts);
 	}
 	ipsec_sa_destroy(this, policy->sa);
 	free(policy);
@@ -795,8 +841,22 @@ static kernel_algorithm_t compression_algs[] = {
 /**
  * Look up a kernel algorithm ID and its key size
  */
-static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
+static int lookup_algorithm(transform_type_t type, int ikev2)
 {
+	kernel_algorithm_t *list;
+	u_int16_t alg = 0;
+
+	switch (type)
+	{
+		case ENCRYPTION_ALGORITHM:
+			list = encryption_algs;
+			break;
+		case INTEGRITY_ALGORITHM:
+			list = integrity_algs;
+			break;
+		default:
+			return 0;
+	}
 	while (list->ikev2 != END_OF_LIST)
 	{
 		if (ikev2 == list->ikev2)
@@ -805,18 +865,21 @@ static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
 		}
 		list++;
 	}
-	return 0;
+	hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2,
+											  type, &alg, NULL);
+	return alg;
 }
 
 /**
- * Copy a host_t as sockaddr_t to the given memory location. Ports are
- * reset to zero as per RFC 2367.
+ * Copy a host_t as sockaddr_t to the given memory location.
  * @return		the number of bytes copied
  */
-static size_t hostcpy(void *dest, host_t *host)
+static size_t hostcpy(void *dest, host_t *host, bool include_port)
 {
 	sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
 	socklen_t *len = host->get_sockaddr_len(host);
+	u_int16_t port = htons(host->get_port(host));
+
 	memcpy(dest, addr, *len);
 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
 	dest_addr->sa_len = *len;
@@ -826,13 +889,13 @@ static size_t hostcpy(void *dest, host_t *host)
 		case AF_INET:
 		{
 			struct sockaddr_in *sin = dest;
-			sin->sin_port = 0;
+			sin->sin_port = include_port ? port : 0;
 			break;
 		}
 		case AF_INET6:
 		{
 			struct sockaddr_in6 *sin6 = dest;
-			sin6->sin6_port = 0;
+			sin6->sin6_port = include_port ? port : 0;
 			break;
 		}
 	}
@@ -842,9 +905,9 @@ static size_t hostcpy(void *dest, host_t *host)
 /**
  * add a host behind an sadb_address extension
  */
-static void host2ext(host_t *host, struct sadb_address *ext)
+static void host2ext(host_t *host, struct sadb_address *ext, bool include_port)
 {
-	size_t len = hostcpy(ext + 1, host);
+	size_t len = hostcpy(ext + 1, host, include_port);
 	ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
 }
 
@@ -852,13 +915,13 @@ static void host2ext(host_t *host, struct sadb_address *ext)
  * add a host to the given sadb_msg
  */
 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
-						 u_int8_t proto, u_int8_t prefixlen)
+						 u_int8_t proto, u_int8_t prefixlen, bool include_port)
 {
 	struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
 	addr->sadb_address_exttype = type;
 	addr->sadb_address_proto = proto;
 	addr->sadb_address_prefixlen = prefixlen;
-	host2ext(host, addr);
+	host2ext(host, addr, include_port);
 	PFKEY_EXT_ADD(msg, addr);
 }
 
@@ -916,6 +979,10 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 {
 	traffic_selector_t *ts;
 	host_t *host;
+	u_int8_t proto;
+
+	proto = address->sadb_address_proto;
+	proto = proto == IPSEC_PROTO_ANY ? 0 : proto;
 
 	/* The Linux 2.6 kernel does not set the protocol and port information
 	 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
@@ -923,8 +990,8 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 	host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
 	ts = traffic_selector_create_from_subnet(host,
 											 address->sadb_address_prefixlen,
-											 address->sadb_address_proto,
-											 host->get_port(host));
+											 proto, host->get_port(host),
+											 host->get_port(host) ?: 65535);
 	return ts;
 }
 
@@ -1060,7 +1127,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 		}
 		if (msg->sadb_msg_seq != this->seq)
 		{
-			DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
+			DBG2(DBG_KNL, "received PF_KEY message with unexpected sequence "
 						  "number, was %d expected %d", msg->sadb_msg_seq,
 						  this->seq);
 			if (msg->sadb_msg_seq == 0)
@@ -1292,11 +1359,13 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 		{
 			struct sockaddr_in *sin = (struct sockaddr_in*)sa;
 			sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			break;
 		}
 		case AF_INET6:
 		{
 			struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
 			sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
+			break;
 		}
 		default:
 			break;
@@ -1314,31 +1383,28 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 /**
  * Receives events from kernel
  */
-static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
+static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd,
+						   watcher_event_t event)
 {
 	unsigned char buf[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg = (struct sadb_msg*)buf;
-	bool oldstate;
 	int len;
 
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
+	len = recvfrom(this->socket_events, buf, sizeof(buf), MSG_DONTWAIT, NULL, 0);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
 				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			case EAGAIN:
 				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
@@ -1346,17 +1412,17 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 		msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
 	{
 		DBG2(DBG_KNL, "received corrupted PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 	if (msg->sadb_msg_pid != 0)
 	{	/* not from kernel. not interested, try another one */
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 	if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
 	{
 		DBG1(DBG_KNL, "buffer was too small to receive the complete "
 					  "PF_KEY message");
-		return JOB_REQUEUE_DIRECT;
+		return TRUE;
 	}
 
 	switch (msg->sadb_msg_type)
@@ -1381,7 +1447,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 			break;
 	}
 
-	return JOB_REQUEUE_DIRECT;
+	return TRUE;
 }
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
@@ -1410,8 +1476,8 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	sa2->sadb_x_sa2_reqid = reqid;
 	PFKEY_EXT_ADD(msg, sa2);
 
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
 
 	range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
 	range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
@@ -1455,8 +1521,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
-	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
-	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+	u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
+	bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1497,8 +1563,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa->sadb_sa_len = PFKEY_LEN(len);
 	sa->sadb_sa_spi = spi;
 	sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
-	sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
-	sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
+	sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
+	sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
 	PFKEY_EXT_ADD(msg, sa);
 
 	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1508,8 +1574,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa2->sadb_x_sa2_reqid = reqid;
 	PFKEY_EXT_ADD(msg, sa2);
 
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
 
 	lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
 	lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
@@ -1639,7 +1705,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
 	 * it is not used for anything. */
 	add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
 
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
@@ -1735,7 +1801,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark,
+	u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1762,8 +1829,8 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	/* the Linux Kernel doesn't care for the src address, but other systems do
 	 * (e.g. FreeBSD)
 	 */
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
 
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
@@ -1784,7 +1851,27 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 		free(out);
 		return FAILED;
 	}
-	*bytes = response.lft_current->sadb_lifetime_bytes;
+	if (bytes)
+	{
+		*bytes = response.lft_current->sadb_lifetime_bytes;
+	}
+	if (packets)
+	{
+		/* not supported by PF_KEY */
+		*packets = 0;
+	}
+	if (time)
+	{
+#ifdef __APPLE__
+		/* OS X uses the "last" time of use in usetime */
+		*time = response.lft_current->sadb_lifetime_usetime;
+#else /* !__APPLE__ */
+		/* on Linux, sadb_lifetime_usetime is set to the "first" time of use,
+		 * which is actually correct according to PF_KEY. We have to query
+		 * policies for the last usetime. */
+		*time = 0;
+#endif /* !__APPLE__ */
+	}
 
 	free(out);
 	return SUCCESS;
@@ -1818,8 +1905,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	/* the Linux Kernel doesn't care for the src address, but other systems do
 	 * (e.g. FreeBSD)
 	 */
-	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
-	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+	add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
+	add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
 
 	if (pfkey_send(this, msg, &out, &len) != SUCCESS)
 	{
@@ -1874,6 +1961,228 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
 }
 
 /**
+ * Add an explicit exclude route to a routing entry
+ */
+static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
+							  route_entry_t *route, host_t *src, host_t *dst)
+{
+	enumerator_t *enumerator;
+	exclude_route_t *exclude;
+	host_t *gtw;
+
+	enumerator = this->excludes->create_enumerator(this->excludes);
+	while (enumerator->enumerate(enumerator, &exclude))
+	{
+		if (dst->ip_equals(dst, exclude->dst))
+		{
+			route->exclude = exclude;
+			exclude->refs++;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!route->exclude)
+	{
+		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
+		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
+												   dst, NULL);
+		if (gtw)
+		{
+			char *if_name = NULL;
+
+			if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface, src, &if_name) &&
+				hydra->kernel_interface->add_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									gtw, src, if_name) == SUCCESS)
+			{
+				INIT(exclude,
+					.dst = dst->clone(dst),
+					.src = src->clone(src),
+					.gtw = gtw->clone(gtw),
+					.refs = 1,
+				);
+				route->exclude = exclude;
+				this->excludes->insert_last(this->excludes, exclude);
+			}
+			else
+			{
+				DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
+			}
+			gtw->destroy(gtw);
+			free(if_name);
+		}
+		else
+		{
+			DBG1(DBG_KNL, "gateway lookup for for %H failed", dst);
+		}
+	}
+}
+
+/**
+ * Remove an exclude route attached to a routing entry
+ */
+static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this,
+								 route_entry_t *route)
+{
+	if (route->exclude)
+	{
+		enumerator_t *enumerator;
+		exclude_route_t *exclude;
+		bool removed = FALSE;
+		host_t *dst;
+
+		enumerator = this->excludes->create_enumerator(this->excludes);
+		while (enumerator->enumerate(enumerator, &exclude))
+		{
+			if (route->exclude == exclude)
+			{
+				if (--exclude->refs == 0)
+				{
+					this->excludes->remove_at(this->excludes, enumerator);
+					removed = TRUE;
+					break;
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (removed)
+		{
+			char *if_name = NULL;
+
+			dst = route->exclude->dst;
+			DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
+				 dst, route->exclude->src);
+			if (hydra->kernel_interface->get_interface(
+									hydra->kernel_interface,
+									route->exclude->src, &if_name) &&
+				hydra->kernel_interface->del_route(hydra->kernel_interface,
+									dst->get_address(dst),
+									dst->get_family(dst) == AF_INET ? 32 : 128,
+									route->exclude->gtw, route->exclude->src,
+									if_name) != SUCCESS)
+			{
+				DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
+			}
+			exclude_route_destroy(route->exclude);
+			free(if_name);
+		}
+		route->exclude = NULL;
+	}
+}
+
+/**
+ * Try to install a route to the given inbound policy
+ */
+static bool install_route(private_kernel_pfkey_ipsec_t *this,
+						  policy_entry_t *policy, policy_sa_in_t *in)
+{
+	route_entry_t *route, *old;
+	host_t *host, *src, *dst;
+	bool is_virtual;
+
+	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+									in->dst_ts, &host, &is_virtual) != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* switch src/dst, as we handle an IN policy */
+	src = in->generic.sa->dst;
+	dst = in->generic.sa->src;
+
+	INIT(route,
+		.prefixlen = policy->src.mask,
+		.src_ip = host,
+		.gateway = hydra->kernel_interface->get_nexthop(
+											hydra->kernel_interface, dst, src),
+		.dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
+	);
+
+	/* if the IP is virtual, we install the route over the interface it has
+	 * been installed on. Otherwise we use the interface we use for IKE, as
+	 * this is required for example on Linux. */
+	if (is_virtual)
+	{
+		src = route->src_ip;
+	}
+
+	/* get interface for route, using source address */
+	if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												src, &route->if_name))
+	{
+		route_entry_destroy(route);
+		return FALSE;
+	}
+
+	if (policy->route)
+	{
+		old = policy->route;
+
+		if (route_entry_equals(old, route))
+		{	/* such a route already exists */
+			route_entry_destroy(route);
+			return TRUE;
+		}
+		/* uninstall previously installed route */
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+									old->dst_net, old->prefixlen, old->gateway,
+									old->src_ip, old->if_name) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "error uninstalling route installed with policy "
+				 "%R === %R %N", in->src_ts, in->dst_ts,
+				policy_dir_names, policy->direction);
+		}
+		route_entry_destroy(old);
+		policy->route = NULL;
+	}
+
+	/* if remote traffic selector covers the IKE peer, add an exclude route */
+	if (hydra->kernel_interface->get_features(
+					hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
+	{
+		if (in->src_ts->is_host(in->src_ts, dst))
+		{
+			DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts "
+				 "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names,
+				 policy->direction);
+			route_entry_destroy(route);
+			return FALSE;
+		}
+		if (in->src_ts->includes(in->src_ts, dst))
+		{
+			add_exclude_route(this, route, in->generic.sa->dst, dst);
+		}
+	}
+
+	DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
+		 in->src_ts, route->gateway, route->src_ip, route->if_name);
+
+	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
+							route->dst_net, route->prefixlen, route->gateway,
+							route->src_ip, route->if_name))
+	{
+		case ALREADY_DONE:
+			/* route exists, do not uninstall */
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			return TRUE;
+		case SUCCESS:
+			/* cache the installed route */
+			policy->route = route;
+			return TRUE;
+		default:
+			DBG1(DBG_KNL, "installing route failed: %R via %H src %H dev %s",
+				 in->src_ts, route->gateway, route->src_ip, route->if_name);
+			remove_exclude_route(this, route);
+			route_entry_destroy(route);
+			return FALSE;
+	}
+}
+
+/**
  * Add or update a policy in the kernel.
  *
  * Note: The mutex has to be locked when entering this function.
@@ -1919,9 +2228,9 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
 	if (ipsec->cfg.mode == MODE_TUNNEL)
 	{
-		len = hostcpy(req + 1, ipsec->src);
+		len = hostcpy(req + 1, ipsec->src, FALSE);
 		req->sadb_x_ipsecrequest_len += len;
-		len = hostcpy((char*)(req + 1) + len, ipsec->dst);
+		len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE);
 		req->sadb_x_ipsecrequest_len += len;
 	}
 
@@ -1929,9 +2238,9 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 	PFKEY_EXT_ADD(msg, pol);
 
 	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
+				 policy->src.mask, TRUE);
 	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
+				 policy->dst.mask, TRUE);
 
 #ifdef __FreeBSD__
 	{	/* on FreeBSD a lifetime has to be defined to be able to later query
@@ -1969,8 +2278,8 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 
 	/* we try to find the policy again and update the kernel index */
 	this->mutex->lock(this->mutex);
-	if (this->policies->find_last(this->policies, NULL,
-								 (void**)&policy) != SUCCESS)
+	if (this->policies->find_first(this->policies, NULL,
+								  (void**)&policy) != SUCCESS)
 	{
 		DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
 					  "ignoring");
@@ -1986,85 +2295,10 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 	 * - we are in tunnel mode
 	 * - routing is not disabled via strongswan.conf
 	 */
-	if (policy->direction == POLICY_FWD &&
+	if (policy->direction == POLICY_IN &&
 		ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
 	{
-		route_entry_t *route = malloc_thing(route_entry_t);
-		policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
-
-		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-				fwd->dst_ts, &route->src_ip) == SUCCESS)
-		{
-			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = hydra->kernel_interface->get_nexthop(
-										hydra->kernel_interface, ipsec->src);
-			/* install route via outgoing interface */
-			route->if_name = hydra->kernel_interface->get_interface(
-										hydra->kernel_interface, ipsec->dst);
-			route->dst_net = chunk_clone(policy->src.net->get_address(
-											policy->src.net));
-			route->prefixlen = policy->src.mask;
-
-			if (!route->if_name)
-			{
-				this->mutex->unlock(this->mutex);
-				route_entry_destroy(route);
-				return SUCCESS;
-			}
-
-			if (policy->route)
-			{
-				route_entry_t *old = policy->route;
-				if (route_entry_equals(old, route))
-				{	/* keep previously installed route. since it might have
-					 * still been removed by an address change, we install it
-					 * again but ignore the result */
-					hydra->kernel_interface->add_route(hydra->kernel_interface,
-							route->dst_net, route->prefixlen, route->gateway,
-							route->src_ip, route->if_name);
-					this->mutex->unlock(this->mutex);
-					route_entry_destroy(route);
-					return SUCCESS;
-				}
-				/* uninstall previously installed route */
-				if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-						old->dst_net, old->prefixlen, old->gateway,
-						old->src_ip, old->if_name) != SUCCESS)
-				{
-					DBG1(DBG_KNL, "error uninstalling route installed with "
-								  "policy %R === %R %N", fwd->src_ts,
-								   fwd->dst_ts, policy_dir_names,
-								   policy->direction);
-				}
-				route_entry_destroy(old);
-				policy->route = NULL;
-			}
-
-			DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
-				 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
-			switch (hydra->kernel_interface->add_route(
-								hydra->kernel_interface, route->dst_net,
-								route->prefixlen, route->gateway,
-								route->src_ip, route->if_name))
-			{
-				default:
-					DBG1(DBG_KNL, "unable to install source route for %H",
-								   route->src_ip);
-					/* FALL */
-				case ALREADY_DONE:
-					/* route exists, do not uninstall */
-					route_entry_destroy(route);
-					break;
-				case SUCCESS:
-					/* cache the installed route */
-					policy->route = route;
-					break;
-			}
-		}
-		else
-		{
-			free(route);
-		}
+		install_route(this, policy, (policy_sa_in_t*)mapping);
 	}
 	this->mutex->unlock(this->mutex);
 	return SUCCESS;
@@ -2102,7 +2336,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	}
 	else
 	{	/* use the new one, if we have no such policy */
-		this->policies->insert_last(this->policies, policy);
+		this->policies->insert_first(this->policies, policy);
 		policy->used_by = linked_list_create();
 	}
 
@@ -2200,9 +2434,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 	PFKEY_EXT_ADD(msg, pol);
 
 	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
+				 policy->src.mask, TRUE);
 	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
+				 policy->dst.mask, TRUE);
 
 	this->mutex->unlock(this->mutex);
 
@@ -2230,7 +2464,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 	}
 	else if (response.lft_current == NULL)
 	{
-		DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+		DBG2(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
 					  "use time", src_ts, dst_ts, policy_dir_names, direction);
 		free(out);
 		return FAILED;
@@ -2259,9 +2493,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	struct sadb_msg *msg, *out;
 	struct sadb_x_policy *pol;
 	policy_entry_t *policy, *found = NULL;
-	policy_sa_t *mapping;
+	policy_sa_t *mapping, *to_remove = NULL;
 	enumerator_t *enumerator;
-	bool is_installed = TRUE;
+	bool first = TRUE, is_installed = TRUE;
 	u_int32_t priority;
 	size_t len;
 
@@ -2291,19 +2525,31 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	policy_entry_destroy(policy, this);
 	policy = found;
 
-	/* remove mapping to SA by reqid and priority */
+	/* remove mapping to SA by reqid and priority, if multiple match, which
+	 * could happen when rekeying due to an address change, remove the oldest */
 	priority = get_priority(policy, prio);
 	enumerator = policy->used_by->create_enumerator(policy->used_by);
 	while (enumerator->enumerate(enumerator, (void**)&mapping))
 	{
 		if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
 		{
-			policy->used_by->remove_at(policy->used_by, enumerator);
+			to_remove = mapping;
+			is_installed = first;
+		}
+		else if (priority < mapping->priority)
+		{
 			break;
 		}
-		is_installed = FALSE;
+		first = FALSE;
 	}
 	enumerator->destroy(enumerator);
+	if (!to_remove)
+	{	/* sanity check */
+		this->mutex->unlock(this->mutex);
+		return SUCCESS;
+	}
+	policy->used_by->remove(policy->used_by, to_remove, NULL);
+	mapping = to_remove;
 
 	if (policy->used_by->get_count(policy->used_by) > 0)
 	{	/* policy is used by more SAs, keep in kernel */
@@ -2344,9 +2590,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	PFKEY_EXT_ADD(msg, pol);
 
 	add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
-				 policy->src.mask);
+				 policy->src.mask, TRUE);
 	add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
-				 policy->dst.mask);
+				 policy->dst.mask, TRUE);
 
 	if (policy->route)
 	{
@@ -2359,6 +2605,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 						  "policy %R === %R %N", src_ts, dst_ts,
 						   policy_dir_names, direction);
 		}
+		remove_exclude_route(this, route);
 	}
 
 	this->policies->remove(this->policies, found, NULL);
@@ -2497,25 +2744,49 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
 	return TRUE;
 }
 
-METHOD(kernel_ipsec_t, destroy, void,
-	private_kernel_pfkey_ipsec_t *this)
+METHOD(kernel_ipsec_t, enable_udp_decap, bool,
+	private_kernel_pfkey_ipsec_t *this, int fd, int family, u_int16_t port)
 {
-	if (this->job)
+#ifndef __APPLE__
+	int type = UDP_ENCAP_ESPINUDP;
+
+	if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
 	{
-		this->job->cancel(this->job);
+		DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
+		return FALSE;
 	}
+#else /* __APPLE__ */
+	int intport = port;
+
+	if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &intport,
+					 sizeof(intport)) != 0)
+	{
+		DBG1(DBG_KNL, "could not set net.inet.ipsec.esp_port to %d: %s",
+			 port, strerror(errno));
+		return FALSE;
+	}
+#endif /* __APPLE__ */
+
+	return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+	private_kernel_pfkey_ipsec_t *this)
+{
 	if (this->socket > 0)
 	{
 		close(this->socket);
 	}
 	if (this->socket_events > 0)
 	{
+		lib->watcher->remove(lib->watcher, this->socket_events);
 		close(this->socket_events);
 	}
 	this->policies->invoke_function(this->policies,
 								   (linked_list_invoke_t)policy_entry_destroy,
 									this);
 	this->policies->destroy(this->policies);
+	this->excludes->destroy(this->excludes);
 	this->sas->destroy(this->sas);
 	this->mutex->destroy(this->mutex);
 	this->mutex_pfkey->destroy(this->mutex_pfkey);
@@ -2528,6 +2799,7 @@ METHOD(kernel_ipsec_t, destroy, void,
 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 {
 	private_kernel_pfkey_ipsec_t *this;
+	bool register_for_events = TRUE;
 
 	INIT(this,
 		.public = {
@@ -2544,10 +2816,12 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 				.del_policy = _del_policy,
 				.flush_policies = _flush_policies,
 				.bypass_socket = _bypass_socket,
+				.enable_udp_decap = _enable_udp_decap,
 				.destroy = _destroy,
 			},
 		},
 		.policies = linked_list_create(),
+		.excludes = linked_list_create(),
 		.sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
 								(hashtable_equals_t)ipsec_sa_equals, 32),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
@@ -2557,9 +2831,9 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 												  hydra->daemon),
 	);
 
-	if (streq(hydra->daemon, "pluto"))
-	{	/* no routes for pluto, they are installed via updown script */
-		this->install_routes = FALSE;
+	if (streq(hydra->daemon, "starter"))
+	{	/* starter has no threads, so we do not register for kernel events */
+		register_for_events = FALSE;
 	}
 
 	/* create a PF_KEY socket to communicate with the kernel */
@@ -2571,28 +2845,29 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 		return NULL;
 	}
 
-	/* create a PF_KEY socket for ACQUIRE & EXPIRE */
-	this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (this->socket_events <= 0)
+	if (register_for_events)
 	{
-		DBG1(DBG_KNL, "unable to create PF_KEY event socket");
-		destroy(this);
-		return NULL;
-	}
+		/* create a PF_KEY socket for ACQUIRE & EXPIRE */
+		this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+		if (this->socket_events <= 0)
+		{
+			DBG1(DBG_KNL, "unable to create PF_KEY event socket");
+			destroy(this);
+			return NULL;
+		}
 
-	/* register the event socket */
-	if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
-		register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
-	{
-		DBG1(DBG_KNL, "unable to register PF_KEY event socket");
-		destroy(this);
-		return NULL;
-	}
+		/* register the event socket */
+		if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
+			register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
+		{
+			DBG1(DBG_KNL, "unable to register PF_KEY event socket");
+			destroy(this);
+			return NULL;
+		}
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+		lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
+	}
 
 	return &this->public;
 }
-
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 894175402..61d576547 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -62,6 +62,12 @@ plugin_t *kernel_pfkey_plugin_create()
 {
 	private_kernel_pfkey_plugin_t *this;
 
+	if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
+	{	/* required to open PF_KEY sockets */
+		DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.am b/src/libhydra/plugins/kernel_pfroute/Makefile.am
index df3109eb8..9d1621366 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.am
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 1412db0ec..b0324ac18 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_kernel_pfroute_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
 	kernel_pfroute_net.lo
 libstrongswan_kernel_pfroute_la_OBJECTS =  \
 	$(am_libstrongswan_kernel_pfroute_la_OBJECTS)
-libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_kernel_pfroute_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_kernel_pfroute_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
 libstrongswan_kernel_pfroute_la_SOURCES = \
@@ -340,7 +405,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -348,6 +412,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -369,8 +435,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
-	$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
+libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_pfroute_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_kernel_pfroute_la_LINK) $(am_libstrongswan_kernel_pfroute_la_rpath) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +573,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 5464568df..976170c57 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,6 +16,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <net/if.h>
+#include <net/if_dl.h>
 #include <ifaddrs.h>
 #include <net/route.h>
 #include <unistd.h>
@@ -24,22 +25,36 @@
 #include "kernel_pfroute_net.h"
 
 #include <hydra.h>
-#include <debug.h>
-#include <utils/host.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <networking/tun_device.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <threading/condvar.h>
+#include <threading/rwlock.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
 
 #ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
 #error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
 #endif
 
+/** properly align sockaddrs */
+#ifdef __APPLE__
+/* Apple always uses 4 bytes */
+#define SA_ALIGN 4
+#else
+/* while on other platforms like FreeBSD it depends on the architecture */
+#define SA_ALIGN sizeof(long)
+#endif
+#define SA_LEN(len) ((len) > 0 ? (((len)+SA_ALIGN-1) & ~(SA_ALIGN-1)) : SA_ALIGN)
+
 /** delay before firing roam events (ms) */
 #define ROAM_DELAY 100
 
-/** buffer size for PF_ROUTE messages */
-#define PFROUTE_BUFFER_SIZE 4096
+/** delay before reinstalling routes (ms) */
+#define ROUTE_DELAY 100
 
 typedef struct addr_entry_t addr_entry_t;
 
@@ -53,9 +68,6 @@ struct addr_entry_t {
 
 	/** virtual IP managed by us */
 	bool virtual;
-
-	/** Number of times this IP is used, if virtual */
-	u_int refcount;
 };
 
 /**
@@ -85,6 +97,9 @@ struct iface_entry_t {
 
 	/** list of addresses as host_t */
 	linked_list_t *addrs;
+
+	/** TRUE if usable by config */
+	bool usable;
 };
 
 /**
@@ -96,6 +111,190 @@ static void iface_entry_destroy(iface_entry_t *this)
 	free(this);
 }
 
+/**
+ * check if an interface is up
+ */
+static inline bool iface_entry_up(iface_entry_t *iface)
+{
+	return (iface->flags & IFF_UP) == IFF_UP;
+}
+
+/**
+ * check if an interface is up and usable
+ */
+static inline bool iface_entry_up_and_usable(iface_entry_t *iface)
+{
+	return iface->usable && iface_entry_up(iface);
+}
+
+typedef struct addr_map_entry_t addr_map_entry_t;
+
+/**
+ * Entry that maps an IP address to an interface entry
+ */
+struct addr_map_entry_t {
+	/** The IP address */
+	host_t *ip;
+
+	/** The address entry for this IP address */
+	addr_entry_t *addr;
+
+	/** The interface this address is installed on */
+	iface_entry_t *iface;
+};
+
+/**
+ * Hash a addr_map_entry_t object, all entries with the same IP address
+ * are stored in the same bucket
+ */
+static u_int addr_map_entry_hash(addr_map_entry_t *this)
+{
+	return chunk_hash(this->ip->get_address(this->ip));
+}
+
+/**
+ * Compare two addr_map_entry_t objects, two entries are equal if they are
+ * installed on the same interface
+ */
+static bool addr_map_entry_equals(addr_map_entry_t *a, addr_map_entry_t *b)
+{
+	return a->iface->ifindex == b->iface->ifindex &&
+		   a->ip->ip_equals(a->ip, b->ip);
+}
+
+/**
+ * Used with get_match this finds an address entry if it is installed on
+ * an up and usable interface
+ */
+static bool addr_map_entry_match_up_and_usable(addr_map_entry_t *a,
+											   addr_map_entry_t *b)
+{
+	return !b->addr->virtual && iface_entry_up_and_usable(b->iface) &&
+			a->ip->ip_equals(a->ip, b->ip);
+}
+
+/**
+ * Used with get_match this finds an address entry if it is installed as virtual
+ * IP address
+ */
+static bool addr_map_entry_match_virtual(addr_map_entry_t *a, addr_map_entry_t *b)
+{
+	return b->addr->virtual && a->ip->ip_equals(a->ip, b->ip);
+}
+
+/**
+ * Used with get_match this finds an address entry if it is installed on
+ * any active local interface
+ */
+static bool addr_map_entry_match_up(addr_map_entry_t *a, addr_map_entry_t *b)
+{
+	return !b->addr->virtual && iface_entry_up(b->iface) &&
+			a->ip->ip_equals(a->ip, b->ip);
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * Installed routing entry
+ */
+struct route_entry_t {
+	/** Name of the interface the route is bound to */
+	char *if_name;
+
+	/** Gateway for this route */
+	host_t *gateway;
+
+	/** Destination net */
+	chunk_t dst_net;
+
+	/** Destination net prefixlen */
+	u_int8_t prefixlen;
+};
+
+/**
+ * Clone a route_entry_t object.
+ */
+static route_entry_t *route_entry_clone(route_entry_t *this)
+{
+	route_entry_t *route;
+
+	INIT(route,
+		.if_name = strdup(this->if_name),
+		.gateway = this->gateway ? this->gateway->clone(this->gateway) : NULL,
+		.dst_net = chunk_clone(this->dst_net),
+		.prefixlen = this->prefixlen,
+	);
+	return route;
+}
+
+/**
+ * Destroy a route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+	free(this->if_name);
+	DESTROY_IF(this->gateway);
+	chunk_free(&this->dst_net);
+	free(this);
+}
+
+/**
+ * Hash a route_entry_t object
+ */
+static u_int route_entry_hash(route_entry_t *this)
+{
+	return chunk_hash_inc(chunk_from_thing(this->prefixlen),
+						  chunk_hash(this->dst_net));
+}
+
+/**
+ * Compare two route_entry_t objects
+ */
+static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
+{
+	if (a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+		chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen)
+	{
+		return (!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
+					a->gateway->ip_equals(a->gateway, b->gateway));
+	}
+	return FALSE;
+}
+
+typedef struct net_change_t net_change_t;
+
+/**
+ * Queued network changes
+ */
+struct net_change_t {
+	/** Name of the interface that got activated (or an IP appeared on) */
+	char *if_name;
+};
+
+/**
+ * Destroy a net_change_t object
+ */
+static void net_change_destroy(net_change_t *this)
+{
+	free(this->if_name);
+	free(this);
+}
+
+/**
+ * Hash a net_change_t object
+ */
+static u_int net_change_hash(net_change_t *this)
+{
+	return chunk_hash(chunk_create(this->if_name, strlen(this->if_name)));
+}
+
+/**
+ * Compare two net_change_t objects
+ */
+static bool net_change_equals(net_change_t *a, net_change_t *b)
+{
+	return streq(a->if_name, b->if_name);
+}
 
 typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
 
@@ -110,9 +309,9 @@ struct private_kernel_pfroute_net_t
 	kernel_pfroute_net_t public;
 
 	/**
-	 * mutex to lock access to various lists
+	 * lock to access lists and maps
 	 */
-	mutex_t *mutex;
+	rwlock_t *lock;
 
 	/**
 	 * Cached list of interfaces and their addresses (iface_entry_t)
@@ -120,24 +319,59 @@ struct private_kernel_pfroute_net_t
 	linked_list_t *ifaces;
 
 	/**
-	 * job receiving PF_ROUTE events
+	 * Map for IP addresses to iface_entry_t objects (addr_map_entry_t)
 	 */
-	callback_job_t *job;
+	hashtable_t *addrs;
 
 	/**
-	 * mutex to lock access to the PF_ROUTE socket
+	 * List of tun devices we installed for virtual IPs
 	 */
-	mutex_t *mutex_pfroute;
+	linked_list_t *tuns;
 
 	/**
-	 * PF_ROUTE socket to communicate with the kernel
+	 * mutex to communicate exclusively with PF_KEY
 	 */
-	int socket;
+	mutex_t *mutex;
+
+	/**
+	 * condvar to signal if PF_KEY query got a response
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * installed routes
+	 */
+	hashtable_t *routes;
+
+	/**
+	 * mutex for routes
+	 */
+	mutex_t *routes_lock;
+
+	/**
+	 * interface changes which may trigger route reinstallation
+	 */
+	hashtable_t *net_changes;
+
+	/**
+	 * mutex for route reinstallation triggers
+	 */
+	mutex_t *net_changes_lock;
 
 	/**
-	 * PF_ROUTE socket to receive events
+	 * time of last route reinstallation
 	 */
-	int socket_events;
+	timeval_t last_route_reinstall;
+
+	/**
+	 * pid to send PF_ROUTE messages with
+	 */
+	pid_t pid;
+
+	/**
+	 * PF_ROUTE socket to communicate with the kernel
+	 */
+	int socket;
 
 	/**
 	 * sequence number for messages sent to the kernel
@@ -145,11 +379,155 @@ struct private_kernel_pfroute_net_t
 	int seq;
 
 	/**
+	 * Sequence number a query is waiting for
+	 */
+	int waiting_seq;
+
+	/**
+	 * Allocated reply message from kernel
+	 */
+	struct rt_msghdr *reply;
+
+	/**
 	 * time of last roam event
 	 */
 	timeval_t last_roam;
+
+	/**
+	 * Time in ms to wait for IP addresses to appear/disappear
+	 */
+	int vip_wait;
 };
 
+
+/**
+ * Forward declaration
+ */
+static status_t manage_route(private_kernel_pfroute_net_t *this, int op,
+							 chunk_t dst_net, u_int8_t prefixlen,
+							 host_t *gateway, char *if_name);
+
+/**
+ * Clear the queued network changes.
+ */
+static void net_changes_clear(private_kernel_pfroute_net_t *this)
+{
+	enumerator_t *enumerator;
+	net_change_t *change;
+
+	enumerator = this->net_changes->create_enumerator(this->net_changes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&change))
+	{
+		this->net_changes->remove_at(this->net_changes, enumerator);
+		net_change_destroy(change);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Act upon queued network changes.
+ */
+static job_requeue_t reinstall_routes(private_kernel_pfroute_net_t *this)
+{
+	enumerator_t *enumerator;
+	route_entry_t *route;
+
+	this->net_changes_lock->lock(this->net_changes_lock);
+	this->routes_lock->lock(this->routes_lock);
+
+	enumerator = this->routes->create_enumerator(this->routes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&route))
+	{
+		net_change_t *change, lookup = {
+			.if_name = route->if_name,
+		};
+		/* check if a change for the outgoing interface is queued */
+		change = this->net_changes->get(this->net_changes, &lookup);
+		if (change)
+		{
+			manage_route(this, RTM_ADD, route->dst_net, route->prefixlen,
+						 route->gateway, route->if_name);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->routes_lock->unlock(this->routes_lock);
+
+	net_changes_clear(this);
+	this->net_changes_lock->unlock(this->net_changes_lock);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Queue route reinstallation caused by network changes for a given interface.
+ *
+ * The route reinstallation is delayed for a while and only done once for
+ * several calls during this delay, in order to avoid doing it too often.
+ * The interface name is freed.
+ */
+static void queue_route_reinstall(private_kernel_pfroute_net_t *this,
+								  char *if_name)
+{
+	net_change_t *update, *found;
+	timeval_t now;
+	job_t *job;
+
+	INIT(update,
+		.if_name = if_name
+	);
+
+	this->net_changes_lock->lock(this->net_changes_lock);
+	found = this->net_changes->put(this->net_changes, update, update);
+	if (found)
+	{
+		net_change_destroy(found);
+	}
+	time_monotonic(&now);
+	if (timercmp(&now, &this->last_route_reinstall, >))
+	{
+		timeval_add_ms(&now, ROUTE_DELAY);
+		this->last_route_reinstall = now;
+
+		job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
+										  this, NULL, NULL);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROUTE_DELAY);
+	}
+	this->net_changes_lock->unlock(this->net_changes_lock);
+}
+
+/**
+ * Add an address map entry
+ */
+static void addr_map_entry_add(private_kernel_pfroute_net_t *this,
+							   addr_entry_t *addr, iface_entry_t *iface)
+{
+	addr_map_entry_t *entry;
+
+	INIT(entry,
+		.ip = addr->ip,
+		.addr = addr,
+		.iface = iface,
+	);
+	entry = this->addrs->put(this->addrs, entry, entry);
+	free(entry);
+}
+
+/**
+ * Remove an address map entry (the argument order is a bit strange because
+ * it is also used with linked_list_t.invoke_function)
+ */
+static void addr_map_entry_remove(addr_entry_t *addr, iface_entry_t *iface,
+								  private_kernel_pfroute_net_t *this)
+{
+	addr_map_entry_t *entry, lookup = {
+		.ip = addr->ip,
+		.addr = addr,
+		.iface = iface,
+	};
+
+	entry = this->addrs->remove(this->addrs, &lookup);
+	free(entry);
+}
+
 /**
  * callback function that raises the delayed roam event
  */
@@ -171,12 +549,7 @@ static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address)
 	time_monotonic(&now);
 	if (timercmp(&now, &this->last_roam, >))
 	{
-		now.tv_usec += ROAM_DELAY * 1000;
-		while (now.tv_usec > 1000000)
-		{
-			now.tv_sec++;
-			now.tv_usec -= 1000000;
-		}
+		timeval_add_ms(&now, ROAM_DELAY);
 		this->last_roam = now;
 
 		job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
@@ -187,39 +560,118 @@ static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address)
 }
 
 /**
+ * Data for enumerator over rtmsg sockaddrs
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** copy of attribute bitfield */
+	int types;
+	/** bytes remaining in buffer */
+	int remaining;
+	/** next sockaddr to enumerate */
+	struct sockaddr *addr;
+} rt_enumerator_t;
+
+METHOD(enumerator_t, rt_enumerate, bool,
+	rt_enumerator_t *this, int *xtype, struct sockaddr **addr)
+{
+	int i, type;
+
+	if (this->remaining < sizeof(this->addr->sa_len) ||
+		this->remaining < this->addr->sa_len)
+	{
+		return FALSE;
+	}
+	for (i = 0; i < RTAX_MAX; i++)
+	{
+		type = (1 << i);
+		if (this->types & type)
+		{
+			this->types &= ~type;
+			*addr = this->addr;
+			*xtype = i;
+			this->remaining -= SA_LEN(this->addr->sa_len);
+			this->addr = (struct sockaddr*)((char*)this->addr +
+											SA_LEN(this->addr->sa_len));
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Create an enumerator over sockaddrs in rt/if messages
+ */
+static enumerator_t *create_rt_enumerator(int types, int remaining,
+										  struct sockaddr *addr)
+{
+	rt_enumerator_t *this;
+
+	INIT(this,
+		.public = {
+			.enumerate = (void*)_rt_enumerate,
+			.destroy = (void*)free,
+		},
+		.types = types,
+		.remaining = remaining,
+		.addr = addr,
+	);
+	return &this->public;
+}
+
+/**
+ * Create a safe enumerator over sockaddrs in rt_msghdr
+ */
+static enumerator_t *create_rtmsg_enumerator(struct rt_msghdr *hdr)
+{
+	return create_rt_enumerator(hdr->rtm_addrs, hdr->rtm_msglen - sizeof(*hdr),
+								(struct sockaddr *)(hdr + 1));
+}
+
+/**
+ * Create a safe enumerator over sockaddrs in ifa_msghdr
+ */
+static enumerator_t *create_ifamsg_enumerator(struct ifa_msghdr *hdr)
+{
+	return create_rt_enumerator(hdr->ifam_addrs, hdr->ifam_msglen - sizeof(*hdr),
+								(struct sockaddr *)(hdr + 1));
+}
+
+/**
  * Process an RTM_*ADDR message from the kernel
  */
 static void process_addr(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *msg)
+						 struct ifa_msghdr *ifa)
 {
-	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
-	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+	struct sockaddr *sockaddr;
 	host_t *host = NULL;
 	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
 	addr_entry_t *addr;
 	bool found = FALSE, changed = FALSE, roam = FALSE;
-	int i;
+	enumerator_t *enumerator;
+	char *ifname = NULL;
+	int type;
 
-	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+	enumerator = create_ifamsg_enumerator(ifa);
+	while (enumerator->enumerate(enumerator, &type, &sockaddr))
 	{
-		if (ifa->ifam_addrs & i)
+		if (type == RTAX_IFA)
 		{
-			if (RTA_IFA & i)
-			{
-				host = host_create_from_sockaddr(sockaddr);
-				break;
-			}
-			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+			host = host_create_from_sockaddr(sockaddr);
+			break;
 		}
 	}
+	enumerator->destroy(enumerator);
 
-	if (!host)
+	if (!host || host->is_anyaddr(host))
 	{
+		DESTROY_IF(host);
 		return;
 	}
 
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
 	{
@@ -234,34 +686,35 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 					if (ifa->ifam_type == RTM_DELADDR)
 					{
 						iface->addrs->remove_at(iface->addrs, addrs);
-						if (!addr->virtual)
+						if (!addr->virtual && iface->usable)
 						{
 							changed = TRUE;
 							DBG1(DBG_KNL, "%H disappeared from %s",
 								 host, iface->ifname);
 						}
+						addr_map_entry_remove(addr, iface, this);
 						addr_entry_destroy(addr);
 					}
-					else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
-					{
-						addr->refcount = 1;
-					}
 				}
 			}
 			addrs->destroy(addrs);
 
 			if (!found && ifa->ifam_type == RTM_NEWADDR)
 			{
+				INIT(addr,
+					.ip = host->clone(host),
+				);
 				changed = TRUE;
-				addr = malloc_thing(addr_entry_t);
-				addr->ip = host->clone(host);
-				addr->virtual = FALSE;
-				addr->refcount = 1;
+				ifname = strdup(iface->ifname);
 				iface->addrs->insert_last(iface->addrs, addr);
-				DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+				addr_map_entry_add(this, addr, iface);
+				if (iface->usable)
+				{
+					DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+				}
 			}
 
-			if (changed && (iface->flags & IFF_UP))
+			if (changed && iface_entry_up_and_usable(iface))
 			{
 				roam = TRUE;
 			}
@@ -269,9 +722,18 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 		}
 	}
 	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
+	this->lock->unlock(this->lock);
 	host->destroy(host);
 
+	if (roam && ifname)
+	{
+		queue_route_reinstall(this, ifname);
+	}
+	else
+	{
+		free(ifname);
+	}
+
 	if (roam)
 	{
 		fire_roam_event(this, TRUE);
@@ -279,43 +741,112 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 }
 
 /**
+ * Re-initialize address list of an interface if it changes state
+ */
+static void repopulate_iface(private_kernel_pfroute_net_t *this,
+							 iface_entry_t *iface)
+{
+	struct ifaddrs *ifap, *ifa;
+	addr_entry_t *addr;
+
+	while (iface->addrs->remove_last(iface->addrs, (void**)&addr) == SUCCESS)
+	{
+		addr_map_entry_remove(addr, iface, this);
+		addr_entry_destroy(addr);
+	}
+
+	if (getifaddrs(&ifap) == 0)
+	{
+		for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+		{
+			if (ifa->ifa_addr && streq(ifa->ifa_name, iface->ifname))
+			{
+				switch (ifa->ifa_addr->sa_family)
+				{
+					case AF_INET:
+					case AF_INET6:
+						INIT(addr,
+							.ip = host_create_from_sockaddr(ifa->ifa_addr),
+						);
+						iface->addrs->insert_last(iface->addrs, addr);
+						addr_map_entry_add(this, addr, iface);
+						break;
+					default:
+						break;
+				}
+			}
+		}
+		freeifaddrs(ifap);
+	}
+}
+
+/**
  * Process an RTM_IFINFO message from the kernel
  */
 static void process_link(private_kernel_pfroute_net_t *this,
-						 struct rt_msghdr *hdr)
+						 struct if_msghdr *msg)
 {
-	struct if_msghdr *msg = (struct if_msghdr*)hdr;
 	enumerator_t *enumerator;
 	iface_entry_t *iface;
-	bool roam = FALSE;
-
-	if (msg->ifm_flags & IFF_LOOPBACK)
-	{	/* ignore loopback interfaces */
-		return;
-	}
+	bool roam = FALSE, found = FALSE, update_routes = FALSE;
 
-	this->mutex->lock(this->mutex);
+	this->lock->write_lock(this->lock);
 	enumerator = this->ifaces->create_enumerator(this->ifaces);
 	while (enumerator->enumerate(enumerator, &iface))
 	{
 		if (iface->ifindex == msg->ifm_index)
 		{
-			if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
-			{
-				roam = TRUE;
-				DBG1(DBG_KNL, "interface %s activated", iface->ifname);
-			}
-			else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+			if (iface->usable)
 			{
-				roam = TRUE;
-				DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+				if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+				{
+					roam = update_routes = TRUE;
+					DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+				}
+				else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+				{
+					roam = TRUE;
+					DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+				}
 			}
 			iface->flags = msg->ifm_flags;
+			repopulate_iface(this, iface);
+			found = TRUE;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+
+	if (!found)
+	{
+		INIT(iface,
+			.ifindex = msg->ifm_index,
+			.flags = msg->ifm_flags,
+			.addrs = linked_list_create(),
+		);
+		if (if_indextoname(iface->ifindex, iface->ifname))
+		{
+			DBG1(DBG_KNL, "interface %s appeared", iface->ifname);
+			iface->usable = hydra->kernel_interface->is_interface_usable(
+										hydra->kernel_interface, iface->ifname);
+			repopulate_iface(this, iface);
+			this->ifaces->insert_last(this->ifaces, iface);
+			if (iface->usable)
+			{
+				roam = update_routes = TRUE;
+			}
+		}
+		else
+		{
+			free(iface);
+		}
+	}
+	this->lock->unlock(this->lock);
+
+	if (update_routes)
+	{
+		queue_route_reinstall(this, strdup(iface->ifname));
+	}
 
 	if (roam)
 	{
@@ -333,71 +864,106 @@ static void process_route(private_kernel_pfroute_net_t *this,
 }
 
 /**
- * Receives events from kernel
+ * Receives PF_ROUTE messages from kernel
  */
-static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+static bool receive_events(private_kernel_pfroute_net_t *this, int fd,
+						   watcher_event_t event)
 {
-	unsigned char buf[PFROUTE_BUFFER_SIZE];
-	struct rt_msghdr *msg = (struct rt_msghdr*)buf;
-	int len;
-	bool oldstate;
-
-	oldstate = thread_cancelability(TRUE);
-	len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-	thread_cancelability(oldstate);
-
+	struct {
+		union {
+			struct rt_msghdr rtm;
+			struct if_msghdr ifm;
+			struct ifa_msghdr ifam;
+		};
+		char buf[sizeof(struct sockaddr_storage) * RTAX_MAX];
+	} msg;
+	int len, hdrlen;
+
+	len = recv(this->socket, &msg, sizeof(msg), MSG_DONTWAIT);
 	if (len < 0)
 	{
 		switch (errno)
 		{
 			case EINTR:
-				/* interrupted, try again */
-				return JOB_REQUEUE_DIRECT;
 			case EAGAIN:
-				/* no data ready, select again */
-				return JOB_REQUEUE_DIRECT;
+				return TRUE;
 			default:
 				DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
 				sleep(1);
-				return JOB_REQUEUE_FAIR;
+				return TRUE;
 		}
 	}
 
-	if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
-		msg->rtm_version != RTM_VERSION)
+	if (len < offsetof(struct rt_msghdr, rtm_flags) || len < msg.rtm.rtm_msglen)
 	{
-		DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
-		return JOB_REQUEUE_DIRECT;
+		DBG1(DBG_KNL, "received invalid PF_ROUTE message");
+		return TRUE;
 	}
-
-	switch (msg->rtm_type)
+	if (msg.rtm.rtm_version != RTM_VERSION)
+	{
+		DBG1(DBG_KNL, "received PF_ROUTE message with unsupported version: %d",
+			 msg.rtm.rtm_version);
+		return TRUE;
+	}
+	switch (msg.rtm.rtm_type)
 	{
 		case RTM_NEWADDR:
 		case RTM_DELADDR:
-			process_addr(this, msg);
+			hdrlen = sizeof(msg.ifam);
 			break;
 		case RTM_IFINFO:
-		/*case RTM_IFANNOUNCE <- what about this*/
-			process_link(this, msg);
+			hdrlen = sizeof(msg.ifm);
 			break;
 		case RTM_ADD:
 		case RTM_DELETE:
-			process_route(this, msg);
+		case RTM_GET:
+			hdrlen = sizeof(msg.rtm);
+			break;
+		default:
+			return TRUE;
+	}
+	if (msg.rtm.rtm_msglen < hdrlen)
+	{
+		DBG1(DBG_KNL, "ignoring short PF_ROUTE message");
+		return TRUE;
+	}
+	switch (msg.rtm.rtm_type)
+	{
+		case RTM_NEWADDR:
+		case RTM_DELADDR:
+			process_addr(this, &msg.ifam);
+			break;
+		case RTM_IFINFO:
+			process_link(this, &msg.ifm);
+			break;
+		case RTM_ADD:
+		case RTM_DELETE:
+			process_route(this, &msg.rtm);
+			break;
 		default:
 			break;
 	}
 
-	return JOB_REQUEUE_DIRECT;
+	this->mutex->lock(this->mutex);
+	if (msg.rtm.rtm_pid == this->pid && msg.rtm.rtm_seq == this->waiting_seq)
+	{
+		/* seems like the message someone is waiting for, deliver */
+		this->reply = realloc(this->reply, msg.rtm.rtm_msglen);
+		memcpy(this->reply, &msg, msg.rtm.rtm_msglen);
+	}
+	/* signal on any event, add_ip()/del_ip() might wait for it */
+	this->condvar->broadcast(this->condvar);
+	this->mutex->unlock(this->mutex);
+
+	return TRUE;
 }
 
 
 /** enumerator over addresses */
 typedef struct {
 	private_kernel_pfroute_net_t* this;
-	/** whether to enumerate down interfaces */
-	bool include_down_ifaces;
-	/** whether to enumerate virtual ip addresses */
-	bool include_virtual_ips;
+	/** which addresses to enumerate */
+	kernel_address_type_t which;
 } address_enumerator_t;
 
 /**
@@ -405,7 +971,7 @@ typedef struct {
  */
 static void address_enumerator_destroy(address_enumerator_t *data)
 {
-	data->this->mutex->unlock(data->this->mutex);
+	data->this->lock->unlock(data->this->lock);
 	free(data);
 }
 
@@ -416,10 +982,14 @@ static bool filter_addresses(address_enumerator_t *data,
 							 addr_entry_t** in, host_t** out)
 {
 	host_t *ip;
-	if (!data->include_virtual_ips && (*in)->virtual)
+	if (!(data->which & ADDR_TYPE_VIRTUAL) && (*in)->virtual)
 	{   /* skip virtual interfaces added by us */
 		return FALSE;
 	}
+	if (!(data->which & ADDR_TYPE_REGULAR) && !(*in)->virtual)
+	{	/* address is regular, but not requested */
+		return FALSE;
+	}
 	ip = (*in)->ip;
 	if (ip->get_family(ip) == AF_INET6)
 	{
@@ -449,8 +1019,16 @@ static enumerator_t *create_iface_enumerator(iface_entry_t *iface,
 static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
 							  iface_entry_t** out)
 {
-	if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
-	{   /* skip interfaces not up */
+	if (!(data->which & ADDR_TYPE_IGNORED) && !(*in)->usable)
+	{	/* skip interfaces excluded by config */
+		return FALSE;
+	}
+	if (!(data->which & ADDR_TYPE_LOOPBACK) && ((*in)->flags & IFF_LOOPBACK))
+	{	/* ignore loopback devices */
+		return FALSE;
+	}
+	if (!(data->which & ADDR_TYPE_DOWN) && !((*in)->flags & IFF_UP))
+	{	/* skip interfaces not up */
 		return FALSE;
 	}
 	*out = *in;
@@ -458,15 +1036,16 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
 }
 
 METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
-	private_kernel_pfroute_net_t *this,
-	bool include_down_ifaces, bool include_virtual_ips)
+	private_kernel_pfroute_net_t *this, kernel_address_type_t which)
 {
-	address_enumerator_t *data = malloc_thing(address_enumerator_t);
-	data->this = this;
-	data->include_down_ifaces = include_down_ifaces;
-	data->include_virtual_ips = include_virtual_ips;
+	address_enumerator_t *data;
 
-	this->mutex->lock(this->mutex);
+	INIT(data,
+		.this = this,
+		.which = which,
+	);
+
+	this->lock->read_lock(this->lock);
 	return enumerator_create_nested(
 				enumerator_create_filter(
 					this->ifaces->create_enumerator(this->ifaces),
@@ -475,85 +1054,539 @@ METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
 				(void*)address_enumerator_destroy);
 }
 
-METHOD(kernel_net_t, get_interface_name, char*,
-	private_kernel_pfroute_net_t *this, host_t* ip)
+METHOD(kernel_net_t, get_features, kernel_feature_t,
+	private_kernel_pfroute_net_t *this)
+{
+	return KERNEL_REQUIRE_EXCLUDE_ROUTE;
+}
+
+METHOD(kernel_net_t, get_interface_name, bool,
+	private_kernel_pfroute_net_t *this, host_t* ip, char **name)
+{
+	addr_map_entry_t *entry, lookup = {
+		.ip = ip,
+	};
+
+	if (ip->is_anyaddr(ip))
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	/* first try to find it on an up and usable interface */
+	entry = this->addrs->get_match(this->addrs, &lookup,
+								  (void*)addr_map_entry_match_up_and_usable);
+	if (entry)
+	{
+		if (name)
+		{
+			*name = strdup(entry->iface->ifname);
+			DBG2(DBG_KNL, "%H is on interface %s", ip, *name);
+		}
+		this->lock->unlock(this->lock);
+		return TRUE;
+	}
+	/* check if it is a virtual IP */
+	entry = this->addrs->get_match(this->addrs, &lookup,
+								  (void*)addr_map_entry_match_virtual);
+	if (entry)
+	{
+		if (name)
+		{
+			*name = strdup(entry->iface->ifname);
+			DBG2(DBG_KNL, "virtual IP %H is on interface %s", ip, *name);
+		}
+		this->lock->unlock(this->lock);
+		return TRUE;
+	}
+	/* maybe it is installed on an ignored interface */
+	entry = this->addrs->get_match(this->addrs, &lookup,
+								  (void*)addr_map_entry_match_up);
+	if (!entry)
+	{	/* the address does not exist, is on a down interface */
+		DBG2(DBG_KNL, "%H is not a local address or the interface is down", ip);
+	}
+	this->lock->unlock(this->lock);
+	return FALSE;
+}
+
+METHOD(kernel_net_t, add_ip, status_t,
+	private_kernel_pfroute_net_t *this, host_t *vip, int prefix,
+	char *ifname)
 {
 	enumerator_t *ifaces, *addrs;
 	iface_entry_t *iface;
 	addr_entry_t *addr;
-	char *name = NULL;
+	tun_device_t *tun;
+	bool timeout = FALSE;
 
-	DBG2(DBG_KNL, "getting interface name for %H", ip);
+	tun = tun_device_create(NULL);
+	if (!tun)
+	{
+		return FAILED;
+	}
+	if (prefix == -1)
+	{
+		prefix = vip->get_address(vip).len * 8;
+	}
+	if (!tun->up(tun) || !tun->set_address(tun, vip, prefix))
+	{
+		tun->destroy(tun);
+		return FAILED;
+	}
 
+	/* wait until address appears */
 	this->mutex->lock(this->mutex);
+	while (!timeout && !get_interface_name(this, vip, NULL))
+	{
+		timeout = this->condvar->timed_wait(this->condvar, this->mutex,
+											this->vip_wait);
+	}
+	this->mutex->unlock(this->mutex);
+	if (timeout)
+	{
+		DBG1(DBG_KNL, "virtual IP %H did not appear on %s",
+			 vip, tun->get_name(tun));
+		tun->destroy(tun);
+		return FAILED;
+	}
+
+	this->lock->write_lock(this->lock);
+	this->tuns->insert_last(this->tuns, tun);
+
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
 	{
-		addrs = iface->addrs->create_enumerator(iface->addrs);
-		while (addrs->enumerate(addrs, &addr))
+		if (streq(iface->ifname, tun->get_name(tun)))
 		{
-			if (ip->ip_equals(ip, addr->ip))
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
 			{
-				name = strdup(iface->ifname);
-				break;
+				if (addr->ip->ip_equals(addr->ip, vip))
+				{
+					addr->virtual = TRUE;
+				}
 			}
+			addrs->destroy(addrs);
+			/* during IKEv1 reauthentication, children get moved from
+			 * old the new SA before the virtual IP is available. This
+			 * kills the route for our virtual IP, reinstall. */
+			queue_route_reinstall(this, strdup(iface->ifname));
+			break;
 		}
-		addrs->destroy(addrs);
-		if (name)
+	}
+	ifaces->destroy(ifaces);
+	/* lets do this while holding the lock, thus preventing another thread
+	 * from deleting the TUN device concurrently, hopefully listeners are quick
+	 * and cause no deadlocks */
+	hydra->kernel_interface->tun(hydra->kernel_interface, tun, TRUE);
+	this->lock->unlock(this->lock);
+
+	return SUCCESS;
+}
+
+METHOD(kernel_net_t, del_ip, status_t,
+	private_kernel_pfroute_net_t *this, host_t *vip, int prefix,
+	bool wait)
+{
+	enumerator_t *enumerator;
+	tun_device_t *tun;
+	host_t *addr;
+	bool timeout = FALSE, found = FALSE;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->tuns->create_enumerator(this->tuns);
+	while (enumerator->enumerate(enumerator, &tun))
+	{
+		addr = tun->get_address(tun, NULL);
+		if (addr && addr->ip_equals(addr, vip))
 		{
+			this->tuns->remove_at(this->tuns, enumerator);
+			hydra->kernel_interface->tun(hydra->kernel_interface, tun,
+										 FALSE);
+			tun->destroy(tun);
+			found = TRUE;
 			break;
 		}
 	}
-	ifaces->destroy(ifaces);
-	this->mutex->unlock(this->mutex);
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 
-	if (name)
+	if (!found)
 	{
-		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+		return NOT_FOUND;
 	}
-	else
+	/* wait until address disappears */
+	if (wait)
 	{
-		DBG2(DBG_KNL, "%H is not a local address", ip);
+		this->mutex->lock(this->mutex);
+		while (!timeout && get_interface_name(this, vip, NULL))
+		{
+			timeout = this->condvar->timed_wait(this->condvar, this->mutex,
+												this->vip_wait);
+		}
+		this->mutex->unlock(this->mutex);
+		if (timeout)
+		{
+			DBG1(DBG_KNL, "virtual IP %H did not disappear from tun", vip);
+			return FAILED;
+		}
 	}
-	return name;
+	return SUCCESS;
 }
 
-METHOD(kernel_net_t, get_source_addr, host_t*,
-	private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
+/**
+ * Append a sockaddr_in/in6 of given type to routing message
+ */
+static void add_rt_addr(struct rt_msghdr *hdr, int type, host_t *addr)
 {
-	return NULL;
+	if (addr)
+	{
+		int len;
+
+		len = *addr->get_sockaddr_len(addr);
+		memcpy((char*)hdr + hdr->rtm_msglen, addr->get_sockaddr(addr), len);
+		hdr->rtm_msglen += SA_LEN(len);
+		hdr->rtm_addrs |= type;
+	}
 }
 
-METHOD(kernel_net_t, get_nexthop, host_t*,
-	private_kernel_pfroute_net_t *this, host_t *dest)
+/**
+ * Append a subnet mask sockaddr using the given prefix to routing message
+ */
+static void add_rt_mask(struct rt_msghdr *hdr, int type, int family, int prefix)
 {
-	return NULL;
+	host_t *mask;
+
+	mask = host_create_netmask(family, prefix);
+	if (mask)
+	{
+		add_rt_addr(hdr, type, mask);
+		mask->destroy(mask);
+	}
 }
 
-METHOD(kernel_net_t, add_ip, status_t,
-	private_kernel_pfroute_net_t *this, host_t *virtual_ip, host_t *iface_ip)
+/**
+ * Append an interface name sockaddr_dl to routing message
+ */
+static void add_rt_ifname(struct rt_msghdr *hdr, int type, char *name)
 {
-	return FAILED;
+	struct sockaddr_dl sdl = {
+		.sdl_len = sizeof(struct sockaddr_dl),
+		.sdl_family = AF_LINK,
+		.sdl_nlen = strlen(name),
+	};
+
+	if (strlen(name) <= sizeof(sdl.sdl_data))
+	{
+		memcpy(sdl.sdl_data, name, sdl.sdl_nlen);
+		memcpy((char*)hdr + hdr->rtm_msglen, &sdl, sdl.sdl_len);
+		hdr->rtm_msglen += SA_LEN(sdl.sdl_len);
+		hdr->rtm_addrs |= type;
+	}
 }
 
-METHOD(kernel_net_t, del_ip, status_t,
-	private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+/**
+ * Add or remove a route
+ */
+static status_t manage_route(private_kernel_pfroute_net_t *this, int op,
+							 chunk_t dst_net, u_int8_t prefixlen,
+							 host_t *gateway, char *if_name)
 {
-	return FAILED;
+	struct {
+		struct rt_msghdr hdr;
+		char buf[sizeof(struct sockaddr_storage) * RTAX_MAX];
+	} msg = {
+		.hdr = {
+			.rtm_version = RTM_VERSION,
+			.rtm_type = op,
+			.rtm_flags = RTF_UP | RTF_STATIC,
+			.rtm_pid = this->pid,
+			.rtm_seq = ref_get(&this->seq),
+		},
+	};
+	host_t *dst;
+	int type;
+
+	if (prefixlen == 0 && dst_net.len)
+	{
+		status_t status;
+		chunk_t half;
+
+		half = chunk_clonea(dst_net);
+		half.ptr[0] |= 0x80;
+		prefixlen = 1;
+		status = manage_route(this, op, half, prefixlen, gateway, if_name);
+		if (status != SUCCESS)
+		{
+			return status;
+		}
+	}
+
+	dst = host_create_from_chunk(AF_UNSPEC, dst_net, 0);
+	if (!dst)
+	{
+		return FAILED;
+	}
+
+	if ((dst->get_family(dst) == AF_INET && prefixlen == 32) ||
+		(dst->get_family(dst) == AF_INET6 && prefixlen == 128))
+	{
+		msg.hdr.rtm_flags |= RTF_HOST | RTF_GATEWAY;
+	}
+
+	msg.hdr.rtm_msglen = sizeof(struct rt_msghdr);
+	for (type = 0; type < RTAX_MAX; type++)
+	{
+		switch (type)
+		{
+			case RTAX_DST:
+				add_rt_addr(&msg.hdr, RTA_DST, dst);
+				break;
+			case RTAX_NETMASK:
+				if (!(msg.hdr.rtm_flags & RTF_HOST))
+				{
+					add_rt_mask(&msg.hdr, RTA_NETMASK,
+								dst->get_family(dst), prefixlen);
+				}
+				break;
+			case RTAX_IFP:
+				if (if_name)
+				{
+					add_rt_ifname(&msg.hdr, RTA_IFP, if_name);
+				}
+				break;
+			case RTAX_GATEWAY:
+				if (gateway)
+				{
+					add_rt_addr(&msg.hdr, RTA_GATEWAY, gateway);
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	dst->destroy(dst);
+
+	if (send(this->socket, &msg, msg.hdr.rtm_msglen, 0) != msg.hdr.rtm_msglen)
+	{
+		if (errno == EEXIST)
+		{
+			return ALREADY_DONE;
+		}
+		DBG1(DBG_KNL, "%s PF_ROUTE route failed: %s",
+			 op == RTM_ADD ? "adding" : "deleting", strerror(errno));
+		return FAILED;
+	}
+	return SUCCESS;
 }
 
 METHOD(kernel_net_t, add_route, status_t,
 	private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 	host_t *gateway, host_t *src_ip, char *if_name)
 {
-	return FAILED;
+	status_t status;
+	route_entry_t *found, route = {
+		.dst_net = dst_net,
+		.prefixlen = prefixlen,
+		.gateway = gateway,
+		.if_name = if_name,
+	};
+
+	this->routes_lock->lock(this->routes_lock);
+	found = this->routes->get(this->routes, &route);
+	if (found)
+	{
+		this->routes_lock->unlock(this->routes_lock);
+		return ALREADY_DONE;
+	}
+	found = route_entry_clone(&route);
+	this->routes->put(this->routes, found, found);
+	status = manage_route(this, RTM_ADD, dst_net, prefixlen, gateway, if_name);
+	this->routes_lock->unlock(this->routes_lock);
+	return status;
 }
 
 METHOD(kernel_net_t, del_route, status_t,
 	private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
 	host_t *gateway, host_t *src_ip, char *if_name)
 {
-	return FAILED;
+	status_t status;
+	route_entry_t *found, route = {
+		.dst_net = dst_net,
+		.prefixlen = prefixlen,
+		.gateway = gateway,
+		.if_name = if_name,
+	};
+
+	this->routes_lock->lock(this->routes_lock);
+	found = this->routes->get(this->routes, &route);
+	if (!found)
+	{
+		this->routes_lock->unlock(this->routes_lock);
+		return NOT_FOUND;
+	}
+	this->routes->remove(this->routes, found);
+	route_entry_destroy(found);
+	status = manage_route(this, RTM_DELETE, dst_net, prefixlen, gateway,
+						  if_name);
+	this->routes_lock->unlock(this->routes_lock);
+	return status;
+}
+
+/**
+ * Do a route lookup for dest and return either the nexthop or the source
+ * address.
+ */
+static host_t *get_route(private_kernel_pfroute_net_t *this, bool nexthop,
+						 host_t *dest, host_t *src)
+{
+	struct {
+		struct rt_msghdr hdr;
+		char buf[sizeof(struct sockaddr_storage) * RTAX_MAX];
+	} msg = {
+		.hdr = {
+			.rtm_version = RTM_VERSION,
+			.rtm_type = RTM_GET,
+			.rtm_pid = this->pid,
+			.rtm_seq = ref_get(&this->seq),
+		},
+	};
+	host_t *host = NULL;
+	enumerator_t *enumerator;
+	struct sockaddr *addr;
+	bool failed = FALSE;
+	int type;
+
+retry:
+	msg.hdr.rtm_msglen = sizeof(struct rt_msghdr);
+	for (type = 0; type < RTAX_MAX; type++)
+	{
+		switch (type)
+		{
+			case RTAX_DST:
+				add_rt_addr(&msg.hdr, RTA_DST, dest);
+				break;
+			case RTAX_IFA:
+				add_rt_addr(&msg.hdr, RTA_IFA, src);
+				break;
+			case RTAX_IFP:
+				if (!nexthop)
+				{	/* add an empty IFP to ensure we get a source address */
+					add_rt_ifname(&msg.hdr, RTA_IFP, "");
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	this->mutex->lock(this->mutex);
+
+	while (this->waiting_seq)
+	{
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+	this->waiting_seq = msg.hdr.rtm_seq;
+	if (send(this->socket, &msg, msg.hdr.rtm_msglen, 0) == msg.hdr.rtm_msglen)
+	{
+		while (TRUE)
+		{
+			if (this->condvar->timed_wait(this->condvar, this->mutex, 1000))
+			{	/* timed out? */
+				break;
+			}
+			if (this->reply->rtm_msglen < sizeof(*this->reply) ||
+				msg.hdr.rtm_seq != this->reply->rtm_seq)
+			{
+				continue;
+			}
+			enumerator = create_rtmsg_enumerator(this->reply);
+			while (enumerator->enumerate(enumerator, &type, &addr))
+			{
+				if (nexthop)
+				{
+					if (type == RTAX_DST && this->reply->rtm_flags & RTF_HOST)
+					{	/* probably a cloned/cached direct route, only use that
+						 * as fallback if no gateway is found */
+						host = host ?: host_create_from_sockaddr(addr);
+					}
+					if (type == RTAX_GATEWAY)
+					{	/* could actually be a MAC address */
+						host_t *gtw = host_create_from_sockaddr(addr);
+						if (gtw)
+						{
+							DESTROY_IF(host);
+							host = gtw;
+						}
+					}
+				}
+				else
+				{
+					if (type == RTAX_IFA)
+					{
+						host = host_create_from_sockaddr(addr);
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+			break;
+		}
+	}
+	else
+	{
+		failed = TRUE;
+	}
+	/* signal completion of query to a waiting thread */
+	this->waiting_seq = 0;
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+
+	if (failed)
+	{
+		if (src)
+		{	/* the given source address might be gone, try again without */
+			src = NULL;
+			msg.hdr.rtm_seq = ref_get(&this->seq);
+			msg.hdr.rtm_addrs = 0;
+			memset(msg.buf, sizeof(msg.buf), 0);
+			goto retry;
+		}
+		DBG1(DBG_KNL, "PF_ROUTE lookup failed: %s", strerror(errno));
+	}
+	if (!host)
+	{
+		return NULL;
+	}
+	if (!nexthop)
+	{	/* make sure the source address is not virtual and usable */
+		addr_entry_t *entry, lookup = {
+			.ip = host,
+		};
+
+		this->lock->read_lock(this->lock);
+		entry = this->addrs->get_match(this->addrs, &lookup,
+									(void*)addr_map_entry_match_up_and_usable);
+		this->lock->unlock(this->lock);
+		if (!entry)
+		{
+			host->destroy(host);
+			return NULL;
+		}
+	}
+	DBG2(DBG_KNL, "using %H as %s to reach %H", host,
+		 nexthop ? "nexthop" : "address", dest);
+	return host;
+}
+
+METHOD(kernel_net_t, get_source_addr, host_t*,
+	private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
+{
+	return get_route(this, FALSE, dest, src);
+}
+
+METHOD(kernel_net_t, get_nexthop, host_t*,
+	private_kernel_pfroute_net_t *this, host_t *dest, host_t *src)
+{
+	return get_route(this, TRUE, dest, src);
 }
 
 /**
@@ -566,7 +1599,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 	addr_entry_t *addr;
 	enumerator_t *ifaces, *addrs;
 
-	DBG1(DBG_KNL, "listening on interfaces:");
+	DBG2(DBG_KNL, "known interfaces and IP addresses:");
 
 	if (getifaddrs(&ifap) < 0)
 	{
@@ -586,11 +1619,6 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 			case AF_INET:
 			case AF_INET6:
 			{
-				if (ifa->ifa_flags & IFF_LOOPBACK)
-				{	/* ignore loopback interfaces */
-					continue;
-				}
-
 				iface = NULL;
 				ifaces = this->ifaces->create_enumerator(this->ifaces);
 				while (ifaces->enumerate(ifaces, &current))
@@ -605,21 +1633,24 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 
 				if (!iface)
 				{
-					iface = malloc_thing(iface_entry_t);
+					INIT(iface,
+						.ifindex = if_nametoindex(ifa->ifa_name),
+						.flags = ifa->ifa_flags,
+						.addrs = linked_list_create(),
+						.usable = hydra->kernel_interface->is_interface_usable(
+										hydra->kernel_interface, ifa->ifa_name),
+					);
 					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
-					iface->ifindex = if_nametoindex(ifa->ifa_name);
-					iface->flags = ifa->ifa_flags;
-					iface->addrs = linked_list_create();
 					this->ifaces->insert_last(this->ifaces, iface);
 				}
 
 				if (ifa->ifa_addr->sa_family != AF_LINK)
 				{
-					addr = malloc_thing(addr_entry_t);
-					addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
-					addr->virtual = FALSE;
-					addr->refcount = 1;
+					INIT(addr,
+						.ip = host_create_from_sockaddr(ifa->ifa_addr),
+					);
 					iface->addrs->insert_last(iface->addrs, addr);
+					addr_map_entry_add(this, addr, iface);
 				}
 			}
 		}
@@ -629,13 +1660,13 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 	ifaces = this->ifaces->create_enumerator(this->ifaces);
 	while (ifaces->enumerate(ifaces, &iface))
 	{
-		if (iface->flags & IFF_UP)
+		if (iface->usable && iface->flags & IFF_UP)
 		{
-			DBG1(DBG_KNL, "  %s", iface->ifname);
+			DBG2(DBG_KNL, "  %s", iface->ifname);
 			addrs = iface->addrs->create_enumerator(iface->addrs);
 			while (addrs->enumerate(addrs, (void**)&addr))
 			{
-				DBG1(DBG_KNL, "    %H", addr->ip);
+				DBG2(DBG_KNL, "    %H", addr->ip);
 			}
 			addrs->destroy(addrs);
 		}
@@ -648,21 +1679,44 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 METHOD(kernel_net_t, destroy, void,
 	private_kernel_pfroute_net_t *this)
 {
-	if (this->job)
+	enumerator_t *enumerator;
+	route_entry_t *route;
+	addr_entry_t *addr;
+
+	enumerator = this->routes->create_enumerator(this->routes);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&route))
 	{
-		this->job->cancel(this->job);
+		manage_route(this, RTM_DELETE, route->dst_net, route->prefixlen,
+					 route->gateway, route->if_name);
+		route_entry_destroy(route);
 	}
-	if (this->socket > 0)
+	enumerator->destroy(enumerator);
+	this->routes->destroy(this->routes);
+	this->routes_lock->destroy(this->routes_lock);
+
+	if (this->socket != -1)
 	{
+		lib->watcher->remove(lib->watcher, this->socket);
 		close(this->socket);
 	}
-	if (this->socket_events)
+
+	net_changes_clear(this);
+	this->net_changes->destroy(this->net_changes);
+	this->net_changes_lock->destroy(this->net_changes_lock);
+
+	enumerator = this->addrs->create_enumerator(this->addrs);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&addr))
 	{
-		close(this->socket_events);
+		free(addr);
 	}
+	enumerator->destroy(enumerator);
+	this->addrs->destroy(this->addrs);
 	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+	this->tuns->destroy(this->tuns);
+	this->lock->destroy(this->lock);
 	this->mutex->destroy(this->mutex);
-	this->mutex_pfroute->destroy(this->mutex_pfroute);
+	this->condvar->destroy(this->condvar);
+	free(this->reply);
 	free(this);
 }
 
@@ -676,6 +1730,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 	INIT(this,
 		.public = {
 			.interface = {
+				.get_features = _get_features,
 				.get_interface = _get_interface_name,
 				.create_address_enumerator = _create_address_enumerator,
 				.get_source_addr = _get_source_addr,
@@ -687,33 +1742,51 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 				.destroy = _destroy,
 			},
 		},
+		.pid = getpid(),
 		.ifaces = linked_list_create(),
+		.addrs = hashtable_create(
+								(hashtable_hash_t)addr_map_entry_hash,
+								(hashtable_equals_t)addr_map_entry_equals, 16),
+		.routes = hashtable_create((hashtable_hash_t)route_entry_hash,
+								   (hashtable_equals_t)route_entry_equals, 16),
+		.net_changes = hashtable_create(
+								   (hashtable_hash_t)net_change_hash,
+								   (hashtable_equals_t)net_change_equals, 16),
+		.tuns = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-		.mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.routes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
+		.net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
+		.vip_wait = lib->settings->get_int(lib->settings,
+					"%s.plugins.kernel-pfroute.vip_wait", 1000, hydra->daemon),
 	);
+	timerclear(&this->last_route_reinstall);
+	timerclear(&this->last_roam);
 
 	/* create a PF_ROUTE socket to communicate with the kernel */
 	this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-	if (this->socket < 0)
+	if (this->socket == -1)
 	{
 		DBG1(DBG_KNL, "unable to create PF_ROUTE socket");
 		destroy(this);
 		return NULL;
 	}
 
-	/* create a PF_ROUTE socket to receive events */
-	this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
-	if (this->socket_events < 0)
+	if (streq(hydra->daemon, "starter"))
 	{
-		DBG1(DBG_KNL, "unable to create PF_ROUTE event socket");
-		destroy(this);
-		return NULL;
+		/* starter has no threads, so we do not register for kernel events */
+		if (shutdown(this->socket, SHUT_RD) != 0)
+		{
+			DBG1(DBG_KNL, "closing read end of PF_ROUTE socket failed: %s",
+				 strerror(errno));
+		}
+	}
+	else
+	{
+		lib->watcher->add(lib->watcher, this->socket, WATCHER_READ,
+						  (watcher_cb_t)receive_events, this);
 	}
-
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
-
 	if (init_address_list(this) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get interface list");
diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am
index a05c84061..4cbf65fc0 100644
--- a/src/libhydra/plugins/resolve/Makefile.am
+++ b/src/libhydra/plugins/resolve/Makefile.am
@@ -1,9 +1,11 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-resolve.la
 else
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 41846ffe0..1dc4df294 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_resolve_la_LIBADD =
@@ -79,48 +103,77 @@ am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \
 	resolve_handler.lo
 libstrongswan_resolve_la_OBJECTS =  \
 	$(am_libstrongswan_resolve_la_OBJECTS)
-libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_resolve_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_resolve_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_resolve_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,10 +345,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
-AM_CFLAGS = -rdynamic \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la
 libstrongswan_resolve_la_SOURCES = \
@@ -339,7 +405,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +412,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +435,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) 
-	$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
+libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) $(EXTRA_libstrongswan_resolve_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -381,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -506,10 +573,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index 011ebbaaf..6c57fa0bf 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -21,7 +21,7 @@
 #include <unistd.h>
 
 #include <hydra.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 /* path to resolvconf executable */
@@ -126,7 +126,7 @@ static void remove_nameserver(private_resolve_handler_t *this,
 			/* copy all, but matching line */
 			while (fgets(line, sizeof(line), in))
 			{
-				if (strneq(line, matcher, strlen(matcher)))
+				if (strpfx(line, matcher))
 				{
 					DBG1(DBG_IKE, "removing DNS server %H from %s",
 						 addr, this->file);
@@ -150,6 +150,7 @@ static bool invoke_resolvconf(private_resolve_handler_t *this,
 							  bool install)
 {
 	char cmd[128];
+	bool success = TRUE;
 
 	/* we use the nameserver's IP address as part of the interface name to
 	 * make them unique */
@@ -171,7 +172,8 @@ static bool invoke_resolvconf(private_resolve_handler_t *this,
 		DBG1(DBG_IKE, "installing DNS server %H via resolvconf", addr);
 		fprintf(out, "nameserver %H   # by strongSwan, from %Y\n", addr,
 				server);
-		if (ferror(out) || pclose(out))
+		success = !ferror(out);
+		if (pclose(out))
 		{
 			return FALSE;
 		}
@@ -180,7 +182,7 @@ static bool invoke_resolvconf(private_resolve_handler_t *this,
 	{
 		ignore_result(system(cmd));
 	}
-	return TRUE;
+	return success;
 }
 
 METHOD(attribute_handler_t, handle, bool,
@@ -267,46 +269,71 @@ METHOD(attribute_handler_t, release, void,
 typedef struct {
 	/** implements enumerator_t interface */
 	enumerator_t public;
-	/** virtual IP we are requesting */
-	host_t *vip;
+	/** request IPv4 DNS? */
+	bool v4;
+	/** request IPv6 DNS? */
+	bool v6;
 } attribute_enumerator_t;
 
 static bool attribute_enumerate(attribute_enumerator_t *this,
 								configuration_attribute_type_t *type,
 								chunk_t *data)
 {
-	switch (this->vip->get_family(this->vip))
+	if (this->v4)
 	{
-		case AF_INET:
-			*type = INTERNAL_IP4_DNS;
-			break;
-		case AF_INET6:
-			*type = INTERNAL_IP6_DNS;
-			break;
-		default:
-			return FALSE;
+		*type = INTERNAL_IP4_DNS;
+		*data = chunk_empty;
+		this->v4 = FALSE;
+		return TRUE;
+	}
+	if (this->v6)
+	{
+		*type = INTERNAL_IP6_DNS;
+		*data = chunk_empty;
+		this->v6 = FALSE;
+		return TRUE;
 	}
-	*data = chunk_empty;
-	/* enumerate only once */
-	this->public.enumerate = (void*)return_false;
-	return TRUE;
+	return FALSE;
 }
 
-METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
-	private_resolve_handler_t *this, identification_t *server, host_t *vip)
+/**
+ * Check if a list has a host of given family
+ */
+static bool has_host_family(linked_list_t *list, int family)
 {
-	if (vip)
+	enumerator_t *enumerator;
+	host_t *host;
+	bool found = FALSE;
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &host))
 	{
-		attribute_enumerator_t *enumerator;
+		if (host->get_family(host) == family)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
 
-		enumerator = malloc_thing(attribute_enumerator_t);
-		enumerator->public.enumerate = (void*)attribute_enumerate;
-		enumerator->public.destroy = (void*)free;
-		enumerator->vip = vip;
+	return found;
+}
 
-		return &enumerator->public;
-	}
-	return enumerator_create_empty();
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
+	private_resolve_handler_t *this, identification_t *server,
+	linked_list_t *vips)
+{
+	attribute_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)attribute_enumerate,
+			.destroy = (void*)free,
+		},
+		.v4 = has_host_family(vips, AF_INET),
+		.v6 = has_host_family(vips, AF_INET6),
+	);
+	return &enumerator->public;
 }
 
 METHOD(resolve_handler_t, destroy, void,
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c
index f95827ed9..2fef09a49 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.c
+++ b/src/libhydra/plugins/resolve/resolve_plugin.c
@@ -42,10 +42,39 @@ METHOD(plugin_t, get_name, char*,
 	return "resolve";
 }
 
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_resolve_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		hydra->attributes->add_handler(hydra->attributes,
+									   &this->handler->handler);
+	}
+	else
+	{
+		hydra->attributes->remove_handler(hydra->attributes,
+										  &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_resolve_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "resolve"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_resolve_plugin_t *this)
 {
-	hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
 	this->handler->destroy(this->handler);
 	free(this);
 }
@@ -61,13 +90,12 @@ plugin_t *resolve_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.handler = resolve_handler_create(),
 	);
-	hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
 
 	return &this->public.plugin;
 }
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index fae9fd662..e1e6541aa 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -1,5 +1,6 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif
 
 ipseclib_LTLIBRARIES = libimcv.la
 
@@ -8,17 +9,53 @@ libimcv_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
 libimcv_la_SOURCES = \
 	imcv.h imcv.c \
 	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
+	imc/imc_msg.h imc/imc_msg.c \
 	imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+	imv/imv_agent_if.h imv/imv_if.h \
+	imv/imv_database.h imv/imv_database.c \
+	imv/imv_msg.h imv/imv_msg.c \
+	imv/imv_lang_string.h imv/imv_lang_string.c \
+	imv/imv_reason_string.h imv/imv_reason_string.c \
+	imv/imv_remediation_string.h imv/imv_remediation_string.c \
+	imv/imv_session.h imv/imv_session.c \
+	imv/imv_workitem.h imv/imv_workitem.c \
+	imv/tables.sql imv/data.sql \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
+	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
+	ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \
+	ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \
+	ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \
+	ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \
+	ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \
 	ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \
 	ietf/ietf_attr_port_filter.h ietf/ietf_attr_port_filter.c \
 	ietf/ietf_attr_product_info.h ietf/ietf_attr_product_info.c \
+	ietf/ietf_attr_remediation_instr.h ietf/ietf_attr_remediation_instr.c \
+	ietf/ietf_attr_string_version.h ietf/ietf_attr_string_version.c \
 	ita/ita_attr.h ita/ita_attr.c \
 	ita/ita_attr_command.h ita/ita_attr_command.c \
+	ita/ita_attr_dummy.h ita/ita_attr_dummy.c \
+	ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
+	ita/ita_attr_settings.h ita/ita_attr_settings.c \
+	ita/ita_attr_angel.h ita/ita_attr_angel.c \
+	ita/ita_attr_device_id.h ita/ita_attr_device_id.c \
+	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
 	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
 
+ipsec_SCRIPTS = imv/_imv_policy
+EXTRA_DIST = imv/_imv_policy
+
+ipsec_PROGRAMS = imv_policy_manager
+imv_policy_manager_SOURCES = \
+	imv/imv_policy_manager.c \
+	imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
+imv_policy_manager_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+#imv/imv_policy_manager.o :	$(top_builddir)/config.status
+
 SUBDIRS = .
 
 if USE_IMC_TEST
@@ -35,4 +72,12 @@ endif
 
 if USE_IMV_SCANNER
   SUBDIRS += plugins/imv_scanner
-endif 
+endif
+
+if USE_IMC_OS
+  SUBDIRS += plugins/imc_os
+endif
+
+if USE_IMV_OS
+  SUBDIRS += plugins/imv_os
+endif
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 7e90a7aca..296f422fe 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,7 +15,26 @@
 
 @SET_MAKE@
 
+
+
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -34,10 +53,13 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ipsec_PROGRAMS = imv_policy_manager$(EXEEXT)
 @USE_IMC_TEST_TRUE@am__append_1 = plugins/imc_test
 @USE_IMV_TEST_TRUE@am__append_2 = plugins/imv_test
 @USE_IMC_SCANNER_TRUE@am__append_3 = plugins/imc_scanner
 @USE_IMV_SCANNER_TRUE@am__append_4 = plugins/imv_scanner
+@USE_IMC_OS_TRUE@am__append_5 = plugins/imc_os
+@USE_IMV_OS_TRUE@am__append_6 = plugins/imv_os
 subdir = src/libimcv
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -49,10 +71,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -76,29 +99,69 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" \
+	"$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libimcv_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
-am_libimcv_la_OBJECTS = imcv.lo imc_agent.lo imv_agent.lo ietf_attr.lo \
-	ietf_attr_pa_tnc_error.lo ietf_attr_port_filter.lo \
-	ietf_attr_product_info.lo ita_attr.lo ita_attr_command.lo \
+am_libimcv_la_OBJECTS = imcv.lo imc_agent.lo imc_msg.lo imv_agent.lo \
+	imv_database.lo imv_msg.lo imv_lang_string.lo \
+	imv_reason_string.lo imv_remediation_string.lo imv_session.lo \
+	imv_workitem.lo ietf_attr.lo ietf_attr_assess_result.lo \
+	ietf_attr_attr_request.lo ietf_attr_fwd_enabled.lo \
+	ietf_attr_default_pwd_enabled.lo \
+	ietf_attr_installed_packages.lo ietf_attr_numeric_version.lo \
+	ietf_attr_op_status.lo ietf_attr_pa_tnc_error.lo \
+	ietf_attr_port_filter.lo ietf_attr_product_info.lo \
+	ietf_attr_remediation_instr.lo ietf_attr_string_version.lo \
+	ita_attr.lo ita_attr_command.lo ita_attr_dummy.lo \
+	ita_attr_get_settings.lo ita_attr_settings.lo \
+	ita_attr_angel.lo ita_attr_device_id.lo os_info.lo \
 	pa_tnc_msg.lo pa_tnc_attr_manager.lo
 libimcv_la_OBJECTS = $(am_libimcv_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+PROGRAMS = $(ipsec_PROGRAMS)
+am_imv_policy_manager_OBJECTS = imv_policy_manager.$(OBJEXT) \
+	imv_policy_manager_usage.$(OBJEXT)
+imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS)
+imv_policy_manager_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+SCRIPTS = $(ipsec_SCRIPTS)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libimcv_la_SOURCES)
-DIST_SOURCES = $(libimcv_la_SOURCES)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libimcv_la_SOURCES) $(imv_policy_manager_SOURCES)
+DIST_SOURCES = $(libimcv_la_SOURCES) $(imv_policy_manager_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
 	install-dvi-recursive install-exec-recursive \
@@ -106,6 +169,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -114,7 +182,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/imc_test plugins/imv_test plugins/imc_scanner \
-	plugins/imv_scanner
+	plugins/imv_scanner plugins/imc_os plugins/imv_os
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -144,21 +212,28 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -167,13 +242,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -186,6 +264,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -213,11 +292,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -225,6 +306,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -233,8 +315,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -243,14 +323,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -264,17 +349,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -284,16 +369,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -321,25 +405,63 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif
+
 ipseclib_LTLIBRARIES = libimcv.la
 libimcv_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
 libimcv_la_SOURCES = \
 	imcv.h imcv.c \
 	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
+	imc/imc_msg.h imc/imc_msg.c \
 	imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+	imv/imv_agent_if.h imv/imv_if.h \
+	imv/imv_database.h imv/imv_database.c \
+	imv/imv_msg.h imv/imv_msg.c \
+	imv/imv_lang_string.h imv/imv_lang_string.c \
+	imv/imv_reason_string.h imv/imv_reason_string.c \
+	imv/imv_remediation_string.h imv/imv_remediation_string.c \
+	imv/imv_session.h imv/imv_session.c \
+	imv/imv_workitem.h imv/imv_workitem.c \
+	imv/tables.sql imv/data.sql \
 	ietf/ietf_attr.h ietf/ietf_attr.c \
+	ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
+	ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
+	ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \
+	ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \
+	ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \
+	ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \
+	ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \
 	ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \
 	ietf/ietf_attr_port_filter.h ietf/ietf_attr_port_filter.c \
 	ietf/ietf_attr_product_info.h ietf/ietf_attr_product_info.c \
+	ietf/ietf_attr_remediation_instr.h ietf/ietf_attr_remediation_instr.c \
+	ietf/ietf_attr_string_version.h ietf/ietf_attr_string_version.c \
 	ita/ita_attr.h ita/ita_attr.c \
 	ita/ita_attr_command.h ita/ita_attr_command.c \
+	ita/ita_attr_dummy.h ita/ita_attr_dummy.c \
+	ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
+	ita/ita_attr_settings.h ita/ita_attr_settings.c \
+	ita/ita_attr_angel.h ita/ita_attr_angel.c \
+	ita/ita_attr_device_id.h ita/ita_attr_device_id.c \
+	os_info/os_info.h os_info/os_info.c \
 	pa_tnc/pa_tnc_attr.h \
 	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
 	pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c
 
+ipsec_SCRIPTS = imv/_imv_policy
+EXTRA_DIST = imv/_imv_policy
+imv_policy_manager_SOURCES = \
+	imv/imv_policy_manager.c \
+	imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
+
+imv_policy_manager_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+#imv/imv_policy_manager.o :	$(top_builddir)/config.status
 SUBDIRS = . $(am__append_1) $(am__append_2) $(am__append_3) \
-	$(am__append_4)
+	$(am__append_4) $(am__append_5) $(am__append_6)
 all: all-recursive
 
 .SUFFIXES:
@@ -376,7 +498,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -384,6 +505,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -405,8 +528,92 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libimcv_la_OBJECTS) $(libimcv_la_LIBADD) $(LIBS)
+libimcv.la: $(libimcv_la_OBJECTS) $(libimcv_la_DEPENDENCIES) $(EXTRA_libimcv_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libimcv_la_OBJECTS) $(libimcv_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+imv_policy_manager$(EXEEXT): $(imv_policy_manager_OBJECTS) $(imv_policy_manager_DEPENDENCIES) $(EXTRA_imv_policy_manager_DEPENDENCIES) 
+	@rm -f imv_policy_manager$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(imv_policy_manager_OBJECTS) $(imv_policy_manager_LDADD) $(LIBS)
+install-ipsecSCRIPTS: $(ipsec_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n' \
+	    -e 'h;s|.*|.|' \
+	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
+	      if (++n[d] == $(am__install_max)) { \
+		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
+	    else { print "f", d "/" $$4, $$1 } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	     test -z "$$files" || { \
+	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	     } \
+	; done
+
+uninstall-ipsecSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	       sed -e 's,.*/,,;$(transform)'`; \
+	dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -415,107 +622,321 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_assess_result.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_attr_request.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_default_pwd_enabled.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_fwd_enabled.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_installed_packages.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_numeric_version.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_op_status.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_pa_tnc_error.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_port_filter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_product_info.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_remediation_instr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_string_version.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_msg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imcv.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_database.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_lang_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_policy_manager.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_policy_manager_usage.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_reason_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_remediation_string.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_session.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_workitem.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_angel.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_command.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_device_id.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_dummy.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_get_settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ita_attr_settings.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/os_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pa_tnc_attr_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pa_tnc_msg.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 imc_agent.lo: imc/imc_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_agent.lo -MD -MP -MF $(DEPDIR)/imc_agent.Tpo -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imc_agent.Tpo $(DEPDIR)/imc_agent.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imc/imc_agent.c' object='imc_agent.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_agent.lo -MD -MP -MF $(DEPDIR)/imc_agent.Tpo -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imc_agent.Tpo $(DEPDIR)/imc_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imc/imc_agent.c' object='imc_agent.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_agent.lo `test -f 'imc/imc_agent.c' || echo '$(srcdir)/'`imc/imc_agent.c
+
+imc_msg.lo: imc/imc_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_msg.lo -MD -MP -MF $(DEPDIR)/imc_msg.Tpo -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imc_msg.Tpo $(DEPDIR)/imc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imc/imc_msg.c' object='imc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_msg.lo `test -f 'imc/imc_msg.c' || echo '$(srcdir)/'`imc/imc_msg.c
 
 imv_agent.lo: imv/imv_agent.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_agent.lo -MD -MP -MF $(DEPDIR)/imv_agent.Tpo -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_agent.Tpo $(DEPDIR)/imv_agent.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='imv/imv_agent.c' object='imv_agent.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_agent.lo -MD -MP -MF $(DEPDIR)/imv_agent.Tpo -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_agent.Tpo $(DEPDIR)/imv_agent.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_agent.c' object='imv_agent.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_agent.lo `test -f 'imv/imv_agent.c' || echo '$(srcdir)/'`imv/imv_agent.c
+
+imv_database.lo: imv/imv_database.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_database.lo -MD -MP -MF $(DEPDIR)/imv_database.Tpo -c -o imv_database.lo `test -f 'imv/imv_database.c' || echo '$(srcdir)/'`imv/imv_database.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_database.Tpo $(DEPDIR)/imv_database.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_database.c' object='imv_database.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_database.lo `test -f 'imv/imv_database.c' || echo '$(srcdir)/'`imv/imv_database.c
+
+imv_msg.lo: imv/imv_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_msg.lo -MD -MP -MF $(DEPDIR)/imv_msg.Tpo -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_msg.Tpo $(DEPDIR)/imv_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_msg.c' object='imv_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_msg.lo `test -f 'imv/imv_msg.c' || echo '$(srcdir)/'`imv/imv_msg.c
+
+imv_lang_string.lo: imv/imv_lang_string.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_lang_string.lo -MD -MP -MF $(DEPDIR)/imv_lang_string.Tpo -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_lang_string.Tpo $(DEPDIR)/imv_lang_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_lang_string.c' object='imv_lang_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_lang_string.lo `test -f 'imv/imv_lang_string.c' || echo '$(srcdir)/'`imv/imv_lang_string.c
+
+imv_reason_string.lo: imv/imv_reason_string.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_reason_string.lo -MD -MP -MF $(DEPDIR)/imv_reason_string.Tpo -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_reason_string.Tpo $(DEPDIR)/imv_reason_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_reason_string.c' object='imv_reason_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_reason_string.lo `test -f 'imv/imv_reason_string.c' || echo '$(srcdir)/'`imv/imv_reason_string.c
+
+imv_remediation_string.lo: imv/imv_remediation_string.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_remediation_string.lo -MD -MP -MF $(DEPDIR)/imv_remediation_string.Tpo -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_remediation_string.Tpo $(DEPDIR)/imv_remediation_string.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_remediation_string.c' object='imv_remediation_string.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_remediation_string.lo `test -f 'imv/imv_remediation_string.c' || echo '$(srcdir)/'`imv/imv_remediation_string.c
+
+imv_session.lo: imv/imv_session.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_session.lo -MD -MP -MF $(DEPDIR)/imv_session.Tpo -c -o imv_session.lo `test -f 'imv/imv_session.c' || echo '$(srcdir)/'`imv/imv_session.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_session.Tpo $(DEPDIR)/imv_session.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_session.c' object='imv_session.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_session.lo `test -f 'imv/imv_session.c' || echo '$(srcdir)/'`imv/imv_session.c
+
+imv_workitem.lo: imv/imv_workitem.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_workitem.lo -MD -MP -MF $(DEPDIR)/imv_workitem.Tpo -c -o imv_workitem.lo `test -f 'imv/imv_workitem.c' || echo '$(srcdir)/'`imv/imv_workitem.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_workitem.Tpo $(DEPDIR)/imv_workitem.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_workitem.c' object='imv_workitem.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_workitem.lo `test -f 'imv/imv_workitem.c' || echo '$(srcdir)/'`imv/imv_workitem.c
 
 ietf_attr.lo: ietf/ietf_attr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr.lo -MD -MP -MF $(DEPDIR)/ietf_attr.Tpo -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr.Tpo $(DEPDIR)/ietf_attr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr.c' object='ietf_attr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr.lo -MD -MP -MF $(DEPDIR)/ietf_attr.Tpo -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr.Tpo $(DEPDIR)/ietf_attr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr.c' object='ietf_attr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
+
+ietf_attr_assess_result.lo: ietf/ietf_attr_assess_result.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_assess_result.lo -MD -MP -MF $(DEPDIR)/ietf_attr_assess_result.Tpo -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_assess_result.Tpo $(DEPDIR)/ietf_attr_assess_result.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_assess_result.c' object='ietf_attr_assess_result.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_assess_result.lo `test -f 'ietf/ietf_attr_assess_result.c' || echo '$(srcdir)/'`ietf/ietf_attr_assess_result.c
+
+ietf_attr_attr_request.lo: ietf/ietf_attr_attr_request.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_attr_request.lo -MD -MP -MF $(DEPDIR)/ietf_attr_attr_request.Tpo -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_attr_request.Tpo $(DEPDIR)/ietf_attr_attr_request.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_attr_request.c' object='ietf_attr_attr_request.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_attr_request.lo `test -f 'ietf/ietf_attr_attr_request.c' || echo '$(srcdir)/'`ietf/ietf_attr_attr_request.c
+
+ietf_attr_fwd_enabled.lo: ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_fwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_fwd_enabled.Tpo -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_fwd_enabled.Tpo $(DEPDIR)/ietf_attr_fwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_fwd_enabled.c' object='ietf_attr_fwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_fwd_enabled.lo `test -f 'ietf/ietf_attr_fwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_fwd_enabled.c
+
+ietf_attr_default_pwd_enabled.lo: ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_default_pwd_enabled.lo -MD -MP -MF $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_default_pwd_enabled.Tpo $(DEPDIR)/ietf_attr_default_pwd_enabled.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_default_pwd_enabled.c' object='ietf_attr_default_pwd_enabled.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_default_pwd_enabled.lo `test -f 'ietf/ietf_attr_default_pwd_enabled.c' || echo '$(srcdir)/'`ietf/ietf_attr_default_pwd_enabled.c
+
+ietf_attr_installed_packages.lo: ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_installed_packages.lo -MD -MP -MF $(DEPDIR)/ietf_attr_installed_packages.Tpo -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_installed_packages.Tpo $(DEPDIR)/ietf_attr_installed_packages.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_installed_packages.c' object='ietf_attr_installed_packages.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_installed_packages.lo `test -f 'ietf/ietf_attr_installed_packages.c' || echo '$(srcdir)/'`ietf/ietf_attr_installed_packages.c
+
+ietf_attr_numeric_version.lo: ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_numeric_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_numeric_version.Tpo -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_numeric_version.Tpo $(DEPDIR)/ietf_attr_numeric_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_numeric_version.c' object='ietf_attr_numeric_version.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_numeric_version.lo `test -f 'ietf/ietf_attr_numeric_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_numeric_version.c
+
+ietf_attr_op_status.lo: ietf/ietf_attr_op_status.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_op_status.lo -MD -MP -MF $(DEPDIR)/ietf_attr_op_status.Tpo -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_op_status.Tpo $(DEPDIR)/ietf_attr_op_status.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_op_status.c' object='ietf_attr_op_status.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr.lo `test -f 'ietf/ietf_attr.c' || echo '$(srcdir)/'`ietf/ietf_attr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_op_status.lo `test -f 'ietf/ietf_attr_op_status.c' || echo '$(srcdir)/'`ietf/ietf_attr_op_status.c
 
 ietf_attr_pa_tnc_error.lo: ietf/ietf_attr_pa_tnc_error.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_pa_tnc_error.lo -MD -MP -MF $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo $(DEPDIR)/ietf_attr_pa_tnc_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_pa_tnc_error.c' object='ietf_attr_pa_tnc_error.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_pa_tnc_error.lo -MD -MP -MF $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_pa_tnc_error.Tpo $(DEPDIR)/ietf_attr_pa_tnc_error.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_pa_tnc_error.c' object='ietf_attr_pa_tnc_error.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_pa_tnc_error.lo `test -f 'ietf/ietf_attr_pa_tnc_error.c' || echo '$(srcdir)/'`ietf/ietf_attr_pa_tnc_error.c
 
 ietf_attr_port_filter.lo: ietf/ietf_attr_port_filter.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_port_filter.lo -MD -MP -MF $(DEPDIR)/ietf_attr_port_filter.Tpo -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_port_filter.Tpo $(DEPDIR)/ietf_attr_port_filter.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_port_filter.c' object='ietf_attr_port_filter.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_port_filter.lo -MD -MP -MF $(DEPDIR)/ietf_attr_port_filter.Tpo -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_port_filter.Tpo $(DEPDIR)/ietf_attr_port_filter.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_port_filter.c' object='ietf_attr_port_filter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_port_filter.lo `test -f 'ietf/ietf_attr_port_filter.c' || echo '$(srcdir)/'`ietf/ietf_attr_port_filter.c
 
 ietf_attr_product_info.lo: ietf/ietf_attr_product_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_product_info.lo -MD -MP -MF $(DEPDIR)/ietf_attr_product_info.Tpo -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attr_product_info.Tpo $(DEPDIR)/ietf_attr_product_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ietf/ietf_attr_product_info.c' object='ietf_attr_product_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_product_info.lo -MD -MP -MF $(DEPDIR)/ietf_attr_product_info.Tpo -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_product_info.Tpo $(DEPDIR)/ietf_attr_product_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_product_info.c' object='ietf_attr_product_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_product_info.lo `test -f 'ietf/ietf_attr_product_info.c' || echo '$(srcdir)/'`ietf/ietf_attr_product_info.c
+
+ietf_attr_remediation_instr.lo: ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_remediation_instr.lo -MD -MP -MF $(DEPDIR)/ietf_attr_remediation_instr.Tpo -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_remediation_instr.Tpo $(DEPDIR)/ietf_attr_remediation_instr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_remediation_instr.c' object='ietf_attr_remediation_instr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_remediation_instr.lo `test -f 'ietf/ietf_attr_remediation_instr.c' || echo '$(srcdir)/'`ietf/ietf_attr_remediation_instr.c
+
+ietf_attr_string_version.lo: ietf/ietf_attr_string_version.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_string_version.lo -MD -MP -MF $(DEPDIR)/ietf_attr_string_version.Tpo -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attr_string_version.Tpo $(DEPDIR)/ietf_attr_string_version.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ietf/ietf_attr_string_version.c' object='ietf_attr_string_version.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_string_version.lo `test -f 'ietf/ietf_attr_string_version.c' || echo '$(srcdir)/'`ietf/ietf_attr_string_version.c
 
 ita_attr.lo: ita/ita_attr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr.lo -MD -MP -MF $(DEPDIR)/ita_attr.Tpo -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr.Tpo $(DEPDIR)/ita_attr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr.c' object='ita_attr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr.lo -MD -MP -MF $(DEPDIR)/ita_attr.Tpo -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr.Tpo $(DEPDIR)/ita_attr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr.c' object='ita_attr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr.lo `test -f 'ita/ita_attr.c' || echo '$(srcdir)/'`ita/ita_attr.c
 
 ita_attr_command.lo: ita/ita_attr_command.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_command.lo -MD -MP -MF $(DEPDIR)/ita_attr_command.Tpo -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_attr_command.Tpo $(DEPDIR)/ita_attr_command.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='ita/ita_attr_command.c' object='ita_attr_command.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_command.lo -MD -MP -MF $(DEPDIR)/ita_attr_command.Tpo -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_command.Tpo $(DEPDIR)/ita_attr_command.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_command.c' object='ita_attr_command.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
+
+ita_attr_dummy.lo: ita/ita_attr_dummy.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_dummy.lo -MD -MP -MF $(DEPDIR)/ita_attr_dummy.Tpo -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_dummy.Tpo $(DEPDIR)/ita_attr_dummy.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_dummy.c' object='ita_attr_dummy.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_dummy.lo `test -f 'ita/ita_attr_dummy.c' || echo '$(srcdir)/'`ita/ita_attr_dummy.c
+
+ita_attr_get_settings.lo: ita/ita_attr_get_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_get_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_get_settings.Tpo -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_get_settings.Tpo $(DEPDIR)/ita_attr_get_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_get_settings.c' object='ita_attr_get_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_get_settings.lo `test -f 'ita/ita_attr_get_settings.c' || echo '$(srcdir)/'`ita/ita_attr_get_settings.c
+
+ita_attr_settings.lo: ita/ita_attr_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_settings.lo -MD -MP -MF $(DEPDIR)/ita_attr_settings.Tpo -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_settings.Tpo $(DEPDIR)/ita_attr_settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_settings.c' object='ita_attr_settings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_settings.lo `test -f 'ita/ita_attr_settings.c' || echo '$(srcdir)/'`ita/ita_attr_settings.c
+
+ita_attr_angel.lo: ita/ita_attr_angel.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_angel.lo -MD -MP -MF $(DEPDIR)/ita_attr_angel.Tpo -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_angel.Tpo $(DEPDIR)/ita_attr_angel.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_angel.c' object='ita_attr_angel.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_angel.lo `test -f 'ita/ita_attr_angel.c' || echo '$(srcdir)/'`ita/ita_attr_angel.c
+
+ita_attr_device_id.lo: ita/ita_attr_device_id.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_attr_device_id.lo -MD -MP -MF $(DEPDIR)/ita_attr_device_id.Tpo -c -o ita_attr_device_id.lo `test -f 'ita/ita_attr_device_id.c' || echo '$(srcdir)/'`ita/ita_attr_device_id.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_attr_device_id.Tpo $(DEPDIR)/ita_attr_device_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ita/ita_attr_device_id.c' object='ita_attr_device_id.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_command.lo `test -f 'ita/ita_attr_command.c' || echo '$(srcdir)/'`ita/ita_attr_command.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_attr_device_id.lo `test -f 'ita/ita_attr_device_id.c' || echo '$(srcdir)/'`ita/ita_attr_device_id.c
+
+os_info.lo: os_info/os_info.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT os_info.lo -MD -MP -MF $(DEPDIR)/os_info.Tpo -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/os_info.Tpo $(DEPDIR)/os_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='os_info/os_info.c' object='os_info.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o os_info.lo `test -f 'os_info/os_info.c' || echo '$(srcdir)/'`os_info/os_info.c
 
 pa_tnc_msg.lo: pa_tnc/pa_tnc_msg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pa_tnc_msg.Tpo -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pa_tnc_msg.Tpo $(DEPDIR)/pa_tnc_msg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pa_tnc/pa_tnc_msg.c' object='pa_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pa_tnc_msg.Tpo -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pa_tnc_msg.Tpo $(DEPDIR)/pa_tnc_msg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pa_tnc/pa_tnc_msg.c' object='pa_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_msg.lo `test -f 'pa_tnc/pa_tnc_msg.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_msg.c
 
 pa_tnc_attr_manager.lo: pa_tnc/pa_tnc_attr_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_attr_manager.lo -MD -MP -MF $(DEPDIR)/pa_tnc_attr_manager.Tpo -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pa_tnc_attr_manager.Tpo $(DEPDIR)/pa_tnc_attr_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pa_tnc/pa_tnc_attr_manager.c' object='pa_tnc_attr_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pa_tnc_attr_manager.lo -MD -MP -MF $(DEPDIR)/pa_tnc_attr_manager.Tpo -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pa_tnc_attr_manager.Tpo $(DEPDIR)/pa_tnc_attr_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pa_tnc/pa_tnc_attr_manager.c' object='pa_tnc_attr_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+
+imv_policy_manager.o: imv/imv_policy_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager.o -MD -MP -MF $(DEPDIR)/imv_policy_manager.Tpo -c -o imv_policy_manager.o `test -f 'imv/imv_policy_manager.c' || echo '$(srcdir)/'`imv/imv_policy_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager.Tpo $(DEPDIR)/imv_policy_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager.c' object='imv_policy_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager.o `test -f 'imv/imv_policy_manager.c' || echo '$(srcdir)/'`imv/imv_policy_manager.c
+
+imv_policy_manager.obj: imv/imv_policy_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager.obj -MD -MP -MF $(DEPDIR)/imv_policy_manager.Tpo -c -o imv_policy_manager.obj `if test -f 'imv/imv_policy_manager.c'; then $(CYGPATH_W) 'imv/imv_policy_manager.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager.Tpo $(DEPDIR)/imv_policy_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager.c' object='imv_policy_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager.obj `if test -f 'imv/imv_policy_manager.c'; then $(CYGPATH_W) 'imv/imv_policy_manager.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager.c'; fi`
+
+imv_policy_manager_usage.o: imv/imv_policy_manager_usage.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager_usage.o -MD -MP -MF $(DEPDIR)/imv_policy_manager_usage.Tpo -c -o imv_policy_manager_usage.o `test -f 'imv/imv_policy_manager_usage.c' || echo '$(srcdir)/'`imv/imv_policy_manager_usage.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager_usage.Tpo $(DEPDIR)/imv_policy_manager_usage.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager_usage.c' object='imv_policy_manager_usage.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager_usage.o `test -f 'imv/imv_policy_manager_usage.c' || echo '$(srcdir)/'`imv/imv_policy_manager_usage.c
+
+imv_policy_manager_usage.obj: imv/imv_policy_manager_usage.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_policy_manager_usage.obj -MD -MP -MF $(DEPDIR)/imv_policy_manager_usage.Tpo -c -o imv_policy_manager_usage.obj `if test -f 'imv/imv_policy_manager_usage.c'; then $(CYGPATH_W) 'imv/imv_policy_manager_usage.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager_usage.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_policy_manager_usage.Tpo $(DEPDIR)/imv_policy_manager_usage.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='imv/imv_policy_manager_usage.c' object='imv_policy_manager_usage.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pa_tnc_attr_manager.lo `test -f 'pa_tnc/pa_tnc_attr_manager.c' || echo '$(srcdir)/'`pa_tnc/pa_tnc_attr_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_policy_manager_usage.obj `if test -f 'imv/imv_policy_manager_usage.c'; then $(CYGPATH_W) 'imv/imv_policy_manager_usage.c'; else $(CYGPATH_W) '$(srcdir)/imv/imv_policy_manager_usage.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -690,13 +1111,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -718,10 +1136,10 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-recursive
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS)
 installdirs: installdirs-recursive
 installdirs-am:
-	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(ipsecdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-recursive
@@ -734,10 +1152,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -751,8 +1174,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-recursive
 
-clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
-	mostlyclean-am
+clean-am: clean-generic clean-ipsecPROGRAMS clean-ipseclibLTLIBRARIES \
+	clean-libtool mostlyclean-am
 
 distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR)
@@ -772,7 +1195,8 @@ info: info-recursive
 
 info-am:
 
-install-data-am: install-ipseclibLTLIBRARIES
+install-data-am: install-ipsecPROGRAMS install-ipsecSCRIPTS \
+	install-ipseclibLTLIBRARIES
 
 install-dvi: install-dvi-recursive
 
@@ -818,26 +1242,29 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-ipseclibLTLIBRARIES
+uninstall-am: uninstall-ipsecPROGRAMS uninstall-ipsecSCRIPTS \
+	uninstall-ipseclibLTLIBRARIES
 
 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
 	install-am install-strip tags-recursive
 
 .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
 	all all-am check check-am clean clean-generic \
-	clean-ipseclibLTLIBRARIES clean-libtool ctags ctags-recursive \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipseclibLTLIBRARIES install-man \
+	clean-ipsecPROGRAMS clean-ipseclibLTLIBRARIES clean-libtool \
+	ctags ctags-recursive distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-ipsecPROGRAMS \
+	install-ipsecSCRIPTS install-ipseclibLTLIBRARIES install-man \
 	install-pdf install-pdf-am install-ps install-ps-am \
 	install-strip installcheck installcheck-am installdirs \
 	installdirs-am maintainer-clean maintainer-clean-generic \
 	mostlyclean mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
-	uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+	uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-ipsecSCRIPTS uninstall-ipseclibLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c
index 89c6fc8db..2f3819898 100644
--- a/src/libimcv/ietf/ietf_attr.c
+++ b/src/libimcv/ietf/ietf_attr.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,9 +14,19 @@
  */
 
 #include "ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_attr_request.h"
+#include "ietf/ietf_attr_fwd_enabled.h"
+#include "ietf/ietf_attr_default_pwd_enabled.h"
+#include "ietf/ietf_attr_installed_packages.h"
+#include "ietf/ietf_attr_numeric_version.h"
+#include "ietf/ietf_attr_op_status.h"
 #include "ietf/ietf_attr_pa_tnc_error.h"
 #include "ietf/ietf_attr_port_filter.h"
 #include "ietf/ietf_attr_product_info.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+#include "ietf/ietf_attr_string_version.h"
+
 
 ENUM(ietf_attr_names, IETF_ATTR_TESTING, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED,
 	"Testing",
@@ -40,22 +51,31 @@ pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, chunk_t value)
 {
 	switch (type)
 	{
-		case IETF_ATTR_PORT_FILTER:
-			return ietf_attr_port_filter_create_from_data(value);
-		case IETF_ATTR_PA_TNC_ERROR:
-			return ietf_attr_pa_tnc_error_create_from_data(value);
+		case IETF_ATTR_ATTRIBUTE_REQUEST:
+			return ietf_attr_attr_request_create_from_data(value);
 		case IETF_ATTR_PRODUCT_INFORMATION:
 			return ietf_attr_product_info_create_from_data(value);
-		case IETF_ATTR_TESTING:
-		case IETF_ATTR_ATTRIBUTE_REQUEST:
 		case IETF_ATTR_NUMERIC_VERSION:
+			return ietf_attr_numeric_version_create_from_data(value);
 		case IETF_ATTR_STRING_VERSION:
+			return ietf_attr_string_version_create_from_data(value);
 		case IETF_ATTR_OPERATIONAL_STATUS:
+			return ietf_attr_op_status_create_from_data(value);
+		case IETF_ATTR_PORT_FILTER:
+			return ietf_attr_port_filter_create_from_data(value);
 		case IETF_ATTR_INSTALLED_PACKAGES:
+			return ietf_attr_installed_packages_create_from_data(value);
+		case IETF_ATTR_PA_TNC_ERROR:
+			return ietf_attr_pa_tnc_error_create_from_data(value);
 		case IETF_ATTR_ASSESSMENT_RESULT:
+			return ietf_attr_assess_result_create_from_data(value);
 		case IETF_ATTR_REMEDIATION_INSTRUCTIONS:
+			return ietf_attr_remediation_instr_create_from_data(value);
 		case IETF_ATTR_FORWARDING_ENABLED:
+			return ietf_attr_fwd_enabled_create_from_data(value);
 		case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+			return ietf_attr_default_pwd_enabled_create_from_data(value);
+		case IETF_ATTR_TESTING:
 		case IETF_ATTR_RESERVED:
 		default:
 			return NULL;
diff --git a/src/libimcv/ietf/ietf_attr.h b/src/libimcv/ietf/ietf_attr.h
index a1ba42565..d22175d94 100644
--- a/src/libimcv/ietf/ietf_attr.h
+++ b/src/libimcv/ietf/ietf_attr.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ietf_attrt ietf_attr
- * @{ @ingroup ietf_attr
+ * @defgroup ietf_attr ietf_attr
+ * @{ @ingroup libimcv
  */
 
 #ifndef IETF_ATTR_H_
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.c b/src/libimcv/ietf/ietf_attr_assess_result.c
new file mode 100644
index 000000000..55226e3bb
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_assess_result.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_assess_result.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_assess_result_t private_ietf_attr_assess_result_t;
+
+/**
+ * PA-TNC Product Information type  (see section 4.2.2 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |                       Assessment Result                       |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define ASSESS_RESULT_SIZE	4
+
+/**
+ * Private data of an ietf_attr_assess_result_t object.
+ */
+struct private_ietf_attr_assess_result_t {
+
+	/**
+	 * Public members of ietf_attr_assess_result_t
+	 */
+	ietf_attr_assess_result_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Assessment Result
+	 */
+	u_int32_t result;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_assess_result_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_assess_result_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_assess_result_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_assess_result_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_assess_result_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	writer = bio_writer_create(ASSESS_RESULT_SIZE);
+	writer->write_uint32(writer, this->result);
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_assess_result_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+
+	if (this->value.len < ASSESS_RESULT_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF assessment result");
+		*offset = 0;
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &this->result);
+	reader->destroy(reader);
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_assess_result_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_assess_result_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_assess_result_t, get_result, u_int32_t,
+	private_ietf_attr_assess_result_t *this)
+{
+	return this->result;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_assess_result_create(u_int32_t result)
+{
+	private_ietf_attr_assess_result_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_result = _get_result,
+		},
+		.type = { PEN_IETF, IETF_ATTR_ASSESSMENT_RESULT },
+		.result = result,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_assess_result_create_from_data(chunk_t data)
+{
+	private_ietf_attr_assess_result_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_result = _get_result,
+		},
+		.type = { PEN_IETF, IETF_ATTR_ASSESSMENT_RESULT },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_assess_result.h b/src/libimcv/ietf/ietf_attr_assess_result.h
new file mode 100644
index 000000000..e94b57b88
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_assess_result.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_assess_resultt ietf_attr_assess_result
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_ASSESS_RESULT_H_
+#define IETF_ATTR_ASSESS_RESULT_H_
+
+typedef struct ietf_attr_assess_result_t ietf_attr_assess_result_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC Assessment Result attribute.
+ *
+ */
+struct ietf_attr_assess_result_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Get the assessment result
+	 *
+	 * @return				Assessment Result
+	 */
+	u_int32_t (*get_result)(ietf_attr_assess_result_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_assess_result_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_assess_result_create(u_int32_t result);
+
+/**
+ * Creates an ietf_attr_assess_result_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_assess_result_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_ASSESS_RESULT_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c
new file mode 100644
index 000000000..3b4fd26cd
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_attr_request.c
@@ -0,0 +1,276 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imcv.h"
+#include "ietf_attr_attr_request.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <collections/linked_list.h>
+
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_attr_request_t private_ietf_attr_attr_request_t;
+
+/**
+ * PA-TNC Attribute Request type  (see section 4.2.1 of RFC 5792)
+ *
+ *                      1                   2                   3
+ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |   Reserved    |           PA-TNC Attribute Vendor ID          |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |                      PA-TNC Attribute Type                    |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |   Reserved    |           PA-TNC Attribute Vendor ID          |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |                      PA-TNC Attribute Type                    |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define ATTR_REQUEST_ENTRY_SIZE		8
+
+/**
+ * Private data of an ietf_attr_attr_request_t object.
+ */
+struct private_ietf_attr_attr_request_t {
+
+	/**
+	 * Public members of ietf_attr_attr_request_t
+	 */
+	ietf_attr_attr_request_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * List of requested attribute types
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_attr_request_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_attr_request_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_attr_request_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_attr_request_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_attr_request_t *this)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	pen_type_t *entry;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(ATTR_REQUEST_ENTRY_SIZE *
+							   this->list->get_count(this->list));
+
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		writer->write_uint32(writer, entry->vendor_id);
+		writer->write_uint32(writer, entry->type);
+	}
+	enumerator->destroy(enumerator);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(ietf_attr_attr_request_t, add, void,
+	private_ietf_attr_attr_request_t *this, pen_t vendor_id, u_int32_t type)
+{
+	pen_type_t *entry;
+
+	entry = malloc_thing(pen_type_t);
+	entry->vendor_id = vendor_id;
+	entry->type = type;
+	this->list->insert_last(this->list, entry);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_attr_request_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	enum_name_t *pa_attr_names;
+	pen_t vendor_id;
+	u_int32_t type;
+	u_int8_t reserved;
+	int count;
+
+	count = this->value.len / ATTR_REQUEST_ENTRY_SIZE;
+	if (this->value.len != ATTR_REQUEST_ENTRY_SIZE * count)
+	{
+		DBG1(DBG_TNC, "incorrect attribute length for IETF attribute request");
+		*offset = 0;
+		return FAILED;
+	}
+
+	reader = bio_reader_create(this->value);
+	while (count--)
+	{
+		reader->read_uint8 (reader, &reserved);
+		reader->read_uint24(reader, &vendor_id);
+		reader->read_uint32(reader, &type);
+
+		pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
+														  vendor_id);
+		if (pa_attr_names)
+		{
+			DBG2(DBG_TNC, "  0x%06x/0x%08x '%N/%N'", vendor_id, type,
+							 pen_names, vendor_id, pa_attr_names, type);
+		}
+		else
+		{
+			DBG2(DBG_TNC, "  0x%06x/0x%08x '%N'", vendor_id, type,
+							 pen_names, vendor_id);
+		}
+		add(this, vendor_id, type);
+	}
+	reader->destroy(reader);
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_attr_request_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_attr_request_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->list->destroy_function(this->list, free);
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_attr_request_t, create_enumerator, enumerator_t*,
+	private_ietf_attr_attr_request_t *this)
+{
+	return this->list->create_enumerator(this->list);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_attr_request_create(pen_t vendor_id, u_int32_t type)
+{
+	private_ietf_attr_attr_request_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_IETF, IETF_ATTR_ATTRIBUTE_REQUEST },
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	if (vendor_id != PEN_RESERVED)
+	{
+		add(this, vendor_id, type);
+	}
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_attr_request_create_from_data(chunk_t data)
+{
+	private_ietf_attr_attr_request_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_IETF, IETF_ATTR_ATTRIBUTE_REQUEST },
+		.value = chunk_clone(data),
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.h b/src/libimcv/ietf/ietf_attr_attr_request.h
new file mode 100644
index 000000000..fc9e08676
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_attr_request.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_attr_requestt ietf_attr_attr_request
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_ATTR_REQUEST_H_
+#define IETF_ATTR_ATTR_REQUEST_H_
+
+typedef struct ietf_attr_attr_request_t ietf_attr_attr_request_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC Attribute Request attribute.
+ *
+ */
+struct ietf_attr_attr_request_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Adds another attribute type to the attribute request
+	 *
+	 * @param vendor_id		Attribute Vendor ID
+	 * @param type			Attribute Type
+	 */
+	void (*add)(ietf_attr_attr_request_t *this, pen_t vendor_id, u_int32_t type);
+
+	/**
+	 * Creates an enumerator over all attribute types contained
+	 * in the attribute request
+	 *
+	 * @return			Attribute Type enumerator returns { vendor ID, type }
+	 */
+	enumerator_t* (*create_enumerator)(ietf_attr_attr_request_t *this);
+};
+
+/**
+ * Creates an ietf_attr_attr_request_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_attr_request_create(pen_t vendor_id, u_int32_t type);
+
+/**
+ * Creates an ietf_attr_attr_request_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_attr_request_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_ATTR_REQUEST_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
new file mode 100644
index 000000000..2c6b3d542
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_default_pwd_enabled.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_default_pwd_enabled_t private_ietf_attr_default_pwd_enabled_t;
+
+/**
+ * PA-TNC Factory Default Password Enabled type (see section 4.2.12 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |              Factory Default Password Enabled                 |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define DEFAULT_PWD_ENABLED_SIZE	4
+
+/**
+ * Private data of an ietf_attr_default_pwd_enabled_t object.
+ */
+struct private_ietf_attr_default_pwd_enabled_t {
+
+	/**
+	 * Public members of ietf_attr_default_pwd_enabled_t
+	 */
+	ietf_attr_default_pwd_enabled_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Factory Default Password Enabled status
+	 */
+	bool status;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_default_pwd_enabled_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(DEFAULT_PWD_ENABLED_SIZE);
+	writer->write_uint32(writer, this->status);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_default_pwd_enabled_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t status;
+
+	*offset = 0;
+
+	if (this->value.len != DEFAULT_PWD_ENABLED_SIZE)
+	{
+		DBG1(DBG_TNC, "incorrect size for IETF factory default password "
+					  "enabled attribute");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &status);
+	reader->destroy(reader);
+
+	if (status > TRUE)
+	{
+		DBG1(DBG_TNC, "IETF factory default password enabled field "
+					  "has unknown value %u", status);
+		return FAILED;
+	}
+	this->status = status;
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_default_pwd_enabled_t, get_status, bool,
+	private_ietf_attr_default_pwd_enabled_t *this)
+{
+	return this->status;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create(bool status)
+{
+	private_ietf_attr_default_pwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED },
+		.status = status,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create_from_data(chunk_t data)
+{
+	private_ietf_attr_default_pwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
new file mode 100644
index 000000000..6fe1a02b1
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_default_pwd_enabled ietf_attr_default_pwd_enabled
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_PWD_ENABLED_H_
+#define IETF_ATTR_PWD_ENABLED_H_
+
+typedef struct ietf_attr_default_pwd_enabled_t ietf_attr_default_pwd_enabled_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the IETF PA-TNC Factory Default Password Enabled attribute.
+ *
+ */
+struct ietf_attr_default_pwd_enabled_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Factory Default Password Enabled status
+	 *
+	 * @return				Factory Default Password Enabled status
+	 */
+	bool (*get_status)(ietf_attr_default_pwd_enabled_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_default_pwd_enabled_t object
+ *
+ * @param status			Factory Default Password Enabled status
+ */
+pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create(bool status);
+
+/**
+ * Creates an ietf_attr_default_pwd_enabled_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_PWD_ENABLED_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.c b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
new file mode 100644
index 000000000..a906b2258
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_fwd_enabled.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_fwd_enabled_t private_ietf_attr_fwd_enabled_t;
+
+/**
+ * PA-TNC Forwarding Enabled type  (see section 4.2.11 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Forwarding Enabled                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define FORWARDING_ENABLED_SIZE		4
+
+/**
+ * Private data of an ietf_attr_fwd_enabled_t object.
+ */
+struct private_ietf_attr_fwd_enabled_t {
+
+	/**
+	 * Public members of ietf_attr_fwd_enabled_t
+	 */
+	ietf_attr_fwd_enabled_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Forwarding Enabled status
+	 */
+	os_fwd_status_t fwd_status;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_fwd_enabled_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(FORWARDING_ENABLED_SIZE);
+	writer->write_uint32(writer, this->fwd_status);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_fwd_enabled_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t fwd_status;
+
+	*offset = 0;
+
+	if (this->value.len != FORWARDING_ENABLED_SIZE)
+	{
+		DBG1(DBG_TNC, "incorrect size for IETF forwarding enabled attribute");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &fwd_status);
+	reader->destroy(reader);
+
+	if (fwd_status > OS_FWD_UNKNOWN)
+	{
+		DBG1(DBG_TNC, "IETF forwarding enabled field has unknown value %u",
+					   fwd_status);
+		return FAILED;
+	}
+	this->fwd_status = fwd_status;
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_fwd_enabled_t, get_status, os_fwd_status_t,
+	private_ietf_attr_fwd_enabled_t *this)
+{
+	return this->fwd_status;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status)
+{
+	private_ietf_attr_fwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED },
+		.fwd_status = fwd_status,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(chunk_t data)
+{
+	private_ietf_attr_fwd_enabled_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+		},
+		.type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
new file mode 100644
index 000000000..41714380e
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_fwd_enabled ietf_attr_fwd_enabled
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_FWD_ENABLED_H_
+#define IETF_ATTR_FWD_ENABLED_H_
+
+typedef struct ietf_attr_fwd_enabled_t ietf_attr_fwd_enabled_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+#include "os_info/os_info.h"
+
+/**
+ * Class implementing the IETF PA-TNC Forwarding Enabled attribute.
+ *
+ */
+struct ietf_attr_fwd_enabled_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Forwarding Enabled status
+	 *
+	 * @return				Forwarding Enabled status
+	 */
+	os_fwd_status_t (*get_status)(ietf_attr_fwd_enabled_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_fwd_enabled_t object
+ *
+ * @param fwd_status		Forwarding Enabled status
+ */
+pa_tnc_attr_t* ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status);
+
+/**
+ * Creates an ietf_attr_fwd_enabled_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_fwd_enabled_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_FWD_ENABLED_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c
new file mode 100644
index 000000000..462805e38
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.c
@@ -0,0 +1,335 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_installed_packages.h"
+
+#include <string.h>
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+
+typedef struct private_ietf_attr_installed_packages_t private_ietf_attr_installed_packages_t;
+typedef struct package_entry_t package_entry_t;
+
+/**
+ * PA-TNC Installed Packages Type  (see section 4.2.7 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |          Reserved             |         Package Count         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  | Pkg Name Len  |        Package Name (Variable Length)         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |  Version Len  |    Package Version Number (Variable Length)   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define INSTALLED_PACKAGES_MIN_SIZE		4
+
+/**
+ * Private data of an ietf_attr_installed_packages_t object.
+ */
+struct private_ietf_attr_installed_packages_t {
+
+	/**
+	 * Public members of ietf_attr_installed_packages_t
+	 */
+	ietf_attr_installed_packages_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * List of Installed Package entries
+	 */
+	linked_list_t *packages;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+/**
+ * Package entry
+ */
+struct package_entry_t {
+	chunk_t name;
+	chunk_t version;
+};
+
+/**
+ * Free a package entry
+ */
+static void free_package_entry(package_entry_t *entry)
+{
+	free(entry->name.ptr);
+	free(entry->version.ptr);
+	free(entry);
+}
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_installed_packages_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_installed_packages_t *this)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	package_entry_t *entry;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(INSTALLED_PACKAGES_MIN_SIZE);
+	writer->write_uint16(writer, 0x0000);
+	writer->write_uint16(writer, this->packages->get_count(this->packages));
+
+	enumerator = this->packages->create_enumerator(this->packages);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		writer->write_data8(writer, entry->name);
+		writer->write_data8(writer, entry->version);
+	}
+	enumerator->destroy(enumerator);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_installed_packages_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	package_entry_t *entry;
+	status_t status = FAILED;
+	chunk_t name, version;
+	u_int16_t reserved, count;
+	u_char *pos;
+
+	*offset = 0;
+
+	if (this->value.len < INSTALLED_PACKAGES_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF installed packages");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint16(reader, &reserved);
+	reader->read_uint16(reader, &count);
+	*offset = INSTALLED_PACKAGES_MIN_SIZE;
+
+	while (reader->remaining(reader))
+	{
+		if (!reader->read_data8(reader, &name))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF installed package name");
+			goto end;
+		}
+		pos = memchr(name.ptr, '\0', name.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in IETF installed package name");
+			*offset += 1 + (pos - name.ptr);
+			goto end;
+		}
+		*offset += 1 + name.len;
+
+		if (!reader->read_data8(reader, &version))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF installed package version");
+			goto end;
+		}
+		pos = memchr(version.ptr, '\0', version.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in IETF installed package version");
+			*offset += 1 + (pos - version.ptr);
+			goto end;
+		}
+		*offset += 1 + version.len;
+
+		entry = malloc_thing(package_entry_t);
+		entry->name = chunk_clone(name);
+		entry->version = chunk_clone(version);
+		this->packages->insert_last(this->packages, entry);
+	}
+
+	if (count != this->packages->get_count(this->packages))
+	{
+		DBG1(DBG_TNC, "IETF installed package count unequal to "
+					  "number of included packages");
+		goto end;
+	}
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_installed_packages_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_installed_packages_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->packages->destroy_function(this->packages, (void*)free_package_entry);
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_installed_packages_t, add, void,
+	private_ietf_attr_installed_packages_t *this, chunk_t name, chunk_t version)
+{
+	package_entry_t *entry;
+
+	/* restrict package name and package version number fields to 255 octets */
+	name.len = min(255, name.len);
+	version.len = min(255, version.len);
+
+	entry = malloc_thing(package_entry_t);
+	entry->name = chunk_clone(name);
+	entry->version = chunk_clone(version);
+	this->packages->insert_last(this->packages, entry);
+}
+
+/**
+ * Enumerate package filter entries
+ */
+static bool package_filter(void *null, package_entry_t **entry, chunk_t *name,
+						   void *i2, chunk_t *version)
+{
+	*name = (*entry)->name;
+	*version = (*entry)->version;
+	return TRUE;
+}
+
+METHOD(ietf_attr_installed_packages_t, create_enumerator, enumerator_t*,
+	private_ietf_attr_installed_packages_t *this)
+{
+	return enumerator_create_filter(
+						this->packages->create_enumerator(this->packages),
+						(void*)package_filter, NULL, NULL);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_installed_packages_create(void)
+{
+	private_ietf_attr_installed_packages_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
+		.packages = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_installed_packages_create_from_data(chunk_t data)
+{
+	private_ietf_attr_installed_packages_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = {PEN_IETF, IETF_ATTR_INSTALLED_PACKAGES },
+		.value = chunk_clone(data),
+		.packages = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h
new file mode 100644
index 000000000..b79c4040c
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_installed_packages.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_installed_packagest ietf_attr_installed_packages
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_INSTALLED_PACKAGES_H_
+#define IETF_ATTR_INSTALLED_PACKAGES_H_
+
+typedef struct ietf_attr_installed_packages_t ietf_attr_installed_packages_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC Installed Packages attribute.
+ *
+ */
+struct ietf_attr_installed_packages_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Add a package entry
+	 *
+	 * @param name			package name
+	 * @param version		package version number
+	 */
+	void (*add)(ietf_attr_installed_packages_t *this, chunk_t name,
+													  chunk_t version);
+
+	/**
+	 * Enumerates over all packages
+	 * Format:  chunk_t name, chunk_t version
+	 *
+	 * @return				enumerator
+	 */
+	enumerator_t* (*create_enumerator)(ietf_attr_installed_packages_t *this);
+
+};
+
+/**
+ * Creates an ietf_attr_installed_packages_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_installed_packages_create(void);
+
+/**
+ * Creates an ietf_attr_installed_packages_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_installed_packages_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_INSTALLED_PACKAGES_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.c b/src/libimcv/ietf/ietf_attr_numeric_version.c
new file mode 100644
index 000000000..739256457
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_numeric_version.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_numeric_version_t private_ietf_attr_numeric_version_t;
+
+/**
+ * PA-TNC Numeric Version type  (see section 4.2.3 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Major Version Number                   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Minor Version Number                   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                            Build Number                       |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |      Service Pack Major       |      Service Pack Minor       |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define NUMERIC_VERSION_SIZE		16
+
+/**
+ * Private data of an ietf_attr_numeric_version_t object.
+ */
+struct private_ietf_attr_numeric_version_t {
+
+	/**
+	 * Public members of ietf_attr_numeric_version_t
+	 */
+	ietf_attr_numeric_version_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Major Version Number
+	 */
+	u_int32_t major_version;
+
+	/**
+	 * Minor Version Number
+	 */
+	u_int32_t minor_version;
+
+	/**
+	 * IBuild Number
+	 */
+	u_int32_t build;
+
+	/**
+	 * Service Pack Major Number
+	 */
+	u_int16_t service_pack_major;
+
+	/**
+	 * Service Pack Minor Number
+	 */
+	u_int16_t service_pack_minor;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_numeric_version_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_numeric_version_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	writer = bio_writer_create(NUMERIC_VERSION_SIZE);
+	writer->write_uint32(writer, this->major_version);
+	writer->write_uint32(writer, this->minor_version);
+	writer->write_uint32(writer, this->build);
+	writer->write_uint16(writer, this->service_pack_major);
+	writer->write_uint16(writer, this->service_pack_minor);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_numeric_version_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+
+	if (this->value.len < NUMERIC_VERSION_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF numeric version");
+		*offset = 0;
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &this->major_version);
+	reader->read_uint32(reader, &this->minor_version);
+	reader->read_uint32(reader, &this->build);
+	reader->read_uint16(reader, &this->service_pack_major);
+	reader->read_uint16(reader, &this->service_pack_minor);
+	reader->destroy(reader);
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_numeric_version_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_numeric_version_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_numeric_version_t, get_version, void,
+	private_ietf_attr_numeric_version_t *this, u_int32_t *major, u_int32_t *minor)
+{
+	if (major)
+	{
+		*major = this->major_version;
+	}
+	if (minor)
+	{
+		*minor = this->minor_version;
+	}
+}
+
+METHOD(ietf_attr_numeric_version_t, get_build, u_int32_t,
+	private_ietf_attr_numeric_version_t *this)
+{
+	return this->build;
+}
+
+METHOD(ietf_attr_numeric_version_t, get_service_pack, void,
+	private_ietf_attr_numeric_version_t *this, u_int16_t *major, u_int16_t *minor)
+{
+	if (major)
+	{
+		*major = this->service_pack_major;
+	}
+	if (minor)
+	{
+		*minor = this->service_pack_minor;
+	}
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor,
+												u_int32_t build,
+												u_int16_t service_pack_major,
+												u_int16_t service_pack_minor)
+{
+	private_ietf_attr_numeric_version_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+			.get_build = _get_build,
+			.get_service_pack = _get_service_pack,
+		},
+		.type = { PEN_IETF, IETF_ATTR_NUMERIC_VERSION },
+		.major_version = major,
+		.minor_version = minor,
+		.build = build,
+		.service_pack_major = service_pack_major,
+		.service_pack_minor = service_pack_minor,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_numeric_version_create_from_data(chunk_t data)
+{
+	private_ietf_attr_numeric_version_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+			.get_build = _get_build,
+			.get_service_pack = _get_service_pack,
+		},
+		.type = { PEN_IETF, IETF_ATTR_NUMERIC_VERSION },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h
new file mode 100644
index 000000000..bbda6b895
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_numeric_versiont ietf_attr_numeric_version
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_NUMERIC_VERSION_H_
+#define IETF_ATTR_NUMERIC_VERSION_H_
+
+typedef struct ietf_attr_numeric_version_t ietf_attr_numeric_version_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC String Version attribute.
+ *
+ */
+struct ietf_attr_numeric_version_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Major and Minor Version Numbers
+	 *
+	 * @param major			Major Version Number
+	 * @param minor			Minor Version Number
+	 */
+	void (*get_version)(ietf_attr_numeric_version_t *this,
+						u_int32_t *major, u_int32_t *minor);
+
+	/**
+	 * Gets the Build Number
+	 *
+	 * @param major			Major Version Number
+	 * @param minor			Minor Version Number
+	 */
+	u_int32_t (*get_build)(ietf_attr_numeric_version_t *this);
+
+	/**
+	 * Gets the Major and Minor Numbers of the Service Pack
+	 *
+	 * @param major			Service Pack Major Number
+	 * @param minor			Servcie Pack Minor Number
+	 */
+	void (*get_service_pack)(ietf_attr_numeric_version_t *this,
+							 u_int16_t *major, u_int16_t *minor);
+};
+
+/**
+ * Creates an ietf_attr_numeric_version_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_numeric_version_create(u_int32_t major, u_int32_t minor,
+												u_int32_t build,
+												u_int16_t service_pack_major,
+												u_int16_t service_pack_minor);
+
+/**
+ * Creates an ietf_attr_numeric_version_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_numeric_version_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_NUMERIC_VERSION_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_op_status.c b/src/libimcv/ietf/ietf_attr_op_status.c
new file mode 100644
index 000000000..23530684a
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_op_status.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_op_status.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+#include <time.h>
+
+typedef struct private_ietf_attr_op_status_t private_ietf_attr_op_status_t;
+
+ENUM(op_status_names, OP_STATUS_UNKNOWN, OP_STATUS_OPERATIONAL,
+	"unknown",
+	"not installed",
+	"installed",
+	"operational"
+);
+
+ENUM(op_result_names, OP_RESULT_UNKNOWN, OP_RESULT_UNSUCCESSFUL,
+	"unknown",
+	"successful",
+	"errored",
+	"unsuccessful"
+);
+
+/**
+ * PA-TNC Operational Status type  (see section 4.2.5 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Status     |     Result    |         Reserved              |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                          Last Use                             |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Last Use (continued)                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define OP_STATUS_SIZE		24
+
+/**
+ * Private data of an ietf_attr_op_status_t object.
+ */
+struct private_ietf_attr_op_status_t {
+
+	/**
+	 * Public members of ietf_attr_op_status_t
+	 */
+	ietf_attr_op_status_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Status
+	 */
+	u_int8_t status;
+
+	/**
+	 * Result
+	 */
+	u_int8_t result;
+
+	/**
+	 * Last Use
+	 */
+	time_t last_use;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_op_status_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_op_status_t *this)
+{
+	bio_writer_t *writer;
+	char last_use[24];
+	struct tm t;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	/* Conversion from time_t to RFC 3339 ASCII string */
+	gmtime_r(&this->last_use, &t);
+	snprintf(last_use, 21, "%04d-%02d-%02dT%02d:%02d:%02dZ", 1900 + t.tm_year,
+			 t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
+
+	writer = bio_writer_create(OP_STATUS_SIZE);
+	writer->write_uint8 (writer, this->status);
+	writer->write_uint8 (writer, this->result);
+	writer->write_uint16(writer, 0x0000);
+	writer->write_data  (writer, chunk_create(last_use, 20));
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_op_status_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	chunk_t last_use;
+	u_int16_t reserved;
+	struct tm t;
+
+	*offset = 0;
+
+	if (this->value.len != OP_STATUS_SIZE)
+	{
+		DBG1(DBG_TNC, "incorrect size for IETF operational status");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint8 (reader, &this->status);
+	reader->read_uint8 (reader, &this->result);
+	reader->read_uint16(reader, &reserved);
+	reader->read_data  (reader, 20, &last_use);
+	reader->destroy(reader);
+
+	if (this->status > OP_STATUS_ROOF)
+	{
+		DBG1(DBG_TNC, "invalid status value %c for IETF operational status",
+					   this->status);
+		return FAILED;
+	}
+
+	*offset = 1;
+
+	if (this->result > OP_RESULT_ROOF)
+	{
+		DBG1(DBG_TNC, "invalid result value %c for IETF operational status",
+					   this->result);
+		return FAILED;
+	}
+
+	*offset = 4;
+
+	/* Conversion from RFC 3339 ASCII string to time_t */
+	if (sscanf(last_use.ptr, "%4d-%2d-%2dT%2d:%2d:%2dZ", &t.tm_year, &t.tm_mon,
+			   &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec) != 6)
+	{
+		DBG1(DBG_TNC, "invalid last_use time format in IETF operational status");
+		return FAILED;
+	}
+	t.tm_year -= 1900;
+	t.tm_mon -= 1;
+	t.tm_isdst = 0;
+	this->last_use = mktime(&t) - timezone;
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_op_status_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_op_status_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_op_status_t, get_status, u_int8_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->status;
+}
+
+METHOD(ietf_attr_op_status_t, get_result, u_int8_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->result;
+}
+
+METHOD(ietf_attr_op_status_t, get_last_use, time_t,
+	private_ietf_attr_op_status_t *this)
+{
+	return this->last_use;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
+										  time_t last_use)
+{
+	private_ietf_attr_op_status_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+			.get_result = _get_result,
+			.get_last_use = _get_last_use,
+		},
+		.type = { PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS },
+		.status = status,
+		.result = result,
+		.last_use = last_use,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_op_status_create_from_data(chunk_t data)
+{
+	private_ietf_attr_op_status_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_status = _get_status,
+			.get_result = _get_result,
+			.get_last_use = _get_last_use,
+		},
+		.type = { PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h
new file mode 100644
index 000000000..b70fab608
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_op_status.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_op_statust ietf_attr_op_status
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_OP_STATUS_H_
+#define IETF_ATTR_OP_STATUS_H_
+
+typedef struct ietf_attr_op_status_t ietf_attr_op_status_t;
+typedef enum op_status_t op_status_t;
+typedef enum op_result_t op_result_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Operational Status type
+ */
+enum op_status_t {
+	OP_STATUS_UNKNOWN =       0,
+	OP_STATUS_NOT_INSTALLED = 1,
+	OP_STATUS_INSTALLED =     2,
+	OP_STATUS_OPERATIONAL =   3,
+	OP_STATUS_ROOF =          3
+};
+
+extern enum_name_t *op_status_names;
+
+/**
+ * Operational Result type
+ */
+enum op_result_t {
+	OP_RESULT_UNKNOWN =      0,
+	OP_RESULT_SUCCESSFUL =   1,
+	OP_RESULT_ERRORED =      2,
+	OP_RESULT_UNSUCCESSFUL = 3,
+	OP_RESULT_ROOF         = 3
+};
+
+extern enum_name_t *op_result_names;
+
+/**
+ * Class implementing the IETF PA-TNC Operational Status attribute.
+ *
+ */
+struct ietf_attr_op_status_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Operational Status
+	 *
+	 * @return				Operational Status
+	 */
+	u_int8_t (*get_status)(ietf_attr_op_status_t *this);
+
+	/**
+	 * Gets the Operational Result
+	 *
+	 * @return				Operational Result
+	 */
+	u_int8_t (*get_result)(ietf_attr_op_status_t *this);
+
+	/**
+	 * Gets the time of last use
+	 *
+	 * @return				Time of last use
+	 */
+	time_t (*get_last_use)(ietf_attr_op_status_t *this);
+};
+
+/**
+ * Creates an ietf_attr_op_status_t object
+ *
+ * @param status			Operational Status
+ * @param result			Operational Result
+ * @param last_use			Time of last use
+ */
+pa_tnc_attr_t* ietf_attr_op_status_create(u_int8_t status, u_int8_t result,
+										  time_t last_use);
+
+/**
+ * Creates an ietf_attr_op_status_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_op_status_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_OP_STATUS_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
index 6daee1a77..5f20f8958 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(pa_tnc_error_code_names, PA_ERROR_RESERVED,
 							  PA_ERROR_ATTR_TYPE_NOT_SUPPORTED,
@@ -79,7 +80,7 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
  *  |  Max Version  |  Min Version  |            Reserved           |
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
-	
+
 #define PA_ERROR_VERSION_RESERVED	0x0000
 
 /**
@@ -107,14 +108,9 @@ struct private_ietf_attr_pa_tnc_error_t {
 	ietf_attr_pa_tnc_error_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -127,14 +123,9 @@ struct private_ietf_attr_pa_tnc_error_t {
 	bool noskip_flag;
 
 	/**
-	 * Error code vendor ID
+	 * Vendor-specific error code
 	 */
-	pen_t error_vendor_id;
-
-	/**
-	 * Error code
-	 */
-	u_int32_t error_code;
+	pen_type_t error_code;
 
 	/**
 	 * First 8 bytes of erroneous PA-TNC message
@@ -157,13 +148,7 @@ struct private_ietf_attr_pa_tnc_error_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_ietf_attr_pa_tnc_error_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_ietf_attr_pa_tnc_error_t *this)
 {
 	return this->type;
@@ -192,15 +177,19 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE);
 	writer->write_uint8 (writer, PA_ERROR_RESERVED);
-	writer->write_uint24(writer, this->error_vendor_id);
-	writer->write_uint32(writer, this->error_code);
+	writer->write_uint24(writer, this->error_code.vendor_id);
+	writer->write_uint32(writer, this->error_code.type);
 	writer->write_data  (writer, this->msg_info);
-	
-	if (this->error_vendor_id == PEN_IETF)
+
+	if (this->error_code.vendor_id == PEN_IETF)
 	{
-		switch (this->error_code)
+		switch (this->error_code.type)
 		{
 			case PA_ERROR_INVALID_PARAMETER:
 				writer->write_uint32(writer, this->error_offset);
@@ -217,7 +206,7 @@ METHOD(pa_tnc_attr_t, build, void,
 				break;
 		}
 	}
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -235,10 +224,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	}
 	reader = bio_reader_create(this->value);
 	reader->read_uint8 (reader, &reserved);
-	reader->read_uint24(reader, &this->error_vendor_id);
-	reader->read_uint32(reader, &this->error_code);
+	reader->read_uint24(reader, &this->error_code.vendor_id);
+	reader->read_uint32(reader, &this->error_code.type);
 
-	if (this->error_vendor_id == PEN_IETF)
+	if (this->error_code.vendor_id == PEN_IETF)
 	{
 		if (!reader->read_data(reader, PA_ERROR_MSG_INFO_SIZE, &this->msg_info))
 		{
@@ -249,7 +238,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		}
 		this->msg_info = chunk_clone(this->msg_info);
 
-		switch (this->error_code)
+		switch (this->error_code.type)
 		{
 			case PA_ERROR_INVALID_PARAMETER:
 				if (!reader->read_uint32(reader, &this->error_offset))
@@ -283,7 +272,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	}
 	reader->destroy(reader);
 
-	return SUCCESS;	
+	return SUCCESS;
 }
 
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -305,13 +294,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 	}
 }
 
-METHOD(ietf_attr_pa_tnc_error_t, get_error_vendor_id, pen_t,
-	private_ietf_attr_pa_tnc_error_t *this)
-{
-	return this->error_vendor_id;
-}
-
-METHOD(ietf_attr_pa_tnc_error_t, get_error_code, u_int32_t,
+METHOD(ietf_attr_pa_tnc_error_t, get_error_code, pen_type_t,
 	private_ietf_attr_pa_tnc_error_t *this)
 {
 	return this->error_code;
@@ -342,27 +325,15 @@ METHOD(ietf_attr_pa_tnc_error_t, get_offset, u_int32_t,
 }
 
 /**
- * Described in header.
+ * Generic constructor
  */
-pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
-											 u_int32_t error_code,
-											 chunk_t msg_info)
+static private_ietf_attr_pa_tnc_error_t* create_generic()
 {
 	private_ietf_attr_pa_tnc_error_t *this;
 
-	if (vendor_id == PEN_IETF)
-	{
-		msg_info.len = PA_ERROR_MSG_INFO_SIZE;
-	}
-	else if (msg_info.len > PA_ERROR_MSG_INFO_MAX_SIZE)
-	{
-		msg_info.len = PA_ERROR_MSG_INFO_MAX_SIZE;
-	}
-
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -372,29 +343,47 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
-			.get_vendor_id = _get_error_vendor_id,
 			.get_error_code = _get_error_code,
 			.get_msg_info = _get_msg_info,
 			.get_attr_info = _get_attr_info,
 			.set_attr_info = _set_attr_info,
 			.get_offset = _get_offset,
 		},
-		.vendor_id = PEN_IETF,
-		.type = IETF_ATTR_PA_TNC_ERROR,
-		.error_vendor_id = vendor_id,
-		.error_code = error_code,
-		.msg_info = chunk_clone(msg_info),
+		.type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
 		.ref = 1,
 	);
 
+	return this;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_type_t error_code,
+											 chunk_t msg_info)
+{
+	private_ietf_attr_pa_tnc_error_t *this;
+
+	if (error_code.vendor_id == PEN_IETF)
+	{
+		msg_info.len = PA_ERROR_MSG_INFO_SIZE;
+	}
+	else if (msg_info.len > PA_ERROR_MSG_INFO_MAX_SIZE)
+	{
+		msg_info.len = PA_ERROR_MSG_INFO_MAX_SIZE;
+	}
+
+	this = create_generic();
+	this->error_code = error_code;
+	this->msg_info = chunk_clone(msg_info);
+
 	return &this->public.pa_tnc_attribute;
 }
 
 /**
  * Described in header.
  */
-pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_t vendor_id,
-														 u_int32_t error_code,
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code,
 														 chunk_t msg_info,
 														 u_int32_t error_offset)
 {
@@ -403,34 +392,10 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_t vendor_id,
 	/* the first 8 bytes of the erroneous PA-TNC message are sent back */
 	msg_info.len = PA_ERROR_MSG_INFO_SIZE;
 
-	INIT(this,
-		.public = {
-			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
-				.get_type = _get_type,
-				.get_value = _get_value,
-				.get_noskip_flag = _get_noskip_flag,
-				.set_noskip_flag = _set_noskip_flag,
-				.build = _build,
-				.process = _process,
-				.get_ref = _get_ref,
-				.destroy = _destroy,
-			},
-			.get_vendor_id = _get_error_vendor_id,
-			.get_error_code = _get_error_code,
-			.get_msg_info = _get_msg_info,
-			.get_attr_info = _get_attr_info,
-			.set_attr_info = _set_attr_info,
-			.get_offset = _get_offset,
-		},
-		.vendor_id = PEN_IETF,
-		.type = IETF_ATTR_PA_TNC_ERROR,
-		.error_vendor_id = vendor_id,
-		.error_code = error_code,
-		.msg_info = chunk_clone(msg_info),
-		.error_offset = error_offset,
-		.ref = 1,
-	);
+	this = create_generic();
+	this->error_code = error_code;
+	this->msg_info = chunk_clone(msg_info);
+	this->error_offset = error_offset;
 
 	return &this->public.pa_tnc_attribute;
 }
@@ -442,31 +407,8 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
 {
 	private_ietf_attr_pa_tnc_error_t *this;
 
-	INIT(this,
-		.public = {
-			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
-				.get_type = _get_type,
-				.get_value = _get_value,
-				.build = _build,
-				.process = _process,
-				.get_ref = _get_ref,
-				.destroy = _destroy,
-			},
-			.get_vendor_id = _get_error_vendor_id,
-			.get_error_code = _get_error_code,
-			.get_msg_info = _get_msg_info,
-			.get_attr_info = _get_attr_info,
-			.set_attr_info = _set_attr_info,
-			.get_offset = _get_offset,
-		},
-		.vendor_id = PEN_IETF,
-		.type = IETF_ATTR_PA_TNC_ERROR,
-		.value = chunk_clone(data),
-		.ref = 1,
-	);
+	this = create_generic();
+	this->value = chunk_clone(data);
 
 	return &this->public.pa_tnc_attribute;
 }
-
-
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
index 945e06c62..faa38f8f9 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_pa_tnc_errort ietf_attr_pa_tnc_error
- * @{ @ingroup ietf_attr_pa_tnc_error
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_PA_TNC_ERROR_H_
@@ -55,18 +55,11 @@ struct ietf_attr_pa_tnc_error_t {
 	pa_tnc_attr_t pa_tnc_attribute;
 
 	/**
-	 * Get PA-TNC error code vendor ID
-	 *
-	 * @return				error code vendor ID
-	 */
-	pen_t (*get_vendor_id)(ietf_attr_pa_tnc_error_t *this);
-
-	/**
-	 * Get PA-TNC error code
+	 * Get Vendor-specific PA-TNC error code
 	 *
 	 * @return				error code
 	 */
-	pa_tnc_error_code_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this);
+	pen_type_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this);
 
 	/**
 	 * Get first 8 bytes of erroneous PA-TNC message
@@ -101,26 +94,22 @@ struct ietf_attr_pa_tnc_error_t {
 /**
  * Creates an ietf_attr_pa_tnc_error_t object from an error code
  *
- * @param vendor_id			PA-TNC error code vendor ID
- * @param error_code		PA-TNC error code
+ * @param error_code		Vendor-specific PA-TNC error code
  * @param header			PA-TNC message header (first 8 bytes)
- * 
+ *
  */
-pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_t vendor_id,
-											 u_int32_t error_code,
+pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_type_t error_code,
 											 chunk_t header);
 
 /**
  * Creates an ietf_attr_pa_tnc_error_t object from an error code with offset
  *
- * @param vendor_id			PA-TNC error code vendor ID
- * @param error_code		PA-TNC error code
+ * @param error_code		Vendor-specifica PA-TNC error code
  * @param header			PA-TNC message header (first 8 bytes)
  * @param error_offset		PA-TNC error offset in bytes
- * 
+ *
  */
-pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_with_offset(pen_t vendor_id,
-														 u_int32_t error_code,
+pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code,
 														 chunk_t header,
 														 u_int32_t error_offset);
 
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c
index b53019657..1d516a51f 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.c
+++ b/src/libimcv/ietf/ietf_attr_port_filter.c
@@ -17,8 +17,8 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 
 typedef struct private_ietf_attr_port_filter_t private_ietf_attr_port_filter_t;
@@ -36,8 +36,8 @@ struct port_entry_t {
 /**
  * PA-TNC Port Filter Type  (see section 4.2.6 of RFC 5792)
  *
- *                        1                   2                   3
- *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |   Reserved  |B|    Protocol   |         Port Number           |
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -58,14 +58,9 @@ struct private_ietf_attr_port_filter_t {
 	ietf_attr_port_filter_t public;
 
 	/**
-	 * Attribute vendor ID
+	 * Vendor-specific attribute type
 	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
-	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -88,13 +83,7 @@ struct private_ietf_attr_port_filter_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_ietf_attr_port_filter_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_ietf_attr_port_filter_t *this)
 {
 	return this->type;
@@ -125,6 +114,10 @@ METHOD(pa_tnc_attr_t, build, void,
 	enumerator_t *enumerator;
 	port_entry_t *entry;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(this->ports->get_count(this->ports) *
 							   PORT_FILTER_ENTRY_SIZE);
 
@@ -137,7 +130,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -159,7 +152,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	while (reader->remaining(reader))
 	{
-		entry = malloc_thing(port_entry_t);	
+		entry = malloc_thing(port_entry_t);
 		reader->read_uint8 (reader, &blocked);
 		entry->blocked = blocked & 0x01;
 		reader->read_uint8 (reader, &entry->protocol);
@@ -168,7 +161,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	}
 	reader->destroy(reader);
 
-	return SUCCESS;	
+	return SUCCESS;
 }
 
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -199,7 +192,7 @@ METHOD(ietf_attr_port_filter_t, add_port, void,
 	entry->blocked = blocked;
 	entry->protocol = protocol;
 	entry->port = port;
-	this->ports->insert_last(this->ports, entry);	
+	this->ports->insert_last(this->ports, entry);
 }
 
 /**
@@ -232,7 +225,6 @@ pa_tnc_attr_t *ietf_attr_port_filter_create(void)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -245,8 +237,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create(void)
 			.add_port = _add_port,
 			.create_port_enumerator = _create_port_enumerator,
 		},
-		.vendor_id = PEN_IETF,
-		.type = IETF_ATTR_PORT_FILTER,
+		.type = { PEN_IETF, IETF_ATTR_PORT_FILTER },
 		.ports = linked_list_create(),
 		.ref = 1,
 	);
@@ -264,9 +255,10 @@ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
@@ -275,8 +267,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(chunk_t data)
 			.add_port = _add_port,
 			.create_port_enumerator = _create_port_enumerator,
 		},
-		.vendor_id = PEN_IETF,
-		.type = IETF_ATTR_PORT_FILTER,
+		.type = {PEN_IETF, IETF_ATTR_PORT_FILTER },
 		.value = chunk_clone(data),
 		.ports = linked_list_create(),
 		.ref = 1,
diff --git a/src/libimcv/ietf/ietf_attr_port_filter.h b/src/libimcv/ietf/ietf_attr_port_filter.h
index ad5553417..93b696e45 100644
--- a/src/libimcv/ietf/ietf_attr_port_filter.h
+++ b/src/libimcv/ietf/ietf_attr_port_filter.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_port_filtert ietf_attr_port_filter
- * @{ @ingroup ietf_attr_port_filter
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_PORT_FILTER_H_
diff --git a/src/libimcv/ietf/ietf_attr_product_info.c b/src/libimcv/ietf/ietf_attr_product_info.c
index 548793547..a107c27d3 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.c
+++ b/src/libimcv/ietf/ietf_attr_product_info.c
@@ -17,7 +17,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_ietf_attr_product_info_t private_ietf_attr_product_info_t;
 
@@ -46,14 +46,9 @@ struct private_ietf_attr_product_info_t {
 	ietf_attr_product_info_t public;
 
 	/**
-	 * Attribute vendor ID
+	 * Vendor-specific attribute type
 	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
-	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -78,7 +73,7 @@ struct private_ietf_attr_product_info_t {
 	/**
 	 * Product Name
 	 */
-	char *product_name;
+	chunk_t product_name;
 
 	/**
 	 * Reference count
@@ -86,13 +81,7 @@ struct private_ietf_attr_product_info_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_ietf_attr_product_info_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_ietf_attr_product_info_t *this)
 {
 	return this->type;
@@ -120,16 +109,17 @@ METHOD(pa_tnc_attr_t, build, void,
 	private_ietf_attr_product_info_t *this)
 {
 	bio_writer_t *writer;
-	chunk_t product_name;
-
-	product_name = chunk_create(this->product_name, strlen(this->product_name));
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PRODUCT_INFO_MIN_SIZE);
 	writer->write_uint24(writer, this->product_vendor_id);
 	writer->write_uint16(writer, this->product_id);
-	writer->write_data  (writer, product_name);
+	writer->write_data  (writer, this->product_name);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -151,9 +141,14 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_data  (reader, reader->remaining(reader), &product_name);
 	reader->destroy(reader);
 
-	this->product_name = malloc(product_name.len + 1);
-	memcpy(this->product_name, product_name.ptr, product_name.len);
-	this->product_name[product_name.len] = '\0';
+	if (!this->product_vendor_id && this->product_id)
+	{
+		DBG1(DBG_TNC, "IETF product information vendor ID is 0 "
+					  "but product ID is not 0");
+		*offset = 3;
+		return FAILED;
+	}
+	this->product_name = chunk_clone(product_name);
 
 	return SUCCESS;
 }
@@ -170,13 +165,13 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		free(this->product_name);
+		free(this->product_name.ptr);
 		free(this->value.ptr);
 		free(this);
 	}
 }
 
-METHOD(ietf_attr_product_info_t, get_info, char*,
+METHOD(ietf_attr_product_info_t, get_info, chunk_t,
 	private_ietf_attr_product_info_t *this, pen_t *vendor_id, u_int16_t *id)
 {
 	if (vendor_id)
@@ -194,14 +189,13 @@ METHOD(ietf_attr_product_info_t, get_info, char*,
  * Described in header.
  */
 pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
-											 char *name)
+											 chunk_t name)
 {
 	private_ietf_attr_product_info_t *this;
 
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -213,11 +207,10 @@ pa_tnc_attr_t *ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
 			},
 			.get_info = _get_info,
 		},
-		.vendor_id = PEN_IETF,
-		.type = IETF_ATTR_PRODUCT_INFORMATION,
+		.type = { PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION },
 		.product_vendor_id = vendor_id,
 		.product_id = id,
-		.product_name = strdup(name),
+		.product_name = chunk_clone(name),
 		.ref = 1,
 	);
 
@@ -234,9 +227,10 @@ pa_tnc_attr_t *ietf_attr_product_info_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
@@ -244,8 +238,7 @@ pa_tnc_attr_t *ietf_attr_product_info_create_from_data(chunk_t data)
 			},
 			.get_info = _get_info,
 		},
-		.vendor_id = PEN_IETF,
-		.type = IETF_ATTR_PRODUCT_INFORMATION,
+		.type = { PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ietf/ietf_attr_product_info.h b/src/libimcv/ietf/ietf_attr_product_info.h
index f1dfc3e83..d0b2d2a84 100644
--- a/src/libimcv/ietf/ietf_attr_product_info.h
+++ b/src/libimcv/ietf/ietf_attr_product_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup ietf_attr_product_infot ietf_attr_product_info
- * @{ @ingroup ietf
+ * @{ @ingroup ietf_attr
  */
 
 #ifndef IETF_ATTR_PRODUCT_INFO_H_
@@ -45,8 +45,8 @@ struct ietf_attr_product_info_t {
 	 * @param id			Product ID
 	 * @return				Product Name
 	 */
-	char* (*get_info)(ietf_attr_product_info_t *this,
-					  pen_t *vendor_id, u_int16_t *id);
+	chunk_t (*get_info)(ietf_attr_product_info_t *this,
+						pen_t *vendor_id, u_int16_t *id);
 
 };
 
@@ -55,7 +55,7 @@ struct ietf_attr_product_info_t {
  *
  */
 pa_tnc_attr_t* ietf_attr_product_info_create(pen_t vendor_id, u_int16_t id,
-											 char *name);
+											 chunk_t name);
 
 /**
  * Creates an ietf_attr_product_info_t object from received data
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.c b/src/libimcv/ietf/ietf_attr_remediation_instr.c
new file mode 100644
index 000000000..5d85e5d89
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_remediation_instr.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_remediation_instr_t private_ietf_attr_remediation_instr_t;
+
+/**
+ * PA-TNC Remediation Instructions type  (see section 4.2.10 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Reserved   |       Remediation Parameters Vendor ID        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                  Remediation Parameters Type                  |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |            Remediation Parameters (Variable Length)           |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define REMEDIATION_INSTR_MIN_SIZE		8
+#define REMEDIATION_INSTR_RESERVED		0x00
+
+/**
+ * IETF Remediation Parameters URI type  (see section 4.2.10.1 of RFC 5792)
+ *
+ *                     1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                 Remediation URI (Variable Length)             |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * IETF Remediation Parameters String type  (see section 4.2.10.2 of RFC 5792)
+ *
+ *                     1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                   Remediation String Length                   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                Remediation String (Variable Length)           |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  | Lang Code Len |  Remediation String Lang Code (Variable Len)  |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of an ietf_attr_remediation_instr_t object.
+ */
+struct private_ietf_attr_remediation_instr_t {
+
+	/**
+	 * Public members of ietf_attr_remediation_instr_t
+	 */
+	ietf_attr_remediation_instr_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Remediation Parameters Type
+	 */
+	pen_type_t parameters_type;
+
+	/**
+	 * Remediation Parameters
+	 */
+	chunk_t parameters;
+
+	/**
+	 * Remediation String
+	 */
+	chunk_t string;
+
+	/**
+	 * Remediation Language Code
+	 */
+	chunk_t lang_code;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_remediation_instr_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	writer = bio_writer_create(REMEDIATION_INSTR_MIN_SIZE);
+	writer->write_uint8 (writer, REMEDIATION_INSTR_RESERVED);
+	writer->write_uint24(writer, this->parameters_type.vendor_id);
+	writer->write_uint32(writer, this->parameters_type.type);
+	writer->write_data  (writer, this->parameters);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_remediation_instr_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int8_t reserved;
+	status_t status = SUCCESS;
+	u_char *pos;
+
+	*offset = 0;
+
+	if (this->value.len < REMEDIATION_INSTR_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF remediation instructions");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &this->parameters_type.vendor_id);
+	reader->read_uint32(reader, &this->parameters_type.type);
+	reader->read_data  (reader, reader->remaining(reader), &this->parameters);
+
+	this->parameters = chunk_clone(this->parameters);
+	reader->destroy(reader);
+
+	if (this->parameters_type.vendor_id == PEN_IETF &&
+		this->parameters_type.type == IETF_REMEDIATION_PARAMETERS_STRING)
+	{
+		reader = bio_reader_create(this->parameters);
+		status = FAILED;
+		*offset = 8;
+
+		if (!reader->read_data32(reader, &this->string))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF remediation string");
+			goto end;
+		}
+		*offset += 4;
+
+		pos = memchr(this->string.ptr, '\0', this->string.len);
+		if (pos)
+		{
+			DBG1(DBG_TNC, "nul termination in IETF remediation string");
+			*offset += (pos - this->string.ptr);
+			goto end;
+		}
+		*offset += this->string.len;
+
+		if (!reader->read_data8(reader, &this->lang_code))
+		{
+			DBG1(DBG_TNC, "insufficient data for IETF remediation lang code");
+			goto end;
+		}
+		status = SUCCESS;
+
+end:
+		reader->destroy(reader);
+	}
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->parameters.ptr);
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_parameters_type, pen_type_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->parameters_type;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_parameters, chunk_t,
+	private_ietf_attr_remediation_instr_t *this)
+{
+	return this->parameters;
+}
+
+METHOD(ietf_attr_remediation_instr_t, get_string, chunk_t,
+	private_ietf_attr_remediation_instr_t *this, chunk_t *lang_code)
+{
+	if (lang_code)
+	{
+		*lang_code = this->lang_code;
+	}
+	return this->string;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create(pen_type_t parameters_type,
+												  chunk_t parameters)
+{
+	private_ietf_attr_remediation_instr_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_parameters,
+			.get_string = _get_string,
+		},
+		.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
+		.parameters_type = parameters_type,
+		.parameters = chunk_clone(parameters),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_uri(chunk_t uri)
+{
+	pen_type_t type = { PEN_IETF, IETF_REMEDIATION_PARAMETERS_URI };
+
+	return ietf_attr_remediation_instr_create(type, uri);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_string(chunk_t string,
+															  chunk_t lang_code)
+{
+	pa_tnc_attr_t *attr;
+	bio_writer_t *writer;
+	pen_type_t type = { PEN_IETF, IETF_REMEDIATION_PARAMETERS_STRING };
+
+	/* limit language code to 255 octets */
+	lang_code.len = min(255, lang_code.len);
+
+	writer = bio_writer_create(4 + string.len + 1 + lang_code.len);
+	writer->write_data32(writer, string);
+	writer->write_data8 (writer, lang_code);
+
+	attr = ietf_attr_remediation_instr_create(type, writer->get_buf(writer));
+	writer->destroy(writer);
+
+	return attr;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_remediation_instr_create_from_data(chunk_t data)
+{
+	private_ietf_attr_remediation_instr_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_parameters_type = _get_parameters_type,
+			.get_parameters = _get_parameters,
+			.get_uri = _get_parameters,
+			.get_string = _get_string,
+		},
+		.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.h b/src/libimcv/ietf/ietf_attr_remediation_instr.h
new file mode 100644
index 000000000..5c7c8891b
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_remediation_instr.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_remediation_instrt ietf_attr_remediation_instr
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_REMEDIATION_INSTR_H_
+#define IETF_ATTR_REMEDIATION_INSTR_H_
+
+typedef struct ietf_attr_remediation_instr_t ietf_attr_remediation_instr_t;
+typedef enum ietf_remediation_parameters_t ietf_remediation_parameters_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+enum ietf_remediation_parameters_t {
+	IETF_REMEDIATION_PARAMETERS_URI =    1,
+	IETF_REMEDIATION_PARAMETERS_STRING = 2
+};
+
+/**
+ * Class implementing the IETF PA-TNC Remediation Instructions attribute.
+ *
+ */
+struct ietf_attr_remediation_instr_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Get the Remediation Parameters Type (Vendor ID and Type)
+	 *
+	 * @return				Remediation Parameters Type
+	 */
+	pen_type_t (*get_parameters_type)(ietf_attr_remediation_instr_t *this);
+
+	/**
+	 * Get the Remediation Parameters
+	 *
+	 * @return				Remediation Parameters
+	 */
+	chunk_t (*get_parameters)(ietf_attr_remediation_instr_t *this);
+
+	/**
+	 * Get the Remediation URI
+	 *
+	 * @return				Remediation URI
+	 */
+	chunk_t (*get_uri)(ietf_attr_remediation_instr_t *this);
+
+	/**
+	 * Get the Remediation String
+	 *
+	 * @param lang_code		Optional Language Code
+	 * @return				Remediation String
+	 */
+	chunk_t (*get_string)(ietf_attr_remediation_instr_t *this,
+						  chunk_t *lang_code);
+};
+
+/**
+ * Creates a general ietf_attr_remediation_instr_t object
+ *
+ * @param parameters_type	Remediation Parameters Type
+ * @param parameters		Remediation Parameters
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create(pen_type_t parameters_type,
+												  chunk_t parameters);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object of Remediation URI Type
+ *
+ * @param uri				Remediation URI
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_uri(chunk_t uri);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object of Remediation String Type
+ *
+ * @param string			Remediation String
+ * @param lang_code			Remediation String Language Code
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_string(chunk_t string,
+															  chunk_t lang_code);
+
+/**
+ * Creates an ietf_attr_remediation_instr_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_remediation_instr_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_REMEDIATION_INSTR_H_ @}*/
diff --git a/src/libimcv/ietf/ietf_attr_string_version.c b/src/libimcv/ietf/ietf_attr_string_version.c
new file mode 100644
index 000000000..68adde612
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_string_version.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_string_version.h"
+
+#include <pa_tnc/pa_tnc_msg.h>
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+typedef struct private_ietf_attr_string_version_t private_ietf_attr_string_version_t;
+
+/**
+ * PA-TNC String Version type  (see section 4.2.4 of RFC 5792)
+ *
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |  Version Len  |   Product Version Number (Variable Length)    |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  | Build Num Len |   Internal Build Number (Variable Length)     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |  Config. Len  | Configuration Version Number (Variable Length)|
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define STRING_VERSION_MIN_SIZE		3
+
+/**
+ * Private data of an ietf_attr_string_version_t object.
+ */
+struct private_ietf_attr_string_version_t {
+
+	/**
+	 * Public members of ietf_attr_string_version_t
+	 */
+	ietf_attr_string_version_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Product Version Number
+	 */
+	chunk_t version;
+
+	/**
+	 * Internal Build Number
+	 */
+	chunk_t build;
+
+	/**
+	 * Configuration Version Number
+	 */
+	chunk_t config;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ietf_attr_string_version_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_string_version_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_string_version_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_string_version_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_string_version_t *this)
+{
+	bio_writer_t *writer;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
+	writer = bio_writer_create(STRING_VERSION_MIN_SIZE);
+	writer->write_data8(writer, this->version);
+	writer->write_data8(writer, this->build);
+	writer->write_data8(writer, this->config);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_string_version_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	status_t status = FAILED;
+	chunk_t version, build, config;
+	u_char *pos;
+
+	*offset = 0;
+
+	if (this->value.len < STRING_VERSION_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF string version");
+		return FAILED;
+	}
+	reader = bio_reader_create(this->value);
+
+	if (!reader->read_data8(reader, &version))
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF product version number");
+		goto end;
+
+	}
+	pos = memchr(version.ptr, '\0', version.len);
+	if (pos)
+	{
+		DBG1(DBG_TNC, "nul termination in IETF product version number");
+		*offset += 1 + (pos - version.ptr);
+		goto end;
+	}
+	*offset += 1 + version.len;
+
+	if (!reader->read_data8(reader, &build))
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF internal build number");
+		goto end;
+
+	}
+	pos = memchr(build.ptr, '\0', build.len);
+	if (pos)
+	{
+		DBG1(DBG_TNC, "nul termination in IETF internal build number");
+		*offset += 1 + (pos - build.ptr);
+		goto end;
+	}
+	*offset += 1 + build.len;
+
+	if (!reader->read_data8(reader, &config))
+	{
+		DBG1(DBG_TNC, "insufficient data for IETF configuration version number");
+		goto end;
+
+	}
+	pos = memchr(config.ptr, '\0', config.len);
+	if (pos)
+	{
+		DBG1(DBG_TNC, "nul termination in IETF configuration version number");
+		*offset += 1 + (pos - config.ptr);
+		goto end;
+	}
+
+	this->version = chunk_clone(version);
+	this->build = chunk_clone(build);
+	this->config = chunk_clone(config);
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ietf_attr_string_version_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_string_version_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->version.ptr);
+		free(this->build.ptr);
+		free(this->config.ptr);
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ietf_attr_string_version_t, get_version, chunk_t,
+	private_ietf_attr_string_version_t *this, chunk_t *build, chunk_t *config)
+{
+	if (build)
+	{
+		*build = this->build;
+	}
+	if (config)
+	{
+		*config = this->config;
+	}
+	return this->version;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_string_version_create(chunk_t version, chunk_t build,
+											   chunk_t config)
+{
+	private_ietf_attr_string_version_t *this;
+
+	/* limit version numbers to 255 octets */
+	version.len = min(255, version.len);
+	build.len = min(255, build.len);
+	config.len = min(255, config.len);
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+		},
+		.type = { PEN_IETF, IETF_ATTR_STRING_VERSION },
+		.version = chunk_clone(version),
+		.build = chunk_clone(build),
+		.config = chunk_clone(config),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_string_version_create_from_data(chunk_t data)
+{
+	private_ietf_attr_string_version_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_version = _get_version,
+		},
+		.type = { PEN_IETF, IETF_ATTR_STRING_VERSION },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
diff --git a/src/libimcv/ietf/ietf_attr_string_version.h b/src/libimcv/ietf/ietf_attr_string_version.h
new file mode 100644
index 000000000..9ccc1f0ee
--- /dev/null
+++ b/src/libimcv/ietf/ietf_attr_string_version.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_string_versiont ietf_attr_string_version
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_STRING_VERSION_H_
+#define IETF_ATTR_STRING_VERSION_H_
+
+typedef struct ietf_attr_string_version_t ietf_attr_string_version_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the IETF PA-TNC String Version attribute.
+ *
+ */
+struct ietf_attr_string_version_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Gets the Product Version Number and optionally the Internal Build
+	 * and Configuration Version Numbers
+	 *
+	 * @param build			Internal Build Number (if build != NULL)
+	 * @param config		Configuration Version Number (if config != NULL)
+	 * @return				Product Version Number
+	 */
+	chunk_t (*get_version)(ietf_attr_string_version_t *this, chunk_t *build,
+															 chunk_t *config);
+};
+
+/**
+ * Creates an ietf_attr_string_version_t object
+ *
+ */
+pa_tnc_attr_t* ietf_attr_string_version_create(chunk_t version, chunk_t build,
+											   chunk_t config);
+
+/**
+ * Creates an ietf_attr_string_version_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_string_version_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_STRING_VERSION_H_ @}*/
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index de2f959a4..7dc3abddd 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,8 +18,7 @@
 
 #include <tncif_names.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
 
 typedef struct private_imc_agent_t private_imc_agent_t;
@@ -39,14 +39,14 @@ struct private_imc_agent_t {
 	const char *name;
 
 	/**
-	 * message vendor ID of IMC
+	 * message types registered by IMC
 	 */
-	TNC_VendorID vendor_id;
+	pen_type_t *supported_types;
 
 	/**
-	 * message subtype of IMC
+	 * number of message types registered by IMC
 	 */
-	TNC_MessageSubtype subtype;
+	u_int32_t type_count;
 
 	/**
 	 * ID of IMC as assigned by TNCC
@@ -95,45 +95,6 @@ struct private_imc_agent_t {
 									TNC_UInt32 type_count);
 
 	/**
-	 * Call when an IMC-IMC message is to be sent
-	 *
-	 * @param imc_id			IMC ID assigned by TNCC
-	 * @param connection_id		network connection ID assigned by TNCC
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_type			message type
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message)(TNC_IMCID imc_id,
-							   TNC_ConnectionID connection_id,
-							   TNC_BufferReference msg,
-							   TNC_UInt32 msg_len,
-							   TNC_MessageType msg_type);
-
-
-	/**
-	 * Call when an IMC-IMC message is to be sent with long message types
-	 *
-	 * @param imc_id			IMC ID assigned by TNCC
-	 * @param connection_id		network connection ID assigned by TNCC
-	 * @param msg_flags			message flags
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_vid			message vendor ID
-	 * @param msg_subtype		message subtype
-	 * @param dst_imc_id		destination IMV ID
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message_long)(TNC_IMCID imc_id,
-									TNC_ConnectionID connection_id,
-									TNC_UInt32 msg_flags,
-									TNC_BufferReference msg,
-									TNC_UInt32 msg_len,
-									TNC_VendorID msg_vid,
-									TNC_MessageSubtype msg_subtype,
-									TNC_UInt32 dst_imv_id);
-
-	/**
 	 * Get the value of an attribute associated with a connection
 	 * or with the TNCC as a whole.
 	 *
@@ -205,14 +166,14 @@ METHOD(imc_agent_t, bind_functions, TNC_Result,
 		this->public.request_handshake_retry = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCC_SendMessage",
-			(void**)&this->send_message) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message = NULL;
+		this->public.send_message = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCC_SendMessageLong",
-			(void**)&this->send_message_long) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message_long) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message_long = NULL;
+		this->public.send_message_long = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCC_GetAttribute",
 			(void**)&this->get_attribute) != TNC_RESULT_SUCCESS)
@@ -229,22 +190,40 @@ METHOD(imc_agent_t, bind_functions, TNC_Result,
 	{
 		this->reserve_additional_id = NULL;
 	}
-	DBG2(DBG_IMC, "IMC %u \"%s\" provided with bind function",
-				  this->id, this->name);
 
 	if (this->report_message_types_long)
 	{
-		this->report_message_types_long(this->id, &this->vendor_id,
-										&this->subtype, 1);
+		TNC_VendorIDList vendor_id_list;
+		TNC_MessageSubtypeList subtype_list;
+		int i;
+
+		vendor_id_list = malloc(this->type_count * sizeof(TNC_UInt32));
+		subtype_list   = malloc(this->type_count * sizeof(TNC_UInt32));
+
+		for (i = 0; i < this->type_count; i++)
+		{
+			vendor_id_list[i] = this->supported_types[i].vendor_id;
+			subtype_list[i]   = this->supported_types[i].type;
+		}
+		this->report_message_types_long(this->id, vendor_id_list, subtype_list,
+										this->type_count);
+		free(vendor_id_list);
+		free(subtype_list);
 	}
-	else if (this->report_message_types &&
-			 this->vendor_id <= TNC_VENDORID_ANY &&
-			 this->subtype <= TNC_SUBTYPE_ANY)
+	else if (this->report_message_types)
 	{
-		TNC_MessageType type;
+		TNC_MessageTypeList type_list;
+		int i;
 
-		type = (this->vendor_id << 8) | this->subtype;
-		this->report_message_types(this->id, &type, 1);
+		type_list = malloc(this->type_count * sizeof(TNC_UInt32));
+
+		for (i = 0; i < this->type_count; i++)
+		{
+			type_list[i] = (this->supported_types[i].vendor_id << 8) |
+						   (this->supported_types[i].type & 0xff);
+		}
+		this->report_message_types(this->id, type_list, this->type_count);
+		free(type_list);
 	}
 	return TNC_RESULT_SUCCESS;
 }
@@ -333,12 +312,31 @@ static char* get_str_attribute(private_imc_agent_t *this, TNC_ConnectionID id,
 	return NULL;
  }
 
+/**
+ * Read an UInt32 attribute
+ */
+static u_int32_t get_uint_attribute(private_imc_agent_t *this, TNC_ConnectionID id,
+									TNC_AttributeID attribute_id)
+{
+	TNC_UInt32 len;
+	char buf[4];
+
+	if (this->get_attribute  &&
+		this->get_attribute(this->id, id, attribute_id, 4, buf, &len) ==
+							TNC_RESULT_SUCCESS && len == 4)
+	{
+		return untoh32(buf);
+	}
+	return 0;
+ }
+
 METHOD(imc_agent_t, create_state, TNC_Result,
 	private_imc_agent_t *this, imc_state_t *state)
 {
 	TNC_ConnectionID conn_id;
 	char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
 	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
+	u_int32_t max_msg_len;
 
 	conn_id = state->get_connection_id(state);
 	if (find_connection(this, conn_id))
@@ -353,18 +351,22 @@ METHOD(imc_agent_t, create_state, TNC_Result,
 	has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES);
 	has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
 	has_soh  = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH);
-	tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); 
+	tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
 	tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION);
 	t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
 	t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
+	max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
 
 	state->set_flags(state, has_long, has_excl);
+	state->set_max_msg_len(state, max_msg_len);
+
+	DBG2(DBG_IMC, "IMC %u \"%s\" created a state for %s %s Connection ID %u: "
+				  "%slong %sexcl %ssoh", this->id, this->name,
+				  tnccs_p ? tnccs_p:"?", tnccs_v ? tnccs_v:"?", conn_id,
+			      has_long ? "+":"-", has_excl ? "+":"-", has_soh ? "+":"-");
+	DBG2(DBG_IMC, "  over %s %s with maximum PA-TNC message size of %u bytes",
+				  t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 
-	DBG2(DBG_IMC, "IMC %u \"%s\" created a state for Connection ID %u: "
-				  "%s %s with %slong %sexcl %ssoh over %s %s",
-				  this->id, this->name, conn_id, tnccs_p ? tnccs_p:"?",
-				  tnccs_v ? tnccs_v:"?", has_long ? "+":"-", has_excl ? "+":"-",
-				  has_soh ? "+":"-",  t_p ? t_p:"?", t_v ? t_v :"?");
 	free(tnccs_p);
 	free(tnccs_v);
 	free(t_p);
@@ -404,7 +406,7 @@ METHOD(imc_agent_t, change_state, TNC_Result,
 		case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
 		case TNC_CONNECTION_STATE_ACCESS_NONE:
 			state = find_connection(this, connection_id);
-			
+
 			if (!state)
 			{
 				DBG1(DBG_IMC, "IMC %u \"%s\" has no state for Connection ID %u",
@@ -432,7 +434,7 @@ METHOD(imc_agent_t, change_state, TNC_Result,
 			DBG1(DBG_IMC, "IMC %u \"%s\" was notified of unknown state %u "
 				 		  "for Connection ID %u",
 						  this->id, this->name, new_state, connection_id);
-			return TNC_RESULT_INVALID_PARAMETER;		
+			return TNC_RESULT_INVALID_PARAMETER;
 	}
 	return TNC_RESULT_SUCCESS;
 }
@@ -451,142 +453,16 @@ METHOD(imc_agent_t, get_state, bool,
 	return TRUE;
 }
 
-METHOD(imc_agent_t, send_message, TNC_Result,
-	private_imc_agent_t *this, TNC_ConnectionID connection_id, bool excl,
-	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, chunk_t msg)
+METHOD(imc_agent_t, get_name, const char*,
+	private_imc_agent_t *this)
 {
-	TNC_MessageType type;
-	TNC_UInt32 msg_flags;
-	imc_state_t *state;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMC %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-
-	if (state->has_long(state) && this->send_message_long)
-	{
-		if (!src_imc_id)
-		{
-			src_imc_id = this->id;
-		}
-		msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
-
-		return this->send_message_long(src_imc_id, connection_id, msg_flags,
-									   msg.ptr, msg.len, this->vendor_id,
-									   this->subtype, dst_imv_id);
-	}
-	if (this->send_message)
-	{
-		type = (this->vendor_id << 8) | this->subtype;
-
-		return this->send_message(this->id, connection_id, msg.ptr, msg.len,
-								  type);
-	}
-	return TNC_RESULT_FATAL;
+	return	this->name;
 }
 
-METHOD(imc_agent_t, receive_message, TNC_Result,
-	private_imc_agent_t *this, imc_state_t *state, chunk_t msg,
-	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype,
-	TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, pa_tnc_msg_t **pa_tnc_msg)
+METHOD(imc_agent_t, get_id, TNC_IMCID,
+	private_imc_agent_t *this)
 {
-	pa_tnc_msg_t *pa_msg, *error_msg;
-	pa_tnc_attr_t *error_attr;
-	enumerator_t *enumerator;
-	TNC_MessageType msg_type;
-	TNC_UInt32 msg_flags, src_imc_id, dst_imv_id;
-	TNC_ConnectionID connection_id;
-	TNC_Result result;
-
-	connection_id = state->get_connection_id(state);
-
-	if (state->has_long(state))
-	{
-		if (dst_imc_id != TNC_IMCID_ANY)
-		{
-			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
-						  "from IMV %u to IMC %u", this->id, this->name,
-						   connection_id, src_imv_id, dst_imc_id);
-		}
-		else
-		{
-			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
-						  "from IMV %u", this->id, this->name, connection_id,
-						   src_imv_id);
-		}
-	}
-	else
-	{
-		DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u",
-					   this->id, this->name, connection_id);
-	}
-
-	*pa_tnc_msg = NULL;
-	pa_msg = pa_tnc_msg_create_from_data(msg);
-
-	switch (pa_msg->process(pa_msg))
-	{
-		case SUCCESS:
-			*pa_tnc_msg = pa_msg;
-			break;
-		case VERIFY_ERROR:
-			/* build error message */
-			error_msg = pa_tnc_msg_create();
-			enumerator = pa_msg->create_error_enumerator(pa_msg);
-			while (enumerator->enumerate(enumerator, &error_attr))
-			{
-				error_msg->add_attribute(error_msg,
-										 error_attr->get_ref(error_attr));
-			}
-			enumerator->destroy(enumerator);
-			error_msg->build(error_msg);
-
-			/* send error message */
-			if (state->has_long(state) && this->send_message_long)
-			{
-				if (state->has_excl(state))
-				{
-					msg_flags =	TNC_MESSAGE_FLAGS_EXCLUSIVE;
-					dst_imv_id = src_imv_id;
-				}
-				else
-				{
-					msg_flags = 0;
-					dst_imv_id = TNC_IMVID_ANY;
-				}
-				src_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? this->id
-														   : dst_imc_id;
-
-				result = this->send_message_long(src_imc_id, connection_id,
-										msg_flags, msg.ptr, msg.len, msg_vid,
-										msg_subtype, dst_imv_id);
-			}
-			else if (this->send_message)
-			{
-				msg_type = (msg_vid << 8) | msg_subtype;
-
-				result = this->send_message(this->id, connection_id,
-										msg.ptr, msg.len, msg_type);
-			}
-			else
-			{
-				result = TNC_RESULT_FATAL;
-			}
-
-			/* clean up */
-			error_msg->destroy(error_msg);
-			pa_msg->destroy(pa_msg);
-			return result;
-		case FAILED:
-		default:
-			pa_msg->destroy(pa_msg);
-			return TNC_RESULT_FATAL;
-	}
-	return TNC_RESULT_SUCCESS;
+	return	this->id;
 }
 
 METHOD(imc_agent_t, reserve_additional_ids, TNC_Result,
@@ -651,13 +527,13 @@ METHOD(imc_agent_t, destroy, void,
  * Described in header.
  */
 imc_agent_t *imc_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMCID id, TNC_Version *actual_version)
 {
 	private_imc_agent_t *this;
 
 	/* initialize  or increase the reference count */
-	if (!libimcv_init())
+	if (!libimcv_init(FALSE))
 	{
 		return NULL;
 	}
@@ -669,22 +545,22 @@ imc_agent_t *imc_agent_create(const char *name,
 			.delete_state = _delete_state,
 			.change_state = _change_state,
 			.get_state = _get_state,
-			.send_message = _send_message,
-			.receive_message = _receive_message,
+			.get_name = _get_name,
+			.get_id = _get_id,
 			.reserve_additional_ids = _reserve_additional_ids,
 			.count_additional_ids = _count_additional_ids,
 			.create_id_enumerator = _create_id_enumerator,
 			.destroy = _destroy,
 		},
 		.name = name,
-		.vendor_id = vendor_id,
-		.subtype = subtype,
+		.supported_types = supported_types,
+		.type_count = type_count,
 		.id = id,
 		.additional_ids = linked_list_create(),
 		.connections = linked_list_create(),
 		.connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 	);
-	
+
 	*actual_version = TNC_IFIMC_VERSION_1;
 	DBG1(DBG_IMC, "IMC %u \"%s\" initialized", this->id, this->name);
 
diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h
index d1fef4d8d..0a1638f47 100644
--- a/src/libimcv/imc/imc_agent.h
+++ b/src/libimcv/imc/imc_agent.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -15,7 +16,7 @@
 /**
  *
  * @defgroup imc_agent_t imc_agent
- * @{ @ingroup imc_agent
+ * @{ @ingroup libimcv_imc
  */
 
 #ifndef IMC_AGENT_H_
@@ -26,6 +27,7 @@
 
 #include <tncifimc.h>
 #include <pen/pen.h>
+#include <collections/linked_list.h>
 
 #include <library.h>
 
@@ -49,6 +51,44 @@ struct imc_agent_t {
 										  TNC_RetryReason reason);
 
 	/**
+	 * Call when an IMC-IMC message is to be sent
+	 *
+	 * @param imc_id			IMC ID assigned by TNCC
+	 * @param connection_id		network connection ID assigned by TNCC
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_type			message type
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message)(TNC_IMCID imc_id,
+							   TNC_ConnectionID connection_id,
+							   TNC_BufferReference msg,
+							   TNC_UInt32 msg_len,
+							   TNC_MessageType msg_type);
+
+	/**
+	 * Call when an IMC-IMC message is to be sent with long message types
+	 *
+	 * @param imc_id			IMC ID assigned by TNCC
+	 * @param connection_id		network connection ID assigned by TNCC
+	 * @param msg_flags			message flags
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_vid			message vendor ID
+	 * @param msg_subtype		message subtype
+	 * @param dst_imc_id		destination IMV ID
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message_long)(TNC_IMCID imc_id,
+									TNC_ConnectionID connection_id,
+									TNC_UInt32 msg_flags,
+									TNC_BufferReference msg,
+									TNC_UInt32 msg_len,
+									TNC_VendorID msg_vid,
+									TNC_MessageSubtype msg_subtype,
+									TNC_UInt32 dst_imv_id);
+
+	/**
 	 * Bind TNCC functions
 	 *
 	 * @param bind_function		function offered by the TNCC
@@ -98,39 +138,18 @@ struct imc_agent_t {
 					  TNC_ConnectionID connection_id, imc_state_t **state);
 
 	/**
-	 * Call when an PA-TNC message is to be sent
+	 * Get IMC name
 	 *
-	 * @param connection_id		network connection ID assigned by TNCC
-	 * @param excl				exclusive flag
-	 * @param src_imc_id		IMC ID to be set as source
-	 * @param dst_imv_id		IMV ID to be set as destination
-	 * @param msg				message to send
-	 * @return					TNC result code
+	 * return					IMC name
 	 */
-	TNC_Result (*send_message)(imc_agent_t *this,
-							   TNC_ConnectionID connection_id, bool excl,
-							   TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
-							   chunk_t msg);
+	const char* (*get_name)(imc_agent_t *this);
 
 	/**
-	 * Call when a PA-TNC message was received
+	 * Get base IMC ID
 	 *
-	 * @param state				state for current connection
-	 * @param msg				received unparsed message
-	 * @param msg_vid			message vendorID of the received message
-	 * @param msg_subtype		message subtype of the received message
-	 * @param src_imv_id		source IMV ID
-	 * @param dst_imc_id		destination IMC ID
-	 * @param pa_tnc_message	parsed PA-TNC message or NULL if an error occurred
-	 * @return					TNC result code
+	 * return					base IMC ID
 	 */
-	TNC_Result (*receive_message)(imc_agent_t *this,
-								  imc_state_t *state, chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id,
-								  pa_tnc_msg_t **pa_tnc_msg);
+	TNC_IMCID (*get_id)(imc_agent_t *this);
 
 	/**
 	 * Reserve additional IMC IDs from TNCC
@@ -162,14 +181,14 @@ struct imc_agent_t {
  * Create an imc_agent_t object
  *
  * @param name				name of the IMC
- * @param vendor_id			vendor ID of the IMC
- * @param subtype			message subtype of the IMC
+ * @param supported_types	list of message types registered by the IMC
+ * @param type_count		number of registered message types
  * @param id				ID of the IMC as assigned by the TNCS
  * @param actual_version	actual version of the IF-IMC API
  *
  */
 imc_agent_t *imc_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMCID id, TNC_Version *actual_version);
 
 #endif /** IMC_AGENT_H_ @}*/
diff --git a/src/libimcv/imc/imc_msg.c b/src/libimcv/imc/imc_msg.c
new file mode 100644
index 000000000..1fc3d3be5
--- /dev/null
+++ b/src/libimcv/imc/imc_msg.c
@@ -0,0 +1,463 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_msg.h"
+
+#include "ietf/ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+
+#include <tncif_names.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_imc_msg_t private_imc_msg_t;
+
+/**
+ * Private data of a imc_msg_t object.
+ *
+ */
+struct private_imc_msg_t {
+
+	/**
+	 * Public imc_msg_t interface.
+	 */
+	imc_msg_t public;
+
+	/**
+	 * Connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * source ID
+	 */
+	TNC_UInt32 src_id;
+
+	/**
+	 * destination ID
+	 */
+	TNC_UInt32 dst_id;
+
+	/**
+	 * PA-TNC message type
+	 */
+	pen_type_t msg_type;
+
+	/**
+	 * List of PA-TNC attributes to be sent
+	 */
+	linked_list_t *attr_list;
+
+	/**
+	 * PA-TNC message
+	 */
+	pa_tnc_msg_t *pa_msg;
+
+	/**
+	 * Assigned IMC agent
+	 */
+	imc_agent_t *agent;
+
+	/**
+	 * Assigned IMC state
+	 */
+	imc_state_t *state;
+};
+
+METHOD(imc_msg_t, get_src_id, TNC_UInt32,
+	private_imc_msg_t *this)
+{
+	return this->src_id;
+}
+
+METHOD(imc_msg_t, get_dst_id, TNC_UInt32,
+	private_imc_msg_t *this)
+{
+	return this->dst_id;
+}
+
+METHOD(imc_msg_t, get_msg_type, pen_type_t,
+	private_imc_msg_t *this)
+{
+	return this->msg_type;
+}
+
+METHOD(imc_msg_t, send_, TNC_Result,
+	private_imc_msg_t *this, bool excl)
+{
+	pa_tnc_msg_t *pa_tnc_msg;
+	pa_tnc_attr_t *attr;
+	TNC_UInt32 msg_flags;
+	TNC_MessageType msg_type;
+	bool attr_added;
+	chunk_t msg;
+	enumerator_t *enumerator;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
+	while (this->attr_list->get_count(this->attr_list))
+	{
+		pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
+		attr_added = FALSE;
+
+		enumerator = this->attr_list->create_enumerator(this->attr_list);
+		while (enumerator->enumerate(enumerator, &attr))
+		{
+			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+			{
+				attr_added = TRUE;
+			}
+			else
+			{
+				if (attr_added)
+				{
+					break;
+				}
+				else
+				{
+					DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted");
+					attr->destroy(attr);
+				}
+			}
+			this->attr_list->remove_at(this->attr_list, enumerator);
+		}
+		enumerator->destroy(enumerator);
+
+		/* build and send the PA-TNC message via the IF-IMC interface */
+		if (!pa_tnc_msg->build(pa_tnc_msg))
+		{
+			pa_tnc_msg->destroy(pa_tnc_msg);
+			return TNC_RESULT_FATAL;
+		}
+		msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
+		DBG3(DBG_IMC, "created PA-TNC message: %B", &msg);
+
+		if (this->state->has_long(this->state) && this->agent->send_message_long)
+		{
+			excl = excl && this->state->has_excl(this->state) &&
+						   this->dst_id != TNC_IMVID_ANY;
+			msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
+			result = this->agent->send_message_long(this->src_id,
+							this->connection_id, msg_flags,	msg.ptr, msg.len,
+							this->msg_type.vendor_id, this->msg_type.type,
+							this->dst_id);
+		}
+		else if (this->agent->send_message)
+		{
+			msg_type = (this->msg_type.vendor_id << 8) |
+					   (this->msg_type.type & 0x000000ff);
+			result = this->agent->send_message(this->src_id, this->connection_id,
+											   msg.ptr, msg.len, msg_type);
+		}
+
+		pa_tnc_msg->destroy(pa_tnc_msg);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			break;
+		}
+	}
+	return result;
+}
+
+/**
+ * Print a clearly visible assessment header to the log
+ */
+static void print_assessment_header(const char *name, TNC_UInt32 id, bool *first)
+{
+	if (*first)
+	{
+		DBG1(DBG_IMC, "***** assessment of IMC %u \"%s\" *****", id, name);
+		*first = FALSE;
+	}
+}
+
+/**
+ * Print a clearly visible assessment trailer to the log
+ */
+static void print_assessment_trailer(bool first)
+{
+	if (!first)
+	{
+		DBG1(DBG_IMC, "***** end of assessment *****");
+	}
+}
+
+METHOD(imc_msg_t, receive, TNC_Result,
+	private_imc_msg_t *this, bool *fatal_error)
+{
+	TNC_UInt32 target_imc_id;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
+	chunk_t msg;
+	bool first = TRUE;
+
+	if (this->state->has_long(this->state))
+	{
+		if (this->dst_id != TNC_IMCID_ANY)
+		{
+			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
+						  "from IMV %u to IMC %u",
+						   this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id, this->dst_id);
+		}
+		else
+		{
+			DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u "
+						  "from IMV %u", this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id);
+		}
+	}
+	else
+	{
+		DBG2(DBG_IMC, "IMC %u \"%s\" received message for Connection ID %u",
+					   this->agent->get_id(this->agent),
+					   this->agent->get_name(this->agent),
+					   this->connection_id);
+	}
+	msg = this->pa_msg->get_encoding(this->pa_msg);
+	DBG3(DBG_IMC, "%B", &msg);
+
+	switch (this->pa_msg->process(this->pa_msg))
+	{
+		case SUCCESS:
+			break;
+		case VERIFY_ERROR:
+		{
+			imc_msg_t *error_msg;
+			TNC_Result result;
+
+			error_msg = imc_msg_create_as_reply(&this->public);
+
+			/* extract and copy by reference all error attributes */
+			enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
+			while (enumerator->enumerate(enumerator, &attr))
+			{
+				error_msg->add_attribute(error_msg, attr->get_ref(attr));
+			}
+			enumerator->destroy(enumerator);
+
+			/*
+			 * send the PA-TNC message containing all error attributes
+			 * with the excl flag set
+			 */
+			result = error_msg->send(error_msg, TRUE);
+			error_msg->destroy(error_msg);
+			return result;
+		}
+		case FAILED:
+		default:
+			return TNC_RESULT_FATAL;
+	}
+
+	/* determine target IMC ID */
+	target_imc_id = (this->dst_id != TNC_IMCID_ANY) ?
+					 this->dst_id : this->agent->get_id(this->agent);
+
+	/* preprocess any received IETF standard error attributes */
+	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+
+	/* preprocess any received IETF assessment result attribute */
+	enumerator = this->pa_msg->create_attribute_enumerator(this->pa_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		attr_type = attr->get_type(attr);
+
+		if (attr_type.vendor_id != PEN_IETF)
+		{
+			continue;
+		}
+		if (attr_type.type == IETF_ATTR_ASSESSMENT_RESULT)
+		{
+			ietf_attr_assess_result_t *attr_cast;
+			TNC_IMV_Evaluation_Result result;
+
+			attr_cast = (ietf_attr_assess_result_t*)attr;
+			result =  attr_cast->get_result(attr_cast);
+			this->state->set_result(this->state, target_imc_id, result);
+
+			print_assessment_header(this->agent->get_name(this->agent),
+									target_imc_id, &first);
+			DBG1(DBG_IMC, "assessment result is '%N'",
+				 TNC_IMV_Evaluation_Result_names, result);
+		}
+		else if (attr_type.type == IETF_ATTR_REMEDIATION_INSTRUCTIONS)
+		{
+			ietf_attr_remediation_instr_t *attr_cast;
+			pen_type_t parameters_type;
+			chunk_t parameters, string, lang_code;
+
+			attr_cast = (ietf_attr_remediation_instr_t*)attr;
+			parameters_type = attr_cast->get_parameters_type(attr_cast);
+			parameters = attr_cast->get_parameters(attr_cast);
+
+			print_assessment_header(this->agent->get_name(this->agent),
+									target_imc_id, &first);
+			if (parameters_type.vendor_id == PEN_IETF)
+			{
+				switch (parameters_type.type)
+				{
+					case IETF_REMEDIATION_PARAMETERS_URI:
+						DBG1(DBG_IMC, "remediation uri: %.*s",
+									   parameters.len, parameters.ptr);
+						break;
+					case IETF_REMEDIATION_PARAMETERS_STRING:
+						string = attr_cast->get_string(attr_cast, &lang_code);
+						DBG1(DBG_IMC, "remediation string: [%.*s]\n%.*s",
+									   lang_code.len, lang_code.ptr,
+									   string.len, string.ptr);
+						break;
+					default:
+						DBG1(DBG_IMC, "remediation parameters: %B", &parameters);
+				}
+			}
+			else
+			{
+				DBG1(DBG_IMC, "remediation parameters: %B", &parameters);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	print_assessment_trailer(first);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imc_msg_t, add_attribute, void,
+	private_imc_msg_t *this, pa_tnc_attr_t *attr)
+{
+	this->attr_list->insert_last(this->attr_list, attr);
+}
+
+METHOD(imc_msg_t, create_attribute_enumerator, enumerator_t*,
+	private_imc_msg_t *this)
+{
+	return this->pa_msg->create_attribute_enumerator(this->pa_msg);
+}
+
+METHOD(imc_msg_t, get_encoding, chunk_t,
+	private_imc_msg_t *this)
+{
+	if (this->pa_msg)
+	{
+		return this->pa_msg->get_encoding(this->pa_msg);
+	}
+	return chunk_empty;
+}
+
+METHOD(imc_msg_t, destroy, void,
+	private_imc_msg_t *this)
+{
+	this->attr_list->destroy_offset(this->attr_list,
+									offsetof(pa_tnc_attr_t, destroy));
+	DESTROY_IF(this->pa_msg);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create(imc_agent_t *agent, imc_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type)
+{
+	private_imc_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.get_src_id = _get_src_id,
+			.get_dst_id = _get_dst_id,
+			.get_msg_type = _get_msg_type,
+			.send = _send_,
+			.receive = _receive,
+			.add_attribute = _add_attribute,
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.connection_id = connection_id,
+		.src_id = src_id,
+		.dst_id = dst_id,
+		.msg_type = msg_type,
+		.attr_list = linked_list_create(),
+		.agent = agent,
+		.state = state,
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+imc_msg_t* imc_msg_create_as_reply(imc_msg_t *msg)
+{
+	private_imc_msg_t *in;
+	TNC_UInt32 src_id;
+
+	in = (private_imc_msg_t*)msg;
+	src_id = (in->dst_id != TNC_IMCID_ANY) ?
+			  in->dst_id : in->agent->get_id(in->agent);
+
+	return imc_msg_create(in->agent, in->state, in->connection_id, src_id,
+						  in->src_id, in->msg_type);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg)
+{
+	TNC_VendorID msg_vid;
+	TNC_MessageSubtype msg_subtype;
+
+	msg_vid = msg_type >> 8;
+	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+	return imc_msg_create_from_long_data(agent, state, connection_id,
+								TNC_IMVID_ANY, agent->get_id(agent),
+								msg_vid, msg_subtype, msg);
+}
+
+/**
+ * See header
+ */
+imc_msg_t *imc_msg_create_from_long_data(imc_agent_t *agent, imc_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id,
+										 TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg)
+{
+	private_imc_msg_t *this;
+
+	this = (private_imc_msg_t*)imc_msg_create(agent, state,
+										connection_id, src_id, dst_id,
+										pen_type_create(msg_vid, msg_subtype));
+	this->pa_msg = pa_tnc_msg_create_from_data(msg);
+
+	return &this->public;
+}
diff --git a/src/libimcv/imc/imc_msg.h b/src/libimcv/imc/imc_msg.h
new file mode 100644
index 000000000..588225dbe
--- /dev/null
+++ b/src/libimcv/imc/imc_msg.h
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc_msg imc_msg
+ * @{ @ingroup libimcv_imc
+ */
+
+#ifndef IMC_MSG_H_
+#define IMC_MSG_H_
+
+#include <imc/imc_agent.h>
+
+typedef struct imc_msg_t imc_msg_t;
+
+#include <library.h>
+
+/**
+ * Interface for a PA-TNC message handled by an IMC.
+ *
+ */
+struct imc_msg_t {
+
+	/**
+	 * Get source ID of PA-TNC message
+	 *
+	 * @return					src ID
+	 */
+	TNC_UInt32 (*get_src_id)(imc_msg_t *this);
+
+	/**
+	 * Get destination ID of PA-TNC message
+	 *
+	 * @return					destination ID
+	 */
+	TNC_UInt32 (*get_dst_id)(imc_msg_t *this);
+
+	/**
+	 * Get the PA-TNC message type.
+	 *
+	 * @return					message type
+	 */
+	pen_type_t (*get_msg_type)(imc_msg_t *this);
+
+	/**
+	 * Sends one or multiple PA-TNC messages
+	 *
+	 * @param excl				set the excl message flag if supported
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send)(imc_msg_t *this, bool excl);
+
+	/**
+	 * Processes a received PA-TNC message
+	 *
+	 * @param fatal_error		TRUE if IMV sent a fatal error message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive)(imc_msg_t *this, bool *fatal_error);
+
+	/**
+	 * Add a PA-TNC attribute to the send queue
+	 *
+	 * @param attr				PA-TNC attribute to be added
+	 */
+	void (*add_attribute)(imc_msg_t *this, pa_tnc_attr_t *attr);
+
+	/**
+	 * Enumerator over PA-TNC attributes contained in the PA-TNC message
+	 *
+	 * @return					PA-TNC attribute enumerator
+	 */
+	enumerator_t* (*create_attribute_enumerator)(imc_msg_t *this);
+
+	/**
+	 * Get the encoding of the IMC message.
+	 *
+	 * @return					message encoding, internal data
+	 */
+	chunk_t (*get_encoding)(imc_msg_t *this);
+
+	/**
+	 * Destroys a imc_msg_t object.
+	 */
+	void (*destroy)(imc_msg_t *this);
+};
+
+/**
+ * Create a wrapper for an outbound message
+ *
+ * @param agent					IMC agent responsible for the message
+ * @param state					IMC state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMC ID
+ * @param dst_id				destination IMV ID
+ * @param msg_type				PA-TNC message type
+ */
+imc_msg_t* imc_msg_create(imc_agent_t *agent, imc_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type);
+
+/**
+ * Create a wrapper for an outbound message based on a received message
+ *
+ * @param msg					received message the reply is based on
+ */
+imc_msg_t* imc_msg_create_as_reply(imc_msg_t *msg);
+
+/**
+ * Create a wrapper around message data received via the legacy IF-IMC interface
+ *
+ * @param agent					IMC agent responsible for the message
+ * @param state					IMC state for the given connection ID
+ * @param connection_id			connection ID
+ * @param msg_type				PA-TNC message type
+ * @param msg					received PA-TNC message blob
+ */
+imc_msg_t* imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg);
+
+/**
+ * Create a wrapper around message data received via the long IF-IMC interface
+ *
+ * @param agent					IMC agent responsible for the message
+ * @param state					IMC state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMV ID
+ * @param dst_id				destination IMC ID
+ * @param msg_vid				PA-TNC message vendor ID
+ * @param msg_subtype			PA-TNC subtype
+ * @param msg					received PA-TNC message blob
+ */
+imc_msg_t* imc_msg_create_from_long_data(imc_agent_t *agent, imc_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id, TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg);
+
+#endif /** IMC_MSG_H_ @}*/
diff --git a/src/libimcv/imc/imc_state.h b/src/libimcv/imc/imc_state.h
index f1b0358c9..7e763fbe1 100644
--- a/src/libimcv/imc/imc_state.h
+++ b/src/libimcv/imc/imc_state.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -15,13 +16,15 @@
 /**
  *
  * @defgroup imc_state_t imc_state
- * @{ @ingroup imc_state
+ * @{ @ingroup libimcv_imc
  */
 
 #ifndef IMC_STATE_H_
 #define IMC_STATE_H_
 
 #include <tncif.h>
+#include <tncifimv.h>
+#include <tncifimc.h>
 
 #include <library.h>
 
@@ -33,8 +36,7 @@ typedef struct imc_state_t imc_state_t;
 struct imc_state_t {
 
 	/**
-	 * Get the TNCS connection I
-D attached to the state
+	 * Get the TNCS connection ID attached to the state
 	 *
 	 * @return				TNCS connection ID of the state
 	 */
@@ -64,6 +66,20 @@ D attached to the state
 	void (*set_flags)(imc_state_t *this, bool has_long, bool has_excl);
 
 	/**
+	 * Set the maximum size of a PA-TNC message for this TNCCS connection
+	 *
+	 * @param max_msg_len	maximum size of a PA-TNC message
+	 */
+	void (*set_max_msg_len)(imc_state_t *this, u_int32_t max_msg_len);
+
+	/**
+	 * Get the maximum size of a PA-TNC message for this TNCCS connection
+	 *
+	 * @return				maximum size of a PA-TNC message
+	 */
+	u_int32_t (*get_max_msg_len)(imc_state_t *this);
+
+	/**
 	 * Change the connection state
 	 *
 	 * @param new_state		new connection state
@@ -71,6 +87,25 @@ D attached to the state
 	void (*change_state)(imc_state_t *this, TNC_ConnectionState new_state);
 
 	/**
+	 * Set the Assessment/Evaluation Result
+	 *
+	 * @param id			IMC ID
+	 * @param result		Assessment/Evaluation Result
+	 */
+	void (*set_result)(imc_state_t *this, TNC_IMCID id,
+										  TNC_IMV_Evaluation_Result result);
+
+	/**
+	 * Get the Assessment/Evaluation Result
+	 *
+	 * @param id			IMC ID
+	 * @param result		Assessment/Evaluation Result
+	 * @return				TRUE if result is known
+	 */
+	bool (*get_result)(imc_state_t *this, TNC_IMCID id,
+										  TNC_IMV_Evaluation_Result *result);
+
+	/**
 	 * Destroys an imc_state_t object
 	 */
 	void (*destroy)(imc_state_t *this);
diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
index a8c0af47b..b5862daee 100644
--- a/src/libimcv/imcv.c
+++ b/src/libimcv/imcv.c
@@ -16,13 +16,15 @@
 #include "ietf/ietf_attr.h"
 #include "ita/ita_attr.h"
 
-#include <utils.h>
-#include <debug.h>
+#include <utils/debug.h>
+#include <utils/utils.h>
 #include <pen/pen.h>
 
 #include <syslog.h>
 
-#define IMCV_DEBUG_LEVEL	1
+#define IMCV_DEBUG_LEVEL			1
+#define IMCV_DEFAULT_POLICY_SCRIPT	"ipsec _imv_policy"
+
 
 /**
  * PA-TNC attribute manager
@@ -30,6 +32,11 @@
 pa_tnc_attr_manager_t *imcv_pa_tnc_attributes;
 
 /**
+ * Global IMV database
+ */
+imv_database_t *imcv_db;
+
+/**
  * Reference count for libimcv
  */
 static refcount_t libimcv_ref = 0;
@@ -88,7 +95,7 @@ static void imcv_dbg(debug_t group, level_t level, char *fmt, ...)
 /**
  * Described in header.
  */
-bool libimcv_init(void)
+bool libimcv_init(bool is_imv)
 {
 	/* initialize libstrongswan library only once */
 	if (lib)
@@ -107,33 +114,49 @@ bool libimcv_init(void)
 			return FALSE;
 		}
 
-		if (!lib->plugins->load(lib->plugins, NULL,
-							"sha1 sha2 random gmp pubkey x509"))
-		{
-			library_deinit();
-			return FALSE;
-		}
-
 		/* set the debug level and stderr output */
 		imcv_debug_level =  lib->settings->get_int(lib->settings,
 									"libimcv.debug_level", IMCV_DEBUG_LEVEL);
 		imcv_stderr_quiet = lib->settings->get_int(lib->settings,
 									"libimcv.stderr_quiet", FALSE);
-		
+
 		/* activate the imcv debugging hook */
 		dbg = imcv_dbg;
 		openlog("imcv", 0, LOG_DAEMON);
+
+		if (!lib->plugins->load(lib->plugins,
+				lib->settings->get_str(lib->settings, "libimcv.load",
+					"random nonce gmp pubkey x509")))
+		{
+			library_deinit();
+			return FALSE;
+		}
 	}
 	ref_get(&libstrongswan_ref);
 
 	if (libimcv_ref == 0)
 	{
+		char *uri, *script;
+
 		/* initialize the PA-TNC attribute manager */
 	 	imcv_pa_tnc_attributes = pa_tnc_attr_manager_create();
 		imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_IETF,
 							ietf_attr_create_from_data, ietf_attr_names);
 		imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_ITA,
 							ita_attr_create_from_data, ita_attr_names);
+
+		/* attach global IMV database */
+		if (is_imv)
+		{
+			uri = lib->settings->get_str(lib->settings,
+						"libimcv.database", NULL);
+			script = lib->settings->get_str(lib->settings,
+						"libimcv.policy_script", IMCV_DEFAULT_POLICY_SCRIPT);
+			if (uri)
+			{
+				imcv_db = imv_database_create(uri, script);
+			}
+		}
 		DBG1(DBG_LIB, "libimcv initialized");
 	}
 	ref_get(&libimcv_ref);
@@ -151,11 +174,13 @@ void libimcv_deinit(void)
 		imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_IETF);
 		imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_ITA);
 		DESTROY_IF(imcv_pa_tnc_attributes);
+		imcv_pa_tnc_attributes = NULL;
+		DESTROY_IF(imcv_db);
 		DBG1(DBG_LIB, "libimcv terminated");
 	}
 	if (ref_put(&libstrongswan_ref))
 	{
-		library_deinit();		
+		library_deinit();
 	}
 }
 
diff --git a/src/libimcv/imcv.h b/src/libimcv/imcv.h
index a1a5a5f43..10c66e65a 100644
--- a/src/libimcv/imcv.h
+++ b/src/libimcv/imcv.h
@@ -15,7 +15,16 @@
 /**
  * @defgroup libimcv libimcv
  *
- * @defgroup iplugins plugins
+ * @defgroup libimcv_imc imc
+ * @ingroup libimcv
+ *
+ * @defgroup libimcv_imv imv
+ * @ingroup libimcv
+ *
+ * @defgroup pa_tnc pa_tnc
+ * @ingroup libimcv
+ *
+ * @defgroup libimcv_plugins plugins
  * @ingroup libimcv
  *
  * @addtogroup libimcv
@@ -26,15 +35,17 @@
 #define IMCV_H_
 
 #include "pa_tnc/pa_tnc_attr_manager.h"
+#include "imv/imv_database.h"
 
 #include <library.h>
 
 /**
  * Initialize libimcv.
  *
+ * @param is_imv		TRUE if called by IMV, FALSE if by IMC
  * @return				FALSE if initialization failed
  */
-bool libimcv_init(void);
+bool libimcv_init(bool is_imv);
 
 /**
  * Deinitialize libimcv.
@@ -46,4 +57,9 @@ void libimcv_deinit(void);
  */
 extern pa_tnc_attr_manager_t* imcv_pa_tnc_attributes;
 
+/**
+ * Global IMV database object
+ */
+extern imv_database_t* imcv_db;
+
 #endif /** IMCV_H_ @}*/
diff --git a/src/libimcv/imv/_imv_policy b/src/libimcv/imv/_imv_policy
new file mode 100755
index 000000000..68a963c27
--- /dev/null
+++ b/src/libimcv/imv/_imv_policy
@@ -0,0 +1,39 @@
+#! /bin/sh
+# default TNC policy command script
+#
+# Copyright 2013 Andreas Steffen
+# HSR Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the "libimcv.policy_script = " option in strongswan.conf
+# to make strongSwan use yours instead of this default one.
+
+# Environment variables that this script gets 
+#
+#    TNC_SESSION_ID 
+#         unique session ID used as a reference by the policy 
+#         manager. 
+#
+case "$1" in
+start)
+	echo "start session $TNC_SESSION_ID"
+	;;
+stop)
+	echo "stop session $TNC_SESSION_ID"
+	;;
+*)	echo "$0: unknown command '$1'"
+	exit 1
+	;;
+esac
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
new file mode 100644
index 000000000..35fd65753
--- /dev/null
+++ b/src/libimcv/imv/data.sql
@@ -0,0 +1,846 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  3, 2, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index 56131c547..435c25a3c 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,11 +15,16 @@
 
 #include "imcv.h"
 #include "imv_agent.h"
+#include "imv_session.h"
+
+#include "ietf/ietf_attr_assess_result.h"
 
 #include <tncif_names.h>
+#include <tncif_identity.h>
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <bio/bio_reader.h>
 #include <threading/rwlock.h>
 
 typedef struct private_imv_agent_t private_imv_agent_t;
@@ -39,14 +45,14 @@ struct private_imv_agent_t {
 	const char *name;
 
 	/**
-	 * message vendor ID of IMV
+	 * message types registered by IMV
 	 */
-	TNC_VendorID vendor_id;
+	pen_type_t *supported_types;
 
 	/**
-	 * message subtype of IMV
+	 * number of message types registered by IMV
 	 */
-	TNC_MessageSubtype subtype;
+	u_int32_t type_count;
 
 	/**
 	 * ID of IMV as assigned by TNCS
@@ -95,44 +101,6 @@ struct private_imv_agent_t {
 									TNC_UInt32 type_count);
 
 	/**
-	 * Call when an IMV-IMC message is to be sent
-	 *
-	 * @param imv_id			IMV ID assigned by TNCS
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_type			message type
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message)(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id,
-							   TNC_BufferReference msg,
-							   TNC_UInt32 msg_len,
-							   TNC_MessageType msg_type);
-
-	/**
-	 * Call when an IMV-IMC message is to be sent with long message types
-	 *
-	 * @param imv_id			IMV ID assigned by TNCS
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param msg_flags			message flags
-	 * @param msg				message to send
-	 * @param msg_len			message length in bytes
-	 * @param msg_vid			message vendor ID
-	 * @param msg_subtype		message subtype
-	 * @param dst_imc_id		destination IMC ID
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message_long)(TNC_IMVID imv_id,
-									TNC_ConnectionID connection_id,
-									TNC_UInt32 msg_flags,
-									TNC_BufferReference msg,
-									TNC_UInt32 msg_len,
-									TNC_VendorID msg_vid,
-									TNC_MessageSubtype msg_subtype,
-									TNC_UInt32 dst_imc_id);
-
-	/**
 	 * Deliver IMV Action Recommendation and IMV Evaluation Results to the TNCS
 	 *
 	 * @param imv_id			IMV ID assigned by TNCS
@@ -218,14 +186,14 @@ METHOD(imv_agent_t, bind_functions, TNC_Result,
 		this->public.request_handshake_retry = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCS_SendMessage",
-			(void**)&this->send_message) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message = NULL;
+		this->public.send_message = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCS_SendMessageLong",
-			(void**)&this->send_message_long) != TNC_RESULT_SUCCESS)
+			(void**)&this->public.send_message_long) != TNC_RESULT_SUCCESS)
 	{
-		this->send_message_long = NULL;
+		this->public.send_message_long = NULL;
 	}
 	if (bind_function(this->id, "TNC_TNCS_ProvideRecommendation",
 			(void**)&this->provide_recommendation) != TNC_RESULT_SUCCESS)
@@ -247,22 +215,40 @@ METHOD(imv_agent_t, bind_functions, TNC_Result,
 	{
 		this->reserve_additional_id = NULL;
 	}
-	DBG2(DBG_IMV, "IMV %u \"%s\" provided with bind function",
-				  this->id, this->name);
 
 	if (this->report_message_types_long)
 	{
-		this->report_message_types_long(this->id, &this->vendor_id,
-										&this->subtype, 1);
+		TNC_VendorIDList vendor_id_list;
+		TNC_MessageSubtypeList subtype_list;
+		int i;
+
+		vendor_id_list = malloc(this->type_count * sizeof(TNC_UInt32));
+		subtype_list   = malloc(this->type_count * sizeof(TNC_UInt32));
+
+		for (i = 0; i < this->type_count; i++)
+		{
+			vendor_id_list[i] = this->supported_types[i].vendor_id;
+			subtype_list[i]   = this->supported_types[i].type;
+		}
+		this->report_message_types_long(this->id, vendor_id_list, subtype_list,
+										this->type_count);
+		free(vendor_id_list);
+		free(subtype_list);
 	}
-	else if (this->report_message_types &&
-			 this->vendor_id <= TNC_VENDORID_ANY &&
-			 this->subtype <= TNC_SUBTYPE_ANY)
+	else if (this->report_message_types)
 	{
-		TNC_MessageType type;
+		TNC_MessageTypeList type_list;
+		int i;
+
+		type_list = malloc(this->type_count * sizeof(TNC_UInt32));
 
-		type = (this->vendor_id << 8) | this->subtype;
-		this->report_message_types(this->id, &type, 1);
+		for (i = 0; i < this->type_count; i++)
+		{
+			type_list[i] = (this->supported_types[i].vendor_id << 8) |
+						   (this->supported_types[i].type & 0xff);
+		}
+		this->report_message_types(this->id, type_list, this->type_count);
+		free(type_list);
 	}
 	return TNC_RESULT_SUCCESS;
 }
@@ -299,6 +285,7 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id)
 {
 	enumerator_t *enumerator;
 	imv_state_t *state;
+	imv_session_t *session;
 	bool found = FALSE;
 
 	this->connection_lock->write_lock(this->connection_lock);
@@ -308,6 +295,11 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id)
 		if (id == state->get_connection_id(state))
 		{
 			found = TRUE;
+			session = state->get_session(state);
+			if (session)
+			{
+				imcv_db->remove_session(imcv_db, session);
+			}
 			state->destroy(state);
 			this->connections->remove_at(this->connections, enumerator);
 			break;
@@ -351,12 +343,81 @@ static char* get_str_attribute(private_imv_agent_t *this, TNC_ConnectionID id,
 	return NULL;
  }
 
+/**
+ * Read an UInt32 attribute
+ */
+static u_int32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID id,
+									TNC_AttributeID attribute_id)
+{
+	TNC_UInt32 len;
+	char buf[4];
+
+	if (this->get_attribute  &&
+		this->get_attribute(this->id, id, attribute_id, 4, buf, &len) ==
+							TNC_RESULT_SUCCESS && len == 4)
+	{
+		return untoh32(buf);
+	}
+	return 0;
+ }
+
+/**
+ * Read a TNC identity attribute
+ */
+static linked_list_t* get_identity_attribute(private_imv_agent_t *this,
+											 TNC_ConnectionID id,
+											 TNC_AttributeID attribute_id)
+{
+	TNC_UInt32 len;
+	char buf[2048];
+	u_int32_t count;
+	tncif_identity_t *tnc_id;
+	bio_reader_t *reader;
+	linked_list_t *list;
+
+	list = linked_list_create();
+
+	if (!this->get_attribute ||
+		 this->get_attribute(this->id, id, attribute_id, sizeof(buf), buf, &len)
+				!= TNC_RESULT_SUCCESS || len > sizeof(buf))
+	{
+		return list;
+	}
+
+	reader = bio_reader_create(chunk_create(buf, len));
+	if (!reader->read_uint32(reader, &count))
+	{
+			goto end;
+	}
+	while (count--)
+	{
+		tnc_id = tncif_identity_create_empty();
+		if (!tnc_id->process(tnc_id, reader))
+		{
+			tnc_id->destroy(tnc_id);
+			goto end;
+		}
+		list->insert_last(list, tnc_id);
+	}
+
+end:
+	reader->destroy(reader);
+	return list;
+ }
+
 METHOD(imv_agent_t, create_state, TNC_Result,
 	private_imv_agent_t *this, imv_state_t *state)
 {
 	TNC_ConnectionID conn_id;
 	char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
-	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
+	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE;
+	linked_list_t *ar_identities;
+	enumerator_t *enumerator;
+	tncif_identity_t *tnc_id;
+	imv_session_t *session;
+	u_int32_t max_msg_len;
+	u_int32_t ar_id_type = TNC_ID_UNKNOWN;
+	chunk_t ar_id_value = chunk_empty;
 
 	conn_id = state->get_connection_id(state);
 	if (find_connection(this, conn_id))
@@ -371,18 +432,74 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 	has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES);
 	has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
 	has_soh  = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH);
-	tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); 
+	tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
 	tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION);
 	t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
 	t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
+	max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
+	ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES);
 
 	state->set_flags(state, has_long, has_excl);
+	state->set_max_msg_len(state, max_msg_len);
+
+	DBG2(DBG_IMV, "IMV %u \"%s\" created a state for %s %s Connection ID %u: "
+				  "%slong %sexcl %ssoh", this->id, this->name,
+				  tnccs_p ? tnccs_p:"?", tnccs_v ? tnccs_v:"?", conn_id,
+			      has_long ? "+":"-", has_excl ? "+":"-", has_soh ? "+":"-");
+	DBG2(DBG_IMV, "  over %s %s with maximum PA-TNC message size of %u bytes",
+				  t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
+
+	enumerator = ar_identities->create_enumerator(ar_identities);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		pen_type_t id_type, subject_type, auth_type;
+		u_int32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
+		chunk_t id_value;
+
+		id_type = tnc_id->get_identity_type(tnc_id);
+		id_value = tnc_id->get_identity_value(tnc_id);
+		subject_type = tnc_id->get_subject_type(tnc_id);
+		auth_type = tnc_id->get_auth_type(tnc_id);
+
+		tcg_id_type =      (id_type.vendor_id == PEN_TCG) ?
+							id_type.type : TNC_ID_UNKNOWN;
+		tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
+							subject_type.type : TNC_SUBJECT_UNKNOWN;
+		tcg_auth_type =    (auth_type.vendor_id == PEN_TCG) ?
+							auth_type.type : TNC_AUTH_UNKNOWN;
+
+
+		DBG2(DBG_IMV, "  %N AR identity '%.*s' authenticated by %N",
+			 TNC_Subject_names, tcg_subject_type,
+			 id_value.len, id_value.ptr,
+			 TNC_Authentication_names, tcg_auth_type);
 
-	DBG2(DBG_IMV, "IMV %u \"%s\" created a state for Connection ID %u: "
-				  "%s %s with %slong %sexcl %ssoh over %s %s",
-				  this->id, this->name, conn_id, tnccs_p ? tnccs_p:"?",
-				  tnccs_v ? tnccs_v:"?", has_long ? "+":"-", has_excl ? "+":"-",
-				  has_soh ? "+":"-",  t_p ? t_p:"?", t_v ? t_v :"?");
+		if (first)
+		{
+			ar_id_type = tcg_id_type;
+			ar_id_value = id_value;
+			state->set_ar_id(state, ar_id_type, ar_id_value);
+			first = FALSE;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (imcv_db)
+	{
+		session = imcv_db->add_session(imcv_db, conn_id, ar_id_type, ar_id_value);
+		if (session)
+		{
+			DBG2(DBG_IMV, "  assigned session ID %d",
+				 session->get_session_id(session));
+			state->set_session(state, session);
+		}
+		else
+		{
+			DBG1(DBG_IMV, "  no session ID assigned");
+		}
+	}
+	ar_identities->destroy_offset(ar_identities,
+						   offsetof(tncif_identity_t, destroy));
 	free(tnccs_p);
 	free(tnccs_v);
 	free(t_p);
@@ -449,7 +566,7 @@ METHOD(imv_agent_t, change_state, TNC_Result,
 			DBG1(DBG_IMV, "IMV %u \"%s\" was notified of unknown state %u "
 				 		  "for Connection ID %u",
 						  this->id, this->name, new_state, connection_id);
-			return TNC_RESULT_INVALID_PARAMETER;		
+			return TNC_RESULT_INVALID_PARAMETER;
 	}
 	return TNC_RESULT_SUCCESS;
 }
@@ -468,220 +585,16 @@ METHOD(imv_agent_t, get_state, bool,
 	return TRUE;
 }
 
-METHOD(imv_agent_t, send_message, TNC_Result,
-	private_imv_agent_t *this, TNC_ConnectionID connection_id, bool excl,
-	TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, chunk_t msg)
-{
-	TNC_MessageType type;
-	TNC_UInt32 msg_flags;
-	imv_state_t *state;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-
-	if (state->has_long(state) && this->send_message_long)
-	{
-		if (!src_imv_id)
-		{
-			src_imv_id = this->id;
-		}
-		msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
-
-		return this->send_message_long(src_imv_id, connection_id, msg_flags,
-									   msg.ptr, msg.len, this->vendor_id,
-									   this->subtype, dst_imc_id);
-	}
-	if (this->send_message)
-	{
-		type = (this->vendor_id << 8) | this->subtype;
-
-		return this->send_message(this->id, connection_id, msg.ptr, msg.len,
-								  type);
-	}
-	return TNC_RESULT_FATAL;
-}
-
-METHOD(imv_agent_t, set_recommendation, TNC_Result,
-	private_imv_agent_t *this, TNC_ConnectionID connection_id,
-							   TNC_IMV_Action_Recommendation rec,
-							   TNC_IMV_Evaluation_Result eval)
+METHOD(imv_agent_t, get_name, const char*,
+	private_imv_agent_t *this)
 {
-	imv_state_t *state;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-
-	state->set_recommendation(state, rec, eval);
-	return this->provide_recommendation(this->id, connection_id, rec, eval);
+	return	this->name;
 }
 
-METHOD(imv_agent_t, receive_message, TNC_Result,
-	private_imv_agent_t *this, imv_state_t *state, chunk_t msg,
-	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype,
-	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, pa_tnc_msg_t **pa_tnc_msg)
-{
-	pa_tnc_msg_t *pa_msg, *error_msg;
-	pa_tnc_attr_t *error_attr;
-	enumerator_t *enumerator;
-	TNC_MessageType msg_type;
-	TNC_UInt32 msg_flags, src_imv_id, dst_imc_id;
-	TNC_ConnectionID connection_id;
-	TNC_Result result;
-
-	connection_id = state->get_connection_id(state);
-
-	if (state->has_long(state))
-	{
-		if (dst_imv_id != TNC_IMVID_ANY)
-		{
-			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
-						  "from IMC %u to IMV %u", this->id, this->name,
-						   connection_id, src_imc_id, dst_imv_id);
-		}
-		else
-		{
-			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
-						  "from IMC %u", this->id, this->name, connection_id,
-						   src_imc_id);
-		}
-	}
-	else
-	{
-		DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u",
-					   this->id, this->name, connection_id);
-	}
-
-	*pa_tnc_msg = NULL;
-	pa_msg = pa_tnc_msg_create_from_data(msg);
-
-	switch (pa_msg->process(pa_msg))
-	{
-		case SUCCESS:
-			*pa_tnc_msg = pa_msg;
-			break;
-		case VERIFY_ERROR:
-			/* build error message */
-			error_msg = pa_tnc_msg_create();
-			enumerator = pa_msg->create_error_enumerator(pa_msg);
-			while (enumerator->enumerate(enumerator, &error_attr))
-			{
-				error_msg->add_attribute(error_msg,
-										 error_attr->get_ref(error_attr));
-			}
-			enumerator->destroy(enumerator);
-			error_msg->build(error_msg);
-
-			/* send error message */
-			msg = error_msg->get_encoding(error_msg);
-
-			if (state->has_long(state) && this->send_message_long)
-			{
-				if (state->has_excl(state))
-				{
-					msg_flags =	TNC_MESSAGE_FLAGS_EXCLUSIVE;
-					dst_imc_id = src_imc_id;
-				}
-				else
-				{
-					msg_flags = 0;
-					dst_imc_id = TNC_IMCID_ANY;
-				}
-				src_imv_id = (dst_imv_id == TNC_IMVID_ANY) ? this->id
-														   : dst_imv_id;
-								
-				result = this->send_message_long(src_imv_id, connection_id,
-										msg_flags, msg.ptr, msg.len, msg_vid,
-										msg_subtype, dst_imc_id);
-			}
-			else if (this->send_message)
-			{
-				msg_type = (msg_vid << 8) | msg_subtype;
-
-				result = this->send_message(this->id, connection_id,
-										msg.ptr, msg.len, msg_type);
-			}
-			else
-			{
-				result = TNC_RESULT_FATAL;
-			}
-
-			/* clean up */
-			error_msg->destroy(error_msg);
-			pa_msg->destroy(pa_msg);
-			return result;
-		case FAILED:
-		default:
-			pa_msg->destroy(pa_msg);
-			state->set_recommendation(state,
-							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-							TNC_IMV_EVALUATION_RESULT_ERROR);
-			return this->provide_recommendation(this->id, connection_id,
-							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-							TNC_IMV_EVALUATION_RESULT_ERROR);
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-METHOD(imv_agent_t, provide_recommendation, TNC_Result,
-	private_imv_agent_t *this, TNC_ConnectionID connection_id)
+METHOD(imv_agent_t, get_id, TNC_IMVID,
+	private_imv_agent_t *this)
 {
-	imv_state_t *state;
-	TNC_IMV_Action_Recommendation rec;
-	TNC_IMV_Evaluation_Result eval;
-	TNC_UInt32 lang_len;
-	char buf[BUF_LEN];
-	chunk_t pref_lang = { buf, 0 }, reason_string, reason_lang;
-
-	state = find_connection(this, connection_id);
-	if (!state)
-	{
-		DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u",
-					  this->id, this->name, connection_id);
-		return TNC_RESULT_FATAL;
-	}
-	state->get_recommendation(state, &rec, &eval);
-
-
-	/* send a reason string if action recommendation is not allow */
-	if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
-	{
-		/* check if there a preferred language has been requested */
-		if (this->get_attribute  &&
-			this->get_attribute(this->id, connection_id,
-								TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN,
-								buf, &lang_len) == TNC_RESULT_SUCCESS &&
-			lang_len <= BUF_LEN)
-		{
-			pref_lang.len = lang_len;
-			DBG2(DBG_IMV, "preferred language is '%.*s'",
-						   pref_lang.len, pref_lang.ptr);
-		}
-
-		/* find a reason string for the preferred or default language and set it */
-		if (this->set_attribute &&
-			state->get_reason_string(state, pref_lang, &reason_string,
-													   &reason_lang))
-		{
-			this->set_attribute(this->id, connection_id,
-								TNC_ATTRIBUTEID_REASON_STRING,
-								reason_string.len, reason_string.ptr);
-			this->set_attribute(this->id, connection_id,
-								TNC_ATTRIBUTEID_REASON_LANGUAGE,
-								reason_lang.len, reason_lang.ptr);
-		}
-	}
-			
-	return this->provide_recommendation(this->id, connection_id, rec, eval);
+	return	this->id;
 }
 
 METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
@@ -729,6 +642,146 @@ METHOD(imv_agent_t, create_id_enumerator, enumerator_t*,
 	return this->additional_ids->create_enumerator(this->additional_ids);
 }
 
+typedef struct {
+	/**
+	 * implements enumerator_t
+	 */
+	enumerator_t public;
+
+	/**
+	 * language length
+	 */
+	TNC_UInt32 lang_len;
+
+	/**
+	 * language buffer
+	 */
+	char lang_buf[BUF_LEN];
+
+	/**
+	 * position pointer into language buffer
+	 */
+	char *lang_pos;
+
+} language_enumerator_t;
+
+/**
+ * Implementation of language_enumerator.destroy.
+ */
+static void language_enumerator_destroy(language_enumerator_t *this)
+{
+	free(this);
+}
+
+/**
+ * Implementation of language_enumerator.enumerate
+ */
+static bool language_enumerator_enumerate(language_enumerator_t *this, ...)
+{
+	char *pos, *cur_lang, **lang;
+	TNC_UInt32 len;
+	va_list args;
+
+	if (!this->lang_len)
+	{
+		return FALSE;
+	}
+	cur_lang = this->lang_pos;
+	pos = strchr(this->lang_pos, ',');
+	if (pos)
+	{
+		len = pos - this->lang_pos;
+		this->lang_pos += len + 1,
+		this->lang_len -= len + 1;
+	}
+	else
+	{
+		len = this->lang_len;
+		pos = this->lang_pos + len;
+		this->lang_pos = NULL;
+		this->lang_len = 0;
+	}
+
+	/* remove preceding whitespace */
+	while (*cur_lang == ' ' && len--)
+	{
+		cur_lang++;
+	}
+
+	/* remove trailing whitespace */
+	while (len && *(--pos) == ' ')
+	{
+		len--;
+	}
+	cur_lang[len] = '\0';
+
+	va_start(args, this);
+	lang = va_arg(args, char**);
+	*lang = cur_lang;
+	va_end(args);
+
+	return TRUE;
+}
+
+METHOD(imv_agent_t, create_language_enumerator, enumerator_t*,
+	private_imv_agent_t *this, imv_state_t *state)
+{
+	language_enumerator_t *e;
+
+	/* Create a language enumerator instance */
+	e = malloc_thing(language_enumerator_t);
+	e->public.enumerate = (void*)language_enumerator_enumerate;
+	e->public.destroy = (void*)language_enumerator_destroy;
+
+	if (!this->get_attribute ||
+		!this->get_attribute(this->id, state->get_connection_id(state),
+						TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN,
+						e->lang_buf, &e->lang_len) == TNC_RESULT_SUCCESS ||
+		e->lang_len >= BUF_LEN)
+	{
+		e->lang_len = 0;
+	}
+	e->lang_buf[e->lang_len] = '\0';
+	e->lang_pos = e->lang_buf;
+
+	return (enumerator_t*)e;
+}
+
+METHOD(imv_agent_t, provide_recommendation, TNC_Result,
+	private_imv_agent_t *this, imv_state_t *state)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	TNC_ConnectionID connection_id;
+	chunk_t reason_string;
+	char *reason_lang;
+	enumerator_t *e;
+
+	state->get_recommendation(state, &rec, &eval);
+	connection_id = state->get_connection_id(state);
+
+	/* send a reason string if action recommendation is not allow */
+	if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+	{
+		/* find a reason string for the preferred language and set it */
+		if (this->set_attribute)
+		{
+			e = create_language_enumerator(this, state);
+			if (state->get_reason_string(state, e, &reason_string, &reason_lang))
+			{
+				this->set_attribute(this->id, connection_id,
+									TNC_ATTRIBUTEID_REASON_STRING,
+									reason_string.len, reason_string.ptr);
+				this->set_attribute(this->id, connection_id,
+									TNC_ATTRIBUTEID_REASON_LANGUAGE,
+									strlen(reason_lang), reason_lang);
+			}
+			e->destroy(e);
+		}
+	}
+	return this->provide_recommendation(this->id, connection_id, rec, eval);
+}
+
 METHOD(imv_agent_t, destroy, void,
 	private_imv_agent_t *this)
 {
@@ -747,13 +800,13 @@ METHOD(imv_agent_t, destroy, void,
  * Described in header.
  */
 imv_agent_t *imv_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMVID id, TNC_Version *actual_version)
 {
 	private_imv_agent_t *this;
 
 	/* initialize  or increase the reference count */
-	if (!libimcv_init())
+	if (!libimcv_init(TRUE))
 	{
 		return NULL;
 	}
@@ -765,18 +818,18 @@ imv_agent_t *imv_agent_create(const char *name,
 			.delete_state = _delete_state,
 			.change_state = _change_state,
 			.get_state = _get_state,
-			.send_message = _send_message,
-			.receive_message = _receive_message,
-			.set_recommendation = _set_recommendation,
-			.provide_recommendation = _provide_recommendation,
+			.get_name = _get_name,
+			.get_id = _get_id,
 			.reserve_additional_ids = _reserve_additional_ids,
 			.count_additional_ids = _count_additional_ids,
 			.create_id_enumerator = _create_id_enumerator,
+			.create_language_enumerator = _create_language_enumerator,
+			.provide_recommendation = _provide_recommendation,
 			.destroy = _destroy,
 		},
 		.name = name,
-		.vendor_id = vendor_id,
-		.subtype = subtype,
+		.supported_types = supported_types,
+		.type_count = type_count,
 		.id = id,
 		.additional_ids = linked_list_create(),
 		.connections = linked_list_create(),
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index de70f3bc1..d58af260b 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -15,17 +16,19 @@
 /**
  *
  * @defgroup imv_agent_t imv_agent
- * @{ @ingroup imv_agent
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_AGENT_H_
 #define IMV_AGENT_H_
 
 #include "imv_state.h"
+#include "imv_database.h"
 #include "pa_tnc/pa_tnc_msg.h"
 
 #include <tncifimv.h>
 #include <pen/pen.h>
+#include <collections/linked_list.h>
 
 #include <library.h>
 
@@ -49,6 +52,44 @@ struct imv_agent_t {
 										  TNC_RetryReason reason);
 
 	/**
+	 * Call when an IMV-IMC message is to be sent
+	 *
+	 * @param imv_id			IMV ID assigned by TNCS
+	 * @param connection_id		network connection ID assigned by TNCS
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_type			message type
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message)(TNC_IMVID imv_id,
+							   TNC_ConnectionID connection_id,
+							   TNC_BufferReference msg,
+							   TNC_UInt32 msg_len,
+							   TNC_MessageType msg_type);
+
+	/**
+	 * Call when an IMV-IMC message is to be sent with long message types
+	 *
+	 * @param imv_id			IMV ID assigned by TNCS
+	 * @param connection_id		network connection ID assigned by TNCS
+	 * @param msg_flags			message flags
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_vid			message vendor ID
+	 * @param msg_subtype		message subtype
+	 * @param dst_imc_id		destination IMC ID
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message_long)(TNC_IMVID imv_id,
+									TNC_ConnectionID connection_id,
+									TNC_UInt32 msg_flags,
+									TNC_BufferReference msg,
+									TNC_UInt32 msg_len,
+									TNC_VendorID msg_vid,
+									TNC_MessageSubtype msg_subtype,
+									TNC_UInt32 dst_imc_id);
+
+	/**
 	 * Bind TNCS functions
 	 *
 	 * @param bind_function		function offered by the TNCS
@@ -98,61 +139,18 @@ struct imv_agent_t {
 					  TNC_ConnectionID connection_id, imv_state_t **state);
 
 	/**
-	 * Call when a PA-TNC message is to be sent
-	 *
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param excl				exclusive flag
-	 * @param src_imv_id		IMV ID to be set as source
-	 * @param dst_imc_id		IMD ID to be set as destination
-	 * @param msg				message to send
-	 * @return					TNC result code
-	 */
-	TNC_Result (*send_message)(imv_agent_t *this,
-							   TNC_ConnectionID connection_id, bool excl,
-							   TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id,
-							   chunk_t msg);
-
-	/**
-	 * Call when a PA-TNC message was received
+	 * Get IMV name
 	 *
-	 * @param state				state for current connection
-	 * @param msg				received unparsed message
-	 * @param msg_vid			message vendorID of the received message
-	 * @param msg_subtype		message subtype of the received message
-	 * @param src_imc_id		source IMC ID
-	 * @param dst_imv_id		destination IMV ID
-	 * @param pa_tnc_message	parsed PA-TNC message or NULL if an error occurred
-	 * @return					TNC result code
+	 * return					IMV name
 	 */
-	TNC_Result (*receive_message)(imv_agent_t *this,
-								  imv_state_t *state, chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id,
-								  pa_tnc_msg_t **pa_tnc_msg);
+	const char* (*get_name)(imv_agent_t *this);
 
 	/**
-	 * Set Action Recommendation and Evaluation Result in the IMV state
+	 * Get base IMV ID
 	 *
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @param rec				IMV action recommendation
-	 * @param eval				IMV evaluation result
-	 * @return					TNC result code
-	 */
-	TNC_Result (*set_recommendation)(imv_agent_t *this,
-									 TNC_ConnectionID connection_id,
-									 TNC_IMV_Action_Recommendation rec,
-									 TNC_IMV_Evaluation_Result eval);
-
-	/**
-	 * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS
-	 *
-	 * @param connection_id		network connection ID assigned by TNCS
-	 * @return					TNC result code
+	 * return					base IMV ID
 	 */
-	TNC_Result (*provide_recommendation)(imv_agent_t *this,
-										 TNC_ConnectionID connection_id);
+	TNC_IMVID (*get_id)(imv_agent_t *this);
 
 	/**
 	 * Reserve additional IMV IDs from TNCS
@@ -175,6 +173,22 @@ struct imv_agent_t {
 	enumerator_t* (*create_id_enumerator)(imv_agent_t *this);
 
 	/**
+	 * Create a preferred languages enumerator
+	 *
+	 * @param					state of TNCCS connection
+	 */
+	enumerator_t* (*create_language_enumerator)(imv_agent_t *this,
+				   imv_state_t *state);
+
+	/**
+	 * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS
+	 *
+	 * @param state				state bound to a connection ID
+	 * @return					TNC result code
+	 */
+	TNC_Result (*provide_recommendation)(imv_agent_t *this, imv_state_t* state);
+
+	/**
 	 * Destroys an imv_agent_t object
 	 */
 	void (*destroy)(imv_agent_t *this);
@@ -184,14 +198,14 @@ struct imv_agent_t {
  * Create an imv_agent_t object
  *
  * @param name				name of the IMV
- * @param vendor_id			vendor ID of the IMV
- * @param subtype			message subtype of the IMV
+ * @param supported_types	list of message types registered by the IMV
+ * @param type_count		number of registered message types
  * @param id				ID of the IMV as assigned by the TNCS
  * @param actual_version	actual version of the IF-IMV API
  *
  */
 imv_agent_t *imv_agent_create(const char *name,
-							  pen_t vendor_id, u_int32_t subtype,
+							  pen_type_t *supported_types, u_int32_t type_count,
 							  TNC_IMVID id, TNC_Version *actual_version);
 
 #endif /** IMV_AGENT_H_ @}*/
diff --git a/src/libimcv/imv/imv_agent_if.h b/src/libimcv/imv/imv_agent_if.h
new file mode 100644
index 000000000..db188793a
--- /dev/null
+++ b/src/libimcv/imv/imv_agent_if.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_agent_if_t imv_agent_if
+ * @{ @ingroup imv_os
+ */
+
+#ifndef IMV_AGENT_IF_H_
+#define IMV_AGENT_IF_H_
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_agent_if_t imv_agent_if_t;
+
+/**
+ * IF-IMV interface for IMV agents
+ */
+struct imv_agent_if_t {
+
+	/**
+	 * Implements the TNC_IMV_ProvideBindFunction function of the IMV
+	 *
+	 * @param bind_function		Function offered by the TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*bind_functions)(imv_agent_if_t *this,
+								 TNC_TNCS_BindFunctionPointer bind_function);
+
+	/**
+	 * Implements the TNC_IMV_NotifyConnectionChange() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @param new_state			New connection state to be set
+	 * @return					TNC result code
+	 */
+	TNC_Result (*notify_connection_change)(imv_agent_if_t *this,
+										   TNC_ConnectionID id,
+										   TNC_ConnectionState new_state);
+
+	/**
+	 * Implements the TNC_IMV_ReceiveMessage() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @param msg_type			PA-TNC message type
+	 * @param msg				Received message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive_message)(imv_agent_if_t *this, TNC_ConnectionID id,
+								  TNC_MessageType msg_type, chunk_t msg);
+
+	/**
+	 * Implements the TNC_IMV_ReceiveMessageLong() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @param src_imc_id		ID of source IMC
+	 * @param dst_imv_id		ID of destination IMV
+	 * @param msg_vid			Vendor ID of message type
+	 * @param msg_subtype		PA-TNC message subtype
+	 * @param msg				Received message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive_message_long)(imv_agent_if_t *this,
+									   TNC_ConnectionID id,
+									   TNC_UInt32 src_imc_id,
+									   TNC_UInt32 dst_imv_id,
+									   TNC_VendorID msg_vid,
+									   TNC_MessageSubtype msg_subtype,
+									   chunk_t msg);
+
+	/**
+	 * Implements the TNC_IMV_BatchEnding() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*batch_ending)(imv_agent_if_t *this, TNC_ConnectionID id);
+
+	/**
+	 * Implements the TNC_IMV_SolicitRecommendation() function of the IMV
+	 *
+	 * @param id				Network connection ID assigned by TNCS
+	 * @return					TNC result code
+	 */
+	TNC_Result (*solicit_recommendation)(imv_agent_if_t *this,
+										 TNC_ConnectionID id);
+
+	/**
+	 * Destroys an imv_agent_if_t object
+	 */
+	void (*destroy)(imv_agent_if_t *this);
+
+};
+
+/**
+ * Constructor template
+ */
+typedef imv_agent_if_t* (*imv_agent_create_t)(const char* name, TNC_IMVID id,
+											  TNC_Version *actual_version);
+
+#endif /** IMV_AGENT_IF_H_ @}*/
diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c
new file mode 100644
index 000000000..dc7edd7aa
--- /dev/null
+++ b/src/libimcv/imv/imv_database.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+
+#include "imv_database.h"
+
+#include <utils/debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_imv_database_t private_imv_database_t;
+
+/**
+ * Private data of a imv_database_t object.
+ */
+struct private_imv_database_t {
+
+	/**
+	 * Public imv_database_t interface.
+	 */
+	imv_database_t public;
+
+	/**
+	 * database instance
+	 */
+	database_t *db;
+
+	/**
+	 * policy script
+	 */
+	char *script;
+
+	/**
+	 * Session list
+	 */
+	linked_list_t *sessions;
+
+	/**
+	 * mutex used to lock session list
+	 */
+	mutex_t *mutex;
+
+};
+
+METHOD(imv_database_t, add_session, imv_session_t*,
+	private_imv_database_t *this, TNC_ConnectionID conn_id,
+	u_int32_t ar_id_type, chunk_t ar_id_value)
+{
+	enumerator_t *enumerator, *e;
+	imv_session_t *current, *session = NULL;
+	int ar_id = 0, session_id;
+	u_int created;
+
+	this->mutex->lock(this->mutex);
+
+	/* check if a session has already been assigned */
+	enumerator = this->sessions->create_enumerator(this->sessions);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (conn_id == current->get_connection_id(current))
+		{
+			session = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* session already exists */
+	if (session)
+	{
+		this->mutex->unlock(this->mutex);
+		return session->get_ref(session);
+	}
+
+	if (ar_id_value.len)
+	{
+		/* get primary key of AR identity if it exists */
+		e = this->db->query(this->db,
+				"SELECT id FROM identities WHERE type = ? AND value = ?",
+				DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT);
+		if (e)
+		{
+			e->enumerate(e, &ar_id);
+			e->destroy(e);
+		}
+
+		/* if AR identity has not been found - register it */
+		if (!ar_id)
+		{
+			this->db->execute(this->db, &ar_id,
+				"INSERT INTO identities (type, value) VALUES (?, ?)",
+				 DB_INT, ar_id_type, DB_BLOB, ar_id_value);
+		}
+	}
+	/* create a new session entry */
+	created = time(NULL);
+	this->db->execute(this->db, &session_id,
+				"INSERT INTO sessions (time, connection, identity) "
+				"VALUES (?, ?, ?)",
+				DB_UINT, created, DB_INT, conn_id, DB_INT, ar_id);
+	session = imv_session_create(session_id, conn_id);
+	this->sessions->insert_last(this->sessions, session);
+
+	this->mutex->unlock(this->mutex);
+
+	return session;
+}
+
+METHOD(imv_database_t, remove_session, void,
+	private_imv_database_t *this, imv_session_t *session)
+{
+	enumerator_t *enumerator;
+	imv_session_t *current;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->sessions->create_enumerator(this->sessions);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current == session)
+		{
+			this->sessions->remove_at(this->sessions, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(imv_database_t, add_product, int,
+	private_imv_database_t *this, imv_session_t *session, char *product)
+{
+	enumerator_t *e;
+	int pid = 0;
+
+	/* get primary key of product info string if it exists */
+	e = this->db->query(this->db,
+			"SELECT id FROM products WHERE name = ?", DB_TEXT, product, DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &pid);
+		e->destroy(e);
+	}
+
+	/* if product info string has not been found - register it */
+	if (!pid)
+	{
+		this->db->execute(this->db, &pid,
+			"INSERT INTO products (name) VALUES (?)", DB_TEXT, product);
+	}
+	
+	/* add product reference to session */
+	if (pid)
+	{
+		this->db->execute(this->db, NULL,
+			"UPDATE sessions SET product = ? WHERE id = ?",
+			 DB_INT, pid, DB_INT, session->get_session_id(session));
+	}
+
+	return pid;
+}
+
+METHOD(imv_database_t, add_device, int,
+	private_imv_database_t *this, imv_session_t *session, chunk_t device)
+{
+	enumerator_t *e;
+	char *device_str;
+	int pid = 0, did = 0;
+
+	/* get primary key of product from session */
+	e = this->db->query(this->db,
+			"SELECT product FROM sessions WHERE id = ?",
+			 DB_INT, session->get_session_id(session), DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &pid);
+		e->destroy(e);
+	}
+
+	/* some IMV policy manager expect a text string */
+	device_str = strndup(device.ptr, device.len);
+
+	/* get primary key of device identification if it exists */
+	e = this->db->query(this->db,
+			"SELECT id FROM devices WHERE value = ? AND product = ?",
+			 DB_TEXT, device_str, DB_INT, pid, DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &did);
+		e->destroy(e);
+	}
+
+	/* if device identification has not been found - register it */
+	if (!did)
+	{
+		this->db->execute(this->db, &did,
+			"INSERT INTO devices (value, product) VALUES (?, ?)",
+			 DB_TEXT, device_str, DB_INT, pid);
+	}
+	free(device_str);
+	
+	/* add device reference to session */
+	if (did)
+	{
+		this->db->execute(this->db, NULL,
+			"UPDATE sessions SET device = ? WHERE id = ?",
+			 DB_INT, did, DB_INT, session->get_session_id(session));
+	}
+
+	return did;
+}
+
+METHOD(imv_database_t, add_recommendation, void,
+	private_imv_database_t *this, imv_session_t *session,
+	TNC_IMV_Action_Recommendation rec)
+{
+	/* add final recommendation to session */
+	this->db->execute(this->db, NULL,
+			"UPDATE sessions SET rec = ? WHERE id = ?",
+			 DB_INT, rec, DB_INT, session->get_session_id(session));
+}
+
+METHOD(imv_database_t, policy_script, bool,
+	private_imv_database_t *this, imv_session_t *session, bool start)
+{
+	imv_workitem_t *workitem;
+	imv_workitem_type_t type;
+	int id, session_id, arg_int, rec_fail, rec_noresult;
+	enumerator_t *e;
+	char command[512], resp[128], *last, *arg_str;
+	FILE *shell;
+
+	session_id = session->get_session_id(session);
+
+	snprintf(command, sizeof(command), "2>&1 TNC_SESSION_ID='%d' %s %s",
+			 session_id, this->script, start ? "start" : "stop");
+	DBG3(DBG_IMV, "running policy script: %s", command);
+
+	shell = popen(command, "r");
+	if (shell == NULL)
+	{
+		DBG1(DBG_IMV, "could not execute policy script '%s'",
+			 this->script);
+		return FALSE;
+	}
+	while (TRUE)
+	{
+		if (fgets(resp, sizeof(resp), shell) == NULL)
+		{
+			if (ferror(shell))
+			{
+				DBG1(DBG_IMV, "error reading output from policy script");
+			}
+			break;
+		}
+		else
+		{
+			last = resp + strlen(resp) - 1;
+			if (last >= resp && *last == '\n')
+			{
+				/* replace trailing '\n' */
+				*last = '\0';
+			}
+			DBG1(DBG_IMV, "policy: %s", resp);
+		}
+	}
+	pclose(shell);
+
+	if (start && !session->get_policy_started(session))
+	{
+		/* get workitem list generated by policy manager */
+		e = this->db->query(this->db,
+				"SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult "
+				"FROM workitems WHERE session = ?",	DB_INT, session_id,
+				 DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT);
+		if (!e)
+		{
+			DBG1(DBG_IMV, "no workitem enumerator returned");
+			return FALSE;
+		}
+		while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail,
+							   &rec_noresult))
+		{
+			workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail,
+										   rec_noresult);
+			session->insert_workitem(session, workitem);
+		}
+		e->destroy(e);
+
+		session->set_policy_started(session, TRUE);
+	}
+	else if (!start && session->get_policy_started(session))
+	{
+		session->set_policy_started(session, FALSE);
+	}
+
+	return TRUE;
+}
+
+METHOD(imv_database_t, finalize_workitem, bool,
+	private_imv_database_t *this, imv_workitem_t *workitem)
+{
+	char *result;
+	int rec;
+
+	rec = workitem->get_result(workitem, &result);
+
+	return this->db->execute(this->db, NULL,
+				"UPDATE workitems SET result = ?, rec_final = ? WHERE id = ?",
+				DB_TEXT, result, DB_INT, rec,
+				DB_INT, workitem->get_id(workitem)) == 1;
+}
+
+METHOD(imv_database_t, get_database, database_t*,
+	private_imv_database_t *this)
+{
+	return this->db;
+}
+
+METHOD(imv_database_t, destroy, void,
+	private_imv_database_t *this)
+{
+	DESTROY_IF(this->db);
+	this->sessions->destroy_offset(this->sessions,
+							offsetof(imv_session_t, destroy));
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_database_t *imv_database_create(char *uri, char *script)
+{
+	private_imv_database_t *this;
+
+	INIT(this,
+		.public = {
+			.add_session = _add_session,
+			.remove_session = _remove_session,
+			.add_product = _add_product,
+			.add_device = _add_device,
+			.add_recommendation = _add_recommendation,
+			.policy_script = _policy_script,
+			.finalize_workitem = _finalize_workitem,
+			.get_database = _get_database,
+			.destroy = _destroy,
+		},
+		.db = lib->db->create(lib->db, uri),
+		.script = script,
+		.sessions = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	if (!this->db)
+	{
+		DBG1(DBG_IMV,
+			 "failed to connect to IMV database '%s'", uri);
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_database.h b/src/libimcv/imv/imv_database.h
new file mode 100644
index 000000000..48a3ded9e
--- /dev/null
+++ b/src/libimcv/imv/imv_database.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_database_t imv_database
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_DATABASE_H_
+#define IMV_DATABASE_H_
+
+#include "imv_session.h"
+#include "imv_workitem.h"
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_database_t imv_database_t;
+
+/**
+ * IMV database interface 
+ */
+struct imv_database_t {
+
+	/**
+	 * Create or get a session associated with a TNCCS connection
+	 *
+	 * @param conn_id		TNCCS Connection ID
+	 * @param ar_id_type	Access Requestor identity type
+	 * @param ar_id_value	Access Requestor identity value
+	 * @return				Session associated with TNCCS Connection
+	 */
+	 imv_session_t* (*add_session)(imv_database_t *this,
+								   TNC_ConnectionID conn_id,
+								   u_int32_t ar_id_type, chunk_t ar_id_value);
+
+	/**
+	 * Remove and delete a session
+	 *
+	 * @param session		Session
+	 */
+	 void (*remove_session)(imv_database_t *this, imv_session_t *session);
+
+	/**
+	 * Add product information string to a session database entry
+	 *
+	 * @param session		Session
+	 * @param product		Product information string
+	 * @return				Product ID
+	 */
+	 int (*add_product)(imv_database_t *this, imv_session_t *session,
+						char *product);
+
+	/**
+	 * Add device identification to a session database entry
+	 *
+	 * @param session		Session
+	 * @param device		Device identification
+	 * @return				Device ID
+	 */
+	 int (*add_device)(imv_database_t *this, imv_session_t *session,
+					   chunk_t device);
+
+	/**
+	 * Add final recommendation to a session database entry
+	 *
+	 * @param session		Session
+	 * @param rec			Final recommendation
+	 */
+	 void (*add_recommendation)(imv_database_t *this, imv_session_t *session,
+								TNC_IMV_Action_Recommendation rec);
+
+	/**
+	 * Announce session start/stop to policy script
+	 *
+	 * @param session		Session
+	 * @param start			TRUE if session start, FALSE if session stop
+	 * @return				TRUE if command successful, FALSE otherwise
+	 */
+	 bool (*policy_script)(imv_database_t *this, imv_session_t *session,
+						   bool start);
+
+	/**
+	 * Finalize a workitem
+	 *
+	 * @param workitem		Workitem to be finalized
+	 */
+	bool (*finalize_workitem)(imv_database_t *this, imv_workitem_t *workitem);
+
+	/**
+	 * Get database handle
+	 *
+	 * @return				Database handle
+	 */
+	 database_t* (*get_database)(imv_database_t *this);
+
+	/**
+	 * Destroys an imv_database_t object
+	 */
+	void (*destroy)(imv_database_t *this);
+};
+
+/**
+ * Create an imv_database_t instance
+ *
+ * @param uri				Database uri
+ * @param script			Policy Manager script
+ */
+imv_database_t* imv_database_create(char *uri, char *script);
+
+#endif /** IMV_DATABASE_H_ @}*/
diff --git a/src/libimcv/imv/imv_if.h b/src/libimcv/imv/imv_if.h
new file mode 100644
index 000000000..fa9765b11
--- /dev/null
+++ b/src/libimcv/imv/imv_if.h
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2012-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Define the following two static constants externally:
+ * static const char imv_name[] = "xx";
+ * static const imv_agent_create_t imv_agent_create = imv_xx_agent_create;
+ */
+
+#include <utils/debug.h>
+
+static imv_agent_if_t *imv_agent;
+
+/*
+ * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
+							  TNC_Version min_version,
+							  TNC_Version max_version,
+							  TNC_Version *actual_version)
+{
+	if (imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
+		return TNC_RESULT_ALREADY_INITIALIZED;
+	}
+
+	imv_agent = imv_agent_create(imv_name, imv_id, actual_version);
+
+	if (!imv_agent)
+	{
+		return TNC_RESULT_FATAL;
+	}
+	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
+	{
+		DBG1(DBG_IMV, "no common IF-IMV version");
+		return TNC_RESULT_NO_COMMON_VERSION;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_ConnectionState new_state)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->notify_connection_change(imv_agent, connection_id,
+											   new_state);
+}
+
+/**
+ * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
+								  TNC_ConnectionID connection_id,
+								  TNC_BufferReference msg,
+								  TNC_UInt32 msg_len,
+								  TNC_MessageType msg_type)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->receive_message(imv_agent, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+}
+
+/**
+ * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
+									  TNC_ConnectionID connection_id,
+									  TNC_UInt32 msg_flags,
+									  TNC_BufferReference msg,
+									  TNC_UInt32 msg_len,
+									  TNC_VendorID msg_vid,
+									  TNC_MessageSubtype msg_subtype,
+									  TNC_UInt32 src_imc_id,
+									  TNC_UInt32 dst_imv_id)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->receive_message_long(imv_agent, connection_id,
+							src_imc_id, dst_imv_id,
+							msg_vid, msg_subtype, chunk_create(msg, msg_len));
+}
+
+/**
+ * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
+										 TNC_ConnectionID connection_id)
+{
+
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->solicit_recommendation(imv_agent, connection_id);
+}
+
+/**
+ * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->batch_ending(imv_agent, connection_id);
+}
+
+/**
+ * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	imv_agent->destroy(imv_agent);
+	imv_agent = NULL;
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
+									   TNC_TNCS_BindFunctionPointer bind_function)
+{
+	if (!imv_agent)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_agent->bind_functions(imv_agent, bind_function);
+}
diff --git a/src/libimcv/imv/imv_lang_string.c b/src/libimcv/imv/imv_lang_string.c
new file mode 100644
index 000000000..c86fc5cd7
--- /dev/null
+++ b/src/libimcv/imv/imv_lang_string.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_lang_string.h"
+
+#include <utils/debug.h>
+
+/**
+ * Described in header.
+ */
+char* imv_lang_string_select_lang(enumerator_t *language_enumerator,
+								  char* languages[], int lang_count)
+{
+	bool match = FALSE;
+	char *lang;
+	int i, i_chosen = 0;
+
+	while (language_enumerator->enumerate(language_enumerator, &lang))
+	{
+		for (i = 0; i < lang_count; i++)
+		{
+			if (streq(lang, languages[i]))
+			{
+				match = TRUE;
+				i_chosen = i;
+				break;
+			}
+		}
+		if (match)
+		{
+			break;
+		}
+	}
+	return languages[i_chosen];
+}
+
+/**
+ * Described in header.
+ */
+char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang)
+{
+	char *string;
+	int i = 0;
+
+	if (!lang_string)
+	{
+		return NULL;
+	}
+
+	string = lang_string[0].string;
+	while (lang_string[i].lang)
+	{
+		if (streq(lang, lang_string[i].lang))
+		{
+			string = lang_string[i].string;
+			break;
+		}
+		i++;
+	}
+	return string;
+}
diff --git a/src/libimcv/imv/imv_lang_string.h b/src/libimcv/imv/imv_lang_string.h
new file mode 100644
index 000000000..56b4572f8
--- /dev/null
+++ b/src/libimcv/imv/imv_lang_string.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_lang_string_t imv_lang_string
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_LANG_STRING_H_
+#define IMV_LANG_STRING_H_
+
+#include <library.h>
+#include <collections/enumerator.h>
+
+typedef struct imv_lang_string_t imv_lang_string_t;
+
+/**
+ * Define a language string entry
+ */
+struct imv_lang_string_t {
+
+	/**
+	 * language code
+	 */
+	char *lang;
+
+	/**
+	 * UTF-8 string in the corresponding language
+	 */
+	char *string;
+
+};
+
+/**
+ * Select the preferred language
+ *
+ * @param language_enumerator	enumerator over user preferred languages
+ * @param languages				string array of available languages
+ * @param lang_count			number of available languages
+ * @return						selected language as a language code
+ */
+char* imv_lang_string_select_lang(enumerator_t *language_enumerator,
+								  char* languages[], int lang_count);
+
+/**
+ * Select the preferred language string
+ *
+ * @param lang_string			multi-lingual array of strings
+ * @param lang					language code of preferred language
+ * @return						selected string
+ */
+char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang);
+
+#endif /** IMV_LANG_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c
new file mode 100644
index 000000000..642b47935
--- /dev/null
+++ b/src/libimcv/imv/imv_msg.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_msg.h"
+
+#include "ietf/ietf_attr.h"
+#include "ietf/ietf_attr_assess_result.h"
+#include "ietf/ietf_attr_remediation_instr.h"
+
+#include <tncif_names.h>
+
+#include <pen/pen.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_imv_msg_t private_imv_msg_t;
+
+/**
+ * Private data of a imv_msg_t object.
+ *
+ */
+struct private_imv_msg_t {
+
+	/**
+	 * Public imv_msg_t interface.
+	 */
+	imv_msg_t public;
+
+	/**
+	 * Connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * source ID
+	 */
+	TNC_UInt32 src_id;
+
+	/**
+	 * destination ID
+	 */
+	TNC_UInt32 dst_id;
+
+	/**
+	 * PA-TNC message type
+	 */
+	pen_type_t msg_type;
+
+	/**
+	 * List of PA-TNC attributes to be sent
+	 */
+	linked_list_t *attr_list;
+
+	/**
+	 * PA-TNC message
+	 */
+	pa_tnc_msg_t *pa_msg;
+
+	/**
+	 * Assigned IMV agent
+	 */
+	imv_agent_t *agent;
+
+	/**
+	 * Assigned IMV state
+	 */
+	imv_state_t *state;
+};
+
+METHOD(imv_msg_t, get_src_id, TNC_UInt32,
+	private_imv_msg_t *this)
+{
+	return this->src_id;
+}
+
+METHOD(imv_msg_t, get_dst_id, TNC_UInt32,
+	private_imv_msg_t *this)
+{
+	return this->dst_id;
+}
+
+METHOD(imv_msg_t, set_msg_type, void,
+	private_imv_msg_t *this, pen_type_t msg_type)
+{
+	if (msg_type.vendor_id != this->msg_type.vendor_id ||
+		msg_type.type != this->msg_type.type)
+	{
+		this->msg_type = msg_type;
+		this->dst_id = TNC_IMCID_ANY;
+	}
+}
+
+METHOD(imv_msg_t, get_msg_type, pen_type_t,
+	private_imv_msg_t *this)
+{
+	return this->msg_type;
+}
+
+METHOD(imv_msg_t, add_attribute, void,
+	private_imv_msg_t *this, pa_tnc_attr_t *attr)
+{
+	this->attr_list->insert_last(this->attr_list, attr);
+}
+
+METHOD(imv_msg_t, send_, TNC_Result,
+	private_imv_msg_t *this, bool excl)
+{
+	pa_tnc_msg_t *pa_tnc_msg;
+	pa_tnc_attr_t *attr;
+	TNC_UInt32 msg_flags;
+	TNC_MessageType msg_type;
+	bool attr_added;
+	chunk_t msg;
+	enumerator_t *enumerator;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
+	while (this->attr_list->get_count(this->attr_list))
+	{
+		pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state));
+		attr_added = FALSE;
+
+		enumerator = this->attr_list->create_enumerator(this->attr_list);
+		while (enumerator->enumerate(enumerator, &attr))
+		{
+			if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+			{
+				attr_added = TRUE;
+			}
+			else
+			{
+				if (attr_added)
+				{
+					break;
+				}
+				else
+				{
+					DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted");
+					attr->destroy(attr);
+				}
+			}
+			this->attr_list->remove_at(this->attr_list, enumerator);
+		}
+		enumerator->destroy(enumerator);
+
+		/* build and send the PA-TNC message via the IF-IMV interface */
+		if (!pa_tnc_msg->build(pa_tnc_msg))
+		{
+			pa_tnc_msg->destroy(pa_tnc_msg);
+			return TNC_RESULT_FATAL;
+		}
+		msg = pa_tnc_msg->get_encoding(pa_tnc_msg);
+		DBG3(DBG_IMV, "created PA-TNC message: %B", &msg);
+
+		if (this->state->has_long(this->state) && this->agent->send_message_long)
+		{
+			excl = excl && this->state->has_excl(this->state) &&
+						   this->dst_id != TNC_IMCID_ANY;
+			msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
+			result = this->agent->send_message_long(this->src_id,
+							this->connection_id, msg_flags,	msg.ptr, msg.len,
+							this->msg_type.vendor_id, this->msg_type.type,
+							this->dst_id);
+		}
+		else if (this->agent->send_message)
+		{
+			msg_type = (this->msg_type.vendor_id << 8) |
+					   (this->msg_type.type & 0x000000ff);
+			result = this->agent->send_message(this->src_id, this->connection_id,
+											   msg.ptr, msg.len, msg_type);
+		}
+
+		pa_tnc_msg->destroy(pa_tnc_msg);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			break;
+		}
+	}
+	return result;
+}
+
+METHOD(imv_msg_t, send_assessment, TNC_Result,
+	private_imv_msg_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	pa_tnc_attr_t *attr;
+	chunk_t string = chunk_empty;
+	char *lang_code = NULL, *uri = NULL;
+	enumerator_t *e;
+
+	/* Remove any attributes that have already been constructed */
+	while (this->attr_list->remove_last(this->attr_list, (void**)&attr) == SUCCESS)
+	{
+		attr->destroy(attr);
+	}
+
+	/* Send an IETF Assessment Result attribute if enabled */
+	if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result",
+								TRUE))
+	{
+		this->state->get_recommendation(this->state, &rec, &eval);
+		attr = ietf_attr_assess_result_create(eval);
+		add_attribute(this, attr);
+
+		/* Send IETF Remediation Instructions if available */
+		if (eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+		{
+			e = this->agent->create_language_enumerator(this->agent,
+									this->state);
+			if (this->state->get_remediation_instructions(this->state,
+									e, &string, &lang_code, &uri))
+			{
+				if (string.len && lang_code)
+				{
+					attr = ietf_attr_remediation_instr_create_from_string(string,
+									chunk_create(lang_code, strlen(lang_code)));
+					add_attribute(this, attr);
+				}
+				if (uri)
+				{
+					attr = ietf_attr_remediation_instr_create_from_uri(
+									chunk_create(uri, strlen(uri)));
+					add_attribute(this, attr);
+				}
+			}
+			e->destroy(e);
+		}
+
+		/* send PA-TNC message with the excl flag set */
+		return send_(this, TRUE);
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_msg_t, receive, TNC_Result,
+	private_imv_msg_t *this, bool *fatal_error)
+{
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	chunk_t msg;
+
+	if (this->state->has_long(this->state))
+	{
+		if (this->dst_id != TNC_IMVID_ANY)
+		{
+			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
+						  "from IMC %u to IMV %u",
+						   this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id, this->dst_id);
+		}
+		else
+		{
+			DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u "
+						  "from IMC %u", this->agent->get_id(this->agent),
+						   this->agent->get_name(this->agent),
+						   this->connection_id, this->src_id);
+		}
+	}
+	else
+	{
+		DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u",
+					   this->agent->get_id(this->agent),
+					   this->agent->get_name(this->agent),
+					   this->connection_id);
+	}
+	msg = this->pa_msg->get_encoding(this->pa_msg);
+	DBG3(DBG_IMV, "%B", &msg);
+
+	switch (this->pa_msg->process(this->pa_msg))
+	{
+		case SUCCESS:
+			break;
+		case VERIFY_ERROR:
+		{
+			imv_msg_t *error_msg;
+			TNC_Result result;
+
+			error_msg = imv_msg_create_as_reply(&this->public);
+
+			/* extract and copy by reference all error attributes */
+			enumerator = this->pa_msg->create_error_enumerator(this->pa_msg);
+			while (enumerator->enumerate(enumerator, &attr))
+			{
+				error_msg->add_attribute(error_msg, attr->get_ref(attr));
+			}
+			enumerator->destroy(enumerator);
+
+			/*
+			 * send the PA-TNC message containing all error attributes
+			 * with the excl flag set
+			 */
+			result = error_msg->send(error_msg, TRUE);
+			error_msg->destroy(error_msg);
+			return result;
+		}
+		case FAILED:
+		default:
+			return TNC_RESULT_FATAL;
+	}
+
+	/* preprocess any received IETF standard error attributes */
+	*fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_msg_t, get_attribute_count, int,
+	private_imv_msg_t *this)
+{
+	return this->attr_list->get_count(this->attr_list);
+}
+
+METHOD(imv_msg_t, create_attribute_enumerator, enumerator_t*,
+	private_imv_msg_t *this)
+{
+	return this->pa_msg->create_attribute_enumerator(this->pa_msg);
+}
+
+METHOD(imv_msg_t, get_encoding, chunk_t,
+	private_imv_msg_t *this)
+{
+	if (this->pa_msg)
+	{
+		return this->pa_msg->get_encoding(this->pa_msg);
+	}
+	return chunk_empty;
+}
+
+METHOD(imv_msg_t, destroy, void,
+	private_imv_msg_t *this)
+{
+	this->attr_list->destroy_offset(this->attr_list,
+									offsetof(pa_tnc_attr_t, destroy));
+	DESTROY_IF(this->pa_msg);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create(imv_agent_t *agent, imv_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type)
+{
+	private_imv_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.get_src_id = _get_src_id,
+			.get_dst_id = _get_dst_id,
+			.set_msg_type = _set_msg_type,
+			.get_msg_type = _get_msg_type,
+			.send = _send_,
+			.send_assessment = _send_assessment,
+			.receive = _receive,
+			.add_attribute = _add_attribute,
+			.get_attribute_count = _get_attribute_count,
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.connection_id = connection_id,
+		.src_id = src_id,
+		.dst_id = dst_id,
+		.msg_type = msg_type,
+		.attr_list = linked_list_create(),
+		.agent = agent,
+		.state = state,
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg)
+{
+	private_imv_msg_t *in;
+	TNC_UInt32 src_id;
+
+	in = (private_imv_msg_t*)msg;
+	src_id = (in->dst_id != TNC_IMVID_ANY) ?
+			  in->dst_id : in->agent->get_id(in->agent);
+
+	return imv_msg_create(in->agent, in->state, in->connection_id, src_id,
+						  in->src_id, in->msg_type);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg)
+{
+	TNC_VendorID msg_vid;
+	TNC_MessageSubtype msg_subtype;
+
+	msg_vid = msg_type >> 8;
+	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+	return imv_msg_create_from_long_data(agent, state, connection_id,
+								TNC_IMCID_ANY, agent->get_id(agent),
+								msg_vid, msg_subtype, msg);
+}
+
+/**
+ * See header
+ */
+imv_msg_t *imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id,
+										 TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg)
+{
+	private_imv_msg_t *this;
+
+	this = (private_imv_msg_t*)imv_msg_create(agent, state,
+										connection_id, src_id, dst_id,
+										pen_type_create(msg_vid, msg_subtype));
+	this->pa_msg = pa_tnc_msg_create_from_data(msg);
+
+	return &this->public;
+}
diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h
new file mode 100644
index 000000000..dfec169cc
--- /dev/null
+++ b/src/libimcv/imv/imv_msg.h
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_msg_t imv_msg
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_MSG_H_
+#define IMV_MSG_H_
+
+#include <imv/imv_agent.h>
+
+typedef struct imv_msg_t imv_msg_t;
+
+#include <library.h>
+
+/**
+ * Interface for a PA-TNC message handled by an IMV.
+ *
+ */
+struct imv_msg_t {
+
+	/**
+	 * Get source ID of PA-TNC message
+	 *
+	 * @return					src ID
+	 */
+	TNC_UInt32 (*get_src_id)(imv_msg_t *this);
+
+	/**
+	 * Get destination ID of PA-TNC message
+	 *
+	 * @return					destination ID
+	 */
+	TNC_UInt32 (*get_dst_id)(imv_msg_t *this);
+
+	/**
+	 * Set the type of a PA-TNC message
+	 *
+	 * @param msg_type			message type
+	 */
+	void (*set_msg_type)(imv_msg_t *this, pen_type_t msg_type);
+
+	/**
+	 * Get the type of a PA-TNC message.
+	 *
+	 * @return					message type
+	 */
+	pen_type_t (*get_msg_type)(imv_msg_t *this);
+
+	/**
+	 * Sends one or multiple PA-TNC messages
+	 *
+	 * @param excl				set the excl message flag if supported
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send)(imv_msg_t *this, bool excl);
+
+	/**
+	 * Send a PA-TNC message containing an IETF Assessment Result attribute
+	 *
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_assessment)(imv_msg_t *this);
+
+	/**
+	 * Processes a received PA-TNC message
+	 *
+	 * @param fatal_error		TRUE if IMC sent a fatal error message
+	 * @return					TNC result code
+	 */
+	TNC_Result (*receive)(imv_msg_t *this, bool *fatal_error);
+
+	/**
+	 * Add a PA-TNC attribute to the send queue
+	 *
+	 * @param attr				PA-TNC attribute to be added
+	 */
+	void (*add_attribute)(imv_msg_t *this, pa_tnc_attr_t *attr);
+
+	/**
+	 * Get the number of PA-TNC attributes in the send queue
+	 *
+	 * @return					number of PA-TNC attribute in send queue
+	 */
+	int (*get_attribute_count)(imv_msg_t *this);
+
+	/**
+	 * Enumerator over PA-TNC attributes contained in the PA-TNC message
+	 *
+	 * @return					PA-TNC attribute enumerator
+	 */
+	enumerator_t* (*create_attribute_enumerator)(imv_msg_t *this);
+
+	/**
+	 * Get the full encoding of an IMV message.
+	 *
+	 * @return					message encoding, internal data
+	 */
+	chunk_t (*get_encoding)(imv_msg_t *this);
+
+	/**
+	 * Destroys a imv_msg_t object.
+	 */
+	void (*destroy)(imv_msg_t *this);
+};
+
+/**
+ * Create a wrapper for an outbound message
+ *
+ * @param agent					IMV agent responsible for the message
+ * @param state					IMV state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMV ID
+ * @param dst_id				destination IMC ID
+ * @param msg_type				PA-TNC message type
+ */
+imv_msg_t* imv_msg_create(imv_agent_t *agent, imv_state_t *state,
+						  TNC_ConnectionID connection_id,
+						  TNC_UInt32 src_id, TNC_UInt32 dst_id,
+						  pen_type_t msg_type);
+
+/**
+ * Create a wrapper for an outbound message based on a received message
+ *
+ * @param msg					received message the reply is based on
+ */
+imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg);
+
+/**
+ * Create a wrapper around message data received via the legacy IF-IMV interface
+ *
+ * @param agent					IMV agent responsible for the message
+ * @param state					IMV state for the given connection ID
+ * @param connection_id			connection ID
+ * @param msg_type				PA-TNC message type
+ * @param msg					received PA-TNC message blob
+ */
+imv_msg_t* imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state,
+									TNC_ConnectionID connection_id,
+									TNC_MessageType msg_type,
+									chunk_t msg);
+
+/**
+ * Create a wrapper around message data received via the long IF-IMV interface
+ *
+ * @param agent					IMV agent responsible for the message
+ * @param state					IMV state for the given connection ID
+ * @param connection_id			connection ID
+ * @param src_id				source IMC ID
+ * @param dst_id				destination IMV ID
+ * @param msg_vid				PA-TNC message vendor ID
+ * @param msg_subtype			PA-TNC subtype
+ * @param msg					received PA-TNC message blob
+ */
+imv_msg_t* imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state,
+										 TNC_ConnectionID connection_id,
+										 TNC_UInt32 src_id, TNC_UInt32 dst_id,
+										 TNC_VendorID msg_vid,
+										 TNC_MessageSubtype msg_subtype,
+										 chunk_t msg);
+
+#endif /** IMV_MSG_H_ @}*/
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
new file mode 100644
index 000000000..61e0cd05b
--- /dev/null
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_policy_manager_usage.h"
+#include "imv_workitem.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <time.h>
+
+/* The default policy group #1 is assumed to always exist */
+#define DEFAULT_GROUP_ID	1
+
+/**
+ * global debug output variables
+ */
+static int debug_level = 1;
+static bool stderr_quiet = FALSE;
+
+/**
+ * attest dbg function
+ */
+static void stderr_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	va_list args;
+
+	if (level <= debug_level)
+	{
+		if (!stderr_quiet)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			fprintf(stderr, "\n");
+			va_end(args);
+		}
+	}
+}
+
+/**
+ * Collect all enforcements by iterating up through parent groups
+ */
+static bool iterate_enforcements(database_t *db, int device_id, int session_id,
+								 int group_id)
+{
+	int id, type, file, dir, arg_int, parent, policy, max_age;
+	int p_rec_fail, p_rec_noresult, e_rec_fail, e_rec_noresult, latest_rec;
+	bool latest_success;
+	char *argument;
+	time_t now;
+	enumerator_t *e, *e1, *e2;
+
+	now = time(NULL);
+
+	while (group_id)
+	{
+		e1 = db->query(db,
+				"SELECT e.id, p.type, p.argument, p.file, p.dir, p.rec_fail, "
+				"p.rec_noresult, e.policy, e.max_age, e.rec_fail, e.rec_noresult "
+				"FROM enforcements AS e JOIN policies as p ON e.policy = p.id "
+				"WHERE e.group_id = ?", DB_INT, group_id,
+				 DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT,
+				 DB_INT, DB_INT, DB_INT, DB_INT);
+		if (!e1)
+		{
+			return FALSE;
+		}
+		while (e1->enumerate(e1, &id, &type, &argument, &file, &dir,
+								 &p_rec_fail, &p_rec_noresult, &policy, &max_age,
+								 &e_rec_fail, &e_rec_noresult))
+		{
+			/* check if the latest measurement of the device was successful */
+			latest_success = FALSE;
+
+			if (device_id)
+			{
+				e2 = db->query(db,
+						"SELECT r.rec FROM results AS r "
+						"JOIN sessions AS s ON s.id = r.session "
+						"WHERE r.policy = ? AND s.device = ? AND s.time > ? "
+						"ORDER BY s.time DESC",
+						DB_INT, policy, DB_INT, device_id,
+						DB_UINT, now - max_age,	DB_INT);
+				if (!e2)
+				{
+					e1->destroy(e1);
+					return FALSE;
+				}
+				if (e2->enumerate(e2, &latest_rec) &&
+					latest_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+				{
+					latest_success = TRUE;
+				}
+				e2->destroy(e2);
+			}
+
+			if (latest_success)
+			{
+				/*skipping enforcement */
+				printf("skipping enforcment %d\n", id);
+				continue;
+			}
+
+			/* determine arg_int */
+			switch ((imv_workitem_type_t)type)
+			{
+				case IMV_WORKITEM_FILE_REF_MEAS:
+				case IMV_WORKITEM_FILE_MEAS:
+				case IMV_WORKITEM_FILE_META:
+					arg_int = file;
+					break;
+				case IMV_WORKITEM_DIR_REF_MEAS:
+				case IMV_WORKITEM_DIR_MEAS:
+				case IMV_WORKITEM_DIR_META:
+					arg_int = dir;
+					break;
+				default:
+					arg_int = 0;
+			}
+
+			/* insert a workitem */
+			if (db->execute(db, NULL,
+				"INSERT INTO workitems (session, enforcement, type, arg_str, "
+				"arg_int, rec_fail, rec_noresult) VALUES (?, ?, ?, ?, ?, ?, ?)",
+				DB_INT, session_id, DB_INT, id, DB_INT, type, DB_TEXT, argument,
+				DB_INT, arg_int, DB_INT, e_rec_fail ? e_rec_fail : p_rec_fail,
+				DB_INT, e_rec_noresult ? e_rec_noresult : p_rec_noresult) != 1)
+			{
+				e1->destroy(e1);
+				fprintf(stderr, "could not insert workitem\n");
+				return FALSE;
+			}
+		}
+		e1->destroy(e1);
+
+		e = db->query(db,
+				"SELECT parent FROM groups WHERE id = ?",
+				 DB_INT, group_id, DB_INT);
+		if (!e)
+		{
+			return FALSE;
+		}
+		if (e->enumerate(e, &parent))
+		{
+			group_id = parent;
+		}
+		else
+		{
+			fprintf(stderr, "group information not found\n");
+			group_id = 0;
+		}
+		e->destroy(e);
+	}
+	return TRUE;
+}
+
+static bool policy_start(database_t *db, int session_id)
+{
+	enumerator_t *e;
+	int device_id, product_id, gid, group_id = DEFAULT_GROUP_ID;
+	u_int created;
+
+	/* get session data */
+	e = db->query(db,
+			"SELECT s.device, s.product, d.created FROM sessions AS s "
+			"LEFT JOIN devices AS d ON s.device = d.id WHERE s.id = ?",
+			 DB_INT, session_id, DB_INT, DB_INT, DB_UINT);
+	if (!e || !e->enumerate(e, &device_id, &product_id, &created))
+	{
+		DESTROY_IF(e);
+		fprintf(stderr, "session %d not found\n", session_id);
+		return FALSE;
+	}
+	e->destroy(e);
+
+	/* if a device ID with a creation date exists, get all group memberships */
+	if (device_id & created)
+	{
+		e = db->query(db,
+				"SELECT group_id FROM groups_members WHERE device_id = ?",
+				 DB_INT, device_id, DB_INT);
+		if (!e)
+		{
+			return FALSE;
+		}
+		while (e->enumerate(e, &group_id))
+		{
+			if (!iterate_enforcements(db, device_id, session_id, group_id))
+			{
+				e->destroy(e);
+				return FALSE;
+			}
+		}
+		e->destroy(e);
+
+		return TRUE;
+	}
+
+	/* determine if a default product group exists */
+	e = db->query(db,
+			"SELECT group_id FROM groups_product_defaults "
+			"WHERE product_id = ?", DB_INT, product_id, DB_INT);
+	if (!e)
+	{
+		return FALSE;
+	}
+	if (e->enumerate(e, &gid))
+	{
+		group_id = gid;
+	}
+	e->destroy(e);
+
+	if (device_id && !created)
+	{
+		/* assign a newly created device to a default group */
+		if (db->execute(db, NULL,
+			"INSERT INTO groups_members (device_id, group_id) "
+			"VALUES (?, ?)", DB_INT, device_id, DB_INT, group_id) != 1)
+		{
+			fprintf(stderr, "could not assign device to a default group\n");
+			return FALSE;
+		}
+
+		/* set the creation date if it hasn't been set yet */
+		if (db->execute(db, NULL,
+				"UPDATE devices SET created = ? WHERE id = ?",
+				DB_UINT, time(NULL), DB_INT, device_id) != 1)
+		{
+			fprintf(stderr, "creation date of device could not be set\n");
+			return FALSE;
+		}
+	}
+
+	return iterate_enforcements(db, device_id, session_id, group_id);
+}
+
+static bool policy_stop(database_t *db, int session_id)
+{
+	enumerator_t *e;
+	int rec, policy;
+	char *result;
+
+	e = db->query(db,
+			"SELECT w.rec_final, w.result, e.policy FROM workitems AS w "
+			"JOIN enforcements AS e ON w.enforcement = e.id "
+			"WHERE w.session = ? AND w.result IS NOT NULL",
+			 DB_INT, session_id, DB_INT, DB_TEXT, DB_INT);
+	if (e)
+	{
+		while (e->enumerate(e, &rec, &result, &policy))
+		{
+			db->execute(db, NULL,
+				"INSERT INTO results (session, policy, rec, result) "
+				"VALUES (?, ?, ?, ?)", DB_INT, session_id, DB_INT, policy,
+				 DB_INT, rec, DB_TEXT, result);
+		}
+		e->destroy(e);
+	}
+	return db->execute(db, NULL,
+				"DELETE FROM workitems WHERE session = ?",
+				DB_UINT, session_id) >= 0;
+}
+
+int main(int argc, char *argv[])
+{
+	database_t *db;
+	char *uri, *tnc_session_id;
+	int session_id;
+	bool start, success;
+
+	/* enable attest debugging hook */
+	dbg = stderr_dbg;
+
+	atexit(library_deinit);
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (!lib->plugins->load(lib->plugins,
+			lib->settings->get_str(lib->settings, "imv_policy_manager.load",
+				 "sqlite")))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	if (argc < 2)
+	{
+		usage();
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	if (streq(argv[1], "start"))
+	{
+		start = TRUE;
+	}
+	else if (streq(argv[1], "stop"))
+	{
+		start = FALSE;
+	}
+	else
+	{
+		usage();
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	/* get session ID */
+	tnc_session_id = getenv("TNC_SESSION_ID");
+	if (!tnc_session_id)
+	{
+		fprintf(stderr, "environment variable TNC_SESSION_ID is not defined\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	session_id = atoi(tnc_session_id);
+
+	/* attach IMV database */
+	uri = lib->settings->get_str(lib->settings, "libimcv.database", NULL);
+	if (!uri)
+	{
+		fprintf(stderr, "database uri not defined.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	db = lib->db->create(lib->db, uri);
+	if (!db)
+	{
+		fprintf(stderr, "opening database failed.\n");
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+
+	if (start)
+	{
+		success = policy_start(db, session_id);
+	}
+	else
+	{
+		success = policy_stop(db, session_id);
+	}
+	db->destroy(db);
+
+	fprintf(stderr, "imv_policy_manager %s %s\n", start ? "start" : "stop",
+			success ? "successful" : "failed");
+
+	exit(EXIT_SUCCESS);
+}
diff --git a/src/libimcv/imv/imv_policy_manager_usage.c b/src/libimcv/imv/imv_policy_manager_usage.c
new file mode 100644
index 000000000..3167a5441
--- /dev/null
+++ b/src/libimcv/imv/imv_policy_manager_usage.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include "imv_policy_manager_usage.h"
+
+/**
+ * print imv_policy_manager usage info
+ */
+void usage(void)
+{
+	printf("\
+Usage:\n\
+  imv_policy_manager start|stop\n");
+}
+
diff --git a/src/libimcv/imv/imv_policy_manager_usage.h b/src/libimcv/imv/imv_policy_manager_usage.h
new file mode 100644
index 000000000..9c90d40c6
--- /dev/null
+++ b/src/libimcv/imv/imv_policy_manager_usage.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IMV_POLICY_MANAGER_USAGE_H_
+#define IMV_POLICY_MANAGER_USAGE_H_
+
+/**
+ * print imv_policy_manager usage info
+ */
+void usage(void);
+
+#endif /* IMV_POLICY_MANAGER_USAGE_H_ */
diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c
new file mode 100644
index 000000000..d1447ec35
--- /dev/null
+++ b/src/libimcv/imv/imv_reason_string.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_reason_string.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_reason_string_t private_imv_reason_string_t;
+
+/**
+ * Private data of an imv_reason_string_t object.
+ */
+struct private_imv_reason_string_t {
+
+	/**
+	 * Public members of imv_reason_string_t
+	 */
+	imv_reason_string_t public;
+
+	/**
+	 * Preferred language
+	 */
+	char *lang;
+
+	/**
+	 * Contains the concatenated reasons
+	 */
+	chunk_t reasons;
+
+};
+
+METHOD(imv_reason_string_t, add_reason, void,
+	private_imv_reason_string_t *this, imv_lang_string_t reason[])
+{
+	char *s_reason;
+
+	s_reason = imv_lang_string_select_string(reason, this->lang);
+
+	if (this->reasons.len)
+	{
+		/* append any further reasons */
+		this->reasons = chunk_cat("mcc", this->reasons, chunk_from_chars('\n'),
+								  chunk_create(s_reason, strlen(s_reason)));
+	}
+	else
+	{
+		/* add the first reason */
+		this->reasons = chunk_clone(chunk_create(s_reason, strlen(s_reason)));
+	}
+}
+
+METHOD(imv_reason_string_t, get_encoding, chunk_t,
+	private_imv_reason_string_t *this)
+{
+	return this->reasons;
+}
+
+METHOD(imv_reason_string_t, destroy, void,
+	private_imv_reason_string_t *this)
+{
+	free(this->reasons.ptr);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_reason_string_t *imv_reason_string_create(char *lang)
+{
+	private_imv_reason_string_t *this;
+
+	INIT(this,
+		.public = {
+			.add_reason = _add_reason,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.lang = lang,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h
new file mode 100644
index 000000000..cb4c27f93
--- /dev/null
+++ b/src/libimcv/imv/imv_reason_string.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_reason_string_t imv_reason_string
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_REASON_STRING_H_
+#define IMV_REASON_STRING_H_
+
+#include "imv_lang_string.h"
+
+#include <library.h>
+#include <collections/linked_list.h>
+
+typedef struct imv_reason_string_t imv_reason_string_t;
+
+/**
+ * Defines and builds a TNC Reason String
+ */
+struct imv_reason_string_t {
+
+	/**
+	 * Add an individual remediation instruction to the string
+	 *
+	 * @param reason		Multi-lingual reason string
+	 */
+	 void (*add_reason)(imv_reason_string_t *this, imv_lang_string_t reason[]);
+
+	/**
+	 * Gets  encoding of the reason string
+	 *
+	 * @return				TNC reason string
+	 */
+	chunk_t (*get_encoding)(imv_reason_string_t *this);
+
+	/**
+	 * Destroys an imv_reason_string_t object
+	 */
+	void (*destroy)(imv_reason_string_t *this);
+};
+
+/**
+ * Creates an Reason String object
+ *
+ * @param lang				Preferred language
+ */
+ imv_reason_string_t* imv_reason_string_create(char *lang);
+
+#endif /** IMV_REASON_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_remediation_string.c b/src/libimcv/imv/imv_remediation_string.c
new file mode 100644
index 000000000..af82e1cdd
--- /dev/null
+++ b/src/libimcv/imv/imv_remediation_string.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_remediation_string.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_remediation_string_t private_imv_remediation_string_t;
+
+/**
+ * Private data of an imv_remediation_string_t object.
+ */
+struct private_imv_remediation_string_t {
+
+	/**
+	 * Public members of imv_remediation_string_t
+	 */
+	imv_remediation_string_t public;
+
+	/**
+	 * XML or plaintext encoding
+	 */
+	bool as_xml;
+
+	/**
+	 * Preferred language
+	 */
+	char *lang;
+
+	/**
+	 * Contains the concatenated remediation instructions
+	 */
+	chunk_t instructions;
+
+};
+
+METHOD(imv_remediation_string_t, add_instruction, void,
+	private_imv_remediation_string_t *this, imv_lang_string_t title[],
+	imv_lang_string_t description[], imv_lang_string_t itemsheader[],
+	linked_list_t *item_list)
+{
+	char xml_format[] = "  <instruction>\n"
+						"    <title>%s</title>\n"
+						"    <description>%s</description>\n"
+						"%s%s"
+						"  </instruction>\n";
+	char *instruction, *format, *item, *pos, *header, *items;
+	char *s_title, *s_description, *s_itemsheader;
+	size_t len;
+
+	s_title = imv_lang_string_select_string(title, this->lang);
+	s_description = imv_lang_string_select_string(description, this->lang);
+	s_itemsheader = imv_lang_string_select_string(itemsheader, this->lang);
+	header = NULL;
+	items = NULL;
+
+	if (s_itemsheader)
+	{
+		int header_len = strlen(s_itemsheader);
+		char *header_format;
+
+		if (this->as_xml)
+		{
+			header_format = "    <itemsheader>%s</itemsheader>\n";
+			header_len +=  strlen(header_format) - 2;
+		}
+		else
+		{
+			header_format = "\n  %s";
+			header_len += 3;
+		}
+		header = malloc(header_len + 1);
+		sprintf(header, header_format, s_itemsheader);
+	}
+
+	if (item_list && item_list->get_count(item_list))
+	{
+		enumerator_t *enumerator;
+		int items_len = 0;
+
+		/* compute total length of all items */
+		enumerator = item_list->create_enumerator(item_list);
+		while (enumerator->enumerate(enumerator, &item))
+		{
+			items_len += strlen(item);
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->as_xml)
+		{
+			items_len += 12 + 20 * item_list->get_count(item_list) + 13;
+
+			pos = items = malloc(items_len + 1);
+			pos += sprintf(pos, "    <items>\n");
+
+			enumerator = item_list->create_enumerator(item_list);
+			while (enumerator->enumerate(enumerator, &item))
+			{
+				pos += sprintf(pos, "      <item>%s</item>\n", item);
+			}
+			enumerator->destroy(enumerator);
+
+			pos += sprintf(pos, "    </items>\n");
+		}
+		else
+		{
+			items_len += 5 * item_list->get_count(item_list);
+
+			pos = items = malloc(items_len + 1);
+
+			enumerator = item_list->create_enumerator(item_list);
+			while (enumerator->enumerate(enumerator, &item))
+			{
+				pos += sprintf(pos, "\n    %s", item);
+			}
+			enumerator->destroy(enumerator);
+		}
+	}
+
+	len = strlen(s_title) + strlen(s_description);
+	if (header)
+	{
+		len += strlen(header);
+	}
+	if (items)
+	{
+		len += strlen(items);
+	}
+
+	if (this->as_xml)
+	{
+		format = xml_format;
+		len += strlen(xml_format) - 8;
+	}
+	else
+	{
+		format = this->instructions.len ? "\n%s\n  %s%s%s" : "%s\n  %s%s%s";
+		len += 4;
+	}
+	instruction = malloc(len + 1);
+	sprintf(instruction, format, s_title, s_description, header ? header : "",
+			items ? items : "");
+	free(header);
+	free(items);
+	this->instructions = chunk_cat("mm", this->instructions, 
+							chunk_create(instruction, strlen(instruction)));
+}
+
+METHOD(imv_remediation_string_t, get_encoding, chunk_t,
+	private_imv_remediation_string_t *this)
+{
+	char xml_header[]  = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+						 "<remediationinstructions>\n";
+	char xml_trailer[] = "</remediationinstructions>";
+
+	if (!this->instructions.len)
+	{
+		return chunk_empty;
+	}
+	if (this->as_xml)
+	{
+		this->instructions = chunk_cat("cmc",
+								chunk_create(xml_header, strlen(xml_header)),
+								this->instructions,
+								chunk_create(xml_trailer, strlen(xml_trailer))
+							 );
+	}
+	return this->instructions;
+}
+
+METHOD(imv_remediation_string_t, destroy, void,
+	private_imv_remediation_string_t *this)
+{
+	free(this->instructions.ptr);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_remediation_string_t *imv_remediation_string_create(bool as_xml, char *lang)
+{
+	private_imv_remediation_string_t *this;
+
+	INIT(this,
+		.public = {
+			.add_instruction = _add_instruction,
+			.get_encoding = _get_encoding,
+			.destroy = _destroy,
+		},
+		.as_xml = as_xml,
+		.lang = lang,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_remediation_string.h b/src/libimcv/imv/imv_remediation_string.h
new file mode 100644
index 000000000..605013abb
--- /dev/null
+++ b/src/libimcv/imv/imv_remediation_string.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_remediation_string_t imv_remediation_string
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_REMEDIATION_STRING_H_
+#define IMV_REMEDIATION_STRING_H_
+
+#include "imv_lang_string.h"
+
+#include <library.h>
+#include <collections/linked_list.h>
+
+typedef struct imv_remediation_string_t imv_remediation_string_t;
+
+/**
+ * Defines and builds an IETF Remediation Instructions String
+ */
+struct imv_remediation_string_t {
+
+	/**
+	 * Add an individual remediation instruction to the string
+	 *
+	 * @param title			instruction title
+	 * @param description	instruction description
+	 * @param itemsheader	optional items header or NULL
+	 * @param items			optional items list or NULL
+	 */
+	 void (*add_instruction)(imv_remediation_string_t *this,
+							 imv_lang_string_t title[],
+							 imv_lang_string_t description[],
+							 imv_lang_string_t itemsheader[],
+							 linked_list_t *items);
+
+	/**
+	 * Gets the plaintext or XML encoding of the remediation instructions
+	 *
+	 * @return				remediation instructions string
+	 */
+	chunk_t (*get_encoding)(imv_remediation_string_t *this);
+
+	/**
+	 * Destroys an imv_remediation_string_t object
+	 */
+	void (*destroy)(imv_remediation_string_t *this);
+};
+
+/**
+ * Creates an IETF Remediation Instructions String object
+ *
+ * @param as_xml			XML encoding if TRUE, plaintext otherwise
+ * @param lang				Preferred language
+ */
+ imv_remediation_string_t* imv_remediation_string_create(bool as_xml, char *lang);
+
+#endif /** IMV_REMEDIATION_STRING_H_ @}*/
diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c
new file mode 100644
index 000000000..754f1f74c
--- /dev/null
+++ b/src/libimcv/imv/imv_session.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_session.h"
+
+#include <utils/debug.h>
+
+typedef struct private_imv_session_t private_imv_session_t;
+
+/**
+ * Private data of a imv_session_t object.
+ */
+struct private_imv_session_t {
+
+	/**
+	 * Public imv_session_t interface.
+	 */
+	imv_session_t public;
+
+	/**
+	 * Unique Session ID
+	 */
+	int session_id;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID conn_id;
+
+	/**
+	 * Have the workitems been generated?
+	 */
+	bool policy_started;
+
+	/**
+	 * List of worklist items
+	 */
+	linked_list_t *workitems;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+
+};
+
+METHOD(imv_session_t, get_session_id, int,
+	private_imv_session_t *this)
+{
+	return this->session_id;
+}
+
+METHOD(imv_session_t, get_connection_id, TNC_ConnectionID,
+	private_imv_session_t *this)
+{
+	return this->conn_id;
+}
+
+METHOD(imv_session_t, set_policy_started, void,
+	private_imv_session_t *this, bool start)
+{
+	this->policy_started = start;
+}
+
+METHOD(imv_session_t, get_policy_started, bool,
+	private_imv_session_t *this)
+{
+	return this->policy_started;
+}
+
+METHOD(imv_session_t, insert_workitem, void,
+	private_imv_session_t *this, imv_workitem_t *workitem)
+{
+	this->workitems->insert_last(this->workitems, workitem);
+}
+
+METHOD(imv_session_t, remove_workitem, void,
+	private_imv_session_t *this, enumerator_t *enumerator)
+{
+	this->workitems->remove_at(this->workitems, enumerator);
+}
+
+METHOD(imv_session_t, create_workitem_enumerator, enumerator_t*,
+	private_imv_session_t *this)
+{
+	if (!this->policy_started)
+	{
+		return NULL;
+	}
+	return this->workitems->create_enumerator(this->workitems);
+}
+
+METHOD(imv_session_t, get_workitem_count, int,
+	private_imv_session_t *this, TNC_IMVID imv_id)
+{
+	enumerator_t *enumerator;
+	imv_workitem_t *workitem;
+	int count = 0;
+
+	enumerator = this->workitems->create_enumerator(this->workitems);
+	while (enumerator->enumerate(enumerator, &workitem))
+	{
+		if (workitem->get_imv_id(workitem) == imv_id)
+		{
+			count++;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	return count;
+}
+
+METHOD(imv_session_t, get_ref, imv_session_t*,
+	private_imv_session_t *this)
+{
+	ref_get(&this->ref);
+
+	return &this->public;
+}
+
+METHOD(imv_session_t, destroy, void,
+	private_imv_session_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->workitems->destroy_offset(this->workitems,
+								 offsetof(imv_workitem_t, destroy));
+		free(this);
+	}
+}
+
+/**
+ * See header
+ */
+imv_session_t *imv_session_create(int session_id, TNC_ConnectionID conn_id)
+{
+	private_imv_session_t *this;
+
+	INIT(this,
+		.public = {
+			.get_session_id = _get_session_id,
+			.get_connection_id = _get_connection_id,
+			.set_policy_started = _set_policy_started,
+			.get_policy_started = _get_policy_started,
+			.insert_workitem = _insert_workitem,
+			.remove_workitem = _remove_workitem,
+			.create_workitem_enumerator = _create_workitem_enumerator,
+			.get_workitem_count = _get_workitem_count,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.session_id = session_id,
+		.conn_id = conn_id,
+		.workitems = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public;
+}
diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h
new file mode 100644
index 000000000..6b94523b8
--- /dev/null
+++ b/src/libimcv/imv/imv_session.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_session_t imv_session
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef  IMV_SESSION_H_
+#define  IMV_SESSION_H_
+
+#include "imv_workitem.h"
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_session_t imv_session_t;
+
+/**
+ * IMV session interface
+ */
+struct imv_session_t {
+
+	/**
+	 * Get unique session ID
+	 *
+	 * @return				Session ID
+	 */
+	int (*get_session_id)(imv_session_t *this);
+
+	/**
+	 * Get TNCCS Connection ID
+	 *
+	 * @return				TNCCS Connection ID
+	 */
+	TNC_ConnectionID (*get_connection_id)(imv_session_t *this);
+
+	/**
+	 * Set policy_started status
+	 *
+	 * @param start			TRUE if policy started, FALSE if policy stopped
+	 */
+	void (*set_policy_started)(imv_session_t *this, bool start);
+
+	/**
+	 * Get policy_started status
+	 *
+	 * @return				TRUE if policy started, FALSE if policy stopped
+	 */
+	bool (*get_policy_started)(imv_session_t *this);
+
+	/**
+	 * Insert workitem into list
+	 *
+	 * @param workitem		Workitem to be inserted
+	 */
+	void (*insert_workitem)(imv_session_t *this, imv_workitem_t *workitem);
+
+	/**
+	 * Remove workitem from list
+	 *
+	 * @param enumerator	Enumerator pointing to workitem to be removed
+	 */
+	void (*remove_workitem)(imv_session_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Create workitem enumerator
+	 *
+	 */
+	 enumerator_t* (*create_workitem_enumerator)(imv_session_t *this);
+
+	/**
+	 * Get number of workitem allocated to a given IMV
+	 *
+	 * @param imv_id		IMV ID
+	 * @return				Number of workitems assigned to given IMV
+	 */
+	 int (*get_workitem_count)(imv_session_t *this, TNC_IMVID imv_id);
+
+	/**
+	 * Get reference to session
+	 */
+	imv_session_t* (*get_ref)(imv_session_t*);
+
+	/**
+	 * Destroys an imv_session_t object
+	 */
+	void (*destroy)(imv_session_t *this);
+};
+
+/**
+ * Create an imv_session_t instance
+ *
+ * @param session_id		Unique Session ID
+ * @param id				Associated Connection ID
+ */
+imv_session_t* imv_session_create(int session_id, TNC_ConnectionID id);
+
+#endif /**  IMV_SESSION_H_ @}*/
diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h
index 9e7a29a9f..791846bb1 100644
--- a/src/libimcv/imv/imv_state.h
+++ b/src/libimcv/imv/imv_state.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -15,12 +16,14 @@
 /**
  *
  * @defgroup imv_state_t imv_state
- * @{ @ingroup imv_state
+ * @{ @ingroup libimcv_imv
  */
 
 #ifndef IMV_STATE_H_
 #define IMV_STATE_H_
 
+#include "imv_session.h"
+
 #include <tncifimv.h>
 
 #include <library.h>
@@ -33,9 +36,9 @@ typedef struct imv_state_t imv_state_t;
 struct imv_state_t {
 
 	/**
-	 * Get the TNCS connection ID attached to the state
+	 * Get the TNCCS connection ID attached to the state
 	 *
-	 * @return				TNCS connection ID of the state
+	 * @return				TNCCS connection ID of the state
 	 */
 	 TNC_ConnectionID (*get_connection_id)(imv_state_t *this);
 
@@ -63,6 +66,65 @@ struct imv_state_t {
 	void (*set_flags)(imv_state_t *this, bool has_long, bool has_excl);
 
 	/**
+	 * Set the maximum size of a PA-TNC message for this TNCCS connection
+	 *
+	 * @param max_msg_len	maximum size of a PA-TNC message
+	 */
+	void (*set_max_msg_len)(imv_state_t *this, u_int32_t max_msg_len);
+
+	/**
+	 * Get the maximum size of a PA-TNC message for this TNCCS connection
+	 *
+	 * @return				maximum size of a PA-TNC message
+	 */
+	u_int32_t (*get_max_msg_len)(imv_state_t *this);
+
+	/**
+	 * Set flags for completed actions
+	 *
+	 * @param flags			Flags to be set
+	 */
+	void (*set_action_flags)(imv_state_t *this, u_int32_t flags);
+
+	/**
+	 * Get flags set for completed actions
+	 *
+	 * @return				Flags set for completed actions
+	 */
+	u_int32_t (*get_action_flags)(imv_state_t *this);
+
+	/**
+	 * Set Access Requestor ID
+	 *
+	 * @param id_type		Access Requestor TCG Standard ID Type
+	 * @param id_value		Access Requestor TCG Standard ID Value
+	 *
+	 */
+	void (*set_ar_id)(imv_state_t *this, u_int32_t id_type, chunk_t id_value);
+
+	/**
+	 * Get Access Requestor ID
+	 *
+	 * @param id_type		Access Requestor TCG Standard ID Type
+	 * @return				Access Requestor TCG Standard ID Value
+	 */
+	chunk_t (*get_ar_id)(imv_state_t *this, u_int32_t *id_type);
+
+	/**
+	 * Set session associated with TNCCS Connection
+	 *
+	 * @param session		Session associated with TNCCS Connection
+	 */
+	void (*set_session)(imv_state_t *this, imv_session_t *session);
+
+	/**
+	 * Get session associated with TNCCS Connection
+	 *
+	 * @return				Session associated with TNCCS Connection
+	 */
+	imv_session_t* (*get_session)(imv_state_t *this);
+
+	/**
 	 * Change the connection state
 	 *
 	 * @param new_state		new connection state
@@ -92,15 +154,41 @@ struct imv_state_t {
 							   TNC_IMV_Evaluation_Result eval);
 
 	/**
+	 * Update IMV action recommendation and evaluation result
+	 *
+	 * @param rec			IMV action recommendation
+	 * @param eval			IMV evaluation result
+	 *
+	 */
+	void (*update_recommendation)(imv_state_t *this,
+								  TNC_IMV_Action_Recommendation rec,
+								  TNC_IMV_Evaluation_Result eval);
+
+	/**
 	 * Get reason string based on the preferred language
 	 *
-	 * @param preferred_language	preferred language
+	 * @param language_enumerator	language enumerator
 	 * @param reason_string			reason string
-	 * @param language code			language of the returned reason string
+	 * @param reason_language		language of the returned reason string
 	 * @return						TRUE if a reason string was found
 	 */
-	bool (*get_reason_string)(imv_state_t *this, chunk_t preferred_language,
-							  chunk_t *reason_string, chunk_t *language_code);
+	bool (*get_reason_string)(imv_state_t *this,
+							  enumerator_t *language_enumerator,
+							  chunk_t *reason_string, char **reason_language);
+
+	/**
+	 * Get remediation instructions based on the preferred language
+	 *
+	 * @param language_enumerator	language enumerator
+	 * @param string				remediation instruction string
+	 * @param lang_code				language of the remediation instructions
+	 * @param uri					remediation URI
+	 * @return						TRUE if remediation instructions were found
+	 */
+	bool (*get_remediation_instructions)(imv_state_t *this,
+										 enumerator_t *language_enumerator,
+										 chunk_t *string, char **lang_code,
+										 char **uri);
 
 	/**
 	 * Destroys an imv_state_t object
diff --git a/src/libimcv/imv/imv_workitem.c b/src/libimcv/imv/imv_workitem.c
new file mode 100644
index 000000000..a61a826bc
--- /dev/null
+++ b/src/libimcv/imv/imv_workitem.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_workitem.h"
+
+#include <utils/debug.h>
+#include <tncif_names.h>
+
+typedef struct private_imv_workitem_t private_imv_workitem_t;
+
+ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_UDP_PORT_BLOCK,
+	"PCKGS",
+	"UNSRC",
+	"FWDEN",
+	"PWDEN",
+	"FREFM",
+	"FMEAS",
+	"FMETA",
+	"DREFM",
+	"DMEAS",
+	"DMETA",
+	"TCPOP",
+	"TCPBL",
+	"UDPOP",
+	"UDPBL"
+);
+
+/**
+ * Private data of a imv_workitem_t object.
+ *
+ */
+struct private_imv_workitem_t {
+
+	/**
+	 * Public imv_workitem_t interface.
+	 */
+	imv_workitem_t public;
+
+	/**
+	 * Primary workitem key
+	 */
+	int id;
+
+	/**
+	 * IMV ID
+	 */
+	TNC_IMVID imv_id;
+
+	/**
+	 * Workitem type
+	 */
+	imv_workitem_type_t type;
+
+	/**
+	 * Argument string
+	 */
+	char *arg_str;
+
+	/**
+	 * Argument integer
+	 */
+	int arg_int;
+
+	/**
+	 * Result string
+	 */
+	char *result;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec_fail;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec_noresult;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec_final;
+
+};
+
+METHOD(imv_workitem_t, get_id, int,
+	private_imv_workitem_t *this)
+{
+	return this->id;
+}
+
+METHOD(imv_workitem_t, set_imv_id, void,
+	private_imv_workitem_t *this, TNC_IMVID imv_id)
+{
+	this->imv_id = imv_id;
+}
+
+METHOD(imv_workitem_t, get_imv_id, TNC_IMVID,
+	private_imv_workitem_t *this)
+{
+	return this->imv_id;
+}
+
+METHOD(imv_workitem_t, get_type, imv_workitem_type_t,
+	private_imv_workitem_t *this)
+{
+	return this->type;
+}
+
+METHOD(imv_workitem_t, get_arg_str, char*,
+	private_imv_workitem_t *this)
+{
+	return this->arg_str;
+}
+
+METHOD(imv_workitem_t, get_arg_int, int,
+	private_imv_workitem_t *this)
+{
+	return this->arg_int;
+}
+
+METHOD(imv_workitem_t, set_result, TNC_IMV_Action_Recommendation,
+	private_imv_workitem_t *this, char *result, TNC_IMV_Evaluation_Result eval)
+{
+	this->result = strdup(result);
+	switch (eval)
+	{
+		case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+			this->rec_final = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+			break;
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+			this->rec_final = this->rec_fail;
+			break;
+		case TNC_IMV_EVALUATION_RESULT_ERROR:
+		case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+		default:
+			this->rec_final = this->rec_noresult;
+			break;
+	}
+	DBG2(DBG_IMV, "IMV %d handled %N workitem %d: %N%s%s", this->imv_id,
+		 imv_workitem_type_names, this->type, this->id,
+		 TNC_IMV_Action_Recommendation_names, this->rec_final,
+		 strlen(result) ? " - " : "", result);
+
+	return this->rec_final;	
+}
+
+METHOD(imv_workitem_t, get_result, TNC_IMV_Action_Recommendation,
+	private_imv_workitem_t *this, char **result)
+{
+	if (result)
+	{
+		*result = this->result;
+	}
+	return this->rec_final;
+}
+
+METHOD(imv_workitem_t, destroy, void,
+	private_imv_workitem_t *this)
+{
+	free(this->arg_str);
+	free(this->result);
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_workitem_t *imv_workitem_create(int id, imv_workitem_type_t type,
+									char *arg_str, int arg_int,
+									TNC_IMV_Action_Recommendation rec_fail,
+									TNC_IMV_Action_Recommendation rec_noresult)
+{
+	private_imv_workitem_t *this;
+
+	INIT(this,
+		.public = {
+			.get_id = _get_id,
+			.set_imv_id = _set_imv_id,
+			.get_imv_id = _get_imv_id,
+			.get_type = _get_type,
+			.get_arg_str = _get_arg_str,
+			.get_arg_int = _get_arg_int,
+			.set_result = _set_result,
+			.get_result = _get_result,
+			.destroy = _destroy,
+		},
+		.id = id,
+		.imv_id = TNC_IMVID_ANY,
+		.type = type,
+		.arg_str = arg_str ? strdup(arg_str) : NULL,
+		.arg_int = arg_int,
+		.rec_fail = rec_fail,
+		.rec_noresult = rec_noresult,
+		.rec_final = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/imv/imv_workitem.h b/src/libimcv/imv/imv_workitem.h
new file mode 100644
index 000000000..f6ca3ea68
--- /dev/null
+++ b/src/libimcv/imv/imv_workitem.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_workitem_t imv_workitem
+ * @{ @ingroup libimcv_imv
+ */
+
+#ifndef IMV_WORKITEM_H_
+#define IMV_WORKITEM_H_
+
+#include <tncifimv.h>
+
+#include <library.h>
+
+typedef struct imv_workitem_t imv_workitem_t;
+typedef enum imv_workitem_type_t imv_workitem_type_t;
+
+enum imv_workitem_type_t {
+	IMV_WORKITEM_PACKAGES =        1,
+	IMV_WORKITEM_UNKNOWN_SOURCE =  2,
+	IMV_WORKITEM_FORWARDING =      3,
+	IMV_WORKITEM_DEFAULT_PWD =     4,
+	IMV_WORKITEM_FILE_REF_MEAS =   5,
+	IMV_WORKITEM_FILE_MEAS =       6,
+	IMV_WORKITEM_FILE_META =       7,
+	IMV_WORKITEM_DIR_REF_MEAS =    8,
+	IMV_WORKITEM_DIR_MEAS =        9,
+	IMV_WORKITEM_DIR_META =       10,
+	IMV_WORKITEM_TCP_PORT_OPEN =  11,
+	IMV_WORKITEM_TCP_PORT_BLOCK = 12,
+	IMV_WORKITEM_UDP_PORT_OPEN =  13,
+	IMV_WORKITEM_UDP_PORT_BLOCK = 14
+};
+
+extern enum_name_t *imv_workitem_type_names;
+
+/**
+ * IMV database interface 
+ */
+struct imv_workitem_t {
+
+	/**
+	 * Get primary workitem key 
+	 *
+	 * @return				Primary workitem key
+	 */
+	 int (*get_id)(imv_workitem_t *this);
+
+	/**
+	 * Get workitem type
+	 *
+	 * @return				Workitem type
+	 */
+	 imv_workitem_type_t (*get_type)(imv_workitem_t *this);
+
+	/**
+	 * Set IMV ID
+	 *
+	 * @param id			IMV ID
+	 */
+	 void (*set_imv_id)(imv_workitem_t *this, TNC_IMVID imv_id);
+
+	/**
+	 * Get IMV ID
+	 *
+	 * @return				IMV ID
+	 */
+	 TNC_IMVID (*get_imv_id)(imv_workitem_t *this);
+
+	/**
+	 * Get string argument
+	 *
+	 * @return				Argument string
+	 */
+	 char* (*get_arg_str)(imv_workitem_t *this);
+
+	/**
+	 * Get integer argument
+	 *
+	 * @return				Argument integer
+	 */
+	 int (*get_arg_int)(imv_workitem_t *this);
+
+	/**
+	 * Set result string
+	 *
+	 * @param result		Result string
+	 * @param eval			Evaluation Result
+	 * @return				Action Recommendation
+	 */
+	 TNC_IMV_Action_Recommendation (*set_result)(imv_workitem_t *this, 
+						char *result, TNC_IMV_Evaluation_Result eval);
+
+	/**
+	 * Set result string
+	 *
+	 * @param result		Result string
+	 * @return				Action Recommendatino
+	 */
+	 TNC_IMV_Action_Recommendation (*get_result)(imv_workitem_t *this, 
+												 char **result);
+
+	/**
+	 * Destroys an imv_workitem_t object
+	 */
+	void (*destroy)(imv_workitem_t *this);
+};
+
+/**
+ * Create an imv_workitem_t instance
+ *
+ * @param id				Primary workitem key
+ * @param type				Workitem type
+ * @param arg_str			String argument
+ * @param arg_int			Integer argument
+ * @param rec_fail			Recommendation with minor/major non-compliance case
+ * @param rec_noresult		Recommendation in don't know/error case
+ */
+imv_workitem_t *imv_workitem_create(int id, imv_workitem_type_t type,
+									char *arg_str, int arg_int,
+									TNC_IMV_Action_Recommendation rec_fail,
+									TNC_IMV_Action_Recommendation rec_noresult);
+
+#endif /** IMV_WORKITEM_H_ @}*/
diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql
new file mode 100644
index 000000000..4cc959e09
--- /dev/null
+++ b/src/libimcv/imv/tables.sql
@@ -0,0 +1,234 @@
+/* IMV PTS SQLite database */
+
+DROP TABLE IF EXISTS directories;
+CREATE TABLE directories (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  path TEXT NOT NULL
+);
+DROP INDEX IF EXISTS directories_path;
+CREATE INDEX directories_path ON directories (
+  path
+);
+
+DROP TABLE IF EXISTS files;
+CREATE TABLE files (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  dir INTEGER DEFAULT 0 REFERENCES directories(id),
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS files_name;
+CREATE INDEX files_name ON files (
+  name
+);
+
+DROP TABLE IF EXISTS products;
+CREATE TABLE products (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS products_name;
+CREATE INDEX products_name ON products (
+  name
+);
+
+DROP TABLE IF EXISTS algorithms;
+CREATE TABLE algorithms (
+  id INTEGER PRIMARY KEY,
+  name VARCHAR(20) not NULL
+);
+
+DROP TABLE IF EXISTS file_hashes;
+CREATE TABLE file_hashes (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  file INTEGER NOT NULL REFERENCES files(id),
+  product INTEGER NOT NULL REFERENCES products(id),
+  device INTEGER DEFAULT 0,
+  key INTEGER DEFAULT 0 REFERENCES keys(id),
+  algo INTEGER NOT NULL REFERENCES algorithms(id),
+  hash BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS keys;
+CREATE TABLE keys (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  keyid BLOB NOT NULL,
+  owner TEXT NOT NULL
+);
+DROP INDEX IF EXISTS keys_keyid;
+CREATE INDEX keys_keyid ON keys (
+  keyid
+);
+DROP INDEX IF EXISTS keys_owner;
+CREATE INDEX keys_owner ON keys (
+  owner
+);
+
+DROP TABLE IF EXISTS groups;
+CREATE TABLE groups (
+  id INTEGER NOT NULL PRIMARY KEY,
+  name VARCHAR(50) NOT NULL UNIQUE,
+  parent INTEGER
+);
+
+DROP TABLE IF EXISTS groups_members;
+CREATE TABLE groups_members (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  device_id INTEGER NOT NULL REFERENCES devices(id),
+  UNIQUE (group_id, device_id)
+);
+
+DROP TABLE IF EXISTS groups_product_defaults;
+CREATE TABLE groups_product_defaults (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  product_id INTEGER NOT NULL REFERENCES products(id),
+  UNIQUE (group_id, product_id)
+);
+
+DROP TABLE IF EXISTS policies;
+CREATE TABLE policies (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  name VARCHAR(100) NOT NULL UNIQUE,
+  argument TEXT DEFAULT '' NOT NULL,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  file INTEGER DEFAULT 0 REFERENCES files(id),
+  dir INTEGER DEFAULT 0 REFERENCES directories(id)
+);
+
+DROP TABLE IF EXISTS enforcements;
+CREATE TABLE enforcements (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  rec_fail INTEGER,
+  rec_noresult INTEGER,
+  max_age INTEGER NOT NULL,
+  UNIQUE (policy, group_id)
+);
+
+DROP TABLE IF EXISTS sessions;
+CREATE TABLE sessions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  time INTEGER NOT NULL,
+  connection INTEGER NOT NULL,
+  identity INTEGER DEFAULT 0 REFERENCES identities(id),
+  device INTEGER DEFAULT 0 REFERENCES devices(id),
+  product INTEGER DEFAULT 0 REFERENCES products(id),
+  rec INTEGER DEFAULT 3
+);
+
+DROP TABLE IF EXISTS workitems;
+CREATE TABLE workitems (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES sessions(id),
+  enforcement INTEGER NOT NULL REFERENCES enforcements(id),
+  type INTEGER NOT NULL,
+  arg_str TEXT,
+  arg_int INTEGER DEFAULT 0,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  rec_final INTEGER,
+  result TEXT
+);
+DROP INDEX IF EXISTS workitems_session;
+CREATE INDEX workitems_sessions ON workitems (
+  session
+);
+
+DROP TABLE IF EXISTS results;
+CREATE TABLE results (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES measurements(id),
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  rec INTEGER NOT NULL,
+  result TEXT NOT NULL
+);
+DROP INDEX IF EXISTS results_session;
+CREATE INDEX results_session ON results (
+  session
+);
+
+DROP TABLE IF EXISTS components;
+CREATE TABLE components (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  vendor_id INTEGER NOT NULL,
+  name INTEGER NOT NULL,
+  qualifier INTEGER DEFAULT 0
+);
+
+
+DROP TABLE IF EXISTS key_component;
+CREATE TABLE key_component (
+  key INTEGER NOT NULL,
+  component INTEGER NOT NULL,
+  depth INTEGER DEFAULT 0,
+  seq_no INTEGER DEFAULT 0,
+  PRIMARY KEY (key, component)
+);
+
+
+DROP TABLE IF EXISTS component_hashes;
+CREATE TABLE component_hashes (
+  component INTEGER NOT NULL,
+  key INTEGER NOT NULL,
+  seq_no INTEGER NOT NULL,
+  pcr INTEGER NOT NULL,
+  algo INTEGER NOT NULL,
+  hash BLOB NOT NULL,
+  PRIMARY KEY(component, key, seq_no, algo)
+);
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  blacklist INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+  name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  package INTEGER NOT NULL REFERENCES packages(id),
+  product INTEGER NOT NULL REFERENCES products(id),
+  release TEXT NOT NULL,
+  security INTEGER DEFAULT 0,
+  blacklist INTEGER DEFAULT 0,
+  time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+  release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+  package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  description TEXT DEFAULT '',
+  value TEXT NOT NULL,
+  product INTEGER REFERENCES products(id),
+  created INTEGER
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+  value
+);
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  value BLOB NOT NULL,
+  UNIQUE (type, value)
+);
+
diff --git a/src/libimcv/ita/ita_attr.c b/src/libimcv/ita/ita_attr.c
index ec23c11ea..f3956717d 100644
--- a/src/libimcv/ita/ita_attr.c
+++ b/src/libimcv/ita/ita_attr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,9 +15,21 @@
 
 #include "ita_attr.h"
 #include "ita/ita_attr_command.h"
+#include "ita/ita_attr_dummy.h"
+#include "ita/ita_attr_get_settings.h"
+#include "ita/ita_attr_settings.h"
+#include "ita/ita_attr_angel.h"
+#include "ita/ita_attr_device_id.h"
 
-ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_COMMAND,
+ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_DEVICE_ID,
 	"Command",
+	"Dummy",
+	"Get Settings",
+	"Settings",
+	"Start Angel",
+	"Stop Angel",
+	"Echo",
+	"Device ID"
 );
 
 /**
@@ -29,6 +41,18 @@ pa_tnc_attr_t* ita_attr_create_from_data(u_int32_t type, chunk_t value)
 	{
 		case ITA_ATTR_COMMAND:
 			return ita_attr_command_create_from_data(value);
+		case ITA_ATTR_DUMMY:
+			return ita_attr_dummy_create_from_data(value);
+		case ITA_ATTR_GET_SETTINGS:
+			return ita_attr_get_settings_create_from_data(value);
+		case ITA_ATTR_SETTINGS:
+			return ita_attr_settings_create_from_data(value);
+		case ITA_ATTR_START_ANGEL:
+			return ita_attr_angel_create_from_data(TRUE, value);
+		case ITA_ATTR_STOP_ANGEL:
+			return ita_attr_angel_create_from_data(FALSE, value);
+		case ITA_ATTR_DEVICE_ID:
+			return ita_attr_device_id_create_from_data(value);
 		default:
 			return NULL;
 	}
diff --git a/src/libimcv/ita/ita_attr.h b/src/libimcv/ita/ita_attr.h
index 82debdd1e..ac5d8abaa 100644
--- a/src/libimcv/ita/ita_attr.h
+++ b/src/libimcv/ita/ita_attr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attrt ita_attr
- * @{ @ingroup ita_attr
+ * @defgroup ita_attr ita_attr
+ * @{ @ingroup libimcv
  */
 
 #ifndef ITA_ATTR_H_
@@ -32,6 +32,13 @@ typedef enum ita_attr_t ita_attr_t;
  */
 enum ita_attr_t {
 	ITA_ATTR_COMMAND =	1,
+	ITA_ATTR_DUMMY = 2,
+	ITA_ATTR_GET_SETTINGS = 3,
+	ITA_ATTR_SETTINGS = 4,
+	ITA_ATTR_START_ANGEL = 5,
+	ITA_ATTR_STOP_ANGEL = 6,
+	ITA_ATTR_ECHO = 7,
+	ITA_ATTR_DEVICE_ID = 8
 };
 
 /**
diff --git a/src/libimcv/ita/ita_attr_angel.c b/src/libimcv/ita/ita_attr_angel.c
new file mode 100644
index 000000000..0e9cff0a9
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_angel.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_angel.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_ita_attr_angel_t private_ita_attr_angel_t;
+
+/**
+ * Private data of an ita_attr_angel_t object.
+ */
+struct private_ita_attr_angel_t {
+
+	/**
+	 * Public members of ita_attr_angel_t
+	 */
+	ita_attr_angel_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_angel_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_angel_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_angel_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_angel_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_angel_t *this)
+{
+	/* nothing to build */
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_angel_t *this, u_int32_t *offset)
+{
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_angel_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_angel_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this);
+	}
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_angel_create(bool start)
+{
+	private_ita_attr_angel_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, start ? ITA_ATTR_START_ANGEL : ITA_ATTR_STOP_ANGEL },
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_angel_create_from_data(bool start, chunk_t data)
+{
+	private_ita_attr_angel_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, start ? ITA_ATTR_START_ANGEL : ITA_ATTR_STOP_ANGEL },
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ita/ita_attr_angel.h b/src/libimcv/ita/ita_attr_angel.h
new file mode 100644
index 000000000..d42e7119a
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_angel.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_angel ita_attr_angel
+ * @{ @ingroup ita_attr
+ */
+
+#ifndef ITA_ATTR_ANGEL_H_
+#define ITA_ATTR_ANGEL_H_
+
+typedef struct ita_attr_angel_t ita_attr_angel_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Start/Stop Angel PA-TNC attribute.
+ *
+ */
+struct ita_attr_angel_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+};
+
+/**
+ * Creates an ita_attr_angel_t object with an empty settings list
+ *
+ * @param start				TRUE for Start, FALSE for Stop Angel attribute
+ */
+pa_tnc_attr_t* ita_attr_angel_create(bool start);
+
+/**
+ * Creates an ita_attr_angel_t object from received data
+ *
+ * @param start				TRUE for Start, FALSE for Stop Angel attribute
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_angel_create_from_data(bool start, chunk_t value);
+
+#endif /** ITA_ATTR_ANGEL_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_command.c b/src/libimcv/ita/ita_attr_command.c
index 5c1577a7c..f32ab2bfe 100644
--- a/src/libimcv/ita/ita_attr_command.c
+++ b/src/libimcv/ita/ita_attr_command.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -16,8 +17,9 @@
 #include "ita_attr_command.h"
 
 #include <pen/pen.h>
+#include <utils/debug.h>
 
-#include <debug.h>
+#include <string.h>
 
 typedef struct private_ita_attr_command_t private_ita_attr_command_t;
 
@@ -32,14 +34,9 @@ struct private_ita_attr_command_t {
 	ita_attr_command_t public;
 
 	/**
-	 * Attribute vendor ID
+	 * Vendor-specific attribute type
 	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
-	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -62,13 +59,7 @@ struct private_ita_attr_command_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_ita_attr_command_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_ita_attr_command_t *this)
 {
 	return this->type;
@@ -95,6 +86,10 @@ METHOD(pa_tnc_attr_t, set_noskip_flag,void,
 METHOD(pa_tnc_attr_t, build, void,
 	private_ita_attr_command_t *this)
 {
+	if (this->value.ptr)
+	{
+		return;
+	}
 	this->value = chunk_create(this->command, strlen(this->command));
 	this->value = chunk_clone(this->value);
 }
@@ -102,11 +97,9 @@ METHOD(pa_tnc_attr_t, build, void,
 METHOD(pa_tnc_attr_t, process, status_t,
 	private_ita_attr_command_t *this, u_int32_t *offset)
 {
-	this->command = malloc(this->value.len + 1);
-	memcpy(this->command, this->value.ptr, this->value.len);
-	this->command[this->value.len] = '\0';
+	this->command = strndup(this->value.ptr, this->value.len);
 
-	return SUCCESS;	
+	return SUCCESS;
 }
 
 METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
@@ -143,7 +136,6 @@ pa_tnc_attr_t *ita_attr_command_create(char *command)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -155,8 +147,7 @@ pa_tnc_attr_t *ita_attr_command_create(char *command)
 			},
 			.get_command = _get_command,
 		},
-		.vendor_id = PEN_ITA,
-		.type = ITA_ATTR_COMMAND,
+		.type = { PEN_ITA, ITA_ATTR_COMMAND },
 		.command = strdup(command),
 		.ref = 1,
 	);
@@ -174,9 +165,10 @@ pa_tnc_attr_t *ita_attr_command_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
 				.build = _build,
 				.process = _process,
 				.get_ref = _get_ref,
@@ -184,8 +176,7 @@ pa_tnc_attr_t *ita_attr_command_create_from_data(chunk_t data)
 			},
 			.get_command = _get_command,
 		},
-		.vendor_id = PEN_ITA,
-		.type = ITA_ATTR_COMMAND,
+		.type = {PEN_ITA, ITA_ATTR_COMMAND },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libimcv/ita/ita_attr_command.h b/src/libimcv/ita/ita_attr_command.h
index 372355197..3926c3887 100644
--- a/src/libimcv/ita/ita_attr_command.h
+++ b/src/libimcv/ita/ita_attr_command.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup ita_attr_commandt ita_attr_command
- * @{ @ingroup ita_attr_command
+ * @defgroup ita_attr_command ita_attr_command
+ * @{ @ingroup ita_attr
  */
 
 #ifndef ITA_ATTR_COMMAND_H_
@@ -54,7 +54,7 @@ pa_tnc_attr_t* ita_attr_command_create(char *command);
 /**
  * Creates an ita_attr_command_t object from received data
  *
- * @param command			ITA command string
+ * @param value				binary value blob
  */
 pa_tnc_attr_t* ita_attr_command_create_from_data(chunk_t value);
 
diff --git a/src/libimcv/ita/ita_attr_device_id.c b/src/libimcv/ita/ita_attr_device_id.c
new file mode 100644
index 000000000..36907eb34
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_device_id.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_device_id.h"
+
+#include <pen/pen.h>
+
+#include <utils/debug.h>
+
+typedef struct private_ita_attr_device_id_t private_ita_attr_device_id_t;
+
+/**
+ * Private data of an ita_attr_device_id_t object.
+ */
+struct private_ita_attr_device_id_t {
+
+	/**
+	 * Public members of ita_attr_device_id_t
+	 */
+	ita_attr_device_id_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_device_id_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_device_id_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_device_id_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_device_id_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_device_id_t *this)
+{
+	return;
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_device_id_t *this, u_int32_t *offset)
+{
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_device_id_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_device_id_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_device_id_create_from_data(chunk_t value)
+{
+	private_ita_attr_device_id_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, ITA_ATTR_DEVICE_ID },
+		.value = chunk_clone(value),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_device_id_create(chunk_t value)
+{
+	return ita_attr_device_id_create_from_data(value);
+}
+
diff --git a/src/libimcv/ita/ita_attr_device_id.h b/src/libimcv/ita/ita_attr_device_id.h
new file mode 100644
index 000000000..ffacdba1e
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_device_id.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_device_id ita_attr_device_id
+ * @{ @ingroup ita_attr
+ */
+
+#ifndef ITA_ATTR_DEVICE_ID_H_
+#define ITA_ATTR_DEVICE_ID_H_
+
+typedef struct ita_attr_device_id_t ita_attr_device_id_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Device ID PA-TNC attribute.
+ *
+ */
+struct ita_attr_device_id_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+};
+
+/**
+ * Creates an ita_attr_device_id_t object
+ *
+ * @param value				ITA Device ID attribute value
+ */
+pa_tnc_attr_t* ita_attr_device_id_create(chunk_t value);
+
+/**
+ * Creates an ita_attr_device_id_t object from received data
+ *
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_device_id_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_DEVICE_ID_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_dummy.c b/src/libimcv/ita/ita_attr_dummy.c
new file mode 100644
index 000000000..6497d4645
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_dummy.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_dummy.h"
+
+#include <pen/pen.h>
+
+#include <utils/debug.h>
+
+typedef struct private_ita_attr_dummy_t private_ita_attr_dummy_t;
+
+/**
+ * Private data of an ita_attr_dummy_t object.
+ */
+struct private_ita_attr_dummy_t {
+
+	/**
+	 * Public members of ita_attr_dummy_t
+	 */
+	ita_attr_dummy_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Size of the attribute value
+	 */
+	int size;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_dummy_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_dummy_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_dummy_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_dummy_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_dummy_t *this)
+{
+	if (this->value.ptr)
+	{
+		return;
+	}
+	this->value = chunk_alloc(this->size);
+	memset(this->value.ptr, 0xdd, this->value.len);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_dummy_t *this, u_int32_t *offset)
+{
+	this->size = this->value.len;
+
+	return SUCCESS;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_dummy_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_dummy_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ita_attr_dummy_t, get_size, int,
+	private_ita_attr_dummy_t *this)
+{
+	return this->size;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_dummy_create(int size)
+{
+	private_ita_attr_dummy_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_size = _get_size,
+		},
+		.type = { PEN_ITA, ITA_ATTR_DUMMY },
+		.size = size,
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_dummy_create_from_data(chunk_t data)
+{
+	private_ita_attr_dummy_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.get_size = _get_size,
+		},
+		.type = { PEN_ITA, ITA_ATTR_DUMMY },
+		.value = chunk_clone(data),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ita/ita_attr_dummy.h b/src/libimcv/ita/ita_attr_dummy.h
new file mode 100644
index 000000000..1f85ece54
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_dummy.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_dummy ita_attr_dummy
+ * @{ @ingroup ita_attr
+ */
+
+#ifndef ITA_ATTR_DUMMY_H_
+#define ITA_ATTR_DUMMY_H_
+
+typedef struct ita_attr_dummy_t ita_attr_dummy_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Dummy PA-TNC attribute.
+ *
+ */
+struct ita_attr_dummy_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Get the size the ITA Dummy attribute value
+	 *
+	 * @return				size of dummy attribute value
+	 */
+	int (*get_size)(ita_attr_dummy_t *this);
+};
+
+/**
+ * Creates an ita_attr_dummy_t object with a given size
+ *
+ * @param size				size of dummy attribute value
+ */
+pa_tnc_attr_t* ita_attr_dummy_create(int size);
+
+/**
+ * Creates an ita_attr_dummy_t object from received data
+ *
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_dummy_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_DUMMY_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c
new file mode 100644
index 000000000..196613153
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_get_settings.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_get_settings.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_ita_attr_get_settings_t private_ita_attr_get_settings_t;
+
+/**
+ * ITA Get Settings
+ *
+ *					   1				   2				   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Settings Count                        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *					 ...........................
+ */
+
+#define ITA_GET_SETTINGS_MIN_SIZE	4
+
+/**
+ * Private data of an ita_attr_get_settings_t object.
+ */
+struct private_ita_attr_get_settings_t {
+
+	/**
+	 * Public members of ita_attr_get_settings_t
+	 */
+	ita_attr_get_settings_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * List of requested settings
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_get_settings_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_get_settings_t *this)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	char *name;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(ITA_GET_SETTINGS_MIN_SIZE);
+	writer->write_uint32(writer, this->list->get_count(this->list));
+
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		writer->write_data16(writer, chunk_create(name, strlen(name)));
+	}
+	enumerator->destroy(enumerator);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_get_settings_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t count;
+	chunk_t name;
+	status_t status = FAILED;
+
+	if (this->value.len < ITA_GET_SETTINGS_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for ITA Get Settings attribute");
+		*offset = 0;
+		return FAILED;
+	}
+
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &count);
+
+	*offset = ITA_GET_SETTINGS_MIN_SIZE;
+
+	while (count--)
+	{
+		if (!reader->read_data16(reader, &name))
+		{
+			DBG1(DBG_TNC, "insufficient data for setting name");
+			goto end;
+		}
+		*offset += 2 + name.len;
+
+		this->list->insert_last(this->list, strndup(name.ptr, name.len));
+	}
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);	
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_get_settings_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_get_settings_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->list->destroy_function(this->list, free);	
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ita_attr_get_settings_t, add, void,
+	private_ita_attr_get_settings_t *this, char *name)
+{
+	this->list->insert_last(this->list, strdup(name));
+}
+
+METHOD(ita_attr_get_settings_t, create_enumerator, enumerator_t*,
+	private_ita_attr_get_settings_t *this)
+{
+	return this->list->create_enumerator(this->list);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_get_settings_create(char *name)
+{
+	private_ita_attr_get_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_GET_SETTINGS },
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	if (name)
+	{
+		add(this, name);
+	}
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_get_settings_create_from_data(chunk_t data)
+{
+	private_ita_attr_get_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_GET_SETTINGS },
+		.value = chunk_clone(data),
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ita/ita_attr_get_settings.h b/src/libimcv/ita/ita_attr_get_settings.h
new file mode 100644
index 000000000..975fd0d9d
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_get_settings.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_get_settings ita_attr_get_settings
+ * @{ @ingroup ita_attr
+ */
+
+#ifndef ITA_ATTR_GET_SETTINGS_H_
+#define ITA_ATTR_GET_SETTINGS_H_
+
+typedef struct ita_attr_get_settings_t ita_attr_get_settings_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Get Settings PA-TNC attribute.
+ *
+ */
+struct ita_attr_get_settings_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Add a setting request to the list
+	 *
+	 * @param name			name of the requested setting
+	 */
+	void (*add)(ita_attr_get_settings_t *this, char *name);
+
+	/**
+	 * Return an enumerator over all requested settings
+	 *
+	 * @return				enumerator returns char *name
+	 */
+	enumerator_t* (*create_enumerator)(ita_attr_get_settings_t *this);
+};
+
+/**
+ * Creates an ita_attr_get_settings_t object with an optional first entry
+ *
+ * @param name				name of the requested setting or NULL
+ */
+pa_tnc_attr_t* ita_attr_get_settings_create(char *name);
+
+/**
+ * Creates an ita_attr_get_settings_t object from received data
+ *
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_get_settings_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_GET_SETTINGS_H_ @}*/
diff --git a/src/libimcv/ita/ita_attr_settings.c b/src/libimcv/ita/ita_attr_settings.c
new file mode 100644
index 000000000..9ce253d28
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_settings.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ita_attr.h"
+#include "ita_attr_settings.h"
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_ita_attr_settings_t private_ita_attr_settings_t;
+typedef struct entry_t entry_t;
+
+/**
+ * Contains a settins name/value pair
+ */
+struct entry_t {
+	char *name;
+	chunk_t value;
+};
+
+/**
+ * Free an entry_t object
+ */
+static void free_entry(entry_t *this)
+{
+	free(this->name);
+	free(this->value.ptr);
+	free(this);
+}
+
+/**
+ * ITA Settings
+ *
+ *					   1				   2				   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Settings Count                        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Value Length           |  Value (Variable Length)      ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Value (Variable Length)                  ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Name Length            |  Name (Variable Length)       ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Name (Variable Length)                   ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |        Value Length           |  Value (Variable Length)      ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  ~                      Value (Variable Length)                  ~
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *					 ...........................
+ */
+
+#define ITA_SETTINGS_MIN_SIZE	4
+
+/**
+ * Private data of an ita_attr_settings_t object.
+ */
+struct private_ita_attr_settings_t {
+
+	/**
+	 * Public members of ita_attr_settings_t
+	 */
+	ita_attr_settings_t public;
+
+	/**
+	 * Vendor-specific attribute type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * List of settings
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
+	private_ita_attr_settings_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ita_attr_settings_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ita_attr_settings_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ita_attr_settings_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ita_attr_settings_t *this)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+	writer = bio_writer_create(ITA_SETTINGS_MIN_SIZE);
+	writer->write_uint32(writer, this->list->get_count(this->list));
+
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		writer->write_data16(writer, chunk_create(entry->name,
+												  strlen(entry->name)));
+		writer->write_data16(writer, entry->value);
+	}
+	enumerator->destroy(enumerator);
+
+	this->value = writer->extract_buf(writer);
+	writer->destroy(writer);
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ita_attr_settings_t *this, u_int32_t *offset)
+{
+	bio_reader_t *reader;
+	u_int32_t count;
+	chunk_t name, value;
+	entry_t *entry;
+	status_t status = FAILED;
+
+	if (this->value.len < ITA_SETTINGS_MIN_SIZE)
+	{
+		DBG1(DBG_TNC, "insufficient data for ITA Settings attribute");
+		*offset = 0;
+		return FAILED;
+	}
+
+	reader = bio_reader_create(this->value);
+	reader->read_uint32(reader, &count);
+
+	*offset = ITA_SETTINGS_MIN_SIZE;
+
+	while (count--)
+	{
+		if (!reader->read_data16(reader, &name))
+		{
+			DBG1(DBG_TNC, "insufficient data for setting name");
+			goto end;
+		}
+		*offset += 2 + name.len;
+
+		if (!reader->read_data16(reader, &value))
+		{
+			DBG1(DBG_TNC, "insufficient data for setting value");
+			goto end;
+		}
+		*offset += 2 + value.len;
+
+		/* remove a terminating newline character */
+		if (value.len && value.ptr[value.len - 1] == '\n')
+		{
+			value.len--;
+		}
+		entry = malloc_thing(entry_t);
+		entry->name = strndup(name.ptr, name.len);
+		entry->value = chunk_clone(value);
+		this->list->insert_last(this->list, entry);
+	}
+	status = SUCCESS;
+
+end:
+	reader->destroy(reader);	
+	return status;
+}
+
+METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*,
+	private_ita_attr_settings_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.pa_tnc_attribute;
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ita_attr_settings_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		this->list->destroy_function(this->list, (void*)free_entry);	
+		free(this->value.ptr);
+		free(this);
+	}
+}
+
+METHOD(ita_attr_settings_t, add, void,
+	private_ita_attr_settings_t *this, char *name, chunk_t value)
+{
+	entry_t *entry;
+
+	entry = malloc_thing(entry_t);
+	entry->name = strdup(name);
+	entry->value = chunk_clone(value);
+	this->list->insert_last(this->list, entry);
+}
+
+/**
+ * Enumerate name/value pairs
+ */
+static bool entry_filter(void *null, entry_t **entry, char **name,
+						 void *i2, chunk_t *value)
+{
+	*name = (*entry)->name;
+	*value = (*entry)->value;
+	return TRUE;
+}
+
+METHOD(ita_attr_settings_t, create_enumerator, enumerator_t*,
+	private_ita_attr_settings_t *this)
+{
+	return enumerator_create_filter(this->list->create_enumerator(this->list),
+								   (void*)entry_filter, NULL, NULL);
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_settings_create(void)
+{
+	private_ita_attr_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_SETTINGS },
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ita_attr_settings_create_from_data(chunk_t data)
+{
+	private_ita_attr_settings_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+			.add = _add,
+			.create_enumerator = _create_enumerator,
+		},
+		.type = { PEN_ITA, ITA_ATTR_SETTINGS },
+		.value = chunk_clone(data),
+		.list = linked_list_create(),
+		.ref = 1,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+
diff --git a/src/libimcv/ita/ita_attr_settings.h b/src/libimcv/ita/ita_attr_settings.h
new file mode 100644
index 000000000..eb7eedae3
--- /dev/null
+++ b/src/libimcv/ita/ita_attr_settings.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ita_attr_settings ita_attr_settings
+ * @{ @ingroup ita_attr
+ */
+
+#ifndef ITA_ATTR_SETTINGS_H_
+#define ITA_ATTR_SETTINGS_H_
+
+typedef struct ita_attr_settings_t ita_attr_settings_t;
+
+#include "pa_tnc/pa_tnc_attr.h"
+
+/**
+ * Class implementing the ITA Settings PA-TNC attribute.
+ *
+ */
+struct ita_attr_settings_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Add a setting to the list
+	 *
+	 * @param name			name of the setting
+	 * @param value			value of the setting
+	 */
+	void (*add)(ita_attr_settings_t *this, char *name, chunk_t value);
+
+	/**
+	 * Return an enumerator over all name/value pairs
+	 *
+	 * @return				enumerator returns char **name, chunk_t *value
+	 */
+	enumerator_t* (*create_enumerator)(ita_attr_settings_t *this);
+};
+
+/**
+ * Creates an ita_attr_settings_t object with an empty settings list
+ */
+pa_tnc_attr_t* ita_attr_settings_create(void);
+
+/**
+ * Creates an ita_attr_settings_t object from received data
+ *
+ * @param value				binary value blob
+ */
+pa_tnc_attr_t* ita_attr_settings_create_from_data(chunk_t value);
+
+#endif /** ITA_ATTR_SETTINGS_H_ @}*/
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c
new file mode 100644
index 000000000..17000cd27
--- /dev/null
+++ b/src/libimcv/os_info/os_info.c
@@ -0,0 +1,606 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "os_info.h"
+
+#include <sys/utsname.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+typedef struct private_os_info_t private_os_info_t;
+
+ENUM(os_type_names, OS_TYPE_UNKNOWN, OS_TYPE_ANDROID,
+	"Unknown",
+	"Debian",
+	"Ubuntu",
+	"Fedora",
+	"Red Hat",
+	"CentOS",
+	"SUSE",
+	"Gentoo",
+	"Android"
+);
+
+ENUM(os_fwd_status_names, OS_FWD_DISABLED, OS_FWD_UNKNOWN,
+	"disabled",
+	"enabled",
+	"unknown"
+);
+
+ENUM(os_package_state_names, OS_PACKAGE_STATE_UPDATE, OS_PACKAGE_STATE_BLACKLIST,
+	"",
+	" [s]",
+	" [b]"
+);
+
+/**
+ * Private data of an os_info_t object.
+ *
+ */
+struct private_os_info_t {
+
+	/**
+	 * Public os_info_t interface.
+	 */
+	os_info_t public;
+
+	/**
+	 * OS type
+	 */
+	os_type_t type;
+
+	/**
+	 * OS name
+	 */
+	chunk_t name;
+
+	/**
+	 * OS version
+	 */
+	chunk_t version;
+
+};
+
+METHOD(os_info_t, get_type, os_type_t,
+	private_os_info_t *this)
+{
+	return this->type;
+}
+
+METHOD(os_info_t, get_name, chunk_t,
+	private_os_info_t *this)
+{
+	return this->name;
+}
+
+METHOD(os_info_t, get_numeric_version, void,
+	private_os_info_t *this, u_int32_t *major, u_int32_t *minor)
+{
+	u_char *pos;
+
+	if (major)
+	{
+		*major = atol(this->version.ptr);
+	}
+	pos = memchr(this->version.ptr, '.', this->version.len);
+	if (minor)
+	{
+		*minor = pos ? atol(pos + 1) : 0;
+	}
+}
+
+METHOD(os_info_t, get_version, chunk_t,
+	private_os_info_t *this)
+{
+	return this->version;
+}
+
+METHOD(os_info_t, get_fwd_status, os_fwd_status_t,
+	private_os_info_t *this)
+{
+	const char ip_forward[] = "/proc/sys/net/ipv4/ip_forward";
+	char buf[2];
+	FILE *file;
+
+	os_fwd_status_t fwd_status = OS_FWD_UNKNOWN;
+
+	file = fopen(ip_forward, "r");
+	if (file)
+	{
+		if (fread(buf, 1, 1, file) == 1)
+		{
+			switch (buf[0])
+			{
+				case '0':
+					fwd_status = OS_FWD_DISABLED;
+					break;
+				case '1':
+					fwd_status = OS_FWD_ENABLED;
+					break;
+				default:
+					DBG1(DBG_IMC, "\"%s\" returns invalid value ", ip_forward);
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_IMC, "could not read from \"%s\"", ip_forward);
+		}
+		fclose(file);
+	}
+	else
+	{
+		DBG1(DBG_IMC, "failed to open \"%s\"", ip_forward);
+	}
+
+	return fwd_status;
+}
+
+METHOD(os_info_t, get_uptime, time_t,
+	private_os_info_t *this)
+{
+	const char proc_uptime[] = "/proc/uptime";
+	FILE *file;
+	u_int uptime;
+
+	file = fopen(proc_uptime, "r");
+	if (!file)
+	{
+		DBG1(DBG_IMC, "failed to open \"%s\"", proc_uptime);
+		return 0;
+	}
+	if (fscanf(file, "%u", &uptime) != 1)
+	{
+		DBG1(DBG_IMC, "failed to read file \"%s\"", proc_uptime);
+		uptime = 0;
+	}
+	fclose(file);
+
+	return uptime;
+}
+
+METHOD(os_info_t, get_setting, chunk_t,
+	private_os_info_t *this, char *name)
+{
+	FILE *file;
+	u_char buf[2048];
+	size_t i = 0;
+	chunk_t value;
+
+	if (!strpfx(name, "/etc/") && !strpfx(name, "/proc/") &&
+		!strpfx(name, "/sys/") && !strpfx(name, "/var/"))
+	{
+		/**
+		 * In order to guarantee privacy, only settings from the
+		 * /etc/, /proc/ and /sys/ directories can be retrieved
+		 */
+		DBG1(DBG_IMC, "not allowed to access '%s'", name);
+
+		return chunk_empty;
+	}
+
+	file = fopen(name, "r");
+	if (!file)
+	{
+		DBG1(DBG_IMC, "failed to open '%s'", name);
+
+		return chunk_empty;
+	}
+	while (i < sizeof(buf) && fread(buf + i, 1, 1, file) == 1)
+	{
+		i++;
+	}
+	fclose(file);
+
+	value = chunk_create(buf, i);
+
+	return chunk_clone(value);
+}
+
+typedef struct {
+	/**
+	 * implements enumerator_t
+	 */
+	enumerator_t public;
+
+	/**
+	 * package info pipe stream
+	 */
+	FILE* file;
+
+	/**
+	 * line buffer
+	 */
+	u_char line[512];
+
+} package_enumerator_t;
+
+/**
+ * Implementation of package_enumerator.destroy.
+ */
+static void package_enumerator_destroy(package_enumerator_t *this)
+{
+	pclose(this->file);
+	free(this);
+}
+
+/**
+ * Implementation of package_enumerator.enumerate
+ */
+static bool package_enumerator_enumerate(package_enumerator_t *this, ...)
+{
+	chunk_t *name, *version;
+	u_char *pos;
+	va_list args;
+
+	while (TRUE)
+	{
+		if (!fgets(this->line, sizeof(this->line), this->file))
+		{
+			return FALSE;
+		}
+
+		pos = strchr(this->line, '\t');
+		if (!pos)
+		{
+			return FALSE;
+		}
+		*pos++ = '\0';
+
+		if (!streq(this->line, "install ok installed"))
+		{
+			continue;
+		}
+		va_start(args, this);
+
+		name = va_arg(args, chunk_t*);
+		name->ptr = pos;
+		pos = strchr(pos, '\t');
+		if (!pos)
+		{
+			va_end(args);
+			return FALSE;
+		}
+		name->len = pos++ - name->ptr;
+
+		version = va_arg(args, chunk_t*);
+		version->ptr = pos;
+		version->len = strlen(pos) - 1;
+
+		va_end(args);
+		return TRUE;
+	}
+}
+
+METHOD(os_info_t, create_package_enumerator, enumerator_t*,
+	private_os_info_t *this)
+{
+	FILE *file;
+	const char command[] = "dpkg-query --show --showformat="
+								"'${Status}\t${Package}\t${Version}\n'";
+	package_enumerator_t *enumerator;
+
+	/* Only Debian and Ubuntu package enumeration is currently supported */
+	if (this->type != OS_TYPE_DEBIAN && this->type != OS_TYPE_UBUNTU)
+	{
+		return NULL;
+	}
+
+	/* Open a pipe stream for reading the output of the dpkg-query commmand */
+	file = popen(command, "r");
+	if (!file)
+	{
+		DBG1(DBG_IMC, "failed to run dpkg command");
+		return NULL;
+	}
+
+	/* Create a package enumerator instance */
+	enumerator = malloc_thing(package_enumerator_t);
+	enumerator->public.enumerate = (void*)package_enumerator_enumerate;
+	enumerator->public.destroy = (void*)package_enumerator_destroy;
+	enumerator->file = file;
+
+	return (enumerator_t*)enumerator;
+}
+
+
+METHOD(os_info_t, destroy, void,
+	private_os_info_t *this)
+{
+	free(this->name.ptr);
+	free(this->version.ptr);
+	free(this);
+}
+
+#define RELEASE_LSB		0
+#define RELEASE_DEBIAN	1
+
+/**
+ * Determine Linux distribution version and hardware platform
+ */
+static bool extract_platform_info(os_type_t *type, chunk_t *name,
+								  chunk_t *version)
+{
+	FILE *file;
+	u_char buf[BUF_LEN], *pos = buf;
+	int len = BUF_LEN - 1;
+	os_type_t os_type = OS_TYPE_UNKNOWN;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	char *os_str;
+	struct utsname uninfo;
+	int i;
+
+	/* Linux/Unix distribution release info (from http://linuxmafia.com) */
+	const char* releases[] = {
+		"/etc/lsb-release",           "/etc/debian_version",
+		"/etc/SuSE-release",          "/etc/novell-release",
+		"/etc/sles-release",          "/etc/redhat-release",
+		"/etc/fedora-release",        "/etc/gentoo-release",
+		"/etc/slackware-version",     "/etc/annvix-release",
+		"/etc/arch-release",          "/etc/arklinux-release",
+		"/etc/aurox-release",         "/etc/blackcat-release",
+		"/etc/cobalt-release",        "/etc/conectiva-release",
+		"/etc/debian_release",        "/etc/immunix-release",
+		"/etc/lfs-release",           "/etc/linuxppc-release",
+		"/etc/mandrake-release",      "/etc/mandriva-release",
+		"/etc/mandrakelinux-release", "/etc/mklinux-release",
+		"/etc/pld-release",           "/etc/redhat_version",
+		"/etc/slackware-release",     "/etc/e-smith-release",
+		"/etc/release",               "/etc/sun-release",
+		"/etc/tinysofa-release",      "/etc/turbolinux-release",
+		"/etc/ultrapenguin-release",  "/etc/UnitedLinux-release",
+		"/etc/va-release",            "/etc/yellowdog-release"
+	};
+
+	const char lsb_distrib_id[]      = "DISTRIB_ID=";
+	const char lsb_distrib_release[] = "DISTRIB_RELEASE=";
+
+	for (i = 0; i < countof(releases); i++)
+	{
+		file = fopen(releases[i], "r");
+		if (!file)
+		{
+			continue;
+		}
+
+		/* read release file into buffer */
+		fseek(file, 0, SEEK_END);
+		len = min(ftell(file), len);
+		rewind(file);
+		buf[len] = '\0';
+		if (fread(buf, 1, len, file) != len)
+		{
+			DBG1(DBG_IMC, "failed to read file \"%s\"", releases[i]);
+			fclose(file);
+			return FALSE;
+		}
+		fclose(file);
+
+		DBG1(DBG_IMC, "processing \"%s\" file", releases[i]);
+
+		switch (i)
+		{
+			case RELEASE_LSB:
+			{
+				/* Determine Distribution ID */
+				pos = strstr(buf, lsb_distrib_id);
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find begin of DISTRIB_ID field");
+					return FALSE;
+				}
+				pos += strlen(lsb_distrib_id);
+
+				os_name.ptr = pos;
+
+				pos = strchr(pos, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find end of DISTRIB_ID field");
+					return FALSE;
+			 	}
+				os_name.len = pos - os_name.ptr;
+
+				/* Determine Distribution Release */
+				pos = strstr(buf, lsb_distrib_release);
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find begin of DISTRIB_RELEASE field");
+					return FALSE;
+				}
+				pos += strlen(lsb_distrib_release);
+
+				os_version.ptr = pos;
+
+				pos = strchr(pos, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find end of DISTRIB_RELEASE field");
+					return FALSE;
+			 	}
+				os_version.len = pos - os_version.ptr;
+
+				break;
+			}
+			case RELEASE_DEBIAN:
+			{
+				os_type = OS_TYPE_DEBIAN;
+
+				os_version.ptr = buf;
+				pos = strchr(buf, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_PTS, "failed to find end of release string");
+					return FALSE;
+				}
+
+				os_version.len = pos - os_version.ptr;
+
+				break;
+			}
+			default:
+			{
+				const char str_release[] = " release ";
+
+				os_name.ptr = buf;
+
+				pos = strstr(buf, str_release);
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find release keyword");
+					return FALSE;
+				}
+
+				os_name.len = pos - os_name.ptr;
+
+				pos += strlen(str_release);
+				os_version.ptr = pos;
+
+				pos = strchr(pos, '\n');
+				if (!pos)
+				{
+					DBG1(DBG_IMC, "failed to find end of release string");
+					return FALSE;
+			 	}
+
+				os_version.len = pos - os_version.ptr;
+
+				break;
+			}
+		}
+		break;
+	}
+
+	if (!os_version.ptr)
+	{
+		DBG1(DBG_IMC, "no distribution release file found");
+		return FALSE;
+	}
+
+	if (uname(&uninfo) < 0)
+	{
+		DBG1(DBG_IMC, "could not retrieve machine architecture");
+		return FALSE;
+	}
+
+	/* Try to find a matching OS type based on the OS name */
+	if (os_type == OS_TYPE_UNKNOWN)
+	{
+		os_type = os_type_from_name(os_name);
+	}
+
+	/* If known use the official OS name */
+	if (os_type != OS_TYPE_UNKNOWN)
+	{
+		os_str = enum_to_name(os_type_names, os_type);
+		os_name = chunk_create(os_str, strlen(os_str));
+	}
+
+	/* copy OS type */
+	*type = os_type;
+
+	/* copy OS name */
+	*name = chunk_clone(os_name);
+
+	/* copy OS version and machine architecture */
+	*version = chunk_alloc(os_version.len + 1 + strlen(uninfo.machine));
+	pos = version->ptr;
+	memcpy(pos, os_version.ptr, os_version.len);
+	pos += os_version.len;
+	*pos++ = ' ';
+	memcpy(pos, uninfo.machine, strlen(uninfo.machine));
+
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+os_type_t os_type_from_name(chunk_t name)
+{
+	os_type_t type;
+	char *name_str;
+
+	for (type = OS_TYPE_DEBIAN; type < OS_TYPE_ROOF; type++)
+	{
+		/* name_str is a substring of name.ptr */
+		name_str = enum_to_name(os_type_names, type);
+		if (memeq(name.ptr, name_str, min(name.len, strlen(name_str))))
+		{
+			return type;
+		}
+	}
+	return OS_TYPE_UNKNOWN;
+}
+
+/**
+ * See header
+ */
+os_info_t *os_info_create(void)
+{
+	private_os_info_t *this;
+	chunk_t name, version;
+	os_type_t type;
+
+	/* As an option OS name and OS version can be configured manually */
+	name.ptr = lib->settings->get_str(lib->settings,
+									  "libimcv.os_info.name", NULL);
+	version.ptr = lib->settings->get_str(lib->settings,
+									  "libimcv.os_info.version", NULL);
+	if (name.ptr && version.ptr)
+	{
+		name.len = strlen(name.ptr);
+		name = chunk_clone(name);
+
+		version.len = strlen(version.ptr);
+		version = chunk_clone(version);
+
+		type = os_type_from_name(name);
+	}
+	else
+	{
+		if (!extract_platform_info(&type, &name, &version))
+		{
+			return NULL;
+		}
+	}
+	DBG1(DBG_IMC, "operating system name is '%.*s'",
+				   name.len, name.ptr);
+	DBG1(DBG_IMC, "operating system version is '%.*s'",
+				   version.len, version.ptr);
+
+	INIT(this,
+		.public = {
+			.get_type = _get_type,
+			.get_name = _get_name,
+			.get_numeric_version = _get_numeric_version,
+			.get_version = _get_version,
+			.get_fwd_status = _get_fwd_status,
+			.get_uptime = _get_uptime,
+			.get_setting = _get_setting,
+			.create_package_enumerator = _create_package_enumerator,
+			.destroy = _destroy,
+		},
+		.type = type,
+		.name = name,
+		.version = version,
+	);
+
+	return &this->public;
+}
diff --git a/src/libimcv/os_info/os_info.h b/src/libimcv/os_info/os_info.h
new file mode 100644
index 000000000..f47460709
--- /dev/null
+++ b/src/libimcv/os_info/os_info.h
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup os_info os_info
+ * @{ @ingroup libimcv
+ */
+
+#ifndef OS_INFO_H_
+#define OS_INFO_H_
+
+typedef struct os_info_t os_info_t;
+typedef enum os_type_t os_type_t;
+typedef enum os_fwd_status_t os_fwd_status_t;
+typedef enum os_package_state_t os_package_state_t;
+
+#include <library.h>
+
+#include <time.h>
+
+enum os_type_t {
+	OS_TYPE_UNKNOWN,
+	OS_TYPE_DEBIAN,
+	OS_TYPE_UBUNTU,
+	OS_TYPE_FEDORA,
+	OS_TYPE_REDHAT,
+	OS_TYPE_CENTOS,
+	OS_TYPE_SUSE,
+	OS_TYPE_GENTOO,
+	OS_TYPE_ANDROID,
+	OS_TYPE_ROOF
+};
+
+extern enum_name_t *os_type_names;
+
+/**
+ * Defines the security state of a package stored in the database
+ */
+enum os_package_state_t {
+	OS_PACKAGE_STATE_UPDATE =    0,		/* latest update */
+	OS_PACKAGE_STATE_SECURITY =  1,		/* latest security fix */
+	OS_PACKAGE_STATE_BLACKLIST = 2 		/* blacklisted package */
+};
+
+extern enum_name_t *os_package_state_names;
+
+/**
+ * Defines the IPv4 forwarding status
+ */
+enum os_fwd_status_t {
+	OS_FWD_DISABLED =	0,
+	OS_FWD_ENABLED =	1,
+	OS_FWD_UNKNOWN =	2
+};
+
+extern enum_name_t *os_fwd_status_names;
+
+/**
+ * Interface for the Operating System (OS) information module
+ */
+struct os_info_t {
+
+	/**
+	 * Get the OS type if it can be determined
+	 *
+	 * @return					OS type
+	 */
+	os_type_t (*get_type)(os_info_t *this);
+
+	/**
+	 * Get the OS product name or distribution
+	 *
+	 * @return					OS name
+	 */
+	chunk_t (*get_name)(os_info_t *this);
+
+	/**
+	 * Get the numeric OS version or release
+	 *
+	 * @param major				OS major version number
+	 * @param minor				OS minor version number
+	 */
+	void (*get_numeric_version)(os_info_t *this, u_int32_t *major,
+												 u_int32_t *minor);
+
+	/**
+	 * Get the OS version or release
+	 *
+	 * @return					OS version
+	 */
+	chunk_t (*get_version)(os_info_t *this);
+
+	/**
+	 * Get the OS IPv4 forwarding status
+	 *
+	 * @return					IP forwarding status
+	 */
+	os_fwd_status_t (*get_fwd_status)(os_info_t *this);
+
+	/**
+	 * Get the OS uptime in seconds
+	 *
+	 * @return					OS uptime
+	 */
+	time_t (*get_uptime)(os_info_t *this);
+
+	/**
+	 * Get an OS setting (restricted to /proc, /sys, and /etc)
+	 *
+	 * @param name				name of OS setting
+	 * @return					value of OS setting
+	 */
+	chunk_t (*get_setting)(os_info_t *this, char *name);
+
+	/**
+	 * Enumerates over all installed packages
+	 *
+	 * @return				return package enumerator
+	 */
+	enumerator_t* (*create_package_enumerator)(os_info_t *this);
+
+	/**
+	 * Destroys an os_info_t object.
+	 */
+	void (*destroy)(os_info_t *this);
+};
+
+/**
+ * Convert an OS name into an OS enumeration type
+ *
+ * @param name				OS name
+ * @return					OS enumeration type
+ */
+os_type_t os_type_from_name(chunk_t name);
+
+/**
+ * Create an os_info_t object
+ */
+os_info_t* os_info_create(void);
+
+#endif /** OS_INFO_H_ @}*/
diff --git a/src/libimcv/pa_tnc/pa_tnc_attr.h b/src/libimcv/pa_tnc/pa_tnc_attr.h
index b6057a70b..e2ce06ee4 100644
--- a/src/libimcv/pa_tnc/pa_tnc_attr.h
+++ b/src/libimcv/pa_tnc/pa_tnc_attr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pa_tnc_attr pa_tnc_attr
- * @{ @ingroup libimcv
+ * @{ @ingroup pa_tnc
  */
 
 #ifndef PA_TNC_ATTR_H_
@@ -33,18 +33,11 @@ typedef struct pa_tnc_attr_t pa_tnc_attr_t;
 struct pa_tnc_attr_t {
 
 	/**
-	 * Get the vendor ID of an PA-TNC attribute
+	 * Get the vendor ID/type of an PA-TNC attribute
 	 *
-	 * @return					attribute vendor ID
+	 * @return					vendor-specific attribute type
 	 */
-	u_int32_t (*get_vendor_id)(pa_tnc_attr_t *this);
-
-	/**
-	 * Get the type of an PA-TNC attribute
-	 *
-	 * @return					attribute type
-	 */
-	u_int32_t (*get_type)(pa_tnc_attr_t *this);
+	pen_type_t (*get_type)(pa_tnc_attr_t *this);
 
 	/**
 	 * Get the value of an PA-TNC attribute
diff --git a/src/libimcv/pa_tnc/pa_tnc_attr_manager.c b/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
index 1de89d87d..900a55716 100644
--- a/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
+++ b/src/libimcv/pa_tnc/pa_tnc_attr_manager.c
@@ -16,8 +16,8 @@
 
 #include "pa_tnc_attr_manager.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_pa_tnc_attr_manager_t private_pa_tnc_attr_manager_t;
 typedef struct entry_t entry_t;
@@ -46,7 +46,7 @@ struct private_pa_tnc_attr_manager_t {
 };
 
 METHOD(pa_tnc_attr_manager_t, add_vendor, void,
-	private_pa_tnc_attr_manager_t *this, pen_t vendor_id, 
+	private_pa_tnc_attr_manager_t *this, pen_t vendor_id,
 	pa_tnc_attr_create_t attr_create, enum_name_t *attr_names)
 {
 	entry_t *entry;
@@ -128,7 +128,7 @@ METHOD(pa_tnc_attr_manager_t, create, pa_tnc_attr_t*,
 METHOD(pa_tnc_attr_manager_t, destroy, void,
 	private_pa_tnc_attr_manager_t *this)
 {
-	this->list->destroy_function(this->list, free); 
+	this->list->destroy_function(this->list, free);
 	free(this);
 }
 
diff --git a/src/libimcv/pa_tnc/pa_tnc_attr_manager.h b/src/libimcv/pa_tnc/pa_tnc_attr_manager.h
index 40c3ab335..121be7f90 100644
--- a/src/libimcv/pa_tnc/pa_tnc_attr_manager.h
+++ b/src/libimcv/pa_tnc/pa_tnc_attr_manager.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pa_tnc_attr_manager pa_tnc_attr_manager
- * @{ @ingroup libimcv
+ * @{ @ingroup pa_tnc
  */
 
 #ifndef PA_TNC_ATTR_MANAGER_H_
@@ -56,7 +56,7 @@ struct pa_tnc_attr_manager_t {
 	 * Return the PA-TNC attribute names for a given vendor ID
 	 *
 	 * @param vendor_id		Private Enterprise Number (PEN)
-	 * @return 				PA-TNC attribute names if found, NULL else
+	 * @return				PA-TNC attribute names if found, NULL else
 	 */
 	enum_name_t* (*get_names)(pa_tnc_attr_manager_t *this, pen_t vendor_id);
 
@@ -66,7 +66,7 @@ struct pa_tnc_attr_manager_t {
 	 * @param vendor_id		Private Enterprise Number (PEN)
 	 * @param type			PA-TNC attribute type
 	 * @param value			PA-TNC attribute value as encoded data
-	 * @return 				PA-TNC attribute object if supported, NULL else
+	 * @return				PA-TNC attribute object if supported, NULL else
 	 */
 	pa_tnc_attr_t* (*create)(pa_tnc_attr_manager_t *this, pen_t vendor_id,
 							 u_int32_t type, chunk_t value);
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c
index b5df0a5b5..140463b83 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.c
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -20,9 +19,9 @@
 
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 
 typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
@@ -43,7 +42,7 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
 #define PA_TNC_RESERVED		0x000000
 
 /**
- *  PA-TNC attribute 
+ *  PA-TNC attribute
  *
  *                       1                   2                   3
  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
@@ -90,6 +89,16 @@ struct private_pa_tnc_msg_t {
 	u_int32_t identifier;
 
 	/**
+	 * Current PA-TNC Message size
+	 */
+	size_t msg_len;
+
+	/**
+	 * Maximum PA-TNC Message size
+	 */
+	size_t max_msg_len;
+
+	/**
 	 * Encoded message
 	 */
 	chunk_t encoding;
@@ -101,75 +110,94 @@ METHOD(pa_tnc_msg_t, get_encoding, chunk_t,
 	return this->encoding;
 }
 
-METHOD(pa_tnc_msg_t, add_attribute, void,
+METHOD(pa_tnc_msg_t, add_attribute, bool,
 	private_pa_tnc_msg_t *this, pa_tnc_attr_t *attr)
 {
+	chunk_t attr_value;
+	size_t attr_len;
+
+	attr->build(attr);
+	attr_value = attr->get_value(attr);
+	attr_len = PA_TNC_ATTR_HEADER_SIZE + attr_value.len;
+
+	if (this->max_msg_len && this->msg_len + attr_len > this->max_msg_len)
+	{
+		/* attribute just does not fit into this message */
+		return FALSE;
+	}
+	this->msg_len += attr_len;
+
 	this->attributes->insert_last(this->attributes, attr);
+	return TRUE;
 }
 
-METHOD(pa_tnc_msg_t, build, void,
+METHOD(pa_tnc_msg_t, build, bool,
 	private_pa_tnc_msg_t *this)
 {
 	bio_writer_t *writer;
 	enumerator_t *enumerator;
 	pa_tnc_attr_t *attr;
 	enum_name_t *pa_attr_names;
-	pen_t vendor_id;
-	u_int32_t type;
+	pen_type_t type;
 	u_int8_t flags;
 	chunk_t value;
-	rng_t *rng;
+	nonce_gen_t *ng;
 
-	/* create a random message identifier */
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	rng->get_bytes(rng, sizeof(this->identifier), (u_int8_t*)&this->identifier);
-	rng->destroy(rng);
-	DBG2(DBG_TNC, "creating PA-TNC message with ID 0x%08x", this->identifier);
+	/* generate a nonce as a message identifier */
+	ng = lib->crypto->create_nonce_gen(lib->crypto);
+	if (!ng || !ng->get_nonce(ng, 4, (u_int8_t*)&this->identifier))
+	{
+		DBG1(DBG_TNC, "failed to generate random PA-TNC message identifier");
+		DESTROY_IF(ng);
+		return FALSE;
+	}
+	ng->destroy(ng);
+	DBG1(DBG_TNC, "creating PA-TNC message with ID 0x%08x", this->identifier);
 
 	/* build message header */
-	writer = bio_writer_create(PA_TNC_HEADER_SIZE);
+	writer = bio_writer_create(this->msg_len);
 	writer->write_uint8 (writer, PA_TNC_VERSION);
 	writer->write_uint24(writer, PA_TNC_RESERVED);
 	writer->write_uint32(writer, this->identifier);
 
-	/* build and append encoding of PA-TNC attributes */
+	/* append encoded value of PA-TNC attributes */
 	enumerator = this->attributes->create_enumerator(this->attributes);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
-		attr->build(attr);
-		vendor_id = attr->get_vendor_id(attr);
-		type = attr->get_type(attr);
+		type  = attr->get_type(attr);
 		value = attr->get_value(attr);
 		flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
 											  PA_TNC_ATTR_FLAG_NONE;
 
 		pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
-														  vendor_id);
+														  type.vendor_id);
 		if (pa_attr_names)
 		{
 			DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' "
-						  "0x%06x/0x%08x", pen_names, vendor_id,
-						   pa_attr_names, type, vendor_id, type);
+						  "0x%06x/0x%08x", pen_names, type.vendor_id,
+						   pa_attr_names, type.type, type.vendor_id, type.type);
 		}
 		else
 		{
 			DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' "
-						  "0x%06x/0x%08x", pen_names, vendor_id,
-						   vendor_id, type);
+						  "0x%06x/0x%08x", pen_names, type.vendor_id,
+						   type.vendor_id, type.type);
 		}
 		DBG3(DBG_TNC, "%B", &value);
 
 		writer->write_uint8 (writer, flags);
-		writer->write_uint24(writer, vendor_id);
-		writer->write_uint32(writer, type);
+		writer->write_uint24(writer, type.vendor_id);
+		writer->write_uint32(writer, type.type);
 		writer->write_uint32(writer, PA_TNC_ATTR_HEADER_SIZE + value.len);
 		writer->write_data  (writer, value);
 	}
 	enumerator->destroy(enumerator);
 
 	free(this->encoding.ptr);
-	this->encoding = chunk_clone(writer->get_buf(writer));
+	this->encoding = writer->extract_buf(writer);
 	writer->destroy(writer);
+
+	return TRUE;
 }
 
 METHOD(pa_tnc_msg_t, process, status_t,
@@ -179,6 +207,7 @@ METHOD(pa_tnc_msg_t, process, status_t,
 	pa_tnc_attr_t *error;
 	u_int8_t version;
 	u_int32_t reserved, offset, attr_offset;
+	pen_type_t error_code = { PEN_IETF, PA_ERROR_INVALID_PARAMETER };
 
 	/* process message header */
 	if (this->encoding.len < PA_TNC_HEADER_SIZE)
@@ -191,16 +220,16 @@ METHOD(pa_tnc_msg_t, process, status_t,
 	reader->read_uint8 (reader, &version);
 	reader->read_uint24(reader, &reserved);
 	reader->read_uint32(reader, &this->identifier);
-	DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
+	DBG1(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
 
 	if (version != PA_TNC_VERSION)
 	{
 		DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
-		error = ietf_attr_pa_tnc_error_create(PEN_IETF,
-					PA_ERROR_VERSION_NOT_SUPPORTED, this->encoding);
+		error_code = pen_type_create(PEN_IETF, PA_ERROR_VERSION_NOT_SUPPORTED);
+		error = ietf_attr_pa_tnc_error_create(error_code, this->encoding);
 		goto err;
 	}
-	
+
 	/* offset of the first PA-TNC attribute in the PA-TNC message */
 	offset = PA_TNC_HEADER_SIZE;
 
@@ -241,22 +270,32 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		{
 			DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
 						   length);
-			error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
-						PA_ERROR_INVALID_PARAMETER, this->encoding,
-						offset + PA_TNC_ATTR_INFO_SIZE);
+			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
 			goto err;
 		}
 
 		if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
 		{
 			DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
-			error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
-						PA_ERROR_INVALID_PARAMETER, this->encoding,
-						offset + PA_TNC_ATTR_INFO_SIZE);
-			goto err; 
-		} 
+			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
+			goto err;
+		}
 		DBG3(DBG_TNC, "%B", &value);
 
+		if (vendor_id == PEN_RESERVED)
+		{
+			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding, offset + 1);
+			goto err;
+		}
+		if (type == IETF_ATTR_RESERVED)
+		{
+			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding, offset + 4);
+			goto err;
+		}
 		attr = imcv_pa_tnc_attributes->create(imcv_pa_tnc_attributes,
 											  vendor_id, type, value);
 		if (!attr)
@@ -264,8 +303,10 @@ METHOD(pa_tnc_msg_t, process, status_t,
 			if (flags & PA_TNC_ATTR_FLAG_NOSKIP)
 			{
 				DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
-				error = ietf_attr_pa_tnc_error_create(PEN_IETF,
-							PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, this->encoding);
+				error_code = pen_type_create(PEN_IETF,
+											 PA_ERROR_ATTR_TYPE_NOT_SUPPORTED);
+				error = ietf_attr_pa_tnc_error_create(error_code,
+							this->encoding);
 				error_attr = (ietf_attr_pa_tnc_error_t*)error;
 				error_attr->set_attr_info(error_attr, attr_info);
 				goto err;
@@ -287,12 +328,14 @@ METHOD(pa_tnc_msg_t, process, status_t,
 				reader->destroy(reader);
 				return FAILED;
 			}
-			error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
-						PA_ERROR_INVALID_PARAMETER, this->encoding,
+			error_code = pen_type_create(PEN_IETF,
+										 PA_ERROR_INVALID_PARAMETER);
+			error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding,
 						offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
 			goto err;
 		}
-		add_attribute(this, attr);
+		this->attributes->insert_last(this->attributes, attr);
 		offset += length;
 	}
 
@@ -302,8 +345,8 @@ METHOD(pa_tnc_msg_t, process, status_t,
 		return SUCCESS;
 	}
 	DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
-	error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
-				PA_ERROR_INVALID_PARAMETER, this->encoding, offset);
+	error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+						this->encoding, offset);
 
 err:
 	reader->destroy(reader);
@@ -316,50 +359,47 @@ METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool,
 {
 	enumerator_t *enumerator;
 	pa_tnc_attr_t *attr;
+	pen_type_t type;
 	bool fatal_error = FALSE;
 
 	enumerator = this->attributes->create_enumerator(this->attributes);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
-		if (attr->get_vendor_id(attr) == PEN_IETF &&
-			attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PA_TNC_ERROR)
 		{
 			ietf_attr_pa_tnc_error_t *error_attr;
-			pen_t error_vendor_id;
-			pa_tnc_error_code_t error_code;
+			pen_type_t error_code;
 			chunk_t msg_info, attr_info;
 			u_int32_t offset;
 
 			error_attr = (ietf_attr_pa_tnc_error_t*)attr;
-			error_vendor_id = error_attr->get_vendor_id(error_attr);
 			error_code = error_attr->get_error_code(error_attr);
 			msg_info = error_attr->get_msg_info(error_attr);
 
 			/* skip errors from non-IETF namespaces */
-			if (error_vendor_id != PEN_IETF)
+			if (error_code.vendor_id != PEN_IETF)
 			{
 				continue;
 			}
-			DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message "
-				 "0x%08x/0x%08x", pa_tnc_error_code_names, error_code,
+			DBG1(DBG_TNC, "received PA-TNC error '%N' concerning message "
+				 "0x%08x/0x%08x", pa_tnc_error_code_names, error_code.type,
 				 untoh32(msg_info.ptr), untoh32(msg_info.ptr + 4));
 
-			switch (error_code)
+			switch (error_code.type)
 			{
 				case PA_ERROR_INVALID_PARAMETER:
 					offset = error_attr->get_offset(error_attr);
-					DBG1(DBG_IMC, "  occurred at offset of %u bytes", offset);
+					DBG1(DBG_TNC, "  occurred at offset of %u bytes", offset);
 					break;
 				case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
 					attr_info = error_attr->get_attr_info(error_attr);
-					DBG1(DBG_IMC, "  unsupported attribute %#B", &attr_info);
+					DBG1(DBG_TNC, "  unsupported attribute %#B", &attr_info);
 					break;
 				default:
 					break;
 			}
-
-			/* remove the processed IETF standard error attribute */
-			this->attributes->remove_at(this->attributes, enumerator);
 			fatal_error = TRUE;
 		}
 	}
@@ -384,7 +424,7 @@ METHOD(pa_tnc_msg_t, destroy, void,
 	private_pa_tnc_msg_t *this)
 {
 	this->attributes->destroy_offset(this->attributes,
-									 offsetof(pa_tnc_attr_t, destroy)); 
+									 offsetof(pa_tnc_attr_t, destroy));
 	this->errors->destroy_offset(this->errors,
 									 offsetof(pa_tnc_attr_t, destroy));
 	free(this->encoding.ptr);
@@ -394,7 +434,7 @@ METHOD(pa_tnc_msg_t, destroy, void,
 /**
  * See header
  */
-pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
+pa_tnc_msg_t *pa_tnc_msg_create(size_t max_msg_len)
 {
 	private_pa_tnc_msg_t *this;
 
@@ -409,9 +449,10 @@ pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
 			.create_error_enumerator = _create_error_enumerator,
 			.destroy = _destroy,
 		},
-		.encoding = chunk_clone(data),
 		.attributes = linked_list_create(),
 		.errors = linked_list_create(),
+		.msg_len = PA_TNC_HEADER_SIZE,
+		.max_msg_len = max_msg_len,
 	);
 
 	return &this->public;
@@ -420,8 +461,26 @@ pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
 /**
  * See header
  */
-pa_tnc_msg_t *pa_tnc_msg_create(void)
+pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
 {
-	return pa_tnc_msg_create_from_data(chunk_empty);
+	private_pa_tnc_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.add_attribute = _add_attribute,
+			.build = _build,
+			.process = _process,
+			.process_ietf_std_errors = _process_ietf_std_errors,
+			.create_attribute_enumerator = _create_attribute_enumerator,
+			.create_error_enumerator = _create_error_enumerator,
+			.destroy = _destroy,
+		},
+		.encoding = chunk_clone(data),
+		.attributes = linked_list_create(),
+		.errors = linked_list_create(),
+	);
+
+	return &this->public;
 }
 
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h
index c3ce829d5..218d3d673 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.h
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pa_tnc_msg pa_tnc_msg
- * @{ @ingroup libimcv
+ * @{ @ingroup pa_tnc
  */
 
 #ifndef PA_TNC_MSG_H_
@@ -46,13 +46,16 @@ struct pa_tnc_msg_t {
 	 * Add a PA-TNC attribute
 	 *
 	 * @param attr				PA-TNC attribute to be addedd
+	 * @return					TRUE if attribute fit into message and was added
 	 */
-	void (*add_attribute)(pa_tnc_msg_t *this, pa_tnc_attr_t* attr);
+	bool (*add_attribute)(pa_tnc_msg_t *this, pa_tnc_attr_t* attr);
 
 	/**
 	 * Build the PA-TNC message
+	 *
+	 * @return					TRUE if PA-TNC message was built successfully
 	 */
-	void (*build)(pa_tnc_msg_t *this);
+	bool (*build)(pa_tnc_msg_t *this);
 
 	/**
 	 * Process the PA-TNC message
@@ -62,7 +65,7 @@ struct pa_tnc_msg_t {
 	status_t (*process)(pa_tnc_msg_t *this);
 
 	/**
-	 * Process and remove all IETF standard error PA-TNC attributes
+	 * Process all IETF standard error PA-TNC attributes
 	 *
 	 * @return					TRUE if at least one error attribute processed
 	 */
@@ -91,7 +94,7 @@ struct pa_tnc_msg_t {
 /**
  * Create an empty PA-TNC message
  */
-pa_tnc_msg_t* pa_tnc_msg_create(void);
+pa_tnc_msg_t* pa_tnc_msg_create(size_t max_msg_len);
 
 /**
  * Create an unprocessed PA-TNC message from received data
diff --git a/src/libimcv/plugins/imc_os/Makefile.am b/src/libimcv/plugins/imc_os/Makefile.am
new file mode 100644
index 000000000..83c46558b
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = \
+	-rdynamic
+
+imcv_LTLIBRARIES = imc-os.la
+
+imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imc_os_la_SOURCES = imc_os.c imc_os_state.h imc_os_state.c
+
+imc_os_la_LDFLAGS = -module -avoid-version
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
new file mode 100644
index 000000000..729fa8478
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -0,0 +1,671 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libimcv/plugins/imc_os
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(imcvdir)"
+LTLIBRARIES = $(imcv_LTLIBRARIES)
+imc_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_imc_os_la_OBJECTS = imc_os.lo imc_os_state.lo
+imc_os_la_OBJECTS = $(am_imc_os_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(imc_os_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(imc_os_la_SOURCES)
+DIST_SOURCES = $(imc_os_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = \
+	-rdynamic
+
+imcv_LTLIBRARIES = imc-os.la
+imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imc_os_la_SOURCES = imc_os.c imc_os_state.h imc_os_state.c
+imc_os_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imc_os/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libimcv/plugins/imc_os/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
+	}
+
+uninstall-imcvLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \
+	done
+
+clean-imcvLTLIBRARIES:
+	-test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES)
+	@list='$(imcv_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+imc-os.la: $(imc_os_la_OBJECTS) $(imc_os_la_DEPENDENCIES) $(EXTRA_imc_os_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imc_os_la_LINK) -rpath $(imcvdir) $(imc_os_la_OBJECTS) $(imc_os_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_os.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_os_state.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(imcvdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-imcvLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-imcvLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-imcvLTLIBRARIES clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-imcvLTLIBRARIES install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-imcvLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
new file mode 100644
index 000000000..2558be9f8
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -0,0 +1,628 @@
+/*
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_os_state.h"
+
+#include <imc/imc_agent.h>
+#include <imc/imc_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_default_pwd_enabled.h>
+#include <ietf/ietf_attr_fwd_enabled.h>
+#include <ietf/ietf_attr_installed_packages.h>
+#include <ietf/ietf_attr_numeric_version.h>
+#include <ietf/ietf_attr_op_status.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_settings.h>
+#include <ita/ita_attr_angel.h>
+#include <ita/ita_attr_device_id.h>
+#include <os_info/os_info.h>
+
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+/* IMC definitions */
+
+static const char imc_name[] = "OS";
+
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+static imc_agent_t *imc_os;
+static os_info_t *os;
+
+/**
+ * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
+							  TNC_Version min_version,
+							  TNC_Version max_version,
+							  TNC_Version *actual_version)
+{
+	if (imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
+		return TNC_RESULT_ALREADY_INITIALIZED;
+	}
+	imc_os = imc_agent_create(imc_name, msg_types, countof(msg_types),
+							  imc_id, actual_version);
+	if (!imc_os)
+	{
+		return TNC_RESULT_FATAL;
+	}
+
+	os = os_info_create();
+	if (!os)
+	{
+		imc_os->destroy(imc_os);
+		imc_os = NULL;
+
+		return TNC_RESULT_FATAL;
+	}
+
+	if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
+	{
+		DBG1(DBG_IMC, "no common IF-IMC version");
+		return TNC_RESULT_NO_COMMON_VERSION;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.2 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_ConnectionState new_state)
+{
+	imc_state_t *state;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imc_os_state_create(connection_id);
+			return imc_os->create_state(imc_os, state);
+		case TNC_CONNECTION_STATE_HANDSHAKE:
+			if (imc_os->change_state(imc_os, connection_id, new_state,
+				&state) != TNC_RESULT_SUCCESS)
+			{
+				return TNC_RESULT_FATAL;
+			}
+			state->set_result(state, imc_id,
+							  TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			return TNC_RESULT_SUCCESS;
+		case TNC_CONNECTION_STATE_DELETE:
+			return imc_os->delete_state(imc_os, connection_id);
+		default:
+			return imc_os->change_state(imc_os, connection_id,
+											 new_state, NULL);
+	}
+}
+
+/**
+ * Add IETF Product Information attribute to the send queue
+ */
+static void add_product_info(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	os_type_t os_type;
+	pen_t vendor_id = PEN_IETF;
+	int i;
+
+	typedef struct vendor_pen_t {
+		os_type_t os_type;
+		pen_t pen;
+	} vendor_pen_t;
+
+	vendor_pen_t vendor_pens[] = {
+		{ OS_TYPE_DEBIAN,  PEN_DEBIAN },
+		{ OS_TYPE_UBUNTU,  PEN_CANONICAL },
+		{ OS_TYPE_FEDORA,  PEN_FEDORA },
+		{ OS_TYPE_REDHAT,  PEN_REDHAT },
+		{ OS_TYPE_ANDROID, PEN_GOOGLE }
+	};
+
+	os_type = os->get_type(os);
+	for (i = 0; i < countof(vendor_pens); i++)
+	{
+		if (os_type == vendor_pens[i].os_type)
+		{
+			vendor_id = vendor_pens[i].pen;
+			break;
+		}
+	}
+	attr = ietf_attr_product_info_create(vendor_id, 0, os->get_name(os));
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Numeric Version attribute to the send queue
+ */
+static void add_numeric_version(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	u_int32_t major, minor;
+
+	os->get_numeric_version(os, &major, &minor);
+	DBG1(DBG_IMC, "operating system numeric version is %d.%d",
+				   major, minor);
+
+	attr = ietf_attr_numeric_version_create(major, minor, 0, 0, 0);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF String Version attribute to the send queue
+ */
+static void add_string_version(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+
+	attr = ietf_attr_string_version_create(os->get_version(os),
+										   chunk_empty, chunk_empty);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Operational Status attribute to the send queue
+ */
+static void add_op_status(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	time_t uptime, last_boot;
+
+	uptime = os->get_uptime(os);
+	last_boot = uptime ? time(NULL) - uptime : UNDEFINED_TIME;
+	if (last_boot != UNDEFINED_TIME)
+	{
+		DBG1(DBG_IMC, "last boot: %T, %u s ago", &last_boot, TRUE, uptime);
+	}
+	attr = ietf_attr_op_status_create(OP_STATUS_OPERATIONAL,
+									  OP_RESULT_SUCCESSFUL, last_boot);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Forwarding Enabled attribute to the send queue
+ */
+static void add_fwd_enabled(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	os_fwd_status_t fwd_status;
+
+	fwd_status = os->get_fwd_status(os);
+	DBG1(DBG_IMC, "IPv4 forwarding is %N",
+				   os_fwd_status_names, fwd_status);
+	attr = ietf_attr_fwd_enabled_create(fwd_status);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add IETF Factory Default Password Enabled attribute to the send queue
+ */
+static void add_default_pwd_enabled(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+
+	DBG1(DBG_IMC, "factory default password is disabled");
+	attr = ietf_attr_default_pwd_enabled_create(FALSE);
+	msg->add_attribute(msg, attr);
+}
+
+/**
+ * Add ITA Device ID attribute to the send queue
+ */
+static void add_device_id(imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr;
+	chunk_t value;
+	char *name;
+
+	name = os->get_type(os) == OS_TYPE_ANDROID ?
+				  "android_id" : "/var/lib/dbus/machine-id";
+	value = os->get_setting(os, name);
+
+	if (value.len == 0)
+	{
+		DBG1(DBG_IMC, "no device ID available");
+		return;
+	}
+
+	/* trim trailing newline character */
+	if (value.ptr[value.len - 1] == '\n')
+	{
+		value.len--;
+	}
+
+	DBG1(DBG_IMC, "device ID is %.*s", value.len, value.ptr);
+	attr = ita_attr_device_id_create(value);
+	msg->add_attribute(msg, attr);
+	free(value.ptr);
+}
+
+/**
+ * Add an IETF Installed Packages attribute to the send queue
+ */
+static void add_installed_packages(imc_state_t *state, imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr = NULL, *attr_angel;
+	ietf_attr_installed_packages_t *attr_cast;
+	enumerator_t *enumerator;
+	chunk_t name, version;
+	size_t max_attr_size, attr_size, entry_size;
+	bool first = TRUE;
+
+	/**
+	 * Compute the maximum IETF Installed Packages attribute size
+	 * leaving space for an additional ITA Angel attribute
+	 */
+	max_attr_size = state->get_max_msg_len(state) - 8 - 12;
+
+	/* At least one IETF Installed Packages attribute is sent */
+	attr = ietf_attr_installed_packages_create();
+	attr_size = 12 + 4;
+
+	enumerator = os->create_package_enumerator(os);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &name, &version))
+		{
+			DBG2(DBG_IMC, "package '%.*s' (%.*s)",
+						   name.len, name.ptr, version.len, version.ptr);
+
+			entry_size = 2 + name.len + version.len;
+			if (attr_size + entry_size > max_attr_size)
+			{
+				if (first)
+				{
+					/**
+					 * Send an ITA Start Angel attribute to the IMV signalling
+					 * that multiple ITA Installed Package attributes follow.
+					 */
+					attr_angel = ita_attr_angel_create(TRUE);
+					msg->add_attribute(msg, attr_angel);
+					first = FALSE;
+				}
+				msg->add_attribute(msg, attr);
+
+				/* create the next IETF Installed Packages attribute */
+				attr = ietf_attr_installed_packages_create();
+				attr_size = 12 + 4;
+			}
+			attr_cast = (ietf_attr_installed_packages_t*)attr;
+			attr_cast->add(attr_cast, name, version);
+			attr_size += entry_size;
+		}
+		enumerator->destroy(enumerator);
+	}
+	msg->add_attribute(msg, attr);
+
+	if (!first)
+	{
+		/**
+		 * If we sent an ITA Start Angel attribute in the first place,
+		 * terminate by appending a matching ITA Stop Angel attribute.
+		 */
+		attr_angel = ita_attr_angel_create(FALSE);
+		msg->add_attribute(msg, attr_angel);
+	}
+}
+
+/**
+ * Add ITA Settings attribute to the send queue
+ */
+static void add_settings(enumerator_t *enumerator, imc_msg_t *msg)
+{
+	pa_tnc_attr_t *attr = NULL;
+	ita_attr_settings_t *attr_cast;
+	chunk_t value;
+	char *name;
+	bool first = TRUE;
+
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		DBG1(DBG_IMC, "setting '%s'", name);
+
+		value = os->get_setting(os, name);
+		if (!value.ptr)
+		{
+			continue;
+		}
+		if (first)
+		{
+			attr = ita_attr_settings_create();
+			first = FALSE;
+		}
+		attr_cast = (ita_attr_settings_t*)attr;
+		attr_cast->add(attr_cast, name, value);
+		chunk_free(&value);
+	}
+
+	if (attr)
+	{
+		msg->add_attribute(msg, attr);
+	}
+}
+
+/**
+ * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
+								  TNC_ConnectionID connection_id)
+{
+	imc_state_t *state;
+	imc_msg_t *out_msg;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_os->get_state(imc_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	if (lib->settings->get_bool(lib->settings,
+								"libimcv.plugins.imc-os.push_info", TRUE))
+	{
+		out_msg = imc_msg_create(imc_os, state, connection_id, imc_id,
+								 TNC_IMVID_ANY, msg_types[0]);
+		add_product_info(out_msg);
+		add_string_version(out_msg);
+		add_numeric_version(out_msg);
+		add_op_status(out_msg);
+		add_fwd_enabled(out_msg);
+		add_default_pwd_enabled(out_msg);
+		add_device_id(out_msg);
+
+		/* send PA-TNC message with the excl flag not set */
+		result = out_msg->send(out_msg, FALSE);
+		out_msg->destroy(out_msg);
+	}
+
+	return result;
+}
+
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
+{
+	imc_msg_t *out_msg;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	bool fatal_error = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+	out_msg = imc_msg_create_as_reply(in_msg);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF)
+		{
+			if (type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
+			{
+				ietf_attr_attr_request_t *attr_cast;
+				pen_type_t *entry;
+				enumerator_t *e;
+
+				attr_cast = (ietf_attr_attr_request_t*)attr;
+
+				e = attr_cast->create_enumerator(attr_cast);
+				while (e->enumerate(e, &entry))
+				{
+					if (entry->vendor_id == PEN_IETF)
+					{
+						switch (entry->type)
+						{
+							case IETF_ATTR_PRODUCT_INFORMATION:
+								add_product_info(out_msg);
+								break;
+							case IETF_ATTR_STRING_VERSION:
+								add_string_version(out_msg);
+								break;
+							case IETF_ATTR_NUMERIC_VERSION:
+								add_numeric_version(out_msg);
+								break;
+							case IETF_ATTR_OPERATIONAL_STATUS:
+								add_op_status(out_msg);
+								break;
+							case IETF_ATTR_FORWARDING_ENABLED:
+								add_fwd_enabled(out_msg);
+								break;
+							case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+								add_default_pwd_enabled(out_msg);
+								break;
+							case IETF_ATTR_INSTALLED_PACKAGES:
+								add_installed_packages(state, out_msg);
+								break;
+							default:
+								break;
+						}
+					}
+					else if (entry->vendor_id == PEN_ITA)
+					{
+						switch (entry->type)
+						{
+							case ITA_ATTR_DEVICE_ID:
+								add_device_id(out_msg);
+								break;
+							default:
+								break;
+						}
+					}
+				}
+				e->destroy(e);
+			}
+		}
+		else if (type.vendor_id == PEN_ITA && type.type == ITA_ATTR_GET_SETTINGS)
+		{
+			ita_attr_get_settings_t *attr_cast;
+			enumerator_t *e;
+
+			attr_cast = (ita_attr_get_settings_t*)attr;
+
+			e = attr_cast->create_enumerator(attr_cast);
+			add_settings(e, out_msg);
+			e->destroy(e);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (fatal_error)
+	{
+		result = TNC_RESULT_FATAL;
+	}
+	else
+	{
+		result = out_msg->send(out_msg, TRUE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.4 of TCG TNC IF-IMC Specification 1.3
+
+ */
+TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
+								  TNC_ConnectionID connection_id,
+								  TNC_BufferReference msg,
+								  TNC_UInt32 msg_len,
+								  TNC_MessageType msg_type)
+{
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_os->get_state(imc_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_data(imc_os, state, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
+ */
+TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
+									  TNC_ConnectionID connection_id,
+									  TNC_UInt32 msg_flags,
+									  TNC_BufferReference msg,
+									  TNC_UInt32 msg_len,
+									  TNC_VendorID msg_vid,
+									  TNC_MessageSubtype msg_subtype,
+									  TNC_UInt32 src_imv_id,
+									  TNC_UInt32 dst_imc_id)
+{
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_os->get_state(imc_os, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_os, state, connection_id,
+								src_imv_id, dst_imc_id,msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+/**
+ * see section 3.8.7 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
+							   TNC_ConnectionID connection_id)
+{
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.8.8 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
+{
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	imc_os->destroy(imc_os);
+	imc_os = NULL;
+
+	os->destroy(os);
+	os = NULL;
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
+									   TNC_TNCC_BindFunctionPointer bind_function)
+{
+	if (!imc_os)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imc_os->bind_functions(imc_os, bind_function);
+}
diff --git a/src/libimcv/plugins/imc_os/imc_os_state.c b/src/libimcv/plugins/imc_os/imc_os_state.c
new file mode 100644
index 000000000..f49959ab9
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os_state.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_os_state.h"
+
+#include <tncif_names.h>
+
+#include <utils/debug.h>
+
+typedef struct private_imc_os_state_t private_imc_os_state_t;
+
+/**
+ * Private data of an imc_os_state_t object.
+ */
+struct private_imc_os_state_t {
+
+	/**
+	 * Public members of imc_os_state_t
+	 */
+	imc_os_state_t public;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * TNCCS connection state
+	 */
+	TNC_ConnectionState state;
+
+	/**
+	 * Assessment/Evaluation Result
+	 */
+	TNC_IMV_Evaluation_Result result;
+
+	/**
+	 * Does the TNCCS connection support long message types?
+	 */
+	bool has_long;
+
+	/**
+	 * Does the TNCCS connection support exclusive delivery?
+	 */
+	bool has_excl;
+
+	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+};
+
+METHOD(imc_state_t, get_connection_id, TNC_ConnectionID,
+	private_imc_os_state_t *this)
+{
+	return this->connection_id;
+}
+
+METHOD(imc_state_t, has_long, bool,
+	private_imc_os_state_t *this)
+{
+	return this->has_long;
+}
+
+METHOD(imc_state_t, has_excl, bool,
+	private_imc_os_state_t *this)
+{
+	return this->has_excl;
+}
+
+METHOD(imc_state_t, set_flags, void,
+	private_imc_os_state_t *this, bool has_long, bool has_excl)
+{
+	this->has_long = has_long;
+	this->has_excl = has_excl;
+}
+
+METHOD(imc_state_t, set_max_msg_len, void,
+	private_imc_os_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imc_state_t, get_max_msg_len, u_int32_t,
+	private_imc_os_state_t *this)
+{
+	return this->max_msg_len;
+}
+
+METHOD(imc_state_t, change_state, void,
+	private_imc_os_state_t *this, TNC_ConnectionState new_state)
+{
+	this->state = new_state;
+}
+
+METHOD(imc_state_t, set_result, void,
+	private_imc_os_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result result)
+{
+	this->result = result;
+}
+
+METHOD(imc_state_t, get_result, bool,
+	private_imc_os_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result *result)
+{
+	if (result)
+	{
+		*result = this->result;
+	}
+	return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+}
+
+METHOD(imc_state_t, destroy, void,
+	private_imc_os_state_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imc_state_t *imc_os_state_create(TNC_ConnectionID connection_id)
+{
+	private_imc_os_state_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_connection_id = _get_connection_id,
+				.has_long = _has_long,
+				.has_excl = _has_excl,
+				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
+				.change_state = _change_state,
+				.set_result = _set_result,
+				.get_result = _get_result,
+				.destroy = _destroy,
+			},
+		},
+		.state = TNC_CONNECTION_STATE_CREATE,
+		.result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+		.connection_id = connection_id,
+	);
+
+	return &this->public.interface;
+}
+
+
diff --git a/src/libimcv/plugins/imc_os/imc_os_state.h b/src/libimcv/plugins/imc_os/imc_os_state.h
new file mode 100644
index 000000000..366e2b60c
--- /dev/null
+++ b/src/libimcv/plugins/imc_os/imc_os_state.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc_os imc_os
+ * @ingroup libimcv_plugins
+ *
+ * @defgroup imc_os_state_t imc_os_state
+ * @{ @ingroup imc_os
+ */
+
+#ifndef IMC_OS_STATE_H_
+#define IMC_OS_STATE_H_
+
+#include <imc/imc_state.h>
+#include <library.h>
+
+typedef struct imc_os_state_t imc_os_state_t;
+
+/**
+ * Internal state of an imc_os_t connection instance
+ */
+struct imc_os_state_t {
+
+	/**
+	 * imc_state_t interface
+	 */
+	imc_state_t interface;
+};
+
+/**
+ * Create an imc_os_state_t instance
+ *
+ * @param id		connection ID
+ */
+imc_state_t* imc_os_state_create(TNC_ConnectionID id);
+
+#endif /** IMC_OS_STATE_H_ @}*/
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.am b/src/libimcv/plugins/imc_scanner/Makefile.am
index f27d73b67..b294541c4 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.am
+++ b/src/libimcv/plugins/imc_scanner/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imc-scanner.la
 
@@ -12,4 +14,3 @@ imc_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 imc_scanner_la_SOURCES = imc_scanner.c imc_scanner_state.h imc_scanner_state.c
 
 imc_scanner_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 497d317d5..39d3ae685 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,51 +90,86 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imc_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_imc_scanner_la_OBJECTS = imc_scanner.lo imc_scanner_state.lo
 imc_scanner_la_OBJECTS = $(am_imc_scanner_la_OBJECTS)
-imc_scanner_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imc_scanner_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_scanner_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imc_scanner_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imc_scanner_la_SOURCES)
 DIST_SOURCES = $(imc_scanner_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -125,13 +178,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -144,6 +200,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -171,11 +228,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -183,6 +242,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -191,8 +251,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -201,14 +259,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -222,17 +285,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -242,16 +305,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -279,10 +341,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imc-scanner.la
 imc_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -325,7 +391,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -333,6 +398,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -354,8 +421,8 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imc-scanner.la: $(imc_scanner_la_OBJECTS) $(imc_scanner_la_DEPENDENCIES) 
-	$(imc_scanner_la_LINK) -rpath $(imcvdir) $(imc_scanner_la_OBJECTS) $(imc_scanner_la_LIBADD) $(LIBS)
+imc-scanner.la: $(imc_scanner_la_OBJECTS) $(imc_scanner_la_DEPENDENCIES) $(EXTRA_imc_scanner_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imc_scanner_la_LINK) -rpath $(imcvdir) $(imc_scanner_la_OBJECTS) $(imc_scanner_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -367,25 +434,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_scanner_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -492,10 +559,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c
index b24c39c3a..c87e827cd 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -15,17 +16,16 @@
 #include "imc_scanner_state.h"
 
 #include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
 #include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_attr_request.h>
 #include <ietf/ietf_attr_port_filter.h>
 
-#include <tncif_names.h>
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <stdio.h>
 
@@ -33,11 +33,12 @@
 
 static const char imc_name[] = "Scanner";
 
-#define IMC_VENDOR_ID	PEN_ITA
-#define IMC_SUBTYPE		PA_SUBTYPE_ITA_SCANNER
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_VPN }
+};
 
 static imc_agent_t *imc_scanner;
- 
+
 /**
  * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
  */
@@ -51,8 +52,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
 		return TNC_RESULT_ALREADY_INITIALIZED;
 	}
-	imc_scanner = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
-								imc_id, actual_version);
+	imc_scanner = imc_agent_create(imc_name, msg_types, countof(msg_types),
+								   imc_id, actual_version);
 	if (!imc_scanner)
 	{
 		return TNC_RESULT_FATAL;
@@ -84,6 +85,15 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 		case TNC_CONNECTION_STATE_CREATE:
 			state = imc_scanner_state_create(connection_id);
 			return imc_scanner->create_state(imc_scanner, state);
+		case TNC_CONNECTION_STATE_HANDSHAKE:
+			if (imc_scanner->change_state(imc_scanner, connection_id, new_state,
+				&state) != TNC_RESULT_SUCCESS)
+			{
+				return TNC_RESULT_FATAL;
+			}
+			state->set_result(state, imc_id,
+							  TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			return TNC_RESULT_SUCCESS;
 		case TNC_CONNECTION_STATE_DELETE:
 			return imc_scanner->delete_state(imc_scanner, connection_id);
 		default:
@@ -102,6 +112,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 	chunk_t line, token;
 	int n = 0;
 	bool success = FALSE;
+	const char system_v4[]   = "127.0.1.1";
 	const char loopback_v4[] = "127.0.0.1";
 	const char loopback_v6[] = "::1";
 
@@ -109,12 +120,12 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 	file = popen("/bin/netstat -n -l -p -4 -6 --inet", "r");
 	if (!file)
 	{
-		DBG1(DBG_IMC, "Failed to run netstat command");
+		DBG1(DBG_IMC, "failed to run netstat command");
 		return FALSE;
 	}
 
 	/* Read the output a line at a time */
-	while (fgets(buf, BUF_LEN-1, file))
+	while (fgets(buf, sizeof(buf), file))
 	{
 		u_char *pos;
 		u_int8_t new_protocol, protocol;
@@ -123,7 +134,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		enumerator_t *enumerator;
 		bool allowed, found = FALSE;
 
-		DBG2(DBG_IMC, "%.*s", strlen(buf)-1, buf);
+		DBG2(DBG_IMC, "%.*s", (int)(strlen(buf)-1), buf);
 
 		if (n++ < 2)
 		{
@@ -135,7 +146,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		/* Extract the IP protocol type */
 		if (!extract_token(&token, ' ', &line))
 		{
-			DBG1(DBG_IMC, "Protocol field in netstat output not found");
+			DBG1(DBG_IMC, "protocol field in netstat output not found");
 			goto end;
 		}
 		if (match("tcp", &token) || match("tcp6", &token))
@@ -148,7 +159,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		}
 		else
 		{
-			DBG1(DBG_IMC, "Skipped unknown IP protocol in netstat output");
+			DBG1(DBG_IMC, "skipped unknown IP protocol in netstat output");
 			continue;
 		}
 
@@ -163,7 +174,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		}
 		if (token.len == 0)
 		{
-			DBG1(DBG_IMC, "Local Address field in netstat output not found");
+			DBG1(DBG_IMC, "local address field in netstat output not found");
 			goto end;
 		}
 
@@ -172,13 +183,16 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 		while (*--pos != ':' && --token.len);
 		if (*pos != ':')
 		{
-			DBG1(DBG_IMC, "Local port field in netstat output not found");
+			DBG1(DBG_IMC, "local port field in netstat output not found");
 			goto end;
 		}
 		token.len--;
 
-		/* ignore ports of IPv4 and IPv6 loopback interfaces */
-		if ((token.len == strlen(loopback_v4) &&
+		/* ignore ports of IPv4 and IPv6 loopback interfaces
+		   and the internal system IPv4 address */
+		if ((token.len == strlen(system_v4) &&
+				memeq(system_v4, token.ptr, token.len)) ||
+			(token.len == strlen(loopback_v4) &&
 				memeq(loopback_v4, token.ptr, token.len)) ||
 			(token.len == strlen(loopback_v6) &&
 				memeq(loopback_v6, token.ptr, token.len)))
@@ -199,7 +213,7 @@ static bool do_netstat(ietf_attr_port_filter_t *attr)
 			}
 		}
 		enumerator->destroy(enumerator);
-		
+
 		/* Skip the duplicate port entry */
 		if (found)
 		{
@@ -219,12 +233,13 @@ end:
 	return success;
 }
 
-static TNC_Result send_message(TNC_ConnectionID connection_id)
+/**
+ * Add IETF Port Filter attribute to the send queue
+ */
+static TNC_Result add_port_filter(imc_msg_t *msg)
 {
-	pa_tnc_msg_t *msg;
 	pa_tnc_attr_t *attr;
 	ietf_attr_port_filter_t *attr_port_filter;
-	TNC_Result result;
 
 	attr = ietf_attr_port_filter_create();
 	attr->set_noskip_flag(attr, TRUE);
@@ -234,14 +249,9 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
 		attr->destroy(attr);
 		return TNC_RESULT_FATAL;
 	}
-	msg = pa_tnc_msg_create();
 	msg->add_attribute(msg, attr);
-	msg->build(msg);
-	result = imc_scanner->send_message(imc_scanner, connection_id, FALSE, 0,
-									   TNC_IMVID_ANY, msg->get_encoding(msg));	
-	msg->destroy(msg);
 
-	return result;
+	return TNC_RESULT_SUCCESS;
 }
 
 /**
@@ -250,60 +260,108 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 								  TNC_ConnectionID connection_id)
 {
-	if (!imc_scanner)
-	{
-		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return send_message(connection_id);
-}
-
-static TNC_Result receive_message(TNC_IMCID imc_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id)
-{
-	pa_tnc_msg_t *pa_tnc_msg;
 	imc_state_t *state;
-	TNC_Result result;
-	bool fatal_error;
+	imc_msg_t *out_msg;
+	TNC_Result result = TNC_RESULT_SUCCESS;
 
 	if (!imc_scanner)
 	{
 		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-
-	/* get current IMC state */
 	if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
 	{
 		return TNC_RESULT_FATAL;
 	}
+	if (lib->settings->get_bool(lib->settings,
+								"libimcv.plugins.imc-scanner.push_info", TRUE))
+	{
+		out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
+								 TNC_IMVID_ANY, msg_types[0]);
+		result = add_port_filter(out_msg);
+		if (result == TNC_RESULT_SUCCESS)
+		{
+			/* send PA-TNC message with the excl flag not set */
+			result = out_msg->send(out_msg, FALSE);
+		}
+		out_msg->destroy(out_msg);
+	}
 
-	/* parse received PA-TNC message and automatically handle any errors */ 
-	result = imc_scanner->receive_message(imc_scanner, state, msg, msg_vid,
-							msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
+	return result;
+}
+
+static TNC_Result receive_message(imc_msg_t *in_msg)
+{
+	imc_msg_t *out_msg;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	bool fatal_error = FALSE;
 
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
+	out_msg = imc_msg_create_as_reply(in_msg);
 
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-	pa_tnc_msg->destroy(pa_tnc_msg);
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		attr_type = attr->get_type(attr);
 
-	/* if no error occurred then always return the same response */
-	return fatal_error ? TNC_RESULT_FATAL : send_message(connection_id);
+		if (attr_type.vendor_id != PEN_IETF)
+		{
+			continue;
+		}
+		if (attr_type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
+		{
+			ietf_attr_attr_request_t *attr_cast;
+			pen_type_t *entry;
+			enumerator_t *e;
+
+			attr_cast = (ietf_attr_attr_request_t*)attr;
+
+			e = attr_cast->create_enumerator(attr_cast);
+			while (e->enumerate(e, &entry))
+			{
+				if (entry->vendor_id != PEN_IETF)
+				{
+					continue;
+				}
+				switch (entry->type)
+				{
+					case IETF_ATTR_PORT_FILTER:
+						result = add_port_filter(out_msg);
+						break;
+					default:
+						break;
+				}
+			}
+			e->destroy(e);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (fatal_error)
+	{
+		result = TNC_RESULT_FATAL;
+	}
+	else if (result == TNC_RESULT_SUCCESS)
+	{
+		result = out_msg->send(out_msg, TRUE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
 }
 
 /**
  * see section 3.8.4 of TCG TNC IF-IMC Specification 1.3
+
  */
 TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 								  TNC_ConnectionID connection_id,
@@ -311,14 +369,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	if (!imc_scanner)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+
+	in_msg = imc_msg_create_from_data(imc_scanner, state, connection_id,
+									  msg_type, chunk_create(msg, msg_len));
+	result = receive_message(in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMCID_ANY);
+	return result;
 }
 
 /**
@@ -334,9 +404,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
 									  TNC_UInt32 src_imv_id,
 									  TNC_UInt32 dst_imc_id)
 {
-	return receive_message(imc_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imv_id, dst_imc_id);
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_scanner)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_scanner->get_state(imc_scanner, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_scanner, state, connection_id,
+								src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result = receive_message(in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner_state.c b/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
index 563105548..b5a6cdd20 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner_state.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,7 +15,9 @@
 
 #include "imc_scanner_state.h"
 
-#include <debug.h>
+#include <tncif_names.h>
+
+#include <utils/debug.h>
 
 typedef struct private_imc_scanner_state_t private_imc_scanner_state_t;
 
@@ -39,6 +42,11 @@ struct private_imc_scanner_state_t {
 	TNC_ConnectionState state;
 
 	/**
+	 * Assessment/Evaluation Result
+	 */
+	TNC_IMV_Evaluation_Result result;
+
+	/**
 	 * Does the TNCCS connection support long message types?
 	 */
 	bool has_long;
@@ -48,6 +56,10 @@ struct private_imc_scanner_state_t {
 	 */
 	bool has_excl;
 
+	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
 };
 
 METHOD(imc_state_t, get_connection_id, TNC_ConnectionID,
@@ -75,12 +87,42 @@ METHOD(imc_state_t, set_flags, void,
 	this->has_excl = has_excl;
 }
 
+METHOD(imc_state_t, set_max_msg_len, void,
+	private_imc_scanner_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imc_state_t, get_max_msg_len, u_int32_t,
+	private_imc_scanner_state_t *this)
+{
+	return this->max_msg_len;
+}
+
 METHOD(imc_state_t, change_state, void,
 	private_imc_scanner_state_t *this, TNC_ConnectionState new_state)
 {
 	this->state = new_state;
 }
 
+METHOD(imc_state_t, set_result, void,
+	private_imc_scanner_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result result)
+{
+	this->result = result;
+}
+
+METHOD(imc_state_t, get_result, bool,
+	private_imc_scanner_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result *result)
+{
+	if (result)
+	{
+		*result = this->result;
+	}
+	return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+}
+
 METHOD(imc_state_t, destroy, void,
 	private_imc_scanner_state_t *this)
 {
@@ -101,14 +143,19 @@ imc_state_t *imc_scanner_state_create(TNC_ConnectionID connection_id)
 				.has_long = _has_long,
 				.has_excl = _has_excl,
 				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
 				.change_state = _change_state,
+				.set_result = _set_result,
+				.get_result = _get_result,
 				.destroy = _destroy,
 			},
 		},
 		.state = TNC_CONNECTION_STATE_CREATE,
+		.result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
 		.connection_id = connection_id,
 	);
-	
+
 	return &this->public.interface;
 }
 
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner_state.h b/src/libimcv/plugins/imc_scanner/imc_scanner_state.h
index 76aa4165b..3b40575e3 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner_state.h
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner_state.h
@@ -13,9 +13,11 @@
  */
 
 /**
+ * @defgroup imc_scanner imc_scanner
+ * @ingroup libimcv_plugins
  *
  * @defgroup imc_scanner_state_t imc_scanner_state
- * @{ @ingroup imc_scanner_state
+ * @{ @ingroup imc_scanner
  */
 
 #ifndef IMC_SCANNER_STATE_H_
diff --git a/src/libimcv/plugins/imc_test/Makefile.am b/src/libimcv/plugins/imc_test/Makefile.am
index b55e7bcd4..b1a719ab4 100644
--- a/src/libimcv/plugins/imc_test/Makefile.am
+++ b/src/libimcv/plugins/imc_test/Makefile.am
@@ -1,8 +1,10 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imc-test.la
 
@@ -12,4 +14,3 @@ imc_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 imc_test_la_SOURCES = imc_test.c imc_test_state.h imc_test_state.c
 
 imc_test_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index b4e3f8ae0..5cc1f0d7b 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,51 +90,85 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imc_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_imc_test_la_OBJECTS = imc_test.lo imc_test_state.lo
 imc_test_la_OBJECTS = $(am_imc_test_la_OBJECTS)
-imc_test_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_test_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(imc_test_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imc_test_la_SOURCES)
 DIST_SOURCES = $(imc_test_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -125,13 +177,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -144,6 +199,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -171,11 +227,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -183,6 +241,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -191,8 +250,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -201,14 +258,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -222,17 +284,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -242,16 +304,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -279,10 +340,14 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imc-test.la
 imc_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -325,7 +390,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -333,6 +397,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -354,8 +420,8 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imc-test.la: $(imc_test_la_OBJECTS) $(imc_test_la_DEPENDENCIES) 
-	$(imc_test_la_LINK) -rpath $(imcvdir) $(imc_test_la_OBJECTS) $(imc_test_la_LIBADD) $(LIBS)
+imc-test.la: $(imc_test_la_OBJECTS) $(imc_test_la_DEPENDENCIES) $(EXTRA_imc_test_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imc_test_la_LINK) -rpath $(imcvdir) $(imc_test_la_OBJECTS) $(imc_test_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -367,25 +433,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_test_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -492,10 +558,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c
index fe005ed4a..c97d41628 100644
--- a/src/libimcv/plugins/imc_test/imc_test.c
+++ b/src/libimcv/plugins/imc_test/imc_test.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -15,27 +16,27 @@
 #include "imc_test_state.h"
 
 #include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
 #include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ita/ita_attr.h>
 #include <ita/ita_attr_command.h>
+#include <ita/ita_attr_dummy.h>
 
-#include <tncif_names.h>
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /* IMC definitions */
 
 static const char imc_name[] = "Test";
 
-#define IMC_VENDOR_ID	PEN_ITA
-#define IMC_SUBTYPE		PA_SUBTYPE_ITA_TEST
+static pen_type_t msg_types[] = {
+	{ PEN_ITA, PA_SUBTYPE_ITA_TEST }
+};
 
 static imc_agent_t *imc_test;
- 
+
 /**
  * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
  */
@@ -49,7 +50,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
 		return TNC_RESULT_ALREADY_INITIALIZED;
 	}
-	imc_test = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+	imc_test = imc_agent_create(imc_name, msg_types, countof(msg_types),
 								imc_id, actual_version);
 	if (!imc_test)
 	{
@@ -73,9 +74,12 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 	imc_state_t *state;
 	imc_test_state_t *test_state;
 	TNC_Result result;
+	TNC_UInt32 additional_id;
 	char *command;
 	bool retry;
-	int additional_ids;
+	void *pointer;
+	enumerator_t *enumerator;
+	int dummy_size, additional_ids;
 
 	if (!imc_test)
 	{
@@ -88,9 +92,12 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 		case TNC_CONNECTION_STATE_CREATE:
 			command = lib->settings->get_str(lib->settings,
 						 		"libimcv.plugins.imc-test.command", "none");
+			dummy_size = lib->settings->get_int(lib->settings,
+								"libimcv.plugins.imc-test.dummy_size", 0);
 			retry = lib->settings->get_bool(lib->settings,
 								"libimcv.plugins.imc-test.retry", FALSE);
-			state = imc_test_state_create(connection_id, command, retry);
+			state = imc_test_state_create(connection_id, command, dummy_size,
+										  retry);
 
 			result = imc_test->create_state(imc_test, state);
 			if (result != TNC_RESULT_SUCCESS)
@@ -124,6 +131,26 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 								test_state->get_command(test_state));
 				test_state->set_command(test_state, command);
 			}
+
+			state->set_result(state, imc_id, TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+
+			/* Exit if there are no additional IMC IDs */
+			if (!imc_test->count_additional_ids(imc_test))
+			{
+				return result;
+			}
+
+			enumerator = imc_test->create_id_enumerator(imc_test);
+			while (enumerator->enumerate(enumerator, &pointer))
+			{
+				/* interpret pointer as scalar value */
+				additional_id = (TNC_UInt32)pointer;
+
+				state->set_result(state, additional_id,
+								  TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+			enumerator->destroy(enumerator);
+
 			return TNC_RESULT_SUCCESS;
 
 		case TNC_CONNECTION_STATE_DELETE:
@@ -154,29 +181,24 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 	}
 }
 
-static TNC_Result send_message(imc_state_t *state, TNC_UInt32 src_imc_id,
-												   TNC_UInt32 dst_imv_id)
+static TNC_Result send_message(imc_state_t *state, imc_msg_t *out_msg)
 {
 	imc_test_state_t *test_state;
-	pa_tnc_msg_t *msg;
 	pa_tnc_attr_t *attr;
-	bool excl;
-	TNC_ConnectionID connection_id;
-	TNC_Result result;
 
-	connection_id = state->get_connection_id(state);
 	test_state = (imc_test_state_t*)state;
+	if (test_state->get_dummy_size(test_state))
+	{
+		attr = ita_attr_dummy_create(test_state->get_dummy_size(test_state));
+		attr->set_noskip_flag(attr, TRUE);
+		out_msg->add_attribute(out_msg, attr);
+	}
 	attr = ita_attr_command_create(test_state->get_command(test_state));
 	attr->set_noskip_flag(attr, TRUE);
-	msg = pa_tnc_msg_create();
-	msg->add_attribute(msg, attr);
-	msg->build(msg);
-	excl = dst_imv_id != TNC_IMVID_ANY;
-	result = imc_test->send_message(imc_test, connection_id, excl, src_imc_id,
-									dst_imv_id, msg->get_encoding(msg));	
-	msg->destroy(msg);
+	out_msg->add_attribute(out_msg, attr);
 
-	return result;
+	/* send PA-TNC message with the excl flag set */
+	return out_msg->send(out_msg, TRUE);
 }
 
 /**
@@ -186,6 +208,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 								  TNC_ConnectionID connection_id)
 {
 	imc_state_t *state;
+	imc_msg_t *out_msg;
 	enumerator_t *enumerator;
 	void *pointer;
 	TNC_UInt32 additional_id;
@@ -196,15 +219,16 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
-
-	/* get current IMC state */
 	if (!imc_test->get_state(imc_test, connection_id, &state))
 	{
 		return TNC_RESULT_FATAL;
 	}
 
 	/* send PA message for primary IMC ID */
-	result = send_message(state, imc_id, TNC_IMVID_ANY);
+	out_msg = imc_msg_create(imc_test, state, connection_id, imc_id,
+							 TNC_IMVID_ANY, msg_types[0]);
+	result = send_message(state, out_msg);
+	out_msg->destroy(out_msg);
 
 	/* Exit if there are no additional IMC IDs */
 	if (!imc_test->count_additional_ids(imc_test))
@@ -227,74 +251,76 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 	{
 		/* interpret pointer as scalar value */
 		additional_id = (TNC_UInt32)pointer;
-		result = send_message(state, additional_id, TNC_IMVID_ANY);	
+		out_msg = imc_msg_create(imc_test, state, connection_id, additional_id,
+								 TNC_IMVID_ANY, msg_types[0]);
+		result = send_message(state, out_msg);
+		out_msg->destroy(out_msg);
 	}
 	enumerator->destroy(enumerator);
 
 	return result;
 }
 
-static TNC_Result receive_message(TNC_IMCID imc_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id)
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 {
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	imc_state_t *state;
+	imc_msg_t *out_msg;
 	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
 	TNC_Result result;
 	bool fatal_error = FALSE;
 
-	if (!imc_test)
-	{
-		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMC state */
-	if (!imc_test->get_state(imc_test, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	/* parse received PA-TNC message and automatically handle any errors */ 
-	result = imc_test->receive_message(imc_test, state, msg, msg_vid,
-							msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
 
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
-		if (attr->get_vendor_id(attr) == PEN_ITA &&
-			attr->get_type(attr) == ITA_ATTR_COMMAND)
+		attr_type = attr->get_type(attr);
+
+		if (attr_type.vendor_id != PEN_ITA)
+		{
+			continue;
+		}
+		if (attr_type.type == ITA_ATTR_COMMAND)
 		{
 			ita_attr_command_t *ita_attr;
-			char *command;
-	
+
 			ita_attr = (ita_attr_command_t*)attr;
-			command = ita_attr->get_command(ita_attr);
+			DBG1(DBG_IMC, "received command '%s'",
+				 ita_attr->get_command(ita_attr));
+		}
+		else if (attr_type.type == ITA_ATTR_DUMMY)
+		{
+			ita_attr_dummy_t *ita_attr;
+
+			ita_attr = (ita_attr_dummy_t*)attr;
+			DBG1(DBG_IMC, "received dummy attribute value (%d bytes)",
+				 ita_attr->get_size(ita_attr));
 		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
-	/* if no error occurred then always return the same response */
-	return fatal_error ? TNC_RESULT_FATAL :
-						 send_message(state, dst_imc_id, src_imv_id);
+	if (fatal_error)
+	{
+		return TNC_RESULT_FATAL;
+	}
+
+	/* if no assessment result is known then repeat the measurement */
+	if (state->get_result(state, in_msg->get_dst_id(in_msg), NULL))
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+	out_msg = imc_msg_create_as_reply(in_msg);
+ 	result = send_message(state, out_msg);
+	out_msg->destroy(out_msg);
+
+	return result;
 }
 
 /**
@@ -306,14 +332,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_test->get_state(imc_test, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
 
-	return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMCID_ANY);
+	in_msg = imc_msg_create_from_data(imc_test, state, connection_id, msg_type,
+									  chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
@@ -329,9 +367,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
 									  TNC_UInt32 src_imv_id,
 									  TNC_UInt32 dst_imc_id)
 {
-	return receive_message(imc_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imv_id, dst_imc_id);
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_test->get_state(imc_test, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_test, state, connection_id,
+								src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
diff --git a/src/libimcv/plugins/imc_test/imc_test_state.c b/src/libimcv/plugins/imc_test/imc_test_state.c
index 2adfd7d64..e7beca0aa 100644
--- a/src/libimcv/plugins/imc_test/imc_test_state.c
+++ b/src/libimcv/plugins/imc_test/imc_test_state.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,10 +15,13 @@
 
 #include "imc_test_state.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <tncif_names.h>
+
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_imc_test_state_t private_imc_test_state_t;
+typedef struct entry_t entry_t;
 
 /**
  * Private data of an imc_test_state_t object.
@@ -40,6 +44,11 @@ struct private_imc_test_state_t {
 	TNC_ConnectionState state;
 
 	/**
+	 * Assessment/Evaluation Results for all IMC IDs
+	 */
+	linked_list_t *results;
+
+	/**
 	 * Does the TNCCS connection support long message types?
 	 */
 	bool has_long;
@@ -50,11 +59,21 @@ struct private_imc_test_state_t {
 	bool has_excl;
 
 	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+
+	/**
 	 * Command to transmit to IMV
 	 */
 	char *command;
 
 	/**
+	 * Size of the dummy attribute value to transmit to IMV
+	 */
+	int dummy_size;
+
+	/**
 	 * Is it the first handshake?
 	 */
 	bool first_handshake;
@@ -63,7 +82,15 @@ struct private_imc_test_state_t {
 	 * Do a handshake retry
 	 */
 	bool handshake_retry;
-	
+
+};
+
+/**
+ * Stores the Assessment/Evaluation Result for a given IMC ID
+ */
+struct entry_t {
+	TNC_IMCID id;
+	TNC_IMV_Evaluation_Result result;
 };
 
 METHOD(imc_state_t, get_connection_id, TNC_ConnectionID,
@@ -91,15 +118,83 @@ METHOD(imc_state_t, set_flags, void,
 	this->has_excl = has_excl;
 }
 
+METHOD(imc_state_t, set_max_msg_len, void,
+	private_imc_test_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imc_state_t, get_max_msg_len, u_int32_t,
+	private_imc_test_state_t *this)
+{
+	return this->max_msg_len;
+}
+
 METHOD(imc_state_t, change_state, void,
 	private_imc_test_state_t *this, TNC_ConnectionState new_state)
 {
 	this->state = new_state;
 }
 
+METHOD(imc_state_t, set_result, void,
+	private_imc_test_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result result)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	bool found = FALSE;
+
+	enumerator = this->results->create_enumerator(this->results);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			entry->result = result;
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		entry = malloc_thing(entry_t);
+		entry->id = id;
+		entry->result = result;
+		this->results->insert_last(this->results, entry);
+	}
+}
+
+METHOD(imc_state_t, get_result, bool,
+	private_imc_test_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result *result)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	TNC_IMV_Evaluation_Result eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+
+	enumerator = this->results->create_enumerator(this->results);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->id == id)
+		{
+			eval = entry->result;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (result)
+	{
+		*result = eval;
+	}
+	return eval != TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+}
+
 METHOD(imc_state_t, destroy, void,
 	private_imc_test_state_t *this)
 {
+	this->results->destroy_function(this->results, free);
 	free(this->command);
 	free(this);
 }
@@ -120,6 +215,13 @@ METHOD(imc_test_state_t, set_command, void,
 	free(old_command);
 }
 
+METHOD(imc_test_state_t, get_dummy_size, int,
+	private_imc_test_state_t *this)
+{
+	return this->dummy_size;
+}
+
+
 METHOD(imc_test_state_t, is_first_handshake, bool,
 	private_imc_test_state_t *this)
 {
@@ -146,7 +248,7 @@ METHOD(imc_test_state_t, do_handshake_retry, bool,
  * Described in header.
  */
 imc_state_t *imc_test_state_create(TNC_ConnectionID connection_id,
-								   char *command, bool retry)
+								   char *command, int dummy_size, bool retry)
 {
 	private_imc_test_state_t *this;
 
@@ -157,22 +259,28 @@ imc_state_t *imc_test_state_create(TNC_ConnectionID connection_id,
 				.has_long = _has_long,
 				.has_excl = _has_excl,
 				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
 				.change_state = _change_state,
+				.set_result = _set_result,
+				.get_result = _get_result,
 				.destroy = _destroy,
 			},
 			.get_command = _get_command,
 			.set_command = _set_command,
+			.get_dummy_size = _get_dummy_size,
 			.is_first_handshake = _is_first_handshake,
 			.do_handshake_retry = _do_handshake_retry,
 		},
 		.state = TNC_CONNECTION_STATE_CREATE,
+		.results = linked_list_create(),
 		.connection_id = connection_id,
 		.command = strdup(command),
+		.dummy_size = dummy_size,
 		.first_handshake = TRUE,
 		.handshake_retry = retry,
 	);
-	
+
 	return &this->public.interface;
 }
 
-
diff --git a/src/libimcv/plugins/imc_test/imc_test_state.h b/src/libimcv/plugins/imc_test/imc_test_state.h
index d9160df94..5f9ee2537 100644
--- a/src/libimcv/plugins/imc_test/imc_test_state.h
+++ b/src/libimcv/plugins/imc_test/imc_test_state.h
@@ -13,9 +13,11 @@
  */
 
 /**
+ * @defgroup imc_test imc_test
+ * @ingroup libimcv_plugins
  *
  * @defgroup imc_test_state_t imc_test_state
- * @{ @ingroup imc_test_state
+ * @{ @ingroup imc_test
  */
 
 #ifndef IMC_TEST_STATE_H_
@@ -52,6 +54,13 @@ struct imc_test_state_t {
 	void (*set_command)(imc_test_state_t *this, char *command);
 
 	/**
+	 * get the value size of a dummy attribute to send to IMV
+	 *
+	 * @return				size of the dummy attribute value to send to IMV
+	 */
+	int (*get_dummy_size)(imc_test_state_t *this);
+
+	/**
 	 * Test and reset the first handshake flag
 	 *
 	 * @return				TRUE if first handshake
@@ -70,11 +79,12 @@ struct imc_test_state_t {
 /**
  * Create an imc_test_state_t instance
  *
- * @param id		connection ID
- * @param command	command to send to IMV
- * @param retry		TRUE if a handshake retry should be done
+ * @param id			connection ID
+ * @param command		command to send to IMV
+ * @param dummy_size	size of the dummy attribute to send (only if > 0)
+ * @param retry			TRUE if a handshake retry should be done
  */
 imc_state_t* imc_test_state_create(TNC_ConnectionID id, char* command,
-								   bool retry);
+								   int dummy_size, bool retry);
 
 #endif /** IMC_TEST_STATE_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am
new file mode 100644
index 000000000..4713b0913
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/Makefile.am
@@ -0,0 +1,26 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = \
+	-rdynamic
+
+imcv_LTLIBRARIES = imv-os.la
+
+imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imv_os_la_SOURCES = \
+	imv_os.c imv_os_state.h imv_os_state.c \
+	imv_os_agent.h imv_os_agent.c \
+	imv_os_database.c imv_os_database.h
+
+imv_os_la_LDFLAGS = -module -avoid-version
+
+ipsec_PROGRAMS = pacman
+pacman_SOURCES = pacman.c
+pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pacman.o :	$(top_builddir)/config.status
+
+EXTRA_DIST = pacman.sh
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
new file mode 100644
index 000000000..1718be000
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -0,0 +1,741 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pacman$(EXEEXT)
+subdir = src/libimcv/plugins/imv_os
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
+LTLIBRARIES = $(imcv_LTLIBRARIES)
+imv_os_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+am_imv_os_la_OBJECTS = imv_os.lo imv_os_state.lo imv_os_agent.lo \
+	imv_os_database.lo
+imv_os_la_OBJECTS = $(am_imv_os_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@
+PROGRAMS = $(ipsec_PROGRAMS)
+am_pacman_OBJECTS = pacman.$(OBJEXT)
+pacman_OBJECTS = $(am_pacman_OBJECTS)
+pacman_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
+DIST_SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = \
+	-rdynamic
+
+imcv_LTLIBRARIES = imv-os.la
+imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+
+imv_os_la_SOURCES = \
+	imv_os.c imv_os_state.h imv_os_state.c \
+	imv_os_agent.h imv_os_agent.c \
+	imv_os_database.c imv_os_database.h
+
+imv_os_la_LDFLAGS = -module -avoid-version
+pacman_SOURCES = pacman.c
+pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+EXTRA_DIST = pacman.sh
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imv_os/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libimcv/plugins/imv_os/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
+	}
+
+uninstall-imcvLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \
+	done
+
+clean-imcvLTLIBRARIES:
+	-test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES)
+	@list='$(imcv_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+imv-os.la: $(imv_os_la_OBJECTS) $(imv_os_la_DEPENDENCIES) $(EXTRA_imv_os_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imv_os_la_LINK) -rpath $(imcvdir) $(imv_os_la_OBJECTS) $(imv_os_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-ipsecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+
+clean-ipsecPROGRAMS:
+	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+pacman$(EXEEXT): $(pacman_OBJECTS) $(pacman_DEPENDENCIES) $(EXTRA_pacman_DEPENDENCIES) 
+	@rm -f pacman$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(pacman_OBJECTS) $(pacman_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_agent.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_database.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_os_state.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pacman.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+	for dir in "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-imcvLTLIBRARIES clean-ipsecPROGRAMS \
+	clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-imcvLTLIBRARIES install-ipsecPROGRAMS
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-imcvLTLIBRARIES clean-ipsecPROGRAMS clean-libtool ctags \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am \
+	install-imcvLTLIBRARIES install-info install-info-am \
+	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-imcvLTLIBRARIES \
+	uninstall-ipsecPROGRAMS
+
+pacman.o :	$(top_builddir)/config.status
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c
new file mode 100644
index 000000000..ba0fa8153
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_agent.h"
+
+static const char imv_name[] = "OS";
+static const imv_agent_create_t imv_agent_create = imv_os_agent_create;
+
+/* include generic TGC TNC IF-IMV API code below */
+
+#include <imv/imv_if.h>
+
diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c
new file mode 100644
index 000000000..ba3f3afc6
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_agent.c
@@ -0,0 +1,805 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "imv_os_agent.h"
+#include "imv_os_state.h"
+#include "imv_os_database.h"
+
+#include <imcv.h>
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_default_pwd_enabled.h>
+#include <ietf/ietf_attr_fwd_enabled.h>
+#include <ietf/ietf_attr_installed_packages.h>
+#include <ietf/ietf_attr_numeric_version.h>
+#include <ietf/ietf_attr_op_status.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_remediation_instr.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_settings.h>
+#include <ita/ita_attr_angel.h>
+#include <ita/ita_attr_device_id.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_imv_os_agent_t private_imv_os_agent_t;
+typedef enum imv_os_attr_t imv_os_attr_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+static char unknown_source_str[] = "install_non_market_apps";
+
+/**
+ * Flag set when corresponding attribute has been received
+ */
+enum imv_os_attr_t {
+	IMV_OS_ATTR_PRODUCT_INFORMATION =         (1<<0),
+	IMV_OS_ATTR_STRING_VERSION =              (1<<1),
+	IMV_OS_ATTR_NUMERIC_VERSION =             (1<<2),
+	IMV_OS_ATTR_OPERATIONAL_STATUS =          (1<<3),
+	IMV_OS_ATTR_FORWARDING_ENABLED =          (1<<4),
+	IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED = (1<<5),
+	IMV_OS_ATTR_DEVICE_ID =                   (1<<6),
+	IMV_OS_ATTR_MUST =                        (1<<7)-1,
+	IMV_OS_ATTR_INSTALLED_PACKAGES =          (1<<7),
+	IMV_OS_ATTR_SETTINGS =                    (1<<8)
+};
+
+/**
+ * Private data of an imv_os_agent_t object.
+ */
+struct private_imv_os_agent_t {
+
+	/**
+	 * Public members of imv_os_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+	/**
+	 * IMV OS database
+	 */
+	imv_os_database_t *db;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_os_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	TNC_IMV_Action_Recommendation rec;
+	imv_state_t *state;
+	imv_session_t *session;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_os_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+		case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+		case TNC_CONNECTION_STATE_ACCESS_NONE:
+			if (imcv_db && this->agent->get_state(this->agent, id, &state))
+			{
+				switch (new_state)
+				{
+					case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+						rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+						break;
+					case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+						rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
+						break;
+					case TNC_CONNECTION_STATE_ACCESS_NONE:
+					default:
+						rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
+				}
+				session = state->get_session(state);
+				imcv_db->add_recommendation(imcv_db, session, rec);
+				imcv_db->policy_script(imcv_db, session, FALSE);
+			}
+			/* fall through to default state */
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state,
+							  imv_msg_t *in_msg)
+{
+	imv_msg_t *out_msg;
+	imv_os_state_t *os_state;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	bool fatal_error = FALSE, assessment = FALSE;
+
+	os_state = (imv_os_state_t*)state;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	out_msg = imv_msg_create_as_reply(in_msg);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF)
+		{
+			switch (type.type)
+			{
+				case IETF_ATTR_PRODUCT_INFORMATION:
+				{
+					ietf_attr_product_info_t *attr_cast;
+					pen_t vendor_id;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_PRODUCT_INFORMATION);
+					attr_cast = (ietf_attr_product_info_t*)attr;
+					os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
+					if (vendor_id != PEN_IETF)
+					{
+						DBG1(DBG_IMV, "operating system name is '%.*s' "
+									  "from vendor %N", os_name.len, os_name.ptr,
+									   pen_names, vendor_id);
+					}
+					else
+					{
+						DBG1(DBG_IMV, "operating system name is '%.*s'",
+									   os_name.len, os_name.ptr);
+					}
+					break;
+				}
+				case IETF_ATTR_STRING_VERSION:
+				{
+					ietf_attr_string_version_t *attr_cast;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_STRING_VERSION);
+					attr_cast = (ietf_attr_string_version_t*)attr;
+					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+					if (os_version.len)
+					{
+						DBG1(DBG_IMV, "operating system version is '%.*s'",
+									   os_version.len, os_version.ptr);
+					}
+					break;
+				}
+				case IETF_ATTR_NUMERIC_VERSION:
+				{
+					ietf_attr_numeric_version_t *attr_cast;
+					u_int32_t major, minor;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_NUMERIC_VERSION);
+					attr_cast = (ietf_attr_numeric_version_t*)attr;
+					attr_cast->get_version(attr_cast, &major, &minor);
+					DBG1(DBG_IMV, "operating system numeric version is %d.%d",
+								   major, minor);
+					break;
+				}
+				case IETF_ATTR_OPERATIONAL_STATUS:
+				{
+					ietf_attr_op_status_t *attr_cast;
+					op_status_t op_status;
+					op_result_t op_result;
+					time_t last_boot;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_OPERATIONAL_STATUS);
+					attr_cast = (ietf_attr_op_status_t*)attr;
+					op_status = attr_cast->get_status(attr_cast);
+					op_result = attr_cast->get_result(attr_cast);
+					last_boot = attr_cast->get_last_use(attr_cast);
+					DBG1(DBG_IMV, "operational status: %N, result: %N",
+						 op_status_names, op_status, op_result_names, op_result);
+					DBG1(DBG_IMV, "last boot: %T", &last_boot, TRUE);
+					break;
+				}
+				case IETF_ATTR_FORWARDING_ENABLED:
+				{
+					ietf_attr_fwd_enabled_t *attr_cast;
+					os_fwd_status_t fwd_status;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_FORWARDING_ENABLED);
+					attr_cast = (ietf_attr_fwd_enabled_t*)attr;
+					fwd_status = attr_cast->get_status(attr_cast);
+					DBG1(DBG_IMV, "IPv4 forwarding is %N",
+								   os_fwd_status_names, fwd_status);
+					if (fwd_status == OS_FWD_ENABLED)
+					{
+						os_state->set_os_settings(os_state,
+											OS_SETTINGS_FWD_ENABLED);
+					}
+					break;
+				}
+				case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
+				{
+					ietf_attr_default_pwd_enabled_t *attr_cast;
+					bool default_pwd_status;
+
+					state->set_action_flags(state,
+									IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
+					attr_cast = (ietf_attr_default_pwd_enabled_t*)attr;
+					default_pwd_status = attr_cast->get_status(attr_cast);
+					DBG1(DBG_IMV, "factory default password is %sabled",
+								   default_pwd_status ? "en":"dis");
+					if (default_pwd_status)
+					{
+						os_state->set_os_settings(os_state,
+											OS_SETTINGS_DEFAULT_PWD_ENABLED);
+					}
+					break;
+				}
+				case IETF_ATTR_INSTALLED_PACKAGES:
+				{
+					ietf_attr_installed_packages_t *attr_cast;
+					enumerator_t *e;
+					status_t status;
+
+					state->set_action_flags(state,
+											IMV_OS_ATTR_INSTALLED_PACKAGES);
+					if (!this->db)
+					{
+						break;
+					}
+					attr_cast = (ietf_attr_installed_packages_t*)attr;
+
+					e = attr_cast->create_enumerator(attr_cast);
+					status = this->db->check_packages(this->db, os_state, e);
+					e->destroy(e);
+
+					if (status == FAILED)
+					{
+						state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+						assessment = TRUE;
+					}
+					break;
+				}
+				default:
+					break;
+			}
+		}
+		else if (type.vendor_id == PEN_ITA)
+		{
+			switch (type.type)
+			{
+				case ITA_ATTR_SETTINGS:
+				{
+					ita_attr_settings_t *attr_cast;
+					enumerator_t *e;
+					char *name;
+					chunk_t value;
+
+					state->set_action_flags(state, IMV_OS_ATTR_SETTINGS);
+
+					attr_cast = (ita_attr_settings_t*)attr;
+					e = attr_cast->create_enumerator(attr_cast);
+					while (e->enumerate(e, &name, &value))
+					{
+						if (streq(name, unknown_source_str) &&
+							chunk_equals(value, chunk_from_chars('1')))
+						{
+							os_state->set_os_settings(os_state,
+												OS_SETTINGS_UNKNOWN_SOURCE);
+						}
+						DBG1(DBG_IMV, "setting '%s'\n  %.*s",
+							 name, value.len, value.ptr);
+					}
+					e->destroy(e);
+					break;
+				}
+				case ITA_ATTR_DEVICE_ID:
+				{
+					chunk_t value;
+
+					state->set_action_flags(state, IMV_OS_ATTR_DEVICE_ID);
+
+					value = attr->get_value(attr);
+					os_state->set_device_id(os_state, value);
+					DBG1(DBG_IMV, "device ID is %.*s", value.len, value.ptr);
+					break;
+				}
+				case ITA_ATTR_START_ANGEL:
+					os_state->set_angel_count(os_state, TRUE);
+					break;
+				case ITA_ATTR_STOP_ANGEL:
+					os_state->set_angel_count(os_state, FALSE);
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/**
+	 * The IETF Product Information and String Version attributes
+	 * are supposed to arrive in the same PA-TNC message
+	 */
+	if (os_name.len && os_version.len)
+	{
+		os_type_t os_type;
+
+		/* set the OS type, name and version */
+		os_type = os_type_from_name(os_name);
+		os_state->set_info(os_state,os_type, os_name, os_version);
+
+		if (imcv_db)
+		{
+			imcv_db->add_product(imcv_db, state->get_session(state),
+					os_state->get_info(os_state, NULL, NULL, NULL));
+		}
+	}
+
+	if (fatal_error)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		assessment = TRUE;
+	}
+
+	if (assessment)
+	{
+		os_state->set_handshake_state(os_state, IMV_OS_STATE_END);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send PA-TNC message with excl flag set */
+	result = out_msg->send(out_msg, TRUE);
+	out_msg->destroy(out_msg);
+
+	return result;
+ }
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+
+}
+
+/**
+ * Build an IETF Attribute Request attribute for missing attributes
+ */
+static pa_tnc_attr_t* build_attr_request(u_int32_t received)
+{
+	pa_tnc_attr_t *attr;
+	ietf_attr_attr_request_t *attr_cast;
+
+	attr = ietf_attr_attr_request_create(PEN_RESERVED, 0);
+	attr_cast = (ietf_attr_attr_request_t*)attr;
+
+	if (!(received & IMV_OS_ATTR_PRODUCT_INFORMATION) ||
+		!(received & IMV_OS_ATTR_STRING_VERSION))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION);
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
+	}
+	if (!(received & IMV_OS_ATTR_NUMERIC_VERSION))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_NUMERIC_VERSION);
+	}
+	if (!(received & IMV_OS_ATTR_OPERATIONAL_STATUS))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_OPERATIONAL_STATUS);
+	}
+	if (!(received & IMV_OS_ATTR_FORWARDING_ENABLED))
+	{
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FORWARDING_ENABLED);
+	}
+	if (!(received & IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED))
+	{
+		attr_cast->add(attr_cast, PEN_IETF,
+								  IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
+	}
+	if (!(received & IMV_OS_ATTR_DEVICE_ID))
+	{
+		attr_cast->add(attr_cast, PEN_ITA,  ITA_ATTR_DEVICE_ID);
+	}
+
+	return attr;
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id)
+{
+	imv_msg_t *out_msg;
+	imv_state_t *state;
+	imv_session_t *session;
+	imv_workitem_t *workitem;
+	imv_os_state_t *os_state;
+	imv_os_handshake_state_t handshake_state;
+	pa_tnc_attr_t *attr;
+	TNC_IMVID imv_id;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	bool no_workitems = TRUE;
+	enumerator_t *enumerator;
+	u_int32_t received;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	os_state = (imv_os_state_t*)state;
+	handshake_state = os_state->get_handshake_state(os_state);
+	received = state->get_action_flags(state);
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	if (handshake_state == IMV_OS_STATE_END)
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
+	/* create an empty out message - we might need it */
+	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+							 msg_types[0]);
+
+	if (handshake_state == IMV_OS_STATE_INIT)
+	{
+		if ((received & IMV_OS_ATTR_MUST) != IMV_OS_ATTR_MUST)
+		{
+			/* create attribute request for missing mandatory attributes */
+			out_msg->add_attribute(out_msg, build_attr_request(received));
+		}
+	}
+
+	if (handshake_state < IMV_OS_STATE_POLICY_START)
+	{
+		if (((received & IMV_OS_ATTR_PRODUCT_INFORMATION) &&
+			 (received & IMV_OS_ATTR_STRING_VERSION)) &&
+			((received & IMV_OS_ATTR_DEVICE_ID) ||
+			 (handshake_state == IMV_OS_STATE_ATTR_REQ)))
+		{
+			if (imcv_db)
+			{
+				imcv_db->add_device(imcv_db, session,
+								os_state->get_device_id(os_state));
+
+				/* trigger the policy manager */
+				imcv_db->policy_script(imcv_db, session, TRUE);
+			}
+			else
+			{
+				DBG2(DBG_IMV, "no workitems available - no evaluation possible");
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+			handshake_state = IMV_OS_STATE_POLICY_START;
+		}
+		else if (handshake_state == IMV_OS_STATE_ATTR_REQ)
+		{
+			/**
+			 * both the IETF Product Information and IETF String Version
+			 * attribute should have been present
+			 */
+			state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+
+			/* send assessment */
+			result = out_msg->send_assessment(out_msg);
+			out_msg->destroy(out_msg);
+
+			if (result != TNC_RESULT_SUCCESS)
+			{
+				return result;
+			}  
+			return this->agent->provide_recommendation(this->agent, state);
+		}
+		else
+		{
+			handshake_state = IMV_OS_STATE_ATTR_REQ;
+		}
+		os_state->set_handshake_state(os_state, handshake_state);
+	}
+
+	if (handshake_state == IMV_OS_STATE_POLICY_START && session)
+	{
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
+				{
+					continue;
+				}
+
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_PACKAGES:
+						attr = ietf_attr_attr_request_create(PEN_IETF,
+										IETF_ATTR_INSTALLED_PACKAGES);
+						out_msg->add_attribute(out_msg, attr);
+						break;
+					case IMV_WORKITEM_UNKNOWN_SOURCE:
+						attr = ita_attr_get_settings_create(unknown_source_str);
+						out_msg->add_attribute(out_msg, attr);
+						break;
+					case IMV_WORKITEM_FORWARDING:
+					case IMV_WORKITEM_DEFAULT_PWD:
+						break;
+					default:
+						continue;
+				}
+				workitem->set_imv_id(workitem, imv_id);
+				no_workitems = FALSE;
+			}
+			enumerator->destroy(enumerator);
+
+			if (no_workitems)
+			{
+				DBG2(DBG_IMV, "IMV %d has no workitems - "
+							  "no evaluation requested", imv_id);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+			handshake_state = IMV_OS_STATE_WORKITEMS;
+			os_state->set_handshake_state(os_state, handshake_state);
+		}
+	}
+
+	if (handshake_state == IMV_OS_STATE_WORKITEMS && session)
+	{
+		TNC_IMV_Evaluation_Result eval;
+		TNC_IMV_Action_Recommendation rec;
+		char result_str[BUF_LEN];
+		bool fail;
+
+		enumerator = session->create_workitem_enumerator(session);
+		while (enumerator->enumerate(enumerator, &workitem))
+		{
+			if (workitem->get_imv_id(workitem) != imv_id)
+			{
+				continue;
+			}
+			eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+
+			switch (workitem->get_type(workitem))
+			{
+				case IMV_WORKITEM_PACKAGES:
+				{
+					int count, count_update, count_blacklist, count_ok;
+
+					if (!(received & IMV_OS_ATTR_INSTALLED_PACKAGES) ||
+						os_state->get_angel_count(os_state))
+					{
+						continue;
+					}
+					os_state->get_count(os_state, &count, &count_update,
+										&count_blacklist, &count_ok);
+					fail = count_update || count_blacklist;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "processed %d packages: "
+							"%d not updated, %d blacklisted, %d ok, "
+							"%d not found",
+							count, count_update, count_blacklist, count_ok,
+							count - count_update - count_blacklist - count_ok);
+					break;
+				}
+				case IMV_WORKITEM_UNKNOWN_SOURCE:
+					if (!(received & IMV_OS_ATTR_SETTINGS))
+					{
+						continue;
+					}
+					fail = os_state->get_os_settings(os_state) &
+								OS_SETTINGS_UNKNOWN_SOURCE;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "unknown sources%s enabled",
+							 fail ? "" : " not");
+					break;					
+				case IMV_WORKITEM_FORWARDING:
+					if (!(received & IMV_OS_ATTR_FORWARDING_ENABLED))
+					{
+						continue;
+					}
+					fail = os_state->get_os_settings(os_state) &
+								OS_SETTINGS_FWD_ENABLED;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "forwarding%s enabled",
+							 fail ? "" : " not");
+					break;
+				case IMV_WORKITEM_DEFAULT_PWD:
+					if (!(received & IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED))
+					{
+						continue;
+					}
+					fail = os_state->get_os_settings(os_state) &
+								OS_SETTINGS_DEFAULT_PWD_ENABLED;
+					eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR :
+								  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					snprintf(result_str, BUF_LEN, "factory default password%s enabled",
+							 fail ? "" : " not");
+					break;
+				default:
+					continue;
+			}
+			if (eval != TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+			{
+				session->remove_workitem(session, enumerator);
+				rec = workitem->set_result(workitem, result_str, eval);
+				state->update_recommendation(state, rec, eval);
+				imcv_db->finalize_workitem(imcv_db, workitem);
+				workitem->destroy(workitem);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* finalized all workitems ? */
+		if (session->get_workitem_count(session, imv_id) == 0)
+		{
+			os_state->set_handshake_state(os_state, IMV_OS_STATE_END);
+
+			result = out_msg->send_assessment(out_msg);
+			out_msg->destroy(out_msg);
+			if (result != TNC_RESULT_SUCCESS)
+			{
+				return result;
+			}
+			return this->agent->provide_recommendation(this->agent, state);
+		}		
+	}
+
+	/* send non-empty PA-TNC message with excl flag not set */
+	if (out_msg->get_attribute_count(out_msg))
+	{
+		result = out_msg->send(out_msg, FALSE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_os_agent_t *this, TNC_ConnectionID id)
+{
+	imv_state_t *state;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_os_agent_t *this)
+{
+	DESTROY_IF(this->agent);
+	DESTROY_IF(this->db);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_os_agent_create(const char *name, TNC_IMVID id,
+									TNC_Version *actual_version)
+{
+	private_imv_os_agent_t *this;
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+								 actual_version),
+		.db = imv_os_database_create(imcv_db),
+	);
+
+	if (!this->agent)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.h b/src/libimcv/plugins/imv_os/imv_os_agent.h
new file mode 100644
index 000000000..cec1b1f20
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_os_agent_t imv_os_agent
+ * @{ @ingroup imv_os
+ */
+
+#ifndef IMV_OS_AGENT_H_
+#define IMV_OS_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates an OS IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_os_agent_create(const char* name, TNC_IMVID id,
+									TNC_Version *actual_version);
+
+#endif /** IMV_OS_AGENT_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
new file mode 100644
index 000000000..d2a08b0fa
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_database.h"
+
+#include <utils/debug.h>
+
+#include <string.h>
+
+typedef struct private_imv_os_database_t private_imv_os_database_t;
+
+/**
+ * Private data of a imv_os_database_t object.
+ *
+ */
+struct private_imv_os_database_t {
+
+	/**
+	 * Public imv_os_database_t interface.
+	 */
+	imv_os_database_t public;
+
+	/**
+	 * database instance
+	 */
+	database_t *db;
+
+};
+
+METHOD(imv_os_database_t, check_packages, status_t,
+	private_imv_os_database_t *this, imv_os_state_t *state,
+	enumerator_t *package_enumerator)
+{
+	char *product, *package, *release, *cur_release;
+	chunk_t name, version;
+	os_type_t os_type;
+	int pid, gid, security, blacklist;
+	int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0;
+	enumerator_t *e;
+	status_t status = SUCCESS;
+	bool found, match;
+
+	product = state->get_info(state, &os_type, NULL, NULL);
+
+	if (os_type == OS_TYPE_ANDROID)
+	{
+		/*no package dependency on Android version */
+		product = enum_to_name(os_type_names, os_type);
+	}
+	DBG1(DBG_IMV, "processing installed '%s' packages", product);
+
+	/* Get primary key of product */
+	e = this->db->query(this->db,
+				"SELECT id FROM products WHERE name = ?",
+				DB_TEXT, product, DB_INT);
+	if (!e)
+	{
+		return FAILED;
+	}
+	if (!e->enumerate(e, &pid))
+	{
+		e->destroy(e);
+		return NOT_FOUND;
+	}
+	e->destroy(e);
+
+	while (package_enumerator->enumerate(package_enumerator, &name, &version))
+	{
+		/* Convert package name chunk to a string */
+		package = strndup(name.ptr, name.len);
+		count++;
+
+		/* Get primary key of package */
+		e = this->db->query(this->db,
+					"SELECT id FROM packages WHERE name = ?",
+					DB_TEXT, package, DB_INT);
+		if (!e)
+		{
+			free(package);
+			return FAILED;
+		}
+		if (!e->enumerate(e, &gid))
+		{
+			/* package not present in database for any product - skip */
+			if (os_type == OS_TYPE_ANDROID)
+			{
+				DBG2(DBG_IMV, "package '%s' (%.*s) not found",
+					 package, version.len, version.ptr);
+			}
+			free(package);
+			e->destroy(e);
+			continue;
+		}
+		e->destroy(e);
+
+		/* Convert package version chunk to a string */
+		release = strndup(version.ptr, version.len);
+
+		/* Enumerate over all acceptable versions */
+		e = this->db->query(this->db,
+				"SELECT release, security, blacklist FROM versions "
+				"WHERE product = ? AND package = ?",
+				DB_INT, pid, DB_INT, gid, DB_TEXT, DB_INT, DB_INT);
+		if (!e)
+		{
+			free(package);
+			free(release);
+			return FAILED;
+		}
+		found = FALSE;
+		match = FALSE;
+
+		while (e->enumerate(e, &cur_release, &security, &blacklist))
+		{
+			found = TRUE;
+			if (streq(release, cur_release) || streq("*", cur_release))
+			{
+				match = TRUE;
+				break;
+			}
+		}
+		e->destroy(e);
+
+		if (found)
+		{
+			if (match)
+			{
+				if (blacklist)
+				{
+					DBG2(DBG_IMV, "package '%s' (%s) is blacklisted",
+								   package, release);
+					count_blacklist++;
+					state->add_bad_package(state, package,
+										   OS_PACKAGE_STATE_BLACKLIST);
+				}
+				else
+				{
+					DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release,
+								   security ? " [s]" : "");
+					count_ok++;
+				}
+			}
+			else
+			{
+				DBG1(DBG_IMV, "package '%s' (%s) no match", package, release);
+				count_no_match++;
+				state->add_bad_package(state, package,
+									   OS_PACKAGE_STATE_SECURITY);
+			}
+		}
+		else
+		{
+			/* package not present in database for this product - skip */
+		}
+		free(package);
+		free(release);
+	}
+	state->set_count(state, count, count_no_match, count_blacklist, count_ok);
+
+	return status;
+}
+
+METHOD(imv_os_database_t, set_device_info, void,
+	private_imv_os_database_t *this,  int session_id, int count,
+	int count_update, int count_blacklist, u_int flags)
+{
+	this->db->execute(this->db, NULL,
+			"INSERT INTO device_infos (session, count, count_update, "
+			"count_blacklist, flags) VALUES (?, ?, ?, ?, ?)",
+			 DB_INT, session_id, DB_INT, count, DB_INT, count_update,
+			 DB_INT, count_blacklist, DB_UINT, flags);
+}
+
+METHOD(imv_os_database_t, destroy, void,
+	private_imv_os_database_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+imv_os_database_t *imv_os_database_create(imv_database_t *imv_db)
+{
+	private_imv_os_database_t *this;
+
+	if (!imv_db)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.check_packages = _check_packages,
+			.set_device_info = _set_device_info,
+			.destroy = _destroy,
+		},
+		.db = imv_db->get_database(imv_db),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h
new file mode 100644
index 000000000..7b9ef3c33
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_database.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_os_database_t imv_os_database
+ * @{ @ingroup imv_os
+ */
+
+#ifndef IMV_OS_DATABASE_H_
+#define IMV_OS_DATABASE_H_
+
+#include "imv_os_state.h"
+#include "imv/imv_database.h"
+
+#include <library.h>
+
+typedef struct imv_os_database_t imv_os_database_t;
+
+/**
+ * Internal state of an imv_os_database_t instance
+ */
+struct imv_os_database_t {
+
+	/**
+	 * Check Installed Packages for a given OS
+	 *
+	 * @param state					OS IMV state
+	 * @param package_enumerator	enumerates over installed packages
+	 */
+	status_t (*check_packages)(imv_os_database_t *this, imv_os_state_t *state,
+							   enumerator_t *package_enumerator);
+
+	/**
+	 * Set health infos for a given  device
+	 *
+	 * @param sesson_id				Session ID
+	 * @param count					Number of installed packages
+	 * @param count_update			Number of packages to be updated
+	 * @param count_blacklist		Number of blacklisted packages
+	 * @param flags					Various flags, e.g. illegal OS settings
+	 */
+	void (*set_device_info)(imv_os_database_t *this, int session_id, int count,
+							int count_update, int count_blacklist, u_int flags);
+
+	/**
+	 * Destroys an imv_os_database_t object.
+	 */
+	void (*destroy)(imv_os_database_t *this);
+
+};
+
+/**
+ * Create an imv_os_database_t instance
+ *
+ * @param imv_db			Already attached IMV database
+ */
+imv_os_database_t* imv_os_database_create(imv_database_t *imv_db);
+
+#endif /** IMV_OS_DATABASE_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
new file mode 100644
index 000000000..f6d904c3c
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -0,0 +1,703 @@
+/*
+ * Copyright (C) 2012-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_os_state.h"
+
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
+#include "imv/imv_remediation_string.h"
+
+#include <tncif_policy.h>
+
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+
+typedef struct private_imv_os_state_t private_imv_os_state_t;
+typedef struct package_entry_t package_entry_t;
+typedef struct entry_t entry_t;
+typedef struct instruction_entry_t instruction_entry_t;
+
+/**
+ * Private data of an imv_os_state_t object.
+ */
+struct private_imv_os_state_t {
+
+	/**
+	 * Public members of imv_os_state_t
+	 */
+	imv_os_state_t public;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * TNCCS connection state
+	 */
+	TNC_ConnectionState state;
+
+	/**
+	 * Does the TNCCS connection support long message types?
+	 */
+	bool has_long;
+
+	/**
+	 * Does the TNCCS connection support exclusive delivery?
+	 */
+	bool has_excl;
+
+	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+
+	/**
+	 * Flags set for completed actions
+	 */
+	u_int32_t action_flags;
+
+	/**
+	 * Access Requestor ID Type
+	 */
+	u_int32_t ar_id_type;
+
+	/**
+	 * Access Requestor ID Value
+	 */
+	chunk_t ar_id_value;
+
+	/**
+	 * IMV database session associated with TNCCS connection
+	 */
+	imv_session_t *session;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec;
+
+	/**
+	 * IMV evaluation result
+	 */
+	TNC_IMV_Evaluation_Result eval;
+
+	/**
+	 * IMV OS handshake state
+	 */
+	imv_os_handshake_state_t handshake_state;
+
+	/**
+	 * OS Product Information (concatenation of OS Name and Version)
+	 */
+	char *info;
+
+	/**
+	 * OS Type
+	 */
+	os_type_t type;
+
+	/**
+	 * OS Name
+	 */
+	chunk_t name;
+
+	/**
+	 * OS Version
+	 */
+	chunk_t version;
+
+	/**
+	 * List of blacklisted packages to be removed
+	 */
+	linked_list_t *remove_packages;
+
+	/**
+	 * List of vulnerable packages to be updated
+	 */
+	linked_list_t *update_packages;
+
+	/**
+	 * TNC Reason String
+	 */
+	imv_reason_string_t *reason_string;
+
+	/**
+	 * IETF Remediation Instructions String
+	 */
+	imv_remediation_string_t *remediation_string;
+
+	/**
+	 * Dgevice ID
+	 */
+	chunk_t device_id;
+
+	/**
+	 * Number of processed packages
+	 */
+	int count;
+
+	/**
+	 * Number of not updated packages
+	 */
+	int count_update;
+
+	/**
+	 * Number of blacklisted packages
+	 */
+	int count_blacklist;
+
+	/**
+	 * Number of whitelisted packages
+	 */
+	int count_ok;
+
+	/**
+	 * OS Settings
+	 */
+	u_int os_settings;
+
+	/**
+	 * Angel count
+	 */
+	int angel_count;
+
+};
+
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "pl" };
+
+/**
+ * Reason strings for "OS settings"
+ */
+static imv_lang_string_t reason_settings[] = {
+	{ "en", "Improper OS settings were detected" },
+	{ "de", "Unzulässige OS Einstellungen wurden festgestellt" },
+	{ "pl", "Stwierdzono niewłaściwe ustawienia OS" },
+	{ NULL, NULL }
+};
+
+/**
+ * Reason strings for "installed software packages"
+ */
+static imv_lang_string_t reason_packages[] = {
+	{ "en", "Vulnerable or blacklisted software packages were found" },
+	{ "de", "Schwachstellenbehaftete oder gesperrte Softwarepakete wurden gefunden" },
+	{ "pl", "Znaleziono pakiety podatne na atak lub będące na czarnej liście" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Software Security Updates"
+ */
+static imv_lang_string_t instr_update_packages_title[] = {
+	{ "en", "Software Security Updates" },
+	{ "de", "Software Sicherheitsupdates" },
+	{ "pl", "Aktualizacja softwaru zabezpieczajÄ…cego" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_update_packages_descr[] = {
+	{ "en", "Packages with security vulnerabilities were found" },
+	{ "de", "Softwarepakete mit Sicherheitsschwachstellen wurden gefunden" },
+	{ "pl", "Znaleziono pakiety podatne na atak" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_update_packages_header[] = {
+	{ "en", "Please update the following software packages:" },
+	{ "de", "Bitte updaten Sie die folgenden Softwarepakete:" },
+	{ "pl", "Proszę zaktualizować następujące pakiety:" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Blacklisted Software Packages"
+ */
+static imv_lang_string_t instr_remove_packages_title[] = {
+	{ "en", "Blacklisted Software Packages" },
+	{ "de", "Gesperrte Softwarepakete" },
+	{ "pl", "Pakiety będące na czarnej liście" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_remove_packages_descr[] = {
+	{ "en", "Dangerous software packages were found" },
+	{ "de", "Gefährliche Softwarepakete wurden gefunden" },
+	{ "pl", "Znaleziono niebezpieczne pakiety" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_remove_packages_header[] = {
+	{ "en", "Please remove the following software packages:" },
+	{ "de", "Bitte entfernen Sie die folgenden Softwarepakete:" },
+	{ "pl", "Proszę usunąć następujące pakiety:" },
+	{ NULL, NULL }
+};
+
+;/**
+ * Instruction strings for "Forwarding Enabled"
+ */
+static imv_lang_string_t instr_fwd_enabled_title[] = {
+	{ "en", "IP Packet Forwarding" },
+	{ "de", "Weiterleitung von IP Paketen" },
+	{ "pl", "Przekazywanie pakietów IP" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_fwd_enabled_descr[] = {
+	{ "en", "Please disable the forwarding of IP packets" },
+	{ "de", "Bitte deaktivieren Sie das Forwarding von IP Paketen" },
+	{ "pl", "Proszę zdezaktywować przekazywanie pakietów IP" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for "Default Password Enabled"
+ */
+static imv_lang_string_t instr_default_pwd_enabled_title[] = {
+	{ "en", "Default Password" },
+	{ "de", "Default Passwort" },
+	{ "pl", "Hasło domyślne" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_default_pwd_enabled_descr[] = {
+	{ "en", "Please change the default password" },
+	{ "de", "Bitte ändern Sie das Default Passwort" },
+	{ "pl", "Proszę zmienić domyślne hasło" },
+	{ NULL, NULL }
+};
+
+/**
+ * Instruction strings for  "Unknown Source"
+ */
+static imv_lang_string_t instr_unknown_source_title[] = {
+	{ "en", "Unknown Software Origin" },
+	{ "de", "Unbekannte Softwareherkunft" },
+	{ "pl", "Nieznane pochodzenie softwaru" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_unknown_source_descr[] = {
+	{ "en", "Do not allow the installation of apps from unknown sources" },
+	{ "de", "Erlauben Sie nicht die Installation von Apps aus unbekannten Quellen" },
+	{ "pl", "Proszę nie dopuszczać do instalacji Apps z nieznanych źródeł" },
+	{ NULL, NULL }
+};
+
+METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
+	private_imv_os_state_t *this)
+{
+	return this->connection_id;
+}
+
+METHOD(imv_state_t, has_long, bool,
+	private_imv_os_state_t *this)
+{
+	return this->has_long;
+}
+
+METHOD(imv_state_t, has_excl, bool,
+	private_imv_os_state_t *this)
+{
+	return this->has_excl;
+}
+
+METHOD(imv_state_t, set_flags, void,
+	private_imv_os_state_t *this, bool has_long, bool has_excl)
+{
+	this->has_long = has_long;
+	this->has_excl = has_excl;
+}
+
+METHOD(imv_state_t, set_max_msg_len, void,
+	private_imv_os_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+	private_imv_os_state_t *this)
+{
+	return this->max_msg_len;
+}
+
+METHOD(imv_state_t, set_action_flags, void,
+	private_imv_os_state_t *this, u_int32_t flags)
+{
+	this->action_flags |= flags;
+}
+
+METHOD(imv_state_t, get_action_flags, u_int32_t,
+	private_imv_os_state_t *this)
+{
+	return this->action_flags;
+}
+
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_os_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_os_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
+METHOD(imv_state_t, set_session, void,
+	private_imv_os_state_t *this, imv_session_t *session)
+{
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_os_state_t *this)
+{
+	return this->session;
+}
+
+METHOD(imv_state_t, get_recommendation, void,
+	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation *rec,
+								  TNC_IMV_Evaluation_Result *eval)
+{
+	*rec = this->rec;
+	*eval = this->eval;
+}
+
+METHOD(imv_state_t, set_recommendation, void,
+	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation rec,
+								  TNC_IMV_Evaluation_Result eval)
+{
+	this->rec = rec;
+	this->eval = eval;
+}
+
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_os_state_t *this, TNC_IMV_Action_Recommendation rec,
+								  TNC_IMV_Evaluation_Result eval)
+{
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
+
+METHOD(imv_state_t, change_state, void,
+	private_imv_os_state_t *this, TNC_ConnectionState new_state)
+{
+	this->state = new_state;
+}
+
+METHOD(imv_state_t, get_reason_string, bool,
+	private_imv_os_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
+{
+	if (!this->count_update && !this->count_blacklist & !this->os_settings)
+	{
+		return FALSE;
+	}
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
+
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
+
+	if (this->count_update || this->count_blacklist)
+	{
+		this->reason_string->add_reason(this->reason_string, reason_packages);
+	}
+	if (this->os_settings)
+	{
+		this->reason_string->add_reason(this->reason_string, reason_settings);
+	}
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
+
+	return TRUE;
+}
+
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_os_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	if (!this->count_update && !this->count_blacklist & !this->os_settings)
+	{
+		return FALSE;
+	}
+	*lang_code = imv_lang_string_select_lang(language_enumerator,
+										languages, countof(languages));
+
+	/* Instantiate an IETF Remediation Instructions String object */
+	DESTROY_IF(this->remediation_string);
+	this->remediation_string = imv_remediation_string_create(
+									this->type == OS_TYPE_ANDROID, *lang_code);
+
+	/* List of blacklisted packages to be removed, if any */
+	if (this->count_blacklist)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_remove_packages_title,
+							instr_remove_packages_descr,
+							instr_remove_packages_header,
+							this->remove_packages);
+	}
+
+	/* List of packages in need of an update, if any */
+	if (this->count_update)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_update_packages_title,
+							instr_update_packages_descr,
+							instr_update_packages_header,
+							this->update_packages);
+	}
+
+	/* Add instructions concerning improper OS settings */
+	if (this->os_settings & OS_SETTINGS_FWD_ENABLED)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_fwd_enabled_title,
+							instr_fwd_enabled_descr, NULL, NULL);
+	}
+	if (this->os_settings & OS_SETTINGS_DEFAULT_PWD_ENABLED)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_default_pwd_enabled_title,
+							instr_default_pwd_enabled_descr, NULL, NULL);
+	}
+	if (this->os_settings & OS_SETTINGS_UNKNOWN_SOURCE)
+	{
+		this->remediation_string->add_instruction(this->remediation_string,
+							instr_unknown_source_title,
+							instr_unknown_source_descr, NULL, NULL);
+	}
+
+	*string = this->remediation_string->get_encoding(this->remediation_string);
+	*uri = lib->settings->get_str(lib->settings,
+							"libimcv.plugins.imv-os.remediation_uri", NULL);
+
+	return TRUE;
+}
+
+METHOD(imv_state_t, destroy, void,
+	private_imv_os_state_t *this)
+{
+	DESTROY_IF(this->session);
+	DESTROY_IF(this->reason_string);
+	DESTROY_IF(this->remediation_string);
+	this->update_packages->destroy_function(this->update_packages, free);
+	this->remove_packages->destroy_function(this->remove_packages, free);
+	free(this->info);
+	free(this->name.ptr);
+	free(this->version.ptr);
+	free(this->ar_id_value.ptr);
+	free(this->device_id.ptr);
+	free(this);
+}
+
+METHOD(imv_os_state_t, set_handshake_state, void,
+	private_imv_os_state_t *this, imv_os_handshake_state_t new_state)
+{
+	this->handshake_state = new_state;
+}
+
+METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t,
+	private_imv_os_state_t *this)
+{
+	return this->handshake_state;
+}
+
+METHOD(imv_os_state_t, set_info, void,
+	private_imv_os_state_t *this, os_type_t type, chunk_t name, chunk_t version)
+{
+	int len = name.len + 1 + version.len + 1;
+
+	/* OS info is a concatenation of OS name and OS version */
+	free(this->info);
+	this->info = malloc(len);
+	snprintf(this->info, len, "%.*s %.*s", (int)name.len, name.ptr,
+										   (int)version.len, version.ptr);
+	this->type = type;
+	this->name = chunk_clone(name);
+	this->version = chunk_clone(version);
+}
+
+METHOD(imv_os_state_t, get_info, char*,
+	private_imv_os_state_t *this, os_type_t *type, chunk_t *name,
+	chunk_t *version)
+{
+	if (type)
+	{
+		*type = this->type;
+	}
+	if (name)
+	{
+		*name = this->name;
+	}
+	if (version)
+	{
+		*version = this->version;
+	}
+	return this->info;
+}
+
+METHOD(imv_os_state_t, set_count, void,
+	private_imv_os_state_t *this, int count, int count_update,
+	int count_blacklist, int count_ok)
+{
+	this->count           += count;
+	this->count_update    += count_update;
+	this->count_blacklist += count_blacklist;
+	this->count_ok        += count_ok;
+}
+
+METHOD(imv_os_state_t, get_count, void,
+	private_imv_os_state_t *this, int *count, int *count_update,
+	int *count_blacklist, int *count_ok)
+{
+	if (count)
+	{
+		*count = this->count;
+	}
+	if (count_update)
+	{
+		*count_update = this->count_update;
+	}
+	if (count_blacklist)
+	{
+		*count_blacklist = this->count_blacklist;
+	}
+	if (count_ok)
+	{
+		*count_ok = this->count_ok;
+	}
+}
+
+METHOD(imv_os_state_t, set_device_id, void,
+	private_imv_os_state_t *this, chunk_t id)
+{
+	this->device_id = chunk_clone(id);
+}
+
+METHOD(imv_os_state_t, get_device_id, chunk_t,
+	private_imv_os_state_t *this)
+{
+	return this->device_id;
+}
+
+METHOD(imv_os_state_t, set_os_settings, void,
+	private_imv_os_state_t *this, u_int settings)
+{
+	this->os_settings |= settings;
+}
+
+METHOD(imv_os_state_t, get_os_settings, u_int,
+	private_imv_os_state_t *this)
+{
+	return this->os_settings;
+}
+
+METHOD(imv_os_state_t, set_angel_count, void,
+	private_imv_os_state_t *this, bool start)
+{
+	this->angel_count += start ? 1 : -1;
+}
+
+METHOD(imv_os_state_t, get_angel_count, int,
+	private_imv_os_state_t *this)
+{
+	return this->angel_count;
+}
+
+METHOD(imv_os_state_t, add_bad_package, void,
+	private_imv_os_state_t *this, char *package,
+	os_package_state_t package_state)
+{
+	package = strdup(package);
+
+	if (package_state == OS_PACKAGE_STATE_BLACKLIST)
+	{
+		this->remove_packages->insert_last(this->remove_packages, package);
+	}
+	else
+	{
+		this->update_packages->insert_last(this->update_packages, package);
+	}
+}
+
+/**
+ * Described in header.
+ */
+imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id)
+{
+	private_imv_os_state_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_connection_id = _get_connection_id,
+				.has_long = _has_long,
+				.has_excl = _has_excl,
+				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
+				.set_action_flags = _set_action_flags,
+				.get_action_flags = _get_action_flags,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session = _get_session,
+				.change_state = _change_state,
+				.get_recommendation = _get_recommendation,
+				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
+				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
+				.destroy = _destroy,
+			},
+			.set_handshake_state = _set_handshake_state,
+			.get_handshake_state = _get_handshake_state,
+			.set_info = _set_info,
+			.get_info = _get_info,
+			.set_count = _set_count,
+			.get_count = _get_count,
+			.set_device_id = _set_device_id,
+			.get_device_id = _get_device_id,
+			.set_os_settings = _set_os_settings,
+			.get_os_settings = _get_os_settings,
+			.set_angel_count = _set_angel_count,
+			.get_angel_count = _get_angel_count,
+			.add_bad_package = _add_bad_package,
+		},
+		.state = TNC_CONNECTION_STATE_CREATE,
+		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+		.connection_id = connection_id,
+		.update_packages = linked_list_create(),
+		.remove_packages = linked_list_create(),
+	);
+
+	return &this->public.interface;
+}
+
+
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h
new file mode 100644
index 000000000..97f695319
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/imv_os_state.h
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_os imv_os
+ * @ingroup libimcv_plugins
+ *
+ * @defgroup imv_os_state_t imv_os_state
+ * @{ @ingroup imv_os
+ */
+
+#ifndef IMV_OS_STATE_H_
+#define IMV_OS_STATE_H_
+
+#include "os_info/os_info.h"
+#include <imv/imv_state.h>
+#include <library.h>
+
+typedef struct imv_os_state_t imv_os_state_t;
+typedef enum imv_os_handshake_state_t imv_os_handshake_state_t;
+typedef enum os_settings_t os_settings_t;
+
+/**
+ * IMV OS Handshake States (state machine)
+ */
+enum imv_os_handshake_state_t {
+	IMV_OS_STATE_INIT,
+	IMV_OS_STATE_ATTR_REQ,
+	IMV_OS_STATE_POLICY_START,
+	IMV_OS_STATE_WORKITEMS,
+	IMV_OS_STATE_END
+};
+
+/**
+ * Flags for detected OS Settings
+ */
+enum os_settings_t {
+	OS_SETTINGS_FWD_ENABLED =         (1<<0),
+	OS_SETTINGS_DEFAULT_PWD_ENABLED = (1<<1),
+	OS_SETTINGS_UNKNOWN_SOURCE =      (1<<2)
+};
+
+/**
+ * Internal state of an imv_os_t connection instance
+ */
+struct imv_os_state_t {
+
+	/**
+	 * imv_state_t interface
+	 */
+	imv_state_t interface;
+
+	/**
+	 * Set state of the handshake
+	 *
+	 * @param new_state			the handshake state of IMV
+	 */
+	void (*set_handshake_state)(imv_os_state_t *this,
+								imv_os_handshake_state_t new_state);
+
+	/**
+	 * Get state of the handshake
+	 *
+	 * @return					the handshake state of IMV
+	 */
+	imv_os_handshake_state_t (*get_handshake_state)(imv_os_state_t *this);
+
+	/**
+	 * Set OS Product Information
+	 *
+	 * @param type			OS type (enumerated)
+	 * @param name			OS name (string)
+	 * @param version		OS version
+	 */
+	void (*set_info)(imv_os_state_t *this, os_type_t os_type,
+					 chunk_t name, chunk_t version);
+
+	/**
+	 * Get OS Product Information
+	 *
+	 * @param type			OS type (enumerated)
+	 * @param name			OS name (string)
+	 * @param version		OS version
+	 * @return				OS name & version as a concatenated string
+	 */
+	char* (*get_info)(imv_os_state_t *this, os_type_t *os_type,
+					  chunk_t *name, chunk_t *version);
+
+	/**
+	 * Set [or with multiple attributes increment] package counters
+	 *
+	 * @param count				Number of processed packages
+	 * @param count_update		Number of not updated packages
+	 * @param count_blacklist	Number of blacklisted packages
+	 * @param count_ok			Number of whitelisted packages
+	 */
+	void (*set_count)(imv_os_state_t *this, int count, int count_update,
+					  int count_blacklist, int count_ok);
+
+	/**
+	 * Set [or with multiple attributes increment] package counters
+	 *
+	 * @param count				Number of processed packages
+	 * @param count_update		Number of not updated packages
+	 * @param count_blacklist	Number of blacklisted packages
+	 * @param count_ok			Number of whitelisted packages
+	 */
+	void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
+					  int *count_blacklist, int *count_ok);
+
+	/**
+	 * Set device ID
+	 *
+	 * @param device_id		Device ID
+	 */
+	void (*set_device_id)(imv_os_state_t *this, chunk_t id);
+
+	/**
+	 * Get device ID
+	 *
+	 * @return				Device ID
+	 */
+	chunk_t (*get_device_id)(imv_os_state_t *this);
+
+	/**
+	 * Set OS settings
+	 *
+	 * @param settings		OS settings
+	 */
+	void (*set_os_settings)(imv_os_state_t *this, u_int settings);
+
+	/**
+	 * Get OS settings
+	 *
+	 * @return				OS settings
+	 */
+	u_int (*get_os_settings)(imv_os_state_t *this);
+
+	/**
+	 * Increase/Decrease the ITA Angel count
+	 *
+	 * @param start			TRUE increases and FALSE decreases count by one
+	 */
+	void (*set_angel_count)(imv_os_state_t *this, bool start);
+
+	/**
+	 * Get the ITA Angel count
+	 *
+	 * @return				ITA Angel count
+	 */
+	int (*get_angel_count)(imv_os_state_t *this);
+
+	/**
+	 * Store a bad package that has to be updated or removed
+	 *
+	 * @param package		Name of software package
+	 * @param package_state	Security state of software package
+	 */
+	void (*add_bad_package)(imv_os_state_t *this, char *package,
+							os_package_state_t package_state);
+
+};
+
+/**
+ * Create an imv_os_state_t instance
+ *
+ * @param id			connection ID
+ */
+imv_state_t* imv_os_state_create(TNC_ConnectionID id);
+
+#endif /** IMV_OS_STATE_H_ @}*/
diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c
new file mode 100644
index 000000000..57cc62a08
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/pacman.c
@@ -0,0 +1,482 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <syslog.h>
+#include <time.h>
+#include <sys/stat.h>
+
+#include "imv_os_state.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef enum pacman_state_t pacman_state_t;
+
+enum pacman_state_t {
+	PACMAN_STATE_BEGIN_PACKAGE,
+	PACMAN_STATE_VERSION,
+	PACMAN_STATE_END_PACKAGE
+};
+
+typedef struct stats_t stats_t;
+
+struct stats_t {
+	time_t release;
+	int product;
+	int packages;
+	int new_packages;
+	int new_versions;
+	int updated_versions;
+	int deleted_versions;
+};
+
+/**
+ * global debug output variables
+ */
+static int debug_level = 1;
+static bool stderr_quiet = TRUE;
+
+/**
+ * pacman dbg function
+ */
+static void pacman_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	int priority = LOG_INFO;
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (level <= debug_level)
+	{
+		if (!stderr_quiet)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			fprintf(stderr, "\n");
+			va_end(args);
+		}
+
+		/* write in memory buffer first */
+		va_start(args, fmt);
+		vsnprintf(buffer, sizeof(buffer), fmt, args);
+		va_end(args);
+
+		/* do a syslog with every line */
+		while (current)
+		{
+			next = strchr(current, '\n');
+			if (next)
+			{
+				*(next++) = '\0';
+			}
+			syslog(priority, "%s\n", current);
+			current = next;
+		}
+	}
+}
+
+/**
+ * atexit handler to close everything on shutdown
+ */
+static void cleanup(void)
+{
+	closelog();
+	library_deinit();
+}
+
+static void usage(void)
+{
+ 	printf("Usage:\n"
+		   "ipsec pacman --product <name> --file <filename> [--update]\n");
+}
+
+/**
+ * Update the package database
+ */
+static bool update_database(database_t *db, char *package, char *version,
+							bool security, stats_t *stats)
+{
+	char *cur_version, *version_update = NULL, *version_delete = NULL;
+	int cur_security, security_update = 0, security_delete = 0;
+	int pac_id = 0, vid = 0, vid_update = 0, vid_delete = 0;
+	u_int cur_time;
+	bool add_version = TRUE;
+	enumerator_t *e;
+
+	/* increment package count */
+	stats->packages++;
+
+	/* check if package is already in database */
+	e = db->query(db, "SELECT id FROM packages WHERE name = ?",
+					  DB_TEXT, package, DB_INT);
+	if (!e)
+	{
+		return FALSE;
+	}
+	if (!e->enumerate(e, &pac_id))
+	{
+		pac_id = 0;
+	}
+	e->destroy(e);
+
+	if (!pac_id && security)
+	{
+		if (db->execute(db, &pac_id, "INSERT INTO packages (name) VALUES (?)",
+						DB_TEXT, package) != 1)
+		{
+			fprintf(stderr, "could not store package '%s' to database\n",
+							 package);
+			return FALSE;
+		}
+		stats->new_packages++;
+	}
+
+	/* check for package versions already in database */
+	e = db->query(db,
+			"SELECT id, release, security, time FROM versions "
+			"WHERE package = ? AND product = ?", DB_INT, pac_id,
+			 DB_INT, stats->product, DB_INT, DB_TEXT, DB_INT, DB_UINT);
+	if (!e)
+	{
+		return FALSE;
+	}
+
+	while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time))
+	{
+		if (streq(version, cur_version))
+		{
+			/* already in data base */
+			add_version = FALSE;
+			break;
+		}
+		else if (stats->release >= cur_time)
+		{
+			if (security)
+			{
+				if (cur_security)
+				{
+					vid_update = vid;
+					version_update = strdup(cur_version);
+					security_update = cur_security;
+				}
+				else
+				{
+					vid_delete = vid;
+					version_delete = strdup(cur_version);
+					security_delete = cur_security;
+				}
+			}
+			else
+			{
+				if (!cur_security)
+				{
+					vid_update = vid;
+					version_update = strdup(cur_version);
+					security_update = cur_security;
+				}
+			}
+		}
+		else
+		{
+			if (security == cur_security)
+			{
+				add_version = FALSE;
+			}
+		}
+	}
+	e->destroy(e);
+
+	if ((!vid && !security) || (vid && !add_version))
+	{
+		free(version_update);
+		free(version_delete);
+		return TRUE;
+	}
+
+	if ((!vid && security) || (vid && !vid_update))
+	{
+		printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+		if (db->execute(db, &vid,
+			"INSERT INTO versions "
+			"(package, product, release, security, time) "
+			"VALUES (?, ?, ?, ?, ?)", DB_INT, pac_id, DB_INT, stats->product,
+			DB_TEXT, version, DB_INT, security, DB_INT, stats->release) != 1)
+		{
+			fprintf(stderr, "could not store version '%s' to database\n",
+							 version);
+			free(version_update);
+			free(version_delete);
+			return FALSE;
+		}
+		stats->new_versions++;
+	}
+	else
+	{
+		printf("%s (%s) %s updated by\n",
+			   package, version_update, security_update ? "[s]" : "");
+		printf("%s (%s) %s\n", package, version, security ? "[s]" : "");
+
+		if (db->execute(db, NULL,
+			"UPDATE versions SET release = ?, time = ? WHERE id = ?",
+			DB_TEXT, version, DB_INT, stats->release, DB_INT, vid_update) <= 0)
+		{
+			fprintf(stderr, "could not update version '%s' to database\n",
+							 version);
+			free(version_update);
+			free(version_delete);
+			return FALSE;
+		}
+		stats->updated_versions++;
+	}
+
+	if (vid_delete)
+	{
+		printf("%s (%s) %s deleted\n",
+			   package, version_delete, security_delete ? "[s]" : "");
+			if (db->execute(db, NULL,
+			"DELETE FROM  versions WHERE id = ?",
+			DB_INT, vid_delete) <= 0)
+		{
+			fprintf(stderr, "could not delete version '%s' from database\n",
+							 version_delete);
+			free(version_update);
+			free(version_delete);
+			return FALSE;
+		}
+		stats->deleted_versions++;
+	}
+	free(version_update);
+	free(version_delete);
+
+	return TRUE;
+}
+
+/**
+ * Process a package file and store updates in the database
+ */
+static void process_packages(char *filename, char *product, bool security)
+{
+	char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL;
+	pacman_state_t pacman_state;
+	enumerator_t *e;
+	database_t *db;
+	int pid;
+	FILE *file;
+	stats_t stats;
+	bool success;
+
+	/* initialize statistics */
+	memset(&stats, 0x00, sizeof(stats_t));
+
+	/* Set release date to current time */
+	stats.release = time(NULL);
+
+	/* opening package file */
+	printf("loading\"%s\"\n", filename);
+	file = fopen(filename, "r");
+	if (!file)
+	{
+		fprintf(stderr, "could not open \"%s\"\n", filename);
+		exit(EXIT_FAILURE);
+	}
+
+	/* connect package database */
+	uri = lib->settings->get_str(lib->settings, "pacman.database", NULL);
+	if (!uri)
+	{
+		fprintf(stderr, "database URI pacman.database not set\n");
+		fclose(file);
+		exit(EXIT_FAILURE);
+	}
+	db = lib->db->create(lib->db, uri);
+	if (!db)
+	{
+		fprintf(stderr, "could not connect to database '%s'\n", uri);
+		fclose(file);
+		exit(EXIT_FAILURE);
+	}
+
+	/* check if product is already in database */
+	e = db->query(db, "SELECT id FROM products WHERE name = ?",
+				  DB_TEXT, product, DB_INT);
+	if (e)
+	{
+		if (e->enumerate(e, &pid))
+		{
+			stats.product = pid;
+		}
+		e->destroy(e);
+	}
+	if (!stats.product)
+	{
+		if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)",
+						DB_TEXT, product) != 1)
+		{
+			fprintf(stderr, "could not store product '%s' to database\n",
+							 product);
+			fclose(file);
+			db->destroy(db);
+			exit(EXIT_FAILURE);
+		}
+		stats.product = pid;
+	}
+
+	pacman_state = PACMAN_STATE_BEGIN_PACKAGE;
+
+	while (fgets(line, sizeof(line), file))
+	{
+		/* set read pointer to beginning of line */
+		pos = line;
+
+		switch (pacman_state)
+		{
+			case PACMAN_STATE_BEGIN_PACKAGE:
+				pos = strstr(pos, "Package: ");
+				if (!pos)
+				{
+					continue;
+				}
+				pos += 9;
+				package = pos;
+				pos = strchr(pos, '\n');
+				if (pos)
+				{
+					package = strndup(package, pos - package);
+					pacman_state = PACMAN_STATE_VERSION;
+				}
+				break;
+			case PACMAN_STATE_VERSION:
+				pos = strstr(pos, "Version: ");
+				if (!pos)
+				{
+					continue;
+				}
+				pos += 9;
+				version = pos;
+				pos = strchr(pos, '\n');
+				if (pos)
+				{
+					version = strndup(version, pos - version);
+					pacman_state = PACMAN_STATE_END_PACKAGE;
+				}
+				break;
+			case PACMAN_STATE_END_PACKAGE:
+				if (*pos != '\n')
+				{
+					continue;
+				}
+				success = update_database(db, package, version, security, &stats);
+				free(package);
+				free(version);
+				if (!success)
+				{
+					fclose(file);
+					db->destroy(db);
+					exit(EXIT_FAILURE);
+				}
+				pacman_state = PACMAN_STATE_BEGIN_PACKAGE;
+		}
+	}
+	fclose(file);
+	db->destroy(db);
+
+	printf("processed %d packages, %d new packages, %d new versions, "
+		   "%d updated versions, %d deleted versions\n",
+			stats.packages, stats.new_packages, stats.new_versions,
+			stats.updated_versions, stats.deleted_versions);
+}
+
+static void do_args(int argc, char *argv[])
+{
+	char *filename = NULL, *product = NULL;
+	bool security = FALSE;
+
+	/* reinit getopt state */
+	optind = 0;
+
+	while (TRUE)
+	{
+		int c;
+
+		struct option long_opts[] = {
+			{ "help", no_argument, NULL, 'h' },
+			{ "file", required_argument, NULL, 'f' },
+			{ "product", required_argument, NULL, 'p' },
+			{ "security", no_argument, NULL, 's' },
+			{ 0,0,0,0 }
+		};
+
+		c = getopt_long(argc, argv, "", long_opts, NULL);
+		switch (c)
+		{
+			case EOF:
+				break;
+			case 'h':
+				usage();
+				exit(EXIT_SUCCESS);
+			case 'f':
+				filename = optarg;
+				continue;
+			case 'p':
+				product = optarg;
+				continue;
+			case 's':
+				security = TRUE;
+				continue;
+		}
+		break;
+	}
+
+	if (filename && product)
+	{
+		process_packages(filename, product, security);
+	}
+	else
+	{
+		usage();
+		exit(EXIT_FAILURE);
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	/* enable attest debugging hook */
+	dbg = pacman_dbg;
+	openlog("pacman", 0, LOG_DEBUG);
+
+	atexit(cleanup);
+
+	/* initialize library */
+	if (!library_init(NULL))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (!lib->plugins->load(lib->plugins,
+			lib->settings->get_str(lib->settings, "attest.load", "sqlite")))
+	{
+		exit(SS_RC_INITIALIZATION_FAILED);
+	}
+	do_args(argc, argv);
+
+	exit(EXIT_SUCCESS);
+}
+
diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh
new file mode 100755
index 000000000..e99de0cb5
--- /dev/null
+++ b/src/libimcv/plugins/imv_os/pacman.sh
@@ -0,0 +1,160 @@
+#!/bin/sh
+
+DIR="/etc/pts"
+DATE=`date +%Y%m%d-%H%M`
+UBUNTU="http://security.ubuntu.com/ubuntu/dists"
+UBUNTU_VERSIONS="raring quantal precise lucid"
+UBUNTU_DIRS="main multiverse restricted universe"
+UBUNTU_ARCH="binary-amd64 binary-i386"
+DEBIAN="http://security.debian.org/dists"
+DEBIAN_VERSIONS="jessie wheezy squeeze"
+DEBIAN_DIRS="main contrib non-free"
+DEBIAN_ARCH="binary-amd64 binary-i386"
+PACMAN=/usr/libexec/ipsec/pacman
+PACMAN_LOG="$DIR/$DATE-pacman.log"
+
+cd $DIR/dists
+
+for v in $UBUNTU_VERSIONS
+do
+  for a in $UBUNTU_ARCH
+  do
+    mkdir -p $v-security/$a $v-updates/$a
+    for d in $UBUNTU_DIRS
+    do
+  	  wget $UBUNTU/$v-security/$d/$a/Packages.bz2 -O $v-security/$a/Packages-$d.bz2
+      bunzip2 -f $v-security/$a/Packages-$d.bz2
+  	  wget $UBUNTU/$v-updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
+      bunzip2 -f $v-updates/$a/Packages-$d.bz2
+	done
+  done
+done
+
+for v in $DEBIAN_VERSIONS
+do
+  for a in $DEBIAN_ARCH
+  do
+    mkdir -p $v-updates/$a
+    for d in $DEBIAN_DIRS
+    do
+  	  wget $DEBIAN/$v/updates/$d/$a/Packages.bz2  -O $v-updates/$a/Packages-$d.bz2
+      bunzip2 -f $v-updates/$a/Packages-$d.bz2
+	done
+  done
+done
+
+for f in raring-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 13.04 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in raring-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 13.04 x86_64" --file $f >> $PACMAN_LOG
+done
+echo
+for f in raring-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 13.04 i686" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in raring-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 13.04 i686" --file $f >> $PACMAN_LOG
+done
+echo
+
+for f in quantal-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.10 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in quantal-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.10 x86_64" --file $f >> $PACMAN_LOG
+done
+echo
+for f in quantal-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.10 i686" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in quantal-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.10 i686" --file $f >> $PACMAN_LOG
+done
+echo
+
+for f in precise-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.04 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in precise-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 12.04 x86_64" --file $f >> $PACMAN_LOG
+done
+echo
+for f in precise-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.04 i686" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in precise-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 12.04 i686" --file $f >> $PACMAN_LOG
+done
+echo
+
+for f in lucid-security/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 10.04 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in lucid-updates/binary-amd64/*
+do
+  $PACMAN --product "Ubuntu 10.04 x86_64" --file $f >> $PACMAN_LOG
+done
+echo
+for f in lucid-security/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 10.04 i686" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in lucid-updates/binary-i386/*
+do
+  $PACMAN --product "Ubuntu 10.04 i686" --file $f >> $PACMAN_LOG
+done
+echo
+
+for f in jessie-updates/binary-amd64/*
+do
+  $PACMAN --product "Debian 8.0 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in jessie-updates/binary-i386/*
+do
+  $PACMAN --product "Debian 8.0 i686" --file $f --security >> $PACMAN_LOG
+done
+
+for f in wheezy-updates/binary-amd64/*
+do
+  $PACMAN --product "Debian 7.0 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in wheezy-updates/binary-i386/*
+do
+  $PACMAN --product "Debian 7.0 i686" --file $f --security >> $PACMAN_LOG
+done
+
+for f in squeeze-updates/binary-amd64/*
+do
+  $PACMAN --product "Debian 6.0 x86_64" --file $f --security >> $PACMAN_LOG
+done
+echo
+for f in squeeze-updates/binary-i386/*
+do
+  $PACMAN --product "Debian 6.0 i686" --file $f --security >> $PACMAN_LOG
+done
+
+cp $DIR/config.db $DIR/config.db-$DATE
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.am b/src/libimcv/plugins/imv_scanner/Makefile.am
index df2158e72..625e62316 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.am
+++ b/src/libimcv/plugins/imv_scanner/Makefile.am
@@ -1,15 +1,18 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imv-scanner.la
 
 imv_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_scanner_la_SOURCES = imv_scanner.c imv_scanner_state.h imv_scanner_state.c
+imv_scanner_la_SOURCES = \
+	imv_scanner.c imv_scanner_state.h imv_scanner_state.c \
+	imv_scanner_agent.h imv_scanner_agent.c
 
 imv_scanner_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 63602c707..e336b86bb 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,51 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_scanner_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_imv_scanner_la_OBJECTS = imv_scanner.lo imv_scanner_state.lo
+am_imv_scanner_la_OBJECTS = imv_scanner.lo imv_scanner_state.lo \
+	imv_scanner_agent.lo
 imv_scanner_la_OBJECTS = $(am_imv_scanner_la_OBJECTS)
-imv_scanner_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imv_scanner_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_scanner_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imv_scanner_la_LDFLAGS) $(LDFLAGS) -o \
+	$@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imv_scanner_la_SOURCES)
 DIST_SOURCES = $(imv_scanner_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -125,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -144,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -171,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -183,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -191,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -201,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -222,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -242,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -279,15 +342,22 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imv-scanner.la
 imv_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_scanner_la_SOURCES = imv_scanner.c imv_scanner_state.h imv_scanner_state.c
+imv_scanner_la_SOURCES = \
+	imv_scanner.c imv_scanner_state.h imv_scanner_state.c \
+	imv_scanner_agent.h imv_scanner_agent.c
+
 imv_scanner_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -325,7 +395,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -333,6 +402,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -354,8 +425,8 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imv-scanner.la: $(imv_scanner_la_OBJECTS) $(imv_scanner_la_DEPENDENCIES) 
-	$(imv_scanner_la_LINK) -rpath $(imcvdir) $(imv_scanner_la_OBJECTS) $(imv_scanner_la_LIBADD) $(LIBS)
+imv-scanner.la: $(imv_scanner_la_OBJECTS) $(imv_scanner_la_DEPENDENCIES) $(EXTRA_imv_scanner_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imv_scanner_la_LINK) -rpath $(imcvdir) $(imv_scanner_la_OBJECTS) $(imv_scanner_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -364,28 +435,29 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_scanner.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_scanner_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_scanner_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -492,10 +564,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner.c b/src/libimcv/plugins/imv_scanner/imv_scanner.c
index dba3fd632..6f5e82355 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -12,398 +13,12 @@
  * for more details.
  */
 
-#include "imv_scanner_state.h"
-
-#include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_port_filter.h>
-
-#include <tncif_names.h>
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <utils/linked_list.h>
-#include <utils/lexparser.h>
-#include <debug.h>
-
-/* IMV definitions */
+#include "imv_scanner_agent.h"
 
 static const char imv_name[] = "Scanner";
+static const imv_agent_create_t imv_agent_create = imv_scanner_agent_create;
 
-#define IMV_VENDOR_ID	PEN_ITA
-#define IMV_SUBTYPE		PA_SUBTYPE_ITA_SCANNER
-
-static imv_agent_t *imv_scanner;
-
-typedef struct port_range_t port_range_t;
-
-struct port_range_t {
-	u_int16_t start, stop;
-};
-
-
-/**
- * Default port policy 
- *
- * TRUE:  all server ports on the TNC client must be closed
- * FALSE: any server port on the TNC client is allowed to be open
- */
-static bool closed_port_policy = TRUE;
-
-/**
- * List of TCP and UDP port ranges
- *
- * TRUE:  server ports on the TNC client that are allowed to be open
- * FALSE: server ports on the TNC client that must be closed
- */
-static linked_list_t *tcp_ports, *udp_ports;
-
-/**
- * Get a TCP or UDP port list from strongswan.conf
- */
-static linked_list_t* get_port_list(char *label)
-{
-	char key[40], *value;
-	linked_list_t *list;
-	chunk_t port_list, port_item, port_start;
-	port_range_t *port_range;
-
-	list = linked_list_create();
-
-	snprintf(key, sizeof(key), "libimcv.plugins.imv-scanner.%s_ports", label);
-	value = lib->settings->get_str(lib->settings, key, NULL);
-	if (!value)
-	{
-		DBG1(DBG_IMV, "%s not defined", key);
-		return list;
-	}
-	port_list = chunk_create(value, strlen(value));
-	DBG2(DBG_IMV, "list of %s ports that %s:", label,
-		 closed_port_policy ? "are allowed to be open" : "must be closed");
-
-	while (eat_whitespace(&port_list))
-	{
-		if (!extract_token(&port_item, ' ', &port_list))
-		{
-			/* reached last port item */
-			port_item = port_list;
-			port_list = chunk_empty;
-		}
-		port_range = malloc_thing(port_range_t);
-		port_range->start = atoi(port_item.ptr);
-
-		if (extract_token(&port_start, '-', &port_item) && port_item.len)
-		{
-			port_range->stop = atoi(port_item.ptr);
-		}
-		else
-		{
-			port_range->stop = port_range->start;
-		}
-		DBG2(DBG_IMV, "%5u - %5u", port_range->start, port_range->stop);
-		list->insert_last(list, port_range);
-	}
-
-	return list;
-}
-
-
-/*
- * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
-							  TNC_Version min_version,
-							  TNC_Version max_version,
-							  TNC_Version *actual_version)
-{
-	if (imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
-		return TNC_RESULT_ALREADY_INITIALIZED;
-	}
-	imv_scanner = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
-								imv_id, actual_version);
-	if (!imv_scanner)
-	{
-		return TNC_RESULT_FATAL;
-	}
-	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
-	{
-		DBG1(DBG_IMV, "no common IF-IMV version");
-		return TNC_RESULT_NO_COMMON_VERSION;
-	}
-
-	/* set the default port policy to closed (TRUE) or open (FALSE) */
-	closed_port_policy = lib->settings->get_bool(lib->settings,
-						"libimcv.plugins.imv-scanner.closed_port_policy", TRUE);
-	DBG2(DBG_IMV, "default port policy is %s ports",
-						closed_port_policy ? "closed" : "open");
-
-	/* get the list of open|closed ports */
-	tcp_ports = get_port_list("tcp");
-	udp_ports = get_port_list("udp");
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
-										  TNC_ConnectionID connection_id,
-										  TNC_ConnectionState new_state)
-{
-	imv_state_t *state;
-
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	switch (new_state)
-	{
-		case TNC_CONNECTION_STATE_CREATE:
-			state = imv_scanner_state_create(connection_id);
-			return imv_scanner->create_state(imv_scanner, state);
-		case TNC_CONNECTION_STATE_DELETE:
-			return imv_scanner->delete_state(imv_scanner, connection_id);
-		default:
-			return imv_scanner->change_state(imv_scanner, connection_id,
-											 new_state, NULL);
-	}
-}
-
-static TNC_Result receive_message(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id)
-{
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	imv_state_t *state;
-	enumerator_t *enumerator;
-	TNC_Result result;
-	bool fatal_error;
-
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMV state */
-	if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	/* parse received PA-TNC message and automatically handle any errors */ 
-	result = imv_scanner->receive_message(imv_scanner, state, msg, msg_vid,
-					 		msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
-	{
-		return result;
-	}
-
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-
-	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		if (attr->get_vendor_id(attr) == PEN_IETF &&
-			attr->get_type(attr) == IETF_ATTR_PORT_FILTER)
-		{
-			ietf_attr_port_filter_t *attr_port_filter;
-			enumerator_t *enumerator;
-			u_int8_t protocol;
-			u_int16_t port;
-			char buf[BUF_LEN], *pos = buf;
-			size_t len = BUF_LEN;
-			bool blocked, compliant = TRUE;
-	
-			attr_port_filter = (ietf_attr_port_filter_t*)attr;
-			enumerator = attr_port_filter->create_port_enumerator(attr_port_filter);
-			while (enumerator->enumerate(enumerator, &blocked, &protocol, &port))
-			{
-				enumerator_t *e;
-				port_range_t *port_range;
-				bool passed, found = FALSE;
-				int written = 0;
-
-				if (blocked)
-				{
-					/* ignore closed ports */
-					continue;
-				}
-
-				e = (protocol == IPPROTO_TCP) ?
-							tcp_ports->create_enumerator(tcp_ports) :
-							udp_ports->create_enumerator(udp_ports);
-				while (e->enumerate(e, &port_range))
-				{
-					if (port >= port_range->start && port <= port_range->stop)
-					{
-						found = TRUE;
-						break;
-					}
-				}
-				e->destroy(e);
-
-				passed = (closed_port_policy == found);
-				DBG2(DBG_IMV, "%s port %5u %s: %s", 
-					(protocol == IPPROTO_TCP) ? "tcp" : "udp", port,
-					 blocked ? "closed" : "open", passed ? "ok" : "fatal");
-				if (!passed)
-				{
-					compliant = FALSE;
-					written = snprintf(pos, len, " %s/%u",
-									  (protocol == IPPROTO_TCP) ? "tcp" : "udp",
-									   port);
-					if (written < 0 || written >= len)
-					{
-						break;
-					}
-					pos += written;
-					len -= written;
-				}
-			} 
-			enumerator->destroy(enumerator);
-
-			if (compliant)
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);	
-			}
-			else
-			{
-				imv_scanner_state_t *imv_scanner_state;
-
-				imv_scanner_state = (imv_scanner_state_t*)state;
-				imv_scanner_state->set_violating_ports(imv_scanner_state, buf);
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);	
-			}		  
-		}		
-	}
-	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
-
-	if (fatal_error)
-	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);			  
-		return imv_scanner->provide_recommendation(imv_scanner, connection_id);
-	}
+/* include generic TGC TNC IF-IMV API code below */
 
-	return imv_scanner->provide_recommendation(imv_scanner, connection_id);
- }
+#include <imv/imv_if.h>
 
-/**
- * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_BufferReference msg,
-								  TNC_UInt32 msg_len,
-								  TNC_MessageType msg_type)
-{
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
-
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
-
-	return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMVID_ANY);
-}
-
-/**
- * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
-									  TNC_ConnectionID connection_id,
-									  TNC_UInt32 msg_flags,
-									  TNC_BufferReference msg,
-									  TNC_UInt32 msg_len,
-									  TNC_VendorID msg_vid,
-									  TNC_MessageSubtype msg_subtype,
-									  TNC_UInt32 src_imc_id,
-									  TNC_UInt32 dst_imv_id)
-{
-	return receive_message(imv_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imc_id, dst_imv_id);
-}
-
-/**
- * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
-										 TNC_ConnectionID connection_id)
-{
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_scanner->provide_recommendation(imv_scanner, connection_id);
-}
-
-/**
- * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id)
-{
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
-{
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	tcp_ports->destroy_function(tcp_ports, free);
-	udp_ports->destroy_function(udp_ports, free);
-	imv_scanner->destroy(imv_scanner);
-	imv_scanner = NULL;
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
-									   TNC_TNCS_BindFunctionPointer bind_function)
-{
-	if (!imv_scanner)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_scanner->bind_functions(imv_scanner, bind_function);
-}
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
new file mode 100644
index 000000000..d1e093137
--- /dev/null
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
@@ -0,0 +1,526 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_scanner_agent.h"
+#include "imv_scanner_state.h"
+
+#include <imcv.h>
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_port_filter.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+#include <utils/lexparser.h>
+
+typedef struct private_imv_scanner_agent_t private_imv_scanner_agent_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_IETF, PA_SUBTYPE_IETF_VPN }
+};
+
+/**
+ * Private data of an imv_scanner_agent_t object.
+ */
+struct private_imv_scanner_agent_t {
+
+	/**
+	 * Public members of imv_scanner_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_scanner_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_scanner_agent_t *this,
+							  imv_state_t *state, imv_msg_t *in_msg)
+{
+	imv_msg_t *out_msg;
+	imv_scanner_state_t *scanner_state;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	ietf_attr_port_filter_t *port_filter_attr;
+	bool fatal_error = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PORT_FILTER)
+		{
+			scanner_state = (imv_scanner_state_t*)state;
+			port_filter_attr = (ietf_attr_port_filter_t*)attr->get_ref(attr);
+			scanner_state->set_port_filter_attr(scanner_state, port_filter_attr);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (fatal_error)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+
+}
+
+typedef struct port_range_t port_range_t;
+
+struct port_range_t {
+	u_int16_t start, stop;
+};
+
+/**
+ * Parse a TCP or UDP port list from an argument string
+ */
+static linked_list_t* get_port_list(u_int8_t protocol_family,
+									bool closed_port_policy, char *arg_str)
+{
+	chunk_t port_list, port_item, port_start;
+	port_range_t *port_range;
+	linked_list_t *list;
+
+	list = linked_list_create();
+
+	port_list = chunk_from_str(arg_str);
+	DBG2(DBG_IMV, "list of %s ports that %s:",
+		 (protocol_family == IPPROTO_TCP) ? "tcp" : "udp",
+		 closed_port_policy ? "are allowed to be open" : "must be closed");
+
+	while (eat_whitespace(&port_list))
+	{
+		if (!extract_token(&port_item, ' ', &port_list))
+		{
+			/* reached last port item */
+			port_item = port_list;
+			port_list = chunk_empty;
+		}
+		port_range = malloc_thing(port_range_t);
+		port_range->start = atoi(port_item.ptr);
+
+		if (extract_token(&port_start, '-', &port_item) && port_item.len)
+		{
+			port_range->stop = atoi(port_item.ptr);
+		}
+		else
+		{
+			port_range->stop = port_range->start;
+		}
+		DBG2(DBG_IMV, "%5u - %5u", port_range->start, port_range->stop);
+		list->insert_last(list, port_range);
+	}
+
+	return list;
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id)
+{
+	imv_msg_t *out_msg;
+	imv_state_t *state;
+	imv_session_t *session;
+	imv_workitem_t *workitem;
+	imv_scanner_state_t *scanner_state;
+	imv_scanner_handshake_state_t handshake_state;
+	pa_tnc_attr_t *attr;
+	ietf_attr_port_filter_t *port_filter_attr;
+	TNC_IMVID imv_id;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	bool no_workitems = TRUE;
+	enumerator_t *enumerator;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	scanner_state = (imv_scanner_state_t*)state;
+	handshake_state = scanner_state->get_handshake_state(scanner_state);
+	port_filter_attr = scanner_state->get_port_filter_attr(scanner_state);
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	if (handshake_state == IMV_SCANNER_STATE_END)
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
+	/* create an empty out message - we might need it */
+	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+							 msg_types[0]);
+
+	if (!session)
+	{
+		DBG2(DBG_IMV, "no workitems available - no evaluation possible");
+		state->set_recommendation(state,
+							TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+							TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		scanner_state->set_handshake_state(scanner_state, IMV_SCANNER_STATE_END);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	if (handshake_state == IMV_SCANNER_STATE_INIT)
+	{
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
+				{
+					continue;
+				}
+
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_TCP_PORT_OPEN:
+					case IMV_WORKITEM_TCP_PORT_BLOCK:
+					case IMV_WORKITEM_UDP_PORT_OPEN:
+					case IMV_WORKITEM_UDP_PORT_BLOCK:
+						if (!port_filter_attr &&
+							handshake_state != IMV_SCANNER_STATE_ATTR_REQ)
+						{
+							attr = ietf_attr_attr_request_create(PEN_IETF,
+											IETF_ATTR_PORT_FILTER);
+							out_msg->add_attribute(out_msg, attr);
+							handshake_state = IMV_SCANNER_STATE_ATTR_REQ;
+						}
+						break;
+					default:
+						continue;
+				}
+				workitem->set_imv_id(workitem, imv_id);
+				no_workitems = FALSE;
+			}
+			enumerator->destroy(enumerator);
+
+			if (no_workitems)
+			{
+				DBG2(DBG_IMV, "IMV %d has no workitems - "
+							  "no evaluation requested", imv_id);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+			handshake_state = IMV_SCANNER_STATE_WORKITEMS;
+			scanner_state->set_handshake_state(scanner_state, handshake_state);
+		}
+	}
+
+	if (handshake_state == IMV_SCANNER_STATE_WORKITEMS && port_filter_attr)
+	{
+		TNC_IMV_Evaluation_Result eval;
+		TNC_IMV_Action_Recommendation rec;
+		u_int8_t protocol_family, protocol;
+		u_int16_t port;
+		bool closed_port_policy, blocked, first;
+		char result_str[BUF_LEN], *pos, *protocol_str;
+		size_t len;
+		int written;
+		linked_list_t *port_list;
+		enumerator_t *e1, *e2;
+
+		enumerator = session->create_workitem_enumerator(session);
+		while (enumerator->enumerate(enumerator, &workitem))
+		{
+			if (workitem->get_imv_id(workitem) != imv_id)
+			{
+				continue;
+			}
+			eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+
+			switch (workitem->get_type(workitem))
+			{
+				case IMV_WORKITEM_TCP_PORT_OPEN:
+					protocol_family = IPPROTO_TCP;
+					closed_port_policy = TRUE;
+					break;
+				case IMV_WORKITEM_TCP_PORT_BLOCK:
+					protocol_family = IPPROTO_TCP;
+					closed_port_policy = FALSE;
+					break;
+				case IMV_WORKITEM_UDP_PORT_OPEN:
+					protocol_family = IPPROTO_UDP;
+					closed_port_policy = TRUE;
+					break;
+				case IMV_WORKITEM_UDP_PORT_BLOCK:
+					protocol_family = IPPROTO_UDP;
+					closed_port_policy = FALSE;
+					break;
+				default:
+					continue;
+			}
+			port_list = get_port_list(protocol_family, closed_port_policy,
+									  workitem->get_arg_str(workitem));
+			protocol_str = (protocol_family == IPPROTO_TCP) ? "tcp" : "udp";
+			result_str[0] = '\0';
+			pos = result_str;
+			len = BUF_LEN;
+			first = TRUE;
+
+			e1 = port_filter_attr->create_port_enumerator(port_filter_attr);
+			while (e1->enumerate(e1, &blocked, &protocol, &port))
+			{
+				port_range_t *port_range;
+				bool passed, found = FALSE;
+				char buf[20];
+
+				if (blocked || protocol != protocol_family)
+				{
+					/* ignore closed ports or non-matching protocols */
+					continue;
+				}
+
+				e2 = port_list->create_enumerator(port_list);
+				while (e2->enumerate(e2, &port_range))
+				{
+					if (port >= port_range->start && port <= port_range->stop)
+					{
+						found = TRUE;
+						break;
+					}
+				}
+				e2->destroy(e2);
+
+				passed = (closed_port_policy == found);
+				DBG2(DBG_IMV, "%s port %5u open: %s", protocol_str, port,
+							   passed ? "ok" : "fatal");
+				if (!passed)
+				{
+					eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
+					snprintf(buf, sizeof(buf), "%s/%u", protocol_str, port);
+					scanner_state->add_violating_port(scanner_state, strdup(buf));
+					if (first)
+					{
+						written = snprintf(pos, len, "violating %s ports:",
+													  protocol_str);
+						if (written > 0 && written < len)
+						{
+							pos += written;
+							len -= written;
+						}
+						first = FALSE;
+					}
+					written = snprintf(pos, len, " %u", port);
+					if (written < 0 || written >= len)
+					{
+						pos += len - 1;
+						*pos = '\0';
+					}
+					else
+					{
+						pos += written;
+						len -= written;
+					}
+				}
+			}
+			e1->destroy(e1);
+
+			if (first)
+			{
+				snprintf(pos, len, "no violating %s ports", protocol_str);
+			}
+			port_list->destroy(port_list);
+
+			session->remove_workitem(session, enumerator);
+			rec = workitem->set_result(workitem, result_str, eval);
+			state->update_recommendation(state, rec, eval);
+			imcv_db->finalize_workitem(imcv_db, workitem);
+			workitem->destroy(workitem);
+		}
+		enumerator->destroy(enumerator);
+	}
+
+	/* finalized all workitems ? */
+	if (handshake_state == IMV_SCANNER_STATE_WORKITEMS &&
+		session->get_workitem_count(session, imv_id) == 0)
+	{
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		scanner_state->set_handshake_state(scanner_state, IMV_SCANNER_STATE_END);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send non-empty PA-TNC message with excl flag not set */
+	if (out_msg->get_attribute_count(out_msg))
+	{
+		result = out_msg->send(out_msg, FALSE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_scanner_agent_t *this, TNC_ConnectionID id)
+{
+	imv_state_t *state;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_scanner_agent_t *this)
+{
+	this->agent->destroy(this->agent);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_scanner_agent_create(const char *name, TNC_IMVID id,
+										 TNC_Version *actual_version)
+{
+	private_imv_scanner_agent_t *this;
+	imv_agent_t *agent;
+
+	agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+							 actual_version);
+	if (!agent)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = agent,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.h b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.h
new file mode 100644
index 000000000..155453363
--- /dev/null
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_scanner_agent_t imv_scanner_agent
+ * @{ @ingroup imv_scanner
+ */
+
+#ifndef IMV_SCANNER_AGENT_H_
+#define IMV_SCANNER_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates a Scanner IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_scanner_agent_create(const char* name, TNC_IMVID id,
+										 TNC_Version *actual_version);
+
+#endif /** IMV_SCANNER_AGENT_H_ @}*/
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 422cb980d..4c570c46a 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,9 +14,14 @@
  */
 
 #include "imv_scanner_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
+#include "imv/imv_remediation_string.h"
+
+#include <tncif_policy.h>
 
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_imv_scanner_state_t private_imv_scanner_state_t;
 
@@ -50,6 +56,31 @@ struct private_imv_scanner_state_t {
 	bool has_excl;
 
 	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+
+	/**
+	 * Flags set for completed actions
+	 */
+	u_int32_t action_flags;
+
+	/**
+	 * Access Requestor ID Type
+	 */
+	u_int32_t ar_id_type;
+
+	/**
+	 * Access Requestor ID Value
+	 */
+	chunk_t ar_id_value;
+
+	/**
+	 * IMV database session associatied with TNCCS connection
+	 */
+	imv_session_t *session;
+
+	/**
 	 * IMV action recommendation
 	 */
 	TNC_IMV_Action_Recommendation rec;
@@ -60,34 +91,73 @@ struct private_imv_scanner_state_t {
 	TNC_IMV_Evaluation_Result eval;
 
 	/**
-	 * String with list of ports that should be closed
+	 * IMV Scanner handshake state
+	 */
+	imv_scanner_handshake_state_t handshake_state;
+
+	/**
+	 * Copy of the received IEEE Port Filter attribute
+	 */
+	 ietf_attr_port_filter_t *port_filter_attr;
+
+	/**
+	 * List with ports that should be closed
 	 */
-	char *violating_ports;
+	 linked_list_t *violating_ports;
 
 	/**
-	 * Local copy of the reason string
+	 * TNC Reason String
 	 */
-	chunk_t reason_string;
+	imv_reason_string_t *reason_string;
+
+	/**
+	 * IETF Remediation Instructions String
+	 */
+	imv_remediation_string_t *remediation_string;
+
 };
 
-typedef struct entry_t entry_t;
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "fr", "pl" };
 
 /**
- * Define an internal reason string entry
+ * Reason strings for "Port Filter"
  */
-struct entry_t {
-	char *lang;
-	char *string;
+static imv_lang_string_t reasons[] = {
+	{ "en", "Open server ports were detected" },
+	{ "de", "Offene Serverports wurden festgestellt" },
+	{ "fr", "Il y a des ports du serveur ouverts" },
+	{ "pl", "SÄ… otwarte porty serwera" },
+	{ NULL, NULL }
 };
 
 /**
- * Table of multi-lingual reason string entries 
+ * Instruction strings for "Port Filters"
  */
-static entry_t reasons[] = {
-	{ "en", "The following ports are open:" },
-	{ "de", "Die folgenden Ports sind offen" },
-	{ "fr", "Les ports suivants sont ouverts:" },
-	{ "pl", "Następujące porty sa otwarte:" }
+static imv_lang_string_t instr_ports_title[] = {
+	{ "en", "Open Server Ports" },
+	{ "de", "Offene Server Ports" },
+	{ "fr", "Ports ouverts du serveur" },
+	{ "pl", "Otwarte Porty Serwera" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_ports_descr[] = {
+	{ "en", "Open Internet ports have been detected" },
+	{ "de", "Offenen Internet-Ports wurden festgestellt" },
+	{ "fr", "Il y'a des ports Internet ouverts" },
+	{ "pl", "Porty internetowe sÄ… otwarte" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t instr_ports_header[] = {
+	{ "en", "Please close the following server ports:" },
+	{ "de", "Bitte schliessen Sie die folgenden Serverports:" },
+	{ "fr", "Fermez les ports du serveur suivants s'il vous plait:" },
+	{ "pl", "Proszę zamknąć następujące porty serwera:" },
+	{ NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -115,6 +185,59 @@ METHOD(imv_state_t, set_flags, void,
 	this->has_excl = has_excl;
 }
 
+METHOD(imv_state_t, set_max_msg_len, void,
+	private_imv_scanner_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+	private_imv_scanner_state_t *this)
+{
+	return this->max_msg_len;
+}
+
+METHOD(imv_state_t, set_action_flags, void,
+	private_imv_scanner_state_t *this, u_int32_t flags)
+{
+	this->action_flags |= flags;
+}
+
+METHOD(imv_state_t, get_action_flags, u_int32_t,
+	private_imv_scanner_state_t *this)
+{
+	return this->action_flags;
+}
+
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_scanner_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_scanner_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
+METHOD(imv_state_t, set_session, void,
+	private_imv_scanner_state_t *this, imv_session_t *session)
+{
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_scanner_state_t *this)
+{
+	return this->session;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_scanner_state_t *this, TNC_ConnectionState new_state)
 {
@@ -123,7 +246,7 @@ METHOD(imv_state_t, change_state, void,
 
 METHOD(imv_state_t, get_recommendation, void,
 	private_imv_scanner_state_t *this, TNC_IMV_Action_Recommendation *rec,
-									TNC_IMV_Evaluation_Result *eval)
+									   TNC_IMV_Evaluation_Result *eval)
 {
 	*rec = this->rec;
 	*eval = this->eval;
@@ -131,82 +254,112 @@ METHOD(imv_state_t, get_recommendation, void,
 
 METHOD(imv_state_t, set_recommendation, void,
 	private_imv_scanner_state_t *this, TNC_IMV_Action_Recommendation rec,
-									TNC_IMV_Evaluation_Result eval)
+									   TNC_IMV_Evaluation_Result eval)
 {
 	this->rec = rec;
 	this->eval = eval;
 }
 
-METHOD(imv_state_t, get_reason_string, bool,
-	private_imv_scanner_state_t *this, chunk_t preferred_language,
-	chunk_t *reason_string, chunk_t *reason_language)
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_scanner_state_t *this, TNC_IMV_Action_Recommendation rec,
+									   TNC_IMV_Evaluation_Result eval)
 {
-	chunk_t pref_lang, lang;
-	u_char *pos;
-	int i;
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
 
-	if (!this->violating_ports)
+METHOD(imv_state_t, get_reason_string, bool,
+	private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
+{
+	if (this->violating_ports->get_count(this->violating_ports) == 0)
 	{
 		return FALSE;
 	}
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
 
-	while (eat_whitespace(&preferred_language))
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
+	if (this->rec != TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
 	{
-		if (!extract_token(&pref_lang, ',', &preferred_language))
-		{
-			/* last entry in a comma-separated list or single entry */
-			pref_lang = preferred_language;
-		}
-
-		/* eat trailing whitespace */
-		pos = pref_lang.ptr + pref_lang.len - 1;
-		while (pref_lang.len && *pos-- == ' ')
-		{
-			pref_lang.len--;
-		}
-
-		for (i = 0 ; i < countof(reasons); i++)
-		{
-			lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
-			if (chunk_equals(lang, pref_lang))
-			{
-				this->reason_string = chunk_cat("cc",
-									chunk_create(reasons[i].string, 
-												 strlen(reasons[i].string)),
-									chunk_create(this->violating_ports,
-												 strlen(this->violating_ports)));
-				*reason_string = this->reason_string;
-				*reason_language = lang;
-				return TRUE;
-			}
-		}
+		this->reason_string->add_reason(this->reason_string, reasons);
 	}
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
-	/* no preferred language match found - use the default language */
+	return TRUE;
+}
+
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_scanner_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	if (this->violating_ports->get_count(this->violating_ports) == 0)
+	{
+		return FALSE;
+	}
+	*lang_code = imv_lang_string_select_lang(language_enumerator,
+										languages, countof(languages));
+
+	/* Instantiate an IETF Remediation Instructions String object */
+	DESTROY_IF(this->remediation_string);
+	this->remediation_string = imv_remediation_string_create(
+									TRUE, *lang_code);	/* TODO get os_type */
+
+	this->remediation_string->add_instruction(this->remediation_string,
+									instr_ports_title,
+									instr_ports_descr,
+									instr_ports_header,
+									this->violating_ports);
+	*string = this->remediation_string->get_encoding(this->remediation_string);
+	*uri = lib->settings->get_str(lib->settings,
+				"libimcv.plugins.imv-scanner.remediation_uri", NULL);
 
-	this->reason_string =   chunk_cat("cc",
-									chunk_create(reasons[0].string,
-												 strlen(reasons[0].string)),
-									chunk_create(this->violating_ports,
-												 strlen(this->violating_ports)));
-	*reason_string = this->reason_string;
-	*reason_language = chunk_create(reasons[0].lang, 
-									strlen(reasons[0].lang));
 	return TRUE;
 }
 
 METHOD(imv_state_t, destroy, void,
 	private_imv_scanner_state_t *this)
 {
-	free(this->violating_ports);
-	free(this->reason_string.ptr);
+	DESTROY_IF(this->session);
+	DESTROY_IF(this->reason_string);
+	DESTROY_IF(this->remediation_string);
+	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+	this->violating_ports->destroy_function(this->violating_ports, free);
+	free(this->ar_id_value.ptr);
 	free(this);
 }
 
-METHOD(imv_scanner_state_t, set_violating_ports, void,
-	private_imv_scanner_state_t *this, char *ports)
+METHOD(imv_scanner_state_t, set_handshake_state, void,
+	private_imv_scanner_state_t *this, imv_scanner_handshake_state_t new_state)
+{
+	this->handshake_state = new_state;
+}
+
+METHOD(imv_scanner_state_t, get_handshake_state, imv_scanner_handshake_state_t,
+	private_imv_scanner_state_t *this)
+{
+	return this->handshake_state;
+}
+
+METHOD(imv_scanner_state_t, set_port_filter_attr, void,
+	private_imv_scanner_state_t *this, ietf_attr_port_filter_t *attr)
 {
-	this->violating_ports = strdup(ports);
+	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+	this->port_filter_attr = attr;
+}
+
+METHOD(imv_scanner_state_t, get_port_filter_attr, ietf_attr_port_filter_t*,
+	private_imv_scanner_state_t *this)
+{
+	return this->port_filter_attr;
+}
+
+METHOD(imv_scanner_state_t, add_violating_port, void,
+	private_imv_scanner_state_t *this, char *port)
+{
+	this->violating_ports->insert_last(this->violating_ports, port);
 }
 
 /**
@@ -223,20 +376,35 @@ imv_state_t *imv_scanner_state_create(TNC_ConnectionID connection_id)
 				.has_long = _has_long,
 				.has_excl = _has_excl,
 				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
+				.set_action_flags = _set_action_flags,
+				.get_action_flags = _get_action_flags,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session= _get_session,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
 				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
-			.set_violating_ports = _set_violating_ports,
+			.set_handshake_state = _set_handshake_state,
+			.get_handshake_state = _get_handshake_state,
+			.set_port_filter_attr = _set_port_filter_attr,
+			.get_port_filter_attr = _get_port_filter_attr,
+			.add_violating_port = _add_violating_port,
 		},
 		.state = TNC_CONNECTION_STATE_CREATE,
 		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
 		.connection_id = connection_id,
+		.violating_ports = linked_list_create(),
 	);
-	
+
 	return &this->public.interface;
 }
 
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
index 716ddfea0..7f147f864 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,18 +14,33 @@
  */
 
 /**
+ * @defgroup imv_scanner imv_scanner
+ * @ingroup libimcv_plugins
  *
  * @defgroup imv_scanner_state_t imv_scanner_state
- * @{ @ingroup imv_scanner_state
+ * @{ @ingroup imv_scanner
  */
 
 #ifndef IMV_SCANNER_STATE_H_
 #define IMV_SCANNER_STATE_H_
 
 #include <imv/imv_state.h>
+#include <ietf/ietf_attr_port_filter.h>
+
 #include <library.h>
 
 typedef struct imv_scanner_state_t imv_scanner_state_t;
+typedef enum imv_scanner_handshake_state_t imv_scanner_handshake_state_t;
+
+/**
+ * IMV Scanner Handshake States (state machine)
+ */
+enum imv_scanner_handshake_state_t {
+	IMV_SCANNER_STATE_INIT,
+	IMV_SCANNER_STATE_ATTR_REQ,
+	IMV_SCANNER_STATE_WORKITEMS,
+	IMV_SCANNER_STATE_END
+};
 
 /**
  * Internal state of an imv_scanner_t connection instance
@@ -37,9 +53,39 @@ struct imv_scanner_state_t {
 	imv_state_t interface;
 
 	/**
-	 * list of violating TCP and UDP ports
+	 * Set state of the handshake
+	 *
+	 * @param new_state			the handshake state of IMV
+	 */
+	void (*set_handshake_state)(imv_scanner_state_t *this,
+								imv_scanner_handshake_state_t new_state);
+
+	/**
+	 * Get state of the handshake
+	 *
+	 * @return					the handshake state of IMV
+	 */
+	imv_scanner_handshake_state_t (*get_handshake_state)(imv_scanner_state_t *this);
+
+	/**
+	 * Store an IETF Port Filter attribute for later evaluation
+	 *
+	 * @param attr				IETF Port Filter attribute
+	 */
+	void (*set_port_filter_attr)(imv_scanner_state_t *this,
+								 ietf_attr_port_filter_t *attr);
+
+	/**
+	 * Get the stored IETF Port Filter attribute
+	 *
+	 * @return					IETF Port Filter attribute
+	 */
+	ietf_attr_port_filter_t* (*get_port_filter_attr)(imv_scanner_state_t *this);
+
+	/**
+	 * add a violating TCP or UDP port
 	 */
-	void (*set_violating_ports)(imv_scanner_state_t *this, char *ports);
+	void (*add_violating_port)(imv_scanner_state_t *this, char *port);
 };
 
 /**
diff --git a/src/libimcv/plugins/imv_test/Makefile.am b/src/libimcv/plugins/imv_test/Makefile.am
index 4ca5b852b..34922867e 100644
--- a/src/libimcv/plugins/imv_test/Makefile.am
+++ b/src/libimcv/plugins/imv_test/Makefile.am
@@ -1,15 +1,18 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imv-test.la
 
 imv_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_test_la_SOURCES = imv_test.c imv_test_state.h imv_test_state.c
+imv_test_la_SOURCES = \
+	imv_test.c imv_test_state.h imv_test_state.c \
+	imv_test_agent.h imv_test_agent.c
 
 imv_test_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index e51ad9afd..e77573395 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,51 +90,86 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_test_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_imv_test_la_OBJECTS = imv_test.lo imv_test_state.lo
+am_imv_test_la_OBJECTS = imv_test.lo imv_test_state.lo \
+	imv_test_agent.lo
 imv_test_la_OBJECTS = $(am_imv_test_la_OBJECTS)
-imv_test_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_test_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(imv_test_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imv_test_la_SOURCES)
 DIST_SOURCES = $(imv_test_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -125,13 +178,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -144,6 +200,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -171,11 +228,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -183,6 +242,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -191,8 +251,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -201,14 +259,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -222,17 +285,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -242,16 +305,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -279,15 +341,22 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
+
 imcv_LTLIBRARIES = imv-test.la
 imv_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
-imv_test_la_SOURCES = imv_test.c imv_test_state.h imv_test_state.c
+imv_test_la_SOURCES = \
+	imv_test.c imv_test_state.h imv_test_state.c \
+	imv_test_agent.h imv_test_agent.c
+
 imv_test_la_LDFLAGS = -module -avoid-version
 all: all-am
 
@@ -325,7 +394,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -333,6 +401,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -354,8 +424,8 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imv-test.la: $(imv_test_la_OBJECTS) $(imv_test_la_DEPENDENCIES) 
-	$(imv_test_la_LINK) -rpath $(imcvdir) $(imv_test_la_OBJECTS) $(imv_test_la_LIBADD) $(LIBS)
+imv-test.la: $(imv_test_la_OBJECTS) $(imv_test_la_DEPENDENCIES) $(EXTRA_imv_test_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imv_test_la_LINK) -rpath $(imcvdir) $(imv_test_la_OBJECTS) $(imv_test_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -364,28 +434,29 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_test.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_test_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_test_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -492,10 +563,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libimcv/plugins/imv_test/imv_test.c b/src/libimcv/plugins/imv_test/imv_test.c
index 0afd81aec..964faef65 100644
--- a/src/libimcv/plugins/imv_test/imv_test.c
+++ b/src/libimcv/plugins/imv_test/imv_test.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -12,304 +13,12 @@
  * for more details.
  */
 
-#include "imv_test_state.h"
-
-#include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ita/ita_attr.h>
-#include <ita/ita_attr_command.h>
-
-#include <tncif_names.h>
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <debug.h>
-
-/* IMV definitions */
+#include "imv_test_agent.h"
 
 static const char imv_name[] = "Test";
+static const imv_agent_create_t imv_agent_create = imv_test_agent_create;
 
-#define IMV_VENDOR_ID	PEN_ITA
-#define IMV_SUBTYPE		PA_SUBTYPE_ITA_TEST
-
-static imv_agent_t *imv_test;
-
-/**
- * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
-							  TNC_Version min_version,
-							  TNC_Version max_version,
-							  TNC_Version *actual_version)
-{
-	if (imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
-		return TNC_RESULT_ALREADY_INITIALIZED;
-	}
-	imv_test = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
-								imv_id, actual_version);
-	if (!imv_test)
-	{
-		return TNC_RESULT_FATAL;
-	}
-	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
-	{
-		DBG1(DBG_IMV, "no common IF-IMV version");
-		return TNC_RESULT_NO_COMMON_VERSION;
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
-										  TNC_ConnectionID connection_id,
-										  TNC_ConnectionState new_state)
-{
-	imv_state_t *state;
-
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	switch (new_state)
-	{
-		case TNC_CONNECTION_STATE_CREATE:
-			state = imv_test_state_create(connection_id);
-			return imv_test->create_state(imv_test, state);
-		case TNC_CONNECTION_STATE_DELETE:
-			return imv_test->delete_state(imv_test, connection_id);
-		default:
-			return imv_test->change_state(imv_test, connection_id,
-										  new_state, NULL);
-	}
-}
-
-static TNC_Result receive_message(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id)
-{
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	imv_state_t *state;
-	imv_test_state_t *test_state;
-	enumerator_t *enumerator;
-	TNC_Result result;
-	int rounds;
-	bool fatal_error, retry = FALSE;
-
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMV state */
-	if (!imv_test->get_state(imv_test, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	test_state = (imv_test_state_t*)state;
-
-	/* parse received PA-TNC message and automatically handle any errors */ 
-	result = imv_test->receive_message(imv_test, state, msg, msg_vid,
-					 		msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
-	{
-		return result;
-	}
-
-	/* preprocess any IETF standard error attributes */
-	fatal_error = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg);
-
-	/* add any new IMC and set its number of rounds */
-	rounds = lib->settings->get_int(lib->settings,
-								"libimcv.plugins.imv-test.rounds", 0);
-	test_state->add_imc(test_state, src_imc_id, rounds);
-
-	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		if (attr->get_vendor_id(attr) == PEN_ITA &&
-			attr->get_type(attr) == ITA_ATTR_COMMAND)
-		{
-			ita_attr_command_t *ita_attr;
-			char *command;
-	
-			ita_attr = (ita_attr_command_t*)attr;
-			command = ita_attr->get_command(ita_attr);
+/* include generic TGC TNC IF-IMV API code below */
 
-			if (streq(command, "allow"))
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);			  
-			}
-			else if (streq(command, "isolate"))
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);			  
-			}
-			else if (streq(command, "block") || streq(command, "none"))
-			{
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);			  
-			}
-			else if (streq(command, "retry"))
-			{
-				retry = TRUE;
-			}
-			else
-			{
-				DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
-				state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);			  
-			}
-		}		
-	}
-	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
+#include <imv/imv_if.h>
 
-	if (fatal_error)
-	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);			  
-		return imv_test->provide_recommendation(imv_test, connection_id);
-	}
-
-	/* request a handshake retry ? */
-	if (retry)
-	{
-		test_state->set_rounds(test_state, rounds);
-		return imv_test->request_handshake_retry(imv_id, connection_id,
-								TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
-	}
-	
-	/* repeat the measurement ? */
-	if (test_state->another_round(test_state, src_imc_id))
-	{
-		attr = ita_attr_command_create("repeat");
-		pa_tnc_msg = pa_tnc_msg_create();
-		pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
-		pa_tnc_msg->build(pa_tnc_msg);
-		result = imv_test->send_message(imv_test, connection_id, TRUE, imv_id,
-							src_imc_id, pa_tnc_msg->get_encoding(pa_tnc_msg));	
-		pa_tnc_msg->destroy(pa_tnc_msg);
-
-		return result;
-	}
-
-	return imv_test->provide_recommendation(imv_test, connection_id);
-}
-
-/**
- * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_BufferReference msg,
-								  TNC_UInt32 msg_len,
-								  TNC_MessageType msg_type)
-{
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
-
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
-
-	return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMVID_ANY);
-}
-
-/**
- * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
-									  TNC_ConnectionID connection_id,
-									  TNC_UInt32 msg_flags,
-									  TNC_BufferReference msg,
-									  TNC_UInt32 msg_len,
-									  TNC_VendorID msg_vid,
-									  TNC_MessageSubtype msg_subtype,
-									  TNC_UInt32 src_imc_id,
-									  TNC_UInt32 dst_imv_id)
-{
-	return receive_message(imv_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imc_id, dst_imv_id);
-}
-
-/**
- * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
-										 TNC_ConnectionID connection_id)
-{
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_test->provide_recommendation(imv_test, connection_id);
-}
-
-/**
- * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id)
-{
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
-{
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	imv_test->destroy(imv_test);
-	imv_test = NULL;
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
-									   TNC_TNCS_BindFunctionPointer bind_function)
-{
-	if (!imv_test)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_test->bind_functions(imv_test, bind_function);
-}
diff --git a/src/libimcv/plugins/imv_test/imv_test_agent.c b/src/libimcv/plugins/imv_test/imv_test_agent.c
new file mode 100644
index 000000000..87d69373f
--- /dev/null
+++ b/src/libimcv/plugins/imv_test/imv_test_agent.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_test_agent.h"
+#include "imv_test_state.h"
+
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_get_settings.h>
+#include <ita/ita_attr_command.h>
+#include <ita/ita_attr_dummy.h>
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_imv_test_agent_t private_imv_test_agent_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_ITA, PA_SUBTYPE_ITA_TEST }
+};
+
+/**
+ * Private data of an imv_test_agent_t object.
+ */
+struct private_imv_test_agent_t {
+
+	/**
+	 * Public members of imv_test_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_test_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_test_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_test_agent_t *this, imv_state_t *state,
+							  imv_msg_t *in_msg)
+{
+	imv_msg_t *out_msg;
+	imv_test_state_t *test_state;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t attr_type;
+	TNC_Result result;
+	int rounds;
+	bool fatal_error = FALSE, received_command = FALSE, retry = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	/* add any new IMC and set its number of rounds */
+	rounds = lib->settings->get_int(lib->settings,
+								"libimcv.plugins.imv-test.rounds", 0);
+	test_state = (imv_test_state_t*)state;
+	test_state->add_imc(test_state, in_msg->get_src_id(in_msg), rounds);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		attr_type = attr->get_type(attr);
+
+		if (attr_type.vendor_id != PEN_ITA)
+		{
+			continue;
+		}
+		if (attr_type.type == ITA_ATTR_COMMAND)
+		{
+			ita_attr_command_t *ita_attr;
+			char *command;
+
+			received_command = TRUE;
+			ita_attr = (ita_attr_command_t*)attr;
+			command = ita_attr->get_command(ita_attr);
+
+			if (streq(command, "allow"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+			}
+			else if (streq(command, "isolate"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
+			}
+			else if (streq(command, "block") || streq(command, "none"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
+			}
+			else if (streq(command, "retry"))
+			{
+				retry = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+			}
+		}
+		else if (attr_type.type == ITA_ATTR_DUMMY)
+		{
+			ita_attr_dummy_t *ita_attr;
+
+			ita_attr = (ita_attr_dummy_t*)attr;
+			DBG1(DBG_IMV, "received dummy attribute value (%d bytes)",
+						   ita_attr->get_size(ita_attr));
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (fatal_error)
+	{
+		state->set_recommendation(state,
+							TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+							TNC_IMV_EVALUATION_RESULT_ERROR);
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}  
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* request a handshake retry ? */
+	if (retry)
+	{
+		test_state->set_rounds(test_state, rounds);
+		return this->agent->request_handshake_retry(
+									this->agent->get_id(this->agent),
+									state->get_connection_id(state),
+									TNC_RETRY_REASON_IMV_SERIOUS_EVENT);
+	}
+
+	/* repeat the measurement ? */
+	if (test_state->another_round(test_state, in_msg->get_src_id(in_msg)))
+	{
+		out_msg = imv_msg_create_as_reply(in_msg);
+		attr = ita_attr_command_create("repeat");
+		out_msg->add_attribute(out_msg, attr);
+
+		/* send PA-TNC message with excl flag set */
+		result = out_msg->send(out_msg, TRUE);	
+		out_msg->destroy(out_msg);
+
+		return result;
+	}
+
+	if (received_command)
+	{
+		out_msg = imv_msg_create_as_reply(in_msg);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}  
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+	else
+	{	
+		return TNC_RESULT_SUCCESS;
+	}
+ }
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id)
+{
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_test_agent_t *this, TNC_ConnectionID id)
+{
+	imv_state_t *state;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_test_agent_t *this)
+{
+	DESTROY_IF(this->agent);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_test_agent_create(const char *name, TNC_IMVID id,
+									  TNC_Version *actual_version)
+{
+	private_imv_test_agent_t *this;
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+								  actual_version),
+	);
+
+	if (!this->agent)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
diff --git a/src/libimcv/plugins/imv_test/imv_test_agent.h b/src/libimcv/plugins/imv_test/imv_test_agent.h
new file mode 100644
index 000000000..15508d375
--- /dev/null
+++ b/src/libimcv/plugins/imv_test/imv_test_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_test_agent_t imv_test_agent
+ * @{ @ingroup imv_test
+ */
+
+#ifndef IMV_TEST_AGENT_H_
+#define IMV_TEST_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates a Test IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_test_agent_create(const char* name, TNC_IMVID id,
+									  TNC_Version *actual_version);
+
+#endif /** IMV_TEST_AGENT_H_ @}*/
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index 530090af7..0da09df67 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,10 +14,14 @@
  */
 
 #include "imv_test_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
+
+#include <tncif_policy.h>
 
 #include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_imv_test_state_t private_imv_test_state_t;
 
@@ -51,6 +56,26 @@ struct private_imv_test_state_t {
 	bool has_excl;
 
 	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+
+	/**
+	 * Access Requestor ID Type
+	 */
+	u_int32_t ar_id_type;
+
+	/**
+	 * Access Requestor ID Value
+	 */
+	chunk_t ar_id_value;
+
+	/**
+	 * IMV database session associated with TNCCS connection
+	 */
+	imv_session_t *session;
+
+	/**
 	 * IMV action recommendation
 	 */
 	TNC_IMV_Action_Recommendation rec;
@@ -61,6 +86,11 @@ struct private_imv_test_state_t {
 	TNC_IMV_Evaluation_Result eval;
 
 	/**
+	 * TNC Reason String
+	 */
+	imv_reason_string_t *reason_string;
+
+	/**
 	 * List of IMCs
 	 */
 	linked_list_t *imcs;
@@ -77,24 +107,20 @@ struct imc_entry_t {
 	int rounds;
 };
 
-typedef struct entry_t entry_t;
-
 /**
- * Define an internal reason string entry
+ * Supported languages
  */
-struct entry_t {
-	char *lang;
-	char *string;
-};
+static char* languages[] = { "en", "de", "fr", "pl" };
 
 /**
- * Table of multi-lingual reason string entries 
+ * Table of reason strings
  */
-static entry_t reasons[] = {
+static imv_lang_string_t reasons[] = {
 	{ "en", "IMC Test was not configured with \"command = allow\"" },
 	{ "de", "IMC Test wurde nicht mit \"command = allow\" konfiguriert" },
 	{ "fr", "IMC Test n'etait pas configuré avec \"command = allow\"" },
-	{ "pl", "IMC Test nie zostało skonfigurowany z \"command = allow\"" }
+	{ "pl", "IMC Test nie zostało skonfigurowany z \"command = allow\"" },
+	{ NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -122,6 +148,47 @@ METHOD(imv_state_t, set_flags, void,
 	this->has_excl = has_excl;
 }
 
+METHOD(imv_state_t, set_max_msg_len, void,
+	private_imv_test_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+	private_imv_test_state_t *this)
+{
+	return this->max_msg_len;
+}
+
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_test_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_test_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
+METHOD(imv_state_t, set_session, void,
+	private_imv_test_state_t *this, imv_session_t *session)
+{
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_test_state_t *this)
+{
+	return this->session;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_test_state_t *this, TNC_ConnectionState new_state)
 {
@@ -144,54 +211,44 @@ METHOD(imv_state_t, set_recommendation, void,
 	this->eval = eval;
 }
 
-METHOD(imv_state_t, get_reason_string, bool,
-	private_imv_test_state_t *this, chunk_t preferred_language,
-	chunk_t *reason_string, chunk_t *reason_language)
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_test_state_t *this, TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Evaluation_Result eval)
 {
-	chunk_t pref_lang, lang;
-	u_char *pos;
-	int i;
-
-	while (eat_whitespace(&preferred_language))
-	{
-		if (!extract_token(&pref_lang, ',', &preferred_language))
-		{
-			/* last entry in a comma-separated list or single entry */
-			pref_lang = preferred_language;
-		}
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
 
-		/* eat trailing whitespace */
-		pos = pref_lang.ptr + pref_lang.len - 1;
-		while (pref_lang.len && *pos-- == ' ')
-		{
-			pref_lang.len--;
-		}
+METHOD(imv_state_t, get_reason_string, bool,
+	private_imv_test_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
+{
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
 
-		for (i = 0 ; i < countof(reasons); i++)
-		{
-			lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
-			if (chunk_equals(lang, pref_lang))
-			{
-				*reason_language = lang;
-				*reason_string = chunk_create(reasons[i].string, 
-										strlen(reasons[i].string));
-				return TRUE;
-			}
-		}
-	}
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
+	this->reason_string->add_reason(this->reason_string, reasons);
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
-	/* no preferred language match found - use the default language */
-	*reason_string =   chunk_create(reasons[0].string,
-									strlen(reasons[0].string));
-	*reason_language = chunk_create(reasons[0].lang, 
-									strlen(reasons[0].lang));
 	return TRUE;
 }
 
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_test_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	return FALSE;
+}
+
 METHOD(imv_state_t, destroy, void,
 	private_imv_test_state_t *this)
 {
+	DESTROY_IF(this->session);
+	DESTROY_IF(this->reason_string);
 	this->imcs->destroy_function(this->imcs, free);
+	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -256,8 +313,8 @@ METHOD(imv_test_state_t, another_round, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
-	
-	return not_finished;	
+
+	return not_finished;
 }
 
 /**
@@ -274,10 +331,18 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
 				.has_long = _has_long,
 				.has_excl = _has_excl,
 				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session = _get_session,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
 				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
 			.add_imc = _add_imc,
@@ -290,7 +355,7 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
 		.connection_id = connection_id,
 		.imcs = linked_list_create(),
 	);
-	
+
 	return &this->public.interface;
 }
 
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.h b/src/libimcv/plugins/imv_test/imv_test_state.h
index af78d1470..2de5b6ffc 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.h
+++ b/src/libimcv/plugins/imv_test/imv_test_state.h
@@ -13,9 +13,11 @@
  */
 
 /**
+ * @defgroup imv_test imv_test
+ * @ingroup libimcv_plugins
  *
  * @defgroup imv_test_state_t imv_test_state
- * @{ @ingroup imv_test_state
+ * @{ @ingroup imv_test
  */
 
 #ifndef IMV_TEST_STATE_H_
diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk
new file mode 100644
index 000000000..37f400fc3
--- /dev/null
+++ b/src/libipsec/Android.mk
@@ -0,0 +1,40 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# copy-n-paste from Makefile.am
+libipsec_la_SOURCES := \
+ipsec.c ipsec.h \
+esp_context.c esp_context.h \
+esp_packet.c esp_packet.h \
+ip_packet.c ip_packet.h \
+ipsec_event_listener.h \
+ipsec_event_relay.c ipsec_event_relay.h \
+ipsec_policy.c ipsec_policy.h \
+ipsec_policy_mgr.c ipsec_policy_mgr.h \
+ipsec_processor.c ipsec_processor.h \
+ipsec_sa.c ipsec_sa.h \
+ipsec_sa_mgr.c ipsec_sa_mgr.h
+
+LOCAL_SRC_FILES := $(filter %.c,$(libipsec_la_SOURCES))
+
+# build libipsec ---------------------------------------------------------------
+
+LOCAL_C_INCLUDES += \
+	$(libvstr_PATH) \
+	$(strongswan_PATH)/src/include \
+	$(strongswan_PATH)/src/libstrongswan
+
+LOCAL_CFLAGS := $(strongswan_CFLAGS)
+
+LOCAL_MODULE := libipsec
+
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_ARM_MODE := arm
+
+LOCAL_PRELINK_MODULE := false
+
+LOCAL_SHARED_LIBRARIES += libstrongswan
+
+include $(BUILD_SHARED_LIBRARY)
+
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
new file mode 100644
index 000000000..74379f1d5
--- /dev/null
+++ b/src/libipsec/Makefile.am
@@ -0,0 +1,30 @@
+ipseclib_LTLIBRARIES = libipsec.la
+
+libipsec_la_SOURCES = \
+ipsec.c ipsec.h \
+esp_context.c esp_context.h \
+esp_packet.c esp_packet.h \
+ip_packet.c ip_packet.h \
+ipsec_event_listener.h \
+ipsec_event_relay.c ipsec_event_relay.h \
+ipsec_policy.c ipsec_policy.h \
+ipsec_policy_mgr.c ipsec_policy_mgr.h \
+ipsec_processor.c ipsec_processor.h \
+ipsec_sa.c ipsec_sa.h \
+ipsec_sa_mgr.c ipsec_sa_mgr.h
+
+libipsec_la_LIBADD =
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+EXTRA_DIST = Android.mk
+
+# build optional plugins
+########################
+
+if MONOLITHIC
+SUBDIRS =
+else
+SUBDIRS = .
+endif
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
new file mode 100644
index 000000000..3dbf34ed2
--- /dev/null
+++ b/src/libipsec/Makefile.in
@@ -0,0 +1,838 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libipsec
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+libipsec_la_DEPENDENCIES =
+am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \
+	ip_packet.lo ipsec_event_relay.lo ipsec_policy.lo \
+	ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \
+	ipsec_sa_mgr.lo
+libipsec_la_OBJECTS = $(am_libipsec_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libipsec_la_SOURCES)
+DIST_SOURCES = $(libipsec_la_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+	html-recursive info-recursive install-data-recursive \
+	install-dvi-recursive install-exec-recursive \
+	install-html-recursive install-info-recursive \
+	install-pdf-recursive install-ps-recursive install-recursive \
+	installcheck-recursive installdirs-recursive pdf-recursive \
+	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
+	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
+	distdir
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = .
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+ipseclib_LTLIBRARIES = libipsec.la
+libipsec_la_SOURCES = \
+ipsec.c ipsec.h \
+esp_context.c esp_context.h \
+esp_packet.c esp_packet.h \
+ip_packet.c ip_packet.h \
+ipsec_event_listener.h \
+ipsec_event_relay.c ipsec_event_relay.h \
+ipsec_policy.c ipsec_policy.h \
+ipsec_policy_mgr.c ipsec_policy_mgr.h \
+ipsec_processor.c ipsec_processor.h \
+ipsec_sa.c ipsec_sa.h \
+ipsec_sa_mgr.c ipsec_sa_mgr.h
+
+libipsec_la_LIBADD = 
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+EXTRA_DIST = Android.mk
+@MONOLITHIC_FALSE@SUBDIRS = .
+
+# build optional plugins
+########################
+@MONOLITHIC_TRUE@SUBDIRS = 
+all: all-recursive
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libipsec/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libipsec/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
+	}
+
+uninstall-ipseclibLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \
+	done
+
+clean-ipseclibLTLIBRARIES:
+	-test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
+	@list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libipsec.la: $(libipsec_la_OBJECTS) $(libipsec_la_DEPENDENCIES) $(EXTRA_libipsec_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libipsec_la_OBJECTS) $(libipsec_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/esp_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/esp_packet.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip_packet.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_event_relay.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_policy.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_policy_mgr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_processor.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_sa.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_sa_mgr.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+	@fail= failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+$(RECURSIVE_CLEAN_TARGETS):
+	@fail= failcom='exit 1'; \
+	for f in x $$MAKEFLAGS; do \
+	  case $$f in \
+	    *=* | --[!k]*);; \
+	    *k*) failcom='fail=yes';; \
+	  esac; \
+	done; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+ctags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+	done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-recursive
+all-am: Makefile $(LTLIBRARIES)
+installdirs: installdirs-recursive
+installdirs-am:
+	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-recursive
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+html-am:
+
+info: info-recursive
+
+info-am:
+
+install-data-am: install-ipseclibLTLIBRARIES
+
+install-dvi: install-dvi-recursive
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-recursive
+
+install-html-am:
+
+install-info: install-info-recursive
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-pdf-am:
+
+install-ps: install-ps-recursive
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-ipseclibLTLIBRARIES
+
+.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
+	install-am install-strip tags-recursive
+
+.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
+	all all-am check check-am clean clean-generic \
+	clean-ipseclibLTLIBRARIES clean-libtool ctags ctags-recursive \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-ipseclibLTLIBRARIES install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
new file mode 100644
index 000000000..bbcb62add
--- /dev/null
+++ b/src/libipsec/esp_context.c
@@ -0,0 +1,345 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <limits.h>
+#include <stdint.h>
+
+#include "esp_context.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+/**
+ * Should be a multiple of 8
+ */
+#define ESP_DEFAULT_WINDOW_SIZE 128
+
+typedef struct private_esp_context_t private_esp_context_t;
+
+/**
+ * Private additions to esp_context_t.
+ */
+struct private_esp_context_t {
+
+	/**
+	 * Public members
+	 */
+	esp_context_t public;
+
+	/**
+	 * AEAD wrapper or method to encrypt/decrypt/authenticate ESP packets
+	 */
+	aead_t *aead;
+
+	/**
+	 * The highest sequence number that was successfully verified
+	 * and authenticated, or assigned in an outbound context
+	 */
+	u_int32_t last_seqno;
+
+	/**
+	 * The bit in the window of the highest authenticated sequence number
+	 */
+	u_int seqno_index;
+
+	/**
+	 * The size of the anti-replay window (in bits)
+	 */
+	u_int window_size;
+
+	/**
+	 * The anti-replay window buffer
+	 */
+	chunk_t window;
+
+	/**
+	 * TRUE in case of an inbound ESP context
+	 */
+	bool inbound;
+};
+
+/**
+ * Set or unset a bit in the window.
+ */
+static inline void set_window_bit(private_esp_context_t *this,
+								  u_int index, bool set)
+{
+	u_int i = index / CHAR_BIT;
+
+	if (set)
+	{
+		this->window.ptr[i] |= 1 << (index % CHAR_BIT);
+	}
+	else
+	{
+		this->window.ptr[i] &= ~(1 << (index % CHAR_BIT));
+	}
+}
+
+/**
+ * Get a bit from the window.
+ */
+static inline bool get_window_bit(private_esp_context_t *this, u_int index)
+{
+	u_int i = index / CHAR_BIT;
+
+	return this->window.ptr[i] & (1 << index % CHAR_BIT);
+}
+
+/**
+ * Returns TRUE if the supplied seqno is not already marked in the window
+ */
+static bool check_window(private_esp_context_t *this, u_int32_t seqno)
+{
+	u_int offset;
+
+	offset = this->last_seqno - seqno;
+	offset = (this->seqno_index - offset) % this->window_size;
+	return !get_window_bit(this, offset);
+}
+
+METHOD(esp_context_t, verify_seqno, bool,
+	private_esp_context_t *this, u_int32_t seqno)
+{
+	if (!this->inbound)
+	{
+		return FALSE;
+	}
+
+	if (seqno > this->last_seqno)
+	{	/*       |----------------------------------------|
+		 *  <---------^   ^   or    <---------^     ^
+		 *     WIN    H   S            WIN    H     S
+		 */
+		return TRUE;
+	}
+	else if (seqno > 0 && this->window_size > this->last_seqno - seqno)
+	{	/*       |----------------------------------------|
+		 *  <---------^      or     <---------^
+		 *     WIN ^  H                WIN ^  H
+		 *         S                       S
+		 */
+		return check_window(this, seqno);
+	}
+	else
+	{	/*       |----------------------------------------|
+		 *                       ^  <---------^
+		 *                       S     WIN    H
+		 */
+		return FALSE;
+	}
+}
+
+METHOD(esp_context_t, set_authenticated_seqno, void,
+	private_esp_context_t *this, u_int32_t seqno)
+{
+	u_int i, shift;
+
+	if (!this->inbound)
+	{
+		return;
+	}
+
+	if (seqno > this->last_seqno)
+	{	/* shift the window to the new highest authenticated seqno */
+		shift = seqno - this->last_seqno;
+		shift = shift < this->window_size ? shift : this->window_size;
+		for (i = 0; i < shift; ++i)
+		{
+			this->seqno_index = (this->seqno_index + 1) % this->window_size;
+			set_window_bit(this, this->seqno_index, FALSE);
+		}
+		set_window_bit(this, this->seqno_index, TRUE);
+		this->last_seqno = seqno;
+	}
+	else
+	{	/* seqno is inside the window, set the corresponding window bit */
+		i = this->last_seqno - seqno;
+		set_window_bit(this, (this->seqno_index - i) % this->window_size, TRUE);
+	}
+}
+
+METHOD(esp_context_t, get_seqno, u_int32_t,
+	private_esp_context_t *this)
+{
+	return this->last_seqno;
+}
+
+METHOD(esp_context_t, next_seqno, bool,
+	private_esp_context_t *this, u_int32_t *seqno)
+{
+	if (this->inbound || this->last_seqno == UINT32_MAX)
+	{	/* inbound or segno would cycle */
+		return FALSE;
+	}
+	*seqno = ++this->last_seqno;
+	return TRUE;
+}
+
+METHOD(esp_context_t, get_aead, aead_t*,
+	private_esp_context_t *this)
+{
+	return this->aead;
+}
+
+METHOD(esp_context_t, destroy, void,
+	private_esp_context_t *this)
+{
+	chunk_free(&this->window);
+	DESTROY_IF(this->aead);
+	free(this);
+}
+
+/**
+ * Create an AEAD algorithm
+ */
+static bool create_aead(private_esp_context_t *this, int alg,
+						chunk_t key)
+{
+	switch (alg)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			/* the key includes a 4 byte salt */
+			this->aead = lib->crypto->create_aead(lib->crypto, alg, key.len-4);
+			break;
+		default:
+			break;
+	}
+	if (!this->aead)
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD "
+			 "algorithm");
+		return FALSE;
+	}
+	if (!this->aead->set_key(this->aead, key))
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: setting AEAD key failed");
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Create AEAD wrapper around traditional encryption/integrity algorithms
+ */
+static bool create_traditional(private_esp_context_t *this, int enc_alg,
+							   chunk_t enc_key, int int_alg, chunk_t int_key)
+{
+	crypter_t *crypter = NULL;
+	signer_t *signer = NULL;
+
+	switch (enc_alg)
+	{
+		case ENCR_AES_CBC:
+			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
+												  enc_key.len);
+			break;
+		default:
+			break;
+	}
+	if (!crypter)
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption "
+			 "algorithm");
+		goto failed;
+	}
+	if (!crypter->set_key(crypter, enc_key))
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: setting encryption key "
+			 "failed");
+		goto failed;
+	}
+
+	switch (int_alg)
+	{
+		case AUTH_HMAC_SHA1_96:
+		case AUTH_HMAC_SHA2_256_128:
+		case AUTH_HMAC_SHA2_384_192:
+		case AUTH_HMAC_SHA2_512_256:
+			signer = lib->crypto->create_signer(lib->crypto, int_alg);
+			break;
+		default:
+			break;
+	}
+	if (!signer)
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: unsupported integrity "
+			 "algorithm");
+		goto failed;
+	}
+	if (!signer->set_key(signer, int_key))
+	{
+		DBG1(DBG_ESP, "failed to create ESP context: setting signature key "
+			 "failed");
+		goto failed;
+	}
+	this->aead = aead_create(crypter, signer);
+	return TRUE;
+
+failed:
+	DESTROY_IF(crypter);
+	DESTROY_IF(signer);
+	return FALSE;
+}
+
+/**
+ * Described in header.
+ */
+esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key,
+								  int int_alg, chunk_t int_key, bool inbound)
+{
+	private_esp_context_t *this;
+
+	INIT(this,
+		.public = {
+			.get_aead = _get_aead,
+			.get_seqno = _get_seqno,
+			.next_seqno = _next_seqno,
+			.verify_seqno = _verify_seqno,
+			.set_authenticated_seqno = _set_authenticated_seqno,
+			.destroy = _destroy,
+		},
+		.inbound = inbound,
+		.window_size = ESP_DEFAULT_WINDOW_SIZE,
+	);
+
+	if (encryption_algorithm_is_aead(enc_alg))
+	{
+		if (!create_aead(this, enc_alg, enc_key))
+		{
+			destroy(this);
+			return NULL;
+		}
+	}
+	else
+	{
+		if (!create_traditional(this, enc_alg, enc_key, int_alg, int_key))
+		{
+			destroy(this);
+			return NULL;
+		}
+	}
+
+	if (inbound)
+	{
+		this->window = chunk_alloc(this->window_size / CHAR_BIT + 1);
+		memset(this->window.ptr, 0, this->window.len);
+	}
+	return &this->public;
+}
diff --git a/src/libipsec/esp_context.h b/src/libipsec/esp_context.h
new file mode 100644
index 000000000..b33daf589
--- /dev/null
+++ b/src/libipsec/esp_context.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup esp_context esp_context
+ * @{ @ingroup libipsec
+ */
+
+#ifndef ESP_CONTEXT_H_
+#define ESP_CONTEXT_H_
+
+#include <library.h>
+#include <crypto/aead.h>
+
+typedef struct esp_context_t esp_context_t;
+
+/**
+ *  ESP context, handles sequence numbers and maintains cryptographic primitives
+ */
+struct esp_context_t {
+
+	/**
+	 * Get AEAD wrapper or method to encrypt/decrypt/authenticate ESP packets.
+	 *
+	 * @return				AEAD wrapper of method
+	 */
+	aead_t *(*get_aead)(esp_context_t *this);
+
+	/**
+	 * Get the current outbound ESP sequence number or the highest authenticated
+	 * inbound sequence number.
+	 *
+	 * @return			current sequence number, in host byte order
+	 */
+	u_int32_t (*get_seqno)(esp_context_t *this);
+
+	/**
+	 * Allocate the next outbound ESP sequence number.
+	 *
+	 * @param seqno		the sequence number, in host byte order
+	 * @return			FALSE if the sequence number cycled or inbound context
+	 */
+	bool (*next_seqno)(esp_context_t *this, u_int32_t *seqno);
+
+	/**
+	 * Verify an ESP sequence number.  Checks whether a packet with this
+	 * sequence number was already received, using the anti-replay window.
+	 * This operation does not modify the internal state.  After the sequence
+	 * number is successfully verified and the ESP packet is authenticated,
+	 * set_authenticated_seqno() should be called.
+	 *
+	 * @param seqno		the sequence number to verify, in host byte order
+	 * @return			TRUE when sequence number is valid
+	 */
+	bool (*verify_seqno)(esp_context_t *this, u_int32_t seqno);
+
+	/**
+	 * Adds a sequence number that was successfully verified and
+	 * authenticated.  A user MUST call verify_seqno() immediately before
+	 * calling this method.
+	 *
+	 * @param seqno		verified and authenticated seq number in host byte order
+	 */
+	void (*set_authenticated_seqno)(esp_context_t *this,
+									u_int32_t seqno);
+
+	/**
+	 * Destroy an esp_context_t
+	 */
+	void (*destroy)(esp_context_t *this);
+
+};
+
+/**
+ * Create an esp_context_t instance
+ *
+ * @param enc_alg		encryption algorithm
+ * @param enc_key		encryption key
+ * @param int_alg		integrity protection algorithm
+ * @param int_key		integrity protection key
+ * @param inbound		TRUE to create an inbound ESP context
+ * @return				ESP context instance, or NULL if creation fails
+ */
+esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key, int int_alg,
+								  chunk_t int_key, bool inbound);
+
+#endif /** ESP_CONTEXT_H_ @}*/
+
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
new file mode 100644
index 000000000..61389daa4
--- /dev/null
+++ b/src/libipsec/esp_packet.c
@@ -0,0 +1,469 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "esp_packet.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+#include <netinet/in.h>
+
+typedef struct private_esp_packet_t private_esp_packet_t;
+
+/**
+ * Private additions to esp_packet_t.
+ */
+struct private_esp_packet_t {
+
+	/**
+	 * Public members
+	 */
+	esp_packet_t public;
+
+	/**
+	 * Raw ESP packet
+	 */
+	packet_t *packet;
+
+	/**
+	 * Payload of this packet
+	 */
+	ip_packet_t *payload;
+
+	/**
+	 * Next Header info (e.g. IPPROTO_IPIP)
+	 */
+	u_int8_t next_header;
+
+};
+
+/**
+ * Forward declaration for clone()
+ */
+static private_esp_packet_t *esp_packet_create_internal(packet_t *packet);
+
+METHOD(packet_t, set_source, void,
+	private_esp_packet_t *this, host_t *src)
+{
+	return this->packet->set_source(this->packet, src);
+}
+
+METHOD2(esp_packet_t, packet_t, get_source, host_t*,
+	private_esp_packet_t *this)
+{
+	return this->packet->get_source(this->packet);
+}
+
+METHOD(packet_t, set_destination, void,
+	private_esp_packet_t *this, host_t *dst)
+{
+	return this->packet->set_destination(this->packet, dst);
+}
+
+METHOD2(esp_packet_t, packet_t, get_destination, host_t*,
+	private_esp_packet_t *this)
+{
+	return this->packet->get_destination(this->packet);
+}
+
+METHOD(packet_t, get_data, chunk_t,
+	private_esp_packet_t *this)
+{
+	return this->packet->get_data(this->packet);
+}
+
+METHOD(packet_t, set_data, void,
+	private_esp_packet_t *this, chunk_t data)
+{
+	return this->packet->set_data(this->packet, data);
+}
+
+METHOD(packet_t, get_dscp, u_int8_t,
+	private_esp_packet_t *this)
+{
+	return this->packet->get_dscp(this->packet);
+}
+
+METHOD(packet_t, set_dscp, void,
+	private_esp_packet_t *this, u_int8_t value)
+{
+	this->packet->set_dscp(this->packet, value);
+}
+
+METHOD(packet_t, skip_bytes, void,
+	private_esp_packet_t *this, size_t bytes)
+{
+	return this->packet->skip_bytes(this->packet, bytes);
+}
+
+METHOD(packet_t, clone, packet_t*,
+	private_esp_packet_t *this)
+{
+	private_esp_packet_t *pkt;
+
+	pkt = esp_packet_create_internal(this->packet->clone(this->packet));
+	pkt->payload = this->payload ? this->payload->clone(this->payload) : NULL;
+	pkt->next_header = this->next_header;
+	return &pkt->public.packet;
+}
+
+METHOD(esp_packet_t, parse_header, bool,
+	private_esp_packet_t *this, u_int32_t *spi)
+{
+	bio_reader_t *reader;
+	u_int32_t seq;
+
+	reader = bio_reader_create(this->packet->get_data(this->packet));
+	if (!reader->read_uint32(reader, spi) ||
+		!reader->read_uint32(reader, &seq))
+	{
+		DBG1(DBG_ESP, "failed to parse ESP header: invalid length");
+		reader->destroy(reader);
+		return FALSE;
+	}
+	reader->destroy(reader);
+
+	DBG2(DBG_ESP, "parsed ESP header with SPI %.8x [seq %u]", *spi, seq);
+	*spi = htonl(*spi);
+	return TRUE;
+}
+
+/**
+ * Check padding as specified in RFC 4303
+ */
+static bool check_padding(chunk_t padding)
+{
+	size_t i;
+
+	for (i = 0; i < padding.len; ++i)
+	{
+		if (padding.ptr[i] != (u_int8_t)(i + 1))
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Remove the padding from the payload and set the next header info
+ */
+static bool remove_padding(private_esp_packet_t *this, chunk_t plaintext)
+{
+	u_int8_t next_header, pad_length;
+	chunk_t padding, payload;
+	bio_reader_t *reader;
+
+	reader = bio_reader_create(plaintext);
+	if (!reader->read_uint8_end(reader, &next_header) ||
+		!reader->read_uint8_end(reader, &pad_length))
+	{
+		DBG1(DBG_ESP, "parsing ESP payload failed: invalid length");
+		goto failed;
+	}
+	if (!reader->read_data_end(reader, pad_length, &padding) ||
+		!check_padding(padding))
+	{
+		DBG1(DBG_ESP, "parsing ESP payload failed: invalid padding");
+		goto failed;
+	}
+	this->payload = ip_packet_create(reader->peek(reader));
+	reader->destroy(reader);
+	if (!this->payload)
+	{
+		DBG1(DBG_ESP, "parsing ESP payload failed: unsupported payload");
+		return FALSE;
+	}
+	this->next_header = next_header;
+	payload = this->payload->get_encoding(this->payload);
+
+	DBG3(DBG_ESP, "ESP payload:\n  payload %B\n  padding %B\n  "
+		 "padding length = %hhu, next header = %hhu", &payload, &padding,
+		 pad_length, this->next_header);
+	return TRUE;
+
+failed:
+	reader->destroy(reader);
+	chunk_free(&plaintext);
+	return FALSE;
+}
+
+METHOD(esp_packet_t, decrypt, status_t,
+	private_esp_packet_t *this, esp_context_t *esp_context)
+{
+	bio_reader_t *reader;
+	u_int32_t spi, seq;
+	chunk_t data, iv, icv, aad, ciphertext, plaintext;
+	aead_t *aead;
+
+	DESTROY_IF(this->payload);
+	this->payload = NULL;
+
+	data = this->packet->get_data(this->packet);
+	aead = esp_context->get_aead(esp_context);
+
+	reader = bio_reader_create(data);
+	if (!reader->read_uint32(reader, &spi) ||
+		!reader->read_uint32(reader, &seq) ||
+		!reader->read_data(reader, aead->get_iv_size(aead), &iv) ||
+		!reader->read_data_end(reader, aead->get_icv_size(aead), &icv) ||
+		reader->remaining(reader) % aead->get_block_size(aead))
+	{
+		DBG1(DBG_ESP, "ESP decryption failed: invalid length");
+		return PARSE_ERROR;
+	}
+	ciphertext = reader->peek(reader);
+	ciphertext.len += icv.len;
+	reader->destroy(reader);
+
+	if (!esp_context->verify_seqno(esp_context, seq))
+	{
+		DBG1(DBG_ESP, "ESP sequence number verification failed:\n  "
+			 "src %H, dst %H, SPI %.8x [seq %u]",
+			 get_source(this), get_destination(this), spi, seq);
+		return VERIFY_ERROR;
+	}
+	DBG3(DBG_ESP, "ESP decryption:\n  SPI %.8x [seq %u]\n  IV %B\n  "
+		 "encrypted %B\n  ICV %B", spi, seq, &iv, &ciphertext, &icv);
+
+	/* aad = spi + seq */
+	aad = chunk_create(data.ptr, 8);
+
+	if (!aead->decrypt(aead, ciphertext, aad, iv, &plaintext))
+	{
+		DBG1(DBG_ESP, "ESP decryption or ICV verification failed");
+		return FAILED;
+	}
+	esp_context->set_authenticated_seqno(esp_context, seq);
+
+	if (!remove_padding(this, plaintext))
+	{
+		return PARSE_ERROR;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Generate the padding as specified in RFC4303
+ */
+static void generate_padding(chunk_t padding)
+{
+	size_t i;
+
+	for (i = 0; i < padding.len; ++i)
+	{
+		padding.ptr[i] = (u_int8_t)(i + 1);
+	}
+}
+
+METHOD(esp_packet_t, encrypt, status_t,
+	private_esp_packet_t *this, esp_context_t *esp_context, u_int32_t spi)
+{
+	chunk_t iv, icv, aad, padding, payload, ciphertext;
+	bio_writer_t *writer;
+	u_int32_t next_seqno;
+	size_t blocksize, plainlen;
+	aead_t *aead;
+	rng_t *rng;
+
+	this->packet->set_data(this->packet, chunk_empty);
+
+	if (!esp_context->next_seqno(esp_context, &next_seqno))
+	{
+		DBG1(DBG_ESP, "ESP encapsulation failed: sequence numbers cycled");
+		return FAILED;
+	}
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_ESP, "ESP encryption failed: could not find RNG");
+		return NOT_FOUND;
+	}
+	aead = esp_context->get_aead(esp_context);
+
+	blocksize = aead->get_block_size(aead);
+	iv.len = aead->get_iv_size(aead);
+	icv.len = aead->get_icv_size(aead);
+
+	/* plaintext = payload, padding, pad_length, next_header */
+	payload = this->payload ? this->payload->get_encoding(this->payload)
+							: chunk_empty;
+	plainlen = payload.len + 2;
+	padding.len = blocksize - (plainlen % blocksize);
+	plainlen += padding.len;
+
+	/* len = spi, seq, IV, plaintext, ICV */
+	writer = bio_writer_create(2 * sizeof(u_int32_t) + iv.len + plainlen +
+							   icv.len);
+	writer->write_uint32(writer, ntohl(spi));
+	writer->write_uint32(writer, next_seqno);
+
+	iv = writer->skip(writer, iv.len);
+	if (!rng->get_bytes(rng, iv.len, iv.ptr))
+	{
+		DBG1(DBG_ESP, "ESP encryption failed: could not generate IV");
+		writer->destroy(writer);
+		rng->destroy(rng);
+		return FAILED;
+	}
+	rng->destroy(rng);
+
+	/* plain-/ciphertext will start here */
+	ciphertext = writer->get_buf(writer);
+	ciphertext.ptr += ciphertext.len;
+	ciphertext.len = plainlen;
+
+	writer->write_data(writer, payload);
+
+	padding = writer->skip(writer, padding.len);
+	generate_padding(padding);
+
+	writer->write_uint8(writer, padding.len);
+	writer->write_uint8(writer, this->next_header);
+
+	/* aad = spi + seq */
+	aad = writer->get_buf(writer);
+	aad.len = 8;
+	icv = writer->skip(writer, icv.len);
+
+	DBG3(DBG_ESP, "ESP before encryption:\n  payload = %B\n  padding = %B\n  "
+		 "padding length = %hhu, next header = %hhu", &payload, &padding,
+		 (u_int8_t)padding.len, this->next_header);
+
+	/* encrypt/authenticate the content inline */
+	if (!aead->encrypt(aead, ciphertext, aad, iv, NULL))
+	{
+		DBG1(DBG_ESP, "ESP encryption or ICV generation failed");
+		writer->destroy(writer);
+		return FAILED;
+	}
+
+	DBG3(DBG_ESP, "ESP packet:\n  SPI %.8x [seq %u]\n  IV %B\n  "
+		 "encrypted %B\n  ICV %B", ntohl(spi), next_seqno, &iv,
+		 &ciphertext, &icv);
+
+	this->packet->set_data(this->packet, writer->extract_buf(writer));
+	writer->destroy(writer);
+	return SUCCESS;
+}
+
+METHOD(esp_packet_t, get_next_header, u_int8_t,
+	private_esp_packet_t *this)
+{
+	return this->next_header;
+}
+
+METHOD(esp_packet_t, get_payload, ip_packet_t*,
+	private_esp_packet_t *this)
+{
+	return this->payload;
+}
+
+METHOD(esp_packet_t, extract_payload, ip_packet_t*,
+	private_esp_packet_t *this)
+{
+	ip_packet_t *payload;
+
+	payload = this->payload;
+	this->payload = NULL;
+	return payload;
+}
+
+METHOD2(esp_packet_t, packet_t, destroy, void,
+	private_esp_packet_t *this)
+{
+	DESTROY_IF(this->payload);
+	this->packet->destroy(this->packet);
+	free(this);
+}
+
+static private_esp_packet_t *esp_packet_create_internal(packet_t *packet)
+{
+	private_esp_packet_t *this;
+
+	INIT(this,
+		.public = {
+			.packet = {
+				.set_source = _set_source,
+				.get_source = _get_source,
+				.set_destination = _set_destination,
+				.get_destination = _get_destination,
+				.get_data = _get_data,
+				.set_data = _set_data,
+				.get_dscp = _get_dscp,
+				.set_dscp = _set_dscp,
+				.skip_bytes = _skip_bytes,
+				.clone = _clone,
+				.destroy = _destroy,
+			},
+			.get_source = _get_source,
+			.get_destination = _get_destination,
+			.get_next_header = _get_next_header,
+			.parse_header = _parse_header,
+			.decrypt = _decrypt,
+			.encrypt = _encrypt,
+			.get_payload = _get_payload,
+			.extract_payload = _extract_payload,
+			.destroy = _destroy,
+		},
+		.packet = packet,
+		.next_header = IPPROTO_NONE,
+	);
+	return this;
+}
+
+/**
+ * Described in header.
+ */
+esp_packet_t *esp_packet_create_from_packet(packet_t *packet)
+{
+	private_esp_packet_t *this;
+
+	this = esp_packet_create_internal(packet);
+
+	return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+esp_packet_t *esp_packet_create_from_payload(host_t *src, host_t *dst,
+											 ip_packet_t *payload)
+{
+	private_esp_packet_t *this;
+	packet_t *packet;
+
+	packet = packet_create_from_data(src, dst, chunk_empty);
+	this = esp_packet_create_internal(packet);
+	this->payload = payload;
+	if (payload)
+	{
+		this->next_header = payload->get_version(payload) == 4 ? IPPROTO_IPIP
+															   : IPPROTO_IPV6;
+	}
+	else
+	{
+		this->next_header = IPPROTO_NONE;
+	}
+	return &this->public;
+}
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
new file mode 100644
index 000000000..ce8645825
--- /dev/null
+++ b/src/libipsec/esp_packet.h
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup esp_packet esp_packet
+ * @{ @ingroup libipsec
+ */
+
+#ifndef ESP_PACKET_H_
+#define ESP_PACKET_H_
+
+#include "ip_packet.h"
+#include "esp_context.h"
+
+#include <library.h>
+#include <networking/host.h>
+#include <networking/packet.h>
+
+typedef struct esp_packet_t esp_packet_t;
+
+/**
+ *  ESP packet
+ */
+struct esp_packet_t {
+
+	/**
+	 * Implements packet_t interface to access the raw ESP packet
+	 */
+	packet_t packet;
+
+	/**
+	 * Get the source address of this packet
+	 *
+	 * @return				source host
+	 */
+	host_t *(*get_source)(esp_packet_t *this);
+
+	/**
+	 * Get the destination address of this packet
+	 *
+	 * @return				destination host
+	 */
+	host_t *(*get_destination)(esp_packet_t *this);
+
+	/**
+	 * Parse the packet header before decryption. Tries to read the SPI
+	 * from the packet to find a corresponding SA.
+	 *
+	 * @param spi			parsed SPI, in network byte order
+	 * @return				TRUE when successful, FALSE otherwise (e.g. when the
+	 *						length of the packet is invalid)
+	 */
+	bool (*parse_header)(esp_packet_t *this, u_int32_t *spi);
+
+	/**
+	 * Authenticate and decrypt the packet. Also verifies the sequence number
+	 * using the supplied ESP context and updates the anti-replay window.
+	 *
+	 * @param esp_context		ESP context of corresponding inbound IPsec SA
+	 * @return					- SUCCESS if successfully authenticated,
+	 *							  decrypted and parsed
+	 *							- PARSE_ERROR if the length of the packet or the
+	 *							  padding is invalid
+	 *							- VERIFY_ERROR if the sequence number
+	 *							  verification failed
+	 *							- FAILED if the ICV (MAC) check or the actual
+	 *							  decryption failed
+	 */
+	status_t (*decrypt)(esp_packet_t *this, esp_context_t *esp_context);
+
+	/**
+	 * Encapsulate and encrypt the packet. The sequence number will be generated
+	 * using the supplied ESP context.
+	 *
+	 * @param esp_context		ESP context of corresponding outbound IPsec SA
+	 * @param spi				SPI value to use, in network byte order
+	 * @return					- SUCCESS if encrypted
+	 *							- FAILED if sequence number cycled or any of the
+	 *							  cryptographic functions failed
+	 *							- NOT_FOUND if no suitable RNG could be found
+	 */
+	status_t (*encrypt)(esp_packet_t *this, esp_context_t *esp_context,
+						u_int32_t spi);
+
+	/**
+	 * Get the next header field of a packet.
+	 *
+	 * @note Packet has to be in the decrypted state.
+	 *
+	 * @return					next header field
+	 */
+	u_int8_t (*get_next_header)(esp_packet_t *this);
+
+	/**
+	 * Get the plaintext payload of this packet.
+	 *
+	 * @return					plaintext payload (internal data),
+	 *							NULL if not decrypted
+	 */
+	ip_packet_t *(*get_payload)(esp_packet_t *this);
+
+	/**
+	 * Extract the plaintext payload from this packet.
+	 *
+	 * @return					plaintext payload (has to be destroyed),
+	 *							NULL if not decrypted
+	 */
+	ip_packet_t *(*extract_payload)(esp_packet_t *this);
+
+	/**
+	 * Destroy an esp_packet_t
+	 */
+	void (*destroy)(esp_packet_t *this);
+
+};
+
+/**
+ * Create an ESP packet out of data from the wire.
+ *
+ * @param packet		the packet data as received, gets owned
+ * @return				esp_packet_t instance
+ */
+esp_packet_t *esp_packet_create_from_packet(packet_t *packet);
+
+/**
+ * Create an ESP packet from a plaintext payload
+ *
+ * @param src			source address
+ * @param dst			destination address
+ * @param payload		plaintext payload, gets owned
+ * @return				esp_packet_t instance
+ */
+esp_packet_t *esp_packet_create_from_payload(host_t *src, host_t *dst,
+											 ip_packet_t *payload);
+
+#endif /** ESP_PACKET_H_ @}*/
+
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
new file mode 100644
index 000000000..d08e09057
--- /dev/null
+++ b/src/libipsec/ip_packet.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "ip_packet.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#ifdef HAVE_NETINET_IP6_H
+#include <netinet/ip6.h>
+#endif
+
+typedef struct private_ip_packet_t private_ip_packet_t;
+
+/**
+ * Private additions to ip_packet_t.
+ */
+struct private_ip_packet_t {
+
+	/**
+	 * Public members
+	 */
+	ip_packet_t public;
+
+	/**
+	 * Source address
+	 */
+	host_t *src;
+
+	/**
+	 * Destination address
+	 */
+	host_t *dst;
+
+	/**
+	 * IP packet
+	 */
+	chunk_t packet;
+
+	/**
+	 * IP version
+	 */
+	u_int8_t version;
+
+	/**
+	 * Protocol|Next Header field
+	 */
+	u_int8_t next_header;
+
+};
+
+METHOD(ip_packet_t, get_version, u_int8_t,
+	private_ip_packet_t *this)
+{
+	return this->version;
+}
+
+METHOD(ip_packet_t, get_source, host_t*,
+	private_ip_packet_t *this)
+{
+	return this->src;
+}
+
+METHOD(ip_packet_t, get_destination, host_t*,
+	private_ip_packet_t *this)
+{
+	return this->dst;
+}
+
+METHOD(ip_packet_t, get_encoding, chunk_t,
+	private_ip_packet_t *this)
+{
+	return this->packet;
+}
+
+METHOD(ip_packet_t, get_next_header, u_int8_t,
+	private_ip_packet_t *this)
+{
+	return this->next_header;
+}
+
+METHOD(ip_packet_t, clone, ip_packet_t*,
+	private_ip_packet_t *this)
+{
+	return ip_packet_create(this->packet);
+}
+
+METHOD(ip_packet_t, destroy, void,
+	private_ip_packet_t *this)
+{
+	this->src->destroy(this->src);
+	this->dst->destroy(this->dst);
+	chunk_free(&this->packet);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ip_packet_t *ip_packet_create(chunk_t packet)
+{
+	private_ip_packet_t *this;
+	u_int8_t version, next_header;
+	host_t *src, *dst;
+
+	if (packet.len < 1)
+	{
+		DBG1(DBG_ESP, "IP packet too short");
+		goto failed;
+	}
+
+	version = (packet.ptr[0] & 0xf0) >> 4;
+
+	switch (version)
+	{
+		case 4:
+		{
+			struct ip *ip;
+
+			if (packet.len < sizeof(struct ip))
+			{
+				DBG1(DBG_ESP, "IPv4 packet too short");
+				goto failed;
+			}
+			ip = (struct ip*)packet.ptr;
+			src = host_create_from_chunk(AF_INET,
+										 chunk_from_thing(ip->ip_src), 0);
+			dst = host_create_from_chunk(AF_INET,
+										 chunk_from_thing(ip->ip_dst), 0);
+			next_header = ip->ip_p;
+			break;
+		}
+#ifdef HAVE_NETINET_IP6_H
+		case 6:
+		{
+			struct ip6_hdr *ip;
+
+			if (packet.len < sizeof(struct ip6_hdr))
+			{
+				DBG1(DBG_ESP, "IPv6 packet too short");
+				goto failed;
+			}
+			ip = (struct ip6_hdr*)packet.ptr;
+			src = host_create_from_chunk(AF_INET6,
+										 chunk_from_thing(ip->ip6_src), 0);
+			dst = host_create_from_chunk(AF_INET6,
+										 chunk_from_thing(ip->ip6_dst), 0);
+			next_header = ip->ip6_nxt;
+			break;
+		}
+#endif /* HAVE_NETINET_IP6_H */
+		default:
+			DBG1(DBG_ESP, "unsupported IP version");
+			goto failed;
+	}
+
+	INIT(this,
+		.public = {
+			.get_version = _get_version,
+			.get_source = _get_source,
+			.get_destination = _get_destination,
+			.get_next_header = _get_next_header,
+			.get_encoding = _get_encoding,
+			.clone = _clone,
+			.destroy = _destroy,
+		},
+		.src = src,
+		.dst = dst,
+		.packet = packet,
+		.version = version,
+		.next_header = next_header,
+	);
+	return &this->public;
+
+failed:
+	chunk_free(&packet);
+	return NULL;
+}
diff --git a/src/libipsec/ip_packet.h b/src/libipsec/ip_packet.h
new file mode 100644
index 000000000..de817e23e
--- /dev/null
+++ b/src/libipsec/ip_packet.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ip_packet ip_packet
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IP_PACKET_H_
+#define IP_PACKET_H_
+
+#include <library.h>
+#include <networking/host.h>
+#include <networking/packet.h>
+
+typedef struct ip_packet_t ip_packet_t;
+
+/**
+ *  IP packet
+ */
+struct ip_packet_t {
+
+	/**
+	 * IP version of this packet
+	 *
+	 * @return				ip version
+	 */
+	u_int8_t (*get_version)(ip_packet_t *this);
+
+	/**
+	 * Get the source address of this packet
+	 *
+	 * @return				source host
+	 */
+	host_t *(*get_source)(ip_packet_t *this);
+
+	/**
+	 * Get the destination address of this packet
+	 *
+	 * @return				destination host
+	 */
+	host_t *(*get_destination)(ip_packet_t *this);
+
+	/**
+	 * Get the protocol (IPv4) or next header (IPv6) field of this packet.
+	 *
+	 * @return				protocol|next header field
+	 */
+	u_int8_t (*get_next_header)(ip_packet_t *this);
+
+	/**
+	 * Get the complete IP packet (including the header)
+	 *
+	 * @return				IP packet (internal data)
+	 */
+	chunk_t (*get_encoding)(ip_packet_t *this);
+
+	/**
+	 * Clone the IP packet
+	 *
+	 * @return				clone of the packet
+	 */
+	ip_packet_t *(*clone)(ip_packet_t *this);
+
+	/**
+	 * Destroy an ip_packet_t
+	 */
+	void (*destroy)(ip_packet_t *this);
+
+};
+
+/**
+ * Create an IP packet out of data from the wire (or decapsulated from another
+ * packet).
+ *
+ * @note The raw IP packet gets either owned by the new object, or destroyed,
+ * if the data is invalid.
+ *
+ * @param packet		the IP packet (including header), gets owned
+ * @return				ip_packet_t instance, or NULL if invalid
+ */
+ip_packet_t *ip_packet_create(chunk_t packet);
+
+#endif /** IP_PACKET_H_ @}*/
diff --git a/src/libipsec/ipsec.c b/src/libipsec/ipsec.c
new file mode 100644
index 000000000..6c9a26acf
--- /dev/null
+++ b/src/libipsec/ipsec.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec.h"
+
+#include <utils/debug.h>
+
+typedef struct private_ipsec_t private_ipsec_t;
+
+/**
+ * Private additions to ipsec_t.
+ */
+struct private_ipsec_t {
+
+	/**
+	 * Public members of ipsec_t.
+	 */
+	ipsec_t public;
+};
+
+/**
+ * Single instance of ipsec_t.
+ */
+ipsec_t *ipsec;
+
+/**
+ * Described in header.
+ */
+void libipsec_deinit()
+{
+	private_ipsec_t *this = (private_ipsec_t*)ipsec;
+	DESTROY_IF(this->public.processor);
+	DESTROY_IF(this->public.events);
+	DESTROY_IF(this->public.policies);
+	DESTROY_IF(this->public.sas);
+	free(this);
+	ipsec = NULL;
+}
+
+/**
+ * Described in header.
+ */
+bool libipsec_init()
+{
+	private_ipsec_t *this;
+
+	INIT(this);
+	ipsec = &this->public;
+
+	if (lib->integrity &&
+		!lib->integrity->check(lib->integrity, "libipsec", libipsec_init))
+	{
+		DBG1(DBG_LIB, "integrity check of libipsec failed");
+		return FALSE;
+	}
+
+	this->public.sas = ipsec_sa_mgr_create();
+	this->public.policies = ipsec_policy_mgr_create();
+	this->public.events = ipsec_event_relay_create();
+	this->public.processor = ipsec_processor_create();
+	return TRUE;
+}
+
diff --git a/src/libipsec/ipsec.h b/src/libipsec/ipsec.h
new file mode 100644
index 000000000..7ee49432a
--- /dev/null
+++ b/src/libipsec/ipsec.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libipsec libipsec
+ *
+ * @addtogroup libipsec
+ * @{
+ */
+
+#ifndef IPSEC_H_
+#define IPSEC_H_
+
+#include "ipsec_sa_mgr.h"
+#include "ipsec_policy_mgr.h"
+#include "ipsec_event_relay.h"
+#include "ipsec_processor.h"
+
+#include <library.h>
+
+typedef struct ipsec_t ipsec_t;
+
+/**
+ * User space IPsec implementation.
+ */
+struct ipsec_t {
+
+	/**
+	 * IPsec SA manager instance
+	 */
+	ipsec_sa_mgr_t *sas;
+
+	/**
+	 * IPsec policy manager instance
+	 */
+	ipsec_policy_mgr_t *policies;
+
+	/**
+	 * Event relay instance
+	 */
+	ipsec_event_relay_t *events;
+
+	/**
+	 * IPsec processor instance
+	 */
+	ipsec_processor_t *processor;
+
+};
+
+/**
+ * The single instance of ipsec_t.
+ *
+ * Set between calls to libipsec_init() and libipsec_deinit() calls.
+ */
+extern ipsec_t *ipsec;
+
+/**
+ * Initialize libipsec.
+ *
+ * @return				FALSE if integrity check failed
+ */
+bool libipsec_init();
+
+/**
+ * Deinitialize libipsec.
+ */
+void libipsec_deinit();
+
+#endif /** IPSEC_H_ @}*/
diff --git a/src/libipsec/ipsec_event_listener.h b/src/libipsec/ipsec_event_listener.h
new file mode 100644
index 000000000..c5c39b0f1
--- /dev/null
+++ b/src/libipsec/ipsec_event_listener.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_event_listener ipsec_event_listener
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_EVENT_LISTENER_H_
+#define IPSEC_EVENT_LISTENER_H_
+
+typedef struct ipsec_event_listener_t ipsec_event_listener_t;
+
+#include <library.h>
+
+/**
+ * Listener interface for IPsec events
+ *
+ * All methods are optional.
+ */
+struct ipsec_event_listener_t {
+
+	/**
+	 * Called when the lifetime of an IPsec SA expired
+	 *
+	 * @param reqid			reqid of the expired SA
+	 * @param protocol		protocol of the expired SA
+	 * @param spi			spi of the expired SA
+	 * @param hard			TRUE if this is a hard expire, FALSE otherwise
+	 */
+	void (*expire)(u_int32_t reqid, u_int8_t protocol, u_int32_t spi,
+				   bool hard);
+
+};
+
+#endif /** IPSEC_EVENT_LISTENER_H_ @}*/
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
new file mode 100644
index 000000000..c6b2a550d
--- /dev/null
+++ b/src/libipsec/ipsec_event_relay.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_event_relay.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <collections/linked_list.h>
+#include <collections/blocking_queue.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_ipsec_event_relay_t private_ipsec_event_relay_t;
+
+/**
+ * Private additions to ipsec_event_relay_t.
+ */
+struct private_ipsec_event_relay_t {
+
+	/**
+	 * Public members
+	 */
+	ipsec_event_relay_t public;
+
+	/**
+	 * Registered listeners
+	 */
+	linked_list_t *listeners;
+
+	/**
+	 * Lock to safely access the list of listeners
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * Blocking queue for events
+	 */
+	blocking_queue_t *queue;
+};
+
+/**
+ * Helper struct used to manage events in a queue
+ */
+typedef struct {
+
+	/**
+	 * Type of the event
+	 */
+	enum {
+		IPSEC_EVENT_EXPIRE,
+	} type;
+
+	/**
+	 * Reqid of the SA, if any
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * SPI of the SA, if any
+	 */
+	u_int32_t spi;
+
+	/**
+	 * Additional data for specific event types
+	 */
+	union {
+
+		struct {
+			/** Protocol of the SA */
+			u_int8_t protocol;
+			/** TRUE in case of a hard expire */
+			bool hard;
+		} expire;
+
+	} data;
+
+} ipsec_event_t;
+
+/**
+ * Dequeue events and relay them to listeners
+ */
+static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
+{
+	enumerator_t *enumerator;
+	ipsec_event_listener_t *current;
+	ipsec_event_t *event;
+
+	event = this->queue->dequeue(this->queue);
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		switch (event->type)
+		{
+			case IPSEC_EVENT_EXPIRE:
+				if (current->expire)
+				{
+					current->expire(event->reqid, event->data.expire.protocol,
+									event->spi, event->data.expire.hard);
+				}
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	free(event);
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(ipsec_event_relay_t, expire, void,
+	private_ipsec_event_relay_t *this, u_int32_t reqid, u_int8_t protocol,
+	u_int32_t spi, bool hard)
+{
+	ipsec_event_t *event;
+
+	INIT(event,
+		.type = IPSEC_EVENT_EXPIRE,
+		.reqid = reqid,
+		.spi = spi,
+		.data = {
+			.expire = {
+				.protocol = protocol,
+				.hard = hard,
+			},
+		},
+	);
+	this->queue->enqueue(this->queue, event);
+}
+
+METHOD(ipsec_event_relay_t, register_listener, void,
+	private_ipsec_event_relay_t *this, ipsec_event_listener_t *listener)
+{
+	this->lock->write_lock(this->lock);
+	this->listeners->insert_last(this->listeners, listener);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(ipsec_event_relay_t, unregister_listener, void,
+	private_ipsec_event_relay_t *this, ipsec_event_listener_t *listener)
+{
+	this->lock->write_lock(this->lock);
+	this->listeners->remove(this->listeners, listener, NULL);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(ipsec_event_relay_t, destroy, void,
+	private_ipsec_event_relay_t *this)
+{
+	this->queue->destroy_function(this->queue, free);
+	this->listeners->destroy(this->listeners);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipsec_event_relay_t *ipsec_event_relay_create()
+{
+	private_ipsec_event_relay_t *this;
+
+	INIT(this,
+		.public = {
+			.expire = _expire,
+			.register_listener = _register_listener,
+			.unregister_listener = _unregister_listener,
+			.destroy = _destroy,
+		},
+		.listeners = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.queue = blocking_queue_create(),
+	);
+
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create((callback_job_cb_t)handle_events, this,
+			NULL, (callback_job_cancel_t)return_false));
+
+	return &this->public;
+}
diff --git a/src/libipsec/ipsec_event_relay.h b/src/libipsec/ipsec_event_relay.h
new file mode 100644
index 000000000..c6935d546
--- /dev/null
+++ b/src/libipsec/ipsec_event_relay.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_event_relay ipsec_event_relay
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_EVENT_RELAY_H_
+#define IPSEC_EVENT_RELAY_H_
+
+#include "ipsec_event_listener.h"
+
+#include <library.h>
+
+typedef struct ipsec_event_relay_t ipsec_event_relay_t;
+
+/**
+ *  Event relay manager.
+ *
+ *  Used to notify upper layers about changes
+ */
+struct ipsec_event_relay_t {
+
+	/**
+	 * Raise an expire event.
+	 *
+	 * @param reqid			reqid of the expired IPsec SA
+	 * @param protocol		protocol (e.g ESP) of the expired SA
+	 * @param spi			SPI of the expired SA
+	 * @param hard			TRUE for a hard expire, FALSE otherwise
+	 */
+	void (*expire)(ipsec_event_relay_t *this, u_int32_t reqid,
+				   u_int8_t protocol, u_int32_t spi, bool hard);
+
+	/**
+	 * Register a listener to events raised by this manager
+	 *
+	 * @param listener		the listener to register
+	 */
+	void (*register_listener)(ipsec_event_relay_t *this,
+							  ipsec_event_listener_t *listener);
+
+	/**
+	 * Unregister a listener
+	 *
+	 * @param listener		the listener to unregister
+	 */
+	void (*unregister_listener)(ipsec_event_relay_t *this,
+								ipsec_event_listener_t *listener);
+
+	/**
+	 * Destroy an ipsec_event_relay_t
+	 */
+	void (*destroy)(ipsec_event_relay_t *this);
+
+};
+
+/**
+ * Create an ipsec_event_relay_t instance
+ *
+ * @return			IPsec event relay instance
+ */
+ipsec_event_relay_t *ipsec_event_relay_create();
+
+#endif /** IPSEC_EVENT_RELAY_H_ @}*/
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
new file mode 100644
index 000000000..8407921ac
--- /dev/null
+++ b/src/libipsec/ipsec_policy.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_policy.h"
+
+#include <utils/debug.h>
+
+typedef struct private_ipsec_policy_t private_ipsec_policy_t;
+
+/**
+ * Private additions to ipsec_policy_t.
+ */
+struct private_ipsec_policy_t {
+
+	/**
+	 * Public members
+	 */
+	ipsec_policy_t public;
+
+	/**
+	 * SA source address
+	 */
+	host_t *src;
+
+	/**
+	 * SA destination address
+	 */
+	host_t *dst;
+
+	/**
+	 * Source traffic selector
+	 */
+	traffic_selector_t *src_ts;
+
+	/**
+	 * Destination traffic selector
+	 */
+	traffic_selector_t *dst_ts;
+
+	/**
+	 * If any of the two TS has a protocol selector we cache it here
+	 */
+	u_int8_t protocol;
+
+	/**
+	 * Traffic direction
+	 */
+	policy_dir_t direction;
+
+	/**
+	 * Policy type
+	 */
+	policy_type_t type;
+
+	/**
+	 * SA configuration
+	 */
+	ipsec_sa_cfg_t sa;
+
+	/**
+	 * Mark
+	 */
+	mark_t mark;
+
+	/**
+	 * Policy priority
+	 */
+	policy_priority_t priority;
+
+	/**
+	 * Reference counter
+	 */
+	refcount_t refcount;
+
+};
+
+METHOD(ipsec_policy_t, match, bool,
+	private_ipsec_policy_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	mark_t mark, policy_priority_t priority)
+{
+	return (this->direction == direction &&
+			this->priority == priority &&
+			this->sa.reqid == reqid &&
+			memeq(&this->mark, &mark, sizeof(mark_t)) &&
+			this->src_ts->equals(this->src_ts, src_ts) &&
+			this->dst_ts->equals(this->dst_ts, dst_ts));
+}
+
+METHOD(ipsec_policy_t, match_packet, bool,
+	private_ipsec_policy_t *this, ip_packet_t *packet)
+{
+	u_int8_t proto = packet->get_next_header(packet);
+	host_t *src = packet->get_source(packet),
+		   *dst = packet->get_destination(packet);
+
+	return (!this->protocol || this->protocol == proto) &&
+		   this->src_ts->includes(this->src_ts, src) &&
+		   this->dst_ts->includes(this->dst_ts, dst);
+}
+
+METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*,
+	private_ipsec_policy_t *this)
+{
+	return this->src_ts;
+}
+
+METHOD(ipsec_policy_t, get_destination_ts, traffic_selector_t*,
+	private_ipsec_policy_t *this)
+{
+	return this->dst_ts;
+}
+
+METHOD(ipsec_policy_t, get_reqid, u_int32_t,
+	private_ipsec_policy_t *this)
+{
+	return this->sa.reqid;
+}
+
+METHOD(ipsec_policy_t, get_direction, policy_dir_t,
+	private_ipsec_policy_t *this)
+{
+	return this->direction;
+}
+
+METHOD(ipsec_policy_t, get_priority, policy_priority_t,
+	private_ipsec_policy_t *this)
+{
+	return this->priority;
+}
+
+METHOD(ipsec_policy_t, get_type, policy_type_t,
+	private_ipsec_policy_t *this)
+{
+	return this->type;
+}
+
+METHOD(ipsec_policy_t, get_ref, ipsec_policy_t*,
+	private_ipsec_policy_t *this)
+{
+	ref_get(&this->refcount);
+	return &this->public;
+}
+
+METHOD(ipsec_policy_t, destroy, void,
+		private_ipsec_policy_t *this)
+{
+	if (ref_put(&this->refcount))
+	{
+		this->src->destroy(this->src);
+		this->dst->destroy(this->dst);
+		this->src_ts->destroy(this->src_ts);
+		this->dst_ts->destroy(this->dst_ts);
+		free(this);
+	}
+}
+
+/**
+ * Described in header.
+ */
+ipsec_policy_t *ipsec_policy_create(host_t *src, host_t *dst,
+									traffic_selector_t *src_ts,
+									traffic_selector_t *dst_ts,
+									policy_dir_t direction, policy_type_t type,
+									ipsec_sa_cfg_t *sa, mark_t mark,
+									policy_priority_t priority)
+{
+	private_ipsec_policy_t *this;
+
+	INIT(this,
+		.public = {
+			.match = _match,
+			.match_packet = _match_packet,
+			.get_source_ts = _get_source_ts,
+			.get_destination_ts = _get_destination_ts,
+			.get_direction = _get_direction,
+			.get_priority = _get_priority,
+			.get_reqid = _get_reqid,
+			.get_type = _get_type,
+			.get_ref = _get_ref,
+			.destroy = _destroy,
+		},
+		.src = src->clone(src),
+		.dst = dst->clone(dst),
+		.src_ts = src_ts->clone(src_ts),
+		.dst_ts = dst_ts->clone(dst_ts),
+		.protocol = max(src_ts->get_protocol(src_ts),
+						dst_ts->get_protocol(dst_ts)),
+		.direction = direction,
+		.type = type,
+		.sa = *sa,
+		.mark = mark,
+		.priority = priority,
+		.refcount = 1,
+	);
+
+	return &this->public;
+}
diff --git a/src/libipsec/ipsec_policy.h b/src/libipsec/ipsec_policy.h
new file mode 100644
index 000000000..23a9ea99d
--- /dev/null
+++ b/src/libipsec/ipsec_policy.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_policy ipsec_policy
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_POLICY_H
+#define IPSEC_POLICY_H
+
+#include "ip_packet.h"
+
+#include <library.h>
+#include <networking/host.h>
+#include <ipsec/ipsec_types.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct ipsec_policy_t ipsec_policy_t;
+
+/**
+ * IPsec Policy
+ */
+struct ipsec_policy_t {
+
+	/**
+	 * Get the source traffic selector of this policy
+	 *
+	 * @return			the source traffic selector
+	 */
+	traffic_selector_t *(*get_source_ts)(ipsec_policy_t *this);
+
+	/**
+	 * Get the destination traffic selector of this policy
+	 *
+	 * @return			the destination traffic selector
+	 */
+	traffic_selector_t *(*get_destination_ts)(ipsec_policy_t *this);
+
+	/**
+	 * Get the direction of this policy
+	 *
+	 * @return			direction
+	 */
+	policy_dir_t (*get_direction)(ipsec_policy_t *this);
+
+	/**
+	 * Get the priority of this policy
+	 *
+	 * @return			priority
+	 */
+	policy_priority_t (*get_priority)(ipsec_policy_t *this);
+
+	/**
+	 * Get the type of this policy (e.g. IPsec)
+	 *
+	 * @return			the policy type
+	 */
+	policy_type_t (*get_type)(ipsec_policy_t *this);
+
+	/**
+	 * Get the reqid associated to this policy
+	 *
+	 * @return			the reqid
+	 */
+	u_int32_t (*get_reqid)(ipsec_policy_t *this);
+
+	/**
+	 * Get another reference to this policy
+	 *
+	 * @return			additional reference to the policy
+	 */
+	ipsec_policy_t *(*get_ref)(ipsec_policy_t *this);
+
+	/**
+	 * Check if this policy matches all given parameters
+	 *
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @param direction		traffic direction
+	 * @param reqid			reqid of the policy
+	 * @param mark			mark for this policy
+	 * @param prioirty		policy priority
+	 * @return				TRUE if policy matches all parameters
+	 */
+	bool (*match)(ipsec_policy_t *this, traffic_selector_t *src_ts,
+				  traffic_selector_t *dst_ts, policy_dir_t direction,
+				  u_int32_t reqid, mark_t mark, policy_priority_t priority);
+
+	/**
+	 * Check if this policy matches the given IP packet
+	 *
+	 * @param packet		IP packet
+	 * @return				TRUE if policy matches the packet
+	 */
+	bool (*match_packet)(ipsec_policy_t *this, ip_packet_t *packet);
+
+	/**
+	 * Destroy an ipsec_policy_t
+	 */
+	void (*destroy)(ipsec_policy_t *this);
+
+};
+
+/**
+ * Create an ipsec_policy_t instance
+ *
+ * @param src			source address of SA
+ * @param dst			dest address of SA
+ * @param src_ts		traffic selector to match traffic source
+ * @param dst_ts		traffic selector to match traffic dest
+ * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+ * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+ * @param sa			details about the SA(s) tied to this policy
+ * @param mark			mark for this policy
+ * @param priority		priority of this policy
+ * @return				ipsec policy instance
+ */
+ipsec_policy_t *ipsec_policy_create(host_t *src, host_t *dst,
+									traffic_selector_t *src_ts,
+									traffic_selector_t *dst_ts,
+									policy_dir_t direction,	policy_type_t type,
+									ipsec_sa_cfg_t *sa, mark_t mark,
+									policy_priority_t priority);
+
+#endif /** IPSEC_POLICY_H @}*/
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
new file mode 100644
index 000000000..72f94ec20
--- /dev/null
+++ b/src/libipsec/ipsec_policy_mgr.c
@@ -0,0 +1,286 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_policy_mgr.h"
+
+#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <collections/linked_list.h>
+
+/** Base priority for installed policies */
+#define PRIO_BASE 512
+
+typedef struct private_ipsec_policy_mgr_t private_ipsec_policy_mgr_t;
+
+/**
+ * Private additions to ipsec_policy_mgr_t.
+ */
+struct private_ipsec_policy_mgr_t {
+
+	/**
+	 * Public members of ipsec_policy_mgr_t.
+	 */
+	ipsec_policy_mgr_t public;
+
+	/**
+	 * Installed policies (ipsec_policy_entry_t*)
+	 */
+	linked_list_t *policies;
+
+	/**
+	 * Lock to safely access the list of policies
+	 */
+	rwlock_t *lock;
+
+};
+
+/**
+ * Helper struct to store policies in a list sorted by the same pseudo-priority
+ * used by the NETLINK kernel interface.
+ */
+typedef struct {
+
+	/**
+	 * Priority used to sort policies
+	 */
+	u_int32_t priority;
+
+	/**
+	 * The policy
+	 */
+	ipsec_policy_t *policy;
+
+} ipsec_policy_entry_t;
+
+/**
+ * Calculate the pseudo-priority to sort policies.  This is the same algorithm
+ * used by the NETLINK kernel interface (i.e. high priority -> low value).
+ */
+static u_int32_t calculate_priority(policy_priority_t policy_priority,
+									traffic_selector_t *src,
+									traffic_selector_t *dst)
+{
+	u_int32_t priority = PRIO_BASE;
+	u_int16_t port;
+	u_int8_t mask, proto;
+	host_t *net;
+
+	switch (policy_priority)
+	{
+		case POLICY_PRIORITY_FALLBACK:
+			priority <<= 1;
+			/* fall-through */
+		case POLICY_PRIORITY_ROUTED:
+			priority <<= 1;
+			/* fall-through */
+		case POLICY_PRIORITY_DEFAULT:
+			break;
+	}
+	/* calculate priority based on selector size, small size = high prio */
+	src->to_subnet(src, &net, &mask);
+	priority -= mask;
+	proto = src->get_protocol(src);
+	port = net->get_port(net);
+	net->destroy(net);
+
+	dst->to_subnet(dst, &net, &mask);
+	priority -= mask;
+	proto = max(proto, dst->get_protocol(dst));
+	port = max(port, net->get_port(net));
+	net->destroy(net);
+
+	priority <<= 2; /* make some room for the two flags */
+	priority += port ? 0 : 2;
+	priority += proto ? 0 : 1;
+	return priority;
+}
+
+/**
+ * Create a policy entry
+ */
+static ipsec_policy_entry_t *policy_entry_create(ipsec_policy_t *policy)
+{
+	ipsec_policy_entry_t *this;
+
+	INIT(this,
+		.policy = policy,
+		.priority = calculate_priority(policy->get_priority(policy),
+									   policy->get_source_ts(policy),
+									   policy->get_destination_ts(policy)),
+	);
+	return this;
+}
+
+/**
+ * Destroy a policy entry
+ */
+static void policy_entry_destroy(ipsec_policy_entry_t *this)
+{
+	this->policy->destroy(this->policy);
+	free(this);
+}
+
+METHOD(ipsec_policy_mgr_t, add_policy, status_t,
+	private_ipsec_policy_mgr_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+	policy_priority_t priority)
+{
+	enumerator_t *enumerator;
+	ipsec_policy_entry_t *entry, *current;
+	ipsec_policy_t *policy;
+
+	if (type != POLICY_IPSEC || direction == POLICY_FWD)
+	{	/* we ignore these policies as we currently have no use for them */
+		return SUCCESS;
+	}
+
+	DBG2(DBG_ESP, "adding policy %R === %R %N", src_ts, dst_ts,
+		 policy_dir_names, direction);
+
+	policy = ipsec_policy_create(src, dst, src_ts, dst_ts, direction, type, sa,
+								 mark, priority);
+	entry = policy_entry_create(policy);
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (current->priority >= entry->priority)
+		{
+			break;
+		}
+	}
+	this->policies->insert_before(this->policies, enumerator, entry);
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return SUCCESS;
+}
+
+METHOD(ipsec_policy_mgr_t, del_policy, status_t,
+	private_ipsec_policy_mgr_t *this, traffic_selector_t *src_ts,
+	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+	mark_t mark, policy_priority_t policy_priority)
+{
+	enumerator_t *enumerator;
+	ipsec_policy_entry_t *current, *found = NULL;
+	u_int32_t priority;
+
+	if (direction == POLICY_FWD)
+	{	/* we ignore these policies as we currently have no use for them */
+		return SUCCESS;
+	}
+	DBG2(DBG_ESP, "deleting policy %R === %R %N", src_ts, dst_ts,
+		 policy_dir_names, direction);
+
+	priority = calculate_priority(policy_priority, src_ts, dst_ts);
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (current->priority == priority &&
+			current->policy->match(current->policy, src_ts, dst_ts, direction,
+								   reqid, mark, policy_priority))
+		{
+			this->policies->remove_at(this->policies, enumerator);
+			found = current;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	if (found)
+	{
+		policy_entry_destroy(found);
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(ipsec_policy_mgr_t, flush_policies, status_t,
+	private_ipsec_policy_mgr_t *this)
+{
+	ipsec_policy_entry_t *entry;
+
+	DBG2(DBG_ESP, "flushing policies");
+
+	this->lock->write_lock(this->lock);
+	while (this->policies->remove_last(this->policies,
+									  (void**)&entry) == SUCCESS)
+	{
+		policy_entry_destroy(entry);
+	}
+	this->lock->unlock(this->lock);
+	return SUCCESS;
+}
+
+METHOD(ipsec_policy_mgr_t, find_by_packet, ipsec_policy_t*,
+	private_ipsec_policy_mgr_t *this, ip_packet_t *packet, bool inbound)
+{
+	enumerator_t *enumerator;
+	ipsec_policy_entry_t *current;
+	ipsec_policy_t *found = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		ipsec_policy_t *policy = current->policy;
+
+		if ((inbound == (policy->get_direction(policy) == POLICY_IN)) &&
+			 policy->match_packet(policy, packet))
+		{
+			found = policy->get_ref(policy);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return found;
+}
+
+METHOD(ipsec_policy_mgr_t, destroy, void,
+	private_ipsec_policy_mgr_t *this)
+{
+	flush_policies(this);
+	this->policies->destroy(this->policies);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipsec_policy_mgr_t *ipsec_policy_mgr_create()
+{
+	private_ipsec_policy_mgr_t *this;
+
+	INIT(this,
+		.public = {
+			.add_policy = _add_policy,
+			.del_policy = _del_policy,
+			.flush_policies = _flush_policies,
+			.find_by_packet = _find_by_packet,
+			.destroy = _destroy,
+		},
+		.policies = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
new file mode 100644
index 000000000..dfa4b12c3
--- /dev/null
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_policy_mgr ipsec_policy_mgr
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_POLICY_MGR_H_
+#define IPSEC_POLICY_MGR_H_
+
+#include "ipsec_policy.h"
+#include "ip_packet.h"
+
+#include <library.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
+#include <ipsec/ipsec_types.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct ipsec_policy_mgr_t ipsec_policy_mgr_t;
+
+/**
+ * IPsec policy manager
+ *
+ * The first methods are modeled after those in kernel_ipsec_t.
+ *
+ * @note Only policies of type POLICY_IPSEC are currently used, also policies
+ * with direction POLICY_FWD are ignored.  Any packets that do not match an
+ * installed policy will be dropped.
+ */
+struct ipsec_policy_mgr_t {
+
+	/**
+	 * Add a policy
+	 *
+	 * A policy is always associated to an SA. Traffic which matches a
+	 * policy is handled by the SA with the same reqid.
+	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
+	 * @param mark			mark for this policy
+	 * @param priority		priority of this policy
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_policy)(ipsec_policy_mgr_t *this,
+						   host_t *src, host_t *dst, traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts, policy_dir_t direction,
+						   policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+						   policy_priority_t priority);
+
+	/**
+	 * Remove a policy
+	 *
+	 * @param src_ts		traffic selector to match traffic source
+	 * @param dst_ts		traffic selector to match traffic dest
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param reqid			unique ID of the associated SA
+	 * @param mark			optional mark
+	 * @param priority		priority of the policy
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_policy)(ipsec_policy_mgr_t *this,
+						   traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts,
+						   policy_dir_t direction, u_int32_t reqid, mark_t mark,
+						   policy_priority_t priority);
+
+	/**
+	 * Flush all policies
+	 *
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*flush_policies)(ipsec_policy_mgr_t *this);
+
+	/**
+	 * Find the policy that matches the given IP packet best
+	 *
+	 * @param packet		IP packet to match
+	 * @param inbound		TRUE for an inbound packet
+	 * @return				reference to the policy, or NULL if none found
+	 */
+	ipsec_policy_t *(*find_by_packet)(ipsec_policy_mgr_t *this,
+									  ip_packet_t *packet, bool inbound);
+
+	/**
+	 * Destroy an ipsec_policy_mgr_t
+	 */
+	void (*destroy)(ipsec_policy_mgr_t *this);
+
+};
+
+/**
+ * Create an ipsec_policy_mgr instance
+ *
+ * @return			ipsec_policy_mgr
+ */
+ipsec_policy_mgr_t *ipsec_policy_mgr_create();
+
+#endif /** IPSEC_POLICY_MGR_H_ @}*/
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
new file mode 100644
index 000000000..e142157f8
--- /dev/null
+++ b/src/libipsec/ipsec_processor.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec.h"
+#include "ipsec_processor.h"
+
+#include <utils/debug.h>
+#include <library.h>
+#include <threading/rwlock.h>
+#include <collections/blocking_queue.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_ipsec_processor_t private_ipsec_processor_t;
+
+/**
+ * Private additions to ipsec_processor_t.
+ */
+struct private_ipsec_processor_t {
+
+	/**
+	 * Public members
+	 */
+	ipsec_processor_t public;
+
+	/**
+	 * Queue for inbound packets (esp_packet_t*)
+	 */
+	blocking_queue_t *inbound_queue;
+
+	/**
+	 * Queue for outbound packets (ip_packet_t*)
+	 */
+	blocking_queue_t *outbound_queue;
+
+	/**
+	 * Registered inbound callback
+	 */
+	struct {
+		ipsec_inbound_cb_t cb;
+		void *data;
+	} inbound;
+
+	/**
+	 * Registered outbound callback
+	 */
+	struct {
+		ipsec_outbound_cb_t cb;
+		void *data;
+	} outbound;
+
+	/**
+	 * Lock used to synchronize access to the callbacks
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Deliver an inbound IP packet to the registered listener
+ */
+static void deliver_inbound(private_ipsec_processor_t *this,
+							esp_packet_t *packet)
+{
+	this->lock->read_lock(this->lock);
+	if (this->inbound.cb)
+	{
+		this->inbound.cb(this->inbound.data, packet->extract_payload(packet));
+	}
+	else
+	{
+		DBG2(DBG_ESP, "no inbound callback registered, dropping packet");
+	}
+	packet->destroy(packet);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Processes inbound packets
+ */
+static job_requeue_t process_inbound(private_ipsec_processor_t *this)
+{
+	esp_packet_t *packet;
+	ipsec_sa_t *sa;
+	u_int8_t next_header;
+	u_int32_t spi;
+
+	packet = (esp_packet_t*)this->inbound_queue->dequeue(this->inbound_queue);
+
+	if (!packet->parse_header(packet, &spi))
+	{
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	sa = ipsec->sas->checkout_by_spi(ipsec->sas, spi,
+									 packet->get_destination(packet));
+	if (!sa)
+	{
+		DBG2(DBG_ESP, "inbound ESP packet does not belong to an installed SA");
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	if (!sa->is_inbound(sa))
+	{
+		DBG1(DBG_ESP, "error: IPsec SA is not inbound");
+		packet->destroy(packet);
+		ipsec->sas->checkin(ipsec->sas, sa);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	if (packet->decrypt(packet, sa->get_esp_context(sa)) != SUCCESS)
+	{
+		ipsec->sas->checkin(ipsec->sas, sa);
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+	ipsec->sas->checkin(ipsec->sas, sa);
+
+	next_header = packet->get_next_header(packet);
+	switch (next_header)
+	{
+		case IPPROTO_IPIP:
+		case IPPROTO_IPV6:
+		{
+			ipsec_policy_t *policy;
+			ip_packet_t *ip_packet;
+
+			ip_packet = packet->get_payload(packet);
+			policy = ipsec->policies->find_by_packet(ipsec->policies,
+													 ip_packet, TRUE);
+			if (policy)
+			{	/* TODO-IPSEC: update policy/sa stats? */
+				deliver_inbound(this, packet);
+				policy->destroy(policy);
+				break;
+			}
+			DBG1(DBG_ESP, "discarding inbound IP packet %H == %H due to "
+				 "policy", ip_packet->get_source(ip_packet),
+				 ip_packet->get_destination(ip_packet));
+			/* no matching policy found, fall-through */
+		}
+		case IPPROTO_NONE:
+			/* discard dummy packets */
+			/* fall-through */
+		default:
+			packet->destroy(packet);
+			break;
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * Send an ESP packet using the registered outbound callback
+ */
+static void send_outbound(private_ipsec_processor_t *this,
+						  esp_packet_t *packet)
+{
+	this->lock->read_lock(this->lock);
+	if (this->outbound.cb)
+	{
+		this->outbound.cb(this->outbound.data, packet);
+	}
+	else
+	{
+		DBG2(DBG_ESP, "no outbound callback registered, dropping packet");
+		packet->destroy(packet);
+	}
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Processes outbound packets
+ */
+static job_requeue_t process_outbound(private_ipsec_processor_t *this)
+{
+	ipsec_policy_t *policy;
+	esp_packet_t *esp_packet;
+	ip_packet_t *packet;
+	ipsec_sa_t *sa;
+	host_t *src, *dst;
+
+	packet = (ip_packet_t*)this->outbound_queue->dequeue(this->outbound_queue);
+
+	policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE);
+	if (!policy)
+	{
+		DBG2(DBG_ESP, "no matching outbound IPsec policy for %H == %H",
+			 packet->get_source(packet), packet->get_destination(packet));
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	sa = ipsec->sas->checkout_by_reqid(ipsec->sas, policy->get_reqid(policy),
+									   FALSE);
+	if (!sa)
+	{	/* TODO-IPSEC: send an acquire to uppper layer */
+		DBG1(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, "
+			 "dropping packet", policy->get_reqid(policy));
+		packet->destroy(packet);
+		policy->destroy(policy);
+		return JOB_REQUEUE_DIRECT;
+	}
+	src = sa->get_source(sa);
+	dst = sa->get_destination(sa);
+	esp_packet = esp_packet_create_from_payload(src->clone(src),
+												dst->clone(dst), packet);
+	if (esp_packet->encrypt(esp_packet, sa->get_esp_context(sa),
+							sa->get_spi(sa)) != SUCCESS)
+	{
+		ipsec->sas->checkin(ipsec->sas, sa);
+		esp_packet->destroy(esp_packet);
+		policy->destroy(policy);
+		return JOB_REQUEUE_DIRECT;
+	}
+	/* TODO-IPSEC: update policy/sa counters? */
+	ipsec->sas->checkin(ipsec->sas, sa);
+	policy->destroy(policy);
+	send_outbound(this, esp_packet);
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(ipsec_processor_t, queue_inbound, void,
+	private_ipsec_processor_t *this, esp_packet_t *packet)
+{
+	this->inbound_queue->enqueue(this->inbound_queue, packet);
+}
+
+METHOD(ipsec_processor_t, queue_outbound, void,
+	private_ipsec_processor_t *this, ip_packet_t *packet)
+{
+	this->outbound_queue->enqueue(this->outbound_queue, packet);
+}
+
+METHOD(ipsec_processor_t, register_inbound, void,
+	private_ipsec_processor_t *this, ipsec_inbound_cb_t cb, void *data)
+{
+	this->lock->write_lock(this->lock);
+	this->inbound.cb = cb;
+	this->inbound.data = data;
+	this->lock->unlock(this->lock);
+}
+
+METHOD(ipsec_processor_t, unregister_inbound, void,
+	private_ipsec_processor_t *this, ipsec_inbound_cb_t cb)
+{
+	this->lock->write_lock(this->lock);
+	if (this->inbound.cb == cb)
+	{
+		this->inbound.cb = NULL;
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(ipsec_processor_t, register_outbound, void,
+	private_ipsec_processor_t *this, ipsec_outbound_cb_t cb, void *data)
+{
+	this->lock->write_lock(this->lock);
+	this->outbound.cb = cb;
+	this->outbound.data = data;
+	this->lock->unlock(this->lock);
+}
+
+METHOD(ipsec_processor_t, unregister_outbound, void,
+	private_ipsec_processor_t *this, ipsec_outbound_cb_t cb)
+{
+	this->lock->write_lock(this->lock);
+	if (this->outbound.cb == cb)
+	{
+		this->outbound.cb = NULL;
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(ipsec_processor_t, destroy, void,
+	private_ipsec_processor_t *this)
+{
+	this->inbound_queue->destroy_offset(this->inbound_queue,
+										offsetof(esp_packet_t, destroy));
+	this->outbound_queue->destroy_offset(this->outbound_queue,
+										 offsetof(ip_packet_t, destroy));
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipsec_processor_t *ipsec_processor_create()
+{
+	private_ipsec_processor_t *this;
+
+	INIT(this,
+		.public = {
+			.queue_inbound = _queue_inbound,
+			.queue_outbound = _queue_outbound,
+			.register_inbound = _register_inbound,
+			.unregister_inbound = _unregister_inbound,
+			.register_outbound = _register_outbound,
+			.unregister_outbound = _unregister_outbound,
+			.destroy = _destroy,
+		},
+		.inbound_queue = blocking_queue_create(),
+		.outbound_queue = blocking_queue_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create((callback_job_cb_t)process_inbound, this,
+									NULL, (callback_job_cancel_t)return_false));
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create((callback_job_cb_t)process_outbound, this,
+									NULL, (callback_job_cancel_t)return_false));
+	return &this->public;
+}
diff --git a/src/libipsec/ipsec_processor.h b/src/libipsec/ipsec_processor.h
new file mode 100644
index 000000000..0a409828b
--- /dev/null
+++ b/src/libipsec/ipsec_processor.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_processor ipsec_processor
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_PROCESSOR_H_
+#define IPSEC_PROCESSOR_H_
+
+#include "ip_packet.h"
+#include "esp_packet.h"
+
+typedef struct ipsec_processor_t ipsec_processor_t;
+
+/**
+ * Callback called to deliver an inbound plaintext packet.
+ *
+ * @param data			data supplied during registration of the callback
+ * @param packet		plaintext IP packet to deliver
+ */
+typedef void (*ipsec_inbound_cb_t)(void *data, ip_packet_t *packet);
+
+/**
+ * Callback called to send an ESP packet.
+ *
+ * @note The ESP packet currently comes without IP header (and without UDP
+ * header in case of UDP encapsulation)
+ *
+ * @param data			data supplied during registration of the callback
+ * @param packet		ESP packet to send
+ */
+typedef void (*ipsec_outbound_cb_t)(void *data, esp_packet_t *packet);
+
+/**
+ *  IPsec processor
+ */
+struct ipsec_processor_t {
+
+	/**
+	 * Queue an inbound ESP packet for processing.
+	 *
+	 * @param packet		the ESP packet to process
+	 */
+	void (*queue_inbound)(ipsec_processor_t *this, esp_packet_t *packet);
+
+	/**
+	 * Queue an outbound plaintext IP packet for processing.
+	 *
+	 * @param packet		the plaintext IP packet
+	 */
+	void (*queue_outbound)(ipsec_processor_t *this, ip_packet_t *packet);
+
+	/**
+	 * Register the callback used to deliver inbound plaintext packets.
+	 *
+	 * @param cb			the inbound callback function
+	 * @param data			optional data provided to callback
+	 */
+	void (*register_inbound)(ipsec_processor_t *this, ipsec_inbound_cb_t cb,
+							 void *data);
+
+	/**
+	 * Unregister a previously registered inbound callback.
+	 *
+	 * @param cb			previously registered callback function
+	 */
+	void (*unregister_inbound)(ipsec_processor_t *this,
+							   ipsec_inbound_cb_t cb);
+
+	/**
+	 * Register the callback used to send outbound ESP packets.
+	 *
+	 * @param cb			the outbound callback function
+	 * @param data			optional data provided to callback
+	 */
+	void (*register_outbound)(ipsec_processor_t *this, ipsec_outbound_cb_t cb,
+							  void *data);
+
+	/**
+	 * Unregister a previously registered outbound callback.
+	 *
+	 * @param cb			previously registered callback function
+	 */
+	void (*unregister_outbound)(ipsec_processor_t *this,
+								ipsec_outbound_cb_t cb);
+
+	/**
+	 * Destroy an ipsec_processor_t.
+	 */
+	void (*destroy)(ipsec_processor_t *this);
+
+};
+
+/**
+ * Create an ipsec_processor_t instance
+ *
+ * @return					IPsec processor instance
+ */
+ipsec_processor_t *ipsec_processor_create();
+
+#endif /** IPSEC_PROCESSOR_H_ @}*/
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
new file mode 100644
index 000000000..2ff5cff55
--- /dev/null
+++ b/src/libipsec/ipsec_sa.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_sa.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_ipsec_sa_t private_ipsec_sa_t;
+
+/**
+ * Private additions to ipsec_sa_t.
+ */
+struct private_ipsec_sa_t {
+
+	/**
+	 * Public members
+	 */
+	ipsec_sa_t public;
+
+	/**
+	 * SPI of this SA
+	 */
+	u_int32_t spi;
+
+	/**
+	 * Source address
+	 */
+	host_t *src;
+
+	/**
+	 * Destination address
+	 */
+	host_t *dst;
+
+	/**
+	 * Protocol
+	 */
+	u_int8_t protocol;
+
+	/**
+	 * Reqid of this SA
+	 */
+	u_int32_t reqid;
+
+	/**
+	 * Lifetime configuration
+	 */
+	lifetime_cfg_t lifetime;
+
+	/**
+	 * IPsec mode
+	 */
+	ipsec_mode_t mode;
+
+	/**
+	 * TRUE if extended sequence numbers are used
+	 */
+	bool esn;
+
+	/**
+	 * TRUE if this is an inbound SA
+	 */
+	bool inbound;
+
+	/**
+	 * ESP context
+	 */
+	esp_context_t *esp_context;
+};
+
+METHOD(ipsec_sa_t, get_source, host_t*,
+	private_ipsec_sa_t *this)
+{
+	return this->src;
+}
+
+METHOD(ipsec_sa_t, get_destination, host_t*,
+	private_ipsec_sa_t *this)
+{
+	return this->dst;
+}
+
+METHOD(ipsec_sa_t, set_source, void,
+	private_ipsec_sa_t *this, host_t *addr)
+{
+	this->src->destroy(this->src);
+	this->src = addr->clone(addr);
+}
+
+METHOD(ipsec_sa_t, set_destination, void,
+	private_ipsec_sa_t *this, host_t *addr)
+{
+	this->dst->destroy(this->dst);
+	this->dst = addr->clone(addr);
+}
+
+METHOD(ipsec_sa_t, get_spi, u_int32_t,
+	private_ipsec_sa_t *this)
+{
+	return this->spi;
+}
+
+METHOD(ipsec_sa_t, get_reqid, u_int32_t,
+	private_ipsec_sa_t *this)
+{
+	return this->reqid;
+}
+
+METHOD(ipsec_sa_t, get_protocol, u_int8_t,
+	private_ipsec_sa_t *this)
+{
+	return this->protocol;
+}
+
+METHOD(ipsec_sa_t, get_lifetime, lifetime_cfg_t*,
+	private_ipsec_sa_t *this)
+{
+	return &this->lifetime;
+}
+
+METHOD(ipsec_sa_t, is_inbound, bool,
+	private_ipsec_sa_t *this)
+{
+	return this->inbound;
+}
+
+METHOD(ipsec_sa_t, get_esp_context, esp_context_t*,
+	private_ipsec_sa_t *this)
+{
+	return this->esp_context;
+}
+
+METHOD(ipsec_sa_t, match_by_spi_dst, bool,
+	private_ipsec_sa_t *this, u_int32_t spi, host_t *dst)
+{
+	return this->spi == spi && this->dst->ip_equals(this->dst, dst);
+}
+
+METHOD(ipsec_sa_t, match_by_spi_src_dst, bool,
+	private_ipsec_sa_t *this, u_int32_t spi, host_t *src, host_t *dst)
+{
+	return this->spi == spi && this->src->ip_equals(this->src, src) &&
+		   this->dst->ip_equals(this->dst, dst);
+}
+
+METHOD(ipsec_sa_t, match_by_reqid, bool,
+	private_ipsec_sa_t *this, u_int32_t reqid, bool inbound)
+{
+	return this->reqid == reqid && this->inbound == inbound;
+}
+
+METHOD(ipsec_sa_t, destroy, void,
+	private_ipsec_sa_t *this)
+{
+	this->src->destroy(this->src);
+	this->dst->destroy(this->dst);
+	DESTROY_IF(this->esp_context);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
+		u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
+		lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+		u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+		u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
+		traffic_selector_t *src_ts,	traffic_selector_t *dst_ts)
+{
+	private_ipsec_sa_t *this;
+
+	if (protocol != IPPROTO_ESP)
+	{
+		DBG1(DBG_ESP, "  IPsec SA: protocol not supported");
+		return NULL;
+	}
+	if (!encap)
+	{
+		DBG1(DBG_ESP, "  IPsec SA: only UDP encapsulation is supported");
+		return NULL;
+	}
+	if (esn)
+	{
+		DBG1(DBG_ESP, "  IPsec SA: ESN not supported");
+		return NULL;
+	}
+	if (ipcomp != IPCOMP_NONE)
+	{
+		DBG1(DBG_ESP, "  IPsec SA: compression not supported");
+		return NULL;
+	}
+	if (mode != MODE_TUNNEL)
+	{
+		DBG1(DBG_ESP, "  IPsec SA: unsupported mode");
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+			.get_source = _get_source,
+			.get_destination = _get_destination,
+			.set_source = _set_source,
+			.set_destination = _set_destination,
+			.get_spi = _get_spi,
+			.get_reqid = _get_reqid,
+			.get_protocol = _get_protocol,
+			.get_lifetime = _get_lifetime,
+			.is_inbound = _is_inbound,
+			.match_by_spi_dst = _match_by_spi_dst,
+			.match_by_spi_src_dst = _match_by_spi_src_dst,
+			.match_by_reqid = _match_by_reqid,
+			.get_esp_context = _get_esp_context,
+		},
+		.spi = spi,
+		.src = src->clone(src),
+		.dst = dst->clone(dst),
+		.lifetime = *lifetime,
+		.protocol = protocol,
+		.reqid = reqid,
+		.mode = mode,
+		.esn = esn,
+		.inbound = inbound,
+	);
+
+	this->esp_context = esp_context_create(enc_alg, enc_key, int_alg, int_key,
+										   inbound);
+	if (!this->esp_context)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
new file mode 100644
index 000000000..dec688e68
--- /dev/null
+++ b/src/libipsec/ipsec_sa.h
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_sa ipsec_sa
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_SA_H_
+#define IPSEC_SA_H_
+
+#include "esp_context.h"
+
+#include <library.h>
+#include <networking/host.h>
+#include <selectors/traffic_selector.h>
+#include <ipsec/ipsec_types.h>
+
+typedef struct ipsec_sa_t ipsec_sa_t;
+
+/**
+ * IPsec Security Association (SA)
+ */
+struct ipsec_sa_t {
+
+	/**
+	 * Get the source address for this SA
+	 *
+	 * @return			source address of this SA
+	 */
+	host_t *(*get_source)(ipsec_sa_t *this);
+
+	/**
+	 * Get the destination address for this SA
+	 *
+	 * @return			destination address of this SA
+	 */
+	host_t *(*get_destination)(ipsec_sa_t *this);
+
+	/**
+	 * Set the source address for this SA
+	 *
+	 * @param addr		source address of this SA (gets cloned)
+	 */
+	void (*set_source)(ipsec_sa_t *this, host_t *addr);
+
+	/**
+	 * Set the destination address for this SA
+	 *
+	 * @param addr		destination address of this SA (gets cloned)
+	 */
+	void (*set_destination)(ipsec_sa_t *this, host_t *addr);
+
+	/**
+	 * Get the SPI for this SA
+	 *
+	 * @return			SPI of this SA
+	 */
+	u_int32_t (*get_spi)(ipsec_sa_t *this);
+
+	/**
+	 * Get the reqid of this SA
+	 *
+	 * @return			reqid of this SA
+	 */
+	u_int32_t (*get_reqid)(ipsec_sa_t *this);
+
+	/**
+	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
+	 *
+	 * @return			protocol of this SA
+	 */
+	u_int8_t (*get_protocol)(ipsec_sa_t *this);
+
+	/**
+	 * Returns whether this SA is inbound or outbound
+	 *
+	 * @return			TRUE if inbound, FALSE if outbound
+	 */
+	bool (*is_inbound)(ipsec_sa_t *this);
+
+	/**
+	 * Get the lifetime information for this SA
+	 * Note that this information is always relative to the time when the
+	 * SA was installed (i.e. it is not adjusted over time)
+	 *
+	 * @return			lifetime of this SA
+	 */
+	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);
+
+	/**
+	 * Get the ESP context for this SA
+	 *
+	 * @return			ESP context of this SA
+	 */
+	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);
+
+	/**
+	 * Check if this SA matches all given parameters
+	 *
+	 * @param spi		SPI
+	 * @param dst		destination address
+	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
+	 */
+	bool (*match_by_spi_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *dst);
+
+	/**
+	 * Check if this SA matches all given parameters
+	 *
+	 * @param spi		SPI
+	 * @param src		source address
+	 * @param dst		destination address
+	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
+	 */
+	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *src,
+								 host_t *dst);
+
+	/**
+	 * Check if this SA matches all given parameters
+	 *
+	 * @param reqid		reqid
+	 * @param inbound	TRUE for inbound SA, FALSE for outbound
+	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
+	 */
+	bool (*match_by_reqid)(ipsec_sa_t *this, u_int32_t reqid, bool inbound);
+
+	/**
+	 * Destroy an ipsec_sa_t
+	 */
+	void (*destroy)(ipsec_sa_t *this);
+
+};
+
+/**
+ * Create an ipsec_sa_t instance
+ *
+ * @param spi			SPI for this SA
+ * @param src			source address for this SA (gets cloned)
+ * @param dst			destination address for this SA (gets cloned)
+ * @param protocol		protocol for this SA (only ESP is supported)
+ * @param reqid			reqid for this SA
+ * @param mark			mark for this SA (ignored)
+ * @param tfc			Traffic Flow Confidentiality (currently not supported)
+ * @param lifetime		lifetime for this SA
+ * @param enc_alg		encryption algorithm for this SA
+ * @param enc_key		encryption key for this SA
+ * @param int_alg		integrity protection algorithm
+ * @param int_key		integrity protection key
+ * @param mode			mode for this SA (only tunnel mode is supported)
+ * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
+ * @param cpi			CPI for IPcomp (ignored)
+ * @param encap			enable UDP encapsulation (must be TRUE)
+ * @param esn			Extended Sequence Numbers (currently not supported)
+ * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
+ * @param src_ts		source traffic selector
+ * @param dst_ts		destination traffic selector
+ * @return				the IPsec SA, or NULL if the creation failed
+ */
+ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
+							u_int8_t protocol, u_int32_t reqid, mark_t mark,
+							u_int32_t tfc, lifetime_cfg_t *lifetime,
+							u_int16_t enc_alg, chunk_t enc_key,
+							u_int16_t int_alg, chunk_t int_key,
+							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+							bool encap, bool esn, bool inbound,
+							traffic_selector_t *src_ts,
+							traffic_selector_t *dst_ts);
+
+#endif /** IPSEC_SA_H_ @}*/
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
new file mode 100644
index 000000000..928a53d50
--- /dev/null
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -0,0 +1,670 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec.h"
+#include "ipsec_sa_mgr.h"
+
+#include <utils/debug.h>
+#include <library.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+
+typedef struct private_ipsec_sa_mgr_t private_ipsec_sa_mgr_t;
+
+/**
+ * Private additions to ipsec_sa_mgr_t.
+ */
+struct private_ipsec_sa_mgr_t {
+
+	/**
+	 * Public members of ipsec_sa_mgr_t.
+	 */
+	ipsec_sa_mgr_t public;
+
+	/**
+	 * Installed SAs
+	 */
+	linked_list_t *sas;
+
+	/**
+	 * SPIs allocated using get_spi()
+	 */
+	hashtable_t *allocated_spis;
+
+	/**
+	 * Mutex used to synchronize access to the SA manager
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * RNG used to generate SPIs
+	 */
+	rng_t *rng;
+};
+
+/**
+ * Struct to keep track of locked IPsec SAs
+ */
+typedef struct {
+
+	/**
+	 * IPsec SA
+	 */
+	ipsec_sa_t *sa;
+
+	/**
+	 * Set if this SA is currently in use by a thread
+	 */
+	bool locked;
+
+	/**
+	 * Condvar used by threads to wait for this entry
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Number of threads waiting for this entry
+	 */
+	u_int waiting_threads;
+
+	/**
+	 * Set if this entry is awaiting deletion
+	 */
+	bool awaits_deletion;
+
+}  ipsec_sa_entry_t;
+
+/**
+ * Helper struct for expiration events
+ */
+typedef struct {
+
+	/**
+	 * IPsec SA manager
+	 */
+	private_ipsec_sa_mgr_t *manager;
+
+	/**
+	 * Entry that expired
+	 */
+	ipsec_sa_entry_t *entry;
+
+	/**
+	 * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
+	 */
+	u_int32_t hard_offset;
+
+} ipsec_sa_expired_t;
+
+/*
+ * Used for the hash table of allocated SPIs
+ */
+static bool spi_equals(u_int32_t *spi, u_int32_t *other_spi)
+{
+	return *spi == *other_spi;
+}
+
+static u_int spi_hash(u_int32_t *spi)
+{
+	return chunk_hash(chunk_from_thing(*spi));
+}
+
+/**
+ * Create an SA entry
+ */
+static ipsec_sa_entry_t *create_entry(ipsec_sa_t *sa)
+{
+	ipsec_sa_entry_t *this;
+
+	INIT(this,
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.sa = sa,
+	);
+	return this;
+}
+
+/**
+ * Destroy an SA entry
+ */
+static void destroy_entry(ipsec_sa_entry_t *entry)
+{
+	entry->condvar->destroy(entry->condvar);
+	entry->sa->destroy(entry->sa);
+	free(entry);
+}
+
+/**
+ * Makes sure an entry is safe to remove
+ * Must be called with this->mutex held.
+ *
+ * @return			TRUE if entry can be removed, FALSE if entry is already
+*					being removed by another thread
+ */
+static bool wait_remove_entry(private_ipsec_sa_mgr_t *this,
+							  ipsec_sa_entry_t *entry)
+{
+	if (entry->awaits_deletion)
+	{
+		/* this will be deleted by another thread already */
+		return FALSE;
+	}
+	entry->awaits_deletion = TRUE;
+	while (entry->locked)
+	{
+		entry->condvar->wait(entry->condvar, this->mutex);
+	}
+	while (entry->waiting_threads > 0)
+	{
+		entry->condvar->broadcast(entry->condvar);
+		entry->condvar->wait(entry->condvar, this->mutex);
+	}
+	return TRUE;
+}
+
+/**
+ * Waits until an is available and then locks it.
+ * Must only be called with this->mutex held
+ */
+static bool wait_for_entry(private_ipsec_sa_mgr_t *this,
+						   ipsec_sa_entry_t *entry)
+{
+	while (entry->locked && !entry->awaits_deletion)
+	{
+		entry->waiting_threads++;
+		entry->condvar->wait(entry->condvar, this->mutex);
+		entry->waiting_threads--;
+	}
+	if (entry->awaits_deletion)
+	{
+		/* others may still be waiting, */
+		entry->condvar->signal(entry->condvar);
+		return FALSE;
+	}
+	entry->locked = TRUE;
+	return TRUE;
+}
+
+/**
+ * Flushes all entries
+ * Must be called with this->mutex held.
+ */
+static void flush_entries(private_ipsec_sa_mgr_t *this)
+{
+	ipsec_sa_entry_t *current;
+	enumerator_t *enumerator;
+
+	DBG2(DBG_ESP, "flushing SAD");
+
+	enumerator = this->sas->create_enumerator(this->sas);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (wait_remove_entry(this, current))
+		{
+			this->sas->remove_at(this->sas, enumerator);
+			destroy_entry(current);
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+/*
+ * Different match functions to find SAs in the linked list
+ */
+static bool match_entry_by_ptr(ipsec_sa_entry_t *item, ipsec_sa_entry_t *entry)
+{
+	return item == entry;
+}
+
+static bool match_entry_by_sa_ptr(ipsec_sa_entry_t *item, ipsec_sa_t *sa)
+{
+	return item->sa == sa;
+}
+
+static bool match_entry_by_spi_inbound(ipsec_sa_entry_t *item, u_int32_t *spi,
+									   bool *inbound)
+{
+	return item->sa->get_spi(item->sa) == *spi &&
+		   item->sa->is_inbound(item->sa) == *inbound;
+}
+
+static bool match_entry_by_spi_src_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
+									   host_t *src, host_t *dst)
+{
+	return item->sa->match_by_spi_src_dst(item->sa, *spi, src, dst);
+}
+
+static bool match_entry_by_reqid_inbound(ipsec_sa_entry_t *item,
+										 u_int32_t *reqid, bool *inbound)
+{
+	return item->sa->match_by_reqid(item->sa, *reqid, *inbound);
+}
+
+static bool match_entry_by_spi_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
+								   host_t *dst)
+{
+	return item->sa->match_by_spi_dst(item->sa, *spi, dst);
+}
+
+/**
+ * Remove an entry
+ */
+static bool remove_entry(private_ipsec_sa_mgr_t *this, ipsec_sa_entry_t *entry)
+{
+	ipsec_sa_entry_t *current;
+	enumerator_t *enumerator;
+	bool removed = FALSE;
+
+	enumerator = this->sas->create_enumerator(this->sas);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (current == entry)
+		{
+			if (wait_remove_entry(this, current))
+			{
+				this->sas->remove_at(this->sas, enumerator);
+				removed = TRUE;
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return removed;
+}
+
+/**
+ * Callback for expiration events
+ */
+static job_requeue_t sa_expired(ipsec_sa_expired_t *expired)
+{
+	private_ipsec_sa_mgr_t *this = expired->manager;
+
+	this->mutex->lock(this->mutex);
+	if (this->sas->find_first(this->sas, (void*)match_entry_by_ptr,
+							  NULL, expired->entry) == SUCCESS)
+	{
+		u_int32_t hard_offset = expired->hard_offset;
+		ipsec_sa_t *sa = expired->entry->sa;
+
+		ipsec->events->expire(ipsec->events, sa->get_reqid(sa),
+							  sa->get_protocol(sa), sa->get_spi(sa),
+							  hard_offset == 0);
+		if (hard_offset)
+		{	/* soft limit reached, schedule hard expire */
+			expired->hard_offset = 0;
+			this->mutex->unlock(this->mutex);
+			return JOB_RESCHEDULE(hard_offset);
+		}
+		/* hard limit reached */
+		if (remove_entry(this, expired->entry))
+		{
+			destroy_entry(expired->entry);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule a job to handle IPsec SA expiration
+ */
+static void schedule_expiration(private_ipsec_sa_mgr_t *this,
+								ipsec_sa_entry_t *entry)
+{
+	lifetime_cfg_t *lifetime = entry->sa->get_lifetime(entry->sa);
+	ipsec_sa_expired_t *expired;
+	callback_job_t *job;
+	u_int32_t timeout;
+
+	if (!lifetime->time.life)
+	{	/* no expiration at all */
+		return;
+	}
+
+	INIT(expired,
+		.manager = this,
+		.entry = entry,
+	);
+
+	/* schedule a rekey first, a hard timeout will be scheduled then, if any */
+	expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
+	timeout = lifetime->time.rekey;
+
+	if (lifetime->time.life <= lifetime->time.rekey ||
+		lifetime->time.rekey == 0)
+	{	/* no rekey, schedule hard timeout */
+		expired->hard_offset = 0;
+		timeout = lifetime->time.life;
+	}
+
+	job = callback_job_create((callback_job_cb_t)sa_expired, expired,
+							  (callback_job_cleanup_t)free, NULL);
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, timeout);
+}
+
+/**
+ * Remove all allocated SPIs
+ */
+static void flush_allocated_spis(private_ipsec_sa_mgr_t *this)
+{
+	enumerator_t *enumerator;
+	u_int32_t *current;
+
+	DBG2(DBG_ESP, "flushing allocated SPIs");
+	enumerator = this->allocated_spis->create_enumerator(this->allocated_spis);
+	while (enumerator->enumerate(enumerator, NULL, (void**)&current))
+	{
+		this->allocated_spis->remove_at(this->allocated_spis, enumerator);
+		DBG2(DBG_ESP, "  removed allocated SPI %.8x", ntohl(*current));
+		free(current);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Pre-allocate an SPI for an inbound SA
+ */
+static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi)
+{
+	u_int32_t *spi_alloc;
+
+	if (this->allocated_spis->get(this->allocated_spis, &spi) ||
+		this->sas->find_first(this->sas, (void*)match_entry_by_spi_inbound,
+							  NULL, &spi, TRUE) == SUCCESS)
+	{
+		return FALSE;
+	}
+	spi_alloc = malloc_thing(u_int32_t);
+	*spi_alloc = spi;
+	this->allocated_spis->put(this->allocated_spis, spi_alloc, spi_alloc);
+	return TRUE;
+}
+
+METHOD(ipsec_sa_mgr_t, get_spi, status_t,
+	private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int8_t protocol,
+	u_int32_t reqid, u_int32_t *spi)
+{
+	u_int32_t spi_new;
+
+	DBG2(DBG_ESP, "allocating SPI for reqid {%u}", reqid);
+
+	this->mutex->lock(this->mutex);
+	if (!this->rng)
+	{
+		this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		if (!this->rng)
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_ESP, "failed to create RNG for SPI generation");
+			return FAILED;
+		}
+	}
+
+	do
+	{
+		if (!this->rng->get_bytes(this->rng, sizeof(spi_new),
+								 (u_int8_t*)&spi_new))
+		{
+			this->mutex->unlock(this->mutex);
+			DBG1(DBG_ESP, "failed to allocate SPI for reqid {%u}", reqid);
+			return FAILED;
+		}
+		/* make sure the SPI is valid (not in range 0-255) */
+		spi_new |= 0x00000100;
+		spi_new = htonl(spi_new);
+	}
+	while (!allocate_spi(this, spi_new));
+	this->mutex->unlock(this->mutex);
+
+	*spi = spi_new;
+
+	DBG2(DBG_ESP, "allocated SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+	return SUCCESS;
+}
+
+METHOD(ipsec_sa_mgr_t, add_sa, status_t,
+	private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	u_int8_t protocol, u_int32_t reqid,	mark_t mark, u_int32_t tfc,
+	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	ipsec_sa_entry_t *entry;
+	ipsec_sa_t *sa_new;
+
+	DBG2(DBG_ESP, "adding SAD entry with SPI %.8x and reqid {%u}",
+		 ntohl(spi), reqid);
+	DBG2(DBG_ESP, "  using encryption algorithm %N with key size %d",
+		 encryption_algorithm_names, enc_alg, enc_key.len * 8);
+	DBG2(DBG_ESP, "  using integrity algorithm %N with key size %d",
+		 integrity_algorithm_names, int_alg, int_key.len * 8);
+
+	sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc,
+							 lifetime, enc_alg, enc_key, int_alg, int_key, mode,
+							 ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+	if (!sa_new)
+	{
+		DBG1(DBG_ESP, "failed to create SAD entry");
+		return FAILED;
+	}
+
+	this->mutex->lock(this->mutex);
+
+	if (inbound)
+	{	/* remove any pre-allocated SPIs */
+		u_int32_t *spi_alloc;
+
+		spi_alloc = this->allocated_spis->remove(this->allocated_spis, &spi);
+		free(spi_alloc);
+	}
+
+	if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
+							  NULL, &spi, src, dst) == SUCCESS)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_ESP, "failed to install SAD entry: already installed");
+		sa_new->destroy(sa_new);
+		return FAILED;
+	}
+
+	entry = create_entry(sa_new);
+	schedule_expiration(this, entry);
+	this->sas->insert_last(this->sas, entry);
+
+	this->mutex->unlock(this->mutex);
+	return SUCCESS;
+}
+
+METHOD(ipsec_sa_mgr_t, update_sa, status_t,
+	private_ipsec_sa_mgr_t *this, u_int32_t spi, u_int8_t protocol,
+	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+	bool encap, bool new_encap, mark_t mark)
+{
+	ipsec_sa_entry_t *entry = NULL;
+
+	DBG2(DBG_ESP, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
+		 ntohl(spi), src, dst, new_src, new_dst);
+
+	if (!new_encap)
+	{
+		DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP "
+			 "encapsulation");
+		return NOT_SUPPORTED;
+	}
+
+	this->mutex->lock(this->mutex);
+	if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
+							 (void**)&entry, &spi, src, dst) == SUCCESS &&
+		wait_for_entry(this, entry))
+	{
+		entry->sa->set_source(entry->sa, new_src);
+		entry->sa->set_destination(entry->sa, new_dst);
+		/* checkin the entry */
+		entry->locked = FALSE;
+		entry->condvar->signal(entry->condvar);
+	}
+	this->mutex->unlock(this->mutex);
+
+	if (!entry)
+	{
+		DBG1(DBG_ESP, "failed to update SAD entry: not found");
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+METHOD(ipsec_sa_mgr_t, del_sa, status_t,
+	private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int32_t spi,
+	u_int8_t protocol, u_int16_t cpi, mark_t mark)
+{
+	ipsec_sa_entry_t *current, *found = NULL;
+	enumerator_t *enumerator;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->sas->create_enumerator(this->sas);
+	while (enumerator->enumerate(enumerator, (void**)&current))
+	{
+		if (match_entry_by_spi_src_dst(current, &spi, src, dst))
+		{
+			if (wait_remove_entry(this, current))
+			{
+				this->sas->remove_at(this->sas, enumerator);
+				found = current;
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	if (found)
+	{
+		DBG2(DBG_ESP, "deleted %sbound SAD entry with SPI %.8x",
+			 found->sa->is_inbound(found->sa) ? "in" : "out", ntohl(spi));
+		destroy_entry(found);
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(ipsec_sa_mgr_t, checkout_by_reqid, ipsec_sa_t*,
+	private_ipsec_sa_mgr_t *this, u_int32_t reqid, bool inbound)
+{
+	ipsec_sa_entry_t *entry;
+	ipsec_sa_t *sa = NULL;
+
+	this->mutex->lock(this->mutex);
+	if (this->sas->find_first(this->sas, (void*)match_entry_by_reqid_inbound,
+							 (void**)&entry, &reqid, &inbound) == SUCCESS &&
+		wait_for_entry(this, entry))
+	{
+		sa = entry->sa;
+	}
+	this->mutex->unlock(this->mutex);
+	return sa;
+}
+
+METHOD(ipsec_sa_mgr_t, checkout_by_spi, ipsec_sa_t*,
+	private_ipsec_sa_mgr_t *this, u_int32_t spi, host_t *dst)
+{
+	ipsec_sa_entry_t *entry;
+	ipsec_sa_t *sa = NULL;
+
+	this->mutex->lock(this->mutex);
+	if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_dst,
+							 (void**)&entry, &spi, dst) == SUCCESS &&
+		wait_for_entry(this, entry))
+	{
+		sa = entry->sa;
+	}
+	this->mutex->unlock(this->mutex);
+	return sa;
+}
+
+METHOD(ipsec_sa_mgr_t, checkin, void,
+	private_ipsec_sa_mgr_t *this, ipsec_sa_t *sa)
+{
+	ipsec_sa_entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	if (this->sas->find_first(this->sas, (void*)match_entry_by_sa_ptr,
+							 (void**)&entry, sa) == SUCCESS)
+	{
+		if (entry->locked)
+		{
+			entry->locked = FALSE;
+			entry->condvar->signal(entry->condvar);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(ipsec_sa_mgr_t, flush_sas, status_t,
+	private_ipsec_sa_mgr_t *this)
+{
+	this->mutex->lock(this->mutex);
+	flush_entries(this);
+	this->mutex->unlock(this->mutex);
+	return SUCCESS;
+}
+
+METHOD(ipsec_sa_mgr_t, destroy, void,
+	private_ipsec_sa_mgr_t *this)
+{
+	this->mutex->lock(this->mutex);
+	flush_entries(this);
+	flush_allocated_spis(this);
+	this->mutex->unlock(this->mutex);
+
+	this->allocated_spis->destroy(this->allocated_spis);
+	this->sas->destroy(this->sas);
+
+	this->mutex->destroy(this->mutex);
+	DESTROY_IF(this->rng);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipsec_sa_mgr_t *ipsec_sa_mgr_create()
+{
+	private_ipsec_sa_mgr_t *this;
+
+	INIT(this,
+		.public = {
+			.get_spi = _get_spi,
+			.add_sa = _add_sa,
+			.update_sa = _update_sa,
+			.del_sa = _del_sa,
+			.checkout_by_spi = _checkout_by_spi,
+			.checkout_by_reqid = _checkout_by_reqid,
+			.checkin = _checkin,
+			.flush_sas = _flush_sas,
+			.destroy = _destroy,
+		},
+		.sas = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.allocated_spis = hashtable_create((hashtable_hash_t)spi_hash,
+										   (hashtable_equals_t)spi_equals, 16),
+	);
+
+	return &this->public;
+}
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
new file mode 100644
index 000000000..e9ce5ee8f
--- /dev/null
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_sa_mgr ipsec_sa_mgr
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_SA_MGR_H_
+#define IPSEC_SA_MGR_H_
+
+#include "ipsec_sa.h"
+
+#include <library.h>
+#include <ipsec/ipsec_types.h>
+#include <selectors/traffic_selector.h>
+#include <networking/host.h>
+
+typedef struct ipsec_sa_mgr_t ipsec_sa_mgr_t;
+
+/**
+ * IPsec SA manager
+ *
+ * The first methods are modeled after those in kernel_ipsec_t.
+ */
+struct ipsec_sa_mgr_t {
+
+	/**
+	 * Allocate an SPI for an inbound IPsec SA
+	 *
+	 * @param src			source address of the SA
+	 * @param dst			destination address of the SA
+	 * @param protocol		protocol of the SA (only ESP supported)
+	 * @param reqid			reqid for the SA
+	 * @param spi			the allocated SPI
+	 * @return				SUCCESS of operation successful
+	 */
+	status_t (*get_spi)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
+						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+	/**
+	 * Add a new SA
+	 *
+	 * @param src			source address for this SA (gets cloned)
+	 * @param dst			destination address for this SA (gets cloned)
+	 * @param spi			SPI for this SA
+	 * @param protocol		protocol for this SA (only ESP is supported)
+	 * @param reqid			reqid for this SA
+	 * @param mark			mark for this SA (ignored)
+	 * @param tfc			Traffic Flow Confidentiality (not yet supported)
+	 * @param lifetime		lifetime for this SA
+	 * @param enc_alg		encryption algorithm for this SA
+	 * @param enc_key		encryption key for this SA
+	 * @param int_alg		integrity protection algorithm
+	 * @param int_key		integrity protection key
+	 * @param mode			mode for this SA (only tunnel mode is supported)
+	 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
+	 * @param cpi			CPI for IPcomp (ignored)
+	 * @param initiator		TRUE if initiator of the exchange creating this SA
+	 * @param encap			enable UDP encapsulation (must be TRUE)
+	 * @param esn			Extended Sequence Numbers (currently not supported)
+	 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
+					   u_int32_t spi, u_int8_t protocol, u_int32_t reqid,
+					   mark_t mark, u_int32_t tfc,	lifetime_cfg_t *lifetime,
+					   u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg,
+					   chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+					   u_int16_t cpi, bool initiator, bool encap, bool esn,
+					   bool inbound, traffic_selector_t *src_ts,
+					   traffic_selector_t *dst_ts);
+
+	/**
+	 * Update the hosts on an installed SA.
+	 *
+	 * @param spi			SPI of the SA
+	 * @param protocol		protocol for this SA (ESP/AH)
+	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			current use of UDP encapsulation
+	 * @param new_encap		new use of UDP encapsulation
+	 * @param mark			optional mark for this SA
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*update_sa)(ipsec_sa_mgr_t *this,
+						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst,
+						  bool encap, bool new_encap, mark_t mark);
+
+	/**
+	 * Delete a previously added SA
+	 *
+	 * @param spi			SPI of the SA
+	 * @param src			source address of the SA
+	 * @param dst			destination address of the SA
+	 * @param protocol		protocol of the SA
+	 * @param cpi			CPI for IPcomp
+	 * @param mark			optional mark
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*del_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
+					   u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
+					   mark_t mark);
+
+	/**
+	 * Flush all SAs
+	 *
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*flush_sas)(ipsec_sa_mgr_t *this);
+
+	/**
+	 * Checkout an installed IPsec SA by SPI and destination address
+	 * Can be used to find the correct SA for an inbound packet.
+	 *
+	 * The matching SA is locked until it is checked in using checkin().
+	 * If the matching SA is already checked out, this call blocks until the
+	 * SA is checked in.
+	 *
+	 * Since other threads may be waiting for the checked out SA, it should be
+	 * checked in as soon as possible after use.
+	 *
+	 * @param spi			SPI (e.g. of an inbound packet)
+	 * @param dst			destination address (e.g. of an inbound packet)
+	 * @return				the matching IPsec SA, or NULL if none is found
+	 */
+	ipsec_sa_t *(*checkout_by_spi)(ipsec_sa_mgr_t *this, u_int32_t spi,
+								   host_t *dst);
+
+	/**
+	 * Checkout an installed IPsec SA by its reqid and inbound/outbound flag.
+	 * Can be used to find the correct SA for an outbound packet.
+	 *
+	 * The matching SA is locked until it is checked in using checkin().
+	 * If the matching SA is already checked out, this call blocks until the
+	 * SA is checked in.
+	 *
+	 * Since other threads may be waiting for a checked out SA, it should be
+	 * checked in as soon as possible after use.
+	 *
+	 * @param reqid			reqid of the SA
+	 * @param inbound		TRUE for an inbound SA, FALSE for an outbound SA
+	 * @return				the matching IPsec SA, or NULL if none is found
+	 */
+	ipsec_sa_t *(*checkout_by_reqid)(ipsec_sa_mgr_t *this, u_int32_t reqid,
+									 bool inbound);
+
+	/**
+	 * Checkin an SA after use.
+	 *
+	 * @param sa			checked out SA
+	 */
+	void (*checkin)(ipsec_sa_mgr_t *this, ipsec_sa_t *sa);
+
+	/**
+	 * Destroy an ipsec_sa_mgr_t
+	 */
+	void (*destroy)(ipsec_sa_mgr_t *this);
+
+};
+
+/**
+ * Create an ipsec_sa_mgr instance
+ *
+ * @return					IPsec SA manager instance
+ */
+ipsec_sa_mgr_t *ipsec_sa_mgr_create();
+
+#endif /** IPSEC_SA_MGR_H_ @}*/
diff --git a/src/libpts/Makefile.am b/src/libpts/Makefile.am
index 3ff941794..162af5d0d 100644
--- a/src/libpts/Makefile.am
+++ b/src/libpts/Makefile.am
@@ -1,14 +1,21 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
 
 ipseclib_LTLIBRARIES = libpts.la
 
-libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi
+libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la
+
+if USE_TROUSERS
+  libpts_la_LIBADD += -ltspi
+endif
 
 libpts_la_SOURCES = \
 	libpts.h libpts.c \
 	pts/pts.h pts/pts.c \
 	pts/pts_error.h pts/pts_error.c \
+	pts/pts_pcr.h pts/pts_pcr.c \
 	pts/pts_proto_caps.h \
 	pts/pts_req_func_comp_evid.h \
 	pts/pts_simple_evid_final.h \
@@ -46,7 +53,7 @@ libpts_la_SOURCES = \
 	tcg/tcg_pts_attr_file_meas.h tcg/tcg_pts_attr_file_meas.c \
 	tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \
 	tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c
-	
+
 SUBDIRS = .
 
 if USE_IMC_ATTESTATION
diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index d317cfea1..aa219f7f4 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -34,8 +51,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-@USE_IMC_ATTESTATION_TRUE@am__append_1 = plugins/imc_attestation
-@USE_IMV_ATTESTATION_TRUE@am__append_2 = plugins/imv_attestation
+@USE_TROUSERS_TRUE@am__append_1 = -ltspi
+@USE_IMC_ATTESTATION_TRUE@am__append_2 = plugins/imc_attestation
+@USE_IMV_ATTESTATION_TRUE@am__append_3 = plugins/imv_attestation
 subdir = src/libpts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -47,10 +65,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -74,11 +93,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
-libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la
-am_libpts_la_OBJECTS = libpts.lo pts.lo pts_error.lo pts_creds.lo \
-	pts_database.lo pts_dh_group.lo pts_file_meas.lo \
+am__DEPENDENCIES_1 =
+libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
+	$(am__DEPENDENCIES_1)
+am_libpts_la_OBJECTS = libpts.lo pts.lo pts_error.lo pts_pcr.lo \
+	pts_creds.lo pts_database.lo pts_dh_group.lo pts_file_meas.lo \
 	pts_file_meta.lo pts_file_type.lo pts_meas_algo.lo \
 	pts_component_manager.lo pts_comp_evidence.lo \
 	pts_comp_func_name.lo ita_comp_func_name.lo ita_comp_ima.lo \
@@ -96,19 +123,35 @@ am_libpts_la_OBJECTS = libpts.lo pts.lo pts_error.lo pts_creds.lo \
 	tcg_pts_attr_req_file_meas.lo tcg_pts_attr_file_meas.lo \
 	tcg_pts_attr_req_file_meta.lo tcg_pts_attr_unix_file_meta.lo
 libpts_la_OBJECTS = $(am_libpts_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libpts_la_SOURCES)
 DIST_SOURCES = $(libpts_la_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -118,6 +161,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -155,21 +203,28 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -178,13 +233,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -197,6 +255,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -224,11 +283,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -236,6 +297,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -244,8 +306,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -254,14 +314,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -275,17 +340,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -295,16 +360,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -332,13 +396,19 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv
+
 ipseclib_LTLIBRARIES = libpts.la
-libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi
+libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
+	$(am__append_1)
 libpts_la_SOURCES = \
 	libpts.h libpts.c \
 	pts/pts.h pts/pts.c \
 	pts/pts_error.h pts/pts_error.c \
+	pts/pts_pcr.h pts/pts_pcr.c \
 	pts/pts_proto_caps.h \
 	pts/pts_req_func_comp_evid.h \
 	pts/pts_simple_evid_final.h \
@@ -377,7 +447,7 @@ libpts_la_SOURCES = \
 	tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \
 	tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c
 
-SUBDIRS = . $(am__append_1) $(am__append_2)
+SUBDIRS = . $(am__append_2) $(am__append_3)
 all: all-recursive
 
 .SUFFIXES:
@@ -414,7 +484,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -422,6 +491,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -443,8 +514,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libpts_la_OBJECTS) $(libpts_la_LIBADD) $(LIBS)
+libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) $(EXTRA_libpts_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libpts_la_OBJECTS) $(libpts_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -469,6 +540,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pts_file_meta.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pts_file_type.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pts_meas_algo.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pts_pcr.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tcg_attr.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tcg_comp_func_name.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tcg_pts_attr_aik.Plo@am__quote@
@@ -490,270 +562,277 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tcg_pts_attr_unix_file_meta.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 pts.lo: pts/pts.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts.lo -MD -MP -MF $(DEPDIR)/pts.Tpo -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts.Tpo $(DEPDIR)/pts.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts.c' object='pts.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts.lo -MD -MP -MF $(DEPDIR)/pts.Tpo -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts.Tpo $(DEPDIR)/pts.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts.c' object='pts.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts.lo `test -f 'pts/pts.c' || echo '$(srcdir)/'`pts/pts.c
 
 pts_error.lo: pts/pts_error.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_error.lo -MD -MP -MF $(DEPDIR)/pts_error.Tpo -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_error.Tpo $(DEPDIR)/pts_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_error.c' object='pts_error.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_error.lo -MD -MP -MF $(DEPDIR)/pts_error.Tpo -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_error.Tpo $(DEPDIR)/pts_error.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_error.c' object='pts_error.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
+
+pts_pcr.lo: pts/pts_pcr.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_pcr.lo -MD -MP -MF $(DEPDIR)/pts_pcr.Tpo -c -o pts_pcr.lo `test -f 'pts/pts_pcr.c' || echo '$(srcdir)/'`pts/pts_pcr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_pcr.Tpo $(DEPDIR)/pts_pcr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_pcr.c' object='pts_pcr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_error.lo `test -f 'pts/pts_error.c' || echo '$(srcdir)/'`pts/pts_error.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_pcr.lo `test -f 'pts/pts_pcr.c' || echo '$(srcdir)/'`pts/pts_pcr.c
 
 pts_creds.lo: pts/pts_creds.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_creds.lo -MD -MP -MF $(DEPDIR)/pts_creds.Tpo -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_creds.Tpo $(DEPDIR)/pts_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_creds.c' object='pts_creds.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_creds.lo -MD -MP -MF $(DEPDIR)/pts_creds.Tpo -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_creds.Tpo $(DEPDIR)/pts_creds.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_creds.c' object='pts_creds.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_creds.lo `test -f 'pts/pts_creds.c' || echo '$(srcdir)/'`pts/pts_creds.c
 
 pts_database.lo: pts/pts_database.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_database.lo -MD -MP -MF $(DEPDIR)/pts_database.Tpo -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_database.Tpo $(DEPDIR)/pts_database.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_database.c' object='pts_database.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_database.lo -MD -MP -MF $(DEPDIR)/pts_database.Tpo -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_database.Tpo $(DEPDIR)/pts_database.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_database.c' object='pts_database.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_database.lo `test -f 'pts/pts_database.c' || echo '$(srcdir)/'`pts/pts_database.c
 
 pts_dh_group.lo: pts/pts_dh_group.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_dh_group.lo -MD -MP -MF $(DEPDIR)/pts_dh_group.Tpo -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_dh_group.Tpo $(DEPDIR)/pts_dh_group.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_dh_group.c' object='pts_dh_group.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_dh_group.lo -MD -MP -MF $(DEPDIR)/pts_dh_group.Tpo -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_dh_group.Tpo $(DEPDIR)/pts_dh_group.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_dh_group.c' object='pts_dh_group.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_dh_group.lo `test -f 'pts/pts_dh_group.c' || echo '$(srcdir)/'`pts/pts_dh_group.c
 
 pts_file_meas.lo: pts/pts_file_meas.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meas.lo -MD -MP -MF $(DEPDIR)/pts_file_meas.Tpo -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_file_meas.Tpo $(DEPDIR)/pts_file_meas.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_file_meas.c' object='pts_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meas.lo -MD -MP -MF $(DEPDIR)/pts_file_meas.Tpo -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_file_meas.Tpo $(DEPDIR)/pts_file_meas.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_file_meas.c' object='pts_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meas.lo `test -f 'pts/pts_file_meas.c' || echo '$(srcdir)/'`pts/pts_file_meas.c
 
 pts_file_meta.lo: pts/pts_file_meta.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meta.lo -MD -MP -MF $(DEPDIR)/pts_file_meta.Tpo -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_file_meta.Tpo $(DEPDIR)/pts_file_meta.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_file_meta.c' object='pts_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_meta.lo -MD -MP -MF $(DEPDIR)/pts_file_meta.Tpo -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_file_meta.Tpo $(DEPDIR)/pts_file_meta.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_file_meta.c' object='pts_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_meta.lo `test -f 'pts/pts_file_meta.c' || echo '$(srcdir)/'`pts/pts_file_meta.c
 
 pts_file_type.lo: pts/pts_file_type.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_type.lo -MD -MP -MF $(DEPDIR)/pts_file_type.Tpo -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_file_type.Tpo $(DEPDIR)/pts_file_type.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_file_type.c' object='pts_file_type.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_file_type.lo -MD -MP -MF $(DEPDIR)/pts_file_type.Tpo -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_file_type.Tpo $(DEPDIR)/pts_file_type.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_file_type.c' object='pts_file_type.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_file_type.lo `test -f 'pts/pts_file_type.c' || echo '$(srcdir)/'`pts/pts_file_type.c
 
 pts_meas_algo.lo: pts/pts_meas_algo.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_meas_algo.lo -MD -MP -MF $(DEPDIR)/pts_meas_algo.Tpo -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_meas_algo.Tpo $(DEPDIR)/pts_meas_algo.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/pts_meas_algo.c' object='pts_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_meas_algo.lo -MD -MP -MF $(DEPDIR)/pts_meas_algo.Tpo -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_meas_algo.Tpo $(DEPDIR)/pts_meas_algo.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/pts_meas_algo.c' object='pts_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_meas_algo.lo `test -f 'pts/pts_meas_algo.c' || echo '$(srcdir)/'`pts/pts_meas_algo.c
 
 pts_component_manager.lo: pts/components/pts_component_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_component_manager.lo -MD -MP -MF $(DEPDIR)/pts_component_manager.Tpo -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_component_manager.Tpo $(DEPDIR)/pts_component_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/pts_component_manager.c' object='pts_component_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_component_manager.lo -MD -MP -MF $(DEPDIR)/pts_component_manager.Tpo -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_component_manager.Tpo $(DEPDIR)/pts_component_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/pts_component_manager.c' object='pts_component_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_component_manager.lo `test -f 'pts/components/pts_component_manager.c' || echo '$(srcdir)/'`pts/components/pts_component_manager.c
 
 pts_comp_evidence.lo: pts/components/pts_comp_evidence.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_evidence.lo -MD -MP -MF $(DEPDIR)/pts_comp_evidence.Tpo -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_comp_evidence.Tpo $(DEPDIR)/pts_comp_evidence.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/pts_comp_evidence.c' object='pts_comp_evidence.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_evidence.lo -MD -MP -MF $(DEPDIR)/pts_comp_evidence.Tpo -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_comp_evidence.Tpo $(DEPDIR)/pts_comp_evidence.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/pts_comp_evidence.c' object='pts_comp_evidence.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_evidence.lo `test -f 'pts/components/pts_comp_evidence.c' || echo '$(srcdir)/'`pts/components/pts_comp_evidence.c
 
 pts_comp_func_name.lo: pts/components/pts_comp_func_name.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_func_name.lo -MD -MP -MF $(DEPDIR)/pts_comp_func_name.Tpo -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pts_comp_func_name.Tpo $(DEPDIR)/pts_comp_func_name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/pts_comp_func_name.c' object='pts_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pts_comp_func_name.lo -MD -MP -MF $(DEPDIR)/pts_comp_func_name.Tpo -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pts_comp_func_name.Tpo $(DEPDIR)/pts_comp_func_name.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/pts_comp_func_name.c' object='pts_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pts_comp_func_name.lo `test -f 'pts/components/pts_comp_func_name.c' || echo '$(srcdir)/'`pts/components/pts_comp_func_name.c
 
 ita_comp_func_name.lo: pts/components/ita/ita_comp_func_name.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_func_name.lo -MD -MP -MF $(DEPDIR)/ita_comp_func_name.Tpo -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_func_name.Tpo $(DEPDIR)/ita_comp_func_name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_func_name.c' object='ita_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_func_name.lo -MD -MP -MF $(DEPDIR)/ita_comp_func_name.Tpo -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_func_name.Tpo $(DEPDIR)/ita_comp_func_name.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_func_name.c' object='ita_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_func_name.lo `test -f 'pts/components/ita/ita_comp_func_name.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_func_name.c
 
 ita_comp_ima.lo: pts/components/ita/ita_comp_ima.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_ima.lo -MD -MP -MF $(DEPDIR)/ita_comp_ima.Tpo -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_ima.Tpo $(DEPDIR)/ita_comp_ima.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_ima.c' object='ita_comp_ima.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_ima.lo -MD -MP -MF $(DEPDIR)/ita_comp_ima.Tpo -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_ima.Tpo $(DEPDIR)/ita_comp_ima.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_ima.c' object='ita_comp_ima.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_ima.lo `test -f 'pts/components/ita/ita_comp_ima.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_ima.c
 
 ita_comp_tboot.lo: pts/components/ita/ita_comp_tboot.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tboot.lo -MD -MP -MF $(DEPDIR)/ita_comp_tboot.Tpo -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_tboot.Tpo $(DEPDIR)/ita_comp_tboot.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_tboot.c' object='ita_comp_tboot.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tboot.lo -MD -MP -MF $(DEPDIR)/ita_comp_tboot.Tpo -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_tboot.Tpo $(DEPDIR)/ita_comp_tboot.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_tboot.c' object='ita_comp_tboot.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tboot.lo `test -f 'pts/components/ita/ita_comp_tboot.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tboot.c
 
 ita_comp_tgrub.lo: pts/components/ita/ita_comp_tgrub.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tgrub.lo -MD -MP -MF $(DEPDIR)/ita_comp_tgrub.Tpo -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ita_comp_tgrub.Tpo $(DEPDIR)/ita_comp_tgrub.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/ita/ita_comp_tgrub.c' object='ita_comp_tgrub.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ita_comp_tgrub.lo -MD -MP -MF $(DEPDIR)/ita_comp_tgrub.Tpo -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ita_comp_tgrub.Tpo $(DEPDIR)/ita_comp_tgrub.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/ita/ita_comp_tgrub.c' object='ita_comp_tgrub.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ita_comp_tgrub.lo `test -f 'pts/components/ita/ita_comp_tgrub.c' || echo '$(srcdir)/'`pts/components/ita/ita_comp_tgrub.c
 
 tcg_comp_func_name.lo: pts/components/tcg/tcg_comp_func_name.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_comp_func_name.lo -MD -MP -MF $(DEPDIR)/tcg_comp_func_name.Tpo -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_comp_func_name.Tpo $(DEPDIR)/tcg_comp_func_name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pts/components/tcg/tcg_comp_func_name.c' object='tcg_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_comp_func_name.lo -MD -MP -MF $(DEPDIR)/tcg_comp_func_name.Tpo -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_comp_func_name.Tpo $(DEPDIR)/tcg_comp_func_name.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pts/components/tcg/tcg_comp_func_name.c' object='tcg_comp_func_name.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_comp_func_name.lo `test -f 'pts/components/tcg/tcg_comp_func_name.c' || echo '$(srcdir)/'`pts/components/tcg/tcg_comp_func_name.c
 
 tcg_attr.lo: tcg/tcg_attr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_attr.lo -MD -MP -MF $(DEPDIR)/tcg_attr.Tpo -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_attr.Tpo $(DEPDIR)/tcg_attr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_attr.c' object='tcg_attr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_attr.lo -MD -MP -MF $(DEPDIR)/tcg_attr.Tpo -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_attr.Tpo $(DEPDIR)/tcg_attr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_attr.c' object='tcg_attr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_attr.lo `test -f 'tcg/tcg_attr.c' || echo '$(srcdir)/'`tcg/tcg_attr.c
 
 tcg_pts_attr_proto_caps.lo: tcg/tcg_pts_attr_proto_caps.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_proto_caps.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo $(DEPDIR)/tcg_pts_attr_proto_caps.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_proto_caps.c' object='tcg_pts_attr_proto_caps.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_proto_caps.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_proto_caps.Tpo $(DEPDIR)/tcg_pts_attr_proto_caps.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_proto_caps.c' object='tcg_pts_attr_proto_caps.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_proto_caps.lo `test -f 'tcg/tcg_pts_attr_proto_caps.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_proto_caps.c
 
 tcg_pts_attr_dh_nonce_params_req.lo: tcg/tcg_pts_attr_dh_nonce_params_req.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_req.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_dh_nonce_params_req.c' object='tcg_pts_attr_dh_nonce_params_req.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_req.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_req.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_dh_nonce_params_req.c' object='tcg_pts_attr_dh_nonce_params_req.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_req.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_req.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_req.c
 
 tcg_pts_attr_dh_nonce_params_resp.lo: tcg/tcg_pts_attr_dh_nonce_params_resp.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_resp.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_dh_nonce_params_resp.c' object='tcg_pts_attr_dh_nonce_params_resp.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_params_resp.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_params_resp.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_dh_nonce_params_resp.c' object='tcg_pts_attr_dh_nonce_params_resp.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_params_resp.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_params_resp.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_params_resp.c
 
 tcg_pts_attr_dh_nonce_finish.lo: tcg/tcg_pts_attr_dh_nonce_finish.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_finish.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_dh_nonce_finish.c' object='tcg_pts_attr_dh_nonce_finish.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_dh_nonce_finish.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Tpo $(DEPDIR)/tcg_pts_attr_dh_nonce_finish.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_dh_nonce_finish.c' object='tcg_pts_attr_dh_nonce_finish.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_dh_nonce_finish.lo `test -f 'tcg/tcg_pts_attr_dh_nonce_finish.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_dh_nonce_finish.c
 
 tcg_pts_attr_meas_algo.lo: tcg/tcg_pts_attr_meas_algo.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_meas_algo.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo $(DEPDIR)/tcg_pts_attr_meas_algo.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_meas_algo.c' object='tcg_pts_attr_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_meas_algo.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_meas_algo.Tpo $(DEPDIR)/tcg_pts_attr_meas_algo.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_meas_algo.c' object='tcg_pts_attr_meas_algo.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_meas_algo.lo `test -f 'tcg/tcg_pts_attr_meas_algo.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_meas_algo.c
 
 tcg_pts_attr_get_tpm_version_info.lo: tcg/tcg_pts_attr_get_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_get_tpm_version_info.c' object='tcg_pts_attr_get_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_get_tpm_version_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_get_tpm_version_info.c' object='tcg_pts_attr_get_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_get_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_tpm_version_info.c
 
 tcg_pts_attr_tpm_version_info.lo: tcg/tcg_pts_attr_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_tpm_version_info.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_tpm_version_info.c' object='tcg_pts_attr_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_tpm_version_info.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_tpm_version_info.Tpo $(DEPDIR)/tcg_pts_attr_tpm_version_info.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_tpm_version_info.c' object='tcg_pts_attr_tpm_version_info.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_tpm_version_info.lo `test -f 'tcg/tcg_pts_attr_tpm_version_info.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_tpm_version_info.c
 
 tcg_pts_attr_get_aik.lo: tcg/tcg_pts_attr_get_aik.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_aik.Tpo -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_get_aik.Tpo $(DEPDIR)/tcg_pts_attr_get_aik.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_get_aik.c' object='tcg_pts_attr_get_aik.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_get_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_get_aik.Tpo -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_get_aik.Tpo $(DEPDIR)/tcg_pts_attr_get_aik.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_get_aik.c' object='tcg_pts_attr_get_aik.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_get_aik.lo `test -f 'tcg/tcg_pts_attr_get_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_get_aik.c
 
 tcg_pts_attr_aik.lo: tcg/tcg_pts_attr_aik.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_aik.Tpo -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_aik.Tpo $(DEPDIR)/tcg_pts_attr_aik.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_aik.c' object='tcg_pts_attr_aik.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_aik.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_aik.Tpo -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_aik.Tpo $(DEPDIR)/tcg_pts_attr_aik.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_aik.c' object='tcg_pts_attr_aik.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_aik.lo `test -f 'tcg/tcg_pts_attr_aik.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_aik.c
 
 tcg_pts_attr_req_func_comp_evid.lo: tcg/tcg_pts_attr_req_func_comp_evid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_func_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_req_func_comp_evid.c' object='tcg_pts_attr_req_func_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_func_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_req_func_comp_evid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_req_func_comp_evid.c' object='tcg_pts_attr_req_func_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_func_comp_evid.lo `test -f 'tcg/tcg_pts_attr_req_func_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_func_comp_evid.c
 
 tcg_pts_attr_gen_attest_evid.lo: tcg/tcg_pts_attr_gen_attest_evid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_gen_attest_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_gen_attest_evid.c' object='tcg_pts_attr_gen_attest_evid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_gen_attest_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Tpo $(DEPDIR)/tcg_pts_attr_gen_attest_evid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_gen_attest_evid.c' object='tcg_pts_attr_gen_attest_evid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_gen_attest_evid.lo `test -f 'tcg/tcg_pts_attr_gen_attest_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_gen_attest_evid.c
 
 tcg_pts_attr_simple_comp_evid.lo: tcg/tcg_pts_attr_simple_comp_evid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_simple_comp_evid.c' object='tcg_pts_attr_simple_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_comp_evid.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Tpo $(DEPDIR)/tcg_pts_attr_simple_comp_evid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_simple_comp_evid.c' object='tcg_pts_attr_simple_comp_evid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_comp_evid.lo `test -f 'tcg/tcg_pts_attr_simple_comp_evid.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_comp_evid.c
 
 tcg_pts_attr_simple_evid_final.lo: tcg/tcg_pts_attr_simple_evid_final.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_evid_final.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo $(DEPDIR)/tcg_pts_attr_simple_evid_final.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_simple_evid_final.c' object='tcg_pts_attr_simple_evid_final.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_simple_evid_final.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_simple_evid_final.Tpo $(DEPDIR)/tcg_pts_attr_simple_evid_final.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_simple_evid_final.c' object='tcg_pts_attr_simple_evid_final.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_simple_evid_final.lo `test -f 'tcg/tcg_pts_attr_simple_evid_final.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_simple_evid_final.c
 
 tcg_pts_attr_req_file_meas.lo: tcg/tcg_pts_attr_req_file_meas.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meas.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_req_file_meas.c' object='tcg_pts_attr_req_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meas.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_req_file_meas.c' object='tcg_pts_attr_req_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meas.lo `test -f 'tcg/tcg_pts_attr_req_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meas.c
 
 tcg_pts_attr_file_meas.lo: tcg/tcg_pts_attr_file_meas.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_file_meas.Tpo -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_file_meas.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_file_meas.c' object='tcg_pts_attr_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_file_meas.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_file_meas.Tpo -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_file_meas.Tpo $(DEPDIR)/tcg_pts_attr_file_meas.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_file_meas.c' object='tcg_pts_attr_file_meas.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_file_meas.lo `test -f 'tcg/tcg_pts_attr_file_meas.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_file_meas.c
 
 tcg_pts_attr_req_file_meta.lo: tcg/tcg_pts_attr_req_file_meta.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meta.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_req_file_meta.c' object='tcg_pts_attr_req_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_req_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_req_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_req_file_meta.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_req_file_meta.c' object='tcg_pts_attr_req_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_req_file_meta.lo `test -f 'tcg/tcg_pts_attr_req_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_req_file_meta.c
 
 tcg_pts_attr_unix_file_meta.lo: tcg/tcg_pts_attr_unix_file_meta.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_unix_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_unix_file_meta.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcg/tcg_pts_attr_unix_file_meta.c' object='tcg_pts_attr_unix_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tcg_pts_attr_unix_file_meta.lo -MD -MP -MF $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tcg_pts_attr_unix_file_meta.Tpo $(DEPDIR)/tcg_pts_attr_unix_file_meta.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tcg/tcg_pts_attr_unix_file_meta.c' object='tcg_pts_attr_unix_file_meta.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tcg_pts_attr_unix_file_meta.lo `test -f 'tcg/tcg_pts_attr_unix_file_meta.c' || echo '$(srcdir)/'`tcg/tcg_pts_attr_unix_file_meta.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -928,13 +1007,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -972,10 +1048,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libpts/libpts.c b/src/libpts/libpts.c
index 384ee4ed7..95110823c 100644
--- a/src/libpts/libpts.c
+++ b/src/libpts/libpts.c
@@ -23,7 +23,7 @@
 #include "pts/components/ita/ita_comp_tgrub.h"
 
 #include <imcv.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * PTS Functional Component manager
diff --git a/src/libpts/libpts.h b/src/libpts/libpts.h
index 7b2959728..0846aaea2 100644
--- a/src/libpts/libpts.h
+++ b/src/libpts/libpts.h
@@ -15,7 +15,7 @@
 /**
  * @defgroup libpts libpts
  *
- * @defgroup iplugins plugins
+ * @defgroup libpts_plugins plugins
  * @ingroup libpts
  *
  * @addtogroup libpts
diff --git a/src/libpts/plugins/imc_attestation/Makefile.am b/src/libpts/plugins/imc_attestation/Makefile.am
index 9d78b935a..18c756884 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.am
+++ b/src/libpts/plugins/imc_attestation/Makefile.am
@@ -1,8 +1,11 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv \
+	-I$(top_srcdir)/src/libpts
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libimcv -I$(top_srcdir)/src/libpts
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imc-attestation.la
 
@@ -15,4 +18,3 @@ imc_attestation_la_SOURCES = imc_attestation.c \
 	imc_attestation_process.h imc_attestation_process.c
 
 imc_attestation_la_LDFLAGS = -module -avoid-version
-
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 583d2dfee..b129f9274 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imc_attestation_la_DEPENDENCIES =  \
@@ -81,45 +105,74 @@ imc_attestation_la_DEPENDENCIES =  \
 am_imc_attestation_la_OBJECTS = imc_attestation.lo \
 	imc_attestation_state.lo imc_attestation_process.lo
 imc_attestation_la_OBJECTS = $(am_imc_attestation_la_OBJECTS)
-imc_attestation_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imc_attestation_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imc_attestation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imc_attestation_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imc_attestation_la_SOURCES)
 DIST_SOURCES = $(imc_attestation_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,10 +344,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \
-	-I$(top_srcdir)/src/libimcv -I$(top_srcdir)/src/libpts
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libimcv \
+	-I$(top_srcdir)/src/libpts
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic
 imcv_LTLIBRARIES = imc-attestation.la
 imc_attestation_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -332,7 +399,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -340,6 +406,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -361,8 +429,8 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) 
-	$(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS)
+imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) $(EXTRA_imc_attestation_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_attestation_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -500,10 +568,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c
index 4f77ba093..bb327e936 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -17,10 +17,13 @@
 #include "imc_attestation_process.h"
 
 #include <imc/imc_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imc/imc_msg.h>
 #include <ietf/ietf_attr.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
+#include <ietf/ietf_attr_assess_result.h>
+#include <os_info/os_info.h>
 
 #include <libpts.h>
 
@@ -32,15 +35,16 @@
 #include <tncif_pa_subtypes.h>
 
 #include <pen/pen.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 /* IMC definitions */
 
 static const char imc_name[] = "Attestation";
 
-#define IMC_VENDOR_ID				PEN_TCG
-#define IMC_SUBTYPE					PA_SUBTYPE_TCG_PTS
+static pen_type_t msg_types[] = {
+	{ PEN_TCG, PA_SUBTYPE_TCG_PTS }
+};
 
 static imc_agent_t *imc_attestation;
 
@@ -72,7 +76,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 	{
 		return TNC_RESULT_FATAL;
 	}
-	imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+	imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types),
 									   imc_id, actual_version);
 	if (!imc_attestation)
 	{
@@ -80,7 +84,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 	}
 
 	libpts_init();
-	
+
 	if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
 	{
 		DBG1(DBG_IMC, "no common IF-IMC version");
@@ -108,9 +112,17 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 		case TNC_CONNECTION_STATE_CREATE:
 			state = imc_attestation_state_create(connection_id);
 			return imc_attestation->create_state(imc_attestation, state);
+		case TNC_CONNECTION_STATE_HANDSHAKE:
+			if (imc_attestation->change_state(imc_attestation, connection_id,
+				new_state, &state) != TNC_RESULT_SUCCESS)
+			{
+				return TNC_RESULT_FATAL;
+			}
+			state->set_result(state, imc_id,
+							  TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			return TNC_RESULT_SUCCESS;
 		case TNC_CONNECTION_STATE_DELETE:
 			return imc_attestation->delete_state(imc_attestation, connection_id);
-		case TNC_CONNECTION_STATE_HANDSHAKE:
 		case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
 		case TNC_CONNECTION_STATE_ACCESS_NONE:
 		default:
@@ -126,121 +138,67 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 								  TNC_ConnectionID connection_id)
 {
-	imc_state_t *state;
-	imc_attestation_state_t *attestation_state;
-	pts_t *pts;
-	char *platform_info;
-	TNC_Result result = TNC_RESULT_SUCCESS;
-
 	if (!imc_attestation)
 	{
 		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
 
-	/* get current IMC state */
-	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imc_attestation_state_t*)state;
-	pts = attestation_state->get_pts(attestation_state);
-
-	platform_info = pts->get_platform_info(pts);
-	if (platform_info)
-	{
-		pa_tnc_msg_t *pa_tnc_msg;
-		pa_tnc_attr_t *attr;
-
-		pa_tnc_msg = pa_tnc_msg_create();
-		attr = ietf_attr_product_info_create(0, 0, platform_info);
-		pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
-		pa_tnc_msg->build(pa_tnc_msg);
-		result = imc_attestation->send_message(imc_attestation, connection_id,
-										FALSE, 0, TNC_IMVID_ANY,
-										pa_tnc_msg->get_encoding(pa_tnc_msg));
-		pa_tnc_msg->destroy(pa_tnc_msg);
-	}
-
-	return result;
+	return TNC_RESULT_SUCCESS;
 }
 
-static TNC_Result receive_message(TNC_IMCID imc_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imv_id,
-								  TNC_UInt32 dst_imc_id)
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 {
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	linked_list_t *attr_list;
-	imc_state_t *state;
+	imc_msg_t *out_msg;
 	imc_attestation_state_t *attestation_state;
 	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
 	TNC_Result result;
+	bool fatal_error = FALSE;
 
-	if (!imc_attestation)
-	{
-		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMC state */
-	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imc_attestation_state_t*)state;
-
-	/* parse received PA-TNC message and automatically handle any errors */
-	result = imc_attestation->receive_message(imc_attestation, state, msg,
-					msg_vid, msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
 	{
 		return result;
 	}
-	
-	/* preprocess any IETF standard error attributes */
-	result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
-					TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
-
-	attr_list = linked_list_create();
+	out_msg = imc_msg_create_as_reply(in_msg);
 
 	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
 	while (enumerator->enumerate(enumerator, &attr))
 	{
-		if (attr->get_vendor_id(attr) == PEN_IETF &&
-			attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
-		{
-			ietf_attr_pa_tnc_error_t *error_attr;
-			pen_t error_vendor_id;
-			pa_tnc_error_code_t error_code;
-			chunk_t msg_info;
-
-			error_attr = (ietf_attr_pa_tnc_error_t*)attr;
-			error_vendor_id = error_attr->get_vendor_id(error_attr);
+		type = attr->get_type(attr);
 
-			if (error_vendor_id == PEN_TCG)
+		if (type.vendor_id == PEN_IETF)
+		{
+			if (type.type == IETF_ATTR_PA_TNC_ERROR)
 			{
+				ietf_attr_pa_tnc_error_t *error_attr;
+				pen_type_t error_code;
+				chunk_t msg_info;
+
+				error_attr = (ietf_attr_pa_tnc_error_t*)attr;
 				error_code = error_attr->get_error_code(error_attr);
-				msg_info = error_attr->get_msg_info(error_attr);
 
-				DBG1(DBG_IMC, "received TCG-PTS error '%N'",
-					 pts_error_code_names, error_code);
-				DBG1(DBG_IMC, "error information: %B", &msg_info);
+				if (error_code.vendor_id == PEN_TCG)
+				{
+					msg_info = error_attr->get_msg_info(error_attr);
 
-				result = TNC_RESULT_FATAL;
+					DBG1(DBG_IMC, "received TCG-PTS error '%N'",
+						 pts_error_code_names, error_code.type);
+					DBG1(DBG_IMC, "error information: %B", &msg_info);
+
+					result = TNC_RESULT_FATAL;
+				}
 			}
 		}
-		else if (attr->get_vendor_id(attr) == PEN_TCG)
+		else if (type.vendor_id == PEN_TCG)
 		{
-			if (!imc_attestation_process(attr, attr_list, attestation_state,
+			attestation_state = (imc_attestation_state_t*)state;
+
+			if (!imc_attestation_process(attr, out_msg, attestation_state,
 				supported_algorithms, supported_dh_groups))
 			{
 				result = TNC_RESULT_FATAL;
@@ -249,27 +207,14 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
 		}
 	}
 	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
 
-	if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list))
+	if (result == TNC_RESULT_SUCCESS)
 	{
-		pa_tnc_msg = pa_tnc_msg_create();
-
-		enumerator = attr_list->create_enumerator(attr_list);
-		while (enumerator->enumerate(enumerator, &attr))
-		{
-			pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
-		}
-		enumerator->destroy(enumerator);
-
-		pa_tnc_msg->build(pa_tnc_msg);
-		result = imc_attestation->send_message(imc_attestation, connection_id,
-										FALSE, 0, TNC_IMVID_ANY,
-										pa_tnc_msg->get_encoding(pa_tnc_msg));
-		pa_tnc_msg->destroy(pa_tnc_msg);
+		/* send PA-TNC message with the excl flag set */
+		result = out_msg->send(out_msg, TRUE);
 	}
+	out_msg->destroy(out_msg);
 
-	attr_list->destroy(attr_list);
 	return result;
 }
 
@@ -282,14 +227,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 								  TNC_UInt32 msg_len,
 								  TNC_MessageType msg_type)
 {
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_attestation)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
 
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+	in_msg = imc_msg_create_from_data(imc_attestation, state, connection_id,
+									  msg_type, chunk_create(msg, msg_len));
+	result = receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
 
-	return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMCID_ANY);
+	return result;
 }
 
 /**
@@ -305,9 +262,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
 									  TNC_UInt32 src_imv_id,
 									  TNC_UInt32 dst_imc_id)
 {
-	return receive_message(imc_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imv_id, dst_imc_id);
+	imc_state_t *state;
+	imc_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!imc_attestation)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imc_msg_create_from_long_data(imc_attestation, state, connection_id,
+								src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+								chunk_create(msg, msg_len));
+	result =receive_message(state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
 }
 
 /**
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
index b70c05370..88d24dd88 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -23,7 +23,6 @@
 
 #include <ietf/ietf_attr_pa_tnc_error.h>
 
-#include <libpts.h>
 #include <pts/pts.h>
 
 #include <tcg/tcg_pts_attr_proto_caps.h>
@@ -44,12 +43,12 @@
 #include <tcg/tcg_pts_attr_req_file_meta.h>
 #include <tcg/tcg_pts_attr_unix_file_meta.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/lexparser.h>
 
 #define DEFAULT_NONCE_LEN		20
 
-bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 							 imc_attestation_state_t *attestation_state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups)
@@ -57,10 +56,13 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 	chunk_t attr_info;
 	pts_t *pts;
 	pts_error_code_t pts_error;
+	pen_type_t attr_type;
 	bool valid_path;
 
 	pts = attestation_state->get_pts(attestation_state);
-	switch (attr->get_type(attr))
+	attr_type = attr->get_type(attr);
+
+	switch (attr_type.type)
 	{
 		case TCG_PTS_REQ_PROTO_CAPS:
 		{
@@ -74,7 +76,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			/* Send PTS Protocol Capabilities attribute */
 			attr = tcg_pts_attr_proto_caps_create(imc_caps & imv_caps, FALSE);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_MEAS_ALGO:
@@ -89,14 +91,14 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			if (selected_algorithm == PTS_MEAS_ALGO_NONE)
 			{
 				attr = pts_hash_alg_error_create(supported_algorithms);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
 			/* Send Measurement Algorithm Selection attribute */
 			pts->set_meas_algorithm(pts, selected_algorithm);
 			attr = tcg_pts_attr_meas_algo_create(selected_algorithm, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_DH_NONCE_PARAMS_REQ:
@@ -116,7 +118,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				(min_nonce_len > 0 && nonce_len < min_nonce_len))
 			{
 				attr = pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
@@ -126,7 +128,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			if (selected_dh_group == PTS_DH_GROUP_NONE)
 			{
 				attr = pts_dh_group_error_create(supported_dh_groups);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
@@ -140,7 +142,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			/* Send DH Nonce Parameters Response attribute */
 			attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group,
 					 supported_algorithms, responder_nonce, responder_value);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_DH_NONCE_FINISH:
@@ -171,7 +173,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 							  "have differing lengths");
 				return FALSE;
 			}
-					
+
 			pts->set_peer_public_value(pts, initiator_value, initiator_nonce);
 			if (!pts->calculate_secret(pts))
 			{
@@ -182,19 +184,19 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 		case TCG_PTS_GET_TPM_VERSION_INFO:
 		{
 			chunk_t tpm_version_info, attr_info;
+			pen_type_t error_code = { PEN_TCG, TCG_PTS_TPM_VERS_NOT_SUPPORTED };
 
 			if (!pts->get_tpm_version_info(pts, &tpm_version_info))
 			{
 				attr_info = attr->get_value(attr);
-				attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-							TCG_PTS_TPM_VERS_NOT_SUPPORTED, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
 			/* Send TPM Version Info attribute */
 			attr = tcg_pts_attr_tpm_version_info_create(tpm_version_info);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_GET_AIK:
@@ -210,7 +212,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			/* Send AIK attribute */
 			attr = tcg_pts_attr_aik_create(aik);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_REQ_FILE_MEAS:
@@ -221,6 +223,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			bool is_directory;
 			u_int32_t delimiter;
 			pts_file_meas_t *measurements;
+			pen_type_t error_code;
 
 			attr_info = attr->get_value(attr);
 			attr_cast = (tcg_pts_attr_req_file_meas_t*)attr;
@@ -232,9 +235,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			if (valid_path && pts_error)
 			{
-				attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-										pts_error, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				error_code = pen_type_create(PEN_TCG, pts_error);
+				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 			else if (!valid_path)
@@ -244,9 +247,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			if (delimiter != SOLIDUS_UTF && delimiter != REVERSE_SOLIDUS_UTF)
 			{
-				attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-										TCG_PTS_INVALID_DELIMITER, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				error_code = pen_type_create(PEN_TCG,
+											 TCG_PTS_INVALID_DELIMITER);
+				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 
@@ -254,8 +258,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			DBG2(DBG_IMC, "measurement request %d for %s '%s'",
 				 request_id, is_directory ? "directory" : "file",
 				 pathname);
-			measurements = pts->do_measurements(pts, request_id,
-									pathname, is_directory);
+			measurements = pts_file_meas_create_from_path(request_id,
+										pathname, is_directory, TRUE,
+										pts->get_meas_algorithm(pts));
 			if (!measurements)
 			{
 				/* TODO handle error codes from measurements */
@@ -263,7 +268,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			}
 			attr = tcg_pts_attr_file_meas_create(measurements);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_REQ_FILE_META:
@@ -273,6 +278,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			bool is_directory;
 			u_int8_t delimiter;
 			pts_file_meta_t *metadata;
+			pen_type_t error_code;
 
 			attr_info = attr->get_value(attr);
 			attr_cast = (tcg_pts_attr_req_file_meta_t*)attr;
@@ -283,9 +289,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			valid_path = pts->is_path_valid(pts, pathname, &pts_error);
 			if (valid_path && pts_error)
 			{
-				attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-										pts_error, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				error_code = pen_type_create(PEN_TCG, pts_error);
+				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 			else if (!valid_path)
@@ -294,9 +300,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			}
 			if (delimiter != SOLIDUS_UTF && delimiter != REVERSE_SOLIDUS_UTF)
 			{
-				attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-										TCG_PTS_INVALID_DELIMITER, attr_info);
-				attr_list->insert_last(attr_list, attr);
+				error_code = pen_type_create(PEN_TCG,
+											 TCG_PTS_INVALID_DELIMITER);
+				attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+				msg->add_attribute(msg, attr);
 				break;
 			}
 			/* Get File Metadata and send them to PTS-IMV */
@@ -312,8 +319,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			}
 			attr = tcg_pts_attr_unix_file_meta_create(metadata);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
-
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		case TCG_PTS_REQ_FUNC_COMP_EVID:
@@ -323,11 +329,12 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			pts_comp_func_name_t *name;
 			pts_comp_evidence_t *evid;
 			pts_component_t *comp;
+			pen_type_t error_code;
 			u_int32_t depth;
 			u_int8_t flags;
 			status_t status;
 			enumerator_t *e;
-			
+
 			attr_info = attr->get_value(attr);
 			attr_cast = (tcg_pts_attr_req_func_comp_evid_t*)attr;
 
@@ -342,33 +349,37 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 				if (flags & PTS_REQ_FUNC_COMP_EVID_TTC)
 				{
-					attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-											TCG_PTS_UNABLE_DET_TTC, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					error_code = pen_type_create(PEN_TCG,
+												 TCG_PTS_UNABLE_DET_TTC);
+					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (flags & PTS_REQ_FUNC_COMP_EVID_VER &&
 					!(negotiated_caps & PTS_PROTO_CAPS_V))
 				{
-					attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-										TCG_PTS_UNABLE_LOCAL_VAL, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					error_code = pen_type_create(PEN_TCG,
+												 TCG_PTS_UNABLE_LOCAL_VAL);
+					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (flags & PTS_REQ_FUNC_COMP_EVID_CURR &&
 					!(negotiated_caps & PTS_PROTO_CAPS_C))
 				{
-					attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-										TCG_PTS_UNABLE_CUR_EVID, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					error_code = pen_type_create(PEN_TCG,
+												 TCG_PTS_UNABLE_CUR_EVID);
+					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (flags & PTS_REQ_FUNC_COMP_EVID_PCR &&
 					!(negotiated_caps & PTS_PROTO_CAPS_T))
 				{
-					attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-										TCG_PTS_UNABLE_DET_PCR, attr_info);
-					attr_list->insert_last(attr_list, attr);
+					error_code = pen_type_create(PEN_TCG,
+												 TCG_PTS_UNABLE_DET_PCR);
+					attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+					msg->add_attribute(msg, attr);
 					break;
 				}
 				if (depth > 0)
@@ -377,17 +388,19 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 								  "support sub component measurements");
 					return FALSE;
 				}
-				comp = pts_components->create(pts_components, name, depth, NULL);
+				comp = attestation_state->create_component(attestation_state,
+														   name, depth);
 				if (!comp)
 				{
 					DBG2(DBG_IMC, "    not registered: no evidence provided");
 					continue;
 				}
 
-				/* do the component evidence measurement[s] */
+				/* do the component evidence measurement[s] and cache them */
 				do
 				{
-					status = comp->measure(comp, pts, &evid);
+					status = comp->measure(comp, name->get_qualifier(name),
+										   pts, &evid);
 					if (status == FAILED)
 					{
 						break;
@@ -395,7 +408,6 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 					attestation_state->add_evidence(attestation_state, evid);
 				}
 				while (status == NEED_MORE);
-				comp->destroy(comp);
 			}
 			e->destroy(e);
 			break;
@@ -408,14 +420,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			chunk_t pcr_composite, quote_sig;
 			bool use_quote2;
 
-			/* Send buffered Simple Component Evidences */
+			/* Send cached Component Evidence entries */
 			while (attestation_state->next_evidence(attestation_state, &evid))
 			{
-				pts->select_pcr(pts, evid->get_extended_pcr(evid));
-
-				/* Send Simple Component Evidence */
 				attr = tcg_pts_attr_simple_comp_evid_create(evid);
-				attr_list->insert_last(attr_list, attr);
+				msg->add_attribute(msg, attr);
 			}
 
 			use_quote2 = lib->settings->get_bool(lib->settings,
@@ -433,7 +442,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
 			attr = tcg_pts_attr_simple_evid_final_create(flags,
 								comp_hash_algorithm, pcr_composite, quote_sig);
-			attr_list->insert_last(attr_list, attr);
+			msg->add_attribute(msg, attr);
 			break;
 		}
 		/* TODO: Not implemented yet */
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
index b6dca1f56..a2f1b4e3c 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup imc_attestation_process_t imc_attestation_process
- * @{ @ingroup imc_attestation_process
+ * @{ @ingroup imc_attestation
  */
 
 #ifndef IMC_ATTESTATION_PROCESS_H_
@@ -26,6 +25,7 @@
 
 #include <library.h>
 
+#include <imc/imc_msg.h>
 #include <pa_tnc/pa_tnc_attr.h>
 
 #include <pts/pts_dh_group.h>
@@ -35,13 +35,13 @@
  * Process a TCG PTS attribute
  *
  * @param attr					PA-TNC attribute to be processed
- * @param attr_list				list with PA-TNC error attributes
+ * @param msg					outbound PA-TNC message to be assembled
  * @param attestation_state		attestation state of a given connection
  * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
  * @return						TRUE if successful
  */
-bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 							 imc_attestation_state_t *attestation_state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups);
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.c b/src/libpts/plugins/imc_attestation/imc_attestation_state.c
index 72a55f60e..4fcbdfa8a 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_state.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,10 +15,15 @@
 
 #include "imc_attestation_state.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <libpts.h>
+
+#include <tncif_names.h>
+
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_imc_attestation_state_t private_imc_attestation_state_t;
+typedef struct func_comp_t func_comp_t;
 
 /**
  * Private data of an imc_attestation_state_t object.
@@ -41,6 +46,11 @@ struct private_imc_attestation_state_t {
 	TNC_ConnectionState state;
 
 	/**
+	 * Assessment/Evaluation Result
+	 */
+	TNC_IMV_Evaluation_Result result;
+
+	/**
 	 * Does the TNCCS connection support long message types?
 	 */
 	bool has_long;
@@ -51,12 +61,22 @@ struct private_imc_attestation_state_t {
 	bool has_excl;
 
 	/**
+	 * Maximum PA-TNC message size for this TNCCS connection
+	 */
+	u_int32_t max_msg_len;
+
+	/**
 	 * PTS object
 	 */
 	pts_t *pts;
 
 	/**
-	 * PTS Component Evidence list
+	 * List of Functional Components
+	 */
+	linked_list_t *components;
+
+	/**
+	 * Functional Component Evidence cache list
 	 */
 	linked_list_t *list;
 
@@ -87,18 +107,50 @@ METHOD(imc_state_t, set_flags, void,
 	this->has_excl = has_excl;
 }
 
+METHOD(imc_state_t, set_max_msg_len, void,
+	private_imc_attestation_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imc_state_t, get_max_msg_len, u_int32_t,
+	private_imc_attestation_state_t *this)
+{
+	return this->max_msg_len;
+}
+
 METHOD(imc_state_t, change_state, void,
 	private_imc_attestation_state_t *this, TNC_ConnectionState new_state)
 {
 	this->state = new_state;
 }
 
+METHOD(imc_state_t, set_result, void,
+	private_imc_attestation_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result result)
+{
+	this->result = result;
+}
+
+METHOD(imc_state_t, get_result, bool,
+	private_imc_attestation_state_t *this, TNC_IMCID id,
+	TNC_IMV_Evaluation_Result *result)
+{
+	if (result)
+	{
+		*result = this->result;
+	}
+	return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+}
 
 METHOD(imc_state_t, destroy, void,
 	private_imc_attestation_state_t *this)
 {
 	this->pts->destroy(this->pts);
-	this->list->destroy_offset(this->list, offsetof(pts_comp_evidence_t, destroy));
+	this->components->destroy_offset(this->components,
+							offsetof(pts_component_t, destroy));
+	this->list->destroy_offset(this->list,
+							offsetof(pts_comp_evidence_t, destroy));
 	free(this);
 }
 
@@ -108,10 +160,42 @@ METHOD(imc_attestation_state_t, get_pts, pts_t*,
 	return this->pts;
 }
 
+METHOD(imc_attestation_state_t, create_component, pts_component_t*,
+	private_imc_attestation_state_t *this, pts_comp_func_name_t *name,
+	u_int32_t depth)
+{
+	enumerator_t *enumerator;
+	pts_component_t *component;
+	bool found = FALSE;
+
+	enumerator = this->components->create_enumerator(this->components);
+	while (enumerator->enumerate(enumerator, &component))
+	{
+		if (name->equals(name, component->get_comp_func_name(component)))
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		component = pts_components->create(pts_components, name, depth, NULL);
+		if (!component)
+		{
+			return NULL;
+		}
+		this->components->insert_last(this->components, component);
+
+	}
+	return component;
+}
+
 METHOD(imc_attestation_state_t, add_evidence, void,
-	private_imc_attestation_state_t *this, pts_comp_evidence_t *evidence)
+	private_imc_attestation_state_t *this, pts_comp_evidence_t *evid)
 {
-	this->list->insert_last(this->list, evidence);
+	this->list->insert_last(this->list, evid);
 }
 
 METHOD(imc_attestation_state_t, next_evidence, bool,
@@ -126,7 +210,6 @@ METHOD(imc_attestation_state_t, next_evidence, bool,
 imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id)
 {
 	private_imc_attestation_state_t *this;
-	char *platform_info;
 
 	INIT(this,
 		.public = {
@@ -135,26 +218,26 @@ imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id)
 				.has_long = _has_long,
 				.has_excl = _has_excl,
 				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
 				.change_state = _change_state,
+				.set_result = _set_result,
+				.get_result = _get_result,
 				.destroy = _destroy,
 			},
 			.get_pts = _get_pts,
+			.create_component = _create_component,
 			.add_evidence = _add_evidence,
 			.next_evidence = _next_evidence,
 		},
 		.connection_id = connection_id,
 		.state = TNC_CONNECTION_STATE_CREATE,
+		.result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
 		.pts = pts_create(TRUE),
+		.components = linked_list_create(),
 		.list = linked_list_create(),
 	);
 
-	platform_info = lib->settings->get_str(lib->settings,
-						 "libimcv.plugins.imc-attestation.platform_info", NULL);
-	if (platform_info)
-	{
-		this->pts->set_platform_info(this->pts, platform_info);
-	}
-	
 	return &this->public.interface;
 }
 
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.h b/src/libpts/plugins/imc_attestation/imc_attestation_state.h
index 22b0bba23..4b93931c3 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_state.h
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.h
@@ -14,9 +14,11 @@
  */
 
 /**
+ * @defgroup imc_attestation imc_attestation
+ * @ingroup libpts_plugins
  *
  * @defgroup imc_attestation_state_t imc_attestation_state
- * @{ @ingroup imc_attestation_state
+ * @{ @ingroup imc_attestation
  */
 
 #ifndef IMC_ATTESTATION_STATE_H_
@@ -24,6 +26,7 @@
 
 #include <imc/imc_state.h>
 #include <pts/pts.h>
+#include <pts/components/pts_component.h>
 #include <pts/components/pts_comp_evidence.h>
 #include <library.h>
 
@@ -47,14 +50,24 @@ struct imc_attestation_state_t {
 	pts_t* (*get_pts)(imc_attestation_state_t *this);
 
 	/**
-	 * Add an entry to the Component Evidence list
+	 * Create and add an entry to the list of Functional Components
 	 *
-	 * @param entry				Component Evidence entry
+	 * @param name				Component Functional Name
+	 * @param depth				Sub-component Depth
+	 * @return					created functional component instance or NULL
 	 */
-	void (*add_evidence)(imc_attestation_state_t *this, pts_comp_evidence_t *entry);
+	pts_component_t* (*create_component)(imc_attestation_state_t *this,
+							 pts_comp_func_name_t *name, u_int32_t depth);
 
 	/**
-	 * Removes next Component Evidence entry from list and returns it
+	 * Add an entry to the Component Evidence cache list
+	 *
+	 * @param evid				Component Evidence entry
+	 */
+	void (*add_evidence)(imc_attestation_state_t *this, pts_comp_evidence_t *evid);
+
+	/**
+	 * Removes next entry from the Component Evidence cache list and returns it
 	 *
 	 * @param evid				Next Component Evidence entry
 	 * @return					TRUE if next entry is available
diff --git a/src/libpts/plugins/imv_attestation/Makefile.am b/src/libpts/plugins/imv_attestation/Makefile.am
index a550a3552..ae5225ae3 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.am
+++ b/src/libpts/plugins/imv_attestation/Makefile.am
@@ -1,11 +1,12 @@
-
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv \
-	-I$(top_srcdir)/src/libpts
+	-I$(top_srcdir)/src/libpts \
+	-DPLUGINS=\""${attest_plugins}\""
 
-AM_CFLAGS = -rdynamic -DPLUGINS=\""${attest_plugins}\""
+AM_CFLAGS = \
+	-rdynamic
 
 imcv_LTLIBRARIES = imv-attestation.la
 
@@ -16,6 +17,7 @@ imv_attestation_la_LIBADD = \
 
 imv_attestation_la_SOURCES = imv_attestation.c \
 	imv_attestation_state.h imv_attestation_state.c \
+	imv_attestation_agent.h imv_attestation_agent.c \
 	imv_attestation_process.h imv_attestation_process.c \
 	imv_attestation_build.h imv_attestation_build.c
 
@@ -24,10 +26,11 @@ imv_attestation_la_LDFLAGS = -module -avoid-version
 ipsec_PROGRAMS = attest
 attest_SOURCES = attest.c \
 	attest_usage.h attest_usage.c \
-	attest_db.h attest_db.c \
-	tables.sql data.sql
+	attest_db.h attest_db.c
 attest_LDADD = \
 	$(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libpts/libpts.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 attest.o :	$(top_builddir)/config.status
+
+EXTRA_DIST = build-database.sh
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index 989a173b5..36b440e82 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -74,6 +92,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
 LTLIBRARIES = $(imcv_LTLIBRARIES)
 imv_attestation_la_DEPENDENCIES =  \
@@ -81,12 +105,16 @@ imv_attestation_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libpts/libpts.la
 am_imv_attestation_la_OBJECTS = imv_attestation.lo \
-	imv_attestation_state.lo imv_attestation_process.lo \
-	imv_attestation_build.lo
+	imv_attestation_state.lo imv_attestation_agent.lo \
+	imv_attestation_process.lo imv_attestation_build.lo
 imv_attestation_la_OBJECTS = $(am_imv_attestation_la_OBJECTS)
-imv_attestation_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(imv_attestation_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+imv_attestation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(imv_attestation_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 PROGRAMS = $(ipsec_PROGRAMS)
 am_attest_OBJECTS = attest.$(OBJEXT) attest_usage.$(OBJEXT) \
 	attest_db.$(OBJEXT)
@@ -94,42 +122,67 @@ attest_OBJECTS = $(am_attest_OBJECTS)
 attest_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libpts/libpts.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
 DIST_SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -138,13 +191,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -157,6 +213,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -184,11 +241,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -196,6 +255,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -204,8 +264,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -214,14 +272,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -235,17 +298,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -255,16 +318,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -292,13 +354,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libimcv \
-	-I$(top_srcdir)/src/libpts
+	-I$(top_srcdir)/src/libpts \
+	-DPLUGINS=\""${attest_plugins}\""
+
+AM_CFLAGS = \
+	-rdynamic
 
-AM_CFLAGS = -rdynamic -DPLUGINS=\""${attest_plugins}\""
 imcv_LTLIBRARIES = imv-attestation.la
 imv_attestation_la_LIBADD = \
 	$(top_builddir)/src/libimcv/libimcv.la \
@@ -307,20 +372,21 @@ imv_attestation_la_LIBADD = \
 
 imv_attestation_la_SOURCES = imv_attestation.c \
 	imv_attestation_state.h imv_attestation_state.c \
+	imv_attestation_agent.h imv_attestation_agent.c \
 	imv_attestation_process.h imv_attestation_process.c \
 	imv_attestation_build.h imv_attestation_build.c
 
 imv_attestation_la_LDFLAGS = -module -avoid-version
 attest_SOURCES = attest.c \
 	attest_usage.h attest_usage.c \
-	attest_db.h attest_db.c \
-	tables.sql data.sql
+	attest_db.h attest_db.c
 
 attest_LDADD = \
 	$(top_builddir)/src/libimcv/libimcv.la \
 	$(top_builddir)/src/libpts/libpts.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
+EXTRA_DIST = build-database.sh
 all: all-am
 
 .SUFFIXES:
@@ -357,7 +423,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)"
 	@list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -365,6 +430,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
 	}
@@ -386,12 +453,15 @@ clean-imcvLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) 
-	$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
+imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -431,9 +501,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) 
+attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES) 
 	@rm -f attest$(EXEEXT)
-	$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -445,30 +515,31 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_db.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_usage.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_agent.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_build.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_process.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_state.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -575,10 +646,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 9200820e8..4d25df3f4 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -20,9 +20,10 @@
 #include <string.h>
 #include <errno.h>
 #include <syslog.h>
+#include <libgen.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <imcv.h>
 #include <libpts.h>
@@ -34,7 +35,7 @@
 /**
  * global debug output variables
  */
-static int debug_level = 2;
+static int debug_level = 1;
 static bool stderr_quiet = TRUE;
 
 /**
@@ -81,6 +82,7 @@ static void attest_dbg(debug_t group, level_t level, char *fmt, ...)
  */
 attest_db_t *attest;
 
+
 /**
  * atexit handler to close db on shutdown
  */
@@ -99,10 +101,14 @@ static void do_args(int argc, char *argv[])
 		OP_USAGE,
 		OP_KEYS,
 		OP_COMPONENTS,
+		OP_DEVICES,
+		OP_DIRECTORIES,
 		OP_FILES,
 		OP_HASHES,
 		OP_MEASUREMENTS,
+		OP_PACKAGES,
 		OP_PRODUCTS,
+		OP_SESSIONS,
 		OP_ADD,
 		OP_DEL,
 	} op = OP_UNDEF;
@@ -117,23 +123,39 @@ static void do_args(int argc, char *argv[])
 		struct option long_opts[] = {
 			{ "help", no_argument, NULL, 'h' },
 			{ "components", no_argument, NULL, 'c' },
+			{ "devices", no_argument, NULL, 'e' },
+			{ "directories", no_argument, NULL, 'd' },
+			{ "dirs", no_argument, NULL, 'd' },
 			{ "files", no_argument, NULL, 'f' },
 			{ "keys", no_argument, NULL, 'k' },
+			{ "packages", no_argument, NULL, 'g' },
 			{ "products", no_argument, NULL, 'p' },
 			{ "hashes", no_argument, NULL, 'H' },
 			{ "measurements", no_argument, NULL, 'm' },
+			{ "sessions", no_argument, NULL, 's' },
 			{ "add", no_argument, NULL, 'a' },
-			{ "delete", no_argument, NULL, 'd' },
-			{ "del", no_argument, NULL, 'd' },
+			{ "delete", no_argument, NULL, 'r' },
+			{ "del", no_argument, NULL, 'r' },
+			{ "remove", no_argument, NULL, 'r' },
 			{ "aik", required_argument, NULL, 'A' },
+			{ "blacklist", no_argument, NULL, 'B' },
 			{ "component", required_argument, NULL, 'C' },
 			{ "comp", required_argument, NULL, 'C' },
 			{ "directory", required_argument, NULL, 'D' },
 			{ "dir", required_argument, NULL, 'D' },
 			{ "file", required_argument, NULL, 'F' },
+			{ "sha1-ima", no_argument, NULL, 'I' },
+			{ "package", required_argument, NULL, 'G' },
 			{ "key", required_argument, NULL, 'K' },
 			{ "owner", required_argument, NULL, 'O' },
 			{ "product", required_argument, NULL, 'P' },
+			{ "relative", no_argument, NULL, 'R' },
+			{ "rel", no_argument, NULL, 'R' },
+			{ "sequence", required_argument, NULL, 'S' },
+			{ "seq", required_argument, NULL, 'S' },
+			{ "utc", no_argument, NULL, 'U' },
+			{ "version", required_argument, NULL, 'V' },
+			{ "security", no_argument, NULL, 'Y' },
 			{ "sha1", no_argument, NULL, '1' },
 			{ "sha256", no_argument, NULL, '2' },
 			{ "sha384", no_argument, NULL, '3' },
@@ -142,6 +164,7 @@ static void do_args(int argc, char *argv[])
 			{ "pid", required_argument, NULL, '6' },
 			{ "cid", required_argument, NULL, '7' },
 			{ "kid", required_argument, NULL, '8' },
+			{ "gid", required_argument, NULL, '9' },
 			{ 0,0,0,0 }
 		};
 
@@ -156,9 +179,18 @@ static void do_args(int argc, char *argv[])
 			case 'c':
 				op = OP_COMPONENTS;
 				continue;
+			case 'd':
+				op = OP_DIRECTORIES;
+				continue;
+			case 'e':
+				op = OP_DEVICES;
+				continue;
 			case 'f':
 				op = OP_FILES;
 				continue;
+			case 'g':
+				op = OP_PACKAGES;
+				continue;
 			case 'k':
 				op = OP_KEYS;
 				continue;
@@ -171,10 +203,13 @@ static void do_args(int argc, char *argv[])
 			case 'm':
 				op = OP_MEASUREMENTS;
 				continue;
+			case 's':
+				op = OP_SESSIONS;
+				continue;
 			case 'a':
 				op = OP_ADD;
 				continue;
-			case 'd':
+			case 'r':
 				op = OP_DEL;
 				continue;
 			case 'A':
@@ -214,6 +249,9 @@ static void do_args(int argc, char *argv[])
 				}
 				continue;
 			}
+			case 'B':
+				attest->set_package_state(attest, OS_PACKAGE_STATE_BLACKLIST);
+				continue;
 			case 'C':
 				if (!attest->set_component(attest, optarg, op == OP_ADD))
 				{
@@ -227,11 +265,35 @@ static void do_args(int argc, char *argv[])
 				}
 				continue;
 			case 'F':
-				if (!attest->set_file(attest, optarg, op == OP_ADD))
+			{
+				char *path = strdup(optarg);
+				char *dir = dirname(path);
+				char *file = basename(optarg);
+
+				if (*dir != '.')
+				{
+					if (!attest->set_directory(attest, dir, op == OP_ADD))
+					{
+						free(path);
+						exit(EXIT_FAILURE);
+					}
+				}
+				free(path);
+				if (!attest->set_file(attest, file, op == OP_ADD))
+				{
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			}
+			case 'G':
+				if (!attest->set_package(attest, optarg, op == OP_ADD))
 				{
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			case 'I':
+				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA);
+				continue;
 			case 'K':
 			{
 				chunk_t aik;
@@ -252,6 +314,24 @@ static void do_args(int argc, char *argv[])
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			case 'R':
+				attest->set_relative(attest);
+				continue;
+			case 'S':
+				attest->set_sequence(attest, atoi(optarg));
+				continue;
+			case 'U':
+				attest->set_utc(attest);
+				continue;
+			case 'V':
+				if (!attest->set_version(attest, optarg))
+				{
+					exit(EXIT_FAILURE);
+				}
+				continue;
+			case 'Y':
+				attest->set_package_state(attest, OS_PACKAGE_STATE_SECURITY);
+				continue;
 			case '1':
 				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
 				continue;
@@ -291,6 +371,12 @@ static void do_args(int argc, char *argv[])
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			case '9':
+				if (!attest->set_gid(attest, atoi(optarg)))
+				{
+					exit(EXIT_FAILURE);
+				}
+				continue;
 		}
 		break;
 	}
@@ -300,6 +386,9 @@ static void do_args(int argc, char *argv[])
 		case OP_USAGE:
 			usage();
 			break;
+		case OP_PACKAGES:
+			attest->list_packages(attest);
+			break;
 		case OP_PRODUCTS:
 			attest->list_products(attest);
 			break;
@@ -309,6 +398,12 @@ static void do_args(int argc, char *argv[])
 		case OP_COMPONENTS:
 			attest->list_components(attest);
 			break;
+		case OP_DEVICES:
+			attest->list_devices(attest);
+			break;
+		case OP_DIRECTORIES:
+			attest->list_directories(attest);
+			break;
 		case OP_FILES:
 			attest->list_files(attest);
 			break;
@@ -318,6 +413,9 @@ static void do_args(int argc, char *argv[])
 		case OP_MEASUREMENTS:
 			attest->list_measurements(attest);
 			break;
+		case OP_SESSIONS:
+			attest->list_sessions(attest);
+			break;
 		case OP_ADD:
 			attest->add(attest);
 			break;
@@ -345,7 +443,7 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "attest.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
@@ -363,7 +461,7 @@ int main(int argc, char *argv[])
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
 	atexit(cleanup);
-	libimcv_init();
+	libimcv_init(FALSE);
 	libpts_init();
 
 	do_args(argc, argv);
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 88d19eee1..d7654ab43 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,11 +13,24 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <libgen.h>
+#include <time.h>
+
+#include <tncif_names.h>
+
 #include "attest_db.h"
 
 #include "libpts.h"
+#include "pts/pts_meas_algo.h"
+#include "pts/pts_file_meas.h"
 #include "pts/components/pts_comp_func_name.h"
 
+#define IMA_MAX_NAME_LEN	255
+#define DEVICE_MAX_LEN		 20
+
 typedef struct private_attest_db_t private_attest_db_t;
 
 /**
@@ -56,11 +69,6 @@ struct private_attest_db_t {
 	int did;
 
 	/**
-	 * TRUE if directory has been set
-	 */
-	bool dir_set;
-
-	/**
 	 * Measurement file to be queried
 	 */
 	char *file;
@@ -71,11 +79,6 @@ struct private_attest_db_t {
 	int fid;
 
 	/**
-	 * TRUE if file has been set
-	 */
-	bool file_set;
-
-	/**
 	 *  AIK to be queried
 	 */
 	chunk_t key;
@@ -91,6 +94,21 @@ struct private_attest_db_t {
 	bool key_set;
 
 	/**
+	 * Software package to be queried
+	 */
+	char *package;
+
+	/**
+	 * Primary key of software package to be queried
+	 */
+	int gid;
+
+	/**
+	 * TRUE if package has been set
+	 */
+	bool package_set;
+
+	/**
 	 * Software product to be queried
 	 */
 	char *product;
@@ -106,6 +124,36 @@ struct private_attest_db_t {
 	bool product_set;
 
 	/**
+	 * Software package version to be queried
+	 */
+	char *version;
+
+	/**
+	 * TRUE if version has been set
+	 */
+	bool version_set;
+
+	/**
+	 * TRUE if relative filenames are to be used
+	 */
+	bool relative;
+
+	/**
+	 * TRUE if dates are to be displayed in UTC
+	 */
+	bool utc;
+
+	/**
+	 * Package security or blacklist state
+	 */
+	os_package_state_t package_state;
+
+	/**
+	 * Sequence number for ordering entries
+	 */
+	int seq_no;
+
+	/**
 	 * File measurement hash algorithm
 	 */
 	pts_meas_algorithms_t algo;
@@ -175,7 +223,7 @@ METHOD(attest_db_t, set_component, bool,
 	e = this->db->query(this->db,
 					   "SELECT id FROM components "
 					   "WHERE vendor_id = ? AND name = ? AND qualifier = ?",
-						DB_INT, vid, DB_INT, name, DB_INT, qualifier, DB_INT);
+						DB_UINT, vid, DB_INT, name, DB_INT, qualifier, DB_INT);
 	if (e)
 	{
 		if (e->enumerate(e, &this->cid))
@@ -231,7 +279,7 @@ METHOD(attest_db_t, set_cid, bool,
 
 	e = this->db->query(this->db, "SELECT vendor_id, name, qualifier "
 								  "FROM components WHERE id = ?",
-						DB_INT, cid, DB_INT, DB_INT, DB_INT);
+						DB_UINT, cid, DB_INT, DB_INT, DB_INT);
 	if (e)
 	{
 		if (e->enumerate(e, &vid, &name, &qualifier))
@@ -252,27 +300,35 @@ METHOD(attest_db_t, set_directory, bool,
 	private_attest_db_t *this, char *dir, bool create)
 {
 	enumerator_t *e;
+	int did;
+	size_t len;
 
-	if (this->dir_set)
+	if (this->did)
 	{
 		printf("directory has already been set\n");
 		return FALSE;
 	}
-	free(this->dir);
+
+	/* remove trailing '/' character if not root directory */
+	len = strlen(dir);
+	if (len > 1 && dir[len-1] == '/')
+	{
+		dir[len-1] = '\0';
+	}
 	this->dir = strdup(dir);
 
 	e = this->db->query(this->db,
-						"SELECT id FROM files WHERE type = 1 AND path = ?",
+						"SELECT id FROM directories WHERE path = ?",
 						DB_TEXT, dir, DB_INT);
 	if (e)
 	{
-		if (e->enumerate(e, &this->did))
+		if (e->enumerate(e, &did))
 		{
-			this->dir_set = TRUE;
+			this->did = did;
 		}
 		e->destroy(e);
 	}
-	if (this->dir_set)
+	if (this->did)
 	{
 		return TRUE;
 	}
@@ -284,14 +340,15 @@ METHOD(attest_db_t, set_directory, bool,
 	}
 
 	/* Add a new database entry */
-	this->dir_set = this->db->execute(this->db, &this->did,
-								"INSERT INTO files (type, path) VALUES (1, ?)",
-								DB_TEXT, dir) == 1;
-
+	if (1 == this->db->execute(this->db, &did,
+				"INSERT INTO directories (path) VALUES (?)", DB_TEXT, dir))
+	{
+		this->did = did;
+	}
 	printf("directory '%s' %sinserted into database\n", dir,
-		   this->dir_set ? "" : "could not be ");
+			this->did ? "" : "could not be ");
 
-	return this->dir_set;
+	return this->did > 0;
 }
 
 METHOD(attest_db_t, set_did, bool,
@@ -300,22 +357,20 @@ METHOD(attest_db_t, set_did, bool,
 	enumerator_t *e;
 	char *dir;
 
-	if (this->dir_set)
+	if (this->did)
 	{
 		printf("directory has already been set\n");
 		return FALSE;
 	}
-	this->did = did;
 
-	e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
-						DB_INT, did, DB_TEXT);
+	e = this->db->query(this->db, "SELECT path FROM directories WHERE id = ?",
+						DB_UINT, did, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &dir))
 		{
-			free(this->dir);
 			this->dir = strdup(dir);
-			this->dir_set = TRUE;
+			this->did = did;
 		}
 		else
 		{
@@ -323,74 +378,88 @@ METHOD(attest_db_t, set_did, bool,
 		}
 		e->destroy(e);
 	}
-	return this->dir_set;
+	return this->did > 0;
 }
 
 METHOD(attest_db_t, set_file, bool,
 	private_attest_db_t *this, char *file, bool create)
 {
+	int fid;
+	char *sep;
 	enumerator_t *e;
 
-	if (this->file_set)
+	if (this->file)
 	{
 		printf("file has already been set\n");
 		return FALSE;
 	}
 	this->file = strdup(file);
 
-	e = this->db->query(this->db, "SELECT id FROM files WHERE path = ?",
-						DB_TEXT, file, DB_INT);
+	if (!this->did)
+	{
+		return TRUE;
+	}
+	sep = streq(this->dir, "/") ? "" : "/";
+	e = this->db->query(this->db, "SELECT id FROM files "
+						"WHERE dir = ? AND name = ?",
+						DB_INT, this->did, DB_TEXT, file, DB_INT);
 	if (e)
 	{
-		if (e->enumerate(e, &this->fid))
+		if (e->enumerate(e, &fid))
 		{
-			this->file_set = TRUE;
+			this->fid = fid;
 		}
 		e->destroy(e);
 	}
-	if (this->file_set)
+	if (this->fid)
 	{
 		return TRUE;
 	}
 
 	if (!create)
 	{
-		printf("file '%s' not found in database\n", file);
+		printf("file '%s%s%s' not found in database\n", this->dir, sep, file);
 		return FALSE;
 	}
 
 	/* Add a new database entry */
-	this->file_set = this->db->execute(this->db, &this->fid,
-								"INSERT INTO files (type, path) VALUES (0, ?)",
-								DB_TEXT, file) == 1;
-
-	printf("file '%s' %sinserted into database\n", file,
-		   this->file_set ? "" : "could not be ");
+	if (1 == this->db->execute(this->db, &fid,
+							   "INSERT INTO files (dir, name) VALUES (?, ?)",
+							   DB_INT, this->did, DB_TEXT, file))
+	{
+		this->fid = fid;
+	}
+	printf("file '%s%s%s' %sinserted into database\n", this->dir, sep, file,
+		   this->fid ? "" : "could not be ");
 
-	return this->file_set;
+	return this->fid > 0;
 }
 
 METHOD(attest_db_t, set_fid, bool,
 	private_attest_db_t *this, int fid)
 {
 	enumerator_t *e;
+	int did;
 	char *file;
 
-	if (this->file_set)
+	if (this->fid)
 	{
 		printf("file has already been set\n");
 		return FALSE;
 	}
-	this->fid = fid;
 
-	e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
-						DB_INT, fid, DB_TEXT);
+	e = this->db->query(this->db, "SELECT dir, name FROM files WHERE id = ?",
+						DB_UINT, fid, DB_INT, DB_TEXT);
 	if (e)
 	{
-		if (e->enumerate(e, &file))
+		if (e->enumerate(e, &did, &file))
 		{
+			if (did)
+			{
+				set_did(this, did);
+			}
 			this->file = strdup(file);
-			this->file_set = TRUE;
+			this->fid = fid;
 		}
 		else
 		{
@@ -398,7 +467,7 @@ METHOD(attest_db_t, set_fid, bool,
 		}
 		e->destroy(e);
 	}
-	return this->file_set;
+	return this->fid > 0;
 }
 
 METHOD(attest_db_t, set_key, bool,
@@ -468,7 +537,7 @@ METHOD(attest_db_t, set_kid, bool,
 	this->kid = kid;
 
 	e = this->db->query(this->db, "SELECT keyid, owner FROM keys WHERE id = ?",
-						DB_INT, kid, DB_BLOB, DB_TEXT);
+						DB_UINT, kid, DB_BLOB, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &key, &owner))
@@ -545,7 +614,7 @@ METHOD(attest_db_t, set_pid, bool,
 	this->pid = pid;
 
 	e = this->db->query(this->db, "SELECT name FROM products WHERE id = ?",
-						DB_INT, pid, DB_TEXT);
+						DB_UINT, pid, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &product))
@@ -562,12 +631,120 @@ METHOD(attest_db_t, set_pid, bool,
 	return this->product_set;
 }
 
+METHOD(attest_db_t, set_package, bool,
+	private_attest_db_t *this, char *package, bool create)
+{
+	enumerator_t *e;
+
+	if (this->package_set)
+	{
+		printf("package has already been set\n");
+		return FALSE;
+	}
+	this->package = strdup(package);
+
+	e = this->db->query(this->db, "SELECT id FROM packages WHERE name = ?",
+						DB_TEXT, package, DB_INT);
+	if (e)
+	{
+		if (e->enumerate(e, &this->gid))
+		{
+			this->package_set = TRUE;
+		}
+		e->destroy(e);
+	}
+	if (this->package_set)
+	{
+		return TRUE;
+	}
+
+	if (!create)
+	{
+		printf("package '%s' not found in database\n", package);
+		return FALSE;
+	}
+
+	/* Add a new database entry */
+	this->package_set = this->db->execute(this->db, &this->gid,
+									"INSERT INTO packages (name) VALUES (?)",
+									DB_TEXT, package) == 1;
+
+	printf("package '%s' %sinserted into database\n", package,
+		   this->package_set ? "" : "could not be ");
+
+	return this->package_set;
+}
+
+METHOD(attest_db_t, set_gid, bool,
+	private_attest_db_t *this, int gid)
+{
+	enumerator_t *e;
+	char *package;
+
+	if (this->package_set)
+	{
+		printf("package has already been set\n");
+		return FALSE;
+	}
+	this->gid = gid;
+
+	e = this->db->query(this->db, "SELECT name FROM packages WHERE id = ?",
+						DB_UINT, gid, DB_TEXT);
+	if (e)
+	{
+		if (e->enumerate(e, &package))
+		{
+			this->package = strdup(package);
+			this->package_set = TRUE;
+		}
+		else
+		{
+			printf("no package found with gid %d in database\n", gid);
+		}
+		e->destroy(e);
+	}
+	return this->package_set;
+}
+
+METHOD(attest_db_t, set_version, bool,
+	private_attest_db_t *this, char *version)
+{
+	if (this->version_set)
+	{
+		printf("version has already been set\n");
+		return FALSE;
+	}
+	this->version = strdup(version);
+	this->version_set = TRUE;
+
+	return TRUE;
+}
+
+
 METHOD(attest_db_t, set_algo, void,
 	private_attest_db_t *this, pts_meas_algorithms_t algo)
 {
 	this->algo = algo;
 }
 
+METHOD(attest_db_t, set_relative, void,
+	private_attest_db_t *this)
+{
+	this->relative = TRUE;
+}
+
+METHOD(attest_db_t, set_package_state, void,
+	private_attest_db_t *this, os_package_state_t package_state)
+{
+	this->package_state = package_state;
+}
+
+METHOD(attest_db_t, set_sequence, void,
+	private_attest_db_t *this, int seq_no)
+{
+	this->seq_no = seq_no;
+}
+
 METHOD(attest_db_t, set_owner, void,
 	private_attest_db_t *this, char *owner)
 {
@@ -575,21 +752,40 @@ METHOD(attest_db_t, set_owner, void,
 	this->owner = strdup(owner);
 }
 
+METHOD(attest_db_t, set_utc, void,
+	private_attest_db_t *this)
+{
+	this->utc = TRUE;
+}
+
 METHOD(attest_db_t, list_components, void,
 	private_attest_db_t *this)
 {
 	enumerator_t *e;
 	pts_comp_func_name_t *cfn;
-	int cid, vid, name, qualifier, count = 0;
+	int seq_no, cid, vid, name, qualifier, count = 0;
 
 	if (this->kid)
 	{
 		e = this->db->query(this->db,
-				"SELECT c.id, c.vendor_id, c.name, c.qualifier "
+				"SELECT kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier "
 				"FROM components AS c "
 				"JOIN key_component AS kc ON c.id = kc.component "
-				"WHERE kc.key = ? ORDER BY c.vendor_id, c.name, c.qualifier",
-				DB_INT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT);
+				"WHERE kc.key = ? ORDER BY kc.seq_no",
+				DB_UINT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
+		if (e)
+		{
+			while (e->enumerate(e,  &cid, &seq_no, &vid, &name, &qualifier))
+			{
+				cfn   = pts_comp_func_name_create(vid, name, qualifier);
+				printf("%4d: #%-2d %s\n", seq_no, cid, print_cfn(cfn));
+				cfn->destroy(cfn);
+				count++;
+			}
+			e->destroy(e);
+			printf("%d component%s found for key %#B\n", count,
+				  (count == 1) ? "" : "s", &this->key);
+		}
 	}
 	else
 	{
@@ -597,24 +793,82 @@ METHOD(attest_db_t, list_components, void,
 				"SELECT id, vendor_id, name, qualifier FROM components "
 				"ORDER BY vendor_id, name, qualifier",
 				DB_INT, DB_INT, DB_INT, DB_INT);
+		if (e)
+		{
+			while (e->enumerate(e,  &cid, &vid, &name, &qualifier))
+			{
+				cfn   = pts_comp_func_name_create(vid, name, qualifier);
+				printf("%4d: %s\n", cid, print_cfn(cfn));
+				cfn->destroy(cfn);
+				count++;
+			}
+			e->destroy(e);
+			printf("%d component%s found\n", count, (count == 1) ? "" : "s");
+		}
 	}
+}
+
+METHOD(attest_db_t, list_devices, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e, *e_ar;
+	chunk_t ar_id_value = chunk_empty;
+	char *product, *device;
+	time_t timestamp;
+	int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
+	int session_id, rec;
+	u_int32_t ar_id_type;
+	u_int tstamp;
+
+	e = this->db->query(this->db,
+			"SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name "
+			"FROM devices AS d "
+			"JOIN sessions AS s ON d.id = s.device "
+			"JOIN products AS p ON p.id = s.product "
+			"ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT,
+			 DB_INT, DB_INT, DB_TEXT);
+
 	if (e)
 	{
-		while (e->enumerate(e, &cid, &vid, &name, &qualifier))
+		while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec,
+							   &product))
 		{
-			cfn   = pts_comp_func_name_create(vid, name, qualifier);
-			printf("%3d: %s\n", cid, print_cfn(cfn));
-			cfn->destroy(cfn);
-			count++;
+			if (id != last_id)
+			{
+				printf("%4d: %s - %s\n", id, device, product);
+				device_count++;
+				last_id = id;
+			}
+			timestamp = tstamp;
+			printf("%4d:   %T", session_id, &timestamp, this->utc);
+			if (ar_id)
+			{
+				if (ar_id != last_ar_id)
+				{
+					chunk_free(&ar_id_value);
+					e_ar = this->db->query(this->db,
+								"SELECT type, value FROM identities "
+								"WHERE id = ?", DB_INT, ar_id, DB_INT, DB_BLOB);
+					if (e_ar)
+					{
+						e_ar->enumerate(e_ar, &ar_id_type, &ar_id_value);
+						ar_id_value = chunk_clone(ar_id_value);
+						e_ar->destroy(e_ar);
+					}
+				}
+				if (ar_id_value.len)
+				{
+					printf(" %.*s", (int)ar_id_value.len, ar_id_value.ptr);
+				}
+				last_ar_id = ar_id;
+			}
+			printf(" - %N\n", TNC_IMV_Action_Recommendation_names, rec);
 		}
 		e->destroy(e);
+		free(ar_id_value.ptr);
 
-		printf("%d component%s found", count, (count == 1) ? "" : "s");
-		if (this->key_set)
-		{
-			printf(" for key %#B", &this->key);
-		}
-		printf("\n");
+		printf("%d device%s found\n", device_count,
+									 (device_count == 1) ? "" : "s");
 	}
 }
 
@@ -632,12 +886,12 @@ METHOD(attest_db_t, list_keys, void,
 				"SELECT k.id, k.keyid, k.owner FROM keys AS k "
 				"JOIN key_component AS kc ON k.id = kc.key "
 				"WHERE kc.component = ? ORDER BY k.keyid",
-				DB_INT, this->cid, DB_INT, DB_BLOB, DB_TEXT);
+				DB_UINT, this->cid, DB_INT, DB_BLOB, DB_TEXT);
 		if (e)
 		{
 			while (e->enumerate(e, &kid, &keyid, &owner))
 			{
-				printf("%3d: %#B '%s'\n", kid, &keyid, owner);
+				printf("%4d: %#B '%s'\n", kid, &keyid, owner);
 				count++;
 			}
 			e->destroy(e);
@@ -652,7 +906,7 @@ METHOD(attest_db_t, list_keys, void,
 		{
 			while (e->enumerate(e, &kid, &keyid, &owner))
 			{
-				printf("%3d: %#B '%s'\n", kid, &keyid, owner);
+				printf("%4d: %#B '%s'\n", kid, &keyid, owner);
 				count++;
 			}
 			e->destroy(e);
@@ -671,48 +925,164 @@ METHOD(attest_db_t, list_files, void,
 	private_attest_db_t *this)
 {
 	enumerator_t *e;
-	char *file, *file_type[] = { " ", "d", "r" };
-	int fid, type, meas, meta, count = 0;
+	char *dir, *file;
+	int did, last_did = 0, fid, count = 0;
 
-	if (this->pid)
+	if (this->did)
 	{
 		e = this->db->query(this->db,
-				"SELECT f.id, f.type, f.path, pf.measurement, pf.metadata "
-				"FROM files AS f "
-				"JOIN product_file AS pf ON f.id = pf.file "
-				"WHERE pf.product = ? ORDER BY f.path",
-				DB_INT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT);
+				"SELECT id, name FROM files WHERE dir = ? ORDER BY name",
+				DB_INT, this->did, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid, &type, &file, &meas, &meta))
+			while (e->enumerate(e, &fid, &file))
 			{
-				type = (type < 0 || type > 2) ? 0 : type;
-				printf("%3d: |%s%s| %s %s\n", fid, meas ? "M":" ", meta ? "T":" ",
-											  file_type[type], file);
+				printf("%4d: %s\n", fid, file);
 				count++;
 			}
 			e->destroy(e);
 		}
+		printf("%d file%s found in directory '%s'\n", count,
+			  (count == 1) ? "" : "s", this->dir);
 	}
 	else
 	{
 		e = this->db->query(this->db,
-				"SELECT id, type, path FROM files "
-				"ORDER BY path",
-				DB_INT, DB_INT, DB_TEXT);
+				"SELECT d.id, d.path, f.id, f.name FROM files AS f "
+				"JOIN directories AS d ON f.dir = d.id "
+				"ORDER BY d.path, f.name",
+				DB_INT, DB_TEXT, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid, &type, &file))
+			while (e->enumerate(e, &did, &dir, &fid, &file))
 			{
-				type = (type < 0 || type > 2) ? 0 : type;
-				printf("%3d: %s %s\n", fid, file_type[type], file);
+				if (did != last_did)
+				{
+					printf("%4d: %s\n", did, dir);
+					last_did = did;
+				}
+				printf("%4d:   %s\n", fid, file);
 				count++;
 			}
 			e->destroy(e);
 		}
+		printf("%d file%s found\n", count, (count == 1) ? "" : "s");
 	}
+}
 
-	printf("%d file%s found", count, (count == 1) ? "" : "s");
+METHOD(attest_db_t, list_directories, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e;
+	char *dir;
+	int did, count = 0;
+
+	if (this->file)
+	{
+		e = this->db->query(this->db,
+				"SELECT d.id, d.path FROM directories AS d "
+				"JOIN files AS f ON f.dir = d.id WHERE f.name = ? "
+				"ORDER BY path", DB_TEXT, this->file, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &did, &dir))
+			{
+				printf("%4d: %s\n", did, dir);
+				count++;
+			}
+			e->destroy(e);
+		}
+		printf("%d director%s found containing file '%s'\n", count,
+			  (count == 1) ? "y" : "ies", this->file);
+	}
+	else
+	{
+		e = this->db->query(this->db,
+				"SELECT id, path FROM directories ORDER BY path",
+				DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &did, &dir))
+			{
+				printf("%4d: %s\n", did, dir);
+				count++;
+			}
+			e->destroy(e);
+		}
+		printf("%d director%s found\n", count, (count == 1) ? "y" : "ies");
+	}
+}
+
+METHOD(attest_db_t, list_packages, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e;
+	char *package, *version;
+	os_package_state_t package_state;
+	int blacklist, security, gid, gid_old = 0, spaces, count = 0, t;
+	time_t timestamp;
+
+	if (this->pid)
+	{
+		e = this->db->query(this->db,
+				"SELECT p.id, p.name, "
+				"v.release, v.security, v.blacklist, v.time "
+				"FROM packages AS p JOIN versions AS v ON v.package = p.id "
+				"WHERE v.product = ? ORDER BY p.name, v.release",
+				DB_INT, this->pid,
+				DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT, DB_INT);
+		if (e)
+		{
+			while (e->enumerate(e, &gid, &package,
+								   &version, &security, &blacklist, &t))
+			{
+				if (gid != gid_old)
+				{
+					printf("%5d: %s,", gid, package);
+					gid_old = gid;
+				}
+				else
+				{
+					spaces = 8 + strlen(package);
+					while (spaces--)
+					{
+						printf(" ");
+					}
+				}
+				timestamp = t;
+				if (blacklist)
+				{
+					package_state = OS_PACKAGE_STATE_BLACKLIST;
+				}
+				else
+				{
+					package_state = security ? OS_PACKAGE_STATE_SECURITY :
+											   OS_PACKAGE_STATE_UPDATE;
+				}
+				printf(" %T (%s)%N\n", &timestamp, this->utc, version,
+					 os_package_state_names, package_state);
+				count++;
+			}
+			e->destroy(e);
+		}
+	}
+	else
+	{
+		e = this->db->query(this->db, "SELECT id, name FROM packages "
+				"ORDER BY name",
+				DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &gid, &package))
+			{
+				printf("%4d: %s\n", gid, package);
+				count++;
+			}
+			e->destroy(e);
+		}
+	}
+
+	printf("%d package%s found", count, (count == 1) ? "" : "s");
 	if (this->product_set)
 	{
 		printf(" for product '%s'", this->product);
@@ -734,12 +1104,12 @@ METHOD(attest_db_t, list_products, void,
 				"FROM products AS p "
 				"JOIN product_file AS pf ON p.id = pf.product "
 				"WHERE pf.file = ? ORDER BY p.name",
-				DB_INT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT);
+				DB_UINT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT);
 		if (e)
 		{
 			while (e->enumerate(e, &pid, &product, &meas, &meta))
 			{
-				printf("%3d: |%s%s| %s\n", pid, meas ? "M":" ", meta ? "T":" ",
+				printf("%4d: |%s%s| %s\n", pid, meas ? "M":" ", meta ? "T":" ",
 										   product);
 				count++;
 			}
@@ -755,7 +1125,7 @@ METHOD(attest_db_t, list_products, void,
 		{
 			while (e->enumerate(e, &pid, &product))
 			{
-				printf("%3d: %s\n", pid, product);
+				printf("%4d: %s\n", pid, product);
 				count++;
 			}
 			e->destroy(e);
@@ -763,179 +1133,293 @@ METHOD(attest_db_t, list_products, void,
 	}
 
 	printf("%d product%s found", count, (count == 1) ? "" : "s");
-	if (this->file_set)
+	if (this->fid)
 	{
 		printf(" for file '%s'", this->file);
 	}
 	printf("\n");
 }
 
-/**
- * get the directory if there is one from the files tables
- */
-static void get_directory(private_attest_db_t *this, int did, char **directory)
+METHOD(attest_db_t, list_hashes, void,
+	private_attest_db_t *this)
 {
 	enumerator_t *e;
-	char *dir;
-
-	free(*directory);
-	*directory = strdup("");
+	chunk_t hash;
+	char *file, *dir, *product;
+	int id, fid, fid_old = 0, did, did_old = 0, pid, pid_old = 0, count = 0;
 
-	if (did)
+	if (this->pid && this->fid && this->did)
 	{
+		printf("%4d: %s\n", this->did, this->dir);
+		printf("%4d:   %s\n", this->fid, this->file);
 		e = this->db->query(this->db,
-				"SELECT path from files WHERE id = ?",
-				DB_INT, did, DB_TEXT);
+				"SELECT id, hash FROM file_hashes "
+				"WHERE algo = ? AND file = ? AND product = ?",
+				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid,
+				DB_INT, DB_BLOB);
 		if (e)
 		{
-			if (e->enumerate(e, &dir))
+			while (e->enumerate(e, &id, &hash))
 			{
-				free(*directory);
-				*directory = strdup(dir);
+				printf("%4d:     %#B\n", id, &hash);
+				count++;
 			}
 			e->destroy(e);
+
+			printf("%d %N value%s found for product '%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
+				   (count == 1) ? "" : "s", this->product);
 		}
 	}
-}
-
-static bool slash(char *directory, char *file)
-{
-	return *file != '/' && directory[max(0, strlen(directory)-1)] != '/';
-}
-
-METHOD(attest_db_t, list_hashes, void,
-	private_attest_db_t *this)
-{
-	enumerator_t *e;
-	chunk_t hash;
-	char *file, *dir, *product;
-	int fid, fid_old = 0, did, did_old = 0, count = 0;
-
-	dir = strdup("");
+	else if (this->pid && this->file)
+	{
+		e = this->db->query(this->db,
+				"SELECT h.id, h.hash, f.id, d.id, d.path "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"WHERE h.algo = ? AND h.product = ? AND f.name = ? "
+				"ORDER BY d.path, f.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->pid, DB_TEXT, this->file,
+				DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &id, &hash, &fid, &did, &dir))
+			{
+				if (did != did_old)
+				{
+					printf("%4d: %s\n", did, dir);
+					did_old = did;
+				}
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, this->file);
+					fid_old = fid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
+				count++;
+			}
+			e->destroy(e);
 
-	if (this->pid && this->fid)
+			printf("%d %N value%s found for product '%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
+				   (count == 1) ? "" : "s", this->product);
+		}
+	}
+	else if (this->pid && this->did)
 	{
+		printf("%4d: %s\n", this->did, this->dir);
 		e = this->db->query(this->db,
-				"SELECT hash FROM file_hashes "
-				"WHERE algo = ? AND file = ? AND directory = ? AND product = ?",
-				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did,
-				DB_INT, this->pid, DB_BLOB);
+				"SELECT h.id, h.hash, f.id, f.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"WHERE h.algo = ? AND h.product = ? AND f.dir = ? "
+				"ORDER BY f.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->pid, DB_INT, this->did,
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &hash))
+			while (e->enumerate(e, &id, &hash, &fid, &file))
 			{
-				if (this->fid != fid_old)
+				if (fid != fid_old)
 				{
-					printf("%3d: %s%s%s\n", this->fid, this->dir,
-						   slash(this->dir, this->file) ? "/" : "", this->file);
-					fid_old = this->fid;
+					printf("%4d:   %s\n", fid, file);
+					fid_old = fid;
 				}
-				printf("     %#B\n", &hash);
+				printf("%4d:     %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
 
 			printf("%d %N value%s found for product '%s'\n", count,
-				   hash_algorithm_names, pts_meas_algo_to_hash(this->algo),
+				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", this->product);
 		}
 	}
 	else if (this->pid)
 	{
 		e = this->db->query(this->db,
-				"SELECT f.id, f. f.path, fh.hash, fh.directory "
-				"FROM file_hashes AS fh "
-				"JOIN files AS f ON f.id = fh.file "
-				"WHERE fh.algo = ? AND fh.product = ? "
-				"ORDER BY fh.directory, f.path",
+				"SELECT h.id, h.hash, f.id, f.name, d.id, d.path "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"WHERE h.algo = ? AND h.product = ? "
+				"ORDER BY d.path, f.name, h.hash",
 				DB_INT, this->algo, DB_INT, this->pid,
-				DB_INT, DB_TEXT, DB_BLOB, DB_INT);
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid,  &file, &hash, &did))
+			while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir))
 			{
-				if (fid != fid_old || did != did_old)
+				if (did != did_old)
 				{
-					if (did != did_old)
-					{
-						get_directory(this, did, &dir);
-					}
-					printf("%3d: %s%s%s\n", fid,
-						   dir, slash(dir, file) ? "/" : "", file);
-					fid_old = fid;
+					printf("%4d: %s\n", did, dir);
 					did_old = did;
 				}
-				printf("     %#B\n", &hash);
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, file);
+					fid_old = fid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
 
 			printf("%d %N value%s found for product '%s'\n", count,
-				   hash_algorithm_names, pts_meas_algo_to_hash(this->algo),
+				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", this->product);
 		}
 	}
-	else if (this->fid)
+	else if (this->fid && this->did)
 	{
 		e = this->db->query(this->db,
-				"SELECT p.name, fh.hash, fh.directory "
-				"FROM file_hashes AS fh "
-				"JOIN products AS p ON p.id = fh.product "
-				"WHERE fh.algo = ? AND fh.file = ? AND fh.directory = ?"
-				"ORDER BY p.name",
-				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did,
-				DB_TEXT, DB_BLOB, DB_INT);
+				"SELECT h.id, h.hash, p.id, p.name FROM file_hashes AS h "
+				"JOIN products AS p ON h.product = p.id "
+				"WHERE h.algo = ? AND h.file = ? "
+				"ORDER BY p.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->fid,
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &product, &hash, &did))
+			while (e->enumerate(e, &id, &hash, &pid, &product))
 			{
-				printf("%#B '%s'\n", &hash, product);
+				if (pid != pid_old)
+				{
+					printf("%4d: %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:   %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
 
-			printf("%d %N value%s found for file '%s%s%s'\n",
-				   count, hash_algorithm_names, pts_meas_algo_to_hash(this->algo),
+			printf("%d %N value%s found for file '%s%s%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", this->dir,
-				   slash(this->dir, this->file) ? "/" : "", this->file);
+				   streq(this->dir, "/") ? "" : "/", this->file);
+		}
+	}
+	else if (this->file)
+	{
+		e = this->db->query(this->db,
+				"SELECT h.id, h.hash, f.id, d.id, d.path, p.id, p.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"JOIN products AS p ON h.product = p.id "
+				"WHERE h.algo = ? AND f.name = ? "
+				"ORDER BY d.path, f.name, p.name, h.hash",
+				DB_INT, this->algo, DB_TEXT, this->file,
+				DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &id, &hash, &fid, &did, &dir, &pid, &product))
+			{
+				if (did != did_old)
+				{
+					printf("%4d: %s\n", did, dir);
+					did_old = did;
+				}
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, this->file);
+					fid_old = fid;
+					pid_old = 0;
+				}
+				if (pid != pid_old)
+				{
+					printf("%4d:     %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
+				count++;
+			}
+			e->destroy(e);
+
+			printf("%d %N value%s found\n", count, pts_meas_algorithm_names,
+				   this->algo, (count == 1) ? "" : "s");
+		}
+
+	}
+	else if (this->did)
+	{
+		e = this->db->query(this->db,
+				"SELECT h.id, h.hash, f.id, f.name, p.id, p.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN products AS p ON h.product = p.id "
+				"WHERE h.algo = ? AND f.dir = ? "
+				"ORDER BY f.name, p.name, h.hash",
+				DB_INT, this->algo, DB_INT, this->did,
+				DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &id, &hash, &fid, &file, &pid, &product))
+			{
+				if (fid != fid_old)
+				{
+					printf("%4d: %s\n", fid, file);
+					fid_old = fid;
+					pid_old = 0;
+				}
+				if (pid != pid_old)
+				{
+					printf("%4d:   %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:     %#B\n", id, &hash);
+				count++;
+			}
+			e->destroy(e);
+
+			printf("%d %N value%s found for directory '%s'\n", count,
+				   pts_meas_algorithm_names, this->algo,
+				   (count == 1) ? "" : "s", this->dir);
 		}
 	}
 	else
 	{
 		e = this->db->query(this->db,
-				"SELECT f.id, f.path, p.name, fh.hash, fh.directory "
-				"FROM file_hashes AS fh "
-				"JOIN files AS f ON f.id = fh.file "
-				"JOIN products AS p ON p.id = fh.product "
-				"WHERE fh.algo = ? "
-				"ORDER BY fh.directory, f.path, p.name",
-				DB_INT, this->algo,
-				DB_INT, DB_TEXT, DB_TEXT, DB_BLOB, DB_INT);
+				"SELECT h.id, h.hash, f.id, f.name, d.id, d.path, p.id, p.name "
+				"FROM file_hashes AS h "
+				"JOIN files AS f ON h.file = f.id "
+				"JOIN directories AS d ON f.dir = d.id "
+				"JOIN products AS p on h.product = p.id "
+				"WHERE h.algo = ? "
+				"ORDER BY d.path, f.name, p.name, h.hash",
+				DB_INT, this->algo, DB_INT, DB_BLOB, DB_INT, DB_TEXT,
+				DB_INT, DB_TEXT, DB_INT, DB_TEXT);
 		if (e)
 		{
-			while (e->enumerate(e, &fid, &file, &product, &hash, &did))
+			while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir, &pid,
+								&product))
 			{
-				if (fid != fid_old || did != did_old)
+				if (did != did_old)
 				{
-					if (did != did_old)
-					{
-						get_directory(this, did, &dir);
-						did_old = did;
-					}
-					printf("%3d: %s%s%s\n", fid,
-						   dir, slash(dir, file) ? "/" : "", file);
+					printf("%4d: %s\n", did, dir);
+					did_old = did;
+				}
+				if (fid != fid_old)
+				{
+					printf("%4d:   %s\n", fid, file);
 					fid_old = fid;
+					pid_old = 0;
 				}
-				printf("     %#B '%s'\n", &hash, product);
+				if (pid != pid_old)
+				{
+					printf("%4d:     %s\n", pid, product);
+					pid_old = pid;
+				}
+				printf("%4d:       %#B\n", id, &hash);
 				count++;
 			}
 			e->destroy(e);
 
-			printf("%d %N value%s found\n", count, hash_algorithm_names,
-				   pts_meas_algo_to_hash(this->algo), (count == 1) ? "" : "s");
+			printf("%d %N value%s found\n", count, pts_meas_algorithm_names,
+				   this->algo, (count == 1) ? "" : "s");
 		}
 	}
-	free(dir);
 }
 
 METHOD(attest_db_t, list_measurements, void,
@@ -956,7 +1440,7 @@ METHOD(attest_db_t, list_measurements, void,
 				"JOIN keys AS k ON k.id = ch.key "
 				"WHERE ch.algo = ? AND ch.key = ? AND ch.component = ? "
 				"ORDER BY seq_no",
-				DB_INT, this->algo, DB_INT, this->kid, DB_INT, this->cid,
+				DB_INT, this->algo, DB_UINT, this->kid, DB_UINT, this->cid,
 				DB_INT, DB_INT, DB_BLOB, DB_TEXT);
 		if (e)
 		{
@@ -964,16 +1448,16 @@ METHOD(attest_db_t, list_measurements, void,
 			{
 				if (this->kid != kid_old)
 				{
-					printf("%3d: %#B '%s'\n", this->kid, &this->key, owner);
+					printf("%4d: %#B '%s'\n", this->kid, &this->key, owner);
 					kid_old = this->kid;
 				}
-				printf("%5d %02d %#B\n", seq_no, pcr, &hash);
+				printf("%7d %02d %#B\n", seq_no, pcr, &hash);
 				count++;
 			}
 			e->destroy(e);
 
 			printf("%d %N value%s found for component '%s'\n", count,
-				   hash_algorithm_names, pts_meas_algo_to_hash(this->algo),
+				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", print_cfn(this->cfn));
 		}
 	}
@@ -985,7 +1469,7 @@ METHOD(attest_db_t, list_measurements, void,
 				"JOIN keys AS k ON k.id = ch.key "
 				"WHERE ch.algo = ? AND ch.component = ? "
 				"ORDER BY keyid, seq_no",
-				DB_INT, this->algo, DB_INT, this->cid,
+				DB_INT, this->algo, DB_UINT, this->cid,
 				DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB, DB_TEXT);
 		if (e)
 		{
@@ -993,16 +1477,16 @@ METHOD(attest_db_t, list_measurements, void,
 			{
 				if (kid != kid_old)
 				{
-					printf("%3d: %#B '%s'\n", kid, &keyid, owner);
+					printf("%4d: %#B '%s'\n", kid, &keyid, owner);
 					kid_old = kid;
 				}
-				printf("%5d %02d %#B\n", seq_no, pcr, &hash);
+				printf("%7d %02d %#B\n", seq_no, pcr, &hash);
 				count++;
 			}
 			e->destroy(e);
 
 			printf("%d %N value%s found for component '%s'\n", count,
-				   hash_algorithm_names, pts_meas_algo_to_hash(this->algo),
+				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", print_cfn(this->cfn));
 		}
 
@@ -1016,7 +1500,7 @@ METHOD(attest_db_t, list_measurements, void,
 				"JOIN components AS c ON c.id = ch.component "
 				"WHERE ch.algo = ? AND ch.key = ? "
 				"ORDER BY vendor_id, name, qualifier, seq_no",
-				DB_INT, this->algo, DB_INT, this->kid, DB_INT, DB_INT, DB_BLOB,
+				DB_INT, this->algo, DB_UINT, this->kid, DB_INT, DB_INT, DB_BLOB,
 				DB_INT, DB_INT, DB_INT, DB_INT);
 		if (e)
 		{
@@ -1026,7 +1510,7 @@ METHOD(attest_db_t, list_measurements, void,
 				if (cid != cid_old)
 				{
 					cfn = pts_comp_func_name_create(vid, name, qualifier);
-					printf("%3d: %s\n", cid, print_cfn(cfn));
+					printf("%4d: %s\n", cid, print_cfn(cfn));
 					cfn->destroy(cfn);
 					cid_old = cid;
 				}
@@ -1036,25 +1520,309 @@ METHOD(attest_db_t, list_measurements, void,
 			e->destroy(e);
 
 			printf("%d %N value%s found for key %#B '%s'\n", count,
-				   hash_algorithm_names, pts_meas_algo_to_hash(this->algo),
+				   pts_meas_algorithm_names, this->algo,
 				   (count == 1) ? "" : "s", &this->key, this->owner);
 		}
 	}
 }
 
+METHOD(attest_db_t, list_sessions, void,
+	private_attest_db_t *this)
+{
+	enumerator_t *e;
+	chunk_t identity;
+	char *product, *device;
+	int session_id, conn_id, rec, device_len;
+	time_t created;
+	u_int t;
+
+	e = this->db->query(this->db,
+			"SELECT s.id, s.time, s.connection, s.rec, p.name, d.value, i.value "
+			"FROM sessions AS s "
+			"LEFT JOIN products AS p ON s.product = p.id "
+			"LEFT JOIN devices AS d ON s.device = d.id "
+			"LEFT JOIN identities AS i ON s.identity = i.id "
+			"ORDER BY s.time DESC",
+			 DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT, DB_TEXT, DB_BLOB);
+	if (e)
+	{
+		while (e->enumerate(e, &session_id, &t, &conn_id, &rec, &product,
+							   &device, &identity))
+		{
+			created = t;
+			product = product ? product : "-";
+			device = strlen(device) ? device : "-";
+			device_len = min(strlen(device), DEVICE_MAX_LEN);
+			identity = identity.len ? identity : chunk_from_str("-");
+			printf("%4d: %T %2d %-20s %.*s%*s%.*s - %N\n", session_id, &created,
+				   FALSE, conn_id, product, device_len, device,
+				   DEVICE_MAX_LEN - device_len + 1, " ", (int)identity.len,
+				   identity.ptr, TNC_IMV_Action_Recommendation_names, rec);
+		}
+		e->destroy(e);
+	}
+}
+
+/**
+ * Insert a file hash into the database
+ */
+static bool insert_file_hash(private_attest_db_t *this,
+							 pts_meas_algorithms_t algo,
+							 chunk_t measurement, int fid, bool ima,
+							 int *hashes_added, int *hashes_updated)
+{
+	enumerator_t *e;
+	chunk_t hash;
+	char *label;
+
+	label = "could not be created";
+
+	e = this->db->query(this->db,
+		"SELECT hash FROM file_hashes WHERE algo = ? "
+		"AND file = ? AND product = ? AND device = 0",
+		DB_INT, algo, DB_UINT, fid, DB_UINT, this->pid, DB_BLOB);
+	if (!e)
+	{
+		printf("file_hashes query failed\n");
+		return FALSE;
+	}
+	if (e->enumerate(e, &hash))
+	{
+		if (chunk_equals(measurement, hash))
+		{
+			label = "exists and equals";
+		}
+		else
+		{
+			if (this->db->execute(this->db, NULL,
+				"UPDATE file_hashes SET hash = ? WHERE algo = ? "
+				"AND file = ? AND product = ? and device = 0",
+				DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid,
+				DB_UINT, this->pid) == 1)
+			{
+				label = "updated";
+				(*hashes_updated)++;
+			}
+		}
+	}
+	else
+	{
+		if (this->db->execute(this->db, NULL,
+			"INSERT INTO file_hashes "
+			"(file, product, device, algo, hash) "
+			"VALUES (?, ?, 0, ?, ?)",
+			DB_UINT, fid, DB_UINT, this->pid,
+			DB_INT, algo, DB_BLOB, measurement) == 1)
+		{
+			label = "created";
+			(*hashes_added)++;
+		}
+	}
+	e->destroy(e);
+
+	printf("     %#B - %s%s\n", &measurement, ima ? "ima - " : "", label);
+	return TRUE;
+}
+
+/**
+ * Add hash measurement for a single file or all files in a directory
+ */
+static bool add_hash(private_attest_db_t *this)
+{
+	char *pathname, *filename, *sep, *label, *pos;
+	char ima_buffer[IMA_MAX_NAME_LEN + 1];
+	chunk_t measurement, ima_template;
+	pts_file_meas_t *measurements;
+	hasher_t *hasher = NULL;
+	bool ima = FALSE;
+	int fid, files_added = 0, hashes_added = 0, hashes_updated = 0;
+	int len, ima_hashes_added = 0, ima_hashes_updated = 0;
+	enumerator_t *enumerator, *e;
+
+	if (this->algo == PTS_MEAS_ALGO_SHA1_IMA)
+	{
+		ima = TRUE;
+		this->algo = PTS_MEAS_ALGO_SHA1;
+		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (!hasher)
+		{
+			printf("could not create hasher\n");
+			return FALSE;
+		}
+	}
+	sep = streq(this->dir, "/") ? "" : "/";
+
+	if (this->fid)
+	{
+		/* build pathname from directory path and relative filename */
+		if (asprintf(&pathname, "%s%s%s", this->dir, sep, this->file) == -1)
+		{
+			return FALSE;
+		}
+		measurements = pts_file_meas_create_from_path(0, pathname, FALSE,
+													  TRUE, this->algo);
+		free(pathname);
+	}
+	else
+	{
+		measurements = pts_file_meas_create_from_path(0, this->dir, TRUE,
+													  TRUE, this->algo);
+	}
+	if (!measurements)
+	{
+		printf("file measurement failed\n");
+		DESTROY_IF(hasher);
+		return FALSE;
+	}
+
+	enumerator = measurements->create_enumerator(measurements);
+	while (enumerator->enumerate(enumerator, &filename, &measurement))
+	{
+		if (this->fid)
+		{
+			/* a single file already exists */
+			filename = this->file;
+			fid = this->fid;
+			label = "exists";
+		}
+		else
+		{
+			/* retrieve or create filename */
+			label = "could not be created";
+
+			e = this->db->query(this->db,
+				"SELECT id FROM files WHERE name = ? AND dir = ?",
+				DB_TEXT, filename, DB_INT, this->did, DB_INT);
+			if (!e)
+			{
+				printf("files query failed\n");
+				break;
+			}
+			if (e->enumerate(e, &fid))
+			{
+				label = "exists";
+			}
+			else
+			{
+				if (this->db->execute(this->db, &fid,
+					"INSERT INTO files (name, dir) VALUES (?, ?)",
+					DB_TEXT, filename, DB_INT, this->did) == 1)
+				{
+					label = "created";
+					files_added++;
+				}
+			}
+			e->destroy(e);
+		}
+		printf("%4d: %s - %s\n", fid, filename, label);
+
+		/* compute file measurement hash */
+		if (!insert_file_hash(this, this->algo, measurement, fid, FALSE,
+							  &hashes_added, &hashes_updated))
+		{
+			break;
+		}
+		if (!ima)
+		{
+			continue;
+		}
+
+		/* compute IMA template hash */
+		pos = ima_buffer;
+		len = IMA_MAX_NAME_LEN;
+		if (!this->relative)
+		{
+			strncpy(pos, this->dir, len);
+			len = max(0, len - strlen(this->dir));
+			pos = ima_buffer + IMA_MAX_NAME_LEN - len;
+			strncpy(pos, sep, len);
+			len = max(0, len - strlen(sep));
+			pos = ima_buffer + IMA_MAX_NAME_LEN - len;
+		}
+		strncpy(pos, filename, len);
+		ima_buffer[IMA_MAX_NAME_LEN] = '\0';
+		ima_template = chunk_create(ima_buffer, sizeof(ima_buffer));
+		if (!hasher->get_hash(hasher, measurement, NULL) ||
+			!hasher->get_hash(hasher, ima_template, measurement.ptr))
+		{
+			printf("could not compute IMA template hash\n");
+			break;
+		}
+		if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, fid,
+							  TRUE, &ima_hashes_added, &ima_hashes_updated))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	printf("%d measurements, added %d new files, %d file hashes",
+		    measurements->get_file_count(measurements), files_added,
+			hashes_added);
+	if (ima)
+	{
+		printf(", %d ima hashes", ima_hashes_added);
+		hasher->destroy(hasher);
+	}
+	printf(", updated %d file hashes", hashes_updated);
+	if (ima)
+	{
+		printf(", %d ima hashes", ima_hashes_updated);
+	}
+	printf("\n");
+	measurements->destroy(measurements);
+
+	return TRUE;
+}
+
 METHOD(attest_db_t, add, bool,
 	private_attest_db_t *this)
 {
 	bool success = FALSE;
 
+	/* add key/component pair */
 	if (this->kid && this->cid)
 	{
 		success = this->db->execute(this->db, NULL,
-					"INSERT INTO key_component (key, component) VALUES (?, ?)",
-					DB_UINT, this->kid, DB_UINT, this->cid) == 1;
+					"INSERT INTO key_component (key, component, seq_no) "
+					"VALUES (?, ?, ?)",
+					DB_UINT, this->kid, DB_UINT, this->cid,
+					DB_UINT, this->seq_no) == 1;
 
-		printf("key/component pair (%d/%d) %sinserted into database\n",
-				this->kid, this->cid, success ? "" : "could not be ");
+		printf("key/component pair (%d/%d) %sinserted into database at "
+			   "position %d\n", this->kid, this->cid,
+			    success ? "" : "could not be ", this->seq_no);
+
+		return success;
+	}
+
+	/* add directory or file hash measurement for a given product */
+	if (this->did && this->pid)
+	{
+		return add_hash(this);
+	}
+
+	/* insert package version */
+	if (this->version_set && this->gid && this->pid)
+	{
+		time_t t = time(NULL);
+		int security, blacklist;
+
+		security =  this->package_state == OS_PACKAGE_STATE_SECURITY;
+		blacklist = this->package_state == OS_PACKAGE_STATE_BLACKLIST;
+
+		success = this->db->execute(this->db, NULL,
+					"INSERT INTO versions "
+					"(package, product, release, security, blacklist, time) "
+					"VALUES (?, ?, ?, ?, ?, ?)",
+					DB_UINT, this->gid, DB_INT, this->pid, DB_TEXT,
+					this->version, DB_INT, security, DB_INT, blacklist,
+					DB_INT, t) == 1;
+
+		printf("'%s' package %s (%s)%N %sinserted into database\n",
+				this->product, this->package, this->version,
+				os_package_state_names, this->package_state,
+				success ? "" : "could not be ");
 	}
 	return success;
 }
@@ -1063,13 +1831,45 @@ METHOD(attest_db_t, delete, bool,
 	private_attest_db_t *this)
 {
 	bool success;
+	int id, count = 0;
+	char *name;
+	enumerator_t *e;
+
+	/* delete a file measurement hash for a given product */
+	if (this->algo && this->pid && this->fid)
+	{
+		success = this->db->execute(this->db, NULL,
+								"DELETE FROM file_hashes "
+								"WHERE algo = ? AND product = ? AND file = ?",
+								DB_UINT, this->algo, DB_UINT, this->pid,
+								DB_UINT, this->fid) > 0;
+
+		printf("%4d: %s%s%s\n", this->fid, this->dir,
+				streq(this->dir, "/") ? "" : "/", this->file);
+		printf("%N value for product '%s' %sdeleted from database\n",
+				pts_meas_algorithm_names, this->algo, this->product,
+				success ? "" : "could not be ");
+
+		return success;
+	}
 
+	/* delete product/file entries */
 	if (this->pid && (this->fid || this->did))
 	{
-		printf("deletion of product/file entries not supported yet\n");
-		return FALSE;
+		success = this->db->execute(this->db, NULL,
+							"DELETE FROM product_file "
+							"WHERE product = ? AND file = ?",
+							DB_UINT, this->pid,
+							DB_UINT, this->fid ? this->fid : this->did) > 0;
+
+		printf("product/file pair (%d/%d) %sdeleted from database\n",
+				this->pid, this->fid ? this->fid : this->did,
+				success ? "" : "could not be ");
+
+		return success;
 	}
 
+	/* delete key/component pair */
 	if (this->kid && this->cid)
 	{
 		success = this->db->execute(this->db, NULL,
@@ -1093,24 +1893,44 @@ METHOD(attest_db_t, delete, bool,
 		return success;
 	}
 
-	if (this->did)
+	if (this->fid)
 	{
 		success = this->db->execute(this->db, NULL,
-								"DELETE FROM files WHERE type = 1 AND id = ?",
-								DB_UINT, this->did) > 0;
+								"DELETE FROM files WHERE id = ?",
+								DB_UINT, this->fid) > 0;
 
-		printf("directory '%s' %sdeleted from database\n", this->dir,
+		printf("file '%s%s%s' %sdeleted from database\n", this->dir,
+			   streq(this->dir, "/") ? "" : "/", this->file,
 			   success ? "" : "could not be ");
 		return success;
 	}
 
-	if (this->fid)
+	if (this->did)
 	{
-		success = this->db->execute(this->db, NULL,
-								"DELETE FROM files WHERE id = ?",
-								DB_UINT, this->fid) > 0;
+		e = this->db->query(this->db,
+				"SELECT id, name FROM files WHERE dir = ? ORDER BY name",
+				DB_INT, this->did, DB_INT, DB_TEXT);
+		if (e)
+		{
+			while (e->enumerate(e, &id, &name))
+			{
+				printf("%4d: %s\n", id, name);
+				count++;
+			}
+			e->destroy(e);
 
-		printf("file '%s' %sdeleted from database\n", this->file,
+			if (count)
+			{
+				printf("%d dependent file%s found, "
+					   "directory '%s' could not deleted\n",
+					   count, (count == 1) ? "" : "s", this->dir);
+				return FALSE;
+			}
+		}
+		success = this->db->execute(this->db, NULL,
+								"DELETE FROM directories WHERE id = ?",
+								DB_UINT, this->did) > 0;
+		printf("directory '%s' %sdeleted from database\n", this->dir,
 			   success ? "" : "could not be ");
 		return success;
 	}
@@ -1145,7 +1965,9 @@ METHOD(attest_db_t, destroy, void,
 {
 	DESTROY_IF(this->db);
 	DESTROY_IF(this->cfn);
+	free(this->package);
 	free(this->product);
+	free(this->version);
 	free(this->file);
 	free(this->dir);
 	free(this->owner);
@@ -1170,22 +1992,31 @@ attest_db_t *attest_db_create(char *uri)
 			.set_fid = _set_fid,
 			.set_key = _set_key,
 			.set_kid = _set_kid,
+			.set_package = _set_package,
+			.set_gid = _set_gid,
 			.set_product = _set_product,
 			.set_pid = _set_pid,
+			.set_version = _set_version,
 			.set_algo = _set_algo,
+			.set_relative = _set_relative,
+			.set_package_state = _set_package_state,
+			.set_sequence = _set_sequence,
 			.set_owner = _set_owner,
+			.set_utc = _set_utc,
+			.list_packages = _list_packages,
 			.list_products = _list_products,
 			.list_files = _list_files,
+			.list_directories = _list_directories,
 			.list_components = _list_components,
+			.list_devices = _list_devices,
 			.list_keys = _list_keys,
 			.list_hashes = _list_hashes,
 			.list_measurements = _list_measurements,
+			.list_sessions = _list_sessions,
 			.add = _add,
 			.delete = _delete,
 			.destroy = _destroy,
 		},
-		.dir = strdup(""),
-		.algo = PTS_MEAS_ALGO_SHA256,
 		.db = lib->db->create(lib->db, uri),
 	);
 
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index 9c9a9dcba..d0a48d844 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -14,16 +14,15 @@
  */
 
 /**
- *
  * @defgroup attest_db_t attest_db
- * @{ @ingroup attest_db
+ * @{ @ingroup libpts
  */
 
 #ifndef ATTEST_DB_H_
 #define ATTEST_DB_H_
 
 #include <pts/pts_meas_algo.h>
-
+#include <os_info/os_info.h>
 #include <library.h>
 
 typedef struct attest_db_t attest_db_t;
@@ -102,6 +101,23 @@ struct attest_db_t {
 	bool (*set_kid)(attest_db_t *this, int kid);
 
 	/**
+	 * Set software package to be queried
+	 *
+	 * @param product		software package
+	 * @param create		if TRUE create database entry if it doesn't exist
+	 * @return				TRUE if successful
+	 */
+	bool (*set_package)(attest_db_t *this, char *package, bool create);
+
+	/**
+	 * Set primary key of the software package to be queried
+	 *
+	 * @param gid			primary key of software package
+	 * @return				TRUE if successful
+	 */
+	bool (*set_gid)(attest_db_t *this, int gid);
+
+	/**
 	 * Set software product to be queried
 	 *
 	 * @param product		software product
@@ -119,6 +135,14 @@ struct attest_db_t {
 	bool (*set_pid)(attest_db_t *this, int pid);
 
 	/**
+	 * Set software package version to be queried
+	 *
+	 * @param version		software package version
+	 * @return				TRUE if successful
+	 */
+	bool (*set_version)(attest_db_t *this, char *version);
+
+	/**
 	 * Set measurement hash algorithm
 	 *
 	 * @param algo			hash algorithm
@@ -126,6 +150,26 @@ struct attest_db_t {
 	void (*set_algo)(attest_db_t *this, pts_meas_algorithms_t algo);
 
 	/**
+	 * Set that the IMA-specific SHA-1 template hash be computed
+	 */
+	void (*set_ima)(attest_db_t *this);
+
+	/**
+	 * Set that relative filenames are to be used
+	 */
+	void (*set_relative)(attest_db_t *this);
+
+	/**
+	 * Set the package security or blacklist state
+	 */
+	void (*set_package_state)(attest_db_t *this, os_package_state_t package_state);
+
+	/**
+	 * Set the sequence number
+	 */
+	void (*set_sequence)(attest_db_t *this, int seq_no);
+
+	/**
 	 * Set owner [user/host] of an AIK
 	 *
 	 * @param owner			user/host name
@@ -134,11 +178,26 @@ struct attest_db_t {
 	void (*set_owner)(attest_db_t *this, char *owner);
 
 	/**
+	 * Display all dates in UTC
+	 */
+	void (*set_utc)(attest_db_t *this);
+
+	/**
+	 * List all packages stored in the database
+	 */
+	void (*list_packages)(attest_db_t *this);
+
+	/**
 	 * List all products stored in the database
 	 */
 	void (*list_products)(attest_db_t *this);
 
 	/**
+	 * List all directories stored in the database
+	 */
+	void (*list_directories)(attest_db_t *this);
+
+	/**
 	 * List selected files stored in the database
 	 */
 	void (*list_files)(attest_db_t *this);
@@ -149,6 +208,11 @@ struct attest_db_t {
 	void (*list_components)(attest_db_t *this);
 
 	/**
+	 * List all devices stored in the database
+	 */
+	void (*list_devices)(attest_db_t *this);
+
+	/**
 	 * List all AIKs stored in the database
 	 */
 	void (*list_keys)(attest_db_t *this);
@@ -164,6 +228,11 @@ struct attest_db_t {
 	void (*list_measurements)(attest_db_t *this);
 
 	/**
+	 * List sessions stored in the database
+	 */
+	void (*list_sessions)(attest_db_t *this);
+
+	/**
 	 * Add an entry to the database
 	 */
 	bool (*add)(attest_db_t *this);
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
index e58f821e0..324fcafc3 100644
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ b/src/libpts/plugins/imv_attestation/attest_usage.c
@@ -24,42 +24,49 @@ void usage(void)
 {
 	printf("\
 Usage:\n\
-  ipsec attest --files|--products|--keys|--hashes [options]\n\
+  ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\
   \n\
-  ipsec attest --components|-keys|--measurements|--add|--del [options]\n\
+  ipsec attest --measurements|--packages|--products|--add|--del [options]\n\
   \n\
-  ipsec attest --files [--product <name>|--pid <id>]\n\
-    Show a list of files with a software product name or\n\
+  ipsec attest --components [--key <digest>|--kid <id>]\n\
+    Show a list of components with an AIK digest or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --products [--file <path>|--fid <id>]\n\
-    Show a list of supported software products with a file path or\n\
+  ipsec attest --devices [--utc]\n\
+    Show a list of registered devices and associated collected information\n\
+  \n\
+  ipsec attest --files [--product <name>|--pid <id>]\n\
+    Show a list of files with a software product name or\n\
     its primary key as an optional selector.\n\
   \n\
   ipsec attest --hashes [--sha1|--sha256|--sha384] [--product <name>|--pid <id>]\n\
     Show a list of measurement hashes for a given software product or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --hashes [--sha1|--sha256|--sha384] [--file <path>|--fid <id>]\n\
+  ipsec attest --hashes [--sha1|--sha1-ima|--sha256|--sha384] [--file <path>|--fid <id>]\n\
     Show a list of measurement hashes for a given file or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --components [--key <digest>|--kid <id>]\n\
-    Show a list of components with an AIK digest or\n\
-    its primary key as an optional selector.\n\
-  \n\
   ipsec attest --keys [--components <cfn>|--cid <id>]\n\
     Show a list of AIK key digests with a component or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --measurements [--sha1|--sha256|--sha384] [--component <cfn>|--cid <id>]\n\
+  ipsec attest --measurements --sha1|--sha256|--sha384 [--component <cfn>|--cid <id>]\n\
     Show a list of component measurements for a given component or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\
+  ipsec attest --measurements --sha1|--sha256|--sha384 [--key <digest>|--kid <id>|--aik <path>]\n\
     Show a list of component measurements for a given AIK or\n\
     its primary key as an optional selector.\n\
   \n\
+  ipsec attest --packages [--product <name>|--pid <id>] [--utc]\n\
+    Show a list of software packages for a given product or\n\
+    its primary key as an optional selector.\n\
+  \n\
+  ipsec attest --products [--file <path>|--fid <id>]\n\
+    Show a list of supported software products with a file path or\n\
+    its primary key as an optional selector.\n\
+  \n\
   ipsec attest --add --file <path>|--dir <path>|--product <name>|--component <cfn>\n\
     Add a file, directory, product or component entry\n\
     Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\
@@ -67,14 +74,35 @@ Usage:\n\
   ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
     Add an AIK public key digest entry preceded by an optional owner name\n\
   \n\
+  ipsec attest --add --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+              [--relative|--rel] --dir <path>|--file <path>\n\
+    Add hashes of a single file or all files in a directory under absolute or relative filenames\n\
+  \n\
+  ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\
+    Add an ordered key/component entry\n\
+  \n\
+  ipsec attest --add --package <name> --version <string> [--security|--blacklist]\n\
+              [--product <name>|--pid <id>]\n\
+    Add a package version for a given product optionally with security or blacklist flag\n\
+  \n\
   ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
     Delete a file or directory entry referenced either by value or primary key\n\
   \n\
   ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\
     Delete a product or component entry referenced either by value or primary key\n\
   \n\
+  ipsec attest --del --product <name>|--pid <id> --file <path>|--fid <id>|--dir <path>|--did <id>\n\
+    Delete a product/file entry referenced either by value or primary key\n\
+  \n\
   ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
     Delete an AIK entry referenced either by value or primary key\n\
+  \n\
+  ipsec attest --del --key <digest|--kid <id> --component <cfn>|--cid <id>\n\
+    Delete a key/component entry\n\
+  \n\
+  ipsec attest --del --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+               [--dir <path>|--did <id>] --file <path>|--fid <id>\n\
+    Delete a file hash given an absolute or relative filename\n\
   \n");
 }
 
diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh
new file mode 100755
index 000000000..be1024de0
--- /dev/null
+++ b/src/libpts/plugins/imv_attestation/build-database.sh
@@ -0,0 +1,221 @@
+#!/bin/sh
+
+p="Ubuntu 12.04 i686"
+
+ipsec attest --add --product "$p" --sha1-ima --dir  /sbin 
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/sbin
+ipsec attest --add --product "$p" --sha1-ima --dir  /bin
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/bin
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/acpi
+ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rc
+ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rcS
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/network/if-post-down.d
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/network/if-pre-up.d
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/network/if-up.d
+ipsec attest --add --product "$p" --sha1-ima --file /etc/NetworkManager/dispatcher.d/01ifupdown
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/ppp/ip-down.d
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/rc2.d
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/rcS.d
+ipsec attest --add --product "$p" --sha1-ima --file /etc/rc.local
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/resolvconf/update.d
+ipsec attest --add --product "$p" --sha1-ima --file /etc/resolvconf/update-libc.d/avahi-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir  /etc/update-motd.d
+ipsec attest --add --product "$p" --sha1-ima --file /lib/crda/setregdomain
+ipsec attest --add --product "$p" --sha1-ima --file /lib/init/apparmor-profile-load
+ipsec attest --add --product "$p" --sha1-ima --file /lib/resolvconf/list-records
+ipsec attest --add --product "$p" --sha1-ima --dir  /lib/udev
+ipsec attest --add --product "$p" --sha1-ima --file /lib/ufw/ufw-init
+ipsec attest --add --product "$p" --sha1-ima --file /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/accountsservice/accounts-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/apt/methods
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/at-spi2-core
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/avahi/avahi-daemon-check-dns.sh
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/bamf/bamfdaemon
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/ConsoleKit
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/ConsoleKit/run-seat.d
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/ConsoleKit/run-session.d
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/cups/notifier
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dconf/dconf-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/deja-dup/deja-dup/deja-dup-monitor
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/evolution/3.2/evolution-alarm-notify
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/firefox
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/plugin-container
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/cc1
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/collect2
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/geoclue/geoclue-master
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/git-core
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-desktop3/check_gl_texture_size
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-disk-utility/gdu-notification-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-online-accounts/goa-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/gnome-settings-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-user-share/gnome-user-share
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-screensaver/gnome-screensaver-dialog
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/gvfs
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gvfs//gvfs-fuse-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/i386-linux-gnu/colord/colord
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/i386-linux-gnu/gconf
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-application/indicator-application-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-appmenu/hud-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-datetime/indicator-datetime-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-messages/indicator-messages-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-printers/indicator-printers-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-session/indicator-session-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-sound/indicator-sound-service
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/lightdm
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dhcp-client.action
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dispatcher.action
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/notify-osd/notify-osd
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/nux/unity_support_test
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/pm-utils/power.d
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/pm-utils/sleep.d
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1/polkitd
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/pulseaudio/pulse/gconf-helper
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/rtkit/rtkit-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/system-service/system-service-d
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/telepathy/mission-control-5
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/thunderbird/thunderbird
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/ubuntuone-client
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/ubuntu-geoip/ubuntu-geoip-provider
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/ubuntu-sso-client
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/udisks
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity/unity-panel-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-applications/unity-applications-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-files/unity-files-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/unity-lens-music
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-video/unity-lens-video
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-scope-video-remote/unity-scope-video-remote
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/update-manager/release-upgrade-motd
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/lib/update-notifier
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/upower/upowerd
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/libvte-2.90-9/gnome-pty-helper
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/zeitgeist/zeitgeist-fts
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-checkreports
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-gtk
+ipsec attest --add --product "$p" --sha1-ima --dir  /usr/share/language-tools
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/virtualbox/VBoxCreateUSBNode.sh
+ipsec attest --add --product "$p" --sha1-ima --relative --file /etc/ld.so.cache
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /lib/i386-linux-gnu
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /lib/i386-linux-gnu/security
+for file in `find /lib/modules/3.2.21ima/kernel -name *.ko`
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /lib/plymouth
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /lib/plymouth/renderers
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /lib/security
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /opt/Adobe/Reader9/Reader/intellinux/lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/apache2/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/compiz
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/compizconfig/backends/
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/enchant
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libemiscwidgets.so.0.0.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libeutil.so.0.0.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libgnomecanvas.so.0.0.0
+for file in /usr/lib/firefox/*.so
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libbrowsercomps.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libdbusservice.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libmozgnome.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/plugins/nppdf.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/flashplugin-installer/libflashplayer.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/gedit/plugins
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/gnome-bluetooth
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/gnome-settings-daemon-3.0
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/gtk-2.0/2.10.0/menuproxies
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/gtk-3.0/3.0.0/menuproxies
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/gtk-3.0/3.0.0/theming-engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/alsa-lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/dri
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gconf/2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gconv
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gio/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gtk-2.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/immodules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gtk-3.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gtk-3.0/3.0.0/immodules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/gvfs
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/libcanberra-0.28
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/mesa
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/mit-krb5
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/pango/1.6.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/pkcs11
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/polkit-1/extensions
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/nss
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/sane
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/i386-linux-gnu/sse2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/indicators3/7
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/indicator-messages/status-providers/1
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/libpeas-1.0/loaders
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libman-2.6.1.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libmandb-2.6.1.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/mission-control-plugins.0
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/ModemManager
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/nautilus/extensions-3.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/NetworkManager/libnm-settings-plugin-ifupdown.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/perl/5.14.2/auto/File/Glob/Glob.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/pulse-1.1/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/python2.7/lib-dynload
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_inst.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_pkg.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/cairo/_cairo.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/dbus/mainloop/qt.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_bindings.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_glib_bindings.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/duplicity/_librsync.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gi.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gobject/_gobject.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_glib/_glib.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/glib/_glib.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gobject/_gobject.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/atk.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gtk/_gtk.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/_gio.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/unix.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pango.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pangocairo.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pynotify/_pynotify.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/crypto.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/rand.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/SSL.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/PyQt4/QtCore.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/simplejson/_speedups.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/sip.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/internet/_sigchld.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/python/_initgroups.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/xapian/_xapian.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/zope/interface/_zope_interface_coptimizations.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/rsyslog
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/sane
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/sse2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/sudo
+for file in /usr/lib/thunderbird/*.so
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libdbusservice.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libmozgnome.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/xorg/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/xorg/modules/drivers
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/xorg/modules/extensions
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/lib/xorg/modules/input
+ipsec attest --add --product "$p" --sha1-ima --relative --dir  /usr/share/fonts/truetype/ubuntu-font-family
+ipsec attest --del --product "$p" --sha1                --file /lib/resolvconf/list-records
+ipsec attest --del --product "$p" --sha1-ima            --file /lib/resolvconf/list-records
+ipsec attest --del --product "$p" --sha1                --file /usr/bin/lsb_release
+ipsec attest --del --product "$p" --sha1-ima            --file /usr/bin/lsb_release
+ipsec attest --del --product "$p" --sha1                --file /usr/share/language-tools/language-options
+ipsec attest --del --product "$p" --sha1-ima            --file /usr/share/language-tools/language-options
+
diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql
deleted file mode 100644
index e6e03627a..000000000
--- a/src/libpts/plugins/imv_attestation/data.sql
+++ /dev/null
@@ -1,1305 +0,0 @@
-/* Products */
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 11.04 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 11.04 x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'CentOS release 5.6 (Final) x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 10.10 x86_64'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 10.10 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Gentoo Base System release 1.12.11.1 i686'
-);
-
-INSERT INTO products (
-  name
-) VALUES (
- 'Ubuntu 11.10 i686'
-);
-
-/* Files */
-
-INSERT INTO files (			/* 1 */
-  type, path
-) VALUES (
-  0, '/lib/i386-linux-gnu/libdl.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/lib/x86_64-linux-gnu/libdl.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/lib/libdl.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/sbin/iptables'
-);
-
-INSERT INTO files (			/* 5 */
-  type, path
-) VALUES (
-  0, '/lib/libxtables.so.5'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/lib/libxtables.so.2'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  1, '/lib/xtables/'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_udp.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_tcp.so'
-);
-
-INSERT INTO files (			/* 10 */
-  type, path
-) VALUES (
-  0, 'libxt_esp.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_policy.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_conntrack.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libipt_SNAT.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libipt_DNAT.so'
-);
-
-INSERT INTO files (			/* 15 */
-  type, path
-) VALUES (
-  0, 'libipt_MASQUERADE.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libipt_LOG.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/sbin/ip6tables'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libip6t_LOG.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, 'libxt_mark.so'
-);
-
-INSERT INTO files (			/* 20 */
-  type, path
-) VALUES (
-  0, 'libxt_MARK.so'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  1, '/lib/iptables'
-);
-
-INSERT INTO files (
-  type, path
-) VALUES (
-  0, '/etc/tnc_config'
-);
-
-/* Product-File */
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 1, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 5, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  1, 17, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  1, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 2, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 5, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  2, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  2, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  3, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  3, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  3, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 6, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  4, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  4, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 6, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  5, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  5, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 3, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 17, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  6, 21, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  6, 22, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 1, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 4, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 5, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 7, 1
-);
-
-INSERT INTO product_file (
-  product, file, measurement
-) VALUES (
-  7, 17, 1
-);
-
-INSERT INTO product_file (
-  product, file, metadata
-) VALUES (
-  7, 22, 1
-);
-
-/* File Hashes */
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 1, 32768, X'409bb1a97e26ea1144cdd6801b8159f17f376b8f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 1, 16384, X'675172775cfd2b73ed1e249e4a730921f06c2f86fffdce4c71674cc654f37ed7'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 1, 8192, X'abc8ce3fc99b6dcec6745ffc2f59e35372b9b126491480d04b0f93076beded06cccb27b61f1170868fada8cddefa7be4'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 7, 32768, X'40763935cdea25119002c42f984b994d8d2a6d75'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 7, 16384, X'27c4f867d3f994a361e0b25d7846b3698d29f82b38662f233a97cafc60c44189'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  1, 7, 8192, X'301dad8829308f5a68c603a87bf961b91365f0346ac2f322de3ddcbb4645f56c0e6d2dc503ec2abff8fe8e895ce9304d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  2, 2, 32768, X'2a4047437e6fb346e2d854fc415e16b80e75bf6b'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  2, 2, 16384, X'86aa0bf93dade999277d963338402ed437271f3436f594a49ffca85b6c487523'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  2, 2, 8192, X'6090441219c0b478d294ae88e006d85ac0d94464573bcca7d180618a612bd170e3ee47c1545861b0f06fe0db85544c59'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 3, 32768, X'07d8c0218a5b3469b409dc95cf8f77a341a595fb'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 3, 16384, X'b083699fbc4c9f9e0d463361118904a3832670ad2fe3d6b42f811061188d509f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 3, 8192, X'b14908de476467a11a7a98835d1cf8317c7b80a684692426ddd7b0014e00b70b3d1b4fc1dd02ad440447612ee9dadb52'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 4, 32768, X'4350f082511c742cc05050d18a23d1da9fb09340'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 4, 16384, X'f9e12408828b5842c45503342dc2af78bc74d701a19c5fd5483df0e203315e0a'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 4, 8192, X'1a5ea36e4ab0cda550c0da2af6a62d9310981d2f170c9e75bff1770be2efb9ddccc451743ff4c3d76876364f19fdf8c1'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 6, 32768, X'91f4bb52404ca26b3a797152076ca5d233b93c1d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 6, 16384, X'59bced619eabbde5dd3ef74b92ba660349e105d36be9756c8d1598abd4bc066c'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  3, 6, 8192, X'fc6b1350067d23fca711b8a674e0367ad255bae0ddb2efe10dca1b18b18985bd09a7459937fda729d349874bb2701df3'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 1, 32768, X'ff6deca0eeb7a257205c5f0ab5f5d821ea184098'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 1, 16384, X'5c84fdf7c529d3c65a001587eda641fe489f83961a621fe514e7852a842690d6'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 1, 8192, X'8bd699f85f5b3efb27204b4699c518f871ef245d03b4bf8d1cc00456025017546030c2f493525754cffcd24cdbc03b21'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 2, 32768, X'1118805b490051637e93e592f4c71e0ee78a2422'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 2, 16384, X'5ea7229ebef5dc8f9fb2118676b773dd62cf89dc21657e3b8fbbcbc70ee24bd3'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 2, 8192, X'3b8da9e704e644eb7b196981624a2f6826c401d689e00ba47e42ff46351d27c6b9e91b1e8351ee01f66e5244b4c2a9b0'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 3, 32768, X'b5cd500ec15d6bfcae15e0af1dc121df7114b97d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 3, 16384, X'b94f1cba12abb0ec79d207142526388ec0d127c4f2aad4a46a623a1f69bac84f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 3, 8192, X'6663d66ff0e93b1b8a1edcdbe45d64834e29dc9c2b1d23126fd370a85b2c56da5cadcbc65b6e8afbb1e18bea8e413bd1'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 4, 32768, X'86c4463293859874243d8374f7f3ef60f44f9309'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 4, 16384, X'348b711f16ee9810738857c8ffbc54f8e16a393df8635cb29b02fc62daeefc14'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 4, 8192, X'0cb6b7d91148b1bb1b9333bc71de01509cb6d12c646a6756e6942647046286fbbca92b25dc1999e8f81be1264061ee4d'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 6, 32768, X'e3cf3ef2ee5df0117972808bfa93b7795f5da873'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 6, 16384, X'fde81f544e49c44aabe0e312a00a7f8af01a0e3123dc5c54c65e3e78ba475b22'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 6, 8192, X'e0cc89d1f229f9f35109bef3b163badc0941ca0a957d09e397a8d06e2b32e737f1f1135ebf0c0546d3d4c5354aaca40f'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 7, 32768, X'ff6deca0eeb7a257205c5f0ab5f5d821ea184098'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 7, 16384, X'5c84fdf7c529d3c65a001587eda641fe489f83961a621fe514e7852a842690d6'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  4, 7, 8192, X'8bd699f85f5b3efb27204b4699c518f871ef245d03b4bf8d1cc00456025017546030c2f493525754cffcd24cdbc03b21'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 1, 32768, X'7a3ca72158e60b0c91e48a420848f1b693aea26c'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 1, 16384, X'f9693c7d36c087d51f5012897fa0e8bb94081854d080c84f831f4d693d22f645'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 1, 8192, X'4ec135e54c8840ab575fcdf00c66f996f763863ad30800b0f0a0b02e7899697d6ab9ccfe185ccbc16c19f38d0a27becb'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 2, 32768, X'5d36a26856021d68a42f8bd7ca22365579d43891'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 2, 16384, X'411be0558ad0cef33b437dafeed40104917e2079646524145abf9d05ddc6c1c5'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 2, 8192, X'237f4691f9b780bec7aff217d64a9780ceed2973a41e86c92e0d6dab81cc5d13a9b99ba408302264f5665de1f42ef6e1'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 7, 32768, X'7a3ca72158e60b0c91e48a420848f1b693aea26c'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 7, 16384, X'f9693c7d36c087d51f5012897fa0e8bb94081854d080c84f831f4d693d22f645'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  5, 7, 8192, X'4ec135e54c8840ab575fcdf00c66f996f763863ad30800b0f0a0b02e7899697d6ab9ccfe185ccbc16c19f38d0a27becb'
-);
-
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  6, 4, 32768, X'92e66ae282947f66544682039a33fd1dbd402244'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  6, 4, 16384, X'dc6bad544f72c4538fb92f777646fd734b49ce95f41b2c96b74a21addbc86ed8'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  6, 4, 8192, X'08fd91f9017763212d1491f178e4d7e41d34a21b0117ee3321d832f5b8e02d4c7152a6cdc53bb4ca7e8aad5b1f279d1f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 1, 32768, X'11ce3b45feb3e66a75490d42ba95071ac6f40a7f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 1, 16384, X'468ef70f19372bc4a2b1805ffa3621515061fc19fa361374788bd362d638ac02'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 1, 8192, X'63076ae505ce52c37878c9b6891ac516320046403aec25bf347c7011c2d28d5db7e2946d1fae3006ab4ef43716ff4558'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 4, 32768, X'200eab67377bf3d5a25372838c38841658a718e4'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 4, 16384, X'31045af9a12efdc58155a177e9391dd28b93fa38af58ce00f49259cc26e97687'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 4, 8192, X'e8c64b508171d947069382da58dc7e39a97ce878a07f494a6fb370efb09116d32f1d4cdddeef85f22e14d1c5d5a37625'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 7, 32768, X'11ce3b45feb3e66a75490d42ba95071ac6f40a7f'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 7, 16384, X'468ef70f19372bc4a2b1805ffa3621515061fc19fa361374788bd362d638ac02'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 7, 7, 8192, X'63076ae505ce52c37878c9b6891ac516320046403aec25bf347c7011c2d28d5db7e2946d1fae3006ab4ef43716ff4558'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 21, 6, 32768, X'010873de0d682a26e1c6795dd4992248cc47cdd1'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 21, 6, 16384, X'bfb45524d81a3645bf216a6cf52cd5624aadf6717012bf722afce2db3e31f712'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  8, 21, 6, 8192, X'f69b3f60b904f2deb39ea1fb9b0132638f0aea27357e365297f6b2ec895d42b260143b5e912d00df1a4a1d75a1b508fa'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 1, 32768, X'1d740abd38f9f4bc81ca434a0e25b6e21704248b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 1, 16384, X'e26bb7175956dc8747a81431e810f830413b6c63756bf5156ab51367fe4f48a0'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 1, 8192, X'5d3637413b9e318d0e0be6a9da86121062b99d1bdb084dfda4222baa71b250de644b4024281760b4eae926e03fac4fdb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 4, 32768, X'd2bf3556a0b38cfba2962d058fa8ea777397e82d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 4, 16384, X'4ec845e828af69dcbde3ecb981096ac1e25c9e3e607e9a24b27da7e44527edf9'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 4, 8192, X'3204a34ca409730298f60361865dace24900827ee9f3bc87884d50827911b4b17beb4c09bad77e43f28938f10bc5138a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 7, 32768, X'1d740abd38f9f4bc81ca434a0e25b6e21704248b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 7, 16384, X'e26bb7175956dc8747a81431e810f830413b6c63756bf5156ab51367fe4f48a0'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 7, 7, 8192, X'5d3637413b9e318d0e0be6a9da86121062b99d1bdb084dfda4222baa71b250de644b4024281760b4eae926e03fac4fdb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 21, 6, 32768, X'e1df4f3949b09c25e15b9c9b7088a60d683903a8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 21, 6, 16384, X'46f0ec6b0a2c3a24157019ed60f03de2ec9160d07f12b7e0b3d3f02b609a151d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  9, 21, 6, 8192, X'4f73eae305e01e9ad57b5b1271a16bb8518fb82135aeb27311aa390d0d3a564b596adb723137f15bbf1db38b8dcbbdae'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 1, 32768, X'339a58a1b313830c3cc74cb3fb52a5b8152f44e6'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 1, 16384, X'789f2c6a9382bb342964a12947ddf84735d3e3ed3aefbae407098738cdf7c686'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 1, 8192, X'858310a6e4b6311c491c4370990bfd6b9f03a49bb5ddf45b0d788f7043f130016e11be6bd95db66e49e2906a87adf8cb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 7, 32768, X'339a58a1b313830c3cc74cb3fb52a5b8152f44e6'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 7, 16384, X'789f2c6a9382bb342964a12947ddf84735d3e3ed3aefbae407098738cdf7c686'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 7, 7, 8192, X'858310a6e4b6311c491c4370990bfd6b9f03a49bb5ddf45b0d788f7043f130016e11be6bd95db66e49e2906a87adf8cb'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 21, 6, 32768, X'87df2d01b85d8354819b431bae0a0a65bfc5d2db'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 21, 6, 16384, X'a25fef11c899d826ea61996f0bc05330bc88428eafb792be0182ad97b6283aae'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  10, 21, 6, 8192, X'357e5756dbfa22c21d3666521e644eefdf532b7d371cca62fc099579f3c98b97cb51d005dcbaf805f8a7def26dfde142'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 1, 32768, X'2d32ef93126abf8c660d57c67e5076c6394cabe8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 1, 16384, X'ced29aca7fc2dd0b01d5d544dfb2e1640a6a79c657f589e7dd6636cfd63eda3b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 1, 8192, X'a2d33fa2d0ee7bffa5e628f88ccb83cd61bb4c5fe6d2edb8b853b83d8c43f498fa6e8da70510f0a1a3ddb36060bbd4d8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 7, 32768, X'2d32ef93126abf8c660d57c67e5076c6394cabe8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 7, 16384, X'ced29aca7fc2dd0b01d5d544dfb2e1640a6a79c657f589e7dd6636cfd63eda3b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  11, 7, 7, 8192, X'a2d33fa2d0ee7bffa5e628f88ccb83cd61bb4c5fe6d2edb8b853b83d8c43f498fa6e8da70510f0a1a3ddb36060bbd4d8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 1, 32768, X'6c0b2df4fc4c9122b5762ae140d53fdd1cf9e89b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 1, 16384, X'53c3f2bd5aaf8ef4c40f9af92a67621f5e67840b5ff2db67d1bccbcb56f7eef1'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 1, 8192, X'1a4a6d91bda3ce59e6c444ccc1e758c9c6f0e223fd8c5aac369260cdfa83081c0e8f3753f100490910ec161902f10ba7'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 7, 32768, X'6c0b2df4fc4c9122b5762ae140d53fdd1cf9e89b'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 7, 16384, X'53c3f2bd5aaf8ef4c40f9af92a67621f5e67840b5ff2db67d1bccbcb56f7eef1'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  12, 7, 7, 8192, X'1a4a6d91bda3ce59e6c444ccc1e758c9c6f0e223fd8c5aac369260cdfa83081c0e8f3753f100490910ec161902f10ba7'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 1, 32768, X'e2f7b92abda769f82796f57a29801870585dcea3'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 1, 16384, X'6d3fe67a040dbb469ef498b26cece45806cb7ca04787bba53b7ba1c18e2abd0a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 1, 8192, X'014852b73cd3eabfa955b7bd56b269d5a0590a2770cf3d656b3d68dbad30884327fc81ff96c6f661c9c4189c3aefa346'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 7, 32768, X'e2f7b92abda769f82796f57a29801870585dcea3'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 7, 16384, X'6d3fe67a040dbb469ef498b26cece45806cb7ca04787bba53b7ba1c18e2abd0a'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  13, 7, 7, 8192, X'014852b73cd3eabfa955b7bd56b269d5a0590a2770cf3d656b3d68dbad30884327fc81ff96c6f661c9c4189c3aefa346'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 1, 32768, X'160d2b04d11eb225fb148615b699081869e15b6c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 1, 16384, X'1f5a2ceae1418f9c1fbf51eb7d84f74d488908cde5931a5461746d1e24682a25'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 1, 8192, X'f701cb25b0e9a9f32d3bba9b274ca0e8838363d13b7283b842d6c9673442890e538127c3b64ca4b177de1d243b44cf0d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 7, 32768, X'160d2b04d11eb225fb148615b699081869e15b6c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 7, 16384, X'1f5a2ceae1418f9c1fbf51eb7d84f74d488908cde5931a5461746d1e24682a25'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  14, 7, 7, 8192, X'f701cb25b0e9a9f32d3bba9b274ca0e8838363d13b7283b842d6c9673442890e538127c3b64ca4b177de1d243b44cf0d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 1, 32768, X'5a0d07ab036603a76759e5f61f7d04f2d3c056cc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 1, 16384, X'85491714e860062c441ff50d93ad79350449596b89b2e409b513c2d883321c9d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 1, 8192, X'8038830a994c779bc200e844d8768280feca9dd5d58de6cd359b87cc68846799edfd16e36e83002da4bb309cfd3b353d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 7, 32768, X'5a0d07ab036603a76759e5f61f7d04f2d3c056cc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 7, 16384, X'85491714e860062c441ff50d93ad79350449596b89b2e409b513c2d883321c9d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  15, 7, 7, 8192, X'8038830a994c779bc200e844d8768280feca9dd5d58de6cd359b87cc68846799edfd16e36e83002da4bb309cfd3b353d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 1, 32768, X'd6c8dfbaae7ab28b5cef2626a2af3f99a6ea4365'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 1, 16384, X'd0d6f784e937227cce99e3be860be078d0397a6fb5a5bc9d95a19ef855609dbc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 1, 8192, X'4be6e7978a6e4fb8a792815f2bbe28c2e66276401fb98ca90e49a5c2f2c94a1c7aac635d501d35d1db0fd53a0cb9d0fa'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 7, 32768, X'd6c8dfbaae7ab28b5cef2626a2af3f99a6ea4365'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 7, 16384, X'd0d6f784e937227cce99e3be860be078d0397a6fb5a5bc9d95a19ef855609dbc'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  16, 7, 7, 8192, X'4be6e7978a6e4fb8a792815f2bbe28c2e66276401fb98ca90e49a5c2f2c94a1c7aac635d501d35d1db0fd53a0cb9d0fa'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 1, 32768, X'8a7c41167bc0fcc1dec8329a868ba265c23857f5'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 1, 16384, X'f8eb857d7bb850f44c15363ba699442c2810663ac5a83a5f49e06e0fd8144b0e'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 1, 8192, X'f40cb6e557ab18d70080e7995e3f96cc272842e822bf52bc1c59075313c2cd832f96cf03a8524905f3d3f7a61441c651'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 6, 32768, X'8178f18dcb836e7f7432c4ad568bfd66b7ef4a96'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 6, 16384, X'2d6aaed577bfac626ff4958ee1076bc343f8db46538aa6c381521bac94c5ca9e'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 6, 8192, X'747bbaee322f9bf1849308f8907e2a43868eae8559a7be718113abb4ce535f6d509d005e51788cf3e83e148487fe7bf3'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 7, 32768, X'8a7c41167bc0fcc1dec8329a868ba265c23857f5'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 7, 16384, X'f8eb857d7bb850f44c15363ba699442c2810663ac5a83a5f49e06e0fd8144b0e'
-);
-
-INSERT INTO file_hashes (
-  file, product, algo, hash
-) VALUES (
-  17, 7, 8192, X'f40cb6e557ab18d70080e7995e3f96cc272842e822bf52bc1c59075313c2cd832f96cf03a8524905f3d3f7a61441c651'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 1, 32768, X'23296f48276e160b6d99b1b42a9114df720bb1ab'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 1, 16384, X'78cd0a598080e31453f477e8d8a12ec794e859f4076ed92e53d2053d6d16762c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 1, 8192, X'4da3955f1fd968ecf95cff825d42715b544e577f28f411a020a270834235125bc0c8872bac8dd3466349ac8ab0aa2d74'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 7, 32768, X'23296f48276e160b6d99b1b42a9114df720bb1ab'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 7, 16384, X'78cd0a598080e31453f477e8d8a12ec794e859f4076ed92e53d2053d6d16762c'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  18, 7, 7, 8192, X'4da3955f1fd968ecf95cff825d42715b544e577f28f411a020a270834235125bc0c8872bac8dd3466349ac8ab0aa2d74'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 1, 32768, X'd537d437f058136eb3d7be517dbe7647b623c619'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 1, 16384, X'6a837037ad3fc4d06270d99cee2714dcf96b91aeb54d3483009219337961f834'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 1, 8192, X'7b5b16840da590a995fab23533f41982c5b136bff8e9b9a90b3c919a12cee20d312091455057a8bba9d9fbe314e6203d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 7, 32768, X'd537d437f058136eb3d7be517dbe7647b623c619'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 7, 16384, X'6a837037ad3fc4d06270d99cee2714dcf96b91aeb54d3483009219337961f834'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  19, 7, 7, 8192, X'7b5b16840da590a995fab23533f41982c5b136bff8e9b9a90b3c919a12cee20d312091455057a8bba9d9fbe314e6203d'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 1, 32768, X'f9e3531abb67a020cf667d46ca823675dd0a0dd4'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 1, 16384, X'569bafa2dabbcfa0ba9c7c411eacfeb8930f9d856a1a43cf8aa3662a67c13e35'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 1, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 7, 32768, X'f9e3531abb67a020cf667d46ca823675dd0a0dd4'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 7, 16384, X'569bafa2dabbcfa0ba9c7c411eacfeb8930f9d856a1a43cf8aa3662a67c13e35'
-);
-
-INSERT INTO file_hashes (
-  file, directory, product, algo, hash
-) VALUES (
-  20, 7, 7, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8'
-);
-
-/* AIKs */
-
-INSERT INTO keys (
-  keyid, owner
-) VALUES (
-  X'b772a6730776b9f028e5adfccd40b55c320a13b6', 'Andreas, merthyr (Fujitsu Siemens Lifebook S6420)'
-);
-
-/* Components */
-
-INSERT INTO components (
-  vendor_id, name, qualifier
-) VALUES (
-  36906, 1, 33  /* ITA TGRUB */
-);
-
-INSERT INTO components (
-  vendor_id, name, qualifier
-) VALUES (
-  36906, 2, 33  /* ITA TBOOT */
-);
-
-INSERT INTO components (
-  vendor_id, name, qualifier
-) VALUES (
-  36906, 3, 33  /* ITA IMA */
-);
-
-/* AIK Component */
-
-INSERT INTO key_component (
-  key, component, depth, seq_no
-) VALUES (
-  2, 2, 0, 1
-);
-
-INSERT INTO key_component (
-  key, component, depth, seq_no
-) VALUES (
-  1, 3, 0, 1
-);
-
-INSERT INTO key_component (
-  key, component, depth, seq_no
-) VALUES (
-  1, 2, 0, 2
-);
-
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c
index 51069b02d..542a561aa 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,508 +13,12 @@
  * for more details.
  */
 
-#include "imv_attestation_state.h"
-#include "imv_attestation_process.h"
-#include "imv_attestation_build.h"
-
-#include <imv/imv_agent.h>
-#include <pa_tnc/pa_tnc_msg.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_product_info.h>
-
-#include <libpts.h>
-
-#include <pts/pts.h>
-#include <pts/pts_database.h>
-#include <pts/pts_creds.h>
-
-#include <tcg/tcg_attr.h>
-
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <debug.h>
-#include <credentials/credential_manager.h>
-#include <utils/linked_list.h>
-
-/* IMV definitions */
+#include "imv_attestation_agent.h"
 
 static const char imv_name[] = "Attestation";
+static const imv_agent_create_t imv_agent_create = imv_attestation_agent_create;
 
-#define IMV_VENDOR_ID			PEN_TCG
-#define IMV_SUBTYPE				PA_SUBTYPE_TCG_PTS
-
-static imv_agent_t *imv_attestation;
-
-/**
- * Supported PTS measurement algorithms
- */
-static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
-
-/**
- * Supported PTS Diffie Hellman Groups
- */
-static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
-
-/**
- * PTS file measurement database
- */
-static pts_database_t *pts_db;
-
-/**
- * PTS credentials
- */
-static pts_creds_t *pts_creds;
-
-/**
- * PTS credential manager
- */
-static credential_manager_t *pts_credmgr;
-
-/**
- * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
-							  TNC_Version min_version,
-							  TNC_Version max_version,
-							  TNC_Version *actual_version)
-{
-	char *hash_alg, *dh_group, *uri, *cadir;
-
-	if (imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
-		return TNC_RESULT_ALREADY_INITIALIZED;
-	}
-	if (!pts_meas_algo_probe(&supported_algorithms) ||
-		!pts_dh_group_probe(&supported_dh_groups))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
-									   imv_id, actual_version);
-	if (!imv_attestation)
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	libpts_init();
-	
-	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
-	{
-		DBG1(DBG_IMV, "no common IF-IMV version");
-		return TNC_RESULT_NO_COMMON_VERSION;
-	}
-
-	hash_alg = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
-	dh_group = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.dh_group", "ecp256");
-
-	if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
-		!pts_dh_group_update(dh_group, &supported_dh_groups))
-	{
-		return TNC_RESULT_FATAL;
-	}
-
-	/* create a PTS credential manager */
-	pts_credmgr = credential_manager_create();
-
-	/* create PTS credential set */
-	cadir = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.cadir", NULL);
-	pts_creds = pts_creds_create(cadir);
-	if (pts_creds)
-	{
-		pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
-	}
-
-	/* attach file measurement database */
-	uri = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.database", NULL);
-	pts_db = pts_database_create(uri);
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
-										  TNC_ConnectionID connection_id,
-										  TNC_ConnectionState new_state)
-{
-	imv_state_t *state;
-
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	switch (new_state)
-	{
-		case TNC_CONNECTION_STATE_CREATE:
-			state = imv_attestation_state_create(connection_id);
-			return imv_attestation->create_state(imv_attestation, state);
-		case TNC_CONNECTION_STATE_DELETE:
-			return imv_attestation->delete_state(imv_attestation, connection_id);
-		case TNC_CONNECTION_STATE_HANDSHAKE:
-		default:
-			return imv_attestation->change_state(imv_attestation, connection_id,
-												 new_state, NULL);
-	}
-}
-
-static TNC_Result send_message(TNC_ConnectionID connection_id)
-{
-	pa_tnc_msg_t *msg;
-	pa_tnc_attr_t *attr;
-	imv_state_t *state;
-	imv_attestation_state_t *attestation_state;
-	TNC_Result result;
-	linked_list_t *attr_list;
-	enumerator_t *enumerator;
-
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imv_attestation_state_t*)state;
-	attr_list = linked_list_create();
-
-	if (imv_attestation_build(attr_list, attestation_state, supported_algorithms,
-							  supported_dh_groups, pts_db))
-	{
-		if (attr_list->get_count(attr_list))
-		{
-			msg = pa_tnc_msg_create();
-
-			/* move PA-TNC attributes to PA-TNC message */
-			enumerator = attr_list->create_enumerator(attr_list);
-			while (enumerator->enumerate(enumerator, &attr))
-			{
-				msg->add_attribute(msg, attr);
-			}
-			enumerator->destroy(enumerator);
-
-			msg->build(msg);
-			result = imv_attestation->send_message(imv_attestation,
-							connection_id, FALSE, 0, TNC_IMCID_ANY,
-							msg->get_encoding(msg));
-			msg->destroy(msg);
-		}
-		else
-		{
-			result = TNC_RESULT_SUCCESS;
-		}
-		attr_list->destroy(attr_list);
-	}
-	else
-	{
-		attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
-		result = TNC_RESULT_FATAL;
-	}
-
-	return result;
-}
+/* include generic TGC TNC IF-IMV API code below */
 
-static TNC_Result receive_message(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_UInt32 msg_flags,
-								  chunk_t msg,
-								  TNC_VendorID msg_vid,
-								  TNC_MessageSubtype msg_subtype,
-								  TNC_UInt32 src_imc_id,
-								  TNC_UInt32 dst_imv_id)
-{
-	pa_tnc_msg_t *pa_tnc_msg;
-	pa_tnc_attr_t *attr;
-	linked_list_t *attr_list;
-	imv_state_t *state;
-	imv_attestation_state_t *attestation_state;
-	pts_t *pts;
-	enumerator_t *enumerator;
-	TNC_Result result;
+#include <imv/imv_if.h>
 
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-
-	/* get current IMV state */
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imv_attestation_state_t*)state;
-	pts = attestation_state->get_pts(attestation_state);
-
-	/* parse received PA-TNC message and automatically handle any errors */
-	result = imv_attestation->receive_message(imv_attestation, state, msg,
-					 msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
-
-	/* no parsed PA-TNC attributes available if an error occurred */
-	if (!pa_tnc_msg)
-	{
-		return result;
-	}
-
-	/* preprocess any IETF standard error attributes */
-	result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
-					TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
-
-	attr_list = linked_list_create();
-
-	/* analyze PA-TNC attributes */
-	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
-	while (enumerator->enumerate(enumerator, &attr))
-	{
-		if (attr->get_vendor_id(attr) == PEN_IETF)
-		{
-			if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
-			{
-				ietf_attr_pa_tnc_error_t *error_attr;
-				pen_t error_vendor_id;
-				pa_tnc_error_code_t error_code;
-				chunk_t msg_info;
-
-				error_attr = (ietf_attr_pa_tnc_error_t*)attr;
-				error_vendor_id = error_attr->get_vendor_id(error_attr);
-
-				if (error_vendor_id == PEN_TCG)
-				{
-					error_code = error_attr->get_error_code(error_attr);
-					msg_info = error_attr->get_msg_info(error_attr);
-
-					DBG1(DBG_IMV, "received TCG-PTS error '%N'",
-						 pts_error_code_names, error_code);
-					DBG1(DBG_IMV, "error information: %B", &msg_info);
-
-					result = TNC_RESULT_FATAL;
-				}
-			}
-			else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION)
-			{
-				ietf_attr_product_info_t *attr_cast;
-				char *platform_info;
-
-				attr_cast = (ietf_attr_product_info_t*)attr;
-				platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
-				pts->set_platform_info(pts, platform_info);
-			}
-		}
-		else if (attr->get_vendor_id(attr) == PEN_TCG)
-		{
-			if (!imv_attestation_process(attr, attr_list, attestation_state,
-				supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
-			{
-				result = TNC_RESULT_FATAL;
-				break;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-	pa_tnc_msg->destroy(pa_tnc_msg);
-
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-		return imv_attestation->provide_recommendation(imv_attestation,
-													   connection_id);
-	}
-
-	if (attr_list->get_count(attr_list))
-	{
-		pa_tnc_msg = pa_tnc_msg_create();
-
-		/* move PA-TNC attributes to PA-TNC message */
-		enumerator = attr_list->create_enumerator(attr_list);
-		while (enumerator->enumerate(enumerator, &attr))
-		{
-			pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
-		}
-		enumerator->destroy(enumerator);
-
-		pa_tnc_msg->build(pa_tnc_msg);
-		result = imv_attestation->send_message(imv_attestation, connection_id,
-										FALSE, 0, TNC_IMCID_ANY,
-										pa_tnc_msg->get_encoding(pa_tnc_msg));
-		
-		pa_tnc_msg->destroy(pa_tnc_msg);
-		attr_list->destroy(attr_list);
-		
-		return result;
-	}
-	attr_list->destroy(attr_list);
-
-	/* check the IMV state for the next PA-TNC attributes to send */
-	result = send_message(connection_id);
-	if (result != TNC_RESULT_SUCCESS)
-	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-		return imv_attestation->provide_recommendation(imv_attestation,
-													   connection_id);
-	}
-
-	if (attestation_state->get_handshake_state(attestation_state) ==
-		IMV_ATTESTATION_STATE_END)
-	{
-		if (attestation_state->get_file_meas_request_count(attestation_state))
-		{
-			DBG1(DBG_IMV, "failure due to %d pending file measurements",
-				attestation_state->get_file_meas_request_count(attestation_state));
-			attestation_state->set_measurement_error(attestation_state);
-		}
-		if (attestation_state->get_component_count(attestation_state))
-		{
-			DBG1(DBG_IMV, "failure due to %d components waiting for evidence",
-				 attestation_state->get_component_count(attestation_state));
-			attestation_state->set_measurement_error(attestation_state);
-		}
-		if (attestation_state->get_measurement_error(attestation_state))
-		{
-			state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
-								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
-		}
-		else
-		{
-			state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-								TNC_IMV_EVALUATION_RESULT_COMPLIANT);
-		}
-		return imv_attestation->provide_recommendation(imv_attestation,
-													   connection_id);
-	}
-
-	return result;
-}
-
-/**
- * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
-								  TNC_ConnectionID connection_id,
-								  TNC_BufferReference msg,
-								  TNC_UInt32 msg_len,
-								  TNC_MessageType msg_type)
-{
-	TNC_VendorID msg_vid;
-	TNC_MessageSubtype msg_subtype;
-
-	msg_vid = msg_type >> 8;
-	msg_subtype = msg_type & TNC_SUBTYPE_ANY;
-
-	return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
-						   msg_vid,	msg_subtype, 0, TNC_IMVID_ANY);
-}
-
-/**
- * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
-									  TNC_ConnectionID connection_id,
-									  TNC_UInt32 msg_flags,
-									  TNC_BufferReference msg,
-									  TNC_UInt32 msg_len,
-									  TNC_VendorID msg_vid,
-									  TNC_MessageSubtype msg_subtype,
-									  TNC_UInt32 src_imc_id,
-									  TNC_UInt32 dst_imv_id)
-{
-	return receive_message(imv_id, connection_id, msg_flags,
-						   chunk_create(msg, msg_len), msg_vid, msg_subtype,
-						   src_imc_id, dst_imv_id);
-}
-
-/**
- * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
-										 TNC_ConnectionID connection_id)
-{
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_attestation->provide_recommendation(imv_attestation,
-												   connection_id);
-}
-
-/**
- * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
-							   TNC_ConnectionID connection_id)
-{
-	imv_state_t *state;
-	imv_attestation_state_t *attestation_state;
-
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	/* get current IMV state */
-	if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
-	{
-		return TNC_RESULT_FATAL;
-	}
-	attestation_state = (imv_attestation_state_t*)state;
-
-	/* Check if IMV has to initiate the PA-TNC exchange */
-	if (attestation_state->get_handshake_state(attestation_state) ==
-		IMV_ATTESTATION_STATE_INIT)
-	{
-		return send_message(connection_id);
-	}
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
-{
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	if (pts_creds)
-	{
-		pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
-		pts_creds->destroy(pts_creds);
-	}
-	DESTROY_IF(pts_db);
-	DESTROY_IF(pts_credmgr);
-
-	libpts_deinit();
-
-	imv_attestation->destroy(imv_attestation);
-	imv_attestation = NULL;
-
-	return TNC_RESULT_SUCCESS;
-}
-
-/**
- * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
- */
-TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
-								TNC_TNCS_BindFunctionPointer bind_function)
-{
-	if (!imv_attestation)
-	{
-		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
-		return TNC_RESULT_NOT_INITIALIZED;
-	}
-	return imv_attestation->bind_functions(imv_attestation, bind_function);
-}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
new file mode 100644
index 000000000..fb934127e
--- /dev/null
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -0,0 +1,616 @@
+/*
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_attestation_agent.h"
+#include "imv_attestation_state.h"
+#include "imv_attestation_process.h"
+#include "imv_attestation_build.h"
+
+#include <imcv.h>
+#include <imv/imv_agent.h>
+#include <imv/imv_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
+#include <ietf/ietf_attr_product_info.h>
+#include <ietf/ietf_attr_string_version.h>
+
+#include <libpts.h>
+
+#include <pts/pts.h>
+#include <pts/pts_database.h>
+#include <pts/pts_creds.h>
+
+#include <tcg/tcg_attr.h>
+#include <tcg/tcg_pts_attr_req_file_meas.h>
+#include <tcg/tcg_pts_attr_req_file_meta.h>
+
+#include <tncif_pa_subtypes.h>
+
+#include <pen/pen.h>
+#include <utils/debug.h>
+#include <credentials/credential_manager.h>
+#include <collections/linked_list.h>
+
+typedef struct private_imv_attestation_agent_t private_imv_attestation_agent_t;
+
+/* Subscribed PA-TNC message subtypes */
+static pen_type_t msg_types[] = {
+	{ PEN_TCG,  PA_SUBTYPE_TCG_PTS },
+	{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
+};
+
+/**
+ * Private data of an imv_attestation_agent_t object.
+ */
+struct private_imv_attestation_agent_t {
+
+	/**
+	 * Public members of imv_attestation_agent_t
+	 */
+	imv_agent_if_t public;
+
+	/**
+	 * IMV agent responsible for generic functions
+	 */
+	imv_agent_t *agent;
+
+	/**
+	 * Supported PTS measurement algorithms
+	 */
+	pts_meas_algorithms_t supported_algorithms;
+
+	/**
+	 * Supported PTS Diffie Hellman Groups
+	 */
+	pts_dh_group_t supported_dh_groups;
+
+	/**
+	 * PTS file measurement database
+	 */
+	pts_database_t *pts_db;
+
+	/**
+	 * PTS credentials
+	 */
+	pts_creds_t *pts_creds;
+
+	/**
+	 * PTS credential manager
+	 */
+	credential_manager_t *pts_credmgr;
+
+};
+
+METHOD(imv_agent_if_t, bind_functions, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
+{
+	return this->agent->bind_functions(this->agent, bind_function);
+}
+
+METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id,
+	TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imv_attestation_state_create(id);
+			return this->agent->create_state(this->agent, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return this->agent->delete_state(this->agent, id);
+		default:
+			return this->agent->change_state(this->agent, id, new_state, NULL);
+	}
+}
+
+/**
+ * Process a received message
+ */
+static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
+							  imv_state_t *state, imv_msg_t *in_msg)
+{
+	imv_attestation_state_t *attestation_state;
+	imv_msg_t *out_msg;
+	enumerator_t *enumerator;
+	pa_tnc_attr_t *attr;
+	pen_type_t type;
+	TNC_Result result;
+	pts_t *pts;
+	chunk_t os_name = chunk_empty;
+	chunk_t os_version = chunk_empty;
+	bool fatal_error = FALSE;
+
+	/* parse received PA-TNC message and handle local and remote errors */
+	result = in_msg->receive(in_msg, &fatal_error);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	attestation_state = (imv_attestation_state_t*)state;
+	pts = attestation_state->get_pts(attestation_state);
+
+	out_msg = imv_msg_create_as_reply(in_msg);
+	out_msg->set_msg_type(out_msg, msg_types[0]);
+
+	/* analyze PA-TNC attributes */
+	enumerator = in_msg->create_attribute_enumerator(in_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		type = attr->get_type(attr);
+
+		if (type.vendor_id == PEN_IETF)
+		{
+			switch (type.type)
+			{
+				case IETF_ATTR_PA_TNC_ERROR:
+				{
+					ietf_attr_pa_tnc_error_t *error_attr;
+					pen_type_t error_code;
+					chunk_t msg_info;
+
+					error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+					error_code = error_attr->get_error_code(error_attr);
+
+					if (error_code.vendor_id == PEN_TCG)
+					{
+						msg_info = error_attr->get_msg_info(error_attr);
+
+						DBG1(DBG_IMV, "received TCG-PTS error '%N'",
+							 pts_error_code_names, error_code.type);
+						DBG1(DBG_IMV, "error information: %B", &msg_info);
+						fatal_error = TRUE;
+					}
+					break;
+				}
+				case IETF_ATTR_PRODUCT_INFORMATION:
+				{
+					ietf_attr_product_info_t *attr_cast;
+
+					attr_cast = (ietf_attr_product_info_t*)attr;
+					os_name = attr_cast->get_info(attr_cast, NULL, NULL);
+					break;
+				}
+				case IETF_ATTR_STRING_VERSION:
+				{
+					ietf_attr_string_version_t *attr_cast;
+
+					attr_cast = (ietf_attr_string_version_t*)attr;
+					os_version = attr_cast->get_version(attr_cast, NULL, NULL);
+					break;
+				}
+				default:
+					break;
+			}
+		}
+		else if (type.vendor_id == PEN_TCG)
+		{
+			if (!imv_attestation_process(attr, out_msg, state,
+				this->supported_algorithms, this->supported_dh_groups,
+				this->pts_db, this->pts_credmgr))
+			{
+				result = TNC_RESULT_FATAL;
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/**
+	 * The IETF Product Information and String Version attributes
+	 * are supposed to arrive in the same PA-TNC message
+	 */
+	if (os_name.len && os_version.len)
+	{
+		pts->set_platform_info(pts, os_name, os_version);
+	}
+
+	if (fatal_error || result != TNC_RESULT_SUCCESS)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send PA-TNC message with excl flag set */
+	result = out_msg->send(out_msg, TRUE);
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id,
+	TNC_MessageType msg_type, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id,
+	TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
+	TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
+{
+	imv_state_t *state;
+	imv_msg_t *in_msg;
+	TNC_Result result;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	in_msg = imv_msg_create_from_long_data(this->agent, state, id,
+					src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
+	result = receive_msg(this, state, in_msg);
+	in_msg->destroy(in_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, batch_ending, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id)
+{
+	imv_msg_t *out_msg;
+	imv_state_t *state;
+	imv_session_t *session;
+	imv_attestation_state_t *attestation_state;
+	TNC_IMVID imv_id;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	pts_t *pts;
+	char *platform_info;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	attestation_state = (imv_attestation_state_t*)state;
+	pts = attestation_state->get_pts(attestation_state);
+	platform_info = pts->get_platform_info(pts);
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	/* exit if a recommendation has already been provided */
+	if (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_REC)
+	{
+		return TNC_RESULT_SUCCESS;
+	}
+
+	/* send an IETF attribute request if no platform info was received */
+	if (!platform_info &&
+		!(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ATTR_REQ))
+	{
+		pa_tnc_attr_t *attr;
+		ietf_attr_attr_request_t *attr_cast;
+		imv_msg_t *os_msg;
+
+		attr = ietf_attr_attr_request_create(PEN_IETF,
+											 IETF_ATTR_PRODUCT_INFORMATION);
+		attr_cast = (ietf_attr_attr_request_t*)attr;
+		attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
+
+		os_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+								 msg_types[1]);
+		os_msg->add_attribute(os_msg, attr);
+		result = os_msg->send(os_msg, FALSE);
+		os_msg->destroy(os_msg);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		state->set_action_flags(state, IMV_ATTESTATION_FLAG_ATTR_REQ);
+	}
+
+	/* create an empty out message - we might need it */
+	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+							 msg_types[0]);
+
+	if (platform_info && session &&
+	   (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
+	  !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
+	{
+		imv_workitem_t *workitem;
+		bool is_dir, no_workitems = TRUE;
+		u_int32_t delimiter = SOLIDUS_UTF;
+		u_int16_t request_id;
+		pa_tnc_attr_t *attr;
+		char *pathname;
+		enumerator_t *enumerator;
+
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
+				{
+					continue;
+				}
+
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_FILE_MEAS:
+					case IMV_WORKITEM_FILE_META:
+						is_dir = FALSE;
+						break;
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+					case IMV_WORKITEM_DIR_META:
+						is_dir = TRUE;
+						break;
+					default:
+						continue;
+				}
+
+				pathname = this->pts_db->get_pathname(this->pts_db, is_dir,
+											workitem->get_arg_int(workitem));
+				if (!pathname)
+				{
+					continue;
+				}
+				workitem->set_imv_id(workitem, imv_id);
+				no_workitems = FALSE;
+
+				if (workitem->get_type(workitem) == IMV_WORKITEM_FILE_META)
+				{
+					TNC_IMV_Action_Recommendation rec;
+					TNC_IMV_Evaluation_Result eval;
+					char result_str[BUF_LEN];
+
+					DBG2(DBG_IMV, "IMV %d requests metadata for %s '%s'",
+						 imv_id, is_dir ? "directory" : "file", pathname);
+
+					/* currently just fire and forget metadata requests */
+					attr = tcg_pts_attr_req_file_meta_create(is_dir,
+												delimiter, pathname);
+					snprintf(result_str, BUF_LEN, "%s metadata requested",
+							 is_dir ? "directory" : "file");
+					eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+					session->remove_workitem(session, enumerator);
+					rec = workitem->set_result(workitem, result_str, eval);
+					state->update_recommendation(state, rec, eval);
+					imcv_db->finalize_workitem(imcv_db, workitem);
+					workitem->destroy(workitem);
+				}
+				else
+				{
+					/* use lower 16 bits of the workitem ID as request ID */
+					request_id = workitem->get_id(workitem) & 0xffff;
+
+					DBG2(DBG_IMV, "IMV %d requests measurement %d for %s '%s'",
+						 imv_id, request_id, is_dir ? "directory" : "file",
+						 pathname);
+					attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
+												delimiter, pathname);
+				}
+				free(pathname);
+				attr->set_noskip_flag(attr, TRUE);
+				out_msg->add_attribute(out_msg, attr);
+			}
+			enumerator->destroy(enumerator);
+
+			/* sent all file and directory measurement and metadata requests */
+			state->set_action_flags(state, IMV_ATTESTATION_FLAG_FILE_MEAS);
+
+			if (no_workitems)
+			{
+				DBG2(DBG_IMV, "IMV %d has no workitems - "
+							  "no evaluation requested", imv_id);
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+			}
+		}
+	}
+
+	/* check the IMV state for the next PA-TNC attributes to send */
+	if (!imv_attestation_build(out_msg, attestation_state,
+							  this->supported_algorithms,
+							  this->supported_dh_groups, this->pts_db))
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* finalized all workitems? */
+	if (session && session->get_policy_started(session) &&
+		session->get_workitem_count(session, imv_id) == 0 &&
+		attestation_state->get_handshake_state(attestation_state) ==
+			IMV_ATTESTATION_STATE_END)
+	{
+		result = out_msg->send_assessment(out_msg);
+		out_msg->destroy(out_msg);
+		state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
+
+		if (result != TNC_RESULT_SUCCESS)
+		{
+			return result;
+		}
+		return this->agent->provide_recommendation(this->agent, state);
+	}
+
+	/* send non-empty PA-TNC message with excl flag not set */
+	if (out_msg->get_attribute_count(out_msg))
+	{
+		result = out_msg->send(out_msg, FALSE);
+	}
+	out_msg->destroy(out_msg);
+
+	return result;
+}
+
+METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
+	private_imv_attestation_agent_t *this, TNC_ConnectionID id)
+{
+	TNC_IMVID imv_id;
+	imv_state_t *state;
+	imv_attestation_state_t *attestation_state;
+	imv_session_t *session;
+
+	if (!this->agent->get_state(this->agent, id, &state))
+	{
+		return TNC_RESULT_FATAL;
+	}
+	attestation_state = (imv_attestation_state_t*)state;
+	session = state->get_session(state);
+	imv_id = this->agent->get_id(this->agent);
+
+	if (session)
+	{
+		imv_workitem_t *workitem;
+		enumerator_t *enumerator;
+		int pending_file_meas = 0;
+
+		enumerator = session->create_workitem_enumerator(session);
+		if (enumerator)
+		{
+			while (enumerator->enumerate(enumerator, &workitem))
+			{
+				if (workitem->get_imv_id(workitem) != imv_id)
+				{
+					continue;
+				}
+				switch (workitem->get_type(workitem))
+				{
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_FILE_MEAS:
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+						pending_file_meas++;
+						break;
+					default:
+						break;
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			if (pending_file_meas)
+			{
+				DBG1(DBG_IMV, "failure due to %d pending file measurements",
+							   pending_file_meas);
+				attestation_state->set_measurement_error(attestation_state,
+							   IMV_ATTESTATION_ERROR_FILE_MEAS_PEND);
+			}
+		}
+	}
+	return this->agent->provide_recommendation(this->agent, state);
+}
+
+METHOD(imv_agent_if_t, destroy, void,
+	private_imv_attestation_agent_t *this)
+{
+	if (this->pts_creds)
+	{
+		this->pts_credmgr->remove_set(this->pts_credmgr,
+						 			  this->pts_creds->get_set(this->pts_creds));
+		this->pts_creds->destroy(this->pts_creds);
+	}
+	DESTROY_IF(this->pts_db);
+	DESTROY_IF(this->pts_credmgr);
+	DESTROY_IF(this->agent);
+	free(this);
+	libpts_deinit();
+}
+
+/**
+ * Described in header.
+ */
+imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
+										 TNC_Version *actual_version)
+{
+	private_imv_attestation_agent_t *this;
+	char *hash_alg, *dh_group, *cadir;
+
+	hash_alg = lib->settings->get_str(lib->settings,
+					"libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
+	dh_group = lib->settings->get_str(lib->settings,
+					"libimcv.plugins.imv-attestation.dh_group", "ecp256");
+	cadir = lib->settings->get_str(lib->settings,
+					"libimcv.plugins.imv-attestation.cadir", NULL);
+
+	INIT(this,
+		.public = {
+			.bind_functions = _bind_functions,
+			.notify_connection_change = _notify_connection_change,
+			.receive_message = _receive_message,
+			.receive_message_long = _receive_message_long,
+			.batch_ending = _batch_ending,
+			.solicit_recommendation = _solicit_recommendation,
+			.destroy = _destroy,
+		},
+		.agent = imv_agent_create(name, msg_types, countof(msg_types), id,
+								  actual_version),
+		.supported_algorithms = PTS_MEAS_ALGO_NONE,
+		.supported_dh_groups = PTS_DH_GROUP_NONE,
+		.pts_credmgr = credential_manager_create(),
+		.pts_creds = pts_creds_create(cadir),
+		.pts_db = pts_database_create(imcv_db),
+	);
+
+	libpts_init();
+
+	if (!this->agent ||
+		!pts_meas_algo_probe(&this->supported_algorithms) ||
+		!pts_dh_group_probe(&this->supported_dh_groups) ||
+		!pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
+		!pts_dh_group_update(dh_group, &this->supported_dh_groups))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	if (this->pts_creds)
+	{
+		this->pts_credmgr->add_set(this->pts_credmgr,
+								   this->pts_creds->get_set(this->pts_creds));
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.h b/src/libpts/plugins/imv_attestation/imv_attestation_agent.h
new file mode 100644
index 000000000..cc421a29a
--- /dev/null
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imv_attestation_agent_t imv_attestation_agent
+ * @{ @ingroup imv_attestation
+ */
+
+#ifndef IMV_ATTESTATION_AGENT_H_
+#define IMV_ATTESTATION_AGENT_H_
+
+#include <imv/imv_agent_if.h>
+
+/**
+ * Creates a Attestation IMV agent
+ *
+ * @param name					Name of the IMV
+ * @param id					ID of the IMV
+ * @param actual_version		TNC IF-IMV version
+ */
+imv_agent_if_t* imv_attestation_agent_create(const char* name, TNC_IMVID id,
+											 TNC_Version *actual_version);
+
+#endif /** IMV_ATTESTATION_AGENT_H_ @}*/
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
index 4f2cc1e95..3e09f7204 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,7 +16,6 @@
 #include "imv_attestation_build.h"
 #include "imv_attestation_state.h"
 
-#include <libpts.h>
 #include <tcg/tcg_pts_attr_proto_caps.h>
 #include <tcg/tcg_pts_attr_meas_algo.h>
 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
@@ -25,12 +24,10 @@
 #include <tcg/tcg_pts_attr_get_aik.h>
 #include <tcg/tcg_pts_attr_req_func_comp_evid.h>
 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
-#include <tcg/tcg_pts_attr_req_file_meas.h>
-#include <tcg/tcg_pts_attr_req_file_meta.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
-bool imv_attestation_build(linked_list_t *attr_list,
+bool imv_attestation_build(imv_msg_t *out_msg,
 						   imv_attestation_state_t *attestation_state,
 						   pts_meas_algorithms_t supported_algorithms,
 						   pts_dh_group_t supported_dh_groups,
@@ -50,8 +47,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
 	if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
 		!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
 	{
-		DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation - "
-					  "advancing to TPM Initialization");
+		DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation");
 		handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
 	}
 
@@ -62,9 +58,8 @@ bool imv_attestation_build(linked_list_t *attr_list,
 	if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
 		!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
 	{
-		DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
-					  "advancing to File Measurements");
-		handshake_state = IMV_ATTESTATION_STATE_MEAS;
+		DBG2(DBG_IMV, "PTS-IMC made no TPM available");
+		handshake_state = IMV_ATTESTATION_STATE_END;
 	}
 
 	switch (handshake_state)
@@ -77,12 +72,12 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			flags = pts->get_proto_caps(pts);
 			attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			/* Send Measurement Algorithms attribute */
 			attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_NONCE_REQ);
@@ -98,7 +93,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
 													 supported_dh_groups);
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_TPM_INIT);
@@ -117,87 +112,21 @@ bool imv_attestation_build(linked_list_t *attr_list,
 				attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
 											initiator_value, initiator_nonce);
 				attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 			}
 
 			/* Send Get TPM Version attribute */
 			attr = tcg_pts_attr_get_tpm_version_info_create();
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
+			out_msg->add_attribute(out_msg, attr);
 
 			/* Send Get AIK attribute */
 			attr = tcg_pts_attr_get_aik_create();
 			attr->set_noskip_flag(attr, TRUE);
-			attr_list->insert_last(attr_list, attr);
-
-			attestation_state->set_handshake_state(attestation_state,
-										IMV_ATTESTATION_STATE_MEAS);
-			break;
-		}
-		case IMV_ATTESTATION_STATE_MEAS:
-		{
-			enumerator_t *enumerator;
-			u_int32_t delimiter = SOLIDUS_UTF;
-			char *platform_info, *pathname;
-			u_int16_t request_id;
-			int id, type;
-			bool is_dir;
+			out_msg->add_attribute(out_msg, attr);
 
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_COMP_EVID);
-
-			/* Get Platform and OS of the PTS-IMC */
-			platform_info = pts->get_platform_info(pts);
-
-			if (!pts_db || !platform_info)
-			{
-				DBG1(DBG_IMV, "%s%s%s not available",
-					(pts_db) ? "" : "pts database",
-					(!pts_db && !platform_info) ? "and" : "",
-					(platform_info) ? "" : "platform info");
-				break;
-			}
-			DBG1(DBG_IMV, "platform is '%s'", platform_info);
-
-			/* Send Request File Metadata attribute */
-			enumerator = pts_db->create_file_meta_enumerator(pts_db,
-															 platform_info);
-			if (!enumerator)
-			{
-				break;
-			}
-			while (enumerator->enumerate(enumerator, &type, &pathname))
-			{
-				is_dir = (type != 0);
-				DBG2(DBG_IMV, "metadata request for %s '%s'",
-					 is_dir ? "directory" : "file", pathname);
-				attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
-														 pathname);
-				attr->set_noskip_flag(attr, TRUE);
-				attr_list->insert_last(attr_list, attr);
-			}
-			enumerator->destroy(enumerator);
-			
-			/* Send Request File Measurement attribute */
-			enumerator = pts_db->create_file_meas_enumerator(pts_db,
-															 platform_info);
-			if (!enumerator)
-			{
-				break;
-			}
-			while (enumerator->enumerate(enumerator, &id, &type, &pathname))
-			{
-				is_dir = (type != 0);
-				request_id = attestation_state->add_file_meas_request(
-							attestation_state, id, is_dir);
-				DBG2(DBG_IMV, "measurement request %d for %s '%s'",
-					 request_id, is_dir ? "directory" : "file", pathname);
-				attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
-													 delimiter, pathname);
-				attr->set_noskip_flag(attr, TRUE);
-				attr_list->insert_last(attr_list, attr);
-			}
-			enumerator->destroy(enumerator);
 			break;
 		}
 		case IMV_ATTESTATION_STATE_COMP_EVID:
@@ -252,15 +181,15 @@ bool imv_attestation_build(linked_list_t *attr_list,
 				comp_name = pts_comp_func_name_create(vid, name, qualifier);
 				comp_name->log(comp_name, "  ");
 
-				comp = pts_components->create(pts_components, comp_name,
-											  depth, pts_db);
+				comp = attestation_state->create_component(attestation_state,
+													comp_name, depth, pts_db);
 				if (!comp)
 				{
-					DBG2(DBG_IMV, "    not registered: removed from request");
+					DBG2(DBG_IMV, "    not registered or duplicate"
+								  " - removed from request");
 					comp_name->destroy(comp_name);
 					continue;
 				}
-				attestation_state->add_component(attestation_state, comp);
 				if (first_component)
 				{
 					attr = tcg_pts_attr_req_func_comp_evid_create();
@@ -277,12 +206,12 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			if (attr)
 			{
 				/* Send Request Functional Component Evidence attribute */
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 
 				/* Send Generate Attestation Evidence attribute */
 				attr = tcg_pts_attr_gen_attest_evid_create();
 				attr->set_noskip_flag(attr, TRUE);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 
 				attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_EVID_FINAL);
@@ -290,10 +219,15 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			break;
 		}
 		case IMV_ATTESTATION_STATE_EVID_FINAL:
-			attestation_state->set_handshake_state(attestation_state,
+			if (attestation_state->components_finalized(attestation_state))
+			{
+				attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_END);
+			}
 			break;
 		case IMV_ATTESTATION_STATE_END:
+			attestation_state->set_handshake_state(attestation_state,
+										IMV_ATTESTATION_STATE_END);
 			break;
 	}
 	return TRUE;
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
index 7f934fd09..108f6f923 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup imv_attestation_build_t imv_attestation_build
- * @{ @ingroup imv_attestation_build
+ * @{ @ingroup imv_attestation
  */
 
 #ifndef IMV_ATTESTATION_BUILD_H_
@@ -24,7 +23,7 @@
 
 #include "imv_attestation_state.h"
 
-#include <pa_tnc/pa_tnc_msg.h>
+#include <imv/imv_msg.h>
 #include <library.h>
 
 #include <pts/pts_database.h>
@@ -34,14 +33,14 @@
 /**
  * Process a TCG PTS attribute
  *
- * @param attr_list				list of PA-TNC attriubutes to be built
+ * @param out_msg				outbound PA-TNC message to be built
  * @param attestation_state		attestation state of a given connection
  * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
  * @param pts_db				PTS configuration database
  * @return						TRUE if successful
  */
-bool imv_attestation_build(linked_list_t *attr_list,
+bool imv_attestation_build(imv_msg_t *out_msg,
 						   imv_attestation_state_t *attestation_state,
 						   pts_meas_algorithms_t supported_algorithms,
 						   pts_dh_group_t supported_dh_groups,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index a742b6697..d422ebcda 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2013 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,7 @@
 
 #include "imv_attestation_process.h"
 
+#include <imcv.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 
 #include <pts/pts.h>
@@ -29,23 +30,27 @@
 #include <tcg/tcg_pts_attr_tpm_version_info.h>
 #include <tcg/tcg_pts_attr_unix_file_meta.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/hashers/hasher.h>
 
 #include <inttypes.h>
 
-bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
-							 imv_attestation_state_t *attestation_state,
+bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
+							 imv_state_t *state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups,
 							 pts_database_t *pts_db,
 							 credential_manager_t *pts_credmgr)
 {
+	imv_attestation_state_t *attestation_state;
+	pen_type_t attr_type;
 	pts_t *pts;
 
+	attestation_state = (imv_attestation_state_t*)state;
 	pts = attestation_state->get_pts(attestation_state);
- 
-	switch (attr->get_type(attr))
+	attr_type = attr->get_type(attr);
+
+	switch (attr_type.type)
 	{
 		case TCG_PTS_PROTO_CAPS:
 		{
@@ -71,6 +76,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				return FALSE;
 			}
 			pts->set_meas_algorithm(pts, selected_algorithm);
+			state->set_action_flags(state, IMV_ATTESTATION_FLAG_ALGO);
 			break;
 		}
 		case TCG_PTS_DH_NONCE_PARAMS_RESP:
@@ -94,7 +100,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				attr = pts_dh_nonce_error_create(
 									max(PTS_MIN_NONCE_LEN, min_nonce_len),
 										PTS_MAX_NONCE_LEN);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 				break;
 			}
 
@@ -111,7 +117,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			if (selected_algorithm == PTS_MEAS_ALGO_NONE)
 			{
 				attr = pts_hash_alg_error_create(supported_algorithms);
-				attr_list->insert_last(attr_list, attr);
+				out_msg->add_attribute(out_msg, attr);
 				break;
 			}
 			pts->set_dh_hash_algorithm(pts, selected_algorithm);
@@ -169,7 +175,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 							KEY_ANY, aik->get_issuer(aik), FALSE);
 				while (e->enumerate(e, &issuer))
 				{
-					if (aik->issued_by(aik, issuer))
+					if (aik->issued_by(aik, issuer, NULL))
 					{
 						trusted = TRUE;
 						break;
@@ -188,50 +194,134 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 		}
 		case TCG_PTS_FILE_MEAS:
 		{
+			TNC_IMV_Evaluation_Result eval;
+			TNC_IMV_Action_Recommendation rec;
 			tcg_pts_attr_file_meas_t *attr_cast;
 			u_int16_t request_id;
-			int file_count, file_id;
+			int arg_int, file_count;
 			pts_meas_algorithms_t algo;
 			pts_file_meas_t *measurements;
-			char *platform_info;
-			enumerator_t *e_hash;
-			bool is_dir;
-
+			imv_session_t *session;
+			imv_workitem_t *workitem, *found = NULL;
+			imv_workitem_type_t type;
+			char result_str[BUF_LEN], *platform_info;
+			bool is_dir, correct;
+			enumerator_t *enumerator;
+
+			eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+			session = state->get_session(state);
+			algo = pts->get_meas_algorithm(pts);
 			platform_info = pts->get_platform_info(pts);
-			if (!pts_db || !platform_info)
-			{
-				DBG1(DBG_IMV, "%s%s%s not available",
-					(pts_db) ? "" : "pts database",
-					(!pts_db && !platform_info) ? "and" : "",
-					(platform_info) ? "" : "platform info");
-				break;
-			}
-
 			attr_cast = (tcg_pts_attr_file_meas_t*)attr;
 			measurements = attr_cast->get_measurements(attr_cast);
-			algo = pts->get_meas_algorithm(pts);
 			request_id = measurements->get_request_id(measurements);
 			file_count = measurements->get_file_count(measurements);
 
 			DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
 				 request_id, file_count, (file_count == 1) ? "":"s");
 
-			if (!attestation_state->check_off_file_meas_request(attestation_state,
-				request_id, &file_id, &is_dir))
+			if (request_id)
 			{
-				DBG1(DBG_IMV, "  no entry found for file measurement request %d",
-					 request_id);
-				break;
-			}
+				enumerator = session->create_workitem_enumerator(session);
+				while (enumerator->enumerate(enumerator, &workitem))
+				{
+					/* request ID consist of lower 16 bits of workitem ID */
+					if ((workitem->get_id(workitem) & 0xffff) == request_id)
+					{
+						found = workitem;
+						break;
+					}
+				}
 
-			/* check hashes from database against measurements */
-			e_hash = pts_db->create_file_hash_enumerator(pts_db,
-							platform_info, algo, file_id, is_dir);
-			if (!measurements->verify(measurements, e_hash, is_dir))
+				if (!found)
+				{
+					DBG1(DBG_IMV, "  no entry found for file measurement "
+								  "request %d", request_id);
+					enumerator->destroy(enumerator);
+					break;
+				}
+				type =    found->get_type(found);
+				arg_int = found->get_arg_int(found);
+ 
+				switch (type)
+				{
+					default:
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_FILE_MEAS:
+						is_dir = FALSE;
+						break;
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+						is_dir = TRUE;
+				}
+
+				switch (type)
+				{
+					case IMV_WORKITEM_FILE_MEAS:
+					case IMV_WORKITEM_DIR_MEAS:
+					{
+						enumerator_t *e;
+
+						/* check hashes from database against measurements */
+						e = pts_db->create_file_hash_enumerator(pts_db,
+										platform_info, algo, is_dir, arg_int);
+						if (!e)
+						{
+							eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+							break;
+						}
+						correct = measurements->verify(measurements, e, is_dir);
+						if (!correct)
+						{
+							attestation_state->set_measurement_error(
+										attestation_state,
+										IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
+							eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
+						}
+						e->destroy(e);
+
+						snprintf(result_str, BUF_LEN, "%s measurement%s correct",
+								 is_dir ? "directory" : "file",
+								 correct ? "" : " not");
+						break;
+					}
+					case IMV_WORKITEM_FILE_REF_MEAS:
+					case IMV_WORKITEM_DIR_REF_MEAS:
+					{
+						enumerator_t *e;
+						char *filename;
+						chunk_t measurement;
+
+						e = measurements->create_enumerator(measurements);
+						while (e->enumerate(e, &filename, &measurement))
+						{
+							if (pts_db->add_file_measurement(pts_db, 
+									platform_info, algo, measurement, filename,
+									is_dir, arg_int) != SUCCESS)
+							{
+								eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+							}
+						}
+						e->destroy(e);
+						snprintf(result_str, BUF_LEN, "%s reference measurement "
+								"successful", is_dir ? "directory" : "file");
+						break;
+					}
+					default:
+						break;
+				}
+
+				session->remove_workitem(session, enumerator);
+				enumerator->destroy(enumerator);
+				rec = found->set_result(found, result_str, eval);
+				state->update_recommendation(state, rec, eval);
+				imcv_db->finalize_workitem(imcv_db, found);
+				found->destroy(found);
+			}
+			else
 			{
-				attestation_state->set_measurement_error(attestation_state);
+				measurements->check(measurements, pts_db, platform_info, algo);
 			}
-			e_hash->destroy(e_hash);
 			break;
 		}
 		case TCG_PTS_UNIX_FILE_META:
@@ -276,34 +366,23 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 			pts_comp_evidence_t *evidence;
 			pts_component_t *comp;
 			u_int32_t depth;
-			status_t status;
 
 			attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
 			evidence = attr_cast->get_comp_evidence(attr_cast);
 			name = evidence->get_comp_func_name(evidence, &depth);
 
-			comp = attestation_state->check_off_component(attestation_state, name);
+			comp = attestation_state->get_component(attestation_state, name);
 			if (!comp)
 			{
 				DBG1(DBG_IMV, "  no entry found for component evidence request");
 				break;
 			}
-			status = comp->verify(comp, pts, evidence);
-			
-			switch (status)
+			if (comp->verify(comp, name->get_qualifier(name), pts,
+							 evidence) != SUCCESS)
 			{
-				default:
-				case FAILED:
-					attestation_state->set_measurement_error(attestation_state);
-					comp->destroy(comp);
-					break;
-				case SUCCESS:
-					name->log(name, "  successfully measured ");
-					comp->destroy(comp);
-					break;
-				case NEED_MORE:
-					/* re-enter component into list */
-					attestation_state->add_component(attestation_state, comp);
+				attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
+				name->log(name, "  measurement mismatch for ");
 			}
 			break;
 		}
@@ -338,23 +417,30 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				{
 					DBG1(DBG_IMV, "received PCR Composite does not match "
 								  "constructed one");
+					attestation_state->set_measurement_error(attestation_state,
+										IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
 					free(pcr_composite.ptr);
 					free(quote_info.ptr);
-					return FALSE;
+					break;
 				}
 				DBG2(DBG_IMV, "received PCR Composite matches constructed one");
 				free(pcr_composite.ptr);
 
 				if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
 				{
+					attestation_state->set_measurement_error(attestation_state,
+										IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
 					free(quote_info.ptr);
-					return FALSE;
+					break;
 				}
 				DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
 				free(quote_info.ptr);
 
-				/* Finalize any pending measurement registrations */
-				attestation_state->check_off_registrations(attestation_state);
+				/**
+				 * Finalize any pending measurement registrations and check
+				 * if all expected component measurements were received
+				 */
+				attestation_state->finalize_components(attestation_state);
 			}
 
 			if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
index 4d4eeefbb..af8666b66 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
@@ -14,9 +14,8 @@
  */
 
 /**
- *
  * @defgroup imv_attestation_process_t imv_attestation_process
- * @{ @ingroup imv_attestation_process
+ * @{ @ingroup imv_attestation
  */
 
 #ifndef IMV_ATTESTATION_PROCESS_H_
@@ -25,10 +24,11 @@
 #include "imv_attestation_state.h"
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/credential_manager.h>
 #include <crypto/hashers/hasher.h>
 
+#include <imv/imv_msg.h>
 #include <pa_tnc/pa_tnc_attr.h>
 
 #include <pts/pts_database.h>
@@ -39,16 +39,16 @@
  * Process a TCG PTS attribute
  *
  * @param attr					PA-TNC attribute to be processed
- * @param attr_list				list with PA-TNC error attributes
- * @param attestation_state		attestation state of a given connection
+ * @param out_msg				PA-TNC message containing error messages
+ * @param state					state of a given connection
  * @param supported_algorithms	supported PTS measurement algorithms
  * @param supported_dh_groups	supported DH groups
  * @param pts_db				PTS configuration database
  * @param pts_credmgr			PTS credential manager
  * @return						TRUE if successful
  */
-bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
-							 imv_attestation_state_t *attestation_state,
+bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
+							 imv_state_t *state,
 							 pts_meas_algorithms_t supported_algorithms,
 							 pts_dh_group_t supported_dh_groups,
 							 pts_database_t *pts_db,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index a58fd3ec3..27b2655f8 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu
+ * Copyright (C) 2011-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,21 +16,19 @@
 
 #include "imv_attestation_state.h"
 
-#include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <libpts.h>
+
+#include <imv/imv_lang_string.h>
+#include "imv/imv_reason_string.h"
+
+#include <tncif_policy.h>
+
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_imv_attestation_state_t private_imv_attestation_state_t;
 typedef struct file_meas_request_t file_meas_request_t;
-
-/**
- * PTS File/Directory Measurement request entry
- */
-struct file_meas_request_t {
-	u_int16_t id;
-	int file_id;
-	bool is_dir;
-};
+typedef struct func_comp_t func_comp_t;
 
 /**
  * Private data of an imv_attestation_state_t object.
@@ -50,7 +49,7 @@ struct private_imv_attestation_state_t {
 	 * TNCCS connection state
 	 */
 	TNC_ConnectionState state;
-	
+
 	/**
 	 * Does the TNCCS connection support long message types?
 	 */
@@ -62,29 +61,44 @@ struct private_imv_attestation_state_t {
 	bool has_excl;
 
 	/**
-	 * IMV Attestation handshake state
+	 * Maximum PA-TNC message size for this TNCCS connection
 	 */
-	imv_attestation_handshake_state_t handshake_state;
+	u_int32_t max_msg_len;
 
 	/**
-	 * IMV action recommendation
+	 * Flags set for completed actions
 	 */
-	TNC_IMV_Action_Recommendation rec;
+	u_int32_t action_flags;
 
 	/**
-	 * IMV evaluation result
+	 * Access Requestor ID Type
 	 */
-	TNC_IMV_Evaluation_Result eval;
+	u_int32_t ar_id_type;
 
 	/**
-	 * File Measurement Request counter
+	 * Access Requestor ID Value
 	 */
-	u_int16_t file_meas_request_counter;
+	chunk_t ar_id_value;
 
 	/**
-	 * List of PTS File/Directory Measurement requests
+	 * IMV database session associated with TNCCS connection
 	 */
-	linked_list_t *file_meas_requests;
+	imv_session_t *session;
+
+	/**
+	 * IMV Attestation handshake state
+	 */
+	imv_attestation_handshake_state_t handshake_state;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec;
+
+	/**
+	 * IMV evaluation result
+	 */
+	TNC_IMV_Evaluation_Result eval;
 
 	/**
 	 * List of Functional Components
@@ -97,32 +111,75 @@ struct private_imv_attestation_state_t {
 	pts_t *pts;
 
 	/**
-	 * Measurement error
+	 * Measurement error flags
 	 */
-	bool measurement_error;
+	u_int32_t measurement_error;
 
-};
+	/**
+	 * TNC Reason String
+	 */
+	imv_reason_string_t *reason_string;
 
-typedef struct entry_t entry_t;
+};
 
 /**
- * Define an internal reason string entry
+ * PTS Functional Component entry
  */
-struct entry_t {
-	char *lang;
-	char *string;
+struct func_comp_t {
+	pts_component_t *comp;
+	u_int8_t qualifier;
 };
 
 /**
- * Table of multi-lingual reason string entries 
+ * Frees a func_comp_t object
+ */
+static void free_func_comp(func_comp_t *this)
+{
+	this->comp->destroy(this->comp);
+	free(this);
+}
+
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "mn" };
+
+/**
+ * Table of reason strings
  */
-static entry_t reasons[] = {
-	{ "en", "IMV Attestation: Incorrect/pending file measurement/component"
-			" evidence or invalid TPM Quote signature received" },
-	{ "mn", "IMV Attestation:  Буруу/хүл��гд�ж байгаа файл/компонент х�мжилт "
-			"��в�л буруу TPM Quote гарын ү��г" },
-	{ "de", "IMV Attestation: Falsche/Fehlende Dateimessung/Komponenten Beweis "
-			"oder ungültige TPM Quote Unterschrift ist erhalten" },
+static imv_lang_string_t reason_file_meas_fail[] = {
+	{ "en", "Incorrect file measurement" },
+	{ "de", "Falsche Dateimessung" },
+	{ "mn", "Буруу байгаа файл" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_file_meas_pend[] = {
+	{ "en", "Pending file measurement" },
+	{ "de", "Ausstehende Dateimessung" },
+	{ "mn", "Xүл��гд�ж байгаа файл" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_fail[] = {
+	{ "en", "Incorrect component evidence" },
+	{ "de", "Falsche Komponenten-Evidenz" },
+	{ "mn", "Буруу компонент х�мжилт" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_pend[] = {
+	{ "en", "Pending component evidence" },
+	{ "de", "Ausstehende Komponenten-Evidenz" },
+	{ "mn", "Xүл��гд�ж компонент х�мжилт" },
+	{ NULL, NULL }
+};
+
+static imv_lang_string_t reason_tpm_quote_fail[] = {
+	{ "en", "Invalid TPM Quote signature received" },
+	{ "de", "Falsche TPM Quote Signature erhalten" },
+	{ "mn", "Буруу TPM Quote гарын ү��г" },
+	{ NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -150,6 +207,59 @@ METHOD(imv_state_t, set_flags, void,
 	this->has_excl = has_excl;
 }
 
+METHOD(imv_state_t, set_max_msg_len, void,
+	private_imv_attestation_state_t *this, u_int32_t max_msg_len)
+{
+	this->max_msg_len = max_msg_len;
+}
+
+METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+	private_imv_attestation_state_t *this)
+{
+	return this->max_msg_len;
+}
+
+METHOD(imv_state_t, set_action_flags, void,
+	private_imv_attestation_state_t *this, u_int32_t flags)
+{
+	this->action_flags |= flags;
+}
+
+METHOD(imv_state_t, get_action_flags, u_int32_t,
+	private_imv_attestation_state_t *this)
+{
+	return this->action_flags;
+}
+
+METHOD(imv_state_t, set_ar_id, void,
+	private_imv_attestation_state_t *this, u_int32_t id_type, chunk_t id_value)
+{
+	this->ar_id_type = id_type;
+	this->ar_id_value = chunk_clone(id_value);
+}
+
+METHOD(imv_state_t, get_ar_id, chunk_t,
+	private_imv_attestation_state_t *this, u_int32_t *id_type)
+{
+	if (id_type)
+	{
+		*id_type = this->ar_id_type;
+	}
+	return this->ar_id_value;
+}
+
+METHOD(imv_state_t, set_session, void,
+	private_imv_attestation_state_t *this, imv_session_t *session)
+{
+	this->session = session;
+}
+
+METHOD(imv_state_t, get_session, imv_session_t*,
+	private_imv_attestation_state_t *this)
+{
+	return this->session;
+}
+
 METHOD(imv_state_t, change_state, void,
 	private_imv_attestation_state_t *this, TNC_ConnectionState new_state)
 {
@@ -158,7 +268,7 @@ METHOD(imv_state_t, change_state, void,
 
 METHOD(imv_state_t, get_recommendation, void,
 	private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation *rec,
-									TNC_IMV_Evaluation_Result *eval)
+										   TNC_IMV_Evaluation_Result *eval)
 {
 	*rec = this->rec;
 	*eval = this->eval;
@@ -166,63 +276,76 @@ METHOD(imv_state_t, get_recommendation, void,
 
 METHOD(imv_state_t, set_recommendation, void,
 	private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec,
-									TNC_IMV_Evaluation_Result eval)
+										   TNC_IMV_Evaluation_Result eval)
 {
 	this->rec = rec;
 	this->eval = eval;
 }
 
-METHOD(imv_state_t, get_reason_string, bool,
-	private_imv_attestation_state_t *this, chunk_t preferred_language,
-	chunk_t *reason_string, chunk_t *reason_language)
+METHOD(imv_state_t, update_recommendation, void,
+	private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec,
+										   TNC_IMV_Evaluation_Result eval)
 {
-	chunk_t pref_lang, lang;
-	u_char *pos;
-	int i;
+	this->rec  = tncif_policy_update_recommendation(this->rec, rec);
+	this->eval = tncif_policy_update_evaluation(this->eval, eval);
+}
 
-	while (eat_whitespace(&preferred_language))
-	{
-		if (!extract_token(&pref_lang, ',', &preferred_language))
-		{
-			/* last entry in a comma-separated list or single entry */
-			pref_lang = preferred_language;
-		}
+METHOD(imv_state_t, get_reason_string, bool,
+	private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *reason_string, char **reason_language)
+{
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
 
-		/* eat trailing whitespace */
-		pos = pref_lang.ptr + pref_lang.len - 1;
-		while (pref_lang.len && *pos-- == ' ')
-		{
-			pref_lang.len--;
-		}
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language);
 
-		for (i = 0 ; i < countof(reasons); i++)
-		{
-			lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang));
-			if (chunk_equals(lang, pref_lang))
-			{
-				*reason_language = lang;
-				*reason_string = chunk_create(reasons[i].string,
-										strlen(reasons[i].string));
-				return TRUE;
-			}
-		}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_file_meas_fail);
 	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_file_meas_pend);
+	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_comp_evid_fail);
+	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_comp_evid_pend);
+	}
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)
+	{
+		this->reason_string->add_reason(this->reason_string,
+										reason_tpm_quote_fail);
+	}
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
 
-	/* no preferred language match found - use the default language */
-	*reason_string =   chunk_create(reasons[0].string,
-									strlen(reasons[0].string));
-	*reason_language = chunk_create(reasons[0].lang,
-									strlen(reasons[0].lang));
 	return TRUE;
 }
 
+METHOD(imv_state_t, get_remediation_instructions, bool,
+	private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
+	chunk_t *string, char **lang_code, char **uri)
+{
+	return FALSE;
+}
+
 METHOD(imv_state_t, destroy, void,
 	private_imv_attestation_state_t *this)
 {
-	this->file_meas_requests->destroy_function(this->file_meas_requests, free);
-	this->components->destroy_offset(this->components,
-									 offsetof(pts_component_t, destroy));
+	DESTROY_IF(this->session);
+	DESTROY_IF(this->reason_string);
+	this->components->destroy_function(this->components, (void *)free_func_comp);
 	this->pts->destroy(this->pts);
+	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -245,70 +368,69 @@ METHOD(imv_attestation_state_t, get_pts, pts_t*,
 	return this->pts;
 }
 
-METHOD(imv_attestation_state_t, add_file_meas_request, u_int16_t,
-	private_imv_attestation_state_t *this, int file_id, bool is_dir)
-{
-	file_meas_request_t *request;
-
-	request = malloc_thing(file_meas_request_t);
-	request->id = ++this->file_meas_request_counter;
-	request->file_id = file_id;
-	request->is_dir = is_dir;
-	this->file_meas_requests->insert_last(this->file_meas_requests, request);
-
-	return this->file_meas_request_counter;
-}
-
-METHOD(imv_attestation_state_t, check_off_file_meas_request, bool,
-	private_imv_attestation_state_t *this, u_int16_t id, int *file_id,
-	bool* is_dir)
+METHOD(imv_attestation_state_t, create_component, pts_component_t*,
+	private_imv_attestation_state_t *this, pts_comp_func_name_t *name,
+	u_int32_t depth, pts_database_t *pts_db)
 {
 	enumerator_t *enumerator;
-	file_meas_request_t *request;
+	func_comp_t *entry, *new_entry;
+	pts_component_t *component;
 	bool found = FALSE;
-	
-	enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests);
-	while (enumerator->enumerate(enumerator, &request))
+
+	enumerator = this->components->create_enumerator(this->components);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (request->id == id)
+		if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)))
 		{
 			found = TRUE;
-			*file_id = request->file_id;
-			*is_dir = request->is_dir;
-			this->file_meas_requests->remove_at(this->file_meas_requests, enumerator);
-			free(request);
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
-	return found;
-}
 
-METHOD(imv_attestation_state_t, get_file_meas_request_count, int,
-	private_imv_attestation_state_t *this)
-{
-	return this->file_meas_requests->get_count(this->file_meas_requests);
-}
-
-METHOD(imv_attestation_state_t, add_component, void,
-	private_imv_attestation_state_t *this, pts_component_t *entry)
-{
-	this->components->insert_last(this->components, entry);
+	if (found)
+	{
+		if (name->get_qualifier(name) == entry->qualifier)
+		{
+			/* duplicate entry */
+			return NULL;
+		}
+		new_entry = malloc_thing(func_comp_t);
+		new_entry->qualifier = name->get_qualifier(name);
+		new_entry->comp = entry->comp->get_ref(entry->comp);
+		this->components->insert_last(this->components, new_entry);
+		return entry->comp;
+	}
+	else
+	{
+		component = pts_components->create(pts_components, name, depth, pts_db);
+		if (!component)
+		{
+			/* unsupported component */
+			return NULL;
+		}
+		new_entry = malloc_thing(func_comp_t);
+		new_entry->qualifier = name->get_qualifier(name);
+		new_entry->comp = component;
+		this->components->insert_last(this->components, new_entry);
+		return component;
+	}
 }
 
-METHOD(imv_attestation_state_t, check_off_component, pts_component_t*,
+METHOD(imv_attestation_state_t, get_component, pts_component_t*,
 	private_imv_attestation_state_t *this, pts_comp_func_name_t *name)
 {
 	enumerator_t *enumerator;
-	pts_component_t *entry, *found = NULL;
+	func_comp_t *entry;
+	pts_component_t *found = NULL;
 
 	enumerator = this->components->create_enumerator(this->components);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (name->equals(name, entry->get_comp_func_name(entry)))
+		if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)) &&
+			name->get_qualifier(name) == entry->qualifier)
 		{
-			found = entry;
-			this->components->remove_at(this->components, enumerator);
+			found = entry->comp;
 			break;
 		}
 	}
@@ -316,40 +438,38 @@ METHOD(imv_attestation_state_t, check_off_component, pts_component_t*,
 	return found;
 }
 
-METHOD(imv_attestation_state_t, check_off_registrations, void,
+METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t,
 	private_imv_attestation_state_t *this)
 {
-	enumerator_t *enumerator;
-	pts_component_t *entry;
-
-	enumerator = this->components->create_enumerator(this->components);
-	while (enumerator->enumerate(enumerator, &entry))
-	{
-		if (entry->check_off_registrations(entry))
-		{
-			this->components->remove_at(this->components, enumerator);
-			entry->destroy(entry);
-		}
-	}
-	enumerator->destroy(enumerator);
+	return this->measurement_error;
 }
 
-METHOD(imv_attestation_state_t, get_component_count, int,
-	private_imv_attestation_state_t *this)
+METHOD(imv_attestation_state_t, set_measurement_error, void,
+	private_imv_attestation_state_t *this, u_int32_t error)
 {
-	return this->components->get_count(this->components);
+	this->measurement_error |= error;
 }
 
-METHOD(imv_attestation_state_t, get_measurement_error, bool,
+METHOD(imv_attestation_state_t, finalize_components, void,
 	private_imv_attestation_state_t *this)
 {
-	return this->measurement_error;
+	func_comp_t *entry;
+
+	while (this->components->remove_last(this->components,
+										(void**)&entry) == SUCCESS)
+	{
+		if (!entry->comp->finalize(entry->comp, entry->qualifier))
+		{
+			set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
+		}
+		free_func_comp(entry);
+	}
 }
 
-METHOD(imv_attestation_state_t, set_measurement_error, void,
+METHOD(imv_attestation_state_t, components_finalized, bool,
 	private_imv_attestation_state_t *this)
 {
-	this->measurement_error = TRUE;
+	return this->components->get_count(this->components) == 0;
 }
 
 /**
@@ -358,7 +478,6 @@ METHOD(imv_attestation_state_t, set_measurement_error, void,
 imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 {
 	private_imv_attestation_state_t *this;
-	char *platform_info;
 
 	INIT(this,
 		.public = {
@@ -367,22 +486,29 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 				.has_long = _has_long,
 				.has_excl = _has_excl,
 				.set_flags = _set_flags,
+				.set_max_msg_len = _set_max_msg_len,
+				.get_max_msg_len = _get_max_msg_len,
+				.set_action_flags = _set_action_flags,
+				.get_action_flags = _get_action_flags,
+				.set_ar_id = _set_ar_id,
+				.get_ar_id = _get_ar_id,
+				.set_session = _set_session,
+				.get_session = _get_session,
 				.change_state = _change_state,
 				.get_recommendation = _get_recommendation,
 				.set_recommendation = _set_recommendation,
+				.update_recommendation = _update_recommendation,
 				.get_reason_string = _get_reason_string,
+				.get_remediation_instructions = _get_remediation_instructions,
 				.destroy = _destroy,
 			},
 			.get_handshake_state = _get_handshake_state,
 			.set_handshake_state = _set_handshake_state,
 			.get_pts = _get_pts,
-			.add_file_meas_request = _add_file_meas_request,
-			.check_off_file_meas_request = _check_off_file_meas_request,
-			.get_file_meas_request_count = _get_file_meas_request_count,
-			.add_component = _add_component,
-			.check_off_component = _check_off_component,
-			.check_off_registrations = _check_off_registrations,
-			.get_component_count = _get_component_count,
+			.create_component = _create_component,
+			.get_component = _get_component,
+			.finalize_components = _finalize_components,
+			.components_finalized = _components_finalized,
 			.get_measurement_error = _get_measurement_error,
 			.set_measurement_error = _set_measurement_error,
 		},
@@ -391,17 +517,9 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 		.handshake_state = IMV_ATTESTATION_STATE_INIT,
 		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
-		.file_meas_requests = linked_list_create(),
 		.components = linked_list_create(),
 		.pts = pts_create(FALSE),
 	);
 
-	platform_info = lib->settings->get_str(lib->settings,
-						 "libimcv.plugins.imv-attestation.platform_info", NULL);
-	if (platform_info)
-	{
-		this->pts->set_platform_info(this->pts, platform_info);
-	}
-	
 	return &this->public.interface;
 }
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 0e2c04da4..f3edd5fa1 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,9 +14,11 @@
  */
 
 /**
+ * @defgroup imv_attestation imv_attestation
+ * @ingroup libpts_plugins
  *
  * @defgroup imv_attestation_state_t imv_attestation_state
- * @{ @ingroup imv_attestation_state
+ * @{ @ingroup imv_attestation
  */
 
 #ifndef IMV_ATTESTATION_STATE_H_
@@ -24,11 +26,24 @@
 
 #include <imv/imv_state.h>
 #include <pts/pts.h>
+#include <pts/pts_database.h>
 #include <pts/components/pts_component.h>
 #include <library.h>
 
 typedef struct imv_attestation_state_t imv_attestation_state_t;
+typedef enum imv_attestation_flag_t imv_attestation_flag_t;
 typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t;
+typedef enum imv_meas_error_t imv_meas_error_t;
+
+/**
+ * IMV Attestation Flags set for completed actions
+ */
+enum imv_attestation_flag_t {
+	IMV_ATTESTATION_FLAG_ATTR_REQ =  (1<<0),
+	IMV_ATTESTATION_FLAG_ALGO =      (1<<1),
+	IMV_ATTESTATION_FLAG_FILE_MEAS = (1<<2),
+	IMV_ATTESTATION_FLAG_REC =       (1<<3)
+};
 
 /**
  * IMV Attestation Handshake States (state machine)
@@ -37,13 +52,23 @@ enum imv_attestation_handshake_state_t {
 	IMV_ATTESTATION_STATE_INIT,
 	IMV_ATTESTATION_STATE_NONCE_REQ,
 	IMV_ATTESTATION_STATE_TPM_INIT,
-	IMV_ATTESTATION_STATE_MEAS,
 	IMV_ATTESTATION_STATE_COMP_EVID,
 	IMV_ATTESTATION_STATE_EVID_FINAL,
 	IMV_ATTESTATION_STATE_END,
 };
 
 /**
+ * IMV Measurement Error Types
+ */
+enum imv_meas_error_t {
+	IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL =  1,
+	IMV_ATTESTATION_ERROR_FILE_MEAS_PEND =  2,
+	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  4,
+	IMV_ATTESTATION_ERROR_COMP_EVID_PEND =  8,
+	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+};
+
+/**
  * Internal state of an imv_attestation_t connection instance
  */
 struct imv_attestation_state_t {
@@ -60,7 +85,7 @@ struct imv_attestation_state_t {
 	 */
 	imv_attestation_handshake_state_t (*get_handshake_state)(
 		imv_attestation_state_t *this);
-	
+
 	/**
 	 * Set state of the handshake
 	 *
@@ -77,72 +102,52 @@ struct imv_attestation_state_t {
 	pts_t* (*get_pts)(imv_attestation_state_t *this);
 
 	/**
-	 * Add an entry to the list of pending file/directory measurement requests
-	 *
-	 * @param file_id			primary key into file table
-	 * @param is_dir			TRUE if directory
-	 * @return					unique request ID
-	 */
-	u_int16_t (*add_file_meas_request)(imv_attestation_state_t *this,
-									   int file_id, bool is_dir);
-
-	/**
-	 * Returns the number of pending file/directory measurement requests
+	 * Create and add an entry to the list of Functional Components
 	 *
-	 * @return					number of pending requests
+	 * @param name				Component Functional Name
+	 * @param depth				Sub-component Depth
+	 * @param pts_db			PTS measurement database
+	 * @return					created functional component instance or NULL
 	 */
-	int (*get_file_meas_request_count)(imv_attestation_state_t *this);
+	pts_component_t* (*create_component)(imv_attestation_state_t *this,
+										 pts_comp_func_name_t *name,
+										 u_int32_t depth,
+										 pts_database_t *pts_db);
 
 	/**
-	 * Check for presence of request_id and if found remove it from the list
+	 * Get a Functional Component with a given name
 	 *
-	 * @param id				unique request ID
-	 * @param file_id			primary key into file table
-	 * @param is_dir			return TRUE if request was for a directory
-	 * @return					TRUE if request ID found, FALSE otherwise
+	 * @param name				Name of the requested Functional Component
+	 * @return					Functional Component if found, NULL otherwise
 	 */
-	bool (*check_off_file_meas_request)(imv_attestation_state_t *this,
-										u_int16_t id, int *file_id, bool *is_dir);
+	pts_component_t* (*get_component)(imv_attestation_state_t *this,
+									  pts_comp_func_name_t *name);
 
 	/**
-	 * Add an entry to the list of Functional Components waiting for evidence
-	 *
-	 * @param entry				Functional Component
+	 * Tell the Functional Components to finalize any measurement registrations
+	 * and to check if all expected measurements were received
 	 */
-	void (*add_component)(imv_attestation_state_t *this, pts_component_t *entry);
+	void (*finalize_components)(imv_attestation_state_t *this);
 
 	/**
-	 * Returns the number of Functional Component waiting for evidence
-	 *
-	 * @return					Number of waiting Functional Components
+	 * Have the Functional Component measurements been finalized?
 	 */
-	int (*get_component_count)(imv_attestation_state_t *this);
+	bool (*components_finalized)(imv_attestation_state_t *this);
 
 	/**
-	 * Check for presence of Functional Component and remove and return it
+	 * Indicates the types of measurement errors that occurred
 	 *
-	 * @param name			 	Name of the requested Functional Component
-	 * @return					Functional Component if found, NULL otherwise
-	 */
-	pts_component_t* (*check_off_component)(imv_attestation_state_t *this,
-											pts_comp_func_name_t *name);
-
-	/**
-	 * Tell the Functional Components to finalize any measurement registrations
+	 * @return					Measurement error flags
 	 */
-	void (*check_off_registrations)(imv_attestation_state_t *this);
+	u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
 
 	/**
-	 * Indicates if a file measurement error occurred
+	 * Call if a measurement error is encountered
 	 *
-	 * @return					TRUE in case of measurement error
-	 */
-	bool (*get_measurement_error)(imv_attestation_state_t *this);
-
-	/**
-	 * Call if a file measurement error is encountered
+	 * @param error				Measurement error type
 	 */
-	void (*set_measurement_error)(imv_attestation_state_t *this);
+	void (*set_measurement_error)(imv_attestation_state_t *this,
+								  u_int32_t error);
 
 };
 
diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql
deleted file mode 100644
index 703557a07..000000000
--- a/src/libpts/plugins/imv_attestation/tables.sql
+++ /dev/null
@@ -1,82 +0,0 @@
-/* PTS SQLite database */
-
-DROP TABLE IF EXISTS files;
-CREATE TABLE files (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  type INTEGER NOT NULL,
-  path TEXT NOT NULL
-);
-
-DROP TABLE IF EXISTS products;
-CREATE TABLE products (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  name TEXT NOT NULL
-);
-DROP INDEX IF EXISTS products_name;
-CREATE INDEX products_name ON products (
-  name
-);
-
-DROP TABLE IF EXISTS product_file;
-CREATE TABLE product_file (
-  product INTEGER NOT NULL,
-  file INTEGER NOT NULL,
-  measurement INTEGER DEFAULT 0,
-  metadata INTEGER DEFAULT 0,
-  PRIMARY KEY (product, file)
-);
-
-DROP TABLE IF EXISTS file_hashes;
-CREATE TABLE file_hashes (
-  file INTEGER NOT NULL,
-  directory INTEGER DEFAULT 0,
-  product INTEGER NOT NULL,
-  algo INTEGER NOT NULL,
-  hash BLOB NOT NULL,
-  PRIMARY KEY(file, directory, product, algo)
-);
-
-DROP TABLE IF EXISTS keys;
-CREATE TABLE keys (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  keyid BLOB NOT NULL,
-  owner TEXT NOT NULL
-);
-DROP INDEX IF EXISTS keys_keyid;
-CREATE INDEX keys_keyid ON keys (
-  keyid
-);
-DROP INDEX IF EXISTS keys_owner;
-CREATE INDEX keys_owner ON keys (
-  owner
-);
-
-DROP TABLE IF EXISTS components;
-CREATE TABLE components (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  vendor_id INTEGER NOT NULL,
-  name INTEGER NOT NULL,
-  qualifier INTEGER DEFAULT 0
-);
-
-
-DROP TABLE IF EXISTS key_component;
-CREATE TABLE key_component (
-  key INTEGER NOT NULL,
-  component INTEGER NOT NULL,
-  depth INTEGER DEFAULT 0,
-  seq_no INTEGER DEFAULT 0,
-  PRIMARY KEY (key, component)
-);
-
-
-DROP TABLE IF EXISTS component_hashes;
-CREATE TABLE component_hashes (
-  component INTEGER NOT NULL,
-  key INTEGER NOT NULL,
-  seq_no INTEGER NOT NULL,
-  pcr INTEGER NOT NULL,
-  algo INTEGER NOT NULL,
-  hash BLOB NOT NULL,
-  PRIMARY KEY(component, key, seq_no, algo)
-);
diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c
index a7da76651..02470f5f5 100644
--- a/src/libpts/pts/components/ita/ita_comp_ima.c
+++ b/src/libpts/pts/components/ita/ita_comp_ima.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,9 +17,10 @@
 #include "ita_comp_func_name.h"
 
 #include "libpts.h"
+#include "pts/pts_pcr.h"
 #include "pts/components/pts_component.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 
 #include <sys/types.h>
@@ -29,11 +29,25 @@
 #include <fcntl.h>
 #include <errno.h>
 
-#define IMA_SECURITY_DIR			"/sys/kernel/security/tpm0/"
-#define IMA_BIOS_MEASUREMENT_PATH	IMA_SECURITY_DIR "binary_bios_measurements"
-#define IMA_PCR_MAX					16
+#define SECURITY_DIR				"/sys/kernel/security/"
+#define IMA_BIOS_MEASUREMENTS		SECURITY_DIR "tpm0/binary_bios_measurements"
+#define IMA_RUNTIME_MEASUREMENTS	SECURITY_DIR "ima/binary_runtime_measurements"
+#define IMA_PCR						10
+#define IMA_TYPE_LEN				3
+#define IMA_FILENAME_LEN_MAX	255
 
 typedef struct pts_ita_comp_ima_t pts_ita_comp_ima_t;
+typedef struct bios_entry_t bios_entry_t;
+typedef struct ima_entry_t ima_entry_t;
+typedef enum ima_state_t ima_state_t;
+
+enum ima_state_t {
+	IMA_STATE_INIT,
+	IMA_STATE_BIOS,
+	IMA_STATE_BOOT_AGGREGATE,
+	IMA_STATE_RUNTIME,
+	IMA_STATE_END
+};
 
 /**
  * Private data of a pts_ita_comp_ima_t object.
@@ -67,52 +81,101 @@ struct pts_ita_comp_ima_t {
 	pts_database_t *pts_db;
 
 	/**
-	 * Primary key for Component Functional Name database entry
+	 * Primary key for AIK database entry
 	 */
-	int cid;
+	int kid;
 
 	/**
-	 * Primary key for AIK database entry
+	 * Primary key for IMA BIOS Component Functional Name database entry
 	 */
-	int kid;
+	int bios_cid;
+
+	/**
+	 * Primary key for IMA Runtime Component Functional Name database entry
+	 */
+	int ima_cid;
 
 	/**
-	 * Component is registering measurements 
+	 * Component is registering IMA BIOS measurements
 	 */
-	bool is_registering;
+	bool is_bios_registering;
+
+	/**
+	 * Component is registering IMA boot aggregate measurement
+	 */
+	bool is_ima_registering;
+
+	/**
+	 * Measurement sequence number
+	 */
+	int seq_no;
 
 	/**
-     * IMA BIOS measurement time
+	 * Expected IMA BIOS measurement count
 	 */
-	time_t bios_measurement_time;
+	int bios_count;
 
 	/**
      * IMA BIOS measurements
 	 */
-	linked_list_t *list;
+	linked_list_t *bios_list;
 
 	/**
-	 * Expected measurement count
+     * IMA runtime file measurements
+	 */
+	linked_list_t *ima_list;
+
+	/**
+	 * Whether to send pcr_before and pcr_after info
+	 */
+	bool pcr_info;
+
+	/**
+	 * IMA measurement time
+	 */
+	time_t measurement_time;
+
+	/**
+	 * IMA state machine
+	 */
+	ima_state_t state;
+
+	/**
+	 * Total number of component measurements
 	 */
 	int count;
 
 	/**
-	 * Measurement sequence number
+	 * Number of successful component measurements
 	 */
-	int seq_no;
+	int count_ok;
 
 	/**
-	 * Shadow PCR registers
+	 * Number of unknown component measurements
 	 */
-	chunk_t pcrs[IMA_PCR_MAX];
-};
+	int count_unknown;
 
-typedef struct entry_t entry_t;
+	/**
+	 * Number of differing component measurements
+	 */
+	int count_differ;
+
+	/**
+	 * Number of failed component measurements
+	 */
+	int count_failed;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+
+};
 
 /**
- * Linux IMA measurement entry
+ * Linux IMA BIOS measurement entry
  */
-struct entry_t {
+struct bios_entry_t {
 
 	/**
 	 * PCR register
@@ -121,26 +184,53 @@ struct entry_t {
 
 	/**
 	 * SHA1 measurement hash
-	 */	
+	 */
+	chunk_t measurement;
+};
+
+/**
+ * Linux IMA runtime file measurement entry
+ */
+struct ima_entry_t {
+
+	/**
+	 * SHA1 measurement hash
+	 */
 	chunk_t measurement;
+
+	/**
+	 * absolute path of executable files or basename of dynamic libraries
+	 */
+	char *filename;
 };
 
 /**
- * Free an entry_t object
+ * Free a bios_entry_t object
+ */
+static void free_bios_entry(bios_entry_t *this)
+{
+	free(this->measurement.ptr);
+	free(this);
+}
+
+/**
+ * Free an ima_entry_t object
  */
-static void free_entry(entry_t *this)
+static void free_ima_entry(ima_entry_t *this)
 {
 	free(this->measurement.ptr);
+	free(this->filename);
 	free(this);
 }
 
 /**
  * Load a PCR measurement file and determine the creation date
  */
-static bool load_measurements(char *file, linked_list_t *list, time_t *created)
+static bool load_bios_measurements(char *file, linked_list_t *list,
+								   time_t *created)
 {
 	u_int32_t pcr, num, len;
-	entry_t *entry;
+	bios_entry_t *entry;
 	struct stat st;
 	ssize_t res;
 	int fd;
@@ -148,13 +238,13 @@ static bool load_measurements(char *file, linked_list_t *list, time_t *created)
 	fd = open(file, O_RDONLY);
 	if (fd == -1)
 	{
-		DBG1(DBG_PTS, "  opening '%s' failed: %s", file, strerror(errno));
+		DBG1(DBG_PTS, "opening '%s' failed: %s", file, strerror(errno));
 		return FALSE;
 	}
 
 	if (fstat(fd, &st) == -1)
 	{
-		DBG1(DBG_PTS, "  getting statistics of '%s' failed: %s", file,
+		DBG1(DBG_PTS, "getting statistics of '%s' failed: %s", file,
 			 strerror(errno));
 		close(fd);
 		return FALSE;
@@ -167,12 +257,12 @@ static bool load_measurements(char *file, linked_list_t *list, time_t *created)
 		if (res == 0)
 		{
 			DBG2(DBG_PTS, "loaded bios measurements '%s' (%d entries)",
-						   file, list->get_count(list));
+				 file, list->get_count(list));
 			close(fd);
 			return TRUE;
 		}
 
-		entry = malloc_thing(entry_t);
+		entry = malloc_thing(bios_entry_t);
 		entry->pcr = pcr;
 		entry->measurement = chunk_alloc(HASH_SIZE_SHA1);
 
@@ -199,12 +289,190 @@ static bool load_measurements(char *file, linked_list_t *list, time_t *created)
 		list->insert_last(list, entry);
 	}
 
-	DBG1(DBG_PTS, "loading bios measurements '%s' failed: %s",
-				   file, strerror(errno));
+	DBG1(DBG_PTS, "loading bios measurements '%s' failed: %s", file,
+		 strerror(errno));
+	free_bios_entry(entry);
 	close(fd);
 	return FALSE;
 }
 
+/**
+ * Load an IMA runtime measurement file and determine the creation and
+ * update dates
+ */
+static bool load_runtime_measurements(char *file, linked_list_t *list,
+									 time_t *created)
+{
+	u_int32_t pcr, len;
+	ima_entry_t *entry;
+	char type[IMA_TYPE_LEN];
+	struct stat st;
+	ssize_t res;
+	int fd;
+
+	fd = open(file, O_RDONLY);
+	if (fd == -1)
+	{
+		DBG1(DBG_PTS, "opening '%s' failed: %s", file, strerror(errno));
+		return TRUE;
+	}
+
+	if (fstat(fd, &st) == -1)
+	{
+		DBG1(DBG_PTS, "getting statistics of '%s' failed: %s", file,
+			 strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+	*created = st.st_ctime;
+
+	while (TRUE)
+	{
+		res = read(fd, &pcr, 4);
+		if (res == 0)
+		{
+			DBG2(DBG_PTS, "loaded ima measurements '%s' (%d entries)",
+				 file, list->get_count(list));
+			close(fd);
+			return TRUE;
+		}
+
+		entry = malloc_thing(ima_entry_t);
+		entry->measurement = chunk_alloc(HASH_SIZE_SHA1);
+		entry->filename = NULL;
+
+		if (res != 4 || pcr != IMA_PCR)
+		{
+			break;
+		}
+		if (read(fd, entry->measurement.ptr, HASH_SIZE_SHA1) != HASH_SIZE_SHA1)
+		{
+			break;
+		}
+		if (read(fd, &len, 4) != 4 || len != IMA_TYPE_LEN)
+		{
+			break;
+		}
+		if (read(fd, type, IMA_TYPE_LEN) != IMA_TYPE_LEN ||
+			memcmp(type, "ima", IMA_TYPE_LEN))
+		{
+			break;
+		}
+		if (lseek(fd, HASH_SIZE_SHA1, SEEK_CUR) == -1)
+		{
+			break;
+		}
+		if (read(fd, &len, 4) != 4)
+		{
+			break;
+		}
+		entry->filename = malloc(len + 1);
+		if (read(fd, entry->filename, len) != len)
+		{
+			break;
+		}
+		entry->filename[len] = '\0';
+
+		list->insert_last(list, entry);
+	}
+
+	DBG1(DBG_PTS, "loading ima measurements '%s' failed: %s",
+		 file, strerror(errno));
+	free_ima_entry(entry);
+	close(fd);
+	return FALSE;
+}
+
+/**
+ * Extend measurement into PCR an create evidence
+ */
+static pts_comp_evidence_t* extend_pcr(pts_ita_comp_ima_t* this,
+									   u_int8_t qualifier, pts_pcr_t *pcrs,
+									   u_int32_t pcr, chunk_t measurement)
+{
+	size_t pcr_len;
+	pts_pcr_transform_t pcr_transform;
+	pts_meas_algorithms_t hash_algo;
+	pts_comp_func_name_t *name;
+	pts_comp_evidence_t *evidence;
+	chunk_t pcr_before = chunk_empty, pcr_after = chunk_empty;
+
+	hash_algo = PTS_MEAS_ALGO_SHA1;
+	pcr_len = HASH_SIZE_SHA1;
+	pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
+
+	if (this->pcr_info)
+	{
+		pcr_before = chunk_clone(pcrs->get(pcrs, pcr));
+	}
+	pcr_after = pcrs->extend(pcrs, pcr, measurement);
+	if (!pcr_after.ptr)
+	{
+		free(pcr_before.ptr);
+		return NULL;
+	}
+	name = this->name->clone(this->name);
+	name->set_qualifier(name, qualifier);
+	evidence = pts_comp_evidence_create(name, this->depth, pcr, hash_algo,
+			 		pcr_transform, this->measurement_time, measurement);
+	if (this->pcr_info)
+	{
+		pcr_after =chunk_clone(pcrs->get(pcrs, pcr));
+		evidence->set_pcr_info(evidence, pcr_before, pcr_after);
+	}
+	return evidence;
+}
+
+/**
+ * Compute and check boot aggregate value by hashing PCR0 to PCR7
+ */
+static bool check_boot_aggregate(pts_pcr_t *pcrs, chunk_t measurement)
+{
+	u_int32_t i;
+	u_char filename_buffer[IMA_FILENAME_LEN_MAX + 1];
+	u_char pcr_buffer[HASH_SIZE_SHA1];
+	chunk_t file_name, boot_aggregate;
+	hasher_t *hasher;
+	bool success, pcr_ok = TRUE;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1(DBG_PTS, "%N hasher could not be created",
+			 hash_algorithm_short_names, HASH_SHA1);
+		return FALSE;
+	}
+	for (i = 0; i < 8 && pcr_ok; i++)
+	{
+		pcr_ok = hasher->get_hash(hasher, pcrs->get(pcrs, i), NULL);
+	}
+	if (pcr_ok)
+	{
+		boot_aggregate = chunk_create(pcr_buffer, sizeof(pcr_buffer));
+		memset(filename_buffer, 0, sizeof(filename_buffer));
+		strcpy(filename_buffer, "boot_aggregate");
+		file_name = chunk_create (filename_buffer, sizeof(filename_buffer));
+
+		pcr_ok = hasher->get_hash(hasher, chunk_empty, pcr_buffer) &&
+				 hasher->get_hash(hasher, boot_aggregate, NULL) &&
+				 hasher->get_hash(hasher, file_name, boot_aggregate.ptr);
+	}
+	hasher->destroy(hasher);
+
+	if (pcr_ok)
+	{
+		success = chunk_equals(boot_aggregate, measurement);
+		DBG1(DBG_PTS, "boot aggregate value is %scorrect",
+					   success ? "":"in");
+		return success;
+	}
+	else
+	{
+		DBG1(DBG_PTS, "failed to compute boot aggregate value");
+		return FALSE;
+	}
+}
+
 METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
 	pts_ita_comp_ima_t *this)
 {
@@ -224,193 +492,446 @@ METHOD(pts_component_t, get_depth, u_int32_t,
 }
 
 METHOD(pts_component_t, measure, status_t,
-	pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
+	pts_ita_comp_ima_t *this, u_int8_t qualifier, pts_t *pts,
+	pts_comp_evidence_t **evidence)
 {
-	pts_comp_evidence_t *evid;
-	chunk_t pcr_before, pcr_after;
-	pts_pcr_transform_t pcr_transform;
-	pts_meas_algorithms_t hash_algo;
-	size_t pcr_len;
-	entry_t *entry;
-	hasher_t *hasher;
+	bios_entry_t *bios_entry;
+	ima_entry_t *ima_entry;
+	pts_pcr_t *pcrs;
+	pts_comp_evidence_t *evid = NULL;
+	status_t status;
 
-	hash_algo = PTS_MEAS_ALGO_SHA1;
-	pcr_len = pts->get_pcr_len(pts);   
-	pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
+	pcrs = pts->get_pcrs(pts);
 
-	if (this->list->get_count(this->list) == 0)
+	if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL |
+					  PTS_ITA_QUALIFIER_TYPE_TRUSTED))
 	{
-		if (!load_measurements(IMA_BIOS_MEASUREMENT_PATH, this->list,
-							   &this->bios_measurement_time))
+		switch (this->state)
 		{
-			return FAILED;
+			case IMA_STATE_INIT:
+				if (!load_bios_measurements(IMA_BIOS_MEASUREMENTS,
+					this->bios_list, &this->measurement_time))
+				{
+					return FAILED;
+				}
+				this->bios_count = this->bios_list->get_count(this->bios_list);
+				this->state = IMA_STATE_BIOS;
+				/* fall through to next state */
+			case IMA_STATE_BIOS:
+				status = this->bios_list->remove_first(this->bios_list,
+													  (void**)&bios_entry);
+				if (status != SUCCESS)
+				{
+					DBG1(DBG_PTS, "could not retrieve bios measurement entry");
+					return status;
+				}
+				evid = extend_pcr(this, qualifier, pcrs, bios_entry->pcr,
+								  bios_entry->measurement);
+				free(bios_entry);
+
+				this->state = this->bios_list->get_count(this->bios_list) ?
+										IMA_STATE_BIOS : IMA_STATE_INIT;
+				break;
+			default:
+				return FAILED;
+		}
+	}
+	else if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL |
+						   PTS_ITA_QUALIFIER_TYPE_OS))
+	{
+		switch (this->state)
+		{
+			case IMA_STATE_INIT:
+				if (!load_runtime_measurements(IMA_RUNTIME_MEASUREMENTS,
+								this->ima_list, &this->measurement_time))
+				{
+					return FAILED;
+				}
+				this->state = IMA_STATE_BOOT_AGGREGATE;
+				/* fall through to next state */
+			case IMA_STATE_BOOT_AGGREGATE:
+			case IMA_STATE_RUNTIME:
+				status = this->ima_list->remove_first(this->ima_list,
+													 (void**)&ima_entry);
+				if (status != SUCCESS)
+				{
+					DBG1(DBG_PTS, "could not retrieve ima measurement entry");
+					return status;
+				}
+				if (this->state == IMA_STATE_BOOT_AGGREGATE && this->bios_count)
+				{
+					if (!check_boot_aggregate(pcrs, ima_entry->measurement))
+					{
+						return FAILED;
+					}
+				}
+				evid = extend_pcr(this, qualifier, pcrs, IMA_PCR,
+								  ima_entry->measurement);
+				if (evid)
+				{
+					evid->set_validation(evid, PTS_COMP_EVID_VALIDATION_PASSED,
+											   ima_entry->filename);
+				}
+				free(ima_entry->filename);
+				free(ima_entry);
+
+				this->state = this->ima_list->get_count(this->ima_list) ?
+									IMA_STATE_RUNTIME : IMA_STATE_END;
+				break;
+			default:
+				return FAILED;
 		}
 	}
-	
-	if (this->list->remove_first(this->list, (void**)&entry) != SUCCESS)
+	else
 	{
-		DBG1(DBG_PTS, "could not retrieve measurement entry");
+		DBG1(DBG_PTS, "unsupported functional component name qualifier");
 		return FAILED;
 	}
-	
-	pcr_before = chunk_clone(this->pcrs[entry->pcr]);
-	
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	hasher->get_hash(hasher, pcr_before, NULL);
-	hasher->get_hash(hasher, entry->measurement, this->pcrs[entry->pcr].ptr);
-	hasher->destroy(hasher);
 
-	pcr_after = chunk_clone(this->pcrs[entry->pcr]);
-
-	evid = *evidence = pts_comp_evidence_create(this->name->clone(this->name),
-							this->depth, entry->pcr, hash_algo, pcr_transform,
-							this->bios_measurement_time, entry->measurement);
-	evid->set_pcr_info(evid, pcr_before, pcr_after);
-
-	free(entry);
+	*evidence = evid;
+	if (!evid)
+	{
+		return FAILED;
+	}
 
-	return (this->list->get_count(this->list)) ? NEED_MORE : SUCCESS;
+	return (this->state == IMA_STATE_INIT || this->state == IMA_STATE_END) ?
+			SUCCESS : NEED_MORE;
 }
 
 METHOD(pts_component_t, verify, status_t,
-	pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t *evidence)
+	pts_ita_comp_ima_t *this, u_int8_t qualifier, pts_t *pts,
+	pts_comp_evidence_t *evidence)
 {
 	bool has_pcr_info;
-	u_int32_t extended_pcr, vid, name;
+	u_int32_t pcr, vid, name;
 	enum_name_t *names;
 	pts_meas_algorithms_t algo;
 	pts_pcr_transform_t transform;
+	pts_pcr_t *pcrs;
 	time_t measurement_time;
 	chunk_t measurement, pcr_before, pcr_after;
+	status_t status;
+	char *uri;
 
-	measurement = evidence->get_measurement(evidence, &extended_pcr,
-								&algo, &transform, &measurement_time);
-
+	/* some first time initializations */
 	if (!this->keyid.ptr)
 	{
 		if (!pts->get_aik_keyid(pts, &this->keyid))
 		{
+			DBG1(DBG_PTS, "AIK keyid not available");
 			return FAILED;
 		}
 		this->keyid = chunk_clone(this->keyid);
-
 		if (!this->pts_db)
 		{
 			DBG1(DBG_PTS, "pts database not available");
 			return FAILED;
 		}
-		if (this->pts_db->get_comp_measurement_count(this->pts_db,
-							this->name, this->keyid, algo,
-							&this->cid, &this->kid, &this->count) != SUCCESS)
-		{
-			return FAILED;
-		}
-		vid = this->name->get_vendor_id(this->name);
-		name = this->name->get_name(this->name);
-		names = pts_components->get_comp_func_names(pts_components, vid);
+	}
 
-		if (this->count)
-		{
-			DBG1(DBG_PTS, "checking %d %N '%N' functional component evidence "
-				 "measurements", this->count, pen_names, vid, names, name);
-		}
-		else
+	pcrs = pts->get_pcrs(pts);
+	measurement = evidence->get_measurement(evidence, &pcr,	&algo, &transform,
+											&measurement_time);
+
+	if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL |
+					  PTS_ITA_QUALIFIER_TYPE_TRUSTED))
+	{
+		switch (this->state)
 		{
-			DBG1(DBG_PTS, "registering %N '%N' functional component evidence "
-				 "measurements", pen_names, vid, names, name);
-			this->is_registering = TRUE;
+			case IMA_STATE_INIT:
+				this->name->set_qualifier(this->name, qualifier);
+				status = this->pts_db->get_comp_measurement_count(this->pts_db,
+								this->name, this->keyid, algo, &this->bios_cid,
+								&this->kid, &this->bios_count);
+				this->name->set_qualifier(this->name, PTS_QUALIFIER_UNKNOWN);
+				if (status != SUCCESS)
+				{
+					return status;
+				}
+				vid = this->name->get_vendor_id(this->name);
+				name = this->name->get_name(this->name);
+				names = pts_components->get_comp_func_names(pts_components, vid);
+
+				if (this->bios_count)
+				{
+					DBG1(DBG_PTS, "checking %d %N '%N' BIOS evidence measurements",
+								   this->bios_count, pen_names, vid, names, name);
+				}
+				else
+				{
+					DBG1(DBG_PTS, "registering %N '%N' BIOS evidence measurements",
+								   pen_names, vid, names, name);
+					this->is_bios_registering = TRUE;
+				}
+
+				this->state = IMA_STATE_BIOS;
+				/* fall through to next state */
+			case IMA_STATE_BIOS:
+				if (this->is_bios_registering)
+				{
+					status = this->pts_db->insert_comp_measurement(this->pts_db,
+										measurement, this->bios_cid, this->kid,
+										++this->seq_no,	pcr, algo);
+					if (status != SUCCESS)
+					{
+						return status;
+					}
+					this->bios_count = this->seq_no + 1;
+				}
+				else
+				{
+					status = this->pts_db->check_comp_measurement(this->pts_db,
+										measurement, this->bios_cid, this->kid,
+										++this->seq_no,	pcr, algo);
+					if (status != SUCCESS)
+					{
+						return status;
+					}
+				}
+				break;
+			default:
+				return FAILED;
 		}
 	}
-
-	if (this->is_registering)
+	else if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL |
+						   PTS_ITA_QUALIFIER_TYPE_OS))
 	{
-		if (this->pts_db->insert_comp_measurement(this->pts_db, measurement,
-										this->cid, this->kid, ++this->seq_no,
-										extended_pcr, algo) != SUCCESS)
+		int ima_count;
+
+		switch (this->state)
 		{
-			return FAILED;
+			case IMA_STATE_BIOS:
+				if (!check_boot_aggregate(pcrs, measurement))
+				{
+					this->state = IMA_STATE_RUNTIME;
+					return FAILED;
+				}
+				this->state = IMA_STATE_INIT;
+				/* fall through to next state */
+			case IMA_STATE_INIT:
+				this->name->set_qualifier(this->name, qualifier);
+				status = this->pts_db->get_comp_measurement_count(this->pts_db,
+										this->name, this->keyid, algo,
+										&this->ima_cid,	&this->kid, &ima_count);
+				this->name->set_qualifier(this->name, PTS_QUALIFIER_UNKNOWN);
+				if (status != SUCCESS)
+				{
+					return status;
+				}
+				vid = this->name->get_vendor_id(this->name);
+				name = this->name->get_name(this->name);
+				names = pts_components->get_comp_func_names(pts_components, vid);
+
+				if (ima_count)
+				{
+					DBG1(DBG_PTS, "checking %N '%N' boot aggregate evidence "
+								  "measurement", pen_names, vid, names, name);
+					status = this->pts_db->check_comp_measurement(this->pts_db,
+													measurement, this->ima_cid,
+													this->kid, 1, pcr, algo);
+				}
+				else
+				{
+					DBG1(DBG_PTS, "registering %N '%N' boot aggregate evidence "
+								   "measurement", pen_names, vid, names, name);
+					this->is_ima_registering = TRUE;
+					status = this->pts_db->insert_comp_measurement(this->pts_db,
+													measurement, this->ima_cid,
+										 			this->kid, 1, pcr, algo);
+				}
+				this->state = IMA_STATE_RUNTIME;
+
+				if (status != SUCCESS)
+				{
+					return status;
+				}
+				break;
+			case IMA_STATE_RUNTIME:
+				this->count++;
+				if (evidence->get_validation(evidence, &uri) !=
+					PTS_COMP_EVID_VALIDATION_PASSED)
+				{
+					DBG1(DBG_PTS, "policy URI could no be retrieved");
+					this->count_failed++;
+					return FAILED;
+				}
+				status = this->pts_db->check_file_measurement(this->pts_db,
+												pts->get_platform_info(pts),
+												PTS_MEAS_ALGO_SHA1_IMA,
+												measurement, uri);
+				switch (status)
+				{
+					case SUCCESS:
+						DBG3(DBG_PTS, "%#B for '%s' is ok",
+									   &measurement, uri);
+						this->count_ok++;
+						break;
+					case NOT_FOUND:
+						DBG2(DBG_PTS, "%#B for '%s' not found",
+									   &measurement, uri);
+						this->count_unknown++;
+						break;
+					case VERIFY_ERROR:
+						DBG1(DBG_PTS, "%#B for '%s' differs",
+									   &measurement, uri);
+						this->count_differ++;
+						break;
+					case FAILED:
+					default:
+						DBG1(DBG_PTS, "%#B for '%s' failed",
+									   &measurement, uri);
+						this->count_failed++;
+				}
+				break;
+			default:
+				return FAILED;
 		}
-		this->count = this->seq_no + 1;
 	}
 	else
 	{
-		if (this->pts_db->check_comp_measurement(this->pts_db, measurement,
-										this->cid, this->kid, ++this->seq_no,
-										extended_pcr, algo) != SUCCESS)
-		{
-			return FAILED;
-		}
+		DBG1(DBG_PTS, "unsupported functional component name qualifier");
+		return FAILED;
 	}
 
 	has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
 	if (has_pcr_info)
 	{
-		if (!pts->add_pcr(pts, extended_pcr, pcr_before, pcr_after))
+		if (!chunk_equals(pcr_before, pcrs->get(pcrs, pcr)))
 		{
-			return FAILED;
+			DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value",
+						   pcr);
+		}
+		if (pcrs->set(pcrs, pcr, pcr_after))
+		{
+			return SUCCESS;
 		}
 	}
-
-	return (this->seq_no < this->count) ? NEED_MORE : SUCCESS;
+	else
+	{
+		pcr_after = pcrs->extend(pcrs, pcr, measurement);
+		if (pcr_after.ptr)
+		{
+			return SUCCESS;
+		}
+	}
+	return FAILED;
 }
 
-METHOD(pts_component_t, check_off_registrations, bool,
-	pts_ita_comp_ima_t *this)
+METHOD(pts_component_t, finalize, bool,
+	pts_ita_comp_ima_t *this, u_int8_t qualifier)
 {
 	u_int32_t vid, name;
 	enum_name_t *names;
-		
-	if (!this->is_registering)
-	{
-		return FALSE;
-	}
-
-	/* Finalize registration */
-	this->is_registering = FALSE;
+	bool success = TRUE;
 
+	this->name->set_qualifier(this->name, qualifier);
 	vid = this->name->get_vendor_id(this->name);
 	name = this->name->get_name(this->name);
 	names = pts_components->get_comp_func_names(pts_components, vid);
-	DBG1(DBG_PTS, "registered %d %N '%N' functional component evidence "
-				  "measurements", this->seq_no, pen_names, vid, names, name);
-	return TRUE;
+
+	if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL |
+					  PTS_ITA_QUALIFIER_TYPE_TRUSTED))
+	{
+		/* finalize BIOS measurements */
+		if (this->is_bios_registering)
+		{
+			/* close registration */
+			this->is_bios_registering = FALSE;
+
+			DBG1(DBG_PTS, "registered %d %N '%N' BIOS evidence measurements",
+						   this->seq_no, pen_names, vid, names, name);
+		}
+		else if (this->seq_no < this->bios_count)
+		{
+			DBG1(DBG_PTS, "%d of %d %N '%N' BIOS evidence measurements missing",
+						   this->bios_count - this->seq_no, this->bios_count,
+						   pen_names, vid, names, name);
+			success = FALSE;
+		}
+	}
+	else if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL |
+						   PTS_ITA_QUALIFIER_TYPE_OS))
+	{
+		/* finalize IMA file measurements */
+		if (this->is_ima_registering)
+		{
+			/* close registration */
+			this->is_ima_registering = FALSE;
+
+			DBG1(DBG_PTS, "registered %N '%N' boot aggregate evidence "
+						  "measurement", pen_names, vid, names, name);
+		}
+		if (this->count)
+		{
+			DBG1(DBG_PTS, "processed %d %N '%N' file evidence measurements: "
+						  "%d ok, %d unknown, %d differ, %d failed",
+						   this->count, pen_names, vid, names, name,
+						   this->count_ok, this->count_unknown,
+						   this->count_differ, this->count_failed);
+			success = !this->count_differ && !this->count_failed;
+		}
+	}
+	else
+	{
+		DBG1(DBG_PTS, "unsupported functional component name qualifier");
+		success = FALSE;
+	}
+	this->name->set_qualifier(this->name, PTS_QUALIFIER_UNKNOWN);
+
+	return success;
+}
+
+METHOD(pts_component_t, get_ref, pts_component_t*,
+	pts_ita_comp_ima_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
 }
 
 METHOD(pts_component_t, destroy, void,
 	pts_ita_comp_ima_t *this)
 {
-	int i, count;
+	int count;
 	u_int32_t vid, name;
 	enum_name_t *names;
 
-	for (i = 0; i < IMA_PCR_MAX; i++)
-	{
-		free(this->pcrs[i].ptr);
-	}
-	if (this->is_registering)
+	if (ref_put(&this->ref))
 	{
-		count = this->pts_db->delete_comp_measurements(this->pts_db,
-													   this->cid, this->kid);
 		vid = this->name->get_vendor_id(this->name);
 		name = this->name->get_name(this->name);
 		names = pts_components->get_comp_func_names(pts_components, vid);
-		DBG1(DBG_PTS, "deleted %d registered %N '%N' functional component "
-			 "evidence measurements", count, pen_names, vid, names, name);
+
+		if (this->is_bios_registering)
+		{
+			count = this->pts_db->delete_comp_measurements(this->pts_db,
+													this->bios_cid, this->kid);
+			DBG1(DBG_PTS, "deleted %d registered %N '%N' BIOS evidence "
+						  "measurements", count, pen_names, vid, names, name);
+		}
+		if (this->is_ima_registering)
+		{
+			count = this->pts_db->delete_comp_measurements(this->pts_db,
+													this->ima_cid, this->kid);
+			DBG1(DBG_PTS, "deleted registered %N '%N' boot aggregate evidence "
+						  "measurement", pen_names, vid, names, name);
+		}
+		this->bios_list->destroy_function(this->bios_list,
+										 (void *)free_bios_entry);
+		this->ima_list->destroy_function(this->ima_list,
+										 (void *)free_ima_entry);
+		this->name->destroy(this->name);
+		free(this->keyid.ptr);
+		free(this);
 	}
-	this->list->destroy_function(this->list, (void *)free_entry);
-	this->name->destroy(this->name);
-	free(this->keyid.ptr);
-	free(this);
 }
 
 /**
  * See header
  */
-pts_component_t *pts_ita_comp_ima_create(u_int8_t qualifier, u_int32_t depth,
+pts_component_t *pts_ita_comp_ima_create(u_int32_t depth,
 										 pts_database_t *pts_db)
 {
 	pts_ita_comp_ima_t *this;
-	int i;
 
 	INIT(this,
 		.public = {
@@ -419,21 +940,21 @@ pts_component_t *pts_ita_comp_ima_create(u_int8_t qualifier, u_int32_t depth,
 			.get_depth = _get_depth,
 			.measure = _measure,
 			.verify = _verify,
-			.check_off_registrations = _check_off_registrations,
+			.finalize = _finalize,
+			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
 		.name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_IMA,
-										  qualifier),
+										  PTS_QUALIFIER_UNKNOWN),
 		.depth = depth,
 		.pts_db = pts_db,
-		.list = linked_list_create(),
+		.bios_list = linked_list_create(),
+		.ima_list = linked_list_create(),
+		.pcr_info = lib->settings->get_bool(lib->settings,
+						"libimcv.plugins.imc-attestation.pcr_info", TRUE),
+		.ref = 1,
 	);
 
-	for (i = 0; i < IMA_PCR_MAX; i++)
-	{
-		this->pcrs[i] = chunk_alloc(HASH_SIZE_SHA1);
-		memset(this->pcrs[i].ptr, 0x00, HASH_SIZE_SHA1);
-	}
 	return &this->public;
 }
 
diff --git a/src/libpts/pts/components/ita/ita_comp_ima.h b/src/libpts/pts/components/ita/ita_comp_ima.h
index 1ca27e6f0..546d0a4b2 100644
--- a/src/libpts/pts/components/ita/ita_comp_ima.h
+++ b/src/libpts/pts/components/ita/ita_comp_ima.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,11 +26,10 @@
 /**
  * Create a PTS ITS Functional Component object
  *
- * @param qualifier		PTS Component Functional Name Qualifier
  * @param depth			Sub-component depth
  * @param pts_db		PTS measurement database
  */
-pts_component_t* pts_ita_comp_ima_create(u_int8_t qualifier, u_int32_t depth,
+pts_component_t* pts_ita_comp_ima_create(u_int32_t depth,
 										 pts_database_t *pts_db);
 
 #endif /** PTS_ITA_COMP_IMA_H_ @}*/
diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.c b/src/libpts/pts/components/ita/ita_comp_tboot.c
index a85de8cd8..8fb5abddf 100644
--- a/src/libpts/pts/components/ita/ita_comp_tboot.c
+++ b/src/libpts/pts/components/ita/ita_comp_tboot.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -20,7 +19,7 @@
 #include "libpts.h"
 #include "pts/components/pts_component.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 
 typedef struct pts_ita_comp_tboot_t pts_ita_comp_tboot_t;
@@ -67,7 +66,7 @@ struct pts_ita_comp_tboot_t {
 	int kid;
 
 	/**
-	 * Component is registering measurements 
+	 * Component is registering measurements
 	 */
 	bool is_registering;
 
@@ -86,6 +85,11 @@ struct pts_ita_comp_tboot_t {
 	 */
 	int seq_no;
 
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+
 };
 
 METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
@@ -107,16 +111,19 @@ METHOD(pts_component_t, get_depth, u_int32_t,
 }
 
 METHOD(pts_component_t, measure, status_t,
-	pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
+	pts_ita_comp_tboot_t *this, u_int8_t qualifier, pts_t *pts,
+	pts_comp_evidence_t **evidence)
+
 {
+	size_t pcr_len;
+	pts_pcr_t *pcrs;
+	pts_pcr_transform_t pcr_transform;
+	pts_meas_algorithms_t hash_algo;
 	pts_comp_evidence_t *evid;
 	char *meas_hex, *pcr_before_hex, *pcr_after_hex;
 	chunk_t measurement, pcr_before, pcr_after;
-	size_t hash_size, pcr_len;
 	u_int32_t extended_pcr;
-	pts_pcr_transform_t pcr_transform;
-	pts_meas_algorithms_t hash_algo;
-	
+
 	switch (this->seq_no++)
 	{
 		case 0:
@@ -149,9 +156,8 @@ METHOD(pts_component_t, measure, status_t,
 		return FAILED;
 	}
 
-	hash_algo = pts->get_meas_algorithm(pts);
-	hash_size = pts_meas_algo_hash_size(hash_algo);
-	pcr_len = pts->get_pcr_len(pts);
+	hash_algo = PTS_MEAS_ALGO_SHA1;
+	pcr_len = HASH_SIZE_SHA1;
 	pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
 
 	/* get and check the measurement data */
@@ -162,35 +168,40 @@ METHOD(pts_component_t, measure, status_t,
 	pcr_after = chunk_from_hex(
 					chunk_create(pcr_after_hex, strlen(pcr_after_hex)), NULL);
 	if (pcr_before.len != pcr_len || pcr_after.len != pcr_len ||
-		measurement.len != hash_size)
+		measurement.len != pcr_len)
 	{
-		DBG1(DBG_PTS, "TBOOT measurement or pcr data have the wrong size");
+		DBG1(DBG_PTS, "TBOOT measurement or PCR data have the wrong size");
 		free(measurement.ptr);
 		free(pcr_before.ptr);
 		free(pcr_after.ptr);
 		return FAILED;
 	}
 
+	pcrs = pts->get_pcrs(pts);
+	pcrs->set(pcrs, extended_pcr, pcr_after);
 	evid = *evidence = pts_comp_evidence_create(this->name->clone(this->name),
-								this->depth, extended_pcr,
-								hash_algo, pcr_transform,
-								this->measurement_time, measurement);
+							this->depth, extended_pcr, hash_algo, pcr_transform,
+							this->measurement_time, measurement);
 	evid->set_pcr_info(evid, pcr_before, pcr_after);
 
 	return (this->seq_no < 2) ? NEED_MORE : SUCCESS;
 }
 
 METHOD(pts_component_t, verify, status_t,
-	pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t *evidence)
+	pts_ita_comp_tboot_t *this, u_int8_t qualifier,pts_t *pts,
+	pts_comp_evidence_t *evidence)
 {
 	bool has_pcr_info;
 	u_int32_t extended_pcr, vid, name;
 	enum_name_t *names;
 	pts_meas_algorithms_t algo;
 	pts_pcr_transform_t transform;
+	pts_pcr_t *pcrs;
 	time_t measurement_time;
 	chunk_t measurement, pcr_before, pcr_after;
+	status_t status;
 
+	pcrs = pts->get_pcrs(pts);
 	measurement = evidence->get_measurement(evidence, &extended_pcr,
 								&algo, &transform, &measurement_time);
 
@@ -207,11 +218,12 @@ METHOD(pts_component_t, verify, status_t,
 			DBG1(DBG_PTS, "pts database not available");
 			return FAILED;
 		}
-		if (this->pts_db->get_comp_measurement_count(this->pts_db,
-					 		this->name, this->keyid, algo,
-							&this->cid, &this->kid, &this->count) != SUCCESS)
+		status = this->pts_db->get_comp_measurement_count(this->pts_db,
+								this->name, this->keyid, algo, &this->cid,
+								&this->kid, &this->count);
+		if (status != SUCCESS)
 		{
-			return FAILED;
+			return status;
 		}
 		vid = this->name->get_vendor_id(this->name);
 		name = this->name->get_name(this->name);
@@ -232,58 +244,79 @@ METHOD(pts_component_t, verify, status_t,
 
 	if (this->is_registering)
 	{
-		if (this->pts_db->insert_comp_measurement(this->pts_db, measurement,
-						 				this->cid, this->kid, ++this->seq_no,
-										extended_pcr, algo) != SUCCESS)
+		status = this->pts_db->insert_comp_measurement(this->pts_db,
+								measurement, this->cid, this->kid,
+								++this->seq_no, extended_pcr, algo);
+		if (status != SUCCESS)
 		{
-			return FAILED;
+			return status;
 		}
 		this->count = this->seq_no + 1;
 	}
 	else
 	{
-		if (this->pts_db->check_comp_measurement(this->pts_db, measurement,
-										this->cid, this->kid, ++this->seq_no,
-										extended_pcr, algo) != SUCCESS)
+		status = this->pts_db->check_comp_measurement(this->pts_db,
+								measurement, this->cid, this->kid,
+								++this->seq_no, extended_pcr, algo);
+		if (status != SUCCESS)
 		{
-			return FAILED;
+			return status;
 		}
 	}
 
 	has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
 	if (has_pcr_info)
 	{
-		if (!pts->add_pcr(pts, extended_pcr, pcr_before, pcr_after))
+		if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr)))
 		{
-			return FAILED;
+			DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value",
+						   extended_pcr);
+		}
+		if (pcrs->set(pcrs, extended_pcr, pcr_after))
+		{
+			return SUCCESS;
 		}
 	}
 
-	return (this->seq_no < this->count) ? NEED_MORE : SUCCESS;
+	return SUCCESS;
 }
 
-METHOD(pts_component_t, check_off_registrations, bool,
-	pts_ita_comp_tboot_t *this)
+METHOD(pts_component_t, finalize, bool,
+	pts_ita_comp_tboot_t *this, u_int8_t qualifier)
 {
 	u_int32_t vid, name;
 	enum_name_t *names;
-		
-	if (!this->is_registering)
-	{
-		return FALSE;
-	}
-
-	/* Finalize registration */
-	this->is_registering = FALSE;
 
 	vid = this->name->get_vendor_id(this->name);
 	name = this->name->get_name(this->name);
 	names = pts_components->get_comp_func_names(pts_components, vid);
-	DBG1(DBG_PTS, "registered %d %N '%N' functional component evidence "
-				  "measurements", this->seq_no, pen_names, vid, names, name);
+
+	if (this->is_registering)
+	{
+		/* close registration */
+		this->is_registering = FALSE;
+
+		DBG1(DBG_PTS, "registered %d %N '%N' functional component evidence "
+					  "measurements", this->seq_no, pen_names, vid, names, name);
+	}
+	else if (this->seq_no < this->count)
+	{
+		DBG1(DBG_PTS, "%d of %d %N '%N' functional component evidence "
+					  "measurements missing", this->count - this->seq_no,
+					   this->count, pen_names, vid, names, name);
+		return FALSE;
+	}
+
 	return TRUE;
 }
 
+METHOD(pts_component_t, get_ref, pts_component_t*,
+	pts_ita_comp_tboot_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
 METHOD(pts_component_t, destroy, void,
 	   pts_ita_comp_tboot_t *this)
 {
@@ -291,25 +324,28 @@ METHOD(pts_component_t, destroy, void,
 	u_int32_t vid, name;
 	enum_name_t *names;
 
-	if (this->is_registering)
+	if (ref_put(&this->ref))
 	{
-		count = this->pts_db->delete_comp_measurements(this->pts_db,
-													   this->cid, this->kid);
-		vid = this->name->get_vendor_id(this->name);
-		name = this->name->get_name(this->name);
-		names = pts_components->get_comp_func_names(pts_components, vid);
-		DBG1(DBG_PTS, "deleted %d registered %N '%N' functional component "
-			 "evidence measurements", count, pen_names, vid, names, name);
+		if (this->is_registering)
+		{
+			count = this->pts_db->delete_comp_measurements(this->pts_db,
+													this->cid, this->kid);
+			vid = this->name->get_vendor_id(this->name);
+			name = this->name->get_name(this->name);
+			names = pts_components->get_comp_func_names(pts_components, vid);
+			DBG1(DBG_PTS, "deleted %d registered %N '%N' functional component "
+				 "evidence measurements", count, pen_names, vid, names, name);
+		}
+		this->name->destroy(this->name);
+		free(this->keyid.ptr);
+		free(this);
 	}
-	this->name->destroy(this->name);
-	free(this->keyid.ptr);
-	free(this);
 }
 
 /**
  * See header
  */
-pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth,
+pts_component_t *pts_ita_comp_tboot_create(u_int32_t depth,
 										   pts_database_t *pts_db)
 {
 	pts_ita_comp_tboot_t *this;
@@ -321,13 +357,16 @@ pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth,
 			.get_depth = _get_depth,
 			.measure = _measure,
 			.verify = _verify,
-			.check_off_registrations = _check_off_registrations,
+			.finalize = _finalize,
+			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
 		.name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_TBOOT,
-										  qualifier),
+										  PTS_ITA_QUALIFIER_FLAG_KERNEL |
+										  PTS_ITA_QUALIFIER_TYPE_TRUSTED),
 		.depth = depth,
 		.pts_db = pts_db,
+		.ref = 1,
 	);
 
 	return &this->public;
diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.h b/src/libpts/pts/components/ita/ita_comp_tboot.h
index 39554fbc7..1e1a14831 100644
--- a/src/libpts/pts/components/ita/ita_comp_tboot.h
+++ b/src/libpts/pts/components/ita/ita_comp_tboot.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,11 +26,10 @@
 /**
  * Create a PTS ITS Functional Component object
  *
- * @param qualifier		PTS Component Functional Name Qualifier
  * @param depth			Sub-component depth
  * @param pts_db		PTS measurement database
  */
-pts_component_t* pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth,
+pts_component_t* pts_ita_comp_tboot_create(u_int32_t depth,
 										   pts_database_t *pts_db);
 
 #endif /** PTS_ITA_COMP_TBOOT_H_ @}*/
diff --git a/src/libpts/pts/components/ita/ita_comp_tgrub.c b/src/libpts/pts/components/ita/ita_comp_tgrub.c
index 0dfd5fd41..e3acd8774 100644
--- a/src/libpts/pts/components/ita/ita_comp_tgrub.c
+++ b/src/libpts/pts/components/ita/ita_comp_tgrub.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,7 +18,7 @@
 
 #include "pts/components/pts_component.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <pen/pen.h>
 
 typedef struct pts_ita_comp_tgrub_t pts_ita_comp_tgrub_t;
@@ -50,6 +49,12 @@ struct pts_ita_comp_tgrub_t {
 	 */
 	pts_database_t *pts_db;
 
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+
 };
 
 METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
@@ -71,34 +76,34 @@ METHOD(pts_component_t, get_depth, u_int32_t,
 }
 
 METHOD(pts_component_t, measure, status_t,
-	pts_ita_comp_tgrub_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
+	pts_ita_comp_tgrub_t *this, u_int8_t qualifier, pts_t *pts,
+	pts_comp_evidence_t **evidence)
 {
+	size_t pcr_len;
+	pts_pcr_transform_t pcr_transform;
+	pts_meas_algorithms_t hash_algo;
 	pts_comp_evidence_t *evid;
 	u_int32_t extended_pcr;
 	time_t measurement_time;
 	chunk_t measurement, pcr_before, pcr_after;
-	pts_pcr_transform_t pcr_transform;
-	pts_meas_algorithms_t hash_algo;
-	size_t hash_size, pcr_len;
 
 	/* Provisional implementation for TGRUB */
 	extended_pcr = PCR_DEBUG;
 	time(&measurement_time);
-		
+
 	if (!pts->read_pcr(pts, extended_pcr, &pcr_after))
 	{
 		DBG1(DBG_PTS, "error occurred while reading PCR: %d", extended_pcr);
 		return FAILED;
 	}
 
-	hash_algo = pts->get_meas_algorithm(pts);
-	hash_size = pts_meas_algo_hash_size(hash_algo);
-	pcr_len = pts->get_pcr_len(pts);
+	hash_algo = PTS_MEAS_ALGO_SHA1;
+	pcr_len = HASH_SIZE_SHA1;
 	pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
 
-	measurement = chunk_alloc(hash_size);
+	measurement = chunk_alloc(pcr_len);
 	memset(measurement.ptr, 0x00, measurement.len);
-		
+
 	pcr_before = chunk_alloc(pcr_len);
 	memset(pcr_before.ptr, 0x00, pcr_before.len);
 
@@ -112,15 +117,18 @@ METHOD(pts_component_t, measure, status_t,
 }
 
 METHOD(pts_component_t, verify, status_t,
-	pts_ita_comp_tgrub_t *this, pts_t *pts,	pts_comp_evidence_t *evidence)
+	pts_ita_comp_tgrub_t *this, u_int8_t qualifier, pts_t *pts,
+	pts_comp_evidence_t *evidence)
 {
 	bool has_pcr_info;
 	u_int32_t extended_pcr;
 	pts_meas_algorithms_t algo;
 	pts_pcr_transform_t transform;
+	pts_pcr_t *pcrs;
 	time_t measurement_time;
 	chunk_t measurement, pcr_before, pcr_after;
 
+	pcrs = pts->get_pcrs(pts);
 	measurement = evidence->get_measurement(evidence, &extended_pcr,
 								&algo, &transform, &measurement_time);
 	if (extended_pcr != PCR_DEBUG)
@@ -133,32 +141,46 @@ METHOD(pts_component_t, verify, status_t,
 	has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
 	if (has_pcr_info)
 	{
-		if (!pts->add_pcr(pts, extended_pcr, pcr_before, pcr_after))
+		if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr)))
 		{
-			return FAILED;
+			DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to pcr value");
+		}
+		if (pcrs->set(pcrs, extended_pcr, pcr_after))
+		{
+			return SUCCESS;
 		}
 	}
-	
+
 	return SUCCESS;
 }
 
-METHOD(pts_component_t, check_off_registrations, bool,
-	pts_ita_comp_tgrub_t *this)
+METHOD(pts_component_t, finalize, bool,
+	pts_ita_comp_tgrub_t *this, u_int8_t qualifier)
 {
 	return FALSE;
 }
 
+METHOD(pts_component_t, get_ref, pts_component_t*,
+	pts_ita_comp_tgrub_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public;
+}
+
 METHOD(pts_component_t, destroy, void,
 	pts_ita_comp_tgrub_t *this)
 {
-	this->name->destroy(this->name);
-	free(this);
+	if (ref_put(&this->ref))
+	{
+		this->name->destroy(this->name);
+		free(this);
+	}
 }
 
 /**
  * See header
  */
-pts_component_t *pts_ita_comp_tgrub_create(u_int8_t qualifier, u_int32_t depth,
+pts_component_t *pts_ita_comp_tgrub_create(u_int32_t depth,
 										   pts_database_t *pts_db)
 {
 	pts_ita_comp_tgrub_t *this;
@@ -170,13 +192,16 @@ pts_component_t *pts_ita_comp_tgrub_create(u_int8_t qualifier, u_int32_t depth,
 			.get_depth = _get_depth,
 			.measure = _measure,
 			.verify = _verify,
-			.check_off_registrations = _check_off_registrations,
+			.finalize = _finalize,
+			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
 		.name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_TGRUB,
-										  qualifier),
+										  PTS_ITA_QUALIFIER_FLAG_KERNEL |
+										  PTS_ITA_QUALIFIER_TYPE_TRUSTED),
 		.depth = depth,
 		.pts_db = pts_db,
+		.ref = 1,
 	);
 
 	return &this->public;
diff --git a/src/libpts/pts/components/ita/ita_comp_tgrub.h b/src/libpts/pts/components/ita/ita_comp_tgrub.h
index 52ecc325c..59913c82d 100644
--- a/src/libpts/pts/components/ita/ita_comp_tgrub.h
+++ b/src/libpts/pts/components/ita/ita_comp_tgrub.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,11 +26,10 @@
 /**
  * Create a PTS ITS Functional Component object
  *
- * @param qualifier		PTS Component Functional Name Qualifier
  * @param depth			Sub-component depth
  * @param pts_db		PTS measurement database
  */
-pts_component_t* pts_ita_comp_tgrub_create(u_int8_t qualifier, u_int32_t depth,
+pts_component_t* pts_ita_comp_tgrub_create(u_int32_t depth,
 										   pts_database_t *pts_db);
 
 #endif /** PTS_ITA_COMP_TGRUB_H_ @}*/
diff --git a/src/libpts/pts/components/pts_comp_evidence.c b/src/libpts/pts/components/pts_comp_evidence.c
index 9eb8dae75..08c3d5e9a 100644
--- a/src/libpts/pts/components/pts_comp_evidence.c
+++ b/src/libpts/pts/components/pts_comp_evidence.c
@@ -15,7 +15,7 @@
 
 #include "pts/components/pts_comp_evidence.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_comp_evidence_t private_pts_comp_evidence_t;
 
@@ -87,7 +87,7 @@ struct private_pts_comp_evidence_t {
 	/**
 	 * Verification Policy URI
 	 */
-	chunk_t policy_uri;
+	char *policy_uri;
 
 };
 
@@ -148,16 +148,16 @@ METHOD(pts_comp_evidence_t, get_pcr_info, bool,
 METHOD(pts_comp_evidence_t, set_pcr_info, void,
 	private_pts_comp_evidence_t *this, chunk_t pcr_before, chunk_t pcr_after)
 {
-	this->has_pcr_info = TRUE;	
+	this->has_pcr_info = TRUE;
 	this->pcr_before = pcr_before;
 	this->pcr_after =  pcr_after;
 
-	DBG2(DBG_PTS, "PCR %2d before value : %#B", this->extended_pcr, &pcr_before);
-	DBG2(DBG_PTS, "PCR %2d after value  : %#B", this->extended_pcr, &pcr_after);
+	DBG3(DBG_PTS, "PCR %2d before value : %#B", this->extended_pcr, &pcr_before);
+	DBG3(DBG_PTS, "PCR %2d after value  : %#B", this->extended_pcr, &pcr_after);
 }
 
 METHOD(pts_comp_evidence_t, get_validation, pts_comp_evid_validation_t,
-	private_pts_comp_evidence_t *this, chunk_t *uri)
+	private_pts_comp_evidence_t *this, char **uri)
 {
 	if (uri)
 	{
@@ -168,10 +168,14 @@ METHOD(pts_comp_evidence_t, get_validation, pts_comp_evid_validation_t,
 
 METHOD(pts_comp_evidence_t, set_validation, void,
 	private_pts_comp_evidence_t *this, pts_comp_evid_validation_t validation,
-	chunk_t uri)
+	char *uri)
 {
 	this->validation = validation;
-	this->policy_uri = chunk_clone(uri);
+	if (uri)
+	{
+		this->policy_uri = strdup(uri);
+		DBG3(DBG_PTS, "'%s'", uri);
+	}
 }
 
 METHOD(pts_comp_evidence_t, destroy, void,
@@ -181,7 +185,7 @@ METHOD(pts_comp_evidence_t, destroy, void,
 	free(this->measurement.ptr);
 	free(this->pcr_before.ptr);
 	free(this->pcr_after.ptr);
-	free(this->policy_uri.ptr);
+	free(this->policy_uri);
 	free(this);
 }
 
@@ -219,8 +223,8 @@ pts_comp_evidence_t *pts_comp_evidence_create(pts_comp_func_name_t *name,
 	);
 
 	name->log(name, "");
-	DBG2(DBG_PTS, "measurement time: %T", &measurement_time, FALSE);
-	DBG2(DBG_PTS, "PCR %2d extended with: %#B", extended_pcr, &measurement);
+	DBG3(DBG_PTS, "measurement time: %T", &measurement_time, FALSE);
+	DBG3(DBG_PTS, "PCR %2d extended with: %#B", extended_pcr, &measurement);
 
 	return &this->public;
 }
diff --git a/src/libpts/pts/components/pts_comp_evidence.h b/src/libpts/pts/components/pts_comp_evidence.h
index fe86aa940..55776ce8b 100644
--- a/src/libpts/pts/components/pts_comp_evidence.h
+++ b/src/libpts/pts/components/pts_comp_evidence.h
@@ -120,7 +120,7 @@ struct pts_comp_evidence_t {
 	 * @return validation		Validation Result
 	 */
 	pts_comp_evid_validation_t (*get_validation)(pts_comp_evidence_t *this,
-								chunk_t *uri);
+								char **uri);
 
 	/**
 	 * Sets Validation Result if available
@@ -129,7 +129,7 @@ struct pts_comp_evidence_t {
 	 * @param uri				Verification Policy URI
 	 */
 	void (*set_validation)(pts_comp_evidence_t *this,
-						   pts_comp_evid_validation_t validation, chunk_t uri);
+						   pts_comp_evid_validation_t validation, char* uri);
 
 	/**
 	 * Destroys a pts_comp_evidence_t object.
diff --git a/src/libpts/pts/components/pts_comp_func_name.c b/src/libpts/pts/components/pts_comp_func_name.c
index d98850d78..6c630f8fb 100644
--- a/src/libpts/pts/components/pts_comp_func_name.c
+++ b/src/libpts/pts/components/pts_comp_func_name.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  *
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -17,7 +17,7 @@
 #include "libpts.h"
 #include "pts/components/pts_comp_func_name.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_comp_func_name_t private_pts_comp_func_name_t;
 
@@ -67,6 +67,12 @@ METHOD(pts_comp_func_name_t, get_qualifier, u_int8_t,
 	return this->qualifier;
 }
 
+METHOD(pts_comp_func_name_t, set_qualifier, void,
+	private_pts_comp_func_name_t *this, u_int8_t qualifier)
+{
+	this->qualifier = qualifier;
+}
+
 static bool equals(private_pts_comp_func_name_t *this,
 				   private_pts_comp_func_name_t *other)
 {
@@ -137,6 +143,7 @@ pts_comp_func_name_t* pts_comp_func_name_create(u_int32_t vid, u_int32_t name,
 			.get_vendor_id = _get_vendor_id,
 			.get_name = _get_name,
 			.get_qualifier = _get_qualifier,
+			.set_qualifier = _set_qualifier,
 			.equals = (bool(*)(pts_comp_func_name_t*,pts_comp_func_name_t*))equals,
 			.clone = _clone_,
 			.log = _log_,
diff --git a/src/libpts/pts/components/pts_comp_func_name.h b/src/libpts/pts/components/pts_comp_func_name.h
index 2c7a84177..90ad7083f 100644
--- a/src/libpts/pts/components/pts_comp_func_name.h
+++ b/src/libpts/pts/components/pts_comp_func_name.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -55,6 +55,13 @@ struct pts_comp_func_name_t {
 	u_int8_t (*get_qualifier)(pts_comp_func_name_t *this);
 
 	/**
+	 * Set the PTS Component Functional Name Qualifier
+	 *
+	 * @param qualifier		PTS Component Functional Name Qualifier to be set
+	 */
+	void (*set_qualifier)(pts_comp_func_name_t *this, u_int8_t qualifier);
+
+	/**
 	 * Check to PTS Component Functional Names for equality
 	 *
 	 * @param other			Other PTS Component Functional Name
@@ -88,7 +95,7 @@ struct pts_comp_func_name_t {
  *
  * @param vid				PTS Component Functional Name Vendor ID
  * @param name				PTS Component Functional Name
- * @param					PTS Component Functional Name Qualifier
+ * @param qualifier			PTS Component Functional Name Qualifier
  */
 pts_comp_func_name_t* pts_comp_func_name_create(u_int32_t vid, u_int32_t name,
 												u_int8_t qualifier);
diff --git a/src/libpts/pts/components/pts_component.h b/src/libpts/pts/components/pts_component.h
index 524ff332d..da339a55f 100644
--- a/src/libpts/pts/components/pts_component.h
+++ b/src/libpts/pts/components/pts_component.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@ typedef struct pts_component_t pts_component_t;
 
 #include "pts/pts.h"
 #include "pts/pts_database.h"
+#include "pts/pts_file_meas.h"
 #include "pts/components/pts_comp_func_name.h"
 #include "pts/components/pts_comp_evidence.h"
 
@@ -59,30 +60,41 @@ struct pts_component_t {
 	/**
 	 * Do evidence measurements on the PTS Functional Component
 	 *
+	 * @param qualifier		PTS Component Functional Name Qualifier
 	 * @param pts			PTS interface
 	 * @param evidence		returns component evidence measureemt
+	 * @param measurements	additional file measurements (NULL if not present)
 	 * @return				status return code
 	 */
-	status_t (*measure)(pts_component_t *this, pts_t *pts,
+	status_t (*measure)(pts_component_t *this, u_int8_t qualifier, pts_t *pts,
 						pts_comp_evidence_t** evidence);
 
 	/**
 	 * Verify the evidence measurements of the PTS Functional Component
 	 *
+	 * @param qualifier		PTS Component Functional Name Qualifier
 	 * @param pts			PTS interface
 	 * @param evidence		component evidence measurement to be verified
 	 * @return				status return code
 	 */
-	status_t (*verify)(pts_component_t *this, pts_t *pts,
+	status_t (*verify)(pts_component_t *this, u_int8_t qualifier, pts_t *pts,
 					   pts_comp_evidence_t *evidence);
 
-
 	/**
 	 * Tell the PTS Functional Component to finalize pending registrations
+	 * and check for missing measurements
+	 *
+	 * @param qualifier		PTS Component Functional Name Qualifier
+	 * @return				TRUE if finalization successful
+	 */
+	bool (*finalize)(pts_component_t *this, u_int8_t qualifier);
+
+	/**
+	 * Get a new reference to the PTS Functional Component
 	 *
-	 * @return				TRUE if there are pending registrations
+	 * @return			this, with an increased refcount
 	 */
-	bool (*check_off_registrations)(pts_component_t *this);
+	pts_component_t* (*get_ref)(pts_component_t *this);
 
 	/**
 	 * Destroys a pts_component_t object.
diff --git a/src/libpts/pts/components/pts_component_manager.c b/src/libpts/pts/components/pts_component_manager.c
index 8ac4767bf..9c1375b79 100644
--- a/src/libpts/pts/components/pts_component_manager.c
+++ b/src/libpts/pts/components/pts_component_manager.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,8 +15,8 @@
 
 #include "pts/components/pts_component_manager.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_component_manager_t private_pts_component_manager_t;
 typedef struct vendor_entry_t vendor_entry_t;
@@ -57,7 +56,7 @@ struct vendor_entry_t {
 
 	/**
 	 * List of vendor-specific registered Functional Components
-	 */	
+	 */
 	linked_list_t *components;
 };
 
@@ -104,7 +103,7 @@ struct private_pts_component_manager_t {
 };
 
 METHOD(pts_component_manager_t, add_vendor, void,
-	private_pts_component_manager_t *this, pen_t vendor_id, 
+	private_pts_component_manager_t *this, pen_t vendor_id,
 	enum_name_t *comp_func_names, int qualifier_type_size,
 	char *qualifier_flag_names, enum_name_t *qualifier_type_names)
 {
@@ -270,8 +269,7 @@ METHOD(pts_component_manager_t, create, pts_component_t*,
 			{
 				if (entry2->name == name->get_name(name) && entry2->create)
 				{
-					component = entry2->create(name->get_qualifier(name),
-											   depth, pts_db);
+					component = entry2->create(depth, pts_db);
 					break;
 				}
 			}
@@ -287,7 +285,7 @@ METHOD(pts_component_manager_t, create, pts_component_t*,
 METHOD(pts_component_manager_t, destroy, void,
 	private_pts_component_manager_t *this)
 {
-	this->list->destroy_function(this->list, (void *)vendor_entry_destroy); 
+	this->list->destroy_function(this->list, (void *)vendor_entry_destroy);
 	free(this);
 }
 
diff --git a/src/libpts/pts/components/pts_component_manager.h b/src/libpts/pts/components/pts_component_manager.h
index 0079d0e26..61055ec74 100644
--- a/src/libpts/pts/components/pts_component_manager.h
+++ b/src/libpts/pts/components/pts_component_manager.h
@@ -30,8 +30,7 @@ typedef struct pts_component_manager_t pts_component_manager_t;
 #include <library.h>
 #include <pen/pen.h>
 
-typedef pts_component_t* (*pts_component_create_t)(u_int8_t qualifier,
-												   u_int32_t depth,
+typedef pts_component_t* (*pts_component_create_t)(u_int32_t depth,
 												   pts_database_t *pts_db);
 
 /**
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index 65ae2b2d2..f646d67e1 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,30 +15,30 @@
 
 #include "pts.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/hashers/hasher.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
 
+#ifdef TSS_TROUSERS
 #include <trousers/tss.h>
 #include <trousers/trousers.h>
-
+#else
+#ifndef TPM_TAG_QUOTE_INFO2
+#define TPM_TAG_QUOTE_INFO2 0x0036
+#endif
+#ifndef TPM_LOC_ZERO
+#define TPM_LOC_ZERO 0x01
+#endif
+#endif
+
+#include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/utsname.h>
+#include <libgen.h>
+#include <unistd.h>
 #include <errno.h>
 
-#define PTS_BUF_SIZE	4096
-
-/**
- * Maximum number of PCR's of TPM, TPM Spec 1.2
- */
-#define PCR_MAX_NUM				24
-
-/**
- * Number of bytes that can be saved in a PCR of TPM, TPM Spec 1.2
- */
-#define PCR_LEN					20
-
 typedef struct private_pts_t private_pts_t;
 
 /**
@@ -118,29 +118,9 @@ struct private_pts_t {
  	certificate_t *aik;
 
 	/**
-	 * Table of extended PCRs with corresponding values
-	 */
-	u_char* pcrs[PCR_MAX_NUM];
-
-	/**
-	 * Length of PCR registers
-	 */
-	size_t pcr_len;
-
-	/**
-	 * Number of extended PCR registers
-	 */
-	u_int32_t pcr_count;
-
-	/**
-	 * Highest extended PCR register
-	 */
-	u_int32_t pcr_max;
-
-	/**
-	 * Bitmap of extended PCR registers
+	 * Shadow PCR set
 	 */
-	u_int8_t pcr_select[PCR_MAX_NUM / 8];
+	pts_pcr_t *pcrs;
 
 };
 
@@ -225,9 +205,13 @@ METHOD(pts_t, create_dh_nonce, bool,
 	DBG2(DBG_PTS, "nonce length is %d", nonce_len);
 	nonce = this->is_imc ? &this->responder_nonce : &this->initiator_nonce;
 	chunk_free(nonce);
-	rng->allocate_bytes(rng, nonce_len, nonce);
+	if (!rng->allocate_bytes(rng, nonce_len, nonce))
+	{
+		DBG1(DBG_PTS, "failed to allocate nonce");
+		rng->destroy(rng);
+		return FALSE;
+	}
 	rng->destroy(rng);
-
 	return TRUE;
 }
 
@@ -282,10 +266,15 @@ METHOD(pts_t, calculate_secret, bool,
 	hash_alg = pts_meas_algo_to_hash(this->dh_hash_algorithm);
 	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
 
-	hasher->allocate_hash(hasher, chunk_from_chars('1'), NULL);
-	hasher->allocate_hash(hasher, this->initiator_nonce, NULL);
-	hasher->allocate_hash(hasher, this->responder_nonce, NULL);
-	hasher->allocate_hash(hasher, shared_secret, &this->secret);
+	if (!hasher ||
+		!hasher->get_hash(hasher, chunk_from_chars('1'), NULL) ||
+		!hasher->get_hash(hasher, this->initiator_nonce, NULL) ||
+		!hasher->get_hash(hasher, this->responder_nonce, NULL) ||
+		!hasher->allocate_hash(hasher, shared_secret, &this->secret))
+	{
+		DESTROY_IF(hasher);
+		return FALSE;
+	}
 	hasher->destroy(hasher);
 
 	/* The DH secret must be destroyed */
@@ -300,6 +289,8 @@ METHOD(pts_t, calculate_secret, bool,
 	return TRUE;
 }
 
+#ifdef TSS_TROUSERS
+
 /**
  * Print TPM 1.2 Version Info
  */
@@ -319,14 +310,26 @@ static void print_tpm_version_info(private_pts_t *this)
 	else
 	{
 		DBG2(DBG_PTS, "TPM 1.2 Version Info: Chip Version: %hhu.%hhu.%hhu.%hhu,"
-					  " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s",
+					  " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s [%.*s]",
 					  versionInfo.version.major, versionInfo.version.minor,
 					  versionInfo.version.revMajor, versionInfo.version.revMinor,
 					  versionInfo.specLevel, versionInfo.errataRev,
-					  versionInfo.tpmVendorID);
+					  versionInfo.tpmVendorID, versionInfo.vendorSpecificSize,
+					  versionInfo.vendorSpecificSize ?
+					  (char*)versionInfo.vendorSpecific : "");
 	}
+	free(versionInfo.vendorSpecific);
 }
 
+#else
+
+static void print_tpm_version_info(private_pts_t *this)
+{
+	DBG1(DBG_PTS, "unknown TPM version: no TSS implementation available");
+}
+
+#endif /* TSS_TROUSERS */
+
 METHOD(pts_t, get_platform_info, char*,
 	private_pts_t *this)
 {
@@ -334,10 +337,15 @@ METHOD(pts_t, get_platform_info, char*,
 }
 
 METHOD(pts_t, set_platform_info, void,
-	private_pts_t *this, char *info)
+	private_pts_t *this, chunk_t name, chunk_t version)
 {
+	int len = name.len + 1 + version.len + 1;
+
+	/* platform info is a concatenation of OS name and OS version */
 	free(this->platform_info);
-	this->platform_info = strdup(info);
+	this->platform_info = malloc(len);
+	snprintf(this->platform_info, len, "%.*s %.*s", (int)name.len, name.ptr,
+			(int)version.len, version.ptr);
 }
 
 METHOD(pts_t, get_tpm_version_info, bool,
@@ -359,12 +367,6 @@ METHOD(pts_t, set_tpm_version_info, void,
 	print_tpm_version_info(this);
 }
 
-METHOD(pts_t, get_pcr_len, size_t,
-	private_pts_t *this)
-{
-	return this->pcr_len;
-}
-
 /**
  * Load an AIK Blob (TSS_TSPATTRIB_KEYBLOB_BLOB attribute)
  */
@@ -486,54 +488,6 @@ METHOD(pts_t, get_aik_keyid, bool,
 	return success;
 }
 
-METHOD(pts_t, hash_file, bool,
-	private_pts_t *this, hasher_t *hasher, char *pathname, u_char *hash)
-{
-	u_char buffer[PTS_BUF_SIZE];
-	FILE *file;
-	int bytes_read;
-
-	file = fopen(pathname, "rb");
-	if (!file)
-	{
-		DBG1(DBG_PTS,"  file '%s' can not be opened, %s", pathname,
-			 strerror(errno));
-		return FALSE;
-	}
-	while (TRUE)
-	{
-		bytes_read = fread(buffer, 1, sizeof(buffer), file);
-		if (bytes_read > 0)
-		{
-			hasher->get_hash(hasher, chunk_create(buffer, bytes_read), NULL);
-		}
-		else
-		{
-			hasher->get_hash(hasher, chunk_empty, hash);
-			break;
-		}
-	}
-	fclose(file);
-
-	return TRUE;
-}
-
-/**
- * Get the relative filename of a fully qualified file pathname
- */
-static char* get_filename(char *pathname)
-{
-	char *pos, *filename;
-
-	pos = filename = pathname;
-	while (pos && *(++pos) != '\0')
-	{
-		filename = pos;
-		pos = strchr(filename, '/');
-	}
-	return filename;
-}
-
 METHOD(pts_t, is_path_valid, bool,
 	private_pts_t *this, char *path, pts_error_code_t *error_code)
 {
@@ -565,82 +519,6 @@ METHOD(pts_t, is_path_valid, bool,
 	return TRUE;
 }
 
-METHOD(pts_t, do_measurements, pts_file_meas_t*,
-	private_pts_t *this, u_int16_t request_id, char *pathname, bool is_directory)
-{
-	hasher_t *hasher;
-	hash_algorithm_t hash_alg;
-	u_char hash[HASH_SIZE_SHA384];
-	chunk_t measurement;
-	pts_file_meas_t *measurements;
-
-	/* Create a hasher */
-	hash_alg = pts_meas_algo_to_hash(this->algorithm);
-	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-	if (!hasher)
-	{
-		DBG1(DBG_PTS, "hasher %N not available", hash_algorithm_names, hash_alg);
-		return NULL;
-	}
-
-	/* Create a measurement object */
-	measurements = pts_file_meas_create(request_id);
-
-	/* Link the hash to the measurement and set the measurement length */
-	measurement = chunk_create(hash, hasher->get_hash_size(hasher));
-
-	if (is_directory)
-	{
-		enumerator_t *enumerator;
-		char *rel_name, *abs_name;
-		struct stat st;
-
-		enumerator = enumerator_create_directory(pathname);
-		if (!enumerator)
-		{
-			DBG1(DBG_PTS,"  directory '%s' can not be opened, %s", pathname,
-				 strerror(errno));
-			hasher->destroy(hasher);
-			measurements->destroy(measurements);
-			return NULL;
-		}
-		while (enumerator->enumerate(enumerator, &rel_name, &abs_name, &st))
-		{
-			/* measure regular files only */
-			if (S_ISREG(st.st_mode) && *rel_name != '.')
-			{
-				if (!hash_file(this, hasher, abs_name, hash))
-				{
-					enumerator->destroy(enumerator);
-					hasher->destroy(hasher);
-					measurements->destroy(measurements);
-					return NULL;
-				}
-				DBG2(DBG_PTS, "  %#B for '%s'", &measurement, rel_name);
-				measurements->add(measurements, rel_name, measurement);
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	else
-	{
-		char *filename;
-
-		if (!hash_file(this, hasher, pathname, hash))
-		{
-			hasher->destroy(hasher);
-			measurements->destroy(measurements);
-			return NULL;
-		}
-		filename = get_filename(pathname);
-		DBG2(DBG_PTS, "  %#B for '%s'", &measurement, filename);
-		measurements->add(measurements, filename, measurement);
-	}
-	hasher->destroy(hasher);
-
-	return measurements;
-}
-
 /**
  * Obtain statistical information describing a file
  */
@@ -654,6 +532,7 @@ static bool file_metadata(char *pathname, pts_file_metadata_t **entry)
 	if (stat(pathname, &st))
 	{
 		DBG1(DBG_PTS, "unable to obtain statistics about '%s'", pathname);
+		free(this);
 		return FALSE;
 	}
 
@@ -748,13 +627,16 @@ METHOD(pts_t, get_metadata, pts_file_meta_t*,
 			metadata->destroy(metadata);
 			return NULL;
 		}
-		entry->filename = strdup(get_filename(pathname));
+		entry->filename = strdup(basename(pathname));
 		metadata->add(metadata, entry);
 	}
 
 	return metadata;
 }
 
+
+#ifdef TSS_TROUSERS
+
 METHOD(pts_t, read_pcr, bool,
 	private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value)
 {
@@ -809,7 +691,7 @@ METHOD(pts_t, extend_pcr, bool,
 	TSS_HTPM hTPM;
 	TSS_RESULT result;
 	u_int32_t pcr_length;
-	chunk_t pcr_value;
+	chunk_t pcr_value = chunk_empty;
 
 	result = Tspi_Context_Create(&hContext);
 	if (result != TSS_SUCCESS)
@@ -829,8 +711,8 @@ METHOD(pts_t, extend_pcr, bool,
 		goto err;
 	}
 
-	pcr_value = chunk_alloc(PCR_LEN);
-	result = Tspi_TPM_PcrExtend(hTPM, pcr_num, PCR_LEN, input.ptr,
+	pcr_value = chunk_alloc(PTS_PCR_LEN);
+	result = Tspi_TPM_PcrExtend(hTPM, pcr_num, PTS_PCR_LEN, input.ptr,
 								NULL, &pcr_length, &pcr_value.ptr);
 	if (result != TSS_SUCCESS)
 	{
@@ -842,7 +724,7 @@ METHOD(pts_t, extend_pcr, bool,
 
 	DBG3(DBG_PTS, "PCR %d extended with:      %B", pcr_num, &input);
 	DBG3(DBG_PTS, "PCR %d value after extend: %B", pcr_num, output);
-	
+
 	chunk_clear(&pcr_value);
 	Tspi_Context_FreeMemory(hContext, NULL);
 	Tspi_Context_Close(hContext);
@@ -851,28 +733,12 @@ METHOD(pts_t, extend_pcr, bool,
 
 err:
 	DBG1(DBG_PTS, "TPM not available: tss error 0x%x", result);
-	
+
 	chunk_clear(&pcr_value);
 	Tspi_Context_FreeMemory(hContext, NULL);
 	Tspi_Context_Close(hContext);
-	
-	return FALSE;
-}
-
 
-static void clear_pcrs(private_pts_t *this)
-{
-	int i;
-
-	for (i = 0; i <= this->pcr_max; i++)
-	{
-		free(this->pcrs[i]);
-		this->pcrs[i] = NULL;
-	}
-	this->pcr_count = 0;
-	this->pcr_max = 0;
-
-	memset(this->pcr_select, 0x00, sizeof(this->pcr_select));
+	return FALSE;
 }
 
 METHOD(pts_t, quote_tpm, bool,
@@ -890,7 +756,8 @@ METHOD(pts_t, quote_tpm, bool,
 	TSS_RESULT result;
 	chunk_t quote_info;
 	BYTE* versionInfo;
-	u_int32_t versionInfoSize, pcr, i = 0, f = 1;
+	u_int32_t versionInfoSize, pcr;
+	enumerator_t *enumerator;
 	bool success = FALSE;
 
 	result = Tspi_Context_Create(&hContext);
@@ -943,32 +810,30 @@ METHOD(pts_t, quote_tpm, bool,
 			Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS,
 							TSS_PCRS_STRUCT_INFO_SHORT, &hPcrComposite) :
 			Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS,
-							0, &hPcrComposite);
+							TSS_PCRS_STRUCT_DEFAULT, &hPcrComposite);
 	if (result != TSS_SUCCESS)
 	{
 		goto err2;
 	}
 
 	/* Select PCRs */
-	for (pcr = 0; pcr <= this->pcr_max ; pcr++)
-	{
-		if (f == 256)
+	enumerator = this->pcrs->create_enumerator(this->pcrs);
+	while (enumerator->enumerate(enumerator, &pcr))
+	{
+		result = use_quote2 ?
+				Tspi_PcrComposite_SelectPcrIndexEx(hPcrComposite, pcr,
+											TSS_PCRS_DIRECTION_RELEASE) :
+				Tspi_PcrComposite_SelectPcrIndex(hPcrComposite, pcr);
+		if (result != TSS_SUCCESS)
 		{
-			i++;
-			f = 1;
-		}		
-		if (this->pcr_select[i] & f)
-		{
-			result = use_quote2 ?
-					Tspi_PcrComposite_SelectPcrIndexEx(hPcrComposite, pcr,
-												TSS_PCRS_DIRECTION_RELEASE) :
-					Tspi_PcrComposite_SelectPcrIndex(hPcrComposite, pcr);
-			if (result != TSS_SUCCESS)
-			{
-				goto err3;
-			}
+			break;
 		}
-		f <<= 1;
+	}
+	enumerator->destroy(enumerator);
+
+	if (result != TSS_SUCCESS)
+	{
+		goto err3;
 	}
 
 	/* Set the Validation Data */
@@ -1023,94 +888,35 @@ err2:
 
 err1:
 	Tspi_Context_Close(hContext);
-
 	if (!success)
 	{
 		DBG1(DBG_PTS, "TPM not available: tss error 0x%x", result);
 	}
-	clear_pcrs(this);
-
 	return success;
 }
 
-METHOD(pts_t, select_pcr, bool,
-	private_pts_t *this, u_int32_t pcr)
-{
-	u_int32_t i, f;
-
-	if (pcr >= PCR_MAX_NUM)
-	{
-		DBG1(DBG_PTS, "PCR %u: number is larger than maximum of %u",
-					   pcr, PCR_MAX_NUM-1);
-		return FALSE;
-	}
-
-	/* Determine PCR selection flag */
-	i = pcr / 8;
-	f = 1 << (pcr - 8*i);
+#else /* TSS_TROUSERS */
 
-	/* Has this PCR already been selected? */
-	if (!(this->pcr_select[i] & f))
-	{
-		this->pcr_select[i] |= f;
-		this->pcr_max = max(this->pcr_max, pcr);
-		this->pcr_count++;
-	}
-
-	return TRUE;
+METHOD(pts_t, read_pcr, bool,
+	private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value)
+{
+	return FALSE;
 }
 
-METHOD(pts_t, add_pcr, bool,
-	private_pts_t *this, u_int32_t pcr, chunk_t pcr_before, chunk_t pcr_after)
+METHOD(pts_t, extend_pcr, bool,
+	private_pts_t *this, u_int32_t pcr_num, chunk_t input, chunk_t *output)
 {
-	if (pcr >= PCR_MAX_NUM)
-	{
-		DBG1(DBG_PTS, "PCR %u: number is larger than maximum of %u",
-					   pcr, PCR_MAX_NUM-1);
-		return FALSE;
-	}
-
-	/* Is the length of the PCR registers already set? */
-	if (this->pcr_len)
-	{
-		if (pcr_after.len != this->pcr_len)
-		{
-			DBG1(DBG_PTS, "PCR %02u: length is %d bytes but should be %d bytes",
-						   pcr_after.len, this->pcr_len);
-			return FALSE;
-		}
-	}
-	else
-	{
-		this->pcr_len = pcr_after.len;
-	}
-
-	/* Has the value of the PCR register already been assigned? */
-	if (this->pcrs[pcr])
-	{
-		if (!memeq(this->pcrs[pcr], pcr_before.ptr, this->pcr_len))
-		{
-			DBG1(DBG_PTS, "PCR %02u: new pcr_before value does not equal "
-						  "old pcr_after value");
-		}
-		/* remove the old PCR value */
-		free(this->pcrs[pcr]);
-	}
-	else
-	{
-		/* add extended PCR Register */
-		this->pcr_select[pcr / 8] |= 1 << (pcr % 8);
-		this->pcr_max = max(this->pcr_max, pcr);
-		this->pcr_count++;
-	}
-
-	/* Duplicate and store current PCR value */
-	pcr_after = chunk_clone(pcr_after);
-	this->pcrs[pcr] = pcr_after.ptr;
+	return FALSE;
+}
 
-	return TRUE;
+METHOD(pts_t, quote_tpm, bool,
+	private_pts_t *this, bool use_quote2, chunk_t *pcr_comp, chunk_t *quote_sig)
+{
+	return FALSE;
 }
 
+#endif /* TSS_TROUSERS */
+
 /**
  * TPM_QUOTE_INFO structure:
  *	4 bytes of version
@@ -1130,13 +936,11 @@ METHOD(pts_t, get_quote_info, bool,
 	pts_meas_algorithms_t comp_hash_algo,
 	chunk_t *out_pcr_comp, chunk_t *out_quote_info)
 {
-	u_int8_t size_of_select;
-	int pcr_comp_len, i;
-	chunk_t pcr_comp, hash_pcr_comp;
+	chunk_t selection, pcr_comp, hash_pcr_comp;
 	bio_writer_t *writer;
 	hasher_t *hasher;
 
-	if (this->pcr_count == 0)
+	if (!this->pcrs->get_count(this->pcrs))
 	{
 		DBG1(DBG_PTS, "No extended PCR entries available, "
 					  "unable to construct TPM Quote Info");
@@ -1154,34 +958,9 @@ METHOD(pts_t, get_quote_info, bool,
 					  "unable to construct TPM Quote Info2");
 		return FALSE;
 	}
-	
-	/**
-	 * A TPM v1.2 has 24 PCR Registers
-	 * so the bitmask field length used by TrouSerS is at least 3 bytes
-	 */
-	size_of_select = max(PCR_MAX_NUM / 8, 1 + this->pcr_max / 8);
-	pcr_comp_len = 2 + size_of_select + 4 + this->pcr_count * this->pcr_len;
-	
-	writer = bio_writer_create(pcr_comp_len);
-
-	writer->write_uint16(writer, size_of_select);
-	for (i = 0; i < size_of_select; i++)
-	{
-		writer->write_uint8(writer, this->pcr_select[i]);
-	}
 
-	writer->write_uint32(writer, this->pcr_count * this->pcr_len);
-	for (i = 0; i < 8 * size_of_select; i++)
-	{
-		if (this->pcrs[i])
-		{
-			writer->write_data(writer, chunk_create(this->pcrs[i], this->pcr_len));
-		}
-	}
-	pcr_comp = chunk_clone(writer->get_buf(writer));
-	DBG3(DBG_PTS, "constructed PCR Composite: %B", &pcr_comp);
+	pcr_comp = this->pcrs->get_composite(this->pcrs);
 
-	writer->destroy(writer);
 
 	/* Output the TPM_PCR_COMPOSITE expected from IMC */
 	if (comp_hash_algo)
@@ -1192,7 +971,12 @@ METHOD(pts_t, get_quote_info, bool,
 		hasher = lib->crypto->create_hasher(lib->crypto, algo);
 
 		/* Hash the PCR Composite Structure */
-		hasher->allocate_hash(hasher, pcr_comp, out_pcr_comp);
+		if (!hasher || !hasher->allocate_hash(hasher, pcr_comp, out_pcr_comp))
+		{
+			DESTROY_IF(hasher);
+			free(pcr_comp.ptr);
+			return FALSE;
+		}
 		DBG3(DBG_PTS, "constructed PCR Composite hash: %#B", out_pcr_comp);
 		hasher->destroy(hasher);
 	}
@@ -1203,7 +987,13 @@ METHOD(pts_t, get_quote_info, bool,
 
 	/* SHA1 hash of PCR Composite to construct TPM_QUOTE_INFO */
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	hasher->allocate_hash(hasher, pcr_comp, &hash_pcr_comp);
+	if (!hasher || !hasher->allocate_hash(hasher, pcr_comp, &hash_pcr_comp))
+	{
+		DESTROY_IF(hasher);
+		chunk_free(out_pcr_comp);
+		free(pcr_comp.ptr);
+		return FALSE;
+	}
 	hasher->destroy(hasher);
 
 	/* Construct TPM_QUOTE_INFO/TPM_QUOTE_INFO2 structure */
@@ -1220,15 +1010,11 @@ METHOD(pts_t, get_quote_info, bool,
 		/* Secret assessment value 20 bytes (nonce) */
 		writer->write_data(writer, this->secret);
 
-		/* Length of the PCR selection field */
-		writer->write_uint16(writer, size_of_select);
-
 		/* PCR selection */
-		for (i = 0; i < size_of_select ; i++)
-		{
-			writer->write_uint8(writer, this->pcr_select[i]);
-		}
-		
+		selection.ptr = pcr_comp.ptr;
+		selection.len = 2 + this->pcrs->get_selection_size(this->pcrs);
+		writer->write_data(writer, selection);
+
 		/* TPM Locality Selection */
 		writer->write_uint8(writer, TPM_LOC_ZERO);
 
@@ -1257,13 +1043,12 @@ METHOD(pts_t, get_quote_info, bool,
 	}
 
 	/* TPM Quote Info */
-	*out_quote_info = chunk_clone(writer->get_buf(writer));
+	*out_quote_info = writer->extract_buf(writer);
 	DBG3(DBG_PTS, "constructed TPM Quote Info: %B", out_quote_info);
 
 	writer->destroy(writer);
 	free(pcr_comp.ptr);
 	free(hash_pcr_comp.ptr);
-	clear_pcrs(this);
 
 	return TRUE;
 }
@@ -1292,10 +1077,16 @@ METHOD(pts_t, verify_quote_signature, bool,
 	return TRUE;
 }
 
+METHOD(pts_t, get_pcrs, pts_pcr_t*,
+	private_pts_t *this)
+{
+	return this->pcrs;
+}
+
 METHOD(pts_t, destroy, void,
 	private_pts_t *this)
 {
-	clear_pcrs(this);
+	DESTROY_IF(this->pcrs);
 	DESTROY_IF(this->aik);
 	DESTROY_IF(this->dh);
 	free(this->initiator_nonce.ptr);
@@ -1307,121 +1098,8 @@ METHOD(pts_t, destroy, void,
 	free(this);
 }
 
-#define RELEASE_LSB		0
-#define RELEASE_DEBIAN	1
 
-/**
- * Determine Linux distribution and hardware platform
- */
-static char* extract_platform_info(void)
-{
-	FILE *file;
-	char buf[BUF_LEN], *pos = buf, *value = NULL;
-	int i, len = BUF_LEN - 1;
-	struct utsname uninfo;
-
-	/* Linux/Unix distribution release info (from http://linuxmafia.com) */
-	const char* releases[] = {
-		"/etc/lsb-release",           "/etc/debian_version",
-		"/etc/SuSE-release",          "/etc/novell-release",
-		"/etc/sles-release",          "/etc/redhat-release",
-		"/etc/fedora-release",        "/etc/gentoo-release",
-		"/etc/slackware-version",     "/etc/annvix-release",
-		"/etc/arch-release",          "/etc/arklinux-release",
-		"/etc/aurox-release",         "/etc/blackcat-release",
-		"/etc/cobalt-release",        "/etc/conectiva-release",
-		"/etc/debian_release",        "/etc/immunix-release",
-		"/etc/lfs-release",           "/etc/linuxppc-release",
-		"/etc/mandrake-release",      "/etc/mandriva-release",
-		"/etc/mandrakelinux-release", "/etc/mklinux-release",
-		"/etc/pld-release",           "/etc/redhat_version",
-		"/etc/slackware-release",     "/etc/e-smith-release",
-		"/etc/release",               "/etc/sun-release",
-		"/etc/tinysofa-release",      "/etc/turbolinux-release",
-		"/etc/ultrapenguin-release",  "/etc/UnitedLinux-release",
-		"/etc/va-release",            "/etc/yellowdog-release"
-	};
-
-	const char description[] = "DISTRIB_DESCRIPTION=\"";
-	const char str_debian[] = "Debian ";
-
-	for (i = 0; i < countof(releases); i++)
-	{
-		file = fopen(releases[i], "r");
-		if (!file)
-		{
-			continue;
-		}
-
-		if (i == RELEASE_DEBIAN)
-		{
-			strcpy(buf, str_debian);
-			pos += strlen(str_debian);
-			len -= strlen(str_debian); 
-		}
-
-		fseek(file, 0, SEEK_END);
-		len = min(ftell(file), len);
-		rewind(file);
-		pos[len] = '\0';
-		if (fread(pos, 1, len, file) != len)
-		{
-			DBG1(DBG_PTS, "failed to read file '%s'", releases[i]);
-			fclose(file);
-			return NULL;
-		}
-		fclose(file);
-
-		if (i == RELEASE_LSB)
-		{
-			pos = strstr(buf, description);
-			if (!pos)
-			{
-				DBG1(DBG_PTS, "failed to find begin of lsb-release "
-							  "DESCRIPTION field");
-				return NULL;
-			}
-			value = pos + strlen(description);
-			pos = strchr(value, '"');
-			if (!pos)
-			{
-				DBG1(DBG_PTS, "failed to find end of lsb-release "
-							  "DESCRIPTION field");
-				return NULL;
-			 }
-		}
-		else
-		{
-			value = buf;
-			pos = strchr(pos, '\n');
-			if (!pos)
-			{
-				DBG1(DBG_PTS, "failed to find end of release string");
-				return NULL;
-			 }
-		}
-		break;
-	}
-
-	if (!value)
-	{
-		DBG1(DBG_PTS, "no distribution release file found");
-		return NULL;
-	}
-
-	if (uname(&uninfo) < 0)
-	{
-		DBG1(DBG_PTS, "could not retrieve machine architecture");
-		return NULL;
-	}
-
-	*pos++ = ' ';
-	len = sizeof(buf)-1 + (pos - buf);
-	strncpy(pos, uninfo.machine, len);
-
-	DBG1(DBG_PTS, "platform is '%s'", value);
-	return strdup(value);
-}
+#ifdef TSS_TROUSERS
 
 /**
  * Check for a TPM by querying for TPM Version Info
@@ -1471,12 +1149,30 @@ static bool has_tpm(private_pts_t *this)
 	return FALSE;
 }
 
+#else /* TSS_TROUSERS */
+
+static bool has_tpm(private_pts_t *this)
+{
+	return FALSE;
+}
+
+#endif /* TSS_TROUSERS */
+
+
 /**
  * See header
  */
 pts_t *pts_create(bool is_imc)
 {
 	private_pts_t *this;
+	pts_pcr_t *pcrs;
+
+	pcrs = pts_pcr_create();
+	if (!pcrs)
+	{
+		DBG1(DBG_PTS, "shadow PCR set could not be created");
+		return NULL;
+	}
 
 	INIT(this,
 		.public = {
@@ -1494,19 +1190,15 @@ pts_t *pts_create(bool is_imc)
 			.set_platform_info = _set_platform_info,
 			.get_tpm_version_info = _get_tpm_version_info,
 			.set_tpm_version_info = _set_tpm_version_info,
-			.get_pcr_len = _get_pcr_len,
 			.get_aik = _get_aik,
 			.set_aik = _set_aik,
 			.get_aik_keyid = _get_aik_keyid,
 			.is_path_valid = _is_path_valid,
-			.hash_file = _hash_file,
-			.do_measurements = _do_measurements,
 			.get_metadata = _get_metadata,
 			.read_pcr = _read_pcr,
 			.extend_pcr = _extend_pcr,
 			.quote_tpm = _quote_tpm,
-			.select_pcr = _select_pcr,
-			.add_pcr = _add_pcr,
+			.get_pcrs = _get_pcrs,
 			.get_quote_info = _get_quote_info,
 			.verify_quote_signature  = _verify_quote_signature,
 			.destroy = _destroy,
@@ -1515,16 +1207,14 @@ pts_t *pts_create(bool is_imc)
 		.proto_caps = PTS_PROTO_CAPS_V,
 		.algorithm = PTS_MEAS_ALGO_SHA256,
 		.dh_hash_algorithm = PTS_MEAS_ALGO_SHA256,
+		.pcrs = pcrs,
 	);
 
 	if (is_imc)
 	{
-		this->platform_info = extract_platform_info();
-
 		if (has_tpm(this))
 		{
 			this->has_tpm = TRUE;
-			this->pcr_len = PCR_LEN;
 			this->proto_caps |= PTS_PROTO_CAPS_T | PTS_PROTO_CAPS_D;
 			load_aik(this);
 			load_aik_blob(this);
diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h
index 212acb02a..11154aa38 100644
--- a/src/libpts/pts/pts.h
+++ b/src/libpts/pts/pts.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup pts pts
- * @{ @ingroup pts
+ * @{ @ingroup libpts
  */
 
 #ifndef PTS_H_
@@ -29,12 +29,13 @@ typedef struct pts_t pts_t;
 #include "pts_file_meas.h"
 #include "pts_file_meta.h"
 #include "pts_dh_group.h"
+#include "pts_pcr.h"
 #include "pts_req_func_comp_evid.h"
 #include "pts_simple_evid_final.h"
 #include "components/pts_comp_func_name.h"
 
 #include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * UTF-8 encoding of the character used to delimiter the filename
@@ -170,9 +171,10 @@ struct pts_t {
 	/**
 	 * Set Platform and OS Info
 	 *
-	 * @param info				Platform and OS info
+	 * @param name				OS name
+	 * @param version			OS version
 	 */
-	void (*set_platform_info)(pts_t *this, char *info);
+	void (*set_platform_info)(pts_t *this, chunk_t name, chunk_t version);
 
 	/**
 	 * Get TPM 1.2 Version Info
@@ -190,13 +192,6 @@ struct pts_t {
 	void (*set_tpm_version_info)(pts_t *this, chunk_t info);
 
 	/**
-	 * Get the length of the TPM PCR registers
-	 *
-	 * @return					Length of PCR registers in bytes, 0 if undefined
-	 */
-	size_t (*get_pcr_len)(pts_t *this);
-
-	/**
 	 * Get Attestation Identity Certificate or Public Key
 	 *
 	 * @return					AIK Certificate or Public Key
@@ -230,34 +225,13 @@ struct pts_t {
 	bool (*is_path_valid)(pts_t *this, char *path, pts_error_code_t *error_code);
 
 	/**
-	* Compute a hash over a file
-	 * @param hasher			Hasher to be used
-	 * @param pathname			Absolute path of a file
-	 * @param hash				Buffer to keep hash output
-	 * @return					TRUE if path is valid and hashing succeeded
-	 */
-	bool (*hash_file)(pts_t *this, hasher_t *hasher, char *pathname, u_char *hash);
-
-	/**
-	 * Do PTS File Measurements
-	 *
-	 * @param request_id		ID of PTS File Measurement Request
-	 * @param pathname			Absolute pathname of file to be measured
-	 * @param is_directory		TRUE if directory contents are measured
-	 * @return					PTS File Measurements of NULL if FAILED
-	 */
-	pts_file_meas_t* (*do_measurements)(pts_t *this, u_int16_t request_id,
-										char *pathname, bool is_directory);
-
-	/**
 	 * Obtain file metadata
 	 *
 	 * @param pathname			Absolute pathname of file/directory
-	 * @param is_directory		TRUE if directory contents are requested
+	 * @param is_dir			TRUE if directory contents are requested
 	 * @return					PTS File Metadata or NULL if FAILED
 	 */
-	pts_file_meta_t* (*get_metadata)(pts_t *this, char *pathname,
-									 bool is_directory);
+	pts_file_meta_t* (*get_metadata)(pts_t *this, char *pathname, bool is_dir);
 
 	/**
 	 * Reads given PCR value and returns it
@@ -294,24 +268,12 @@ struct pts_t {
 	 bool (*quote_tpm)(pts_t *this, bool use_quote2, chunk_t *pcr_comp,
 													 chunk_t *quote_sig);
 
-	 /**
-	 * Mark an extended PCR as selected
-	 *
-	 * @param pcr				Number of the extended PCR
-	 * @return					TRUE if PCR number is valid
-	 */
-	 bool (*select_pcr)(pts_t *this, u_int32_t pcr);
-
-	 /**
-	 * Add an extended PCR with its corresponding value
+	/**
+	 * Get the shadow PCR set
 	 *
-	 * @param pcr				Number of the extended PCR
-	 * @param pcr_before		PCR value before extension
-	 * @param pcr_after			PCR value after extension
-	 * @return					TRUE if PCR number and register length is valid
+	 * @return					shadow PCR set
 	 */
-	bool (*add_pcr)(pts_t *this, u_int32_t pcr, chunk_t pcr_before,
-												chunk_t pcr_after);
+	pts_pcr_t* (*get_pcrs)(pts_t *this);
 
 	 /**
 	 * Constructs and returns TPM Quote Info structure expected from IMC
diff --git a/src/libpts/pts/pts_creds.c b/src/libpts/pts/pts_creds.c
index 5a6197bdb..bc483eb84 100644
--- a/src/libpts/pts/pts_creds.c
+++ b/src/libpts/pts/pts_creds.c
@@ -15,7 +15,7 @@
 
 #include "pts_creds.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/sets/mem_cred.h>
 
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index 282755c0a..e5a06cc8d 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -13,9 +13,12 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+#include <stdio.h>
+
 #include "pts_database.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <crypto/hashers/hasher.h>
 
 
@@ -39,60 +42,69 @@ struct private_pts_database_t {
 
 };
 
-METHOD(pts_database_t, create_file_meas_enumerator, enumerator_t*,
-	private_pts_database_t *this, char *product)
+METHOD(pts_database_t, get_pathname, char*,
+	private_pts_database_t *this, bool is_dir, int id)
 {
 	enumerator_t *e;
+	char *path, *name, *pathname;
 
-	/* look for all entries belonging to a product in the files table */
-	e = this->db->query(this->db,
-				"SELECT f.id, f.type, f.path FROM files AS f "
-				"JOIN product_file AS pf ON f.id = pf.file "
-				"JOIN products AS p ON p.id = pf.product "
-				"WHERE p.name = ? AND pf.measurement = 1",
-				DB_TEXT, product, DB_INT, DB_INT, DB_TEXT);
-	return e;
-}
-
-METHOD(pts_database_t, create_file_meta_enumerator, enumerator_t*,
-	private_pts_database_t *this, char *product)
-{
-	enumerator_t *e;
+	if (is_dir)
+	{
+		e = this->db->query(this->db,
+				"SELECT path FROM directories WHERE id = ?",
+				 DB_INT, id, DB_TEXT);
+		if (!e || !e->enumerate(e, &path))
+		{
+			pathname = NULL;
+		}
+		else
+		{
+			pathname = strdup(path);
+		}
+	}
+	else
+	{
+		e = this->db->query(this->db,
+				"SELECT d.path, f.name FROM files AS f "
+				"JOIN directories AS d ON d.id = f.dir WHERE f.id = ?",
+				 DB_INT, id, DB_TEXT, DB_TEXT);
+		if (!e || !e->enumerate(e, &path, &name) ||
+			asprintf(&pathname, "%s%s%s",
+					 path, streq(path, "/") ? "" : "/", name) == -1)
+		{
+			pathname = NULL;
+		}
+	}
+	DESTROY_IF(e);
 
-	/* look for all entries belonging to a product in the files table */
-	e = this->db->query(this->db,
-				"SELECT f.type, f.path FROM files AS f "
-				"JOIN product_file AS pf ON f.id = pf.file "
-				"JOIN products AS p ON p.id = pf.product "
-				"WHERE p.name = ? AND pf.metadata = 1",
-				DB_TEXT, product, DB_INT, DB_TEXT);
-	return e;
+	return pathname;
 }
 
 METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*,
 	private_pts_database_t *this, char *product, pts_meas_algorithms_t algo,
-	int id, bool is_dir)
+	bool is_dir, int id)
 {
 	enumerator_t *e;
 
 	if (is_dir)
 	{
 		e = this->db->query(this->db,
-				"SELECT f.path, fh.hash FROM file_hashes AS fh "
-				"JOIN files AS f ON fh.file = f.id "
-				"JOIN products AS p ON fh.product = p.id "
-				"WHERE p.name = ? AND fh.directory = ? AND fh.algo = ? "
-				"ORDER BY f.path",
-				DB_TEXT, product, DB_INT, id, DB_INT, algo, DB_TEXT, DB_BLOB);
+				"SELECT f.name, fh.hash FROM file_hashes AS fh "
+				"JOIN files AS f ON f.id = fh.file "
+				"JOIN products AS p ON p.id = fh.product "
+				"JOIN directories as d ON d.id = f.dir "
+				"WHERE p.name = ? AND fh.algo = ? AND d.id = ? "
+				"ORDER BY f.name",
+				DB_TEXT, product, DB_INT, algo, DB_INT, id, DB_TEXT, DB_BLOB);
 	}
 	else
 	{
 		e = this->db->query(this->db,
-				"SELECT f.path, fh.hash FROM file_hashes AS fh "
-				"JOIN files AS f ON fh.file = f.id "
-				"JOIN products AS p ON fh.product = p.id "
-				"WHERE p.name = ? AND fh.file = ? AND fh.algo = ?",
-				DB_TEXT, product, DB_INT, id, DB_INT, algo, DB_TEXT, DB_BLOB);
+				"SELECT f.name, fh.hash FROM file_hashes AS fh "
+				"JOIN files AS f ON f.id = fh.file "
+				"JOIN products AS p ON p.id = fh.product "
+				"WHERE p.name = ? AND fh.algo = ? AND fh.file = ?",
+				DB_TEXT, product, DB_INT, algo, DB_INT, id, DB_TEXT, DB_BLOB);
 	}
 	return e;
 }
@@ -121,6 +133,150 @@ METHOD(pts_database_t, check_aik_keyid, status_t,
 	return SUCCESS;
 }
 
+METHOD(pts_database_t, add_file_measurement, status_t,
+	private_pts_database_t *this, char *product, pts_meas_algorithms_t algo,
+	chunk_t measurement, char *filename, bool is_dir, int id)
+{
+	enumerator_t *e;
+	char *name;
+	chunk_t hash_value;
+	int hash_id, fid, pid = 0;
+	status_t status = SUCCESS;
+
+	/* get primary key of product string */
+	e = this->db->query(this->db,
+			"SELECT id FROM products WHERE name = ?", DB_TEXT, product, DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &pid);
+		e->destroy(e);
+	}
+	if (pid == 0)
+	{
+		return FAILED;
+	}
+
+	if (is_dir)
+	{
+		/* does filename entry already exist? */
+		e = this->db->query(this->db,
+				"SELECT id FROM files WHERE name = ? AND dir = ?",
+				 DB_TEXT, filename, DB_INT, id, DB_INT);
+		if (!e)
+		{
+			return FAILED;
+		}
+		if (!e->enumerate(e, &fid))
+		{
+			/* create filename entry */
+			if (this->db->execute(this->db, &fid,
+					"INSERT INTO files (name, dir) VALUES (?, ?)",
+					 DB_TEXT, filename, DB_INT, id) != 1)
+			{
+				DBG1(DBG_PTS, "could not insert filename into database");
+				status = FAILED;
+			}
+		}
+		e->destroy(e);
+	}
+	else
+	{
+		fid = id;
+
+		/* verify filename */
+		e = this->db->query(this->db,
+				 "SELECT name FROM files WHERE id = ?", DB_INT, fid, DB_TEXT);
+		if (!e)
+		{
+			return FAILED;
+		}
+		if (!e->enumerate(e, &name) || !streq(name, filename))
+		{
+			DBG1(DBG_PTS, "filename of reference measurement does not match");
+			status = FAILED;
+		}
+		e->destroy(e);
+	}
+
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+
+	/* does hash measurement value already exist? */
+	e = this->db->query(this->db,
+			"SELECT fh.id, fh.hash FROM file_hashes AS fh "
+			"WHERE fh.product = ? AND fh.algo = ? AND fh.file = ?",
+			 DB_INT, pid, DB_INT, algo, DB_INT, fid, DB_INT, DB_BLOB);
+	if (!e)
+	{
+		return FAILED;
+	}
+	if (e->enumerate(e, &hash_id, &hash_value))
+	{
+		if (!chunk_equals(measurement, hash_value))
+		{
+			/* update hash measurement value */
+			if (this->db->execute(this->db, &hash_id,
+					"UPDATE file_hashes SET hash = ? WHERE id = ?",
+					 DB_BLOB, measurement, DB_INT, hash_id) != 1)
+			{
+				status = FAILED;
+			}
+		}
+	}
+	else
+	{
+		/* insert hash measurement value */
+		if (this->db->execute(this->db, &hash_id,
+				"INSERT INTO file_hashes (file, product, algo, hash) "
+				"VALUES (?, ?, ?, ?)", DB_INT, fid, DB_INT, pid,
+				 DB_INT, algo, DB_BLOB, measurement) != 1)
+		{
+			status = FAILED;
+		}
+	}
+	e->destroy(e);
+
+	return status;
+}
+
+METHOD(pts_database_t, check_file_measurement, status_t,
+	private_pts_database_t *this, char *product, pts_meas_algorithms_t algo,
+	chunk_t measurement, char *filename)
+{
+	enumerator_t *e;
+	chunk_t hash;
+	status_t status = NOT_FOUND;
+
+	e = this->db->query(this->db,
+		"SELECT fh.hash FROM file_hashes AS fh "
+		"JOIN files AS f ON f.id = fh.file "
+		"JOIN products AS p ON p.id = fh.product "
+		"WHERE p.name = ? AND f.path = ? AND fh.algo = ?",
+		DB_TEXT, product, DB_TEXT, filename, DB_INT, algo, DB_BLOB);
+	if (!e)
+	{
+		return FAILED;
+	}
+	while (e->enumerate(e, &hash))
+	{
+		/* with relative filenames there might be multiple entries */
+		if (chunk_equals(measurement, hash))
+		{
+			status = SUCCESS;
+			break;
+		}
+		else
+		{
+			status = VERIFY_ERROR;
+		}
+	}
+	e->destroy(e);
+
+	return status;
+}
+
 METHOD(pts_database_t, create_comp_evid_enumerator, enumerator_t*,
 	private_pts_database_t *this, int kid)
 {
@@ -143,7 +299,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
 	enumerator_t *e;
 	chunk_t hash;
 	status_t status = NOT_FOUND;
-	
+
 	e = this->db->query(this->db,
 					"SELECT hash FROM component_hashes "
 					"WHERE component = ?  AND key = ? "
@@ -152,7 +308,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
 					DB_INT, pcr, DB_INT, algo, DB_BLOB);
 	if (!e)
 	{
-		DBG1(DBG_PTS, "no database query enumerator returned"); 
+		DBG1(DBG_PTS, "no database query enumerator returned");
 		return FAILED;
 	}
 
@@ -169,7 +325,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
 						  "found in database", pcr, seq_no);
 			DBG1(DBG_PTS, "  expected: %#B", &hash);
 			DBG1(DBG_PTS, "  received: %#B", &measurement);
-			status = FAILED;
+			status = VERIFY_ERROR;
 			break;
 		}
 	}
@@ -189,7 +345,7 @@ METHOD(pts_database_t, insert_comp_measurement, status_t,
 	int seq_no, int pcr, pts_meas_algorithms_t algo)
 {
 	int id;
-	
+
 	if (this->db->execute(this->db, &id,
 					"INSERT INTO component_hashes "
 					"(component, key, seq_no, pcr, algo, hash) "
@@ -272,41 +428,38 @@ METHOD(pts_database_t, get_comp_measurement_count, status_t,
 METHOD(pts_database_t, destroy, void,
 	private_pts_database_t *this)
 {
-	this->db->destroy(this->db);
 	free(this);
 }
 
 /**
  * See header
  */
-pts_database_t *pts_database_create(char *uri)
+pts_database_t *pts_database_create(imv_database_t *imv_db)
 {
 	private_pts_database_t *this;
 
+	if (!imv_db)
+	{
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
-			.create_file_meas_enumerator = _create_file_meas_enumerator,
-			.create_file_meta_enumerator = _create_file_meta_enumerator,
+			.get_pathname = _get_pathname,
 			.create_comp_evid_enumerator = _create_comp_evid_enumerator,
 			.create_file_hash_enumerator = _create_file_hash_enumerator,
 			.check_aik_keyid = _check_aik_keyid,
+			.add_file_measurement = _add_file_measurement,
+			.check_file_measurement = _check_file_measurement,
 			.check_comp_measurement = _check_comp_measurement,
 			.insert_comp_measurement = _insert_comp_measurement,
 			.delete_comp_measurements = _delete_comp_measurements,
 			.get_comp_measurement_count = _get_comp_measurement_count,
 			.destroy = _destroy,
 		},
-		.db = lib->db->create(lib->db, uri),
+		.db = imv_db->get_database(imv_db),
 	);
 
-	if (!this->db)
-	{
-		DBG1(DBG_PTS,
-			 "failed to connect to PTS file measurement database '%s'", uri);
-		free(this);
-		return NULL;
-	}
-
 	return &this->public;
 }
 
diff --git a/src/libpts/pts/pts_database.h b/src/libpts/pts/pts_database.h
index a9a68ac76..eb8aca346 100644
--- a/src/libpts/pts/pts_database.h
+++ b/src/libpts/pts/pts_database.h
@@ -25,6 +25,8 @@ typedef struct pts_database_t pts_database_t;
 
 #include "pts_meas_algo.h"
 #include "components/pts_comp_func_name.h"
+
+#include <imv/imv_database.h>
 #include <library.h>
 
 /**
@@ -34,35 +36,26 @@ typedef struct pts_database_t pts_database_t;
 struct pts_database_t {
 
 	/**
-	* Get files/directories to be measured by PTS
-	*
-	* @param product		Software product (os, vpn client, etc.)
-	* @return				Enumerator over all matching files/directories
-	*/
-	enumerator_t* (*create_file_meas_enumerator)(pts_database_t *this,
-												 char *product);
-
-	/**
-	* Get files/directories to request metadata of
+	* Get absolute pathname for file or directory measurement
 	*
-	* @param product		Software product (os, vpn client, etc.)
-	* @return				Enumerator over all matching files/directories
+	* @param is_dir			TRUE if dir, FALSE if file
+	* @param id				Primary key into directories or files table
+	* @return				Absolute pathname as a text string
 	*/
-	enumerator_t* (*create_file_meta_enumerator)(pts_database_t *this,
-												 char *product);
+	char* (*get_pathname)(pts_database_t *this, bool is_dir, int id);
 
 	/**
 	* Get stored measurement hash for single file or directory entries
 	*
 	* @param product		Software product (os, vpn client, etc.)
 	* @param algo			Hash algorithm used for measurement
-	* @param id				Primary key of measured file/directory
 	* @param is_dir			TRUE if directory was measured
+	* @param id				Primary key of measured file/directory
 	* @return				Enumerator over all matching measurement hashes
 	*/
 	enumerator_t* (*create_file_hash_enumerator)(pts_database_t *this,
 								char *product, pts_meas_algorithms_t algo,
-								int id, bool is_dir);
+								bool is_dir, int id);
 
 	/**
 	* Check if an AIK given by its keyid is registered in the database
@@ -82,6 +75,35 @@ struct pts_database_t {
 	enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this, int kid);
 
 	/**
+	* Add PTS file measurement reference value
+	*
+	* @param product		Software product (os, vpn client, etc.)
+	* @param algo			File measurement hash algorithm used
+	* @param measurement	File measurement hash
+	* @param filename		Optional name of the file to be checked
+	* @param is_dir			TRUE if part of directory measurement
+	* @param id				Primary key into direcories/files table
+	* @return				Status
+	*/
+	status_t (*add_file_measurement)(pts_database_t *this, char *product,
+									 pts_meas_algorithms_t algo,
+									 chunk_t measurement, char *filename,
+									 bool is_dir, int id);
+
+	/**
+	* Check PTS file measurement against reference stored in database
+	*
+	* @param product		Software product (os, vpn client, etc.)
+	* @param algo			File measurement hash algorithm used
+	* @param measurement	File measurement hash
+	* @param filename		Optional name of the file to be checked
+	* @return				Status
+	*/
+	status_t (*check_file_measurement)(pts_database_t *this, char *product,
+									   pts_meas_algorithms_t algo,
+									   chunk_t measurement, char *filename);
+
+	/**
 	* Check a functional component measurement against value stored in database
 	*
 	* @param measurement	measurement hash
@@ -146,8 +168,8 @@ struct pts_database_t {
 /**
  * Creates an pts_database_t object
  *
- * @param uri				database uri
+ * @param imv_db			Already attached IMV database
  */
-pts_database_t* pts_database_create(char *uri);
+pts_database_t* pts_database_create(imv_database_t *imv_db);
 
 #endif /** PTS_DATABASE_H_ @}*/
diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c
index fb141327f..41a436036 100644
--- a/src/libpts/pts/pts_dh_group.c
+++ b/src/libpts/pts/pts_dh_group.c
@@ -15,7 +15,7 @@
 
 #include "pts_dh_group.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Described in header.
@@ -27,7 +27,7 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
 	const char *plugin_name;
 	char format1[] = "  %s PTS DH group %N[%s] available";
 	char format2[] = "  %s PTS DH group %N not available";
-	
+
 	*dh_groups = PTS_DH_GROUP_NONE;
 
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h
index 8664a4b84..2aab90263 100644
--- a/src/libpts/pts/pts_dh_group.h
+++ b/src/libpts/pts/pts_dh_group.h
@@ -48,12 +48,12 @@ enum pts_dh_group_t {
  * Diffie-Hellman Group Values
  * see section 3.8.6 of PTS Protocol: Binding to TNC IF-M Specification
  *
- *					   1
- *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 
+ *                       1
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |1|2|3|4|5|R|R|R|R|R|R|R|R|R|R|R|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 /**
@@ -90,8 +90,8 @@ bool pts_dh_group_update(char *dh_group, pts_dh_group_t *dh_groups);
  * @param offered_groups	set of offered DH groups
  * @return					selected DH group
  */
-pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_dh_groups,
-								   pts_dh_group_t offered_dh_groups);
+pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_groups,
+								   pts_dh_group_t offered_groups);
 
 /**
  * Convert pts_dh_group_t to diffie_hellman_group_t
diff --git a/src/libpts/pts/pts_error.c b/src/libpts/pts/pts_error.c
index 6e914b2a9..1e79689f9 100644
--- a/src/libpts/pts/pts_error.c
+++ b/src/libpts/pts/pts_error.c
@@ -46,13 +46,13 @@ pa_tnc_attr_t* pts_hash_alg_error_create(pts_meas_algorithms_t algorithms)
 	bio_writer_t *writer;
 	chunk_t msg_info;
 	pa_tnc_attr_t *attr;
+	pen_type_t error_code = { PEN_TCG, TCG_PTS_HASH_ALG_NOT_SUPPORTED };
 
 	writer = bio_writer_create(4);
 	writer->write_uint16(writer, 0x0000);
 	writer->write_uint16(writer, algorithms);
 	msg_info = writer->get_buf(writer);
-	attr = ietf_attr_pa_tnc_error_create(PEN_TCG, TCG_PTS_HASH_ALG_NOT_SUPPORTED,
-										 msg_info);
+	attr = ietf_attr_pa_tnc_error_create(error_code, msg_info);
 	writer->destroy(writer);
 
 	return attr;
@@ -66,13 +66,13 @@ pa_tnc_attr_t* pts_dh_group_error_create(pts_dh_group_t dh_groups)
 	bio_writer_t *writer;
 	chunk_t msg_info;
 	pa_tnc_attr_t *attr;
+	pen_type_t error_code = { PEN_TCG, TCG_PTS_DH_GRPS_NOT_SUPPORTED };
 
 	writer = bio_writer_create(4);
 	writer->write_uint16(writer, 0x0000);
 	writer->write_uint16(writer, dh_groups);
 	msg_info = writer->get_buf(writer);
-	attr = ietf_attr_pa_tnc_error_create(PEN_TCG, TCG_PTS_DH_GRPS_NOT_SUPPORTED,
-										 msg_info);
+	attr = ietf_attr_pa_tnc_error_create(error_code, msg_info);
 	writer->destroy(writer);
 
 	return attr;
@@ -86,13 +86,13 @@ pa_tnc_attr_t* pts_dh_nonce_error_create(int min_nonce_len, int max_nonce_len)
 	bio_writer_t *writer;
 	chunk_t msg_info;
 	pa_tnc_attr_t *attr;
+	pen_type_t error_code = { PEN_TCG, TCG_PTS_BAD_NONCE_LENGTH };
 
 	writer = bio_writer_create(4);
 	writer->write_uint16(writer, min_nonce_len);
 	writer->write_uint16(writer, max_nonce_len);
 	msg_info = writer->get_buf(writer);
-	attr = ietf_attr_pa_tnc_error_create(PEN_TCG, TCG_PTS_BAD_NONCE_LENGTH,
-										 msg_info);
+	attr = ietf_attr_pa_tnc_error_create(error_code, msg_info);
 	writer->destroy(writer);
 
 	return attr;
diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c
index f0e0d4c0a..f684087d7 100644
--- a/src/libpts/pts/pts_file_meas.c
+++ b/src/libpts/pts/pts_file_meas.c
@@ -15,8 +15,12 @@
 
 #include "pts_file_meas.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+#include <sys/stat.h>
+#include <libgen.h>
+#include <errno.h>
 
 typedef struct private_pts_file_meas_t private_pts_file_meas_t;
 
@@ -107,6 +111,51 @@ METHOD(pts_file_meas_t, create_enumerator, enumerator_t*,
 								   (void*)entry_filter, NULL, NULL);
 }
 
+METHOD(pts_file_meas_t, check, bool,
+	private_pts_file_meas_t *this, pts_database_t *pts_db, char *product,
+	pts_meas_algorithms_t algo)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	int count_ok = 0, count_not_found = 0, count_differ = 0;
+	status_t status;
+
+	enumerator = this->list->create_enumerator(this->list);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		status = pts_db->check_file_measurement(pts_db, product, algo,
+									entry->measurement, entry->filename);
+		switch (status)
+		{
+			case SUCCESS:
+				DBG3(DBG_PTS, "  %#B for '%s' is ok", &entry->measurement,
+													   entry->filename);
+				count_ok++;
+				break;
+			case NOT_FOUND:
+				DBG2(DBG_PTS, "  %#B for '%s' not found", &entry->measurement,
+														   entry->filename);
+				count_not_found++;
+				break;
+			case VERIFY_ERROR:
+				DBG1(DBG_PTS, "  %#B for '%s' differs", &entry->measurement,
+														 entry->filename);
+				count_differ++;
+				break;
+			case FAILED:
+			default:
+				DBG1(DBG_PTS, "  %#B for '%s' failed", &entry->measurement,
+														entry->filename);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	DBG1(DBG_PTS, "%d measurements, %d ok, %d not found, %d differ",
+		 this->list->get_count(this->list),
+		 count_ok, count_not_found, count_differ);
+	return TRUE;
+}
+
 METHOD(pts_file_meas_t, verify, bool,
 	private_pts_file_meas_t *this, enumerator_t *e_hash, bool is_dir)
 {
@@ -130,7 +179,7 @@ METHOD(pts_file_meas_t, verify, bool,
 			}
 		}
 		enumerator->destroy(enumerator);
-		
+
 		if (!found)
 		{
 			DBG1(DBG_PTS, "  no measurement found for '%s'", filename);
@@ -151,7 +200,7 @@ METHOD(pts_file_meas_t, verify, bool,
 			break;
 		}
 	}
-	return success;	
+	return success;
 }
 
 METHOD(pts_file_meas_t, destroy, void,
@@ -174,6 +223,7 @@ pts_file_meas_t *pts_file_meas_create(u_int16_t request_id)
 			.get_file_count = _get_file_count,
 			.add = _add,
 			.create_enumerator = _create_enumerator,
+			.check = _check,
 			.verify = _verify,
 			.destroy = _destroy,
 		},
@@ -184,3 +234,127 @@ pts_file_meas_t *pts_file_meas_create(u_int16_t request_id)
 	return &this->public;
 }
 
+/**
+ * Hash a file with a given absolute pathname
+ */
+static bool hash_file(hasher_t *hasher, char *pathname, u_char *hash)
+{
+	u_char buffer[4096];
+	size_t bytes_read;
+	bool success = TRUE;
+	FILE *file;
+
+	file = fopen(pathname, "rb");
+	if (!file)
+	{
+		DBG1(DBG_PTS,"  file '%s' can not be opened, %s", pathname,
+			 strerror(errno));
+		return FALSE;
+	}
+	while (TRUE)
+	{
+		bytes_read = fread(buffer, 1, sizeof(buffer), file);
+		if (bytes_read > 0)
+		{
+			if (!hasher->get_hash(hasher, chunk_create(buffer, bytes_read), NULL))
+			{
+				DBG1(DBG_PTS, "  hasher increment error");
+				success = FALSE;
+				break;
+			}
+		}
+		else
+		{
+			if (!hasher->get_hash(hasher, chunk_empty, hash))
+			{
+				DBG1(DBG_PTS, "  hasher finalize error");
+				success = FALSE;
+			}
+			break;
+		}
+	}
+	fclose(file);
+
+	return success;
+}
+
+/**
+ * See header
+ */
+pts_file_meas_t *pts_file_meas_create_from_path(u_int16_t request_id,
+							char *pathname, bool is_dir, bool use_rel_name,
+							pts_meas_algorithms_t alg)
+{
+	private_pts_file_meas_t *this;
+	hash_algorithm_t hash_alg;
+	hasher_t *hasher;
+	u_char hash[HASH_SIZE_SHA384];
+	chunk_t measurement;
+	char* filename;
+	bool success = TRUE;
+
+	/* Create a hasher and a hash measurement buffer */
+	hash_alg = pts_meas_algo_to_hash(alg);
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+	if (!hasher)
+	{
+		DBG1(DBG_PTS, "hasher %N not available", hash_algorithm_names, hash_alg);
+		return NULL;
+	}
+	measurement = chunk_create(hash, hasher->get_hash_size(hasher));
+	this = (private_pts_file_meas_t*)pts_file_meas_create(request_id);
+
+	if (is_dir)
+	{
+		enumerator_t *enumerator;
+		char *rel_name, *abs_name;
+		struct stat st;
+
+		enumerator = enumerator_create_directory(pathname);
+		if (!enumerator)
+		{
+			DBG1(DBG_PTS, "  directory '%s' can not be opened, %s", pathname,
+				 strerror(errno));
+			success = FALSE;
+			goto end;
+		}
+		while (enumerator->enumerate(enumerator, &rel_name, &abs_name, &st))
+		{
+			/* measure regular files only */
+			if (S_ISREG(st.st_mode) && *rel_name != '.')
+			{
+				if (!hash_file(hasher, abs_name, hash))
+				{
+					continue;
+				}
+				filename = use_rel_name ? rel_name : abs_name;
+				DBG2(DBG_PTS, "  %#B for '%s'", &measurement, filename);
+				add(this, filename, measurement);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		if (!hash_file(hasher, pathname, hash))
+		{
+			success = FALSE;
+			goto end;
+		}
+		filename = use_rel_name ? basename(pathname) : pathname;
+		DBG2(DBG_PTS, "  %#B for '%s'", &measurement, filename);
+		add(this, filename, measurement);
+	}
+
+end:
+	hasher->destroy(hasher);
+	if (success)
+	{
+		return &this->public;
+	}
+	else
+	{
+		destroy(this);
+		return NULL;
+	}
+}
diff --git a/src/libpts/pts/pts_file_meas.h b/src/libpts/pts/pts_file_meas.h
index 3ebb5c2a0..a13bb29ba 100644
--- a/src/libpts/pts/pts_file_meas.h
+++ b/src/libpts/pts/pts_file_meas.h
@@ -21,6 +21,8 @@
 #ifndef PTS_FILE_MEAS_H_
 #define PTS_FILE_MEAS_H_
 
+#include "pts/pts_database.h"
+
 #include <library.h>
 
 typedef struct pts_file_meas_t pts_file_meas_t;
@@ -55,15 +57,26 @@ struct pts_file_meas_t {
 	/**
 	  * Create a PTS File Measurement enumerator
 	  *
-	  * @return				Enumerator returning filename and measurement 
+	  * @return				Enumerator returning filename and measurement
 	  */
 	enumerator_t* (*create_enumerator)(pts_file_meas_t *this);
 
 	/**
+	 * Check PTS File Measurements against reference value in the database
+	 *
+	 * @param db			PTS Measurement database
+	 * @param product		Software product (os, vpn client, etc.)
+	 * @param algo			PTS Measurement algorithm used
+	 * @return				TRUE if all measurements agreed
+	 */
+	bool (*check)(pts_file_meas_t *this, pts_database_t *db, char* product,
+				  pts_meas_algorithms_t algo);
+
+	/**
 	 * Verify stored hashes against PTS File Measurements
 	 *
 	 * @param e_hash		Hash enumerator
-	 * @paraem is_dir		TRUE for directory contents hashes
+	 * @param is_dir		TRUE for directory contents hashes
 	 * @return				TRUE if all hashes match a measurement
 	 */
 	bool (*verify)(pts_file_meas_t *this, enumerator_t *e_hash, bool is_dir);
@@ -82,4 +95,17 @@ struct pts_file_meas_t {
  */
 pts_file_meas_t* pts_file_meas_create(u_int16_t request_id);
 
+/**
+ * Creates a pts_file_meas_t object measuring a file/directory
+ *
+ * @param request_id		ID of PTS File Measurement Request
+ * @param pathname			Absolute file or directory pathname
+ * @param is_dir			TRUE if directory path
+ * @param use_rel_name		TRUE if relative filenames are to be used
+ * @param alg				PTS hash measurement algorithm to be used
+ */
+pts_file_meas_t* pts_file_meas_create_from_path(u_int16_t request_id,
+							char* pathname, bool is_dir, bool use_rel_name,
+							pts_meas_algorithms_t alg);
+
 #endif /** PTS_FILE_MEAS_H_ @}*/
diff --git a/src/libpts/pts/pts_file_meta.c b/src/libpts/pts/pts_file_meta.c
index 6ed1c01b4..9cca0a5a5 100644
--- a/src/libpts/pts/pts_file_meta.c
+++ b/src/libpts/pts/pts_file_meta.c
@@ -15,8 +15,8 @@
 
 #include "pts_file_meta.h"
 
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_pts_file_meta_t private_pts_file_meta_t;
 
diff --git a/src/libpts/pts/pts_meas_algo.c b/src/libpts/pts/pts_meas_algo.c
index 865857d3c..16a66e7b3 100644
--- a/src/libpts/pts/pts_meas_algo.c
+++ b/src/libpts/pts/pts_meas_algo.c
@@ -15,14 +15,23 @@
 
 #include "pts_meas_algo.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
-ENUM(pts_meas_algorithm_names, PTS_MEAS_ALGO_NONE, PTS_MEAS_ALGO_SHA384,
-	"None",
-	"SHA1",
-	"SHA256",
-	"SHA384"
-);
+ENUM_BEGIN(pts_meas_algorithm_names, PTS_MEAS_ALGO_NONE, PTS_MEAS_ALGO_NONE,
+	"None");
+ENUM_NEXT(pts_meas_algorithm_names,	PTS_MEAS_ALGO_SHA384, PTS_MEAS_ALGO_SHA384,
+									PTS_MEAS_ALGO_NONE,
+	"SHA384");
+ENUM_NEXT(pts_meas_algorithm_names,	PTS_MEAS_ALGO_SHA256, PTS_MEAS_ALGO_SHA256,
+									PTS_MEAS_ALGO_SHA384,
+	"SHA256");
+ENUM_NEXT(pts_meas_algorithm_names,	PTS_MEAS_ALGO_SHA1, PTS_MEAS_ALGO_SHA1,
+									PTS_MEAS_ALGO_SHA256,
+	"SHA1");
+ENUM_NEXT(pts_meas_algorithm_names,	PTS_MEAS_ALGO_SHA1_IMA, PTS_MEAS_ALGO_SHA1_IMA,
+									PTS_MEAS_ALGO_SHA1,
+	"SHA1-IMA");
+ENUM_END(pts_meas_algorithm_names,  PTS_MEAS_ALGO_SHA1_IMA);
 
 /**
  * Described in header.
@@ -34,7 +43,7 @@ bool pts_meas_algo_probe(pts_meas_algorithms_t *algorithms)
 	const char *plugin_name;
 	char format1[] = "  %s PTS measurement algorithm %N[%s] available";
 	char format2[] = "  %s PTS measurement algorithm %N not available";
-	
+
 	*algorithms = 0;
 
 	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
diff --git a/src/libpts/pts/pts_meas_algo.h b/src/libpts/pts/pts_meas_algo.h
index 1d96a4946..27cdaea7e 100644
--- a/src/libpts/pts/pts_meas_algo.h
+++ b/src/libpts/pts/pts_meas_algo.h
@@ -30,10 +30,11 @@ typedef enum pts_meas_algorithms_t pts_meas_algorithms_t;
  * PTS Measurement Algorithms
  */
 enum pts_meas_algorithms_t {
-	PTS_MEAS_ALGO_NONE   =	   0,
-	PTS_MEAS_ALGO_SHA1   =	(1<<15),
-	PTS_MEAS_ALGO_SHA256 =	(1<<14),
-	PTS_MEAS_ALGO_SHA384 =	(1<<13),
+	PTS_MEAS_ALGO_NONE     =      0,
+	PTS_MEAS_ALGO_SHA384   = (1<<13),
+	PTS_MEAS_ALGO_SHA256   = (1<<14),
+	PTS_MEAS_ALGO_SHA1     = (1<<15),
+	PTS_MEAS_ALGO_SHA1_IMA = (1<<16), /* internal use only */
 };
 
 /**
diff --git a/src/libpts/pts/pts_pcr.c b/src/libpts/pts/pts_pcr.c
new file mode 100644
index 000000000..0af93b608
--- /dev/null
+++ b/src/libpts/pts/pts_pcr.c
@@ -0,0 +1,289 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pts_pcr.h"
+
+#include <utils/debug.h>
+
+#include <stdarg.h>
+
+typedef struct private_pts_pcr_t private_pts_pcr_t;
+
+/**
+ * Private data of a pts_pcr_t object.
+ *
+ */
+struct private_pts_pcr_t {
+
+	/**
+	 * Public pts_pcr_t interface.
+	 */
+	pts_pcr_t public;
+
+	/**
+	 * Shadow PCR registers
+	 */
+	chunk_t pcrs[PTS_PCR_MAX_NUM];
+
+	/**
+	 * Number of extended PCR registers
+	 */
+	u_int32_t pcr_count;
+
+	/**
+	 * Highest extended PCR register
+	 */
+	u_int32_t pcr_max;
+
+	/**
+	 * Bitmap of extended PCR registers
+	 */
+	u_int8_t pcr_select[PTS_PCR_MAX_NUM / 8];
+
+	/**
+	 * Hasher used to extend shadow PCRs
+	 */
+	hasher_t *hasher;
+
+};
+
+METHOD(pts_pcr_t, get_count, u_int32_t,
+	private_pts_pcr_t *this)
+{
+	return this->pcr_count;
+}
+
+METHOD(pts_pcr_t, select_pcr, bool,
+	private_pts_pcr_t *this, u_int32_t pcr)
+{
+	u_int32_t i, f;
+
+	if (pcr >= PTS_PCR_MAX_NUM)
+	{
+		DBG1(DBG_PTS, "PCR %2u: number is larger than maximum of %u",
+					   pcr, PTS_PCR_MAX_NUM-1);
+		return FALSE;
+	}
+
+	/* Determine PCR selection flag */
+	i = pcr / 8;
+	f = 1 << (pcr - 8*i);
+
+	/* Has this PCR already been selected? */
+	if (!(this->pcr_select[i] & f))
+	{
+		this->pcr_select[i] |= f;
+		this->pcr_max = max(this->pcr_max, pcr);
+		this->pcr_count++;
+	}
+	return TRUE;
+}
+
+METHOD(pts_pcr_t, get_selection_size, size_t,
+	private_pts_pcr_t *this)
+{
+
+	/**
+	 * A TPM v1.2 has 24 PCR Registers so the bitmask field length
+	 * used by TrouSerS is at least 3 bytes
+	 */
+	return PTS_PCR_MAX_NUM / 8;
+}
+
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** current PCR */
+	u_int32_t pcr;
+	/** back reference to parent */
+	private_pts_pcr_t *pcrs;
+} pcr_enumerator_t;
+
+/**
+ * Implementation of enumerator.enumerate
+ */
+static bool pcr_enumerator_enumerate(pcr_enumerator_t *this, ...)
+{
+	u_int32_t *pcr, i, f;
+	va_list args;
+
+	va_start(args, this);
+	pcr = va_arg(args, u_int32_t*);
+	va_end(args);
+
+	while (this->pcr <= this->pcrs->pcr_max)
+	{
+		/* Determine PCR selection flag */
+		i = this->pcr / 8;
+		f = 1 << (this->pcr - 8*i);
+
+		/* Assign current PCR to output argument and increase */
+		*pcr = this->pcr++;
+
+		/* return if PCR is selected */
+		if (this->pcrs->pcr_select[i] & f)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(pts_pcr_t, create_enumerator, enumerator_t*,
+	private_pts_pcr_t *this)
+{
+	pcr_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)pcr_enumerator_enumerate,
+			.destroy = (void*)free,
+		},
+		.pcrs = this,
+	);
+
+	return (enumerator_t*)enumerator;
+}
+
+METHOD(pts_pcr_t, get, chunk_t,
+	private_pts_pcr_t *this, u_int32_t pcr)
+{
+	return (pcr < PTS_PCR_MAX_NUM) ? this->pcrs[pcr] : chunk_empty;
+}
+
+METHOD(pts_pcr_t, set, bool,
+	private_pts_pcr_t *this, u_int32_t pcr, chunk_t value)
+{
+	if (value.len != PTS_PCR_LEN)
+	{
+		DBG1(DBG_PTS, "PCR %2u: value does not fit", pcr);
+		return FALSE;
+	}
+	if (select_pcr(this, pcr))
+	{
+		memcpy(this->pcrs[pcr].ptr, value.ptr, PTS_PCR_LEN);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(pts_pcr_t, extend, chunk_t,
+	private_pts_pcr_t *this, u_int32_t pcr, chunk_t measurement)
+{
+	if (measurement.len != PTS_PCR_LEN)
+	{
+		DBG1(DBG_PTS, "PCR %2u: measurement does not fit", pcr);
+		return chunk_empty;
+	}
+	if (!select_pcr(this, pcr))
+	{
+		return chunk_empty;
+	}
+	if (!this->hasher->get_hash(this->hasher, this->pcrs[pcr] , NULL) ||
+		!this->hasher->get_hash(this->hasher, measurement, this->pcrs[pcr].ptr))
+	{
+		DBG1(DBG_PTS, "PCR %2u: not extended due to hasher problem", pcr);
+		return chunk_empty;
+	}
+	return this->pcrs[pcr];
+}
+
+METHOD(pts_pcr_t, get_composite, chunk_t,
+	private_pts_pcr_t *this)
+{
+	chunk_t composite;
+	enumerator_t *enumerator;
+	u_int16_t selection_size;
+	u_int32_t pcr_field_size, pcr;
+	u_char *pos;
+
+	selection_size = get_selection_size(this);
+	pcr_field_size = this->pcr_count * PTS_PCR_LEN;
+
+	composite = chunk_alloc(2 + selection_size + 4 + pcr_field_size);
+	pos = composite.ptr;
+	htoun16(pos, selection_size);
+	pos += 2;
+	memcpy(pos, this->pcr_select, selection_size);
+	pos += selection_size;
+	htoun32(pos, pcr_field_size);
+	pos += 4;
+
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &pcr))
+	{
+		memcpy(pos, this->pcrs[pcr].ptr, PTS_PCR_LEN);
+		pos += PTS_PCR_LEN;
+	}
+	enumerator->destroy(enumerator);
+
+	DBG3(DBG_PTS, "constructed PCR Composite: %B", &composite);
+	return composite;
+}
+
+METHOD(pts_pcr_t, destroy, void,
+	private_pts_pcr_t *this)
+{
+	u_int32_t i;
+
+	for (i = 0; i < PTS_PCR_MAX_NUM; i++)
+	{
+		free(this->pcrs[i].ptr);
+	}
+	this->hasher->destroy(this->hasher);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pts_pcr_t *pts_pcr_create(void)
+{
+	private_pts_pcr_t *this;
+	hasher_t *hasher;
+	u_int32_t i;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1(DBG_PTS, "%N hasher could not be created",
+			 hash_algorithm_short_names, HASH_SHA1);
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.get_count = _get_count,
+			.select_pcr = _select_pcr,
+			.get_selection_size = _get_selection_size,
+			.create_enumerator = _create_enumerator,
+			.get = _get,
+			.set = _set,
+			.extend = _extend,
+			.get_composite = _get_composite,
+			.destroy = _destroy,
+		},
+		.hasher = hasher,
+	);
+
+	for (i = 0; i < PTS_PCR_MAX_NUM; i++)
+	{
+		this->pcrs[i] = chunk_alloc(PTS_PCR_LEN);
+		memset(this->pcrs[i].ptr, 0x00, PTS_PCR_LEN);
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libpts/pts/pts_pcr.h b/src/libpts/pts/pts_pcr.h
new file mode 100644
index 000000000..f638b5ee4
--- /dev/null
+++ b/src/libpts/pts/pts_pcr.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pts_pcr pts_pcr
+ * @{ @ingroup pts
+ */
+
+#ifndef PTS_PCR_H_
+#define PTS_PCR_H_
+
+typedef struct pts_pcr_t pts_pcr_t;
+
+#include <library.h>
+
+/**
+ * Maximum number of PCR's of TPM, TPM Spec 1.2
+ */
+#define PTS_PCR_MAX_NUM				24
+
+/**
+ * Number of bytes that can be saved in a PCR of TPM, TPM Spec 1.2
+ */
+#define PTS_PCR_LEN					20
+
+/**
+ * Class implementing a shadow PCR register set
+ */
+struct pts_pcr_t {
+
+	/**
+	 * Get the number of selected PCRs
+	 *
+	 * @return				number of selected PCRs
+	 */
+	u_int32_t (*get_count)(pts_pcr_t *this);
+
+	/**
+	 * Mark a PCR as selected
+	 *
+	 * @param pcr			index of PCR
+	 * @return				TRUE if PCR index exists
+	 */
+	bool (*select_pcr)(pts_pcr_t *this, u_int32_t pcr);
+
+	/**
+	 * Get the size of the selection field in bytes
+	 *
+	 * @return				number of bytes written
+	 */
+	size_t (*get_selection_size)(pts_pcr_t *this);
+
+	/**
+	 * Create an enumerator over all selected PCR indexes
+	 *
+	 * @return				enumerator
+	 */
+	enumerator_t* (*create_enumerator)(pts_pcr_t *this);
+
+	/**
+	 * Get the current content of a PCR
+	 *
+	 * @param pcr			index of PCR
+	 * @return				content of PCR
+	 */
+	chunk_t (*get)(pts_pcr_t *this, u_int32_t pcr);
+
+	/**
+	 * Set the content of a PCR
+	 *
+	 * @param pcr			index of PCR
+	 * @param value			new value of PCR
+	 * @return				TRUE if value could be set
+	 */
+	bool (*set)(pts_pcr_t *this, u_int32_t pcr, chunk_t value);
+
+	/**
+	 * Extend the content of a PCR
+	 *
+	 * @param pcr			index of PCR
+	 * @param measurement	measurment value to be extended into PCR
+	 * @return				new content of PCR
+	 */
+	chunk_t (*extend)(pts_pcr_t *this, u_int32_t pcr, chunk_t measurement);
+
+	/**
+	 * Create a PCR Composite object over all selected PCRs
+	 *
+	 * @return				PCR Composite object (must be freed)
+	 */
+	chunk_t (*get_composite)(pts_pcr_t *this);
+
+	/**
+
+	 * Destroys a pts_pcr_t object.
+	 */
+	void (*destroy)(pts_pcr_t *this);
+
+};
+
+/**
+ * Creates an pts_pcr_t object
+ */
+pts_pcr_t* pts_pcr_create(void);
+
+#endif /** PTS_PCR_H_ @}*/
diff --git a/src/libpts/tcg/tcg_attr.c b/src/libpts/tcg/tcg_attr.c
index 656791a8f..b91bf8283 100644
--- a/src/libpts/tcg/tcg_attr.c
+++ b/src/libpts/tcg/tcg_attr.c
@@ -31,8 +31,23 @@
 #include "tcg/tcg_pts_attr_req_file_meta.h"
 #include "tcg/tcg_pts_attr_unix_file_meta.h"
 
-ENUM_BEGIN(tcg_attr_names,	TCG_PTS_REQ_FUNC_COMP_EVID,
+ENUM_BEGIN(tcg_attr_names,	TCG_SCAP_REFERENCES,
+							TCG_SCAP_SUMMARY_RESULTS,
+	"SCAP References",
+	"SCAP Capabilities and Inventory",
+	"SCAP Content",
+	"SCAP Assessment",
+	"SCAP Results",
+	"SCAP Summary Results");
+ENUM_NEXT(tcg_attr_names,	TCG_SWID_INVENTORY_REQUEST,
+							TCG_SWID_TAG_IDENTIFIER_RESPONSE,
+							TCG_SCAP_SUMMARY_RESULTS,
+	"SWID Inventory Request",
+	"SWID Tag Response",
+	"SWID Tag Identifier Response");
+ENUM_NEXT(tcg_attr_names,	TCG_PTS_REQ_FUNC_COMP_EVID,
 							TCG_PTS_REQ_FUNC_COMP_EVID,
+							TCG_SWID_TAG_IDENTIFIER_RESPONSE,
 	"Request Functional Component Evidence");
 ENUM_NEXT(tcg_attr_names,	TCG_PTS_GEN_ATTEST_EVID,
 							TCG_PTS_GEN_ATTEST_EVID,
diff --git a/src/libpts/tcg/tcg_attr.h b/src/libpts/tcg/tcg_attr.h
index b45e1488f..ed6c97619 100644
--- a/src/libpts/tcg/tcg_attr.h
+++ b/src/libpts/tcg/tcg_attr.h
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup tcg_attrt tcg_attr
- * @{ @ingroup tcg_attr
+ * @defgroup tcg_attr tcg_attr
+ * @{ @ingroup libpts
  */
 
 #ifndef TCG_ATTR_H_
@@ -31,6 +31,19 @@ typedef enum tcg_attr_t tcg_attr_t;
  */
 enum tcg_attr_t {
 
+	/* SCAP Messages */
+	TCG_SCAP_REFERENCES =                 0x00000001,
+	TCG_SCAP_CAPS_AND_INVENTORY =         0x00000002,
+	TCG_SCAP_CONTENT =                    0x00000003,
+	TCG_SCAP_ASSESSMENT =                 0x00000004,
+	TCG_SCAP_RESULTS =                    0x00000005,
+	TCG_SCAP_SUMMARY_RESULTS =            0x00000006,
+
+	/* SWID Messages */
+	TCG_SWID_INVENTORY_REQUEST =          0x00000011,
+	TCG_SWID_TAG_RESPONSE =               0x00000012,
+	TCG_SWID_TAG_IDENTIFIER_RESPONSE =    0x00000013,
+
 	/* PTS Protocol Negotiations */
 	TCG_PTS_REQ_PROTO_CAPS =              0x01000000,
 	TCG_PTS_PROTO_CAPS =                  0x02000000,
diff --git a/src/libpts/tcg/tcg_pts_attr_aik.c b/src/libpts/tcg/tcg_pts_attr_aik.c
index 9be3794b6..17a8db5d6 100644
--- a/src/libpts/tcg/tcg_pts_attr_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_aik.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_aik_t private_tcg_pts_attr_aik_t;
 
@@ -49,20 +49,15 @@ struct private_tcg_pts_attr_aik_t {
 	tcg_pts_attr_aik_t public;
 
 	/**
-	 * Attribute vendor ID
+	 * Vendor-specific attribute type
 	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
-	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
@@ -79,13 +74,7 @@ struct private_tcg_pts_attr_aik_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_aik_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_aik_t *this)
 {
 	return this->type;
@@ -117,6 +106,10 @@ METHOD(pa_tnc_attr_t, build, void,
 	cred_encoding_type_t encoding_type = CERT_ASN1_DER;
 	chunk_t aik_blob;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	if (this->aik->get_type(this->aik) == CERT_TRUSTED_PUBKEY)
 	{
 		flags |= PTS_AIK_FLAGS_NAKED_KEY;
@@ -130,9 +123,9 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_AIK_SIZE);
 	writer->write_uint8(writer, flags);
 	writer->write_data (writer, aik_blob);
-	this->value = chunk_clone(writer->get_buf(writer));
-	free(aik_blob.ptr);
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
+	free(aik_blob.ptr);
 }
 
 METHOD(pa_tnc_attr_t, process, status_t,
@@ -142,7 +135,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int8_t flags;
 	certificate_type_t type;
 	chunk_t aik_blob;
-	
+
 	if (this->value.len < PTS_AIK_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Attestation Identity Key");
@@ -202,7 +195,6 @@ pa_tnc_attr_t *tcg_pts_attr_aik_create(certificate_t *aik)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -214,8 +206,7 @@ pa_tnc_attr_t *tcg_pts_attr_aik_create(certificate_t *aik)
 			},
 			.get_aik = _get_aik,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_AIK,
+		.type = { PEN_TCG, TCG_PTS_AIK },
 		.aik = aik->get_ref(aik),
 		.ref = 1,
 	);
@@ -234,7 +225,6 @@ pa_tnc_attr_t *tcg_pts_attr_aik_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -246,8 +236,7 @@ pa_tnc_attr_t *tcg_pts_attr_aik_create_from_data(chunk_t data)
 			},
 			.get_aik = _get_aik,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_AIK,
+		.type = { PEN_TCG, TCG_PTS_AIK },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_aik.h b/src/libpts/tcg/tcg_pts_attr_aik.h
index 96e90582b..758fd58db 100644
--- a/src/libpts/tcg/tcg_pts_attr_aik.h
+++ b/src/libpts/tcg/tcg_pts_attr_aik.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_aik tcg_pts_attr_aik
- * @{ @ingroup tcg_pts_attr_aik
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_AIK_H_
@@ -38,7 +38,7 @@ struct tcg_pts_attr_aik_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get AIK
 	 *
@@ -50,7 +50,7 @@ struct tcg_pts_attr_aik_t {
 
 /**
  * Creates an tcg_pts_attr_aik_t object
- * 
+ *
  * @param aik				Attestation Identity Key
  */
 pa_tnc_attr_t* tcg_pts_attr_aik_create(certificate_t *aik);
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
index dce98e87d..6119b4973 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_dh_nonce_finish_t
 					private_tcg_pts_attr_dh_nonce_finish_t;
@@ -36,7 +36,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_finish_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						D-H Initiator Nonce ...					|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_DH_NONCE_FINISH_SIZE			12
@@ -53,14 +53,9 @@ struct private_tcg_pts_attr_dh_nonce_finish_t {
 	tcg_pts_attr_dh_nonce_finish_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -71,7 +66,7 @@ struct private_tcg_pts_attr_dh_nonce_finish_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Selected Hashing Algorithm
 	 */
@@ -93,13 +88,7 @@ struct private_tcg_pts_attr_dh_nonce_finish_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_dh_nonce_finish_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_dh_nonce_finish_t *this)
 {
 	return this->type;
@@ -128,14 +117,18 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_DH_NONCE_FINISH_SIZE);
 	writer->write_uint8 (writer, PTS_DH_NONCE_FINISH_RESERVED);
 	writer->write_uint8 (writer, this->initiator_nonce.len);
 	writer->write_uint16(writer, this->hash_algo);
 	writer->write_data  (writer, this->initiator_value);
 	writer->write_data  (writer, this->initiator_nonce);
-	
-	this->value = chunk_clone(writer->get_buf(writer));
+
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -217,7 +210,6 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_finish_create(
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -231,8 +223,7 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_finish_create(
 			.get_initiator_nonce = _get_initiator_nonce,
 			.get_initiator_value = _get_initiator_value,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_DH_NONCE_FINISH,
+		.type = { PEN_TCG, TCG_PTS_DH_NONCE_FINISH },
 		.hash_algo = hash_algo,
 		.initiator_value = initiator_value,
 		.initiator_nonce = chunk_clone(initiator_nonce),
@@ -252,7 +243,6 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_finish_create_from_data(chunk_t value)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -266,8 +256,7 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_finish_create_from_data(chunk_t value)
 			.get_initiator_nonce = _get_initiator_nonce,
 			.get_initiator_value = _get_initiator_value,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_DH_NONCE_FINISH,
+		.type = { PEN_TCG, TCG_PTS_DH_NONCE_FINISH },
 		.value = chunk_clone(value),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h
index 7148065c5..57cb5a9b6 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_dh_nonce_finish tcg_pts_attr_dh_nonce_finish
- * @{ @ingroup tcg_pts_attr_dh_nonce_finish
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_DH_NONCE_FINISH_H_
@@ -64,7 +64,7 @@ struct tcg_pts_attr_dh_nonce_finish_t {
 	 * @return				DH Initiator Nonce
 	 */
 	chunk_t (*get_initiator_nonce)(tcg_pts_attr_dh_nonce_finish_t *this);
-	
+
 };
 
 /**
@@ -76,7 +76,7 @@ struct tcg_pts_attr_dh_nonce_finish_t {
  */
 pa_tnc_attr_t* tcg_pts_attr_dh_nonce_finish_create(
 										pts_meas_algorithms_t hash_algo,
-   										chunk_t initiator_value,
+										chunk_t initiator_value,
 										chunk_t initiator_nonce);
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
index 36266fe12..7761b977d 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_dh_nonce_params_req_t
 					private_tcg_pts_attr_dh_nonce_params_req_t;
@@ -32,7 +32,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_req_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |	Reserved  | Min. Nonce Len |		D-H Group Set			|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_DH_NONCE_PARAMS_REQ_SIZE			4
@@ -49,14 +49,9 @@ struct private_tcg_pts_attr_dh_nonce_params_req_t {
 	tcg_pts_attr_dh_nonce_params_req_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -67,7 +62,7 @@ struct private_tcg_pts_attr_dh_nonce_params_req_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Minimum acceptable length of nonce
 	 */
@@ -84,13 +79,7 @@ struct private_tcg_pts_attr_dh_nonce_params_req_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_dh_nonce_params_req_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_dh_nonce_params_req_t *this)
 {
 	return this->type;
@@ -119,12 +108,16 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_DH_NONCE_PARAMS_REQ_SIZE);
 	writer->write_uint8 (writer, PTS_DH_NONCE_PARAMS_REQ_RESERVED);
 	writer->write_uint8 (writer, this->min_nonce_len);
 	writer->write_uint16(writer, this->dh_groups);
-	
-	this->value = chunk_clone(writer->get_buf(writer));
+
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -191,7 +184,6 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_req_create(u_int8_t min_nonce_len,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -204,8 +196,7 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_req_create(u_int8_t min_nonce_len,
 			.get_min_nonce_len = _get_min_nonce_len,
 			.get_dh_groups = _get_dh_groups,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_DH_NONCE_PARAMS_REQ,
+		.type = { PEN_TCG, TCG_PTS_DH_NONCE_PARAMS_REQ },
 		.min_nonce_len = min_nonce_len,
 		.dh_groups = dh_groups,
 		.ref = 1,
@@ -224,7 +215,6 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_req_create_from_data(chunk_t value)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -237,8 +227,7 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_req_create_from_data(chunk_t value)
 			.get_min_nonce_len = _get_min_nonce_len,
 			.get_dh_groups = _get_dh_groups,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_DH_NONCE_PARAMS_REQ,
+		.type = { PEN_TCG, TCG_PTS_DH_NONCE_PARAMS_REQ },
 		.value = chunk_clone(value),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h
index 170077156..22e1bd189 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_dh_nonce_params_req tcg_pts_attr_dh_nonce_params_req
- * @{ @ingroup tcg_pts_attr_dh_nonce_params_req
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_DH_NONCE_PARAMS_REQ_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
index 09bfa3aac..eb0d0e533 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t
 					private_tcg_pts_attr_dh_nonce_params_resp_t;
@@ -38,7 +38,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |					D-H Responder Public Value ...				|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_DH_NONCE_PARAMS_RESP_SIZE			16
@@ -55,14 +55,9 @@ struct private_tcg_pts_attr_dh_nonce_params_resp_t {
 	tcg_pts_attr_dh_nonce_params_resp_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -73,7 +68,7 @@ struct private_tcg_pts_attr_dh_nonce_params_resp_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Selected Diffie Hellman group
 	 */
@@ -100,13 +95,7 @@ struct private_tcg_pts_attr_dh_nonce_params_resp_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_dh_nonce_params_resp_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_dh_nonce_params_resp_t *this)
 {
 	return this->type;
@@ -135,6 +124,10 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_DH_NONCE_PARAMS_RESP_SIZE);
 	writer->write_uint24(writer, PTS_DH_NONCE_PARAMS_RESP_RESERVED);
 	writer->write_uint8 (writer, this->responder_nonce.len);
@@ -142,8 +135,8 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->hash_algo_set);
 	writer->write_data  (writer, this->responder_nonce);
 	writer->write_data  (writer, this->responder_value);
-	
-	this->value = chunk_clone(writer->get_buf(writer));
+
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -233,7 +226,6 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_resp_create(pts_dh_group_t dh_group,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -248,8 +240,7 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_resp_create(pts_dh_group_t dh_group,
 			.get_responder_nonce = _get_responder_nonce,
 			.get_responder_value = _get_responder_value,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_DH_NONCE_PARAMS_RESP,
+		.type = { PEN_TCG, TCG_PTS_DH_NONCE_PARAMS_RESP },
 		.dh_group = dh_group,
 		.hash_algo_set = hash_algo_set,
 		.responder_nonce = chunk_clone(responder_nonce),
@@ -270,7 +261,6 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_resp_create_from_data(chunk_t value)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -285,8 +275,7 @@ pa_tnc_attr_t *tcg_pts_attr_dh_nonce_params_resp_create_from_data(chunk_t value)
 			.get_responder_nonce = _get_responder_nonce,
 			.get_responder_value = _get_responder_value,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_DH_NONCE_PARAMS_RESP,
+		.type = { PEN_TCG, TCG_PTS_DH_NONCE_PARAMS_RESP },
 		.value = chunk_clone(value),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h
index d2141f8b9..aaf85ef37 100644
--- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h
+++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_dh_nonce_params_resp tcg_pts_attr_dh_nonce_params_resp
- * @{ @ingroup tcg_pts_attr_dh_nonce_params_resp
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_DH_NONCE_PARAMS_RESP_H_
@@ -67,7 +67,7 @@ struct tcg_pts_attr_dh_nonce_params_resp_t {
 	 * @return				DH Responder Public Value
 	 */
 	chunk_t (*get_responder_value)(tcg_pts_attr_dh_nonce_params_resp_t *this);
-	
+
 };
 
 /**
@@ -76,11 +76,11 @@ struct tcg_pts_attr_dh_nonce_params_resp_t {
  * @param dh_group					Selected DH group
  * @param hash_algo_set				Set of supported hash algorithms
  * @param responder_nonce			DH Responder Nonce
- * @param responder_pub_val			DH Responder Public value
+ * @param responder_value			DH Responder Public value
  */
 pa_tnc_attr_t* tcg_pts_attr_dh_nonce_params_resp_create(pts_dh_group_t dh_group,
 											pts_meas_algorithms_t hash_algo_set,
-   											chunk_t responder_nonce,
+											chunk_t responder_nonce,
 											chunk_t responder_value);
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.c b/src/libpts/tcg/tcg_pts_attr_file_meas.c
index 737da65c1..b9095f5be 100644
--- a/src/libpts/tcg/tcg_pts_attr_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_file_meas.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,15 +18,15 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_file_meas_t private_tcg_pts_attr_file_meas_t;
 
 /**
  * File Measurement
  * see section 3.19.2 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -64,25 +64,20 @@ struct private_tcg_pts_attr_file_meas_t {
 	tcg_pts_attr_file_meas_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * PTS File Measurements
 	 */
@@ -94,13 +89,7 @@ struct private_tcg_pts_attr_file_meas_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_file_meas_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_file_meas_t *this)
 {
 	return this->type;
@@ -134,7 +123,11 @@ METHOD(pa_tnc_attr_t, build, void,
 	char *filename;
 	chunk_t measurement;
 	bool first = TRUE;
-	
+
+	if (this->value.ptr)
+	{
+		return;
+	}
 	number_of_files = this->measurements->get_file_count(this->measurements);
 	request_id = this->measurements->get_request_id(this->measurements);
 
@@ -151,8 +144,7 @@ METHOD(pa_tnc_attr_t, build, void,
 			first = FALSE;
 		}
 		writer->write_data  (writer, measurement);
-		writer->write_uint16(writer, strlen(filename));
-		writer->write_data  (writer, chunk_create(filename, strlen(filename)));
+		writer->write_data16(writer, chunk_create(filename, strlen(filename)));
 	}
 	enumerator->destroy(enumerator);
 
@@ -162,7 +154,7 @@ METHOD(pa_tnc_attr_t, build, void,
 		writer->write_uint16(writer, 0);
 	}
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -171,12 +163,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int64_t number_of_files;
-	u_int16_t request_id, meas_len, filename_len;
-	size_t len;
+	u_int16_t request_id, meas_len;
 	chunk_t measurement, filename;
+	size_t len;
 	char buf[BUF_LEN];
 	status_t status = FAILED;
-	
+
 	if (this->value.len < PTS_FILE_MEAS_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for PTS file measurement header");
@@ -188,9 +180,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_uint64(reader, &number_of_files);
 	reader->read_uint16(reader, &request_id);
 	reader->read_uint16(reader, &meas_len);
-	
+	*offset = PTS_FILE_MEAS_SIZE;
+
 	this->measurements = pts_file_meas_create(request_id);
-	
+
 	while (number_of_files--)
 	{
 		if (!reader->read_data(reader, meas_len, &measurement))
@@ -198,16 +191,14 @@ METHOD(pa_tnc_attr_t, process, status_t,
 			DBG1(DBG_TNC, "insufficient data for PTS file measurement");
 			goto end;
 		}
-		if (!reader->read_uint16(reader, &filename_len))
-		{
-			DBG1(DBG_TNC, "insufficient data for filename length");
-			goto end;
-		}
-		if (!reader->read_data(reader, filename_len, &filename))
+		*offset += meas_len;
+
+		if (!reader->read_data16(reader, &filename))
 		{
 			DBG1(DBG_TNC, "insufficient data for filename");
 			goto end;
 		}
+		*offset += 2 + filename.len;
 
 		len = min(filename.len, BUF_LEN-1);
 		memcpy(buf, filename.ptr, len);
@@ -232,7 +223,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->measurements->destroy(this->measurements);
+		DESTROY_IF(this->measurements);
 		free(this->value.ptr);
 		free(this);
 	}
@@ -254,7 +245,6 @@ pa_tnc_attr_t *tcg_pts_attr_file_meas_create(pts_file_meas_t *measurements)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -266,8 +256,7 @@ pa_tnc_attr_t *tcg_pts_attr_file_meas_create(pts_file_meas_t *measurements)
 			},
 			.get_measurements = _get_measurements,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_FILE_MEAS,
+		.type = { PEN_TCG, TCG_PTS_FILE_MEAS },
 		.measurements = measurements,
 		.ref = 1,
 	);
@@ -286,7 +275,6 @@ pa_tnc_attr_t *tcg_pts_attr_file_meas_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -298,8 +286,7 @@ pa_tnc_attr_t *tcg_pts_attr_file_meas_create_from_data(chunk_t data)
 			},
 			.get_measurements = _get_measurements,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_FILE_MEAS,
+		.type = { PEN_TCG, TCG_PTS_FILE_MEAS },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.h b/src/libpts/tcg/tcg_pts_attr_file_meas.h
index c432ba9a9..8d50cd9c6 100644
--- a/src/libpts/tcg/tcg_pts_attr_file_meas.h
+++ b/src/libpts/tcg/tcg_pts_attr_file_meas.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_file_meas tcg_pts_attr_file_meas
- * @{ @ingroup tcg_pts_attr_file_meas
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_FILE_MEAS_H_
@@ -38,19 +38,19 @@ struct tcg_pts_attr_file_meas_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get PTS File Measurements
 	 *
 	 * @return					PTS File Measurements
 	 */
 	pts_file_meas_t* (*get_measurements)(tcg_pts_attr_file_meas_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_file_meas_t object
- * 
+ *
  * @param measurements			PTS File Measurements
  */
 pa_tnc_attr_t* tcg_pts_attr_file_meas_create(pts_file_meas_t *measurements);
diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
index 054285c4e..f263747a3 100644
--- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_gen_attest_evid_t
 					private_tcg_pts_attr_gen_attest_evid_t;
@@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_gen_attest_evid_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						   Reserved								|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_GEN_ATTEST_EVID_SIZE		4
@@ -50,14 +50,9 @@ struct private_tcg_pts_attr_gen_attest_evid_t {
 	tcg_pts_attr_gen_attest_evid_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -75,13 +70,7 @@ struct private_tcg_pts_attr_gen_attest_evid_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_gen_attest_evid_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_gen_attest_evid_t *this)
 {
 	return this->type;
@@ -110,10 +99,14 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_GEN_ATTEST_EVID_SIZE);
 	writer->write_uint32 (writer, PTS_GEN_ATTEST_EVID_RESERVED);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -122,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int32_t reserved;
-	
+
 	if (this->value.len < PTS_GEN_ATTEST_EVID_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Generate Attestation Evidence");
@@ -163,7 +156,6 @@ pa_tnc_attr_t *tcg_pts_attr_gen_attest_evid_create()
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -174,8 +166,7 @@ pa_tnc_attr_t *tcg_pts_attr_gen_attest_evid_create()
 				.destroy = _destroy,
 			},
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_GEN_ATTEST_EVID,
+		.type = { PEN_TCG, TCG_PTS_GEN_ATTEST_EVID },
 		.ref = 1,
 	);
 
@@ -193,7 +184,6 @@ pa_tnc_attr_t *tcg_pts_attr_gen_attest_evid_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -204,8 +194,7 @@ pa_tnc_attr_t *tcg_pts_attr_gen_attest_evid_create_from_data(chunk_t data)
 				.destroy = _destroy,
 			},
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_GEN_ATTEST_EVID,
+		.type = { PEN_TCG, TCG_PTS_GEN_ATTEST_EVID },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h
index 0a65f2143..88f070406 100644
--- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h
+++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_gen_attest_evid tcg_pts_attr_gen_attest_evid
- * @{ @ingroup tcg_pts_attr_gen_attest_evid
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_GEN_ATTEST_EVID_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.c b/src/libpts/tcg/tcg_pts_attr_get_aik.c
index 1875375a4..cf944d2a9 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_aik.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_aik.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_get_aik_t private_tcg_pts_attr_get_aik_t;
 
@@ -47,14 +47,9 @@ struct private_tcg_pts_attr_get_aik_t {
 	tcg_pts_attr_get_aik_t public;
 
 	/**
-	 * Attribute vendor ID
+	 * Vendor-specific attribute type
 	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
-	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -72,13 +67,7 @@ struct private_tcg_pts_attr_get_aik_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_get_aik_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_get_aik_t *this)
 {
 	return this->type;
@@ -107,10 +96,14 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_GET_AIK_SIZE);
 	writer->write_uint32 (writer, PTS_GET_AIK_RESERVED);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -119,7 +112,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int32_t reserved;
-	
+
 	if (this->value.len < PTS_GET_AIK_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Get AIK");
@@ -160,7 +153,6 @@ pa_tnc_attr_t *tcg_pts_attr_get_aik_create()
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -171,8 +163,7 @@ pa_tnc_attr_t *tcg_pts_attr_get_aik_create()
 				.destroy = _destroy,
 			},
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_GET_AIK,
+		.type = { PEN_TCG, TCG_PTS_GET_AIK },
 		.ref = 1,
 	);
 
@@ -190,7 +181,6 @@ pa_tnc_attr_t *tcg_pts_attr_get_aik_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -201,8 +191,7 @@ pa_tnc_attr_t *tcg_pts_attr_get_aik_create_from_data(chunk_t data)
 				.destroy = _destroy,
 			},
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_GET_AIK,
+		.type = { PEN_TCG, TCG_PTS_GET_AIK },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.h b/src/libpts/tcg/tcg_pts_attr_get_aik.h
index e5c74b4dc..aca890a20 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_aik.h
+++ b/src/libpts/tcg/tcg_pts_attr_get_aik.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_get_aik tcg_pts_attr_get_aik
- * @{ @ingroup tcg_pts_attr_get_aik
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_GET_AIK_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
index cb6834ca5..647c426ed 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_get_tpm_version_info_t
 					private_tcg_pts_attr_get_tpm_version_info_t;
@@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_get_tpm_version_info_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						   Reserved								|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_GET_TPM_VER_INFO_SIZE		4
@@ -50,14 +50,9 @@ struct private_tcg_pts_attr_get_tpm_version_info_t {
 	tcg_pts_attr_get_tpm_version_info_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -75,13 +70,7 @@ struct private_tcg_pts_attr_get_tpm_version_info_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_get_tpm_version_info_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_get_tpm_version_info_t *this)
 {
 	return this->type;
@@ -110,10 +99,14 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_GET_TPM_VER_INFO_SIZE);
 	writer->write_uint32 (writer, PTS_GET_TPM_VER_INFO_RESERVED);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -122,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 {
 	bio_reader_t *reader;
 	u_int32_t reserved;
-	
+
 	if (this->value.len < PTS_GET_TPM_VER_INFO_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Get TPM Version Information");
@@ -163,7 +156,6 @@ pa_tnc_attr_t *tcg_pts_attr_get_tpm_version_info_create()
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -174,8 +166,7 @@ pa_tnc_attr_t *tcg_pts_attr_get_tpm_version_info_create()
 				.destroy = _destroy,
 			},
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_GET_TPM_VERSION_INFO,
+		.type = { PEN_TCG, TCG_PTS_GET_TPM_VERSION_INFO },
 		.ref = 1,
 	);
 
@@ -193,7 +184,6 @@ pa_tnc_attr_t *tcg_pts_attr_get_tpm_version_info_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -204,8 +194,7 @@ pa_tnc_attr_t *tcg_pts_attr_get_tpm_version_info_create_from_data(chunk_t data)
 				.destroy = _destroy,
 			},
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_GET_TPM_VERSION_INFO,
+		.type = { PEN_TCG, TCG_PTS_GET_TPM_VERSION_INFO },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h
index 1b693402a..360049690 100644
--- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h
+++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_get_tpm_version_info tcg_pts_attr_get_tpm_version_info
- * @{ @ingroup tcg_pts_attr_get_tpm_version_info
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_GET_TPM_VERSION_INFO_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.c b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
index ed520e3cd..a4dac9070 100644
--- a/src/libpts/tcg/tcg_pts_attr_meas_algo.c
+++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,12 +18,12 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t;
 
 /**
- * PTS Measurement Algorithm 
+ * PTS Measurement Algorithm
  * see section 3.9.1 of PTS Protocol: Binding to TNC IF-M Specification
  *
  *					   1				   2				   3
@@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |			Reserved			|	   Hash Algorithm Set	  	|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_MEAS_ALGO_SIZE		4
@@ -48,14 +48,9 @@ struct private_tcg_pts_attr_meas_algo_t {
 	tcg_pts_attr_meas_algo_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -66,7 +61,7 @@ struct private_tcg_pts_attr_meas_algo_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Set of algorithms
 	 */
@@ -78,13 +73,7 @@ struct private_tcg_pts_attr_meas_algo_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_meas_algo_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_meas_algo_t *this)
 {
 	return this->type;
@@ -113,10 +102,14 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_MEAS_ALGO_SIZE);
 	writer->write_uint16(writer, PTS_MEAS_ALGO_RESERVED);
 	writer->write_uint16(writer, this->algorithms);
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -175,7 +168,6 @@ pa_tnc_attr_t *tcg_pts_attr_meas_algo_create(pts_meas_algorithms_t algorithms,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -187,8 +179,8 @@ pa_tnc_attr_t *tcg_pts_attr_meas_algo_create(pts_meas_algorithms_t algorithms,
 			},
 			.get_algorithms = _get_algorithms,
 		},
-		.vendor_id = PEN_TCG,
-		.type = selection ? TCG_PTS_MEAS_ALGO_SELECTION : TCG_PTS_MEAS_ALGO,
+		.type = { PEN_TCG,
+				  selection ? TCG_PTS_MEAS_ALGO_SELECTION : TCG_PTS_MEAS_ALGO },
 		.algorithms = algorithms,
 		.ref = 1,
 	);
@@ -208,7 +200,6 @@ pa_tnc_attr_t *tcg_pts_attr_meas_algo_create_from_data(chunk_t data,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -220,8 +211,8 @@ pa_tnc_attr_t *tcg_pts_attr_meas_algo_create_from_data(chunk_t data,
 			},
 			.get_algorithms = _get_algorithms,
 		},
-		.vendor_id = PEN_TCG,
-		.type = selection ? TCG_PTS_MEAS_ALGO_SELECTION : TCG_PTS_MEAS_ALGO,
+		.type = { PEN_TCG,
+				  selection ? TCG_PTS_MEAS_ALGO_SELECTION : TCG_PTS_MEAS_ALGO },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.h b/src/libpts/tcg/tcg_pts_attr_meas_algo.h
index 885e2c16b..758100bbc 100644
--- a/src/libpts/tcg/tcg_pts_attr_meas_algo.h
+++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_meas_algo tcg_pts_attr_meas_algo
- * @{ @ingroup tcg_pts_attr_meas_algo
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_MEAS_ALGO_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.c b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
index 055c750ff..6473ea808 100644
--- a/src/libpts/tcg/tcg_pts_attr_proto_caps.c
+++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps_t;
 
@@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |						Reserved					  |C|V|D|T|X|
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *  
+ *
  */
 
 #define PTS_PROTO_CAPS_SIZE			4
@@ -48,14 +48,9 @@ struct private_tcg_pts_attr_proto_caps_t {
 	tcg_pts_attr_proto_caps_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -66,7 +61,7 @@ struct private_tcg_pts_attr_proto_caps_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Set of flags
 	 */
@@ -78,13 +73,7 @@ struct private_tcg_pts_attr_proto_caps_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_proto_caps_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_proto_caps_t *this)
 {
 	return this->type;
@@ -113,11 +102,15 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_PROTO_CAPS_SIZE);
 	writer->write_uint16(writer, PTS_PROTO_CAPS_RESERVED);
 	writer->write_uint16(writer, this->flags);
-	
-	this->value = chunk_clone(writer->get_buf(writer));
+
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -176,7 +169,6 @@ pa_tnc_attr_t *tcg_pts_attr_proto_caps_create(pts_proto_caps_flag_t flags,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -188,8 +180,8 @@ pa_tnc_attr_t *tcg_pts_attr_proto_caps_create(pts_proto_caps_flag_t flags,
 			},
 			.get_flags = _get_flags,
 		},
-		.vendor_id = PEN_TCG,
-		.type = request ? TCG_PTS_REQ_PROTO_CAPS : TCG_PTS_PROTO_CAPS,
+		.type = { PEN_TCG,
+				  request ? TCG_PTS_REQ_PROTO_CAPS : TCG_PTS_PROTO_CAPS },
 		.flags = flags,
 		.ref = 1,
 	);
@@ -208,7 +200,6 @@ pa_tnc_attr_t *tcg_pts_attr_proto_caps_create_from_data(chunk_t data,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -220,8 +211,8 @@ pa_tnc_attr_t *tcg_pts_attr_proto_caps_create_from_data(chunk_t data,
 			},
 			.get_flags = _get_flags,
 		},
-		.vendor_id = PEN_TCG,
-		.type = request ? TCG_PTS_REQ_PROTO_CAPS : TCG_PTS_PROTO_CAPS,
+		.type = { PEN_TCG,
+				  request ? TCG_PTS_REQ_PROTO_CAPS : TCG_PTS_PROTO_CAPS },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.h b/src/libpts/tcg/tcg_pts_attr_proto_caps.h
index 15cfbc7cb..cc59f4ef1 100644
--- a/src/libpts/tcg/tcg_pts_attr_proto_caps.h
+++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_proto_caps tcg_pts_attr_proto_caps
- * @{ @ingroup tcg_pts_attr_proto_caps
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_PROTO_CAPS_H_
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
index 17781f745..f0bc7cf60 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,14 +18,16 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+#include <string.h>
 
 typedef struct private_tcg_pts_attr_req_file_meas_t private_tcg_pts_attr_req_file_meas_t;
 
 /**
  * Request File Measurement
  * see section 3.19.1 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -54,25 +56,20 @@ struct private_tcg_pts_attr_req_file_meas_t {
 	tcg_pts_attr_req_file_meas_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Directory Contents flag
 	 */
@@ -82,12 +79,12 @@ struct private_tcg_pts_attr_req_file_meas_t {
 	 * Request ID
 	 */
 	u_int16_t request_id;
-	
+
 	/**
 	 * UTF8 Encoding of Delimiter Character
 	 */
 	u_int32_t delimiter;
-	
+
 	/**
 	 * Fully Qualified File Pathname
 	 */
@@ -99,13 +96,7 @@ struct private_tcg_pts_attr_req_file_meas_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_req_file_meas_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_req_file_meas_t *this)
 {
 	return this->type;
@@ -135,7 +126,11 @@ METHOD(pa_tnc_attr_t, build, void,
 	u_int8_t flags = PTS_REQ_FILE_MEAS_NO_FLAGS;
 	chunk_t pathname;
 	bio_writer_t *writer;
-	
+
+	if (this->value.ptr)
+	{
+		return;
+	}
 	if (this->directory_flag)
 	{
 		flags |= DIRECTORY_CONTENTS_FLAG;
@@ -148,7 +143,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint16(writer, this->request_id);
 	writer->write_uint32(writer, this->delimiter);
 	writer->write_data  (writer, pathname);
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -159,7 +154,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int8_t flags;
 	u_int8_t reserved;
 	chunk_t pathname;
-	
+
 	if (this->value.len < PTS_REQ_FILE_MEAS_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Request File Measurement");
@@ -176,10 +171,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
 	this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) !=
 							PTS_REQ_FILE_MEAS_NO_FLAGS;
-
-	this->pathname = malloc(pathname.len + 1);
-	memcpy(this->pathname, pathname.ptr, pathname.len);
-	this->pathname[pathname.len] = '\0';
+	this->pathname = strndup(pathname.ptr, pathname.len);
 
 	reader->destroy(reader);
 	return SUCCESS;
@@ -240,7 +232,6 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meas_create(bool directory_flag,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -255,8 +246,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meas_create(bool directory_flag,
 			.get_delimiter = _get_delimiter,
 			.get_pathname = _get_pathname,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_REQ_FILE_MEAS,
+		.type = { PEN_TCG, TCG_PTS_REQ_FILE_MEAS },
 		.directory_flag = directory_flag,
 		.request_id = request_id,
 		.delimiter = delimiter,
@@ -278,7 +268,6 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meas_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -293,8 +282,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meas_create_from_data(chunk_t data)
 			.get_delimiter = _get_delimiter,
 			.get_pathname = _get_pathname,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_REQ_FILE_MEAS,
+		.type = { PEN_TCG, TCG_PTS_REQ_FILE_MEAS },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.h b/src/libpts/tcg/tcg_pts_attr_req_file_meas.h
index 19d189eff..85a6b9a43 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.h
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_req_file_meas tcg_pts_attr_req_file_meas
- * @{ @ingroup tcg_pts_attr_req_file_meas
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_REQ_FILE_MEAS_H_
@@ -36,7 +36,7 @@ struct tcg_pts_attr_req_file_meas_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get flag for PTS Request File Measurement
 	 *
@@ -50,7 +50,6 @@ struct tcg_pts_attr_req_file_meas_t {
 	 * @return				Request ID
 	 */
 	u_int16_t (*get_request_id)(tcg_pts_attr_req_file_meas_t *this);
-	
 
 	/**
 	 * Get Delimiter
@@ -58,19 +57,19 @@ struct tcg_pts_attr_req_file_meas_t {
 	 * @return				UTF-8 encoding of a Delimiter Character
 	 */
 	u_int32_t (*get_delimiter)(tcg_pts_attr_req_file_meas_t *this);
-	
+
 	/**
 	 * Get Fully Qualified File Pathname
 	 *
 	 * @return				Pathname
 	 */
 	char* (*get_pathname)(tcg_pts_attr_req_file_meas_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_req_file_meas_t object
- * 
+ *
  * @param directory_flag	Directory Contents Flag
  * @param request_id		Request ID
  * @param delimiter			Delimiter Character
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
index bef6b5db6..e475cd35b 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,14 +18,16 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+#include <string.h>
 
 typedef struct private_tcg_pts_attr_req_file_meta_t private_tcg_pts_attr_req_file_meta_t;
 
 /**
  * Request File Metadata
  * see section 3.17.1 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -52,35 +54,30 @@ struct private_tcg_pts_attr_req_file_meta_t {
 	tcg_pts_attr_req_file_meta_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * Directory Contents flag
 	 */
 	bool directory_flag;
-	
+
 	/**
 	 * UTF8 Encoding of Delimiter Character
 	 */
 	u_int8_t delimiter;
-	
+
 	/**
 	 * Fully Qualified File Pathname
 	 */
@@ -92,13 +89,7 @@ struct private_tcg_pts_attr_req_file_meta_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_req_file_meta_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_req_file_meta_t *this)
 {
 	return this->type;
@@ -128,7 +119,11 @@ METHOD(pa_tnc_attr_t, build, void,
 	u_int8_t flags = PTS_REQ_FILE_META_NO_FLAGS;
 	chunk_t pathname;
 	bio_writer_t *writer;
-	
+
+	if (this->value.ptr)
+	{
+		return;
+	}
 	if (this->directory_flag)
 	{
 		flags |= DIRECTORY_CONTENTS_FLAG;
@@ -139,9 +134,9 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint8 (writer, flags);
 	writer->write_uint8 (writer, this->delimiter);
 	writer->write_uint16(writer, PTS_REQ_FILE_META_RESERVED);
-	
+
 	writer->write_data  (writer, pathname);
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -152,7 +147,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int8_t flags;
 	u_int16_t reserved;
 	chunk_t pathname;
-	
+
 	if (this->value.len < PTS_REQ_FILE_META_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Request File Metadata");
@@ -164,15 +159,12 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_uint8 (reader, &flags);
 	reader->read_uint8 (reader, &this->delimiter);
 	reader->read_uint16(reader, &reserved);
-	
+
 	reader->read_data  (reader, reader->remaining(reader), &pathname);
 
 	this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) !=
 							PTS_REQ_FILE_META_NO_FLAGS;
-
-	this->pathname = malloc(pathname.len + 1);
-	memcpy(this->pathname, pathname.ptr, pathname.len);
-	this->pathname[pathname.len] = '\0';
+	this->pathname = strndup(pathname.ptr, pathname.len);
 
 	reader->destroy(reader);
 	return SUCCESS;
@@ -226,7 +218,6 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meta_create(bool directory_flag,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -240,8 +231,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meta_create(bool directory_flag,
 			.get_delimiter = _get_delimiter,
 			.get_pathname = _get_pathname,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_REQ_FILE_META,
+		.type = { PEN_TCG, TCG_PTS_REQ_FILE_META },
 		.directory_flag = directory_flag,
 		.delimiter = delimiter,
 		.pathname = strdup(pathname),
@@ -262,7 +252,6 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meta_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -276,8 +265,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_file_meta_create_from_data(chunk_t data)
 			.get_delimiter = _get_delimiter,
 			.get_pathname = _get_pathname,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_REQ_FILE_META,
+		.type = { PEN_TCG, TCG_PTS_REQ_FILE_META },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.h b/src/libpts/tcg/tcg_pts_attr_req_file_meta.h
index 7620c50ab..311418be2 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.h
+++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_req_file_meta tcg_pts_attr_req_file_meta
- * @{ @ingroup tcg_pts_attr_req_file_meta
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_REQ_FILE_META_H_
@@ -36,7 +36,7 @@ struct tcg_pts_attr_req_file_meta_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get directory flag for PTS Request File Metadata
 	 *
@@ -50,19 +50,19 @@ struct tcg_pts_attr_req_file_meta_t {
 	 * @return				UTF-8 encoding of a Delimiter Character
 	 */
 	u_int8_t (*get_delimiter)(tcg_pts_attr_req_file_meta_t *this);
-	
+
 	/**
 	 * Get Fully Qualified File Pathname
 	 *
 	 * @return				Pathname
 	 */
 	char* (*get_pathname)(tcg_pts_attr_req_file_meta_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_req_file_meta_t object
- * 
+ *
  * @param directory_flag	Directory Contents Flag
  * @param delimiter			Delimiter Character
  * @param pathname			File Pathname
diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
index bfd108b9f..5249fa2ad 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,8 +18,8 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_req_func_comp_evid_t;
 
@@ -47,7 +47,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re
  */
 
 /**
- * Component Functional Name Structure 
+ * Component Functional Name Structure
  * (see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification)
  *
  *					   1				   2				   3
@@ -58,7 +58,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re
  *  |                   Component Functional Name                   |
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
- 
+
 #define PTS_REQ_FUNC_COMP_EVID_SIZE		12
 #define PTS_REQ_FUNC_COMP_FAMILY_MASK	0xC0
 
@@ -73,20 +73,15 @@ struct private_tcg_pts_attr_req_func_comp_evid_t {
 	tcg_pts_attr_req_func_comp_evid_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
@@ -140,13 +135,7 @@ static void free_entry(entry_t *this)
 	}
 }
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_req_func_comp_evid_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_req_func_comp_evid_t *this)
 {
 	return this->type;
@@ -177,6 +166,10 @@ METHOD(pa_tnc_attr_t, build, void,
 	enumerator_t *enumerator;
 	entry_t *entry;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_REQ_FUNC_COMP_EVID_SIZE);
 
 	enumerator = this->list->create_enumerator(this->list);
@@ -190,7 +183,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 	enumerator->destroy(enumerator);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -256,7 +249,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		entry->flags = flags;
 		entry->depth = depth;
 		entry->name = pts_comp_func_name_create(vendor_id, name, qualifier);
-		
+
 		this->list->insert_last(this->list, entry);
 	}
 	status = SUCCESS;
@@ -320,7 +313,6 @@ pa_tnc_attr_t *tcg_pts_attr_req_func_comp_evid_create(void)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -334,8 +326,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_func_comp_evid_create(void)
 			.get_count = _get_count,
 			.create_enumerator = _create_enumerator,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_REQ_FUNC_COMP_EVID,
+		.type = { PEN_TCG, TCG_PTS_REQ_FUNC_COMP_EVID },
 		.list = linked_list_create(),
 		.ref = 1,
 	);
@@ -353,7 +344,6 @@ pa_tnc_attr_t *tcg_pts_attr_req_func_comp_evid_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -367,8 +357,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_func_comp_evid_create_from_data(chunk_t data)
 			.get_count = _get_count,
 			.create_enumerator = _create_enumerator,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_REQ_FUNC_COMP_EVID,
+		.type = { PEN_TCG, TCG_PTS_REQ_FUNC_COMP_EVID },
 		.list = linked_list_create(),
 		.value = chunk_clone(data),
 		.ref = 1,
diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h
index 031955aca..749413c2e 100644
--- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h
+++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_req_func_comp_evid tcg_pts_attr_req_func_comp_evid
- * @{ @ingroup tcg_pts_attr_req_func_comp_evid
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_REQ_FUNC_COMP_EVID_H_
@@ -37,7 +37,7 @@ struct tcg_pts_attr_req_func_comp_evid_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Add a component to the Functional Component Evidence Request
 	 *
@@ -62,7 +62,7 @@ struct tcg_pts_attr_req_func_comp_evid_t {
 	 * @return					Entry enumerator
 	 */
 	enumerator_t* (*create_enumerator)(tcg_pts_attr_req_func_comp_evid_t *this);
-	
+
 };
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
index d2c197ac4..40f380ab4 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,16 +18,16 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <time.h>
 
 typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simple_comp_evid_t;
 
 /**
- * Simple Component Evidence 
+ * Simple Component Evidence
  * see section 3.15.1 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -66,7 +66,7 @@ typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simp
  */
 
 /**
- * Specific Functional Component -> Component Functional Name Structure 
+ * Specific Functional Component -> Component Functional Name Structure
  * see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification
  *
  *					   1				   2				   3
@@ -100,25 +100,20 @@ struct private_tcg_pts_attr_simple_comp_evid_t {
 	tcg_pts_attr_simple_comp_evid_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * PTS Component Evidence
 	 */
@@ -130,13 +125,7 @@ struct private_tcg_pts_attr_simple_comp_evid_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_simple_comp_evid_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_simple_comp_evid_t *this)
 {
 	return this->type;
@@ -185,16 +174,22 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 	bool has_pcr_info;
-	char utc_time_buf[25];
+	char utc_time_buf[25], *policy_uri;
 	u_int8_t flags;
+	u_int16_t len;
 	u_int32_t depth, extended_pcr;
 	pts_comp_func_name_t *name;
 	pts_meas_algorithms_t hash_algorithm;
 	pts_pcr_transform_t transform;
 	pts_comp_evid_validation_t validation;
 	time_t measurement_time;
-	chunk_t measurement, utc_time, pcr_before, pcr_after, policy_uri;
-	
+	chunk_t measurement, utc_time, pcr_before, pcr_after;
+
+	if (this->value.ptr)
+	{
+		return;
+	}
+
 	/* Extract parameters from comp_evidence_t object */
 	name         = this->evidence->get_comp_func_name(this->evidence,
 							&depth);
@@ -205,7 +200,7 @@ METHOD(pa_tnc_attr_t, build, void,
 							&pcr_before, &pcr_after);
 	validation   = this->evidence->get_validation(this->evidence,
 							&policy_uri);
-	
+
 	/* Determine the flags to set*/
 	flags = validation;
 	if (has_pcr_info)
@@ -213,7 +208,7 @@ METHOD(pa_tnc_attr_t, build, void,
 		flags |= PTS_SIMPLE_COMP_EVID_FLAG_PCR;
 	}
 
-	utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE);	
+	utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE);
 	measurement_time_to_utc(measurement_time, &utc_time);
 
 	writer = bio_writer_create(PTS_SIMPLE_COMP_EVID_SIZE);
@@ -229,13 +224,14 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer->write_uint8 (writer, transform);
 	writer->write_uint8 (writer, PTS_SIMPLE_COMP_EVID_RESERVED);
 	writer->write_data  (writer, utc_time);
-	
+
 	/* Optional fields */
 	if (validation == PTS_COMP_EVID_VALIDATION_FAILED ||
 		validation == PTS_COMP_EVID_VALIDATION_PASSED)
 	{
-		writer->write_uint16(writer, policy_uri.len);
-		writer->write_data  (writer, policy_uri);
+		len = strlen(policy_uri);
+		writer->write_uint16(writer, len);
+		writer->write_data  (writer, chunk_create(policy_uri, len));
 	}
 	if (has_pcr_info)
 	{
@@ -245,8 +241,8 @@ METHOD(pa_tnc_attr_t, build, void,
 	}
 
 	writer->write_data(writer, measurement);
-	
-	this->value = chunk_clone(writer->get_buf(writer));
+
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -254,7 +250,7 @@ static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 33
 static const int tm_leap_1970 = 477;
 
 /**
- * Convert Simple Component Evidence UTS string format to time_t  
+ * Convert Simple Component Evidence UTS string format to time_t
  */
 bool measurement_time_from_utc(time_t *measurement_time, chunk_t utc_time)
 {
@@ -318,7 +314,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
-	
+
 	reader->read_uint8 (reader, &flags);
 	reader->read_uint24(reader, &depth);
 	reader->read_uint24(reader, &vendor_id);
@@ -368,7 +364,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		}
 		has_validation = TRUE;
 	}
-	
+
 	/*  Are optional PCR value fields included? */
 	if (flags & PTS_SIMPLE_COMP_EVID_FLAG_PCR)
 	{
@@ -393,11 +389,11 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		has_pcr_info = TRUE;
 	}
 
-	/* Measurement field comes at the very end */ 
+	/* Measurement field comes at the very end */
 	reader->read_data(reader,reader->remaining(reader), &measurement);
 	reader->destroy(reader);
 
-	/* Create Component Functional Name object */	
+	/* Create Component Functional Name object */
 	name = pts_comp_func_name_create(vendor_id, comp_name, qualifier);
 
 	/* Create Component Evidence object */
@@ -409,8 +405,13 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	/* Add options */
 	if (has_validation)
 	{
-		policy_uri = chunk_clone(policy_uri);
-		this->evidence->set_validation(this->evidence, validation, policy_uri);
+		char buf[BUF_LEN];
+		size_t len;
+
+		len = min(policy_uri.len, BUF_LEN-1);
+		memcpy(buf, policy_uri.ptr, len);
+		buf[len] = '\0';
+		this->evidence->set_validation(this->evidence, validation, buf);
 	}
 	if (has_pcr_info)
 	{
@@ -438,7 +439,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->evidence->destroy(this->evidence);
+		DESTROY_IF(this->evidence);
 		free(this->value.ptr);
 		free(this);
 	}
@@ -456,11 +457,10 @@ METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_evidence, pts_comp_evidence_t*,
 pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid)
 {
 	private_tcg_pts_attr_simple_comp_evid_t *this;
-	
+
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -472,8 +472,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid)
 			},
 			.get_comp_evidence = _get_comp_evidence,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_SIMPLE_COMP_EVID,
+		.type = { PEN_TCG, TCG_PTS_SIMPLE_COMP_EVID },
 		.evidence = evid,
 		.ref = 1,
 	);
@@ -492,7 +491,6 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -504,8 +502,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create_from_data(chunk_t data)
 			},
 			.get_comp_evidence = _get_comp_evidence,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_SIMPLE_COMP_EVID,
+		.type = { PEN_TCG, TCG_PTS_SIMPLE_COMP_EVID },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
index 3a80904c8..494418261 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
+++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_simple_comp_evid tcg_pts_attr_simple_comp_evid
- * @{ @ingroup tcg_pts_attr_simple_comp_evid
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_SIMPLE_COMP_EVID_H_
@@ -24,7 +24,7 @@
 typedef struct tcg_pts_attr_simple_comp_evid_t tcg_pts_attr_simple_comp_evid_t;
 
 #include "tcg_attr.h"
-#include "pts/components/pts_comp_evidence.h" 
+#include "pts/components/pts_comp_evidence.h"
 #include "pa_tnc/pa_tnc_attr.h"
 
 /**
@@ -44,12 +44,12 @@ struct tcg_pts_attr_simple_comp_evid_t {
 	 * @return					Component Evidence
 	 */
 	pts_comp_evidence_t* (*get_comp_evidence)(tcg_pts_attr_simple_comp_evid_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_simple_comp_evid_t object
- * 
+ *
  * @param evid					Component Evidence
  */
 pa_tnc_attr_t* tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid);
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
index 27720d509..baadd943f 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,14 +19,14 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_simple_evid_final_t private_tcg_pts_attr_simple_evid_final_t;
 
 /**
  * Simple Evidence Final
  * see section 3.15.2 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -58,20 +58,15 @@ struct private_tcg_pts_attr_simple_evid_final_t {
 	tcg_pts_attr_simple_evid_final_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
@@ -86,22 +81,22 @@ struct private_tcg_pts_attr_simple_evid_final_t {
 	 * Optional Composite Hash Algorithm
 	 */
 	pts_meas_algorithms_t comp_hash_algorithm;
-	
+
 	/**
 	 * Optional TPM PCR Composite
 	 */
 	chunk_t pcr_comp;
-	
+
 	/**
 	 * Optional TPM Quote Signature
 	 */
 	chunk_t tpm_quote_sig;
-	
+
 	/**
 	 * Is Evidence Signature included?
 	 */
 	bool has_evid_sig;
-	
+
 	/**
 	 * Optional Evidence Signature
 	 */
@@ -113,13 +108,7 @@ struct private_tcg_pts_attr_simple_evid_final_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_simple_evid_final_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_simple_evid_final_t *this)
 {
 	return this->type;
@@ -168,7 +157,11 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 	u_int8_t flags;
-	
+
+	if (this->value.ptr)
+	{
+		return;
+	}
 	flags = this->flags & PTS_SIMPLE_EVID_FINAL_FLAG_MASK;
 
 	if (this->has_evid_sig)
@@ -179,7 +172,7 @@ METHOD(pa_tnc_attr_t, build, void,
 	writer = bio_writer_create(PTS_SIMPLE_EVID_FINAL_SIZE);
 	writer->write_uint8 (writer, flags);
 	writer->write_uint8 (writer, PTS_SIMPLE_EVID_FINAL_RESERVED);
-	
+
 	/** Optional Composite Hash Algorithm field is always present
 	 * Field has value of all zeroes if not used.
 	 * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
@@ -200,8 +193,8 @@ METHOD(pa_tnc_attr_t, build, void,
 	{
 		writer->write_data (writer, this->evid_sig);
 	}
-	
-	this->value = chunk_clone(writer->get_buf(writer));
+
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -213,7 +206,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int16_t algorithm;
 	u_int32_t pcr_comp_len, tpm_quote_sig_len, evid_sig_len;
 	status_t status = FAILED;
-	
+
 	if (this->value.len < PTS_SIMPLE_EVID_FINAL_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for Simple Evidence Final");
@@ -221,7 +214,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		return FAILED;
 	}
 	reader = bio_reader_create(this->value);
-	
+
 	reader->read_uint8(reader, &flags);
 	reader->read_uint8(reader, &reserved);
 
@@ -233,10 +226,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	 * Field has value of all zeroes if not used.
 	 * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
 	 */
-	
+
 	reader->read_uint16(reader, &algorithm);
 	this->comp_hash_algorithm = algorithm;
-	
+
 	/*  Optional Composite Hash Algorithm and TPM PCR Composite fields */
 	if (this->flags != PTS_SIMPLE_EVID_FINAL_NO)
 	{
@@ -253,7 +246,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 			goto end;
 		}
 		this->pcr_comp = chunk_clone(this->pcr_comp);
-		
+
 		if (!reader->read_uint32(reader, &tpm_quote_sig_len))
 		{
 			DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final "
@@ -268,7 +261,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		}
 		this->tpm_quote_sig = chunk_clone(this->tpm_quote_sig);
 	}
-	
+
 	/*  Optional Evidence Signature field */
 	if (this->has_evid_sig)
 	{
@@ -276,7 +269,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		reader->read_data(reader, evid_sig_len, &this->evid_sig);
 		this->evid_sig = chunk_clone(this->evid_sig);
 	}
-	
+
 	reader->destroy(reader);
 	return SUCCESS;
 
@@ -333,7 +326,6 @@ pa_tnc_attr_t *tcg_pts_attr_simple_evid_final_create(u_int8_t flags,
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -347,8 +339,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_evid_final_create(u_int8_t flags,
 			.get_evid_sig = _get_evid_sig,
 			.set_evid_sig = _set_evid_sig,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_SIMPLE_EVID_FINAL,
+		.type = { PEN_TCG, TCG_PTS_SIMPLE_EVID_FINAL },
 		.flags = flags,
 		.comp_hash_algorithm = comp_hash_algorithm,
 		.pcr_comp = pcr_comp,
@@ -370,7 +361,6 @@ pa_tnc_attr_t *tcg_pts_attr_simple_evid_final_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -384,8 +374,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_evid_final_create_from_data(chunk_t data)
 			.get_evid_sig = _get_evid_sig,
 			.set_evid_sig = _set_evid_sig,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_SIMPLE_EVID_FINAL,
+		.type = { PEN_TCG, TCG_PTS_SIMPLE_EVID_FINAL },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h
index 3d98bfce7..6778afbdc 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h
+++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_simple_evid_final tcg_pts_attr_simple_evid_final
- * @{ @ingroup tcg_pts_attr_simple_evid_final
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_SIMPLE_EVID_FINAL_H_
@@ -44,27 +44,29 @@ struct tcg_pts_attr_simple_evid_final_t {
 	 * @param comp_hash_algo	Optional Composite Hash Algorithm
 	 * @param pcr_comp			Optional PCR Composite
 	 * @param tpm_quote sig		Optional TPM Quote Signature
-	 * @return					PTS_SIMPLE_EVID_FINAL flags		
+	 * @return					PTS_SIMPLE_EVID_FINAL flags
 	 */
 	u_int8_t (*get_quote_info)(tcg_pts_attr_simple_evid_final_t *this,
 							   pts_meas_algorithms_t *comp_hash_algo,
 							   chunk_t *pcr_comp, chunk_t *tpm_quote_sig);
-	
+
 	/**
 	 * Get Optional Evidence Signature
 	 *
-	 * @evid_sig				Optional Evidence Signature
+	 * @param evid_sig			Optional Evidence Signature
 	 * @return					TRUE if Evidence Signature is available
 	 */
-	bool (*get_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, chunk_t *evid_sig);
+	bool (*get_evid_sig)(tcg_pts_attr_simple_evid_final_t *this,
+						 chunk_t *evid_sig);
 
 	/**
 	 * Set Optional Evidence Signature
 	 *
-	 * @evid_sig				Optional Evidence Signature
+	 * @param vid_sig			Optional Evidence Signature
 	 */
-	void (*set_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, chunk_t evid_sig);
-	
+	void (*set_evid_sig)(tcg_pts_attr_simple_evid_final_t *this,
+						 chunk_t evid_sig);
+
 };
 
 /**
diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
index 944a12cc9..b776cb662 100644
--- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
+++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tcg_pts_attr_tpm_version_info_t private_tcg_pts_attr_tpm_version_info_t;
 
@@ -49,14 +49,9 @@ struct private_tcg_pts_attr_tpm_version_info_t {
 	tcg_pts_attr_tpm_version_info_t public;
 
 	/**
-	 * Attribute vendor ID
+	 * Vendor-specific attribute type
 	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
-	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
@@ -67,7 +62,7 @@ struct private_tcg_pts_attr_tpm_version_info_t {
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * TPM Version Information
 	 */
@@ -79,13 +74,7 @@ struct private_tcg_pts_attr_tpm_version_info_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_tpm_version_info_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_tpm_version_info_t *this)
 {
 	return this->type;
@@ -114,10 +103,14 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 	bio_writer_t *writer;
 
+	if (this->value.ptr)
+	{
+		return;
+	}
 	writer = bio_writer_create(PTS_TPM_VER_INFO_SIZE);
 	writer->write_data(writer, this->tpm_version_info);
 
-	this->value = chunk_clone(writer->get_buf(writer));
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -125,7 +118,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	private_tcg_pts_attr_tpm_version_info_t *this, u_int32_t *offset)
 {
 	bio_reader_t *reader;
-	
+
 	if (this->value.len < PTS_TPM_VER_INFO_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for TPM Version Information");
@@ -181,7 +174,6 @@ pa_tnc_attr_t *tcg_pts_attr_tpm_version_info_create(chunk_t tpm_version_info)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -194,8 +186,7 @@ pa_tnc_attr_t *tcg_pts_attr_tpm_version_info_create(chunk_t tpm_version_info)
 			.get_tpm_version_info = _get_tpm_version_info,
 			.set_tpm_version_info = _set_tpm_version_info,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_TPM_VERSION_INFO,
+		.type = { PEN_TCG, TCG_PTS_TPM_VERSION_INFO },
 		.tpm_version_info = chunk_clone(tpm_version_info),
 		.ref = 1,
 	);
@@ -214,7 +205,6 @@ pa_tnc_attr_t *tcg_pts_attr_tpm_version_info_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -227,8 +217,7 @@ pa_tnc_attr_t *tcg_pts_attr_tpm_version_info_create_from_data(chunk_t data)
 			.get_tpm_version_info = _get_tpm_version_info,
 			.set_tpm_version_info = _set_tpm_version_info,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_TPM_VERSION_INFO,
+		.type = { PEN_TCG, TCG_PTS_TPM_VERSION_INFO },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h
index 2c12bb068..4ac18fb9e 100644
--- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h
+++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_tpm_version_info tcg_pts_attr_tpm_version_info
- * @{ @ingroup tcg_pts_attr_tpm_version_info
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_TPM_VERSION_INFO_H_
@@ -36,7 +36,7 @@ struct tcg_pts_attr_tpm_version_info_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get TPM Version Info
 	 *
@@ -55,7 +55,7 @@ struct tcg_pts_attr_tpm_version_info_t {
 
 /**
  * Creates an tcg_pts_attr_tpm_version_info_t object
- * 
+ *
  * @param tpm_version_info		TPM version info
  */
 pa_tnc_attr_t* tcg_pts_attr_tpm_version_info_create(chunk_t tpm_version_info);
diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
index a9f4a115d..f96371b8b 100644
--- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
+++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,15 +18,17 @@
 #include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
 #include <bio/bio_reader.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
+
+#include <string.h>
 
 typedef struct private_tcg_pts_attr_file_meta_t private_tcg_pts_attr_file_meta_t;
 
 /**
  * Unix-Style File Metadata
  * see section 3.17.3 of PTS Protocol: Binding to TNC IF-M Specification
- * 
+ *
  *					   1				   2				   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -80,25 +82,20 @@ struct private_tcg_pts_attr_file_meta_t {
 	tcg_pts_attr_file_meta_t public;
 
 	/**
-	 * Attribute vendor ID
-	 */
-	pen_t vendor_id;
-
-	/**
-	 * Attribute type
+	 * Vendor-specific attribute type
 	 */
-	u_int32_t type;
+	pen_type_t type;
 
 	/**
 	 * Attribute value
 	 */
 	chunk_t value;
-	
+
 	/**
 	 * Noskip flag
 	 */
 	bool noskip_flag;
-	
+
 	/**
 	 * PTS File Metadata
 	 */
@@ -110,13 +107,7 @@ struct private_tcg_pts_attr_file_meta_t {
 	refcount_t ref;
 };
 
-METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
-	private_tcg_pts_attr_file_meta_t *this)
-{
-	return this->vendor_id;
-}
-
-METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+METHOD(pa_tnc_attr_t, get_type, pen_type_t,
 	private_tcg_pts_attr_file_meta_t *this)
 {
 	return this->type;
@@ -147,7 +138,11 @@ METHOD(pa_tnc_attr_t, build, void,
 	enumerator_t *enumerator;
 	pts_file_metadata_t *entry;
 	u_int64_t number_of_files;
-	
+
+	if (this->value.ptr)
+	{
+		return;
+	}
 	number_of_files = this->metadata->get_file_count(this->metadata);
 	writer = bio_writer_create(PTS_FILE_META_SIZE);
 
@@ -170,8 +165,8 @@ METHOD(pa_tnc_attr_t, build, void,
 												  strlen(entry->filename)));
 	}
 	enumerator->destroy(enumerator);
-	
-	this->value = chunk_clone(writer->get_buf(writer));
+
+	this->value = writer->extract_buf(writer);
 	writer->destroy(writer);
 }
 
@@ -186,7 +181,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	u_int64_t owner, group;
 	chunk_t filename;
 	status_t status = FAILED;
-	
+
 	if (this->value.len < PTS_FILE_META_SIZE)
 	{
 		DBG1(DBG_TNC, "insufficient data for PTS Unix-Style file metadata header");
@@ -197,7 +192,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 	reader->read_uint64(reader, &number_of_files);
 
 	this->metadata = pts_file_meta_create();
-	
+
 	while (number_of_files--)
 	{
 		if (!reader->read_uint16(reader, &len))
@@ -250,7 +245,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 			DBG1(DBG_TNC, "insufficient data for filename");
 			goto end;
 		}
-		
+
 		entry = malloc_thing(pts_file_metadata_t);
 		entry->type = type;
 		entry->filesize = filesize;
@@ -259,9 +254,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 		entry->accessed = accessed;
 		entry->owner = owner;
 		entry->group = group;
-		entry->filename = malloc(filename.len + 1);
-		entry->filename[filename.len] = '\0';
-		memcpy(entry->filename, filename.ptr, filename.len);
+		entry->filename = strndup(filename.ptr, filename.len);
 
 		this->metadata->add(this->metadata, entry);
 	}
@@ -284,7 +277,7 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		this->metadata->destroy(this->metadata);
+		DESTROY_IF(this->metadata);
 		free(this->value.ptr);
 		free(this);
 	}
@@ -306,7 +299,6 @@ pa_tnc_attr_t *tcg_pts_attr_unix_file_meta_create(pts_file_meta_t *metadata)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -318,8 +310,7 @@ pa_tnc_attr_t *tcg_pts_attr_unix_file_meta_create(pts_file_meta_t *metadata)
 			},
 			.get_metadata = _get_metadata,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_UNIX_FILE_META,
+		.type = { PEN_TCG, TCG_PTS_UNIX_FILE_META },
 		.metadata = metadata,
 		.ref = 1,
 	);
@@ -338,7 +329,6 @@ pa_tnc_attr_t *tcg_pts_attr_unix_file_meta_create_from_data(chunk_t data)
 	INIT(this,
 		.public = {
 			.pa_tnc_attribute = {
-				.get_vendor_id = _get_vendor_id,
 				.get_type = _get_type,
 				.get_value = _get_value,
 				.get_noskip_flag = _get_noskip_flag,
@@ -350,8 +340,7 @@ pa_tnc_attr_t *tcg_pts_attr_unix_file_meta_create_from_data(chunk_t data)
 			},
 			.get_metadata = _get_metadata,
 		},
-		.vendor_id = PEN_TCG,
-		.type = TCG_PTS_UNIX_FILE_META,
+		.type = { PEN_TCG, TCG_PTS_UNIX_FILE_META },
 		.value = chunk_clone(data),
 		.ref = 1,
 	);
diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h
index 8a594eab5..ad9794b45 100644
--- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h
+++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup tcg_pts_attr_unix_file_meta tcg_pts_attr_unix_file_meta
- * @{ @ingroup tcg_pts_attr_unix_file_meta
+ * @{ @ingroup tcg_attr
  */
 
 #ifndef TCG_PTS_ATTR_UNIX_FILE_META_H_
@@ -38,19 +38,19 @@ struct tcg_pts_attr_file_meta_t {
 	 * Public PA-TNC attribute interface
 	 */
 	pa_tnc_attr_t pa_tnc_attribute;
-	
+
 	/**
 	 * Get PTS File Metadata
 	 *
 	 * @return					PTS File Metadata
 	 */
 	pts_file_meta_t* (*get_metadata)(tcg_pts_attr_file_meta_t *this);
-	
+
 };
 
 /**
  * Creates an tcg_pts_attr_file_meta_t object
- * 
+ *
  * @param metadata			PTS File Metadata
  */
 pa_tnc_attr_t* tcg_pts_attr_unix_file_meta_create(pts_file_meta_t *metadata);
diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am
new file mode 100644
index 000000000..225d0e48f
--- /dev/null
+++ b/src/libpttls/Makefile.am
@@ -0,0 +1,14 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+	pt_tls_client.c pt_tls_client.h \
+	pt_tls_server.c pt_tls_server.h \
+	pt_tls_dispatcher.c pt_tls_dispatcher.h \
+	sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+	sasl/sasl_mechanism.c sasl/sasl_mechanism.h
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
new file mode 100644
index 000000000..21acb7889
--- /dev/null
+++ b/src/libpttls/Makefile.in
@@ -0,0 +1,687 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libpttls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+libpttls_la_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la
+am_libpttls_la_OBJECTS = pt_tls.lo pt_tls_client.lo pt_tls_server.lo \
+	pt_tls_dispatcher.lo sasl_plain.lo sasl_mechanism.lo
+libpttls_la_OBJECTS = $(am_libpttls_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libpttls_la_SOURCES)
+DIST_SOURCES = $(libpttls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+	pt_tls_client.c pt_tls_client.h \
+	pt_tls_server.c pt_tls_server.h \
+	pt_tls_dispatcher.c pt_tls_dispatcher.h \
+	sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+	sasl/sasl_mechanism.c sasl/sasl_mechanism.h
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libpttls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libpttls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
+	}
+
+uninstall-ipseclibLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \
+	done
+
+clean-ipseclibLTLIBRARIES:
+	-test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
+	@list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libpttls.la: $(libpttls_la_OBJECTS) $(libpttls_la_DEPENDENCIES) $(EXTRA_libpttls_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_client.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_dispatcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_server.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_mechanism.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_plain.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+sasl_plain.lo: sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+
+sasl_mechanism.lo: sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipseclibLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipseclibLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipseclibLTLIBRARIES clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipseclibLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libpttls/pt_tls.c b/src/libpttls/pt_tls.c
new file mode 100644
index 000000000..0fee343b8
--- /dev/null
+++ b/src/libpttls/pt_tls.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls.h"
+
+#include <utils/debug.h>
+
+/*
+ * PT-TNC Message format:
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Reserved   |           Message Type Vendor ID              |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                          Message Type                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Message Length                        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                       Message Identifier                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                Message Value (e.g. PB-TNC Batch) . . .        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Read a chunk of data from TLS, returning a reader for it
+ */
+static bio_reader_t* read_tls(tls_socket_t *tls, size_t len)
+{
+	ssize_t got, total = 0;
+	char *buf;
+
+	buf = malloc(len);
+	while (total < len)
+	{
+		got = tls->read(tls, buf + total, len - total, TRUE);
+		if (got <= 0)
+		{
+			free(buf);
+			return NULL;
+		}
+		total += got;
+	}
+	return bio_reader_create_own(chunk_create(buf, len));
+}
+
+/**
+ * Read a PT-TLS message, return header data
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+						  u_int32_t *type, u_int32_t *identifier)
+{
+	bio_reader_t *reader;
+	u_int32_t len;
+	u_int8_t reserved;
+
+	reader = read_tls(tls, PT_TLS_HEADER_LEN);
+	if (!reader)
+	{
+		return NULL;
+	}
+	if (!reader->read_uint8(reader, &reserved) ||
+		!reader->read_uint24(reader, vendor) ||
+		!reader->read_uint32(reader, type) ||
+		!reader->read_uint32(reader, &len) ||
+		!reader->read_uint32(reader, identifier))
+	{
+		reader->destroy(reader);
+		return NULL;
+	}
+	reader->destroy(reader);
+
+	if (len < PT_TLS_HEADER_LEN)
+	{
+		DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
+		return NULL;
+	}
+	return read_tls(tls, len - PT_TLS_HEADER_LEN);
+}
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+				  pt_tls_message_type_t type, u_int32_t identifier)
+{
+	bio_writer_t *header;
+	ssize_t len;
+	chunk_t data;
+
+	data =  writer->get_buf(writer);
+	len = PT_TLS_HEADER_LEN + data.len;
+	header = bio_writer_create(len);
+	header->write_uint8(header, 0);
+	header->write_uint24(header, 0);
+	header->write_uint32(header, type);
+	header->write_uint32(header, len);
+	header->write_uint32(header, identifier);
+
+	header->write_data(header, data);
+	writer->destroy(writer);
+
+	data = header->get_buf(header);
+	len = tls->write(tls, data.ptr, data.len);
+	header->destroy(header);
+
+	return len == data.len;
+}
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
new file mode 100644
index 000000000..92a040f3f
--- /dev/null
+++ b/src/libpttls/pt_tls.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls libpttls
+ *
+ * @addtogroup pt_tls
+ * @{
+ */
+
+#ifndef PT_TLS_H_
+#define PT_TLS_H_
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <tls_socket.h>
+
+/**
+ * PT-TLS version we support
+ */
+#define PT_TLS_VERSION 1
+
+/**
+ * Length of a PT-TLS header
+ */
+#define PT_TLS_HEADER_LEN 16
+
+typedef enum pt_tls_message_type_t pt_tls_message_type_t;
+typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
+typedef enum pt_tls_auth_t pt_tls_auth_t;
+
+/**
+ * Message types, as defined by NEA PT-TLS
+ */
+enum pt_tls_message_type_t {
+	PT_TLS_EXPERIMENTAL = 0,
+	PT_TLS_VERSION_REQUEST = 1,
+	PT_TLS_VERSION_RESPONSE = 2,
+	PT_TLS_SASL_MECHS = 3,
+	PT_TLS_SASL_MECH_SELECTION = 4,
+	PT_TLS_SASL_AUTH_DATA = 5,
+	PT_TLS_SASL_RESULT = 6,
+	PT_TLS_PB_TNC_BATCH = 7,
+	PT_TLS_ERROR = 8,
+};
+
+/**
+ * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
+ */
+enum pt_tls_sasl_result_t {
+	PT_TLS_SASL_RESULT_SUCCESS = 0,
+	PT_TLS_SASL_RESULT_FAILURE = 1,
+	PT_TLS_SASL_RESULT_ABORT = 2,
+	PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
+};
+
+/**
+ * Client authentication to require as PT-TLS server.
+ */
+enum pt_tls_auth_t {
+	/** don't require TLS client certificate or request SASL authentication */
+	PT_TLS_AUTH_NONE,
+	/** require TLS certificate authentication, no SASL */
+	PT_TLS_AUTH_TLS,
+	/** do SASL regardless of TLS certificate authentication */
+	PT_TLS_AUTH_SASL,
+	/* if client does not authenticate with a TLS certificate, request SASL */
+	PT_TLS_AUTH_TLS_OR_SASL,
+	/* require both, TLS certificate authentication and SASL */
+	PT_TLS_AUTH_TLS_AND_SASL,
+};
+
+/**
+ * Read a PT-TLS message, create reader over Message Value.
+ *
+ * @param tls			TLS socket to read from
+ * @param vendor		receives Message Type Vendor ID from header
+ * @param type			receives Message Type from header
+ * @param identifier	receives Message Identifer
+ * @return				reader over message value, NULL on error
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+						  u_int32_t *type, u_int32_t *identifier);
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer.
+ *
+ * @param tls			TLS socket to write to
+ * @param writer		prepared Message value to write
+ * @param type			Message Type to write
+ * @param identifier	Message Identifier to write
+ * @return				TRUE if data written successfully
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+				  pt_tls_message_type_t type, u_int32_t identifier);
+
+#endif /** PT_TLS_H_ @}*/
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
new file mode 100644
index 000000000..d3ac936a2
--- /dev/null
+++ b/src/libpttls/pt_tls_client.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_client.h"
+#include "pt_tls.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <tls_socket.h>
+#include <utils/debug.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_client_t private_pt_tls_client_t;
+
+/**
+ * Private data of an pt_tls_client_t object.
+ */
+struct private_pt_tls_client_t {
+
+	/**
+	 * Public pt_tls_client_t interface.
+	 */
+	pt_tls_client_t public;
+
+	/**
+	 * TLS secured socket used by PT-TLS
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * Server address/port
+	 */
+	host_t *address;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client authentication identity
+	 */
+	identification_t *client;
+
+	/**
+	 * Current PT-TLS message identifier
+	 */
+	u_int32_t identifier;
+};
+
+/**
+ * Establish TLS secured TCP connection to TNC server
+ */
+static bool make_connection(private_pt_tls_client_t *this)
+{
+	int fd;
+
+	fd = socket(this->address->get_family(this->address), SOCK_STREAM, 0);
+	if (fd == -1)
+	{
+		DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (connect(fd, this->address->get_sockaddr(this->address),
+				*this->address->get_sockaddr_len(this->address)) == -1)
+	{
+		DBG1(DBG_TNC, "connecting to PT-TLS server failed: %s", strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+
+	this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL);
+	if (!this->tls)
+	{
+		close(fd);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_client_t *this)
+{
+	bio_writer_t *writer;
+	bio_reader_t *reader;
+	u_int32_t type, vendor, identifier, reserved;
+	u_int8_t version;
+
+	DBG1(DBG_TNC, "sending offer for PT-TLS version %d", PT_TLS_VERSION);
+
+	writer = bio_writer_create(4);
+	writer->write_uint8(writer, 0);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	if (!pt_tls_write(this->tls, writer, PT_TLS_VERSION_REQUEST,
+					  this->identifier++))
+	{
+		return FALSE;
+	}
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FALSE;
+	}
+	if (vendor != 0 || type != PT_TLS_VERSION_RESPONSE ||
+		!reader->read_uint24(reader, &reserved) ||
+		!reader->read_uint8(reader, &version) ||
+		version != PT_TLS_VERSION)
+	{
+		DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+		reader->destroy(reader);
+		return FALSE;
+	}
+	reader->destroy(reader);
+	return TRUE;
+}
+
+/**
+ * Run a SASL mechanism
+ */
+static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
+{
+	u_int32_t type, vendor, identifier;
+	u_int8_t result;
+	bio_reader_t *reader;
+	bio_writer_t *writer;
+	chunk_t data;
+
+	writer = bio_writer_create(32);
+	writer->write_data8(writer, chunk_from_str(sasl->get_name(sasl)));
+	switch (sasl->build(sasl, &data))
+	{
+		case INVALID_STATE:
+			break;
+		case NEED_MORE:
+			writer->write_data(writer, data);
+			free(data.ptr);
+			break;
+		case SUCCESS:
+			/* shouldn't happen */
+			free(data.ptr);
+			/* FALL */
+		case FAILED:
+		default:
+			writer->destroy(writer);
+			return FAILED;
+	}
+	if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_MECH_SELECTION,
+					  this->identifier++))
+	{
+		return FAILED;
+	}
+	while (TRUE)
+	{
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FAILED;
+		}
+		if (vendor != 0)
+		{
+			reader->destroy(reader);
+			return FAILED;
+		}
+		switch (type)
+		{
+			case PT_TLS_SASL_AUTH_DATA:
+				switch (sasl->process(sasl, reader->peek(reader)))
+				{
+					case NEED_MORE:
+						reader->destroy(reader);
+						break;
+					case SUCCESS:
+						/* should not happen, as it would come in a RESULT */
+					case FAILED:
+					default:
+						reader->destroy(reader);
+						return FAILED;
+				}
+				break;
+			case PT_TLS_SASL_RESULT:
+				if (!reader->read_uint8(reader, &result))
+				{
+					reader->destroy(reader);
+					return FAILED;
+				}
+				switch (result)
+				{
+					case PT_TLS_SASL_RESULT_ABORT:
+						DBG1(DBG_TNC, "received SASL abort result");
+						reader->destroy(reader);
+						return FAILED;
+					case PT_TLS_SASL_RESULT_SUCCESS:
+						DBG1(DBG_TNC, "received SASL success result");
+						switch (sasl->process(sasl, reader->peek(reader)))
+						{
+							case SUCCESS:
+								reader->destroy(reader);
+								return SUCCESS;
+							case NEED_MORE:
+								/* inacceptable, it won't get more. FALL */
+							case FAILED:
+							default:
+								reader->destroy(reader);
+								return FAILED;
+						}
+						break;
+					case PT_TLS_SASL_RESULT_MECH_FAILURE:
+					case PT_TLS_SASL_RESULT_FAILURE:
+						DBG1(DBG_TNC, "received SASL failure result");
+						/* non-fatal failure, try again */
+						reader->destroy(reader);
+						return NEED_MORE;
+				}
+				/* fall-through */
+			default:
+				reader->destroy(reader);
+				return FAILED;
+		}
+
+		writer = bio_writer_create(32);
+		switch (sasl->build(sasl, &data))
+		{
+			case INVALID_STATE:
+				break;
+			case SUCCESS:
+				/* shoudln't happen, continue until we get a result */
+			case NEED_MORE:
+				writer->write_data(writer, data);
+				free(data.ptr);
+				break;
+			case FAILED:
+			default:
+				writer->destroy(writer);
+				return FAILED;
+		}
+		if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+						  this->identifier++))
+		{
+			return FAILED;
+		}
+	}
+}
+
+/**
+ * Read SASL mechanism list, select and run mechanism
+ */
+static status_t select_and_do_sasl(private_pt_tls_client_t *this)
+{
+	bio_reader_t *reader;
+	sasl_mechanism_t *sasl = NULL;
+	u_int32_t type, vendor, identifier;
+	u_int8_t len;
+	chunk_t chunk;
+	char buf[21];
+	status_t status = NEED_MORE;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_MECHS)
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	if (!reader->remaining(reader))
+	{	/* mechanism list empty, SASL completed */
+		DBG1(DBG_TNC, "PT-TLS authentication complete");
+		reader->destroy(reader);
+		return SUCCESS;
+	}
+	while (reader->remaining(reader))
+	{
+		if (!reader->read_uint8(reader, &len) ||
+			!reader->read_data(reader, len & 0x1F, &chunk))
+		{
+			reader->destroy(reader);
+			return FAILED;
+		}
+		snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+		sasl = sasl_mechanism_create(buf, this->client);
+		if (sasl)
+		{
+			break;
+		}
+	}
+	reader->destroy(reader);
+
+	if (!sasl)
+	{
+		/* TODO: send PT-TLS error (5) */
+		return FAILED;
+	}
+	while (status == NEED_MORE)
+	{
+		status = do_sasl(this, sasl);
+	}
+	sasl->destroy(sasl);
+	if (status == SUCCESS)
+	{	/* continue until we receive empty SASL mechanism list */
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+/**
+ * Authenticate session using SASL
+ */
+static bool authenticate(private_pt_tls_client_t *this)
+{
+	while (TRUE)
+	{
+		switch (select_and_do_sasl(this))
+		{
+			case NEED_MORE:
+				continue;
+			case SUCCESS:
+				return TRUE;
+			case FAILED:
+			default:
+				return FALSE;
+		}
+	}
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_client_t *this, tls_t *tnccs)
+{
+	while (TRUE)
+	{
+		bio_writer_t *writer;
+		bio_reader_t *reader;
+		u_int32_t vendor, type, identifier;
+		chunk_t data;
+
+		writer = bio_writer_create(32);
+		while (TRUE)
+		{
+			char buf[2048];
+			size_t buflen, msglen;
+
+			buflen = sizeof(buf);
+			switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+			{
+				case SUCCESS:
+					writer->destroy(writer);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					writer->destroy(writer);
+					return FALSE;
+				case INVALID_STATE:
+					writer->destroy(writer);
+					break;
+				case NEED_MORE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					continue;
+				case ALREADY_DONE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+									  this->identifier++))
+					{
+						return FALSE;
+					}
+					writer = bio_writer_create(32);
+					continue;
+			}
+			break;
+		}
+
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FALSE;
+		}
+		if (vendor == 0)
+		{
+			if (type == PT_TLS_ERROR)
+			{
+				DBG1(DBG_TNC, "received PT-TLS error");
+				reader->destroy(reader);
+				return FALSE;
+			}
+			if (type != PT_TLS_PB_TNC_BATCH)
+			{
+				DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+				reader->destroy(reader);
+				return FALSE;
+			}
+			data = reader->peek(reader);
+			switch (tnccs->process(tnccs, data.ptr, data.len))
+			{
+				case SUCCESS:
+					reader->destroy(reader);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					reader->destroy(reader);
+					return FALSE;
+				case NEED_MORE:
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+		}
+		reader->destroy(reader);
+	}
+}
+
+METHOD(pt_tls_client_t, run_assessment, status_t,
+	private_pt_tls_client_t *this, tnccs_t *tnccs)
+{
+	if (!this->tls)
+	{
+		if (!make_connection(this))
+		{
+			return FAILED;
+		}
+	}
+	if (!negotiate_version(this))
+	{
+		return FAILED;
+	}
+	if (!authenticate(this))
+	{
+		return FAILED;
+	}
+	if (!assess(this, (tls_t*)tnccs))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+
+METHOD(pt_tls_client_t, destroy, void,
+	private_pt_tls_client_t *this)
+{
+	if (this->tls)
+	{
+		int fd;
+
+		fd = this->tls->get_fd(this->tls);
+		this->tls->destroy(this->tls);
+		close(fd);
+	}
+	this->address->destroy(this->address);
+	this->server->destroy(this->server);
+	this->client->destroy(this->client);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+									  identification_t *client)
+{
+	private_pt_tls_client_t *this;
+
+	INIT(this,
+		.public = {
+			.run_assessment = _run_assessment,
+			.destroy = _destroy,
+		},
+		.address = address,
+		.server = server,
+		.client = client,
+	);
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_client.h b/src/libpttls/pt_tls_client.h
new file mode 100644
index 000000000..1d418d181
--- /dev/null
+++ b/src/libpttls/pt_tls_client.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_client pt_tls_client
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_CLIENT_H_
+#define PT_TLS_CLIENT_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+typedef struct pt_tls_client_t pt_tls_client_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport client.
+ */
+struct pt_tls_client_t {
+
+	/**
+	 * Perform an assessment.
+	 *
+	 * @param tnccs		upper layer TNC client used for assessment
+	 * @return			status of assessment
+	 */
+	status_t (*run_assessment)(pt_tls_client_t *this, tnccs_t *tnccs);
+
+	/**
+	 * Destroy a pt_tls_client_t.
+	 */
+	void (*destroy)(pt_tls_client_t *this);
+};
+
+/**
+ * Create a pt_tls_client instance.
+ *
+ * The client identity is used for:
+ * - TLS authentication if an appropirate certificate is found
+ * - SASL authentication if requested from the server
+ *
+ * @param address		address/port to run assessments against, gets owned
+ * @param server		server identity to use for authentication, gets owned
+ * @param client		client identity to use for authentication, gets owned
+ * @return				PT-TLS context
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+									  identification_t *client);
+
+#endif /** PT_TLS_CLIENT_H_ @}*/
diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
new file mode 100644
index 000000000..469951616
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_dispatcher.h"
+#include "pt_tls_server.h"
+
+#include <threading/thread.h>
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_dispatcher_t private_pt_tls_dispatcher_t;
+
+/**
+ * Private data of an pt_tls_dispatcher_t object.
+ */
+struct private_pt_tls_dispatcher_t {
+
+	/**
+	 * Public pt_tls_dispatcher_t interface.
+	 */
+	pt_tls_dispatcher_t public;
+
+	/**
+	 * Listening socket
+	 */
+	int fd;
+
+	/**
+	 * Client authentication requirements
+	 */
+	pt_tls_auth_t auth;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * TNCCS protocol handler constructor
+	 */
+	pt_tls_tnccs_constructor_t *create;
+};
+
+/**
+ * Open listening server socket
+ */
+static bool open_socket(private_pt_tls_dispatcher_t *this, host_t *host)
+{
+	this->fd = socket(AF_INET, SOCK_STREAM, 0);
+	if (this->fd == -1)
+	{
+		DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (bind(this->fd, host->get_sockaddr(host),
+			 *host->get_sockaddr_len(host)) == -1)
+	{
+		DBG1(DBG_TNC, "binding to PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (listen(this->fd, 5) == -1)
+	{
+		DBG1(DBG_TNC, "listen on PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Handle a single PT-TLS client connection
+ */
+static job_requeue_t handle(pt_tls_server_t *connection)
+{
+	while (TRUE)
+	{
+		switch (connection->handle(connection))
+		{
+			case NEED_MORE:
+				continue;
+			case FAILED:
+			case SUCCESS:
+			default:
+				break;
+		}
+		break;
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Clean up connection state
+ */
+static void cleanup(pt_tls_server_t *connection)
+{
+	int fd;
+
+	fd = connection->get_fd(connection);
+	connection->destroy(connection);
+	close(fd);
+}
+
+METHOD(pt_tls_dispatcher_t, dispatch, void,
+	private_pt_tls_dispatcher_t *this,
+	pt_tls_tnccs_constructor_t *create)
+{
+	while (TRUE)
+	{
+		pt_tls_server_t *connection;
+		tnccs_t *tnccs;
+		bool old;
+		int fd;
+
+		old = thread_cancelability(TRUE);
+		fd = accept(this->fd, NULL, NULL);
+		thread_cancelability(old);
+		if (fd == -1)
+		{
+			DBG1(DBG_TNC, "accepting PT-TLS failed: %s", strerror(errno));
+			continue;
+		}
+
+		tnccs = create(this->server, this->peer);
+		if (!tnccs)
+		{
+			close(fd);
+			continue;
+		}
+		connection = pt_tls_server_create(this->server, fd, this->auth, tnccs);
+		if (!connection)
+		{
+			close(fd);
+			continue;
+		}
+		lib->processor->queue_job(lib->processor,
+				(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+										connection, (void*)cleanup,
+										(callback_job_cancel_t)return_false,
+										JOB_PRIO_CRITICAL));
+	}
+}
+
+METHOD(pt_tls_dispatcher_t, destroy, void,
+	private_pt_tls_dispatcher_t *this)
+{
+	if (this->fd != -1)
+	{
+		close(this->fd);
+	}
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+									identification_t *id, pt_tls_auth_t auth)
+{
+	private_pt_tls_dispatcher_t *this;
+
+	INIT(this,
+		.public = {
+			.dispatch = _dispatch,
+			.destroy = _destroy,
+		},
+		.server = id,
+		/* we currently don't authenticate the peer, use %any identity */
+		.peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+		.fd = -1,
+		.auth = auth,
+	);
+
+	if (!open_socket(this, address))
+	{
+		address->destroy(address);
+		destroy(this);
+		return NULL;
+	}
+	address->destroy(address);
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_dispatcher.h b/src/libpttls/pt_tls_dispatcher.h
new file mode 100644
index 000000000..080197263
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_dispatcher pt_tls_dispatcher
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_DISPATCHER_H_
+#define PT_TLS_DISPATCHER_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_dispatcher_t pt_tls_dispatcher_t;
+
+/**
+ * Constructor callback to create TNCCS to use within PT-TLS.
+ *
+ * @param server			server identity
+ * @param peer				peer identity
+ */
+typedef tnccs_t* (pt_tls_tnccs_constructor_t)(identification_t *server,
+											  identification_t *peer);
+
+/**
+ * PT-TLS dispatcher service, handles PT-TLS connections as a server.
+ */
+struct pt_tls_dispatcher_t {
+
+	/**
+	 * Dispatch and handle PT-TLS connections.
+	 *
+	 * This call is blocking and a thread cancellation point. The passed
+	 * constructor gets called for each dispatched connection.
+	 *
+	 * @param create		TNCCS constructor function to use
+	 */
+	void (*dispatch)(pt_tls_dispatcher_t *this,
+					 pt_tls_tnccs_constructor_t *create);
+
+	/**
+	 * Destroy a pt_tls_dispatcher_t.
+	 */
+	void (*destroy)(pt_tls_dispatcher_t *this);
+};
+
+/**
+ * Create a pt_tls_dispatcher instance.
+ *
+ * @param address		server address with port to listen on, gets owned
+ * @param id			TLS server identity, gets owned
+ * @param auth			client authentication to perform
+ * @return				dispatcher service
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+									identification_t *id, pt_tls_auth_t auth);
+
+#endif /** PT_TLS_DISPATCHER_H_ @}*/
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
new file mode 100644
index 000000000..3e134f0dd
--- /dev/null
+++ b/src/libpttls/pt_tls_server.c
@@ -0,0 +1,544 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_server.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <utils/debug.h>
+
+typedef struct private_pt_tls_server_t private_pt_tls_server_t;
+
+/**
+ * Private data of an pt_tls_server_t object.
+ */
+struct private_pt_tls_server_t {
+
+	/**
+	 * Public pt_tls_server_t interface.
+	 */
+	pt_tls_server_t public;
+
+	/**
+	 * TLS protected socket
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * Client authentication requirements
+	 */
+	pt_tls_auth_t auth;
+
+	enum {
+		/* expecting version negotiation */
+		PT_TLS_SERVER_VERSION,
+		/* expecting an SASL exchange */
+		PT_TLS_SERVER_AUTH,
+		/* expecting TNCCS exchange */
+		PT_TLS_SERVER_TNCCS,
+		/* terminating state */
+		PT_TLS_SERVER_END,
+	} state;
+
+	/**
+	 * Message Identifier
+	 */
+	u_int32_t identifier;
+
+	/**
+	 * TNCCS protocol handler, implemented as tls_t
+	 */
+	tls_t *tnccs;
+};
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_server_t *this)
+{
+	bio_reader_t *reader;
+	bio_writer_t *writer;
+	u_int32_t vendor, type, identifier;
+	u_int8_t reserved, vmin, vmax, vpref;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FALSE;
+	}
+	if (vendor != 0 || type != PT_TLS_VERSION_REQUEST ||
+		!reader->read_uint8(reader, &reserved) ||
+		!reader->read_uint8(reader, &vmin) ||
+		!reader->read_uint8(reader, &vmax) ||
+		!reader->read_uint8(reader, &vpref))
+	{
+		DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+		reader->destroy(reader);
+		return FALSE;
+	}
+	reader->destroy(reader);
+
+	if (vmin > PT_TLS_VERSION || vmax < PT_TLS_VERSION)
+	{
+		/* TODO: send error */
+		return FALSE;
+	}
+
+	writer = bio_writer_create(4);
+	writer->write_uint24(writer, 0);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+
+	return pt_tls_write(this->tls, writer, PT_TLS_VERSION_RESPONSE,
+						this->identifier++);
+}
+
+/**
+ * Process SASL data, send result
+ */
+static status_t process_sasl(private_pt_tls_server_t *this,
+							 sasl_mechanism_t *sasl, chunk_t data)
+{
+	bio_writer_t *writer;
+
+	switch (sasl->process(sasl, data))
+	{
+		case NEED_MORE:
+			return NEED_MORE;
+		case SUCCESS:
+			DBG1(DBG_TNC, "SASL %s authentication successful",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+							 this->identifier++))
+			{
+				return SUCCESS;
+			}
+			return FAILED;
+		case FAILED:
+		default:
+			DBG1(DBG_TNC, "SASL %s authentication failed",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			/* sending abort does not allow the client to retry */
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+			pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+						 this->identifier++);
+			return FAILED;
+	}
+}
+
+/**
+ * Read a SASL message and process it
+ */
+static status_t read_sasl(private_pt_tls_server_t *this,
+						  sasl_mechanism_t *sasl)
+{
+	u_int32_t vendor, type, identifier;
+	bio_reader_t *reader;
+	status_t status;
+	chunk_t data;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_AUTH_DATA ||
+		!reader->read_data(reader, reader->remaining(reader), &data))
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	status = process_sasl(this, sasl, data);
+	reader->destroy(reader);
+	return status;
+}
+
+/**
+ * Build and write SASL message, or result message
+ */
+static status_t write_sasl(private_pt_tls_server_t *this,
+						   sasl_mechanism_t *sasl)
+{
+	bio_writer_t *writer;
+	chunk_t chunk;
+
+	switch (sasl->build(sasl, &chunk))
+	{
+		case NEED_MORE:
+			writer = bio_writer_create(chunk.len);
+			writer->write_data(writer, chunk);
+			free(chunk.ptr);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+							 this->identifier++))
+			{
+				return NEED_MORE;
+			}
+			return FAILED;
+		case SUCCESS:
+			DBG1(DBG_TNC, "SASL %s authentication successful",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1 + chunk.len);
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+			writer->write_data(writer, chunk);
+			free(chunk.ptr);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+							 this->identifier++))
+			{
+				return SUCCESS;
+			}
+			return FAILED;
+		case FAILED:
+		default:
+			DBG1(DBG_TNC, "SASL %s authentication failed",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			/* sending abort does not allow the client to retry */
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+			pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+						 this->identifier++);
+			return FAILED;
+	}
+}
+
+/**
+ * Send the list of supported SASL mechanisms
+ */
+static bool send_sasl_mechs(private_pt_tls_server_t *this)
+{
+	enumerator_t *enumerator;
+	bio_writer_t *writer = NULL;
+	char *name;
+
+	enumerator = sasl_mechanism_create_enumerator(TRUE);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		if (!writer)
+		{
+			writer = bio_writer_create(32);
+		}
+		DBG1(DBG_TNC, "offering SASL %s", name);
+		writer->write_data8(writer, chunk_from_str(name));
+	}
+	enumerator->destroy(enumerator);
+
+	if (!writer)
+	{	/* no mechanisms available? */
+		return FALSE;
+	}
+	return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+						this->identifier++);
+}
+
+/**
+ * Read the selected SASL mechanism, and process piggybacked data
+ */
+static status_t read_sasl_mech_selection(private_pt_tls_server_t *this,
+										 sasl_mechanism_t **out)
+{
+	u_int32_t vendor, type, identifier;
+	sasl_mechanism_t *sasl;
+	bio_reader_t *reader;
+	chunk_t chunk;
+	u_int8_t len;
+	char buf[21];
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_MECH_SELECTION ||
+		!reader->read_uint8(reader, &len) ||
+		!reader->read_data(reader, len & 0x1F, &chunk))
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+
+	DBG1(DBG_TNC, "client starts SASL %s authentication", buf);
+
+	sasl = sasl_mechanism_create(buf, NULL);
+	if (!sasl)
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	/* initial SASL data piggybacked? */
+	if (reader->remaining(reader))
+	{
+		switch (process_sasl(this, sasl, reader->peek(reader)))
+		{
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				reader->destroy(reader);
+				*out = sasl;
+				return SUCCESS;
+			case FAILED:
+			default:
+				reader->destroy(reader);
+				sasl->destroy(sasl);
+				return FAILED;
+		}
+	}
+	reader->destroy(reader);
+	*out = sasl;
+	return NEED_MORE;
+}
+
+/**
+ * Do a single SASL exchange
+ */
+static bool do_sasl(private_pt_tls_server_t *this)
+{
+	sasl_mechanism_t *sasl;
+	status_t status;
+
+	switch (this->auth)
+	{
+		case PT_TLS_AUTH_NONE:
+			return TRUE;
+		case PT_TLS_AUTH_TLS:
+			if (this->tls->get_peer_id(this->tls))
+			{
+				return TRUE;
+			}
+			DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+			return FALSE;
+		case PT_TLS_AUTH_SASL:
+			break;
+		case PT_TLS_AUTH_TLS_OR_SASL:
+			if (this->tls->get_peer_id(this->tls))
+			{
+				DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS "
+					 "certificate");
+				return TRUE;
+			}
+			break;
+		case PT_TLS_AUTH_TLS_AND_SASL:
+		default:
+			if (!this->tls->get_peer_id(this->tls))
+			{
+				DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+				return FALSE;
+			}
+			break;
+	}
+
+	if (!send_sasl_mechs(this))
+	{
+		return FALSE;
+	}
+	status = read_sasl_mech_selection(this, &sasl);
+	if (status == FAILED)
+	{
+		return FALSE;
+	}
+	while (status == NEED_MORE)
+	{
+		status = write_sasl(this, sasl);
+		if (status == NEED_MORE)
+		{
+			status = read_sasl(this, sasl);
+		}
+	}
+	sasl->destroy(sasl);
+	return status == SUCCESS;
+}
+
+/**
+ * Authenticated PT-TLS session with a single SASL method
+ */
+static bool authenticate(private_pt_tls_server_t *this)
+{
+	if (do_sasl(this))
+	{
+		/* complete SASL with emtpy mechanism list */
+		bio_writer_t *writer;
+
+		writer = bio_writer_create(0);
+		return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+							this->identifier++);
+	}
+	return FALSE;
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_server_t *this, tls_t *tnccs)
+{
+	while (TRUE)
+	{
+		bio_writer_t *writer;
+		bio_reader_t *reader;
+		u_int32_t vendor, type, identifier;
+		chunk_t data;
+
+		writer = bio_writer_create(32);
+		while (TRUE)
+		{
+			char buf[2048];
+			size_t buflen, msglen;
+
+			buflen = sizeof(buf);
+			switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+			{
+				case SUCCESS:
+					writer->destroy(writer);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					writer->destroy(writer);
+					return FALSE;
+				case INVALID_STATE:
+					writer->destroy(writer);
+					break;
+				case NEED_MORE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					continue;
+				case ALREADY_DONE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+									  this->identifier++))
+					{
+						return FALSE;
+					}
+					writer = bio_writer_create(32);
+					continue;
+			}
+			break;
+		}
+
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FALSE;
+		}
+		if (vendor == 0)
+		{
+			if (type == PT_TLS_ERROR)
+			{
+				DBG1(DBG_TNC, "received PT-TLS error");
+				reader->destroy(reader);
+				return FALSE;
+			}
+			if (type != PT_TLS_PB_TNC_BATCH)
+			{
+				DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+				reader->destroy(reader);
+				return FALSE;
+			}
+			data = reader->peek(reader);
+			switch (tnccs->process(tnccs, data.ptr, data.len))
+			{
+				case SUCCESS:
+					reader->destroy(reader);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					reader->destroy(reader);
+					return FALSE;
+				case NEED_MORE:
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+		}
+		reader->destroy(reader);
+	}
+}
+
+METHOD(pt_tls_server_t, handle, status_t,
+	private_pt_tls_server_t *this)
+{
+	switch (this->state)
+	{
+		case PT_TLS_SERVER_VERSION:
+			if (!negotiate_version(this))
+			{
+				return FAILED;
+			}
+			DBG1(DBG_TNC, "negotiated PT-TLS version %d", PT_TLS_VERSION);
+			this->state = PT_TLS_SERVER_AUTH;
+			break;
+		case PT_TLS_SERVER_AUTH:
+			if (!authenticate(this))
+			{
+				return FAILED;
+			}
+			this->state = PT_TLS_SERVER_TNCCS;
+			break;
+		case PT_TLS_SERVER_TNCCS:
+			if (!assess(this, (tls_t*)this->tnccs))
+			{
+				return FAILED;
+			}
+			this->state = PT_TLS_SERVER_END;
+			return SUCCESS;
+		default:
+			return FAILED;
+	}
+	return NEED_MORE;
+}
+
+METHOD(pt_tls_server_t, get_fd, int,
+	private_pt_tls_server_t *this)
+{
+	return this->tls->get_fd(this->tls);
+}
+
+METHOD(pt_tls_server_t, destroy, void,
+	private_pt_tls_server_t *this)
+{
+	this->tnccs->destroy(this->tnccs);
+	this->tls->destroy(this->tls);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+									  pt_tls_auth_t auth, tnccs_t *tnccs)
+{
+	private_pt_tls_server_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.get_fd = _get_fd,
+			.destroy = _destroy,
+		},
+		.state = PT_TLS_SERVER_VERSION,
+		.tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
+		.tnccs = (tls_t*)tnccs,
+		.auth = auth,
+	);
+
+	if (!this->tls)
+	{
+		this->tnccs->destroy(this->tnccs);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_server.h b/src/libpttls/pt_tls_server.h
new file mode 100644
index 000000000..3e18aee8f
--- /dev/null
+++ b/src/libpttls/pt_tls_server.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_server pt_tls_server
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_SERVER_H_
+#define PT_TLS_SERVER_H_
+
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_server_t pt_tls_server_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport server.
+ */
+struct pt_tls_server_t {
+
+	/**
+	 * Handle assessment data read from socket.
+	 *
+	 * @return
+	 *						- NEED_MORE if more exchanges required,
+	 *						- SUCCESS if assessment complete
+	 *						- FAILED if assessment failed
+	 */
+	status_t (*handle)(pt_tls_server_t *this);
+
+	/**
+	 * Get the underlying client connection socket.
+	 *
+	 * @return			socket fd, suitable to select()
+	 */
+	int (*get_fd)(pt_tls_server_t *this);
+
+	/**
+	 * Destroy a pt_tls_server_t.
+	 */
+	void (*destroy)(pt_tls_server_t *this);
+};
+
+/**
+ * Create a pt_tls_server connection instance.
+ *
+ * @param server	TLS server identity
+ * @param fd		client connection socket
+ * @param auth		client authentication requirements
+ * @param tnccs		inner TNCCS protocol handler to use for this connection
+ * @return			PT-TLS server
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+									  pt_tls_auth_t auth, tnccs_t *tnccs);
+
+#endif /** PT_TLS_SERVER_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_mechanism.c b/src/libpttls/sasl/sasl_mechanism.c
new file mode 100644
index 000000000..05a02e56d
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_mechanism.h"
+
+#include "sasl_plain/sasl_plain.h"
+
+/**
+ * Available SASL mechanisms.
+ */
+static struct {
+	char *name;
+	bool server;
+	sasl_mechanism_constructor_t create;
+} mechs[] = {
+	{ "PLAIN",		TRUE,	(sasl_mechanism_constructor_t)sasl_plain_create	},
+	{ "PLAIN",		FALSE,	(sasl_mechanism_constructor_t)sasl_plain_create	},
+};
+
+/**
+ * See header.
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client)
+{
+	int i;
+
+	for (i = 0; i < countof(mechs); i++)
+	{
+		if (streq(mechs[i].name, name) && mechs[i].server == (client == NULL))
+		{
+			return mechs[i].create(name, client);
+		}
+	}
+	return NULL;
+}
+
+/**
+ * SASL mechanism enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** looking for client or server? */
+	bool server;
+	/** position in mechs[] */
+	int i;
+} mech_enumerator_t;
+
+METHOD(enumerator_t, mech_enumerate, bool,
+	mech_enumerator_t *this, char **name)
+{
+	while (this->i < countof(mechs))
+	{
+		if (mechs[this->i].server == this->server)
+		{
+			*name = mechs[this->i].name;
+			this->i++;
+			return TRUE;
+		}
+		this->i++;
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server)
+{
+	mech_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_mech_enumerate,
+			.destroy = (void*)free,
+		},
+		.server = server,
+	);
+	return &enumerator->public;
+}
diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h
new file mode 100644
index 000000000..fb1d08097
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.h
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl sasl
+ * @ingroup pt_tls
+ *
+ * @defgroup sasl_mechanism sasl_mechanism
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_MECHANISM_H_
+#define SASL_MECHANISM_H_
+
+typedef struct sasl_mechanism_t sasl_mechanism_t;
+
+#include <library.h>
+
+/**
+ * Constructor function for SASL mechansims.
+ *
+ * @param name			name of the requested SASL mechanism
+ * @param client		client identity, NULL to act as server
+ * @return				SASL mechanism, NULL on failure
+ */
+typedef sasl_mechanism_t*(*sasl_mechanism_constructor_t)(char *name,
+													identification_t *client);
+
+/**
+ * Generic interface for SASL mechanisms.
+ */
+struct sasl_mechanism_t {
+
+	/**
+	 * Get the name of this SASL mechanism.
+	 *
+	 * @return			name of SASL mechanism
+	 */
+	char* (*get_name)(sasl_mechanism_t *this);
+
+	/**
+	 * Build a SASL message to send to remote host.
+	 *
+	 * A message is returned if the return value is NEED_MORE or SUCCESS. A
+	 * client MUST NOT return SUCCESS in build(), as the final message
+	 * is always from server to client (even if it is an empty result message).
+	 *
+	 * @param message	receives allocated SASL message, to free
+	 * @return
+	 *					- FAILED if mechanism failed
+	 *					- NEED_MORE if additional exchanges required
+	 *					- INVALID_STATE if currently nothing to build
+	 *					- SUCCESS if mechanism authenticated successfully
+	 */
+	status_t (*build)(sasl_mechanism_t *this, chunk_t *message);
+
+	/**
+	 * Process a SASL message received from remote host.
+	 *
+	 * If a server returns SUCCESS during process(), an empty result message
+	 * is sent to complete the SASL exchange.
+	 *
+	 * @param message	received SASL message to process
+	 * @return
+	 *					- FAILED if mechanism failed
+	 *					- NEED_MORE if additional exchanges required
+	 *					- SUCCESS if mechanism authenticated successfully
+	 */
+	status_t (*process)(sasl_mechanism_t *this, chunk_t message);
+
+	/**
+	 * Destroy a sasl_mechanism_t.
+	 */
+	void (*destroy)(sasl_mechanism_t *this);
+};
+
+/**
+ * Create a sasl_mechanism instance.
+ *
+ * @param name			name of SASL mechanism to create
+ * @param client		client identity, NULL to act as server
+ * @return				SASL mechanism instance, NULL if not found
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client);
+
+/**
+ * Create an enumerator over supported SASL mechanism names.
+ *
+ * @param server		TRUE for server instance, FALSE for client
+ * @return				enumerator over char*
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server);
+
+#endif /** SASL_MECHANISM_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c
new file mode 100644
index 000000000..e8d6dc80b
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_plain.h"
+
+#include <utils/debug.h>
+
+typedef struct private_sasl_plain_t private_sasl_plain_t;
+
+/**
+ * Private data of an sasl_plain_t object.
+ */
+struct private_sasl_plain_t {
+
+	/**
+	 * Public sasl_plain_t interface.
+	 */
+	sasl_plain_t public;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *client;
+};
+
+METHOD(sasl_mechanism_t, get_name, char*,
+	private_sasl_plain_t *this)
+{
+	return "PLAIN";
+}
+
+METHOD(sasl_mechanism_t, build_server, status_t,
+	private_sasl_plain_t *this, chunk_t *message)
+{
+	/* gets never called */
+	return FAILED;
+}
+
+METHOD(sasl_mechanism_t, process_server, status_t,
+	private_sasl_plain_t *this, chunk_t message)
+{
+	chunk_t authz, authi, password;
+	identification_t *id;
+	shared_key_t *shared;
+	u_char *pos;
+
+	pos = memchr(message.ptr, 0, message.len);
+	if (!pos)
+	{
+		DBG1(DBG_CFG, "invalid authz encoding");
+		return FAILED;
+	}
+	authz = chunk_create(message.ptr, pos - message.ptr);
+	message = chunk_skip(message, authz.len + 1);
+	pos = memchr(message.ptr, 0, message.len);
+	if (!pos)
+	{
+		DBG1(DBG_CFG, "invalid authi encoding");
+		return FAILED;
+	}
+	authi = chunk_create(message.ptr, pos - message.ptr);
+	password = chunk_skip(message, authi.len + 1);
+	id = identification_create_from_data(authi);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+	if (!shared)
+	{
+		DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
+		id->destroy(id);
+		return FAILED;
+	}
+	if (!chunk_equals(shared->get_key(shared), password))
+	{
+		DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
+		id->destroy(id);
+		shared->destroy(shared);
+		return FAILED;
+	}
+	id->destroy(id);
+	shared->destroy(shared);
+	return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, build_client, status_t,
+	private_sasl_plain_t *this, chunk_t *message)
+{
+	shared_key_t *shared;
+	chunk_t password;
+	char buf[256];
+	ssize_t len;
+
+	/* we currently use the EAP type of shared secret */
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
+									  this->client, NULL);
+	if (!shared)
+	{
+		DBG1(DBG_CFG, "no shared secret found for %Y", this->client);
+		return FAILED;
+	}
+
+	password = shared->get_key(shared);
+	len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
+				   "", 0, this->client, 0,
+				   (int)password.len, password.ptr);
+	if (len < 0 || len >= sizeof(buf))
+	{
+		return FAILED;
+	}
+	*message = chunk_clone(chunk_create(buf, len));
+	return NEED_MORE;
+}
+
+METHOD(sasl_mechanism_t, process_client, status_t,
+	private_sasl_plain_t *this, chunk_t message)
+{
+	/* if the server sends a result, authentication successful */
+	return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, destroy, void,
+	private_sasl_plain_t *this)
+{
+	DESTROY_IF(this->client);
+	free(this);
+}
+
+/**
+ * See header
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
+{
+	private_sasl_plain_t *this;
+
+	if (!streq(get_name(NULL), name))
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.sasl = {
+				.get_name = _get_name,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	if (client)
+	{
+		this->public.sasl.build = _build_client;
+		this->public.sasl.process = _process_client;
+		this->client = client->clone(client);
+	}
+	else
+	{
+		this->public.sasl.build = _build_server;
+		this->public.sasl.process = _process_server;
+	}
+	return &this->public;
+}
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h
new file mode 100644
index 000000000..08b7fc76f
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_plain sasl_plain
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_PLAIN_H_
+#define SASL_PLAIN_H_
+
+#include <sasl/sasl_mechanism.h>
+
+typedef struct sasl_plain_t sasl_plain_t;
+
+/**
+ * SASL Mechanism implementing PLAIN.
+ */
+struct sasl_plain_t {
+
+	/**
+	 * Implements sasl_mechanism_t
+	 */
+	sasl_mechanism_t sasl;
+};
+
+/**
+ * Create a sasl_plain instance.
+ *
+ * @param name			name of mechanism, must be "PLAIN"
+ * @param client		client identity, NULL to act as server
+ * @return				mechanism implementing PLAIN, NULL on error
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client);
+
+#endif /** SASL_PLAIN_H_ @}*/
diff --git a/src/libradius/Makefile.am b/src/libradius/Makefile.am
index 5672f7b84..91ded23e3 100644
--- a/src/libradius/Makefile.am
+++ b/src/libradius/Makefile.am
@@ -1,5 +1,5 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 ipseclib_LTLIBRARIES = libradius.la
 libradius_la_SOURCES = \
@@ -8,4 +8,3 @@ libradius_la_SOURCES = \
 	radius_client.h radius_client.c \
 	radius_config.h radius_config.c \
 	radius_mppe.h
-
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index bcc38792a..9a530d73d 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,48 +90,82 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libradius_la_LIBADD =
 am_libradius_la_OBJECTS = radius_message.lo radius_socket.lo \
 	radius_client.lo radius_config.lo
 libradius_la_OBJECTS = $(am_libradius_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libradius_la_SOURCES)
 DIST_SOURCES = $(libradius_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -122,13 +174,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -141,6 +196,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -168,11 +224,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -180,6 +238,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -188,8 +247,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -198,14 +255,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -219,17 +281,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -239,16 +301,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -276,7 +337,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
 ipseclib_LTLIBRARIES = libradius.la
 libradius_la_SOURCES = \
 	radius_message.h radius_message.c \
@@ -321,7 +384,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -329,6 +391,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -350,8 +414,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libradius_la_OBJECTS) $(libradius_la_LIBADD) $(LIBS)
+libradius.la: $(libradius_la_OBJECTS) $(libradius_la_DEPENDENCIES) $(EXTRA_libradius_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libradius_la_OBJECTS) $(libradius_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -365,25 +429,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -490,10 +554,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libradius/radius_client.c b/src/libradius/radius_client.c
index acdac78c9..d44c5a2e3 100644
--- a/src/libradius/radius_client.c
+++ b/src/libradius/radius_client.c
@@ -19,9 +19,9 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <debug.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <networking/host.h>
+#include <collections/linked_list.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 
@@ -81,13 +81,10 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg)
 METHOD(radius_client_t, request, radius_message_t*,
 	private_radius_client_t *this, radius_message_t *req)
 {
-	char virtual[] = {0x00,0x00,0x00,0x05};
 	radius_socket_t *socket;
 	radius_message_t *res;
 	chunk_t data;
 
-	/* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
-	req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual)));
 	/* add our NAS-Identifier */
 	req->add(req, RAT_NAS_IDENTIFIER,
 			 this->config->get_nas_identifier(this->config));
diff --git a/src/libradius/radius_config.c b/src/libradius/radius_config.c
index 6e3394bb0..5dbd1d7e0 100644
--- a/src/libradius/radius_config.c
+++ b/src/libradius/radius_config.c
@@ -17,7 +17,7 @@
 
 #include <threading/mutex.h>
 #include <threading/condvar.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_radius_config_t private_radius_config_t;
 
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 17fa7357b..3905a06c7 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -15,7 +15,8 @@
 
 #include "radius_message.h"
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <bio/bio_reader.h>
 #include <crypto/hashers/hasher.h>
 
 typedef struct private_radius_message_t private_radius_message_t;
@@ -64,6 +65,11 @@ struct private_radius_message_t {
 	 * message data, allocated
 	 */
 	rmsg_t *msg;
+
+	/**
+	 * User-Password to encrypt and encode, if any
+	 */
+	chunk_t password;
 };
 
 /**
@@ -271,11 +277,99 @@ METHOD(radius_message_t, create_enumerator, enumerator_t*,
 	return &e->public;
 }
 
+/**
+ * Vendor attribute enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator interface */
+	enumerator_t public;
+	/** inner attribute enumerator */
+	enumerator_t *inner;
+	/** current vendor ID */
+	u_int32_t vendor;
+	/** reader for current vendor ID */
+	bio_reader_t *reader;
+} vendor_enumerator_t;
+
+METHOD(enumerator_t, vendor_enumerate, bool,
+	vendor_enumerator_t *this, int *vendor, int *type, chunk_t *data)
+{
+	chunk_t inner_data;
+	int inner_type;
+	u_int8_t type8, len;
+
+	while (TRUE)
+	{
+		if (this->reader)
+		{
+			if (this->reader->remaining(this->reader) >= 2 &&
+				this->reader->read_uint8(this->reader, &type8) &&
+				this->reader->read_uint8(this->reader, &len) && len >= 2 &&
+				this->reader->read_data(this->reader, len - 2, data))
+			{
+				*vendor = this->vendor;
+				*type = type8;
+				return TRUE;
+			}
+			this->reader->destroy(this->reader);
+			this->reader = NULL;
+		}
+		if (this->inner->enumerate(this->inner, &inner_type, &inner_data))
+		{
+			if (inner_type == RAT_VENDOR_SPECIFIC)
+			{
+				this->reader = bio_reader_create(inner_data);
+				if (!this->reader->read_uint32(this->reader, &this->vendor))
+				{
+					this->reader->destroy(this->reader);
+					this->reader = NULL;
+				}
+			}
+		}
+		else
+		{
+			return FALSE;
+		}
+	}
+}
+METHOD(enumerator_t, vendor_destroy, void,
+	vendor_enumerator_t *this)
+{
+	DESTROY_IF(this->reader);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+METHOD(radius_message_t, create_vendor_enumerator, enumerator_t*,
+	private_radius_message_t *this)
+{
+	vendor_enumerator_t *e;
+
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_vendor_enumerate,
+			.destroy = _vendor_destroy,
+		},
+		.inner = create_enumerator(this),
+	);
+
+	return &e->public;
+}
+
 METHOD(radius_message_t, add, void,
 	private_radius_message_t *this, radius_attribute_type_t type, chunk_t data)
 {
 	rattr_t *attribute;
 
+	if (type == RAT_USER_PASSWORD && !this->password.len)
+	{
+		/* store a null-padded password */
+		this->password = chunk_alloc(round_up(data.len, HASH_SIZE_MD5));
+		memset(this->password.ptr + data.len, 0, this->password.len - data.len);
+		memcpy(this->password.ptr, data.ptr, data.len);
+		return;
+	}
+
 	data.len = min(data.len, MAX_RADIUS_ATTRIBUTE_SIZE);
 	this->msg = realloc(this->msg,
 						ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
@@ -286,14 +380,78 @@ METHOD(radius_message_t, add, void,
 	this->msg->length = htons(ntohs(this->msg->length) + attribute->length);
 }
 
-METHOD(radius_message_t, sign, void,
+METHOD(radius_message_t, crypt, bool,
+	private_radius_message_t *this, chunk_t salt, chunk_t in, chunk_t out,
+	chunk_t secret, hasher_t *hasher)
+{
+	char b[HASH_SIZE_MD5];
+
+	/**
+	 * From RFC2548 (encryption):
+	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
+	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
+	 *      . . .
+	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
+	 *
+	 * P/C = Plain/Crypted => in/out
+	 * S = secret
+	 * R = authenticator
+	 * A = salt
+	 */
+	if (in.len != out.len)
+	{
+		return FALSE;
+	}
+	if (in.len % HASH_SIZE_MD5 || in.len < HASH_SIZE_MD5)
+	{
+		return FALSE;
+	}
+	if (out.ptr != in.ptr)
+	{
+		memcpy(out.ptr, in.ptr, in.len);
+	}
+	/* Preparse seed for first round:
+	 * b(1) = MD5(S + R + A) */
+	if (!hasher->get_hash(hasher, secret, NULL) ||
+		!hasher->get_hash(hasher,
+						  chunk_from_thing(this->msg->authenticator), NULL) ||
+		!hasher->get_hash(hasher, salt, b))
+	{
+		return FALSE;
+	}
+	while (in.len)
+	{
+		/* p(i) = b(i) xor c(1) */
+		memxor(out.ptr, b, HASH_SIZE_MD5);
+
+		out = chunk_skip(out, HASH_SIZE_MD5);
+		if (out.len)
+		{
+			/* Prepare seed for next round::
+			 * b(i) = MD5(S + c(i-1)) */
+			if (!hasher->get_hash(hasher, secret, NULL) ||
+				!hasher->get_hash(hasher,
+								  chunk_create(in.ptr, HASH_SIZE_MD5), b))
+			{
+				return FALSE;
+			}
+		}
+		in = chunk_skip(in, HASH_SIZE_MD5);
+	}
+	return TRUE;
+}
+
+METHOD(radius_message_t, sign, bool,
 	private_radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
 	hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth)
 {
 	if (rng)
 	{
 		/* build Request-Authenticator */
-		rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
+		if (!rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator))
+		{
+			return FALSE;
+		}
 	}
 	else
 	{
@@ -308,6 +466,18 @@ METHOD(radius_message_t, sign, void,
 		}
 	}
 
+	if (this->password.len)
+	{
+		/* encrypt password inline */
+		if (!crypt(this, chunk_empty, this->password, this->password,
+				   secret, hasher))
+		{
+			return FALSE;
+		}
+		add(this, RAT_USER_PASSWORD, this->password);
+		chunk_clear(&this->password);
+	}
+
 	if (msg_auth)
 	{
 		char buf[HASH_SIZE_MD5];
@@ -315,9 +485,12 @@ METHOD(radius_message_t, sign, void,
 		/* build Message-Authenticator attribute, using 16 null bytes */
 		memset(buf, 0, sizeof(buf));
 		add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
-		signer->get_signature(signer,
+		if (!signer->get_signature(signer,
 				chunk_create((u_char*)this->msg, ntohs(this->msg->length)),
-				((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5);
+				((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5))
+		{
+			return FALSE;
+		}
 	}
 
 	if (!rng)
@@ -326,9 +499,13 @@ METHOD(radius_message_t, sign, void,
 
 		/* build Response-Authenticator */
 		msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
-		hasher->get_hash(hasher, msg, NULL);
-		hasher->get_hash(hasher, secret, this->msg->authenticator);
+		if (!hasher->get_hash(hasher, msg, NULL) ||
+			!hasher->get_hash(hasher, secret, this->msg->authenticator))
+		{
+			return FALSE;
+		}
 	}
+	return TRUE;
 }
 
 METHOD(radius_message_t, verify, bool,
@@ -357,9 +534,9 @@ METHOD(radius_message_t, verify, bool,
 		}
 
 		/* verify Response-Authenticator */
-		hasher->get_hash(hasher, msg, NULL);
-		hasher->get_hash(hasher, secret, buf);
-		if (!memeq(buf, res_auth, HASH_SIZE_MD5))
+		if (!hasher->get_hash(hasher, msg, NULL) ||
+			!hasher->get_hash(hasher, secret, buf) ||
+			!memeq(buf, res_auth, HASH_SIZE_MD5))
 		{
 			DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
 			return FALSE;
@@ -450,6 +627,7 @@ METHOD(radius_message_t, get_encoding, chunk_t,
 METHOD(radius_message_t, destroy, void,
 	private_radius_message_t *this)
 {
+	chunk_clear(&this->password);
 	free(this->msg);
 	free(this);
 }
@@ -464,6 +642,7 @@ static private_radius_message_t *radius_message_create_empty()
 	INIT(this,
 		.public = {
 			.create_enumerator = _create_enumerator,
+			.create_vendor_enumerator = _create_vendor_enumerator,
 			.add = _add,
 			.get_code = _get_code,
 			.get_identifier = _get_identifier,
@@ -472,6 +651,7 @@ static private_radius_message_t *radius_message_create_empty()
 			.get_encoding = _get_encoding,
 			.sign = _sign,
 			.verify = _verify,
+			.crypt = _crypt,
 			.destroy = _destroy,
 		},
 	);
diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h
index 6d0df53c3..4ce03a44e 100644
--- a/src/libradius/radius_message.h
+++ b/src/libradius/radius_message.h
@@ -27,6 +27,7 @@
 #define RADIUS_MESSAGE_H_
 
 #include <library.h>
+#include <pen/pen.h>
 
 #define MAX_RADIUS_ATTRIBUTE_SIZE	253
 
@@ -205,6 +206,16 @@ struct radius_message_t {
 	enumerator_t* (*create_enumerator)(radius_message_t *this);
 
 	/**
+	 * Create an enumerator over contained RADIUS Vendor-ID attributes.
+	 *
+	 * This enumerator parses only vendor specific attributes in the format
+	 * recommended in RFC2865.
+	 *
+	 * @return				enumerator over (int vendor, int type, chunk_t data)
+	 */
+	enumerator_t* (*create_vendor_enumerator)(radius_message_t *this);
+
+	/**
 	 * Add a RADIUS attribute to the message.
 	 *
 	 * @param type			type of attribute to add
@@ -257,8 +268,9 @@ struct radius_message_t {
 	 * @param hasher		MD5 hasher
 	 * @param rng			RNG to create Request-Authenticator, NULL to omit
 	 * @param msg_auth		calculate and add Message-Authenticator
+	 * @return				TRUE if signed successfully
 	 */
-	void (*sign)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
+	bool (*sign)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
 				 hasher_t *hasher, signer_t *signer, rng_t *rng, bool msg_auth);
 
 	/**
@@ -273,17 +285,28 @@ struct radius_message_t {
 				   hasher_t *hasher, signer_t *signer);
 
 	/**
+	 * Perform RADIUS attribute en-/decryption.
+	 *
+	 * Performs en-/decryption by XOring the hash-extended secret into data,
+	 * as specified in RFC 2865 5.2 and used by RFC 2548.
+	 *
+	 * @param salt			salt to append to message authenticator, if any
+	 * @param in			data to en-/decrypt, multiple of HASH_SIZE_MD5
+	 * @param out			en-/decrypted data, length equal to in
+	 * @param secret		RADIUS secret
+	 * @param hasher		MD5 hasher
+	 * @return				TRUE if en-/decryption successful
+	 */
+	bool (*crypt)(radius_message_t *this, chunk_t salt, chunk_t in, chunk_t out,
+				  chunk_t secret, hasher_t *hasher);
+
+	/**
 	 * Destroy the message.
 	 */
 	void (*destroy)(radius_message_t *this);
 };
 
 /**
- * Dummy libradius initialization function needed for integrity test
- */
-void libradius_init(void);
-
-/**
  * Create an empty RADIUS message.
  *
  * @param code			request type
@@ -299,4 +322,13 @@ radius_message_t *radius_message_create(radius_message_code_t code);
  */
 radius_message_t *radius_message_parse(chunk_t data);
 
+/**
+ * @}
+ * @addtogroup libradius
+ * @{
+ *
+ * Dummy libradius initialization function needed for integrity test
+ */
+void libradius_init(void);
+
 #endif /** RADIUS_MESSAGE_H_ @}*/
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index 048c8814e..f432151c0 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -20,7 +20,7 @@
 #include <unistd.h>
 
 #include <pen/pen.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_radius_socket_t private_radius_socket_t;
 
@@ -148,8 +148,11 @@ METHOD(radius_socket_t, request, radius_message_t*,
 	/* set Message Identifier */
 	request->set_identifier(request, this->identifier++);
 	/* sign the request */
-	request->sign(request, NULL, this->secret, this->hasher, this->signer,
-						   rng, rng != NULL);
+	if (!request->sign(request, NULL, this->secret, this->hasher, this->signer,
+					   rng, rng != NULL))
+	{
+		return NULL;
+	}
 
 	if (!check_connection(this, fd, port))
 	{
@@ -230,51 +233,17 @@ METHOD(radius_socket_t, request, radius_message_t*,
 static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt,
 								chunk_t C, radius_message_t *request)
 {
-	chunk_t A, R, P, seed;
-	u_char *c, *p;
-
-	/**
-	 * From RFC2548 (encryption):
-	 * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
-	 * b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)   C = C + c(2)
-	 *      . . .
-	 * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
-	 */
-
-	if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
-	{
-		return chunk_empty;
-	}
+	chunk_t decrypted;
 
-	A = chunk_create((u_char*)&salt, sizeof(salt));
-	R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
-	P = chunk_alloca(C.len);
-	p = P.ptr;
-	c = C.ptr;
-
-	seed = chunk_cata("cc", R, A);
-
-	while (c < C.ptr + C.len)
-	{
-		/* b(i) = MD5(S + c(i-1)) */
-		this->hasher->get_hash(this->hasher, this->secret, NULL);
-		this->hasher->get_hash(this->hasher, seed, p);
-
-		/* p(i) = b(i) xor c(1) */
-		memxor(p, c, HASH_SIZE_MD5);
-
-		/* prepare next round */
-		seed = chunk_create(c, HASH_SIZE_MD5);
-		c += HASH_SIZE_MD5;
-		p += HASH_SIZE_MD5;
-	}
-
-	/* remove truncation, first byte is key length */
-	if (*P.ptr >= P.len)
+	decrypted = chunk_alloca(C.len);
+	if (!request->crypt(request, chunk_from_thing(salt), C, decrypted,
+						this->secret, this->hasher) ||
+		decrypted.ptr[0] >= decrypted.len)
 	{	/* decryption failed? */
 		return chunk_empty;
 	}
-	return chunk_clone(chunk_create(P.ptr + 1, *P.ptr));
+	/* remove truncation, first byte is key length */
+	return chunk_clone(chunk_create(decrypted.ptr + 1, decrypted.ptr[0]));
 }
 
 METHOD(radius_socket_t, decrypt_msk, chunk_t,
@@ -358,14 +327,14 @@ radius_socket_t *radius_socket_create(char *address, u_int16_t auth_port,
 		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
 	);
 
-	if (!this->hasher || !this->signer || !this->rng)
+	if (!this->hasher || !this->signer || !this->rng ||
+		!this->signer->set_key(this->signer, secret))
 	{
 		DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required");
 		destroy(this);
 		return NULL;
 	}
 	this->secret = secret;
-	this->signer->set_key(this->signer, secret);
 	/* we use a random identifier, helps if we restart often */
 	this->identifier = random();
 
diff --git a/src/libradius/radius_socket.h b/src/libradius/radius_socket.h
index 07d642c08..eb510ea89 100644
--- a/src/libradius/radius_socket.h
+++ b/src/libradius/radius_socket.h
@@ -25,7 +25,7 @@ typedef struct radius_socket_t radius_socket_t;
 
 #include "radius_message.h"
 
-#include <utils/host.h>
+#include <networking/host.h>
 
 /**
  * RADIUS socket to a server.
diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am
index 80d4fb814..8aaac7de0 100644
--- a/src/libsimaka/Makefile.am
+++ b/src/libsimaka/Makefile.am
@@ -1,5 +1,7 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
 ipseclib_LTLIBRARIES = libsimaka.la
 libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 59919e559..bdbc00eba 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,48 +90,82 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libsimaka_la_LIBADD =
 am_libsimaka_la_OBJECTS = simaka_message.lo simaka_crypto.lo \
 	simaka_manager.lo
 libsimaka_la_OBJECTS = $(am_libsimaka_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libsimaka_la_SOURCES)
 DIST_SOURCES = $(libsimaka_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -122,13 +174,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -141,6 +196,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -168,11 +224,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -180,6 +238,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -188,8 +247,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -198,14 +255,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -219,17 +281,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -239,16 +301,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -276,7 +337,11 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
 ipseclib_LTLIBRARIES = libsimaka.la
 libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
   simaka_crypto.h simaka_crypto.c simaka_manager.h simaka_manager.c \
@@ -318,7 +383,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -326,6 +390,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -347,8 +413,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS)
+libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) $(EXTRA_libsimaka_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -361,25 +427,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/simaka_message.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -486,10 +552,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libsimaka/simaka_crypto.c b/src/libsimaka/simaka_crypto.c
index 4819d1b99..e60c02a1a 100644
--- a/src/libsimaka/simaka_crypto.c
+++ b/src/libsimaka/simaka_crypto.c
@@ -17,7 +17,7 @@
 
 #include "simaka_manager.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /** length of the k_encr key */
 #define KENCR_LEN 16
@@ -115,90 +115,128 @@ static void call_hook(private_simaka_crypto_t *this, chunk_t encr, chunk_t auth)
 	mgr->key_hook(mgr, encr, auth);
 }
 
-METHOD(simaka_crypto_t, derive_keys_full, chunk_t,
+METHOD(simaka_crypto_t, derive_keys_full, bool,
 	private_simaka_crypto_t *this, identification_t *id,
-	chunk_t data, chunk_t *mk)
+	chunk_t data, chunk_t *mk, chunk_t *msk)
 {
-	chunk_t str, msk, k_encr, k_auth;
+	chunk_t str, k_encr, k_auth;
 	int i;
 
 	/* For SIM: MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version)
 	 * For AKA: MK = SHA1(Identity|IK|CK) */
-	this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
-	this->hasher->allocate_hash(this->hasher, data, mk);
+	if (!this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL) ||
+		!this->hasher->allocate_hash(this->hasher, data, mk))
+	{
+		return FALSE;
+	}
 	DBG3(DBG_LIB, "MK %B", mk);
 
 	/* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() */
-	this->prf->set_key(this->prf, *mk);
+	if (!this->prf->set_key(this->prf, *mk))
+	{
+		chunk_clear(mk);
+		return FALSE;
+	}
 	str = chunk_alloca(this->prf->get_block_size(this->prf) * 3);
 	for (i = 0; i < 3; i++)
 	{
-		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 3 * i);
+		if (!this->prf->get_bytes(this->prf, chunk_empty,
+								  str.ptr + str.len / 3 * i))
+		{
+			chunk_clear(mk);
+			return FALSE;
+		}
 	}
 
 	k_encr = chunk_create(str.ptr, KENCR_LEN);
 	k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
-	msk = chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN);
-	DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk);
 
-	this->signer->set_key(this->signer, k_auth);
-	this->crypter->set_key(this->crypter, k_encr);
+	if (!this->signer->set_key(this->signer, k_auth) ||
+		!this->crypter->set_key(this->crypter, k_encr))
+	{
+		chunk_clear(mk);
+		return FALSE;
+	}
+
+	*msk = chunk_clone(chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN));
+	DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, msk);
 
 	call_hook(this, k_encr, k_auth);
 
 	this->derived = TRUE;
-	return chunk_clone(msk);
+	return TRUE;
 }
 
-METHOD(simaka_crypto_t, derive_keys_reauth, void,
+METHOD(simaka_crypto_t, derive_keys_reauth, bool,
 	private_simaka_crypto_t *this, chunk_t mk)
 {
 	chunk_t str, k_encr, k_auth;
 	int i;
 
 	/* K_encr | K_auth = prf() | prf() */
-	this->prf->set_key(this->prf, mk);
+	if (!this->prf->set_key(this->prf, mk))
+	{
+		return FALSE;
+	}
 	str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
 	for (i = 0; i < 2; i++)
 	{
-		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+		if (!this->prf->get_bytes(this->prf, chunk_empty,
+								  str.ptr + str.len / 2 * i))
+		{
+			return FALSE;
+		}
 	}
 	k_encr = chunk_create(str.ptr, KENCR_LEN);
 	k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
 	DBG3(DBG_LIB, "K_encr %B\nK_auth %B", &k_encr, &k_auth);
 
-	this->signer->set_key(this->signer, k_auth);
-	this->crypter->set_key(this->crypter, k_encr);
+	if (!this->signer->set_key(this->signer, k_auth) ||
+		!this->crypter->set_key(this->crypter, k_encr))
+	{
+		return FALSE;
+	}
 
 	call_hook(this, k_encr, k_auth);
 
 	this->derived = TRUE;
+	return TRUE;
 }
 
-METHOD(simaka_crypto_t, derive_keys_reauth_msk, chunk_t,
+METHOD(simaka_crypto_t, derive_keys_reauth_msk, bool,
 	private_simaka_crypto_t *this, identification_t *id, chunk_t counter,
-	chunk_t nonce_s, chunk_t mk)
+	chunk_t nonce_s, chunk_t mk, chunk_t *msk)
 {
 	char xkey[HASH_SIZE_SHA1];
-	chunk_t str, msk;
+	chunk_t str;
 	int i;
 
-	this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
-	this->hasher->get_hash(this->hasher, counter, NULL);
-	this->hasher->get_hash(this->hasher, nonce_s, NULL);
-	this->hasher->get_hash(this->hasher, mk, xkey);
+	if (!this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL) ||
+		!this->hasher->get_hash(this->hasher, counter, NULL) ||
+		!this->hasher->get_hash(this->hasher, nonce_s, NULL) ||
+		!this->hasher->get_hash(this->hasher, mk, xkey))
+	{
+		return FALSE;
+	}
 
 	/* MSK | EMSK = prf() | prf() | prf() | prf() */
-	this->prf->set_key(this->prf, chunk_create(xkey, sizeof(xkey)));
+	if (!this->prf->set_key(this->prf, chunk_create(xkey, sizeof(xkey))))
+	{
+		return FALSE;
+	}
 	str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
 	for (i = 0; i < 2; i++)
 	{
-		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+		if (!this->prf->get_bytes(this->prf, chunk_empty,
+								  str.ptr + str.len / 2 * i))
+		{
+			return FALSE;
+		}
 	}
-	msk = chunk_create(str.ptr, MSK_LEN);
-	DBG3(DBG_LIB, "MSK %B", &msk);
+	*msk = chunk_clone(chunk_create(str.ptr, MSK_LEN));
+	DBG3(DBG_LIB, "MSK %B", msk);
 
-	return chunk_clone(msk);
+	return TRUE;
 }
 
 METHOD(simaka_crypto_t, clear_keys, void,
diff --git a/src/libsimaka/simaka_crypto.h b/src/libsimaka/simaka_crypto.h
index d1830e658..c07755865 100644
--- a/src/libsimaka/simaka_crypto.h
+++ b/src/libsimaka/simaka_crypto.h
@@ -62,10 +62,11 @@ struct simaka_crypto_t {
 	 * @param id	peer identity
 	 * @param data	method specific data
 	 * @param mk	chunk receiving allocated master key MK
-	 * @return		allocated MSK value
+	 * @param msk	chunk receiving allocated MSK
+	 * @return		TRUE if keys allocated and derived successfully
 	 */
-	chunk_t (*derive_keys_full)(simaka_crypto_t *this, identification_t *id,
-								chunk_t data, chunk_t *mk);
+	bool (*derive_keys_full)(simaka_crypto_t *this, identification_t *id,
+							 chunk_t data, chunk_t *mk, chunk_t *msk);
 
 	/**
 	 * Derive k_encr/k_auth keys from MK using fast reauthentication.
@@ -74,8 +75,9 @@ struct simaka_crypto_t {
 	 * internal crypter/signer instances.
 	 *
 	 * @param mk	master key
+	 * @return		TRUE if keys derived successfully
 	 */
-	void (*derive_keys_reauth)(simaka_crypto_t *this, chunk_t mk);
+	bool (*derive_keys_reauth)(simaka_crypto_t *this, chunk_t mk);
 
 	/**
 	 * Derive MSK using fast reauthentication.
@@ -84,10 +86,12 @@ struct simaka_crypto_t {
 	 * @param counter	fast reauthentication counter value, network order
 	 * @param nonce_s	server generated NONCE_S value
 	 * @param mk		master key of last full authentication
+	 * @param msk		chunk receiving allocated MSK
+	 * @return			TRUE if MSK allocated and derived successfully
 	 */
-	chunk_t (*derive_keys_reauth_msk)(simaka_crypto_t *this,
-									  identification_t *id, chunk_t counter,
-									  chunk_t nonce_s, chunk_t mk);
+	bool (*derive_keys_reauth_msk)(simaka_crypto_t *this,
+								   identification_t *id, chunk_t counter,
+								   chunk_t nonce_s, chunk_t mk, chunk_t *msk);
 
 	/**
 	 * Clear keys (partially) derived.
diff --git a/src/libsimaka/simaka_manager.c b/src/libsimaka/simaka_manager.c
index 65de1c5ab..e85dd660b 100644
--- a/src/libsimaka/simaka_manager.c
+++ b/src/libsimaka/simaka_manager.c
@@ -15,8 +15,8 @@
 
 #include "simaka_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
 typedef struct private_simaka_manager_t private_simaka_manager_t;
diff --git a/src/libsimaka/simaka_manager.h b/src/libsimaka/simaka_manager.h
index 64a67e56c..bdd50296e 100644
--- a/src/libsimaka/simaka_manager.h
+++ b/src/libsimaka/simaka_manager.h
@@ -23,7 +23,7 @@
 
 #include <crypto/hashers/hasher.h>
 #include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <plugins/plugin.h>
 
 typedef struct simaka_manager_t simaka_manager_t;
@@ -279,11 +279,6 @@ struct simaka_manager_t {
 };
 
 /**
- * Dummy libsimaka initialization function needed for integrity test
- */
-void libsimaka_init(void);
-
-/**
  * Create an SIM/AKA manager to handle multiple (U)SIM cards/providers.
  *
  * @return			simaka_t object
@@ -312,4 +307,13 @@ typedef void* (*simaka_manager_register_cb_t)(plugin_t *plugin);
 bool simaka_manager_register(plugin_t *plugin, plugin_feature_t *feature,
 							 bool reg, void *data);
 
+/**
+ * @}
+ * @addtogroup libsimaka
+ * @{
+ *
+ * Dummy libsimaka initialization function needed for integrity test
+ */
+void libsimaka_init(void);
+
 #endif /** SIMAKA_MANAGER_H_ @}*/
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index a5754b985..7dd15480b 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -17,8 +17,8 @@
 
 #include "simaka_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_simaka_message_t private_simaka_message_t;
 typedef struct hdr_t hdr_t;
@@ -499,8 +499,10 @@ static bool decrypt(private_simaka_message_t *this)
 			 eap_type_names, this->hdr->type);
 		return FALSE;
 	}
-
-	crypter->decrypt(crypter, this->encr, this->iv, &plain);
+	if (!crypter->decrypt(crypter, this->encr, this->iv, &plain))
+	{
+		return FALSE;
+	}
 
 	this->encrypted = TRUE;
 	success = parse_attributes(this, plain);
@@ -599,8 +601,8 @@ METHOD(simaka_message_t, verify, bool,
 	return TRUE;
 }
 
-METHOD(simaka_message_t, generate, chunk_t,
-	private_simaka_message_t *this, chunk_t sigdata)
+METHOD(simaka_message_t, generate, bool,
+	private_simaka_message_t *this, chunk_t sigdata, chunk_t *gen)
 {
 	/* buffers large enough for messages we generate */
 	char out_buf[1024], encr_buf[512];
@@ -771,13 +773,19 @@ METHOD(simaka_message_t, generate, chunk_t,
 		out = chunk_skip(out, 4);
 
 		rng = this->crypto->get_rng(this->crypto);
-		rng->get_bytes(rng, iv.len, out.ptr);
+		if (!rng->get_bytes(rng, iv.len, out.ptr))
+		{
+			return FALSE;
+		}
 
 		iv = chunk_clonea(chunk_create(out.ptr, iv.len));
 		out = chunk_skip(out, iv.len);
 
 		/* inline encryption */
-		crypter->encrypt(crypter, encr, iv, NULL);
+		if (!crypter->encrypt(crypter, encr, iv, NULL))
+		{
+			return FALSE;
+		}
 
 		/* add ENCR_DATA attribute */
 		hdr = (attr_hdr_t*)out.ptr;
@@ -822,12 +830,16 @@ METHOD(simaka_message_t, generate, chunk_t,
 	if (mac.len)
 	{
 		data = chunk_cata("cc", out, sigdata);
-		signer->get_signature(signer, data, mac.ptr);
+		if (!signer->get_signature(signer, data, mac.ptr))
+		{
+			return FALSE;
+		}
 	}
 
 	call_hook(this, FALSE, FALSE);
 
-	return chunk_clone(out);
+	*gen = chunk_clone(out);
+	return TRUE;
 }
 
 METHOD(simaka_message_t, destroy, void,
diff --git a/src/libsimaka/simaka_message.h b/src/libsimaka/simaka_message.h
index 28fe21823..32c39a348 100644
--- a/src/libsimaka/simaka_message.h
+++ b/src/libsimaka/simaka_message.h
@@ -26,7 +26,7 @@
 #ifndef SIMAKA_MESSAGE_H_
 #define SIMAKA_MESSAGE_H_
 
-#include <enum.h>
+#include <utils/enum.h>
 #include <eap/eap.h>
 
 #include "simaka_crypto.h"
@@ -236,9 +236,10 @@ struct simaka_message_t {
 	 * Generate a message, optionally encrypt attributes and create a MAC.
 	 *
 	 * @param sigdata	additional data to include in signature, if any
-	 * @return			allocated data of generated message
+	 * @param gen		allocated generated data, if successful
+	 * @return			TRUE if successful
 	 */
-	chunk_t (*generate)(simaka_message_t *this, chunk_t sigdata);
+	bool (*generate)(simaka_message_t *this, chunk_t sigdata, chunk_t *gen);
 
 	/**
 	 * Destroy a simaka_message_t.
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index d33bee6c7..3811ed083 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -3,81 +3,50 @@ include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
 LOCAL_SRC_FILES := \
-library.c library.h \
-chunk.c chunk.h \
-debug.c debug.h \
-enum.c enum.h \
-settings.h settings.c \
-printf_hook.c printf_hook.h \
-asn1/asn1.c asn1/asn1.h \
-asn1/asn1_parser.c asn1/asn1_parser.h \
-asn1/oid.c asn1/oid.h \
-bio/bio_reader.h bio/bio_reader.c bio/bio_writer.h bio/bio_writer.c \
-crypto/crypters/crypter.c crypto/crypters/crypter.h \
-crypto/hashers/hasher.h crypto/hashers/hasher.c \
-crypto/pkcs9.c crypto/pkcs9.h \
-crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords.h \
-crypto/prfs/prf.c crypto/prfs/prf.h \
-crypto/rngs/rng.c crypto/rngs/rng.h \
-crypto/prf_plus.h crypto/prf_plus.c \
-crypto/signers/signer.c crypto/signers/signer.h \
-crypto/crypto_factory.c crypto/crypto_factory.h \
-crypto/crypto_tester.c crypto/crypto_tester.h \
-crypto/diffie_hellman.c crypto/diffie_hellman.h \
-crypto/aead.c crypto/aead.h \
-crypto/transform.c crypto/transform.h \
-credentials/credential_factory.c credentials/credential_factory.h \
-credentials/builder.c credentials/builder.h \
-credentials/cred_encoding.c credentials/cred_encoding.h \
-credentials/keys/private_key.c credentials/keys/private_key.h \
-credentials/keys/public_key.c credentials/keys/public_key.h \
-credentials/keys/shared_key.c credentials/keys/shared_key.h \
-credentials/certificates/certificate.c credentials/certificates/certificate.h \
-credentials/certificates/x509.h credentials/certificates/ac.h \
-credentials/certificates/crl.h credentials/certificates/crl.c \
-credentials/certificates/pkcs10.h \
-credentials/certificates/ocsp_request.h \
-credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \
-credentials/certificates/pgp_certificate.h \
-credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \
-credentials/credential_manager.c credentials/credential_manager.h \
-credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
-credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
-credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
-credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
-credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
-credentials/cert_validator.h database/database.h database/database.c \
-database/database_factory.h database/database_factory.c \
-fetcher/fetcher.h fetcher/fetcher.c fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
-eap/eap.h eap/eap.c \
-pen/pen.h pen/pen.c \
-plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
-plugins/plugin_feature.c plugins/plugin_feature.h \
-processing/jobs/job.h processing/jobs/job.c \
-processing/jobs/callback_job.c processing/jobs/callback_job.h \
-processing/processor.c processing/processor.h \
-processing/scheduler.c processing/scheduler.h \
-selectors/traffic_selector.c selectors/traffic_selector.h \
-threading/thread.h threading/thread.c \
-threading/thread_value.h threading/thread_value.c \
-threading/mutex.h threading/mutex.c threading/condvar.h  \
-threading/rwlock.h threading/rwlock.c \
-threading/lock_profiler.h \
-utils.h utils.c \
-utils/host.c utils/host.h \
-utils/identification.c utils/identification.h \
-utils/lexparser.c utils/lexparser.h \
-utils/linked_list.c utils/linked_list.h \
-utils/hashtable.c utils/hashtable.h \
-utils/enumerator.c utils/enumerator.h \
-utils/optionsfrom.c utils/optionsfrom.h \
-utils/backtrace.c utils/backtrace.h
+library.c \
+asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/array.c \
+collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
+crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
+crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
+crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
+crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
+crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
+credentials/credential_factory.c credentials/builder.c \
+credentials/cred_encoding.c credentials/keys/private_key.c \
+credentials/keys/public_key.c credentials/keys/shared_key.c \
+credentials/certificates/certificate.c credentials/certificates/crl.c \
+credentials/certificates/ocsp_response.c \
+credentials/containers/container.c credentials/containers/pkcs12.c \
+credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
+credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
+credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
+database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
+ipsec/ipsec_types.c \
+networking/host.c networking/host_resolver.c networking/packet.c \
+networking/tun_device.c networking/streams/stream.c \
+networking/streams/stream_service.c networking/streams/stream_manager.c \
+pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
+processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
+processing/watcher.c resolver/resolver_manager.c resolver/rr_set.c \
+selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
+threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
+utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
+utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
+utils/printf_hook.c utils/settings.c
 
 # adding the plugin source files
 
 LOCAL_SRC_FILES += $(call add_plugin, aes)
 
+LOCAL_SRC_FILES += $(call add_plugin, curl)
+ifneq ($(call plugin_enabled, curl),)
+LOCAL_C_INCLUDES += $(libcurl_PATH)
+LOCAL_SHARED_LIBRARIES += libcurl
+endif
+
 LOCAL_SRC_FILES += $(call add_plugin, des)
 
 LOCAL_SRC_FILES += $(call add_plugin, fips-prf)
@@ -94,9 +63,11 @@ LOCAL_SRC_FILES += $(call add_plugin, md4)
 
 LOCAL_SRC_FILES += $(call add_plugin, md5)
 
+LOCAL_SRC_FILES += $(call add_plugin, nonce)
+
 LOCAL_SRC_FILES += $(call add_plugin, openssl)
 ifneq ($(call plugin_enabled, openssl),)
-LOCAL_C_INCLUDES += external/openssl/include
+LOCAL_C_INCLUDES += $(openssl_PATH)
 LOCAL_SHARED_LIBRARIES += libcrypto
 endif
 
@@ -104,6 +75,10 @@ LOCAL_SRC_FILES += $(call add_plugin, pem)
 
 LOCAL_SRC_FILES += $(call add_plugin, pkcs1)
 
+LOCAL_SRC_FILES += $(call add_plugin, pkcs7)
+
+LOCAL_SRC_FILES += $(call add_plugin, pkcs8)
+
 LOCAL_SRC_FILES += $(call add_plugin, pkcs11)
 
 LOCAL_SRC_FILES += $(call add_plugin, pubkey)
@@ -137,4 +112,3 @@ LOCAL_PRELINK_MODULE := false
 LOCAL_SHARED_LIBRARIES += libdl libvstr
 
 include $(BUILD_SHARED_LIBRARY)
-
diff --git a/src/libstrongswan/AndroidConfigLocal.h b/src/libstrongswan/AndroidConfigLocal.h
index a6da3276a..ee29c1693 100644
--- a/src/libstrongswan/AndroidConfigLocal.h
+++ b/src/libstrongswan/AndroidConfigLocal.h
@@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
 /* stuff defined in AndroidConfig.h, which is included using the -include
  * command-line option, thus cannot be undefined using -U CFLAGS options.
  * the reason we have to undefine these flags in the first place, is that
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 7bb0812bd..dfe6e7e00 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,132 +1,148 @@
 ipseclib_LTLIBRARIES = libstrongswan.la
 
 libstrongswan_la_SOURCES = \
-library.c library.h \
-chunk.c chunk.h \
-debug.c debug.h \
-enum.c enum.h \
-settings.h settings.c \
-printf_hook.c printf_hook.h \
-asn1/asn1.c asn1/asn1.h \
-asn1/asn1_parser.c asn1/asn1_parser.h \
-asn1/oid.c asn1/oid.h \
-bio/bio_reader.h bio/bio_reader.c bio/bio_writer.h bio/bio_writer.c \
-crypto/crypters/crypter.c crypto/crypters/crypter.h \
-crypto/hashers/hasher.h crypto/hashers/hasher.c \
-crypto/pkcs9.c crypto/pkcs9.h \
-crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords.h \
-crypto/prfs/prf.c crypto/prfs/prf.h \
-crypto/rngs/rng.c crypto/rngs/rng.h \
-crypto/prf_plus.h crypto/prf_plus.c \
-crypto/signers/signer.c crypto/signers/signer.h \
-crypto/crypto_factory.c crypto/crypto_factory.h \
-crypto/crypto_tester.c crypto/crypto_tester.h \
-crypto/diffie_hellman.c crypto/diffie_hellman.h \
-crypto/aead.c crypto/aead.h \
-crypto/transform.c crypto/transform.h \
-credentials/credential_factory.c credentials/credential_factory.h \
-credentials/builder.c credentials/builder.h \
-credentials/cred_encoding.c credentials/cred_encoding.h \
-credentials/keys/private_key.c credentials/keys/private_key.h \
-credentials/keys/public_key.c credentials/keys/public_key.h \
-credentials/keys/shared_key.c credentials/keys/shared_key.h \
-credentials/certificates/certificate.c credentials/certificates/certificate.h \
-credentials/certificates/x509.h credentials/certificates/ac.h \
-credentials/certificates/crl.h credentials/certificates/crl.c \
-credentials/certificates/pkcs10.h \
-credentials/certificates/ocsp_request.h \
-credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \
+library.c \
+asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
+collections/array.c \
+collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
+crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
+crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
+crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
+crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
+crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
+credentials/credential_factory.c credentials/builder.c \
+credentials/cred_encoding.c credentials/keys/private_key.c \
+credentials/keys/public_key.c credentials/keys/shared_key.c \
+credentials/certificates/certificate.c credentials/certificates/crl.c \
+credentials/certificates/ocsp_response.c \
+credentials/containers/container.c credentials/containers/pkcs12.c \
+credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
+credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
+credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \
+database/database_factory.c fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
+ipsec/ipsec_types.c \
+networking/host.c networking/host_resolver.c networking/packet.c \
+networking/tun_device.c networking/streams/stream.c \
+networking/streams/stream_service.c networking/streams/stream_manager.c \
+pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
+processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
+processing/watcher.c resolver/resolver_manager.c resolver/rr_set.c \
+selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
+threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
+utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
+utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \
+utils/printf_hook.c utils/settings.c
+
+if USE_DEV_HEADERS
+strongswan_includedir = ${dev_headers}
+nobase_strongswan_include_HEADERS = \
+library.h \
+asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
+collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
+collections/linked_list.h collections/array.h \
+crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
+crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
+crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
+crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
+crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
+crypto/aead.h crypto/transform.h crypto/pkcs5.h \
+credentials/credential_factory.h credentials/builder.h \
+credentials/cred_encoding.h credentials/keys/private_key.h \
+credentials/keys/public_key.h credentials/keys/shared_key.h \
+credentials/certificates/certificate.h credentials/certificates/x509.h \
+credentials/certificates/ac.h credentials/certificates/crl.h \
+credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
+credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
-credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \
-credentials/credential_manager.c credentials/credential_manager.h \
-credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
-credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
-credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
-credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
-credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
-credentials/cert_validator.h database/database.h database/database.c \
-database/database_factory.h database/database_factory.c \
-fetcher/fetcher.h fetcher/fetcher.c fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
-eap/eap.h eap/eap.c \
-pen/pen.h pen/pen.c \
-plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
-plugins/plugin_feature.c plugins/plugin_feature.h \
-processing/jobs/job.h processing/jobs/job.c \
-processing/jobs/callback_job.c processing/jobs/callback_job.h \
-processing/processor.c processing/processor.h \
-processing/scheduler.c processing/scheduler.h \
-selectors/traffic_selector.c selectors/traffic_selector.h \
-threading/thread.h threading/thread.c \
-threading/thread_value.h threading/thread_value.c \
-threading/mutex.h threading/mutex.c threading/condvar.h  \
-threading/rwlock.h threading/rwlock.c \
-threading/lock_profiler.h \
-utils.h utils.c \
-utils/host.c utils/host.h \
-utils/identification.c utils/identification.h \
-utils/lexparser.c utils/lexparser.h \
-utils/linked_list.c utils/linked_list.h \
-utils/hashtable.c utils/hashtable.h \
-utils/enumerator.c utils/enumerator.h \
-utils/optionsfrom.c utils/optionsfrom.h \
-utils/backtrace.c utils/backtrace.h
-
+credentials/containers/container.h credentials/containers/pkcs7.h \
+credentials/containers/pkcs12.h \
+credentials/ietf_attributes/ietf_attributes.h \
+credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
+credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
+credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
+credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
+database/database.h database/database_factory.h fetcher/fetcher.h \
+fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+networking/host.h networking/host_resolver.h networking/packet.h \
+networking/tun_device.h networking/streams/stream.h \
+networking/streams/stream_service.h networking/streams/stream_manager.h \
+resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \
+resolver/rr.h resolver/resolver_manager.h \
+plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
+processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
+processing/scheduler.h processing/watcher.h selectors/traffic_selector.h \
+threading/thread.h threading/thread_value.h \
+threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
+threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
+utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
+utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
+utils/leak_detective.h utils/printf_hook.h utils/settings.h utils/integrity_checker.h
+endif
 
 library.lo :	$(top_builddir)/config.status
 
-libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB)
+libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) $(BFDLIB) $(UNWINDLIB)
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
+	-DPLUGINDIR=\"${plugindir}\" \
+	-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
--DPLUGINDIR=\"${plugindir}\" \
--DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+	@COVERAGE_CFLAGS@
 
 if USE_LEAK_DETECTIVE
-  AM_CFLAGS += -DLEAK_DETECTIVE
-  libstrongswan_la_SOURCES += \
-    utils/leak_detective.c utils/leak_detective.h
+  AM_CPPFLAGS += -DLEAK_DETECTIVE
+  libstrongswan_la_SOURCES += utils/leak_detective.c
 endif
 
 if USE_LOCK_PROFILER
-  AM_CFLAGS += -DLOCK_PROFILER
+  AM_CPPFLAGS += -DLOCK_PROFILER
 endif
 
 if USE_INTEGRITY_TEST
-  AM_CFLAGS += -DINTEGRITY_TEST
-  libstrongswan_la_SOURCES += \
-    integrity_checker.c integrity_checker.h
+  AM_CPPFLAGS += -DINTEGRITY_TEST
+  libstrongswan_la_SOURCES += utils/integrity_checker.c
 endif
 
 if USE_VSTR
   libstrongswan_la_LIBADD += -lvstr
 endif
 
+if USE_LIBCAP
+  libstrongswan_la_LIBADD += -lcap
+endif
+
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
-crypto/proposal/proposal_keywords.txt \
+crypto/proposal/proposal_keywords_static.txt \
 Android.mk AndroidConfigLocal.h
 
 BUILT_SOURCES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
-$(srcdir)/crypto/proposal/proposal_keywords.c
+$(srcdir)/crypto/proposal/proposal_keywords_static.c
 
 MAINTAINERCLEANFILES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
-$(srcdir)/crypto/proposal/proposal_keywords.c
+$(srcdir)/crypto/proposal/proposal_keywords_static.c
 
 $(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
 $(srcdir)/asn1/oid.h :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
-$(srcdir)/crypto/proposal/proposal_keywords.c:	$(srcdir)/crypto/proposal/proposal_keywords.txt \
-												$(srcdir)/crypto/proposal/proposal_keywords.h
-		$(GPERF) -N proposal_get_token -m 10 -C -G -c -t -D < \
-												$(srcdir)/crypto/proposal/proposal_keywords.txt > $@
+$(srcdir)/crypto/proposal/proposal_keywords_static.c:	$(srcdir)/crypto/proposal/proposal_keywords_static.txt \
+														$(srcdir)/crypto/proposal/proposal_keywords_static.h
+		$(AM_V_GEN) \
+		$(GPERF) -N proposal_get_token_static -m 10 -C -G -c -t -D < \
+												$(srcdir)/crypto/proposal/proposal_keywords_static.txt > $@
 
 
 # build plugins with their own Makefile
@@ -166,6 +182,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_RC2
+  SUBDIRS += plugins/rc2
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/rc2/libstrongswan-rc2.la
+endif
+endif
+
 if USE_MD4
   SUBDIRS += plugins/md4
 if MONOLITHIC
@@ -201,6 +224,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_RDRAND
+  SUBDIRS += plugins/rdrand
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/rdrand/libstrongswan-rdrand.la
+endif
+endif
+
 if USE_RANDOM
   SUBDIRS += plugins/random
 if MONOLITHIC
@@ -208,6 +238,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_NONCE
+  SUBDIRS += plugins/nonce
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/nonce/libstrongswan-nonce.la
+endif
+endif
+
 if USE_HMAC
   SUBDIRS += plugins/hmac
 if MONOLITHIC
@@ -264,6 +301,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_PKCS7
+  SUBDIRS += plugins/pkcs7
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pkcs7/libstrongswan-pkcs7.la
+endif
+endif
+
 if USE_PKCS8
   SUBDIRS += plugins/pkcs8
 if MONOLITHIC
@@ -271,6 +315,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_PKCS12
+  SUBDIRS += plugins/pkcs12
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pkcs12/libstrongswan-pkcs12.la
+endif
+endif
+
 if USE_PGP
   SUBDIRS += plugins/pgp
 if MONOLITHIC
@@ -285,6 +336,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SSHKEY
+  SUBDIRS += plugins/sshkey
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/sshkey/libstrongswan-sshkey.la
+endif
+endif
+
 if USE_PEM
   SUBDIRS += plugins/pem
 if MONOLITHIC
@@ -299,6 +357,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_UNBOUND
+  SUBDIRS += plugins/unbound
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/unbound/libstrongswan-unbound.la
+endif
+endif
+
 if USE_SOUP
   SUBDIRS += plugins/soup
 if MONOLITHIC
@@ -362,6 +427,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KEYCHAIN
+  SUBDIRS += plugins/keychain
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/keychain/libstrongswan-keychain.la
+endif
+endif
+
 if USE_PKCS11
   SUBDIRS += plugins/pkcs11
 if MONOLITHIC
@@ -396,3 +468,10 @@ if MONOLITHIC
   libstrongswan_la_LIBADD += plugins/test_vectors/libstrongswan-test-vectors.la
 endif
 endif
+
+if UNITTESTS
+if MONOLITHIC
+  SUBDIRS += .
+endif
+  SUBDIRS += tests
+endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 68c83a5aa..f931e3c47 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,7 +15,25 @@
 
 @SET_MAKE@
 
+
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -35,91 +53,107 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @USE_LEAK_DETECTIVE_TRUE@am__append_1 = -DLEAK_DETECTIVE
-@USE_LEAK_DETECTIVE_TRUE@am__append_2 = \
-@USE_LEAK_DETECTIVE_TRUE@    utils/leak_detective.c utils/leak_detective.h
-
+@USE_LEAK_DETECTIVE_TRUE@am__append_2 = utils/leak_detective.c
 @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
 @USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
-@USE_INTEGRITY_TEST_TRUE@am__append_5 = \
-@USE_INTEGRITY_TEST_TRUE@    integrity_checker.c integrity_checker.h
-
+@USE_INTEGRITY_TEST_TRUE@am__append_5 = utils/integrity_checker.c
 @USE_VSTR_TRUE@am__append_6 = -lvstr
-@USE_AF_ALG_TRUE@am__append_7 = plugins/af_alg
-@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg/libstrongswan-af-alg.la
-@USE_AES_TRUE@am__append_9 = plugins/aes
-@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_10 = plugins/aes/libstrongswan-aes.la
-@USE_DES_TRUE@am__append_11 = plugins/des
-@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_12 = plugins/des/libstrongswan-des.la
-@USE_BLOWFISH_TRUE@am__append_13 = plugins/blowfish
-@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_14 = plugins/blowfish/libstrongswan-blowfish.la
-@USE_MD4_TRUE@am__append_15 = plugins/md4
-@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_16 = plugins/md4/libstrongswan-md4.la
-@USE_MD5_TRUE@am__append_17 = plugins/md5
-@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_18 = plugins/md5/libstrongswan-md5.la
-@USE_SHA1_TRUE@am__append_19 = plugins/sha1
-@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_20 = plugins/sha1/libstrongswan-sha1.la
-@USE_SHA2_TRUE@am__append_21 = plugins/sha2
-@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_22 = plugins/sha2/libstrongswan-sha2.la
-@USE_GMP_TRUE@am__append_23 = plugins/gmp
-@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_24 = plugins/gmp/libstrongswan-gmp.la
-@USE_RANDOM_TRUE@am__append_25 = plugins/random
-@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_26 = plugins/random/libstrongswan-random.la
-@USE_HMAC_TRUE@am__append_27 = plugins/hmac
-@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_28 = plugins/hmac/libstrongswan-hmac.la
-@USE_CMAC_TRUE@am__append_29 = plugins/cmac
-@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_30 = plugins/cmac/libstrongswan-cmac.la
-@USE_XCBC_TRUE@am__append_31 = plugins/xcbc
-@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_32 = plugins/xcbc/libstrongswan-xcbc.la
-@USE_X509_TRUE@am__append_33 = plugins/x509
-@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_34 = plugins/x509/libstrongswan-x509.la
-@USE_REVOCATION_TRUE@am__append_35 = plugins/revocation
-@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_36 = plugins/revocation/libstrongswan-revocation.la
-@USE_CONSTRAINTS_TRUE@am__append_37 = plugins/constraints
-@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_38 = plugins/constraints/libstrongswan-constraints.la
-@USE_PUBKEY_TRUE@am__append_39 = plugins/pubkey
-@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_40 = plugins/pubkey/libstrongswan-pubkey.la
-@USE_PKCS1_TRUE@am__append_41 = plugins/pkcs1
-@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_42 = plugins/pkcs1/libstrongswan-pkcs1.la
-@USE_PKCS8_TRUE@am__append_43 = plugins/pkcs8
-@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_44 = plugins/pkcs8/libstrongswan-pkcs8.la
-@USE_PGP_TRUE@am__append_45 = plugins/pgp
-@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_46 = plugins/pgp/libstrongswan-pgp.la
-@USE_DNSKEY_TRUE@am__append_47 = plugins/dnskey
-@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_48 = plugins/dnskey/libstrongswan-dnskey.la
-@USE_PEM_TRUE@am__append_49 = plugins/pem
-@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_50 = plugins/pem/libstrongswan-pem.la
-@USE_CURL_TRUE@am__append_51 = plugins/curl
-@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_52 = plugins/curl/libstrongswan-curl.la
-@USE_SOUP_TRUE@am__append_53 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_54 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_55 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_56 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_57 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_58 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_59 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_60 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_61 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_62 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_63 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_64 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_65 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_66 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_67 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_68 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_69 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_70 = plugins/agent/libstrongswan-agent.la
-@USE_PKCS11_TRUE@am__append_71 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_72 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_73 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_74 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_75 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_76 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_77 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_78 = plugins/gcm/libstrongswan-gcm.la
-@USE_TEST_VECTORS_TRUE@am__append_79 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_80 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_LIBCAP_TRUE@am__append_7 = -lcap
+@USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg
+@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_9 = plugins/af_alg/libstrongswan-af-alg.la
+@USE_AES_TRUE@am__append_10 = plugins/aes
+@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_11 = plugins/aes/libstrongswan-aes.la
+@USE_DES_TRUE@am__append_12 = plugins/des
+@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_13 = plugins/des/libstrongswan-des.la
+@USE_BLOWFISH_TRUE@am__append_14 = plugins/blowfish
+@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_15 = plugins/blowfish/libstrongswan-blowfish.la
+@USE_RC2_TRUE@am__append_16 = plugins/rc2
+@MONOLITHIC_TRUE@@USE_RC2_TRUE@am__append_17 = plugins/rc2/libstrongswan-rc2.la
+@USE_MD4_TRUE@am__append_18 = plugins/md4
+@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_19 = plugins/md4/libstrongswan-md4.la
+@USE_MD5_TRUE@am__append_20 = plugins/md5
+@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_21 = plugins/md5/libstrongswan-md5.la
+@USE_SHA1_TRUE@am__append_22 = plugins/sha1
+@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_23 = plugins/sha1/libstrongswan-sha1.la
+@USE_SHA2_TRUE@am__append_24 = plugins/sha2
+@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_25 = plugins/sha2/libstrongswan-sha2.la
+@USE_GMP_TRUE@am__append_26 = plugins/gmp
+@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_27 = plugins/gmp/libstrongswan-gmp.la
+@USE_RDRAND_TRUE@am__append_28 = plugins/rdrand
+@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_29 = plugins/rdrand/libstrongswan-rdrand.la
+@USE_RANDOM_TRUE@am__append_30 = plugins/random
+@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_31 = plugins/random/libstrongswan-random.la
+@USE_NONCE_TRUE@am__append_32 = plugins/nonce
+@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_33 = plugins/nonce/libstrongswan-nonce.la
+@USE_HMAC_TRUE@am__append_34 = plugins/hmac
+@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_35 = plugins/hmac/libstrongswan-hmac.la
+@USE_CMAC_TRUE@am__append_36 = plugins/cmac
+@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_37 = plugins/cmac/libstrongswan-cmac.la
+@USE_XCBC_TRUE@am__append_38 = plugins/xcbc
+@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_39 = plugins/xcbc/libstrongswan-xcbc.la
+@USE_X509_TRUE@am__append_40 = plugins/x509
+@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_41 = plugins/x509/libstrongswan-x509.la
+@USE_REVOCATION_TRUE@am__append_42 = plugins/revocation
+@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_43 = plugins/revocation/libstrongswan-revocation.la
+@USE_CONSTRAINTS_TRUE@am__append_44 = plugins/constraints
+@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_45 = plugins/constraints/libstrongswan-constraints.la
+@USE_PUBKEY_TRUE@am__append_46 = plugins/pubkey
+@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_47 = plugins/pubkey/libstrongswan-pubkey.la
+@USE_PKCS1_TRUE@am__append_48 = plugins/pkcs1
+@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_49 = plugins/pkcs1/libstrongswan-pkcs1.la
+@USE_PKCS7_TRUE@am__append_50 = plugins/pkcs7
+@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_51 = plugins/pkcs7/libstrongswan-pkcs7.la
+@USE_PKCS8_TRUE@am__append_52 = plugins/pkcs8
+@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_53 = plugins/pkcs8/libstrongswan-pkcs8.la
+@USE_PKCS12_TRUE@am__append_54 = plugins/pkcs12
+@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_55 = plugins/pkcs12/libstrongswan-pkcs12.la
+@USE_PGP_TRUE@am__append_56 = plugins/pgp
+@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_57 = plugins/pgp/libstrongswan-pgp.la
+@USE_DNSKEY_TRUE@am__append_58 = plugins/dnskey
+@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_59 = plugins/dnskey/libstrongswan-dnskey.la
+@USE_SSHKEY_TRUE@am__append_60 = plugins/sshkey
+@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_61 = plugins/sshkey/libstrongswan-sshkey.la
+@USE_PEM_TRUE@am__append_62 = plugins/pem
+@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_63 = plugins/pem/libstrongswan-pem.la
+@USE_CURL_TRUE@am__append_64 = plugins/curl
+@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_65 = plugins/curl/libstrongswan-curl.la
+@USE_UNBOUND_TRUE@am__append_66 = plugins/unbound
+@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_67 = plugins/unbound/libstrongswan-unbound.la
+@USE_SOUP_TRUE@am__append_68 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_69 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_70 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_71 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_72 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_73 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_74 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_75 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_76 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_77 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_78 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_79 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_80 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_81 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_82 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_83 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_84 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_85 = plugins/agent/libstrongswan-agent.la
+@USE_KEYCHAIN_TRUE@am__append_86 = plugins/keychain
+@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_87 = plugins/keychain/libstrongswan-keychain.la
+@USE_PKCS11_TRUE@am__append_88 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_89 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_90 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_91 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_92 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_93 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_94 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_95 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_96 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_97 = plugins/test_vectors/libstrongswan-test-vectors.la
+@MONOLITHIC_TRUE@@UNITTESTS_TRUE@am__append_98 = .
+@UNITTESTS_TRUE@am__append_99 = tests
 subdir = src/libstrongswan
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+DIST_COMMON = $(am__nobase_strongswan_include_HEADERS_DIST) \
+	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -129,10 +163,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -156,128 +191,136 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
+	"$(DESTDIR)$(strongswan_includedir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__append_8) $(am__append_10) \
-	$(am__append_12) $(am__append_14) $(am__append_16) \
-	$(am__append_18) $(am__append_20) $(am__append_22) \
-	$(am__append_24) $(am__append_26) $(am__append_28) \
-	$(am__append_30) $(am__append_32) $(am__append_34) \
-	$(am__append_36) $(am__append_38) $(am__append_40) \
-	$(am__append_42) $(am__append_44) $(am__append_46) \
-	$(am__append_48) $(am__append_50) $(am__append_52) \
-	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60) $(am__append_62) $(am__append_64) \
-	$(am__append_66) $(am__append_68) $(am__append_70) \
-	$(am__append_72) $(am__append_74) $(am__append_76) \
-	$(am__append_78) $(am__append_80)
-am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
-	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
-	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
-	asn1/asn1_parser.c asn1/asn1_parser.h asn1/oid.c asn1/oid.h \
-	bio/bio_reader.h bio/bio_reader.c bio/bio_writer.h \
-	bio/bio_writer.c crypto/crypters/crypter.c \
-	crypto/crypters/crypter.h crypto/hashers/hasher.h \
-	crypto/hashers/hasher.c crypto/pkcs9.c crypto/pkcs9.h \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_9) \
+	$(am__append_11) $(am__append_13) $(am__append_15) \
+	$(am__append_17) $(am__append_19) $(am__append_21) \
+	$(am__append_23) $(am__append_25) $(am__append_27) \
+	$(am__append_29) $(am__append_31) $(am__append_33) \
+	$(am__append_35) $(am__append_37) $(am__append_39) \
+	$(am__append_41) $(am__append_43) $(am__append_45) \
+	$(am__append_47) $(am__append_49) $(am__append_51) \
+	$(am__append_53) $(am__append_55) $(am__append_57) \
+	$(am__append_59) $(am__append_61) $(am__append_63) \
+	$(am__append_65) $(am__append_67) $(am__append_69) \
+	$(am__append_71) $(am__append_73) $(am__append_75) \
+	$(am__append_77) $(am__append_79) $(am__append_81) \
+	$(am__append_83) $(am__append_85) $(am__append_87) \
+	$(am__append_89) $(am__append_91) $(am__append_93) \
+	$(am__append_95) $(am__append_97)
+am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
+	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
+	bio/bio_writer.c collections/blocking_queue.c \
+	collections/enumerator.c collections/hashtable.c \
+	collections/array.c collections/linked_list.c \
+	crypto/crypters/crypter.c crypto/hashers/hasher.c \
 	crypto/proposal/proposal_keywords.c \
-	crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \
-	crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \
-	crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \
-	crypto/signers/signer.h crypto/crypto_factory.c \
-	crypto/crypto_factory.h crypto/crypto_tester.c \
-	crypto/crypto_tester.h crypto/diffie_hellman.c \
-	crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \
-	crypto/transform.c crypto/transform.h \
-	credentials/credential_factory.c \
-	credentials/credential_factory.h credentials/builder.c \
-	credentials/builder.h credentials/cred_encoding.c \
-	credentials/cred_encoding.h credentials/keys/private_key.c \
-	credentials/keys/private_key.h credentials/keys/public_key.c \
-	credentials/keys/public_key.h credentials/keys/shared_key.c \
-	credentials/keys/shared_key.h \
+	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
+	crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
+	crypto/prf_plus.c crypto/signers/signer.c \
+	crypto/signers/mac_signer.c crypto/crypto_factory.c \
+	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
+	crypto/transform.c credentials/credential_factory.c \
+	credentials/builder.c credentials/cred_encoding.c \
+	credentials/keys/private_key.c credentials/keys/public_key.c \
+	credentials/keys/shared_key.c \
 	credentials/certificates/certificate.c \
-	credentials/certificates/certificate.h \
-	credentials/certificates/x509.h credentials/certificates/ac.h \
-	credentials/certificates/crl.h credentials/certificates/crl.c \
-	credentials/certificates/pkcs10.h \
-	credentials/certificates/ocsp_request.h \
-	credentials/certificates/ocsp_response.h \
+	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
-	credentials/certificates/pgp_certificate.h \
+	credentials/containers/container.c \
+	credentials/containers/pkcs12.c \
 	credentials/ietf_attributes/ietf_attributes.c \
-	credentials/ietf_attributes/ietf_attributes.h \
 	credentials/credential_manager.c \
-	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.c \
-	credentials/sets/auth_cfg_wrapper.h \
 	credentials/sets/ocsp_response_wrapper.c \
-	credentials/sets/ocsp_response_wrapper.h \
-	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
-	credentials/sets/callback_cred.c \
-	credentials/sets/callback_cred.h credentials/auth_cfg.c \
-	credentials/auth_cfg.h credentials/credential_set.h \
-	credentials/cert_validator.h database/database.h \
-	database/database.c database/database_factory.h \
-	database/database_factory.c fetcher/fetcher.h \
-	fetcher/fetcher.c fetcher/fetcher_manager.h \
-	fetcher/fetcher_manager.c eap/eap.h eap/eap.c pen/pen.h \
-	pen/pen.c plugins/plugin_loader.c plugins/plugin_loader.h \
-	plugins/plugin.h plugins/plugin_feature.c \
-	plugins/plugin_feature.h processing/jobs/job.h \
+	credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
+	credentials/sets/callback_cred.c credentials/auth_cfg.c \
+	database/database.c database/database_factory.c \
+	fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
+	ipsec/ipsec_types.c networking/host.c \
+	networking/host_resolver.c networking/packet.c \
+	networking/tun_device.c networking/streams/stream.c \
+	networking/streams/stream_service.c \
+	networking/streams/stream_manager.c pen/pen.c \
+	plugins/plugin_loader.c plugins/plugin_feature.c \
 	processing/jobs/job.c processing/jobs/callback_job.c \
-	processing/jobs/callback_job.h processing/processor.c \
-	processing/processor.h processing/scheduler.c \
-	processing/scheduler.h selectors/traffic_selector.c \
-	selectors/traffic_selector.h threading/thread.h \
-	threading/thread.c threading/thread_value.h \
-	threading/thread_value.c threading/mutex.h threading/mutex.c \
-	threading/condvar.h threading/rwlock.h threading/rwlock.c \
-	threading/lock_profiler.h utils.h utils.c utils/host.c \
-	utils/host.h utils/identification.c utils/identification.h \
-	utils/lexparser.c utils/lexparser.h utils/linked_list.c \
-	utils/linked_list.h utils/hashtable.c utils/hashtable.h \
-	utils/enumerator.c utils/enumerator.h utils/optionsfrom.c \
-	utils/optionsfrom.h utils/backtrace.c utils/backtrace.h \
-	utils/leak_detective.c utils/leak_detective.h \
-	integrity_checker.c integrity_checker.h
+	processing/processor.c processing/scheduler.c \
+	processing/watcher.c resolver/resolver_manager.c \
+	resolver/rr_set.c selectors/traffic_selector.c \
+	threading/thread.c threading/thread_value.c threading/mutex.c \
+	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
+	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
+	utils/identification.c utils/lexparser.c utils/optionsfrom.c \
+	utils/capabilities.c utils/backtrace.c utils/printf_hook.c \
+	utils/settings.c utils/leak_detective.c \
+	utils/integrity_checker.c
 @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
 @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
-am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
-	settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
-	bio_reader.lo bio_writer.lo crypter.lo hasher.lo pkcs9.lo \
-	proposal_keywords.lo prf.lo rng.lo prf_plus.lo signer.lo \
+am_libstrongswan_la_OBJECTS = library.lo asn1.lo asn1_parser.lo oid.lo \
+	bio_reader.lo bio_writer.lo blocking_queue.lo enumerator.lo \
+	hashtable.lo array.lo linked_list.lo crypter.lo hasher.lo \
+	proposal_keywords.lo proposal_keywords_static.lo prf.lo \
+	mac_prf.lo pkcs5.lo rng.lo prf_plus.lo signer.lo mac_signer.lo \
 	crypto_factory.lo crypto_tester.lo diffie_hellman.lo aead.lo \
 	transform.lo credential_factory.lo builder.lo cred_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
-	crl.lo ocsp_response.lo ietf_attributes.lo \
-	credential_manager.lo auth_cfg_wrapper.lo \
+	crl.lo ocsp_response.lo container.lo pkcs12.lo \
+	ietf_attributes.lo credential_manager.lo auth_cfg_wrapper.lo \
 	ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
 	callback_cred.lo auth_cfg.lo database.lo database_factory.lo \
-	fetcher.lo fetcher_manager.lo eap.lo pen.lo plugin_loader.lo \
+	fetcher.lo fetcher_manager.lo eap.lo ipsec_types.lo host.lo \
+	host_resolver.lo packet.lo tun_device.lo stream.lo \
+	stream_service.lo stream_manager.lo pen.lo plugin_loader.lo \
 	plugin_feature.lo job.lo callback_job.lo processor.lo \
-	scheduler.lo traffic_selector.lo thread.lo thread_value.lo \
-	mutex.lo rwlock.lo utils.lo host.lo identification.lo \
-	lexparser.lo linked_list.lo hashtable.lo enumerator.lo \
-	optionsfrom.lo backtrace.lo $(am__objects_1) $(am__objects_2)
+	scheduler.lo watcher.lo resolver_manager.lo rr_set.lo \
+	traffic_selector.lo thread.lo thread_value.lo mutex.lo \
+	semaphore.lo rwlock.lo spinlock.lo utils.lo chunk.lo debug.lo \
+	enum.lo identification.lo lexparser.lo optionsfrom.lo \
+	capabilities.lo backtrace.lo printf_hook.lo settings.lo \
+	$(am__objects_1) $(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_la_SOURCES)
 DIST_SOURCES = $(am__libstrongswan_la_SOURCES_DIST)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
@@ -287,6 +330,65 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	install-pdf-recursive install-ps-recursive install-recursive \
 	installcheck-recursive installdirs-recursive pdf-recursive \
 	ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
+	asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h \
+	bio/bio_writer.h collections/blocking_queue.h \
+	collections/enumerator.h collections/hashtable.h \
+	collections/linked_list.h collections/array.h \
+	crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
+	crypto/proposal/proposal_keywords.h \
+	crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
+	crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
+	crypto/prf_plus.h crypto/signers/signer.h \
+	crypto/signers/mac_signer.h crypto/crypto_factory.h \
+	crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \
+	crypto/transform.h crypto/pkcs5.h \
+	credentials/credential_factory.h credentials/builder.h \
+	credentials/cred_encoding.h credentials/keys/private_key.h \
+	credentials/keys/public_key.h credentials/keys/shared_key.h \
+	credentials/certificates/certificate.h \
+	credentials/certificates/x509.h credentials/certificates/ac.h \
+	credentials/certificates/crl.h \
+	credentials/certificates/pkcs10.h \
+	credentials/certificates/ocsp_request.h \
+	credentials/certificates/ocsp_response.h \
+	credentials/certificates/pgp_certificate.h \
+	credentials/containers/container.h \
+	credentials/containers/pkcs7.h credentials/containers/pkcs12.h \
+	credentials/ietf_attributes/ietf_attributes.h \
+	credentials/credential_manager.h \
+	credentials/sets/auth_cfg_wrapper.h \
+	credentials/sets/ocsp_response_wrapper.h \
+	credentials/sets/cert_cache.h credentials/sets/mem_cred.h \
+	credentials/sets/callback_cred.h credentials/auth_cfg.h \
+	credentials/credential_set.h credentials/cert_validator.h \
+	database/database.h database/database_factory.h \
+	fetcher/fetcher.h fetcher/fetcher_manager.h eap/eap.h \
+	pen/pen.h ipsec/ipsec_types.h networking/host.h \
+	networking/host_resolver.h networking/packet.h \
+	networking/tun_device.h networking/streams/stream.h \
+	networking/streams/stream_service.h \
+	networking/streams/stream_manager.h resolver/resolver.h \
+	resolver/resolver_response.h resolver/rr_set.h resolver/rr.h \
+	resolver/resolver_manager.h plugins/plugin_loader.h \
+	plugins/plugin.h plugins/plugin_feature.h \
+	processing/jobs/job.h processing/jobs/callback_job.h \
+	processing/processor.h processing/scheduler.h \
+	processing/watcher.h selectors/traffic_selector.h \
+	threading/thread.h threading/thread_value.h threading/mutex.h \
+	threading/condvar.h threading/spinlock.h threading/semaphore.h \
+	threading/rwlock.h threading/rwlock_condvar.h \
+	threading/lock_profiler.h utils/utils.h utils/chunk.h \
+	utils/debug.h utils/enum.h utils/identification.h \
+	utils/lexparser.h utils/optionsfrom.h utils/capabilities.h \
+	utils/backtrace.h utils/leak_detective.h utils/printf_hook.h \
+	utils/settings.h utils/integrity_checker.h
+HEADERS = $(nobase_strongswan_include_HEADERS)
 RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
   distclean-recursive maintainer-clean-recursive
 AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -295,15 +397,17 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
-	plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \
-	plugins/sha2 plugins/gmp plugins/random plugins/hmac \
-	plugins/cmac plugins/xcbc plugins/x509 plugins/revocation \
-	plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pkcs8 \
-	plugins/pgp plugins/dnskey plugins/pem plugins/curl \
+	plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \
+	plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \
+	plugins/random plugins/nonce plugins/hmac plugins/cmac \
+	plugins/xcbc plugins/x509 plugins/revocation \
+	plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pkcs7 \
+	plugins/pkcs8 plugins/pkcs12 plugins/pgp plugins/dnskey \
+	plugins/sshkey plugins/pem plugins/curl plugins/unbound \
 	plugins/soup plugins/ldap plugins/mysql plugins/sqlite \
 	plugins/padlock plugins/openssl plugins/gcrypt \
-	plugins/fips_prf plugins/agent plugins/pkcs11 plugins/ctr \
-	plugins/ccm plugins/gcm plugins/test_vectors
+	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
+	plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors tests
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -333,21 +437,28 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -356,13 +467,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -375,6 +489,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -402,11 +517,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -414,6 +531,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -422,8 +540,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -432,14 +548,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -453,17 +574,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -473,16 +594,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -511,148 +631,184 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 ipseclib_LTLIBRARIES = libstrongswan.la
-libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
-	debug.h enum.c enum.h settings.h settings.c printf_hook.c \
-	printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \
-	asn1/asn1_parser.h asn1/oid.c asn1/oid.h bio/bio_reader.h \
-	bio/bio_reader.c bio/bio_writer.h bio/bio_writer.c \
-	crypto/crypters/crypter.c crypto/crypters/crypter.h \
-	crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
-	crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
-	crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \
-	crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \
-	crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \
-	crypto/signers/signer.h crypto/crypto_factory.c \
-	crypto/crypto_factory.h crypto/crypto_tester.c \
-	crypto/crypto_tester.h crypto/diffie_hellman.c \
-	crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \
-	crypto/transform.c crypto/transform.h \
-	credentials/credential_factory.c \
-	credentials/credential_factory.h credentials/builder.c \
-	credentials/builder.h credentials/cred_encoding.c \
-	credentials/cred_encoding.h credentials/keys/private_key.c \
-	credentials/keys/private_key.h credentials/keys/public_key.c \
-	credentials/keys/public_key.h credentials/keys/shared_key.c \
-	credentials/keys/shared_key.h \
+libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
+	asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
+	collections/blocking_queue.c collections/enumerator.c \
+	collections/hashtable.c collections/array.c \
+	collections/linked_list.c crypto/crypters/crypter.c \
+	crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \
+	crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
+	crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
+	crypto/prf_plus.c crypto/signers/signer.c \
+	crypto/signers/mac_signer.c crypto/crypto_factory.c \
+	crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
+	crypto/transform.c credentials/credential_factory.c \
+	credentials/builder.c credentials/cred_encoding.c \
+	credentials/keys/private_key.c credentials/keys/public_key.c \
+	credentials/keys/shared_key.c \
 	credentials/certificates/certificate.c \
-	credentials/certificates/certificate.h \
-	credentials/certificates/x509.h credentials/certificates/ac.h \
-	credentials/certificates/crl.h credentials/certificates/crl.c \
-	credentials/certificates/pkcs10.h \
-	credentials/certificates/ocsp_request.h \
-	credentials/certificates/ocsp_response.h \
+	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
-	credentials/certificates/pgp_certificate.h \
+	credentials/containers/container.c \
+	credentials/containers/pkcs12.c \
 	credentials/ietf_attributes/ietf_attributes.c \
-	credentials/ietf_attributes/ietf_attributes.h \
 	credentials/credential_manager.c \
-	credentials/credential_manager.h \
 	credentials/sets/auth_cfg_wrapper.c \
-	credentials/sets/auth_cfg_wrapper.h \
 	credentials/sets/ocsp_response_wrapper.c \
-	credentials/sets/ocsp_response_wrapper.h \
-	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
-	credentials/sets/callback_cred.c \
-	credentials/sets/callback_cred.h credentials/auth_cfg.c \
-	credentials/auth_cfg.h credentials/credential_set.h \
-	credentials/cert_validator.h database/database.h \
-	database/database.c database/database_factory.h \
-	database/database_factory.c fetcher/fetcher.h \
-	fetcher/fetcher.c fetcher/fetcher_manager.h \
-	fetcher/fetcher_manager.c eap/eap.h eap/eap.c pen/pen.h \
-	pen/pen.c plugins/plugin_loader.c plugins/plugin_loader.h \
-	plugins/plugin.h plugins/plugin_feature.c \
-	plugins/plugin_feature.h processing/jobs/job.h \
+	credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
+	credentials/sets/callback_cred.c credentials/auth_cfg.c \
+	database/database.c database/database_factory.c \
+	fetcher/fetcher.c fetcher/fetcher_manager.c eap/eap.c \
+	ipsec/ipsec_types.c networking/host.c \
+	networking/host_resolver.c networking/packet.c \
+	networking/tun_device.c networking/streams/stream.c \
+	networking/streams/stream_service.c \
+	networking/streams/stream_manager.c pen/pen.c \
+	plugins/plugin_loader.c plugins/plugin_feature.c \
 	processing/jobs/job.c processing/jobs/callback_job.c \
-	processing/jobs/callback_job.h processing/processor.c \
-	processing/processor.h processing/scheduler.c \
-	processing/scheduler.h selectors/traffic_selector.c \
-	selectors/traffic_selector.h threading/thread.h \
-	threading/thread.c threading/thread_value.h \
-	threading/thread_value.c threading/mutex.h threading/mutex.c \
-	threading/condvar.h threading/rwlock.h threading/rwlock.c \
-	threading/lock_profiler.h utils.h utils.c utils/host.c \
-	utils/host.h utils/identification.c utils/identification.h \
-	utils/lexparser.c utils/lexparser.h utils/linked_list.c \
-	utils/linked_list.h utils/hashtable.c utils/hashtable.h \
-	utils/enumerator.c utils/enumerator.h utils/optionsfrom.c \
-	utils/optionsfrom.h utils/backtrace.c utils/backtrace.h \
-	$(am__append_2) $(am__append_5)
+	processing/processor.c processing/scheduler.c \
+	processing/watcher.c resolver/resolver_manager.c \
+	resolver/rr_set.c selectors/traffic_selector.c \
+	threading/thread.c threading/thread_value.c threading/mutex.c \
+	threading/semaphore.c threading/rwlock.c threading/spinlock.c \
+	utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \
+	utils/identification.c utils/lexparser.c utils/optionsfrom.c \
+	utils/capabilities.c utils/backtrace.c utils/printf_hook.c \
+	utils/settings.c $(am__append_2) $(am__append_5)
+@USE_DEV_HEADERS_TRUE@strongswan_includedir = ${dev_headers}
+@USE_DEV_HEADERS_TRUE@nobase_strongswan_include_HEADERS = \
+@USE_DEV_HEADERS_TRUE@library.h \
+@USE_DEV_HEADERS_TRUE@asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
+@USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
+@USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h \
+@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
+@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
+@USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
+@USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
+@USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
+@USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h crypto/pkcs5.h \
+@USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \
+@USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \
+@USE_DEV_HEADERS_TRUE@credentials/keys/public_key.h credentials/keys/shared_key.h \
+@USE_DEV_HEADERS_TRUE@credentials/certificates/certificate.h credentials/certificates/x509.h \
+@USE_DEV_HEADERS_TRUE@credentials/certificates/ac.h credentials/certificates/crl.h \
+@USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
+@USE_DEV_HEADERS_TRUE@credentials/certificates/ocsp_response.h \
+@USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \
+@USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \
+@USE_DEV_HEADERS_TRUE@credentials/containers/pkcs12.h \
+@USE_DEV_HEADERS_TRUE@credentials/ietf_attributes/ietf_attributes.h \
+@USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
+@USE_DEV_HEADERS_TRUE@credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \
+@USE_DEV_HEADERS_TRUE@credentials/sets/mem_cred.h credentials/sets/callback_cred.h \
+@USE_DEV_HEADERS_TRUE@credentials/auth_cfg.h credentials/credential_set.h credentials/cert_validator.h \
+@USE_DEV_HEADERS_TRUE@database/database.h database/database_factory.h fetcher/fetcher.h \
+@USE_DEV_HEADERS_TRUE@fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
+@USE_DEV_HEADERS_TRUE@networking/host.h networking/host_resolver.h networking/packet.h \
+@USE_DEV_HEADERS_TRUE@networking/tun_device.h networking/streams/stream.h \
+@USE_DEV_HEADERS_TRUE@networking/streams/stream_service.h networking/streams/stream_manager.h \
+@USE_DEV_HEADERS_TRUE@resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \
+@USE_DEV_HEADERS_TRUE@resolver/rr.h resolver/resolver_manager.h \
+@USE_DEV_HEADERS_TRUE@plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
+@USE_DEV_HEADERS_TRUE@processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
+@USE_DEV_HEADERS_TRUE@processing/scheduler.h processing/watcher.h selectors/traffic_selector.h \
+@USE_DEV_HEADERS_TRUE@threading/thread.h threading/thread_value.h \
+@USE_DEV_HEADERS_TRUE@threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \
+@USE_DEV_HEADERS_TRUE@threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \
+@USE_DEV_HEADERS_TRUE@utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
+@USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
+@USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook.h utils/settings.h utils/integrity_checker.h
+
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
-	$(RTLIB) $(am__append_6) $(am__append_8) $(am__append_10) \
-	$(am__append_12) $(am__append_14) $(am__append_16) \
-	$(am__append_18) $(am__append_20) $(am__append_22) \
-	$(am__append_24) $(am__append_26) $(am__append_28) \
-	$(am__append_30) $(am__append_32) $(am__append_34) \
-	$(am__append_36) $(am__append_38) $(am__append_40) \
-	$(am__append_42) $(am__append_44) $(am__append_46) \
-	$(am__append_48) $(am__append_50) $(am__append_52) \
-	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60) $(am__append_62) $(am__append_64) \
-	$(am__append_66) $(am__append_68) $(am__append_70) \
-	$(am__append_72) $(am__append_74) $(am__append_76) \
-	$(am__append_78) $(am__append_80)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
+	$(RTLIB) $(BFDLIB) $(UNWINDLIB) $(am__append_6) \
+	$(am__append_7) $(am__append_9) $(am__append_11) \
+	$(am__append_13) $(am__append_15) $(am__append_17) \
+	$(am__append_19) $(am__append_21) $(am__append_23) \
+	$(am__append_25) $(am__append_27) $(am__append_29) \
+	$(am__append_31) $(am__append_33) $(am__append_35) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_53) \
+	$(am__append_55) $(am__append_57) $(am__append_59) \
+	$(am__append_61) $(am__append_63) $(am__append_65) \
+	$(am__append_67) $(am__append_69) $(am__append_71) \
+	$(am__append_73) $(am__append_75) $(am__append_77) \
+	$(am__append_79) $(am__append_81) $(am__append_83) \
+	$(am__append_85) $(am__append_87) $(am__append_89) \
+	$(am__append_91) $(am__append_93) $(am__append_95) \
+	$(am__append_97)
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
 	$(am__append_3) $(am__append_4)
+AM_CFLAGS = \
+	@COVERAGE_CFLAGS@
+
 EXTRA_DIST = \
 asn1/oid.txt asn1/oid.pl \
-crypto/proposal/proposal_keywords.txt \
+crypto/proposal/proposal_keywords_static.txt \
 Android.mk AndroidConfigLocal.h
 
 BUILT_SOURCES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
-$(srcdir)/crypto/proposal/proposal_keywords.c
+$(srcdir)/crypto/proposal/proposal_keywords_static.c
 
 MAINTAINERCLEANFILES = \
 $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \
-$(srcdir)/crypto/proposal/proposal_keywords.c
-
-@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_7) $(am__append_9) \
-@MONOLITHIC_FALSE@	$(am__append_11) $(am__append_13) \
-@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_17) \
-@MONOLITHIC_FALSE@	$(am__append_19) $(am__append_21) \
-@MONOLITHIC_FALSE@	$(am__append_23) $(am__append_25) \
-@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_29) \
-@MONOLITHIC_FALSE@	$(am__append_31) $(am__append_33) \
-@MONOLITHIC_FALSE@	$(am__append_35) $(am__append_37) \
-@MONOLITHIC_FALSE@	$(am__append_39) $(am__append_41) \
-@MONOLITHIC_FALSE@	$(am__append_43) $(am__append_45) \
-@MONOLITHIC_FALSE@	$(am__append_47) $(am__append_49) \
-@MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
-@MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
-@MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
-@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69) \
-@MONOLITHIC_FALSE@	$(am__append_71) $(am__append_73) \
-@MONOLITHIC_FALSE@	$(am__append_75) $(am__append_77) \
-@MONOLITHIC_FALSE@	$(am__append_79)
+$(srcdir)/crypto/proposal/proposal_keywords_static.c
+
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_8) $(am__append_10) \
+@MONOLITHIC_FALSE@	$(am__append_12) $(am__append_14) \
+@MONOLITHIC_FALSE@	$(am__append_16) $(am__append_18) \
+@MONOLITHIC_FALSE@	$(am__append_20) $(am__append_22) \
+@MONOLITHIC_FALSE@	$(am__append_24) $(am__append_26) \
+@MONOLITHIC_FALSE@	$(am__append_28) $(am__append_30) \
+@MONOLITHIC_FALSE@	$(am__append_32) $(am__append_34) \
+@MONOLITHIC_FALSE@	$(am__append_36) $(am__append_38) \
+@MONOLITHIC_FALSE@	$(am__append_40) $(am__append_42) \
+@MONOLITHIC_FALSE@	$(am__append_44) $(am__append_46) \
+@MONOLITHIC_FALSE@	$(am__append_48) $(am__append_50) \
+@MONOLITHIC_FALSE@	$(am__append_52) $(am__append_54) \
+@MONOLITHIC_FALSE@	$(am__append_56) $(am__append_58) \
+@MONOLITHIC_FALSE@	$(am__append_60) $(am__append_62) \
+@MONOLITHIC_FALSE@	$(am__append_64) $(am__append_66) \
+@MONOLITHIC_FALSE@	$(am__append_68) $(am__append_70) \
+@MONOLITHIC_FALSE@	$(am__append_72) $(am__append_74) \
+@MONOLITHIC_FALSE@	$(am__append_76) $(am__append_78) \
+@MONOLITHIC_FALSE@	$(am__append_80) $(am__append_82) \
+@MONOLITHIC_FALSE@	$(am__append_84) $(am__append_86) \
+@MONOLITHIC_FALSE@	$(am__append_88) $(am__append_90) \
+@MONOLITHIC_FALSE@	$(am__append_92) $(am__append_94) \
+@MONOLITHIC_FALSE@	$(am__append_96) $(am__append_98) \
+@MONOLITHIC_FALSE@	$(am__append_99)
 
 # build plugins with their own Makefile
 #######################################
-@MONOLITHIC_TRUE@SUBDIRS = $(am__append_7) $(am__append_9) \
-@MONOLITHIC_TRUE@	$(am__append_11) $(am__append_13) \
-@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_17) \
-@MONOLITHIC_TRUE@	$(am__append_19) $(am__append_21) \
-@MONOLITHIC_TRUE@	$(am__append_23) $(am__append_25) \
-@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_29) \
-@MONOLITHIC_TRUE@	$(am__append_31) $(am__append_33) \
-@MONOLITHIC_TRUE@	$(am__append_35) $(am__append_37) \
-@MONOLITHIC_TRUE@	$(am__append_39) $(am__append_41) \
-@MONOLITHIC_TRUE@	$(am__append_43) $(am__append_45) \
-@MONOLITHIC_TRUE@	$(am__append_47) $(am__append_49) \
-@MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
-@MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
-@MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
-@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69) \
-@MONOLITHIC_TRUE@	$(am__append_71) $(am__append_73) \
-@MONOLITHIC_TRUE@	$(am__append_75) $(am__append_77) \
-@MONOLITHIC_TRUE@	$(am__append_79)
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_8) $(am__append_10) \
+@MONOLITHIC_TRUE@	$(am__append_12) $(am__append_14) \
+@MONOLITHIC_TRUE@	$(am__append_16) $(am__append_18) \
+@MONOLITHIC_TRUE@	$(am__append_20) $(am__append_22) \
+@MONOLITHIC_TRUE@	$(am__append_24) $(am__append_26) \
+@MONOLITHIC_TRUE@	$(am__append_28) $(am__append_30) \
+@MONOLITHIC_TRUE@	$(am__append_32) $(am__append_34) \
+@MONOLITHIC_TRUE@	$(am__append_36) $(am__append_38) \
+@MONOLITHIC_TRUE@	$(am__append_40) $(am__append_42) \
+@MONOLITHIC_TRUE@	$(am__append_44) $(am__append_46) \
+@MONOLITHIC_TRUE@	$(am__append_48) $(am__append_50) \
+@MONOLITHIC_TRUE@	$(am__append_52) $(am__append_54) \
+@MONOLITHIC_TRUE@	$(am__append_56) $(am__append_58) \
+@MONOLITHIC_TRUE@	$(am__append_60) $(am__append_62) \
+@MONOLITHIC_TRUE@	$(am__append_64) $(am__append_66) \
+@MONOLITHIC_TRUE@	$(am__append_68) $(am__append_70) \
+@MONOLITHIC_TRUE@	$(am__append_72) $(am__append_74) \
+@MONOLITHIC_TRUE@	$(am__append_76) $(am__append_78) \
+@MONOLITHIC_TRUE@	$(am__append_80) $(am__append_82) \
+@MONOLITHIC_TRUE@	$(am__append_84) $(am__append_86) \
+@MONOLITHIC_TRUE@	$(am__append_88) $(am__append_90) \
+@MONOLITHIC_TRUE@	$(am__append_92) $(am__append_94) \
+@MONOLITHIC_TRUE@	$(am__append_96) $(am__append_98) \
+@MONOLITHIC_TRUE@	$(am__append_99)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -690,7 +846,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -698,6 +853,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -719,8 +876,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
+libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) $(EXTRA_libstrongswan_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -729,6 +886,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/array.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@
@@ -736,12 +894,15 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bio_reader.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bio_writer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blocking_queue.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_cred.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/capabilities.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/container.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cred_encoding.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_factory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@
@@ -761,22 +922,28 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host_resolver.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_types.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mac_signer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_cred.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pen.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs12.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs5.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_feature.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_loader.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
@@ -785,472 +952,695 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords_static.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolver_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rr_set.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rwlock.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/semaphore.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/settings.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shared_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spinlock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stream.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stream_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stream_service.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_value.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tun_device.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/watcher.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 asn1.lo: asn1/asn1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
 
 asn1_parser.lo: asn1/asn1_parser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1_parser.lo -MD -MP -MF $(DEPDIR)/asn1_parser.Tpo -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/asn1_parser.Tpo $(DEPDIR)/asn1_parser.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/asn1_parser.c' object='asn1_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1_parser.lo -MD -MP -MF $(DEPDIR)/asn1_parser.Tpo -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/asn1_parser.Tpo $(DEPDIR)/asn1_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='asn1/asn1_parser.c' object='asn1_parser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1_parser.lo `test -f 'asn1/asn1_parser.c' || echo '$(srcdir)/'`asn1/asn1_parser.c
 
 oid.lo: asn1/oid.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
 
 bio_reader.lo: bio/bio_reader.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_reader.lo -MD -MP -MF $(DEPDIR)/bio_reader.Tpo -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bio_reader.Tpo $(DEPDIR)/bio_reader.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bio/bio_reader.c' object='bio_reader.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_reader.lo -MD -MP -MF $(DEPDIR)/bio_reader.Tpo -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bio_reader.Tpo $(DEPDIR)/bio_reader.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bio/bio_reader.c' object='bio_reader.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_reader.lo `test -f 'bio/bio_reader.c' || echo '$(srcdir)/'`bio/bio_reader.c
 
 bio_writer.lo: bio/bio_writer.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_writer.lo -MD -MP -MF $(DEPDIR)/bio_writer.Tpo -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/bio_writer.Tpo $(DEPDIR)/bio_writer.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='bio/bio_writer.c' object='bio_writer.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bio_writer.lo -MD -MP -MF $(DEPDIR)/bio_writer.Tpo -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/bio_writer.Tpo $(DEPDIR)/bio_writer.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='bio/bio_writer.c' object='bio_writer.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
+
+blocking_queue.lo: collections/blocking_queue.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blocking_queue.lo -MD -MP -MF $(DEPDIR)/blocking_queue.Tpo -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/blocking_queue.Tpo $(DEPDIR)/blocking_queue.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/blocking_queue.c' object='blocking_queue.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blocking_queue.lo `test -f 'collections/blocking_queue.c' || echo '$(srcdir)/'`collections/blocking_queue.c
+
+enumerator.lo: collections/enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'collections/enumerator.c' || echo '$(srcdir)/'`collections/enumerator.c
+
+hashtable.lo: collections/hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bio_writer.lo `test -f 'bio/bio_writer.c' || echo '$(srcdir)/'`bio/bio_writer.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'collections/hashtable.c' || echo '$(srcdir)/'`collections/hashtable.c
+
+array.lo: collections/array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT array.lo -MD -MP -MF $(DEPDIR)/array.Tpo -c -o array.lo `test -f 'collections/array.c' || echo '$(srcdir)/'`collections/array.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/array.Tpo $(DEPDIR)/array.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/array.c' object='array.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o array.lo `test -f 'collections/array.c' || echo '$(srcdir)/'`collections/array.c
+
+linked_list.lo: collections/linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='collections/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'collections/linked_list.c' || echo '$(srcdir)/'`collections/linked_list.c
 
 crypter.lo: crypto/crypters/crypter.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
 
 hasher.lo: crypto/hashers/hasher.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
 
-pkcs9.lo: crypto/pkcs9.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs9.lo -MD -MP -MF $(DEPDIR)/pkcs9.Tpo -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pkcs9.Tpo $(DEPDIR)/pkcs9.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/pkcs9.c' object='pkcs9.lo' libtool=yes @AMDEPBACKSLASH@
+proposal_keywords.lo: crypto/proposal/proposal_keywords.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/proposal/proposal_keywords.c' object='proposal_keywords.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
 
-proposal_keywords.lo: crypto/proposal/proposal_keywords.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords.lo -MD -MP -MF $(DEPDIR)/proposal_keywords.Tpo -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/proposal_keywords.Tpo $(DEPDIR)/proposal_keywords.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/proposal/proposal_keywords.c' object='proposal_keywords.lo' libtool=yes @AMDEPBACKSLASH@
+proposal_keywords_static.lo: crypto/proposal/proposal_keywords_static.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_keywords_static.lo -MD -MP -MF $(DEPDIR)/proposal_keywords_static.Tpo -c -o proposal_keywords_static.lo `test -f 'crypto/proposal/proposal_keywords_static.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords_static.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/proposal_keywords_static.Tpo $(DEPDIR)/proposal_keywords_static.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/proposal/proposal_keywords_static.c' object='proposal_keywords_static.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords.lo `test -f 'crypto/proposal/proposal_keywords.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_keywords_static.lo `test -f 'crypto/proposal/proposal_keywords_static.c' || echo '$(srcdir)/'`crypto/proposal/proposal_keywords_static.c
 
 prf.lo: crypto/prfs/prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+
+mac_prf.lo: crypto/prfs/mac_prf.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mac_prf.lo -MD -MP -MF $(DEPDIR)/mac_prf.Tpo -c -o mac_prf.lo `test -f 'crypto/prfs/mac_prf.c' || echo '$(srcdir)/'`crypto/prfs/mac_prf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mac_prf.Tpo $(DEPDIR)/mac_prf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/prfs/mac_prf.c' object='mac_prf.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mac_prf.lo `test -f 'crypto/prfs/mac_prf.c' || echo '$(srcdir)/'`crypto/prfs/mac_prf.c
+
+pkcs5.lo: crypto/pkcs5.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs5.lo -MD -MP -MF $(DEPDIR)/pkcs5.Tpo -c -o pkcs5.lo `test -f 'crypto/pkcs5.c' || echo '$(srcdir)/'`crypto/pkcs5.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs5.Tpo $(DEPDIR)/pkcs5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/pkcs5.c' object='pkcs5.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs5.lo `test -f 'crypto/pkcs5.c' || echo '$(srcdir)/'`crypto/pkcs5.c
 
 rng.lo: crypto/rngs/rng.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/rngs/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/rngs/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'crypto/rngs/rng.c' || echo '$(srcdir)/'`crypto/rngs/rng.c
 
 prf_plus.lo: crypto/prf_plus.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
 
 signer.lo: crypto/signers/signer.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+
+mac_signer.lo: crypto/signers/mac_signer.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mac_signer.lo -MD -MP -MF $(DEPDIR)/mac_signer.Tpo -c -o mac_signer.lo `test -f 'crypto/signers/mac_signer.c' || echo '$(srcdir)/'`crypto/signers/mac_signer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mac_signer.Tpo $(DEPDIR)/mac_signer.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/signers/mac_signer.c' object='mac_signer.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mac_signer.lo `test -f 'crypto/signers/mac_signer.c' || echo '$(srcdir)/'`crypto/signers/mac_signer.c
 
 crypto_factory.lo: crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_factory.c' object='crypto_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_factory.lo -MD -MP -MF $(DEPDIR)/crypto_factory.Tpo -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crypto_factory.Tpo $(DEPDIR)/crypto_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/crypto_factory.c' object='crypto_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_factory.lo `test -f 'crypto/crypto_factory.c' || echo '$(srcdir)/'`crypto/crypto_factory.c
 
 crypto_tester.lo: crypto/crypto_tester.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_tester.lo -MD -MP -MF $(DEPDIR)/crypto_tester.Tpo -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crypto_tester.Tpo $(DEPDIR)/crypto_tester.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypto_tester.c' object='crypto_tester.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_tester.lo -MD -MP -MF $(DEPDIR)/crypto_tester.Tpo -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crypto_tester.Tpo $(DEPDIR)/crypto_tester.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/crypto_tester.c' object='crypto_tester.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_tester.lo `test -f 'crypto/crypto_tester.c' || echo '$(srcdir)/'`crypto/crypto_tester.c
 
 diffie_hellman.lo: crypto/diffie_hellman.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 
 aead.lo: crypto/aead.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aead.lo -MD -MP -MF $(DEPDIR)/aead.Tpo -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aead.Tpo $(DEPDIR)/aead.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/aead.c' object='aead.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aead.lo -MD -MP -MF $(DEPDIR)/aead.Tpo -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aead.Tpo $(DEPDIR)/aead.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/aead.c' object='aead.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
 
 transform.lo: crypto/transform.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/transform.c' object='transform.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='crypto/transform.c' object='transform.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
 
 credential_factory.lo: credentials/credential_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_factory.lo -MD -MP -MF $(DEPDIR)/credential_factory.Tpo -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_factory.Tpo $(DEPDIR)/credential_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_factory.c' object='credential_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_factory.lo -MD -MP -MF $(DEPDIR)/credential_factory.Tpo -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/credential_factory.Tpo $(DEPDIR)/credential_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/credential_factory.c' object='credential_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_factory.lo `test -f 'credentials/credential_factory.c' || echo '$(srcdir)/'`credentials/credential_factory.c
 
 builder.lo: credentials/builder.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT builder.lo -MD -MP -MF $(DEPDIR)/builder.Tpo -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/builder.Tpo $(DEPDIR)/builder.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/builder.c' object='builder.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT builder.lo -MD -MP -MF $(DEPDIR)/builder.Tpo -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/builder.Tpo $(DEPDIR)/builder.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/builder.c' object='builder.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c
 
 cred_encoding.lo: credentials/cred_encoding.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cred_encoding.lo -MD -MP -MF $(DEPDIR)/cred_encoding.Tpo -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cred_encoding.Tpo $(DEPDIR)/cred_encoding.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/cred_encoding.c' object='cred_encoding.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cred_encoding.lo -MD -MP -MF $(DEPDIR)/cred_encoding.Tpo -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cred_encoding.Tpo $(DEPDIR)/cred_encoding.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/cred_encoding.c' object='cred_encoding.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c
 
 private_key.lo: credentials/keys/private_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/private_key.Tpo $(DEPDIR)/private_key.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/private_key.c' object='private_key.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/private_key.Tpo $(DEPDIR)/private_key.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/keys/private_key.c' object='private_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c
 
 public_key.lo: credentials/keys/public_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT public_key.lo -MD -MP -MF $(DEPDIR)/public_key.Tpo -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/public_key.Tpo $(DEPDIR)/public_key.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/public_key.c' object='public_key.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT public_key.lo -MD -MP -MF $(DEPDIR)/public_key.Tpo -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/public_key.Tpo $(DEPDIR)/public_key.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/keys/public_key.c' object='public_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o public_key.lo `test -f 'credentials/keys/public_key.c' || echo '$(srcdir)/'`credentials/keys/public_key.c
 
 shared_key.lo: credentials/keys/shared_key.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shared_key.lo -MD -MP -MF $(DEPDIR)/shared_key.Tpo -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/shared_key.Tpo $(DEPDIR)/shared_key.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/keys/shared_key.c' object='shared_key.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT shared_key.lo -MD -MP -MF $(DEPDIR)/shared_key.Tpo -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/shared_key.Tpo $(DEPDIR)/shared_key.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/keys/shared_key.c' object='shared_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o shared_key.lo `test -f 'credentials/keys/shared_key.c' || echo '$(srcdir)/'`credentials/keys/shared_key.c
 
 certificate.lo: credentials/certificates/certificate.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certificate.lo -MD -MP -MF $(DEPDIR)/certificate.Tpo -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/certificate.Tpo $(DEPDIR)/certificate.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/certificate.c' object='certificate.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certificate.lo -MD -MP -MF $(DEPDIR)/certificate.Tpo -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/certificate.Tpo $(DEPDIR)/certificate.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/certificates/certificate.c' object='certificate.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c
 
 crl.lo: credentials/certificates/crl.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/certificates/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c
 
 ocsp_response.lo: credentials/certificates/ocsp_response.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response.lo -MD -MP -MF $(DEPDIR)/ocsp_response.Tpo -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response.Tpo $(DEPDIR)/ocsp_response.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/certificates/ocsp_response.c' object='ocsp_response.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response.lo -MD -MP -MF $(DEPDIR)/ocsp_response.Tpo -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ocsp_response.Tpo $(DEPDIR)/ocsp_response.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/certificates/ocsp_response.c' object='ocsp_response.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response.lo `test -f 'credentials/certificates/ocsp_response.c' || echo '$(srcdir)/'`credentials/certificates/ocsp_response.c
+
+container.lo: credentials/containers/container.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT container.lo -MD -MP -MF $(DEPDIR)/container.Tpo -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/container.Tpo $(DEPDIR)/container.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/containers/container.c' object='container.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o container.lo `test -f 'credentials/containers/container.c' || echo '$(srcdir)/'`credentials/containers/container.c
+
+pkcs12.lo: credentials/containers/pkcs12.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs12.lo -MD -MP -MF $(DEPDIR)/pkcs12.Tpo -c -o pkcs12.lo `test -f 'credentials/containers/pkcs12.c' || echo '$(srcdir)/'`credentials/containers/pkcs12.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs12.Tpo $(DEPDIR)/pkcs12.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/containers/pkcs12.c' object='pkcs12.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs12.lo `test -f 'credentials/containers/pkcs12.c' || echo '$(srcdir)/'`credentials/containers/pkcs12.c
 
 ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attributes.lo -MD -MP -MF $(DEPDIR)/ietf_attributes.Tpo -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ietf_attributes.Tpo $(DEPDIR)/ietf_attributes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/ietf_attributes/ietf_attributes.c' object='ietf_attributes.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attributes.lo -MD -MP -MF $(DEPDIR)/ietf_attributes.Tpo -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ietf_attributes.Tpo $(DEPDIR)/ietf_attributes.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/ietf_attributes/ietf_attributes.c' object='ietf_attributes.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c
 
 credential_manager.lo: credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c
 
 auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
 
 ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
 
 cert_cache.lo: credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
 
 mem_cred.lo: credentials/sets/mem_cred.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_cred.lo -MD -MP -MF $(DEPDIR)/mem_cred.Tpo -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mem_cred.Tpo $(DEPDIR)/mem_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/mem_cred.c' object='mem_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_cred.lo -MD -MP -MF $(DEPDIR)/mem_cred.Tpo -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mem_cred.Tpo $(DEPDIR)/mem_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/mem_cred.c' object='mem_cred.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
 
 callback_cred.lo: credentials/sets/callback_cred.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_cred.lo -MD -MP -MF $(DEPDIR)/callback_cred.Tpo -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_cred.Tpo $(DEPDIR)/callback_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/callback_cred.c' object='callback_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_cred.lo -MD -MP -MF $(DEPDIR)/callback_cred.Tpo -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/callback_cred.Tpo $(DEPDIR)/callback_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/sets/callback_cred.c' object='callback_cred.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
 
 auth_cfg.lo: credentials/auth_cfg.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='credentials/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
 
 database.lo: database/database.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database.lo -MD -MP -MF $(DEPDIR)/database.Tpo -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/database.Tpo $(DEPDIR)/database.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='database/database.c' object='database.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database.lo -MD -MP -MF $(DEPDIR)/database.Tpo -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/database.Tpo $(DEPDIR)/database.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='database/database.c' object='database.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database.lo `test -f 'database/database.c' || echo '$(srcdir)/'`database/database.c
 
 database_factory.lo: database/database_factory.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='database/database_factory.c' object='database_factory.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='database/database_factory.c' object='database_factory.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c
 
 fetcher.lo: fetcher/fetcher.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF $(DEPDIR)/fetcher.Tpo -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fetcher.Tpo $(DEPDIR)/fetcher.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fetcher/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF $(DEPDIR)/fetcher.Tpo -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fetcher.Tpo $(DEPDIR)/fetcher.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='fetcher/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'fetcher/fetcher.c' || echo '$(srcdir)/'`fetcher/fetcher.c
 
 fetcher_manager.lo: fetcher/fetcher_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fetcher/fetcher_manager.c' object='fetcher_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher_manager.lo -MD -MP -MF $(DEPDIR)/fetcher_manager.Tpo -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fetcher_manager.Tpo $(DEPDIR)/fetcher_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='fetcher/fetcher_manager.c' object='fetcher_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
 
 eap.lo: eap/eap.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap.lo -MD -MP -MF $(DEPDIR)/eap.Tpo -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap.Tpo $(DEPDIR)/eap.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='eap/eap.c' object='eap.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap.lo -MD -MP -MF $(DEPDIR)/eap.Tpo -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/eap.Tpo $(DEPDIR)/eap.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='eap/eap.c' object='eap.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+
+ipsec_types.lo: ipsec/ipsec_types.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ipsec_types.lo -MD -MP -MF $(DEPDIR)/ipsec_types.Tpo -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ipsec_types.Tpo $(DEPDIR)/ipsec_types.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ipsec/ipsec_types.c' object='ipsec_types.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ipsec_types.lo `test -f 'ipsec/ipsec_types.c' || echo '$(srcdir)/'`ipsec/ipsec_types.c
+
+host.lo: networking/host.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'networking/host.c' || echo '$(srcdir)/'`networking/host.c
+
+host_resolver.lo: networking/host_resolver.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host_resolver.lo -MD -MP -MF $(DEPDIR)/host_resolver.Tpo -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/host_resolver.Tpo $(DEPDIR)/host_resolver.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/host_resolver.c' object='host_resolver.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host_resolver.lo `test -f 'networking/host_resolver.c' || echo '$(srcdir)/'`networking/host_resolver.c
+
+packet.lo: networking/packet.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/packet.Tpo $(DEPDIR)/packet.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/packet.c' object='packet.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.lo `test -f 'networking/packet.c' || echo '$(srcdir)/'`networking/packet.c
+
+tun_device.lo: networking/tun_device.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tun_device.lo -MD -MP -MF $(DEPDIR)/tun_device.Tpo -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tun_device.Tpo $(DEPDIR)/tun_device.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/tun_device.c' object='tun_device.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tun_device.lo `test -f 'networking/tun_device.c' || echo '$(srcdir)/'`networking/tun_device.c
+
+stream.lo: networking/streams/stream.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stream.lo -MD -MP -MF $(DEPDIR)/stream.Tpo -c -o stream.lo `test -f 'networking/streams/stream.c' || echo '$(srcdir)/'`networking/streams/stream.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/stream.Tpo $(DEPDIR)/stream.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/streams/stream.c' object='stream.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stream.lo `test -f 'networking/streams/stream.c' || echo '$(srcdir)/'`networking/streams/stream.c
+
+stream_service.lo: networking/streams/stream_service.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stream_service.lo -MD -MP -MF $(DEPDIR)/stream_service.Tpo -c -o stream_service.lo `test -f 'networking/streams/stream_service.c' || echo '$(srcdir)/'`networking/streams/stream_service.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/stream_service.Tpo $(DEPDIR)/stream_service.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/streams/stream_service.c' object='stream_service.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stream_service.lo `test -f 'networking/streams/stream_service.c' || echo '$(srcdir)/'`networking/streams/stream_service.c
+
+stream_manager.lo: networking/streams/stream_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stream_manager.lo -MD -MP -MF $(DEPDIR)/stream_manager.Tpo -c -o stream_manager.lo `test -f 'networking/streams/stream_manager.c' || echo '$(srcdir)/'`networking/streams/stream_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/stream_manager.Tpo $(DEPDIR)/stream_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='networking/streams/stream_manager.c' object='stream_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stream_manager.lo `test -f 'networking/streams/stream_manager.c' || echo '$(srcdir)/'`networking/streams/stream_manager.c
 
 pen.lo: pen/pen.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pen.lo -MD -MP -MF $(DEPDIR)/pen.Tpo -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pen.Tpo $(DEPDIR)/pen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='pen/pen.c' object='pen.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pen.lo -MD -MP -MF $(DEPDIR)/pen.Tpo -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pen.Tpo $(DEPDIR)/pen.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='pen/pen.c' object='pen.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pen.lo `test -f 'pen/pen.c' || echo '$(srcdir)/'`pen/pen.c
 
 plugin_loader.lo: plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
 
 plugin_feature.lo: plugins/plugin_feature.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_feature.lo -MD -MP -MF $(DEPDIR)/plugin_feature.Tpo -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_feature.Tpo $(DEPDIR)/plugin_feature.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_feature.c' object='plugin_feature.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_feature.lo -MD -MP -MF $(DEPDIR)/plugin_feature.Tpo -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/plugin_feature.Tpo $(DEPDIR)/plugin_feature.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='plugins/plugin_feature.c' object='plugin_feature.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_feature.lo `test -f 'plugins/plugin_feature.c' || echo '$(srcdir)/'`plugins/plugin_feature.c
 
 job.lo: processing/jobs/job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.lo -MD -MP -MF $(DEPDIR)/job.Tpo -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/job.Tpo $(DEPDIR)/job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/job.c' object='job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.lo -MD -MP -MF $(DEPDIR)/job.Tpo -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/job.Tpo $(DEPDIR)/job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/job.c' object='job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.lo `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
 
 callback_job.lo: processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
 
 processor.lo: processing/processor.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
 
 scheduler.lo: processing/scheduler.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+
+watcher.lo: processing/watcher.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT watcher.lo -MD -MP -MF $(DEPDIR)/watcher.Tpo -c -o watcher.lo `test -f 'processing/watcher.c' || echo '$(srcdir)/'`processing/watcher.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/watcher.Tpo $(DEPDIR)/watcher.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='processing/watcher.c' object='watcher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o watcher.lo `test -f 'processing/watcher.c' || echo '$(srcdir)/'`processing/watcher.c
+
+resolver_manager.lo: resolver/resolver_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT resolver_manager.lo -MD -MP -MF $(DEPDIR)/resolver_manager.Tpo -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/resolver_manager.Tpo $(DEPDIR)/resolver_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='resolver/resolver_manager.c' object='resolver_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o resolver_manager.lo `test -f 'resolver/resolver_manager.c' || echo '$(srcdir)/'`resolver/resolver_manager.c
+
+rr_set.lo: resolver/rr_set.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rr_set.lo -MD -MP -MF $(DEPDIR)/rr_set.Tpo -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rr_set.Tpo $(DEPDIR)/rr_set.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='resolver/rr_set.c' object='rr_set.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rr_set.lo `test -f 'resolver/rr_set.c' || echo '$(srcdir)/'`resolver/rr_set.c
 
 traffic_selector.lo: selectors/traffic_selector.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='selectors/traffic_selector.c' object='traffic_selector.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='selectors/traffic_selector.c' object='traffic_selector.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
 
 thread.lo: threading/thread.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread.lo -MD -MP -MF $(DEPDIR)/thread.Tpo -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/thread.Tpo $(DEPDIR)/thread.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/thread.c' object='thread.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread.lo -MD -MP -MF $(DEPDIR)/thread.Tpo -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/thread.Tpo $(DEPDIR)/thread.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/thread.c' object='thread.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread.lo `test -f 'threading/thread.c' || echo '$(srcdir)/'`threading/thread.c
 
 thread_value.lo: threading/thread_value.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_value.lo -MD -MP -MF $(DEPDIR)/thread_value.Tpo -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/thread_value.Tpo $(DEPDIR)/thread_value.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/thread_value.c' object='thread_value.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_value.lo -MD -MP -MF $(DEPDIR)/thread_value.Tpo -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/thread_value.Tpo $(DEPDIR)/thread_value.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/thread_value.c' object='thread_value.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_value.lo `test -f 'threading/thread_value.c' || echo '$(srcdir)/'`threading/thread_value.c
 
 mutex.lo: threading/mutex.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mutex.lo -MD -MP -MF $(DEPDIR)/mutex.Tpo -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mutex.Tpo $(DEPDIR)/mutex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/mutex.c' object='mutex.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mutex.lo -MD -MP -MF $(DEPDIR)/mutex.Tpo -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/mutex.Tpo $(DEPDIR)/mutex.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/mutex.c' object='mutex.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
+
+semaphore.lo: threading/semaphore.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT semaphore.lo -MD -MP -MF $(DEPDIR)/semaphore.Tpo -c -o semaphore.lo `test -f 'threading/semaphore.c' || echo '$(srcdir)/'`threading/semaphore.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/semaphore.Tpo $(DEPDIR)/semaphore.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/semaphore.c' object='semaphore.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mutex.lo `test -f 'threading/mutex.c' || echo '$(srcdir)/'`threading/mutex.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o semaphore.lo `test -f 'threading/semaphore.c' || echo '$(srcdir)/'`threading/semaphore.c
 
 rwlock.lo: threading/rwlock.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rwlock.lo -MD -MP -MF $(DEPDIR)/rwlock.Tpo -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rwlock.Tpo $(DEPDIR)/rwlock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='threading/rwlock.c' object='rwlock.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rwlock.lo -MD -MP -MF $(DEPDIR)/rwlock.Tpo -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rwlock.Tpo $(DEPDIR)/rwlock.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/rwlock.c' object='rwlock.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rwlock.lo `test -f 'threading/rwlock.c' || echo '$(srcdir)/'`threading/rwlock.c
 
-host.lo: utils/host.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
+spinlock.lo: threading/spinlock.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT spinlock.lo -MD -MP -MF $(DEPDIR)/spinlock.Tpo -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/spinlock.Tpo $(DEPDIR)/spinlock.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='threading/spinlock.c' object='spinlock.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o spinlock.lo `test -f 'threading/spinlock.c' || echo '$(srcdir)/'`threading/spinlock.c
 
-identification.lo: utils/identification.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@
+utils.lo: utils/utils.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT utils.lo -MD -MP -MF $(DEPDIR)/utils.Tpo -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/utils.Tpo $(DEPDIR)/utils.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/utils.c' object='utils.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o utils.lo `test -f 'utils/utils.c' || echo '$(srcdir)/'`utils/utils.c
 
-lexparser.lo: utils/lexparser.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@
+chunk.lo: utils/chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT chunk.lo -MD -MP -MF $(DEPDIR)/chunk.Tpo -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/chunk.Tpo $(DEPDIR)/chunk.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/chunk.c' object='chunk.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o chunk.lo `test -f 'utils/chunk.c' || echo '$(srcdir)/'`utils/chunk.c
 
-linked_list.lo: utils/linked_list.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
+debug.lo: utils/debug.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT debug.lo -MD -MP -MF $(DEPDIR)/debug.Tpo -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/debug.Tpo $(DEPDIR)/debug.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/debug.c' object='debug.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o debug.lo `test -f 'utils/debug.c' || echo '$(srcdir)/'`utils/debug.c
 
-hashtable.lo: utils/hashtable.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hashtable.lo -MD -MP -MF $(DEPDIR)/hashtable.Tpo -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/hashtable.Tpo $(DEPDIR)/hashtable.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/hashtable.c' object='hashtable.lo' libtool=yes @AMDEPBACKSLASH@
+enum.lo: utils/enum.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enum.lo -MD -MP -MF $(DEPDIR)/enum.Tpo -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/enum.Tpo $(DEPDIR)/enum.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/enum.c' object='enum.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hashtable.lo `test -f 'utils/hashtable.c' || echo '$(srcdir)/'`utils/hashtable.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enum.lo `test -f 'utils/enum.c' || echo '$(srcdir)/'`utils/enum.c
 
-enumerator.lo: utils/enumerator.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+identification.lo: utils/identification.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+
+lexparser.lo: utils/lexparser.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
 
 optionsfrom.lo: utils/optionsfrom.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/optionsfrom.c' object='optionsfrom.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/optionsfrom.c' object='optionsfrom.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
+
+capabilities.lo: utils/capabilities.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT capabilities.lo -MD -MP -MF $(DEPDIR)/capabilities.Tpo -c -o capabilities.lo `test -f 'utils/capabilities.c' || echo '$(srcdir)/'`utils/capabilities.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/capabilities.Tpo $(DEPDIR)/capabilities.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/capabilities.c' object='capabilities.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o capabilities.lo `test -f 'utils/capabilities.c' || echo '$(srcdir)/'`utils/capabilities.c
 
 backtrace.lo: utils/backtrace.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backtrace.lo -MD -MP -MF $(DEPDIR)/backtrace.Tpo -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/backtrace.Tpo $(DEPDIR)/backtrace.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/backtrace.c' object='backtrace.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backtrace.lo -MD -MP -MF $(DEPDIR)/backtrace.Tpo -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/backtrace.Tpo $(DEPDIR)/backtrace.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/backtrace.c' object='backtrace.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+
+printf_hook.lo: utils/printf_hook.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT printf_hook.lo -MD -MP -MF $(DEPDIR)/printf_hook.Tpo -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/printf_hook.Tpo $(DEPDIR)/printf_hook.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/printf_hook.c' object='printf_hook.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o printf_hook.lo `test -f 'utils/printf_hook.c' || echo '$(srcdir)/'`utils/printf_hook.c
+
+settings.lo: utils/settings.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT settings.lo -MD -MP -MF $(DEPDIR)/settings.Tpo -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/settings.Tpo $(DEPDIR)/settings.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/settings.c' object='settings.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o settings.lo `test -f 'utils/settings.c' || echo '$(srcdir)/'`utils/settings.c
 
 leak_detective.lo: utils/leak_detective.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+
+integrity_checker.lo: utils/integrity_checker.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT integrity_checker.lo -MD -MP -MF $(DEPDIR)/integrity_checker.Tpo -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/integrity_checker.Tpo $(DEPDIR)/integrity_checker.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='utils/integrity_checker.c' object='integrity_checker.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o integrity_checker.lo `test -f 'utils/integrity_checker.c' || echo '$(srcdir)/'`utils/integrity_checker.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-nobase_strongswan_includeHEADERS: $(nobase_strongswan_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	@list='$(nobase_strongswan_include_HEADERS)'; test -n "$(strongswan_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(strongswan_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(strongswan_includedir)" || exit 1; \
+	fi; \
+	$(am__nobase_list) | while read dir files; do \
+	  xfiles=; for file in $$files; do \
+	    if test -f "$$file"; then xfiles="$$xfiles $$file"; \
+	    else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
+	  test -z "$$xfiles" || { \
+	    test "x$$dir" = x. || { \
+	      echo " $(MKDIR_P) '$(DESTDIR)$(strongswan_includedir)/$$dir'"; \
+	      $(MKDIR_P) "$(DESTDIR)$(strongswan_includedir)/$$dir"; }; \
+	    echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(strongswan_includedir)/$$dir'"; \
+	    $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(strongswan_includedir)/$$dir" || exit $$?; }; \
+	done
+
+uninstall-nobase_strongswan_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nobase_strongswan_include_HEADERS)'; test -n "$(strongswan_includedir)" || list=; \
+	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
+	dir='$(DESTDIR)$(strongswan_includedir)'; $(am__uninstall_files_from_dir)
 
 # This directory's subdirectories are mostly independent; you can cd
 # into them and run `make' without going through this Makefile.
@@ -1419,13 +1809,10 @@ distdir: $(DISTFILES)
 	done
 	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
 	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
 	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
 	    $(am__relativize); \
 	    new_distdir=$$reldir; \
@@ -1448,10 +1835,10 @@ distdir: $(DISTFILES)
 check-am: all-am
 check: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) check-recursive
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(HEADERS)
 installdirs: installdirs-recursive
 installdirs-am:
-	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(strongswan_includedir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: $(BUILT_SOURCES)
@@ -1465,10 +1852,15 @@ install-am: all-am
 
 installcheck: installcheck-recursive
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -1505,7 +1897,8 @@ info: info-recursive
 
 info-am:
 
-install-data-am: install-ipseclibLTLIBRARIES
+install-data-am: install-ipseclibLTLIBRARIES \
+	install-nobase_strongswan_includeHEADERS
 
 install-dvi: install-dvi-recursive
 
@@ -1551,7 +1944,8 @@ ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-ipseclibLTLIBRARIES
+uninstall-am: uninstall-ipseclibLTLIBRARIES \
+	uninstall-nobase_strongswan_includeHEADERS
 
 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all check \
 	ctags-recursive install install-am install-strip \
@@ -1566,26 +1960,31 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES
 	install-data-am install-dvi install-dvi-am install-exec \
 	install-exec-am install-html install-html-am install-info \
 	install-info-am install-ipseclibLTLIBRARIES install-man \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
-	uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+	install-nobase_strongswan_includeHEADERS install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \
+	uninstall-ipseclibLTLIBRARIES \
+	uninstall-nobase_strongswan_includeHEADERS
 
 
 library.lo :	$(top_builddir)/config.status
 
 $(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
 $(srcdir)/asn1/oid.h :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+		$(AM_V_GEN) \
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
-$(srcdir)/crypto/proposal/proposal_keywords.c:	$(srcdir)/crypto/proposal/proposal_keywords.txt \
-												$(srcdir)/crypto/proposal/proposal_keywords.h
-		$(GPERF) -N proposal_get_token -m 10 -C -G -c -t -D < \
-												$(srcdir)/crypto/proposal/proposal_keywords.txt > $@
+$(srcdir)/crypto/proposal/proposal_keywords_static.c:	$(srcdir)/crypto/proposal/proposal_keywords_static.txt \
+														$(srcdir)/crypto/proposal/proposal_keywords_static.h
+		$(AM_V_GEN) \
+		$(GPERF) -N proposal_get_token_static -m 10 -C -G -c -t -D < \
+												$(srcdir)/crypto/proposal/proposal_keywords_static.txt > $@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 4cb38d126..d860ad9a2 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -19,7 +19,7 @@
 #include <string.h>
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "oid.h"
 #include "asn1.h"
@@ -28,7 +28,7 @@
 /**
  * Commonly used ASN1 values.
  */
-const chunk_t ASN1_INTEGER_0 = chunk_from_chars(0x02, 0x00);
+const chunk_t ASN1_INTEGER_0 = chunk_from_chars(0x02, 0x01, 0x00);
 const chunk_t ASN1_INTEGER_1 = chunk_from_chars(0x02, 0x01, 0x01);
 const chunk_t ASN1_INTEGER_2 = chunk_from_chars(0x02, 0x01, 0x02);
 
@@ -228,7 +228,8 @@ size_t asn1_length(chunk_t *blob)
 
 	/* read length field, skip tag and length */
 	n = blob->ptr[1];
-	*blob = chunk_skip(*blob, 2);
+	blob->ptr += 2;
+	blob->len -= 2;
 
 	if ((n & 0x80) == 0)
 	{	/* single length octet */
@@ -548,6 +549,22 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const c
 	return TRUE;
 }
 
+/*
+ * Described in header
+ */
+u_int64_t asn1_parse_integer_uint64(chunk_t blob)
+{
+	u_int64_t val = 0;
+	int i;
+
+	for (i = 0; i < blob.len; i++)
+	{	/* if it is longer than 8 bytes, we just use the 8 LSBs */
+		val <<= 8;
+		val |= (u_int64_t)blob.ptr[i];
+	}
+	return val;
+}
+
 /**
  * ASN.1 definition of an algorithmIdentifier
  */
@@ -625,6 +642,11 @@ bool is_asn1(chunk_t blob)
 
 	len = asn1_length(&blob);
 
+	if (len == ASN1_INVALID_LENGTH)
+	{
+		return FALSE;
+	}
+
 	/* exact match */
 	if (len == blob.len)
 	{
@@ -760,16 +782,13 @@ chunk_t asn1_integer(const char *mode, chunk_t content)
 	size_t len;
 	u_char *pos;
 
-	if (content.len == 0 || (content.len == 1 && *content.ptr == 0x00))
-	{
-		/* a zero ASN.1 integer does not have a value field */
-		len = 0;
-	}
-	else
-	{
-		/* ASN.1 integers must be positive numbers in two's complement */
-		len = content.len + ((*content.ptr & 0x80) ? 1 : 0);
+	if (content.len == 0)
+	{	/* make sure 0 is encoded properly */
+		content = chunk_from_chars(0x00);
 	}
+
+	/* ASN.1 integers must be positive numbers in two's complement */
+	len = content.len + ((*content.ptr & 0x80) ? 1 : 0);
 	pos = asn1_build_object(&object, ASN1_INTEGER, len);
 	if (len > content.len)
 	{
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 15ffff62e..a1d625380 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -171,6 +171,15 @@ bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level0,
 							  const char* name);
 
 /**
+ * Converts an ASN.1 INTEGER object to an u_int64_t. If the INTEGER is longer
+ * than 8 bytes only the 8 LSBs are returned.
+ *
+ * @param blob		body of an ASN.1 coded integer object
+ * @return			converted integer
+ */
+u_int64_t asn1_parse_integer_uint64(chunk_t blob);
+
+/**
  * Print the value of an ASN.1 simple object
  *
  * @param object	ASN.1 object to be printed
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 40e11b321..c31fb75f0 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -19,7 +19,7 @@
 #include <string.h>
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "asn1.h"
 #include "asn1_parser.h"
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index bfc985c25..a0e882b2c 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -10,378 +10,408 @@
 #include "oid.h"
 
 const oid_t oid_names[] = {
- {0x02,                         7, 1,  0, "ITU-T Administration"      }, /*   0 */
- {  0x82,                       0, 1,  1, ""                          }, /*   1 */
- {    0x06,                     0, 1,  2, "Germany ITU-T member"      }, /*   2 */
- {      0x01,                   0, 1,  3, "Deutsche Telekom AG"       }, /*   3 */
- {        0x0A,                 0, 1,  4, ""                          }, /*   4 */
- {          0x07,               0, 1,  5, ""                          }, /*   5 */
- {            0x14,             0, 0,  6, "ND"                        }, /*   6 */
- {0x09,                        18, 1,  0, "data"                      }, /*   7 */
- {  0x92,                       0, 1,  1, ""                          }, /*   8 */
- {    0x26,                     0, 1,  2, ""                          }, /*   9 */
- {      0x89,                   0, 1,  3, ""                          }, /*  10 */
- {        0x93,                 0, 1,  4, ""                          }, /*  11 */
- {          0xF2,               0, 1,  5, ""                          }, /*  12 */
- {            0x2C,             0, 1,  6, ""                          }, /*  13 */
- {              0x64,           0, 1,  7, "pilot"                     }, /*  14 */
- {                0x01,         0, 1,  8, "pilotAttributeType"        }, /*  15 */
- {                  0x01,      17, 0,  9, "UID"                       }, /*  16 */
- {                  0x19,       0, 0,  9, "DC"                        }, /*  17 */
- {0x55,                        65, 1,  0, "X.500"                     }, /*  18 */
- {  0x04,                      37, 1,  1, "X.509"                     }, /*  19 */
- {    0x03,                    21, 0,  2, "CN"                        }, /*  20 */
- {    0x04,                    22, 0,  2, "S"                         }, /*  21 */
- {    0x05,                    23, 0,  2, "SN"                        }, /*  22 */
- {    0x06,                    24, 0,  2, "C"                         }, /*  23 */
- {    0x07,                    25, 0,  2, "L"                         }, /*  24 */
- {    0x08,                    26, 0,  2, "ST"                        }, /*  25 */
- {    0x0A,                    27, 0,  2, "O"                         }, /*  26 */
- {    0x0B,                    28, 0,  2, "OU"                        }, /*  27 */
- {    0x0C,                    29, 0,  2, "T"                         }, /*  28 */
- {    0x0D,                    30, 0,  2, "D"                         }, /*  29 */
- {    0x24,                    31, 0,  2, "userCertificate"           }, /*  30 */
- {    0x29,                    32, 0,  2, "N"                         }, /*  31 */
- {    0x2A,                    33, 0,  2, "G"                         }, /*  32 */
- {    0x2B,                    34, 0,  2, "I"                         }, /*  33 */
- {    0x2D,                    35, 0,  2, "ID"                        }, /*  34 */
- {    0x2E,                    36, 0,  2, "dnQualifier"               }, /*  35 */
- {    0x48,                     0, 0,  2, "role"                      }, /*  36 */
- {  0x1D,                       0, 1,  1, "id-ce"                     }, /*  37 */
- {    0x09,                    39, 0,  2, "subjectDirectoryAttrs"     }, /*  38 */
- {    0x0E,                    40, 0,  2, "subjectKeyIdentifier"      }, /*  39 */
- {    0x0F,                    41, 0,  2, "keyUsage"                  }, /*  40 */
- {    0x10,                    42, 0,  2, "privateKeyUsagePeriod"     }, /*  41 */
- {    0x11,                    43, 0,  2, "subjectAltName"            }, /*  42 */
- {    0x12,                    44, 0,  2, "issuerAltName"             }, /*  43 */
- {    0x13,                    45, 0,  2, "basicConstraints"          }, /*  44 */
- {    0x14,                    46, 0,  2, "crlNumber"                 }, /*  45 */
- {    0x15,                    47, 0,  2, "reasonCode"                }, /*  46 */
- {    0x17,                    48, 0,  2, "holdInstructionCode"       }, /*  47 */
- {    0x18,                    49, 0,  2, "invalidityDate"            }, /*  48 */
- {    0x1B,                    50, 0,  2, "deltaCrlIndicator"         }, /*  49 */
- {    0x1C,                    51, 0,  2, "issuingDistributionPoint"  }, /*  50 */
- {    0x1D,                    52, 0,  2, "certificateIssuer"         }, /*  51 */
- {    0x1E,                    53, 0,  2, "nameConstraints"           }, /*  52 */
- {    0x1F,                    54, 0,  2, "crlDistributionPoints"     }, /*  53 */
- {    0x20,                    56, 1,  2, "certificatePolicies"       }, /*  54 */
- {      0x00,                   0, 0,  3, "anyPolicy"                 }, /*  55 */
- {    0x21,                    57, 0,  2, "policyMappings"            }, /*  56 */
- {    0x23,                    58, 0,  2, "authorityKeyIdentifier"    }, /*  57 */
- {    0x24,                    59, 0,  2, "policyConstraints"         }, /*  58 */
- {    0x25,                    61, 1,  2, "extendedKeyUsage"          }, /*  59 */
- {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"       }, /*  60 */
- {    0x2E,                    62, 0,  2, "freshestCRL"               }, /*  61 */
- {    0x36,                    63, 0,  2, "inhibitAnyPolicy"          }, /*  62 */
- {    0x37,                    64, 0,  2, "targetInformation"         }, /*  63 */
- {    0x38,                     0, 0,  2, "noRevAvail"                }, /*  64 */
- {0x2A,                       169, 1,  0, ""                          }, /*  65 */
- {  0x83,                      78, 1,  1, ""                          }, /*  66 */
- {    0x08,                     0, 1,  2, "jp"                        }, /*  67 */
- {      0x8C,                   0, 1,  3, ""                          }, /*  68 */
- {        0x9A,                 0, 1,  4, ""                          }, /*  69 */
- {          0x4B,               0, 1,  5, ""                          }, /*  70 */
- {            0x3D,             0, 1,  6, ""                          }, /*  71 */
- {              0x01,           0, 1,  7, "security"                  }, /*  72 */
- {                0x01,         0, 1,  8, "algorithm"                 }, /*  73 */
- {                  0x01,       0, 1,  9, "symm-encryption-alg"       }, /*  74 */
- {                    0x02,    76, 0, 10, "camellia128-cbc"           }, /*  75 */
- {                    0x03,    77, 0, 10, "camellia192-cbc"           }, /*  76 */
- {                    0x04,     0, 0, 10, "camellia256-cbc"           }, /*  77 */
- {  0x86,                       0, 1,  1, ""                          }, /*  78 */
- {    0x48,                     0, 1,  2, "us"                        }, /*  79 */
- {      0x86,                 128, 1,  3, ""                          }, /*  80 */
- {        0xF6,                86, 1,  4, ""                          }, /*  81 */
- {          0x7D,               0, 1,  5, "NortelNetworks"            }, /*  82 */
- {            0x07,             0, 1,  6, "Entrust"                   }, /*  83 */
- {              0x41,           0, 1,  7, "nsn-ce"                    }, /*  84 */
- {                0x00,         0, 0,  8, "entrustVersInfo"           }, /*  85 */
- {        0xF7,                 0, 1,  4, ""                          }, /*  86 */
- {          0x0D,               0, 1,  5, "RSADSI"                    }, /*  87 */
- {            0x01,           123, 1,  6, "PKCS"                      }, /*  88 */
- {              0x01,         100, 1,  7, "PKCS-1"                    }, /*  89 */
- {                0x01,        91, 0,  8, "rsaEncryption"             }, /*  90 */
- {                0x02,        92, 0,  8, "md2WithRSAEncryption"      }, /*  91 */
- {                0x04,        93, 0,  8, "md5WithRSAEncryption"      }, /*  92 */
- {                0x05,        94, 0,  8, "sha-1WithRSAEncryption"    }, /*  93 */
- {                0x07,        95, 0,  8, "id-RSAES-OAEP"             }, /*  94 */
- {                0x09,        96, 0,  8, "id-pSpecified"             }, /*  95 */
- {                0x0B,        97, 0,  8, "sha256WithRSAEncryption"   }, /*  96 */
- {                0x0C,        98, 0,  8, "sha384WithRSAEncryption"   }, /*  97 */
- {                0x0D,        99, 0,  8, "sha512WithRSAEncryption"   }, /*  98 */
- {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"   }, /*  99 */
- {              0x05,         105, 1,  7, "PKCS-5"                    }, /* 100 */
- {                0x03,       102, 0,  8, "pbeWithMD5AndDES-CBC"      }, /* 101 */
- {                0x0A,       103, 0,  8, "pbeWithSHA1AndDES-CBC"     }, /* 102 */
- {                0x0C,       104, 0,  8, "id-PBKDF2"                 }, /* 103 */
- {                0x0D,         0, 0,  8, "id-PBES2"                  }, /* 104 */
- {              0x07,         112, 1,  7, "PKCS-7"                    }, /* 105 */
- {                0x01,       107, 0,  8, "data"                      }, /* 106 */
- {                0x02,       108, 0,  8, "signedData"                }, /* 107 */
- {                0x03,       109, 0,  8, "envelopedData"             }, /* 108 */
- {                0x04,       110, 0,  8, "signedAndEnvelopedData"    }, /* 109 */
- {                0x05,       111, 0,  8, "digestedData"              }, /* 110 */
- {                0x06,         0, 0,  8, "encryptedData"             }, /* 111 */
- {              0x09,           0, 1,  7, "PKCS-9"                    }, /* 112 */
- {                0x01,       114, 0,  8, "E"                         }, /* 113 */
- {                0x02,       115, 0,  8, "unstructuredName"          }, /* 114 */
- {                0x03,       116, 0,  8, "contentType"               }, /* 115 */
- {                0x04,       117, 0,  8, "messageDigest"             }, /* 116 */
- {                0x05,       118, 0,  8, "signingTime"               }, /* 117 */
- {                0x06,       119, 0,  8, "counterSignature"          }, /* 118 */
- {                0x07,       120, 0,  8, "challengePassword"         }, /* 119 */
- {                0x08,       121, 0,  8, "unstructuredAddress"       }, /* 120 */
- {                0x0E,       122, 0,  8, "extensionRequest"          }, /* 121 */
- {                0x0F,         0, 0,  8, "S/MIME Capabilities"       }, /* 122 */
- {            0x02,           126, 1,  6, "digestAlgorithm"           }, /* 123 */
- {              0x02,         125, 0,  7, "md2"                       }, /* 124 */
- {              0x05,           0, 0,  7, "md5"                       }, /* 125 */
- {            0x03,             0, 1,  6, "encryptionAlgorithm"       }, /* 126 */
- {              0x07,           0, 0,  7, "3des-ede-cbc"              }, /* 127 */
- {      0xCE,                   0, 1,  3, ""                          }, /* 128 */
- {        0x3D,                 0, 1,  4, "ansi-X9-62"                }, /* 129 */
- {          0x02,             132, 1,  5, "id-publicKeyType"          }, /* 130 */
- {            0x01,             0, 0,  6, "id-ecPublicKey"            }, /* 131 */
- {          0x03,             162, 1,  5, "ellipticCurve"             }, /* 132 */
- {            0x00,           154, 1,  6, "c-TwoCurve"                }, /* 133 */
- {              0x01,         135, 0,  7, "c2pnb163v1"                }, /* 134 */
- {              0x02,         136, 0,  7, "c2pnb163v2"                }, /* 135 */
- {              0x03,         137, 0,  7, "c2pnb163v3"                }, /* 136 */
- {              0x04,         138, 0,  7, "c2pnb176w1"                }, /* 137 */
- {              0x05,         139, 0,  7, "c2tnb191v1"                }, /* 138 */
- {              0x06,         140, 0,  7, "c2tnb191v2"                }, /* 139 */
- {              0x07,         141, 0,  7, "c2tnb191v3"                }, /* 140 */
- {              0x08,         142, 0,  7, "c2onb191v4"                }, /* 141 */
- {              0x09,         143, 0,  7, "c2onb191v5"                }, /* 142 */
- {              0x0A,         144, 0,  7, "c2pnb208w1"                }, /* 143 */
- {              0x0B,         145, 0,  7, "c2tnb239v1"                }, /* 144 */
- {              0x0C,         146, 0,  7, "c2tnb239v2"                }, /* 145 */
- {              0x0D,         147, 0,  7, "c2tnb239v3"                }, /* 146 */
- {              0x0E,         148, 0,  7, "c2onb239v4"                }, /* 147 */
- {              0x0F,         149, 0,  7, "c2onb239v5"                }, /* 148 */
- {              0x10,         150, 0,  7, "c2pnb272w1"                }, /* 149 */
- {              0x11,         151, 0,  7, "c2pnb304w1"                }, /* 150 */
- {              0x12,         152, 0,  7, "c2tnb359v1"                }, /* 151 */
- {              0x13,         153, 0,  7, "c2pnb368w1"                }, /* 152 */
- {              0x14,           0, 0,  7, "c2tnb431r1"                }, /* 153 */
- {            0x01,             0, 1,  6, "primeCurve"                }, /* 154 */
- {              0x01,         156, 0,  7, "prime192v1"                }, /* 155 */
- {              0x02,         157, 0,  7, "prime192v2"                }, /* 156 */
- {              0x03,         158, 0,  7, "prime192v3"                }, /* 157 */
- {              0x04,         159, 0,  7, "prime239v1"                }, /* 158 */
- {              0x05,         160, 0,  7, "prime239v2"                }, /* 159 */
- {              0x06,         161, 0,  7, "prime239v3"                }, /* 160 */
- {              0x07,           0, 0,  7, "prime256v1"                }, /* 161 */
- {          0x04,               0, 1,  5, "id-ecSigType"              }, /* 162 */
- {            0x01,           164, 0,  6, "ecdsa-with-SHA1"           }, /* 163 */
- {            0x03,             0, 1,  6, "ecdsa-with-Specified"      }, /* 164 */
- {              0x01,         166, 0,  7, "ecdsa-with-SHA224"         }, /* 165 */
- {              0x02,         167, 0,  7, "ecdsa-with-SHA256"         }, /* 166 */
- {              0x03,         168, 0,  7, "ecdsa-with-SHA384"         }, /* 167 */
- {              0x04,           0, 0,  7, "ecdsa-with-SHA512"         }, /* 168 */
- {0x2B,                       320, 1,  0, ""                          }, /* 169 */
- {  0x06,                     234, 1,  1, "dod"                       }, /* 170 */
- {    0x01,                     0, 1,  2, "internet"                  }, /* 171 */
- {      0x04,                 194, 1,  3, "private"                   }, /* 172 */
- {        0x01,                 0, 1,  4, "enterprise"                }, /* 173 */
- {          0x82,             187, 1,  5, ""                          }, /* 174 */
- {            0x37,           184, 1,  6, "Microsoft"                 }, /* 175 */
- {              0x0A,         180, 1,  7, ""                          }, /* 176 */
- {                0x03,         0, 1,  8, ""                          }, /* 177 */
- {                  0x03,     179, 0,  9, "msSGC"                     }, /* 178 */
- {                  0x04,       0, 0,  9, "msEncryptingFileSystem"    }, /* 179 */
- {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"}, /* 180 */
- {                0x02,         0, 1,  8, "msCertificateTypeExtension"}, /* 181 */
- {                  0x02,     183, 0,  9, "msSmartcardLogon"          }, /* 182 */
- {                  0x03,       0, 0,  9, "msUPN"                     }, /* 183 */
- {            0xA0,             0, 1,  6, ""                          }, /* 184 */
- {              0x2A,           0, 1,  7, "ITA"                       }, /* 185 */
- {                0x01,         0, 0,  8, "strongSwan"                }, /* 186 */
- {          0x89,               0, 1,  5, ""                          }, /* 187 */
- {            0x31,             0, 1,  6, ""                          }, /* 188 */
- {              0x01,           0, 1,  7, ""                          }, /* 189 */
- {                0x01,         0, 1,  8, ""                          }, /* 190 */
- {                  0x02,       0, 1,  9, ""                          }, /* 191 */
- {                    0x02,     0, 1, 10, ""                          }, /* 192 */
- {                      0x4B,   0, 0, 11, "TCGID"                     }, /* 193 */
- {      0x05,                   0, 1,  3, "security"                  }, /* 194 */
- {        0x05,                 0, 1,  4, "mechanisms"                }, /* 195 */
- {          0x07,               0, 1,  5, "id-pkix"                   }, /* 196 */
- {            0x01,           201, 1,  6, "id-pe"                     }, /* 197 */
- {              0x01,         199, 0,  7, "authorityInfoAccess"       }, /* 198 */
- {              0x03,         200, 0,  7, "qcStatements"              }, /* 199 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"              }, /* 200 */
- {            0x02,           204, 1,  6, "id-qt"                     }, /* 201 */
- {              0x01,         203, 0,  7, "cps"                       }, /* 202 */
- {              0x02,           0, 0,  7, "unotice"                   }, /* 203 */
- {            0x03,           214, 1,  6, "id-kp"                     }, /* 204 */
- {              0x01,         206, 0,  7, "serverAuth"                }, /* 205 */
- {              0x02,         207, 0,  7, "clientAuth"                }, /* 206 */
- {              0x03,         208, 0,  7, "codeSigning"               }, /* 207 */
- {              0x04,         209, 0,  7, "emailProtection"           }, /* 208 */
- {              0x05,         210, 0,  7, "ipsecEndSystem"            }, /* 209 */
- {              0x06,         211, 0,  7, "ipsecTunnel"               }, /* 210 */
- {              0x07,         212, 0,  7, "ipsecUser"                 }, /* 211 */
- {              0x08,         213, 0,  7, "timeStamping"              }, /* 212 */
- {              0x09,           0, 0,  7, "ocspSigning"               }, /* 213 */
- {            0x08,           216, 1,  6, "id-otherNames"             }, /* 214 */
- {              0x05,           0, 0,  7, "xmppAddr"                  }, /* 215 */
- {            0x0A,           221, 1,  6, "id-aca"                    }, /* 216 */
- {              0x01,         218, 0,  7, "authenticationInfo"        }, /* 217 */
- {              0x02,         219, 0,  7, "accessIdentity"            }, /* 218 */
- {              0x03,         220, 0,  7, "chargingIdentity"          }, /* 219 */
- {              0x04,           0, 0,  7, "group"                     }, /* 220 */
- {            0x0B,           222, 0,  6, "subjectInfoAccess"         }, /* 221 */
- {            0x30,             0, 1,  6, "id-ad"                     }, /* 222 */
- {              0x01,         231, 1,  7, "ocsp"                      }, /* 223 */
- {                0x01,       225, 0,  8, "basic"                     }, /* 224 */
- {                0x02,       226, 0,  8, "nonce"                     }, /* 225 */
- {                0x03,       227, 0,  8, "crl"                       }, /* 226 */
- {                0x04,       228, 0,  8, "response"                  }, /* 227 */
- {                0x05,       229, 0,  8, "noCheck"                   }, /* 228 */
- {                0x06,       230, 0,  8, "archiveCutoff"             }, /* 229 */
- {                0x07,         0, 0,  8, "serviceLocator"            }, /* 230 */
- {              0x02,         232, 0,  7, "caIssuers"                 }, /* 231 */
- {              0x03,         233, 0,  7, "timeStamping"              }, /* 232 */
- {              0x05,           0, 0,  7, "caRepository"              }, /* 233 */
- {  0x0E,                     240, 1,  1, "oiw"                       }, /* 234 */
- {    0x03,                     0, 1,  2, "secsig"                    }, /* 235 */
- {      0x02,                   0, 1,  3, "algorithms"                }, /* 236 */
- {        0x07,               238, 0,  4, "des-cbc"                   }, /* 237 */
- {        0x1A,               239, 0,  4, "sha-1"                     }, /* 238 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"     }, /* 239 */
- {  0x24,                     286, 1,  1, "TeleTrusT"                 }, /* 240 */
- {    0x03,                     0, 1,  2, "algorithm"                 }, /* 241 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"        }, /* 242 */
- {        0x01,               247, 1,  4, "rsaSignature"              }, /* 243 */
- {          0x02,             245, 0,  5, "rsaSigWithripemd160"       }, /* 244 */
- {          0x03,             246, 0,  5, "rsaSigWithripemd128"       }, /* 245 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"       }, /* 246 */
- {        0x02,                 0, 1,  4, "ecSign"                    }, /* 247 */
- {          0x01,             249, 0,  5, "ecSignWithsha1"            }, /* 248 */
- {          0x02,             250, 0,  5, "ecSignWithripemd160"       }, /* 249 */
- {          0x03,             251, 0,  5, "ecSignWithmd2"             }, /* 250 */
- {          0x04,             252, 0,  5, "ecSignWithmd5"             }, /* 251 */
- {          0x05,             269, 1,  5, "ttt-ecg"                   }, /* 252 */
- {            0x01,           257, 1,  6, "fieldType"                 }, /* 253 */
- {              0x01,           0, 1,  7, "characteristictwoField"    }, /* 254 */
- {                0x01,         0, 1,  8, "basisType"                 }, /* 255 */
- {                  0x01,       0, 0,  9, "ipBasis"                   }, /* 256 */
- {            0x02,           259, 1,  6, "keyType"                   }, /* 257 */
- {              0x01,           0, 0,  7, "ecgPublicKey"              }, /* 258 */
- {            0x03,           260, 0,  6, "curve"                     }, /* 259 */
- {            0x04,           267, 1,  6, "signatures"                }, /* 260 */
- {              0x01,         262, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 261 */
- {              0x02,         263, 0,  7, "ecgdsa-with-SHA1"          }, /* 262 */
- {              0x03,         264, 0,  7, "ecgdsa-with-SHA224"        }, /* 263 */
- {              0x04,         265, 0,  7, "ecgdsa-with-SHA256"        }, /* 264 */
- {              0x05,         266, 0,  7, "ecgdsa-with-SHA384"        }, /* 265 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"        }, /* 266 */
- {            0x05,             0, 1,  6, "module"                    }, /* 267 */
- {              0x01,           0, 0,  7, "1"                         }, /* 268 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 269 */
- {            0x01,             0, 1,  6, "ellipticCurve"             }, /* 270 */
- {              0x01,           0, 1,  7, "versionOne"                }, /* 271 */
- {                0x01,       273, 0,  8, "brainpoolP160r1"           }, /* 272 */
- {                0x02,       274, 0,  8, "brainpoolP160t1"           }, /* 273 */
- {                0x03,       275, 0,  8, "brainpoolP192r1"           }, /* 274 */
- {                0x04,       276, 0,  8, "brainpoolP192t1"           }, /* 275 */
- {                0x05,       277, 0,  8, "brainpoolP224r1"           }, /* 276 */
- {                0x06,       278, 0,  8, "brainpoolP224t1"           }, /* 277 */
- {                0x07,       279, 0,  8, "brainpoolP256r1"           }, /* 278 */
- {                0x08,       280, 0,  8, "brainpoolP256t1"           }, /* 279 */
- {                0x09,       281, 0,  8, "brainpoolP320r1"           }, /* 280 */
- {                0x0A,       282, 0,  8, "brainpoolP320t1"           }, /* 281 */
- {                0x0B,       283, 0,  8, "brainpoolP384r1"           }, /* 282 */
- {                0x0C,       284, 0,  8, "brainpoolP384t1"           }, /* 283 */
- {                0x0D,       285, 0,  8, "brainpoolP512r1"           }, /* 284 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"           }, /* 285 */
- {  0x81,                       0, 1,  1, ""                          }, /* 286 */
- {    0x04,                     0, 1,  2, "Certicom"                  }, /* 287 */
- {      0x00,                   0, 1,  3, "curve"                     }, /* 288 */
- {        0x01,               290, 0,  4, "sect163k1"                 }, /* 289 */
- {        0x02,               291, 0,  4, "sect163r1"                 }, /* 290 */
- {        0x03,               292, 0,  4, "sect239k1"                 }, /* 291 */
- {        0x04,               293, 0,  4, "sect113r1"                 }, /* 292 */
- {        0x05,               294, 0,  4, "sect113r2"                 }, /* 293 */
- {        0x06,               295, 0,  4, "secp112r1"                 }, /* 294 */
- {        0x07,               296, 0,  4, "secp112r2"                 }, /* 295 */
- {        0x08,               297, 0,  4, "secp160r1"                 }, /* 296 */
- {        0x09,               298, 0,  4, "secp160k1"                 }, /* 297 */
- {        0x0A,               299, 0,  4, "secp256k1"                 }, /* 298 */
- {        0x0F,               300, 0,  4, "sect163r2"                 }, /* 299 */
- {        0x10,               301, 0,  4, "sect283k1"                 }, /* 300 */
- {        0x11,               302, 0,  4, "sect283r1"                 }, /* 301 */
- {        0x16,               303, 0,  4, "sect131r1"                 }, /* 302 */
- {        0x17,               304, 0,  4, "sect131r2"                 }, /* 303 */
- {        0x18,               305, 0,  4, "sect193r1"                 }, /* 304 */
- {        0x19,               306, 0,  4, "sect193r2"                 }, /* 305 */
- {        0x1A,               307, 0,  4, "sect233k1"                 }, /* 306 */
- {        0x1B,               308, 0,  4, "sect233r1"                 }, /* 307 */
- {        0x1C,               309, 0,  4, "secp128r1"                 }, /* 308 */
- {        0x1D,               310, 0,  4, "secp128r2"                 }, /* 309 */
- {        0x1E,               311, 0,  4, "secp160r2"                 }, /* 310 */
- {        0x1F,               312, 0,  4, "secp192k1"                 }, /* 311 */
- {        0x20,               313, 0,  4, "secp224k1"                 }, /* 312 */
- {        0x21,               314, 0,  4, "secp224r1"                 }, /* 313 */
- {        0x22,               315, 0,  4, "secp384r1"                 }, /* 314 */
- {        0x23,               316, 0,  4, "secp521r1"                 }, /* 315 */
- {        0x24,               317, 0,  4, "sect409k1"                 }, /* 316 */
- {        0x25,               318, 0,  4, "sect409r1"                 }, /* 317 */
- {        0x26,               319, 0,  4, "sect571k1"                 }, /* 318 */
- {        0x27,                 0, 0,  4, "sect571r1"                 }, /* 319 */
- {0x60,                       366, 1,  0, ""                          }, /* 320 */
- {  0x86,                       0, 1,  1, ""                          }, /* 321 */
- {    0x48,                     0, 1,  2, ""                          }, /* 322 */
- {      0x01,                   0, 1,  3, "organization"              }, /* 323 */
- {        0x65,               342, 1,  4, "gov"                       }, /* 324 */
- {          0x03,               0, 1,  5, "csor"                      }, /* 325 */
- {            0x04,             0, 1,  6, "nistalgorithm"             }, /* 326 */
- {              0x01,         337, 1,  7, "aes"                       }, /* 327 */
- {                0x02,       329, 0,  8, "id-aes128-CBC"             }, /* 328 */
- {                0x06,       330, 0,  8, "id-aes128-GCM"             }, /* 329 */
- {                0x07,       331, 0,  8, "id-aes128-CCM"             }, /* 330 */
- {                0x16,       332, 0,  8, "id-aes192-CBC"             }, /* 331 */
- {                0x1A,       333, 0,  8, "id-aes192-GCM"             }, /* 332 */
- {                0x1B,       334, 0,  8, "id-aes192-CCM"             }, /* 333 */
- {                0x2A,       335, 0,  8, "id-aes256-CBC"             }, /* 334 */
- {                0x2E,       336, 0,  8, "id-aes256-GCM"             }, /* 335 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"             }, /* 336 */
- {              0x02,           0, 1,  7, "hashalgs"                  }, /* 337 */
- {                0x01,       339, 0,  8, "id-SHA-256"                }, /* 338 */
- {                0x02,       340, 0,  8, "id-SHA-384"                }, /* 339 */
- {                0x03,       341, 0,  8, "id-SHA-512"                }, /* 340 */
- {                0x04,         0, 0,  8, "id-SHA-224"                }, /* 341 */
- {        0x86,                 0, 1,  4, ""                          }, /* 342 */
- {          0xf8,               0, 1,  5, ""                          }, /* 343 */
- {            0x42,           356, 1,  6, "netscape"                  }, /* 344 */
- {              0x01,         351, 1,  7, ""                          }, /* 345 */
- {                0x01,       347, 0,  8, "nsCertType"                }, /* 346 */
- {                0x03,       348, 0,  8, "nsRevocationUrl"           }, /* 347 */
- {                0x04,       349, 0,  8, "nsCaRevocationUrl"         }, /* 348 */
- {                0x08,       350, 0,  8, "nsCaPolicyUrl"             }, /* 349 */
- {                0x0d,         0, 0,  8, "nsComment"                 }, /* 350 */
- {              0x03,         354, 1,  7, "directory"                 }, /* 351 */
- {                0x01,         0, 1,  8, ""                          }, /* 352 */
- {                  0x03,       0, 0,  9, "employeeNumber"            }, /* 353 */
- {              0x04,           0, 1,  7, "policy"                    }, /* 354 */
- {                0x01,         0, 0,  8, "nsSGC"                     }, /* 355 */
- {            0x45,             0, 1,  6, "verisign"                  }, /* 356 */
- {              0x01,           0, 1,  7, "pki"                       }, /* 357 */
- {                0x09,         0, 1,  8, "attributes"                }, /* 358 */
- {                  0x02,     360, 0,  9, "messageType"               }, /* 359 */
- {                  0x03,     361, 0,  9, "pkiStatus"                 }, /* 360 */
- {                  0x04,     362, 0,  9, "failInfo"                  }, /* 361 */
- {                  0x05,     363, 0,  9, "senderNonce"               }, /* 362 */
- {                  0x06,     364, 0,  9, "recipientNonce"            }, /* 363 */
- {                  0x07,     365, 0,  9, "transID"                   }, /* 364 */
- {                  0x08,       0, 0,  9, "extensionReq"              }, /* 365 */
- {0x67,                         0, 1,  0, ""                          }, /* 366 */
- {  0x81,                       0, 1,  1, ""                          }, /* 367 */
- {    0x05,                     0, 1,  2, ""                          }, /* 368 */
- {      0x02,                   0, 1,  3, "tcg-attribute"             }, /* 369 */
- {        0x01,               371, 0,  4, "tcg-at-tpmManufacturer"    }, /* 370 */
- {        0x02,               372, 0,  4, "tcg-at-tpmModel"           }, /* 371 */
- {        0x03,               373, 0,  4, "tcg-at-tpmVersion"         }, /* 372 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"         }  /* 373 */
+ {0x02,                         7, 1,  0, "ITU-T Administration"           }, /*   0 */
+ {  0x82,                       0, 1,  1, ""                               }, /*   1 */
+ {    0x06,                     0, 1,  2, "Germany ITU-T member"           }, /*   2 */
+ {      0x01,                   0, 1,  3, "Deutsche Telekom AG"            }, /*   3 */
+ {        0x0A,                 0, 1,  4, ""                               }, /*   4 */
+ {          0x07,               0, 1,  5, ""                               }, /*   5 */
+ {            0x14,             0, 0,  6, "ND"                             }, /*   6 */
+ {0x09,                        18, 1,  0, "data"                           }, /*   7 */
+ {  0x92,                       0, 1,  1, ""                               }, /*   8 */
+ {    0x26,                     0, 1,  2, ""                               }, /*   9 */
+ {      0x89,                   0, 1,  3, ""                               }, /*  10 */
+ {        0x93,                 0, 1,  4, ""                               }, /*  11 */
+ {          0xF2,               0, 1,  5, ""                               }, /*  12 */
+ {            0x2C,             0, 1,  6, ""                               }, /*  13 */
+ {              0x64,           0, 1,  7, "pilot"                          }, /*  14 */
+ {                0x01,         0, 1,  8, "pilotAttributeType"             }, /*  15 */
+ {                  0x01,      17, 0,  9, "UID"                            }, /*  16 */
+ {                  0x19,       0, 0,  9, "DC"                             }, /*  17 */
+ {0x55,                        65, 1,  0, "X.500"                          }, /*  18 */
+ {  0x04,                      37, 1,  1, "X.509"                          }, /*  19 */
+ {    0x03,                    21, 0,  2, "CN"                             }, /*  20 */
+ {    0x04,                    22, 0,  2, "S"                              }, /*  21 */
+ {    0x05,                    23, 0,  2, "SN"                             }, /*  22 */
+ {    0x06,                    24, 0,  2, "C"                              }, /*  23 */
+ {    0x07,                    25, 0,  2, "L"                              }, /*  24 */
+ {    0x08,                    26, 0,  2, "ST"                             }, /*  25 */
+ {    0x0A,                    27, 0,  2, "O"                              }, /*  26 */
+ {    0x0B,                    28, 0,  2, "OU"                             }, /*  27 */
+ {    0x0C,                    29, 0,  2, "T"                              }, /*  28 */
+ {    0x0D,                    30, 0,  2, "D"                              }, /*  29 */
+ {    0x24,                    31, 0,  2, "userCertificate"                }, /*  30 */
+ {    0x29,                    32, 0,  2, "N"                              }, /*  31 */
+ {    0x2A,                    33, 0,  2, "G"                              }, /*  32 */
+ {    0x2B,                    34, 0,  2, "I"                              }, /*  33 */
+ {    0x2D,                    35, 0,  2, "ID"                             }, /*  34 */
+ {    0x2E,                    36, 0,  2, "dnQualifier"                    }, /*  35 */
+ {    0x48,                     0, 0,  2, "role"                           }, /*  36 */
+ {  0x1D,                       0, 1,  1, "id-ce"                          }, /*  37 */
+ {    0x09,                    39, 0,  2, "subjectDirectoryAttrs"          }, /*  38 */
+ {    0x0E,                    40, 0,  2, "subjectKeyIdentifier"           }, /*  39 */
+ {    0x0F,                    41, 0,  2, "keyUsage"                       }, /*  40 */
+ {    0x10,                    42, 0,  2, "privateKeyUsagePeriod"          }, /*  41 */
+ {    0x11,                    43, 0,  2, "subjectAltName"                 }, /*  42 */
+ {    0x12,                    44, 0,  2, "issuerAltName"                  }, /*  43 */
+ {    0x13,                    45, 0,  2, "basicConstraints"               }, /*  44 */
+ {    0x14,                    46, 0,  2, "crlNumber"                      }, /*  45 */
+ {    0x15,                    47, 0,  2, "reasonCode"                     }, /*  46 */
+ {    0x17,                    48, 0,  2, "holdInstructionCode"            }, /*  47 */
+ {    0x18,                    49, 0,  2, "invalidityDate"                 }, /*  48 */
+ {    0x1B,                    50, 0,  2, "deltaCrlIndicator"              }, /*  49 */
+ {    0x1C,                    51, 0,  2, "issuingDistributionPoint"       }, /*  50 */
+ {    0x1D,                    52, 0,  2, "certificateIssuer"              }, /*  51 */
+ {    0x1E,                    53, 0,  2, "nameConstraints"                }, /*  52 */
+ {    0x1F,                    54, 0,  2, "crlDistributionPoints"          }, /*  53 */
+ {    0x20,                    56, 1,  2, "certificatePolicies"            }, /*  54 */
+ {      0x00,                   0, 0,  3, "anyPolicy"                      }, /*  55 */
+ {    0x21,                    57, 0,  2, "policyMappings"                 }, /*  56 */
+ {    0x23,                    58, 0,  2, "authorityKeyIdentifier"         }, /*  57 */
+ {    0x24,                    59, 0,  2, "policyConstraints"              }, /*  58 */
+ {    0x25,                    61, 1,  2, "extendedKeyUsage"               }, /*  59 */
+ {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"            }, /*  60 */
+ {    0x2E,                    62, 0,  2, "freshestCRL"                    }, /*  61 */
+ {    0x36,                    63, 0,  2, "inhibitAnyPolicy"               }, /*  62 */
+ {    0x37,                    64, 0,  2, "targetInformation"              }, /*  63 */
+ {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  64 */
+ {0x2A,                       188, 1,  0, ""                               }, /*  65 */
+ {  0x83,                      78, 1,  1, ""                               }, /*  66 */
+ {    0x08,                     0, 1,  2, "jp"                             }, /*  67 */
+ {      0x8C,                   0, 1,  3, ""                               }, /*  68 */
+ {        0x9A,                 0, 1,  4, ""                               }, /*  69 */
+ {          0x4B,               0, 1,  5, ""                               }, /*  70 */
+ {            0x3D,             0, 1,  6, ""                               }, /*  71 */
+ {              0x01,           0, 1,  7, "security"                       }, /*  72 */
+ {                0x01,         0, 1,  8, "algorithm"                      }, /*  73 */
+ {                  0x01,       0, 1,  9, "symm-encryption-alg"            }, /*  74 */
+ {                    0x02,    76, 0, 10, "camellia128-cbc"                }, /*  75 */
+ {                    0x03,    77, 0, 10, "camellia192-cbc"                }, /*  76 */
+ {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  77 */
+ {  0x86,                       0, 1,  1, ""                               }, /*  78 */
+ {    0x48,                     0, 1,  2, "us"                             }, /*  79 */
+ {      0x86,                 147, 1,  3, ""                               }, /*  80 */
+ {        0xF6,                86, 1,  4, ""                               }, /*  81 */
+ {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  82 */
+ {            0x07,             0, 1,  6, "Entrust"                        }, /*  83 */
+ {              0x41,           0, 1,  7, "nsn-ce"                         }, /*  84 */
+ {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  85 */
+ {        0xF7,                 0, 1,  4, ""                               }, /*  86 */
+ {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  87 */
+ {            0x01,           142, 1,  6, "PKCS"                           }, /*  88 */
+ {              0x01,         100, 1,  7, "PKCS-1"                         }, /*  89 */
+ {                0x01,        91, 0,  8, "rsaEncryption"                  }, /*  90 */
+ {                0x02,        92, 0,  8, "md2WithRSAEncryption"           }, /*  91 */
+ {                0x04,        93, 0,  8, "md5WithRSAEncryption"           }, /*  92 */
+ {                0x05,        94, 0,  8, "sha-1WithRSAEncryption"         }, /*  93 */
+ {                0x07,        95, 0,  8, "id-RSAES-OAEP"                  }, /*  94 */
+ {                0x09,        96, 0,  8, "id-pSpecified"                  }, /*  95 */
+ {                0x0B,        97, 0,  8, "sha256WithRSAEncryption"        }, /*  96 */
+ {                0x0C,        98, 0,  8, "sha384WithRSAEncryption"        }, /*  97 */
+ {                0x0D,        99, 0,  8, "sha512WithRSAEncryption"        }, /*  98 */
+ {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /*  99 */
+ {              0x05,         105, 1,  7, "PKCS-5"                         }, /* 100 */
+ {                0x03,       102, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 101 */
+ {                0x0A,       103, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 102 */
+ {                0x0C,       104, 0,  8, "id-PBKDF2"                      }, /* 103 */
+ {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 104 */
+ {              0x07,         112, 1,  7, "PKCS-7"                         }, /* 105 */
+ {                0x01,       107, 0,  8, "data"                           }, /* 106 */
+ {                0x02,       108, 0,  8, "signedData"                     }, /* 107 */
+ {                0x03,       109, 0,  8, "envelopedData"                  }, /* 108 */
+ {                0x04,       110, 0,  8, "signedAndEnvelopedData"         }, /* 109 */
+ {                0x05,       111, 0,  8, "digestedData"                   }, /* 110 */
+ {                0x06,         0, 0,  8, "encryptedData"                  }, /* 111 */
+ {              0x09,         126, 1,  7, "PKCS-9"                         }, /* 112 */
+ {                0x01,       114, 0,  8, "E"                              }, /* 113 */
+ {                0x02,       115, 0,  8, "unstructuredName"               }, /* 114 */
+ {                0x03,       116, 0,  8, "contentType"                    }, /* 115 */
+ {                0x04,       117, 0,  8, "messageDigest"                  }, /* 116 */
+ {                0x05,       118, 0,  8, "signingTime"                    }, /* 117 */
+ {                0x06,       119, 0,  8, "counterSignature"               }, /* 118 */
+ {                0x07,       120, 0,  8, "challengePassword"              }, /* 119 */
+ {                0x08,       121, 0,  8, "unstructuredAddress"            }, /* 120 */
+ {                0x0E,       122, 0,  8, "extensionRequest"               }, /* 121 */
+ {                0x0F,       123, 0,  8, "S/MIME Capabilities"            }, /* 122 */
+ {                0x16,         0, 1,  8, "certTypes"                      }, /* 123 */
+ {                  0x01,     125, 0,  9, "X.509"                          }, /* 124 */
+ {                  0x02,       0, 0,  9, "SDSI"                           }, /* 125 */
+ {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 126 */
+ {                0x01,       134, 1,  8, "pbeIds"                         }, /* 127 */
+ {                  0x01,     129, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 128 */
+ {                  0x02,     130, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 129 */
+ {                  0x03,     131, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 130 */
+ {                  0x04,     132, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 131 */
+ {                  0x05,     133, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 132 */
+ {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 133 */
+ {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 134 */
+ {                  0x01,       0, 1,  9, "bagIds"                         }, /* 135 */
+ {                    0x01,   137, 0, 10, "keyBag"                         }, /* 136 */
+ {                    0x02,   138, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 137 */
+ {                    0x03,   139, 0, 10, "certBag"                        }, /* 138 */
+ {                    0x04,   140, 0, 10, "crlBag"                         }, /* 139 */
+ {                    0x05,   141, 0, 10, "secretBag"                      }, /* 140 */
+ {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 141 */
+ {            0x02,           145, 1,  6, "digestAlgorithm"                }, /* 142 */
+ {              0x02,         144, 0,  7, "md2"                            }, /* 143 */
+ {              0x05,           0, 0,  7, "md5"                            }, /* 144 */
+ {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 145 */
+ {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 146 */
+ {      0xCE,                   0, 1,  3, ""                               }, /* 147 */
+ {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 148 */
+ {          0x02,             151, 1,  5, "id-publicKeyType"               }, /* 149 */
+ {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 150 */
+ {          0x03,             181, 1,  5, "ellipticCurve"                  }, /* 151 */
+ {            0x00,           173, 1,  6, "c-TwoCurve"                     }, /* 152 */
+ {              0x01,         154, 0,  7, "c2pnb163v1"                     }, /* 153 */
+ {              0x02,         155, 0,  7, "c2pnb163v2"                     }, /* 154 */
+ {              0x03,         156, 0,  7, "c2pnb163v3"                     }, /* 155 */
+ {              0x04,         157, 0,  7, "c2pnb176w1"                     }, /* 156 */
+ {              0x05,         158, 0,  7, "c2tnb191v1"                     }, /* 157 */
+ {              0x06,         159, 0,  7, "c2tnb191v2"                     }, /* 158 */
+ {              0x07,         160, 0,  7, "c2tnb191v3"                     }, /* 159 */
+ {              0x08,         161, 0,  7, "c2onb191v4"                     }, /* 160 */
+ {              0x09,         162, 0,  7, "c2onb191v5"                     }, /* 161 */
+ {              0x0A,         163, 0,  7, "c2pnb208w1"                     }, /* 162 */
+ {              0x0B,         164, 0,  7, "c2tnb239v1"                     }, /* 163 */
+ {              0x0C,         165, 0,  7, "c2tnb239v2"                     }, /* 164 */
+ {              0x0D,         166, 0,  7, "c2tnb239v3"                     }, /* 165 */
+ {              0x0E,         167, 0,  7, "c2onb239v4"                     }, /* 166 */
+ {              0x0F,         168, 0,  7, "c2onb239v5"                     }, /* 167 */
+ {              0x10,         169, 0,  7, "c2pnb272w1"                     }, /* 168 */
+ {              0x11,         170, 0,  7, "c2pnb304w1"                     }, /* 169 */
+ {              0x12,         171, 0,  7, "c2tnb359v1"                     }, /* 170 */
+ {              0x13,         172, 0,  7, "c2pnb368w1"                     }, /* 171 */
+ {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 172 */
+ {            0x01,             0, 1,  6, "primeCurve"                     }, /* 173 */
+ {              0x01,         175, 0,  7, "prime192v1"                     }, /* 174 */
+ {              0x02,         176, 0,  7, "prime192v2"                     }, /* 175 */
+ {              0x03,         177, 0,  7, "prime192v3"                     }, /* 176 */
+ {              0x04,         178, 0,  7, "prime239v1"                     }, /* 177 */
+ {              0x05,         179, 0,  7, "prime239v2"                     }, /* 178 */
+ {              0x06,         180, 0,  7, "prime239v3"                     }, /* 179 */
+ {              0x07,           0, 0,  7, "prime256v1"                     }, /* 180 */
+ {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 181 */
+ {            0x01,           183, 0,  6, "ecdsa-with-SHA1"                }, /* 182 */
+ {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 183 */
+ {              0x01,         185, 0,  7, "ecdsa-with-SHA224"              }, /* 184 */
+ {              0x02,         186, 0,  7, "ecdsa-with-SHA256"              }, /* 185 */
+ {              0x03,         187, 0,  7, "ecdsa-with-SHA384"              }, /* 186 */
+ {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 187 */
+ {0x2B,                       348, 1,  0, ""                               }, /* 188 */
+ {  0x06,                     262, 1,  1, "dod"                            }, /* 189 */
+ {    0x01,                     0, 1,  2, "internet"                       }, /* 190 */
+ {      0x04,                 213, 1,  3, "private"                        }, /* 191 */
+ {        0x01,                 0, 1,  4, "enterprise"                     }, /* 192 */
+ {          0x82,             206, 1,  5, ""                               }, /* 193 */
+ {            0x37,           203, 1,  6, "Microsoft"                      }, /* 194 */
+ {              0x0A,         199, 1,  7, ""                               }, /* 195 */
+ {                0x03,         0, 1,  8, ""                               }, /* 196 */
+ {                  0x03,     198, 0,  9, "msSGC"                          }, /* 197 */
+ {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 198 */
+ {              0x14,           0, 1,  7, "msEnrollmentInfrastructure"     }, /* 199 */
+ {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 200 */
+ {                  0x02,     202, 0,  9, "msSmartcardLogon"               }, /* 201 */
+ {                  0x03,       0, 0,  9, "msUPN"                          }, /* 202 */
+ {            0xA0,             0, 1,  6, ""                               }, /* 203 */
+ {              0x2A,           0, 1,  7, "ITA"                            }, /* 204 */
+ {                0x01,         0, 0,  8, "strongSwan"                     }, /* 205 */
+ {          0x89,               0, 1,  5, ""                               }, /* 206 */
+ {            0x31,             0, 1,  6, ""                               }, /* 207 */
+ {              0x01,           0, 1,  7, ""                               }, /* 208 */
+ {                0x01,         0, 1,  8, ""                               }, /* 209 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 210 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 211 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 212 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 213 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 214 */
+ {          0x07,             259, 1,  5, "id-pkix"                        }, /* 215 */
+ {            0x01,           220, 1,  6, "id-pe"                          }, /* 216 */
+ {              0x01,         218, 0,  7, "authorityInfoAccess"            }, /* 217 */
+ {              0x03,         219, 0,  7, "qcStatements"                   }, /* 218 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 219 */
+ {            0x02,           223, 1,  6, "id-qt"                          }, /* 220 */
+ {              0x01,         222, 0,  7, "cps"                            }, /* 221 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 222 */
+ {            0x03,           233, 1,  6, "id-kp"                          }, /* 223 */
+ {              0x01,         225, 0,  7, "serverAuth"                     }, /* 224 */
+ {              0x02,         226, 0,  7, "clientAuth"                     }, /* 225 */
+ {              0x03,         227, 0,  7, "codeSigning"                    }, /* 226 */
+ {              0x04,         228, 0,  7, "emailProtection"                }, /* 227 */
+ {              0x05,         229, 0,  7, "ipsecEndSystem"                 }, /* 228 */
+ {              0x06,         230, 0,  7, "ipsecTunnel"                    }, /* 229 */
+ {              0x07,         231, 0,  7, "ipsecUser"                      }, /* 230 */
+ {              0x08,         232, 0,  7, "timeStamping"                   }, /* 231 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 232 */
+ {            0x08,           241, 1,  6, "id-otherNames"                  }, /* 233 */
+ {              0x01,         235, 0,  7, "personalData"                   }, /* 234 */
+ {              0x02,         236, 0,  7, "userGroup"                      }, /* 235 */
+ {              0x03,         237, 0,  7, "id-on-permanentIdentifier"      }, /* 236 */
+ {              0x04,         238, 0,  7, "id-on-hardwareModuleName"       }, /* 237 */
+ {              0x05,         239, 0,  7, "xmppAddr"                       }, /* 238 */
+ {              0x06,         240, 0,  7, "id-on-SIM"                      }, /* 239 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 240 */
+ {            0x0A,           246, 1,  6, "id-aca"                         }, /* 241 */
+ {              0x01,         243, 0,  7, "authenticationInfo"             }, /* 242 */
+ {              0x02,         244, 0,  7, "accessIdentity"                 }, /* 243 */
+ {              0x03,         245, 0,  7, "chargingIdentity"               }, /* 244 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 245 */
+ {            0x0B,           247, 0,  6, "subjectInfoAccess"              }, /* 246 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 247 */
+ {              0x01,         256, 1,  7, "ocsp"                           }, /* 248 */
+ {                0x01,       250, 0,  8, "basic"                          }, /* 249 */
+ {                0x02,       251, 0,  8, "nonce"                          }, /* 250 */
+ {                0x03,       252, 0,  8, "crl"                            }, /* 251 */
+ {                0x04,       253, 0,  8, "response"                       }, /* 252 */
+ {                0x05,       254, 0,  8, "noCheck"                        }, /* 253 */
+ {                0x06,       255, 0,  8, "archiveCutoff"                  }, /* 254 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 255 */
+ {              0x02,         257, 0,  7, "caIssuers"                      }, /* 256 */
+ {              0x03,         258, 0,  7, "timeStamping"                   }, /* 257 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 258 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 259 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 260 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 261 */
+ {  0x0E,                     268, 1,  1, "oiw"                            }, /* 262 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 263 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 264 */
+ {        0x07,               266, 0,  4, "des-cbc"                        }, /* 265 */
+ {        0x1A,               267, 0,  4, "sha-1"                          }, /* 266 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 267 */
+ {  0x24,                     314, 1,  1, "TeleTrusT"                      }, /* 268 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 269 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 270 */
+ {        0x01,               275, 1,  4, "rsaSignature"                   }, /* 271 */
+ {          0x02,             273, 0,  5, "rsaSigWithripemd160"            }, /* 272 */
+ {          0x03,             274, 0,  5, "rsaSigWithripemd128"            }, /* 273 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 274 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 275 */
+ {          0x01,             277, 0,  5, "ecSignWithsha1"                 }, /* 276 */
+ {          0x02,             278, 0,  5, "ecSignWithripemd160"            }, /* 277 */
+ {          0x03,             279, 0,  5, "ecSignWithmd2"                  }, /* 278 */
+ {          0x04,             280, 0,  5, "ecSignWithmd5"                  }, /* 279 */
+ {          0x05,             297, 1,  5, "ttt-ecg"                        }, /* 280 */
+ {            0x01,           285, 1,  6, "fieldType"                      }, /* 281 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 282 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 283 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 284 */
+ {            0x02,           287, 1,  6, "keyType"                        }, /* 285 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 286 */
+ {            0x03,           288, 0,  6, "curve"                          }, /* 287 */
+ {            0x04,           295, 1,  6, "signatures"                     }, /* 288 */
+ {              0x01,         290, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 289 */
+ {              0x02,         291, 0,  7, "ecgdsa-with-SHA1"               }, /* 290 */
+ {              0x03,         292, 0,  7, "ecgdsa-with-SHA224"             }, /* 291 */
+ {              0x04,         293, 0,  7, "ecgdsa-with-SHA256"             }, /* 292 */
+ {              0x05,         294, 0,  7, "ecgdsa-with-SHA384"             }, /* 293 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 294 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 295 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 296 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 297 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 298 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 299 */
+ {                0x01,       301, 0,  8, "brainpoolP160r1"                }, /* 300 */
+ {                0x02,       302, 0,  8, "brainpoolP160t1"                }, /* 301 */
+ {                0x03,       303, 0,  8, "brainpoolP192r1"                }, /* 302 */
+ {                0x04,       304, 0,  8, "brainpoolP192t1"                }, /* 303 */
+ {                0x05,       305, 0,  8, "brainpoolP224r1"                }, /* 304 */
+ {                0x06,       306, 0,  8, "brainpoolP224t1"                }, /* 305 */
+ {                0x07,       307, 0,  8, "brainpoolP256r1"                }, /* 306 */
+ {                0x08,       308, 0,  8, "brainpoolP256t1"                }, /* 307 */
+ {                0x09,       309, 0,  8, "brainpoolP320r1"                }, /* 308 */
+ {                0x0A,       310, 0,  8, "brainpoolP320t1"                }, /* 309 */
+ {                0x0B,       311, 0,  8, "brainpoolP384r1"                }, /* 310 */
+ {                0x0C,       312, 0,  8, "brainpoolP384t1"                }, /* 311 */
+ {                0x0D,       313, 0,  8, "brainpoolP512r1"                }, /* 312 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 313 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 314 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 315 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 316 */
+ {        0x01,               318, 0,  4, "sect163k1"                      }, /* 317 */
+ {        0x02,               319, 0,  4, "sect163r1"                      }, /* 318 */
+ {        0x03,               320, 0,  4, "sect239k1"                      }, /* 319 */
+ {        0x04,               321, 0,  4, "sect113r1"                      }, /* 320 */
+ {        0x05,               322, 0,  4, "sect113r2"                      }, /* 321 */
+ {        0x06,               323, 0,  4, "secp112r1"                      }, /* 322 */
+ {        0x07,               324, 0,  4, "secp112r2"                      }, /* 323 */
+ {        0x08,               325, 0,  4, "secp160r1"                      }, /* 324 */
+ {        0x09,               326, 0,  4, "secp160k1"                      }, /* 325 */
+ {        0x0A,               327, 0,  4, "secp256k1"                      }, /* 326 */
+ {        0x0F,               328, 0,  4, "sect163r2"                      }, /* 327 */
+ {        0x10,               329, 0,  4, "sect283k1"                      }, /* 328 */
+ {        0x11,               330, 0,  4, "sect283r1"                      }, /* 329 */
+ {        0x16,               331, 0,  4, "sect131r1"                      }, /* 330 */
+ {        0x17,               332, 0,  4, "sect131r2"                      }, /* 331 */
+ {        0x18,               333, 0,  4, "sect193r1"                      }, /* 332 */
+ {        0x19,               334, 0,  4, "sect193r2"                      }, /* 333 */
+ {        0x1A,               335, 0,  4, "sect233k1"                      }, /* 334 */
+ {        0x1B,               336, 0,  4, "sect233r1"                      }, /* 335 */
+ {        0x1C,               337, 0,  4, "secp128r1"                      }, /* 336 */
+ {        0x1D,               338, 0,  4, "secp128r2"                      }, /* 337 */
+ {        0x1E,               339, 0,  4, "secp160r2"                      }, /* 338 */
+ {        0x1F,               340, 0,  4, "secp192k1"                      }, /* 339 */
+ {        0x20,               341, 0,  4, "secp224k1"                      }, /* 340 */
+ {        0x21,               342, 0,  4, "secp224r1"                      }, /* 341 */
+ {        0x22,               343, 0,  4, "secp384r1"                      }, /* 342 */
+ {        0x23,               344, 0,  4, "secp521r1"                      }, /* 343 */
+ {        0x24,               345, 0,  4, "sect409k1"                      }, /* 344 */
+ {        0x25,               346, 0,  4, "sect409r1"                      }, /* 345 */
+ {        0x26,               347, 0,  4, "sect571k1"                      }, /* 346 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 347 */
+ {0x60,                       396, 1,  0, ""                               }, /* 348 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 349 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 350 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 351 */
+ {        0x65,               372, 1,  4, "gov"                            }, /* 352 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 353 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 354 */
+ {              0x01,         365, 1,  7, "aes"                            }, /* 355 */
+ {                0x02,       357, 0,  8, "id-aes128-CBC"                  }, /* 356 */
+ {                0x06,       358, 0,  8, "id-aes128-GCM"                  }, /* 357 */
+ {                0x07,       359, 0,  8, "id-aes128-CCM"                  }, /* 358 */
+ {                0x16,       360, 0,  8, "id-aes192-CBC"                  }, /* 359 */
+ {                0x1A,       361, 0,  8, "id-aes192-GCM"                  }, /* 360 */
+ {                0x1B,       362, 0,  8, "id-aes192-CCM"                  }, /* 361 */
+ {                0x2A,       363, 0,  8, "id-aes256-CBC"                  }, /* 362 */
+ {                0x2E,       364, 0,  8, "id-aes256-GCM"                  }, /* 363 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 364 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 365 */
+ {                0x01,       367, 0,  8, "id-SHA-256"                     }, /* 366 */
+ {                0x02,       368, 0,  8, "id-SHA-384"                     }, /* 367 */
+ {                0x03,       369, 0,  8, "id-SHA-512"                     }, /* 368 */
+ {                0x04,       370, 0,  8, "id-SHA-224"                     }, /* 369 */
+ {                0x05,       371, 0,  8, "id-SHA-512-224"                 }, /* 370 */
+ {                0x06,         0, 0,  8, "id-SHA-512-256"                 }, /* 371 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 372 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 373 */
+ {            0x42,           386, 1,  6, "netscape"                       }, /* 374 */
+ {              0x01,         381, 1,  7, ""                               }, /* 375 */
+ {                0x01,       377, 0,  8, "nsCertType"                     }, /* 376 */
+ {                0x03,       378, 0,  8, "nsRevocationUrl"                }, /* 377 */
+ {                0x04,       379, 0,  8, "nsCaRevocationUrl"              }, /* 378 */
+ {                0x08,       380, 0,  8, "nsCaPolicyUrl"                  }, /* 379 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 380 */
+ {              0x03,         384, 1,  7, "directory"                      }, /* 381 */
+ {                0x01,         0, 1,  8, ""                               }, /* 382 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 383 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 384 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 385 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 386 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 387 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 388 */
+ {                  0x02,     390, 0,  9, "messageType"                    }, /* 389 */
+ {                  0x03,     391, 0,  9, "pkiStatus"                      }, /* 390 */
+ {                  0x04,     392, 0,  9, "failInfo"                       }, /* 391 */
+ {                  0x05,     393, 0,  9, "senderNonce"                    }, /* 392 */
+ {                  0x06,     394, 0,  9, "recipientNonce"                 }, /* 393 */
+ {                  0x07,     395, 0,  9, "transID"                        }, /* 394 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 395 */
+ {0x67,                         0, 1,  0, ""                               }, /* 396 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 397 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 398 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 399 */
+ {        0x01,               401, 0,  4, "tcg-at-tpmManufacturer"         }, /* 400 */
+ {        0x02,               402, 0,  4, "tcg-at-tpmModel"                }, /* 401 */
+ {        0x03,               403, 0,  4, "tcg-at-tpmVersion"              }, /* 402 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 403 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index a01c434a9..236c86737 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -48,6 +48,7 @@ extern const oid_t oid_names[];
 #define OID_CRL_NUMBER						45
 #define OID_CRL_REASON_CODE					46
 #define OID_DELTA_CRL_INDICATOR				49
+#define OID_ISSUING_DIST_POINT				50
 #define OID_NAME_CONSTRAINTS				52
 #define OID_CRL_DISTRIBUTION_POINTS			53
 #define OID_CERTIFICATE_POLICIES			54
@@ -90,136 +91,148 @@ extern const oid_t oid_names[];
 #define OID_CHALLENGE_PASSWORD				119
 #define OID_UNSTRUCTURED_ADDRESS			120
 #define OID_EXTENSION_REQUEST				121
-#define OID_MD2								124
-#define OID_MD5								125
-#define OID_3DES_EDE_CBC					127
-#define OID_EC_PUBLICKEY					131
-#define OID_C2PNB163V1						134
-#define OID_C2PNB163V2						135
-#define OID_C2PNB163V3						136
-#define OID_C2PNB176W1						137
-#define OID_C2PNB191V1						138
-#define OID_C2PNB191V2						139
-#define OID_C2PNB191V3						140
-#define OID_C2PNB191V4						141
-#define OID_C2PNB191V5						142
-#define OID_C2PNB208W1						143
-#define OID_C2PNB239V1						144
-#define OID_C2PNB239V2						145
-#define OID_C2PNB239V3						146
-#define OID_C2PNB239V4						147
-#define OID_C2PNB239V5						148
-#define OID_C2PNB272W1						149
-#define OID_C2PNB304W1						150
-#define OID_C2PNB359V1						151
-#define OID_C2PNB368W1						152
-#define OID_C2PNB431R1						153
-#define OID_PRIME192V1						155
-#define OID_PRIME192V2						156
-#define OID_PRIME192V3						157
-#define OID_PRIME239V1						158
-#define OID_PRIME239V2						159
-#define OID_PRIME239V3						160
-#define OID_PRIME256V1						161
-#define OID_ECDSA_WITH_SHA1					163
-#define OID_ECDSA_WITH_SHA224				165
-#define OID_ECDSA_WITH_SHA256				166
-#define OID_ECDSA_WITH_SHA384				167
-#define OID_ECDSA_WITH_SHA512				168
-#define OID_USER_PRINCIPAL_NAME				183
-#define OID_STRONGSWAN						186
-#define OID_TCGID							193
-#define OID_AUTHORITY_INFO_ACCESS			198
-#define OID_IP_ADDR_BLOCKS					200
-#define OID_POLICY_QUALIFIER_CPS			202
-#define OID_POLICY_QUALIFIER_UNOTICE		203
-#define OID_SERVER_AUTH						205
-#define OID_CLIENT_AUTH						206
-#define OID_OCSP_SIGNING					213
-#define OID_XMPP_ADDR						215
-#define OID_AUTHENTICATION_INFO				217
-#define OID_ACCESS_IDENTITY					218
-#define OID_CHARGING_IDENTITY				219
-#define OID_GROUP							220
-#define OID_OCSP							223
-#define OID_BASIC							224
-#define OID_NONCE							225
-#define OID_CRL								226
-#define OID_RESPONSE						227
-#define OID_NO_CHECK						228
-#define OID_ARCHIVE_CUTOFF					229
-#define OID_SERVICE_LOCATOR					230
-#define OID_CA_ISSUERS						231
-#define OID_DES_CBC							237
-#define OID_SHA1							238
-#define OID_SHA1_WITH_RSA_OIW				239
-#define OID_ECGDSA_PUBKEY					258
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		261
-#define OID_ECGDSA_SIG_WITH_SHA1			262
-#define OID_ECGDSA_SIG_WITH_SHA224			263
-#define OID_ECGDSA_SIG_WITH_SHA256			264
-#define OID_ECGDSA_SIG_WITH_SHA384			265
-#define OID_ECGDSA_SIG_WITH_SHA512			266
-#define OID_SECT163K1						289
-#define OID_SECT163R1						290
-#define OID_SECT239K1						291
-#define OID_SECT113R1						292
-#define OID_SECT113R2						293
-#define OID_SECT112R1						294
-#define OID_SECT112R2						295
-#define OID_SECT160R1						296
-#define OID_SECT160K1						297
-#define OID_SECT256K1						298
-#define OID_SECT163R2						299
-#define OID_SECT283K1						300
-#define OID_SECT283R1						301
-#define OID_SECT131R1						302
-#define OID_SECT131R2						303
-#define OID_SECT193R1						304
-#define OID_SECT193R2						305
-#define OID_SECT233K1						306
-#define OID_SECT233R1						307
-#define OID_SECT128R1						308
-#define OID_SECT128R2						309
-#define OID_SECT160R2						310
-#define OID_SECT192K1						311
-#define OID_SECT224K1						312
-#define OID_SECT224R1						313
-#define OID_SECT384R1						314
-#define OID_SECT521R1						315
-#define OID_SECT409K1						316
-#define OID_SECT409R1						317
-#define OID_SECT571K1						318
-#define OID_SECT571R1						319
-#define OID_AES128_CBC						328
-#define OID_AES128_GCM						329
-#define OID_AES128_CCM						330
-#define OID_AES192_CBC						331
-#define OID_AES192_GCM						332
-#define OID_AES192_CCM						333
-#define OID_AES256_CBC						334
-#define OID_AES256_GCM						335
-#define OID_AES256_CCM						336
-#define OID_SHA256							338
-#define OID_SHA384							339
-#define OID_SHA512							340
-#define OID_SHA224							341
-#define OID_NS_REVOCATION_URL				347
-#define OID_NS_CA_REVOCATION_URL			348
-#define OID_NS_CA_POLICY_URL				349
-#define OID_NS_COMMENT						350
-#define OID_EMPLOYEE_NUMBER					353
-#define OID_PKI_MESSAGE_TYPE				359
-#define OID_PKI_STATUS						360
-#define OID_PKI_FAIL_INFO					361
-#define OID_PKI_SENDER_NONCE				362
-#define OID_PKI_RECIPIENT_NONCE				363
-#define OID_PKI_TRANS_ID					364
-#define OID_TPM_MANUFACTURER				370
-#define OID_TPM_MODEL						371
-#define OID_TPM_VERSION						372
-#define OID_TPM_ID_LABEL					373
+#define OID_X509_CERTIFICATE				124
+#define OID_PBE_SHA1_RC4_128				128
+#define OID_PBE_SHA1_RC4_40					129
+#define OID_PBE_SHA1_3DES_CBC				130
+#define OID_PBE_SHA1_3DES_2KEY_CBC			131
+#define OID_PBE_SHA1_RC2_CBC_128			132
+#define OID_PBE_SHA1_RC2_CBC_40				133
+#define OID_P12_KEY_BAG						136
+#define OID_P12_PKCS8_KEY_BAG				137
+#define OID_P12_CERT_BAG					138
+#define OID_P12_CRL_BAG						139
+#define OID_MD2								143
+#define OID_MD5								144
+#define OID_3DES_EDE_CBC					146
+#define OID_EC_PUBLICKEY					150
+#define OID_C2PNB163V1						153
+#define OID_C2PNB163V2						154
+#define OID_C2PNB163V3						155
+#define OID_C2PNB176W1						156
+#define OID_C2PNB191V1						157
+#define OID_C2PNB191V2						158
+#define OID_C2PNB191V3						159
+#define OID_C2PNB191V4						160
+#define OID_C2PNB191V5						161
+#define OID_C2PNB208W1						162
+#define OID_C2PNB239V1						163
+#define OID_C2PNB239V2						164
+#define OID_C2PNB239V3						165
+#define OID_C2PNB239V4						166
+#define OID_C2PNB239V5						167
+#define OID_C2PNB272W1						168
+#define OID_C2PNB304W1						169
+#define OID_C2PNB359V1						170
+#define OID_C2PNB368W1						171
+#define OID_C2PNB431R1						172
+#define OID_PRIME192V1						174
+#define OID_PRIME192V2						175
+#define OID_PRIME192V3						176
+#define OID_PRIME239V1						177
+#define OID_PRIME239V2						178
+#define OID_PRIME239V3						179
+#define OID_PRIME256V1						180
+#define OID_ECDSA_WITH_SHA1					182
+#define OID_ECDSA_WITH_SHA224				184
+#define OID_ECDSA_WITH_SHA256				185
+#define OID_ECDSA_WITH_SHA384				186
+#define OID_ECDSA_WITH_SHA512				187
+#define OID_USER_PRINCIPAL_NAME				202
+#define OID_STRONGSWAN						205
+#define OID_TCGID							212
+#define OID_AUTHORITY_INFO_ACCESS			217
+#define OID_IP_ADDR_BLOCKS					219
+#define OID_POLICY_QUALIFIER_CPS			221
+#define OID_POLICY_QUALIFIER_UNOTICE		222
+#define OID_SERVER_AUTH						224
+#define OID_CLIENT_AUTH						225
+#define OID_OCSP_SIGNING					232
+#define OID_XMPP_ADDR						238
+#define OID_AUTHENTICATION_INFO				242
+#define OID_ACCESS_IDENTITY					243
+#define OID_CHARGING_IDENTITY				244
+#define OID_GROUP							245
+#define OID_OCSP							248
+#define OID_BASIC							249
+#define OID_NONCE							250
+#define OID_CRL								251
+#define OID_RESPONSE						252
+#define OID_NO_CHECK						253
+#define OID_ARCHIVE_CUTOFF					254
+#define OID_SERVICE_LOCATOR					255
+#define OID_CA_ISSUERS						256
+#define OID_IKE_INTERMEDIATE				261
+#define OID_DES_CBC							265
+#define OID_SHA1							266
+#define OID_SHA1_WITH_RSA_OIW				267
+#define OID_ECGDSA_PUBKEY					286
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		289
+#define OID_ECGDSA_SIG_WITH_SHA1			290
+#define OID_ECGDSA_SIG_WITH_SHA224			291
+#define OID_ECGDSA_SIG_WITH_SHA256			292
+#define OID_ECGDSA_SIG_WITH_SHA384			293
+#define OID_ECGDSA_SIG_WITH_SHA512			294
+#define OID_SECT163K1						317
+#define OID_SECT163R1						318
+#define OID_SECT239K1						319
+#define OID_SECT113R1						320
+#define OID_SECT113R2						321
+#define OID_SECT112R1						322
+#define OID_SECT112R2						323
+#define OID_SECT160R1						324
+#define OID_SECT160K1						325
+#define OID_SECT256K1						326
+#define OID_SECT163R2						327
+#define OID_SECT283K1						328
+#define OID_SECT283R1						329
+#define OID_SECT131R1						330
+#define OID_SECT131R2						331
+#define OID_SECT193R1						332
+#define OID_SECT193R2						333
+#define OID_SECT233K1						334
+#define OID_SECT233R1						335
+#define OID_SECT128R1						336
+#define OID_SECT128R2						337
+#define OID_SECT160R2						338
+#define OID_SECT192K1						339
+#define OID_SECT224K1						340
+#define OID_SECT224R1						341
+#define OID_SECT384R1						342
+#define OID_SECT521R1						343
+#define OID_SECT409K1						344
+#define OID_SECT409R1						345
+#define OID_SECT571K1						346
+#define OID_SECT571R1						347
+#define OID_AES128_CBC						356
+#define OID_AES128_GCM						357
+#define OID_AES128_CCM						358
+#define OID_AES192_CBC						359
+#define OID_AES192_GCM						360
+#define OID_AES192_CCM						361
+#define OID_AES256_CBC						362
+#define OID_AES256_GCM						363
+#define OID_AES256_CCM						364
+#define OID_SHA256							366
+#define OID_SHA384							367
+#define OID_SHA512							368
+#define OID_SHA224							369
+#define OID_NS_REVOCATION_URL				377
+#define OID_NS_CA_REVOCATION_URL			378
+#define OID_NS_CA_POLICY_URL				379
+#define OID_NS_COMMENT						380
+#define OID_EMPLOYEE_NUMBER					383
+#define OID_PKI_MESSAGE_TYPE				389
+#define OID_PKI_STATUS						390
+#define OID_PKI_FAIL_INFO					391
+#define OID_PKI_SENDER_NONCE				392
+#define OID_PKI_RECIPIENT_NONCE				393
+#define OID_PKI_TRANS_ID					394
+#define OID_TPM_MANUFACTURER				400
+#define OID_TPM_MODEL						401
+#define OID_TPM_VERSION						402
+#define OID_TPM_ID_LABEL					403
 
-#define OID_MAX								374
+#define OID_MAX								404
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.pl b/src/libstrongswan/asn1/oid.pl
index ed26febc9..82100e8aa 100644
--- a/src/libstrongswan/asn1/oid.pl
+++ b/src/libstrongswan/asn1/oid.pl
@@ -19,8 +19,6 @@ $copyright="Copyright (C) 2003-2008 Andreas Steffen, Hochschule fuer Technik Rap
 $automatic="This file has been automatically generated by the script oid.pl";
 $warning="Do not edit manually!";
 
-print "oid.pl generating oid.h and oid.c\n";
-
 # Generate oid.h
 
 open(OID_H,  ">oid.h")
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index c3ff1a9e7..740dc5073 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -48,7 +48,7 @@
     0x17                     "holdInstructionCode"
     0x18                     "invalidityDate"
     0x1B                     "deltaCrlIndicator"		OID_DELTA_CRL_INDICATOR
-    0x1C                     "issuingDistributionPoint"
+    0x1C                     "issuingDistributionPoint"	OID_ISSUING_DIST_POINT
     0x1D                     "certificateIssuer"
     0x1E                     "nameConstraints"			OID_NAME_CONSTRAINTS
     0x1F                     "crlDistributionPoints"	OID_CRL_DISTRIBUTION_POINTS
@@ -121,6 +121,25 @@
                 0x08         "unstructuredAddress"		OID_UNSTRUCTURED_ADDRESS
                 0x0E         "extensionRequest"			OID_EXTENSION_REQUEST
                 0x0F         "S/MIME Capabilities"
+                0x16         "certTypes"
+                  0x01       "X.509"					OID_X509_CERTIFICATE
+                  0x02       "SDSI"
+              0x0c           "PKCS-12"
+                0x01         "pbeIds"
+                  0x01       "pbeWithSHAAnd128BitRC4"	OID_PBE_SHA1_RC4_128
+                  0x02       "pbeWithSHAAnd40BitRC4"	OID_PBE_SHA1_RC4_40
+                  0x03       "pbeWithSHAAnd3-KeyTripleDES-CBC"	OID_PBE_SHA1_3DES_CBC
+                  0x04       "pbeWithSHAAnd2-KeyTripleDES-CBC"	OID_PBE_SHA1_3DES_2KEY_CBC
+                  0x05       "pbeWithSHAAnd128BitRC2-CBC"		OID_PBE_SHA1_RC2_CBC_128
+                  0x06       "pbeWithSHAAnd40BitRC2-CBC"		OID_PBE_SHA1_RC2_CBC_40
+                0x0a         "PKCS-12v1"
+                  0x01       "bagIds"
+                    0x01     "keyBag"					OID_P12_KEY_BAG
+                    0x02     "pkcs8ShroudedKeyBag"		OID_P12_PKCS8_KEY_BAG
+                    0x03     "certBag"					OID_P12_CERT_BAG
+                    0x04     "crlBag"					OID_P12_CRL_BAG
+                    0x05     "secretBag"
+                    0x06     "safeContentsBag"
             0x02             "digestAlgorithm"
               0x02           "md2"						OID_MD2
               0x05           "md5"						OID_MD5
@@ -213,7 +232,13 @@
               0x08           "timeStamping"
               0x09           "ocspSigning"				OID_OCSP_SIGNING
             0x08             "id-otherNames"
+              0x01           "personalData"
+              0x02           "userGroup"
+              0x03           "id-on-permanentIdentifier"
+              0x04           "id-on-hardwareModuleName"
               0x05           "xmppAddr"					OID_XMPP_ADDR
+              0x06           "id-on-SIM"
+              0x07           "id-on-dnsSRV"
             0x0A             "id-aca"
               0x01           "authenticationInfo"		OID_AUTHENTICATION_INFO
               0x02           "accessIdentity"			OID_ACCESS_IDENTITY
@@ -232,6 +257,9 @@
               0x02           "caIssuers"				OID_CA_ISSUERS
               0x03           "timeStamping"
               0x05           "caRepository"
+          0x08               "ipsec"
+            0x02             "certificate"
+              0x02           "iKEIntermediate"			OID_IKE_INTERMEDIATE
   0x0E                       "oiw"
     0x03                     "secsig"
       0x02                   "algorithms"
@@ -340,6 +368,8 @@
                 0x02         "id-SHA-384"				OID_SHA384
                 0x03         "id-SHA-512"				OID_SHA512
                 0x04         "id-SHA-224"				OID_SHA224
+                0x05         "id-SHA-512-224"
+                0x06         "id-SHA-512-256"
         0x86                 ""
           0xf8               ""
             0x42             "netscape"
diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
index fce0d1aef..29b9e7279 100644
--- a/src/libstrongswan/bio/bio_reader.c
+++ b/src/libstrongswan/bio/bio_reader.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -15,7 +18,7 @@
 
 #include "bio_reader.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_bio_reader_t private_bio_reader_t;
 
@@ -33,6 +36,11 @@ struct private_bio_reader_t {
 	 * Remaining data to process
 	 */
 	chunk_t buf;
+
+	/**
+	 * Optional data to free during destruction
+	 */
+	chunk_t cleanup;
 };
 
 METHOD(bio_reader_t, remaining, u_int32_t,
@@ -47,8 +55,38 @@ METHOD(bio_reader_t, peek, chunk_t,
 	return this->buf;
 }
 
-METHOD(bio_reader_t, read_uint8, bool,
-	private_bio_reader_t *this, u_int8_t *res)
+/**
+ * A version of chunk_skip() that supports skipping from the end (i.e. simply
+ * reducing the size)
+ */
+static inline chunk_t chunk_skip_end(chunk_t chunk, size_t bytes, bool from_end)
+{
+	if (chunk.len > bytes)
+	{
+		if (!from_end)
+		{
+			chunk.ptr += bytes;
+		}
+		chunk.len -= bytes;
+		return chunk;
+	}
+	return chunk_empty;
+}
+
+/**
+ * Returns a pointer to the data to read, optionally from the end
+ */
+static inline u_char *get_ptr_end(private_bio_reader_t *this, u_int32_t len,
+								  bool from_end)
+{
+	return from_end ? this->buf.ptr + (this->buf.len - len) : this->buf.ptr;
+}
+
+/**
+ * Read an u_int8_t from the buffer, optionally from the end of the buffer
+ */
+static bool read_uint8_internal(private_bio_reader_t *this, u_int8_t *res,
+								bool from_end)
 {
 	if (this->buf.len < 1)
 	{
@@ -56,13 +94,16 @@ METHOD(bio_reader_t, read_uint8, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = this->buf.ptr[0];
-	this->buf = chunk_skip(this->buf, 1);
+	*res = *get_ptr_end(this, 1, from_end);
+	this->buf = chunk_skip_end(this->buf, 1, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint16, bool,
-	private_bio_reader_t *this, u_int16_t *res)
+/**
+ * Read an u_int16_t from the buffer, optionally from the end
+ */
+static bool read_uint16_internal(private_bio_reader_t *this, u_int16_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 2)
 	{
@@ -70,13 +111,16 @@ METHOD(bio_reader_t, read_uint16, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh16(this->buf.ptr);
-	this->buf = chunk_skip(this->buf, 2);
+	*res = untoh16(get_ptr_end(this, 2, from_end));
+	this->buf = chunk_skip_end(this->buf, 2, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint24, bool,
-	private_bio_reader_t *this, u_int32_t *res)
+/**
+ * Read an u_int32_t (only 24-bit) from the buffer, optionally from the end
+ */
+static bool read_uint24_internal(private_bio_reader_t *this, u_int32_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 3)
 	{
@@ -84,13 +128,16 @@ METHOD(bio_reader_t, read_uint24, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh32(this->buf.ptr) >> 8;
-	this->buf = chunk_skip(this->buf, 3);
+	*res = untoh32(get_ptr_end(this, 3, from_end)) >> 8;
+	this->buf = chunk_skip_end(this->buf, 3, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint32, bool,
-	private_bio_reader_t *this, u_int32_t *res)
+/**
+ * Read an u_int32_t from the buffer, optionally from the end
+ */
+static bool read_uint32_internal(private_bio_reader_t *this, u_int32_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 4)
 	{
@@ -98,13 +145,16 @@ METHOD(bio_reader_t, read_uint32, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh32(this->buf.ptr);
-	this->buf = chunk_skip(this->buf, 4);
+	*res = untoh32(get_ptr_end(this, 4, from_end));
+	this->buf = chunk_skip_end(this->buf, 4, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_uint64, bool,
-	private_bio_reader_t *this, u_int64_t *res)
+/**
+ * Read an u_int64_t from the buffer, optionally from the end
+ */
+static bool read_uint64_internal(private_bio_reader_t *this, u_int64_t *res,
+								 bool from_end)
 {
 	if (this->buf.len < 8)
 	{
@@ -112,13 +162,16 @@ METHOD(bio_reader_t, read_uint64, bool,
 			 this->buf.len);
 		return FALSE;
 	}
-	*res = untoh64(this->buf.ptr);
-	this->buf = chunk_skip(this->buf, 8);
+	*res = untoh64(get_ptr_end(this, 8, from_end));
+	this->buf = chunk_skip_end(this->buf, 8, from_end);
 	return TRUE;
 }
 
-METHOD(bio_reader_t, read_data, bool,
-	private_bio_reader_t *this, u_int32_t len, chunk_t *res)
+/**
+ * Read a chunk of data from the buffer, optionally from the end
+ */
+static bool read_data_internal(private_bio_reader_t *this, u_int32_t len,
+							   chunk_t *res, bool from_end)
 {
 	if (this->buf.len < len)
 	{
@@ -126,11 +179,83 @@ METHOD(bio_reader_t, read_data, bool,
 			 this->buf.len, len);
 		return FALSE;
 	}
-	*res = chunk_create(this->buf.ptr, len);
-	this->buf = chunk_skip(this->buf, len);
+	*res = chunk_create(get_ptr_end(this, len, from_end), len);
+	this->buf = chunk_skip_end(this->buf, len, from_end);
 	return TRUE;
 }
 
+METHOD(bio_reader_t, read_uint8, bool,
+	private_bio_reader_t *this, u_int8_t *res)
+{
+	return read_uint8_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint16, bool,
+	private_bio_reader_t *this, u_int16_t *res)
+{
+	return read_uint16_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint24, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint24_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint32, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint32_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint64, bool,
+	private_bio_reader_t *this, u_int64_t *res)
+{
+	return read_uint64_internal(this, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_data, bool,
+	private_bio_reader_t *this, u_int32_t len, chunk_t *res)
+{
+	return read_data_internal(this, len, res, FALSE);
+}
+
+METHOD(bio_reader_t, read_uint8_end, bool,
+	private_bio_reader_t *this, u_int8_t *res)
+{
+	return read_uint8_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint16_end, bool,
+	private_bio_reader_t *this, u_int16_t *res)
+{
+	return read_uint16_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint24_end, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint24_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint32_end, bool,
+	private_bio_reader_t *this, u_int32_t *res)
+{
+	return read_uint32_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_uint64_end, bool,
+	private_bio_reader_t *this, u_int64_t *res)
+{
+	return read_uint64_internal(this, res, TRUE);
+}
+
+METHOD(bio_reader_t, read_data_end, bool,
+	private_bio_reader_t *this, u_int32_t len, chunk_t *res)
+{
+	return read_data_internal(this, len, res, TRUE);
+}
+
 METHOD(bio_reader_t, read_data8, bool,
 	private_bio_reader_t *this, chunk_t *res)
 {
@@ -182,6 +307,7 @@ METHOD(bio_reader_t, read_data32, bool,
 METHOD(bio_reader_t, destroy, void,
 	private_bio_reader_t *this)
 {
+	free(this->cleanup.ptr);
 	free(this);
 }
 
@@ -202,6 +328,12 @@ bio_reader_t *bio_reader_create(chunk_t data)
 			.read_uint32 = _read_uint32,
 			.read_uint64 = _read_uint64,
 			.read_data = _read_data,
+			.read_uint8_end = _read_uint8_end,
+			.read_uint16_end = _read_uint16_end,
+			.read_uint24_end = _read_uint24_end,
+			.read_uint32_end = _read_uint32_end,
+			.read_uint64_end = _read_uint64_end,
+			.read_data_end = _read_data_end,
 			.read_data8 = _read_data8,
 			.read_data16 = _read_data16,
 			.read_data24 = _read_data24,
@@ -213,3 +345,17 @@ bio_reader_t *bio_reader_create(chunk_t data)
 
 	return &this->public;
 }
+
+/**
+ * See header
+ */
+bio_reader_t *bio_reader_create_own(chunk_t data)
+{
+	private_bio_reader_t *this;
+
+	this = (private_bio_reader_t*)bio_reader_create(data);
+
+	this->cleanup = data;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/bio/bio_reader.h b/src/libstrongswan/bio/bio_reader.h
index 85434a784..475422428 100644
--- a/src/libstrongswan/bio/bio_reader.h
+++ b/src/libstrongswan/bio/bio_reader.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -27,6 +30,8 @@ typedef struct bio_reader_t bio_reader_t;
 
 /**
  * Buffered input parser.
+ *
+ * @note Integers are returned in host byte order.
  */
 struct bio_reader_t {
 
@@ -94,6 +99,55 @@ struct bio_reader_t {
 	bool (*read_data)(bio_reader_t *this, u_int32_t len, chunk_t *res);
 
 	/**
+	 * Read a 8-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint8_end)(bio_reader_t *this, u_int8_t *res);
+
+	/**
+	 * Read a 16-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint16_end)(bio_reader_t *this, u_int16_t *res);
+
+	/**
+	 * Read a 24-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint24_end)(bio_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a 32-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint32_end)(bio_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a 64-bit integer from the end of the buffer, reduce remaining.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint64_end)(bio_reader_t *this, u_int64_t *res);
+
+	/**
+	 * Read a chunk of len bytes from the end of the buffer, reduce remaining.
+	 *
+	 * @param len		number of bytes to read
+	 * @param res		ponter to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data_end)(bio_reader_t *this, u_int32_t len, chunk_t *res);
+
+	/**
 	 * Read a chunk of bytes with a 8-bit length header, advance.
 	 *
 	 * @param res		pointer to result, not cloned
@@ -133,7 +187,18 @@ struct bio_reader_t {
 
 /**
  * Create a bio_reader instance.
+ *
+ * @param data			data buffer, must survive lifetime of reader
+ * @return				reader
  */
 bio_reader_t *bio_reader_create(chunk_t data);
 
-#endif /** bio_reader_H_ @}*/
+/**
+ * Create a bio_reader instance owning buffer.
+ *
+ * @param data			data buffer, gets freed with destroy()
+ * @return				reader
+ */
+bio_reader_t *bio_reader_create_own(chunk_t data);
+
+#endif /** BIO_READER_H_ @}*/
diff --git a/src/libstrongswan/bio/bio_writer.c b/src/libstrongswan/bio/bio_writer.c
index bf373d6ac..152d9ce22 100644
--- a/src/libstrongswan/bio/bio_writer.c
+++ b/src/libstrongswan/bio/bio_writer.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -44,21 +47,27 @@ struct private_bio_writer_t {
 };
 
 /**
- * Increase buffer size
+ * Increase buffer size, if required
  */
-static void increase(private_bio_writer_t *this)
+static inline void increase(private_bio_writer_t *this, size_t required)
 {
-	this->buf.len += this->increase;
-	this->buf.ptr = realloc(this->buf.ptr, this->buf.len);
+	bool inc = FALSE;
+
+	while (this->used + required > this->buf.len)
+	{
+		this->buf.len += this->increase;
+		inc = TRUE;
+	}
+	if (inc)
+	{
+		this->buf.ptr = realloc(this->buf.ptr, this->buf.len);
+	}
 }
 
 METHOD(bio_writer_t, write_uint8, void,
 	private_bio_writer_t *this, u_int8_t value)
 {
-	if (this->used + 1 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 1);
 	this->buf.ptr[this->used] = value;
 	this->used += 1;
 }
@@ -66,10 +75,7 @@ METHOD(bio_writer_t, write_uint8, void,
 METHOD(bio_writer_t, write_uint16, void,
 	private_bio_writer_t *this, u_int16_t value)
 {
-	if (this->used + 2 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 2);
 	htoun16(this->buf.ptr + this->used, value);
 	this->used += 2;
 }
@@ -77,10 +83,7 @@ METHOD(bio_writer_t, write_uint16, void,
 METHOD(bio_writer_t, write_uint24, void,
 	private_bio_writer_t *this, u_int32_t value)
 {
-	if (this->used + 3 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 3);
 	value = htonl(value);
 	memcpy(this->buf.ptr + this->used, ((char*)&value) + 1, 3);
 	this->used += 3;
@@ -89,10 +92,7 @@ METHOD(bio_writer_t, write_uint24, void,
 METHOD(bio_writer_t, write_uint32, void,
 	private_bio_writer_t *this, u_int32_t value)
 {
-	if (this->used + 4 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 4);
 	htoun32(this->buf.ptr + this->used, value);
 	this->used += 4;
 }
@@ -100,10 +100,7 @@ METHOD(bio_writer_t, write_uint32, void,
 METHOD(bio_writer_t, write_uint64, void,
 	private_bio_writer_t *this, u_int64_t value)
 {
-	if (this->used + 8 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 8);
 	htoun64(this->buf.ptr + this->used, value);
 	this->used += 8;
 }
@@ -111,10 +108,7 @@ METHOD(bio_writer_t, write_uint64, void,
 METHOD(bio_writer_t, write_data, void,
 	private_bio_writer_t *this, chunk_t value)
 {
-	while (this->used + value.len > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, value.len);
 	memcpy(this->buf.ptr + this->used, value.ptr, value.len);
 	this->used += value.len;
 }
@@ -122,6 +116,7 @@ METHOD(bio_writer_t, write_data, void,
 METHOD(bio_writer_t, write_data8, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 1 + value.len);
 	write_uint8(this, value.len);
 	write_data(this, value);
 }
@@ -129,6 +124,7 @@ METHOD(bio_writer_t, write_data8, void,
 METHOD(bio_writer_t, write_data16, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 2 + value.len);
 	write_uint16(this, value.len);
 	write_data(this, value);
 }
@@ -136,6 +132,7 @@ METHOD(bio_writer_t, write_data16, void,
 METHOD(bio_writer_t, write_data24, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 3 + value.len);
 	write_uint24(this, value.len);
 	write_data(this, value);
 }
@@ -143,6 +140,7 @@ METHOD(bio_writer_t, write_data24, void,
 METHOD(bio_writer_t, write_data32, void,
 	private_bio_writer_t *this, chunk_t value)
 {
+	increase(this, 4 + value.len);
 	write_uint32(this, value.len);
 	write_data(this, value);
 }
@@ -150,10 +148,7 @@ METHOD(bio_writer_t, write_data32, void,
 METHOD(bio_writer_t, wrap8, void,
 	private_bio_writer_t *this)
 {
-	if (this->used + 1 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 1);
 	memmove(this->buf.ptr + 1, this->buf.ptr, this->used);
 	this->buf.ptr[0] = this->used;
 	this->used += 1;
@@ -162,10 +157,7 @@ METHOD(bio_writer_t, wrap8, void,
 METHOD(bio_writer_t, wrap16, void,
 	private_bio_writer_t *this)
 {
-	if (this->used + 2 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 2);
 	memmove(this->buf.ptr + 2, this->buf.ptr, this->used);
 	htoun16(this->buf.ptr, this->used);
 	this->used += 2;
@@ -176,10 +168,7 @@ METHOD(bio_writer_t, wrap24, void,
 {
 	u_int32_t len;
 
-	if (this->used + 3 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 3);
 	memmove(this->buf.ptr + 3, this->buf.ptr, this->used);
 
 	len = htonl(this->used);
@@ -190,21 +179,38 @@ METHOD(bio_writer_t, wrap24, void,
 METHOD(bio_writer_t, wrap32, void,
 	private_bio_writer_t *this)
 {
-	if (this->used + 4 > this->buf.len)
-	{
-		increase(this);
-	}
+	increase(this, 4);
 	memmove(this->buf.ptr + 4, this->buf.ptr, this->used);
 	htoun32(this->buf.ptr, this->used);
 	this->used += 4;
 }
 
+METHOD(bio_writer_t, skip, chunk_t,
+	private_bio_writer_t *this, size_t len)
+{
+	chunk_t skipped;
+
+	increase(this, len);
+	skipped = chunk_create(this->buf.ptr + this->used, len);
+	this->used += len;
+	return skipped;
+}
+
 METHOD(bio_writer_t, get_buf, chunk_t,
 	private_bio_writer_t *this)
 {
 	return chunk_create(this->buf.ptr, this->used);
 }
 
+METHOD(bio_writer_t, extract_buf, chunk_t,
+	private_bio_writer_t *this)
+{
+	chunk_t buf = get_buf(this);
+	this->buf = chunk_empty;
+	this->used = 0;
+	return buf;
+}
+
 METHOD(bio_writer_t, destroy, void,
 	private_bio_writer_t *this)
 {
@@ -235,7 +241,9 @@ bio_writer_t *bio_writer_create(u_int32_t bufsize)
 			.wrap16 = _wrap16,
 			.wrap24 = _wrap24,
 			.wrap32 = _wrap32,
+			.skip = _skip,
 			.get_buf = _get_buf,
+			.extract_buf = _extract_buf,
 			.destroy = _destroy,
 		},
 		.increase = bufsize ? max(bufsize, 4) : 32,
diff --git a/src/libstrongswan/bio/bio_writer.h b/src/libstrongswan/bio/bio_writer.h
index 0b50f7882..2ac4f3556 100644
--- a/src/libstrongswan/bio/bio_writer.h
+++ b/src/libstrongswan/bio/bio_writer.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -27,6 +30,8 @@ typedef struct bio_writer_t bio_writer_t;
 
 /**
  * Buffered output generator.
+ *
+ * @note Integers are converted to network byte order before writing.
  */
 struct bio_writer_t {
 
@@ -121,6 +126,18 @@ struct bio_writer_t {
 	void (*wrap32)(bio_writer_t *this);
 
 	/**
+	 * Skips len bytes in the buffer, return chunk of skipped data.
+	 *
+	 * The returned chunk is not valid after calling any other writer function
+	 * (except get_buf()), because a buffer reallocation might move the
+	 * internal buffer to a different memory location!
+	 *
+	 * @param len		number of bytes to skip
+	 * @return			chunk pointing to skipped bytes in the internal buffer
+	 */
+	chunk_t (*skip)(bio_writer_t *this, size_t len);
+
+	/**
 	 * Get the encoded data buffer.
 	 *
 	 * @return			chunk to internal buffer
@@ -128,6 +145,14 @@ struct bio_writer_t {
 	chunk_t (*get_buf)(bio_writer_t *this);
 
 	/**
+	 * Return the encoded data buffer and detach it from the writer (resets
+	 * the internal buffer).
+	 *
+	 * @return			chunk to internal buffer (has to be freed)
+	 */
+	chunk_t (*extract_buf)(bio_writer_t *this);
+
+	/**
 	 * Destroy a bio_writer_t.
 	 */
 	void (*destroy)(bio_writer_t *this);
@@ -136,6 +161,9 @@ struct bio_writer_t {
 /**
  * Create a bio_writer instance.
  *
+ * The size of the internal buffer is increased automatically by bufsize (or a
+ * default if not given) if the initial size does not suffice.
+ *
  * @param bufsize		initially allocated buffer size
  */
 bio_writer_t *bio_writer_create(u_int32_t bufsize);
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
deleted file mode 100644
index 9397c4e44..000000000
--- a/src/libstrongswan/chunk.c
+++ /dev/null
@@ -1,690 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <errno.h>
-#include <ctype.h>
-
-#include "chunk.h"
-#include "debug.h"
-
-/* required for chunk_hash */
-#undef get16bits
-#if (defined(__GNUC__) && defined(__i386__))
-#define get16bits(d) (*((const u_int16_t*)(d)))
-#endif
-#if !defined (get16bits)
-#define get16bits(d) ((((u_int32_t)(((const u_int8_t*)(d))[1])) << 8)\
-                      + (u_int32_t)(((const u_int8_t*)(d))[0]) )
-#endif
-
-/**
- * Empty chunk.
- */
-chunk_t chunk_empty = { NULL, 0 };
-
-/**
- * Described in header.
- */
-chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
-{
-	chunk_t clone = chunk_empty;
-
-	if (chunk.ptr && chunk.len > 0)
-	{
-		clone.ptr = ptr;
-		clone.len = chunk.len;
-		memcpy(clone.ptr, chunk.ptr, chunk.len);
-	}
-
-	return clone;
-}
-
-/**
- * Described in header.
- */
-size_t chunk_length(const char* mode, ...)
-{
-	va_list chunks;
-	size_t length = 0;
-
-	va_start(chunks, mode);
-	while (TRUE)
-	{
-		switch (*mode++)
-		{
-			case 'm':
-			case 'c':
-			case 's':
-			{
-				chunk_t ch = va_arg(chunks, chunk_t);
-				length += ch.len;
-				continue;
-			}
-			default:
-				break;
-		}
-		break;
-	}
-	va_end(chunks);
-	return length;
-}
-
-/**
- * Described in header.
- */
-chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
-{
-	va_list chunks;
-	chunk_t construct = chunk_create(ptr, 0);
-
-	va_start(chunks, mode);
-	while (TRUE)
-	{
-		bool free_chunk = FALSE, clear_chunk = FALSE;
-		chunk_t ch;
-
-		switch (*mode++)
-		{
-			case 's':
-				clear_chunk = TRUE;
-				/* FALL */
-			case 'm':
-				free_chunk = TRUE;
-				/* FALL */
-			case 'c':
-				ch = va_arg(chunks, chunk_t);
-				memcpy(ptr, ch.ptr, ch.len);
-				ptr += ch.len;
-				construct.len += ch.len;
-				if (clear_chunk)
-				{
-					chunk_clear(&ch);
-				}
-				else if (free_chunk)
-				{
-					free(ch.ptr);
-				}
-				continue;
-			default:
-				break;
-		}
-		break;
-	}
-	va_end(chunks);
-
-	return construct;
-}
-
-/**
- * Described in header.
- */
-void chunk_split(chunk_t chunk, const char *mode, ...)
-{
-	va_list chunks;
-	u_int len;
-	chunk_t *ch;
-
-	va_start(chunks, mode);
-	while (TRUE)
-	{
-		if (*mode == '\0')
-		{
-			break;
-		}
-		len = va_arg(chunks, u_int);
-		ch = va_arg(chunks, chunk_t*);
-		/* a null chunk means skip len bytes */
-		if (ch == NULL)
-		{
-			chunk = chunk_skip(chunk, len);
-			continue;
-		}
-		switch (*mode++)
-		{
-			case 'm':
-			{
-				ch->len = min(chunk.len, len);
-				if (ch->len)
-				{
-					ch->ptr = chunk.ptr;
-				}
-				else
-				{
-					ch->ptr = NULL;
-				}
-				chunk = chunk_skip(chunk, ch->len);
-				continue;
-			}
-			case 'a':
-			{
-				ch->len = min(chunk.len, len);
-				if (ch->len)
-				{
-					ch->ptr = malloc(ch->len);
-					memcpy(ch->ptr, chunk.ptr, ch->len);
-				}
-				else
-				{
-					ch->ptr = NULL;
-				}
-				chunk = chunk_skip(chunk, ch->len);
-				continue;
-			}
-			case 'c':
-			{
-				ch->len = min(ch->len, chunk.len);
-				ch->len = min(ch->len, len);
-				if (ch->len)
-				{
-					memcpy(ch->ptr, chunk.ptr, ch->len);
-				}
-				else
-				{
-					ch->ptr = NULL;
-				}
-				chunk = chunk_skip(chunk, ch->len);
-				continue;
-			}
-			default:
-				break;
-		}
-		break;
-	}
-	va_end(chunks);
-}
-
-/**
- * Described in header.
- */
-bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force)
-{
-	mode_t oldmask;
-	FILE *fd;
-	bool good = FALSE;
-
-	if (!force && access(path, F_OK) == 0)
-	{
-		DBG1(DBG_LIB, "  %s file '%s' already exists", label, path);
-		return FALSE;
-	}
-	oldmask = umask(mask);
-	fd = fopen(path, "w");
-	if (fd)
-	{
-		if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
-		{
-			DBG1(DBG_LIB, "  written %s file '%s' (%d bytes)",
-				 label, path, chunk.len);
-			good = TRUE;
-		}
-		else
-		{
-			DBG1(DBG_LIB, "  writing %s file '%s' failed: %s",
-				 label, path, strerror(errno));
-		}
-		fclose(fd);
-	}
-	else
-	{
-		DBG1(DBG_LIB, "  could not open %s file '%s': %s", label, path,
-			 strerror(errno));
-	}
-	umask(oldmask);
-	return good;
-}
-
-
-/** hex conversion digits */
-static char hexdig_upper[] = "0123456789ABCDEF";
-static char hexdig_lower[] = "0123456789abcdef";
-
-/**
- * Described in header.
- */
-chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
-{
-	int i, len;
-	char *hexdig = hexdig_lower;
-
-	if (uppercase)
-	{
-		hexdig = hexdig_upper;
-	}
-
-	len = chunk.len * 2;
-	if (!buf)
-	{
-		buf = malloc(len + 1);
-	}
-	buf[len] = '\0';
-
-	for (i = 0; i < chunk.len; i++)
-	{
-		buf[i*2]   = hexdig[(chunk.ptr[i] >> 4) & 0xF];
-		buf[i*2+1] = hexdig[(chunk.ptr[i]     ) & 0xF];
-	}
-	return chunk_create(buf, len);
-}
-
-/**
- * convert a signle hex character to its binary value
- */
-static char hex2bin(char hex)
-{
-	switch (hex)
-	{
-		case '0' ... '9':
-			return hex - '0';
-		case 'A' ... 'F':
-			return hex - 'A' + 10;
-		case 'a' ... 'f':
-			return hex - 'a' + 10;
-		default:
-			return 0;
-	}
-}
-
-/**
- * Described in header.
- */
-chunk_t chunk_from_hex(chunk_t hex, char *buf)
-{
-	int i, len;
-	u_char *ptr;
-	bool odd = FALSE;
-
-   /* subtract the number of optional ':' separation characters */
-	len = hex.len;
-	ptr = hex.ptr;
-	for (i = 0; i < hex.len; i++)
-	{
-		if (*ptr++ == ':')
-		{
-			len--;
-		}
-	}
-
-	/* compute the number of binary bytes */
-	if (len % 2)
-	{
-		odd = TRUE;
-		len++;
-	}
-	len /= 2;
-
-	/* allocate buffer memory unless provided by caller */
-	if (!buf)
-	{
-		buf = malloc(len);
-	}
-
-	/* buffer is filled from the right */
-	memset(buf, 0, len);
-	hex.ptr += hex.len;
-
-	for (i = len - 1; i >= 0; i--)
-	{
-		/* skip separation characters */
-		if (*(--hex.ptr) == ':')
-		{
-			--hex.ptr;
-		}
-		buf[i] = hex2bin(*hex.ptr);
-		if (i > 0 || !odd)
-		{
-			buf[i] |= hex2bin(*(--hex.ptr)) << 4;
-		}
-	}
-	return chunk_create(buf, len);
-}
-
-/** base 64 conversion digits */
-static char b64digits[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-/**
- * Described in header.
- */
-chunk_t chunk_to_base64(chunk_t chunk, char *buf)
-{
-	int i, len;
-	char *pos;
-
-	len = chunk.len + ((3 - chunk.len % 3) % 3);
-	if (!buf)
-	{
-		buf = malloc(len * 4 / 3 + 1);
-	}
-	pos = buf;
-	for (i = 0; i < len; i+=3)
-	{
-		*pos++ = b64digits[chunk.ptr[i] >> 2];
-		if (i+1 >= chunk.len)
-		{
-			*pos++ = b64digits[(chunk.ptr[i] & 0x03) << 4];
-			*pos++ = '=';
-			*pos++ = '=';
-			break;
-		}
-		*pos++ = b64digits[((chunk.ptr[i] & 0x03) << 4) | (chunk.ptr[i+1] >> 4)];
-		if (i+2 >= chunk.len)
-		{
-			*pos++ = b64digits[(chunk.ptr[i+1] & 0x0F) << 2];
-			*pos++ = '=';
-			break;
-		}
-		*pos++ = b64digits[((chunk.ptr[i+1] & 0x0F) << 2) | (chunk.ptr[i+2] >> 6)];
-		*pos++ = b64digits[chunk.ptr[i+2] & 0x3F];
-	}
-	*pos = '\0';
-	return chunk_create(buf, len * 4 / 3);
-}
-
-/**
- * convert a base 64 digit to its binary form (inversion of b64digits array)
- */
-static int b642bin(char b64)
-{
-	switch (b64)
-	{
-		case 'A' ... 'Z':
-			return b64 - 'A';
-		case 'a' ... 'z':
-			return ('Z' - 'A' + 1) + b64 - 'a';
-		case '0' ... '9':
-			return ('Z' - 'A' + 1) + ('z' - 'a' + 1) + b64 - '0';
-		case '+':
-		case '-':
-			return 62;
-		case '/':
-		case '_':
-			return 63;
-		case '=':
-			return 0;
-		default:
-			return -1;
-	}
-}
-
-/**
- * Described in header.
- */
-chunk_t chunk_from_base64(chunk_t base64, char *buf)
-{
-	u_char *pos, byte[4];
-	int i, j, len, outlen;
-
-	len = base64.len / 4 * 3;
-	if (!buf)
-	{
-		buf = malloc(len);
-	}
-	pos = base64.ptr;
-	outlen = 0;
-	for (i = 0; i < len; i+=3)
-	{
-		outlen += 3;
-		for (j = 0; j < 4; j++)
-		{
-			if (*pos == '=')
-			{
-				outlen--;
-			}
-			byte[j] = b642bin(*pos++);
-		}
-		buf[i] = (byte[0] << 2) | (byte[1] >> 4);
-		buf[i+1] = (byte[1] << 4) | (byte[2] >> 2);
-		buf[i+2] = (byte[2] << 6) | (byte[3]);
-	}
-	return chunk_create(buf, outlen);
-}
-
-/** base 32 conversion digits */
-static char b32digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-
-/**
- * Described in header.
- */
-chunk_t chunk_to_base32(chunk_t chunk, char *buf)
-{
-	int i, len;
-	char *pos;
-
-	len = chunk.len + ((5 - chunk.len % 5) % 5);
-	if (!buf)
-	{
-		buf = malloc(len * 8 / 5 + 1);
-	}
-	pos = buf;
-	for (i = 0; i < len; i+=5)
-	{
-		*pos++ = b32digits[chunk.ptr[i] >> 3];
-		if (i+1 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i] & 0x07) << 2];
-			memset(pos, '=', 6);
-			pos += 6;
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i] & 0x07) << 2) |
-						   (chunk.ptr[i+1] >> 6)];
-		*pos++ = b32digits[(chunk.ptr[i+1] & 0x3E) >> 1];
-		if (i+2 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i+1] & 0x01) << 4];
-			memset(pos, '=', 4);
-			pos += 4;
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i+1] & 0x01) << 4) |
-						   (chunk.ptr[i+2] >> 4)];
-		if (i+3 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i+2] & 0x0F) << 1];
-			memset(pos, '=', 3);
-			pos += 3;
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i+2] & 0x0F) << 1) |
-						   (chunk.ptr[i+3] >> 7)];
-		*pos++ = b32digits[(chunk.ptr[i+3] & 0x7F) >> 2];
-		if (i+4 >= chunk.len)
-		{
-			*pos++ = b32digits[(chunk.ptr[i+3] & 0x03) << 3];
-			*pos++ = '=';
-			break;
-		}
-		*pos++ = b32digits[((chunk.ptr[i+3] & 0x03) << 3) |
-						   (chunk.ptr[i+4] >> 5)];
-		*pos++ = b32digits[chunk.ptr[i+4] & 0x1F];
-	}
-	*pos = '\0';
-	return chunk_create(buf, len * 8 / 5);
-}
-
-/**
- * Described in header.
- */
-int chunk_compare(chunk_t a, chunk_t b)
-{
-	int compare_len = a.len - b.len;
-	int len = (compare_len < 0)? a.len : b.len;
-
-	if (compare_len != 0 || len == 0)
-	{
-		return compare_len;
-	}
-	return memcmp(a.ptr, b.ptr, len);
-};
-
-
-/**
- * Described in header.
- */
-bool chunk_increment(chunk_t chunk)
-{
-	int i;
-
-	for (i = chunk.len - 1; i >= 0; i--)
-	{
-		if (++chunk.ptr[i] != 0)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Remove non-printable characters from a chunk.
- */
-bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
-{
-	bool printable = TRUE;
-	int i;
-
-	if (sane)
-	{
-		*sane = chunk_clone(chunk);
-	}
-	for (i = 0; i < chunk.len; i++)
-	{
-		if (!isprint(chunk.ptr[i]))
-		{
-			if (sane)
-			{
-				sane->ptr[i] = replace;
-			}
-			printable = FALSE;
-		}
-	}
-	return printable;
-}
-
-/**
- * Described in header.
- *
- * The implementation is based on Paul Hsieh's SuperFastHash:
- *	 http://www.azillionmonkeys.com/qed/hash.html
- */
-u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
-{
-	u_char *data = chunk.ptr;
-	size_t len = chunk.len;
-	u_int32_t tmp;
-	int rem;
-
-	if (!len || data == NULL)
-	{
-		return 0;
-	}
-
-	rem = len & 3;
-	len >>= 2;
-
-	/* Main loop */
-	for (; len > 0; --len)
-	{
-		hash += get16bits(data);
-		tmp   = (get16bits(data + 2) << 11) ^ hash;
-		hash  = (hash << 16) ^ tmp;
-		data += 2 * sizeof(u_int16_t);
-		hash += hash >> 11;
-	}
-
-	/* Handle end cases */
-	switch (rem)
-	{
-		case 3:
-		{
-			hash += get16bits(data);
-			hash ^= hash << 16;
-			hash ^= data[sizeof(u_int16_t)] << 18;
-			hash += hash >> 11;
-			break;
-		}
-		case 2:
-		{
-			hash += get16bits(data);
-			hash ^= hash << 11;
-			hash += hash >> 17;
-			break;
-		}
-		case 1:
-		{
-			hash += *data;
-			hash ^= hash << 10;
-			hash += hash >> 1;
-			break;
-		}
-	}
-
-	/* Force "avalanching" of final 127 bits */
-	hash ^= hash << 3;
-	hash += hash >> 5;
-	hash ^= hash << 4;
-	hash += hash >> 17;
-	hash ^= hash << 25;
-	hash += hash >> 6;
-
-	return hash;
-}
-
-/**
- * Described in header.
- */
-u_int32_t chunk_hash(chunk_t chunk)
-{
-	return chunk_hash_inc(chunk, chunk.len);
-}
-
-/**
- * Described in header.
- */
-int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-					  const void *const *args)
-{
-	chunk_t *chunk = *((chunk_t**)(args[0]));
-	bool first = TRUE;
-	chunk_t copy = *chunk;
-	int written = 0;
-
-	if (!spec->hash)
-	{
-		u_int chunk_len = chunk->len;
-		const void *new_args[] = {&chunk->ptr, &chunk_len};
-		return mem_printf_hook(dst, len, spec, new_args);
-	}
-
-	while (copy.len > 0)
-	{
-		if (first)
-		{
-			first = FALSE;
-		}
-		else
-		{
-			written += print_in_hook(dst, len, ":");
-		}
-		written += print_in_hook(dst, len, "%02x", *copy.ptr++);
-		copy.len--;
-	}
-	return written;
-}
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
new file mode 100644
index 000000000..387e2a57d
--- /dev/null
+++ b/src/libstrongswan/collections/array.c
@@ -0,0 +1,416 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "array.h"
+
+/**
+ * Data is an allocated block, with potentially unused head and tail:
+ *
+ *   "esize" each (or sizeof(void*) if esize = 0)
+ *  /-\ /-\ /-\ /-\ /-\ /-\
+ *
+ * +---------------+-------------------------------+---------------+
+ * | h | e | a | d | e | l | e | m | e | n | t | s | t | a | i | l |
+ * +---------------+-------------------------------+---------------+
+ *
+ * \--------------/ \-----------------------------/ \-------------/
+ *      unused                    used                   unused
+ *      "head"                   "count"                 "tail"
+ *
+ */
+struct array_t {
+	/** number of elements currently in array (not counting head/tail) */
+	u_int32_t count;
+	/** size of each element, 0 for a pointer based array */
+	u_int16_t esize;
+	/** allocated but unused elements at array front */
+	u_int8_t head;
+	/** allocated but unused elements at array end */
+	u_int8_t tail;
+	/** array elements */
+	void *data;
+};
+
+/** maximum number of unused head/tail elements before cleanup */
+#define ARRAY_MAX_UNUSED 32
+
+/**
+ * Get the actual size of a number of elements
+ */
+static size_t get_size(array_t *array, u_int32_t num)
+{
+	if (array->esize)
+	{
+		return array->esize * num;
+	}
+	return sizeof(void*) * num;
+}
+
+/**
+ * Increase allocated but unused tail room to at least "room"
+ */
+static void make_tail_room(array_t *array, u_int8_t room)
+{
+	if (array->tail < room)
+	{
+		array->data = realloc(array->data,
+						get_size(array, array->count + array->head + room));
+		array->tail = room;
+	}
+}
+
+/**
+ * Increase allocated but unused head room to at least "room"
+ */
+static void make_head_room(array_t *array, u_int8_t room)
+{
+	if (array->head < room)
+	{
+		u_int8_t increase = room - array->head;
+
+		array->data = realloc(array->data,
+						get_size(array, array->count + array->tail + room));
+		memmove(array->data + get_size(array, increase), array->data,
+				get_size(array, array->count + array->tail + array->head));
+		array->head = room;
+	}
+}
+
+/**
+ * Make space for an item at index using tail room
+ */
+static void insert_tail(array_t *array, int idx)
+{
+	make_tail_room(array, 1);
+	/* move up all elements after idx by one */
+	memmove(array->data + get_size(array, array->head + idx + 1),
+			array->data + get_size(array, array->head + idx),
+			get_size(array, array->count - idx));
+
+	array->tail--;
+	array->count++;
+}
+
+/**
+ * Make space for an item at index using head room
+ */
+static void insert_head(array_t *array, int idx)
+{
+	make_head_room(array, 1);
+	/* move down all elements before idx by one */
+	memmove(array->data + get_size(array, array->head - 1),
+			array->data + get_size(array, array->head),
+			get_size(array, idx));
+
+	array->head--;
+	array->count++;
+}
+
+/**
+ * Remove an item, increase tail
+ */
+static void remove_tail(array_t *array, int idx)
+{
+	/* move all items after idx one down */
+	memmove(array->data + get_size(array, idx + array->head),
+			array->data + get_size(array, idx + array->head + 1),
+			get_size(array, array->count - idx));
+	array->count--;
+	array->tail++;
+}
+
+/**
+ * Remove an item, increase head
+ */
+static void remove_head(array_t *array, int idx)
+{
+	/* move all items before idx one up */
+	memmove(array->data + get_size(array, array->head + 1),
+			array->data + get_size(array, array->head), get_size(array, idx));
+	array->count--;
+	array->head++;
+}
+
+array_t *array_create(u_int esize, u_int8_t reserve)
+{
+	array_t *array;
+
+	INIT(array,
+		.esize = esize,
+		.tail = reserve,
+	);
+	if (array->tail)
+	{
+		array->data = malloc(array->tail * array->esize);
+	}
+	return array;
+}
+
+int array_count(array_t *array)
+{
+	if (array)
+	{
+		return array->count;
+	}
+	return 0;
+}
+
+void array_compress(array_t *array)
+{
+	if (array)
+	{
+		u_int32_t tail;
+
+		tail = array->tail;
+		if (array->head)
+		{
+			memmove(array->data, array->data + get_size(array, array->head),
+					get_size(array, array->count + array->tail));
+			tail += array->head;
+			array->head = 0;
+		}
+		if (tail)
+		{
+			array->data = realloc(array->data, get_size(array, array->count));
+			array->tail = 0;
+		}
+	}
+}
+
+typedef struct {
+	/** public enumerator interface */
+	enumerator_t public;
+	/** enumerated array */
+	array_t *array;
+	/** current index +1, initialized at 0 */
+	int idx;
+} array_enumerator_t;
+
+METHOD(enumerator_t, enumerate, bool,
+	array_enumerator_t *this, void **out)
+{
+	void *pos;
+
+	if (this->idx >= this->array->count)
+	{
+		return FALSE;
+	}
+
+	pos = this->array->data +
+		  get_size(this->array, this->idx + this->array->head);
+	if (this->array->esize)
+	{
+		/* for element based arrays we return a pointer to the element */
+		*out = pos;
+	}
+	else
+	{
+		/* for pointer based arrays we return the pointer directly */
+		*out = *(void**)pos;
+	}
+	this->idx++;
+	return TRUE;
+}
+
+enumerator_t* array_create_enumerator(array_t *array)
+{
+	array_enumerator_t *enumerator;
+
+	if (!array)
+	{
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate,
+			.destroy = (void*)free,
+		},
+		.array = array,
+	);
+	return &enumerator->public;
+}
+
+void array_remove_at(array_t *array, enumerator_t *public)
+{
+	array_enumerator_t *enumerator = (array_enumerator_t*)public;
+
+	if (enumerator->idx)
+	{
+		array_remove(array, --enumerator->idx, NULL);
+	}
+}
+
+void array_insert_create(array_t **array, int idx, void *ptr)
+{
+	if (*array == NULL)
+	{
+		*array = array_create(0, 0);
+	}
+	array_insert(*array, idx, ptr);
+}
+
+void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator)
+{
+	void *ptr;
+
+	while (enumerator->enumerate(enumerator, &ptr))
+	{
+		array_insert(array, idx, ptr);
+	}
+	enumerator->destroy(enumerator);
+}
+
+void array_insert(array_t *array, int idx, void *data)
+{
+	if (idx < 0 || idx <= array_count(array))
+	{
+		void *pos;
+
+		if (idx < 0)
+		{
+			idx = array_count(array);
+		}
+
+		if (array->head && !array->tail)
+		{
+			insert_head(array, idx);
+		}
+		else if (array->tail && !array->head)
+		{
+			insert_tail(array, idx);
+		}
+		else if (idx > array_count(array) / 2)
+		{
+			insert_tail(array, idx);
+		}
+		else
+		{
+			insert_head(array, idx);
+		}
+
+		pos = array->data + get_size(array, array->head + idx);
+		if (array->esize)
+		{
+			memcpy(pos, data, get_size(array, 1));
+		}
+		else
+		{
+			/* pointer based array, copy pointer value */
+			*(void**)pos = data;
+		}
+	}
+}
+
+bool array_remove(array_t *array, int idx, void *data)
+{
+	if (!array)
+	{
+		return FALSE;
+	}
+	if (idx >= 0 && idx >= array_count(array))
+	{
+		return FALSE;
+	}
+	if (idx < 0)
+	{
+		if (array_count(array) == 0)
+		{
+			return FALSE;
+		}
+		idx = array_count(array) - 1;
+	}
+	if (data)
+	{
+		memcpy(data, array->data + get_size(array, array->head + idx),
+			   get_size(array, 1));
+	}
+	if (idx > array_count(array) / 2)
+	{
+		remove_tail(array, idx);
+	}
+	else
+	{
+		remove_head(array, idx);
+	}
+	if (array->head + array->tail > ARRAY_MAX_UNUSED)
+	{
+		array_compress(array);
+	}
+	return TRUE;
+}
+
+void array_invoke(array_t *array, array_callback_t cb, void *user)
+{
+	if (array)
+	{
+		void *obj;
+		int i;
+
+		for (i = array->head; i < array->count + array->head; i++)
+		{
+			obj = array->data + get_size(array, i);
+			if (!array->esize)
+			{
+				/* dereference if we store store pointers */
+				obj = *(void**)obj;
+			}
+			cb(obj, i - array->head, user);
+		}
+	}
+}
+
+void array_invoke_offset(array_t *array, size_t offset)
+{
+	if (array)
+	{
+		void (*method)(void *data);
+		void *obj;
+		int i;
+
+		for (i = array->head; i < array->count + array->head; i++)
+		{
+			obj = array->data + get_size(array, i);
+			if (!array->esize)
+			{
+				/* dereference if we store store pointers */
+				obj = *(void**)obj;
+			}
+			method = *(void**)(obj + offset);
+			method(obj);
+		}
+	}
+}
+
+void array_destroy(array_t *array)
+{
+	if (array)
+	{
+		free(array->data);
+		free(array);
+	}
+}
+
+void array_destroy_function(array_t *array, array_callback_t cb, void *user)
+{
+	array_invoke(array, cb, user);
+	array_destroy(array);
+}
+
+void array_destroy_offset(array_t *array, size_t offset)
+{
+	array_invoke_offset(array, offset);
+	array_destroy(array);
+}
diff --git a/src/libstrongswan/collections/array.h b/src/libstrongswan/collections/array.h
new file mode 100644
index 000000000..0dc7b2250
--- /dev/null
+++ b/src/libstrongswan/collections/array.h
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup array array
+ * @{ @ingroup collections
+ */
+
+#ifndef ARRAY_H_
+#define ARRAY_H_
+
+#include <collections/enumerator.h>
+
+/**
+ * Variable sized array with fixed size elements.
+ *
+ * An array is a primitive object with associated functions to avoid the
+ * overhead of an object with methods. It is efficient in memory usage, but
+ * less efficient than a linked list in manipulating elements.
+ */
+typedef struct array_t array_t;
+
+typedef enum array_idx_t array_idx_t;
+
+/**
+ * Special array index values for insert/remove.
+ */
+enum array_idx_t {
+	ARRAY_HEAD = 0,
+	ARRAY_TAIL = -1,
+};
+
+/**
+ * Callback function invoked for each array element.
+ *
+ * Data is a pointer to the array element. If this is a pointer based array,
+ * (esize is zero), data is the pointer itself.
+ *
+ * @param data			pointer to array data, or the pointer itself
+ * @param idx			array index
+ * @param user			user data passed with callback
+ */
+typedef void (*array_callback_t)(void *data, int idx, void *user);
+
+/**
+ * Create a array instance.
+ *
+ * Elements get tight packed to each other. If any alignment is required, pass
+ * appropriate padding to each element. The reserved space does not affect
+ * array_count(), but just preallocates buffer space.
+ *
+ * @param esize			element size for this array, use 0 for a pointer array
+ * @param reserve		number of items to allocate space for
+ * @return				array instance
+ */
+array_t *array_create(u_int esize, u_int8_t reserve);
+
+/**
+ * Get the number of elements currently in the array.
+ *
+ * @return				number of elements
+ */
+int array_count(array_t *array);
+
+/**
+ * Compress an array, remove unused head/tail space.
+ *
+ * @param array			array to compress, or NULL
+ */
+void array_compress(array_t *array);
+
+/**
+ * Create an enumerator over an array.
+ *
+ * The enumerater enumerates directly over the array element (pass a pointer to
+ * element types), unless the array is pointer based. If zero is passed as
+ * element size during construction, the enumerator enumerates over the
+ * deferenced pointer values.
+ *
+ * @param array			array to create enumerator for, or NULL
+ * @return				enumerator, over elements or pointers
+ */
+enumerator_t* array_create_enumerator(array_t *array);
+
+/**
+ * Remove an element at enumerator position.
+ *
+ * @param array			array to remove element in
+ * @param enumerator	enumerator position, from array_create_enumerator()
+ */
+void array_remove_at(array_t *array, enumerator_t *enumerator);
+
+/**
+ * Insert an element to an array.
+ *
+ * If the array is pointer based (esize = 0), the pointer itself is appended.
+ * Otherwise the element gets copied from the pointer.
+ * The idx must be either within array_count() or one above to append the item.
+ * Passing -1 has the same effect as passing array_count(), i.e. appends the
+ * item. It is always valid to pass idx 0 to prepend the item.
+ *
+ * @param array			array to append element to
+ * @param idx			index to insert item at
+ * @param data			pointer to array element to copy
+ */
+void array_insert(array_t *array, int idx, void *data);
+
+/**
+ * Create an pointer based array if it does not exist, insert pointer.
+ *
+ * This is a convenience function for insert a pointer and implicitly
+ * create a pointer based array if array is NULL. Array is set the the newly
+ * created array, if any.
+ *
+ * @param array			pointer to array reference, potentially NULL
+ * @param idx			index to insert item at
+ * @param ptr			pointer to append
+ */
+void array_insert_create(array_t **array, int idx, void *ptr);
+
+/**
+ * Insert all items from an enumerator to an array.
+ *
+ * @param array			array to add items to
+ * @param idx			index to insert each item with
+ * @param enumerator	enumerator over void*, gets destroyed
+ */
+void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator);
+
+/**
+ * Remove an element from the array.
+ *
+ * If data is given, the element is copied to that position.
+ *
+ * @param array			array to remove element from, or NULL
+ * @param idx			index of the item to remove
+ * @param data			data to copy element to, or NULL
+ * @return				TRUE if idx existed and item removed
+ */
+bool array_remove(array_t *array, int idx, void *data);
+
+/**
+ * Invoke a callback for all array members.
+ *
+ * @param array			array to traverse, or NULL
+ * @param cb			callback function to invoke each element with
+ * @param user			user data to pass to callback
+ */
+void array_invoke(array_t *array, array_callback_t cb, void *user);
+
+/**
+ * Invoke a method of each element defined with offset.
+ *
+ * @param array			array to traverse, or NULL
+ * @param offset		offset of element method, use offsetof()
+ */
+void array_invoke_offset(array_t *array, size_t offset);
+
+/**
+ * Destroy an array.
+ *
+ * @param array			array to destroy, or NULL
+ */
+void array_destroy(array_t *array);
+
+/**
+ * Destroy an array, call a function to clean up all elements.
+ *
+ * @param array			array to destroy, or NULL
+ * @param cb			callback function to free element data
+ * @param user			user data to pass to callback
+ */
+void array_destroy_function(array_t *array, array_callback_t cb, void *user);
+
+/**
+ * Destroy an array, call element method defined with offset.
+ *
+ * @param array			array to destroy, or NULL
+ * @param offset		offset of element method, use offsetof()
+ */
+void array_destroy_offset(array_t *array, size_t offset);
+
+#endif /** ARRAY_H_ @}*/
diff --git a/src/libstrongswan/collections/blocking_queue.c b/src/libstrongswan/collections/blocking_queue.c
new file mode 100644
index 000000000..da3356970
--- /dev/null
+++ b/src/libstrongswan/collections/blocking_queue.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "blocking_queue.h"
+
+#include <threading/mutex.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <collections/linked_list.h>
+
+typedef struct private_blocking_queue_t private_blocking_queue_t;
+
+/**
+ * Private data of a blocking_queue_t object.
+ */
+struct private_blocking_queue_t {
+
+	/**
+	 * Public part
+	 */
+	blocking_queue_t public;
+
+	/**
+	 * Linked list containing all items in the queue
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Mutex used to synchronize access to the queue
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar used to wait for items
+	 */
+	condvar_t *condvar;
+
+};
+
+METHOD(blocking_queue_t, enqueue, void,
+	private_blocking_queue_t *this, void *item)
+{
+	this->mutex->lock(this->mutex);
+	this->list->insert_first(this->list, item);
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(blocking_queue_t, dequeue, void*,
+	private_blocking_queue_t *this)
+{
+	bool oldstate;
+	void *item;
+
+
+	this->mutex->lock(this->mutex);
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	/* ensure that a canceled thread does not dequeue any items */
+	thread_cancellation_point();
+	while (this->list->remove_last(this->list, &item) != SUCCESS)
+	{
+		oldstate = thread_cancelability(TRUE);
+		this->condvar->wait(this->condvar, this->mutex);
+		thread_cancelability(oldstate);
+	}
+	thread_cleanup_pop(TRUE);
+	return item;
+}
+
+METHOD(blocking_queue_t, destroy, void,
+	private_blocking_queue_t *this)
+{
+	this->list->destroy(this->list);
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+METHOD(blocking_queue_t, destroy_offset, void,
+	private_blocking_queue_t *this, size_t offset)
+{
+	this->list->invoke_offset(this->list, offset);
+	destroy(this);
+}
+
+METHOD(blocking_queue_t, destroy_function, void,
+	private_blocking_queue_t *this, void (*fn)(void*))
+{
+	this->list->invoke_function(this->list, (linked_list_invoke_t)fn);
+	destroy(this);
+}
+
+/*
+ * Described in header.
+ */
+blocking_queue_t *blocking_queue_create()
+{
+	private_blocking_queue_t *this;
+
+	INIT(this,
+		.public = {
+			.enqueue = _enqueue,
+			.dequeue = _dequeue,
+			.destroy = _destroy,
+			.destroy_offset = _destroy_offset,
+			.destroy_function = _destroy_function,
+		},
+		.list = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/collections/blocking_queue.h b/src/libstrongswan/collections/blocking_queue.h
new file mode 100644
index 000000000..9b014f719
--- /dev/null
+++ b/src/libstrongswan/collections/blocking_queue.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup blocking_queue blocking_queue
+ * @{ @ingroup collections
+ */
+
+#ifndef BLOCKING_QUEUE_H_
+#define BLOCKING_QUEUE_H_
+
+typedef struct blocking_queue_t blocking_queue_t;
+
+#include <library.h>
+
+/**
+ * Class implementing a synchronized blocking queue based on linked_list_t
+ */
+struct blocking_queue_t {
+
+	/**
+	 * Inserts a new item at the tail of the queue
+	 *
+	 * @param item		item to insert in queue
+	 */
+	void (*enqueue)(blocking_queue_t *this, void *item);
+
+	/**
+	 * Removes the first item in the queue and returns its value.
+	 * If the queue is empty, this call blocks until a new item is inserted.
+	 *
+	 * @note This is a thread cancellation point
+	 *
+	 * @return			removed item
+	 */
+	void *(*dequeue)(blocking_queue_t *this);
+
+	/**
+	 * Destroys a blocking_queue_t object.
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 */
+	void (*destroy)(blocking_queue_t *this);
+
+	/**
+	 * Destroys a queue and its objects using the given destructor.
+	 *
+	 * If a queue and the contained objects should be destroyed, use
+	 * destroy_offset. The supplied offset specifies the destructor to
+	 * call on each object. The offset may be calculated using the offsetof
+	 * macro, e.g.: queue->destroy_offset(queue, offsetof(object_t, destroy));
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 *
+	 * @param offset	offset of the objects destructor
+	 */
+	void (*destroy_offset)(blocking_queue_t *this, size_t offset);
+
+	/**
+	 * Destroys a queue and its objects using a cleanup function.
+	 *
+	 * If a queue and its contents should get destroyed using a specific
+	 * cleanup function, use destroy_function. This is useful when the
+	 * list contains malloc()-ed blocks which should get freed,
+	 * e.g.: queue->destroy_function(queue, free);
+	 *
+	 * @note No thread must wait in dequeue() when this function is called
+	 *
+	 * @param function	function to call on each object
+	 */
+	void (*destroy_function)(blocking_queue_t *this, void (*)(void*));
+
+};
+
+/**
+ * Creates an empty queue object.
+ *
+ * @return		blocking_queue_t object.
+ */
+blocking_queue_t *blocking_queue_create();
+
+#endif /** BLOCKING_QUEUE_H_ @}*/
+
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/collections/enumerator.c
index fb461b448..8049ac016 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/collections/enumerator.c
@@ -25,7 +25,7 @@
 #include <errno.h>
 #include <string.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Implementation of enumerator_create_empty().enumerate
@@ -121,7 +121,7 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
 /**
  * See header
  */
-enumerator_t* enumerator_create_directory(char *path)
+enumerator_t* enumerator_create_directory(const char *path)
 {
 	int len;
 	dir_enum_t *this = malloc_thing(dir_enum_t);
@@ -168,9 +168,9 @@ typedef struct {
 	/** current position */
 	char *pos;
 	/** separater chars */
-	char *sep;
+	const char *sep;
 	/** trim chars */
-	char *trim;
+	const char *trim;
 } token_enum_t;
 
 /**
@@ -187,7 +187,8 @@ static void destroy_token_enum(token_enum_t *this)
  */
 static bool enumerate_token_enum(token_enum_t *this, char **token)
 {
-	char *pos = NULL, *tmp, *sep, *trim;
+	const char *sep, *trim;
+	char *pos = NULL, *tmp;
 	bool last = FALSE;
 
 	/* trim leading characters/separators */
@@ -263,7 +264,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 		}
 	}
 
-	/* trim trailing characters/separators */
+	/* trim trailing characters */
 	pos--;
 	while (pos >= *token)
 	{
@@ -277,17 +278,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 			}
 			trim++;
 		}
-		sep = this->sep;
-		while (*sep)
-		{
-			if (*sep == *pos)
-			{
-				*(pos--) = '\0';
-				break;
-			}
-			sep++;
-		}
-		if (!*trim && !*sep)
+		if (!*trim)
 		{
 			break;
 		}
@@ -303,7 +294,8 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 /**
  * See header
  */
-enumerator_t* enumerator_create_token(char *string, char *sep, char *trim)
+enumerator_t* enumerator_create_token(const char *string, const char *sep,
+									  const char *trim)
 {
 	token_enum_t *enumerator = malloc_thing(token_enum_t);
 
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/collections/enumerator.h
index 12b5712ae..299373a3e 100644
--- a/src/libstrongswan/utils/enumerator.h
+++ b/src/libstrongswan/collections/enumerator.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup enumerator enumerator
- * @{ @ingroup utils
+ * @{ @ingroup collections
  */
 
 #ifndef ENUMERATOR_H_
@@ -23,7 +23,7 @@
 
 typedef struct enumerator_t enumerator_t;
 
-#include "../utils.h"
+#include <utils/utils.h>
 
 /**
  * Enumerator interface, allows enumeration over collections.
@@ -93,7 +93,7 @@ enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item));
  * @param path		path of the directory
  * @return 			the directory enumerator, NULL on failure
  */
-enumerator_t* enumerator_create_directory(char *path);
+enumerator_t* enumerator_create_directory(const char *path);
 
 /**
  * Create an enumerator over tokens of a string.
@@ -106,7 +106,8 @@ enumerator_t* enumerator_create_directory(char *path);
  * @param trim		characters to trim from tokens
  * @return			enumerator over char* tokens
  */
-enumerator_t* enumerator_create_token(char *string, char *sep, char *trim);
+enumerator_t* enumerator_create_token(const char *string, const char *sep,
+									  const char *trim);
 
 /**
  * Creates an enumerator which enumerates over enumerated enumerators :-).
diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/collections/hashtable.c
index 33f645170..1003aa0fa 100644
--- a/src/libstrongswan/utils/hashtable.c
+++ b/src/libstrongswan/collections/hashtable.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2011 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -16,6 +16,8 @@
 
 #include "hashtable.h"
 
+#include <utils/chunk.h>
+
 /** The maximum capacity of the hash table (MUST be a power of 2) */
 #define MAX_CAPACITY (1 << 30)
 
@@ -146,9 +148,40 @@ struct private_enumerator_t {
 	 * previous pair (used by remove_at)
 	 */
 	pair_t *prev;
-
 };
 
+/*
+ * See header.
+ */
+u_int hashtable_hash_ptr(void *key)
+{
+	return chunk_hash(chunk_from_thing(key));
+}
+
+/*
+ * See header.
+ */
+u_int hashtable_hash_str(void *key)
+{
+	return chunk_hash(chunk_from_str((char*)key));
+}
+
+/*
+ * See header.
+ */
+bool hashtable_equals_ptr(void *key, void *other_key)
+{
+	return key == other_key;
+}
+
+/*
+ * See header.
+ */
+bool hashtable_equals_str(void *key, void *other_key)
+{
+	return streq(key, other_key);
+}
+
 /**
  * This function returns the next-highest power of two for the given number.
  * The algorithm works by setting all bits on the right-hand side of the most
@@ -251,16 +284,21 @@ METHOD(hashtable_t, put, void*,
 	return old_value;
 }
 
-METHOD(hashtable_t, get, void*,
-	   private_hashtable_t *this, void *key)
+static void *get_internal(private_hashtable_t *this, void *key,
+						  hashtable_equals_t equals)
 {
 	void *value = NULL;
 	pair_t *pair;
 
+	if (!this->count)
+	{	/* no need to calculate the hash */
+		return NULL;
+	}
+
 	pair = this->table[this->hash(key) & this->mask];
 	while (pair)
 	{
-		if (this->equals(key, pair->key))
+		if (equals(key, pair->key))
 		{
 			value = pair->value;
 			break;
@@ -270,6 +308,18 @@ METHOD(hashtable_t, get, void*,
 	return value;
 }
 
+METHOD(hashtable_t, get, void*,
+	   private_hashtable_t *this, void *key)
+{
+	return get_internal(this, key, this->equals);
+}
+
+METHOD(hashtable_t, get_match, void*,
+	   private_hashtable_t *this, void *key, hashtable_equals_t match)
+{
+	return get_internal(this, key, match);
+}
+
 METHOD(hashtable_t, remove_, void*,
 	   private_hashtable_t *this, void *key)
 {
@@ -409,6 +459,7 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 		.public = {
 			.put = _put,
 			.get = _get,
+			.get_match = _get_match,
 			.remove = _remove_,
 			.remove_at = (void*)_remove_at,
 			.get_count = _get_count,
@@ -423,4 +474,3 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/collections/hashtable.h b/src/libstrongswan/collections/hashtable.h
new file mode 100644
index 000000000..520a86c90
--- /dev/null
+++ b/src/libstrongswan/collections/hashtable.h
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2008-2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hashtable hashtable
+ * @{ @ingroup collections
+ */
+
+#ifndef HASHTABLE_H_
+#define HASHTABLE_H_
+
+#include <collections/enumerator.h>
+
+typedef struct hashtable_t hashtable_t;
+
+/**
+ * Prototype for a function that computes the hash code from the given key.
+ *
+ * @param key			key to hash
+ * @return				hash code
+ */
+typedef u_int (*hashtable_hash_t)(void *key);
+
+/**
+ * Hashtable hash function calculation the hash solely based on the key pointer.
+ *
+ * @param key			key to hash
+ * @return				hash of key
+ */
+u_int hashtable_hash_ptr(void *key);
+
+/**
+ * Hashtable hash function calculation the hash for char* keys.
+ *
+ * @param key			key to hash, a char*
+ * @return				hash of key
+ */
+u_int hashtable_hash_str(void *key);
+
+/**
+ * Prototype for a function that compares the two keys for equality.
+ *
+ * @param key			first key (the one we are looking for)
+ * @param other_key		second key
+ * @return				TRUE if the keys are equal
+ */
+typedef bool (*hashtable_equals_t)(void *key, void *other_key);
+
+/**
+ * Hashtable equals function comparing pointers.
+ *
+ * @param key			key to compare
+ * @param other_key		other key to compare
+ * @return				TRUE if key == other_key
+ */
+bool hashtable_equals_ptr(void *key, void *other_key);
+
+/**
+ * Hashtable equals function comparing char* keys.
+ *
+ * @param key			key to compare
+ * @param other_key		other key to compare
+ * @return				TRUE if streq(key, other_key)
+ */
+bool hashtable_equals_str(void *key, void *other_key);
+
+/**
+ * Class implementing a hash table.
+ *
+ * General purpose hash table. This hash table is not synchronized.
+ */
+struct hashtable_t {
+
+	/**
+	 * Create an enumerator over the hash table key/value pairs.
+	 *
+	 * @return			enumerator over (void *key, void *value)
+	 */
+	enumerator_t *(*create_enumerator) (hashtable_t *this);
+
+	/**
+	 * Adds the given value with the given key to the hash table, if there
+	 * exists no entry with that key. NULL is returned in this case.
+	 * Otherwise the existing value is replaced and the function returns the
+	 * old value.
+	 *
+	 * @param key		the key to store
+	 * @param value		the value to store
+	 * @return			NULL if no item was replaced, the old value otherwise
+	 */
+	void *(*put) (hashtable_t *this, void *key, void *value);
+
+	/**
+	 * Returns the value with the given key, if the hash table contains such an
+	 * entry, otherwise NULL is returned.
+	 *
+	 * @param key		the key of the requested value
+	 * @return			the value, NULL if not found
+	 */
+	void *(*get) (hashtable_t *this, void *key);
+
+	/**
+	 * Returns the value with a matching key, if the hash table contains such an
+	 * entry, otherwise NULL is returned.
+	 *
+	 * Compared to get() the given match function is used to compare the keys
+	 * for equality.  The hash function does have to be deviced properly in
+	 * order to make this work if the match function compares keys differently
+	 * than the equals function provided to the constructor.  This basically
+	 * allows to enumerate all entries with the same hash value.
+	 *
+	 * @param key		the key to match against
+	 * @param match		match function to be used when comparing keys
+	 * @return			the value, NULL if not found
+	 */
+	void *(*get_match) (hashtable_t *this, void *key, hashtable_equals_t match);
+
+	/**
+	 * Removes the value with the given key from the hash table and returns the
+	 * removed value (or NULL if no such value existed).
+	 *
+	 * @param key		the key of the value to remove
+	 * @return			the removed value, NULL if not found
+	 */
+	void *(*remove) (hashtable_t *this, void *key);
+
+	/**
+	 * Removes the key and value pair from the hash table at which the given
+	 * enumerator currently points.
+	 *
+	 * @param enumerator	enumerator, from create_enumerator
+	 */
+	void (*remove_at) (hashtable_t *this, enumerator_t *enumerator);
+
+	/**
+	 * Gets the number of items in the hash table.
+	 *
+	 * @return			number of items
+	 */
+	u_int (*get_count) (hashtable_t *this);
+
+	/**
+	 * Destroys a hash table object.
+	 */
+	void (*destroy) (hashtable_t *this);
+};
+
+/**
+ * Creates an empty hash table object.
+ *
+ * @param hash			hash function
+ * @param equals		equals function
+ * @param capacity		initial capacity
+ * @return				hashtable_t object.
+ */
+hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
+							  u_int capacity);
+
+#endif /** HASHTABLE_H_ @}*/
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/collections/linked_list.c
index 59d416f2f..a176e5a54 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/collections/linked_list.c
@@ -16,6 +16,7 @@
  */
 
 #include <stdlib.h>
+#include <stdarg.h>
 
 #include "linked_list.h"
 
@@ -137,7 +138,10 @@ METHOD(enumerator_t, enumerate, bool,
 		this->finished = TRUE;
 		return FALSE;
 	}
-	*item = this->current->value;
+	if (item)
+	{
+		*item = this->current->value;
+	}
 	return TRUE;
 }
 
@@ -164,16 +168,6 @@ METHOD(linked_list_t, reset_enumerator, void,
 	enumerator->finished = FALSE;
 }
 
-METHOD(linked_list_t, has_more, bool,
-	private_linked_list_t *this, private_enumerator_t *enumerator)
-{
-	if (enumerator->current)
-	{
-		return enumerator->current->next != NULL;
-	}
-	return !enumerator->finished && this->first != NULL;
-}
-
 METHOD(linked_list_t, get_count, int,
 	private_linked_list_t *this)
 {
@@ -315,20 +309,6 @@ METHOD(linked_list_t, insert_before, void,
 	this->count++;
 }
 
-METHOD(linked_list_t, replace, void*,
-	private_linked_list_t *this, private_enumerator_t *enumerator,
-	void *item)
-{
-	void *old = NULL;
-
-	if (enumerator->current)
-	{
-		old = enumerator->current->value;
-		enumerator->current->value = item;
-	}
-	return old;
-}
-
 METHOD(linked_list_t, get_last, status_t,
 	private_linked_list_t *this, void **item)
 {
@@ -408,28 +388,6 @@ METHOD(linked_list_t, find_first, status_t,
 	return NOT_FOUND;
 }
 
-METHOD(linked_list_t, find_last, status_t,
-	private_linked_list_t *this, linked_list_match_t match,
-	void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
-{
-	element_t *current = this->last;
-
-	while (current)
-	{
-		if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
-			(!match && item && current->value == *item))
-		{
-			if (item != NULL)
-			{
-				*item = current->value;
-			}
-			return SUCCESS;
-		}
-		current = current->previous;
-	}
-	return NOT_FOUND;
-}
-
 METHOD(linked_list_t, invoke_offset, void,
 	private_linked_list_t *this, size_t offset,
 	void *d1, void *d2, void *d3, void *d4, void *d5)
@@ -475,21 +433,6 @@ METHOD(linked_list_t, clone_offset, linked_list_t*,
 	return clone;
 }
 
-METHOD(linked_list_t, clone_function, linked_list_t*,
-	private_linked_list_t *this, void* (*fn)(void*))
-{
-	element_t *current = this->first;
-	linked_list_t *clone;
-
-	clone = linked_list_create();
-	while (current)
-	{
-		clone->insert_last(clone, fn(current->value));
-		current = current->next;
-	}
-	return clone;
-}
-
 METHOD(linked_list_t, destroy, void,
 	private_linked_list_t *this)
 {
@@ -547,15 +490,12 @@ linked_list_t *linked_list_create()
 			.get_count = _get_count,
 			.create_enumerator = _create_enumerator,
 			.reset_enumerator = (void*)_reset_enumerator,
-			.has_more = (void*)_has_more,
 			.get_first = _get_first,
 			.get_last = _get_last,
 			.find_first = (void*)_find_first,
-			.find_last = (void*)_find_last,
 			.insert_first = _insert_first,
 			.insert_last = _insert_last,
 			.insert_before = (void*)_insert_before,
-			.replace = (void*)_replace,
 			.remove_first = _remove_first,
 			.remove_last = _remove_last,
 			.remove = _remove_,
@@ -563,7 +503,6 @@ linked_list_t *linked_list_create()
 			.invoke_offset = (void*)_invoke_offset,
 			.invoke_function = (void*)_invoke_function,
 			.clone_offset = _clone_offset,
-			.clone_function = _clone_function,
 			.destroy = _destroy,
 			.destroy_offset = _destroy_offset,
 			.destroy_function = _destroy_function,
@@ -572,3 +511,43 @@ linked_list_t *linked_list_create()
 
 	return &this->public;
 }
+
+/*
+ * See header.
+ */
+linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator)
+{
+	linked_list_t *list;
+	void *item;
+
+	list = linked_list_create();
+
+	while (enumerator->enumerate(enumerator, &item))
+	{
+		list->insert_last(list, item);
+	}
+	enumerator->destroy(enumerator);
+
+	return list;
+}
+
+/*
+ * See header.
+ */
+linked_list_t *linked_list_create_with_items(void *item, ...)
+{
+	linked_list_t *list;
+	va_list args;
+
+	list = linked_list_create();
+
+	va_start(args, item);
+	while (item)
+	{
+		list->insert_last(list, item);
+		item = va_arg(args, void*);
+	}
+	va_end(args);
+
+	return list;
+}
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/collections/linked_list.h
index 293ca8661..abc33c12a 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -17,7 +17,7 @@
 
 /**
  * @defgroup linked_list linked_list
- * @{ @ingroup utils
+ * @{ @ingroup collections
  */
 
 #ifndef LINKED_LIST_H_
@@ -25,7 +25,7 @@
 
 typedef struct linked_list_t linked_list_t;
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /**
  * Method to match elements in a linked list (used in find_* functions)
@@ -78,14 +78,6 @@ struct linked_list_t {
 	void (*reset_enumerator)(linked_list_t *this, enumerator_t *enumerator);
 
 	/**
-	 * Checks if there are more elements following after the enumerator's
-	 * current position.
-	 *
-	 * @param enumerator	enumerator to check
-	 */
-	bool (*has_more)(linked_list_t *this, enumerator_t *enumerator);
-
-	/**
 	 * Inserts a new item at the beginning of the list.
 	 *
 	 * @param item		item value to insert in list
@@ -117,16 +109,6 @@ struct linked_list_t {
 						  void *item);
 
 	/**
-	 * Replaces the item the enumerator currently points to with the given item.
-	 *
-	 * @param enumerator	enumerator with position
-	 * @param item			item value to replace current item with
-	 * @return				current item or NULL if the enumerator is at an
-	 *						invalid position
-	 */
-	void *(*replace)(linked_list_t *this, enumerator_t *enumerator, void *item);
-
-	/**
 	 * Remove an item from the list where the enumerator points to.
 	 *
 	 * @param enumerator enumerator with position
@@ -180,7 +162,8 @@ struct linked_list_t {
 	 */
 	status_t (*get_last) (linked_list_t *this, void **item);
 
-	/** Find the first matching element in the list.
+	/**
+	 * Find the first matching element in the list.
 	 *
 	 * The first object passed to the match function is the current list item,
 	 * followed by the user supplied data.
@@ -200,26 +183,6 @@ struct linked_list_t {
 	status_t (*find_first) (linked_list_t *this, linked_list_match_t match,
 							void **item, ...);
 
-	/** Find the last matching element in the list.
-	 *
-	 * The first object passed to the match function is the current list item,
-	 * followed by the user supplied data.
-	 * If the supplied function returns TRUE this function returns SUCCESS, and
-	 * the current object is returned in the third parameter, otherwise,
-	 * the next item is checked.
-	 *
-	 * If match is NULL, *item and the current object are compared.
-	 *
-	 * @warning Only use pointers as user supplied data.
-	 *
-	 * @param match			comparison function to call on each object, or NULL
-	 * @param item			the list item, if found
-	 * @param ...			user data to supply to match function (limited to 5 arguments)
-	 * @return				SUCCESS if found, NOT_FOUND otherwise
-	 */
-	status_t (*find_last) (linked_list_t *this, linked_list_match_t match,
-						   void **item, ...);
-
 	/**
 	 * Invoke a method on all of the contained objects.
 	 *
@@ -255,14 +218,6 @@ struct linked_list_t {
 	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
 
 	/**
-	 * Clones a list and its objects using a given function.
-	 *
-	 * @param function	function that clones an object
-	 * @return			cloned list
-	 */
-	linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*));
-
-	/**
 	 * Destroys a linked_list object.
 	 */
 	void (*destroy) (linked_list_t *this);
@@ -299,4 +254,21 @@ struct linked_list_t {
  */
 linked_list_t *linked_list_create(void);
 
+/**
+ * Creates a linked list from an enumerator.
+ *
+ * @param enumerator	enumerator over void*, gets destroyed
+ * @return				linked_list_t object, containing enumerated values
+ */
+linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator);
+
+/**
+ * Creates a linked list from a NULL terminated vararg list of items.
+ *
+ * @param first			first item
+ * @param ...			subsequent items, terminated by NULL
+ * @return				linked_list_t object, containing passed items
+ */
+linked_list_t *linked_list_create_with_items(void *first, ...);
+
 #endif /** LINKED_LIST_H_ @}*/
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 12f75b240..2203519e2 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -17,26 +17,30 @@
 #include "auth_cfg.h"
 
 #include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/array.h>
 #include <utils/identification.h>
 #include <eap/eap.h>
 #include <credentials/certificates/certificate.h>
 
-ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
+ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_XAUTH,
 	"any",
 	"public key",
 	"pre-shared key",
 	"EAP",
+	"XAuth",
 );
 
 ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
 	"RULE_IDENTITY",
+	"RULE_IDENTITY_LOOSE",
 	"RULE_AUTH_CLASS",
 	"RULE_AAA_IDENTITY",
 	"RULE_EAP_IDENTITY",
 	"RULE_EAP_TYPE",
 	"RULE_EAP_VENDOR",
+	"RULE_XAUTH_BACKEND",
+	"RULE_XAUTH_IDENTITY",
 	"RULE_CA_CERT",
 	"RULE_IM_CERT",
 	"RULE_SUBJECT_CERT",
@@ -45,6 +49,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
 	"RULE_GROUP",
 	"RULE_RSA_STRENGTH",
 	"RULE_ECDSA_STRENGTH",
+	"RULE_SIGNATURE_SCHEME",
 	"RULE_CERT_POLICY",
 	"HELPER_IM_CERT",
 	"HELPER_SUBJECT_CERT",
@@ -66,9 +71,11 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_IDENTITY:
+		case AUTH_RULE_IDENTITY_LOOSE:
 		case AUTH_RULE_EAP_IDENTITY:
 		case AUTH_RULE_AAA_IDENTITY:
-		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_RULE_XAUTH_IDENTITY:
+		case AUTH_RULE_XAUTH_BACKEND:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_RULE_MAX:
@@ -76,9 +83,11 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_GROUP:
+		case AUTH_RULE_SUBJECT_CERT:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_CERT_POLICY:
+		case AUTH_RULE_SIGNATURE_SCHEME:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
@@ -100,9 +109,9 @@ struct private_auth_cfg_t {
 	auth_cfg_t public;
 
 	/**
-	 * list of entry_t
+	 * Array of entry_t
 	 */
-	linked_list_t *entries;
+	array_t *entries;
 };
 
 typedef struct entry_t entry_t;
@@ -175,21 +184,20 @@ METHOD(auth_cfg_t, create_enumerator, enumerator_t*,
 			.enumerate = (void*)enumerate,
 			.destroy = (void*)entry_enumerator_destroy,
 		},
-		.inner = this->entries->create_enumerator(this->entries),
+		.inner = array_create_enumerator(this->entries),
 	);
 	return &enumerator->public;
 }
 
 /**
- * Create an entry from the given arguments.
+ * Initialize an entry.
  */
-static entry_t *entry_create(auth_rule_t type, va_list args)
+static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 {
-	entry_t *this = malloc_thing(entry_t);
-
 	this->type = type;
 	switch (type)
 	{
+		case AUTH_RULE_IDENTITY_LOOSE:
 		case AUTH_RULE_AUTH_CLASS:
 		case AUTH_RULE_EAP_TYPE:
 		case AUTH_RULE_EAP_VENDOR:
@@ -197,12 +205,15 @@ static entry_t *entry_create(auth_rule_t type, va_list args)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_SIGNATURE_SCHEME:
 			/* integer type */
 			this->value = (void*)(uintptr_t)va_arg(args, u_int);
 			break;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
 		case AUTH_RULE_AAA_IDENTITY:
+		case AUTH_RULE_XAUTH_BACKEND:
+		case AUTH_RULE_XAUTH_IDENTITY:
 		case AUTH_RULE_GROUP:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
@@ -220,7 +231,6 @@ static entry_t *entry_create(auth_rule_t type, va_list args)
 			this->value = NULL;
 			break;
 	}
-	return this;
 }
 
 /**
@@ -234,6 +244,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 	}
 	switch (e1->type)
 	{
+		case AUTH_RULE_IDENTITY_LOOSE:
 		case AUTH_RULE_AUTH_CLASS:
 		case AUTH_RULE_EAP_TYPE:
 		case AUTH_RULE_EAP_VENDOR:
@@ -241,6 +252,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_SIGNATURE_SCHEME:
 		{
 			return e1->value == e2->value;
 		}
@@ -261,6 +273,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
 		case AUTH_RULE_AAA_IDENTITY:
+		case AUTH_RULE_XAUTH_IDENTITY:
 		case AUTH_RULE_GROUP:
 		{
 			identification_t *id1, *id2;
@@ -271,6 +284,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 			return id1->equals(id1, id2);
 		}
 		case AUTH_RULE_CERT_POLICY:
+		case AUTH_RULE_XAUTH_BACKEND:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		{
@@ -293,6 +307,7 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_EAP_IDENTITY:
 		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_GROUP:
+		case AUTH_RULE_XAUTH_IDENTITY:
 		{
 			identification_t *id = (identification_t*)entry->value;
 			id->destroy(id);
@@ -310,12 +325,14 @@ static void destroy_entry_value(entry_t *entry)
 			break;
 		}
 		case AUTH_RULE_CERT_POLICY:
+		case AUTH_RULE_XAUTH_BACKEND:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		{
 			free(entry->value);
 			break;
 		}
+		case AUTH_RULE_IDENTITY_LOOSE:
 		case AUTH_RULE_AUTH_CLASS:
 		case AUTH_RULE_EAP_TYPE:
 		case AUTH_RULE_EAP_VENDOR:
@@ -323,6 +340,7 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_OCSP_VALIDATION:
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
+		case AUTH_RULE_SIGNATURE_SCHEME:
 		case AUTH_RULE_MAX:
 			break;
 	}
@@ -345,6 +363,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 		entry->type = type;
 		switch (type)
 		{
+			case AUTH_RULE_IDENTITY_LOOSE:
 			case AUTH_RULE_AUTH_CLASS:
 			case AUTH_RULE_EAP_TYPE:
 			case AUTH_RULE_EAP_VENDOR:
@@ -352,12 +371,15 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_OCSP_VALIDATION:
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
+			case AUTH_RULE_SIGNATURE_SCHEME:
 				/* integer type */
 				entry->value = (void*)(uintptr_t)va_arg(args, u_int);
 				break;
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
 			case AUTH_RULE_AAA_IDENTITY:
+			case AUTH_RULE_XAUTH_BACKEND:
+			case AUTH_RULE_XAUTH_IDENTITY:
 			case AUTH_RULE_GROUP:
 			case AUTH_RULE_CA_CERT:
 			case AUTH_RULE_IM_CERT:
@@ -423,12 +445,18 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_RSA_STRENGTH:
 		case AUTH_RULE_ECDSA_STRENGTH:
 			return (void*)0;
+		case AUTH_RULE_SIGNATURE_SCHEME:
+			return HASH_UNKNOWN;
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
 			return (void*)VALIDATION_FAILED;
+		case AUTH_RULE_IDENTITY_LOOSE:
+			return (void*)FALSE;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
 		case AUTH_RULE_AAA_IDENTITY:
+		case AUTH_RULE_XAUTH_BACKEND:
+		case AUTH_RULE_XAUTH_IDENTITY:
 		case AUTH_RULE_GROUP:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
@@ -450,21 +478,21 @@ METHOD(auth_cfg_t, get, void*,
  */
 static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 {
-	entry_t *entry;
+	entry_t entry;
 	va_list args;
 
 	va_start(args, type);
-	entry = entry_create(type, args);
+	init_entry(&entry, type, args);
 	va_end(args);
 
 	if (is_multi_value_rule(type))
 	{	/* insert rules that may occur multiple times at the end */
-		this->entries->insert_last(this->entries, entry);
+		array_insert(this->entries, ARRAY_TAIL, &entry);
 	}
 	else
 	{	/* insert rules we expect only once at the front (get() will return
 		 * the latest value) */
-		this->entries->insert_first(this->entries, entry);
+		array_insert(this->entries, ARRAY_HEAD, &entry);
 	}
 }
 
@@ -472,7 +500,11 @@ METHOD(auth_cfg_t, complies, bool,
 	private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
 {
 	enumerator_t *e1, *e2;
-	bool success = TRUE, has_group = FALSE, group_match = FALSE;
+	bool success = TRUE, group_match = FALSE, cert_match = FALSE;
+	identification_t *require_group = NULL;
+	certificate_t *require_cert = NULL;
+	signature_scheme_t scheme = SIGN_UNKNOWN;
+	u_int strength = 0;
 	auth_rule_t t1, t2;
 	void *value;
 
@@ -508,20 +540,21 @@ METHOD(auth_cfg_t, complies, bool,
 			}
 			case AUTH_RULE_SUBJECT_CERT:
 			{
-				certificate_t *c1, *c2;
+				certificate_t *cert;
 
-				c1 = (certificate_t*)value;
-				c2 = get(this, AUTH_RULE_SUBJECT_CERT);
-				if (!c2 || !c1->equals(c1, c2))
+				/* for certs, a match of a single cert is sufficient */
+				require_cert = (certificate_t*)value;
+
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &cert))
 				{
-					success = FALSE;
-					if (log_error)
+					if (t2 == AUTH_RULE_SUBJECT_CERT &&
+						cert->equals(cert, require_cert))
 					{
-						DBG1(DBG_CFG, "constraint check failed: peer not "
-							 "authenticated with peer cert '%Y'.",
-							 c1->get_subject(c1));
+						cert_match = TRUE;
 					}
 				}
+				e2->destroy(e2);
 				break;
 			}
 			case AUTH_RULE_CRL_VALIDATION:
@@ -571,6 +604,7 @@ METHOD(auth_cfg_t, complies, bool,
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
 			case AUTH_RULE_AAA_IDENTITY:
+			case AUTH_RULE_XAUTH_IDENTITY:
 			{
 				identification_t *id1, *id2;
 
@@ -578,6 +612,17 @@ METHOD(auth_cfg_t, complies, bool,
 				id2 = get(this, t1);
 				if (!id2 || !id2->matches(id2, id1))
 				{
+					if (t1 == AUTH_RULE_IDENTITY &&
+						constraints->get(constraints, AUTH_RULE_IDENTITY_LOOSE))
+					{	/* also verify identity against subjectAltNames */
+						certificate_t *cert;
+
+						cert = get(this, AUTH_HELPER_SUBJECT_CERT);
+						if (cert && cert->has_subject(cert, id1))
+						{
+							break;
+						}
+					}
 					success = FALSE;
 					if (log_error)
 					{
@@ -633,15 +678,15 @@ METHOD(auth_cfg_t, complies, bool,
 			}
 			case AUTH_RULE_GROUP:
 			{
-				identification_t *id1, *id2;
+				identification_t *group;
 
 				/* for groups, a match of a single group is sufficient */
-				has_group = TRUE;
-				id1 = (identification_t*)value;
+				require_group = (identification_t*)value;
 				e2 = create_enumerator(this);
-				while (e2->enumerate(e2, &t2, &id2))
+				while (e2->enumerate(e2, &t2, &group))
 				{
-					if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1))
+					if (t2 == AUTH_RULE_GROUP &&
+						group->matches(group, require_group))
 					{
 						group_match = TRUE;
 					}
@@ -652,44 +697,12 @@ METHOD(auth_cfg_t, complies, bool,
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
 			{
-				uintptr_t strength;
-
-				e2 = create_enumerator(this);
-				while (e2->enumerate(e2, &t2, &strength))
-				{
-					if (t2 == t1)
-					{
-						if ((uintptr_t)value > strength)
-						{
-							success = FALSE;
-							if (log_error)
-							{
-								DBG1(DBG_CFG, "constraint requires %d bit "
-									 "public keys, but %d bit key used",
-									 (uintptr_t)value, strength);
-							}
-						}
-					}
-					else if (t2 == AUTH_RULE_RSA_STRENGTH)
-					{
-						success = FALSE;
-						if (log_error)
-						{
-							DBG1(DBG_CFG, "constraint requires %d bit ECDSA, "
-								 "but RSA used", (uintptr_t)value);
-						}
-					}
-					else if (t2 == AUTH_RULE_ECDSA_STRENGTH)
-					{
-						success = FALSE;
-						if (log_error)
-						{
-							DBG1(DBG_CFG, "constraint requires %d bit RSA, "
-								 "but ECDSA used", (uintptr_t)value);
-						}
-					}
-				}
-				e2->destroy(e2);
+				strength = (uintptr_t)value;
+				break;
+			}
+			case AUTH_RULE_SIGNATURE_SCHEME:
+			{
+				scheme = (uintptr_t)value;
 				break;
 			}
 			case AUTH_RULE_CERT_POLICY:
@@ -714,6 +727,10 @@ METHOD(auth_cfg_t, complies, bool,
 				}
 				break;
 			}
+			case AUTH_RULE_IDENTITY_LOOSE:
+				/* just an indication when verifying AUTH_RULE_IDENTITY */
+			case AUTH_RULE_XAUTH_BACKEND:
+				/* not enforced, just a hint for local authentication */
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_IM_HASH_URL:
@@ -730,11 +747,94 @@ METHOD(auth_cfg_t, complies, bool,
 	}
 	e1->destroy(e1);
 
-	if (has_group && !group_match)
+	/* Check if we have a matching constraint (or none at all) for used
+	 * signature schemes. */
+	if (success && scheme != SIGN_UNKNOWN)
+	{
+		e2 = create_enumerator(this);
+		while (e2->enumerate(e2, &t2, &scheme))
+		{
+			if (t2 == AUTH_RULE_SIGNATURE_SCHEME)
+			{
+				success = FALSE;
+				e1 = constraints->create_enumerator(constraints);
+				while (e1->enumerate(e1, &t1, &value))
+				{
+					if (t1 == AUTH_RULE_SIGNATURE_SCHEME &&
+						(uintptr_t)value == scheme)
+					{
+						success = TRUE;
+						break;
+					}
+				}
+				e1->destroy(e1);
+				if (!success)
+				{
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "signature scheme %N not acceptable",
+							 signature_scheme_names, (int)scheme);
+					}
+					break;
+				}
+			}
+		}
+		e2->destroy(e2);
+	}
+
+	/* Check if we have a matching constraint (or none at all) for used
+	 * public key strength */
+	if (success && strength)
+	{
+		e2 = create_enumerator(this);
+		while (e2->enumerate(e2, &t2, &strength))
+		{
+			if (t2 == AUTH_RULE_RSA_STRENGTH ||
+				t2 == AUTH_RULE_ECDSA_STRENGTH)
+			{
+				success = FALSE;
+				e1 = constraints->create_enumerator(constraints);
+				while (e1->enumerate(e1, &t1, &value))
+				{
+					if (t1 == t2 && (uintptr_t)value <= strength)
+					{
+						success = TRUE;
+						break;
+					}
+				}
+				e1->destroy(e1);
+				if (!success)
+				{
+					if (log_error)
+					{
+						DBG1(DBG_CFG, "%s-%d signatures not acceptable",
+							 t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA",
+							 strength);
+					}
+					break;
+				}
+			}
+		}
+		e2->destroy(e2);
+	}
+
+	if (require_group && !group_match)
 	{
 		if (log_error)
 		{
-			DBG1(DBG_CFG, "constraint check failed: group membership required");
+			DBG1(DBG_CFG, "constraint check failed: group membership to "
+				 "'%Y' required", require_group);
+		}
+		return FALSE;
+	}
+
+	if (require_cert && !cert_match)
+	{
+		if (log_error)
+		{
+			DBG1(DBG_CFG, "constraint check failed: peer not "
+				 "authenticated with peer cert '%Y'.",
+				 require_cert->get_subject(require_cert));
 		}
 		return FALSE;
 	}
@@ -774,6 +874,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 					add(this, type, cert->get_ref(cert));
 					break;
 				}
+				case AUTH_RULE_IDENTITY_LOOSE:
 				case AUTH_RULE_CRL_VALIDATION:
 				case AUTH_RULE_OCSP_VALIDATION:
 				case AUTH_RULE_AUTH_CLASS:
@@ -781,6 +882,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_EAP_VENDOR:
 				case AUTH_RULE_RSA_STRENGTH:
 				case AUTH_RULE_ECDSA_STRENGTH:
+				case AUTH_RULE_SIGNATURE_SCHEME:
 				{
 					add(this, type, (uintptr_t)value);
 					break;
@@ -789,12 +891,14 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_EAP_IDENTITY:
 				case AUTH_RULE_AAA_IDENTITY:
 				case AUTH_RULE_GROUP:
+				case AUTH_RULE_XAUTH_IDENTITY:
 				{
 					identification_t *id = (identification_t*)value;
 
 					add(this, type, id->clone(id));
 					break;
 				}
+				case AUTH_RULE_XAUTH_BACKEND:
 				case AUTH_RULE_CERT_POLICY:
 				case AUTH_HELPER_IM_HASH_URL:
 				case AUTH_HELPER_SUBJECT_HASH_URL:
@@ -810,20 +914,20 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 	}
 	else
 	{
-		entry_t *entry;
+		entry_t entry;
 
-		while (other->entries->remove_first(other->entries,
-											(void**)&entry) == SUCCESS)
+		while (array_remove(other->entries, ARRAY_HEAD, &entry))
 		{
-			this->entries->insert_last(this->entries, entry);
+			array_insert(this->entries, ARRAY_TAIL, &entry);
 		}
+		array_compress(other->entries);
 	}
 }
 
 /**
- * Implementation of auth_cfg_t.equals.
+ * Compare two auth_cfg_t objects for equality.
  */
-static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+static bool auth_cfg_equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 {
 	enumerator_t *e1, *e2;
 	entry_t *i1, *i2;
@@ -831,12 +935,12 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 
 	/* the rule count does not have to be equal for the two, as we only compare
 	 * the first value found for some rules */
-	e1 = this->entries->create_enumerator(this->entries);
+	e1 = array_create_enumerator(this->entries);
 	while (e1->enumerate(e1, &i1))
 	{
 		found = FALSE;
 
-		e2 = other->entries->create_enumerator(other->entries);
+		e2 = array_create_enumerator(other->entries);
 		while (e2->enumerate(e2, &i2))
 		{
 			if (entry_equals(i1, i2))
@@ -860,30 +964,38 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 	return equal;
 }
 
+/**
+ * Implementation of auth_cfg_t.equals.
+ */
+static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+{
+	if (auth_cfg_equals(this, other))
+	{
+		/* as 'other' might contain entries that 'this' doesn't we also check
+		 * the other way around */
+		return auth_cfg_equals(other, this);
+	}
+	return FALSE;
+}
+
 METHOD(auth_cfg_t, purge, void,
 	private_auth_cfg_t *this, bool keep_ca)
 {
+	enumerator_t *enumerator;
 	entry_t *entry;
-	linked_list_t *cas;
 
-	cas = linked_list_create();
-	while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
+	enumerator = array_create_enumerator(this->entries);
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
-		{
-			cas->insert_first(cas, entry);
-		}
-		else
+		if (!keep_ca || entry->type != AUTH_RULE_CA_CERT)
 		{
+			array_remove_at(this->entries, enumerator);
 			destroy_entry_value(entry);
-			free(entry);
 		}
 	}
-	while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
-	{
-		this->entries->insert_first(this->entries, entry);
-	}
-	cas->destroy(cas);
+	enumerator->destroy(enumerator);
+
+	array_compress(this->entries);
 }
 
 METHOD(auth_cfg_t, clone_, auth_cfg_t*,
@@ -891,22 +1003,24 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 {
 	enumerator_t *enumerator;
 	auth_cfg_t *clone;
-	entry_t *entry;
+	auth_rule_t type;
+	void *value;
 
 	clone = auth_cfg_create();
 	/* this enumerator skips duplicates for rules we expect only once */
-	enumerator = this->entries->create_enumerator(this->entries);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &type, &value))
 	{
-		switch (entry->type)
+		switch (type)
 		{
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
 			case AUTH_RULE_AAA_IDENTITY:
 			case AUTH_RULE_GROUP:
+			case AUTH_RULE_XAUTH_IDENTITY:
 			{
-				identification_t *id = (identification_t*)entry->value;
-				clone->add(clone, entry->type, id->clone(id));
+				identification_t *id = (identification_t*)value;
+				clone->add(clone, type, id->clone(id));
 				break;
 			}
 			case AUTH_RULE_CA_CERT:
@@ -916,17 +1030,19 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_REVOCATION_CERT:
 			{
-				certificate_t *cert = (certificate_t*)entry->value;
-				clone->add(clone, entry->type, cert->get_ref(cert));
+				certificate_t *cert = (certificate_t*)value;
+				clone->add(clone, type, cert->get_ref(cert));
 				break;
 			}
+			case AUTH_RULE_XAUTH_BACKEND:
 			case AUTH_RULE_CERT_POLICY:
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			{
-				clone->add(clone, entry->type, strdup(entry->value));
+				clone->add(clone, type, strdup(value));
 				break;
 			}
+			case AUTH_RULE_IDENTITY_LOOSE:
 			case AUTH_RULE_AUTH_CLASS:
 			case AUTH_RULE_EAP_TYPE:
 			case AUTH_RULE_EAP_VENDOR:
@@ -934,7 +1050,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_OCSP_VALIDATION:
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
-				clone->add(clone, entry->type, (uintptr_t)entry->value);
+			case AUTH_RULE_SIGNATURE_SCHEME:
+				clone->add(clone, type, (uintptr_t)value);
 				break;
 			case AUTH_RULE_MAX:
 				break;
@@ -948,7 +1065,7 @@ METHOD(auth_cfg_t, destroy, void,
 	private_auth_cfg_t *this)
 {
 	purge(this, FALSE);
-	this->entries->destroy(this->entries);
+	array_destroy(this->entries);
 	free(this);
 }
 
@@ -972,7 +1089,7 @@ auth_cfg_t *auth_cfg_create()
 			.clone = _clone_,
 			.destroy = _destroy,
 		},
-		.entries = linked_list_create(),
+		.entries = array_create(sizeof(entry_t), 0),
 	);
 
 	return &this->public;
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 4d12a9c14..d87935589 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -22,7 +22,7 @@
 #ifndef AUTH_CFG_H_
 #define AUTH_CFG_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct auth_cfg_t auth_cfg_t;
 typedef enum auth_rule_t auth_rule_t;
@@ -42,6 +42,8 @@ enum auth_class_t {
 	AUTH_CLASS_PSK = 2,
 	/** authentication using EAP */
 	AUTH_CLASS_EAP = 3,
+	/** authentication using IKEv1 XAUTH */
+	AUTH_CLASS_XAUTH = 4,
 };
 
 /**
@@ -65,6 +67,9 @@ extern enum_name_t *auth_class_names;
 enum auth_rule_t {
 	/** identity to use for IKEv2 authentication exchange, identification_t* */
 	AUTH_RULE_IDENTITY,
+	/** if TRUE don't send IDr as initiator, but verify the identity after
+	 * receiving IDr (but also verify it against subjectAltNames), bool */
+	AUTH_RULE_IDENTITY_LOOSE,
 	/** authentication class, auth_class_t */
 	AUTH_RULE_AUTH_CLASS,
 	/** AAA-backend identity for EAP methods supporting it, identification_t* */
@@ -75,6 +80,10 @@ enum auth_rule_t {
 	AUTH_RULE_EAP_TYPE,
 	/** EAP vendor for vendor specific type, u_int32_t */
 	AUTH_RULE_EAP_VENDOR,
+	/** XAUTH backend name to use, char* */
+	AUTH_RULE_XAUTH_BACKEND,
+	/** XAuth identity to use or require, identification_t* */
+	AUTH_RULE_XAUTH_IDENTITY,
 	/** certificate authority, certificate_t* */
 	AUTH_RULE_CA_CERT,
 	/** intermediate certificate in trustchain, certificate_t* */
@@ -93,6 +102,8 @@ enum auth_rule_t {
 	AUTH_RULE_RSA_STRENGTH,
 	/** required ECDSA public key strength, u_int in bits */
 	AUTH_RULE_ECDSA_STRENGTH,
+	/** required signature scheme, signature_scheme_t */
+	AUTH_RULE_SIGNATURE_SCHEME,
 	/** certificatePolicy constraint, numerical OID as char* */
 	AUTH_RULE_CERT_POLICY,
 
@@ -172,7 +183,7 @@ struct auth_cfg_t {
 	 * For rules we expect only once the latest value is returned.
 	 *
 	 * @param rule		rule type
-	 * @return			bool if item has been found
+	 * @return			rule or NULL (or an appropriate default) if not found
 	 */
 	void* (*get)(auth_cfg_t *this, auth_rule_t rule);
 
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index d3157c80e..6710dfb54 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -19,10 +19,12 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_FROM_FILE",
 	"BUILD_FROM_FD",
 	"BUILD_AGENT_SOCKET",
+	"BUILD_BLOB",
 	"BUILD_BLOB_ASN1_DER",
 	"BUILD_BLOB_PEM",
 	"BUILD_BLOB_PGP",
 	"BUILD_BLOB_DNSKEY",
+	"BUILD_BLOB_SSHKEY",
 	"BUILD_BLOB_ALGID_PARAMS",
 	"BUILD_KEY_SIZE",
 	"BUILD_SIGNING_KEY",
@@ -36,6 +38,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_NOT_AFTER_TIME",
 	"BUILD_SERIAL",
 	"BUILD_DIGEST_ALG",
+	"BUILD_ENCRYPTION_ALG",
 	"BUILD_IETF_GROUP_ATTR",
 	"BUILD_CA_CERT",
 	"BUILD_CERT",
@@ -53,6 +56,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_REVOKED_ENUMERATOR",
 	"BUILD_BASE_CRL",
 	"BUILD_CHALLENGE_PWD",
+	"BUILD_PKCS7_ATTRIBUTE",
 	"BUILD_PKCS11_MODULE",
 	"BUILD_PKCS11_SLOT",
 	"BUILD_PKCS11_KEYID",
@@ -64,6 +68,9 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_RSA_EXP1",
 	"BUILD_RSA_EXP2",
 	"BUILD_RSA_COEFF",
+	"BUILD_SAFE_PRIMES",
+	"BUILD_SHARES",
+	"BUILD_THRESHOLD",
 	"BUILD_END",
 );
 
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 41250ccae..5ab462fa8 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -49,6 +49,8 @@ enum builder_part_t {
 	BUILD_FROM_FD,
 	/** unix socket of a ssh/pgp agent, char* */
 	BUILD_AGENT_SOCKET,
+	/** An arbitrary blob of data, chunk_t */
+	BUILD_BLOB,
 	/** DER encoded ASN.1 blob, chunk_t */
 	BUILD_BLOB_ASN1_DER,
 	/** PEM encoded ASN.1/PGP blob, chunk_t */
@@ -57,6 +59,8 @@ enum builder_part_t {
 	BUILD_BLOB_PGP,
 	/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
 	BUILD_BLOB_DNSKEY,
+	/** SSH public key blob (RFC 4253), chunk_t */
+	BUILD_BLOB_SSHKEY,
 	/** parameters from algorithmIdentifier (ASN.1 blob), chunk_t */
 	BUILD_BLOB_ALGID_PARAMS,
 	/** key size in bits, as used for key generation, u_int */
@@ -81,8 +85,10 @@ enum builder_part_t {
 	BUILD_NOT_AFTER_TIME,
 	/** a serial number in binary form, chunk_t */
 	BUILD_SERIAL,
-	/** digest algorithm to be used for signature, int */
+	/** digest algorithm to be used for signature, hash_algorithm_t */
 	BUILD_DIGEST_ALG,
+	/** encryption algorithm to use, encryption_algorithm_t */
+	BUILD_ENCRYPTION_ALG,
 	/** a comma-separated list of ietf group attributes, char* */
 	BUILD_IETF_GROUP_ATTR,
 	/** a ca certificate, certificate_t* */
@@ -117,6 +123,8 @@ enum builder_part_t {
 	BUILD_BASE_CRL,
 	/** PKCS#10 challenge password */
 	BUILD_CHALLENGE_PWD,
+	/** PKCS#7 attribute, int oid, chunk_t with ASN1 type encoded value */
+	BUILD_PKCS7_ATTRIBUTE,
 	/** friendly name of a PKCS#11 module, null terminated char* */
 	BUILD_PKCS11_MODULE,
 	/** slot specifier for a token in a PKCS#11 module, int */
@@ -139,6 +147,12 @@ enum builder_part_t {
 	BUILD_RSA_EXP2,
 	/** coefficient (coeff) of a RSA key, chunk_t */
 	BUILD_RSA_COEFF,
+	/** generate (p) and (q) as safe primes */
+	BUILD_SAFE_PRIMES,
+	/** number of private key shares */
+	BUILD_SHARES,
+	/** minimum number of participating private key shares */
+	BUILD_THRESHOLD,
 	/** end of variable argument builder list */
 	BUILD_END,
 };
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 00e30d7a0..6b28f35c1 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -35,14 +35,34 @@ typedef struct cert_validator_t cert_validator_t;
 struct cert_validator_t {
 
 	/**
+	 * Check the lifetime of a certificate.
+	 *
+	 * If this function returns SUCCESS or FAILED, the certificate lifetime is
+	 * considered definitely (in-)valid, without asking other validators.
+	 * If all registered validaters return NEED_MORE, the default
+	 * lifetime check is performed.
+	 *
+	 * @param cert			certificate to check lifetime
+	 * @param pathlen		the current length of the path bottom-up
+	 * @param anchor		is certificate trusted root anchor?
+	 * @param auth			container for resulting authentication info
+	 * @return				SUCCESS, FAILED or NEED_MORE to ask next validator
+	 */
+	status_t (*check_lifetime)(cert_validator_t *this, certificate_t *cert,
+							   int pathlen, bool anchor, auth_cfg_t *auth);
+	/**
 	 * Validate a subject certificate in relation to its issuer.
 	 *
+	 * If FALSE is returned, the validator should call_hook() on the
+	 * credential manager with an appropriate type and the certificate.
+	 *
 	 * @param subject		subject certificate to check
 	 * @param issuer		issuer of subject
 	 * @param online		whether to do online revocation checking
 	 * @param pathlen		the current length of the path bottom-up
 	 * @param anchor		is issuer trusted root anchor
 	 * @param auth			container for resulting authentication info
+	 * @return				TRUE if subject certificate valid
 	 */
 	bool (*validate)(cert_validator_t *this, certificate_t *subject,
 					 certificate_t *issuer, bool online, u_int pathlen,
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 33ba4e907..b281c1669 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,10 +15,10 @@
 
 #include "certificate.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 
-ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
+ENUM(certificate_type_names, CERT_ANY, CERT_GPG,
 	"ANY",
 	"X509",
 	"X509_CRL",
@@ -28,9 +28,6 @@ ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
 	"TRUSTED_PUBKEY",
 	"PKCS10_REQUEST",
 	"PGP",
-	"PLUTO_CERT",
-	"PLUTO_AC",
-	"PLUTO_CRL",
 );
 
 ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 2f471da5b..d59126bd5 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -52,10 +52,6 @@ enum certificate_type_t {
 	CERT_PKCS10_REQUEST,
 	/** PGP certificate */
 	CERT_GPG,
-	/** Pluto cert_t (not a certificate_t), either x509 or PGP */
-	CERT_PLUTO_CERT,
-	/** Pluto x509crl_t (not a certificate_t), certificate revocation list */
-	CERT_PLUTO_CRL,
 };
 
 /**
@@ -143,9 +139,11 @@ struct certificate_t {
 	 * Check if this certificate is issued and signed by a specific issuer.
 	 *
 	 * @param issuer	issuer's certificate
+	 * @param scheme	receives signature scheme used during verification
 	 * @return			TRUE if certificate issued by issuer and trusted
 	 */
-	bool (*issued_by)(certificate_t *this, certificate_t *issuer);
+	bool (*issued_by)(certificate_t *this, certificate_t *issuer,
+					  signature_scheme_t *scheme);
 
 	/**
 	 * Get the public key associated to this certificate.
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 69bd80b84..09fd0bfc8 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@
 
 #include "crl.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 	"unspecified",
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
index 9a4979757..2f35eb6a5 100644
--- a/src/libstrongswan/credentials/certificates/pkcs10.h
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -21,7 +21,7 @@
 #ifndef PKCS10_H_
 #define PKCS10_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
 typedef struct pkcs10_t pkcs10_t;
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 5125aca26..4e8d4317f 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -21,7 +21,7 @@
 #ifndef X509_H_
 #define X509_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
 /* constraints are currently restricted to the range 0..127 */
@@ -56,6 +56,8 @@ enum x509_flag_t {
 	X509_IP_ADDR_BLOCKS =	(1<<6),
 	/** cert has CRL sign key usage */
 	X509_CRL_SIGN =			(1<<7),
+	/** cert has iKEIntermediate key usage */
+	X509_IKE_INTERMEDIATE =	(1<<8),
 };
 
 /**
diff --git a/src/libstrongswan/credentials/containers/container.c b/src/libstrongswan/credentials/containers/container.c
new file mode 100644
index 000000000..7456d43db
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.c
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "container.h"
+
+ENUM(container_type_names, CONTAINER_PKCS7, CONTAINER_PKCS12,
+	"PKCS7",
+	"PKCS7_DATA",
+	"PKCS7_SIGNED_DATA",
+	"PKCS7_ENVELOPED_DATA",
+	"PKCS7_ENCRYPTED_DATA",
+	"PKCS12",
+);
diff --git a/src/libstrongswan/credentials/containers/container.h b/src/libstrongswan/credentials/containers/container.h
new file mode 100644
index 000000000..ee329881d
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup container container
+ * @{ @ingroup containers
+ */
+
+#ifndef CONTAINER_H_
+#define CONTAINER_H_
+
+typedef struct container_t container_t;
+typedef enum container_type_t container_type_t;
+
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
+
+/**
+ * Type of the container.
+ */
+enum container_type_t {
+	/** Any kind of PKCS#7/CMS container */
+	CONTAINER_PKCS7,
+	/** PKCS#7/CMS plain "data" */
+	CONTAINER_PKCS7_DATA,
+	/** PKCS#7/CMS "signed-data" */
+	CONTAINER_PKCS7_SIGNED_DATA,
+	/** PKCS#7/CMS "enveloped-data" */
+	CONTAINER_PKCS7_ENVELOPED_DATA,
+	/** PKCS#7/CMS "encrypted-data" */
+	CONTAINER_PKCS7_ENCRYPTED_DATA,
+	/** A PKCS#12 container */
+	CONTAINER_PKCS12,
+};
+
+/**
+ * Enum names for container_type_t
+ */
+extern enum_name_t *container_type_names;
+
+/**
+ * Generic interface for cryptographic containers.
+ */
+struct container_t {
+
+	/**
+	 * Get the type of the container.
+	 *
+	 * @return		container type
+	 */
+	container_type_t (*get_type)(container_t *this);
+
+	/**
+	 * Create an enumerator over trustchains for valid container signatures.
+	 *
+	 * @return		enumerator over auth_cfg_t*
+	 */
+	enumerator_t* (*create_signature_enumerator)(container_t *this);
+
+	/**
+	 * Get signed/decrypted data wrapped in this container.
+	 *
+	 * This function does not verify any associated signatures, use
+	 * create_signature_enumerator() to verify them.
+	 *
+	 * @param data	allocated data wrapped in this container
+	 * @return		TRUE if data decrypted successfully
+	 */
+	bool (*get_data)(container_t *this, chunk_t *data);
+
+	/**
+	 * Get the encoding of the full signed/encrypted container.
+	 *
+	 * @param data	allocated container encoding
+	 * @return		TRUE if encodign successful
+	 */
+	bool (*get_encoding)(container_t *this, chunk_t *encoding);
+
+	/**
+	 * Destroy a container_t.
+	 */
+	void (*destroy)(container_t *this);
+};
+
+#endif /** CONTAINER_H_ @}*/
diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
new file mode 100644
index 000000000..7b812d27d
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs12.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs12.h"
+
+#include <utils/debug.h>
+
+/**
+ * v * ceiling(len/v)
+ */
+#define PKCS12_LEN(len, v) (((len) + v-1) & ~(v-1))
+
+/**
+ * Copy src to dst as many times as possible
+ */
+static inline void copy_chunk(chunk_t dst, chunk_t src)
+{
+	size_t i;
+
+	for (i = 0; i < dst.len; i++)
+	{
+		dst.ptr[i] = src.ptr[i % src.len];
+	}
+}
+
+/**
+ * Treat two chunks as integers in network order and add them together.
+ * The result is stored in the first chunk, if the second chunk is longer or the
+ * result overflows this is ignored.
+ */
+static void add_chunks(chunk_t a, chunk_t b)
+{
+	u_int16_t sum;
+	u_int8_t rem = 0;
+	ssize_t i, j;
+
+	for (i = a.len - 1, j = b.len -1; i >= 0 && j >= 0; i--, j--)
+	{
+		sum = a.ptr[i] + b.ptr[j] + rem;
+		a.ptr[i] = (u_char)sum;
+		rem = sum >> 8;
+	}
+	for (; i >= 0 && rem; i--)
+	{
+		sum = a.ptr[i] + rem;
+		a.ptr[i] = (u_char)sum;
+		rem = sum >> 8;
+	}
+}
+
+/**
+ * Do the actual key derivation with the given hasher, password and id.
+ */
+static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
+					   u_int64_t iterations, char id, chunk_t result)
+{
+	chunk_t out = result, D, S, P = chunk_empty, I, Ai, B, Ij;
+	hasher_t *hasher;
+	size_t Slen, v, u;
+	u_int64_t i;
+	bool success = FALSE;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, hash);
+	if (!hasher)
+	{
+		DBG1(DBG_ASN, "  %N hash algorithm not available",
+			 hash_algorithm_names, hash);
+		return  FALSE;
+	}
+	switch (hash)
+	{
+		case HASH_MD2:
+		case HASH_MD5:
+		case HASH_SHA1:
+		case HASH_SHA224:
+		case HASH_SHA256:
+			v = 64;
+			break;
+		case HASH_SHA384:
+		case HASH_SHA512:
+			v = 128;
+			break;
+		default:
+			goto end;
+	}
+	u = hasher->get_hash_size(hasher);
+
+	D = chunk_alloca(v);
+	memset(D.ptr, id, D.len);
+
+	Slen = PKCS12_LEN(salt.len, v);
+	I = chunk_alloca(Slen + PKCS12_LEN(unicode.len, v));
+	S = chunk_create(I.ptr, Slen);
+	P = chunk_create(I.ptr + Slen, I.len - Slen);
+	copy_chunk(S, salt);
+	copy_chunk(P, unicode);
+
+	Ai = chunk_alloca(u);
+	B = chunk_alloca(v);
+
+	while (TRUE)
+	{
+		if (!hasher->get_hash(hasher, D, NULL) ||
+			!hasher->get_hash(hasher, I, Ai.ptr))
+		{
+			goto end;
+		}
+		for (i = 1; i < iterations; i++)
+		{
+			if (!hasher->get_hash(hasher, Ai, Ai.ptr))
+			{
+				goto end;
+			}
+		}
+		memcpy(out.ptr, Ai.ptr, min(out.len, Ai.len));
+		out = chunk_skip(out, Ai.len);
+		if (!out.len)
+		{
+			break;
+		}
+		copy_chunk(B, Ai);
+		/* B = B+1 */
+		add_chunks(B, chunk_from_chars(0x01));
+		Ij = chunk_create(I.ptr, v);
+		for (i = 0; i < I.len; i += v, Ij.ptr += v)
+		{	/* Ij = Ij + B + 1 */
+			add_chunks(Ij, B);
+		}
+	}
+	success = TRUE;
+end:
+	hasher->destroy(hasher);
+	return success;
+}
+
+/*
+ * Described in header
+ */
+bool pkcs12_derive_key(hash_algorithm_t hash, chunk_t password, chunk_t salt,
+					   u_int64_t iterations, pkcs12_key_type_t type, chunk_t key)
+{
+	chunk_t unicode = chunk_empty;
+	bool success;
+	int i;
+
+	if (password.len)
+	{	/* convert the password to UTF-16BE (without BOM) with 0 terminator */
+		unicode = chunk_alloca(password.len * 2 + 2);
+		for (i = 0; i < password.len; i++)
+		{
+			unicode.ptr[i * 2] = 0;
+			unicode.ptr[i * 2 + 1] = password.ptr[i];
+		}
+		unicode.ptr[i * 2] = 0;
+		unicode.ptr[i * 2 + 1] = 0;
+	}
+
+	success = derive_key(hash, unicode, salt, iterations, type, key);
+	memwipe(unicode.ptr, unicode.len);
+	return success;
+}
diff --git a/src/libstrongswan/credentials/containers/pkcs12.h b/src/libstrongswan/credentials/containers/pkcs12.h
new file mode 100644
index 000000000..f22ef045a
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs12.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs12 pkcs12
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS12_H_
+#define PKCS12_H_
+
+#include <credentials/containers/container.h>
+#include <crypto/hashers/hasher.h>
+
+typedef enum pkcs12_key_type_t pkcs12_key_type_t;
+typedef struct pkcs12_t pkcs12_t;
+
+/**
+ * The types of password based keys used by PKCS#12.
+ */
+enum pkcs12_key_type_t {
+	PKCS12_KEY_ENCRYPTION = 1,
+	PKCS12_KEY_IV = 2,
+	PKCS12_KEY_MAC = 3,
+};
+
+/**
+ * PKCS#12/PFX container type.
+ */
+struct pkcs12_t {
+
+	/**
+	 * Implements container_t.
+	 */
+	container_t container;
+
+	/**
+	 * Create an enumerator over extracted certificates.
+	 *
+	 * @return			enumerator over certificate_t
+	 */
+	enumerator_t* (*create_cert_enumerator)(pkcs12_t *this);
+
+	/**
+	 * Create an enumerator over extracted private keys.
+	 *
+	 * @return			enumerator over private_key_t
+	 */
+	enumerator_t* (*create_key_enumerator)(pkcs12_t *this);
+};
+
+/**
+ * Derive the keys used in PKCS#12 for password integrity/privacy mode.
+ *
+ * @param hash			hash algorithm to use for key derivation
+ * @param password		password (ASCII)
+ * @param salt			salt value
+ * @param iterations	number of iterations
+ * @param type			type of key to derive
+ * @param key			the returned key, must be allocated of desired length
+ * @return				TRUE on success
+ */
+bool pkcs12_derive_key(hash_algorithm_t hash, chunk_t password, chunk_t salt,
+					u_int64_t iterations, pkcs12_key_type_t type, chunk_t key);
+
+#endif /** PKCS12_H_ @}*/
diff --git a/src/libstrongswan/credentials/containers/pkcs7.h b/src/libstrongswan/credentials/containers/pkcs7.h
new file mode 100644
index 000000000..d42d82b0b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs7.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7 pkcs7
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS7_H_
+#define PKCS7_H_
+
+#include <credentials/containers/container.h>
+
+typedef struct pkcs7_t pkcs7_t;
+
+/**
+ * PKCS#7/CMS container type.
+ */
+struct pkcs7_t {
+
+	/**
+	 * Implements container_t.
+	 */
+	container_t container;
+
+	/**
+	 * Get an authenticated PKCS#9 attribute from PKCS#7 signerInfo.
+	 *
+	 * To select the signerInfo structure to get the attribute from, pass
+	 * the enumerator position from container_t.create_signature_enumerator().
+	 *
+	 * The attribute returned does not contain type information and must be
+	 * freed after use.
+	 *
+	 * @param oid			OID from the attribute to get
+	 * @param enumerator	enumerator to select signerInfo
+	 * @param value			chunk receiving attribute value, allocated
+	 * @return				TRUE if attribute found
+	 */
+	bool (*get_attribute)(pkcs7_t *this, int oid, enumerator_t *enumerator,
+						  chunk_t *value);
+
+	/**
+	 * Create an enumerator over attached certificates.
+	 *
+	 * @return				enumerator over certificate_t
+	 */
+	enumerator_t* (*create_cert_enumerator)(pkcs7_t *this);
+};
+
+#endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 4865984dd..53ac13cbb 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -17,8 +17,8 @@
 
 #include <stdint.h>
 
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
 typedef struct private_cred_encoding_t private_cred_encoding_t;
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index b029fe2ac..41481f376 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -85,6 +85,8 @@ enum cred_encoding_type_t {
 	/** PGP key encoding */
 	PUBKEY_PGP,
 	PRIVKEY_PGP,
+	/** DNSKEY encoding */
+	PUBKEY_DNSKEY,
 
 	/** ASN.1 DER encoded certificate */
 	CERT_ASN1_DER,
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index ff621012f..94c7820e1 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -17,17 +17,18 @@
 
 #include "credential_factory.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/thread_value.h>
 #include <threading/rwlock.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/containers/container.h>
 
-ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
+ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CONTAINER,
 	"CRED_PRIVATE_KEY",
 	"CRED_PUBLIC_KEY",
 	"CRED_CERTIFICATE",
-	"CRED_PLUTO_CERT",
+	"CRED_CONTAINER",
 );
 
 typedef struct private_credential_factory_t private_credential_factory_t;
@@ -139,11 +140,21 @@ METHOD(credential_factory_t, create, void*,
 
 	if (!construct && !level)
 	{
-		enum_name_t *names = key_type_names;
+		enum_name_t *names;
 
-		if (type == CRED_CERTIFICATE)
+		switch (type)
 		{
-			names = certificate_type_names;
+			case CRED_CERTIFICATE:
+				names = certificate_type_names;
+				break;
+			case CRED_CONTAINER:
+				names = container_type_names;
+				break;
+			case CRED_PRIVATE_KEY:
+			case CRED_PUBLIC_KEY:
+			default:
+				names = key_type_names;
+				break;
 		}
 		DBG1(DBG_LIB, "building %N - %N failed, tried %d builders",
 			 credential_type_names, type, names, subtype, failures);
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index c31601245..55b669529 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -28,6 +28,9 @@ typedef enum credential_type_t credential_type_t;
 
 /**
  * Kind of credential.
+ *
+ * While crypto containers are not really credentials, we still use the
+ * credential factory and builders create them.
  */
 enum credential_type_t {
 	/** private key, implemented in private_key_t */
@@ -36,6 +39,8 @@ enum credential_type_t {
 	CRED_PUBLIC_KEY,
 	/** certificates, implemented in certificate_t */
 	CRED_CERTIFICATE,
+	/** crypto container, implemented in container_t */
+	CRED_CONTAINER,
 };
 
 /**
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index b3461b810..de19c8d96 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -16,11 +16,11 @@
 #include "credential_manager.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread_value.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/sets/cert_cache.h>
 #include <credentials/sets/auth_cfg_wrapper.h>
 #include <credentials/certificates/x509.h>
@@ -53,6 +53,11 @@ struct private_credential_manager_t {
 	thread_value_t *local_sets;
 
 	/**
+	 * Exclusive local sets, linked_list_t with credential_set_t
+	 */
+	thread_value_t *exclusive_local_sets;
+
+	/**
 	 * trust relationship and certificate cache
 	 */
 	cert_cache_t *cache;
@@ -76,6 +81,16 @@ struct private_credential_manager_t {
 	 * mutex for cache queue
 	 */
 	mutex_t *queue_mutex;
+
+	/**
+	 * Registered hook to call on validation errors
+	 */
+	credential_hook_t hook;
+
+	/**
+	 * Registered data to pass to hook
+	 */
+	void *hook_data;
 };
 
 /** data to pass to create_private_enumerator */
@@ -117,12 +132,39 @@ typedef struct {
 	enumerator_t *global;
 	/** enumerator over local sets */
 	enumerator_t *local;
+	/** enumerator over exclusive local sets */
+	enumerator_t *exclusive;
 } sets_enumerator_t;
 
+METHOD(credential_manager_t, set_hook, void,
+	private_credential_manager_t *this, credential_hook_t hook, void *data)
+{
+	this->hook = hook;
+	this->hook_data = data;
+}
+
+METHOD(credential_manager_t, call_hook, void,
+	private_credential_manager_t *this, credential_hook_type_t type,
+	certificate_t *cert)
+{
+	if (this->hook)
+	{
+		this->hook(this->hook_data, type, cert);
+	}
+}
 
 METHOD(enumerator_t, sets_enumerate, bool,
 	sets_enumerator_t *this, credential_set_t **set)
 {
+	if (this->exclusive)
+	{
+		if (this->exclusive->enumerate(this->exclusive, set))
+		{	/* only enumerate last added */
+			this->exclusive->destroy(this->exclusive);
+			this->exclusive = NULL;
+			return TRUE;
+		}
+	}
 	if (this->global)
 	{
 		if (this->global->enumerate(this->global, set))
@@ -145,6 +187,7 @@ METHOD(enumerator_t, sets_destroy, void,
 {
 	DESTROY_IF(this->global);
 	DESTROY_IF(this->local);
+	DESTROY_IF(this->exclusive);
 	free(this);
 }
 
@@ -154,19 +197,28 @@ METHOD(enumerator_t, sets_destroy, void,
 static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
 {
 	sets_enumerator_t *enumerator;
-	linked_list_t *local;
+	linked_list_t *list;
 
 	INIT(enumerator,
 		.public = {
 			.enumerate = (void*)_sets_enumerate,
 			.destroy = _sets_destroy,
 		},
-		.global = this->sets->create_enumerator(this->sets),
 	);
-	local = this->local_sets->get(this->local_sets);
-	if (local)
+
+	list = this->exclusive_local_sets->get(this->exclusive_local_sets);
+	if (list && list->get_count(list))
 	{
-		enumerator->local = local->create_enumerator(local);
+		enumerator->exclusive = list->create_enumerator(list);
+	}
+	else
+	{
+		enumerator->global = this->sets->create_enumerator(this->sets);
+		list = this->local_sets->get(this->local_sets);
+		if (list)
+		{
+			enumerator->local = list->create_enumerator(list);
+		}
 	}
 	return &enumerator->public;
 }
@@ -352,8 +404,8 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
 	identification_t *me, identification_t *other)
 {
 	shared_key_t *current, *found = NULL;
-	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
-	id_match_t *match_me, *match_other;
+	id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;
+	id_match_t match_me, match_other;
 	enumerator_t *enumerator;
 
 	enumerator = create_shared_enumerator(this, type, me, other);
@@ -367,32 +419,76 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
 			best_me = match_me;
 			best_other = match_other;
 		}
+		if (best_me == ID_MATCH_PERFECT && best_other == ID_MATCH_PERFECT)
+		{
+			break;
+		}
 	}
 	enumerator->destroy(enumerator);
 	return found;
 }
 
 METHOD(credential_manager_t, add_local_set, void,
-	private_credential_manager_t *this, credential_set_t *set)
+	private_credential_manager_t *this, credential_set_t *set, bool exclusive)
 {
 	linked_list_t *sets;
+	thread_value_t *tv;
 
-	sets = this->local_sets->get(this->local_sets);
+	if (exclusive)
+	{
+		tv = this->exclusive_local_sets;
+	}
+	else
+	{
+		tv = this->local_sets;
+	}
+	sets = tv->get(tv);
 	if (!sets)
-	{	/* first invocation */
+	{
 		sets = linked_list_create();
-		this->local_sets->set(this->local_sets, sets);
+		tv->set(tv, sets);
+	}
+	if (exclusive)
+	{
+		sets->insert_first(sets, set);
+	}
+	else
+	{
+		sets->insert_last(sets, set);
 	}
-	sets->insert_last(sets, set);
 }
 
 METHOD(credential_manager_t, remove_local_set, void,
 	private_credential_manager_t *this, credential_set_t *set)
 {
 	linked_list_t *sets;
+	thread_value_t *tv;
 
-	sets = this->local_sets->get(this->local_sets);
-	sets->remove(sets, set, NULL);
+	tv = this->local_sets;
+	sets = tv->get(tv);
+	if (sets && sets->remove(sets, set, NULL) && sets->get_count(sets) == 0)
+	{
+		tv->set(tv, NULL);
+		sets->destroy(sets);
+	}
+	tv = this->exclusive_local_sets;
+	sets = tv->get(tv);
+	if (sets && sets->remove(sets, set, NULL) && sets->get_count(sets) == 0)
+	{
+		tv->set(tv, NULL);
+		sets->destroy(sets);
+	}
+}
+
+METHOD(credential_manager_t, issued_by, bool,
+	private_credential_manager_t *this, certificate_t *subject,
+	certificate_t *issuer, signature_scheme_t *scheme)
+{
+	if (this->cache)
+	{
+		return this->cache->issued_by(this->cache, subject, issuer, scheme);
+	}
+	return subject->issued_by(subject, issuer, scheme);
 }
 
 METHOD(credential_manager_t, cache_cert, void,
@@ -449,32 +545,76 @@ static void cache_queue(private_credential_manager_t *this)
 }
 
 /**
+ * Use validators to check the lifetime of certificates
+ */
+static bool check_lifetime(private_credential_manager_t *this,
+						   certificate_t *cert, char *label,
+						   int pathlen, bool trusted, auth_cfg_t *auth)
+{
+	time_t not_before, not_after;
+	cert_validator_t *validator;
+	enumerator_t *enumerator;
+	status_t status = NEED_MORE;
+
+	enumerator = this->validators->create_enumerator(this->validators);
+	while (enumerator->enumerate(enumerator, &validator))
+	{
+		if (!validator->check_lifetime)
+		{
+			continue;
+		}
+		status = validator->check_lifetime(validator, cert,
+										   pathlen, trusted, auth);
+		if (status != NEED_MORE)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	switch (status)
+	{
+		case NEED_MORE:
+			if (!cert->get_validity(cert, NULL, &not_before, &not_after))
+			{
+				DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)",
+					 label, &not_before, FALSE, &not_after, FALSE);
+				break;
+			}
+			return TRUE;
+		case SUCCESS:
+			return TRUE;
+		case FAILED:
+		default:
+			break;
+	}
+	call_hook(this, CRED_HOOK_EXPIRED, cert);
+	return FALSE;
+}
+
+/**
  * check a certificate for its lifetime
  */
 static bool check_certificate(private_credential_manager_t *this,
 				certificate_t *subject, certificate_t *issuer, bool online,
 				int pathlen, bool trusted, auth_cfg_t *auth)
 {
-	time_t not_before, not_after;
 	cert_validator_t *validator;
 	enumerator_t *enumerator;
 
-	if (!subject->get_validity(subject, NULL, &not_before, &not_after))
+	if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
+		!check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
 	{
-		DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
-		return FALSE;
-	}
-	if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
-	{
-		DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
-			 &not_before, FALSE, &not_after, FALSE);
 		return FALSE;
 	}
 
 	enumerator = this->validators->create_enumerator(this->validators);
 	while (enumerator->enumerate(enumerator, &validator))
 	{
+		if (!validator->validate)
+		{
+			continue;
+		}
 		if (!validator->validate(validator, subject, issuer,
 								 online, pathlen, trusted, auth))
 		{
@@ -514,7 +654,8 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
  * Get the issuing certificate of a subject certificate
  */
 static certificate_t *get_issuer_cert(private_credential_manager_t *this,
-									  certificate_t *subject, bool trusted)
+									  certificate_t *subject, bool trusted,
+									  signature_scheme_t *scheme)
 {
 	enumerator_t *enumerator;
 	certificate_t *issuer = NULL, *candidate;
@@ -523,7 +664,7 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
 										subject->get_issuer(subject), trusted);
 	while (enumerator->enumerate(enumerator, &candidate))
 	{
-		if (this->cache->issued_by(this->cache, subject, candidate))
+		if (issued_by(this, subject, candidate, scheme))
 		{
 			issuer = candidate->get_ref(candidate);
 			break;
@@ -573,6 +714,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 {
 	certificate_t *current, *issuer;
 	auth_cfg_t *auth;
+	signature_scheme_t scheme;
 	int pathlen;
 
 	auth = auth_cfg_create();
@@ -582,11 +724,11 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 
 	for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
 	{
-		issuer = get_issuer_cert(this, current, TRUE);
+		issuer = get_issuer_cert(this, current, TRUE, &scheme);
 		if (issuer)
 		{
 			/* accept only self-signed CAs as trust anchor */
-			if (this->cache->issued_by(this->cache, issuer, issuer))
+			if (issued_by(this, issuer, issuer, NULL))
 			{
 				auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
@@ -599,27 +741,31 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 				DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
 					 "\"%Y\"", issuer->get_subject(issuer));
 			}
+			auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
 		}
 		else
 		{
-			issuer = get_issuer_cert(this, current, FALSE);
+			issuer = get_issuer_cert(this, current, FALSE, &scheme);
 			if (issuer)
 			{
 				if (current->equals(current, issuer))
 				{
-					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
-						 current->get_subject(current));
+					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not "
+						 "trusted", current->get_subject(current));
 					issuer->destroy(issuer);
+					call_hook(this, CRED_HOOK_UNTRUSTED_ROOT, current);
 					break;
 				}
 				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
 				DBG1(DBG_CFG, "  using untrusted intermediate certificate "
 					 "\"%Y\"", issuer->get_subject(issuer));
+				auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
 			}
 			else
 			{
 				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
 					 current->get_subject(current));
+				call_hook(this, CRED_HOOK_NO_ISSUER, current);
 				break;
 			}
 		}
@@ -638,8 +784,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 		current = issuer;
 		if (trusted)
 		{
-			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
-						  pathlen);
+			DBG1(DBG_CFG, "  reached self-signed root ca with a "
+				 "path length of %d", pathlen);
 			break;
 		}
 	}
@@ -647,6 +793,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 	if (pathlen > MAX_TRUST_PATH_LEN)
 	{
 		DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+		call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
 	}
 	if (trusted)
 	{
@@ -708,8 +855,7 @@ METHOD(enumerator_t, trusted_enumerate, bool,
 			/* if we find a trusted self signed certificate, we just accept it.
 			 * However, in order to fulfill authorization rules, we try to build
 			 * the trust chain if it is not self signed */
-			if (this->this->cache->issued_by(this->this->cache,
-								   this->pretrusted, this->pretrusted) ||
+			if (issued_by(this->this, this->pretrusted, this->pretrusted, NULL) ||
 				verify_trust_chain(this->this, this->pretrusted, this->auth,
 								   TRUE, this->online))
 			{
@@ -859,7 +1005,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 	if (auth)
 	{
 		enumerator->wrapper = auth_cfg_wrapper_create(auth);
-		add_local_set(this, &enumerator->wrapper->set);
+		add_local_set(this, &enumerator->wrapper->set, FALSE);
 	}
 	this->lock->read_lock(this->lock);
 	return &enumerator->public;
@@ -916,8 +1062,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 		}
 		else
 		{
-			if (!has_anchor &&
-				this->cache->issued_by(this->cache, current, current))
+			if (!has_anchor && issued_by(this, current, current, NULL))
 			{	/* If no trust anchor specified, accept any CA */
 				trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
 				return trustchain;
@@ -928,7 +1073,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 		{
 			break;
 		}
-		issuer = get_issuer_cert(this, current, FALSE);
+		issuer = get_issuer_cert(this, current, FALSE, NULL);
 		if (!issuer)
 		{
 			if (!has_anchor)
@@ -973,6 +1118,29 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this,
 	return private;
 }
 
+/**
+ * Move the actually used certificate to front, so it gets returned with get()
+ */
+static void prefer_cert(auth_cfg_t *auth, certificate_t *cert)
+{
+	enumerator_t *enumerator;
+	auth_rule_t rule;
+	certificate_t *current;
+
+	enumerator = auth->create_enumerator(auth);
+	while (enumerator->enumerate(enumerator, &rule, &current))
+	{
+		if (rule == AUTH_RULE_SUBJECT_CERT)
+		{
+			current->get_ref(current);
+			auth->replace(auth, enumerator, AUTH_RULE_SUBJECT_CERT, cert);
+			cert = current;
+		}
+	}
+	enumerator->destroy(enumerator);
+	auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+}
+
 METHOD(credential_manager_t, get_private, private_key_t*,
 	private_credential_manager_t *this, key_type_t type, identification_t *id,
 	auth_cfg_t *auth)
@@ -981,6 +1149,7 @@ METHOD(credential_manager_t, get_private, private_key_t*,
 	certificate_t *cert;
 	private_key_t *private = NULL;
 	auth_cfg_t *trustchain;
+	auth_rule_t rule;
 
 	/* check if this is a lookup by key ID, and do it if so */
 	if (id && id->get_type(id) == ID_KEY_ID)
@@ -992,42 +1161,73 @@ METHOD(credential_manager_t, get_private, private_key_t*,
 		}
 	}
 
-	/* if a specific certificate is preferred, check for a matching key */
-	cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-	if (cert)
+	if (auth)
 	{
-		private = get_private_by_cert(this, cert, type);
-		if (private)
+		/* try to find a trustchain with one of the configured subject certs */
+		enumerator = auth->create_enumerator(auth);
+		while (enumerator->enumerate(enumerator, &rule, &cert))
 		{
-			trustchain = build_trustchain(this, cert, auth);
-			if (trustchain)
+			if (rule == AUTH_RULE_SUBJECT_CERT)
 			{
-				auth->merge(auth, trustchain, FALSE);
-				trustchain->destroy(trustchain);
+				private = get_private_by_cert(this, cert, type);
+				if (private)
+				{
+					trustchain = build_trustchain(this, cert, auth);
+					if (trustchain)
+					{
+						auth->merge(auth, trustchain, FALSE);
+						prefer_cert(auth, cert->get_ref(cert));
+						trustchain->destroy(trustchain);
+						break;
+					}
+					private->destroy(private);
+					private = NULL;
+				}
 			}
+		}
+		enumerator->destroy(enumerator);
+		if (private)
+		{
 			return private;
 		}
-	}
 
-	/* try to build a trust chain for each certificate found */
-	enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
-	while (enumerator->enumerate(enumerator, &cert))
-	{
-		private = get_private_by_cert(this, cert, type);
-		if (private)
+		/* if none yielded a trustchain, enforce the first configured cert */
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+		if (cert)
 		{
-			trustchain = build_trustchain(this, cert, auth);
-			if (trustchain)
+			private = get_private_by_cert(this, cert, type);
+			if (private)
 			{
-				auth->merge(auth, trustchain, FALSE);
-				trustchain->destroy(trustchain);
-				break;
+				trustchain = build_trustchain(this, cert, auth);
+				if (trustchain)
+				{
+					auth->merge(auth, trustchain, FALSE);
+					trustchain->destroy(trustchain);
+				}
+				return private;
+			}
+		}
+
+		/* try to build a trust chain for each certificate found */
+		enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			private = get_private_by_cert(this, cert, type);
+			if (private)
+			{
+				trustchain = build_trustchain(this, cert, auth);
+				if (trustchain)
+				{
+					auth->merge(auth, trustchain, FALSE);
+					trustchain->destroy(trustchain);
+					break;
+				}
+				private->destroy(private);
+				private = NULL;
 			}
-			private->destroy(private);
-			private = NULL;
 		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
 
 	/* if no valid trustchain was found, fall back to the first usable cert */
 	if (!private)
@@ -1038,7 +1238,10 @@ METHOD(credential_manager_t, get_private, private_key_t*,
 			private = get_private_by_cert(this, cert, type);
 			if (private)
 			{
-				auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+				if (auth)
+				{
+					auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+				}
 				break;
 			}
 		}
@@ -1050,14 +1253,10 @@ METHOD(credential_manager_t, get_private, private_key_t*,
 METHOD(credential_manager_t, flush_cache, void,
 	private_credential_manager_t *this, certificate_type_t type)
 {
-	this->cache->flush(this->cache, type);
-}
-
-METHOD(credential_manager_t, issued_by, bool,
-	private_credential_manager_t *this, certificate_t *subject,
-	certificate_t *issuer)
-{
-	return this->cache->issued_by(this->cache, subject, issuer);
+	if (this->cache)
+	{
+		this->cache->flush(this->cache, type);
+	}
 }
 
 METHOD(credential_manager_t, add_set, void,
@@ -1097,10 +1296,14 @@ METHOD(credential_manager_t, destroy, void,
 {
 	cache_queue(this);
 	this->cache_queue->destroy(this->cache_queue);
-	this->sets->remove(this->sets, this->cache, NULL);
+	if (this->cache)
+	{
+		this->sets->remove(this->sets, this->cache, NULL);
+		this->cache->destroy(this->cache);
+	}
 	this->sets->destroy(this->sets);
 	this->local_sets->destroy(this->local_sets);
-	this->cache->destroy(this->cache);
+	this->exclusive_local_sets->destroy(this->exclusive_local_sets);
 	this->validators->destroy(this->validators);
 	this->lock->destroy(this->lock);
 	this->queue_mutex->destroy(this->queue_mutex);
@@ -1133,18 +1336,24 @@ credential_manager_t *credential_manager_create()
 			.remove_local_set = _remove_local_set,
 			.add_validator = _add_validator,
 			.remove_validator = _remove_validator,
+			.set_hook = _set_hook,
+			.call_hook = _call_hook,
 			.destroy = _destroy,
 		},
 		.sets = linked_list_create(),
 		.validators = linked_list_create(),
-		.cache = cert_cache_create(),
 		.cache_queue = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
 	this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
-	this->sets->insert_first(this->sets, this->cache);
+	this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
+	if (lib->settings->get_bool(lib->settings, "libstrongswan.cert_cache", TRUE))
+	{
+		this->cache = cert_cache_create();
+		this->sets->insert_first(this->sets, this->cache);
+	}
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 8e8f04b8c..445ea3f9c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -22,9 +22,10 @@
 #define CREDENTIAL_MANAGER_H_
 
 typedef struct credential_manager_t credential_manager_t;
+typedef enum credential_hook_type_t credential_hook_type_t;
 
 #include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/auth_cfg.h>
 #include <credentials/credential_set.h>
 #include <credentials/keys/private_key.h>
@@ -33,6 +34,37 @@ typedef struct credential_manager_t credential_manager_t;
 #include <credentials/cert_validator.h>
 
 /**
+ * Type of a credential hook error/event.
+ */
+enum credential_hook_type_t {
+	/** The certificate has expired (or is not yet valid) */
+	CRED_HOOK_EXPIRED,
+	/** The certificate has been revoked */
+	CRED_HOOK_REVOKED,
+	/** Checking certificate revocation failed. This does not necessarily mean
+	 *  the certificate is rejected, just that revocation checking failed. */
+	CRED_HOOK_VALIDATION_FAILED,
+	/** No trusted issuer certificate has been found for this certificate */
+	CRED_HOOK_NO_ISSUER,
+	/** Encountered a self-signed (root) certificate, but it is not trusted */
+	CRED_HOOK_UNTRUSTED_ROOT,
+	/** Maximum trust chain length exceeded for certificate */
+	CRED_HOOK_EXCEEDED_PATH_LEN,
+	/** The certificate violates some other kind of policy and gets rejected */
+	CRED_HOOK_POLICY_VIOLATION,
+};
+
+/**
+ * Hook function to invoke on certificate validation errors.
+ *
+ * @param data			user data supplied during hook registration
+ * @param type			type of validation error/event
+ * @param cert			associated certificate
+ */
+typedef void (*credential_hook_t)(void *data, credential_hook_type_t type,
+								  certificate_t *cert);
+
+/**
  * Manages credentials using credential_sets.
  *
  * The credential manager is the entry point of the credential framework. It
@@ -89,7 +121,7 @@ struct credential_manager_t {
 	 * @param type		kind of requested shared key
 	 * @param first		first subject between key is shared
 	 * @param second	second subject between key is shared
-	 * @return			enumerator over shared keys
+	 * @return			enumerator over (shared_key_t*,id_match_t,id_match_t)
 	 */
 	enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
 								shared_key_type_t type,
@@ -204,10 +236,12 @@ struct credential_manager_t {
 	 *
 	 * @param subject	subject certificate to check
 	 * @param issuer	issuer certificate that potentially has signed subject
+	 * @param scheme	receives used signature scheme, if given
 	 * @return			TRUE if issuer signed subject
 	 */
 	bool (*issued_by)(credential_manager_t *this,
-					  certificate_t *subject, certificate_t *issuer);
+					  certificate_t *subject, certificate_t *issuer,
+					  signature_scheme_t *scheme);
 
 	/**
 	 * Register a credential set to the manager.
@@ -230,10 +264,14 @@ struct credential_manager_t {
 	 * operation, sets may be added for the calling thread only. This
 	 * does not require a write lock and is therefore a much cheaper
 	 * operation.
+	 * The exclusive option allows to disable all other credential sets
+	 * until the set is deregistered.
 	 *
 	 * @param set		set to register
+	 * @param exclusive	TRUE to disable all other sets for this thread
 	 */
-	void (*add_local_set)(credential_manager_t *this, credential_set_t *set);
+	void (*add_local_set)(credential_manager_t *this, credential_set_t *set,
+						  bool exclusive);
 
 	/**
 	 * Unregister a thread local credential set from the manager.
@@ -257,6 +295,28 @@ struct credential_manager_t {
 	void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
 
 	/**
+	 * Set a hook to call on certain credential validation errors.
+	 *
+	 * @param hook		hook to register, NULL to unregister
+	 * @param data		data to pass to hook
+	 */
+	void (*set_hook)(credential_manager_t *this, credential_hook_t hook,
+					 void *data);
+
+	/**
+	 * Call the registered credential hook, if any.
+	 *
+	 * While hooks are usually called by the credential manager itself, some
+	 * validator plugins might raise hooks as well if they consider certificates
+	 * invalid.
+	 *
+	 * @param type		type of the event
+	 * @param cert		associated certificate
+	 */
+	void (*call_hook)(credential_manager_t *this, credential_hook_type_t type,
+					  certificate_t *cert);
+
+	/**
 	 * Destroy a credential_manager instance.
 	 */
 	void (*destroy)(credential_manager_t *this);
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index fb18fb53d..49af5a079 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -17,7 +17,7 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/lexparser.h>
 
 #include "ietf_attributes.h"
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index fdbe17f2c..2afcf8325 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -192,7 +192,7 @@ struct public_key_t {
 	/**
 	 * Get the key in an encoded form as a chunk.
 	 *
-	 * @param type		type of the encoding, one of PRIVKEY_*
+	 * @param type		type of the encoding, one of PUBKEY_*
 	 * @param encoding	encoding of the key, allocated
 	 * @return			TRUE if encoding supported
 	 */
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index d00b8d12e..900c6613e 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -21,7 +21,7 @@
 #ifndef SHARED_KEY_H_
 #define SHARED_KEY_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <utils/identification.h>
 
 typedef struct shared_key_t shared_key_t;
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 2cef23328..46bfb5c6e 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -15,7 +15,7 @@
  */
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "auth_cfg_wrapper.h"
 
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 968c3e31e..e8f0e7ec0 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -20,7 +20,7 @@
 
 #include <library.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /** cache size, a power of 2 for fast modulo */
 #define CACHE_SIZE 32
@@ -47,6 +47,11 @@ struct relation_t {
 	certificate_t *issuer;
 
 	/**
+	 * Signature scheme used to sign this relation
+	 */
+	signature_scheme_t scheme;
+
+	/**
 	 * Cache hits
 	 */
 	u_int hits;
@@ -77,7 +82,8 @@ struct private_cert_cache_t {
  * Cache relation in a free slot/replace an other
  */
 static void cache(private_cert_cache_t *this,
-				  certificate_t *subject, certificate_t *issuer)
+				  certificate_t *subject, certificate_t *issuer,
+				  signature_scheme_t scheme)
 {
 	relation_t *rel;
 	int i, offset, try;
@@ -95,6 +101,7 @@ static void cache(private_cert_cache_t *this,
 			{
 				rel->subject = subject->get_ref(subject);
 				rel->issuer = issuer->get_ref(issuer);
+				rel->scheme = scheme;
 				return rel->lock->unlock(rel->lock);
 			}
 			rel->lock->unlock(rel->lock);
@@ -123,6 +130,7 @@ static void cache(private_cert_cache_t *this,
 				}
 				rel->subject = subject->get_ref(subject);
 				rel->issuer = issuer->get_ref(issuer);
+				rel->scheme = scheme;
 				rel->hits = 0;
 				return rel->lock->unlock(rel->lock);
 			}
@@ -133,9 +141,11 @@ static void cache(private_cert_cache_t *this,
 }
 
 METHOD(cert_cache_t, issued_by, bool,
-	private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer)
+	private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	relation_t *found = NULL, *current;
+	signature_scheme_t scheme;
 	int i;
 
 	for (i = 0; i < CACHE_SIZE; i++)
@@ -154,7 +164,11 @@ METHOD(cert_cache_t, issued_by, bool,
 				{
 					/* write hit counter is not locked, but not critical */
 					current->hits++;
-					found = current;
+					found = current;;
+					if (schemep)
+					{
+						*schemep = current->scheme;
+					}
 				}
 			}
 		}
@@ -165,9 +179,13 @@ METHOD(cert_cache_t, issued_by, bool,
 		}
 	}
 	/* no cache hit, check and cache signature */
-	if (subject->issued_by(subject, issuer))
+	if (subject->issued_by(subject, issuer, &scheme))
 	{
-		cache(this, subject, issuer);
+		cache(this, subject, issuer, scheme);
+		if (schemep)
+		{
+			*schemep = scheme;
+		}
 		return TRUE;
 	}
 	return FALSE;
diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h
index d2721866e..2bcdbe464 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.h
+++ b/src/libstrongswan/credentials/sets/cert_cache.h
@@ -45,10 +45,12 @@ struct cert_cache_t {
 	 *
 	 * @param subject		certificate to verify
 	 * @param issuer		issuing certificate to verify subject
+	 * @param scheme		receives used signature scheme, if given
 	 * @return				TRUE if subject issued by issuer
 	 */
 	bool (*issued_by)(cert_cache_t *this,
-					  certificate_t *subject, certificate_t *issuer);
+					  certificate_t *subject, certificate_t *issuer,
+					  signature_scheme_t *scheme);
 
 	/**
 	 * Flush the certificate cache.
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index e023e8443..b8da3f620 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperwsil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -18,7 +18,7 @@
 #include "mem_cred.h"
 
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_mem_cred_t private_mem_cred_t;
 
@@ -555,14 +555,66 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
 
 }
 
-METHOD(mem_cred_t, clear_secrets, void,
-	private_mem_cred_t *this)
+static void reset_secrets(private_mem_cred_t *this)
 {
-	this->lock->write_lock(this->lock);
 	this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy));
 	this->shared->destroy_function(this->shared, (void*)shared_entry_destroy);
 	this->keys = linked_list_create();
 	this->shared = linked_list_create();
+}
+
+METHOD(mem_cred_t, replace_secrets, void,
+	private_mem_cred_t *this, mem_cred_t *other_set, bool clone)
+{
+	private_mem_cred_t *other = (private_mem_cred_t*)other_set;
+	enumerator_t *enumerator;
+	shared_entry_t *entry, *new_entry;
+	private_key_t *key;
+
+	this->lock->write_lock(this->lock);
+
+	reset_secrets(this);
+
+	if (clone)
+	{
+		enumerator = other->keys->create_enumerator(other->keys);
+		while (enumerator->enumerate(enumerator, &key))
+		{
+			this->keys->insert_last(this->keys, key->get_ref(key));
+		}
+		enumerator->destroy(enumerator);
+		enumerator = other->shared->create_enumerator(other->shared);
+		while (enumerator->enumerate(enumerator, &entry))
+		{
+			INIT(new_entry,
+				.shared = entry->shared->get_ref(entry->shared),
+				.owners = entry->owners->clone_offset(entry->owners,
+											offsetof(identification_t, clone)),
+			);
+			this->shared->insert_last(this->shared, new_entry);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		while (other->keys->remove_first(other->keys, (void**)&key) == SUCCESS)
+		{
+			this->keys->insert_last(this->keys, key);
+		}
+		while (other->shared->remove_first(other->shared,
+										  (void**)&entry) == SUCCESS)
+		{
+			this->shared->insert_last(this->shared, entry);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, clear_secrets, void,
+	private_mem_cred_t *this)
+{
+	this->lock->write_lock(this->lock);
+	reset_secrets(this);
 	this->lock->unlock(this->lock);
 }
 
@@ -619,6 +671,7 @@ mem_cred_t *mem_cred_create()
 			.add_shared = _add_shared,
 			.add_shared_list = _add_shared_list,
 			.add_cdp = _add_cdp,
+			.replace_secrets = _replace_secrets,
 			.clear = _clear_,
 			.clear_secrets = _clear_secrets,
 			.destroy = _destroy,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index eb46b065b..d0dd51da1 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -27,7 +27,7 @@ typedef struct mem_cred_t mem_cred_t;
 
 #include <credentials/credential_set.h>
 #include <credentials/certificates/crl.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * Generic in-memory credential set.
@@ -101,6 +101,16 @@ struct mem_cred_t {
 					identification_t *id, char *uri);
 
 	/**
+	 * Replace all secrets (private and shared keys) in this credential set
+	 * with those of another.
+	 *
+	 * @param other			credential set to get secrets from
+	 * @param clone			TRUE to clone secrets, FALSE to adopt them (they
+	 *						get removed from the other set)
+	 */
+	void (*replace_secrets)(mem_cred_t *this, mem_cred_t *other, bool clone);
+
+	/**
 	 * Clear all credentials from the credential set.
 	 */
 	void (*clear)(mem_cred_t *this);
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
index 51cb05909..32a0e6759 100644
--- a/src/libstrongswan/crypto/aead.c
+++ b/src/libstrongswan/crypto/aead.c
@@ -15,7 +15,7 @@
 
 #include "aead.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_aead_t private_aead_t;
 
@@ -40,26 +40,41 @@ struct private_aead_t {
 	signer_t *signer;
 };
 
-METHOD(aead_t, encrypt, void,
+METHOD(aead_t, encrypt, bool,
 	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
 	chunk_t *encrypted)
 {
 	chunk_t encr, sig;
 
-	this->signer->get_signature(this->signer, assoc, NULL);
-	this->signer->get_signature(this->signer, iv, NULL);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->get_signature(this->signer, iv, NULL))
+	{
+		return FALSE;
+	}
 
 	if (encrypted)
 	{
-		this->crypter->encrypt(this->crypter, plain, iv, &encr);
-		this->signer->allocate_signature(this->signer, encr, &sig);
+		if (!this->crypter->encrypt(this->crypter, plain, iv, &encr))
+		{
+			return FALSE;
+		}
+		if (!this->signer->allocate_signature(this->signer, encr, &sig))
+		{
+			free(encr.ptr);
+			return FALSE;
+		}
 		*encrypted = chunk_cat("cmm", iv, encr, sig);
 	}
 	else
 	{
-		this->crypter->encrypt(this->crypter, plain, iv, NULL);
-		this->signer->get_signature(this->signer, plain, plain.ptr + plain.len);
+		if (!this->crypter->encrypt(this->crypter, plain, iv, NULL) ||
+			!this->signer->get_signature(this->signer,
+										 plain, plain.ptr + plain.len))
+		{
+			return FALSE;
+		}
 	}
+	return TRUE;
 }
 
 METHOD(aead_t, decrypt, bool,
@@ -80,15 +95,17 @@ METHOD(aead_t, decrypt, bool,
 	chunk_split(encrypted, "mm", encrypted.len - sig.len,
 				&encrypted, sig.len, &sig);
 
-	this->signer->get_signature(this->signer, assoc, NULL);
-	this->signer->get_signature(this->signer, iv, NULL);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->get_signature(this->signer, iv, NULL))
+	{
+		return FALSE;
+	}
 	if (!this->signer->verify_signature(this->signer, encrypted, sig))
 	{
 		DBG1(DBG_LIB, "MAC verification failed");
 		return FALSE;
 	}
-	this->crypter->decrypt(this->crypter, encrypted, iv, plain);
-	return TRUE;
+	return this->crypter->decrypt(this->crypter, encrypted, iv, plain);
 }
 
 METHOD(aead_t, get_block_size, size_t,
@@ -116,7 +133,7 @@ METHOD(aead_t, get_key_size, size_t,
 			this->signer->get_key_size(this->signer);
 }
 
-METHOD(aead_t, set_key, void,
+METHOD(aead_t, set_key, bool,
 	private_aead_t *this, chunk_t key)
 {
 	chunk_t sig, enc;
@@ -124,8 +141,8 @@ METHOD(aead_t, set_key, void,
 	chunk_split(key, "mm", this->signer->get_key_size(this->signer), &sig,
 				this->crypter->get_key_size(this->crypter), &enc);
 
-	this->signer->set_key(this->signer, sig);
-	this->crypter->set_key(this->crypter, enc);
+	return this->signer->set_key(this->signer, sig) &&
+		   this->crypter->set_key(this->crypter, enc);
 }
 
 METHOD(aead_t, destroy, void,
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
index 3f6abb4f9..f3959f8f3 100644
--- a/src/libstrongswan/crypto/aead.h
+++ b/src/libstrongswan/crypto/aead.h
@@ -45,9 +45,10 @@ struct aead_t {
 	 * @param assoc			associated data to sign
 	 * @param iv			initialization vector
 	 * @param encrypted		allocated encryption result
+	 * @return				TRUE if successfully encrypted
 	 */
-	void (*encrypt)(aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
-					chunk_t *encrypted);
+	bool (*encrypt)(aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+					chunk_t *encrypted) __attribute__((warn_unused_result));
 
 	/**
 	 * Decrypt and verify data, verify associated data.
@@ -57,7 +58,7 @@ struct aead_t {
 	 * is returned in the encrypted chunk, the last get_icv_size() bytes
 	 * contain the verified ICV.
 	 *
-	 * @param encrypted		data to encrypt and verify
+	 * @param encrypted		data to decrypt and verify
 	 * @param assoc			associated data to verify
 	 * @param iv			initialization vector
 	 * @param plain			allocated result, if successful
@@ -98,11 +99,13 @@ struct aead_t {
 	 * Set the key for encryption and authentication.
 	 *
 	 * @param key			encryption and authentication key
+	 * @return				TRUE if key set successfully
 	 */
-	void (*set_key)(aead_t *this, chunk_t key);
+	bool (*set_key)(aead_t *this,
+					chunk_t key) __attribute__((warn_unused_result));
 
 	/**
-	 * Destroy a aead_t.
+	 * Destroy an aead_t.
 	 */
 	void (*destroy)(aead_t *this);
 };
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 0730c707c..8123adde5 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16
 	"CAMELLIA_CCM_8",
 	"CAMELLIA_CCM_12",
 	"CAMELLIA_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_RC2_CBC, ENCR_CAMELLIA_CCM_ICV16,
 	"UNDEFINED",
 	"DES_ECB",
 	"SERPENT_CBC",
-	"TWOFISH_CBC");
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+	"TWOFISH_CBC",
+	"RC2_CBC");
+ENUM_END(encryption_algorithm_names, ENCR_RC2_CBC);
 
 /*
  * Described in header.
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index 3bf039681..849aea500 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -60,7 +60,9 @@ enum encryption_algorithm_t {
 	ENCR_UNDEFINED =        1024,
 	ENCR_DES_ECB =          1025,
 	ENCR_SERPENT_CBC =      1026,
-	ENCR_TWOFISH_CBC =      1027
+	ENCR_TWOFISH_CBC =      1027,
+	/* see macros below to handle RC2 (effective) key length */
+	ENCR_RC2_CBC =          1028,
 };
 
 #define DES_BLOCK_SIZE			 8
@@ -71,6 +73,15 @@ enum encryption_algorithm_t {
 #define TWOFISH_BLOCK_SIZE		16
 
 /**
+ * For RC2, if the effective key size in bits is not key_size * 8, it should
+ * be encoded with the macro below. It can be decoded with the other two macros.
+ * After decoding the value should be validated.
+ */
+#define RC2_KEY_SIZE(kl, eff) ((kl) | ((eff) << 8))
+#define RC2_EFFECTIVE_KEY_LEN(ks) ((ks) >> 8)
+#define RC2_KEY_LEN(ks) ((ks) & 0xff)
+
+/**
  * enum name for encryption_algorithm_t.
  */
 extern enum_name_t *encryption_algorithm_names;
@@ -90,9 +101,10 @@ struct crypter_t {
 	 * @param data			data to encrypt
 	 * @param iv			initializing vector
 	 * @param encrypted		chunk to allocate encrypted data, or NULL
+	 * @return				TRUE if encryption successful
 	 */
-	void (*encrypt) (crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted);
+	bool (*encrypt)(crypter_t *this, chunk_t data, chunk_t iv,
+					chunk_t *encrypted) __attribute__((warn_unused_result));
 
 	/**
 	 * Decrypt a chunk of data and allocate space for the decrypted value.
@@ -104,9 +116,10 @@ struct crypter_t {
 	 * @param data			data to decrypt
 	 * @param iv			initializing vector
 	 * @param encrypted		chunk to allocate decrypted data, or NULL
+	 * @return				TRUE if decryption successful
 	 */
-	void (*decrypt) (crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *decrypted);
+	bool (*decrypt)(crypter_t *this, chunk_t data, chunk_t iv,
+					chunk_t *decrypted) __attribute__((warn_unused_result));
 
 	/**
 	 * Get the block size of the crypto algorithm.
@@ -117,7 +130,7 @@ struct crypter_t {
 	 *
 	 * @return				block size in bytes
 	 */
-	size_t (*get_block_size) (crypter_t *this);
+	size_t (*get_block_size)(crypter_t *this);
 
 	/**
 	 * Get the IV size of the crypto algorithm.
@@ -135,7 +148,7 @@ struct crypter_t {
 	 *
 	 * @return				key size in bytes
 	 */
-	size_t (*get_key_size) (crypter_t *this);
+	size_t (*get_key_size)(crypter_t *this);
 
 	/**
 	 * Set the key.
@@ -143,13 +156,15 @@ struct crypter_t {
 	 * The length of the key must match get_key_size().
 	 *
 	 * @param key			key to set
+	 * @return				TRUE if key set successfully
 	 */
-	void (*set_key) (crypter_t *this, chunk_t key);
+	bool (*set_key)(crypter_t *this,
+					chunk_t key) __attribute__((warn_unused_result));
 
 	/**
 	 * Destroys a crypter_t object.
 	 */
-	void (*destroy) (crypter_t *this);
+	void (*destroy)(crypter_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 2d13896d6..b89198003 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -15,9 +15,9 @@
 
 #include "crypto_factory.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <crypto/crypto_tester.h>
 
 const char *default_plugin_name = "default";
@@ -50,6 +50,7 @@ struct entry_t {
 		hasher_constructor_t create_hasher;
 		prf_constructor_t create_prf;
 		rng_constructor_t create_rng;
+		nonce_gen_constructor_t create_nonce_gen;
 		dh_constructor_t create_dh;
 		void *create;
 	};
@@ -98,6 +99,11 @@ struct private_crypto_factory_t {
 	linked_list_t *rngs;
 
 	/**
+	 * registered nonce generators, as entry_t
+	 */
+	linked_list_t *nonce_gens;
+
+	/**
 	 * registered diffie hellman, as entry_t
 	 */
 	linked_list_t *dhs;
@@ -123,6 +129,11 @@ struct private_crypto_factory_t {
 	bool bench;
 
 	/**
+	 * Number of failed test vectors during "add".
+	 */
+	u_int test_failures;
+
+	/**
 	 * rwlock to lock access to modules
 	 */
 	rwlock_t *lock;
@@ -329,34 +340,49 @@ METHOD(crypto_factory_t, create_rng, rng_t*,
 	return NULL;
 }
 
+METHOD(crypto_factory_t, create_nonce_gen, nonce_gen_t*,
+	private_crypto_factory_t *this)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	nonce_gen_t *nonce_gen = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->nonce_gens->create_enumerator(this->nonce_gens);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		nonce_gen = entry->create_nonce_gen();
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return nonce_gen;
+}
+
 METHOD(crypto_factory_t, create_dh, diffie_hellman_t*,
 	private_crypto_factory_t *this, diffie_hellman_group_t group, ...)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
+	va_list args;
+	chunk_t g = chunk_empty, p = chunk_empty;
 	diffie_hellman_t *diffie_hellman = NULL;
 
+	if (group == MODP_CUSTOM)
+	{
+		va_start(args, group);
+		g = va_arg(args, chunk_t);
+		p = va_arg(args, chunk_t);
+		va_end(args);
+	}
+
 	this->lock->read_lock(this->lock);
 	enumerator = this->dhs->create_enumerator(this->dhs);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
 		if (entry->algo == group)
 		{
-			if (group == MODP_CUSTOM)
-			{
-				va_list args;
-				chunk_t g, p;
-
-				va_start(args, group);
-				g = va_arg(args, chunk_t);
-				p = va_arg(args, chunk_t);
-				va_end(args);
-				diffie_hellman = entry->create_dh(MODP_CUSTOM, g, p);
-			}
-			else
-			{
-				diffie_hellman = entry->create_dh(group);
-			}
+			diffie_hellman = entry->create_dh(group, g, p);
 			if (diffie_hellman)
 			{
 				break;
@@ -414,8 +440,8 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_crypter, void,
-	private_crypto_factory_t *this,	encryption_algorithm_t algo,
+METHOD(crypto_factory_t, add_crypter, bool,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
 	const char *plugin_name, crypter_constructor_t create)
 {
 	u_int speed = 0;
@@ -425,7 +451,10 @@ METHOD(crypto_factory_t, add_crypter, void,
 								   this->bench ? &speed : NULL,	plugin_name))
 	{
 		add_entry(this, this->crypters, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_crypter, void,
@@ -448,8 +477,8 @@ METHOD(crypto_factory_t, remove_crypter, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_aead, void,
-	private_crypto_factory_t *this,	encryption_algorithm_t algo,
+METHOD(crypto_factory_t, add_aead, bool,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
 	const char *plugin_name, aead_constructor_t create)
 {
 	u_int speed = 0;
@@ -459,7 +488,10 @@ METHOD(crypto_factory_t, add_aead, void,
 								this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->aeads, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_aead, void,
@@ -482,8 +514,8 @@ METHOD(crypto_factory_t, remove_aead, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_signer, void,
-	private_crypto_factory_t *this,	integrity_algorithm_t algo,
+METHOD(crypto_factory_t, add_signer, bool,
+	private_crypto_factory_t *this, integrity_algorithm_t algo,
 	const char *plugin_name, signer_constructor_t create)
 {
 	u_int speed = 0;
@@ -493,7 +525,10 @@ METHOD(crypto_factory_t, add_signer, void,
 								  this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->signers, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_signer, void,
@@ -516,8 +551,8 @@ METHOD(crypto_factory_t, remove_signer, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_hasher, void,
-	private_crypto_factory_t *this,	hash_algorithm_t algo,
+METHOD(crypto_factory_t, add_hasher, bool,
+	private_crypto_factory_t *this, hash_algorithm_t algo,
 	const char *plugin_name, hasher_constructor_t create)
 {
 	u_int speed = 0;
@@ -527,7 +562,10 @@ METHOD(crypto_factory_t, add_hasher, void,
 								  this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->hashers, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_hasher, void,
@@ -550,8 +588,8 @@ METHOD(crypto_factory_t, remove_hasher, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_prf, void,
-	private_crypto_factory_t *this,	pseudo_random_function_t algo,
+METHOD(crypto_factory_t, add_prf, bool,
+	private_crypto_factory_t *this, pseudo_random_function_t algo,
 	const char *plugin_name, prf_constructor_t create)
 {
 	u_int speed = 0;
@@ -561,7 +599,10 @@ METHOD(crypto_factory_t, add_prf, void,
 							   this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->prfs, algo, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_prf, void,
@@ -584,7 +625,7 @@ METHOD(crypto_factory_t, remove_prf, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_rng, void,
+METHOD(crypto_factory_t, add_rng, bool,
 	private_crypto_factory_t *this, rng_quality_t quality,
 	const char *plugin_name, rng_constructor_t create)
 {
@@ -595,7 +636,10 @@ METHOD(crypto_factory_t, add_rng, void,
 							   this->bench ? &speed : NULL, plugin_name))
 	{
 		add_entry(this, this->rngs, quality, plugin_name, speed, create);
+		return TRUE;
 	}
+	this->test_failures++;
+	return FALSE;
 }
 
 METHOD(crypto_factory_t, remove_rng, void,
@@ -618,11 +662,40 @@ METHOD(crypto_factory_t, remove_rng, void,
 	this->lock->unlock(this->lock);
 }
 
-METHOD(crypto_factory_t, add_dh, void,
-	private_crypto_factory_t *this,	diffie_hellman_group_t group,
-	 const char *plugin_name, dh_constructor_t create)
+METHOD(crypto_factory_t, add_nonce_gen, bool,
+	private_crypto_factory_t *this, const char *plugin_name,
+	nonce_gen_constructor_t create)
+{
+	add_entry(this, this->nonce_gens, 0, plugin_name, 0, create);
+	return TRUE;
+}
+
+METHOD(crypto_factory_t, remove_nonce_gen, void,
+	private_crypto_factory_t *this, nonce_gen_constructor_t create)
+{
+	entry_t *entry;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->nonce_gens->create_enumerator(this->nonce_gens);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create_nonce_gen == create)
+		{
+			this->nonce_gens->remove_at(this->nonce_gens, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(crypto_factory_t, add_dh, bool,
+	private_crypto_factory_t *this, diffie_hellman_group_t group,
+	const char *plugin_name, dh_constructor_t create)
 {
 	add_entry(this, this->dhs, group, plugin_name, 0, create);
+	return TRUE;
 }
 
 METHOD(crypto_factory_t, remove_dh, void,
@@ -756,7 +829,7 @@ METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*,
 }
 
 /**
- * Filter function to enumerate algorithm, not entry
+ * Filter function to enumerate group, not entry
  */
 static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group,
 					  void *i2, const char **plugin_name)
@@ -773,7 +846,7 @@ METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*,
 }
 
 /**
- * Filter function to enumerate algorithm, not entry
+ * Filter function to enumerate strength, not entry
  */
 static bool rng_filter(void *n, entry_t **entry, rng_quality_t *quality,
 					   void *i2, const char **plugin_name)
@@ -788,6 +861,22 @@ METHOD(crypto_factory_t, create_rng_enumerator, enumerator_t*,
 {
 	return create_enumerator(this, this->rngs, rng_filter);
 }
+
+/**
+ * Filter function to enumerate plugin name, not entry
+ */
+static bool nonce_gen_filter(void *n, entry_t **entry, const char **plugin_name)
+{
+	*plugin_name = (*entry)->plugin_name;
+	return TRUE;
+}
+
+METHOD(crypto_factory_t, create_nonce_gen_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->nonce_gens, nonce_gen_filter);
+}
+
 METHOD(crypto_factory_t, add_test_vector, void,
 	private_crypto_factory_t *this, transform_type_t type, void *vector)
 {
@@ -811,6 +900,12 @@ METHOD(crypto_factory_t, add_test_vector, void,
 	}
 }
 
+METHOD(crypto_factory_t, get_test_vector_failures, u_int,
+	private_crypto_factory_t *this)
+{
+	return this->test_failures;
+}
+
 METHOD(crypto_factory_t, destroy, void,
 	private_crypto_factory_t *this)
 {
@@ -820,6 +915,7 @@ METHOD(crypto_factory_t, destroy, void,
 	this->hashers->destroy(this->hashers);
 	this->prfs->destroy(this->prfs);
 	this->rngs->destroy(this->rngs);
+	this->nonce_gens->destroy(this->nonce_gens);
 	this->dhs->destroy(this->dhs);
 	this->tester->destroy(this->tester);
 	this->lock->destroy(this->lock);
@@ -841,6 +937,7 @@ crypto_factory_t *crypto_factory_create()
 			.create_hasher = _create_hasher,
 			.create_prf = _create_prf,
 			.create_rng = _create_rng,
+			.create_nonce_gen = _create_nonce_gen,
 			.create_dh = _create_dh,
 			.add_crypter = _add_crypter,
 			.remove_crypter = _remove_crypter,
@@ -854,6 +951,8 @@ crypto_factory_t *crypto_factory_create()
 			.remove_prf = _remove_prf,
 			.add_rng = _add_rng,
 			.remove_rng = _remove_rng,
+			.add_nonce_gen = _add_nonce_gen,
+			.remove_nonce_gen = _remove_nonce_gen,
 			.add_dh = _add_dh,
 			.remove_dh = _remove_dh,
 			.create_crypter_enumerator = _create_crypter_enumerator,
@@ -863,7 +962,9 @@ crypto_factory_t *crypto_factory_create()
 			.create_prf_enumerator = _create_prf_enumerator,
 			.create_dh_enumerator = _create_dh_enumerator,
 			.create_rng_enumerator = _create_rng_enumerator,
+			.create_nonce_gen_enumerator = _create_nonce_gen_enumerator,
 			.add_test_vector = _add_test_vector,
+			.get_test_vector_failures = _get_test_vector_failures,
 			.destroy = _destroy,
 		},
 		.crypters = linked_list_create(),
@@ -872,6 +973,7 @@ crypto_factory_t *crypto_factory_create()
 		.hashers = linked_list_create(),
 		.prfs = linked_list_create(),
 		.rngs = linked_list_create(),
+		.nonce_gens = linked_list_create(),
 		.dhs = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
 		.tester = crypto_tester_create(),
@@ -885,4 +987,3 @@ crypto_factory_t *crypto_factory_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 8e5db6355..256ecec63 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -24,12 +24,14 @@
 typedef struct crypto_factory_t crypto_factory_t;
 
 #include <library.h>
+#include <collections/enumerator.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/aead.h>
 #include <crypto/signers/signer.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/prfs/prf.h>
 #include <crypto/rngs/rng.h>
+#include <crypto/nonce_gen.h>
 #include <crypto/diffie_hellman.h>
 #include <crypto/transform.h>
 
@@ -66,6 +68,11 @@ typedef prf_t* (*prf_constructor_t)(pseudo_random_function_t algo);
 typedef rng_t* (*rng_constructor_t)(rng_quality_t quality);
 
 /**
+ * Constructor function for nonce generators
+ */
+typedef nonce_gen_t* (*nonce_gen_constructor_t)();
+
+/**
  * Constructor function for diffie hellman
  *
  * The DH constructor accepts additional arguments for:
@@ -132,6 +139,13 @@ struct crypto_factory_t {
 	rng_t* (*create_rng)(crypto_factory_t *this, rng_quality_t quality);
 
 	/**
+	 * Create a nonce generator instance.
+	 *
+	 * @return				nonce_gen_t instance, NULL if not supported
+	 */
+	nonce_gen_t* (*create_nonce_gen)(crypto_factory_t *this);
+
+	/**
 	 * Create a diffie hellman instance.
 	 *
 	 * Additional arguments are passed to the DH constructor.
@@ -148,9 +162,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo,
+	bool (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo,
 						const char *plugin_name, crypter_constructor_t create);
 
 	/**
@@ -173,9 +187,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo,
+	bool (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo,
 					 const char *plugin_name, aead_constructor_t create);
 
 	/**
@@ -184,9 +198,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo,
+	bool (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo,
 					    const char *plugin_name, signer_constructor_t create);
 
 	/**
@@ -205,9 +219,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo,
+	bool (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo,
 					   const char *plugin_name, hasher_constructor_t create);
 
 	/**
@@ -223,9 +237,9 @@ struct crypto_factory_t {
 	 * @param algo			algorithm to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo,
+	bool (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo,
 					const char *plugin_name, prf_constructor_t create);
 
 	/**
@@ -241,8 +255,9 @@ struct crypto_factory_t {
 	 * @param quality		quality of randomness this RNG serves
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for such a quality
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_rng)(crypto_factory_t *this, rng_quality_t quality,
+	bool (*add_rng)(crypto_factory_t *this, rng_quality_t quality,
 					const char *plugin_name, rng_constructor_t create);
 
 	/**
@@ -253,14 +268,32 @@ struct crypto_factory_t {
 	void (*remove_rng)(crypto_factory_t *this, rng_constructor_t create);
 
 	/**
+	 * Register a nonce generator.
+	 *
+	 * @param plugin_name	plugin that registered this algorithm
+	 * @param create		constructor function for that nonce generator
+	 * @return				TRUE if registered, FALSE if test vector failed
+	 */
+	bool (*add_nonce_gen)(crypto_factory_t *this, const char *plugin_name,
+						  nonce_gen_constructor_t create);
+
+	/**
+	 * Unregister a nonce generator.
+	 *
+	 * @param create		constructor function to unregister
+	 */
+	void (*remove_nonce_gen)(crypto_factory_t *this,
+							 nonce_gen_constructor_t create);
+
+	/**
 	 * Register a diffie hellman constructor.
 	 *
 	 * @param group			dh group to constructor
 	 * @param plugin_name	plugin that registered this algorithm
 	 * @param create		constructor function for that algorithm
-	 * @return
+	 * @return				TRUE if registered, FALSE if test vector failed
 	 */
-	void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group,
+	bool (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group,
 				   const char *plugin_name, dh_constructor_t create);
 
 	/**
@@ -273,53 +306,60 @@ struct crypto_factory_t {
 	/**
 	 * Create an enumerator over all registered crypter algorithms.
 	 *
-	 * @return				enumerator over encryption_algorithm_t
+	 * @return				enumerator over encryption_algorithm_t, plugin
 	 */
 	enumerator_t* (*create_crypter_enumerator)(crypto_factory_t *this);
 
 	/**
 	 * Create an enumerator over all registered aead algorithms.
 	 *
-	 * @return				enumerator over encryption_algorithm_t
+	 * @return				enumerator over encryption_algorithm_t, plugin
 	 */
 	enumerator_t* (*create_aead_enumerator)(crypto_factory_t *this);
 
 	/**
 	 * Create an enumerator over all registered signer algorithms.
 	 *
-	 * @return				enumerator over integrity_algorithm_t
+	 * @return				enumerator over integrity_algorithm_t, plugin
 	 */
 	enumerator_t* (*create_signer_enumerator)(crypto_factory_t *this);
 
 	/**
 	 * Create an enumerator over all registered hasher algorithms.
 	 *
-	 * @return				enumerator over hash_algorithm_t
+	 * @return				enumerator over hash_algorithm_t, plugin
 	 */
 	enumerator_t* (*create_hasher_enumerator)(crypto_factory_t *this);
 
 	/**
 	 * Create an enumerator over all registered PRFs.
 	 *
-	 * @return				enumerator over pseudo_random_function_t
+	 * @return				enumerator over pseudo_random_function_t, plugin
 	 */
 	enumerator_t* (*create_prf_enumerator)(crypto_factory_t *this);
 
 	/**
 	 * Create an enumerator over all registered diffie hellman groups.
 	 *
-	 * @return				enumerator over diffie_hellman_group_t
+	 * @return				enumerator over diffie_hellman_group_t, plugin
 	 */
 	enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this);
 
 	/**
 	 * Create an enumerator over all registered random generators.
 	 *
-	 * @return				enumerator over rng_quality_t
+	 * @return				enumerator over rng_quality_t, plugin
 	 */
 	enumerator_t* (*create_rng_enumerator)(crypto_factory_t *this);
 
 	/**
+	 * Create an enumerator over all registered nonce generators.
+	 *
+	 * @return				enumerator over plugin
+	 */
+	enumerator_t* (*create_nonce_gen_enumerator)(crypto_factory_t *this);
+
+	/**
 	 * Add a test vector to the crypto factory.
 	 *
 	 * @param type			type of the test vector
@@ -329,6 +369,16 @@ struct crypto_factory_t {
 							void *vector);
 
 	/**
+	 * Get the number of test vector failures encountered during add.
+	 *
+	 * This counter gets incremented only if transforms get tested during
+	 * registration.
+	 *
+	 * @return				number of failed test vectors
+	 */
+	u_int (*get_test_vector_failures)(crypto_factory_t *this);
+
+	/**
 	 * Destroy a crypto_factory instance.
 	 */
 	void (*destroy)(crypto_factory_t *this);
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 8b1daa885..5a0dccced 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -20,8 +20,8 @@
 
 #include "crypto_tester.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_crypto_tester_t private_crypto_tester_t;
 
@@ -151,7 +151,10 @@ static u_int bench_crypter(private_crypto_tester_t *this,
 
 		memset(iv, 0x56, sizeof(iv));
 		memset(key, 0x12, sizeof(key));
-		crypter->set_key(crypter, chunk_from_thing(key));
+		if (!crypter->set_key(crypter, chunk_from_thing(key)))
+		{
+			return 0;
+		}
 
 		buf = chunk_alloc(this->bench_size);
 		memset(buf.ptr, 0x34, buf.len);
@@ -160,10 +163,14 @@ static u_int bench_crypter(private_crypto_tester_t *this,
 		start_timing(&start);
 		while (end_timing(&start) < this->bench_time)
 		{
-			crypter->encrypt(crypter, buf, chunk_from_thing(iv), NULL);
-			runs++;
-			crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL);
-			runs++;
+			if (crypter->encrypt(crypter, buf, chunk_from_thing(iv), NULL))
+			{
+				runs++;
+			}
+			if (crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL))
+			{
+				runs++;
+			}
 		}
 		free(buf.ptr);
 		crypter->destroy(crypter);
@@ -186,7 +193,7 @@ METHOD(crypto_tester_t, test_crypter, bool,
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		crypter_t *crypter;
-		chunk_t key, plain, cipher, iv;
+		chunk_t key, iv, plain = chunk_empty, cipher = chunk_empty;
 
 		if (vector->alg != alg)
 		{
@@ -196,53 +203,72 @@ METHOD(crypto_tester_t, test_crypter, bool,
 		{	/* test only vectors with a specific key size, if key size given */
 			continue;
 		}
+
+		tested++;
+		failed = TRUE;
 		crypter = create(alg, vector->key_size);
 		if (!crypter)
 		{
 			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
 				 encryption_algorithm_names, alg, plugin_name,
 				 BITS_PER_BYTE * vector->key_size);
-			failed = TRUE;
 			continue;
 		}
 
-		failed = FALSE;
-		tested++;
-
 		key = chunk_create(vector->key, crypter->get_key_size(crypter));
-		crypter->set_key(crypter, key);
+		if (!crypter->set_key(crypter, key))
+		{
+			goto failure;
+		}
 		iv = chunk_create(vector->iv, crypter->get_iv_size(crypter));
 
 		/* allocated encryption */
 		plain = chunk_create(vector->plain, vector->len);
-		crypter->encrypt(crypter, plain, iv, &cipher);
+		if (!crypter->encrypt(crypter, plain, iv, &cipher))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->cipher, cipher.ptr, cipher.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* inline decryption */
-		crypter->decrypt(crypter, cipher, iv, NULL);
+		if (!crypter->decrypt(crypter, cipher, iv, NULL))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->plain, cipher.ptr, cipher.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		free(cipher.ptr);
 		/* allocated decryption */
-		cipher = chunk_create(vector->cipher, vector->len);
-		crypter->decrypt(crypter, cipher, iv, &plain);
+		if (!crypter->decrypt(crypter,
+						chunk_create(vector->cipher, vector->len), iv, &plain))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->plain, plain.ptr, plain.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* inline encryption */
-		crypter->encrypt(crypter, plain, iv, NULL);
+		if (!crypter->encrypt(crypter, plain, iv, NULL))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->cipher, plain.ptr, plain.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		free(plain.ptr);
 
+		failed = FALSE;
+failure:
 		crypter->destroy(crypter);
+		chunk_free(&cipher);
+		if (plain.ptr != vector->plain)
+		{
+			chunk_free(&plain);
+		}
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
@@ -306,7 +332,10 @@ static u_int bench_aead(private_crypto_tester_t *this,
 		memset(iv, 0x56, sizeof(iv));
 		memset(key, 0x12, sizeof(key));
 		memset(assoc, 0x78, sizeof(assoc));
-		aead->set_key(aead, chunk_from_thing(key));
+		if (!aead->set_key(aead, chunk_from_thing(key)))
+		{
+			return 0;
+		}
 		icv = aead->get_icv_size(aead);
 
 		buf = chunk_alloc(this->bench_size + icv);
@@ -317,12 +346,16 @@ static u_int bench_aead(private_crypto_tester_t *this,
 		start_timing(&start);
 		while (end_timing(&start) < this->bench_time)
 		{
-			aead->encrypt(aead, buf, chunk_from_thing(assoc),
-						  chunk_from_thing(iv), NULL);
-			runs += 2;
-			aead->decrypt(aead, chunk_create(buf.ptr, buf.len + icv),
-						  chunk_from_thing(assoc), chunk_from_thing(iv), NULL);
-			runs += 2;
+			if (aead->encrypt(aead, buf, chunk_from_thing(assoc),
+						chunk_from_thing(iv), NULL))
+			{
+				runs += 2;
+			}
+			if (aead->decrypt(aead, chunk_create(buf.ptr, buf.len + icv),
+						chunk_from_thing(assoc), chunk_from_thing(iv), NULL))
+			{
+				runs += 2;
+			}
 		}
 		free(buf.ptr);
 		aead->destroy(aead);
@@ -345,7 +378,7 @@ METHOD(crypto_tester_t, test_aead, bool,
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		aead_t *aead;
-		chunk_t key, plain, cipher, iv, assoc;
+		chunk_t key, iv, assoc, plain = chunk_empty, cipher = chunk_empty;
 		size_t icv;
 
 		if (vector->alg != alg)
@@ -356,63 +389,75 @@ METHOD(crypto_tester_t, test_aead, bool,
 		{	/* test only vectors with a specific key size, if key size given */
 			continue;
 		}
+
+		tested++;
+		failed = TRUE;
 		aead = create(alg, vector->key_size);
 		if (!aead)
 		{
 			DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported",
 				 encryption_algorithm_names, alg, plugin_name,
 				 BITS_PER_BYTE * vector->key_size);
-			failed = TRUE;
 			continue;
 		}
 
-		failed = FALSE;
-		tested++;
-
 		key = chunk_create(vector->key, aead->get_key_size(aead));
-		aead->set_key(aead, key);
+		if (!aead->set_key(aead, key))
+		{
+			goto failure;
+		}
 		iv = chunk_create(vector->iv, aead->get_iv_size(aead));
 		assoc = chunk_create(vector->adata, vector->alen);
 		icv = aead->get_icv_size(aead);
 
 		/* allocated encryption */
 		plain = chunk_create(vector->plain, vector->len);
-		aead->encrypt(aead, plain, assoc, iv, &cipher);
+		if (!aead->encrypt(aead, plain, assoc, iv, &cipher))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->cipher, cipher.ptr, cipher.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* inline decryption */
 		if (!aead->decrypt(aead, cipher, assoc, iv, NULL))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		if (!memeq(vector->plain, cipher.ptr, cipher.len - icv))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		free(cipher.ptr);
 		/* allocated decryption */
-		cipher = chunk_create(vector->cipher, vector->len + icv);
-		if (!aead->decrypt(aead, cipher, assoc, iv, &plain))
+		if (!aead->decrypt(aead, chunk_create(vector->cipher, vector->len + icv),
+						   assoc, iv, &plain))
 		{
-			plain = chunk_empty;
-			failed = TRUE;
+			goto failure;
 		}
-		else if (!memeq(vector->plain, plain.ptr, plain.len))
+		if (!memeq(vector->plain, plain.ptr, plain.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		plain.ptr = realloc(plain.ptr, plain.len + icv);
 		/* inline encryption */
-		aead->encrypt(aead, plain, assoc, iv, NULL);
+		if (!aead->encrypt(aead, plain, assoc, iv, NULL))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->cipher, plain.ptr, plain.len + icv))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		free(plain.ptr);
 
+		failed = FALSE;
+failure:
 		aead->destroy(aead);
+		chunk_free(&cipher);
+		if (plain.ptr != vector->plain)
+		{
+			chunk_free(&plain);
+		}
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
@@ -458,7 +503,7 @@ METHOD(crypto_tester_t, test_aead, bool,
  * Benchmark a signer
  */
 static u_int bench_signer(private_crypto_tester_t *this,
-	encryption_algorithm_t alg, signer_constructor_t create)
+	integrity_algorithm_t alg, signer_constructor_t create)
 {
 	signer_t *signer;
 
@@ -472,7 +517,10 @@ static u_int bench_signer(private_crypto_tester_t *this,
 		u_int runs;
 
 		memset(key, 0x12, sizeof(key));
-		signer->set_key(signer, chunk_from_thing(key));
+		if (!signer->set_key(signer, chunk_from_thing(key)))
+		{
+			return 0;
+		}
 
 		buf = chunk_alloc(this->bench_size);
 		memset(buf.ptr, 0x34, buf.len);
@@ -481,10 +529,14 @@ static u_int bench_signer(private_crypto_tester_t *this,
 		start_timing(&start);
 		while (end_timing(&start) < this->bench_time)
 		{
-			signer->get_signature(signer, buf, mac);
-			runs++;
-			signer->verify_signature(signer, buf, chunk_from_thing(mac));
-			runs++;
+			if (signer->get_signature(signer, buf, mac))
+			{
+				runs++;
+			}
+			if (signer->verify_signature(signer, buf, chunk_from_thing(mac)))
+			{
+				runs++;
+			}
 		}
 		free(buf.ptr);
 		signer->destroy(signer);
@@ -507,7 +559,7 @@ METHOD(crypto_tester_t, test_signer, bool,
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		signer_t *signer;
-		chunk_t key, data, mac;
+		chunk_t key, data, mac = chunk_empty;
 
 		if (vector->alg != alg)
 		{
@@ -515,63 +567,79 @@ METHOD(crypto_tester_t, test_signer, bool,
 		}
 
 		tested++;
+		failed = TRUE;
 		signer = create(alg);
 		if (!signer)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
 				 integrity_algorithm_names, alg, plugin_name);
-			failed = TRUE;
 			break;
 		}
 
-		failed = FALSE;
-
 		key = chunk_create(vector->key, signer->get_key_size(signer));
-		signer->set_key(signer, key);
-
+		if (!signer->set_key(signer, key))
+		{
+			goto failure;
+		}
 		/* allocated signature */
 		data = chunk_create(vector->data, vector->len);
-		signer->allocate_signature(signer, data, &mac);
+		if (!signer->allocate_signature(signer, data, &mac))
+		{
+			goto failure;
+		}
 		if (mac.len != signer->get_block_size(signer))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		if (!memeq(vector->mac, mac.ptr, mac.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* signature to existing buffer */
 		memset(mac.ptr, 0, mac.len);
-		signer->get_signature(signer, data, mac.ptr);
+		if (!signer->get_signature(signer, data, mac.ptr))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->mac, mac.ptr, mac.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* signature verification, good case */
 		if (!signer->verify_signature(signer, data, mac))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* signature verification, bad case */
 		*(mac.ptr + mac.len - 1) += 1;
 		if (signer->verify_signature(signer, data, mac))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* signature to existing buffer, using append mode */
 		if (data.len > 2)
 		{
-			signer->allocate_signature(signer, chunk_create(data.ptr, 1), NULL);
-			signer->get_signature(signer, chunk_create(data.ptr + 1, 1), NULL);
+			if (!signer->allocate_signature(signer,
+											chunk_create(data.ptr, 1), NULL))
+			{
+				goto failure;
+			}
+			if (!signer->get_signature(signer,
+									   chunk_create(data.ptr + 1, 1), NULL))
+			{
+				goto failure;
+			}
 			if (!signer->verify_signature(signer, chunk_skip(data, 2),
 										  chunk_create(vector->mac, mac.len)))
 			{
-				failed = TRUE;
+				goto failure;
 			}
 		}
-		free(mac.ptr);
 
+		failed = FALSE;
+failure:
 		signer->destroy(signer);
+		chunk_free(&mac);
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
@@ -627,8 +695,10 @@ static u_int bench_hasher(private_crypto_tester_t *this,
 		start_timing(&start);
 		while (end_timing(&start) < this->bench_time)
 		{
-			hasher->get_hash(hasher, buf, hash);
-			runs++;
+			if (hasher->get_hash(hasher, buf, hash))
+			{
+				runs++;
+			}
 		}
 		free(buf.ptr);
 		hasher->destroy(hasher);
@@ -659,50 +729,73 @@ METHOD(crypto_tester_t, test_hasher, bool,
 		}
 
 		tested++;
+		failed = TRUE;
 		hasher = create(alg);
 		if (!hasher)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
 				 hash_algorithm_names, alg, plugin_name);
-			failed = TRUE;
 			break;
 		}
 
-		failed = FALSE;
-
 		/* allocated hash */
 		data = chunk_create(vector->data, vector->len);
-		hasher->allocate_hash(hasher, data, &hash);
+		if (!hasher->allocate_hash(hasher, data, &hash))
+		{
+			goto failure;
+		}
 		if (hash.len != hasher->get_hash_size(hasher))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		if (!memeq(vector->hash, hash.ptr, hash.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		/* hash to existing buffer */
+		/* hash to existing buffer, with a reset */
 		memset(hash.ptr, 0, hash.len);
-		hasher->get_hash(hasher, data, hash.ptr);
+		if (!hasher->get_hash(hasher, data, NULL))
+		{
+			goto failure;
+		}
+		if (!hasher->reset(hasher))
+		{
+			goto failure;
+		}
+		if (!hasher->get_hash(hasher, data, hash.ptr))
+		{
+			goto failure;
+		}
 		if (!memeq(vector->hash, hash.ptr, hash.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* hasher to existing buffer, using append mode */
 		if (data.len > 2)
 		{
 			memset(hash.ptr, 0, hash.len);
-			hasher->allocate_hash(hasher, chunk_create(data.ptr, 1), NULL);
-			hasher->get_hash(hasher, chunk_create(data.ptr + 1, 1), NULL);
-			hasher->get_hash(hasher, chunk_skip(data, 2), hash.ptr);
+			if (!hasher->allocate_hash(hasher, chunk_create(data.ptr, 1), NULL))
+			{
+				goto failure;
+			}
+			if (!hasher->get_hash(hasher, chunk_create(data.ptr + 1, 1), NULL))
+			{
+				goto failure;
+			}
+			if (!hasher->get_hash(hasher, chunk_skip(data, 2), hash.ptr))
+			{
+				goto failure;
+			}
 			if (!memeq(vector->hash, hash.ptr, hash.len))
 			{
-				failed = TRUE;
+				goto failure;
 			}
 		}
-		free(hash.ptr);
 
+		failed = FALSE;
+failure:
 		hasher->destroy(hasher);
+		chunk_free(&hash);
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
@@ -746,11 +839,18 @@ static u_int bench_prf(private_crypto_tester_t *this,
 	prf = create(alg);
 	if (prf)
 	{
-		char bytes[prf->get_block_size(prf)];
+		char bytes[prf->get_block_size(prf)], key[prf->get_block_size(prf)];
 		chunk_t buf;
 		struct timespec start;
 		u_int runs;
 
+		memset(key, 0x56, prf->get_block_size(prf));
+		if (!prf->set_key(prf, chunk_create(key, prf->get_block_size(prf))))
+		{
+			prf->destroy(prf);
+			return 0;
+		}
+
 		buf = chunk_alloc(this->bench_size);
 		memset(buf.ptr, 0x34, buf.len);
 
@@ -758,8 +858,10 @@ static u_int bench_prf(private_crypto_tester_t *this,
 		start_timing(&start);
 		while (end_timing(&start) < this->bench_time)
 		{
-			prf->get_bytes(prf, buf, bytes);
-			runs++;
+			if (prf->get_bytes(prf, buf, bytes))
+			{
+				runs++;
+			}
 		}
 		free(buf.ptr);
 		prf->destroy(prf);
@@ -782,7 +884,7 @@ METHOD(crypto_tester_t, test_prf, bool,
 	while (enumerator->enumerate(enumerator, &vector))
 	{
 		prf_t *prf;
-		chunk_t key, seed, out;
+		chunk_t key, seed, out = chunk_empty;
 
 		if (vector->alg != alg)
 		{
@@ -790,41 +892,50 @@ METHOD(crypto_tester_t, test_prf, bool,
 		}
 
 		tested++;
+		failed = TRUE;
 		prf = create(alg);
 		if (!prf)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
 				 pseudo_random_function_names, alg, plugin_name);
-			failed = TRUE;
 			break;
 		}
 
-		failed = FALSE;
-
 		key = chunk_create(vector->key, vector->key_size);
-		prf->set_key(prf, key);
-
+		if (!prf->set_key(prf, key))
+		{
+			goto failure;
+		}
 		/* allocated bytes */
 		seed = chunk_create(vector->seed, vector->len);
-		prf->allocate_bytes(prf, seed, &out);
+		if (!prf->allocate_bytes(prf, seed, &out))
+		{
+			goto failure;
+		}
 		if (out.len != prf->get_block_size(prf))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		if (!memeq(vector->out, out.ptr, out.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* bytes to existing buffer */
 		memset(out.ptr, 0, out.len);
 		if (vector->stateful)
 		{
-			prf->set_key(prf, key);
+			if (!prf->set_key(prf, key))
+			{
+				goto failure;
+			}
+		}
+		if (!prf->get_bytes(prf, seed, out.ptr))
+		{
+			goto failure;
 		}
-		prf->get_bytes(prf, seed, out.ptr);
 		if (!memeq(vector->out, out.ptr, out.len))
 		{
-			failed = TRUE;
+			goto failure;
 		}
 		/* bytes to existing buffer, using append mode */
 		if (seed.len > 2)
@@ -832,19 +943,33 @@ METHOD(crypto_tester_t, test_prf, bool,
 			memset(out.ptr, 0, out.len);
 			if (vector->stateful)
 			{
-				prf->set_key(prf, key);
+				if (!prf->set_key(prf, key))
+				{
+					goto failure;
+				}
+			}
+			if (!prf->allocate_bytes(prf, chunk_create(seed.ptr, 1), NULL))
+			{
+				goto failure;
+			}
+			if (!prf->get_bytes(prf, chunk_create(seed.ptr + 1, 1), NULL))
+			{
+				goto failure;
+			}
+			if (!prf->get_bytes(prf, chunk_skip(seed, 2), out.ptr))
+			{
+				goto failure;
 			}
-			prf->allocate_bytes(prf, chunk_create(seed.ptr, 1), NULL);
-			prf->get_bytes(prf, chunk_create(seed.ptr + 1, 1), NULL);
-			prf->get_bytes(prf, chunk_skip(seed, 2), out.ptr);
 			if (!memeq(vector->out, out.ptr, out.len))
 			{
-				failed = TRUE;
+				goto failure;
 			}
 		}
-		free(out.ptr);
 
+		failed = FALSE;
+failure:
 		prf->destroy(prf);
+		chunk_free(&out);
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
@@ -897,7 +1022,11 @@ static u_int bench_rng(private_crypto_tester_t *this,
 		start_timing(&start);
 		while (end_timing(&start) < this->bench_time)
 		{
-			rng->get_bytes(rng, buf.len, buf.ptr);
+			if (!rng->get_bytes(rng, buf.len, buf.ptr))
+			{
+				runs = 0;
+				break;
+			}
 			runs++;
 		}
 		free(buf.ptr);
@@ -927,8 +1056,8 @@ METHOD(crypto_tester_t, test_rng, bool,
 	enumerator = this->rng->create_enumerator(this->rng);
 	while (enumerator->enumerate(enumerator, &vector))
 	{
+		chunk_t data = chunk_empty;
 		rng_t *rng;
-		chunk_t data;
 
 		if (vector->quality != quality)
 		{
@@ -936,37 +1065,37 @@ METHOD(crypto_tester_t, test_rng, bool,
 		}
 
 		tested++;
+		failed = TRUE;
 		rng = create(quality);
 		if (!rng)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
 				 rng_quality_names, quality, plugin_name);
-			failed = TRUE;
 			break;
 		}
 
-		failed = FALSE;
-
 		/* allocated bytes */
-		rng->allocate_bytes(rng, vector->len, &data);
-		if (data.len != vector->len)
+		if (!rng->allocate_bytes(rng, vector->len, &data) ||
+			data.len != vector->len ||
+			!vector->test(vector->user, data))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		if (!vector->test(vector->user, data))
+		/* write bytes into existing buffer */
+		memset(data.ptr, 0, data.len);
+		if (!rng->get_bytes(rng, vector->len, data.ptr))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		/* bytes to existing buffer */
-		memset(data.ptr, 0, data.len);
-		rng->get_bytes(rng, vector->len, data.ptr);
 		if (!vector->test(vector->user, data))
 		{
-			failed = TRUE;
+			goto failure;
 		}
-		free(data.ptr);
 
+		failed = FALSE;
+failure:
 		rng->destroy(rng);
+		chunk_free(&data);
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 81750a519..679bb324e 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005 Jan Hutter
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
- *
+ * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -32,6 +32,19 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
 	"HASH_SHA512"
 );
 
+ENUM(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA512,
+	"unknown",
+	"preferred",
+	"md2",
+	"md4",
+	"md5",
+	"sha1",
+	"sha224",
+	"sha256",
+	"sha384",
+	"sha512"
+);
+
 /*
  * Described in header.
  */
@@ -68,6 +81,177 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
 /*
  * Described in header.
  */
+hash_algorithm_t hasher_algorithm_from_prf(pseudo_random_function_t alg)
+{
+	switch (alg)
+	{
+		case PRF_HMAC_MD5:
+			return HASH_MD5;
+		case PRF_HMAC_SHA1:
+		case PRF_FIPS_SHA1_160:
+		case PRF_KEYED_SHA1:
+			return HASH_SHA1;
+		case PRF_HMAC_SHA2_256:
+			return HASH_SHA256;
+		case PRF_HMAC_SHA2_384:
+			return HASH_SHA384;
+		case PRF_HMAC_SHA2_512:
+			return HASH_SHA512;
+		case PRF_HMAC_TIGER:
+		case PRF_AES128_XCBC:
+		case PRF_AES128_CMAC:
+		case PRF_FIPS_DES:
+		case PRF_CAMELLIA128_XCBC:
+		case PRF_UNDEFINED:
+			break;
+	}
+	return HASH_UNKNOWN;
+}
+
+/*
+ * Described in header.
+ */
+hash_algorithm_t hasher_algorithm_from_integrity(integrity_algorithm_t alg,
+												 size_t *length)
+{
+	if (length)
+	{
+		switch (alg)
+		{
+			case AUTH_HMAC_MD5_96:
+			case AUTH_HMAC_SHA1_96:
+			case AUTH_HMAC_SHA2_256_96:
+				*length = 12;
+				break;
+			case AUTH_HMAC_MD5_128:
+			case AUTH_HMAC_SHA1_128:
+			case AUTH_HMAC_SHA2_256_128:
+				*length = 16;
+				break;
+			case AUTH_HMAC_SHA1_160:
+				*length = 20;
+				break;
+			case AUTH_HMAC_SHA2_384_192:
+				*length = 24;
+				break;
+			case AUTH_HMAC_SHA2_256_256:
+			case AUTH_HMAC_SHA2_512_256:
+				*length = 32;
+				break;
+			case AUTH_HMAC_SHA2_384_384:
+				*length = 48;
+				break;
+			case AUTH_HMAC_SHA2_512_512:
+				*length = 64;
+				break;
+			default:
+				break;
+		}
+	}
+	switch (alg)
+	{
+		case AUTH_HMAC_MD5_96:
+		case AUTH_HMAC_MD5_128:
+		case AUTH_KPDK_MD5:
+			return HASH_MD5;
+		case AUTH_HMAC_SHA1_96:
+		case AUTH_HMAC_SHA1_128:
+		case AUTH_HMAC_SHA1_160:
+			return HASH_SHA1;
+		case AUTH_HMAC_SHA2_256_96:
+		case AUTH_HMAC_SHA2_256_128:
+		case AUTH_HMAC_SHA2_256_256:
+			return HASH_SHA256;
+		case AUTH_HMAC_SHA2_384_192:
+		case AUTH_HMAC_SHA2_384_384:
+			return HASH_SHA384;
+		case AUTH_HMAC_SHA2_512_256:
+		case AUTH_HMAC_SHA2_512_512:
+			return HASH_SHA512;
+		case AUTH_AES_CMAC_96:
+		case AUTH_AES_128_GMAC:
+		case AUTH_AES_192_GMAC:
+		case AUTH_AES_256_GMAC:
+		case AUTH_AES_XCBC_96:
+		case AUTH_DES_MAC:
+		case AUTH_CAMELLIA_XCBC_96:
+		case AUTH_UNDEFINED:
+			break;
+	}
+	return HASH_UNKNOWN;
+}
+
+/*
+ * Described in header.
+ */
+integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+													size_t length)
+{
+	switch (alg)
+	{
+		case HASH_MD5:
+			switch (length)
+			{
+				case 12:
+					return AUTH_HMAC_MD5_96;
+				case 16:
+					return AUTH_HMAC_MD5_128;
+			}
+			break;
+		case HASH_SHA1:
+		case HASH_PREFERRED:
+			switch (length)
+			{
+				case 12:
+					return AUTH_HMAC_SHA1_96;
+				case 16:
+					return AUTH_HMAC_SHA1_128;
+				case 20:
+					return AUTH_HMAC_SHA1_160;
+			}
+			break;
+		case HASH_SHA256:
+			switch (length)
+			{
+				case 12:
+					return AUTH_HMAC_SHA2_256_96;
+				case 16:
+					return AUTH_HMAC_SHA2_256_128;
+				case 32:
+					return AUTH_HMAC_SHA2_256_256;
+			}
+			break;
+		case HASH_SHA384:
+			switch (length)
+			{
+				case 24:
+					return AUTH_HMAC_SHA2_384_192;
+				case 48:
+					return AUTH_HMAC_SHA2_384_384;
+
+			}
+			break;
+		case HASH_SHA512:
+			switch (length)
+			{
+				case 32:
+					return AUTH_HMAC_SHA2_512_256;
+				case 64:
+					return AUTH_HMAC_SHA2_512_512;
+			}
+			break;
+		case HASH_MD2:
+		case HASH_MD4:
+		case HASH_SHA224:
+		case HASH_UNKNOWN:
+			break;
+	}
+	return AUTH_UNDEFINED;
+}
+
+/*
+ * Described in header.
+ */
 int hasher_algorithm_to_oid(hash_algorithm_t alg)
 {
 	int oid;
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 9fa043c7e..4e46fca10 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005 Jan Hutter
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
- *
+ * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -27,6 +27,8 @@ typedef enum hash_algorithm_t hash_algorithm_t;
 typedef struct hasher_t hasher_t;
 
 #include <library.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
 #include <credentials/keys/public_key.h>
 
 /**
@@ -62,9 +64,15 @@ enum hash_algorithm_t {
 extern enum_name_t *hash_algorithm_names;
 
 /**
+ * Short names for hash_algorithm_names
+ */
+extern enum_name_t *hash_algorithm_short_names;
+
+/**
  * Generic interface for all hash functions.
  */
 struct hasher_t {
+
 	/**
 	 * Hash data and write it in the buffer.
 	 *
@@ -77,8 +85,10 @@ struct hasher_t {
 	 *
 	 * @param data		data to hash
 	 * @param hash		pointer where the hash will be written
+	 * @return			TRUE if hash created successfully
 	 */
-	void (*get_hash) (hasher_t *this, chunk_t data, u_int8_t *hash);
+	bool (*get_hash)(hasher_t *this, chunk_t data,
+					 u_int8_t *hash) __attribute__((warn_unused_result));
 
 	/**
 	 * Hash data and allocate space for the hash.
@@ -89,36 +99,72 @@ struct hasher_t {
 	 *
 	 * @param data		chunk with data to hash
 	 * @param hash		chunk which will hold allocated hash
+	 * @return			TRUE if hash allocated successfully
 	 */
-	void (*allocate_hash) (hasher_t *this, chunk_t data, chunk_t *hash);
+	bool (*allocate_hash)(hasher_t *this, chunk_t data,
+						  chunk_t *hash) __attribute__((warn_unused_result));
 
 	/**
 	 * Get the size of the resulting hash.
 	 *
 	 * @return			hash size in bytes
 	 */
-	size_t (*get_hash_size) (hasher_t *this);
+	size_t (*get_hash_size)(hasher_t *this);
 
 	/**
-	 * Resets the hashers state.
+	 * Resets the hasher's state.
+	 *
+	 * @return			TRUE if hasher reset successfully
 	 */
-	void (*reset) (hasher_t *this);
+	bool (*reset)(hasher_t *this) __attribute__((warn_unused_result));
 
 	/**
 	 * Destroys a hasher object.
 	 */
-	void (*destroy) (hasher_t *this);
+	void (*destroy)(hasher_t *this);
 };
 
 /**
  * Conversion of ASN.1 OID to hash algorithm.
  *
  * @param oid			ASN.1 OID
- * @return				hash algorithm, HASH_UNKNOWN if OID unsuported
+ * @return				hash algorithm, HASH_UNKNOWN if OID unsupported
  */
 hash_algorithm_t hasher_algorithm_from_oid(int oid);
 
 /**
+ * Conversion of PRF algorithm to hash algorithm (if based on one).
+ *
+ * @param alg			prf algorithm
+ * @return				hash algorithm, HASH_UNKNOWN if not based on a hash
+ */
+hash_algorithm_t hasher_algorithm_from_prf(pseudo_random_function_t alg);
+
+/**
+ * Conversion of integrity algorithm to hash algorithm (if based on one).
+ *
+ * If length is not NULL the length of the resulting signature is returned,
+ * which might be smaller than the output size of the underlying hash.
+ *
+ * @param alg			integrity algorithm
+ * @param length		returns signature length, if not NULL
+ * @return				hash algorithm, HASH_UNKNOWN if not based on a hash
+ */
+hash_algorithm_t hasher_algorithm_from_integrity(integrity_algorithm_t alg,
+												 size_t *length);
+
+/**
+ * Conversion of hash algorithm to integrity algorithm (if based on a hash).
+ *
+ * @param alg			hash algorithm
+ * @param length		length of the signature
+ * @return				integrity algorithm, AUTH_UNDEFINED if none is known
+ * 						based on the given hash function
+ */
+integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+													size_t length);
+
+/**
  * Conversion of hash algorithm into ASN.1 OID.
  *
  * @param alg			hash algorithm
diff --git a/src/libstrongswan/crypto/mac.h b/src/libstrongswan/crypto/mac.h
new file mode 100644
index 000000000..f7b43ba39
--- /dev/null
+++ b/src/libstrongswan/crypto/mac.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mac mac
+ * @{ @ingroup crypto
+ */
+
+#ifndef MAC_H_
+#define MAC_H_
+
+typedef struct mac_t mac_t;
+
+#include <library.h>
+
+/**
+ * Generic interface for message authentication codes.
+ *
+ * Classes implementing this interface can use the PRF and signer wrappers.
+ */
+struct mac_t {
+
+	/**
+	 * Generate message authentication code.
+	 *
+	 * If out is NULL, no result is given back.  A next call will
+	 * append the data to already supplied data.  If out is not NULL,
+	 * the mac of all apended data is calculated, written to out and the
+	 * internal state is reset.
+	 *
+	 * @param data		chunk of data to authenticate
+	 * @param out		pointer where the generated bytes will be written
+	 * @return			TRUE if mac generated successfully
+	 */
+	bool (*get_mac)(mac_t *this, chunk_t data,
+					u_int8_t *out) __attribute__((warn_unused_result));
+
+	/**
+	 * Get the size of the resulting MAC.
+	 *
+	 * @return			block size in bytes
+	 */
+	size_t (*get_mac_size)(mac_t *this);
+
+	/**
+	 * Set the key to be used for the MAC.
+	 *
+	 * Any key length must be accepted.
+	 *
+	 * @param key		key to set
+	 * @return			TRUE if key set successfully
+	 */
+	bool (*set_key)(mac_t *this,
+					chunk_t key) __attribute__((warn_unused_result));
+
+	/**
+	 * Destroys a mac_t object.
+	 */
+	void (*destroy) (mac_t *this);
+};
+
+#endif /** MAC_H_ @}*/
diff --git a/src/libstrongswan/crypto/nonce_gen.h b/src/libstrongswan/crypto/nonce_gen.h
new file mode 100644
index 000000000..7dae4f776
--- /dev/null
+++ b/src/libstrongswan/crypto/nonce_gen.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nonce_gen nonce_gen
+ * @{ @ingroup crypto
+ */
+
+#ifndef NONCE_GEN_H_
+#define NONCE_GEN_H_
+
+typedef struct nonce_gen_t nonce_gen_t;
+
+#include <library.h>
+
+/**
+ * Generic interface for nonce generators.
+ */
+struct nonce_gen_t {
+
+	/**
+	 * Generates a nonce and writes it into the buffer.
+	 *
+	 * @param size		size of nonce in bytes
+	 * @param buffer	pointer where the generated nonce will be written
+	 * @return			TRUE if nonce allocation was successful, FALSE otherwise
+	 */
+	bool (*get_nonce)(nonce_gen_t *this, size_t size,
+					  u_int8_t *buffer) __attribute__((warn_unused_result));
+
+	/**
+	 * Generates a nonce and allocates space for it.
+	 *
+	 * @param size		size of nonce in bytes
+	 * @param chunk		chunk which will hold the generated nonce
+	 * @return			TRUE if nonce allocation was successful, FALSE otherwise
+	 */
+	bool (*allocate_nonce)(nonce_gen_t *this, size_t size,
+						   chunk_t *chunk) __attribute__((warn_unused_result));
+
+	/**
+	 * Destroys a nonce generator object.
+	 */
+	void (*destroy)(nonce_gen_t *this);
+};
+
+#endif /** NONCE_GEN_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c
new file mode 100644
index 000000000..3b4df0e8a
--- /dev/null
+++ b/src/libstrongswan/crypto/pkcs5.c
@@ -0,0 +1,653 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs5.h"
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/containers/pkcs12.h>
+
+typedef struct private_pkcs5_t private_pkcs5_t;
+
+/**
+ * Private data of a pkcs5_t object
+ */
+struct private_pkcs5_t {
+
+	/**
+	 * Implements pkcs5_t.
+	 */
+	pkcs5_t public;
+
+	/**
+	 * Salt used during encryption
+	 */
+	chunk_t salt;
+
+	/**
+	 * Iterations for key derivation
+	 */
+	u_int64_t iterations;
+
+	/**
+	 * Encryption algorithm
+	 */
+	encryption_algorithm_t encr;
+
+	/**
+	 * Encryption key length
+	 */
+	size_t keylen;
+
+	/**
+	 * Crypter
+	 */
+	crypter_t *crypter;
+
+
+	/**
+	 * The encryption scheme
+	 */
+	enum {
+		PKCS5_SCHEME_PBES1,
+		PKCS5_SCHEME_PBES2,
+		PKCS5_SCHEME_PKCS12,
+	} scheme;
+
+	/**
+	 * Data used for individual schemes
+	 */
+	union {
+		struct {
+			/**
+			 * Hash algorithm
+			 */
+			hash_algorithm_t hash;
+
+			/**
+			 * Hasher
+			 */
+			hasher_t *hasher;
+
+		} pbes1;
+		struct {
+			/**
+			 * PRF algorithm
+			 */
+			pseudo_random_function_t prf_alg;
+
+			/**
+			 * PRF
+			 */
+			prf_t * prf;
+
+			/**
+			 * IV
+			 */
+			chunk_t iv;
+
+		} pbes2;
+	} data;
+};
+
+/**
+ * Verify padding of decrypted blob.
+ * Length of blob is adjusted accordingly.
+ */
+static bool verify_padding(chunk_t *blob)
+{
+	u_int8_t padding, count;
+
+	padding = count = blob->ptr[blob->len - 1];
+
+	if (padding > 8)
+	{
+		return FALSE;
+	}
+	for (; blob->len && count; --blob->len, --count)
+	{
+		if (blob->ptr[blob->len - 1] != padding)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Prototype for key derivation functions.
+ */
+typedef bool (*kdf_t)(private_pkcs5_t *this, chunk_t password, chunk_t key);
+
+/**
+ * Try to decrypt the given data with the given password using the given
+ * key derivation function. keymat is where the kdf function writes the key
+ * to, key and iv point to the actual keys and initialization vectors resp.
+ */
+static bool decrypt_generic(private_pkcs5_t *this, chunk_t password,
+							chunk_t data, chunk_t *decrypted, kdf_t kdf,
+							chunk_t keymat, chunk_t key, chunk_t iv)
+{
+	if (!kdf(this, password, keymat))
+	{
+		return FALSE;
+	}
+	if (!this->crypter->set_key(this->crypter, key) ||
+		!this->crypter->decrypt(this->crypter, data, iv, decrypted))
+	{
+		memwipe(keymat.ptr, keymat.len);
+		return FALSE;
+	}
+	memwipe(keymat.ptr, keymat.len);
+	if (verify_padding(decrypted))
+	{
+		return TRUE;
+	}
+	chunk_free(decrypted);
+	return FALSE;
+}
+
+/**
+ * KDF as used by PKCS#12
+ */
+static bool pkcs12_kdf(private_pkcs5_t *this, chunk_t password, chunk_t keymat)
+{
+	chunk_t key, iv;
+
+	key = chunk_create(keymat.ptr, this->keylen);
+	iv = chunk_create(keymat.ptr + this->keylen, keymat.len - this->keylen);
+
+	return pkcs12_derive_key(this->data.pbes1.hash, password, this->salt,
+							 this->iterations, PKCS12_KEY_ENCRYPTION, key) &&
+		   pkcs12_derive_key(this->data.pbes1.hash, password, this->salt,
+							 this->iterations, PKCS12_KEY_IV, iv);
+}
+
+/**
+ * Function F of PBKDF2
+ */
+static bool pbkdf2_f(chunk_t block, prf_t *prf, chunk_t seed,
+					 u_int64_t iterations)
+{
+	chunk_t u;
+	u_int64_t i;
+
+	u = chunk_alloca(prf->get_block_size(prf));
+	if (!prf->get_bytes(prf, seed, u.ptr))
+	{
+		return FALSE;
+	}
+	memcpy(block.ptr, u.ptr, block.len);
+
+	for (i = 1; i < iterations; i++)
+	{
+		if (!prf->get_bytes(prf, u, u.ptr))
+		{
+			return FALSE;
+		}
+		memxor(block.ptr, u.ptr, block.len);
+	}
+	return TRUE;
+}
+
+/**
+ * PBKDF2 key derivation function for PBES2, key must be allocated
+ */
+static bool pbkdf2(private_pkcs5_t *this, chunk_t password, chunk_t key)
+{
+	prf_t *prf;
+	chunk_t keymat, block, seed;
+	size_t blocks;
+	u_int32_t i = 0;
+
+	prf = this->data.pbes2.prf;
+
+	if (!prf->set_key(prf, password))
+	{
+		return FALSE;
+	}
+
+	block.len = prf->get_block_size(prf);
+	blocks = (key.len - 1) / block.len + 1;
+	keymat = chunk_alloca(blocks * block.len);
+
+	seed = chunk_cata("cc", this->salt, chunk_from_thing(i));
+
+	for (; i < blocks; i++)
+	{
+		htoun32(seed.ptr + this->salt.len, i + 1);
+		block.ptr = keymat.ptr + (i * block.len);
+		if (!pbkdf2_f(block, prf, seed, this->iterations))
+		{
+			return FALSE;
+		}
+	}
+	memcpy(key.ptr, keymat.ptr, key.len);
+	return TRUE;
+}
+
+/**
+ * PBKDF1 key derivation function for PBES1, key must be allocated
+ */
+static bool pbkdf1(private_pkcs5_t *this, chunk_t password, chunk_t key)
+{
+	hasher_t *hasher;
+	chunk_t hash;
+	u_int64_t i;
+
+	hasher = this->data.pbes1.hasher;
+
+	hash = chunk_alloca(hasher->get_hash_size(hasher));
+	if (!hasher->get_hash(hasher, password, NULL) ||
+		!hasher->get_hash(hasher, this->salt, hash.ptr))
+	{
+		return FALSE;
+	}
+
+	for (i = 1; i < this->iterations; i++)
+	{
+		if (!hasher->get_hash(hasher, hash, hash.ptr))
+		{
+			return FALSE;
+		}
+	}
+	memcpy(key.ptr, hash.ptr, key.len);
+	return TRUE;
+}
+
+static bool ensure_crypto_primitives(private_pkcs5_t *this, chunk_t data)
+{
+	if (!this->crypter)
+	{
+		this->crypter = lib->crypto->create_crypter(lib->crypto, this->encr,
+													this->keylen);
+		if (!this->crypter)
+		{
+			DBG1(DBG_ASN, "  %N encryption algorithm not available",
+				 encryption_algorithm_names, this->encr);
+			return FALSE;
+		}
+	}
+	if (data.len % this->crypter->get_block_size(this->crypter))
+	{
+		DBG1(DBG_ASN, "  data size is not a multiple of block size");
+		return FALSE;
+	}
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PBES1:
+		{
+			if (!this->data.pbes1.hasher)
+			{
+				hasher_t *hasher;
+
+				hasher = lib->crypto->create_hasher(lib->crypto,
+													this->data.pbes1.hash);
+				if (!hasher)
+				{
+					DBG1(DBG_ASN, "  %N hash algorithm not available",
+						 hash_algorithm_names, this->data.pbes1.hash);
+					return  FALSE;
+				}
+				if (hasher->get_hash_size(hasher) < this->keylen)
+				{
+					hasher->destroy(hasher);
+					return FALSE;
+				}
+				this->data.pbes1.hasher = hasher;
+			}
+			break;
+		}
+		case PKCS5_SCHEME_PBES2:
+		{
+			if (!this->data.pbes2.prf)
+			{
+				prf_t *prf;
+
+				prf = lib->crypto->create_prf(lib->crypto,
+											  this->data.pbes2.prf_alg);
+				if (!prf)
+				{
+					DBG1(DBG_ASN, "  %N prf algorithm not available",
+						 pseudo_random_function_names,
+						 this->data.pbes2.prf_alg);
+					return FALSE;
+				}
+				this->data.pbes2.prf = prf;
+			}
+			break;
+		}
+		case PKCS5_SCHEME_PKCS12:
+			break;
+	}
+	return TRUE;
+}
+
+METHOD(pkcs5_t, decrypt, bool,
+	private_pkcs5_t *this, chunk_t password, chunk_t data, chunk_t *decrypted)
+{
+	chunk_t keymat, key, iv;
+	kdf_t kdf;
+
+	if (!ensure_crypto_primitives(this, data) || !decrypted)
+	{
+		return FALSE;
+	}
+	kdf = pbkdf1;
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PKCS12:
+			kdf = pkcs12_kdf;
+			/* fall-through */
+		case PKCS5_SCHEME_PBES1:
+			keymat = chunk_alloca(this->keylen +
+								  this->crypter->get_iv_size(this->crypter));
+			key = chunk_create(keymat.ptr, this->keylen);
+			iv = chunk_create(keymat.ptr + this->keylen,
+							  keymat.len - this->keylen);
+			break;
+		case PKCS5_SCHEME_PBES2:
+			kdf = pbkdf2;
+			keymat = chunk_alloca(this->keylen);
+			key = keymat;
+			iv = this->data.pbes2.iv;
+			break;
+		default:
+			return FALSE;
+	}
+	return decrypt_generic(this, password, data, decrypted, kdf,
+						   keymat, key, iv);
+}
+
+/**
+ * ASN.1 definition of a PBEParameter structure
+ */
+static const asn1Object_t pbeParameterObjects[] = {
+	{ 0, "PBEParameter",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
+	{ 1,   "salt",				ASN1_OCTET_STRING,	ASN1_BODY	}, /* 1 */
+	{ 1,   "iterationCount",	ASN1_INTEGER,		ASN1_BODY	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define PBEPARAM_SALT					1
+#define PBEPARAM_ITERATION_COUNT		2
+
+/**
+ * Parse a PBEParameter structure
+ */
+static bool parse_pbes1_params(private_pkcs5_t *this, chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(pbeParameterObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PBEPARAM_SALT:
+			{
+				this->salt = chunk_clone(object);
+				break;
+			}
+			case PBEPARAM_ITERATION_COUNT:
+			{
+				this->iterations = asn1_parse_integer_uint64(object);
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of a PBKDF2-params structure
+ * The salt is actually a CHOICE and could be an AlgorithmIdentifier from
+ * PBKDF2-SaltSources (but as per RFC 2898 that's for future versions).
+ */
+static const asn1Object_t pbkdf2ParamsObjects[] = {
+	{ 0, "PBKDF2-params",	ASN1_SEQUENCE,		ASN1_NONE			}, /* 0 */
+	{ 1,   "salt",			ASN1_OCTET_STRING,	ASN1_BODY			}, /* 1 */
+	{ 1,   "iterationCount",ASN1_INTEGER,		ASN1_BODY			}, /* 2 */
+	{ 1,   "keyLength",		ASN1_INTEGER,		ASN1_OPT|ASN1_BODY	}, /* 3 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 4 */
+	{ 1,   "prf",			ASN1_EOC,			ASN1_DEF|ASN1_RAW	}, /* 5 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define PBKDF2_SALT					1
+#define PBKDF2_ITERATION_COUNT		2
+#define PBKDF2_KEYLENGTH			3
+#define PBKDF2_PRF					5
+
+/**
+ * Parse a PBKDF2-params structure
+ */
+static bool parse_pbkdf2_params(private_pkcs5_t *this, chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(pbkdf2ParamsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+ 	/* keylen is optional */
+	this->keylen = 0;
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PBKDF2_SALT:
+			{
+				this->salt = chunk_clone(object);
+				break;
+			}
+			case PBKDF2_ITERATION_COUNT:
+			{
+				this->iterations = asn1_parse_integer_uint64(object);
+				break;
+			}
+			case PBKDF2_KEYLENGTH:
+			{
+				this->keylen = (size_t)asn1_parse_integer_uint64(object);
+				break;
+			}
+			case PBKDF2_PRF:
+			{	/* defaults to id-hmacWithSHA1, no other is currently defined */
+				this->data.pbes2.prf_alg = PRF_HMAC_SHA1;
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of a PBES2-params structure
+ */
+static const asn1Object_t pbes2ParamsObjects[] = {
+	{ 0, "PBES2-params",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
+	{ 1,   "keyDerivationFunc",	ASN1_EOC,			ASN1_RAW	}, /* 1 */
+	{ 1,   "encryptionScheme",	ASN1_EOC,			ASN1_RAW	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define PBES2PARAMS_KEY_DERIVATION_FUNC		1
+#define PBES2PARAMS_ENCRYPTION_SCHEME		2
+
+/**
+ * Parse a PBES2-params structure
+ */
+static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0)
+{
+	asn1_parser_t *parser;
+	chunk_t object, params;
+	int objectID;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(pbes2ParamsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PBES2PARAMS_KEY_DERIVATION_FUNC:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+									parser->get_level(parser) + 1, &params);
+				if (oid != OID_PBKDF2)
+				{	/* unsupported key derivation function */
+					goto end;
+				}
+				if (!parse_pbkdf2_params(this, params,
+										 parser->get_level(parser) + 1))
+				{
+					goto end;
+				}
+				break;
+			}
+			case PBES2PARAMS_ENCRYPTION_SCHEME:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+									parser->get_level(parser) + 1, &params);
+				if (oid != OID_3DES_EDE_CBC)
+				{	/* unsupported encryption scheme */
+					goto end;
+				}
+				if (this->keylen <= 0)
+				{	/* default key length for DES-EDE3-CBC-Pad */
+					this->keylen = 24;
+				}
+				if (!asn1_parse_simple_object(&params, ASN1_OCTET_STRING,
+									parser->get_level(parser) + 1, "IV"))
+				{
+					goto end;
+				}
+				this->encr = ENCR_3DES;
+				this->data.pbes2.iv = chunk_clone(params);
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+METHOD(pkcs5_t, destroy, void,
+	private_pkcs5_t *this)
+{
+	DESTROY_IF(this->crypter);
+	chunk_free(&this->salt);
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PBES1:
+			DESTROY_IF(this->data.pbes1.hasher);
+			break;
+		case PKCS5_SCHEME_PBES2:
+			DESTROY_IF(this->data.pbes2.prf);
+			chunk_free(&this->data.pbes2.iv);
+			break;
+		case PKCS5_SCHEME_PKCS12:
+			break;
+	}
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+pkcs5_t *pkcs5_from_algorithmIdentifier(chunk_t blob, int level0)
+{
+	private_pkcs5_t *this;
+	chunk_t params;
+	int oid;
+
+	INIT(this,
+		.public = {
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.scheme = PKCS5_SCHEME_PBES1,
+		.keylen = 8,
+	);
+
+	oid = asn1_parse_algorithmIdentifier(blob, level0, &params);
+
+	switch (oid)
+	{
+		case OID_PBE_MD5_DES_CBC:
+			this->encr = ENCR_DES;
+			this->data.pbes1.hash = HASH_MD5;
+			break;
+		case OID_PBE_SHA1_DES_CBC:
+			this->encr = ENCR_DES;
+			this->data.pbes1.hash = HASH_SHA1;
+			break;
+		case OID_PBE_SHA1_3DES_CBC:
+			this->scheme = PKCS5_SCHEME_PKCS12;
+			this->keylen = 24;
+			this->encr = ENCR_3DES;
+			this->data.pbes1.hash = HASH_SHA1;
+			break;
+		case OID_PBE_SHA1_RC2_CBC_40:
+		case OID_PBE_SHA1_RC2_CBC_128:
+			this->scheme = PKCS5_SCHEME_PKCS12;
+			this->keylen = (oid == OID_PBE_SHA1_RC2_CBC_40) ? 5 : 16;
+			this->encr = ENCR_RC2_CBC;
+			this->data.pbes1.hash = HASH_SHA1;
+			break;
+		case OID_PBES2:
+			this->scheme = PKCS5_SCHEME_PBES2;
+			break;
+		default:
+			/* encryption scheme not supported */
+			goto failure;
+	}
+
+	switch (this->scheme)
+	{
+		case PKCS5_SCHEME_PBES1:
+		case PKCS5_SCHEME_PKCS12:
+			if (!parse_pbes1_params(this, params, level0))
+			{
+				goto failure;
+			}
+			break;
+		case PKCS5_SCHEME_PBES2:
+			if (!parse_pbes2_params(this, params, level0))
+			{
+				goto failure;
+			}
+			break;
+	}
+	return &this->public;
+
+failure:
+	destroy(this);
+	return NULL;
+}
diff --git a/src/libstrongswan/crypto/pkcs5.h b/src/libstrongswan/crypto/pkcs5.h
new file mode 100644
index 000000000..b16d3736e
--- /dev/null
+++ b/src/libstrongswan/crypto/pkcs5.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs5 pkcs5
+ * @{ @ingroup crypto
+ */
+
+#ifndef PKCS5_H_
+#define PKCS5_H_
+
+typedef struct pkcs5_t pkcs5_t;
+
+#include <utils/chunk.h>
+
+/**
+ * PKCS#5 helper class
+ */
+struct pkcs5_t {
+
+	/**
+	 * Decrypt the given data using the given password and the scheme derived
+	 * from the initial AlgorithmIdentifier object.
+	 *
+	 * @param password	password used for decryption
+	 * @param data		data to decrypt
+	 * @param decrypted	decrypted data gets allocated
+	 * @return			TRUE on success, FALSE otherwise
+	 */
+	bool (*decrypt)(pkcs5_t *this, chunk_t password, chunk_t data,
+					chunk_t *decrypted) __attribute__((warn_unused_result));
+
+	/**
+	 * Destroy the object and any associated cryptographic primitive.
+	 */
+	void (*destroy)(pkcs5_t *this);
+};
+
+/**
+ * Create a PKCS#5 helper object from an ASN.1 encoded AlgorithmIdentifier
+ * object.
+ *
+ * @param blob			ASN.1 encoded AlgorithmIdentifier
+ * @param level0		ASN.1 parser level
+ * @return				pkcs5_t object, NULL on failure
+ */
+pkcs5_t *pkcs5_from_algorithmIdentifier(chunk_t blob, int level0);
+
+#endif /** PKCS5_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c
deleted file mode 100644
index 63a615238..000000000
--- a/src/libstrongswan/crypto/pkcs9.c
+++ /dev/null
@@ -1,434 +0,0 @@
-/*
- * Copyright (C)2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <debug.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
-
-#include "pkcs9.h"
-
-typedef struct private_pkcs9_t private_pkcs9_t;
-
-/**
- * Private data of a pkcs9_t attribute list.
- */
-struct private_pkcs9_t {
-	/**
-	 * Public interface
-	 */
-	pkcs9_t public;
-
-	/**
-	 * DER encoding of PKCS#9 attributes
-	 */
-	chunk_t encoding;
-
-	/**
-	 * Linked list of PKCS#9 attributes
-	 */
-	linked_list_t *attributes;
-};
-
-typedef struct attribute_t attribute_t;
-
-/**
- * Definition of an attribute_t object.
- */
-struct attribute_t {
-	/**
-	 * Object Identifier (OID)
-	 */
-	int oid;
-
-	/**
-	 * Attribute value
-	 */
-	chunk_t value;
-
-	/**
-	 * ASN.1 encoding
-	 */
-	chunk_t encoding;
-
-	/**
-	 * Destroys the attribute.
-	 */
-	void (*destroy) (attribute_t *this);
-
-};
-
-/**
- * PKCS#9 attribute type OIDs
- */
-static chunk_t ASN1_contentType_oid = chunk_from_chars(
-	0x06, 0x09,
-		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
-);
-static chunk_t ASN1_messageDigest_oid = chunk_from_chars(
-	0x06, 0x09,
-		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
-);
-static chunk_t ASN1_signingTime_oid = chunk_from_chars(
-	0x06, 0x09,
-		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x05
-);
-static chunk_t ASN1_messageType_oid = chunk_from_chars(
-	0x06, 0x0A,
-		  0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
-);
-static chunk_t ASN1_senderNonce_oid = chunk_from_chars(
-	0x06, 0x0A,
-		  0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
-);
-static chunk_t ASN1_transId_oid = chunk_from_chars(
-	0x06, 0x0A,
-		  0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
-);
-
-/**
- * return the ASN.1 encoded OID of a PKCS#9 attribute
- */
-static chunk_t asn1_attributeIdentifier(int oid)
-{
-	switch (oid)
-	{
-		case OID_PKCS9_CONTENT_TYPE:
-			return ASN1_contentType_oid;
-		case OID_PKCS9_MESSAGE_DIGEST:
-			return ASN1_messageDigest_oid;
-		case OID_PKCS9_SIGNING_TIME:
-			return ASN1_signingTime_oid;
-		case OID_PKI_MESSAGE_TYPE:
-			return ASN1_messageType_oid;
-		case OID_PKI_SENDER_NONCE:
-			return ASN1_senderNonce_oid;
-		case OID_PKI_TRANS_ID:
-			return ASN1_transId_oid;;
-		default:
-			return chunk_empty;
-	}
-}
-
-/**
- * return the ASN.1 encoding of a PKCS#9 attribute
- */
-static asn1_t asn1_attributeType(int oid)
-{
-	asn1_t type;
-
-	switch (oid)
-	{
-		case OID_PKCS9_CONTENT_TYPE:
-			type = ASN1_OID;
-			break;
-		case OID_PKCS9_SIGNING_TIME:
-			type = ASN1_UTCTIME;
-			break;
-		case OID_PKCS9_MESSAGE_DIGEST:
-			type = ASN1_OCTET_STRING;
-			break;
-		case OID_PKI_MESSAGE_TYPE:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		case OID_PKI_STATUS:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		case OID_PKI_FAIL_INFO:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		case OID_PKI_SENDER_NONCE:
-			type = ASN1_OCTET_STRING;
-			break;
-		case OID_PKI_RECIPIENT_NONCE:
-			type = ASN1_OCTET_STRING;
-			break;
-		case OID_PKI_TRANS_ID:
-			type = ASN1_PRINTABLESTRING;
-			break;
-		default:
-			type = ASN1_EOC;
-	}
-	return type;
-}
-
-/**
- * Destroy an attribute_t object.
- */
-static void attribute_destroy(attribute_t *this)
-{
-	free(this->value.ptr);
-	free(this->encoding.ptr);
-	free(this);
-}
-
-/**
- * Create an attribute_t object.
- */
-static attribute_t *attribute_create(int oid, chunk_t value)
-{
-	attribute_t *this;
-
-	INIT(this,
-		.destroy = attribute_destroy,
-		.oid = oid,
-		.value = chunk_clone(value),
-		.encoding = asn1_wrap(ASN1_SEQUENCE, "cm",
-							asn1_attributeIdentifier(oid),
-							asn1_simple_object(ASN1_SET, value)),
-	);
-
-	return this;
-}
-
-METHOD(pkcs9_t, build_encoding, void,
-	private_pkcs9_t *this)
-{
-	enumerator_t *enumerator;
-	attribute_t *attribute;
-	u_int attributes_len = 0;
-
-	if (this->encoding.ptr)
-	{
-		chunk_free(&this->encoding);
-	}
-	if (this->attributes->get_count(this->attributes) == 0)
-	{
-		return;
-	}
-
-	/* compute the total length of the encoded attributes */
-	enumerator = this->attributes->create_enumerator(this->attributes);
-
-	while (enumerator->enumerate(enumerator, (void**)&attribute))
-	{
-		attributes_len += attribute->encoding.len;
-	}
-	enumerator->destroy(enumerator);
-
-	/* allocate memory for the attributes and build the encoding */
-	{
-		u_char *pos = asn1_build_object(&this->encoding, ASN1_SET, attributes_len);
-
-		enumerator = this->attributes->create_enumerator(this->attributes);
-
-		while (enumerator->enumerate(enumerator, (void**)&attribute))
-		{
-			memcpy(pos, attribute->encoding.ptr, attribute->encoding.len);
-			pos += attribute->encoding.len;
-		}
-		enumerator->destroy(enumerator);
-	}
-}
-
-METHOD(pkcs9_t, get_encoding, chunk_t,
-	private_pkcs9_t *this)
-{
-	if (this->encoding.ptr == NULL)
-	{
-		build_encoding(this);
-	}
-	return this->encoding;
-}
-
-METHOD(pkcs9_t, get_attribute, chunk_t,
-	private_pkcs9_t *this, int oid)
-{
-	enumerator_t *enumerator;
-	chunk_t value = chunk_empty;
-	attribute_t *attribute;
-
-	enumerator = this->attributes->create_enumerator(this->attributes);
-	while (enumerator->enumerate(enumerator, (void**)&attribute))
-	{
-		if (attribute->oid == oid)
-		{
-			value = attribute->value;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return value;
-}
-
-METHOD(pkcs9_t, set_attribute, void,
-	private_pkcs9_t *this, int oid, chunk_t value)
-{
-	attribute_t *attribute = attribute_create(oid, value);
-
-	this->attributes->insert_last(this->attributes, (void*)attribute);
-}
-
-METHOD(pkcs9_t, get_messageDigest, chunk_t,
-	private_pkcs9_t *this)
-{
-	const int oid = OID_PKCS9_MESSAGE_DIGEST;
-	chunk_t value = get_attribute(this, oid);
-
-	if (value.ptr == NULL)
-	{
-		return chunk_empty;
-	}
-	if (!asn1_parse_simple_object(&value, asn1_attributeType(oid), 0,
-								  oid_names[oid].name))
-	{
-		return chunk_empty;
-	}
-	return chunk_clone(value);
-}
-
-METHOD(pkcs9_t, set_messageDigest, void,
-	private_pkcs9_t *this, chunk_t value)
-{
-	const int oid = OID_PKCS9_MESSAGE_DIGEST;
-	chunk_t messageDigest = asn1_simple_object(asn1_attributeType(oid), value);
-
-	set_attribute(this, oid, messageDigest);
-	free(messageDigest.ptr);
-}
-
-METHOD(pkcs9_t, destroy, void,
-	private_pkcs9_t *this)
-{
-	this->attributes->destroy_offset(this->attributes, offsetof(attribute_t, destroy));
-	free(this->encoding.ptr);
-	free(this);
-}
-
-/**
- * Generic private constructor
- */
-static private_pkcs9_t *pkcs9_create_empty(void)
-{
-	private_pkcs9_t *this;
-
-	INIT(this,
-		.public = {
-			.build_encoding = _build_encoding,
-			.get_encoding = _get_encoding,
-			.get_attribute = _get_attribute,
-			.set_attribute = _set_attribute,
-			.get_messageDigest = _get_messageDigest,
-			.set_messageDigest = _set_messageDigest,
-			.destroy = _destroy,
-		},
-		.attributes = linked_list_create(),
-	);
-
-	return this;
-}
-
-/*
- * Described in header.
- */
-pkcs9_t *pkcs9_create(void)
-{
-	private_pkcs9_t *this = pkcs9_create_empty();
-
-	return &this->public;
-}
-
-/**
- * ASN.1 definition of the X.501 atttribute type
- */
-static const asn1Object_t attributesObjects[] = {
-	{ 0, "attributes",		ASN1_SET,		ASN1_LOOP }, /* 0 */
-	{ 1,   "attribute",		ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
-	{ 2,     "type",		ASN1_OID,		ASN1_BODY }, /* 2 */
-	{ 2,     "values",		ASN1_SET,		ASN1_LOOP }, /* 3 */
-	{ 3,       "value",		ASN1_EOC,		ASN1_RAW  }, /* 4 */
-	{ 2,     "end loop",	ASN1_EOC,		ASN1_END  }, /* 5 */
-	{ 0, "end loop",		ASN1_EOC,		ASN1_END  }, /* 6 */
-	{ 0, "exit",			ASN1_EOC,		ASN1_EXIT }
-};
-#define ATTRIBUTE_OBJ_TYPE 	2
-#define ATTRIBUTE_OBJ_VALUE	4
-
-/**
- * Parse a PKCS#9 attribute list
- */
-static bool parse_attributes(chunk_t chunk, int level0, private_pkcs9_t* this)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	int oid = OID_UNKNOWN;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(attributesObjects, chunk);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case ATTRIBUTE_OBJ_TYPE:
-				oid = asn1_known_oid(object);
-				break;
-			case ATTRIBUTE_OBJ_VALUE:
-				if (oid == OID_UNKNOWN)
-				{
-					break;
-				}
-				/* add the attribute to a linked list */
-				{
-					attribute_t *attribute = attribute_create(oid, object);
-
-					this->attributes->insert_last(this->attributes,
-												 (void*)attribute);
-				}
-				/* parse known attributes  */
-				{
-					asn1_t type = asn1_attributeType(oid);
-
-					if (type != ASN1_EOC)
-					{
-						if (!asn1_parse_simple_object(&object, type,
-										parser->get_level(parser)+1,
-										oid_names[oid].name))
-						{
-							goto end;
-						}
-					}
-				}
-		}
-	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	return success;
-}
-
-
- /*
- * Described in header.
- */
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level)
-{
-	private_pkcs9_t *this = pkcs9_create_empty();
-
-	this->encoding = chunk_clone(chunk);
-
-	if (!parse_attributes(chunk, level, this))
-	{
-		destroy(this);
-		return NULL;
-	}
-	return &this->public;
-}
diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h
deleted file mode 100644
index 5b85692d6..000000000
--- a/src/libstrongswan/crypto/pkcs9.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pkcs9 pkcs9
- * @{ @ingroup crypto
- */
-
-#ifndef PKCS9_H_
-#define PKCS9_H_
-
-typedef struct pkcs9_t pkcs9_t;
-
-#include <library.h>
-
-/**
- * PKCS#9 attributes.
- */
-struct pkcs9_t {
-
-	/**
-	 * Generate ASN.1 encoding of attribute list
-	 */
-	void (*build_encoding) (pkcs9_t *this);
-
-	/**
-	 * Gets ASN.1 encoding of PKCS#9 attribute list
-	 *
-	 * @return				ASN.1 encoded PKCSI#9 list
-	 */
-	chunk_t (*get_encoding) (pkcs9_t *this);
-
-	/**
-	 * Gets a PKCS#9 attribute
-	 *
-	 * @param oid			OID of the attribute
-	 * @return				ASN.1 encoded value of the attribute
-	 */
-	chunk_t (*get_attribute) (pkcs9_t *this, int oid);
-
-	/**
-	 * Adds a PKCS#9 attribute
-	 *
-	 * @param oid			OID of the attribute
-	 * @param value			ASN.1 encoded value of the attribute
-	 */
-	void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value);
-
-	/**
-	 * Gets a PKCS#9 messageDigest attribute
-	 *
-	 * @return				messageDigest
-	 */
-	chunk_t (*get_messageDigest) (pkcs9_t *this);
-
-	/**
-	 * Add a PKCS#9 messageDigest attribute
-	 *
-	 * @param value			messageDigest
-	 */
-	void (*set_messageDigest) (pkcs9_t *this, chunk_t value);
-
-	/**
-	 * Destroys the PKCS#9 attribute list.
-	 */
-	void (*destroy) (pkcs9_t *this);
-};
-
-/**
- * Read a PKCS#9 attribute list from a DER encoded chunk.
- *
- * @param chunk		chunk containing DER encoded data
- * @param level		ASN.1 parsing start level
- * @return 			created pkcs9 attribute list, or NULL if invalid.
- */
-pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level);
-
-/**
- * Create an empty PKCS#9 attribute list
- *
- * @return 				created pkcs9 attribute list.
- */
-pkcs9_t *pkcs9_create(void);
-
-#endif /** PKCS9_H_ @}*/
diff --git a/src/libstrongswan/crypto/prf_plus.c b/src/libstrongswan/crypto/prf_plus.c
index 8e815e608..94be1d5bf 100644
--- a/src/libstrongswan/crypto/prf_plus.c
+++ b/src/libstrongswan/crypto/prf_plus.c
@@ -25,6 +25,7 @@ typedef struct private_prf_plus_t private_prf_plus_t;
  *
  */
 struct private_prf_plus_t {
+
 	/**
 	 * Public interface of prf_plus_t.
 	 */
@@ -41,65 +42,74 @@ struct private_prf_plus_t {
 	chunk_t seed;
 
 	/**
-	 * Buffer to store current PRF result.
+	 * Octet which will be appended to the seed, 0 if not used
 	 */
-	chunk_t buffer;
+	u_int8_t counter;
 
 	/**
 	 * Already given out bytes in current buffer.
 	 */
-	size_t given_out;
+	size_t used;
 
 	/**
-	 * Octet which will be appended to the seed.
+	 * Buffer to store current PRF result.
 	 */
-	u_int8_t appending_octet;
+	chunk_t buffer;
 };
 
-METHOD(prf_plus_t, get_bytes, void,
+METHOD(prf_plus_t, get_bytes, bool,
 	private_prf_plus_t *this, size_t length, u_int8_t *buffer)
 {
-	chunk_t appending_chunk;
-	size_t bytes_in_round;
-	size_t total_bytes_written = 0;
-
-	appending_chunk.ptr = &(this->appending_octet);
-	appending_chunk.len = 1;
+	size_t round, written = 0;
 
 	while (length > 0)
-	{	/* still more to do... */
-		if (this->buffer.len == this->given_out)
-		{	/* no bytes left in buffer, get next*/
-			this->prf->get_bytes(this->prf, this->buffer, NULL);
-			this->prf->get_bytes(this->prf, this->seed, NULL);
-			this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
-			this->given_out = 0;
-			this->appending_octet++;
+	{
+		if (this->buffer.len == this->used)
+		{	/* buffer used, get next round */
+			if (!this->prf->get_bytes(this->prf, this->buffer, NULL))
+			{
+				return FALSE;
+			}
+			if (this->counter)
+			{
+				if (!this->prf->get_bytes(this->prf, this->seed, NULL) ||
+					!this->prf->get_bytes(this->prf,
+							chunk_from_thing(this->counter), this->buffer.ptr))
+				{
+					return FALSE;
+				}
+				this->counter++;
+			}
+			else
+			{
+				if (!this->prf->get_bytes(this->prf, this->seed,
+										  this->buffer.ptr))
+				{
+					return FALSE;
+				}
+			}
+			this->used = 0;
 		}
-		/* how many bytes can we write in this round ? */
-		bytes_in_round = min(length, this->buffer.len - this->given_out);
-		/* copy bytes from buffer with offset */
-		memcpy(buffer + total_bytes_written, this->buffer.ptr + this->given_out, bytes_in_round);
-
-		length -= bytes_in_round;
-		this->given_out += bytes_in_round;
-		total_bytes_written += bytes_in_round;
+		round = min(length, this->buffer.len - this->used);
+		memcpy(buffer + written, this->buffer.ptr + this->used, round);
+
+		length -= round;
+		this->used += round;
+		written += round;
 	}
+	return TRUE;
 }
 
-METHOD(prf_plus_t, allocate_bytes, void,
+METHOD(prf_plus_t, allocate_bytes, bool,
 	private_prf_plus_t *this, size_t length, chunk_t *chunk)
 {
 	if (length)
 	{
-		chunk->ptr = malloc(length);
-		chunk->len = length;
-		get_bytes(this, length, chunk->ptr);
-	}
-	else
-	{
-		*chunk = chunk_empty;
+		*chunk = chunk_alloc(length);
+		return get_bytes(this, length, chunk->ptr);
 	}
+	*chunk = chunk_empty;
+	return TRUE;
 }
 
 METHOD(prf_plus_t, destroy, void,
@@ -113,10 +123,9 @@ METHOD(prf_plus_t, destroy, void,
 /*
  * Description in header.
  */
-prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed)
+prf_plus_t *prf_plus_create(prf_t *prf, bool counter, chunk_t seed)
 {
 	private_prf_plus_t *this;
-	chunk_t appending_chunk;
 
 	INIT(this,
 		.public = {
@@ -125,25 +134,30 @@ prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed)
 			.destroy = _destroy,
 		},
 		.prf = prf,
+		.seed = chunk_clone(seed),
+		.buffer = chunk_alloc(prf->get_block_size(prf)),
 	);
 
-	/* allocate buffer for prf output */
-	this->buffer.len = prf->get_block_size(prf);
-	this->buffer.ptr = malloc(this->buffer.len);
-
-	this->appending_octet = 0x01;
-
-	/* clone seed */
-	this->seed.ptr = clalloc(seed.ptr, seed.len);
-	this->seed.len = seed.len;
-
-	/* do the first run */
-	appending_chunk.ptr = &(this->appending_octet);
-	appending_chunk.len = 1;
-	this->prf->get_bytes(this->prf, this->seed, NULL);
-	this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
-	this->given_out = 0;
-	this->appending_octet++;
+	if (counter)
+	{
+		this->counter = 0x01;
+		if (!this->prf->get_bytes(this->prf, this->seed, NULL) ||
+			!this->prf->get_bytes(this->prf, chunk_from_thing(this->counter),
+								  this->buffer.ptr))
+		{
+			destroy(this);
+			return NULL;
+		}
+		this->counter++;
+	}
+	else
+	{
+		if (!this->prf->get_bytes(this->prf, this->seed, this->buffer.ptr))
+		{
+			destroy(this);
+			return NULL;
+		}
+	}
 
-	return &(this->public);
+	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/prf_plus.h b/src/libstrongswan/crypto/prf_plus.h
index 4179f2695..f994dce16 100644
--- a/src/libstrongswan/crypto/prf_plus.h
+++ b/src/libstrongswan/crypto/prf_plus.h
@@ -27,52 +27,44 @@ typedef struct prf_plus_t prf_plus_t;
 #include <crypto/prfs/prf.h>
 
 /**
- * Implementation of the prf+ function described in IKEv2 RFC.
- *
- * This class implements the prf+ algorithm. Internally it uses a pseudo random
- * function, which implements the prf_t interface.
- * See IKEv2 RFC 2.13.
+ * Implementation of the prf+ function used in IKEv1/IKEv2 keymat extension.
  */
 struct prf_plus_t {
+
 	/**
 	 * Get pseudo random bytes.
 	 *
-	 * Get the next few bytes of the prf+ output. Space
-	 * must be allocated by the caller.
-	 *
 	 * @param length	number of bytes to get
 	 * @param buffer	pointer where the generated bytes will be written
+	 * @return			TRUE if bytes generated successfully
 	 */
-	void (*get_bytes) (prf_plus_t *this, size_t length, u_int8_t *buffer);
+	bool (*get_bytes)(prf_plus_t *this, size_t length,
+					  u_int8_t *buffer) __attribute__((warn_unused_result));
 
 	/**
 	 * Allocate pseudo random bytes.
 	 *
-	 * Get the next few bytes of the prf+ output. This function
-	 * will allocate the required space.
-	 *
 	 * @param length	number of bytes to get
 	 * @param chunk		chunk which will hold generated bytes
+	 * @return			TRUE if bytes allocated successfully
 	 */
-	void (*allocate_bytes) (prf_plus_t *this, size_t length, chunk_t *chunk);
+	bool (*allocate_bytes)(prf_plus_t *this, size_t length,
+						   chunk_t *chunk) __attribute__((warn_unused_result));
 
 	/**
 	 * Destroys a prf_plus_t object.
 	 */
-	void (*destroy) (prf_plus_t *this);
+	void (*destroy)(prf_plus_t *this);
 };
 
 /**
  * Creates a new prf_plus_t object.
  *
- * Seed will be cloned. prf will
- * not be cloned, must be destroyed outside after
- * prf_plus_t usage.
- *
- * @param prf				prf object to use
+ * @param prf				prf object to use, must be destroyd after prf+.
+ * @param counter			use an appending counter byte (for IKEv2 variant)
  * @param seed				input seed for prf
- * @return					prf_plus_t object
+ * @return					prf_plus_t object, NULL on failure
  */
-prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed);
+prf_plus_t *prf_plus_create(prf_t *prf, bool counter, chunk_t seed);
 
 #endif /** PRF_PLUS_H_ @}*/
diff --git a/src/libstrongswan/crypto/prfs/mac_prf.c b/src/libstrongswan/crypto/prfs/mac_prf.c
new file mode 100644
index 000000000..b5f6be982
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/mac_prf.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mac_prf.h"
+
+typedef struct private_prf_t private_prf_t;
+
+/**
+ * Private data of a mac_prf_t object.
+ */
+struct private_prf_t {
+
+	/**
+	 * Public interface
+	 */
+	prf_t public;
+
+	/**
+	 * MAC to use
+	 */
+	mac_t *mac;
+};
+
+METHOD(prf_t, get_bytes, bool,
+	private_prf_t *this, chunk_t seed, u_int8_t *buffer)
+{
+	return this->mac->get_mac(this->mac, seed, buffer);
+}
+
+METHOD(prf_t, allocate_bytes, bool,
+	private_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+	if (chunk)
+	{
+		*chunk = chunk_alloc(this->mac->get_mac_size(this->mac));
+		return this->mac->get_mac(this->mac, seed, chunk->ptr);
+	}
+	return this->mac->get_mac(this->mac, seed, NULL);
+}
+
+METHOD(prf_t, get_block_size, size_t,
+	private_prf_t *this)
+{
+	return this->mac->get_mac_size(this->mac);
+}
+
+METHOD(prf_t, get_key_size, size_t,
+	private_prf_t *this)
+{
+	/* IKEv2 uses MAC size as key size */
+	return this->mac->get_mac_size(this->mac);
+}
+
+METHOD(prf_t, set_key, bool,
+	private_prf_t *this, chunk_t key)
+{
+	return this->mac->set_key(this->mac, key);
+}
+
+METHOD(prf_t, destroy, void,
+	private_prf_t *this)
+{
+	this->mac->destroy(this->mac);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+prf_t *mac_prf_create(mac_t *mac)
+{
+	private_prf_t *this;
+
+	INIT(this,
+		.public = {
+			.get_bytes = _get_bytes,
+			.allocate_bytes = _allocate_bytes,
+			.get_block_size = _get_block_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.mac = mac,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/crypto/prfs/mac_prf.h b/src/libstrongswan/crypto/prfs/mac_prf.h
new file mode 100644
index 000000000..b2c0c6e17
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/mac_prf.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mac_prf mac_prf
+ * @{ @ingroup crypto
+ */
+
+#ifndef MAC_PRF_H_
+#define MAC_PRF_H_
+
+#include <crypto/mac.h>
+#include <crypto/prfs/prf.h>
+
+/**
+ * Creates an implementation of the prf_t interface using the provided mac_t
+ * implementation.  Basically a simple wrapper to map the interface.
+ *
+ * @param mac		mac_t implementation
+ * @return			prf_t object
+ */
+prf_t *mac_prf_create(mac_t *mac);
+
+#endif /** MAC_PRF_H_ @}*/
diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h
index ad15205d3..46e23b244 100644
--- a/src/libstrongswan/crypto/prfs/prf.h
+++ b/src/libstrongswan/crypto/prfs/prf.h
@@ -71,28 +71,33 @@ extern enum_name_t *pseudo_random_function_names;
  * Generic interface for pseudo-random-functions.
  */
 struct prf_t {
+
 	/**
 	 * Generates pseudo random bytes and writes them in the buffer.
 	 *
 	 * @param seed		a chunk containing the seed for the next bytes
 	 * @param buffer	pointer where the generated bytes will be written
+	 * @return			TRUE if bytes generated successfully
 	 */
-	void (*get_bytes) (prf_t *this, chunk_t seed, u_int8_t *buffer);
+	bool (*get_bytes)(prf_t *this, chunk_t seed,
+					  u_int8_t *buffer) __attribute__((warn_unused_result));
 
 	/**
 	 * Generates pseudo random bytes and allocate space for them.
 	 *
 	 * @param seed		a chunk containing the seed for the next bytes
 	 * @param chunk		chunk which will hold generated bytes
+	 * @return			TRUE if bytes allocated and generated successfully
 	 */
-	void (*allocate_bytes) (prf_t *this, chunk_t seed, chunk_t *chunk);
+	bool (*allocate_bytes)(prf_t *this, chunk_t seed,
+						   chunk_t *chunk) __attribute__((warn_unused_result));
 
 	/**
 	 * Get the block size of this prf_t object.
 	 *
 	 * @return			block size in bytes
 	 */
-	size_t (*get_block_size) (prf_t *this);
+	size_t (*get_block_size)(prf_t *this);
 
 	/**
 	 * Get the key size of this prf_t object.
@@ -102,19 +107,21 @@ struct prf_t {
 	 *
 	 * @return			key size in bytes
 	 */
-	size_t (*get_key_size) (prf_t *this);
+	size_t (*get_key_size)(prf_t *this);
 
 	/**
 	 * Set the key for this prf_t object.
 	 *
 	 * @param key		key to set
+	 * @return			TRUE if key set successfully
 	 */
-	void (*set_key) (prf_t *this, chunk_t key);
+	bool (*set_key)(prf_t *this,
+					chunk_t key) __attribute__((warn_unused_result));
 
 	/**
 	 * Destroys a prf object.
 	 */
-	void (*destroy) (prf_t *this);
+	void (*destroy)(prf_t *this);
 };
 
 #endif /** PRF_H_ @}*/
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index 2060864a5..4db504eb0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -1,38 +1,6 @@
-/* C code produced by gperf version 3.0.3 */
-/* Command-line: /usr/bin/gperf -N proposal_get_token -m 10 -C -G -c -t -D  */
-/* Computed positions: -k'1,5,7,10,15,$' */
-
-#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
-      && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
-      && (')' == 41) && ('*' == 42) && ('+' == 43) && (',' == 44) \
-      && ('-' == 45) && ('.' == 46) && ('/' == 47) && ('0' == 48) \
-      && ('1' == 49) && ('2' == 50) && ('3' == 51) && ('4' == 52) \
-      && ('5' == 53) && ('6' == 54) && ('7' == 55) && ('8' == 56) \
-      && ('9' == 57) && (':' == 58) && (';' == 59) && ('<' == 60) \
-      && ('=' == 61) && ('>' == 62) && ('?' == 63) && ('A' == 65) \
-      && ('B' == 66) && ('C' == 67) && ('D' == 68) && ('E' == 69) \
-      && ('F' == 70) && ('G' == 71) && ('H' == 72) && ('I' == 73) \
-      && ('J' == 74) && ('K' == 75) && ('L' == 76) && ('M' == 77) \
-      && ('N' == 78) && ('O' == 79) && ('P' == 80) && ('Q' == 81) \
-      && ('R' == 82) && ('S' == 83) && ('T' == 84) && ('U' == 85) \
-      && ('V' == 86) && ('W' == 87) && ('X' == 88) && ('Y' == 89) \
-      && ('Z' == 90) && ('[' == 91) && ('\\' == 92) && (']' == 93) \
-      && ('^' == 94) && ('_' == 95) && ('a' == 97) && ('b' == 98) \
-      && ('c' == 99) && ('d' == 100) && ('e' == 101) && ('f' == 102) \
-      && ('g' == 103) && ('h' == 104) && ('i' == 105) && ('j' == 106) \
-      && ('k' == 107) && ('l' == 108) && ('m' == 109) && ('n' == 110) \
-      && ('o' == 111) && ('p' == 112) && ('q' == 113) && ('r' == 114) \
-      && ('s' == 115) && ('t' == 116) && ('u' == 117) && ('v' == 118) \
-      && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
-      && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
-/* The character set is not based on ISO-646.  */
-error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
-#endif
-
-
-/* proposal keywords
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -45,280 +13,134 @@ error "gperf generated tables don't work with this execution character set. Plea
  * for more details.
  */
 
-#include <string.h>
+/*
+ * Copyright (c) 2012 Nanoteq Pty Ltd
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "proposal_keywords.h"
+#include "proposal_keywords_static.h"
 
-#include <crypto/transform.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-#include <crypto/diffie_hellman.h>
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
 
-struct proposal_token {
-    char             *name;
-    transform_type_t  type;
-	u_int16_t         algorithm;
-    u_int16_t         keysize;
-};
+typedef struct private_proposal_keywords_t private_proposal_keywords_t;
+
+struct private_proposal_keywords_t {
+
+	/**
+	 * public interface
+	 */
+	proposal_keywords_t public;
+
+	/**
+	 * registered tokens, as proposal_token_t
+	 */
+	linked_list_t * tokens;
 
-#define TOTAL_KEYWORDS 122
-#define MIN_WORD_LENGTH 3
-#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 213
-/* maximum key range = 205, duplicates = 0 */
+	/**
+	 * rwlock to lock access to modules
+	 */
+	rwlock_t *lock;
+};
 
-#ifdef __GNUC__
-__inline
-#else
-#ifdef __cplusplus
-inline
-#endif
-#endif
-static unsigned int
-hash (str, len)
-     register const char *str;
-     register unsigned int len;
+/**
+ * Find the token object for the algorithm specified.
+ */
+static const proposal_token_t* find_token(private_proposal_keywords_t *this,
+										  const char *str)
 {
-  static const unsigned char asso_values[] =
-    {
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214,  14,   9,
-        4,  34,  66,  19,   8,   4,   5,   3, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 131, 214,   3,  22,  21,
-        3,   1, 101,  48,   3,   4, 214, 214,   3,  10,
-       57,   4, 214, 214,  94,   6,   3,  32, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214, 214, 214, 214,
-      214, 214, 214, 214, 214, 214, 214
-    };
-  register int hval = len;
+	proposal_token_t *token, *found = NULL;
+	enumerator_t *enumerator;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->tokens->create_enumerator(this->tokens);
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		if (streq(token->name, str))
+		{
+			found = token;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return found;
+}
 
-  switch (hval)
-    {
-      default:
-        hval += asso_values[(unsigned char)str[14]];
-      /*FALLTHROUGH*/
-      case 14:
-      case 13:
-      case 12:
-      case 11:
-      case 10:
-        hval += asso_values[(unsigned char)str[9]];
-      /*FALLTHROUGH*/
-      case 9:
-      case 8:
-      case 7:
-        hval += asso_values[(unsigned char)str[6]];
-      /*FALLTHROUGH*/
-      case 6:
-      case 5:
-        hval += asso_values[(unsigned char)str[4]];
-      /*FALLTHROUGH*/
-      case 4:
-      case 3:
-      case 2:
-      case 1:
-        hval += asso_values[(unsigned char)str[0]+1];
-        break;
-    }
-  return hval + asso_values[(unsigned char)str[len - 1]];
+METHOD(proposal_keywords_t, get_token, const proposal_token_t*,
+	private_proposal_keywords_t *this, const char *str)
+{
+	const proposal_token_t *token = proposal_get_token_static(str, strlen(str));
+	return token ?: find_token(this, str);
 }
 
-static const struct proposal_token wordlist[] =
-  {
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
-    {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
-    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
-    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
-    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
-    {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
-    {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
-    {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
-    {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
-    {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
-    {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
-    {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
-    {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
-    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
-    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
-    {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
-    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
-    {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
-    {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
-    {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
-    {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
-    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
-    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
-    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
-    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
-    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
-    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
-    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
-    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
-    {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
-    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
-    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
-    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
-    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
-    {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
-    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
-    {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
-    {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
-    {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
-    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
-    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
-    {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
-    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
-    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
-    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
-    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
-    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
-    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
-    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
-    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
-    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
-    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
-    {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
-    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
-    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
-    {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
-    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
-    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
-    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
-    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0}
-  };
+METHOD(proposal_keywords_t, register_token, void,
+	private_proposal_keywords_t *this, const char *name, transform_type_t type,
+	u_int16_t algorithm, u_int16_t keysize)
+{
+	proposal_token_t *token;
+
+	INIT(token,
+		.name = strdup(name),
+		.type = type,
+		.algorithm = algorithm,
+		.keysize = keysize,
+	);
 
-static const short lookup[] =
-  {
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,
-      1,   2,  -1,  -1,  -1,  -1,   3,   4,  -1,  -1,
-     -1,   5,   6,  -1,  -1,   7,  -1,   8,   9,  10,
-     11,  12,  -1,  13,  -1,  14,  15,  16,  17,  18,
-     19,  20,  21,  22,  23,  24,  25,  26,  27,  28,
-     -1,  -1,  -1,  -1,  29,  30,  31,  32,  33,  34,
-     35,  -1,  36,  -1,  37,  38,  39,  40,  41,  42,
-     43,  44,  45,  46,  47,  48,  49,  50,  51,  52,
-     53,  54,  55,  56,  57,  -1,  58,  -1,  59,  -1,
-     60,  -1,  61,  62,  63,  64,  65,  66,  67,  68,
-     69,  70,  71,  72,  73,  74,  -1,  75,  -1,  76,
-     -1,  77,  -1,  78,  79,  80,  81,  82,  -1,  83,
-     84,  85,  86,  87,  -1,  88,  89,  -1,  90,  -1,
-     -1,  91,  92,  -1,  93,  -1,  -1,  94,  -1,  95,
-     96,  97,  98,  -1,  99,  -1, 100, 101, 102, 103,
-    104, 105,  -1,  -1,  -1, 106,  -1,  -1, 107, 108,
-     -1, 109,  -1,  -1, 110, 111, 112,  -1,  -1, 113,
-    114,  -1,  -1,  -1, 115, 116,  -1, 117, 118,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1, 119,  -1,  -1,  -1, 120,
-     -1,  -1,  -1, 121
-  };
+	this->lock->write_lock(this->lock);
+	this->tokens->insert_first(this->tokens, token);
+	this->lock->unlock(this->lock);
+}
 
-#ifdef __GNUC__
-__inline
-#ifdef __GNUC_STDC_INLINE__
-__attribute__ ((__gnu_inline__))
-#endif
-#endif
-const struct proposal_token *
-proposal_get_token (str, len)
-     register const char *str;
-     register unsigned int len;
+METHOD(proposal_keywords_t, destroy, void,
+	private_proposal_keywords_t *this)
 {
-  if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
-    {
-      register int key = hash (str, len);
+	proposal_token_t *token;
+
+	while (this->tokens->remove_first(this->tokens, (void**)&token) == SUCCESS)
+	{
+		free(token->name);
+		free(token);
+	}
+	this->tokens->destroy(this->tokens);
+	this->lock->destroy(this->lock);
+	free(this);
+}
 
-      if (key <= MAX_HASH_VALUE && key >= 0)
-        {
-          register int index = lookup[key];
+/*
+ * Described in header.
+ */
+proposal_keywords_t *proposal_keywords_create()
+{
+	private_proposal_keywords_t *this;
 
-          if (index >= 0)
-            {
-              register const char *s = wordlist[index].name;
+	INIT(this,
+		.public = {
+			.get_token = _get_token,
+			.register_token = _register_token,
+			.destroy = _destroy,
+		},
+		.tokens = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
 
-              if (*str == *s && !strncmp (str + 1, s + 1, len - 1) && s[len] == '\0')
-                return &wordlist[index];
-            }
-        }
-    }
-  return 0;
+	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h
index 53fa1728f..d6107abc0 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.h
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h
@@ -1,6 +1,6 @@
-/* proposal keywords
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,22 +13,103 @@
  * for more details.
  */
 
-#ifndef _PROPOSAL_KEYWORDS_H_
-#define _PROPOSAL_KEYWORDS_H_
+/*
+ * Copyright (c) 2012 Nanoteq Pty Ltd
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
 
+/**
+ * @defgroup proposal_keywords proposal_keywords
+ * @{ @ingroup crypto
+ */
+
+#ifndef PROPOSAL_KEYWORDS_H_
+#define PROPOSAL_KEYWORDS_H_
+
+typedef struct proposal_token_t proposal_token_t;
+typedef struct proposal_keywords_t proposal_keywords_t;
+
+#include <library.h>
 #include <crypto/transform.h>
 
-typedef struct proposal_token proposal_token_t;
+/**
+ * Class representing a proposal token.
+ */
+struct proposal_token_t {
+
+	/**
+	 * The name of the token.
+	 */
+	char *name;
+
+	/**
+	 * The type of transform in the token.
+	 */
+	transform_type_t type;
+
+	/**
+	 * The IKE id of the algorithm.
+	 */
+	u_int16_t algorithm;
 
-struct proposal_token {
-	char             *name;
-	transform_type_t  type;
-	u_int16_t         algorithm;
-	u_int16_t         keysize;
+	/**
+	 * The key size associated with the specific algorithm.
+	 */
+	u_int16_t keysize;
 };
 
-extern const proposal_token_t* proposal_get_token(register const char *str,
-												  register unsigned int len);
+/**
+ * Class to manage proposal keywords
+ */
+struct proposal_keywords_t {
+
+	/**
+	 * Returns the proposal token for the specified string if a token exists.
+	 *
+	 * @param str		the string containing the name of the token
+	 * @return			proposal_token if found, NULL otherwise
+	 */
+	const proposal_token_t *(*get_token)(proposal_keywords_t *this,
+										 const char *str);
 
-#endif /* _PROPOSAL_KEYWORDS_H_ */
+	/**
+	 * Register a new proposal token for an algorithm.
+	 *
+	 * @param name		the string containing the name of the token
+	 * @param type		the transform_type_t for the token
+	 * @param algorithm	the IKE id of the algorithm
+	 * @param keysize	the key size associated with the specific algorithm
+	 */
+	void (*register_token)(proposal_keywords_t *this, const char *name,
+						   transform_type_t type, u_int16_t algorithm,
+						   u_int16_t keysize);
+
+	/**
+	 * Destroy a proposal_keywords_t instance.
+	 */
+	void (*destroy)(proposal_keywords_t *this);
+};
+
+/**
+ * Create a proposal_keywords_t instance.
+ */
+proposal_keywords_t *proposal_keywords_create();
 
+#endif /** PROPOSAL_KEYWORDS_H_ @}*/
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
deleted file mode 100644
index 1d04f2dc4..000000000
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt
+++ /dev/null
@@ -1,153 +0,0 @@
-%{
-/* proposal keywords
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include <crypto/transform.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-#include <crypto/diffie_hellman.h>
-
-%}
-struct proposal_token {
-    char             *name;
-    transform_type_t  type;
-	u_int16_t         algorithm;
-    u_int16_t         keysize;
-};
-%%
-null,             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0
-des,              ENCRYPTION_ALGORITHM, ENCR_DES,                  0
-3des,             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0
-aes,              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128
-aes128,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128
-aes192,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192
-aes256,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256
-aes128ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128
-aes192ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192
-aes256ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256
-aes128ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128
-aes128ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128
-aes128ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128
-aes128ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128
-aes128ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128
-aes128ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128
-aes192ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192
-aes192ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192
-aes192ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192
-aes192ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192
-aes192ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192
-aes192ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192
-aes256ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256
-aes256ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256
-aes256ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256
-aes256ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256
-aes256ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256
-aes256ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256
-aes128gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128
-aes128gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128
-aes128gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128
-aes128gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128
-aes128gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128
-aes128gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128
-aes192gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192
-aes192gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192
-aes192gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192
-aes192gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192
-aes192gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192
-aes192gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192
-aes256gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256
-aes256gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256
-aes256gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256
-aes256gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256
-aes256gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
-aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
-aes128gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
-aes192gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
-aes256gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
-blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
-blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
-blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192
-blowfish256,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256
-camellia,         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
-camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
-camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192
-camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256
-camellia128ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128
-camellia192ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192
-camellia256ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256
-camellia128ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
-camellia128ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
-camellia128ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
-camellia128ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
-camellia128ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
-camellia128ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
-camellia192ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
-camellia192ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
-camellia192ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
-camellia192ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
-camellia192ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
-camellia192ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
-camellia256ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
-camellia256ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
-camellia256ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
-camellia256ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
-camellia256ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
-camellia256ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
-cast128,          ENCRYPTION_ALGORITHM, ENCR_CAST,               128
-serpent,          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
-serpent128,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
-serpent192,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192
-serpent256,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256
-twofish,          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128
-twofish128,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128
-twofish192,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192
-twofish256,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256
-sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0
-sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0
-sha1_160,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0
-sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0
-sha2_256,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0
-sha256_96,        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0
-sha2_256_96,      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0
-sha384,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0
-sha2_384,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0
-sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
-sha2_512,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
-md5,              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0
-md5_128,          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0
-aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0
-camelliaxcbc,     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0
-aescmac,          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0
-modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0
-modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0
-modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0
-modp1536,         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0
-modp2048,         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0
-modp3072,         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0
-modp4096,         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0
-modp6144,         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0
-modp8192,         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0
-ecp192,           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0
-ecp224,           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0
-ecp256,           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0
-ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0
-ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0
-modp1024s160,     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0
-modp2048s224,     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0
-modp2048s256,     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0
-noesn,            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0
-esn,              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
new file mode 100644
index 000000000..d85bfebd0
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -0,0 +1,332 @@
+/* C code produced by gperf version 3.0.3 */
+/* Command-line: /usr/bin/gperf -N proposal_get_token_static -m 10 -C -G -c -t -D  */
+/* Computed positions: -k'1,5,7,10,15,$' */
+
+#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
+      && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
+      && (')' == 41) && ('*' == 42) && ('+' == 43) && (',' == 44) \
+      && ('-' == 45) && ('.' == 46) && ('/' == 47) && ('0' == 48) \
+      && ('1' == 49) && ('2' == 50) && ('3' == 51) && ('4' == 52) \
+      && ('5' == 53) && ('6' == 54) && ('7' == 55) && ('8' == 56) \
+      && ('9' == 57) && (':' == 58) && (';' == 59) && ('<' == 60) \
+      && ('=' == 61) && ('>' == 62) && ('?' == 63) && ('A' == 65) \
+      && ('B' == 66) && ('C' == 67) && ('D' == 68) && ('E' == 69) \
+      && ('F' == 70) && ('G' == 71) && ('H' == 72) && ('I' == 73) \
+      && ('J' == 74) && ('K' == 75) && ('L' == 76) && ('M' == 77) \
+      && ('N' == 78) && ('O' == 79) && ('P' == 80) && ('Q' == 81) \
+      && ('R' == 82) && ('S' == 83) && ('T' == 84) && ('U' == 85) \
+      && ('V' == 86) && ('W' == 87) && ('X' == 88) && ('Y' == 89) \
+      && ('Z' == 90) && ('[' == 91) && ('\\' == 92) && (']' == 93) \
+      && ('^' == 94) && ('_' == 95) && ('a' == 97) && ('b' == 98) \
+      && ('c' == 99) && ('d' == 100) && ('e' == 101) && ('f' == 102) \
+      && ('g' == 103) && ('h' == 104) && ('i' == 105) && ('j' == 106) \
+      && ('k' == 107) && ('l' == 108) && ('m' == 109) && ('n' == 110) \
+      && ('o' == 111) && ('p' == 112) && ('q' == 113) && ('r' == 114) \
+      && ('s' == 115) && ('t' == 116) && ('u' == 117) && ('v' == 118) \
+      && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
+      && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
+/* The character set is not based on ISO-646.  */
+error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#endif
+
+
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include <crypto/transform.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/diffie_hellman.h>
+
+struct proposal_token {
+	char             *name;
+	transform_type_t  type;
+	u_int16_t         algorithm;
+	u_int16_t         keysize;
+};
+
+#define TOTAL_KEYWORDS 130
+#define MIN_WORD_LENGTH 3
+#define MAX_WORD_LENGTH 17
+#define MIN_HASH_VALUE 12
+#define MAX_HASH_VALUE 216
+/* maximum key range = 205, duplicates = 0 */
+
+#ifdef __GNUC__
+__inline
+#else
+#ifdef __cplusplus
+inline
+#endif
+#endif
+static unsigned int
+hash (str, len)
+     register const char *str;
+     register unsigned int len;
+{
+  static const unsigned char asso_values[] =
+    {
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217,  35,  10,
+        5,  34,  68,  21,   9,  16,   6,   4, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 117, 217,  15,  22,  23,
+        4,  29,   4,  51,  57,   4, 217, 217,   4,  16,
+       58,   4, 217,   5,  81, 104,   6,  34, 217, 217,
+        5, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217, 217, 217, 217,
+      217, 217, 217, 217, 217, 217, 217
+    };
+  register int hval = len;
+
+  switch (hval)
+    {
+      default:
+        hval += asso_values[(unsigned char)str[14]];
+      /*FALLTHROUGH*/
+      case 14:
+      case 13:
+      case 12:
+      case 11:
+      case 10:
+        hval += asso_values[(unsigned char)str[9]];
+      /*FALLTHROUGH*/
+      case 9:
+      case 8:
+      case 7:
+        hval += asso_values[(unsigned char)str[6]];
+      /*FALLTHROUGH*/
+      case 6:
+      case 5:
+        hval += asso_values[(unsigned char)str[4]];
+      /*FALLTHROUGH*/
+      case 4:
+      case 3:
+      case 2:
+      case 1:
+        hval += asso_values[(unsigned char)str[0]+1];
+        break;
+    }
+  return hval + asso_values[(unsigned char)str[len - 1]];
+}
+
+static const struct proposal_token wordlist[] =
+  {
+    {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
+    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
+    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
+    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
+    {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
+    {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
+    {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
+    {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
+    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
+    {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
+    {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
+    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
+    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
+    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
+    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"prfaesxcbc",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0},
+    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
+    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
+    {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
+    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
+    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
+    {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
+    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0},
+    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
+    {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
+    {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
+    {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
+    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
+    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
+    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
+    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
+    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
+    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
+    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
+    {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
+    {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
+    {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
+    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
+    {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0}
+  };
+
+static const short lookup[] =
+  {
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,   0,  -1,  -1,  -1,  -1,  -1,  -1,   1,
+      2,  -1,  -1,  -1,   3,   4,  -1,   5,  -1,  -1,
+     -1,  -1,   6,   7,   8,   9,  10,  11,  -1,  12,
+     13,  -1,  14,  15,  16,  17,  18,  19,  20,  21,
+     22,  23,  24,  25,  26,  -1,  -1,  -1,  27,  -1,
+     28,  29,  30,  31,  32,  33,  34,  -1,  35,  36,
+     37,  38,  39,  40,  41,  42,  43,  44,  45,  46,
+     47,  48,  49,  50,  51,  52,  53,  54,  55,  56,
+     57,  58,  59,  60,  61,  62,  63,  64,  65,  66,
+     67,  68,  69,  70,  71,  72,  73,  74,  75,  76,
+     77,  78,  79,  80,  81,  82,  83,  84,  85,  86,
+     87,  88,  89,  90,  91,  92,  93,  -1,  94,  95,
+     96,  -1,  97,  98,  99,  -1, 100, 101, 102, 103,
+    104,  -1,  -1,  -1,  -1, 105, 106, 107,  -1, 108,
+    109, 110,  -1, 111, 112,  -1, 113, 114,  -1, 115,
+     -1, 116, 117,  -1,  -1, 118, 119,  -1, 120,  -1,
+     -1,  -1, 121, 122,  -1, 123, 124,  -1,  -1,  -1,
+     -1,  -1, 125,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1, 126,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 127,  -1,  -1,  -1,  -1,
+     -1, 128,  -1,  -1,  -1,  -1, 129
+  };
+
+#ifdef __GNUC__
+__inline
+#ifdef __GNUC_STDC_INLINE__
+__attribute__ ((__gnu_inline__))
+#endif
+#endif
+const struct proposal_token *
+proposal_get_token_static (str, len)
+     register const char *str;
+     register unsigned int len;
+{
+  if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
+    {
+      register int key = hash (str, len);
+
+      if (key <= MAX_HASH_VALUE && key >= 0)
+        {
+          register int index = lookup[key];
+
+          if (index >= 0)
+            {
+              register const char *s = wordlist[index].name;
+
+              if (*str == *s && !strncmp (str + 1, s + 1, len - 1) && s[len] == '\0')
+                return &wordlist[index];
+            }
+        }
+    }
+  return 0;
+}
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.h b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
new file mode 100644
index 000000000..bc421dcc5
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PROPOSAL_KEYWORDS_STATIC_H_
+#define PROPOSAL_KEYWORDS_STATIC_H_
+
+#include "proposal_keywords.h"
+
+const proposal_token_t* proposal_get_token_static(register const char *str,
+												  register unsigned int len);
+
+#endif /* PROPOSAL_KEYWORDS_STATIC_H_ */
+
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
new file mode 100644
index 000000000..445438f03
--- /dev/null
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -0,0 +1,161 @@
+%{
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include <crypto/transform.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/diffie_hellman.h>
+
+%}
+struct proposal_token {
+	char             *name;
+	transform_type_t  type;
+	u_int16_t         algorithm;
+	u_int16_t         keysize;
+};
+%%
+null,             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0
+des,              ENCRYPTION_ALGORITHM, ENCR_DES,                  0
+3des,             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0
+aes,              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128
+aes128,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128
+aes192,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192
+aes256,           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256
+aes128ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128
+aes192ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192
+aes256ctr,        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256
+aes128ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128
+aes128ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128
+aes128ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128
+aes128ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128
+aes128ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128
+aes128ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128
+aes192ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192
+aes192ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192
+aes192ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192
+aes192ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192
+aes192ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192
+aes192ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192
+aes256ccm8,       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256
+aes256ccm64,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256
+aes256ccm12,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256
+aes256ccm96,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256
+aes256ccm16,      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256
+aes256ccm128,     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256
+aes128gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128
+aes128gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128
+aes128gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128
+aes128gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128
+aes128gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128
+aes128gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128
+aes192gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192
+aes192gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192
+aes192gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192
+aes192gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192
+aes192gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192
+aes192gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192
+aes256gcm8,       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256
+aes256gcm64,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256
+aes256gcm12,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256
+aes256gcm96,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256
+aes256gcm16,      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
+aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256
+aes128gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
+aes192gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
+aes256gmac,       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
+blowfish,         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
+blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128
+blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192
+blowfish256,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256
+camellia,         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
+camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
+camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192
+camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256
+camellia128ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128
+camellia192ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192
+camellia256ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256
+camellia128ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
+camellia128ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
+camellia128ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
+camellia128ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
+camellia128ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
+camellia128ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
+camellia192ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
+camellia192ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
+camellia192ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
+camellia192ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
+camellia192ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
+camellia192ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
+camellia256ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
+camellia256ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
+camellia256ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
+camellia256ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
+camellia256ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
+camellia256ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
+cast128,          ENCRYPTION_ALGORITHM, ENCR_CAST,               128
+serpent,          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
+serpent128,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
+serpent192,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192
+serpent256,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256
+twofish,          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128
+twofish128,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128
+twofish192,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192
+twofish256,       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256
+sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0
+sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0
+sha1_160,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0
+sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0
+sha2_256,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0
+sha256_96,        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0
+sha2_256_96,      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0
+sha384,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0
+sha2_384,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0
+sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
+sha2_512,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
+md5,              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0
+md5_128,          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0
+aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0
+camelliaxcbc,     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0
+aescmac,          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0
+prfsha1,          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0
+prfsha256,        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0
+prfsha384,        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0
+prfsha512,        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0
+prfmd5,           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0
+prfaesxcbc,       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0
+prfcamelliaxcbc,  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0
+prfaescmac,       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0
+modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0
+modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0
+modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0
+modp1536,         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0
+modp2048,         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0
+modp3072,         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0
+modp4096,         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0
+modp6144,         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0
+modp8192,         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0
+ecp192,           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0
+ecp224,           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0
+ecp256,           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0
+ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0
+ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0
+modp1024s160,     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0
+modp2048s224,     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0
+modp2048s256,     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0
+noesn,            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0
+esn,              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0
diff --git a/src/libstrongswan/crypto/rngs/rng.c b/src/libstrongswan/crypto/rngs/rng.c
index 67fd76910..f8fd50d3f 100644
--- a/src/libstrongswan/crypto/rngs/rng.c
+++ b/src/libstrongswan/crypto/rngs/rng.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -20,3 +21,43 @@ ENUM(rng_quality_names, RNG_WEAK, RNG_TRUE,
 	"RNG_STRONG",
 	"RNG_TRUE",
 );
+
+/*
+ * Described in header.
+ */
+bool rng_get_bytes_not_zero(rng_t *rng, size_t len, u_int8_t *buffer, bool all)
+{
+	u_int8_t *pos = buffer, *check = buffer + (all ? len : min(1, len));
+
+	if (!rng->get_bytes(rng, len, pos))
+	{
+		return FALSE;
+	}
+
+	for (; pos < check; pos++)
+	{
+		while (*pos == 0)
+		{
+			if (!rng->get_bytes(rng, 1, pos))
+			{
+				return FALSE;
+			}
+		}
+	}
+	return TRUE;
+}
+
+/*
+ * Described in header.
+ */
+bool rng_allocate_bytes_not_zero(rng_t *rng, size_t len, chunk_t *chunk,
+								 bool all)
+{
+	*chunk = chunk_alloc(len);
+	if (!rng_get_bytes_not_zero(rng, len, chunk->ptr, all))
+	{
+		chunk_clear(chunk);
+		return FALSE;
+	}
+	return TRUE;
+}
diff --git a/src/libstrongswan/crypto/rngs/rng.h b/src/libstrongswan/crypto/rngs/rng.h
index 36ef52bb4..aee829d71 100644
--- a/src/libstrongswan/crypto/rngs/rng.h
+++ b/src/libstrongswan/crypto/rngs/rng.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -53,21 +54,53 @@ struct rng_t {
 	 *
 	 * @param len		number of bytes to get
 	 * @param buffer	pointer where the generated bytes will be written
+	 * @return			TRUE if bytes successfully written
 	 */
-	void (*get_bytes) (rng_t *this, size_t len, u_int8_t *buffer);
+	bool (*get_bytes)(rng_t *this, size_t len,
+					  u_int8_t *buffer) __attribute__((warn_unused_result));
 
 	/**
 	 * Generates random bytes and allocate space for them.
 	 *
 	 * @param len		number of bytes to get
 	 * @param chunk		chunk which will hold generated bytes
+	 * @return			TRUE if allocation succeeded
 	 */
-	void (*allocate_bytes) (rng_t *this, size_t len, chunk_t *chunk);
+	bool (*allocate_bytes)(rng_t *this, size_t len,
+						   chunk_t *chunk) __attribute__((warn_unused_result));
 
 	/**
 	 * Destroys a rng object.
 	 */
-	void (*destroy) (rng_t *this);
+	void (*destroy)(rng_t *this);
 };
 
+/**
+ * Wrapper around rng_t.get_bytes() ensuring that either all bytes or at least
+ * the first byte is not zero.
+ *
+ * @param rng			rng_t object
+ * @param len			number of bytes to get
+ * @param buffer		pointer where the generated bytes will be written
+ * @param all			TRUE if all bytes have to be non-zero, FALSE for first
+ * @return				TRUE if bytes successfully written
+ */
+bool rng_get_bytes_not_zero(rng_t *rng, size_t len, u_int8_t *buffer,
+							bool all) __attribute__((warn_unused_result));
+
+/**
+ * Wrapper around rng_t.allocate_bytes() ensuring that either all bytes or at
+ * least the first byte is not zero.
+ *
+ * @param rng			rng_t object
+ * @param len			number of bytes to get
+ * @param chunk			chunk that stores the generated bytes (allocated)
+ * @param all			TRUE if all bytes have to be non-zero, FALSE for first
+ * @return				TRUE if bytes successfully written
+ */
+bool rng_allocate_bytes_not_zero(rng_t *rng, size_t len, chunk_t *chunk,
+								 bool all) __attribute__((warn_unused_result));
+
+
+
 #endif /** RNG_H_ @}*/
diff --git a/src/libstrongswan/crypto/signers/mac_signer.c b/src/libstrongswan/crypto/signers/mac_signer.c
new file mode 100644
index 000000000..7c52aa305
--- /dev/null
+++ b/src/libstrongswan/crypto/signers/mac_signer.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mac_signer.h"
+
+typedef struct private_signer_t private_signer_t;
+
+/**
+ * Private data of a mac_signer_t object.
+ */
+struct private_signer_t {
+
+	/**
+	 * Public interface
+	 */
+	signer_t public;
+
+	/**
+	 * MAC to use
+	 */
+	mac_t *mac;
+
+	/**
+	 * Truncation of MAC output
+	 */
+	size_t truncation;
+};
+
+METHOD(signer_t, get_signature, bool,
+	private_signer_t *this, chunk_t data, u_int8_t *buffer)
+{
+	if (buffer)
+	{
+		u_int8_t mac[this->mac->get_mac_size(this->mac)];
+
+		if (!this->mac->get_mac(this->mac, data, mac))
+		{
+			return FALSE;
+		}
+		memcpy(buffer, mac, this->truncation);
+		return TRUE;
+	}
+	return this->mac->get_mac(this->mac, data, NULL);
+}
+
+METHOD(signer_t, allocate_signature, bool,
+	private_signer_t *this, chunk_t data, chunk_t *chunk)
+{
+	if (chunk)
+	{
+		u_int8_t mac[this->mac->get_mac_size(this->mac)];
+
+		if (!this->mac->get_mac(this->mac, data, mac))
+		{
+			return FALSE;
+		}
+		*chunk = chunk_alloc(this->truncation);
+		memcpy(chunk->ptr, mac, this->truncation);
+		return TRUE;
+	}
+	return this->mac->get_mac(this->mac, data, NULL);
+}
+
+METHOD(signer_t, verify_signature, bool,
+	private_signer_t *this, chunk_t data, chunk_t signature)
+{
+	u_int8_t mac[this->mac->get_mac_size(this->mac)];
+
+	if (signature.len != this->truncation)
+	{
+		return FALSE;
+	}
+	return this->mac->get_mac(this->mac, data, mac) &&
+		   memeq(signature.ptr, mac, this->truncation);
+}
+
+METHOD(signer_t, get_key_size, size_t,
+	private_signer_t *this)
+{
+	return this->mac->get_mac_size(this->mac);
+}
+
+METHOD(signer_t, get_block_size, size_t,
+	private_signer_t *this)
+{
+	return this->truncation;
+}
+
+METHOD(signer_t, set_key, bool,
+	private_signer_t *this, chunk_t key)
+{
+	return this->mac->set_key(this->mac, key);
+}
+
+METHOD(signer_t, destroy, void,
+	private_signer_t *this)
+{
+	this->mac->destroy(this->mac);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+signer_t *mac_signer_create(mac_t *mac, size_t len)
+{
+	private_signer_t *this;
+
+	INIT(this,
+		.public = {
+			.get_signature = _get_signature,
+			.allocate_signature = _allocate_signature,
+			.verify_signature = _verify_signature,
+			.get_block_size = _get_block_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.truncation = min(len, mac->get_mac_size(mac)),
+		.mac = mac,
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/crypto/signers/mac_signer.h b/src/libstrongswan/crypto/signers/mac_signer.h
new file mode 100644
index 000000000..a50c8cadf
--- /dev/null
+++ b/src/libstrongswan/crypto/signers/mac_signer.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mac_signer mac_signer
+ * @{ @ingroup crypto
+ */
+
+#ifndef MAC_SIGNER_H_
+#define MAC_SIGNER_H_
+
+typedef struct mac_signer_t mac_signer_t;
+
+#include <crypto/mac.h>
+#include <crypto/signers/signer.h>
+
+/**
+ * Creates an implementation of the signer_t interface using the provided mac_t
+ * implementation and truncation length.
+ *
+ * @note len will be set to mac_t.get_mac_size() if it is greater than that.
+ *
+ * @param mac		mac_t implementation
+ * @param len		length of resulting signature
+ * @return			mac_signer_t
+ */
+signer_t *mac_signer_create(mac_t *mac, size_t len);
+
+#endif /** MAC_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c
index d8659170b..522b4e29d 100644
--- a/src/libstrongswan/crypto/signers/signer.c
+++ b/src/libstrongswan/crypto/signers/signer.c
@@ -22,6 +22,7 @@ ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_CAMELLIA_XCBC_96,
 	"HMAC_SHA2_256_96",
 	"HMAC_SHA2_256_256",
 	"HMAC_SHA2_384_384",
+	"HMAC_SHA2_512_512",
 	"CAMELLIA_XCBC_96");
 ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_CAMELLIA_XCBC_96,
 	"HMAC_MD5_96",
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index c6870e475..e0cf7eb5a 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -70,8 +70,10 @@ enum integrity_algorithm_t {
 	AUTH_HMAC_SHA2_256_256 = 1027,
 	/** SHA384 full length truncation variant, as used in TLS */
 	AUTH_HMAC_SHA2_384_384 = 1028,
+	/** SHA512 full length truncation variant */
+	AUTH_HMAC_SHA2_512_512 = 1029,
 	/** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */
-	AUTH_CAMELLIA_XCBC_96 = 1029,
+	AUTH_CAMELLIA_XCBC_96 = 1030,
 };
 
 /**
@@ -91,8 +93,10 @@ struct signer_t {
 	 *
 	 * @param data		a chunk containing the data to sign
 	 * @param buffer	pointer where the signature will be written
+	 * @return			TRUE if signature created successfully
 	 */
-	void (*get_signature) (signer_t *this, chunk_t data, u_int8_t *buffer);
+	bool (*get_signature)(signer_t *this, chunk_t data,
+						  u_int8_t *buffer) __attribute__((warn_unused_result));
 
 	/**
 	 * Generate a signature and allocate space for it.
@@ -102,8 +106,10 @@ struct signer_t {
 	 *
 	 * @param data		a chunk containing the data to sign
 	 * @param chunk		chunk which will hold the allocated signature
+	 * @return			TRUE if signature allocated successfully
 	 */
-	void (*allocate_signature) (signer_t *this, chunk_t data, chunk_t *chunk);
+	bool (*allocate_signature)(signer_t *this, chunk_t data,
+						  chunk_t *chunk) __attribute__((warn_unused_result));
 
 	/**
 	 * Verify a signature.
@@ -116,33 +122,35 @@ struct signer_t {
 	 * @param signature	a chunk containing the signature
 	 * @return			TRUE, if signature is valid, FALSE otherwise
 	 */
-	bool (*verify_signature) (signer_t *this, chunk_t data, chunk_t signature);
+	bool (*verify_signature)(signer_t *this, chunk_t data, chunk_t signature);
 
 	/**
 	 * Get the block size of this signature algorithm.
 	 *
 	 * @return			block size in bytes
 	 */
-	size_t (*get_block_size) (signer_t *this);
+	size_t (*get_block_size)(signer_t *this);
 
 	/**
 	 * Get the key size of the signature algorithm.
 	 *
 	 * @return			key size in bytes
 	 */
-	size_t (*get_key_size) (signer_t *this);
+	size_t (*get_key_size)(signer_t *this);
 
 	/**
 	 * Set the key for this object.
 	 *
 	 * @param key		key to set
+	 * @return			TRUE if key set
 	 */
-	void (*set_key) (signer_t *this, chunk_t key);
+	bool (*set_key)(signer_t *this,
+					chunk_t key) __attribute__((warn_unused_result));
 
 	/**
 	 * Destroys a signer_t object.
 	 */
-	void (*destroy) (signer_t *this);
+	void (*destroy)(signer_t *this);
 };
 
 #endif /** SIGNER_H_ @}*/
diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c
index 1e108f1de..56252971a 100644
--- a/src/libstrongswan/crypto/transform.c
+++ b/src/libstrongswan/crypto/transform.c
@@ -15,12 +15,13 @@
 
 #include <crypto/transform.h>
 
-ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, AEAD_ALGORITHM,
+ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, COMPRESSION_ALGORITHM,
 	"UNDEFINED_TRANSFORM_TYPE",
 	"HASH_ALGORITHM",
 	"RANDOM_NUMBER_GENERATOR",
-	"AEAD_ALGORITHM");
-ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, AEAD_ALGORITHM,
+	"AEAD_ALGORITHM",
+	"COMPRESSION_ALGORITHM");
+ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, COMPRESSION_ALGORITHM,
 	"ENCRYPTION_ALGORITHM",
 	"PSEUDO_RANDOM_FUNCTION",
 	"INTEGRITY_ALGORITHM",
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index 1393c674c..4a98f81e9 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -23,7 +23,7 @@
 
 typedef enum transform_type_t transform_type_t;
 
-#include <library.h>
+#include <utils/enum.h>
 
 /**
  * Type of a transform, as in IKEv2 RFC 3.3.2.
@@ -33,6 +33,7 @@ enum transform_type_t {
 	HASH_ALGORITHM = 242,
 	RANDOM_NUMBER_GENERATOR = 243,
 	AEAD_ALGORITHM = 244,
+	COMPRESSION_ALGORITHM = 245,
 	ENCRYPTION_ALGORITHM = 1,
 	PSEUDO_RANDOM_FUNCTION = 2,
 	INTEGRITY_ALGORITHM = 3,
diff --git a/src/libstrongswan/database/database.h b/src/libstrongswan/database/database.h
index dda29b5fb..d46fc3d34 100644
--- a/src/libstrongswan/database/database.h
+++ b/src/libstrongswan/database/database.h
@@ -25,7 +25,7 @@ typedef enum db_type_t db_type_t;
 typedef enum db_driver_t db_driver_t;
 typedef struct database_t database_t;
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 /**
  * Database column types
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index 909522d64..6c714ba51 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -15,7 +15,7 @@
 
 #include "database_factory.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 
 typedef struct private_database_factory_t private_database_factory_t;
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
index efd3ee981..c181c5de7 100644
--- a/src/libstrongswan/eap/eap.c
+++ b/src/libstrongswan/eap/eap.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,8 +14,13 @@
  * for more details.
  */
 
+#include <stdlib.h>
+#include <errno.h>
+
 #include "eap.h"
 
+#include <utils/debug.h>
+
 ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
 	"EAP_REQUEST",
 	"EAP_RESPONSE",
@@ -51,12 +57,12 @@ ENUM_NEXT(eap_type_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
 	"EAP_MSTLV");
 ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
 	"EAP_TNC");
-ENUM_NEXT(eap_type_names, EAP_DYNAMIC, EAP_EXPERIMENTAL, EAP_TNC,
-	"EAP_DYNAMIC",
-	"EAP_RADIUS",
+ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC,
 	"EAP_EXPANDED",
-	"EAP_EXPERIMENTAL");
-ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
+	"EAP_EXPERIMENTAL",
+	"EAP_RADIUS",
+	"EAP_DYNAMIC");
+ENUM_END(eap_type_names, EAP_DYNAMIC);
 
 ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
 	"ID",
@@ -80,12 +86,12 @@ ENUM_NEXT(eap_type_short_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
 	"MSTLV");
 ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
 	"TNC");
-ENUM_NEXT(eap_type_short_names, EAP_DYNAMIC, EAP_EXPERIMENTAL, EAP_TNC,
-	"DYN",
-	"RAD",
+ENUM_NEXT(eap_type_short_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC,
 	"EXP",
-	"XP");
-ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
+	"XP",
+	"RAD",
+	"DYN");
+ENUM_END(eap_type_short_names, EAP_DYNAMIC);
 
 /*
  * See header
@@ -108,6 +114,7 @@ eap_type_t eap_type_from_string(char *name)
 		{"peap",		EAP_PEAP},
 		{"mschapv2",	EAP_MSCHAPV2},
 		{"tnc",			EAP_TNC},
+		{"dynamic",		EAP_DYNAMIC},
 		{"radius",		EAP_RADIUS},
 	};
 
@@ -120,3 +127,56 @@ eap_type_t eap_type_from_string(char *name)
 	}
 	return 0;
 }
+
+/*
+ * See header
+ */
+eap_vendor_type_t *eap_vendor_type_from_string(char *str)
+{
+	enumerator_t *enumerator;
+	eap_vendor_type_t *result = NULL;
+	eap_type_t type = 0;
+	u_int32_t vendor = 0;
+	char *part, *end;
+
+	/* parse EAP method string of the form: [eap-]type[-vendor] */
+	enumerator = enumerator_create_token(str, "-", " ");
+	while (enumerator->enumerate(enumerator, &part))
+	{
+		if (!type)
+		{
+			if (streq(part, "eap"))
+			{	/* skip 'eap' at the beginning */
+				continue;
+			}
+			type = eap_type_from_string(part);
+			if (!type)
+			{
+				type = strtoul(part, &end, 0);
+				if (*end != '\0' || errno)
+				{
+					DBG1(DBG_LIB, "unknown or invalid EAP method: %s", part);
+					break;
+				}
+			}
+			continue;
+		}
+		vendor = strtoul(part, &end, 0);
+		if (*end != '\0' || errno)
+		{
+			DBG1(DBG_LIB, "invalid EAP vendor: %s", part);
+			type = 0;
+		}
+		break;
+	}
+	enumerator->destroy(enumerator);
+
+	if (type)
+	{
+		INIT(result,
+			.type = type,
+			.vendor = vendor,
+		);
+	}
+	return result;
+}
diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h
index 945e4bc59..0e144b123 100644
--- a/src/libstrongswan/eap/eap.h
+++ b/src/libstrongswan/eap/eap.h
@@ -1,6 +1,8 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,7 +16,7 @@
  */
 
 /**
- * @defgroup eap eap
+ * @defgroup leap eap
  * @{ @ingroup libstrongswan
  */
 
@@ -23,6 +25,7 @@
 
 typedef enum eap_code_t eap_code_t;
 typedef enum eap_type_t eap_type_t;
+typedef struct eap_vendor_type_t eap_vendor_type_t;
 
 #include <library.h>
 
@@ -62,14 +65,14 @@ enum eap_type_t {
 	EAP_AKA = 23,
 	EAP_PEAP = 25,
 	EAP_MSCHAPV2 = 26,
-	EAP_MSTLV = 33, 
+	EAP_MSTLV = 33,
 	EAP_TNC = 38,
-	/** select EAP method dynamically based on i.e. EAP-Identity */
-	EAP_DYNAMIC = 252,
-	/** not a method, but an implementation providing different methods */
-	EAP_RADIUS = 253,
 	EAP_EXPANDED = 254,
 	EAP_EXPERIMENTAL = 255,
+	/** not a method, but an implementation providing different methods */
+	EAP_RADIUS = 256,
+	/** not a method, select method dynamically based on client selection */
+	EAP_DYNAMIC = 257,
 };
 
 /**
@@ -83,6 +86,22 @@ extern enum_name_t *eap_type_names;
 extern enum_name_t *eap_type_short_names;
 
 /**
+ * Struct that stores EAP type and vendor ID
+ */
+struct eap_vendor_type_t {
+
+	/**
+	 * EAP type
+	 */
+	eap_type_t type;
+
+	/**
+	 * Vendor Id
+	 */
+	u_int32_t vendor;
+};
+
+/**
  * EAP packet format
  */
 typedef struct __attribute__((packed)) {
@@ -101,4 +120,12 @@ typedef struct __attribute__((packed)) {
  */
 eap_type_t eap_type_from_string(char *name);
 
+/**
+ * Parse a string of the form [eap-]type[-vendor].
+ *
+ * @param str		EAP method string
+ * @return			parsed type (gets allocated), NULL if unknown or failed
+ */
+eap_vendor_type_t *eap_vendor_type_from_string(char *str);
+
 #endif /** EAP_H_ @}*/
diff --git a/src/libstrongswan/fetcher/fetcher.h b/src/libstrongswan/fetcher/fetcher.h
index 5b734da3d..890258c3c 100644
--- a/src/libstrongswan/fetcher/fetcher.h
+++ b/src/libstrongswan/fetcher/fetcher.h
@@ -26,7 +26,7 @@ typedef struct fetcher_t fetcher_t;
 typedef enum fetcher_option_t fetcher_option_t;
 
 #include <stdarg.h>
-#include <chunk.h>
+#include <utils/chunk.h>
 
 /**
  * Constructor function which creates fetcher instances.
@@ -90,6 +90,12 @@ enum fetcher_option_t {
 	FETCH_CALLBACK,
 
 	/**
+	 * Source IP address to bind for a fetch.
+	 * Additional argument is a host_t*, which may be NULL.
+	 */
+	FETCH_SOURCEIP,
+
+	/**
 	 * end of fetching options
 	 */
 	FETCH_END,
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index 9b363c7eb..21cd1aff4 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -15,9 +15,9 @@
 
 #include "fetcher_manager.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_fetcher_manager_t private_fetcher_manager_t;
 
@@ -73,6 +73,7 @@ METHOD(fetcher_manager_t, fetch, status_t,
 		fetcher_option_t opt;
 		fetcher_t *fetcher;
 		bool good = TRUE;
+		host_t *host;
 		va_list args;
 
 		/* check URL support of fetcher */
@@ -111,6 +112,14 @@ METHOD(fetcher_manager_t, fetch, status_t,
 				case FETCH_CALLBACK:
 					good = fetcher->set_option(fetcher, opt,
 											va_arg(args, fetcher_callback_t));
+					continue;
+				case FETCH_SOURCEIP:
+					host = va_arg(args, host_t*);
+					if (host && !host->is_anyaddr(host))
+					{
+						good = fetcher->set_option(fetcher, opt, host);
+					}
+					continue;
 				case FETCH_END:
 					break;
 			}
@@ -204,4 +213,3 @@ fetcher_manager_t *fetcher_manager_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
new file mode 100644
index 000000000..e4e927313
--- /dev/null
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_types.h"
+
+ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_DROP,
+	"TRANSPORT",
+	"TUNNEL",
+	"BEET",
+	"PASS",
+	"DROP"
+);
+
+ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
+	"in",
+	"out",
+	"fwd"
+);
+
+ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
+	"IPCOMP_NONE",
+	"IPCOMP_OUI",
+	"IPCOMP_DEFLATE",
+	"IPCOMP_LZS",
+	"IPCOMP_LZJH"
+);
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
new file mode 100644
index 000000000..32e55bc50
--- /dev/null
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_types ipsec_types
+ * @{ @ingroup ipsec
+ */
+
+#ifndef IPSEC_TYPES_H_
+#define IPSEC_TYPES_H_
+
+typedef enum ipsec_mode_t ipsec_mode_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
+typedef enum policy_priority_t policy_priority_t;
+typedef enum ipcomp_transform_t ipcomp_transform_t;
+typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
+typedef struct mark_t mark_t;
+
+#include <library.h>
+
+/**
+ * Mode of an IPsec SA.
+ */
+enum ipsec_mode_t {
+	/** not using any encapsulation */
+	MODE_NONE = 0,
+	/** transport mode, no inner address */
+	MODE_TRANSPORT = 1,
+	/** tunnel mode, inner and outer addresses */
+	MODE_TUNNEL,
+	/** BEET mode, tunnel mode but fixed, bound inner addresses */
+	MODE_BEET,
+	/** passthrough policy for traffic without an IPsec SA */
+	MODE_PASS,
+	/** drop policy discarding traffic */
+	MODE_DROP
+};
+
+/**
+ * enum names for ipsec_mode_t.
+ */
+extern enum_name_t *ipsec_mode_names;
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+	/** Policy for inbound traffic */
+	POLICY_IN = 0,
+	/** Policy for outbound traffic */
+	POLICY_OUT = 1,
+	/** Policy for forwarded traffic */
+	POLICY_FWD = 2,
+};
+
+/**
+ * enum names for policy_dir_t.
+ */
+extern enum_name_t *policy_dir_names;
+
+/**
+ * Type of a policy.
+ */
+enum policy_type_t {
+	/** Normal IPsec policy */
+	POLICY_IPSEC = 1,
+	/** Passthrough policy (traffic is ignored by IPsec) */
+	POLICY_PASS,
+	/** Drop policy (traffic is discarded) */
+	POLICY_DROP,
+};
+
+/**
+ * High-level priority of a policy.
+ */
+enum policy_priority_t {
+	/** Default priority */
+	POLICY_PRIORITY_DEFAULT,
+	/** Priority for trap policies */
+	POLICY_PRIORITY_ROUTED,
+	/** Priority for fallback drop policies */
+	POLICY_PRIORITY_FALLBACK,
+};
+
+/**
+ * IPComp transform IDs, as in RFC 4306
+ */
+enum ipcomp_transform_t {
+	IPCOMP_NONE = 0,
+	IPCOMP_OUI = 1,
+	IPCOMP_DEFLATE = 2,
+	IPCOMP_LZS = 3,
+	IPCOMP_LZJH = 4,
+};
+
+/**
+ * enum strings for ipcomp_transform_t.
+ */
+extern enum_name_t *ipcomp_transform_names;
+
+/**
+ * This struct contains details about IPsec SA(s) tied to a policy.
+ */
+struct ipsec_sa_cfg_t {
+	/** mode of SA (tunnel, transport) */
+	ipsec_mode_t mode;
+	/** unique ID */
+	u_int32_t reqid;
+	/** details about ESP/AH */
+	struct {
+		/** TRUE if this protocol is used */
+		bool use;
+		/** SPI for ESP/AH */
+		u_int32_t spi;
+	} esp, ah;
+	/** details about IPComp */
+	struct {
+		/** the IPComp transform used */
+		u_int16_t transform;
+		/** CPI for IPComp */
+		u_int16_t cpi;
+	} ipcomp;
+};
+
+/**
+ * A lifetime_cfg_t defines the lifetime limits of an SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+	struct {
+		/** Limit before the SA gets invalid. */
+		u_int64_t	life;
+		/** Limit before the SA gets rekeyed. */
+		u_int64_t	rekey;
+		/** The range of a random value subtracted from rekey. */
+		u_int64_t	jitter;
+	} time, bytes, packets;
+};
+
+/**
+ * A mark_t defines an optional mark in an IPsec SA.
+ */
+struct mark_t {
+	/** Mark value */
+	u_int32_t value;
+	/** Mark mask */
+	u_int32_t mask;
+};
+
+/**
+ * Special mark value that uses the reqid of the CHILD_SA as mark
+ */
+#define MARK_REQID (0xFFFFFFFF)
+
+#endif /** IPSEC_TYPES_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index cd6a41f44..f2fa3e0aa 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -18,11 +18,12 @@
 
 #include <stdlib.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <utils/identification.h>
-#include <utils/host.h>
-#include <utils/hashtable.h>
+#include <networking/host.h>
+#include <collections/hashtable.h>
+#include <utils/backtrace.h>
 #include <selectors/traffic_selector.h>
 
 #define CHECKSUM_LIBRARY IPSEC_LIB_DIR"/libchecksum.so"
@@ -43,12 +44,22 @@ struct private_library_t {
 	 * Hashtable with registered objects (name => object)
 	 */
 	hashtable_t *objects;
+
+	/**
+	 * Integrity check failed?
+	 */
+	bool integrity_failed;
+
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
  * library instance
  */
-library_t *lib;
+library_t *lib = NULL;
 
 /**
  * Deinitialize library
@@ -58,21 +69,32 @@ void library_deinit()
 	private_library_t *this = (private_library_t*)lib;
 	bool detailed;
 
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
 	detailed = lib->settings->get_bool(lib->settings,
 								"libstrongswan.leak_detective.detailed", TRUE);
 
 	/* make sure the cache is clear before unloading plugins */
 	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
 
+	this->public.streams->destroy(this->public.streams);
+	this->public.watcher->destroy(this->public.watcher);
 	this->public.scheduler->destroy(this->public.scheduler);
 	this->public.processor->destroy(this->public.processor);
 	this->public.plugins->destroy(this->public.plugins);
+	this->public.hosts->destroy(this->public.hosts);
 	this->public.settings->destroy(this->public.settings);
 	this->public.credmgr->destroy(this->public.credmgr);
 	this->public.creds->destroy(this->public.creds);
 	this->public.encoding->destroy(this->public.encoding);
 	this->public.crypto->destroy(this->public.crypto);
+	this->public.caps->destroy(this->public.caps);
+	this->public.proposal->destroy(this->public.proposal);
 	this->public.fetcher->destroy(this->public.fetcher);
+	this->public.resolver->destroy(this->public.resolver);
 	this->public.db->destroy(this->public.db);
 	this->public.printf_hook->destroy(this->public.printf_hook);
 	this->objects->destroy(this->objects);
@@ -88,6 +110,7 @@ void library_deinit()
 	}
 
 	threads_deinit();
+	backtrace_deinit();
 
 	free(this);
 	lib = NULL;
@@ -130,6 +153,51 @@ static bool equals(char *a, char *b)
 	return streq(a, b);
 }
 
+/**
+ * Number of words we write and memwipe() in memwipe check
+ */
+#define MEMWIPE_WIPE_WORDS 16
+
+/**
+ * Write magic to memory, and try to clear it with memwipe()
+ */
+__attribute__((noinline))
+static void do_magic(int *magic, int **out)
+{
+	int buf[MEMWIPE_WIPE_WORDS], i;
+
+	*out = buf;
+	for (i = 0; i < countof(buf); i++)
+	{
+		buf[i] = *magic;
+	}
+	/* passing buf to dbg should make sure the compiler can't optimize out buf.
+	 * we use directly dbg(3), as DBG3() might be stripped with DEBUG_LEVEL. */
+	dbg(DBG_LIB, 3, "memwipe() pre: %b", buf, sizeof(buf));
+	memwipe(buf, sizeof(buf));
+}
+
+/**
+ * Check if memwipe works as expected
+ */
+static bool check_memwipe()
+{
+	int magic = 0xCAFEBABE, *buf, i;
+
+	do_magic(&magic, &buf);
+
+	for (i = 0; i < MEMWIPE_WIPE_WORDS; i++)
+	{
+		if (buf[i] == magic)
+		{
+			DBG1(DBG_LIB, "memwipe() check failed: stackdir: %b",
+				 buf, MEMWIPE_WIPE_WORDS * sizeof(int));
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
 /*
  * see header file
  */
@@ -138,14 +206,23 @@ bool library_init(char *settings)
 	private_library_t *this;
 	printf_hook_t *pfh;
 
+	if (lib)
+	{	/* already initialized, increase refcount */
+		this = (private_library_t*)lib;
+		ref_get(&this->ref);
+		return !this->integrity_failed;
+	}
+
 	INIT(this,
 		.public = {
 			.get = _get,
 			.set = _set,
 		},
+		.ref = 1,
 	);
 	lib = &this->public;
 
+	backtrace_init();
 	threads_init();
 
 #ifdef LEAK_DETECTIVE
@@ -179,16 +256,27 @@ bool library_init(char *settings)
 	this->objects = hashtable_create((hashtable_hash_t)hash,
 									 (hashtable_equals_t)equals, 4);
 	this->public.settings = settings_create(settings);
+	this->public.hosts = host_resolver_create();
+	this->public.proposal = proposal_keywords_create();
+	this->public.caps = capabilities_create();
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
 	this->public.credmgr = credential_manager_create();
 	this->public.encoding = cred_encoding_create();
 	this->public.fetcher = fetcher_manager_create();
+	this->public.resolver = resolver_manager_create();
 	this->public.db = database_factory_create();
 	this->public.processor = processor_create();
 	this->public.scheduler = scheduler_create();
+	this->public.watcher = watcher_create();
+	this->public.streams = stream_manager_create();
 	this->public.plugins = plugin_loader_create();
 
+	if (!check_memwipe())
+	{
+		return FALSE;
+	}
+
 	if (lib->settings->get_bool(lib->settings,
 								"libstrongswan.integrity_test", FALSE))
 	{
@@ -197,13 +285,13 @@ bool library_init(char *settings)
 		if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init))
 		{
 			DBG1(DBG_LIB, "integrity check of libstrongswan failed");
-			return FALSE;
+			this->integrity_failed = TRUE;
 		}
 #else /* !INTEGRITY_TEST */
 		DBG1(DBG_LIB, "integrity test enabled, but not supported");
-		return FALSE;
+		this->integrity_failed = TRUE;
 #endif /* INTEGRITY_TEST */
 	}
-	return TRUE;
-}
 
+	return !this->integrity_failed;
+}
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 7e76e1927..560da27f9 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -22,6 +22,9 @@
  * @defgroup bio bio
  * @ingroup libstrongswan
  *
+ * @defgroup collections collections
+ * @ingroup libstrongswan
+ *
  * @defgroup credentials credentials
  * @ingroup libstrongswan
  *
@@ -31,6 +34,9 @@
  * @defgroup certificates certificates
  * @ingroup credentials
  *
+ * @defgroup containers containers
+ * @ingroup credentials
+ *
  * @defgroup sets sets
  * @ingroup credentials
  *
@@ -43,6 +49,18 @@
  * @defgroup fetcher fetcher
  * @ingroup libstrongswan
  *
+ * @defgroup resolver resolver
+ * @ingroup libstrongswan
+ *
+ * @defgroup ipsec ipsec
+ * @ingroup libstrongswan
+ *
+ * @defgroup networking networking
+ * @ingroup libstrongswan
+ *
+ * @defgroup streams streams
+ * @ingroup networking
+ *
  * @defgroup plugins plugins
  * @ingroup libstrongswan
  *
@@ -67,20 +85,31 @@
 #ifndef LIBRARY_H_
 #define LIBRARY_H_
 
-#include "printf_hook.h"
-#include "utils.h"
-#include "chunk.h"
-#include "settings.h"
-#include "integrity_checker.h"
+#ifndef CONFIG_H_INCLUDED
+# error config.h not included, pass "-include [...]/config.h" to gcc
+#endif
+
+/* make sure we include printf_hook.h and utils.h first */
+#include "utils/printf_hook.h"
+#include "utils/utils.h"
+#include "networking/host_resolver.h"
+#include "networking/streams/stream_manager.h"
 #include "processing/processor.h"
 #include "processing/scheduler.h"
+#include "processing/watcher.h"
 #include "crypto/crypto_factory.h"
+#include "crypto/proposal/proposal_keywords.h"
 #include "fetcher/fetcher_manager.h"
+#include "resolver/resolver_manager.h"
 #include "database/database_factory.h"
 #include "credentials/credential_factory.h"
 #include "credentials/credential_manager.h"
 #include "credentials/cred_encoding.h"
+#include "utils/chunk.h"
+#include "utils/capabilities.h"
+#include "utils/integrity_checker.h"
 #include "utils/leak_detective.h"
+#include "utils/settings.h"
 #include "plugins/plugin_loader.h"
 
 typedef struct library_t library_t;
@@ -113,6 +142,16 @@ struct library_t {
 	printf_hook_t *printf_hook;
 
 	/**
+	 * Proposal keywords registry
+	 */
+	proposal_keywords_t *proposal;
+
+	/**
+	 * POSIX capability dropping
+	 */
+	capabilities_t *caps;
+
+	/**
 	 * crypto algorithm registry and factory
 	 */
 	crypto_factory_t *crypto;
@@ -138,6 +177,11 @@ struct library_t {
 	fetcher_manager_t *fetcher;
 
 	/**
+	 * Manager for DNS resolvers
+	 */
+	 resolver_manager_t *resolver;
+
+	/**
 	 * database construction factory
 	 */
 	database_factory_t *db;
@@ -158,6 +202,21 @@ struct library_t {
 	scheduler_t *scheduler;
 
 	/**
+	 * File descriptor monitoring
+	 */
+	watcher_t *watcher;
+
+	/**
+	 * Streams and Services
+	 */
+	stream_manager_t *streams;
+
+	/**
+	 * resolve hosts by DNS name
+	 */
+	host_resolver_t *hosts;
+
+	/**
 	 * various settings loaded from settings file
 	 */
 	settings_t *settings;
@@ -176,6 +235,9 @@ struct library_t {
 /**
  * Initialize library, creates "lib" instance.
  *
+ * library_init() may be called multiple times in a single process, but each
+ * caller should call library_deinit() for each call to library_init().
+ *
  * @param settings		file to read settings from, may be NULL for default
  * @return				FALSE if integrity check failed
  */
diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
new file mode 100644
index 000000000..8d04a4ec9
--- /dev/null
+++ b/src/libstrongswan/networking/host.c
@@ -0,0 +1,643 @@
+/*
+ * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "host.h"
+
+#include <utils/debug.h>
+#include <library.h>
+
+#define IPV4_LEN	 4
+#define IPV6_LEN	16
+
+typedef struct private_host_t private_host_t;
+
+/**
+ * Private Data of a host object.
+ */
+struct private_host_t {
+	/**
+	 * Public data
+	 */
+	host_t public;
+
+	/**
+	 * low-lewel structure, which stores the address
+	 */
+	union {
+		/** generic type */
+		struct sockaddr address;
+		/** maximum sockaddr size */
+		struct sockaddr_storage address_max;
+		/** IPv4 address */
+		struct sockaddr_in address4;
+		/** IPv6 address */
+		struct sockaddr_in6 address6;
+	};
+	/**
+	 * length of address structure
+	 */
+	socklen_t socklen;
+};
+
+/**
+ * Update the sockaddr internal sa_len option, if available
+ */
+static inline void update_sa_len(private_host_t *this)
+{
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	this->address.sa_len = this->socklen;
+#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */
+}
+
+METHOD(host_t, get_sockaddr, sockaddr_t*,
+	private_host_t *this)
+{
+	return &(this->address);
+}
+
+METHOD(host_t, get_sockaddr_len, socklen_t*,
+	private_host_t *this)
+{
+	return &(this->socklen);
+}
+
+METHOD(host_t, is_anyaddr, bool,
+	private_host_t *this)
+{
+	static const u_int8_t zeroes[IPV6_LEN];
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return memeq(zeroes, &(this->address4.sin_addr.s_addr), IPV4_LEN);
+		}
+		case AF_INET6:
+		{
+			return memeq(zeroes, &(this->address6.sin6_addr.s6_addr), IPV6_LEN);
+		}
+		default:
+		{
+			return FALSE;
+		}
+	}
+}
+
+/**
+ * Described in header.
+ */
+int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args)
+{
+	private_host_t *this = *((private_host_t**)(args[0]));
+	char buffer[INET6_ADDRSTRLEN + 16];
+
+	if (this == NULL)
+	{
+		snprintf(buffer, sizeof(buffer), "(null)");
+	}
+	else if (is_anyaddr(this) && !spec->plus && !spec->hash)
+	{
+		snprintf(buffer, sizeof(buffer), "%%any%s",
+				 this->address.sa_family == AF_INET6 ? "6" : "");
+	}
+	else
+	{
+		void *address;
+		u_int16_t port;
+		int len;
+
+		address = &this->address6.sin6_addr;
+		port = this->address6.sin6_port;
+
+		switch (this->address.sa_family)
+		{
+			case AF_INET:
+				address = &this->address4.sin_addr;
+				port = this->address4.sin_port;
+				/* fall */
+			case AF_INET6:
+
+				if (inet_ntop(this->address.sa_family, address,
+							  buffer, sizeof(buffer)) == NULL)
+				{
+					snprintf(buffer, sizeof(buffer),
+							 "(address conversion failed)");
+				}
+				else if (spec->hash)
+				{
+					len = strlen(buffer);
+					snprintf(buffer + len, sizeof(buffer) - len,
+							 "[%d]", ntohs(port));
+				}
+				break;
+			default:
+				snprintf(buffer, sizeof(buffer), "(family not supported)");
+				break;
+		}
+	}
+	if (spec->minus)
+	{
+		return print_in_hook(data, "%-*s", spec->width, buffer);
+	}
+	return print_in_hook(data, "%*s", spec->width, buffer);
+}
+
+METHOD(host_t, get_address, chunk_t,
+	private_host_t *this)
+{
+	chunk_t address = chunk_empty;
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			address.ptr = (char*)&(this->address4.sin_addr.s_addr);
+			address.len = IPV4_LEN;
+			return address;
+		}
+		case AF_INET6:
+		{
+			address.ptr = (char*)&(this->address6.sin6_addr.s6_addr);
+			address.len = IPV6_LEN;
+			return address;
+		}
+		default:
+		{
+			/* return empty chunk */
+			return address;
+		}
+	}
+}
+
+METHOD(host_t, get_family, int,
+	private_host_t *this)
+{
+	return this->address.sa_family;
+}
+
+METHOD(host_t, get_port, u_int16_t,
+	private_host_t *this)
+{
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return ntohs(this->address4.sin_port);
+		}
+		case AF_INET6:
+		{
+			return ntohs(this->address6.sin6_port);
+		}
+		default:
+		{
+			return 0;
+		}
+	}
+}
+
+METHOD(host_t, set_port, void,
+	private_host_t *this, u_int16_t port)
+{
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			this->address4.sin_port = htons(port);
+			break;
+		}
+		case AF_INET6:
+		{
+			this->address6.sin6_port = htons(port);
+			break;
+		}
+		default:
+		{
+			break;
+		}
+	}
+}
+
+METHOD(host_t, clone_, host_t*,
+	private_host_t *this)
+{
+	private_host_t *new;
+
+	new = malloc_thing(private_host_t);
+	memcpy(new, this, sizeof(private_host_t));
+
+	return &new->public;
+}
+
+/**
+ * Implements host_t.ip_equals
+ */
+static bool ip_equals(private_host_t *this, private_host_t *other)
+{
+	if (this->address.sa_family != other->address.sa_family)
+	{
+		/* 0.0.0.0 and 0::0 are equal */
+		return (is_anyaddr(this) && is_anyaddr(other));
+	}
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return memeq(&this->address4.sin_addr, &other->address4.sin_addr,
+						 sizeof(this->address4.sin_addr));
+		}
+		case AF_INET6:
+		{
+			return memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
+						 sizeof(this->address6.sin6_addr));
+		}
+		default:
+			break;
+	}
+	return FALSE;
+}
+
+/**
+ * Implements host_t.equals
+ */
+static bool equals(private_host_t *this, private_host_t *other)
+{
+	if (!ip_equals(this, other))
+	{
+		return FALSE;
+	}
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			return (this->address4.sin_port == other->address4.sin_port);
+		}
+		case AF_INET6:
+		{
+			return (this->address6.sin6_port == other->address6.sin6_port);
+		}
+		default:
+			break;
+	}
+	return FALSE;
+}
+
+METHOD(host_t, destroy, void,
+	private_host_t *this)
+{
+	free(this);
+}
+
+/**
+ * Creates an empty host_t object
+ */
+static private_host_t *host_create_empty(void)
+{
+	private_host_t *this;
+
+	INIT(this,
+		.public = {
+			.get_sockaddr = _get_sockaddr,
+			.get_sockaddr_len = _get_sockaddr_len,
+			.clone = _clone_,
+			.get_family = _get_family,
+			.get_address = _get_address,
+			.get_port = _get_port,
+			.set_port = _set_port,
+			.ip_equals = (bool (*)(host_t *,host_t *))ip_equals,
+			.equals = (bool (*)(host_t *,host_t *)) equals,
+			.is_anyaddr = _is_anyaddr,
+			.destroy = _destroy,
+		},
+	);
+
+	return this;
+}
+
+/*
+ * Create a %any host with port
+ */
+static host_t *host_create_any_port(int family, u_int16_t port)
+{
+	host_t *this;
+
+	this = host_create_any(family);
+	this->set_port(this, port);
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_string_and_family(char *string, int family,
+										   u_int16_t port)
+{
+	union {
+		struct sockaddr_in v4;
+		struct sockaddr_in6 v6;
+	} addr;
+
+	if (streq(string, "%any"))
+	{
+		return host_create_any_port(family ? family : AF_INET, port);
+	}
+	if (family == AF_UNSPEC || family == AF_INET)
+	{
+		if (streq(string, "%any4") || streq(string, "0.0.0.0"))
+		{
+			return host_create_any_port(AF_INET, port);
+		}
+	}
+	if (family == AF_UNSPEC || family == AF_INET6)
+	{
+		if (streq(string, "%any6") || streq(string, "::"))
+		{
+			return host_create_any_port(AF_INET6, port);
+		}
+	}
+	switch (family)
+	{
+		case AF_UNSPEC:
+			if (strchr(string, '.'))
+			{
+				goto af_inet;
+			}
+			/* FALL */
+		case AF_INET6:
+			memset(&addr.v6, 0, sizeof(addr.v6));
+			if (inet_pton(AF_INET6, string, &addr.v6.sin6_addr) != 1)
+			{
+				return NULL;
+			}
+			addr.v6.sin6_port = htons(port);
+			addr.v6.sin6_family = AF_INET6;
+			return host_create_from_sockaddr((sockaddr_t*)&addr);
+		case AF_INET:
+			if (strchr(string, ':'))
+			{	/* do not try to convert v6 addresses for v4 family */
+				return NULL;
+			}
+		af_inet:
+			memset(&addr.v4, 0, sizeof(addr.v4));
+			if (inet_pton(AF_INET, string, &addr.v4.sin_addr) != 1)
+			{
+				return NULL;
+			}
+			addr.v4.sin_port = htons(port);
+			addr.v4.sin_family = AF_INET;
+			return host_create_from_sockaddr((sockaddr_t*)&addr);
+		default:
+			return NULL;
+	}
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_string(char *string, u_int16_t port)
+{
+	return host_create_from_string_and_family(string, AF_UNSPEC, port);
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+	private_host_t *this = host_create_empty();
+
+	switch (sockaddr->sa_family)
+	{
+		case AF_INET:
+		{
+			memcpy(&this->address4, (struct sockaddr_in*)sockaddr,
+				   sizeof(struct sockaddr_in));
+			this->socklen = sizeof(struct sockaddr_in);
+			update_sa_len(this);
+			return &this->public;
+		}
+		case AF_INET6:
+		{
+			memcpy(&this->address6, (struct sockaddr_in6*)sockaddr,
+				   sizeof(struct sockaddr_in6));
+			this->socklen = sizeof(struct sockaddr_in6);
+			update_sa_len(this);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	free(this);
+	return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_dns(char *string, int af, u_int16_t port)
+{
+	host_t *this;
+
+	this = host_create_from_string_and_family(string, af, port);
+	if (!this)
+	{
+		this = lib->hosts->resolve(lib->hosts, string, af);
+	}
+	if (this)
+	{
+		this->set_port(this, port);
+	}
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
+{
+	private_host_t *this;
+
+	switch (family)
+	{
+		case AF_INET:
+			if (address.len < IPV4_LEN)
+			{
+				return NULL;
+			}
+			address.len = IPV4_LEN;
+			break;
+		case AF_INET6:
+			if (address.len < IPV6_LEN)
+			{
+				return NULL;
+			}
+			address.len = IPV6_LEN;
+			break;
+		case AF_UNSPEC:
+			switch (address.len)
+			{
+				case IPV4_LEN:
+					family = AF_INET;
+					break;
+				case IPV6_LEN:
+					family = AF_INET6;
+					break;
+				default:
+					return NULL;
+			}
+			break;
+		default:
+			return NULL;
+	}
+	this = host_create_empty();
+	this->address.sa_family = family;
+	switch (family)
+	{
+		case AF_INET:
+			memcpy(&this->address4.sin_addr.s_addr, address.ptr, address.len);
+			this->address4.sin_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in);
+			break;
+		case AF_INET6:
+			memcpy(&this->address6.sin6_addr.s6_addr, address.ptr, address.len);
+			this->address6.sin6_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in6);
+			break;
+	}
+	update_sa_len(this);
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_subnet(char *string, int *bits)
+{
+	char *pos, buf[64];
+	host_t *net;
+
+	pos = strchr(string, '/');
+	if (pos)
+	{
+		if (pos - string >= sizeof(buf))
+		{
+			return NULL;
+		}
+		strncpy(buf, string, pos - string);
+		buf[pos - string] = '\0';
+		*bits = atoi(pos + 1);
+		return host_create_from_string(buf, 0);
+	}
+	net = host_create_from_string(string, 0);
+	if (net)
+	{
+		if (net->get_family(net) == AF_INET)
+		{
+			*bits = 32;
+		}
+		else
+		{
+			*bits = 128;
+		}
+	}
+	return net;
+}
+
+/*
+ * See header.
+ */
+host_t *host_create_netmask(int family, int netbits)
+{
+	private_host_t *this;
+	int bits, bytes, len = 0;
+	char *target;
+
+	switch (family)
+	{
+		case AF_INET:
+			if (netbits < 0 || netbits > 32)
+			{
+				return NULL;
+			}
+			this = host_create_empty();
+			this->socklen = sizeof(struct sockaddr_in);
+			target = (char*)&this->address4.sin_addr;
+			len = 4;
+			break;
+		case AF_INET6:
+			if (netbits < 0 || netbits > 128)
+			{
+				return NULL;
+			}
+			this = host_create_empty();
+			this->socklen = sizeof(struct sockaddr_in6);
+			target = (char*)&this->address6.sin6_addr;
+			len = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
+	this->address.sa_family = family;
+	update_sa_len(this);
+
+	bytes = netbits / 8;
+	bits = 8 - (netbits & 0x07);
+
+	memset(target, 0xff, bytes);
+	if (bytes < len)
+	{
+		memset(target + bytes, 0x00, len - bytes);
+		target[bytes] = (u_int8_t)(0xff << bits);
+	}
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_any(int family)
+{
+	private_host_t *this = host_create_empty();
+
+	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
+	this->address.sa_family = family;
+
+	switch (family)
+	{
+		case AF_INET:
+		{
+			this->socklen = sizeof(struct sockaddr_in);
+			update_sa_len(this);
+			return &(this->public);
+		}
+		case AF_INET6:
+		{
+			this->socklen = sizeof(struct sockaddr_in6);
+			update_sa_len(this);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	free(this);
+	return NULL;
+}
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/networking/host.h
index 0a1be6e47..4fc6cf35c 100644
--- a/src/libstrongswan/utils/host.h
+++ b/src/libstrongswan/networking/host.h
@@ -18,7 +18,7 @@
 
 /**
  * @defgroup host host
- * @{ @ingroup utils
+ * @{ @ingroup networking
  */
 
 #ifndef HOST_H_
@@ -34,17 +34,7 @@ typedef struct host_t host_t;
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
-#include <chunk.h>
-
-/**
- * Differences between two hosts. They differ in
- * address, port, or both.
- */
-enum host_diff_t {
-	HOST_DIFF_NONE = 0,
-	HOST_DIFF_ADDR = 1,
-	HOST_DIFF_PORT = 2,
-};
+#include <utils/chunk.h>
 
 /**
  * Representates a Host
@@ -102,7 +92,7 @@ struct host_t {
 	 *
 	 * Returned chunk points to internal data.
 	 *
-	 * @return		address string,
+	 * @return		address blob
 	 */
 	chunk_t (*get_address) (host_t *this);
 
@@ -116,7 +106,7 @@ struct host_t {
 	/**
 	 * Set the port of this host
 	 *
-	 * @param port	port numer
+	 * @param port	port number
 	 */
 	void (*set_port) (host_t *this, u_int16_t port);
 
@@ -137,14 +127,6 @@ struct host_t {
 	bool (*equals) (host_t *this, host_t *other);
 
 	/**
-	 * Compare two hosts and return the differences.
-	 *
-	 * @param other	the other to compare
-	 * @return		differences in a combination of host_diff_t's
-	 */
-	host_diff_t (*get_differences) (host_t *this, host_t *other);
-
-	/**
 	 * Destroy this host object.
 	 */
 	void (*destroy) (host_t *this);
@@ -155,17 +137,28 @@ struct host_t {
  *
  * @param string		string of an address, such as "152.96.193.130"
  * @param port			port number
- * @return 				host_t, NULL if string not an address.
+ * @return				host_t, NULL if string not an address.
  */
 host_t *host_create_from_string(char *string, u_int16_t port);
 
 /**
+ * Same as host_create_from_string(), but with the option to enforce a family.
+ *
+ * @param string		string of an address
+ * @param family		address family, or AF_UNSPEC
+ * @param port			port number
+ * @return				host_t, NULL if string not an address.
+ */
+host_t *host_create_from_string_and_family(char *string, int family,
+										   u_int16_t port);
+
+/**
  * Constructor to create a host_t from a DNS name.
  *
  * @param string		hostname to resolve
  * @param family		family to prefer, 0 for first match
  * @param port			port number
- * @return 				host_t, NULL lookup failed
+ * @return				host_t, NULL lookup failed
  */
 host_t *host_create_from_dns(char *string, int family, u_int16_t port);
 
@@ -174,10 +167,10 @@ host_t *host_create_from_dns(char *string, int family, u_int16_t port);
  *
  * If family is AF_UNSPEC, it is guessed using address.len.
  *
- * @param family 		Address family, such as AF_INET or AF_INET6
+ * @param family		Address family, such as AF_INET or AF_INET6
  * @param address		address as chunk_t in network order
  * @param port			port number
- * @return 				host_t, NULL if family not supported/chunk invalid
+ * @return				host_t, NULL if family not supported/chunk invalid
  */
 host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
 
@@ -185,7 +178,7 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
  * Constructor to create a host_t object from a sockaddr struct
  *
  * @param sockaddr		sockaddr struct which contains family, address and port
- * @return 				host_t, NULL if family not supported
+ * @return				host_t, NULL if family not supported
  */
 host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
 
@@ -199,10 +192,19 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
 host_t *host_create_from_subnet(char *string, int *bits);
 
 /**
+ * Create a netmask host having the first netbits bits set.
+ *
+ * @param family		family of the netmask host
+ * @param netbits		number of leading bits set in the host
+ * @return				netmask host
+ */
+host_t *host_create_netmask(int family, int netbits);
+
+/**
  * Create a host without an address, a "any" host.
  *
  * @param family		family of the any host
- * @return 				host_t, NULL if family not supported
+ * @return				host_t, NULL if family not supported
  */
 host_t *host_create_any(int family);
 
@@ -212,8 +214,9 @@ host_t *host_create_any(int family);
  * Arguments are:
  *	host_t *host
  * Use #-modifier to include port number
+ * Use +-modifier to force numeric representation (instead of e.g. %any)
  */
-int host_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					 const void *const *args);
 
 #endif /** HOST_H_ @}*/
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
new file mode 100644
index 000000000..99a17d17c
--- /dev/null
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#include "host_resolver.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+#include <threading/thread.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+
+/**
+ * Default minimum and maximum number of threads
+ */
+#define MIN_THREADS_DEFAULT 0
+#define MAX_THREADS_DEFAULT 3
+
+/**
+ * Timeout in seconds to wait for new queries until a thread may be stopped
+ */
+#define NEW_QUERY_WAIT_TIMEOUT 30
+
+typedef struct private_host_resolver_t private_host_resolver_t;
+
+/**
+ * Private data of host_resolver_t
+ */
+struct private_host_resolver_t {
+
+	/**
+	 * Public interface
+	 */
+	host_resolver_t public;
+
+	/**
+	 * Hashtable to check for queued queries, query_t*
+	 */
+	hashtable_t *queries;
+
+	/**
+	 * Queue for queries, query_t*
+	 */
+	linked_list_t *queue;
+
+	/**
+	 * Mutex to safely access private data
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to signal arrival of new queries
+	 */
+	condvar_t *new_query;
+
+	/**
+	 * Minimum number of resolver threads
+	 */
+	u_int min_threads;
+
+	/**
+	 * Maximum number of resolver threads
+	 */
+	u_int max_threads;
+
+	/**
+	 * Current number of threads
+	 */
+	u_int threads;
+
+	/**
+	 * Current number of busy threads
+	 */
+	u_int busy_threads;
+
+	/**
+	 * Pool of threads, thread_t*
+	 */
+	linked_list_t *pool;
+
+	/**
+	 * TRUE if no new queries are accepted
+	 */
+	bool disabled;
+
+};
+
+typedef struct {
+	/** DNS name we are looking for */
+	char *name;
+	/** address family we request */
+	int family;
+	/** Condvar to signal completion of a query */
+	condvar_t *done;
+	/** refcount */
+	refcount_t refcount;
+	/** the result if successful */
+	host_t *result;
+} query_t;
+
+/**
+ * Destroy the given query_t object if refcount is zero
+ */
+static void query_destroy(query_t *this)
+{
+	if (ref_put(&this->refcount))
+	{
+		DESTROY_IF(this->result);
+		this->done->destroy(this->done);
+		free(this->name);
+		free(this);
+	}
+}
+
+/**
+ * Signals all waiting threads and destroys the query
+ */
+static void query_signal_and_destroy(query_t *this)
+{
+	this->done->broadcast(this->done);
+	query_destroy(this);
+}
+
+/**
+ * Hash a queued query
+ */
+static u_int query_hash(query_t *this)
+{
+	return chunk_hash_inc(chunk_create(this->name, strlen(this->name)),
+						  chunk_hash(chunk_from_thing(this->family)));
+}
+
+/**
+ * Compare two queued queries
+ */
+static bool query_equals(query_t *this, query_t *other)
+{
+	return this->family == other->family && streq(this->name, other->name);
+}
+
+/**
+ * Main function of resolver threads
+ */
+static void *resolve_hosts(private_host_resolver_t *this)
+{
+	struct addrinfo hints, *result;
+	query_t *query;
+	int error;
+	bool old, timed_out;
+
+	while (TRUE)
+	{
+		this->mutex->lock(this->mutex);
+		thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+		while (this->queue->remove_first(this->queue,
+										(void**)&query) != SUCCESS)
+		{
+			old = thread_cancelability(TRUE);
+			timed_out = this->new_query->timed_wait(this->new_query,
+									this->mutex, NEW_QUERY_WAIT_TIMEOUT * 1000);
+			thread_cancelability(old);
+			if (this->disabled)
+			{
+				thread_cleanup_pop(TRUE);
+				return NULL;
+			}
+			else if (timed_out && (this->threads > this->min_threads))
+			{	/* terminate this thread by detaching it */
+				thread_t *thread = thread_current();
+
+				this->threads--;
+				this->pool->remove(this->pool, thread, NULL);
+				thread_cleanup_pop(TRUE);
+				thread->detach(thread);
+				return NULL;
+			}
+		}
+		this->busy_threads++;
+		thread_cleanup_pop(TRUE);
+
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = query->family;
+		hints.ai_socktype = SOCK_DGRAM;
+
+		thread_cleanup_push((thread_cleanup_t)query_signal_and_destroy, query);
+		old = thread_cancelability(TRUE);
+		error = getaddrinfo(query->name, NULL, &hints, &result);
+		thread_cancelability(old);
+		thread_cleanup_pop(FALSE);
+
+		this->mutex->lock(this->mutex);
+		this->busy_threads--;
+		if (error != 0)
+		{
+			DBG1(DBG_LIB, "resolving '%s' failed: %s", query->name,
+				 gai_strerror(error));
+		}
+		else
+		{	/* result is a linked list, but we use only the first address */
+			query->result = host_create_from_sockaddr(result->ai_addr);
+			freeaddrinfo(result);
+		}
+		this->queries->remove(this->queries, query);
+		query->done->broadcast(query->done);
+		this->mutex->unlock(this->mutex);
+		query_destroy(query);
+	}
+	return NULL;
+}
+
+METHOD(host_resolver_t, resolve, host_t*,
+	private_host_resolver_t *this, char *name, int family)
+{
+	query_t *query, lookup = {
+		.name = name,
+		.family = family,
+	};
+	host_t *result;
+	struct in_addr addr;
+
+	switch (family)
+	{
+		case AF_INET:
+			/* do not try to convert v6 addresses for v4 family */
+			if (strchr(name, ':'))
+			{
+				return NULL;
+			}
+			break;
+		case AF_INET6:
+			/* do not try to convert v4 addresses for v6 family */
+			if (inet_pton(AF_INET, name, &addr) == 1)
+			{
+				return NULL;
+			}
+			break;
+	}
+	this->mutex->lock(this->mutex);
+	if (this->disabled)
+	{
+		this->mutex->unlock(this->mutex);
+		return NULL;
+	}
+	query = this->queries->get(this->queries, &lookup);
+	if (!query)
+	{
+		INIT(query,
+			.name = strdup(name),
+			.family = family,
+			.done = condvar_create(CONDVAR_TYPE_DEFAULT),
+			.refcount = 1,
+		);
+		this->queries->put(this->queries, query, query);
+		this->queue->insert_last(this->queue, query);
+		this->new_query->signal(this->new_query);
+	}
+	ref_get(&query->refcount);
+	if (this->busy_threads == this->threads &&
+		this->threads < this->max_threads)
+	{
+		thread_t *thread;
+
+		thread = thread_create((thread_main_t)resolve_hosts, this);
+		if (thread)
+		{
+			this->threads++;
+			this->pool->insert_last(this->pool, thread);
+		}
+	}
+	query->done->wait(query->done, this->mutex);
+	this->mutex->unlock(this->mutex);
+
+	result = query->result ? query->result->clone(query->result) : NULL;
+	query_destroy(query);
+	return result;
+}
+
+METHOD(host_resolver_t, flush, void,
+	private_host_resolver_t *this)
+{
+	enumerator_t *enumerator;
+	query_t *query;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->queries->create_enumerator(this->queries);
+	while (enumerator->enumerate(enumerator, &query, NULL))
+	{	/* use the hashtable here as we also want to signal dequeued queries */
+		this->queries->remove_at(this->queries, enumerator);
+		query->done->broadcast(query->done);
+	}
+	enumerator->destroy(enumerator);
+	this->queue->destroy_function(this->queue, (void*)query_destroy);
+	this->queue = linked_list_create();
+	this->disabled = TRUE;
+	/* this will already terminate most idle threads */
+	this->new_query->broadcast(this->new_query);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(host_resolver_t, destroy, void,
+	private_host_resolver_t *this)
+{
+	thread_t *thread;
+
+	flush(this);
+	this->pool->invoke_offset(this->pool, offsetof(thread_t, cancel));
+	while (this->pool->remove_first(this->pool, (void**)&thread) == SUCCESS)
+	{
+		thread->join(thread);
+	}
+	this->pool->destroy(this->pool);
+	this->queue->destroy(this->queue);
+	this->queries->destroy(this->queries);
+	this->new_query->destroy(this->new_query);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+host_resolver_t *host_resolver_create()
+{
+	private_host_resolver_t *this;
+
+	INIT(this,
+		.public = {
+			.resolve = _resolve,
+			.flush = _flush,
+			.destroy = _destroy,
+		},
+		.queries = hashtable_create((hashtable_hash_t)query_hash,
+									(hashtable_equals_t)query_equals, 8),
+		.queue = linked_list_create(),
+		.pool = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.new_query = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	this->min_threads = max(0, lib->settings->get_int(lib->settings,
+									"libstrongswan.host_resolver.min_threads",
+									 MIN_THREADS_DEFAULT));
+	this->max_threads = max(this->min_threads ?: 1,
+							lib->settings->get_int(lib->settings,
+									"libstrongswan.host_resolver.max_threads",
+									 MAX_THREADS_DEFAULT));
+	return &this->public;
+}
diff --git a/src/libstrongswan/networking/host_resolver.h b/src/libstrongswan/networking/host_resolver.h
new file mode 100644
index 000000000..f944a9cdf
--- /dev/null
+++ b/src/libstrongswan/networking/host_resolver.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup host_resolver host_resolver
+ * @{ @ingroup networking
+ */
+
+#ifndef HOST_RESOLVER_H_
+#define HOST_RESOLVER_H_
+
+#include "host.h"
+
+typedef struct host_resolver_t host_resolver_t;
+
+/**
+ * Resolve hosts by DNS name but do so in a separate thread (calling
+ * getaddrinfo(3) directly might block indefinitely, or at least a very long
+ * time if no DNS servers are reachable).
+ */
+struct host_resolver_t {
+
+	/**
+	 * Resolve host from the given DNS name.
+	 *
+	 * @param name		name to lookup
+	 * @param family	requested address family
+	 * @return			resolved host or NULL if failed or canceled
+	 */
+	host_t *(*resolve)(host_resolver_t *this, char *name, int family);
+
+	/**
+	 * Flush the queue of queries. No new queries will be accepted afterwards.
+	 */
+	void (*flush)(host_resolver_t *this);
+
+	/**
+	 * Destroy a host_resolver_t.
+	 */
+	void (*destroy)(host_resolver_t *this);
+};
+
+/**
+ * Create a host_resolver_t instance.
+ */
+host_resolver_t *host_resolver_create();
+
+#endif /** HOST_RESOLVER_H_ @}*/
diff --git a/src/libstrongswan/networking/packet.c b/src/libstrongswan/networking/packet.c
new file mode 100644
index 000000000..4ff7fc48b
--- /dev/null
+++ b/src/libstrongswan/networking/packet.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "packet.h"
+
+typedef struct private_packet_t private_packet_t;
+
+/**
+ * Private data of an packet_t object.
+ */
+struct private_packet_t {
+
+	/**
+	 * Public part of a packet_t object.
+	 */
+	packet_t public;
+
+	/**
+	 * source address
+	 */
+	host_t *source;
+
+	/**
+	 * destination address
+	 */
+	host_t *destination;
+
+	/**
+	 * DSCP value on packet
+	 */
+	u_int8_t dscp;
+
+	 /**
+	  * message data
+	  */
+	chunk_t data;
+
+	/**
+	 * actual chunk returned from get_data, adjusted when skip_bytes is called
+	 */
+	chunk_t adjusted_data;
+};
+
+METHOD(packet_t, set_source, void,
+	private_packet_t *this, host_t *source)
+{
+	DESTROY_IF(this->source);
+	this->source = source;
+}
+
+METHOD(packet_t, set_destination, void,
+	private_packet_t *this, host_t *destination)
+{
+	DESTROY_IF(this->destination);
+	this->destination = destination;
+}
+
+METHOD(packet_t, get_source, host_t*,
+	private_packet_t *this)
+{
+	return this->source;
+}
+
+METHOD(packet_t, get_destination, host_t*,
+	private_packet_t *this)
+{
+	return this->destination;
+}
+
+METHOD(packet_t, get_data, chunk_t,
+	private_packet_t *this)
+{
+	return this->adjusted_data;
+}
+
+METHOD(packet_t, set_data, void,
+	private_packet_t *this, chunk_t data)
+{
+	free(this->data.ptr);
+	this->adjusted_data = this->data = data;
+}
+
+METHOD(packet_t, get_dscp, u_int8_t,
+	private_packet_t *this)
+{
+	return this->dscp;
+}
+METHOD(packet_t, set_dscp, void,
+	private_packet_t *this, u_int8_t value)
+{
+	this->dscp = value;
+}
+
+METHOD(packet_t, skip_bytes, void,
+	private_packet_t *this, size_t bytes)
+{
+	this->adjusted_data = chunk_skip(this->adjusted_data, bytes);
+}
+
+METHOD(packet_t, destroy, void,
+	private_packet_t *this)
+{
+	DESTROY_IF(this->source);
+	DESTROY_IF(this->destination);
+	free(this->data.ptr);
+	free(this);
+}
+
+METHOD(packet_t, clone_, packet_t*,
+	private_packet_t *this)
+{
+	packet_t *other;
+
+	other = packet_create();
+	if (this->destination)
+	{
+		other->set_destination(other,
+							   this->destination->clone(this->destination));
+	}
+	if (this->source)
+	{
+		other->set_source(other, this->source->clone(this->source));
+	}
+	if (this->data.ptr)
+	{
+		other->set_data(other, chunk_clone(this->adjusted_data));
+	}
+	other->set_dscp(other, this->dscp);
+	return other;
+}
+
+/**
+ * Described in header.
+ */
+packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data)
+{
+	private_packet_t *this;
+
+	INIT(this,
+		.public = {
+			.set_data = _set_data,
+			.get_data = _get_data,
+			.set_source = _set_source,
+			.get_source = _get_source,
+			.set_destination = _set_destination,
+			.get_destination = _get_destination,
+			.get_dscp = _get_dscp,
+			.set_dscp = _set_dscp,
+			.skip_bytes = _skip_bytes,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.source = src,
+		.destination = dst,
+		.adjusted_data = data,
+		.data = data,
+	);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+packet_t *packet_create()
+{
+	return packet_create_from_data(NULL, NULL, chunk_empty);
+}
diff --git a/src/libstrongswan/networking/packet.h b/src/libstrongswan/networking/packet.h
new file mode 100644
index 000000000..a96a4b84f
--- /dev/null
+++ b/src/libstrongswan/networking/packet.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup packet packet
+ * @{ @ingroup networking
+ */
+
+#ifndef PACKET_H_
+#define PACKET_H_
+
+typedef struct packet_t packet_t;
+
+#include <library.h>
+#include <networking/host.h>
+
+/**
+ * Abstraction of an IP/UDP-Packet, contains data, sender and receiver.
+ */
+struct packet_t {
+
+	/**
+	 * Set the source address.
+	 *
+	 * @param source	address to set as source (gets owned)
+	 */
+	void (*set_source)(packet_t *packet, host_t *source);
+
+	/**
+	 * Set the destination address.
+	 *
+	 * @param source	address to set as destination (gets owned)
+	 */
+	void (*set_destination)(packet_t *packet, host_t *destination);
+
+	/**
+	 * Get the source address.
+	 *
+	 * @return			source address (internal data)
+	 */
+	host_t *(*get_source)(packet_t *packet);
+
+	/**
+	 * Get the destination address.
+	 *
+	 * @return			destination address (internal data)
+	 */
+	host_t *(*get_destination)(packet_t *packet);
+
+	/**
+	 * Get the data from the packet.
+	 *
+	 * @return			chunk containing the data (internal data)
+	 */
+	chunk_t (*get_data)(packet_t *packet);
+
+	/**
+	 * Set the data in the packet.
+	 *
+	 * @param data		chunk with data to set (gets owned)
+	 */
+	void (*set_data)(packet_t *packet, chunk_t data);
+
+	/**
+	 * Get the DiffServ Code Point set on this packet.
+	 *
+	 * @return			DSCP value
+	 */
+	u_int8_t (*get_dscp)(packet_t *this);
+
+	/**
+	 * Set the DiffServ Code Point to use on this packet.
+	 *
+	 * @param value		DSCP value
+	 */
+	void (*set_dscp)(packet_t *this, u_int8_t value);
+
+	/**
+	 * Increase the offset where the actual packet data starts.
+	 *
+	 * The total offset applies to future calls of get_data() and clone().
+	 *
+	 * @note The offset is reset to 0 when set_data() is called.
+	 *
+	 * @param bytes		the number of additional bytes to skip
+	 */
+	void (*skip_bytes)(packet_t *packet, size_t bytes);
+
+	/**
+	 * Clones a packet_t object.
+	 *
+	 * @note Data is cloned without skipped bytes.
+	 *
+	 * @param clone		clone of the packet
+	 */
+	packet_t* (*clone)(packet_t *packet);
+
+	/**
+	 * Destroy the packet, freeing contained data.
+	 */
+	void (*destroy)(packet_t *packet);
+};
+
+/**
+ * Create an empty packet
+ *
+ * @return packet_t object
+ */
+packet_t *packet_create();
+
+/**
+ * Create a packet from the supplied data
+ *
+ * @param src			source address (gets owned)
+ * @param dst			destination address (gets owned)
+ * @param data			packet data (gets owned)
+ * @return packet_t object
+ */
+packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data);
+
+#endif /** PACKET_H_ @}*/
diff --git a/src/libstrongswan/networking/streams/stream.c b/src/libstrongswan/networking/streams/stream.c
new file mode 100644
index 000000000..8ecb89fc9
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream.c
@@ -0,0 +1,426 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <errno.h>
+#include <unistd.h>
+#include <limits.h>
+
+typedef struct private_stream_t private_stream_t;
+
+/**
+ * Private data of an stream_t object.
+ */
+struct private_stream_t {
+
+	/**
+	 * Public stream_t interface.
+	 */
+	stream_t public;
+
+	/**
+	 * Underlying socket
+	 */
+	int fd;
+
+	/**
+	 * Callback if data is ready to read
+	 */
+	stream_cb_t read_cb;
+
+	/**
+	 * Data for read-ready callback
+	 */
+	void *read_data;
+
+	/**
+	 * Callback if write is non-blocking
+	 */
+	stream_cb_t write_cb;
+
+	/**
+	 * Data for write-ready callback
+	 */
+	void *write_data;
+};
+
+METHOD(stream_t, read_, ssize_t,
+	private_stream_t *this, void *buf, size_t len, bool block)
+{
+	while (TRUE)
+	{
+		ssize_t ret;
+
+		if (block)
+		{
+			ret = read(this->fd, buf, len);
+		}
+		else
+		{
+			ret = recv(this->fd, buf, len, MSG_DONTWAIT);
+			if (ret == -1 && errno == EAGAIN)
+			{
+				/* unify EGAIN and EWOULDBLOCK */
+				errno = EWOULDBLOCK;
+			}
+		}
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		return ret;
+	}
+}
+
+METHOD(stream_t, read_all, bool,
+	private_stream_t *this, void *buf, size_t len)
+{
+	ssize_t ret;
+
+	while (len)
+	{
+		ret = read_(this, buf, len, TRUE);
+		if (ret < 0)
+		{
+			return FALSE;
+		}
+		if (ret == 0)
+		{
+			errno = ECONNRESET;
+			return FALSE;
+		}
+		len -= ret;
+		buf += ret;
+	}
+	return TRUE;
+}
+
+METHOD(stream_t, write_, ssize_t,
+	private_stream_t *this, void *buf, size_t len, bool block)
+{
+	ssize_t ret;
+
+	while (TRUE)
+	{
+		if (block)
+		{
+			ret = write(this->fd, buf, len);
+		}
+		else
+		{
+			ret = send(this->fd, buf, len, MSG_DONTWAIT);
+			if (ret == -1 && errno == EAGAIN)
+			{
+				/* unify EGAIN and EWOULDBLOCK */
+				errno = EWOULDBLOCK;
+			}
+		}
+		if (ret == -1 && errno == EINTR)
+		{	/* interrupted, try again */
+			continue;
+		}
+		return ret;
+	}
+}
+
+METHOD(stream_t, write_all, bool,
+	private_stream_t *this, void *buf, size_t len)
+{
+	ssize_t ret;
+
+	while (len)
+	{
+		ret = write_(this, buf, len, TRUE);
+		if (ret < 0)
+		{
+			return FALSE;
+		}
+		if (ret == 0)
+		{
+			errno = ECONNRESET;
+			return FALSE;
+		}
+		len -= ret;
+		buf += ret;
+	}
+	return TRUE;
+}
+
+/**
+ * Remove a registered watcher
+ */
+static void remove_watcher(private_stream_t *this)
+{
+	if (this->read_cb || this->write_cb)
+	{
+		lib->watcher->remove(lib->watcher, this->fd);
+	}
+}
+
+/**
+ * Watcher callback
+ */
+static bool watch(private_stream_t *this, int fd, watcher_event_t event)
+{
+	bool keep = FALSE;
+	stream_cb_t cb;
+
+	switch (event)
+	{
+		case WATCHER_READ:
+			cb = this->read_cb;
+			this->read_cb = NULL;
+			keep = cb(this->read_data, &this->public);
+			if (keep)
+			{
+				this->read_cb = cb;
+			}
+			break;
+		case WATCHER_WRITE:
+			cb = this->write_cb;
+			this->write_cb = NULL;
+			keep = cb(this->write_data, &this->public);
+			if (keep)
+			{
+				this->write_cb = cb;
+			}
+			break;
+		case WATCHER_EXCEPT:
+			break;
+	}
+	return keep;
+}
+
+/**
+ * Register watcher for stream callbacks
+ */
+static void add_watcher(private_stream_t *this)
+{
+	watcher_event_t events = 0;
+
+	if (this->read_cb)
+	{
+		events |= WATCHER_READ;
+	}
+	if (this->write_cb)
+	{
+		events |= WATCHER_WRITE;
+	}
+	if (events)
+	{
+		lib->watcher->add(lib->watcher, this->fd, events,
+						  (watcher_cb_t)watch, this);
+	}
+}
+
+METHOD(stream_t, on_read, void,
+	private_stream_t *this, stream_cb_t cb, void *data)
+{
+	remove_watcher(this);
+
+	this->read_cb = cb;
+	this->read_data = data;
+
+	add_watcher(this);
+}
+
+METHOD(stream_t, on_write, void,
+	private_stream_t *this, stream_cb_t cb, void *data)
+{
+	remove_watcher(this);
+
+	this->write_cb = cb;
+	this->write_data = data;
+
+	add_watcher(this);
+}
+
+METHOD(stream_t, get_file, FILE*,
+	private_stream_t *this)
+{
+	FILE *file;
+	int fd;
+
+	/* fclose() closes the FD passed to fdopen(), so dup() it */
+	fd = dup(this->fd);
+	if (fd == -1)
+	{
+		return NULL;
+	}
+	file = fdopen(fd, "w+");
+	if (!file)
+	{
+		close(fd);
+	}
+	return file;
+}
+
+METHOD(stream_t, destroy, void,
+	private_stream_t *this)
+{
+	remove_watcher(this);
+	close(this->fd);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stream_t *stream_create_from_fd(int fd)
+{
+	private_stream_t *this;
+
+	INIT(this,
+		.public = {
+			.read = _read_,
+			.read_all = _read_all,
+			.on_read = _on_read,
+			.write = _write_,
+			.write_all = _write_all,
+			.on_write = _on_write,
+			.get_file = _get_file,
+			.destroy = _destroy,
+		},
+		.fd = fd,
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+int stream_parse_uri_unix(char *uri, struct sockaddr_un *addr)
+{
+	if (!strpfx(uri, "unix://"))
+	{
+		return -1;
+	}
+	uri += strlen("unix://");
+
+	memset(addr, 0, sizeof(*addr));
+	addr->sun_family = AF_UNIX;
+	strncpy(addr->sun_path, uri, sizeof(addr->sun_path));
+	addr->sun_path[sizeof(addr->sun_path)-1] = '\0';
+
+	return offsetof(struct sockaddr_un, sun_path) + strlen(addr->sun_path);
+}
+
+/**
+ * See header
+ */
+stream_t *stream_create_unix(char *uri)
+{
+	struct sockaddr_un addr;
+	int len, fd;
+
+	len = stream_parse_uri_unix(uri, &addr);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	if (connect(fd, (struct sockaddr*)&addr, len) < 0)
+	{
+		DBG1(DBG_NET, "connecting to '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	return stream_create_from_fd(fd);
+}
+
+/**
+ * See header.
+ */
+int stream_parse_uri_tcp(char *uri, struct sockaddr *addr)
+{
+	char *pos, buf[128];
+	host_t *host;
+	u_long port;
+	int len;
+
+	if (!strpfx(uri, "tcp://"))
+	{
+		return -1;
+	}
+	uri += strlen("tcp://");
+	pos = strrchr(uri, ':');
+	if (!pos)
+	{
+		return -1;
+	}
+	if (*uri == '[' && pos > uri && *(pos - 1) == ']')
+	{
+		/* IPv6 URI */
+		snprintf(buf, sizeof(buf), "%.*s", (int)(pos - uri - 2), uri + 1);
+	}
+	else
+	{
+		snprintf(buf, sizeof(buf), "%.*s", (int)(pos - uri), uri);
+	}
+	port = strtoul(pos + 1, &pos, 10);
+	if (port == ULONG_MAX || *pos || port > 65535)
+	{
+		return -1;
+	}
+	host = host_create_from_dns(buf, AF_UNSPEC, port);
+	if (!host)
+	{
+		return -1;
+	}
+	len = *host->get_sockaddr_len(host);
+	memcpy(addr, host->get_sockaddr(host), len);
+	host->destroy(host);
+	return len;
+}
+
+/**
+ * See header
+ */
+stream_t *stream_create_tcp(char *uri)
+{
+	union {
+		struct sockaddr_in in;
+		struct sockaddr_in6 in6;
+		struct sockaddr sa;
+	} addr;
+	int fd, len;
+
+	len = stream_parse_uri_tcp(uri, &addr.sa);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	if (connect(fd, &addr.sa, len))
+	{
+		DBG1(DBG_NET, "connecting to '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	return stream_create_from_fd(fd);
+}
diff --git a/src/libstrongswan/networking/streams/stream.h b/src/libstrongswan/networking/streams/stream.h
new file mode 100644
index 000000000..810514da9
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream.h
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stream stream
+ * @{ @ingroup streams
+ */
+
+#ifndef STREAM_H_
+#define STREAM_H_
+
+typedef struct stream_t stream_t;
+
+#include <library.h>
+
+#include <sys/un.h>
+#include <sys/socket.h>
+
+/**
+ * Constructor function prototype for stream_t.
+ *
+ * @param uri			URI to create a stream for
+ * @return				stream instance, NULL on error
+ */
+typedef stream_t*(*stream_constructor_t)(char *uri);
+
+/**
+ * Callback function prototype, called when stream is ready.
+ *
+ * It is allowed to destroy the stream during the callback, but only if it has
+ * no other active on_read()/on_write() callback and returns FALSE. It is not
+ * allowed to to call on_read()/on_write/() during the callback.
+ *
+ * As select() may return even if a read()/write() would actually block, it is
+ * recommended to use the non-blocking calls and handle return values
+ * appropriately.
+ *
+ * @param data			data passed during callback registration
+ * @param stream		associated stream
+ * @return				FALSE unregisters the invoked callback, TRUE keeps it
+ */
+typedef bool (*stream_cb_t)(void *data, stream_t *stream);
+
+/**
+ * Abstraction of a Berkley socket using stream semantics.
+ */
+struct stream_t {
+
+	/**
+	 * Read data from the stream.
+	 *
+	 * If "block" is FALSE and no data is available, the function returns -1
+	 * and sets errno to EWOULDBLOCK.
+	 *
+	 * @param buf		data buffer to read into
+	 * @param len		number of bytes to read
+	 * @param block		TRUE to use a blocking read
+	 * @return			number of bytes read, -1 on error
+	 */
+	ssize_t (*read)(stream_t *this, void *buf, size_t len, bool block);
+
+	/**
+	 * Read data from the stream, avoiding short reads.
+	 *
+	 * This call is always blocking, and reads until len has been read
+	 * completely. If the connection is closed before enough bytes could be
+	 * returned, errno is set to ECONNRESET.
+	 *
+	 * @param buf		data buffer to read into
+	 * @param len		number of bytes to read
+	 * @return			TRUE if len bytes read, FALSE on error
+	 */
+	bool (*read_all)(stream_t *this, void *buf, size_t len);
+
+	/**
+	 * Register a callback to invoke when stream has data to read.
+	 *
+	 * @param cb		callback function, NULL to unregister
+	 * @param data		data to pass to callback
+	 */
+	void (*on_read)(stream_t *this, stream_cb_t cb, void *data);
+
+	/**
+	 * Write data to the stream.
+	 *
+	 * If "block" is FALSE and the write would block, the function returns -1
+	 * and sets errno to EWOULDBLOCK.
+	 *
+	 * @param buf		data buffer to write
+	 * @param len		number of bytes to write
+	 * @param block		TRUE to use a blocking write
+	 * @return			number of bytes written, -1 on error
+	 */
+	ssize_t (*write)(stream_t *this, void *buf, size_t len, bool block);
+
+	/**
+	 * Write data to the stream, avoiding short writes.
+	 *
+	 * This call is always blocking, and writes until len bytes has been
+	 * written.
+	 *
+	 * @param buf		data buffer to write
+	 * @param len		number of bytes to write
+	 * @return			TRUE if len bytes written, FALSE on error
+	 */
+	bool (*write_all)(stream_t *this, void *buf, size_t len);
+
+	/**
+	 * Register a callback to invoke when a write would not block.
+	 *
+	 * @param cb		callback function, NULL to unregister
+	 * @param data		data to pass to callback
+	 */
+	void (*on_write)(stream_t *this, stream_cb_t cb, void *data);
+
+	/**
+	 * Get a FILE reference for this stream.
+	 *
+	 * @return			FILE*, must be fclose()d, NULL on error
+	 */
+	FILE* (*get_file)(stream_t *this);
+
+	/**
+	 * Destroy a stream_t.
+	 */
+	void (*destroy)(stream_t *this);
+};
+
+/**
+ * Create a stream for UNIX sockets.
+ *
+ * UNIX URIs start with unix://, followed by the socket path. For absolute
+ * paths, an URI looks something like:
+ *
+ *   unix:///path/to/socket
+ *
+ * @param uri		UNIX socket specific URI, must start with "unix://"
+ * @return			stream instance, NULL on failure
+ */
+stream_t *stream_create_unix(char *uri);
+
+/**
+ * Helper function to parse a unix:// URI to a sockaddr
+ *
+ * @param uri		URI
+ * @param addr		sockaddr
+ * @return			length of sockaddr, -1 on error
+ */
+int stream_parse_uri_unix(char *uri, struct sockaddr_un *addr);
+
+/**
+ * Create a stream for TCP sockets.
+ *
+ * TCP URIs start with tcp://, followed by a hostname (FQDN or IP), followed
+ * by a colon separated port. A full TCP uri looks something like:
+ *
+ *   tcp://srv.example.com:5555
+ *   tcp://0.0.0.0:1234
+ *   tcp://[fec2::1]:7654
+ *
+ * There is no default port, so a colon after tcp:// is mandatory.
+ *
+ * @param uri		TCP socket specific URI, must start with "tcp://"
+ * @return			stream instance, NULL on failure
+ */
+stream_t *stream_create_tcp(char *uri);
+
+/**
+ * Helper function to parse a tcp:// URI to a sockaddr
+ *
+ * @param uri		URI
+ * @param addr		sockaddr, large enough for URI
+ * @return			length of sockaddr, -1 on error
+ */
+int stream_parse_uri_tcp(char *uri, struct sockaddr *addr);
+
+/**
+ * Create a stream from a file descriptor.
+ *
+ * The file descriptor MUST be a socket for non-blocking operation.
+ *
+ * @param fd		file descriptor to wrap into a stream_t
+ * @return			stream instance
+ */
+stream_t *stream_create_from_fd(int fd);
+
+#endif /** STREAM_H_ @}*/
diff --git a/src/libstrongswan/networking/streams/stream_manager.c b/src/libstrongswan/networking/streams/stream_manager.c
new file mode 100644
index 000000000..2cbd6127e
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_manager.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "stream_manager.h"
+
+#include <threading/rwlock.h>
+
+typedef struct private_stream_manager_t private_stream_manager_t;
+
+/**
+ * Private data of an stream_manager_t object.
+ */
+struct private_stream_manager_t {
+
+	/**
+	 * Public stream_manager_t interface.
+	 */
+	stream_manager_t public;
+
+	/**
+	 * List of registered stream constructors, as stream_entry_t
+	 */
+	linked_list_t *streams;
+
+	/**
+	 * List of registered service constructors, as service_entry_t
+	 */
+	linked_list_t *services;
+
+	/**
+	 * Lock for all lists
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * Registered stream backend
+ */
+typedef struct {
+	/** URI prefix */
+	char *prefix;
+	/** constructor function */
+	stream_constructor_t create;
+} stream_entry_t;
+
+/**
+ * Registered service backend
+ */
+typedef struct {
+	/** URI prefix */
+	char *prefix;
+	/** constructor function */
+	stream_service_constructor_t create;
+} service_entry_t;
+
+METHOD(stream_manager_t, connect_, stream_t*,
+	private_stream_manager_t *this, char *uri)
+{
+	enumerator_t *enumerator;
+	stream_entry_t *entry;
+	stream_t *stream = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->streams->create_enumerator(this->streams);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (strpfx(uri, entry->prefix))
+		{
+			stream = entry->create(uri);
+			if (stream)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return stream;
+}
+
+METHOD(stream_manager_t, create_service, stream_service_t*,
+	private_stream_manager_t *this, char *uri, int backlog)
+{
+	enumerator_t *enumerator;
+	service_entry_t *entry;
+	stream_service_t *service = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->services->create_enumerator(this->services);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (strpfx(uri, entry->prefix))
+		{
+			service = entry->create(uri, backlog);
+			if (service)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	return service;
+}
+
+METHOD(stream_manager_t, add_stream, void,
+	private_stream_manager_t *this, char *prefix, stream_constructor_t create)
+{
+	stream_entry_t *entry;
+
+	INIT(entry,
+		.prefix = strdup(prefix),
+		.create = create,
+	);
+
+	this->lock->write_lock(this->lock);
+	this->streams->insert_last(this->streams, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, remove_stream, void,
+	private_stream_manager_t *this, stream_constructor_t create)
+{
+	enumerator_t *enumerator;
+	stream_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->streams->create_enumerator(this->streams);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create == create)
+		{
+			this->streams->remove_at(this->streams, enumerator);
+			free(entry->prefix);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, add_service, void,
+	private_stream_manager_t *this, char *prefix,
+	stream_service_constructor_t create)
+{
+	service_entry_t *entry;
+
+	INIT(entry,
+		.prefix = strdup(prefix),
+		.create = create,
+	);
+
+	this->lock->write_lock(this->lock);
+	this->services->insert_last(this->services, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, remove_service, void,
+	private_stream_manager_t *this, stream_service_constructor_t create)
+{
+	enumerator_t *enumerator;
+	service_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->services->create_enumerator(this->services);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create == create)
+		{
+			this->services->remove_at(this->services, enumerator);
+			free(entry->prefix);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(stream_manager_t, destroy, void,
+	private_stream_manager_t *this)
+{
+	remove_stream(this, stream_create_unix);
+	remove_stream(this, stream_create_tcp);
+	remove_service(this, stream_service_create_unix);
+	remove_service(this, stream_service_create_tcp);
+
+	this->streams->destroy(this->streams);
+	this->services->destroy(this->services);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stream_manager_t *stream_manager_create()
+{
+	private_stream_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.connect = _connect_,
+			.create_service = _create_service,
+			.add_stream = _add_stream,
+			.remove_stream = _remove_stream,
+			.add_service = _add_service,
+			.remove_service = _remove_service,
+			.destroy = _destroy,
+		},
+		.streams = linked_list_create(),
+		.services = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	add_stream(this, "unix://", stream_create_unix);
+	add_stream(this, "tcp://", stream_create_tcp);
+	add_service(this, "unix://", stream_service_create_unix);
+	add_service(this, "tcp://", stream_service_create_tcp);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/networking/streams/stream_manager.h b/src/libstrongswan/networking/streams/stream_manager.h
new file mode 100644
index 000000000..352d93e2b
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_manager.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stream_manager stream_manager
+ * @{ @ingroup streams
+ */
+
+#ifndef STREAM_MANAGER_H_
+#define STREAM_MANAGER_H_
+
+typedef struct stream_manager_t stream_manager_t;
+
+#include <library.h>
+#include <networking/streams/stream_service.h>
+
+/**
+ * Manages client-server connections and services using stream_t backends.
+ */
+struct stream_manager_t {
+
+	/**
+	 * Create a client-server connection to a service.
+	 *
+	 * @param uri		URI of service to connect to
+	 * @return			stream instance, NULL on error
+	 */
+	stream_t* (*connect)(stream_manager_t *this, char *uri);
+
+	/**
+	 * Create a new service under an URI to accept() client connections.
+	 *
+	 * @param uri		URI of service to provide
+	 * @param backlog	size of the backlog queue, as passed to listen()
+	 * @return			service, NULL on error
+	 */
+	stream_service_t* (*create_service)(stream_manager_t *this, char *uri,
+										int backlog);
+
+	/**
+	 * Register a stream backend to the manager.
+	 *
+	 * @param prefix	prefix of URIs to use the backend for
+	 * @param create	constructor function for the stream
+	 */
+	void (*add_stream)(stream_manager_t *this, char *prefix,
+					   stream_constructor_t create);
+
+	/**
+	 * Unregister stream backends from the manager.
+	 *
+	 * @param create	constructor function passed to add_stream()
+	 */
+	void (*remove_stream)(stream_manager_t *this, stream_constructor_t create);
+
+	/**
+	 * Register a stream service backend to the manager.
+	 *
+	 * @param prefix	prefix of URIs to use the backend for
+	 * @param create	constructor function for the stream service
+	 */
+	void (*add_service)(stream_manager_t *this, char *prefix,
+						stream_service_constructor_t create);
+
+	/**
+	 * Unregister stream service backends from the manager.
+	 *
+	 * @param create	constructor function passed to add_service()
+	 */
+	void (*remove_service)(stream_manager_t *this,
+						   stream_service_constructor_t create);
+
+	/**
+	 * Destroy a stream_manager_t.
+	 */
+	void (*destroy)(stream_manager_t *this);
+};
+
+/**
+ * Create a stream_manager instance.
+ */
+stream_manager_t *stream_manager_create();
+
+#endif /** STREAM_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
new file mode 100644
index 000000000..ece17b41f
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_service.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <processing/jobs/callback_job.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/stat.h>
+
+typedef struct private_stream_service_t private_stream_service_t;
+
+/**
+ * Private data of an stream_service_t object.
+ */
+struct private_stream_service_t {
+
+	/**
+	 * Public stream_service_t interface.
+	 */
+	stream_service_t public;
+
+	/**
+	 * Underlying socket
+	 */
+	int fd;
+
+	/**
+	 * Accept callback
+	 */
+	stream_service_cb_t cb;
+
+	/**
+	 * Accept callback data
+	 */
+	void *data;
+
+	/**
+	 * Job priority to invoke callback with
+	 */
+	job_priority_t prio;
+
+	/**
+	 * Maximum number of parallel callback invocations
+	 */
+	u_int cncrncy;
+
+	/**
+	 * Currently active jobs
+	 */
+	u_int active;
+
+	/**
+	 * mutex to lock active counter
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to wait for callback termination
+	 */
+	condvar_t *condvar;
+};
+
+/**
+ * Data to pass to async accept job
+ */
+typedef struct {
+	/** callback function */
+	stream_service_cb_t cb;
+	/** callback data */
+	void *data;
+	/** accepted connection */
+	int fd;
+	/** reference to stream service */
+	private_stream_service_t *this;
+} async_data_t;
+
+/**
+ * Clean up accept data
+ */
+static void destroy_async_data(async_data_t *data)
+{
+	private_stream_service_t *this = data->this;
+
+	this->mutex->lock(this->mutex);
+	if (this->active-- == this->cncrncy)
+	{
+		/* leaving concurrency limit, restart accept()ing. */
+		this->public.on_accept(&this->public, this->cb, this->data,
+							   this->prio, this->cncrncy);
+	}
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+
+	if (data->fd != -1)
+	{
+		close(data->fd);
+	}
+	free(data);
+}
+
+/**
+ * Async processing of accepted connection
+ */
+static job_requeue_t accept_async(async_data_t *data)
+{
+	stream_t *stream;
+
+	stream = stream_create_from_fd(data->fd);
+	if (stream)
+	{
+		/* FD is now owned by stream, don't close it during cleanup */
+		data->fd = -1;
+		thread_cleanup_push((void*)stream->destroy, stream);
+		thread_cleanup_pop(!data->cb(data->data, stream));
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Watcher callback function
+ */
+static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
+{
+	async_data_t *data;
+	bool keep = TRUE;
+
+	INIT(data,
+		.cb = this->cb,
+		.data = this->data,
+		.fd = accept(fd, NULL, NULL),
+		.this = this,
+	);
+
+	if (data->fd != -1)
+	{
+		this->mutex->lock(this->mutex);
+		if (++this->active == this->cncrncy)
+		{
+			/* concurrency limit reached, stop accept()ing new connections */
+			keep = FALSE;
+		}
+		this->mutex->unlock(this->mutex);
+
+		lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((void*)accept_async, data,
+				(void*)destroy_async_data, (callback_job_cancel_t)return_false,
+				this->prio));
+	}
+	else
+	{
+		free(data);
+	}
+	return keep;
+}
+
+METHOD(stream_service_t, on_accept, void,
+	private_stream_service_t *this, stream_service_cb_t cb, void *data,
+	job_priority_t prio, u_int cncrncy)
+{
+	this->mutex->lock(this->mutex);
+
+	/* wait for all callbacks to return */
+	while (this->active)
+	{
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+
+	if (this->cb)
+	{
+		lib->watcher->remove(lib->watcher, this->fd);
+	}
+
+	this->cb = cb;
+	this->data = data;
+	if (prio <= JOB_PRIO_MAX)
+	{
+		this->prio = prio;
+	}
+	this->cncrncy = cncrncy;
+
+	if (this->cb)
+	{
+		lib->watcher->add(lib->watcher, this->fd,
+						  WATCHER_READ, (watcher_cb_t)watch, this);
+	}
+
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(stream_service_t, destroy, void,
+	private_stream_service_t *this)
+{
+	on_accept(this, NULL, NULL, this->prio, this->cncrncy);
+	close(this->fd);
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	free(this);
+}
+
+/**
+ * See header
+ */
+stream_service_t *stream_service_create_from_fd(int fd)
+{
+	private_stream_service_t *this;
+
+	INIT(this,
+		.public = {
+			.on_accept = _on_accept,
+			.destroy = _destroy,
+		},
+		.fd = fd,
+		.prio = JOB_PRIO_MEDIUM,
+		.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+stream_service_t *stream_service_create_unix(char *uri, int backlog)
+{
+	struct sockaddr_un addr;
+	mode_t old;
+	int fd, len;
+
+	len = stream_parse_uri_unix(uri, &addr);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	if (!lib->caps->check(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) service socket */
+		DBG1(DBG_NET, "socket '%s' requires CAP_CHOWN capability", uri);
+		return NULL;
+	}
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd == -1)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	unlink(addr.sun_path);
+
+	old = umask(~(S_IRWXU | S_IRWXG));
+	if (bind(fd, (struct sockaddr*)&addr, len) < 0)
+	{
+		DBG1(DBG_NET, "binding socket '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	umask(old);
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
+	{
+		DBG1(DBG_NET, "changing socket permissions for '%s' failed: %s",
+			 uri, strerror(errno));
+	}
+	if (listen(fd, backlog) < 0)
+	{
+		DBG1(DBG_NET, "listen on socket '%s' failed: %s", uri, strerror(errno));
+		unlink(addr.sun_path);
+		close(fd);
+		return NULL;
+	}
+	return stream_service_create_from_fd(fd);
+}
+
+/**
+ * See header
+ */
+stream_service_t *stream_service_create_tcp(char *uri, int backlog)
+{
+	union {
+		struct sockaddr_in in;
+		struct sockaddr_in6 in6;
+		struct sockaddr sa;
+	} addr;
+	int fd, len, on = 1;
+
+	len = stream_parse_uri_tcp(uri, &addr.sa);
+	if (len == -1)
+	{
+		DBG1(DBG_NET, "invalid stream URI: '%s'", uri);
+		return NULL;
+	}
+	fd = socket(addr.sa.sa_family, SOCK_STREAM, 0);
+	if (fd < 0)
+	{
+		DBG1(DBG_NET, "opening socket '%s' failed: %s", uri, strerror(errno));
+		return NULL;
+	}
+	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) != 0)
+	{
+		DBG1(DBG_NET, "SO_REUSADDR on '%s' failed: %s", uri, strerror(errno));
+	}
+	if (bind(fd, &addr.sa, len) < 0)
+	{
+		DBG1(DBG_NET, "binding socket '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	if (listen(fd, backlog) < 0)
+	{
+		DBG1(DBG_NET, "listen on socket '%s' failed: %s", uri, strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	return stream_service_create_from_fd(fd);
+}
diff --git a/src/libstrongswan/networking/streams/stream_service.h b/src/libstrongswan/networking/streams/stream_service.h
new file mode 100644
index 000000000..c8faba323
--- /dev/null
+++ b/src/libstrongswan/networking/streams/stream_service.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup stream_service stream_service
+ * @{ @ingroup streams
+ */
+
+#ifndef STREAM_SERVICE_H_
+#define STREAM_SERVICE_H_
+
+typedef struct stream_service_t stream_service_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <networking/streams/stream.h>
+
+/**
+ * Constructor function prototype for stream_service_t.
+ *
+ * @param uri			URI to create a stream for
+ * @param backlog		size of the backlog queue, as passed to listen()
+ * @return				stream instance, NULL on error
+ */
+typedef stream_service_t*(*stream_service_constructor_t)(char *uri, int backlog);
+
+/**
+ * Service callback routine for accepting client connections.
+ *
+ * The passed stream gets closed/destroyed by the callback caller, unless
+ * TRUE is returned.
+ *
+ * @param data			user data, as passed during registration
+ * @param stream		accept()ed client connection
+ * @return				TRUE to keep stream alive, FALSE to destroy it
+ */
+typedef bool (*stream_service_cb_t)(void *data, stream_t *stream);
+
+/**
+ * A service accepting client connection streams.
+ */
+struct stream_service_t {
+
+	/**
+	 * Start accepting client connections on this stream service.
+	 *
+	 * To stop accepting connections, pass a NULL callback function.
+	 *
+	 * @param cb		callback function to call for accepted client streams
+	 * @param data		data to pass to callback function
+	 * @param prio		job priority to run callback with
+	 * @param cncrncy	maximum number of parallel callback invocations
+	 */
+	void (*on_accept)(stream_service_t *this,
+					  stream_service_cb_t cb, void *data,
+					  job_priority_t prio, u_int cncrncy);
+
+	/**
+	 * Destroy a stream_service_t.
+	 */
+	void (*destroy)(stream_service_t *this);
+};
+
+/**
+ * Create a service from a file descriptor.
+ *
+ * The file descriptor MUST be a socket.
+ *
+ * @param fd		file descriptor to wrap into a stream_service_t
+ * @return			stream_service instance
+ */
+stream_service_t *stream_service_create_from_fd(int fd);
+
+/**
+ * Create a service instance for UNIX sockets.
+ *
+ * @param uri		UNIX socket specific URI, must start with "unix://"
+ * @param backlog	size of the backlog queue, as passed to listen()
+ * @return			stream_service instance, NULL on failure
+ */
+stream_service_t *stream_service_create_unix(char *uri, int backlog);
+
+/**
+ * Create a service instance for TCP sockets.
+ *
+ * @param uri		TCP socket specific URI, must start with "tcp://"
+ * @param backlog	size of the backlog queue, as passed to listen()
+ * @return			stream_service instance, NULL on failure
+ */
+stream_service_t *stream_service_create_tcp(char *uri, int backlog);
+
+#endif /** STREAM_SERVICE_H_ @}*/
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
new file mode 100644
index 000000000..af7e57140
--- /dev/null
+++ b/src/libstrongswan/networking/tun_device.c
@@ -0,0 +1,470 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2012 Martin Willi
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <net/if.h>
+
+#ifdef __APPLE__
+#include <net/if_utun.h>
+#include <netinet/in_var.h>
+#include <sys/kern_control.h>
+#elif defined(__linux__)
+#include <linux/if_tun.h>
+#else
+#include <net/if_tun.h>
+#endif
+
+#include "tun_device.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <threading/thread.h>
+
+#define TUN_DEFAULT_MTU 1500
+
+typedef struct private_tun_device_t private_tun_device_t;
+
+struct private_tun_device_t {
+
+	/**
+	 * Public interface
+	 */
+	tun_device_t public;
+
+	/**
+	 * The TUN device's file descriptor
+	 */
+	int tunfd;
+
+	/**
+	 * Name of the TUN device
+	 */
+	char if_name[IFNAMSIZ];
+
+	/**
+	 * Socket used for ioctl() to set interface addr, ...
+	 */
+	int sock;
+
+	/**
+	 * The current MTU
+	 */
+	int mtu;
+
+	/**
+	 * Associated address
+	 */
+	host_t *address;
+
+	/**
+	 * Netmask for address
+	 */
+	u_int8_t netmask;
+};
+
+METHOD(tun_device_t, set_address, bool,
+	private_tun_device_t *this, host_t *addr, u_int8_t netmask)
+{
+	struct ifreq ifr;
+	host_t *mask;
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr),
+		   *addr->get_sockaddr_len(addr));
+
+	if (ioctl(this->sock, SIOCSIFADDR, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set address on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+#ifdef __APPLE__
+	if (ioctl(this->sock, SIOCSIFDSTADDR, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set dest address on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+#endif /* __APPLE__ */
+
+	mask = host_create_netmask(addr->get_family(addr), netmask);
+	if (!mask)
+	{
+		DBG1(DBG_LIB, "invalid netmask: %d", netmask);
+		return FALSE;
+	}
+	memcpy(&ifr.ifr_addr, mask->get_sockaddr(mask),
+		   *mask->get_sockaddr_len(mask));
+	mask->destroy(mask);
+
+	if (ioctl(this->sock, SIOCSIFNETMASK, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set netmask on %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+	this->address = addr->clone(addr);
+	this->netmask = netmask;
+	return TRUE;
+}
+
+METHOD(tun_device_t, get_address, host_t*,
+	private_tun_device_t *this, u_int8_t *netmask)
+{
+	if (netmask && this->address)
+	{
+		*netmask = this->netmask;
+	}
+	return this->address;
+}
+
+METHOD(tun_device_t, up, bool,
+	private_tun_device_t *this)
+{
+	struct ifreq ifr;
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+
+	if (ioctl(this->sock, SIOCGIFFLAGS, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to get interface flags for %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+
+	ifr.ifr_flags |= IFF_RUNNING | IFF_UP;
+
+	if (ioctl(this->sock, SIOCSIFFLAGS, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set interface flags on %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, set_mtu, bool,
+	private_tun_device_t *this, int mtu)
+{
+	struct ifreq ifr;
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	ifr.ifr_mtu = mtu;
+
+	if (ioctl(this->sock, SIOCSIFMTU, &ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to set MTU on %s: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	this->mtu = mtu;
+	return TRUE;
+}
+
+METHOD(tun_device_t, get_mtu, int,
+	private_tun_device_t *this)
+{
+	struct ifreq ifr;
+
+	if (this->mtu > 0)
+	{
+		return this->mtu;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	this->mtu = TUN_DEFAULT_MTU;
+
+	if (ioctl(this->sock, SIOCGIFMTU, &ifr) == 0)
+	{
+		this->mtu = ifr.ifr_mtu;
+	}
+	return this->mtu;
+}
+
+METHOD(tun_device_t, get_name, char*,
+	private_tun_device_t *this)
+{
+	return this->if_name;
+}
+
+METHOD(tun_device_t, get_fd, int,
+	private_tun_device_t *this)
+{
+	return this->tunfd;
+}
+
+METHOD(tun_device_t, write_packet, bool,
+	private_tun_device_t *this, chunk_t packet)
+{
+	ssize_t s;
+
+#ifdef __APPLE__
+	/* UTUN's expect the packets to be prepended by a 32-bit protocol number
+	 * instead of parsing the packet again, we assume IPv4 for now */
+	u_int32_t proto = htonl(AF_INET);
+	packet = chunk_cata("cc", chunk_from_thing(proto), packet);
+#endif
+	s = write(this->tunfd, packet.ptr, packet.len);
+	if (s < 0)
+	{
+		DBG1(DBG_LIB, "failed to write packet to TUN device %s: %s",
+			 this->if_name, strerror(errno));
+		return FALSE;
+	}
+	else if (s != packet.len)
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tun_device_t, read_packet, bool,
+	private_tun_device_t *this, chunk_t *packet)
+{
+	ssize_t len;
+	fd_set set;
+	bool old;
+
+	FD_ZERO(&set);
+	FD_SET(this->tunfd, &set);
+
+	old = thread_cancelability(TRUE);
+	len = select(this->tunfd + 1, &set, NULL, NULL, NULL);
+	thread_cancelability(old);
+
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name,
+			 strerror(errno));
+		return FALSE;
+	}
+	/* FIXME: this is quite expensive for lots of small packets, copy from
+	 * local buffer instead? */
+	*packet = chunk_alloc(get_mtu(this));
+	len = read(this->tunfd, packet->ptr, packet->len);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name,
+			 strerror(errno));
+		chunk_free(packet);
+		return FALSE;
+	}
+	packet->len = len;
+#ifdef __APPLE__
+	/* UTUN's prepend packets with a 32-bit protocol number */
+	packet->len -= sizeof(u_int32_t);
+	memmove(packet->ptr, packet->ptr + sizeof(u_int32_t), packet->len);
+#endif
+	return TRUE;
+}
+
+METHOD(tun_device_t, destroy, void,
+	private_tun_device_t *this)
+{
+	if (this->tunfd > 0)
+	{
+		close(this->tunfd);
+#ifdef __FreeBSD__
+		/* tun(4) says the following: "These network interfaces persist until
+		 * the if_tun.ko module is unloaded, or until removed with the
+		 * ifconfig(8) command."  So simply closing the FD is not enough. */
+		struct ifreq ifr;
+
+		memset(&ifr, 0, sizeof(ifr));
+		strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+		if (ioctl(this->sock, SIOCIFDESTROY, &ifr) < 0)
+		{
+			DBG1(DBG_LIB, "failed to destroy %s: %s", this->if_name,
+				 strerror(errno));
+		}
+#endif /* __FreeBSD__ */
+	}
+	if (this->sock > 0)
+	{
+		close(this->sock);
+	}
+	DESTROY_IF(this->address);
+	free(this);
+}
+
+/**
+ * Initialize the tun device
+ */
+static bool init_tun(private_tun_device_t *this, const char *name_tmpl)
+{
+#ifdef __APPLE__
+
+	struct ctl_info info;
+	struct sockaddr_ctl addr;
+	socklen_t size = IFNAMSIZ;
+
+	memset(&info, 0, sizeof(info));
+	memset(&addr, 0, sizeof(addr));
+
+	this->tunfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
+	if (this->tunfd < 0)
+	{
+		DBG1(DBG_LIB, "failed to open tundevice PF_SYSTEM socket: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+
+	/* get a control identifier for the utun kernel extension */
+	strncpy(info.ctl_name, UTUN_CONTROL_NAME, strlen(UTUN_CONTROL_NAME));
+	if (ioctl(this->tunfd, CTLIOCGINFO, &info) < 0)
+	{
+		DBG1(DBG_LIB, "failed to ioctl tundevice: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+
+	addr.sc_id = info.ctl_id;
+	addr.sc_len = sizeof(addr);
+	addr.sc_family = AF_SYSTEM;
+	addr.ss_sysaddr = AF_SYS_CONTROL;
+	/* allocate identifier dynamically */
+	addr.sc_unit = 0;
+
+	if (connect(this->tunfd, (struct sockaddr*)&addr, sizeof(addr)) < 0)
+	{
+		DBG1(DBG_LIB, "failed to connect tundevice: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+	if (getsockopt(this->tunfd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME,
+				   this->if_name, &size) < 0)
+	{
+		DBG1(DBG_LIB, "getting tundevice name failed: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+	return TRUE;
+
+#elif defined(IFF_TUN)
+
+	struct ifreq ifr;
+
+	strncpy(this->if_name, name_tmpl ?: "tun%d", IFNAMSIZ);
+	this->if_name[IFNAMSIZ-1] = '\0';
+
+	this->tunfd = open("/dev/net/tun", O_RDWR);
+	if (this->tunfd < 0)
+	{
+		DBG1(DBG_LIB, "failed to open /dev/net/tun: %s", strerror(errno));
+		return FALSE;
+	}
+
+	memset(&ifr, 0, sizeof(ifr));
+
+	/* TUN device, no packet info */
+	ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
+
+	strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ);
+	if (ioctl(this->tunfd, TUNSETIFF, (void*)&ifr) < 0)
+	{
+		DBG1(DBG_LIB, "failed to configure TUN device: %s", strerror(errno));
+		close(this->tunfd);
+		return FALSE;
+	}
+	strncpy(this->if_name, ifr.ifr_name, IFNAMSIZ);
+	return TRUE;
+
+#else /* !IFF_TUN */
+
+	/* this works on FreeBSD and might also work on Linux with older TUN
+	 * driver versions (no IFF_TUN) */
+	char devname[IFNAMSIZ];
+	/* the same process is allowed to open a device again, but that's not what
+	 * we want (unless we previously closed a device, which we don't know at
+	 * this point).  therefore, this counter is static so we don't accidentally
+	 * open a device twice */
+	static int i = -1;
+
+	if (name_tmpl)
+	{
+		DBG1(DBG_LIB, "arbitrary naming of TUN devices is not supported");
+	}
+
+	for (; ++i < 256; )
+	{
+		snprintf(devname, IFNAMSIZ, "/dev/tun%d", i);
+		this->tunfd = open(devname, O_RDWR);
+		if (this->tunfd > 0)
+		{	/* for ioctl(2) calls only the interface name is used */
+			snprintf(this->if_name, IFNAMSIZ, "tun%d", i);
+			break;
+		}
+		DBG1(DBG_LIB, "failed to open %s: %s", this->if_name, strerror(errno));
+	}
+	return this->tunfd > 0;
+
+#endif /* !__APPLE__ */
+}
+
+/*
+ * Described in header
+ */
+tun_device_t *tun_device_create(const char *name_tmpl)
+{
+	private_tun_device_t *this;
+
+	INIT(this,
+		.public = {
+			.read_packet = _read_packet,
+			.write_packet = _write_packet,
+			.get_mtu = _get_mtu,
+			.set_mtu = _set_mtu,
+			.get_name = _get_name,
+			.get_fd = _get_fd,
+			.set_address = _set_address,
+			.get_address = _get_address,
+			.up = _up,
+			.destroy = _destroy,
+		},
+		.tunfd = -1,
+		.sock = -1,
+	);
+
+	if (!init_tun(this, name_tmpl))
+	{
+		free(this);
+		return NULL;
+	}
+	DBG1(DBG_LIB, "created TUN device: %s", this->if_name);
+
+	this->sock = socket(AF_INET, SOCK_DGRAM, 0);
+	if (this->sock < 0)
+	{
+		DBG1(DBG_LIB, "failed to open socket to configure TUN device");
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h
new file mode 100644
index 000000000..1d330f133
--- /dev/null
+++ b/src/libstrongswan/networking/tun_device.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tun_device tun_device
+ * @{ @ingroup networking
+ */
+
+#ifndef TUN_DEVICE_H_
+#define TUN_DEVICE_H_
+
+#include <library.h>
+#include <networking/host.h>
+
+typedef struct tun_device_t tun_device_t;
+
+/**
+ * Class to create TUN devices
+ *
+ * Creating such a device requires the CAP_NET_ADMIN capability.
+ *
+ * @note The implementation is currently very Linux specific
+ */
+struct tun_device_t {
+
+	/**
+	 * Read a packet from the TUN device
+	 *
+	 * @note This call blocks until a packet is available. It is a thread
+	 * cancellation point.
+	 *
+	 * @param packet		the packet read from the device
+	 * @return				TRUE if successful
+	 */
+	bool (*read_packet)(tun_device_t *this, chunk_t *packet);
+
+	/**
+	 * Write a packet to the TUN device
+	 *
+	 * @param packet		the packet to write to the TUN device
+	 * @return				TRUE if successful
+	 */
+	bool (*write_packet)(tun_device_t *this, chunk_t packet);
+
+	/**
+	 * Set the IP address of the device
+	 *
+	 * @param addr			the desired interface address
+	 * @param netmask		the netmask to use
+	 * @return				TRUE if operation successful
+	 */
+	bool (*set_address)(tun_device_t *this, host_t *addr, u_int8_t netmask);
+
+	/**
+	 * Get the IP address previously assigned to using set_address().
+	 *
+	 * @param netmask		pointer receiving the configured netmask, or NULL
+	 * @return				address previously set, NULL if none
+	 */
+	host_t* (*get_address)(tun_device_t *this, u_int8_t *netmask);
+
+	/**
+	 * Bring the TUN device up
+	 *
+	 * @return				TRUE if operation successful
+	 */
+	bool (*up)(tun_device_t *this);
+
+	/**
+	 * Set the MTU for this TUN device
+	 *
+	 * @param mtu			new MTU
+	 * @return				TRUE if operation successful
+	 */
+	bool (*set_mtu)(tun_device_t *this, int mtu);
+
+	/**
+	 * Get the current MTU for this TUN device
+	 *
+	 * @return				current MTU
+	 */
+	int (*get_mtu)(tun_device_t *this);
+
+	/**
+	 * Get the interface name of this device
+	 *
+	 * @return				interface name
+	 */
+	char *(*get_name)(tun_device_t *this);
+
+	/**
+	 * Get the underlying tun file descriptor.
+	 *
+	 * @return				file descriptor of this tun device
+	 */
+	int (*get_fd)(tun_device_t *this);
+
+	/**
+	 * Destroy a tun_device_t
+	 */
+	void (*destroy)(tun_device_t *this);
+
+};
+
+/**
+ * Create a TUN device using the given name template.
+ *
+ * @param name_tmpl			name template, defaults to "tun%d" if not given
+ * @return					TUN device
+ */
+tun_device_t *tun_device_create(const char *name_tmpl);
+
+#endif /** TUN_DEVICE_H_ @}*/
diff --git a/src/libstrongswan/pen/pen.c b/src/libstrongswan/pen/pen.c
index 3dd92218d..474a7a876 100644
--- a/src/libstrongswan/pen/pen.c
+++ b/src/libstrongswan/pen/pen.c
@@ -17,17 +17,33 @@
 
 ENUM_BEGIN(pen_names, PEN_IETF, PEN_IETF,
 	"IETF");
-ENUM_NEXT(pen_names, PEN_MICROSOFT, PEN_MICROSOFT, PEN_IETF,
+ENUM_NEXT(pen_names, PEN_IBM, PEN_IBM, PEN_IETF,
+	"IBM");
+ENUM_NEXT(pen_names, PEN_MICROSOFT, PEN_MICROSOFT, PEN_IBM,
 	"Microsoft");
-ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_MICROSOFT,
+ENUM_NEXT(pen_names, PEN_REDHAT, PEN_REDHAT, PEN_MICROSOFT,
+	"Redhat");
+ENUM_NEXT(pen_names, PEN_ALTIGA, PEN_ALTIGA, PEN_REDHAT,
+	"Altiga");
+ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_ALTIGA,
 	"OSC");
-ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_OSC,
+ENUM_NEXT(pen_names, PEN_DEBIAN, PEN_DEBIAN, PEN_OSC,
+	"Debian Project");
+ENUM_NEXT(pen_names, PEN_GOOGLE, PEN_GOOGLE, PEN_DEBIAN,
+	"Google");
+ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_GOOGLE,
 	"TCG");
-ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_TCG,
+ENUM_NEXT(pen_names, PEN_CANONICAL, PEN_CANONICAL, PEN_TCG,
+	"Canonical");
+ENUM_NEXT(pen_names, PEN_FEDORA, PEN_FEDORA, PEN_CANONICAL,
+	"Fedora Project");
+ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_FEDORA,
 	"FHH");
 ENUM_NEXT(pen_names, PEN_ITA, PEN_ITA, PEN_FHH,
 	"ITA-HSR");
-ENUM_NEXT(pen_names, PEN_RESERVED, PEN_RESERVED, PEN_ITA,
+ENUM_NEXT(pen_names, PEN_OPENPTS, PEN_OPENPTS, PEN_ITA,
+	"OpenPTS");
+ENUM_NEXT(pen_names, PEN_UNASSIGNED, PEN_RESERVED, PEN_OPENPTS,
+	"Unassigned",
 	"Reserved");
 ENUM_END(pen_names, PEN_RESERVED);
-
diff --git a/src/libstrongswan/pen/pen.h b/src/libstrongswan/pen/pen.h
index 396cc7199..1760a0578 100644
--- a/src/libstrongswan/pen/pen.h
+++ b/src/libstrongswan/pen/pen.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -27,18 +27,80 @@
 #include <library.h>
 
 typedef enum pen_t pen_t;
+typedef struct pen_type_t pen_type_t;
 
+/**
+ * Private enterprise numbers allocated by IANA.
+ *
+ * http://www.iana.org/assignments/enterprise-numbers
+ */
 enum pen_t {
-	PEN_IETF =		0x000000,	/*        0 */
-	PEN_MICROSOFT = 0x000137,	/*      311 */
-	PEN_OSC =		0x002358,	/*     9048 */
-	PEN_TCG =		0x005597,	/*    21911 */
-	PEN_FHH =		0x0080ab,	/*    32939 */
-	PEN_ITA =		0x00902a,	/*    36906 */
-	PEN_RESERVED =	0xffffff,	/* 16777215 */
+	PEN_IETF =			0x000000,	/*        0 */
+	PEN_IBM =			0x000002,	/*        2 */
+	PEN_MICROSOFT =		0x000137,	/*      311 */
+	PEN_REDHAT =		0x000908,	/*     2312 */
+	PEN_ALTIGA =		0x000c04,	/*     3076 */
+	PEN_OSC =			0x002358,	/*     9048 */
+	PEN_DEBIAN =		0x002572,	/*     9586 */
+	PEN_GOOGLE =		0x002B79,	/*    11129 */
+	PEN_TCG =			0x005597,	/*    21911 */
+	PEN_CANONICAL =		0x007132,	/*    28978 */
+	PEN_FEDORA =		0x0076C1,	/*    30401 */
+	PEN_FHH =			0x0080ab,	/*    32939 */
+	PEN_ITA =			0x00902a,	/*    36906 */
+	PEN_OPENPTS =		0x00950e,	/*    38158 */
+	PEN_UNASSIGNED = 	0xfffffe,	/* 16777214 */
+	PEN_RESERVED =		0xffffff,	/* 16777215 */
+};
+
+/**
+ * Vendor specific type in vendor specific namespace.
+ */
+struct pen_type_t {
+	pen_t vendor_id;
+	u_int32_t type;
 };
 
 /**
+ * Create a pen_type_t struct
+ *
+ * @param vendor_id		vendor ID to create a pen_type_t
+ * @param type			type to create a pen_type_t
+ * @return				created pen_type_t
+ */
+static inline pen_type_t pen_type_create(pen_t vendor_id, u_int32_t type)
+{
+	pen_type_t pen_type = { vendor_id, type };
+	return pen_type;
+}
+
+/**
+ * Check two pen_type_t for equality.
+ *
+ * @param a				first pen_type_t to compare
+ * @param b				second pen_type_t to compare
+ * @return				TRUE if a == b
+ */
+static inline bool pen_type_equals(pen_type_t a, pen_type_t b)
+{
+	return a.vendor_id == b.vendor_id && a.type == b.type;
+}
+
+/**
+ * Check if a pen_type_t matches vendor and type.
+ *
+ * @param pen_type		pen_type_t to compare
+ * @param vendor_id		vendor to check in pen_type
+ * @param type			type to check in pen_type
+ * @return				TRUE if vendor_id and type matches pen_type
+ */
+static inline bool pen_type_is(pen_type_t pen_type,
+							   pen_t vendor_id, u_int32_t type)
+{
+	return pen_type.vendor_id == vendor_id && pen_type.type == type;
+}
+
+/**
  * enum names for pen_t.
  */
 extern enum_name_t *pen_names;
diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am
index e72daeb44..8c5505bfc 100644
--- a/src/libstrongswan/plugins/aes/Makefile.am
+++ b/src/libstrongswan/plugins/aes/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-aes.la
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 53eecbe8d..c2de8b327 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_aes_la_LIBADD =
 am_libstrongswan_aes_la_OBJECTS = aes_plugin.lo aes_crypter.lo
 libstrongswan_aes_la_OBJECTS = $(am_libstrongswan_aes_la_OBJECTS)
-libstrongswan_aes_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_aes_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_aes_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_aes_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_aes_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_aes_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_aes_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_aes_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-aes.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-aes.la
 libstrongswan_aes_la_SOURCES = \
@@ -333,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -341,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -362,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) 
-	$(libstrongswan_aes_la_LINK) $(am_libstrongswan_aes_la_rpath) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
+libstrongswan-aes.la: $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_DEPENDENCIES) $(EXTRA_libstrongswan_aes_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_aes_la_LINK) $(am_libstrongswan_aes_la_rpath) $(libstrongswan_aes_la_OBJECTS) $(libstrongswan_aes_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -500,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index 2a1fed944..6b3d03cea 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -1331,7 +1331,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
     state_out(out_blk, b0);
 }
 
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
 	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	int pos;
@@ -1371,9 +1371,10 @@ METHOD(crypter_t, decrypt, void,
 		out-=16;
 		pos-=16;
 	}
+	return TRUE;
 }
 
-METHOD(crypter_t, encrypt, void,
+METHOD(crypter_t, encrypt, bool,
 	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	int pos;
@@ -1408,6 +1409,7 @@ METHOD(crypter_t, encrypt, void,
 		out+=16;
 		pos+=16;
 	}
+	return TRUE;
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -1428,7 +1430,7 @@ METHOD(crypter_t, get_key_size, size_t,
 	return this->key_size;
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_aes_crypter_t *this, chunk_t key)
 {
 	u_int32_t    *kf, *kt, rci, f = 0;
@@ -1513,6 +1515,7 @@ METHOD(crypter_t, set_key, void,
 		}
 		cpy(kt, kf);
 	}
+	return TRUE;
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.am b/src/libstrongswan/plugins/af_alg/Makefile.am
index a33fd30b6..58113ca3d 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.am
+++ b/src/libstrongswan/plugins/af_alg/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-af-alg.la
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 679e883e1..5920cc5f6 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_af_alg_la_LIBADD =
@@ -80,48 +104,77 @@ am_libstrongswan_af_alg_la_OBJECTS = af_alg_plugin.lo af_alg_ops.lo \
 	af_alg_crypter.lo
 libstrongswan_af_alg_la_OBJECTS =  \
 	$(am_libstrongswan_af_alg_la_OBJECTS)
-libstrongswan_af_alg_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_af_alg_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_af_alg_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_af_alg_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_af_alg_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_af_alg_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_af_alg_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_af_alg_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,8 +346,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-af-alg.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-af-alg.la
 libstrongswan_af_alg_la_SOURCES = \
@@ -342,7 +409,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -350,6 +416,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -371,8 +439,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) 
-	$(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
+libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) $(EXTRA_libstrongswan_af_alg_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -388,25 +456,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_signer.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -513,10 +581,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
index 9c547140d..5d0976d95 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
@@ -131,32 +131,26 @@ static size_t lookup_alg(encryption_algorithm_t algo, char **name,
 	return 0;
 }
 
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
 	private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	if (dst)
 	{
 		*dst = chunk_alloc(data.len);
-		this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, dst->ptr);
-	}
-	else
-	{
-		this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr);
+		return this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, dst->ptr);
 	}
+	return this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr);
 }
 
-METHOD(crypter_t, encrypt, void,
+METHOD(crypter_t, encrypt, bool,
 	private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	if (dst)
 	{
 		*dst = chunk_alloc(data.len);
-		this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, dst->ptr);
-	}
-	else
-	{
-		this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, data.ptr);
+		return this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, dst->ptr);
 	}
+	return this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, data.ptr);
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -177,10 +171,10 @@ METHOD(crypter_t, get_key_size, size_t,
 	return this->keymat_size;
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_af_alg_crypter_t *this, chunk_t key)
 {
-	this->ops->set_key(this->ops, key);
+	return this->ops->set_key(this->ops, key);
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
index ef2350497..47a6e5e0e 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
@@ -99,30 +99,28 @@ METHOD(hasher_t, get_hash_size, size_t,
 	return this->size;
 }
 
-METHOD(hasher_t, reset, void,
+METHOD(hasher_t, reset, bool,
 	private_af_alg_hasher_t *this)
 {
 	this->ops->reset(this->ops);
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, get_hash, bool,
 	private_af_alg_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
-	this->ops->hash(this->ops, chunk, hash, this->size);
+	return this->ops->hash(this->ops, chunk, hash, this->size);
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_af_alg_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
 		*hash = chunk_alloc(get_hash_size(this));
-		get_hash(this, chunk, hash->ptr);
-	}
-	else
-	{
-		get_hash(this, chunk, NULL);
+		return get_hash(this, chunk, hash->ptr);
 	}
+	return get_hash(this, chunk, NULL);
 }
 
 METHOD(hasher_t, destroy, void,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
index a7b5de264..331d1e801 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_ops.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
@@ -19,7 +19,7 @@
 #include <errno.h>
 #include <linux/socket.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_af_alg_ops_t private_af_alg_ops_t;
 
@@ -54,7 +54,7 @@ METHOD(af_alg_ops_t, reset, void,
 	}
 }
 
-METHOD(af_alg_ops_t, hash, void,
+METHOD(af_alg_ops_t, hash, bool,
 	private_af_alg_ops_t *this, chunk_t data, char *out, size_t outlen)
 {
 	ssize_t len;
@@ -62,39 +62,52 @@ METHOD(af_alg_ops_t, hash, void,
 	while (this->op == -1)
 	{
 		this->op = accept(this->tfm, NULL, 0);
-		if (this->op == -1)
+		if (this->op == -1 && errno != EINTR)
 		{
 			DBG1(DBG_LIB, "opening AF_ALG hasher failed: %s", strerror(errno));
-			sleep(1);
+			return FALSE;
 		}
 	}
+
 	do
 	{
 		len = send(this->op, data.ptr, data.len, out ? 0 : MSG_MORE);
 		if (len == -1)
 		{
+			if (errno == EINTR)
+			{
+				continue;
+			}
 			DBG1(DBG_LIB, "writing to AF_ALG hasher failed: %s", strerror(errno));
-			sleep(1);
-		}
-		else
-		{
-			data = chunk_skip(data, len);
+			return FALSE;
 		}
+		data = chunk_skip(data, len);
 	}
 	while (data.len);
 
 	if (out)
 	{
-		while (read(this->op, out, outlen) != outlen)
+		while (outlen)
 		{
-			DBG1(DBG_LIB, "reading AF_ALG hasher failed: %s", strerror(errno));
-			sleep(1);
+			len = read(this->op, out, outlen);
+			if (len == -1)
+			{
+				if (errno == EINTR)
+				{
+					continue;
+				}
+				DBG1(DBG_LIB, "reading AF_ALG hasher failed: %s", strerror(errno));
+				return FALSE;
+			}
+			outlen -= len;
+			out += len;
 		}
 		reset(this);
 	}
+	return TRUE;
 }
 
-METHOD(af_alg_ops_t, crypt, void,
+METHOD(af_alg_ops_t, crypt, bool,
 	private_af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
 	char *out)
 {
@@ -107,11 +120,16 @@ METHOD(af_alg_ops_t, crypt, void,
 	ssize_t len;
 	int op;
 
-	while ((op = accept(this->tfm, NULL, 0)) == -1)
+	do
 	{
-		DBG1(DBG_LIB, "accepting AF_ALG crypter failed: %s", strerror(errno));
-		sleep(1);
+		op = accept(this->tfm, NULL, 0);
+		if (op == -1 && errno != EINTR)
+		{
+			DBG1(DBG_LIB, "accepting AF_ALG crypter failed: %s", strerror(errno));
+			return FALSE;
+		}
 	}
+	while (op == -1);
 
 	memset(buf, 0, sizeof(buf));
 
@@ -143,30 +161,39 @@ METHOD(af_alg_ops_t, crypt, void,
 		len = sendmsg(op, &msg, 0);
 		if (len == -1)
 		{
-			DBG1(DBG_LIB, "writing to AF_ALG crypter failed: %s",
-				 strerror(errno));
-			sleep(1);
-			continue;
+			if (errno == EINTR)
+			{
+				continue;
+			}
+			DBG1(DBG_LIB, "writing to AF_ALG crypter failed: %s", strerror(errno));
+			return FALSE;
 		}
-		if (read(op, out, len) != len)
+		while (read(op, out, len) != len)
 		{
-			DBG1(DBG_LIB, "reading from AF_ALG crypter failed: %s",
-				 strerror(errno));
+			if (errno != EINTR)
+			{
+				DBG1(DBG_LIB, "reading from AF_ALG crypter failed: %s",
+					 strerror(errno));
+				return FALSE;
+			}
 		}
 		data = chunk_skip(data, len);
 		/* no IV for subsequent data chunks */
 		msg.msg_controllen = 0;
 	}
 	close(op);
+	return TRUE;
 }
 
-METHOD(af_alg_ops_t, set_key, void,
+METHOD(af_alg_ops_t, set_key, bool,
 	private_af_alg_ops_t *this, chunk_t key)
 {
 	if (setsockopt(this->tfm, SOL_ALG, ALG_SET_KEY, key.ptr, key.len) == -1)
 	{
 		DBG1(DBG_LIB, "setting AF_ALG key failed: %s", strerror(errno));
+		return FALSE;
 	}
+	return TRUE;
 }
 
 METHOD(af_alg_ops_t, destroy, void,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.h b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
index ad164029f..e34f22977 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_ops.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
@@ -46,8 +46,9 @@ struct af_alg_ops_t {
 	 * @param data		data to hash
 	 * @param out		buffer to write hash to, NULL for append mode
 	 * @param outlen	number of bytes to read into out
+	 * @return			TRUE if successful
 	 */
-	void (*hash)(af_alg_ops_t *this, chunk_t data, char *out, size_t outlen);
+	bool (*hash)(af_alg_ops_t *this, chunk_t data, char *out, size_t outlen);
 
 	/**
 	 * Reset hasher state.
@@ -61,16 +62,18 @@ struct af_alg_ops_t {
 	 * @param iv		iv to use
 	 * @param data		data to encrypt/decrypt
 	 * @param out		buffer write processed data to
+	 * @return			TRUE if successful
 	 */
-	void (*crypt)(af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
+	bool (*crypt)(af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
 				  char *out);
 
 	/**
 	 * Set the key for en-/decryption or HMAC/XCBC operations.
 	 *
 	 * @param key		key to set for transform
+	 * @return			TRUE if successful
 	 */
-	void (*set_key)(af_alg_ops_t *this, chunk_t key);
+	bool (*set_key)(af_alg_ops_t *this, chunk_t key);
 
 	/**
 	 * Destroy a af_alg_ops_t.
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
index a7912291f..720738a84 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_prf.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
@@ -105,24 +105,21 @@ static size_t lookup_alg(pseudo_random_function_t algo, char **name, bool *xcbc)
 	return 0;
 }
 
-METHOD(prf_t, get_bytes, void,
+METHOD(prf_t, get_bytes, bool,
 	private_af_alg_prf_t *this, chunk_t seed, u_int8_t *buffer)
 {
-	this->ops->hash(this->ops, seed, buffer, this->block_size);
+	return this->ops->hash(this->ops, seed, buffer, this->block_size);
 }
 
-METHOD(prf_t, allocate_bytes, void,
+METHOD(prf_t, allocate_bytes, bool,
 	private_af_alg_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	if (chunk)
 	{
 		*chunk = chunk_alloc(this->block_size);
-		get_bytes(this, seed, chunk->ptr);
-	}
-	else
-	{
-		get_bytes(this, seed, NULL);
+		return get_bytes(this, seed, chunk->ptr);
 	}
+	return get_bytes(this, seed, NULL);
 }
 
 METHOD(prf_t, get_block_size, size_t,
@@ -137,7 +134,7 @@ METHOD(prf_t, get_key_size, size_t,
 	return this->block_size;
 }
 
-METHOD(prf_t, set_key, void,
+METHOD(prf_t, set_key, bool,
 	private_af_alg_prf_t *this, chunk_t key)
 {
 	char buf[this->block_size];
@@ -155,12 +152,15 @@ METHOD(prf_t, set_key, void,
 		else if (key.len > this->block_size)
 		{
 			memset(buf, 0, this->block_size);
-			this->ops->set_key(this->ops, chunk_from_thing(buf));
-			this->ops->hash(this->ops, key, buf, this->block_size);
+			if (!this->ops->set_key(this->ops, chunk_from_thing(buf)) ||
+				!this->ops->hash(this->ops, key, buf, this->block_size))
+			{
+				return FALSE;
+			}
 			key = chunk_from_thing(buf);
 		}
 	}
-	this->ops->set_key(this->ops, key);
+	return this->ops->set_key(this->ops, key);
 }
 
 METHOD(prf_t, destroy, void,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
index 6cd79f8f2..6ee380633 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -64,6 +64,7 @@ static struct {
 	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)",		24,		48,	},
 	{AUTH_HMAC_SHA2_384_384,	"hmac(sha384)",		48,		48,	},
 	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)",		32,		64,	},
+	{AUTH_HMAC_SHA2_512_512,	"hmac(sha512)",		64,		64,	},
 	{AUTH_AES_XCBC_96,			"xcbc(aes)",		12,		16,	},
 	{AUTH_CAMELLIA_XCBC_96,		"xcbc(camellia)",	12,		16,	},
 };
@@ -107,24 +108,21 @@ static size_t lookup_alg(integrity_algorithm_t algo, char **name,
 	return 0;
 }
 
-METHOD(signer_t, get_signature, void,
+METHOD(signer_t, get_signature, bool,
 	private_af_alg_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
-	this->ops->hash(this->ops, data, buffer, this->block_size);
+	return this->ops->hash(this->ops, data, buffer, this->block_size);
 }
 
-METHOD(signer_t, allocate_signature, void,
+METHOD(signer_t, allocate_signature, bool,
 	private_af_alg_signer_t *this, chunk_t data, chunk_t *chunk)
 {
 	if (chunk)
 	{
 		*chunk = chunk_alloc(this->block_size);
-		get_signature(this, data, chunk->ptr);
-	}
-	else
-	{
-		get_signature(this, data, NULL);
+		return get_signature(this, data, chunk->ptr);
 	}
+	return get_signature(this, data, NULL);
 }
 
 METHOD(signer_t, verify_signature, bool,
@@ -136,7 +134,10 @@ METHOD(signer_t, verify_signature, bool,
 	{
 		return FALSE;
 	}
-	get_signature(this, data, sig);
+	if (!get_signature(this, data, sig))
+	{
+		return FALSE;
+	}
 	return memeq(signature.ptr, sig, signature.len);
 }
 
@@ -152,10 +153,10 @@ METHOD(signer_t, get_block_size, size_t,
 	return this->block_size;
 }
 
-METHOD(signer_t, set_key, void,
+METHOD(signer_t, set_key, bool,
 	private_af_alg_signer_t *this, chunk_t key)
 {
-	this->ops->set_key(this->ops, key);
+	return this->ops->set_key(this->ops, key);
 }
 
 METHOD(signer_t, destroy, void,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.h b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
index deced7110..5f52e0ce6 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.h
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
@@ -27,7 +27,7 @@ typedef struct af_alg_signer_t af_alg_signer_t;
 #include <crypto/signers/signer.h>
 
 /** Number of signers */
-#define AF_ALG_SIGNER 13
+#define AF_ALG_SIGNER 14
 
 /**
  * Implementation of signers using AF_ALG.
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am
index ffa6e8b7f..e60d19363 100644
--- a/src/libstrongswan/plugins/agent/Makefile.am
+++ b/src/libstrongswan/plugins/agent/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-agent.la
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 452233b85..b1e343c8d 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,54 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_agent_la_LIBADD =
 am_libstrongswan_agent_la_OBJECTS = agent_plugin.lo \
 	agent_private_key.lo
 libstrongswan_agent_la_OBJECTS = $(am_libstrongswan_agent_la_OBJECTS)
-libstrongswan_agent_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_agent_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_agent_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_agent_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_agent_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_agent_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_agent_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_agent_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-agent.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-agent.la
 libstrongswan_agent_la_SOURCES = \
@@ -336,7 +402,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -344,6 +409,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -365,8 +432,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) 
-	$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
+libstrongswan-agent.la: $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_DEPENDENCIES) $(EXTRA_libstrongswan_agent_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_agent_la_LINK) $(am_libstrongswan_agent_la_rpath) $(libstrongswan_agent_la_OBJECTS) $(libstrongswan_agent_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -378,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/agent_private_key.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -503,10 +570,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 980a140b9..322ded48c 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -42,7 +42,9 @@ METHOD(plugin_t, get_features, int,
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(PRIVKEY, agent_private_key_open, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 60b57ad2d..8a3fb150a 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -24,8 +24,8 @@
 #include <errno.h>
 
 #include <library.h>
-#include <chunk.h>
-#include <debug.h>
+#include <utils/chunk.h>
+#include <utils/debug.h>
 
 #ifndef UNIX_PATH_MAX
 #define UNIX_PATH_MAX 108
@@ -49,11 +49,16 @@ struct private_agent_private_key_t {
 	int socket;
 
 	/**
-	 * key identity blob in ssh format
+	 * public key encoded in SSH format
 	 */
 	chunk_t key;
 
 	/**
+	 * public key
+	 */
+	public_key_t *pubkey;
+
+	/**
 	 * keysize in bytes
 	 */
 	size_t key_size;
@@ -163,7 +168,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 {
 	int len;
 	char buf[2048];
-	chunk_t blob, key, type, n;
+	chunk_t blob, key;
 
 	len = htonl(1);
 	buf[0] = SSH_AGENT_ID_REQUEST;
@@ -193,34 +198,40 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		{
 			break;
 		}
-		this->key = key;
-		type = read_string(&key);
-		if (!type.len || !strneq("ssh-rsa", type.ptr, type.len))
-		{
-			break;
-		}
-		read_string(&key);
-		n = read_string(&key);
-		if (n.len <= 512/8)
+		this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+										  BUILD_BLOB_SSHKEY, key, BUILD_END);
+		if (!this->pubkey)
 		{
-			break;;
+			continue;
 		}
 		if (pubkey && !private_key_belongs_to(&this->public.key, pubkey))
 		{
+			this->pubkey->destroy(this->pubkey);
+			this->pubkey = NULL;
 			continue;
 		}
-		this->key_size = n.len;
-		if (n.ptr[0] == 0)
-		{
-			this->key_size--;
-		}
-		this->key = chunk_clone(this->key);
+		this->key = chunk_clone(key);
 		return TRUE;
 	}
-	this->key = chunk_empty;
 	return FALSE;
 }
 
+static bool scheme_supported(private_agent_private_key_t *this,
+							signature_scheme_t scheme)
+{
+	switch (this->pubkey->get_type(this->pubkey))
+	{
+		case KEY_RSA:
+			return scheme == SIGN_RSA_EMSA_PKCS1_SHA1;
+		case KEY_ECDSA:
+			return scheme == SIGN_ECDSA_256 ||
+				   scheme == SIGN_ECDSA_384 ||
+				   scheme == SIGN_ECDSA_521;
+		default:
+			return FALSE;
+	}
+}
+
 METHOD(private_key_t, sign, bool,
 	private_agent_private_key_t *this, signature_scheme_t scheme,
 	chunk_t data, chunk_t *signature)
@@ -229,7 +240,7 @@ METHOD(private_key_t, sign, bool,
 	char buf[2048];
 	chunk_t blob;
 
-	if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
+	if (!scheme_supported(this, scheme))
 	{
 		DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent",
 			 signature_scheme_names, scheme);
@@ -279,23 +290,40 @@ METHOD(private_key_t, sign, bool,
 	}
 	/* parse length */
 	blob = read_string(&blob);
-	/* skip sig type */
-	read_string(&blob);
-	/* parse length */
-	blob = read_string(&blob);
-	if (!blob.len)
-	{
-		DBG1(DBG_LIB, "received invalid ssh-agent signature response");
-		return FALSE;
+	/* check sig type */
+	if (chunk_equals(read_string(&blob), chunk_from_str("ssh-rsa")))
+	{	/* for RSA the signature has no special encoding */
+		blob = read_string(&blob);
+		if (blob.len)
+		{
+			*signature = chunk_clone(blob);
+			return TRUE;
+		}
+	}
+	else
+	{	/* anything else is treated as ECSDA for now */
+		blob = read_string(&blob);
+		if (blob.len)
+		{
+			chunk_t r, s;
+
+			r = read_string(&blob);
+			s = read_string(&blob);
+			if (r.len && s.len)
+			{
+				*signature = chunk_cat("cc", r, s);
+				return TRUE;
+			}
+		}
 	}
-	*signature =  chunk_clone(blob);
-	return TRUE;
+	DBG1(DBG_LIB, "received invalid ssh-agent signature response");
+	return FALSE;
 }
 
 METHOD(private_key_t, get_type, key_type_t,
 	private_agent_private_key_t *this)
 {
-	return KEY_RSA;
+	return this->pubkey->get_type(this->pubkey);
 }
 
 METHOD(private_key_t, decrypt, bool,
@@ -309,21 +337,13 @@ METHOD(private_key_t, decrypt, bool,
 METHOD(private_key_t, get_keysize, int,
 	private_agent_private_key_t *this)
 {
-	return this->key_size * 8;
+	return this->pubkey->get_keysize(this->pubkey);
 }
 
 METHOD(private_key_t, get_public_key, public_key_t*,
 	private_agent_private_key_t *this)
 {
-	chunk_t key, n, e;
-
-	key = this->key;
-	read_string(&key);
-	e = read_string(&key);
-	n = read_string(&key);
-
-	return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+	return this->pubkey->get_ref(this->pubkey);
 }
 
 METHOD(private_key_t, get_encoding, bool,
@@ -336,19 +356,7 @@ METHOD(private_key_t, get_encoding, bool,
 METHOD(private_key_t, get_fingerprint, bool,
 	private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
-	chunk_t n, e, key;
-
-	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
-	{
-		return TRUE;
-	}
-	key = this->key;
-	read_string(&key);
-	e = read_string(&key);
-	n = read_string(&key);
-
-	return lib->encoding->encode(lib->encoding, type, this, fp,
-			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+	return this->pubkey->get_fingerprint(this->pubkey, type, fp);
 }
 
 METHOD(private_key_t, get_ref, private_key_t*,
@@ -364,8 +372,8 @@ METHOD(private_key_t, destroy, void,
 	if (ref_put(&this->ref))
 	{
 		close(this->socket);
-		free(this->key.ptr);
-		lib->encoding->clear_cache(lib->encoding, this);
+		chunk_free(&this->key);
+		DESTROY_IF(this->pubkey);
 		free(this);
 	}
 }
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
index 95c414204..3e5cf8f08 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.am
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-blowfish.la
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 52f5fa98a..7d469d3f7 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_blowfish_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_blowfish_la_OBJECTS = blowfish_plugin.lo \
 	blowfish_crypter.lo bf_skey.lo bf_enc.lo
 libstrongswan_blowfish_la_OBJECTS =  \
 	$(am_libstrongswan_blowfish_la_OBJECTS)
-libstrongswan_blowfish_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_blowfish_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_blowfish_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_blowfish_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_blowfish_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_blowfish_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_blowfish_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-blowfish.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-blowfish.la
 libstrongswan_blowfish_la_SOURCES = \
@@ -338,7 +403,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +410,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +433,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) 
-	$(libstrongswan_blowfish_la_LINK) $(am_libstrongswan_blowfish_la_rpath) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
+libstrongswan-blowfish.la: $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_DEPENDENCIES) $(EXTRA_libstrongswan_blowfish_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_blowfish_la_LINK) $(am_libstrongswan_blowfish_la_rpath) $(libstrongswan_blowfish_la_OBJECTS) $(libstrongswan_blowfish_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +448,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +573,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index fc3649b36..253f9b4a4 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -87,7 +87,7 @@ struct private_blowfish_crypter_t {
 	u_int32_t key_size;
 };
 
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
 	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	chunk_t *decrypted)
 {
@@ -108,9 +108,11 @@ METHOD(crypter_t, decrypt, void,
 	BF_cbc_encrypt(in, out, data.len, &this->schedule, iv.ptr, 0);
 
 	free(iv.ptr);
+
+	return TRUE;
 }
 
-METHOD(crypter_t, encrypt, void,
+METHOD(crypter_t, encrypt, bool,
 	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	chunk_t *encrypted)
 {
@@ -131,6 +133,8 @@ METHOD(crypter_t, encrypt, void,
 	BF_cbc_encrypt(in, out, data.len, &this->schedule, iv.ptr, 1);
 
 	free(iv.ptr);
+
+	return TRUE;
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -151,10 +155,11 @@ METHOD(crypter_t, get_key_size, size_t,
 	return this->key_size;
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_blowfish_crypter_t *this, chunk_t key)
 {
 	BF_set_key(&this->schedule, key.len , key.ptr);
+	return TRUE;
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index 9dc8dfe7f..7494c52c3 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2008 Martin Willi
  * Copyright (C) 2009 Andreas Steffen
+ * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -38,11 +38,20 @@ METHOD(plugin_t, get_name, char*,
 	return "blowfish";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_blowfish_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CRYPTER, blowfish_crypter_create),
+			PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_blowfish_plugin_t *this)
 {
-	lib->crypto->remove_crypter(lib->crypto,
-								(crypter_constructor_t)blowfish_crypter_create);
 	free(this);
 }
 
@@ -57,15 +66,11 @@ plugin_t *blowfish_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 	);
 
-	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, get_name(this),
-							 (crypter_constructor_t)blowfish_crypter_create);
-
 	return &this->public.plugin;
 }
-
diff --git a/src/libstrongswan/plugins/ccm/Makefile.am b/src/libstrongswan/plugins/ccm/Makefile.am
index bca1f0735..d512f5a94 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.am
+++ b/src/libstrongswan/plugins/ccm/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ccm.la
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 2ffe6194b..7b175fd1b 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ccm_la_LIBADD =
 am_libstrongswan_ccm_la_OBJECTS = ccm_plugin.lo ccm_aead.lo
 libstrongswan_ccm_la_OBJECTS = $(am_libstrongswan_ccm_la_OBJECTS)
-libstrongswan_ccm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ccm_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ccm_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ccm_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ccm_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ccm_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ccm_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ccm_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ccm.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ccm.la
 libstrongswan_ccm_la_SOURCES = \
@@ -334,7 +400,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -342,6 +407,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -363,8 +430,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) 
-	$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
+libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) $(EXTRA_libstrongswan_ccm_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -376,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -501,10 +568,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c
index 0d2a56a49..0e2f9b75f 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.c
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.c
@@ -126,7 +126,7 @@ static void build_ctr(private_ccm_aead_t *this, u_int32_t i, chunk_t iv,
 /**
  * En-/Decrypt data
  */
-static void crypt_data(private_ccm_aead_t *this, chunk_t iv,
+static bool crypt_data(private_ccm_aead_t *this, chunk_t iv,
 					   chunk_t in, chunk_t out)
 {
 	char ctr[BLOCK_SIZE];
@@ -139,8 +139,11 @@ static void crypt_data(private_ccm_aead_t *this, chunk_t iv,
 	while (in.len > 0)
 	{
 		memcpy(block, ctr, BLOCK_SIZE);
-		this->crypter->encrypt(this->crypter, chunk_from_thing(block),
-							   chunk_from_thing(zero), NULL);
+		if (!this->crypter->encrypt(this->crypter, chunk_from_thing(block),
+									chunk_from_thing(zero), NULL))
+		{
+			return FALSE;
+		}
 		chunk_increment(chunk_from_thing(ctr));
 
 		if (in.ptr != out.ptr)
@@ -151,12 +154,13 @@ static void crypt_data(private_ccm_aead_t *this, chunk_t iv,
 		in = chunk_skip(in, BLOCK_SIZE);
 		out = chunk_skip(out, BLOCK_SIZE);
 	}
+	return TRUE;
 }
 
 /**
  * En-/Decrypt the ICV
  */
-static void crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv)
+static bool crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv)
 {
 	char ctr[BLOCK_SIZE];
 	char zero[BLOCK_SIZE];
@@ -164,15 +168,19 @@ static void crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv)
 	build_ctr(this, 0, iv, ctr);
 	memset(zero, 0, BLOCK_SIZE);
 
-	this->crypter->encrypt(this->crypter, chunk_from_thing(ctr),
-						   chunk_from_thing(zero), NULL);
+	if (!this->crypter->encrypt(this->crypter, chunk_from_thing(ctr),
+								chunk_from_thing(zero), NULL))
+	{
+		return FALSE;
+	}
 	memxor(icv, ctr, this->icv_size);
+	return TRUE;
 }
 
 /**
  * Create the ICV
  */
-static void create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+static bool create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
 					   chunk_t iv, char *icv)
 {
 	char zero[BLOCK_SIZE];
@@ -217,14 +225,19 @@ static void create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
 	memset(pos, 0, len);
 
 	/* encrypt inline with CBC, zero IV */
-	this->crypter->encrypt(this->crypter, chunk, chunk_from_thing(zero), NULL);
+	if (!this->crypter->encrypt(this->crypter, chunk,
+								chunk_from_thing(zero), NULL))
+	{
+		free(chunk.ptr);
+		return FALSE;
+	}
 	/* copy last icv_size bytes as ICV to output */
 	memcpy(icv, chunk.ptr + chunk.len - BLOCK_SIZE, this->icv_size);
 
-	/* encrypt the ICV value */
-	crypt_icv(this, iv, icv);
-
 	free(chunk.ptr);
+
+	/* encrypt the ICV value */
+	return crypt_icv(this, iv, icv);
 }
 
 /**
@@ -235,26 +248,22 @@ static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
 {
 	char buf[this->icv_size];
 
-	create_icv(this, plain, assoc, iv, buf);
-
-	return memeq(buf, icv, this->icv_size);
+	return create_icv(this, plain, assoc, iv, buf) &&
+		   memeq(buf, icv, this->icv_size);
 }
 
-METHOD(aead_t, encrypt, void,
+METHOD(aead_t, encrypt, bool,
 	private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
 	chunk_t *encrypted)
 {
 	if (encrypted)
 	{
 		*encrypted = chunk_alloc(plain.len + this->icv_size);
-		create_icv(this, plain, assoc, iv, encrypted->ptr + plain.len);
-		crypt_data(this, iv, plain, *encrypted);
-	}
-	else
-	{
-		create_icv(this, plain, assoc, iv, plain.ptr + plain.len);
-		crypt_data(this, iv, plain, plain);
+		return create_icv(this, plain, assoc, iv, encrypted->ptr + plain.len) &&
+			   crypt_data(this, iv, plain, *encrypted);
 	}
+	return create_icv(this, plain, assoc, iv, plain.ptr + plain.len) &&
+		   crypt_data(this, iv, plain, plain);
 }
 
 METHOD(aead_t, decrypt, bool,
@@ -269,16 +278,13 @@ METHOD(aead_t, decrypt, bool,
 	if (plain)
 	{
 		*plain = chunk_alloc(encrypted.len);
-		crypt_data(this, iv, encrypted, *plain);
-		return verify_icv(this, *plain, assoc, iv,
-						  encrypted.ptr + encrypted.len);
-	}
-	else
-	{
-		crypt_data(this, iv, encrypted, encrypted);
-		return verify_icv(this, encrypted, assoc, iv,
+		return crypt_data(this, iv, encrypted, *plain) &&
+			   verify_icv(this, *plain, assoc, iv,
 						  encrypted.ptr + encrypted.len);
 	}
+	return crypt_data(this, iv, encrypted, encrypted) &&
+		   verify_icv(this, encrypted, assoc, iv,
+					  encrypted.ptr + encrypted.len);
 }
 
 METHOD(aead_t, get_block_size, size_t,
@@ -305,12 +311,12 @@ METHOD(aead_t, get_key_size, size_t,
 	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
 }
 
-METHOD(aead_t, set_key, void,
+METHOD(aead_t, set_key, bool,
 	private_ccm_aead_t *this, chunk_t key)
 {
 	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
 	key.len -= SALT_SIZE;
-	this->crypter->set_key(this->crypter, key);
+	return this->crypter->set_key(this->crypter, key);
 }
 
 METHOD(aead_t, destroy, void,
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
index d5e302f94..79ab31804 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.h
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -42,8 +42,8 @@ struct ccm_aead_t {
 /**
  * Create a ccm_aead instance.
  *
- * @param key_size		key size in bytes
  * @param algo			algorithm to implement, a CCM mode
+ * @param key_size		key size in bytes
  * @return				aead, NULL if not supported
  */
 ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
diff --git a/src/libstrongswan/plugins/cmac/Makefile.am b/src/libstrongswan/plugins/cmac/Makefile.am
index ce0104f11..08e910be1 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.am
+++ b/src/libstrongswan/plugins/cmac/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-cmac.la
@@ -10,7 +11,6 @@ plugin_LTLIBRARIES = libstrongswan-cmac.la
 endif
 
 libstrongswan_cmac_la_SOURCES = \
-	cmac_plugin.h cmac_plugin.c cmac.h cmac.c \
-	cmac_prf.h cmac_prf.c cmac_signer.h cmac_signer.c
+	cmac_plugin.h cmac_plugin.c cmac.h cmac.c
 
 libstrongswan_cmac_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 093e63f32..07104bced 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_cmac_la_LIBADD =
-am_libstrongswan_cmac_la_OBJECTS = cmac_plugin.lo cmac.lo cmac_prf.lo \
-	cmac_signer.lo
+am_libstrongswan_cmac_la_OBJECTS = cmac_plugin.lo cmac.lo
 libstrongswan_cmac_la_OBJECTS = $(am_libstrongswan_cmac_la_OBJECTS)
-libstrongswan_cmac_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_cmac_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_cmac_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_cmac_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_cmac_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_cmac_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_cmac_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_cmac_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,13 +342,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-cmac.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-cmac.la
 libstrongswan_cmac_la_SOURCES = \
-	cmac_plugin.h cmac_plugin.c cmac.h cmac.c \
-	cmac_prf.h cmac_prf.c cmac_signer.h cmac_signer.c
+	cmac_plugin.h cmac_plugin.c cmac.h cmac.c
 
 libstrongswan_cmac_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -335,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -343,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -364,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-cmac.la: $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_DEPENDENCIES) 
-	$(libstrongswan_cmac_la_LINK) $(am_libstrongswan_cmac_la_rpath) $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_LIBADD) $(LIBS)
+libstrongswan-cmac.la: $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_cmac_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_cmac_la_LINK) $(am_libstrongswan_cmac_la_rpath) $(libstrongswan_cmac_la_OBJECTS) $(libstrongswan_cmac_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,29 +440,27 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmac_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmac_prf.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmac_signer.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/cmac/cmac.c b/src/libstrongswan/plugins/cmac/cmac.c
index 5ec7073c7..c8cb7fbf2 100644
--- a/src/libstrongswan/plugins/cmac/cmac.c
+++ b/src/libstrongswan/plugins/cmac/cmac.c
@@ -17,21 +17,24 @@
 
 #include "cmac.h"
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <crypto/mac.h>
+#include <crypto/prfs/mac_prf.h>
+#include <crypto/signers/mac_signer.h>
 
-typedef struct private_cmac_t private_cmac_t;
+typedef struct private_mac_t private_mac_t;
 
 /**
- * Private data of a cmac_t object.
+ * Private data of a mac_t object.
  *
  * The variable names are the same as in the RFC.
  */
-struct private_cmac_t {
+struct private_mac_t {
 
 	/**
 	 * Public interface.
 	 */
-	cmac_t public;
+	mac_t public;
 
 	/**
 	 * Block size, in bytes
@@ -72,7 +75,7 @@ struct private_cmac_t {
 /**
  * process supplied data, but do not run final operation
  */
-static void update(private_cmac_t *this, chunk_t data)
+static bool update(private_mac_t *this, chunk_t data)
 {
 	chunk_t iv;
 
@@ -80,7 +83,7 @@ static void update(private_cmac_t *this, chunk_t data)
 	{	/* no complete block (or last block), just copy into remaining */
 		memcpy(this->remaining + this->remaining_bytes, data.ptr, data.len);
 		this->remaining_bytes += data.len;
-		return;
+		return TRUE;
 	}
 
 	iv = chunk_alloca(this->b);
@@ -97,7 +100,10 @@ static void update(private_cmac_t *this, chunk_t data)
 		   this->b - this->remaining_bytes);
 	data = chunk_skip(data, this->b - this->remaining_bytes);
 	memxor(this->t, this->remaining, this->b);
-	this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL);
+	if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL))
+	{
+		return FALSE;
+	}
 
 	/* process blocks M_2 ... M_n-1 */
 	while (data.len > this->b)
@@ -105,18 +111,23 @@ static void update(private_cmac_t *this, chunk_t data)
 		memcpy(this->remaining, data.ptr, this->b);
 		data = chunk_skip(data, this->b);
 		memxor(this->t, this->remaining, this->b);
-		this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL);
+		if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL))
+		{
+			return FALSE;
+		}
 	}
 
 	/* store remaining bytes of block M_n */
 	memcpy(this->remaining, data.ptr, data.len);
 	this->remaining_bytes = data.len;
+
+	return TRUE;
 }
 
 /**
  * process last block M_last
  */
-static void final(private_cmac_t *this, u_int8_t *out)
+static bool final(private_mac_t *this, u_int8_t *out)
 {
 	chunk_t iv;
 
@@ -153,29 +164,38 @@ static void final(private_cmac_t *this, u_int8_t *out)
 	 * T := AES-128(K,T);
 	 */
 	memxor(this->t, this->remaining, this->b);
-	this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL);
+	if (!this->k->encrypt(this->k, chunk_create(this->t, this->b), iv, NULL))
+	{
+		return FALSE;
+	}
 
 	memcpy(out, this->t, this->b);
 
 	/* reset state */
 	memset(this->t, 0, this->b);
 	this->remaining_bytes = 0;
+
+	return TRUE;
 }
 
-METHOD(cmac_t, get_mac, void,
-	private_cmac_t *this, chunk_t data, u_int8_t *out)
+METHOD(mac_t, get_mac, bool,
+	private_mac_t *this, chunk_t data, u_int8_t *out)
 {
 	/* update T, do not process last block */
-	update(this, data);
+	if (!update(this, data))
+	{
+		return FALSE;
+	}
 
 	if (out)
 	{	/* if not in append mode, process last block and output result */
-		final(this, out);
+		return final(this, out);
 	}
+	return TRUE;
 }
 
-METHOD(cmac_t, get_block_size, size_t,
-	private_cmac_t *this)
+METHOD(mac_t, get_mac_size, size_t,
+	private_mac_t *this)
 {
 	return this->b;
 }
@@ -222,8 +242,8 @@ static void derive_key(chunk_t chunk)
 	}
 }
 
-METHOD(cmac_t, set_key, void,
-	private_cmac_t *this, chunk_t key)
+METHOD(mac_t, set_key, bool,
+	private_mac_t *this, chunk_t key)
 {
 	chunk_t resized, iv, l;
 
@@ -236,8 +256,11 @@ METHOD(cmac_t, set_key, void,
 	{	/* use cmac recursively to resize longer or shorter keys */
 		resized = chunk_alloca(this->b);
 		memset(resized.ptr, 0, resized.len);
-		set_key(this, resized);
-		get_mac(this, key, resized.ptr);
+		if (!set_key(this, resized) ||
+			!get_mac(this, key, resized.ptr))
+		{
+			return FALSE;
+		}
 	}
 
 	/*
@@ -256,17 +279,22 @@ METHOD(cmac_t, set_key, void,
 	memset(iv.ptr, 0, iv.len);
 	l = chunk_alloca(this->b);
 	memset(l.ptr, 0, l.len);
-	this->k->set_key(this->k, resized);
-	this->k->encrypt(this->k, l, iv, NULL);
+	if (!this->k->set_key(this->k, resized) ||
+		!this->k->encrypt(this->k, l, iv, NULL))
+	{
+		return FALSE;
+	}
 	derive_key(l);
 	memcpy(this->k1, l.ptr, l.len);
 	derive_key(l);
 	memcpy(this->k2, l.ptr, l.len);
 	memwipe(l.ptr, l.len);
+
+	return TRUE;
 }
 
-METHOD(cmac_t, destroy, void,
-	private_cmac_t *this)
+METHOD(mac_t, destroy, void,
+	private_mac_t *this)
 {
 	this->k->destroy(this->k);
 	memwipe(this->k1, this->b);
@@ -281,9 +309,9 @@ METHOD(cmac_t, destroy, void,
 /*
  * Described in header
  */
-cmac_t *cmac_create(encryption_algorithm_t algo, size_t key_size)
+mac_t *cmac_create(encryption_algorithm_t algo, size_t key_size)
 {
-	private_cmac_t *this;
+	private_mac_t *this;
 	crypter_t *crypter;
 	u_int8_t b;
 
@@ -303,7 +331,7 @@ cmac_t *cmac_create(encryption_algorithm_t algo, size_t key_size)
 	INIT(this,
 		.public = {
 			.get_mac = _get_mac,
-			.get_block_size = _get_block_size,
+			.get_mac_size = _get_mac_size,
 			.set_key = _set_key,
 			.destroy = _destroy,
 		},
@@ -319,3 +347,48 @@ cmac_t *cmac_create(encryption_algorithm_t algo, size_t key_size)
 	return &this->public;
 }
 
+/*
+ * Described in header.
+ */
+prf_t *cmac_prf_create(pseudo_random_function_t algo)
+{
+	mac_t *cmac;
+
+	switch (algo)
+	{
+		case PRF_AES128_CMAC:
+			cmac = cmac_create(ENCR_AES_CBC, 16);
+			break;
+		default:
+			return NULL;
+	}
+	if (cmac)
+	{
+		return mac_prf_create(cmac);
+	}
+	return NULL;
+}
+
+/*
+ * Described in header
+ */
+signer_t *cmac_signer_create(integrity_algorithm_t algo)
+{
+	size_t truncation;
+	mac_t *cmac;
+
+	switch (algo)
+	{
+		case AUTH_AES_CMAC_96:
+			cmac = cmac_create(ENCR_AES_CBC, 16);
+			truncation = 12;
+			break;
+		default:
+			return NULL;
+	}
+	if (cmac)
+	{
+		return mac_signer_create(cmac, truncation);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/cmac/cmac.h b/src/libstrongswan/plugins/cmac/cmac.h
index 061609127..dc85e3bc3 100644
--- a/src/libstrongswan/plugins/cmac/cmac.h
+++ b/src/libstrongswan/plugins/cmac/cmac.h
@@ -14,6 +14,11 @@
  */
 
 /**
+ * Cipher-based Message Authentication Code (CMAC).
+ *
+ * This class implements the message authentication algorithm
+ * described in RFC 4493.
+ *
  * @defgroup cmac cmac
  * @{ @ingroup cmac_p
  */
@@ -21,58 +26,23 @@
 #ifndef CMAC_H_
 #define CMAC_H_
 
-#include <crypto/crypters/crypter.h>
-
-typedef struct cmac_t cmac_t;
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
 
 /**
- * Cipher-based Message Authentication Code (CMAC).
+ * Creates a new prf_t object based on a CMAC.
  *
- * This class implements the message authentication algorithm
- * described in RFC 4493.
+ * @param algo		algorithm to implement
+ * @return			prf_t object, NULL if not supported
  */
-struct cmac_t {
-
-	/**
-	 * Generate message authentication code.
-	 *
-	 * If buffer is NULL, no result is given back. A next call will
-	 * append the data to already supplied data. If buffer is not NULL,
-	 * the mac of all apended data is calculated, returned and the internal
-	 * state is reset.
-	 *
-	 * @param data		chunk of data to authenticate
-	 * @param buffer	pointer where the generated bytes will be written
-	 */
-	void (*get_mac) (cmac_t *this, chunk_t data, u_int8_t *buffer);
-
-	/**
-	 * Get the block size of this cmac_t object.
-	 *
-	 * @return			block size in bytes
-	 */
-	size_t (*get_block_size) (cmac_t *this);
-
-	/**
-	 * Set the key for this cmac_t object.
-	 *
-	 * @param key		key to set
-	 */
-	void (*set_key) (cmac_t *this, chunk_t key);
-
-	/**
-	 * Destroys a cmac_t object.
-	 */
-	void (*destroy) (cmac_t *this);
-};
+prf_t *cmac_prf_create(pseudo_random_function_t algo);
 
 /**
- * Creates a new cmac_t object.
+ * Creates a new signer_t object based on a CMAC.
  *
- * @param algo			underlying crypto algorithm
- * @param key_size		key size to use, if required for algorithm
- * @return				cmac_t object, NULL if not supported
+ * @param algo		algorithm to implement
+ * @return			signer_t, NULL if  not supported
  */
-cmac_t *cmac_create(encryption_algorithm_t algo, size_t key_size);
+signer_t *cmac_signer_create(integrity_algorithm_t algo);
 
 #endif /** CMAC_H_ @}*/
diff --git a/src/libstrongswan/plugins/cmac/cmac_plugin.c b/src/libstrongswan/plugins/cmac/cmac_plugin.c
index 5b42c5002..694e598a5 100644
--- a/src/libstrongswan/plugins/cmac/cmac_plugin.c
+++ b/src/libstrongswan/plugins/cmac/cmac_plugin.c
@@ -16,8 +16,7 @@
 #include "cmac_plugin.h"
 
 #include <library.h>
-#include "cmac_prf.h"
-#include "cmac_signer.h"
+#include "cmac.h"
 
 typedef struct private_cmac_plugin_t private_cmac_plugin_t;
 
diff --git a/src/libstrongswan/plugins/cmac/cmac_prf.c b/src/libstrongswan/plugins/cmac/cmac_prf.c
deleted file mode 100644
index 17affe439..000000000
--- a/src/libstrongswan/plugins/cmac/cmac_prf.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "cmac_prf.h"
-
-#include "cmac.h"
-
-typedef struct private_cmac_prf_t private_cmac_prf_t;
-
-/**
- * Private data of a cmac_prf_t object.
- */
-struct private_cmac_prf_t {
-
-	/**
-	 * Public cmac_prf_t interface.
-	 */
-	cmac_prf_t public;
-
-	/**
-	 * cmac to use for generation.
-	 */
-	cmac_t *cmac;
-};
-
-METHOD(prf_t, get_bytes, void,
-	private_cmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
-{
-	this->cmac->get_mac(this->cmac, seed, buffer);
-}
-
-METHOD(prf_t, allocate_bytes, void,
-	private_cmac_prf_t *this, chunk_t seed, chunk_t *chunk)
-{
-	if (chunk)
-	{
-		*chunk = chunk_alloc(this->cmac->get_block_size(this->cmac));
-		get_bytes(this, seed, chunk->ptr);
-	}
-	else
-	{
-		get_bytes(this, seed, NULL);
-	}
-}
-
-METHOD(prf_t, get_block_size, size_t,
-	private_cmac_prf_t *this)
-{
-	return this->cmac->get_block_size(this->cmac);
-}
-
-METHOD(prf_t, get_key_size, size_t,
-	private_cmac_prf_t *this)
-{
-	/* in cmac, block and key size are always equal */
-	return this->cmac->get_block_size(this->cmac);
-}
-
-METHOD(prf_t, set_key, void,
-	private_cmac_prf_t *this, chunk_t key)
-{
-	this->cmac->set_key(this->cmac, key);
-}
-
-METHOD(prf_t, destroy, void,
-	private_cmac_prf_t *this)
-{
-	this->cmac->destroy(this->cmac);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-cmac_prf_t *cmac_prf_create(pseudo_random_function_t algo)
-{
-	private_cmac_prf_t *this;
-	cmac_t *cmac;
-
-	switch (algo)
-	{
-		case PRF_AES128_CMAC:
-			cmac = cmac_create(ENCR_AES_CBC, 16);
-			break;
-		default:
-			return NULL;
-	}
-	if (!cmac)
-	{
-		return NULL;
-	}
-
-	INIT(this,
-		.public = {
-			.prf = {
-				.get_bytes = _get_bytes,
-				.allocate_bytes = _allocate_bytes,
-				.get_block_size = _get_block_size,
-				.get_key_size = _get_key_size,
-				.set_key = _set_key,
-				.destroy = _destroy,
-			},
-		},
-		.cmac = cmac,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/cmac/cmac_prf.h b/src/libstrongswan/plugins/cmac/cmac_prf.h
deleted file mode 100644
index a53cc5947..000000000
--- a/src/libstrongswan/plugins/cmac/cmac_prf.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup cmac_prf cmac_prf
- * @{ @ingroup cmac_p
- */
-
-#ifndef PRF_CMAC_H_
-#define PRF_CMAC_H_
-
-typedef struct cmac_prf_t cmac_prf_t;
-
-#include <crypto/prfs/prf.h>
-
-/**
- * Implementation of prf_t on CBC block cipher using CMAC, RFC 4493 / RFC 4615.
- *
- * This simply wraps a cmac_t in a prf_t. More a question of
- * interface matching.
- */
-struct cmac_prf_t {
-
-	/**
-	 * Implements prf_t interface.
-	 */
-	prf_t prf;
-};
-
-/**
- * Creates a new cmac_prf_t object.
- *
- * @param algo		algorithm to implement
- * @return			cmac_prf_t object, NULL if hash not supported
- */
-cmac_prf_t *cmac_prf_create(pseudo_random_function_t algo);
-
-#endif /** PRF_CMAC_H_ @}*/
diff --git a/src/libstrongswan/plugins/cmac/cmac_signer.c b/src/libstrongswan/plugins/cmac/cmac_signer.c
deleted file mode 100644
index 82e8885d6..000000000
--- a/src/libstrongswan/plugins/cmac/cmac_signer.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "cmac_signer.h"
-#include "cmac.h"
-
-typedef struct private_cmac_signer_t private_cmac_signer_t;
-
-/**
- * Private data structure with signing context.
- */
-struct private_cmac_signer_t {
-
-	/**
-	 * Public interface.
-	 */
-	cmac_signer_t public;
-
-	/**
-	 * Assigned cmac function.
-	 */
-	cmac_t *cmac;
-
-	/**
-	 * Block size (truncation of CMAC MAC)
-	 */
-	size_t block_size;
-};
-
-METHOD(signer_t, get_signature, void,
-	private_cmac_signer_t *this, chunk_t data, u_int8_t *buffer)
-{
-	if (buffer == NULL)
-	{	/* append mode */
-		this->cmac->get_mac(this->cmac, data, NULL);
-	}
-	else
-	{
-		u_int8_t mac[this->cmac->get_block_size(this->cmac)];
-
-		this->cmac->get_mac(this->cmac, data, mac);
-		memcpy(buffer, mac, this->block_size);
-	}
-}
-
-METHOD(signer_t, allocate_signature, void,
-	private_cmac_signer_t *this, chunk_t data, chunk_t *chunk)
-{
-	if (chunk == NULL)
-	{	/* append mode */
-		this->cmac->get_mac(this->cmac, data, NULL);
-	}
-	else
-	{
-		u_int8_t mac[this->cmac->get_block_size(this->cmac)];
-
-		this->cmac->get_mac(this->cmac, data, mac);
-
-		chunk->ptr = malloc(this->block_size);
-		chunk->len = this->block_size;
-
-		memcpy(chunk->ptr, mac, this->block_size);
-	}
-}
-
-METHOD(signer_t, verify_signature, bool,
-	private_cmac_signer_t *this, chunk_t data, chunk_t signature)
-{
-	u_int8_t mac[this->cmac->get_block_size(this->cmac)];
-
-	if (signature.len != this->block_size)
-	{
-		return FALSE;
-	}
-
-	this->cmac->get_mac(this->cmac, data, mac);
-	return memeq(signature.ptr, mac, this->block_size);
-}
-
-METHOD(signer_t, get_key_size, size_t,
-	private_cmac_signer_t *this)
-{
-	return this->cmac->get_block_size(this->cmac);
-}
-
-METHOD(signer_t, get_block_size, size_t,
-	private_cmac_signer_t *this)
-{
-	return this->block_size;
-}
-
-METHOD(signer_t, set_key, void,
-	private_cmac_signer_t *this, chunk_t key)
-{
-	this->cmac->set_key(this->cmac, key);
-}
-
-METHOD(signer_t, destroy, void,
-	private_cmac_signer_t *this)
-{
-	this->cmac->destroy(this->cmac);
-	free(this);
-}
-
-/*
- * Described in header
- */
-cmac_signer_t *cmac_signer_create(integrity_algorithm_t algo)
-{
-	private_cmac_signer_t *this;
-	size_t truncation;
-	cmac_t *cmac;
-
-	switch (algo)
-	{
-		case AUTH_AES_CMAC_96:
-			cmac = cmac_create(ENCR_AES_CBC, 16);
-			truncation = 12;
-			break;
-		default:
-			return NULL;
-	}
-	if (cmac == NULL)
-	{
-		return NULL;
-	}
-
-	INIT(this,
-		.public = {
-			.signer = {
-				.get_signature = _get_signature,
-				.allocate_signature = _allocate_signature,
-				.verify_signature = _verify_signature,
-				.get_key_size = _get_key_size,
-				.get_block_size = _get_block_size,
-				.set_key = _set_key,
-				.destroy = _destroy,
-			},
-		},
-		.cmac = cmac,
-		.block_size = min(truncation, cmac->get_block_size(cmac)),
-	);
-
-	return &this->public;
-}
diff --git a/src/libstrongswan/plugins/cmac/cmac_signer.h b/src/libstrongswan/plugins/cmac/cmac_signer.h
deleted file mode 100644
index 2e3724471..000000000
--- a/src/libstrongswan/plugins/cmac/cmac_signer.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup cmac_signer cmac_signer
- * @{ @ingroup cmac_p
- */
-
-#ifndef CMAC_SIGNER_H_
-#define CMAC_SIGNER_H_
-
-typedef struct cmac_signer_t cmac_signer_t;
-
-#include <crypto/signers/signer.h>
-
-/**
- * Implementation of signer_t on CBC symmetric cipher using CMAC, RFC 4494.
- */
-struct cmac_signer_t {
-
-	/**
-	 * Implements signer_t interface.
-	 */
-	signer_t signer;
-};
-
-/**
- * Creates a new cmac_signer_t.
- *
- * @param algo		algorithm to implement
- * @return			cmac_signer_t, NULL if  not supported
- */
-cmac_signer_t *cmac_signer_create(integrity_algorithm_t algo);
-
-#endif /** CMAC_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/plugins/constraints/Makefile.am b/src/libstrongswan/plugins/constraints/Makefile.am
index d80d39a2d..8afde7013 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.am
+++ b/src/libstrongswan/plugins/constraints/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-constraints.la
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 06b66db60..5152d31b4 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_constraints_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_constraints_la_OBJECTS = constraints_plugin.lo \
 	constraints_validator.lo
 libstrongswan_constraints_la_OBJECTS =  \
 	$(am_libstrongswan_constraints_la_OBJECTS)
-libstrongswan_constraints_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_constraints_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_constraints_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_constraints_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_constraints_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_constraints_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_constraints_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-constraints.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-constraints.la
 libstrongswan_constraints_la_SOURCES = \
@@ -338,7 +403,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +410,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +433,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) 
-	$(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
+libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) $(EXTRA_libstrongswan_constraints_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -380,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -505,10 +571,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.c b/src/libstrongswan/plugins/constraints/constraints_plugin.c
index 502c83559..b9b456b23 100644
--- a/src/libstrongswan/plugins/constraints/constraints_plugin.c
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.c
@@ -42,10 +42,39 @@ METHOD(plugin_t, get_name, char*,
 	return "constraints";
 }
 
+/**
+ * Register validator
+ */
+static bool plugin_cb(private_constraints_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_constraints_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "constraints"),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_constraints_plugin_t *this)
 {
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
 	this->validator->destroy(this->validator);
 	free(this);
 }
@@ -61,13 +90,12 @@ plugin_t *constraints_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.validator = constraints_validator_create(),
 	);
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index b54d813df..62ccc7108 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -15,9 +15,9 @@
 
 #include "constraints_validator.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/x509.h>
 
 typedef struct private_constraints_validator_t private_constraints_validator_t;
@@ -533,20 +533,28 @@ METHOD(cert_validator_t, validate, bool,
 	{
 		if (!check_pathlen((x509_t*)issuer, pathlen))
 		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_EXCEEDED_PATH_LEN,
+									subject);
 			return FALSE;
 		}
 		if (!check_name_constraints(subject, (x509_t*)issuer))
 		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
 			return FALSE;
 		}
 		if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth))
 		{
+			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
+									subject);
 			return FALSE;
 		}
 		if (anchor)
 		{
 			if (!check_policy_constraints((x509_t*)issuer, pathlen, auth))
 			{
+				lib->credmgr->call_hook(lib->credmgr,
+										CRED_HOOK_POLICY_VIOLATION, issuer);
 				return FALSE;
 			}
 		}
diff --git a/src/libstrongswan/plugins/ctr/Makefile.am b/src/libstrongswan/plugins/ctr/Makefile.am
index 893171aab..52278b6d2 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.am
+++ b/src/libstrongswan/plugins/ctr/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ctr.la
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 853625a19..a251929d9 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ctr_la_LIBADD =
 am_libstrongswan_ctr_la_OBJECTS = ctr_plugin.lo ctr_ipsec_crypter.lo
 libstrongswan_ctr_la_OBJECTS = $(am_libstrongswan_ctr_la_OBJECTS)
-libstrongswan_ctr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ctr_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ctr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ctr_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ctr_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ctr_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ctr_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ctr_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ctr.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ctr.la
 libstrongswan_ctr_la_SOURCES = \
@@ -334,7 +400,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -342,6 +407,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -363,8 +430,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) 
-	$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
+libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) $(EXTRA_libstrongswan_ctr_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -376,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -501,10 +568,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
index ddcae423b..59d201a6f 100644
--- a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
@@ -45,7 +45,7 @@ struct private_ctr_ipsec_crypter_t {
 /**
  * Do the CTR crypto operation
  */
-static void crypt_ctr(private_ctr_ipsec_crypter_t *this,
+static bool crypt_ctr(private_ctr_ipsec_crypter_t *this,
 					  chunk_t in, chunk_t out)
 {
 	size_t is, bs;
@@ -63,8 +63,11 @@ static void crypt_ctr(private_ctr_ipsec_crypter_t *this,
 
 		memset(iv, 0, is);
 		memcpy(block, state.ptr, bs);
-		this->crypter->encrypt(this->crypter,
-						chunk_create(block, bs), chunk_create(iv, is), NULL);
+		if (!this->crypter->encrypt(this->crypter, chunk_create(block, bs),
+									chunk_create(iv, is), NULL))
+		{
+			return FALSE;
+		}
 		chunk_increment(state);
 
 		if (in.ptr != out.ptr)
@@ -75,9 +78,10 @@ static void crypt_ctr(private_ctr_ipsec_crypter_t *this,
 		in = chunk_skip(in, bs);
 		out = chunk_skip(out, bs);
 	}
+	return TRUE;
 }
 
-METHOD(crypter_t, crypt, void,
+METHOD(crypter_t, crypt, bool,
 	private_ctr_ipsec_crypter_t *this, chunk_t in, chunk_t iv, chunk_t *out)
 {
 	memcpy(this->state.iv, iv.ptr, sizeof(this->state.iv));
@@ -85,12 +89,9 @@ METHOD(crypter_t, crypt, void,
 	if (out)
 	{
 		*out = chunk_alloc(in.len);
-		crypt_ctr(this, in, *out);
-	}
-	else
-	{
-		crypt_ctr(this, in, in);
+		return crypt_ctr(this, in, *out);
 	}
+	return crypt_ctr(this, in, in);
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -112,13 +113,13 @@ METHOD(crypter_t, get_key_size, size_t,
 			+ sizeof(this->state.nonce);
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_ctr_ipsec_crypter_t *this, chunk_t key)
 {
 	memcpy(this->state.nonce, key.ptr + key.len - sizeof(this->state.nonce),
 		   sizeof(this->state.nonce));
 	key.len -= sizeof(this->state.nonce);
-	this->crypter->set_key(this->crypter, key);
+	return this->crypter->set_key(this->crypter, key);
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am
index 43718f678..17bcc8d98 100644
--- a/src/libstrongswan/plugins/curl/Makefile.am
+++ b/src/libstrongswan/plugins/curl/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-curl.la
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 5b83c60f8..d897746a0 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_curl_la_DEPENDENCIES =
 am_libstrongswan_curl_la_OBJECTS = curl_plugin.lo curl_fetcher.lo
 libstrongswan_curl_la_OBJECTS = $(am_libstrongswan_curl_la_OBJECTS)
-libstrongswan_curl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_curl_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_curl_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_curl_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_curl_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_curl_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_curl_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_curl_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-curl.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-curl.la
 libstrongswan_curl_la_SOURCES = \
@@ -334,7 +400,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -342,6 +407,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -363,8 +430,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) 
-	$(libstrongswan_curl_la_LINK) $(am_libstrongswan_curl_la_rpath) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
+libstrongswan-curl.la: $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_DEPENDENCIES) $(EXTRA_libstrongswan_curl_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_curl_la_LINK) $(am_libstrongswan_curl_la_rpath) $(libstrongswan_curl_la_OBJECTS) $(libstrongswan_curl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -376,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -501,10 +568,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 7f8c0aec2..a8cca98da 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -17,11 +17,11 @@
 #include <curl/curl.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "curl_fetcher.h"
 
-#define DEFAULT_TIMEOUT 10
+#define CONNECT_TIMEOUT 10
 
 typedef struct private_curl_fetcher_t private_curl_fetcher_t;
 
@@ -48,6 +48,11 @@ struct private_curl_fetcher_t {
 	 * Callback function
 	 */
 	fetcher_callback_t cb;
+
+	/**
+	 * Timeout for a transfer
+	 */
+	long timeout;
 };
 
 /**
@@ -94,7 +99,11 @@ METHOD(fetcher_t, fetch, status_t,
 	curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, error);
 	curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
 	curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
-	curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, DEFAULT_TIMEOUT);
+	if (this->timeout)
+	{
+		curl_easy_setopt(this->curl, CURLOPT_TIMEOUT, this->timeout);
+	}
+	curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, CONNECT_TIMEOUT);
 	curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, (void*)curl_cb);
 	curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, &data);
 	if (this->headers)
@@ -160,8 +169,7 @@ METHOD(fetcher_t, set_option, bool,
 		}
 		case FETCH_TIMEOUT:
 		{
-			curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT,
-							 va_arg(args, u_int));
+			this->timeout = va_arg(args, u_int);
 			break;
 		}
 		case FETCH_CALLBACK:
@@ -169,6 +177,15 @@ METHOD(fetcher_t, set_option, bool,
 			this->cb = va_arg(args, fetcher_callback_t);
 			break;
 		}
+		case FETCH_SOURCEIP:
+		{
+			char buf[64];
+
+			snprintf(buf, sizeof(buf), "%H", va_arg(args, host_t*));
+			supported = curl_easy_setopt(this->curl, CURLOPT_INTERFACE,
+										 buf) == CURLE_OK;
+			break;
+		}
 		default:
 			supported = FALSE;
 			break;
@@ -211,4 +228,3 @@ curl_fetcher_t *curl_fetcher_create()
 	}
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index 8628c4bb5..062fe129f 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -16,7 +16,7 @@
 #include "curl_plugin.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include "curl_fetcher.h"
 
 #include <curl/curl.h>
diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am
index c7d9ce915..9ca965995 100644
--- a/src/libstrongswan/plugins/des/Makefile.am
+++ b/src/libstrongswan/plugins/des/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-des.la
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index f4056951a..ce540df73 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_des_la_LIBADD =
 am_libstrongswan_des_la_OBJECTS = des_plugin.lo des_crypter.lo
 libstrongswan_des_la_OBJECTS = $(am_libstrongswan_des_la_OBJECTS)
-libstrongswan_des_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_des_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_des_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_des_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_des_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_des_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_des_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_des_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-des.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-des.la
 libstrongswan_des_la_SOURCES = \
@@ -333,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -341,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -362,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) 
-	$(libstrongswan_des_la_LINK) $(am_libstrongswan_des_la_rpath) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
+libstrongswan-des.la: $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_DEPENDENCIES) $(EXTRA_libstrongswan_des_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_des_la_LINK) $(am_libstrongswan_des_la_rpath) $(libstrongswan_des_la_OBJECTS) $(libstrongswan_des_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -500,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index bc399ef8a..c81318b19 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -1416,7 +1416,7 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
 	tin[0]=tin[1]=0;
 }
 
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
 	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
@@ -1431,10 +1431,11 @@ METHOD(crypter_t, decrypt, void,
 	memcpy(&ivb, iv.ptr, sizeof(des_cblock));
 	des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
 					 data.len, this->ks, &ivb, DES_DECRYPT);
+	return TRUE;
 }
 
 
-METHOD(crypter_t, encrypt, void,
+METHOD(crypter_t, encrypt, bool,
 	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
@@ -1449,9 +1450,10 @@ METHOD(crypter_t, encrypt, void,
 	memcpy(&ivb, iv.ptr, sizeof(des_cblock));
 	des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
 					 data.len, this->ks, &ivb, DES_ENCRYPT);
+	return TRUE;
 }
 
-METHOD(crypter_t, decrypt_ecb, void,
+METHOD(crypter_t, decrypt_ecb, bool,
 	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	u_int8_t *out;
@@ -1464,9 +1466,10 @@ METHOD(crypter_t, decrypt_ecb, void,
 	}
 	des_ecb_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
 					 data.len, this->ks, DES_DECRYPT);
+	return TRUE;
 }
 
-METHOD(crypter_t, encrypt_ecb, void,
+METHOD(crypter_t, encrypt_ecb, bool,
 	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	u_int8_t *out;
@@ -1479,9 +1482,10 @@ METHOD(crypter_t, encrypt_ecb, void,
 	}
 	des_ecb_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
 					 data.len, this->ks, DES_ENCRYPT);
+	return TRUE;
 }
 
-METHOD(crypter_t, decrypt3, void,
+METHOD(crypter_t, decrypt3, bool,
 	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
@@ -1497,9 +1501,10 @@ METHOD(crypter_t, decrypt3, void,
 	des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
 						 data.len, this->ks3[0], this->ks3[1], this->ks3[2],
 						 &ivb, DES_DECRYPT);
+	return TRUE;
 }
 
-METHOD(crypter_t, encrypt3, void,
+METHOD(crypter_t, encrypt3, bool,
 	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
@@ -1515,6 +1520,7 @@ METHOD(crypter_t, encrypt3, void,
 	des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
 						  data.len, this->ks3[0], this->ks3[1], this->ks3[2],
 						  &ivb, DES_ENCRYPT);
+	return TRUE;
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -1535,18 +1541,20 @@ METHOD(crypter_t, get_key_size, size_t,
 	return this->key_size;
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr), &this->ks);
+	return TRUE;
 }
 
-METHOD(crypter_t, set_key3, void,
+METHOD(crypter_t, set_key3, bool,
 	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
 	des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
 	des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
+	return TRUE;
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.am b/src/libstrongswan/plugins/dnskey/Makefile.am
index fbba95e0a..7e74fd897 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.am
+++ b/src/libstrongswan/plugins/dnskey/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-dnskey.la
@@ -11,6 +12,7 @@ endif
 
 libstrongswan_dnskey_la_SOURCES = \
 	dnskey_plugin.h dnskey_plugin.c \
-	dnskey_builder.h dnskey_builder.c
+	dnskey_builder.h dnskey_builder.c \
+	dnskey_encoder.h dnskey_encoder.c
 
 libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index dabddd6d0..087448737 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,55 +90,90 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_dnskey_la_LIBADD =
 am_libstrongswan_dnskey_la_OBJECTS = dnskey_plugin.lo \
-	dnskey_builder.lo
+	dnskey_builder.lo dnskey_encoder.lo
 libstrongswan_dnskey_la_OBJECTS =  \
 	$(am_libstrongswan_dnskey_la_OBJECTS)
-libstrongswan_dnskey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_dnskey_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_dnskey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_dnskey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_dnskey_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_dnskey_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_dnskey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_dnskey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,13 +345,18 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-dnskey.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-dnskey.la
 libstrongswan_dnskey_la_SOURCES = \
 	dnskey_plugin.h dnskey_plugin.c \
-	dnskey_builder.h dnskey_builder.c
+	dnskey_builder.h dnskey_builder.c \
+	dnskey_encoder.h dnskey_encoder.c
 
 libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -337,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -345,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -366,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) 
-	$(libstrongswan_dnskey_la_LINK) $(am_libstrongswan_dnskey_la_rpath) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
+libstrongswan-dnskey.la: $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_DEPENDENCIES) $(EXTRA_libstrongswan_dnskey_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_dnskey_la_LINK) $(am_libstrongswan_dnskey_la_rpath) $(libstrongswan_dnskey_la_OBJECTS) $(libstrongswan_dnskey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -376,28 +444,29 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_encoder.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +573,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_builder.c b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
index ea4eb6cda..71040437d 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_builder.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_builder.c
@@ -15,7 +15,7 @@
 
 #include "dnskey_builder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 
 
@@ -39,8 +39,14 @@ enum dnskey_algorithm_t {
 	DNSKEY_ALG_RSA_MD5 = 1,
 	DNSKEY_ALG_DH = 2,
 	DNSKEY_ALG_DSA = 3,
-	DNSKEY_ALG_ECC = 4,
 	DNSKEY_ALG_RSA_SHA1 = 5,
+	DNSKEY_ALG_DSA_NSEC3_SHA1 = 6,
+	DNSKEY_ALG_RSA_SHA1_NSEC3_SHA1 = 7,
+	DNSKEY_ALG_RSA_SHA256 = 8,
+	DNSKEY_ALG_RSA_SHA512 = 10,
+	DNSKEY_ALG_ECC_GOST = 12,
+	DNSKEY_ALG_ECDSA_P256_SHA256 = 13,
+	DNSKEY_ALG_ECDSA_P384_SHA384 = 14
 };
 
 /**
@@ -59,7 +65,11 @@ static dnskey_public_key_t *parse_public_key(chunk_t blob)
 
 	switch (rr->algorithm)
 	{
+		case DNSKEY_ALG_RSA_MD5:
 		case DNSKEY_ALG_RSA_SHA1:
+		case DNSKEY_ALG_RSA_SHA1_NSEC3_SHA1:
+		case DNSKEY_ALG_RSA_SHA256:
+		case DNSKEY_ALG_RSA_SHA512:
 			return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
 									  BUILD_BLOB_DNSKEY, blob, BUILD_END);
 		default:
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_encoder.c b/src/libstrongswan/plugins/dnskey/dnskey_encoder.c
new file mode 100644
index 000000000..3214f3899
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_encoder.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "dnskey_encoder.h"
+
+#include <utils/debug.h>
+
+/**
+ * Encode an RSA public key in DNSKEY format (RFC 3110)
+ */
+static bool build_pub(chunk_t *encoding, va_list args)
+{
+	chunk_t n, e, pubkey;
+	size_t exp_len;
+	u_char *pos;
+
+	if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+						   CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END))
+	{
+		/* remove leading zeros in exponent and modulus */
+		while (*e.ptr == 0)
+		{
+			e = chunk_skip(e, 1);
+		}
+		while (*n.ptr == 0)
+		{
+			n = chunk_skip(n, 1);
+		}
+
+		if (e.len < 256)
+		{
+			/* exponent length fits into a single octet */
+			exp_len = 1;
+			pubkey = chunk_alloc(exp_len + e.len + n.len);
+			pubkey.ptr[0] = (char)e.len;
+		}
+		else if (e.len < 65536)
+		{
+			/* exponent length fits into two octets preceded by zero octet */
+			exp_len = 3;
+			pubkey = chunk_alloc(exp_len + e.len + n.len);
+			pubkey.ptr[0] = 0x00;
+			htoun16(pubkey.ptr + 1, e.len);
+		}
+		else
+		{
+			/* exponent length is too large */
+			return FALSE;
+		}
+
+		/* copy exponent and modulus and convert to base64 format */
+		pos = pubkey.ptr + exp_len;
+		memcpy(pos, e.ptr, e.len);
+		pos += e.len;
+		memcpy(pos, n.ptr, n.len);
+		*encoding = chunk_to_base64(pubkey, NULL);
+		chunk_free(&pubkey);
+
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool dnskey_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						   va_list args)
+{
+	switch (type)
+	{
+		case PUBKEY_DNSKEY:
+			return build_pub(encoding, args);
+		default:
+			return FALSE;
+	}
+}
+
+
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_encoder.h b/src/libstrongswan/plugins/dnskey/dnskey_encoder.h
new file mode 100644
index 000000000..127260308
--- /dev/null
+++ b/src/libstrongswan/plugins/dnskey/dnskey_encoder.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dnskey_encoder dnskey_encoder
+ * @{ @ingroup dnskey_p
+ */
+
+#ifndef DNSKEY_ENCODER_H_
+#define DNSKEY_ENCODER_H_
+
+#include <credentials/cred_encoding.h>
+
+/**
+ * Encoding function for DNSKEY (RFC 3110) public key format.
+ */
+bool dnskey_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+						  va_list args);
+
+#endif /** DNSKEY_ENCODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index b6863e8e3..9a4f6252f 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -17,6 +17,7 @@
 
 #include <library.h>
 #include "dnskey_builder.h"
+#include "dnskey_encoder.h"
 
 typedef struct private_dnskey_plugin_t private_dnskey_plugin_t;
 
@@ -53,6 +54,8 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_dnskey_plugin_t *this)
 {
+	lib->encoding->remove_encoder(lib->encoding, dnskey_encoder_encode);
+
 	free(this);
 }
 
@@ -73,6 +76,8 @@ plugin_t *dnskey_plugin_create()
 		},
 	);
 
+	lib->encoding->add_encoder(lib->encoding, dnskey_encoder_encode);
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am
index c9cf2c977..a7ae612c0 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.am
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-fips-prf.la
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index cbe9ef303..f6109839c 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,55 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_fips_prf_la_LIBADD =
 am_libstrongswan_fips_prf_la_OBJECTS = fips_prf_plugin.lo fips_prf.lo
 libstrongswan_fips_prf_la_OBJECTS =  \
 	$(am_libstrongswan_fips_prf_la_OBJECTS)
-libstrongswan_fips_prf_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_fips_prf_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_fips_prf_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_fips_prf_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_fips_prf_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_fips_prf_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-fips-prf.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-fips-prf.la
 libstrongswan_fips_prf_la_SOURCES = \
@@ -336,7 +401,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -344,6 +408,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -365,8 +431,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) 
-	$(libstrongswan_fips_prf_la_LINK) $(am_libstrongswan_fips_prf_la_rpath) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
+libstrongswan-fips-prf.la: $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_DEPENDENCIES) $(EXTRA_libstrongswan_fips_prf_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_fips_prf_la_LINK) $(am_libstrongswan_fips_prf_la_rpath) $(libstrongswan_fips_prf_la_OBJECTS) $(libstrongswan_fips_prf_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -378,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -503,10 +569,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index c0666367a..23825078e 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -17,7 +17,7 @@
 
 #include <arpa/inet.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_fips_prf_t private_fips_prf_t;
 
@@ -48,7 +48,7 @@ struct private_fips_prf_t {
 	/**
 	 * G function, either SHA1 or DES
 	 */
-	void (*g)(private_fips_prf_t *this, chunk_t c, u_int8_t res[]);
+	bool (*g)(private_fips_prf_t *this, chunk_t c, u_int8_t res[]);
 };
 
 /**
@@ -106,7 +106,7 @@ static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[])
  * 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
  * 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
  */
-METHOD(prf_t, get_bytes, void,
+METHOD(prf_t, get_bytes, bool,
 	private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
 {
 	int i;
@@ -138,6 +138,8 @@ METHOD(prf_t, get_bytes, void,
 	}
 
 	/* 3.3 done already, mod q not used */
+
+	return TRUE;
 }
 
 METHOD(prf_t, get_block_size, size_t,
@@ -145,11 +147,11 @@ METHOD(prf_t, get_block_size, size_t,
 {
 	return 2 * this->b;
 }
-METHOD(prf_t, allocate_bytes, void,
+METHOD(prf_t, allocate_bytes, bool,
 	private_fips_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(get_block_size(this));
-	get_bytes(this, seed, chunk->ptr);
+	return get_bytes(this, seed, chunk->ptr);
 }
 
 METHOD(prf_t, get_key_size, size_t,
@@ -158,17 +160,18 @@ METHOD(prf_t, get_key_size, size_t,
 	return this->b;
 }
 
-METHOD(prf_t, set_key, void,
+METHOD(prf_t, set_key, bool,
 	private_fips_prf_t *this, chunk_t key)
 {
 	/* save key as "key mod 2^b" */
 	chunk_mod(this->b, key, this->key);
+	return TRUE;
 }
 
 /**
  * Implementation of the G() function based on SHA1
  */
-void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
+static bool g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
 {
 	u_int8_t buf[64];
 
@@ -187,8 +190,12 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
 	}
 
 	/* use the keyed hasher, but use an empty key to use SHA1 IV */
-	this->keyed_prf->set_key(this->keyed_prf, chunk_empty);
-	this->keyed_prf->get_bytes(this->keyed_prf, c, res);
+	if (!this->keyed_prf->set_key(this->keyed_prf, chunk_empty) ||
+		!this->keyed_prf->get_bytes(this->keyed_prf, c, res))
+	{
+		return FALSE;
+	}
+	return TRUE;
 }
 
 METHOD(prf_t, destroy, void,
diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am
index ec733fbcc..228b4708d 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.am
+++ b/src/libstrongswan/plugins/gcm/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-gcm.la
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 8285b5aeb..7ef95b92e 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gcm_la_LIBADD =
 am_libstrongswan_gcm_la_OBJECTS = gcm_plugin.lo gcm_aead.lo
 libstrongswan_gcm_la_OBJECTS = $(am_libstrongswan_gcm_la_OBJECTS)
-libstrongswan_gcm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_gcm_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_gcm_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_gcm_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_gcm_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_gcm_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_gcm_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gcm_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcm.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcm.la
 libstrongswan_gcm_la_SOURCES = \
@@ -334,7 +400,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -342,6 +407,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -363,8 +430,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) 
-	$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
+libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcm_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -376,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -501,10 +568,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
index 0d7d91dbf..79ee65d98 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.c
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.c
@@ -149,7 +149,7 @@ static void ghash(private_gcm_aead_t *this, chunk_t x, char *res)
 /**
  * GCTR function, en-/decrypts x inline
  */
-static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
+static bool gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
 {
 	char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE];
 
@@ -159,12 +159,16 @@ static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
 	while (x.len)
 	{
 		memcpy(tmp, cb, BLOCK_SIZE);
-		this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
-							   chunk_from_thing(iv), NULL);
+		if (!this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
+									chunk_from_thing(iv), NULL))
+		{
+			return FALSE;
+		}
 		memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len));
 		chunk_increment(chunk_from_thing(cb));
 		x = chunk_skip(x, BLOCK_SIZE);
 	}
+	return TRUE;
 }
 
 /**
@@ -180,21 +184,21 @@ static void create_j(private_gcm_aead_t *this, char *iv, char *j)
 /**
  * Create GHASH subkey H
  */
-static void create_h(private_gcm_aead_t *this, char *h)
+static bool create_h(private_gcm_aead_t *this, char *h)
 {
 	char zero[BLOCK_SIZE];
 
 	memset(zero, 0, BLOCK_SIZE);
 	memset(h, 0, BLOCK_SIZE);
 
-	this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
-						   chunk_from_thing(zero), NULL);
+	return this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
+								  chunk_from_thing(zero), NULL);
 }
 
 /**
  * Encrypt/decrypt
  */
-static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
+static bool crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
 {
 	char icb[BLOCK_SIZE];
 
@@ -206,13 +210,13 @@ static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
 	{
 		memcpy(out.ptr, in.ptr, in.len);
 	}
-	gctr(this, icb, out);
+	return gctr(this, icb, out);
 }
 
 /**
  * Create ICV
  */
-static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+static bool create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
 					   char *j, char *icv)
 {
 	size_t assoc_pad, crypt_pad;
@@ -249,9 +253,12 @@ static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
 
 	ghash(this, chunk, s);
 	free(chunk.ptr);
-	gctr(this, j, chunk_from_thing(s));
-
+	if (!gctr(this, j, chunk_from_thing(s)))
+	{
+		return FALSE;
+	}
 	memcpy(icv, s, this->icv_size);
+	return TRUE;
 }
 
 /**
@@ -262,12 +269,11 @@ static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
 {
 	char tmp[this->icv_size];
 
-	create_icv(this, assoc, crypt, j, tmp);
-
-	return memeq(tmp, icv, this->icv_size);
+	return create_icv(this, assoc, crypt, j, tmp) &&
+		   memeq(tmp, icv, this->icv_size);
 }
 
-METHOD(aead_t, encrypt, void,
+METHOD(aead_t, encrypt, bool,
 	private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
 	chunk_t *encrypted)
 {
@@ -278,16 +284,13 @@ METHOD(aead_t, encrypt, void,
 	if (encrypted)
 	{
 		*encrypted = chunk_alloc(plain.len + this->icv_size);
-		crypt(this, j, plain, *encrypted);
-		create_icv(this, assoc,
-				   chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
-				   j, encrypted->ptr + encrypted->len - this->icv_size);
-	}
-	else
-	{
-		crypt(this, j, plain, plain);
-		create_icv(this, assoc, plain, j, plain.ptr + plain.len);
+		return crypt(this, j, plain, *encrypted) &&
+			   create_icv(this, assoc,
+					chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
+					j, encrypted->ptr + encrypted->len - this->icv_size);
 	}
+	return crypt(this, j, plain, plain) &&
+		   create_icv(this, assoc, plain, j, plain.ptr + plain.len);
 }
 
 METHOD(aead_t, decrypt, bool,
@@ -311,13 +314,9 @@ METHOD(aead_t, decrypt, bool,
 	if (plain)
 	{
 		*plain = chunk_alloc(encrypted.len);
-		crypt(this, j, encrypted, *plain);
+		return crypt(this, j, encrypted, *plain);
 	}
-	else
-	{
-		crypt(this, j, encrypted, encrypted);
-	}
-	return TRUE;
+	return crypt(this, j, encrypted, encrypted);
 }
 
 METHOD(aead_t, get_block_size, size_t,
@@ -344,13 +343,13 @@ METHOD(aead_t, get_key_size, size_t,
 	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
 }
 
-METHOD(aead_t, set_key, void,
+METHOD(aead_t, set_key, bool,
 	private_gcm_aead_t *this, chunk_t key)
 {
 	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
 	key.len -= SALT_SIZE;
-	this->crypter->set_key(this->crypter, key);
-	create_h(this, this->h);
+	return this->crypter->set_key(this->crypter, key) &&
+		   create_h(this, this->h);
 }
 
 METHOD(aead_t, destroy, void,
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
index db4be2442..846c3c76c 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.h
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -42,8 +42,8 @@ struct gcm_aead_t {
 /**
  * Create a gcm_aead instance.
  *
- * @param key_size		key size in bytes
  * @param algo			algorithm to implement, a gcm mode
+ * @param key_size		key size in bytes
  * @return				aead, NULL if not supported
  */
 gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index 57f3f5016..1a9d225ec 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-gcrypt.la
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 4dc72fed0..2354ec3d3 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gcrypt_la_DEPENDENCIES =
@@ -80,48 +104,77 @@ am_libstrongswan_gcrypt_la_OBJECTS = gcrypt_plugin.lo \
 	gcrypt_dh.lo gcrypt_rng.lo gcrypt_crypter.lo gcrypt_hasher.lo
 libstrongswan_gcrypt_la_OBJECTS =  \
 	$(am_libstrongswan_gcrypt_la_OBJECTS)
-libstrongswan_gcrypt_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_gcrypt_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_gcrypt_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_gcrypt_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_gcrypt_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_gcrypt_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gcrypt_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +183,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +205,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +233,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +247,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +256,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +264,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +290,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +310,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,8 +346,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcrypt.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcrypt.la
 libstrongswan_gcrypt_la_SOURCES = \
@@ -344,7 +410,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -352,6 +417,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -373,8 +440,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) 
-	$(libstrongswan_gcrypt_la_LINK) $(am_libstrongswan_gcrypt_la_rpath) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
+libstrongswan-gcrypt.la: $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_DEPENDENCIES) $(EXTRA_libstrongswan_gcrypt_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_gcrypt_la_LINK) $(am_libstrongswan_gcrypt_la_rpath) $(libstrongswan_gcrypt_la_OBJECTS) $(libstrongswan_gcrypt_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -391,25 +458,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcrypt_rsa_public_key.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -516,10 +583,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 599481911..a737cb13d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -17,7 +17,7 @@
 
 #include <gcrypt.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_gcrypt_crypter_t private_gcrypt_crypter_t;
 
@@ -59,50 +59,47 @@ struct private_gcrypt_crypter_t {
 /**
  * Set the IV for en/decryption
  */
-static void set_iv(private_gcrypt_crypter_t *this, chunk_t iv)
+static bool set_iv(private_gcrypt_crypter_t *this, chunk_t iv)
 {
 	if (this->ctr_mode)
 	{
 		memcpy(this->ctr.iv, iv.ptr, sizeof(this->ctr.iv));
 		this->ctr.counter = htonl(1);
-		gcry_cipher_setctr(this->h, &this->ctr, sizeof(this->ctr));
-	}
-	else
-	{
-		gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+		return gcry_cipher_setctr(this->h, &this->ctr, sizeof(this->ctr)) == 0;
 	}
+	return gcry_cipher_setiv(this->h, iv.ptr, iv.len) == 0;
 }
 
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
 	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	set_iv(this, iv);
-
-	if (dst)
+	if (!set_iv(this, iv))
 	{
-		*dst = chunk_alloc(data.len);
-		gcry_cipher_decrypt(this->h, dst->ptr, dst->len, data.ptr, data.len);
+		return FALSE;
 	}
-	else
+	if (dst)
 	{
-		gcry_cipher_decrypt(this->h, data.ptr, data.len, NULL, 0);
+		*dst = chunk_alloc(data.len);
+		return gcry_cipher_decrypt(this->h, dst->ptr, dst->len,
+								   data.ptr, data.len) == 0;
 	}
+	return gcry_cipher_decrypt(this->h, data.ptr, data.len, NULL, 0) == 0;
 }
 
-METHOD(crypter_t, encrypt, void,
+METHOD(crypter_t, encrypt, bool,
 	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	set_iv(this, iv);
-
-	if (dst)
+	if (!set_iv(this, iv))
 	{
-		*dst = chunk_alloc(data.len);
-		gcry_cipher_encrypt(this->h, dst->ptr, dst->len, data.ptr, data.len);
+		return FALSE;
 	}
-	else
+	if (dst)
 	{
-		gcry_cipher_encrypt(this->h, data.ptr, data.len, NULL, 0);
+		*dst = chunk_alloc(data.len);
+		return gcry_cipher_encrypt(this->h, dst->ptr, dst->len,
+								   data.ptr, data.len) == 0;
 	}
+	return gcry_cipher_encrypt(this->h, data.ptr, data.len, NULL, 0) == 0;
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -144,7 +141,7 @@ METHOD(crypter_t, get_key_size, size_t,
 	return len;
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_gcrypt_crypter_t *this, chunk_t key)
 {
 	if (this->ctr_mode)
@@ -154,7 +151,7 @@ METHOD(crypter_t, set_key, void,
 			   sizeof(this->ctr.nonce));
 		key.len -= sizeof(this->ctr.nonce);
 	}
-	gcry_cipher_setkey(this->h, key.ptr, key.len);
+	return gcry_cipher_setkey(this->h, key.ptr, key.len) == 0;
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 6c4665da2..f418b941d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -18,7 +18,7 @@
 
 #include "gcrypt_dh.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;
 
@@ -208,9 +208,8 @@ gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len,
 	}
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (rng)
+	if (rng && rng->allocate_bytes(rng, exp_len, &random))
 	{	/* prefer external randomizer */
-		rng->allocate_bytes(rng, exp_len, &random);
 		rng->destroy(rng);
 		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
 							random.ptr, random.len, NULL);
@@ -226,6 +225,7 @@ gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len,
 	}
 	else
 	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
+		DESTROY_IF(rng);
 		this->xa = gcry_mpi_new(exp_len * 8);
 		gcry_mpi_randomize(this->xa, exp_len * 8, GCRY_STRONG_RANDOM);
 	}
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 96c87614f..af7993101 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -15,7 +15,7 @@
 
 #include "gcrypt_hasher.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <gcrypt.h>
 
@@ -43,13 +43,14 @@ METHOD(hasher_t, get_hash_size, size_t,
 	return gcry_md_get_algo_dlen(gcry_md_get_algo(this->hd));
 }
 
-METHOD(hasher_t, reset, void,
+METHOD(hasher_t, reset, bool,
 	private_gcrypt_hasher_t *this)
 {
 	gcry_md_reset(this->hd);
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, get_hash, bool,
 	private_gcrypt_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	gcry_md_write(this->hd, chunk.ptr, chunk.len);
@@ -58,20 +59,18 @@ METHOD(hasher_t, get_hash, void,
 		memcpy(hash, gcry_md_read(this->hd, 0), get_hash_size(this));
 		gcry_md_reset(this->hd);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_gcrypt_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
 		*hash = chunk_alloc(get_hash_size(this));
-		get_hash(this, chunk, hash->ptr);
-	}
-	else
-	{
-		get_hash(this, chunk, NULL);
+		return get_hash(this, chunk, hash->ptr);
 	}
+	return get_hash(this, chunk, NULL);
 }
 
 METHOD(hasher_t, destroy, void,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index a48d4a133..78d75a238 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -23,7 +23,7 @@
 #include "gcrypt_rsa_public_key.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 #include <errno.h>
@@ -132,9 +132,9 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(CRYPTER, ENCR_TWOFISH_CBC, 32),
 		/* hashers */
 		PLUGIN_REGISTER(HASHER, gcrypt_hasher_create),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA1),
 			PLUGIN_PROVIDE(HASHER, HASH_MD4),
 			PLUGIN_PROVIDE(HASHER, HASH_MD5),
-			PLUGIN_PROVIDE(HASHER, HASH_SHA1),
 			PLUGIN_PROVIDE(HASHER, HASH_SHA224),
 			PLUGIN_PROVIDE(HASHER, HASH_SHA256),
 			PLUGIN_PROVIDE(HASHER, HASH_SHA384),
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
index d29755de9..dc34a8d66 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
@@ -35,7 +35,7 @@ struct private_gcrypt_rng_t {
 	rng_quality_t quality;
 };
 
-METHOD(rng_t, get_bytes, void,
+METHOD(rng_t, get_bytes, bool,
 	private_gcrypt_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	switch (this->quality)
@@ -50,13 +50,15 @@ METHOD(rng_t, get_bytes, void,
 			gcry_randomize(buffer, bytes, GCRY_VERY_STRONG_RANDOM);
 			break;
 	}
+	return TRUE;
 }
 
-METHOD(rng_t, allocate_bytes, void,
+METHOD(rng_t, allocate_bytes, bool,
 	private_gcrypt_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
 	get_bytes(this, chunk->len, chunk->ptr);
+	return TRUE;
 }
 
 METHOD(rng_t, destroy, void,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index eb38eea3b..938a46490 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -17,7 +17,7 @@
 
 #include "gcrypt_rsa_private_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -165,11 +165,11 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 		return FALSE;
 	}
 	hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
-	if (!hasher)
+	if (!hasher || !hasher->allocate_hash(hasher, data, &hash))
 	{
+		DESTROY_IF(hasher);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, data, &hash);
 	hasher->destroy(hasher);
 
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index f8645da97..291287a8f 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -17,7 +17,7 @@
 
 #include "gcrypt_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -121,11 +121,11 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	gcry_sexp_t in, sig;
 
 	hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
-	if (!hasher)
+	if (!hasher || !hasher->allocate_hash(hasher, data, &hash))
 	{
+		DESTROY_IF(hasher);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, data, &hash);
 	hasher->destroy(hasher);
 
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am
index cc8ad34db..57e1fd7a8 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.am
+++ b/src/libstrongswan/plugins/gmp/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-gmp.la
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 34a23312b..757adf370 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_gmp_la_DEPENDENCIES =
 am_libstrongswan_gmp_la_OBJECTS = gmp_plugin.lo gmp_diffie_hellman.lo \
 	gmp_rsa_private_key.lo gmp_rsa_public_key.lo
 libstrongswan_gmp_la_OBJECTS = $(am_libstrongswan_gmp_la_OBJECTS)
-libstrongswan_gmp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_gmp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_gmp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_gmp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_gmp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_gmp_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_gmp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_gmp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gmp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gmp.la
 libstrongswan_gmp_la_SOURCES = \
@@ -338,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) 
-	$(libstrongswan_gmp_la_LINK) $(am_libstrongswan_gmp_la_rpath) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
+libstrongswan-gmp.la: $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_DEPENDENCIES) $(EXTRA_libstrongswan_gmp_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_gmp_la_LINK) $(am_libstrongswan_gmp_la_rpath) $(libstrongswan_gmp_la_OBJECTS) $(libstrongswan_gmp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,25 +449,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gmp_rsa_public_key.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -507,10 +574,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index e99502b27..b74d35169 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -21,7 +21,7 @@
 
 #include "gmp_diffie_hellman.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #ifdef HAVE_MPZ_POWM_SEC
 # undef mpz_powm
@@ -230,8 +230,13 @@ static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group,
 		destroy(this);
 		return NULL;
 	}
-
-	rng->allocate_bytes(rng, exp_len, &random);
+	if (!rng->allocate_bytes(rng, exp_len, &random))
+	{
+		DBG1(DBG_LIB, "failed to allocate DH secret");
+		rng->destroy(rng);
+		destroy(this);
+		return NULL;
+	}
 	rng->destroy(rng);
 
 	if (exp_len == this->p_len)
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index 1b6c20817..052b10741 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -1,7 +1,8 @@
 /*
- * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -22,7 +23,7 @@
 #include "gmp_rsa_private_key.h"
 #include "gmp_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -69,9 +70,14 @@ struct private_gmp_rsa_private_key_t {
 	mpz_t q;
 
 	/**
-	 * Private exponent.
+	 * Carmichael function m = lambda(n) = lcm(p-1,q-1).
+	*/
+	mpz_t m;
+
+	/**
+	 * Private exponent and optional secret sharing polynomial coefficients.
 	 */
-	mpz_t d;
+	mpz_t *d;
 
 	/**
 	 * Private exponent 1.
@@ -89,6 +95,21 @@ struct private_gmp_rsa_private_key_t {
 	mpz_t coeff;
 
 	/**
+	 * Total number of private key shares
+	 */
+	u_int shares;
+
+	/**
+	 * Secret sharing threshold
+	 */
+	u_int threshold;
+
+	/**
+	 * Optional verification key (threshold > 1).
+	 */
+	mpz_t v;
+
+	/**
 	 * Keysize in bytes.
 	 */
 	size_t k;
@@ -121,22 +142,22 @@ chunk_t gmp_mpz_to_chunk(const mpz_t value)
 static void mpz_clear_sensitive(mpz_t z)
 {
 	size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
-	u_int8_t *random = alloca(len);
+	u_int8_t *zeros = alloca(len);
 
-	memset(random, 0, len);
+	memset(zeros, 0, len);
 	/* overwrite mpz_t with zero bytes before clearing it */
-	mpz_import(z, len, 1, 1, 1, 0, random);
+	mpz_import(z, len, 1, 1, 1, 0, zeros);
 	mpz_clear(z);
 }
 
 /**
  * Create a mpz prime of at least prime_size
  */
-static status_t compute_prime(private_gmp_rsa_private_key_t *this,
-							  size_t prime_size, mpz_t *prime)
+static status_t compute_prime(size_t prime_size, bool safe, mpz_t *p, mpz_t *q)
 {
 	rng_t *rng;
 	chunk_t random_bytes;
+	int count = 0;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
 	if (!rng)
@@ -146,21 +167,53 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
 		return FAILED;
 	}
 
-	mpz_init(*prime);
+	mpz_init(*p);
+	mpz_init(*q);
+
 	do
 	{
-		rng->allocate_bytes(rng, prime_size, &random_bytes);
-		/* make sure the two most significant bits are set */
-		random_bytes.ptr[0] = random_bytes.ptr[0] | 0xC0;
+		if (!rng->allocate_bytes(rng, prime_size, &random_bytes))
+		{
+			DBG1(DBG_LIB, "failed to allocate random prime");
+			mpz_clear(*p);
+			mpz_clear(*q);
+			rng->destroy(rng);
+			return FAILED;
+		}
 
-		mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
-		mpz_nextprime (*prime, *prime);
+		/* make sure the two most significant bits are set */
+		if (safe)
+		{
+			random_bytes.ptr[0] &= 0x7F;
+			random_bytes.ptr[0] |= 0x60;
+			mpz_import(*q, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			do
+			{
+				count++;
+				mpz_nextprime (*q, *q);
+				mpz_mul_ui(*p, *q, 2);
+				mpz_add_ui(*p, *p, 1);
+			}
+			while (mpz_probab_prime_p(*p, 10) == 0);
+			DBG2(DBG_LIB, "safe prime found after %d iterations", count);
+		}
+		else
+		{
+			random_bytes.ptr[0] |= 0xC0;
+			mpz_import(*p, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			mpz_nextprime (*p, *p);
+		}
 		chunk_clear(&random_bytes);
 	}
-	/* check if it isn't too large */
-	while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
+
+	/* check if the prime isn't too large */
+	while (((mpz_sizeinbase(*p, 2) + 7) / 8) > prime_size);
 
 	rng->destroy(rng);
+
+	/* additionally return p-1 */
+	mpz_sub_ui(*q, *p, 1);
+
 	return SUCCESS;
 }
 
@@ -230,11 +283,11 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 		}
 
 		hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
-		if (hasher == NULL)
+		if (!hasher || !hasher->allocate_hash(hasher, data, &hash))
 		{
+			DESTROY_IF(hasher);
 			return FALSE;
 		}
-		hasher->allocate_hash(hasher, data, &hash);
 		hasher->destroy(hasher);
 
 		/* build DER-encoded digestInfo */
@@ -388,7 +441,7 @@ METHOD(private_key_t, get_encoding, bool,
 
 	n = gmp_mpz_to_chunk(this->n);
 	e = gmp_mpz_to_chunk(this->e);
-	d = gmp_mpz_to_chunk(this->d);
+	d = gmp_mpz_to_chunk(*this->d);
 	p = gmp_mpz_to_chunk(this->p);
 	q = gmp_mpz_to_chunk(this->q);
 	exp1 = gmp_mpz_to_chunk(this->exp1);
@@ -446,14 +499,24 @@ METHOD(private_key_t, destroy, void,
 {
 	if (ref_put(&this->ref))
 	{
-		mpz_clear_sensitive(this->n);
-		mpz_clear_sensitive(this->e);
+		int i;
+
+		mpz_clear(this->n);
+		mpz_clear(this->e);
+		mpz_clear(this->v);
 		mpz_clear_sensitive(this->p);
 		mpz_clear_sensitive(this->q);
-		mpz_clear_sensitive(this->d);
+		mpz_clear_sensitive(this->m);
 		mpz_clear_sensitive(this->exp1);
 		mpz_clear_sensitive(this->exp2);
 		mpz_clear_sensitive(this->coeff);
+
+		for (i = 0; i < this->threshold; i++)
+		{
+			mpz_clear_sensitive(*this->d + i);
+		}
+		free(this->d);
+
 		lib->encoding->clear_cache(lib->encoding, this);
 		free(this);
 	}
@@ -464,7 +527,7 @@ METHOD(private_key_t, destroy, void,
  */
 static status_t check(private_gmp_rsa_private_key_t *this)
 {
-	mpz_t t, u, q1;
+	mpz_t u, p1, q1;
 	status_t status = SUCCESS;
 
 	/* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
@@ -483,10 +546,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 		return FAILED;
 	}
 
-	mpz_init(t);
 	mpz_init(u);
+	mpz_init(p1);
 	mpz_init(q1);
 
+	/* precompute p1 = p-1 and q1 = q-1 */
+	mpz_sub_ui(p1, this->p, 1);
+	mpz_sub_ui(q1, this->q, 1);
+
 	/* check that n == p * q */
 	mpz_mul(u, this->p, this->q);
 	if (mpz_cmp(u, this->n) != 0)
@@ -495,62 +562,54 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 	}
 
 	/* check that e divides neither p-1 nor q-1 */
-	mpz_sub_ui(t, this->p, 1);
-	mpz_mod(t, t, this->e);
-	if (mpz_cmp_ui(t, 0) == 0)
+	mpz_mod(u, p1, this->e);
+	if (mpz_cmp_ui(u, 0) == 0)
 	{
 		status = FAILED;
 	}
 
-	mpz_sub_ui(t, this->q, 1);
-	mpz_mod(t, t, this->e);
-	if (mpz_cmp_ui(t, 0) == 0)
+	mpz_mod(u, q1, this->e);
+	if (mpz_cmp_ui(u, 0) == 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that d is e^-1 (mod lcm(p-1, q-1)) */
 	/* see PKCS#1v2, aka RFC 2437, for the "lcm" */
-	mpz_sub_ui(q1, this->q, 1);
-	mpz_sub_ui(u, this->p, 1);
-	mpz_gcd(t, u, q1);		/* t := gcd(p-1, q-1) */
-	mpz_mul(u, u, q1);		/* u := (p-1) * (q-1) */
-	mpz_divexact(u, u, t);	/* u := lcm(p-1, q-1) */
-
-	mpz_mul(t, this->d, this->e);
-	mpz_mod(t, t, u);
-	if (mpz_cmp_ui(t, 1) != 0)
+	mpz_lcm(this->m, p1, q1);
+	mpz_mul(u, *this->d, this->e);
+	mpz_mod(u, u, this->m);
+	if (mpz_cmp_ui(u, 1) != 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that exp1 is d mod (p-1) */
-	mpz_sub_ui(u, this->p, 1);
-	mpz_mod(t, this->d, u);
-	if (mpz_cmp(t, this->exp1) != 0)
+	mpz_mod(u, *this->d, p1);
+	if (mpz_cmp(u, this->exp1) != 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that exp2 is d mod (q-1) */
-	mpz_sub_ui(u, this->q, 1);
-	mpz_mod(t, this->d, u);
-	if (mpz_cmp(t, this->exp2) != 0)
+	mpz_mod(u, *this->d, q1);
+	if (mpz_cmp(u, this->exp2) != 0)
 	{
 		status = FAILED;
 	}
 
 	/* check that coeff is (q^-1) mod p */
-	mpz_mul(t, this->coeff, this->q);
-	mpz_mod(t, t, this->p);
-	if (mpz_cmp_ui(t, 1) != 0)
+	mpz_mul(u, this->coeff, this->q);
+	mpz_mod(u, u, this->p);
+	if (mpz_cmp_ui(u, 1) != 0)
 	{
 		status = FAILED;
 	}
 
-	mpz_clear_sensitive(t);
 	mpz_clear_sensitive(u);
+	mpz_clear_sensitive(p1);
 	mpz_clear_sensitive(q1);
+
 	if (status != SUCCESS)
 	{
 		DBG1(DBG_LIB, "key integrity tests failed");
@@ -582,6 +641,7 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 				.destroy = _destroy,
 			},
 		},
+		.threshold = 1,
 		.ref = 1,
 	);
 	return this;
@@ -592,9 +652,11 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
  */
 gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 {
-	mpz_t p, q, n, e, d, exp1, exp2, coeff, m, q1, t;
 	private_gmp_rsa_private_key_t *this;
-	u_int key_size = 0;
+	u_int key_size = 0, shares = 0, threshold = 1;
+	bool safe_prime = FALSE, rng_failed = FALSE, invert_failed = FALSE;
+	mpz_t p, q, p1, q1, d;
+;
 
 	while (TRUE)
 	{
@@ -603,6 +665,15 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 			case BUILD_KEY_SIZE:
 				key_size = va_arg(args, u_int);
 				continue;
+			case BUILD_SAFE_PRIMES:
+				safe_prime = TRUE;
+				continue;
+			case BUILD_SHARES:
+				shares = va_arg(args, u_int);
+				continue;
+			case BUILD_THRESHOLD:
+				threshold = va_arg(args, u_int);
+				continue;
 			case BUILD_END:
 				break;
 			default:
@@ -614,76 +685,112 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
 	{
 		return NULL;
 	}
-
-	this = gmp_rsa_private_key_create_empty();
 	key_size = key_size / BITS_PER_BYTE;
 
 	/* Get values of primes p and q  */
-	if (compute_prime(this, key_size/2, &p) != SUCCESS)
+	if (compute_prime(key_size/2, safe_prime, &p, &p1) != SUCCESS)
 	{
-		free(this);
 		return NULL;
 	}
-	if (compute_prime(this, key_size/2, &q) != SUCCESS)
+	if (compute_prime(key_size/2, safe_prime, &q, &q1) != SUCCESS)
 	{
 		mpz_clear(p);
-		free(this);
+		mpz_clear(p1);
 		return NULL;
 	}
 
-	mpz_init(t);
-	mpz_init(n);
-	mpz_init(d);
-	mpz_init(exp1);
-	mpz_init(exp2);
-	mpz_init(coeff);
-
 	/* Swapping Primes so p is larger then q */
 	if (mpz_cmp(p, q) < 0)
 	{
 		mpz_swap(p, q);
+		mpz_swap(p1, q1);
 	}
 
-	mpz_mul(n, p, q);						/* n = p*q */
-	mpz_init_set_ui(e, PUBLIC_EXPONENT);	/* assign public exponent */
-	mpz_init_set(m, p);					/* m = p */
-	mpz_sub_ui(m, m, 1);					/* m = m -1 */
-	mpz_init_set(q1, q);					/* q1 = q */
-	mpz_sub_ui(q1, q1, 1);					/* q1 = q1 -1 */
-	mpz_gcd(t, m, q1);						/* t = gcd(p-1, q-1) */
-	mpz_mul(m, m, q1);						/* m = (p-1)*(q-1) */
-	mpz_divexact(m, m, t);					/* m = m / t */
-	mpz_gcd(t, m, e);						/* t = gcd(m, e) */
+	/* Create and initialize RSA private key object */
+	this = gmp_rsa_private_key_create_empty();
+	this->shares = shares;
+	this->threshold = threshold;
+	this->d = malloc(threshold * sizeof(mpz_t));
+	*this->p = *p;
+	*this->q = *q;
 
-	mpz_invert(d, e, m);					/* e has an inverse mod m */
-	if (mpz_cmp_ui(d, 0) < 0)				/* make sure d is positive */
-	{
-		mpz_add(d, d, m);
-	}
-	mpz_sub_ui(t, p, 1);					/* t = p-1 */
-	mpz_mod(exp1, d, t);					/* exp1 = d mod p-1 */
-	mpz_sub_ui(t, q, 1);					/* t = q-1 */
-	mpz_mod(exp2, d, t);					/* exp2 = d mod q-1 */
+	mpz_init_set_ui(this->e, PUBLIC_EXPONENT);
+	mpz_init(this->n);
+	mpz_init(this->m);
+	mpz_init(this->exp1);
+	mpz_init(this->exp2);
+	mpz_init(this->coeff);
+	mpz_init(this->v);
+	mpz_init(d);
+
+	mpz_mul(this->n, p, q);					/* n = p*q */
+	mpz_lcm(this->m, p1, q1);				/* m = lcm(p-1,q-1) */
+	mpz_invert(d, this->e, this->m);		/* e has an inverse mod m */
+	mpz_mod(this->exp1, d, p1);				/* exp1 = d mod p-1 */
+	mpz_mod(this->exp2, d, q1);				/* exp2 = d mod q-1 */
+	mpz_invert(this->coeff, q, p);			/* coeff = q^-1 mod p */
+
+	invert_failed = mpz_cmp_ui(this->m, 0) == 0 ||
+					mpz_cmp_ui(this->coeff, 0) == 0;
+
+    /* store secret exponent d */
+	(*this->d)[0] = *d;
 
-	mpz_invert(coeff, q, p);				/* coeff = q^-1 mod p */
-	if (mpz_cmp_ui(coeff, 0) < 0)			/* make coeff d is positive */
+	/* generate and store random coefficients of secret sharing polynomial */
+	if (threshold > 1)
 	{
-		mpz_add(coeff, coeff, p);
+		rng_t *rng;
+		chunk_t random_bytes;
+		mpz_t u;
+		int i;
+
+		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+		mpz_init(u);
+
+		for (i = 1; i < threshold; i++)
+		{
+			mpz_init(d);
+
+			if (!rng->allocate_bytes(rng, key_size, &random_bytes))
+			{
+				rng_failed = TRUE;
+				continue;
+			}
+			mpz_import(d, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			mpz_mod(d, d, this->m);
+			(*this->d)[i] = *d;
+			chunk_clear(&random_bytes);
+		}
+
+		/* generate verification key v as a square number */
+		do
+		{
+			if (!rng->allocate_bytes(rng, key_size, &random_bytes))
+			{
+				rng_failed = TRUE;
+				break;
+			}
+			mpz_import(this->v, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+			mpz_mul(this->v, this->v, this->v);
+			mpz_mod(this->v, this->v, this->n);
+			mpz_gcd(u, this->v, this->n);
+			chunk_free(&random_bytes);
+		}
+		while (mpz_cmp_ui(u, 1) != 0);
+
+		mpz_clear(u);
+		rng->destroy(rng);
 	}
 
+	mpz_clear_sensitive(p1);
 	mpz_clear_sensitive(q1);
-	mpz_clear_sensitive(m);
-	mpz_clear_sensitive(t);
-
-	/* apply values */
-	*(this->p) = *p;
-	*(this->q) = *q;
-	*(this->n) = *n;
-	*(this->e) = *e;
-	*(this->d) = *d;
-	*(this->exp1) = *exp1;
-	*(this->exp2) = *exp2;
-	*(this->coeff) = *coeff;
+
+	if (rng_failed || invert_failed)
+	{
+		DBG1(DBG_LIB, "rsa key generation failed");
+		destroy(this);
+		return NULL;
+	}
 
 	/* set key size in bytes */
 	this->k = key_size;
@@ -696,8 +803,8 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_gen(key_type_t type, va_list args)
  */
 gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
 {
-	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 	private_gmp_rsa_private_key_t *this;
+	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 
 	n = e = d = p = q = exp1 = exp2 = coeff = chunk_empty;
 	while (TRUE)
@@ -738,25 +845,28 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
 
 	this = gmp_rsa_private_key_create_empty();
 
+	this->d = malloc(sizeof(mpz_t));
 	mpz_init(this->n);
 	mpz_init(this->e);
+	mpz_init(*this->d);
 	mpz_init(this->p);
 	mpz_init(this->q);
-	mpz_init(this->d);
+	mpz_init(this->m);
 	mpz_init(this->exp1);
 	mpz_init(this->exp2);
 	mpz_init(this->coeff);
+	mpz_init(this->v);
 
 	mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
 	mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
-	mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
+	mpz_import(*this->d, d.len, 1, 1, 1, 0, d.ptr);
 	mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
 	mpz_import(this->q, q.len, 1, 1, 1, 0, q.ptr);
 	mpz_import(this->coeff, coeff.len, 1, 1, 1, 0, coeff.ptr);
 	if (!exp1.len)
 	{	/* exp1 missing in key, recalculate: exp1 = d mod (p-1) */
 		mpz_sub_ui(this->exp1, this->p, 1);
-		mpz_mod(this->exp1, this->d, this->exp1);
+		mpz_mod(this->exp1, *this->d, this->exp1);
 	}
 	else
 	{
@@ -765,7 +875,7 @@ gmp_rsa_private_key_t *gmp_rsa_private_key_load(key_type_t type, va_list args)
 	if (!exp2.len)
 	{	/* exp2 missing in key, recalculate: exp2 = d mod (q-1) */
 		mpz_sub_ui(this->exp2, this->q, 1);
-		mpz_mod(this->exp2, this->d, this->exp2);
+		mpz_mod(this->exp2, *this->d, this->exp2);
 	}
 	else
 	{
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 898892f5b..ad659e4d7 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -22,7 +22,7 @@
 
 #include "gmp_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
@@ -252,7 +252,11 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 					}
 
 					/* build our own hash and compare */
-					hasher->allocate_hash(hasher, data, &hash);
+					if (!hasher->allocate_hash(hasher, data, &hash))
+					{
+						hasher->destroy(hasher);
+						goto end_parser;
+					}
 					hasher->destroy(hasher);
 					success = memeq(object.ptr, hash.ptr, hash.len);
 					free(hash.ptr);
@@ -314,7 +318,7 @@ METHOD(public_key_t, encrypt_, bool,
 {
 	chunk_t em;
 	u_char *pos;
-	int padding, i;
+	int padding;
 	rng_t *rng;
 
 	if (scheme != ENCRYPT_RSA_PKCS1)
@@ -348,19 +352,17 @@ METHOD(public_key_t, encrypt_, bool,
 	*pos++ = 0x02;
 
 	/* fill with pseudo random octets */
-	rng->get_bytes(rng, padding, pos);
-
-	/* replace zero-valued random octets */
-	for (i = 0; i < padding; i++)
+	if (!rng_get_bytes_not_zero(rng, padding, pos, TRUE))
 	{
-		while (*pos == 0)
-		{
-			rng->get_bytes(rng, 1, pos);
-		}
-		pos++;
+		DBG1(DBG_LIB, "failed to allocate padding");
+		chunk_clear(&em);
+		rng->destroy(rng);
+		return FALSE;
 	}
 	rng->destroy(rng);
 
+	pos += padding;
+
 	/* append the padding terminator */
 	*pos++ = 0x00;
 
diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am
index 77aa0ffd1..5d88d26c8 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.am
+++ b/src/libstrongswan/plugins/hmac/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-hmac.la
@@ -10,7 +11,6 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la
 endif
 
 libstrongswan_hmac_la_SOURCES = \
-	hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
-	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
+	hmac_plugin.h hmac_plugin.c hmac.h hmac.c
 
 libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index 5242764d4..923632975 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_hmac_la_LIBADD =
-am_libstrongswan_hmac_la_OBJECTS = hmac_plugin.lo hmac.lo hmac_prf.lo \
-	hmac_signer.lo
+am_libstrongswan_hmac_la_OBJECTS = hmac_plugin.lo hmac.lo
 libstrongswan_hmac_la_OBJECTS = $(am_libstrongswan_hmac_la_OBJECTS)
-libstrongswan_hmac_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_hmac_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_hmac_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_hmac_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_hmac_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_hmac_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_hmac_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_hmac_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,13 +342,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-hmac.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-hmac.la
 libstrongswan_hmac_la_SOURCES = \
-	hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
-	hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
+	hmac_plugin.h hmac_plugin.c hmac.h hmac.c
 
 libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -335,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -343,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -364,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) 
-	$(libstrongswan_hmac_la_LINK) $(am_libstrongswan_hmac_la_rpath) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
+libstrongswan-hmac.la: $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_DEPENDENCIES) $(EXTRA_libstrongswan_hmac_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_hmac_la_LINK) $(am_libstrongswan_hmac_la_rpath) $(libstrongswan_hmac_la_OBJECTS) $(libstrongswan_hmac_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,29 +440,27 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_prf.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_signer.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index 91294305e..44cb46b4d 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -14,23 +15,25 @@
  * for more details.
  */
 
-#include <string.h>
-
 #include "hmac.h"
 
+#include <crypto/mac.h>
+#include <crypto/prfs/mac_prf.h>
+#include <crypto/signers/mac_signer.h>
 
-typedef struct private_hmac_t private_hmac_t;
+typedef struct private_mac_t private_mac_t;
 
 /**
- * Private data of a hmac_t object.
+ * Private data of a mac_t object.
  *
  * The variable names are the same as in the RFC.
  */
-struct private_hmac_t {
+struct private_mac_t {
+
 	/**
-	 * Public hmac_t interface.
+	 * Implements mac_t interface
 	 */
-	hmac_t public;
+	mac_t public;
 
 	/**
 	 * Block size, as in RFC.
@@ -53,8 +56,8 @@ struct private_hmac_t {
 	chunk_t ipaded_key;
 };
 
-METHOD(hmac_t, get_mac, void,
-	private_hmac_t *this, chunk_t data, u_int8_t *out)
+METHOD(mac_t, get_mac, bool,
+	private_mac_t *this, chunk_t data, u_int8_t *out)
 {
 	/* H(K XOR opad, H(K XOR ipad, text))
 	 *
@@ -69,51 +72,28 @@ METHOD(hmac_t, get_mac, void,
 	if (out == NULL)
 	{
 		/* append data to inner */
-		this->h->get_hash(this->h, data, NULL);
+		return this->h->get_hash(this->h, data, NULL);
 	}
-	else
-	{
-		/* append and do outer hash */
-		inner.ptr = buffer;
-		inner.len = this->h->get_hash_size(this->h);
-
-		/* complete inner */
-		this->h->get_hash(this->h, data, buffer);
 
-		/* do outer */
-		this->h->get_hash(this->h, this->opaded_key, NULL);
-		this->h->get_hash(this->h, inner, out);
+	/* append and do outer hash */
+	inner.ptr = buffer;
+	inner.len = this->h->get_hash_size(this->h);
 
-		/* reinit for next call */
-		this->h->get_hash(this->h, this->ipaded_key, NULL);
-	}
+	/* complete inner, do outer and reinit for next call */
+	return this->h->get_hash(this->h, data, buffer) &&
+		   this->h->get_hash(this->h, this->opaded_key, NULL) &&
+		   this->h->get_hash(this->h, inner, out) &&
+		   this->h->get_hash(this->h, this->ipaded_key, NULL);
 }
 
-METHOD(hmac_t, allocate_mac, void,
-	private_hmac_t *this, chunk_t data, chunk_t *out)
-{
-	/* allocate space and use get_mac */
-	if (out == NULL)
-	{
-		/* append mode */
-		get_mac(this, data, NULL);
-	}
-	else
-	{
-		out->len = this->h->get_hash_size(this->h);
-		out->ptr = malloc(out->len);
-		get_mac(this, data, out->ptr);
-	}
-}
-
-METHOD(hmac_t, get_block_size, size_t,
-	private_hmac_t *this)
+METHOD(mac_t, get_mac_size, size_t,
+	private_mac_t *this)
 {
 	return this->h->get_hash_size(this->h);
 }
 
-METHOD(hmac_t, set_key, void,
-	private_hmac_t *this, chunk_t key)
+METHOD(mac_t, set_key, bool,
+	private_mac_t *this, chunk_t key)
 {
 	int i;
 	u_int8_t buffer[this->b];
@@ -123,7 +103,10 @@ METHOD(hmac_t, set_key, void,
 	if (key.len > this->b)
 	{
 		/* if key is too long, it will be hashed */
-		this->h->get_hash(this->h, key, buffer);
+		if (!this->h->get_hash(this->h, key, buffer))
+		{
+			return FALSE;
+		}
 	}
 	else
 	{
@@ -139,12 +122,12 @@ METHOD(hmac_t, set_key, void,
 	}
 
 	/* begin hashing of inner pad */
-	this->h->reset(this->h);
-	this->h->get_hash(this->h, this->ipaded_key, NULL);
+	return this->h->reset(this->h) &&
+		   this->h->get_hash(this->h, this->ipaded_key, NULL);
 }
 
-METHOD(hmac_t, destroy, void,
-	private_hmac_t *this)
+METHOD(mac_t, destroy, void,
+	private_mac_t *this)
 {
 	this->h->destroy(this->h);
 	chunk_clear(&this->opaded_key);
@@ -153,17 +136,16 @@ METHOD(hmac_t, destroy, void,
 }
 
 /*
- * Described in header
+ * Creates an mac_t object
  */
-hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
+static mac_t *hmac_create(hash_algorithm_t hash_algorithm)
 {
-	private_hmac_t *this;
+	private_mac_t *this;
 
 	INIT(this,
 		.public = {
 			.get_mac = _get_mac,
-			.allocate_mac = _allocate_mac,
-			.get_block_size = _get_block_size,
+			.get_mac_size = _get_mac_size,
 			.set_key = _set_key,
 			.destroy = _destroy,
 		},
@@ -202,3 +184,34 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 
 	return &this->public;
 }
+
+/*
+ * Described in header
+ */
+prf_t *hmac_prf_create(pseudo_random_function_t algo)
+{
+	mac_t *hmac;
+
+	hmac = hmac_create(hasher_algorithm_from_prf(algo));
+	if (hmac)
+	{
+		return mac_prf_create(hmac);
+	}
+	return NULL;
+}
+
+/*
+ * Described in header
+ */
+signer_t *hmac_signer_create(integrity_algorithm_t algo)
+{
+	mac_t *hmac;
+	size_t trunc;
+
+	hmac = hmac_create(hasher_algorithm_from_integrity(algo, &trunc));
+	if (hmac)
+	{
+		return mac_signer_create(hmac, trunc);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/hmac/hmac.h b/src/libstrongswan/plugins/hmac/hmac.h
index 1ed041596..bf66dd4aa 100644
--- a/src/libstrongswan/plugins/hmac/hmac.h
+++ b/src/libstrongswan/plugins/hmac/hmac.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
+ * Copyright (C) 2012 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,79 +14,34 @@
  */
 
 /**
- * @defgroup hmac hmac
+ * Implements the message authentication algorithm described in RFC2104.
+ *
+ * It uses a hash function, which must be implemented as a hasher_t class.
+ *
+ * @defgroup hmac_mac mac
  * @{ @ingroup hmac_p
  */
 
 #ifndef HMAC_H_
 #define HMAC_H_
 
-typedef struct hmac_t hmac_t;
-
-#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
 
 /**
- * Message authentication using hash functions.
+ * Creates a new prf_t object based on an HMAC.
  *
- * This class implements the message authentication algorithm
- * described in RFC2104. It uses a hash function, which must
- * be implemented as a hasher_t class.
+ * @param algo		algorithm to implement
+ * @return			prf_t object, NULL if not supported
  */
-struct hmac_t {
-	/**
-	 * Generate message authentication code.
-	 *
-	 * If buffer is NULL, no result is given back. A next call will
-	 * append the data to already supplied data. If buffer is not NULL,
-	 * the mac of all apended data is calculated, returned and the
-	 * state of the hmac_t is reseted.
-	 *
-	 * @param data		chunk of data to authenticate
-	 * @param buffer	pointer where the generated bytes will be written
-	 */
-	void (*get_mac) (hmac_t *this, chunk_t data, u_int8_t *buffer);
-
-	/**
-	 * Generates message authentication code and allocate space for them.
-	 *
-	 * If chunk is NULL, no result is given back. A next call will
-	 * append the data to already supplied. If chunk is not NULL,
-	 * the mac of all apended data is calculated, returned and the
-	 * state of the hmac_t reset;
-	 *
-	 * @param data		chunk of data to authenticate
-	 * @param chunk		chunk which will hold generated bytes
-	 */
-	void (*allocate_mac) (hmac_t *this, chunk_t data, chunk_t *chunk);
-
-	/**
-	 * Get the block size of this hmac_t object.
-	 *
-	 * @return			block size in bytes
-	 */
-	size_t (*get_block_size) (hmac_t *this);
-
-	/**
-	 * Set the key for this hmac_t object.
-	 *
-	 * Any key length is accepted.
-	 *
-	 * @param key		key to set
-	 */
-	void (*set_key) (hmac_t *this, chunk_t key);
-
-	/**
-	 * Destroys a hmac_t object.
-	 */
-	void (*destroy) (hmac_t *this);
-};
+prf_t *hmac_prf_create(pseudo_random_function_t algo);
 
 /**
- * Creates a new hmac_t object.
+ * Creates a new signer_t object based on an HMAC.
  *
- * @param hash_algorithm	hash algorithm to use
- * @return					hmac_t object, NULL if not supported
+ * @param algo		algorithm to implement
+ * @return			signer_t, NULL if not supported
  */
-hmac_t *hmac_create(hash_algorithm_t hash_algorithm);
+signer_t *hmac_signer_create(integrity_algorithm_t algo);
 
 #endif /** HMAC_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index 7d9ff3c67..43d5a0364 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -16,8 +16,7 @@
 #include "hmac_plugin.h"
 
 #include <library.h>
-#include "hmac_signer.h"
-#include "hmac_prf.h"
+#include "hmac.h"
 
 typedef struct private_hmac_plugin_t private_hmac_plugin_t;
 
@@ -74,6 +73,8 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(HASHER,  HASH_SHA384),
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
 				PLUGIN_DEPENDS(HASHER,  HASH_SHA512),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
+				PLUGIN_DEPENDS(HASHER,  HASH_SHA512),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c
deleted file mode 100644
index ca10612f9..000000000
--- a/src/libstrongswan/plugins/hmac/hmac_prf.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "hmac_prf.h"
-
-#include "hmac.h"
-
-
-typedef struct private_hmac_prf_t private_hmac_prf_t;
-
-/**
- * Private data of a hma_prf_t object.
- */
-struct private_hmac_prf_t {
-	/**
-	 * Public hmac_prf_t interface.
-	 */
-	hmac_prf_t public;
-
-	/**
-	 * Hmac to use for generation.
-	 */
-	hmac_t *hmac;
-};
-
-METHOD(prf_t, get_bytes, void,
-	private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
-{
-	this->hmac->get_mac(this->hmac, seed, buffer);
-}
-
-METHOD(prf_t, allocate_bytes, void,
-	private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
-{
-	this->hmac->allocate_mac(this->hmac, seed, chunk);
-}
-
-METHOD(prf_t, get_block_size, size_t,
-	private_hmac_prf_t *this)
-{
-	return this->hmac->get_block_size(this->hmac);
-}
-
-METHOD(prf_t, get_key_size, size_t,
-	private_hmac_prf_t *this)
-{
-	/* for HMAC prfs, IKEv2 uses block size as key size */
-	return this->hmac->get_block_size(this->hmac);
-}
-
-METHOD(prf_t, set_key, void,
-	private_hmac_prf_t *this, chunk_t key)
-{
-	this->hmac->set_key(this->hmac, key);
-}
-
-METHOD(prf_t, destroy, void,
-	private_hmac_prf_t *this)
-{
-	this->hmac->destroy(this->hmac);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
-{
-	private_hmac_prf_t *this;
-	hmac_t *hmac;
-
-	switch (algo)
-	{
-		case PRF_HMAC_SHA1:
-			hmac = hmac_create(HASH_SHA1);
-			break;
-		case PRF_HMAC_MD5:
-			hmac = hmac_create(HASH_MD5);
-			break;
-		case PRF_HMAC_SHA2_256:
-			hmac = hmac_create(HASH_SHA256);
-			break;
-		case PRF_HMAC_SHA2_384:
-			hmac = hmac_create(HASH_SHA384);
-			break;
-		case PRF_HMAC_SHA2_512:
-			hmac = hmac_create(HASH_SHA512);
-			break;
-		default:
-			return NULL;
-	}
-	if (hmac == NULL)
-	{
-		return NULL;
-	}
-
-	INIT(this,
-		.public = {
-			.prf = {
-				.get_bytes = _get_bytes,
-				.allocate_bytes = _allocate_bytes,
-				.get_block_size = _get_block_size,
-				.get_key_size = _get_key_size,
-				.set_key = _set_key,
-				.destroy = _destroy,
-			},
-		},
-		.hmac = hmac,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h
deleted file mode 100644
index 29d7269ae..000000000
--- a/src/libstrongswan/plugins/hmac/hmac_prf.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup hmac_prf hmac_prf
- * @{ @ingroup hmac_p
- */
-
-#ifndef PRF_HMAC_H_
-#define PRF_HMAC_H_
-
-typedef struct hmac_prf_t hmac_prf_t;
-
-#include <crypto/prfs/prf.h>
-
-/**
- * Implementation of prf_t interface using the HMAC algorithm.
- *
- * This simply wraps a hmac_t in a prf_t. More a question of
- * interface matching.
- */
-struct hmac_prf_t {
-
-	/**
-	 * Implements prf_t interface.
-	 */
-	prf_t prf;
-};
-
-/**
- * Creates a new hmac_prf_t object.
- *
- * @param algo		algorithm to implement
- * @return			hmac_prf_t object, NULL if hash not supported
- */
-hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo);
-
-#endif /** PRF_HMAC_SHA1_H_ @}*/
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
deleted file mode 100644
index 511a3e3a5..000000000
--- a/src/libstrongswan/plugins/hmac/hmac_signer.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "hmac_signer.h"
-#include "hmac.h"
-
-typedef struct private_hmac_signer_t private_hmac_signer_t;
-
-/**
- * Private data structure with signing context.
- */
-struct private_hmac_signer_t {
-	/**
-	 * Public interface of hmac_signer_t.
-	 */
-	hmac_signer_t public;
-
-	/**
-	 * Assigned hmac function.
-	 */
-	hmac_t *hmac;
-
-	/**
-	 * Block size (truncation of HMAC Hash)
-	 */
-	size_t block_size;
-};
-
-METHOD(signer_t, get_signature, void,
-	private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer)
-{
-	if (buffer == NULL)
-	{	/* append mode */
-		this->hmac->get_mac(this->hmac, data, NULL);
-	}
-	else
-	{
-		u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-
-		this->hmac->get_mac(this->hmac, data, mac);
-		memcpy(buffer, mac, this->block_size);
-	}
-}
-
-METHOD(signer_t, allocate_signature, void,
-	private_hmac_signer_t *this, chunk_t data, chunk_t *chunk)
-{
-	if (chunk == NULL)
-	{	/* append mode */
-		this->hmac->get_mac(this->hmac, data, NULL);
-	}
-	else
-	{
-		u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-
-		this->hmac->get_mac(this->hmac, data, mac);
-
-		chunk->ptr = malloc(this->block_size);
-		chunk->len = this->block_size;
-
-		memcpy(chunk->ptr, mac, this->block_size);
-	}
-}
-
-METHOD(signer_t, verify_signature, bool,
-	private_hmac_signer_t *this, chunk_t data, chunk_t signature)
-{
-	u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-
-	this->hmac->get_mac(this->hmac, data, mac);
-
-	if (signature.len != this->block_size)
-	{
-		return FALSE;
-	}
-	return memeq(signature.ptr, mac, this->block_size);
-}
-
-METHOD(signer_t, get_key_size, size_t,
-	private_hmac_signer_t *this)
-{
-	return this->hmac->get_block_size(this->hmac);
-}
-
-METHOD(signer_t, get_block_size, size_t,
-	private_hmac_signer_t *this)
-{
-	return this->block_size;
-}
-
-METHOD(signer_t, set_key, void,
-	private_hmac_signer_t *this, chunk_t key)
-{
-	this->hmac->set_key(this->hmac, key);
-}
-
-METHOD(signer_t, destroy, void,
-	private_hmac_signer_t *this)
-{
-	this->hmac->destroy(this->hmac);
-	free(this);
-}
-
-/*
- * Described in header
- */
-hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
-{
-	private_hmac_signer_t *this;
-	hmac_t *hmac;
-	size_t trunc;
-
-	switch (algo)
-	{
-		case AUTH_HMAC_SHA1_96:
-			hmac = hmac_create(HASH_SHA1);
-			trunc = 12;
-			break;
-		case AUTH_HMAC_SHA1_128:
-			hmac = hmac_create(HASH_SHA1);
-			trunc = 16;
-			break;
-		case AUTH_HMAC_SHA1_160:
-			hmac = hmac_create(HASH_SHA1);
-			trunc = 20;
-			break;
-		case AUTH_HMAC_MD5_96:
-			hmac = hmac_create(HASH_MD5);
-			trunc = 12;
-			break;
-		case AUTH_HMAC_MD5_128:
-			hmac = hmac_create(HASH_MD5);
-			trunc = 16;
-			break;
-		case AUTH_HMAC_SHA2_256_128:
-			hmac = hmac_create(HASH_SHA256);
-			trunc = 16;
-			break;
-		case AUTH_HMAC_SHA2_384_192:
-			hmac = hmac_create(HASH_SHA384);
-			trunc = 24;
-			break;
-		case AUTH_HMAC_SHA2_512_256:
-			hmac = hmac_create(HASH_SHA512);
-			trunc = 32;
-			break;
-		case AUTH_HMAC_SHA2_256_256:
-			hmac = hmac_create(HASH_SHA256);
-			trunc = 32;
-			break;
-		case AUTH_HMAC_SHA2_384_384:
-			hmac = hmac_create(HASH_SHA384);
-			trunc = 48;
-			break;
-		default:
-			return NULL;
-	}
-
-	if (hmac == NULL)
-	{
-		return NULL;
-	}
-
-	INIT(this,
-		.public = {
-			.signer = {
-				.get_signature = _get_signature,
-				.allocate_signature = _allocate_signature,
-				.verify_signature = _verify_signature,
-				.get_key_size = _get_key_size,
-				.get_block_size = _get_block_size,
-				.set_key = _set_key,
-				.destroy = _destroy,
-			},
-		},
-		.block_size = min(trunc, hmac->get_block_size(hmac)),
-		.hmac = hmac,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h
deleted file mode 100644
index 5e798683b..000000000
--- a/src/libstrongswan/plugins/hmac/hmac_signer.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup hmac_signer hmac_signer
- * @{ @ingroup hmac_p
- */
-
-#ifndef HMAC_SIGNER_H_
-#define HMAC_SIGNER_H_
-
-typedef struct hmac_signer_t hmac_signer_t;
-
-#include <crypto/signers/signer.h>
-
-/**
- * Implementation of signer_t interface using HMAC.
- *
- * HMAC uses a standard hash function implemented in a hasher_t to build a MAC.
- */
-struct hmac_signer_t {
-
-	/**
-	 * Implements signer_t interface.
-	 */
-	signer_t signer;
-};
-
-/**
- * Creates a new hmac_signer_t.
- *
- * HMAC signatures are often truncated to shorten them to a more usable, but
- * still secure enough length.
- * Block size must be equal or smaller then the hash algorithms hash.
- *
- * @param algo		algorithm to implement
- * @return			hmac_signer_t, NULL if  not supported
- */
-hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo);
-
-#endif /** HMAC_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/plugins/keychain/Makefile.am b/src/libstrongswan/plugins/keychain/Makefile.am
new file mode 100644
index 000000000..bd04db33d
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/Makefile.am
@@ -0,0 +1,17 @@
+
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-keychain.la
+else
+plugin_LTLIBRARIES = libstrongswan-keychain.la
+endif
+
+libstrongswan_keychain_la_SOURCES = \
+	keychain_plugin.h keychain_plugin.c \
+	keychain_creds.h keychain_creds.c
+
+libstrongswan_keychain_la_LDFLAGS = -module -avoid-version \
+	-framework Security -framework CoreFoundation
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
new file mode 100644
index 000000000..bbb1e8888
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -0,0 +1,683 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/keychain
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_keychain_la_LIBADD =
+am_libstrongswan_keychain_la_OBJECTS = keychain_plugin.lo \
+	keychain_creds.lo
+libstrongswan_keychain_la_OBJECTS =  \
+	$(am_libstrongswan_keychain_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_keychain_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_keychain_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_keychain_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_keychain_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_keychain_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_keychain_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-keychain.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-keychain.la
+libstrongswan_keychain_la_SOURCES = \
+	keychain_plugin.h keychain_plugin.c \
+	keychain_creds.h keychain_creds.c
+
+libstrongswan_keychain_la_LDFLAGS = -module -avoid-version \
+	-framework Security -framework CoreFoundation
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/keychain/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/keychain/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-keychain.la: $(libstrongswan_keychain_la_OBJECTS) $(libstrongswan_keychain_la_DEPENDENCIES) $(EXTRA_libstrongswan_keychain_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_keychain_la_LINK) $(am_libstrongswan_keychain_la_rpath) $(libstrongswan_keychain_la_OBJECTS) $(libstrongswan_keychain_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keychain_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keychain_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/keychain/keychain_creds.c b/src/libstrongswan/plugins/keychain/keychain_creds.c
new file mode 100644
index 000000000..d60f28691
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_creds.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "keychain_creds.h"
+
+#include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
+#include <processing/jobs/callback_job.h>
+
+#include <Security/Security.h>
+
+/**
+ * System Roots keychain
+ */
+#define SYSTEM_ROOTS "/System/Library/Keychains/SystemRootCertificates.keychain"
+
+/**
+ * System keychain
+ */
+#define SYSTEM "/Library/Keychains/System.keychain"
+
+typedef struct private_keychain_creds_t private_keychain_creds_t;
+
+/**
+ * Private data of an keychain_creds_t object.
+ */
+struct private_keychain_creds_t {
+
+	/**
+	 * Public keychain_creds_t interface.
+	 */
+	keychain_creds_t public;
+
+	/**
+	 * Active in-memory credential set
+	 */
+	mem_cred_t *set;
+
+	/**
+	 * System roots credential set
+	 */
+	mem_cred_t *roots;
+
+	/**
+	 * Run loop of event monitoring thread
+	 */
+	CFRunLoopRef loop;
+};
+
+/**
+ * Load a credential sets with certificates from a keychain path
+ */
+static mem_cred_t* load_certs(private_keychain_creds_t *this, char *path)
+{
+	SecKeychainRef keychain;
+	SecKeychainSearchRef search;
+	SecKeychainItemRef item;
+	mem_cred_t *set;
+	OSStatus status;
+	int loaded = 0;
+
+	set = mem_cred_create();
+
+	DBG2(DBG_CFG, "loading certificates from %s:", path);
+	status = SecKeychainOpen(path, &keychain);
+	if (status == errSecSuccess)
+	{
+		status = SecKeychainSearchCreateFromAttributes(keychain,
+									kSecCertificateItemClass, NULL, &search);
+		if (status == errSecSuccess)
+		{
+			while (SecKeychainSearchCopyNext(search, &item) == errSecSuccess)
+			{
+				certificate_t *cert;
+				UInt32 len;
+				void *data;
+
+				if (SecKeychainItemCopyAttributesAndData(item, NULL, NULL, NULL,
+												&len, &data) == errSecSuccess)
+				{
+					cert = lib->creds->create(lib->creds,
+								CRED_CERTIFICATE, CERT_X509,
+								BUILD_BLOB_ASN1_DER, chunk_create(data, len),
+								BUILD_END);
+					if (cert)
+					{
+						DBG2(DBG_CFG, "  loaded '%Y'", cert->get_subject(cert));
+						set->add_cert(set, TRUE, cert);
+						loaded++;
+					}
+					SecKeychainItemFreeAttributesAndData(NULL, data);
+				}
+				CFRelease(item);
+			}
+			CFRelease(search);
+		}
+		CFRelease(keychain);
+	}
+	DBG1(DBG_CFG, "loaded %d certificates from %s", loaded, path);
+	return set;
+}
+
+/**
+ * Callback function reloading keychain on changes
+ */
+static OSStatus keychain_cb(SecKeychainEvent keychainEvent,
+							SecKeychainCallbackInfo *info,
+							private_keychain_creds_t *this)
+{
+	mem_cred_t *new;
+
+	DBG1(DBG_CFG, "received keychain event, reloading credentials");
+
+	/* register new before removing old */
+	new = load_certs(this, SYSTEM);
+	lib->credmgr->add_set(lib->credmgr, &new->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->set->set);
+
+	lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+
+	this->set->destroy(this->set);
+	this->set = new;
+
+	return errSecSuccess;
+}
+
+/**
+ * Wait for changes in the keychain and handle them
+ */
+static job_requeue_t monitor_changes(private_keychain_creds_t *this)
+{
+	if (SecKeychainAddCallback((SecKeychainCallback)keychain_cb,
+						kSecAddEventMask | kSecDeleteEventMask |
+						kSecUpdateEventMask | kSecTrustSettingsChangedEventMask,
+						this) == errSecSuccess)
+	{
+		this->loop = CFRunLoopGetCurrent();
+
+		/* does not return until cancelled */
+		CFRunLoopRun();
+
+		this->loop = NULL;
+		SecKeychainRemoveCallback((SecKeychainCallback)keychain_cb);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Cancel the monitoring thread in its RunLoop
+ */
+static bool cancel_monitor(private_keychain_creds_t *this)
+{
+	if (this->loop)
+	{
+		CFRunLoopStop(this->loop);
+	}
+	return TRUE;
+}
+
+METHOD(keychain_creds_t, destroy, void,
+	private_keychain_creds_t *this)
+{
+	lib->credmgr->remove_set(lib->credmgr, &this->set->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->roots->set);
+	this->set->destroy(this->set);
+	this->roots->destroy(this->roots);
+	free(this);
+}
+
+/**
+ * See header
+ */
+keychain_creds_t *keychain_creds_create()
+{
+	private_keychain_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.destroy = _destroy,
+		},
+	);
+
+	this->roots = load_certs(this, SYSTEM_ROOTS);
+	this->set = load_certs(this, SYSTEM);
+
+	lib->credmgr->add_set(lib->credmgr, &this->roots->set);
+	lib->credmgr->add_set(lib->credmgr, &this->set->set);
+
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((void*)monitor_changes,
+					this, NULL, (void*)cancel_monitor, JOB_PRIO_CRITICAL));
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/keychain/keychain_creds.h b/src/libstrongswan/plugins/keychain/keychain_creds.h
new file mode 100644
index 000000000..64a2ededd
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_creds.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup keychain_creds keychain_creds
+ * @{ @ingroup keychain
+ */
+
+#ifndef KEYCHAIN_CREDS_H_
+#define KEYCHAIN_CREDS_H_
+
+typedef struct keychain_creds_t keychain_creds_t;
+
+#include <credentials/credential_manager.h>
+
+/**
+ * Credential set using OS X Keychain Services.
+ */
+struct keychain_creds_t {
+
+	/**
+	 * Destroy a keychain_creds_t.
+	 */
+	void (*destroy)(keychain_creds_t *this);
+};
+
+/**
+ * Create a keychain_creds instance.
+ */
+keychain_creds_t *keychain_creds_create();
+
+#endif /** KEYCHAIN_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/keychain/keychain_plugin.c b/src/libstrongswan/plugins/keychain/keychain_plugin.c
new file mode 100644
index 000000000..6112afaa8
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_plugin.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "keychain_plugin.h"
+#include "keychain_creds.h"
+
+#include <library.h>
+
+typedef struct private_keychain_plugin_t private_keychain_plugin_t;
+
+/**
+ * private data of keychain_plugin
+ */
+struct private_keychain_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	keychain_plugin_t public;
+
+	/**
+	 * System level Keychain Services credential set
+	 */
+	keychain_creds_t *creds;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_keychain_plugin_t *this)
+{
+	return "keychain";
+}
+
+/**
+ * Load/unload certificates from Keychain.
+ */
+static bool load_creds(private_keychain_plugin_t *this,
+					   plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		this->creds = keychain_creds_create();
+	}
+	else
+	{
+		this->creds->destroy(this->creds);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_keychain_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)load_creds, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "keychain"),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_X509),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_keychain_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *keychain_plugin_create()
+{
+	private_keychain_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/keychain/keychain_plugin.h b/src/libstrongswan/plugins/keychain/keychain_plugin.h
new file mode 100644
index 000000000..482f173c3
--- /dev/null
+++ b/src/libstrongswan/plugins/keychain/keychain_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup keychain keychain
+ * @ingroup plugins
+ *
+ * @defgroup keychain_plugin keychain_plugin
+ * @{ @ingroup keychain
+ */
+
+#ifndef KEYCHAIN_PLUGIN_H_
+#define KEYCHAIN_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct keychain_plugin_t keychain_plugin_t;
+
+/**
+ * Plugin providing OS X Keychain Services support.
+ */
+struct keychain_plugin_t {
+
+	/**
+	 * Implements plugin interface,
+	 */
+	plugin_t plugin;
+};
+
+#endif /** KEYCHAIN_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am
index 2b2f7d31d..3bcef1aa8 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.am
+++ b/src/libstrongswan/plugins/ldap/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-ldap.la
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 851df5667..1baca7ff2 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_ldap_la_DEPENDENCIES =
 am_libstrongswan_ldap_la_OBJECTS = ldap_plugin.lo ldap_fetcher.lo
 libstrongswan_ldap_la_OBJECTS = $(am_libstrongswan_ldap_la_OBJECTS)
-libstrongswan_ldap_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_ldap_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_ldap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_ldap_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_ldap_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_ldap_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_ldap_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_ldap_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ldap.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ldap.la
 libstrongswan_ldap_la_SOURCES = \
@@ -334,7 +400,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -342,6 +407,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -363,8 +430,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) 
-	$(libstrongswan_ldap_la_LINK) $(am_libstrongswan_ldap_la_rpath) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
+libstrongswan-ldap.la: $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_DEPENDENCIES) $(EXTRA_libstrongswan_ldap_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_ldap_la_LINK) $(am_libstrongswan_ldap_la_rpath) $(libstrongswan_ldap_la_OBJECTS) $(libstrongswan_ldap_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -376,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -501,10 +568,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
index fc6114b0a..fe4c55545 100644
--- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c
+++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c
@@ -22,7 +22,7 @@
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "ldap_fetcher.h"
 
@@ -112,7 +112,7 @@ METHOD(fetcher_t, fetch, status_t,
 	status_t status = FAILED;
 	chunk_t *result = userdata;
 
-	if (!strneq(url, "ldap", 4))
+	if (!strpfx(url, "ldap"))
 	{
 		return NOT_SUPPORTED;
 	}
@@ -176,13 +176,14 @@ METHOD(fetcher_t, set_option, bool,
 	switch (option)
 	{
 		case FETCH_TIMEOUT:
-		{
 			this->timeout = va_arg(args, u_int);
-			return TRUE;
-		}
+			break;
 		default:
+			va_end(args);
 			return FALSE;
 	}
+	va_end(args);
+	return TRUE;
 }
 
 METHOD(fetcher_t, destroy, void,
diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am
index 904af70c0..a2fe8ecab 100644
--- a/src/libstrongswan/plugins/md4/Makefile.am
+++ b/src/libstrongswan/plugins/md4/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-md4.la
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index f5b06a0df..85cf32649 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md4_la_LIBADD =
 am_libstrongswan_md4_la_OBJECTS = md4_plugin.lo md4_hasher.lo
 libstrongswan_md4_la_OBJECTS = $(am_libstrongswan_md4_la_OBJECTS)
-libstrongswan_md4_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_md4_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_md4_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_md4_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_md4_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_md4_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_md4_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_md4_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-md4.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-md4.la
 libstrongswan_md4_la_SOURCES = \
@@ -333,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -341,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -362,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) 
-	$(libstrongswan_md4_la_LINK) $(am_libstrongswan_md4_la_rpath) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
+libstrongswan-md4.la: $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_DEPENDENCIES) $(EXTRA_libstrongswan_md4_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_md4_la_LINK) $(am_libstrongswan_md4_la_rpath) $(libstrongswan_md4_la_OBJECTS) $(libstrongswan_md4_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md4_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -500,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/md4/md4_hasher.c b/src/libstrongswan/plugins/md4/md4_hasher.c
index 6a31017c2..06c9ec2f8 100644
--- a/src/libstrongswan/plugins/md4/md4_hasher.c
+++ b/src/libstrongswan/plugins/md4/md4_hasher.c
@@ -266,20 +266,32 @@ static void MD4Final (private_md4_hasher_t *this, u_int8_t digest[16])
 	}
 }
 
+METHOD(hasher_t, reset, bool,
+	private_md4_hasher_t *this)
+{
+	this->state[0] = 0x67452301;
+	this->state[1] = 0xefcdab89;
+	this->state[2] = 0x98badcfe;
+	this->state[3] = 0x10325476;
+	this->count[0] = 0;
+	this->count[1] = 0;
 
+	return TRUE;
+}
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, get_hash, bool,
 	private_md4_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
 {
 	MD4Update(this, chunk.ptr, chunk.len);
 	if (buffer != NULL)
 	{
 		MD4Final(this, buffer);
-		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		reset(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_md4_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
@@ -291,10 +303,11 @@ METHOD(hasher_t, allocate_hash, void,
 		allocated_hash.len = HASH_SIZE_MD4;
 
 		MD4Final(this, allocated_hash.ptr);
-		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		reset(this);
 
 		*hash = allocated_hash;
 	}
+	return TRUE;
 }
 
 METHOD(hasher_t, get_hash_size, size_t,
@@ -303,17 +316,6 @@ METHOD(hasher_t, get_hash_size, size_t,
 	return HASH_SIZE_MD4;
 }
 
-METHOD(hasher_t, reset, void,
-	private_md4_hasher_t *this)
-{
-	this->state[0] = 0x67452301;
-	this->state[1] = 0xefcdab89;
-	this->state[2] = 0x98badcfe;
-	this->state[3] = 0x10325476;
-	this->count[0] = 0;
-	this->count[1] = 0;
-}
-
 METHOD(hasher_t, destroy, void,
 	private_md4_hasher_t *this)
 {
diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am
index b2eb2abd2..fc6406afa 100644
--- a/src/libstrongswan/plugins/md5/Makefile.am
+++ b/src/libstrongswan/plugins/md5/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-md5.la
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index f7762c37e..83fed79df 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_md5_la_LIBADD =
 am_libstrongswan_md5_la_OBJECTS = md5_plugin.lo md5_hasher.lo
 libstrongswan_md5_la_OBJECTS = $(am_libstrongswan_md5_la_OBJECTS)
-libstrongswan_md5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_md5_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_md5_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_md5_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_md5_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_md5_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_md5_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_md5_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-md5.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-md5.la
 libstrongswan_md5_la_SOURCES = \
@@ -333,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -341,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -362,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) 
-	$(libstrongswan_md5_la_LINK) $(am_libstrongswan_md5_la_rpath) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
+libstrongswan-md5.la: $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_DEPENDENCIES) $(EXTRA_libstrongswan_md5_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_md5_la_LINK) $(am_libstrongswan_md5_la_rpath) $(libstrongswan_md5_la_OBJECTS) $(libstrongswan_md5_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -500,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/md5/md5_hasher.c b/src/libstrongswan/plugins/md5/md5_hasher.c
index 45c2391ef..99b505e58 100644
--- a/src/libstrongswan/plugins/md5/md5_hasher.c
+++ b/src/libstrongswan/plugins/md5/md5_hasher.c
@@ -299,33 +299,42 @@ static void MD5Final (private_md5_hasher_t *this, u_int8_t digest[16])
 	}
 }
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, reset, bool,
+	private_md5_hasher_t *this)
+{
+	this->state[0] = 0x67452301;
+	this->state[1] = 0xefcdab89;
+	this->state[2] = 0x98badcfe;
+	this->state[3] = 0x10325476;
+	this->count[0] = 0;
+	this->count[1] = 0;
+
+	return TRUE;
+}
+
+METHOD(hasher_t, get_hash, bool,
 	private_md5_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
 {
 	MD5Update(this, chunk.ptr, chunk.len);
 	if (buffer != NULL)
 	{
 		MD5Final(this, buffer);
-		this->public.hasher_interface.reset(&(this->public.hasher_interface));
+		reset(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_md5_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
-	chunk_t allocated_hash;
-
 	MD5Update(this, chunk.ptr, chunk.len);
 	if (hash != NULL)
 	{
-		allocated_hash.ptr = malloc(HASH_SIZE_MD5);
-		allocated_hash.len = HASH_SIZE_MD5;
-
-		MD5Final(this, allocated_hash.ptr);
-		this->public.hasher_interface.reset(&(this->public.hasher_interface));
-
-		*hash = allocated_hash;
+		*hash = chunk_alloc(HASH_SIZE_MD5);
+		MD5Final(this, hash->ptr);
+		reset(this);
 	}
+	return TRUE;
 }
 
 METHOD(hasher_t, get_hash_size, size_t,
@@ -334,17 +343,6 @@ METHOD(hasher_t, get_hash_size, size_t,
 	return HASH_SIZE_MD5;
 }
 
-METHOD(hasher_t, reset, void,
-	private_md5_hasher_t *this)
-{
-	this->state[0] = 0x67452301;
-	this->state[1] = 0xefcdab89;
-	this->state[2] = 0x98badcfe;
-	this->state[3] = 0x10325476;
-	this->count[0] = 0;
-	this->count[1] = 0;
-}
-
 METHOD(hasher_t, destroy, void,
 	private_md5_hasher_t *this)
 {
diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c
index a3ad7b305..4a61af618 100644
--- a/src/libstrongswan/plugins/md5/md5_plugin.c
+++ b/src/libstrongswan/plugins/md5/md5_plugin.c
@@ -51,8 +51,6 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_md5_plugin_t *this)
 {
-	lib->crypto->remove_hasher(lib->crypto,
-							   (hasher_constructor_t)md5_hasher_create);
 	free(this);
 }
 
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
index 801a7a7be..588b7991b 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.am
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
+AM_CFLAGS = \
+	$(MYSQLCFLAG) \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-mysql.la
@@ -15,4 +17,3 @@ libstrongswan_mysql_la_SOURCES = \
 
 libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
 libstrongswan_mysql_la_LIBADD  = $(MYSQLLIB)
-
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 5025a0eb8..2364df617 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,54 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_mysql_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_mysql_la_OBJECTS = mysql_plugin.lo mysql_database.lo
 libstrongswan_mysql_la_OBJECTS = $(am_libstrongswan_mysql_la_OBJECTS)
-libstrongswan_mysql_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_mysql_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_mysql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_mysql_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_mysql_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_mysql_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_mysql_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_mysql_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,8 +344,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic $(MYSQLCFLAG)
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(MYSQLCFLAG) \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-mysql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-mysql.la
 libstrongswan_mysql_la_SOURCES = \
@@ -337,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -345,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -366,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) 
-	$(libstrongswan_mysql_la_LINK) $(am_libstrongswan_mysql_la_rpath) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
+libstrongswan-mysql.la: $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_DEPENDENCIES) $(EXTRA_libstrongswan_mysql_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_mysql_la_LINK) $(am_libstrongswan_mysql_la_rpath) $(libstrongswan_mysql_la_OBJECTS) $(libstrongswan_mysql_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -379,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mysql_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index 25ea42a4f..8bd64692c 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -19,11 +19,11 @@
 
 #include "mysql_database.h"
 
-#include <debug.h>
-#include <chunk.h>
+#include <utils/debug.h>
+#include <utils/chunk.h>
 #include <threading/thread_value.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /* Older mysql.h headers do not define it, but we need it. It is not returned
  * in in MySQL 4 by default, but by MySQL 5. To avoid this problem, we catch
@@ -143,7 +143,7 @@ void mysql_database_deinit()
 {
 	initialized->destroy(initialized);
 	mysql_thread_end();
-	/* mysql_library_end(); would be the clean way, however, it hangs... */
+	mysql_library_end();
 }
 
 /**
@@ -472,6 +472,7 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 				break;
 		}
 	}
+	va_end(args);
 	return TRUE;
 }
 
@@ -665,7 +666,7 @@ mysql_database_t *mysql_database_create(char *uri)
 	conn_t *conn;
 	private_mysql_database_t *this;
 
-	if (!strneq(uri, "mysql://", 8))
+	if (!strpfx(uri, "mysql://"))
 	{
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c
index dd8b32761..23d709739 100644
--- a/src/libstrongswan/plugins/mysql/mysql_plugin.c
+++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c
@@ -16,7 +16,7 @@
 #include "mysql_plugin.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include "mysql_database.h"
 
 typedef struct private_mysql_plugin_t private_mysql_plugin_t;
diff --git a/src/libstrongswan/plugins/nonce/Makefile.am b/src/libstrongswan/plugins/nonce/Makefile.am
new file mode 100644
index 000000000..7dde99e5f
--- /dev/null
+++ b/src/libstrongswan/plugins/nonce/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-nonce.la
+else
+plugin_LTLIBRARIES = libstrongswan-nonce.la
+endif
+
+libstrongswan_nonce_la_SOURCES = \
+	nonce_plugin.h nonce_plugin.c \
+	nonce_nonceg.c nonce_nonceg.h
+
+libstrongswan_nonce_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
new file mode 100644
index 000000000..c20c96765
--- /dev/null
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -0,0 +1,683 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/nonce
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_nonce_la_LIBADD =
+am_libstrongswan_nonce_la_OBJECTS = nonce_plugin.lo nonce_nonceg.lo
+libstrongswan_nonce_la_OBJECTS = $(am_libstrongswan_nonce_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_nonce_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_nonce_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_nonce_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_nonce_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_nonce_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_nonce_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-nonce.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-nonce.la
+libstrongswan_nonce_la_SOURCES = \
+	nonce_plugin.h nonce_plugin.c \
+	nonce_nonceg.c nonce_nonceg.h
+
+libstrongswan_nonce_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/nonce/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/nonce/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-nonce.la: $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_DEPENDENCIES) $(EXTRA_libstrongswan_nonce_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_nonce_la_LINK) $(am_libstrongswan_nonce_la_rpath) $(libstrongswan_nonce_la_OBJECTS) $(libstrongswan_nonce_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_nonceg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/nonce/nonce_nonceg.c b/src/libstrongswan/plugins/nonce/nonce_nonceg.c
new file mode 100644
index 000000000..64ed2e08d
--- /dev/null
+++ b/src/libstrongswan/plugins/nonce/nonce_nonceg.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "nonce_nonceg.h"
+
+#include <utils/debug.h>
+
+typedef struct private_nonce_nonceg_t private_nonce_nonceg_t;
+
+/**
+ * Private data of a nonce_nonceg_t object.
+ */
+struct private_nonce_nonceg_t {
+
+	/**
+	 * Public nonce_nonceg_t interface.
+	 */
+	nonce_nonceg_t public;
+
+	/**
+	 * Random number generator
+	 */
+	rng_t* rng;
+};
+
+METHOD(nonce_gen_t, get_nonce, bool,
+	private_nonce_nonceg_t *this, size_t size, u_int8_t *buffer)
+{
+	return this->rng->get_bytes(this->rng, size, buffer);
+}
+
+METHOD(nonce_gen_t, allocate_nonce, bool,
+	private_nonce_nonceg_t *this, size_t size, chunk_t *chunk)
+{
+	return this->rng->allocate_bytes(this->rng, size, chunk);
+}
+
+METHOD(nonce_gen_t, destroy, void,
+	private_nonce_nonceg_t *this)
+{
+	DESTROY_IF(this->rng);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+nonce_nonceg_t *nonce_nonceg_create()
+{
+	private_nonce_nonceg_t *this;
+
+	INIT(this,
+		.public = {
+			.nonce_gen = {
+				.get_nonce = _get_nonce,
+				.allocate_nonce = _allocate_nonce,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!this->rng)
+	{
+		DBG1(DBG_LIB, "no RNG found for quality %N", rng_quality_names,
+			 RNG_WEAK);
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/nonce/nonce_nonceg.h b/src/libstrongswan/plugins/nonce/nonce_nonceg.h
new file mode 100644
index 000000000..2ae0c97de
--- /dev/null
+++ b/src/libstrongswan/plugins/nonce/nonce_nonceg.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nonce_nonceg nonce_nonceg
+ * @{ @ingroup nonce_p
+ */
+
+#ifndef NONCE_NONCEG_H_
+#define NONCE_NONCEG_H_
+
+typedef struct nonce_nonceg_t nonce_nonceg_t;
+
+#include <library.h>
+
+/**
+ * nonce_gen_t implementation using an rng plugin
+ */
+struct nonce_nonceg_t {
+
+	/**
+	 * Implements nonce_gen_t.
+	 */
+	nonce_gen_t nonce_gen;
+};
+
+/**
+ * Creates an nonce_nonceg_t instance.
+ *
+ * @return			created nonce_nonceg_t
+ */
+nonce_nonceg_t *nonce_nonceg_create();
+
+#endif /** NONCE_NONCEG_H_ @} */
diff --git a/src/libstrongswan/plugins/nonce/nonce_plugin.c b/src/libstrongswan/plugins/nonce/nonce_plugin.c
new file mode 100644
index 000000000..90f2e8fac
--- /dev/null
+++ b/src/libstrongswan/plugins/nonce/nonce_plugin.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "nonce_plugin.h"
+
+#include <library.h>
+#include "nonce_nonceg.h"
+
+typedef struct private_nonce_plugin_t private_nonce_plugin_t;
+
+/**
+ * private data of nonce_plugin
+ */
+struct private_nonce_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	nonce_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_nonce_plugin_t *this)
+{
+	return "nonce";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_nonce_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(NONCE_GEN, nonce_nonceg_create),
+			PLUGIN_PROVIDE(NONCE_GEN),
+				PLUGIN_DEPENDS(RNG, RNG_WEAK),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_nonce_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *nonce_plugin_create()
+{
+	private_nonce_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/nonce/nonce_plugin.h b/src/libstrongswan/plugins/nonce/nonce_plugin.h
new file mode 100644
index 000000000..f4be1c3a8
--- /dev/null
+++ b/src/libstrongswan/plugins/nonce/nonce_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nonce_p nonce
+ * @ingroup plugins
+ *
+ * @defgroup nonce_plugin nonce_plugin
+ * @{ @ingroup nonce_p
+ */
+
+#ifndef NONCE_PLUGIN_H_
+#define NONCE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct nonce_plugin_t nonce_plugin_t;
+
+/**
+ * Plugin implementing a nonce generator using an RNG.
+ */
+struct nonce_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** NONCE_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index 5c845a19c..cbfd69b71 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DFIPS_MODE=${fips_mode}
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-openssl.la
@@ -22,8 +24,12 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
 	openssl_ec_public_key.c openssl_ec_public_key.h \
 	openssl_x509.c openssl_x509.h \
-	openssl_crl.c openssl_crl.h
+	openssl_crl.c openssl_crl.h \
+	openssl_pkcs7.c openssl_pkcs7.h \
+	openssl_pkcs12.c openssl_pkcs12.h \
+	openssl_rng.c openssl_rng.h \
+	openssl_hmac.c openssl_hmac.h \
+	openssl_gcm.c openssl_gcm.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = -lcrypto
-
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 8994ff1b4..ad5aa6057 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_openssl_la_DEPENDENCIES =
@@ -80,51 +104,82 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_sha1_prf.lo openssl_diffie_hellman.lo \
 	openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
 	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
-	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo
+	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo \
+	openssl_pkcs7.lo openssl_pkcs12.lo openssl_rng.lo \
+	openssl_hmac.lo openssl_gcm.lo
 libstrongswan_openssl_la_OBJECTS =  \
 	$(am_libstrongswan_openssl_la_OBJECTS)
-libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_openssl_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_openssl_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_openssl_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_openssl_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_openssl_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_openssl_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_openssl_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -133,13 +188,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -152,6 +210,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,11 +238,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -191,6 +252,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -199,8 +261,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -209,14 +269,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -230,17 +295,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -250,16 +315,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -287,8 +351,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DFIPS_MODE=${fips_mode}
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la
 libstrongswan_openssl_la_SOURCES = \
@@ -304,7 +373,12 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
 	openssl_ec_public_key.c openssl_ec_public_key.h \
 	openssl_x509.c openssl_x509.h \
-	openssl_crl.c openssl_crl.h
+	openssl_crl.c openssl_crl.h \
+	openssl_pkcs7.c openssl_pkcs7.h \
+	openssl_pkcs12.c openssl_pkcs12.h \
+	openssl_rng.c openssl_rng.h \
+	openssl_hmac.c openssl_hmac.h \
+	openssl_gcm.c openssl_gcm.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD = -lcrypto
@@ -353,7 +427,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -361,6 +434,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -382,8 +457,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) 
-	$(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
+libstrongswan-openssl.la: $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_DEPENDENCIES) $(EXTRA_libstrongswan_openssl_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_openssl_la_LINK) $(am_libstrongswan_openssl_la_rpath) $(libstrongswan_openssl_la_OBJECTS) $(libstrongswan_openssl_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -397,8 +472,13 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_gcm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_pkcs12.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_pkcs7.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_private_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@
@@ -406,25 +486,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -531,10 +611,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 9a9efb2b6..18aa5ceca 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -42,8 +42,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-#include <debug.h>
-#include <utils/enumerator.h>
+#include <utils/debug.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/x509.h>
 
 typedef struct private_openssl_crl_t private_openssl_crl_t;
@@ -225,7 +225,8 @@ METHOD(certificate_t, has_subject_or_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_openssl_crl_t *this, certificate_t *issuer)
+	private_openssl_crl_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	chunk_t fingerprint, tbs;
 	public_key_t *key;
@@ -270,6 +271,10 @@ METHOD(certificate_t, issued_by, bool,
 						openssl_asn1_str2chunk(this->crl->signature));
 	free(tbs.ptr);
 	key->destroy(key);
+	if (valid && scheme)
+	{
+		*scheme = this->scheme;
+	}
 	return valid;
 }
 
@@ -459,6 +464,10 @@ static bool parse_extensions(private_openssl_crl_t *this)
 				case NID_crl_number:
 					ok = parse_crlNumber_ext(this, ext);
 					break;
+				case NID_issuing_distribution_point:
+					/* TODO support of IssuingDistributionPoints */
+					ok = TRUE;
+					break;
 				default:
 					ok = X509_EXTENSION_get_critical(ext) == 0 ||
 						 !lib->settings->get_bool(lib->settings,
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index cd9a3bd4a..07b96b320 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -90,7 +90,7 @@ static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size)
 /**
  * Do the actual en/decryption in an EVP context
  */
-static void crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
+static bool crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
 				  chunk_t *dst, int enc)
 {
 	int len;
@@ -104,25 +104,26 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
 	}
 	EVP_CIPHER_CTX ctx;
 	EVP_CIPHER_CTX_init(&ctx);
-	EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc);
-	EVP_CIPHER_CTX_set_padding(&ctx, 0); 		/* disable padding */
-	EVP_CIPHER_CTX_set_key_length(&ctx, this->key.len);
-	EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, iv.ptr, enc);
-	EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len);
-	EVP_CipherFinal_ex(&ctx, out + len, &len); /* since padding is disabled this does nothing */
-	EVP_CIPHER_CTX_cleanup(&ctx);
+	return EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc) &&
+		   EVP_CIPHER_CTX_set_padding(&ctx, 0) /* disable padding */ &&
+		   EVP_CIPHER_CTX_set_key_length(&ctx, this->key.len) &&
+		   EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, iv.ptr, enc) &&
+		   EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len) &&
+		   /* since padding is disabled this does nothing */
+		   EVP_CipherFinal_ex(&ctx, out + len, &len) &&
+		   EVP_CIPHER_CTX_cleanup(&ctx);
 }
 
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
 	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	crypt(this, data, iv, dst, 0);
+	return crypt(this, data, iv, dst, 0);
 }
 
-METHOD(crypter_t, encrypt, void,
+METHOD(crypter_t, encrypt, bool,
 	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	crypt(this, data, iv, dst, 1);
+	return crypt(this, data, iv, dst, 1);
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -143,10 +144,11 @@ METHOD(crypter_t, get_key_size, size_t,
 	return this->key.len;
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_openssl_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
+	return TRUE;
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index b27aa3391..ff3382473 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -14,11 +14,15 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_DH
+
 #include <openssl/dh.h>
 
 #include "openssl_diffie_hellman.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_openssl_diffie_hellman_t private_openssl_diffie_hellman_t;
 
@@ -193,3 +197,5 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(
 
 	return &this->public;
 }
+
+#endif /* OPENSSL_NO_DH */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 9e4067589..d846278c8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -23,7 +23,7 @@
 #include "openssl_ec_diffie_hellman.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_openssl_ec_diffie_hellman_t private_openssl_ec_diffie_hellman_t;
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 950504573..12f264267 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -16,13 +16,13 @@
 
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDSA
 
 #include "openssl_ec_private_key.h"
 #include "openssl_ec_public_key.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/ecdsa.h>
@@ -423,5 +423,4 @@ error:
 	destroy(this);
 	return NULL;
 }
-#endif /* OPENSSL_NO_EC */
-
+#endif /* OPENSSL_NO_ECDSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 7461695ad..38cc8bedf 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -16,12 +16,12 @@
 
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDSA
 
 #include "openssl_ec_public_key.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/ecdsa.h>
@@ -124,7 +124,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
 	if (openssl_hash_chunk(nid_hash, data, &hash))
 	{
 		valid = ECDSA_verify(0, hash.ptr, hash.len,
-							 signature.ptr, signature.len, this->ec);
+							 signature.ptr, signature.len, this->ec) == 1;
 		free(hash.ptr);
 	}
 	return valid;
@@ -221,13 +221,13 @@ bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp)
 			return FALSE;
 	}
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
+	if (!hasher || !hasher->allocate_hash(hasher, key, fp))
 	{
 		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
+		DESTROY_IF(hasher);
 		free(key.ptr);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, key, fp);
 	hasher->destroy(hasher);
 	free(key.ptr);
 	lib->encoding->cache(lib->encoding, type, ec, *fp);
@@ -360,5 +360,5 @@ openssl_ec_public_key_t *openssl_ec_public_key_load(key_type_t type,
 	}
 	return &this->public;
 }
-#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_ECDSA */
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c
new file mode 100644
index 000000000..89d1cd589
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/opensslv.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+
+#include "openssl_gcm.h"
+
+#include <openssl/evp.h>
+
+/** as defined in RFC 4106 */
+#define IV_LEN		8
+#define SALT_LEN	4
+#define NONCE_LEN	(IV_LEN + SALT_LEN)
+
+typedef struct private_aead_t private_aead_t;
+
+/**
+ * Private data of aead_t
+ */
+struct private_aead_t {
+
+	/**
+	 * Public interface
+	 */
+	aead_t public;
+
+	/**
+	 * The encryption key
+	 */
+	chunk_t	key;
+
+	/**
+	 * Salt value
+	 */
+	char salt[SALT_LEN];
+
+	/**
+	 * Size of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * The cipher to use
+	 */
+	const EVP_CIPHER *cipher;
+};
+
+/**
+ * Do the actual en/decryption in an EVP context
+ */
+static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
+				  u_char *out, int enc)
+{
+	EVP_CIPHER_CTX ctx;
+	u_char nonce[NONCE_LEN];
+	bool success = FALSE;
+	int len;
+
+	memcpy(nonce, this->salt, SALT_LEN);
+	memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN);
+
+	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CIPHER_CTX_set_padding(&ctx, 0);
+	if (!EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc) ||
+		!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, NONCE_LEN, NULL) ||
+		!EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, nonce, enc))
+	{
+		goto done;
+	}
+	if (!enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, this->icv_size,
+									 data.ptr + data.len))
+	{	/* set ICV for verification on decryption */
+		goto done;
+	}
+	if (assoc.len && !EVP_CipherUpdate(&ctx, NULL, &len, assoc.ptr, assoc.len))
+	{	/* set AAD if specified */
+		goto done;
+	}
+	if (!EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len) ||
+		!EVP_CipherFinal_ex(&ctx, out + len, &len))
+	{	/* EVP_CipherFinal_ex fails if ICV is incorrect on decryption */
+		goto done;
+	}
+	if (enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, this->icv_size,
+									out + data.len))
+	{	/* copy back the ICV when encrypting */
+		goto done;
+	}
+	success = TRUE;
+
+done:
+	EVP_CIPHER_CTX_cleanup(&ctx);
+	return success;
+}
+
+METHOD(aead_t, encrypt, bool,
+	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	u_char *out;
+
+	out = plain.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		out = encrypted->ptr;
+	}
+	return crypt(this, plain, assoc, iv, out, 1);
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	u_char *out;
+
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+	encrypted.len -= this->icv_size;
+
+	out = encrypted.ptr;
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		out = plain->ptr;
+	}
+	return crypt(this, encrypted, assoc, iv, out, 0);
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_aead_t *this)
+{
+	return this->cipher->block_size;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_aead_t *this)
+{
+	return IV_LEN;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_aead_t *this)
+{
+	return this->key.len + SALT_LEN;
+}
+
+METHOD(aead_t, set_key, bool,
+	private_aead_t *this, chunk_t key)
+{
+	if (key.len != get_key_size(this))
+	{
+		return FALSE;
+	}
+	memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN);
+	memcpy(this->key.ptr, key.ptr, this->key.len);
+	return TRUE;
+}
+
+METHOD(aead_t, destroy, void,
+	private_aead_t *this)
+{
+	chunk_clear(&this->key);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_block_size = _get_block_size,
+			.get_icv_size = _get_icv_size,
+			.get_iv_size = _get_iv_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+	);
+
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+			this->icv_size = 8;
+			break;
+		case ENCR_AES_GCM_ICV12:
+			this->icv_size = 12;
+			break;
+		case ENCR_AES_GCM_ICV16:
+			this->icv_size = 16;
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			switch (key_size)
+			{
+				case 0:
+					key_size = 16;
+					/* FALL */
+				case 16:
+					this->cipher = EVP_get_cipherbyname("aes-128-gcm");
+					break;
+				case 24:
+					this->cipher = EVP_get_cipherbyname("aes-192-gcm");
+					break;
+				case 32:
+					this->cipher = EVP_get_cipherbyname("aes-256-gcm");
+					break;
+				default:
+					free(this);
+					return NULL;
+			}
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+
+	if (!this->cipher)
+	{
+		free(this);
+		return NULL;
+	}
+
+	this->key = chunk_alloc(key_size);
+
+	return &this->public;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h
new file mode 100644
index 000000000..12d2e8ab6
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Implements the aead_t interface using OpenSSL in GCM mode.
+ *
+ * @defgroup openssl_gcm openssl_gcm
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_GCM_H_
+#define OPENSSL_GCM_H_
+
+#include <crypto/aead.h>
+
+/**
+ * Constructor to create aead_t implementation.
+ *
+ * @param algo			algorithm to implement
+ * @param key_size		key size in bytes
+ * @return				aead_t object, NULL if not supported
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** OPENSSL_GCM_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index d81f4b21e..50b14698b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -40,91 +40,45 @@ struct private_openssl_hasher_t {
 	EVP_MD_CTX *ctx;
 };
 
-/**
- * Mapping from the algorithms defined in IKEv2 to
- * OpenSSL algorithm names
- */
-typedef struct {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2_id;
-
-	/**
-	 * Name of the algorithm, as used in OpenSSL
-	 */
-	char *name;
-} openssl_algorithm_t;
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for integrity
- */
-static openssl_algorithm_t integrity_algs[] = {
-	{HASH_MD2,		"md2"},
-	{HASH_MD5,		"md5"},
-	{HASH_SHA1,		"sha1"},
-	{HASH_SHA224,	"sha224"},
-	{HASH_SHA256,	"sha256"},
-	{HASH_SHA384,	"sha384"},
-	{HASH_SHA512,	"sha512"},
-	{HASH_MD4,		"md4"},
-	{END_OF_LIST, 	NULL},
-};
-
-/**
- * Look up an OpenSSL algorithm name
- */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
-					   u_int16_t ikev2_algo)
-{
-	while (openssl_algo->ikev2_id != END_OF_LIST)
-	{
-		if (ikev2_algo == openssl_algo->ikev2_id)
-		{
-			return openssl_algo->name;
-		}
-		openssl_algo++;
-	}
-	return NULL;
-}
-
 METHOD(hasher_t, get_hash_size, size_t,
 	private_openssl_hasher_t *this)
 {
 	return this->hasher->md_size;
 }
 
-METHOD(hasher_t, reset, void,
+METHOD(hasher_t, reset, bool,
 	private_openssl_hasher_t *this)
 {
-	EVP_DigestInit_ex(this->ctx, this->hasher, NULL);
+	return EVP_DigestInit_ex(this->ctx, this->hasher, NULL) == 1;
 }
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, get_hash, bool,
 	private_openssl_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
-	EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len);
+	if (EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len) != 1)
+	{
+		return FALSE;
+	}
 	if (hash)
 	{
-		EVP_DigestFinal_ex(this->ctx, hash, NULL);
-		reset(this);
+		if (EVP_DigestFinal_ex(this->ctx, hash, NULL) != 1)
+		{
+			return FALSE;
+		}
+		return reset(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_openssl_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
 		*hash = chunk_alloc(get_hash_size(this));
-		get_hash(this, chunk, hash->ptr);
-	}
-	else
-	{
-		get_hash(this, chunk, NULL);
+		return get_hash(this, chunk, hash->ptr);
 	}
+	return get_hash(this, chunk, NULL);
 }
 
 METHOD(hasher_t, destroy, void,
@@ -140,11 +94,11 @@ METHOD(hasher_t, destroy, void,
 openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 {
 	private_openssl_hasher_t *this;
+	char* name;
 
-	char* name = lookup_algorithm(integrity_algs, algo);
+	name = enum_to_name(hash_algorithm_short_names, algo);
 	if (!name)
 	{
-		/* algo unavailable */
 		return NULL;
 	}
 
@@ -171,7 +125,11 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 	this->ctx = EVP_MD_CTX_create();
 
 	/* initialization */
-	reset(this);
+	if (!reset(this))
+	{
+		destroy(this);
+		return NULL;
+	}
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac.c b/src/libstrongswan/plugins/openssl/openssl_hmac.c
new file mode 100644
index 000000000..4f0bcc7c3
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_hmac.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (C) 2012 Aleksandr Grinberg
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_HMAC
+
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+#include "openssl_hmac.h"
+
+#include <crypto/mac.h>
+#include <crypto/prfs/mac_prf.h>
+#include <crypto/signers/mac_signer.h>
+
+typedef struct private_mac_t private_mac_t;
+
+/**
+ * Private data of a mac_t object.
+ */
+struct private_mac_t {
+
+	/**
+	 * Public interface
+	 */
+	mac_t public;
+
+	/**
+	 * Hasher to use
+	 */
+	const EVP_MD *hasher;
+
+	/**
+	 * Current HMAC context
+	 */
+	HMAC_CTX hmac;
+};
+
+METHOD(mac_t, set_key, bool,
+	private_mac_t *this, chunk_t key)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	return HMAC_Init_ex(&this->hmac, key.ptr, key.len, this->hasher, NULL);
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
+	HMAC_Init_ex(&this->hmac, key.ptr, key.len, this->hasher, NULL);
+	return TRUE;
+#endif
+}
+
+METHOD(mac_t, get_mac, bool,
+	private_mac_t *this, chunk_t data, u_int8_t *out)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	if (!HMAC_Update(&this->hmac, data.ptr, data.len))
+	{
+		return FALSE;
+	}
+	if (out == NULL)
+	{
+		return TRUE;
+	}
+	if (!HMAC_Final(&this->hmac, out, NULL))
+	{
+		return FALSE;
+	}
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
+	HMAC_Update(&this->hmac, data.ptr, data.len);
+	if (out == NULL)
+	{
+		return TRUE;
+	}
+	HMAC_Final(&this->hmac, out, NULL);
+#endif
+	return set_key(this, chunk_empty);
+}
+
+METHOD(mac_t, get_mac_size, size_t,
+	private_mac_t *this)
+{
+	return EVP_MD_size(this->hasher);
+}
+
+METHOD(mac_t, destroy, void,
+	private_mac_t *this)
+{
+	HMAC_CTX_cleanup(&this->hmac);
+	free(this);
+}
+
+/*
+ * Create an OpenSSL-backed implementation of the mac_t interface
+ */
+static mac_t *hmac_create(hash_algorithm_t algo)
+{
+	private_mac_t *this;
+	char *name;
+
+	name = enum_to_name(hash_algorithm_short_names, algo);
+	if (!name)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.get_mac = _get_mac,
+			.get_mac_size = _get_mac_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.hasher = EVP_get_digestbyname(name),
+	);
+
+	if (!this->hasher)
+	{
+		free(this);
+		return NULL;
+	}
+
+	HMAC_CTX_init(&this->hmac);
+	if (!set_key(this, chunk_empty))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
+/*
+ * Described in header
+ */
+prf_t *openssl_hmac_prf_create(pseudo_random_function_t algo)
+{
+	mac_t *hmac;
+
+	hmac = hmac_create(hasher_algorithm_from_prf(algo));
+	if (hmac)
+	{
+		return mac_prf_create(hmac);
+	}
+	return NULL;
+}
+
+/*
+ * Described in header
+ */
+signer_t *openssl_hmac_signer_create(integrity_algorithm_t algo)
+{
+	mac_t *hmac;
+	size_t trunc;
+
+	hmac = hmac_create(hasher_algorithm_from_integrity(algo, &trunc));
+	if (hmac)
+	{
+		return mac_signer_create(hmac, trunc);
+	}
+	return NULL;
+}
+
+#endif /* OPENSSL_NO_HMAC */
diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac.h b/src/libstrongswan/plugins/openssl/openssl_hmac.h
new file mode 100644
index 000000000..95ab6bfc3
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_hmac.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Implements HMAC based PRF and signer using OpenSSL's HMAC functions.
+ *
+ * @defgroup openssl_hmac openssl_hmac
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_HMAC_H_
+#define OPENSSL_HMAC_H_
+
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
+
+/**
+ * Creates a new prf_t object based on an HMAC.
+ *
+ * @param algo		algorithm to implement
+ * @return			prf_t object, NULL if not supported
+ */
+prf_t *openssl_hmac_prf_create(pseudo_random_function_t algo);
+
+/**
+ * Creates a new signer_t object based on an HMAC.
+ *
+ * @param algo		algorithm to implement
+ * @return			signer_t, NULL if not supported
+ */
+signer_t *openssl_hmac_signer_create(integrity_algorithm_t algo);
+
+#endif /** OPENSSL_HMAC_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
new file mode 100644
index 000000000..d16b2cc05
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
@@ -0,0 +1,266 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE /* for asprintf() */
+#include <stdio.h>
+#include <openssl/pkcs12.h>
+
+#include "openssl_pkcs12.h"
+#include "openssl_util.h"
+
+#include <library.h>
+#include <credentials/sets/mem_cred.h>
+
+typedef struct private_pkcs12_t private_pkcs12_t;
+
+/**
+ * Private data of a pkcs12_t object.
+ */
+struct private_pkcs12_t {
+
+	/**
+	 * Public pkcs12_t interface.
+	 */
+	pkcs12_t public;
+
+	/**
+	 * OpenSSL PKCS#12 structure
+	 */
+	PKCS12 *p12;
+
+	/**
+	 * Credentials contained in container
+	 */
+	mem_cred_t *creds;
+};
+
+/**
+ * Decode certificate and add it to our credential set
+ */
+static bool add_cert(private_pkcs12_t *this, X509 *x509)
+{
+	certificate_t *cert = NULL;
+	chunk_t encoding;
+
+	if (!x509)
+	{	/* no certificate is ok */
+		return TRUE;
+	}
+	encoding = openssl_i2chunk(X509, x509);
+	if (encoding.ptr)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, encoding,
+								  BUILD_END);
+		if (cert)
+		{
+			this->creds->add_cert(this->creds, FALSE, cert);
+		}
+	}
+	chunk_free(&encoding);
+	X509_free(x509);
+	return cert != NULL;
+}
+
+/**
+ * Add CA certificates to our credential set
+ */
+static bool add_cas(private_pkcs12_t *this, STACK_OF(X509) *cas)
+{
+	bool success = TRUE;
+	int i;
+
+	if (!cas)
+	{	/* no CAs is ok */
+		return TRUE;
+	}
+	for (i = 0; i < sk_X509_num(cas); i++)
+	{
+		if (!add_cert(this, sk_X509_value(cas, i)))
+		{	/* continue to free all X509 objects */
+			success = FALSE;
+		}
+	}
+	sk_X509_free(cas);
+	return success;
+}
+
+/**
+ * Decode private key and add it to our credential set
+ */
+static bool add_key(private_pkcs12_t *this, EVP_PKEY *private)
+{
+	private_key_t *key = NULL;
+	chunk_t encoding;
+	key_type_t type;
+
+	if (!private)
+	{	/* no private key is ok */
+		return TRUE;
+	}
+	switch (EVP_PKEY_type(private->type))
+	{
+		case EVP_PKEY_RSA:
+			type = KEY_RSA;
+			break;
+		case EVP_PKEY_EC:
+			type = KEY_ECDSA;
+			break;
+		default:
+			EVP_PKEY_free(private);
+			return FALSE;
+	}
+	encoding = openssl_i2chunk(PrivateKey, private);
+	if (encoding.ptr)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_BLOB_ASN1_DER, encoding,
+								 BUILD_END);
+		if (key)
+		{
+			this->creds->add_key(this->creds, key);
+		}
+	}
+	chunk_clear(&encoding);
+	EVP_PKEY_free(private);
+	return key != NULL;
+}
+
+/**
+ * Decrypt PKCS#12 file and unpack credentials
+ */
+static bool decrypt_and_unpack(private_pkcs12_t *this)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	STACK_OF(X509) *cas = NULL;
+	EVP_PKEY *private;
+	X509 *cert;
+	chunk_t key;
+	char *password;
+	bool success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		key = shared->get_key(shared);
+		if (!key.ptr || asprintf(&password, "%.*s", (int)key.len, key.ptr) < 0)
+		{
+			password = NULL;
+		}
+		if (PKCS12_parse(this->p12, password, &private, &cert, &cas))
+		{
+			success = add_key(this, private);
+			success &= add_cert(this, cert);
+			success &= add_cas(this, cas);
+			free(password);
+			break;
+		}
+		free(password);
+	}
+	enumerator->destroy(enumerator);
+	return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs12_t *this)
+{
+	return CONTAINER_PKCS12;
+}
+
+METHOD(pkcs12_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_cert_enumerator(&this->creds->set, CERT_ANY,
+												   KEY_ANY, NULL, FALSE);
+}
+
+METHOD(pkcs12_t, create_key_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_private_enumerator(&this->creds->set,
+													  KEY_ANY, NULL);
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs12_t *this)
+{
+	if (this->p12)
+	{
+		PKCS12_free(this->p12);
+	}
+	this->creds->destroy(this->creds);
+	free(this);
+}
+
+/**
+ * Parse a PKCS#12 container
+ */
+static pkcs12_t *parse(chunk_t blob)
+{
+	private_pkcs12_t *this;
+	BIO *bio;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = (void*)enumerator_create_empty,
+				.get_data = (void*)return_false,
+				.get_encoding = (void*)return_false,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = _create_cert_enumerator,
+			.create_key_enumerator = _create_key_enumerator,
+		},
+		.creds = mem_cred_create(),
+	);
+
+	bio = BIO_new_mem_buf(blob.ptr, blob.len);
+	this->p12 = d2i_PKCS12_bio(bio, NULL);
+	BIO_free(bio);
+
+	if (!this->p12 || !decrypt_and_unpack(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/*
+ * Defined in header
+ */
+pkcs12_t *openssl_pkcs12_load(container_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	return blob.len ? parse(blob) : NULL;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.h b/src/libstrongswan/plugins/openssl/openssl_pkcs12.h
new file mode 100644
index 000000000..5c3e5933d
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_pkcs12 openssl_pkcs12
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_PKCS12_H_
+#define OPENSSL_PKCS12_H_
+
+#include <credentials/containers/pkcs12.h>
+
+/**
+ * Load a PKCS#12 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS12
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs12_t *openssl_pkcs12_load(container_type_t type, va_list args);
+
+#endif /** OPENSSL_PKCS12_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
new file mode 100644
index 000000000..9c3c4040c
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
@@ -0,0 +1,793 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <openssl/opensslv.h>
+#include <openssl/opensslconf.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
+#ifndef OPENSSL_NO_CMS
+
+#include "openssl_pkcs7.h"
+#include "openssl_util.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <credentials/sets/mem_cred.h>
+
+#include <openssl/cms.h>
+
+typedef struct private_openssl_pkcs7_t private_openssl_pkcs7_t;
+
+/**
+ * Private data of an openssl_pkcs7_t object.
+ */
+struct private_openssl_pkcs7_t {
+
+	/**
+	 * Public pkcs7_t interface.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Type of this container
+	 */
+	container_type_t type;
+
+	/**
+	 * OpenSSL CMS structure
+	 */
+	CMS_ContentInfo *cms;
+};
+
+/**
+ * OpenSSL does not allow us to read the signature to verify it with our own
+ * crypto API. We define the internal CMS_SignerInfo structure here to get it.
+ */
+struct CMS_SignerInfo_st {
+	long version;
+	void *sid;
+	X509_ALGOR *digestAlgorithm;
+	STACK_OF(X509_ATTRIBUTE) *signedAttrs;
+	X509_ALGOR *signatureAlgorithm;
+	ASN1_OCTET_STRING *signature;
+	/* and more... */
+};
+
+/**
+ * And we also need access to the wrappend CMS_KeyTransRecipientInfo to
+ * read the encrypted key
+ */
+struct CMS_KeyTransRecipientInfo_st {
+	long version;
+	void *rid;
+	X509_ALGOR *keyEncryptionAlgorithm;
+	ASN1_OCTET_STRING *encryptedKey;
+};
+
+struct CMS_RecipientInfo_st {
+	int type;
+	struct CMS_KeyTransRecipientInfo_st *ktri;
+	/* and more in union... */
+};
+
+struct CMS_EncryptedContentInfo_st {
+	ASN1_OBJECT *contentType;
+	X509_ALGOR *contentEncryptionAlgorithm;
+	ASN1_OCTET_STRING *encryptedContent;
+	/* and more... */
+};
+
+struct CMS_EnvelopedData_st {
+	long version;
+	void *originatorInfo;
+	STACK_OF(CMS_RecipientInfo) *recipientInfos;
+	struct CMS_EncryptedContentInfo_st *encryptedContentInfo;
+	/* and more... */
+};
+
+struct CMS_ContentInfo_st {
+	ASN1_OBJECT *contentType;
+	struct CMS_EnvelopedData_st *envelopedData;
+	/* and more in union... */
+};
+
+/**
+ * We can't include asn1.h, declare function prototypes directly
+ */
+chunk_t asn1_wrap(int, const char *mode, ...);
+int asn1_unwrap(chunk_t*, chunk_t*);
+
+/**
+ * Enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** Stack of X509 certificates */
+	STACK_OF(X509) *certs;
+	/** current enumerator position in certificates */
+	int i;
+	/** currently enumerating certificate_t */
+	certificate_t *cert;
+} cert_enumerator_t;
+
+METHOD(enumerator_t, cert_destroy, void,
+	cert_enumerator_t *this)
+{
+	DESTROY_IF(this->cert);
+	free(this);
+}
+
+METHOD(enumerator_t, cert_enumerate, bool,
+	cert_enumerator_t *this, certificate_t **out)
+{
+	if (!this->certs)
+	{
+		return FALSE;
+	}
+	while (this->i < sk_X509_num(this->certs))
+	{
+		chunk_t encoding;
+		X509 *x509;
+
+		/* clean up previous round */
+		DESTROY_IF(this->cert);
+		this->cert = NULL;
+
+		x509 = sk_X509_value(this->certs, this->i++);
+		encoding = openssl_i2chunk(X509, x509);
+		this->cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										BUILD_BLOB_ASN1_DER, encoding,
+										BUILD_END);
+		free(encoding.ptr);
+		if (!this->cert)
+		{
+			continue;
+		}
+		*out = this->cert;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(pkcs7_t, create_cert_enumerator, enumerator_t*,
+	private_openssl_pkcs7_t *this)
+{
+	cert_enumerator_t *enumerator;
+
+	if (this->type == CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		INIT(enumerator,
+			.public = {
+				.enumerate = (void*)_cert_enumerate,
+				.destroy = _cert_destroy,
+			},
+			.certs = CMS_get1_certs(this->cms),
+		);
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+/**
+ * Enumerator for signatures
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** Stack of signerinfos */
+	STACK_OF(CMS_SignerInfo) *signers;
+	/** current enumerator position in signers */
+	int i;
+	/** currently enumerating auth config */
+	auth_cfg_t *auth;
+	/** full CMS */
+	CMS_ContentInfo *cms;
+	/** credential set containing wrapped certificates */
+	mem_cred_t *creds;
+} signature_enumerator_t;
+
+/**
+ * Verify signerInfo signature
+ */
+static auth_cfg_t *verify_signature(CMS_SignerInfo *si, int hash_oid)
+{
+	enumerator_t *enumerator;
+	public_key_t *key;
+	certificate_t *cert;
+	auth_cfg_t *auth, *found = NULL;
+	identification_t *issuer, *serial;
+	chunk_t attrs = chunk_empty, sig, attr;
+	X509_NAME *name;
+	ASN1_INTEGER *snr;
+	int i;
+
+	if (CMS_SignerInfo_get0_signer_id(si, NULL, &name, &snr) != 1)
+	{
+		return NULL;
+	}
+	issuer = openssl_x509_name2id(name);
+	if (!issuer)
+	{
+		return NULL;
+	}
+	serial = identification_create_from_encoding(
+									ID_KEY_ID, openssl_asn1_str2chunk(snr));
+
+	/* reconstruct DER encoded attributes to verify signature */
+	for (i = 0; i < CMS_signed_get_attr_count(si); i++)
+	{
+		attr = openssl_i2chunk(X509_ATTRIBUTE, CMS_signed_get_attr(si, i));
+		attrs = chunk_cat("mm", attrs, attr);
+	}
+	/* wrap in a ASN1_SET */
+	attrs = asn1_wrap(0x31, "m", attrs);
+
+	/* TODO: find a better way to access and verify the signature */
+	sig = openssl_asn1_str2chunk(si->signature);
+	enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+														KEY_RSA, serial, FALSE);
+	while (enumerator->enumerate(enumerator, &cert, &auth))
+	{
+		if (issuer->equals(issuer, cert->get_issuer(cert)))
+		{
+			key = cert->get_public_key(cert);
+			if (key)
+			{
+				if (key->verify(key, signature_scheme_from_oid(hash_oid),
+								attrs, sig))
+				{
+					found = auth->clone(auth);
+					key->destroy(key);
+					break;
+				}
+				key->destroy(key);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	issuer->destroy(issuer);
+	serial->destroy(serial);
+	free(attrs.ptr);
+
+	return found;
+}
+
+/**
+ * Verify the message digest in the signerInfo attributes
+ */
+static bool verify_digest(CMS_ContentInfo *cms, CMS_SignerInfo *si, int hash_oid)
+{
+	ASN1_OCTET_STRING *os, **osp;
+	hash_algorithm_t hash_alg;
+	chunk_t digest, content, hash;
+	hasher_t *hasher;
+
+	os = CMS_signed_get0_data_by_OBJ(si,
+				OBJ_nid2obj(NID_pkcs9_messageDigest), -3, V_ASN1_OCTET_STRING);
+	if (!os)
+	{
+		return FALSE;
+	}
+	digest = openssl_asn1_str2chunk(os);
+	osp = CMS_get0_content(cms);
+	if (!osp)
+	{
+		return FALSE;
+	}
+	content = openssl_asn1_str2chunk(*osp);
+
+	hash_alg = hasher_algorithm_from_oid(hash_oid);
+	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+	if (!hasher)
+	{
+		DBG1(DBG_LIB, "hash algorithm %N not supported",
+			 hash_algorithm_names, hash_alg);
+		return FALSE;
+	}
+	if (!hasher->allocate_hash(hasher, content, &hash))
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+
+	if (!chunk_equals(digest, hash))
+	{
+		free(hash.ptr);
+		DBG1(DBG_LIB, "invalid messageDigest");
+		return FALSE;
+	}
+	free(hash.ptr);
+	return TRUE;
+}
+
+METHOD(enumerator_t, signature_enumerate, bool,
+	signature_enumerator_t *this, auth_cfg_t **out)
+{
+	if (!this->signers)
+	{
+		return FALSE;
+	}
+	while (this->i < sk_CMS_SignerInfo_num(this->signers))
+	{
+		CMS_SignerInfo *si;
+		X509_ALGOR *digest, *sig;
+		int hash_oid;
+
+		/* clean up previous round */
+		DESTROY_IF(this->auth);
+		this->auth = NULL;
+
+		si = sk_CMS_SignerInfo_value(this->signers, this->i++);
+
+		CMS_SignerInfo_get0_algs(si, NULL, NULL, &digest, &sig);
+		hash_oid = openssl_asn1_known_oid(digest->algorithm);
+		if (openssl_asn1_known_oid(sig->algorithm) != OID_RSA_ENCRYPTION)
+		{
+			DBG1(DBG_LIB, "only RSA digest encryption supported");
+			continue;
+		}
+		this->auth = verify_signature(si, hash_oid);
+		if (!this->auth)
+		{
+			DBG1(DBG_LIB, "unable to verify pkcs7 attributes signature");
+			continue;
+		}
+		if (!verify_digest(this->cms, si, hash_oid))
+		{
+			continue;
+		}
+		*out = this->auth;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, signature_destroy, void,
+	signature_enumerator_t *this)
+{
+	lib->credmgr->remove_local_set(lib->credmgr, &this->creds->set);
+	this->creds->destroy(this->creds);
+	DESTROY_IF(this->auth);
+	free(this);
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_openssl_pkcs7_t *this)
+{
+	signature_enumerator_t *enumerator;
+
+	if (this->type == CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		enumerator_t *certs;
+		certificate_t *cert;
+
+		INIT(enumerator,
+			.public = {
+				.enumerate = (void*)_signature_enumerate,
+				.destroy = _signature_destroy,
+			},
+			.cms = this->cms,
+			.signers = CMS_get0_SignerInfos(this->cms),
+			.creds = mem_cred_create(),
+		);
+
+		/* make available wrapped certs during signature checking */
+		certs = create_cert_enumerator(this);
+		while (certs->enumerate(certs, &cert))
+		{
+			enumerator->creds->add_cert(enumerator->creds, FALSE,
+										cert->get_ref(cert));
+		}
+		certs->destroy(certs);
+
+		lib->credmgr->add_local_set(lib->credmgr, &enumerator->creds->set,
+									FALSE);
+
+		return &enumerator->public;
+	}
+	return enumerator_create_empty();
+}
+
+
+METHOD(container_t, get_type, container_type_t,
+	private_openssl_pkcs7_t *this)
+{
+	return this->type;
+}
+
+METHOD(pkcs7_t, get_attribute, bool,
+	private_openssl_pkcs7_t *this, int oid,
+	enumerator_t *enumerator, chunk_t *value)
+{
+	signature_enumerator_t *e;
+	CMS_SignerInfo *si;
+	X509_ATTRIBUTE *attr;
+	ASN1_TYPE *type;
+	chunk_t chunk, wrapped;
+	int i;
+
+	e = (signature_enumerator_t*)enumerator;
+	if (e->i <= 0)
+	{
+		return FALSE;
+	}
+
+	/* "i" gets incremeneted after enumerate(), hence read from previous */
+	si = sk_CMS_SignerInfo_value(e->signers, e->i - 1);
+	for (i = 0; i < CMS_signed_get_attr_count(si); i++)
+	{
+		attr = CMS_signed_get_attr(si, i);
+		if (!attr->single && sk_ASN1_TYPE_num(attr->value.set) == 1 &&
+			openssl_asn1_known_oid(attr->object) == oid)
+		{
+			/* get first value in SET */
+			type = sk_ASN1_TYPE_value(attr->value.set, 0);
+			chunk = wrapped = openssl_i2chunk(ASN1_TYPE, type);
+			if (asn1_unwrap(&chunk, &chunk) != 0x100 /* ASN1_INVALID */)
+			{
+				*value = chunk_clone(chunk);
+				free(wrapped.ptr);
+				return TRUE;
+			}
+			free(wrapped.ptr);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Find a private key for issuerAndSerialNumber
+ */
+static private_key_t *find_private(identification_t *issuer,
+								   identification_t *serial)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *public;
+	private_key_t *private = NULL;
+	identification_t *id;
+	chunk_t fp;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_RSA, serial, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (issuer->equals(issuer, cert->get_issuer(cert)))
+		{
+			public = cert->get_public_key(cert);
+			if (public)
+			{
+				if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &fp))
+				{
+					id = identification_create_from_encoding(ID_KEY_ID, fp);
+					private = lib->credmgr->get_private(lib->credmgr,
+														KEY_ANY, id, NULL);
+					id->destroy(id);
+				}
+				public->destroy(public);
+			}
+		}
+		if (private)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return private;
+}
+
+/**
+ * Decrypt enveloped-data with a decrypted symmetric key
+ */
+static bool decrypt_symmetric(private_openssl_pkcs7_t *this, chunk_t key,
+							  chunk_t encrypted, chunk_t *plain)
+{
+	encryption_algorithm_t encr;
+	X509_ALGOR *alg;
+	crypter_t *crypter;
+	chunk_t iv;
+	size_t key_size;
+
+	/* read encryption algorithm from interal structures; TODO fixup */
+	alg = this->cms->envelopedData->encryptedContentInfo->
+												contentEncryptionAlgorithm;
+	encr = encryption_algorithm_from_oid(openssl_asn1_known_oid(alg->algorithm),
+										 &key_size);
+	if (alg->parameter->type != V_ASN1_OCTET_STRING)
+	{
+		return FALSE;
+	}
+	iv = openssl_asn1_str2chunk(alg->parameter->value.octet_string);
+
+	crypter = lib->crypto->create_crypter(lib->crypto, encr, key_size / 8);
+	if (!crypter)
+	{
+		DBG1(DBG_LIB, "crypter %N-%d not available",
+			 encryption_algorithm_names, alg, key_size);
+		return FALSE;
+	}
+	if (key.len != crypter->get_key_size(crypter))
+	{
+		DBG1(DBG_LIB, "symmetric key length is wrong");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (iv.len != crypter->get_iv_size(crypter))
+	{
+		DBG1(DBG_LIB, "IV length is wrong");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (!crypter->set_key(crypter, key) ||
+		!crypter->decrypt(crypter, encrypted, iv, plain))
+	{
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	crypter->destroy(crypter);
+	return TRUE;
+}
+
+/**
+ * Remove enveloped-data PKCS#7 padding from plain data
+ */
+static bool remove_padding(chunk_t *data)
+{
+	u_char *pos;
+	u_char pattern;
+	size_t padding;
+
+	if (!data->len)
+	{
+		return FALSE;
+	}
+	pos = data->ptr + data->len - 1;
+	padding = pattern = *pos;
+
+	if (padding > data->len)
+	{
+		DBG1(DBG_LIB, "padding greater than data length");
+		return FALSE;
+	}
+	data->len -= padding;
+
+	while (padding-- > 0)
+	{
+		if (*pos-- != pattern)
+		{
+			DBG1(DBG_LIB, "wrong padding pattern");
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Decrypt PKCS#7 enveloped-data
+ */
+static bool decrypt(private_openssl_pkcs7_t *this,
+					chunk_t encrypted, chunk_t *plain)
+{
+	STACK_OF(CMS_RecipientInfo) *ris;
+	CMS_RecipientInfo *ri;
+	chunk_t chunk, key = chunk_empty;
+	int i;
+
+	ris = CMS_get0_RecipientInfos(this->cms);
+	for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
+	{
+		ri = sk_CMS_RecipientInfo_value(ris, i);
+		if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_TRANS)
+		{
+			identification_t *serial, *issuer;
+			private_key_t *private;
+			X509_ALGOR *alg;
+			X509_NAME *name;
+			ASN1_INTEGER *sn;
+			u_char zero = 0;
+			int oid;
+
+			if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) == 1 &&
+				CMS_RecipientInfo_ktri_get0_signer_id(ri, NULL, &name, &sn) == 1)
+			{
+				oid = openssl_asn1_known_oid(alg->algorithm);
+				if (oid != OID_RSA_ENCRYPTION)
+				{
+					DBG1(DBG_LIB, "only RSA encryption supported in PKCS#7");
+					continue;
+				}
+				issuer = openssl_x509_name2id(name);
+				if (!issuer)
+				{
+					continue;
+				}
+				chunk = openssl_asn1_str2chunk(sn);
+				if (chunk.len && chunk.ptr[0] & 0x80)
+				{	/* if MSB is set, append a zero to make it non-negative */
+					chunk = chunk_cata("cc", chunk_from_thing(zero), chunk);
+				}
+				serial = identification_create_from_encoding(ID_KEY_ID, chunk);
+				private = find_private(issuer, serial);
+				issuer->destroy(issuer);
+				serial->destroy(serial);
+
+				if (private)
+				{
+					/* get encryptedKey from internal structure; TODO fixup */
+					chunk = openssl_asn1_str2chunk(ri->ktri->encryptedKey);
+					if (private->decrypt(private, ENCRYPT_RSA_PKCS1,
+										 chunk, &key))
+					{
+						private->destroy(private);
+						break;
+					}
+					private->destroy(private);
+				}
+			}
+		}
+	}
+	if (!key.len)
+	{
+		DBG1(DBG_LIB, "no private key found to decrypt PKCS#7");
+		return FALSE;
+	}
+	if (!decrypt_symmetric(this, key, encrypted, plain))
+	{
+		chunk_clear(&key);
+		return FALSE;
+	}
+	chunk_clear(&key);
+	if (!remove_padding(plain))
+	{
+		free(plain->ptr);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(container_t, get_data, bool,
+	private_openssl_pkcs7_t *this, chunk_t *data)
+{
+	ASN1_OCTET_STRING **os;
+	chunk_t chunk;
+
+	os = CMS_get0_content(this->cms);
+	if (os)
+	{
+		chunk = openssl_asn1_str2chunk(*os);
+		switch (this->type)
+		{
+			case CONTAINER_PKCS7_DATA:
+			case CONTAINER_PKCS7_SIGNED_DATA:
+				*data = chunk_clone(chunk);
+				return TRUE;
+			case CONTAINER_PKCS7_ENVELOPED_DATA:
+				return decrypt(this, chunk, data);
+			default:
+				break;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_openssl_pkcs7_t *this, chunk_t *data)
+{
+	return FALSE;
+}
+
+METHOD(container_t, destroy, void,
+	private_openssl_pkcs7_t *this)
+{
+	CMS_ContentInfo_free(this->cms);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_openssl_pkcs7_t* create_empty()
+{
+	private_openssl_pkcs7_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.get_attribute = _get_attribute,
+			.create_cert_enumerator = _create_cert_enumerator,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * Parse a PKCS#7 container
+ */
+static bool parse(private_openssl_pkcs7_t *this, chunk_t blob)
+{
+	BIO *bio;
+
+	bio = BIO_new_mem_buf(blob.ptr, blob.len);
+	this->cms = d2i_CMS_bio(bio, NULL);
+	BIO_free(bio);
+
+	if (!this->cms)
+	{
+		return FALSE;
+	}
+	switch (openssl_asn1_known_oid((ASN1_OBJECT*)CMS_get0_type(this->cms)))
+	{
+		case OID_PKCS7_DATA:
+			this->type = CONTAINER_PKCS7_DATA;
+			break;
+		case OID_PKCS7_SIGNED_DATA:
+			this->type = CONTAINER_PKCS7_SIGNED_DATA;
+			break;
+		case OID_PKCS7_ENVELOPED_DATA:
+			this->type = CONTAINER_PKCS7_ENVELOPED_DATA;
+			break;
+		default:
+			return FALSE;
+	}
+
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+	private_openssl_pkcs7_t *this;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len)
+	{
+		this = create_empty();
+		if (parse(this, blob))
+		{
+			return &this->public;
+		}
+		destroy(this);
+	}
+	return NULL;
+}
+
+#endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.h b/src/libstrongswan/plugins/openssl/openssl_pkcs7.h
new file mode 100644
index 000000000..2c7939ebd
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_pkcs7 openssl_pkcs7
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_PKCS7_H_
+#define OPENSSL_PKCS7_H_
+
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Load a generic PKCS#7 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS7
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args);
+
+#endif /** OPENSSL_PKCS7_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index c93ceacc9..fb34a6858 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,6 +14,7 @@
  * for more details.
  */
 
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/conf.h>
 #include <openssl/rand.h>
@@ -25,9 +26,10 @@
 #include "openssl_plugin.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
+#include <threading/thread_value.h>
 #include "openssl_util.h"
 #include "openssl_crypter.h"
 #include "openssl_hasher.h"
@@ -40,6 +42,15 @@
 #include "openssl_ec_public_key.h"
 #include "openssl_x509.h"
 #include "openssl_crl.h"
+#include "openssl_pkcs7.h"
+#include "openssl_pkcs12.h"
+#include "openssl_rng.h"
+#include "openssl_hmac.h"
+#include "openssl_gcm.h"
+
+#ifndef FIPS_MODE
+#define FIPS_MODE 0
+#endif
 
 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
 
@@ -123,13 +134,52 @@ static void destroy_function(struct CRYPTO_dynlock_value *lock,
 }
 
 /**
+ * Thread-local value used to cleanup thread-specific error buffers
+ */
+static thread_value_t *cleanup;
+
+/**
+ * Called when a thread is destroyed. Avoid recursion by setting the thread id
+ * explicitly.
+ */
+static void cleanup_thread(void *arg)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+	CRYPTO_THREADID tid;
+
+	CRYPTO_THREADID_set_numeric(&tid, (u_long)(uintptr_t)arg);
+	ERR_remove_thread_state(&tid);
+#else
+	ERR_remove_state((u_long)(uintptr_t)arg);
+#endif
+}
+
+/**
  * Thread-ID callback function
  */
-static unsigned long id_function(void)
+static u_long id_function(void)
 {
-	return (unsigned long)thread_current_id();
+	u_long id;
+
+	/* ensure the thread ID is never zero, otherwise OpenSSL might try to
+	 * acquire locks recursively */
+	id = 1 + (u_long)thread_current_id();
+
+	/* cleanup a thread's state later if OpenSSL interacted with it */
+	cleanup->set(cleanup, (void*)(uintptr_t)id);
+	return id;
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+/**
+ * Callback for thread ID
+ */
+static void threadid_function(CRYPTO_THREADID *threadid)
+{
+	CRYPTO_THREADID_set_numeric(threadid, id_function());
+}
+#endif /* OPENSSL_VERSION_NUMBER */
+
 /**
  * initialize OpenSSL for multi-threaded use
  */
@@ -137,7 +187,14 @@ static void threading_init()
 {
 	int i, num_locks;
 
+	cleanup = thread_value_create(cleanup_thread);
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+	CRYPTO_THREADID_set_callback(threadid_function);
+#else
 	CRYPTO_set_id_callback(id_function);
+#endif
+
 	CRYPTO_set_locking_callback(locking_function);
 
 	CRYPTO_set_dynlock_create_callback(create_function);
@@ -153,6 +210,24 @@ static void threading_init()
 }
 
 /**
+ * cleanup OpenSSL threading locks
+ */
+static void threading_cleanup()
+{
+	int i, num_locks;
+
+	num_locks = CRYPTO_num_locks();
+	for (i = 0; i < num_locks; i++)
+	{
+		mutex[i]->destroy(mutex[i]);
+	}
+	free(mutex);
+	mutex = NULL;
+
+	cleanup->destroy(cleanup);
+}
+
+/**
  * Seed the OpenSSL RNG, if required
  */
 static bool seed_rng()
@@ -170,29 +245,17 @@ static bool seed_rng()
 				return FALSE;
 			}
 		}
-		rng->get_bytes(rng, sizeof(buf), buf);
+		if (!rng->get_bytes(rng, sizeof(buf), buf))
+		{
+			rng->destroy(rng);
+			return FALSE;
+		}
 		RAND_seed(buf, sizeof(buf));
 	}
 	DESTROY_IF(rng);
 	return TRUE;
 }
 
-/**
- * cleanup OpenSSL threading locks
- */
-static void threading_cleanup()
-{
-	int i, num_locks;
-
-	num_locks = CRYPTO_num_locks();
-	for (i = 0; i < num_locks; i++)
-	{
-		mutex[i]->destroy(mutex[i]);
-	}
-	free(mutex);
-	mutex = NULL;
-}
-
 METHOD(plugin_t, get_name, char*,
 	private_openssl_plugin_t *this)
 {
@@ -260,6 +323,57 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
 			PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
 #endif
+#ifndef OPENSSL_NO_HMAC
+		PLUGIN_REGISTER(PRF, openssl_hmac_prf_create),
+#ifndef OPENSSL_NO_MD5
+			PLUGIN_PROVIDE(PRF, PRF_HMAC_MD5),
+#endif
+#ifndef OPENSSL_NO_SHA1
+			PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA1),
+#endif
+#ifndef OPENSSL_NO_SHA256
+			PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_256),
+#endif
+#ifndef OPENSSL_NO_SHA512
+			PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
+			PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
+#endif
+		PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
+#ifndef OPENSSL_NO_MD5
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
+#endif
+#ifndef OPENSSL_NO_SHA1
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
+#endif
+#ifndef OPENSSL_NO_SHA256
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
+#endif
+#ifndef OPENSSL_NO_SHA512
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
+			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
+#endif
+#endif /* OPENSSL_NO_HMAC */
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+#ifndef OPENSSL_NO_AES
+		/* AES GCM */
+		PLUGIN_REGISTER(AEAD, openssl_gcm_create),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
+#endif /* OPENSSL_NO_AES */
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifndef OPENSSL_NO_DH
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
@@ -284,7 +398,7 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 		PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
-		PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, FALSE),
+		PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
 		PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
@@ -317,8 +431,19 @@ METHOD(plugin_t, get_features, int,
 		/* certificate/CRL loading */
 		PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
+#ifndef OPENSSL_NO_CMS
+		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
+#endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
+		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
 #ifndef OPENSSL_NO_ECDH
 		/* EC DH groups */
 		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
@@ -360,6 +485,9 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
+		PLUGIN_REGISTER(RNG, openssl_rng_create),
+			PLUGIN_PROVIDE(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(RNG, RNG_WEAK),
 	};
 	*features = f;
 	return countof(f);
@@ -368,13 +496,15 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_openssl_plugin_t *this)
 {
+	CONF_modules_free();
+	OBJ_cleanup();
+	EVP_cleanup();
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
 #endif /* OPENSSL_NO_ENGINE */
-	EVP_cleanup();
-	CONF_modules_free();
-
+	CRYPTO_cleanup_all_ex_data();
 	threading_cleanup();
+	ERR_free_strings();
 
 	free(this);
 }
@@ -385,6 +515,25 @@ METHOD(plugin_t, destroy, void,
 plugin_t *openssl_plugin_create()
 {
 	private_openssl_plugin_t *this;
+	int fips_mode;
+
+	fips_mode = lib->settings->get_int(lib->settings,
+						"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode_set(fips_mode))
+	{
+		DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+		return NULL;
+	}
+	DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
+				   fips_mode ? "en" : "dis");
+#else
+	if (fips_mode)
+	{
+		DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
+		return NULL;
+	}
+#endif
 
 	INIT(this,
 		.public = {
@@ -416,4 +565,3 @@ plugin_t *openssl_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c
new file mode 100644
index 000000000..815cf4f0c
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2012 Aleksandr Grinberg
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <utils/debug.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+
+#include "openssl_rng.h"
+
+typedef struct private_openssl_rng_t private_openssl_rng_t;
+
+/**
+ * Private data of openssl_rng_t
+ */
+struct private_openssl_rng_t {
+
+	/**
+	 * Public part of this class.
+	 */
+	openssl_rng_t public;
+
+	/**
+	 * Quality of randomness
+	 */
+	rng_quality_t quality;
+};
+
+METHOD(rng_t, get_bytes, bool,
+	private_openssl_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+	if (this->quality == RNG_WEAK)
+	{
+		/* RAND_pseudo_bytes() returns 1 if returned bytes are strong,
+		 * 0 if of not. Both is acceptable for RNG_WEAK. */
+		return RAND_pseudo_bytes((char*)buffer, bytes) != -1;
+	}
+	/* A 0 return value is a failure for RAND_bytes() */
+	return RAND_bytes((char*)buffer, bytes) == 1;
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+	private_openssl_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(bytes);
+	if (!get_bytes(this, chunk->len, chunk->ptr))
+	{
+		chunk_free(chunk);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(rng_t, destroy, void,
+	private_openssl_rng_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+openssl_rng_t *openssl_rng_create(rng_quality_t quality)
+{
+	private_openssl_rng_t *this;
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.quality = quality,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.h b/src/libstrongswan/plugins/openssl/openssl_rng.h
new file mode 100644
index 000000000..a4596563a
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_rng.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2012 Aleksandr Grinberg
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup openssl_rng openssl_rng
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_RNG_H_
+#define OPENSSL_RNG_H_
+
+#include <library.h>
+
+typedef struct openssl_rng_t openssl_rng_t;
+
+/**
+ * Implementation of random number using OpenSSL.
+ */
+struct openssl_rng_t {
+
+	/**
+	 * Implements rng_t interface.
+	 */
+	rng_t rng;
+};
+
+/**
+ * Constructor to create openssl_rng_t.
+ *
+ * @param quality	quality of randomness
+ * @return			openssl_rng_t
+ */
+openssl_rng_t *openssl_rng_create(rng_quality_t quality);
+
+#endif /** OPENSSL_RNG_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index d1afd94cc..036f53d23 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -14,10 +14,14 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_RSA
+
 #include "openssl_rsa_private_key.h"
 #include "openssl_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
@@ -424,7 +428,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 	if (blob.ptr)
 	{
 		this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
-		if (this->rsa && RSA_check_key(this->rsa))
+		if (this->rsa && RSA_check_key(this->rsa) == 1)
 		{
 			return &this->public;
 		}
@@ -446,7 +450,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 			this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL);
 		}
 		this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL);
-		if (RSA_check_key(this->rsa))
+		if (RSA_check_key(this->rsa) == 1)
 		{
 			return &this->public;
 		}
@@ -475,7 +479,8 @@ static bool login(ENGINE *engine, chunk_t keyid)
 	{
 		found = TRUE;
 		key = shared->get_key(shared);
-		if (snprintf(pin, sizeof(pin), "%.*s", key.len, key.ptr) >= sizeof(pin))
+		if (snprintf(pin, sizeof(pin),
+					 "%.*s", (int)key.len, key.ptr) >= sizeof(pin))
 		{
 			continue;
 		}
@@ -598,3 +603,4 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 #endif /* OPENSSL_NO_ENGINE */
 }
 
+#endif /* OPENSSL_NO_RSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index a24bae5d6..48beedef6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -14,9 +14,13 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_RSA
+
 #include "openssl_rsa_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
@@ -44,8 +48,6 @@ struct private_openssl_rsa_public_key_t {
 	refcount_t ref;
 };
 
-
-
 /**
  * Verification of an EMPSA PKCS1 signature described in PKCS#1
  */
@@ -63,12 +65,17 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
 
 	if (type == NID_undef)
 	{
-		chunk_t hash = chunk_alloc(rsa_size);
+		char *buf;
+		int len;
 
-		hash.len = RSA_public_decrypt(signature.len, signature.ptr, hash.ptr,
-									  this->rsa, RSA_PKCS1_PADDING);
-		valid = chunk_equals(data, hash);
-		free(hash.ptr);
+		buf = malloc(rsa_size);
+		len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa,
+								 RSA_PKCS1_PADDING);
+		if (len != -1)
+		{
+			valid = chunk_equals(data, chunk_create(buf, len));
+		}
+		free(buf);
 	}
 	else
 	{
@@ -217,13 +224,13 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
 			return FALSE;
 	}
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
+	if (!hasher || !hasher->allocate_hash(hasher, key, fp))
 	{
 		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
+		DESTROY_IF(hasher);
 		free(key.ptr);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, key, fp);
 	free(key.ptr);
 	hasher->destroy(hasher);
 	lib->encoding->cache(lib->encoding, type, rsa, *fp);
@@ -388,3 +395,5 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type,
 	destroy(this);
 	return NULL;
 }
+
+#endif /* OPENSSL_NO_RSA */
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index 20f2fa984..446c93e2b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -13,6 +13,10 @@
  * for more details.
  */
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_SHA1
+
 #include "openssl_sha1_prf.h"
 
 #include <openssl/sha.h>
@@ -35,10 +39,17 @@ struct private_openssl_sha1_prf_t {
 	SHA_CTX ctx;
 };
 
-METHOD(prf_t, get_bytes, void,
+METHOD(prf_t, get_bytes, bool,
 	private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	if (!SHA1_Update(&this->ctx, seed.ptr, seed.len))
+	{
+		return FALSE;
+	}
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
 	SHA1_Update(&this->ctx, seed.ptr, seed.len);
+#endif
 
 	if (bytes)
 	{
@@ -50,6 +61,8 @@ METHOD(prf_t, get_bytes, void,
 		hash[3] = htonl(this->ctx.h3);
 		hash[4] = htonl(this->ctx.h4);
 	}
+
+	return TRUE;
 }
 
 METHOD(prf_t, get_block_size, size_t,
@@ -58,18 +71,15 @@ METHOD(prf_t, get_block_size, size_t,
 	return HASH_SIZE_SHA1;
 }
 
-METHOD(prf_t, allocate_bytes, void,
+METHOD(prf_t, allocate_bytes, bool,
 	private_openssl_sha1_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	if (chunk)
 	{
 		*chunk = chunk_alloc(HASH_SIZE_SHA1);
-		get_bytes(this, seed, chunk->ptr);
-	}
-	else
-	{
-		get_bytes(this, seed, NULL);
+		return get_bytes(this, seed, chunk->ptr);
 	}
+	return get_bytes(this, seed, NULL);
 }
 
 METHOD(prf_t, get_key_size, size_t,
@@ -78,11 +88,22 @@ METHOD(prf_t, get_key_size, size_t,
 	return HASH_SIZE_SHA1;
 }
 
-METHOD(prf_t, set_key, void,
+METHOD(prf_t, set_key, bool,
 	private_openssl_sha1_prf_t *this, chunk_t key)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	if (!SHA1_Init(&this->ctx))
+	{
+		return FALSE;
+	}
+#else /* OPENSSL_VERSION_NUMBER < 1.0 */
 	SHA1_Init(&this->ctx);
+#endif
 
+	if (key.len % 4)
+	{
+		return FALSE;
+	}
 	if (key.len >= 4)
 	{
 		this->ctx.h0 ^= untoh32(key.ptr);
@@ -103,6 +124,7 @@ METHOD(prf_t, set_key, void,
 	{
 		this->ctx.h4 ^= untoh32(key.ptr + 16);
 	}
+	return TRUE;
 }
 
 METHOD(prf_t, destroy, void,
@@ -139,3 +161,4 @@ openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo)
 	return &this->public;
 }
 
+#endif /* OPENSSL_NO_SHA1 */
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 1eb1c6723..bc10dd28c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -16,7 +16,7 @@
 
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <openssl/evp.h>
 #include <openssl/x509.h>
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 5caf5182c..24b12d50c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -17,6 +17,9 @@
  */
 
 /*
+ * Copyright (C) 2013 Michael Rossberg
+ * Copyright (C) 2013 Technische Universität Ilmenau
+ *
  * Copyright (C) 2010 secunet Security Networks AG
  * Copyright (C) 2010 Thomas Egerer
  *
@@ -47,10 +50,15 @@
 #include "openssl_x509.h"
 #include "openssl_util.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
+#include <selectors/traffic_selector.h>
 
+/* IP Addr block extension support was introduced with 0.9.8e */
+#if OPENSSL_VERSION_NUMBER < 0x0090805fL
+#define OPENSSL_NO_RFC3779
+#endif
 
 typedef struct private_openssl_x509_t private_openssl_x509_t;
 
@@ -150,6 +158,12 @@ struct private_openssl_x509_t {
 	linked_list_t *ocsp_uris;
 
 	/**
+	 * List of ipAddrBlocks as traffic_selector_t
+	 */
+	linked_list_t *ipAddrBlocks;
+
+
+	/**
 	 * References to this cert
 	 */
 	refcount_t ref;
@@ -283,6 +297,12 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
 	return this->ocsp_uris->create_enumerator(this->ocsp_uris);
 }
 
+METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
+	private_openssl_x509_t *this)
+{
+	return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
+}
+
 METHOD(certificate_t, get_type, certificate_type_t,
 	private_openssl_x509_t *this)
 {
@@ -327,6 +347,10 @@ METHOD(certificate_t, has_subject, id_match_t,
 		{
 			return ID_MATCH_PERFECT;
 		}
+		if (chunk_equals(get_serial(this), encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
 	}
 	best = this->subject->matches(this->subject, subject);
 	enumerator = create_subjectAltName_enumerator(this);
@@ -350,7 +374,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_openssl_x509_t *this, certificate_t *issuer)
+	private_openssl_x509_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	public_key_t *key;
 	bool valid;
@@ -393,6 +418,10 @@ METHOD(certificate_t, issued_by, bool,
 						openssl_asn1_str2chunk(this->x509->signature));
 	free(tbs.ptr);
 	key->destroy(key);
+	if (valid && scheme)
+	{
+		*scheme = this->scheme;
+	}
 	return valid;
 }
 
@@ -497,6 +526,8 @@ METHOD(certificate_t, destroy, void,
 										offsetof(identification_t, destroy));
 		this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
 		this->ocsp_uris->destroy_function(this->ocsp_uris, free);
+		this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
+										offsetof(traffic_selector_t, destroy));
 		free(this);
 	}
 }
@@ -533,7 +564,7 @@ static private_openssl_x509_t *create_empty()
 				.create_subjectAltName_enumerator = _create_subjectAltName_enumerator,
 				.create_crl_uri_enumerator = _create_crl_uri_enumerator,
 				.create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator,
-				.create_ipAddrBlock_enumerator = (void*)enumerator_create_empty,
+				.create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator,
 				.create_name_constraint_enumerator = (void*)enumerator_create_empty,
 				.create_cert_policy_enumerator = (void*)enumerator_create_empty,
 				.create_policy_mapping_enumerator = (void*)enumerator_create_empty,
@@ -543,6 +574,7 @@ static private_openssl_x509_t *create_empty()
 		.issuerAltNames = linked_list_create(),
 		.crl_uris = linked_list_create(),
 		.ocsp_uris = linked_list_create(),
+		.ipAddrBlocks = linked_list_create(),
 		.pathlen = X509_NO_CONSTRAINT,
 		.ref = 1,
 	);
@@ -647,6 +679,41 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
 }
 
 /**
+ * Parse ExtendedKeyUsage
+ */
+static bool parse_extKeyUsage_ext(private_openssl_x509_t *this,
+								  X509_EXTENSION *ext)
+{
+	EXTENDED_KEY_USAGE *usage;
+	int i;
+
+	usage = X509V3_EXT_d2i(ext);
+	if (usage)
+	{
+		for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+		{
+			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+			{
+				case NID_server_auth:
+					this->flags |= X509_SERVER_AUTH;
+					break;
+				case NID_client_auth:
+					this->flags |= X509_CLIENT_AUTH;
+					break;
+				case NID_OCSP_sign:
+					this->flags |= X509_OCSP_SIGNER;
+					break;
+				default:
+					break;
+			}
+		}
+		sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Parse CRL distribution points
  */
 static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
@@ -763,6 +830,92 @@ static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this,
 	return TRUE;
 }
 
+#ifndef OPENSSL_NO_RFC3779
+
+/**
+ * Parse a single block of ipAddrBlock extension
+ */
+static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
+									  IPAddressFamily *fam)
+{
+	const IPAddressOrRanges *list;
+	IPAddressOrRange *aor;
+	traffic_selector_t *ts;
+	ts_type_t type;
+	chunk_t from, to;
+	int i, afi;
+
+	if (fam->ipAddressChoice->type != IPAddressChoice_addressesOrRanges)
+	{
+		return;
+	}
+
+	afi = v3_addr_get_afi(fam);
+	switch (afi)
+	{
+		case IANA_AFI_IPV4:
+			from = chunk_alloca(4);
+			to = chunk_alloca(4);
+			type = TS_IPV4_ADDR_RANGE;
+			break;
+		case IANA_AFI_IPV6:
+			from = chunk_alloca(16);
+			to = chunk_alloca(16);
+			type = TS_IPV6_ADDR_RANGE;
+			break;
+		default:
+			return;
+	}
+
+	list = fam->ipAddressChoice->u.addressesOrRanges;
+	for (i = 0; i < sk_IPAddressOrRange_num(list); i++)
+	{
+		aor = sk_IPAddressOrRange_value(list, i);
+		if (v3_addr_get_range(aor, afi, from.ptr, to.ptr, from.len) > 0)
+		{
+			ts = traffic_selector_create_from_bytes(0, type, from, 0, to, 65535);
+			if (ts)
+			{
+				this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
+			}
+		}
+	}
+}
+
+/**
+ * Parse ipAddrBlock extension
+ */
+static bool parse_ipAddrBlock_ext(private_openssl_x509_t *this,
+								  X509_EXTENSION *ext)
+{
+	STACK_OF(IPAddressFamily) *blocks;
+	IPAddressFamily *fam;
+
+	blocks = (STACK_OF(IPAddressFamily)*)X509V3_EXT_d2i(ext);
+	if (!blocks)
+	{
+		return FALSE;
+	}
+
+	if (!v3_addr_is_canonical(blocks))
+	{
+		sk_IPAddressFamily_free(blocks);
+		return FALSE;
+	}
+
+	while (sk_IPAddressFamily_num(blocks) > 0)
+	{
+		fam = sk_IPAddressFamily_pop(blocks);
+		parse_ipAddrBlock_ext_fam(this, fam);
+		IPAddressFamily_free(fam);
+	}
+	sk_IPAddressFamily_free(blocks);
+
+	this->flags |= X509_IP_ADDR_BLOCKS;
+	return TRUE;
+}
+#endif /* !OPENSSL_NO_RFC3779 */
+
 /**
  * Parse authorityKeyIdentifier extension
  */
@@ -845,16 +998,29 @@ static bool parse_extensions(private_openssl_x509_t *this)
 				case NID_key_usage:
 					ok = parse_keyUsage_ext(this, ext);
 					break;
+				case NID_ext_key_usage:
+					ok = parse_extKeyUsage_ext(this, ext);
+					break;
 				case NID_crl_distribution_points:
 					ok = parse_crlDistributionPoints_ext(this, ext);
 					break;
+#ifndef OPENSSL_NO_RFC3779
+				case NID_sbgp_ipAddrBlock:
+					ok = parse_ipAddrBlock_ext(this, ext);
+					break;
+#endif /* !OPENSSL_NO_RFC3779 */
 				default:
 					ok = X509_EXTENSION_get_critical(ext) == 0 ||
 						 !lib->settings->get_bool(lib->settings,
 								"libstrongswan.x509.enforce_critical", TRUE);
 					if (!ok)
 					{
-						DBG1(DBG_LIB, "found unsupported critical X.509 extension");
+						char buf[80] = "";
+
+						OBJ_obj2txt(buf, sizeof(buf),
+									X509_EXTENSION_get_object(ext), 0);
+						DBG1(DBG_LIB, "found unsupported critical X.509 "
+							 "extension: %s", buf);
 					}
 					break;
 			}
@@ -868,38 +1034,6 @@ static bool parse_extensions(private_openssl_x509_t *this)
 }
 
 /**
- * Parse ExtendedKeyUsage
- */
-static void parse_extKeyUsage(private_openssl_x509_t *this)
-{
-	EXTENDED_KEY_USAGE *usage;
-	int i;
-
-	usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
-	if (usage)
-	{
-		for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
-		{
-			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
-			{
-				case NID_server_auth:
-					this->flags |= X509_SERVER_AUTH;
-					break;
-				case NID_client_auth:
-					this->flags |= X509_CLIENT_AUTH;
-					break;
-				case NID_OCSP_sign:
-					this->flags |= X509_OCSP_SIGNER;
-					break;
-				default:
-					break;
-			}
-		}
-		sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
-	}
-}
-
-/**
  * Parse a DER encoded x509 certificate
  */
 static bool parse_certificate(private_openssl_x509_t *this)
@@ -965,17 +1099,16 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	{
 		return FALSE;
 	}
-	parse_extKeyUsage(this);
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
+	if (!hasher || !hasher->allocate_hash(hasher, this->encoding, &this->hash))
 	{
+		DESTROY_IF(hasher);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, this->encoding, &this->hash);
 	hasher->destroy(hasher);
 
-	if (issued_by(this, &this->public.x509.interface))
+	if (issued_by(this, &this->public.x509.interface, NULL))
 	{
 		this->flags |= X509_SELF_SIGNED;
 	}
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
index 6706d26cb..0acd8384c 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.am
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-padlock.la
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 6ff607456..028fab232 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_padlock_la_LIBADD =
@@ -79,48 +103,77 @@ am_libstrongswan_padlock_la_OBJECTS = padlock_plugin.lo \
 	padlock_aes_crypter.lo padlock_sha1_hasher.lo padlock_rng.lo
 libstrongswan_padlock_la_OBJECTS =  \
 	$(am_libstrongswan_padlock_la_OBJECTS)
-libstrongswan_padlock_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_padlock_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_padlock_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_padlock_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_padlock_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_padlock_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_padlock_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_padlock_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-padlock.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-padlock.la
 libstrongswan_padlock_la_SOURCES = \
@@ -339,7 +405,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +412,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +435,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) 
-	$(libstrongswan_padlock_la_LINK) $(am_libstrongswan_padlock_la_rpath) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
+libstrongswan-padlock.la: $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_DEPENDENCIES) $(EXTRA_libstrongswan_padlock_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_padlock_la_LINK) $(am_libstrongswan_padlock_la_rpath) $(libstrongswan_padlock_la_OBJECTS) $(libstrongswan_padlock_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -383,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/padlock_sha1_hasher.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -508,10 +575,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index 119de86aa..b5060de0a 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -109,16 +109,18 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 	memwipe(key_aligned, sizeof(key_aligned));
 }
 
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
 	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, TRUE);
+	return TRUE;
 }
 
-METHOD(crypter_t, encrypt, void,
+METHOD(crypter_t, encrypt, bool,
 	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, FALSE);
+	return TRUE;
 }
 
 METHOD(crypter_t, get_block_size, size_t,
@@ -139,10 +141,11 @@ METHOD(crypter_t, get_key_size, size_t,
 	return this->key.len;
 }
 
-METHOD(crypter_t, set_key, void,
+METHOD(crypter_t, set_key, bool,
 	private_padlock_aes_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
+	return TRUE;
 }
 
 METHOD(crypter_t, destroy, void,
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index 9d4afd8e8..2005ef648 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,7 +22,8 @@
 #include <stdio.h>
 
 #include <library.h>
-#include <debug.h>
+#include <plugins/plugin_feature.h>
+#include <utils/debug.h>
 
 typedef struct private_padlock_plugin_t private_padlock_plugin_t;
 typedef enum padlock_feature_t padlock_feature_t;
@@ -107,28 +109,49 @@ METHOD(plugin_t, get_name, char*,
 	return "padlock";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_padlock_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f_rng[] = {
+		PLUGIN_REGISTER(RNG, padlock_rng_create),
+			PLUGIN_PROVIDE(RNG, RNG_WEAK),
+			PLUGIN_PROVIDE(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(RNG, RNG_TRUE),
+	};
+	static plugin_feature_t f_aes[] = {
+		PLUGIN_REGISTER(CRYPTER, padlock_aes_crypter_create),
+			PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
+	};
+	static plugin_feature_t f_sha1[] = {
+		PLUGIN_REGISTER(HASHER, padlock_sha1_hasher_create),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+	};
+	static plugin_feature_t f[countof(f_rng) + countof(f_aes) +
+							  countof(f_sha1)] = {};
+	static int count = 0;
+
+	if (!count)
+	{	/* initialize only once */
+		if (this->features & PADLOCK_RNG_ENABLED)
+		{
+			plugin_features_add(f, f_rng, countof(f_rng), &count);
+		}
+		if (this->features & PADLOCK_ACE2_ENABLED)
+		{
+			plugin_features_add(f, f_aes, countof(f_aes), &count);
+		}
+		if (this->features & PADLOCK_PHE_ENABLED)
+		{
+			plugin_features_add(f, f_sha1, countof(f_sha1), &count);
+		}
+	}
+	*features = f;
+	return count;
+}
+
 METHOD(plugin_t, destroy, void,
 	private_padlock_plugin_t *this)
 {
-	if (this->features & PADLOCK_RNG_ENABLED)
-	{
-		lib->crypto->remove_rng(lib->crypto,
-							(rng_constructor_t)padlock_rng_create);
-		lib->crypto->remove_rng(lib->crypto,
-							(rng_constructor_t)padlock_rng_create);
-		lib->crypto->remove_rng(lib->crypto,
-							(rng_constructor_t)padlock_rng_create);
-	}
-	if (this->features & PADLOCK_ACE2_ENABLED)
-	{
-		lib->crypto->remove_crypter(lib->crypto,
-							(crypter_constructor_t)padlock_aes_crypter_create);
-	}
-	if (this->features & PADLOCK_PHE_ENABLED)
-	{
-		lib->crypto->remove_hasher(lib->crypto,
-							(hasher_constructor_t)padlock_sha1_hasher_create);
-	}
 	free(this);
 }
 
@@ -143,7 +166,7 @@ plugin_t *padlock_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
@@ -167,24 +190,5 @@ plugin_t *padlock_plugin_create()
 		 this->features & PADLOCK_PHE_ENABLED ? " PHE" : "",
 		 this->features & PADLOCK_PMM_ENABLED ? " PMM" : "");
 
-	if (this->features & PADLOCK_RNG_ENABLED)
-	{
-		lib->crypto->add_rng(lib->crypto, RNG_TRUE, get_name(this),
-						(rng_constructor_t)padlock_rng_create);
-		lib->crypto->add_rng(lib->crypto, RNG_STRONG, get_name(this),
-						(rng_constructor_t)padlock_rng_create);
-		lib->crypto->add_rng(lib->crypto, RNG_WEAK, get_name(this),
-						(rng_constructor_t)padlock_rng_create);
-	}
-	if (this->features & PADLOCK_ACE2_ENABLED)
-	{
-		lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, get_name(this),
-						(crypter_constructor_t)padlock_aes_crypter_create);
-	}
-	if (this->features & PADLOCK_PHE_ENABLED)
-	{
-		lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
-						(hasher_constructor_t)padlock_sha1_hasher_create);
-	}
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c
index 3d805df9d..517914ab5 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.c
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.c
@@ -69,7 +69,7 @@ static void rng(char *buf, int len, int quality)
 	}
 }
 
-METHOD(rng_t, allocate_bytes, void,
+METHOD(rng_t, allocate_bytes, bool,
 	private_padlock_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	chunk->len = bytes;
@@ -77,9 +77,10 @@ METHOD(rng_t, allocate_bytes, void,
 	chunk->ptr = malloc(bytes + 7);
 
 	rng(chunk->ptr, chunk->len, this->quality);
+	return TRUE;
 }
 
-METHOD(rng_t, get_bytes, void,
+METHOD(rng_t, get_bytes, bool,
 	private_padlock_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	chunk_t chunk;
@@ -88,6 +89,7 @@ METHOD(rng_t, get_bytes, void,
 	allocate_bytes(this, bytes, &chunk);
 	memcpy(buffer, chunk.ptr, bytes);
 	chunk_clear(&chunk);
+	return TRUE;
 }
 
 METHOD(rng_t, destroy, void,
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
index 66a077353..4489b902a 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -83,13 +83,14 @@ static void append_data(private_padlock_sha1_hasher_t *this, chunk_t data)
 	this->data.len += data.len;
 }
 
-METHOD(hasher_t, reset, void,
+METHOD(hasher_t, reset, bool,
 	private_padlock_sha1_hasher_t *this)
 {
 	chunk_free(&this->data);
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, get_hash, bool,
 	private_padlock_sha1_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	if (hash)
@@ -109,20 +110,18 @@ METHOD(hasher_t, get_hash, void,
 	{
 		append_data(this, chunk);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_padlock_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
 		*hash = chunk_alloc(HASH_SIZE_SHA1);
-		get_hash(this, chunk, hash->ptr);
-	}
-	else
-	{
-		get_hash(this, chunk, NULL);
+		return get_hash(this, chunk, hash->ptr);
 	}
+	return get_hash(this, chunk, NULL);
 }
 
 METHOD(hasher_t, get_hash_size, size_t,
diff --git a/src/libstrongswan/plugins/pem/Makefile.am b/src/libstrongswan/plugins/pem/Makefile.am
index b815b1e0b..9aa853e13 100644
--- a/src/libstrongswan/plugins/pem/Makefile.am
+++ b/src/libstrongswan/plugins/pem/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pem.la
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 98c196ef4..ed7cd3d9a 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pem_la_LIBADD =
 am_libstrongswan_pem_la_OBJECTS = pem_plugin.lo pem_builder.lo \
 	pem_encoder.lo
 libstrongswan_pem_la_OBJECTS = $(am_libstrongswan_pem_la_OBJECTS)
-libstrongswan_pem_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pem_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pem_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pem_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pem_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pem_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pem_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pem_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pem.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pem.la
 libstrongswan_pem_la_SOURCES = \
@@ -336,7 +402,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -344,6 +409,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -365,8 +432,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) 
-	$(libstrongswan_pem_la_LINK) $(am_libstrongswan_pem_la_rpath) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
+libstrongswan-pem.la: $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_DEPENDENCIES) $(EXTRA_libstrongswan_pem_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pem_la_LINK) $(am_libstrongswan_pem_la_rpath) $(libstrongswan_pem_la_OBJECTS) $(libstrongswan_pem_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -379,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +571,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index c5d96be47..e9d55f3b8 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Copyright (C) 2001-2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
@@ -27,7 +28,7 @@
 #include <sys/mman.h>
 #include <sys/stat.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <utils/lexparser.h>
 #include <asn1/asn1.h>
@@ -104,15 +105,21 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 	}
 	hash.len = hasher->get_hash_size(hasher);
 	hash.ptr = alloca(hash.len);
-	hasher->get_hash(hasher, passphrase, NULL);
-	hasher->get_hash(hasher, salt, hash.ptr);
+	if (!hasher->get_hash(hasher, passphrase, NULL) ||
+		!hasher->get_hash(hasher, salt, hash.ptr))
+	{
+		return FAILED;
+	}
 	memcpy(key.ptr, hash.ptr, hash.len);
 
 	if (key.len > hash.len)
 	{
-		hasher->get_hash(hasher, hash, NULL);
-		hasher->get_hash(hasher, passphrase, NULL);
-		hasher->get_hash(hasher, salt, hash.ptr);
+		if (!hasher->get_hash(hasher, hash, NULL) ||
+			!hasher->get_hash(hasher, passphrase, NULL) ||
+			!hasher->get_hash(hasher, salt, hash.ptr))
+		{
+			return FAILED;
+		}
 		memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
 	}
 	hasher->destroy(hasher);
@@ -125,7 +132,6 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 			 encryption_algorithm_names, alg);
 		return NOT_SUPPORTED;
 	}
-	crypter->set_key(crypter, key);
 
 	if (iv.len != crypter->get_iv_size(crypter) ||
 		blob->len % crypter->get_block_size(crypter))
@@ -134,7 +140,12 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 		DBG1(DBG_ASN, "  data size is not multiple of block size");
 		return PARSE_ERROR;
 	}
-	crypter->decrypt(crypter, *blob, iv, &decrypted);
+	if (!crypter->set_key(crypter, key) ||
+		!crypter->decrypt(crypter, *blob, iv, &decrypted))
+	{
+		crypter->destroy(crypter);
+		return FAILED;
+	}
 	crypter->destroy(crypter);
 	memcpy(blob->ptr, decrypted.ptr, blob->len);
 	chunk_free(&decrypted);
@@ -275,11 +286,14 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
 					else
 					{
 						DBG1(DBG_ASN, "  encryption algorithm '%.*s'"
-							 " not supported", dek.len, dek.ptr);
+							 " not supported", (int)dek.len, dek.ptr);
 						return NOT_SUPPORTED;
 					}
-					eat_whitespace(&value);
-					iv = chunk_from_hex(value, iv.ptr);
+					if (!eat_whitespace(&value) || value.len > 2*sizeof(iv_buf))
+					{
+						return PARSE_ERROR;
+					}
+					iv = chunk_from_hex(value, iv_buf);
 				}
 			}
 			else /* state is PEM_BODY */
@@ -551,3 +565,10 @@ certificate_t *pem_certificate_load(certificate_type_t type, va_list args)
 	return pem_load(CRED_CERTIFICATE, type, args);
 }
 
+/**
+ * Container PEM loader.
+ */
+container_t *pem_container_load(container_type_t type, va_list args)
+{
+	return pem_load(CRED_CONTAINER, type, args);
+}
diff --git a/src/libstrongswan/plugins/pem/pem_builder.h b/src/libstrongswan/plugins/pem/pem_builder.h
index 87f5a2c69..b1bfc6d4d 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.h
+++ b/src/libstrongswan/plugins/pem/pem_builder.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,6 +26,7 @@
 #include <credentials/credential_factory.h>
 #include <credentials/keys/private_key.h>
 #include <credentials/certificates/certificate.h>
+#include <credentials/containers/container.h>
 
 /**
  * Load PEM encoded private keys.
@@ -53,5 +55,14 @@ public_key_t *pem_public_key_load(key_type_t type, va_list args);
  */
 certificate_t *pem_certificate_load(certificate_type_t type, va_list args);
 
+/**
+ * Build PEM encoded containers.
+ *
+ * @param type		type of the container
+ * @param args		builder_part_t argument list
+ * @return 			container, NULL if failed
+ */
+container_t *pem_container_load(container_type_t type, va_list args);
+
 #endif /** PEM_BUILDER_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index fca717a10..e7edd7b89 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -46,52 +46,69 @@ METHOD(plugin_t, get_features, int,
 		/* private key PEM decoding */
 		PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
-				PLUGIN_DEPENDS(HASHER, HASH_MD5),
+				PLUGIN_DEPENDS(PRIVKEY, KEY_ANY),
+				PLUGIN_SDEPEND(HASHER, HASH_MD5),
 		PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
-				PLUGIN_DEPENDS(HASHER, HASH_MD5),
+				PLUGIN_DEPENDS(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(HASHER, HASH_MD5),
 		PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
-				PLUGIN_DEPENDS(HASHER, HASH_MD5),
+				PLUGIN_DEPENDS(PRIVKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(HASHER, HASH_MD5),
 		PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_DSA),
-				PLUGIN_DEPENDS(HASHER, HASH_MD5),
+				PLUGIN_DEPENDS(PRIVKEY, KEY_DSA),
+				PLUGIN_SDEPEND(HASHER, HASH_MD5),
 
 		/* public key PEM decoding */
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+				PLUGIN_DEPENDS(PUBKEY, KEY_ANY),
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
+				PLUGIN_DEPENDS(PUBKEY, KEY_RSA),
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
+				PLUGIN_DEPENDS(PUBKEY, KEY_ECDSA),
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_DSA),
+				PLUGIN_DEPENDS(PUBKEY, KEY_DSA),
 
 		/* certificate PEM decoding */
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_ANY),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_GPG),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_X509),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_X509_CRL),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_OCSP_REQUEST),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_X509_OCSP_REQUEST),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_OCSP_RESPONSE),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_X509_OCSP_RESPONSE),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_AC),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_X509_AC),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_PKCS10_REQUEST),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_PKCS10_REQUEST),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_TRUSTED_PUBKEY),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_TRUSTED_PUBKEY),
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_GPG),
+				PLUGIN_DEPENDS(CERT_DECODE, CERT_GPG),
 
-		/* pluto specific certificate formats */
-		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
-			PLUGIN_PROVIDE(CERT_DECODE, CERT_PLUTO_CERT),
-		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
-			PLUGIN_PROVIDE(CERT_DECODE, CERT_PLUTO_CRL),
+		/* container PEM decoding */
+		PLUGIN_REGISTER(CONTAINER_DECODE, pem_container_load, FALSE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
+				PLUGIN_DEPENDS(CONTAINER_DECODE, CONTAINER_PKCS12),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/pgp/Makefile.am b/src/libstrongswan/plugins/pgp/Makefile.am
index 4b414616d..d3eef3ce1 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.am
+++ b/src/libstrongswan/plugins/pgp/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pgp.la
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 946424eee..a21b44f4c 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pgp_la_LIBADD =
 am_libstrongswan_pgp_la_OBJECTS = pgp_plugin.lo pgp_utils.lo \
 	pgp_cert.lo pgp_encoder.lo pgp_builder.lo
 libstrongswan_pgp_la_OBJECTS = $(am_libstrongswan_pgp_la_OBJECTS)
-libstrongswan_pgp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pgp_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pgp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pgp_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pgp_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pgp_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pgp_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pgp_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pgp.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pgp.la
 libstrongswan_pgp_la_SOURCES = \
@@ -338,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) 
-	$(libstrongswan_pgp_la_LINK) $(am_libstrongswan_pgp_la_rpath) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
+libstrongswan-pgp.la: $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_DEPENDENCIES) $(EXTRA_libstrongswan_pgp_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pgp_la_LINK) $(am_libstrongswan_pgp_la_rpath) $(libstrongswan_pgp_la_OBJECTS) $(libstrongswan_pgp_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -383,25 +450,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp_utils.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -508,10 +575,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
index 361157742..3ff357202 100644
--- a/src/libstrongswan/plugins/pgp/pgp_builder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -17,8 +17,8 @@
 #include "pgp_builder.h"
 #include "pgp_utils.h"
 
-#include <enum.h>
-#include <debug.h>
+#include <utils/enum.h>
+#include <utils/debug.h>
 #include <credentials/keys/private_key.h>
 
 /**
diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c
index 70a236855..89d7094ad 100644
--- a/src/libstrongswan/plugins/pgp/pgp_cert.c
+++ b/src/libstrongswan/plugins/pgp/pgp_cert.c
@@ -18,7 +18,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pgp_cert_t private_pgp_cert_t;
 
@@ -114,7 +114,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by,bool,
-	private_pgp_cert_t *this, certificate_t *issuer)
+	private_pgp_cert_t *this, certificate_t *issuer, signature_scheme_t *scheme)
 {
 	/* TODO: check signature blobs for a valid signature */
 	return FALSE;
@@ -321,8 +321,12 @@ static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet)
 			DBG1(DBG_ASN, "no SHA-1 hasher available");
 			return FALSE;
 		}
-		hasher->allocate_hash(hasher, pubkey_packet_header, NULL);
-		hasher->allocate_hash(hasher, pubkey_packet, &this->fingerprint);
+		if (!hasher->allocate_hash(hasher, pubkey_packet_header, NULL) ||
+			!hasher->allocate_hash(hasher, pubkey_packet, &this->fingerprint))
+		{
+			hasher->destroy(hasher);
+			return FALSE;
+		}
 		hasher->destroy(hasher);
 		DBG2(DBG_ASN, "L2 - v4 fingerprint %#B", &this->fingerprint);
 	}
diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c
index 9043cdb9f..100f3ef33 100644
--- a/src/libstrongswan/plugins/pgp/pgp_encoder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c
@@ -15,7 +15,7 @@
 
 #include "pgp_encoder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Build a PGPv3 fingerprint
@@ -44,8 +44,12 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args)
 		{
 			e = chunk_skip(e, 1);
 		}
-		hasher->allocate_hash(hasher, n, NULL);
-		hasher->allocate_hash(hasher, e, encoding);
+		if (!hasher->allocate_hash(hasher, n, NULL) ||
+			!hasher->allocate_hash(hasher, e, encoding))
+		{
+			hasher->destroy(hasher);
+			return FALSE;
+		}
 		hasher->destroy(hasher);
 		return TRUE;
 	}
diff --git a/src/libstrongswan/plugins/pgp/pgp_utils.c b/src/libstrongswan/plugins/pgp/pgp_utils.c
index 7fd905ce4..bb15627fd 100644
--- a/src/libstrongswan/plugins/pgp/pgp_utils.c
+++ b/src/libstrongswan/plugins/pgp/pgp_utils.c
@@ -15,7 +15,7 @@
 
 #include "pgp_utils.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM_BEGIN(pgp_pubkey_alg_names, PGP_PUBKEY_ALG_RSA, PGP_PUBKEY_ALG_RSA_SIGN_ONLY,
 	"RSA",
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.am b/src/libstrongswan/plugins/pkcs1/Makefile.am
index bd3203dae..5dbc4e9c2 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pkcs1.la
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index f9322a62d..0778f6a9c 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,54 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs1_la_LIBADD =
 am_libstrongswan_pkcs1_la_OBJECTS = pkcs1_plugin.lo pkcs1_encoder.lo \
 	pkcs1_builder.lo
 libstrongswan_pkcs1_la_OBJECTS = $(am_libstrongswan_pkcs1_la_OBJECTS)
-libstrongswan_pkcs1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pkcs1_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs1_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs1_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pkcs1_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pkcs1_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs1_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs1.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs1.la
 libstrongswan_pkcs1_la_SOURCES = \
@@ -337,7 +403,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -345,6 +410,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -366,8 +433,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs1_la_LINK) $(am_libstrongswan_pkcs1_la_rpath) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
+libstrongswan-pkcs1.la: $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs1_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pkcs1_la_LINK) $(am_libstrongswan_pkcs1_la_rpath) $(libstrongswan_pkcs1_la_OBJECTS) $(libstrongswan_pkcs1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -380,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -505,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 6d022f362..c6661fcda 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -17,7 +17,7 @@
 
 #include "pkcs1_builder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
index 6957b2ad1..2c3bf6e7c 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
@@ -15,14 +15,14 @@
 
 #include "pkcs1_encoder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 
 /**
  * Encode a public key in PKCS#1/ASN.1 DER
  */
-bool build_pub(chunk_t *encoding, va_list args)
+static bool build_pub(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e;
 
@@ -40,7 +40,7 @@ bool build_pub(chunk_t *encoding, va_list args)
 /**
  * Encode a public key in PKCS#1/ASN.1 DER, contained in subjectPublicKeyInfo
  */
-bool build_pub_info(chunk_t *encoding, va_list args)
+static bool build_pub_info(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e;
 
@@ -61,7 +61,7 @@ bool build_pub_info(chunk_t *encoding, va_list args)
 /**
  * Encode a private key in PKCS#1/ASN.1 DER
  */
-bool build_priv(chunk_t *encoding, va_list args)
+static bool build_priv(chunk_t *encoding, va_list args)
 {
 	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 
@@ -94,14 +94,14 @@ static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
 	hasher_t *hasher;
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
+	if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
 	{
+		DESTROY_IF(hasher);
 		chunk_free(&pubkey);
 		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
 			 "fingerprinting failed");
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, pubkey, hash);
 	hasher->destroy(hasher);
 	chunk_free(&pubkey);
 	return TRUE;
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.am b/src/libstrongswan/plugins/pkcs11/Makefile.am
index d032b879a..1d175ecb4 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pkcs11.la
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 2ead77f5a..90b4156f4 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs11_la_LIBADD =
@@ -81,48 +105,77 @@ am_libstrongswan_pkcs11_la_OBJECTS = pkcs11_plugin.lo \
 	pkcs11_dh.lo pkcs11_manager.lo
 libstrongswan_pkcs11_la_OBJECTS =  \
 	$(am_libstrongswan_pkcs11_la_OBJECTS)
-libstrongswan_pkcs11_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pkcs11_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs11_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs11_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pkcs11_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pkcs11_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -131,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -150,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -177,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -189,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -197,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -207,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -228,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -248,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -285,8 +347,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs11.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs11.la
 libstrongswan_pkcs11_la_SOURCES = \
@@ -346,7 +412,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -354,6 +419,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -375,8 +442,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
+libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs11_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -395,25 +462,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_rng.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -520,10 +587,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
index a81ec1147..e65f3a06b 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -14,9 +14,10 @@
  */
 
 #include "pkcs11_creds.h"
+#include "pkcs11_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
 
@@ -109,7 +110,8 @@ static void find_certificates(private_pkcs11_creds_t *this,
 		if (cert)
 		{
 			DBG1(DBG_CFG, "    loaded %strusted cert '%.*s'",
-				 entry->trusted ? "" : "un", entry->label.len, entry->label.ptr);
+				 entry->trusted ? "" : "un", (int)entry->label.len,
+				 entry->label.ptr);
 			/* trusted certificates are also returned as untrusted */
 			this->untrusted->insert_last(this->untrusted, cert);
 			if (entry->trusted)
@@ -120,7 +122,7 @@ static void find_certificates(private_pkcs11_creds_t *this,
 		else
 		{
 			DBG1(DBG_CFG, "    loading cert '%.*s' failed",
-				 entry->label.len, entry->label.ptr);
+				(int)entry->label.len, entry->label.ptr);
 		}
 		free(entry->value.ptr);
 		free(entry->label.ptr);
@@ -256,3 +258,112 @@ pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
 
 	return &this->public;
 }
+
+/**
+ * See header.
+ */
+certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
+{
+	chunk_t keyid = chunk_empty, data = chunk_empty;
+	enumerator_t *enumerator, *certs;
+	pkcs11_manager_t *manager;
+	pkcs11_library_t *p11;
+	certificate_t *cert = NULL;
+	CK_SLOT_ID current, slot = -1;
+	char *module = NULL;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				module = va_arg(args, char*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!keyid.len)
+	{
+		return NULL;
+	}
+
+	manager = lib->get(lib, "pkcs11-manager");
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &current))
+	{
+		CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+		CK_CERTIFICATE_TYPE type = CKC_X_509;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+			{CKA_ID, keyid.ptr, keyid.len},
+		};
+		CK_ATTRIBUTE attr[] = {
+			{CKA_VALUE, NULL, 0},
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		if (slot != -1 && slot != current)
+		{
+			continue;
+		}
+		if (module && !streq(module, p11->get_name(p11)))
+		{
+			continue;
+		}
+
+		rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
+								   &session);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
+			continue;
+		}
+		certs = p11->create_object_enumerator(p11, session,
+									tmpl, countof(tmpl), attr, countof(attr));
+		if (certs->enumerate(certs, &object))
+		{
+			data = chunk_clone(chunk_create(attr[0].pValue, attr[0].ulValueLen));
+		}
+		certs->destroy(certs);
+		p11->f->C_CloseSession(session);
+
+		if (data.ptr)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (data.ptr)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		free(data.ptr);
+		if (!cert)
+		{
+			DBG1(DBG_CFG, "parsing PKCS#11 certificate %#B failed", &keyid);
+		}
+	}
+	else
+	{
+		DBG1(DBG_CFG, "PKCS#11 certificate %#B not found", &keyid);
+	}
+	return cert;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
index c40a8dea6..a5a042397 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
@@ -65,4 +65,16 @@ struct pkcs11_creds_t {
  */
 pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
 
+/**
+ * Load a specific certificate from a token.
+ *
+ * Requires a BUILD_PKCS11_KEYID argument, and optionally BUILD_PKCS11_MODULE
+ * and/or BUILD_PKCS11_SLOT.
+ *
+ * @param type			certificate type, must be CERT_X509
+ * @param args			variable argument list, containing BUILD_PKCS11_KEYID.
+ * @return				loaded certificate, or NULL on failure
+ */
+certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args);
+
 #endif /** PKCS11_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index c870370c8..2e5af95ff 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -15,7 +15,7 @@
 
 #include "pkcs11_dh.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
index 069fa98b6..80079b9a9 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
@@ -17,7 +17,7 @@
 
 #include <unistd.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 #include "pkcs11_manager.h"
@@ -84,7 +84,7 @@ METHOD(hasher_t, get_hash_size, size_t,
 /**
  * Save the Operation state to host memory
  */
-static void save_state(private_pkcs11_hasher_t *this)
+static bool save_state(private_pkcs11_hasher_t *this)
 {
 	CK_RV rv;
 
@@ -110,20 +110,20 @@ static void save_state(private_pkcs11_hasher_t *this)
 				continue;
 			case CKR_OK:
 				this->have_state = TRUE;
-				return;
+				return TRUE;
 			default:
 				break;
 		}
 		break;
 	}
 	DBG1(DBG_CFG, "C_GetOperationState() failed: %N", ck_rv_names, rv);
-	abort();
+	return FALSE;
 }
 
 /**
  * Load the Operation state from host memory
  */
-static void load_state(private_pkcs11_hasher_t *this)
+static bool load_state(private_pkcs11_hasher_t *this)
 {
 	CK_RV rv;
 
@@ -132,18 +132,20 @@ static void load_state(private_pkcs11_hasher_t *this)
 	if (rv != CKR_OK)
 	{
 		DBG1(DBG_CFG, "C_SetOperationState() failed: %N", ck_rv_names, rv);
-		abort();
+		return FALSE;
 	}
 	this->have_state = FALSE;
+	return TRUE;
 }
 
-METHOD(hasher_t, reset, void,
+METHOD(hasher_t, reset, bool,
 	private_pkcs11_hasher_t *this)
 {
 	this->have_state = FALSE;
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, get_hash, bool,
 	private_pkcs11_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	CK_RV rv;
@@ -152,7 +154,11 @@ METHOD(hasher_t, get_hash, void,
 	this->mutex->lock(this->mutex);
 	if (this->have_state)
 	{
-		load_state(this);
+		if (!load_state(this))
+		{
+			this->mutex->unlock(this->mutex);
+			return FALSE;
+		}
 	}
 	else
 	{
@@ -160,7 +166,8 @@ METHOD(hasher_t, get_hash, void,
 		if (rv != CKR_OK)
 		{
 			DBG1(DBG_CFG, "C_DigestInit() failed: %N", ck_rv_names, rv);
-			abort();
+			this->mutex->unlock(this->mutex);
+			return FALSE;
 		}
 	}
 	if (chunk.len)
@@ -169,7 +176,8 @@ METHOD(hasher_t, get_hash, void,
 		if (rv != CKR_OK)
 		{
 			DBG1(DBG_CFG, "C_DigestUpdate() failed: %N", ck_rv_names, rv);
-			abort();
+			this->mutex->unlock(this->mutex);
+			return FALSE;
 		}
 	}
 	if (hash)
@@ -180,28 +188,31 @@ METHOD(hasher_t, get_hash, void,
 		if (rv != CKR_OK)
 		{
 			DBG1(DBG_CFG, "C_DigestFinal() failed: %N", ck_rv_names, rv);
-			abort();
+			this->mutex->unlock(this->mutex);
+			return FALSE;
 		}
 	}
 	else
 	{
-		save_state(this);
+		if (!save_state(this))
+		{
+			this->mutex->unlock(this->mutex);
+			return FALSE;
+		}
 	}
 	this->mutex->unlock(this->mutex);
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_pkcs11_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
 		*hash = chunk_alloc(this->size);
-		get_hash(this, chunk, hash->ptr);
-	}
-	else
-	{
-		get_hash(this, chunk, NULL);
+		return get_hash(this, chunk, hash->ptr);
 	}
+	return get_hash(this, chunk, NULL);
 }
 
 METHOD(hasher_t, destroy, void,
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 97c3d2fcf..7661473b1 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -21,9 +21,9 @@
 #include <dlfcn.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_pkcs11_library_t private_pkcs11_library_t;
 
@@ -895,6 +895,7 @@ METHOD(pkcs11_library_t, destroy, void,
 {
 	this->public.f->C_Finalize(NULL);
 	dlclose(this->handle);
+	free(this->name);
 	free(this);
 }
 
@@ -1077,7 +1078,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking)
 			.get_ck_attribute = _get_ck_attribute,
 			.destroy = _destroy,
 		},
-		.name = name,
+		.name = strdup(name),
 		.handle = dlopen(file, RTLD_LAZY),
 	);
 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index e76e65e07..abd99ed5f 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -29,9 +29,9 @@ typedef struct pkcs11_library_t pkcs11_library_t;
 
 #include "pkcs11.h"
 
-#include <enum.h>
-#include <chunk.h>
-#include <utils/enumerator.h>
+#include <utils/enum.h>
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
 
 /**
  * Optional PKCS#11 features some libraries support, some not
@@ -161,7 +161,7 @@ void pkcs11_library_trim(char *str, int len);
 /**
  * Create a pkcs11_library instance.
  *
- * @param name		an arbitrary name, for debugging
+ * @param name		an arbitrary name (for debugging), cloned
  * @param file		pkcs11 library file to dlopen()
  * @param os_lock	enforce OS Locking for this library
  * @return			library abstraction
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 5b321b26e..8bda5b66f 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -15,8 +15,8 @@
 
 #include "pkcs11_manager.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/thread.h>
 
 #include "pkcs11_library.h"
@@ -61,8 +61,6 @@ typedef struct {
 	char *path;
 	/* loaded library */
 	pkcs11_library_t *lib;
-	/* event dispatcher job */
-	callback_job_t *job;
 } lib_entry_t;
 
 /**
@@ -70,10 +68,6 @@ typedef struct {
  */
 static void lib_entry_destroy(lib_entry_t *entry)
 {
-	if (entry->job)
-	{
-		entry->job->cancel(entry->job);
-	}
 	entry->lib->destroy(entry->lib);
 	free(entry);
 }
@@ -202,14 +196,6 @@ static job_requeue_t dispatch_slot_events(lib_entry_t *entry)
 }
 
 /**
- * End dispatching, unset job
- */
-static void end_dispatch(lib_entry_t *entry)
-{
-	entry->job = NULL;
-}
-
-/**
  * Get the slot list of a library
  */
 static CK_SLOT_ID_PTR get_slot_list(pkcs11_library_t *p11, CK_ULONG *out)
@@ -384,9 +370,9 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
 	while (enumerator->enumerate(enumerator, &entry))
 	{
 		query_slots(entry);
-		entry->job = callback_job_create_with_prio((void*)dispatch_slot_events,
-						 entry, (void*)end_dispatch, NULL, JOB_PRIO_CRITICAL);
-		lib->processor->queue_job(lib->processor, (job_t*)entry->job);
+		lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((void*)dispatch_slot_events,
+						entry, NULL, (void*)return_false, JOB_PRIO_CRITICAL));
 	}
 	enumerator->destroy(enumerator);
 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 183fce53a..3faa59cae 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -19,8 +19,8 @@
 #include "pkcs11_plugin.h"
 
 #include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
 
@@ -82,13 +82,18 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
 	this->handle_events_lock->read_lock(this->handle_events_lock);
 	if (add && this->handle_events)
 	{
-		creds = pkcs11_creds_create(p11, slot);
-		if (creds)
+		if (lib->settings->get_bool(lib->settings,
+						"libstrongswan.plugins.pkcs11.modules.%s.load_certs",
+						TRUE, p11->get_name(p11)))
 		{
-			this->mutex->lock(this->mutex);
-			this->creds->insert_last(this->creds, creds);
-			this->mutex->unlock(this->mutex);
-			lib->credmgr->add_set(lib->credmgr, &creds->set);
+			creds = pkcs11_creds_create(p11, slot);
+			if (creds)
+			{
+				this->mutex->lock(this->mutex);
+				this->creds->insert_last(this->creds, creds);
+				this->mutex->unlock(this->mutex);
+				lib->credmgr->add_set(lib->credmgr, &creds->set);
+			}
 		}
 	}
 	else if (this->handle_events)
@@ -147,6 +152,9 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
 			token_event_cb(this, p11, slot, TRUE);
 		}
 		enumerator->destroy(enumerator);
+
+		lib->creds->add_builder(lib->creds, CRED_CERTIFICATE,
+								CERT_X509, FALSE, (void*)pkcs11_creds_load);
 	}
 	else
 	{
@@ -157,20 +165,24 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
 			lib->credmgr->remove_set(lib->credmgr, &creds->set);
 			creds->destroy(creds);
 		}
+
+		lib->creds->remove_builder(lib->creds, (void*)pkcs11_creds_load);
 	}
 	return TRUE;
 }
-/**
- * Add a set of features
- */
-static inline void add_features(plugin_feature_t *f, plugin_feature_t *n,
-								int count, int *pos)
+
+METHOD(plugin_t, reload, bool,
+	private_pkcs11_plugin_t *this)
 {
-	int i;
-	for (i = 0; i < count; i++)
+	if (lib->settings->get_bool(lib->settings,
+					"libstrongswan.plugins.pkcs11.reload_certs", FALSE))
 	{
-		f[(*pos)++] = n[i];
+		DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens");
+		handle_certs(this, NULL, FALSE, NULL);
+		handle_certs(this, NULL, TRUE, NULL);
+		return TRUE;
 	}
+	return FALSE;
 }
 
 METHOD(plugin_t, get_features, int,
@@ -236,32 +248,32 @@ METHOD(plugin_t, get_features, int,
 	{	/* initialize only once */
 		bool use_ecc = lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_ecc", FALSE);
-		add_features(f, f_manager, countof(f_manager), &count);
+		plugin_features_add(f, f_manager, countof(f_manager), &count);
 		/* private key handling for EC keys is not disabled by use_ecc */
-		add_features(f, f_privkey, countof(f_privkey), &count);
+		plugin_features_add(f, f_privkey, countof(f_privkey), &count);
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_pubkey", FALSE))
 		{
-			add_features(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
-						 &count);
+			plugin_features_add(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
+								&count);
 		}
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
 		{
-			add_features(f, f_hash, countof(f_hash), &count);
+			plugin_features_add(f, f_hash, countof(f_hash), &count);
 		}
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_rng", FALSE))
 		{
-			add_features(f, f_rng, countof(f_rng), &count);
+			plugin_features_add(f, f_rng, countof(f_rng), &count);
 		}
 		if (lib->settings->get_bool(lib->settings,
 							"libstrongswan.plugins.pkcs11.use_dh", FALSE))
 		{
-			add_features(f, f_dh, countof(f_dh), &count);
+			plugin_features_add(f, f_dh, countof(f_dh), &count);
 			if (use_ecc)
 			{
-				add_features(f, f_ecdh, countof(f_ecdh), &count);
+				plugin_features_add(f, f_ecdh, countof(f_ecdh), &count);
 			}
 		}
 	}
@@ -292,6 +304,7 @@ plugin_t *pkcs11_plugin_create()
 			.plugin = {
 				.get_name = _get_name,
 				.get_features = _get_features,
+				.reload = _reload,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index b616abc38..bb9cc7a21 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -20,8 +20,9 @@
 
 #include "pkcs11_library.h"
 #include "pkcs11_manager.h"
+#include "pkcs11_public_key.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
 
@@ -81,12 +82,6 @@ struct private_pkcs11_private_key_t {
 	key_type_t type;
 };
 
-/**
- * Implemented in pkcs11_public_key.c
- */
-public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
-									int slot, key_type_t type, chunk_t keyid);
-
 
 METHOD(private_key_t, get_type, key_type_t,
 	private_pkcs11_private_key_t *this)
@@ -266,13 +261,15 @@ METHOD(private_key_t, sign, bool,
 	}
 	if (hash_alg != HASH_UNKNOWN)
 	{
-		hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-		if (!hasher)
+		hasher_t *hasher;
+
+		hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+		if (!hasher || !hasher->allocate_hash(hasher, data, &hash))
 		{
+			DESTROY_IF(hasher);
 			this->lib->f->C_CloseSession(session);
 			return FALSE;
 		}
-		hasher->allocate_hash(hasher, data, &hash);
 		hasher->destroy(hasher);
 		data = hash;
 	}
@@ -418,7 +415,8 @@ static pkcs11_library_t* find_lib(char *module)
 /**
  * Find the PKCS#11 lib having a keyid, and optionally a slot
  */
-static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
+static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot,
+										   CK_OBJECT_CLASS class)
 {
 	pkcs11_manager_t *manager;
 	enumerator_t *enumerator;
@@ -435,8 +433,7 @@ static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
 	{
 		if (*slot == -1 || *slot == current)
 		{
-			/* we look for a public key, it is usually readable without login */
-			CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+			/* look for a pubkey/cert, it is usually readable without login */
 			CK_ATTRIBUTE tmpl[] = {
 				{CKA_CLASS, &class, sizeof(class)},
 				{CKA_ID, keyid.ptr, keyid.len},
@@ -575,6 +572,50 @@ static bool login(private_pkcs11_private_key_t *this, int slot)
 }
 
 /**
+ * Get a public key from a certificate with a given key ID.
+ */
+static public_key_t* find_pubkey_in_certs(private_pkcs11_private_key_t *this,
+										  chunk_t keyid)
+{
+	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE type = CKC_X_509;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+		{CKA_ID, keyid.ptr, keyid.len},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_VALUE, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	chunk_t data = chunk_empty;
+	public_key_t *key = NULL;
+	certificate_t *cert;
+
+	enumerator = this->lib->create_object_enumerator(this->lib, this->session,
+									tmpl, countof(tmpl), attr, countof(attr));
+	if (enumerator->enumerate(enumerator, &object))
+	{
+		data = chunk_clone(chunk_create(attr[0].pValue, attr[0].ulValueLen));
+	}
+	enumerator->destroy(enumerator);
+
+	if (data.ptr)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		free(data.ptr);
+		if (cert)
+		{
+			key = cert->get_public_key(cert);
+			cert->destroy(cert);
+		}
+	}
+	return key;
+}
+
+/**
  * See header.
  */
 pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
@@ -642,7 +683,11 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 	}
 	else
 	{
-		this->lib = find_lib_by_keyid(keyid, &slot);
+		this->lib = find_lib_by_keyid(keyid, &slot, CKO_PUBLIC_KEY);
+		if (!this->lib)
+		{
+			this->lib = find_lib_by_keyid(keyid, &slot, CKO_CERTIFICATE);
+		}
 		if (!this->lib)
 		{
 			DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid);
@@ -676,12 +721,17 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 		return NULL;
 	}
 
-	this->pubkey = pkcs11_public_key_connect(this->lib, slot, this->type,
-											 keyid);
+	this->pubkey = pkcs11_public_key_connect(this->lib, slot, this->type, keyid);
 	if (!this->pubkey)
 	{
-		destroy(this);
-		return NULL;
+		this->pubkey = find_pubkey_in_certs(this, keyid);
+		if (!this->pubkey)
+		{
+			DBG1(DBG_CFG, "no public key or certificate found for private key "
+				 "on '%s':%d", module, slot);
+			destroy(this);
+			return NULL;
+		}
 	}
 
 	return &this->public;
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
index d4ec9235d..0302c0edd 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -25,7 +25,7 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
 
@@ -235,13 +235,15 @@ METHOD(public_key_t, verify, bool,
 	}
 	if (hash_alg != HASH_UNKNOWN)
 	{
-		hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-		if (!hasher)
+		hasher_t *hasher;
+
+		hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+		if (!hasher || !hasher->allocate_hash(hasher, data, &hash))
 		{
+			DESTROY_IF(hasher);
 			this->lib->f->C_CloseSession(session);
 			return FALSE;
 		}
-		hasher->allocate_hash(hasher, data, &hash);
 		hasher->destroy(hasher);
 		data = hash;
 	}
@@ -374,12 +376,12 @@ static bool fingerprint_ecdsa(private_pkcs11_public_key_t *this,
 			return FALSE;
 	}
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
+	if (!hasher || !hasher->allocate_hash(hasher, asn1, fp))
 	{
+		DESTROY_IF(hasher);
 		chunk_clear(&asn1);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, asn1, fp);
 	hasher->destroy(hasher);
 	chunk_clear(&asn1);
 	lib->encoding->cache(lib->encoding, type, this, *fp);
@@ -880,20 +882,10 @@ static private_pkcs11_public_key_t *find_key_by_keyid(pkcs11_library_t *p11,
 }
 
 /**
- * Find a public key on the given token with a specific keyid.
- *
- * Used by pkcs11_private_key_t.
- *
- * TODO: if no public key is found, we should perhaps search for a certificate
- * with the given keyid and extract the key from there
- *
- * @param p11		PKCS#11 module
- * @param slot		slot id
- * @param type		type of the key
- * @param keyid		key id
+ * See header.
  */
-pkcs11_public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
-									int slot, key_type_t type, chunk_t keyid)
+public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11, int slot,
+										key_type_t type, chunk_t keyid)
 {
 	private_pkcs11_public_key_t *this;
 
@@ -902,5 +894,5 @@ pkcs11_public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11,
 	{
 		return NULL;
 	}
-	return &this->public;
+	return &this->public.key;
 }
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
index b3ea725a2..4585e736e 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
@@ -26,6 +26,8 @@ typedef struct pkcs11_public_key_t pkcs11_public_key_t;
 #include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
+#include "pkcs11_library.h"
+
 /**
  * PKCS#11 based public key implementation.
  */
@@ -46,4 +48,15 @@ struct pkcs11_public_key_t {
  */
 pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args);
 
+/**
+ * Find a public key on the given token with a specific keyid.
+ *
+ * @param p11		PKCS#11 module
+ * @param slot		slot id
+ * @param type		type of the key
+ * @param keyid		key id
+ */
+public_key_t *pkcs11_public_key_connect(pkcs11_library_t *p11, int slot,
+										key_type_t type, chunk_t keyid);
+
 #endif /** PKCS11_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c b/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
index 45cf0b7c2..d18028b45 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_rng.c
@@ -15,7 +15,7 @@
 
 #include "pkcs11_rng.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "pkcs11_manager.h"
 
@@ -43,7 +43,7 @@ struct private_pkcs11_rng_t {
 
 };
 
-METHOD(rng_t, get_bytes, void,
+METHOD(rng_t, get_bytes, bool,
 	private_pkcs11_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	CK_RV rv;
@@ -51,15 +51,21 @@ METHOD(rng_t, get_bytes, void,
 	if (rv != CKR_OK)
 	{
 		DBG1(DBG_CFG, "C_GenerateRandom() failed: %N", ck_rv_names, rv);
-		abort();
+		return FALSE;
 	}
+	return TRUE;
 }
 
-METHOD(rng_t, allocate_bytes, void,
+METHOD(rng_t, allocate_bytes, bool,
 	private_pkcs11_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
-	get_bytes(this, chunk->len, chunk->ptr);
+	if (!get_bytes(this, chunk->len, chunk->ptr))
+	{
+		chunk_clear(chunk);
+		return FALSE;
+	}
+	return TRUE;
 }
 
 METHOD(rng_t, destroy, void,
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.am b/src/libstrongswan/plugins/pkcs12/Makefile.am
new file mode 100644
index 000000000..af472ba82
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs12.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs12.la
+endif
+
+libstrongswan_pkcs12_la_SOURCES = \
+	pkcs12_plugin.h pkcs12_plugin.c \
+	pkcs12_decode.h pkcs12_decode.c
+
+libstrongswan_pkcs12_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
new file mode 100644
index 000000000..6d1aeb334
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -0,0 +1,684 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs12
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs12_la_LIBADD =
+am_libstrongswan_pkcs12_la_OBJECTS = pkcs12_plugin.lo pkcs12_decode.lo
+libstrongswan_pkcs12_la_OBJECTS =  \
+	$(am_libstrongswan_pkcs12_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs12_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs12_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs12_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs12_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_pkcs12_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs12_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs12.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs12.la
+libstrongswan_pkcs12_la_SOURCES = \
+	pkcs12_plugin.h pkcs12_plugin.c \
+	pkcs12_decode.h pkcs12_decode.c
+
+libstrongswan_pkcs12_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs12/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs12/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs12.la: $(libstrongswan_pkcs12_la_OBJECTS) $(libstrongswan_pkcs12_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs12_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pkcs12_la_LINK) $(am_libstrongswan_pkcs12_la_rpath) $(libstrongswan_pkcs12_la_OBJECTS) $(libstrongswan_pkcs12_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs12_decode.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs12_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c
new file mode 100644
index 000000000..379f24796
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c
@@ -0,0 +1,581 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs12_decode.h"
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/sets/mem_cred.h>
+
+typedef struct private_pkcs12_t private_pkcs12_t;
+
+/**
+ * Private data of a pkcs12_t object
+ */
+struct private_pkcs12_t {
+
+	/**
+	 * Public interface
+	 */
+	pkcs12_t public;
+
+	/**
+	 * Contained credentials
+	 */
+	mem_cred_t *creds;
+};
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs12_t *this)
+{
+	return CONTAINER_PKCS12;
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs12_t *this, chunk_t *data)
+{
+	/* we could return the content of the outer-most PKCS#7 container (authSafe)
+	 * don't really see the point though */
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs12_t *this, chunk_t *encoding)
+{
+	/* similar to get_data() we don't have any use for it at the moment */
+	return FALSE;
+}
+
+METHOD(pkcs12_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_cert_enumerator(&this->creds->set, CERT_ANY,
+												   KEY_ANY, NULL, FALSE);
+}
+
+METHOD(pkcs12_t, create_key_enumerator, enumerator_t*,
+	private_pkcs12_t *this)
+{
+	return this->creds->set.create_private_enumerator(&this->creds->set,
+													  KEY_ANY, NULL);
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs12_t *this)
+{
+	this->creds->destroy(this->creds);
+	free(this);
+}
+
+static private_pkcs12_t *pkcs12_create()
+{
+	private_pkcs12_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = (void*)enumerator_create_empty,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = _create_cert_enumerator,
+			.create_key_enumerator = _create_key_enumerator,
+		},
+		.creds = mem_cred_create(),
+	);
+	return this;
+}
+
+/**
+ * ASN.1 definition of an CertBag structure
+ */
+static const asn1Object_t certBagObjects[] = {
+	{ 0, "CertBag",			ASN1_SEQUENCE,		ASN1_BODY			}, /* 0 */
+	{ 1,   "certId",		ASN1_OID,			ASN1_BODY			}, /* 1 */
+	{ 1,   "certValue",		ASN1_CONTEXT_C_0,	ASN1_BODY  			}, /* 2 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define CERT_BAG_ID 	1
+#define CERT_BAG_VALUE 	2
+
+/**
+ * Parse a CertBag structure and extract certificate
+ */
+static bool add_certificate(private_pkcs12_t *this, int level0, chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(certBagObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case CERT_BAG_ID:
+				oid = asn1_known_oid(object);
+				break;
+			case CERT_BAG_VALUE:
+			{
+				if (oid == OID_X509_CERTIFICATE &&
+					asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
+								parser->get_level(parser)+1, "x509Certificate"))
+				{
+					certificate_t *cert;
+
+					DBG2(DBG_ASN, "-- > parsing certificate from PKCS#12");
+					cert = lib->creds->create(lib->creds,
+											  CRED_CERTIFICATE, CERT_X509,
+											  BUILD_BLOB_ASN1_DER, object,
+											  BUILD_END);
+					if (cert)
+					{
+						this->creds->add_cert(this->creds, FALSE, cert);
+						DBG2(DBG_ASN, "-- < --");
+					}
+					else
+					{
+						DBG2(DBG_ASN, "-- < failed parsing certificate from "
+							 "PKCS#12");
+					}
+				}
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of an AuthenticatedSafe structure
+ */
+static const asn1Object_t safeContentsObjects[] = {
+	{ 0, "SafeContents",	ASN1_SEQUENCE,		ASN1_LOOP			}, /* 0 */
+	{ 1,   "SafeBag",		ASN1_SEQUENCE,		ASN1_BODY			}, /* 1 */
+	{ 2,     "bagId",		ASN1_OID,			ASN1_BODY			}, /* 2 */
+	{ 2,     "bagValue",	ASN1_CONTEXT_C_0,	ASN1_BODY  			}, /* 3 */
+	{ 2,     "bagAttr",		ASN1_SET,			ASN1_OPT|ASN1_RAW 	}, /* 4 */
+	{ 2,     "end opt",		ASN1_EOC,			ASN1_END 			}, /* 5 */
+	{ 0, "end loop",		ASN1_EOC,			ASN1_END			}, /* 6 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define SAFE_BAG_ID 	2
+#define SAFE_BAG_VALUE 	3
+
+/**
+ * Parse a SafeContents structure and extract credentials
+ */
+static bool parse_safe_contents(private_pkcs12_t *this, int level0,
+								chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(safeContentsObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case SAFE_BAG_ID:
+				oid = asn1_known_oid(object);
+				break;
+			case SAFE_BAG_VALUE:
+			{
+				switch (oid)
+				{
+					case OID_P12_CERT_BAG:
+					{
+						add_certificate(this, parser->get_level(parser)+1,
+										object);
+						break;
+					}
+					case OID_P12_KEY_BAG:
+					case OID_P12_PKCS8_KEY_BAG:
+					{
+						private_key_t *key;
+
+						DBG2(DBG_ASN, "-- > parsing private key from PKCS#12");
+						key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+										KEY_ANY, BUILD_BLOB_ASN1_DER, object,
+										BUILD_END);
+						if (key)
+						{
+							this->creds->add_key(this->creds, key);
+							DBG2(DBG_ASN, "-- < --");
+						}
+						else
+						{
+							DBG2(DBG_ASN, "-- < failed parsing private key "
+								 "from PKCS#12");
+						}
+					}
+					default:
+						break;
+				}
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of an AuthenticatedSafe structure
+ */
+static const asn1Object_t authenticatedSafeObjects[] = {
+	{ 0, "AuthenticatedSafe",	ASN1_SEQUENCE,	ASN1_LOOP	}, /* 0 */
+	{ 1,   "ContentInfo",		ASN1_SEQUENCE,	ASN1_OBJ	}, /* 1 */
+	{ 0, "end loop",			ASN1_EOC,		ASN1_END	}, /* 2 */
+	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT	}
+};
+#define AUTHENTICATED_SAFE_DATA 	1
+
+/**
+ * Parse an AuthenticatedSafe structure
+ */
+static bool parse_authenticated_safe(private_pkcs12_t *this, chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(authenticatedSafeObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case AUTHENTICATED_SAFE_DATA:
+			{
+				container_t *container;
+				chunk_t data;
+
+				container = lib->creds->create(lib->creds, CRED_CONTAINER,
+										CONTAINER_PKCS7, BUILD_BLOB_ASN1_DER,
+										object, BUILD_END);
+				if (!container)
+				{
+					goto end;
+				}
+				switch (container->get_type(container))
+				{
+					case CONTAINER_PKCS7_DATA:
+					case CONTAINER_PKCS7_ENCRYPTED_DATA:
+					case CONTAINER_PKCS7_ENVELOPED_DATA:
+						if (container->get_data(container, &data))
+						{
+							break;
+						}
+						/* fall-through */
+					default:
+						container->destroy(container);
+						goto end;
+				}
+				container->destroy(container);
+
+				if (!parse_safe_contents(this, parser->get_level(parser)+1,
+										 data))
+				{
+					chunk_free(&data);
+					goto end;
+				}
+				chunk_free(&data);
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+end:
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * Verify the given MAC with available passwords.
+ */
+static bool verify_mac(hash_algorithm_t hash, chunk_t salt,
+					   u_int64_t iterations, chunk_t data, chunk_t mac)
+{
+	integrity_algorithm_t integ;
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	signer_t *signer;
+	chunk_t key, calculated;
+	bool success = FALSE;
+
+	integ = hasher_algorithm_to_integrity(hash, mac.len);
+	signer = lib->crypto->create_signer(lib->crypto, integ);
+	if (!signer)
+	{
+		return FALSE;
+	}
+	key = chunk_alloca(signer->get_key_size(signer));
+	calculated = chunk_alloca(signer->get_block_size(signer));
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		if (!pkcs12_derive_key(hash, shared->get_key(shared), salt, iterations,
+							   PKCS12_KEY_MAC, key))
+		{
+			break;
+		}
+		if (!signer->set_key(signer, key) ||
+			!signer->get_signature(signer, data, calculated.ptr))
+		{
+			break;
+		}
+		if (chunk_equals(mac, calculated))
+		{
+			success = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	signer->destroy(signer);
+	return success;
+}
+
+/**
+ * ASN.1 definition of digestInfo
+ */
+static const asn1Object_t digestInfoObjects[] = {
+	{ 0, "digestInfo",			ASN1_SEQUENCE,		ASN1_OBJ	}, /*  0 */
+	{ 1,   "digestAlgorithm",	ASN1_EOC,			ASN1_RAW	}, /*  1 */
+	{ 1,   "digest",			ASN1_OCTET_STRING,	ASN1_BODY	}, /*  2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
+};
+#define DIGEST_INFO_ALGORITHM		1
+#define DIGEST_INFO_DIGEST			2
+
+/**
+ * Parse a digestInfo structure
+ */
+static bool parse_digest_info(chunk_t blob, int level0, hash_algorithm_t *hash,
+							  chunk_t *digest)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	bool success;
+
+	parser = asn1_parser_create(digestInfoObjects, blob);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+
+		{
+			case DIGEST_INFO_ALGORITHM:
+			{
+				int oid = asn1_parse_algorithmIdentifier(object,
+									 parser->get_level(parser)+1, NULL);
+
+				*hash = hasher_algorithm_from_oid(oid);
+				break;
+			}
+			case DIGEST_INFO_DIGEST:
+			{
+				*digest = object;
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+	return success;
+}
+
+/**
+ * ASN.1 definition of a PFX structure
+ */
+static const asn1Object_t PFXObjects[] = {
+	{ 0, "PFX",				ASN1_SEQUENCE,		ASN1_NONE			}, /* 0 */
+	{ 1,   "version",		ASN1_INTEGER,		ASN1_BODY			}, /* 1 */
+	{ 1,   "authSafe",		ASN1_SEQUENCE,		ASN1_OBJ			}, /* 2 */
+	{ 1,   "macData",		ASN1_SEQUENCE,		ASN1_OPT|ASN1_BODY	}, /* 3 */
+	{ 2,     "mac",			ASN1_SEQUENCE,		ASN1_RAW			}, /* 4 */
+	{ 2,     "macSalt",		ASN1_OCTET_STRING,	ASN1_BODY			}, /* 5 */
+	{ 2,     "iterations",	ASN1_INTEGER,		ASN1_DEF|ASN1_BODY	}, /* 6 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 7 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
+};
+#define PFX_AUTH_SAFE	2
+#define PFX_MAC			4
+#define PFX_SALT		5
+#define PFX_ITERATIONS	6
+
+/**
+ * Parse an ASN.1 encoded PFX structure
+ */
+static bool parse_PFX(private_pkcs12_t *this, chunk_t blob)
+{
+	asn1_parser_t *parser;
+	int objectID;
+	chunk_t object, auth_safe, digest = chunk_empty, salt = chunk_empty,
+			data = chunk_empty;
+	hash_algorithm_t hash = HASH_UNKNOWN;
+	container_t *container = NULL;
+	u_int64_t iterations = 0;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(PFXObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case PFX_AUTH_SAFE:
+			{
+				auth_safe = object;
+				break;
+			}
+			case PFX_MAC:
+			{
+				if (!parse_digest_info(object, parser->get_level(parser)+1,
+									   &hash, &digest))
+				{
+					goto end_parse;
+				}
+				break;
+			}
+			case PFX_SALT:
+			{
+				salt = object;
+				break;
+			}
+			case PFX_ITERATIONS:
+			{
+				iterations = object.len ? asn1_parse_integer_uint64(object) : 1;
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+
+end_parse:
+	parser->destroy(parser);
+	if (!success)
+	{
+		return FALSE;
+	}
+
+	success = FALSE;
+	DBG2(DBG_ASN, "-- > --");
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, auth_safe, BUILD_END);
+	if (container && container->get_data(container, &data))
+	{
+		if (hash != HASH_UNKNOWN)
+		{
+			if (container->get_type(container) != CONTAINER_PKCS7_DATA)
+			{
+				goto end;
+			}
+			if (!verify_mac(hash, salt, iterations, data, digest))
+			{
+				DBG1(DBG_ASN, "  MAC verification of PKCS#12 container failed");
+				goto end;
+			}
+		}
+		else
+		{
+			enumerator_t *enumerator;
+			auth_cfg_t *auth;
+
+			if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+			{
+				goto end;
+			}
+			enumerator = container->create_signature_enumerator(container);
+			if (!enumerator->enumerate(enumerator, &auth))
+			{
+				DBG1(DBG_ASN, "  signature verification of PKCS#12 container "
+					 "failed");
+				enumerator->destroy(enumerator);
+				goto end;
+			}
+			enumerator->destroy(enumerator);
+		}
+		success = parse_authenticated_safe(this, data);
+	}
+end:
+	DBG2(DBG_ASN, "-- < --");
+	DESTROY_IF(container);
+	chunk_free(&data);
+	return success;
+}
+
+/**
+ * See header.
+ */
+pkcs12_t *pkcs12_decode(container_type_t type, va_list args)
+{
+	private_pkcs12_t *this;
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len)
+	{
+		if (blob.len >= 2 &&
+			blob.ptr[0] == ASN1_SEQUENCE && blob.ptr[1] == 0x80)
+		{	/* looks like infinite length BER encoding, but we can't handle it.
+			 */
+			return NULL;
+		}
+		this = pkcs12_create();
+		if (parse_PFX(this, blob))
+		{
+			return &this->public;
+		}
+		destroy(this);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.h b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.h
new file mode 100644
index 000000000..e2998968f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs12_decode pkcs12_decode
+ * @{ @ingroup pkcs12
+ */
+
+#ifndef PKCS12_DECODE_H_
+#define PKCS12_DECODE_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs12.h>
+
+/**
+ * Load a PKCS#12 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS12
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs12_t *pkcs12_decode(container_type_t type, va_list args);
+
+#endif /** PKCS12_DECODE_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c
new file mode 100644
index 000000000..902d2971b
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs12_plugin.h"
+
+#include <library.h>
+
+#include "pkcs12_decode.h"
+
+typedef struct private_pkcs12_plugin_t private_pkcs12_plugin_t;
+
+/**
+ * private data of pkcs12_plugin
+ */
+struct private_pkcs12_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs12_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_pkcs12_plugin_t *this)
+{
+	return "pkcs12";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_pkcs12_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CONTAINER_DECODE, pkcs12_decode, FALSE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
+				PLUGIN_DEPENDS(CONTAINER_DECODE, CONTAINER_PKCS7),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ANY),
+				PLUGIN_SDEPEND(HASHER, HASH_SHA1),
+				PLUGIN_SDEPEND(CRYPTER, ENCR_3DES, 24),
+				PLUGIN_SDEPEND(CRYPTER, ENCR_RC2_CBC, 0),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_pkcs12_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs12_plugin_create()
+{
+	private_pkcs12_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h
new file mode 100644
index 000000000..3bd7f2df3
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs12/pkcs12_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs12 pkcs12
+ * @ingroup plugins
+ *
+ * @defgroup pkcs12_plugin pkcs12_plugin
+ * @{ @ingroup pkcs12
+ */
+
+#ifndef PKCS12_PLUGIN_H_
+#define PKCS12_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs12_plugin_t pkcs12_plugin_t;
+
+/**
+ * Plugin providing PKCS#12 decoding functions
+ */
+struct pkcs12_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** PKCS12_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.am b/src/libstrongswan/plugins/pkcs7/Makefile.am
new file mode 100644
index 000000000..080947f46
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.am
@@ -0,0 +1,22 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs7.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs7.la
+endif
+
+libstrongswan_pkcs7_la_SOURCES = \
+	pkcs7_generic.h pkcs7_generic.c \
+	pkcs7_signed_data.h pkcs7_signed_data.c \
+	pkcs7_encrypted_data.h pkcs7_encrypted_data.c \
+	pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
+	pkcs7_data.h pkcs7_data.c \
+	pkcs7_attributes.h pkcs7_attributes.c \
+	pkcs7_plugin.h pkcs7_plugin.c
+
+libstrongswan_pkcs7_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
new file mode 100644
index 000000000..f40c03925
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -0,0 +1,696 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs7
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs7_la_LIBADD =
+am_libstrongswan_pkcs7_la_OBJECTS = pkcs7_generic.lo \
+	pkcs7_signed_data.lo pkcs7_encrypted_data.lo \
+	pkcs7_enveloped_data.lo pkcs7_data.lo pkcs7_attributes.lo \
+	pkcs7_plugin.lo
+libstrongswan_pkcs7_la_OBJECTS = $(am_libstrongswan_pkcs7_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs7_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs7_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs7_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs7_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs7_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs7.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs7.la
+libstrongswan_pkcs7_la_SOURCES = \
+	pkcs7_generic.h pkcs7_generic.c \
+	pkcs7_signed_data.h pkcs7_signed_data.c \
+	pkcs7_encrypted_data.h pkcs7_encrypted_data.c \
+	pkcs7_enveloped_data.h pkcs7_enveloped_data.c \
+	pkcs7_data.h pkcs7_data.c \
+	pkcs7_attributes.h pkcs7_attributes.c \
+	pkcs7_plugin.h pkcs7_plugin.c
+
+libstrongswan_pkcs7_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs7/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs7/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs7.la: $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs7_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pkcs7_la_LINK) $(am_libstrongswan_pkcs7_la_rpath) $(libstrongswan_pkcs7_la_OBJECTS) $(libstrongswan_pkcs7_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_attributes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_encrypted_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_enveloped_data.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_generic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7_signed_data.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
new file mode 100644
index 000000000..ca6899786
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <collections/linked_list.h>
+
+#include "pkcs7_attributes.h"
+
+typedef struct private_pkcs7_attributes_t private_pkcs7_attributes_t;
+typedef struct attribute_t attribute_t;
+
+/**
+ * Private data of a pkcs7_attributes_t attribute list.
+ */
+struct private_pkcs7_attributes_t {
+	/**
+	 * Public interface
+	 */
+	pkcs7_attributes_t public;
+
+	/**
+	 * DER encoding of PKCS#9 attributes
+	 */
+	chunk_t encoding;
+
+	/**
+	 * Linked list of PKCS#9 attributes
+	 */
+	linked_list_t *attributes;
+};
+
+/**
+ * Definition of an attribute_t object.
+ */
+struct attribute_t {
+
+	/**
+	 * Object Identifier (OID)
+	 */
+	int oid;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * ASN.1 encoding
+	 */
+	chunk_t encoding;
+};
+
+/**
+ * Destroy an attribute_t object.
+ */
+static void attribute_destroy(attribute_t *this)
+{
+	free(this->value.ptr);
+	free(this);
+}
+
+/**
+ * Create an attribute_t object.
+ */
+static attribute_t *attribute_create(int oid, chunk_t value)
+{
+	attribute_t *this;
+
+	INIT(this,
+		.oid = oid,
+		.value = chunk_clone(value),
+	);
+
+	return this;
+}
+
+/**
+ * Build encoding of the attribute list
+ */
+static void build_encoding(private_pkcs7_attributes_t *this)
+{
+	enumerator_t *enumerator;
+	attribute_t *attribute;
+	u_int len = 0, count, i = 0;
+	chunk_t *chunks;
+	u_char *pos;
+
+	count = this->attributes->get_count(this->attributes);
+	chunks = malloc(sizeof(chunk_t) * count);
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
+	{
+		chunks[i] = asn1_wrap(ASN1_SEQUENCE, "mm",
+								asn1_build_known_oid(attribute->oid),
+								asn1_wrap(ASN1_SET, "c", attribute->value));
+		len += chunks[i].len;
+		i++;
+	}
+	enumerator->destroy(enumerator);
+
+	pos = asn1_build_object(&this->encoding, ASN1_SET, len);
+	for (i = 0; i < count; i++)
+	{
+		memcpy(pos, chunks[i].ptr, chunks[i].len);
+		pos += chunks[i].len;
+		free(chunks[i].ptr);
+	}
+	free(chunks);
+}
+
+METHOD(pkcs7_attributes_t, get_encoding, chunk_t,
+	private_pkcs7_attributes_t *this)
+{
+	if (!this->encoding.len)
+	{
+		build_encoding(this);
+	}
+	return this->encoding;
+}
+
+METHOD(pkcs7_attributes_t, get_attribute, chunk_t,
+	private_pkcs7_attributes_t *this, int oid)
+{
+	enumerator_t *enumerator;
+	chunk_t value = chunk_empty;
+	attribute_t *attribute;
+
+	enumerator = this->attributes->create_enumerator(this->attributes);
+	while (enumerator->enumerate(enumerator, &attribute))
+	{
+		if (attribute->oid == oid)
+		{
+			value = attribute->value;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (value.len && asn1_unwrap(&value, &value) != ASN1_INVALID)
+	{
+		return value;
+	}
+	return chunk_empty;
+}
+
+METHOD(pkcs7_attributes_t, add_attribute, void,
+	private_pkcs7_attributes_t *this, int oid, chunk_t value)
+{
+	this->attributes->insert_last(this->attributes,
+								  attribute_create(oid, value));
+	chunk_free(&value);
+
+	/* rebuild encoding when adding attributes */
+	chunk_free(&this->encoding);
+}
+
+METHOD(pkcs7_attributes_t, destroy, void,
+	private_pkcs7_attributes_t *this)
+{
+	this->attributes->destroy_function(this->attributes,
+									   (void*)attribute_destroy);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create(void)
+{
+	private_pkcs7_attributes_t *this;
+
+	INIT(this,
+		.public = {
+			.get_encoding = _get_encoding,
+			.get_attribute = _get_attribute,
+			.add_attribute = _add_attribute,
+			.destroy = _destroy,
+		},
+		.attributes = linked_list_create(),
+	);
+
+	return &this->public;
+}
+
+/**
+ * ASN.1 definition of the X.501 atttribute type
+ */
+static const asn1Object_t attributesObjects[] = {
+	{ 0, "attributes",		ASN1_SET,		ASN1_LOOP }, /* 0 */
+	{ 1,   "attribute",		ASN1_SEQUENCE,	ASN1_NONE }, /* 1 */
+	{ 2,     "type",		ASN1_OID,		ASN1_BODY }, /* 2 */
+	{ 2,     "values",		ASN1_SET,		ASN1_LOOP }, /* 3 */
+	{ 3,       "value",		ASN1_EOC,		ASN1_RAW  }, /* 4 */
+	{ 2,     "end loop",	ASN1_EOC,		ASN1_END  }, /* 5 */
+	{ 0, "end loop",		ASN1_EOC,		ASN1_END  }, /* 6 */
+	{ 0, "exit",			ASN1_EOC,		ASN1_EXIT }
+};
+#define ATTRIBUTE_OBJ_TYPE 	2
+#define ATTRIBUTE_OBJ_VALUE	4
+
+/**
+ * Parse a PKCS#9 attribute list
+ */
+static bool parse_attributes(chunk_t chunk, int level0,
+							 private_pkcs7_attributes_t* this)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID;
+	int oid = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(attributesObjects, chunk);
+	parser->set_top_level(parser, level0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case ATTRIBUTE_OBJ_TYPE:
+				oid = asn1_known_oid(object);
+				break;
+			case ATTRIBUTE_OBJ_VALUE:
+				if (oid != OID_UNKNOWN)
+				{
+					this->attributes->insert_last(this->attributes,
+												  attribute_create(oid, object));
+				}
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+	parser->destroy(parser);
+	return success;
+}
+
+ /*
+ * Described in header.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create_from_chunk(chunk_t chunk,
+													   u_int level)
+{
+	private_pkcs7_attributes_t *this;
+
+	this = (private_pkcs7_attributes_t*)pkcs7_attributes_create();
+	this->encoding = chunk_clone(chunk);
+	if (!parse_attributes(chunk, level, this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h
new file mode 100644
index 000000000..d5f6156a1
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2008 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_attributes pkcs7_attributes
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_ATTRIBUTES_H_
+#define PKCS7_ATTRIBUTES_H_
+
+typedef struct pkcs7_attributes_t pkcs7_attributes_t;
+
+#include <library.h>
+
+/**
+ * PKCS#7 attribute lists, aka PKCS#9.
+ */
+struct pkcs7_attributes_t {
+
+	/**
+	 * Gets ASN.1 encoding of PKCS#9 attribute list.
+	 *
+	 * @return				ASN.1 encoded PKCSI#9 list
+	 */
+	chunk_t (*get_encoding) (pkcs7_attributes_t *this);
+
+	/**
+	 * Gets a PKCS#9 attribute from the list.
+	 *
+	 * @param oid			OID of the attribute
+	 * @return				value of the attribute (internal data)
+	 */
+	chunk_t (*get_attribute) (pkcs7_attributes_t *this, int oid);
+
+	/**
+	 * Adds a PKCS#9 attribute.
+	 *
+	 * @param oid			OID of the attribute
+	 * @param value			value of the attribute, with ASN1 type (gets owned)
+	 */
+	void (*add_attribute) (pkcs7_attributes_t *this, int oid, chunk_t value);
+
+	/**
+	 * Destroys the PKCS#9 attribute list.
+	 */
+	void (*destroy) (pkcs7_attributes_t *this);
+};
+
+/**
+ * Read a PKCS#7 attribute list (aka PKCS#9) from a DER encoded chunk.
+ *
+ * @param chunk		chunk containing DER encoded data
+ * @param level		ASN.1 parsing start level
+ * @return 			created pkcs9 attribute list, or NULL if invalid.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create_from_chunk(chunk_t chunk, u_int level);
+
+/**
+ * Create an empty PKCS#7 attribute list, aka PKCS#9.
+ *
+ * @return 				created pkcs9 attribute list.
+ */
+pkcs7_attributes_t *pkcs7_attributes_create(void);
+
+#endif /** PKCS9_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_data.c
new file mode 100644
index 000000000..06816095c
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_data.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+typedef struct private_pkcs7_data_t private_pkcs7_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Encoded data
+	 */
+	chunk_t content;
+
+	/**
+	 * Encoded PKCS#7 data
+	 */
+	chunk_t encoding;
+};
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_data_t *this)
+{
+	return CONTAINER_PKCS7_DATA;
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_pkcs7_data_t *this)
+{
+	return enumerator_create_empty();
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_data_t *this, chunk_t *data)
+{
+	chunk_t chunk;
+
+	chunk = this->content;
+	if (asn1_unwrap(&chunk, &chunk) == ASN1_OCTET_STRING)
+	{
+		*data = chunk_clone(chunk);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_data_t *this)
+{
+	free(this->content.ptr);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Create an empty container
+ */
+static private_pkcs7_data_t* create_empty()
+{
+	private_pkcs7_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.get_attribute = (void*)return_false,
+			.create_cert_enumerator = (void*)enumerator_create_empty,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	this->content = chunk_clone(content);
+
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_data_gen(container_type_t type, va_list args)
+{
+	private_pkcs7_data_t *this;
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (blob.len)
+	{
+		this = create_empty();
+
+		this->content = asn1_wrap(ASN1_OCTET_STRING, "c", blob);
+		this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_PKCS7_DATA),
+							asn1_wrap(ASN1_CONTEXT_C_0, "c", this->content));
+		return &this->public;
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_data.h
new file mode 100644
index 000000000..86512b76f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_data.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_data pkcs7_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_DATA_H_
+#define PKCS7_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 "data" container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 data container.
+ *
+ * The only accepted builder argument is BUILDER_BLOB.
+ *
+ * @param type		container type, must be CONTAINER_PKCS7_DATA
+ * @param args		builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c
new file mode 100644
index 000000000..2c414c391
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_encrypted_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <crypto/pkcs5.h>
+#include <utils/debug.h>
+
+typedef struct private_pkcs7_encrypted_data_t private_pkcs7_encrypted_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_encrypted_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Decrypted content
+	 */
+	chunk_t content;
+
+	/**
+	 * Encrypted and encoded PKCS#7 encrypted-data
+	 */
+	chunk_t encoding;
+};
+
+/**
+ * Decrypt encrypted-data with available passwords
+ */
+static bool decrypt(pkcs5_t *pkcs5, chunk_t data, chunk_t *decrypted)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	bool success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		if (pkcs5->decrypt(pkcs5, shared->get_key(shared), data, decrypted))
+		{
+			success = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return success;
+}
+
+/**
+ * ASN.1 definition of the PKCS#7 encrypted-data type
+ */
+static const asn1Object_t encryptedDataObjects[] = {
+	{ 0, "encryptedData",					ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "version",						ASN1_INTEGER,		ASN1_BODY }, /* 1 */
+	{ 1,   "encryptedContentInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /* 2 */
+	{ 2,     "contentType",					ASN1_OID,			ASN1_BODY }, /* 3 */
+	{ 2,     "contentEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 4 */
+	{ 2,     "encryptedContent",			ASN1_CONTEXT_S_0,	ASN1_BODY }, /* 5 */
+	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_VERSION					1
+#define PKCS7_CONTENT_TYPE				3
+#define PKCS7_CONTENT_ENC_ALGORITHM		4
+#define PKCS7_ENCRYPTED_CONTENT			5
+
+/**
+ * Parse and decrypt encrypted-data
+ */
+static bool parse(private_pkcs7_encrypted_data_t *this, chunk_t content)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, version;
+	bool success = FALSE;
+	chunk_t encrypted = chunk_empty;
+	pkcs5_t *pkcs5 = NULL;
+
+	parser = asn1_parser_create(encryptedDataObjects, content);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		int level = parser->get_level(parser);
+
+		switch (objectID)
+		{
+			case PKCS7_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				if (version != 0)
+				{
+					DBG1(DBG_LIB, "encryptedData version is not 0");
+					goto end;
+				}
+				break;
+			case PKCS7_CONTENT_TYPE:
+				if (asn1_known_oid(object) != OID_PKCS7_DATA)
+				{
+					DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
+					goto end;
+				}
+				break;
+			case PKCS7_CONTENT_ENC_ALGORITHM:
+				pkcs5 = pkcs5_from_algorithmIdentifier(object, level + 1);
+				if (!pkcs5)
+				{
+					DBG1(DBG_LIB, "failed to detect PKCS#5 scheme");
+					goto end;
+				}
+				break;
+			case PKCS7_ENCRYPTED_CONTENT:
+				encrypted = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	success = success && decrypt(pkcs5, encrypted, &this->content);
+	DESTROY_IF(pkcs5);
+	return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_encrypted_data_t *this)
+{
+	return CONTAINER_PKCS7_ENCRYPTED_DATA;
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_encrypted_data_t *this, chunk_t *data)
+{
+	if (this->content.len)
+	{
+		*data = chunk_clone(this->content);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_encrypted_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_encrypted_data_t *this)
+{
+	free(this->content.ptr);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_pkcs7_encrypted_data_t* create_empty()
+{
+	private_pkcs7_encrypted_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = (void*)enumerator_create_empty,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = (void*)enumerator_create_empty,
+			.get_attribute = (void*)return_false,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_encrypted_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_encrypted_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	if (!parse(this, content))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.h
new file mode 100644
index 000000000..b685557fc
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_encrypted_data pkcs7_encrypted_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_ENCRYPTED_DATA_H_
+#define PKCS7_ENCRYPTED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 encrypted-data container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_ENCRYPTED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_encrypted_data_load(chunk_t encoding, chunk_t content);
+
+#endif /** PKCS7_ENCRYPTED_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
new file mode 100644
index 000000000..5cd0d8f93
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
@@ -0,0 +1,613 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_enveloped_data.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+#include <credentials/certificates/x509.h>
+#include <utils/debug.h>
+
+typedef struct private_pkcs7_enveloped_data_t private_pkcs7_enveloped_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_enveloped_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Decrypted content
+	 */
+	chunk_t content;
+
+	/**
+	 * Encrypted and encoded PKCS#7 enveloped-data
+	 */
+	chunk_t encoding;
+};
+
+/**
+ * ASN.1 definition of the PKCS#7 envelopedData type
+ */
+static const asn1Object_t envelopedDataObjects[] = {
+	{ 0, "envelopedData",					ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "version",						ASN1_INTEGER, 		ASN1_BODY }, /*  1 */
+	{ 1,   "recipientInfos",				ASN1_SET,    		ASN1_LOOP }, /*  2 */
+	{ 2,     "recipientInfo",				ASN1_SEQUENCE, 		ASN1_BODY }, /*  3 */
+	{ 3,       "version",					ASN1_INTEGER, 		ASN1_BODY }, /*  4 */
+	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /*  5 */
+	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /*  6 */
+	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /*  7 */
+	{ 3,       "encryptionAlgorithm",		ASN1_EOC,			ASN1_RAW  }, /*  8 */
+	{ 3,       "encryptedKey",				ASN1_OCTET_STRING,	ASN1_BODY }, /*  9 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /* 10 */
+	{ 1,   "encryptedContentInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /* 11 */
+	{ 2,     "contentType",					ASN1_OID,			ASN1_BODY }, /* 12 */
+	{ 2,     "contentEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 13 */
+	{ 2,     "encryptedContent",			ASN1_CONTEXT_S_0, 	ASN1_BODY }, /* 14 */
+	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_VERSION					 1
+#define PKCS7_RECIPIENT_INFO_VERSION	 4
+#define PKCS7_ISSUER					 6
+#define PKCS7_SERIAL_NUMBER				 7
+#define PKCS7_ENCRYPTION_ALG			 8
+#define PKCS7_ENCRYPTED_KEY				 9
+#define PKCS7_CONTENT_TYPE				12
+#define PKCS7_CONTENT_ENC_ALGORITHM		13
+#define PKCS7_ENCRYPTED_CONTENT			14
+
+/**
+ * Find a private key for issuerAndSerialNumber
+ */
+static private_key_t *find_private(identification_t *issuer,
+								   identification_t *serial)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *public;
+	private_key_t *private = NULL;
+	identification_t *id;
+	chunk_t fp;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_RSA, serial, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (issuer->equals(issuer, cert->get_issuer(cert)))
+		{
+			public = cert->get_public_key(cert);
+			if (public)
+			{
+				if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &fp))
+				{
+					id = identification_create_from_encoding(ID_KEY_ID, fp);
+					private = lib->credmgr->get_private(lib->credmgr,
+														KEY_ANY, id, NULL);
+					id->destroy(id);
+				}
+				public->destroy(public);
+			}
+		}
+		if (private)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return private;
+}
+
+/**
+ * Decrypt content using a private key from "issuer"
+ */
+static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid,
+					chunk_t encrypted, chunk_t *plain)
+{
+	encryption_algorithm_t alg;
+	chunk_t plain_key;
+	crypter_t *crypter;
+	size_t key_size;
+
+	alg = encryption_algorithm_from_oid(oid, &key_size);
+	if (alg == ENCR_UNDEFINED)
+	{
+		DBG1(DBG_LIB, "unsupported content encryption algorithm");
+		return FALSE;
+	}
+	if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, key, &plain_key))
+	{
+		DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
+		return FALSE;
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	if (!crypter)
+	{
+		DBG1(DBG_LIB, "crypter %N-%d not available",
+			 encryption_algorithm_names, alg, key_size);
+		free(plain_key.ptr);
+		return FALSE;
+	}
+	if (plain_key.len != crypter->get_key_size(crypter))
+	{
+		DBG1(DBG_LIB, "symmetric key length %d is wrong", plain_key.len);
+		free(plain_key.ptr);
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (iv.len != crypter->get_iv_size(crypter))
+	{
+		DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
+		free(plain_key.ptr);
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	if (!crypter->set_key(crypter, plain_key) ||
+		!crypter->decrypt(crypter, encrypted, iv, plain))
+	{
+		free(plain_key.ptr);
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	DBG4(DBG_LIB, "decrypted content with padding: %B", plain);
+	free(plain_key.ptr);
+	crypter->destroy(crypter);
+	return TRUE;
+}
+
+/**
+ * Remove the padding from plain data
+ */
+static bool remove_padding(private_pkcs7_enveloped_data_t *this)
+{
+	u_char *pos = this->content.ptr + this->content.len - 1;
+	u_char pattern = *pos;
+	size_t padding = pattern;
+
+	if (padding > this->content.len)
+	{
+		DBG1(DBG_LIB, "padding greater than data length");
+		return FALSE;
+	}
+	this->content.len -= padding;
+
+	while (padding-- > 0)
+	{
+		if (*pos-- != pattern)
+		{
+			DBG1(DBG_LIB, "wrong padding pattern");
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Parse and decrypt enveloped-data
+ */
+static bool parse(private_pkcs7_enveloped_data_t *this, chunk_t content)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, version, alg = OID_UNKNOWN;
+	bool success = FALSE;
+	identification_t *issuer = NULL, *serial = NULL;
+	private_key_t *private = NULL;
+	chunk_t iv = chunk_empty, key = chunk_empty, encrypted = chunk_empty;
+
+	parser = asn1_parser_create(envelopedDataObjects, content);
+	parser->set_top_level(parser, 0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser);
+
+		switch (objectID)
+		{
+			case PKCS7_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				if (version != 0)
+				{
+					DBG1(DBG_LIB, "envelopedData version is not 0");
+					goto end;
+				}
+				break;
+			case PKCS7_RECIPIENT_INFO_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				if (version != 0)
+				{
+					DBG1(DBG_LIB, "recipient info version is not 0");
+					goto end;
+				}
+				break;
+			case PKCS7_ISSUER:
+				if (!issuer)
+				{
+					issuer = identification_create_from_encoding(ID_DER_ASN1_DN,
+																 object);
+				}
+				break;
+			case PKCS7_SERIAL_NUMBER:
+				if (!serial)
+				{
+					serial = identification_create_from_encoding(ID_KEY_ID,
+																 object);
+				}
+				break;
+			case PKCS7_ENCRYPTION_ALG:
+				if (asn1_parse_algorithmIdentifier(object, level,
+												   NULL) != OID_RSA_ENCRYPTION)
+				{
+					DBG1(DBG_LIB, "only rsa encryption supported");
+					goto end;
+				}
+				break;
+			case PKCS7_ENCRYPTED_KEY:
+				key = object;
+				break;
+			case PKCS7_CONTENT_TYPE:
+				if (asn1_known_oid(object) != OID_PKCS7_DATA)
+				{
+					DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
+					goto end;
+				}
+				break;
+			case PKCS7_CONTENT_ENC_ALGORITHM:
+				alg = asn1_parse_algorithmIdentifier(object, level, &iv);
+				if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING,
+											  level + 1, "IV"))
+				{
+					DBG1(DBG_LIB, "IV could not be parsed");
+					goto end;
+				}
+				break;
+			case PKCS7_ENCRYPTED_CONTENT:
+				encrypted = object;
+				break;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (!success)
+	{
+		goto failed;
+	}
+	success = FALSE;
+	if (!issuer)
+	{
+		goto failed;
+	}
+	private = find_private(issuer, serial);
+	if (!private)
+	{
+		DBG1(DBG_LIB, "no private key found to decrypt pkcs7");
+		goto failed;
+	}
+	if (!decrypt(private, key, iv, alg, encrypted, &this->content))
+	{
+		goto failed;
+	}
+	if (!remove_padding(this))
+	{
+		goto failed;
+	}
+
+	success = TRUE;
+failed:
+	DESTROY_IF(issuer);
+	DESTROY_IF(serial);
+	DESTROY_IF(private);
+	return success;
+}
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_enveloped_data_t *this)
+{
+	return CONTAINER_PKCS7_ENVELOPED_DATA;
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_pkcs7_enveloped_data_t *this)
+{
+	return enumerator_create_empty();
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_enveloped_data_t *this, chunk_t *data)
+{
+	if (this->content.len)
+	{
+		*data = chunk_clone(this->content);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_enveloped_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_enveloped_data_t *this)
+{
+	free(this->content.ptr);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Generic constructor
+ */
+static private_pkcs7_enveloped_data_t* create_empty()
+{
+	private_pkcs7_enveloped_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.create_cert_enumerator = (void*)enumerator_create_empty,
+			.get_attribute = (void*)return_false,
+		},
+	);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_enveloped_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_enveloped_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	if (!parse(this, content))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
+
+/**
+ * Allocate data with an RNG
+ */
+static bool get_random(rng_quality_t quality, size_t size, chunk_t *out)
+{
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, quality);
+	if (!rng)
+	{
+		return FALSE;
+	}
+	if (!rng->allocate_bytes(rng, size, out))
+	{
+		rng->destroy(rng);
+		return FALSE;
+	}
+	rng->destroy(rng);
+	return TRUE;
+}
+
+/**
+ * Encrypt symmetric key using a public key from a certificate
+ */
+static bool encrypt_key(certificate_t *cert, chunk_t in, chunk_t *out)
+{
+	public_key_t *key;
+
+	key = cert->get_public_key(cert);
+	if (!key)
+	{
+		return FALSE;
+	}
+	if (!key->encrypt(key, ENCRYPT_RSA_PKCS1, in, out))
+	{
+		key->destroy(key);
+		return FALSE;
+	}
+	key->destroy(key);
+	return TRUE;
+}
+
+/**
+ * build a DER-encoded issuerAndSerialNumber object
+ */
+static chunk_t build_issuerAndSerialNumber(certificate_t *cert)
+{
+	identification_t *issuer = cert->get_issuer(cert);
+	chunk_t serial = chunk_empty;
+
+	if (cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+		serial = x509->get_serial(x509);
+	}
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+					 issuer->get_encoding(issuer),
+					 asn1_integer("c", serial));
+}
+
+/**
+ * Generate a new PKCS#7 enveloped-data container
+ */
+static bool generate(private_pkcs7_enveloped_data_t *this,
+				certificate_t *cert, encryption_algorithm_t alg, int key_size)
+{
+	chunk_t contentEncryptionAlgorithm, encryptedContentInfo, recipientInfo;
+	chunk_t iv, symmetricKey, protectedKey, content;
+	crypter_t *crypter;
+	size_t bs, padding;
+	int alg_oid;
+
+	alg_oid = encryption_algorithm_to_oid(alg, key_size);
+	if (alg_oid == OID_UNKNOWN)
+	{
+		DBG1(DBG_LIB, "  encryption algorithm %N not supported",
+			 encryption_algorithm_names, alg);
+		return FALSE;
+	}
+	crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
+	if (crypter == NULL)
+	{
+		DBG1(DBG_LIB, "  could not create crypter for algorithm %N",
+			 encryption_algorithm_names, alg);
+		return FALSE;
+	}
+
+	if (!get_random(RNG_TRUE, crypter->get_key_size(crypter), &symmetricKey))
+	{
+		DBG1(DBG_LIB, "  failed to allocate symmetric encryption key");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	DBG4(DBG_LIB, "  symmetric encryption key: %B", &symmetricKey);
+
+	if (!get_random(RNG_WEAK, crypter->get_iv_size(crypter), &iv))
+	{
+		DBG1(DBG_LIB, "  failed to allocate initialization vector");
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	DBG4(DBG_LIB, "  initialization vector: %B", &iv);
+
+	bs = crypter->get_block_size(crypter);
+	padding = bs - this->content.len % bs;
+	content = chunk_alloc(this->content.len + padding);
+	memcpy(content.ptr, this->content.ptr, this->content.len);
+	memset(content.ptr + this->content.len, padding, padding);
+	DBG3(DBG_LIB, "  padded unencrypted data: %B", &content);
+
+	/* symmetric inline encryption of content */
+	if (!crypter->set_key(crypter, symmetricKey) ||
+		!crypter->encrypt(crypter, content, iv, NULL))
+	{
+		crypter->destroy(crypter);
+		chunk_clear(&symmetricKey);
+		chunk_free(&iv);
+		return FALSE;
+	}
+	crypter->destroy(crypter);
+	DBG3(DBG_LIB, "  encrypted data: %B", &content);
+
+	if (!encrypt_key(cert, symmetricKey, &protectedKey))
+	{
+		DBG1(DBG_LIB, "  encrypting symmetric key failed");
+		chunk_clear(&symmetricKey);
+		chunk_free(&iv);
+		chunk_free(&content);
+		return FALSE;
+	}
+	chunk_clear(&symmetricKey);
+
+	contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm",
+				asn1_build_known_oid(alg_oid),
+				asn1_wrap(ASN1_OCTET_STRING, "m", iv));
+
+	encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm",
+				asn1_build_known_oid(OID_PKCS7_DATA),
+				contentEncryptionAlgorithm,
+				asn1_wrap(ASN1_CONTEXT_S_0, "m", content));
+
+	recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm",
+				ASN1_INTEGER_0,
+				build_issuerAndSerialNumber(cert),
+				asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+				asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey));
+
+	this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+		asn1_build_known_oid(OID_PKCS7_ENVELOPED_DATA),
+		asn1_wrap(ASN1_CONTEXT_C_0, "m",
+			asn1_wrap(ASN1_SEQUENCE, "cmm",
+				ASN1_INTEGER_0,
+				asn1_wrap(ASN1_SET, "m", recipientInfo),
+				encryptedContentInfo)));
+
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_enveloped_data_gen(container_type_t type, va_list args)
+{
+	private_pkcs7_enveloped_data_t *this;
+	chunk_t blob = chunk_empty;
+	encryption_algorithm_t alg = ENCR_AES_CBC;
+	certificate_t *cert = NULL;
+	int key_size = 128;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_CERT:
+				cert = va_arg(args, certificate_t*);
+				continue;
+			case BUILD_ENCRYPTION_ALG:
+				alg = va_arg(args, int);
+				continue;
+			case BUILD_KEY_SIZE:
+				key_size = va_arg(args, int);
+				continue;
+			case BUILD_BLOB:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len && cert)
+	{
+		this = create_empty();
+
+		this->content = chunk_clone(blob);
+		if (generate(this, cert, alg, key_size))
+		{
+			return &this->public;
+		}
+		destroy(this);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h
new file mode 100644
index 000000000..5e35abd54
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_enveloped_data pkcs7_enveloped_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_ENVELOPED_DATA_H_
+#define PKCS7_ENVELOPED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 enveloped-data container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_ENVELOPED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_enveloped_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 enveloped-data container.
+ *
+ * @param type		container type, must be CONTAINER_PKCS7_ENVELOPED_DATA
+ * @param args		builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_enveloped_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_ENVELOPED_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
new file mode 100644
index 000000000..24d7cd848
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_generic.h"
+#include "pkcs7_data.h"
+#include "pkcs7_signed_data.h"
+#include "pkcs7_encrypted_data.h"
+#include "pkcs7_enveloped_data.h"
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+
+/**
+ * ASN.1 definition of the PKCS#7 ContentInfo type
+ */
+static const asn1Object_t contentInfoObjects[] = {
+	{ 0, "contentInfo",		ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
+	{ 1,   "contentType",	ASN1_OID,			ASN1_BODY }, /* 1 */
+	{ 1,   "content",		ASN1_CONTEXT_C_0,	ASN1_OPT |
+												ASN1_BODY }, /* 2 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END  }, /* 3 */
+	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_INFO_TYPE		1
+#define PKCS7_INFO_CONTENT	2
+
+/**
+ * Parse PKCS#7 contentInfo object
+ */
+static pkcs7_t* parse_contentInfo(chunk_t blob)
+{
+	asn1_parser_t *parser;
+	chunk_t object, content = chunk_empty;
+	int objectID, type = OID_UNKNOWN;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(contentInfoObjects, blob);
+	parser->set_top_level(parser, 0);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		if (objectID == PKCS7_INFO_TYPE)
+		{
+			type = asn1_known_oid(object);
+			if (type < OID_PKCS7_DATA || type > OID_PKCS7_ENCRYPTED_DATA)
+			{
+				DBG1(DBG_ASN, "unknown pkcs7 content type");
+				goto end;
+			}
+		}
+		else if (objectID == PKCS7_INFO_CONTENT)
+		{
+			content = object;
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+
+	if (success)
+	{
+		switch (type)
+		{
+			case OID_PKCS7_DATA:
+				return pkcs7_data_load(blob, content);
+			case OID_PKCS7_SIGNED_DATA:
+				return pkcs7_signed_data_load(blob, content);
+			case OID_PKCS7_ENVELOPED_DATA:
+				return pkcs7_enveloped_data_load(blob, content);
+			case OID_PKCS7_ENCRYPTED_DATA:
+				return pkcs7_encrypted_data_load(blob, content);
+			default:
+				DBG1(DBG_ASN, "pkcs7 content type %d not supported", type);
+				return NULL;
+		}
+	}
+	return NULL;
+}
+
+
+pkcs7_t *pkcs7_generic_load(container_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len)
+	{
+		if (blob.len >= 2 &&
+			blob.ptr[0] == ASN1_SEQUENCE && blob.ptr[1] == 0x80)
+		{	/* looks like infinite length BER encoding, but we can't handle it.
+			 * ignore silently, our openssl backend can handle it */
+			return NULL;
+		}
+		return parse_contentInfo(blob);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h
new file mode 100644
index 000000000..819343c4d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_generic.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_generic pkcs7_generic
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_GENERIC_H_
+#define PKCS7_GENERIC_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Load a generic PKCS#7 container.
+ *
+ * The argument list must contain a single BUILD_BLOB_ASN1_DER argument.
+ *
+ * @param type		type of the container, CONTAINER_PKCS7
+ * @param args		builder_part_t argument list
+ * @return			container, NULL on failure
+ */
+pkcs7_t *pkcs7_generic_load(container_type_t type, va_list args);
+
+#endif /** PKCS7_GENERIC_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c
new file mode 100644
index 000000000..7d350155d
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_plugin.h"
+#include "pkcs7_generic.h"
+#include "pkcs7_data.h"
+#include "pkcs7_signed_data.h"
+#include "pkcs7_enveloped_data.h"
+
+#include <library.h>
+
+typedef struct private_pkcs7_plugin_t private_pkcs7_plugin_t;
+
+/**
+ * private data of pkcs7_plugin
+ */
+struct private_pkcs7_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs7_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_pkcs7_plugin_t *this)
+{
+	return "pkcs7";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_pkcs7_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CONTAINER_DECODE, pkcs7_generic_load, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
+		PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_data_gen, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_DATA),
+		PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_signed_data_gen, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_SIGNED_DATA),
+		PLUGIN_REGISTER(CONTAINER_ENCODE, pkcs7_enveloped_data_gen, TRUE),
+			PLUGIN_PROVIDE(CONTAINER_ENCODE, CONTAINER_PKCS7_ENVELOPED_DATA),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_pkcs7_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs7_plugin_create()
+{
+	private_pkcs7_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h
new file mode 100644
index 000000000..3d582c7c6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7p pkcs7
+ * @ingroup plugins
+ *
+ * @defgroup pkcs7_plugin pkcs7_plugin
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_PLUGIN_H_
+#define PKCS7_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs7_plugin_t pkcs7_plugin_t;
+
+/**
+ * Plugin providing PKCS#7 container functionality.
+ */
+struct pkcs7_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** PKCS7_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
new file mode 100644
index 000000000..48fb5e6a4
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c
@@ -0,0 +1,678 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs7_signed_data.h"
+#include "pkcs7_attributes.h"
+
+#include <time.h>
+
+#include <utils/debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/keys/private_key.h>
+
+typedef struct private_pkcs7_signed_data_t private_pkcs7_signed_data_t;
+
+/**
+ * Private data of a PKCS#7 signed-data container.
+ */
+struct private_pkcs7_signed_data_t {
+
+	/**
+	 * Implements pkcs7_t.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * Signed content data
+	 */
+	container_t *content;
+
+	/**
+	 * Encoded PKCS#7 signed-data
+	 */
+	chunk_t encoding;
+
+	/**
+	 * list of signerInfos, signerinfo_t
+	 */
+	linked_list_t *signerinfos;
+
+	/**
+	 * Contained certificates
+	 */
+	mem_cred_t *creds;
+};
+
+/**
+ * A single signerInfo
+ */
+typedef struct {
+
+	/**
+	 * Signed attributes of signerInfo
+	 */
+	pkcs7_attributes_t *attributes;
+
+	/**
+	 * Serial of signing certificate
+	 */
+	identification_t *serial;
+
+	/**
+	 * Issuer of signing certificate
+	 */
+	identification_t *issuer;
+
+	/**
+	 * EncryptedDigest
+	 */
+	chunk_t encrypted_digest;
+
+	/**
+	 * Digesting algorithm OID
+	 */
+	int digest_alg;
+
+	/**
+	 * Public key encryption algorithm OID
+	 */
+	int enc_alg;
+
+} signerinfo_t;
+
+/**
+ * Destroy a signerinfo_t entry
+ */
+void signerinfo_destroy(signerinfo_t *this)
+{
+	DESTROY_IF(this->attributes);
+	DESTROY_IF(this->serial);
+	DESTROY_IF(this->issuer);
+	free(this->encrypted_digest.ptr);
+	free(this);
+}
+
+/**
+ * ASN.1 definition of the PKCS#7 signedData type
+ */
+static const asn1Object_t signedDataObjects[] = {
+	{ 0, "signedData",						ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "version",						ASN1_INTEGER,		ASN1_BODY }, /*  1 */
+	{ 1,   "digestAlgorithms",				ASN1_SET,			ASN1_LOOP }, /*  2 */
+	{ 2,     "algorithm",					ASN1_EOC,			ASN1_RAW  }, /*  3 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /*  4 */
+	{ 1,   "contentInfo",					ASN1_EOC,			ASN1_RAW  }, /*  5 */
+	{ 1,   "certificates",					ASN1_CONTEXT_C_0,	ASN1_OPT |
+																ASN1_LOOP }, /*  6 */
+	{ 2,      "certificate",				ASN1_SEQUENCE,		ASN1_OBJ  }, /*  7 */
+	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /*  8 */
+	{ 1,   "crls",							ASN1_CONTEXT_C_1,	ASN1_OPT |
+																ASN1_LOOP }, /*  9 */
+	{ 2,	    "crl",						ASN1_SEQUENCE,		ASN1_OBJ  }, /* 10 */
+	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /* 11 */
+	{ 1,   "signerInfos",					ASN1_SET,			ASN1_LOOP }, /* 12 */
+	{ 2,     "signerInfo",					ASN1_SEQUENCE,		ASN1_NONE }, /* 13 */
+	{ 3,       "version",					ASN1_INTEGER,		ASN1_BODY }, /* 14 */
+	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /* 15 */
+	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /* 16 */
+	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /* 17 */
+	{ 3,       "digestAlgorithm",			ASN1_EOC,			ASN1_RAW  }, /* 18 */
+	{ 3,       "authenticatedAttributes",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+																ASN1_OBJ  }, /* 19 */
+	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 20 */
+	{ 3,       "digestEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 21 */
+	{ 3,       "encryptedDigest",			ASN1_OCTET_STRING,	ASN1_BODY }, /* 22 */
+	{ 3,       "unauthenticatedAttributes", ASN1_CONTEXT_C_1,	ASN1_OPT  }, /* 23 */
+	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 24 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /* 25 */
+	{ 0, "exit",							ASN1_EOC,			ASN1_EXIT }
+};
+#define PKCS7_VERSION				 1
+#define PKCS7_DIGEST_ALG			 3
+#define PKCS7_CONTENT_INFO			 5
+#define PKCS7_CERT					 7
+#define PKCS7_SIGNER_INFO			13
+#define PKCS7_SIGNER_INFO_VERSION	14
+#define PKCS7_ISSUER				16
+#define PKCS7_SERIAL_NUMBER			17
+#define PKCS7_DIGEST_ALGORITHM		18
+#define PKCS7_AUTH_ATTRIBUTES		19
+#define PKCS7_DIGEST_ENC_ALGORITHM	21
+#define PKCS7_ENCRYPTED_DIGEST		22
+
+METHOD(container_t, get_type, container_type_t,
+	private_pkcs7_signed_data_t *this)
+{
+	return CONTAINER_PKCS7_SIGNED_DATA;
+}
+
+/**
+ * Signature enumerator implementation
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner signerinfos enumerator */
+	enumerator_t *inner;
+	/** currently enumerated auth_cfg */
+	auth_cfg_t *auth;
+	/** currently enumerating signerinfo */
+	signerinfo_t *info;
+	/** reference to container */
+	private_pkcs7_signed_data_t *this;
+} signature_enumerator_t;
+
+METHOD(enumerator_t, enumerate, bool,
+	signature_enumerator_t *this, auth_cfg_t **out)
+{
+	signerinfo_t *info;
+	signature_scheme_t scheme;
+	hash_algorithm_t algorithm;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	public_key_t *key;
+	auth_cfg_t *auth;
+	chunk_t chunk, hash, content;
+	hasher_t *hasher;
+	bool valid;
+
+	while (this->inner->enumerate(this->inner, &info))
+	{
+		/* clean up previous round */
+		DESTROY_IF(this->auth);
+		this->auth = NULL;
+
+		scheme = signature_scheme_from_oid(info->digest_alg);
+		if (scheme == SIGN_UNKNOWN)
+		{
+			DBG1(DBG_LIB, "unsupported signature scheme");
+			continue;
+		}
+		if (!info->attributes)
+		{
+			DBG1(DBG_LIB, "no authenticatedAttributes object found");
+			continue;
+		}
+		if (info->enc_alg != OID_RSA_ENCRYPTION)
+		{
+			DBG1(DBG_LIB, "only RSA digest encryption supported");
+			continue;
+		}
+
+		enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+												KEY_RSA, info->serial, FALSE);
+		while (enumerator->enumerate(enumerator, &cert, &auth))
+		{
+			if (info->issuer->equals(info->issuer, cert->get_issuer(cert)))
+			{
+				key = cert->get_public_key(cert);
+				if (key)
+				{
+					chunk = info->attributes->get_encoding(info->attributes);
+					if (key->verify(key, scheme, chunk, info->encrypted_digest))
+					{
+						this->auth = auth->clone(auth);
+						key->destroy(key);
+						break;
+					}
+					key->destroy(key);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (!this->auth)
+		{
+			DBG1(DBG_LIB, "unable to verify pkcs7 attributes signature");
+			continue;
+		}
+
+		chunk = info->attributes->get_attribute(info->attributes,
+												OID_PKCS9_MESSAGE_DIGEST);
+		if (!chunk.len)
+		{
+			DBG1(DBG_LIB, "messageDigest attribute not found");
+			continue;
+		}
+		if (!this->this->content->get_data(this->this->content, &content))
+		{
+			continue;
+		}
+
+		algorithm = hasher_algorithm_from_oid(info->digest_alg);
+		hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
+		if (!hasher || !hasher->allocate_hash(hasher, content, &hash))
+		{
+			free(content.ptr);
+			DESTROY_IF(hasher);
+			DBG1(DBG_LIB, "hash algorithm %N not supported",
+				 hash_algorithm_names, algorithm);
+			continue;
+		}
+		free(content.ptr);
+		hasher->destroy(hasher);
+		DBG3(DBG_LIB, "hash: %B", &hash);
+
+		valid = chunk_equals(chunk, hash);
+		free(hash.ptr);
+		if (!valid)
+		{
+			DBG1(DBG_LIB, "invalid messageDigest");
+			continue;
+		}
+		*out = this->auth;
+		this->info = info;
+		return TRUE;
+	}
+	this->info = NULL;
+	return FALSE;
+}
+
+METHOD(enumerator_t, enumerator_destroy, void,
+	signature_enumerator_t *this)
+{
+	lib->credmgr->remove_local_set(lib->credmgr, &this->this->creds->set);
+	this->inner->destroy(this->inner);
+	DESTROY_IF(this->auth);
+	free(this);
+}
+
+METHOD(container_t, create_signature_enumerator, enumerator_t*,
+	private_pkcs7_signed_data_t *this)
+{
+	signature_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate,
+			.destroy = _enumerator_destroy,
+		},
+		.inner = this->signerinfos->create_enumerator(this->signerinfos),
+		.this = this,
+	);
+
+	lib->credmgr->add_local_set(lib->credmgr, &this->creds->set, FALSE);
+	return &enumerator->public;
+}
+
+METHOD(pkcs7_t, get_attribute, bool,
+	private_pkcs7_signed_data_t *this, int oid, enumerator_t *enumerator, chunk_t *value)
+{
+	signature_enumerator_t *e;
+	chunk_t chunk;
+
+	e = (signature_enumerator_t*)enumerator;
+	if (e->info)
+	{
+		chunk = e->info->attributes->get_attribute(e->info->attributes, oid);
+		if (chunk.len)
+		{
+			*value = chunk_clone(chunk);
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(pkcs7_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs7_signed_data_t *this)
+{
+	return this->creds->set.create_cert_enumerator(&this->creds->set,
+											CERT_ANY, KEY_ANY, NULL, FALSE);
+}
+
+METHOD(container_t, get_data, bool,
+	private_pkcs7_signed_data_t *this, chunk_t *data)
+{
+	if (this->content)
+	{
+		return this->content->get_data(this->content, data);
+	}
+	return FALSE;
+}
+
+METHOD(container_t, get_encoding, bool,
+	private_pkcs7_signed_data_t *this, chunk_t *data)
+{
+	*data = chunk_clone(this->encoding);
+	return TRUE;
+}
+
+METHOD(container_t, destroy, void,
+	private_pkcs7_signed_data_t *this)
+{
+	this->creds->destroy(this->creds);
+	this->signerinfos->destroy_function(this->signerinfos,
+										(void*)signerinfo_destroy);
+	DESTROY_IF(this->content);
+	free(this->encoding.ptr);
+	free(this);
+}
+
+/**
+ * Create an empty PKCS#7 signed-data container.
+ */
+static private_pkcs7_signed_data_t* create_empty()
+{
+	private_pkcs7_signed_data_t *this;
+
+	INIT(this,
+		.public = {
+			.container = {
+				.get_type = _get_type,
+				.create_signature_enumerator = _create_signature_enumerator,
+				.get_data = _get_data,
+				.get_encoding = _get_encoding,
+				.destroy = _destroy,
+			},
+			.get_attribute = _get_attribute,
+			.create_cert_enumerator = _create_cert_enumerator,
+		},
+		.creds = mem_cred_create(),
+		.signerinfos = linked_list_create(),
+	);
+
+	return this;
+}
+
+/**
+ * Parse PKCS#7 signed data
+ */
+static bool parse(private_pkcs7_signed_data_t *this, chunk_t content)
+{
+	asn1_parser_t *parser;
+	chunk_t object;
+	int objectID, version;
+	signerinfo_t *info = NULL;
+	bool success = FALSE;
+
+	parser = asn1_parser_create(signedDataObjects, content);
+	parser->set_top_level(parser, 0);
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		u_int level = parser->get_level(parser);
+
+		switch (objectID)
+		{
+			case PKCS7_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				break;
+			case PKCS7_CONTENT_INFO:
+				this->content = lib->creds->create(lib->creds,
+										CRED_CONTAINER, CONTAINER_PKCS7,
+										BUILD_BLOB_ASN1_DER, object, BUILD_END);
+				break;
+			case PKCS7_CERT:
+			{
+				certificate_t *cert;
+
+				DBG2(DBG_LIB, "  parsing pkcs7-wrapped certificate");
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509,
+										  BUILD_BLOB_ASN1_DER, object,
+										  BUILD_END);
+				if (cert)
+				{
+					this->creds->add_cert(this->creds, FALSE, cert);
+				}
+				break;
+			}
+			case PKCS7_SIGNER_INFO:
+				INIT(info,
+					.digest_alg = OID_UNKNOWN,
+					.enc_alg = OID_UNKNOWN,
+				);
+				this->signerinfos->insert_last(this->signerinfos, info);
+				break;
+			case PKCS7_SIGNER_INFO_VERSION:
+				version = object.len ? (int)*object.ptr : 0;
+				DBG2(DBG_LIB, "  v%d", version);
+				break;
+			case PKCS7_ISSUER:
+				info->issuer = identification_create_from_encoding(
+														ID_DER_ASN1_DN, object);
+				break;
+			case PKCS7_SERIAL_NUMBER:
+				info->serial = identification_create_from_encoding(
+														ID_KEY_ID, object);
+				break;
+			case PKCS7_AUTH_ATTRIBUTES:
+				*object.ptr = ASN1_SET;
+				info->attributes = pkcs7_attributes_create_from_chunk(
+														object, level+1);
+				*object.ptr = ASN1_CONTEXT_C_0;
+				break;
+			case PKCS7_DIGEST_ALGORITHM:
+				info->digest_alg = asn1_parse_algorithmIdentifier(object,
+														level, NULL);
+				break;
+			case PKCS7_DIGEST_ENC_ALGORITHM:
+				info->enc_alg = asn1_parse_algorithmIdentifier(object,
+														level, NULL);
+				break;
+			case PKCS7_ENCRYPTED_DIGEST:
+				info->encrypted_digest = chunk_clone(object);
+				break;
+		}
+	}
+	success = parser->success(parser);
+	parser->destroy(parser);
+
+	return success;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_signed_data_load(chunk_t encoding, chunk_t content)
+{
+	private_pkcs7_signed_data_t *this = create_empty();
+
+	this->encoding = chunk_clone(encoding);
+	if (!parse(this, content))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * build a DER-encoded issuerAndSerialNumber object
+ */
+static chunk_t build_issuerAndSerialNumber(certificate_t *cert)
+{
+	identification_t *issuer = cert->get_issuer(cert);
+	chunk_t serial = chunk_empty;
+
+	if (cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+		serial = x509->get_serial(x509);
+	}
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm",
+					 issuer->get_encoding(issuer),
+					 asn1_integer("c", serial));
+}
+
+/**
+ * Generate a new PKCS#7 signed-data container
+ */
+static bool generate(private_pkcs7_signed_data_t *this, private_key_t *key,
+					 certificate_t *cert, hash_algorithm_t alg,
+					 pkcs7_attributes_t *pkcs9)
+{
+	chunk_t authenticatedAttributes = chunk_empty;
+	chunk_t encryptedDigest = chunk_empty;
+	chunk_t data, signerInfo, encoding = chunk_empty;
+	chunk_t messageDigest, signingTime, attributes;
+	signature_scheme_t scheme;
+	hasher_t *hasher;
+	time_t now;
+	int digest_oid;
+
+	digest_oid = hasher_algorithm_to_oid(alg);
+	scheme = signature_scheme_from_oid(digest_oid);
+
+	if (!this->content->get_data(this->content, &data))
+	{
+		return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, alg);
+	if (!hasher || !hasher->allocate_hash(hasher, data, &messageDigest))
+	{
+		DESTROY_IF(hasher);
+		DBG1(DBG_LIB, "  hash algorithm %N not support",
+			 hash_algorithm_names, alg);
+		free(data.ptr);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	pkcs9->add_attribute(pkcs9,
+					OID_PKCS9_MESSAGE_DIGEST,
+					asn1_wrap(ASN1_OCTET_STRING, "m", messageDigest));
+
+	/* take the current time as signingTime */
+	now = time(NULL);
+	signingTime = asn1_from_time(&now, ASN1_UTCTIME);
+	pkcs9->add_attribute(pkcs9, OID_PKCS9_SIGNING_TIME, signingTime);
+	pkcs9->add_attribute(pkcs9, OID_PKCS9_CONTENT_TYPE,
+						 asn1_build_known_oid(OID_PKCS7_DATA));
+
+	attributes = pkcs9->get_encoding(pkcs9);
+
+	if (!key->sign(key, scheme, attributes, &encryptedDigest))
+	{
+		free(data.ptr);
+		return FALSE;
+	}
+	authenticatedAttributes = chunk_clone(attributes);
+	*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
+
+	free(data.ptr);
+	if (encryptedDigest.ptr)
+	{
+		encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest);
+	}
+	signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm",
+					ASN1_INTEGER_1,
+					build_issuerAndSerialNumber(cert),
+					asn1_algorithmIdentifier(digest_oid),
+					authenticatedAttributes,
+					asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+					encryptedDigest);
+
+	if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+	{
+		free(signerInfo.ptr);
+		return FALSE;
+	}
+	if (!this->content->get_encoding(this->content, &data))
+	{
+		free(encoding.ptr);
+		free(signerInfo.ptr);
+		return FALSE;
+	}
+
+	this->encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+		asn1_build_known_oid(OID_PKCS7_SIGNED_DATA),
+		asn1_wrap(ASN1_CONTEXT_C_0, "m",
+			asn1_wrap(ASN1_SEQUENCE, "cmmmm",
+				ASN1_INTEGER_1,
+				asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)),
+				data,
+				asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding),
+				asn1_wrap(ASN1_SET, "m", signerInfo))));
+
+
+	pkcs9->destroy(pkcs9);
+	/* TODO: create signerInfos entry */
+	return TRUE;
+}
+
+/**
+ * See header.
+ */
+pkcs7_t *pkcs7_signed_data_gen(container_type_t type, va_list args)
+{
+	private_pkcs7_signed_data_t *this;
+	chunk_t blob = chunk_empty;
+	hash_algorithm_t alg = HASH_SHA1;
+	private_key_t *key = NULL;
+	certificate_t *cert = NULL;
+	pkcs7_attributes_t *pkcs9;
+	chunk_t value;
+	int oid;
+
+	pkcs9 = pkcs7_attributes_create();
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_SIGNING_KEY:
+				key = va_arg(args, private_key_t*);
+				continue;
+			case BUILD_SIGNING_CERT:
+				cert = va_arg(args, certificate_t*);
+				continue;
+			case BUILD_DIGEST_ALG:
+				alg = va_arg(args, int);
+				continue;
+			case BUILD_BLOB:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS7_ATTRIBUTE:
+				oid = va_arg(args, int);
+				value = va_arg(args, chunk_t);
+				pkcs9->add_attribute(pkcs9, oid, chunk_clone(value));
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				pkcs9->destroy(pkcs9);
+				return NULL;
+		}
+		break;
+	}
+	if (blob.len && key && cert)
+	{
+		this = create_empty();
+
+		this->creds->add_cert(this->creds, FALSE, cert->get_ref(cert));
+		this->content = lib->creds->create(lib->creds,
+										   CRED_CONTAINER, CONTAINER_PKCS7_DATA,
+										   BUILD_BLOB, blob, BUILD_END);
+
+		if (this->content && generate(this, key, cert, alg, pkcs9))
+		{
+			return &this->public;
+		}
+		pkcs9->destroy(pkcs9);
+		destroy(this);
+	}
+	else
+	{
+		pkcs9->destroy(pkcs9);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h
new file mode 100644
index 000000000..5de672117
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7_signed_data pkcs7_signed_data
+ * @{ @ingroup pkcs7p
+ */
+
+#ifndef PKCS7_SIGNED_DATA_H_
+#define PKCS7_SIGNED_DATA_H_
+
+#include <credentials/builder.h>
+#include <credentials/containers/pkcs7.h>
+
+/**
+ * Parse a PKCS#7 signed-data container.
+ *
+ * @param encoding	full contentInfo encoding
+ * @param content	DER encoded content from contentInfo
+ * @return			CONTAINER_PKCS7_SIGNED_DATA container, NULL on failure
+ */
+pkcs7_t *pkcs7_signed_data_load(chunk_t encoding, chunk_t content);
+
+/**
+ * Generate a PKCS#7 signed-data container.
+ *
+ * @param type		container type, must be CONTAINER_PKCS7_SIGNED_DATA
+ * @param args		builder_t arguments to use.
+ */
+pkcs7_t *pkcs7_signed_data_gen(container_type_t type, va_list args);
+
+#endif /** PKCS7_SIGNED_DATA_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.am b/src/libstrongswan/plugins/pkcs8/Makefile.am
index bcaf2c6a5..98e3263df 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pkcs8.la
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 2b9c6cf95..9ed381e38 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pkcs8_la_LIBADD =
 am_libstrongswan_pkcs8_la_OBJECTS = pkcs8_plugin.lo pkcs8_builder.lo
 libstrongswan_pkcs8_la_OBJECTS = $(am_libstrongswan_pkcs8_la_OBJECTS)
-libstrongswan_pkcs8_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pkcs8_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pkcs8_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pkcs8_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pkcs8_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pkcs8_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pkcs8_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs8.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs8.la
 libstrongswan_pkcs8_la_SOURCES = \
@@ -335,7 +401,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -343,6 +408,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -364,8 +431,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES) 
-	$(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
+libstrongswan-pkcs8.la: $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_DEPENDENCIES) $(EXTRA_libstrongswan_pkcs8_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pkcs8_la_LINK) $(am_libstrongswan_pkcs8_la_rpath) $(libstrongswan_pkcs8_la_OBJECTS) $(libstrongswan_pkcs8_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -377,25 +444,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs8_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -502,10 +569,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index 346240ae1..e93a8361c 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -15,10 +15,11 @@
 
 #include "pkcs8_builder.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
+#include <crypto/pkcs5.h>
 #include <credentials/keys/private_key.h>
 
 /**
@@ -101,422 +102,39 @@ end:
 }
 
 /**
- * Verify padding of decrypted blob.
- * Length of blob is adjusted accordingly.
- */
-static bool verify_padding(chunk_t *blob)
-{
-	u_int8_t padding, count;
-
-	padding = count = blob->ptr[blob->len - 1];
-	if (padding > 8)
-	{
-		return FALSE;
-	}
-	for (; blob->len && count; --blob->len, --count)
-	{
-		if (blob->ptr[blob->len - 1] != padding)
-		{
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/**
- * Prototype for key derivation functions.
- */
-typedef void (*kdf_t)(void *generator, chunk_t password, chunk_t salt,
-					  u_int64_t iterations, chunk_t key);
-
-/**
  * Try to decrypt the given blob with multiple passwords using the given
- * key derivation function. keymat is where the kdf function writes the key
- * to, key and iv point to the actual keys and initialization vectors resp.
+ * pkcs5 object.
  */
-static private_key_t *decrypt_private_key(chunk_t blob,
-					encryption_algorithm_t encr, size_t key_len, kdf_t kdf,
-					void *generator, chunk_t salt, u_int64_t iterations,
-					chunk_t keymat, chunk_t key, chunk_t iv)
+static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob)
 {
 	enumerator_t *enumerator;
 	shared_key_t *shared;
-	crypter_t *crypter;
 	private_key_t *private_key = NULL;
 
-	crypter = lib->crypto->create_crypter(lib->crypto, encr, key_len);
-	if (!crypter)
-	{
-		DBG1(DBG_ASN, "  %N encryption algorithm not available",
-			 encryption_algorithm_names, encr);
-		return NULL;
-	}
-	if (blob.len % crypter->get_block_size(crypter))
-	{
-		DBG1(DBG_ASN, "  data size is not a multiple of block size");
-		crypter->destroy(crypter);
-		return NULL;
-	}
-
 	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
 										SHARED_PRIVATE_KEY_PASS, NULL, NULL);
 	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
 	{
 		chunk_t decrypted;
 
-		kdf(generator, shared->get_key(shared), salt, iterations, keymat);
-
-		crypter->set_key(crypter, key);
-		crypter->decrypt(crypter, blob, iv, &decrypted);
-		if (verify_padding(&decrypted))
+		if (!pkcs5->decrypt(pkcs5, shared->get_key(shared), blob, &decrypted))
 		{
-			private_key = parse_private_key(decrypted);
-			if (private_key)
-			{
-				chunk_clear(&decrypted);
-				break;
-			}
+			continue;
+		}
+		private_key = parse_private_key(decrypted);
+		if (private_key)
+		{
+			chunk_clear(&decrypted);
+			break;
 		}
 		chunk_free(&decrypted);
 	}
 	enumerator->destroy(enumerator);
-	crypter->destroy(crypter);
 
 	return private_key;
 }
 
 /**
- * Function F of PBKDF2
- */
-static void pbkdf2_f(chunk_t block, prf_t *prf, chunk_t seed,
-					 u_int64_t iterations)
-{
-	chunk_t u;
-	u_int64_t i;
-
-	u = chunk_alloca(prf->get_block_size(prf));
-	prf->get_bytes(prf, seed, u.ptr);
-	memcpy(block.ptr, u.ptr, block.len);
-
-	for (i = 1; i < iterations; i++)
-	{
-		prf->get_bytes(prf, u, u.ptr);
-		memxor(block.ptr, u.ptr, block.len);
-	}
-}
-
-/**
- * PBKDF2 key derivation function
- */
-static void pbkdf2(prf_t *prf, chunk_t password, chunk_t salt,
-				   u_int64_t iterations, chunk_t key)
-{
-	chunk_t keymat, block, seed;
-	size_t blocks;
-	u_int32_t i = 0, *ni;
-
-	prf->set_key(prf, password);
-
-	block.len = prf->get_block_size(prf);
-	blocks = (key.len - 1) / block.len + 1;
-	keymat = chunk_alloca(blocks * block.len);
-
-	seed = chunk_cata("cc", salt, chunk_from_thing(i));
-	ni = (u_int32_t*)(seed.ptr + salt.len);
-
-	for (; i < blocks; i++)
-	{
-		*ni = htonl(i + 1);
-		block.ptr = keymat.ptr + (i * block.len);
-		pbkdf2_f(block, prf, seed, iterations);
-	}
-
-	memcpy(key.ptr, keymat.ptr, key.len);
-}
-
-/**
- * Decrypt an encrypted PKCS#8 encoded private key according to PBES2
- */
-static private_key_t *decrypt_private_key_pbes2(chunk_t blob,
-							encryption_algorithm_t encr, size_t key_len,
-							chunk_t iv, pseudo_random_function_t prf_func,
-							chunk_t salt, u_int64_t iterations)
-{
-	private_key_t *private_key;
-	prf_t *prf;
-	chunk_t key;
-
-	prf = lib->crypto->create_prf(lib->crypto, prf_func);
-	if (!prf)
-	{
-		DBG1(DBG_ASN, "  %N prf algorithm not available",
-			 pseudo_random_function_names, prf_func);
-		return NULL;
-	}
-
-	key = chunk_alloca(key_len);
-
-	private_key = decrypt_private_key(blob, encr, key_len, (kdf_t)pbkdf2, prf,
-									  salt, iterations, key, key, iv);
-
-	prf->destroy(prf);
-	return private_key;
-}
-
-/**
- * PBKDF1 key derivation function
- */
-static void pbkdf1(hasher_t *hasher, chunk_t password, chunk_t salt,
-				   u_int64_t iterations, chunk_t key)
-{
-	chunk_t hash;
-	u_int64_t i;
-
-	hash = chunk_alloca(hasher->get_hash_size(hasher));
-	hasher->get_hash(hasher, password, NULL);
-	hasher->get_hash(hasher, salt, hash.ptr);
-
-	for (i = 1; i < iterations; i++)
-	{
-		hasher->get_hash(hasher, hash, hash.ptr);
-	}
-
-	memcpy(key.ptr, hash.ptr, key.len);
-}
-
-/**
- * Decrypt an encrypted PKCS#8 encoded private key according to PBES1
- */
-static private_key_t *decrypt_private_key_pbes1(chunk_t blob,
-							encryption_algorithm_t encr, size_t key_len,
-							hash_algorithm_t hash, chunk_t salt,
-							u_int64_t iterations)
-{
-	private_key_t *private_key = NULL;
-	hasher_t *hasher = NULL;
-	chunk_t keymat, key, iv;
-
-	hasher = lib->crypto->create_hasher(lib->crypto, hash);
-	if (!hasher)
-	{
-		DBG1(DBG_ASN, "  %N hash algorithm not available",
-			 hash_algorithm_names, hash);
-		goto end;
-	}
-	if (hasher->get_hash_size(hasher) < key_len)
-	{
-		goto end;
-	}
-
-	keymat = chunk_alloca(key_len * 2);
-	key.len = key_len;
-	key.ptr = keymat.ptr;
-	iv.len = key_len;
-	iv.ptr = keymat.ptr + key_len;
-
-	private_key = decrypt_private_key(blob, encr, key_len, (kdf_t)pbkdf1,
-									  hasher, salt, iterations, keymat,
-									  key, iv);
-
-end:
-	DESTROY_IF(hasher);
-	return private_key;
-}
-
-/**
- * Parse an ASN1_INTEGER to a u_int64_t.
- */
-static u_int64_t parse_asn1_integer_uint64(chunk_t blob)
-{
-	u_int64_t val = 0;
-	int i;
-
-	for (i = 0; i < blob.len; i++)
-	{	/* if it is longer than 8 bytes, we just use the 8 LSBs */
-		val <<= 8;
-		val |= (u_int64_t)blob.ptr[i];
-	}
-	return val;
-}
-
-/**
- * ASN.1 definition of a PBKDF2-params structure
- * The salt is actually a CHOICE and could be an AlgorithmIdentifier from
- * PBKDF2-SaltSources (but as per RFC 2898 that's for future versions).
- */
-static const asn1Object_t pbkdf2ParamsObjects[] = {
-	{ 0, "PBKDF2-params",	ASN1_SEQUENCE,		ASN1_NONE			}, /* 0 */
-	{ 1,   "salt",			ASN1_OCTET_STRING,	ASN1_BODY			}, /* 1 */
-	{ 1,   "iterationCount",ASN1_INTEGER,		ASN1_BODY			}, /* 2 */
-	{ 1,   "keyLength",		ASN1_INTEGER,		ASN1_OPT|ASN1_BODY	}, /* 3 */
-	{ 1,   "end opt",		ASN1_EOC,			ASN1_END			}, /* 4 */
-	{ 1,   "prf",			ASN1_EOC,			ASN1_DEF|ASN1_RAW	}, /* 5 */
-	{ 0, "exit",			ASN1_EOC,			ASN1_EXIT			}
-};
-#define PBKDF2_SALT					1
-#define PBKDF2_ITERATION_COUNT		2
-#define PBKDF2_KEY_LENGTH			3
-#define PBKDF2_PRF					5
-
-/**
- * Parse a PBKDF2-params structure
- */
-static void parse_pbkdf2_params(chunk_t blob, chunk_t *salt,
-								u_int64_t *iterations, size_t *key_len,
-								pseudo_random_function_t *prf)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(pbkdf2ParamsObjects, blob);
-
-	*key_len = 0; /* key_len is optional */
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case PBKDF2_SALT:
-			{
-				*salt = object;
-				break;
-			}
-			case PBKDF2_ITERATION_COUNT:
-			{
-				*iterations = parse_asn1_integer_uint64(object);
-				break;
-			}
-			case PBKDF2_KEY_LENGTH:
-			{
-				*key_len = (size_t)parse_asn1_integer_uint64(object);
-				break;
-			}
-			case PBKDF2_PRF:
-			{	/* defaults to id-hmacWithSHA1 */
-				*prf = PRF_HMAC_SHA1;
-				break;
-			}
-		}
-	}
-
-	parser->destroy(parser);
-}
-
-/**
- * ASN.1 definition of a PBES2-params structure
- */
-static const asn1Object_t pbes2ParamsObjects[] = {
-	{ 0, "PBES2-params",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
-	{ 1,   "keyDerivationFunc",	ASN1_EOC,			ASN1_RAW	}, /* 1 */
-	{ 1,   "encryptionScheme",	ASN1_EOC,			ASN1_RAW	}, /* 2 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
-};
-#define PBES2PARAMS_KEY_DERIVATION_FUNC		1
-#define PBES2PARAMS_ENCRYPTION_SCHEME		2
-
-/**
- * Parse a PBES2-params structure
- */
-static void parse_pbes2_params(chunk_t blob, chunk_t *salt,
-							   u_int64_t *iterations, size_t *key_len,
-							   pseudo_random_function_t *prf,
-							   encryption_algorithm_t *encr, chunk_t *iv)
-{
-	asn1_parser_t *parser;
-	chunk_t object, params;
-	int objectID;
-
-	parser = asn1_parser_create(pbes2ParamsObjects, blob);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case PBES2PARAMS_KEY_DERIVATION_FUNC:
-			{
-				int oid = asn1_parse_algorithmIdentifier(object,
-									parser->get_level(parser) + 1, &params);
-				if (oid != OID_PBKDF2)
-				{	/* unsupported key derivation function */
-					goto end;
-				}
-				parse_pbkdf2_params(params, salt, iterations, key_len, prf);
-				break;
-			}
-			case PBES2PARAMS_ENCRYPTION_SCHEME:
-			{
-				int oid = asn1_parse_algorithmIdentifier(object,
-									parser->get_level(parser) + 1, &params);
-				if (oid != OID_3DES_EDE_CBC)
-				{	/* unsupported encryption scheme */
-					goto end;
-				}
-				if (*key_len <= 0)
-				{	/* default key len for DES-EDE3-CBC-Pad */
-					*key_len = 24;
-				}
-				if (!asn1_parse_simple_object(&params, ASN1_OCTET_STRING,
-									parser->get_level(parser) + 1, "IV"))
-				{
-					goto end;
-				}
-				*encr = ENCR_3DES;
-				*iv = params;
-				break;
-			}
-		}
-	}
-
-end:
-	parser->destroy(parser);
-}
-
-/**
- * ASN.1 definition of a PBEParameter structure
- */
-static const asn1Object_t pbeParameterObjects[] = {
-	{ 0, "PBEParameter",		ASN1_SEQUENCE,		ASN1_NONE	}, /* 0 */
-	{ 1,   "salt",				ASN1_OCTET_STRING,	ASN1_BODY	}, /* 1 */
-	{ 1,   "iterationCount",	ASN1_INTEGER,		ASN1_BODY	}, /* 2 */
-	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT	}
-};
-#define PBEPARAM_SALT					1
-#define PBEPARAM_ITERATION_COUNT		2
-
-/**
- * Parse a PBEParameter structure
- */
-static void parse_pbe_parameters(chunk_t blob, chunk_t *salt,
-								 u_int64_t *iterations)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-
-	parser = asn1_parser_create(pbeParameterObjects, blob);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-			case PBEPARAM_SALT:
-			{
-				*salt = object;
-				break;
-			}
-			case PBEPARAM_ITERATION_COUNT:
-			{
-				*iterations = parse_asn1_integer_uint64(object);
-				break;
-			}
-		}
-	}
-
-	parser->destroy(parser);
-}
-
-/**
  * ASN.1 definition of an encryptedPrivateKeyInfo structure
  */
 static const asn1Object_t encryptedPKIObjects[] = {
@@ -535,14 +153,10 @@ static const asn1Object_t encryptedPKIObjects[] = {
 static private_key_t *parse_encrypted_private_key(chunk_t blob)
 {
 	asn1_parser_t *parser;
-	chunk_t object, params, salt, iv;
-	u_int64_t iterations = 0;
+	chunk_t object;
 	int objectID;
-	encryption_algorithm_t encr = ENCR_UNDEFINED;
-	hash_algorithm_t hash = HASH_UNKNOWN;
-	pseudo_random_function_t prf = PRF_UNDEFINED;
 	private_key_t *key = NULL;
-	size_t key_len = 8;
+	pkcs5_t *pkcs5 = NULL;
 
 	parser = asn1_parser_create(encryptedPKIObjects, blob);
 
@@ -552,49 +166,24 @@ static private_key_t *parse_encrypted_private_key(chunk_t blob)
 		{
 			case EPKINFO_ENCRYPTION_ALGORITHM:
 			{
-				int oid = asn1_parse_algorithmIdentifier(object,
-									parser->get_level(parser) + 1, &params);
-
-				switch (oid)
+				pkcs5 = pkcs5_from_algorithmIdentifier(object,
+												parser->get_level(parser) + 1);
+				if (!pkcs5)
 				{
-					case OID_PBE_MD5_DES_CBC:
-						encr = ENCR_DES;
-						hash = HASH_MD5;
-						parse_pbe_parameters(params, &salt, &iterations);
-						break;
-					case OID_PBE_SHA1_DES_CBC:
-						encr = ENCR_DES;
-						hash = HASH_SHA1;
-						parse_pbe_parameters(params, &salt, &iterations);
-						break;
-					case OID_PBES2:
-						parse_pbes2_params(params, &salt, &iterations,
-										   &key_len, &prf, &encr, &iv);
-						break;
-					default:
-						/* encryption scheme not supported */
-						goto end;
+					goto end;
 				}
 				break;
 			}
 			case EPKINFO_ENCRYPTED_DATA:
 			{
-				if (prf != PRF_UNDEFINED)
-				{
-					key = decrypt_private_key_pbes2(object, encr, key_len, iv,
-													prf, salt, iterations);
-				}
-				else
-				{
-					key = decrypt_private_key_pbes1(object, encr, key_len, hash,
-													salt, iterations);
-				}
+				key = decrypt_private_key(pkcs5, object);
 				break;
 			}
 		}
 	}
 
 end:
+	DESTROY_IF(pkcs5);
 	parser->destroy(parser);
 	return key;
 }
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
index f78c83054..129fbb045 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
@@ -43,6 +43,7 @@ METHOD(plugin_t, get_features, int,
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(PRIVKEY, pkcs8_private_key_load, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
 	};
diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 2a97205bb..8a1958be5 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2011 Martin Willi
  * Copyright (C) 2011 revosec AG
  *
@@ -18,7 +21,7 @@
 
 #include "plugin_feature.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"NONE",
@@ -29,6 +32,7 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"PRF",
 	"DH",
 	"RNG",
+	"NONCE_GEN",
 	"PRIVKEY",
 	"PRIVKEY_GEN",
 	"PRIVKEY_SIGN",
@@ -38,16 +42,74 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"PUBKEY_ENCRYPT",
 	"CERT_DECODE",
 	"CERT_ENCODE",
+	"CONTAINER_DECODE",
+	"CONTAINER_ENCODE",
 	"EAP_SERVER",
 	"EAP_CLIENT",
+	"XAUTH_SERVER",
+	"XAUTH_CLIENT",
 	"DATABASE",
 	"FETCHER",
+	"RESOLVER",
 	"CUSTOM",
 );
 
 /**
  * See header.
  */
+u_int32_t plugin_feature_hash(plugin_feature_t *feature)
+{
+	chunk_t data;
+
+	switch (feature->type)
+	{
+		case FEATURE_NONE:
+		case FEATURE_RNG:
+		case FEATURE_NONCE_GEN:
+		case FEATURE_DATABASE:
+		case FEATURE_FETCHER:
+		case FEATURE_RESOLVER:
+			/* put these special cases in their (type-specific) buckets */
+			data = chunk_empty;
+			break;
+		case FEATURE_CRYPTER:
+		case FEATURE_AEAD:
+		case FEATURE_SIGNER:
+		case FEATURE_HASHER:
+		case FEATURE_PRF:
+		case FEATURE_DH:
+		case FEATURE_PRIVKEY:
+		case FEATURE_PRIVKEY_GEN:
+		case FEATURE_PUBKEY:
+		case FEATURE_PRIVKEY_SIGN:
+		case FEATURE_PUBKEY_VERIFY:
+		case FEATURE_PRIVKEY_DECRYPT:
+		case FEATURE_PUBKEY_ENCRYPT:
+		case FEATURE_CERT_DECODE:
+		case FEATURE_CERT_ENCODE:
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
+		case FEATURE_EAP_SERVER:
+		case FEATURE_EAP_PEER:
+			data = chunk_from_thing(feature->arg);
+			break;
+		case FEATURE_CUSTOM:
+			data = chunk_create(feature->arg.custom,
+								strlen(feature->arg.custom));
+			break;
+		case FEATURE_XAUTH_SERVER:
+		case FEATURE_XAUTH_PEER:
+			data = chunk_create(feature->arg.xauth,
+								strlen(feature->arg.xauth));
+			break;
+	}
+	return chunk_hash_inc(chunk_from_thing(feature->type),
+						  chunk_hash(data));
+}
+
+/**
+ * See header.
+ */
 bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 {
 	if (a->type == b->type)
@@ -72,6 +134,9 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 				return a->arg.dh_group == b->arg.dh_group;
 			case FEATURE_RNG:
 				return a->arg.rng_quality <= b->arg.rng_quality;
+			case FEATURE_NONCE_GEN:
+			case FEATURE_RESOLVER:
+				return TRUE;
 			case FEATURE_PRIVKEY:
 			case FEATURE_PRIVKEY_GEN:
 			case FEATURE_PUBKEY:
@@ -85,6 +150,9 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 			case FEATURE_CERT_DECODE:
 			case FEATURE_CERT_ENCODE:
 				return a->arg.cert == b->arg.cert;
+			case FEATURE_CONTAINER_DECODE:
+			case FEATURE_CONTAINER_ENCODE:
+				return a->arg.container == b->arg.container;
 			case FEATURE_EAP_SERVER:
 			case FEATURE_EAP_PEER:
 				return a->arg.eap == b->arg.eap;
@@ -96,6 +164,59 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 					   streq(a->arg.fetcher, b->arg.fetcher);
 			case FEATURE_CUSTOM:
 				return streq(a->arg.custom, b->arg.custom);
+			case FEATURE_XAUTH_SERVER:
+			case FEATURE_XAUTH_PEER:
+				return streq(a->arg.xauth, b->arg.xauth);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool plugin_feature_equals(plugin_feature_t *a, plugin_feature_t *b)
+{
+	if (a->type == b->type)
+	{
+		switch (a->type)
+		{
+			case FEATURE_NONE:
+			case FEATURE_CRYPTER:
+			case FEATURE_AEAD:
+			case FEATURE_SIGNER:
+			case FEATURE_HASHER:
+			case FEATURE_PRF:
+			case FEATURE_DH:
+			case FEATURE_NONCE_GEN:
+			case FEATURE_RESOLVER:
+			case FEATURE_PRIVKEY:
+			case FEATURE_PRIVKEY_GEN:
+			case FEATURE_PUBKEY:
+			case FEATURE_PRIVKEY_SIGN:
+			case FEATURE_PUBKEY_VERIFY:
+			case FEATURE_PRIVKEY_DECRYPT:
+			case FEATURE_PUBKEY_ENCRYPT:
+			case FEATURE_CERT_DECODE:
+			case FEATURE_CERT_ENCODE:
+			case FEATURE_CONTAINER_DECODE:
+			case FEATURE_CONTAINER_ENCODE:
+			case FEATURE_EAP_SERVER:
+			case FEATURE_EAP_PEER:
+			case FEATURE_CUSTOM:
+			case FEATURE_XAUTH_SERVER:
+			case FEATURE_XAUTH_PEER:
+				return plugin_feature_matches(a, b);
+			case FEATURE_RNG:
+				return a->arg.rng_quality == b->arg.rng_quality;
+			case FEATURE_DATABASE:
+				return a->arg.database == b->arg.database;
+			case FEATURE_FETCHER:
+				if (a->arg.fetcher && b->arg.fetcher)
+				{
+					return streq(a->arg.fetcher, b->arg.fetcher);
+				}
+				return !a->arg.fetcher && !b->arg.fetcher;
 		}
 	}
 	return FALSE;
@@ -167,6 +288,13 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 				return str;
 			}
 			break;
+		case FEATURE_NONCE_GEN:
+		case FEATURE_RESOLVER:
+			if (asprintf(&str, "%N", plugin_feature_names, feature->type) > 0)
+			{
+				return str;
+			}
+			break;
 		case FEATURE_PRIVKEY:
 		case FEATURE_PRIVKEY_GEN:
 		case FEATURE_PUBKEY:
@@ -200,6 +328,14 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 				return str;
 			}
 			break;
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
+			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
+					container_type_names, feature->arg.container) > 0)
+			{
+				return str;
+			}
+			break;
 		case FEATURE_EAP_SERVER:
 		case FEATURE_EAP_PEER:
 			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
@@ -229,6 +365,14 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 				return str;
 			}
 			break;
+		case FEATURE_XAUTH_SERVER:
+		case FEATURE_XAUTH_PEER:
+			if (asprintf(&str, "%N:%s", plugin_feature_names, feature->type,
+					feature->arg.xauth) > 0)
+			{
+				return str;
+			}
+			break;
 	}
 	if (!str)
 	{
@@ -251,7 +395,8 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
 	}
 	if (reg->kind == FEATURE_CALLBACK)
 	{
-		if (reg->arg.cb.f(plugin, feature, TRUE, reg->arg.cb.data))
+		if (!reg->arg.cb.f ||
+			 reg->arg.cb.f(plugin, feature, TRUE, reg->arg.cb.data))
 		{
 			return TRUE;
 		}
@@ -288,6 +433,10 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
 			lib->crypto->add_rng(lib->crypto, feature->arg.rng_quality,
 								name, reg->arg.reg.f);
 			break;
+		case FEATURE_NONCE_GEN:
+			lib->crypto->add_nonce_gen(lib->crypto,
+								name, reg->arg.reg.f);
+			break;
 		case FEATURE_PRIVKEY:
 		case FEATURE_PRIVKEY_GEN:
 			lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY,
@@ -305,6 +454,12 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
 								feature->arg.cert, reg->arg.reg.final,
 								reg->arg.reg.f);
 			break;
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
+			lib->creds->add_builder(lib->creds, CRED_CONTAINER,
+								feature->arg.container, reg->arg.reg.final,
+								reg->arg.reg.f);
+			break;
 		case FEATURE_DATABASE:
 			lib->db->add_database(lib->db, reg->arg.reg.f);
 			break;
@@ -312,6 +467,9 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature,
 			lib->fetcher->add_fetcher(lib->fetcher, reg->arg.reg.f,
 									  feature->arg.fetcher);
 			break;
+		case FEATURE_RESOLVER:
+			lib->resolver->add_resolver(lib->resolver, reg->arg.reg.f);
+			break;
 		default:
 			break;
 	}
@@ -330,7 +488,8 @@ bool plugin_feature_unload(plugin_t *plugin, plugin_feature_t *feature,
 	}
 	if (reg->kind == FEATURE_CALLBACK)
 	{
-		if (reg->arg.cb.f(plugin, feature, FALSE, reg->arg.cb.data))
+		if (!reg->arg.cb.f ||
+			 reg->arg.cb.f(plugin, feature, FALSE, reg->arg.cb.data))
 		{
 			return TRUE;
 		}
@@ -359,6 +518,9 @@ bool plugin_feature_unload(plugin_t *plugin, plugin_feature_t *feature,
 		case FEATURE_RNG:
 			lib->crypto->remove_rng(lib->crypto, reg->arg.reg.f);
 			break;
+		case FEATURE_NONCE_GEN:
+			lib->crypto->remove_nonce_gen(lib->crypto, reg->arg.reg.f);
+			break;
 		case FEATURE_PRIVKEY:
 		case FEATURE_PRIVKEY_GEN:
 			lib->creds->remove_builder(lib->creds, reg->arg.reg.f);
@@ -370,12 +532,19 @@ bool plugin_feature_unload(plugin_t *plugin, plugin_feature_t *feature,
 		case FEATURE_CERT_ENCODE:
 			lib->creds->remove_builder(lib->creds, reg->arg.reg.f);
 			break;
+		case FEATURE_CONTAINER_DECODE:
+		case FEATURE_CONTAINER_ENCODE:
+			lib->creds->remove_builder(lib->creds, reg->arg.reg.f);
+			break;
 		case FEATURE_DATABASE:
 			lib->db->remove_database(lib->db, reg->arg.reg.f);
 			break;
 		case FEATURE_FETCHER:
 			lib->fetcher->remove_fetcher(lib->fetcher, reg->arg.reg.f);
 			break;
+		case FEATURE_RESOLVER:
+			lib->resolver->remove_resolver(lib->resolver, reg->arg.reg.f);
+			break;
 		default:
 			break;
 	}
diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h
index b1500feba..ea23f766c 100644
--- a/src/libstrongswan/plugins/plugin_feature.h
+++ b/src/libstrongswan/plugins/plugin_feature.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2011 Martin Willi
  * Copyright (C) 2011 revosec AG
  *
@@ -26,6 +29,7 @@ typedef struct plugin_feature_t plugin_feature_t;
 #include <library.h>
 #include <eap/eap.h>
 #include <plugins/plugin.h>
+#include <credentials/containers/container.h>
 
 /**
  * Callback function of a plugin to (un-)register a specified feature.
@@ -48,17 +52,19 @@ typedef bool (*plugin_feature_callback_t)(plugin_t *plugin,
  * features provided by the plugin, hard (DEPENDS) or soft (SDEPEND) dependency
  * specified is related to the previously defined PROVIDE feature.
  * If a plugin feature requires to hook in functionality into the library
- * or a daemon, it can use REGISTER or CALLBACK entries. Each PROVIDED feature
+ * or a daemon, it can use REGISTER or CALLBACK entries. Each PROVIDE feature
  * uses the REGISTER/CALLBACK entry defined previously. The REGISTER entry
  * defines a common feature registration function directly passed to the
  * associated manager or factory (crypto/credential factory etc.). A callback
  * function is more generic allows the loader to invoke a callback to do
- * the registration.
+ * the registration. PROVIDE features that do not use a registration or callback
+ * function must be listed before any REGISTER/CALLBACK entry, or use the NOOP
+ * helper macro.
  *
- * To conviently create feature lists, use the four macros PLUGIN_REGISTER,
- * PLUGIN_CALLBACK, PLUGIN_PROVIDE, PLUGIN_DEPENDS and PLUGIN_SDEPEND. Use
- * identation to show how the registration functions and dependencies are
- * related to a provided feature, such as:
+ * To conveniently create feature lists, use the macros PLUGIN_REGISTER,
+ * PLUGIN_CALLBACK, PLUGIN_NOOP, PLUGIN_PROVIDE, PLUGIN_DEPENDS and
+ * PLUGIN_SDEPEND. Use indentation to show how the registration functions
+ * and dependencies are related to a provided feature, such as:
  *
  * @verbatim
 	// two features, one with two dependencies, both use a callback to register
@@ -72,7 +78,8 @@ typedef bool (*plugin_feature_callback_t)(plugin_t *plugin,
 		PLUGIN_PROVIDE(...),
 			PLUGIN_DEPENDS(...),
 	// feature that does not use a registration function
-	PLUGIN_PROVIDE(...),
+	PLUGIN_NOOP,
+		PLUGIN_PROVIDE(...),
 	@endverbatim
  */
 struct plugin_feature_t {
@@ -107,6 +114,8 @@ struct plugin_feature_t {
 		FEATURE_DH,
 		/** rng_t */
 		FEATURE_RNG,
+		/** nonce_gen_t */
+		FEATURE_NONCE_GEN,
 		/** generic private key support */
 		FEATURE_PRIVKEY,
 		/** generating new private keys */
@@ -125,14 +134,24 @@ struct plugin_feature_t {
 		FEATURE_CERT_DECODE,
 		/** generating certificates */
 		FEATURE_CERT_ENCODE,
+		/** parsing containers */
+		FEATURE_CONTAINER_DECODE,
+		/** generating containers */
+		FEATURE_CONTAINER_ENCODE,
 		/** EAP server implementation */
 		FEATURE_EAP_SERVER,
 		/** EAP peer implementation */
 		FEATURE_EAP_PEER,
+		/** XAuth server implementation */
+		FEATURE_XAUTH_SERVER,
+		/** XAuth peer implementation */
+		FEATURE_XAUTH_PEER,
 		/** database_t */
 		FEATURE_DATABASE,
 		/** fetcher_t */
 		FEATURE_FETCHER,
+		/** resolver_t */
+		FEATURE_RESOLVER,
 		/** custom feature, described with a string */
 		FEATURE_CUSTOM,
 	} type;
@@ -174,6 +193,8 @@ struct plugin_feature_t {
 		encryption_scheme_t pubkey_encrypt;
 		/** FEATURE_CERT_DECODE/ENCODE */
 		certificate_type_t cert;
+		/** FEATURE_CONTAINER_DECODE/ENCODE */
+		container_type_t container;
 		/** FEATURE_EAP_SERVER/CLIENT */
 		eap_type_t eap;
 		/** FEATURE_DATABASE */
@@ -182,6 +203,8 @@ struct plugin_feature_t {
 		char *fetcher;
 		/** FEATURE_CUSTOM */
 		char *custom;
+		/** FEATURE_XAUTH_SERVER/CLIENT */
+		char *xauth;
 
 		/** FEATURE_REGISTER */
 		struct {
@@ -221,6 +244,11 @@ struct plugin_feature_t {
 #define PLUGIN_CALLBACK(cb, data) _PLUGIN_FEATURE_CALLBACK(cb, data)
 
 /**
+ * The upcoming features use neither a callback nor a register function.
+ */
+#define PLUGIN_NOOP _PLUGIN_FEATURE_CALLBACK(NULL, NULL)
+
+/**
  * Define a feature the plugin provides.
  *
  * @param type		feature type to provide
@@ -252,6 +280,7 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_PRF(kind, alg)						__PLUGIN_FEATURE(kind, PRF, .prf = alg)
 #define _PLUGIN_FEATURE_DH(kind, group)						__PLUGIN_FEATURE(kind, DH, .dh_group = group)
 #define _PLUGIN_FEATURE_RNG(kind, quality)					__PLUGIN_FEATURE(kind, RNG, .rng_quality = quality)
+#define _PLUGIN_FEATURE_NONCE_GEN(kind, ...)				__PLUGIN_FEATURE(kind, NONCE_GEN, .custom = NULL)
 #define _PLUGIN_FEATURE_PRIVKEY(kind, type)					__PLUGIN_FEATURE(kind, PRIVKEY, .privkey = type)
 #define _PLUGIN_FEATURE_PRIVKEY_GEN(kind, type)				__PLUGIN_FEATURE(kind, PRIVKEY_GEN, .privkey_gen = type)
 #define _PLUGIN_FEATURE_PRIVKEY_SIGN(kind, scheme)			__PLUGIN_FEATURE(kind, PRIVKEY_SIGN, .privkey_sign = scheme)
@@ -261,11 +290,16 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_PUBKEY_ENCRYPT(kind, scheme)		__PLUGIN_FEATURE(kind, PUBKEY_ENCRYPT, .pubkey_encrypt = scheme)
 #define _PLUGIN_FEATURE_CERT_DECODE(kind, type)				__PLUGIN_FEATURE(kind, CERT_DECODE, .cert = type)
 #define _PLUGIN_FEATURE_CERT_ENCODE(kind, type)				__PLUGIN_FEATURE(kind, CERT_ENCODE, .cert = type)
+#define _PLUGIN_FEATURE_CONTAINER_DECODE(kind, type)		__PLUGIN_FEATURE(kind, CONTAINER_DECODE, .container = type)
+#define _PLUGIN_FEATURE_CONTAINER_ENCODE(kind, type)		__PLUGIN_FEATURE(kind, CONTAINER_ENCODE, .container = type)
 #define _PLUGIN_FEATURE_EAP_SERVER(kind, type)				__PLUGIN_FEATURE(kind, EAP_SERVER, .eap = type)
 #define _PLUGIN_FEATURE_EAP_PEER(kind, type)				__PLUGIN_FEATURE(kind, EAP_PEER, .eap = type)
 #define _PLUGIN_FEATURE_DATABASE(kind, type)				__PLUGIN_FEATURE(kind, DATABASE, .database = type)
 #define _PLUGIN_FEATURE_FETCHER(kind, type)					__PLUGIN_FEATURE(kind, FETCHER, .fetcher = type)
+#define _PLUGIN_FEATURE_RESOLVER(kind, ...)					__PLUGIN_FEATURE(kind, RESOLVER, .custom = NULL)
 #define _PLUGIN_FEATURE_CUSTOM(kind, name)					__PLUGIN_FEATURE(kind, CUSTOM, .custom = name)
+#define _PLUGIN_FEATURE_XAUTH_SERVER(kind, name)			__PLUGIN_FEATURE(kind, XAUTH_SERVER, .xauth = name)
+#define _PLUGIN_FEATURE_XAUTH_PEER(kind, name)				__PLUGIN_FEATURE(kind, XAUTH_PEER, .xauth = name)
 
 #define __PLUGIN_FEATURE_REGISTER(type, _f)					(plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
 #define __PLUGIN_FEATURE_REGISTER_BUILDER(type, _f, _final)	(plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg = {.f = _f, .final = _final, }}
@@ -276,13 +310,17 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_REGISTER_PRF(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_DH(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_RNG(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
+#define _PLUGIN_FEATURE_REGISTER_NONCE_GEN(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_PRIVKEY(type, f, final)	__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_PRIVKEY_GEN(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_PUBKEY(type, f, final)		__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_CERT_DECODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_CERT_ENCODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
+#define _PLUGIN_FEATURE_REGISTER_CONTAINER_DECODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
+#define _PLUGIN_FEATURE_REGISTER_CONTAINER_ENCODE(type, f, final)__PLUGIN_FEATURE_REGISTER_BUILDER(type, f, final)
 #define _PLUGIN_FEATURE_REGISTER_DATABASE(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 #define _PLUGIN_FEATURE_REGISTER_FETCHER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
+#define _PLUGIN_FEATURE_REGISTER_RESOLVER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
 
 #define _PLUGIN_FEATURE_CALLBACK(_cb, _data) (plugin_feature_t){ FEATURE_CALLBACK, FEATURE_NONE, .arg.cb = { .f = _cb, .data = _data } }
 
@@ -292,8 +330,45 @@ struct plugin_feature_t {
 extern enum_name_t *plugin_feature_names;
 
 /**
+ * Add a set of plugin features to the given array, which must have enough space
+ * to store the added features.
+ *
+ * @param features		the array of plugin features to extend
+ * @param to_add		the features to add
+ * @param count			number of features to add
+ * @param pos			current position in the features array, gets advanced
+ */
+static inline void plugin_features_add(plugin_feature_t *features,
+									   plugin_feature_t *to_add,
+									   int count, int *pos)
+{
+	int i;
+
+	for (i = 0; i < count; i++)
+	{
+		features[(*pos)++] = to_add[i];
+	}
+}
+
+/**
+ * Calculates a hash value for the given feature.
+ *
+ * Since this is intended to be used with the plugin_features_matches function
+ * the hash is not really unique for all types of features (e.g. RNGs are all
+ * mapped to the same value because they are loosely matched by said function).
+ *
+ * @param feature	feature to hash
+ * @return			hash value of the feature
+ */
+u_int32_t plugin_feature_hash(plugin_feature_t *feature);
+
+/**
  * Check if feature a matches to feature b.
  *
+ * This is no check for equality.  For instance, for FEATURE_RNG a matches b if
+ * a's strength is at least the strength of b.  Or for FEATURE_SQL if a is
+ * DB_ANY it will match b if it is of the same type.
+ *
  * @param a			feature to check
  * @param b			feature to match against
  * @return			TRUE if a matches b
@@ -301,6 +376,15 @@ extern enum_name_t *plugin_feature_names;
 bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b);
 
 /**
+ * Check if feature a equals feature b.
+ *
+ * @param a			feature
+ * @param b			feature to compare
+ * @return			TRUE if a equals b
+ */
+bool plugin_feature_equals(plugin_feature_t *a, plugin_feature_t *b);
+
+/**
  * Get a string describing feature.
  *
  * @param feature	feature to describe
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index f97cbb31f..5ed0a9b0f 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -17,18 +17,24 @@
 #define _GNU_SOURCE
 #include "plugin_loader.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
 #include <string.h>
 #include <dlfcn.h>
 #include <limits.h>
 #include <stdio.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
-#include <integrity_checker.h>
-#include <utils/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
 #include <plugins/plugin.h>
+#include <utils/integrity_checker.h>
 
 typedef struct private_plugin_loader_t private_plugin_loader_t;
+typedef struct registered_feature_t registered_feature_t;
+typedef struct provided_feature_t provided_feature_t;
 typedef struct plugin_entry_t plugin_entry_t;
 
 /**
@@ -47,9 +53,110 @@ struct private_plugin_loader_t {
 	linked_list_t *plugins;
 
 	/**
+	 * Hashtable for registered features, as registered_feature_t
+	 */
+	hashtable_t *features;
+
+	/**
+	 * Loaded features (stored in reverse order), as provided_feature_t
+	 */
+	linked_list_t *loaded;
+
+	/**
+	 * List of paths to search for plugins
+	 */
+	linked_list_t *paths;
+
+	/**
 	 * List of names of loaded plugins
 	 */
 	char *loaded_plugins;
+
+	/**
+	 * Statistics collected while loading features
+	 */
+	struct {
+		/** Number of features that failed to load */
+		int failed;
+		/** Number of features that failed because of unmet dependencies */
+		int depends;
+		/** Number of features in critical plugins that failed to load */
+		int critical;
+	} stats;
+};
+
+/**
+ * Registered plugin feature
+ */
+struct registered_feature_t {
+
+	/**
+	 * The registered feature
+	 */
+	plugin_feature_t *feature;
+
+	/**
+	 * List of plugins providing this feature, as provided_feature_t
+	 */
+	linked_list_t *plugins;
+};
+
+/**
+ * Hash a registered feature
+ */
+static bool registered_feature_hash(registered_feature_t *this)
+{
+	return plugin_feature_hash(this->feature);
+}
+
+/**
+ * Compare two registered features
+ */
+static bool registered_feature_equals(registered_feature_t *a,
+									  registered_feature_t *b)
+{
+	return plugin_feature_equals(a->feature, b->feature);
+}
+
+/**
+ * Feature as provided by a plugin
+ */
+struct provided_feature_t {
+
+	/**
+	 * Plugin providing the feature
+	 */
+	plugin_entry_t *entry;
+
+	/**
+	 * FEATURE_REGISTER or FEATURE_CALLBACK entry
+	 */
+	plugin_feature_t *reg;
+
+	/**
+	 * The provided feature (followed by dependencies)
+	 */
+	plugin_feature_t *feature;
+
+	/**
+	 * Maximum number of dependencies (following feature)
+	 */
+	int dependencies;
+
+	/**
+	 * TRUE if currently loading this feature (to prevent loops)
+	 */
+	bool loading;
+
+	/**
+	 * TRUE if feature loaded
+	 */
+	bool loaded;
+
+	/**
+	 * TRUE if feature failed to load
+	 */
+	bool failed;
 };
 
 /**
@@ -63,19 +170,19 @@ struct plugin_entry_t {
 	plugin_t *plugin;
 
 	/**
-	 * dlopen handle, if in separate lib
+	 * TRUE, if the plugin is marked as critical
 	 */
-	void *handle;
+	bool critical;
 
 	/**
-	 * List of loaded features
+	 * dlopen handle, if in separate lib
 	 */
-	linked_list_t *loaded;
+	void *handle;
 
 	/**
-	 * List features failed to load
+	 * List of features, as provided_feature_t
 	 */
-	linked_list_t *failed;
+	linked_list_t *features;
 };
 
 /**
@@ -88,18 +195,90 @@ static void plugin_entry_destroy(plugin_entry_t *entry)
 	{
 		dlclose(entry->handle);
 	}
-	entry->loaded->destroy(entry->loaded);
-	entry->failed->destroy(entry->failed);
+	entry->features->destroy(entry->features);
 	free(entry);
 }
 
 /**
+ * Wrapper for static plugin features
+ */
+typedef struct {
+
+	/**
+	 * Implements plugin_t interface
+	 */
+	plugin_t public;
+
+	/**
+	 * Name of the module registering these features
+	 */
+	char *name;
+
+	/**
+	 * Static plugin features
+	 */
+	plugin_feature_t *features;
+
+	/**
+	 * Number of plugin features
+	 */
+	int count;
+
+} static_features_t;
+
+METHOD(plugin_t, get_static_name, char*,
+	static_features_t *this)
+{
+	return this->name;
+}
+
+METHOD(plugin_t, get_static_features, int,
+	static_features_t *this, plugin_feature_t *features[])
+{
+	*features = this->features;
+	return this->count;
+}
+
+METHOD(plugin_t, static_destroy, void,
+	static_features_t *this)
+{
+	free(this->features);
+	free(this->name);
+	free(this);
+}
+
+/**
+ * Create a wrapper around static plugin features.
+ */
+static plugin_t *static_features_create(const char *name,
+										plugin_feature_t features[], int count)
+{
+	static_features_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_static_name,
+			.get_features = _get_static_features,
+			.destroy = _static_destroy,
+		},
+		.name = strdup(name),
+		.features = calloc(count, sizeof(plugin_feature_t)),
+		.count = count,
+	);
+
+	memcpy(this->features, features, sizeof(plugin_feature_t) * count);
+
+	return &this->public;
+}
+
+/**
  * create a plugin
  * returns: NOT_FOUND, if the constructor was not found
  *          FAILED, if the plugin could not be constructed
  */
 static status_t create_plugin(private_plugin_loader_t *this, void *handle,
-						char *name, bool integrity, plugin_entry_t **entry)
+							  char *name, bool integrity, bool critical,
+							  plugin_entry_t **entry)
 {
 	char create[128];
 	plugin_t *plugin;
@@ -135,8 +314,8 @@ static status_t create_plugin(private_plugin_loader_t *this, void *handle,
 	}
 	INIT(*entry,
 		.plugin = plugin,
-		.loaded = linked_list_create(),
-		.failed = linked_list_create(),
+		.critical = critical,
+		.features = linked_list_create(),
 	);
 	DBG2(DBG_LIB, "plugin '%s': loaded successfully", name);
 	return SUCCESS;
@@ -145,21 +324,25 @@ static status_t create_plugin(private_plugin_loader_t *this, void *handle,
 /**
  * load a single plugin
  */
-static bool load_plugin(private_plugin_loader_t *this, char *name, char *file)
+static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name,
+								   char *file, bool critical)
 {
 	plugin_entry_t *entry;
 	void *handle;
 
-	switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, &entry))
+	switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, critical, &entry))
 	{
 		case SUCCESS:
 			this->plugins->insert_last(this->plugins, entry);
-			return TRUE;
+			return entry;
 		case NOT_FOUND:
-			/* try to load the plugin from a file */
-			break;
+			if (file)
+			{	/* try to load the plugin from a file */
+				break;
+			}
+			/* fall-through */
 		default:
-			return FALSE;
+			return NULL;
 	}
 	if (lib->integrity)
 	{
@@ -167,23 +350,33 @@ static bool load_plugin(private_plugin_loader_t *this, char *name, char *file)
 		{
 			DBG1(DBG_LIB, "plugin '%s': failed file integrity test of '%s'",
 				 name, file);
-			return FALSE;
+			return NULL;
 		}
 	}
 	handle = dlopen(file, RTLD_LAZY);
 	if (handle == NULL)
 	{
 		DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
-		return FALSE;
+		return NULL;
 	}
-	if (create_plugin(this, handle, name, TRUE, &entry) != SUCCESS)
+	if (create_plugin(this, handle, name, TRUE, critical, &entry) != SUCCESS)
 	{
 		dlclose(handle);
-		return FALSE;
+		return NULL;
 	}
 	entry->handle = handle;
 	this->plugins->insert_last(this->plugins, entry);
-	return TRUE;
+	return entry;
+}
+
+/**
+ * Convert enumerated provided_feature_t to plugin_feature_t
+ */
+static bool feature_filter(void *null, provided_feature_t **provided,
+						   plugin_feature_t **feature)
+{
+	*feature = (*provided)->feature;
+	return (*provided)->loaded;
 }
 
 /**
@@ -192,10 +385,16 @@ static bool load_plugin(private_plugin_loader_t *this, char *name, char *file)
 static bool plugin_filter(void *null, plugin_entry_t **entry, plugin_t **plugin,
 						  void *in, linked_list_t **list)
 {
-	*plugin = (*entry)->plugin;
+	plugin_entry_t *this = *entry;
+
+	*plugin = this->plugin;
 	if (list)
 	{
-		*list = (*entry)->loaded;
+		enumerator_t *features;
+		features = enumerator_create_filter(
+							this->features->create_enumerator(this->features),
+							(void*)feature_filter, NULL, NULL);
+		*list = linked_list_create_from_enumerator(features);
 	}
 	return TRUE;
 }
@@ -208,6 +407,35 @@ METHOD(plugin_loader_t, create_plugin_enumerator, enumerator_t*,
 							(void*)plugin_filter, NULL, NULL);
 }
 
+METHOD(plugin_loader_t, has_feature, bool,
+	private_plugin_loader_t *this, plugin_feature_t feature)
+{
+	enumerator_t *plugins, *features;
+	plugin_t *plugin;
+	linked_list_t *list;
+	plugin_feature_t *current;
+	bool found = FALSE;
+
+	plugins = create_plugin_enumerator(this);
+	while (plugins->enumerate(plugins, &plugin, &list))
+	{
+		features = list->create_enumerator(list);
+		while (features->enumerate(features, &current))
+		{
+			if (plugin_feature_matches(&feature, current))
+			{
+				found = TRUE;
+				break;
+			}
+		}
+		features->destroy(features);
+		list->destroy(list);
+	}
+	plugins->destroy(plugins);
+
+	return found;
+}
+
 /**
  * Create a list of the names of all loaded plugins
  */
@@ -239,7 +467,6 @@ static char* loaded_plugins_list(private_plugin_loader_t *this)
 	return buf;
 }
 
-
 /**
  * Check if a plugin is already loaded
  */
@@ -263,76 +490,176 @@ static bool plugin_loaded(private_plugin_loader_t *this, char *name)
 }
 
 /**
- * Check if a feature of a plugin is already loaded
+ * Forward declaration
+ */
+static void load_provided(private_plugin_loader_t *this,
+						  provided_feature_t *provided,
+						  int level);
+
+/**
+ * Used to find a loaded feature
  */
-static bool feature_loaded(private_plugin_loader_t *this, plugin_entry_t *entry,
-						   plugin_feature_t *feature)
+static bool is_feature_loaded(provided_feature_t *item)
 {
-	return entry->loaded->find_first(entry->loaded, NULL,
-									 (void**)&feature) == SUCCESS;
+	return item->loaded;
 }
 
 /**
- * Check if loading a feature of a plugin failed
+ * Used to find a loadable feature
  */
-static bool feature_failed(private_plugin_loader_t *this, plugin_entry_t *entry,
-						   plugin_feature_t *feature)
+static bool is_feature_loadable(provided_feature_t *item)
 {
-	return entry->failed->find_first(entry->failed, NULL,
-									 (void**)&feature) == SUCCESS;
+	return !item->loading && !item->loaded && !item->failed;
 }
 
 /**
- * Check if dependencies are satisfied
+ * Find a loaded and matching feature
  */
-static bool dependencies_satisfied(private_plugin_loader_t *this,
-								plugin_entry_t *entry, bool soft, bool report,
-								plugin_feature_t *features, int count)
+static bool loaded_feature_matches(registered_feature_t *a,
+								   registered_feature_t *b)
 {
+	if (plugin_feature_matches(a->feature, b->feature))
+	{
+		return b->plugins->find_first(b->plugins, (void*)is_feature_loaded,
+									  NULL) == SUCCESS;
+	}
+	return FALSE;
+}
+
+/**
+ * Find a loadable module that equals the requested feature
+ */
+static bool loadable_feature_equals(registered_feature_t *a,
+									registered_feature_t *b)
+{
+	if (plugin_feature_equals(a->feature, b->feature))
+	{
+		return b->plugins->find_first(b->plugins, (void*)is_feature_loadable,
+									  NULL) == SUCCESS;
+	}
+	return FALSE;
+}
+
+/**
+ * Find a loadable module that matches the requested feature
+ */
+static bool loadable_feature_matches(registered_feature_t *a,
+									 registered_feature_t *b)
+{
+	if (plugin_feature_matches(a->feature, b->feature))
+	{
+		return b->plugins->find_first(b->plugins, (void*)is_feature_loadable,
+									  NULL) == SUCCESS;
+	}
+	return FALSE;
+}
+
+/**
+ * Returns a compatible plugin feature for the given depencency
+ */
+static bool find_compatible_feature(private_plugin_loader_t *this,
+									plugin_feature_t *dependency)
+{
+	registered_feature_t *feature, lookup = {
+		.feature = dependency,
+	};
+
+	feature = this->features->get_match(this->features, &lookup,
+									   (void*)loaded_feature_matches);
+	return feature != NULL;
+}
+
+/**
+ * Load a registered plugin feature
+ */
+static void load_registered(private_plugin_loader_t *this,
+							registered_feature_t *registered,
+							int level)
+{
+	enumerator_t *enumerator;
+	provided_feature_t *provided;
+
+	enumerator = registered->plugins->create_enumerator(registered->plugins);
+	while (enumerator->enumerate(enumerator, &provided))
+	{
+		load_provided(this, provided, level);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Try to load dependencies of the given feature
+ */
+static bool load_dependencies(private_plugin_loader_t *this,
+							  provided_feature_t *provided,
+							  int level)
+{
+	registered_feature_t *registered, lookup;
+	int indent = level * 2;
 	int i;
 
 	/* first entry is provided feature, followed by dependencies */
-	for (i = 1; i < count; i++)
+	for (i = 1; i < provided->dependencies; i++)
 	{
-		enumerator_t *entries, *loaded;
-		plugin_feature_t *feature;
-		plugin_entry_t *current;
-		bool found = FALSE;
-
-		if (features[i].kind != FEATURE_DEPENDS &&
-			features[i].kind != FEATURE_SDEPEND)
+		if (provided->feature[i].kind != FEATURE_DEPENDS &&
+			provided->feature[i].kind != FEATURE_SDEPEND)
 		{	/* end of dependencies */
 			break;
 		}
-		entries = this->plugins->create_enumerator(this->plugins);
-		while (entries->enumerate(entries, &current))
-		{
-			loaded = current->loaded->create_enumerator(current->loaded);
-			while (loaded->enumerate(loaded, &feature))
+
+		/* we load the feature even if a compatible one is already loaded,
+		 * otherwise e.g. a specific database implementation loaded before
+		 * another might cause a plugin feature loaded in-between to fail */
+		lookup.feature = &provided->feature[i];
+		do
+		{	/* prefer an exactly matching feature, could be omitted but
+			 * results in a more predictable behavior */
+			registered = this->features->get_match(this->features,
+										 &lookup,
+										 (void*)loadable_feature_equals);
+			if (!registered)
+			{	/* try fuzzy matching */
+				registered = this->features->get_match(this->features,
+										 &lookup,
+										 (void*)loadable_feature_matches);
+			}
+			if (registered)
 			{
-				if (plugin_feature_matches(&features[i], feature))
-				{
-					found = TRUE;
-					break;
-				}
+				load_registered(this, registered, level);
 			}
-			loaded->destroy(loaded);
+			/* we could stop after finding one but for dependencies like
+			 * DB_ANY it might be needed to load all matching features */
 		}
-		entries->destroy(entries);
+		while (registered);
 
-		if (!found && (features[i].kind != FEATURE_SDEPEND || soft))
+		if (!find_compatible_feature(this, &provided->feature[i]))
 		{
-			if (report)
-			{
-				char *provide, *depend, *name;
+			char *name, *provide, *depend;
+			bool soft = provided->feature[i].kind == FEATURE_SDEPEND;
 
-				name = entry->plugin->get_name(entry->plugin);
-				provide = plugin_feature_get_string(&features[0]);
-				depend = plugin_feature_get_string(&features[i]);
-				DBG2(DBG_LIB, "feature %s in '%s' plugin has unsatisfied "
+			name = provided->entry->plugin->get_name(provided->entry->plugin);
+			provide = plugin_feature_get_string(&provided->feature[0]);
+			depend = plugin_feature_get_string(&provided->feature[i]);
+			if (soft)
+			{
+				DBG3(DBG_LIB, "%*sfeature %s in plugin '%s' has unmet soft "
+					 "dependency: %s", indent, "", provide, name, depend);
+			}
+			else if (provided->entry->critical)
+			{
+				DBG1(DBG_LIB, "feature %s in critical plugin '%s' has unmet "
 					 "dependency: %s", provide, name, depend);
-				free(provide);
-				free(depend);
+			}
+			else
+			{
+				DBG2(DBG_LIB, "feature %s in plugin '%s' has unmet dependency: "
+					 "%s", provide, name, depend);
+			}
+			free(provide);
+			free(depend);
+			if (soft)
+			{	/* it's ok if we can't resolve soft dependencies */
+				continue;
 			}
 			return FALSE;
 		}
@@ -341,119 +668,149 @@ static bool dependencies_satisfied(private_plugin_loader_t *this,
 }
 
 /**
- * Check if a given feature is still required as dependency
+ * Load registered plugin features
  */
-static bool dependency_required(private_plugin_loader_t *this,
-								plugin_feature_t *dep)
+static void load_feature(private_plugin_loader_t *this,
+						 provided_feature_t *provided,
+						 int level)
 {
-	enumerator_t *enumerator;
-	plugin_feature_t *features;
-	plugin_entry_t *entry;
-	int count, i;
-
-	enumerator = this->plugins->create_enumerator(this->plugins);
-	while (enumerator->enumerate(enumerator, &entry))
+	if (load_dependencies(this, provided, level))
 	{
-		if (!entry->plugin->get_features)
-		{	/* features not supported */
-			continue;
+		char *name, *provide;
+
+		if (plugin_feature_load(provided->entry->plugin, provided->feature,
+								provided->reg))
+		{
+			provided->loaded = TRUE;
+			/* insert first so we can unload the features in reverse order */
+			this->loaded->insert_first(this->loaded, provided);
+			return;
 		}
-		count = entry->plugin->get_features(entry->plugin, &features);
-		for (i = 0; i < count; i++)
+
+		name = provided->entry->plugin->get_name(provided->entry->plugin);
+		provide = plugin_feature_get_string(&provided->feature[0]);
+		if (provided->entry->critical)
 		{
-			if (feature_loaded(this, entry, &features[i]))
-			{
-				while (++i < count && (features[i].kind == FEATURE_DEPENDS ||
-									   features[i].kind == FEATURE_SDEPEND))
-				{
-					if (plugin_feature_matches(&features[i], dep))
-					{
-						enumerator->destroy(enumerator);
-						return TRUE;
-					}
-				}
-			}
+			DBG1(DBG_LIB, "feature %s in critical plugin '%s' failed to load",
+				 provide, name);
 		}
+		else
+		{
+			DBG2(DBG_LIB, "feature %s in plugin '%s' failed to load",
+				 provide, name);
+		}
+		free(provide);
 	}
-	enumerator->destroy(enumerator);
-	return FALSE;
+	else
+	{	/* TODO: we could check the current level and set a different flag when
+		 * being loaded as dependency. If there are loops there is a chance the
+		 * feature can be loaded later when loading the feature directly. */
+		this->stats.depends++;
+	}
+	provided->failed = TRUE;
+	this->stats.critical += provided->entry->critical ? 1 : 0;
+	this->stats.failed++;
 }
 
 /**
- * Load plugin features in correct order
+ * Load a provided feature
  */
-static int load_features(private_plugin_loader_t *this, bool soft, bool report)
+static void load_provided(private_plugin_loader_t *this,
+						  provided_feature_t *provided,
+						  int level)
 {
-	enumerator_t *enumerator;
-	plugin_feature_t *feature, *reg;
-	plugin_entry_t *entry;
-	int count, i, loaded = 0;
+	char *name, *provide;
+	int indent = level * 2;
+
+	if (provided->loaded || provided->failed)
+	{
+		return;
+	}
+	name = provided->entry->plugin->get_name(provided->entry->plugin);
+	provide = plugin_feature_get_string(provided->feature);
+	if (provided->loading)
+	{	/* prevent loop */
+		DBG3(DBG_LIB, "%*sloop detected while loading %s in plugin '%s'",
+			 indent, "", provide, name);
+		free(provide);
+		return;
+	}
+	DBG3(DBG_LIB, "%*sloading feature %s in plugin '%s'",
+		 indent, "", provide, name);
+	free(provide);
+
+	provided->loading = TRUE;
+	load_feature(this, provided, level + 1);
+	provided->loading = FALSE;
+}
+
+/**
+ * Load registered plugin features
+ */
+static void load_features(private_plugin_loader_t *this)
+{
+	enumerator_t *enumerator, *inner;
+	plugin_entry_t *plugin;
+	provided_feature_t *provided;
 
+	/* we do this in plugin order to allow implicit dependencies to be resolved
+	 * by reordering plugins */
 	enumerator = this->plugins->create_enumerator(this->plugins);
-	while (enumerator->enumerate(enumerator, &entry))
+	while (enumerator->enumerate(enumerator, &plugin))
 	{
-		if (!entry->plugin->get_features)
-		{	/* feature interface not supported */
-			continue;
-		}
-		reg = NULL;
-		count = entry->plugin->get_features(entry->plugin, &feature);
-		for (i = 0; i < count; i++)
+		inner = plugin->features->create_enumerator(plugin->features);
+		while (inner->enumerate(inner, &provided))
 		{
-			switch (feature->kind)
-			{
-				case FEATURE_PROVIDE:
-					if (!feature_loaded(this, entry, feature) &&
-						!feature_failed(this, entry, feature) &&
-						dependencies_satisfied(this, entry, soft, report,
-											   feature, count - i))
-					{
-						if (plugin_feature_load(entry->plugin, feature, reg))
-						{
-							entry->loaded->insert_last(entry->loaded, feature);
-							loaded++;
-						}
-						else
-						{
-							entry->failed->insert_last(entry->failed, feature);
-						}
-					}
-					break;
-				case FEATURE_REGISTER:
-				case FEATURE_CALLBACK:
-					reg = feature;
-					break;
-				default:
-					break;
-			}
-			feature++;
+			load_provided(this, provided, 0);
 		}
+		inner->destroy(inner);
 	}
 	enumerator->destroy(enumerator);
-	return loaded;
 }
 
 /**
- * Try to unload plugin features on which is not depended anymore
+ * Register plugin features provided by the given plugin
  */
-static int unload_features(private_plugin_loader_t *this, plugin_entry_t *entry)
+static void register_features(private_plugin_loader_t *this,
+							  plugin_entry_t *entry)
 {
-	plugin_feature_t *feature, *reg = NULL;
-	int count, i, unloaded = 0;
+	plugin_feature_t *feature, *reg;
+	registered_feature_t *registered, lookup;
+	provided_feature_t *provided;
+	int count, i;
 
+	if (!entry->plugin->get_features)
+	{	/* feature interface not supported */
+		DBG1(DBG_LIB, "plugin '%s' does not provide features, deprecated",
+			 entry->plugin->get_name(entry->plugin));
+		return;
+	}
+	reg = NULL;
 	count = entry->plugin->get_features(entry->plugin, &feature);
 	for (i = 0; i < count; i++)
 	{
 		switch (feature->kind)
 		{
 			case FEATURE_PROVIDE:
-				if (feature_loaded(this, entry, feature) &&
-					!dependency_required(this, feature) &&
-					plugin_feature_unload(entry->plugin, feature, reg))
+				lookup.feature = feature;
+				registered = this->features->get(this->features, &lookup);
+				if (!registered)
 				{
-					entry->loaded->remove(entry->loaded, feature, NULL);
-					unloaded++;
+					INIT(registered,
+						.feature = feature,
+						.plugins = linked_list_create(),
+					);
+					this->features->put(this->features, registered, registered);
 				}
+				INIT(provided,
+					.entry = entry,
+					.feature = feature,
+					.reg = reg,
+					.dependencies = count - i,
+				);
+				registered->plugins->insert_last(registered->plugins,
+												 provided);
+				entry->features->insert_last(entry->features, provided);
 				break;
 			case FEATURE_REGISTER:
 			case FEATURE_CALLBACK:
@@ -464,11 +821,58 @@ static int unload_features(private_plugin_loader_t *this, plugin_entry_t *entry)
 		}
 		feature++;
 	}
-	return unloaded;
 }
 
 /**
- * Remove plugins that we were not able to load any features from.
+ * Unregister a plugin feature
+ */
+static void unregister_feature(private_plugin_loader_t *this,
+							   provided_feature_t *provided)
+{
+	registered_feature_t *registered, lookup;
+
+	lookup.feature = provided->feature;
+	registered = this->features->get(this->features, &lookup);
+	if (registered)
+	{
+		registered->plugins->remove(registered->plugins, provided, NULL);
+		if (registered->plugins->get_count(registered->plugins) == 0)
+		{
+			this->features->remove(this->features, &lookup);
+			registered->plugins->destroy(registered->plugins);
+			free(registered);
+		}
+		else if (registered->feature == provided->feature)
+		{	/* update feature in case the providing plugin gets unloaded */
+			provided_feature_t *first;
+
+			registered->plugins->get_first(registered->plugins, (void**)&first);
+			registered->feature = first->feature;
+		}
+	}
+	free(provided);
+}
+
+/**
+ * Unregister plugin features
+ */
+static void unregister_features(private_plugin_loader_t *this,
+								plugin_entry_t *entry)
+{
+	provided_feature_t *provided;
+	enumerator_t *enumerator;
+
+	enumerator = entry->features->create_enumerator(entry->features);
+	while (enumerator->enumerate(enumerator, &provided))
+	{
+		entry->features->remove_at(entry->features, enumerator);
+		unregister_feature(this, provided);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Remove plugins we were not able to load any plugin features from.
  */
 static void purge_plugins(private_plugin_loader_t *this)
 {
@@ -482,32 +886,73 @@ static void purge_plugins(private_plugin_loader_t *this)
 		{	/* feature interface not supported */
 			continue;
 		}
-		if (!entry->loaded->get_count(entry->loaded))
+		if (entry->features->find_first(entry->features,
+									(void*)is_feature_loaded, NULL) != SUCCESS)
 		{
+			DBG2(DBG_LIB, "unloading plugin '%s' without loaded features",
+				 entry->plugin->get_name(entry->plugin));
 			this->plugins->remove_at(this->plugins, enumerator);
+			unregister_features(this, entry);
 			plugin_entry_destroy(entry);
 		}
 	}
 	enumerator->destroy(enumerator);
 }
 
+METHOD(plugin_loader_t, add_static_features, void,
+	private_plugin_loader_t *this, const char *name,
+	plugin_feature_t features[], int count, bool critical)
+{
+	plugin_entry_t *entry;
+	plugin_t *plugin;
+
+	plugin = static_features_create(name, features, count);
+
+	INIT(entry,
+		.plugin = plugin,
+		.critical = critical,
+		.features = linked_list_create(),
+	);
+	this->plugins->insert_last(this->plugins, entry);
+	register_features(this, entry);
+}
+
+/**
+ * Tries to find the plugin with the given name in the given path.
+ */
+static bool find_plugin(char *path, char *name, char *buf, char **file)
+{
+	struct stat stb;
+
+	if (path && snprintf(buf, PATH_MAX, "%s/libstrongswan-%s.so",
+						 path, name) < PATH_MAX)
+	{
+		if (stat(buf, &stb) == 0)
+		{
+			*file = buf;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 METHOD(plugin_loader_t, load_plugins, bool,
-	private_plugin_loader_t *this, char *path, char *list)
+	private_plugin_loader_t *this, char *list)
 {
 	enumerator_t *enumerator;
-	char *token;
+	char *default_path = NULL, *token;
 	bool critical_failed = FALSE;
 
-	if (path == NULL)
-	{
-		path = PLUGINDIR;
-	}
+#ifdef PLUGINDIR
+	default_path = PLUGINDIR;
+#endif /* PLUGINDIR */
 
 	enumerator = enumerator_create_token(list, " ", " ");
 	while (!critical_failed && enumerator->enumerate(enumerator, &token))
 	{
+		plugin_entry_t *entry;
 		bool critical = FALSE;
-		char file[PATH_MAX];
+		char buf[PATH_MAX], *file = NULL;
 		int len;
 
 		token = strdup(token);
@@ -522,34 +967,37 @@ METHOD(plugin_loader_t, load_plugins, bool,
 			free(token);
 			continue;
 		}
-		if (snprintf(file, sizeof(file), "%s/libstrongswan-%s.so",
-					 path, token) >= sizeof(file))
+		if (this->paths)
 		{
-			return FALSE;
+			this->paths->find_first(this->paths, (void*)find_plugin, NULL,
+									token, buf, &file);
+		}
+		if (!file)
+		{
+			find_plugin(default_path, token, buf, &file);
+		}
+		entry = load_plugin(this, token, file, critical);
+		if (entry)
+		{
+			register_features(this, entry);
 		}
-		if (!load_plugin(this, token, file) && critical)
+		else if (critical)
 		{
 			critical_failed = TRUE;
 			DBG1(DBG_LIB, "loading critical plugin '%s' failed", token);
 		}
 		free(token);
-		/* TODO: we currently load features after each plugin is loaded. This
-		 * will not be necessary once we have features support in all plugins.
-		 */
-		while (load_features(this, TRUE, FALSE))
-		{
-			/* try load new features until we don't get new ones */
-		}
 	}
 	enumerator->destroy(enumerator);
 	if (!critical_failed)
 	{
-		while (load_features(this, FALSE, FALSE))
+		load_features(this);
+		if (this->stats.critical > 0)
 		{
-			/* enforce loading features, ignoring soft dependencies */
+			critical_failed = TRUE;
+			DBG1(DBG_LIB, "failed to load %d critical plugin feature%s",
+				 this->stats.critical, this->stats.critical == 1 ? "" : "s");
 		}
-		/* report missing dependencies */
-		load_features(this, FALSE, TRUE);
 		/* unload plugins that we were not able to load any features for */
 		purge_plugins(this);
 	}
@@ -561,47 +1009,56 @@ METHOD(plugin_loader_t, load_plugins, bool,
 	return !critical_failed;
 }
 
-METHOD(plugin_loader_t, unload, void,
-	private_plugin_loader_t *this)
+/**
+ * Unload plugin features, they are registered in reverse order
+ */
+static void unload_features(private_plugin_loader_t *this)
 {
 	enumerator_t *enumerator;
+	provided_feature_t *provided;
 	plugin_entry_t *entry;
-	linked_list_t *list;
 
-	/* unload plugins in reverse order, for those not supporting features */
-	list = linked_list_create();
-	while (this->plugins->remove_last(this->plugins, (void**)&entry) == SUCCESS)
+	enumerator = this->loaded->create_enumerator(this->loaded);
+	while (enumerator->enumerate(enumerator, &provided))
 	{
-		list->insert_last(list, entry);
+		entry = provided->entry;
+		plugin_feature_unload(entry->plugin, provided->feature, provided->reg);
+		this->loaded->remove_at(this->loaded, enumerator);
+		entry->features->remove(entry->features, provided, NULL);
+		unregister_feature(this, provided);
 	}
-	while (list->remove_last(list, (void**)&entry) == SUCCESS)
-	{
-		this->plugins->insert_first(this->plugins, entry);
-	}
-	list->destroy(list);
-	while (this->plugins->get_count(this->plugins))
+	enumerator->destroy(enumerator);
+}
+
+METHOD(plugin_loader_t, unload, void,
+	private_plugin_loader_t *this)
+{
+	plugin_entry_t *entry;
+
+	/* unload features followed by plugins, in reverse order */
+	unload_features(this);
+	while (this->plugins->remove_last(this->plugins, (void**)&entry) == SUCCESS)
 	{
-		enumerator = this->plugins->create_enumerator(this->plugins);
-		while (enumerator->enumerate(enumerator, &entry))
-		{
-			if (entry->plugin->get_features)
-			{	/* supports features */
-				while (unload_features(this, entry));
-			}
-			if (entry->loaded->get_count(entry->loaded) == 0)
-			{
-				if (lib->leak_detective)
-				{	/* keep handle to report leaks properly */
-					entry->handle = NULL;
-				}
-				this->plugins->remove_at(this->plugins, enumerator);
-				plugin_entry_destroy(entry);
-			}
+		if (lib->leak_detective)
+		{	/* keep handle to report leaks properly */
+			entry->handle = NULL;
 		}
-		enumerator->destroy(enumerator);
+		unregister_features(this, entry);
+		plugin_entry_destroy(entry);
 	}
 	free(this->loaded_plugins);
 	this->loaded_plugins = NULL;
+	memset(&this->stats, 0, sizeof(this->stats));
+}
+
+METHOD(plugin_loader_t, add_path, void,
+	private_plugin_loader_t *this, char *path)
+{
+	if (!this->paths)
+	{
+		this->paths = linked_list_create();
+	}
+	this->paths->insert_last(this->paths, strdupnull(path));
 }
 
 /**
@@ -656,11 +1113,30 @@ METHOD(plugin_loader_t, loaded_plugins, char*,
 	return this->loaded_plugins ?: "";
 }
 
+METHOD(plugin_loader_t, status, void,
+	private_plugin_loader_t *this, level_t level)
+{
+	if (this->loaded_plugins)
+	{
+		dbg(DBG_LIB, level, "loaded plugins: %s", this->loaded_plugins);
+
+		if (this->stats.failed)
+		{
+			dbg(DBG_LIB, level, "unable to load %d plugin feature%s (%d due to "
+				"unmet dependencies)", this->stats.failed,
+				this->stats.failed == 1 ? "" : "s", this->stats.depends);
+		}
+	}
+}
+
 METHOD(plugin_loader_t, destroy, void,
 	private_plugin_loader_t *this)
 {
 	unload(this);
+	this->features->destroy(this->features);
+	this->loaded->destroy(this->loaded);
 	this->plugins->destroy(this->plugins);
+	DESTROY_FUNCTION_IF(this->paths, free);
 	free(this->loaded_plugins);
 	free(this);
 }
@@ -674,16 +1150,23 @@ plugin_loader_t *plugin_loader_create()
 
 	INIT(this,
 		.public = {
+			.add_static_features = _add_static_features,
 			.load = _load_plugins,
+			.add_path = _add_path,
 			.reload = _reload,
 			.unload = _unload,
 			.create_plugin_enumerator = _create_plugin_enumerator,
+			.has_feature = _has_feature,
 			.loaded_plugins = _loaded_plugins,
+			.status = _status,
 			.destroy = _destroy,
 		},
 		.plugins = linked_list_create(),
+		.loaded = linked_list_create(),
+		.features = hashtable_create(
+							(hashtable_hash_t)registered_feature_hash,
+							(hashtable_equals_t)registered_feature_equals, 64),
 	);
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h
index 7fd07044d..285b33910 100644
--- a/src/libstrongswan/plugins/plugin_loader.h
+++ b/src/libstrongswan/plugins/plugin_loader.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,7 +24,11 @@
 
 typedef struct plugin_loader_t plugin_loader_t;
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
+#include <utils/debug.h>
+
+/* to avoid circular references we can't include plugin_feature.h */
+struct plugin_feature_t;
 
 /**
  * The plugin_loader loads plugins from a directory and initializes them
@@ -32,17 +36,54 @@ typedef struct plugin_loader_t plugin_loader_t;
 struct plugin_loader_t {
 
 	/**
-	 * Load a list of plugins from a directory.
+	 * Add static plugin features, not loaded via plugins.
+	 *
+	 * Similar to features provided by plugins they are evaluated during load(),
+	 * and unloaded when unload() is called.
+	 *
+	 * If critical is TRUE load() will fail if any of the added features could
+	 * not be loaded.
+	 *
+	 * @note The name should be unique otherwise a plugin with the same name is
+	 * not loaded.
+	 *
+	 * @param name			name of the component adding the features
+	 * @param features		array of plugin features
+	 * @param count			number of features in the array
+	 * @param critical		TRUE if the features are critical
+	 */
+	void (*add_static_features) (plugin_loader_t *this, const char *name,
+								 struct plugin_feature_t *features, int count,
+								 bool critical);
+
+	/**
+	 * Load a list of plugins.
 	 *
-	 * Each plugin in list may have a ending exclamation mark (!) to mark it
+	 * Each plugin in list may have an ending exclamation mark (!) to mark it
 	 * as a critical plugin. If loading a critical plugin fails, plugin loading
 	 * is aborted and FALSE is returned.
 	 *
-	 * @param path			path containing loadable plugins, NULL for default
+	 * Additional paths can be added with add_path(), these will be searched
+	 * for the plugins first, in the order they were added, then the default
+	 * path follows.
+	 *
+	 * @note Even though this method could be called multiple times this is
+	 * currently not really supported in regards to plugin features and their
+	 * dependencies (in particular soft dependencies).
+	 *
 	 * @param list			space separated list of plugins to load
 	 * @return				TRUE if all critical plugins loaded successfully
 	 */
-	bool (*load)(plugin_loader_t *this, char *path, char *list);
+	bool (*load)(plugin_loader_t *this, char *list);
+
+	/**
+	 * Add an additional search path for plugins.
+	 *
+	 * These will be searched in the order they were added.
+	 *
+	 * @param path			path containing loadable plugins
+	 */
+	void (*add_path)(plugin_loader_t *this, char *path);
 
 	/**
 	 * Reload the configuration of one or multiple plugins.
@@ -60,15 +101,23 @@ struct plugin_loader_t {
 	/**
 	 * Create an enumerator over all loaded plugins.
 	 *
-	 * In addition to the plugin, the enumerator returns a list of pointers to
-	 * plugin features currently loaded (if the argument is not NULL).
-	 * This list is to be read only.
+	 * In addition to the plugin, the enumerator optionally provides a list of
+	 * pointers to plugin features currently loaded.
+	 * This list has to be destroyed.
 	 *
 	 * @return				enumerator over plugin_t*, linked_list_t*
 	 */
 	enumerator_t* (*create_plugin_enumerator)(plugin_loader_t *this);
 
 	/**
+	 * Check if the given feature is available and loaded.
+	 *
+	 * @param feature		feature to check
+	 * @return				TRUE if feature available
+	 */
+	bool (*has_feature)(plugin_loader_t *this, struct plugin_feature_t feature);
+
+	/**
 	 * Get a simple list the names of all loaded plugins.
 	 *
 	 * The function returns internal data, do not free.
@@ -78,6 +127,13 @@ struct plugin_loader_t {
 	char* (*loaded_plugins)(plugin_loader_t *this);
 
 	/**
+	 * Log status about loaded plugins and features.
+	 *
+	 * @param level			log level to use
+	 */
+	void (*status)(plugin_loader_t *this, level_t level);
+
+	/**
 	 * Unload loaded plugins, destroy plugin_loader instance.
 	 */
 	void (*destroy)(plugin_loader_t *this);
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
index c2974a585..4f2354455 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.am
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-pubkey.la
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 0de048791..6686d6f5b 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,54 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_pubkey_la_LIBADD =
 am_libstrongswan_pubkey_la_OBJECTS = pubkey_plugin.lo pubkey_cert.lo
 libstrongswan_pubkey_la_OBJECTS =  \
 	$(am_libstrongswan_pubkey_la_OBJECTS)
-libstrongswan_pubkey_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_pubkey_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_pubkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_pubkey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_pubkey_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_pubkey_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_pubkey_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_pubkey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pubkey.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pubkey.la
 libstrongswan_pubkey_la_SOURCES = \
@@ -336,7 +402,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -344,6 +409,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -365,8 +432,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) 
-	$(libstrongswan_pubkey_la_LINK) $(am_libstrongswan_pubkey_la_rpath) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
+libstrongswan-pubkey.la: $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_pubkey_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_pubkey_la_LINK) $(am_libstrongswan_pubkey_la_rpath) $(libstrongswan_pubkey_la_OBJECTS) $(libstrongswan_pubkey_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -378,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -503,10 +570,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index 67240fe0c..b7ba5ad43 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -17,7 +17,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_pubkey_cert_t private_pubkey_cert_t;
 
@@ -110,15 +110,25 @@ METHOD(certificate_t, has_issuer, id_match_t,
 METHOD(certificate_t, equals, bool,
 	private_pubkey_cert_t *this, certificate_t *other)
 {
+	identification_t *other_subject;
 	public_key_t *other_key;
 
+	if (this == (private_pubkey_cert_t*)other)
+	{
+		return TRUE;
+	}
+	if (other->get_type(other) != CERT_TRUSTED_PUBKEY)
+	{
+		return FALSE;
+	}
 	other_key = other->get_public_key(other);
 	if (other_key)
 	{
 		if (public_key_equals(this->key, other_key))
 		{
 			other_key->destroy(other_key);
-			return TRUE;
+			other_subject = other->get_subject(other);
+			return other_subject->equals(other_subject, this->subject);
 		}
 		other_key->destroy(other_key);
 	}
@@ -126,8 +136,13 @@ METHOD(certificate_t, equals, bool,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_pubkey_cert_t *this, certificate_t *issuer)
+	private_pubkey_cert_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
+	if (scheme)
+	{
+		*scheme = SIGN_UNKNOWN;
+	}
 	return equals(this, issuer);
 }
 
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index 92bfc2e63..a898bbfcc 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -43,6 +43,11 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		PLUGIN_REGISTER(CERT_ENCODE, pubkey_cert_wrap, FALSE),
 			PLUGIN_PROVIDE(CERT_ENCODE, CERT_TRUSTED_PUBKEY),
+		PLUGIN_REGISTER(CERT_DECODE, pubkey_cert_wrap, TRUE),
+			PLUGIN_PROVIDE(CERT_DECODE, CERT_TRUSTED_PUBKEY),
+				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
index 5df992718..7c03c66ef 100644
--- a/src/libstrongswan/plugins/random/Makefile.am
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -1,9 +1,10 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DDEV_RANDOM=\"${random_device}\" \
+	-DDEV_URANDOM=\"${urandom_device}\"
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic \
--DDEV_RANDOM=\"${random_device}\" \
--DDEV_URANDOM=\"${urandom_device}\"
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-random.la
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 9b549b071..b6e641757 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,54 +90,89 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_random_la_LIBADD =
 am_libstrongswan_random_la_OBJECTS = random_plugin.lo random_rng.lo
 libstrongswan_random_la_OBJECTS =  \
 	$(am_libstrongswan_random_la_OBJECTS)
-libstrongswan_random_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_random_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_random_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_random_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_random_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_random_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_random_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_random_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,10 +344,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic \
--DDEV_RANDOM=\"${random_device}\" \
--DDEV_URANDOM=\"${urandom_device}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DDEV_RANDOM=\"${random_device}\" \
+	-DDEV_URANDOM=\"${urandom_device}\"
+
+AM_CFLAGS = \
+	-rdynamic
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-random.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-random.la
@@ -339,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -347,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -368,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) 
-	$(libstrongswan_random_la_LINK) $(am_libstrongswan_random_la_rpath) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
+libstrongswan-random.la: $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_DEPENDENCIES) $(EXTRA_libstrongswan_random_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_random_la_LINK) $(am_libstrongswan_random_la_rpath) $(libstrongswan_random_la_OBJECTS) $(libstrongswan_random_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -381,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random_rng.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -506,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 7f81e2622..24c711a69 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -15,9 +15,24 @@
 
 #include "random_plugin.h"
 
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
 #include <library.h>
+#include <utils/debug.h>
 #include "random_rng.h"
 
+#ifndef DEV_RANDOM
+# define DEV_RANDOM "/dev/random"
+#endif
+
+#ifndef DEV_URANDOM
+# define DEV_URANDOM "/dev/urandom"
+#endif
+
 typedef struct private_random_plugin_t private_random_plugin_t;
 
 /**
@@ -31,6 +46,41 @@ struct private_random_plugin_t {
 	random_plugin_t public;
 };
 
+/** /dev/random file descriptor */
+static int dev_random = -1;
+/** /dev/urandom file descriptor */
+static int dev_urandom = -1;
+
+/**
+ * See header.
+ */
+int random_plugin_get_dev_random()
+{
+	return dev_random;
+}
+
+/**
+ * See header.
+ */
+int random_plugin_get_dev_urandom()
+{
+	return dev_urandom;
+}
+
+/**
+ * Open a random device file
+ */
+static bool open_dev(char *file, int *fd)
+{
+	*fd = open(file, O_RDONLY);
+	if (*fd == -1)
+	{
+		DBG1(DBG_LIB, "opening \"%s\" failed: %s", file, strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_name, char*,
 	private_random_plugin_t *this)
 {
@@ -52,6 +102,14 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_random_plugin_t *this)
 {
+	if (dev_random != -1)
+	{
+		close(dev_random);
+	}
+	if (dev_urandom != -1)
+	{
+		close(dev_urandom);
+	}
 	free(this);
 }
 
@@ -61,6 +119,7 @@ METHOD(plugin_t, destroy, void,
 plugin_t *random_plugin_create()
 {
 	private_random_plugin_t *this;
+	char *urandom_file, *random_file;
 
 	INIT(this,
 		.public = {
@@ -72,6 +131,17 @@ plugin_t *random_plugin_create()
 		},
 	);
 
+	urandom_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.random.urandom", DEV_URANDOM);
+	random_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.random.random", DEV_RANDOM);
+	if (!open_dev(urandom_file, &dev_urandom) ||
+		!open_dev(random_file, &dev_random))
+	{
+		destroy(this);
+		return NULL;
+	}
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
index 7e22c3e5f..c34fa8196 100644
--- a/src/libstrongswan/plugins/random/random_plugin.h
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -39,4 +39,14 @@ struct random_plugin_t {
 	plugin_t plugin;
 };
 
+/**
+ * Get the /dev/random file descriptor
+ */
+int random_plugin_get_dev_random();
+
+/**
+ * Get the /dev/urandom file descriptor
+ */
+int random_plugin_get_dev_urandom();
+
 #endif /** RANDOM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 1d99a63d5..568844899 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -15,22 +15,12 @@
  */
 
 #include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "random_rng.h"
-
-#ifndef DEV_RANDOM
-# define DEV_RANDOM "/dev/random"
-#endif
-
-#ifndef DEV_URANDOM
-# define DEV_URANDOM "/dev/urandom"
-#endif
+#include "random_plugin.h"
 
 typedef struct private_random_rng_t private_random_rng_t;
 
@@ -47,15 +37,10 @@ struct private_random_rng_t {
 	/**
 	 * random device, depends on quality
 	 */
-	int dev;
-
-	/**
-	 * file we read random bytes from
-	 */
-	char *file;
+	int fd;
 };
 
-METHOD(rng_t, get_bytes, void,
+METHOD(rng_t, get_bytes, bool,
 	private_random_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	size_t done;
@@ -65,30 +50,29 @@ METHOD(rng_t, get_bytes, void,
 
 	while (done < bytes)
 	{
-		got = read(this->dev, buffer + done, bytes - done);
+		got = read(this->fd, buffer + done, bytes - done);
 		if (got <= 0)
 		{
-			DBG1(DBG_LIB, "reading from \"%s\" failed: %s, retrying...",
-				 this->file, strerror(errno));
-			close(this->dev);
+			DBG1(DBG_LIB, "reading from random FD %d failed: %s, retrying...",
+				 this->fd, strerror(errno));
 			sleep(1);
-			this->dev = open(this->file, 0);
 		}
 		done += got;
 	}
+	return TRUE;
 }
 
-METHOD(rng_t, allocate_bytes, void,
+METHOD(rng_t, allocate_bytes, bool,
 	private_random_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
 	get_bytes(this, chunk->len, chunk->ptr);
+	return TRUE;
 }
 
 METHOD(rng_t, destroy, void,
 	private_random_rng_t *this)
 {
-	close(this->dev);
 	free(this);
 }
 
@@ -109,22 +93,18 @@ random_rng_t *random_rng_create(rng_quality_t quality)
 		},
 	);
 
-	if (quality == RNG_TRUE)
+	switch (quality)
 	{
-		this->file = DEV_RANDOM;
-	}
-	else
-	{
-		this->file = DEV_URANDOM;
+		case RNG_TRUE:
+			this->fd = random_plugin_get_dev_random();
+			break;
+		case RNG_STRONG:
+		case RNG_WEAK:
+		default:
+			this->fd = random_plugin_get_dev_urandom();
+			break;
 	}
 
-	this->dev = open(this->file, 0);
-	if (this->dev < 0)
-	{
-		DBG1(DBG_LIB, "opening \"%s\" failed: %s", this->file, strerror(errno));
-		free(this);
-		return NULL;
-	}
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/rc2/Makefile.am b/src/libstrongswan/plugins/rc2/Makefile.am
new file mode 100644
index 000000000..3f892728d
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-rc2.la
+else
+plugin_LTLIBRARIES = libstrongswan-rc2.la
+endif
+
+libstrongswan_rc2_la_SOURCES = \
+	rc2_plugin.h rc2_plugin.c rc2_crypter.c rc2_crypter.h
+
+libstrongswan_rc2_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
new file mode 100644
index 000000000..9b9baf5d6
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -0,0 +1,681 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/rc2
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_rc2_la_LIBADD =
+am_libstrongswan_rc2_la_OBJECTS = rc2_plugin.lo rc2_crypter.lo
+libstrongswan_rc2_la_OBJECTS = $(am_libstrongswan_rc2_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_rc2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_rc2_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_rc2_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_rc2_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_rc2_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_rc2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-rc2.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-rc2.la
+libstrongswan_rc2_la_SOURCES = \
+	rc2_plugin.h rc2_plugin.c rc2_crypter.c rc2_crypter.h
+
+libstrongswan_rc2_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/rc2/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/rc2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-rc2.la: $(libstrongswan_rc2_la_OBJECTS) $(libstrongswan_rc2_la_DEPENDENCIES) $(EXTRA_libstrongswan_rc2_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_rc2_la_LINK) $(am_libstrongswan_rc2_la_rpath) $(libstrongswan_rc2_la_OBJECTS) $(libstrongswan_rc2_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc2_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc2_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/rc2/rc2_crypter.c b/src/libstrongswan/plugins/rc2/rc2_crypter.c
new file mode 100644
index 000000000..256acf817
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_crypter.c
@@ -0,0 +1,349 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rc2_crypter.h"
+
+typedef struct private_rc2_crypter_t private_rc2_crypter_t;
+
+#define RC2_BLOCK_SIZE 8
+
+#define ROL16(x, k)	({ u_int16_t _x = (x); (_x << (k)) | (_x >> (16 - (k))); })
+#define ROR16(x, k)	({ u_int16_t _x = (x); (_x >> (k)) | (_x << (16 - (k))); })
+
+#define GET16(x)	({ u_char *_x = (x); (u_int16_t)_x[0] | ((u_int16_t)_x[1] << 8); })
+#define PUT16(x, v)	({ u_char *_x = (x); u_int16_t _v = (v); _x[0] = _v, _x[1] = _v >> 8; })
+
+/**
+ * Private data of rc2_crypter_t
+ */
+struct private_rc2_crypter_t {
+
+	/**
+	 * Public interface
+	 */
+	rc2_crypter_t public;
+
+	/**
+	* The expanded key in 16-bit words
+	*/
+	u_int16_t  K[64];
+
+	/**
+	* Key size in bytes
+	*/
+	size_t T;
+
+	/**
+	* Effective key size in bits
+	*/
+	size_t T1;
+};
+
+/**
+ * PITABLE
+ */
+static const u_char PITABLE[256] =
+{
+	0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed,
+	0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d,
+	0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e,
+	0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2,
+	0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13,
+	0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,
+	0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b,
+	0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82,
+	0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c,
+	0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc,
+	0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1,
+	0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,
+	0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57,
+	0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03,
+	0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7,
+	0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7,
+	0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7,
+	0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,
+	0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74,
+	0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec,
+	0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc,
+	0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39,
+	0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a,
+	0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,
+	0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae,
+	0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9,
+	0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c,
+	0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9,
+	0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0,
+	0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,
+	0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77,
+	0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad,
+};
+
+/**
+ * Encrypt a single block of data
+ */
+static void encrypt_block(private_rc2_crypter_t *this, u_char R[])
+{
+	register u_int16_t R0, R1, R2, R3, *Kj;
+	int rounds = 3, mix = 5;
+
+	R0 = GET16(R);
+	R1 = GET16(R + 2);
+	R2 = GET16(R + 4);
+	R3 = GET16(R + 6);
+	Kj = &this->K[0];
+
+	/* 5 mix, mash, 6 mix, mash, 5 mix */
+	while (TRUE)
+	{
+		/* mix */
+		R0 = ROL16(R0 + *(Kj++) + (R3 & R2) + (~R3 & R1), 1);
+		R1 = ROL16(R1 + *(Kj++) + (R0 & R3) + (~R0 & R2), 2);
+		R2 = ROL16(R2 + *(Kj++) + (R1 & R0) + (~R1 & R3), 3);
+		R3 = ROL16(R3 + *(Kj++) + (R2 & R1) + (~R2 & R0), 5);
+
+		if (--mix == 0)
+		{
+			if (--rounds == 0)
+			{
+				break;
+			}
+			mix = (rounds == 2) ? 6 : 5;
+			/* mash */
+			R0 += this->K[R3 & 63];
+			R1 += this->K[R0 & 63];
+			R2 += this->K[R1 & 63];
+			R3 += this->K[R2 & 63];
+		}
+	}
+
+	PUT16(R, R0);
+	PUT16(R + 2, R1);
+	PUT16(R + 4, R2);
+	PUT16(R + 6, R3);
+}
+
+/**
+ * Decrypt a single block of data.
+ */
+static void decrypt_block(private_rc2_crypter_t *this, u_char R[])
+{
+	register u_int16_t R0, R1, R2, R3, *Kj;
+	int rounds = 3, mix = 5;
+
+	R0 = GET16(R);
+	R1 = GET16(R + 2);
+	R2 = GET16(R + 4);
+	R3 = GET16(R + 6);
+	Kj = &this->K[63];
+
+	/* 5 r-mix, r-mash, 6 r-mix, r-mash, 5 r-mix */
+	while (TRUE)
+	{
+		/* r-mix */
+		R3 = ROR16(R3, 5);
+		R3 = R3 - *(Kj--) - (R2 & R1) - (~R2 & R0);
+		R2 = ROR16(R2, 3);
+		R2 = R2 - *(Kj--) - (R1 & R0) - (~R1 & R3);
+		R1 = ROR16(R1, 2);
+		R1 = R1 - *(Kj--) - (R0 & R3) - (~R0 & R2);
+		R0 = ROR16(R0, 1);
+		R0 = R0 - *(Kj--) - (R3 & R2) - (~R3 & R1);
+
+		if (--mix == 0)
+		{
+			if (--rounds == 0)
+			{
+				break;
+			}
+			mix = (rounds == 2) ? 6 : 5;
+			/* r-mash */
+			R3 -= this->K[R2 & 63];
+			R2 -= this->K[R1 & 63];
+			R1 -= this->K[R0 & 63];
+			R0 -= this->K[R3 & 63];
+		}
+	}
+
+	PUT16(R, R0);
+	PUT16(R + 2, R1);
+	PUT16(R + 4, R2);
+	PUT16(R + 6, R3);
+}
+
+METHOD(crypter_t, decrypt, bool,
+	private_rc2_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
+{
+	u_int8_t *in, *out, *prev;
+
+	if (data.len % RC2_BLOCK_SIZE || iv.len != RC2_BLOCK_SIZE)
+	{
+		return FALSE;
+	}
+
+	in = data.ptr + data.len - RC2_BLOCK_SIZE;
+	out = data.ptr;
+	if (decrypted)
+	{
+		*decrypted = chunk_alloc(data.len);
+		out = decrypted->ptr;
+	}
+	out += data.len - RC2_BLOCK_SIZE;
+
+	prev = in;
+	for (; in >= data.ptr; in -= RC2_BLOCK_SIZE, out -= RC2_BLOCK_SIZE)
+	{
+		if (decrypted)
+		{
+			memcpy(out, in, RC2_BLOCK_SIZE);
+		}
+		decrypt_block(this, out);
+		prev -= RC2_BLOCK_SIZE;
+		if (prev < data.ptr)
+		{
+			prev = iv.ptr;
+		}
+		memxor(out, prev, RC2_BLOCK_SIZE);
+	}
+	return TRUE;
+}
+
+METHOD(crypter_t, encrypt, bool,
+	private_rc2_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
+{
+	u_int8_t *in, *out, *end, *prev;
+
+	if (data.len % RC2_BLOCK_SIZE || iv.len != RC2_BLOCK_SIZE)
+	{
+		return FALSE;
+	}
+
+	in = data.ptr;
+	end = data.ptr + data.len;
+	out = data.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(data.len);
+		out = encrypted->ptr;
+	}
+
+	prev = iv.ptr;
+	for (; in < end; in += RC2_BLOCK_SIZE, out += RC2_BLOCK_SIZE)
+	{
+		if (encrypted)
+		{
+			memcpy(out, in, RC2_BLOCK_SIZE);
+		}
+		memxor(out, prev, RC2_BLOCK_SIZE);
+		encrypt_block(this, out);
+		prev = out;
+	}
+	return TRUE;
+}
+
+METHOD(crypter_t, get_block_size, size_t,
+	private_rc2_crypter_t *this)
+{
+	return RC2_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_iv_size, size_t,
+	private_rc2_crypter_t *this)
+{
+	return RC2_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_rc2_crypter_t *this)
+{
+	return this->T;
+}
+
+METHOD(crypter_t, set_key, bool,
+	private_rc2_crypter_t *this, chunk_t key)
+{
+	u_int8_t L[128], T8, TM, idx;
+	int i;
+
+	if (key.len != this->T)
+	{
+		return FALSE;
+	}
+	for (i = 0; i < key.len; i++)
+	{
+		L[i] = key.ptr[i];
+	}
+	for (; i < 128; i++)
+	{
+		idx = L[i-1] + L[i-key.len];
+		L[i] = PITABLE[idx];
+	}
+	T8 = (this->T1 + 7) / 8;
+	TM = ~(0xff << (8 - (8*T8 - this->T1)));
+	L[128-T8] = PITABLE[L[128-T8] & TM];
+	for (i = 127-T8; i >= 0; i--)
+	{
+		idx = L[i+1] ^ L[i+T8];
+		L[i] = PITABLE[idx];
+	}
+	for (i = 0; i < 64; i++)
+	{
+		this->K[i] = GET16(&L[i << 1]);
+	}
+	memwipe(L, sizeof(L));
+	return TRUE;
+}
+
+METHOD(crypter_t, destroy, void,
+	private_rc2_crypter_t *this)
+{
+	memwipe(this->K, sizeof(this->K));
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+rc2_crypter_t *rc2_crypter_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_rc2_crypter_t *this;
+	size_t effective;
+
+	if (algo != ENCR_RC2_CBC)
+	{
+		return NULL;
+	}
+	key_size = max(1, key_size);
+	effective = RC2_EFFECTIVE_KEY_LEN(key_size);
+	key_size = min(128, RC2_KEY_LEN(key_size));
+	effective = max(1, min(1024, effective ?: key_size * 8));
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.T = key_size,
+		.T1 = effective,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/rc2/rc2_crypter.h b/src/libstrongswan/plugins/rc2/rc2_crypter.h
new file mode 100644
index 000000000..d478762a6
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_crypter.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rc2_crypter rc2_crypter
+ * @{ @ingroup rc2_p
+ */
+
+#ifndef RC2_CRYPTER_H_
+#define RC2_CRYPTER_H_
+
+typedef struct rc2_crypter_t rc2_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * Class implementing the RC2 block cipher as defined in RFC 2268.
+ */
+struct rc2_crypter_t {
+
+	/**
+	 * Implements crypter_t interface.
+	 */
+	crypter_t crypter;
+};
+
+/**
+ * Constructor to create rc2_crypter_t objects.
+ *
+ * @param algo			algorithm to implement (ENCR_RC2_CBC)
+ * @param key_size		use the RC2_KEY_SIZE macro if the effective key size
+ * 						in bits is different than the actual length of the key
+ * @return				rc2_crypter_t object, NULL if not supported
+ */
+rc2_crypter_t *rc2_crypter_create(encryption_algorithm_t algo,
+								  size_t key_size);
+
+#endif /** RC2_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/rc2/rc2_plugin.c b/src/libstrongswan/plugins/rc2/rc2_plugin.c
new file mode 100644
index 000000000..6c6fa76d6
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_plugin.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rc2_plugin.h"
+
+#include <library.h>
+#include "rc2_crypter.h"
+
+typedef struct private_rc2_plugin_t private_rc2_plugin_t;
+
+/**
+ * Private data of rc2_plugin
+ */
+struct private_rc2_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	rc2_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_rc2_plugin_t *this)
+{
+	return "rc2";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_rc2_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(CRYPTER, rc2_crypter_create),
+			PLUGIN_PROVIDE(CRYPTER, ENCR_RC2_CBC, 0),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_rc2_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+plugin_t *rc2_plugin_create()
+{
+	private_rc2_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/rc2/rc2_plugin.h b/src/libstrongswan/plugins/rc2/rc2_plugin.h
new file mode 100644
index 000000000..cbbac51af
--- /dev/null
+++ b/src/libstrongswan/plugins/rc2/rc2_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rc2_p rc2
+ * @ingroup plugins
+ *
+ * @defgroup rc2_plugin rc2_plugin
+ * @{ @ingroup rc2_p
+ */
+
+#ifndef RC2_PLUGIN_H_
+#define RC2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct rc2_plugin_t rc2_plugin_t;
+
+/**
+ * Plugin implementing RC2 (RFC 2268).
+ */
+struct rc2_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** RC2_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.am b/src/libstrongswan/plugins/rdrand/Makefile.am
new file mode 100644
index 000000000..d9cb00161
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-rdrand.la
+else
+plugin_LTLIBRARIES = libstrongswan-rdrand.la
+endif
+
+libstrongswan_rdrand_la_SOURCES = \
+	rdrand_plugin.h rdrand_plugin.c \
+	rdrand_rng.h rdrand_rng.c
+
+libstrongswan_rdrand_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
new file mode 100644
index 000000000..6a344954e
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -0,0 +1,684 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/rdrand
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_rdrand_la_LIBADD =
+am_libstrongswan_rdrand_la_OBJECTS = rdrand_plugin.lo rdrand_rng.lo
+libstrongswan_rdrand_la_OBJECTS =  \
+	$(am_libstrongswan_rdrand_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_rdrand_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_rdrand_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_rdrand_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_rdrand_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_rdrand_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_rdrand_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-rdrand.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-rdrand.la
+libstrongswan_rdrand_la_SOURCES = \
+	rdrand_plugin.h rdrand_plugin.c \
+	rdrand_rng.h rdrand_rng.c
+
+libstrongswan_rdrand_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/rdrand/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/rdrand/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-rdrand.la: $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_DEPENDENCIES) $(EXTRA_libstrongswan_rdrand_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_rdrand_la_LINK) $(am_libstrongswan_rdrand_la_rpath) $(libstrongswan_rdrand_la_OBJECTS) $(libstrongswan_rdrand_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rdrand_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rdrand_rng.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
new file mode 100644
index 000000000..4bdfc258e
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rdrand_plugin.h"
+#include "rdrand_rng.h"
+
+#include <stdio.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_rdrand_plugin_t private_rdrand_plugin_t;
+typedef enum cpuid_feature_t cpuid_feature_t;
+
+/**
+ * private data of rdrand_plugin
+ */
+struct private_rdrand_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	rdrand_plugin_t public;
+};
+
+/**
+ * CPU feature flags, returned via cpuid(1)
+ */
+enum cpuid_feature_t {
+	CPUID_RDRAND =		(1<<30),
+};
+
+/**
+ * Get cpuid for info, return eax, ebx, ecx and edx.
+ * -fPIC requires to save ebx on IA-32.
+ */
+static void cpuid(u_int op, u_int *a, u_int *b, u_int *c, u_int *d)
+{
+#ifdef __x86_64__
+	asm("cpuid" : "=a" (*a), "=b" (*b), "=c" (*c), "=d" (*d) : "a" (op));
+#else /* __i386__ */
+	asm("pushl %%ebx;"
+		"cpuid;"
+		"movl %%ebx, %1;"
+		"popl %%ebx;"
+		: "=a" (*a), "=r" (*b), "=c" (*c), "=d" (*d) : "a" (op));
+#endif /* __x86_64__ / __i386__*/
+}
+
+/**
+ * Check if we have RDRAND instruction
+ */
+static bool have_rdrand()
+{
+	char vendor[3 * sizeof(u_int32_t) + 1];
+	u_int a, b, c, d;
+
+	cpuid(0, &a, &b, &c, &d);
+	/* VendorID string is in b-d-c (yes, in this order) */
+	snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c);
+
+	/* check if we have an Intel CPU */
+	if (streq(vendor, "GenuineIntel"))
+	{
+		cpuid(1, &a, &b, &c, &d);
+		if (c & CPUID_RDRAND)
+		{
+			DBG1(DBG_LIB, "detected RDRAND support on %s CPU", vendor);
+			return TRUE;
+		}
+	}
+	DBG1(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor);
+	return FALSE;
+}
+
+METHOD(plugin_t, get_name, char*,
+	private_rdrand_plugin_t *this)
+{
+	return "rdrand";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_rdrand_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(RNG, rdrand_rng_create),
+			PLUGIN_PROVIDE(RNG, RNG_WEAK),
+			PLUGIN_PROVIDE(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_rdrand_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *rdrand_plugin_create()
+{
+	private_rdrand_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	if (have_rdrand())
+	{
+		this->public.plugin.get_features = _get_features;
+	}
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.h b/src/libstrongswan/plugins/rdrand/rdrand_plugin.h
new file mode 100644
index 000000000..6f0e55313
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rdrand_p rdrand
+ * @ingroup plugins
+ *
+ * @defgroup rdrand_plugin rdrand_plugin
+ * @{ @ingroup rdrand_p
+ */
+
+#ifndef RDRAND_PLUGIN_H_
+#define RDRAND_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct rdrand_plugin_t rdrand_plugin_t;
+
+/**
+ * Plugin providing random generators based on Intels RDRAND instruction.
+ */
+struct rdrand_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** RDRAND_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_rng.c b/src/libstrongswan/plugins/rdrand/rdrand_rng.c
new file mode 100644
index 000000000..fa66f3ad7
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_rng.c
@@ -0,0 +1,442 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rdrand_rng.h"
+
+#include <unistd.h>
+
+typedef struct private_rdrand_rng_t private_rdrand_rng_t;
+
+/**
+ * Private data of an rdrand_rng_t object.
+ */
+struct private_rdrand_rng_t {
+
+	/**
+	 * Public rdrand_rng_t interface.
+	 */
+	rdrand_rng_t public;
+
+	/**
+	 * Quality we produce RNG data
+	 */
+	rng_quality_t quality;
+};
+
+/**
+ * Retries for failed RDRAND instructions
+ */
+#define MAX_TRIES 16
+
+/**
+ * After how many bytes should we reseed for RNG_STRONG
+ * (must be a power of two >= 8)
+ */
+#define FORCE_RESEED 16
+
+/**
+ * How many times we mix reseeded RDRAND output when using RNG_TRUE
+ */
+#define MIX_ROUNDS 32
+
+/**
+ * Get a two byte word using RDRAND
+ */
+static bool rdrand16(u_int16_t *out)
+{
+	u_char res;
+	int i;
+
+	for (i = 0; i < MAX_TRIES; i++)
+	{
+		asm(".byte 0x66;.byte 0x0f;.byte 0xc7;.byte 0xf0; " /* rdrand */
+			"setc %1;"
+			: "=a"(*out), "=qm"(res));
+
+		if (res)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Get a four byte word using RDRAND
+ */
+static bool rdrand32(u_int32_t *out)
+{
+	u_char res;
+	int i;
+
+	for (i = 0; i < MAX_TRIES; i++)
+	{
+		asm(".byte 0x0f;.byte 0xc7;.byte 0xf0;" /* rdrand */
+			"setc %1;"
+			: "=a"(*out), "=qm"(res));
+
+		if (res)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+#ifdef __x86_64__
+/**
+ * Get a eight byte word using RDRAND
+ */
+static bool rdrand64(u_int64_t *out)
+{
+	u_char res;
+	int i;
+
+	for (i = 0; i < MAX_TRIES; i++)
+	{
+		asm(".byte 0x48;.byte 0x0f;.byte 0xc7;.byte 0xf0;" /* rdrand */
+			"setc %1;"
+			: "=a"(*out), "=qm"(res));
+
+		if (res)
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+#endif /* __x86_64__ */
+
+/**
+ * Get a one byte word using RDRAND
+ */
+static bool rdrand8(u_int8_t *out)
+{
+	u_int16_t u16;
+
+	if (!rdrand16(&u16))
+	{
+		return FALSE;
+	}
+	*out = u16;
+	return TRUE;
+}
+
+/**
+ * Get a 16 byte word using RDRAND
+ */
+static bool rdrand128(void *out)
+{
+#ifdef __x86_64__
+	if (!rdrand64(out) ||
+		!rdrand64(out + sizeof(u_int64_t)))
+	{
+		return FALSE;
+	}
+#else /* __i386__ */
+	if (!rdrand32(out) ||
+		!rdrand32(out + 1 * sizeof(u_int32_t)) ||
+		!rdrand32(out + 2 * sizeof(u_int32_t)) ||
+		!rdrand32(out + 3 * sizeof(u_int32_t)))
+	{
+		return FALSE;
+	}
+#endif /* __x86_64__ / __i386__ */
+	return TRUE;
+}
+
+/**
+ * Enforce a DRNG reseed by reading 511 128-bit samples
+ */
+static bool reseed()
+{
+	int i;
+
+#ifdef __x86_64__
+	u_int64_t tmp;
+
+	for (i = 0; i < 511 * 16 / sizeof(u_int64_t); i++)
+	{
+		if (!rdrand64(&tmp))
+		{
+			return FALSE;
+		}
+	}
+#else /* __i386__ */
+	u_int32_t tmp;
+
+	for (i = 0; i < 511 * 16 / sizeof(u_int32_t); i++)
+	{
+		if (!rdrand32(&tmp))
+		{
+			return FALSE;
+		}
+	}
+#endif /* __x86_64__ / __i386__ */
+	return TRUE;
+}
+
+/**
+ * Fill a preallocated chunk of data with random bytes
+ */
+static bool rdrand_chunk(private_rdrand_rng_t *this, chunk_t chunk)
+{
+	if (this->quality == RNG_STRONG)
+	{
+		if (!reseed())
+		{
+			return FALSE;
+		}
+	}
+
+	/* align to 2 byte */
+	if (chunk.len >= sizeof(u_int8_t))
+	{
+		if ((uintptr_t)chunk.ptr % 2)
+		{
+			if (!rdrand8((u_int8_t*)chunk.ptr))
+			{
+				return FALSE;
+			}
+			chunk = chunk_skip(chunk, sizeof(u_int8_t));
+		}
+	}
+
+	/* align to 4 byte */
+	if (chunk.len >= sizeof(u_int16_t))
+	{
+		if ((uintptr_t)chunk.ptr % 4)
+		{
+			if (!rdrand16((u_int16_t*)chunk.ptr))
+			{
+				return FALSE;
+			}
+			chunk = chunk_skip(chunk, sizeof(u_int16_t));
+		}
+	}
+
+#ifdef __x86_64__
+
+	/* align to 8 byte */
+	if (chunk.len >= sizeof(u_int32_t))
+	{
+		if ((uintptr_t)chunk.ptr % 8)
+		{
+			if (!rdrand32((u_int32_t*)chunk.ptr))
+			{
+				return FALSE;
+			}
+			chunk = chunk_skip(chunk, sizeof(u_int32_t));
+		}
+	}
+
+	/* fill with 8 byte words */
+	while (chunk.len >= sizeof(u_int64_t))
+	{
+		if (this->quality == RNG_STRONG && chunk.len % FORCE_RESEED == 0)
+		{
+			if (!reseed())
+			{
+				return FALSE;
+			}
+		}
+		if (!rdrand64((u_int64_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int64_t));
+	}
+
+	/* append 4 byte word */
+	if (chunk.len >= sizeof(u_int32_t))
+	{
+		if (!rdrand32((u_int32_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int32_t));
+	}
+
+#else /* __i386__ */
+
+	/* fill with 4 byte words */
+	while (chunk.len >= sizeof(u_int32_t))
+	{
+		if (this->quality == RNG_STRONG && chunk.len % FORCE_RESEED == 0)
+		{
+			if (!reseed())
+			{
+				return FALSE;
+			}
+		}
+		if (!rdrand32((u_int32_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int32_t));
+	}
+
+#endif /* __x86_64__ / __i386__ */
+
+	if (this->quality == RNG_STRONG)
+	{
+		if (!reseed())
+		{
+			return FALSE;
+		}
+	}
+
+	/* append 2 byte word */
+	if (chunk.len >= sizeof(u_int16_t))
+	{
+		if (!rdrand16((u_int16_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int16_t));
+	}
+
+	/* append 1 byte word */
+	if (chunk.len >= sizeof(u_int8_t))
+	{
+		if (!rdrand8((u_int8_t*)chunk.ptr))
+		{
+			return FALSE;
+		}
+		chunk = chunk_skip(chunk, sizeof(u_int8_t));
+	}
+
+	return TRUE;
+}
+
+/**
+ * Stronger variant mixing reseeded results of rdrand output
+ *
+ * This is based on the Intel DRNG "Software Implementation Guide", using
+ * AES-CBC to mix several reseeded RDRAND outputs.
+ */
+static bool rdrand_mixed(private_rdrand_rng_t *this, chunk_t chunk)
+{
+	u_char block[16], forward[16], key[16], iv[16];
+	crypter_t *crypter;
+	int i, len;
+
+	memset(iv, 0, sizeof(iv));
+	crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+	if (!crypter)
+	{
+		return FALSE;
+	}
+	for (i = 0; i < sizeof(key); i++)
+	{
+		key[i] = i;
+	}
+	if (!crypter->set_key(crypter, chunk_from_thing(key)))
+	{
+		crypter->destroy(crypter);
+		return FALSE;
+	}
+	while (chunk.len > 0)
+	{
+		memset(forward, 0, sizeof(forward));
+		for (i = 0; i < MIX_ROUNDS; i++)
+		{
+			/* sleep to reseed PRNG */
+			usleep(10);
+			if (!rdrand128(block))
+			{
+				crypter->destroy(crypter);
+				return FALSE;
+			}
+			memxor(forward, block, sizeof(block));
+			if (!crypter->encrypt(crypter, chunk_from_thing(forward),
+								  chunk_from_thing(iv), NULL))
+			{
+				crypter->destroy(crypter);
+				return FALSE;
+			}
+		}
+		len = min(chunk.len, sizeof(forward));
+		memcpy(chunk.ptr, forward, len);
+		chunk = chunk_skip(chunk, len);
+	}
+	crypter->destroy(crypter);
+
+	return TRUE;
+}
+
+METHOD(rng_t, get_bytes, bool,
+	private_rdrand_rng_t *this, size_t bytes, u_int8_t *buffer)
+{
+	switch (this->quality)
+	{
+		case RNG_WEAK:
+		case RNG_STRONG:
+			return rdrand_chunk(this, chunk_create(buffer, bytes));
+		case RNG_TRUE:
+			return rdrand_mixed(this, chunk_create(buffer, bytes));
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+	private_rdrand_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(bytes);
+	if (get_bytes(this, bytes, chunk->ptr))
+	{
+		return TRUE;
+	}
+	free(chunk->ptr);
+	return FALSE;
+}
+
+METHOD(rng_t, destroy, void,
+	private_rdrand_rng_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+rdrand_rng_t *rdrand_rng_create(rng_quality_t quality)
+{
+	private_rdrand_rng_t *this;
+
+	switch (quality)
+	{
+		case RNG_WEAK:
+		case RNG_STRONG:
+		case RNG_TRUE:
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.quality = quality,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/rdrand/rdrand_rng.h b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
new file mode 100644
index 000000000..3fb49ce6e
--- /dev/null
+++ b/src/libstrongswan/plugins/rdrand/rdrand_rng.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rdrand_rng rdrand_rng
+ * @{ @ingroup rdrand_p
+ */
+
+#ifndef RDRAND_RNG_H_
+#define RDRAND_RNG_H_
+
+#include <crypto/rngs/rng.h>
+
+typedef struct rdrand_rng_t rdrand_rng_t;
+
+/**
+ * RNG implemented with Intels RDRAND instructions, introduced in Ivy Bridge.
+ */
+struct rdrand_rng_t {
+
+	/**
+	 * Implements rng_t interface.
+	 */
+	rng_t rng;
+};
+
+/**
+ * Create a rdrand_rng instance.
+ *
+ * @param quality		RNG quality
+ * @return				RNG instance
+ */
+rdrand_rng_t *rdrand_rng_create(rng_quality_t quality);
+
+#endif /** RDRAND_RNG_H_ @}*/
diff --git a/src/libstrongswan/plugins/revocation/Makefile.am b/src/libstrongswan/plugins/revocation/Makefile.am
index fb6d01926..5bb5ac204 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.am
+++ b/src/libstrongswan/plugins/revocation/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-revocation.la
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index a78762c82..b13016902 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_revocation_la_LIBADD =
@@ -79,49 +103,77 @@ am_libstrongswan_revocation_la_OBJECTS = revocation_plugin.lo \
 	revocation_validator.lo
 libstrongswan_revocation_la_OBJECTS =  \
 	$(am_libstrongswan_revocation_la_OBJECTS)
-libstrongswan_revocation_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_revocation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_revocation_la_LDFLAGS) \
 	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_revocation_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_revocation_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_revocation_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_revocation_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -130,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -149,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -176,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -188,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -196,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -206,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -227,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -247,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -284,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-revocation.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-revocation.la
 libstrongswan_revocation_la_SOURCES = \
@@ -338,7 +403,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +410,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +433,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) 
-	$(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS)
+libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) $(EXTRA_libstrongswan_revocation_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -380,25 +446,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_validator.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -505,10 +571,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index fa04fb2a2..fe7eaa765 100644
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -42,10 +42,43 @@ METHOD(plugin_t, get_name, char*,
 	return "revocation";
 }
 
+/**
+ * Register validator
+ */
+static bool plugin_cb(private_revocation_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+	}
+	else
+	{
+		lib->credmgr->remove_validator(lib->credmgr,
+									   &this->validator->validator);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_revocation_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "revocation"),
+				PLUGIN_SDEPEND(CERT_ENCODE, CERT_X509_OCSP_REQUEST),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_OCSP_RESPONSE),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
+				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+				PLUGIN_SDEPEND(FETCHER, NULL),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_revocation_plugin_t *this)
 {
-	lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
 	this->validator->destroy(this->validator);
 	free(this);
 }
@@ -61,13 +94,12 @@ plugin_t *revocation_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
 		.validator = revocation_validator_create(),
 	);
-	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 34f347d1a..c8ec3f723 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -17,7 +17,7 @@
 
 #include "revocation_validator.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ocsp_request.h>
@@ -103,7 +103,7 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
 	bool verified = FALSE;
 
 	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
-	lib->credmgr->add_local_set(lib->credmgr, &wrapper->set);
+	lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
 
 	subject = &response->certificate;
 	responder = subject->get_issuer(subject);
@@ -111,7 +111,7 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
 													KEY_ANY, responder, FALSE);
 	while (enumerator->enumerate(enumerator, &issuer, &current))
 	{
-		if (lib->credmgr->issued_by(lib->credmgr, subject, issuer))
+		if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL))
 		{
 			DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
 							 issuer->get_subject(issuer));
@@ -341,7 +341,7 @@ static bool verify_crl(certificate_t *crl, auth_cfg_t *auth)
 										KEY_ANY, crl->get_issuer(crl), FALSE);
 	while (enumerator->enumerate(enumerator, &issuer, &current))
 	{
-		if (lib->credmgr->issued_by(lib->credmgr, crl, issuer))
+		if (lib->credmgr->issued_by(lib->credmgr, crl, issuer, NULL))
 		{
 			DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
 						   issuer->get_subject(issuer));
@@ -691,6 +691,8 @@ METHOD(cert_validator_t, validate, bool,
 			case VALIDATION_REVOKED:
 			case VALIDATION_ON_HOLD:
 				/* has already been logged */
+				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+										subject);
 				return FALSE;
 			case VALIDATION_SKIPPED:
 				DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
@@ -711,6 +713,8 @@ METHOD(cert_validator_t, validate, bool,
 			case VALIDATION_REVOKED:
 			case VALIDATION_ON_HOLD:
 				/* has already been logged */
+				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+										subject);
 				return FALSE;
 			case VALIDATION_FAILED:
 			case VALIDATION_SKIPPED:
@@ -720,6 +724,8 @@ METHOD(cert_validator_t, validate, bool,
 				DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
 				break;
 		}
+		lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
+								subject);
 	}
 	return TRUE;
 }
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
index 4e539fd83..f5e7d946e 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.am
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sha1.la
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index f59c7516d..9ac3e5be2 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha1_la_LIBADD =
 am_libstrongswan_sha1_la_OBJECTS = sha1_plugin.lo sha1_hasher.lo \
 	sha1_prf.lo
 libstrongswan_sha1_la_OBJECTS = $(am_libstrongswan_sha1_la_OBJECTS)
-libstrongswan_sha1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sha1_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sha1_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sha1_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sha1_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sha1_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sha1_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sha1_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,8 +343,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha1.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha1.la
 libstrongswan_sha1_la_SOURCES = \
@@ -335,7 +401,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -343,6 +408,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -364,8 +431,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) 
-	$(libstrongswan_sha1_la_LINK) $(am_libstrongswan_sha1_la_rpath) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
+libstrongswan-sha1.la: $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha1_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_sha1_la_LINK) $(am_libstrongswan_sha1_la_rpath) $(libstrongswan_sha1_la_OBJECTS) $(libstrongswan_sha1_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -378,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_prf.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -503,10 +570,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/sha1/sha1_hasher.c b/src/libstrongswan/plugins/sha1/sha1_hasher.c
index 4d69ad5a4..b0efbae7d 100644
--- a/src/libstrongswan/plugins/sha1/sha1_hasher.c
+++ b/src/libstrongswan/plugins/sha1/sha1_hasher.c
@@ -175,7 +175,7 @@ static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
 	}
 }
 
-METHOD(hasher_t, reset, void,
+METHOD(hasher_t, reset, bool,
 	private_sha1_hasher_t *this)
 {
 	this->state[0] = 0x67452301;
@@ -185,9 +185,11 @@ METHOD(hasher_t, reset, void,
 	this->state[4] = 0xC3D2E1F0;
 	this->count[0] = 0;
 	this->count[1] = 0;
+
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash, void,
+METHOD(hasher_t, get_hash, bool,
 	private_sha1_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
 {
 	SHA1Update(this, chunk.ptr, chunk.len);
@@ -196,9 +198,10 @@ METHOD(hasher_t, get_hash, void,
 		SHA1Final(this, buffer);
 		reset(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash, void,
+METHOD(hasher_t, allocate_hash, bool,
 	private_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	SHA1Update(this, chunk.ptr, chunk.len);
@@ -210,6 +213,7 @@ METHOD(hasher_t, allocate_hash, void,
 		SHA1Final(this, hash->ptr);
 		reset(this);
 	}
+	return TRUE;
 }
 
 METHOD(hasher_t, get_hash_size, size_t,
diff --git a/src/libstrongswan/plugins/sha1/sha1_prf.c b/src/libstrongswan/plugins/sha1/sha1_prf.c
index 11f588c9d..cdc494b34 100644
--- a/src/libstrongswan/plugins/sha1/sha1_prf.c
+++ b/src/libstrongswan/plugins/sha1/sha1_prf.c
@@ -59,7 +59,7 @@ struct private_sha1_prf_t {
  */
 extern void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len);
 
-METHOD(prf_t, get_bytes, void,
+METHOD(prf_t, get_bytes, bool,
 	private_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes)
 {
 	u_int32_t *hash = (u_int32_t*)bytes;
@@ -71,6 +71,8 @@ METHOD(prf_t, get_bytes, void,
 	hash[2] = htonl(this->hasher->state[2]);
 	hash[3] = htonl(this->hasher->state[3]);
 	hash[4] = htonl(this->hasher->state[4]);
+
+	return TRUE;
 }
 
 METHOD(prf_t, get_block_size, size_t,
@@ -79,11 +81,11 @@ METHOD(prf_t, get_block_size, size_t,
 	return HASH_SIZE_SHA1;
 }
 
-METHOD(prf_t, allocate_bytes, void,
+METHOD(prf_t, allocate_bytes, bool,
 	private_sha1_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(HASH_SIZE_SHA1);
-	get_bytes(this, seed, chunk->ptr);
+	return get_bytes(this, seed, chunk->ptr);
 }
 
 METHOD(prf_t, get_key_size, size_t,
@@ -92,18 +94,23 @@ METHOD(prf_t, get_key_size, size_t,
 	return sizeof(this->hasher->state);
 }
 
-METHOD(prf_t, set_key, void,
+METHOD(prf_t, set_key, bool,
 	private_sha1_prf_t *this, chunk_t key)
 {
 	int i, rounds;
 	u_int32_t *iv = (u_int32_t*)key.ptr;
 
-	this->hasher->public.hasher_interface.reset(&this->hasher->public.hasher_interface);
+	if (!this->hasher->public.hasher_interface.reset(
+										&this->hasher->public.hasher_interface))
+	{
+		return FALSE;
+	}
 	rounds = min(key.len/sizeof(u_int32_t), sizeof(this->hasher->state));
 	for (i = 0; i < rounds; i++)
 	{
 		this->hasher->state[i] ^= htonl(iv[i]);
 	}
+	return TRUE;
 }
 
 METHOD(prf_t, destroy, void,
diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am
index a255d0609..cdd8696cd 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.am
+++ b/src/libstrongswan/plugins/sha2/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sha2.la
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index c99f30e43..aa7699163 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,52 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sha2_la_LIBADD =
 am_libstrongswan_sha2_la_OBJECTS = sha2_plugin.lo sha2_hasher.lo
 libstrongswan_sha2_la_OBJECTS = $(am_libstrongswan_sha2_la_OBJECTS)
-libstrongswan_sha2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sha2_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sha2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sha2_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sha2_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sha2_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sha2_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sha2_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -126,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -145,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -172,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -184,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -192,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -202,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -223,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -243,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -280,8 +342,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha2.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha2.la
 libstrongswan_sha2_la_SOURCES = \
@@ -333,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -341,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -362,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) 
-	$(libstrongswan_sha2_la_LINK) $(am_libstrongswan_sha2_la_rpath) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
+libstrongswan-sha2.la: $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha2_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_sha2_la_LINK) $(am_libstrongswan_sha2_la_rpath) $(libstrongswan_sha2_la_OBJECTS) $(libstrongswan_sha2_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,25 +442,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -500,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c
index 60fe4bd20..1c6dd2533 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.c
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c
@@ -426,41 +426,49 @@ static void sha512_final(private_sha512_hasher_t *ctx)
 	} while(++j < 8);
 }
 
-METHOD(hasher_t, reset224, void,
+METHOD(hasher_t, reset224, bool,
 	private_sha256_hasher_t *this)
 {
 	memcpy(&this->sha_H[0], &sha224_hashInit[0], sizeof(this->sha_H));
 	this->sha_blocks = 0;
 	this->sha_bufCnt = 0;
+
+	return TRUE;
 }
 
-METHOD(hasher_t, reset256, void,
+METHOD(hasher_t, reset256, bool,
 	private_sha256_hasher_t *this)
 {
 	memcpy(&this->sha_H[0], &sha256_hashInit[0], sizeof(this->sha_H));
 	this->sha_blocks = 0;
 	this->sha_bufCnt = 0;
+
+	return TRUE;
 }
 
-METHOD(hasher_t, reset384, void,
+METHOD(hasher_t, reset384, bool,
 	private_sha512_hasher_t *this)
 {
 	memcpy(&this->sha_H[0], &sha384_hashInit[0], sizeof(this->sha_H));
 	this->sha_blocks = 0;
 	this->sha_blocksMSB = 0;
 	this->sha_bufCnt = 0;
+
+	return TRUE;
 }
 
-METHOD(hasher_t, reset512, void,
+METHOD(hasher_t, reset512, bool,
 	private_sha512_hasher_t *this)
 {
 	memcpy(&this->sha_H[0], &sha512_hashInit[0], sizeof(this->sha_H));
 	this->sha_blocks = 0;
 	this->sha_blocksMSB = 0;
 	this->sha_bufCnt = 0;
+
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash224, void,
+METHOD(hasher_t, get_hash224, bool,
 	private_sha256_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
 {
 	sha256_write(this, chunk.ptr, chunk.len);
@@ -470,9 +478,10 @@ METHOD(hasher_t, get_hash224, void,
 		memcpy(buffer, this->sha_out, HASH_SIZE_SHA224);
 		reset224(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash256, void,
+METHOD(hasher_t, get_hash256, bool,
 	private_sha256_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
 {
 	sha256_write(this, chunk.ptr, chunk.len);
@@ -482,9 +491,10 @@ METHOD(hasher_t, get_hash256, void,
 		memcpy(buffer, this->sha_out, HASH_SIZE_SHA256);
 		reset256(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash384, void,
+METHOD(hasher_t, get_hash384, bool,
 	private_sha512_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
 {
 	sha512_write(this, chunk.ptr, chunk.len);
@@ -494,9 +504,10 @@ METHOD(hasher_t, get_hash384, void,
 		memcpy(buffer, this->sha_out, HASH_SIZE_SHA384);
 		reset384(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, get_hash512, void,
+METHOD(hasher_t, get_hash512, bool,
 	private_sha512_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
 {
 	sha512_write(this, chunk.ptr, chunk.len);
@@ -506,9 +517,10 @@ METHOD(hasher_t, get_hash512, void,
 		memcpy(buffer, this->sha_out, HASH_SIZE_SHA512);
 		reset512(this);
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash224, void,
+METHOD(hasher_t, allocate_hash224, bool,
 	private_sha256_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
@@ -522,9 +534,10 @@ METHOD(hasher_t, allocate_hash224, void,
 		reset224(this);
 		*hash = allocated_hash;
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash256, void,
+METHOD(hasher_t, allocate_hash256, bool,
 	private_sha256_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
@@ -538,9 +551,10 @@ METHOD(hasher_t, allocate_hash256, void,
 		reset256(this);
 		*hash = allocated_hash;
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash384, void,
+METHOD(hasher_t, allocate_hash384, bool,
 	private_sha512_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
@@ -554,9 +568,10 @@ METHOD(hasher_t, allocate_hash384, void,
 		reset384(this);
 		*hash = allocated_hash;
 	}
+	return TRUE;
 }
 
-METHOD(hasher_t, allocate_hash512, void,
+METHOD(hasher_t, allocate_hash512, bool,
 	private_sha512_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	chunk_t allocated_hash;
@@ -570,6 +585,7 @@ METHOD(hasher_t, allocate_hash512, void,
 		reset512(this);
 		*hash = allocated_hash;
 	}
+	return TRUE;
 }
 
 METHOD(hasher_t, get_hash_size224, size_t,
diff --git a/src/libstrongswan/plugins/soup/Makefile.am b/src/libstrongswan/plugins/soup/Makefile.am
index 9006f1b7c..8df666f4c 100644
--- a/src/libstrongswan/plugins/soup/Makefile.am
+++ b/src/libstrongswan/plugins/soup/Makefile.am
@@ -1,7 +1,9 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	 ${soup_CFLAGS} \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-soup.la
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index ce4b07769..c28610eba 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,88 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_soup_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
 am_libstrongswan_soup_la_OBJECTS = soup_plugin.lo soup_fetcher.lo
 libstrongswan_soup_la_OBJECTS = $(am_libstrongswan_soup_la_OBJECTS)
-libstrongswan_soup_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_soup_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_soup_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_soup_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_soup_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_soup_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_soup_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_soup_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +180,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +202,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +230,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +244,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +253,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +261,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +287,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +307,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,8 +343,13 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	 ${soup_CFLAGS} \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-soup.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-soup.la
 libstrongswan_soup_la_SOURCES = \
@@ -335,7 +402,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -343,6 +409,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -364,8 +432,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) 
-	$(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
+libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) $(EXTRA_libstrongswan_soup_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -377,25 +445,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -502,10 +570,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c
index 3e5786b12..681a3c357 100644
--- a/src/libstrongswan/plugins/soup/soup_fetcher.c
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.c
@@ -18,7 +18,7 @@
 #include <libsoup/soup.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #define DEFAULT_TIMEOUT 10
 
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
index b21b28b9f..f57ed81c3 100644
--- a/src/libstrongswan/plugins/soup/soup_plugin.c
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -65,11 +65,16 @@ plugin_t *soup_plugin_create()
 {
 	private_soup_plugin_t *this;
 
+#if !GLIB_CHECK_VERSION(2,36,0)
 	g_type_init();
+#endif
+
+#if !GLIB_CHECK_VERSION(2,23,0)
 	if (!g_thread_get_initialized())
 	{
 		g_thread_init(NULL);
 	}
+#endif
 
 	INIT(this,
 		.public = {
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am
index 2e1d9733f..717d6350d 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.am
+++ b/src/libstrongswan/plugins/sqlite/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sqlite.la
@@ -15,4 +16,3 @@ libstrongswan_sqlite_la_SOURCES = \
 
 libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
 libstrongswan_sqlite_la_LIBADD  = -lsqlite3
-
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 391827724..15f70535f 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_sqlite_la_DEPENDENCIES =
@@ -79,48 +103,77 @@ am_libstrongswan_sqlite_la_OBJECTS = sqlite_plugin.lo \
 	sqlite_database.lo
 libstrongswan_sqlite_la_OBJECTS =  \
 	$(am_libstrongswan_sqlite_la_OBJECTS)
-libstrongswan_sqlite_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_sqlite_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sqlite_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sqlite_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_sqlite_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_sqlite_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_sqlite_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_sqlite_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -129,13 +182,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -148,6 +204,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -175,11 +232,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -187,6 +246,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -195,8 +255,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -205,14 +263,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -226,17 +289,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -246,16 +309,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,8 +345,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sqlite.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sqlite.la
 libstrongswan_sqlite_la_SOURCES = \
@@ -338,7 +404,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -346,6 +411,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -367,8 +434,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) 
-	$(libstrongswan_sqlite_la_LINK) $(am_libstrongswan_sqlite_la_rpath) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
+libstrongswan-sqlite.la: $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_DEPENDENCIES) $(EXTRA_libstrongswan_sqlite_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_sqlite_la_LINK) $(am_libstrongswan_sqlite_la_rpath) $(libstrongswan_sqlite_la_OBJECTS) $(libstrongswan_sqlite_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -380,25 +447,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sqlite_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -505,10 +572,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index f9e06199e..41d45dee7 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -18,7 +18,7 @@
 #include <sqlite3.h>
 #include <unistd.h>
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/mutex.h>
 
 typedef struct private_sqlite_database_t private_sqlite_database_t;
@@ -206,6 +206,7 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...)
 			}
 			default:
 				DBG1(DBG_LIB, "invalid result type supplied");
+				va_end(args);
 				return FALSE;
 		}
 	}
@@ -299,7 +300,10 @@ static int busy_handler(private_sqlite_database_t *this, int count)
 METHOD(database_t, destroy, void,
 	private_sqlite_database_t *this)
 {
-	sqlite3_close(this->db);
+	if (sqlite3_close(this->db) == SQLITE_BUSY)
+	{
+		DBG1(DBG_LIB, "sqlite close failed because database is busy");
+	}
 	this->mutex->destroy(this->mutex);
 	free(this);
 }
@@ -315,7 +319,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
 	/**
 	 * parse sqlite:///path/to/file.db uri
 	 */
-	if (!strneq(uri, "sqlite://", 9))
+	if (!strpfx(uri, "sqlite://"))
 	{
 		return NULL;
 	}
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.am b/src/libstrongswan/plugins/sshkey/Makefile.am
new file mode 100644
index 000000000..d2ec631a8
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/Makefile.am
@@ -0,0 +1,17 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-sshkey.la
+else
+plugin_LTLIBRARIES = libstrongswan-sshkey.la
+endif
+
+libstrongswan_sshkey_la_SOURCES = \
+	sshkey_plugin.h sshkey_plugin.c \
+	sshkey_builder.h sshkey_builder.c
+
+libstrongswan_sshkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
new file mode 100644
index 000000000..b7eeecc17
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -0,0 +1,685 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/sshkey
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_sshkey_la_LIBADD =
+am_libstrongswan_sshkey_la_OBJECTS = sshkey_plugin.lo \
+	sshkey_builder.lo
+libstrongswan_sshkey_la_OBJECTS =  \
+	$(am_libstrongswan_sshkey_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_sshkey_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sshkey_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_sshkey_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_sshkey_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_sshkey_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_sshkey_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sshkey.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sshkey.la
+libstrongswan_sshkey_la_SOURCES = \
+	sshkey_plugin.h sshkey_plugin.c \
+	sshkey_builder.h sshkey_builder.c
+
+libstrongswan_sshkey_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sshkey/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/sshkey/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-sshkey.la: $(libstrongswan_sshkey_la_OBJECTS) $(libstrongswan_sshkey_la_DEPENDENCIES) $(EXTRA_libstrongswan_sshkey_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_sshkey_la_LINK) $(am_libstrongswan_sshkey_la_rpath) $(libstrongswan_sshkey_la_OBJECTS) $(libstrongswan_sshkey_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sshkey_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sshkey_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.c b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
new file mode 100644
index 000000000..d6a7c645a
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sshkey_builder.h"
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+#define ECDSA_PREFIX "ecdsa-sha2-"
+
+/**
+ * Parse an EC domain parameter identifier as defined in RFC 5656
+ */
+static chunk_t parse_ec_identifier(chunk_t identifier)
+{
+	chunk_t oid = chunk_empty;
+
+	if (chunk_equals(identifier, chunk_from_str("nistp256")))
+	{
+		oid = asn1_build_known_oid(OID_PRIME256V1);
+	}
+	else if (chunk_equals(identifier, chunk_from_str("nistp384")))
+	{
+		oid = asn1_build_known_oid(OID_SECT384R1);
+	}
+	else if (chunk_equals(identifier, chunk_from_str("nistp521")))
+	{
+		oid = asn1_build_known_oid(OID_SECT521R1);
+	}
+	else
+	{
+		char ascii[64];
+
+		if (snprintf(ascii, sizeof(ascii), "%.*s", (int)identifier.len,
+					 identifier.ptr) < sizeof(ascii))
+		{
+			oid = asn1_wrap(ASN1_OID, "m", asn1_oid_from_string(ascii));
+		}
+	}
+	return oid;
+}
+
+/**
+ * Load a generic public key from an SSH key blob
+ */
+static sshkey_public_key_t *parse_public_key(chunk_t blob)
+{
+	bio_reader_t *reader;
+	chunk_t format;
+
+	reader = bio_reader_create(blob);
+	if (!reader->read_data32(reader, &format))
+	{
+		DBG1(DBG_LIB, "invalid key format in SSH key");
+		reader->destroy(reader);
+		return NULL;
+	}
+	if (chunk_equals(format, chunk_from_str("ssh-rsa")))
+	{
+		chunk_t n, e;
+
+		if (!reader->read_data32(reader, &e) ||
+			!reader->read_data32(reader, &n))
+		{
+			DBG1(DBG_LIB, "invalid RSA key in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		reader->destroy(reader);
+		return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
+	}
+	else if (format.len > strlen(ECDSA_PREFIX) &&
+			 strpfx(format.ptr, ECDSA_PREFIX))
+	{
+		chunk_t ec_blob, identifier, q, oid, encoded;
+		sshkey_public_key_t *key;
+
+		ec_blob = reader->peek(reader);
+		reader->destroy(reader);
+		reader = bio_reader_create(ec_blob);
+		if (!reader->read_data32(reader, &identifier) ||
+			!reader->read_data32(reader, &q))
+		{
+			DBG1(DBG_LIB, "invalid ECDSA key in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		oid = parse_ec_identifier(identifier);
+		if (!oid.ptr)
+		{
+			DBG1(DBG_LIB, "invalid ECDSA key identifier in SSH key");
+			reader->destroy(reader);
+			return NULL;
+		}
+		reader->destroy(reader);
+		/* build key from subjectPublicKeyInfo */
+		encoded = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_build_known_oid(OID_EC_PUBLICKEY), oid),
+						asn1_bitstring("c", q));
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+							KEY_ECDSA, BUILD_BLOB_ASN1_DER, encoded, BUILD_END);
+		chunk_free(&encoded);
+		return key;
+	}
+	DBG1(DBG_LIB, "unsupported SSH key format %.*s", (int)format.len,
+		 format.ptr);
+	reader->destroy(reader);
+	return NULL;
+}
+
+/**
+ * See header.
+ */
+sshkey_public_key_t *sshkey_public_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_SSHKEY:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (blob.ptr && type == KEY_ANY)
+	{
+		return parse_public_key(blob);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_builder.h b/src/libstrongswan/plugins/sshkey/sshkey_builder.h
new file mode 100644
index 000000000..e4c7a90d0
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_builder.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sshky_public_key sshky_public_key
+ * @{ @ingroup sshkey_p
+ */
+
+#ifndef SSHKEY_BUILDER_H_
+#define SSHKEY_BUILDER_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/public_key.h>
+
+typedef struct sshkey_public_key_t sshkey_public_key_t;
+
+/**
+ * Public key implementation supporting RFC 4253 decoding.
+ */
+struct sshkey_public_key_t {
+
+	/**
+	 * Implements public_key_t interface.
+	 */
+	public_key_t interface;
+};
+
+/**
+ * Load a public key in RFC 4253 format.
+ *
+ * Takes a BUILD_BLOB_SSHKEY to parse the public key.
+ *
+ * @param type		type of the key, must be KEY_ANY
+ * @param args		builder_part_t argument list
+ * @return 			built key, NULL on failure
+ */
+sshkey_public_key_t *sshkey_public_key_load(key_type_t type, va_list args);
+
+#endif /** SSHKEY_BUILDER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_plugin.c b/src/libstrongswan/plugins/sshkey/sshkey_plugin.c
new file mode 100644
index 000000000..fe6252671
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_plugin.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sshkey_plugin.h"
+
+#include <library.h>
+#include "sshkey_builder.h"
+
+typedef struct private_sshkey_plugin_t private_sshkey_plugin_t;
+
+/**
+ * private data of sshkey_plugin
+ */
+struct private_sshkey_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	sshkey_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_sshkey_plugin_t *this)
+{
+	return "sshkey";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_sshkey_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(PUBKEY, sshkey_public_key_load, FALSE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_sshkey_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *sshkey_plugin_create()
+{
+	private_sshkey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/sshkey/sshkey_plugin.h b/src/libstrongswan/plugins/sshkey/sshkey_plugin.h
new file mode 100644
index 000000000..2b9095a98
--- /dev/null
+++ b/src/libstrongswan/plugins/sshkey/sshkey_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sshkey_p sshkey
+ * @ingroup plugins
+ *
+ * @defgroup sshkey_plugin sshkey_plugin
+ * @{ @ingroup sshkey_p
+ */
+
+#ifndef SSHKEY_PLUGIN_H_
+#define SSHKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct sshkey_plugin_t sshkey_plugin_t;
+
+/**
+ * Plugin providing RFC 4253 public key decoding functions.
+ */
+struct sshkey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SSHKEY_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 5280300a8..6dcad400d 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-test-vectors.la
@@ -26,6 +27,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/des.c \
 	test_vectors/idea.c \
 	test_vectors/null.c \
+	test_vectors/rc2.c \
 	test_vectors/rc5.c \
 	test_vectors/serpent_cbc.c \
 	test_vectors/twofish_cbc.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 7e0271b13..e00a7d75e 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_test_vectors_la_LIBADD =
@@ -79,54 +103,82 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
 	3des_cbc.lo aes_cbc.lo aes_ctr.lo aes_xcbc.lo aes_cmac.lo \
 	aes_ccm.lo aes_gcm.lo blowfish.lo camellia_cbc.lo \
 	camellia_ctr.lo camellia_xcbc.lo cast.lo des.lo idea.lo \
-	null.lo rc5.lo serpent_cbc.lo twofish_cbc.lo md2.lo md4.lo \
-	md5.lo md5_hmac.lo sha1.lo sha1_hmac.lo sha2.lo sha2_hmac.lo \
-	fips_prf.lo rng.lo
+	null.lo rc2.lo rc5.lo serpent_cbc.lo twofish_cbc.lo md2.lo \
+	md4.lo md5.lo md5_hmac.lo sha1.lo sha1_hmac.lo sha2.lo \
+	sha2_hmac.lo fips_prf.lo rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
-libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_test_vectors_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
 	$(AM_CFLAGS) $(CFLAGS) \
 	$(libstrongswan_test_vectors_la_LDFLAGS) $(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_test_vectors_la_rpath = -rpath \
 @MONOLITHIC_FALSE@	$(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_test_vectors_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_test_vectors_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -135,13 +187,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -154,6 +209,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,11 +237,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -193,6 +251,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -201,8 +260,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -211,14 +268,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -232,17 +294,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -252,16 +314,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -289,8 +350,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-test-vectors.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-test-vectors.la
 libstrongswan_test_vectors_la_SOURCES = \
@@ -310,6 +375,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/des.c \
 	test_vectors/idea.c \
 	test_vectors/null.c \
+	test_vectors/rc2.c \
 	test_vectors/rc5.c \
 	test_vectors/serpent_cbc.c \
 	test_vectors/twofish_cbc.c \
@@ -370,7 +436,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -378,6 +443,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -399,8 +466,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) 
-	$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
+libstrongswan-test-vectors.la: $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_DEPENDENCIES) $(EXTRA_libstrongswan_test_vectors_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_test_vectors_la_LINK) $(am_libstrongswan_test_vectors_la_rpath) $(libstrongswan_test_vectors_la_OBJECTS) $(libstrongswan_test_vectors_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -428,6 +495,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_hmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/null.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc2.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rc5.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent_cbc.Plo@am__quote@
@@ -439,221 +507,228 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish_cbc.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 3des_cbc.lo: test_vectors/3des_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 3des_cbc.lo -MD -MP -MF $(DEPDIR)/3des_cbc.Tpo -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/3des_cbc.Tpo $(DEPDIR)/3des_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/3des_cbc.c' object='3des_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 3des_cbc.lo -MD -MP -MF $(DEPDIR)/3des_cbc.Tpo -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/3des_cbc.Tpo $(DEPDIR)/3des_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/3des_cbc.c' object='3des_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 3des_cbc.lo `test -f 'test_vectors/3des_cbc.c' || echo '$(srcdir)/'`test_vectors/3des_cbc.c
 
 aes_cbc.lo: test_vectors/aes_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.lo -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_cbc.c' object='aes_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.lo -MD -MP -MF $(DEPDIR)/aes_cbc.Tpo -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_cbc.Tpo $(DEPDIR)/aes_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_cbc.c' object='aes_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
 
 aes_ctr.lo: test_vectors/aes_ctr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
 
 aes_xcbc.lo: test_vectors/aes_xcbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_xcbc.c' object='aes_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_xcbc.c' object='aes_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 
 aes_cmac.lo: test_vectors/aes_cmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cmac.lo -MD -MP -MF $(DEPDIR)/aes_cmac.Tpo -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_cmac.Tpo $(DEPDIR)/aes_cmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_cmac.c' object='aes_cmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cmac.lo -MD -MP -MF $(DEPDIR)/aes_cmac.Tpo -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_cmac.Tpo $(DEPDIR)/aes_cmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_cmac.c' object='aes_cmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cmac.lo `test -f 'test_vectors/aes_cmac.c' || echo '$(srcdir)/'`test_vectors/aes_cmac.c
 
 aes_ccm.lo: test_vectors/aes_ccm.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
 
 aes_gcm.lo: test_vectors/aes_gcm.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
 
 blowfish.lo: test_vectors/blowfish.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/blowfish.c' object='blowfish.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/blowfish.c' object='blowfish.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
 
 camellia_cbc.lo: test_vectors/camellia_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_cbc.lo -MD -MP -MF $(DEPDIR)/camellia_cbc.Tpo -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_cbc.Tpo $(DEPDIR)/camellia_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_cbc.c' object='camellia_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_cbc.lo -MD -MP -MF $(DEPDIR)/camellia_cbc.Tpo -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/camellia_cbc.Tpo $(DEPDIR)/camellia_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/camellia_cbc.c' object='camellia_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
 
 camellia_ctr.lo: test_vectors/camellia_ctr.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
 
 camellia_xcbc.lo: test_vectors/camellia_xcbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
 
 cast.lo: test_vectors/cast.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/cast.c' object='cast.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/cast.c' object='cast.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
 
 des.lo: test_vectors/des.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des.lo -MD -MP -MF $(DEPDIR)/des.Tpo -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/des.Tpo $(DEPDIR)/des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/des.c' object='des.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des.lo -MD -MP -MF $(DEPDIR)/des.Tpo -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/des.Tpo $(DEPDIR)/des.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/des.c' object='des.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des.lo `test -f 'test_vectors/des.c' || echo '$(srcdir)/'`test_vectors/des.c
 
 idea.lo: test_vectors/idea.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT idea.lo -MD -MP -MF $(DEPDIR)/idea.Tpo -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/idea.Tpo $(DEPDIR)/idea.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/idea.c' object='idea.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT idea.lo -MD -MP -MF $(DEPDIR)/idea.Tpo -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/idea.Tpo $(DEPDIR)/idea.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/idea.c' object='idea.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o idea.lo `test -f 'test_vectors/idea.c' || echo '$(srcdir)/'`test_vectors/idea.c
 
 null.lo: test_vectors/null.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT null.lo -MD -MP -MF $(DEPDIR)/null.Tpo -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/null.Tpo $(DEPDIR)/null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/null.c' object='null.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT null.lo -MD -MP -MF $(DEPDIR)/null.Tpo -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/null.Tpo $(DEPDIR)/null.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/null.c' object='null.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o null.lo `test -f 'test_vectors/null.c' || echo '$(srcdir)/'`test_vectors/null.c
+
+rc2.lo: test_vectors/rc2.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc2.lo -MD -MP -MF $(DEPDIR)/rc2.Tpo -c -o rc2.lo `test -f 'test_vectors/rc2.c' || echo '$(srcdir)/'`test_vectors/rc2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rc2.Tpo $(DEPDIR)/rc2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/rc2.c' object='rc2.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc2.lo `test -f 'test_vectors/rc2.c' || echo '$(srcdir)/'`test_vectors/rc2.c
 
 rc5.lo: test_vectors/rc5.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc5.lo -MD -MP -MF $(DEPDIR)/rc5.Tpo -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rc5.Tpo $(DEPDIR)/rc5.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rc5.c' object='rc5.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rc5.lo -MD -MP -MF $(DEPDIR)/rc5.Tpo -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rc5.Tpo $(DEPDIR)/rc5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/rc5.c' object='rc5.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rc5.lo `test -f 'test_vectors/rc5.c' || echo '$(srcdir)/'`test_vectors/rc5.c
 
 serpent_cbc.lo: test_vectors/serpent_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.lo -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/serpent_cbc.c' object='serpent_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.lo -MD -MP -MF $(DEPDIR)/serpent_cbc.Tpo -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/serpent_cbc.Tpo $(DEPDIR)/serpent_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/serpent_cbc.c' object='serpent_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.lo `test -f 'test_vectors/serpent_cbc.c' || echo '$(srcdir)/'`test_vectors/serpent_cbc.c
 
 twofish_cbc.lo: test_vectors/twofish_cbc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.lo -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/twofish_cbc.c' object='twofish_cbc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.lo -MD -MP -MF $(DEPDIR)/twofish_cbc.Tpo -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/twofish_cbc.Tpo $(DEPDIR)/twofish_cbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/twofish_cbc.c' object='twofish_cbc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.lo `test -f 'test_vectors/twofish_cbc.c' || echo '$(srcdir)/'`test_vectors/twofish_cbc.c
 
 md2.lo: test_vectors/md2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md2.lo -MD -MP -MF $(DEPDIR)/md2.Tpo -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md2.Tpo $(DEPDIR)/md2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md2.c' object='md2.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md2.lo -MD -MP -MF $(DEPDIR)/md2.Tpo -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md2.Tpo $(DEPDIR)/md2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md2.c' object='md2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md2.lo `test -f 'test_vectors/md2.c' || echo '$(srcdir)/'`test_vectors/md2.c
 
 md4.lo: test_vectors/md4.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md4.lo -MD -MP -MF $(DEPDIR)/md4.Tpo -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md4.Tpo $(DEPDIR)/md4.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md4.c' object='md4.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md4.lo -MD -MP -MF $(DEPDIR)/md4.Tpo -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md4.Tpo $(DEPDIR)/md4.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md4.c' object='md4.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md4.lo `test -f 'test_vectors/md4.c' || echo '$(srcdir)/'`test_vectors/md4.c
 
 md5.lo: test_vectors/md5.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5.lo -MD -MP -MF $(DEPDIR)/md5.Tpo -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md5.Tpo $(DEPDIR)/md5.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5.c' object='md5.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5.lo -MD -MP -MF $(DEPDIR)/md5.Tpo -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md5.Tpo $(DEPDIR)/md5.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md5.c' object='md5.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5.lo `test -f 'test_vectors/md5.c' || echo '$(srcdir)/'`test_vectors/md5.c
 
 md5_hmac.lo: test_vectors/md5_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hmac.lo -MD -MP -MF $(DEPDIR)/md5_hmac.Tpo -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/md5_hmac.Tpo $(DEPDIR)/md5_hmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/md5_hmac.c' object='md5_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hmac.lo -MD -MP -MF $(DEPDIR)/md5_hmac.Tpo -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/md5_hmac.Tpo $(DEPDIR)/md5_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/md5_hmac.c' object='md5_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hmac.lo `test -f 'test_vectors/md5_hmac.c' || echo '$(srcdir)/'`test_vectors/md5_hmac.c
 
 sha1.lo: test_vectors/sha1.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1.lo -MD -MP -MF $(DEPDIR)/sha1.Tpo -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha1.Tpo $(DEPDIR)/sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1.c' object='sha1.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1.lo -MD -MP -MF $(DEPDIR)/sha1.Tpo -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha1.Tpo $(DEPDIR)/sha1.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha1.c' object='sha1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1.lo `test -f 'test_vectors/sha1.c' || echo '$(srcdir)/'`test_vectors/sha1.c
 
 sha1_hmac.lo: test_vectors/sha1_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hmac.lo -MD -MP -MF $(DEPDIR)/sha1_hmac.Tpo -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha1_hmac.Tpo $(DEPDIR)/sha1_hmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha1_hmac.c' object='sha1_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hmac.lo -MD -MP -MF $(DEPDIR)/sha1_hmac.Tpo -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha1_hmac.Tpo $(DEPDIR)/sha1_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha1_hmac.c' object='sha1_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hmac.lo `test -f 'test_vectors/sha1_hmac.c' || echo '$(srcdir)/'`test_vectors/sha1_hmac.c
 
 sha2.lo: test_vectors/sha2.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.lo -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2.c' object='sha2.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.lo -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha2.c' object='sha2.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.lo `test -f 'test_vectors/sha2.c' || echo '$(srcdir)/'`test_vectors/sha2.c
 
 sha2_hmac.lo: test_vectors/sha2_hmac.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hmac.lo -MD -MP -MF $(DEPDIR)/sha2_hmac.Tpo -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sha2_hmac.Tpo $(DEPDIR)/sha2_hmac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/sha2_hmac.c' object='sha2_hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hmac.lo -MD -MP -MF $(DEPDIR)/sha2_hmac.Tpo -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/sha2_hmac.Tpo $(DEPDIR)/sha2_hmac.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/sha2_hmac.c' object='sha2_hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hmac.lo `test -f 'test_vectors/sha2_hmac.c' || echo '$(srcdir)/'`test_vectors/sha2_hmac.c
 
 fips_prf.lo: test_vectors/fips_prf.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'test_vectors/fips_prf.c' || echo '$(srcdir)/'`test_vectors/fips_prf.c
 
 rng.lo: test_vectors/rng.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rng.lo -MD -MP -MF $(DEPDIR)/rng.Tpo -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/rng.Tpo $(DEPDIR)/rng.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors/rng.c' object='rng.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rng.lo `test -f 'test_vectors/rng.c' || echo '$(srcdir)/'`test_vectors/rng.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -760,10 +835,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 40fb51da6..788baae57 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -55,6 +55,14 @@ TEST_VECTOR_CRYPTER(des3_cbc2)
 TEST_VECTOR_CRYPTER(idea1)
 TEST_VECTOR_CRYPTER(idea2)
 TEST_VECTOR_CRYPTER(null1)
+TEST_VECTOR_CRYPTER(rc2_1)
+TEST_VECTOR_CRYPTER(rc2_2)
+TEST_VECTOR_CRYPTER(rc2_3)
+TEST_VECTOR_CRYPTER(rc2_4)
+TEST_VECTOR_CRYPTER(rc2_5)
+TEST_VECTOR_CRYPTER(rc2_6)
+TEST_VECTOR_CRYPTER(rc2_7)
+TEST_VECTOR_CRYPTER(rc2_8)
 TEST_VECTOR_CRYPTER(rc5_1)
 TEST_VECTOR_CRYPTER(rc5_2)
 TEST_VECTOR_CRYPTER(serpent_cbc1)
@@ -140,6 +148,7 @@ TEST_VECTOR_HASHER(md5_7)
 TEST_VECTOR_HASHER(sha1_1)
 TEST_VECTOR_HASHER(sha1_2)
 TEST_VECTOR_HASHER(sha1_3)
+TEST_VECTOR_HASHER(sha1_4)
 TEST_VECTOR_HASHER(sha224_1)
 TEST_VECTOR_HASHER(sha224_2)
 TEST_VECTOR_HASHER(sha224_3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rc2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rc2.c
new file mode 100644
index 000000000..b03d12038
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rc2.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test vectors from RFC 2268
+ */
+
+/**
+ * RC2 key length 8 bytes, effective key length 63 bits
+ */
+crypter_test_vector_t rc2_1 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(8, 63), .len = 8,
+	.key	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\xeb\xb7\x73\xf9\x93\x27\x8e\xff",
+};
+
+/**
+ * RC2 key length 8 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_2 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(8, 64), .len = 8,
+	.key	= "\xff\xff\xff\xff\xff\xff\xff\xff",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\xff\xff\xff\xff\xff\xff\xff\xff",
+	.cipher	= "\x27\x8b\x27\xe4\x2e\x2f\x0d\x49",
+};
+
+/**
+ * RC2 key length 8 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_3 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(8, 64), .len = 8,
+	.key	= "\x30\x00\x00\x00\x00\x00\x00\x00",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x10\x00\x00\x00\x00\x00\x00\x01",
+	.cipher	= "\x30\x64\x9e\xdf\x9b\xe7\xd2\xc2",
+};
+
+/**
+ * RC2 key length 1 byte, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_4 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(1, 64), .len = 8,
+	.key	= "\x88",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x61\xa8\xa2\x44\xad\xac\xcc\xf0",
+};
+
+/**
+ * RC2 key length 7 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_5 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(7, 64), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x6c\xcf\x43\x08\x97\x4c\x26\x7f",
+};
+
+/**
+ * RC2 key length 16 bytes, effective key length 64 bits
+ */
+crypter_test_vector_t rc2_6 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(16, 64), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f\x0f\x79\xc3\x84\x62\x7b\xaf\xb2",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x1a\x80\x7d\x27\x2b\xbe\x5d\xb1",
+};
+
+/**
+ * RC2 key length 16 bytes, effective key length 128 bits
+ */
+crypter_test_vector_t rc2_7 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(16, 128), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f\x0f\x79\xc3\x84\x62\x7b\xaf\xb2",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x22\x69\x55\x2a\xb0\xf8\x5c\xa6",
+};
+
+/**
+ * RC2 key length 33 bytes, effective key length 129 bits
+ */
+crypter_test_vector_t rc2_8 = {
+	.alg = ENCR_RC2_CBC, .key_size = RC2_KEY_SIZE(33, 129), .len = 8,
+	.key	= "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f\x0f\x79\xc3\x84\x62\x7b\xaf\xb2"
+			  "\x16\xf8\x0a\x6f\x85\x92\x05\x84\xc4\x2f\xce\xb0\xbe\x25\x5d\xaf\x1e",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.cipher	= "\x5b\x78\xd3\xa4\x3d\xff\xf1\xf1",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
index 18e0c9278..3316c364d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
@@ -15,7 +15,7 @@
 
 #include <crypto/crypto_tester.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * Monobit test
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c
index 51f22716e..669adf8c6 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha1.c
@@ -49,3 +49,9 @@ hasher_test_vector_t sha1_3 = {
 			  "\x2b\xad\x27\xb3"
 };
 
+hasher_test_vector_t sha1_4 = {
+	.alg = HASH_SHA1, .len = 62,
+	.data	= "12345678901234567890123456789012345678901234567890123456789012",
+	.hash	= "\xd8\xd0\x73\xb3\x83\x15\x66\x17\xc5\xca\xdf\x17\xf6\x15\x96\xa3"
+			  "\x84\x0a\xfd\x8b"
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 4a8743289..cd0a12a5c 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -110,6 +110,17 @@ METHOD(plugin_t, get_name, char*,
 	return "test-vectors";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_test_vectors_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_NOOP,
+			PLUGIN_PROVIDE(CUSTOM, "test-vectors"),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
 	private_test_vectors_plugin_t *this)
 {
@@ -128,7 +139,7 @@ plugin_t *test_vectors_plugin_create()
 		.public = {
 			.plugin = {
 				.get_name = _get_name,
-				.reload = (void*)return_false,
+				.get_features = _get_features,
 				.destroy = _destroy,
 			},
 		},
diff --git a/src/libstrongswan/plugins/unbound/Makefile.am b/src/libstrongswan/plugins/unbound/Makefile.am
new file mode 100644
index 000000000..64a5cc7e1
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/Makefile.am
@@ -0,0 +1,21 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+AM_CFLAGS = \
+	-rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-unbound.la
+else
+plugin_LTLIBRARIES = libstrongswan-unbound.la
+endif
+
+libstrongswan_unbound_la_SOURCES = \
+	unbound_plugin.h unbound_plugin.c \
+	unbound_resolver.c unbound_resolver.h \
+	unbound_rr.h unbound_rr.c \
+	unbound_response.h unbound_response.c
+
+libstrongswan_unbound_la_LDFLAGS = -module -avoid-version
+libstrongswan_unbound_la_LIBADD  = -lunbound -lldns
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
new file mode 100644
index 000000000..868d2998c
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -0,0 +1,691 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/unbound
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_unbound_la_DEPENDENCIES =
+am_libstrongswan_unbound_la_OBJECTS = unbound_plugin.lo \
+	unbound_resolver.lo unbound_rr.lo unbound_response.lo
+libstrongswan_unbound_la_OBJECTS =  \
+	$(am_libstrongswan_unbound_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_unbound_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unbound_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_unbound_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_unbound_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(libstrongswan_unbound_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_unbound_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+AM_CFLAGS = \
+	-rdynamic
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unbound.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unbound.la
+libstrongswan_unbound_la_SOURCES = \
+	unbound_plugin.h unbound_plugin.c \
+	unbound_resolver.c unbound_resolver.h \
+	unbound_rr.h unbound_rr.c \
+	unbound_response.h unbound_response.c
+
+libstrongswan_unbound_la_LDFLAGS = -module -avoid-version
+libstrongswan_unbound_la_LIBADD = -lunbound -lldns
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/unbound/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/unbound/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-unbound.la: $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_DEPENDENCIES) $(EXTRA_libstrongswan_unbound_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_unbound_la_LINK) $(am_libstrongswan_unbound_la_rpath) $(libstrongswan_unbound_la_OBJECTS) $(libstrongswan_unbound_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_resolver.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_response.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unbound_rr.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/unbound/unbound_plugin.c b/src/libstrongswan/plugins/unbound/unbound_plugin.c
new file mode 100644
index 000000000..f727cdaae
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_plugin.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "unbound_plugin.h"
+
+#include <library.h>
+#include "unbound_resolver.h"
+
+typedef struct private_unbound_plugin_t private_unbound_plugin_t;
+
+/**
+ * private data of unbound_plugin
+ */
+struct private_unbound_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	unbound_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_unbound_plugin_t *this)
+{
+	return "unbound";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_unbound_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(RESOLVER, unbound_resolver_create),
+			PLUGIN_PROVIDE(RESOLVER),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_unbound_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *unbound_plugin_create()
+{
+	private_unbound_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/unbound/unbound_plugin.h b/src/libstrongswan/plugins/unbound/unbound_plugin.h
new file mode 100644
index 000000000..1f0d36454
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_p unbound
+ * @ingroup plugins
+ *
+ * @defgroup unbound_plugin unbound_plugin
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef unbound_PLUGIN_H_
+#define unbound_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct unbound_plugin_t unbound_plugin_t;
+
+/**
+ * Plugin implementing the resolver interface using the libunbound DNS library.
+ */
+struct unbound_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** unbound_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.c b/src/libstrongswan/plugins/unbound/unbound_resolver.c
new file mode 100644
index 000000000..44a2c764b
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_resolver.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unbound.h>
+#include <errno.h>
+#include <ldns/ldns.h>
+#include <string.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include "unbound_resolver.h"
+#include "unbound_response.h"
+
+/* DNS resolver configuration and DNSSEC trust anchors */
+#define RESOLV_CONF_FILE	"/etc/resolv.conf"
+#define TRUST_ANCHOR_FILE	IPSEC_CONFDIR "/ipsec.d/dnssec.keys"
+
+typedef struct private_resolver_t private_resolver_t;
+
+/**
+ * private data of a unbound_resolver_t object.
+ */
+struct private_resolver_t {
+
+	/**
+	 * Public data
+	 */
+	resolver_t public;
+
+	/**
+	 * private unbound resolver handle (unbound context)
+	 */
+	struct ub_ctx *ctx;
+};
+
+/**
+ * query method implementation
+ */
+METHOD(resolver_t, query, resolver_response_t*,
+	private_resolver_t *this, char *domain, rr_class_t rr_class,
+	rr_type_t rr_type)
+{
+	unbound_response_t *response = NULL;
+	struct ub_result *result = NULL;
+	int ub_retval;
+
+	ub_retval = ub_resolve(this->ctx, domain, rr_type, rr_class, &result);
+	if (ub_retval)
+	{
+		DBG1(DBG_LIB, "unbound resolver error: %s", ub_strerror(ub_retval));
+		ub_resolve_free(result);
+		return NULL;
+	}
+
+	response = unbound_response_create_frm_libub_response(result);
+	if (!response)
+	{
+		DBG1(DBG_LIB, "unbound resolver failed to create response");
+		ub_resolve_free(result);
+		return NULL;
+	}
+	ub_resolve_free(result);
+
+	return (resolver_response_t*)response;
+}
+
+/**
+ * destroy method implementation
+ */
+METHOD(resolver_t, destroy, void,
+	private_resolver_t *this)
+{
+	ub_ctx_delete(this->ctx);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+resolver_t *unbound_resolver_create(void)
+{
+	private_resolver_t *this;
+	int ub_retval = 0;
+	char *resolv_conf_file;
+	char *trust_anchor_file;
+
+	resolv_conf_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.unbound.resolv_conf",
+						RESOLV_CONF_FILE);
+
+	trust_anchor_file = lib->settings->get_str(lib->settings,
+						"libstrongswan.plugins.unbound.trust_anchors",
+						TRUST_ANCHOR_FILE);
+
+	INIT(this,
+		.public = {
+			.query = _query,
+			.destroy = _destroy,
+		},
+	);
+
+	this->ctx = ub_ctx_create();
+	if (!this->ctx)
+	{
+		DBG1(DBG_LIB, "failed to create unbound resolver context");
+		destroy(this);
+		return NULL;
+	}
+
+	DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
+	ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
+	if (ub_retval)
+	{
+		DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
+					   ub_strerror(ub_retval), strerror(errno));
+		destroy(this);
+		return NULL;
+	}
+
+	DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
+	ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
+	if (ub_retval)
+	{
+		DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
+					   ub_strerror(ub_retval), strerror(errno));
+	}
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.h b/src/libstrongswan/plugins/unbound/unbound_resolver.h
new file mode 100644
index 000000000..818a717b8
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_resolver.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_resolver unbound_resolver
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef unbound_RESOLVER_H_
+#define unbound_RESOLVER_H_
+
+/**
+ * Create a resolver_t instance.
+ */
+resolver_t *unbound_resolver_create(void);
+
+#endif /** LIBunbound_RESOLVER_H_ @}*/
diff --git a/src/libstrongswan/plugins/unbound/unbound_response.c b/src/libstrongswan/plugins/unbound/unbound_response.c
new file mode 100644
index 000000000..6f6c25e89
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_response.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <resolver/resolver_response.h>
+#include <resolver/rr.h>
+#include "unbound_rr.h"
+#include "unbound_response.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <unbound.h>
+#include <ldns/ldns.h>
+
+typedef struct private_unbound_response_t private_unbound_response_t;
+
+/**
+ * private data of an unbound_response_t object.
+ */
+struct private_unbound_response_t {
+
+	/**
+	 * Public data
+	 */
+	unbound_response_t public;
+
+	/**
+	 * Original question string
+	 */
+	char* query_name;
+
+	/**
+	 * Canonical name of the response
+	 */
+	char* canon_name;
+
+	/**
+	 * Are the some RRs in the RRset of this response?
+	 */
+	bool has_data;
+
+	/*
+	 * Does the queried name exist?
+	 */
+	bool query_name_exist;
+
+	/**
+	 * DNSSEC security state
+	 */
+	dnssec_status_t security_state;
+
+	/**
+	 * RRset
+	 */
+	rr_set_t *rr_set;
+};
+
+METHOD(resolver_response_t, get_query_name, char*,
+	private_unbound_response_t *this)
+{
+	return this->query_name;
+}
+
+METHOD(resolver_response_t, get_canon_name, char*,
+	private_unbound_response_t *this)
+{
+	return this->canon_name;
+}
+
+METHOD(resolver_response_t, has_data, bool,
+	private_unbound_response_t *this)
+{
+	return this->has_data;
+}
+
+METHOD(resolver_response_t, query_name_exist, bool,
+	private_unbound_response_t *this)
+{
+	return this->query_name_exist;
+}
+
+METHOD(resolver_response_t, get_security_state, dnssec_status_t,
+	private_unbound_response_t *this)
+{
+	return this->security_state;
+}
+
+METHOD(resolver_response_t, get_rr_set, rr_set_t*,
+	private_unbound_response_t *this)
+{
+	return this->rr_set;
+}
+
+METHOD(resolver_response_t, destroy, void,
+	private_unbound_response_t *this)
+{
+	free(this->query_name);
+	free(this->canon_name);
+	DESTROY_IF(this->rr_set);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+unbound_response_t *unbound_response_create_frm_libub_response(
+											struct ub_result *libub_response)
+{
+	private_unbound_response_t *this = NULL;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_query_name = _get_query_name,
+				.get_canon_name = _get_canon_name,
+				.has_data = _has_data,
+				.query_name_exist = _query_name_exist,
+				.get_security_state = _get_security_state,
+				.get_rr_set = _get_rr_set,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	this->query_name = strdup(libub_response->qname);
+
+	if (libub_response->canonname)
+	{
+		this->canon_name = strdup(libub_response->canonname);
+	}
+
+	this->has_data = libub_response->havedata;
+
+	this->query_name_exist = !(libub_response->nxdomain);
+
+	if (libub_response->secure)
+	{
+		this->security_state = SECURE;
+	}
+	else if (libub_response->bogus)
+	{
+		this->security_state = BOGUS;
+	}
+	else
+	{
+		this->security_state = INDETERMINATE;
+	}
+
+	/**
+	* Create RRset
+	*/
+	if (this->query_name_exist && this->has_data)
+	{
+		ldns_pkt *dns_pkt = NULL;
+		ldns_rr_list *orig_rr_list = NULL;
+		size_t orig_rr_count;
+		ldns_rr *orig_rr = NULL;
+		ldns_rdf *orig_rdf = NULL;
+		ldns_status status;
+		linked_list_t *rr_list = NULL, *rrsig_list = NULL;
+		unbound_rr_t *rr = NULL;
+		int i;
+
+		/**Parse the received DNS packet using the ldns library */
+		status = ldns_wire2pkt(&dns_pkt, libub_response->answer_packet,
+							   libub_response->answer_len);
+
+		if (status != LDNS_STATUS_OK)
+		{
+			DBG1(DBG_LIB, "failed to parse DNS packet");
+			destroy(this);
+			return NULL;
+		}
+
+		/* Create a list with the queried RRs. If there are corresponding RRSIGs
+		 * create also a list with these.
+		 */
+		rr_list = linked_list_create();
+
+		orig_rr_list = ldns_pkt_get_section_clone(dns_pkt, LDNS_SECTION_ANSWER);
+		orig_rr_count = ldns_rr_list_rr_count(orig_rr_list);
+
+		for (i = 0; i < orig_rr_count; i++)
+		{
+			orig_rr = ldns_rr_list_rr(orig_rr_list, i);
+
+			if (ldns_rr_get_type(orig_rr) == libub_response->qtype &&
+				ldns_rr_get_class(orig_rr) == libub_response->qclass)
+			{
+				/* RR is part of the queried RRset.
+				 * => add it to the list of Resource Records.
+				 */
+				rr = unbound_rr_create_frm_ldns_rr(orig_rr);
+				if (rr)
+				{
+					rr_list->insert_last(rr_list, rr);
+				}
+				else
+				{
+					DBG1(DBG_LIB, "failed to create RR");
+				}
+			}
+
+			if (ldns_rr_get_type(orig_rr) == LDNS_RR_TYPE_RRSIG)
+			{
+				orig_rdf = ldns_rr_rrsig_typecovered(orig_rr);
+				if (!orig_rdf)
+				{
+					DBG1(DBG_LIB, "failed to get the type covered by an RRSIG");
+				}
+				else if (ldns_rdf2native_int16(orig_rdf) == libub_response->qtype)
+				{
+					/* The current RR represent a signature (RRSIG)
+					 * which belongs to the queried RRset.
+					 * => add it to the list of signatures.
+					 */
+					rr = unbound_rr_create_frm_ldns_rr(orig_rr);
+					if (rr)
+					{
+						if (!rrsig_list)
+						{
+							rrsig_list = linked_list_create();
+						}
+						rrsig_list->insert_last(rrsig_list, rr);
+					}
+					else
+					{
+						DBG1(DBG_LIB, "failed to create RRSIG");
+					}
+				}
+				else
+				{
+					DBG1(DBG_LIB, "failed to determine the RR type "
+								  "covered by RRSIG RR");
+				}
+			}
+		}
+		/**
+		 * Create the RRset for which the query was performed.
+		 */
+		this->rr_set = rr_set_create(rr_list, rrsig_list);
+
+		ldns_pkt_free(dns_pkt);
+		ldns_rr_list_free(orig_rr_list);
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/unbound/unbound_response.h b/src/libstrongswan/plugins/unbound/unbound_response.h
new file mode 100644
index 000000000..c82f39d45
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_response.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_response unbound_response
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef UNBOUND_RESPONSE_H_
+#define UNBOUND_RESPONSE_H_
+
+#include <resolver/resolver_response.h>
+#include <unbound.h>
+
+typedef struct unbound_response_t unbound_response_t;
+
+/**
+ * Implementation of the resolver_response interface using libunbound.
+ *
+ */
+struct unbound_response_t {
+
+	/**
+	 * Implements the resolver_response interface
+	 */
+	resolver_response_t interface;
+};
+
+/**
+ * Create an unbound_response instance from a response of the unbound library.
+ *
+ * @param	response	a response of the unbound library
+ * @return				an unbound_response conforming to the resolver_response
+ * 						interface, or NULL on failure
+ */
+unbound_response_t *unbound_response_create_frm_libub_response(
+													struct ub_result *response);
+
+#endif /** UNBOUND_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/plugins/unbound/unbound_rr.c b/src/libstrongswan/plugins/unbound/unbound_rr.c
new file mode 100644
index 000000000..97c3b1933
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_rr.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <resolver/rr.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "unbound_rr.h"
+
+typedef struct private_unbound_rr_t private_unbound_rr_t;
+
+/**
+ * private data of an unbound_rr_t object.
+ */
+struct private_unbound_rr_t {
+
+	/**
+	 * Public data
+	 */
+	unbound_rr_t public;
+
+	/**
+	 * Owner name
+	 */
+	char* name;
+
+	/**
+	 * Type
+	 */
+	rr_type_t type;
+
+	/**
+	 * Class
+	 */
+	rr_class_t class;
+
+	/**
+	 * TTL
+	 */
+	uint32_t ttl;
+
+	/**
+	 * Size of the rdata field in octets
+	 */
+	uint16_t size;
+
+	/**
+	 * RDATA field (array of bytes in network order)
+	 */
+	u_char *rdata;
+};
+
+METHOD(rr_t, get_name, char *,
+	private_unbound_rr_t *this)
+{
+	return this->name;
+}
+
+METHOD(rr_t, get_type, rr_type_t,
+	private_unbound_rr_t *this)
+{
+	return this->type;
+}
+
+METHOD(rr_t, get_class, rr_class_t,
+	private_unbound_rr_t *this)
+{
+	return this->class;
+}
+
+METHOD(rr_t, get_ttl, uint32_t,
+	private_unbound_rr_t *this)
+{
+	return this->ttl;
+}
+
+METHOD(rr_t, get_rdata, chunk_t,
+	private_unbound_rr_t *this)
+{
+	return chunk_create(this->rdata, this->size);
+}
+
+METHOD(rr_t, destroy, void,
+	private_unbound_rr_t *this)
+{
+	free(this->name);
+	free(this->rdata);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+unbound_rr_t *unbound_rr_create_frm_ldns_rr(ldns_rr *rr)
+{
+	private_unbound_rr_t *this;
+	ldns_status status;
+	ldns_buffer *buf;
+	int i;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_name = _get_name,
+				.get_type = _get_type,
+				.get_class = _get_class,
+				.get_ttl = _get_ttl,
+				.get_rdata = _get_rdata,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	this->name = ldns_rdf2str(ldns_rr_owner(rr));
+	if (!this->name)
+	{
+		DBG1(DBG_LIB, "failed to parse the owner name of a DNS RR");
+		_destroy(this);
+		return NULL;
+	}
+
+	this->type = ldns_rr_get_type(rr);
+	this->class = ldns_rr_get_class(rr);
+	this->ttl = ldns_rr_ttl(rr);
+	for(i = 0; i < ldns_rr_rd_count(rr); i++)
+	{
+		this->size += ldns_rdf_size(ldns_rr_rdf(rr, i));
+	}
+
+	/**
+	 * The ldns library splits the RDATA field of a RR in various rdf.
+	 * Here we reassemble these rdf to get the RDATA field of the RR.
+	 */
+	buf = ldns_buffer_new(LDNS_MIN_BUFLEN);
+	/* The buffer will be resized automatically by ldns_rr_rdata2buffer_wire() */
+	status = ldns_rr_rdata2buffer_wire(buf, rr);
+
+	if (status != LDNS_STATUS_OK)
+	{
+		DBG1(DBG_LIB, "failed to get the RDATA field of a DNS RR");
+		_destroy(this);
+		return NULL;
+	}
+
+	this->rdata = ldns_buffer_export(buf);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/unbound/unbound_rr.h b/src/libstrongswan/plugins/unbound/unbound_rr.h
new file mode 100644
index 000000000..d7c114f86
--- /dev/null
+++ b/src/libstrongswan/plugins/unbound/unbound_rr.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_rr unbound_rr
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef UNBOUND_RR_H_
+#define UNBOUND_RR_H_
+
+#include <resolver/rr.h>
+#include <ldns/ldns.h>
+
+typedef struct unbound_rr_t unbound_rr_t;
+
+/**
+ * Implementation of the Resource Record interface using libunbound and libldns.
+ */
+struct unbound_rr_t {
+
+	/**
+	 * Implements the Resource Record interface
+	 */
+	rr_t interface;
+};
+
+/**
+ * Create an unbound_rr instance from a Resource Record given by
+ * a ldns_struct_rr from the ldns library.
+ *
+ * @return		Resource Record, NULL on error
+ */
+unbound_rr_t *unbound_rr_create_frm_ldns_rr(ldns_rr *rr);
+
+#endif /** UNBOUND_RR_H_ @}*/
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
index 4b50d78dc..b464d1483 100644
--- a/src/libstrongswan/plugins/x509/Makefile.am
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-x509.la
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 8c05cb22d..99566c450 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_x509_la_LIBADD =
@@ -79,47 +103,76 @@ am_libstrongswan_x509_la_OBJECTS = x509_plugin.lo x509_cert.lo \
 	x509_crl.lo x509_ac.lo x509_pkcs10.lo x509_ocsp_request.lo \
 	x509_ocsp_response.lo
 libstrongswan_x509_la_OBJECTS = $(am_libstrongswan_x509_la_OBJECTS)
-libstrongswan_x509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_x509_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_x509_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_x509_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_x509_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_x509_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_x509_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_x509_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -147,6 +203,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -174,11 +231,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -194,8 +254,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -204,14 +262,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -225,17 +288,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -282,8 +344,12 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-x509.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-x509.la
 libstrongswan_x509_la_SOURCES = \
@@ -341,7 +407,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -349,6 +414,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -370,8 +437,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) 
-	$(libstrongswan_x509_la_LINK) $(am_libstrongswan_x509_la_rpath) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
+libstrongswan-x509.la: $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_DEPENDENCIES) $(EXTRA_libstrongswan_x509_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_x509_la_LINK) $(am_libstrongswan_x509_la_rpath) $(libstrongswan_x509_la_OBJECTS) $(libstrongswan_x509_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -388,25 +455,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509_plugin.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -513,10 +580,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index a2cb589e0..7d83e48ea 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -22,12 +22,12 @@
 #include <time.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/ietf_attributes/ietf_attributes.h>
 #include <credentials/keys/private_key.h>
@@ -701,7 +701,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ac_t *this, certificate_t *issuer)
+	private_x509_ac_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -750,6 +750,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->certificateInfo, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 4859f4310..85c481552 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -29,13 +29,13 @@
 #include <stdio.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <crypto/hashers/hasher.h>
 #include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <selectors/traffic_selector.h>
 
@@ -752,6 +752,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
 				case OID_CLIENT_AUTH:
 					this->flags |= X509_CLIENT_AUTH;
 					break;
+				case OID_IKE_INTERMEDIATE:
+					this->flags |= X509_IKE_INTERMEDIATE;
+					break;
 				case OID_OCSP_SIGNING:
 					this->flags |= X509_OCSP_SIGNER;
 					break;
@@ -1105,19 +1108,19 @@ static void parse_policyConstraints(chunk_t blob, int level0,
  * ASN.1 definition of ipAddrBlocks according to RFC 3779
  */
 static const asn1Object_t ipAddrBlocksObjects[] = {
-	{ 0, "ipAddrBlocks",	        ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
+	{ 0, "ipAddrBlocks",			ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
 	{ 1,   "ipAddressFamily",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  1 */
-	{ 2,     "addressFamily",	    ASN1_OCTET_STRING,	ASN1_BODY			}, /*  2 */
-	{ 2,     "inherit",             ASN1_NULL,          ASN1_OPT|ASN1_NONE  }, /*  3 */
-	{ 2,     "end choice",          ASN1_EOC,           ASN1_END            }, /*  4 */
-	{ 2,     "addressesOrRanges",	ASN1_SEQUENCE,	    ASN1_OPT|ASN1_LOOP	}, /*  5 */
-	{ 3,       "addressPrefix",	    ASN1_BIT_STRING,	ASN1_OPT|ASN1_BODY  }, /*  6 */
-	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /*  7 */
-	{ 3,       "addressRange",      ASN1_SEQUENCE,      ASN1_OPT|ASN1_NONE  }, /*  8 */
-	{ 4,         "min",             ASN1_BIT_STRING,    ASN1_BODY           }, /*  9 */
-	{ 4,         "max",             ASN1_BIT_STRING,    ASN1_BODY           }, /* 10 */
-	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /* 11 */
-	{ 2,     "end opt/loop",        ASN1_EOC,           ASN1_END            }, /* 12 */
+	{ 2,     "addressFamily",		ASN1_OCTET_STRING,	ASN1_BODY			}, /*  2 */
+	{ 2,     "inherit",				ASN1_NULL,			ASN1_OPT|ASN1_NONE	}, /*  3 */
+	{ 2,     "end choice",			ASN1_EOC,			ASN1_END			}, /*  4 */
+	{ 2,     "addressesOrRanges",	ASN1_SEQUENCE,		ASN1_OPT|ASN1_LOOP	}, /*  5 */
+	{ 3,       "addressPrefix",		ASN1_BIT_STRING,	ASN1_OPT|ASN1_BODY  }, /*  6 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  7 */
+	{ 3,       "addressRange",		ASN1_SEQUENCE,		ASN1_OPT|ASN1_NONE	}, /*  8 */
+	{ 4,         "min",				ASN1_BIT_STRING,	ASN1_BODY			}, /*  9 */
+	{ 4,         "max",				ASN1_BIT_STRING,	ASN1_BODY			}, /* 10 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /* 11 */
+	{ 2,     "end opt/loop",		ASN1_EOC,			ASN1_END			}, /* 12 */
 	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 13 */
 	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
 };
@@ -1480,18 +1483,20 @@ end:
 		/* check if the certificate is self-signed */
 		if (this->public.interface.interface.issued_by(
 											&this->public.interface.interface,
-											&this->public.interface.interface))
+											&this->public.interface.interface,
+											NULL))
 		{
 			this->flags |= X509_SELF_SIGNED;
 		}
 		/* create certificate hash */
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-		if (hasher == NULL)
+		if (!hasher ||
+			!hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash))
 		{
+			DESTROY_IF(hasher);
 			DBG1(DBG_ASN, "  unable to create hash of certificate, SHA1 not supported");
 			return FALSE;
 		}
-		hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
 		hasher->destroy(hasher);
 	}
 	return success;
@@ -1542,6 +1547,10 @@ METHOD(certificate_t, has_subject, id_match_t,
 		{
 			return ID_MATCH_PERFECT;
 		}
+		if (chunk_equals(this->serialNumber, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
 	}
 	best = this->subject->matches(this->subject, subject);
 	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
@@ -1565,7 +1574,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_cert_t *this, certificate_t *issuer)
+	private_x509_cert_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -1609,6 +1619,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
@@ -1994,6 +2008,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
+	chunk_t ikeIntermediate = chunk_empty;
 	identification_t *issuer, *subject;
 	chunk_t key_info;
 	signature_scheme_t scheme;
@@ -2107,7 +2122,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 							asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
 	}
 
-	/* add serverAuth extendedKeyUsage flag */
+	/* add extendedKeyUsage flags */
 	if (cert->flags & X509_SERVER_AUTH)
 	{
 		serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
@@ -2116,20 +2131,24 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	{
 		clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
 	}
-
-	/* add ocspSigning extendedKeyUsage flag */
+	if (cert->flags & X509_IKE_INTERMEDIATE)
+	{
+		ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
+	}
 	if (cert->flags & X509_OCSP_SIGNER)
 	{
 		ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
 	}
 
-	if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
+	if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
+		ocspSigning.ptr)
 	{
 		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 								asn1_wrap(ASN1_OCTET_STRING, "m",
-									asn1_wrap(ASN1_SEQUENCE, "mmm",
-										serverAuth, clientAuth, ocspSigning)));
+									asn1_wrap(ASN1_SEQUENCE, "mmmm",
+										serverAuth, clientAuth, ikeIntermediate,
+										ocspSigning)));
 	}
 
 	/* add subjectKeyIdentifier to CA and OCSP signer certificates */
@@ -2330,11 +2349,12 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 							   asn1_bitstring("c", cert->signature));
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
+	if (!hasher ||
+		!hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash))
 	{
+		DESTROY_IF(hasher);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
 	hasher->destroy(hasher);
 	return TRUE;
 }
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 7bcca16a3..efb70c94c 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -20,14 +20,14 @@ typedef struct revoked_t revoked_t;
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 /**
  * entry for a revoked certificate
@@ -221,7 +221,7 @@ static bool parse(private_x509_crl_t *this)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
-	chunk_t extnID;
+	chunk_t extnID = chunk_empty;
 	chunk_t userCertificate = chunk_empty;
 	int objectID;
 	int sig_alg = OID_UNKNOWN;
@@ -320,6 +320,9 @@ static bool parse(private_x509_crl_t *this)
 						}
 						this->baseCrlNumber = object;
 						break;
+					case OID_ISSUING_DIST_POINT:
+						/* TODO support of IssuingDistributionPoints */
+						break;
 					default:
 						if (critical && lib->settings->get_bool(lib->settings,
 							"libstrongswan.x509.enforce_critical", TRUE))
@@ -442,7 +445,7 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_crl_t *this, certificate_t *issuer)
+	private_x509_crl_t *this, certificate_t *issuer, signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -490,6 +493,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsCertList, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 33d0aa792..09c5a8539 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -21,8 +21,8 @@
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/keys/private_key.h>
 
@@ -159,22 +159,24 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
 				enumerator_t *enumerator;
 
 				issuer = cert->get_subject(cert);
-				hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
-									  &issuerNameHash);
-				hasher->destroy(hasher);
-
-				enumerator = this->candidates->create_enumerator(this->candidates);
-				while (enumerator->enumerate(enumerator, &x509))
+				if (hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
+										  &issuerNameHash))
 				{
-					chunk_t request, serialNumber;
-
-					serialNumber = x509->get_serial(x509);
-					request = build_Request(this, issuerNameHash, issuerKeyHash,
-											serialNumber);
-					list = chunk_cat("mm", list, request);
+					enumerator = this->candidates->create_enumerator(
+															this->candidates);
+					while (enumerator->enumerate(enumerator, &x509))
+					{
+						chunk_t request, serialNumber;
+
+						serialNumber = x509->get_serial(x509);
+						request = build_Request(this, issuerNameHash,
+												issuerKeyHash, serialNumber);
+						list = chunk_cat("mm", list, request);
+					}
+					enumerator->destroy(enumerator);
+					chunk_free(&issuerNameHash);
 				}
-				enumerator->destroy(enumerator);
-				chunk_free(&issuerNameHash);
+				hasher->destroy(hasher);
 			}
 		}
 		else
@@ -199,15 +201,15 @@ static chunk_t build_nonce(private_x509_ocsp_request_t *this)
 	rng_t *rng;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (rng)
+	if (!rng || !rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
 	{
-		rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
-		rng->destroy(rng);
-		return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
-					asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
+		DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
+		DESTROY_IF(rng);
+		return chunk_empty;
 	}
-	DBG1(DBG_LIB, "creating OCSP request nonce failed, no RNG found");
-	return chunk_empty;
+	rng->destroy(rng);
+	return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
+				asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
 }
 
 /**
@@ -364,7 +366,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ocsp_request_t *this, certificate_t *issuer)
+	private_x509_ocsp_request_t *this, certificate_t *issuer,
+	signature_scheme_t *scheme)
 {
 	DBG1(DBG_LIB, "OCSP request validation not implemented!");
 	return FALSE;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 7dfef3993..1f8929958 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -23,8 +23,8 @@
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <debug.h>
+#include <collections/linked_list.h>
+#include <utils/debug.h>
 
 #include <library.h>
 #include <credentials/certificates/x509.h>
@@ -201,19 +201,22 @@ METHOD(ocsp_response_t, get_status, cert_validation_t,
 		/* check issuerNameHash, if available */
 		else if (response->issuerNameHash.ptr)
 		{
+			id = issuercert->get_subject(issuercert);
 			hasher = lib->crypto->create_hasher(lib->crypto,
 							hasher_algorithm_from_oid(response->hashAlgorithm));
-			if (!hasher)
+			if (!hasher ||
+				!hasher->allocate_hash(hasher, id->get_encoding(id), &hash))
 			{
+				DESTROY_IF(hasher);
 				continue;
 			}
-			id = issuercert->get_subject(issuercert);
-			hasher->allocate_hash(hasher, id->get_encoding(id), &hash);
 			hasher->destroy(hasher);
 			if (!chunk_equals(hash, response->issuerNameHash))
 			{
+				free(hash.ptr);
 				continue;
 			}
+			free(hash.ptr);
 		}
 		else
 		{
@@ -670,7 +673,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_ocsp_response_t *this, certificate_t *issuer)
+	private_x509_ocsp_response_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -722,6 +726,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsResponseData, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index ca08db2c6..024b4dba5 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -18,12 +18,12 @@
 #include "x509_pkcs10.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <credentials/keys/private_key.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 
 typedef struct private_x509_pkcs10_t private_x509_pkcs10_t;
@@ -123,10 +123,12 @@ METHOD(certificate_t, has_subject, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_pkcs10_t *this, certificate_t *issuer)
+	private_x509_pkcs10_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
+	bool valid;
 
 	if (&this->public.interface.interface != issuer)
 	{
@@ -150,8 +152,13 @@ METHOD(certificate_t, issued_by, bool,
 	{
 		return FALSE;
 	}
-	return key->verify(key, scheme, this->certificationRequestInfo,
-									this->signature);
+	valid = key->verify(key, scheme, this->certificationRequestInfo,
+						this->signature);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
+	return valid;
 }
 
 METHOD(certificate_t, get_public_key, public_key_t*,
@@ -327,7 +334,7 @@ static bool parse_challengePassword(private_x509_pkcs10_t *this, chunk_t blob, i
 		return FALSE;
 	}
 	DBG2(DBG_ASN, "L%d - challengePassword:", level);
-	DBG4(DBG_ASN, "  '%.*s'", blob.len, blob.ptr);
+	DBG4(DBG_ASN, "  '%.*s'", (int)blob.len, blob.ptr);
 	return TRUE;
 }
 
@@ -441,7 +448,7 @@ end:
 	if (success)
 	{
 		/* check if the certificate request is self-signed */
-		if (issued_by(this, &this->public.interface.interface))
+		if (issued_by(this, &this->public.interface.interface, NULL))
 		{
 			this->self_signed = TRUE;
 		}
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index ed6fbfd91..15fea7ee0 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -52,6 +52,9 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(CERT_DECODE, x509_cert_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
 				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 
 		PLUGIN_REGISTER(CERT_ENCODE, x509_ac_gen, FALSE),
 			PLUGIN_PROVIDE(CERT_ENCODE, CERT_X509_AC),
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am
index 7de306832..6e2227206 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.am
+++ b/src/libstrongswan/plugins/xcbc/Makefile.am
@@ -1,7 +1,8 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = \
+	-rdynamic
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-xcbc.la
@@ -10,7 +11,6 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la
 endif
 
 libstrongswan_xcbc_la_SOURCES = \
-	xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
-	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
+	xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c
 
 libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index ae23ce730..e9491e584 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,53 +90,87 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xcbc_la_LIBADD =
-am_libstrongswan_xcbc_la_OBJECTS = xcbc_plugin.lo xcbc.lo xcbc_prf.lo \
-	xcbc_signer.lo
+am_libstrongswan_xcbc_la_OBJECTS = xcbc_plugin.lo xcbc.lo
 libstrongswan_xcbc_la_OBJECTS = $(am_libstrongswan_xcbc_la_OBJECTS)
-libstrongswan_xcbc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_xcbc_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+libstrongswan_xcbc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_xcbc_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
 @MONOLITHIC_FALSE@am_libstrongswan_xcbc_la_rpath = -rpath $(plugindir)
 @MONOLITHIC_TRUE@am_libstrongswan_xcbc_la_rpath =
-DEFAULT_INCLUDES = -I.@am__isrc@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libstrongswan_xcbc_la_SOURCES)
 DIST_SOURCES = $(libstrongswan_xcbc_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -281,13 +342,16 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	-rdynamic
+
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-xcbc.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xcbc.la
 libstrongswan_xcbc_la_SOURCES = \
-	xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
-	xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
+	xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c
 
 libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
 all: all-am
@@ -335,7 +399,6 @@ clean-noinstLTLIBRARIES:
 	done
 install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
 	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -343,6 +406,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
 	}
@@ -364,8 +429,8 @@ clean-pluginLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) 
-	$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
+libstrongswan-xcbc.la: $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_DEPENDENCIES) $(EXTRA_libstrongswan_xcbc_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_xcbc_la_LINK) $(am_libstrongswan_xcbc_la_rpath) $(libstrongswan_xcbc_la_OBJECTS) $(libstrongswan_xcbc_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -375,29 +440,27 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc_prf.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xcbc_signer.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -504,10 +567,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index 53629abe5..802c8a39f 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -17,21 +18,24 @@
 
 #include "xcbc.h"
 
-#include <debug.h>
+#include <utils/debug.h>
+#include <crypto/mac.h>
+#include <crypto/prfs/mac_prf.h>
+#include <crypto/signers/mac_signer.h>
 
-typedef struct private_xcbc_t private_xcbc_t;
+typedef struct private_mac_t private_mac_t;
 
 /**
- * Private data of a xcbc_t object.
+ * Private data of a mac_t object.
  *
  * The variable names are the same as in the RFC.
  */
-struct private_xcbc_t {
+struct private_mac_t {
 
 	/**
-	 * Public xcbc_t interface.
+	 * Public mac_t interface.
 	 */
-	xcbc_t public;
+	mac_t public;
 
 	/**
 	 * Block size, in bytes
@@ -77,7 +81,7 @@ struct private_xcbc_t {
 /**
  * xcbc supplied data, but do not run final operation
  */
-static void update(private_xcbc_t *this, chunk_t data)
+static bool update(private_mac_t *this, chunk_t data)
 {
 	chunk_t iv;
 
@@ -90,7 +94,7 @@ static void update(private_xcbc_t *this, chunk_t data)
 	{	/* no complete block, just copy into remaining */
 		memcpy(this->remaining + this->remaining_bytes, data.ptr, data.len);
 		this->remaining_bytes += data.len;
-		return;
+		return TRUE;
 	}
 
 	iv = chunk_alloca(this->b);
@@ -106,7 +110,10 @@ static void update(private_xcbc_t *this, chunk_t data)
 		   this->b - this->remaining_bytes);
 	data = chunk_skip(data, this->b - this->remaining_bytes);
 	memxor(this->e, this->remaining, this->b);
-	this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
+	if (!this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL))
+	{
+		return FALSE;
+	}
 
 	/* process blocks M[2] ... M[n-1] */
 	while (data.len > this->b)
@@ -114,18 +121,24 @@ static void update(private_xcbc_t *this, chunk_t data)
 		memcpy(this->remaining, data.ptr, this->b);
 		data = chunk_skip(data, this->b);
 		memxor(this->e, this->remaining, this->b);
-		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
+		if (!this->k1->encrypt(this->k1, chunk_create(this->e, this->b),
+							   iv, NULL))
+		{
+			return FALSE;
+		}
 	}
 
 	/* store remaining bytes of block M[n] */
 	memcpy(this->remaining, data.ptr, data.len);
 	this->remaining_bytes = data.len;
+
+	return TRUE;
 }
 
 /**
  * run last round, data is in this->e
  */
-static void final(private_xcbc_t *this, u_int8_t *out)
+static bool final(private_mac_t *this, u_int8_t *out)
 {
 	chunk_t iv;
 
@@ -141,7 +154,6 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k2, this->b);
-		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
 	}
 	else
 	{
@@ -164,7 +176,10 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k3, this->b);
-		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
+	}
+	if (!this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL))
+	{
+		return FALSE;
 	}
 
 	memcpy(out, this->e, this->b);
@@ -173,28 +188,34 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 	memset(this->e, 0, this->b);
 	this->remaining_bytes = 0;
 	this->zero = TRUE;
+
+	return TRUE;
 }
 
-METHOD(xcbc_t, get_mac, void,
-	private_xcbc_t *this, chunk_t data, u_int8_t *out)
+METHOD(mac_t, get_mac, bool,
+	private_mac_t *this, chunk_t data, u_int8_t *out)
 {
 	/* update E, do not process last block */
-	update(this, data);
+	if (!update(this, data))
+	{
+		return FALSE;
+	}
 
 	if (out)
 	{	/* if not in append mode, process last block and output result */
-		final(this, out);
+		return final(this, out);
 	}
+	return TRUE;
 }
 
-METHOD(xcbc_t, get_block_size, size_t,
-	private_xcbc_t *this)
+METHOD(mac_t, get_mac_size, size_t,
+	private_mac_t *this)
 {
 	return this->b;
 }
 
-METHOD(xcbc_t, set_key, void,
-	private_xcbc_t *this, chunk_t key)
+METHOD(mac_t, set_key, bool,
+	private_mac_t *this, chunk_t key)
 {
 	chunk_t iv, k1, lengthened;
 
@@ -213,8 +234,11 @@ METHOD(xcbc_t, set_key, void,
 	{	/* shorten key using xcbc */
 		lengthened = chunk_alloca(this->b);
 		memset(lengthened.ptr, 0, lengthened.len);
-		set_key(this, lengthened);
-		get_mac(this, key, lengthened.ptr);
+		if (!set_key(this, lengthened) ||
+			!get_mac(this, key, lengthened.ptr))
+		{
+			return FALSE;
+		}
 	}
 
 	k1 = chunk_alloca(this->b);
@@ -228,20 +252,26 @@ METHOD(xcbc_t, set_key, void,
 	 *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
 	 *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
 	 */
-	this->k1->set_key(this->k1, lengthened);
+
+	memset(k1.ptr, 0x01, this->b);
 	memset(this->k2, 0x02, this->b);
-	this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL);
 	memset(this->k3, 0x03, this->b);
-	this->k1->encrypt(this->k1, chunk_create(this->k3, this->b), iv, NULL);
-	memset(k1.ptr, 0x01, this->b);
-	this->k1->encrypt(this->k1, k1, iv, NULL);
-	this->k1->set_key(this->k1, k1);
 
+	if (!this->k1->set_key(this->k1, lengthened) ||
+		!this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL) ||
+		!this->k1->encrypt(this->k1, chunk_create(this->k3, this->b), iv, NULL) ||
+		!this->k1->encrypt(this->k1, k1, iv, NULL) ||
+		!this->k1->set_key(this->k1, k1))
+	{
+		memwipe(k1.ptr, k1.len);
+		return FALSE;
+	}
 	memwipe(k1.ptr, k1.len);
+	return TRUE;
 }
 
-METHOD(xcbc_t, destroy, void,
-	private_xcbc_t *this)
+METHOD(mac_t, destroy, void,
+	private_mac_t *this)
 {
 	this->k1->destroy(this->k1);
 	memwipe(this->k2, this->b);
@@ -256,9 +286,9 @@ METHOD(xcbc_t, destroy, void,
 /*
  * Described in header
  */
-xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
+static mac_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 {
-	private_xcbc_t *this;
+	private_mac_t *this;
 	crypter_t *crypter;
 	u_int8_t b;
 
@@ -278,7 +308,7 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 	INIT(this,
 		.public = {
 			.get_mac = _get_mac,
-			.get_block_size = _get_block_size,
+			.get_mac_size = _get_mac_size,
 			.set_key = _set_key,
 			.destroy = _destroy,
 		},
@@ -295,3 +325,55 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 	return &this->public;
 }
 
+/*
+ * Described in header.
+ */
+prf_t *xcbc_prf_create(pseudo_random_function_t algo)
+{
+	mac_t *xcbc;
+
+	switch (algo)
+	{
+		case PRF_AES128_XCBC:
+			xcbc = xcbc_create(ENCR_AES_CBC, 16);
+			break;
+		case PRF_CAMELLIA128_XCBC:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			break;
+		default:
+			return NULL;
+	}
+	if (xcbc)
+	{
+		return mac_prf_create(xcbc);
+	}
+	return NULL;
+}
+
+/*
+ * Described in header
+ */
+signer_t *xcbc_signer_create(integrity_algorithm_t algo)
+{
+	size_t trunc;
+	mac_t *xcbc;
+
+	switch (algo)
+	{
+		case AUTH_AES_XCBC_96:
+			xcbc = xcbc_create(ENCR_AES_CBC, 16);
+			trunc = 12;
+			break;
+		case AUTH_CAMELLIA_XCBC_96:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			trunc = 12;
+			break;
+		default:
+			return NULL;
+	}
+	if (xcbc)
+	{
+		return mac_signer_create(xcbc, trunc);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.h b/src/libstrongswan/plugins/xcbc/xcbc.h
index 5d5eb04fb..a36069a17 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc.h
@@ -14,6 +14,11 @@
  */
 
 /**
+ * Message authentication using CBC crypter.
+ *
+ * This class implements the message authentication algorithm
+ * described in RFC3566.
+ *
  * @defgroup xcbc xcbc
  * @{ @ingroup xcbc_p
  */
@@ -21,58 +26,23 @@
 #ifndef XCBC_H_
 #define XCBC_H_
 
-typedef struct xcbc_t xcbc_t;
-
-#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/signers/signer.h>
 
 /**
- * Message authentication using CBC crypter.
+ * Creates a new prf_t object based on a XCBC MAC.
  *
- * This class implements the message authentication algorithm
- * described in RFC3566.
+ * @param algo		algorithm to implement
+ * @return			prf_t object, NULL if not supported
  */
-struct xcbc_t {
-
-	/**
-	 * Generate message authentication code.
-	 *
-	 * If buffer is NULL, no result is given back. A next call will
-	 * append the data to already supplied data. If buffer is not NULL,
-	 * the mac of all apended data is calculated, returned and the
-	 * state of the xcbc_t is reseted.
-	 *
-	 * @param data		chunk of data to authenticate
-	 * @param buffer	pointer where the generated bytes will be written
-	 */
-	void (*get_mac) (xcbc_t *this, chunk_t data, u_int8_t *buffer);
-
-	/**
-	 * Get the block size of this xcbc_t object.
-	 *
-	 * @return			block size in bytes
-	 */
-	size_t (*get_block_size) (xcbc_t *this);
-
-	/**
-	 * Set the key for this xcbc_t object.
-	 *
-	 * @param key		key to set
-	 */
-	void (*set_key) (xcbc_t *this, chunk_t key);
-
-	/**
-	 * Destroys a xcbc_t object.
-	 */
-	void (*destroy) (xcbc_t *this);
-};
+prf_t *xcbc_prf_create(pseudo_random_function_t algo);
 
 /**
- * Creates a new xcbc_t object.
+ * Creates a new signer_t object based on a XCBC MAC.
  *
- * @param algo			underlying crypto algorithm
- * @param key_size		key size to use, if required for algorithm
- * @return				xcbc_t object, NULL if not supported
+ * @param algo		algorithm to implement
+ * @return			signer_t, NULL if not supported
  */
-xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size);
+signer_t *xcbc_signer_create(integrity_algorithm_t algo);
 
 #endif /** XCBC_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 3c3b9d12a..4706a9574 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -16,8 +16,7 @@
 #include "xcbc_plugin.h"
 
 #include <library.h>
-#include "xcbc_signer.h"
-#include "xcbc_prf.h"
+#include "xcbc.h"
 
 typedef struct private_xcbc_plugin_t private_xcbc_plugin_t;
 
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
deleted file mode 100644
index ac9e1fda0..000000000
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "xcbc_prf.h"
-
-#include "xcbc.h"
-
-typedef struct private_xcbc_prf_t private_xcbc_prf_t;
-
-/**
- * Private data of a xcbc_prf_t object.
- */
-struct private_xcbc_prf_t {
-
-	/**
-	 * Public xcbc_prf_t interface.
-	 */
-	xcbc_prf_t public;
-
-	/**
-	 * xcbc to use for generation.
-	 */
-	xcbc_t *xcbc;
-};
-
-METHOD(prf_t, get_bytes, void,
-	private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
-{
-	this->xcbc->get_mac(this->xcbc, seed, buffer);
-}
-
-METHOD(prf_t, allocate_bytes, void,
-	private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
-{
-	if (chunk)
-	{
-		*chunk = chunk_alloc(this->xcbc->get_block_size(this->xcbc));
-		get_bytes(this, seed, chunk->ptr);
-	}
-	else
-	{
-		get_bytes(this, seed, NULL);
-	}
-}
-
-METHOD(prf_t, get_block_size, size_t,
-	private_xcbc_prf_t *this)
-{
-	return this->xcbc->get_block_size(this->xcbc);
-}
-
-METHOD(prf_t, get_key_size, size_t,
-	private_xcbc_prf_t *this)
-{
-	/* in xcbc, block and key size are always equal */
-	return this->xcbc->get_block_size(this->xcbc);
-}
-
-METHOD(prf_t, set_key, void,
-	private_xcbc_prf_t *this, chunk_t key)
-{
-	this->xcbc->set_key(this->xcbc, key);
-}
-
-METHOD(prf_t, destroy, void,
-	private_xcbc_prf_t *this)
-{
-	this->xcbc->destroy(this->xcbc);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
-{
-	private_xcbc_prf_t *this;
-	xcbc_t *xcbc;
-
-	switch (algo)
-	{
-		case PRF_AES128_XCBC:
-			xcbc = xcbc_create(ENCR_AES_CBC, 16);
-			break;
-		case PRF_CAMELLIA128_XCBC:
-			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
-			break;
-		default:
-			return NULL;
-	}
-	if (!xcbc)
-	{
-		return NULL;
-	}
-
-	INIT(this,
-		.public = {
-			.prf = {
-				.get_bytes = _get_bytes,
-				.allocate_bytes = _allocate_bytes,
-				.get_block_size = _get_block_size,
-				.get_key_size = _get_key_size,
-				.set_key = _set_key,
-				.destroy = _destroy,
-			},
-		},
-		.xcbc = xcbc,
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
deleted file mode 100644
index 294a853b4..000000000
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xcbc_prf xcbc_prf
- * @{ @ingroup xcbc_p
- */
-
-#ifndef PRF_XCBC_H_
-#define PRF_XCBC_H_
-
-typedef struct xcbc_prf_t xcbc_prf_t;
-
-#include <crypto/prfs/prf.h>
-
-/**
- * Implementation of prf_t on CBC block cipher using XCBC, RFC3664/RFC4434.
- *
- * This simply wraps a xcbc_t in a prf_t. More a question of
- * interface matching.
- */
-struct xcbc_prf_t {
-
-	/**
-	 * Implements prf_t interface.
-	 */
-	prf_t prf;
-};
-
-/**
- * Creates a new xcbc_prf_t object.
- *
- * @param algo		algorithm to implement
- * @return			xcbc_prf_t object, NULL if hash not supported
- */
-xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo);
-
-#endif /** PRF_XCBC_SHA1_H_ @}*/
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
deleted file mode 100644
index ece592323..000000000
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "xcbc_signer.h"
-#include "xcbc.h"
-
-typedef struct private_xcbc_signer_t private_xcbc_signer_t;
-
-/**
- * Private data structure with signing context.
- */
-struct private_xcbc_signer_t {
-
-	/**
-	 * Public interface of xcbc_signer_t.
-	 */
-	xcbc_signer_t public;
-
-	/**
-	 * Assigned xcbc function.
-	 */
-	xcbc_t *xcbc;
-
-	/**
-	 * Block size (truncation of XCBC MAC)
-	 */
-	size_t block_size;
-};
-
-METHOD(signer_t, get_signature, void,
-	private_xcbc_signer_t *this, chunk_t data, u_int8_t *buffer)
-{
-	if (buffer == NULL)
-	{	/* append mode */
-		this->xcbc->get_mac(this->xcbc, data, NULL);
-	}
-	else
-	{
-		u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-
-		this->xcbc->get_mac(this->xcbc, data, mac);
-		memcpy(buffer, mac, this->block_size);
-	}
-}
-
-METHOD(signer_t, allocate_signature, void,
-	private_xcbc_signer_t *this, chunk_t data, chunk_t *chunk)
-{
-	if (chunk == NULL)
-	{	/* append mode */
-		this->xcbc->get_mac(this->xcbc, data, NULL);
-	}
-	else
-	{
-		u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-
-		this->xcbc->get_mac(this->xcbc, data, mac);
-
-		chunk->ptr = malloc(this->block_size);
-		chunk->len = this->block_size;
-
-		memcpy(chunk->ptr, mac, this->block_size);
-	}
-}
-
-METHOD(signer_t, verify_signature, bool,
-	private_xcbc_signer_t *this, chunk_t data, chunk_t signature)
-{
-	u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-
-	if (signature.len != this->block_size)
-	{
-		return FALSE;
-	}
-
-	this->xcbc->get_mac(this->xcbc, data, mac);
-	return memeq(signature.ptr, mac, this->block_size);
-}
-
-METHOD(signer_t, get_key_size, size_t,
-	private_xcbc_signer_t *this)
-{
-	return this->xcbc->get_block_size(this->xcbc);
-}
-
-METHOD(signer_t, get_block_size, size_t,
-	private_xcbc_signer_t *this)
-{
-	return this->block_size;
-}
-
-METHOD(signer_t, set_key, void,
-	private_xcbc_signer_t *this, chunk_t key)
-{
-	this->xcbc->set_key(this->xcbc, key);
-}
-
-METHOD(signer_t, destroy, void,
-	private_xcbc_signer_t *this)
-{
-	this->xcbc->destroy(this->xcbc);
-	free(this);
-}
-
-/*
- * Described in header
- */
-xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
-{
-	private_xcbc_signer_t *this;
-	size_t trunc;
-	xcbc_t *xcbc;
-
-	switch (algo)
-	{
-		case AUTH_AES_XCBC_96:
-			xcbc = xcbc_create(ENCR_AES_CBC, 16);
-			trunc = 12;
-			break;
-		case AUTH_CAMELLIA_XCBC_96:
-			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
-			trunc = 12;
-			break;
-		default:
-			return NULL;
-	}
-	if (xcbc == NULL)
-	{
-		return NULL;
-	}
-
-	INIT(this,
-		.public = {
-			.signer = {
-				.get_signature = _get_signature,
-				.allocate_signature = _allocate_signature,
-				.verify_signature = _verify_signature,
-				.get_key_size = _get_key_size,
-				.get_block_size = _get_block_size,
-				.set_key = _set_key,
-				.destroy = _destroy,
-			},
-		},
-		.xcbc = xcbc,
-		.block_size = min(trunc, xcbc->get_block_size(xcbc)),
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
deleted file mode 100644
index 56b55f223..000000000
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xcbc_signer xcbc_signer
- * @{ @ingroup xcbc_p
- */
-
-#ifndef XCBC_SIGNER_H_
-#define XCBC_SIGNER_H_
-
-typedef struct xcbc_signer_t xcbc_signer_t;
-
-#include <crypto/signers/signer.h>
-
-/**
- * Implementation of signer_t based on CBC symmetric cypher. XCBC, RFC3566.
- */
-struct xcbc_signer_t {
-
-	/**
-	 * Implements signer_t interface.
-	 */
-	signer_t signer;
-};
-
-/**
- * Creates a new xcbc_signer_t.
- *
- * @param algo		algorithm to implement
- * @return			xcbc_signer_t, NULL if  not supported
- */
-xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo);
-
-#endif /** XCBC_SIGNER_H_ @}*/
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
deleted file mode 100644
index 11fd66ce9..000000000
--- a/src/libstrongswan/printf_hook.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (C) 2009 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup printf_hook printf_hook
- * @{ @ingroup libstrongswan
- */
-
-#ifndef PRINTF_HOOK_H_
-#define PRINTF_HOOK_H_
-
-typedef struct printf_hook_t printf_hook_t;
-typedef struct printf_hook_spec_t printf_hook_spec_t;
-typedef enum printf_hook_argtype_t printf_hook_argtype_t;
-
-#if !defined(USE_VSTR) && \
-	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
-
-#include <stdio.h>
-#include <printf.h>
-
-enum printf_hook_argtype_t {
-	PRINTF_HOOK_ARGTYPE_END = -1,
-	PRINTF_HOOK_ARGTYPE_INT = PA_INT,
-	PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER,
-};
-
-#else
-
-#include <vstr.h>
-
-enum printf_hook_argtype_t {
-	PRINTF_HOOK_ARGTYPE_END = VSTR_TYPE_FMT_END,
-	PRINTF_HOOK_ARGTYPE_INT = VSTR_TYPE_FMT_INT,
-	PRINTF_HOOK_ARGTYPE_POINTER = VSTR_TYPE_FMT_PTR_VOID,
-};
-
-/**
- * Redefining printf and alike
- */
-#include <stdio.h>
-#include <stdarg.h>
-
-int vstr_wrapper_printf(const char *format, ...);
-int vstr_wrapper_fprintf(FILE *stream, const char *format, ...);
-int vstr_wrapper_sprintf(char *str, const char *format, ...);
-int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...);
-int vstr_wrapper_asprintf(char **str, const char *format, ...);
-
-int vstr_wrapper_vprintf(const char *format, va_list ap);
-int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap);
-int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap);
-int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap);
-int vstr_wrapper_vasprintf(char **str, const char *format, va_list ap);
-
-#define printf vstr_wrapper_printf
-#define fprintf vstr_wrapper_fprintf
-#define sprintf vstr_wrapper_sprintf
-#define snprintf vstr_wrapper_snprintf
-#define asprintf vstr_wrapper_asprintf
-
-#define vprintf vstr_wrapper_vprintf
-#define vfprintf vstr_wrapper_vfprintf
-#define vsprintf vstr_wrapper_vsprintf
-#define vsnprintf vstr_wrapper_vsnprintf
-#define vasprintf vstr_wrapper_vasprintf
-
-#endif
-
-/**
- * Callback function type for printf hooks.
- *
- * @param dst		destination buffer
- * @param len		length of the buffer
- * @param spec		format specifier
- * @param args		arguments array
- * @return			number of characters written
- */
-typedef int (*printf_hook_function_t)(char *dst, size_t len,
-									  printf_hook_spec_t *spec,
-									  const void *const *args);
-
-/**
- * Helper macro to be used in printf hook callbacks.
- * buf and buflen get modified.
- */
-#define print_in_hook(buf, buflen, fmt, ...) ({\
-	int _written = snprintf(buf, buflen, fmt, ##__VA_ARGS__);\
-	if (_written < 0 || _written >= buflen)\
-	{\
-		_written = buflen - 1;\
-	}\
-	buf += _written;\
-	buflen -= _written;\
-	_written;\
-})
-
-/**
- * Properties of the format specifier
- */
-struct printf_hook_spec_t {
-	/**
-	 * TRUE if a '#' was used in the format specifier
-	 */
-	int hash;
-
-	/**
-	 * TRUE if a '-' was used in the format specifier
-	 */
-	int minus;
-
-	/**
-	 * The width as given in the format specifier.
-	 */
-	int width;
-};
-
-/**
- * Printf handler management.
- */
-struct printf_hook_t {
-
-	/**
-	 * Register a printf handler.
-	 *
-	 * @param spec		printf hook format character
-	 * @param hook		hook function
-	 * @param ...		list of PRINTF_HOOK_ARGTYPE_*, MUST end with PRINTF_HOOK_ARGTYPE_END
-	 */
-	void (*add_handler)(printf_hook_t *this, char spec,
-						printf_hook_function_t hook, ...);
-
-	/**
-	 * Destroy a printf_hook instance.
-	 */
-	void (*destroy)(printf_hook_t *this);
-};
-
-/**
- * Create a printf_hook instance.
- */
-printf_hook_t *printf_hook_create();
-
-#endif /** PRINTF_HOOK_H_ @}*/
diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
index 13f22e69c..8258ccb33 100644
--- a/src/libstrongswan/processing/jobs/callback_job.c
+++ b/src/libstrongswan/processing/jobs/callback_job.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2012 Tobias Brunner
  * Copyright (C) 2007-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
  * Hochschule fuer Technik Rapperswil
@@ -17,12 +17,11 @@
 
 #include "callback_job.h"
 
-#include <semaphore.h>
-
 #include <threading/thread.h>
 #include <threading/condvar.h>
+#include <threading/semaphore.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_callback_job_t private_callback_job_t;
 
@@ -52,42 +51,9 @@ struct private_callback_job_t {
 	callback_job_cleanup_t cleanup;
 
 	/**
-	 * thread of the job, if running
-	 */
-	thread_t *thread;
-
-	/**
-	 * mutex to access jobs interna
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * list of associated child jobs
-	 */
-	linked_list_t *children;
-
-	/**
-	 * parent of this job, or NULL
+	 * cancel function
 	 */
-	private_callback_job_t *parent;
-
-	/**
-	 * TRUE if the job got cancelled
-	 */
-	bool cancelled;
-
-	/**
-	 * condvar to synchronize the cancellation/destruction of the job
-	 */
-	condvar_t *destroyable;
-
-	/**
-	 * semaphore to synchronize the termination of the assigned thread.
-	 *
-	 * separately allocated during cancellation, so that we can wait on it
-	 * without risking that it gets freed too early during destruction.
-	 */
-	sem_t *terminated;
+	callback_job_cancel_t cancel;
 
 	/**
 	 * Priority of this job
@@ -95,141 +61,26 @@ struct private_callback_job_t {
 	job_priority_t prio;
 };
 
-/**
- * unregister a child from its parent, if any.
- * note: this->mutex has to be locked
- */
-static void unregister(private_callback_job_t *this)
-{
-	if (this->parent)
-	{
-		this->parent->mutex->lock(this->parent->mutex);
-		if (this->parent->cancelled && !this->cancelled)
-		{
-			/* if the parent has been cancelled but we have not yet, we do not
-			 * unregister until we got cancelled by the parent. */
-			this->parent->mutex->unlock(this->parent->mutex);
-			this->destroyable->wait(this->destroyable, this->mutex);
-			this->parent->mutex->lock(this->parent->mutex);
-		}
-		this->parent->children->remove(this->parent->children, this, NULL);
-		this->parent->mutex->unlock(this->parent->mutex);
-		this->parent = NULL;
-	}
-}
-
 METHOD(job_t, destroy, void,
 	private_callback_job_t *this)
 {
-	this->mutex->lock(this->mutex);
-	unregister(this);
 	if (this->cleanup)
 	{
 		this->cleanup(this->data);
 	}
-	if (this->terminated)
-	{
-		sem_post(this->terminated);
-	}
-	this->children->destroy(this->children);
-	this->destroyable->destroy(this->destroyable);
-	this->mutex->unlock(this->mutex);
-	this->mutex->destroy(this->mutex);
 	free(this);
 }
 
-METHOD(callback_job_t, cancel, void,
+METHOD(job_t, execute, job_requeue_t,
 	private_callback_job_t *this)
 {
-	callback_job_t *child;
-	sem_t *terminated = NULL;
-
-	this->mutex->lock(this->mutex);
-	this->cancelled = TRUE;
-	/* terminate children */
-	while (this->children->get_first(this->children, (void**)&child) == SUCCESS)
-	{
-		this->mutex->unlock(this->mutex);
-		child->cancel(child);
-		this->mutex->lock(this->mutex);
-	}
-	if (this->thread)
-	{
-		/* terminate the thread, if there is currently one executing the job.
-		 * we wait for its termination using a semaphore */
-		this->thread->cancel(this->thread);
-		terminated = this->terminated = malloc_thing(sem_t);
-		sem_init(terminated, 0, 0);
-	}
-	else
-	{
-		/* if the job is currently queued, it gets terminated later.
-		 * we can't wait, because it might not get executed at all.
-		 * we also unregister the queued job manually from its parent (the
-		 * others get unregistered during destruction) */
-		unregister(this);
-	}
-	this->destroyable->signal(this->destroyable);
-	this->mutex->unlock(this->mutex);
-
-	if (terminated)
-	{
-		sem_wait(terminated);
-		sem_destroy(terminated);
-		free(terminated);
-	}
+	return this->callback(this->data);
 }
 
-METHOD(job_t, execute, void,
+METHOD(job_t, cancel, bool,
 	private_callback_job_t *this)
 {
-	bool cleanup = FALSE, requeue = FALSE;
-
-	thread_cleanup_push((thread_cleanup_t)destroy, this);
-
-	this->mutex->lock(this->mutex);
-	this->thread = thread_current();
-	this->mutex->unlock(this->mutex);
-
-	while (TRUE)
-	{
-		this->mutex->lock(this->mutex);
-		if (this->cancelled)
-		{
-			this->mutex->unlock(this->mutex);
-			cleanup = TRUE;
-			break;
-		}
-		this->mutex->unlock(this->mutex);
-		switch (this->callback(this->data))
-		{
-			case JOB_REQUEUE_DIRECT:
-				continue;
-			case JOB_REQUEUE_FAIR:
-			{
-				requeue = TRUE;
-				break;
-			}
-			case JOB_REQUEUE_NONE:
-			default:
-			{
-				cleanup = TRUE;
-				break;
-			}
-		}
-		break;
-	}
-	this->mutex->lock(this->mutex);
-	this->thread = NULL;
-	this->mutex->unlock(this->mutex);
-	/* manually create a cancellation point to avoid that a cancelled thread
-	 * goes back into the thread pool */
-	thread_cancellation_point();
-	if (requeue)
-	{
-		lib->processor->queue_job(lib->processor, &this->public.job);
-	}
-	thread_cleanup_pop(cleanup);
+	return this->cancel(this->data);
 }
 
 METHOD(job_t, get_priority, job_priority_t,
@@ -242,8 +93,8 @@ METHOD(job_t, get_priority, job_priority_t,
  * Described in header.
  */
 callback_job_t *callback_job_create_with_prio(callback_job_cb_t cb, void *data,
-					callback_job_cleanup_t cleanup, callback_job_t *parent,
-					job_priority_t prio)
+				callback_job_cleanup_t cleanup, callback_job_cancel_t cancel,
+				job_priority_t prio)
 {
 	private_callback_job_t *this;
 
@@ -254,24 +105,17 @@ callback_job_t *callback_job_create_with_prio(callback_job_cb_t cb, void *data,
 				.get_priority = _get_priority,
 				.destroy = _destroy,
 			},
-			.cancel = _cancel,
 		},
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.callback = cb,
 		.data = data,
 		.cleanup = cleanup,
-		.children = linked_list_create(),
-		.parent = (private_callback_job_t*)parent,
-		.destroyable = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.cancel = cancel,
 		.prio = prio,
 	);
 
-	/* register us at parent */
-	if (parent)
+	if (cancel)
 	{
-		this->parent->mutex->lock(this->parent->mutex);
-		this->parent->children->insert_last(this->parent->children, this);
-		this->parent->mutex->unlock(this->parent->mutex);
+		this->public.job.cancel = _cancel;
 	}
 
 	return &this->public;
@@ -282,8 +126,8 @@ callback_job_t *callback_job_create_with_prio(callback_job_cb_t cb, void *data,
  */
 callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 									callback_job_cleanup_t cleanup,
-									callback_job_t *parent)
+									callback_job_cancel_t cancel)
 {
-	return callback_job_create_with_prio(cb, data, cleanup, parent,
+	return callback_job_create_with_prio(cb, data, cleanup, cancel,
 										 JOB_PRIO_MEDIUM);
 }
diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
index 3e92b01c0..6f2e39eb8 100644
--- a/src/libstrongswan/processing/jobs/callback_job.h
+++ b/src/libstrongswan/processing/jobs/callback_job.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2007-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
  * Hochschule fuer Technik Rapperswil
@@ -27,33 +28,6 @@ typedef struct callback_job_t callback_job_t;
 #include <library.h>
 #include <processing/jobs/job.h>
 
-
-typedef enum job_requeue_t job_requeue_t;
-
-/**
- * Job requeueing policy.
- *
- * The job requeueing policy defines how a job is handled when the callback
- * function returns.
- */
-enum job_requeue_t {
-
-	/**
-	 * Do not requeue job, destroy it
-	 */
-	JOB_REQUEUE_NONE,
-
-	/**
-	 * Reque the job fairly, meaning it has to requeue as any other job
-	 */
-	JOB_REQUEUE_FAIR,
-
-	/**
-	 * Reexecute the job directly, without the need of requeueing it
-	 */
-	JOB_REQUEUE_DIRECT,
-};
-
 /**
  * The callback function to use for the callback job.
  *
@@ -73,11 +47,22 @@ typedef job_requeue_t (*callback_job_cb_t)(void *data);
  * to supply to the constructor.
  *
  * @param data			param supplied to job
- * @return				requeing policy how to requeue the job
  */
 typedef void (*callback_job_cleanup_t)(void *data);
 
 /**
+ * Cancellation function to use for the callback job.
+ *
+ * Optional function to be called when a job has to be canceled.
+ *
+ * See job_t.cancel() for details on the return value.
+ *
+ * @param data			param supplied to job
+ * @return				TRUE if canceled, FALSE to explicitly cancel the thread
+ */
+typedef bool (*callback_job_cancel_t)(void *data);
+
+/**
  * Class representing an callback Job.
  *
  * This is a special job which allows a simple callback function to
@@ -91,14 +76,6 @@ struct callback_job_t {
 	 */
 	job_t job;
 
-	/**
-	 * Cancel the job's thread and wait for its termination.
-	 *
-	 * This only works reliably for jobs that always use JOB_REQUEUE_FAIR or
-	 * JOB_REQUEUE_DIRECT, otherwise the job may already be destroyed when
-	 * cancel is called.
-	 */
-	void (*cancel)(callback_job_t *this);
 };
 
 /**
@@ -106,19 +83,20 @@ struct callback_job_t {
  *
  * The cleanup function is called when the job gets destroyed to destroy
  * the associated data.
- * If parent is not NULL, the specified job gets an association. Whenever
- * the parent gets cancelled (or runs out), all of its children are cancelled,
- * too.
+ *
+ * The cancel function is optional and should only be provided if the callback
+ * function calls potentially blocking functions and/or always returns
+ * JOB_REQUEUE_DIRECT.
  *
  * @param cb				callback to call from the processor
  * @param data				user data to supply to callback
  * @param cleanup			destructor for data on destruction, or NULL
- * @param parent			parent of this job
+ * @param cancel			function to cancel the job, or NULL
  * @return					callback_job_t object
  */
 callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
 									callback_job_cleanup_t cleanup,
-									callback_job_t *parent);
+									callback_job_cancel_t cancel);
 
 /**
  * Creates a callback job, with priority.
@@ -128,12 +106,12 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
  * @param cb				callback to call from the processor
  * @param data				user data to supply to callback
  * @param cleanup			destructor for data on destruction, or NULL
- * @param parent			parent of this job
+ * @param cancel			function to cancel the job, or NULL
  * @param prio				job priority
  * @return					callback_job_t object
  */
 callback_job_t *callback_job_create_with_prio(callback_job_cb_t cb, void *data,
-					callback_job_cleanup_t cleanup, callback_job_t *parent,
-					job_priority_t prio);
+				callback_job_cleanup_t cleanup, callback_job_cancel_t cancel,
+				job_priority_t prio);
 
 #endif /** CALLBACK_JOB_H_ @}*/
diff --git a/src/libstrongswan/processing/jobs/job.h b/src/libstrongswan/processing/jobs/job.h
index d25cee03e..64454718a 100644
--- a/src/libstrongswan/processing/jobs/job.h
+++ b/src/libstrongswan/processing/jobs/job.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -24,6 +25,9 @@
 
 typedef struct job_t job_t;
 typedef enum job_priority_t job_priority_t;
+typedef enum job_status_t job_status_t;
+typedef enum job_requeue_type_t job_requeue_type_t;
+typedef struct job_requeue_t job_requeue_t;
 
 #include <library.h>
 
@@ -48,18 +52,107 @@ enum job_priority_t {
 extern enum_name_t *job_priority_names;
 
 /**
+ * Job status
+ */
+enum job_status_t {
+	/** The job is queued and has not yet been executed */
+	JOB_STATUS_QUEUED = 0,
+	/** During execution */
+	JOB_STATUS_EXECUTING,
+	/** If the job got canceled */
+	JOB_STATUS_CANCELED,
+	/** The job was executed successfully */
+	JOB_STATUS_DONE,
+};
+
+/**
+ * How a job is handled after is has been executed.
+ */
+enum job_requeue_type_t {
+	/** Do not requeue job, destroy it */
+	JOB_REQUEUE_TYPE_NONE = 0,
+	/** Requeue the job fairly, i.e. it is inserted at the end of the queue */
+	JOB_REQUEUE_TYPE_FAIR,
+	/** Reexecute the job directly, without the need of requeueing it */
+	JOB_REQUEUE_TYPE_DIRECT,
+	/** Rescheduled the job via scheduler_t */
+	JOB_REQUEUE_TYPE_SCHEDULE,
+};
+
+/**
+ * Job requeueing policy.
+ *
+ * The job requeueing policy defines how a job is handled after it has been
+ * executed.
+ */
+struct job_requeue_t {
+	/** How to handle the job after executing it */
+	job_requeue_type_t type;
+	/** How to reschedule the job, if so */
+	enum {
+		JOB_SCHEDULE,
+		JOB_SCHEDULE_MS,
+		JOB_SCHEDULE_TV,
+	} schedule;
+	/** Time to reschedule the job */
+	union {
+		u_int32_t rel;
+		timeval_t abs;
+	} time;
+};
+
+/**
+ * Helper macros to easily define requeueing policies.
+ */
+#define __JOB_REQUEUE(t)			(job_requeue_t){ .type = t }
+#define JOB_REQUEUE_NONE			__JOB_REQUEUE(JOB_REQUEUE_TYPE_NONE)
+#define JOB_REQUEUE_FAIR			__JOB_REQUEUE(JOB_REQUEUE_TYPE_FAIR)
+#define JOB_REQUEUE_DIRECT			__JOB_REQUEUE(JOB_REQUEUE_TYPE_DIRECT)
+#define __JOB_RESCHEDULE(t, ...)	(job_requeue_t){ .type = JOB_REQUEUE_TYPE_SCHEDULE, .schedule = t, { __VA_ARGS__ } }
+#define JOB_RESCHEDULE(s)			__JOB_RESCHEDULE(JOB_SCHEDULE, .rel = s)
+#define JOB_RESCHEDULE_MS(ms)		__JOB_RESCHEDULE(JOB_SCHEDULE_MS, .rel = ms)
+#define JOB_RESCHEDULE_TV(tv)		__JOB_RESCHEDULE(JOB_SCHEDULE_TV, .abs = tv)
+
+/**
  * Job interface as it is stored in the job queue.
  */
 struct job_t {
 
 	/**
+	 * Status of this job, is modified exclusively by the processor/scheduler
+	 */
+	job_status_t status;
+
+	/**
 	 * Execute a job.
 	 *
 	 * The processing facility executes a job using this method. Jobs are
-	 * one-shot, they destroy themself after execution, so don't use a job
-	 * once it has been executed.
+	 * one-shot, they are destroyed after execution (depending on the return
+	 * value here), so don't use a job once it has been queued.
+	 *
+	 * @return			policy how to requeue the job
+	 */
+	job_requeue_t (*execute) (job_t *this);
+
+	/**
+	 * Cancel a job.
+	 *
+	 * Implementing this method is optional.  It allows potentially blocking
+	 * jobs to be canceled during shutdown.
+	 *
+	 * If no special action is to be taken simply return FALSE then the thread
+	 * executing the job will be canceled.  If TRUE is returned the job is
+	 * expected to return from execute() itself (i.e. the thread won't be
+	 * canceled explicitly and can still be joined later).
+	 * Jobs that return FALSE have to make sure they provide the appropriate
+	 * cancellation points.
+	 *
+	 * @note Regular jobs that do not block MUST NOT implement this method.
+	 * @note This method could be called even before execute() has been called.
+	 *
+	 * @return			FALSE to cancel the thread, TRUE if canceled otherwise
 	 */
-	void (*execute) (job_t *this);
+	bool (*cancel)(job_t *this);
 
 	/**
 	 * Get the priority of a job.
@@ -71,10 +164,12 @@ struct job_t {
 	/**
 	 * Destroy a job.
 	 *
-	 * Is only called whenever a job was not executed (e.g. due daemon shutdown).
-	 * After execution, jobs destroy themself.
+	 * Is called after a job is executed or got canceled.  It is also called
+	 * for queued jobs that were never executed.
+	 *
+	 * Use the status of a job to decide what to do during destruction.
 	 */
-	void (*destroy) (job_t *this);
+	void (*destroy)(job_t *this);
 };
 
 #endif /** JOB_H_ @}*/
diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c
index 222f1a535..adbd95685 100644
--- a/src/libstrongswan/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2005-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
- * Copyright (C) 2008-2011 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -22,12 +22,12 @@
 
 #include "processor.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 #include <threading/thread_value.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_processor_t private_processor_t;
 
@@ -58,7 +58,7 @@ struct private_processor_t {
 
 	/**
 	 * All threads managed in the pool (including threads that have been
-	 * cancelled, this allows to join them during destruction)
+	 * canceled, this allows to join them later), as worker_thread_t
 	 */
 	linked_list_t *threads;
 
@@ -73,11 +73,6 @@ struct private_processor_t {
 	int prio_threads[JOB_PRIO_MAX];
 
 	/**
-	 * Priority of the job executed by a thread
-	 */
-	thread_value_t *priority;
-
-	/**
 	 * access to job lists is locked through this mutex
 	 */
 	mutex_t *mutex;
@@ -93,39 +88,79 @@ struct private_processor_t {
 	condvar_t *thread_terminated;
 };
 
-static void process_jobs(private_processor_t *this);
+/**
+ * Worker thread
+ */
+typedef struct {
+
+	/**
+	 * Reference to the processor
+	 */
+	private_processor_t *processor;
+
+	/**
+	 * The actual thread
+	 */
+	thread_t *thread;
+
+	/**
+	 * Job currently being executed by this worker thread
+	 */
+	job_t *job;
+
+	/**
+	 * Priority of the current job
+	 */
+	job_priority_t priority;
+
+} worker_thread_t;
+
+static void process_jobs(worker_thread_t *worker);
 
 /**
  * restart a terminated thread
  */
-static void restart(private_processor_t *this)
+static void restart(worker_thread_t *worker)
 {
-	thread_t *thread;
+	private_processor_t *this = worker->processor;
+	job_t *job;
 
 	DBG2(DBG_JOB, "terminated worker thread %.2u", thread_current_id());
 
-	/* respawn thread if required */
 	this->mutex->lock(this->mutex);
-	if (this->desired_threads < this->total_threads ||
-		(thread = thread_create((thread_main_t)process_jobs, this)) == NULL)
-	{
-		this->total_threads--;
-		this->thread_terminated->signal(this->thread_terminated);
-	}
-	else
-	{
-		this->threads->insert_last(this->threads, thread);
-	}
+	/* cleanup worker thread  */
+	this->working_threads[worker->priority]--;
+	worker->job->status = JOB_STATUS_CANCELED;
+	job = worker->job;
+	/* unset the job before releasing the mutex, otherwise cancel() might
+	 * interfere */
+	worker->job = NULL;
+	/* release mutex to avoid deadlocks if the same lock is required
+	 * during queue_job() and in the destructor called here */
 	this->mutex->unlock(this->mutex);
-}
-
-/**
- * Decrement working thread count of a priority class
- */
-static void decrement_working_threads(private_processor_t *this)
-{
+	job->destroy(job);
 	this->mutex->lock(this->mutex);
-	this->working_threads[(intptr_t)this->priority->get(this->priority)]--;
+
+	/* respawn thread if required */
+	if (this->desired_threads >= this->total_threads)
+	{
+		worker_thread_t *new_worker;
+
+		INIT(new_worker,
+			.processor = this,
+		);
+		new_worker->thread = thread_create((thread_main_t)process_jobs,
+										   new_worker);
+		if (new_worker->thread)
+		{
+			this->threads->insert_last(this->threads, new_worker);
+			this->mutex->unlock(this->mutex);
+			return;
+		}
+		free(new_worker);
+	}
+	this->total_threads--;
+	this->thread_terminated->signal(this->thread_terminated);
 	this->mutex->unlock(this->mutex);
 }
 
@@ -145,11 +180,135 @@ static u_int get_idle_threads_nolock(private_processor_t *this)
 }
 
 /**
+ * Get a job from any job queue, starting with the highest priority.
+ *
+ * this->mutex is expected to be locked.
+ */
+static bool get_job(private_processor_t *this, worker_thread_t *worker)
+{
+	int i, reserved = 0, idle;
+
+	idle = get_idle_threads_nolock(this);
+
+	for (i = 0; i < JOB_PRIO_MAX; i++)
+	{
+		if (reserved && reserved >= idle)
+		{
+			DBG2(DBG_JOB, "delaying %N priority jobs: %d threads idle, "
+				 "but %d reserved for higher priorities",
+				 job_priority_names, i, idle, reserved);
+			/* wait until a job of higher priority gets queued */
+			return FALSE;
+		}
+		if (this->working_threads[i] < this->prio_threads[i])
+		{
+			reserved += this->prio_threads[i] - this->working_threads[i];
+		}
+		if (this->jobs[i]->remove_first(this->jobs[i],
+										(void**)&worker->job) == SUCCESS)
+		{
+			worker->priority = i;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Process a single job (provided in worker->job, worker->priority is also
+ * expected to be set)
+ *
+ * this->mutex is expected to be locked.
+ */
+static void process_job(private_processor_t *this, worker_thread_t *worker)
+{
+	job_t *to_destroy = NULL;
+	job_requeue_t requeue;
+
+	this->working_threads[worker->priority]++;
+	worker->job->status = JOB_STATUS_EXECUTING;
+	this->mutex->unlock(this->mutex);
+	/* canceled threads are restarted to get a constant pool */
+	thread_cleanup_push((thread_cleanup_t)restart, worker);
+	while (TRUE)
+	{
+		requeue = worker->job->execute(worker->job);
+		if (requeue.type != JOB_REQUEUE_TYPE_DIRECT)
+		{
+			break;
+		}
+		else if (!worker->job->cancel)
+		{	/* only allow cancelable jobs to requeue directly */
+			requeue.type = JOB_REQUEUE_TYPE_FAIR;
+			break;
+		}
+	}
+	thread_cleanup_pop(FALSE);
+	this->mutex->lock(this->mutex);
+	this->working_threads[worker->priority]--;
+	if (worker->job->status == JOB_STATUS_CANCELED)
+	{	/* job was canceled via a custom cancel() method or did not
+		 * use JOB_REQUEUE_TYPE_DIRECT */
+		to_destroy = worker->job;
+	}
+	else
+	{
+		switch (requeue.type)
+		{
+			case JOB_REQUEUE_TYPE_NONE:
+				worker->job->status = JOB_STATUS_DONE;
+				to_destroy = worker->job;
+				break;
+			case JOB_REQUEUE_TYPE_FAIR:
+				worker->job->status = JOB_STATUS_QUEUED;
+				this->jobs[worker->priority]->insert_last(
+									this->jobs[worker->priority], worker->job);
+				this->job_added->signal(this->job_added);
+				break;
+			case JOB_REQUEUE_TYPE_SCHEDULE:
+				/* scheduler_t does not hold its lock when queuing jobs
+				 * so this should be safe without unlocking our mutex */
+				switch (requeue.schedule)
+				{
+					case JOB_SCHEDULE:
+						lib->scheduler->schedule_job(lib->scheduler,
+												worker->job, requeue.time.rel);
+						break;
+					case JOB_SCHEDULE_MS:
+						lib->scheduler->schedule_job_ms(lib->scheduler,
+												worker->job, requeue.time.rel);
+						break;
+					case JOB_SCHEDULE_TV:
+						lib->scheduler->schedule_job_tv(lib->scheduler,
+												worker->job, requeue.time.abs);
+						break;
+				}
+				break;
+			default:
+				break;
+		}
+	}
+	/* unset the current job to avoid interference with cancel() when
+	 * destroying the job below */
+	worker->job = NULL;
+
+	if (to_destroy)
+	{	/* release mutex to avoid deadlocks if the same lock is required
+		 * during queue_job() and in the destructor called here */
+		this->mutex->unlock(this->mutex);
+		to_destroy->destroy(to_destroy);
+		this->mutex->lock(this->mutex);
+	}
+}
+
+/**
  * Process queued jobs, called by the worker threads
  */
-static void process_jobs(private_processor_t *this)
+static void process_jobs(worker_thread_t *worker)
 {
-	/* worker threads are not cancellable by default */
+	private_processor_t *this = worker->processor;
+
+	/* worker threads are not cancelable by default */
 	thread_cancelability(FALSE);
 
 	DBG2(DBG_JOB, "started worker thread %.2u", thread_current_id());
@@ -157,43 +316,11 @@ static void process_jobs(private_processor_t *this)
 	this->mutex->lock(this->mutex);
 	while (this->desired_threads >= this->total_threads)
 	{
-		job_t *job = NULL;
-		int i, reserved = 0, idle;
-
-		idle = get_idle_threads_nolock(this);
-
-		for (i = 0; i < JOB_PRIO_MAX; i++)
+		if (get_job(this, worker))
 		{
-			if (reserved && reserved >= idle)
-			{
-				DBG2(DBG_JOB, "delaying %N priority jobs: %d threads idle, "
-					 "but %d reserved for higher priorities",
-					 job_priority_names, i, idle, reserved);
-				break;
-			}
-			if (this->working_threads[i] < this->prio_threads[i])
-			{
-				reserved += this->prio_threads[i] - this->working_threads[i];
-			}
-			if (this->jobs[i]->remove_first(this->jobs[i],
-											(void**)&job) == SUCCESS)
-			{
-				this->working_threads[i]++;
-				this->mutex->unlock(this->mutex);
-				this->priority->set(this->priority, (void*)(intptr_t)i);
-				/* terminated threads are restarted to get a constant pool */
-				thread_cleanup_push((thread_cleanup_t)restart, this);
-				thread_cleanup_push((thread_cleanup_t)decrement_working_threads,
-									this);
-				job->execute(job);
-				thread_cleanup_pop(FALSE);
-				thread_cleanup_pop(FALSE);
-				this->mutex->lock(this->mutex);
-				this->working_threads[i]--;
-				break;
-			}
+			process_job(this, worker);
 		}
-		if (!job)
+		else
 		{
 			this->job_added->wait(this->job_added, this->mutex);
 		}
@@ -266,31 +393,65 @@ METHOD(processor_t, queue_job, void,
 	job_priority_t prio;
 
 	prio = sane_prio(job->get_priority(job));
+	job->status = JOB_STATUS_QUEUED;
+
 	this->mutex->lock(this->mutex);
 	this->jobs[prio]->insert_last(this->jobs[prio], job);
 	this->job_added->signal(this->job_added);
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(processor_t, execute_job, void,
+	private_processor_t *this, job_t *job)
+{
+	job_priority_t prio;
+	bool queued = FALSE;
+
+	this->mutex->lock(this->mutex);
+	if (this->desired_threads && get_idle_threads_nolock(this))
+	{
+		prio = sane_prio(job->get_priority(job));
+		job->status = JOB_STATUS_QUEUED;
+		/* insert job in front to execute it immediately */
+		this->jobs[prio]->insert_first(this->jobs[prio], job);
+		queued = TRUE;
+	}
+	this->job_added->signal(this->job_added);
+	this->mutex->unlock(this->mutex);
+
+	if (!queued)
+	{
+		job->execute(job);
+		job->destroy(job);
+	}
+}
+
 METHOD(processor_t, set_threads, void,
 	private_processor_t *this, u_int count)
 {
 	this->mutex->lock(this->mutex);
 	if (count > this->total_threads)
 	{	/* increase thread count */
+		worker_thread_t *worker;
 		int i;
-		thread_t *current;
 
 		this->desired_threads = count;
 		DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
 		for (i = this->total_threads; i < count; i++)
 		{
-			current = thread_create((thread_main_t)process_jobs, this);
-			if (current)
+			INIT(worker,
+				.processor = this,
+			);
+			worker->thread = thread_create((thread_main_t)process_jobs, worker);
+			if (worker->thread)
 			{
-				this->threads->insert_last(this->threads, current);
+				this->threads->insert_last(this->threads, worker);
 				this->total_threads++;
 			}
+			else
+			{
+				free(worker);
+			}
 		}
 	}
 	else if (count < this->total_threads)
@@ -301,26 +462,49 @@ METHOD(processor_t, set_threads, void,
 	this->mutex->unlock(this->mutex);
 }
 
-METHOD(processor_t, destroy, void,
+METHOD(processor_t, cancel, void,
 	private_processor_t *this)
 {
-	thread_t *current;
-	int i;
+	enumerator_t *enumerator;
+	worker_thread_t *worker;
 
-	set_threads(this, 0);
 	this->mutex->lock(this->mutex);
+	this->desired_threads = 0;
+	/* cancel potentially blocking jobs */
+	enumerator = this->threads->create_enumerator(this->threads);
+	while (enumerator->enumerate(enumerator, (void**)&worker))
+	{
+		if (worker->job && worker->job->cancel)
+		{
+			worker->job->status = JOB_STATUS_CANCELED;
+			if (!worker->job->cancel(worker->job))
+			{	/* job requests to be canceled explicitly, otherwise we assume
+				 * the thread terminates itself and can be joined */
+				worker->thread->cancel(worker->thread);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
 	while (this->total_threads > 0)
 	{
 		this->job_added->broadcast(this->job_added);
 		this->thread_terminated->wait(this->thread_terminated, this->mutex);
 	}
 	while (this->threads->remove_first(this->threads,
-									   (void**)&current) == SUCCESS)
+									  (void**)&worker) == SUCCESS)
 	{
-		current->join(current);
+		worker->thread->join(worker->thread);
+		free(worker);
 	}
 	this->mutex->unlock(this->mutex);
-	this->priority->destroy(this->priority);
+}
+
+METHOD(processor_t, destroy, void,
+	private_processor_t *this)
+{
+	int i;
+
+	cancel(this);
 	this->thread_terminated->destroy(this->thread_terminated);
 	this->job_added->destroy(this->job_added);
 	this->mutex->destroy(this->mutex);
@@ -347,11 +531,12 @@ processor_t *processor_create()
 			.get_working_threads = _get_working_threads,
 			.get_job_load = _get_job_load,
 			.queue_job = _queue_job,
+			.execute_job = _execute_job,
 			.set_threads = _set_threads,
+			.cancel = _cancel,
 			.destroy = _destroy,
 		},
 		.threads = linked_list_create(),
-		.priority = thread_value_create(NULL),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.job_added = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT),
@@ -366,4 +551,3 @@ processor_t *processor_create()
 
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/processing/processor.h b/src/libstrongswan/processing/processor.h
index 5db42c04c..f96530e54 100644
--- a/src/libstrongswan/processing/processor.h
+++ b/src/libstrongswan/processing/processor.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -51,7 +52,7 @@ struct processor_t {
 	/**
 	 * Get the number of threads currently working, per priority class.
 	 *
-	 * @param				prioritiy to check
+	 * @param				priority to check
 	 * @return				number of threads in priority working
 	 */
 	u_int (*get_working_threads)(processor_t *this, job_priority_t prio);
@@ -74,18 +75,35 @@ struct processor_t {
 	void (*queue_job) (processor_t *this, job_t *job);
 
 	/**
+	 * Directly execute a job with an idle worker thread.
+	 *
+	 * If no idle thread is available, the job gets executed by the calling
+	 * thread.
+	 *
+	 * @param job			job, gets destroyed
+	 */
+	void (*execute_job)(processor_t *this, job_t *job);
+
+	/**
 	 * Set the number of threads to use in the processor.
 	 *
 	 * If the number of threads is smaller than number of currently running
 	 * threads, thread count is decreased. Use 0 to disable the processor.
-	 * This call blocks if it decreases thread count until threads have
-	 * terminated, so make sure there are not too many blocking jobs.
+	 *
+	 * This call does not block and wait for threads to terminate if the number
+	 * of threads is reduced.  Instead use cancel() for that during shutdown.
 	 *
 	 * @param count			number of threads to allocate
 	 */
 	void (*set_threads)(processor_t *this, u_int count);
 
 	/**
+	 * Sets the number of threads to 0 and cancels all blocking jobs, then waits
+	 * for all threads to be terminated.
+	 */
+	void (*cancel)(processor_t *this);
+
+	/**
 	 * Destroy a processor object.
 	 */
 	void (*destroy) (processor_t *processor);
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index f3cc1164a..3f1598fc4 100644
--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -19,7 +19,7 @@
 
 #include "scheduler.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <processing/processor.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/thread.h>
@@ -68,11 +68,6 @@ struct private_scheduler_t {
 	 scheduler_t public;
 
 	/**
-	 * Job which queues scheduled jobs to the processor.
-	 */
-	callback_job_t *job;
-
-	/**
 	 * The heap in which the events are stored.
 	 */
 	event_t **heap;
@@ -250,6 +245,7 @@ METHOD(scheduler_t, schedule_job_tv, void,
 
 	event = malloc_thing(event_t);
 	event->job = job;
+	event->job->status = JOB_STATUS_QUEUED;
 	event->time = tv;
 
 	this->mutex->lock(this->mutex);
@@ -308,7 +304,6 @@ METHOD(scheduler_t, destroy, void,
 	private_scheduler_t *this)
 {
 	event_t *event;
-	this->job->cancel(this->job);
 	this->condvar->destroy(this->condvar);
 	this->mutex->destroy(this->mutex);
 	while ((event = remove_event(this)) != NULL)
@@ -325,6 +320,7 @@ METHOD(scheduler_t, destroy, void,
 scheduler_t * scheduler_create()
 {
 	private_scheduler_t *this;
+	callback_job_t *job;
 
 	INIT(this,
 		.public = {
@@ -341,9 +337,9 @@ scheduler_t * scheduler_create()
 
 	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)schedule,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	job = callback_job_create_with_prio((callback_job_cb_t)schedule, this,
+										NULL, return_false, JOB_PRIO_CRITICAL);
+	lib->processor->queue_job(lib->processor, (job_t*)job);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
new file mode 100644
index 000000000..3009be608
--- /dev/null
+++ b/src/libstrongswan/processing/watcher.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "watcher.h"
+
+#include <library.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <collections/linked_list.h>
+#include <processing/jobs/callback_job.h>
+
+#include <unistd.h>
+#include <errno.h>
+#include <sys/select.h>
+#include <fcntl.h>
+
+typedef struct private_watcher_t private_watcher_t;
+
+/**
+ * Private data of an watcher_t object.
+ */
+struct private_watcher_t {
+
+	/**
+	 * Public watcher_t interface.
+	 */
+	watcher_t public;
+
+	/**
+	 * List of registered FDs, as entry_t
+	 */
+	linked_list_t *fds;
+
+	/**
+	 * Lock to access FD list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to signal completion of callback
+	 */
+	condvar_t *condvar;
+
+	/**
+	 * Notification pipe to signal watcher thread
+	 */
+	int notify[2];
+
+	/**
+	 * List of callback jobs to process by watcher thread, as job_t
+	 */
+	linked_list_t *jobs;
+};
+
+/**
+ * Entry for a registered file descriptor
+ */
+typedef struct {
+	/** file descriptor */
+	int fd;
+	/** events to watch */
+	watcher_event_t events;
+	/** registered callback function */
+	watcher_cb_t cb;
+	/** user data to pass to callback */
+	void *data;
+	/** callback(s) currently active? */
+	int in_callback;
+} entry_t;
+
+/**
+ * Data we pass on for an async notification
+ */
+typedef struct {
+	/** file descriptor */
+	int fd;
+	/** event type */
+	watcher_event_t event;
+	/** registered callback function */
+	watcher_cb_t cb;
+	/** user data to pass to callback */
+	void *data;
+	/** keep registered? */
+	bool keep;
+	/** reference to watcher */
+	private_watcher_t *this;
+} notify_data_t;
+
+/**
+ * Notify watcher thread about changes
+ */
+static void update(private_watcher_t *this)
+{
+	char buf[1] = { 'u' };
+
+	if (this->notify[1] != -1)
+	{
+		ignore_result(write(this->notify[1], buf, sizeof(buf)));
+	}
+}
+
+/**
+ * Cleanup function if callback gets cancelled
+ */
+static void unregister(notify_data_t *data)
+{
+	/* if a thread processing a callback gets cancelled, we mark the entry
+	 * as cancelled, like the callback would return FALSE. This is required
+	 * to not queue this watcher again if all threads have been gone. */
+	data->keep = FALSE;
+}
+
+ /**
+ * Execute callback of registered FD, asynchronous
+ */
+static job_requeue_t notify_async(notify_data_t *data)
+{
+	thread_cleanup_push((void*)unregister, data);
+	data->keep = data->cb(data->data, data->fd, data->event);
+	thread_cleanup_pop(FALSE);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Clean up notification data, reactivate FD
+ */
+static void notify_end(notify_data_t *data)
+{
+	private_watcher_t *this = data->this;
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* reactivate the disabled entry */
+	this->mutex->lock(this->mutex);
+	enumerator = this->fds->create_enumerator(this->fds);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->fd == data->fd)
+		{
+			if (!data->keep)
+			{
+				entry->events &= ~data->event;
+				if (!entry->events)
+				{
+					this->fds->remove_at(this->fds, enumerator);
+					free(entry);
+					break;
+				}
+			}
+			entry->in_callback--;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	update(this);
+	this->condvar->broadcast(this->condvar);
+	this->mutex->unlock(this->mutex);
+
+	free(data);
+}
+
+/**
+ * Execute the callback for a registered FD
+ */
+static void notify(private_watcher_t *this, entry_t *entry,
+				   watcher_event_t event)
+{
+	notify_data_t *data;
+
+	/* get a copy of entry for async job, but with specific event */
+	INIT(data,
+		.fd = entry->fd,
+		.event = event,
+		.cb = entry->cb,
+		.data = entry->data,
+		.keep = TRUE,
+		.this = this,
+	);
+
+	/* deactivate entry, so we can select() other FDs even if the async
+	 * processing did not handle the event yet */
+	entry->in_callback++;
+
+	this->jobs->insert_last(this->jobs,
+					callback_job_create_with_prio((void*)notify_async, data,
+						(void*)notify_end, (callback_job_cancel_t)return_false,
+						JOB_PRIO_CRITICAL));
+}
+
+/**
+ * Thread cancellation function for watcher thread
+ */
+static void activate_all(private_watcher_t *this)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	/* When the watcher thread gets cancelled, we have to reactivate any entry
+	 * and signal threads in remove() to go on. */
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->fds->create_enumerator(this->fds);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		entry->in_callback = 0;
+	}
+	enumerator->destroy(enumerator);
+	this->condvar->broadcast(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Dispatching function
+ */
+static job_requeue_t watch(private_watcher_t *this)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	fd_set rd, wr, ex;
+	int maxfd = 0, res;
+
+	FD_ZERO(&rd);
+	FD_ZERO(&wr);
+	FD_ZERO(&ex);
+
+	this->mutex->lock(this->mutex);
+	if (this->fds->get_count(this->fds) == 0)
+	{
+		this->mutex->unlock(this->mutex);
+		return JOB_REQUEUE_NONE;
+	}
+
+	if (this->notify[0] != -1)
+	{
+		FD_SET(this->notify[0], &rd);
+		maxfd = this->notify[0];
+	}
+
+	enumerator = this->fds->create_enumerator(this->fds);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (!entry->in_callback)
+		{
+			if (entry->events & WATCHER_READ)
+			{
+				DBG3(DBG_JOB, "  watching %d for reading", entry->fd);
+				FD_SET(entry->fd, &rd);
+			}
+			if (entry->events & WATCHER_WRITE)
+			{
+				DBG3(DBG_JOB, "  watching %d for writing", entry->fd);
+				FD_SET(entry->fd, &wr);
+			}
+			if (entry->events & WATCHER_EXCEPT)
+			{
+				DBG3(DBG_JOB, "  watching %d for exceptions", entry->fd);
+				FD_SET(entry->fd, &ex);
+			}
+			maxfd = max(maxfd, entry->fd);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	while (TRUE)
+	{
+		char buf[1];
+		bool old;
+		job_t *job;
+
+		DBG2(DBG_JOB, "watcher going to select()");
+		thread_cleanup_push((void*)activate_all, this);
+		old = thread_cancelability(TRUE);
+		res = select(maxfd + 1, &rd, &wr, &ex, NULL);
+		thread_cancelability(old);
+		thread_cleanup_pop(FALSE);
+		if (res > 0)
+		{
+			if (this->notify[0] != -1 && FD_ISSET(this->notify[0], &rd))
+			{
+				DBG2(DBG_JOB, "watcher got notification, rebuilding");
+				while (read(this->notify[0], buf, sizeof(buf)) > 0);
+				return JOB_REQUEUE_DIRECT;
+			}
+
+			this->mutex->lock(this->mutex);
+			enumerator = this->fds->create_enumerator(this->fds);
+			while (enumerator->enumerate(enumerator, &entry))
+			{
+				if (FD_ISSET(entry->fd, &rd) && (entry->events & WATCHER_READ))
+				{
+					DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd);
+					notify(this, entry, WATCHER_READ);
+				}
+				if (FD_ISSET(entry->fd, &wr) && (entry->events & WATCHER_WRITE))
+				{
+					DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd);
+					notify(this, entry, WATCHER_WRITE);
+				}
+				if (FD_ISSET(entry->fd, &ex) && (entry->events & WATCHER_EXCEPT))
+				{
+					DBG2(DBG_JOB, "watched FD %d has exception", entry->fd);
+					notify(this, entry, WATCHER_EXCEPT);
+				}
+			}
+			enumerator->destroy(enumerator);
+			this->mutex->unlock(this->mutex);
+
+			if (this->jobs->get_count(this->jobs))
+			{
+				while (this->jobs->remove_first(this->jobs,
+												(void**)&job) == SUCCESS)
+				{
+					lib->processor->execute_job(lib->processor, job);
+				}
+				/* we temporarily disable a notified FD, rebuild FDSET */
+				return JOB_REQUEUE_DIRECT;
+			}
+		}
+		else
+		{
+			DBG1(DBG_JOB, "watcher select() error: %s", strerror(errno));
+		}
+	}
+}
+
+METHOD(watcher_t, add, void,
+	private_watcher_t *this, int fd, watcher_event_t events,
+	watcher_cb_t cb, void *data)
+{
+	entry_t *entry;
+
+	INIT(entry,
+		.fd = fd,
+		.events = events,
+		.cb = cb,
+		.data = data,
+	);
+
+	this->mutex->lock(this->mutex);
+	this->fds->insert_last(this->fds, entry);
+	if (this->fds->get_count(this->fds) == 1)
+	{
+		lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create_with_prio((void*)watch, this,
+				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+	}
+	else
+	{
+		update(this);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(watcher_t, remove_, void,
+	private_watcher_t *this, int fd)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+
+	this->mutex->lock(this->mutex);
+	while (TRUE)
+	{
+		bool is_in_callback = FALSE;
+
+		enumerator = this->fds->create_enumerator(this->fds);
+		while (enumerator->enumerate(enumerator, &entry))
+		{
+			if (entry->fd == fd)
+			{
+				if (entry->in_callback)
+				{
+					is_in_callback = TRUE;
+					break;
+				}
+				this->fds->remove_at(this->fds, enumerator);
+				free(entry);
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (!is_in_callback)
+		{
+			break;
+		}
+		this->condvar->wait(this->condvar, this->mutex);
+	}
+
+	update(this);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(watcher_t, destroy, void,
+	private_watcher_t *this)
+{
+	this->mutex->destroy(this->mutex);
+	this->condvar->destroy(this->condvar);
+	this->fds->destroy(this->fds);
+	if (this->notify[0] != -1)
+	{
+		close(this->notify[0]);
+	}
+	if (this->notify[1] != -1)
+	{
+		close(this->notify[1]);
+	}
+	this->jobs->destroy(this->jobs);
+	free(this);
+}
+
+/**
+ * See header
+ */
+watcher_t *watcher_create()
+{
+	private_watcher_t *this;
+	int flags;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.remove = _remove_,
+			.destroy = _destroy,
+		},
+		.fds = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.jobs = linked_list_create(),
+		.notify = {-1, -1},
+	);
+
+	if (pipe(this->notify) == 0)
+	{
+		/* use non-blocking I/O on read-end of notify pipe */
+		flags = fcntl(this->notify[0], F_GETFL);
+		if (flags == -1 ||
+			fcntl(this->notify[0], F_SETFL, flags | O_NONBLOCK) == -1)
+		{
+			DBG1(DBG_LIB, "setting watcher notify pipe read-end non-blocking "
+				 "failed: %s", strerror(errno));
+		}
+	}
+	else
+	{
+		DBG1(DBG_LIB, "creating watcher notify pipe failed: %s",
+			 strerror(errno));
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/processing/watcher.h b/src/libstrongswan/processing/watcher.h
new file mode 100644
index 000000000..6e158cec2
--- /dev/null
+++ b/src/libstrongswan/processing/watcher.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup watcher watcher
+ * @{ @ingroup processor
+ */
+
+#ifndef WATCHER_H_
+#define WATCHER_H_
+
+typedef struct watcher_t watcher_t;
+typedef enum watcher_event_t watcher_event_t;
+
+#include <library.h>
+
+/**
+ * Callback function to register for file descriptor events.
+ *
+ * The callback is executed asynchronously using a thread from the pool.
+ * Monitoring of fd is temporarily suspended to avoid additional events while
+ * it is processed asynchronously. To allow concurrent events, one can quickly
+ * process it (using a read/write) and return from the callback. This will
+ * re-enable the event, while the data read can be processed in another
+ * asynchronous job.
+ *
+ * On Linux, even if select() marks an FD as "ready", a subsequent read/write
+ * can block. It is therefore highly recommended to use non-blocking I/O
+ * and handle EAGAIN/EWOULDBLOCK gracefully.
+ *
+ * @param data		user data passed during registration
+ * @param fd		file descriptor the event occurred on
+ * @param event		type of event
+ * @return			TRUE to keep watching event, FALSE to unregister fd for event
+ */
+typedef bool (*watcher_cb_t)(void *data, int fd, watcher_event_t event);
+
+/**
+ * What events to watch for a file descriptor.
+ */
+enum watcher_event_t {
+	WATCHER_READ = (1<<0),
+	WATCHER_WRITE = (1<<1),
+	WATCHER_EXCEPT = (1<<2),
+};
+
+/**
+ * Watch multiple file descriptors using select().
+ */
+struct watcher_t {
+
+	/**
+	 * Start watching a new file descriptor.
+	 *
+	 * Multiple callbacks can be registered for the same file descriptor, and
+	 * all of them get notified. Such callbacks are executed concurrently.
+	 *
+	 * @param fd		file descriptor to start watching
+	 * @param events	ORed set of events to watch
+	 * @param cb		callback function to invoke on events
+	 * @param data		data to pass to cb()
+	 */
+	void (*add)(watcher_t *this, int fd, watcher_event_t events,
+				watcher_cb_t cb, void *data);
+
+	/**
+	 * Stop watching a previously registered file descriptor.
+	 *
+	 * This call blocks until any active callback for this FD returns. All
+	 * callbacks registered for that FD get unregistered.
+	 *
+	 * @param fd		file descriptor to stop watching
+	 */
+	void (*remove)(watcher_t *this, int fd);
+
+	/**
+	 * Destroy a watcher_t.
+	 */
+	void (*destroy)(watcher_t *this);
+};
+
+/**
+ * Create a watcher instance.
+ *
+ * @return		watcher
+ */
+watcher_t *watcher_create();
+
+#endif /** WATCHER_H_ @}*/
diff --git a/src/libstrongswan/resolver/resolver.h b/src/libstrongswan/resolver/resolver.h
new file mode 100644
index 000000000..5be52b8b1
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolveri resolver
+ * @{ @ingroup resolver
+ */
+
+#ifndef RESOLVER_H_
+#define RESOLVER_H_
+
+typedef struct resolver_t resolver_t;
+
+/**
+ * Constructor function which creates DNS resolver instances.
+ */
+typedef resolver_t* (*resolver_constructor_t)(void);
+
+#include <resolver/resolver_response.h>
+#include <resolver/rr_set.h>
+#include <resolver/rr.h>
+
+/**
+ * Interface of a security-aware DNS resolver.
+ *
+ */
+struct resolver_t {
+
+	/**
+	 * Perform a DNS query.
+	 *
+	 * @param domain		domain (FQDN) to query
+	 * @param rr_class		class of the desired RRs
+	 * @param rr_type		type of the desired RRs
+	 * @return				response to the query, NULL on failure
+	 */
+	resolver_response_t *(*query)(resolver_t *this, char *domain,
+								  rr_class_t rr_class, rr_type_t rr_type);
+
+	/**
+	 * Destroy the resolver instance.
+	 */
+	void (*destroy)(resolver_t *this);
+};
+
+#endif /** RESOLVER_H_ @}*/
diff --git a/src/libstrongswan/resolver/resolver_manager.c b/src/libstrongswan/resolver/resolver_manager.c
new file mode 100644
index 000000000..55531e157
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver_manager.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolver_manager.h"
+
+#include <utils/debug.h>
+
+typedef struct private_resolver_manager_t private_resolver_manager_t;
+
+/**
+ * private data of resolver_manager
+ */
+struct private_resolver_manager_t {
+
+	/**
+	 * public functions
+	 */
+	resolver_manager_t public;
+
+	/**
+	 * constructor function to create resolver instances
+	 */
+	resolver_constructor_t constructor;
+};
+
+METHOD(resolver_manager_t, add_resolver, void,
+	private_resolver_manager_t *this, resolver_constructor_t constructor)
+{
+	if (!this->constructor)
+	{
+		this->constructor = constructor;
+	}
+}
+
+METHOD(resolver_manager_t, remove_resolver, void,
+	private_resolver_manager_t *this, resolver_constructor_t constructor)
+{
+	if (this->constructor == constructor)
+	{
+		this->constructor = NULL;
+	}
+}
+
+METHOD(resolver_manager_t, create, resolver_t*,
+	private_resolver_manager_t *this)
+{
+	if (this->constructor)
+	{
+		return this->constructor();
+	}
+	return NULL;
+}
+
+METHOD(resolver_manager_t, destroy, void,
+	private_resolver_manager_t *this)
+{
+	free(this);
+}
+
+/*
+ * See header
+ */
+resolver_manager_t *resolver_manager_create()
+{
+	private_resolver_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_resolver = _add_resolver,
+				.remove_resolver = _remove_resolver,
+				.create = _create,
+				.destroy = _destroy,
+			},
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/resolver/resolver_manager.h b/src/libstrongswan/resolver/resolver_manager.h
new file mode 100644
index 000000000..6ea22aa24
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver_manager.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+* @defgroup resolver_manager resolver_manager
+* @{ @ingroup resolver
+*/
+
+#ifndef RESOLVER_MANAGER_H_
+#define RESOLVER_MANAGER_H_
+
+typedef struct resolver_manager_t resolver_manager_t;
+
+#include <resolver/resolver.h>
+
+/**
+ * The resolver_manager manages the resolver implementations and
+ * creates instances of them.
+ *
+ * A resolver plugin is registered by providing its constructor function
+ * to the manager. The manager creates instances of the resolver plugin
+ * using the registered constructor function.
+ */
+struct resolver_manager_t {
+
+	/**
+	 * Register a resolver implementation.
+	 *
+	 * @param constructor	resolver constructor function
+	 */
+	void (*add_resolver)(resolver_manager_t *this,
+						 resolver_constructor_t constructor);
+
+	/**
+	 * Unregister a previously registered resolver implementation.
+	 *
+	 * @param constructor	resolver constructor function to unregister
+	 */
+	void (*remove_resolver)(resolver_manager_t *this,
+							resolver_constructor_t constructor);
+
+	/**
+	 * Get a new resolver instance.
+	 *
+	 * @return 				resolver instance.
+	 */
+	resolver_t* (*create)(resolver_manager_t *this);
+
+	/**
+	 * Destroy a resolver_manager instance.
+	 */
+	void (*destroy)(resolver_manager_t *this);
+};
+
+/**
+ * Create a resolver_manager instance.
+ */
+resolver_manager_t *resolver_manager_create();
+
+#endif /** RESOLVER_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/resolver/resolver_response.h b/src/libstrongswan/resolver/resolver_response.h
new file mode 100644
index 000000000..e45fb6401
--- /dev/null
+++ b/src/libstrongswan/resolver/resolver_response.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rsolver_response resolver_response
+ * @{ @ingroup resolver
+ */
+
+#ifndef RESOLVER_RESPONSE_H_
+#define RESOLVER_RESPONSE_H_
+
+typedef struct resolver_response_t resolver_response_t;
+typedef enum dnssec_status_t dnssec_status_t;
+
+#include <library.h>
+#include <resolver/rr_set.h>
+
+/**
+ * DNSSEC security state.
+ *
+ * DNSSEC security state, which a security aware resolver is able determine
+ * according to RFC 4033.
+ */
+enum dnssec_status_t {
+	/**
+	 * The validating resolver has a trust anchor, has a chain of
+	 * trust, and is able to verify all the signatures in the response.
+	 * [RFC4033]
+	 */
+	SECURE,
+	/**
+	 * The validating resolver has a trust anchor, a chain of
+	 * trust, and, at some delegation point, signed proof of the
+	 * non-existence of a DS record.  This indicates that subsequent
+	 * branches in the tree are provably insecure.  A validating resolver
+	 * may have a local policy to mark parts of the domain space as
+	 * insecure. [RFC4033]
+	 */
+	INSECURE,
+	/**
+	 * The validating resolver has a trust anchor and a secure
+	 * delegation indicating that subsidiary data is signed, but the
+	 * response fails to validate for some reason: missing signatures,
+	 * expired signatures, signatures with unsupported algorithms, data
+	 * missing that the relevant NSEC RR says should be present, and so
+	 * forth. [RFC4033]
+	 */
+	BOGUS,
+	/**
+	 * There is no trust anchor that would indicate that a
+	 * specific portion of the tree is secure.  This is the default
+	 * operation mode. [RFC4033]
+	 */
+	INDETERMINATE,
+};
+
+
+/**
+ * A response of the DNS resolver to a DNS query.
+ *
+ * A response represents the answer of the Domain Name System to a query.
+ * It contains the RRset with the queried Resource Records and additional
+ * information.
+ */
+struct resolver_response_t {
+
+    /**
+     * Get the original question string.
+     *
+     * The string to which the returned pointer points, is still owned
+	 * by the resolver_response. Clone it if necessary.
+     *
+     * @return			the queried name
+     */
+	char *(*get_query_name)(resolver_response_t *this);
+
+	/**
+	 * Get the canonical name of the result.
+	 *
+	 * The string to which the returned pointer points, is still owned
+	 * by the resolver_response. Clone it if necessary.
+	 *
+	 * @return			- canonical name of result
+	 * 					- NULL, if result has no canonical name
+	 */
+	char *(*get_canon_name)(resolver_response_t *this);
+
+	/**
+	 * Does the RRset of this response contain some Resource Records?
+	 *
+	 * Returns TRUE if the RRset of this response contains some RRs
+	 * (RRSIG Resource Records are ignored).
+	 *
+	 * @return
+	 * 					- TRUE, if there are some RRs in the RRset
+	 * 					- FALSE, otherwise
+	 */
+	bool (*has_data)(resolver_response_t *this);
+
+	/**
+	 * Does the queried name exist?
+	 *
+	 * @return
+	 * 					- TRUE, if the queried name exists
+	 * 					- FALSE, otherwise
+	 */
+	bool (*query_name_exist)(resolver_response_t *this);
+
+	/**
+	 * Get the DNSSEC security state of the response.
+	 *
+	 * @return			DNSSEC security state
+	 */
+	dnssec_status_t (*get_security_state)(resolver_response_t *this);
+
+	/**
+	 * Get the RRset with all Resource Records of this response.
+	 *
+	 * @return			- RRset
+	 * 					- NULL if there is no data or the query name
+	 * 					  does not exist
+	 */
+	rr_set_t *(*get_rr_set)(resolver_response_t *this);
+
+	/**
+	 * Destroy this response.
+	 */
+	void (*destroy) (resolver_response_t *this);
+};
+
+#endif /** RR_SET_H_ @}*/
diff --git a/src/libstrongswan/resolver/rr.h b/src/libstrongswan/resolver/rr.h
new file mode 100644
index 000000000..109ec5135
--- /dev/null
+++ b/src/libstrongswan/resolver/rr.h
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rr rr
+ * @{ @ingroup resolver
+ */
+
+#ifndef RR_H_
+#define RR_H_
+
+typedef struct rr_t rr_t;
+typedef enum rr_type_t rr_type_t;
+typedef enum rr_class_t rr_class_t;
+
+#include <library.h>
+
+/**
+ * Resource Record types.
+ *
+ * According to www.iana.org/assignments/dns-parameters (version 2012-03-13).
+ */
+enum rr_type_t {
+	/** a host address */
+	RR_TYPE_A = 1,
+	/** an authoritative name server */
+	RR_TYPE_NS = 2,
+	//** a mail destination (OBSOLETE - use MX */
+	RR_TYPE_MD = 3,
+	/** a mail forwarder (OBSOLETE - use MX) */
+	RR_TYPE_MF = 4,
+	/** the canonical name for an alias */
+	RR_TYPE_CNAME = 5,
+	/** marks the start of a zone of authority */
+	RR_TYPE_SOA = 6,
+	/** a mailbox domain name (EXPERIMENTAL) */
+	RR_TYPE_MB = 7,
+	/** a mail group member (EXPERIMENTAL) */
+	RR_TYPE_MG = 8,
+	/** a mail rename domain name (EXPERIMENTAL) */
+	RR_TYPE_MR = 9,
+	/** a null RR (EXPERIMENTAL) */
+	RR_TYPE_NULL = 10,
+	/** a well known service description */
+	RR_TYPE_WKS = 11,
+	/**  a domain name pointer */
+	RR_TYPE_PTR = 12,
+	/**  host information */
+	RR_TYPE_HINFO = 13,
+	/**  mailbox or mail list information */
+	RR_TYPE_MINFO = 14,
+	/**  mail exchange */
+	RR_TYPE_MX = 15,
+	/**  text strings */
+	RR_TYPE_TXT = 16,
+	/** for Responsible Person */
+	RR_TYPE_RP = 17,
+	/** for AFS Data Base location */
+	RR_TYPE_AFSDB = 18,
+	/** for X.25 PSDN address */
+	RR_TYPE_X25 = 19,
+	/** for ISDN address */
+	RR_TYPE_ISDN = 20,
+	/** for Route Through */
+	RR_TYPE_RT = 21,
+	/** for NSAP address, NSAP style A record */
+	RR_TYPE_NSAP = 22,
+	/** for domain name pointer, NSAP style  */
+	RR_TYPE_NSAP_PTR = 23,
+	/** for security signature */
+	RR_TYPE_SIG = 24,
+	/** for security key */
+	RR_TYPE_KEY = 25,
+	/** X.400 mail mapping information  */
+	RR_TYPE_PX = 26,
+	/**  Geographical Position  */
+	RR_TYPE_GPOS = 27,
+	/** ipv6 address */
+	RR_TYPE_AAAA = 28,
+	/** Location Information  */
+	RR_TYPE_LOC = 29,
+	/** Next Domain (OBSOLETE) */
+	RR_TYPE_NXT = 30,
+	/** Endpoint Identifier  */
+	RR_TYPE_EID = 31,
+	/** Nimrod Locator */
+	RR_TYPE_NIMLOC = 32,
+	/** Server Selection */
+	RR_TYPE_SRV = 33,
+	/** ATM Address */
+	RR_TYPE_ATMA = 34,
+	/** Naming Authority Pointer */
+	RR_TYPE_NAPTR = 35,
+	/** Key Exchanger */
+	RR_TYPE_KX = 36,
+	/** CERT */
+	RR_TYPE_CERT = 37,
+	/** A6 (OBSOLETE - use AAAA) */
+	RR_TYPE_A6 = 38,
+	/** DNAME */
+	RR_TYPE_DNAME = 39,
+	/** SINK */
+	RR_TYPE_SINK = 40,
+	/** OPT */
+	RR_TYPE_OPT = 41,
+	/** APL */
+	RR_TYPE_APL = 42,
+	/** Delegation Signer */
+	RR_TYPE_DS = 43,
+	/** SSH Key Fingerprint */
+	RR_TYPE_SSHFP = 44,
+	/** IPSECKEY */
+	RR_TYPE_IPSECKEY = 45,
+	/** RRSIG */
+	RR_TYPE_RRSIG = 46,
+	/** NSEC */
+	RR_TYPE_NSEC = 47,
+	/** DNSKEY */
+	RR_TYPE_DNSKEY = 48,
+	/** DHCID */
+	RR_TYPE_DHCID = 49,
+	/** NSEC3 */
+	RR_TYPE_NSEC3 = 50,
+	/** NSEC3PARAM */
+	RR_TYPE_NSEC3PARAM = 51,
+
+	/** Unassigned   52-54 */
+
+	/** Host Identity Protocol */
+	RR_TYPE_HIP =  55,
+	/** NINFO */
+	RR_TYPE_NINFO = 56,
+	/** RKEY */
+	RR_TYPE_RKEY = 57,
+	/** Trust Anchor LINK */
+	RR_TYPE_TALINK = 58,
+	/** Child DS */
+	RR_TYPE_CDS = 59,
+
+	/** Unassigned   60-98 */
+
+	/** SPF */
+	RR_TYPE_SPF = 99,
+	/** UINFO */
+	RR_TYPE_UINFO = 100,
+	/** UID */
+	RR_TYPE_UID = 101,
+	/** GID */
+	RR_TYPE_GID = 102,
+	/** UNSPEC */
+	RR_TYPE_UNSPEC = 103,
+
+	/** Unassigned   104-248 */
+
+	/** Transaction Key */
+	RR_TYPE_TKEY = 249,
+	/** Transaction Signature */
+	RR_TYPE_TSIG = 250,
+	/** incremental transfer */
+	RR_TYPE_IXFR = 251,
+	/** transfer of an entire zone */
+	RR_TYPE_AXFR = 252,
+	/** mailbox-related RRs (MB, MG or MR) */
+	RR_TYPE_MAILB = 253,
+	/** mail agent RRs (OBSOLETE - see MX) */
+	RR_TYPE_MAILA = 254,
+	/** A request for all records */
+	RR_TYPE_ANY = 255,
+	/** URI */
+	RR_TYPE_URI = 256,
+	/** Certification Authority Authorization */
+	RR_TYPE_CAA = 257,
+
+	/** Unassigned   258-32767 */
+
+	/** DNSSEC Trust Authorities */
+	RR_TYPE_TA = 32768,
+	/** DNSSEC Lookaside Validation */
+	RR_TYPE_DLV = 32769,
+
+	/** Unassigned   32770-65279 */
+
+	/** Private use  65280-65534 */
+
+	/** Reserved     65535 */
+};
+
+
+/**
+ * Resource Record CLASSes
+ */
+enum rr_class_t {
+	/** Internet */
+	RR_CLASS_IN = 1,
+	/** Chaos */
+	RR_CLASS_CH = 3,
+	/** Hesiod */
+	RR_CLASS_HS = 4,
+	/** further CLASSes: http://wwwiana.org/assignments/dns-parameters */
+};
+
+
+/**
+ * A DNS Resource Record.
+ *
+ * Represents a Resource Record of the Domain Name System
+ * as defined in RFC 1035.
+ *
+ */
+struct rr_t {
+
+	/**
+	 * Get the NAME of the owner of this RR.
+	 *
+	 * @return			owner name as string
+	 */
+	char *(*get_name)(rr_t *this);
+
+	/**
+	 * Get the type of this RR.
+	 *
+	 * @return			RR type
+	 */
+	rr_type_t (*get_type)(rr_t *this);
+
+	/**
+	 * Get the class of this RR.
+	 *
+	 * @return			RR class
+	 */
+	rr_class_t (*get_class)(rr_t *this);
+
+	/**
+	 * Get the Time to Live (TTL) of this RR.
+	 *
+	 * @return			Time to Live
+	 */
+	uint32_t (*get_ttl)(rr_t *this);
+
+	/**
+	 * Get the content of the RDATA field as chunk.
+	 *
+	 * The data pointed by the chunk is still owned by the RR.
+	 * Clone it if needed.
+	 *
+	 * @return			RDATA field as chunk
+	 */
+	chunk_t (*get_rdata)(rr_t *this);
+
+	/**
+	 * Destroy the Resource Record.
+	 */
+	void (*destroy) (rr_t *this);
+};
+
+#endif /** RR_H_ @}*/
diff --git a/src/libstrongswan/resolver/rr_set.c b/src/libstrongswan/resolver/rr_set.c
new file mode 100644
index 000000000..dea5c4086
--- /dev/null
+++ b/src/libstrongswan/resolver/rr_set.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "rr_set.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_rr_set_t private_rr_set_t;
+
+/**
+* private data of the rr_set
+*/
+struct private_rr_set_t {
+
+	/**
+	 * public functions
+	 */
+	rr_set_t public;
+
+	/**
+	 * List of Resource Records which form the RRset
+	 */
+	linked_list_t *rr_list;
+
+	/**
+	 * List of the signatures (RRSIGs) of the Resource Records contained in
+	 * this set
+	 */
+	linked_list_t *rrsig_list;
+};
+
+METHOD(rr_set_t, create_rr_enumerator, enumerator_t*,
+	private_rr_set_t *this)
+{
+	return this->rr_list->create_enumerator(this->rr_list);
+}
+
+METHOD(rr_set_t, create_rrsig_enumerator, enumerator_t*,
+	private_rr_set_t *this)
+{
+	if (this->rrsig_list)
+	{
+		return this->rrsig_list->create_enumerator(this->rrsig_list);
+	}
+	return NULL;
+}
+
+METHOD(rr_set_t, destroy, void,
+	private_rr_set_t *this)
+{
+	this->rr_list->destroy_offset(this->rr_list,
+								  offsetof(rr_t, destroy));
+	if (this->rrsig_list)
+	{
+		this->rrsig_list->destroy_offset(this->rrsig_list,
+										 offsetof(rr_t, destroy));
+	}
+	free(this);
+}
+
+/*
+ * see header
+ */
+rr_set_t *rr_set_create(linked_list_t *list_of_rr, linked_list_t *list_of_rrsig)
+{
+	private_rr_set_t *this;
+
+	INIT(this,
+		.public = {
+			.create_rr_enumerator = _create_rr_enumerator,
+			.create_rrsig_enumerator = _create_rrsig_enumerator,
+			.destroy = _destroy,
+		},
+	);
+
+	if (list_of_rr == NULL)
+	{
+		DBG1(DBG_LIB, "could not create a rr_set without a list_of_rr");
+		_destroy(this);
+		return NULL;
+	}
+	this->rr_list = list_of_rr;
+	this->rrsig_list = list_of_rrsig;
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/resolver/rr_set.h b/src/libstrongswan/resolver/rr_set.h
new file mode 100644
index 000000000..5a1737a05
--- /dev/null
+++ b/src/libstrongswan/resolver/rr_set.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rr_set rr_set
+ * @{ @ingroup resolver
+ */
+
+#ifndef RR_SET_H_
+#define RR_SET_H_
+
+typedef struct rr_set_t rr_set_t;
+
+#include <library.h>
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
+
+/**
+ * A set of DNS Resource Records.
+ *
+ * Represents a RRset as defined in RFC 2181. This RRset consists of a set of
+ * Resource Records with the same label, class and type but different data.
+ *
+ * The DNSSEC signature Resource Records (RRSIGs) which sign the RRs of this set
+ * are also part of an object of this type.
+ */
+struct rr_set_t {
+
+	/**
+	 * Create an enumerator over all Resource Records of this RRset.
+	 *
+	 * @note The enumerator's position is invalid before the first call
+	 * to enumerate().
+	 *
+	 * @return			enumerator over Resource Records
+	 */
+	enumerator_t *(*create_rr_enumerator)(rr_set_t *this);
+
+	/**
+	 * Create an enumerator over all RRSIGs of this RRset
+	 *
+	 * @note The enumerator's position is invalid before the first call
+	 * to enumerate().
+	 *
+	 * @return			enumerator over RRSIG Resource Records,
+	 * 					NULL if there are no RRSIGs for this RRset
+	 */
+	enumerator_t *(*create_rrsig_enumerator)(rr_set_t *this);
+
+	/**
+	 * Destroy this RRset with all its Resource Records.
+	 */
+	void (*destroy) (rr_set_t *this);
+};
+
+/**
+ * Create an rr_set instance.
+ *
+ * @param list_of_rr		list of Resource Records which form this RRset
+ * @param list_of_rrsig		list of the signatures (RRSIGs) of the
+ * 							Resource Records of this set
+ * @return					Resource Record set, NULL on failure
+ */
+rr_set_t *rr_set_create(linked_list_t *list_of_rr,
+						linked_list_t *list_of_rrsig);
+
+#endif /** RR_SET_H_ @}*/
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index b1bcf1b2d..75a8717dd 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -22,9 +22,9 @@
 
 #include "traffic_selector.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #define NON_SUBNET_ADDRESS_RANGE	255
 
@@ -174,13 +174,30 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 /**
  * internal generic constructor
  */
-static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
+						ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * Check if TS contains "opaque" ports
+ */
+static bool is_opaque(private_traffic_selector_t *this)
+{
+	return this->from_port == 0xffff && this->to_port == 0;
+}
+
+/**
+ * Check if TS contains "any" ports
+ */
+static bool is_any(private_traffic_selector_t *this)
+{
+	return this->from_port == 0 && this->to_port == 0xffff;
+}
 
 /**
  * Described in header.
  */
-int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-								 const void *const *args)
+int traffic_selector_printf_hook(printf_hook_data_t *data,
+							printf_hook_spec_t *spec, const void *const *args)
 {
 	private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
 	linked_list_t *list = *((linked_list_t**)(args[0]));
@@ -195,7 +212,7 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
 
 	if (this == NULL)
 	{
-		return print_in_hook(dst, len, "(null)");
+		return print_in_hook(data, "(null)");
 	}
 
 	if (spec->hash)
@@ -204,7 +221,7 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
 		while (enumerator->enumerate(enumerator, (void**)&this))
 		{
 			/* call recursivly */
-			written += print_in_hook(dst, len, "%R ", this);
+			written += print_in_hook(data, "%R ", this);
 		}
 		enumerator->destroy(enumerator);
 		return written;
@@ -216,7 +233,7 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
 		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) &&
 		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
 	{
-		written += print_in_hook(dst, len, "dynamic");
+		written += print_in_hook(data, "dynamic");
 	}
 	else
 	{
@@ -238,24 +255,24 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
 			{
 				inet_ntop(AF_INET6, &this->to6, to_str, sizeof(to_str));
 			}
-			written += print_in_hook(dst, len, "%s..%s", from_str, to_str);
+			written += print_in_hook(data, "%s..%s", from_str, to_str);
 		}
 		else
 		{
-			written += print_in_hook(dst, len, "%s/%d", from_str, this->netbits);
+			written += print_in_hook(data, "%s/%d", from_str, this->netbits);
 		}
 	}
 
 	/* check if we have protocol and/or port selectors */
 	has_proto = this->protocol != 0;
-	has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+	has_ports = !is_any(this);
 
 	if (!has_proto && !has_ports)
 	{
 		return written;
 	}
 
-	written += print_in_hook(dst, len, "[");
+	written += print_in_hook(data, "[");
 
 	/* build protocol string */
 	if (has_proto)
@@ -264,18 +281,18 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
 
 		if (proto)
 		{
-			written += print_in_hook(dst, len, "%s", proto->p_name);
+			written += print_in_hook(data, "%s", proto->p_name);
 			serv_proto = proto->p_name;
 		}
 		else
 		{
-			written += print_in_hook(dst, len, "%d", this->protocol);
+			written += print_in_hook(data, "%d", this->protocol);
 		}
 	}
 
 	if (has_proto && has_ports)
 	{
-		written += print_in_hook(dst, len, "/");
+		written += print_in_hook(data, "/");
 	}
 
 	/* build port string */
@@ -283,42 +300,83 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
 	{
 		if (this->from_port == this->to_port)
 		{
-			struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+			struct servent *serv;
 
+			serv = getservbyport(htons(this->from_port), serv_proto);
 			if (serv)
 			{
-				written += print_in_hook(dst, len, "%s", serv->s_name);
+				written += print_in_hook(data, "%s", serv->s_name);
 			}
 			else
 			{
-				written += print_in_hook(dst, len, "%d", this->from_port);
+				written += print_in_hook(data, "%d", this->from_port);
 			}
 		}
+		else if (is_opaque(this))
+		{
+			written += print_in_hook(data, "OPAQUE");
+		}
 		else
 		{
-			written += print_in_hook(dst, len, "%d-%d", this->from_port, this->to_port);
+			written += print_in_hook(data, "%d-%d",
+									 this->from_port, this->to_port);
 		}
 	}
 
-	written += print_in_hook(dst, len, "]");
+	written += print_in_hook(data, "]");
 
 	return written;
 }
 
-/**
- * Implements traffic_selector_t.get_subset
- */
-static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
-	if (this->type == other->type && (this->protocol == other->protocol ||
-								this->protocol == 0 || other->protocol == 0))
+	private_traffic_selector_t *other, *subset;
+	u_int16_t from_port, to_port;
+	u_char *from, *to;
+	u_int8_t protocol;
+	size_t size;
+
+	other = (private_traffic_selector_t*)other_public;
+
+	if (this->dynamic || other->dynamic)
+	{	/* no set_address() applied, TS has no subset */
+		return NULL;
+	}
+
+	if (this->type != other->type)
+	{
+		return NULL;
+	}
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			size = sizeof(this->from4);
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			size = sizeof(this->from6);
+			break;
+		default:
+			return NULL;
+	}
+
+	if (this->protocol != other->protocol &&
+		this->protocol != 0 && other->protocol != 0)
 	{
-		u_int16_t from_port, to_port;
-		u_char *from, *to;
-		u_int8_t protocol;
-		size_t size;
-		private_traffic_selector_t *new_ts;
+		return NULL;
+	}
+	/* select protocol, which is not zero */
+	protocol = max(this->protocol, other->protocol);
 
+	if ((is_opaque(this) && is_opaque(other)) ||
+		(is_opaque(this) && is_any(other)) ||
+		(is_opaque(other) && is_any(this)))
+	{
+		from_port = 0xffff;
+		to_port = 0;
+	}
+	else
+	{
 		/* calculate the maximum port range allowed for both */
 		from_port = max(this->from_port, other->from_port);
 		to_port = min(this->to_port, other->to_port);
@@ -326,61 +384,46 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
 		{
 			return NULL;
 		}
-		/* select protocol, which is not zero */
-		protocol = max(this->protocol, other->protocol);
-
-		switch (this->type)
-		{
-			case TS_IPV4_ADDR_RANGE:
-				size = sizeof(this->from4);
-				break;
-			case TS_IPV6_ADDR_RANGE:
-				size = sizeof(this->from6);
-				break;
-			default:
-				return NULL;
-		}
+	}
+	/* get higher from-address */
+	if (memcmp(this->from, other->from, size) > 0)
+	{
+		from = this->from;
+	}
+	else
+	{
+		from = other->from;
+	}
+	/* get lower to-address */
+	if (memcmp(this->to, other->to, size) > 0)
+	{
+		to = other->to;
+	}
+	else
+	{
+		to = this->to;
+	}
+	/* if "from" > "to", we don't have a match */
+	if (memcmp(from, to, size) > 0)
+	{
+		return NULL;
+	}
 
-		/* get higher from-address */
-		if (memcmp(this->from, other->from, size) > 0)
-		{
-			from = this->from;
-		}
-		else
-		{
-			from = other->from;
-		}
-		/* get lower to-address */
-		if (memcmp(this->to, other->to, size) > 0)
-		{
-			to = other->to;
-		}
-		else
-		{
-			to = this->to;
-		}
-		/* if "from" > "to", we don't have a match */
-		if (memcmp(from, to, size) > 0)
-		{
-			return NULL;
-		}
+	/* we have a match in protocol, port, and address: return it... */
+	subset = traffic_selector_create(protocol, this->type, from_port, to_port);
+	memcpy(subset->from, from, size);
+	memcpy(subset->to, to, size);
+	calc_netbits(subset);
 
-		/* we have a match in protocol, port, and address: return it... */
-		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
-		new_ts->dynamic = this->dynamic || other->dynamic;
-		memcpy(new_ts->from, from, size);
-		memcpy(new_ts->to, to, size);
-		calc_netbits(new_ts);
-		return &new_ts->public;
-	}
-	return NULL;
+	return &subset->public;
 }
 
-/**
- * Implements traffic_selector_t.equals
- */
-static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, equals, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
+	private_traffic_selector_t *other;
+
+	other = (private_traffic_selector_t*)other_public;
 	if (this->type != other->type)
 	{
 		return FALSE;
@@ -510,7 +553,7 @@ METHOD(traffic_selector_t, is_dynamic, bool,
 METHOD(traffic_selector_t, set_address, void,
 	private_traffic_selector_t *this, host_t *host)
 {
-	if (this->dynamic)
+	if (is_host(this, NULL))
 	{
 		this->type = host->get_family(host) == AF_INET ?
 				TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
@@ -528,14 +571,12 @@ METHOD(traffic_selector_t, set_address, void,
 			memcpy(this->to, from.ptr, from.len);
 			this->netbits = from.len * 8;
 		}
+		this->dynamic = FALSE;
 	}
 }
 
-/**
- * Implements traffic_selector_t.is_contained_in.
- */
-static bool is_contained_in(private_traffic_selector_t *this,
-							private_traffic_selector_t *other)
+METHOD(traffic_selector_t, is_contained_in, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other)
 {
 	private_traffic_selector_t *subset;
 	bool contained_in = FALSE;
@@ -544,7 +585,7 @@ static bool is_contained_in(private_traffic_selector_t *this,
 
 	if (subset)
 	{
-		if (equals(subset, this))
+		if (equals(subset, &this->public))
 		{
 			contained_in = TRUE;
 		}
@@ -571,7 +612,7 @@ METHOD(traffic_selector_t, includes, bool,
 	return FALSE;
 }
 
-METHOD(traffic_selector_t, to_subnet, void,
+METHOD(traffic_selector_t, to_subnet, bool,
 	private_traffic_selector_t *this, host_t **net, u_int8_t *mask)
 {
 	/* there is no way to do this cleanly, as the address range may
@@ -597,7 +638,7 @@ METHOD(traffic_selector_t, to_subnet, void,
 			break;
 		default:
 			/* unreachable */
-			return;
+			return FALSE;
 	}
 
 	net_chunk.ptr = malloc(net_chunk.len);
@@ -616,6 +657,8 @@ METHOD(traffic_selector_t, to_subnet, void,
 
 	*net = host_create_from_chunk(family, net_chunk, port);
 	chunk_free(&net_chunk);
+
+	return this->netbits != NON_SUBNET_ADDRESS_RANGE;
 }
 
 METHOD(traffic_selector_t, clone_, traffic_selector_t*,
@@ -733,68 +776,34 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * see header
  */
 traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
-							u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+							u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port)
 {
-	private_traffic_selector_t *this = traffic_selector_create(protocol, 0, 0, 65535);
+	private_traffic_selector_t *this;
+	chunk_t from;
+
+	this = traffic_selector_create(protocol, 0, from_port, to_port);
 
 	switch (net->get_family(net))
 	{
 		case AF_INET:
-		{
-			chunk_t from;
-
 			this->type = TS_IPV4_ADDR_RANGE;
-			from = net->get_address(net);
-			memcpy(this->from, from.ptr, from.len);
-			if (this->from4[0] == 0)
-			{
-				/* use /0 for 0.0.0.0 */
-				this->to4[0] = ~0;
-				this->netbits = 0;
-			}
-			else
-			{
-				calc_range(this, netbits);
-			}
 			break;
-		}
 		case AF_INET6:
-		{
-			chunk_t from;
-
 			this->type = TS_IPV6_ADDR_RANGE;
-			from = net->get_address(net);
-			memcpy(this->from, from.ptr, from.len);
-			if (this->from6[0] == 0 && this->from6[1] == 0 &&
-				this->from6[2] == 0 && this->from6[3] == 0)
-			{
-				/* use /0 for ::0 */
-				this->to6[0] = ~0;
-				this->to6[1] = ~0;
-				this->to6[2] = ~0;
-				this->to6[3] = ~0;
-				this->netbits = 0;
-			}
-			else
-			{
-				calc_range(this, netbits);
-			}
 			break;
-		}
 		default:
-		{
 			net->destroy(net);
 			free(this);
 			return NULL;
-		}
-	}
-	if (port)
-	{
-		this->from_port = port;
-		this->to_port = port;
 	}
+	from = net->get_address(net);
+	memcpy(this->from, from.ptr, from.len);
+	netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
+	calc_range(this, netbits);
 	net->destroy(net);
-	return (&this->public);
+
+	return &this->public;
 }
 
 /*
@@ -805,38 +814,51 @@ traffic_selector_t *traffic_selector_create_from_string(
 										char *from_addr, u_int16_t from_port,
 										char *to_addr, u_int16_t to_port)
 {
-	private_traffic_selector_t *this = traffic_selector_create(protocol, type,
-															from_port, to_port);
+	private_traffic_selector_t *this;
+	int family;
 
 	switch (type)
 	{
 		case TS_IPV4_ADDR_RANGE:
-			if (inet_pton(AF_INET, from_addr, (struct in_addr*)this->from4) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			if (inet_pton(AF_INET, to_addr, (struct in_addr*)this->to4) < 0)
-			{
-				free(this);
-				return NULL;
-			}
+			family = AF_INET;
 			break;
 		case TS_IPV6_ADDR_RANGE:
-			if (inet_pton(AF_INET6, from_addr, (struct in6_addr*)this->from6) < 0)
-			{
-				free(this);
-				return NULL;
-			}
-			if (inet_pton(AF_INET6, to_addr, (struct in6_addr*)this->to6) < 0)
-			{
-				free(this);
-				return NULL;
-			}
+			family = AF_INET6;
 			break;
+		default:
+			return NULL;
 	}
+
+	this = traffic_selector_create(protocol, type, from_port, to_port);
+
+	if (inet_pton(family, from_addr, this->from) != 1 ||
+		inet_pton(family, to_addr, this->to) != 1)
+	{
+		free(this);
+		return NULL;
+	}
+
 	calc_netbits(this);
-	return (&this->public);
+	return &this->public;
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port)
+{
+	host_t *net;
+	int bits;
+
+	net = host_create_from_subnet(string, &bits);
+	if (net)
+	{
+		return traffic_selector_create_from_subnet(net, bits, protocol,
+												   from_port, to_port);
+	}
+	return NULL;
 }
 
 /*
@@ -866,8 +888,8 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	INIT(this,
 		.public = {
-			.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset,
-			.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals,
+			.get_subset = _get_subset,
+			.equals = _equals,
 			.get_from_address = _get_from_address,
 			.get_to_address = _get_to_address,
 			.get_from_port = _get_from_port,
@@ -876,7 +898,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 			.get_protocol = _get_protocol,
 			.is_host = _is_host,
 			.is_dynamic = _is_dynamic,
-			.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in,
+			.is_contained_in = _is_contained_in,
 			.includes = _includes,
 			.set_address = _set_address,
 			.to_subnet = _to_subnet,
@@ -891,4 +913,3 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	return this;
 }
-
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index 257da3f24..0de358b99 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -27,7 +27,7 @@ typedef enum ts_type_t ts_type_t;
 typedef struct traffic_selector_t traffic_selector_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
 
 /**
  * Traffic selector types.
@@ -203,8 +203,9 @@ struct traffic_selector_t {
 	 *
 	 * @param net		converted subnet (has to be freed)
 	 * @param mask		converted net mask
+	 * @return			TRUE if traffic selector matches exactly to the subnet
 	 */
-	void (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
+	bool (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
 
 	/**
 	 * Destroys the ts object
@@ -230,6 +231,21 @@ traffic_selector_t *traffic_selector_create_from_string(
 									char *from_addr, u_int16_t from_port,
 									char *to_addr, u_int16_t to_port);
 
+
+
+/**
+ * Create a traffic selector from a CIDR string.
+ *
+ * @param string		CIDR string, such as 10.1.0.0/16
+ * @param protocol		protocol for this ts, such as TCP or UDP
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
+ * @return				traffic selector, NULL if string invalid
+ */
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port);
+
 /**
  * Create a new traffic selector using data read from the net.
  *
@@ -274,14 +290,15 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * @param net			subnet to use
  * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
  * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			port number, host order
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
  * @return
  *						- traffic_selector_t object
  *						- NULL if address family of net not supported
  */
 traffic_selector_t *traffic_selector_create_from_subnet(
-									host_t *net, u_int8_t netbits,
-									u_int8_t protocol, u_int16_t port);
+							host_t *net, u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port);
 
 /**
  * Create a traffic selector for host-to-host cases.
@@ -309,7 +326,7 @@ traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
  * With the #-specifier, arguments are:
  *	linked_list_t *list containing traffic_selector_t*
  */
-int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-								 const void *const *args);
+int traffic_selector_printf_hook(printf_hook_data_t *data,
+							printf_hook_spec_t *spec, const void *const *args);
 
 #endif /** TRAFFIC_SELECTOR_H_ @}*/
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
new file mode 100644
index 000000000..585f9c16e
--- /dev/null
+++ b/src/libstrongswan/tests/Makefile.am
@@ -0,0 +1,23 @@
+TESTS = test_runner
+
+check_PROGRAMS = $(TESTS)
+
+test_runner_SOURCES = \
+  test_runner.c test_runner.h test_suite.h \
+  test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
+  test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
+  test_identification.c test_threading.c test_utils.c test_vectors.c \
+  test_array.c test_ecdsa.c test_rsa.c test_host.c
+
+test_runner_CFLAGS = \
+  -I$(top_srcdir)/src/libstrongswan \
+  -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+  -DPLUGINS=\""${s_plugins}\"" \
+  @COVERAGE_CFLAGS@ \
+  @CHECK_CFLAGS@
+
+test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
+test_runner_LDADD = \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(PTHREADLIB) \
+  @CHECK_LIBS@
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
new file mode 100644
index 000000000..dffa24b5b
--- /dev/null
+++ b/src/libstrongswan/tests/Makefile.in
@@ -0,0 +1,992 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = test_runner$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libstrongswan/tests
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = test_runner$(EXEEXT)
+am_test_runner_OBJECTS = test_runner-test_runner.$(OBJEXT) \
+	test_runner-test_linked_list.$(OBJEXT) \
+	test_runner-test_enumerator.$(OBJEXT) \
+	test_runner-test_linked_list_enumerator.$(OBJEXT) \
+	test_runner-test_bio_reader.$(OBJEXT) \
+	test_runner-test_bio_writer.$(OBJEXT) \
+	test_runner-test_chunk.$(OBJEXT) \
+	test_runner-test_enum.$(OBJEXT) \
+	test_runner-test_hashtable.$(OBJEXT) \
+	test_runner-test_identification.$(OBJEXT) \
+	test_runner-test_threading.$(OBJEXT) \
+	test_runner-test_utils.$(OBJEXT) \
+	test_runner-test_vectors.$(OBJEXT) \
+	test_runner-test_array.$(OBJEXT) \
+	test_runner-test_ecdsa.$(OBJEXT) \
+	test_runner-test_rsa.$(OBJEXT) test_runner-test_host.$(OBJEXT)
+test_runner_OBJECTS = $(am_test_runner_OBJECTS)
+am__DEPENDENCIES_1 =
+test_runner_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+test_runner_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_runner_CFLAGS) \
+	$(CFLAGS) $(test_runner_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(test_runner_SOURCES)
+DIST_SOURCES = $(test_runner_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors = \
+red=; grn=; lgn=; blu=; std=
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+test_runner_SOURCES = \
+  test_runner.c test_runner.h test_suite.h \
+  test_linked_list.c test_enumerator.c test_linked_list_enumerator.c \
+  test_bio_reader.c test_bio_writer.c test_chunk.c test_enum.c test_hashtable.c \
+  test_identification.c test_threading.c test_utils.c test_vectors.c \
+  test_array.c test_ecdsa.c test_rsa.c test_host.c
+
+test_runner_CFLAGS = \
+  -I$(top_srcdir)/src/libstrongswan \
+  -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \
+  -DPLUGINS=\""${s_plugins}\"" \
+  @COVERAGE_CFLAGS@ \
+  @CHECK_CFLAGS@
+
+test_runner_LDFLAGS = @COVERAGE_LDFLAGS@
+test_runner_LDADD = \
+  $(top_builddir)/src/libstrongswan/libstrongswan.la \
+  $(PTHREADLIB) \
+  @CHECK_LIBS@
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/tests/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+test_runner$(EXEEXT): $(test_runner_OBJECTS) $(test_runner_DEPENDENCIES) $(EXTRA_test_runner_DEPENDENCIES) 
+	@rm -f test_runner$(EXEEXT)
+	$(AM_V_CCLD)$(test_runner_LINK) $(test_runner_OBJECTS) $(test_runner_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_array.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_reader.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_bio_writer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_chunk.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_ecdsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enum.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_hashtable.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_host.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_identification.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_linked_list_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_rsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_runner.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_threading.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_utils.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_runner-test_vectors.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+test_runner-test_runner.o: test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.o -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.o `test -f 'test_runner.c' || echo '$(srcdir)/'`test_runner.c
+
+test_runner-test_runner.obj: test_runner.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_runner.obj -MD -MP -MF $(DEPDIR)/test_runner-test_runner.Tpo -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_runner.Tpo $(DEPDIR)/test_runner-test_runner.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_runner.c' object='test_runner-test_runner.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_runner.obj `if test -f 'test_runner.c'; then $(CYGPATH_W) 'test_runner.c'; else $(CYGPATH_W) '$(srcdir)/test_runner.c'; fi`
+
+test_runner-test_linked_list.o: test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.o `test -f 'test_linked_list.c' || echo '$(srcdir)/'`test_linked_list.c
+
+test_runner-test_linked_list.obj: test_linked_list.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list.Tpo -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list.Tpo $(DEPDIR)/test_runner-test_linked_list.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list.c' object='test_runner-test_linked_list.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list.obj `if test -f 'test_linked_list.c'; then $(CYGPATH_W) 'test_linked_list.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list.c'; fi`
+
+test_runner-test_enumerator.o: test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.o `test -f 'test_enumerator.c' || echo '$(srcdir)/'`test_enumerator.c
+
+test_runner-test_enumerator.obj: test_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enumerator.Tpo -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enumerator.Tpo $(DEPDIR)/test_runner-test_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enumerator.c' object='test_runner-test_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enumerator.obj `if test -f 'test_enumerator.c'; then $(CYGPATH_W) 'test_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_enumerator.c'; fi`
+
+test_runner-test_linked_list_enumerator.o: test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.o -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.o `test -f 'test_linked_list_enumerator.c' || echo '$(srcdir)/'`test_linked_list_enumerator.c
+
+test_runner-test_linked_list_enumerator.obj: test_linked_list_enumerator.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_linked_list_enumerator.obj -MD -MP -MF $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_linked_list_enumerator.Tpo $(DEPDIR)/test_runner-test_linked_list_enumerator.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_linked_list_enumerator.c' object='test_runner-test_linked_list_enumerator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_linked_list_enumerator.obj `if test -f 'test_linked_list_enumerator.c'; then $(CYGPATH_W) 'test_linked_list_enumerator.c'; else $(CYGPATH_W) '$(srcdir)/test_linked_list_enumerator.c'; fi`
+
+test_runner-test_bio_reader.o: test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.o `test -f 'test_bio_reader.c' || echo '$(srcdir)/'`test_bio_reader.c
+
+test_runner-test_bio_reader.obj: test_bio_reader.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_reader.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_reader.Tpo -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_reader.Tpo $(DEPDIR)/test_runner-test_bio_reader.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_reader.c' object='test_runner-test_bio_reader.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_reader.obj `if test -f 'test_bio_reader.c'; then $(CYGPATH_W) 'test_bio_reader.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_reader.c'; fi`
+
+test_runner-test_bio_writer.o: test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.o -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.o `test -f 'test_bio_writer.c' || echo '$(srcdir)/'`test_bio_writer.c
+
+test_runner-test_bio_writer.obj: test_bio_writer.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_bio_writer.obj -MD -MP -MF $(DEPDIR)/test_runner-test_bio_writer.Tpo -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_bio_writer.Tpo $(DEPDIR)/test_runner-test_bio_writer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_bio_writer.c' object='test_runner-test_bio_writer.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_bio_writer.obj `if test -f 'test_bio_writer.c'; then $(CYGPATH_W) 'test_bio_writer.c'; else $(CYGPATH_W) '$(srcdir)/test_bio_writer.c'; fi`
+
+test_runner-test_chunk.o: test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.o -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.o `test -f 'test_chunk.c' || echo '$(srcdir)/'`test_chunk.c
+
+test_runner-test_chunk.obj: test_chunk.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_chunk.obj -MD -MP -MF $(DEPDIR)/test_runner-test_chunk.Tpo -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_chunk.Tpo $(DEPDIR)/test_runner-test_chunk.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_chunk.c' object='test_runner-test_chunk.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_chunk.obj `if test -f 'test_chunk.c'; then $(CYGPATH_W) 'test_chunk.c'; else $(CYGPATH_W) '$(srcdir)/test_chunk.c'; fi`
+
+test_runner-test_enum.o: test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.o -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.o `test -f 'test_enum.c' || echo '$(srcdir)/'`test_enum.c
+
+test_runner-test_enum.obj: test_enum.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_enum.obj -MD -MP -MF $(DEPDIR)/test_runner-test_enum.Tpo -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_enum.Tpo $(DEPDIR)/test_runner-test_enum.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_enum.c' object='test_runner-test_enum.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_enum.obj `if test -f 'test_enum.c'; then $(CYGPATH_W) 'test_enum.c'; else $(CYGPATH_W) '$(srcdir)/test_enum.c'; fi`
+
+test_runner-test_hashtable.o: test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.o -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.o `test -f 'test_hashtable.c' || echo '$(srcdir)/'`test_hashtable.c
+
+test_runner-test_hashtable.obj: test_hashtable.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_hashtable.obj -MD -MP -MF $(DEPDIR)/test_runner-test_hashtable.Tpo -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_hashtable.Tpo $(DEPDIR)/test_runner-test_hashtable.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_hashtable.c' object='test_runner-test_hashtable.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_hashtable.obj `if test -f 'test_hashtable.c'; then $(CYGPATH_W) 'test_hashtable.c'; else $(CYGPATH_W) '$(srcdir)/test_hashtable.c'; fi`
+
+test_runner-test_identification.o: test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.o -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.o `test -f 'test_identification.c' || echo '$(srcdir)/'`test_identification.c
+
+test_runner-test_identification.obj: test_identification.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_identification.obj -MD -MP -MF $(DEPDIR)/test_runner-test_identification.Tpo -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_identification.Tpo $(DEPDIR)/test_runner-test_identification.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_identification.c' object='test_runner-test_identification.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_identification.obj `if test -f 'test_identification.c'; then $(CYGPATH_W) 'test_identification.c'; else $(CYGPATH_W) '$(srcdir)/test_identification.c'; fi`
+
+test_runner-test_threading.o: test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.o -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.o `test -f 'test_threading.c' || echo '$(srcdir)/'`test_threading.c
+
+test_runner-test_threading.obj: test_threading.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_threading.obj -MD -MP -MF $(DEPDIR)/test_runner-test_threading.Tpo -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_threading.Tpo $(DEPDIR)/test_runner-test_threading.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_threading.c' object='test_runner-test_threading.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_threading.obj `if test -f 'test_threading.c'; then $(CYGPATH_W) 'test_threading.c'; else $(CYGPATH_W) '$(srcdir)/test_threading.c'; fi`
+
+test_runner-test_utils.o: test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.o -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.o `test -f 'test_utils.c' || echo '$(srcdir)/'`test_utils.c
+
+test_runner-test_utils.obj: test_utils.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_utils.obj -MD -MP -MF $(DEPDIR)/test_runner-test_utils.Tpo -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_utils.Tpo $(DEPDIR)/test_runner-test_utils.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_utils.c' object='test_runner-test_utils.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_utils.obj `if test -f 'test_utils.c'; then $(CYGPATH_W) 'test_utils.c'; else $(CYGPATH_W) '$(srcdir)/test_utils.c'; fi`
+
+test_runner-test_vectors.o: test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.o -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.o `test -f 'test_vectors.c' || echo '$(srcdir)/'`test_vectors.c
+
+test_runner-test_vectors.obj: test_vectors.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_vectors.obj -MD -MP -MF $(DEPDIR)/test_runner-test_vectors.Tpo -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_vectors.Tpo $(DEPDIR)/test_runner-test_vectors.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_vectors.c' object='test_runner-test_vectors.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_vectors.obj `if test -f 'test_vectors.c'; then $(CYGPATH_W) 'test_vectors.c'; else $(CYGPATH_W) '$(srcdir)/test_vectors.c'; fi`
+
+test_runner-test_array.o: test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.o -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_array.c' object='test_runner-test_array.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.o `test -f 'test_array.c' || echo '$(srcdir)/'`test_array.c
+
+test_runner-test_array.obj: test_array.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_array.obj -MD -MP -MF $(DEPDIR)/test_runner-test_array.Tpo -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_array.Tpo $(DEPDIR)/test_runner-test_array.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_array.c' object='test_runner-test_array.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_array.obj `if test -f 'test_array.c'; then $(CYGPATH_W) 'test_array.c'; else $(CYGPATH_W) '$(srcdir)/test_array.c'; fi`
+
+test_runner-test_ecdsa.o: test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.o `test -f 'test_ecdsa.c' || echo '$(srcdir)/'`test_ecdsa.c
+
+test_runner-test_ecdsa.obj: test_ecdsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_ecdsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_ecdsa.Tpo -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_ecdsa.Tpo $(DEPDIR)/test_runner-test_ecdsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_ecdsa.c' object='test_runner-test_ecdsa.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_ecdsa.obj `if test -f 'test_ecdsa.c'; then $(CYGPATH_W) 'test_ecdsa.c'; else $(CYGPATH_W) '$(srcdir)/test_ecdsa.c'; fi`
+
+test_runner-test_rsa.o: test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.o -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.o `test -f 'test_rsa.c' || echo '$(srcdir)/'`test_rsa.c
+
+test_runner-test_rsa.obj: test_rsa.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_rsa.obj -MD -MP -MF $(DEPDIR)/test_runner-test_rsa.Tpo -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_rsa.Tpo $(DEPDIR)/test_runner-test_rsa.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_rsa.c' object='test_runner-test_rsa.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_rsa.obj `if test -f 'test_rsa.c'; then $(CYGPATH_W) 'test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/test_rsa.c'; fi`
+
+test_runner-test_host.o: test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.o -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_host.c' object='test_runner-test_host.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.o `test -f 'test_host.c' || echo '$(srcdir)/'`test_host.c
+
+test_runner-test_host.obj: test_host.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -MT test_runner-test_host.obj -MD -MP -MF $(DEPDIR)/test_runner-test_host.Tpo -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/test_runner-test_host.Tpo $(DEPDIR)/test_runner-test_host.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='test_host.c' object='test_runner-test_host.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_runner_CFLAGS) $(CFLAGS) -c -o test_runner-test_host.obj `if test -f 'test_host.c'; then $(CYGPATH_W) 'test_host.c'; else $(CYGPATH_W) '$(srcdir)/test_host.c'; fi`
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
+	clean-checkPROGRAMS clean-generic clean-libtool ctags \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/tests/test_array.c b/src/libstrongswan/tests/test_array.c
new file mode 100644
index 000000000..2220d5a2b
--- /dev/null
+++ b/src/libstrongswan/tests/test_array.c
@@ -0,0 +1,360 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/array.h>
+
+START_TEST(test_append_ptr)
+{
+	array_t *array;
+	uintptr_t x;
+	int i;
+
+	array = array_create(0, 0);
+
+	for (i = 0; i < 4; i++)
+	{
+		ck_assert_int_eq(array_count(array), 0);
+
+		array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)3);
+		array_insert(array, ARRAY_TAIL, (void*)(uintptr_t)4);
+		ck_assert_int_eq(array_count(array), 2);
+
+		/* 3, 4 */
+
+		array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)1);
+		array_insert(array, 1, (void*)(uintptr_t)2);
+		ck_assert_int_eq(array_count(array), 4);
+
+		/* 1, 2, 3, 4 */
+
+		array_insert(array, ARRAY_TAIL, (void*)(uintptr_t)5);
+		array_insert(array, ARRAY_HEAD, (void*)(uintptr_t)0);
+		ck_assert_int_eq(array_count(array), 6);
+
+		/* 0, 1, 2, 3, 4, 5 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 5);
+		ck_assert(array_remove(array, 4, &x));
+		ck_assert_int_eq(x, 4);
+
+		if (i < 3)
+		{
+			array_compress(array);
+		}
+
+		/* 0, 1, 2, 3 */
+
+		ck_assert(array_remove(array, 1, &x));
+		ck_assert_int_eq(x, 1);
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 0);
+
+		if (i < 2)
+		{
+			array_compress(array);
+		}
+
+		/* 2, 3 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 3);
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 2);
+
+		if (i < 1)
+		{
+			array_compress(array);
+		}
+
+		ck_assert_int_eq(array_count(array), 0);
+
+		ck_assert(array_remove(array, ARRAY_HEAD, NULL) == FALSE);
+		ck_assert(array_remove(array, ARRAY_TAIL, NULL) == FALSE);
+	}
+
+	array_destroy(array);
+}
+END_TEST
+
+START_TEST(test_append_obj)
+{
+	array_t *array;
+	int i, x, y[6] = {0, 1, 2, 3, 4, 5};
+
+	array = array_create(sizeof(y[0]), 0);
+
+	for (i = 0; i < 4; i++)
+	{
+		ck_assert_int_eq(array_count(array), 0);
+
+		array_insert(array, ARRAY_HEAD, &y[3]);
+		array_insert(array, ARRAY_TAIL, &y[4]);
+		ck_assert_int_eq(array_count(array), 2);;
+
+		/* 3, 4 */
+
+		array_insert(array, ARRAY_HEAD, &y[1]);
+		array_insert(array, 1, &y[2]);
+		ck_assert_int_eq(array_count(array), 4);
+
+		/* 1, 2, 3, 4 */
+
+		array_insert(array, ARRAY_TAIL, &y[5]);
+		array_insert(array, ARRAY_HEAD, &y[0]);
+		ck_assert_int_eq(array_count(array), 6);
+
+		/* 0, 1, 2, 3, 4, 5 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 5);
+		ck_assert(array_remove(array, 4, &x));
+		ck_assert_int_eq(x, 4);
+
+		if (i < 3)
+		{
+			array_compress(array);
+		}
+
+		/* 0, 1, 2, 3 */
+
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 0);
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 1);
+
+		if (i < 2)
+		{
+			array_compress(array);
+		}
+
+		/* 2, 3 */
+
+		ck_assert(array_remove(array, ARRAY_TAIL, &x));
+		ck_assert_int_eq(x, 3);
+		ck_assert(array_remove(array, ARRAY_HEAD, &x));
+		ck_assert_int_eq(x, 2);
+
+		if (i < 1)
+		{
+			array_compress(array);
+		}
+
+		ck_assert_int_eq(array_count(array), 0);
+
+		ck_assert(array_remove(array, ARRAY_HEAD, NULL) == FALSE);
+		ck_assert(array_remove(array, ARRAY_TAIL, NULL) == FALSE);
+	}
+
+	array_destroy(array);
+}
+END_TEST
+
+START_TEST(test_enumerate)
+{
+	array_t *array;
+	int i, *x, y[6] = {0, 1, 2, 3, 4, 5};
+	enumerator_t *enumerator;
+
+	array = array_create(sizeof(y[0]), 0);
+
+	array_insert(array, ARRAY_TAIL, &y[0]);
+	array_insert(array, ARRAY_TAIL, &y[1]);
+	array_insert(array, ARRAY_TAIL, &y[2]);
+	array_insert(array, ARRAY_TAIL, &y[3]);
+	array_insert(array, ARRAY_TAIL, &y[4]);
+	array_insert(array, ARRAY_TAIL, &y[5]);
+
+	ck_assert_int_eq(array_count(array), 6);
+
+	/* 0, 1, 2, 3, 4, 5 */
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(*x, y[i]);
+		i++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(i, 6);
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(*x, y[i]);
+		if (i == 0 || i == 3 || i == 5)
+		{
+			array_remove_at(array, enumerator);
+		}
+		i++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(i, 6);
+	ck_assert_int_eq(array_count(array), 3);
+
+	/* 1, 2, 4 */
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		switch (i++)
+		{
+			case 0:
+				ck_assert_int_eq(*x, y[1]);
+				break;
+			case 1:
+				ck_assert_int_eq(*x, y[2]);
+				break;
+			case 2:
+				ck_assert_int_eq(*x, y[4]);
+				break;
+			default:
+				ck_assert(0);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	array_compress(array);
+
+	i = 0;
+	enumerator = array_create_enumerator(array);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		switch (i++)
+		{
+			case 0:
+				ck_assert_int_eq(*x, y[1]);
+				break;
+			case 1:
+				ck_assert_int_eq(*x, y[2]);
+				break;
+			case 2:
+				ck_assert_int_eq(*x, y[4]);
+				break;
+			default:
+				ck_assert(0);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	array_destroy(array);
+}
+END_TEST
+
+static void invoke(void *data, int idx, void *user)
+{
+	int *y = user, *x = data;
+
+	ck_assert(idx < 3);
+
+	ck_assert_int_eq(y[idx], *x);
+	y[idx] = 0;
+}
+
+START_TEST(test_invoke)
+{
+	array_t *array;
+	int y[] = {1, 2, 3};
+
+	array = array_create(sizeof(y[0]), 0);
+
+	array_insert(array, ARRAY_TAIL, &y[0]);
+	array_insert(array, ARRAY_TAIL, &y[1]);
+	array_insert(array, ARRAY_TAIL, &y[2]);
+
+	array_invoke(array, invoke, y);
+
+	ck_assert_int_eq(y[0], 0);
+	ck_assert_int_eq(y[0], 0);
+	ck_assert_int_eq(y[0], 0);
+
+	array_destroy(array);
+}
+END_TEST
+
+typedef struct obj_t obj_t;
+
+struct obj_t {
+	void (*fun)(obj_t *obj);
+	int x;
+	int *counter;
+};
+
+static void fun(obj_t *obj)
+{
+	ck_assert(obj->x == (*obj->counter)++);
+}
+
+START_TEST(test_invoke_offset)
+{
+	array_t *array;
+	obj_t objs[5];
+	int i, counter = 0;
+
+	array = array_create(0, 0);
+
+	for (i = 0; i < countof(objs); i++)
+	{
+		objs[i].x = i;
+		objs[i].counter = &counter;
+		objs[i].fun = fun;
+
+		array_insert(array, ARRAY_TAIL, &objs[i]);
+	}
+
+	ck_assert_int_eq(countof(objs), array_count(array));
+
+	array_invoke_offset(array, offsetof(obj_t, fun));
+
+	ck_assert_int_eq(counter, countof(objs));
+
+	array_destroy(array);
+}
+END_TEST
+
+Suite *array_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("array");
+
+	tc = tcase_create("add/remove ptr");
+	tcase_add_test(tc, test_append_ptr);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("add/remove obj");
+	tcase_add_test(tc, test_append_obj);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enumerate");
+	tcase_add_test(tc, test_enumerate);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("invoke");
+	tcase_add_test(tc, test_invoke);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("invoke offset");
+	tcase_add_test(tc, test_invoke_offset);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_bio_reader.c b/src/libstrongswan/tests/test_bio_reader.c
new file mode 100644
index 000000000..45b20db00
--- /dev/null
+++ b/src/libstrongswan/tests/test_bio_reader.c
@@ -0,0 +1,450 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bio/bio_reader.h>
+
+/*******************************************************************************
+ * different integer reads
+ */
+
+#define assert_integer_read(data, bits, val) ({ \
+	bio_reader_t *reader = bio_reader_create(data); \
+	typeof(val) i; \
+	for (i = 0; reader->remaining(reader) >= (bits / 8); i++) \
+	{ \
+		ck_assert(reader->read_uint##bits(reader, &val)); \
+		ck_assert_int_eq(i, val); \
+	} \
+	ck_assert_int_eq(i, data.len / (bits / 8)); \
+	ck_assert_int_eq(reader->remaining(reader), data.len % (bits / 8)); \
+	ck_assert(!reader->read_uint##bits(reader, &val)); \
+	reader->destroy(reader); \
+})
+
+#define assert_integer_read_uneven(data, bits, val) ({ \
+	int i; \
+	for (i = 0; i <= bits / 8; i++, data.len++) \
+	{ \
+		assert_integer_read(data, bits, val); \
+	} \
+})
+
+#define assert_basic_read(bits, val) ({ \
+	chunk_t data; \
+	data = chunk_empty; \
+	assert_integer_read(data, bits, val); \
+	data = chunk_alloca(bits / 8); \
+	memset(data.ptr, 0, data.len); \
+	data.len = 0; \
+	assert_integer_read_uneven(data, bits, val); \
+})
+
+#define assert_extended_read(data, bits, val) ({ \
+	chunk_t extended = chunk_alloca(data.len + bits / 8); \
+	memset(extended.ptr, 0, extended.len); \
+	extended.ptr[extended.len - 1] = data.len / (bits / 8); \
+	memcpy(extended.ptr, data.ptr, data.len); \
+	extended.len = data.len; \
+	assert_integer_read_uneven(extended, bits, val); \
+})
+
+START_TEST(test_read_uint8)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07);
+	u_int8_t val;
+
+	assert_integer_read(data, 8, val);
+	assert_basic_read(8, val);
+	assert_extended_read(data, 8, val);
+}
+END_TEST
+
+START_TEST(test_read_uint16)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03);
+	u_int16_t val;
+
+	assert_integer_read(data, 16, val);
+	assert_basic_read(16, val);
+	assert_extended_read(data, 16, val);
+}
+END_TEST
+
+START_TEST(test_read_uint24)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x03);
+	u_int32_t val;
+
+	assert_integer_read(data, 24, val);
+	assert_basic_read(24, val);
+	assert_extended_read(data, 24, val);
+}
+END_TEST
+
+START_TEST(test_read_uint32)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+									0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03);
+	u_int32_t val;
+
+	assert_integer_read(data, 32, val);
+	assert_basic_read(32, val);
+	assert_extended_read(data, 32, val);
+}
+END_TEST
+
+START_TEST(test_read_uint64)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03);
+	u_int64_t val;
+
+	assert_integer_read(data, 64, val);
+	assert_basic_read(64, val);
+	assert_extended_read(data, 64, val);
+}
+END_TEST
+
+/*******************************************************************************
+ * different integer reads from the end of a buffer
+ */
+
+#define assert_integer_read_end(data, bits, val) ({ \
+	bio_reader_t *reader = bio_reader_create(data); \
+	typeof(val) i; \
+	for (i = 0; reader->remaining(reader) >= (bits / 8); i++) \
+	{ \
+		ck_assert(reader->read_uint##bits##_end(reader, &val)); \
+		ck_assert_int_eq(i, val); \
+	} \
+	ck_assert_int_eq(i, data.len / (bits / 8)); \
+	ck_assert_int_eq(reader->remaining(reader), data.len % (bits / 8)); \
+	ck_assert(!reader->read_uint##bits##_end(reader, &val)); \
+	reader->destroy(reader); \
+})
+
+#define assert_integer_read_end_uneven(data, bits, val) ({ \
+	int i; \
+	data.ptr += bits / 8; \
+	for (i = 0; i <= bits / 8; i++, data.ptr--, data.len++) \
+	{ \
+		assert_integer_read_end(data, bits, val); \
+	} \
+})
+
+#define assert_basic_read_end(bits, val) ({ \
+	chunk_t data; \
+	data = chunk_empty; \
+	assert_integer_read_end(data, bits, val); \
+	data = chunk_alloca(bits / 8); \
+	memset(data.ptr, 0, data.len); \
+	data.len = 0; \
+	assert_integer_read_end_uneven(data, bits, val); \
+})
+
+#define assert_extended_read_end(data, bits, val) ({ \
+	chunk_t extended = chunk_alloca(data.len + bits / 8); \
+	memset(extended.ptr, 0, extended.len); \
+	extended.ptr[bits / 8 - 1] = data.len / (bits / 8); \
+	memcpy(extended.ptr + bits / 8, data.ptr, data.len); \
+	extended.len = data.len; \
+	assert_integer_read_end_uneven(extended, bits, val); \
+})
+
+START_TEST(test_read_uint8_end)
+{
+	chunk_t data = chunk_from_chars(0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00);
+	u_int8_t val;
+
+	assert_integer_read_end(data, 8, val);
+	assert_basic_read_end(8, val);
+	assert_extended_read_end(data, 8, val);
+}
+END_TEST
+
+START_TEST(test_read_uint16_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x03, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00);
+	u_int16_t val;
+
+	assert_integer_read_end(data, 16, val);
+	assert_basic_read_end(16, val);
+	assert_extended_read_end(data, 16, val);
+}
+END_TEST
+
+START_TEST(test_read_uint24_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x03, 0x00, 0x00, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00);
+	u_int32_t val;
+
+	assert_integer_read_end(data, 24, val);
+	assert_basic_read_end(24, val);
+	assert_extended_read_end(data, 24, val);
+}
+END_TEST
+
+START_TEST(test_read_uint32_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x02,
+									0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00);
+	u_int32_t val;
+
+	assert_integer_read_end(data, 32, val);
+	assert_basic_read_end(32, val);
+	assert_extended_read_end(data, 32, val);
+}
+END_TEST
+
+START_TEST(test_read_uint64_end)
+{
+	chunk_t data = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+									0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
+	u_int64_t val;
+
+	assert_integer_read_end(data, 64, val);
+	assert_basic_read_end(64, val);
+	assert_extended_read_end(data, 64, val);
+}
+END_TEST
+
+/*******************************************************************************
+ * read data
+ */
+
+static inline void assert_reader_after_read(bio_reader_t *reader, chunk_t data)
+{
+	chunk_t peek;
+
+	ck_assert_int_eq(reader->remaining(reader), data.len);
+	peek = reader->peek(reader);
+	ck_assert_int_eq(reader->remaining(reader), data.len);
+	ck_assert(peek.ptr == data.ptr);
+	data.ptr != NULL ? ck_assert(chunk_equals(peek, data))
+					 : ck_assert(peek.ptr == NULL);
+}
+
+START_TEST(test_read_data)
+{
+	chunk_t read, data = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
+	bio_reader_t *reader;
+
+	reader = bio_reader_create(chunk_empty);
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert(!reader->read_data(reader, 1, &read));
+	reader->destroy(reader);
+
+	reader = bio_reader_create(data);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert_int_eq(read.len, 0);
+	ck_assert(read.ptr == data.ptr);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(reader->read_data(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	ck_assert(read.ptr == data.ptr);
+	assert_reader_after_read(reader, chunk_skip(data, 1));
+
+	ck_assert(reader->read_data(reader, 2, &read));
+	ck_assert_int_eq(read.len, 2);
+	ck_assert(read.ptr == data.ptr + 1);
+	assert_reader_after_read(reader, chunk_skip(data, 3));
+
+	ck_assert(!reader->read_data(reader, 2, &read));
+	ck_assert(reader->read_data(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	ck_assert(read.ptr == data.ptr + 3);
+	assert_reader_after_read(reader, chunk_skip(data, 4));
+
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert(!reader->read_data(reader, 1, &read));
+	reader->destroy(reader);
+}
+END_TEST
+
+START_TEST(test_read_data_end)
+{
+	chunk_t read, data = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
+	bio_reader_t *reader;
+
+	reader = bio_reader_create(chunk_empty);
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data_end(reader, 0, &read));
+	ck_assert(!reader->read_data_end(reader, 1, &read));
+	reader->destroy(reader);
+
+	reader = bio_reader_create(data);
+	ck_assert(reader->read_data_end(reader, 0, &read));
+	ck_assert_int_eq(read.len, 0);
+	ck_assert(read.ptr == data.ptr + data.len);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(reader->read_data_end(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	data.len--;
+	ck_assert(read.ptr == data.ptr + data.len);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(reader->read_data_end(reader, 2, &read));
+	ck_assert_int_eq(read.len, 2);
+	data.len -= 2;
+	ck_assert(read.ptr == data.ptr + data.len);
+	assert_reader_after_read(reader, data);
+
+	ck_assert(!reader->read_data(reader, 2, &read));
+	ck_assert(reader->read_data(reader, 1, &read));
+	ck_assert_int_eq(read.len, 1);
+	ck_assert(read.ptr == data.ptr);
+	assert_reader_after_read(reader, chunk_empty);
+
+	ck_assert_int_eq(reader->remaining(reader), 0);
+	ck_assert(reader->read_data(reader, 0, &read));
+	ck_assert(!reader->read_data(reader, 1, &read));
+	reader->destroy(reader);
+}
+END_TEST
+
+/*******************************************************************************
+ * read length followed by data
+ */
+
+#define assert_read_data_len(bits) ({ \
+ 	bio_reader_t *reader; \
+	chunk_t read, data; \
+	int i, len = bits / 8; \
+	data = chunk_empty; \
+	reader = bio_reader_create(data); \
+	ck_assert(!reader->read_data##bits(reader, &read)); \
+	reader->destroy(reader); \
+	data = chunk_alloca(len + 8); \
+	memset(data.ptr, 0, data.len); \
+	for (i = 0; i <= 8; i++) \
+	{ \
+		data.ptr[len - 1] = i; \
+		data.len = len + i; \
+		reader = bio_reader_create(data); \
+		ck_assert(reader->read_data##bits(reader, &read)); \
+		ck_assert_int_eq(reader->remaining(reader), 0); \
+		ck_assert_int_eq(read.len, i); \
+		ck_assert((!read.ptr && !read.len) || (read.ptr == data.ptr + len)); \
+		reader->destroy(reader); \
+	} \
+	data.ptr[len - 1] = i; \
+	reader = bio_reader_create(data); \
+	ck_assert(!reader->read_data##bits(reader, &read)); \
+	reader->destroy(reader); \
+})
+
+START_TEST(test_read_data8)
+{
+	assert_read_data_len(8);
+}
+END_TEST
+
+START_TEST(test_read_data16)
+{
+	assert_read_data_len(16);
+}
+END_TEST
+
+START_TEST(test_read_data24)
+{
+	assert_read_data_len(24);
+}
+END_TEST
+
+START_TEST(test_read_data32)
+{
+	assert_read_data_len(32);
+}
+END_TEST
+
+/*******************************************************************************
+ * test constructors
+ */
+
+START_TEST(test_create)
+{
+	chunk_t data = chunk_from_str("foobar");
+	bio_reader_t *reader;
+
+	data = chunk_clone(data);
+	reader = bio_reader_create(data);
+	reader->destroy(reader);
+	chunk_free(&data);
+}
+END_TEST
+
+START_TEST(test_create_own)
+{
+	chunk_t data = chunk_from_str("foobar");
+	bio_reader_t *reader;
+
+	data = chunk_clone(data);
+	reader = bio_reader_create_own(data);
+	reader->destroy(reader);
+}
+END_TEST
+
+Suite *bio_reader_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bio_reader");
+
+	tc = tcase_create("integer reads");
+	tcase_add_test(tc, test_read_uint8);
+	tcase_add_test(tc, test_read_uint16);
+	tcase_add_test(tc, test_read_uint24);
+	tcase_add_test(tc, test_read_uint32);
+	tcase_add_test(tc, test_read_uint64);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("integer reads from end");
+	tcase_add_test(tc, test_read_uint8_end);
+	tcase_add_test(tc, test_read_uint16_end);
+	tcase_add_test(tc, test_read_uint24_end);
+	tcase_add_test(tc, test_read_uint32_end);
+	tcase_add_test(tc, test_read_uint64_end);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data reads and peek");
+	tcase_add_test(tc, test_read_data);
+	tcase_add_test(tc, test_read_data_end);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data length reads");
+	tcase_add_test(tc, test_read_data8);
+	tcase_add_test(tc, test_read_data16);
+	tcase_add_test(tc, test_read_data24);
+	tcase_add_test(tc, test_read_data32);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("constructors");
+	tcase_add_test(tc, test_create);
+	tcase_add_test(tc, test_create_own);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_bio_writer.c b/src/libstrongswan/tests/test_bio_writer.c
new file mode 100644
index 000000000..767f17996
--- /dev/null
+++ b/src/libstrongswan/tests/test_bio_writer.c
@@ -0,0 +1,386 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bio/bio_writer.h>
+
+/*******************************************************************************
+ * different integer writes
+ */
+
+static inline void verify_int_buffer(chunk_t data, int bits, int val)
+{
+	size_t i;
+	int len = bits / 8;
+
+	ck_assert_int_eq(data.len, (val + 1) * len);
+	for (i = 0; i < data.len; i++)
+	{
+		(i + 1) % len ? ck_assert_int_eq(data.ptr[i], 0)
+					  : ck_assert_int_eq(data.ptr[i], i / len);
+	}
+}
+
+#define assert_integer_write(init, bits) ({ \
+	int i; \
+	bio_writer_t *writer = bio_writer_create(init); \
+	for (i = 0; i < 16; i++) \
+	{ \
+		writer->write_uint##bits(writer, i); \
+		verify_int_buffer(writer->get_buf(writer), bits, i); \
+	} \
+	writer->destroy(writer); \
+})
+
+START_TEST(test_write_uint8)
+{
+	/* use default buffer (and increase) size */
+	assert_integer_write(0, 8);
+	/* force a resize by the given size */
+	assert_integer_write(1, 8);
+}
+END_TEST
+
+START_TEST(test_write_uint16)
+{
+	assert_integer_write(0, 16);
+	assert_integer_write(1, 16);
+}
+END_TEST
+
+START_TEST(test_write_uint24)
+{
+	assert_integer_write(0, 24);
+	assert_integer_write(1, 24);
+}
+END_TEST
+
+START_TEST(test_write_uint32)
+{
+	assert_integer_write(0, 32);
+	assert_integer_write(1, 32);
+}
+END_TEST
+
+START_TEST(test_write_uint64)
+{
+	assert_integer_write(0, 64);
+	assert_integer_write(1, 64);
+}
+END_TEST
+
+/*******************************************************************************
+ * write data / skip
+ */
+
+static inline void assert_writer_after_write(bio_writer_t *writer, int count)
+{
+	chunk_t buf;
+	size_t i;
+
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, count * 3);
+	for (i = 0; i < buf.len; i++)
+	{
+		ck_assert(buf.ptr[i] == i % 3);
+	}
+}
+
+START_TEST(test_write_data)
+{
+	chunk_t buf, data = chunk_from_chars(0x00, 0x01, 0x02);
+	bio_writer_t *writer;
+
+	/* no allocation, but default buffer size */
+	writer = bio_writer_create(0);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr == NULL);
+
+	writer->write_data(writer, chunk_empty);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr == NULL);
+	writer->destroy(writer);
+
+	/* custom buffer size, initial buffer allocated */
+	writer = bio_writer_create(1);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr != NULL);
+
+	writer->write_data(writer, chunk_empty);
+	buf = writer->get_buf(writer);
+	ck_assert_int_eq(buf.len, 0);
+	ck_assert(buf.ptr != NULL);
+	writer->destroy(writer);
+
+	writer = bio_writer_create(0);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 1);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 2);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 3);
+
+	writer->destroy(writer);
+}
+END_TEST
+
+START_TEST(test_skip)
+{
+	chunk_t skipped, buf, data = chunk_from_chars(0x00, 0x01, 0x02);
+	bio_writer_t *writer;
+
+	writer = bio_writer_create(4);
+	skipped = writer->skip(writer, 3);
+	ck_assert_int_eq(skipped.len, 3);
+	buf = writer->get_buf(writer);
+	ck_assert(skipped.ptr == buf.ptr);
+	memset(skipped.ptr, 0, skipped.len);
+
+	writer->write_data(writer, data);
+	buf = writer->get_buf(writer);
+	ck_assert(chunk_equals(buf, chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x01, 0x02)));
+	writer->destroy(writer);
+
+	writer = bio_writer_create(1);
+	skipped = writer->skip(writer, 3);
+	memcpy(skipped.ptr, data.ptr, data.len);
+
+	writer->write_data(writer, data);
+	assert_writer_after_write(writer, 2);
+	writer->destroy(writer);
+}
+END_TEST
+
+/*******************************************************************************
+ * write length followed by data
+ */
+
+#define assert_write_data_len(init, bits) ({ \
+ 	bio_writer_t *writer; \
+	chunk_t buf, data; \
+	int i, len = bits / 8; \
+	writer = bio_writer_create(init); \
+	writer->write_data##bits(writer, chunk_empty); \
+	buf = writer->get_buf(writer); \
+	ck_assert_int_eq(buf.len, len); \
+	ck_assert_int_eq(buf.ptr[len - 1], 0); \
+	writer->destroy(writer); \
+	data = chunk_alloca(32); \
+	memset(data.ptr, 0, data.len); \
+	for (i = 0; i < 32; i++) \
+	{ \
+		data.ptr[i] = i; \
+		data.len = i; \
+		writer = bio_writer_create(init); \
+		writer->write_data##bits(writer, data); \
+		buf = writer->get_buf(writer); \
+		ck_assert_int_eq(buf.len, len + i); \
+		ck_assert_int_eq(buf.ptr[len - 1], i); \
+		ck_assert(chunk_equals(chunk_create(buf.ptr + len, buf.len - len), data)); \
+		writer->destroy(writer); \
+	} \
+})
+
+START_TEST(test_write_data8)
+{
+	assert_write_data_len(0, 8);
+	assert_write_data_len(1, 8);
+}
+END_TEST
+
+START_TEST(test_write_data16)
+{
+	assert_write_data_len(0, 16);
+	assert_write_data_len(1, 16);
+}
+END_TEST
+
+START_TEST(test_write_data24)
+{
+	assert_write_data_len(0, 24);
+	assert_write_data_len(1, 24);
+}
+END_TEST
+
+START_TEST(test_write_data32)
+{
+	assert_write_data_len(0, 32);
+	assert_write_data_len(1, 32);
+}
+END_TEST
+
+
+/*******************************************************************************
+ * add length header before current data
+ */
+
+#define assert_wrap_data(init, bits) ({ \
+ 	bio_writer_t *writer; \
+	chunk_t buf, data; \
+	int i, len = bits / 8; \
+	writer = bio_writer_create(init); \
+	writer->wrap##bits(writer); \
+	buf = writer->get_buf(writer); \
+	ck_assert_int_eq(buf.len, len); \
+	ck_assert_int_eq(buf.ptr[len - 1], 0); \
+	writer->destroy(writer); \
+	data = chunk_alloca(32); \
+	memset(data.ptr, 0, data.len); \
+	for (i = 0; i < 32; i++) \
+	{ \
+		data.ptr[i] = i; \
+		data.len = i; \
+		writer = bio_writer_create(init); \
+		writer->write_data(writer, data); \
+		writer->wrap##bits(writer); \
+		buf = writer->get_buf(writer); \
+		ck_assert_int_eq(buf.len, len + i); \
+		ck_assert_int_eq(buf.ptr[len - 1], i); \
+		ck_assert(chunk_equals(chunk_create(buf.ptr + len, buf.len - len), data)); \
+		writer->wrap##bits(writer); \
+		buf = writer->get_buf(writer); \
+		ck_assert_int_eq(buf.len, 2 * len + i); \
+		ck_assert_int_eq(buf.ptr[len - 1], len + i); \
+		ck_assert(chunk_equals(chunk_create(buf.ptr + 2 * len, buf.len - 2 * len), data)); \
+		writer->destroy(writer); \
+	} \
+})
+
+START_TEST(test_wrap8)
+{
+	assert_wrap_data(0, 8);
+	assert_wrap_data(1, 8);
+}
+END_TEST
+
+START_TEST(test_wrap16)
+{
+	assert_wrap_data(0, 16);
+	assert_wrap_data(1, 16);
+}
+END_TEST
+
+START_TEST(test_wrap24)
+{
+	assert_wrap_data(0, 24);
+	assert_wrap_data(1, 24);
+}
+END_TEST
+
+START_TEST(test_wrap32)
+{
+	assert_wrap_data(0, 32);
+	assert_wrap_data(1, 32);
+}
+END_TEST
+
+/*******************************************************************************
+ * test data extraction
+ */
+
+START_TEST(test_get_buf)
+{
+	bio_writer_t *writer;
+	chunk_t data1, data2;
+
+	writer = bio_writer_create(0);
+	writer->write_uint8(writer, 1);
+	data1 = writer->get_buf(writer);
+	ck_assert_int_eq(data1.len, 1);
+	ck_assert(data1.ptr[0] == 1);
+
+	data2 = writer->get_buf(writer);
+	ck_assert(chunk_equals(data1, data2));
+	ck_assert(data1.ptr == data2.ptr);
+	writer->destroy(writer);
+}
+END_TEST
+
+START_TEST(test_extract_buf)
+{
+	bio_writer_t *writer;
+	chunk_t data1, data2;
+
+	writer = bio_writer_create(0);
+	writer->write_uint8(writer, 1);
+	data1 = writer->extract_buf(writer);
+	ck_assert_int_eq(data1.len, 1);
+	ck_assert(data1.ptr[0] == 1);
+
+	data2 = writer->get_buf(writer);
+	ck_assert_int_eq(data2.len, 0);
+	ck_assert(data2.ptr == NULL);
+	data2 = writer->extract_buf(writer);
+	ck_assert_int_eq(data2.len, 0);
+	ck_assert(data2.ptr == NULL);
+
+	writer->write_uint8(writer, 1);
+	data2 = writer->get_buf(writer);
+	ck_assert(chunk_equals(data1, data2));
+	ck_assert(data1.ptr != data2.ptr);
+
+	writer->destroy(writer);
+	chunk_free(&data1);
+}
+END_TEST
+
+Suite *bio_writer_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("bio_writer");
+
+	tc = tcase_create("integer writes");
+	tcase_add_test(tc, test_write_uint8);
+	tcase_add_test(tc, test_write_uint16);
+	tcase_add_test(tc, test_write_uint24);
+	tcase_add_test(tc, test_write_uint32);
+	tcase_add_test(tc, test_write_uint64);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data writes/skip");
+	tcase_add_test(tc, test_write_data);
+	tcase_add_test(tc, test_skip);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("data length writes");
+	tcase_add_test(tc, test_write_data8);
+	tcase_add_test(tc, test_write_data16);
+	tcase_add_test(tc, test_write_data24);
+	tcase_add_test(tc, test_write_data32);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("wrap writes");
+	tcase_add_test(tc, test_wrap8);
+	tcase_add_test(tc, test_wrap16);
+	tcase_add_test(tc, test_wrap24);
+	tcase_add_test(tc, test_wrap32);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get/extract");
+	tcase_add_test(tc, test_get_buf);
+	tcase_add_test(tc, test_extract_buf);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_chunk.c b/src/libstrongswan/tests/test_chunk.c
new file mode 100644
index 000000000..7f07d057b
--- /dev/null
+++ b/src/libstrongswan/tests/test_chunk.c
@@ -0,0 +1,863 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "test_suite.h"
+
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * utilities
+ */
+
+static void assert_chunk_empty(chunk_t chunk)
+{
+	ck_assert(chunk.len == 0 && chunk.ptr == NULL);
+}
+
+/*******************************************************************************
+ * equals
+ */
+
+START_TEST(test_chunk_equals)
+{
+	chunk_t chunk = chunk_from_str("chunk");
+	chunk_t chunk_a, chunk_b;
+
+	chunk_a = chunk_empty;
+	chunk_b = chunk_empty;
+	ck_assert(!chunk_equals(chunk_a, chunk_b));
+
+	chunk_a = chunk;
+	ck_assert(!chunk_equals(chunk_a, chunk_b));
+	chunk_b = chunk;
+	ck_assert(chunk_equals(chunk_a, chunk_b));
+
+	chunk_b = chunk_from_str("asdf");
+	ck_assert(!chunk_equals(chunk_a, chunk_b));
+
+	chunk_b = chunk_from_str("chunk");
+	ck_assert(chunk_equals(chunk_a, chunk_b));
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_compare test
+ */
+
+static struct {
+	int result;
+	chunk_t a;
+	chunk_t b;
+} compare_data[] = {
+	{ 0, { NULL, 0 }, { NULL, 0 }},
+	{ 0, chunk_from_chars(0x00), chunk_from_chars(0x00)},
+	{-1, chunk_from_chars(0x00), chunk_from_chars(0x01)},
+	{ 1, chunk_from_chars(0x01), chunk_from_chars(0x00)},
+	{ 0, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x00, 0x00)},
+	{-1, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x00, 0x01)},
+	{ 1, chunk_from_chars(0x00, 0x01), chunk_from_chars(0x00, 0x00)},
+	{-1, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x01, 0x00)},
+	{ 1, chunk_from_chars(0x01, 0x00), chunk_from_chars(0x00, 0x00)},
+	{-1, chunk_from_chars(0xff), chunk_from_chars(0x00, 0x00)},
+	{ 1, chunk_from_chars(0x00, 0x00), chunk_from_chars(0xff)},
+};
+
+START_TEST(test_compare)
+{
+	int result, expected;
+
+	result = chunk_compare(compare_data[_i].a, compare_data[_i].b);
+	expected = compare_data[_i].result;
+	ck_assert((result == 0 && expected == 0) ||
+			  (result < 0 && expected < 0) ||
+			  (result > 0 && expected > 0));
+}
+END_TEST
+
+/*******************************************************************************
+ * clear
+ */
+
+START_TEST(test_chunk_clear)
+{
+	chunk_t chunk;
+	u_char *ptr;
+	int i;
+	bool cleared = TRUE;
+
+	chunk = chunk_empty;
+	chunk_clear(&chunk);
+	chunk_free(&chunk);
+
+	chunk = chunk_alloc(64);
+	ptr = chunk.ptr;
+	for (i = 0; i < 64; i++)
+	{
+		chunk.ptr[i] = i;
+	}
+	chunk_clear(&chunk);
+	/* check memory area of freed chunk. We can't use ck_assert() for this
+	 * test directly, as it might allocate data at the freed area. */
+	for (i = 0; i < 64; i++)
+	{
+		if (ptr[i] != 0 && ptr[i] == i)
+		{
+			cleared = FALSE;
+			break;
+		}
+	}
+	assert_chunk_empty(chunk);
+	ck_assert(cleared);
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_length
+ */
+
+START_TEST(test_chunk_length)
+{
+	chunk_t a, b, c;
+	size_t len;
+
+	a = chunk_empty;
+	b = chunk_empty;
+	c = chunk_empty;
+	len = chunk_length("ccc", a, b, c);
+	ck_assert_int_eq(len, 0);
+
+	a = chunk_from_str("foo");
+	b = chunk_from_str("bar");
+	len = chunk_length("ccc", a, b, c);
+	ck_assert_int_eq(len, 6);
+
+	len = chunk_length("zcc", a, b, c);
+	ck_assert_int_eq(len, 0);
+
+	len = chunk_length("czc", a, b, c);
+	ck_assert_int_eq(len, 3);
+
+	a = chunk_from_str("foo");
+	b = chunk_from_str("bar");
+	c = chunk_from_str("baz");
+	len = chunk_length("ccc", a, b, c);
+	ck_assert_int_eq(len, 9);
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_create_cat
+ */
+
+START_TEST(test_chunk_create_cat)
+{
+	chunk_t foo, bar;
+	chunk_t a, b, c;
+	u_char *ptra, *ptrb;
+
+	foo = chunk_from_str("foo");
+	bar = chunk_from_str("bar");
+
+	/* to simplify things we use the chunk_cata macro */
+
+	a = chunk_empty;
+	b = chunk_empty;
+	c = chunk_cata("cc", a, b);
+	ck_assert_int_eq(c.len, 0);
+	ck_assert(c.ptr != NULL);
+
+	a = foo;
+	b = bar;
+	c = chunk_cata("cc", a, b);
+	ck_assert_int_eq(c.len, 6);
+	ck_assert(chunk_equals(c, chunk_from_str("foobar")));
+
+	a = chunk_clone(foo);
+	b = chunk_clone(bar);
+	c = chunk_cata("mm", a, b);
+	ck_assert_int_eq(c.len, 6);
+	ck_assert(chunk_equals(c, chunk_from_str("foobar")));
+
+	a = chunk_clone(foo);
+	b = chunk_clone(bar);
+	ptra = a.ptr;
+	ptrb = b.ptr;
+	c = chunk_cata("ss", a, b);
+	ck_assert_int_eq(c.len, 6);
+	ck_assert(chunk_equals(c, chunk_from_str("foobar")));
+	/* check memory area of cleared chunk */
+	ck_assert(!chunk_equals(foo, chunk_create(ptra, 3)));
+	ck_assert(!chunk_equals(bar, chunk_create(ptrb, 3)));
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_split
+ */
+
+static bool mem_in_chunk(u_char *ptr, chunk_t chunk)
+{
+	return ptr >= chunk.ptr && ptr < (chunk.ptr + chunk.len);
+}
+
+START_TEST(test_chunk_split)
+{
+	chunk_t foo, bar, foobar;
+	chunk_t a, b, c;
+	u_char *ptra, *ptrb;
+
+	foo = chunk_from_str("foo");
+	bar = chunk_from_str("bar");
+	foobar = chunk_from_str("foobar");
+
+	chunk_split(foobar, "aa", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(!mem_in_chunk(a.ptr, foobar));
+	ck_assert(!mem_in_chunk(b.ptr, foobar));
+	chunk_free(&a);
+	chunk_free(&b);
+
+	chunk_split(foobar, "mm", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(mem_in_chunk(a.ptr, foobar));
+	ck_assert(mem_in_chunk(b.ptr, foobar));
+
+	chunk_split(foobar, "am", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(!mem_in_chunk(a.ptr, foobar));
+	ck_assert(mem_in_chunk(b.ptr, foobar));
+	chunk_free(&a);
+
+	a = chunk_alloca(3);
+	ptra = a.ptr;
+	b = chunk_alloca(3);
+	ptrb = b.ptr;
+	chunk_split(foobar, "cc", 3, &a, 3, &b);
+	ck_assert(chunk_equals(a, foo));
+	ck_assert(chunk_equals(b, bar));
+	ck_assert(a.ptr == ptra);
+	ck_assert(b.ptr == ptrb);
+
+	chunk_split(foobar, "mm", 1, NULL, 2, &a, 2, NULL, 1, &b);
+	ck_assert(chunk_equals(a, chunk_from_str("oo")));
+	ck_assert(chunk_equals(b, chunk_from_str("r")));
+
+	chunk_split(foobar, "mm", 6, &a, 6, &b);
+	ck_assert(chunk_equals(a, foobar));
+	assert_chunk_empty(b);
+
+	chunk_split(foobar, "mac", 12, &a, 12, &b, 12, &c);
+	ck_assert(chunk_equals(a, foobar));
+	assert_chunk_empty(b);
+	assert_chunk_empty(c);
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_skip[_zero]
+ */
+
+START_TEST(test_chunk_skip)
+{
+	chunk_t foobar, a;
+
+	foobar = chunk_from_str("foobar");
+	a = foobar;
+	a = chunk_skip(a, 0);
+	ck_assert(chunk_equals(a, foobar));
+	a = chunk_skip(a, 1);
+	ck_assert(chunk_equals(a, chunk_from_str("oobar")));
+	a = chunk_skip(a, 2);
+	ck_assert(chunk_equals(a, chunk_from_str("bar")));
+	a = chunk_skip(a, 3);
+	assert_chunk_empty(a);
+
+	a = foobar;
+	a = chunk_skip(a, 6);
+	assert_chunk_empty(a);
+
+	a = foobar;
+	a = chunk_skip(a, 10);
+	assert_chunk_empty(a);
+}
+END_TEST
+
+START_TEST(test_chunk_skip_zero)
+{
+	chunk_t foobar, a;
+
+	a = chunk_empty;
+	a = chunk_skip_zero(a);
+	assert_chunk_empty(a);
+
+	foobar = chunk_from_str("foobar");
+	a = foobar;
+	a = chunk_skip_zero(a);
+	ck_assert(chunk_equals(a, foobar));
+
+	a = chunk_from_chars(0x00, 0xaa, 0xbb, 0xcc);
+	a = chunk_skip_zero(a);
+	ck_assert(chunk_equals(a, chunk_from_chars(0xaa, 0xbb, 0xcc)));
+	a = chunk_skip_zero(a);
+	ck_assert(chunk_equals(a, chunk_from_chars(0xaa, 0xbb, 0xcc)));
+}
+END_TEST
+
+/*******************************************************************************
+ * BASE16 encoding test
+ */
+
+START_TEST(test_base16)
+{
+	/* test vectors from RFC 4648:
+	 *
+	 * BASE16("") = ""
+	 * BASE16("f") = "66"
+	 * BASE16("fo") = "666F"
+	 * BASE16("foo") = "666F6F"
+	 * BASE16("foob") = "666F6F62"
+	 * BASE16("fooba") = "666F6F6261"
+	 * BASE16("foobar") = "666F6F626172"
+	 */
+	typedef struct {
+		bool upper;
+		char *in;
+		char *out;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{TRUE,  "", ""},
+		{TRUE,  "f", "66"},
+		{TRUE,  "fo", "666F"},
+		{TRUE,  "foo", "666F6F"},
+		{TRUE,  "foob", "666F6F62"},
+		{TRUE,  "fooba", "666F6F6261"},
+		{TRUE,  "foobar", "666F6F626172"},
+		{FALSE, "", ""},
+		{FALSE, "f", "66"},
+		{FALSE, "fo", "666f"},
+		{FALSE, "foo", "666f6f"},
+		{FALSE, "foob", "666f6f62"},
+		{FALSE, "fooba", "666f6f6261"},
+		{FALSE, "foobar", "666f6f626172"},
+	};
+	testdata_t test_colon[] = {
+		{TRUE,  "", ""},
+		{TRUE,  "f", "66"},
+		{TRUE,  "fo", "66:6F"},
+		{TRUE,  "foo", "66:6F:6F"},
+		{FALSE, "foob", "66:6f:6f:62"},
+		{FALSE, "fooba", "66:6f:6f:62:61"},
+		{FALSE, "foobar", "66:6f:6f:62:61:72"},
+		{FALSE, "foobar", "66:6f6f:6261:72"},
+	};
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_to_hex(chunk_create(test[i].in, strlen(test[i].in)), NULL,
+						   test[i].upper);
+		ck_assert_str_eq(out.ptr, test[i].out);
+		free(out.ptr);
+	}
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_from_hex(chunk_create(test[i].out, strlen(test[i].out)), NULL);
+		fail_unless(strneq(out.ptr, test[i].in, out.len),
+					"base16 conversion error - should '%s', is %#B",
+					test[i].in, &out);
+		free(out.ptr);
+	}
+
+	for (i = 0; i < countof(test_colon); i++)
+	{
+		chunk_t out;
+
+		out = chunk_from_hex(chunk_create(test_colon[i].out, strlen(test_colon[i].out)), NULL);
+		fail_unless(strneq(out.ptr, test_colon[i].in, out.len),
+					"base16 conversion error - should '%s', is %#B",
+					test_colon[i].in, &out);
+		free(out.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * BASE64 encoding test
+ */
+
+START_TEST(test_base64)
+{
+	/* test vectors from RFC 4648:
+	 *
+	 * BASE64("") = ""
+	 * BASE64("f") = "Zg=="
+	 * BASE64("fo") = "Zm8="
+	 * BASE64("foo") = "Zm9v"
+	 * BASE64("foob") = "Zm9vYg=="
+	 * BASE64("fooba") = "Zm9vYmE="
+	 * BASE64("foobar") = "Zm9vYmFy"
+	 */
+	typedef struct {
+		char *in;
+		char *out;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{"", ""},
+		{"f", "Zg=="},
+		{"fo", "Zm8="},
+		{"foo", "Zm9v"},
+		{"foob", "Zm9vYg=="},
+		{"fooba", "Zm9vYmE="},
+		{"foobar", "Zm9vYmFy"},
+	};
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
+		ck_assert_str_eq(out.ptr, test[i].out);
+		free(out.ptr);
+	}
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
+		fail_unless(strneq(out.ptr, test[i].in, out.len),
+					"base64 conversion error - should '%s', is %#B",
+					test[i].in, &out);
+		free(out.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * BASE32 encoding test
+ */
+
+START_TEST(test_base32)
+{
+	/* test vectors from RFC 4648:
+	 *
+	 * BASE32("") = ""
+	 * BASE32("f") = "MY======"
+	 * BASE32("fo") = "MZXQ===="
+	 * BASE32("foo") = "MZXW6==="
+	 * BASE32("foob") = "MZXW6YQ="
+	 * BASE32("fooba") = "MZXW6YTB"
+	 * BASE32("foobar") = "MZXW6YTBOI======"
+	 */
+	typedef struct {
+		char *in;
+		char *out;
+	} testdata_t;
+
+	testdata_t test[] = {
+		{"", ""},
+		{"f", "MY======"},
+		{"fo", "MZXQ===="},
+		{"foo", "MZXW6==="},
+		{"foob", "MZXW6YQ="},
+		{"fooba", "MZXW6YTB"},
+		{"foobar", "MZXW6YTBOI======"},
+	};
+	int i;
+
+	for (i = 0; i < countof(test); i++)
+	{
+		chunk_t out;
+
+		out = chunk_to_base32(chunk_create(test[i].in, strlen(test[i].in)), NULL);
+		ck_assert_str_eq(out.ptr, test[i].out);
+		free(out.ptr);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_increment test
+ */
+
+static struct {
+	bool overflow;
+	chunk_t in;
+	chunk_t out;
+} increment_data[] = {
+	{TRUE,  { NULL, 0 }, { NULL, 0 }},
+	{FALSE, chunk_from_chars(0x00), chunk_from_chars(0x01)},
+	{FALSE, chunk_from_chars(0xfe), chunk_from_chars(0xff)},
+	{TRUE,  chunk_from_chars(0xff), chunk_from_chars(0x00)},
+	{FALSE, chunk_from_chars(0x00, 0x00), chunk_from_chars(0x00, 0x01)},
+	{FALSE, chunk_from_chars(0x00, 0xff), chunk_from_chars(0x01, 0x00)},
+	{FALSE, chunk_from_chars(0xfe, 0xff), chunk_from_chars(0xff, 0x00)},
+	{TRUE,  chunk_from_chars(0xff, 0xff), chunk_from_chars(0x00, 0x00)},
+};
+
+START_TEST(test_increment)
+{
+	chunk_t chunk;
+	bool overflow;
+
+	chunk = chunk_clonea(increment_data[_i].in);
+	overflow = chunk_increment(chunk);
+	ck_assert(overflow == increment_data[_i].overflow);
+	ck_assert(!increment_data[_i].out.ptr ||
+			  chunk_equals(chunk, increment_data[_i].out));
+}
+END_TEST
+
+/*******************************************************************************
+ * chunk_printable tests
+ */
+
+static struct {
+	bool printable;
+	chunk_t in;
+	char *out;
+} printable_data[] = {
+	{TRUE,  chunk_from_chars(0x31), "1"},
+	{FALSE, chunk_from_chars(0x00), "?"},
+	{FALSE, chunk_from_chars(0x31, 0x00), "1?"},
+	{FALSE, chunk_from_chars(0x00, 0x31), "?1"},
+	{TRUE,  chunk_from_chars(0x3f, 0x31), "?1"},
+	{FALSE, chunk_from_chars(0x00, 0x31, 0x00), "?1?"},
+	{FALSE, chunk_from_chars(0x00, 0x31, 0x00, 0x32), "?1?2"},
+};
+
+START_TEST(test_printable)
+{
+	bool printable;
+
+	printable = chunk_printable(printable_data[_i].in, NULL, ' ');
+	ck_assert(printable == printable_data[_i].printable);
+}
+END_TEST
+
+START_TEST(test_printable_sanitize)
+{
+	chunk_t sane, expected;
+	bool printable;
+
+	printable = chunk_printable(printable_data[_i].in, &sane, '?');
+	ck_assert(printable == printable_data[_i].printable);
+	expected = chunk_from_str(printable_data[_i].out);
+	ck_assert(chunk_equals(sane, expected));
+	chunk_free(&sane);
+}
+END_TEST
+
+START_TEST(test_printable_empty)
+{
+	chunk_t sane;
+	bool printable;
+
+	printable = chunk_printable(chunk_empty, NULL, ' ');
+	ck_assert(printable);
+
+	sane.ptr = (void*)1;
+	sane.len = 1;
+	printable = chunk_printable(chunk_empty, &sane, ' ');
+	ck_assert(printable);
+	assert_chunk_empty(sane);
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_mac(), i.e. SipHash-2-4
+ */
+
+/**
+ * SipHash-2-4 output with
+ * k = 00 01 02 ...
+ * and
+ * in = (empty string)
+ * in = 00 (1 byte)
+ * in = 00 01 (2 bytes)
+ * in = 00 01 02 (3 bytes)
+ * ...
+ * in = 00 01 02 ... 3e (63 bytes)
+ */
+static const u_char sip_vectors[64][8] =
+{
+	{ 0x31, 0x0e, 0x0e, 0xdd, 0x47, 0xdb, 0x6f, 0x72, },
+	{ 0xfd, 0x67, 0xdc, 0x93, 0xc5, 0x39, 0xf8, 0x74, },
+	{ 0x5a, 0x4f, 0xa9, 0xd9, 0x09, 0x80, 0x6c, 0x0d, },
+	{ 0x2d, 0x7e, 0xfb, 0xd7, 0x96, 0x66, 0x67, 0x85, },
+	{ 0xb7, 0x87, 0x71, 0x27, 0xe0, 0x94, 0x27, 0xcf, },
+	{ 0x8d, 0xa6, 0x99, 0xcd, 0x64, 0x55, 0x76, 0x18, },
+	{ 0xce, 0xe3, 0xfe, 0x58, 0x6e, 0x46, 0xc9, 0xcb, },
+	{ 0x37, 0xd1, 0x01, 0x8b, 0xf5, 0x00, 0x02, 0xab, },
+	{ 0x62, 0x24, 0x93, 0x9a, 0x79, 0xf5, 0xf5, 0x93, },
+	{ 0xb0, 0xe4, 0xa9, 0x0b, 0xdf, 0x82, 0x00, 0x9e, },
+	{ 0xf3, 0xb9, 0xdd, 0x94, 0xc5, 0xbb, 0x5d, 0x7a, },
+	{ 0xa7, 0xad, 0x6b, 0x22, 0x46, 0x2f, 0xb3, 0xf4, },
+	{ 0xfb, 0xe5, 0x0e, 0x86, 0xbc, 0x8f, 0x1e, 0x75, },
+	{ 0x90, 0x3d, 0x84, 0xc0, 0x27, 0x56, 0xea, 0x14, },
+	{ 0xee, 0xf2, 0x7a, 0x8e, 0x90, 0xca, 0x23, 0xf7, },
+	{ 0xe5, 0x45, 0xbe, 0x49, 0x61, 0xca, 0x29, 0xa1, },
+	{ 0xdb, 0x9b, 0xc2, 0x57, 0x7f, 0xcc, 0x2a, 0x3f, },
+	{ 0x94, 0x47, 0xbe, 0x2c, 0xf5, 0xe9, 0x9a, 0x69, },
+	{ 0x9c, 0xd3, 0x8d, 0x96, 0xf0, 0xb3, 0xc1, 0x4b, },
+	{ 0xbd, 0x61, 0x79, 0xa7, 0x1d, 0xc9, 0x6d, 0xbb, },
+	{ 0x98, 0xee, 0xa2, 0x1a, 0xf2, 0x5c, 0xd6, 0xbe, },
+	{ 0xc7, 0x67, 0x3b, 0x2e, 0xb0, 0xcb, 0xf2, 0xd0, },
+	{ 0x88, 0x3e, 0xa3, 0xe3, 0x95, 0x67, 0x53, 0x93, },
+	{ 0xc8, 0xce, 0x5c, 0xcd, 0x8c, 0x03, 0x0c, 0xa8, },
+	{ 0x94, 0xaf, 0x49, 0xf6, 0xc6, 0x50, 0xad, 0xb8, },
+	{ 0xea, 0xb8, 0x85, 0x8a, 0xde, 0x92, 0xe1, 0xbc, },
+	{ 0xf3, 0x15, 0xbb, 0x5b, 0xb8, 0x35, 0xd8, 0x17, },
+	{ 0xad, 0xcf, 0x6b, 0x07, 0x63, 0x61, 0x2e, 0x2f, },
+	{ 0xa5, 0xc9, 0x1d, 0xa7, 0xac, 0xaa, 0x4d, 0xde, },
+	{ 0x71, 0x65, 0x95, 0x87, 0x66, 0x50, 0xa2, 0xa6, },
+	{ 0x28, 0xef, 0x49, 0x5c, 0x53, 0xa3, 0x87, 0xad, },
+	{ 0x42, 0xc3, 0x41, 0xd8, 0xfa, 0x92, 0xd8, 0x32, },
+	{ 0xce, 0x7c, 0xf2, 0x72, 0x2f, 0x51, 0x27, 0x71, },
+	{ 0xe3, 0x78, 0x59, 0xf9, 0x46, 0x23, 0xf3, 0xa7, },
+	{ 0x38, 0x12, 0x05, 0xbb, 0x1a, 0xb0, 0xe0, 0x12, },
+	{ 0xae, 0x97, 0xa1, 0x0f, 0xd4, 0x34, 0xe0, 0x15, },
+	{ 0xb4, 0xa3, 0x15, 0x08, 0xbe, 0xff, 0x4d, 0x31, },
+	{ 0x81, 0x39, 0x62, 0x29, 0xf0, 0x90, 0x79, 0x02, },
+	{ 0x4d, 0x0c, 0xf4, 0x9e, 0xe5, 0xd4, 0xdc, 0xca, },
+	{ 0x5c, 0x73, 0x33, 0x6a, 0x76, 0xd8, 0xbf, 0x9a, },
+	{ 0xd0, 0xa7, 0x04, 0x53, 0x6b, 0xa9, 0x3e, 0x0e, },
+	{ 0x92, 0x59, 0x58, 0xfc, 0xd6, 0x42, 0x0c, 0xad, },
+	{ 0xa9, 0x15, 0xc2, 0x9b, 0xc8, 0x06, 0x73, 0x18, },
+	{ 0x95, 0x2b, 0x79, 0xf3, 0xbc, 0x0a, 0xa6, 0xd4, },
+	{ 0xf2, 0x1d, 0xf2, 0xe4, 0x1d, 0x45, 0x35, 0xf9, },
+	{ 0x87, 0x57, 0x75, 0x19, 0x04, 0x8f, 0x53, 0xa9, },
+	{ 0x10, 0xa5, 0x6c, 0xf5, 0xdf, 0xcd, 0x9a, 0xdb, },
+	{ 0xeb, 0x75, 0x09, 0x5c, 0xcd, 0x98, 0x6c, 0xd0, },
+	{ 0x51, 0xa9, 0xcb, 0x9e, 0xcb, 0xa3, 0x12, 0xe6, },
+	{ 0x96, 0xaf, 0xad, 0xfc, 0x2c, 0xe6, 0x66, 0xc7, },
+	{ 0x72, 0xfe, 0x52, 0x97, 0x5a, 0x43, 0x64, 0xee, },
+	{ 0x5a, 0x16, 0x45, 0xb2, 0x76, 0xd5, 0x92, 0xa1, },
+	{ 0xb2, 0x74, 0xcb, 0x8e, 0xbf, 0x87, 0x87, 0x0a, },
+	{ 0x6f, 0x9b, 0xb4, 0x20, 0x3d, 0xe7, 0xb3, 0x81, },
+	{ 0xea, 0xec, 0xb2, 0xa3, 0x0b, 0x22, 0xa8, 0x7f, },
+	{ 0x99, 0x24, 0xa4, 0x3c, 0xc1, 0x31, 0x57, 0x24, },
+	{ 0xbd, 0x83, 0x8d, 0x3a, 0xaf, 0xbf, 0x8d, 0xb7, },
+	{ 0x0b, 0x1a, 0x2a, 0x32, 0x65, 0xd5, 0x1a, 0xea, },
+	{ 0x13, 0x50, 0x79, 0xa3, 0x23, 0x1c, 0xe6, 0x60, },
+	{ 0x93, 0x2b, 0x28, 0x46, 0xe4, 0xd7, 0x06, 0x66, },
+	{ 0xe1, 0x91, 0x5f, 0x5c, 0xb1, 0xec, 0xa4, 0x6c, },
+	{ 0xf3, 0x25, 0x96, 0x5c, 0xa1, 0x6d, 0x62, 0x9f, },
+	{ 0x57, 0x5f, 0xf2, 0x8e, 0x60, 0x38, 0x1b, 0xe5, },
+	{ 0x72, 0x45, 0x06, 0xeb, 0x4c, 0x32, 0x8a, 0x95, }
+};
+
+START_TEST(test_chunk_mac)
+{
+	chunk_t in;
+	u_char key[16];
+	u_int64_t out;
+	int i, count;
+
+	count = countof(sip_vectors);
+	in = chunk_alloca(count);
+
+	for (i = 0; i < 16; ++i)
+	{
+		key[i] = i;
+	}
+
+	for (i = 0; i < count; ++i)
+	{
+		in.ptr[i] = i;
+		in.len = i;
+		out = chunk_mac(in, key);
+		fail_unless(memeq(&out, sip_vectors[i], 8),
+					"test vector failed for %d bytes", i);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_hash[_inc]()
+ */
+
+START_TEST(test_chunk_hash)
+{
+	chunk_t chunk;
+	u_int32_t hash_a, hash_b, hash_c;
+
+	chunk = chunk_from_str("asdf");
+
+	/* output is randomized, so there are no test-vectors we could use */
+	hash_a = chunk_hash(chunk);
+	hash_b = chunk_hash(chunk);
+	ck_assert(hash_a == hash_b);
+	hash_b = chunk_hash_inc(chunk, hash_a);
+	ck_assert(hash_a != hash_b);
+	hash_c = chunk_hash_inc(chunk, hash_a);
+	ck_assert(hash_b == hash_c);
+}
+END_TEST
+
+/*******************************************************************************
+ * test for chunk_hash_static[_inc]()
+ */
+
+START_TEST(test_chunk_hash_static)
+{
+	chunk_t in;
+	u_int32_t out, hash_a, hash_b, hash_inc = 0x7b891a95;
+	int i, count;
+
+	count = countof(sip_vectors);
+	in = chunk_alloca(count);
+
+	for (i = 0; i < count; ++i)
+	{
+		in.ptr[i] = i;
+		in.len = i;
+		/* compared to chunk_mac() we only get half the value back */
+		out = chunk_hash_static(in);
+		fail_unless(memeq(&out, sip_vectors[i], 4),
+					"test vector failed for %d bytes", i);
+	}
+	hash_a = chunk_hash_static_inc(in, out);
+	ck_assert_int_eq(hash_a, hash_inc);
+	hash_b = chunk_hash_static_inc(in, out);
+	ck_assert_int_eq(hash_a, hash_b);
+}
+END_TEST
+
+/*******************************************************************************
+ * printf_hook tests
+ */
+
+static struct {
+	chunk_t in;
+	char *out;
+} printf_hook_data[] = {
+	{chunk_from_chars(), ""},
+	{chunk_from_chars(0x00), "00"},
+	{chunk_from_chars(0x00, 0x01), "00:01"},
+	{chunk_from_chars(0x00, 0x01, 0x02), "00:01:02"},
+};
+
+START_TEST(test_printf_hook_hash)
+{
+	char buf[16];
+	int len;
+
+	len = snprintf(buf, sizeof(buf), "%#B", &printf_hook_data[_i].in);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	ck_assert_str_eq(buf, printf_hook_data[_i].out);
+}
+END_TEST
+
+START_TEST(test_printf_hook)
+{
+	char buf[128], mem[128];
+	int len;
+
+	/* %B should be the same as %b, which is what we check, comparing the
+	 * acutal result could be tricky as %b prints the chunk's memory address */
+	len = snprintf(buf, sizeof(buf), "%B", &printf_hook_data[_i].in);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	len = snprintf(mem, sizeof(mem), "%b", printf_hook_data[_i].in.ptr,
+				  (u_int)printf_hook_data[_i].in.len);
+	ck_assert(len >= 0 && len < sizeof(mem));
+	ck_assert_str_eq(buf, mem);
+}
+END_TEST
+
+Suite *chunk_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("chunk");
+
+	tc = tcase_create("equals");
+	tcase_add_test(tc, test_chunk_equals);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_compare");
+	tcase_add_loop_test(tc, test_compare, 0, countof(compare_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clear");
+	tcase_add_test(tc, test_chunk_clear);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_length");
+	tcase_add_test(tc, test_chunk_length);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_create_cat");
+	tcase_add_test(tc, test_chunk_create_cat);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_split");
+	tcase_add_test(tc, test_chunk_split);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_skip");
+	tcase_add_test(tc, test_chunk_skip);
+	tcase_add_test(tc, test_chunk_skip_zero);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_increment");
+	tcase_add_loop_test(tc, test_increment, 0, countof(increment_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_printable");
+	tcase_add_loop_test(tc, test_printable, 0, countof(printable_data));
+	tcase_add_loop_test(tc, test_printable_sanitize, 0, countof(printable_data));
+	tcase_add_test(tc, test_printable_empty);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("baseXX");
+	tcase_add_test(tc, test_base64);
+	tcase_add_test(tc, test_base32);
+	tcase_add_test(tc, test_base16);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_mac");
+	tcase_add_test(tc, test_chunk_mac);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_hash");
+	tcase_add_test(tc, test_chunk_hash);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("chunk_hash_static");
+	tcase_add_test(tc, test_chunk_hash_static);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf_hook");
+	tcase_add_loop_test(tc, test_printf_hook_hash, 0, countof(printf_hook_data));
+	tcase_add_loop_test(tc, test_printf_hook, 0, countof(printf_hook_data));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_ecdsa.c b/src/libstrongswan/tests/test_ecdsa.c
new file mode 100644
index 000000000..2955bae2f
--- /dev/null
+++ b/src/libstrongswan/tests/test_ecdsa.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <plugins/plugin_feature.h>
+
+/**
+ * Signature schemes to test
+ */
+static struct {
+	/* key size for scheme, 0 for any */
+	int key_size;
+	signature_scheme_t scheme;
+} schemes[] = {
+	{ 0, SIGN_ECDSA_WITH_SHA1_DER },
+	{ 0, SIGN_ECDSA_WITH_SHA256_DER },
+	{ 0, SIGN_ECDSA_WITH_SHA384_DER },
+	{ 0, SIGN_ECDSA_WITH_SHA512_DER },
+	{ 0, SIGN_ECDSA_WITH_NULL },
+	{ 256, SIGN_ECDSA_256 },
+	{ 384, SIGN_ECDSA_384 },
+	{ 521, SIGN_ECDSA_521 },
+};
+
+/**
+ * Perform a signature verification "good" test having a keypair
+ */
+static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
+{
+	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int i;
+
+	for (i = 0; i < countof(schemes); i++)
+	{
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme)) ||
+			!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PRIVKEY_SIGN, schemes[i].scheme)))
+		{
+			continue;
+		}
+		if (schemes[i].key_size != 0 &&
+			schemes[i].scheme != privkey->get_keysize(privkey))
+		{
+			continue;
+		}
+		fail_unless(privkey->sign(privkey, schemes[i].scheme, data, &sig),
+					"sign %N", signature_scheme_names, schemes[i].scheme);
+		fail_unless(pubkey->verify(pubkey, schemes[i].scheme, data, sig),
+					"verify %N", signature_scheme_names, schemes[i].scheme);
+		free(sig.ptr);
+	}
+}
+
+/**
+ * Some special signatures that should never validate successfully
+ */
+static chunk_t invalid_sigs[] = {
+	chunk_from_chars(),
+	chunk_from_chars(0x00),
+	chunk_from_chars(0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+};
+
+/**
+ * Check public key that it properly fails against some crafted sigs
+ */
+static void test_bad_sigs(public_key_t *pubkey)
+{
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int s, i;
+
+	for (s = 0; s < countof(schemes); s++)
+	{
+		if (schemes[s].key_size != 0 &&
+			schemes[s].scheme != pubkey->get_keysize(pubkey))
+		{
+			continue;
+		}
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s].scheme)))
+		{
+			continue;
+		}
+		for (i = 0; i < countof(invalid_sigs); i++)
+		{
+			fail_if(
+				pubkey->verify(pubkey, schemes[s].scheme, data, invalid_sigs[i]),
+				"bad %N sig accepted %B",
+				signature_scheme_names, schemes[s].scheme,
+				&invalid_sigs[i]);
+		}
+	}
+}
+
+/**
+ * ECDSA key sizes to test
+ */
+static int key_sizes[] = {
+	256, 384, 521,
+};
+
+START_TEST(test_gen)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								 BUILD_KEY_SIZE, key_sizes[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+/**
+ * Private keys to load
+ */
+static chunk_t keys[] = {
+	chunk_from_chars( /* ECDSA-256 */
+		0x30,0x77,0x02,0x01,0x01,0x04,0x20,0x42,0xc6,0x8c,0xff,0x2b,0x8b,0x87,0xa1,0xfb,
+		0x50,0xf6,0xfe,0xd6,0x88,0xb3,0x0a,0x48,0xb2,0xc5,0x8f,0x50,0xe0,0xcf,0x40,0xfa,
+		0x57,0xd1,0xc6,0x6c,0x20,0x64,0xc5,0xa0,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,
+		0x03,0x01,0x07,0xa1,0x44,0x03,0x42,0x00,0x04,0x9c,0xb2,0x52,0xcb,0xc0,0x5c,0xcf,
+		0x97,0xdd,0xd6,0xe7,0x49,0x32,0x47,0x0c,0x8e,0xdb,0x6d,0xbf,0xc8,0x1a,0x0a,0x01,
+		0xe8,0x5e,0x3f,0x8e,0x64,0x33,0xb4,0x15,0xbb,0x1b,0xa5,0xed,0xf9,0x4b,0xa7,0xe8,
+		0x5e,0x6f,0x49,0x24,0xf7,0x32,0xf4,0x9b,0x4c,0x47,0xdc,0xf1,0x28,0x44,0x1c,0x37,
+		0xdb,0xee,0xfb,0xd8,0xbd,0x4e,0x5c,0xeb,0x07),
+	chunk_from_chars( /* ECDSA-384 */
+		0x30,0x81,0xa4,0x02,0x01,0x01,0x04,0x30,0x4b,0xbf,0x6c,0xf5,0x24,0x78,0x53,0x4b,
+		0x1a,0x91,0x23,0xae,0x30,0xc8,0xb3,0xc9,0xc2,0x9b,0x23,0x07,0x10,0x6f,0x1b,0x47,
+		0x7c,0xa0,0xd4,0x79,0x3c,0xc4,0x83,0x10,0xd1,0x44,0x07,0xc2,0x1b,0x66,0xff,0xae,
+		0x76,0x57,0x72,0x90,0x53,0xc2,0xf5,0x29,0xa0,0x07,0x06,0x05,0x2b,0x81,0x04,0x00,
+		0x22,0xa1,0x64,0x03,0x62,0x00,0x04,0x1e,0xcf,0x1c,0x85,0x9d,0x06,0xa0,0x54,0xa2,
+		0x24,0x2f,0xd8,0x63,0x56,0x7b,0x70,0x0b,0x7f,0x81,0x96,0xce,0xb9,0x2e,0x35,0x03,
+		0x9c,0xf9,0x0a,0x5d,0x3b,0x10,0xf7,0x13,0x7a,0x0d,0xca,0x56,0xda,0x1d,0x44,0x84,
+		0x07,0x6f,0x58,0xdc,0x34,0x7b,0x1d,0x4c,0xdd,0x28,0x10,0xc0,0xe2,0xae,0xf4,0xd6,
+		0xda,0xea,0xaf,0xfc,0x7a,0xaf,0x59,0x5f,0xbc,0x91,0x65,0xd3,0x21,0x19,0x61,0xbb,
+		0xfe,0x3c,0xdb,0x47,0xcb,0x7a,0xe7,0x5d,0xbd,0x28,0xde,0x25,0x64,0x9e,0x3a,0xa9,
+		0x18,0xed,0x24,0xe1,0x1f,0x73,0xcc),
+	chunk_from_chars( /* ECDSA-521 */
+		0x30,0x81,0xdc,0x02,0x01,0x01,0x04,0x42,0x01,0xcf,0x38,0xaa,0xa7,0x7a,0x79,0x48,
+		0xa9,0x60,0x55,0x24,0xa8,0x7e,0xe1,0xbc,0x45,0x35,0x16,0xff,0x18,0xce,0x44,0xa2,
+		0x0b,0x72,0x6b,0xca,0x0a,0x40,0xb4,0x97,0x13,0x17,0x90,0x50,0x15,0xb9,0xba,0xfc,
+		0x08,0x0e,0xdb,0xf8,0xfc,0x06,0x35,0x37,0xbf,0xfb,0x25,0x74,0xfe,0x0f,0xe1,0x3c,
+		0x3a,0xf0,0x0d,0xe0,0x52,0x15,0xa8,0x07,0x6f,0x3e,0xa0,0x07,0x06,0x05,0x2b,0x81,
+		0x04,0x00,0x23,0xa1,0x81,0x89,0x03,0x81,0x86,0x00,0x04,0x00,0x56,0x81,0x28,0xd6,
+		0xac,0xe9,0xc8,0x82,0x2c,0xac,0x61,0x6d,0xdd,0x88,0x79,0x00,0xe3,0x7a,0x4d,0x25,
+		0xc4,0xea,0x05,0x80,0x75,0x48,0xbc,0x75,0x73,0xc4,0xe9,0x76,0x68,0xba,0x51,0xc3,
+		0x29,0xce,0x7d,0x1b,0xb0,0x8b,0xac,0xc1,0xcc,0x23,0xa7,0x2d,0xa7,0x2c,0x95,0xf6,
+		0x01,0x40,0x26,0x01,0x1c,0x1c,0x9c,0xe7,0xa7,0xb4,0x0f,0x8e,0xba,0x01,0x07,0xb3,
+		0xf7,0xbe,0x45,0x20,0xa9,0x9e,0x70,0xf0,0xcf,0x9b,0xa0,0x91,0xe3,0x88,0x8f,0x04,
+		0x69,0x3d,0x0f,0x2b,0xf3,0xb4,0x03,0x19,0x89,0xcf,0xfa,0x77,0x04,0x15,0xaf,0xdd,
+		0xf7,0x32,0x76,0x25,0x25,0x05,0x8d,0xfd,0x18,0x8a,0xda,0xd6,0xbc,0x71,0xb8,0x9f,
+		0x39,0xb0,0xaf,0xcc,0x54,0xb0,0x9c,0x4d,0x54,0xfb,0x46,0x53,0x5f,0xf8,0x45),
+};
+
+START_TEST(test_load)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								 BUILD_BLOB_ASN1_DER, keys[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+Suite *ecdsa_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("ecdsa");
+
+	tc = tcase_create("generate");
+	tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("load");
+	tcase_add_loop_test(tc, test_load, 0, countof(keys));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_enum.c b/src/libstrongswan/tests/test_enum.c
new file mode 100644
index 000000000..990d9cfad
--- /dev/null
+++ b/src/libstrongswan/tests/test_enum.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <utils/enum.h>
+#include <utils/utils.h>
+
+/*******************************************************************************
+ * continuous enum
+ */
+enum {
+	CONT1,
+	CONT2,
+	CONT3,
+	CONT4,
+	CONT5,
+} test_enum_cont;
+
+/* can't be static */
+enum_name_t *test_enum_cont_names;
+
+ENUM_BEGIN(test_enum_cont_names, CONT1, CONT5,
+	"CONT1", "CONT2", "CONT3", "CONT4", "CONT5");
+ENUM_END(test_enum_cont_names, CONT5);
+
+/*******************************************************************************
+ * split enum
+ */
+enum {
+	SPLIT1 = 1,
+	SPLIT2,
+	SPLIT3 = 5,
+	SPLIT4,
+	SPLIT5 = 255,
+} test_enum_split;
+
+/* can't be static */
+enum_name_t *test_enum_split_names;
+
+ENUM_BEGIN(test_enum_split_names, SPLIT1, SPLIT2,
+	"SPLIT1", "SPLIT2");
+ENUM_NEXT(test_enum_split_names, SPLIT3, SPLIT4, SPLIT2,
+	"SPLIT3", "SPLIT4");
+ENUM_NEXT(test_enum_split_names, SPLIT5, SPLIT5, SPLIT4,
+	"SPLIT5");
+ENUM_END(test_enum_split_names, SPLIT5);
+
+/*******************************************************************************
+ * enum_to_name
+ */
+
+static struct {
+	int val;
+	char *str;
+} name_tests_cont[] = {
+	{-1, NULL},
+	{CONT1, "CONT1"},
+	{CONT2, "CONT2"},
+	{CONT3, "CONT3"},
+	{CONT4, "CONT4"},
+	{CONT5, "CONT5"},
+	{5, NULL},
+}, name_tests_split[] = {
+	{-1, NULL},
+	{0, NULL},
+	{SPLIT1, "SPLIT1"},
+	{SPLIT2, "SPLIT2"},
+	{3, NULL},
+	{4, NULL},
+	{SPLIT3, "SPLIT3"},
+	{SPLIT4, "SPLIT4"},
+	{7, NULL},
+	{254, NULL},
+	{SPLIT5, "SPLIT5"},
+	{256, NULL},
+};
+
+START_TEST(test_enum_to_name_cont)
+{
+	char *str = enum_to_name(test_enum_cont_names, name_tests_cont[_i].val);
+	if (str)
+	{
+		ck_assert_str_eq(str, name_tests_cont[_i].str);
+	}
+	else
+	{
+		ck_assert(str == name_tests_cont[_i].str);
+	}
+}
+END_TEST
+
+START_TEST(test_enum_to_name_split)
+{
+	char *str = enum_to_name(test_enum_split_names, name_tests_split[_i].val);
+	if (str)
+	{
+		ck_assert_str_eq(str, name_tests_split[_i].str);
+	}
+	else
+	{
+		ck_assert(str == name_tests_split[_i].str);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * enum_from_name
+ */
+
+static struct {
+	int val;
+	char *str;
+} enum_tests_cont[] = {
+	{CONT1, "CONT1"},
+	{CONT2, "CONT2"},
+	{CONT2, "CoNt2"},
+	{CONT3, "CONT3"},
+	{CONT4, "CONT4"},
+	{CONT5, "CONT5"},
+	{-1, "asdf"},
+	{-1, ""},
+	{-1, NULL},
+}, enum_tests_split[] = {
+	{SPLIT1, "SPLIT1"},
+	{SPLIT1, "split1"},
+	{SPLIT2, "SPLIT2"},
+	{SPLIT2, "SpLiT2"},
+	{SPLIT3, "SPLIT3"},
+	{SPLIT4, "SPLIT4"},
+	{SPLIT5, "SPLIT5"},
+	{-1, "asdf"},
+	{-1, ""},
+	{-1, NULL},
+};
+
+START_TEST(test_enum_from_name_cont)
+{
+	int val = enum_from_name(test_enum_cont_names, enum_tests_cont[_i].str);
+	ck_assert_int_eq(val, enum_tests_cont[_i].val);
+}
+END_TEST
+
+START_TEST(test_enum_from_name_split)
+{
+	int val = enum_from_name(test_enum_split_names, enum_tests_split[_i].str);
+	ck_assert_int_eq(val, enum_tests_split[_i].val);
+}
+END_TEST
+
+/*******************************************************************************
+ * enum_printf_hook
+ */
+
+static struct {
+	int val;
+	char *str;
+} printf_tests_cont[] = {
+	{-1, "(-1)"},
+	{CONT1, "CONT1"},
+	{CONT2, "CONT2"},
+	{CONT3, "CONT3"},
+	{CONT4, "CONT4"},
+	{CONT5, "CONT5"},
+	{5, "(5)"},
+}, printf_tests_split[] = {
+	{-1, "(-1)"},
+	{0, "(0)"},
+	{SPLIT1, "SPLIT1"},
+	{SPLIT2, "SPLIT2"},
+	{3, "(3)"},
+	{4, "(4)"},
+	{SPLIT3, "SPLIT3"},
+	{SPLIT4, "SPLIT4"},
+	{7, "(7)"},
+	{254, "(254)"},
+	{SPLIT5, "SPLIT5"},
+	{256, "(256)"},
+};
+
+START_TEST(test_enum_printf_hook_cont)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, printf_tests_cont[_i].val);
+	ck_assert_str_eq(printf_tests_cont[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_split)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%N", test_enum_split_names, printf_tests_split[_i].val);
+	ck_assert_str_eq(printf_tests_split[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_width)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%10N", test_enum_cont_names, CONT1);
+	ck_assert_str_eq("     CONT1", buf);
+	snprintf(buf, sizeof(buf), "%-*N", 10, test_enum_cont_names, CONT2);
+	ck_assert_str_eq("CONT2     ", buf);
+	snprintf(buf, sizeof(buf), "%3N", test_enum_cont_names, CONT3);
+	ck_assert_str_eq("CONT3", buf);
+}
+END_TEST
+
+Suite *enum_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("enum");
+
+	tc = tcase_create("enum_to_name");
+	tcase_add_loop_test(tc, test_enum_to_name_cont, 0, countof(name_tests_cont));
+	tcase_add_loop_test(tc, test_enum_to_name_split, 0, countof(name_tests_split));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enum_from_name");
+	tcase_add_loop_test(tc, test_enum_from_name_cont, 0, countof(enum_tests_cont));
+	tcase_add_loop_test(tc, test_enum_from_name_split, 0, countof(enum_tests_split));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enum_printf_hook");
+	tcase_add_loop_test(tc, test_enum_printf_hook_cont, 0, countof(printf_tests_cont));
+	tcase_add_loop_test(tc, test_enum_printf_hook_split, 0, countof(printf_tests_split));
+	tcase_add_test(tc, test_enum_printf_hook_width);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_enumerator.c b/src/libstrongswan/tests/test_enumerator.c
new file mode 100644
index 000000000..b5dde4650
--- /dev/null
+++ b/src/libstrongswan/tests/test_enumerator.c
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
+
+/*******************************************************************************
+ * token test
+ */
+
+static const char *token_results1[] = { "abc", "cde", "efg" };
+static const char *token_results2[] = { "a", "b", "c" };
+
+static struct {
+	char *string;
+	char *sep;
+	char *trim;
+	const char **results;
+} token_tests[] = {
+	{"abc, cde, efg", ",", " ", token_results1},
+	{" abc 1:2 cde;3  4efg5.  ", ":;.,", " 12345", token_results1},
+	{"abc.cde,efg", ",.", "", token_results1},
+	{"  abc   cde  efg  ", " ", " ", token_results1},
+	{"a'abc' c 'cde' cefg", " ", " abcd", token_results1},
+	{"'abc' abc 'cde'd 'efg'", " ", " abcd", token_results1},
+
+	{"a, b, c", ",", " ", token_results2},
+	{"a,b,c", ",", " ", token_results2},
+	{" a 1:2 b;3  4c5.  ", ":;.,", " 12345", token_results2},
+	{"a.b,c", ",.", "", token_results2},
+	{"  a   b  c  ", " ", " ", token_results2},
+};
+
+START_TEST(test_token)
+{
+	enumerator_t *enumerator;
+	const char **results;
+	char *token;
+	int tok = 0;
+
+	enumerator = enumerator_create_token(token_tests[_i].string,
+									token_tests[_i].sep, token_tests[_i].trim);
+	results = token_tests[_i].results;
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		switch (tok)
+		{
+			case 0:
+			case 1:
+			case 2:
+				ck_assert_str_eq(token, results[tok]);
+				break;
+			default:
+				fail("unexpected token '%s'", token);
+		}
+		tok++;
+	}
+	fail_if(tok != 3, "not enough tokens (%d) extracted from '%s'",
+			tok, token_tests[_i].string);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * utilities for filtered, nested and cleaner tests
+ */
+
+static int destroy_data_called;
+
+START_SETUP(setup_destroy_data)
+{
+	destroy_data_called = 0;
+}
+END_SETUP
+
+START_TEARDOWN(teardown_destroy_data)
+{
+	ck_assert_int_eq(destroy_data_called, 1);
+}
+END_TEARDOWN
+
+static void destroy_data(void *data)
+{
+	fail_if(data != (void*)101, "data does not match '101' in destructor");
+	destroy_data_called++;
+}
+
+/*******************************************************************************
+ * filtered test
+ */
+
+static bool filter(void *data, int *v, int *vo, int *w, int *wo,
+				   int *x, int *xo, int *y, int *yo, int *z, int *zo)
+{
+	int val = *v;
+
+	*vo = val++;
+	*wo = val++;
+	*xo = val++;
+	*yo = val++;
+	*zo = val++;
+	fail_if(data != (void*)101, "data does not match '101' in filter function");
+	return TRUE;
+}
+
+static bool filter_odd(void *data, int *item, int *out)
+{
+	fail_if(data != (void*)101, "data does not match '101' in filter function");
+	*out = *item;
+	return *item % 2 == 0;
+}
+
+START_TEST(test_filtered)
+{
+	int round, v, w, x, y, z;
+	linked_list_t *list;
+	enumerator_t *enumerator;
+
+	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+										 (void*)5, NULL);
+
+	round = 1;
+	enumerator = enumerator_create_filter(list->create_enumerator(list),
+									(void*)filter, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &v, &w, &x, &y, &z))
+	{
+		ck_assert_int_eq(v, round);
+		ck_assert_int_eq(w, round + 1);
+		ck_assert_int_eq(x, round + 2);
+		ck_assert_int_eq(y, round + 3);
+		ck_assert_int_eq(z, round + 4);
+		round++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(round, 6);
+
+	list->destroy(list);
+}
+END_TEST
+
+START_TEST(test_filtered_filter)
+{
+	int count, x;
+	linked_list_t *list;
+	enumerator_t *enumerator;
+
+	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+										 (void*)5, NULL);
+
+	count = 0;
+	/* should also work without destructor, so set this manually */
+	destroy_data_called = 1;
+	enumerator = enumerator_create_filter(list->create_enumerator(list),
+										 (void*)filter_odd, (void*)101, NULL);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert(x % 2 == 0);
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 2);
+
+	list->destroy(list);
+}
+END_TEST
+
+/*******************************************************************************
+ * nested test
+ */
+
+static enumerator_t* create_inner(linked_list_t *outer, void *data)
+{
+	fail_if(data != (void*)101, "data does not match '101' in nested constr.");
+	return outer->create_enumerator(outer);
+}
+
+static enumerator_t* create_inner_null(void *outer, void *data)
+{
+	ck_assert(outer == (void*)1);
+	fail_if(data != (void*)101, "data does not match '101' in nested constr.");
+	return NULL;
+}
+
+START_TEST(test_nested)
+{
+	linked_list_t *list, *l1, *l2, *l3;
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	l1 = linked_list_create_with_items((void*)1, (void*)2, NULL);
+	l2 = linked_list_create();
+	l3 = linked_list_create_with_items((void*)3, (void*)4, (void*)5, NULL);
+	list = linked_list_create_with_items(l1, l2, l3, NULL);
+
+	round = 1;
+	enumerator = enumerator_create_nested(list->create_enumerator(list),
+								(void*)create_inner, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(round, 6);
+
+	list->destroy(list);
+	l1->destroy(l1);
+	l2->destroy(l2);
+	l3->destroy(l3);
+}
+END_TEST
+
+START_TEST(test_nested_reset)
+{
+	linked_list_t *list, *l1, *l2, *l3;
+	enumerator_t *outer, *enumerator;
+	intptr_t x;
+	int count = 0;
+
+	l1 = linked_list_create_with_items((void*)1, (void*)2, NULL);
+	l2 = linked_list_create();
+	l3 = linked_list_create_with_items((void*)3, (void*)4, (void*)5, NULL);
+	list = linked_list_create_with_items(l1, l2, l3, NULL);
+
+	outer = list->create_enumerator(list);
+	enumerator = enumerator_create_nested(outer, (void*)create_inner,
+										 (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		count++;
+	}
+	ck_assert_int_eq(count, 5);
+
+	list->reset_enumerator(list, outer);
+	ck_assert(enumerator->enumerate(enumerator, &x));
+	ck_assert_int_eq(x, 1);
+	enumerator->destroy(enumerator);
+
+	list->destroy(list);
+	l1->destroy(l1);
+	l2->destroy(l2);
+	l3->destroy(l3);
+}
+END_TEST
+
+START_TEST(test_nested_empty)
+{
+	linked_list_t *list;
+	enumerator_t *enumerator;
+	intptr_t x;
+	int count;
+
+	list = linked_list_create();
+	count = 0;
+	enumerator = enumerator_create_nested(list->create_enumerator(list),
+								(void*)create_inner, (void*)101, destroy_data);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 0);
+
+	list->destroy(list);
+}
+END_TEST
+
+START_TEST(test_nested_null)
+{
+	linked_list_t *list;
+	enumerator_t *enumerator;
+	intptr_t x;
+	int count;
+
+	list = linked_list_create_with_items((void*)1, NULL);
+
+	count = 0;
+	/* should also work without destructor, so set this manually */
+	destroy_data_called = 1;
+	enumerator = enumerator_create_nested(list->create_enumerator(list),
+									(void*)create_inner_null, (void*)101, NULL);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 0);
+
+	list->destroy(list);
+}
+END_TEST
+
+/*******************************************************************************
+ * cleaner test
+ */
+
+START_TEST(test_cleaner)
+{
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	intptr_t x;
+	int round;
+
+	list = linked_list_create_with_items((void*)1, (void*)2, NULL);
+
+	round = 1;
+	enumerator = enumerator_create_cleaner(list->create_enumerator(list),
+										   destroy_data, (void*)101);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 3);
+	enumerator->destroy(enumerator);
+	list->destroy(list);
+}
+END_TEST
+
+/*******************************************************************************
+ * single test
+ */
+
+static void single_cleanup(void *data)
+{
+	ck_assert_int_eq((intptr_t)data, 1);
+}
+
+static void do_test_single(enumerator_t *enumerator)
+{
+	intptr_t x;
+
+	ck_assert(enumerator->enumerate(enumerator, &x));
+	ck_assert_int_eq(x, 1);
+	ck_assert(!enumerator->enumerate(enumerator, &x));
+	enumerator->destroy(enumerator);
+}
+
+START_TEST(test_single)
+{
+	enumerator_t *enumerator;
+
+	enumerator = enumerator_create_single((void*)1, NULL);
+	do_test_single(enumerator);
+}
+END_TEST
+
+START_TEST(test_single_cleanup)
+{
+	enumerator_t *enumerator;
+
+	enumerator = enumerator_create_single((void*)1, single_cleanup);
+	do_test_single(enumerator);
+}
+END_TEST
+
+Suite *enumerator_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("enumerator");
+
+	tc = tcase_create("tokens");
+	tcase_add_loop_test(tc, test_token, 0, countof(token_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("filtered");
+	tcase_add_checked_fixture(tc, setup_destroy_data, teardown_destroy_data);
+	tcase_add_test(tc, test_filtered);
+	tcase_add_test(tc, test_filtered_filter);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("nested");
+	tcase_add_checked_fixture(tc, setup_destroy_data, teardown_destroy_data);
+	tcase_add_test(tc, test_nested);
+	tcase_add_test(tc, test_nested_reset);
+	tcase_add_test(tc, test_nested_empty);
+	tcase_add_test(tc, test_nested_null);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("cleaner");
+	tcase_add_checked_fixture(tc, setup_destroy_data, teardown_destroy_data);
+	tcase_add_test(tc, test_cleaner);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("single");
+	tcase_add_test(tc, test_single);
+	tcase_add_test(tc, test_single_cleanup);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_hashtable.c b/src/libstrongswan/tests/test_hashtable.c
new file mode 100644
index 000000000..8cc7bfe42
--- /dev/null
+++ b/src/libstrongswan/tests/test_hashtable.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/hashtable.h>
+#include <utils/chunk.h>
+
+/*******************************************************************************
+ * string hash table functions
+ */
+
+static u_int hash(char *key)
+{
+	return chunk_hash(chunk_from_str(key));
+}
+
+static bool equals(char *key1, char *key2)
+{
+	return streq(key1, key2);
+}
+
+/*******************************************************************************
+ * test fixture
+ */
+
+static hashtable_t *ht;
+
+START_SETUP(setup_ht)
+{
+	ht = hashtable_create((hashtable_hash_t)hash,
+						  (hashtable_equals_t)equals, 0);
+	ck_assert_int_eq(ht->get_count(ht), 0);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_ht)
+{
+	ht->destroy(ht);
+}
+END_TEARDOWN
+
+/*******************************************************************************
+ * put/get
+ */
+
+START_TEST(test_put_get)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3";
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+
+	value = ht->put(ht, k1, v1);
+	ck_assert_int_eq(ht->get_count(ht), 1);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(ht->get(ht, k2) == NULL);
+	ck_assert(ht->get(ht, k3) == NULL);
+	ck_assert(value == NULL);
+
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(streq(ht->get(ht, k2), v2));
+	ck_assert(streq(ht->get(ht, k3), v3));
+
+	value = ht->put(ht, k2, v1);
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(streq(value, v2));
+	ck_assert(streq(ht->get(ht, k2), v1));
+}
+END_TEST
+
+/*******************************************************************************
+ * get_match
+ */
+
+static u_int hash_match(char *key)
+{
+	return chunk_hash(chunk_create(key, 4));
+}
+
+static bool equal_match(char *key1, char *key2)
+{
+	if (!strneq(key1, key2, 4))
+	{
+		return FALSE;
+	}
+	/* look for an item with a key < than what we look for */
+	return strcmp(key1, key2) >= 0;
+}
+
+START_TEST(test_get_match)
+{
+	char *k1 = "key1_a", *k2 = "key2", *k3 = "key1_b", *k4 = "key1_c";
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+
+	ht = hashtable_create((hashtable_hash_t)hash_match,
+						  (hashtable_equals_t)equals, 0);
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	value = ht->put(ht, k3, v3);
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(streq(ht->get(ht, k2), v2));
+	ck_assert(streq(ht->get(ht, k3), v3));
+	ck_assert(value == NULL);
+
+	value = ht->get_match(ht, k1, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v1));
+	value = ht->get_match(ht, k2, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v2));
+	value = ht->get_match(ht, k3, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v1));
+	value = ht->get_match(ht, k4, (hashtable_equals_t)equal_match);
+	ck_assert(value != NULL);
+	ck_assert(streq(value, v1));
+
+	ht->destroy(ht);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove
+ */
+
+static void do_remove(char *k1, char *k2, char *k3)
+{
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+
+	value = ht->remove(ht, k2);
+	ck_assert_int_eq(ht->get_count(ht), 2);
+	ck_assert(streq(ht->get(ht, k1), v1));
+	ck_assert(streq(ht->get(ht, k3), v3));
+	ck_assert(streq(value, v2));
+	ck_assert(ht->get(ht, k2) == NULL);
+
+	value = ht->remove(ht, k2);
+	ck_assert_int_eq(ht->get_count(ht), 2);
+	ck_assert(value == NULL);
+
+	value = ht->remove(ht, k1);
+	value = ht->remove(ht, k3);
+	ck_assert_int_eq(ht->get_count(ht), 0);
+	ck_assert(ht->get(ht, k1) == NULL);
+	ck_assert(ht->get(ht, k2) == NULL);
+	ck_assert(ht->get(ht, k3) == NULL);
+}
+
+START_TEST(test_remove)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3";
+
+	do_remove(k1, k2, k3);
+}
+END_TEST
+
+START_TEST(test_remove_one_bucket)
+{
+	char *k1 = "key1_a", *k2 = "key1_b", *k3 = "key1_c";
+
+	ht->destroy(ht);
+	/* set a capacity to avoid rehashing, which would change the items' order */
+	ht = hashtable_create((hashtable_hash_t)hash_match,
+						  (hashtable_equals_t)equals, 8);
+
+	do_remove(k1, k2, k3);
+}
+END_TEST
+
+/*******************************************************************************
+ * enumerator
+ */
+
+START_TEST(test_enumerator)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3", *key;
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value;
+	enumerator_t *enumerator;
+	int count;
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+
+	count = 0;
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		ck_assert(streq(key, k1) || streq(key, k2) || streq(key, k3));
+		ck_assert(streq(value, v1) || streq(value, v2) || streq(value, v3));
+		ck_assert(!streq(key, k1) || streq(value, v1));
+		ck_assert(!streq(key, k2) || streq(value, v2));
+		ck_assert(!streq(key, k3) || streq(value, v3));
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 3);
+
+	count = 0;
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, NULL, NULL))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 3);
+
+	value = ht->remove(ht, k1);
+	value = ht->remove(ht, k2);
+	value = ht->remove(ht, k3);
+
+	count = 0;
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+	ck_assert_int_eq(count, 0);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove_at
+ */
+
+static void do_remove_at(char *k1, char *k2, char *k3)
+{
+	char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value, *key;
+	enumerator_t *enumerator;
+
+	ht->put(ht, k1, v1);
+	ht->put(ht, k2, v2);
+	ht->put(ht, k3, v3);
+
+	enumerator = ht->create_enumerator(ht);
+	ht->remove_at(ht, enumerator);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		if (streq(key, k2))
+		{
+			ht->remove_at(ht, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	ck_assert_int_eq(ht->get_count(ht), 2);
+	ck_assert(ht->get(ht, k1) != NULL);
+	ck_assert(ht->get(ht, k3) != NULL);
+	ck_assert(ht->get(ht, k2) == NULL);
+
+	ht->put(ht, k2, v2);
+
+	ck_assert_int_eq(ht->get_count(ht), 3);
+	ck_assert(ht->get(ht, k1) != NULL);
+	ck_assert(ht->get(ht, k2) != NULL);
+	ck_assert(ht->get(ht, k3) != NULL);
+
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		ht->remove_at(ht, enumerator);
+	}
+	enumerator->destroy(enumerator);
+
+	ck_assert_int_eq(ht->get_count(ht), 0);
+	ck_assert(ht->get(ht, k1) == NULL);
+	ck_assert(ht->get(ht, k2) == NULL);
+	ck_assert(ht->get(ht, k3) == NULL);
+}
+
+START_TEST(test_remove_at)
+{
+	char *k1 = "key1", *k2 = "key2", *k3 = "key3";
+
+	do_remove_at(k1, k2, k3);
+}
+END_TEST
+
+START_TEST(test_remove_at_one_bucket)
+{
+	char *k1 = "key1_a", *k2 = "key1_b", *k3 = "key1_c";
+
+	ht->destroy(ht);
+	/* set a capacity to avoid rehashing, which would change the items' order */
+	ht = hashtable_create((hashtable_hash_t)hash_match,
+						  (hashtable_equals_t)equals, 8);
+	do_remove_at(k1, k2, k3);
+}
+END_TEST
+
+Suite *hashtable_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("hashtable");
+
+	tc = tcase_create("put/get");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_put_get);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("get_match");
+	tcase_add_test(tc, test_get_match);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("remove");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_remove);
+	tcase_add_test(tc, test_remove_one_bucket);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("enumerator");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_enumerator);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("remove_at");
+	tcase_add_checked_fixture(tc, setup_ht, teardown_ht);
+	tcase_add_test(tc, test_remove_at);
+	tcase_add_test(tc, test_remove_at_one_bucket);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_host.c b/src/libstrongswan/tests/test_host.c
new file mode 100644
index 000000000..1a68ffc50
--- /dev/null
+++ b/src/libstrongswan/tests/test_host.c
@@ -0,0 +1,645 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <networking/host.h>
+
+/**
+ * Verify a netmask (a number of set bits starting at byte 0)
+ * Can also be used to check for %any (mask == 0)
+ */
+static void verify_netmask(chunk_t addr, int mask)
+{
+	int byte, bit;
+
+	for (byte = 0; byte < addr.len; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			int val = (addr.ptr[byte] >> bit) & 0x01;
+			if (mask-- > 0)
+			{
+				ck_assert_int_eq(val, 1);
+			}
+			else
+			{
+				ck_assert_int_eq(val, 0);
+			}
+		}
+	}
+}
+
+/*******************************************************************************
+ * host_create_any
+ */
+
+static void verify_any(host_t *host, int family, u_int16_t port)
+{
+	verify_netmask(host->get_address(host), 0);
+	ck_assert(host->is_anyaddr(host));
+	ck_assert_int_eq(host->get_port(host), port);
+	ck_assert_int_eq(host->get_family(host), family);
+}
+
+static void test_create_any(int family)
+{
+	host_t *host;
+
+	host = host_create_any(family);
+	verify_any(host, family, 0);
+	host->destroy(host);
+}
+
+START_TEST(test_create_any_v4)
+{
+	test_create_any(AF_INET);
+}
+END_TEST
+
+START_TEST(test_create_any_v6)
+{
+	test_create_any(AF_INET6);
+}
+END_TEST
+
+START_TEST(test_create_any_other)
+{
+	host_t *host;
+
+	host = host_create_any(AF_UNSPEC);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_string
+ */
+
+static void verify_address(host_t *host, chunk_t addr, int family, u_int16_t port)
+{
+	ck_assert(chunk_equals(host->get_address(host), addr));
+	ck_assert(!host->is_anyaddr(host));
+	ck_assert_int_eq(host->get_port(host), port);
+	ck_assert_int_eq(host->get_family(host), family);
+}
+
+static const chunk_t addr_v4 = chunk_from_chars(0xc0, 0xa8, 0x00, 0x01);
+static const chunk_t addr_v6 = chunk_from_chars(0xfe, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+												0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01);
+
+START_TEST(test_create_from_string_v4)
+{
+	host_t *host;
+
+	host = host_create_from_string("%any", 500);
+	verify_any(host, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("%any4", 500);
+	verify_any(host, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("0.0.0.0", 500);
+	verify_any(host, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("192.168.0.1", 500);
+	verify_address(host, addr_v4, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("192.168.0.1::500", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("123.456.789.012", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("1.1.1.1.1.1.1.1", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("foo.b.a.r", 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_string_any_v6)
+{
+	host_t *host;
+
+	host = host_create_from_string("%any6", 500);
+	verify_any(host, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("::", 500);
+	verify_any(host, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("fec1::1", 500);
+	verify_address(host, addr_v6, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_string("fec1::1.500", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("f::e::c::1::1", 500);
+	ck_assert(host == NULL);
+	host = host_create_from_string("foo::bar", 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_string_and_family
+ */
+
+static void test_create_from_string_and_family_any(char *string, int family,
+												   int expected)
+{
+	host_t *host;
+
+	host = host_create_from_string_and_family(string, family, 500);
+	if (expected == AF_UNSPEC)
+	{
+		ck_assert(host == NULL);
+	}
+	else
+	{
+		verify_any(host, expected, 500);
+		host->destroy(host);
+	}
+}
+
+static void test_create_from_string_and_family_addr(char *string, chunk_t addr,
+													int family, int expected)
+{
+	host_t *host;
+
+	host = host_create_from_string_and_family(string, family, 500);
+	if (expected == AF_UNSPEC)
+	{
+		ck_assert(host == NULL);
+	}
+	else
+	{
+		verify_address(host, addr, expected, 500);
+		host->destroy(host);
+	}
+}
+
+START_TEST(test_create_from_string_and_family_v4)
+{
+	test_create_from_string_and_family_any("%any", AF_INET, AF_INET);
+	test_create_from_string_and_family_any("%any4", AF_INET, AF_INET);
+	test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET);
+
+	test_create_from_string_and_family_any("%any4", AF_INET6, AF_UNSPEC);
+	test_create_from_string_and_family_any("0.0.0.0", AF_INET6, AF_UNSPEC);
+
+	test_create_from_string_and_family_addr("192.168.0.1", addr_v4, AF_INET, AF_INET);
+	test_create_from_string_and_family_addr("192.168.0.1", addr_v4, AF_INET6, AF_UNSPEC);
+}
+END_TEST
+
+START_TEST(test_create_from_string_and_family_v6)
+{
+	test_create_from_string_and_family_any("%any", AF_INET6, AF_INET6);
+	test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6);
+	test_create_from_string_and_family_any("::", AF_INET6, AF_INET6);
+
+	test_create_from_string_and_family_any("%any6", AF_INET, AF_UNSPEC);
+	test_create_from_string_and_family_any("::", AF_INET, AF_UNSPEC);
+
+	test_create_from_string_and_family_addr("fec1::1", addr_v6, AF_INET6, AF_INET6);
+	test_create_from_string_and_family_addr("fec1::1", addr_v6, AF_INET, AF_UNSPEC);
+}
+END_TEST
+
+START_TEST(test_create_from_string_and_family_other)
+{
+	test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET);
+	test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET);
+	test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET);
+
+	test_create_from_string_and_family_any("%any6", AF_UNSPEC, AF_INET6);
+	test_create_from_string_and_family_any("::", AF_UNSPEC, AF_INET6);
+
+	test_create_from_string_and_family_addr("192.168.0.1", addr_v4, AF_UNSPEC, AF_INET);
+	test_create_from_string_and_family_addr("fec1::1", addr_v6, AF_UNSPEC, AF_INET6);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_sockaddr
+ */
+
+START_TEST(test_create_from_sockaddr_v4)
+{
+	struct sockaddr_in addr = {
+		.sin_family = AF_INET,
+		.sin_port = htons(500),
+	}, *val;
+	socklen_t *socklen;
+	host_t *host;
+
+	host = host_create_from_sockaddr((sockaddr_t*)&addr);
+	verify_any(host, AF_INET, 500);
+	val = (struct sockaddr_in*)host->get_sockaddr(host);
+	ck_assert(memeq(&addr, val, sizeof(addr)));
+	socklen = host->get_sockaddr_len(host);
+	ck_assert(*socklen == sizeof(addr));
+	host->destroy(host);
+}
+END_TEST
+
+START_TEST(test_create_from_sockaddr_v6)
+{
+	struct sockaddr_in6 addr = {
+		.sin6_family = AF_INET6,
+		.sin6_port = htons(500),
+	}, *val;
+	socklen_t *socklen;
+	host_t *host;
+
+	host = host_create_from_sockaddr((sockaddr_t*)&addr);
+	verify_any(host, AF_INET6, 500);
+	val = (struct sockaddr_in6*)host->get_sockaddr(host);
+	ck_assert(memeq(&addr, val, sizeof(addr)));
+	socklen = host->get_sockaddr_len(host);
+	ck_assert(*socklen == sizeof(addr));
+	host->destroy(host);
+}
+END_TEST
+
+START_TEST(test_create_from_sockaddr_other)
+{
+	struct sockaddr_un addr = {
+		.sun_family = AF_UNIX,
+	};
+	host_t *host;
+
+	host = host_create_from_sockaddr((sockaddr_t*)&addr);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_chunk
+ */
+
+START_TEST(test_create_from_chunk_v4)
+{
+	host_t *host;
+
+	host = host_create_from_chunk(AF_INET, addr_v4, 500);
+	verify_address(host, addr_v4, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_UNSPEC, addr_v4, 500);
+	verify_address(host, addr_v4, AF_INET, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_INET, chunk_empty, 500);
+	ck_assert(host == NULL);
+	host = host_create_from_chunk(AF_UNSPEC, chunk_empty, 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_chunk_v6)
+{
+	host_t *host;
+
+	host = host_create_from_chunk(AF_INET6, addr_v6, 500);
+	verify_address(host, addr_v6, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_UNSPEC, addr_v6, 500);
+	verify_address(host, addr_v6, AF_INET6, 500);
+	host->destroy(host);
+
+	host = host_create_from_chunk(AF_INET6, chunk_empty, 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_chunk_other)
+{
+	host_t *host;
+
+	host = host_create_from_chunk(AF_UNIX, addr_v6, 500);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_from_subnet
+ */
+
+START_TEST(test_create_from_subnet_v4)
+{
+	host_t *host;
+	int bits = -1;
+
+	host = host_create_from_subnet("0.0.0.0/0", &bits);
+	verify_any(host, AF_INET, 0);
+	ck_assert_int_eq(bits, 0);
+	host->destroy(host);
+
+	host = host_create_from_subnet("192.168.0.1", &bits);
+	verify_address(host, addr_v4, AF_INET, 0);
+	ck_assert_int_eq(bits, 32);
+	host->destroy(host);
+
+	host = host_create_from_subnet("192.168.0.1/24", &bits);
+	verify_address(host, addr_v4, AF_INET, 0);
+	ck_assert_int_eq(bits, 24);
+	host->destroy(host);
+
+	host = host_create_from_subnet("foo.b.a.r", &bits);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+START_TEST(test_create_from_subnet_v6)
+{
+	host_t *host;
+	int bits = -1;
+
+	host = host_create_from_subnet("::/0", &bits);
+	verify_any(host, AF_INET6, 0);
+	ck_assert_int_eq(bits, 0);
+	host->destroy(host);
+
+	host = host_create_from_subnet("fec1::1", &bits);
+	verify_address(host, addr_v6, AF_INET6, 0);
+	ck_assert_int_eq(bits, 128);
+	host->destroy(host);
+
+	host = host_create_from_subnet("fec1::1/64", &bits);
+	verify_address(host, addr_v6, AF_INET6, 0);
+	ck_assert_int_eq(bits, 64);
+	host->destroy(host);
+
+	host = host_create_from_subnet("foo::bar", &bits);
+	ck_assert(host == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * host_create_netmask
+ */
+
+static void test_create_netmask(int family)
+{
+	host_t *netmask;
+	int i, len = (family == AF_INET) ? 32 : 128;
+
+	netmask = host_create_netmask(family, -1);
+	ck_assert(netmask == NULL);
+	for (i = 0; i <= len; i++)
+	{
+		netmask = host_create_netmask(family, i);
+		verify_netmask(netmask->get_address(netmask), i);
+		netmask->destroy(netmask);
+	}
+	netmask = host_create_netmask(family, len + 1);
+	ck_assert(netmask == NULL);
+}
+
+START_TEST(test_create_netmask_v4)
+{
+	test_create_netmask(AF_INET);
+}
+END_TEST
+
+START_TEST(test_create_netmask_v6)
+{
+	test_create_netmask(AF_INET6);
+}
+END_TEST
+
+START_TEST(test_create_netmask_other)
+{
+	host_t *netmask;
+
+	netmask = host_create_netmask(AF_UNSPEC, 0);
+	ck_assert(netmask == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * equals, ip_equals
+ */
+
+START_TEST(test_equals)
+{
+	host_t *a, *b;
+
+	a = host_create_from_string("192.168.0.1", 500);
+	b = host_create_from_string("192.168.0.1", 0);
+	ck_assert(!a->equals(a, b));
+	ck_assert(!b->equals(b, a));
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(b->ip_equals(b, a));
+	b->set_port(b, 500);
+	ck_assert(a->equals(a, b));
+	ck_assert(b->equals(b, a));
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(b->ip_equals(b, a));
+	b->destroy(b);
+	b = host_create_from_string("192.168.0.2", 500);
+	ck_assert(!a->ip_equals(a, b));
+	ck_assert(!a->equals(a, b));
+	b->destroy(b);
+
+	b = host_create_from_string("fec1::1", 500);
+	ck_assert(!a->ip_equals(a, b));
+	ck_assert(!a->equals(a, b));
+	a->destroy(a);
+	a = host_create_from_string("fec1::1", 500);
+	ck_assert(a->equals(a, b));
+	ck_assert(a->ip_equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_equals_any)
+{
+	host_t *a, *b;
+
+	a = host_create_from_string("%any", 500);
+	b = host_create_from_string("%any", 0);
+	ck_assert(!a->equals(a, b));
+	ck_assert(a->ip_equals(a, b));
+	b->set_port(b, 500);
+	ck_assert(a->equals(a, b));
+	ck_assert(a->ip_equals(a, b));
+	b->destroy(b);
+	b = host_create_from_string("%any6", 0);
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(!a->equals(a, b));
+	b->set_port(b, 500);
+	ck_assert(a->ip_equals(a, b));
+	ck_assert(a->equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+/*******************************************************************************
+ * clone
+ */
+
+START_TEST(test_clone)
+{
+	host_t *a, *b;
+
+	a = host_create_from_string("192.168.0.1", 500);
+	b = a->clone(a);
+	ck_assert(a != b);
+	ck_assert(a->equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+/*******************************************************************************
+ * printf hook
+ */
+
+static struct {
+	char *addr;
+	u_int16_t port;
+	/* results for %H, %+H, %#H (falls back to [0]) */
+	char *result[3];
+} printf_data[] = {
+	{NULL,          0, { "(null)" }},
+	{NULL,        500, { "(null)" }},
+	{"%any",        0, { "%any", "0.0.0.0", "0.0.0.0[0]" }},
+	{"%any",      500, { "%any", "0.0.0.0", "0.0.0.0[500]" }},
+	{"%any6",       0, { "%any6", "::", "::[0]" }},
+	{"%any6",     500, { "%any6", "::", "::[500]" }},
+	{"192.168.0.1",   0, { "192.168.0.1", "192.168.0.1", "192.168.0.1[0]" }},
+	{"192.168.0.1", 500, { "192.168.0.1", "192.168.0.1", "192.168.0.1[500]" }},
+	{"fec1::1",     0, { "fec1::1", "fec1::1", "fec1::1[0]" }},
+	{"fec1::1",   500, { "fec1::1", "fec1::1", "fec1::1[500]" }},
+};
+
+static void verify_printf(host_t *host, const char *format, char *expected)
+{
+	char buf[64];
+
+	snprintf(buf, sizeof(buf), format, host);
+	ck_assert_str_eq(expected, buf);
+}
+
+START_TEST(test_printf_hook)
+{
+	static const char *formats[] = { "%H", "%+H", "%#H" };
+	host_t *host = NULL;
+	char *expected;
+	int i;
+
+	if (printf_data[_i].addr)
+	{
+		host = host_create_from_string(printf_data[_i].addr,
+									   printf_data[_i].port);
+	}
+	for (i = 0; i < countof(formats); i++)
+	{
+		expected = printf_data[_i].result[i];
+		expected = expected ?: printf_data[_i].result[0];
+		verify_printf(host, formats[i], expected);
+	}
+	DESTROY_IF(host);
+}
+END_TEST
+
+START_TEST(test_printf_hook_align)
+{
+	host_t *host;
+
+	verify_printf(NULL, "%14H", "        (null)");
+	verify_printf(NULL, "%-14H", "(null)        ");
+
+	host = host_create_from_string("192.168.0.1", 0);
+	verify_printf(host, "%14H", "   192.168.0.1");
+	verify_printf(host, "%-14H", "192.168.0.1   ");
+	verify_printf(host, "%4H", "192.168.0.1");
+	verify_printf(host, "%-4H", "192.168.0.1");
+	host->destroy(host);
+}
+END_TEST
+
+Suite *host_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("host");
+
+	tc = tcase_create("host_create_any");
+	tcase_add_test(tc, test_create_any_v4);
+	tcase_add_test(tc, test_create_any_v6);
+	tcase_add_test(tc, test_create_any_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_string");
+	tcase_add_test(tc, test_create_from_string_v4);
+	tcase_add_test(tc, test_create_from_string_any_v6);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_string_and_family");
+	tcase_add_test(tc, test_create_from_string_and_family_v4);
+	tcase_add_test(tc, test_create_from_string_and_family_v6);
+	tcase_add_test(tc, test_create_from_string_and_family_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_sockaddr");
+	tcase_add_test(tc, test_create_from_sockaddr_v4);
+	tcase_add_test(tc, test_create_from_sockaddr_v6);
+	tcase_add_test(tc, test_create_from_sockaddr_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_chunk");
+	tcase_add_test(tc, test_create_from_chunk_v4);
+	tcase_add_test(tc, test_create_from_chunk_v6);
+	tcase_add_test(tc, test_create_from_chunk_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_from_subnet");
+	tcase_add_test(tc, test_create_from_subnet_v4);
+	tcase_add_test(tc, test_create_from_subnet_v6);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("host_create_netmask");
+	tcase_add_test(tc, test_create_netmask_v4);
+	tcase_add_test(tc, test_create_netmask_v6);
+	tcase_add_test(tc, test_create_netmask_other);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("equals, ip_equals");
+	tcase_add_test(tc, test_equals);
+	tcase_add_test(tc, test_equals_any);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clone");
+	tcase_add_test(tc, test_clone);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf hook");
+	tcase_add_loop_test(tc, test_printf_hook, 0, countof(printf_data));
+	tcase_add_test(tc, test_printf_hook_align);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_identification.c b/src/libstrongswan/tests/test_identification.c
new file mode 100644
index 000000000..b0b3ce826
--- /dev/null
+++ b/src/libstrongswan/tests/test_identification.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <utils/identification.h>
+
+/*******************************************************************************
+ * create (_from_encoding, _from_data, _from_string, _from_sockaddr)
+ */
+
+START_TEST(test_from_encoding)
+{
+	identification_t *a;
+	chunk_t expected, encoding;
+
+	/* only ID_ANY is handled differently, for all other types the following
+	 * applies.  should we perhaps test that this is in fact the case? */
+	expected = chunk_from_str("moon@strongswan.org");
+	a = identification_create_from_encoding(ID_RFC822_ADDR, expected);
+	ck_assert(ID_RFC822_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(expected.ptr != encoding.ptr);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	a = identification_create_from_encoding(ID_ANY, expected);
+	ck_assert(ID_ANY == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(encoding.ptr == NULL);
+	ck_assert(encoding.len == 0);
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_from_data)
+{
+	identification_t *a;
+	chunk_t expected, encoding;
+
+	/* this uses the DN parser (C=CH) */
+	expected = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+								0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48);
+	a = identification_create_from_data(expected);
+	ck_assert(ID_DER_ASN1_DN == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(expected.ptr != encoding.ptr);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	/* everything else is handled by the string parser */
+	expected = chunk_from_str("moon@strongswan.org");
+	a = identification_create_from_data(expected);
+	ck_assert(ID_RFC822_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(expected.ptr != encoding.ptr);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_from_sockaddr)
+{
+	identification_t *a;
+	chunk_t expected, encoding;
+	struct sockaddr_in in = {
+		.sin_family = AF_INET,
+	};
+	struct sockaddr_in6 in6 = {
+		.sin6_family = AF_INET6,
+	};
+
+	expected = chunk_from_chars(0xc0, 0xa8, 0x01, 0x01);
+	memcpy(&in.sin_addr, expected.ptr, sizeof(in.sin_addr));
+	a = identification_create_from_sockaddr((sockaddr_t*)&in);
+	ck_assert(ID_IPV4_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	expected = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+								0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01);
+	memcpy(&in6.sin6_addr, expected.ptr, sizeof(in6.sin6_addr));
+	a = identification_create_from_sockaddr((sockaddr_t*)&in6);
+	ck_assert(ID_IPV6_ADDR == a->get_type(a));
+	encoding = a->get_encoding(a);
+	ck_assert(chunk_equals(expected, encoding));
+	a->destroy(a);
+
+	in6.sin6_family = AF_UNSPEC;
+	a = identification_create_from_sockaddr((sockaddr_t*)&in6);
+	ck_assert(ID_ANY == a->get_type(a));
+	a->destroy(a);
+}
+END_TEST
+
+static struct {
+	char *id;
+	id_type_t type;
+	struct {
+		enum {
+			ENC_CHUNK,
+			ENC_STRING,
+			ENC_SIMPLE,
+		} type;
+		union {
+			chunk_t c;
+			char *s;
+		} data;
+	} result;
+} string_data[] = {
+	{NULL,      ID_ANY,  { .type = ENC_CHUNK }},
+	{"",        ID_ANY,  { .type = ENC_CHUNK }},
+	{"%any",    ID_ANY,  { .type = ENC_CHUNK }},
+	{"%any6",   ID_ANY,  { .type = ENC_CHUNK }},
+	{"0.0.0.0", ID_ANY,  { .type = ENC_CHUNK }},
+	{"0::0",    ID_ANY,  { .type = ENC_CHUNK }},
+	{"::",      ID_ANY,  { .type = ENC_CHUNK }},
+	{"*",       ID_ANY,  { .type = ENC_CHUNK }},
+	{"any",     ID_FQDN, { .type = ENC_SIMPLE }},
+	{"any6",    ID_FQDN, { .type = ENC_SIMPLE }},
+	{"0",       ID_FQDN, { .type = ENC_SIMPLE }},
+	{"**",      ID_FQDN, { .type = ENC_SIMPLE }},
+	{"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
+									.data.c = chunk_from_chars(0xc0, 0xa8, 0x01, 0x01) }},
+	{"192.168.",ID_FQDN, { .type = ENC_SIMPLE }},
+	{".",       ID_FQDN, { .type = ENC_SIMPLE }},
+	{"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+														   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01) }},
+	{"fec0::",  ID_IPV6_ADDR, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+														   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) }},
+	{"fec0:",   ID_KEY_ID,    { .type = ENC_SIMPLE }},
+	{":",       ID_KEY_ID,    { .type = ENC_SIMPLE }},
+	{"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"alice@",  ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"alice",   ID_FQDN, { .type = ENC_SIMPLE }},
+	{"@",       ID_FQDN, { .type = ENC_CHUNK }},
+	{" @",      ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+	{"@strongswan.org",  ID_FQDN, { .type = ENC_STRING,
+									.data.s = "strongswan.org" }},
+	{"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0xde, 0xad, 0xbe, 0xef) }},
+	{"@#deadbee",  ID_KEY_ID, { .type = ENC_CHUNK,
+								.data.c = chunk_from_chars(0x0d, 0xea, 0xdb, 0xee) }},
+	{"foo=bar",    ID_KEY_ID, { .type = ENC_SIMPLE }},
+	{"foo=",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
+	{"=bar",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
+	{"C=",		   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0b, 0x31, 0x09, 0x30, 0x07, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x00)}},
+	{"C=CH",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
+	{"C=CH,",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
+	{"C=CH, ",	   ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+									 .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
+																0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
+	{"C=CH, O",	   ID_KEY_ID, { .type = ENC_SIMPLE }},
+};
+
+START_TEST(test_from_string)
+{
+	identification_t *a;
+	chunk_t encoding, expected;
+	char *id;
+
+	id = string_data[_i].id;
+	a = identification_create_from_string(id);
+	fail_unless(a->get_type(a) == string_data[_i].type,
+				"type of id '%s' is %N, %N expected", id,
+				id_type_names, a->get_type(a),
+				id_type_names, string_data[_i].type);
+
+	encoding = a->get_encoding(a);
+	switch (string_data[_i].result.type)
+	{
+		case ENC_SIMPLE:
+			expected = chunk_from_str(string_data[_i].id);
+			break;
+		case ENC_STRING:
+			expected = chunk_from_str(string_data[_i].result.data.s);
+			break;
+		case ENC_CHUNK:
+			expected = string_data[_i].result.data.c;
+			break;
+		default:
+			fail("unexpected result type");
+	}
+
+	ck_assert(!id || (char*)encoding.ptr != id);
+	if (expected.ptr)
+	{
+		fail_unless(chunk_equals(encoding, expected),
+					"parsing '%s' failed\nencoding %B\nexpected %B\n",
+					id, &encoding, &expected);
+	}
+	else
+	{
+		ck_assert(encoding.ptr == NULL);
+		ck_assert(encoding.len == 0);
+	}
+	a->destroy(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * printf_hook
+ */
+
+static void string_equals(char *a_str, char *b_str)
+{
+	identification_t *b;
+	char buf[128];
+
+	b = b_str ? identification_create_from_string(b_str) : NULL;
+	snprintf(buf, sizeof(buf), "%Y", b);
+	DESTROY_IF(b);
+	ck_assert_str_eq(a_str, buf);
+}
+
+static void string_equals_id(char *a_str, identification_t *b)
+{
+	char buf[128];
+
+	snprintf(buf, sizeof(buf), "%Y", b);
+	DESTROY_IF(b);
+	ck_assert_str_eq(a_str, buf);
+}
+
+START_TEST(test_printf_hook)
+{
+	string_equals("(null)", NULL);
+	string_equals("%any", "");
+	string_equals("%any", "%any");
+	string_equals("%any", "*");
+
+	string_equals("192.168.1.1", "192.168.1.1");
+	string_equals_id("(invalid ID_IPV4_ADDR)",
+				identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+	string_equals("fec0::1", "fec0::1");
+	string_equals("fec0::1", "fec0:0:0::1");
+	string_equals_id("(invalid ID_IPV6_ADDR)",
+				identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
+
+	string_equals_id("(unknown ID type: 255)",
+				identification_create_from_encoding(255, chunk_empty));
+
+	string_equals("moon@strongswan.org", "moon@strongswan.org");
+	string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
+	/* non-printable characters */
+	string_equals_id("????@strongswan.org", identification_create_from_encoding(ID_RFC822_ADDR,
+			chunk_from_chars(0xfa, 0xfb, 0xfc, 0xfd, 0x40, 0x73, 0x74, 0x72,
+							 0x6f, 0x6e, 0x67, 0x73, 0x77, 0x61, 0x6e, 0x2e,
+							 0x6f, 0x72, 0x67)));
+
+	/* not a DN => ID_KEY_ID => no normalization */
+	string_equals("C=CH, AsdF=asdf", "C=CH, AsdF=asdf");
+	string_equals_id("moon@strongswan.org", identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_str("moon@strongswan.org")));
+	/* non-printable characters */
+	string_equals_id("de:ad:be:ef", identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_chars(0xde, 0xad, 0xbe, 0xef)));
+	/* printable characters */
+	string_equals_id("ABCDEFGHIJKLMNOPQRS",
+		identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_chars(0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
+							 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+							 0x51, 0x52, 0x53)));
+	/* ABCDEFGHIJKLMNOPQRST is printable but has the length of a SHA1 hash */
+	string_equals_id("41:42:43:44:45:46:47:48:49:4a:4b:4c:4d:4e:4f:50:51:52:53:54",
+		identification_create_from_encoding(ID_KEY_ID,
+			chunk_from_chars(0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
+							 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+							 0x51, 0x52, 0x53, 0x54)));
+
+	string_equals_id("", identification_create_from_encoding(ID_DER_ASN1_DN, chunk_empty));
+	string_equals("C=", "C=");
+	string_equals("C=", "C=,");
+	string_equals("C=", "C=, ");
+	string_equals("C=", "C= , ");
+	string_equals("C=, O=strongSwan", "C=, O=strongSwan");
+	string_equals("C=CH, O=", "C=CH, O=");
+	string_equals("C=CH, O=strongSwan, CN=strongswan.org",
+				  "C=CH, O=strongSwan, CN=strongswan.org");
+	string_equals("CN=strongswan.org, O=strongSwan, C=CH",
+				  "cn=strongswan.org, o=strongSwan, c=CH");
+	string_equals("C=CH, O=strongSwan, CN=strongswan.org",
+				  "C=CH,O=strongSwan,CN=strongswan.org");
+	string_equals("C=CH, O=strongSwan, CN=strongswan.org",
+				  "/C=CH/O=strongSwan/CN=strongswan.org");
+	string_equals("CN=strongswan.org, O=strongSwan, C=CH",
+				  "CN=strongswan.org,O=strongSwan,C=CH");
+
+	string_equals("C=CH, E=moon@strongswan.org, CN=moon",
+				  "C=CH, email=moon@strongswan.org, CN=moon");
+	string_equals("C=CH, E=moon@strongswan.org, CN=moon",
+				  "C=CH, emailAddress=moon@strongswan.org, CN=moon");
+
+	/* C=CH, pseudonym=ANO (pseudonym is currently not recognized) */
+	string_equals_id("C=CH, 55:04:41=ANO", identification_create_from_encoding(ID_DER_ASN1_DN,
+		chunk_from_chars(0x30, 0x19, 0x31, 0x17, 0x30, 0x09, 0x06, 0x03, 0x55,
+						 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x30, 0x0a, 0x06,
+						 0x03, 0x55, 0x04, 0x41, 0x13, 0x03, 0x41, 0x4e, 0x4f)));
+	/* C=CH, O=strongSwan (but instead of a 2nd OID -0x06- we got NULL -0x05) */
+	string_equals_id("C=CH, (invalid ID_DER_ASN1_DN)", identification_create_from_encoding(ID_DER_ASN1_DN,
+		chunk_from_chars(0x30, 0x20, 0x31, 0x1e, 0x30, 0x09, 0x06, 0x03, 0x55,
+						 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x30, 0x11, 0x05,
+						 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x73, 0x74, 0x72,
+						 0x6f, 0x6e, 0x67, 0x53, 0x77, 0x61, 0x6e)));
+	/* moon@strongswan.org as GN */
+	string_equals_id("(ASN.1 general name)", identification_create_from_encoding(ID_DER_ASN1_GN,
+		chunk_from_chars(0x81, 0x14, 0x6d, 0x6f, 0x6f, 0x6e, 0x40, 0x73, 0x74,
+						 0x72, 0x6f, 0x6e, 0x67, 0x73, 0x77, 0x61, 0x6e, 0x2e,
+						 0x6f, 0x72, 0x67)));
+}
+END_TEST
+
+START_TEST(test_printf_hook_width)
+{
+	identification_t *a;
+	char buf[128];
+
+	a = identification_create_from_string("moon@strongswan.org");
+	snprintf(buf, sizeof(buf), "%25Y", a);
+	ck_assert_str_eq("      moon@strongswan.org", buf);
+	snprintf(buf, sizeof(buf), "%-*Y", 25, a);
+	ck_assert_str_eq("moon@strongswan.org      ", buf);
+	snprintf(buf, sizeof(buf), "%5Y", a);
+	ck_assert_str_eq("moon@strongswan.org", buf);
+	DESTROY_IF(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * equals
+ */
+
+static bool id_equals(identification_t *a, char *b_str)
+{
+	identification_t *b;
+	bool equals;
+
+	b = identification_create_from_string(b_str);
+	equals = a->equals(a, b);
+	equals = equals && b->equals(b, a);
+	b->destroy(b);
+	return equals;
+}
+
+START_TEST(test_equals)
+{
+	identification_t *a;
+	chunk_t encoding, fuzzed;
+	int i;
+
+	/* this test also tests identification_create_from_string with DNs */
+	a = identification_create_from_string(
+							 "C=CH, E=moon@strongswan.org, CN=moon");
+
+	ck_assert(id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"));
+	ck_assert(id_equals(a, "C==CH, E==moon@strongswan.org,,, CN==moon"));
+	ck_assert(id_equals(a, "  C=CH, E=moon@strongswan.org, CN=moon  "));
+	ck_assert(id_equals(a, "C=ch, E=moon@STRONGSWAN.ORG, CN=Moon"));
+	ck_assert(id_equals(a, "/C=CH/E=moon@strongswan.org/CN=moon"));
+	ck_assert(id_equals(a, "C=CH/E=moon@strongswan.org/CN=moon"));
+	ck_assert(id_equals(a, "C=CH/E=moon@strongswan.org,CN=moon"));
+	ck_assert(id_equals(a, "C=CH / E=moon@strongswan.org , CN=moon"));
+
+	ck_assert(!id_equals(a, "C=CH E=moon@strongswan.org CN=moon"));
+	ck_assert(!id_equals(a, "C=CN, E=moon@strongswan.org, CN=moon"));
+	ck_assert(!id_equals(a, "E=moon@strongswan.org, C=CH, CN=moon"));
+	ck_assert(!id_equals(a, "E=moon@strongswan.org, C=CH, CN=moon"));
+
+	encoding = chunk_clone(a->get_encoding(a));
+	a->destroy(a);
+
+	/* simple fuzzing, increment each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 60)
+		{	/* skip ASN.1 type fields, as equals() handles them graceful */
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]++;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		if (id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"))
+		{
+			printf("%d %B\n%B\n", i, &fuzzed, &encoding);
+		}
+		ck_assert(!id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"));
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+
+	/* and decrement each byte of encoding */
+	for (i = 0; i < encoding.len; i++)
+	{
+		if (i == 11 || i == 30 || i == 60)
+		{
+			continue;
+		}
+		fuzzed = chunk_clone(encoding);
+		fuzzed.ptr[i]--;
+		a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+		ck_assert(!id_equals(a, "C=CH, E=moon@strongswan.org, CN=moon"));
+		a->destroy(a);
+		free(fuzzed.ptr);
+	}
+	free(encoding.ptr);
+}
+END_TEST
+
+START_TEST(test_equals_any)
+{
+	identification_t *a, *b;
+
+	a = identification_create_from_string("%any");
+	b = identification_create_from_encoding(ID_ANY, chunk_empty);
+	ck_assert(a->equals(a, b));
+	ck_assert(b->equals(b, a));
+	b->destroy(b);
+
+	b = identification_create_from_string("C=CH, O=strongSwan, CN=strongswan.org");
+	ck_assert(!a->equals(a, b));
+	ck_assert(!b->equals(b, a));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_equals_binary)
+{
+	identification_t *a, *b;
+	chunk_t encoding;
+
+	encoding = chunk_from_str("foobar=");
+	/* strings containing = are parsed as KEY_ID if they aren't valid ASN.1 DNs */
+	a = identification_create_from_string("foobar=");
+	ck_assert(a->get_type(a) == ID_KEY_ID);
+	b = identification_create_from_encoding(ID_KEY_ID, encoding);
+	ck_assert(a->equals(a, b));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_equals_fqdn)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("ipsec.strongswan.org");
+	ck_assert(id_equals(a, "IPSEC.strongswan.org"));
+	ck_assert(id_equals(a, "ipsec.strongSwan.org"));
+	ck_assert(id_equals(a, "ipsec.strongSwan.ORG"));
+	ck_assert(!id_equals(a, "strongswan.org"));
+	a->destroy(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * matches
+ */
+
+static bool id_matches(identification_t *a, char *b_str, id_match_t expected)
+{
+	identification_t *b;
+	id_match_t match;
+
+	b = identification_create_from_string(b_str);
+	match = a->matches(a, b);
+	b->destroy(b);
+	return match == expected;
+}
+
+START_TEST(test_matches)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("C=CH, E=moon@strongswan.org, CN=moon");
+
+	ck_assert(id_matches(a, "C=CH, E=moon@strongswan.org, CN=moon", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "C=CH, E=*, CN=moon", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "C=CH, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 1));
+	ck_assert(id_matches(a, "C=*, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 2));
+	ck_assert(id_matches(a, "C=*, E=*, CN=*, O=BADInc", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "C=*, E=*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "C=*, E=a@b.c, CN=*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_matches_any)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("%any");
+
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "*", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "moon@strongswan.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "vpn.strongswan.org", ID_MATCH_NONE));
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_matches_binary)
+{
+	identification_t *a;
+
+	/* strings containing = are parsed as KEY_ID if they aren't valid ASN.1 DNs */
+	a = identification_create_from_string("foo=bar");
+	ck_assert(a->get_type(a) == ID_KEY_ID);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "foo=bar", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "bar=foo", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*=bar", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo=*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+	a->destroy(a);
+}
+END_TEST
+
+START_TEST(test_matches_string)
+{
+	identification_t *a;
+
+	a = identification_create_from_string("moon@strongswan.org");
+
+	ck_assert(id_matches(a, "moon@strongswan.org", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "*@strongswan.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*@*.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*@*", ID_MATCH_NONE));
+	/* the following two are parsed as ID_FQDN, so no match */
+	ck_assert(id_matches(a, "*strongswan.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "moon@*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "**", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	a->destroy(a);
+
+	a = identification_create_from_string("vpn.strongswan.org");
+
+	ck_assert(id_matches(a, "vpn.strongswan.org", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "*.strongswan.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*strongswan.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*.org", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "*.strongswan.*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*vpn.strongswan.org", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "vpn.strongswan.*", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "**", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "*", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	a->destroy(a);
+}
+END_TEST
+
+/*******************************************************************************
+ * identification part enumeration
+ */
+
+START_TEST(test_parts)
+{
+	identification_t *id;
+	enumerator_t *enumerator;
+	id_part_t part;
+	chunk_t data;
+	int i = 0;
+
+	id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
+
+	enumerator = id->create_part_enumerator(id);
+	while (enumerator->enumerate(enumerator, &part, &data))
+	{
+		switch (i++)
+		{
+			case 0:
+				ck_assert(part == ID_PART_RDN_C &&
+						  chunk_equals(data, chunk_create("CH", 2)));
+				break;
+			case 1:
+				ck_assert(part == ID_PART_RDN_O &&
+						  chunk_equals(data, chunk_from_str("strongSwan")));
+				break;
+			case 2:
+				ck_assert(part == ID_PART_RDN_CN &&
+						  chunk_equals(data, chunk_from_str("tester")));
+				break;
+			default:
+				fail("unexpected identification part %d", part);
+		}
+	}
+	ck_assert_int_eq(i, 3);
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+}
+END_TEST
+
+/*******************************************************************************
+ * wildcards
+ */
+
+static bool id_contains_wildcards(char *string)
+{
+	identification_t *id;
+	bool contains;
+
+	id = identification_create_from_string(string);
+	contains = id->contains_wildcards(id);
+	id->destroy(id);
+	return contains;
+}
+
+START_TEST(test_contains_wildcards)
+{
+	ck_assert(id_contains_wildcards("%any"));
+	ck_assert(id_contains_wildcards("C=*, O=strongSwan, CN=gw"));
+	ck_assert(id_contains_wildcards("C=CH, O=strongSwan, CN=*"));
+	ck_assert(id_contains_wildcards("*@strongswan.org"));
+	ck_assert(id_contains_wildcards("*.strongswan.org"));
+	ck_assert(!id_contains_wildcards("C=**, O=a*, CN=*a"));
+}
+END_TEST
+
+/*******************************************************************************
+ * clone
+ */
+
+START_TEST(test_clone)
+{
+	identification_t *a, *b;
+	chunk_t a_enc, b_enc;
+
+	a = identification_create_from_string("moon@strongswan.org");
+	a_enc = a->get_encoding(a);
+	b = a->clone(a);
+	ck_assert(b != NULL);
+	ck_assert(a != b);
+	b_enc = b->get_encoding(b);
+	ck_assert(a_enc.ptr != b_enc.ptr);
+	ck_assert(chunk_equals(a_enc, b_enc));
+	a->destroy(a);
+	b->destroy(b);
+}
+END_TEST
+
+Suite *identification_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("identification");
+
+	tc = tcase_create("create");
+	tcase_add_test(tc, test_from_encoding);
+	tcase_add_test(tc, test_from_data);
+	tcase_add_test(tc, test_from_sockaddr);
+	tcase_add_loop_test(tc, test_from_string, 0, countof(string_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf_hook");
+	tcase_add_test(tc, test_printf_hook);
+	tcase_add_test(tc, test_printf_hook_width);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("equals");
+	tcase_add_test(tc, test_equals);
+	tcase_add_test(tc, test_equals_any);
+	tcase_add_test(tc, test_equals_binary);
+	tcase_add_test(tc, test_equals_fqdn);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("matches");
+	tcase_add_test(tc, test_matches);
+	tcase_add_test(tc, test_matches_any);
+	tcase_add_test(tc, test_matches_binary);
+	tcase_add_test(tc, test_matches_string);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("part enumeration");
+	tcase_add_test(tc, test_parts);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("wildcards");
+	tcase_add_test(tc, test_contains_wildcards);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clone");
+	tcase_add_test(tc, test_clone);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_linked_list.c b/src/libstrongswan/tests/test_linked_list.c
new file mode 100644
index 000000000..9e85c58d8
--- /dev/null
+++ b/src/libstrongswan/tests/test_linked_list.c
@@ -0,0 +1,386 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/linked_list.h>
+
+/*******************************************************************************
+ * test fixture
+ */
+
+static linked_list_t *list;
+
+START_SETUP(setup_list)
+{
+	void *x = NULL;
+
+	list = linked_list_create();
+	ck_assert_int_eq(list->get_count(list), 0);
+	ck_assert(list->get_first(list, &x) == NOT_FOUND);
+	ck_assert(list->get_last(list, &x) == NOT_FOUND);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_list)
+{
+	list->destroy(list);
+}
+END_TEARDOWN
+
+/*******************************************************************************
+ * insert first/last
+ */
+
+START_TEST(test_insert_first)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_first(list, a);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == a);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == a);
+
+	list->insert_first(list, b);
+	ck_assert_int_eq(list->get_count(list), 2);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == b);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == a);
+}
+END_TEST
+
+START_TEST(test_insert_last)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_last(list, a);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == a);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == a);
+
+	list->insert_last(list, b);
+	ck_assert_int_eq(list->get_count(list), 2);
+	ck_assert(list->get_first(list, &x) == SUCCESS);
+	ck_assert(x == a);
+	ck_assert(list->get_last(list, &x) == SUCCESS);
+	ck_assert(x == b);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove first/last
+ */
+
+START_TEST(test_remove_first)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_first(list, a);
+	list->insert_first(list, b);
+	ck_assert(list->remove_first(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(x == b);
+	ck_assert(list->remove_first(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 0);
+	ck_assert(x == a);
+	ck_assert(list->remove_first(list, &x) == NOT_FOUND);
+	ck_assert(list->remove_last(list, &x) == NOT_FOUND);
+}
+END_TEST
+
+START_TEST(test_remove_last)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	list->insert_first(list, a);
+	list->insert_first(list, b);
+	ck_assert(list->remove_last(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(x == a);
+	ck_assert(list->remove_last(list, &x) == SUCCESS);
+	ck_assert_int_eq(list->get_count(list), 0);
+	ck_assert(x == b);
+	ck_assert(list->remove_first(list, &x) == NOT_FOUND);
+	ck_assert(list->remove_last(list, &x) == NOT_FOUND);
+}
+END_TEST
+
+/*******************************************************************************
+ * helper function for remove and find tests
+ */
+
+static bool match_a(void *item, void *a)
+{
+	ck_assert(a == (void*)1);
+	return item == a;
+}
+
+static bool match_b(void *item, void *b)
+{
+	ck_assert(b == (void*)2);
+	return item == b;
+}
+
+/*******************************************************************************
+ * remove
+ */
+
+START_TEST(test_remove)
+{
+	void *a = (void*)1, *b = (void*)2;
+
+	list->insert_first(list, a);
+	ck_assert(list->remove(list, a, NULL) == 1);
+	ck_assert_int_eq(list->get_count(list), 0);
+
+	list->insert_last(list, a);
+	list->insert_last(list, a);
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	ck_assert(list->remove(list, a, NULL) == 3);
+	ck_assert(list->remove(list, a, NULL) == 0);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->remove(list, b, NULL) == 1);
+	ck_assert(list->remove(list, b, NULL) == 0);
+}
+END_TEST
+
+START_TEST(test_remove_callback)
+{
+	void *a = (void*)1, *b = (void*)2;
+
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	list->insert_last(list, a);
+	list->insert_last(list, b);
+	ck_assert(list->remove(list, a, match_a) == 2);
+	ck_assert(list->remove(list, a, match_a) == 0);
+	ck_assert_int_eq(list->get_count(list), 2);
+	ck_assert(list->remove(list, b, match_b) == 2);
+	ck_assert(list->remove(list, b, match_b) == 0);
+	ck_assert_int_eq(list->get_count(list), 0);
+}
+END_TEST
+
+/*******************************************************************************
+ * find
+ */
+
+static bool match_a_b(void *item, void *a, void *b)
+{
+	ck_assert(a == (void*)1);
+	ck_assert(b == (void*)2);
+	return item == a || item == b;
+}
+
+START_TEST(test_find)
+{
+	void *a = (void*)1, *b = (void*)2;
+
+	ck_assert(list->find_first(list, NULL, &a) == NOT_FOUND);
+	list->insert_last(list, a);
+	ck_assert(list->find_first(list, NULL, &a) == SUCCESS);
+	ck_assert(list->find_first(list, NULL, &b) == NOT_FOUND);
+	list->insert_last(list, b);
+	ck_assert(list->find_first(list, NULL, &a) == SUCCESS);
+	ck_assert(list->find_first(list, NULL, &b) == SUCCESS);
+
+	ck_assert(list->find_first(list, NULL, NULL) == NOT_FOUND);
+}
+END_TEST
+
+START_TEST(test_find_callback)
+{
+	void *a = (void*)1, *b = (void*)2, *x = NULL;
+
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a_b, &x, a, b) == NOT_FOUND);
+	list->insert_last(list, a);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a, NULL, a) == SUCCESS);
+	x = NULL;
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a, &x, a) == SUCCESS);
+	ck_assert(a == x);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_b, &x, b) == NOT_FOUND);
+	ck_assert(a == x);
+	x = NULL;
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a_b, &x, a, b) == SUCCESS);
+	ck_assert(a == x);
+
+	list->insert_last(list, b);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a, &x, a) == SUCCESS);
+	ck_assert(a == x);
+	ck_assert(list->find_first(list, (linked_list_match_t)match_b, &x, b) == SUCCESS);
+	ck_assert(b == x);
+	x = NULL;
+	ck_assert(list->find_first(list, (linked_list_match_t)match_a_b, &x, a, b) == SUCCESS);
+	ck_assert(a == x);
+}
+END_TEST
+
+/*******************************************************************************
+ * invoke
+ */
+
+typedef struct invoke_t invoke_t;
+
+struct invoke_t {
+	int val;
+	void (*invoke)(invoke_t *item, void *a, void *b, void *c, void *d, int *sum);
+};
+
+static void invoke(intptr_t item, void *a, void *b, void *c, void *d, int *sum)
+{
+	ck_assert(a == (void*)1);
+	ck_assert(b == (void*)2);
+	ck_assert(c == (void*)3);
+	ck_assert(d == (void*)4);
+	*sum += item;
+}
+
+static void invoke_offset(invoke_t *item, void *a, void *b, void *c, void *d, int *sum)
+{
+	invoke(item->val, a, b, c, d, sum);
+}
+
+START_TEST(test_invoke_function)
+{
+	int sum = 0;
+
+	list->insert_last(list, (void*)1);
+	list->insert_last(list, (void*)2);
+	list->insert_last(list, (void*)3);
+	list->insert_last(list, (void*)4);
+	list->insert_last(list, (void*)5);
+	list->invoke_function(list, (linked_list_invoke_t)invoke, 1, 2, 3, 4, &sum);
+	ck_assert_int_eq(sum, 15);
+}
+END_TEST
+
+START_TEST(test_invoke_offset)
+{
+	invoke_t items[] = {
+		{ .val = 1, .invoke = invoke_offset, },
+		{ .val = 2, .invoke = invoke_offset, },
+		{ .val = 3, .invoke = invoke_offset, },
+		{ .val = 4, .invoke = invoke_offset, },
+		{ .val = 5, .invoke = invoke_offset, },
+	};
+	int i, sum = 0;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	list->invoke_offset(list, offsetof(invoke_t, invoke), 1, 2, 3, 4, &sum);
+	ck_assert_int_eq(sum, 15);
+}
+END_TEST
+
+/*******************************************************************************
+ * clone
+ */
+
+typedef struct clone_t clone_t;
+
+struct clone_t {
+	void *val;
+	void *(*clone)(clone_t *item);
+};
+
+static void *clone(clone_t *item)
+{
+	return item->val;
+}
+
+static void test_clone(linked_list_t *list)
+{
+	intptr_t x;
+	int round = 1;
+
+	ck_assert_int_eq(list->get_count(list), 5);
+	while (list->remove_first(list, (void*)&x) == SUCCESS)
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+}
+
+START_TEST(test_clone_offset)
+{
+	linked_list_t *other;
+	clone_t items[] = {
+		{ .val = (void*)1, .clone = clone, },
+		{ .val = (void*)2, .clone = clone, },
+		{ .val = (void*)3, .clone = clone, },
+		{ .val = (void*)4, .clone = clone, },
+		{ .val = (void*)5, .clone = clone, },
+	};
+	int i;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	other = list->clone_offset(list, offsetof(clone_t, clone));
+	test_clone(other);
+	other->destroy(other);
+}
+END_TEST
+
+Suite *linked_list_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("linked list");
+
+	tc = tcase_create("insert/get");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_insert_first);
+	tcase_add_test(tc, test_insert_last);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("remove");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_remove_first);
+	tcase_add_test(tc, test_remove_last);
+	tcase_add_test(tc, test_remove);
+	tcase_add_test(tc, test_remove_callback);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("find");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_find);
+	tcase_add_test(tc, test_find_callback);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("invoke");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_invoke_function);
+	tcase_add_test(tc, test_invoke_offset);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("clone");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_clone_offset);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_linked_list_enumerator.c b/src/libstrongswan/tests/test_linked_list_enumerator.c
new file mode 100644
index 000000000..48d6f40e6
--- /dev/null
+++ b/src/libstrongswan/tests/test_linked_list_enumerator.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <collections/linked_list.h>
+
+/*******************************************************************************
+ * test fixture
+ */
+
+static linked_list_t *list;
+
+START_SETUP(setup_list)
+{
+	list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+									 (void*)5, NULL);
+	ck_assert_int_eq(list->get_count(list), 5);
+}
+END_SETUP
+
+START_TEARDOWN(teardown_list)
+{
+	list->destroy(list);
+}
+END_TEARDOWN
+
+/*******************************************************************************
+ * enumeration
+ */
+
+START_TEST(test_enumerate)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_enumerate_null)
+{
+	enumerator_t *enumerator;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, NULL))
+	{
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_reset_enumerator)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+	}
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	ck_assert_int_eq(round, 6);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * insert before
+ */
+
+START_TEST(test_insert_before)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+		if (x == _i)
+		{
+			list->insert_before(list, enumerator, (void*)6);
+		}
+	}
+	ck_assert_int_eq(list->get_count(list), 6);
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round == _i && x != _i)
+		{
+			ck_assert_int_eq(6, x);
+		}
+		else
+		{
+			ck_assert_int_eq(round, x);
+			round++;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_insert_before_ends)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	enumerator = list->create_enumerator(list);
+	list->insert_before(list, enumerator, (void*)0);
+	ck_assert_int_eq(list->get_count(list), 6);
+	ck_assert(list->get_first(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 0);
+	round = 0;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	list->insert_before(list, enumerator, (void*)6);
+	ck_assert_int_eq(list->get_count(list), 7);
+	ck_assert(list->get_last(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 6);
+	ck_assert(!enumerator->enumerate(enumerator, &x));
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_insert_before_empty)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+
+	list->destroy(list);
+	list = linked_list_create();
+	enumerator = list->create_enumerator(list);
+	list->insert_before(list, enumerator, (void*)1);
+	ck_assert_int_eq(list->get_count(list), 1);
+	ck_assert(list->get_first(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 1);
+	ck_assert(list->get_last(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 1);
+	ck_assert(enumerator->enumerate(enumerator, &x));
+	ck_assert_int_eq(x, 1);
+	ck_assert(!enumerator->enumerate(enumerator, NULL));
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * remove_at
+ */
+
+START_TEST(test_remove_at)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		if (round == 2)
+		{
+			list->remove_at(list, enumerator);
+		}
+		round++;
+	}
+	ck_assert_int_eq(list->get_count(list), 4);
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round == 2)
+		{	/* skip removed item */
+			round++;
+		}
+		ck_assert_int_eq(round, x);
+		round++;
+	}
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_remove_at_ends)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+
+	enumerator = list->create_enumerator(list);
+	list->remove_at(list, enumerator);
+	ck_assert_int_eq(list->get_count(list), 5);
+	ck_assert(list->get_first(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 1);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+	}
+	list->remove_at(list, enumerator);
+	ck_assert_int_eq(list->get_count(list), 5);
+	ck_assert(list->get_last(list, (void*)&x) == SUCCESS);
+	ck_assert_int_eq(x, 5);
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+START_TEST(test_insert_before_remove_at)
+{
+	enumerator_t *enumerator;
+	intptr_t x;
+	int round;
+
+	round = 1;
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		ck_assert_int_eq(round, x);
+		if (round == 2)
+		{	/* this replaces the current item, as insert_before does not change
+			 * the enumerator position */
+			list->insert_before(list, enumerator, (void*)42);
+			list->remove_at(list, enumerator);
+		}
+		else if (round == 4)
+		{	/* this does not replace the item, as remove_at moves the enumerator
+			 * position to the previous item */
+			list->remove_at(list, enumerator);
+			list->insert_before(list, enumerator, (void*)21);
+		}
+		round++;
+	}
+	ck_assert_int_eq(list->get_count(list), 5);
+	list->reset_enumerator(list, enumerator);
+	round = 1;
+	while (enumerator->enumerate(enumerator, &x))
+	{
+		if (round == 2)
+		{	/* check replaced item */
+			ck_assert_int_eq(42, x);
+		}
+		else if (round == 3)
+		{	/* check misplaced item */
+			ck_assert_int_eq(21, x);
+		}
+		else if (round == 4)
+		{	/* check misplaced item */
+			ck_assert_int_eq(3, x);
+		}
+		else
+		{
+			ck_assert_int_eq(round, x);
+		}
+		round++;
+	}
+	enumerator->destroy(enumerator);
+}
+END_TEST
+
+/*******************************************************************************
+ * create list from enumerator
+ */
+
+START_TEST(test_create_from_enumerator)
+{
+	enumerator_t *enumerator, *enumerator_other;
+	linked_list_t *other;
+	intptr_t x, y;
+	int count = 0;
+
+	enumerator = list->create_enumerator(list);
+	other = linked_list_create_from_enumerator(enumerator);
+	ck_assert_int_eq(other->get_count(list), 5);
+
+	enumerator = list->create_enumerator(list);
+	enumerator_other = other->create_enumerator(other);
+	while (enumerator->enumerate(enumerator, &x) &&
+		   enumerator_other->enumerate(enumerator_other, &y))
+	{
+		ck_assert_int_eq(x, y);
+		count++;
+	}
+	ck_assert_int_eq(count, 5);
+	enumerator_other->destroy(enumerator_other);
+	enumerator->destroy(enumerator);
+	other->destroy(other);
+}
+END_TEST
+
+Suite *linked_list_enumerator_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("linked list and enumerators");
+
+	tc = tcase_create("enumerate");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_enumerate);
+	tcase_add_test(tc, test_enumerate_null);
+	tcase_add_test(tc, test_reset_enumerator);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("insert_before()");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_loop_test(tc, test_insert_before, 1, 5);
+	tcase_add_test(tc, test_insert_before_ends);
+	tcase_add_test(tc, test_insert_before_empty);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("modify");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_remove_at);
+	tcase_add_test(tc, test_remove_at_ends);
+	tcase_add_test(tc, test_insert_before_remove_at);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("create_from_enumerator");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_create_from_enumerator);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_rsa.c b/src/libstrongswan/tests/test_rsa.c
new file mode 100644
index 000000000..4c75c34bc
--- /dev/null
+++ b/src/libstrongswan/tests/test_rsa.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <plugins/plugin_feature.h>
+
+/**
+ * Signature schemes to test
+ */
+static signature_scheme_t schemes[] = {
+	SIGN_RSA_EMSA_PKCS1_NULL,
+	SIGN_RSA_EMSA_PKCS1_MD5,
+	SIGN_RSA_EMSA_PKCS1_SHA1,
+	SIGN_RSA_EMSA_PKCS1_SHA224,
+	SIGN_RSA_EMSA_PKCS1_SHA256,
+	SIGN_RSA_EMSA_PKCS1_SHA384,
+	SIGN_RSA_EMSA_PKCS1_SHA512,
+};
+
+/**
+ * Perform a signature verification "good" test having a keypair
+ */
+static void test_good_sig(private_key_t *privkey, public_key_t *pubkey)
+{
+	chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int i;
+
+	for (i = 0; i < countof(schemes); i++)
+	{
+		if (!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i])) ||
+			!lib->plugins->has_feature(lib->plugins,
+						PLUGIN_PROVIDE(PRIVKEY_SIGN, schemes[i])))
+		{
+			continue;
+		}
+		fail_unless(privkey->sign(privkey, schemes[i], data, &sig),
+					"sign %N", signature_scheme_names, schemes[i]);
+		fail_unless(pubkey->verify(pubkey, schemes[i], data, sig),
+					"verify %N", signature_scheme_names, schemes[i]);
+		free(sig.ptr);
+	}
+}
+
+/**
+ * Some special signatures that should never validate successfully
+ */
+static chunk_t invalid_sigs[] = {
+	chunk_from_chars(),
+	chunk_from_chars(0x00),
+	chunk_from_chars(0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+	chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+					 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00),
+};
+
+/**
+ * Check public key that it properly fails against some crafted sigs
+ */
+static void test_bad_sigs(public_key_t *pubkey)
+{
+	chunk_t data = chunk_from_chars(0x01,0x02,0x03,0xFD,0xFE,0xFF);
+	int s, i;
+
+	for (s = 0; s < countof(schemes); s++)
+	{
+			if (!lib->plugins->has_feature(lib->plugins,
+							PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[s])))
+			{
+				continue;
+			}
+		for (i = 0; i < countof(invalid_sigs); i++)
+		{
+			fail_if(
+				pubkey->verify(pubkey, schemes[s], data, invalid_sigs[i]),
+				"bad %N sig accepted %B", signature_scheme_names, schemes[s],
+				&invalid_sigs[i]);
+		}
+	}
+}
+
+/**
+ * RSA key sizes to test
+ */
+static int key_sizes[] = {
+	786, 1024, 1536, 2048, 3072, 4096,
+};
+
+START_TEST(test_gen)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_KEY_SIZE, key_sizes[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+/**
+ * Private keys to load
+ */
+static chunk_t keys[] = {
+	chunk_from_chars( /* RSA-768 */
+		0x30,0x82,0x01,0xcb,0x02,0x01,0x00,0x02,0x61,0x00,0xd1,0x5d,0x98,0x97,0x95,0x98,
+		0x19,0x87,0x20,0x3f,0x10,0xb0,0x05,0x36,0x1e,0x1b,0xcd,0xc8,0x93,0x66,0xd7,0x43,
+		0xed,0x84,0xb0,0x3e,0x96,0xd3,0xe7,0x27,0x0e,0xc0,0xba,0xdf,0x7e,0x32,0x05,0xd3,
+		0x08,0xd6,0x44,0xd5,0x01,0x2b,0x3e,0x5d,0xc0,0x37,0xae,0x4f,0xe0,0xea,0x8d,0x2c,
+		0x42,0x4c,0xa9,0xa2,0x42,0xbe,0xdd,0xdb,0xf7,0xd3,0x28,0x07,0x10,0x88,0x53,0x15,
+		0xb2,0x4f,0xb5,0x9d,0x47,0x9b,0xd6,0xc8,0xfe,0x5b,0xa2,0xd7,0xe1,0x13,0xca,0x0b,
+		0xce,0x7a,0xed,0xa2,0x3e,0xd5,0x9b,0xb8,0x8b,0x4f,0x02,0x03,0x01,0x00,0x01,0x02,
+		0x60,0x2d,0x83,0x82,0x53,0x99,0xb2,0xaa,0x02,0x05,0x11,0x90,0xa8,0x23,0x49,0xe3,
+		0x7b,0xb9,0xdd,0x9b,0xa5,0xa4,0xb0,0x60,0xa7,0x12,0xc5,0x58,0x76,0x92,0x6e,0x9c,
+		0x37,0x6b,0xa8,0x80,0x3f,0x91,0xa2,0x91,0xee,0x3a,0xa2,0x6f,0x91,0x9e,0x0a,0x35,
+		0x69,0xc0,0xa7,0xdc,0xd8,0x46,0xe4,0x29,0x1c,0x3d,0x34,0x30,0xa2,0xb9,0x0d,0x34,
+		0x94,0xa1,0x12,0xa7,0x85,0xd3,0x2c,0x47,0x1b,0xf0,0x78,0xd5,0x22,0xfc,0xa5,0xe0,
+		0x75,0xac,0x71,0x21,0xe8,0xe8,0x19,0x9f,0xbb,0x98,0x5c,0xa6,0x9d,0x42,0xd7,0x9c,
+		0x89,0x02,0x31,0x00,0xee,0xaa,0x9e,0x82,0xe1,0xb2,0xdd,0x05,0xbc,0x2e,0x53,0xe9,
+		0x64,0x4b,0x48,0x06,0x3a,0xfd,0x9e,0x91,0xce,0x1b,0x7f,0x66,0xbc,0xd2,0xc4,0xab,
+		0xbf,0xc5,0x5d,0x1a,0xbd,0xd6,0xb5,0x9c,0x5c,0x18,0x01,0xe6,0x79,0x19,0xf2,0xc3,
+		0x1d,0x66,0x88,0x2d,0x02,0x31,0x00,0xe0,0x92,0x34,0x1e,0x09,0xf2,0x1b,0xf9,0xbf,
+		0x11,0x65,0x3f,0xc8,0x85,0x5a,0xe6,0xc0,0xcf,0x93,0x44,0xb0,0x50,0xe4,0x8b,0x6f,
+		0x30,0xde,0x42,0x0c,0x8a,0x77,0x0d,0x98,0x7f,0x52,0x59,0x9e,0x87,0xb8,0x6e,0xdc,
+		0xed,0x15,0x80,0xbd,0xbb,0xf2,0xeb,0x02,0x31,0x00,0xb0,0x6b,0x36,0x98,0x90,0xb5,
+		0x62,0x63,0xa6,0xe2,0xa7,0xec,0x51,0xd2,0xc3,0xfe,0xb7,0x04,0x5a,0x7e,0x74,0xd8,
+		0x26,0xa8,0x8e,0xd3,0x4d,0xc5,0x97,0x10,0x10,0xee,0x7f,0x7d,0x82,0xe9,0x7d,0xb9,
+		0xd1,0x4d,0xc8,0x1e,0xc2,0x30,0x30,0x3f,0x66,0x51,0x02,0x31,0x00,0xaa,0x75,0x2f,
+		0x4c,0x11,0xbe,0x8d,0x0f,0x8f,0xc1,0x13,0x7a,0x4b,0xa9,0x35,0x6b,0x6b,0xb4,0xe3,
+		0x92,0xc2,0xc6,0x54,0x03,0xa6,0x5d,0x90,0x86,0xcf,0xe0,0x16,0x27,0xe2,0xb5,0xd9,
+		0xfb,0x1e,0x82,0xe4,0x32,0x7a,0x4d,0x17,0x02,0x46,0x82,0x30,0x0b,0x02,0x30,0x09,
+		0xf3,0xce,0x9b,0x02,0xc5,0x53,0xe9,0xa2,0x89,0xe2,0x3b,0x8c,0x8b,0xe9,0xc2,0xba,
+		0x94,0x76,0x60,0x27,0x2b,0xe9,0x92,0xc1,0x5e,0x3c,0xc3,0x77,0x9b,0xc7,0xce,0xc6,
+		0x67,0xd5,0x20,0x2c,0x54,0xa1,0x5d,0x2a,0x17,0x16,0x66,0xdf,0x5a,0xe9,0x87,
+	),
+	chunk_from_chars( /* RSA-1024 */
+		0x30,0x82,0x02,0x5c,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xc0,0xbd,0x48,0x83,0xbc,
+		0xea,0x0b,0x32,0x06,0x4b,0xf5,0x10,0x54,0x1b,0xba,0x88,0xc4,0x10,0x7e,0x47,0xec,
+		0x0e,0xf9,0xb4,0xcf,0x9a,0x02,0xc6,0xb3,0xaf,0x35,0xc8,0xaf,0x78,0x1a,0xbc,0x37,
+		0x1a,0x25,0x7a,0x37,0x24,0x73,0x53,0x9a,0xf0,0x44,0x64,0x5b,0x6b,0x64,0x4c,0xfa,
+		0x83,0x3a,0x0f,0x77,0x5d,0x7b,0x21,0xa2,0x25,0x00,0x11,0xae,0x72,0x36,0x35,0xd9,
+		0x0d,0xef,0x5a,0xdd,0x98,0x35,0x49,0xaf,0x44,0xa0,0x33,0x29,0xc0,0xca,0xf5,0x6f,
+		0xfe,0xc1,0x06,0x4c,0x80,0x9a,0x54,0xbe,0x46,0x1a,0x96,0xb1,0xf3,0x29,0xb8,0x9d,
+		0x07,0x84,0x03,0x68,0x6b,0x9f,0xbf,0xe5,0xd8,0x14,0x2a,0xe0,0xef,0xbd,0x1a,0x61,
+		0x0d,0x3a,0xc8,0x67,0xcd,0x99,0x90,0xe3,0xe6,0x52,0x83,0x02,0x03,0x01,0x00,0x01,
+		0x02,0x81,0x80,0x13,0xd2,0xa3,0xe5,0xa0,0xb0,0x0a,0xe2,0x0f,0x3c,0x65,0x57,0xa8,
+		0xe9,0x87,0xd5,0x79,0xcc,0xc9,0xca,0xc8,0x8a,0xd5,0xc0,0x74,0x90,0x3e,0x1e,0xda,
+		0x40,0xcd,0x42,0xf7,0x01,0x09,0x9c,0x37,0xfd,0x41,0x6e,0x2b,0x6e,0x5d,0x4a,0x1e,
+		0x52,0x53,0x1b,0xbb,0x3c,0x9f,0xfe,0x91,0x79,0x48,0xfc,0x69,0x90,0xbc,0xbc,0x3d,
+		0xcf,0xee,0x62,0x0a,0xbd,0x57,0x6b,0xa9,0x51,0x3e,0xc2,0x7f,0x26,0xb1,0xaa,0x38,
+		0xeb,0x40,0x91,0x3a,0x3c,0x80,0x1e,0x4e,0xe2,0xff,0xa2,0x8e,0x56,0xbb,0xb3,0xeb,
+		0x24,0x81,0x4c,0x19,0x2c,0x8f,0x51,0x4c,0x04,0x81,0xaf,0x5e,0xc2,0xa6,0xf9,0xd3,
+		0x48,0xee,0xe9,0x6d,0x9b,0xe1,0xe5,0x17,0x4f,0x07,0x18,0xea,0x96,0xd3,0x2c,0xce,
+		0x44,0x71,0x51,0x02,0x41,0x00,0xe9,0xe9,0x46,0x7e,0xe1,0xc2,0x86,0x94,0x65,0x77,
+		0x9c,0xc7,0x76,0x5d,0xa0,0xd3,0xcc,0x1f,0xa3,0xc7,0xfe,0xbb,0x4e,0x27,0xd6,0x43,
+		0x6b,0xbd,0x0d,0x05,0x7a,0x10,0xe8,0x48,0x97,0x30,0xaa,0x53,0x61,0x57,0x1f,0x8a,
+		0xf7,0x39,0x5e,0xa6,0xfe,0xe9,0x2c,0x19,0x5e,0x53,0xea,0xc2,0xb2,0xc2,0x11,0x3c,
+		0x18,0xab,0xcf,0xc4,0x91,0x1b,0x02,0x41,0x00,0xd2,0xf0,0xb1,0x49,0xa1,0x6f,0xf1,
+		0x83,0xa3,0xd2,0xa1,0x0e,0xb3,0xb3,0x33,0x01,0xed,0xd0,0x28,0xc1,0x2f,0x88,0x80,
+		0x9f,0x43,0x7c,0x7e,0x5d,0x4c,0x15,0x05,0x86,0xff,0x75,0x9b,0xf1,0x64,0xde,0x06,
+		0xbf,0xdd,0x98,0x50,0xd9,0x4a,0x3a,0xd6,0x25,0x1c,0xdd,0xc8,0x56,0x12,0x11,0xb9,
+		0x02,0x42,0xc7,0x1d,0x86,0xeb,0xd9,0xc2,0xb9,0x02,0x41,0x00,0x80,0x25,0x8c,0xb9,
+		0x76,0x75,0x5b,0xc5,0x70,0xd1,0x56,0xd2,0xef,0xc5,0xdb,0x96,0x2c,0xfe,0x28,0x7c,
+		0x28,0xd1,0xf4,0xbf,0x5e,0x63,0x11,0x63,0x40,0xfe,0xff,0x20,0xc4,0x21,0x00,0xb3,
+		0x68,0x9c,0xc5,0x77,0x35,0x90,0xac,0x60,0x81,0xba,0x7b,0x6c,0xc2,0xfc,0x22,0xf1,
+		0x56,0x6b,0xd4,0x02,0xfd,0xee,0x2e,0x95,0xf1,0xfd,0x7e,0x81,0x02,0x40,0x47,0xaf,
+		0x84,0x90,0x81,0x4c,0x89,0xc7,0x32,0xe5,0x61,0xd6,0x9d,0x3b,0x49,0x1a,0x5e,0xb7,
+		0x5f,0x22,0x48,0x05,0x1b,0xb1,0x04,0x3e,0x4a,0xb3,0x6a,0x27,0xba,0xb9,0x26,0x17,
+		0xd1,0xe7,0x37,0x60,0x3c,0xea,0xf7,0x63,0xcc,0x16,0x0c,0x23,0xf2,0xa2,0xaa,0x2c,
+		0xb4,0xe8,0x8b,0x3b,0x7a,0xa4,0x4a,0x0d,0x60,0xfb,0x79,0x2b,0x88,0x01,0x02,0x40,
+		0x42,0xee,0x12,0x91,0xf9,0x80,0x1e,0x60,0x0b,0xaa,0xbe,0xfd,0x09,0x84,0x93,0x0d,
+		0x09,0xd3,0x1e,0x37,0x52,0xb0,0xe8,0x51,0x4f,0xd3,0x9e,0xda,0x32,0x38,0x22,0x35,
+		0xdb,0x25,0x8b,0x9f,0x1a,0xb5,0xf1,0x75,0xfa,0x4d,0x09,0x42,0x01,0x64,0xe6,0xc4,
+		0x6e,0xba,0x2d,0x88,0x92,0xbe,0xa9,0x1f,0x85,0x38,0x10,0xa3,0x0e,0x1a,0x92,0x54,
+	),
+	chunk_from_chars( /* RSA-1536 */
+		0x30,0x82,0x03,0x7d,0x02,0x01,0x00,0x02,0x81,0xc1,0x00,0xba,0xe3,0x37,0x93,0x7e,
+		0x42,0x13,0x3c,0xba,0x41,0xc1,0x7b,0xf0,0xcc,0x7a,0x44,0xc6,0x54,0xc8,0x77,0x01,
+		0x70,0x2f,0x6e,0x4a,0xcf,0x2d,0x07,0xab,0x01,0xc0,0x43,0xab,0x8d,0x33,0xb3,0xd4,
+		0xeb,0xe3,0x90,0xf6,0x01,0x03,0x75,0x03,0x1d,0xe8,0x06,0x40,0x15,0xfa,0x96,0x0b,
+		0xd5,0x26,0x64,0xea,0x55,0x82,0x16,0x7b,0xd5,0x1e,0xaa,0x08,0xc7,0x30,0x1a,0x59,
+		0xf8,0xd9,0xe3,0x9e,0x89,0xd9,0x92,0x2c,0x32,0x79,0x0e,0xb3,0x25,0xbc,0x1d,0x7c,
+		0x59,0xde,0x05,0x47,0x8f,0x61,0x77,0xf5,0x4f,0xed,0x82,0x2c,0xf8,0x2a,0x3e,0x02,
+		0xf3,0xc0,0x15,0x51,0xde,0x05,0xc4,0xfc,0x80,0x91,0xae,0x06,0x1b,0xd7,0x39,0x8e,
+		0x9a,0x6d,0xb3,0x2f,0xb0,0xd0,0xc8,0x96,0xa6,0x88,0xb3,0x17,0xca,0x58,0xbe,0x38,
+		0x2c,0x64,0x35,0x5a,0x29,0xb7,0xf8,0x74,0x3d,0xbb,0xec,0x90,0x01,0x04,0x64,0x3d,
+		0x38,0x0f,0x87,0xce,0xd7,0xfc,0xd2,0x96,0x93,0x31,0x85,0x0d,0x2d,0xa5,0x91,0xe2,
+		0xfc,0x7b,0xea,0xb0,0x89,0x24,0xaa,0x00,0x29,0x8c,0x26,0x7c,0x94,0x54,0x74,0xe4,
+		0x11,0xa8,0x04,0x6f,0x40,0xeb,0xaf,0xed,0xac,0x75,0x33,0x02,0x03,0x01,0x00,0x01,
+		0x02,0x81,0xc0,0x0a,0x96,0xec,0x63,0xc1,0xa0,0x39,0xd9,0xd3,0x8d,0xfd,0x4a,0x2a,
+		0x13,0x54,0x0c,0x48,0x96,0xae,0x43,0x3c,0x04,0x20,0xd3,0xe5,0x8e,0x46,0xb5,0x6c,
+		0x05,0xad,0xe0,0xc7,0xbc,0x39,0x05,0x44,0x17,0xd7,0xad,0xb3,0x9a,0xcc,0x18,0xd9,
+		0xc3,0xdc,0x8d,0x5a,0x1d,0x44,0xb5,0x32,0xd7,0x71,0x94,0xff,0x48,0x38,0x16,0x51,
+		0x0e,0xfa,0xed,0x54,0x91,0x00,0xd3,0x45,0x6c,0xd9,0xdf,0xd1,0x70,0x6b,0x31,0x22,
+		0xaa,0xfb,0x7c,0x0f,0x3f,0xa0,0xa0,0xa5,0x16,0xac,0x83,0x6d,0x12,0x1d,0x4a,0x40,
+		0x4e,0xb6,0x9c,0xf4,0x67,0xaa,0xa9,0xb0,0xc8,0xb4,0x0a,0xd5,0x3b,0x5c,0x19,0xed,
+		0x86,0x83,0x5a,0x75,0xbc,0xeb,0x17,0xc8,0x16,0xa0,0x60,0x2e,0xb6,0x25,0xc5,0x4d,
+		0x59,0xba,0x62,0xcb,0x3d,0x91,0x7c,0x79,0x6a,0x4b,0x4a,0x54,0xbd,0xb7,0xa3,0x89,
+		0x7f,0xbf,0x0e,0x77,0xe1,0x54,0x29,0x0d,0x45,0x6d,0xa8,0x15,0xa5,0x17,0x8c,0xcf,
+		0x27,0x9e,0x47,0x4e,0x2a,0x91,0x7e,0x4e,0x14,0x59,0x8c,0x62,0x91,0xa3,0x40,0xa5,
+		0x9e,0x67,0xbb,0x02,0x97,0xb4,0xe7,0x06,0x04,0xbc,0x16,0x24,0x3d,0x49,0xb1,0xf0,
+		0xae,0xfc,0x1d,0x02,0x61,0x00,0xde,0x86,0x5d,0x49,0x88,0xeb,0x5c,0xd3,0xe5,0x11,
+		0x48,0x0b,0x1e,0x52,0x95,0xa9,0x65,0x99,0x89,0xcf,0x51,0xb0,0x08,0xdd,0xb5,0x5b,
+		0x64,0x1a,0x34,0xd2,0xee,0x4b,0x2d,0x8b,0xc1,0xd5,0xd6,0x1d,0x6c,0x0c,0x7e,0xa5,
+		0x66,0x12,0xec,0xaf,0x5d,0xe9,0x33,0xd4,0xba,0x18,0x71,0x84,0x97,0xbe,0xc0,0x75,
+		0x63,0x19,0xae,0xc6,0xc7,0x65,0xf3,0xf6,0xda,0x3f,0x91,0xfa,0x5e,0x87,0xf3,0xbc,
+		0xd2,0x64,0x8d,0xcf,0xfb,0xdd,0x7f,0x9b,0x6c,0x81,0xba,0x9b,0x4e,0x94,0x5e,0x83,
+		0xd1,0xcb,0xb9,0xf4,0x39,0x7f,0x02,0x61,0x00,0xd7,0x00,0x6d,0x8e,0x1b,0xa1,0x44,
+		0xd9,0xff,0xe6,0x42,0x72,0x18,0x55,0x26,0x3e,0x87,0x40,0x71,0xb2,0x67,0x37,0x16,
+		0xe9,0xbd,0x51,0x7f,0x0e,0x79,0x0e,0x75,0xa9,0x1f,0x0f,0x6b,0xa5,0x7c,0x5f,0xc8,
+		0xdc,0x17,0xde,0x53,0x88,0x97,0x90,0x88,0xf2,0x4d,0x66,0x5e,0x0e,0x11,0x16,0x92,
+		0x1e,0x61,0x56,0xe6,0xf0,0x74,0x81,0x58,0x95,0x05,0x29,0x71,0x9b,0xa0,0x69,0xed,
+		0x14,0x23,0xf6,0x36,0x9b,0x8f,0x06,0x3a,0x76,0xab,0xeb,0xce,0xe8,0xdc,0x79,0xc1,
+		0x29,0xb9,0xfc,0x49,0x7a,0x26,0x59,0xd6,0x4d,0x02,0x61,0x00,0xaf,0x3c,0xac,0xd6,
+		0x2d,0xe6,0xfb,0x91,0x3a,0xc1,0x23,0x34,0xee,0x4a,0x26,0xe5,0xe1,0xc6,0xc9,0xc9,
+		0xe4,0x10,0x76,0xca,0xf1,0xf8,0xe8,0x99,0xe2,0xa3,0x81,0x58,0xde,0xa3,0x42,0xa0,
+		0x3d,0x1f,0xaa,0x69,0x24,0x8a,0xe8,0x19,0x5b,0x1e,0xb7,0x1b,0xe0,0xdf,0x53,0x35,
+		0xd0,0x9f,0x94,0x48,0x79,0x93,0x77,0xd9,0x4f,0xd3,0xe6,0x4f,0x19,0x92,0x7a,0x48,
+		0xb9,0x92,0xab,0x42,0xf0,0xe4,0xef,0xe2,0x93,0xf3,0x07,0xeb,0x64,0x84,0x67,0x2c,
+		0xba,0x61,0x77,0xbe,0x4b,0xb8,0x0f,0x4d,0x1a,0x41,0x83,0xcd,0x02,0x60,0x56,0xec,
+		0x55,0x5e,0x9e,0xcd,0x14,0x89,0x0e,0x6c,0x89,0x70,0x97,0x65,0xd5,0x90,0x72,0x1e,
+		0x1b,0xd9,0x84,0xe1,0x40,0xe2,0x3f,0x28,0x33,0xb6,0x26,0x3b,0x32,0x56,0xad,0xb8,
+		0x0e,0x4d,0x59,0x7b,0x60,0x39,0x9b,0x6c,0xc7,0x58,0xf1,0xed,0xfd,0x6f,0xf8,0xda,
+		0xea,0x2b,0xc5,0xbc,0xda,0x56,0x6e,0x04,0x34,0x5a,0x02,0xc0,0x48,0x8f,0xf7,0x06,
+		0x4a,0x68,0x20,0xf2,0xb2,0x66,0xf2,0x23,0x18,0xf0,0xcb,0x62,0x39,0x40,0xc1,0x41,
+		0x14,0xe6,0x10,0x3d,0x29,0x5b,0x35,0x56,0x4a,0x5e,0x98,0x22,0xba,0x01,0x02,0x61,
+		0x00,0xcc,0x80,0xb7,0xb9,0xb9,0x4a,0xaf,0x47,0x00,0x3e,0x21,0x0f,0xb8,0x4e,0x7c,
+		0xb1,0xe4,0x25,0xd6,0x19,0x26,0x54,0xc6,0x8c,0x30,0x88,0x54,0x70,0xcf,0x1f,0x62,
+		0x75,0xcb,0x18,0x58,0x6c,0x14,0xb0,0x9b,0x13,0x90,0xa2,0x1a,0x5a,0x79,0xa3,0x82,
+		0xf0,0x9b,0xba,0xf0,0x90,0xaf,0xa1,0xe8,0xa8,0x70,0xef,0x60,0x6a,0x68,0xed,0x5a,
+		0x21,0x77,0x69,0x7a,0xf2,0xee,0x3e,0xe5,0x90,0xd2,0x33,0x71,0x3b,0x82,0x88,0x75,
+		0xdd,0x8e,0x6e,0xbc,0x17,0x83,0xef,0x37,0x82,0x4e,0x83,0x30,0xcb,0x8a,0xbc,0x6c,
+		0x41,
+	),
+	chunk_from_chars( /* RSA-2048 */
+		0x30,0x82,0x04,0xa2,0x02,0x01,0x00,0x02,0x82,0x01,0x01,0x00,0xba,0xbf,0x27,0x0b,
+		0x22,0x59,0xd8,0x6f,0xff,0x26,0x5d,0x41,0x3d,0xb0,0x94,0x58,0x5d,0xc0,0x46,0xb6,
+		0x77,0xa9,0x78,0x10,0x6d,0xe9,0xbf,0xca,0x6f,0x04,0xe1,0xda,0x85,0x12,0x1e,0xe0,
+		0xa6,0xc7,0xa2,0x71,0x04,0x8b,0x6e,0x84,0xf9,0x86,0x2b,0xeb,0x72,0x01,0x72,0xc8,
+		0x0a,0x83,0xa6,0xf7,0xc0,0xd6,0x76,0x1d,0x28,0x38,0xb5,0x7e,0x6c,0x8c,0x6a,0x13,
+		0xf4,0xf1,0x7f,0xf2,0x79,0xae,0x73,0xba,0x1a,0x3f,0x30,0x65,0xb6,0x23,0xa7,0x94,
+		0x34,0x29,0x87,0xce,0x06,0x99,0xee,0x85,0x10,0xce,0x08,0xe2,0x8d,0xd5,0x47,0xf3,
+		0xc8,0xf0,0x18,0x41,0xc0,0x59,0x66,0x06,0xda,0xb6,0x18,0xd2,0xa3,0xa0,0xbd,0x3a,
+		0x90,0x7f,0x37,0x39,0xdf,0x98,0x55,0xa2,0x19,0x5e,0x37,0xbc,0x86,0xf3,0x02,0xf8,
+		0x68,0x49,0x53,0xf2,0x4b,0x3d,0x7a,0xe3,0x1d,0xa4,0x15,0x10,0xa6,0xce,0x8c,0xb8,
+		0xfd,0x95,0x54,0xa2,0x50,0xa2,0xd9,0x35,0x12,0x56,0xae,0xbc,0x51,0x33,0x6d,0xb8,
+		0x63,0x7c,0x26,0xab,0x19,0x01,0xa5,0xda,0xfa,0x4b,0xb6,0x57,0xd3,0x4b,0xdd,0xc0,
+		0x62,0xc5,0x05,0xb7,0xc3,0x2e,0x1f,0x17,0xc8,0x09,0x87,0x12,0x37,0x21,0xd7,0x7a,
+		0x53,0xb0,0x47,0x60,0xa2,0xb5,0x23,0x3b,0x99,0xdf,0xea,0x8b,0x94,0xea,0x9d,0x53,
+		0x5d,0x02,0x52,0xf7,0x29,0xfb,0x63,0xb0,0xff,0x27,0x5e,0xde,0x54,0x7d,0x95,0xd6,
+		0x4e,0x58,0x12,0x06,0x60,0x22,0x33,0xf2,0x19,0x67,0x65,0xdd,0xf3,0x42,0xb5,0x00,
+		0x51,0x35,0xe5,0x62,0x4d,0x90,0x44,0xfb,0x7f,0x5b,0xb5,0xe5,0x02,0x03,0x01,0x00,
+		0x01,0x02,0x82,0x01,0x00,0x1c,0xf5,0x66,0xf5,0xce,0x4c,0x1d,0xe8,0xd2,0x29,0x6e,
+		0x15,0x1f,0x9e,0x9a,0x06,0x70,0xf5,0x4f,0xd1,0xdc,0x51,0x02,0x8e,0x13,0xa9,0x47,
+		0x85,0x39,0xfd,0x89,0x13,0x74,0x86,0xb8,0x94,0x90,0x30,0x4d,0x73,0x96,0xa7,0x93,
+		0x8a,0x19,0xd2,0x91,0x4d,0x77,0xb6,0x9b,0x48,0xc3,0x7e,0xa2,0x5d,0xf1,0x80,0xa0,
+		0x3c,0xc9,0xbf,0xaf,0x7f,0x4d,0x10,0x62,0x23,0xb9,0x9c,0x58,0x81,0xae,0x96,0x5b,
+		0x9a,0x4c,0x97,0x27,0x67,0x62,0x5c,0xf9,0x8f,0xdd,0x1d,0xe2,0x92,0x13,0x8a,0x7b,
+		0xc7,0x15,0x31,0xca,0x05,0x6d,0xc6,0x98,0xdb,0x88,0x39,0x99,0x1d,0x5b,0x19,0x51,
+		0xdd,0xb6,0xbd,0x3d,0xb0,0xae,0x50,0x8e,0xff,0x7d,0xa8,0x48,0x95,0x58,0x23,0xbc,
+		0x85,0xc0,0x46,0xd0,0xc0,0x0e,0xda,0xdd,0xa4,0x8e,0x8d,0x31,0x8b,0x89,0x0f,0x8b,
+		0x76,0x9a,0xb5,0x99,0x56,0x5e,0xd3,0x0c,0x88,0x0b,0x03,0xf1,0xc9,0xe3,0x05,0x05,
+		0x08,0x75,0xce,0x35,0x52,0xa0,0xc0,0xf2,0xf4,0xb9,0x87,0x22,0x21,0x3f,0x61,0xd6,
+		0x99,0xae,0x0e,0x76,0x5d,0x9c,0x16,0xa3,0xe9,0xde,0x2d,0x2a,0x46,0xf7,0x89,0xbf,
+		0x0d,0xb1,0x60,0xad,0xbc,0x24,0xe2,0xe5,0xb1,0xc1,0x1c,0x00,0x40,0x1c,0xbd,0xfa,
+		0x6e,0xc7,0x0d,0xc1,0xda,0x4d,0x54,0x45,0x96,0xac,0xf7,0xfe,0x1b,0xf2,0x47,0x1e,
+		0xf7,0x8b,0xcf,0x27,0xcc,0xe7,0x08,0xd6,0x43,0x60,0xea,0xda,0x19,0xd7,0x98,0x17,
+		0x7c,0xab,0x0c,0x90,0x60,0x75,0x9f,0x8b,0xaa,0x13,0x63,0x98,0x9e,0xc6,0x41,0x9f,
+		0xd4,0x85,0xa3,0xb2,0xb9,0x02,0x81,0x81,0x00,0xe1,0x20,0xf6,0xac,0xa9,0x01,0xbd,
+		0x31,0xe6,0xb2,0x4e,0xcf,0x66,0xc3,0x11,0x0e,0x5b,0xfe,0x58,0x6b,0xc6,0x2d,0x7a,
+		0x05,0x30,0x9a,0x6f,0xcc,0xcc,0xdf,0xd2,0x2c,0xe1,0x47,0x39,0x9e,0xf3,0x0c,0x81,
+		0xd9,0x76,0x00,0xe2,0xb1,0x08,0x91,0xfb,0x12,0x04,0xf6,0x1f,0xea,0xff,0x82,0xe5,
+		0x64,0x64,0x6f,0x14,0xbe,0x33,0x5f,0x41,0x5f,0x73,0x1f,0xa2,0x32,0xec,0x75,0xb3,
+		0x98,0x4b,0x88,0x4d,0x1e,0xec,0x78,0xda,0x4c,0x2d,0xf8,0xbb,0xcf,0x0e,0x8f,0x2f,
+		0x23,0xae,0xcd,0xe0,0x4c,0x13,0x1c,0x1c,0x16,0x8e,0xb9,0x9f,0x02,0x12,0x12,0xa5,
+		0xf4,0x21,0xfe,0x57,0x08,0x7a,0xe8,0xbe,0x15,0xe9,0xdd,0x2a,0xd1,0x7b,0x39,0xd6,
+		0x4f,0x70,0x74,0x7d,0xfd,0x39,0x97,0x80,0x8d,0x02,0x81,0x81,0x00,0xd4,0x5a,0xce,
+		0x05,0x93,0x51,0x15,0x44,0xdd,0x4d,0x79,0x92,0x04,0xe6,0x64,0x7e,0x6c,0xb5,0x61,
+		0x6b,0xc3,0xb3,0xae,0x4f,0x0a,0x75,0xbf,0x6c,0xec,0x47,0xf2,0xbc,0xea,0x76,0xc4,
+		0xc2,0xe7,0xd2,0x50,0xc4,0xe0,0xaf,0x56,0x05,0x72,0x3c,0x34,0x8c,0x5b,0xae,0xb8,
+		0x0e,0xfb,0x83,0x27,0xcf,0x61,0x05,0x44,0x97,0x3f,0x66,0x6d,0x26,0x7d,0xed,0xcd,
+		0x5a,0x87,0x04,0xbc,0xb3,0x70,0x75,0x15,0x51,0xe9,0x18,0x85,0xf7,0x2a,0x45,0xd5,
+		0xc7,0x93,0x32,0x07,0x2e,0x26,0x34,0x2d,0x18,0x63,0x45,0x06,0x6f,0xa9,0x75,0x5d,
+		0x20,0x6b,0x0b,0x13,0x45,0x81,0x7e,0x5c,0xc5,0x48,0x16,0x4b,0x82,0x7c,0xad,0xbe,
+		0xfd,0xa5,0x0a,0xd6,0xc2,0x21,0xfc,0xa5,0x84,0xaf,0xf3,0x10,0xb9,0x02,0x81,0x80,
+		0x29,0x20,0x20,0x6f,0xc2,0x1f,0xf3,0x33,0xde,0x74,0xcc,0x38,0xcf,0x08,0xeb,0x60,
+		0xb8,0x25,0x6a,0x79,0xa5,0xa6,0x41,0x18,0x19,0x9c,0xdc,0xb7,0x88,0xe5,0x8a,0x3b,
+		0x70,0x9b,0xd6,0x46,0xd7,0x17,0x7d,0xd0,0xff,0xe1,0x81,0x87,0xdd,0x8c,0xed,0x54,
+		0x89,0x5b,0x7c,0xd1,0x2d,0x03,0xf8,0x6b,0xb2,0x7d,0x28,0x48,0xe6,0x91,0x8c,0x1b,
+		0xa7,0xa8,0x2b,0xb5,0x29,0xc5,0x06,0x9d,0xd7,0x8e,0x7a,0xa8,0x1f,0x82,0xa4,0x3e,
+		0x2e,0x57,0xb5,0xd7,0x49,0x4d,0x96,0xca,0xe9,0xef,0xe9,0xfd,0x7b,0xb0,0x32,0xe1,
+		0x5c,0x09,0x44,0xa6,0xd8,0x2e,0x57,0xea,0x95,0x1b,0x25,0x43,0x03,0x50,0xe9,0x08,
+		0x8f,0xc4,0x3b,0x42,0x31,0x44,0x8b,0x85,0xcf,0x81,0x38,0x52,0xbd,0xe6,0x93,0x31,
+		0x02,0x81,0x80,0x18,0x3d,0x79,0x51,0x07,0x9c,0xf4,0xd9,0x94,0x8d,0x78,0x78,0x23,
+		0x99,0x0d,0x15,0xa5,0x61,0x1b,0x0a,0xcb,0x1f,0x22,0xa1,0xa1,0x27,0x09,0xbf,0xec,
+		0x44,0xd6,0x3f,0x9c,0x60,0x0c,0x5b,0xd7,0x4c,0x99,0xad,0xaf,0x9c,0x34,0x2c,0x90,
+		0xfa,0xb0,0x60,0xe9,0x42,0x4b,0x7e,0x62,0x55,0x79,0x60,0xe1,0xc9,0x51,0x28,0x16,
+		0xb3,0xa1,0x78,0x08,0x5d,0xf1,0xd8,0x08,0x9b,0x90,0xd2,0xc6,0xde,0x86,0x9d,0x80,
+		0x07,0x2d,0x9b,0xa6,0x36,0xac,0x8d,0x88,0x8e,0xe8,0x64,0xeb,0x35,0x7f,0x84,0x4e,
+		0x28,0x9d,0xf0,0x77,0x1e,0x8f,0x8f,0xd8,0xc8,0x3d,0xdd,0xec,0x47,0x39,0x5d,0xc7,
+		0xb9,0xcb,0xca,0xcc,0x62,0xa4,0xef,0x9d,0x3c,0x5c,0x81,0x72,0x91,0xbd,0x6f,0x25,
+		0x0a,0x90,0xf9,0x02,0x81,0x80,0x51,0x42,0x23,0x64,0x3d,0xbc,0xcb,0xcb,0x77,0xd4,
+		0x5c,0x6b,0xf4,0x16,0x3a,0x6b,0x05,0x5f,0xd4,0xf8,0x59,0xe6,0x98,0x0c,0x43,0x7e,
+		0x6b,0x17,0x0d,0x01,0x23,0x6e,0x4c,0xff,0x35,0xe4,0xc5,0xba,0xe8,0x9e,0x12,0x94,
+		0x34,0x78,0xe4,0x3d,0x35,0xa1,0xd4,0xa9,0xa3,0x7e,0xe4,0x57,0xef,0xa4,0x9a,0x6a,
+		0x32,0xb3,0x9f,0xf8,0x3a,0xcf,0xea,0xf4,0xc7,0x59,0x92,0xd4,0x2a,0x5b,0x26,0x83,
+		0x78,0x30,0x5f,0xdf,0x46,0xa6,0xb0,0x28,0x37,0x2b,0x55,0x08,0x4c,0xb6,0x6b,0xb8,
+		0xa9,0x11,0x7d,0x0b,0xab,0x97,0x4d,0x8c,0xc3,0xbf,0x3b,0xcd,0x3e,0xad,0x80,0xce,
+		0xe8,0xc6,0x01,0x35,0xd2,0x3e,0x31,0xdc,0x96,0xd7,0xc3,0xab,0x65,0xd1,0xc4,0xa3,
+		0x47,0x14,0xa9,0xba,0xd0,0x30,
+	),
+};
+
+START_TEST(test_load)
+{
+	private_key_t *privkey;
+	public_key_t *pubkey;
+
+	privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+								 BUILD_BLOB_ASN1_DER, keys[_i], BUILD_END);
+	ck_assert(privkey != NULL);
+	pubkey = privkey->get_public_key(privkey);
+	ck_assert(pubkey != NULL);
+
+	test_good_sig(privkey, pubkey);
+
+	test_bad_sigs(pubkey);
+
+	pubkey->destroy(pubkey);
+	privkey->destroy(privkey);
+}
+END_TEST
+
+Suite *rsa_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("rsa");
+
+	tc = tcase_create("generate");
+	tcase_add_loop_test(tc, test_gen, 0, countof(key_sizes));
+	tcase_set_timeout(tc, 8);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("load");
+	tcase_add_loop_test(tc, test_load, 0, countof(keys));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c
new file mode 100644
index 000000000..e7a04fd9a
--- /dev/null
+++ b/src/libstrongswan/tests/test_runner.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+
+#include "test_runner.h"
+
+#include <library.h>
+#include <plugins/plugin_feature.h>
+
+#include <dirent.h>
+
+/**
+ * Load plugins from builddir
+ */
+static bool load_plugins()
+{
+	enumerator_t *enumerator;
+	char *name, path[PATH_MAX], dir[64];
+
+	enumerator = enumerator_create_token(PLUGINS, " ", "");
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		snprintf(dir, sizeof(dir), "%s", name);
+		translate(dir, "-", "_");
+		snprintf(path, sizeof(path), "%s/%s/.libs", PLUGINDIR, dir);
+		lib->plugins->add_path(lib->plugins, path);
+	}
+	enumerator->destroy(enumerator);
+
+	return lib->plugins->load(lib->plugins, PLUGINS);
+}
+
+int main()
+{
+	SRunner *sr;
+	int nf;
+
+	/* test cases are forked and there is no cleanup, so disable leak detective.
+	 * if test_suite.h is included leak detective is enabled in test cases */
+	setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
+	/* redirect all output to stderr (to redirect make's stdout to /dev/null) */
+	dup2(2, 1);
+
+	library_init(NULL);
+
+	/* use non-blocking RNG to generate keys fast */
+	lib->settings->set_default_str(lib->settings,
+			"libstrongswan.plugins.random.random",
+			lib->settings->get_str(lib->settings,
+				"libstrongswan.plugins.random.urandom", "/dev/urandom"));
+
+	if (!load_plugins())
+	{
+		library_deinit();
+		return EXIT_FAILURE;
+	}
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	sr = srunner_create(NULL);
+	srunner_add_suite(sr, bio_reader_suite_create());
+	srunner_add_suite(sr, bio_writer_suite_create());
+	srunner_add_suite(sr, chunk_suite_create());
+	srunner_add_suite(sr, enum_suite_create());
+	srunner_add_suite(sr, enumerator_suite_create());
+	srunner_add_suite(sr, linked_list_suite_create());
+	srunner_add_suite(sr, linked_list_enumerator_suite_create());
+	srunner_add_suite(sr, hashtable_suite_create());
+	srunner_add_suite(sr, array_suite_create());
+	srunner_add_suite(sr, identification_suite_create());
+	srunner_add_suite(sr, threading_suite_create());
+	srunner_add_suite(sr, utils_suite_create());
+	srunner_add_suite(sr, host_suite_create());
+	srunner_add_suite(sr, vectors_suite_create());
+	if (lib->plugins->has_feature(lib->plugins,
+								  PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_RSA)))
+	{
+		srunner_add_suite(sr, rsa_suite_create());
+	}
+	if (lib->plugins->has_feature(lib->plugins,
+								  PLUGIN_DEPENDS(PRIVKEY_GEN, KEY_ECDSA)))
+	{
+		srunner_add_suite(sr, ecdsa_suite_create());
+	}
+
+	srunner_run_all(sr, CK_NORMAL);
+	nf = srunner_ntests_failed(sr);
+
+	srunner_free(sr);
+	library_deinit();
+
+	return (nf == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff --git a/src/libstrongswan/tests/test_runner.h b/src/libstrongswan/tests/test_runner.h
new file mode 100644
index 000000000..e9381756c
--- /dev/null
+++ b/src/libstrongswan/tests/test_runner.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TEST_RUNNER_H_
+#define TEST_RUNNER_H_
+
+#include <check.h>
+
+Suite *bio_reader_suite_create();
+Suite *bio_writer_suite_create();
+Suite *chunk_suite_create();
+Suite *enum_suite_create();
+Suite *enumerator_suite_create();
+Suite *linked_list_suite_create();
+Suite *linked_list_enumerator_suite_create();
+Suite *hashtable_suite_create();
+Suite *array_suite_create();
+Suite *identification_suite_create();
+Suite *threading_suite_create();
+Suite *utils_suite_create();
+Suite *vectors_suite_create();
+Suite *ecdsa_suite_create();
+Suite *rsa_suite_create();
+Suite *host_suite_create();
+
+#endif /** TEST_RUNNER_H_ */
diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h
new file mode 100644
index 000000000..edf16f128
--- /dev/null
+++ b/src/libstrongswan/tests/test_suite.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TEST_UTILS_H_
+#define TEST_UTILS_H_
+
+#include <check.h>
+#include <library.h>
+#include <utils/debug.h>
+
+/**
+ * Used to mark test cases that use test fixtures.
+ */
+#define UNIT_TEST_FIXTURE_USED "UNIT_TEST_FIXTURE_USED"
+
+/**
+ * Check for memory leaks and fail if any are encountered.
+ */
+#define CHECK_FOR_LEAKS() do \
+{ \
+	if (lib->leak_detective->leaks(lib->leak_detective)) { \
+		lib->leak_detective->report(lib->leak_detective, TRUE); \
+	} \
+	ck_assert_int_eq(lib->leak_detective->leaks(lib->leak_detective), 0); \
+} \
+while(0)
+
+/**
+ * Extended versions of the START|END_TEST macros that use leak detective.
+ *
+ * Since each test case runs in its own fork of the test runner the stuff
+ * allocated before the test starts is not freed, so leak detective is disabled
+ * by default to prevent false positives.  By enabling it right when the test
+ * starts we at least capture leaks created by the tested objects/functions and
+ * the test case itself.  This allows writing test cases for cleanup functions.
+ *
+ * To define test fixture with possibly allocated/destroyed memory that is
+ * allocated/freed in a test case use the START|END_SETUP|TEARDOWN macros.
+ */
+#undef START_TEST
+#define START_TEST(name) \
+static void name (int _i CK_ATTRIBUTE_UNUSED) \
+{ \
+	tcase_fn_start(""#name, __FILE__, __LINE__); \
+	dbg_default_set_level(LEVEL_SILENT); \
+	lib->leak_detective->set_state(lib->leak_detective, TRUE);
+
+#undef END_TEST
+#define END_TEST \
+	if (!lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
+	{ \
+		CHECK_FOR_LEAKS(); \
+	} \
+}
+
+/**
+ * Define a function to setup a test fixture that can be used with the above
+ * macros.
+ */
+#define START_SETUP(name) \
+static void name() \
+{ \
+	lib->set(lib, UNIT_TEST_FIXTURE_USED, (void*)TRUE); \
+	lib->leak_detective->set_state(lib->leak_detective, TRUE);
+
+/**
+ * End a setup function
+ */
+#define END_SETUP }
+
+/**
+ * Define a function to teardown a test fixture that can be used with the above
+ * macros.
+ */
+#define START_TEARDOWN(name) \
+static void name() \
+{
+
+/**
+ * End a teardown function
+ */
+#define END_TEARDOWN \
+	if (lib->get(lib, UNIT_TEST_FIXTURE_USED)) \
+	{ \
+		CHECK_FOR_LEAKS(); \
+	} \
+}
+
+#endif /** TEST_UTILS_H_ */
diff --git a/src/libstrongswan/tests/test_threading.c b/src/libstrongswan/tests/test_threading.c
new file mode 100644
index 000000000..0c768b3e2
--- /dev/null
+++ b/src/libstrongswan/tests/test_threading.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sched.h>
+#include <pthread.h>
+
+#include "test_suite.h"
+
+#include <threading/mutex.h>
+
+/*******************************************************************************
+ * recursive mutex test
+ */
+
+#define THREADS 20
+
+static mutex_t *mutex;
+
+static pthread_barrier_t mutex_barrier;
+
+static int mutex_locked = 0;
+
+static void *mutex_run(void *data)
+{
+	int i;
+
+	/* wait for all threads before getting in action */
+	pthread_barrier_wait(&mutex_barrier);
+
+	for (i = 0; i < 100; i++)
+	{
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		mutex->lock(mutex);
+		mutex_locked++;
+		sched_yield();
+		if (mutex_locked > 1)
+		{
+			fail("two threads locked the mutex concurrently");
+		}
+		mutex_locked--;
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+		mutex->unlock(mutex);
+	}
+	return NULL;
+}
+
+START_TEST(test_mutex)
+{
+	pthread_t threads[THREADS];
+	int i;
+
+	mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
+
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+		mutex->unlock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->lock(mutex);
+	}
+	for (i = 0; i < 10; i++)
+	{
+		mutex->unlock(mutex);
+	}
+
+	pthread_barrier_init(&mutex_barrier, NULL, THREADS);
+	for (i = 0; i < THREADS; i++)
+	{
+		pthread_create(&threads[i], NULL, mutex_run, NULL);
+	}
+	for (i = 0; i < THREADS; i++)
+	{
+		pthread_join(threads[i], NULL);
+	}
+	pthread_barrier_destroy(&mutex_barrier);
+
+	mutex->destroy(mutex);
+}
+END_TEST
+
+Suite *threading_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("threading");
+
+	tc = tcase_create("recursive mutex");
+	tcase_add_test(tc, test_mutex);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_utils.c b/src/libstrongswan/tests/test_utils.c
new file mode 100644
index 000000000..d9f1726ff
--- /dev/null
+++ b/src/libstrongswan/tests/test_utils.c
@@ -0,0 +1,464 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <library.h>
+#include <utils/utils.h>
+
+#include <time.h>
+
+/*******************************************************************************
+ * object storage on lib
+ */
+
+START_TEST(test_objects)
+{
+	char *k1 = "key1", *k2 = "key2";
+	char *v1 = "val1", *val;
+
+	ck_assert(lib->get(lib, k1) == NULL);
+
+	ck_assert(lib->set(lib, k1, v1));
+	ck_assert(!lib->set(lib, k1, v1));
+
+	val = lib->get(lib, k1);
+	ck_assert(val != NULL);
+	ck_assert(streq(val, v1));
+
+	ck_assert(lib->set(lib, k1, NULL));
+	ck_assert(!lib->set(lib, k2, NULL));
+
+	ck_assert(lib->get(lib, k1) == NULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * test return_... functions
+ */
+
+START_TEST(test_return_functions)
+{
+	ck_assert(return_null() == NULL);
+	ck_assert(return_null("asdf", 5, NULL, 1, "qwer") == NULL);
+
+	ck_assert(return_true() == TRUE);
+	ck_assert(return_true("asdf", 5, NULL, 1, "qwer") == TRUE);
+
+	ck_assert(return_false() == FALSE);
+	ck_assert(return_false("asdf", 5, NULL, 1, "qwer") == FALSE);
+
+	ck_assert(return_failed() == FAILED);
+	ck_assert(return_failed("asdf", 5, NULL, 1, "qwer") == FAILED);
+
+	ck_assert(return_success() == SUCCESS);
+	ck_assert(return_success("asdf", 5, NULL, 1, "qwer") == SUCCESS);
+
+	/* just make sure this works */
+	nop();
+	nop("asdf", 5, NULL, 1, "qwer");
+}
+END_TEST
+
+/*******************************************************************************
+ * timeval_add_ms
+ */
+
+START_TEST(test_timeval_add_ms)
+{
+	timeval_t tv;
+
+	tv.tv_sec = 0;
+	tv.tv_usec = 0;
+	timeval_add_ms(&tv, 0);
+	ck_assert_int_eq(tv.tv_sec, 0);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 1);
+	ck_assert_int_eq(tv.tv_sec, 0);
+	ck_assert_int_eq(tv.tv_usec, 1000);
+
+	timeval_add_ms(&tv, 0);
+	ck_assert_int_eq(tv.tv_sec, 0);
+	ck_assert_int_eq(tv.tv_usec, 1000);
+
+	timeval_add_ms(&tv, 999);
+	ck_assert_int_eq(tv.tv_sec, 1);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 0);
+	ck_assert_int_eq(tv.tv_sec, 1);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 1000);
+	ck_assert_int_eq(tv.tv_sec, 2);
+	ck_assert_int_eq(tv.tv_usec, 0);
+
+	timeval_add_ms(&tv, 1500);
+	ck_assert_int_eq(tv.tv_sec, 3);
+	ck_assert_int_eq(tv.tv_usec, 500000);
+}
+END_TEST
+
+/*******************************************************************************
+ * htoun/untoh
+ */
+
+START_TEST(test_htoun)
+{
+	chunk_t net64, expected;
+	u_int16_t host16 = 513;
+	u_int32_t net16 = 0, host32 = 67305985;
+	u_int64_t net32 = 0, host64 = 578437695752307201ULL;
+
+	net64 = chunk_alloca(16);
+	memset(net64.ptr, 0, net64.len);
+
+	expected = chunk_from_chars(0x00, 0x02, 0x01, 0x00);
+	htoun16((char*)&net16 + 1, host16);
+	ck_assert(chunk_equals(expected, chunk_from_thing(net16)));
+
+	expected = chunk_from_chars(0x00, 0x00, 0x04, 0x03, 0x02, 0x01, 0x00, 0x00);
+	htoun32((u_int16_t*)&net32 + 1, host32);
+	ck_assert(chunk_equals(expected, chunk_from_thing(net32)));
+
+	expected = chunk_from_chars(0x00, 0x00, 0x00, 0x00,
+								0x08, 0x07, 0x06, 0x05,
+								0x04, 0x03, 0x02, 0x01,
+								0x00, 0x00, 0x00, 0x00);
+	htoun64((u_int32_t*)net64.ptr + 1, host64);
+	ck_assert(chunk_equals(expected, net64));
+}
+END_TEST
+
+START_TEST(test_untoh)
+{
+	chunk_t net;
+	u_int16_t host16;
+	u_int32_t host32;
+	u_int64_t host64;
+
+	net = chunk_from_chars(0x00, 0x02, 0x01, 0x00);
+	host16 = untoh16(net.ptr + 1);
+	ck_assert(host16 == 513);
+
+	net = chunk_from_chars(0x00, 0x00, 0x04, 0x03, 0x02, 0x01, 0x00, 0x00);
+	host32 = untoh32(net.ptr + 2);
+	ck_assert(host32 == 67305985);
+
+	net = chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x08, 0x07, 0x06, 0x05,
+						   0x04, 0x03, 0x02, 0x01, 0x00, 0x00, 0x00, 0x00);
+	host64 = untoh64(net.ptr + 4);
+	ck_assert(host64 == 578437695752307201ULL);
+}
+END_TEST
+
+/*******************************************************************************
+ * round_up/down
+ */
+
+START_TEST(test_round)
+{
+	ck_assert_int_eq(round_up(0, 4), 0);
+	ck_assert_int_eq(round_up(1, 4), 4);
+	ck_assert_int_eq(round_up(2, 4), 4);
+	ck_assert_int_eq(round_up(3, 4), 4);
+	ck_assert_int_eq(round_up(4, 4), 4);
+	ck_assert_int_eq(round_up(5, 4), 8);
+
+	ck_assert_int_eq(round_down(0, 4), 0);
+	ck_assert_int_eq(round_down(1, 4), 0);
+	ck_assert_int_eq(round_down(2, 4), 0);
+	ck_assert_int_eq(round_down(3, 4), 0);
+	ck_assert_int_eq(round_down(4, 4), 4);
+	ck_assert_int_eq(round_down(5, 4), 4);
+}
+END_TEST
+
+/*******************************************************************************
+ * memxor
+ */
+
+static void do_memxor(chunk_t a, chunk_t b, chunk_t exp)
+{
+	chunk_t dst;
+
+	dst = chunk_clonea(a);
+	dst.len = b.len;
+	memxor(dst.ptr, b.ptr, b.len);
+	ck_assert(chunk_equals(dst, exp));
+}
+
+START_TEST(test_memxor)
+{
+	chunk_t a, b, dst;
+	int i;
+
+	a = chunk_alloca(64);
+	memset(a.ptr, 0, a.len);
+	b = chunk_alloca(64);
+	for (i = 0; i < 64; i++)
+	{
+		b.ptr[i] = i;
+		b.len = i;
+		do_memxor(a, b, b);
+	}
+	b.len = 64;
+	do_memxor(a, b, b);
+
+	dst = chunk_clonea(a);
+	memxor(dst.ptr, b.ptr, b.len);
+	ck_assert(chunk_equals(dst, b));
+
+	memxor(dst.ptr, b.ptr, 0);
+	memxor(dst.ptr, b.ptr, 1);
+	memxor(dst.ptr + 1, b.ptr + 1, 1);
+	memxor(dst.ptr + 2, b.ptr + 2, b.len - 2);
+	ck_assert(chunk_equals(dst, a));
+}
+END_TEST
+
+START_TEST(test_memxor_aligned)
+{
+	u_int64_t a = 0, b = 0;
+	chunk_t ca, cb;
+	int i;
+
+	ca = chunk_from_thing(a);
+	cb = chunk_from_thing(b);
+
+	for (i = 0; i < 8; i++)
+	{
+		cb.ptr[i] = i + 1;
+	}
+
+	/* 64-bit aligned */
+	memxor(ca.ptr, cb.ptr, 8);
+	ck_assert(a == b);
+	/* 32-bit aligned source */
+	a = 0;
+	memxor(ca.ptr, cb.ptr + 4, 4);
+	ck_assert(chunk_equals(ca, chunk_from_chars(0x05, 0x06, 0x07, 0x08,
+												0x00, 0x00, 0x00, 0x00)));
+	/* 16-bit aligned source */
+	a = 0;
+	memxor(ca.ptr, cb.ptr + 2, 6);
+	ck_assert(chunk_equals(ca, chunk_from_chars(0x03, 0x04, 0x05, 0x06,
+												0x07, 0x08, 0x00, 0x00)));
+	/* 8-bit aligned source */
+	a = 0;
+	memxor(ca.ptr, cb.ptr + 1, 7);
+	ck_assert(chunk_equals(ca, chunk_from_chars(0x02, 0x03, 0x04, 0x05,
+												0x06, 0x07, 0x08, 0x00)));
+}
+END_TEST
+
+/*******************************************************************************
+ * memstr
+ */
+
+static struct {
+	char *haystack;
+	char *needle;
+	size_t n;
+	int offset;
+} memstr_data[] = {
+	{NULL, NULL, 0, -1},
+	{NULL, NULL, 3, -1},
+	{NULL, "abc", 0, -1},
+	{NULL, "abc", 3, -1},
+	{"", "", 0, -1},
+	{"abc", NULL, 3, -1},
+	{"abc", "", 3, -1},
+	{"abc", "abc", 3, 0},
+	{" abc", "abc", 4, 1},
+	{" abc", "abc", 3, -1},
+	{"abcabc", "abc", 6, 0},
+	{" abc ", "abc", 5, 1},
+};
+
+START_TEST(test_memstr)
+{
+	char *ret;
+
+	ret = memstr(memstr_data[_i].haystack, memstr_data[_i].needle, memstr_data[_i].n);
+	if (memstr_data[_i].offset >= 0)
+	{
+		ck_assert(ret == memstr_data[_i].haystack + memstr_data[_i].offset);
+	}
+	else
+	{
+		ck_assert(ret == NULL);
+	}
+}
+END_TEST
+
+/*******************************************************************************
+ * translate
+ */
+
+static struct {
+	char *in;
+	char *from;
+	char *to;
+	char *out;
+} translate_data[] = {
+	{NULL, "", "", NULL},
+	{"abc", "", "", "abc"},
+	{"abc", "", "x", "abc"},
+	{"abc", "x", "", "abc"},
+	{"abc", "abc", "xyz", "xyz"},
+	{"aabbcc", "abc", "xyz", "xxyyzz"},
+	{"abbaccb", "abc", "xyz", "xyyxzzy"},
+	{"abxyzc", "abc", "xyz", "xyxyzz"},
+	{"abcdef", "abc", "xyz", "xyzdef"},
+	{"aaa", "abc", "xyz", "xxx"},
+	{"abc", "aaa", "xyz", "xbc"},
+	{"abc", "abc", "xxx", "xxx"},
+};
+
+START_TEST(test_translate)
+{
+	char *str, *ret;
+
+	str = strdupnull(translate_data[_i].in);
+	ret = translate(str, translate_data[_i].from, translate_data[_i].to);
+	ck_assert(ret == str);
+	if (ret != translate_data[_i].out)
+	{
+		ck_assert_str_eq(str, translate_data[_i].out);
+	}
+	free(str);
+}
+END_TEST
+
+/*******************************************************************************
+ * time_printf_hook
+ */
+
+static struct {
+	time_t in;
+	bool utc;
+	char *out;
+} time_data[] = {
+	{UNDEFINED_TIME, FALSE, "--- -- --:--:-- ----"},
+	{UNDEFINED_TIME, TRUE , "--- -- --:--:-- UTC ----"},
+	{1, FALSE, "Jan 01 01:00:01 1970"},
+	{1, TRUE , "Jan 01 00:00:01 UTC 1970"},
+	{1341150196, FALSE, "Jul 01 15:43:16 2012"},
+	{1341150196, TRUE , "Jul 01 13:43:16 UTC 2012"},
+};
+
+START_TEST(test_time_printf_hook)
+{
+	char buf[32];
+	int len;
+
+	len = snprintf(buf, sizeof(buf), "%T", &time_data[_i].in, time_data[_i].utc);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	ck_assert_str_eq(buf, time_data[_i].out);
+}
+END_TEST
+
+/*******************************************************************************
+ * time_delta_printf_hook
+ */
+
+static struct {
+	time_t a;
+	time_t b;
+	char *out;
+} time_delta_data[] = {
+	{0, 0, "0 seconds"},
+	{0, 1, "1 second"},
+	{0, -1, "1 second"},
+	{1, 0, "1 second"},
+	{0, 2, "2 seconds"},
+	{2, 0, "2 seconds"},
+	{0, 60, "60 seconds"},
+	{0, 120, "120 seconds"},
+	{0, 121, "2 minutes"},
+	{0, 3600, "60 minutes"},
+	{0, 7200, "120 minutes"},
+	{0, 7201, "2 hours"},
+	{0, 86400, "24 hours"},
+	{0, 172800, "48 hours"},
+	{0, 172801, "2 days"},
+	{172801, 86400, "24 hours"},
+};
+
+START_TEST(test_time_delta_printf_hook)
+{
+	char buf[16];
+	int len;
+
+	len = snprintf(buf, sizeof(buf), "%V", &time_delta_data[_i].a, &time_delta_data[_i].b);
+	ck_assert(len >= 0 && len < sizeof(buf));
+	ck_assert_str_eq(buf, time_delta_data[_i].out);
+}
+END_TEST
+
+Suite *utils_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	/* force a timezone to match non-UTC conversions */
+	setenv("TZ", "Europe/Zurich", 1);
+	tzset();
+
+	s = suite_create("utils");
+
+	tc = tcase_create("objects");
+	tcase_add_test(tc, test_objects);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("return functions");
+	tcase_add_test(tc, test_return_functions);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("timeval_add_ms");
+	tcase_add_test(tc, test_timeval_add_ms);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("htoun,untoh");
+	tcase_add_test(tc, test_htoun);
+	tcase_add_test(tc, test_untoh);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("round");
+	tcase_add_test(tc, test_round);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("memxor");
+	tcase_add_test(tc, test_memxor);
+	tcase_add_test(tc, test_memxor_aligned);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("memstr");
+	tcase_add_loop_test(tc, test_memstr, 0, countof(memstr_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("translate");
+	tcase_add_loop_test(tc, test_translate, 0, countof(translate_data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("printf_hooks");
+	tcase_add_loop_test(tc, test_time_printf_hook, 0, countof(time_data));
+	tcase_add_loop_test(tc, test_time_delta_printf_hook, 0, countof(time_delta_data));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/test_vectors.c b/src/libstrongswan/tests/test_vectors.c
new file mode 100644
index 000000000..f2817d314
--- /dev/null
+++ b/src/libstrongswan/tests/test_vectors.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+/*******************************************************************************
+ * Check if test vectors have been successful during transform registration
+ */
+
+START_TEST(test_vectors)
+{
+	fail_if(lib->crypto->get_test_vector_failures(lib->crypto));
+}
+END_TEST
+
+
+Suite *vectors_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("vectors");
+
+	tc = tcase_create("failures");
+	tcase_add_test(tc, test_vectors);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/threading/mutex.c b/src/libstrongswan/threading/mutex.c
index 3bdb3bf29..f86e781c5 100644
--- a/src/libstrongswan/threading/mutex.c
+++ b/src/libstrongswan/threading/mutex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,7 +21,7 @@
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "condvar.h"
 #include "mutex.h"
@@ -73,9 +73,9 @@ struct private_r_mutex_t {
 	pthread_t thread;
 
 	/**
-	 * times we have locked the lock, stored per thread
+	 * times the current thread locked the mutex
 	 */
-	pthread_key_t times;
+	u_int times;
 };
 
 /**
@@ -127,35 +127,24 @@ METHOD(mutex_t, lock_r, void,
 {
 	pthread_t self = pthread_self();
 
-	if (this->thread == self)
+	if (pthread_equal(this->thread, self))
 	{
-		uintptr_t times;
-
-		/* times++ */
-		times = (uintptr_t)pthread_getspecific(this->times);
-		pthread_setspecific(this->times, (void*)times + 1);
+		this->times++;
 	}
 	else
 	{
 		lock(&this->generic);
 		this->thread = self;
-		/* times = 1 */
-		pthread_setspecific(this->times, (void*)1);
+		this->times = 1;
 	}
 }
 
 METHOD(mutex_t, unlock_r, void,
 	private_r_mutex_t *this)
 {
-	uintptr_t times;
-
-	/* times-- */
-	times = (uintptr_t)pthread_getspecific(this->times);
-	pthread_setspecific(this->times, (void*)--times);
-
-	if (times == 0)
+	if (--this->times == 0)
 	{
-		this->thread = 0;
+		memset(&this->thread, 0, sizeof(this->thread));
 		unlock(&this->generic);
 	}
 }
@@ -173,7 +162,6 @@ METHOD(mutex_t, mutex_destroy_r, void,
 {
 	profiler_cleanup(&this->generic.profile);
 	pthread_mutex_destroy(&this->generic.mutex);
-	pthread_key_delete(this->times);
 	free(this);
 }
 
@@ -200,7 +188,6 @@ mutex_t *mutex_create(mutex_type_t type)
 			);
 
 			pthread_mutex_init(&this->generic.mutex, NULL);
-			pthread_key_create(&this->times, NULL);
 			profiler_init(&this->generic.profile);
 
 			return &this->generic.public;
@@ -233,11 +220,15 @@ METHOD(condvar_t, wait_, void,
 	if (mutex->recursive)
 	{
 		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
+		u_int times;
 
+		/* keep track of the number of times this thread locked the mutex */
+		times = recursive->times;
 		/* mutex owner gets cleared during condvar wait */
-		recursive->thread = 0;
+		memset(&recursive->thread, 0, sizeof(recursive->thread));
 		pthread_cond_wait(&this->condvar, &mutex->mutex);
 		recursive->thread = pthread_self();
+		recursive->times = times;
 	}
 	else
 	{
@@ -262,11 +253,14 @@ METHOD(condvar_t, timed_wait_abs, bool,
 	if (mutex->recursive)
 	{
 		private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
+		u_int times;
 
-		recursive->thread = 0;
+		times = recursive->times;
+		memset(&recursive->thread, 0, sizeof(recursive->thread));
 		timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
 										   &ts) == ETIMEDOUT;
 		recursive->thread = pthread_self();
+		recursive->times = times;
 	}
 	else
 	{
@@ -288,13 +282,7 @@ METHOD(condvar_t, timed_wait, bool,
 	ms = timeout % 1000;
 
 	tv.tv_sec += s;
-	tv.tv_usec += ms * 1000;
-
-	if (tv.tv_usec > 1000000 /* 1s */)
-	{
-		tv.tv_usec -= 1000000;
-		tv.tv_sec++;
-	}
+	timeval_add_ms(&tv, ms);
 	return timed_wait_abs(this, mutex, tv);
 }
 
diff --git a/src/libstrongswan/threading/rwlock.c b/src/libstrongswan/threading/rwlock.c
index 15dc0b334..176445705 100644
--- a/src/libstrongswan/threading/rwlock.c
+++ b/src/libstrongswan/threading/rwlock.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -18,14 +18,17 @@
 #include <pthread.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "rwlock.h"
+#include "rwlock_condvar.h"
+#include "thread.h"
 #include "condvar.h"
 #include "mutex.h"
 #include "lock_profiler.h"
 
 typedef struct private_rwlock_t private_rwlock_t;
+typedef struct private_rwlock_condvar_t private_rwlock_condvar_t;
 
 /**
  * private data of rwlock
@@ -72,9 +75,9 @@ struct private_rwlock_t {
 	u_int reader_count;
 
 	/**
-	 * current writer thread, if any
+	 * TRUE, if a writer is holding the lock currently
 	 */
-	pthread_t writer;
+	bool writer;
 
 #endif /* HAVE_PTHREAD_RWLOCK_INIT */
 
@@ -84,6 +87,27 @@ struct private_rwlock_t {
 	lock_profile_t profile;
 };
 
+/**
+ * private data of condvar
+ */
+struct private_rwlock_condvar_t {
+
+	/**
+	 * public interface
+	 */
+	rwlock_condvar_t public;
+
+	/**
+	 * mutex used to implement rwlock condvar
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * regular condvar to implement rwlock condvar
+	 */
+	condvar_t *condvar;
+};
+
 
 #ifdef HAVE_PTHREAD_RWLOCK_INIT
 
@@ -175,37 +199,81 @@ rwlock_t *rwlock_create(rwlock_type_t type)
 
 /**
  * This implementation of the rwlock_t interface uses mutex_t and condvar_t
- * primitives, if the pthread_rwlock_* group of functions is not available.
+ * primitives, if the pthread_rwlock_* group of functions is not available or
+ * don't allow recursive locking for readers.
  *
  * The following constraints are enforced:
  *   - Multiple readers can hold the lock at the same time.
  *   - Only a single writer can hold the lock at any given time.
  *   - A writer must block until all readers have released the lock before
  *     obtaining the lock exclusively.
- *   - Readers that arrive while a writer is waiting to acquire the lock will
- *     block until after the writer has obtained and released the lock.
+ *   - Readers that don't hold any read lock and arrive while a writer is
+ *     waiting to acquire the lock will block until after the writer has
+ *     obtained and released the lock.
  * These constraints allow for read sharing, prevent write sharing, prevent
- * read-write sharing and prevent starvation of writers by a steady stream
- * of incoming readers. Reader starvation is not prevented (this could happen
- * if there are more writers than readers).
+ * read-write sharing and (largely) prevent starvation of writers by a steady
+ * stream of incoming readers.  Reader starvation is not prevented (this could
+ * happen if there are more writers than readers).
  *
- * The implementation does not support recursive locking and readers must not
- * acquire the lock exclusively at the same time and vice-versa (this is not
- * checked or enforced so behave yourself to prevent deadlocks).
+ * The implementation supports recursive locking of the read lock but not of
+ * the write lock.  Readers must not acquire the lock exclusively at the same
+ * time and vice-versa (this is not checked or enforced so behave yourself to
+ * prevent deadlocks).
+ *
+ * Since writers are preferred a thread currently holding the read lock that
+ * tries to acquire the read lock recursively while a writer is waiting would
+ * result in a deadlock.  In order to avoid having to use a thread-specific
+ * value for each rwlock_t (or a list of threads) to keep track if a thread
+ * already acquired the read lock we use a single thread-specific value for all
+ * rwlock_t objects that keeps track of how many read locks a thread currently
+ * holds.  Preferring readers that already hold ANY read locks prevents this
+ * deadlock while it still largely avoids writer starvation (for locks that can
+ * only be acquired while holding another read lock this will obviously not
+ * work).
+ */
+
+/**
+ * Keep track of how many read locks a thread holds.
+ */
+static pthread_key_t is_reader;
+
+/**
+ * Only initialize the read lock counter once.
  */
+static pthread_once_t is_reader_initialized = PTHREAD_ONCE_INIT;
+
+/**
+ * Initialize the read lock counter.
+ */
+static void initialize_is_reader()
+{
+	pthread_key_create(&is_reader, NULL);
+}
 
 METHOD(rwlock_t, read_lock, void,
 	private_rwlock_t *this)
 {
+	uintptr_t reading;
+
+	reading = (uintptr_t)pthread_getspecific(is_reader);
 	profiler_start(&this->profile);
 	this->mutex->lock(this->mutex);
-	while (this->writer || this->waiting_writers)
+	if (!this->writer && reading > 0)
 	{
-		this->readers->wait(this->readers, this->mutex);
+		/* directly allow threads that hold ANY read locks, to avoid a deadlock
+		 * caused by preferring writers in the loop below */
+	}
+	else
+	{
+		while (this->writer || this->waiting_writers)
+		{
+			this->readers->wait(this->readers, this->mutex);
+		}
 	}
 	this->reader_count++;
 	profiler_end(&this->profile);
 	this->mutex->unlock(this->mutex);
+	pthread_setspecific(is_reader, (void*)(reading + 1));
 }
 
 METHOD(rwlock_t, write_lock, void,
@@ -219,7 +287,7 @@ METHOD(rwlock_t, write_lock, void,
 		this->writers->wait(this->writers, this->mutex);
 	}
 	this->waiting_writers--;
-	this->writer = pthread_self();
+	this->writer = TRUE;
 	profiler_end(&this->profile);
 	this->mutex->unlock(this->mutex);
 }
@@ -231,8 +299,7 @@ METHOD(rwlock_t, try_write_lock, bool,
 	this->mutex->lock(this->mutex);
 	if (!this->writer && !this->reader_count)
 	{
-		res = TRUE;
-		this->writer = pthread_self();
+		res = this->writer = TRUE;
 	}
 	this->mutex->unlock(this->mutex);
 	return res;
@@ -242,9 +309,20 @@ METHOD(rwlock_t, unlock, void,
 	private_rwlock_t *this)
 {
 	this->mutex->lock(this->mutex);
-	if (this->writer == pthread_self())
+	if (this->writer)
+	{
+		this->writer = FALSE;
+	}
+	else
+	{
+		uintptr_t reading;
+
+		this->reader_count--;
+		reading = (uintptr_t)pthread_getspecific(is_reader);
+		pthread_setspecific(is_reader, (void*)(reading - 1));
+	}
+	if (!this->reader_count)
 	{
-		this->writer = 0;
 		if (this->waiting_writers)
 		{
 			this->writers->signal(this->writers);
@@ -254,14 +332,6 @@ METHOD(rwlock_t, unlock, void,
 			this->readers->broadcast(this->readers);
 		}
 	}
-	else
-	{
-		this->reader_count--;
-		if (!this->reader_count)
-		{
-			this->writers->signal(this->writers);
-		}
-	}
 	this->mutex->unlock(this->mutex);
 }
 
@@ -280,6 +350,8 @@ METHOD(rwlock_t, destroy, void,
  */
 rwlock_t *rwlock_create(rwlock_type_t type)
 {
+	pthread_once(&is_reader_initialized,  initialize_is_reader);
+
 	switch (type)
 	{
 		case RWLOCK_TYPE_DEFAULT:
@@ -309,3 +381,105 @@ rwlock_t *rwlock_create(rwlock_type_t type)
 
 #endif /* HAVE_PTHREAD_RWLOCK_INIT */
 
+
+METHOD(rwlock_condvar_t, wait_, void,
+	private_rwlock_condvar_t *this, rwlock_t *lock)
+{
+	/* at this point we have the write lock locked, to make signals more
+	 * predictable we try to prevent other threads from signaling by acquiring
+	 * the mutex while we still hold the write lock (this assumes they will
+	 * hold the write lock themselves when signaling, which is not mandatory) */
+	this->mutex->lock(this->mutex);
+	/* unlock the rwlock and wait for a signal */
+	lock->unlock(lock);
+	/* if the calling thread enabled thread cancelability we want to replicate
+	 * the behavior of the regular condvar, i.e. the lock will be held again
+	 * before executing cleanup functions registered by the calling thread */
+	thread_cleanup_push((thread_cleanup_t)lock->write_lock, lock);
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	this->condvar->wait(this->condvar, this->mutex);
+	/* we release the mutex to allow other threads into the condvar (might even
+	 * be required so we can acquire the lock again below) */
+	thread_cleanup_pop(TRUE);
+	/* finally we reacquire the lock we held previously */
+	thread_cleanup_pop(TRUE);
+}
+
+METHOD(rwlock_condvar_t, timed_wait_abs, bool,
+	private_rwlock_condvar_t *this, rwlock_t *lock, timeval_t time)
+{
+	bool timed_out;
+
+	/* see wait() above for details on what is going on here */
+	this->mutex->lock(this->mutex);
+	lock->unlock(lock);
+	thread_cleanup_push((thread_cleanup_t)lock->write_lock, lock);
+	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+	timed_out = this->condvar->timed_wait_abs(this->condvar, this->mutex, time);
+	thread_cleanup_pop(TRUE);
+	thread_cleanup_pop(!timed_out);
+	return timed_out;
+}
+
+METHOD(rwlock_condvar_t, timed_wait, bool,
+	private_rwlock_condvar_t *this, rwlock_t *lock, u_int timeout)
+{
+	timeval_t tv;
+	u_int s, ms;
+
+	time_monotonic(&tv);
+
+	s = timeout / 1000;
+	ms = timeout % 1000;
+
+	tv.tv_sec += s;
+	timeval_add_ms(&tv, ms);
+
+	return timed_wait_abs(this, lock, tv);
+}
+
+METHOD(rwlock_condvar_t, signal_, void,
+	private_rwlock_condvar_t *this)
+{
+	this->mutex->lock(this->mutex);
+	this->condvar->signal(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(rwlock_condvar_t, broadcast, void,
+	private_rwlock_condvar_t *this)
+{
+	this->mutex->lock(this->mutex);
+	this->condvar->broadcast(this->condvar);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(rwlock_condvar_t, condvar_destroy, void,
+	private_rwlock_condvar_t *this)
+{
+	this->condvar->destroy(this->condvar);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+rwlock_condvar_t *rwlock_condvar_create()
+{
+	private_rwlock_condvar_t *this;
+
+	INIT(this,
+		.public = {
+			.wait = _wait_,
+			.timed_wait = _timed_wait,
+			.timed_wait_abs = _timed_wait_abs,
+			.signal = _signal_,
+			.broadcast = _broadcast,
+			.destroy = _condvar_destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+	);
+	return &this->public;
+}
diff --git a/src/libstrongswan/threading/rwlock_condvar.h b/src/libstrongswan/threading/rwlock_condvar.h
new file mode 100644
index 000000000..2b40c3fc6
--- /dev/null
+++ b/src/libstrongswan/threading/rwlock_condvar.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rwlock_condvar rwlock_condvar
+ * @{ @ingroup threading
+ */
+
+#ifndef RWLOCK_CONDVAR_H_
+#define RWLOCK_CONDVAR_H_
+
+typedef struct rwlock_condvar_t rwlock_condvar_t;
+
+#include "rwlock.h"
+
+/**
+ * A special condvar implementation that can be used in conjunction
+ * with rwlock_t (the write lock to be precise).
+ *
+ * @note The implementation does not verify that the current thread actually
+ * holds the write lock and not the read lock, so watch out.
+ */
+struct rwlock_condvar_t {
+
+	/**
+	 * Wait on a condvar until it gets signalized.
+	 *
+	 * @param lock			lock to release while waiting (write lock)
+	 */
+	void (*wait)(rwlock_condvar_t *this, rwlock_t *lock);
+
+	/**
+	 * Wait on a condvar until it gets signalized, or times out.
+	 *
+	 * @param lock			lock to release while waiting (write lock)
+	 * @param timeout		timeout im ms
+	 * @return				TRUE if timed out, FALSE otherwise
+	 */
+	bool (*timed_wait)(rwlock_condvar_t *this, rwlock_t *lock, u_int timeout);
+
+	/**
+	 * Wait on a condvar until it gets signalized, or times out.
+	 *
+	 * The passed timeval should be calculated based on the time_monotonic()
+	 * function.
+	 *
+	 * @param lock			lock to release while waiting (write lock)
+	 * @param tv			absolute time until timeout
+	 * @return				TRUE if timed out, FALSE otherwise
+	 */
+	bool (*timed_wait_abs)(rwlock_condvar_t *this, rwlock_t *lock,
+						   timeval_t tv);
+
+	/**
+	 * Wake up a single thread in a condvar.
+	 */
+	void (*signal)(rwlock_condvar_t *this);
+
+	/**
+	 * Wake up all threads in a condvar.
+	 */
+	void (*broadcast)(rwlock_condvar_t *this);
+
+	/**
+	 * Destroy a condvar and free its resources.
+	 */
+	void (*destroy)(rwlock_condvar_t *this);
+};
+
+/**
+ * Create a condvar instance.
+ *
+ * @return			condvar instance
+ */
+rwlock_condvar_t *rwlock_condvar_create();
+
+#endif /** RWLOCK_CONDVAR_H_ @} */
+
diff --git a/src/libstrongswan/threading/semaphore.c b/src/libstrongswan/threading/semaphore.c
new file mode 100644
index 000000000..b785ff944
--- /dev/null
+++ b/src/libstrongswan/threading/semaphore.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+
+#if defined(HAVE_CLOCK_GETTIME) && \
+	(defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \
+	 defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC))
+/* if we use MONOTONIC times, we can't use POSIX_SEMAPHORES since they use
+ * times based on CLOCK_REALTIME */
+#undef HAVE_SEM_TIMEDWAIT
+#endif /* HAVE_CLOCK_GETTIME && ... */
+
+#ifdef HAVE_SEM_TIMEDWAIT
+#include <semaphore.h>
+#else /* !HAVE_SEM_TIMEDWAIT */
+#include <threading/condvar.h>
+#endif /* HAVE_SEM_TIMEDWAIT */
+
+#include "semaphore.h"
+
+typedef struct private_semaphore_t private_semaphore_t;
+
+/**
+ * private data of a semaphore
+ */
+struct private_semaphore_t {
+	/**
+	 * public interface
+	 */
+	semaphore_t public;
+
+#ifdef HAVE_SEM_TIMEDWAIT
+	/**
+	 * wrapped POSIX semaphore object
+	 */
+	sem_t sem;
+#else /* !HAVE_SEM_TIMEDWAIT */
+
+	/**
+	 * Mutex to lock count variable
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Condvar to signal count increase
+	 */
+	condvar_t *cond;
+
+	/**
+	 * Semaphore count value
+	 */
+	u_int count;
+#endif /* HAVE_SEM_TIMEDWAIT */
+};
+
+METHOD(semaphore_t, wait_, void,
+	private_semaphore_t *this)
+{
+#ifdef HAVE_SEM_TIMEDWAIT
+	sem_wait(&this->sem);
+#else /* !HAVE_SEM_TIMEDWAIT */
+	this->mutex->lock(this->mutex);
+	while (this->count == 0)
+	{
+		this->cond->wait(this->cond, this->mutex);
+	}
+	this->count--;
+	this->mutex->unlock(this->mutex);
+#endif /* HAVE_SEM_TIMEDWAIT */
+}
+
+METHOD(semaphore_t, timed_wait_abs, bool,
+	private_semaphore_t *this, timeval_t tv)
+{
+#ifdef HAVE_SEM_TIMEDWAIT
+	timespec_t ts;
+
+	ts.tv_sec = tv.tv_sec;
+	ts.tv_nsec = tv.tv_usec * 1000;
+
+	/* there are errors other than ETIMEDOUT possible, but we consider them
+	 * all as timeout */
+	return sem_timedwait(&this->sem, &ts) == -1;
+#else /* !HAVE_SEM_TIMEDWAIT */
+	this->mutex->lock(this->mutex);
+	while (this->count == 0)
+	{
+		if (this->cond->timed_wait_abs(this->cond, this->mutex, tv))
+		{
+			this->mutex->unlock(this->mutex);
+			return TRUE;
+		}
+	}
+	this->count--;
+	this->mutex->unlock(this->mutex);
+	return FALSE;
+#endif /* HAVE_SEM_TIMEDWAIT */
+}
+
+METHOD(semaphore_t, timed_wait, bool,
+	private_semaphore_t *this, u_int timeout)
+{
+	timeval_t tv, add;
+
+	add.tv_sec = timeout / 1000;
+	add.tv_usec = (timeout % 1000) * 1000;
+
+	time_monotonic(&tv);
+	timeradd(&tv, &add, &tv);
+
+	return timed_wait_abs(this, tv);
+}
+
+METHOD(semaphore_t, post, void,
+	private_semaphore_t *this)
+{
+#ifdef HAVE_SEM_TIMEDWAIT
+	sem_post(&this->sem);
+#else /* !HAVE_SEM_TIMEDWAIT */
+	this->mutex->lock(this->mutex);
+	this->count++;
+	this->mutex->unlock(this->mutex);
+	this->cond->signal(this->cond);
+#endif /* HAVE_SEM_TIMEDWAIT */
+}
+
+METHOD(semaphore_t, destroy, void,
+	private_semaphore_t *this)
+{
+#ifdef HAVE_SEM_TIMEDWAIT
+	sem_destroy(&this->sem);
+#else /* !HAVE_SEM_TIMEDWAIT */
+	this->cond->destroy(this->cond);
+	this->mutex->destroy(this->mutex);
+#endif /* HAVE_SEM_TIMEDWAIT */
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+semaphore_t *semaphore_create(u_int value)
+{
+	private_semaphore_t *this;
+
+	INIT(this,
+		.public = {
+			.wait = _wait_,
+			.timed_wait = _timed_wait,
+			.timed_wait_abs = _timed_wait_abs,
+			.post = _post,
+			.destroy = _destroy,
+		},
+	);
+
+#ifdef HAVE_SEM_TIMEDWAIT
+	sem_init(&this->sem, 0, value);
+#else /* !HAVE_SEM_TIMEDWAIT */
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->cond = condvar_create(CONDVAR_TYPE_DEFAULT);
+	this->count = value;
+#endif /* HAVE_SEM_TIMEDWAIT */
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h
new file mode 100644
index 000000000..34d814971
--- /dev/null
+++ b/src/libstrongswan/threading/semaphore.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup semaphore semaphore
+ * @{ @ingroup threading
+ */
+
+#ifndef THREADING_SEMAPHORE_H_
+#define THREADING_SEMAPHORE_H_
+
+#ifdef __APPLE__
+/* Mach uses a semaphore_create() call, use a different name for ours */
+#define semaphore_create(x) strongswan_semaphore_create(x)
+#endif /* __APPLE__ */
+
+typedef struct semaphore_t semaphore_t;
+
+/**
+ * A semaphore is basically an integer whose value is never allowed to be
+ * lower than 0.  Two operations can be performed on it: increment the
+ * value by one, and decrement the value by one.  If the value is currently
+ * zero, then the decrement operation will blcok until the value becomes
+ * greater than zero.
+ */
+struct semaphore_t {
+
+	/**
+	 * Decrease the value by one, if it is greater than zero. Otherwise the
+	 * current thread is blocked and it waits until the value increases.
+	 */
+	void (*wait)(semaphore_t *this);
+
+	/**
+	 * Decrease the value by one, if it is greater than zero. Otherwise the
+	 * current thread is blocked and it waits until the value increases, or the
+	 * call times out.
+	 *
+	 * @param timeout		timeout im ms
+	 * @return				TRUE if timed out, FALSE otherwise
+	 */
+	bool (*timed_wait)(semaphore_t *this, u_int timeout);
+
+	/**
+	 * Decrease the value by one, if it is greater than zero. Otherwise the
+	 * current thread is blocked and it waits until the value increases, or the
+	 * call times out.
+	 *
+	 * The passed timeval should be calculated based on the time_monotonic()
+	 * function.
+	 *
+	 * @param tv			absolute time until timeout
+	 * @return				TRUE if timed out, FALSE otherwise
+	 */
+	bool (*timed_wait_abs)(semaphore_t *this, timeval_t tv);
+
+	/**
+	 * Increase the value by one. If the value becomes greater than zero, then
+	 * another thread waiting will be woken up.
+	 */
+	void (*post)(semaphore_t *this);
+
+	/**
+	 * Destroy a semaphore and free its resources.
+	 */
+	void (*destroy)(semaphore_t *this);
+};
+
+/**
+ * Create a semaphore instance.
+ *
+ * @param value		initial value (typically 0)
+ * @return			semaphore instance
+ */
+semaphore_t *semaphore_create(u_int value);
+
+#endif /** THREADING_SEMAPHORE_H_ @} */
+
diff --git a/src/libstrongswan/threading/spinlock.c b/src/libstrongswan/threading/spinlock.c
new file mode 100644
index 000000000..a0de02ce5
--- /dev/null
+++ b/src/libstrongswan/threading/spinlock.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <pthread.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include "spinlock.h"
+#include "mutex.h"
+#include "lock_profiler.h"
+
+typedef struct private_spinlock_t private_spinlock_t;
+
+/**
+ * private data
+ */
+struct private_spinlock_t {
+
+	/**
+	 * public functions
+	 */
+	spinlock_t public;
+
+#ifdef HAVE_PTHREAD_SPIN_INIT
+
+	/**
+	 * wrapped pthread spin lock
+	 */
+	pthread_spinlock_t spinlock;
+
+	/**
+	 * profiling info, if enabled (the mutex below does profile itself)
+	 */
+	lock_profile_t profile;
+
+#else /* HAVE_PTHREAD_SPIN_INIT */
+
+	/**
+	 * use a mutex if spin locks are not available
+	 */
+	mutex_t *mutex;
+
+#endif /* HAVE_PTHREAD_SPIN_INIT */
+};
+
+METHOD(spinlock_t, lock, void,
+	private_spinlock_t *this)
+{
+#ifdef HAVE_PTHREAD_SPIN_INIT
+	int err;
+
+	profiler_start(&this->profile);
+	err = pthread_spin_lock(&this->spinlock);
+	if (err)
+	{
+		DBG1(DBG_LIB, "!!! SPIN LOCK LOCK ERROR: %s !!!", strerror(err));
+	}
+	profiler_end(&this->profile);
+#else
+	this->mutex->lock(this->mutex);
+#endif
+}
+
+METHOD(spinlock_t, unlock, void,
+	private_spinlock_t *this)
+{
+#ifdef HAVE_PTHREAD_SPIN_INIT
+	int err;
+
+	err = pthread_spin_unlock(&this->spinlock);
+	if (err)
+	{
+		DBG1(DBG_LIB, "!!! SPIN LOCK UNLOCK ERROR: %s !!!", strerror(err));
+	}
+#else
+	this->mutex->unlock(this->mutex);
+#endif
+}
+
+METHOD(spinlock_t, destroy, void,
+	private_spinlock_t *this)
+{
+#ifdef HAVE_PTHREAD_SPIN_INIT
+	profiler_cleanup(&this->profile);
+	pthread_spin_destroy(&this->spinlock);
+#else
+	this->mutex->destroy(this->mutex);
+#endif
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+spinlock_t *spinlock_create()
+{
+	private_spinlock_t *this;
+
+	INIT(this,
+		.public = {
+			.lock = _lock,
+			.unlock = _unlock,
+			.destroy = _destroy,
+		},
+	);
+
+#ifdef HAVE_PTHREAD_SPIN_INIT
+	pthread_spin_init(&this->spinlock, PTHREAD_PROCESS_PRIVATE);
+	profiler_init(&this->profile);
+#else
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+#endif
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/threading/spinlock.h b/src/libstrongswan/threading/spinlock.h
new file mode 100644
index 000000000..883980cc2
--- /dev/null
+++ b/src/libstrongswan/threading/spinlock.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup spinlock spinlock
+ * @{ @ingroup threading
+ */
+
+#ifndef THREADING_SPINLOCK_H_
+#define THREADING_SPINLOCK_H_
+
+typedef struct spinlock_t spinlock_t;
+
+/**
+ * Spin lock wrapper implements a lock with low overhead when the lock is held
+ * only for a short time (waiting wastes processor cycles, though).
+ *
+ * If native spin locks are not available regular mutexes are used as fallback.
+ */
+struct spinlock_t {
+
+	/**
+	 * Acquire the lock.
+	 */
+	void (*lock)(spinlock_t *this);
+
+	/**
+	 * Release the lock.
+	 */
+	void (*unlock)(spinlock_t *this);
+
+	/**
+	 * Destroy the instance.
+	 */
+	void (*destroy)(spinlock_t *this);
+};
+
+/**
+ * Create a spin lock instance.
+ *
+ * @return			unlocked instance
+ */
+spinlock_t *spinlock_create();
+
+#endif /** THREADING_SPINLOCK_H_ @} */
+
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index 49a1b8430..eb167d6a4 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -32,11 +32,11 @@ static inline pid_t gettid()
 #endif
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 #include <threading/thread_value.h>
 #include <threading/mutex.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 #include "thread.h"
 
@@ -114,7 +114,7 @@ typedef struct {
 /**
  * Next thread ID.
  */
-static u_int next_id = 1;
+static u_int next_id;
 
 /**
  * Mutex to safely access the next thread ID.
@@ -129,7 +129,11 @@ static thread_value_t *current_thread;
 
 #ifndef HAVE_PTHREAD_CANCEL
 /* if pthread_cancel is not available, we emulate it using a signal */
+#ifdef ANDROID
+#define SIG_CANCEL SIGUSR2
+#else
 #define SIG_CANCEL (SIGRTMIN+7)
+#endif
 
 /* the signal handler for SIG_CANCEL uses pthread_exit to terminate the
  * "cancelled" thread */
@@ -337,7 +341,20 @@ thread_t *thread_create(thread_main_t main, void *arg)
  */
 thread_t *thread_current()
 {
-	return current_thread->get(current_thread);
+	private_thread_t *this;
+
+	this = (private_thread_t*)current_thread->get(current_thread);
+	if (!this)
+	{
+		this = thread_create_internal();
+
+		id_mutex->lock(id_mutex);
+		this->id = next_id++;
+		id_mutex->unlock(id_mutex);
+
+		current_thread->set(current_thread, (void*)this);
+	}
+	return &this->public;
 }
 
 /**
@@ -452,6 +469,7 @@ void threads_init()
 
 	dummy1 = thread_value_create(NULL);
 
+	next_id = 1;
 	main_thread->id = 0;
 	main_thread->thread_id = pthread_self();
 	current_thread = thread_value_create(NULL);
@@ -482,4 +500,3 @@ void threads_deinit()
 	current_thread->destroy(current_thread);
 	id_mutex->destroy(id_mutex);
 }
-
diff --git a/src/libstrongswan/threading/thread_value.c b/src/libstrongswan/threading/thread_value.c
index 3fa70acb2..190b7434f 100644
--- a/src/libstrongswan/threading/thread_value.c
+++ b/src/libstrongswan/threading/thread_value.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2012 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -33,6 +33,11 @@ struct private_thread_value_t {
 	 */
 	pthread_key_t key;
 
+	/**
+	 * Destructor to cleanup the value of the thread destroying this object
+	 */
+	thread_cleanup_t destructor;
+
 };
 
 METHOD(thread_value_t, set, void,
@@ -50,11 +55,22 @@ METHOD(thread_value_t, get, void*,
 METHOD(thread_value_t, destroy, void,
 	private_thread_value_t *this)
 {
+	void *val;
+
+	/* the destructor is not called automatically for the thread calling
+	 * pthread_key_delete() */
+	if (this->destructor)
+	{
+		val = pthread_getspecific(this->key);
+		if (val)
+		{
+			this->destructor(val);
+		}
+	}
 	pthread_key_delete(this->key);
 	free(this);
 }
 
-
 /**
  * Described in header.
  */
@@ -68,6 +84,7 @@ thread_value_t *thread_value_create(thread_cleanup_t destructor)
 			.get = _get,
 			.destroy = _destroy,
 		},
+		.destructor = destructor,
 	);
 
 	pthread_key_create(&this->key, destructor);
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
deleted file mode 100644
index f76245a19..000000000
--- a/src/libstrongswan/utils.c
+++ /dev/null
@@ -1,492 +0,0 @@
-/*
- * Copyright (C) 2008-2011 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "utils.h"
-
-#include <sys/stat.h>
-#include <string.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <inttypes.h>
-#include <stdint.h>
-#include <limits.h>
-#include <dirent.h>
-#include <time.h>
-
-#include "enum.h"
-#include "debug.h"
-#include "utils/enumerator.h"
-
-ENUM(status_names, SUCCESS, NEED_MORE,
-	"SUCCESS",
-	"FAILED",
-	"OUT_OF_RES",
-	"ALREADY_DONE",
-	"NOT_SUPPORTED",
-	"INVALID_ARG",
-	"NOT_FOUND",
-	"PARSE_ERROR",
-	"VERIFY_ERROR",
-	"INVALID_STATE",
-	"DESTROY_ME",
-	"NEED_MORE",
-);
-
-/**
- * Described in header.
- */
-void *clalloc(void * pointer, size_t size)
-{
-	void *data;
-	data = malloc(size);
-
-	memcpy(data, pointer, size);
-
-	return (data);
-}
-
-/**
- * Described in header.
- */
-void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
-{
-	int m, i;
-
-	/* byte wise XOR until dst aligned */
-	for (i = 0; (uintptr_t)&dst[i] % sizeof(long) && i < n; i++)
-	{
-		dst[i] ^= src[i];
-	}
-	/* try to use words if src shares an aligment with dst */
-	switch (((uintptr_t)&src[i] % sizeof(long)))
-	{
-		case 0:
-			for (m = n - sizeof(long); i <= m; i += sizeof(long))
-			{
-				*(long*)&dst[i] ^= *(long*)&src[i];
-			}
-			break;
-		case sizeof(int):
-			for (m = n - sizeof(int); i <= m; i += sizeof(int))
-			{
-				*(int*)&dst[i] ^= *(int*)&src[i];
-			}
-			break;
-		case sizeof(short):
-			for (m = n - sizeof(short); i <= m; i += sizeof(short))
-			{
-				*(short*)&dst[i] ^= *(short*)&src[i];
-			}
-			break;
-		default:
-			break;
-	}
-	/* byte wise XOR of the rest */
-	for (; i < n; i++)
-	{
-		dst[i] ^= src[i];
-	}
-}
-
-/**
- * Described in header.
- */
-void memwipe_noinline(void *ptr, size_t n)
-{
-	memwipe_inline(ptr, n);
-}
-
-/**
- * Described in header.
- */
-void *memstr(const void *haystack, const char *needle, size_t n)
-{
-	unsigned const char *pos = haystack;
-	size_t l = strlen(needle);
-	for (; n >= l; ++pos, --n)
-	{
-		if (memeq(pos, needle, l))
-		{
-			return (void*)pos;
-		}
-	}
-	return NULL;
-}
-
-/**
- * Described in header.
- */
-char* translate(char *str, const char *from, const char *to)
-{
-	char *pos = str;
-	if (strlen(from) != strlen(to))
-	{
-		return str;
-	}
-	while (pos && *pos)
-	{
-		char *match;
-		if ((match = strchr(from, *pos)) != NULL)
-		{
-			*pos = to[match - from];
-		}
-		pos++;
-	}
-	return str;
-}
-
-/**
- * Described in header.
- */
-bool mkdir_p(const char *path, mode_t mode)
-{
-	int len;
-	char *pos, full[PATH_MAX];
-	pos = full;
-	if (!path || *path == '\0')
-	{
-		return TRUE;
-	}
-	len = snprintf(full, sizeof(full)-1, "%s", path);
-	if (len < 0 || len >= sizeof(full)-1)
-	{
-		DBG1(DBG_LIB, "path string %s too long", path);
-		return FALSE;
-	}
-	/* ensure that the path ends with a '/' */
-	if (full[len-1] != '/')
-	{
-		full[len++] = '/';
-		full[len] = '\0';
-	}
-	/* skip '/' at the beginning */
-	while (*pos == '/')
-	{
-		pos++;
-	}
-	while ((pos = strchr(pos, '/')))
-	{
-		*pos = '\0';
-		if (access(full, F_OK) < 0)
-		{
-			if (mkdir(full, mode) < 0)
-			{
-				DBG1(DBG_LIB, "failed to create directory %s", full);
-				return FALSE;
-			}
-		}
-		*pos = '/';
-		pos++;
-	}
-	return TRUE;
-}
-
-#ifndef HAVE_CLOSEFROM
-/**
- * Described in header.
- */
-void closefrom(int lowfd)
-{
-	char fd_dir[PATH_MAX];
-	int maxfd, fd, len;
-
-	/* try to close only open file descriptors on Linux... */
-	len = snprintf(fd_dir, sizeof(fd_dir), "/proc/%u/fd", getpid());
-	if (len > 0 && len < sizeof(fd_dir) && access(fd_dir, F_OK) == 0)
-	{
-		enumerator_t *enumerator = enumerator_create_directory(fd_dir);
-		if (enumerator)
-		{
-			char *rel;
-			while (enumerator->enumerate(enumerator, &rel, NULL, NULL))
-			{
-				fd = atoi(rel);
-				if (fd >= lowfd)
-				{
-					close(fd);
-				}
-			}
-			enumerator->destroy(enumerator);
-			return;
-		}
-	}
-
-	/* ...fall back to closing all fds otherwise */
-	maxfd = (int)sysconf(_SC_OPEN_MAX);
-	if (maxfd < 0)
-	{
-		maxfd = 256;
-	}
-	for (fd = lowfd; fd < maxfd; fd++)
-	{
-		close(fd);
-	}
-}
-#endif /* HAVE_CLOSEFROM */
-
-/**
- * Return monotonic time
- */
-time_t time_monotonic(timeval_t *tv)
-{
-#if defined(HAVE_CLOCK_GETTIME) && \
-	(defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \
-	 defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC))
-	/* as we use time_monotonic() for condvar operations, we use the
-	 * monotonic time source only if it is also supported by pthread. */
-	timespec_t ts;
-
-	if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
-	{
-		if (tv)
-		{
-			tv->tv_sec = ts.tv_sec;
-			tv->tv_usec = ts.tv_nsec / 1000;
-		}
-		return ts.tv_sec;
-	}
-#endif /* HAVE_CLOCK_GETTIME && (...) */
-	/* Fallback to non-monotonic timestamps:
-	 * On MAC OS X, creating monotonic timestamps is rather difficult. We
-	 * could use mach_absolute_time() and catch sleep/wakeup notifications.
-	 * We stick to the simpler (non-monotonic) gettimeofday() for now.
-	 * But keep in mind: we need the same time source here as in condvar! */
-	if (!tv)
-	{
-		return time(NULL);
-	}
-	if (gettimeofday(tv, NULL) != 0)
-	{	/* should actually never fail if passed pointers are valid */
-		return -1;
-	}
-	return tv->tv_sec;
-}
-
-/**
- * return null
- */
-void *return_null()
-{
-	return NULL;
-}
-
-/**
- * returns TRUE
- */
-bool return_true()
-{
-	return TRUE;
-}
-
-/**
- * returns FALSE
- */
-bool return_false()
-{
-	return FALSE;
-}
-
-/**
- * returns FAILED
- */
-status_t return_failed()
-{
-	return FAILED;
-}
-
-/**
- * nop operation
- */
-void nop()
-{
-}
-
-#ifndef HAVE_GCC_ATOMIC_OPERATIONS
-#include <pthread.h>
-
-/**
- * We use a single mutex for all refcount variables.
- */
-static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
-
-/**
- * Increase refcount
- */
-void ref_get(refcount_t *ref)
-{
-	pthread_mutex_lock(&ref_mutex);
-	(*ref)++;
-	pthread_mutex_unlock(&ref_mutex);
-}
-
-/**
- * Decrease refcount
- */
-bool ref_put(refcount_t *ref)
-{
-	bool more_refs;
-
-	pthread_mutex_lock(&ref_mutex);
-	more_refs = --(*ref) > 0;
-	pthread_mutex_unlock(&ref_mutex);
-	return !more_refs;
-}
-
-/**
- * Single mutex for all compare and swap operations.
- */
-static pthread_mutex_t cas_mutex = PTHREAD_MUTEX_INITIALIZER;
-
-/**
- * Compare and swap if equal to old value
- */
-#define _cas_impl(name, type) \
-bool cas_##name(type *ptr, type oldval, type newval) \
-{ \
-	bool swapped; \
-	pthread_mutex_lock(&cas_mutex); \
-	if ((swapped = (*ptr == oldval))) { *ptr = newval; } \
-	pthread_mutex_unlock(&cas_mutex); \
-	return swapped; \
-}
-
-_cas_impl(bool, bool)
-_cas_impl(ptr, void*)
-
-#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
-
-/**
- * Described in header.
- */
-int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-					 const void *const *args)
-{
-	static const char* months[] = {
-		"Jan", "Feb", "Mar", "Apr", "May", "Jun",
-		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-	};
-	time_t *time = *((time_t**)(args[0]));
-	bool utc = *((bool*)(args[1]));;
-	struct tm t;
-
-	if (time == UNDEFINED_TIME)
-	{
-		return print_in_hook(dst, len, "--- -- --:--:--%s----",
-							 utc ? " UTC " : " ");
-	}
-	if (utc)
-	{
-		gmtime_r(time, &t);
-	}
-	else
-	{
-		localtime_r(time, &t);
-	}
-	return print_in_hook(dst, len, "%s %02d %02d:%02d:%02d%s%04d",
-						 months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min,
-						 t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900);
-}
-
-/**
- * Described in header.
- */
-int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-						   const void *const *args)
-{
-	char* unit = "second";
-	time_t *arg1 = *((time_t**)(args[0]));
-	time_t *arg2 = *((time_t**)(args[1]));
-	u_int64_t delta = llabs(*arg1 - *arg2);
-
-	if (delta > 2 * 60 * 60 * 24)
-	{
-		delta /= 60 * 60 * 24;
-		unit = "day";
-	}
-	else if (delta > 2 * 60 * 60)
-	{
-		delta /= 60 * 60;
-		unit = "hour";
-	}
-	else if (delta > 2 * 60)
-	{
-		delta /= 60;
-		unit = "minute";
-	}
-	return print_in_hook(dst, len, "%" PRIu64 " %s%s", delta, unit,
-						 (delta == 1) ? "" : "s");
-}
-
-/**
- * Number of bytes per line to dump raw data
- */
-#define BYTES_PER_LINE 16
-
-static char hexdig_upper[] = "0123456789ABCDEF";
-
-/**
- * Described in header.
- */
-int mem_printf_hook(char *dst, size_t dstlen,
-					printf_hook_spec_t *spec, const void *const *args)
-{
-	char *bytes = *((void**)(args[0]));
-	u_int len = *((int*)(args[1]));
-
-	char buffer[BYTES_PER_LINE * 3];
-	char ascii_buffer[BYTES_PER_LINE + 1];
-	char *buffer_pos = buffer;
-	char *bytes_pos  = bytes;
-	char *bytes_roof = bytes + len;
-	int line_start = 0;
-	int i = 0;
-	int written = 0;
-
-	written += print_in_hook(dst, dstlen, "=> %u bytes @ %p", len, bytes);
-
-	while (bytes_pos < bytes_roof)
-	{
-		*buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF];
-		*buffer_pos++ = hexdig_upper[ *bytes_pos       & 0xF];
-
-		ascii_buffer[i++] =
-				(*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
-
-		if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE)
-		{
-			int padding = 3 * (BYTES_PER_LINE - i);
-
-			while (padding--)
-			{
-				*buffer_pos++ = ' ';
-			}
-			*buffer_pos++ = '\0';
-			ascii_buffer[i] = '\0';
-
-			written += print_in_hook(dst, dstlen, "\n%4d: %s  %s",
-									 line_start, buffer, ascii_buffer);
-
-			buffer_pos = buffer;
-			line_start += BYTES_PER_LINE;
-			i = 0;
-		}
-		else
-		{
-			*buffer_pos++ = ' ';
-		}
-	}
-	return written;
-}
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c
index cb83d9830..93031908a 100644
--- a/src/libstrongswan/utils/backtrace.c
+++ b/src/libstrongswan/utils/backtrace.c
@@ -27,6 +27,8 @@
 
 #include "backtrace.h"
 
+#include <utils/debug.h>
+
 typedef struct private_backtrace_t private_backtrace_t;
 
 /**
@@ -50,16 +52,344 @@ struct private_backtrace_t {
 	void *frames[];
 };
 
+/**
+ * Forward declaration of method getter
+ */
+static backtrace_t get_methods();
+
+/**
+ * Write a format string with arguments to a FILE line, if it is NULL to DBG
+ */
+static void println(FILE *file, char *format, ...)
+{
+	char buf[512];
+	va_list args;
+
+	va_start(args, format);
+	if (file)
+	{
+		vfprintf(file, format, args);
+		fputs("\n", file);
+	}
+	else
+	{
+		vsnprintf(buf, sizeof(buf), format, args);
+		DBG1(DBG_LIB, "%s", buf);
+	}
+	va_end(args);
+}
+
+#ifdef HAVE_DLADDR
+
+/**
+ * Same as tty_escape_get(), but for a potentially NULL FILE*
+ */
+static char* esc(FILE *file, tty_escape_t escape)
+{
+	if (file)
+	{
+		return tty_escape_get(fileno(file), escape);
+	}
+	return "";
+}
+
+#ifdef HAVE_BFD_H
+
+#include <bfd.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
+
+/**
+ * Hashtable-cached bfd handle
+ */
+typedef struct {
+	/** binary file name on disk */
+	char *filename;
+	/** bfd handle */
+	bfd *abfd;
+	/** loaded symbols */
+	asymbol **syms;
+} bfd_entry_t;
+
+/**
+ * Destroy a bfd_entry
+ */
+static void bfd_entry_destroy(bfd_entry_t *this)
+{
+	free(this->filename);
+	free(this->syms);
+	bfd_close(this->abfd);
+	free(this);
+}
+
+/**
+ * Data to pass to find_addr()
+ */
+typedef struct {
+	/** used bfd entry */
+	bfd_entry_t *entry;
+	/** backtrace address */
+	bfd_vma vma;
+	/** stream to log to */
+	FILE *file;
+	/** TRUE if complete */
+	bool found;
+} bfd_find_data_t;
+
+/**
+ * bfd entry cache
+ */
+static hashtable_t *bfds;
+
+static mutex_t *bfd_mutex;
+
+/**
+ * Hashtable hash function
+ */
+static u_int bfd_hash(char *key)
+{
+	return chunk_hash(chunk_create(key, strlen(key)));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool bfd_equals(char *a, char *b)
+{
+	return streq(a, b);
+}
+
+/**
+ * See header.
+ */
+void backtrace_init()
+{
+	bfd_init();
+	bfds = hashtable_create((hashtable_hash_t)bfd_hash,
+							(hashtable_equals_t)bfd_equals, 8);
+	bfd_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+}
+
+/**
+ * See header.
+ */
+void backtrace_deinit()
+{
+	enumerator_t *enumerator;
+	bfd_entry_t *entry;
+	char *key;
+
+	enumerator = bfds->create_enumerator(bfds);
+	while (enumerator->enumerate(enumerator, &key, &entry))
+	{
+		bfds->remove_at(bfds, enumerator);
+		bfd_entry_destroy(entry);
+	}
+	enumerator->destroy(enumerator);
+
+	bfds->destroy(bfds);
+	bfd_mutex->destroy(bfd_mutex);
+}
+
+/**
+ * Find and print information to an address
+ */
+static void find_addr(bfd *abfd, asection *section, bfd_find_data_t *data)
+{
+	bfd_size_type size;
+	bfd_vma vma;
+	const char *source;
+	const char *function;
+	char fbuf[512] = "", sbuf[512] = "";
+	u_int line;
+
+	if (!data->found || (bfd_get_section_flags(abfd, section) & SEC_ALLOC) != 0)
+	{
+		vma = bfd_get_section_vma(abfd, section);
+		if (data->vma >= vma)
+		{
+			size = bfd_get_section_size(section);
+			if (data->vma < vma + size)
+			{
+				data->found = bfd_find_nearest_line(abfd, section,
+											data->entry->syms, data->vma - vma,
+											&source, &function, &line);
+				if (data->found)
+				{
+					if (source || function)
+					{
+						if (function)
+						{
+							snprintf(fbuf, sizeof(fbuf), "%s%s() ",
+								esc(data->file, TTY_FG_BLUE), function);
+						}
+						if (source)
+						{
+							snprintf(sbuf, sizeof(sbuf), "%s@ %s:%d",
+								esc(data->file, TTY_FG_GREEN), source, line);
+						}
+						println(data->file, "    -> %s%s%s", fbuf, sbuf,
+								esc(data->file, TTY_FG_DEF));
+					}
+				}
+			}
+		}
+	}
+}
+
+/**
+ * Find a cached bfd entry, create'n'cache if not found
+ */
+static bfd_entry_t *get_bfd_entry(char *filename)
+{
+	bool dynamic = FALSE, ok = FALSE;
+	bfd_entry_t *entry;
+	long size;
+
+	/* check cache */
+	entry = bfds->get(bfds, filename);
+	if (entry)
+	{
+		return entry;
+	}
+
+	INIT(entry,
+		.abfd = bfd_openr(filename, NULL),
+	);
+
+	if (!entry->abfd)
+	{
+		free(entry);
+		return NULL;
+	}
+#ifdef BFD_DECOMPRESS
+	entry->abfd->flags |= BFD_DECOMPRESS;
+#endif
+	if (bfd_check_format(entry->abfd, bfd_archive) == 0 &&
+		bfd_check_format_matches(entry->abfd, bfd_object, NULL))
+	{
+		if (bfd_get_file_flags(entry->abfd) & HAS_SYMS)
+		{
+			size = bfd_get_symtab_upper_bound(entry->abfd);
+			if (size == 0)
+			{
+				size = bfd_get_dynamic_symtab_upper_bound(entry->abfd);
+			}
+			if (size >= 0)
+			{
+				entry->syms = malloc(size);
+				if (dynamic)
+				{
+					ok = bfd_canonicalize_dynamic_symtab(entry->abfd,
+														 entry->syms) >= 0;
+				}
+				else
+				{
+					ok = bfd_canonicalize_symtab(entry->abfd,
+												 entry->syms) >= 0;
+				}
+			}
+		}
+	}
+	if (ok)
+	{
+		entry->filename = strdup(filename);
+		bfds->put(bfds, entry->filename, entry);
+		return entry;
+	}
+	bfd_entry_destroy(entry);
+	return NULL;
+}
+
+/**
+ * Print the source file with line number to file, libbfd variant
+ */
+static void print_sourceline(FILE *file, char *filename, void *ptr, void *base)
+{
+	bfd_entry_t *entry;
+	bfd_find_data_t data = {
+		.file = file,
+		.vma = (uintptr_t)ptr,
+	};
+	bool old = FALSE;
+
+	bfd_mutex->lock(bfd_mutex);
+	if (lib->leak_detective)
+	{
+		old = lib->leak_detective->set_state(lib->leak_detective, FALSE);
+	}
+	entry = get_bfd_entry(filename);
+	if (entry)
+	{
+		data.entry = entry;
+		bfd_map_over_sections(entry->abfd, (void*)find_addr, &data);
+	}
+	if (lib->leak_detective)
+	{
+		lib->leak_detective->set_state(lib->leak_detective, old);
+	}
+	bfd_mutex->unlock(bfd_mutex);
+}
+
+#else /* !HAVE_BFD_H */
+
+void backtrace_init() {}
+void backtrace_deinit() {}
+
+/**
+ * Print the source file with line number to file, slow addr2line variant
+ */
+static void print_sourceline(FILE *file, char *filename, void *ptr, void* base)
+{
+	char buf[1024];
+	FILE *output;
+	int c, i = 0;
+
+#ifdef __APPLE__
+	snprintf(buf, sizeof(buf), "atos -o %s -l %p %p 2>&1 | tail -n1",
+			 filename, base, ptr);
+#else /* !__APPLE__ */
+	snprintf(buf, sizeof(buf), "addr2line -e %s %p", filename, ptr);
+#endif /* __APPLE__ */
+
+
+	output = popen(buf, "r");
+	if (output)
+	{
+		while (i < sizeof(buf))
+		{
+			c = getc(output);
+			if (c == '\n' || c == EOF)
+			{
+				buf[i++] = 0;
+				break;
+			}
+			buf[i++] = c;
+		}
+		pclose(output);
+
+		println(file, "    -> %s%s%s", esc(file, TTY_FG_GREEN), buf,
+				esc(file, TTY_FG_DEF));
+	}
+}
+
+#endif /* HAVE_BFD_H */
+
+#else /* !HAVE_DLADDR */
+
+void backtrace_init() {}
+void backtrace_deinit() {}
+
+#endif /* HAVE_DLADDR */
+
 METHOD(backtrace_t, log_, void,
 	private_backtrace_t *this, FILE *file, bool detailed)
 {
-#ifdef HAVE_BACKTRACE
+#if defined(HAVE_BACKTRACE) || defined(HAVE_LIBUNWIND_H)
 	size_t i;
-	char **strings;
-
-	strings = backtrace_symbols(this->frames, this->frame_count);
+	char **strings = NULL;
 
-	fprintf(file, " dumping %d stack frame addresses:\n", this->frame_count);
+	println(file, " dumping %d stack frame addresses:", this->frame_count);
 	for (i = 0; i < this->frame_count; i++)
 	{
 #ifdef HAVE_DLADDR
@@ -67,9 +397,6 @@ METHOD(backtrace_t, log_, void,
 
 		if (dladdr(this->frames[i], &info))
 		{
-			char cmd[1024];
-			FILE *output;
-			int c;
 			void *ptr = this->frames[i];
 
 			if (strstr(info.dli_fname, ".so"))
@@ -78,53 +405,48 @@ METHOD(backtrace_t, log_, void,
 			}
 			if (info.dli_sname)
 			{
-				fprintf(file, "  \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%tx) [%p]\n",
-						info.dli_fname, info.dli_fbase, info.dli_sname,
-						this->frames[i] - info.dli_saddr, this->frames[i]);
+				println(file, "  %s%s%s @ %p (%s%s%s+0x%tx) [%p]",
+						esc(file, TTY_FG_YELLOW), info.dli_fname,
+						esc(file, TTY_FG_DEF), info.dli_fbase,
+						esc(file, TTY_FG_RED), info.dli_sname,
+						esc(file, TTY_FG_DEF), this->frames[i] - info.dli_saddr,
+						this->frames[i]);
 			}
 			else
 			{
-				fprintf(file, "  \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname,
-						info.dli_fbase, this->frames[i]);
+				println(file, "  %s%s%s @ %p [%p]",
+						esc(file, TTY_FG_YELLOW), info.dli_fname,
+						esc(file, TTY_FG_DEF), info.dli_fbase, this->frames[i]);
 			}
-			if (detailed)
+			if (detailed && info.dli_fname[0])
 			{
-				fprintf(file, "    -> \e[32m");
-				snprintf(cmd, sizeof(cmd), "addr2line -e %s %p",
-						 info.dli_fname, ptr);
-				output = popen(cmd, "r");
-				if (output)
-				{
-					while (TRUE)
-					{
-						c = getc(output);
-						if (c == '\n' || c == EOF)
-						{
-							break;
-						}
-						fputc(c, file);
-					}
-					pclose(output);
-				}
-				else
-				{
-	#endif /* HAVE_DLADDR */
-					fprintf(file, "    %s\n", strings[i]);
-	#ifdef HAVE_DLADDR
-				}
-				fprintf(file, "\n\e[0m");
+				print_sourceline(file, (char*)info.dli_fname,
+								 ptr, info.dli_fbase);
 			}
 		}
 		else
+#endif /* HAVE_DLADDR */
 		{
-			fprintf(file, "    %s\n", strings[i]);
+#ifdef HAVE_BACKTRACE
+			if (!strings)
+			{
+				strings = backtrace_symbols(this->frames, this->frame_count);
+			}
+			if (strings)
+			{
+				println(file, "    %s", strings[i]);
+			}
+			else
+#endif /* HAVE_BACKTRACE */
+			{
+				println(file, "    %p", this->frames[i]);
+			}
 		}
-#endif /* HAVE_DLADDR */
 	}
-	free (strings);
-#else /* !HAVE_BACKTRACE */
-	fprintf(file, "C library does not support backtrace().\n");
-#endif /* HAVE_BACKTRACE */
+	free(strings);
+#else /* !HAVE_BACKTRACE && !HAVE_LIBUNWIND_H */
+	println(file, "no support for backtrace()/libunwind");
+#endif /* HAVE_BACKTRACE/HAVE_LIBUNWIND_H */
 }
 
 METHOD(backtrace_t, contains_function, bool,
@@ -214,12 +536,69 @@ METHOD(backtrace_t, create_frame_enumerator, enumerator_t*,
 	return &enumerator->public;
 }
 
+METHOD(backtrace_t, clone, backtrace_t*,
+	private_backtrace_t *this)
+{
+	private_backtrace_t *clone;
+
+	clone = malloc(sizeof(private_backtrace_t) +
+				   this->frame_count * sizeof(void*));
+	memcpy(clone->frames, this->frames, this->frame_count * sizeof(void*));
+	clone->frame_count = this->frame_count;
+
+	clone->public = get_methods();
+
+	return &clone->public;
+}
+
 METHOD(backtrace_t, destroy, void,
 	private_backtrace_t *this)
 {
 	free(this);
 }
 
+#ifdef HAVE_LIBUNWIND_H
+#define UNW_LOCAL_ONLY
+#include <libunwind.h>
+
+/**
+ * libunwind variant for glibc backtrace()
+ */
+static inline int backtrace_unwind(void **frames, int count)
+{
+	unw_context_t context;
+	unw_cursor_t cursor;
+	unw_word_t ip;
+	int depth = 0;
+
+	unw_getcontext(&context);
+	unw_init_local(&cursor, &context);
+	do
+	{
+		unw_get_reg(&cursor, UNW_REG_IP, &ip);
+		frames[depth++] = (void*)ip;
+	}
+	while (depth < count && unw_step(&cursor) > 0);
+
+	return depth;
+}
+#endif /* HAVE_UNWIND */
+
+/**
+ * Get implementation methods of backtrace_t
+ */
+static backtrace_t get_methods()
+{
+	return (backtrace_t) {
+		.log = _log_,
+		.contains_function = _contains_function,
+		.equals = _equals,
+		.clone = _clone,
+		.create_frame_enumerator = _create_frame_enumerator,
+		.destroy = _destroy,
+	};
+}
+
 /**
  * See header
  */
@@ -229,7 +608,9 @@ backtrace_t *backtrace_create(int skip)
 	void *frames[50];
 	int frame_count = 0;
 
-#ifdef HAVE_BACKTRACE
+#ifdef HAVE_LIBUNWIND_H
+	frame_count = backtrace_unwind(frames, countof(frames));
+#elif defined(HAVE_BACKTRACE)
 	frame_count = backtrace(frames, countof(frames));
 #endif /* HAVE_BACKTRACE */
 	frame_count = max(frame_count - skip, 0);
@@ -237,14 +618,24 @@ backtrace_t *backtrace_create(int skip)
 	memcpy(this->frames, frames + skip, frame_count * sizeof(void*));
 	this->frame_count = frame_count;
 
-	this->public = (backtrace_t) {
-		.log = _log_,
-		.contains_function = _contains_function,
-		.equals = _equals,
-		.create_frame_enumerator = _create_frame_enumerator,
-		.destroy = _destroy,
-	};
+	this->public = get_methods();
 
 	return &this->public;
 }
 
+/**
+ * See header
+ */
+void backtrace_dump(char *label, FILE *file, bool detailed)
+{
+	backtrace_t *backtrace;
+
+	backtrace = backtrace_create(2);
+
+	if (label)
+	{
+		println(file, "Debug backtrace: %s", label);
+	}
+	backtrace->log(backtrace, file, detailed);
+	backtrace->destroy(backtrace);
+}
diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h
index 9d59d2503..416f58898 100644
--- a/src/libstrongswan/utils/backtrace.h
+++ b/src/libstrongswan/utils/backtrace.h
@@ -35,7 +35,10 @@ struct backtrace_t {
 	/**
 	 * Log the backtrace to a FILE stream.
 	 *
-	 * @param file		FILE to log backtrace to
+	 * If no file pointer is given, the backtrace is reported over the debug
+	 * framework to the registered dbg() callback function.
+	 *
+	 * @param file		FILE to log backtrace to, NULL for dbg() function
 	 * @param detailed	TRUE to resolve line/file using addr2line (slow)
 	 */
 	void (*log)(backtrace_t *this, FILE *file, bool detailed);
@@ -56,6 +59,14 @@ struct backtrace_t {
 	 * @return		TRUE if backtraces are equal
 	 */
 	bool (*equals)(backtrace_t *this, backtrace_t *other);
+
+	/**
+	 * Create a copy of this backtrace.
+	 *
+	 * @return		cloned copy
+	 */
+	backtrace_t* (*clone)(backtrace_t *this);
+
 	/**
 	 * Create an enumerator over the stack frame addresses.
 	 *
@@ -77,4 +88,23 @@ struct backtrace_t {
  */
 backtrace_t *backtrace_create(int skip);
 
+/**
+ * Create a backtrace, dump it and clean it up.
+ *
+ * @param label		description to print for this backtrace, or NULL
+ * @param file		FILE to log backtrace to, NULL to dbg() function
+ * @param detailed	TRUE to resolve line/file using addr2line (slow)
+ */
+void backtrace_dump(char *label, FILE *file, bool detailed);
+
+/**
+ * Initialize backtracing framework.
+ */
+void backtrace_init();
+
+/**
+ * Deinitialize backtracing framework.
+ */
+void backtrace_deinit();
+
 #endif /** BACKTRACE_H_ @}*/
diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
new file mode 100644
index 000000000..c5e90b6c3
--- /dev/null
+++ b/src/libstrongswan/utils/capabilities.c
@@ -0,0 +1,453 @@
+/*
+ * Copyright (C) 2012-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "capabilities.h"
+
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+#include <unistd.h>
+#ifdef HAVE_PRCTL
+# include <sys/prctl.h>
+#endif /* HAVE_PRCTL */
+
+#include <utils/debug.h>
+
+#if !defined(HAVE_GETPWNAM_R) || \
+    !defined(HAVE_GETGRNAM_R) || \
+    !defined(HAVE_GETPWUID_R)
+# include <threading/mutex.h>
+# define EMULATE_R_FUNCS
+#endif
+
+typedef struct private_capabilities_t private_capabilities_t;
+
+/**
+ * Private data of an capabilities_t object.
+ */
+struct private_capabilities_t {
+
+	/**
+	 * Public capabilities_t interface.
+	 */
+	capabilities_t public;
+
+	/**
+	 * user ID to switch during rights dropping
+	 */
+	uid_t uid;
+
+	/**
+	 * group ID to switch during rights dropping
+	 */
+	gid_t gid;
+
+	/**
+	 * capabilities to keep
+	 */
+#ifdef CAPABILITIES_LIBCAP
+	cap_t caps;
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	struct __user_cap_data_struct caps[2];
+#endif /* CAPABILITIES_NATIVE */
+
+#ifdef EMULATE_R_FUNCS
+	/**
+	 * mutex to emulate get(pw|gr)nam_r functions
+	 */
+	mutex_t *mutex;
+#endif
+};
+
+/**
+ * Returns TRUE if the current process/user is member of the given group
+ */
+static bool has_group(gid_t group)
+{
+	gid_t *groups;
+	long ngroups, i;
+	bool found = FALSE;
+
+	if (group == getegid())
+	{	/* it's unspecified if this is part of the list below or not */
+		return TRUE;
+	}
+	ngroups = sysconf(_SC_NGROUPS_MAX);
+	if (ngroups == -1)
+	{
+		DBG1(DBG_LIB, "getting groups for current process failed: %s",
+			 strerror(errno));
+		return FALSE;
+	}
+	groups = calloc(ngroups + 1, sizeof(gid_t));
+	ngroups = getgroups(ngroups, groups);
+	if (ngroups == -1)
+	{
+		DBG1(DBG_LIB, "getting groups for current process failed: %s",
+			 strerror(errno));
+		free(groups);
+		return FALSE;
+	}
+	for (i = 0; i < ngroups; i++)
+	{
+		if (group == groups[i])
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	free(groups);
+	return found;
+}
+
+/**
+ * Verify that the current process has the given capability
+ */
+static bool has_capability(private_capabilities_t *this, u_int cap,
+						   bool *ignore)
+{
+	if (cap == CAP_CHOWN)
+	{	/* if new files/UNIX sockets are created they should be owned by the
+		 * configured user and group.  This requires a call to chown(2).  But
+		 * CAP_CHOWN is not always required. */
+		if (!this->uid || geteuid() == this->uid)
+		{	/* if the owner does not change CAP_CHOWN is not needed */
+			if (!this->gid || has_group(this->gid))
+			{	/* the same applies if the owner is a member of the group */
+				if (ignore)
+				{	/* we don't have to keep this, if requested */
+					*ignore = TRUE;
+				}
+				return TRUE;
+			}
+		}
+	}
+#ifndef CAPABILITIES
+	/* if we can't check the actual capabilities assume only root has it */
+	return geteuid() == 0;
+#endif /* !CAPABILITIES */
+#ifdef CAPABILITIES_LIBCAP
+	cap_flag_value_t val;
+	cap_t caps;
+	bool ok;
+
+	caps = cap_get_proc();
+	if (!caps)
+	{
+		return FALSE;
+	}
+	ok = cap_get_flag(caps, cap, CAP_PERMITTED, &val) == 0 && val == CAP_SET;
+	cap_free(caps);
+	return ok;
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	struct __user_cap_header_struct header = {
+#if defined(_LINUX_CAPABILITY_VERSION_3)
+		.version = _LINUX_CAPABILITY_VERSION_3,
+#elif defined(_LINUX_CAPABILITY_VERSION_2)
+		.version = _LINUX_CAPABILITY_VERSION_2,
+#elif defined(_LINUX_CAPABILITY_VERSION_1)
+		.version = _LINUX_CAPABILITY_VERSION_1,
+#else
+		.version = _LINUX_CAPABILITY_VERSION,
+#endif
+	};
+	struct __user_cap_data_struct caps[2];
+	int i = 0;
+
+	if (cap >= 32)
+	{
+		i++;
+		cap -= 32;
+	}
+	return capget(&header, caps) == 0 && caps[i].permitted & (1 << cap);
+#endif /* CAPABILITIES_NATIVE */
+}
+
+/**
+ * Keep the given capability if it is held by the current process.  Returns
+ * FALSE, if this is not the case.
+ */
+static bool keep_capability(private_capabilities_t *this, u_int cap)
+{
+#ifdef CAPABILITIES_LIBCAP
+	cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
+	cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
+	cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	int i = 0;
+
+	if (cap >= 32)
+	{
+		i++;
+		cap -= 32;
+	}
+	this->caps[i].effective |= 1 << cap;
+	this->caps[i].permitted |= 1 << cap;
+	this->caps[i].inheritable |= 1 << cap;
+#endif /* CAPABILITIES_NATIVE */
+	return TRUE;
+}
+
+METHOD(capabilities_t, keep, bool,
+	private_capabilities_t *this, u_int cap)
+{
+	bool ignore = FALSE;
+
+	if (!has_capability(this, cap, &ignore))
+	{
+		return FALSE;
+	}
+	else if (ignore)
+	{	/* don't keep capabilities that are not required */
+		return TRUE;
+	}
+	return keep_capability(this, cap);
+}
+
+METHOD(capabilities_t, check, bool,
+	private_capabilities_t *this, u_int cap)
+{
+	return has_capability(this, cap, NULL);
+}
+
+METHOD(capabilities_t, get_uid, uid_t,
+	private_capabilities_t *this)
+{
+	return this->uid ?: geteuid();
+}
+
+METHOD(capabilities_t, get_gid, gid_t,
+	private_capabilities_t *this)
+{
+	return this->gid ?: getegid();
+}
+
+METHOD(capabilities_t, set_uid, void,
+	private_capabilities_t *this, uid_t uid)
+{
+	this->uid = uid;
+}
+
+METHOD(capabilities_t, set_gid, void,
+	private_capabilities_t *this, gid_t gid)
+{
+	this->gid = gid;
+}
+
+METHOD(capabilities_t, resolve_uid, bool,
+	private_capabilities_t *this, char *username)
+{
+	struct passwd *pwp;
+	int err;
+
+#ifdef HAVE_GETPWNAM_R
+	struct passwd passwd;
+	char buf[1024];
+
+	err = getpwnam_r(username, &passwd, buf, sizeof(buf), &pwp);
+	if (pwp)
+	{
+		this->uid = pwp->pw_uid;
+	}
+#else /* HAVE GETPWNAM_R */
+	this->mutex->lock(this->mutex);
+	pwp = getpwnam(username);
+	if (pwp)
+	{
+		this->uid = pwp->pw_uid;
+	}
+	err = errno;
+	this->mutex->unlock(this->mutex);
+#endif /* HAVE GETPWNAM_R */
+	if (pwp)
+	{
+		return TRUE;
+	}
+	DBG1(DBG_LIB, "resolving user '%s' failed: %s", username,
+		 err ? strerror(err) : "user not found");
+	return FALSE;
+}
+
+METHOD(capabilities_t, resolve_gid, bool,
+	private_capabilities_t *this, char *groupname)
+{
+	struct group *grp;
+	int err;
+
+#ifdef HAVE_GETGRNAM_R
+	struct group group;
+	char buf[1024];
+
+	err = getgrnam_r(groupname, &group, buf, sizeof(buf), &grp);
+	if (grp)
+	{
+		this->gid = grp->gr_gid;
+	}
+#else /* HAVE_GETGRNAM_R */
+	this->mutex->lock(this->mutex);
+	grp = getgrnam(groupname);
+	if (grp)
+	{
+		this->gid = grp->gr_gid;
+	}
+	err = errno;
+	this->mutex->unlock(this->mutex);
+#endif /* HAVE_GETGRNAM_R */
+	if (grp)
+	{
+		return TRUE;
+	}
+	DBG1(DBG_LIB, "resolving user '%s' failed: %s", groupname,
+		 err ? strerror(err) : "group not found");
+	return FALSE;
+}
+
+/**
+ * Initialize supplementary groups for unprivileged user
+ */
+static bool init_supplementary_groups(private_capabilities_t *this)
+{
+	struct passwd *pwp;
+	int res = -1;
+
+#ifdef HAVE_GETPWUID_R
+	struct passwd pwd;
+	char buf[1024];
+
+	if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp)
+	{
+		res = initgroups(pwp->pw_name, this->gid);
+	}
+#else /* HAVE_GETPWUID_R */
+	this->mutex->lock(this->mutex);
+	pwp = getpwuid(this->uid);
+	if (pwp)
+	{
+		res = initgroups(pwp->pw_name, this->gid);
+	}
+	this->mutex->unlock(this->mutex);
+#endif /* HAVE_GETPWUID_R */
+	return res == 0;
+}
+
+METHOD(capabilities_t, drop, bool,
+	private_capabilities_t *this)
+{
+#ifdef HAVE_PRCTL
+	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+#endif
+
+	if (this->uid && !init_supplementary_groups(this))
+	{
+		DBG1(DBG_LIB, "initializing supplementary groups for %u failed",
+			 this->uid);
+		return FALSE;
+	}
+	if (this->gid && setgid(this->gid) != 0)
+	{
+		DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",
+			 this->gid, strerror(errno));
+		return FALSE;
+	}
+	if (this->uid && setuid(this->uid) != 0)
+	{
+		DBG1(DBG_LIB, "change to unprivileged user %u failed: %s",
+			 this->uid, strerror(errno));
+		return FALSE;
+	}
+
+#ifdef CAPABILITIES_LIBCAP
+	if (cap_set_proc(this->caps) != 0)
+	{
+		DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno));
+		return FALSE;
+	}
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+	struct __user_cap_header_struct header = {
+#if defined(_LINUX_CAPABILITY_VERSION_3)
+		.version = _LINUX_CAPABILITY_VERSION_3,
+#elif defined(_LINUX_CAPABILITY_VERSION_2)
+		.version = _LINUX_CAPABILITY_VERSION_2,
+#elif defined(_LINUX_CAPABILITY_VERSION_1)
+		.version = _LINUX_CAPABILITY_VERSION_1,
+#else
+		.version = _LINUX_CAPABILITY_VERSION,
+#endif
+	};
+	if (capset(&header, this->caps) != 0)
+	{
+		DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno));
+		return FALSE;
+	}
+#endif /* CAPABILITIES_NATIVE */
+#ifdef CAPABILITIES
+	DBG1(DBG_LIB, "dropped capabilities, running as uid %u, gid %u",
+		 geteuid(), getegid());
+#endif /* CAPABILITIES */
+	return TRUE;
+}
+
+METHOD(capabilities_t, destroy, void,
+	private_capabilities_t *this)
+{
+#ifdef EMULATE_R_FUNCS
+	this->mutex->destroy(this->mutex);
+#endif /* EMULATE_R_FUNCS */
+#ifdef CAPABILITIES_LIBCAP
+	cap_free(this->caps);
+#endif /* CAPABILITIES_LIBCAP */
+	free(this);
+}
+
+/**
+ * See header
+ */
+capabilities_t *capabilities_create()
+{
+	private_capabilities_t *this;
+
+	INIT(this,
+		.public = {
+			.keep = _keep,
+			.check = _check,
+			.get_uid = _get_uid,
+			.get_gid = _get_gid,
+			.set_uid = _set_uid,
+			.set_gid = _set_gid,
+			.resolve_uid = _resolve_uid,
+			.resolve_gid = _resolve_gid,
+			.drop = _drop,
+			.destroy = _destroy,
+		},
+	);
+
+#ifdef CAPABILITIES_LIBCAP
+	this->caps = cap_init();
+#endif /* CAPABILITIES_LIBCAP */
+
+#ifdef EMULATE_R_FUNCS
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+#endif /* EMULATE_R_FUNCS */
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
new file mode 100644
index 000000000..fe11a4dfc
--- /dev/null
+++ b/src/libstrongswan/utils/capabilities.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup capabilities capabilities
+ * @{ @ingroup utils
+ */
+
+#ifndef CAPABILITIES_H_
+#define CAPABILITIES_H_
+
+typedef struct capabilities_t capabilities_t;
+
+#include <library.h>
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#elif defined(CAPABILITIES_NATIVE)
+# include <linux/capability.h>
+#endif
+
+#ifndef CAP_CHOWN
+# define CAP_CHOWN 0
+#endif
+#ifndef CAP_NET_BIND_SERVICE
+# define CAP_NET_BIND_SERVICE 10
+#endif
+#ifndef CAP_NET_ADMIN
+# define CAP_NET_ADMIN 12
+#endif
+#ifndef CAP_NET_RAW
+# define CAP_NET_RAW 13
+#endif
+
+/**
+ * POSIX capability dropping abstraction layer.
+ */
+struct capabilities_t {
+
+	/**
+	 * Register a capability to keep while calling drop(). Verifies that the
+	 * capability is currently held.
+	 *
+	 * @note CAP_CHOWN is handled specially as it might not be required.
+	 *
+	 * @param cap		capability to keep
+	 * @return			FALSE if the capability is currently not held
+	 */
+	bool (*keep)(capabilities_t *this,
+				 u_int cap) __attribute__((warn_unused_result));
+
+	/**
+	 * Check if the given capability is currently held.
+	 *
+	 * @note CAP_CHOWN is handled specially as it might not be required.
+	 *
+	 * @param cap		capability to check
+	 * @return			TRUE if the capability is currently held
+	 */
+	bool (*check)(capabilities_t *this, u_int cap);
+
+	/**
+	 * Get the user ID set through set_uid/resolve_uid.
+	 *
+	 * @return			currently set user ID
+	 */
+	uid_t (*get_uid)(capabilities_t *this);
+
+	/**
+	 * Get the group ID set through set_gid/resolve_gid.
+	 *
+	 * @return			currently set group ID
+	 */
+	gid_t (*get_gid)(capabilities_t *this);
+
+	/**
+	 * Set the numerical user ID to use during rights dropping.
+	 *
+	 * @param uid		user ID to use
+	 */
+	void (*set_uid)(capabilities_t *this, uid_t uid);
+
+	/**
+	 * Set the numerical group ID to use during rights dropping.
+	 *
+	 * @param gid		group ID to use
+	 */
+	void (*set_gid)(capabilities_t *this, gid_t gid);
+
+	/**
+	 * Resolve a username and set the user ID accordingly.
+	 *
+	 * @param username	username get the uid for
+	 * @return			TRUE if username resolved and uid set
+	 */
+	bool (*resolve_uid)(capabilities_t *this, char *username);
+
+	/**
+	 * Resolve a groupname and set the group ID accordingly.
+	 *
+	 * @param groupname	groupname to get the gid for
+	 * @return			TRUE if groupname resolved and gid set
+	 */
+	bool (*resolve_gid)(capabilities_t *this, char *groupname);
+
+	/**
+	 * Drop all capabilities not previously passed to keep(), switch to UID/GID.
+	 *
+	 * @return			TRUE if capability drop successful
+	 */
+	bool (*drop)(capabilities_t *this);
+
+	/**
+	 * Destroy a capabilities_t.
+	 */
+	void (*destroy)(capabilities_t *this);
+};
+
+/**
+ * Create a capabilities instance.
+ */
+capabilities_t *capabilities_create();
+
+#endif /** CAPABILITIES_H_ @}*/
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
new file mode 100644
index 000000000..04f3eea7d
--- /dev/null
+++ b/src/libstrongswan/utils/chunk.c
@@ -0,0 +1,821 @@
+/*
+ * Copyright (C) 2008-2013 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <pthread.h>
+#include <ctype.h>
+
+#include "chunk.h"
+#include "debug.h"
+
+/**
+ * Empty chunk.
+ */
+chunk_t chunk_empty = { NULL, 0 };
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
+{
+	chunk_t clone = chunk_empty;
+
+	if (chunk.ptr && chunk.len > 0)
+	{
+		clone.ptr = ptr;
+		clone.len = chunk.len;
+		memcpy(clone.ptr, chunk.ptr, chunk.len);
+	}
+
+	return clone;
+}
+
+/**
+ * Described in header.
+ */
+size_t chunk_length(const char* mode, ...)
+{
+	va_list chunks;
+	size_t length = 0;
+
+	va_start(chunks, mode);
+	while (TRUE)
+	{
+		switch (*mode++)
+		{
+			case 'm':
+			case 'c':
+			case 's':
+			{
+				chunk_t ch = va_arg(chunks, chunk_t);
+				length += ch.len;
+				continue;
+			}
+			default:
+				break;
+		}
+		break;
+	}
+	va_end(chunks);
+	return length;
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
+{
+	va_list chunks;
+	chunk_t construct = chunk_create(ptr, 0);
+
+	va_start(chunks, mode);
+	while (TRUE)
+	{
+		bool free_chunk = FALSE, clear_chunk = FALSE;
+		chunk_t ch;
+
+		switch (*mode++)
+		{
+			case 's':
+				clear_chunk = TRUE;
+				/* FALL */
+			case 'm':
+				free_chunk = TRUE;
+				/* FALL */
+			case 'c':
+				ch = va_arg(chunks, chunk_t);
+				memcpy(ptr, ch.ptr, ch.len);
+				ptr += ch.len;
+				construct.len += ch.len;
+				if (clear_chunk)
+				{
+					chunk_clear(&ch);
+				}
+				else if (free_chunk)
+				{
+					free(ch.ptr);
+				}
+				continue;
+			default:
+				break;
+		}
+		break;
+	}
+	va_end(chunks);
+
+	return construct;
+}
+
+/**
+ * Described in header.
+ */
+void chunk_split(chunk_t chunk, const char *mode, ...)
+{
+	va_list chunks;
+	u_int len;
+	chunk_t *ch;
+
+	va_start(chunks, mode);
+	while (TRUE)
+	{
+		if (*mode == '\0')
+		{
+			break;
+		}
+		len = va_arg(chunks, u_int);
+		ch = va_arg(chunks, chunk_t*);
+		/* a null chunk means skip len bytes */
+		if (ch == NULL)
+		{
+			chunk = chunk_skip(chunk, len);
+			continue;
+		}
+		switch (*mode++)
+		{
+			case 'm':
+			{
+				ch->len = min(chunk.len, len);
+				if (ch->len)
+				{
+					ch->ptr = chunk.ptr;
+				}
+				else
+				{
+					ch->ptr = NULL;
+				}
+				chunk = chunk_skip(chunk, ch->len);
+				continue;
+			}
+			case 'a':
+			{
+				ch->len = min(chunk.len, len);
+				if (ch->len)
+				{
+					ch->ptr = malloc(ch->len);
+					memcpy(ch->ptr, chunk.ptr, ch->len);
+				}
+				else
+				{
+					ch->ptr = NULL;
+				}
+				chunk = chunk_skip(chunk, ch->len);
+				continue;
+			}
+			case 'c':
+			{
+				ch->len = min(ch->len, chunk.len);
+				ch->len = min(ch->len, len);
+				if (ch->len)
+				{
+					memcpy(ch->ptr, chunk.ptr, ch->len);
+				}
+				else
+				{
+					ch->ptr = NULL;
+				}
+				chunk = chunk_skip(chunk, ch->len);
+				continue;
+			}
+			default:
+				break;
+		}
+		break;
+	}
+	va_end(chunks);
+}
+
+/**
+ * Described in header.
+ */
+bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force)
+{
+	mode_t oldmask;
+	FILE *fd;
+	bool good = FALSE;
+
+	if (!force && access(path, F_OK) == 0)
+	{
+		DBG1(DBG_LIB, "  %s file '%s' already exists", label, path);
+		return FALSE;
+	}
+	oldmask = umask(mask);
+	fd = fopen(path, "w");
+	if (fd)
+	{
+		if (fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len)
+		{
+			DBG1(DBG_LIB, "  written %s file '%s' (%d bytes)",
+				 label, path, chunk.len);
+			good = TRUE;
+		}
+		else
+		{
+			DBG1(DBG_LIB, "  writing %s file '%s' failed: %s",
+				 label, path, strerror(errno));
+		}
+		fclose(fd);
+	}
+	else
+	{
+		DBG1(DBG_LIB, "  could not open %s file '%s': %s", label, path,
+			 strerror(errno));
+	}
+	umask(oldmask);
+	return good;
+}
+
+
+/** hex conversion digits */
+static char hexdig_upper[] = "0123456789ABCDEF";
+static char hexdig_lower[] = "0123456789abcdef";
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
+{
+	int i, len;
+	char *hexdig = hexdig_lower;
+
+	if (uppercase)
+	{
+		hexdig = hexdig_upper;
+	}
+
+	len = chunk.len * 2;
+	if (!buf)
+	{
+		buf = malloc(len + 1);
+	}
+	buf[len] = '\0';
+
+	for (i = 0; i < chunk.len; i++)
+	{
+		buf[i*2]   = hexdig[(chunk.ptr[i] >> 4) & 0xF];
+		buf[i*2+1] = hexdig[(chunk.ptr[i]     ) & 0xF];
+	}
+	return chunk_create(buf, len);
+}
+
+/**
+ * convert a signle hex character to its binary value
+ */
+static char hex2bin(char hex)
+{
+	switch (hex)
+	{
+		case '0' ... '9':
+			return hex - '0';
+		case 'A' ... 'F':
+			return hex - 'A' + 10;
+		case 'a' ... 'f':
+			return hex - 'a' + 10;
+		default:
+			return 0;
+	}
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_from_hex(chunk_t hex, char *buf)
+{
+	int i, len;
+	u_char *ptr;
+	bool odd = FALSE;
+
+   /* subtract the number of optional ':' separation characters */
+	len = hex.len;
+	ptr = hex.ptr;
+	for (i = 0; i < hex.len; i++)
+	{
+		if (*ptr++ == ':')
+		{
+			len--;
+		}
+	}
+
+	/* compute the number of binary bytes */
+	if (len % 2)
+	{
+		odd = TRUE;
+		len++;
+	}
+	len /= 2;
+
+	/* allocate buffer memory unless provided by caller */
+	if (!buf)
+	{
+		buf = malloc(len);
+	}
+
+	/* buffer is filled from the right */
+	memset(buf, 0, len);
+	hex.ptr += hex.len;
+
+	for (i = len - 1; i >= 0; i--)
+	{
+		/* skip separation characters */
+		if (*(--hex.ptr) == ':')
+		{
+			--hex.ptr;
+		}
+		buf[i] = hex2bin(*hex.ptr);
+		if (i > 0 || !odd)
+		{
+			buf[i] |= hex2bin(*(--hex.ptr)) << 4;
+		}
+	}
+	return chunk_create(buf, len);
+}
+
+/** base 64 conversion digits */
+static char b64digits[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_to_base64(chunk_t chunk, char *buf)
+{
+	int i, len;
+	char *pos;
+
+	len = chunk.len + ((3 - chunk.len % 3) % 3);
+	if (!buf)
+	{
+		buf = malloc(len * 4 / 3 + 1);
+	}
+	pos = buf;
+	for (i = 0; i < len; i+=3)
+	{
+		*pos++ = b64digits[chunk.ptr[i] >> 2];
+		if (i+1 >= chunk.len)
+		{
+			*pos++ = b64digits[(chunk.ptr[i] & 0x03) << 4];
+			*pos++ = '=';
+			*pos++ = '=';
+			break;
+		}
+		*pos++ = b64digits[((chunk.ptr[i] & 0x03) << 4) | (chunk.ptr[i+1] >> 4)];
+		if (i+2 >= chunk.len)
+		{
+			*pos++ = b64digits[(chunk.ptr[i+1] & 0x0F) << 2];
+			*pos++ = '=';
+			break;
+		}
+		*pos++ = b64digits[((chunk.ptr[i+1] & 0x0F) << 2) | (chunk.ptr[i+2] >> 6)];
+		*pos++ = b64digits[chunk.ptr[i+2] & 0x3F];
+	}
+	*pos = '\0';
+	return chunk_create(buf, len * 4 / 3);
+}
+
+/**
+ * convert a base 64 digit to its binary form (inversion of b64digits array)
+ */
+static int b642bin(char b64)
+{
+	switch (b64)
+	{
+		case 'A' ... 'Z':
+			return b64 - 'A';
+		case 'a' ... 'z':
+			return ('Z' - 'A' + 1) + b64 - 'a';
+		case '0' ... '9':
+			return ('Z' - 'A' + 1) + ('z' - 'a' + 1) + b64 - '0';
+		case '+':
+		case '-':
+			return 62;
+		case '/':
+		case '_':
+			return 63;
+		case '=':
+			return 0;
+		default:
+			return -1;
+	}
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_from_base64(chunk_t base64, char *buf)
+{
+	u_char *pos, byte[4];
+	int i, j, len, outlen;
+
+	len = base64.len / 4 * 3;
+	if (!buf)
+	{
+		buf = malloc(len);
+	}
+	pos = base64.ptr;
+	outlen = 0;
+	for (i = 0; i < len; i+=3)
+	{
+		outlen += 3;
+		for (j = 0; j < 4; j++)
+		{
+			if (*pos == '=')
+			{
+				outlen--;
+			}
+			byte[j] = b642bin(*pos++);
+		}
+		buf[i] = (byte[0] << 2) | (byte[1] >> 4);
+		buf[i+1] = (byte[1] << 4) | (byte[2] >> 2);
+		buf[i+2] = (byte[2] << 6) | (byte[3]);
+	}
+	return chunk_create(buf, outlen);
+}
+
+/** base 32 conversion digits */
+static char b32digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_to_base32(chunk_t chunk, char *buf)
+{
+	int i, len;
+	char *pos;
+
+	len = chunk.len + ((5 - chunk.len % 5) % 5);
+	if (!buf)
+	{
+		buf = malloc(len * 8 / 5 + 1);
+	}
+	pos = buf;
+	for (i = 0; i < len; i+=5)
+	{
+		*pos++ = b32digits[chunk.ptr[i] >> 3];
+		if (i+1 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i] & 0x07) << 2];
+			memset(pos, '=', 6);
+			pos += 6;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i] & 0x07) << 2) |
+						   (chunk.ptr[i+1] >> 6)];
+		*pos++ = b32digits[(chunk.ptr[i+1] & 0x3E) >> 1];
+		if (i+2 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+1] & 0x01) << 4];
+			memset(pos, '=', 4);
+			pos += 4;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+1] & 0x01) << 4) |
+						   (chunk.ptr[i+2] >> 4)];
+		if (i+3 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+2] & 0x0F) << 1];
+			memset(pos, '=', 3);
+			pos += 3;
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+2] & 0x0F) << 1) |
+						   (chunk.ptr[i+3] >> 7)];
+		*pos++ = b32digits[(chunk.ptr[i+3] & 0x7F) >> 2];
+		if (i+4 >= chunk.len)
+		{
+			*pos++ = b32digits[(chunk.ptr[i+3] & 0x03) << 3];
+			*pos++ = '=';
+			break;
+		}
+		*pos++ = b32digits[((chunk.ptr[i+3] & 0x03) << 3) |
+						   (chunk.ptr[i+4] >> 5)];
+		*pos++ = b32digits[chunk.ptr[i+4] & 0x1F];
+	}
+	*pos = '\0';
+	return chunk_create(buf, len * 8 / 5);
+}
+
+/**
+ * Described in header.
+ */
+int chunk_compare(chunk_t a, chunk_t b)
+{
+	int compare_len = a.len - b.len;
+	int len = (compare_len < 0)? a.len : b.len;
+
+	if (compare_len != 0 || len == 0)
+	{
+		return compare_len;
+	}
+	return memcmp(a.ptr, b.ptr, len);
+};
+
+
+/**
+ * Described in header.
+ */
+bool chunk_increment(chunk_t chunk)
+{
+	int i;
+
+	for (i = chunk.len - 1; i >= 0; i--)
+	{
+		if (++chunk.ptr[i] != 0)
+		{
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Remove non-printable characters from a chunk.
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
+{
+	bool printable = TRUE;
+	int i;
+
+	if (sane)
+	{
+		*sane = chunk_clone(chunk);
+	}
+	for (i = 0; i < chunk.len; i++)
+	{
+		if (!isprint(chunk.ptr[i]))
+		{
+			if (sane)
+			{
+				sane->ptr[i] = replace;
+			}
+			printable = FALSE;
+		}
+	}
+	return printable;
+}
+
+/**
+ * Helper functions for chunk_mac()
+ */
+static inline u_int64_t sipget(u_char *in)
+{
+	u_int64_t v = 0;
+	int i;
+
+	for (i = 0; i < 64; i += 8, ++in)
+	{
+		v |= ((u_int64_t)*in) << i;
+	}
+	return v;
+}
+
+static inline u_int64_t siprotate(u_int64_t v, int shift)
+{
+        return (v << shift) | (v >> (64 - shift));
+}
+
+static inline void sipround(u_int64_t *v0, u_int64_t *v1, u_int64_t *v2,
+							u_int64_t *v3)
+{
+	*v0 += *v1;
+	*v1 = siprotate(*v1, 13);
+	*v1 ^= *v0;
+	*v0 = siprotate(*v0, 32);
+
+	*v2 += *v3;
+	*v3 = siprotate(*v3, 16);
+	*v3 ^= *v2;
+
+	*v2 += *v1;
+	*v1 = siprotate(*v1, 17);
+	*v1 ^= *v2;
+	*v2 = siprotate(*v2, 32);
+
+	*v0 += *v3;
+	*v3 = siprotate(*v3, 21);
+	*v3 ^= *v0;
+}
+
+static inline void sipcompress(u_int64_t *v0, u_int64_t *v1, u_int64_t *v2,
+							   u_int64_t *v3, u_int64_t m)
+{
+	*v3 ^= m;
+	sipround(v0, v1, v2, v3);
+	sipround(v0, v1, v2, v3);
+	*v0 ^= m;
+}
+
+static inline u_int64_t siplast(size_t len, u_char *pos)
+{
+	u_int64_t b;
+	int rem = len & 7;
+
+	b = ((u_int64_t)len) << 56;
+	switch (rem)
+	{
+		case 7:
+			b |= ((u_int64_t)pos[6]) << 48;
+		case 6:
+			b |= ((u_int64_t)pos[5]) << 40;
+		case 5:
+			b |= ((u_int64_t)pos[4]) << 32;
+		case 4:
+			b |= ((u_int64_t)pos[3]) << 24;
+		case 3:
+			b |= ((u_int64_t)pos[2]) << 16;
+		case 2:
+			b |= ((u_int64_t)pos[1]) <<  8;
+		case 1:
+			b |= ((u_int64_t)pos[0]);
+			break;
+		case 0:
+			break;
+	}
+	return b;
+}
+
+/**
+ * Caculate SipHash-2-4 with an optional first block given as argument.
+ */
+static u_int64_t chunk_mac_inc(chunk_t chunk, u_char *key, u_int64_t m)
+{
+	u_int64_t v0, v1, v2, v3, k0, k1;
+	size_t len = chunk.len;
+	u_char *pos = chunk.ptr, *end;
+
+	end = chunk.ptr + len - (len % 8);
+
+	k0 = sipget(key);
+	k1 = sipget(key + 8);
+
+	v0 = k0 ^ 0x736f6d6570736575ULL;
+	v1 = k1 ^ 0x646f72616e646f6dULL;
+	v2 = k0 ^ 0x6c7967656e657261ULL;
+	v3 = k1 ^ 0x7465646279746573ULL;
+
+	if (m)
+	{
+		sipcompress(&v0, &v1, &v2, &v3, m);
+	}
+
+	/* compression with c = 2 */
+	for (; pos != end; pos += 8)
+	{
+		m = sipget(pos);
+		sipcompress(&v0, &v1, &v2, &v3, m);
+	}
+	sipcompress(&v0, &v1, &v2, &v3, siplast(len, pos));
+
+	/* finalization with d = 4 */
+	v2 ^= 0xff;
+	sipround(&v0, &v1, &v2, &v3);
+	sipround(&v0, &v1, &v2, &v3);
+	sipround(&v0, &v1, &v2, &v3);
+	sipround(&v0, &v1, &v2, &v3);
+	return v0 ^ v1 ^ v2  ^ v3;
+}
+
+/**
+ * Described in header.
+ */
+u_int64_t chunk_mac(chunk_t chunk, u_char *key)
+{
+	return chunk_mac_inc(chunk, key, 0);
+}
+
+/**
+ * Secret key allocated randomly during first use.
+ */
+static u_char key[16];
+
+/**
+ * Static key used in case predictable hash values are required.
+ */
+static u_char static_key[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+							  0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
+
+/**
+ * Only allocate the key once
+ */
+static pthread_once_t key_allocated = PTHREAD_ONCE_INIT;
+
+/**
+ * Allocate a key on first use, we do this manually to avoid dependencies on
+ * plugins.
+ */
+static void allocate_key()
+{
+	ssize_t len;
+	size_t done = 0;
+	int fd;
+
+	fd = open("/dev/urandom", O_RDONLY);
+	if (fd >= 0)
+	{
+		while (done < sizeof(key))
+		{
+			len = read(fd, key + done, sizeof(key) - done);
+			if (len < 0)
+			{
+				break;
+			}
+			done += len;
+		}
+		close(fd);
+	}
+	/* on error we use random() to generate the key (better than nothing) */
+	if (done < sizeof(key))
+	{
+		srandom(time(NULL) + getpid());
+		for (; done < sizeof(key); done++)
+		{
+			key[done] = (u_char)random();
+		}
+	}
+}
+
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
+{
+	pthread_once(&key_allocated, allocate_key);
+	/* we could use a mac of the previous hash, but this is faster */
+	return chunk_mac_inc(chunk, key, ((u_int64_t)hash) << 32 | hash);
+}
+
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash(chunk_t chunk)
+{
+	pthread_once(&key_allocated, allocate_key);
+	return chunk_mac(chunk, key);
+}
+
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash_static_inc(chunk_t chunk, u_int32_t hash)
+{	/* we could use a mac of the previous hash, but this is faster */
+	return chunk_mac_inc(chunk, static_key, ((u_int64_t)hash) << 32 | hash);
+}
+
+/**
+ * Described in header.
+ */
+u_int32_t chunk_hash_static(chunk_t chunk)
+{
+	return chunk_mac(chunk, static_key);
+}
+
+/**
+ * Described in header.
+ */
+int chunk_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					  const void *const *args)
+{
+	chunk_t *chunk = *((chunk_t**)(args[0]));
+	bool first = TRUE;
+	chunk_t copy = *chunk;
+	int written = 0;
+
+	if (!spec->hash)
+	{
+		u_int chunk_len = chunk->len;
+		const void *new_args[] = {&chunk->ptr, &chunk_len};
+		return mem_printf_hook(data, spec, new_args);
+	}
+
+	while (copy.len > 0)
+	{
+		if (first)
+		{
+			first = FALSE;
+		}
+		else
+		{
+			written += print_in_hook(data, ":");
+		}
+		written += print_in_hook(data, "%02x", *copy.ptr++);
+		copy.len--;
+	}
+	return written;
+}
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/utils/chunk.h
index 3de02eee7..34ba77357 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -17,7 +17,7 @@
 
 /**
  * @defgroup chunk chunk
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
  */
 
 #ifndef CHUNK_H_
@@ -191,6 +191,11 @@ static inline void chunk_clear(chunk_t *chunk)
 #define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
 
 /**
+ * Initialize a chunk from a string, not containing 0-terminator
+ */
+#define chunk_from_str(str) ({char *x = (str); chunk_create(x, strlen(x));})
+
+/**
  * Allocate a chunk on the heap
  */
 #define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(x ? malloc(x) : NULL, x);})
@@ -265,6 +270,15 @@ static inline bool chunk_equals(chunk_t a, chunk_t b)
 }
 
 /**
+ * Compare two chunks (given as pointers) for equality (useful as callback),
+ * NULL chunks are never equal.
+ */
+static inline bool chunk_equals_ptr(chunk_t *a, chunk_t *b)
+{
+	return a != NULL && b != NULL && chunk_equals(*a, *b);
+}
+
+/**
  * Increment a chunk, as it would reprensent a network order integer.
  *
  * @param chunk			chunk to increment
@@ -287,23 +301,75 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
 
 /**
  * Computes a 32 bit hash of the given chunk.
- * Note: This hash is only intended for hash tables not for cryptographic purposes.
+ *
+ * @note The output of this function is randomized, that is, it will only
+ * produce the same output for the same input when calling it from the same
+ * process.  For a more predictable hash function use chunk_hash_static()
+ * instead.
+ *
+ * @note This hash is only intended for hash tables not for cryptographic
+ * purposes.
+ *
+ * @param chunk			data to hash
+ * @return				hash value
  */
 u_int32_t chunk_hash(chunk_t chunk);
 
 /**
  * Incremental version of chunk_hash. Use this to hash two or more chunks.
+ *
+ * @param chunk			data to hash
+ * @param hash			previous hash value
+ * @return				hash value
  */
 u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
 
 /**
+ * Computes a 32 bit hash of the given chunk.
+ *
+ * Compared to chunk_hash() this will always calculate the same output for the
+ * same input.  Therefore, it should not be used for hash tables (to prevent
+ * hash flooding).
+ *
+ * @note This hash is not intended for cryptographic purposes.
+ *
+ * @param chunk			data to hash
+ * @return				hash value
+ */
+u_int32_t chunk_hash_static(chunk_t chunk);
+
+/**
+ * Incremental version of chunk_hash_static(). Use this to hash two or more
+ * chunks in a predictable way.
+ *
+ * @param chunk			data to hash
+ * @param hash			previous hash value
+ * @return				hash value
+ */
+u_int32_t chunk_hash_static_inc(chunk_t chunk, u_int32_t hash);
+
+/**
+ * Computes a quick MAC from the given chunk and key using SipHash.
+ *
+ * The key must have a length of 128-bit (16 bytes).
+ *
+ * @note While SipHash has strong features using it for cryptographic purposes
+ * is not recommended (in particular because of the rather short output size).
+ *
+ * @param chunk			data to process
+ * @param key			key to use
+ * @return				MAC for given input and key
+ */
+u_int64_t chunk_mac(chunk_t chunk, u_char *key);
+
+/**
  * printf hook function for chunk_t.
  *
  * Arguments are:
  *	chunk_t *chunk
  * Use #-modifier to print a compact version
  */
-int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int chunk_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					  const void *const *args);
 
 #endif /** CHUNK_H_ @}*/
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/utils/debug.c
index d6c5b06b6..e8c9e6b98 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/utils/debug.c
@@ -33,6 +33,8 @@ ENUM(debug_names, DBG_DMN, DBG_LIB,
 	"IMV",
 	"PTS",
 	"TLS",
+	"APP",
+	"ESP",
 	"LIB",
 );
 
@@ -52,6 +54,8 @@ ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
 	"imv",
 	"pts",
 	"tls",
+	"app",
+	"esp",
 	"lib",
 );
 
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/utils/debug.h
index 2a6ff98ad..c46d3fe55 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/utils/debug.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup debug debug
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
  */
 
 #ifndef DEBUG_H_
@@ -26,7 +26,7 @@ typedef enum level_t level_t;
 
 #include <stdio.h>
 
-#include "enum.h"
+#include "utils/enum.h"
 
 /**
  * Debug message group.
@@ -62,6 +62,10 @@ enum debug_t {
 	DBG_PTS,
 	/** libtls */
 	DBG_TLS,
+	/** applications other than daemons */
+	DBG_APP,
+	/** libipsec */
+	DBG_ESP,
 	/** libstrongswan */
 	DBG_LIB,
 	/** number of groups */
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/utils/enum.c
index 5c811bd17..3db9a34e0 100644
--- a/src/libstrongswan/enum.c
+++ b/src/libstrongswan/utils/enum.c
@@ -47,7 +47,7 @@ int enum_from_name(enum_name_t *e, char *name)
 
 		for (i = 0; i < count; i++)
 		{
-			if (strcaseeq(name, e->names[i]))
+			if (name && strcaseeq(name, e->names[i]))
 			{
 				return e->first + i;
 			}
@@ -60,20 +60,22 @@ int enum_from_name(enum_name_t *e, char *name)
 /**
  * Described in header.
  */
-int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					 const void *const *args)
 {
 	enum_name_t *ed = *((enum_name_t**)(args[0]));
 	int val = *((int*)(args[1]));
+	char *name, buf[32];
 
-	char *name = enum_to_name(ed, val);
-
+	name = enum_to_name(ed, val);
 	if (name == NULL)
 	{
-		return print_in_hook(dst, len, "(%d)", val);
+		snprintf(buf, sizeof(buf), "(%d)", val);
+		name = buf;
 	}
-	else
+	if (spec->minus)
 	{
-		return print_in_hook(dst, len, "%s", name);
+		return print_in_hook(data, "%-*s", spec->width, name);
 	}
+	return print_in_hook(data, "%*s", spec->width, name);
 }
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/utils/enum.h
index d5f169772..df8dbf8c1 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/utils/enum.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup enum enum
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
  */
 
 #ifndef ENUM_H_
@@ -130,7 +130,7 @@ int enum_from_name(enum_name_t *e, char *name);
  * Arguments are:
  *	enum_names_t *names, int value
  */
-int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					 const void *const *args);
 
 #endif /** ENUM_H_ @}*/
diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h
deleted file mode 100644
index 27aca9b68..000000000
--- a/src/libstrongswan/utils/hashtable.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (C) 2008-2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup hashtable hashtable
- * @{ @ingroup utils
- */
-
-#ifndef HASHTABLE_H_
-#define HASHTABLE_H_
-
-#include <utils/enumerator.h>
-
-typedef struct hashtable_t hashtable_t;
-
-/**
- * Prototype for a function that computes the hash code from the given key.
- *
- * @param key			key to hash
- * @return				hash code
- */
-typedef u_int (*hashtable_hash_t)(void *key);
-
-/**
- * Prototype for a function that compares the two keys for equality.
- *
- * @param key			first key (the one we are looking for)
- * @param other_key		second key
- * @return				TRUE if the keys are equal
- */
-typedef bool (*hashtable_equals_t)(void *key, void *other_key);
-
-/**
- * Class implementing a hash table.
- *
- * General purpose hash table. This hash table is not synchronized.
- */
-struct hashtable_t {
-
-	/**
-	 * Create an enumerator over the hash table key/value pairs.
-	 *
-	 * @return			enumerator over (void *key, void *value)
-	 */
-	enumerator_t *(*create_enumerator) (hashtable_t *this);
-
-	/**
-	 * Adds the given value with the given key to the hash table, if there
-	 * exists no entry with that key. NULL is returned in this case.
-	 * Otherwise the existing value is replaced and the function returns the
-	 * old value.
-	 *
-	 * @param key		the key to store
-	 * @param value		the value to store
-	 * @return			NULL if no item was replaced, the old value otherwise
-	 */
-	void *(*put) (hashtable_t *this, void *key, void *value);
-
-	/**
-	 * Returns the value with the given key, if the hash table contains such an
-	 * entry, otherwise NULL is returned.
-	 *
-	 * @param key		the key of the requested value
-	 * @return			the value, NULL if not found
-	 */
-	void *(*get) (hashtable_t *this, void *key);
-
-	/**
-	 * Removes the value with the given key from the hash table and returns the
-	 * removed value (or NULL if no such value existed).
-	 *
-	 * @param key		the key of the value to remove
-	 * @return			the removed value, NULL if not found
-	 */
-	void *(*remove) (hashtable_t *this, void *key);
-
-	/**
-	 * Removes the key and value pair from the hash table at which the given
-	 * enumerator currently points.
-	 *
-	 * @param enumerator	enumerator, from create_enumerator
-	 */
-	void (*remove_at) (hashtable_t *this, enumerator_t *enumerator);
-
-	/**
-	 * Gets the number of items in the hash table.
-	 *
-	 * @return			number of items
-	 */
-	u_int (*get_count) (hashtable_t *this);
-
-	/**
-	 * Destroys a hash table object.
-	 */
-	void (*destroy) (hashtable_t *this);
-
-};
-
-/**
- * Creates an empty hash table object.
- *
- * @param hash			hash function
- * @param equals		equals function
- * @param capacity		initial capacity
- * @return				hashtable_t object.
- */
-hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
-							  u_int capacity);
-
-#endif /** HASHTABLE_H_ @}*/
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
deleted file mode 100644
index d3020a5d0..000000000
--- a/src/libstrongswan/utils/host.c
+++ /dev/null
@@ -1,618 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <sys/socket.h>
-#include <netdb.h>
-#include <string.h>
-
-#include "host.h"
-
-#include <debug.h>
-
-#define IPV4_LEN	 4
-#define IPV6_LEN	16
-
-typedef struct private_host_t private_host_t;
-
-/**
- * Private Data of a host object.
- */
-struct private_host_t {
-	/**
-	 * Public data
-	 */
-	host_t public;
-
-	/**
-	 * low-lewel structure, which stores the address
-	 */
-	union {
-		/** generic type */
-		struct sockaddr address;
-		/** maximum sockaddr size */
-		struct sockaddr_storage address_max;
-		/** IPv4 address */
-		struct sockaddr_in address4;
-		/** IPv6 address */
-		struct sockaddr_in6 address6;
-	};
-	/**
-	 * length of address structure
-	 */
-	socklen_t socklen;
-};
-
-
-METHOD(host_t, get_sockaddr, sockaddr_t*,
-	private_host_t *this)
-{
-	return &(this->address);
-}
-
-METHOD(host_t, get_sockaddr_len, socklen_t*,
-	private_host_t *this)
-{
-	return &(this->socklen);
-}
-
-METHOD(host_t, is_anyaddr, bool,
-	private_host_t *this)
-{
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			u_int8_t zeroes[IPV4_LEN];
-
-			memset(zeroes, 0, IPV4_LEN);
-			return memeq(zeroes, &(this->address4.sin_addr.s_addr), IPV4_LEN);
-		}
-		case AF_INET6:
-		{
-			u_int8_t zeroes[IPV6_LEN];
-
-			memset(zeroes, 0, IPV6_LEN);
-			return memeq(zeroes, &(this->address6.sin6_addr.s6_addr), IPV6_LEN);
-		}
-		default:
-		{
-			return FALSE;
-		}
-	}
-}
-
-/**
- * Described in header.
- */
-int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
-					 const void *const *args)
-{
-	private_host_t *this = *((private_host_t**)(args[0]));
-	char buffer[INET6_ADDRSTRLEN + 16];
-
-	if (this == NULL)
-	{
-		snprintf(buffer, sizeof(buffer), "(null)");
-	}
-	else if (is_anyaddr(this))
-	{
-		snprintf(buffer, sizeof(buffer), "%%any%s",
-				 this->address.sa_family == AF_INET6 ? "6" : "");
-	}
-	else
-	{
-		void *address;
-		u_int16_t port;
-		int len;
-
-		address = &this->address6.sin6_addr;
-		port = this->address6.sin6_port;
-
-		switch (this->address.sa_family)
-		{
-			case AF_INET:
-				address = &this->address4.sin_addr;
-				port = this->address4.sin_port;
-				/* fall */
-			case AF_INET6:
-
-				if (inet_ntop(this->address.sa_family, address,
-							  buffer, sizeof(buffer)) == NULL)
-				{
-					snprintf(buffer, sizeof(buffer),
-							 "(address conversion failed)");
-				}
-				else if (spec->hash)
-				{
-					len = strlen(buffer);
-					snprintf(buffer + len, sizeof(buffer) - len,
-							 "[%d]", ntohs(port));
-				}
-				break;
-			default:
-				snprintf(buffer, sizeof(buffer), "(family not supported)");
-				break;
-		}
-	}
-	if (spec->minus)
-	{
-		return print_in_hook(dst, dstlen, "%-*s", spec->width, buffer);
-	}
-	return print_in_hook(dst, dstlen, "%*s", spec->width, buffer);
-}
-
-METHOD(host_t, get_address, chunk_t,
-	private_host_t *this)
-{
-	chunk_t address = chunk_empty;
-
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			address.ptr = (char*)&(this->address4.sin_addr.s_addr);
-			address.len = IPV4_LEN;
-			return address;
-		}
-		case AF_INET6:
-		{
-			address.ptr = (char*)&(this->address6.sin6_addr.s6_addr);
-			address.len = IPV6_LEN;
-			return address;
-		}
-		default:
-		{
-			/* return empty chunk */
-			return address;
-		}
-	}
-}
-
-METHOD(host_t, get_family, int,
-	private_host_t *this)
-{
-	return this->address.sa_family;
-}
-
-METHOD(host_t, get_port, u_int16_t,
-	private_host_t *this)
-{
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			return ntohs(this->address4.sin_port);
-		}
-		case AF_INET6:
-		{
-			return ntohs(this->address6.sin6_port);
-		}
-		default:
-		{
-			return 0;
-		}
-	}
-}
-
-METHOD(host_t, set_port, void,
-	private_host_t *this, u_int16_t port)
-{
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			this->address4.sin_port = htons(port);
-			break;
-		}
-		case AF_INET6:
-		{
-			this->address6.sin6_port = htons(port);
-			break;
-		}
-		default:
-		{
-			break;
-		}
-	}
-}
-
-METHOD(host_t, clone_, host_t*,
-	private_host_t *this)
-{
-	private_host_t *new;
-
-	new = malloc_thing(private_host_t);
-	memcpy(new, this, sizeof(private_host_t));
-
-	return &new->public;
-}
-
-/**
- * Implements host_t.ip_equals
- */
-static bool ip_equals(private_host_t *this, private_host_t *other)
-{
-	if (this->address.sa_family != other->address.sa_family)
-	{
-		/* 0.0.0.0 and 0::0 are equal */
-		return (is_anyaddr(this) && is_anyaddr(other));
-	}
-
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			return memeq(&this->address4.sin_addr, &other->address4.sin_addr,
-						 sizeof(this->address4.sin_addr));
-		}
-		case AF_INET6:
-		{
-			return memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
-						 sizeof(this->address6.sin6_addr));
-		}
-		default:
-			break;
-	}
-	return FALSE;
-}
-
-/**
- * Implements host_t.get_differences
- */
-static host_diff_t get_differences(host_t *this, host_t *other)
-{
-	host_diff_t ret = HOST_DIFF_NONE;
-
-	if (!this->ip_equals(this, other))
-	{
-		ret |= HOST_DIFF_ADDR;
-	}
-
-	if (this->get_port(this) != other->get_port(other))
-	{
-		ret |= HOST_DIFF_PORT;
-	}
-
-	return ret;
-}
-
-/**
- * Implements host_t.equals
- */
-static bool equals(private_host_t *this, private_host_t *other)
-{
-	if (!ip_equals(this, other))
-	{
-		return FALSE;
-	}
-
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			return (this->address4.sin_port == other->address4.sin_port);
-		}
-		case AF_INET6:
-		{
-			return (this->address6.sin6_port == other->address6.sin6_port);
-		}
-		default:
-			break;
-	}
-	return FALSE;
-}
-
-METHOD(host_t, destroy, void,
-	private_host_t *this)
-{
-	free(this);
-}
-
-/**
- * Creates an empty host_t object
- */
-static private_host_t *host_create_empty(void)
-{
-	private_host_t *this;
-
-	INIT(this,
-		.public = {
-			.get_sockaddr = _get_sockaddr,
-			.get_sockaddr_len = _get_sockaddr_len,
-			.clone = _clone_,
-			.get_family = _get_family,
-			.get_address = _get_address,
-			.get_port = _get_port,
-			.set_port = _set_port,
-			.get_differences = get_differences,
-			.ip_equals = (bool (*)(host_t *,host_t *))ip_equals,
-			.equals = (bool (*)(host_t *,host_t *)) equals,
-			.is_anyaddr = _is_anyaddr,
-			.destroy = _destroy,
-		},
-	);
-
-	return this;
-}
-
-/*
- * Create a %any host with port
- */
-static host_t *host_create_any_port(int family, u_int16_t port)
-{
-	host_t *this;
-
-	this = host_create_any(family);
-	this->set_port(this, port);
-	return this;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_string(char *string, u_int16_t port)
-{
-	private_host_t *this;
-
-	if (streq(string, "%any"))
-	{
-		return host_create_any_port(AF_INET, port);
-	}
-	if (streq(string, "%any6"))
-	{
-		return host_create_any_port(AF_INET6, port);
-	}
-
-	this = host_create_empty();
-	if (strchr(string, '.'))
-	{
-		this->address.sa_family = AF_INET;
-	}
-	else
-	{
-		this->address.sa_family = AF_INET6;
-	}
-	switch (this->address.sa_family)
-	{
-		case AF_INET:
-		{
-			if (inet_pton(AF_INET, string, &this->address4.sin_addr) <=0)
-			{
-				break;
-			}
-			this->address4.sin_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in);
-			return &this->public;
-		}
-		case AF_INET6:
-		{
-			if (inet_pton(AF_INET6, string, &this->address6.sin6_addr) <=0)
-			{
-				break;
-			}
-			this->address6.sin6_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
-		{
-			break;
-		}
-	}
-	free(this);
-	return NULL;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
-{
-	private_host_t *this = host_create_empty();
-
-	switch (sockaddr->sa_family)
-	{
-		case AF_INET:
-		{
-			memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
-			this->socklen = sizeof(struct sockaddr_in);
-			return &this->public;
-		}
-		case AF_INET6:
-		{
-			memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
-			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
-			break;
-	}
-	free(this);
-	return NULL;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_dns(char *string, int af, u_int16_t port)
-{
-	private_host_t *this;
-	struct addrinfo hints, *result;
-	int error;
-
-	if (streq(string, "%any"))
-	{
-		return host_create_any_port(af ? af : AF_INET, port);
-	}
-	if (streq(string, "%any6"))
-	{
-		return host_create_any_port(af ? af : AF_INET6, port);
-	}
-	if (af == AF_INET && strchr(string, ':'))
-	{	/* do not try to convert v6 addresses for v4 family */
-		return NULL;
-	}
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = af;
-	error = getaddrinfo(string, NULL, &hints, &result);
-	if (error != 0)
-	{
-		DBG1(DBG_LIB, "resolving '%s' failed: %s", string, gai_strerror(error));
-		return NULL;
-	}
-	/* result is a linked list, but we use only the first address */
-	this = (private_host_t*)host_create_from_sockaddr(result->ai_addr);
-	freeaddrinfo(result);
-	if (this)
-	{
-		switch (this->address.sa_family)
-		{
-			case AF_INET:
-				this->address4.sin_port = htons(port);
-				break;
-			case AF_INET6:
-				this->address6.sin6_port = htons(port);
-				break;
-		}
-		return &this->public;
-	}
-	return NULL;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
-{
-	private_host_t *this;
-
-	switch (family)
-	{
-		case AF_INET:
-			if (address.len < IPV4_LEN)
-			{
-				return NULL;
-			}
-			address.len = IPV4_LEN;
-			break;
-		case AF_INET6:
-			if (address.len < IPV6_LEN)
-			{
-				return NULL;
-			}
-			address.len = IPV6_LEN;
-			break;
-		case AF_UNSPEC:
-			switch (address.len)
-			{
-				case IPV4_LEN:
-					family = AF_INET;
-					break;
-				case IPV6_LEN:
-					family = AF_INET6;
-					break;
-				default:
-					return NULL;
-			}
-			break;
-		default:
-			return NULL;
-	}
-	this = host_create_empty();
-	this->address.sa_family = family;
-	switch (family)
-	{
-		case AF_INET:
-			memcpy(&this->address4.sin_addr.s_addr, address.ptr, address.len);
-			this->address4.sin_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in);
-			break;
-		case AF_INET6:
-			memcpy(&this->address6.sin6_addr.s6_addr, address.ptr, address.len);
-			this->address6.sin6_port = htons(port);
-			this->socklen = sizeof(struct sockaddr_in6);
-			break;
-	}
-	return &this->public;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_from_subnet(char *string, int *bits)
-{
-	char *pos, buf[64];
-	host_t *net;
-
-	pos = strchr(string, '/');
-	if (pos)
-	{
-		if (pos - string >= sizeof(buf))
-		{
-			return NULL;
-		}
-		strncpy(buf, string, pos - string);
-		buf[pos - string] = '\0';
-		*bits = atoi(pos + 1);
-		return host_create_from_string(buf, 0);
-	}
-	net = host_create_from_string(string, 0);
-	if (net)
-	{
-		if (net->get_family(net) == AF_INET)
-		{
-			*bits = 32;
-		}
-		else
-		{
-			*bits = 128;
-		}
-	}
-	return net;
-}
-
-/*
- * Described in header.
- */
-host_t *host_create_any(int family)
-{
-	private_host_t *this = host_create_empty();
-
-	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
-	this->address.sa_family = family;
-
-	switch (family)
-	{
-		case AF_INET:
-		{
-			this->socklen = sizeof(struct sockaddr_in);
-			return &(this->public);
-		}
-		case AF_INET6:
-		{
-			this->socklen = sizeof(struct sockaddr_in6);
-			return &this->public;
-		}
-		default:
-			break;
-	}
-	free(this);
-	return NULL;
-}
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 9f0007f78..5df3e5fe2 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2012 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
 	"ID_DER_ASN1_DN",
 	"ID_DER_ASN1_GN",
 	"ID_KEY_ID");
-ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID,
 	"ID_DER_ASN1_GN_URI",
-	"ID_MYID");
-ENUM_END(id_type_names, ID_MYID);
+	"ID_USER_ID");
+ENUM_END(id_type_names, ID_USER_ID);
 
 /**
  * coding of X.501 distinguished name
@@ -277,6 +277,23 @@ METHOD(identification_t, create_part_enumerator, enumerator_t*,
 }
 
 /**
+ * Print a separator between two RDNs
+ */
+static inline bool print_separator(char **buf, size_t *len)
+{
+	int written;
+
+	written = snprintf(*buf, *len, ", ");
+	if (written < 0 || written >= *len)
+	{
+		return FALSE;
+	}
+	*buf += written;
+	*len -= written;
+	return TRUE;
+}
+
+/**
  * Print a DN with all its RDN in a buffer to present it to the user
  */
 static void dntoa(chunk_t dn, char *buf, size_t len)
@@ -292,8 +309,14 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 	{
 		empty = FALSE;
 
-		oid = asn1_known_oid(oid_data);
+		/* previous RDN was empty but it wasn't the last one */
+		if (finished && !print_separator(&buf, &len))
+		{
+			break;
+		}
+		finished = FALSE;
 
+		oid = asn1_known_oid(oid_data);
 		if (oid == OID_UNKNOWN)
 		{
 			written = snprintf(buf, len, "%#B=", &oid_data);
@@ -310,7 +333,7 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 		len -= written;
 
 		chunk_printable(data, &printable, '?');
-		written = snprintf(buf, len, "%.*s", printable.len, printable.ptr);
+		written = snprintf(buf, len, "%.*s", (int)printable.len, printable.ptr);
 		chunk_free(&printable);
 		if (written < 0 || written >= len)
 		{
@@ -319,21 +342,19 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
 		buf += written;
 		len -= written;
 
-		if (data.ptr + data.len != dn.ptr + dn.len)
-		{
-			written = snprintf(buf, len, ", ");
-			if (written < 0 || written >= len)
-			{
-				break;
-			}
-			buf += written;
-			len -= written;
+		if (!data.ptr)
+		{	/* we can't calculate if we're finished, assume we are */
+			finished = TRUE;
 		}
-		else
+		else if (data.ptr + data.len == dn.ptr + dn.len)
 		{
 			finished = TRUE;
 			break;
 		}
+		else if (!print_separator(&buf, &len))
+		{
+			break;
+		}
 	}
 	if (empty)
 	{
@@ -377,7 +398,7 @@ static status_t atodn(char *src, chunk_t *dn)
 		switch (state)
 		{
 			case SEARCH_OID:
-				if (*src != ' ' && *src != '/' && *src !=  ',')
+				if (*src != ' ' && *src != '/' && *src !=  ',' && *src != '\0')
 				{
 					oid.ptr = src;
 					oid.len = 1;
@@ -414,14 +435,22 @@ static status_t atodn(char *src, chunk_t *dn)
 				}
 				break;
 			case SEARCH_NAME:
-				if (*src != ' ' && *src != '=')
+				if (*src == ' ' || *src == '=')
+				{
+					break;
+				}
+				else if (*src != ',' && *src != '/' && *src != '\0')
 				{
 					name.ptr = src;
 					name.len = 1;
 					whitespace = 0;
 					state = READ_NAME;
+					break;
 				}
-				break;
+				name = chunk_empty;
+				whitespace = 0;
+				state = READ_NAME;
+				/* fall-through */
 			case READ_NAME:
 				if (*src != ',' && *src != '/' && *src != '\0')
 				{
@@ -473,6 +502,11 @@ static status_t atodn(char *src, chunk_t *dn)
 		}
 	} while (*src++ != '\0');
 
+	if (state == READ_OID)
+	{	/* unterminated OID */
+		status = INVALID_ARG;
+	}
+
 	/* build the distinguished name sequence */
 	{
 		int i;
@@ -485,7 +519,6 @@ static status_t atodn(char *src, chunk_t *dn)
 			free(rdns[i].ptr);
 		}
 	}
-
 	if (status != SUCCESS)
 	{
 		free(dn->ptr);
@@ -748,8 +781,8 @@ METHOD(identification_t, matches_dn, id_match_t,
 /**
  * Described in header.
  */
-int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-							   const void *const *args)
+int identification_printf_hook(printf_hook_data_t *data,
+							printf_hook_spec_t *spec, const void *const *args)
 {
 	private_identification_t *this = *((private_identification_t**)(args[0]));
 	chunk_t proper;
@@ -757,7 +790,7 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 
 	if (this == NULL)
 	{
-		return print_in_hook(dst, len, "%*s", spec->width, "(null)");
+		return print_in_hook(data, "%*s", spec->width, "(null)");
 	}
 
 	switch (this->type)
@@ -782,40 +815,38 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
+		case ID_USER_ID:
 			chunk_printable(this->encoded, &proper, '?');
-			snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
+			snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
 			chunk_free(&proper);
 			break;
 		case ID_DER_ASN1_DN:
 			dntoa(this->encoded, buf, sizeof(buf));
 			break;
 		case ID_DER_ASN1_GN:
-			snprintf(buf, sizeof(buf), "(ASN.1 general Name");
+			snprintf(buf, sizeof(buf), "(ASN.1 general name)");
 			break;
 		case ID_KEY_ID:
 			if (chunk_printable(this->encoded, NULL, '?') &&
 				this->encoded.len != HASH_SIZE_SHA1)
 			{	/* fully printable, use ascii version */
-				snprintf(buf, sizeof(buf), "%.*s",
-						 this->encoded.len, this->encoded.ptr);
+				snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len,
+						 this->encoded.ptr);
 			}
 			else
 			{	/* not printable, hex dump */
 				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
 			}
 			break;
-		case ID_MYID:
-			snprintf(buf, sizeof(buf), "%%myid");
-			break;
 		default:
 			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
 			break;
 	}
 	if (spec->minus)
 	{
-		return print_in_hook(dst, len, "%-*s", spec->width, buf);
+		return print_in_hook(data, "%-*s", spec->width, buf);
 	}
-	return print_in_hook(dst, len, "%*s", spec->width, buf);
+	return print_in_hook(data, "%*s", spec->width, buf);
 }
 
 METHOD(identification_t, clone_, identification_t*,
@@ -865,6 +896,7 @@ static private_identification_t *identification_create(id_type_t type)
 			break;
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
+		case ID_USER_ID:
 			this->public.matches = _matches_string;
 			this->public.equals = _equals_strcasecmp;
 			this->public.contains_wildcards = _contains_wildcards_memchr;
@@ -908,14 +940,15 @@ identification_t *identification_create_from_string(char *string)
 		else
 		{
 			this = identification_create(ID_KEY_ID);
-			this->encoded = chunk_clone(chunk_create(string, strlen(string)));
+			this->encoded = chunk_from_str(strdup(string));
 		}
 		return &this->public;
 	}
 	else if (strchr(string, '@') == NULL)
 	{
-		if (streq(string, "%any")
-		||  streq(string, "%any6")
+		if (streq(string, "")
+		||	streq(string, "%any")
+		||	streq(string, "%any6")
 		||	streq(string, "0.0.0.0")
 		||	streq(string, "*")
 		||	streq(string, "::")
@@ -940,11 +973,7 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4, mostly FQDN */
 					this = identification_create(ID_FQDN);
-					this->encoded.len = strlen(string);
-					if (this->encoded.len)
-					{
-						this->encoded.ptr = strdup(string);
-					}
+					this->encoded = chunk_from_str(strdup(string));
 				}
 				return &this->public;
 			}
@@ -961,11 +990,7 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4/6 fallback to KEY_ID */
 					this = identification_create(ID_KEY_ID);
-					this->encoded.len = strlen(string);
-					if (this->encoded.len)
-					{
-						this->encoded.ptr = strdup(string);
-					}
+					this->encoded = chunk_from_str(strdup(string));
 				}
 				return &this->public;
 			}
@@ -975,34 +1000,30 @@ identification_t *identification_create_from_string(char *string)
 	{
 		if (*string == '@')
 		{
-			if (*(string + 1) == '#')
+			string++;
+			if (*string == '#')
 			{
 				this = identification_create(ID_KEY_ID);
-				string += 2;
-				this->encoded = chunk_from_hex(
-									chunk_create(string, strlen(string)), NULL);
+				this->encoded = chunk_from_hex(chunk_from_str(string + 1), NULL);
+				return &this->public;
+			}
+			else if (*string == '@')
+			{
+				this = identification_create(ID_USER_FQDN);
+				this->encoded = chunk_clone(chunk_from_str(string + 1));
 				return &this->public;
 			}
 			else
 			{
 				this = identification_create(ID_FQDN);
-				string += 1;
-				this->encoded.len = strlen(string);
-				if (this->encoded.len)
-				{
-					this->encoded.ptr = strdup(string);
-				}
+				this->encoded = chunk_clone(chunk_from_str(string));
 				return &this->public;
 			}
 		}
 		else
 		{
 			this = identification_create(ID_RFC822_ADDR);
-			this->encoded.len = strlen(string);
-			if (this->encoded.len)
-			{
-				this->encoded.ptr = strdup(string);
-			}
+			this->encoded = chunk_from_str(strdup(string));
 			return &this->public;
 		}
 	}
@@ -1015,9 +1036,16 @@ identification_t * identification_create_from_data(chunk_t data)
 {
 	char buf[data.len + 1];
 
-	/* use string constructor */
-	snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
-	return identification_create_from_string(buf);
+	if (is_asn1(data))
+	{
+		return identification_create_from_encoding(ID_DER_ASN1_DN, data);
+	}
+	else
+	{
+		/* use string constructor */
+		snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
+		return identification_create_from_string(buf);
+	}
 }
 
 /*
@@ -1065,4 +1093,3 @@ identification_t *identification_create_from_sockaddr(sockaddr_t *sockaddr)
 		}
 	}
 }
-
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 3978b23f3..e62446879 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -29,8 +29,8 @@ typedef struct identification_t identification_t;
 typedef enum id_match_t id_match_t;
 typedef enum id_part_t id_part_t;
 
-#include <chunk.h>
-#include <utils/enumerator.h>
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
 
 /**
  * Matches returned from identification_t.match
@@ -126,14 +126,14 @@ enum id_type_t {
 	ID_KEY_ID = 11,
 
 	/**
-	 * private type which represents a GeneralName of type URI
+	 * Private ID type which represents a GeneralName of type URI
 	 */
 	ID_DER_ASN1_GN_URI = 201,
 
 	/**
-	 * Private ID used by the pluto daemon for opportunistic encryption
+	 * Private ID type which represents a user ID
 	 */
-	ID_MYID = 203,
+	ID_USER_ID = 202
 };
 
 /**
@@ -241,7 +241,6 @@ struct identification_t {
 	 * no match at all, 1 means a bad match, and 2 a slightly better match.
 	 *
 	 * @param other		the ID containing one or more wildcards
-	 * @param wildcards	returns the number of wildcards, may be NULL
 	 * @return 			match value as described above
 	 */
 	id_match_t (*matches) (identification_t *this, identification_t *other);
@@ -342,7 +341,7 @@ identification_t * identification_create_from_sockaddr(sockaddr_t *sockaddr);
  * Arguments are:
  *	identification_t *identification
  */
-int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
-							   const void *const *args);
+int identification_printf_hook(printf_hook_data_t *data,
+							printf_hook_spec_t *spec, const void *const *args);
 
 #endif /** IDENTIFICATION_H_ @}*/
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/utils/integrity_checker.c
index e962aba70..d59a76232 100644
--- a/src/libstrongswan/integrity_checker.c
+++ b/src/libstrongswan/utils/integrity_checker.c
@@ -91,7 +91,7 @@ METHOD(integrity_checker_t, build_file, u_int32_t,
 
 	*len = sb.st_size;
 	contents = chunk_create(addr, sb.st_size);
-	checksum = chunk_hash(contents);
+	checksum = chunk_hash_static(contents);
 
 	munmap(addr, sb.st_size);
 	close(fd);
@@ -153,7 +153,7 @@ METHOD(integrity_checker_t, build_segment, u_int32_t,
 
 	segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
 	*len = segment.len;
-	return chunk_hash(segment);
+	return chunk_hash_static(segment);
 }
 
 /**
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/utils/integrity_checker.h
index 891ccccf7..afaa114b3 100644
--- a/src/libstrongswan/integrity_checker.h
+++ b/src/libstrongswan/utils/integrity_checker.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup integrity_checker integrity_checker
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
  */
 
 #ifndef INTEGRITY_CHECKER_H_
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 0a8789335..ffbc62085 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2006-2013 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,27 +15,38 @@
  */
 
 #define _GNU_SOURCE
-#include <sched.h>
 #include <stddef.h>
 #include <string.h>
 #include <stdio.h>
-#include <malloc.h>
 #include <signal.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <unistd.h>
 #include <syslog.h>
-#include <pthread.h>
 #include <netdb.h>
 #include <locale.h>
+#include <dlfcn.h>
+#include <time.h>
+#include <errno.h>
+
+#ifdef __APPLE__
+#include <sys/mman.h>
+#include <malloc/malloc.h>
+/* overload some of our types clashing with mach */
+#define host_t strongswan_host_t
+#define processor_t strongswan_processor_t
+#define thread_t strongswan_thread_t
+#endif /* __APPLE__ */
 
 #include "leak_detective.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/backtrace.h>
-#include <utils/hashtable.h>
+#include <collections/hashtable.h>
+#include <threading/thread_value.h>
+#include <threading/spinlock.h>
 
 typedef struct private_leak_detective_t private_leak_detective_t;
 
@@ -69,21 +81,6 @@ struct private_leak_detective_t {
  */
 #define MEMORY_ALLOC_PATTERN 0xEE
 
-
-static void install_hooks(void);
-static void uninstall_hooks(void);
-static void *malloc_hook(size_t, const void *);
-static void *realloc_hook(void *, size_t, const void *);
-static void free_hook(void*, const void *);
-
-void *(*old_malloc_hook)(size_t, const void *);
-void *(*old_realloc_hook)(void *, size_t, const void *);
-void (*old_free_hook)(void*, const void *);
-
-static u_int count_malloc = 0;
-static u_int count_free = 0;
-static u_int count_realloc = 0;
-
 typedef struct memory_header_t memory_header_t;
 typedef struct memory_tail_t memory_tail_t;
 
@@ -108,6 +105,11 @@ struct memory_header_t {
 	backtrace_t *backtrace;
 
 	/**
+	 * Padding to make sizeof(memory_header_t) == 32
+	 */
+	u_int32_t padding[sizeof(void*) == sizeof(u_int32_t) ? 3 : 0];
+
+	/**
 	 * Number of bytes following after the header
 	 */
 	u_int32_t bytes;
@@ -136,50 +138,337 @@ struct memory_tail_t {
  * the others on it...
  */
 static memory_header_t first_header = {
-	magic: MEMORY_HEADER_MAGIC,
-	bytes: 0,
-	backtrace: NULL,
-	previous: NULL,
-	next: NULL
+	.magic = MEMORY_HEADER_MAGIC,
 };
 
 /**
- * are the hooks currently installed?
+ * Spinlock to access header linked list
  */
-static bool installed = FALSE;
+static spinlock_t *lock;
+
+/**
+ * Is leak detection currently enabled?
+ */
+static bool enabled = FALSE;
+
+/**
+ * Is leak detection disabled for the current thread?
+ */
+static thread_value_t *thread_disabled;
 
 /**
  * Installs the malloc hooks, enables leak detection
  */
-static void install_hooks()
+static void enable_leak_detective()
+{
+	enabled = TRUE;
+}
+
+/**
+ * Uninstalls the malloc hooks, disables leak detection
+ */
+static void disable_leak_detective()
+{
+	enabled = FALSE;
+}
+
+/**
+ * Enable/Disable leak detective for the current thread
+ *
+ * @return Previous value
+ */
+static bool enable_thread(bool enable)
+{
+	bool before;
+
+	before = thread_disabled->get(thread_disabled) == NULL;
+	thread_disabled->set(thread_disabled, enable ? NULL : (void*)TRUE);
+	return before;
+}
+
+/**
+ * Add a header to the beginning of the list
+ */
+static void add_hdr(memory_header_t *hdr)
 {
-	if (!installed)
+	lock->lock(lock);
+	hdr->next = first_header.next;
+	if (hdr->next)
 	{
-		old_malloc_hook = __malloc_hook;
-		old_realloc_hook = __realloc_hook;
-		old_free_hook = __free_hook;
-		__malloc_hook = malloc_hook;
-		__realloc_hook = realloc_hook;
-		__free_hook = free_hook;
-		installed = TRUE;
+		hdr->next->previous = hdr;
 	}
+	hdr->previous = &first_header;
+	first_header.next = hdr;
+	lock->unlock(lock);
 }
 
 /**
- * Uninstalls the malloc hooks, disables leak detection
+ * Remove a header from the list
+ */
+static void remove_hdr(memory_header_t *hdr)
+{
+	lock->lock(lock);
+	if (hdr->next)
+	{
+		hdr->next->previous = hdr->previous;
+	}
+	hdr->previous->next = hdr->next;
+	lock->unlock(lock);
+}
+
+/**
+ * Check if a header is in the list
+ */
+static bool has_hdr(memory_header_t *hdr)
+{
+	memory_header_t *current;
+	bool found = FALSE;
+
+	lock->lock(lock);
+	for (current = &first_header; current != NULL; current = current->next)
+	{
+		if (current == hdr)
+		{
+			found = TRUE;
+			break;
+		}
+	}
+	lock->unlock(lock);
+
+	return found;
+}
+
+#ifdef __APPLE__
+
+/**
+ * Copy of original default zone, with functions we call in hooks
+ */
+static malloc_zone_t original;
+
+/**
+ * Call original malloc()
+ */
+static void* real_malloc(size_t size)
+{
+	return original.malloc(malloc_default_zone(), size);
+}
+
+/**
+ * Call original free()
+ */
+static void real_free(void *ptr)
+{
+	original.free(malloc_default_zone(), ptr);
+}
+
+/**
+ * Call original realloc()
+ */
+static void* real_realloc(void *ptr, size_t size)
+{
+	return original.realloc(malloc_default_zone(), ptr, size);
+}
+
+/**
+ * Hook definition: static function with _hook suffix, takes additional zone
+ */
+#define HOOK(ret, name, ...) \
+	static ret name ## _hook(malloc_zone_t *_z, __VA_ARGS__)
+
+/**
+ * forward declaration of hooks
+ */
+HOOK(void*, malloc, size_t bytes);
+HOOK(void*, calloc, size_t nmemb, size_t size);
+HOOK(void*, valloc, size_t size);
+HOOK(void, free, void *ptr);
+HOOK(void*, realloc, void *old, size_t bytes);
+
+/**
+ * malloc zone size(), must consider the memory header prepended
+ */
+HOOK(size_t, size, const void *ptr)
+{
+	bool before;
+	size_t size;
+
+	if (enabled)
+	{
+		before = enable_thread(FALSE);
+		if (before)
+		{
+			ptr -= sizeof(memory_header_t);
+		}
+	}
+	size = original.size(malloc_default_zone(), ptr);
+	if (enabled)
+	{
+		enable_thread(before);
+	}
+	return size;
+}
+
+/**
+ * Version of malloc zones we currently support
+ */
+#define MALLOC_ZONE_VERSION 8 /* Snow Leopard */
+
+/**
+ * Hook-in our malloc functions into the default zone
+ */
+static bool register_hooks()
+{
+	malloc_zone_t *zone;
+	void *page;
+
+	zone = malloc_default_zone();
+	if (zone->version != MALLOC_ZONE_VERSION)
+	{
+		DBG1(DBG_CFG, "malloc zone version %d unsupported (requiring %d)",
+			 zone->version, MALLOC_ZONE_VERSION);
+		return FALSE;
+	}
+
+	original = *zone;
+
+	page = (void*)((uintptr_t)zone / getpagesize() * getpagesize());
+	if (mprotect(page, getpagesize(), PROT_WRITE | PROT_READ) != 0)
+	{
+		DBG1(DBG_CFG, "malloc zone unprotection failed: %s", strerror(errno));
+		return FALSE;
+	}
+
+	zone->size = size_hook;
+	zone->malloc = malloc_hook;
+	zone->calloc = calloc_hook;
+	zone->valloc = valloc_hook;
+	zone->free = free_hook;
+	zone->realloc = realloc_hook;
+
+	/* those other functions can be NULLed out to not use them */
+	zone->batch_malloc = NULL;
+	zone->batch_free = NULL;
+	zone->memalign = NULL;
+	zone->free_definite_size = NULL;
+
+	return TRUE;
+}
+
+#else /* !__APPLE__ */
+
+/**
+ * dlsym() might do a malloc(), but we can't do one before we get the malloc()
+ * function pointer. Use this minimalistic malloc implementation instead.
+ */
+static void* malloc_for_dlsym(size_t size)
+{
+	static char buf[1024] = {};
+	static size_t used = 0;
+	char *ptr;
+
+	/* roundup to a multiple of 32 */
+	size = (size - 1) / 32 * 32 + 32;
+
+	if (used + size > sizeof(buf))
+	{
+		return NULL;
+	}
+	ptr = buf + used;
+	used += size;
+	return ptr;
+}
+
+/**
+ * Lookup a malloc function, while disabling wrappers
+ */
+static void* get_malloc_fn(char *name)
+{
+	bool before = FALSE;
+	void *fn;
+
+	if (enabled)
+	{
+		before = enable_thread(FALSE);
+	}
+	fn = dlsym(RTLD_NEXT, name);
+	if (enabled)
+	{
+		enable_thread(before);
+	}
+	return fn;
+}
+
+/**
+ * Call original malloc()
+ */
+static void* real_malloc(size_t size)
+{
+	static void* (*fn)(size_t size);
+	static int recursive = 0;
+
+	if (!fn)
+	{
+		/* checking recursiveness should actually be thread-specific. But as
+		 * it is very likely that the first allocation is done before we go
+		 * multi-threaded, we keep it simple. */
+		if (recursive)
+		{
+			return malloc_for_dlsym(size);
+		}
+		recursive++;
+		fn = get_malloc_fn("malloc");
+		recursive--;
+	}
+	return fn(size);
+}
+
+/**
+ * Call original free()
+ */
+static void real_free(void *ptr)
+{
+	static void (*fn)(void *ptr);
+
+	if (!fn)
+	{
+		fn = get_malloc_fn("free");
+	}
+	return fn(ptr);
+}
+
+/**
+ * Call original realloc()
  */
-static void uninstall_hooks()
+static void* real_realloc(void *ptr, size_t size)
 {
-	if (installed)
+	static void* (*fn)(void *ptr, size_t size);
+
+	if (!fn)
 	{
-		__malloc_hook = old_malloc_hook;
-		__free_hook = old_free_hook;
-		__realloc_hook = old_realloc_hook;
-		installed = FALSE;
+		fn = get_malloc_fn("realloc");
 	}
+	return fn(ptr, size);
 }
 
 /**
+ * Hook definition: plain function overloading existing malloc calls
+ */
+#define HOOK(ret, name, ...) ret name(__VA_ARGS__)
+
+/**
+ * Hook initialization when not using hooks, resolve functions.
+ */
+static bool register_hooks()
+{
+	void *buf = real_malloc(8);
+	real_realloc(buf, 16);
+	real_free(buf);
+	return TRUE;
+}
+
+#endif /* !__APPLE__ */
+
+/**
  * Leak report white list
  *
  * List of functions using static allocation buffers or should be suppressed
@@ -188,17 +477,12 @@ static void uninstall_hooks()
 char *whitelist[] = {
 	/* backtraces, including own */
 	"backtrace_create",
+	"safe_strerror",
 	/* pthread stuff */
 	"pthread_create",
 	"pthread_setspecific",
 	"__pthread_setspecific",
 	/* glibc functions */
-	"mktime",
-	"ctime",
-	"__gmtime_r",
-	"localtime_r",
-	"tzset",
-	"time_printf_hook",
 	"inet_ntoa",
 	"strerror",
 	"getprotobyname",
@@ -224,6 +508,9 @@ char *whitelist[] = {
 	"getpwent_r",
 	"setpwent",
 	"endpwent",
+	"getspnam_r",
+	"getpwuid_r",
+	"initgroups",
 	/* ignore dlopen, as we do not dlclose to get proper leak reports */
 	"dlopen",
 	"dlerror",
@@ -243,18 +530,16 @@ char *whitelist[] = {
 	"Curl_client_write",
 	/* ClearSilver */
 	"nerr_init",
-	/* OpenSSL */
-	"RSA_new_method",
-	"DH_new_method",
-	"ENGINE_load_builtin_engines",
-	"OPENSSL_config",
-	"ecdsa_check",
-	"ERR_put_error",
 	/* libgcrypt */
 	"gcry_control",
 	"gcry_check_version",
 	"gcry_randomize",
 	"gcry_create_nonce",
+	/* OpenSSL: These are needed for unit-tests only, the openssl plugin
+	 * does properly clean up any memory during destroy(). */
+	"ECDSA_do_sign_ex",
+	"ECDSA_verify",
+	"RSA_new_method",
 	/* NSPR */
 	"PR_CallOnce",
 	/* libapr */
@@ -273,6 +558,14 @@ char *whitelist[] = {
 	"gnutls_global_init",
 };
 
+/**
+ * Some functions are hard to whitelist, as they don't use a symbol directly.
+ * Use some static initialization to suppress them on leak reports
+ */
+static void init_static_allocations()
+{
+	tzset();
+}
 
 /**
  * Hashtable hash function
@@ -305,7 +598,8 @@ static bool equals(backtrace_t *a, backtrace_t *b)
  * Summarize and print backtraces
  */
 static int print_traces(private_leak_detective_t *this,
-						FILE *out, int thresh, bool detailed, int *whitelisted)
+						FILE *out, int thresh, int thresh_count,
+						bool detailed, int *whitelisted, size_t *sum)
 {
 	int leaks = 0;
 	memory_header_t *hdr;
@@ -319,11 +613,13 @@ static int print_traces(private_leak_detective_t *this,
 		/** number of allocations */
 		u_int count;
 	} *entry;
+	bool before;
 
-	uninstall_hooks();
+	before = enable_thread(FALSE);
 
 	entries = hashtable_create((hashtable_hash_t)hash,
 							   (hashtable_equals_t)equals, 1024);
+	lock->lock(lock);
 	for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
 	{
 		if (whitelisted &&
@@ -342,29 +638,37 @@ static int print_traces(private_leak_detective_t *this,
 		else
 		{
 			INIT(entry,
-				.backtrace = hdr->backtrace,
+				.backtrace = hdr->backtrace->clone(hdr->backtrace),
 				.bytes = hdr->bytes,
 				.count = 1,
 			);
-			entries->put(entries, hdr->backtrace, entry);
+			entries->put(entries, entry->backtrace, entry);
+		}
+		if (sum)
+		{
+			*sum += hdr->bytes;
 		}
 		leaks++;
 	}
+	lock->unlock(lock);
 	enumerator = entries->create_enumerator(entries);
 	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		if (!thresh || entry->bytes >= thresh)
+		if (out &&
+			(!thresh || entry->bytes >= thresh) &&
+			(!thresh_count || entry->count >= thresh_count))
 		{
 			fprintf(out, "%d bytes total, %d allocations, %d bytes average:\n",
 					entry->bytes, entry->count, entry->bytes / entry->count);
 			entry->backtrace->log(entry->backtrace, out, detailed);
 		}
+		entry->backtrace->destroy(entry->backtrace);
 		free(entry);
 	}
 	enumerator->destroy(enumerator);
 	entries->destroy(entries);
 
-	install_hooks();
+	enable_thread(before);
 	return leaks;
 }
 
@@ -373,9 +677,10 @@ METHOD(leak_detective_t, report, void,
 {
 	if (lib->leak_detective)
 	{
-		int leaks = 0, whitelisted = 0;
+		int leaks, whitelisted = 0;
+		size_t sum = 0;
 
-		leaks = print_traces(this, stderr, 0, detailed, &whitelisted);
+		leaks = print_traces(this, stderr, 0, 0, detailed, &whitelisted, &sum);
 		switch (leaks)
 		{
 			case 0:
@@ -385,7 +690,7 @@ METHOD(leak_detective_t, report, void,
 				fprintf(stderr, "One leak detected");
 				break;
 			default:
-				fprintf(stderr, "%d leaks detected", leaks);
+				fprintf(stderr, "%d leaks detected, %zu bytes", leaks, sum);
 				break;
 		}
 		fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted);
@@ -396,85 +701,115 @@ METHOD(leak_detective_t, report, void,
 	}
 }
 
+METHOD(leak_detective_t, leaks, int,
+	private_leak_detective_t *this)
+{
+	if (lib->leak_detective)
+	{
+		int leaks, whitelisted = 0;
+
+		leaks = print_traces(this, NULL, 0, 0, FALSE, &whitelisted, NULL);
+		return leaks;
+	}
+	return 0;
+}
+
+METHOD(leak_detective_t, set_state, bool,
+	private_leak_detective_t *this, bool enable)
+{
+	return enable_thread(enable);
+}
+
 METHOD(leak_detective_t, usage, void,
 	private_leak_detective_t *this, FILE *out)
 {
-	int oldpolicy, thresh;
 	bool detailed;
-	pthread_t thread_id = pthread_self();
-	struct sched_param oldparams, params;
+	int thresh, thresh_count;
+	size_t sum = 0;
 
 	thresh = lib->settings->get_int(lib->settings,
 					"libstrongswan.leak_detective.usage_threshold", 10240);
+	thresh_count = lib->settings->get_int(lib->settings,
+					"libstrongswan.leak_detective.usage_threshold_count", 0);
 	detailed = lib->settings->get_bool(lib->settings,
 					"libstrongswan.leak_detective.detailed", TRUE);
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-
-	print_traces(this, out, thresh, detailed, NULL);
+	print_traces(this, out, thresh, thresh_count, detailed, NULL, &sum);
 
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
+	fprintf(out, "Total memory usage: %zu\n", sum);
 }
 
 /**
- * Hook function for malloc()
+ * Wrapped malloc() function
  */
-void *malloc_hook(size_t bytes, const void *caller)
+HOOK(void*, malloc, size_t bytes)
 {
 	memory_header_t *hdr;
 	memory_tail_t *tail;
-	pthread_t thread_id = pthread_self();
-	int oldpolicy;
-	struct sched_param oldparams, params;
+	bool before;
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
+	if (!enabled || thread_disabled->get(thread_disabled))
+	{
+		return real_malloc(bytes);
+	}
 
-	count_malloc++;
-	uninstall_hooks();
-	hdr = malloc(sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
+	hdr = real_malloc(sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
 	tail = ((void*)hdr) + bytes + sizeof(memory_header_t);
 	/* set to something which causes crashes */
 	memset(hdr, MEMORY_ALLOC_PATTERN,
 		   sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
 
+	before = enable_thread(FALSE);
+	hdr->backtrace = backtrace_create(2);
+	enable_thread(before);
+
 	hdr->magic = MEMORY_HEADER_MAGIC;
 	hdr->bytes = bytes;
-	hdr->backtrace = backtrace_create(3);
 	tail->magic = MEMORY_TAIL_MAGIC;
-	install_hooks();
 
-	/* insert at the beginning of the list */
-	hdr->next = first_header.next;
-	if (hdr->next)
-	{
-		hdr->next->previous = hdr;
-	}
-	hdr->previous = &first_header;
-	first_header.next = hdr;
-
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
+	add_hdr(hdr);
 
 	return hdr + 1;
 }
 
 /**
- * Hook function for free()
+ * Wrapped calloc() function
+ */
+HOOK(void*, calloc, size_t nmemb, size_t size)
+{
+	void *ptr;
+
+	size *= nmemb;
+	ptr = malloc(size);
+	memset(ptr, 0, size);
+
+	return ptr;
+}
+
+/**
+ * Wrapped valloc(), TODO: currently not supported
  */
-void free_hook(void *ptr, const void *caller)
+HOOK(void*, valloc, size_t size)
 {
-	memory_header_t *hdr, *current;
+	DBG1(DBG_LIB, "valloc() used, but leak-detective hook missing");
+	return NULL;
+}
+
+/**
+ * Wrapped free() function
+ */
+HOOK(void, free, void *ptr)
+{
+	memory_header_t *hdr;
 	memory_tail_t *tail;
 	backtrace_t *backtrace;
-	pthread_t thread_id = pthread_self();
-	int oldpolicy;
-	struct sched_param oldparams, params;
-	bool found = FALSE;
+	bool before;
 
+	if (!enabled || thread_disabled->get(thread_disabled))
+	{
+		real_free(ptr);
+		return;
+	}
 	/* allow freeing of NULL */
 	if (ptr == NULL)
 	{
@@ -483,25 +818,11 @@ void free_hook(void *ptr, const void *caller)
 	hdr = ptr - sizeof(memory_header_t);
 	tail = ptr + hdr->bytes;
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-
-	count_free++;
-	uninstall_hooks();
+	before = enable_thread(FALSE);
 	if (hdr->magic != MEMORY_HEADER_MAGIC ||
 		tail->magic != MEMORY_TAIL_MAGIC)
 	{
-		for (current = &first_header; current != NULL; current = current->next)
-		{
-			if (current == hdr)
-			{
-				found = TRUE;
-				break;
-			}
-		}
-		if (found)
+		if (has_hdr(hdr))
 		{
 			/* memory was allocated by our hooks but is corrupted */
 			fprintf(stderr, "freeing corrupted memory (%p): "
@@ -511,100 +832,96 @@ void free_hook(void *ptr, const void *caller)
 		else
 		{
 			/* memory was not allocated by our hooks */
-			fprintf(stderr, "freeing invalid memory (%p)", ptr);
+			fprintf(stderr, "freeing invalid memory (%p)\n", ptr);
 		}
-		backtrace = backtrace_create(3);
+		backtrace = backtrace_create(2);
 		backtrace->log(backtrace, stderr, TRUE);
 		backtrace->destroy(backtrace);
 	}
 	else
 	{
-		/* remove item from list */
-		if (hdr->next)
-		{
-			hdr->next->previous = hdr->previous;
-		}
-		hdr->previous->next = hdr->next;
+		remove_hdr(hdr);
+
 		hdr->backtrace->destroy(hdr->backtrace);
 
 		/* clear MAGIC, set mem to something remarkable */
 		memset(hdr, MEMORY_FREE_PATTERN,
 			   sizeof(memory_header_t) + hdr->bytes + sizeof(memory_tail_t));
 
-		free(hdr);
+		real_free(hdr);
 	}
-
-	install_hooks();
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
+	enable_thread(before);
 }
 
 /**
- * Hook function for realloc()
+ * Wrapped realloc() function
  */
-void *realloc_hook(void *old, size_t bytes, const void *caller)
+HOOK(void*, realloc, void *old, size_t bytes)
 {
 	memory_header_t *hdr;
 	memory_tail_t *tail;
 	backtrace_t *backtrace;
-	pthread_t thread_id = pthread_self();
-	int oldpolicy;
-	struct sched_param oldparams, params;
+	bool before;
 
+	if (!enabled || thread_disabled->get(thread_disabled))
+	{
+		return real_realloc(old, bytes);
+	}
 	/* allow reallocation of NULL */
 	if (old == NULL)
 	{
-		return malloc_hook(bytes, caller);
+		return malloc(bytes);
+	}
+	/* handle zero size as a free() */
+	if (bytes == 0)
+	{
+		free(old);
+		return NULL;
 	}
 
 	hdr = old - sizeof(memory_header_t);
 	tail = old + hdr->bytes;
 
-	pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
+	remove_hdr(hdr);
 
-	params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
-	pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-
-	count_realloc++;
-	uninstall_hooks();
 	if (hdr->magic != MEMORY_HEADER_MAGIC ||
 		tail->magic != MEMORY_TAIL_MAGIC)
 	{
-		fprintf(stderr, "reallocating invalid memory (%p): "
-				"header magic 0x%x, tail magic 0x%x:\n",
-				old, hdr->magic, tail->magic);
-		backtrace = backtrace_create(3);
+		fprintf(stderr, "reallocating invalid memory (%p):\n"
+				"header magic 0x%x:\n", old, hdr->magic);
+		backtrace = backtrace_create(2);
 		backtrace->log(backtrace, stderr, TRUE);
 		backtrace->destroy(backtrace);
 	}
-	/* clear tail magic, allocate, set tail magic */
-	memset(&tail->magic, MEMORY_ALLOC_PATTERN, sizeof(tail->magic));
-	hdr = realloc(hdr, sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
+	else
+	{
+		/* clear tail magic, allocate, set tail magic */
+		memset(&tail->magic, MEMORY_ALLOC_PATTERN, sizeof(tail->magic));
+	}
+	hdr = real_realloc(hdr,
+					   sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
 	tail = ((void*)hdr) + bytes + sizeof(memory_header_t);
 	tail->magic = MEMORY_TAIL_MAGIC;
 
 	/* update statistics */
 	hdr->bytes = bytes;
+
+	before = enable_thread(FALSE);
 	hdr->backtrace->destroy(hdr->backtrace);
-	hdr->backtrace = backtrace_create(3);
+	hdr->backtrace = backtrace_create(2);
+	enable_thread(before);
+
+	add_hdr(hdr);
 
-	/* update header of linked list neighbours */
-	if (hdr->next)
-	{
-		hdr->next->previous = hdr;
-	}
-	hdr->previous->next = hdr;
-	install_hooks();
-	pthread_setschedparam(thread_id, oldpolicy, &oldparams);
 	return hdr + 1;
 }
 
 METHOD(leak_detective_t, destroy, void,
 	private_leak_detective_t *this)
 {
-	if (installed)
-	{
-		uninstall_hooks();
-	}
+	disable_leak_detective();
+	lock->destroy(lock);
+	thread_disabled->destroy(thread_disabled);
 	free(this);
 }
 
@@ -618,25 +935,24 @@ leak_detective_t *leak_detective_create()
 	INIT(this,
 		.public = {
 			.report = _report,
+			.leaks = _leaks,
 			.usage = _usage,
+			.set_state = _set_state,
 			.destroy = _destroy,
 		},
 	);
 
-	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
-	{
-		cpu_set_t mask;
+	lock = spinlock_create();
+	thread_disabled = thread_value_create(NULL);
 
-		CPU_ZERO(&mask);
-		CPU_SET(0, &mask);
+	init_static_allocations();
 
-		if (sched_setaffinity(0, sizeof(cpu_set_t), &mask) != 0)
+	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
+	{
+		if (register_hooks())
 		{
-			fprintf(stderr, "setting CPU affinity failed: %m");
+			enable_leak_detective();
 		}
-
-		install_hooks();
 	}
 	return &this->public;
 }
-
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
index 8c80d2532..7a29e81d7 100644
--- a/src/libstrongswan/utils/leak_detective.h
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -43,6 +43,13 @@ struct leak_detective_t {
 	void (*report)(leak_detective_t *this, bool detailed);
 
 	/**
+	 * Number of detected leaks.
+	 *
+	 * @return				number of leaks
+	 */
+	int (*leaks)(leak_detective_t *this);
+
+	/**
 	 * Report current memory usage to out.
 	 *
 	 * @param out			target to write usage report to
@@ -50,6 +57,14 @@ struct leak_detective_t {
 	void (*usage)(leak_detective_t *this, FILE *out);
 
 	/**
+	 * Enable/disable leak detective hooks for the current thread.
+	 *
+	 * @param				TRUE to enable, FALSE to disable
+	 * @return				state active before calling set_state
+	 */
+	bool (*set_state)(leak_detective_t *this, bool enabled);
+
+	/**
 	 * Destroy a leak_detective instance.
 	 */
 	void (*destroy)(leak_detective_t *this);
@@ -61,4 +76,3 @@ struct leak_detective_t {
 leak_detective_t *leak_detective_create();
 
 #endif /** LEAK_DETECTIVE_H_ @}*/
-
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
index 5fd4cfd4d..117071351 100644
--- a/src/libstrongswan/utils/optionsfrom.c
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -2,22 +2,22 @@
  * Copyright (C) 2007-2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  *
- * This library is distributed in the hope that it will be useful, but
+ * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
  */
 
 #include <stdio.h>
 #include <errno.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/lexparser.h>
 
 #include "optionsfrom.h"
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/utils/printf_hook.c
index c3b5191fd..f030f45c8 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/utils/printf_hook.c
@@ -86,21 +86,18 @@ static printf_hook_handler_t *printf_hooks[NUM_HANDLERS];
 static int custom_print(FILE *stream, const struct printf_info *info,
 						const void *const *args)
 {
-	int written;
-	char buf[PRINTF_BUF_LEN];
 	printf_hook_spec_t spec;
 	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
+	printf_hook_data_t data = {
+		.stream = stream,
+	};
 
 	spec.hash = info->alt;
+	spec.plus = info->showsign;
 	spec.minus = info->left;
 	spec.width = info->width;
 
-	written = handler->hook(buf, sizeof(buf), &spec, args);
-	if (written > 0)
-	{
-		ignore_result(fwrite(buf, 1, written, stream));
-	}
-	return written;
+	return handler->hook(&data, &spec, args);
 }
 
 /**
@@ -145,11 +142,14 @@ static int custom_arginfo(const struct printf_info *info, size_t n, int *argtype
  */
 static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
 {
-	int i, written;
-	char buf[PRINTF_BUF_LEN];
+	int i;
 	const void *args[ARGS_MAX];
 	printf_hook_spec_t spec;
 	printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(fmt_spec->name[0])];
+	printf_hook_data_t data = {
+		.base = base,
+		.pos = pos,
+	};
 
 	for (i = 0; i < handler->numargs; i++)
 	{
@@ -165,14 +165,11 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
 	}
 
 	spec.hash = fmt_spec->fmt_hash;
+	spec.plus = fmt_spec->fmt_plus;
 	spec.minus = fmt_spec->fmt_minus;
 	spec.width = fmt_spec->fmt_field_width;
 
-	written = handler->hook(buf, sizeof(buf), &spec, args);
-	if (written > 0)
-	{
-		vstr_add_buf(base, pos, buf, written);
-	}
+	handler->hook(&data, &spec, args);
 	return 1;
 }
 
@@ -241,6 +238,21 @@ static inline Vstr_conf *get_vstr_conf()
 }
 
 /**
+ * Described in header
+ */
+size_t vstr_print_in_hook(struct Vstr_base *base, size_t pos, const char *fmt,
+						  ...)
+{
+	va_list args;
+	int written;
+
+	va_start(args, fmt);
+	written = vstr_add_vfmt(base, pos, fmt, args);
+	va_end(args);
+	return written;
+}
+
+/**
  * Wrapper functions for printf and alike
  */
 int vstr_wrapper_printf(const char *format, ...)
@@ -462,7 +474,6 @@ METHOD(printf_hook_t, destroy, void,
 	/* freeing the Vstr_conf of the main thread */
 	vstr_conf->destroy(vstr_conf);
 	vstr_conf = NULL;
-	vstr_free_conf(conf);
 	vstr_exit();
 #endif
 	free(this);
diff --git a/src/libstrongswan/utils/printf_hook.h b/src/libstrongswan/utils/printf_hook.h
new file mode 100644
index 000000000..1425910be
--- /dev/null
+++ b/src/libstrongswan/utils/printf_hook.h
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup printf_hook printf_hook
+ * @{ @ingroup utils
+ */
+
+#ifndef PRINTF_HOOK_H_
+#define PRINTF_HOOK_H_
+
+typedef struct printf_hook_t printf_hook_t;
+typedef struct printf_hook_spec_t printf_hook_spec_t;
+typedef struct printf_hook_data_t printf_hook_data_t;
+typedef enum printf_hook_argtype_t printf_hook_argtype_t;
+
+#if !defined(USE_VSTR) && \
+	!defined(HAVE_PRINTF_FUNCTION) && \
+	!defined(HAVE_PRINTF_SPECIFIER)
+/* assume newer glibc register_printf_specifier if none given */
+#define HAVE_PRINTF_SPECIFIER
+#endif
+
+#if !defined(USE_VSTR) && \
+	(defined(HAVE_PRINTF_FUNCTION) || defined(HAVE_PRINTF_SPECIFIER))
+
+#include <stdio.h>
+#include <printf.h>
+
+enum printf_hook_argtype_t {
+	PRINTF_HOOK_ARGTYPE_END = -1,
+	PRINTF_HOOK_ARGTYPE_INT = PA_INT,
+	PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER,
+};
+
+/**
+ * Data to pass to a printf hook.
+ */
+struct printf_hook_data_t {
+
+	/**
+	 * Output FILE stream
+	 */
+	FILE *stream;;
+};
+
+/**
+ * Helper macro to be used in printf hook callbacks.
+ */
+#define print_in_hook(data, fmt, ...) ({\
+	ssize_t _written = fprintf(data->stream, fmt, ##__VA_ARGS__);\
+	if (_written < 0)\
+	{\
+		_written = 0;\
+	}\
+	_written;\
+})
+
+#else
+
+#include <vstr.h>
+
+enum printf_hook_argtype_t {
+	PRINTF_HOOK_ARGTYPE_END = VSTR_TYPE_FMT_END,
+	PRINTF_HOOK_ARGTYPE_INT = VSTR_TYPE_FMT_INT,
+	PRINTF_HOOK_ARGTYPE_POINTER = VSTR_TYPE_FMT_PTR_VOID,
+};
+
+/**
+ * Redefining printf and alike
+ */
+#include <stdio.h>
+#include <stdarg.h>
+
+int vstr_wrapper_printf(const char *format, ...);
+int vstr_wrapper_fprintf(FILE *stream, const char *format, ...);
+int vstr_wrapper_sprintf(char *str, const char *format, ...);
+int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...);
+int vstr_wrapper_asprintf(char **str, const char *format, ...);
+
+int vstr_wrapper_vprintf(const char *format, va_list ap);
+int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap);
+int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap);
+int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap);
+int vstr_wrapper_vasprintf(char **str, const char *format, va_list ap);
+
+#ifdef printf
+#undef printf
+#endif
+#ifdef fprintf
+#undef fprintf
+#endif
+#ifdef sprintf
+#undef sprintf
+#endif
+#ifdef snprintf
+#undef snprintf
+#endif
+#ifdef asprintf
+#undef asprintf
+#endif
+#ifdef vprintf
+#undef vprintf
+#endif
+#ifdef vfprintf
+#undef vfprintf
+#endif
+#ifdef vsprintf
+#undef vsprintf
+#endif
+#ifdef vsnprintf
+#undef vsnprintf
+#endif
+#ifdef vasprintf
+#undef vasprintf
+#endif
+
+#define printf vstr_wrapper_printf
+#define fprintf vstr_wrapper_fprintf
+#define sprintf vstr_wrapper_sprintf
+#define snprintf vstr_wrapper_snprintf
+#define asprintf vstr_wrapper_asprintf
+
+#define vprintf vstr_wrapper_vprintf
+#define vfprintf vstr_wrapper_vfprintf
+#define vsprintf vstr_wrapper_vsprintf
+#define vsnprintf vstr_wrapper_vsnprintf
+#define vasprintf vstr_wrapper_vasprintf
+
+/**
+ * Data to pass to a printf hook.
+ */
+struct printf_hook_data_t {
+
+	/**
+	 * Base to append printf to
+	 */
+	Vstr_base *base;
+
+	/**
+	 * Position in base to write to
+	 */
+	size_t pos;
+};
+
+/**
+ * Wrapper around vstr_add_vfmt(), avoids having to link all users of
+ * print_in_hook() against libvstr.
+ *
+ * @param base		Vstr_string to add string to
+ * @param pos		position to write to
+ * @param fmt		format string
+ * @param ...		arguments
+ * @return			number of characters written
+ */
+size_t vstr_print_in_hook(struct Vstr_base *base, size_t pos, const char *fmt,
+						  ...);
+
+/**
+ * Helper macro to be used in printf hook callbacks.
+ */
+#define print_in_hook(data, fmt, ...) ({\
+	size_t _written; \
+	_written = vstr_print_in_hook(data->base, data->pos, fmt, ##__VA_ARGS__);\
+	data->pos += _written;\
+	_written;\
+})
+
+#endif
+
+/**
+ * Callback function type for printf hooks.
+ *
+ * @param data		hook data, to pass to print_in_hook()
+ * @param spec		format specifier
+ * @param args		arguments array
+ * @return			number of characters written
+ */
+typedef int (*printf_hook_function_t)(printf_hook_data_t *data,
+									  printf_hook_spec_t *spec,
+									  const void *const *args);
+
+/**
+ * Properties of the format specifier
+ */
+struct printf_hook_spec_t {
+	/**
+	 * TRUE if a '#' was used in the format specifier
+	 */
+	int hash;
+
+	/**
+	 * TRUE if a '-' was used in the format specifier
+	 */
+	int minus;
+
+	/**
+	 * TRUE if a '+' was used in the format specifier
+	 */
+	int plus;
+
+	/**
+	 * The width as given in the format specifier.
+	 */
+	int width;
+};
+
+/**
+ * Printf handler management.
+ */
+struct printf_hook_t {
+
+	/**
+	 * Register a printf handler.
+	 *
+	 * @param spec		printf hook format character
+	 * @param hook		hook function
+	 * @param ...		list of PRINTF_HOOK_ARGTYPE_*, MUST end with PRINTF_HOOK_ARGTYPE_END
+	 */
+	void (*add_handler)(printf_hook_t *this, char spec,
+						printf_hook_function_t hook, ...);
+
+	/**
+	 * Destroy a printf_hook instance.
+	 */
+	void (*destroy)(printf_hook_t *this);
+};
+
+/**
+ * Create a printf_hook instance.
+ */
+printf_hook_t *printf_hook_create();
+
+#endif /** PRINTF_HOOK_H_ @}*/
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/utils/settings.c
index b26fbebb4..809ca10ab 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/utils/settings.c
@@ -31,9 +31,9 @@
 
 #include "settings.h"
 
-#include "debug.h"
-#include "utils/linked_list.h"
+#include "collections/linked_list.h"
 #include "threading/rwlock.h"
+#include "utils/debug.h"
 
 #define MAX_INCLUSION_LEVEL		10
 
@@ -644,6 +644,26 @@ METHOD(settings_t, set_time, void,
 	va_end(args);
 }
 
+METHOD(settings_t, set_default_str, bool,
+	   private_settings_t *this, char *key, char *value, ...)
+{
+	char *old;
+	va_list args;
+
+	va_start(args, value);
+	old = find_value(this, this->top, key, args);
+	va_end(args);
+
+	if (!old)
+	{
+		va_start(args, value);
+		set_value(this, this->top, key, args, value);
+		va_end(args);
+		return TRUE;
+	}
+	return FALSE;
+}
+
 /**
  * Enumerate section names, not sections
  */
@@ -1117,14 +1137,21 @@ static bool load_files_internal(private_settings_t *this, section_t *parent,
 								char *pattern, bool merge)
 {
 	char *text;
-	linked_list_t *contents = linked_list_create();
-	section_t *section = section_create(NULL);
+	linked_list_t *contents;
+	section_t *section;
 
 	if (pattern == NULL)
 	{
+#ifdef STRONGSWAN_CONF
 		pattern = STRONGSWAN_CONF;
+#else
+		return FALSE;
+#endif
 	}
 
+	contents = linked_list_create();
+	section = section_create(NULL);
+
 	if (!parse_files(contents, NULL, 0, pattern, section))
 	{
 		contents->destroy_function(contents, (void*)free);
@@ -1202,6 +1229,7 @@ settings_t *settings_create(char *file)
 			.set_double = _set_double,
 			.set_time = _set_time,
 			.set_bool = _set_bool,
+			.set_default_str = _set_default_str,
 			.create_section_enumerator = _create_section_enumerator,
 			.create_key_value_enumerator = _create_key_value_enumerator,
 			.load_files = _load_files,
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/utils/settings.h
index a864779f1..df0c534e9 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/utils/settings.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup settings settings
- * @{ @ingroup libstrongswan
+ * @{ @ingroup utils
  */
 
 #ifndef SETTINGS_H_
@@ -25,7 +25,7 @@
 typedef struct settings_t settings_t;
 
 #include "utils.h"
-#include "utils/enumerator.h"
+#include "collections/enumerator.h"
 
 /**
  * Convert a string value returned by a key/value enumerator to a boolean.
@@ -189,7 +189,7 @@ struct settings_t {
 	 * @param key		key including sections, printf style format
 	 * @param def		value returned if key not found
 	 * @param ...		argument list for key
-	 * @return			value of the key
+	 * @return			value of the key (in seconds)
 	 */
 	u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...);
 
@@ -239,6 +239,16 @@ struct settings_t {
 	void (*set_time)(settings_t *this, char *key, u_int32_t value, ...);
 
 	/**
+	 * Set a default for string value.
+	 *
+	 * @param key		key including sections, printf style format
+	 * @param def		value to set if unconfigured
+	 * @param ...		argument list for key
+	 * @return			TRUE if a new default value for key has been set
+	 */
+	bool (*set_default_str)(settings_t *this, char *key, char *value, ...);
+
+	/**
 	 * Create an enumerator over subsection names of a section.
 	 *
 	 * @param section	section including parents, printf style format
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
new file mode 100644
index 000000000..30084cd81
--- /dev/null
+++ b/src/libstrongswan/utils/utils.c
@@ -0,0 +1,637 @@
+/*
+ * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "utils.h"
+
+#include <sys/stat.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <stdint.h>
+#include <limits.h>
+#include <dirent.h>
+#include <time.h>
+#include <pthread.h>
+
+#include "collections/enumerator.h"
+#include "utils/debug.h"
+
+ENUM(status_names, SUCCESS, NEED_MORE,
+	"SUCCESS",
+	"FAILED",
+	"OUT_OF_RES",
+	"ALREADY_DONE",
+	"NOT_SUPPORTED",
+	"INVALID_ARG",
+	"NOT_FOUND",
+	"PARSE_ERROR",
+	"VERIFY_ERROR",
+	"INVALID_STATE",
+	"DESTROY_ME",
+	"NEED_MORE",
+);
+
+/**
+ * Described in header.
+ */
+void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
+{
+	int m, i;
+
+	/* byte wise XOR until dst aligned */
+	for (i = 0; (uintptr_t)&dst[i] % sizeof(long) && i < n; i++)
+	{
+		dst[i] ^= src[i];
+	}
+	/* try to use words if src shares an aligment with dst */
+	switch (((uintptr_t)&src[i] % sizeof(long)))
+	{
+		case 0:
+			for (m = n - sizeof(long); i <= m; i += sizeof(long))
+			{
+				*(long*)&dst[i] ^= *(long*)&src[i];
+			}
+			break;
+		case sizeof(int):
+			for (m = n - sizeof(int); i <= m; i += sizeof(int))
+			{
+				*(int*)&dst[i] ^= *(int*)&src[i];
+			}
+			break;
+		case sizeof(short):
+			for (m = n - sizeof(short); i <= m; i += sizeof(short))
+			{
+				*(short*)&dst[i] ^= *(short*)&src[i];
+			}
+			break;
+		default:
+			break;
+	}
+	/* byte wise XOR of the rest */
+	for (; i < n; i++)
+	{
+		dst[i] ^= src[i];
+	}
+}
+
+/**
+ * Described in header.
+ */
+void memwipe_noinline(void *ptr, size_t n)
+{
+	memwipe_inline(ptr, n);
+}
+
+/**
+ * Described in header.
+ */
+void *memstr(const void *haystack, const char *needle, size_t n)
+{
+	unsigned const char *pos = haystack;
+	size_t l;
+
+	if (!haystack || !needle || (l = strlen(needle)) == 0)
+	{
+		return NULL;
+	}
+	for (; n >= l; ++pos, --n)
+	{
+		if (memeq(pos, needle, l))
+		{
+			return (void*)pos;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Described in header.
+ */
+char* translate(char *str, const char *from, const char *to)
+{
+	char *pos = str;
+	if (strlen(from) != strlen(to))
+	{
+		return str;
+	}
+	while (pos && *pos)
+	{
+		char *match;
+		if ((match = strchr(from, *pos)) != NULL)
+		{
+			*pos = to[match - from];
+		}
+		pos++;
+	}
+	return str;
+}
+
+/**
+ * Described in header.
+ */
+bool mkdir_p(const char *path, mode_t mode)
+{
+	int len;
+	char *pos, full[PATH_MAX];
+	pos = full;
+	if (!path || *path == '\0')
+	{
+		return TRUE;
+	}
+	len = snprintf(full, sizeof(full)-1, "%s", path);
+	if (len < 0 || len >= sizeof(full)-1)
+	{
+		DBG1(DBG_LIB, "path string %s too long", path);
+		return FALSE;
+	}
+	/* ensure that the path ends with a '/' */
+	if (full[len-1] != '/')
+	{
+		full[len++] = '/';
+		full[len] = '\0';
+	}
+	/* skip '/' at the beginning */
+	while (*pos == '/')
+	{
+		pos++;
+	}
+	while ((pos = strchr(pos, '/')))
+	{
+		*pos = '\0';
+		if (access(full, F_OK) < 0)
+		{
+			if (mkdir(full, mode) < 0)
+			{
+				DBG1(DBG_LIB, "failed to create directory %s", full);
+				return FALSE;
+			}
+		}
+		*pos = '/';
+		pos++;
+	}
+	return TRUE;
+}
+
+ENUM(tty_color_names, TTY_RESET, TTY_BG_DEF,
+	"\e[0m",
+	"\e[1m",
+	"\e[4m",
+	"\e[5m",
+	"\e[30m",
+	"\e[31m",
+	"\e[32m",
+	"\e[33m",
+	"\e[34m",
+	"\e[35m",
+	"\e[36m",
+	"\e[37m",
+	"\e[39m",
+	"\e[40m",
+	"\e[41m",
+	"\e[42m",
+	"\e[43m",
+	"\e[44m",
+	"\e[45m",
+	"\e[46m",
+	"\e[47m",
+	"\e[49m",
+);
+
+/**
+ * Get the escape string for a given TTY color, empty string on non-tty FILE
+ */
+char* tty_escape_get(int fd, tty_escape_t escape)
+{
+	if (!isatty(fd))
+	{
+		return "";
+	}
+	switch (escape)
+	{
+		case TTY_RESET:
+		case TTY_BOLD:
+		case TTY_UNDERLINE:
+		case TTY_BLINKING:
+		case TTY_FG_BLACK:
+		case TTY_FG_RED:
+		case TTY_FG_GREEN:
+		case TTY_FG_YELLOW:
+		case TTY_FG_BLUE:
+		case TTY_FG_MAGENTA:
+		case TTY_FG_CYAN:
+		case TTY_FG_WHITE:
+		case TTY_FG_DEF:
+		case TTY_BG_BLACK:
+		case TTY_BG_RED:
+		case TTY_BG_GREEN:
+		case TTY_BG_YELLOW:
+		case TTY_BG_BLUE:
+		case TTY_BG_MAGENTA:
+		case TTY_BG_CYAN:
+		case TTY_BG_WHITE:
+		case TTY_BG_DEF:
+			return enum_to_name(tty_color_names, escape);
+		/* warn if a excape code is missing */
+	}
+	return "";
+}
+
+/**
+ * The size of the thread-specific error buffer
+ */
+#define STRERROR_BUF_LEN 256
+
+/**
+ * Key to store thread-specific error buffer
+ */
+static pthread_key_t strerror_buf_key;
+
+/**
+ * Only initialize the key above once
+ */
+static pthread_once_t strerror_buf_key_once = PTHREAD_ONCE_INIT;
+
+/**
+ * Create the key used for the thread-specific error buffer
+ */
+static void create_strerror_buf_key()
+{
+	pthread_key_create(&strerror_buf_key, free);
+}
+
+/**
+ * Retrieve the error buffer assigned to the current thread (or create it)
+ */
+static inline char *get_strerror_buf()
+{
+	char *buf;
+
+	pthread_once(&strerror_buf_key_once, create_strerror_buf_key);
+	buf = pthread_getspecific(strerror_buf_key);
+	if (!buf)
+	{
+		buf = malloc(STRERROR_BUF_LEN);
+		pthread_setspecific(strerror_buf_key, buf);
+	}
+	return buf;
+}
+
+#ifdef HAVE_STRERROR_R
+/*
+ * Described in header.
+ */
+const char *safe_strerror(int errnum)
+{
+	char *buf = get_strerror_buf(), *msg;
+
+#ifdef STRERROR_R_CHAR_P
+	/* char* version which may or may not return the original buffer */
+	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN);
+#else
+	/* int version returns 0 on success */
+	msg = strerror_r(errnum, buf, STRERROR_BUF_LEN) ? "Unknown error" : buf;
+#endif
+	return msg;
+}
+#else /* HAVE_STRERROR_R */
+/* we actually wan't to call strerror(3) below */
+#undef strerror
+/*
+ * Described in header.
+ */
+const char *safe_strerror(int errnum)
+{
+	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+	char *buf = get_strerror_buf();
+
+	/* use a mutex to ensure calling strerror(3) is thread-safe */
+	pthread_mutex_lock(&mutex);
+	strncpy(buf, strerror(errnum), STRERROR_BUF_LEN);
+	pthread_mutex_unlock(&mutex);
+	buf[STRERROR_BUF_LEN - 1] = '\0';
+	return buf;
+}
+#endif /* HAVE_STRERROR_R */
+
+
+#ifndef HAVE_CLOSEFROM
+/**
+ * Described in header.
+ */
+void closefrom(int lowfd)
+{
+	char fd_dir[PATH_MAX];
+	int maxfd, fd, len;
+
+	/* try to close only open file descriptors on Linux... */
+	len = snprintf(fd_dir, sizeof(fd_dir), "/proc/%u/fd", getpid());
+	if (len > 0 && len < sizeof(fd_dir) && access(fd_dir, F_OK) == 0)
+	{
+		enumerator_t *enumerator = enumerator_create_directory(fd_dir);
+		if (enumerator)
+		{
+			char *rel;
+			while (enumerator->enumerate(enumerator, &rel, NULL, NULL))
+			{
+				fd = atoi(rel);
+				if (fd >= lowfd)
+				{
+					close(fd);
+				}
+			}
+			enumerator->destroy(enumerator);
+			return;
+		}
+	}
+
+	/* ...fall back to closing all fds otherwise */
+	maxfd = (int)sysconf(_SC_OPEN_MAX);
+	if (maxfd < 0)
+	{
+		maxfd = 256;
+	}
+	for (fd = lowfd; fd < maxfd; fd++)
+	{
+		close(fd);
+	}
+}
+#endif /* HAVE_CLOSEFROM */
+
+/**
+ * Return monotonic time
+ */
+time_t time_monotonic(timeval_t *tv)
+{
+#if defined(HAVE_CLOCK_GETTIME) && \
+	(defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \
+	 defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC))
+	/* as we use time_monotonic() for condvar operations, we use the
+	 * monotonic time source only if it is also supported by pthread. */
+	timespec_t ts;
+
+	if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
+	{
+		if (tv)
+		{
+			tv->tv_sec = ts.tv_sec;
+			tv->tv_usec = ts.tv_nsec / 1000;
+		}
+		return ts.tv_sec;
+	}
+#endif /* HAVE_CLOCK_GETTIME && (...) */
+	/* Fallback to non-monotonic timestamps:
+	 * On MAC OS X, creating monotonic timestamps is rather difficult. We
+	 * could use mach_absolute_time() and catch sleep/wakeup notifications.
+	 * We stick to the simpler (non-monotonic) gettimeofday() for now.
+	 * But keep in mind: we need the same time source here as in condvar! */
+	if (!tv)
+	{
+		return time(NULL);
+	}
+	if (gettimeofday(tv, NULL) != 0)
+	{	/* should actually never fail if passed pointers are valid */
+		return -1;
+	}
+	return tv->tv_sec;
+}
+
+/**
+ * return null
+ */
+void *return_null()
+{
+	return NULL;
+}
+
+/**
+ * returns TRUE
+ */
+bool return_true()
+{
+	return TRUE;
+}
+
+/**
+ * returns FALSE
+ */
+bool return_false()
+{
+	return FALSE;
+}
+
+/**
+ * returns FAILED
+ */
+status_t return_failed()
+{
+	return FAILED;
+}
+
+/**
+ * returns SUCCESS
+ */
+status_t return_success()
+{
+	return SUCCESS;
+}
+
+/**
+ * nop operation
+ */
+void nop()
+{
+}
+
+#ifndef HAVE_GCC_ATOMIC_OPERATIONS
+
+/**
+ * We use a single mutex for all refcount variables.
+ */
+static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/**
+ * Increase refcount
+ */
+refcount_t ref_get(refcount_t *ref)
+{
+	refcount_t current;
+
+	pthread_mutex_lock(&ref_mutex);
+	current = ++(*ref);
+	pthread_mutex_unlock(&ref_mutex);
+
+	return current;
+}
+
+/**
+ * Decrease refcount
+ */
+bool ref_put(refcount_t *ref)
+{
+	bool more_refs;
+
+	pthread_mutex_lock(&ref_mutex);
+	more_refs = --(*ref) > 0;
+	pthread_mutex_unlock(&ref_mutex);
+	return !more_refs;
+}
+
+/**
+ * Single mutex for all compare and swap operations.
+ */
+static pthread_mutex_t cas_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/**
+ * Compare and swap if equal to old value
+ */
+#define _cas_impl(name, type) \
+bool cas_##name(type *ptr, type oldval, type newval) \
+{ \
+	bool swapped; \
+	pthread_mutex_lock(&cas_mutex); \
+	if ((swapped = (*ptr == oldval))) { *ptr = newval; } \
+	pthread_mutex_unlock(&cas_mutex); \
+	return swapped; \
+}
+
+_cas_impl(bool, bool)
+_cas_impl(ptr, void*)
+
+#endif /* HAVE_GCC_ATOMIC_OPERATIONS */
+
+/**
+ * Described in header.
+ */
+int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+					 const void *const *args)
+{
+	static const char* months[] = {
+		"Jan", "Feb", "Mar", "Apr", "May", "Jun",
+		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+	};
+	time_t *time = *((time_t**)(args[0]));
+	bool utc = *((bool*)(args[1]));;
+	struct tm t;
+
+	if (*time == UNDEFINED_TIME)
+	{
+		return print_in_hook(data, "--- -- --:--:--%s----",
+							 utc ? " UTC " : " ");
+	}
+	if (utc)
+	{
+		gmtime_r(time, &t);
+	}
+	else
+	{
+		localtime_r(time, &t);
+	}
+	return print_in_hook(data, "%s %02d %02d:%02d:%02d%s%04d",
+						 months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min,
+						 t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900);
+}
+
+/**
+ * Described in header.
+ */
+int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
+						   const void *const *args)
+{
+	char* unit = "second";
+	time_t *arg1 = *((time_t**)(args[0]));
+	time_t *arg2 = *((time_t**)(args[1]));
+	u_int64_t delta = llabs(*arg1 - *arg2);
+
+	if (delta > 2 * 60 * 60 * 24)
+	{
+		delta /= 60 * 60 * 24;
+		unit = "day";
+	}
+	else if (delta > 2 * 60 * 60)
+	{
+		delta /= 60 * 60;
+		unit = "hour";
+	}
+	else if (delta > 2 * 60)
+	{
+		delta /= 60;
+		unit = "minute";
+	}
+	return print_in_hook(data, "%" PRIu64 " %s%s", delta, unit,
+						 (delta == 1) ? "" : "s");
+}
+
+/**
+ * Number of bytes per line to dump raw data
+ */
+#define BYTES_PER_LINE 16
+
+static char hexdig_upper[] = "0123456789ABCDEF";
+
+/**
+ * Described in header.
+ */
+int mem_printf_hook(printf_hook_data_t *data,
+					printf_hook_spec_t *spec, const void *const *args)
+{
+	char *bytes = *((void**)(args[0]));
+	u_int len = *((int*)(args[1]));
+
+	char buffer[BYTES_PER_LINE * 3];
+	char ascii_buffer[BYTES_PER_LINE + 1];
+	char *buffer_pos = buffer;
+	char *bytes_pos  = bytes;
+	char *bytes_roof = bytes + len;
+	int line_start = 0;
+	int i = 0;
+	int written = 0;
+
+	written += print_in_hook(data, "=> %u bytes @ %p", len, bytes);
+
+	while (bytes_pos < bytes_roof)
+	{
+		*buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF];
+		*buffer_pos++ = hexdig_upper[ *bytes_pos       & 0xF];
+
+		ascii_buffer[i++] =
+				(*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
+
+		if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE)
+		{
+			int padding = 3 * (BYTES_PER_LINE - i);
+
+			while (padding--)
+			{
+				*buffer_pos++ = ' ';
+			}
+			*buffer_pos++ = '\0';
+			ascii_buffer[i] = '\0';
+
+			written += print_in_hook(data, "\n%4d: %s  %s",
+									 line_start, buffer, ascii_buffer);
+
+			buffer_pos = buffer;
+			line_start += BYTES_PER_LINE;
+			i = 0;
+		}
+		else
+		{
+			*buffer_pos++ = ' ';
+		}
+	}
+	return written;
+}
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils/utils.h
index cedfe8fd1..d055f712d 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2011 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -15,8 +15,8 @@
  */
 
 /**
- * @defgroup utils utils
- * @{ @ingroup libstrongswan
+ * @defgroup utils_i utils
+ * @{ @ingroup utils
  */
 
 #ifndef UTILS_H_
@@ -52,34 +52,81 @@
 #define BUF_LEN 512
 
 /**
- * Macro compares two strings for equality
+ * General purpose boolean type.
+ */
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# ifndef HAVE__BOOL
+#  define _Bool signed char
+# endif /* HAVE__BOOL */
+# define bool _Bool
+# define false 0
+# define true 1
+# define __bool_true_false_are_defined 1
+#endif /* HAVE_STDBOOL_H */
+#ifndef FALSE
+# define FALSE false
+#endif /* FALSE */
+#ifndef TRUE
+# define TRUE  true
+#endif /* TRUE */
+
+/**
+ * Helper function that compares two strings for equality
  */
-#define streq(x,y) (strcmp(x, y) == 0)
+static inline bool streq(const char *x, const char *y)
+{
+	return strcmp(x, y) == 0;
+}
+
+/**
+ * Helper function that compares two strings for equality, length limited
+ */
+static inline bool strneq(const char *x, const char *y, size_t len)
+{
+	return strncmp(x, y, len) == 0;
+}
 
 /**
- * Macro compares two strings for equality, length limited
+ * Helper function that checks if a string starts with a given prefix
  */
-#define strneq(x,y,len) (strncmp(x, y, len) == 0)
+static inline bool strpfx(const char *x, const char *prefix)
+{
+	return strneq(x, prefix, strlen(prefix));
+}
 
 /**
- * Macro compares two strings for equality ignoring case
+ * Helper function that compares two strings for equality ignoring case
  */
-#define strcaseeq(x,y) (strcasecmp(x, y) == 0)
+static inline bool strcaseeq(const char *x, const char *y)
+{
+	return strcasecmp(x, y) == 0;
+}
 
 /**
- * Macro compares two strings for equality ignoring case, length limited
+ * Helper function that compares two strings for equality ignoring case, length limited
  */
-#define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0)
+static inline bool strncaseeq(const char *x, const char *y, size_t len)
+{
+	return strncasecmp(x, y, len) == 0;
+}
 
 /**
  * NULL-safe strdup variant
  */
-#define strdupnull(x) ({ char *_x = x; _x ? strdup(_x) : NULL; })
+static inline char *strdupnull(const char *s)
+{
+	return s ? strdup(s) : NULL;
+}
 
 /**
- * Macro compares two binary blobs for equality
+ * Helper function that compares two binary blobs for equality
  */
-#define memeq(x,y,len) (memcmp(x, y, len) == 0)
+static inline bool memeq(const void *x, const void *y, size_t len)
+{
+	return memcmp(x, y, len) == 0;
+}
 
 /**
  * Macro gives back larger of two values.
@@ -121,9 +168,8 @@
 /**
  * Object allocation/initialization macro, using designated initializer.
  */
-#define INIT(this, ...) ({ (this) = malloc(sizeof(*(this))); \
-						   *(this) = (typeof(*(this))){ __VA_ARGS__ }; \
-						   (this); })
+#define INIT(this, ...) { (this) = malloc(sizeof(*(this))); \
+						   *(this) = (typeof(*(this))){ __VA_ARGS__ }; }
 
 /**
  * Method declaration/definition macro, providing private and public interface.
@@ -136,7 +182,7 @@
 #define METHOD(iface, name, ret, this, ...) \
 	static ret name(union {iface *_public; this;} \
 	__attribute__((transparent_union)), ##__VA_ARGS__); \
-	static const typeof(name) *_##name = (const typeof(name)*)name; \
+	static typeof(name) *_##name = (typeof(name)*)name; \
 	static ret name(this, ##__VA_ARGS__)
 
 /**
@@ -145,7 +191,7 @@
 #define METHOD2(iface1, iface2, name, ret, this, ...) \
 	static ret name(union {iface1 *_public1; iface2 *_public2; this;} \
 	__attribute__((transparent_union)), ##__VA_ARGS__); \
-	static const typeof(name) *_##name = (const typeof(name)*)name; \
+	static typeof(name) *_##name = (typeof(name)*)name; \
 	static ret name(this, ##__VA_ARGS__)
 
 /**
@@ -201,27 +247,6 @@
 #define TIME_32_BIT_SIGNED_MAX	0x7fffffff
 
 /**
- * General purpose boolean type.
- */
-#ifdef HAVE_STDBOOL_H
-# include <stdbool.h>
-#else
-# ifndef HAVE__BOOL
-#  define _Bool signed char
-# endif /* HAVE__BOOL */
-# define bool _Bool
-# define false 0
-# define true 1
-# define __bool_true_false_are_defined 1
-#endif /* HAVE_STDBOOL_H */
-#ifndef FALSE
-# define FALSE false
-#endif /* FALSE */
-#ifndef TRUE
-# define TRUE  true
-#endif /* TRUE */
-
-/**
  * define some missing fixed width int types on OpenSolaris.
  * TODO: since the uintXX_t types are defined by the C99 standard we should
  * probably use those anyway
@@ -306,6 +331,46 @@ enum status_t {
  */
 extern enum_name_t *status_names;
 
+typedef enum tty_escape_t tty_escape_t;
+
+/**
+ * Excape codes for tty colors
+ */
+enum tty_escape_t {
+	/** text properties */
+	TTY_RESET,
+	TTY_BOLD,
+	TTY_UNDERLINE,
+	TTY_BLINKING,
+
+	/** foreground colors */
+	TTY_FG_BLACK,
+	TTY_FG_RED,
+	TTY_FG_GREEN,
+	TTY_FG_YELLOW,
+	TTY_FG_BLUE,
+	TTY_FG_MAGENTA,
+	TTY_FG_CYAN,
+	TTY_FG_WHITE,
+	TTY_FG_DEF,
+
+	/** background colors */
+	TTY_BG_BLACK,
+	TTY_BG_RED,
+	TTY_BG_GREEN,
+	TTY_BG_YELLOW,
+	TTY_BG_BLUE,
+	TTY_BG_MAGENTA,
+	TTY_BG_CYAN,
+	TTY_BG_WHITE,
+	TTY_BG_DEF,
+};
+
+/**
+ * Get the escape string for a given TTY color, empty string on non-tty fd
+ */
+char* tty_escape_get(int fd, tty_escape_t escape);
+
 /**
  * deprecated pluto style return value:
  * error message, NULL for success
@@ -328,11 +393,6 @@ typedef struct timespec timespec_t;
 typedef struct sockaddr sockaddr_t;
 
 /**
- * Clone a data to a newly allocated buffer
- */
-void *clalloc(void *pointer, size_t size);
-
-/**
  * Same as memcpy, but XORs src into dst instead of copy
  */
 void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
@@ -375,6 +435,10 @@ static inline void memwipe_inline(void *ptr, size_t n)
  */
 static inline void memwipe(void *ptr, size_t n)
 {
+	if (!ptr)
+	{
+		return;
+	}
 	if (__builtin_constant_p(n))
 	{
 		memwipe_inline(ptr, n);
@@ -408,6 +472,23 @@ char *translate(char *str, const char *from, const char *to);
  */
 bool mkdir_p(const char *path, mode_t mode);
 
+/**
+ * Thread-safe wrapper around strerror and strerror_r.
+ *
+ * This is required because the first is not thread-safe (on some platforms)
+ * and the second uses two different signatures (POSIX/GNU) and is impractical
+ * to use anyway.
+ *
+ * @param errnum	error code (i.e. errno)
+ * @return			error message
+ */
+const char *safe_strerror(int errnum);
+
+/**
+ * Replace usages of strerror(3) with thread-safe variant.
+ */
+#define strerror(errnum) safe_strerror(errnum)
+
 #ifndef HAVE_CLOSEFROM
 /**
  * Close open file descriptors greater than or equal to lowfd.
@@ -430,6 +511,22 @@ void closefrom(int lowfd);
 time_t time_monotonic(timeval_t *tv);
 
 /**
+ * Add the given number of milliseconds to the given timeval struct
+ *
+ * @param tv		timeval struct to modify
+ * @param ms		number of milliseconds
+ */
+static inline void timeval_add_ms(timeval_t *tv, u_int ms)
+{
+	tv->tv_usec += ms * 1000;
+	while (tv->tv_usec >= 1000000 /* 1s */)
+	{
+		tv->tv_usec -= 1000000;
+		tv->tv_sec++;
+	}
+}
+
+/**
  * returns null
  */
 void *return_null();
@@ -455,6 +552,11 @@ bool return_false();
 status_t return_failed();
 
 /**
+ * returns SUCCESS
+ */
+status_t return_success();
+
+/**
  * Write a 16-bit host order value in network order to an unaligned address.
  *
  * @param host		host order 16-bit value
@@ -491,6 +593,11 @@ static inline void htoun32(void *network, u_int32_t host)
 static inline void htoun64(void *network, u_int64_t host)
 {
 	char *unaligned = (char*)network;
+
+#ifdef be64toh
+	host = htobe64(host);
+	memcpy((char*)unaligned, &host, sizeof(host));
+#else
 	u_int32_t high_part, low_part;
 
 	high_part = host >> 32;
@@ -501,6 +608,7 @@ static inline void htoun64(void *network, u_int64_t host)
 	memcpy(unaligned, &high_part, sizeof(high_part));
 	unaligned += sizeof(high_part);
 	memcpy(unaligned, &low_part, sizeof(low_part));
+#endif
 }
 
 /**
@@ -542,6 +650,13 @@ static inline u_int32_t untoh32(void *network)
 static inline u_int64_t untoh64(void *network)
 {
 	char *unaligned = (char*)network;
+
+#ifdef be64toh
+	u_int64_t tmp;
+
+	memcpy(&tmp, unaligned, sizeof(tmp));
+	return be64toh(tmp);
+#else
 	u_int32_t high_part, low_part;
 
 	memcpy(&high_part, unaligned, sizeof(high_part));
@@ -552,17 +667,40 @@ static inline u_int64_t untoh64(void *network)
 	low_part  = ntohl(low_part);
 
 	return (((u_int64_t)high_part) << 32) + low_part;
+#endif
 }
 
 /**
- * Special type to count references
+ * Round up size to be multiple of alignement
  */
-typedef volatile u_int refcount_t;
+static inline size_t round_up(size_t size, int alignement)
+{
+	int remainder;
+
+	remainder = size % alignement;
+	if (remainder)
+	{
+		size += alignement - remainder;
+	}
+	return size;
+}
+
+/**
+ * Round down size to be a multiple of alignement
+ */
+static inline size_t round_down(size_t size, int alignement)
+{
+	return size - (size % alignement);
+}
 
+/**
+ * Special type to count references
+ */
+typedef u_int refcount_t;
 
 #ifdef HAVE_GCC_ATOMIC_OPERATIONS
 
-#define ref_get(ref) {__sync_fetch_and_add(ref, 1); }
+#define ref_get(ref) __sync_add_and_fetch(ref, 1)
 #define ref_put(ref) (!__sync_sub_and_fetch(ref, 1))
 
 #define cas_bool(ptr, oldval, newval) \
@@ -578,8 +716,9 @@ typedef volatile u_int refcount_t;
  * Increments the reference counter atomic.
  *
  * @param ref	pointer to ref counter
+ * @return		new value of ref
  */
-void ref_get(refcount_t *ref);
+refcount_t ref_get(refcount_t *ref);
 
 /**
  * Put back a unused reference.
@@ -612,7 +751,6 @@ bool cas_bool(bool *ptr, bool oldval, bool newval);
  */
 bool cas_ptr(void **ptr, void *oldval, void *newval);
 
-
 #endif /* HAVE_GCC_ATOMIC_OPERATIONS */
 
 /**
@@ -621,7 +759,7 @@ bool cas_ptr(void **ptr, void *oldval, void *newval);
  * Arguments are:
  *	time_t* time, bool utc
  */
-int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					 const void *const *args);
 
 /**
@@ -630,7 +768,7 @@ int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
  * Arguments are:
  *	time_t* begin, time_t* end
  */
-int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 						   const void *const *args);
 
 /**
@@ -639,7 +777,7 @@ int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
  * Arguments are:
  *	u_char *ptr, u_int len
  */
-int mem_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+int mem_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					const void *const *args);
 
 #endif /** UTILS_H_ @}*/
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
index 4cc1a1bdb..9e3712abe 100644
--- a/src/libtls/Makefile.am
+++ b/src/libtls/Makefile.am
@@ -1,17 +1,16 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
-	tls_protection.h tls_protection.c \
-	tls_compression.h tls_compression.c \
-	tls_fragmentation.h tls_fragmentation.c \
-	tls_alert.h tls_alert.c \
-	tls_crypto.h tls_crypto.c \
-	tls_prf.h tls_prf.c \
-	tls_socket.h tls_socket.c \
-	tls_eap.h tls_eap.c \
-	tls_cache.h tls_cache.c \
-	tls_peer.h tls_peer.c \
-	tls_server.h tls_server.c \
-	tls_handshake.h tls_application.h tls.h tls.c
+	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
+	tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+	tls_server.c tls.c
+
+if USE_DEV_HEADERS
+tls_includedir = ${dev_headers}/tls
+nobase_tls_include_HEADERS = \
+	tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
+	tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
+	tls_server.h tls_handshake.h tls_application.h tls.h
+endif
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 844b65156..df721f79e 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -15,7 +15,25 @@
 
 @SET_MAKE@
 
+
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -35,7 +53,8 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = src/libtls
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+DIST_COMMON = $(am__nobase_tls_include_HEADERS_DIST) \
+	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -45,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,7 +92,14 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)" \
+	"$(DESTDIR)$(tls_includedir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libtls_la_LIBADD =
 am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
@@ -80,42 +107,75 @@ am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
 	tls_socket.lo tls_eap.lo tls_cache.lo tls_peer.lo \
 	tls_server.lo tls.lo
 libtls_la_OBJECTS = $(am_libtls_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libtls_la_SOURCES)
 DIST_SOURCES = $(libtls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__nobase_tls_include_HEADERS_DIST = tls_protection.h \
+	tls_compression.h tls_fragmentation.h tls_alert.h tls_crypto.h \
+	tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
+	tls_server.h tls_handshake.h tls_application.h tls.h
+HEADERS = $(nobase_tls_include_HEADERS)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -124,13 +184,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -143,6 +206,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -170,11 +234,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -182,6 +248,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -190,8 +257,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -200,14 +265,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -221,17 +291,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -241,16 +311,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -278,21 +347,20 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
 ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
-	tls_protection.h tls_protection.c \
-	tls_compression.h tls_compression.c \
-	tls_fragmentation.h tls_fragmentation.c \
-	tls_alert.h tls_alert.c \
-	tls_crypto.h tls_crypto.c \
-	tls_prf.h tls_prf.c \
-	tls_socket.h tls_socket.c \
-	tls_eap.h tls_eap.c \
-	tls_cache.h tls_cache.c \
-	tls_peer.h tls_peer.c \
-	tls_server.h tls_server.c \
-	tls_handshake.h tls_application.h tls.h tls.c
+	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
+	tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+	tls_server.c tls.c
+
+@USE_DEV_HEADERS_TRUE@tls_includedir = ${dev_headers}/tls
+@USE_DEV_HEADERS_TRUE@nobase_tls_include_HEADERS = \
+@USE_DEV_HEADERS_TRUE@	tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
+@USE_DEV_HEADERS_TRUE@	tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
+@USE_DEV_HEADERS_TRUE@	tls_server.h tls_handshake.h tls_application.h tls.h
 
 all: all-am
 
@@ -330,7 +398,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -338,6 +405,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -359,8 +428,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
+libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) $(EXTRA_libtls_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -382,31 +451,55 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_socket.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
+install-nobase_tls_includeHEADERS: $(nobase_tls_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	@list='$(nobase_tls_include_HEADERS)'; test -n "$(tls_includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(tls_includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(tls_includedir)" || exit 1; \
+	fi; \
+	$(am__nobase_list) | while read dir files; do \
+	  xfiles=; for file in $$files; do \
+	    if test -f "$$file"; then xfiles="$$xfiles $$file"; \
+	    else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
+	  test -z "$$xfiles" || { \
+	    test "x$$dir" = x. || { \
+	      echo " $(MKDIR_P) '$(DESTDIR)$(tls_includedir)/$$dir'"; \
+	      $(MKDIR_P) "$(DESTDIR)$(tls_includedir)/$$dir"; }; \
+	    echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(tls_includedir)/$$dir'"; \
+	    $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(tls_includedir)/$$dir" || exit $$?; }; \
+	done
+
+uninstall-nobase_tls_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nobase_tls_include_HEADERS)'; test -n "$(tls_includedir)" || list=; \
+	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
+	dir='$(DESTDIR)$(tls_includedir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -492,9 +585,9 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(HEADERS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(tls_includedir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -507,10 +600,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -545,7 +643,8 @@ info: info-am
 
 info-am:
 
-install-data-am: install-ipseclibLTLIBRARIES
+install-data-am: install-ipseclibLTLIBRARIES \
+	install-nobase_tls_includeHEADERS
 
 install-dvi: install-dvi-am
 
@@ -591,7 +690,8 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-ipseclibLTLIBRARIES
+uninstall-am: uninstall-ipseclibLTLIBRARIES \
+	uninstall-nobase_tls_includeHEADERS
 
 .MAKE: install-am install-strip
 
@@ -602,12 +702,14 @@ uninstall-am: uninstall-ipseclibLTLIBRARIES
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-info install-info-am \
-	install-ipseclibLTLIBRARIES install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
+	install-ipseclibLTLIBRARIES install-man \
+	install-nobase_tls_includeHEADERS install-pdf install-pdf-am \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+	tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES \
+	uninstall-nobase_tls_includeHEADERS
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 2bcaffbc8..6d33d843d 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -15,7 +15,7 @@
 
 #include "tls.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 #include "tls_protection.h"
 #include "tls_compression.h"
@@ -107,16 +107,6 @@ struct private_tls_t {
 	bool is_server;
 
 	/**
-	 * Server identity
-	 */
-	identification_t *server;
-
-	/**
-	 * Peer identity
-	 */
-	identification_t *peer;
-
-	/**
 	 * Negotiated TLS version
 	 */
 	tls_version_t version;
@@ -359,6 +349,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tls_t *this)
+{
+	return this->handshake->get_server_id(this->handshake);
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tls_t *this)
+{
+	return this->handshake->get_peer_id(this->handshake);
+}
+
 METHOD(tls_t, get_version, tls_version_t,
 	private_tls_t *this)
 {
@@ -421,8 +423,6 @@ METHOD(tls_t, destroy, void,
 	this->fragmentation->destroy(this->fragmentation);
 	this->crypto->destroy(this->crypto);
 	this->handshake->destroy(this->handshake);
-	DESTROY_IF(this->peer);
-	this->server->destroy(this->server);
 	DESTROY_IF(this->application);
 	this->alert->destroy(this->alert);
 
@@ -457,6 +457,8 @@ tls_t *tls_create(bool is_server, identification_t *server,
 			.process = _process,
 			.build = _build,
 			.is_server = _is_server,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.get_version = _get_version,
 			.set_version = _set_version,
 			.get_purpose = _get_purpose,
@@ -466,8 +468,6 @@ tls_t *tls_create(bool is_server, identification_t *server,
 		},
 		.is_server = is_server,
 		.version = TLS_1_2,
-		.server = server->clone(server),
-		.peer = peer ? peer->clone(peer) : NULL,
 		.application = application,
 		.purpose = purpose,
 	);
@@ -477,12 +477,12 @@ tls_t *tls_create(bool is_server, identification_t *server,
 	if (is_server)
 	{
 		this->handshake = &tls_server_create(&this->public, this->crypto,
-							this->alert, this->server, this->peer)->handshake;
+										this->alert, server, peer)->handshake;
 	}
 	else
 	{
 		this->handshake = &tls_peer_create(&this->public, this->crypto,
-							this->alert, this->peer, this->server)->handshake;
+										this->alert, peer, server)->handshake;
 	}
 	this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
 												   this->application);
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index e22b0facc..7f45b1e09 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -26,6 +26,12 @@
 #ifndef TLS_H_
 #define TLS_H_
 
+/**
+ * Maximum size of a TLS fragment
+ * as defined by section 6.2.1. "Fragmentation" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_FRAGMENT_LEN	16384
+
 typedef enum tls_version_t tls_version_t;
 typedef enum tls_content_type_t tls_content_type_t;
 typedef enum tls_handshake_type_t tls_handshake_type_t;
@@ -187,6 +193,20 @@ struct tls_t {
 	bool (*is_server)(tls_t *this);
 
 	/**
+	 * Return the server identity.
+	 *
+	 * @return			server identity
+	 */
+	identification_t* (*get_server_id)(tls_t *this);
+
+	/**
+	 * Return the peer identity.
+	 *
+	 * @return			peer identity
+	 */
+	identification_t* (*get_peer_id)(tls_t *this);
+
+	/**
 	 * Get the negotiated TLS/SSL version.
 	 *
 	 * @return			negotiated TLS version
diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c
index 8a4fa7d77..7dd219db8 100644
--- a/src/libtls/tls_alert.c
+++ b/src/libtls/tls_alert.c
@@ -15,8 +15,8 @@
 
 #include "tls_alert.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 
 ENUM_BEGIN(tls_alert_desc_names, TLS_CLOSE_NOTIFY, TLS_CLOSE_NOTIFY,
 	"close notify",
diff --git a/src/libtls/tls_cache.c b/src/libtls/tls_cache.c
index a89201ad7..c13b1e851 100644
--- a/src/libtls/tls_cache.c
+++ b/src/libtls/tls_cache.c
@@ -15,9 +15,9 @@
 
 #include "tls_cache.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
 typedef struct private_tls_cache_t private_tls_cache_t;
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 4d84876d0..12aa049a2 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -15,7 +15,7 @@
 
 #include "tls_crypto.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
 								   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
@@ -1110,6 +1110,7 @@ METHOD(tls_crypto_t, get_signature_algorithms, void,
 	}
 	enumerator->destroy(enumerator);
 
+	supported->wrap16(supported);
 	writer->write_data16(writer, supported->get_buf(supported));
 	supported->destroy(supported);
 }
@@ -1196,12 +1197,12 @@ static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
 			return FALSE;
 		}
 		hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
-		if (!hasher)
+		if (!hasher || !hasher->allocate_hash(hasher, data, hash))
 		{
 			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
+			DESTROY_IF(hasher);
 			return FALSE;
 		}
-		hasher->allocate_hash(hasher, data, hash);
 		hasher->destroy(hasher);
 	}
 	else
@@ -1210,20 +1211,20 @@ static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
 		char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
 
 		md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-		if (!md5)
+		if (!md5 || !md5->get_hash(md5, data, buf))
 		{
 			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
+			DESTROY_IF(md5);
 			return FALSE;
 		}
-		md5->get_hash(md5, data, buf);
 		md5->destroy(md5);
 		sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-		if (!sha1)
+		if (!sha1 || !sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5))
 		{
 			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
+			DESTROY_IF(sha1);
 			return FALSE;
 		}
-		sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
 		sha1->destroy(sha1);
 
 		*hash = chunk_clone(chunk_from_thing(buf));
@@ -1462,7 +1463,11 @@ METHOD(tls_crypto_t, calculate_finished, bool,
 	{
 		return FALSE;
 	}
-	this->prf->get_bytes(this->prf, label, seed, 12, out);
+	if (!this->prf->get_bytes(this->prf, label, seed, 12, out))
+	{
+		free(seed.ptr);
+		return FALSE;
+	}
 	free(seed.ptr);
 	return TRUE;
 }
@@ -1470,7 +1475,7 @@ METHOD(tls_crypto_t, calculate_finished, bool,
 /**
  * Derive master secret from premaster, optionally save session
  */
-static void derive_master(private_tls_crypto_t *this, chunk_t premaster,
+static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
 						  chunk_t session, identification_t *id,
 						  chunk_t client_random, chunk_t server_random)
 {
@@ -1479,23 +1484,28 @@ static void derive_master(private_tls_crypto_t *this, chunk_t premaster,
 
 	/* derive master secret */
 	seed = chunk_cata("cc", client_random, server_random);
-	this->prf->set_key(this->prf, premaster);
-	this->prf->get_bytes(this->prf, "master secret", seed,
-						 sizeof(master), master);
 
-	this->prf->set_key(this->prf, chunk_from_thing(master));
+	if (!this->prf->set_key(this->prf, premaster) ||
+		!this->prf->get_bytes(this->prf, "master secret", seed,
+							  sizeof(master), master) ||
+		!this->prf->set_key(this->prf, chunk_from_thing(master)))
+	{
+		return FALSE;
+	}
+
 	if (this->cache && session.len)
 	{
 		this->cache->create(this->cache, session, id, chunk_from_thing(master),
 							this->suite);
 	}
 	memwipe(master, sizeof(master));
+	return TRUE;
 }
 
 /**
  * Expand key material from master secret
  */
-static void expand_keys(private_tls_crypto_t *this,
+static bool expand_keys(private_tls_crypto_t *this,
 						chunk_t client_random, chunk_t server_random)
 {
 	chunk_t seed, block, client_write, server_write;
@@ -1513,7 +1523,11 @@ static void expand_keys(private_tls_crypto_t *this,
 	}
 	seed = chunk_cata("cc", server_random, client_random);
 	block = chunk_alloca((mks + eks + ivs) * 2);
-	this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
+	if (!this->prf->get_bytes(this->prf, "key expansion", seed,
+							  block.len, block.ptr))
+	{
+		return FALSE;
+	}
 
 	/* signer keys */
 	client_write = chunk_create(block.ptr, mks);
@@ -1522,13 +1536,19 @@ static void expand_keys(private_tls_crypto_t *this,
 	block = chunk_skip(block, mks);
 	if (this->tls->is_server(this->tls))
 	{
-		this->signer_in->set_key(this->signer_in, client_write);
-		this->signer_out->set_key(this->signer_out, server_write);
+		if (!this->signer_in->set_key(this->signer_in, client_write) ||
+			!this->signer_out->set_key(this->signer_out, server_write))
+		{
+			return FALSE;
+		}
 	}
 	else
 	{
-		this->signer_out->set_key(this->signer_out, client_write);
-		this->signer_in->set_key(this->signer_in, server_write);
+		if (!this->signer_out->set_key(this->signer_out, client_write) ||
+			!this->signer_in->set_key(this->signer_in, server_write))
+		{
+			return FALSE;
+		}
 	}
 
 	/* crypter keys, and IVs if < TLSv1.2 */
@@ -1541,13 +1561,19 @@ static void expand_keys(private_tls_crypto_t *this,
 
 		if (this->tls->is_server(this->tls))
 		{
-			this->crypter_in->set_key(this->crypter_in, client_write);
-			this->crypter_out->set_key(this->crypter_out, server_write);
+			if (!this->crypter_in->set_key(this->crypter_in, client_write) ||
+				!this->crypter_out->set_key(this->crypter_out, server_write))
+			{
+				return FALSE;
+			}
 		}
 		else
 		{
-			this->crypter_out->set_key(this->crypter_out, client_write);
-			this->crypter_in->set_key(this->crypter_in, server_write);
+			if (!this->crypter_out->set_key(this->crypter_out, client_write) ||
+				!this->crypter_in->set_key(this->crypter_in, server_write))
+			{
+				return FALSE;
+			}
 		}
 		if (ivs)
 		{
@@ -1574,17 +1600,22 @@ static void expand_keys(private_tls_crypto_t *this,
 	{
 		seed = chunk_cata("cc", client_random, server_random);
 		this->msk = chunk_alloc(64);
-		this->prf->get_bytes(this->prf, this->msk_label, seed,
-							 this->msk.len, this->msk.ptr);
+		if (!this->prf->get_bytes(this->prf, this->msk_label, seed,
+								  this->msk.len, this->msk.ptr))
+		{
+			return FALSE;
+		}
 	}
+	return TRUE;
 }
 
-METHOD(tls_crypto_t, derive_secrets, void,
+METHOD(tls_crypto_t, derive_secrets, bool,
 	private_tls_crypto_t *this, chunk_t premaster, chunk_t session,
 	identification_t *id, chunk_t client_random, chunk_t server_random)
 {
-	derive_master(this, premaster, session, id, client_random, server_random);
-	expand_keys(this, client_random, server_random);
+	return derive_master(this, premaster, session, id,
+						 client_random, server_random) &&
+		   expand_keys(this, client_random, server_random);
 }
 
 METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
@@ -1601,8 +1632,11 @@ METHOD(tls_crypto_t, resume_session, tls_cipher_suite_t,
 			this->suite = select_cipher_suite(this, &this->suite, 1, KEY_ANY);
 			if (this->suite)
 			{
-				this->prf->set_key(this->prf, master);
-				expand_keys(this, client_random, server_random);
+				if (!this->prf->set_key(this->prf, master) ||
+					!expand_keys(this, client_random, server_random))
+				{
+					this->suite = 0;
+				}
 			}
 			chunk_clear(&master);
 		}
@@ -1719,11 +1753,14 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache)
 	switch (tls->get_purpose(tls))
 	{
 		case TLS_PURPOSE_EAP_TLS:
-		case TLS_PURPOSE_EAP_PEAP:
 			/* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
 			this->msk_label = "client EAP encryption";
 			build_cipher_suite_list(this, FALSE);
 			break;
+		case TLS_PURPOSE_EAP_PEAP:
+			this->msk_label = "client EAP encryption";
+			build_cipher_suite_list(this, TRUE);
+			break;
 		case TLS_PURPOSE_EAP_TTLS:
 			/* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
 			this->msk_label = "ttls keying material";
diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h
index 7430aea66..5512b1f48 100644
--- a/src/libtls/tls_crypto.h
+++ b/src/libtls/tls_crypto.h
@@ -515,8 +515,9 @@ struct tls_crypto_t {
 	 * @param id			identity the session is bound to
 	 * @param client_random	random data from client hello
 	 * @param server_random	random data from server hello
+	 * @return				TRUE if secrets derived successfully
 	 */
-	void (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
+	bool (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
 						   chunk_t session, identification_t *id,
 						   chunk_t client_random, chunk_t server_random);
 
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index 685904fdf..68cebb994 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -18,11 +18,14 @@
 
 #include "tls.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <library.h>
 
-/** Size limit for a single TLS message */
-#define MAX_TLS_MESSAGE_LEN 65536
+/**
+ * Size limit for a TLS message allowing for worst-case protection overhead
+ * according to section 6.2.3. "Payload Protection" of RFC 5246 TLS 1.2
+ */
+#define TLS_MAX_MESSAGE_LEN		4 * (TLS_MAX_FRAGMENT_LEN + 2048)
 
 typedef struct private_tls_eap_t private_tls_eap_t;
 
@@ -79,7 +82,7 @@ struct private_tls_eap_t {
 	int processed;
 
 	/**
-	 * Maximum number of processed EAP messages/fragments 
+	 * Maximum number of processed EAP messages/fragments
 	 */
 	int max_msg_count;
 };
@@ -138,7 +141,7 @@ METHOD(tls_eap_t, initiate, status_t,
 
 		*out = chunk_clone(chunk_from_thing(pkt));
 		DBG2(DBG_TLS, "sending %N start packet (%u bytes)",
-					   eap_type_names, this->type, sizeof(eap_tls_packet_t));
+			 eap_type_names, this->type, sizeof(eap_tls_packet_t));
 		DBG3(DBG_TLS, "%B", out);
 		return NEED_MORE;
 	}
@@ -150,10 +153,12 @@ METHOD(tls_eap_t, initiate, status_t,
  */
 static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
 {
-	u_int32_t msg_len;
 	u_int16_t pkt_len;
+	u_int32_t msg_len;
+	size_t msg_len_offset = 0;
 
 	pkt_len = untoh16(&pkt->length);
+
 	if (pkt->flags & EAP_TLS_LENGTH)
 	{
 		if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len))
@@ -163,16 +168,17 @@ static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
 		}
 		msg_len = untoh32(pkt + 1);
 		if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) ||
-			msg_len > MAX_TLS_MESSAGE_LEN)
+			msg_len > TLS_MAX_MESSAGE_LEN)
 		{
-			DBG1(DBG_TLS, "invalid %N packet length", eap_type_names, this->type);
+			DBG1(DBG_TLS, "invalid %N packet length (%u bytes)", eap_type_names,
+				 this->type, msg_len);
 			return FAILED;
 		}
-		return this->tls->process(this->tls, (char*)(pkt + 1) + sizeof(msg_len),
-						pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len));
+		msg_len_offset = sizeof(msg_len);
 	}
-	return this->tls->process(this->tls, (char*)(pkt + 1),
-							  pkt_len - sizeof(eap_tls_packet_t));
+
+	return this->tls->process(this->tls, (char*)(pkt + 1) + msg_len_offset,
+					   pkt_len - sizeof(eap_tls_packet_t) - msg_len_offset);
 }
 
 /**
@@ -182,7 +188,7 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 {
 	char buf[this->frag_size];
 	eap_tls_packet_t *pkt;
-	size_t len, reclen;
+	size_t len, reclen, msg_len_offset;
 	status_t status;
 	char *kind;
 
@@ -214,15 +220,16 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 	if (this->first_fragment)
 	{
 		len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
-		status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
-								  sizeof(u_int32_t), &len, &reclen);
+		msg_len_offset = sizeof(u_int32_t);
 	}
 	else
 	{
 		len = sizeof(buf) - sizeof(eap_tls_packet_t);
-		status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t),
-								  &len, &reclen);
+		msg_len_offset = 0;
 	}
+	status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
+										 msg_len_offset, &len, &reclen);
+
 	switch (status)
 	{
 		case NEED_MORE:
@@ -230,7 +237,7 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 			kind = "further fragment";
 			if (this->first_fragment)
 			{
-		        pkt->flags |= EAP_TLS_LENGTH;
+				pkt->flags |= EAP_TLS_LENGTH;
 				this->first_fragment = FALSE;
 				kind = "first fragment";
 			}
@@ -244,11 +251,15 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 				}
 				kind = "packet";
 			}
-			else
+			else if (this->type != EAP_TNC)
 			{
 				this->first_fragment = TRUE;
 				kind = "final fragment";
 			}
+			else
+			{
+				kind = "packet";
+			}
 			break;
 		default:
 			return status;
@@ -256,7 +267,7 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 	if (reclen)
 	{
 		if (pkt->flags & EAP_TLS_LENGTH)
-		{ 
+		{
 			htoun32(pkt + 1, reclen);
 			len += sizeof(u_int32_t);
 			pkt->flags |= EAP_TLS_LENGTH;
@@ -264,15 +275,15 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
 		else
 		{
 			/* get rid of the reserved length field */
-			memcpy(buf+sizeof(eap_packet_t),
-				   buf+sizeof(eap_packet_t)+sizeof(u_int32_t), len);	
+			memmove(buf + sizeof(eap_tls_packet_t),
+					buf + sizeof(eap_tls_packet_t) + sizeof(u_int32_t), len);
 		}
 	}
 	len += sizeof(eap_tls_packet_t);
 	htoun16(&pkt->length, len);
 	*out = chunk_clone(chunk_create(buf, len));
 	DBG2(DBG_TLS, "sending %N %s (%u bytes)",
-				   eap_type_names, this->type, kind, len);
+		 eap_type_names, this->type, kind, len);
 	DBG3(DBG_TLS, "%B", out);
 	return NEED_MORE;
 }
@@ -319,7 +330,7 @@ METHOD(tls_eap_t, process, status_t,
 	eap_tls_packet_t *pkt;
 	status_t status;
 
-	if (++this->processed > this->max_msg_count)
+	if (this->max_msg_count && ++this->processed > this->max_msg_count)
 	{
 		DBG1(DBG_TLS, "%N packet count exceeded (%d > %d)",
 			 eap_type_names, this->type,
@@ -441,7 +452,7 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
 		},
 		.type = type,
 		.is_server = tls->is_server(tls),
-		.first_fragment = TRUE,
+		.first_fragment = (type != EAP_TNC),
 		.frag_size = frag_size,
 		.max_msg_count = max_msg_count,
 		.include_length = include_length,
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index 62e36aaec..6e4347e3c 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -16,7 +16,12 @@
 #include "tls_fragmentation.h"
 
 #include <bio/bio_reader.h>
-#include <debug.h>
+#include <utils/debug.h>
+
+/**
+ * Maximum size of a TLS handshake message we accept
+ */
+#define TLS_MAX_HANDSHAKE_LEN	65536
 
 typedef struct private_tls_fragmentation_t private_tls_fragmentation_t;
 
@@ -94,16 +99,6 @@ struct private_tls_fragmentation_t {
 };
 
 /**
- * Maximum size of a TLS fragment
- */
-#define MAX_TLS_FRAGMENT_LEN 16384
-
-/**
- * Maximum size of a TLS handshake message we accept
- */
-#define MAX_TLS_HANDSHAKE_LEN 65536
-
-/**
  * Process a TLS alert
  */
 static status_t process_alert(private_tls_fragmentation_t *this,
@@ -134,7 +129,7 @@ static status_t process_handshake(private_tls_fragmentation_t *this,
 		status_t status;
 		chunk_t data;
 
-		if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+		if (reader->remaining(reader) > TLS_MAX_FRAGMENT_LEN)
 		{
 			DBG1(DBG_TLS, "TLS fragment has invalid length");
 			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
@@ -151,7 +146,7 @@ static status_t process_handshake(private_tls_fragmentation_t *this,
 				return NEED_MORE;
 			}
 			this->type = type;
-			if (len > MAX_TLS_HANDSHAKE_LEN)
+			if (len > TLS_MAX_HANDSHAKE_LEN)
 			{
 				DBG1(DBG_TLS, "TLS handshake exceeds maximum length");
 				this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
@@ -202,12 +197,18 @@ static status_t process_handshake(private_tls_fragmentation_t *this,
 static status_t process_application(private_tls_fragmentation_t *this,
 									bio_reader_t *reader)
 {
+	if (!this->handshake->finished(this->handshake))
+	{
+		DBG1(DBG_TLS, "received TLS application data, "
+			 "but handshake not finished");
+		return FAILED;
+	}
 	while (reader->remaining(reader))
 	{
 		status_t status;
 		chunk_t data;
 
-		if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+		if (reader->remaining(reader) > TLS_MAX_FRAGMENT_LEN)
 		{
 			DBG1(DBG_TLS, "TLS fragment has invalid length");
 			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
@@ -222,7 +223,7 @@ static status_t process_application(private_tls_fragmentation_t *this,
 				continue;
 			case SUCCESS:
 				this->application_finished = TRUE;
-				return SUCCESS;
+				/* FALL */
 			case FAILED:
 			default:
 				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
@@ -367,7 +368,7 @@ static status_t build_application(private_tls_fragmentation_t *this)
 				break;
 			case SUCCESS:
 				this->application_finished = TRUE;
-				break;
+				/* FALL */
 			case FAILED:
 			default:
 				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
@@ -390,6 +391,10 @@ METHOD(tls_fragmentation_t, build, status_t,
 			this->state = ALERT_SENT;
 			return INVALID_STATE;
 		case ALERT_SENT:
+			if (this->application_finished)
+			{
+				return SUCCESS;
+			}
 			return FAILED;
 		case ALERT_NONE:
 			break;
@@ -427,14 +432,14 @@ METHOD(tls_fragmentation_t, build, status_t,
 	if (this->output.len)
 	{
 		*type = this->output_type;
-		if (this->output.len <= MAX_TLS_FRAGMENT_LEN)
+		if (this->output.len <= TLS_MAX_FRAGMENT_LEN)
 		{
 			*data = this->output;
 			this->output = chunk_empty;
 			return NEED_MORE;
 		}
-		*data = chunk_create(this->output.ptr, MAX_TLS_FRAGMENT_LEN);
-		this->output = chunk_clone(chunk_skip(this->output, MAX_TLS_FRAGMENT_LEN));
+		*data = chunk_create(this->output.ptr, TLS_MAX_FRAGMENT_LEN);
+		this->output = chunk_clone(chunk_skip(this->output, TLS_MAX_FRAGMENT_LEN));
 		return NEED_MORE;
 	}
 	return status;
diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h
index bea0024eb..7fa660c58 100644
--- a/src/libtls/tls_handshake.h
+++ b/src/libtls/tls_handshake.h
@@ -84,6 +84,20 @@ struct tls_handshake_t {
 	bool (*finished)(tls_handshake_t *this);
 
 	/**
+	 * Get the peer identity authenticated/to authenticate during handshake.
+	 *
+	 * @return			peer identity
+	 */
+	identification_t* (*get_peer_id)(tls_handshake_t *this);
+
+	/**
+	 * Get the server identity authenticated/to authenticate during handshake.
+	 *
+	 * @return			server identity
+	 */
+	identification_t* (*get_server_id)(tls_handshake_t *this);
+
+	/**
 	 * Destroy a tls_handshake_t.
 	 */
 	void (*destroy)(tls_handshake_t *this);
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 6091702cf..b429da300 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -15,7 +15,7 @@
 
 #include "tls_peer.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 
 #include <time.h>
@@ -665,6 +665,8 @@ METHOD(tls_handshake_t, process, status_t,
 			{
 				return process_certreq(this, reader);
 			}
+			/* no cert request, server does not want to authenticate us */
+			DESTROY_IF(this->peer);
 			this->peer = NULL;
 			/* fall through since TLS_CERTIFICATE_REQUEST is optional */
 		case STATE_CERTREQ_RECEIVED:
@@ -709,13 +711,15 @@ static status_t send_client_hello(private_tls_peer_t *this,
 
 	htoun32(&this->client_random, time(NULL));
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng ||
+		!rng->get_bytes(rng, sizeof(this->client_random) - 4,
+						this->client_random + 4))
 	{
-		DBG1(DBG_TLS, "no suitable RNG found to generate client random");
+		DBG1(DBG_TLS, "failed to generate client random");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		DESTROY_IF(rng);
 		return NEED_MORE;
 	}
-	rng->get_bytes(rng, sizeof(this->client_random) - 4, this->client_random + 4);
 	rng->destroy(rng);
 
 	/* TLS version */
@@ -758,6 +762,7 @@ static status_t send_client_hello(private_tls_peer_t *this,
 	enumerator->destroy(enumerator);
 	if (curves)
 	{
+		curves->wrap16(curves);
 		extensions->write_data16(extensions, curves->get_buf(curves));
 		curves->destroy(curves);
 
@@ -847,6 +852,7 @@ static status_t send_certificate(private_tls_peer_t *this,
 	{
 		DBG1(DBG_TLS, "no TLS peer certificate found for '%Y', "
 			 "skipping client authentication", this->peer);
+		this->peer->destroy(this->peer);
 		this->peer = NULL;
 	}
 
@@ -903,20 +909,24 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
 	chunk_t encrypted;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (!rng)
+	if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
 	{
-		DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
+		DBG1(DBG_TLS, "failed to generate TLS premaster secret");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		DESTROY_IF(rng);
 		return NEED_MORE;
 	}
-	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
 	rng->destroy(rng);
 	htoun16(premaster, TLS_1_2);
 
-	this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
-								 this->session, this->server,
-								 chunk_from_thing(this->client_random),
-								 chunk_from_thing(this->server_random));
+	if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
+									  this->session, this->server,
+									  chunk_from_thing(this->client_random),
+									  chunk_from_thing(this->server_random)))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
 
 	public = find_public_key(this);
 	if (!public)
@@ -958,10 +968,15 @@ static status_t send_key_exchange_dhe(private_tls_peer_t *this,
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return NEED_MORE;
 	}
-	this->crypto->derive_secrets(this->crypto, premaster,
-								 this->session, this->server,
-								 chunk_from_thing(this->client_random),
-								 chunk_from_thing(this->server_random));
+	if (!this->crypto->derive_secrets(this->crypto, premaster,
+									  this->session, this->server,
+									  chunk_from_thing(this->client_random),
+									  chunk_from_thing(this->server_random)))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		chunk_clear(&premaster);
+		return NEED_MORE;
+	}
 	chunk_clear(&premaster);
 
 	this->dh->get_my_public_value(this->dh, &pub);
@@ -1120,11 +1135,25 @@ METHOD(tls_handshake_t, finished, bool,
 	return this->state == STATE_FINISHED_RECEIVED;
 }
 
+METHOD(tls_handshake_t, get_peer_id, identification_t*,
+	private_tls_peer_t *this)
+{
+	return this->peer;
+}
+
+METHOD(tls_handshake_t, get_server_id, identification_t*,
+	private_tls_peer_t *this)
+{
+	return this->server;
+}
+
 METHOD(tls_handshake_t, destroy, void,
 	private_tls_peer_t *this)
 {
 	DESTROY_IF(this->private);
 	DESTROY_IF(this->dh);
+	DESTROY_IF(this->peer);
+	this->server->destroy(this->server);
 	this->peer_auth->destroy(this->peer_auth);
 	this->server_auth->destroy(this->server_auth);
 	free(this->hashsig.ptr);
@@ -1149,6 +1178,8 @@ tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert
 				.cipherspec_changed = _cipherspec_changed,
 				.change_cipherspec = _change_cipherspec,
 				.finished = _finished,
+				.get_peer_id = _get_peer_id,
+				.get_server_id = _get_server_id,
 				.destroy = _destroy,
 			},
 		},
@@ -1156,8 +1187,8 @@ tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert
 		.tls = tls,
 		.crypto = crypto,
 		.alert = alert,
-		.peer = peer,
-		.server = server,
+		.peer = peer ? peer->clone(peer) : NULL,
+		.server = server->clone(server),
 		.peer_auth = auth_cfg_create(),
 		.server_auth = auth_cfg_create(),
 	);
diff --git a/src/libtls/tls_peer.h b/src/libtls/tls_peer.h
index f773ea72e..e4ff6f83c 100644
--- a/src/libtls/tls_peer.h
+++ b/src/libtls/tls_peer.h
@@ -41,11 +41,15 @@ struct tls_peer_t {
 
 /**
  * Create a tls_peer instance.
-*
+ *
+ * If a peer identity is given, but the client does not get requested or is
+ * otherwise unable to perform client authentication, NULL is returned in
+ * tls_handshake_t.get_peer_id() instead of the peer identity.
+ *
  * @param tls		TLS stack
  * @param crypto	TLS crypto helper
  * @param alert		TLS alert handler
- * @param peer		peer identity
+ * @param peer		peer identity, NULL to skip client authentication
  * @param server	server identity
  */
 tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
diff --git a/src/libtls/tls_prf.c b/src/libtls/tls_prf.c
index f181d01d3..918de1e50 100644
--- a/src/libtls/tls_prf.c
+++ b/src/libtls/tls_prf.c
@@ -33,16 +33,16 @@ struct private_tls_prf12_t {
 	prf_t *prf;
 };
 
-METHOD(tls_prf_t, set_key12, void,
+METHOD(tls_prf_t, set_key12, bool,
 	private_tls_prf12_t *this, chunk_t key)
 {
-	this->prf->set_key(this->prf, key);
+	return this->prf->set_key(this->prf, key);
 }
 
 /**
  * The P_hash function as in TLS 1.0/1.2
  */
-static void p_hash(prf_t *prf, char *label, chunk_t seed, size_t block_size,
+static bool p_hash(prf_t *prf, char *label, chunk_t seed, size_t block_size,
 				   size_t bytes, char *out)
 {
 	char buf[block_size], abuf[block_size];
@@ -56,11 +56,17 @@ static void p_hash(prf_t *prf, char *label, chunk_t seed, size_t block_size,
 	while (TRUE)
 	{
 		/* A(i) = HMAC_hash(secret, A(i-1)) */
-		prf->get_bytes(prf, a, abuf);
+		if (!prf->get_bytes(prf, a, abuf))
+		{
+			return FALSE;
+		}
 		a = chunk_from_thing(abuf);
 		/* HMAC_hash(secret, A(i) + seed) */
-		prf->get_bytes(prf, a, NULL);
-		prf->get_bytes(prf, seed, buf);
+		if (!prf->get_bytes(prf, a, NULL) ||
+			!prf->get_bytes(prf, seed, buf))
+		{
+			return FALSE;
+		}
 
 		if (bytes <= block_size)
 		{
@@ -71,14 +77,15 @@ static void p_hash(prf_t *prf, char *label, chunk_t seed, size_t block_size,
 		out += block_size;
 		bytes -= block_size;
 	}
+	return TRUE;
 }
 
-METHOD(tls_prf_t, get_bytes12, void,
+METHOD(tls_prf_t, get_bytes12, bool,
 	private_tls_prf12_t *this, char *label, chunk_t seed,
 	size_t bytes, char *out)
 {
-	p_hash(this->prf, label, seed, this->prf->get_block_size(this->prf),
-		   bytes, out);
+	return p_hash(this->prf, label, seed, this->prf->get_block_size(this->prf),
+				  bytes, out);
 }
 
 METHOD(tls_prf_t, destroy12, void,
@@ -135,26 +142,31 @@ struct private_tls_prf10_t {
 	prf_t *sha1;
 };
 
-METHOD(tls_prf_t, set_key10, void,
+METHOD(tls_prf_t, set_key10, bool,
 	private_tls_prf10_t *this, chunk_t key)
 {
 	size_t len = key.len / 2 + key.len % 2;
 
-	this->md5->set_key(this->md5, chunk_create(key.ptr, len));
-	this->sha1->set_key(this->sha1, chunk_create(key.ptr + key.len - len, len));
+	return this->md5->set_key(this->md5, chunk_create(key.ptr, len)) &&
+		   this->sha1->set_key(this->sha1, chunk_create(key.ptr + key.len - len,
+														len));
 }
 
-METHOD(tls_prf_t, get_bytes10, void,
+METHOD(tls_prf_t, get_bytes10, bool,
 	private_tls_prf10_t *this, char *label, chunk_t seed,
 	size_t bytes, char *out)
 {
 	char buf[bytes];
 
-	p_hash(this->md5, label, seed, this->md5->get_block_size(this->md5),
-		   bytes, out);
-	p_hash(this->sha1, label, seed, this->sha1->get_block_size(this->sha1),
-		   bytes, buf);
+	if (!p_hash(this->md5, label, seed, this->md5->get_block_size(this->md5),
+				bytes, out) ||
+		!p_hash(this->sha1, label, seed, this->sha1->get_block_size(this->sha1),
+				bytes, buf))
+	{
+		return FALSE;
+	}
 	memxor(out, buf, bytes);
+	return TRUE;
 }
 
 METHOD(tls_prf_t, destroy10, void,
diff --git a/src/libtls/tls_prf.h b/src/libtls/tls_prf.h
index 9fb9bc2de..095eaea3a 100644
--- a/src/libtls/tls_prf.h
+++ b/src/libtls/tls_prf.h
@@ -34,8 +34,9 @@ struct tls_prf_t {
 	 * Set the key of the PRF function.
 	 *
 	 * @param key		key to set
+	 * @return			TRUE if key set successfully
 	 */
-	void (*set_key)(tls_prf_t *this, chunk_t key);
+	bool (*set_key)(tls_prf_t *this, chunk_t key);
 
 	/**
 	 * Generate a series of bytes using a label and a seed.
@@ -44,8 +45,9 @@ struct tls_prf_t {
 	 * @param seed		seed input value
 	 * @param bytes		number of bytes to get
 	 * @param out		buffer receiving bytes
+	 * @return			TRUE if bytes generated successfully
 	 */
-	void (*get_bytes)(tls_prf_t *this, char *label, chunk_t seed,
+	bool (*get_bytes)(tls_prf_t *this, char *label, chunk_t seed,
 					  size_t bytes, char *out);
 
 	/**
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index dc734545c..0d5df18f7 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -15,7 +15,7 @@
 
 #include "tls_protection.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tls_protection_t private_tls_protection_t;
 
@@ -93,7 +93,7 @@ struct private_tls_protection_t {
 /**
  * Create the header and feed it into a signer for MAC verification
  */
-static void sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
+static bool sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
 					  u_int16_t version, u_int16_t length)
 {
 	/* we only support 32 bit sequence numbers, but TLS uses 64 bit */
@@ -110,7 +110,7 @@ static void sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
 	htoun16(&header.version, version);
 	htoun16(&header.length, length);
 
-	signer->get_signature(signer, chunk_from_thing(header), NULL);
+	return signer->get_signature(signer, chunk_from_thing(header), NULL);
 }
 
 METHOD(tls_protection_t, process, status_t,
@@ -150,7 +150,12 @@ METHOD(tls_protection_t, process, status_t,
 				return NEED_MORE;
 			}
 		}
-		this->crypter_in->decrypt(this->crypter_in, data, iv, NULL);
+		if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL))
+		{
+			free(next_iv.ptr);
+			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+			return NEED_MORE;
+		}
 
 		if (next_iv.len)
 		{	/* next record IV is last ciphertext block of this record */
@@ -180,8 +185,9 @@ METHOD(tls_protection_t, process, status_t,
 		mac = chunk_skip(data, data.len - bs);
 		data.len -= bs;
 
-		sigheader(this->signer_in, this->seq_in, type, this->version, data.len);
-		if (!this->signer_in->verify_signature(this->signer_in, data, mac))
+		if (!sigheader(this->signer_in, this->seq_in, type,
+					   this->version, data.len) ||
+			!this->signer_in->verify_signature(this->signer_in, data, mac))
 		{
 			DBG1(DBG_TLS, "TLS record MAC verification failed");
 			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
@@ -218,9 +224,13 @@ METHOD(tls_protection_t, build, status_t,
 		{
 			chunk_t mac;
 
-			sigheader(this->signer_out, this->seq_out, *type,
-					  this->version, data->len);
-			this->signer_out->allocate_signature(this->signer_out, *data, &mac);
+			if (!sigheader(this->signer_out, this->seq_out, *type,
+						   this->version, data->len) ||
+				!this->signer_out->allocate_signature(this->signer_out,
+						   *data, &mac))
+			{
+				return FAILED;
+			}
 			if (this->crypter_out)
 			{
 				chunk_t padding, iv;
@@ -238,20 +248,29 @@ METHOD(tls_protection_t, build, status_t,
 				}
 				else
 				{	/* TLSv1.1 uses random IVs, prepended to record */
-					if (!this->rng)
+					iv.len = this->crypter_out->get_iv_size(this->crypter_out);
+					if (!this->rng ||
+						!this->rng->allocate_bytes(this->rng, iv.len, &iv))
 					{
-						DBG1(DBG_TLS, "no RNG supported to generate TLS IV");
+						DBG1(DBG_TLS, "failed to generate TLS IV");
 						free(data->ptr);
 						return FAILED;
 					}
-					iv.len = this->crypter_out->get_iv_size(this->crypter_out);
-					this->rng->allocate_bytes(this->rng, iv.len, &iv);
 				}
 
 				*data = chunk_cat("mmcc", *data, mac, padding,
 								  chunk_from_thing(padding_length));
 				/* encrypt inline */
-				this->crypter_out->encrypt(this->crypter_out, *data, iv, NULL);
+				if (!this->crypter_out->encrypt(this->crypter_out, *data,
+												iv, NULL))
+				{
+					if (!this->iv_out.len)
+					{
+						free(iv.ptr);
+					}
+					free(data->ptr);
+					return FAILED;
+				}
 
 				if (this->iv_out.len)
 				{	/* next record IV is last ciphertext block of this record */
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index e3617dc9a..aeb5a714f 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -17,7 +17,7 @@
 
 #include <time.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 
 typedef struct private_tls_server_t private_tls_server_t;
@@ -80,6 +80,11 @@ struct private_tls_server_t {
 	identification_t *peer;
 
 	/**
+	 * Is it acceptable if we couldn't verify the peer certificate?
+	 */
+	bool peer_auth_optional;
+
+	/**
 	 * State we are in
 	 */
 	server_state_t state;
@@ -266,13 +271,15 @@ static status_t process_client_hello(private_tls_server_t *this,
 
 	htoun32(&this->server_random, time(NULL));
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng ||
+		!rng->get_bytes(rng, sizeof(this->server_random) - 4,
+						this->server_random + 4))
 	{
-		DBG1(DBG_TLS, "no suitable RNG found to generate server random");
+		DBG1(DBG_TLS, "failed to generate server random");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		DESTROY_IF(rng);
 		return NEED_MORE;
 	}
-	rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
 	rng->destroy(rng);
 
 	if (!this->tls->set_version(this->tls, version))
@@ -311,11 +318,11 @@ static status_t process_client_hello(private_tls_server_t *this,
 			return NEED_MORE;
 		}
 		rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-		if (rng)
+		if (!rng || !rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session))
 		{
-			rng->allocate_bytes(rng, SESSION_ID_SIZE, &this->session);
-			rng->destroy(rng);
+			DBG1(DBG_TLS, "generating TLS session identifier failed, skipped");
 		}
+		DESTROY_IF(rng);
 		DBG1(DBG_TLS, "negotiated %N using suite %N",
 			 tls_version_names, this->tls->get_version(this->tls),
 			 tls_cipher_suite_names, this->suite);
@@ -365,6 +372,12 @@ static status_t process_certificate(private_tls_server_t *this,
 				DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
 					 cert->get_subject(cert));
 				first = FALSE;
+				if (this->peer == NULL)
+				{	/* apply identity to authenticate */
+					this->peer = cert->get_subject(cert);
+					this->peer = this->peer->clone(this->peer);
+					this->peer_auth_optional = TRUE;
+				}
 			}
 			else
 			{
@@ -407,13 +420,13 @@ static status_t process_key_exchange_encrypted(private_tls_server_t *this,
 	htoun16(premaster, this->client_version);
 	/* pre-randomize premaster for failure cases */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
 	{
-		DBG1(DBG_TLS, "creating RNG failed");
+		DBG1(DBG_TLS, "failed to generate premaster secret");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		DESTROY_IF(rng);
 		return NEED_MORE;
 	}
-	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
 	rng->destroy(rng);
 
 	if (this->private &&
@@ -436,10 +449,14 @@ static status_t process_key_exchange_encrypted(private_tls_server_t *this,
 		DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
 	}
 
-	this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
-								 this->session, this->peer,
-								 chunk_from_thing(this->client_random),
-								 chunk_from_thing(this->server_random));
+	if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
+									  this->session, this->peer,
+									  chunk_from_thing(this->client_random),
+									  chunk_from_thing(this->server_random)))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
 
 	this->state = STATE_KEY_EXCHANGE_RECEIVED;
 	return NEED_MORE;
@@ -485,10 +502,15 @@ static status_t process_key_exchange_dhe(private_tls_server_t *this,
 		return NEED_MORE;
 	}
 
-	this->crypto->derive_secrets(this->crypto, premaster,
-								 this->session, this->peer,
-								 chunk_from_thing(this->client_random),
-								 chunk_from_thing(this->server_random));
+	if (!this->crypto->derive_secrets(this->crypto, premaster,
+									  this->session, this->peer,
+									  chunk_from_thing(this->client_random),
+									  chunk_from_thing(this->server_random)))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		chunk_clear(&premaster);
+		return NEED_MORE;
+	}
 	chunk_clear(&premaster);
 
 	this->state = STATE_KEY_EXCHANGE_RECEIVED;
@@ -539,13 +561,22 @@ static status_t process_cert_verify(private_tls_server_t *this,
 	{
 		DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
 			 this->peer);
-		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
-		return NEED_MORE;
+		if (!this->peer_auth_optional)
+		{	/* client authentication is required */
+			this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+			return NEED_MORE;
+		}
+		/* reset peer identity, we couldn't authenticate it */
+		this->peer->destroy(this->peer);
+		this->peer = NULL;
+		this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	}
+	else
+	{
+		this->state = STATE_CERT_VERIFY_RECEIVED;
 	}
-
 	this->crypto->append_handshake(this->crypto,
 								   TLS_CERTIFICATE_VERIFY, reader->peek(reader));
-	this->state = STATE_CERT_VERIFY_RECEIVED;
 	return NEED_MORE;
 }
 
@@ -968,11 +999,7 @@ METHOD(tls_handshake_t, build, status_t,
 			}
 			/* otherwise fall through to next state */
 		case STATE_KEY_EXCHANGE_SENT:
-			if (this->peer)
-			{
-				return send_certificate_request(this, type, writer);
-			}
-			/* otherwise fall through to next state */
+			return send_certificate_request(this, type, writer);
 		case STATE_CERTREQ_SENT:
 			return send_hello_done(this, type, writer);
 		case STATE_CIPHERSPEC_CHANGED_OUT:
@@ -1034,11 +1061,25 @@ METHOD(tls_handshake_t, finished, bool,
 	return this->state == STATE_FINISHED_SENT;
 }
 
+METHOD(tls_handshake_t, get_peer_id, identification_t*,
+	private_tls_server_t *this)
+{
+	return this->peer;
+}
+
+METHOD(tls_handshake_t, get_server_id, identification_t*,
+	private_tls_server_t *this)
+{
+	return this->server;
+}
+
 METHOD(tls_handshake_t, destroy, void,
 	private_tls_server_t *this)
 {
 	DESTROY_IF(this->private);
 	DESTROY_IF(this->dh);
+	DESTROY_IF(this->peer);
+	this->server->destroy(this->server);
 	this->peer_auth->destroy(this->peer_auth);
 	this->server_auth->destroy(this->server_auth);
 	free(this->hashsig.ptr);
@@ -1064,14 +1105,16 @@ tls_server_t *tls_server_create(tls_t *tls,
 				.cipherspec_changed = _cipherspec_changed,
 				.change_cipherspec = _change_cipherspec,
 				.finished = _finished,
+				.get_peer_id = _get_peer_id,
+				.get_server_id = _get_server_id,
 				.destroy = _destroy,
 			},
 		},
 		.tls = tls,
 		.crypto = crypto,
 		.alert = alert,
-		.server = server,
-		.peer = peer,
+		.server = server->clone(server),
+		.peer = peer ? peer->clone(peer) : NULL,
 		.state = STATE_INIT,
 		.peer_auth = auth_cfg_create(),
 		.server_auth = auth_cfg_create(),
diff --git a/src/libtls/tls_server.h b/src/libtls/tls_server.h
index 6289dc8eb..d6b8de153 100644
--- a/src/libtls/tls_server.h
+++ b/src/libtls/tls_server.h
@@ -42,11 +42,16 @@ struct tls_server_t {
 /**
  * Create a tls_server instance.
  *
+ * If a peer identity is given, the client must authenticate with a valid
+ * certificate for this identity, or the connection fails. If peer is NULL,
+ * but the client authenticates nonetheless, the authenticated identity
+ * gets returned by tls_handshake_t.get_peer_id().
+ *
  * @param tls		TLS stack
  * @param crypto	TLS crypto helper
  * @param alert		TLS alert handler
  * @param server	server identity
- * @param peer		peer identity
+ * @param peer		peer identity, or NULL
  */
 tls_server_t *tls_server_create(tls_t *tls,
 						tls_crypto_t *crypto, tls_alert_t *alert,
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 3abff596d..4ba964000 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -18,7 +18,7 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread.h>
 
 /**
@@ -42,14 +42,39 @@ struct private_tls_application_t {
 	tls_application_t application;
 
 	/**
-	 * Chunk of data to send
+	 * Output buffer to write to
 	 */
 	chunk_t out;
 
 	/**
-	 * Chunk of data received
+	 * Number of bytes written to out
+	 */
+	size_t out_done;
+
+	/**
+	 * Input buffer to read to
 	 */
 	chunk_t in;
+
+	/**
+	 * Number of bytes read to in
+	 */
+	size_t in_done;
+
+	/**
+	 * Cached input data
+	 */
+	chunk_t cache;
+
+	/**
+	 * Bytes consumed in cache
+	 */
+	size_t cache_done;
+
+	/**
+	 * Close TLS connection?
+	 */
+	bool close;
 };
 
 /**
@@ -82,22 +107,44 @@ METHOD(tls_application_t, process, status_t,
 	private_tls_application_t *this, bio_reader_t *reader)
 {
 	chunk_t data;
+	size_t len;
 
-	if (!reader->read_data(reader, reader->remaining(reader), &data))
+	if (this->close)
 	{
-		return FAILED;
+		return SUCCESS;
+	}
+	len = min(reader->remaining(reader), this->in.len - this->in_done);
+	if (len)
+	{	/* copy to read buffer as much as fits in */
+		if (!reader->read_data(reader, len, &data))
+		{
+			return FAILED;
+		}
+		memcpy(this->in.ptr + this->in_done, data.ptr, data.len);
+		this->in_done += data.len;
+	}
+	else
+	{	/* read buffer is full, cache for next read */
+		if (!reader->read_data(reader, reader->remaining(reader), &data))
+		{
+			return FAILED;
+		}
+		this->cache = chunk_cat("mc", this->cache, data);
 	}
-	this->in = chunk_cat("mc", this->in, data);
 	return NEED_MORE;
 }
 
 METHOD(tls_application_t, build, status_t,
 	private_tls_application_t *this, bio_writer_t *writer)
 {
-	if (this->out.len)
+	if (this->close)
+	{
+		return SUCCESS;
+	}
+	if (this->out.len > this->out_done)
 	{
 		writer->write_data(writer, this->out);
-		this->out = chunk_empty;
+		this->out_done = this->out.len;
 		return NEED_MORE;
 	}
 	return INVALID_STATE;
@@ -106,11 +153,12 @@ METHOD(tls_application_t, build, status_t,
 /**
  * TLS data exchange loop
  */
-static bool exchange(private_tls_socket_t *this, bool wr)
+static bool exchange(private_tls_socket_t *this, bool wr, bool block)
 {
 	char buf[CRYPTO_BUF_SIZE], *pos;
-	ssize_t len, out;
-	int round = 0;
+	ssize_t in, out;
+	size_t len;
+	int round = 0, flags;
 
 	for (round = 0; TRUE; round++)
 	{
@@ -137,6 +185,8 @@ static bool exchange(private_tls_socket_t *this, bool wr)
 					continue;
 				case INVALID_STATE:
 					break;
+				case SUCCESS:
+					return TRUE;
 				default:
 					return FALSE;
 			}
@@ -144,55 +194,97 @@ static bool exchange(private_tls_socket_t *this, bool wr)
 		}
 		if (wr)
 		{
-			if (this->app.out.len == 0)
+			if (this->app.out_done == this->app.out.len)
 			{	/* all data written */
 				return TRUE;
 			}
 		}
 		else
 		{
-			if (this->app.in.len)
-			{	/* some data received */
+			if (this->app.in_done == this->app.in.len)
+			{	/* buffer fully received */
 				return TRUE;
 			}
-			if (round > 0)
-			{	/* did some handshaking, return empty chunk to not block */
-				return TRUE;
+		}
+
+		flags = 0;
+		if (this->app.out_done == this->app.out.len)
+		{
+			if (!block || this->app.in_done)
+			{
+				flags |= MSG_DONTWAIT;
 			}
 		}
-		len = read(this->fd, buf, sizeof(buf));
-		if (len <= 0)
+		in = recv(this->fd, buf, sizeof(buf), flags);
+		if (in < 0)
 		{
+			if (errno == EAGAIN || errno == EWOULDBLOCK)
+			{
+				if (this->app.in_done == 0)
+				{
+					/* reading, nothing got yet, and call would block */
+					errno = EWOULDBLOCK;
+					this->app.in_done = -1;
+				}
+				return TRUE;
+			}
 			return FALSE;
 		}
-		if (this->tls->process(this->tls, buf, len) != NEED_MORE)
+		if (in == 0)
+		{	/* EOF */
+			return TRUE;
+		}
+		switch (this->tls->process(this->tls, buf, in))
 		{
-			return FALSE;
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				return TRUE;
+			default:
+				return FALSE;
 		}
 	}
 }
 
-METHOD(tls_socket_t, read_, bool,
-	private_tls_socket_t *this, chunk_t *buf)
+METHOD(tls_socket_t, read_, ssize_t,
+	private_tls_socket_t *this, void *buf, size_t len, bool block)
 {
-	if (exchange(this, FALSE))
+	if (this->app.cache.len)
 	{
-		*buf = this->app.in;
-		this->app.in = chunk_empty;
-		return TRUE;
+		size_t cache;
+
+		cache = min(len, this->app.cache.len - this->app.cache_done);
+		memcpy(buf, this->app.cache.ptr + this->app.cache_done, cache);
+
+		this->app.cache_done += cache;
+		if (this->app.cache_done == this->app.cache.len)
+		{
+			chunk_free(&this->app.cache);
+			this->app.cache_done = 0;
+		}
+		return cache;
 	}
-	return FALSE;
+	this->app.in.ptr = buf;
+	this->app.in.len = len;
+	this->app.in_done = 0;
+	if (exchange(this, FALSE, block))
+	{
+		return this->app.in_done;
+	}
+	return -1;
 }
 
-METHOD(tls_socket_t, write_, bool,
-	private_tls_socket_t *this, chunk_t buf)
+METHOD(tls_socket_t, write_, ssize_t,
+	private_tls_socket_t *this, void *buf, size_t len)
 {
-	this->app.out = buf;
-	if (exchange(this, TRUE))
+	this->app.out.ptr = buf;
+	this->app.out.len = len;
+	this->app.out_done = 0;
+	if (exchange(this, TRUE, FALSE))
 	{
-		return TRUE;
+		return this->app.out_done;
 	}
-	return FALSE;
+	return -1;
 }
 
 METHOD(tls_socket_t, splice, bool,
@@ -200,68 +292,85 @@ METHOD(tls_socket_t, splice, bool,
 {
 	char buf[PLAIN_BUF_SIZE], *pos;
 	fd_set set;
-	chunk_t data;
-	ssize_t len;
-	bool old;
+	ssize_t in, out;
+	bool old, plain_eof = FALSE, crypto_eof = FALSE;
 
-	while (TRUE)
+	while (!plain_eof && !crypto_eof)
 	{
 		FD_ZERO(&set);
 		FD_SET(rfd, &set);
 		FD_SET(this->fd, &set);
 
 		old = thread_cancelability(TRUE);
-		len = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
+		in = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
 		thread_cancelability(old);
-		if (len == -1)
+		if (in == -1)
 		{
 			DBG1(DBG_TLS, "TLS select error: %s", strerror(errno));
 			return FALSE;
 		}
-		if (FD_ISSET(this->fd, &set))
+		while (!plain_eof && FD_ISSET(this->fd, &set))
 		{
-			if (!read_(this, &data))
-			{
-				DBG2(DBG_TLS, "TLS read error/disconnect");
-				return TRUE;
-			}
-			pos = data.ptr;
-			while (data.len)
+			in = read_(this, buf, sizeof(buf), FALSE);
+			switch (in)
 			{
-				len = write(wfd, pos, data.len);
-				if (len == -1)
-				{
-					free(data.ptr);
-					DBG1(DBG_TLS, "TLS plain write error: %s", strerror(errno));
-					return FALSE;
-				}
-				data.len -= len;
-				pos += len;
+				case 0:
+					plain_eof = TRUE;
+					break;
+				case -1:
+					if (errno != EWOULDBLOCK)
+					{
+						DBG1(DBG_TLS, "TLS read error: %s", strerror(errno));
+						return FALSE;
+					}
+					break;
+				default:
+					pos = buf;
+					while (in)
+					{
+						out = write(wfd, pos, in);
+						if (out == -1)
+						{
+							DBG1(DBG_TLS, "TLS plain write error: %s",
+								 strerror(errno));
+							return FALSE;
+						}
+						in -= out;
+						pos += out;
+					}
+					continue;
 			}
-			free(data.ptr);
+			break;
 		}
-		if (FD_ISSET(rfd, &set))
+		if (!crypto_eof && FD_ISSET(rfd, &set))
 		{
-			len = read(rfd, buf, sizeof(buf));
-			if (len > 0)
-			{
-				if (!write_(this, chunk_create(buf, len)))
-				{
-					DBG1(DBG_TLS, "TLS write error");
-					return FALSE;
-				}
-			}
-			else
+			in = read(rfd, buf, sizeof(buf));
+			switch (in)
 			{
-				if (len < 0)
-				{
+				case 0:
+					crypto_eof = TRUE;
+					break;
+				case -1:
 					DBG1(DBG_TLS, "TLS plain read error: %s", strerror(errno));
 					return FALSE;
-				}
-				return TRUE;
+				default:
+					pos = buf;
+					while (in)
+					{
+						out = write_(this, pos, in);
+						if (out == -1)
+						{
+							DBG1(DBG_TLS, "TLS write error");
+							return FALSE;
+						}
+						in -= out;
+						pos += out;
+					}
+					break;
 			}
 		}
 	}
+	return TRUE;
 }
 
 METHOD(tls_socket_t, get_fd, int,
@@ -270,11 +379,26 @@ METHOD(tls_socket_t, get_fd, int,
 	return this->fd;
 }
 
+METHOD(tls_socket_t, get_server_id, identification_t*,
+	private_tls_socket_t *this)
+{
+	return this->tls->get_server_id(this->tls);
+}
+
+METHOD(tls_socket_t, get_peer_id, identification_t*,
+	private_tls_socket_t *this)
+{
+	return this->tls->get_peer_id(this->tls);
+}
+
 METHOD(tls_socket_t, destroy, void,
 	private_tls_socket_t *this)
 {
+	/* send a TLS close notify if not done yet */
+	this->app.close = TRUE;
+	write_(this, NULL, 0);
+	free(this->app.cache.ptr);
 	this->tls->destroy(this->tls);
-	free(this->app.in.ptr);
 	free(this);
 }
 
@@ -292,6 +416,8 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 			.write = _write_,
 			.splice = _splice,
 			.get_fd = _get_fd,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.destroy = _destroy,
 		},
 		.app = {
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
index edd05fd29..75130a4d3 100644
--- a/src/libtls/tls_socket.h
+++ b/src/libtls/tls_socket.h
@@ -35,24 +35,27 @@ typedef struct tls_socket_t tls_socket_t;
 struct tls_socket_t {
 
 	/**
-	 * Read data from secured socket, return allocated chunk.
+	 * Read data from secured socket.
 	 *
 	 * This call is blocking, you may use select() on the underlying socket to
-	 * wait for data. If the there was non-application data available, the
-	 * read function can return an empty chunk.
+	 * wait for data. If "block" is FALSE and no application data is available,
+	 * the function returns -1 and sets errno to EWOULDBLOCK.
 	 *
-	 * @param data		pointer to allocate received data
-	 * @return			TRUE if data received successfully
+	 * @param buf		buffer to write received data to
+	 * @param len		size of buffer
+	 * @param block		TRUE to block this call, FALSE to fail if it would block
+	 * @return			number of bytes read, 0 on EOF, -1 on error
 	 */
-	bool (*read)(tls_socket_t *this, chunk_t *data);
+	ssize_t (*read)(tls_socket_t *this, void *buf, size_t len, bool block);
 
 	/**
-	 * Write a chunk of data over the secured socket.
+	 * Write data over the secured socket.
 	 *
-	 * @param data		data to send
-	 * @return			TRUE if data sent successfully
+	 * @param buf		data to send
+	 * @param len		number of bytes to write from buf
+	 * @return			number of bytes written, -1 on error
 	 */
-	bool (*write)(tls_socket_t *this, chunk_t data);
+	ssize_t (*write)(tls_socket_t *this, void *buf, size_t len);
 
 	/**
 	 * Read/write plain data from file descriptor.
@@ -74,6 +77,20 @@ struct tls_socket_t {
 	int (*get_fd)(tls_socket_t *this);
 
 	/**
+	 * Return the server identity.
+	 *
+	 * @return			server identity
+	 */
+	identification_t* (*get_server_id)(tls_socket_t *this);
+
+	/**
+	 * Return the peer identity.
+	 *
+	 * @return			peer identity
+	 */
+	identification_t* (*get_peer_id)(tls_socket_t *this);
+
+	/**
 	 * Destroy a tls_socket_t.
 	 */
 	void (*destroy)(tls_socket_t *this);
diff --git a/src/libtnccs/Android.mk b/src/libtnccs/Android.mk
index a4bbc13f5..ad12e754d 100644
--- a/src/libtnccs/Android.mk
+++ b/src/libtnccs/Android.mk
@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libtnccs_la_SOURCES := \
 tnc/tnc.h tnc/tnc.c \
 tnc/imc/imc.h tnc/imc/imc_manager.h \
 tnc/imv/imv.h tnc/imv/imv_manager.h \
@@ -10,10 +10,13 @@ tnc/imv/imv_recommendations.h tnc/imv/imv_recommendations.c \
 tnc/tnccs/tnccs.h tnc/tnccs/tnccs.c \
 tnc/tnccs/tnccs_manager.h tnc/tnccs/tnccs_manager.c
 
+LOCAL_SRC_FILES := $(filter %.c,$(libtnccs_la_SOURCES))
+
 # build libtncif ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
 	$(libvstr_PATH) \
+	$(strongswan_PATH)/src/libtls \
 	$(strongswan_PATH)/src/libtncif \
 	$(strongswan_PATH)/src/libstrongswan
 
diff --git a/src/libtnccs/Makefile.am b/src/libtnccs/Makefile.am
index 449d32d92..720505757 100644
--- a/src/libtnccs/Makefile.am
+++ b/src/libtnccs/Makefile.am
@@ -1,5 +1,7 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtls
 
 ipseclib_LTLIBRARIES = libtnccs.la
 
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 61a51fb4c..014470480 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
@@ -72,48 +90,82 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 libtnccs_la_DEPENDENCIES = $(top_builddir)/src/libtncif/libtncif.la
 am_libtnccs_la_OBJECTS = tnc.lo imv_recommendations.lo tnccs.lo \
 	tnccs_manager.lo
 libtnccs_la_OBJECTS = $(am_libtnccs_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libtnccs_la_SOURCES)
 DIST_SOURCES = $(libtnccs_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -122,13 +174,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -141,6 +196,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -168,11 +224,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -180,6 +238,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -188,8 +247,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -198,14 +255,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -219,17 +281,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -239,16 +301,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -276,7 +337,11 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtncif \
+	-I$(top_srcdir)/src/libtls
+
 ipseclib_LTLIBRARIES = libtnccs.la
 libtnccs_la_LIBADD = $(top_builddir)/src/libtncif/libtncif.la
 libtnccs_la_SOURCES = \
@@ -324,7 +389,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipseclibdir)" || $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)"
 	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -332,6 +396,8 @@ install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
 	}
@@ -353,8 +419,8 @@ clean-ipseclibLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libtnccs.la: $(libtnccs_la_OBJECTS) $(libtnccs_la_DEPENDENCIES) 
-	$(LINK) -rpath $(ipseclibdir) $(libtnccs_la_OBJECTS) $(libtnccs_la_LIBADD) $(LIBS)
+libtnccs.la: $(libtnccs_la_OBJECTS) $(libtnccs_la_DEPENDENCIES) $(EXTRA_libtnccs_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libtnccs_la_OBJECTS) $(libtnccs_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -368,53 +434,53 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 tnc.lo: tnc/tnc.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnc.lo -MD -MP -MF $(DEPDIR)/tnc.Tpo -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnc.Tpo $(DEPDIR)/tnc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnc.c' object='tnc.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnc.lo -MD -MP -MF $(DEPDIR)/tnc.Tpo -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnc.Tpo $(DEPDIR)/tnc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/tnc.c' object='tnc.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnc.lo `test -f 'tnc/tnc.c' || echo '$(srcdir)/'`tnc/tnc.c
 
 imv_recommendations.lo: tnc/imv/imv_recommendations.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_recommendations.lo -MD -MP -MF $(DEPDIR)/imv_recommendations.Tpo -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/imv_recommendations.Tpo $(DEPDIR)/imv_recommendations.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/imv/imv_recommendations.c' object='imv_recommendations.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_recommendations.lo -MD -MP -MF $(DEPDIR)/imv_recommendations.Tpo -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/imv_recommendations.Tpo $(DEPDIR)/imv_recommendations.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/imv/imv_recommendations.c' object='imv_recommendations.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c
 
 tnccs.lo: tnc/tnccs/tnccs.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c
 
 tnccs_manager.lo: tnc/tnccs/tnccs_manager.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -521,10 +587,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libtnccs/tnc/imc/imc_manager.h b/src/libtnccs/tnc/imc/imc_manager.h
index 25e0efe9d..db033c4c0 100644
--- a/src/libtnccs/tnc/imc/imc_manager.h
+++ b/src/libtnccs/tnc/imc/imc_manager.h
@@ -55,7 +55,31 @@ struct imc_manager_t {
 	 * @param path				path of the IMC dynamic library file
 	 * @return					TRUE if loading succeeded
 	 */
-	 bool (*load)(imc_manager_t *this, char *name, char *path);
+	bool (*load)(imc_manager_t *this, char *name, char *path);
+
+	/**
+	 * Load and initialize an IMC from a set of TNC IMC functions.
+	 *
+	 * @param name						name of the IMC
+	 * @param initialize				TNC_IMC_InitializePointer
+	 * @param notify_connection_change	TNC_IMC_NotifyConnectionChangePointer
+	 * @param begin_handshake			TNC_IMC_BeginHandshakePointer
+	 * @param receive_message			TNC_IMC_ReceiveMessagePointer
+	 * @param receive_message_long		TNC_IMC_ReceiveMessageLongPointer
+	 * @param batch_ending				TNC_IMC_BatchEndingPointer
+	 * @param terminate					TNC_IMC_TerminatePointer
+	 * @param provide_bind_function		TNC_IMC_ProvideBindFunctionPointer
+	 * @return							TRUE if loading succeeded
+	 */
+	bool (*load_from_functions)(imc_manager_t *this, char *name,
+				TNC_IMC_InitializePointer initialize,
+				TNC_IMC_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMC_BeginHandshakePointer begin_handshake,
+				TNC_IMC_ReceiveMessagePointer receive_message,
+				TNC_IMC_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMC_BatchEndingPointer batch_ending,
+				TNC_IMC_TerminatePointer terminate,
+				TNC_IMC_ProvideBindFunctionPointer provide_bind_function);
 
 	/**
 	 * Check if an IMC with a given ID is registered with the IMC manager
diff --git a/src/libtnccs/tnc/imv/imv_manager.h b/src/libtnccs/tnc/imv/imv_manager.h
index 43f40973c..7772b7e08 100644
--- a/src/libtnccs/tnc/imv/imv_manager.h
+++ b/src/libtnccs/tnc/imv/imv_manager.h
@@ -56,8 +56,31 @@ struct imv_manager_t {
 	 * @param path				path of the IMV dynamic library file
 	 * @return					TRUE if loading succeeded
 	 */
-	 bool (*load)(imv_manager_t *this, char *name, char *path);
+	bool (*load)(imv_manager_t *this, char *name, char *path);
 
+	/**
+	 * Load and initialize an IMV from a set of TNC IMC functions.
+	 *
+	 * @param name						name of the IMV
+	 * @param initialize				TNC_IMV_InitializePointer
+	 * @param notify_connection_change	TNC_IMV_NotifyConnectionChangePointer
+	 * @param receive_message			TNC_IMV_ReceiveMessagePointer
+	 * @param receive_message_long		TNC_IMV_ReceiveMessageLongPointer
+	 * @param solicit_recommendation	TNC_IMV_SolicitRecommendationPointer
+	 * @param batch_ending				TNC_IMV_BatchEndingPointer
+	 * @param terminate					TNC_IMV_TerminatePointer
+	 * @param provide_bind_function		TNC_IMV_ProvideBindFunctionPointer
+	 * @return							TRUE if loading succeeded
+	 */
+	bool (*load_from_functions)(imv_manager_t *this, char *name,
+				TNC_IMV_InitializePointer initialize,
+				TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+				TNC_IMV_ReceiveMessagePointer receive_message,
+				TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+				TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+				TNC_IMV_BatchEndingPointer batch_ending,
+				TNC_IMV_TerminatePointer terminate,
+				TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
 
 	/**
 	 * Check if an IMV with a given ID is registered with the IMV manager
diff --git a/src/libtnccs/tnc/imv/imv_recommendations.h b/src/libtnccs/tnc/imv/imv_recommendations.h
index d694e16ae..e7fe355f7 100644
--- a/src/libtnccs/tnc/imv/imv_recommendations.h
+++ b/src/libtnccs/tnc/imv/imv_recommendations.h
@@ -68,6 +68,11 @@ struct recommendations_t {
 								TNC_IMV_Evaluation_Result *eval);
 
 	/**
+	 * Clear all recommendation information
+	 */
+	void (*clear_recommendation)(recommendations_t *this);
+
+	/**
 	 * Get the preferred language for remediation messages
 	 *
 	 * @return				preferred language
@@ -110,11 +115,6 @@ struct recommendations_t {
 	enumerator_t* (*create_reason_enumerator)(recommendations_t *this);
 
 	/**
-	 * Clears all reason entries
-	 */
-	void (*clear_reasons)(recommendations_t *this);
-
-	/**
 	 * Destroys an imv_t object.
 	 */
 	void (*destroy)(recommendations_t *this);
diff --git a/src/libtnccs/tnc/tnc.c b/src/libtnccs/tnc/tnc.c
index 652afc291..3a5b84596 100644
--- a/src/libtnccs/tnc/tnc.c
+++ b/src/libtnccs/tnc/tnc.c
@@ -23,7 +23,7 @@
 #include <fcntl.h>
 
 #include <utils/lexparser.h>
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_tnc_t private_tnc_t;
 
@@ -40,6 +40,11 @@ struct private_tnc_t {
 	 * Public members of tnc_t.
 	 */
 	tnc_t public;
+
+	/**
+	 * Number of times we have been initialized
+	 */
+	refcount_t ref;
 };
 
 /**
@@ -54,10 +59,18 @@ void libtnccs_init(void)
 {
 	private_tnc_t *this;
 
+	if (tnc)
+	{	/* already initialized, increase refcount */
+		this = (private_tnc_t*)tnc;
+		ref_get(&this->ref);
+		return;
+	}
+
 	INIT(this,
 		.public = {
 		},
-	);	
+		.ref = 1,
+	);
 
 	tnc = &this->public;
 }
@@ -69,18 +82,29 @@ void libtnccs_deinit(void)
 {
 	private_tnc_t *this = (private_tnc_t*)tnc;
 
+	if (!this || !ref_put(&this->ref))
+	{	/* have more users */
+		return;
+	}
+
 	free(this);
 	tnc = NULL;
 }
 
 static bool load_imcvs_from_config(char *filename, bool is_imc)
 {
+	bool success = FALSE;
 	int fd, line_nr = 0;
 	chunk_t src, line;
 	struct stat sb;
 	void *addr;
 	char *label;
 
+	if (!filename || !*filename)
+	{
+		return TRUE;
+	}
+
 	label = is_imc ? "IMC" : "IMV";
 
 	DBG1(DBG_TNC, "loading %ss from '%s'", label, filename);
@@ -110,7 +134,6 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 	while (fetchline(&src, &line))
 	{
 		char *name, *path;
-		bool success;
 		chunk_t token;
 
 		line_nr++;
@@ -126,7 +149,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 		{
 			DBG1(DBG_TNC, "line %d: keyword must be followed by a space",
 						   line_nr);
-			return FALSE;
+			break;
 		}
 
 		/* only interested in IMCs or IMVs depending on label */
@@ -141,20 +164,18 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 		{
 			DBG1(DBG_TNC, "line %d: %s name must be set in double quotes",
 						   line_nr, label);
-			return FALSE;
+			break;
 		}
 
 		/* copy the IMC/IMV name */
-		name = malloc(token.len + 1);
-		memcpy(name, token.ptr, token.len);
-		name[token.len] = '\0';
+		name = strndup(token.ptr, token.len);
 
 		/* advance to the IMC/IMV path and extract it */
 		if (!eat_whitespace(&line))
 		{
 			DBG1(DBG_TNC, "line %d: %s path is missing", line_nr, label);
 			free(name);
-			return FALSE;
+			break;
 		}
 		if (!extract_token(&token, ' ', &line))
 		{
@@ -162,9 +183,7 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 		}
 
 		/* copy the IMC/IMV path */
-		path = malloc(token.len + 1);
-		memcpy(path, token.ptr, token.len);
-		path[token.len] = '\0';
+		path = strndup(token.ptr, token.len);
 
 		/* load and register an IMC/IMV instance */
 		if (is_imc)
@@ -175,14 +194,16 @@ static bool load_imcvs_from_config(char *filename, bool is_imc)
 		{
 			success = tnc->imvs->load(tnc->imvs, name, path);
 		}
+		free(name);
+		free(path);
 		if (!success)
 		{
-			return FALSE;
+			break;
 		}
 	}
 	munmap(addr, sb.st_size);
 	close(fd);
-	return TRUE;
+	return success;
 }
 
 /**
@@ -243,24 +264,10 @@ bool tnc_manager_register(plugin_t *plugin, plugin_feature_t *feature,
 
 		if (load_imcvs)
 		{
-			char *tnc_config;
-
-			tnc_config = lib->settings->get_str(lib->settings,
-								"libtnccs.tnc_config", "/etc/tnc_config");
-			if (!load_imcvs_from_config(tnc_config, is_imc))
-			{
-				if (is_imc)
-				{
-					tnc->imcs->destroy(tnc->imcs);
-					tnc->imcs = NULL;
-				}
-				else
-				{
-					tnc->imvs->destroy(tnc->imvs);
-					tnc->imvs = NULL;
-				}
-				return FALSE;
-			}
+			load_imcvs_from_config(
+						lib->settings->get_str(lib->settings,
+									"libtnccs.tnc_config", "/etc/tnc_config"),
+						is_imc);
 		}
 	}
 	return TRUE;
diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h
index c3020d7c3..fd3e5cabb 100644
--- a/src/libtnccs/tnc/tnccs/tnccs.h
+++ b/src/libtnccs/tnc/tnccs/tnccs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2011 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 
 typedef struct tnccs_t tnccs_t;
 typedef enum tnccs_type_t tnccs_type_t;
+typedef enum tnc_ift_type_t tnc_ift_type_t;
 
 #include <tncif.h>
 #include <tncifimc.h>
@@ -34,6 +35,8 @@ typedef enum tnccs_type_t tnccs_type_t;
 #include <library.h>
 #include <plugins/plugin.h>
 
+#include <tls.h>
+
 /**
  * Type of TNC Client/Server protocol
  */
@@ -46,17 +49,75 @@ enum tnccs_type_t {
 };
 
 /**
+ * Type of TNC Transport protocol
+ */
+enum tnc_ift_type_t {
+	TNC_IFT_UNKNOWN,
+	TNC_IFT_EAP_1_0,
+	TNC_IFT_EAP_1_1,
+	TNC_IFT_EAP_2_0,
+	TNC_IFT_TLS_1_0,
+	TNC_IFT_TLS_2_0
+};
+
+/**
  * enum names for tnccs_type_t.
  */
 extern enum_name_t *tnccs_type_names;
 
 /**
+ * TNCCS public interface
+ */
+struct tnccs_t {
+
+	/**
+	 * Implements tls_t
+	 */
+	tls_t tls;
+
+	/**
+	 * Get underlying TNC IF-T transport protocol
+	 *
+	 * @return				TNC IF-T transport protocol
+	 */
+	tnc_ift_type_t (*get_transport)(tnccs_t *this);
+
+	/**
+	 * Set underlying TNC IF-T transport protocol
+	 *
+	 * @param transport		TNC IF-T transport protocol
+	 */
+	void (*set_transport)(tnccs_t *this, tnc_ift_type_t transport);
+
+	/**
+	 * Get type of TNC Client authentication
+	 *
+	 * @return				TNC Client authentication type
+	 */
+	u_int32_t (*get_auth_type)(tnccs_t *this);
+
+	/**
+	 * Set type of TNC Client authentication
+	 *
+	 * @param auth_type		TNC Client authentication type
+	 */
+	void (*set_auth_type)(tnccs_t *this, u_int32_t auth_type);
+
+};
+
+/**
  * Constructor definition for a pluggable TNCCS protocol implementation.
  *
  * @param is_server		TRUE if TNC Server, FALSE if TNC Client
+ * @param server		Server identity
+ * @param peer			Client identity
+ * @param transport		Underlying TNC IF-T transport protocol used
  * @return				implementation of the tnccs_t interface
  */
-typedef tnccs_t *(*tnccs_constructor_t)(bool is_server);
+typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
+										identification_t *server,
+										identification_t *peer,
+										tnc_ift_type_t transport);
 
 /**
  * Callback function adding a message to a TNCCS batch
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.c b/src/libtnccs/tnc/tnccs/tnccs_manager.c
index fa91bfb21..fca4b2584 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.c
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.c
@@ -17,7 +17,7 @@
 
 #include "tnc/tnc.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 /**
  * See header
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h
index 9ca450468..4ab9d7e18 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.h
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -56,10 +56,15 @@ struct tnccs_manager_t {
 	 *
 	 * @param type		  type of the TNCCS protocol
 	 * @param is_server	  TRUE if TNC Server, FALSE if TNC Client
+	 * @param server	  Server identity
+	 * @param peer		  Client identity
+	 * @param transport	  Underlying TNC IF-T transport protocol used
 	 * @return			  TNCCS protocol instance, NULL if no constructor found
 	 */
 	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
-								bool is_server);
+								bool is_server, identification_t *server,
+								identification_t *peer,
+								tnc_ift_type_t transport);
 
 	/**
 	 * Create a TNCCS connection and assign a unique connection ID as well a
@@ -70,6 +75,7 @@ struct tnccs_manager_t {
 	 * @param tnccs						TNCCS connection instance
 	 * @param send_message				TNCCS callback function
 	 * @param request_handshake_retry	pointer to boolean variable
+	 * @param max_msg_len				maximum PA-TNC message size
 	 * @param recs						pointer to IMV recommendation set
 	 * @return							assigned connection ID
 	 */
@@ -77,6 +83,7 @@ struct tnccs_manager_t {
 										  tnccs_type_t type, tnccs_t *tnccs,
 										  tnccs_send_message_t send_message,
 										  bool *request_handshake_retry,
+										  u_int32_t max_msg_len,
 										  recommendations_t **recs);
 
 	/**
diff --git a/src/libtncif/Android.mk b/src/libtncif/Android.mk
index ef406dd59..13ce6e11a 100644
--- a/src/libtncif/Android.mk
+++ b/src/libtncif/Android.mk
@@ -2,9 +2,13 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+libtncif_la_SOURCES := \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
-tncif_pa_subtypes.h tncif_pa_subtypes.c
+tncif_identity.h tncif_identity.c \
+tncif_pa_subtypes.h tncif_pa_subtypes.c \
+tncif_policy.h tncif_policy.c
+
+LOCAL_SRC_FILES := $(filter %.c,$(libtncif_la_SOURCES))
 
 # build libtncif ---------------------------------------------------------------
 
diff --git a/src/libtncif/Makefile.am b/src/libtncif/Makefile.am
index cc262ffca..3c7cb9ff2 100644
--- a/src/libtncif/Makefile.am
+++ b/src/libtncif/Makefile.am
@@ -1,9 +1,12 @@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
 
 noinst_LTLIBRARIES = libtncif.la
 
 libtncif_la_SOURCES = \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
-tncif_pa_subtypes.h tncif_pa_subtypes.c
+tncif_identity.h tncif_identity.c \
+tncif_pa_subtypes.h tncif_pa_subtypes.c \
+tncif_policy.h tncif_policy.c
 
 EXTRA_DIST = Android.mk
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 462b8bd3f..8c51dfd5c 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -45,52 +62,82 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 LTLIBRARIES = $(noinst_LTLIBRARIES)
 libtncif_la_LIBADD =
-am_libtncif_la_OBJECTS = tncif_names.lo tncif_pa_subtypes.lo
+am_libtncif_la_OBJECTS = tncif_names.lo tncif_identity.lo \
+	tncif_pa_subtypes.lo tncif_policy.lo
 libtncif_la_OBJECTS = $(am_libtncif_la_OBJECTS)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(libtncif_la_SOURCES)
 DIST_SOURCES = $(libtncif_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -99,13 +146,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -118,6 +168,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -145,11 +196,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -157,6 +210,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -165,8 +219,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -175,14 +227,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -196,17 +253,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -216,16 +273,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -253,11 +309,15 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
 noinst_LTLIBRARIES = libtncif.la
 libtncif_la_SOURCES = \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
-tncif_pa_subtypes.h tncif_pa_subtypes.c
+tncif_identity.h tncif_identity.c \
+tncif_pa_subtypes.h tncif_pa_subtypes.c \
+tncif_policy.h tncif_policy.c
 
 EXTRA_DIST = Android.mk
 all: all-am
@@ -303,8 +363,8 @@ clean-noinstLTLIBRARIES:
 	  echo "rm -f \"$${dir}/so_locations\""; \
 	  rm -f "$${dir}/so_locations"; \
 	done
-libtncif.la: $(libtncif_la_OBJECTS) $(libtncif_la_DEPENDENCIES) 
-	$(LINK)  $(libtncif_la_OBJECTS) $(libtncif_la_LIBADD) $(LIBS)
+libtncif.la: $(libtncif_la_OBJECTS) $(libtncif_la_DEPENDENCIES) $(EXTRA_libtncif_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(libtncif_la_OBJECTS) $(libtncif_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -312,29 +372,31 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_identity.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_names.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_pa_subtypes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncif_policy.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -438,10 +500,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/libtncif/tncif_identity.c b/src/libtncif/tncif_identity.c
new file mode 100644
index 000000000..7ee215c77
--- /dev/null
+++ b/src/libtncif/tncif_identity.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tncif_identity.h"
+
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_tncif_identity_t private_tncif_identity_t;
+
+/**
+ * TNC Identity List Attribute Format (TCG TNC IF-IMV 1.4 Draft)
+ *
+ *                      1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Identity Count                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |            Identity Type Vendor ID            |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Identity Type                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Identity Value Length                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                                                               |
+ *  ~                         Identity Value                        ~
+ *  |                                                               |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |            Subject Type Vendor ID             |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Subject Type                          |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |        Authentication Method Vendor ID        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Authentication Method                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of a tncif_identity_t object.
+ *
+ */
+struct private_tncif_identity_t {
+
+	/**
+	 * Public tncif_identity_t interface.
+	 */
+	tncif_identity_t public;
+
+	/**
+	 * Identity Type
+	 */
+	pen_type_t identity_type;
+
+	/**
+	 * Identity Value
+	 */
+	chunk_t identity_value;
+
+	/**
+	 * Subject Type
+	 */
+	pen_type_t subject_type;
+
+	/**
+	 * Authentication Type
+	 */
+	pen_type_t auth_type;
+};
+
+METHOD(tncif_identity_t, get_identity_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->identity_type;
+}
+
+METHOD(tncif_identity_t, get_identity_value, chunk_t,
+	private_tncif_identity_t *this)
+{
+	return this->identity_value;
+}
+
+METHOD(tncif_identity_t, get_subject_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->subject_type;
+}
+
+METHOD(tncif_identity_t, get_auth_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tncif_identity_t, build, void,
+	private_tncif_identity_t *this, bio_writer_t *writer)
+{
+	writer->write_uint32(writer, this->identity_type.vendor_id);
+	writer->write_uint32(writer, this->identity_type.type);
+	writer->write_data32(writer, this->identity_value);
+	writer->write_uint32(writer, this->subject_type.vendor_id);
+	writer->write_uint32(writer, this->subject_type.type);
+	writer->write_uint32(writer, this->auth_type.vendor_id);
+	writer->write_uint32(writer, this->auth_type.type);
+}
+
+METHOD(tncif_identity_t, process, bool,
+	private_tncif_identity_t *this, bio_reader_t *reader)
+{
+	u_int8_t reserved;
+	u_int32_t vendor_id, type;
+	chunk_t identity_value;
+
+	if (reader->remaining(reader) < TNCIF_IDENTITY_MIN_SIZE)
+	{
+		return FALSE;
+	}
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->identity_type = pen_type_create(vendor_id, type);
+
+	if (!reader->read_data32(reader, &identity_value) ||
+		 reader->remaining(reader) < 16)
+	{
+		return FALSE;
+	}
+	this->identity_value = chunk_clone(identity_value);
+
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->subject_type = pen_type_create(vendor_id, type);		
+
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->auth_type = pen_type_create(vendor_id, type);
+
+	return TRUE;
+}
+
+METHOD(tncif_identity_t, destroy, void,
+	private_tncif_identity_t *this)
+{
+	free(this->identity_value.ptr);
+	free(this);
+}
+
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create_empty(void)
+{
+	private_tncif_identity_t *this;
+
+	INIT(this,
+		.public = {
+			.get_identity_type = _get_identity_type,
+			.get_identity_value = _get_identity_value,
+			.get_subject_type = _get_subject_type,
+			.get_auth_type = _get_auth_type,
+			.build = _build,
+			.process = _process,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create(pen_type_t identity_type,
+										chunk_t identity_value,
+										pen_type_t subject_type,
+										pen_type_t auth_type)
+{
+	private_tncif_identity_t *this;
+
+	this = (private_tncif_identity_t*)tncif_identity_create_empty();
+	this->identity_type = identity_type;
+	this->identity_value = identity_value;
+	this->subject_type = subject_type;
+	this->auth_type = auth_type;
+
+	return &this->public;
+}
+
diff --git a/src/libtncif/tncif_identity.h b/src/libtncif/tncif_identity.h
new file mode 100644
index 000000000..ad872166f
--- /dev/null
+++ b/src/libtncif/tncif_identity.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtncif libtncif
+ *
+ * @addtogroup libtncif
+ * TNC interface definitions
+ *
+ * @defgroup tnc_identities tnc_identities
+ * @{ @ingroup libtncif
+ */
+
+#ifndef TNCIF_IDENTITY_H_
+#define TNCIF_IDENTITY_H_
+
+#include <library.h>
+
+#include <pen/pen.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+#define TNCIF_IDENTITY_MIN_SIZE			28
+
+typedef struct tncif_identity_t tncif_identity_t;
+
+/**
+ * Public interface of a TNC Identity object
+ */
+struct tncif_identity_t {
+
+	/**
+	 * Get the TNC Identity Type
+	 *
+	 * @return					TNC Identity Type
+	 */
+	pen_type_t (*get_identity_type)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Identity Value
+	 *
+	 * @return					TNC Identity Value
+	 */
+	chunk_t (*get_identity_value)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Subject Type
+	 *
+	 * @return					TNC Subject Type
+	 */
+	pen_type_t (*get_subject_type)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Authentication Type
+	 *
+	 * @return					TNC Authentication Type
+	 */
+	pen_type_t (*get_auth_type)(tncif_identity_t *this);
+
+	/**
+	 * Build the IF-IMV TNC Identity attribute encoding
+	 *
+	 * @param writer			writer to write encoded data to
+	 */
+	void (*build)(tncif_identity_t *this, bio_writer_t *writer);
+
+	/**
+	 * Process the IF-IMV TNC Identity attribute encoding
+	 *
+	 * @param reader			reader to read encoded data from
+	 * @return					TRUE if successful
+	 */
+	bool (*process)(tncif_identity_t *this, bio_reader_t *reader);
+
+	/**
+	 * Destroys a tncif_identity_t object.
+	 */
+	void (*destroy)(tncif_identity_t *this);
+
+};
+
+/**
+ * Create an empty TNC Identity object
+ */
+tncif_identity_t* tncif_identity_create_empty(void);
+
+/**
+ * Create an TNC Identity object from its components
+ *
+ * @param identity_type			TNC Identity Type
+ * @param identity_value		TNC Identity Value (not cloned by constructor)
+ * @param subject_type			TNC Subject Type
+ * @param auth_type				TNC Authentication Type
+ */
+tncif_identity_t* tncif_identity_create(pen_type_t identity_type,
+										chunk_t identity_value,
+										pen_type_t subject_type,
+										pen_type_t auth_type);
+
+#endif /** TNCIF_IDENTITY_H_ @}*/
diff --git a/src/libtncif/tncif_names.c b/src/libtncif/tncif_names.c
index c108776ec..ac948c8ba 100644
--- a/src/libtncif/tncif_names.c
+++ b/src/libtncif/tncif_names.c
@@ -45,3 +45,20 @@ ENUM(TNC_IMV_Evaluation_Result_names,
 	"error",
 	"don't know"
 );
+
+ENUM(TNC_Subject_names,
+	TNC_SUBJECT_UNKNOWN,
+	TNC_SUBJECT_USER,
+	"unknown",
+	"machine",
+	"user"
+);
+
+ENUM(TNC_Authentication_names,
+	TNC_AUTH_UNKNOWN,
+	TNC_AUTH_SIM,
+	"unknown method",
+	"certificate",
+	"password",
+	"SIM card"
+);
diff --git a/src/libtncif/tncif_names.h b/src/libtncif/tncif_names.h
index 9b50a34e9..75458f960 100644
--- a/src/libtncif/tncif_names.h
+++ b/src/libtncif/tncif_names.h
@@ -30,5 +30,7 @@
 extern enum_name_t *TNC_Connection_State_names;
 extern enum_name_t *TNC_IMV_Action_Recommendation_names;
 extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+extern enum_name_t *TNC_Subject_names;
+extern enum_name_t *TNC_Authentication_names;
 
 #endif /** TNCIF_NAME_H_ @}*/
diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c
index d15a1c864..bf1e999b3 100644
--- a/src/libtncif/tncif_pa_subtypes.c
+++ b/src/libtncif/tncif_pa_subtypes.c
@@ -33,11 +33,13 @@ ENUM_NEXT(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY, PA_SUBTYPE_IETF_ANY,
 );
 ENUM_END(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY);
 
-ENUM_BEGIN(pa_subtype_tcg_names, PA_SUBTYPE_TCG_PTS, PA_SUBTYPE_TCG_PTS,
-	"PTS"
+ENUM_BEGIN(pa_subtype_tcg_names, PA_SUBTYPE_TCG_PTS, PA_SUBTYPE_TCG_SWID,
+	"PTS",
+	"SCAP",
+	"SWID"
 );
 ENUM_NEXT(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY, PA_SUBTYPE_TCG_ANY,
-								PA_SUBTYPE_TCG_PTS,
+								PA_SUBTYPE_TCG_SWID,
 	"ANY"
 );
 ENUM_END(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY);
@@ -61,12 +63,12 @@ ENUM_NEXT(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY, PA_SUBTYPE_FHH_ANY,
 );
 ENUM_END(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY);
 
-ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_SCANNER,
+ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_ECHO,
 	"Test",
-	"Scanner"
+	"Echo"
 );
 ENUM_NEXT(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY, PA_SUBTYPE_ITA_ANY,
-								PA_SUBTYPE_ITA_SCANNER,
+								PA_SUBTYPE_ITA_ECHO,
 	"ANY"
 );
 ENUM_END(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY);
diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h
index 0be495bfc..0855d1df3 100644
--- a/src/libtncif/tncif_pa_subtypes.h
+++ b/src/libtncif/tncif_pa_subtypes.h
@@ -54,6 +54,8 @@ extern enum_name_t *pa_subtype_ietf_names;
  */
  enum pa_subtype_tcg_t {
 	PA_SUBTYPE_TCG_PTS =				0x01,
+	PA_SUBTYPE_TCG_SCAP =				0x02,
+	PA_SUBTYPE_TCG_SWID =				0x03,
 	PA_SUBTYPE_TCG_ANY =				0xff
 };
 
@@ -84,7 +86,7 @@ extern enum_name_t *pa_subtype_fhh_names;
  */
  enum pa_subtype_ita_t {
 	PA_SUBTYPE_ITA_TEST =				0x01,
-	PA_SUBTYPE_ITA_SCANNER =			0x02,
+	PA_SUBTYPE_ITA_ECHO =				0x02,
 	PA_SUBTYPE_ITA_ANY =				0xff
 };
 
diff --git a/src/libtncif/tncif_policy.c b/src/libtncif/tncif_policy.c
new file mode 100644
index 000000000..1fa88e344
--- /dev/null
+++ b/src/libtncif/tncif_policy.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tncif_policy.h"
+
+/**
+ * See header
+ */
+TNC_IMV_Evaluation_Result tncif_policy_update_evaluation(
+									TNC_IMV_Evaluation_Result eval,
+									TNC_IMV_Evaluation_Result eval_add)
+{
+	switch (eval)
+	{
+		case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+			switch (eval_add)
+			{
+				case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+				case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+				case TNC_IMV_EVALUATION_RESULT_ERROR:
+					eval = eval_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+			switch (eval_add)
+			{
+				case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+				case TNC_IMV_EVALUATION_RESULT_ERROR:
+					eval = eval_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+			switch (eval_add)
+			{
+				case TNC_IMV_EVALUATION_RESULT_ERROR:
+					eval = eval_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+			eval = eval_add;
+			break;
+		default:
+			break;
+	}
+	return eval;
+}
+
+/**
+ * See header
+ */
+TNC_IMV_Action_Recommendation tncif_policy_update_recommendation(
+									TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Action_Recommendation rec_add)
+{
+	switch (rec)
+	{
+		case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+			switch (rec_add)
+			{
+				case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+				case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+					rec = rec_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+			switch (rec_add)
+			{
+				case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+					rec = rec_add;
+					break;
+				default:
+					break;
+			}
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+			rec = rec_add;
+			break;
+		default:
+			break;
+	}
+	return rec;
+}
diff --git a/src/libtncif/tncif_policy.h b/src/libtncif/tncif_policy.h
new file mode 100644
index 000000000..d9f553b72
--- /dev/null
+++ b/src/libtncif/tncif_policy.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtncif libtncif
+ *
+ * @addtogroup libtncif
+ * TNC interface definitions
+ *
+ * @defgroup tnc_policy tnc_policy
+ * @{ @ingroup libtncif
+ */
+
+#ifndef TNCIF_POLICY_H_
+#define TNCIF_POLICY_H_
+
+#include "tncifimv.h"
+
+/**
+ * Create an empty TNC Identity object
+ *
+ * @param eval			Existing evaluation to be updated
+ * @param eval_add		Partial evaluation to be added
+ * @return				Updated evaluation
+ */
+TNC_IMV_Evaluation_Result tncif_policy_update_evaluation(
+									TNC_IMV_Evaluation_Result eval,
+									TNC_IMV_Evaluation_Result eval_add);
+
+/**
+ * Create an empty TNC Identity object
+ *
+ * @param rec			Existing recommendationto be updated
+ * @param rec_add		Partial recommendation to be added
+ * @return				Updated recommendation
+ */
+TNC_IMV_Action_Recommendation tncif_policy_update_recommendation(
+									TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Action_Recommendation rec_add);
+
+#endif /** TNCIF_POLICY_H_ @}*/
diff --git a/src/libtncif/tncifimv.h b/src/libtncif/tncifimv.h
index 3c9db0055..ecd4fd45b 100644
--- a/src/libtncif/tncifimv.h
+++ b/src/libtncif/tncifimv.h
@@ -209,6 +209,30 @@ typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)(
 #define TNC_ATTRIBUTEID_SOH ((TNC_AttributeID) 0x00559706)
 #define TNC_ATTRIBUTEID_SSOH ((TNC_AttributeID) 0x00559707)
 #define TNC_ATTRIBUTEID_PRIMARY_IMV_ID ((TNC_AttributeID) 0x00559710)
+#define TNC_ATTRIBUTEID_AR_IDENTITIES ((TNC_AttributeID) 0x00559712)
+
+/* TNC Identity Types */
+
+#define TNC_ID_UNKNOWN 0
+#define TNC_ID_IPV4_ADDR 1
+#define TNC_ID_IPV6_ADDR 2
+#define TNC_ID_FQDN 3
+#define TNC_ID_EMAIL_ADDR 4
+#define TNC_ID_USERNAME 5
+#define TNC_ID_X500_DN 6
+
+/* TNC Subject Types */
+
+#define TNC_SUBJECT_UNKNOWN 0
+#define TNC_SUBJECT_MACHINE 1
+#define TNC_SUBJECT_USER 2
+
+/* TNC Authentication Types */
+
+#define TNC_AUTH_UNKNOWN 0
+#define TNC_AUTH_X509_CERT 1
+#define TNC_AUTH_PASSWORD 2
+#define TNC_AUTH_SIM 3
 
 /* IMV Functions */
 
diff --git a/src/manager/Makefile.am b/src/manager/Makefile.am
index 045c77896..41001dd8b 100644
--- a/src/manager/Makefile.am
+++ b/src/manager/Makefile.am
@@ -13,11 +13,16 @@ controller/gateway_controller.c controller/gateway_controller.h
 manager_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
 main.o :	$(top_builddir)/config.status
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${manager_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${manager_plugins}\""
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 manager_templatesdir = ${managerdir}/templates
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 8ae5ebf36..041d914c6 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(managerdir)" \
@@ -72,21 +90,42 @@ am__DEPENDENCIES_1 =
 manager_fcgi_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libfast/libfast.la $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(manager_fcgi_SOURCES)
 DIST_SOURCES = $(manager_fcgi_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -108,6 +147,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 DATA = $(manager_templates_DATA) $(manager_templates_auth_DATA) \
 	$(manager_templates_config_DATA) \
 	$(manager_templates_control_DATA) \
@@ -120,21 +165,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -143,13 +195,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -162,6 +217,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -189,11 +245,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -201,6 +259,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -209,8 +268,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -219,14 +276,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -240,17 +302,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -260,16 +322,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -307,11 +368,16 @@ controller/config_controller.c controller/config_controller.h \
 controller/gateway_controller.c controller/gateway_controller.h
 
 manager_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la ${xml_LIBS}
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_CFLAGS}
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${manager_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${manager_plugins}\""
+
+AM_CFLAGS = \
+	${xml_CFLAGS} \
+	-rdynamic
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
@@ -383,8 +449,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-managerPROGRAMS: $(manager_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(managerdir)" || $(MKDIR_P) "$(DESTDIR)$(managerdir)"
 	@list='$(manager_PROGRAMS)'; test -n "$(managerdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(managerdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(managerdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -424,9 +493,9 @@ clean-managerPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES) 
+manager.fcgi$(EXEEXT): $(manager_fcgi_OBJECTS) $(manager_fcgi_DEPENDENCIES) $(EXTRA_manager_fcgi_DEPENDENCIES) 
 	@rm -f manager.fcgi$(EXEEXT)
-	$(LINK) $(manager_fcgi_OBJECTS) $(manager_fcgi_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(manager_fcgi_OBJECTS) $(manager_fcgi_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -446,95 +515,95 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xml.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 auth_controller.o: controller/auth_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.o -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/auth_controller.c' object='auth_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.o -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/auth_controller.c' object='auth_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.o `test -f 'controller/auth_controller.c' || echo '$(srcdir)/'`controller/auth_controller.c
 
 auth_controller.obj: controller/auth_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.obj -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/auth_controller.c' object='auth_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_controller.obj -MD -MP -MF $(DEPDIR)/auth_controller.Tpo -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_controller.Tpo $(DEPDIR)/auth_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/auth_controller.c' object='auth_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_controller.obj `if test -f 'controller/auth_controller.c'; then $(CYGPATH_W) 'controller/auth_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/auth_controller.c'; fi`
 
 ikesa_controller.o: controller/ikesa_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.o -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/ikesa_controller.c' object='ikesa_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.o -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/ikesa_controller.c' object='ikesa_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.o `test -f 'controller/ikesa_controller.c' || echo '$(srcdir)/'`controller/ikesa_controller.c
 
 ikesa_controller.obj: controller/ikesa_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.obj -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/ikesa_controller.c' object='ikesa_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ikesa_controller.obj -MD -MP -MF $(DEPDIR)/ikesa_controller.Tpo -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ikesa_controller.Tpo $(DEPDIR)/ikesa_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/ikesa_controller.c' object='ikesa_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ikesa_controller.obj `if test -f 'controller/ikesa_controller.c'; then $(CYGPATH_W) 'controller/ikesa_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/ikesa_controller.c'; fi`
 
 control_controller.o: controller/control_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.o -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/control_controller.c' object='control_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.o -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/control_controller.c' object='control_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.o `test -f 'controller/control_controller.c' || echo '$(srcdir)/'`controller/control_controller.c
 
 control_controller.obj: controller/control_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.obj -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/control_controller.c' object='control_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT control_controller.obj -MD -MP -MF $(DEPDIR)/control_controller.Tpo -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/control_controller.Tpo $(DEPDIR)/control_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/control_controller.c' object='control_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o control_controller.obj `if test -f 'controller/control_controller.c'; then $(CYGPATH_W) 'controller/control_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/control_controller.c'; fi`
 
 config_controller.o: controller/config_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.o -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/config_controller.c' object='config_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.o -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/config_controller.c' object='config_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.o `test -f 'controller/config_controller.c' || echo '$(srcdir)/'`controller/config_controller.c
 
 config_controller.obj: controller/config_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.obj -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/config_controller.c' object='config_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT config_controller.obj -MD -MP -MF $(DEPDIR)/config_controller.Tpo -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/config_controller.Tpo $(DEPDIR)/config_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/config_controller.c' object='config_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o config_controller.obj `if test -f 'controller/config_controller.c'; then $(CYGPATH_W) 'controller/config_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/config_controller.c'; fi`
 
 gateway_controller.o: controller/gateway_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.o -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/gateway_controller.c' object='gateway_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.o -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/gateway_controller.c' object='gateway_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.o `test -f 'controller/gateway_controller.c' || echo '$(srcdir)/'`controller/gateway_controller.c
 
 gateway_controller.obj: controller/gateway_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.obj -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/gateway_controller.c' object='gateway_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gateway_controller.obj -MD -MP -MF $(DEPDIR)/gateway_controller.Tpo -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gateway_controller.Tpo $(DEPDIR)/gateway_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/gateway_controller.c' object='gateway_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gateway_controller.obj `if test -f 'controller/gateway_controller.c'; then $(CYGPATH_W) 'controller/gateway_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/gateway_controller.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -543,8 +612,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-manager_templatesDATA: $(manager_templates_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templatesdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templatesdir)"
 	@list='$(manager_templates_DATA)'; test -n "$(manager_templatesdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templatesdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templatesdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -558,13 +630,14 @@ uninstall-manager_templatesDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_DATA)'; test -n "$(manager_templatesdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templatesdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templatesdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templatesdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_authDATA: $(manager_templates_auth_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_authdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_authdir)"
 	@list='$(manager_templates_auth_DATA)'; test -n "$(manager_templates_authdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_authdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_authdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -578,13 +651,14 @@ uninstall-manager_templates_authDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_auth_DATA)'; test -n "$(manager_templates_authdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_authdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_authdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_authdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_configDATA: $(manager_templates_config_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_configdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_configdir)"
 	@list='$(manager_templates_config_DATA)'; test -n "$(manager_templates_configdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_configdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_configdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -598,13 +672,14 @@ uninstall-manager_templates_configDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_config_DATA)'; test -n "$(manager_templates_configdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_configdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_configdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_configdir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_controlDATA: $(manager_templates_control_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_controldir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_controldir)"
 	@list='$(manager_templates_control_DATA)'; test -n "$(manager_templates_controldir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_controldir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_controldir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -618,13 +693,14 @@ uninstall-manager_templates_controlDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_control_DATA)'; test -n "$(manager_templates_controldir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_controldir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_controldir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_controldir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_gatewayDATA: $(manager_templates_gateway_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_gatewaydir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_gatewaydir)"
 	@list='$(manager_templates_gateway_DATA)'; test -n "$(manager_templates_gatewaydir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_gatewaydir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_gatewaydir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -638,13 +714,14 @@ uninstall-manager_templates_gatewayDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_gateway_DATA)'; test -n "$(manager_templates_gatewaydir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_gatewaydir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_gatewaydir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_gatewaydir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_ikesaDATA: $(manager_templates_ikesa_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_ikesadir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_ikesadir)"
 	@list='$(manager_templates_ikesa_DATA)'; test -n "$(manager_templates_ikesadir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_ikesadir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_ikesadir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -658,13 +735,14 @@ uninstall-manager_templates_ikesaDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_ikesa_DATA)'; test -n "$(manager_templates_ikesadir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_ikesadir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_ikesadir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_ikesadir)'; $(am__uninstall_files_from_dir)
 install-manager_templates_staticDATA: $(manager_templates_static_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(manager_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(manager_templates_staticdir)"
 	@list='$(manager_templates_static_DATA)'; test -n "$(manager_templates_staticdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(manager_templates_staticdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(manager_templates_staticdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -678,9 +756,7 @@ uninstall-manager_templates_staticDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(manager_templates_static_DATA)'; test -n "$(manager_templates_staticdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(manager_templates_staticdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(manager_templates_staticdir)" && rm -f $$files
+	dir='$(DESTDIR)$(manager_templates_staticdir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -781,10 +857,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/manager/controller/auth_controller.c b/src/manager/controller/auth_controller.c
index c9a9b5461..5f2de5154 100644
--- a/src/manager/controller/auth_controller.c
+++ b/src/manager/controller/auth_controller.c
@@ -37,14 +37,14 @@ struct private_auth_controller_t {
 	manager_t *manager;
 };
 
-static void login(private_auth_controller_t *this, request_t *request)
+static void login(private_auth_controller_t *this, fast_request_t *request)
 {
 	request->set(request, "action", "check");
 	request->set(request, "title", "Login");
 	request->render(request, "templates/auth/login.cs");
 }
 
-static void check(private_auth_controller_t *this, request_t *request)
+static void check(private_auth_controller_t *this, fast_request_t *request)
 {
 	char *username, *password;
 
@@ -61,20 +61,20 @@ static void check(private_auth_controller_t *this, request_t *request)
 	}
 }
 
-static void logout(private_auth_controller_t *this, request_t *request)
+static void logout(private_auth_controller_t *this, fast_request_t *request)
 {
 	this->manager->logout(this->manager);
 	request->redirect(request, "auth/login");
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_auth_controller_t *this)
 {
 	return "auth";
 }
 
-METHOD(controller_t, handle, void,
-	private_auth_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_auth_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (action)
@@ -95,7 +95,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "auth/login");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_auth_controller_t *this)
 {
 	free(this);
@@ -104,7 +104,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *auth_controller_create(context_t *context, void *param)
+fast_controller_t *auth_controller_create(fast_context_t *context, void *param)
 {
 	private_auth_controller_t *this;
 
@@ -121,4 +121,3 @@ controller_t *auth_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/auth_controller.h b/src/manager/controller/auth_controller.h
index 41e669fd0..07292273d 100644
--- a/src/manager/controller/auth_controller.h
+++ b/src/manager/controller/auth_controller.h
@@ -15,14 +15,13 @@
 
 /**
  * @defgroup auth_controller auth_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef AUTH_CONTROLLER_H_
 #define AUTH_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct auth_controller_t auth_controller_t;
 
@@ -34,12 +33,12 @@ struct auth_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a auth_controller controller instance.
  */
-controller_t *auth_controller_create(context_t *context, void *param);
+fast_controller_t *auth_controller_create(fast_context_t *context, void *param);
 
 #endif /** AUTH_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/config_controller.c b/src/manager/controller/config_controller.c
index 154ab615e..bc93c542d 100644
--- a/src/manager/controller/config_controller.c
+++ b/src/manager/controller/config_controller.c
@@ -44,7 +44,7 @@ struct private_config_controller_t {
  * read XML of a peerconfig element and fill template
  */
 static void process_peerconfig(private_config_controller_t *this,
-							   enumerator_t *e, request_t *r)
+							   enumerator_t *e, fast_request_t *r)
 {
 	xml_t *xml;
 	enumerator_t *e1, *e2, *e3;
@@ -115,7 +115,7 @@ static void process_peerconfig(private_config_controller_t *this,
 	}
 }
 
-static void list(private_config_controller_t *this, request_t *r)
+static void list(private_config_controller_t *this, fast_request_t *r)
 {
 	gateway_t *gateway;
 	xml_t *xml;
@@ -149,14 +149,14 @@ static void list(private_config_controller_t *this, request_t *r)
 	}
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_config_controller_t *this)
 {
 	return "config";
 }
 
-METHOD(controller_t, handle, void,
-	private_config_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_config_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -177,7 +177,7 @@ METHOD(controller_t, handle, void,
 	return request->redirect(request, "config/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_config_controller_t *this)
 {
 	free(this);
@@ -186,7 +186,8 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *config_controller_create(context_t *context, void *param)
+fast_controller_t *config_controller_create(fast_context_t *context,
+											void *param)
 {
 	private_config_controller_t *this;
 
@@ -203,4 +204,3 @@ controller_t *config_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/config_controller.h b/src/manager/controller/config_controller.h
index 07cafd4ff..504ec8c3b 100644
--- a/src/manager/controller/config_controller.h
+++ b/src/manager/controller/config_controller.h
@@ -15,14 +15,13 @@
 
 /**
  * @defgroup config_controller config_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef CONFIG_CONTROLLER_H_
 #define CONFIG_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct config_controller_t config_controller_t;
 
@@ -34,12 +33,13 @@ struct config_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a config_controller controller instance.
  */
-controller_t *config_controller_create(context_t *context, void *param);
+fast_controller_t *config_controller_create(fast_context_t *context,
+											void *param);
 
 #endif /** CONFIG_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/control_controller.c b/src/manager/controller/control_controller.c
index 68238d02f..f275986d2 100644
--- a/src/manager/controller/control_controller.c
+++ b/src/manager/controller/control_controller.c
@@ -43,7 +43,7 @@ struct private_control_controller_t {
 /**
  * handle the result of a control operation
  */
-static void handle_result(private_control_controller_t *this, request_t *r,
+static void handle_result(private_control_controller_t *this, fast_request_t *r,
 						  enumerator_t *e)
 {
 	enumerator_t *e1;
@@ -93,7 +93,7 @@ static void handle_result(private_control_controller_t *this, request_t *r,
 /**
  * initiate an IKE or CHILD SA
  */
-static void initiate(private_control_controller_t *this, request_t *r,
+static void initiate(private_control_controller_t *this, fast_request_t *r,
 					 bool ike, char *config)
 {
 	gateway_t *gateway;
@@ -108,7 +108,7 @@ static void initiate(private_control_controller_t *this, request_t *r,
 /**
  * terminate an IKE or CHILD SA
  */
-static void terminate(private_control_controller_t *this, request_t *r,
+static void terminate(private_control_controller_t *this, fast_request_t *r,
 					  bool ike, u_int32_t id)
 {
 	gateway_t *gateway;
@@ -120,14 +120,14 @@ static void terminate(private_control_controller_t *this, request_t *r,
 	handle_result(this, r, e);
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_control_controller_t *this)
 {
 	return "control";
 }
 
-METHOD(controller_t, handle, void,
-	private_control_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_control_controller_t *this, fast_request_t *request, char *action,
 	char *str, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -174,7 +174,7 @@ METHOD(controller_t, handle, void,
 	return request->redirect(request, "ikesa/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_control_controller_t *this)
 {
 	free(this);
@@ -183,7 +183,8 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *control_controller_create(context_t *context, void *param)
+fast_controller_t *control_controller_create(fast_context_t *context,
+											 void *param)
 {
 	private_control_controller_t *this;
 
@@ -200,4 +201,3 @@ controller_t *control_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/control_controller.h b/src/manager/controller/control_controller.h
index c9bc1e4b3..0342f8ca2 100644
--- a/src/manager/controller/control_controller.h
+++ b/src/manager/controller/control_controller.h
@@ -15,14 +15,13 @@
 
 /**
  * @defgroup control_controller control_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef CONTROL_CONTROLLER_H_
 #define CONTROL_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct control_controller_t control_controller_t;
 
@@ -34,12 +33,13 @@ struct control_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a control_controller controller instance.
  */
-controller_t *control_controller_create(context_t *context, void *param);
+fast_controller_t *control_controller_create(fast_context_t *context,
+											 void *param);
 
 #endif /** CONTROL_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/gateway_controller.c b/src/manager/controller/gateway_controller.c
index 39d344502..6c0257980 100644
--- a/src/manager/controller/gateway_controller.c
+++ b/src/manager/controller/gateway_controller.c
@@ -39,7 +39,7 @@ struct private_gateway_controller_t {
 
 };
 
-static void list(private_gateway_controller_t *this, request_t *request)
+static void list(private_gateway_controller_t *this, fast_request_t *request)
 {
 	enumerator_t *enumerator;
 	char *name, *address;
@@ -66,7 +66,7 @@ static void list(private_gateway_controller_t *this, request_t *request)
 	request->render(request, "templates/gateway/list.cs");
 }
 
-static void _select(private_gateway_controller_t *this, request_t *request)
+static void _select(private_gateway_controller_t *this, fast_request_t *request)
 {
 	char *id;
 
@@ -82,14 +82,14 @@ static void _select(private_gateway_controller_t *this, request_t *request)
 	request->redirect(request, "gateway/list");
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_gateway_controller_t *this)
 {
 	return "gateway";
 }
 
-METHOD(controller_t, handle, void,
-	private_gateway_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_gateway_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -110,7 +110,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "gateway/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_gateway_controller_t *this)
 {
 	free(this);
@@ -119,7 +119,8 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *gateway_controller_create(context_t *context, void *param)
+fast_controller_t *gateway_controller_create(fast_context_t *context,
+											 void *param)
 {
 	private_gateway_controller_t *this;
 
@@ -136,4 +137,3 @@ controller_t *gateway_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/gateway_controller.h b/src/manager/controller/gateway_controller.h
index 7d77bdccb..170bc1bdb 100644
--- a/src/manager/controller/gateway_controller.h
+++ b/src/manager/controller/gateway_controller.h
@@ -15,14 +15,13 @@
 
 /**
  * @defgroup gateway_controller gateway_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef GATEWAY_CONTROLLER_H_
 #define GATEWAY_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct gateway_controller_t gateway_controller_t;
 
@@ -34,12 +33,13 @@ struct gateway_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a gateway_controller controller instance.
  */
-controller_t *gateway_controller_create(context_t *context, void *param);
+fast_controller_t *gateway_controller_create(fast_context_t *context,
+											 void *param);
 
 #endif /** GATEWAY_CONTROLLER_H_ @}*/
diff --git a/src/manager/controller/ikesa_controller.c b/src/manager/controller/ikesa_controller.c
index 716d51a7a..df0e5f475 100644
--- a/src/manager/controller/ikesa_controller.c
+++ b/src/manager/controller/ikesa_controller.c
@@ -44,7 +44,7 @@ struct private_ikesa_controller_t {
  * read XML of a childsa element and fill template
  */
 static void process_childsa(private_ikesa_controller_t *this, char *id,
-							enumerator_t *e, request_t *r)
+							enumerator_t *e, fast_request_t *r)
 {
 	xml_t *xml;
 	enumerator_t *e1, *e2;
@@ -96,7 +96,7 @@ static void process_childsa(private_ikesa_controller_t *this, char *id,
  * read XML of a ikesa element and fill template
  */
 static void process_ikesa(private_ikesa_controller_t *this,
-						  enumerator_t *e, request_t *r)
+						  enumerator_t *e, fast_request_t *r)
 {
 	xml_t *xml;
 	enumerator_t *e1, *e2;
@@ -139,7 +139,7 @@ static void process_ikesa(private_ikesa_controller_t *this,
 	}
 }
 
-static void list(private_ikesa_controller_t *this, request_t *r)
+static void list(private_ikesa_controller_t *this, fast_request_t *r)
 {
 	gateway_t *gateway;
 	xml_t *xml;
@@ -173,14 +173,14 @@ static void list(private_ikesa_controller_t *this, request_t *r)
 	}
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_ikesa_controller_t *this)
 {
 	return "ikesa";
 }
 
-METHOD(controller_t, handle, void,
-	private_ikesa_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_ikesa_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (!this->manager->logged_in(this->manager))
@@ -201,7 +201,7 @@ METHOD(controller_t, handle, void,
 	return request->redirect(request, "ikesa/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_ikesa_controller_t *this)
 {
 	free(this);
@@ -210,7 +210,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *ikesa_controller_create(context_t *context, void *param)
+fast_controller_t *ikesa_controller_create(fast_context_t *context, void *param)
 {
 	private_ikesa_controller_t *this;
 
@@ -227,4 +227,3 @@ controller_t *ikesa_controller_create(context_t *context, void *param)
 
 	return &this->public.controller;
 }
-
diff --git a/src/manager/controller/ikesa_controller.h b/src/manager/controller/ikesa_controller.h
index 3f6779629..592047539 100644
--- a/src/manager/controller/ikesa_controller.h
+++ b/src/manager/controller/ikesa_controller.h
@@ -15,14 +15,13 @@
 
 /**
  * @defgroup ikesa_controller ikesa_controller
- * @{ @ingroup controller
+ * @{ @ingroup manager_controller
  */
 
 #ifndef IKESA_CONTROLLER_H_
 #define IKESA_CONTROLLER_H_
 
-
-#include <controller.h>
+#include <fast_controller.h>
 
 typedef struct ikesa_controller_t ikesa_controller_t;
 
@@ -34,12 +33,12 @@ struct ikesa_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a ikesa_controller controller instance.
  */
-controller_t *ikesa_controller_create(context_t *context, void *param);
+fast_controller_t *ikesa_controller_create(fast_context_t *context, void *param);
 
 #endif /** IKESA_CONTROLLER_H_ @}*/
diff --git a/src/manager/gateway.h b/src/manager/gateway.h
index db44a2ffa..5792ebf02 100644
--- a/src/manager/gateway.h
+++ b/src/manager/gateway.h
@@ -21,8 +21,8 @@
 #ifndef GATEWAY_H_
 #define GATEWAY_H_
 
-#include <utils/host.h>
-#include <utils/enumerator.h>
+#include <networking/host.h>
+#include <collections/enumerator.h>
 
 typedef struct gateway_t gateway_t;
 
diff --git a/src/manager/main.c b/src/manager/main.c
index 5c297cf0c..5c845b157 100644
--- a/src/manager/main.c
+++ b/src/manager/main.c
@@ -13,8 +13,8 @@
  * for more details.
  */
 
-#include <dispatcher.h>
-#include <debug.h>
+#include <fast_dispatcher.h>
+#include <utils/debug.h>
 #include <stdio.h>
 
 #include "manager.h"
@@ -27,7 +27,7 @@
 
 int main (int arc, char *argv[])
 {
-	dispatcher_t *dispatcher;
+	fast_dispatcher_t *dispatcher;
 	storage_t *storage;
 	char *socket;
 	char *database;
@@ -35,7 +35,7 @@ int main (int arc, char *argv[])
 	int threads, timeout;
 
 	library_init(NULL);
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "manager.load", PLUGINS)))
 	{
 		return 1;
@@ -50,7 +50,7 @@ int main (int arc, char *argv[])
 	{
 		DBG1(DBG_LIB, "database URI undefined, set manager.database "
 			 "in strongswan.conf");
-		return 1;
+		//return 1;
 	}
 
 	storage = storage_create(database);
@@ -59,8 +59,8 @@ int main (int arc, char *argv[])
 		return 1;
 	}
 
-	dispatcher = dispatcher_create(socket, debug, timeout,
-						(context_constructor_t)manager_create, storage);
+	dispatcher = fast_dispatcher_create(socket, debug, timeout,
+						(fast_context_constructor_t)manager_create, storage);
 	dispatcher->add_controller(dispatcher, ikesa_controller_create, NULL);
 	dispatcher->add_controller(dispatcher, gateway_controller_create, NULL);
 	dispatcher->add_controller(dispatcher, auth_controller_create, NULL);
@@ -78,4 +78,3 @@ int main (int arc, char *argv[])
 
 	return 0;
 }
-
diff --git a/src/manager/manager.c b/src/manager/manager.c
index b6f3951c4..22a4191d9 100644
--- a/src/manager/manager.c
+++ b/src/manager/manager.c
@@ -17,7 +17,7 @@
 
 #include "gateway.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_manager_t private_manager_t;
 
@@ -118,7 +118,7 @@ METHOD(manager_t, logout, void,
 	this->user = 0;
 }
 
-METHOD(context_t, destroy, void,
+METHOD(fast_context_t, destroy, void,
 	private_manager_t *this)
 {
 	if (this->gateway) this->gateway->destroy(this->gateway);
@@ -148,4 +148,3 @@ manager_t *manager_create(storage_t *storage)
 
 	return &this->public;
 }
-
diff --git a/src/manager/manager.h b/src/manager/manager.h
index f7620833a..e0ed7fcaf 100644
--- a/src/manager/manager.h
+++ b/src/manager/manager.h
@@ -16,7 +16,7 @@
 /**
  * @defgroup manager manager
  *
- * @defgroup controller controller
+ * @defgroup manager_controller controller
  * @ingroup manager
  *
  * @defgroup manager_i manager
@@ -29,7 +29,7 @@
 #include "storage.h"
 #include "gateway.h"
 
-#include <context.h>
+#include <fast_context.h>
 
 typedef struct manager_t manager_t;
 
@@ -41,7 +41,7 @@ struct manager_t {
 	/**
 	 * implements context_t interface
 	 */
-	context_t context;
+	fast_context_t context;
 
 	/**
 	 * Create an enumerator over all configured gateways.
diff --git a/src/manager/storage.c b/src/manager/storage.c
index 5461a4288..6a8e76e5e 100644
--- a/src/manager/storage.c
+++ b/src/manager/storage.c
@@ -58,7 +58,11 @@ METHOD(storage_t, login, int,
 	data = chunk_alloca(username_len + password_len);
 	memcpy(data.ptr, username, username_len);
 	memcpy(data.ptr + username_len, password, password_len);
-	hasher->get_hash(hasher, data, hash.ptr);
+	if (!hasher->get_hash(hasher, data, hash.ptr))
+	{
+		hasher->destroy(hasher);
+		return 0;
+	}
 	hasher->destroy(hasher);
 	hex_str = chunk_to_hex(hash, NULL, FALSE);
 
diff --git a/src/manager/storage.h b/src/manager/storage.h
index 69459e5aa..4324e99fe 100644
--- a/src/manager/storage.h
+++ b/src/manager/storage.h
@@ -21,7 +21,7 @@
 #ifndef STORAGE_H_
 #define STORAGE_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 
 typedef struct storage_t storage_t;
diff --git a/src/manager/xml.h b/src/manager/xml.h
index 0c362fed1..bd11cb4f8 100644
--- a/src/manager/xml.h
+++ b/src/manager/xml.h
@@ -21,7 +21,7 @@
 #ifndef XML_H_
 #define XML_H_
 
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 
 typedef struct xml_t xml_t;
 
diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am
index 43da9c4e5..40bafd856 100644
--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@@ -10,11 +10,15 @@ controller/peer_controller.c controller/peer_controller.h
 medsrv_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la
 main.o :	$(top_builddir)/config.status
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${medsrv_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${medsrv_plugins}\""
+
+AM_CFLAGS = \
+	-rdynamic
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 medsrv_templatesdir = ${medsrvdir}/templates
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 95f02c580..e9709d375 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -17,6 +17,23 @@
 
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(medsrvdir)" \
@@ -66,21 +84,42 @@ medsrv_fcgi_OBJECTS = $(am_medsrv_fcgi_OBJECTS)
 medsrv_fcgi_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libfast/libfast.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(medsrv_fcgi_SOURCES)
 DIST_SOURCES = $(medsrv_fcgi_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -102,6 +141,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 DATA = $(medsrv_templates_DATA) $(medsrv_templates_peer_DATA) \
 	$(medsrv_templates_static_DATA) $(medsrv_templates_user_DATA)
 ETAGS = etags
@@ -110,21 +155,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -133,13 +185,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -152,6 +207,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -179,11 +235,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -191,6 +249,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -199,8 +258,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -209,14 +266,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -230,17 +292,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -250,16 +312,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -294,11 +355,15 @@ controller/user_controller.c controller/user_controller.h \
 controller/peer_controller.c controller/peer_controller.h
 
 medsrv_fcgi_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libfast/libfast.la
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
-AM_CFLAGS = -rdynamic \
-  -DIPSECDIR=\"${ipsecdir}\" \
-  -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${medsrv_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libfast \
+	-DIPSECDIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${medsrv_plugins}\""
+
+AM_CFLAGS = \
+	-rdynamic
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
@@ -360,8 +425,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-medsrvPROGRAMS: $(medsrv_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrvdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrvdir)"
 	@list='$(medsrv_PROGRAMS)'; test -n "$(medsrvdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrvdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrvdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -401,9 +469,9 @@ clean-medsrvPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES) 
+medsrv.fcgi$(EXEEXT): $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_DEPENDENCIES) $(EXTRA_medsrv_fcgi_DEPENDENCIES) 
 	@rm -f medsrv.fcgi$(EXEEXT)
-	$(LINK) $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(medsrv_fcgi_OBJECTS) $(medsrv_fcgi_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -418,67 +486,67 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/user_controller.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 auth_filter.o: filter/auth_filter.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.o -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='filter/auth_filter.c' object='auth_filter.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.o -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='filter/auth_filter.c' object='auth_filter.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.o `test -f 'filter/auth_filter.c' || echo '$(srcdir)/'`filter/auth_filter.c
 
 auth_filter.obj: filter/auth_filter.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.obj -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='filter/auth_filter.c' object='auth_filter.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_filter.obj -MD -MP -MF $(DEPDIR)/auth_filter.Tpo -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/auth_filter.Tpo $(DEPDIR)/auth_filter.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='filter/auth_filter.c' object='auth_filter.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_filter.obj `if test -f 'filter/auth_filter.c'; then $(CYGPATH_W) 'filter/auth_filter.c'; else $(CYGPATH_W) '$(srcdir)/filter/auth_filter.c'; fi`
 
 user_controller.o: controller/user_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.o -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/user_controller.c' object='user_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.o -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/user_controller.c' object='user_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.o `test -f 'controller/user_controller.c' || echo '$(srcdir)/'`controller/user_controller.c
 
 user_controller.obj: controller/user_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.obj -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/user_controller.c' object='user_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT user_controller.obj -MD -MP -MF $(DEPDIR)/user_controller.Tpo -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/user_controller.Tpo $(DEPDIR)/user_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/user_controller.c' object='user_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o user_controller.obj `if test -f 'controller/user_controller.c'; then $(CYGPATH_W) 'controller/user_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/user_controller.c'; fi`
 
 peer_controller.o: controller/peer_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.o -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/peer_controller.c' object='peer_controller.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.o -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/peer_controller.c' object='peer_controller.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.o `test -f 'controller/peer_controller.c' || echo '$(srcdir)/'`controller/peer_controller.c
 
 peer_controller.obj: controller/peer_controller.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.obj -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='controller/peer_controller.c' object='peer_controller.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_controller.obj -MD -MP -MF $(DEPDIR)/peer_controller.Tpo -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/peer_controller.Tpo $(DEPDIR)/peer_controller.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='controller/peer_controller.c' object='peer_controller.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_controller.obj `if test -f 'controller/peer_controller.c'; then $(CYGPATH_W) 'controller/peer_controller.c'; else $(CYGPATH_W) '$(srcdir)/controller/peer_controller.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -487,8 +555,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-medsrv_templatesDATA: $(medsrv_templates_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templatesdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templatesdir)"
 	@list='$(medsrv_templates_DATA)'; test -n "$(medsrv_templatesdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templatesdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templatesdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -502,13 +573,14 @@ uninstall-medsrv_templatesDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_DATA)'; test -n "$(medsrv_templatesdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templatesdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templatesdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templatesdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_peerDATA: $(medsrv_templates_peer_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templates_peerdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_peerdir)"
 	@list='$(medsrv_templates_peer_DATA)'; test -n "$(medsrv_templates_peerdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templates_peerdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_peerdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -522,13 +594,14 @@ uninstall-medsrv_templates_peerDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_peer_DATA)'; test -n "$(medsrv_templates_peerdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templates_peerdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templates_peerdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templates_peerdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_staticDATA: $(medsrv_templates_static_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templates_staticdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_staticdir)"
 	@list='$(medsrv_templates_static_DATA)'; test -n "$(medsrv_templates_staticdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templates_staticdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_staticdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -542,13 +615,14 @@ uninstall-medsrv_templates_staticDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_static_DATA)'; test -n "$(medsrv_templates_staticdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templates_staticdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templates_staticdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templates_staticdir)'; $(am__uninstall_files_from_dir)
 install-medsrv_templates_userDATA: $(medsrv_templates_user_DATA)
 	@$(NORMAL_INSTALL)
-	test -z "$(medsrv_templates_userdir)" || $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_userdir)"
 	@list='$(medsrv_templates_user_DATA)'; test -n "$(medsrv_templates_userdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(medsrv_templates_userdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(medsrv_templates_userdir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -562,9 +636,7 @@ uninstall-medsrv_templates_userDATA:
 	@$(NORMAL_UNINSTALL)
 	@list='$(medsrv_templates_user_DATA)'; test -n "$(medsrv_templates_userdir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(medsrv_templates_userdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(medsrv_templates_userdir)" && rm -f $$files
+	dir='$(DESTDIR)$(medsrv_templates_userdir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -665,10 +737,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c
index edcf653b2..4943647b5 100755..100644
--- a/src/medsrv/controller/peer_controller.c
+++ b/src/medsrv/controller/peer_controller.c
@@ -20,7 +20,7 @@
 #include "peer_controller.h"
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 #include <utils/identification.h>
@@ -52,7 +52,7 @@ struct private_peer_controller_t {
 /**
  * list the configured peer configs
  */
-static void list(private_peer_controller_t *this, request_t *request)
+static void list(private_peer_controller_t *this, fast_request_t *request)
 {
 	enumerator_t *query;
 
@@ -83,7 +83,7 @@ static void list(private_peer_controller_t *this, request_t *request)
 /**
  * verify a peer alias
  */
-static bool verify_alias(private_peer_controller_t *this, request_t *request,
+static bool verify_alias(private_peer_controller_t *this, fast_request_t *request,
 						 char *alias)
 {
 	if (!alias || *alias == '\0')
@@ -117,7 +117,7 @@ static bool verify_alias(private_peer_controller_t *this, request_t *request,
  * parse and verify a public key
  */
 static bool parse_public_key(private_peer_controller_t *this,
-							 request_t *request, char *public_key,
+							 fast_request_t *request, char *public_key,
 							 chunk_t *encoding, chunk_t *keyid)
 {
 	public_key_t *public;
@@ -153,7 +153,7 @@ static bool parse_public_key(private_peer_controller_t *this,
 /**
  * register a new peer
  */
-static void add(private_peer_controller_t *this, request_t *request)
+static void add(private_peer_controller_t *this, fast_request_t *request)
 {
 	char *alias = "", *public_key = "";
 
@@ -231,7 +231,7 @@ char* pem_encode(chunk_t der)
 /**
  * edit a peer
  */
-static void edit(private_peer_controller_t *this, request_t *request, int id)
+static void edit(private_peer_controller_t *this, fast_request_t *request, int id)
 {
 	char *alias = "", *public_key = "", *pem;
 	chunk_t encoding, keyid;
@@ -305,21 +305,21 @@ static void edit(private_peer_controller_t *this, request_t *request, int id)
 /**
  * delete a peer from the database
  */
-static void delete(private_peer_controller_t *this, request_t *request, int id)
+static void delete(private_peer_controller_t *this, fast_request_t *request, int id)
 {
 	this->db->execute(this->db, NULL,
 					  "DELETE FROM peer WHERE id = ? AND user = ?",
 					  DB_INT, id, DB_UINT, this->user->get_user(this->user));
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_peer_controller_t *this)
 {
 	return "peer";
 }
 
-METHOD(controller_t, handle, void,
-	private_peer_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_peer_controller_t *this, fast_request_t *request, char *action,
 	char *idstr, char *p3, char *p4, char *p5)
 {
 	if (action)
@@ -350,7 +350,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "peer/list");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_peer_controller_t *this)
 {
 	free(this);
@@ -359,7 +359,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *peer_controller_create(user_t *user, database_t *db)
+fast_controller_t *peer_controller_create(user_t *user, database_t *db)
 {
 	private_peer_controller_t *this;
 
@@ -377,4 +377,3 @@ controller_t *peer_controller_create(user_t *user, database_t *db)
 
 	return &this->public.controller;
 }
-
diff --git a/src/medsrv/controller/peer_controller.h b/src/medsrv/controller/peer_controller.h
index f25c30281..1282156b7 100755..100644
--- a/src/medsrv/controller/peer_controller.h
+++ b/src/medsrv/controller/peer_controller.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup peer_controller_server peer_controller
- * @{ @ingroup controller_server
+ * @{ @ingroup medsrv
  */
 
 #ifndef PEER_CONTROLLER_H_
@@ -24,7 +24,7 @@
 
 #include <user.h>
 
-#include <controller.h>
+#include <fast_controller.h>
 #include <database/database.h>
 
 typedef struct peer_controller_t peer_controller_t;
@@ -37,12 +37,12 @@ struct peer_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a peer_controller controller instance.
  */
-controller_t *peer_controller_create(user_t *user, database_t *db);
+fast_controller_t *peer_controller_create(user_t *user, database_t *db);
 
-#endif /* PEER_CONTROLLER_H_ @} */
+#endif /** PEER_CONTROLLER_H_ @}*/
diff --git a/src/medsrv/controller/user_controller.c b/src/medsrv/controller/user_controller.c
index 12bd938fe..36d04e12c 100755..100644
--- a/src/medsrv/controller/user_controller.c
+++ b/src/medsrv/controller/user_controller.c
@@ -64,7 +64,11 @@ static chunk_t hash_password(char *login, char *password)
 	}
 	data = chunk_cata("cc",	chunk_create(login, strlen(login)),
 							chunk_create(password, strlen(password)));
-	hasher->allocate_hash(hasher, data, &hash);
+	if (!hasher->allocate_hash(hasher, data, &hash))
+	{
+		hasher->destroy(hasher);
+		return chunk_empty;
+	}
 	hasher->destroy(hasher);
 	return hash;
 }
@@ -72,7 +76,7 @@ static chunk_t hash_password(char *login, char *password)
 /**
  * Login a user.
  */
-static void login(private_user_controller_t *this, request_t *request)
+static void login(private_user_controller_t *this, fast_request_t *request)
 {
 	if (request->get_query_data(request, "submit"))
 	{
@@ -111,7 +115,7 @@ static void login(private_user_controller_t *this, request_t *request)
 /**
  * Logout a user.
  */
-static void logout(private_user_controller_t *this, request_t *request)
+static void logout(private_user_controller_t *this, fast_request_t *request)
 {
 	request->redirect(request, "user/login");
 	request->close_session(request);
@@ -120,8 +124,8 @@ static void logout(private_user_controller_t *this, request_t *request)
 /**
  * verify a user entered username for validity
  */
-static bool verify_login(private_user_controller_t *this, request_t *request,
-						 char *login)
+static bool verify_login(private_user_controller_t *this,
+						 fast_request_t *request, char *login)
 {
 	if (!login || *login == '\0')
 	{
@@ -152,7 +156,8 @@ static bool verify_login(private_user_controller_t *this, request_t *request,
 /**
  * verify a user entered password for validity
  */
-static bool verify_password(private_user_controller_t *this, request_t *request,
+static bool verify_password(private_user_controller_t *this,
+							fast_request_t *request,
 							char *password, char *confirm)
 {
 	if (!password || *password == '\0')
@@ -177,7 +182,7 @@ static bool verify_password(private_user_controller_t *this, request_t *request,
 /**
  * Register a user.
  */
-static void add(private_user_controller_t *this, request_t *request)
+static void add(private_user_controller_t *this, fast_request_t *request)
 {
 	char *login = "";
 
@@ -218,7 +223,7 @@ static void add(private_user_controller_t *this, request_t *request)
 /**
  * Edit the logged in user
  */
-static void edit(private_user_controller_t *this, request_t *request)
+static void edit(private_user_controller_t *this, fast_request_t *request)
 {
 	enumerator_t *query;
 	char *old_login;
@@ -293,14 +298,14 @@ static void edit(private_user_controller_t *this, request_t *request)
 	request->render(request, "templates/user/edit.cs");
 }
 
-METHOD(controller_t, get_name, char*,
+METHOD(fast_controller_t, get_name, char*,
 	private_user_controller_t *this)
 {
 	return "user";
 }
 
-METHOD(controller_t, handle, void,
-	private_user_controller_t *this, request_t *request, char *action,
+METHOD(fast_controller_t, handle, void,
+	private_user_controller_t *this, fast_request_t *request, char *action,
 	char *p2, char *p3, char *p4, char *p5)
 {
 	if (action)
@@ -329,7 +334,7 @@ METHOD(controller_t, handle, void,
 	request->redirect(request, "user/login");
 }
 
-METHOD(controller_t, destroy, void,
+METHOD(fast_controller_t, destroy, void,
 	private_user_controller_t *this)
 {
 	free(this);
@@ -338,7 +343,7 @@ METHOD(controller_t, destroy, void,
 /*
  * see header file
  */
-controller_t *user_controller_create(user_t *user, database_t *db)
+fast_controller_t *user_controller_create(user_t *user, database_t *db)
 {
 	private_user_controller_t *this;
 
@@ -358,4 +363,3 @@ controller_t *user_controller_create(user_t *user, database_t *db)
 
 	return &this->public.controller;
 }
-
diff --git a/src/medsrv/controller/user_controller.h b/src/medsrv/controller/user_controller.h
index 9d23795d7..8443a8d2b 100755..100644
--- a/src/medsrv/controller/user_controller.h
+++ b/src/medsrv/controller/user_controller.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup user_controller_server user_controller
- * @{ @ingroup controller_server
+ * @{ @ingroup medsrv
  */
 
 #ifndef USER_CONTROLLER_H_
@@ -24,7 +24,7 @@
 
 #include <user.h>
 
-#include <controller.h>
+#include <fast_controller.h>
 #include <database/database.h>
 
 typedef struct user_controller_t user_controller_t;
@@ -37,12 +37,12 @@ struct user_controller_t {
 	/**
 	 * Implements controller_t interface.
 	 */
-	controller_t controller;
+	fast_controller_t controller;
 };
 
 /**
  * Create a user_controller controller instance.
  */
-controller_t *user_controller_create(user_t *user, database_t *db);
+fast_controller_t *user_controller_create(user_t *user, database_t *db);
 
-#endif /* USER_CONTROLLER_H_ @} */
+#endif /** USER_CONTROLLER_H_ @}*/
diff --git a/src/medsrv/filter/auth_filter.c b/src/medsrv/filter/auth_filter.c
index d21abdc46..fb39bdb0e 100755..100644
--- a/src/medsrv/filter/auth_filter.c
+++ b/src/medsrv/filter/auth_filter.c
@@ -16,7 +16,7 @@
 
 #include "auth_filter.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 
 typedef struct private_auth_filter_t private_auth_filter_t;
 
@@ -40,8 +40,8 @@ struct private_auth_filter_t {
 	database_t *db;
 };
 
-METHOD(filter_t, run, bool,
-	private_auth_filter_t *this, request_t *request, char *controller,
+METHOD(fast_filter_t, run, bool,
+	private_auth_filter_t *this, fast_request_t *request, char *controller,
 	char *action, char *p2, char *p3, char *p4, char *p5)
 {
 	if (this->user->get_user(this->user))
@@ -70,7 +70,7 @@ METHOD(filter_t, run, bool,
 	return FALSE;
 }
 
-METHOD(filter_t, destroy, void,
+METHOD(fast_filter_t, destroy, void,
 	private_auth_filter_t *this)
 {
 	free(this);
@@ -79,7 +79,7 @@ METHOD(filter_t, destroy, void,
 /*
  * see header file
  */
-filter_t *auth_filter_create(user_t *user, database_t *db)
+fast_filter_t *auth_filter_create(user_t *user, database_t *db)
 {
 	private_auth_filter_t *this;
 
@@ -96,4 +96,3 @@ filter_t *auth_filter_create(user_t *user, database_t *db)
 
 	return &this->public.filter;
 }
-
diff --git a/src/medsrv/filter/auth_filter.h b/src/medsrv/filter/auth_filter.h
index c46de40a5..022254dde 100755..100644
--- a/src/medsrv/filter/auth_filter.h
+++ b/src/medsrv/filter/auth_filter.h
@@ -16,14 +16,14 @@
 
 /**
  * @defgroup auth_filter_server auth_filter
- * @{ @ingroup filter_server
+ * @{ @ingroup medsrv
  */
 
 #ifndef AUTH_FILTER_H_
 #define AUTH_FILTER_H_
 
 #include <library.h>
-#include <filter.h>
+#include <fast_filter.h>
 
 #include "user.h"
 
@@ -37,12 +37,12 @@ struct auth_filter_t {
 	/**
 	 * Implements filter_t interface.
 	 */
-	filter_t filter;
+	fast_filter_t filter;
 };
 
 /**
  * Create a auth_filter instance.
  */
-filter_t *auth_filter_create(user_t *user, database_t *db);
+fast_filter_t *auth_filter_create(user_t *user, database_t *db);
 
-#endif /* AUTH_FILTER_H_  @}*/
+#endif /** AUTH_FILTER_H_  @}*/
diff --git a/src/medsrv/main.c b/src/medsrv/main.c
index 1f43a7e17..6f08b97e5 100644
--- a/src/medsrv/main.c
+++ b/src/medsrv/main.c
@@ -16,8 +16,8 @@
 
 #include <stdio.h>
 
-#include <dispatcher.h>
-#include <debug.h>
+#include <fast_dispatcher.h>
+#include <utils/debug.h>
 #include <database/database.h>
 
 #include "filter/auth_filter.h"
@@ -26,7 +26,7 @@
 
 int main(int arc, char *argv[])
 {
-	dispatcher_t *dispatcher;
+	fast_dispatcher_t *dispatcher;
 	database_t *db;
 	char *socket;
 	bool debug;
@@ -34,7 +34,7 @@ int main(int arc, char *argv[])
 	int timeout, threads;
 
 	library_init(NULL);
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS)))
 	{
 		return 1;
@@ -58,14 +58,14 @@ int main(int arc, char *argv[])
 		return 1;
 	}
 
-	dispatcher = dispatcher_create(socket, debug, timeout,
-								   (context_constructor_t)user_create, db);
+	dispatcher = fast_dispatcher_create(socket, debug, timeout,
+					(fast_context_constructor_t)user_create, db);
 	dispatcher->add_filter(dispatcher,
-						(filter_constructor_t)auth_filter_create, db);
+					(fast_filter_constructor_t)auth_filter_create, db);
 	dispatcher->add_controller(dispatcher,
-						(controller_constructor_t)user_controller_create, db);
+					(fast_controller_constructor_t)user_controller_create, db);
 	dispatcher->add_controller(dispatcher,
-						(controller_constructor_t)peer_controller_create, db);
+					(fast_controller_constructor_t)peer_controller_create, db);
 
 	dispatcher->run(dispatcher, threads);
 
@@ -76,4 +76,3 @@ int main(int arc, char *argv[])
 	library_deinit();
 	return 0;
 }
-
diff --git a/src/medsrv/templates/footer.cs b/src/medsrv/templates/footer.cs
index db3601961..db3601961 100755..100644
--- a/src/medsrv/templates/footer.cs
+++ b/src/medsrv/templates/footer.cs
diff --git a/src/medsrv/templates/header.cs b/src/medsrv/templates/header.cs
index 4ab4afd1e..4ab4afd1e 100755..100644
--- a/src/medsrv/templates/header.cs
+++ b/src/medsrv/templates/header.cs
diff --git a/src/medsrv/templates/peer/add.cs b/src/medsrv/templates/peer/add.cs
index 28a994f7f..28a994f7f 100755..100644
--- a/src/medsrv/templates/peer/add.cs
+++ b/src/medsrv/templates/peer/add.cs
diff --git a/src/medsrv/templates/peer/edit.cs b/src/medsrv/templates/peer/edit.cs
index 76fb9dafc..76fb9dafc 100755..100644
--- a/src/medsrv/templates/peer/edit.cs
+++ b/src/medsrv/templates/peer/edit.cs
diff --git a/src/medsrv/templates/peer/list.cs b/src/medsrv/templates/peer/list.cs
index 205452641..205452641 100755..100644
--- a/src/medsrv/templates/peer/list.cs
+++ b/src/medsrv/templates/peer/list.cs
diff --git a/src/medsrv/templates/static/favicon.ico b/src/medsrv/templates/static/favicon.ico
index d00459196..d00459196 100755..100644
--- a/src/medsrv/templates/static/favicon.ico
+++ b/src/medsrv/templates/static/favicon.ico
diff --git a/src/medsrv/templates/static/strongswan.png b/src/medsrv/templates/static/strongswan.png
index 869188cdf..869188cdf 100755..100644
--- a/src/medsrv/templates/static/strongswan.png
+++ b/src/medsrv/templates/static/strongswan.png
diff --git a/src/medsrv/templates/static/style.css b/src/medsrv/templates/static/style.css
index e109ce278..e109ce278 100755..100644
--- a/src/medsrv/templates/static/style.css
+++ b/src/medsrv/templates/static/style.css
diff --git a/src/medsrv/templates/user/add.cs b/src/medsrv/templates/user/add.cs
index 8ba4e5c96..8ba4e5c96 100755..100644
--- a/src/medsrv/templates/user/add.cs
+++ b/src/medsrv/templates/user/add.cs
diff --git a/src/medsrv/templates/user/edit.cs b/src/medsrv/templates/user/edit.cs
index 1f168498b..1f168498b 100755..100644
--- a/src/medsrv/templates/user/edit.cs
+++ b/src/medsrv/templates/user/edit.cs
diff --git a/src/medsrv/templates/user/login.cs b/src/medsrv/templates/user/login.cs
index 1d6eadbbc..1d6eadbbc 100755..100644
--- a/src/medsrv/templates/user/login.cs
+++ b/src/medsrv/templates/user/login.cs
diff --git a/src/medsrv/user.c b/src/medsrv/user.c
index b4859080b..023dafbed 100644
--- a/src/medsrv/user.c
+++ b/src/medsrv/user.c
@@ -45,7 +45,7 @@ METHOD(user_t, get_user, u_int,
 	return this->user;
 }
 
-METHOD(context_t, destroy, void,
+METHOD(fast_context_t, destroy, void,
 	private_user_t *this)
 {
 	free(this);
@@ -70,4 +70,3 @@ user_t *user_create(void *param)
 
 	return &this->public;
 }
-
diff --git a/src/medsrv/user.h b/src/medsrv/user.h
index f14650f03..475972a5b 100644
--- a/src/medsrv/user.h
+++ b/src/medsrv/user.h
@@ -13,10 +13,17 @@
  * for more details.
  */
 
+/**
+ * @defgroup medsrv medsrv
+ *
+ * @defgroup user user
+ * @{ @ingroup medsrv
+ */
+
 #ifndef USER_H_
 #define USER_H_
 
-#include <context.h>
+#include <fast_context.h>
 #include <library.h>
 
 typedef struct user_t user_t;
@@ -29,7 +36,7 @@ struct user_t {
 	/**
 	 * implements context_t interface
 	 */
-	context_t context;
+	fast_context_t context;
 
 	/**
 	 * Set the user ID of the logged in user.
@@ -47,4 +54,4 @@ struct user_t {
  */
 user_t *user_create(void *param);
 
-#endif /* USER_H_ @} */
+#endif /** USER_H_ @} */
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index 0be040e87..78a466bd6 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -2,9 +2,10 @@ ipsec_PROGRAMS = openac
 openac_SOURCES = openac.c
 dist_man_MANS = openac.8
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
-  -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${openac_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${openac_plugins}\""
+
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 openac.o :		$(top_builddir)/config.status
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 95043350d..a34fb4285 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
@@ -59,21 +77,42 @@ am_openac_OBJECTS = openac.$(OBJEXT)
 openac_OBJECTS = $(am_openac_OBJECTS)
 openac_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(openac_SOURCES)
 DIST_SOURCES = $(openac_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -95,6 +134,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -104,21 +149,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -127,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -146,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -173,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -185,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -193,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -224,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -244,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -283,10 +344,10 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 openac_SOURCES = openac.c
 dist_man_MANS = openac.8
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
-  -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${openac_plugins}\""
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${openac_plugins}\""
 
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
@@ -325,8 +386,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -366,9 +430,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) 
+openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) $(EXTRA_openac_DEPENDENCIES) 
 	@rm -f openac$(EXEEXT)
-	$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -379,25 +443,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -406,11 +470,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
+	@list1=''; \
+	list2='$(dist_man_MANS)'; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
@@ -439,9 +510,7 @@ uninstall-man8:
 	  sed -n '/\.8[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -555,10 +624,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 745988750..7074d44be 100755..100644
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -31,7 +31,7 @@
 #include <time.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
@@ -238,7 +238,7 @@ int main(int argc, char **argv)
 		fprintf(stderr, "integrity check of openac failed\n");
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 482f83834..e07938284 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -9,11 +9,12 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/pkcs7.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 pki.o :	$(top_builddir)/config.status
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINS=\""${pki_plugins}\""
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index f9c417658..f58ad1bce 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
@@ -57,45 +75,73 @@ PROGRAMS = $(ipsec_PROGRAMS)
 am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
 	issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \
 	self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \
-	verify.$(OBJEXT)
+	pkcs7.$(OBJEXT) verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(pki_SOURCES)
 DIST_SOURCES = $(pki_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -104,13 +150,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -123,6 +172,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -150,11 +200,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -162,6 +214,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -170,8 +223,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -180,14 +231,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -201,17 +257,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -221,16 +277,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -267,11 +322,12 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/self.c \
 	commands/print.c \
 	commands/signcrl.c \
+	commands/pkcs7.c \
 	commands/verify.c
 
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = \
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINS=\""${pki_plugins}\""
 
 all: all-am
@@ -310,8 +366,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -351,9 +410,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) 
+pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) $(EXTRA_pki_DEPENDENCIES) 
 	@rm -f pki$(EXEEXT)
-	$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -365,6 +424,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@
@@ -374,151 +434,165 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 gen.o: commands/gen.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.o -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/gen.c' object='gen.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.o -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/gen.c' object='gen.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
 
 gen.obj: commands/gen.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.obj -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/gen.c' object='gen.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.obj -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/gen.c' object='gen.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
 
 issue.o: commands/issue.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.o -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/issue.c' object='issue.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.o -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/issue.c' object='issue.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
 
 issue.obj: commands/issue.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.obj -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/issue.c' object='issue.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.obj -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/issue.c' object='issue.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
 
 keyid.o: commands/keyid.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.o -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/keyid.c' object='keyid.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.o -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/keyid.c' object='keyid.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
 
 keyid.obj: commands/keyid.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.obj -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/keyid.c' object='keyid.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.obj -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/keyid.c' object='keyid.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
 
 pub.o: commands/pub.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.o -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pub.c' object='pub.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.o -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pub.c' object='pub.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
 
 pub.obj: commands/pub.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.obj -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/pub.c' object='pub.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.obj -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pub.c' object='pub.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
 
 req.o: commands/req.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.o -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/req.c' object='req.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.o -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/req.c' object='req.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
 
 req.obj: commands/req.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.obj -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/req.c' object='req.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.obj -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/req.c' object='req.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
 
 self.o: commands/self.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.o -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/self.c' object='self.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.o -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/self.c' object='self.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
 
 self.obj: commands/self.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.obj -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/self.c' object='self.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.obj -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/self.c' object='self.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
 
 print.o: commands/print.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
 
 print.obj: commands/print.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
 
 signcrl.o: commands/signcrl.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
 
 signcrl.obj: commands/signcrl.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
+
+pkcs7.o: commands/pkcs7.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.o -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pkcs7.c' object='pkcs7.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
+
+pkcs7.obj: commands/pkcs7.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.obj -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pkcs7.c' object='pkcs7.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
 
 verify.o: commands/verify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/verify.c' object='verify.o' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/verify.c' object='verify.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
 
 verify.obj: commands/verify.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.obj -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='commands/verify.c' object='verify.obj' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.obj -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/verify.c' object='verify.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -625,10 +699,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
diff --git a/src/pki/command.c b/src/pki/command.c
index 07ba5bb1d..a5e5b8528 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -23,7 +23,7 @@
 #include <stdio.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/optionsfrom.h>
 
 /**
@@ -144,7 +144,7 @@ void command_register(command_t command)
 	/* append default options, but not to --help */
 	if (!active)
 	{
-		for (i = 0; i < countof(cmds[registered].options); i++)
+		for (i = 0; i < countof(cmds[registered].options) - 1; i++)
 		{
 			if (cmds[registered].options[i].name)
 			{
diff --git a/src/pki/command.h b/src/pki/command.h
index a6f8bc758..1a884fb73 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -92,4 +92,4 @@ int command_dispatch(int argc, char *argv[]);
  */
 int command_usage(char *error);
 
-#endif /* COMMAND_H_ @}*/
+#endif /** COMMAND_H_ @}*/
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 33d9cf35d..e3602f0c3 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -22,9 +22,10 @@ static int gen()
 {
 	cred_encoding_type_t form = PRIVKEY_ASN1_DER;
 	key_type_t type = KEY_RSA;
-	u_int size = 0;
+	u_int size = 0, shares = 0, threshold = 1;
 	private_key_t *key;
 	chunk_t encoding;
+	bool safe_primes = FALSE;
 	char *arg;
 
 	while (TRUE)
@@ -60,6 +61,23 @@ static int gen()
 					return command_usage("invalid key size");
 				}
 				continue;
+			case 'p':
+				safe_primes = TRUE;
+				continue;
+			case 'n':
+				shares = atoi(arg);
+				if (shares < 2)
+				{
+					return command_usage("invalid number of key shares");
+				}
+				continue;
+			case 'l':
+				threshold = atoi(arg);
+				if (threshold < 1)
+				{
+					return command_usage("invalid key share threshold");
+				}
+				continue;
 			case EOF:
 				break;
 			default:
@@ -82,8 +100,27 @@ static int gen()
 				break;
 		}
 	}
-	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-							 BUILD_KEY_SIZE, size, BUILD_END);
+	if (type == KEY_RSA && shares)
+	{
+		if (threshold > shares)
+		{
+			return command_usage("threshold is larger than number of shares");
+		}
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+							BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES,
+							BUILD_SHARES, shares, BUILD_THRESHOLD, threshold,
+							BUILD_END);
+	}
+	else if (type == KEY_RSA && safe_primes)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+							BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES, BUILD_END);
+	}
+	else
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+							BUILD_KEY_SIZE, size, BUILD_END);
+	}
 	if (!key)
 	{
 		fprintf(stderr, "private key generation failed\n");
@@ -113,12 +150,16 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		gen, 'g', "gen", "generate a new private key",
-		{"[--type rsa|ecdsa] [--size bits] [--outform der|pem|pgp]"},
+		{"  [--type rsa|ecdsa] [--size bits] [--safe-primes]",
+		 "[--shares n] [--threshold l] [--outform der|pem|pgp]"},
 		{
-			{"help",	'h', 0, "show usage information"},
-			{"type",	't', 1, "type of key, default: rsa"},
-			{"size",	's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
-			{"outform",	'f', 1, "encoding of generated private key"},
+			{"help",		'h', 0, "show usage information"},
+			{"type",		't', 1, "type of key, default: rsa"},
+			{"size",		's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+			{"safe-primes", 'p', 0, "generate rsa safe primes"},
+			{"shares",		'n', 1, "number of private rsa key shares"},
+			{"threshold",	'l', 1, "minimum number of participating rsa key shares"},
+			{"outform",		'f', 1, "encoding of generated private key"},
 		}
 	});
 }
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 20163edf2..5f098ba41 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -17,9 +17,9 @@
 
 #include "pki.h"
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/pkcs10.h>
@@ -105,8 +105,8 @@ static int issue()
 				}
 				continue;
 			case 'g':
-				digest = get_digest(arg);
-				if (digest == HASH_UNKNOWN)
+				digest = enum_from_name(hash_algorithm_short_names, arg);
+				if (digest == -1)
 				{
 					error = "invalid --digest type";
 					goto usage;
@@ -229,6 +229,10 @@ static int issue()
 				{
 					flags |= X509_CLIENT_AUTH;
 				}
+				else if (streq(arg, "ikeIntermediate"))
+				{
+					flags |= X509_IKE_INTERMEDIATE;
+				}
 				else if (streq(arg, "crlSign"))
 				{
 					flags |= X509_CRL_SIGN;
@@ -352,11 +356,11 @@ static int issue()
 			error = "no random number generator found";
 			goto end;
 		}
-		rng->allocate_bytes(rng, 8, &serial);
-		while (*serial.ptr == 0x00)
+		if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
 		{
-			/* we don't accept a serial number with leading zeroes */
-			rng->get_bytes(rng, 1, serial.ptr);
+			error = "failed to generate serial number";
+			rng->destroy(rng);
+			goto end;
 		}
 		rng->destroy(rng);
 	}
diff --git a/src/pki/commands/pkcs7.c b/src/pki/commands/pkcs7.c
new file mode 100644
index 000000000..790656c62
--- /dev/null
+++ b/src/pki/commands/pkcs7.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pki.h"
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <credentials/containers/pkcs7.h>
+#include <credentials/sets/mem_cred.h>
+
+/**
+ * Read input data as chunk
+ */
+static chunk_t read_from_stream(FILE *stream)
+{
+	char buf[8096];
+	size_t len, total = 0;
+
+	while (TRUE)
+	{
+		len = fread(buf + total, 1, sizeof(buf) - total, stream);
+		if (len < (sizeof(buf) - total))
+		{
+			if (ferror(stream))
+			{
+				return chunk_empty;
+			}
+			if (feof(stream))
+			{
+				return chunk_clone(chunk_create(buf, total + len));
+			}
+		}
+		total += len;
+		if (total == sizeof(buf))
+		{
+			fprintf(stderr, "buffer too small to read input!\n");
+			return chunk_empty;
+		}
+	}
+}
+
+/**
+ * Write output data from chunk to stream
+ */
+static bool write_to_stream(FILE *stream, chunk_t data)
+{
+	size_t len, total = 0;
+
+	while (total < data.len)
+	{
+		len = fwrite(data.ptr + total, 1, data.len - total, stream);
+		if (len <= 0)
+		{
+			return FALSE;
+		}
+		total += len;
+	}
+	return TRUE;
+}
+
+/**
+ * Verify PKCS#7 signed-data
+ */
+static int verify(chunk_t chunk)
+{
+	container_t *container;
+	pkcs7_t *pkcs7;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_cfg_t *auth;
+	chunk_t data;
+	time_t t;
+	bool verified = FALSE;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	if (!container)
+	{
+		return 1;
+	}
+
+	if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		fprintf(stderr, "verification failed, container is %N\n",
+				container_type_names, container->get_type(container));
+		container->destroy(container);
+		return 1;
+	}
+
+	pkcs7 = (pkcs7_t*)container;
+	enumerator = container->create_signature_enumerator(container);
+	while (enumerator->enumerate(enumerator, &auth))
+	{
+		verified = TRUE;
+		cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+		if (cert)
+		{
+			fprintf(stderr, "signed by '%Y'", cert->get_subject(cert));
+
+			if (pkcs7->get_attribute(pkcs7, OID_PKCS9_SIGNING_TIME,
+									 enumerator, &data))
+			{
+				t = asn1_to_time(&data, ASN1_UTCTIME);
+				if (t != UNDEFINED_TIME)
+				{
+					fprintf(stderr, " at %T", &t, FALSE);
+				}
+				free(data.ptr);
+			}
+			fprintf(stderr, "\n");
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (!verified)
+	{
+		fprintf(stderr, "no trusted signature found\n");
+	}
+
+	if (verified)
+	{
+		if (container->get_data(container, &data))
+		{
+			write_to_stream(stdout, data);
+			free(data.ptr);
+		}
+		else
+		{
+			verified = FALSE;
+		}
+	}
+	container->destroy(container);
+
+	return verified ? 0 : 1;
+}
+
+/**
+ * Sign data into PKCS#7 signed-data
+ */
+static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key)
+{
+	container_t *container;
+	chunk_t encoding;
+	int res = 1;
+
+	container = lib->creds->create(lib->creds,
+								   CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
+								   BUILD_BLOB, chunk,
+								   BUILD_SIGNING_CERT, cert,
+								   BUILD_SIGNING_KEY, key,
+								   BUILD_END);
+	if (container)
+	{
+		if (container->get_encoding(container, &encoding))
+		{
+			write_to_stream(stdout, encoding);
+			free(encoding.ptr);
+		}
+		container->destroy(container);
+	}
+	return res;
+}
+
+/**
+ * Encrypt data to a PKCS#7 enveloped-data
+ */
+static int encrypt(chunk_t chunk, certificate_t *cert)
+{
+	container_t *container;
+	chunk_t encoding;
+	int res = 1;
+
+	container = lib->creds->create(lib->creds,
+								   CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
+								   BUILD_BLOB, chunk, BUILD_CERT, cert,
+								   BUILD_END);
+	if (container)
+	{
+		if (container->get_encoding(container, &encoding))
+		{
+			write_to_stream(stdout, encoding);
+			free(encoding.ptr);
+		}
+		container->destroy(container);
+	}
+	return res;
+}
+
+/**
+ * Decrypt PKCS#7 enveloped-data
+ */
+static int decrypt(chunk_t chunk)
+{
+	container_t *container;
+	chunk_t data;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	if (!container)
+	{
+		return 1;
+	}
+	if (container->get_type(container) != CONTAINER_PKCS7_ENVELOPED_DATA)
+	{
+		fprintf(stderr, "decryption failed, container is %N\n",
+				container_type_names, container->get_type(container));
+		container->destroy(container);
+		return 1;
+	}
+	if (!container->get_data(container, &data))
+	{
+		fprintf(stderr, "PKCS#7 decryption failed\n");
+		container->destroy(container);
+		return 1;
+	}
+	container->destroy(container);
+
+	write_to_stream(stdout, data);
+	free(data.ptr);
+
+	return 0;
+}
+
+/**
+ * Show info about PKCS#7 container
+ */
+static int show(chunk_t chunk)
+{
+	container_t *container;
+	pkcs7_t *pkcs7;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	chunk_t data;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+	if (!container)
+	{
+		return 1;
+	}
+	fprintf(stderr, "%N\n", container_type_names, container->get_type(container));
+
+	if (container->get_type(container) == CONTAINER_PKCS7_SIGNED_DATA)
+	{
+		pkcs7 = (pkcs7_t*)container;
+		enumerator = pkcs7->create_cert_enumerator(pkcs7);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			if (cert->get_encoding(cert, CERT_PEM, &data))
+			{
+				printf("%.*s", (int)data.len, data.ptr);
+				free(data.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	container->destroy(container);
+	return 0;
+}
+
+/**
+ * Wrap/Unwrap PKCs#7 containers
+ */
+static int pkcs7()
+{
+	char *arg, *file = NULL;
+	private_key_t *key = NULL;
+	certificate_t *cert = NULL;
+	chunk_t data = chunk_empty;
+	mem_cred_t *creds;
+	int res = 1;
+	FILE *in;
+	enum {
+		OP_NONE,
+		OP_SIGN,
+		OP_VERIFY,
+		OP_ENCRYPT,
+		OP_DECRYPT,
+		OP_SHOW,
+	} op = OP_NONE;
+
+	creds = mem_cred_create();
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				creds->destroy(creds);
+				return command_usage(NULL);
+			case 'i':
+				file = arg;
+				continue;
+			case 's':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_SIGN;
+				continue;
+			case 'u':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_VERIFY;
+				continue;
+			case 'e':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_ENCRYPT;
+				continue;
+			case 'd':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_DECRYPT;
+				continue;
+			case 'p':
+				if (op != OP_NONE)
+				{
+					goto invalid;
+				}
+				op = OP_SHOW;
+				continue;
+			case 'k':
+				key = lib->creds->create(lib->creds,
+										 CRED_PRIVATE_KEY, KEY_RSA,
+										 BUILD_FROM_FILE, arg, BUILD_END);
+				if (!key)
+				{
+					fprintf(stderr, "parsing private key failed\n");
+					goto end;
+				}
+				creds->add_key(creds, key);
+				continue;
+			case 'c':
+				cert = lib->creds->create(lib->creds,
+										  CRED_CERTIFICATE, CERT_X509,
+										  BUILD_FROM_FILE, arg, BUILD_END);
+				if (!cert)
+				{
+					fprintf(stderr, "parsing certificate failed\n");
+					goto end;
+				}
+				creds->add_cert(creds, TRUE, cert);
+				continue;
+			case EOF:
+				break;
+			default:
+			invalid:
+				creds->destroy(creds);
+				return command_usage("invalid --pkcs7 option");
+		}
+		break;
+	}
+
+	if (file)
+	{
+		in = fopen(file, "r");
+		if (in)
+		{
+			data = read_from_stream(in);
+			fclose(in);
+		}
+	}
+	else
+	{
+		data = read_from_stream(stdin);
+	}
+
+	if (!data.len)
+	{
+		fprintf(stderr, "reading input failed!\n");
+		goto end;
+	}
+	if (op != OP_SHOW && !cert)
+	{
+		fprintf(stderr, "requiring a certificate!\n");
+		goto end;
+	}
+
+	lib->credmgr->add_local_set(lib->credmgr, &creds->set, FALSE);
+
+	switch (op)
+	{
+		case OP_SIGN:
+			if (!key)
+			{
+				fprintf(stderr, "signing requires a private key\n");
+				res = 1;
+				break;
+			}
+			res = sign(data, cert, key);
+			break;
+		case OP_VERIFY:
+			res = verify(data);
+			break;
+		case OP_ENCRYPT:
+			res = encrypt(data, cert);
+			break;
+		case OP_DECRYPT:
+			if (!key)
+			{
+				fprintf(stderr, "decryption requires a private key\n");
+				res = 1;
+				break;
+			}
+			res = decrypt(data);
+			break;
+		case OP_SHOW:
+			res = show(data);
+			break;
+		default:
+			res = 1;
+			break;
+	}
+	lib->credmgr->remove_local_set(lib->credmgr, &creds->set);
+
+end:
+	creds->destroy(creds);
+	free(data.ptr);
+	return res;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
+		{"--sign | --verify | --encrypt | --decrypt",
+		 "--certificate+ [--key]"},
+		{
+			{"help",	'h', 0, "show usage information"},
+			{"sign",	's', 0, "create PKCS#7 signed-data"},
+			{"verify",	'u', 0, "verify PKCS#7 signed-data"},
+			{"encrypt",	'e', 0, "create PKCS#7 enveloped-data"},
+			{"decrypt",	'd', 0, "decrypt PKCS#7 enveloped-data"},
+			{"show",	'p', 0, "show info about PKCS#7, print certificates"},
+			{"in",		'i', 1, "input file, default: stdin"},
+			{"key",		'k', 1, "path to private key for sign/decryp"},
+			{"cert",	'c', 1, "path to certificate for sign/verify/encryp"},
+		}
+	});
+}
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index a7f02bfac..90cf254c8 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -133,6 +133,10 @@ static void print_x509(x509_t *x509)
 	{
 		printf("clientAuth ");
 	}
+	if (flags & X509_IKE_INTERMEDIATE)
+	{
+		printf("iKEIntermediate ");
+	}
 	if (flags & X509_SELF_SIGNED)
 	{
 		printf("self-signed ");
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 30078a8fa..9912061f4 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -158,7 +158,7 @@ static void __attribute__ ((constructor))reg()
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
 		{"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]",
-		 "[--outform der|pem|pgp]"},
+		 "[--outform der|pem|pgp|dnskey]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 087a97b3e..d90ddc251 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -19,7 +19,7 @@
 
 #include "pki.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 
 /**
@@ -63,8 +63,8 @@ static int req()
 				}
 				continue;
 			case 'g':
-				digest = get_digest(arg);
-				if (digest == HASH_UNKNOWN)
+				digest = enum_from_name(hash_algorithm_short_names, arg);
+				if (digest == -1)
 				{
 					error = "invalid --digest type";
 					goto usage;
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c4508a671..448360821 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -17,7 +17,7 @@
 
 #include "pki.h"
 
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <asn1/asn1.h>
@@ -94,8 +94,8 @@ static int self()
 				}
 				continue;
 			case 'g':
-				digest = get_digest(arg);
-				if (digest == HASH_UNKNOWN)
+				digest = enum_from_name(hash_algorithm_short_names, arg);
+				if (digest == -1)
 				{
 					error = "invalid --digest type";
 					goto usage;
@@ -212,6 +212,10 @@ static int self()
 				{
 					flags |= X509_CLIENT_AUTH;
 				}
+				else if (streq(arg, "ikeIntermediate"))
+				{
+					flags |= X509_IKE_INTERMEDIATE;
+				}
 				else if (streq(arg, "crlSign"))
 				{
 					flags |= X509_CRL_SIGN;
@@ -294,11 +298,11 @@ static int self()
 			error = "no random number generator found";
 			goto end;
 		}
-		rng->allocate_bytes(rng, 8, &serial);
-		while (*serial.ptr == 0x00)
+		if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
 		{
-			/* we don't accept a serial number with leading zeroes */
-			rng->get_bytes(rng, 1, serial.ptr);
+			error = "failed to generate serial number";
+			rng->destroy(rng);
+			goto end;
 		}
 		rng->destroy(rng);
 	}
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 153734f53..f9746cca7 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -17,8 +17,8 @@
 
 #include "pki.h"
 
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
@@ -141,8 +141,8 @@ static int sign_crl()
 			case 'h':
 				goto usage;
 			case 'g':
-				digest = get_digest(arg);
-				if (digest == HASH_UNKNOWN)
+				digest = enum_from_name(hash_algorithm_short_names, arg);
+				if (digest == -1)
 				{
 					error = "invalid --digest type";
 					goto usage;
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index bbcc53891..3e983d3ec 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -77,7 +77,7 @@ static int verify()
 	{
 		ca = cert;
 	}
-	if (cert->issued_by(cert, ca))
+	if (cert->issued_by(cert, ca, NULL))
 	{
 		if (cert->get_validity(cert, NULL, NULL, NULL))
 		{
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 3005d2fcd..c3039a649 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -18,7 +18,7 @@
 
 #include <unistd.h>
 
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/sets/callback_cred.h>
 
 /**
@@ -76,39 +76,18 @@ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
 				return FALSE;
 		}
 	}
-	return FALSE;
-}
-
-/**
- * Convert a digest string to a hash algorithm
- */
-hash_algorithm_t get_digest(char *name)
-{
-	if (streq(name, "md5"))
-	{
-		return HASH_MD5;
-	}
-	if (streq(name, "sha1"))
-	{
-		return HASH_SHA1;
-	}
-	if (streq(name, "sha224"))
-	{
-		return HASH_SHA224;
-	}
-	if (streq(name, "sha256"))
+	else if (streq(form, "dnskey"))
 	{
-		return HASH_SHA256;
-	}
-	if (streq(name, "sha384"))
-	{
-		return HASH_SHA384;
-	}
-	if (streq(name, "sha512"))
-	{
-		return HASH_SHA512;
+		switch (type)
+		{
+			case CRED_PUBLIC_KEY:
+				*enc =PUBKEY_DNSKEY;
+				return TRUE;
+			default:
+				return FALSE;
+		}
 	}
-	return HASH_UNKNOWN;
+	return FALSE;
 }
 
 /**
@@ -188,7 +167,7 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "integrity check of pki failed\n");
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 9c145cdc0..09c50c6c2 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -15,7 +15,9 @@
 
 /**
  * @defgroup pki pki
- * @{ @ingroup pki
+ *
+ * @addtogroup pki
+ * @{
  */
 
 #ifndef PKI_H_
@@ -31,9 +33,4 @@
  */
 bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
 
-/**
- * Convert a digest string to a hash algorithm
- */
-hash_algorithm_t get_digest(char *name);
-
 #endif /** PKI_H_ @}*/
diff --git a/src/pluto/Android.mk b/src/pluto/Android.mk
deleted file mode 100644
index 618f79c42..000000000
--- a/src/pluto/Android.mk
+++ /dev/null
@@ -1,80 +0,0 @@
-LOCAL_PATH := $(call my-dir)
-include $(CLEAR_VARS)
-
-# copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
-ac.c ac.h \
-alg_info.c alg_info.h \
-ca.c ca.h \
-certs.c certs.h \
-connections.c connections.h \
-constants.c constants.h \
-cookie.c cookie.h \
-crl.c crl.h \
-crypto.c crypto.h \
-db_ops.c db_ops.h \
-defs.c defs.h \
-demux.c demux.h \
-event_queue.c event_queue.h \
-fetch.c fetch.h \
-foodgroups.c foodgroups.h \
-ike_alg.c ike_alg.h \
-ipsec_doi.c ipsec_doi.h \
-kameipsec.h \
-kernel.c kernel.h \
-kernel_alg.c kernel_alg.h \
-kernel_pfkey.c kernel_pfkey.h \
-keys.c keys.h \
-lex.c lex.h \
-log.c log.h \
-myid.c myid.h \
-modecfg.c modecfg.h \
-nat_traversal.c nat_traversal.h \
-ocsp.c ocsp.h \
-packet.c packet.h \
-pkcs7.c pkcs7.h \
-plugin_list.c plugin_list.h \
-pluto.c pluto.h \
-plutomain.c \
-rcv_whack.c rcv_whack.h \
-server.c server.h \
-smartcard.c smartcard.h \
-spdb.c spdb.h \
-state.c state.h \
-timer.c timer.h \
-vendor.c vendor.h \
-virtual.c virtual.h \
-whack_attribute.c whack_attribute.h \
-xauth/xauth_manager.c xauth/xauth_manager.h \
-xauth/xauth_provider.h xauth/xauth_verifier.h \
-x509.c x509.h \
-builder.c builder.h \
-rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
-
-LOCAL_SRC_FILES += $(call add_plugin, xauth)
-
-# build pluto ------------------------------------------------------------------
-
-LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
-	$(strongswan_PATH)/src/libhydra \
-	$(strongswan_PATH)/src/libstrongswan \
-	$(strongswan_PATH)/src/libfreeswan \
-	$(strongswan_PATH)/src/whack
-
-LOCAL_CFLAGS := $(strongswan_CFLAGS) \
-	-DPLUTO -DVENDORID -DXAUTH_VID -DCISCO_QUIRKS \
-	-DTHREADS -DKERNEL26_HAS_KAME_DUPLICATES \
-	-DPLUGINS='"$(strongswan_PLUTO_PLUGINS)"'
-
-LOCAL_MODULE := pluto
-
-LOCAL_MODULE_TAGS := optional
-
-LOCAL_ARM_MODE := arm
-
-LOCAL_PRELINK_MODULE := false
-
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libfreeswan libcutils
-
-include $(BUILD_EXECUTABLE)
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
deleted file mode 100644
index 3fd0e039c..000000000
--- a/src/pluto/Makefile.am
+++ /dev/null
@@ -1,155 +0,0 @@
-# Makefile.am was ported from the old Makefile the most
-# painless way. Only the most important options are included,
-# further work may be necessary here...
-
-ipsec_PROGRAMS = pluto
-
-if USE_ADNS
-ipsec_PROGRAMS += _pluto_adns
-endif
-
-pluto_SOURCES = \
-ac.c ac.h \
-alg_info.c alg_info.h \
-ca.c ca.h \
-certs.c certs.h \
-connections.c connections.h \
-constants.c constants.h \
-cookie.c cookie.h \
-crl.c crl.h \
-crypto.c crypto.h \
-db_ops.c db_ops.h \
-defs.c defs.h \
-demux.c demux.h \
-event_queue.c event_queue.h \
-fetch.c fetch.h \
-foodgroups.c foodgroups.h \
-ike_alg.c ike_alg.h \
-ipsec_doi.c ipsec_doi.h \
-kameipsec.h \
-kernel.c kernel.h \
-kernel_alg.c kernel_alg.h \
-kernel_pfkey.c kernel_pfkey.h \
-keys.c keys.h \
-lex.c lex.h \
-log.c log.h \
-myid.c myid.h \
-modecfg.c modecfg.h \
-nat_traversal.c nat_traversal.h \
-ocsp.c ocsp.h \
-packet.c packet.h \
-pkcs7.c pkcs7.h \
-plugin_list.c plugin_list.h \
-pluto.c pluto.h \
-plutomain.c \
-rcv_whack.c rcv_whack.h \
-server.c server.h \
-smartcard.c smartcard.h \
-spdb.c spdb.h \
-state.c state.h \
-timer.c timer.h \
-vendor.c vendor.h \
-virtual.c virtual.h \
-whack_attribute.c whack_attribute.h \
-xauth/xauth_manager.c xauth/xauth_manager.h \
-xauth/xauth_provider.h xauth/xauth_verifier.h \
-x509.c x509.h \
-builder.c builder.h \
-rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
-
-if USE_ADNS
-pluto_SOURCES += \
-dnskey.c dnskey.h
-
-_pluto_adns_SOURCES = \
-adns.c adns.h
-endif
-
-plutomain.o :	$(top_builddir)/config.status
-
-LIBSTRONGSWANDIR=$(top_builddir)/src/libstrongswan
-LIBFREESWANDIR=$(top_builddir)/src/libfreeswan
-LIBHYDRADIR=$(top_builddir)/src/libhydra
-
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/whack
-
-AM_CFLAGS = -rdynamic \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\" \
--DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
--DPLUGINS=\""${pluto_plugins}\"" \
--DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
--DKERNEL26_HAS_KAME_DUPLICATES \
--DPLUTO -DDEBUG
-
-pluto_LDADD = \
-$(LIBSTRONGSWANDIR)/libstrongswan.la \
-$(LIBFREESWANDIR)/libfreeswan.a \
-$(LIBHYDRADIR)/libhydra.la \
--lresolv $(PTHREADLIB) $(DLLIB)
-
-if USE_ADNS
-_pluto_adns_LDADD = \
-$(LIBFREESWANDIR)/libfreeswan.a \
--lresolv $(DLLIB)
-endif
-
-dist_man_MANS = pluto.8
-
-EXTRA_DIST = Android.mk
-
-# compile options
-#################
-
-# This compile option activates the sending of a strongSwan VID
-if USE_VENDORID
-  AM_CFLAGS += -DVENDORID
-endif
-
-# This compile option activates the sending of the XAUTH VID
-if USE_XAUTH_VID
-  AM_CFLAGS += -DXAUTH_VID
-endif
-
-# This compile option activates the support of the Cisco VPN client
-if USE_CISCO_QUIRKS
-  AM_CFLAGS += -DCISCO_QUIRKS
-endif
-
-# This compile option activates NAT traversal with IPSec transport mode
-if USE_NAT_TRANSPORT
-  AM_CFLAGS += -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-endif
-
-# This compile option activates smartcard support
-if USE_SMARTCARD
-  AM_CFLAGS += -DSMARTCARD
-endif
-
-if USE_LIBCAP
-  pluto_LDADD += -lcap
-endif
-
-if USE_THREADS
-  AM_CFLAGS += -DTHREADS
-endif
-
-if USE_ADNS
-  AM_CFLAGS += -DADNS
-endif
-
-# build optional plugins
-########################
-
-SUBDIRS = .
-
-if USE_XAUTH
-  SUBDIRS += plugins/xauth
-endif
-
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
deleted file mode 100644
index b055ba289..000000000
--- a/src/pluto/Makefile.in
+++ /dev/null
@@ -1,1001 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-# Makefile.am was ported from the old Makefile the most
-# painless way. Only the most important options are included,
-# further work may be necessary here...
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-ipsec_PROGRAMS = pluto$(EXEEXT) $(am__EXEEXT_1)
-@USE_ADNS_TRUE@am__append_1 = _pluto_adns
-@USE_ADNS_TRUE@am__append_2 = \
-@USE_ADNS_TRUE@dnskey.c dnskey.h
-
-
-# compile options
-#################
-
-# This compile option activates the sending of a strongSwan VID
-@USE_VENDORID_TRUE@am__append_3 = -DVENDORID
-
-# This compile option activates the sending of the XAUTH VID
-@USE_XAUTH_VID_TRUE@am__append_4 = -DXAUTH_VID
-
-# This compile option activates the support of the Cisco VPN client
-@USE_CISCO_QUIRKS_TRUE@am__append_5 = -DCISCO_QUIRKS
-
-# This compile option activates NAT traversal with IPSec transport mode
-@USE_NAT_TRANSPORT_TRUE@am__append_6 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-
-# This compile option activates smartcard support
-@USE_SMARTCARD_TRUE@am__append_7 = -DSMARTCARD
-@USE_LIBCAP_TRUE@am__append_8 = -lcap
-@USE_THREADS_TRUE@am__append_9 = -DTHREADS
-@USE_ADNS_TRUE@am__append_10 = -DADNS
-@USE_XAUTH_TRUE@am__append_11 = plugins/xauth
-subdir = src/pluto
-DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-@USE_ADNS_TRUE@am__EXEEXT_1 = _pluto_adns$(EXEEXT)
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-PROGRAMS = $(ipsec_PROGRAMS)
-am___pluto_adns_SOURCES_DIST = adns.c adns.h
-@USE_ADNS_TRUE@am__pluto_adns_OBJECTS = adns.$(OBJEXT)
-_pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS)
-am__DEPENDENCIES_1 =
-@USE_ADNS_TRUE@_pluto_adns_DEPENDENCIES =  \
-@USE_ADNS_TRUE@	$(LIBFREESWANDIR)/libfreeswan.a \
-@USE_ADNS_TRUE@	$(am__DEPENDENCIES_1)
-am__pluto_SOURCES_DIST = ac.c ac.h alg_info.c alg_info.h ca.c ca.h \
-	certs.c certs.h connections.c connections.h constants.c \
-	constants.h cookie.c cookie.h crl.c crl.h crypto.c crypto.h \
-	db_ops.c db_ops.h defs.c defs.h demux.c demux.h event_queue.c \
-	event_queue.h fetch.c fetch.h foodgroups.c foodgroups.h \
-	ike_alg.c ike_alg.h ipsec_doi.c ipsec_doi.h kameipsec.h \
-	kernel.c kernel.h kernel_alg.c kernel_alg.h kernel_pfkey.c \
-	kernel_pfkey.h keys.c keys.h lex.c lex.h log.c log.h myid.c \
-	myid.h modecfg.c modecfg.h nat_traversal.c nat_traversal.h \
-	ocsp.c ocsp.h packet.c packet.h pkcs7.c pkcs7.h plugin_list.c \
-	plugin_list.h pluto.c pluto.h plutomain.c rcv_whack.c \
-	rcv_whack.h server.c server.h smartcard.c smartcard.h spdb.c \
-	spdb.h state.c state.h timer.c timer.h vendor.c vendor.h \
-	virtual.c virtual.h whack_attribute.c whack_attribute.h \
-	xauth/xauth_manager.c xauth/xauth_manager.h \
-	xauth/xauth_provider.h xauth/xauth_verifier.h x509.c x509.h \
-	builder.c builder.h rsaref/pkcs11t.h rsaref/pkcs11.h \
-	rsaref/unix.h rsaref/pkcs11f.h dnskey.c dnskey.h
-@USE_ADNS_TRUE@am__objects_1 = dnskey.$(OBJEXT)
-am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \
-	certs.$(OBJEXT) connections.$(OBJEXT) constants.$(OBJEXT) \
-	cookie.$(OBJEXT) crl.$(OBJEXT) crypto.$(OBJEXT) \
-	db_ops.$(OBJEXT) defs.$(OBJEXT) demux.$(OBJEXT) \
-	event_queue.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
-	ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) \
-	kernel_alg.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \
-	lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \
-	nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \
-	pkcs7.$(OBJEXT) plugin_list.$(OBJEXT) pluto.$(OBJEXT) \
-	plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) server.$(OBJEXT) \
-	smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \
-	timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \
-	whack_attribute.$(OBJEXT) xauth_manager.$(OBJEXT) \
-	x509.$(OBJEXT) builder.$(OBJEXT) $(am__objects_1)
-pluto_OBJECTS = $(am_pluto_OBJECTS)
-pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \
-	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
-DIST_SOURCES = $(am___pluto_adns_SOURCES_DIST) \
-	$(am__pluto_SOURCES_DIST)
-RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
-	html-recursive info-recursive install-data-recursive \
-	install-dvi-recursive install-exec-recursive \
-	install-html-recursive install-info-recursive \
-	install-pdf-recursive install-ps-recursive install-recursive \
-	installcheck-recursive installdirs-recursive pdf-recursive \
-	ps-recursive uninstall-recursive
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man_MANS)
-RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
-  distclean-recursive maintainer-clean-recursive
-AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
-	$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
-	distdir
-ETAGS = etags
-CTAGS = ctags
-DIST_SUBDIRS = . plugins/xauth
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-am__relativize = \
-  dir0=`pwd`; \
-  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
-  sed_rest='s,^[^/]*/*,,'; \
-  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
-  sed_butlast='s,/*[^/]*$$,,'; \
-  while test -n "$$dir1"; do \
-    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
-    if test "$$first" != "."; then \
-      if test "$$first" = ".."; then \
-        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
-        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
-      else \
-        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
-        if test "$$first2" = "$$first"; then \
-          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
-        else \
-          dir2="../$$dir2"; \
-        fi; \
-        dir0="$$dir0"/"$$first"; \
-      fi; \
-    fi; \
-    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
-  done; \
-  reldir="$$dir2"
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-pluto_SOURCES = ac.c ac.h alg_info.c alg_info.h ca.c ca.h certs.c \
-	certs.h connections.c connections.h constants.c constants.h \
-	cookie.c cookie.h crl.c crl.h crypto.c crypto.h db_ops.c \
-	db_ops.h defs.c defs.h demux.c demux.h event_queue.c \
-	event_queue.h fetch.c fetch.h foodgroups.c foodgroups.h \
-	ike_alg.c ike_alg.h ipsec_doi.c ipsec_doi.h kameipsec.h \
-	kernel.c kernel.h kernel_alg.c kernel_alg.h kernel_pfkey.c \
-	kernel_pfkey.h keys.c keys.h lex.c lex.h log.c log.h myid.c \
-	myid.h modecfg.c modecfg.h nat_traversal.c nat_traversal.h \
-	ocsp.c ocsp.h packet.c packet.h pkcs7.c pkcs7.h plugin_list.c \
-	plugin_list.h pluto.c pluto.h plutomain.c rcv_whack.c \
-	rcv_whack.h server.c server.h smartcard.c smartcard.h spdb.c \
-	spdb.h state.c state.h timer.c timer.h vendor.c vendor.h \
-	virtual.c virtual.h whack_attribute.c whack_attribute.h \
-	xauth/xauth_manager.c xauth/xauth_manager.h \
-	xauth/xauth_provider.h xauth/xauth_verifier.h x509.c x509.h \
-	builder.c builder.h rsaref/pkcs11t.h rsaref/pkcs11.h \
-	rsaref/unix.h rsaref/pkcs11f.h $(am__append_2)
-@USE_ADNS_TRUE@_pluto_adns_SOURCES = \
-@USE_ADNS_TRUE@adns.c adns.h
-
-LIBSTRONGSWANDIR = $(top_builddir)/src/libstrongswan
-LIBFREESWANDIR = $(top_builddir)/src/libfreeswan
-LIBHYDRADIR = $(top_builddir)/src/libhydra
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/whack
-
-AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
-	-DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
-	-DPLUGINS=\""${pluto_plugins}\"" \
-	-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
-	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DDEBUG $(am__append_3) \
-	$(am__append_4) $(am__append_5) $(am__append_6) \
-	$(am__append_7) $(am__append_9) $(am__append_10)
-pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
-	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
-	-lresolv $(PTHREADLIB) $(DLLIB) $(am__append_8)
-@USE_ADNS_TRUE@_pluto_adns_LDADD = \
-@USE_ADNS_TRUE@$(LIBFREESWANDIR)/libfreeswan.a \
-@USE_ADNS_TRUE@-lresolv $(DLLIB)
-
-dist_man_MANS = pluto.8
-EXTRA_DIST = Android.mk
-
-# build optional plugins
-########################
-SUBDIRS = . $(am__append_11)
-all: all-recursive
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/pluto/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p || test -f $$p1; \
-	  then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-ipsecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' `; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
-
-clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-_pluto_adns$(EXEEXT): $(_pluto_adns_OBJECTS) $(_pluto_adns_DEPENDENCIES) 
-	@rm -f _pluto_adns$(EXEEXT)
-	$(LINK) $(_pluto_adns_OBJECTS) $(_pluto_adns_LDADD) $(LIBS)
-pluto$(EXEEXT): $(pluto_OBJECTS) $(pluto_DEPENDENCIES) 
-	@rm -f pluto$(EXEEXT)
-	$(LINK) $(pluto_OBJECTS) $(pluto_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ac.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/adns.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alg_info.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certs.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connections.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constants.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cookie.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/db_ops.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/defs.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/demux.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event_queue.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_alg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keys.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/modecfg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/myid.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nat_traversal.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_list.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pluto.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smartcard.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spdb.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/state.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timer.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virtual.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whack_attribute.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_manager.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-xauth_manager.o: xauth/xauth_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.o -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='xauth/xauth_manager.c' object='xauth_manager.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c
-
-xauth_manager.obj: xauth/xauth_manager.c
-@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.obj -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='xauth/xauth_manager.c' object='xauth_manager.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi`
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-install-man8: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man8:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
-
-# This directory's subdirectories are mostly independent; you can cd
-# into them and run `make' without going through this Makefile.
-# To change the values of `make' variables: instead of editing Makefiles,
-# (1) if the variable is set in `config.status', edit `config.status'
-#     (which will cause the Makefiles to be regenerated when you run `make');
-# (2) otherwise, pass the desired values on the `make' command line.
-$(RECURSIVE_TARGETS):
-	@fail= failcom='exit 1'; \
-	for f in x $$MAKEFLAGS; do \
-	  case $$f in \
-	    *=* | --[!k]*);; \
-	    *k*) failcom='fail=yes';; \
-	  esac; \
-	done; \
-	dot_seen=no; \
-	target=`echo $@ | sed s/-recursive//`; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    dot_seen=yes; \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done; \
-	if test "$$dot_seen" = "no"; then \
-	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
-	fi; test -z "$$fail"
-
-$(RECURSIVE_CLEAN_TARGETS):
-	@fail= failcom='exit 1'; \
-	for f in x $$MAKEFLAGS; do \
-	  case $$f in \
-	    *=* | --[!k]*);; \
-	    *k*) failcom='fail=yes';; \
-	  esac; \
-	done; \
-	dot_seen=no; \
-	case "$@" in \
-	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
-	  *) list='$(SUBDIRS)' ;; \
-	esac; \
-	rev=''; for subdir in $$list; do \
-	  if test "$$subdir" = "."; then :; else \
-	    rev="$$subdir $$rev"; \
-	  fi; \
-	done; \
-	rev="$$rev ."; \
-	target=`echo $@ | sed s/-recursive//`; \
-	for subdir in $$rev; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done && test -z "$$fail"
-tags-recursive:
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
-	done
-ctags-recursive:
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
-	done
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
-	  include_option=--etags-include; \
-	  empty_fix=.; \
-	else \
-	  include_option=--include; \
-	  empty_fix=; \
-	fi; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test ! -f $$subdir/TAGS || \
-	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
-	  fi; \
-	done; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS: ctags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@list='$(MANS)'; if test -n "$$list"; then \
-	  list=`for p in $$list; do \
-	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
-	  if test -n "$$list" && \
-	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
-	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
-	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
-	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
-	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
-	    exit 1; \
-	  else :; fi; \
-	else :; fi
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test -d "$(distdir)/$$subdir" \
-	    || $(MKDIR_P) "$(distdir)/$$subdir" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
-	    $(am__relativize); \
-	    new_distdir=$$reldir; \
-	    dir1=$$subdir; dir2="$(top_distdir)"; \
-	    $(am__relativize); \
-	    new_top_distdir=$$reldir; \
-	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
-	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
-	    ($(am__cd) $$subdir && \
-	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$new_top_distdir" \
-	        distdir="$$new_distdir" \
-		am__remove_distdir=: \
-		am__skip_length_check=: \
-		am__skip_mode_fix=: \
-	        distdir) \
-	      || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-recursive
-all-am: Makefile $(PROGRAMS) $(MANS)
-installdirs: installdirs-recursive
-installdirs-am:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-recursive
-install-exec: install-exec-recursive
-install-data: install-data-recursive
-uninstall: uninstall-recursive
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-recursive
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-recursive
-
-clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
-	mostlyclean-am
-
-distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-recursive
-
-dvi-am:
-
-html: html-recursive
-
-html-am:
-
-info: info-recursive
-
-info-am:
-
-install-data-am: install-ipsecPROGRAMS install-man
-
-install-dvi: install-dvi-recursive
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-recursive
-
-install-html-am:
-
-install-info: install-info-recursive
-
-install-info-am:
-
-install-man: install-man8
-
-install-pdf: install-pdf-recursive
-
-install-pdf-am:
-
-install-ps: install-ps-recursive
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-recursive
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-recursive
-
-pdf-am:
-
-ps: ps-recursive
-
-ps-am:
-
-uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
-
-uninstall-man: uninstall-man8
-
-.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
-	install-am install-strip tags-recursive
-
-.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
-	all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool ctags ctags-recursive \
-	distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-man8 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
-	uninstall uninstall-am uninstall-ipsecPROGRAMS uninstall-man \
-	uninstall-man8
-
-
-plutomain.o :	$(top_builddir)/config.status
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
deleted file mode 100644
index cd8007aea..000000000
--- a/src/pluto/ac.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/* Support of X.509 attribute certificates
- * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2009 Andreas Steffen
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/stat.h>
-#include <time.h>
-
-#include <debug.h>
-#include <utils/enumerator.h>
-#include <utils/linked_list.h>
-#include <credentials/certificates/ac.h>
-
-#include "ac.h"
-#include "ca.h"
-#include "certs.h"
-#include "fetch.h"
-#include "log.h"
-
-/**
- * Chained list of X.509 attribute certificates
- */
-static linked_list_t *acerts   = NULL;
-
-/**
- * Initialize the linked list of attribute certificates
- */
-void ac_initialize(void)
-{
-	acerts = linked_list_create();
-}
-
-/**
- * Free the linked list of attribute certificates
- */
-void ac_finalize(void)
-{
-	if (acerts)
-	{
-		acerts->destroy_offset(acerts, offsetof(certificate_t, destroy));
-	}
-}
-
-/**
- *  Get a X.509 attribute certificate for a given holder
- */
-certificate_t* ac_get_cert(identification_t *issuer, chunk_t serial)
-{
-	enumerator_t *enumerator;
-	certificate_t *cert, *found = NULL;
-
-	enumerator = acerts->create_enumerator(acerts);
-	while (enumerator->enumerate(enumerator, &cert))
-	{
-		ac_t *ac = (ac_t*)cert;
-
-		if (issuer->equals(issuer, ac->get_holderIssuer(ac)) &&
-			  chunk_equals(serial, ac->get_holderSerial(ac)))
-		{
-			found = cert;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return found;
-}
-
-/**
- * Verifies a X.509 attribute certificate
- */
-bool ac_verify_cert(certificate_t *cert, bool strict)
-{
-	ac_t *ac = (ac_t*)cert;
-	identification_t *subject = cert->get_subject(cert);
-	identification_t *issuer  = cert->get_issuer(cert);
-	chunk_t authKeyID = ac->get_authKeyIdentifier(ac);
-	cert_t *aacert;
-	time_t notBefore, valid_until;
-
-	DBG1(DBG_LIB, "holder: '%Y'", subject);
-	DBG1(DBG_LIB, "issuer: '%Y'", issuer);
-
-	if (!cert->get_validity(cert, NULL, NULL, &valid_until))
-	{
-		DBG1(DBG_LIB, "attribute certificate is invalid (valid from %T to %T)",
-			 &notBefore, FALSE, &valid_until, FALSE);
-		return FALSE;
-	}
-	DBG1(DBG_LIB, "attribute certificate is valid until %T", &valid_until,
-		 FALSE);
-
-	lock_authcert_list("verify_x509acert");
-	aacert = get_authcert(issuer, authKeyID, X509_AA);
-	unlock_authcert_list("verify_x509acert");
-
-	if (aacert == NULL)
-	{
-		DBG1(DBG_LIB, "issuer aacert not found");
-		return FALSE;
-	}
-	DBG2(DBG_LIB, "issuer aacert found");
-
-	if (!cert->issued_by(cert, aacert->cert))
-	{
-		DBG1(DBG_LIB, "attribute certificate signature is invalid");
-		return FALSE;
-	}
-	DBG1(DBG_LIB, "attribute certificate signature is valid");
-
-	return verify_x509cert(aacert, strict, &valid_until);
-}
-
-/**
- *  Add a X.509 attribute certificate to the chained list
- */
-static void ac_add_cert(certificate_t *cert)
-{
-	ac_t *ac = (ac_t*)cert;
-	identification_t *hIssuer = ac->get_holderIssuer(ac);
-	chunk_t hSerial = ac->get_holderSerial(ac);
-
-	enumerator_t *enumerator;
-	certificate_t *cert_old;
-
-	enumerator = acerts->create_enumerator(acerts);
-	while (enumerator->enumerate(enumerator, &cert_old))
-	{
-		ac_t *ac_old = (ac_t*)cert_old;
-
-		if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) &&
-			   chunk_equals(hSerial, ac_old->get_holderSerial(ac_old)))
-		{
-			if (certificate_is_newer(cert, cert_old))
-			{
-				acerts->remove_at(acerts, enumerator);
-				cert_old->destroy(cert_old);
-			}
-			else
-			{
-				cert->destroy(cert);
-				cert = NULL;
-			}
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (cert)
-	{
-		acerts->insert_last(acerts, cert);
-	}
-}
-
-/**
- * Check if at least one peer attribute matches a connection attribute
- */
-bool match_group_membership(ietf_attributes_t *peer_attributes, char *conn,
-							ietf_attributes_t *conn_attributes)
-{
-	bool match;
-
-	if (conn_attributes == NULL)
-	{
-		return TRUE;
-	}
-
-	match = conn_attributes->matches(conn_attributes, peer_attributes);
-	DBG1(DBG_LIB, "%s: peer with attributes '%s' is %sa member of the "
-		 "groups '%s'", conn, peer_attributes->get_string(peer_attributes),
-		 match ? "" : "not ", conn_attributes->get_string(conn_attributes));
-
-	return match;
-}
-
-/**
- * Loads X.509 attribute certificates
- */
-void ac_load_certs(void)
-{
-	enumerator_t *enumerator;
-	struct stat st;
-	char *file;
-
-	DBG1(DBG_LIB, "loading attribute certificates from '%s'", A_CERT_PATH);
-
-	enumerator = enumerator_create_directory(A_CERT_PATH);
-	if (!enumerator)
-	{
-		return;
-	}
-
-	while (enumerator->enumerate(enumerator, NULL, &file, &st))
-	{
-		certificate_t *cert;
-
-		if (!S_ISREG(st.st_mode))
-		{
-			/* skip special file */
-			continue;
-		}
-		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
-								  BUILD_FROM_FILE, file, BUILD_END);
-		if (cert)
-		{
-			DBG1(DBG_LIB, "  loaded attribute certificate from '%s'", file);
-			ac_add_cert(cert);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- *  List all X.509 attribute certificates in the chained list
- */
-void ac_list_certs(bool utc)
-{
-	enumerator_t *enumerator;
-	certificate_t *cert;
-	time_t now;
-
-	/* determine the current time */
-	time(&now);
-
-	if (acerts->get_count(acerts) > 0)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of X.509 Attribute Certificates:");
-	}
-
-	enumerator = acerts->create_enumerator(acerts);
-	while (enumerator->enumerate(enumerator, &cert))
-	{
-		ac_t *ac = (ac_t*)cert;
-		identification_t *entityName, *holderIssuer, *issuer;
-		chunk_t holderSerial, serial, authKeyID;
-		time_t notBefore, notAfter;
-		ietf_attributes_t *groups;
-
-		whack_log(RC_COMMENT, " ");
-
-		entityName = cert->get_subject(cert);
-		if (entityName)
-		{
-			whack_log(RC_COMMENT, "  holder:   \"%Y\"", entityName);
-		}
-
-		holderIssuer = ac->get_holderIssuer(ac);
-		if (holderIssuer)
-		{
-			whack_log(RC_COMMENT, "  hissuer:  \"%Y\"", holderIssuer);
-		}
-
-		holderSerial = chunk_skip_zero(ac->get_holderSerial(ac));
-		if (holderSerial.ptr)
-		{
-			whack_log(RC_COMMENT, "  hserial:   %#B", &holderSerial);
-		}
-
-		groups = ac->get_groups(ac);
-		if (groups)
-		{
-			whack_log(RC_COMMENT, "  groups:    %s", groups->get_string(groups));
-			groups->destroy(groups);
-		}
-
-		issuer = cert->get_issuer(cert);
-		whack_log(RC_COMMENT, "  issuer:   \"%Y\"", issuer);
-
-		serial = chunk_skip_zero(ac->get_serial(ac));
-		whack_log(RC_COMMENT, "  serial:    %#B", &serial);
-
-		cert->get_validity(cert, &now, &notBefore, &notAfter);
-		whack_log(RC_COMMENT, "  validity:  not before %T %s",
-				&notBefore, utc,
-				(notBefore < now)?"ok":"fatal (not valid yet)");
-		whack_log(RC_COMMENT, "             not after  %T %s", &notAfter, utc,
-				check_expiry(notAfter, ACERT_WARNING_INTERVAL, TRUE));
-
-		authKeyID = ac->get_authKeyIdentifier(ac);
-		if (authKeyID.ptr)
-		{
-			whack_log(RC_COMMENT, "  authkey:   %#B", &authKeyID);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
diff --git a/src/pluto/ac.h b/src/pluto/ac.h
deleted file mode 100644
index d4e0c1590..000000000
--- a/src/pluto/ac.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* Support of X.509 attribute certificates
- * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2009 Andreas Steffen
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _AC_H
-#define _AC_H
-
-#include <utils/identification.h>
-#include <credentials/certificates/certificate.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
-
-/* access structure for an X.509 attribute certificate */
-
-extern void ac_initialize(void);
-extern void ac_finalize(void);
-extern void ac_load_certs(void);
-extern void ac_list_certs(bool utc);
-
-extern certificate_t* ac_get_cert(identification_t *issuer, chunk_t serial);
-
-extern bool ac_verify_cert(certificate_t *ac, bool strict);
-
-extern bool match_group_membership(ietf_attributes_t *peer_attributes,
-								   char *conn,
-								   ietf_attributes_t *conn_attributes);
-
-#endif /* _AC_H */
diff --git a/src/pluto/adns.c b/src/pluto/adns.c
deleted file mode 100644
index 76b459216..000000000
--- a/src/pluto/adns.c
+++ /dev/null
@@ -1,610 +0,0 @@
-/* Pluto Asynchronous DNS Helper Program -- for internal use only!
- * Copyright (C) 2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* This program executes as multiple processes.  The Master process
- * receives queries (struct adns_query messages) from Pluto and distributes
- * them amongst Worker processes.  These Worker processes are created
- * by the Master whenever a query arrives and no existing Worker is free.
- * At most MAX_WORKERS will be created; after that, the Master will queue
- * queries until a Worker becomes free.  When a Worker has an answer from
- * the resolver, it sends the answer as a struct adns_answer message to the
- * Master.  The Master then forwards the answer to Pluto, noting that
- * the Worker is free to accept another query.
- *
- * The protocol is simple: Pluto sends a sequence of queries and receives
- * a sequence of answers.  select(2) is used by Pluto and by the Master
- * process to decide when to read, but writes are done without checking
- * for readiness.  Communications is via pipes.  Since only one process
- * can write to each pipe, messages will not be interleaved.  Fixed length
- * records are used for simplicity.
- *
- * Pluto needs a way to indicate to the Master when to shut down
- * and the Master needs to indicate this to each worker.  EOF on the pipe
- * signifies this.
- *
- * The interfaces between these components are considered private to
- * Pluto.  This allows us to get away with less checking.  This is a
- * reason to use pipes instead of TCP/IP.
- *
- * Although the code uses plain old UNIX processes, it could be modified
- * to use threads.  That might reduce resource requirements.  It would
- * preclude running on systems without thread-safe resolvers.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netdb.h>      /* ??? for h_errno */
-
-#include <freeswan.h>
-
-/* GCC magic! */
-#ifdef GCC_LINT
-# define UNUSED __attribute__ ((unused))
-#else
-# define UNUSED /* ignore */
-#endif
-
-#include "constants.h"
-#include "adns.h"       /* needs <resolv.h> */
-
-/* shared by all processes */
-
-static const char *name;        /* program name, for messages */
-
-static bool debug = FALSE;
-
-/* Read a variable-length record from a pipe (and no more!).
- * First bytes must be a size_t containing the length.
- * HES_CONTINUE if record read
- * HES_OK if EOF
- * HES_IO_ERROR_IN if errno tells the tale.
- * Others are errors.
- */
-static enum helper_exit_status
-read_pipe(int fd, unsigned char *stuff, size_t minlen, size_t maxlen)
-{
-	size_t n = 0;
-	size_t goal = minlen;
-
-	do {
-		ssize_t m = read(fd, stuff + n, goal - n);
-
-		if (m == -1)
-		{
-			if (errno != EINTR)
-			{
-				syslog(LOG_ERR, "Input error on pipe: %s", strerror(errno));
-				return HES_IO_ERROR_IN;
-			}
-		}
-		else if (m == 0)
-		{
-			return HES_OK;      /* treat empty message as EOF */
-		}
-		else
-		{
-			n += m;
-			if (n >= sizeof(size_t))
-			{
-				goal = *(size_t *)(void *)stuff;
-				if (goal < minlen || maxlen < goal)
-				{
-					if (debug)
-						fprintf(stderr, "%lu : [%lu, %lu]\n"
-							, (unsigned long)goal
-							, (unsigned long)minlen, (unsigned long)maxlen);
-					return HES_BAD_LEN;
-				}
-			}
-		}
-	} while (n < goal);
-
-	return HES_CONTINUE;
-}
-
-/* Write a variable-length record to a pipe.
- * First bytes must be a size_t containing the length.
- * HES_CONTINUE if record written
- * Others are errors.
- */
-static enum helper_exit_status
-write_pipe(int fd, const unsigned char *stuff)
-{
-	size_t len = *(const size_t *)(const void *)stuff;
-	size_t n = 0;
-
-	do {
-		ssize_t m = write(fd, stuff + n, len - n);
-
-		if (m == -1)
-		{
-			/* error, but ignore and retry if EINTR */
-			if (errno != EINTR)
-			{
-				syslog(LOG_ERR, "Output error from master: %s", strerror(errno));
-				return HES_IO_ERROR_OUT;
-			}
-		}
-		else
-		{
-			n += m;
-		}
-	} while (n != len);
-	return HES_CONTINUE;
-}
-
-/**************** worker process ****************/
-
-/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
- * so we build some of our own :-(
- */
-
-/* Support deprecated interface to allow for older releases of the resolver.
- * Fake new interface!
- * See resolver(3) bind distribution (should be in RHL6.1, but isn't).
- * __RES was 19960801 in RHL6.2, an old resolver.
- */
-
-#if (__RES) <= 19960801
-# define OLD_RESOLVER   1
-#endif
-
-#ifdef OLD_RESOLVER
-
-# define res_ninit(statp) res_init()
-# define res_nquery(statp, dname, class, type, answer, anslen) \
-	res_query(dname, class, type, answer, anslen)
-# define res_nclose(statp) res_close()
-
-static struct __res_state *statp = &_res;
-
-#else /* !OLD_RESOLVER */
-
-static struct __res_state my_res_state /* = { 0 } */;
-static res_state statp = &my_res_state;
-
-#endif /* !OLD_RESOLVER */
-
-static int
-worker(int qfd, int afd)
-{
-	{
-		int r = res_ninit(statp);
-
-		if (r != 0)
-		{
-			syslog(LOG_ERR, "cannot initialize resolver");
-			return HES_RES_INIT;
-		}
-#ifndef OLD_RESOLVER
-		statp->options |= RES_ROTATE;
-#endif
-		statp->options |= RES_DEBUG;
-	}
-
-	for (;;)
-	{
-		struct adns_query q;
-		struct adns_answer a;
-
-		enum helper_exit_status r = read_pipe(qfd, (unsigned char *)&q
-			, sizeof(q), sizeof(q));
-
-		if (r != HES_CONTINUE)
-			return r;   /* some kind of exit */
-
-		if (q.qmagic != ADNS_Q_MAGIC)
-		{
-			syslog(LOG_ERR, "error in input from master: bad magic");
-			return HES_BAD_MAGIC;
-		}
-
-		a.amagic = ADNS_A_MAGIC;
-		a.serial = q.serial;
-		a.continuation = NULL;
-
-		a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
-		a.h_errno_val = h_errno;
-
-		a.len = offsetof(struct adns_answer, ans) + (a.result < 0? 0 : a.result);
-
-#ifdef DEBUG
-		if (((q.debugging & IMPAIR_DELAY_ADNS_KEY_ANSWER) && q.type == T_KEY)
-		|| ((q.debugging & IMPAIR_DELAY_ADNS_TXT_ANSWER) && q.type == T_TXT))
-			sleep(30);  /* delay the answer */
-#endif
-
-		/* write answer, possibly a bit at a time */
-		r = write_pipe(afd, (const unsigned char *)&a);
-
-		if (r != HES_CONTINUE)
-			return r;   /* some kind of exit */
-	}
-}
-
-/**************** master process ****************/
-
-bool eof_from_pluto = FALSE;
-#define PLUTO_QFD       0       /* queries come on stdin */
-#define PLUTO_AFD       1       /* answers go out on stdout */
-
-#ifndef MAX_WORKERS
-# define MAX_WORKERS 10 /* number of in-flight queries */
-#endif
-
-struct worker_info {
-	int qfd;    /* query pipe's file descriptor */
-	int afd;    /* answer pipe's file descriptor */
-	pid_t pid;
-	bool busy;
-	void *continuation; /* of outstanding request */
-};
-
-static struct worker_info wi[MAX_WORKERS];
-static struct worker_info *wi_roof = wi;
-
-/* request FIFO */
-
-struct query_list {
-	struct query_list *next;
-	struct adns_query aq;
-};
-
-static struct query_list *oldest_query = NULL;
-static struct query_list *newest_query; /* undefined when oldest == NULL */
-static struct query_list *free_queries = NULL;
-
-static bool
-spawn_worker(void)
-{
-	int qfds[2];
-	int afds[2];
-	pid_t p;
-
-	if (pipe(qfds) != 0 || pipe(afds) != 0)
-	{
-		syslog(LOG_ERR, "pipe(2) failed: %s", strerror(errno));
-		exit(HES_PIPE);
-	}
-
-	wi_roof->qfd = qfds[1];     /* write end of query pipe */
-	wi_roof->afd = afds[0];     /* read end of answer pipe */
-
-	p = fork();
-	if (p == -1)
-	{
-		/* fork failed: ignore if at least one worker exists */
-		if (wi_roof == wi)
-		{
-			syslog(LOG_ERR, "fork(2) error creating first worker: %s", strerror(errno));
-			exit(HES_FORK);
-		}
-		close(qfds[0]);
-		close(qfds[1]);
-		close(afds[0]);
-		close(afds[1]);
-		return FALSE;
-	}
-	else if (p == 0)
-	{
-		/* child */
-		struct worker_info *w;
-
-		close(PLUTO_QFD);
-		close(PLUTO_AFD);
-		/* close all master pipes, including ours */
-		for (w = wi; w <= wi_roof; w++)
-		{
-			close(w->qfd);
-			close(w->afd);
-		}
-		exit(worker(qfds[0], afds[1]));
-	}
-	else
-	{
-		/* parent */
-		struct worker_info *w = wi_roof++;
-
-		w->pid = p;
-		w->busy = FALSE;
-		close(qfds[0]);
-		close(afds[1]);
-		return TRUE;
-	}
-}
-
-static void
-send_eof(struct worker_info *w)
-{
-	pid_t p;
-	int status;
-
-	close(w->qfd);
-	w->qfd = NULL_FD;
-
-	close(w->afd);
-	w->afd = NULL_FD;
-
-	/* reap child */
-	p = waitpid(w->pid, &status, 0);
-	/* ignore result -- what could we do with it? */
-}
-
-static void
-forward_query(struct worker_info *w)
-{
-	struct query_list *q = oldest_query;
-
-	if (q == NULL)
-	{
-		if (eof_from_pluto)
-			send_eof(w);
-	}
-	else
-	{
-		enum helper_exit_status r
-			= write_pipe(w->qfd, (const unsigned char *) &q->aq);
-
-		if (r != HES_CONTINUE)
-			exit(r);
-
-		w->busy = TRUE;
-
-		oldest_query = q->next;
-		q->next = free_queries;
-		free_queries = q;
-	}
-}
-
-static void
-query(void)
-{
-	struct query_list *q = free_queries;
-	enum helper_exit_status r;
-
-	/* find an unused queue entry */
-	if (q == NULL)
-	{
-		q = malloc(sizeof(*q));
-		if (q == NULL)
-		{
-			syslog(LOG_ERR, "malloc(3) failed");
-			exit(HES_MALLOC);
-		}
-	}
-	else
-	{
-		free_queries = q->next;
-	}
-
-	r = read_pipe(PLUTO_QFD, (unsigned char *)&q->aq
-		, sizeof(q->aq), sizeof(q->aq));
-
-	if (r == HES_OK)
-	{
-		/* EOF: we're done, except for unanswered queries */
-		struct worker_info *w;
-
-		eof_from_pluto = TRUE;
-		q->next = free_queries;
-		free_queries = q;
-
-		/* Send bye-bye to unbusy processes.
-		 * Note that if there are queued queries, there won't be
-		 * any non-busy workers.
-		 */
-		for (w = wi; w != wi_roof; w++)
-			if (!w->busy)
-				send_eof(w);
-	}
-	else if (r != HES_CONTINUE)
-	{
-		exit(r);
-	}
-	else if (q->aq.qmagic != ADNS_Q_MAGIC)
-	{
-		syslog(LOG_ERR, "error in query from Pluto: bad magic");
-		exit(HES_BAD_MAGIC);
-	}
-	else
-	{
-		struct worker_info *w;
-
-		/* got a query */
-
-		/* add it to FIFO */
-		q->next = NULL;
-		if (oldest_query == NULL)
-			oldest_query = q;
-		else
-			newest_query->next = q;
-		newest_query = q;
-
-		/* See if any worker available */
-		for (w = wi; ; w++)
-		{
-			if (w == wi_roof)
-			{
-				/* no free worker */
-				if (w == wi + MAX_WORKERS)
-					break;      /* no more to be created */
-				/* make a new one */
-				if (!spawn_worker())
-					break;      /* cannot create one at this time */
-			}
-			if (!w->busy)
-			{
-				/* assign first to free worker */
-				forward_query(w);
-				break;
-			}
-		}
-	}
-	return;
-}
-
-static void
-answer(struct worker_info *w)
-{
-	struct adns_answer a;
-	enum helper_exit_status r = read_pipe(w->afd, (unsigned char *)&a
-		, offsetof(struct adns_answer, ans), sizeof(a));
-
-	if (r == HES_OK)
-	{
-		/* unexpected EOF */
-		syslog(LOG_ERR, "unexpected EOF from worker");
-		exit(HES_IO_ERROR_IN);
-	}
-	else if (r != HES_CONTINUE)
-	{
-		exit(r);
-	}
-	else if (a.amagic != ADNS_A_MAGIC)
-	{
-		syslog(LOG_ERR, "Input from worker error: bad magic");
-		exit(HES_BAD_MAGIC);
-	}
-	else if (a.continuation != w->continuation)
-	{
-		/* answer doesn't match query */
-		syslog(LOG_ERR, "Input from worker error: continuation mismatch");
-		exit(HES_SYNC);
-	}
-	else
-	{
-		/* pass the answer on to Pluto */
-		enum helper_exit_status r
-			= write_pipe(PLUTO_AFD, (const unsigned char *) &a);
-
-		if (r != HES_CONTINUE)
-			exit(r);
-		w->busy = FALSE;
-		forward_query(w);
-	}
-}
-
-/* assumption: input limited; accept blocking on output */
-static int
-master(void)
-{
-	for (;;)
-	{
-		fd_set readfds;
-		int maxfd = PLUTO_QFD;          /* approximate lower bound */
-		int ndes = 0;
-		struct worker_info *w;
-
-		FD_ZERO(&readfds);
-		if (!eof_from_pluto)
-		{
-			FD_SET(PLUTO_QFD, &readfds);
-			ndes++;
-		}
-		for (w = wi; w != wi_roof; w++)
-		{
-			if (w->busy)
-			{
-				FD_SET(w->afd, &readfds);
-				ndes++;
-				if (maxfd < w->afd)
-					maxfd = w->afd;
-			}
-		}
-
-		if (ndes == 0)
-			return HES_OK;      /* done! */
-
-		do {
-			ndes = select(maxfd + 1, &readfds, NULL, NULL, NULL);
-		} while (ndes == -1 && errno == EINTR);
-		if (ndes == -1)
-		{
-			syslog(LOG_ERR, "select(2) error: %s", strerror(errno));
-			exit(HES_IO_ERROR_SELECT);
-		}
-		else if (ndes > 0)
-		{
-			if (FD_ISSET(PLUTO_QFD, &readfds))
-			{
-				query();
-				ndes--;
-			}
-			for (w = wi; ndes > 0 && w != wi_roof; w++)
-			{
-				if (w->busy && FD_ISSET(w->afd, &readfds))
-				{
-					answer(w);
-					ndes--;
-				}
-			}
-		}
-	}
-}
-
-/* Not to be invoked by strangers -- user hostile.
- * Mandatory args: query-fd answer-fd
- * Optional arg: -d, signifying "debug".
- */
-
-static void
-adns_usage(const char *fmt, const char *arg)
-{
-	const char **sp = ipsec_copyright_notice();
-
-	fprintf(stderr, "INTERNAL TO PLUTO: DO NOT EXECUTE\n");
-
-	fprintf(stderr, fmt, arg);
-	fprintf(stderr, "\nstrongSwan "VERSION"\n");
-
-	for (; *sp != NULL; sp++)
-		fprintf(stderr, "%s\n", *sp);
-
-	syslog(LOG_ERR, fmt, arg);
-	exit(HES_INVOCATION);
-}
-
-int
-main(int argc UNUSED, char **argv)
-{
-	int i = 1;
-
-	name = argv[0];
-
-	while (i < argc)
-	{
-		if (streq(argv[i], "-d"))
-		{
-			i++;
-			debug = TRUE;
-		}
-		else
-		{
-			adns_usage("unexpected argument \"%s\"", argv[i]);
-			/*NOTREACHED*/
-		}
-	}
-
-	return master();
-}
diff --git a/src/pluto/adns.h b/src/pluto/adns.h
deleted file mode 100644
index dfbcbaf16..000000000
--- a/src/pluto/adns.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/* Pluto Asynchronous DNS Helper Program's Header
- * Copyright (C) 2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef ADNS
-
-/* dummy struct to make compilers happy */
-struct adns_query {
-};
-
-#else /* rest of file */
-
-/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
- * so we build some of our own :-(
- */
-
-# ifndef NS_MAXDNAME
-#   define NS_MAXDNAME MAXDNAME /* I hope this is long enough for IPv6 */
-# endif
-
-# ifndef NS_PACKETSZ
-#   define NS_PACKETSZ PACKETSZ
-# endif
-
-/* protocol version */
-
-#define ADNS_Q_MAGIC (((((('d' << 8) + 'n') << 8) + 's') << 8) + 4)
-#define ADNS_A_MAGIC (((((('d' << 8) + 'n') << 8) + 's') << 8) + 128 + 4)
-
-/* note: both struct adns_query and struct adns_answer must start with
- * size_t len;
- */
-
-struct adns_query {
-	size_t len;
-	unsigned int qmagic;
-	unsigned long serial;
-	lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
-	u_char name_buf[NS_MAXDNAME + 2];
-	int type;   /* T_KEY or T_TXT */
-};
-
-struct adns_answer {
-	size_t len;
-	unsigned int amagic;
-	unsigned long serial;
-	struct adns_continuation *continuation;
-	int result;
-	int h_errno_val;
-	u_char ans[NS_PACKETSZ * 10];   /* very probably bigger than necessary */
-};
-
-enum helper_exit_status {
-	HES_CONTINUE = -1,  /* not an exit */
-	HES_OK = 0, /* all's well that ends well (perhaps EOF) */
-	HES_INVOCATION,     /* improper invocation */
-	HES_IO_ERROR_SELECT,        /* IO error in select() */
-	HES_MALLOC, /* malloc failed */
-	HES_IO_ERROR_IN,    /* error reading pipe */
-	HES_IO_ERROR_OUT,   /* error reading pipe */
-	HES_PIPE,   /* pipe(2) failed */
-	HES_SYNC,   /* answer from worker doesn't match query */
-	HES_FORK,   /* fork(2) failed */
-	HES_RES_INIT,       /* resolver initialization failed */
-	HES_BAD_LEN,        /* implausible .len field */
-	HES_BAD_MAGIC,      /* .magic field wrong */
-};
-#endif /* ADNS */
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
deleted file mode 100644
index fe27c10b2..000000000
--- a/src/pluto/alg_info.c
+++ /dev/null
@@ -1,683 +0,0 @@
-/*
- * Algorithm info parsing and creation functions
- * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <freeswan.h>
-#include <pfkeyv2.h>
-
-#include <utils.h>
-#include <utils/lexparser.h>
-#include <crypto/diffie_hellman.h>
-#include <crypto/transform.h>
-#include <crypto/proposal/proposal_keywords.h>
-
-
-#include "alg_info.h"
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "whack.h"
-#include "crypto.h"
-#include "kernel_alg.h"
-#include "ike_alg.h"
-
-/*
- * sadb/ESP aa attrib converters
- */
-int alg_info_esp_aa2sadb(int auth)
-{
-	int sadb_aalg = 0;
-
-	switch(auth)
-	{
-		case AUTH_ALGORITHM_HMAC_MD5:
-		case AUTH_ALGORITHM_HMAC_SHA1:
-			sadb_aalg = auth + 1;
-			break;
-		default:
-			sadb_aalg = auth;
-	}
-	return sadb_aalg;
-}
-
-int alg_info_esp_sadb2aa(int sadb_aalg)
-{
-	int auth = 0;
-
-	switch(sadb_aalg)
-	{
-		case SADB_AALG_MD5HMAC:
-		case SADB_AALG_SHA1HMAC:
-			auth = sadb_aalg - 1;
-			break;
-		default:
-			auth = sadb_aalg;
-	}
-	return auth;
-}
-
-void alg_info_free(struct alg_info *alg_info)
-{
-	free(alg_info);
-}
-
-/*
- * Raw add routine: only checks for no duplicates
- */
-static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
-							   unsigned ek_bits, int aalg_id, unsigned ak_bits)
-{
-	struct esp_info *esp_info = alg_info->esp;
-	unsigned cnt = alg_info->alg_info_cnt, i;
-
-	/* check for overflows */
-	passert(cnt < countof(alg_info->esp));
-
-	/* dont add duplicates */
-	for (i = 0; i < cnt; i++)
-	{
-		if (esp_info[i].esp_ealg_id == ealg_id
-		&& (!ek_bits || esp_info[i].esp_ealg_keylen == ek_bits)
-		&& esp_info[i].esp_aalg_id == aalg_id
-		&& (!ak_bits || esp_info[i].esp_aalg_keylen == ak_bits))
-		{
-			return;
-		}
-	}
-
-	esp_info[cnt].esp_ealg_id = ealg_id;
-	esp_info[cnt].esp_ealg_keylen = ek_bits;
-	esp_info[cnt].esp_aalg_id = aalg_id;
-	esp_info[cnt].esp_aalg_keylen = ak_bits;
-
-	/* sadb values */
-	esp_info[cnt].encryptalg = ealg_id;
-	esp_info[cnt].authalg = alg_info_esp_aa2sadb(aalg_id);
-	alg_info->alg_info_cnt++;
-
-	DBG(DBG_CRYPT,
-		DBG_log("esp alg added: %s_%d/%s, cnt=%d",
-				enum_show(&esp_transform_names, ealg_id), ek_bits,
-				enum_show(&auth_alg_names, aalg_id),
-				alg_info->alg_info_cnt)
-	)
-}
-
-/**
- * Returns true if the given alg is an authenticated encryption algorithm
- */
-static bool is_authenticated_encryption(int ealg_id)
-{
-	switch (ealg_id)
-	{
-		case ESP_AES_CCM_8:
-		case ESP_AES_CCM_12:
-		case ESP_AES_CCM_16:
-		case ESP_AES_GCM_8:
-		case ESP_AES_GCM_12:
-		case ESP_AES_GCM_16:
-		case ESP_AES_GMAC:
-			return TRUE;
-	}
-	return FALSE;
-}
-
-/*
- * Add ESP alg info _with_ logic (policy):
- */
-static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
-							 int ek_bits, int aalg_id, int ak_bits)
-{
-	/* Policy: default to 3DES */
-	if (ealg_id == 0)
-	{
-		ealg_id = ESP_3DES;
-	}
-	if (ealg_id > 0)
-	{
-		if (is_authenticated_encryption(ealg_id))
-		{
-			__alg_info_esp_add((struct alg_info_esp *)alg_info,
-								ealg_id, ek_bits,
-								AUTH_ALGORITHM_NONE, 0);
-		}
-		else if (aalg_id > 0)
-		{
-			__alg_info_esp_add((struct alg_info_esp *)alg_info,
-								ealg_id, ek_bits,
-								aalg_id, ak_bits);
-		}
-		else
-		{
-			/* Policy: default to SHA-1 and MD5 */
-			__alg_info_esp_add((struct alg_info_esp *)alg_info,
-								ealg_id, ek_bits,
-								AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
-			__alg_info_esp_add((struct alg_info_esp *)alg_info,
-								ealg_id, ek_bits,
-								AUTH_ALGORITHM_HMAC_MD5, ak_bits);
-		}
-	}
-}
-
-static void __alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id,
-								unsigned ek_bits, int aalg_id, unsigned ak_bits,
-								int modp_id)
-{
-	struct ike_info *ike_info = alg_info->ike;
-	unsigned cnt = alg_info->alg_info_cnt;
-	unsigned i;
-
-	/* check for overflows */
-	passert(cnt < countof(alg_info->ike));
-
-	/* dont add duplicates */
-   for (i = 0; i < cnt; i++)
-   {
-		if (ike_info[i].ike_ealg == ealg_id
-		&& (!ek_bits || ike_info[i].ike_eklen == ek_bits)
-		&&  ike_info[i].ike_halg == aalg_id
-		&& (!ak_bits || ike_info[i].ike_hklen == ak_bits)
-		&&  ike_info[i].ike_modp==modp_id)
-			return;
-	}
-
-	ike_info[cnt].ike_ealg = ealg_id;
-	ike_info[cnt].ike_eklen = ek_bits;
-	ike_info[cnt].ike_halg = aalg_id;
-	ike_info[cnt].ike_hklen = ak_bits;
-	ike_info[cnt].ike_modp = modp_id;
-	alg_info->alg_info_cnt++;
-
-	DBG(DBG_CRYPT,
-		DBG_log("ikg alg added: %s_%d/%s/%s, cnt=%d",
-				enum_show(&oakley_enc_names, ealg_id), ek_bits,
-				enum_show(&oakley_hash_names, aalg_id),
-				enum_show(&oakley_group_names, modp_id),
-				alg_info->alg_info_cnt)
-	)
-}
-
-/*
- * Proposals will be built by looping over default_ike_groups array and
- * merging alg_info (ike_info) contents
- */
-
-static int default_ike_groups[] = {
-	MODP_1536_BIT,
-	MODP_1024_BIT
-};
-
-/*
- *      Add IKE alg info _with_ logic (policy):
- */
-static void alg_info_ike_add (struct alg_info *alg_info, int ealg_id,
-							  int ek_bits, int aalg_id, int ak_bits, int modp_id)
-{
-	int i = 0;
-	int n_groups = countof(default_ike_groups);
-
-	/* if specified modp_id avoid loop over default_ike_groups */
-	if (modp_id)
-	{
-		n_groups=0;
-		goto in_loop;
-	}
-
-	for (; n_groups--; i++)
-	{
-		modp_id = default_ike_groups[i];
-in_loop:
-		/* Policy: default to 3DES */
-		if (ealg_id == 0)
-		{
-			ealg_id = OAKLEY_3DES_CBC;
-		}
-		if (ealg_id > 0)
-		{
-			if (aalg_id > 0)
-			{
-				__alg_info_ike_add((struct alg_info_ike *)alg_info,
-								   ealg_id, ek_bits,
-								   aalg_id, ak_bits,
-								   modp_id);
-			}
-			else
-			{
-				/* Policy: default to MD5 and SHA */
-				__alg_info_ike_add((struct alg_info_ike *)alg_info,
-								   ealg_id, ek_bits,
-								   OAKLEY_MD5, ak_bits,
-								   modp_id);
-				__alg_info_ike_add((struct alg_info_ike *)alg_info,
-								   ealg_id, ek_bits,
-								   OAKLEY_SHA, ak_bits,
-								   modp_id);
-			}
-		}
-	}
-}
-
-static status_t alg_info_add(chunk_t alg, unsigned protoid,
-							 int *ealg, size_t *ealg_keysize,
-							 int *aalg, size_t *aalg_keysize, int *dh_group)
-{
-	const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
-
-	if (token == NULL)
-	{
-		return FAILED;
-	}
-	switch (token->type)
-	{
-		case ENCRYPTION_ALGORITHM:
-			if (*ealg != 0)
-			{
-				return FAILED;
-			}
-			*ealg = (protoid == PROTO_ISAKMP) ?
-					 oakley_from_encryption_algorithm(token->algorithm) :
-					 esp_from_encryption_algorithm(token->algorithm);
-			if (*ealg == 0)
-			{
-				return FAILED;
-			}
-			*ealg_keysize = token->keysize;
-			break;
-		case INTEGRITY_ALGORITHM:
-			if (*aalg != 0)
-			{
-				return FAILED;
-			}
-			*aalg = (protoid == PROTO_ISAKMP) ?
-					 oakley_from_integrity_algorithm(token->algorithm) :
-					 esp_from_integrity_algorithm(token->algorithm);
-			if (*aalg == 0)
-			{
-				return FAILED;
-			}
-			*aalg_keysize = token->keysize;
-			break;
-		case DIFFIE_HELLMAN_GROUP:
-			if (protoid == PROTO_ISAKMP)
-			{
-				if (*dh_group != 0)
-				{
-					return FAILED;
-				}
-				*dh_group = token->algorithm;
-			}
-			break;
-		default:
-			return FAILED;
-	}
-	return SUCCESS;
-}
-
-
-static status_t alg_info_parse_str(struct alg_info *alg_info, char *alg_str)
-{
-	char *strict, *single;
-	status_t status = SUCCESS;
-
-	strict = alg_str + strlen(alg_str) - 1;
-	if (*strict == '!')
-	{
-		alg_info->alg_info_flags |= ALG_INFO_F_STRICT;
-		*strict = '\0';
-	}
-	while ((single = strsep(&alg_str, ",")))
-	{
-		chunk_t string = { (u_char *)single, strlen(single) };
-		int ealg = 0;
-		int aalg = 0;
-		int dh_group = 0;
-		size_t ealg_keysize = 0;
-		size_t aalg_keysize = 0;
-
-		eat_whitespace(&string);
-
-		if (string.len > 0)
-		{
-			chunk_t alg;
-
-			/* get all token, separated by '-' */
-			while (extract_token(&alg, '-', &string))
-			{
-				status |= alg_info_add(alg, alg_info->alg_info_protoid,
-									   &ealg, &ealg_keysize,
-									   &aalg, &aalg_keysize, &dh_group);
-			}
-			if (string.len)
-			{
-				status |= alg_info_add(string, alg_info->alg_info_protoid,
-									   &ealg, &ealg_keysize,
-									   &aalg, &aalg_keysize, &dh_group);
-			}
-		}
-		if (status == SUCCESS)
-
-		{
-			switch (alg_info->alg_info_protoid)
-			{
-				case PROTO_IPSEC_ESP:
-					alg_info_esp_add(alg_info, ealg, ealg_keysize,
-											   aalg, aalg_keysize);
-					break;
-				case PROTO_ISAKMP:
-					alg_info_ike_add(alg_info, ealg, ealg_keysize,
-											   aalg, aalg_keysize,
-											   dh_group);
-					break;
-				default:
-					break;
-			}
-		}
-	}
-	return status;
-}
-
-struct alg_info_esp *alg_info_esp_create_from_str(char *alg_str)
-{
-	struct alg_info_esp *alg_info_esp;
-	char esp_buf[BUF_LEN];
-	char *pfs_name;
-	status_t status = SUCCESS;
-	/*
-	 * alg_info storage should be sized dynamically
-	 * but this may require 2passes to know
-	 * transform count in advance.
-	 */
-	alg_info_esp = malloc_thing (struct alg_info_esp);
-	zero(alg_info_esp);
-
-	pfs_name=strchr(alg_str, ';');
-	if (pfs_name)
-	{
-		memcpy(esp_buf, alg_str, pfs_name-alg_str);
-		esp_buf[pfs_name-alg_str] = 0;
-		alg_str = esp_buf;
-		pfs_name++;
-
-		/* if pfs strings AND first char is not '0' */
-		if (*pfs_name && pfs_name[0] != '0')
-		{
-			const proposal_token_t *token;
-
-			token = proposal_get_token(pfs_name, strlen(pfs_name));
-			if (token == NULL || token->type != DIFFIE_HELLMAN_GROUP)
-			{
-				/* Bomb if pfsgroup not found */
-				DBG(DBG_CRYPT,
-					DBG_log("alg_info_esp_create_from_str(): pfsgroup \"%s\" not found"
-						, pfs_name)
-				)
-				status = FAILED;
-				goto out;
-			}
-			alg_info_esp->esp_pfsgroup = token->algorithm;
-		}
-	}
-	else
-	{
-		alg_info_esp->esp_pfsgroup = 0;
-	}
-	alg_info_esp->alg_info_protoid = PROTO_IPSEC_ESP;
-	status = alg_info_parse_str((struct alg_info *)alg_info_esp, alg_str);
-
-out:
-	if (status == SUCCESS)
-	{
-		alg_info_esp->ref_cnt = 1;
-		return alg_info_esp;
-	}
-	else
-	{
-		free(alg_info_esp);
-		return NULL;
-	}
-}
-
-struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
-{
-	struct alg_info_ike *alg_info_ike;
-	/*
-	 * alg_info storage should be sized dynamically
-	 * but this may require 2passes to know
-	 * transform count in advance.
-	 */
-	alg_info_ike = malloc_thing (struct alg_info_ike);
-	zero(alg_info_ike);
-	alg_info_ike->alg_info_protoid = PROTO_ISAKMP;
-
-	if (alg_info_parse_str((struct alg_info *)alg_info_ike, alg_str) == SUCCESS)
-	{
-		alg_info_ike->ref_cnt = 1;
-		return alg_info_ike;
-	}
-	else
-	{
-		free(alg_info_ike);
-		return NULL;
-	}
-}
-
-/*
- *      alg_info struct can be shared by
- *      several connections instances,
- *      handle free() with ref_cnts
- */
-void
-alg_info_addref(struct alg_info *alg_info)
-{
-	if (alg_info != NULL)
-	{
-		alg_info->ref_cnt++;
-	}
-}
-
-void
-alg_info_delref(struct alg_info **alg_info_p)
-{
-	struct alg_info *alg_info = *alg_info_p;
-
-	if (alg_info != NULL)
-	{
-		passert(alg_info->ref_cnt != 0);
-		alg_info->ref_cnt--;
-		if (alg_info->ref_cnt == 0)
-		{
-			alg_info_free(alg_info);
-		}
-		*alg_info_p = NULL;
-	}
-}
-
-/* snprint already parsed transform list (alg_info) */
-int
-alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
-{
-	char *ptr = buf;
-	int np = 0;
-	struct esp_info *esp_info;
-	struct ike_info *ike_info;
-	int cnt;
-
-	switch (alg_info->alg_info_protoid) {
-	case PROTO_IPSEC_ESP:
-		{
-			struct alg_info_esp *alg_info_esp = (struct alg_info_esp *)alg_info;
-
-			ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
-			{
-				np = snprintf(ptr, buflen, "%s",
-						enum_show(&esp_transform_names, esp_info->esp_ealg_id));
-				ptr += np;
-				buflen -= np;
-				if (esp_info->esp_ealg_keylen)
-				{
-					np = snprintf(ptr, buflen, "_%zu", esp_info->esp_ealg_keylen);
-					ptr += np;
-					buflen -= np;
-				}
-				np = snprintf(ptr, buflen, "/%s, ",
-						enum_show(&auth_alg_names, esp_info->esp_aalg_id));
-				ptr += np;
-				buflen -= np;
-				if (buflen < 0)
-					goto out;
-			}
-			if (alg_info_esp->esp_pfsgroup)
-			{
-				np = snprintf(ptr, buflen, "; pfsgroup=%s; ",
-						enum_show(&oakley_group_names, alg_info_esp->esp_pfsgroup));
-				ptr += np;
-				buflen -= np;
-				if (buflen < 0)
-					goto out;
-			}
-			break;
-		}
-
-	case PROTO_ISAKMP:
-		ALG_INFO_IKE_FOREACH((struct alg_info_ike *)alg_info, ike_info, cnt)
-		{
-			np = snprintf(ptr, buflen, "%s",
-					enum_show(&oakley_enc_names, ike_info->ike_ealg));
-			ptr += np;
-			buflen -= np;
-			if (ike_info->ike_eklen)
-			{
-				np = snprintf(ptr, buflen, "_%zu", ike_info->ike_eklen);
-				ptr += np;
-				buflen -= np;
-			}
-			np = snprintf(ptr, buflen, "/%s/%s, ",
-					enum_show(&oakley_hash_names, ike_info->ike_halg),
-					enum_show(&oakley_group_names, ike_info->ike_modp));
-			ptr += np;
-			buflen -= np;
-			if (buflen < 0)
-				goto out;
-		}
-		break;
-	default:
-		np = snprintf(buf, buflen, "INVALID protoid=%d\n"
-				, alg_info->alg_info_protoid);
-		ptr += np;
-		buflen -= np;
-		goto out;
-   }
-
-   np = snprintf(ptr, buflen, "%s"
-			, alg_info->alg_info_flags & ALG_INFO_F_STRICT?
-			"strict":"");
-   ptr += np;
-   buflen -= np;
-out:
-	if (buflen < 0)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "buffer space exhausted in alg_info_snprint_ike(), buflen=%d"
-			, buflen);
-	}
-
-	return ptr - buf;
-}
-
-int alg_info_snprint_esp(char *buf, int buflen, struct alg_info_esp *alg_info)
-{
-	char *ptr = buf;
-
-	int cnt = alg_info->alg_info_cnt;
-	struct esp_info *esp_info = alg_info->esp;
-
-	while (cnt--)
-	{
-		if (kernel_alg_esp_enc_ok(esp_info->esp_ealg_id, 0, NULL)
-		&&  kernel_alg_esp_auth_ok(esp_info->esp_aalg_id, NULL))
-		{
-			u_int eklen = (esp_info->esp_ealg_keylen)
-					? esp_info->esp_ealg_keylen
-					: kernel_alg_esp_enc_keylen(esp_info->esp_ealg_id)
-							* BITS_PER_BYTE;
-
-			u_int aklen = esp_info->esp_aalg_keylen
-					? esp_info->esp_aalg_keylen
-					: kernel_alg_esp_auth_keylen(esp_info->esp_aalg_id)
-							* BITS_PER_BYTE;
-
-			int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d, ",
-						   esp_info->esp_ealg_id, eklen,
-						   esp_info->esp_aalg_id, aklen);
-			ptr += ret;
-			buflen -= ret;
-			if (buflen < 0)
-				break;
-		}
-		esp_info++;
-	}
-	return ptr - buf;
-}
-
-int alg_info_snprint_ike(char *buf, int buflen, struct alg_info_ike *alg_info)
-{
-	char *ptr = buf;
-
-	int cnt = alg_info->alg_info_cnt;
-	struct ike_info *ike_info = alg_info->ike;
-
-	while (cnt--)
-	{
-		struct encrypt_desc *enc_desc = ike_alg_get_crypter(ike_info->ike_ealg);
-		struct hash_desc *hash_desc = ike_alg_get_hasher(ike_info->ike_halg);
-		struct dh_desc *dh_desc = ike_alg_get_dh_group(ike_info->ike_modp);
-
-		if (enc_desc &&  hash_desc && dh_desc)
-		{
-
-			u_int eklen = (ike_info->ike_eklen)
-						? ike_info->ike_eklen
-						: enc_desc->keydeflen;
-
-			u_int aklen = (ike_info->ike_hklen)
-						? ike_info->ike_hklen
-						: hash_desc->hash_digest_size * BITS_PER_BYTE;
-
-			int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d-%d, ",
-						   ike_info->ike_ealg, eklen,
-						   ike_info->ike_halg, aklen,
-						   ike_info->ike_modp);
-			ptr += ret;
-			buflen -= ret;
-			if (buflen < 0)
-				break;
-		}
-		ike_info++;
-	}
-	return ptr - buf;
-}
-
diff --git a/src/pluto/alg_info.h b/src/pluto/alg_info.h
deleted file mode 100644
index 85b88ddff..000000000
--- a/src/pluto/alg_info.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* Algorithm info parsing and creation functions
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef ALG_INFO_H
-#define ALG_INFO_H
-
-struct esp_info {
-		u_int8_t transid;       /* ESP transform */
-		u_int16_t auth;         /* AUTH */
-		size_t enckeylen;       /* keylength for ESP transform */
-		size_t authkeylen;      /* keylength for AUTH */
-		u_int8_t encryptalg;    /* normally  encryptalg=transid */
-		u_int8_t authalg;       /* normally  authalg=auth+1 */
-};
-
-struct ike_info {
-		u_int16_t ike_ealg;     /* high 16 bit nums for reserved */
-		u_int8_t ike_halg;
-		size_t ike_eklen;
-		size_t ike_hklen;
-		u_int16_t ike_modp;
-};
-
-#define ALG_INFO_COMMON \
-		int alg_info_cnt;               \
-		int ref_cnt;                    \
-		unsigned alg_info_flags;        \
-		unsigned alg_info_protoid
-
-struct alg_info {
-		ALG_INFO_COMMON;
-};
-
-struct alg_info_esp {
-		ALG_INFO_COMMON;
-		struct esp_info esp[64];
-		int esp_pfsgroup;
-};
-
-struct alg_info_ike {
-		ALG_INFO_COMMON;
-		struct ike_info ike[64];
-};
-#define esp_ealg_id transid
-#define esp_aalg_id auth
-#define esp_ealg_keylen enckeylen       /* bits */
-#define esp_aalg_keylen authkeylen      /* bits */
-
-/*      alg_info_flags bits */
-#define ALG_INFO_F_STRICT       0x01
-
-extern int alg_info_esp_aa2sadb(int auth);
-extern int alg_info_esp_sadb2aa(int sadb_aalg);
-extern void alg_info_free(struct alg_info *alg_info);
-extern void alg_info_addref(struct alg_info *alg_info);
-extern void alg_info_delref(struct alg_info **alg_info);
-extern struct alg_info_esp* alg_info_esp_create_from_str(char *alg_str);
-extern struct alg_info_ike* alg_info_ike_create_from_str(char *alg_str);
-extern int alg_info_parse(const char *str);
-extern int alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info);
-extern int alg_info_snprint_esp(char *buf, int buflen
-	, struct alg_info_esp *alg_info);
-extern int alg_info_snprint_ike(char *buf, int buflen
-	, struct alg_info_ike *alg_info);
-#define ALG_INFO_ESP_FOREACH(ai, ai_esp, i) \
-		for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++)
-#define ALG_INFO_IKE_FOREACH(ai, ai_ike, i) \
-		for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++)
-#endif /* ALG_INFO_H */
diff --git a/src/pluto/builder.c b/src/pluto/builder.c
deleted file mode 100644
index a6e05a330..000000000
--- a/src/pluto/builder.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/* Pluto certificate/CRL/AC builder hooks.
- * Copyright (C) 2002-2009 Andreas Steffen
- * Copyright (C) 2009 Martin Willi
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "builder.h"
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <credentials/certificates/certificate.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "certs.h"
-#include "crl.h"
-
-/**
- * Load a certificate
- */
-static cert_t *builder_load_cert(certificate_type_t type, va_list args)
-{
-	x509_flag_t flags = 0;
-	chunk_t blob = chunk_empty;
-	bool pgp = FALSE;
-
-	while (TRUE)
-	{
-		switch (va_arg(args, builder_part_t))
-		{
-			case BUILD_BLOB_PGP:
-				pgp = TRUE;
-				/* FALL */
-			case BUILD_BLOB_ASN1_DER:
-				blob = va_arg(args, chunk_t);
-				continue;
-			case BUILD_X509_FLAG:
-				flags |= va_arg(args, x509_flag_t);
-				continue;
-			case BUILD_END:
-				break;
-			default:
-				return NULL;
-		}
-		break;
-	}
-	if (blob.ptr)
-	{
-		cert_t *cert = malloc_thing(cert_t);
-
-		*cert = cert_empty;
-
-		if (pgp)
-		{
-			cert->cert = lib->creds->create(lib->creds,
-										   CRED_CERTIFICATE, CERT_GPG,
-										   BUILD_BLOB_PGP, blob,
-										   BUILD_END);
-		}
-		else
-		{
-			cert->cert = lib->creds->create(lib->creds,
-										   CRED_CERTIFICATE, CERT_X509,
-										   BUILD_BLOB_ASN1_DER, blob,
-										   BUILD_X509_FLAG, flags,
-										   BUILD_END);
-		}
-		if (cert->cert)
-		{
-			return cert;
-		}
-		plog("  error in X.509 certificate");
-		cert_free(cert);
-	}
-	return NULL;
-}
-
-/**
- * Load a CRL
- */
-static x509crl_t *builder_load_crl(certificate_type_t type, va_list args)
-{
-	chunk_t blob = chunk_empty;
-	x509crl_t *crl;
-
-	while (TRUE)
-	{
-		switch (va_arg(args, builder_part_t))
-		{
-			case BUILD_BLOB_ASN1_DER:
-				blob = va_arg(args, chunk_t);
-				continue;
-			case BUILD_END:
-				break;
-			default:
-				return NULL;
-		}
-		break;
-	}
-	if (blob.ptr)
-	{
-		crl = malloc_thing(x509crl_t);
-		crl->next = NULL;
-		crl->distributionPoints = linked_list_create();
-		crl->crl = lib->creds->create(lib->creds,
-									  CRED_CERTIFICATE, CERT_X509_CRL,
-									  BUILD_BLOB_ASN1_DER, blob,
-									  BUILD_END);
-		if (crl->crl)
-		{
-			return crl;
-		}
-		plog("  error in X.509 crl");
-		free_crl(crl);
-	}
-	return NULL;
-}
-
-void init_builder(void)
-{
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE,
-							(builder_function_t)builder_load_cert);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE,
-							(builder_function_t)builder_load_crl);
-}
-
-void free_builder(void)
-{
-	lib->creds->remove_builder(lib->creds, (builder_function_t)builder_load_cert);
-	lib->creds->remove_builder(lib->creds, (builder_function_t)builder_load_crl);
-}
-
diff --git a/src/pluto/builder.h b/src/pluto/builder.h
deleted file mode 100644
index 784751b7c..000000000
--- a/src/pluto/builder.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/* Pluto certificate/CRL/AC builder hooks.
- * Copyright (C) 2009 Martin Willi
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _BUILDER_H
-#define _BUILDER_H
-
-/* register credential builder hooks */
-extern void init_builder();
-/* unregister credential builder hooks */
-extern void free_builder();
-
-#endif /* _BUILDER_H */
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
deleted file mode 100644
index 827b98121..000000000
--- a/src/pluto/ca.c
+++ /dev/null
@@ -1,712 +0,0 @@
-/* Certification Authority (CA) support for IKE authentication
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include <debug.h>
-#include <utils/enumerator.h>
-#include <credentials/certificates/x509.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "x509.h"
-#include "ca.h"
-#include "certs.h"
-#include "whack.h"
-#include "fetch.h"
-#include "smartcard.h"
-
-/* chained list of X.509 authority certificates (ca, aa, and ocsp) */
-
-static cert_t *x509authcerts = NULL;
-
-/* chained list of X.509 certification authority information records */
-
-static ca_info_t *ca_infos = NULL;
-
-/*
- * Checks if CA a is trusted by CA b
- */
-bool trusted_ca(identification_t *a, identification_t *b, int *pathlen)
-{
-	bool match = FALSE;
-
-	/* no CA b specified -> any CA a is accepted */
-	if (b == NULL)
-	{
-		*pathlen = (a == NULL) ? 0 : X509_MAX_PATH_LEN;
-		return TRUE;
-	}
-
-	/* no CA a specified -> trust cannot be established */
-	if (a == NULL)
-	{
-		*pathlen = X509_MAX_PATH_LEN;
-		return FALSE;
-	}
-
-	*pathlen = 0;
-
-	/* CA a equals CA b -> we have a match */
-	if (a->equals(a, b))
-	{
-		return TRUE;
-	}
-
-	/* CA a might be a subordinate CA of b */
-	lock_authcert_list("trusted_ca");
-
-	while ((*pathlen)++ < X509_MAX_PATH_LEN)
-	{
-		certificate_t *certificate;
-		identification_t *issuer;
-		cert_t *cacert;
-
-		cacert = get_authcert(a, chunk_empty, X509_CA);
-		if (cacert == NULL)
-		{
-			break;
-		}
-		certificate = cacert->cert;
-
-		/* is the certificate self-signed? */
-		{
-			x509_t *x509 = (x509_t*)certificate;
-
-			if (x509->get_flags(x509) & X509_SELF_SIGNED)
-			{
-				break;
-			}
-		}
-
-		/* does the issuer of CA a match CA b? */
-		issuer = certificate->get_issuer(certificate);
-		match = b->equals(b, issuer);
-
-		/* we have a match and exit the loop */
-		if (match)
-		{
-			break;
-		}
-		/* go one level up in the CA chain */
-		a = issuer;
-	}
-
-	unlock_authcert_list("trusted_ca");
-	return match;
-}
-
-/*
- * does our CA match one of the requested CAs?
- */
-bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca,
-						int *our_pathlen)
-{
-	identification_t *ca;
-	enumerator_t *enumerator;
-
-	/* if no ca is requested than any ca will match */
-	if (requested_ca == NULL || requested_ca->get_count(requested_ca) == 0)
-	{
-		*our_pathlen = 0;
-		return TRUE;
-	}
-
-	*our_pathlen = X509_MAX_PATH_LEN + 1;
-
-	enumerator = requested_ca->create_enumerator(requested_ca);
-	while (enumerator->enumerate(enumerator, &ca))
-	{
-		int pathlen;
-
-		if (trusted_ca(our_ca, ca, &pathlen) && pathlen < *our_pathlen)
-		{
-			*our_pathlen = pathlen;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (*our_pathlen > X509_MAX_PATH_LEN)
-	{
-		*our_pathlen = X509_MAX_PATH_LEN;
-		return FALSE;
-	}
-	else
-	{
-		return TRUE;
-	}
-}
-
-/*
- *  free the first authority certificate in the chain
- */
-static void free_first_authcert(void)
-{
-	cert_t *first = x509authcerts;
-
-	x509authcerts = first->next;
-	cert_free(first);
-}
-
-/*
- *  free  all CA certificates
- */
-void free_authcerts(void)
-{
-	lock_authcert_list("free_authcerts");
-
-	while (x509authcerts != NULL)
-	{
-		free_first_authcert();
-	}
-	unlock_authcert_list("free_authcerts");
-}
-
-/*
- *  get a X.509 authority certificate with a given subject or keyid
- */
-cert_t* get_authcert(identification_t *subject, chunk_t keyid,
-						 x509_flag_t auth_flags)
-{
-	cert_t *cert, *prev_cert = NULL;
-
-	/* the authority certificate list is empty */
-	if (x509authcerts == NULL)
-	{
-		return NULL;
-	}
-
-	for (cert = x509authcerts; cert != NULL; prev_cert = cert, cert = cert->next)
-	{
-		certificate_t *certificate = cert->cert;
-		x509_t *x509 = (x509_t*)certificate;
-
-		/* skip non-matching types of authority certificates */
-		if (!(x509->get_flags(x509) & auth_flags))
-		{
-			continue;
-		}
-
-		/* compare the keyid with the certificate's subjectKeyIdentifier */
-		if (keyid.ptr)
-		{
-			chunk_t subjectKeyId;
-
-			subjectKeyId = x509->get_subjectKeyIdentifier(x509);
-			if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
-			{
-				continue;
-			}
-		}
-
-		/* compare the subjectDistinguishedNames */
-		if (!(subject && certificate->has_subject(certificate, subject)) &&
-			 (subject || !keyid.ptr))
-		{
-			continue;
-		}
-
-		/* found the authcert */
-		if (cert != x509authcerts)
-		{
-			/* bring the certificate up front */
-			prev_cert->next = cert->next;
-			cert->next = x509authcerts;
-			x509authcerts = cert;
-		}
-		return cert;
-	}
-	return NULL;
-}
-
-/*
- * add an authority certificate to the chained list
- */
-cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags)
-{
-	certificate_t *certificate = cert->cert;
-	x509_t *x509 = (x509_t*)certificate;
-	cert_t *old_cert;
-
-	lock_authcert_list("add_authcert");
-
-	old_cert = get_authcert(certificate->get_subject(certificate),
-							x509->get_subjectKeyIdentifier(x509),
-							auth_flags);
-	if (old_cert)
-	{
-		if (certificate->equals(certificate, old_cert->cert))
-		{
-			DBG(DBG_CONTROL | DBG_PARSING ,
-				DBG_log("  authcert is already present and identical")
-			)
-			unlock_authcert_list("add_authcert");
-
-			cert_free(cert);
-			return old_cert;
-		}
-		else
-		{
-			/* cert is already present but will be replaced by new cert */
-			free_first_authcert();
-			DBG(DBG_CONTROL | DBG_PARSING ,
-				DBG_log("  existing authcert deleted")
-			)
-		}
-	}
-
-	/* add new authcert to chained list */
-	cert->next = x509authcerts;
-	x509authcerts = cert;
-	cert_share(cert);  /* set count to one */
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("  authcert inserted")
-	)
-	unlock_authcert_list("add_authcert");
-	return cert;
-}
-
-/*
- *  Loads authority certificates
- */
-void load_authcerts(char *type, char *path, x509_flag_t auth_flags)
-{
-	enumerator_t *enumerator;
-	struct stat st;
-	char *file;
-
-	DBG1(DBG_LIB, "loading %s certificates from '%s'", type, path);
-
-	enumerator = enumerator_create_directory(path);
-	if (!enumerator)
-	{
-		DBG1(DBG_LIB, "  reading directory '%s' failed", path);
-		return;
-	}
-
-	while (enumerator->enumerate(enumerator, NULL, &file, &st))
-	{
-		cert_t *cert;
-
-		if (!S_ISREG(st.st_mode))
-		{
-			/* skip special file */
-			continue;
-		}
-		cert = load_cert(file, type, auth_flags);
-		if (cert)
-		{
-			add_authcert(cert, auth_flags);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/*
- *  list all X.509 authcerts with given auth flags in a chained list
- */
-void list_authcerts(const char *caption, x509_flag_t auth_flags, bool utc)
-{
-	lock_authcert_list("list_authcerts");
-	list_x509cert_chain(caption, x509authcerts, auth_flags, utc);
-	unlock_authcert_list("list_authcerts");
-}
-
-/*
- * get a cacert with a given subject or keyid from an alternative list
- */
-static const cert_t* get_alt_cacert(identification_t *subject, chunk_t keyid,
-										const cert_t *cert)
-{
-	if (cert == NULL)
-	{
-		return NULL;
-	}
-	for (; cert != NULL; cert = cert->next)
-	{
-		certificate_t *certificate = cert->cert;
-
-		/* compare the keyid with the certificate's subjectKeyIdentifier */
-		if (keyid.ptr)
-		{
-			x509_t *x509 = (x509_t*)certificate;
-			chunk_t subjectKeyId;
-
-			subjectKeyId = x509->get_subjectKeyIdentifier(x509);
-			if (subjectKeyId.ptr && !chunk_equals(keyid, subjectKeyId))
-			{
-				continue;
-			}
-		}
-
-		/* compare the subjectDistinguishedNames */
-		if (!certificate->has_subject(certificate, subject))
-		{
-			continue;
-		}
-
-		/* we found the cacert */
-		return cert;
-	}
-	return NULL;
-}
-
-/* establish trust into a candidate authcert by going up the trust chain.
- * validity and revocation status are not checked.
- */
-bool trust_authcert_candidate(const cert_t *cert, const cert_t *alt_chain)
-{
-	int pathlen;
-
-	lock_authcert_list("trust_authcert_candidate");
-
-	for (pathlen = 0; pathlen < X509_MAX_PATH_LEN; pathlen++)
-	{
-		certificate_t *certificate = cert->cert;
-		x509_t *x509 = (x509_t*)certificate;
-		identification_t *subject = certificate->get_subject(certificate);
-		identification_t *issuer = certificate->get_issuer(certificate);
-		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
-		const cert_t *authcert = NULL;
-
-		DBG(DBG_CONTROL,
-			DBG_log("subject: '%Y'", subject);
-			DBG_log("issuer:  '%Y'", issuer);
-			if (authKeyID.ptr != NULL)
-			{
-				DBG_log("authkey:  %#B", &authKeyID);
-			}
-		)
-
-		/* search in alternative chain first */
-		authcert = get_alt_cacert(issuer, authKeyID, alt_chain);
-
-		if (authcert != NULL)
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("issuer cacert found in alternative chain")
-			)
-		}
-		else
-		{
-			/* search in trusted chain */
-			authcert = get_authcert(issuer, authKeyID, X509_CA);
-
-			if (authcert != NULL)
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("issuer cacert found")
-				)
-			}
-			else
-			{
-				plog("issuer cacert not found");
-				unlock_authcert_list("trust_authcert_candidate");
-				return FALSE;
-			}
-		}
-
-		if (!certificate->issued_by(certificate, authcert->cert))
-		{
-			plog("certificate signature is invalid");
-			unlock_authcert_list("trust_authcert_candidate");
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("certificate signature is valid")
-		)
-
-		/* check if cert is a self-signed root ca */
-		if (pathlen > 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("reached self-signed root ca")
-			)
-			unlock_authcert_list("trust_authcert_candidate");
-			return TRUE;
-		}
-
-		/* go up one step in the trust chain */
-		cert = authcert;
-	}
-	plog("maximum ca path length of %d levels exceeded", X509_MAX_PATH_LEN);
-	unlock_authcert_list("trust_authcert_candidate");
-	return FALSE;
-}
-
-/*
- *  get a CA info record with a given authName or authKeyID
- */
-ca_info_t* get_ca_info(identification_t *name, chunk_t keyid)
-{
-	ca_info_t *ca= ca_infos;
-
-	while (ca != NULL)
-	{
-		if ((keyid.ptr) ? same_keyid(keyid, ca->authKeyID)
-			: name->equals(name, ca->authName))
-		{
-			return ca;
-		}
-		ca = ca->next;
-	}
-	return NULL;
-}
-
-
-/*
- *  free the dynamic memory used by a ca_info record
- */
-static void
-free_ca_info(ca_info_t* ca_info)
-{
-	if (ca_info == NULL)
-	{
-		return;
-	}
-	ca_info->crluris->destroy_function(ca_info->crluris, free);
-	DESTROY_IF(ca_info->authName);
-	free(ca_info->name);
-	free(ca_info->ldaphost);
-	free(ca_info->ldapbase);
-	free(ca_info->ocspuri);
-	free(ca_info->authKeyID.ptr);
-	free(ca_info);
-}
-
-/*
- *  free  all CA certificates
- */
-void free_ca_infos(void)
-{
-	while (ca_infos != NULL)
-	{
-		ca_info_t *ca = ca_infos;
-
-		ca_infos = ca_infos->next;
-		free_ca_info(ca);
-	}
-}
-
-/*
- * find a CA information record by name and optionally delete it
- */
-bool find_ca_info_by_name(const char *name, bool delete)
-{
-	ca_info_t **ca_p = &ca_infos;
-	ca_info_t *ca = *ca_p;
-
-	while (ca != NULL)
-	{
-		/* is there already an entry? */
-		if (streq(name, ca->name))
-		{
-			if (delete)
-			{
-				lock_ca_info_list("find_ca_info_by_name");
-				*ca_p = ca->next;
-				free_ca_info(ca);
-				plog("deleting ca description \"%s\"", name);
-				unlock_ca_info_list("find_ca_info_by_name");
-			}
-			return TRUE;
-		}
-		ca_p = &ca->next;
-		ca = *ca_p;
-	}
-	return FALSE;
-}
-
-/*
- * Create an empty ca_info_t record
- */
-ca_info_t* create_ca_info(void)
-{
-	ca_info_t *ca_info = malloc_thing(ca_info_t);
-
-	memset(ca_info, 0, sizeof(ca_info_t));
-	ca_info->crluris = linked_list_create();
-
-	return ca_info;
-}
-
-/**
- * Adds a CA description to a chained list
- */
-void add_ca_info(const whack_message_t *msg)
-{
-	smartcard_t *sc = NULL;
-	cert_t *cert = NULL;
-	bool cached_cert = FALSE;
-
-	if (find_ca_info_by_name(msg->name, FALSE))
-	{
-		loglog(RC_DUPNAME, "attempt to redefine ca record \"%s\"", msg->name);
-		return;
-	}
-
-	if (scx_on_smartcard(msg->cacert))
-	{
-		/* load CA cert from smartcard */
-		cert = scx_load_cert(msg->cacert, &sc, &cached_cert);
-	}
-	else
-	{
-		/* load CA cert from file */
-		cert = load_ca_cert(msg->cacert);
-	}
-
-	if (cert)
-	{
-		certificate_t *certificate = cert->cert;
-		x509_t *x509 = (x509_t*)certificate;
-		identification_t *subject = certificate->get_subject(certificate);
-		chunk_t subjectKeyID = x509->get_subjectKeyIdentifier(x509);
-		ca_info_t *ca = NULL;
-
-		/* does the authname already exist? */
-		ca = get_ca_info(subject, subjectKeyID);
-
-		if (ca != NULL)
-		{
-			/* ca_info is already present */
-			loglog(RC_DUPNAME, "  duplicate ca information in record \"%s\" found,"
-							   "ignoring \"%s\"", ca->name, msg->name);
-			cert_free(cert);
-			return;
-		}
-
-		plog("added ca description \"%s\"", msg->name);
-
-		/* create and initialize new ca_info record */
-		ca = create_ca_info();
-
-		/* name */
-		ca->name = clone_str(msg->name);
-
-		/* authName */
-		ca->authName = subject->clone(subject);
-		DBG(DBG_CONTROL,
-			DBG_log("authname: '%Y'", subject)
-		)
-
-		/* authKeyID */
-		if (subjectKeyID.ptr)
-		{
-			ca->authKeyID = chunk_clone(subjectKeyID);
-			DBG(DBG_CONTROL | DBG_PARSING ,
-				DBG_log("authkey:  %#B", &subjectKeyID)
-			)
-		}
-
-		/* ldaphost */
-		ca->ldaphost = clone_str(msg->ldaphost);
-
-		/* ldapbase */
-		ca->ldapbase = clone_str(msg->ldapbase);
-
-		/* ocspuri */
-		if (msg->ocspuri != NULL)
-		{
-			if (strncasecmp(msg->ocspuri, "http", 4) == 0)
-				ca->ocspuri = clone_str(msg->ocspuri);
-			else
-				plog("  ignoring ocspuri with unknown protocol");
-		}
-
-		/* add crl uris */
-		add_distribution_point(ca->crluris, msg->crluri);
-		add_distribution_point(ca->crluris, msg->crluri2);
-
-		/* strictrlpolicy */
-		ca->strictcrlpolicy = msg->whack_strict;
-
-		/* insert ca_info record into the chained list */
-		lock_ca_info_list("add_ca_info");
-
-		ca->next = ca_infos;
-		ca_infos = ca;
-
-		unlock_ca_info_list("add_ca_info");
-
-		/* add cacert to list of authcerts */
-		cert = add_authcert(cert, X509_CA);
-		if (!cached_cert && sc != NULL)
-		{
-			if (sc->last_cert != NULL)
-			{
-				sc->last_cert->count--;
-			}
-			sc->last_cert = cert;
-			cert_share(sc->last_cert);
-		}
-		if (sc != NULL)
-			time(&sc->last_load);
-	}
-}
-
-/*
- * list all ca_info records in the chained list
- */
-void list_ca_infos(bool utc)
-{
-	ca_info_t *ca = ca_infos;
-
-	if (ca != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of X.509 CA Information Records:");
-	}
-
-	while (ca != NULL)
-	{
-		/* strictpolicy per CA not supported yet
-		 *
-		whack_log(RC_COMMENT, "%T, \"%s\", strictcrlpolicy: %s"
-				, &ca->installed, utc, ca->name
-				, ca->strictcrlpolicy? "yes":"no");
-		*/
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "  authname: \"%Y\"", ca->authName);
-		if (ca->ldaphost)
-		{
-			whack_log(RC_COMMENT, "  ldaphost: '%s'", ca->ldaphost);
-		}
-		if (ca->ldapbase)
-		{
-			whack_log(RC_COMMENT, "  ldapbase: '%s'", ca->ldapbase);
-		}
-		if (ca->ocspuri)
-		{
-			whack_log(RC_COMMENT, "  ocspuri:  '%s'", ca->ocspuri);
-		}
-
-		list_distribution_points(ca->crluris);
-
-		if (ca->authKeyID.ptr)
-		{
-			whack_log(RC_COMMENT, "  authkey:   %#B", &ca->authKeyID);
-		}
-		ca = ca->next;
-	}
-}
-
diff --git a/src/pluto/ca.h b/src/pluto/ca.h
deleted file mode 100644
index d964a694a..000000000
--- a/src/pluto/ca.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* Certification Authority (CA) support for IKE authentication
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _CA_H
-#define _CA_H
-
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-
-#include "certs.h"
-#include "whack.h"
-
-/* CA info structures */
-
-typedef struct ca_info ca_info_t;
-
-struct ca_info {
-	ca_info_t        *next;
-	char             *name;
-	identification_t *authName;
-	chunk_t           authKeyID;
-	char             *ldaphost;
-	char             *ldapbase;
-	char             *ocspuri;
-	linked_list_t    *crluris;
-	bool              strictcrlpolicy;
-};
-
-extern bool trusted_ca(identification_t *a, identification_t *b, int *pathlen);
-extern bool match_requested_ca(linked_list_t *requested_ca,
-							   identification_t *our_ca, int *our_pathlen);
-extern cert_t* get_authcert(identification_t *subject, chunk_t keyid,
-								x509_flag_t auth_flags);
-extern void load_authcerts(char *type, char *path, x509_flag_t auth_flags);
-extern cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags);
-extern void free_authcerts(void);
-extern void list_authcerts(const char *caption, x509_flag_t auth_flags, bool utc);
-extern bool trust_authcert_candidate(const cert_t *cert, const cert_t *alt_chain);
-extern ca_info_t* get_ca_info(identification_t *name, chunk_t keyid);
-extern bool find_ca_info_by_name(const char *name, bool delete);
-extern void add_ca_info(const whack_message_t *msg);
-extern void delete_ca_info(const char *name);
-extern void free_ca_infos(void);
-extern void list_ca_infos(bool utc);
-
-#endif /* _CA_H */
-
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
deleted file mode 100644
index e866022df..000000000
--- a/src/pluto/certs.c
+++ /dev/null
@@ -1,268 +0,0 @@
-/* Certificate support for IKE authentication
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * HSR - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <asn1/asn1.h>
-#include <credentials/certificates/certificate.h>
-#include <credentials/certificates/pgp_certificate.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "certs.h"
-#include "whack.h"
-#include "fetch.h"
-#include "keys.h"
-#include "builder.h"
-
-/**
- * Initialization
- */
-const cert_t cert_empty = {
-	NULL   , /* cert */
-	NULL   , /* *next */
-	  0    , /* count */
-	FALSE    /* smartcard */
-};
-
-/**
- * Chained lists of X.509 and PGP end entity certificates
- */
-static cert_t *certs = NULL;
-
-/**
- *  Free a pluto certificate
- */
-void cert_free(cert_t *cert)
-{
-	if (cert)
-	{
-		certificate_t *certificate = cert->cert;
-
-		if (certificate)
-		{
-			certificate->destroy(certificate);
-		}
-		free(cert);
-	}
-}
-
-/**
- *  Add a pluto end entity certificate to the chained list
- */
-cert_t* cert_add(cert_t *cert)
-{
-	certificate_t *certificate = cert->cert;
-	cert_t *c;
-
-	lock_certs_and_keys("cert_add");
-
-	for (c = certs; c != NULL; c = c->next)
-	{
-		if (certificate->equals(certificate, c->cert))
-		{	/* already in chain, free cert */
-			unlock_certs_and_keys("cert_add");
-			cert_free(cert);
-			return c;
-		}
-	}
-
-	/* insert new cert at the root of the chain */
-	cert->next = certs;
-	certs = cert;
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("  cert inserted")
-	)
-	unlock_certs_and_keys("cert_add");
-	return cert;
-}
-
-/**
- *  Loads a X.509 or OpenPGP certificate
- */
-cert_t* load_cert(char *filename, const char *label, x509_flag_t flags)
-{
-	cert_t *cert;
-
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
-							  BUILD_FROM_FILE, filename,
-							  BUILD_X509_FLAG, flags,
-							  BUILD_END);
-	if (cert)
-	{
-		plog("  loaded %s certificate from '%s'", label, filename);
-	}
-	return cert;
-}
-
-/**
- *  Loads a host certificate
- */
-cert_t* load_host_cert(char *filename)
-{
-	char *path = concatenate_paths(HOST_CERT_PATH, filename);
-
-	return load_cert(path, "host", X509_NONE);
-}
-
-/**
- *  Loads a CA certificate
- */
-cert_t* load_ca_cert(char *filename)
-{
-	char *path = concatenate_paths(CA_CERT_PATH, filename);
-
-	return load_cert(path, "CA", X509_NONE);
-}
-
-/**
- * for each link pointing to the certificate increase the count by one
- */
-void cert_share(cert_t *cert)
-{
-	if (cert != NULL)
-	{
-		cert->count++;
-	}
-}
-
-/*  release of a certificate decreases the count by one
- *  the certificate is freed when the counter reaches zero
- */
-void cert_release(cert_t *cert)
-{
-	if (cert && --cert->count == 0)
-	{
-		cert_t **pp = &certs;
-		while (*pp != cert)
-		{
-			pp = &(*pp)->next;
-		}
-		*pp = cert->next;
-		cert_free(cert);
-	}
-}
-
-/**
- * Get a X.509 certificate with a given issuer found at a certain position
- */
-cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, cert_t *chain)
-{
-	cert_t *cert = chain ? chain->next : certs;
-
-	while (cert)
-	{
-		certificate_t *certificate = cert->cert;
-		x509_t *x509 = (x509_t*)certificate;
-		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
-
-		if (keyid.ptr ? same_keyid(keyid, authKeyID) :
-			certificate->has_issuer(certificate, issuer))
-		{
-			return cert;
-		}
-		cert = cert->next;
-	}
-	return NULL;
-}
-
-/**
- *  List all PGP end certificates in a chained list
- */
-void list_pgp_end_certs(bool utc)
-{
-	cert_t *cert = certs;
-	time_t now = time(NULL);
-	bool first = TRUE;
-
-
-	while (cert != NULL)
-	{
-		certificate_t *certificate = cert->cert;
-
-		if (certificate->get_type(certificate) == CERT_GPG)
-		{
-			time_t created, until;
-			public_key_t *key;
-			identification_t *userid = certificate->get_subject(certificate);
-			pgp_certificate_t *pgp_cert = (pgp_certificate_t*)certificate;
-			chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
-
-			if (first)
-			{
-				whack_log(RC_COMMENT, " ");
-				whack_log(RC_COMMENT, "List of PGP End Entity Certificates:");
-				first = false;
-			}
-			whack_log(RC_COMMENT, " ");
-			whack_log(RC_COMMENT, "  userid:   '%Y'", userid);
-			whack_log(RC_COMMENT, "  digest:    %#B", &fingerprint);
-
-			/* list validity */
-			certificate->get_validity(certificate, &now, &created, &until);
-			whack_log(RC_COMMENT, "  created:   %T", &created, utc);
-			whack_log(RC_COMMENT, "  until:     %T %s%s", &until, utc,
-					check_expiry(until, CA_CERT_WARNING_INTERVAL, TRUE),
-					(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
-
-			key = certificate->get_public_key(certificate);
-			if (key)
-			{
-				chunk_t keyid;
-
-				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
-						key_type_names, key->get_type(key),
-						key->get_keysize(key),
-						has_private_key(cert)? ", has private key" : "");
-				if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
-				{
-					whack_log(RC_COMMENT, "  keyid:     %#B", &keyid);
-				}
-				if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid))
-				{
-					whack_log(RC_COMMENT, "  subjkey:   %#B", &keyid);
-				}
-			}
-		}
-		cert = cert->next;
-	}
-}
-
-/**
- * List all X.509 end certificates in a chained list
- */
-void list_x509_end_certs(bool utc)
-{
-	list_x509cert_chain("End Entity", certs, X509_NONE, utc);
-}
-
-/**
- *  list all X.509 and OpenPGP end certificates
- */
-void cert_list(bool utc)
-{
-	list_x509_end_certs(utc);
-	list_pgp_end_certs(utc);
-}
-
diff --git a/src/pluto/certs.h b/src/pluto/certs.h
deleted file mode 100644
index b31c4c3ed..000000000
--- a/src/pluto/certs.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* Certificate support for IKE authentication
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * HSR - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _CERTS_H
-#define _CERTS_H
-
-#include <credentials/keys/private_key.h>
-#include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-
-#include <freeswan.h>
-
-#include "defs.h"
-
-/* path definitions for private keys, end certs,
- * cacerts, attribute certs and crls
- */
-#define PRIVATE_KEY_PATH  IPSEC_CONFDIR "/ipsec.d/private"
-#define HOST_CERT_PATH    IPSEC_CONFDIR "/ipsec.d/certs"
-#define CA_CERT_PATH      IPSEC_CONFDIR "/ipsec.d/cacerts"
-#define A_CERT_PATH       IPSEC_CONFDIR "/ipsec.d/acerts"
-#define AA_CERT_PATH      IPSEC_CONFDIR "/ipsec.d/aacerts"
-#define OCSP_CERT_PATH    IPSEC_CONFDIR "/ipsec.d/ocspcerts"
-#define CRL_PATH          IPSEC_CONFDIR "/ipsec.d/crls"
-#define REQ_PATH          IPSEC_CONFDIR "/ipsec.d/reqs"
-
-/* advance warning of imminent expiry of
- * cacerts, public keys, and crls
- */
-#define CA_CERT_WARNING_INTERVAL        30 /* days */
-#define OCSP_CERT_WARNING_INTERVAL      30 /* days */
-#define PUBKEY_WARNING_INTERVAL          7 /* days */
-#define CRL_WARNING_INTERVAL             7 /* days */
-#define ACERT_WARNING_INTERVAL           1 /* day */
-
-/* access structure for a pluto certificate */
-
-typedef struct cert_t cert_t;
-
-struct cert_t {
-	certificate_t  *cert;
-	cert_t         *next;
-	int             count;
-	bool            smartcard;
-};
-
-/* used for initialization */
-extern const cert_t cert_empty;
-
-/*  do not send certificate requests
- *  flag set in plutomain.c and used in ipsec_doi.c
- */
-extern bool no_cr_send;
-
-extern cert_t* load_cert(char *filename, const char *label, x509_flag_t flags);
-extern cert_t* load_host_cert(char *filename);
-extern cert_t* load_ca_cert(char *filename);
-extern cert_t* cert_add(cert_t *cert);
-extern void cert_free(cert_t *cert);
-extern void cert_share(cert_t *cert);
-extern void cert_release(cert_t *cert);
-extern void cert_list(bool utc);
-extern cert_t* get_x509cert(identification_t *issuer, chunk_t keyid, cert_t* chain);
-
-#endif /* _CERTS_H */
-
-
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
deleted file mode 100644
index 27cec40fc..000000000
--- a/src/pluto/connections.c
+++ /dev/null
@@ -1,4507 +0,0 @@
-/* information about connections between hosts and clients
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-#include <stdio.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-
-#include <freeswan.h>
-#include "kameipsec.h"
-
-#include <hydra.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/keys/private_key.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "myid.h"
-#include "x509.h"
-#include "ca.h"
-#include "crl.h"
-#include "certs.h"
-#include "ac.h"
-#include "smartcard.h"
-#include "fetch.h"
-#include "connections.h"
-#include "foodgroups.h"
-#include "demux.h"
-#include "state.h"
-#include "timer.h"
-#include "ipsec_doi.h"  /* needs demux.h and state.h */
-#include "server.h"
-#include "kernel.h"
-#include "log.h"
-#include "keys.h"
-#include "adns.h"       /* needs <resolv.h> */
-#include "dnskey.h"     /* needs keys.h and adns.h */
-#include "whack.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-#include "kernel_alg.h"
-#include "nat_traversal.h"
-#include "virtual.h"
-#include "whack_attribute.h"
-#include "modecfg.h"
-
-static void flush_pending_by_connection(connection_t *c);  /* forward */
-
-static connection_t *connections = NULL;
-
-/* struct host_pair: a nexus of information about a pair of hosts.
- * A host is an IP address, UDP port pair.  This is a debatable choice:
- * - should port be considered (no choice of port in standard)?
- * - should ID be considered (hard because not always known)?
- * - should IP address matter on our end (we don't know our end)?
- * Only oriented connections are registered.
- * Unoriented connections are kept on the unoriented_connections
- * linked list (using hp_next).  For them, host_pair is NULL.
- */
-
-struct host_pair {
-	struct {
-		ip_address addr;
-		u_int16_t port; /* host order */
-	} me, him;
-	bool initial_connection_sent;
-	connection_t *connections;     /* connections with this pair */
-	struct pending *pending;    /* awaiting Keying Channel */
-	struct host_pair *next;
-};
-
-static struct host_pair *host_pairs = NULL;
-
-static connection_t *unoriented_connections = NULL;
-
-/**
- * Check if an id was instantiated by assigning to it the current IP address
- */
-bool his_id_was_instantiated(const connection_t *c)
-{
-	if (c->kind != CK_INSTANCE)
-	{
-		return FALSE;
-	}
-	if (id_is_ipaddr(c->spd.that.id))
-	{
-		identification_t *host;
-		bool equal;
-
-		host = identification_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_addr);
-		equal = host->equals(host, c->spd.that.id);
-		host->destroy(host);
-		return equal;
-	}
-	else
-	{
-		return TRUE;
-	}
-}
-
-/**
- * Check to see that IDs of peers match
- */
-bool same_peer_ids(const connection_t *c, const connection_t *d,
-				   identification_t *his_id)
-{
-	return d->spd.this.id->equals(d->spd.this.id, c->spd.this.id) &&
-		   d->spd.that.id->equals(d->spd.that.id,
-								  his_id ? his_id : c->spd.that.id);
-}
-
-static struct host_pair *find_host_pair(const ip_address *myaddr,
-										u_int16_t myport,
-										const ip_address *hisaddr,
-										u_int16_t hisport)
-{
-	struct host_pair *p, *prev;
-
-	/* default hisaddr to an appropriate any */
-	if (hisaddr == NULL)
-		hisaddr = aftoinfo(addrtypeof(myaddr))->any;
-
-	if (nat_traversal_enabled)
-	{
-		/**
-		 * port is not relevant in host_pair. with nat_traversal we
-		 * always use pluto_port (500)
-		 */
-		myport = pluto_port;
-		hisport = pluto_port;
-	}
-
-	for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
-	{
-		if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
-		&&  sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
-		{
-			if (prev)
-			{
-				prev->next = p->next;   /* remove p from list */
-				p->next = host_pairs;   /* and stick it on front */
-				host_pairs = p;
-			}
-			break;
-		}
-	}
-	return p;
-}
-
-/* find head of list of connections with this pair of hosts */
-static connection_t *find_host_pair_connections(const ip_address *myaddr,
-													 u_int16_t myport,
-													 const ip_address *hisaddr,
-														u_int16_t hisport)
-{
-	struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
-
-	if (nat_traversal_enabled && hp && hisaddr)
-	{
-		connection_t *c;
-
-		for (c = hp->connections; c != NULL; c = c->hp_next)
-		{
-			if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport)
-				return c;
-		}
-		return NULL;
-	}
-	return hp == NULL? NULL : hp->connections;
-}
-
-static void connect_to_host_pair(connection_t *c)
-{
-	if (oriented(*c))
-	{
-		struct host_pair *hp;
-
-		ip_address his_addr = (c->spd.that.allow_any)
-							  ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
-							  : c->spd.that.host_addr;
-
-		hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
-			, &his_addr, c->spd.that.host_port);
-
-		if (hp == NULL)
-		{
-			/* no suitable host_pair -- build one */
-			hp = malloc_thing(struct host_pair);
-			hp->me.addr = c->spd.this.host_addr;
-			hp->him.addr = his_addr;
-			hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
-			hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
-			hp->initial_connection_sent = FALSE;
-			hp->connections = NULL;
-			hp->pending = NULL;
-			hp->next = host_pairs;
-			host_pairs = hp;
-		}
-		c->host_pair = hp;
-		c->hp_next = hp->connections;
-		hp->connections = c;
-	}
-	else
-	{
-		/* since this connection isn't oriented, we place it
-		 * in the unoriented_connections list instead.
-		 */
-		c->host_pair = NULL;
-		c->hp_next = unoriented_connections;
-		unoriented_connections = c;
-	}
-}
-
-/* find a connection by name.
- * If strict, don't accept a CK_INSTANCE.
- * Move the winner (if any) to the front.
- * If none is found, and strict, a diagnostic is logged to whack.
- */
-connection_t *con_by_name(const char *nm, bool strict)
-{
-	connection_t *p, *prev;
-
-	for (prev = NULL, p = connections; ; prev = p, p = p->ac_next)
-	{
-		if (p == NULL)
-		{
-			if (strict)
-				whack_log(RC_UNKNOWN_NAME
-					, "no connection named \"%s\"", nm);
-			break;
-		}
-		if (streq(p->name, nm)
-		&& (!strict || p->kind != CK_INSTANCE))
-		{
-			if (prev)
-			{
-				prev->ac_next = p->ac_next;     /* remove p from list */
-				p->ac_next = connections;       /* and stick it on front */
-				connections = p;
-			}
-			break;
-		}
-	}
-	return p;
-}
-
-void release_connection(connection_t *c, bool relations)
-{
-	if (c->kind == CK_INSTANCE)
-	{
-		/* This does everything we need.
-		 * Note that we will be called recursively by delete_connection,
-		 * but kind will be CK_GOING_AWAY.
-		 */
-		delete_connection(c, relations);
-	}
-	else
-	{
-		flush_pending_by_connection(c);
-		delete_states_by_connection(c, relations);
-		unroute_connection(c);
-	}
-}
-
-/* Delete a connection */
-
-#define list_rm(etype, enext, e, ehead) { \
-		etype **ep; \
-		for (ep = &(ehead); *ep != (e); ep = &(*ep)->enext) \
-			passert(*ep != NULL);    /* we must not come up empty-handed */ \
-		*ep = (e)->enext; \
-	}
-
-
-void delete_connection(connection_t *c, bool relations)
-{
-	modecfg_attribute_t *ca;
-	connection_t *old_cur_connection;
-	identification_t *client_id;
-
-	old_cur_connection = cur_connection == c? NULL : cur_connection;
-#ifdef DEBUG
-	lset_t old_cur_debugging = cur_debugging;
-#endif
-
-	set_cur_connection(c);
-
-	/* Must be careful to avoid circularity:
-	 * we mark c as going away so it won't get deleted recursively.
-	 */
-	passert(c->kind != CK_GOING_AWAY);
-	if (c->kind == CK_INSTANCE)
-	{
-		plog("deleting connection \"%s\" instance with peer %s {isakmp=#%lu/ipsec=#%lu}"
-			 , c->name
-			 , ip_str(&c->spd.that.host_addr)
-			 , c->newest_isakmp_sa, c->newest_ipsec_sa);
-		c->kind = CK_GOING_AWAY;
-	}
-	else
-	{
-		plog("deleting connection");
-	}
-	release_connection(c, relations);   /* won't delete c */
-
-	if (c->kind == CK_GROUP)
-	{
-		delete_group(c);
-	}
-
-	/* free up any logging resources */
-	perpeer_logfree(c);
-
-	/* find and delete c from connections list */
-	list_rm(connection_t, ac_next, c, connections);
-	cur_connection = old_cur_connection;
-
-	/* find and delete c from the host pair list */
-	if (c->host_pair == NULL)
-	{
-		if (c->ikev1)
-		{
-			list_rm(connection_t, hp_next, c, unoriented_connections);
-		}
-	}
-	else
-	{
-		struct host_pair *hp = c->host_pair;
-
-		list_rm(connection_t, hp_next, c, hp->connections);
-		c->host_pair = NULL;    /* redundant, but safe */
-
-		/* if there are no more connections with this host_pair
-		 * and we haven't even made an initial contact, let's delete
-		 * this guy in case we were created by an attempted DOS attack.
-		 */
-		if (hp->connections == NULL
-		&& !hp->initial_connection_sent)
-		{
-			passert(hp->pending == NULL);       /* ??? must deal with this! */
-			list_rm(struct host_pair, next, hp, host_pairs);
-			free(hp);
-		}
-	}
-	if (c->kind != CK_GOING_AWAY)
-	{
-		free(c->spd.that.virt);
-	}
-
-	client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
-
-	/* release virtual IP address lease if any */
-	if (c->spd.that.modecfg && c->spd.that.pool &&
-		!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
-	{
-		hydra->attributes->release_address(hydra->attributes, c->spd.that.pool,
-										   c->spd.that.host_srcip, client_id);
-	}
-
-	/* release requested attributes if any */
-	if (c->requested)
-	{
-		c->requested->destroy_function(c->requested,
-									  (void*)modecfg_attribute_destroy);
-	}
-
-	/* release other attributes if any */
-	if (c->attributes)
-	{
-		while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS)
-		{
-			hydra->attributes->release(hydra->attributes, ca->handler,
-									   client_id, ca->type, ca->value);
-			modecfg_attribute_destroy(ca);
-		}
-		c->attributes->destroy(c->attributes);
-	}
-
-	if (c->kind != CK_GOING_AWAY)
-	{
-		whack_attr->del_pool(whack_attr, c->name);
-	}
-
-	/* free internal data */
-#ifdef DEBUG
-	cur_debugging = old_cur_debugging;
-#endif
-	free(c->name);
-	DESTROY_IF(c->xauth_identity);
-	DESTROY_IF(c->spd.this.id);
-	DESTROY_IF(c->spd.this.ca);
-	DESTROY_IF(c->spd.this.groups);
-	DESTROY_IF(c->spd.this.host_srcip);
-	free(c->spd.this.updown);
-	free(c->spd.this.pool);
-	DESTROY_IF(c->spd.that.id);
-	DESTROY_IF(c->spd.that.ca);
-	DESTROY_IF(c->spd.that.groups);
-	DESTROY_IF(c->spd.that.host_srcip);
-	free(c->spd.that.updown);
-	free(c->spd.that.pool);
-	if (c->requested_ca)
-	{
-		c->requested_ca->destroy_offset(c->requested_ca,
-										offsetof(identification_t, destroy));
-	}
-#ifdef ADNS
-	gw_delref(&c->gw_info);
-#endif
-	lock_certs_and_keys("delete_connection");
-	cert_release(c->spd.this.cert);
-	scx_release(c->spd.this.sc);
-	cert_release(c->spd.that.cert);
-	scx_release(c->spd.that.sc);
-	unlock_certs_and_keys("delete_connection");
-
-	alg_info_delref((struct alg_info **)&c->alg_info_esp);
-	alg_info_delref((struct alg_info **)&c->alg_info_ike);
-
-	free(c);
-}
-
-/* Delete connections with the specified name */
-void delete_connections_by_name(const char *name, bool strict)
-{
-	connection_t *c = con_by_name(name, strict);
-
-	for (; c != NULL; c = con_by_name(name, FALSE))
-		delete_connection(c, FALSE);
-}
-
-void delete_every_connection(void)
-{
-	while (connections)
-	{
-		delete_connection(connections, TRUE);
-	}
-}
-
-void release_dead_interfaces(void)
-{
-	struct host_pair *hp;
-
-	for (hp = host_pairs; hp != NULL; hp = hp->next)
-	{
-		connection_t **pp
-			, *p;
-
-		for (pp = &hp->connections; (p = *pp) != NULL; )
-		{
-			if (p->interface->change == IFN_DELETE)
-			{
-				/* this connection's interface is going away */
-				enum connection_kind k = p->kind;
-
-				release_connection(p, TRUE);
-
-				if (k <= CK_PERMANENT)
-				{
-					/* The connection should have survived release:
-					 * move it to the unoriented_connections list.
-					 */
-					passert(p == *pp);
-
-					p->interface = NULL;
-
-					*pp = p->hp_next;   /* advance *pp */
-					p->host_pair = NULL;
-					p->hp_next = unoriented_connections;
-					unoriented_connections = p;
-				}
-				else
-				{
-					/* The connection should have vanished,
-					 * but the previous connection remains.
-					 */
-					passert(p != *pp);
-				}
-			}
-			else
-			{
-				pp = &p->hp_next;       /* advance pp */
-			}
-		}
-	}
-}
-
-/* adjust orientations of connections to reflect newly added interfaces */
-void check_orientations(void)
-{
-	/* try to orient all the unoriented connections */
-	{
-		connection_t *c = unoriented_connections;
-
-		unoriented_connections = NULL;
-
-		while (c)
-		{
-			connection_t *nxt = c->hp_next;
-
-			(void)orient(c);
-			connect_to_host_pair(c);
-			c = nxt;
-		}
-	}
-
-	/* Check that no oriented connection has become double-oriented.
-	 * In other words, the far side must not match one of our new interfaces.
-	 */
-	{
-		struct iface *i;
-
-		for (i = interfaces; i != NULL; i = i->next)
-		{
-			if (i->change == IFN_ADD)
-			{
-				struct host_pair *hp;
-
-				for (hp = host_pairs; hp != NULL; hp = hp->next)
-				{
-					if (sameaddr(&hp->him.addr, &i->addr)
-						&& hp->him.port == pluto_port)
-					{
-						/* bad news: the whole chain of connections
-						 * hanging off this host pair has both sides
-						 * matching an interface.
-						 * We'll get rid of them, using orient and
-						 * connect_to_host_pair.  But we'll be lazy
-						 * and not ditch the host_pair itself (the
-						 * cost of leaving it is slight and cannot
-						 * be induced by a foe).
-						 */
-						connection_t *c = hp->connections;
-
-						hp->connections = NULL;
-						while (c)
-						{
-							connection_t *nxt = c->hp_next;
-
-							c->interface = NULL;
-							(void)orient(c);
-							connect_to_host_pair(c);
-							c = nxt;
-						}
-					}
-				}
-			}
-		}
-	}
-}
-
-static err_t default_end(struct end *e, ip_address *dflt_nexthop)
-{
-	err_t ugh = NULL;
-	int af = addrtypeof(&e->host_addr);
-
-	if (af != AF_INET && af != AF_INET6)
-	{
-		return "unknown address family in default_end";
-	}
-
-	/* default ID to IP (but only if not NO_IP -- WildCard) */
-	if (e->id->get_type(e->id) == ID_ANY && !isanyaddr(&e->host_addr))
-	{
-		e->id->destroy(e->id);
-		e->id = identification_create_from_sockaddr((sockaddr_t*)&e->host_addr);
-		e->has_id_wildcards = FALSE;
-	}
-
-	/* default nexthop to other side */
-	if (isanyaddr(&e->host_nexthop))
-	{
-		e->host_nexthop = *dflt_nexthop;
-	}
-
-	/* default client to subnet containing only self
-	 * XXX This may mean that the client's address family doesn't match
-	 * tunnel_addr_family.
-	 */
-	if (!e->has_client)
-	{
-		ugh = addrtosubnet(&e->host_addr, &e->client);
-	}
-	return ugh;
-}
-
-/* Format the topology of a connection end, leaving out defaults.
- * Largest left end looks like: client === host : port [ host_id ] --- hop
- * Note: if that==NULL, skip nexthop
- * Returns strlen of formated result (length excludes NUL at end).
- */
-size_t format_end(char *buf, size_t buf_len, const struct end *this,
-				 const struct end *that, bool is_left, lset_t policy)
-{
-	char client[BUF_LEN];
-	const char *client_sep = "";
-	char protoport[sizeof(":255/65535")];
-	const char *host = NULL;
-	char host_space[ADDRTOT_BUF];
-	char host_port[sizeof(":65535")];
-	char host_id[BUF_LEN + 2];
-	char hop[ADDRTOT_BUF];
-	const char *hop_sep = "";
-	const char *open_brackets  = "";
-	const char *close_brackets = "";
-
-	if (isanyaddr(&this->host_addr))
-	{
-		switch (policy & (POLICY_GROUP | POLICY_OPPO))
-		{
-		case POLICY_GROUP:
-			host = "%group";
-			break;
-		case POLICY_OPPO:
-			host = "%opportunistic";
-			break;
-		case POLICY_GROUP | POLICY_OPPO:
-			host = "%opportunisticgroup";
-			break;
-		default:
-			host = "%any";
-			break;
-		}
-	}
-
-	client[0] = '\0';
-
-	if (is_virtual_end(this) && isanyaddr(&this->host_addr))
-	{
-		host = "%virtual";
-	}
-
-	/* [client===] */
-	if (this->has_client)
-	{
-		ip_address client_net, client_mask;
-
-		networkof(&this->client, &client_net);
-		maskof(&this->client, &client_mask);
-		client_sep = "===";
-
-		/* {client_subnet_wildcard} */
-		if (this->has_client_wildcard)
-		{
-			open_brackets  = "{";
-			close_brackets = "}";
-		}
-
-		if (isanyaddr(&client_net) && isanyaddr(&client_mask)
-		&& (policy & (POLICY_GROUP | POLICY_OPPO)))
-		{
-			client_sep = "";    /* boring case */
-		}
-		else if (subnetisnone(&this->client))
-		{
-			strncpy(client, "?", sizeof(client));
-		}
-		else
-		{
-			subnettot(&this->client, 0, client, sizeof(client));
-		}
-	}
-	else if (this->modecfg && this->host_srcip->is_anyaddr(this->host_srcip))
-	{
-		/* we are mode config client, or a server with a pool */
-		client_sep = "===";
-		client[0] = '%';
-		strncpy(client+1, this->pool ?: "modecfg", sizeof(client)-1);
-	}
-
-	/* host */
-	if (host == NULL)
-	{
-		addrtot(&this->host_addr, 0, host_space, sizeof(host_space));
-		host = host_space;
-	}
-
-	host_port[0] = '\0';
-	if (this->host_port != IKE_UDP_PORT)
-	{
-		snprintf(host_port, sizeof(host_port), ":%u", this->host_port);
-	}
-
-	/* payload portocol and port */
-	protoport[0] = '\0';
-	if (this->has_port_wildcard)
-	{
-		snprintf(protoport, sizeof(protoport), ":%u/%%any", this->protocol);
-	}
-	else if (this->port || this->protocol)
-	{
-		snprintf(protoport, sizeof(protoport), ":%u/%u", this->protocol
-			, this->port);
-	}
-
-	/* id */
-	snprintf(host_id, sizeof(host_id), "[%Y]", this->id);
-
-	/* [---hop] */
-	hop[0] = '\0';
-	hop_sep = "";
-	if (that && !sameaddr(&this->host_nexthop, &that->host_addr))
-	{
-		addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
-		hop_sep = "---";
-	}
-
-	if (is_left)
-	{
-		snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
-			, open_brackets, client, close_brackets, client_sep
-			, this->allow_any? "%":""
-			, host, host_port, host_id, protoport
-			, hop_sep, hop);
-	}
-	else
-	{
-		snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s"
-			, hop, hop_sep
-			, this->allow_any? "%":""
-			, host, host_port, host_id, protoport, client_sep
-			, open_brackets, client, close_brackets);
-	}
-	return strlen(buf);
-}
-
-/* format topology of a connection.
- * Two symmetric ends separated by ...
- */
-#define CONNECTION_BUF  (2 * (END_BUF - 1) + 4)
-
-static size_t format_connection(char *buf, size_t buf_len,
-								const connection_t *c,
-								struct spd_route *sr)
-{
-	size_t w = format_end(buf, buf_len, &sr->this, &sr->that, TRUE, LEMPTY);
-
-	w += snprintf(buf + w, buf_len - w, "...");
-	return w + format_end(buf + w, buf_len - w, &sr->that, &sr->this, FALSE, c->policy);
-}
-
-static void unshare_connection_strings(connection_t *c)
-{
-	c->name = clone_str(c->name);
-	if (c->xauth_identity)
-	{
-		c->xauth_identity = c->xauth_identity->clone(c->xauth_identity);
-	}
-	c->spd.this.id = c->spd.this.id->clone(c->spd.this.id);
-	c->spd.this.pool = clone_str(c->spd.this.pool);
-	c->spd.this.updown = clone_str(c->spd.this.updown);
-	c->spd.this.host_srcip = c->spd.this.host_srcip->clone(c->spd.this.host_srcip);
-	scx_share(c->spd.this.sc);
-	cert_share(c->spd.this.cert);
-	if (c->spd.this.ca)
-	{
-		c->spd.this.ca = c->spd.this.ca->clone(c->spd.this.ca);
-	}
-	if (c->spd.this.groups)
-	{
-		c->spd.this.groups = c->spd.this.groups->get_ref(c->spd.this.groups);
-	}
-	c->spd.that.id = c->spd.that.id->clone(c->spd.that.id);
-	c->spd.that.pool = clone_str(c->spd.that.pool);
-	c->spd.that.updown = clone_str(c->spd.that.updown);
-	c->spd.that.host_srcip = c->spd.that.host_srcip->clone(c->spd.that.host_srcip);
-	scx_share(c->spd.that.sc);
-	cert_share(c->spd.that.cert);
-	if (c->spd.that.ca)
-	{
-		c->spd.that.ca = c->spd.that.ca->clone(c->spd.that.ca);
-	}
-	if (c->spd.that.groups)
-	{
-		c->spd.that.groups = c->spd.that.groups->get_ref(c->spd.that.groups);
-	}
-
-	/* increment references to algo's */
-	alg_info_addref((struct alg_info *)c->alg_info_esp);
-	alg_info_addref((struct alg_info *)c->alg_info_ike);
-}
-
-static void load_end_certificate(char *filename, struct end *dst)
-{
-	time_t notBefore, notAfter;
-	cert_t *cert = NULL;
-	certificate_t *certificate;
-	bool cached_cert = FALSE;
-
-	/* initialize end certificate */
-	dst->cert = NULL;
-
-	/* initialize smartcard info record */
-	dst->sc = NULL;
-
-	if (filename)
-	{
-		if (scx_on_smartcard(filename))
-		{
-			/* load cert from smartcard */
-			cert = scx_load_cert(filename, &dst->sc, &cached_cert);
-		}
-		else
-		{
-			/* load cert from file */
-			cert = load_host_cert(filename);
-		}
-	}
-
-	if (cert)
-	{
-		certificate = cert->cert;
-
-		if (dst->id->get_type(dst->id) == ID_ANY ||
-			!certificate->has_subject(certificate, dst->id))
-		{
-			plog( "  id '%Y' not confirmed by certificate, defaulting to '%Y'",
-				 dst->id, certificate->get_subject(certificate));
-			dst->id->destroy(dst->id);
-			dst->id = certificate->get_subject(certificate);
-			dst->id = dst->id->clone(dst->id);
-		}
-
-		if (cached_cert)
-		{
-			dst->cert = cert;
-		}
-		else
-		{
-			if (!certificate->get_validity(certificate, NULL, &notBefore, &notAfter))
-			{
-				plog("certificate is invalid (valid from %T to %T)",
-					 &notBefore, FALSE, &notAfter, FALSE);
-				cert_free(cert);
-				return;
-			}
-			DBG(DBG_CONTROL,
-				DBG_log("certificate is valid")
-			)
-			add_public_key_from_cert(cert, notAfter, DAL_LOCAL);
-			dst->cert = cert_add(cert);
-		}
-		certificate = dst->cert->cert;
-
-		/* if no CA is defined, use issuer as default */
-		if (dst->ca == NULL && certificate->get_type(certificate) == CERT_X509)
-		{
-			identification_t *issuer;
-
-			issuer = certificate->get_issuer(certificate);
-			dst->ca = issuer->clone(issuer);
-		}
-
-		/* cache the certificate that was last retrieved from the smartcard */
-		if (dst->sc)
-		{
-			if (!dst->sc->last_cert ||
-			    !certificate->equals(certificate, dst->sc->last_cert->cert))
-			{
-				lock_certs_and_keys("load_end_certificates");
-				cert_release(dst->sc->last_cert);
-				dst->sc->last_cert = dst->cert;
-				cert_share(dst->cert);
-				unlock_certs_and_keys("load_end_certificates");
-			}
-			time(&dst->sc->last_load);
-		}
-	}
-	scx_share(dst->sc);
-	cert_share(dst->cert);
-}
-
-static bool extract_end(struct end *dst, const whack_end_t *src,
-						const char *name, bool is_left)
-{
-	bool same_ca = FALSE;
-
-	dst->is_left = is_left;
-	dst->id = identification_create_from_string(src->id);
-	dst->ca = NULL;
-
-	/* decode CA distinguished name, if any */
-	if (src->ca)
-	{
-		if streq(src->ca, "%same")
-		{
-			same_ca = TRUE;
-		}
-		else if (!streq(src->ca, "%any"))
-		{
-			dst->ca = identification_create_from_string(src->ca);
-			if (dst->ca->get_type(dst->ca) != ID_DER_ASN1_DN)
-			{
-				plog("bad CA string '%s', ignored", src->ca);
-				dst->ca->destroy(dst->ca);
-				dst->ca = NULL;
-			}
-		}
-	}
-
-	/* load local end certificate and extract ID, if any */
-	load_end_certificate(src->cert, dst);
-
-	/* does id has wildcards? */
-	dst->has_id_wildcards = dst->id->contains_wildcards(dst->id);
-
-	/* decode group attributes, if any */
-	if (src->groups)
-	{
-		dst->groups = ietf_attributes_create_from_string(src->groups);
-	}
-
-	/* the rest is simple copying of corresponding fields */
-	dst->host_addr = src->host_addr;
-	dst->host_nexthop = src->host_nexthop;
-	dst->host_srcip = host_create_from_sockaddr((sockaddr_t*)&src->host_srcip);
-	dst->has_natip = src->has_natip;
-	dst->client = src->client;
-	dst->protocol = src->protocol;
-	dst->port = src->port;
-	dst->has_port_wildcard = src->has_port_wildcard;
-	dst->key_from_DNS_on_demand = src->key_from_DNS_on_demand;
-	dst->has_client = src->has_client;
-	dst->has_client_wildcard = src->has_client_wildcard;
-	dst->modecfg = src->modecfg;
-	dst->hostaccess = src->hostaccess;
-	dst->allow_any = src->allow_any;
-	dst->sendcert = src->sendcert;
-	dst->updown = clone_str(src->updown);
-	dst->host_port = src->host_port;
-
-	/* if the sourceip netmask is zero a named pool exists */
-	if (src->sourceip_mask == 0)
-	{
-		dst->pool = clone_str(src->sourceip);
-	}
-
-	/* if host sourceip is defined but no client is present
-	 * behind the host then set client to sourceip/32
-	 */
-	if (!dst->host_srcip->is_anyaddr(dst->host_srcip) &&
-		!dst->has_natip && !dst->has_client)
-	{
-		ip_address addr;
-		err_t ugh;
-
-		addr = *(ip_address*)dst->host_srcip->get_sockaddr(dst->host_srcip);
-		ugh = addrtosubnet(&addr, &dst->client);
-
-		if (ugh)
-		{
-			plog("could not assign host sourceip to client subnet");
-		}
-		else
-		{
-			dst->has_client = TRUE;
-		}
-	}
-	return same_ca;
-}
-
-static bool check_connection_end(const whack_end_t *this,
-								 const whack_end_t *that,
-								 const whack_message_t *wm)
-{
-	if (wm->addr_family != addrtypeof(&this->host_addr)
-	|| wm->addr_family != addrtypeof(&this->host_nexthop)
-	|| (this->has_client? wm->tunnel_addr_family : wm->addr_family)
-	  != subnettypeof(&this->client)
-	|| subnettypeof(&this->client) != subnettypeof(&that->client))
-	{
-		/* this should have been diagnosed by whack, so we need not be clear
-		 * !!! overloaded use of RC_CLASH
-		 */
-		loglog(RC_CLASH, "address family inconsistency in connection");
-		return FALSE;
-	}
-
-	if (isanyaddr(&that->host_addr))
-	{
-		/* other side is wildcard: we must check if other conditions met */
-		if (isanyaddr(&this->host_addr))
-		{
-			loglog(RC_ORIENT, "connection must specify host IP address for our side");
-			return FALSE;
-		}
-	}
-
-	if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client))
-	{
-		loglog(RC_CLASH,
-			"virtual IP must only be used with %%any and without client");
-		return FALSE;
-	}
-
-	return TRUE;        /* happy */
-}
-
-connection_t *find_connection_by_reqid(uint32_t reqid)
-{
-	connection_t *c;
-
-	reqid &= ~3;
-	for (c = connections; c != NULL; c = c->ac_next)
-	{
-		if (c->spd.reqid == reqid)
-		{
-			return c;
-		}
-	}
-
-	return NULL;
-}
-
-static uint32_t gen_reqid(void)
-{
-	uint32_t start;
-	static uint32_t reqid = IPSEC_MANUAL_REQID_MAX & ~3;
-
-	start = reqid;
-	do {
-		reqid += 4;
-		if (reqid == 0)
-		{
-			reqid = (IPSEC_MANUAL_REQID_MAX & ~3) + 4;
-		}
-		if (!find_connection_by_reqid(reqid))
-		{
-			return reqid;
-		}
-	} while (reqid != start);
-
-	exit_log("unable to allocate reqid");
-	return 0; /* never reached ... */
-}
-
-void add_connection(const whack_message_t *wm)
-{
-	if (con_by_name(wm->name, FALSE) != NULL)
-	{
-		loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", wm->name);
-	}
-	else if (wm->right.protocol != wm->left.protocol)
-	{
-		/* this should haven been diagnosed by whack
-		 * !!! overloaded use of RC_CLASH
-		 */
-		loglog(RC_CLASH, "the protocol must be the same for leftport and rightport");
-	}
-	else if (check_connection_end(&wm->right, &wm->left, wm)
-	&& check_connection_end(&wm->left, &wm->right, wm))
-	{
-		bool same_rightca, same_leftca;
-		connection_t *c = malloc_thing(connection_t);
-
-		zero(c);
-		c->name   = clone_str(wm->name);
-		c->ikev1  = wm->ikev1;
-		c->policy = wm->policy;
-
-		if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
-		{
-			loglog(RC_COMMENT
-				, "ignoring --compress in \"%s\" because kernel does not support IPCOMP"
-				, c->name);
-		}
-
-		if (wm->esp)
-		{
-			 DBG(DBG_CONTROL,
-				DBG_log("from whack: got --esp=%s", wm->esp ? wm->esp: "NULL")
-			)
-			c->alg_info_esp = alg_info_esp_create_from_str(wm->esp? wm->esp : "");
-
-			DBG(DBG_CRYPT|DBG_CONTROL,
-				static char buf[BUF_LEN]="<NULL>";
-
-				if (c->alg_info_esp)
-				{
-					alg_info_snprint(buf, sizeof(buf)
-							,(struct alg_info *)c->alg_info_esp);
-				}
-				DBG_log("esp proposal: %s", buf);
-			)
-			if (c->alg_info_esp)
-			{
-				if (c->alg_info_esp->alg_info_cnt == 0)
-				{
-					 loglog(RC_LOG_SERIOUS, "got 0 esp transforms");
-				}
-			}
-			else
-			{
-				loglog(RC_LOG_SERIOUS, "syntax error in esp string");
-			}
-		}
-
-		if (wm->ike)
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("from whack: got --ike=%s", wm->ike ? wm->ike: "NULL")
-			)
-			c->alg_info_ike= alg_info_ike_create_from_str(wm->ike? wm->ike : "");
-
-			DBG(DBG_CRYPT|DBG_CONTROL,
-				static char buf[BUF_LEN]="<NULL>";
-
-				if (c->alg_info_ike)
-				{
-					alg_info_snprint(buf, sizeof(buf)
-							, (struct alg_info *)c->alg_info_ike);
-				}
-				DBG_log("ike proposal: %s", buf);
-			)
-			if (c->alg_info_ike)
-			{
-				if (c->alg_info_ike->alg_info_cnt == 0)
-				{
-					loglog(RC_LOG_SERIOUS, "got 0 ike transforms");
-				}
-			}
-			else
-			{
-				loglog(RC_LOG_SERIOUS, "syntax error in ike string");
-			}
-		}
-
-		if (wm->xauth_identity)
-		{
-			c->xauth_identity
-					= identification_create_from_string(wm->xauth_identity);
-		}
-
-		c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
-		c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
-		c->sa_rekey_margin = wm->sa_rekey_margin;
-		c->sa_rekey_fuzz = wm->sa_rekey_fuzz;
-		c->sa_keying_tries = wm->sa_keying_tries;
-
-		/* RFC 3706 DPD */
-		c->dpd_delay = wm->dpd_delay;
-		c->dpd_timeout = wm->dpd_timeout;
-		c->dpd_action = wm->dpd_action;
-
-		c->addr_family = wm->addr_family;
-		c->tunnel_addr_family = wm->tunnel_addr_family;
-
-		c->requested_ca = NULL;
-		same_leftca  = extract_end(&c->spd.this, &wm->left, wm->name, TRUE);
-		same_rightca = extract_end(&c->spd.that, &wm->right, wm->name, FALSE);
-
-		if (same_rightca && c->spd.this.ca)
-		{
-			c->spd.that.ca = c->spd.this.ca->clone(c->spd.this.ca);
-		}
-		else if (same_leftca && c->spd.that.ca)
-		{
-			c->spd.this.ca = c->spd.that.ca->clone(c->spd.that.ca);
-		}
-
-		default_end(&c->spd.this, &c->spd.that.host_addr);
-		default_end(&c->spd.that, &c->spd.this.host_addr);
-
-		/* force any wildcard host IP address, any wildcard subnet
-		 * or any wildcard ID to that end
-		 */
-		if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
-		|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
-		|| c->spd.this.allow_any)
-		{
-			struct end t = c->spd.this;
-
-			c->spd.this = c->spd.that;
-			c->spd.that = t;
-		}
-
-		c->spd.next = NULL;
-		c->spd.reqid = wm->reqid ?: gen_reqid();
-
-		c->spd.mark_in.value = wm->mark_in.value;
-		c->spd.mark_in.mask = wm->mark_in.mask;
-		c->spd.mark_out.value = wm->mark_out.value;
-		c->spd.mark_out.mask = wm->mark_out.mask;
-
-		/* set internal fields */
-		c->instance_serial = 0;
-		c->ac_next = connections;
-		connections = c;
-		c->interface = NULL;
-		c->spd.routing = RT_UNROUTED;
-		c->newest_isakmp_sa = SOS_NOBODY;
-		c->newest_ipsec_sa = SOS_NOBODY;
-		c->spd.eroute_owner = SOS_NOBODY;
-
-		if (c->policy & POLICY_GROUP)
-		{
-			c->kind = CK_GROUP;
-			add_group(c);
-		}
-		else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
-		|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
-		|| c->spd.that.has_id_wildcards || c->spd.that.allow_any)
-		{
-			/* Opportunistic or Road Warrior or wildcard client subnet
-			 * or wildcard ID */
-			c->kind = CK_TEMPLATE;
-		}
-		else
-		{
-			c->kind = CK_PERMANENT;
-		}
-		set_policy_prio(c);     /* must be after kind is set */
-
-#ifdef DEBUG
-		c->extra_debugging = wm->debugging;
-#endif
-
-		c->gw_info = NULL;
-
-		passert(!(wm->left.virt && wm->right.virt));
-		if (wm->left.virt || wm->right.virt)
-		{
-			passert(isanyaddr(&c->spd.that.host_addr));
-			c->spd.that.virt = create_virtual(c,
-				wm->left.virt ? wm->left.virt : wm->right.virt);
-			if (c->spd.that.virt)
-				c->spd.that.has_client = TRUE;
-		}
-
-		(void)orient(c);
-
-		/* if rightsourceip defines a subnet then create an in-memory pool */
-		if (whack_attr->add_pool(whack_attr, c->name,
-							c->spd.this.is_left ? &wm->right : &wm->left))
-		{
-			c->spd.that.pool = clone_str(c->name);
-			c->spd.that.modecfg = TRUE;
-			c->spd.that.has_client = FALSE;
-			/* reset the host_srcip so that it gets assigned in modecfg */
-			DESTROY_IF(c->spd.that.host_srcip);
-			c->spd.that.host_srcip = host_create_any(AF_INET);
-		}
-
-		if (c->ikev1)
-		{
-			connect_to_host_pair(c);
-		}
-
-		/* log all about this connection */
-		plog("added connection description \"%s\"", c->name);
-		DBG(DBG_CONTROL,
-			char topo[BUF_LEN];
-
-			(void) format_connection(topo, sizeof(topo), c, &c->spd);
-
-			DBG_log("%s", topo);
-
-			/* Make sure that address families can be correctly inferred
-			 * from printed ends.
-			 */
-			passert(c->addr_family == addrtypeof(&c->spd.this.host_addr)
-				&& c->addr_family == addrtypeof(&c->spd.this.host_nexthop)
-				&& (c->spd.this.has_client? c->tunnel_addr_family : c->addr_family)
-				  == subnettypeof(&c->spd.this.client)
-
-				&& c->addr_family == addrtypeof(&c->spd.that.host_addr)
-				&& c->addr_family == addrtypeof(&c->spd.that.host_nexthop)
-				&& (c->spd.that.has_client? c->tunnel_addr_family : c->addr_family)
-				  == subnettypeof(&c->spd.that.client));
-
-			DBG_log("ike_life: %lus; ipsec_life: %lus; rekey_margin: %lus;"
-				" rekey_fuzz: %lu%%; keyingtries: %lu; policy: %s"
-				, (unsigned long) c->sa_ike_life_seconds
-				, (unsigned long) c->sa_ipsec_life_seconds
-				, (unsigned long) c->sa_rekey_margin
-				, (unsigned long) c->sa_rekey_fuzz
-				, (unsigned long) c->sa_keying_tries
-				, prettypolicy(c->policy));
-		);
-	}
-}
-
-/* Derive a template connection from a group connection and target.
- * Similar to instantiate().  Happens at whack --listen.
- * Returns name of new connection.  May be NULL.
- * Caller is responsible for freeing.
- */
-char *add_group_instance(connection_t *group, const ip_subnet *target)
-{
-	char namebuf[100], targetbuf[SUBNETTOT_BUF];
-	connection_t *t;
-	char *name = NULL;
-
-	passert(group->kind == CK_GROUP);
-	passert(oriented(*group));
-
-	/* manufacture a unique name for this template */
-	subnettot(target, 0, targetbuf, sizeof(targetbuf));
-	snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf);
-
-	if (con_by_name(namebuf, FALSE) != NULL)
-	{
-		loglog(RC_DUPNAME, "group name + target yields duplicate name \"%s\""
-			, namebuf);
-	}
-	else
-	{
-		t = clone_thing(*group);
-		t->name = namebuf;
-		unshare_connection_strings(t);
-		name = clone_str(t->name);
-		t->spd.that.client = *target;
-		t->policy &= ~(POLICY_GROUP | POLICY_GROUTED);
-		t->kind = isanyaddr(&t->spd.that.host_addr) && !NEVER_NEGOTIATE(t->policy)
-			? CK_TEMPLATE : CK_INSTANCE;
-
-		/* reset log file info */
-		t->log_file_name = NULL;
-		t->log_file = NULL;
-		t->log_file_err = FALSE;
-
-		t->spd.reqid = gen_reqid();
-
-		if (t->spd.that.virt)
-		{
-			DBG_log("virtual_ip not supported in group instance");
-			t->spd.that.virt = NULL;
-		}
-
-		/* add to connections list */
-		t->ac_next = connections;
-		connections = t;
-
-		/* same host_pair as parent: stick after parent on list */
-		group->hp_next = t;
-
-		/* route if group is routed */
-		if (group->policy & POLICY_GROUTED)
-		{
-			if (!trap_connection(t))
-				whack_log(RC_ROUTE, "could not route");
-		}
-	}
-	return name;
-}
-
-/* an old target has disappeared for a group: delete instance */
-void remove_group_instance(const connection_t *group USED_BY_DEBUG,
-						   const char *name)
-{
-	passert(group->kind == CK_GROUP);
-	passert(oriented(*group));
-
-	delete_connections_by_name(name, FALSE);
-}
-
-/* Common part of instantiating a Road Warrior or Opportunistic connection.
- * his_id can be used to carry over an ID discovered in Phase 1.
- * It must not disagree with the one in c, but if that is unspecified,
- * the new connection will use his_id.
- * If his_id is NULL, and c.that.id is uninstantiated (ID_ANY), the
- * new connection will continue to have an uninstantiated that.id.
- * Note: instantiation does not affect port numbers.
- *
- * Note that instantiate can only deal with a single SPD/eroute.
- */
-static connection_t *instantiate(connection_t *c, const ip_address *him,
-								 u_int16_t his_port, identification_t *his_id)
-{
-	connection_t *d;
-
-	passert(c->kind == CK_TEMPLATE);
-	passert(c->spd.next == NULL);
-
-	c->instance_serial++;
-	d = clone_thing(*c);
-	d->spd.that.allow_any = FALSE;
-
-	if (his_id)
-	{
-		d->spd.that.id = his_id;
-		d->spd.that.has_id_wildcards = FALSE;
-	}
-	unshare_connection_strings(d);
-	if (d->spd.this.groups)
-	{
-		d->spd.this.groups = d->spd.this.groups->get_ref(d->spd.this.groups);
-	}
-	if (d->spd.that.groups)
-	{
-		d->spd.that.groups = d->spd.that.groups->get_ref(d->spd.that.groups);
-	}
-	d->kind = CK_INSTANCE;
-
-	passert(oriented(*d));
-	d->spd.that.host_addr = *him;
-	setportof(htons(c->spd.that.port), &d->spd.that.host_addr);
-
-	if (his_port) d->spd.that.host_port = his_port;
-
-	default_end(&d->spd.that, &d->spd.this.host_addr);
-
-	/* We cannot guess what our next_hop should be, but if it was
-	 * explicitly specified as 0.0.0.0, we set it to be him.
-	 * (whack will not allow nexthop to be elided in RW case.)
-	 */
-	default_end(&d->spd.this, &d->spd.that.host_addr);
-	d->spd.next = NULL;
-	d->spd.reqid = gen_reqid();
-
-	/* set internal fields */
-	d->ac_next = connections;
-	connections = d;
-	d->spd.routing = RT_UNROUTED;
-	d->newest_isakmp_sa = SOS_NOBODY;
-	d->newest_ipsec_sa = SOS_NOBODY;
-	d->spd.eroute_owner = SOS_NOBODY;
-
-	/* reset log file info */
-	d->log_file_name = NULL;
-	d->log_file = NULL;
-	d->log_file_err = FALSE;
-
-	connect_to_host_pair(d);
-
-	if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
-	{
-		d->spd.this.host_nexthop = *him;
-	}
-	return d;
-}
-
-connection_t *rw_instantiate(connection_t *c, const ip_address *him,
-							 u_int16_t his_port, const ip_subnet *his_net,
-							 identification_t *his_id)
-{
-	connection_t *d = instantiate(c, him, his_port, his_id);
-
-	if (d && his_net && is_virtual_connection(c))
-	{
-		d->spd.that.client = *his_net;
-		d->spd.that.virt = NULL;
-		if (subnetishost(his_net) && addrinsubnet(him, his_net))
-			d->spd.that.has_client = FALSE;
-	}
-
-	if (d->policy & POLICY_OPPO)
-	{
-		/* This must be before we know the client addresses.
-		 * Fill in one that is impossible.  This prevents anyone else from
-		 * trying to use this connection to get to a particular client
-		 */
-		d->spd.that.client = *aftoinfo(subnettypeof(&d->spd.that.client))->none;
-	}
-	DBG(DBG_CONTROL
-		, DBG_log("instantiated \"%s\" for %s" , d->name, ip_str(him)));
-	return d;
-}
-
-#ifdef ADNS
-
-connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
-							   identification_t *his_id, struct gw_info *gw,
-							   const ip_address *our_client USED_BY_DEBUG,
-							   const ip_address *peer_client)
-{
-	connection_t *d = instantiate(c, him, 0, his_id);
-
-	passert(d->spd.next == NULL);
-
-	/* fill in our client side */
-	if (d->spd.this.has_client)
-	{
-		/* there was a client in the abstract connection
-		 * so we demand that the required client is within that subnet.
-		 */
-		passert(addrinsubnet(our_client, &d->spd.this.client));
-		happy(addrtosubnet(our_client, &d->spd.this.client));
-		/* opportunistic connections do not use port selectors */
-		setportof(0, &d->spd.this.client.addr);
-	}
-	else
-	{
-		/* there was no client in the abstract connection
-		 * so we demand that the required client be the host
-		 */
-		passert(sameaddr(our_client, &d->spd.this.host_addr));
-	}
-
-	/* fill in peer's client side.
-	 * If the client is the peer, excise the client from the connection.
-	 */
-	passert((d->policy & POLICY_OPPO)
-		&& addrinsubnet(peer_client, &d->spd.that.client));
-	happy(addrtosubnet(peer_client, &d->spd.that.client));
-	/* opportunistic connections do not use port selectors */
-	setportof(0, &d->spd.that.client.addr);
-
-	if (sameaddr(peer_client, &d->spd.that.host_addr))
-		d->spd.that.has_client = FALSE;
-
-	passert(d->gw_info == NULL);
-	gw_addref(gw);
-	d->gw_info = gw;
-
-	/* Adjust routing if something is eclipsing c.
-	 * It must be a %hold for us (hard to passert this).
-	 * If there was another instance eclipsing, we'd be using it.
-	 */
-	if (c->spd.routing == RT_ROUTED_ECLIPSED)
-		d->spd.routing = RT_ROUTED_PROSPECTIVE;
-
-	/* Remember if the template is routed:
-	 * if so, this instance applies for initiation
-	 * even if it is created for responding.
-	 */
-	if (routed(c->spd.routing))
-		d->instance_initiation_ok = TRUE;
-
-	DBG(DBG_CONTROL,
-		char topo[BUF_LEN];
-
-		(void) format_connection(topo, sizeof(topo), d, &d->spd);
-		DBG_log("instantiated \"%s\": %s", d->name, topo);
-	);
-	return d;
-}
-
-#endif /* ADNS */
-
-/* priority formatting */
-void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
-{
-	if (pp == BOTTOM_PRIO)
-	{
-		snprintf(buf, POLICY_PRIO_BUF, "0");
-	}
-	else
-	{
-		snprintf(buf, POLICY_PRIO_BUF, "%lu,%lu"
-			, pp>>16, (pp & ~(~(policy_prio_t)0 << 16)) >> 8);
-	}
-}
-
-/* Format any information needed to identify an instance of a connection.
- * Fills any needed information into buf which MUST be big enough.
- * Road Warrior: peer's IP address
- * Opportunistic: [" " myclient "==="] " ..." peer ["===" hisclient] '\0'
- */
-static size_t fmt_client(const ip_subnet *client, const ip_address *gw,
-						 const char *prefix, char buf[ADDRTOT_BUF])
-{
-	if (subnetisaddr(client, gw))
-	{
-		buf[0] = '\0';  /* compact denotation for "self" */
-	}
-	else
-	{
-		char *ap;
-
-		strcpy(buf, prefix);
-		ap = buf + strlen(prefix);
-		if (subnetisnone(client))
-			strcpy(ap, "?");    /* unknown */
-		else
-			subnettot(client, 0, ap, SUBNETTOT_BUF);
-	}
-	return strlen(buf);
-}
-
-void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF])
-{
-	char *p = buf;
-
-	*p = '\0';
-
-	if (c->kind == CK_INSTANCE)
-	{
-		if (c->instance_serial != 0)
-		{
-			snprintf(p, CONN_INST_BUF, "[%lu]", c->instance_serial);
-			p += strlen(p);
-		}
-
-		if (c->policy & POLICY_OPPO)
-		{
-			size_t w = fmt_client(&c->spd.this.client, &c->spd.this.host_addr, " ", p);
-
-			p += w;
-
-			strcpy(p, w == 0? " ..." : "=== ...");
-			p += strlen(p);
-
-			addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
-			p += strlen(p);
-
-			(void) fmt_client(&c->spd.that.client, &c->spd.that.host_addr, "===", p);
-		}
-		else
-		{
-			*p++ = ' ';
-			addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
-#
-			if (c->spd.that.host_port != pluto_port)
-			{
-				p += strlen(p);
-				sprintf(p, ":%d", c->spd.that.host_port);
-			}
-		}
-	}
-}
-
-/* Find an existing connection for a trapped outbound packet.
- * This is attempted before we bother with gateway discovery.
- *   + this connection is routed or instance_of_routed_template
- *     (i.e. approved for on-demand)
- *   + this subnet contains our_client (or we are our_client)
- *   + that subnet contains peer_client (or peer is peer_client)
- *   + don't care about Phase 1 IDs (we don't know)
- * Note: result may still need to be instantiated.
- * The winner has the highest policy priority.
- *
- * If there are several with that priority, we give preference to
- * the first one that is an instance.
- *
- * See also build_outgoing_opportunistic_connection.
- */
-connection_t *find_connection_for_clients(struct spd_route **srp,
-										  const ip_address *our_client,
-										  const ip_address *peer_client,
-										  int transport_proto)
-{
-	connection_t *c = connections, *best = NULL;
-	policy_prio_t best_prio = BOTTOM_PRIO;
-	struct spd_route *sr;
-	struct spd_route *best_sr = NULL;
-	int our_port  = ntohs(portof(our_client));
-	int peer_port = ntohs(portof(peer_client));
-
-	passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
-#ifdef DEBUG
-	if (DBGP(DBG_CONTROL))
-	{
-		char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
-
-		addrtot(our_client, 0, ocb, sizeof(ocb));
-		addrtot(peer_client, 0, pcb, sizeof(pcb));
-		DBG_log("find_connection: "
-				"looking for policy for connection: %s:%d/%d -> %s:%d/%d"
-				, ocb, transport_proto, our_port, pcb, transport_proto, peer_port);
-	}
-#endif /* DEBUG */
-
-	for (c = connections; c != NULL; c = c->ac_next)
-	{
-		if (c->kind == CK_GROUP)
-		{
-			continue;
-		}
-
-		for (sr = &c->spd; best!=c && sr; sr = sr->next)
-		{
-			if ((routed(sr->routing) || c->instance_initiation_ok)
-			&& addrinsubnet(our_client, &sr->this.client)
-			&& addrinsubnet(peer_client, &sr->that.client)
-			&& addrinsubnet(peer_client, &sr->that.client)
-			&& (!sr->this.protocol || transport_proto == sr->this.protocol)
-			&& (!sr->this.port || our_port == sr->this.port)
-			&& (!sr->that.port || peer_port == sr->that.port))
-			{
-				char cib[CONN_INST_BUF];
-				char cib2[CONN_INST_BUF];
-
-				policy_prio_t prio = 8 * (c->prio + (c->kind == CK_INSTANCE))
-								   + 2 * (sr->this.port == our_port)
-								   + 2 * (sr->that.port == peer_port)
-								   +     (sr->this.protocol == transport_proto);
-
-#ifdef DEBUG
-				if (DBGP(DBG_CONTROL|DBG_CONTROLMORE))
-				{
-					char c_ocb[SUBNETTOT_BUF], c_pcb[SUBNETTOT_BUF];
-
-					subnettot(&c->spd.this.client, 0, c_ocb, sizeof(c_ocb));
-					subnettot(&c->spd.that.client, 0, c_pcb, sizeof(c_pcb));
-					DBG_log("find_connection: conn \"%s\"%s has compatible peers: %s->%s [pri: %ld]"
-							, c->name
-							, (fmt_conn_instance(c, cib), cib)
-							, c_ocb, c_pcb, prio);
-				}
-#endif /* DEBUG */
-
-				if (best == NULL)
-				{
-					best = c;
-					best_sr = sr;
-					best_prio = prio;
-				}
-
-				DBG(DBG_CONTROLMORE,
-					DBG_log("find_connection: "
-							"comparing best \"%s\"%s [pri:%ld]{%p} (child %s) to \"%s\"%s [pri:%ld]{%p} (child %s)"
-							, best->name
-							, (fmt_conn_instance(best, cib), cib)
-							, best_prio
-							, best
-							, (best->policy_next ? best->policy_next->name : "none")
-							, c->name
-							, (fmt_conn_instance(c, cib2), cib2)
-							, prio
-							, c
-							, (c->policy_next ? c->policy_next->name : "none")));
-
-				if (prio > best_prio)
-				{
-					best = c;
-					best_sr = sr;
-					best_prio = prio;
-				}
-			}
-		}
-	}
-
-	if (best && NEVER_NEGOTIATE(best->policy))
-	{
-		best = NULL;
-	}
-	if (srp && best)
-	{
-		*srp = best_sr;
-	}
-
-#ifdef DEBUG
-	if (DBGP(DBG_CONTROL))
-	{
-		if (best)
-		{
-			char cib[CONN_INST_BUF];
-			DBG_log("find_connection: concluding with \"%s\"%s [pri:%ld]{%p} kind=%s"
-					, best->name
-					, (fmt_conn_instance(best, cib), cib)
-					, best_prio
-					, best
-					, enum_name(&connection_kind_names, best->kind));
-		} else {
-			DBG_log("find_connection: concluding with empty");
-		}
-	}
-#endif /* DEBUG */
-
-	return best;
-}
-
-#ifdef ADNS
-
-/* Find and instantiate a connection for an outgoing Opportunistic connection.
- * We've already discovered its gateway.
- * We look for a the connection such that:
- *   + this is one of our interfaces
- *   + this subnet contains our_client (or we are our_client)
- *     (we will specialize the client).  We prefer the smallest such subnet.
- *   + that subnet contains peer_clent (we will specialize the client).
- *     We prefer the smallest such subnet.
- *   + is opportunistic
- *   + that peer is NO_IP
- *   + don't care about Phase 1 IDs (probably should be default)
- * We could look for a connection that already had the desired peer
- * (rather than NO_IP) specified, but it doesn't seem worth the
- * bother.
- *
- * We look for the routed policy applying to the narrowest subnets.
- * We only succeed if we find such a policy AND it is satisfactory.
- *
- * The body of the inner loop is a lot like that in
- * find_connection_for_clients.  In this case, we know the gateways
- * that we need to instantiate an opportunistic connection.
- */
-connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw,
-											const ip_address *our_client,
-											const ip_address *peer_client)
-{
-	struct iface *p;
-	connection_t *best = NULL;
-	struct spd_route *sr, *bestsr;
-	char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
-
-	addrtot(our_client, 0, ocb, sizeof(ocb));
-	addrtot(peer_client, 0, pcb, sizeof(pcb));
-
-	/* for each of our addresses... */
-	for (p = interfaces; p != NULL; p = p->next)
-	{
-		/* go through those connections with our address and NO_IP as hosts
-		 * We cannot know what port the peer would use, so we assume
-		 * that it is pluto_port (makes debugging easier).
-		 */
-		connection_t *c = find_host_pair_connections(&p->addr, pluto_port,
-										 (ip_address *)NULL, pluto_port);
-
-		for (; c != NULL; c = c->hp_next)
-		{
-			DBG(DBG_OPPO,
-				DBG_log("checking %s", c->name));
-			if (c->kind == CK_GROUP)
-			{
-				continue;
-			}
-
-			for (sr = &c->spd; best!=c && sr; sr = sr->next)
-			{
-				if (routed(sr->routing)
-				&& addrinsubnet(our_client, &sr->this.client)
-				&& addrinsubnet(peer_client, &sr->that.client))
-				{
-					if (best == NULL)
-					{
-						best = c;
-						break;
-					}
-
-					DBG(DBG_OPPO,
-						DBG_log("comparing best %s to %s"
-								, best->name, c->name));
-
-					for (bestsr = &best->spd; best!=c && bestsr; bestsr=bestsr->next)
-					{
-						if (!subnetinsubnet(&bestsr->this.client, &sr->this.client)
-						|| (samesubnet(&bestsr->this.client, &sr->this.client)
-							 && !subnetinsubnet(&bestsr->that.client
-												, &sr->that.client)))
-						{
-							best = c;
-						}
-					}
-				}
-			}
-		}
-	}
-
-	if (best == NULL || NEVER_NEGOTIATE(best->policy) ||
-	   (best->policy & POLICY_OPPO) == LEMPTY || best->kind != CK_TEMPLATE)
-	{
-		return NULL;
-	}
-	else
-	{
-		chunk_t encoding = gw->gw_id->get_encoding(gw->gw_id);
-		id_type_t type   = gw->gw_id->get_type(gw->gw_id);
-		ip_address ip_addr;
-
-		initaddr(encoding.ptr, encoding.len,
-				(type == ID_IPV4_ADDR) ? AF_INET : AF_INET6, &ip_addr);
-
-		return oppo_instantiate(best, &ip_addr, NULL, gw, our_client, peer_client);
-	}
-}
-
-#endif /* ADNS */
-
-bool orient(connection_t *c)
-{
-	struct spd_route *sr;
-
-	if (!oriented(*c))
-	{
-		struct iface *p;
-
-		for (sr = &c->spd; sr; sr = sr->next)
-		{
-			/* Note: this loop does not stop when it finds a match:
-			 * it continues checking to catch any ambiguity.
-			 */
-			for (p = interfaces; p != NULL; p = p->next)
-			{
-				if (p->ike_float)
-				{
-					continue;
-				}
-
-				for (;;)
-				{
-					/* check if this interface matches this end */
-					if (sameaddr(&sr->this.host_addr, &p->addr)
-						&& sr->this.host_port == pluto_port)
-					{
-						if (oriented(*c))
-						{
-							if (c->interface == p)
-								loglog(RC_LOG_SERIOUS
-									   , "both sides of \"%s\" are our interface %s!"
-									   , c->name, p->rname);
-							else
-								loglog(RC_LOG_SERIOUS, "two interfaces match \"%s\" (%s, %s)"
-									   , c->name, c->interface->rname, p->rname);
-							c->interface = NULL;        /* withdraw orientation */
-							return FALSE;
-						}
-						c->interface = p;
-					}
-
-					/* done with this interface if it doesn't match that end */
-					if (!(sameaddr(&sr->that.host_addr, &p->addr)
-						&& sr->that.host_port == pluto_port))
-						break;
-
-					/* swap ends and try again.
-					 * It is a little tricky to see that this loop will stop.
-					 * Only continue if the far side matches.
-					 * If both sides match, there is an error-out.
-					 */
-					{
-						struct end t = sr->this;
-
-						sr->this = sr->that;
-						sr->that = t;
-					}
-				}
-			}
-		}
-	}
-	return oriented(*c);
-}
-
-void initiate_connection(const char *name, int whackfd)
-{
-	connection_t *c = con_by_name(name, TRUE);
-
-	if (c && c->ikev1)
-	{
-		set_cur_connection(c);
-		if (!oriented(*c))
-		{
-			loglog(RC_ORIENT, "we have no ipsecN interface for either end of this connection");
-		}
-		else if (NEVER_NEGOTIATE(c->policy))
-		{
-			loglog(RC_INITSHUNT
-				, "cannot initiate an authby=never connection");
-		}
-		else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
-		{
-			if (isanyaddr(&c->spd.that.host_addr))
-				loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
-			else
-				loglog(RC_WILDCARD, "cannot initiate connection with ID wildcards");
-		}
-		else
-		{
-			/* do we have to prompt for a PIN code? */
-			if (c->spd.this.sc && !c->spd.this.sc->valid && whackfd != NULL_FD)
-			{
-				scx_get_pin(c->spd.this.sc, whackfd);
-			}
-			if (c->spd.this.sc && !c->spd.this.sc->valid)
-			{
-				loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
-			}
-			else
-			{
-
-				if (c->spd.that.allow_any)
-				{
-					c = instantiate(c, &c->spd.that.host_addr,
-									c->spd.that.host_port, c->spd.that.id);
-				}
-
-				/* We will only request an IPsec SA if policy isn't empty
-				 * (ignoring Main Mode items).
-				 * This is a fudge, but not yet important.
-				 * If we are to proceed asynchronously, whackfd will be NULL_FD.
-				 */
-				c->policy |= POLICY_UP;
-				ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
-				whackfd = NULL_FD;      /* protect from close */
-			}
-		}
-		reset_cur_connection();
-	}
-	close_any(whackfd);
-}
-
-/* (Possibly) Opportunistic Initiation:
- * Knowing clients (single IP addresses), try to build an tunnel.
- * This may involve discovering a gateway and instantiating an
- * Opportunistic connection.  Called when a packet is caught by
- * a %trap, or when whack --oppohere --oppothere is used.
- * It may turn out that an existing or non-opporunistic connnection
- * can handle the traffic.
- *
- * Most of the code will be restarted if an ADNS request is made
- * to discover the gateway.  The only difference between the first
- * and second entry is whether gateways_from_dns is NULL or not.
- *      initiate_opportunistic: initial entrypoint
- *      continue_oppo: where we pickup when ADNS result arrives
- *      initiate_opportunistic_body: main body shared by above routines
- *      cannot_oppo: a helper function to log a diagnostic
- * This structure repeats a lot of code when the ADNS result arrives.
- * This seems like a waste, but anything learned the first time through
- * may no longer be true!
- *
- * After the first IKE message is sent, the regular state machinery
- * carries negotiation forward.
- */
-
-enum find_oppo_step {
-	fos_start,
-	fos_myid_ip_txt,
-	fos_myid_hostname_txt,
-	fos_myid_ip_key,
-	fos_myid_hostname_key,
-	fos_our_client,
-	fos_our_txt,
-#ifdef USE_KEYRR
-	fos_our_key,
-#endif /* USE_KEYRR */
-	fos_his_client,
-	fos_done
-};
-
-#ifdef DEBUG
-static const char *const oppo_step_name[] = {
-	"fos_start",
-	"fos_myid_ip_txt",
-	"fos_myid_hostname_txt",
-	"fos_myid_ip_key",
-	"fos_myid_hostname_key",
-	"fos_our_client",
-	"fos_our_txt",
-#ifdef USE_KEYRR
-	"fos_our_key",
-#endif /* USE_KEYRR */
-	"fos_his_client",
-	"fos_done"
-};
-#endif /* DEBUG */
-
-struct find_oppo_bundle {
-	enum find_oppo_step step;
-	err_t want;
-	bool failure_ok;            /* if true, continue_oppo should not die on DNS failure */
-	ip_address our_client;      /* not pointer! */
-	ip_address peer_client;
-	int transport_proto;
-	bool held;
-	policy_prio_t policy_prio;
-	ipsec_spi_t failure_shunt;  /* in host order!  0 for delete. */
-	int whackfd;
-};
-
-struct find_oppo_continuation {
-	struct adns_continuation ac;        /* common prefix */
-	struct find_oppo_bundle b;
-};
-
-static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
-{
-	char pcb[ADDRTOT_BUF];
-	char ocb[ADDRTOT_BUF];
-
-	addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
-	addrtot(&b->our_client, 0, ocb, sizeof(ocb));
-
-	DBG(DBG_DNS | DBG_OPPO, DBG_log("Can't Opportunistically initiate for %s to %s: %s"
-		, ocb, pcb, ugh));
-
-	whack_log(RC_OPPOFAILURE
-		, "Can't Opportunistically initiate for %s to %s: %s"
-		, ocb, pcb, ugh);
-
-	if (c && c->policy_next)
-	{
-		/* there is some policy that comes afterwards */
-		struct spd_route *shunt_spd;
-		connection_t *nc = c->policy_next;
-		struct state *st;
-
-		passert(c->kind == CK_TEMPLATE);
-		passert(c->policy_next->kind == CK_PERMANENT);
-
-		DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt"
-							  , ocb, pcb, c->policy_next->name));
-
-		/*
-		 * okay, here we need add to the "next" policy, which is ought
-		 * to be an instance.
-		 * We will add another entry to the spd_route list for the specific
-		 * situation that we have.
-		 */
-
-		shunt_spd = clone_thing(nc->spd);
-
-		shunt_spd->next = nc->spd.next;
-		nc->spd.next = shunt_spd;
-
-		happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client));
-
-		if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr))
-			shunt_spd->that.has_client = FALSE;
-
-		/*
-		 * override the tunnel destination with the one from the secondaried
-		 * policy
-		 */
-		shunt_spd->that.host_addr = nc->spd.that.host_addr;
-
-		/* now, lookup the state, and poke it up.
-		 */
-
-		st = state_with_serialno(nc->newest_ipsec_sa);
-
-		/* XXX what to do if the IPSEC SA has died? */
-		passert(st != NULL);
-
-		/* link the new connection instance to the state's list of
-		 * connections
-		 */
-
-		DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s"
-							  , nc->newest_ipsec_sa
-							  , ocb, pcb));
-
-#ifdef DEBUG
-		if (DBGP(DBG_OPPO | DBG_CONTROLMORE))
-		{
-			char state_buf[LOG_WIDTH];
-			char state_buf2[LOG_WIDTH];
-			time_t n = now();
-
-			fmt_state(FALSE, st, n
-					  , state_buf, sizeof(state_buf)
-					  , state_buf2, sizeof(state_buf2));
-			DBG_log("cannot_oppo, failure SA1: %s", state_buf);
-			DBG_log("cannot_oppo, failure SA2: %s", state_buf2);
-		}
-#endif /* DEBUG */
-
-		if (!route_and_eroute(c, shunt_spd, st))
-		{
-			whack_log(RC_OPPOFAILURE
-					  , "failed to instantiate shunt policy %s for %s to %s"
-					  , c->name
-					  , ocb, pcb);
-		}
-		return;
-	}
-}
-
-static void initiate_opportunistic_body(struct find_oppo_bundle *b
-	, struct adns_continuation *ac, err_t ac_ugh);      /* forward */
-
-void initiate_opportunistic(const ip_address *our_client,
-							const ip_address *peer_client, int transport_proto,
-							bool held, int whackfd)
-{
-	struct find_oppo_bundle b;
-
-	b.want = (whackfd == NULL_FD ? "whack" : "acquire");
-	b.failure_ok = FALSE;
-	b.our_client = *our_client;
-	b.peer_client = *peer_client;
-	b.transport_proto = transport_proto;
-	b.held = held;
-	b.policy_prio = BOTTOM_PRIO;
-	b.failure_shunt = 0;
-	b.whackfd = whackfd;
-	b.step = fos_start;
-	initiate_opportunistic_body(&b, NULL, NULL);
-}
-
-#ifdef ADNS
-
-static void continue_oppo(struct adns_continuation *acr, err_t ugh)
-{
-	struct find_oppo_continuation *cr = (void *)acr;    /* inherit, damn you! */
-	connection_t *c;
-	bool was_held = cr->b.held;
-	int whackfd = cr->b.whackfd;
-
-	/* note: cr->id has no resources; cr->sgw_id is ID_ANY:
-	 * neither need freeing.
-	 */
-	whack_log_fd = whackfd;
-
-#ifdef DEBUG
-	/* if we're going to ignore the error, at least note it in debugging log */
-	if (cr->b.failure_ok && ugh)
-	{
-		DBG(DBG_CONTROL | DBG_DNS,
-			{
-				char ocb[ADDRTOT_BUF];
-				char pcb[ADDRTOT_BUF];
-
-				addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb));
-				addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb));
-				DBG_log("continuing from failed DNS lookup for %s, %s to %s: %s"
-					, cr->b.want, ocb, pcb, ugh);
-			});
-	}
-#endif
-
-	if (!cr->b.failure_ok && ugh)
-	{
-		c = find_connection_for_clients(NULL, &cr->b.our_client, &cr->b.peer_client
-			, cr->b.transport_proto);
-		cannot_oppo(c, &cr->b
-					, builddiag("%s: %s", cr->b.want, ugh));
-	}
-	else if (was_held && !cr->b.held)
-	{
-		/* was_held indicates we were started due to a %trap firing
-		 * (as opposed to a "whack --oppohere --oppothere").
-		 * Since the %hold has gone, we can assume that somebody else
-		 * has beaten us to the punch.  We can go home.  But lets log it.
-		 */
-		char ocb[ADDRTOT_BUF];
-		char pcb[ADDRTOT_BUF];
-
-		addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb));
-		addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb));
-
-		loglog(RC_COMMENT
-			, "%%hold otherwise handled during DNS lookup for Opportunistic Initiation for %s to %s"
-			, ocb, pcb);
-	}
-	else
-	{
-		initiate_opportunistic_body(&cr->b, &cr->ac, ugh);
-		whackfd = NULL_FD;      /* was handed off */
-	}
-
-	whack_log_fd = NULL_FD;
-	close_any(whackfd);
-}
-
-#endif /* ADNS */
-
-#ifdef USE_KEYRR
-static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
-							struct adns_continuation *ac)
-{
-	/* Check if KEY lookup yielded good results.
-	 * Looking up based on our ID.  Used if
-	 * client is ourself, or if TXT had no public key.
-	 * Note: if c is different this time, there is
-	 * a chance that we did the wrong query.
-	 * If so, treat as a kind of failure.
-	 */
-	enum myid_state old_myid_state = myid_state;
-	private_key_t *private;
-	err_t ugh = NULL;
-
-	myid_state = try_state;
-
-	if (old_myid_state != myid_state && old_myid_state == MYID_SPECIFIED)
-	{
-		ugh = "%myid was specified while we were guessing";
-	}
-	else if ((private = get_private_key(c)) == NULL)
-	{
-		ugh = "we don't know our own RSA key";
-	}
-	else if (!same_id(&ac->id, &c->spd.this.id))
-	{
-		ugh = "our ID changed underfoot";
-	}
-	else
-	{
-		/* Similar to code in RSA_check_signature
-		 * for checking the other side.
-		 */
-		pubkey_list_t *kr;
-
-		ugh = "no KEY RR found for us";
-		for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
-		{
-			ugh = "all our KEY RRs have the wrong public key";
-			if (kr->key->alg == PUBKEY_ALG_RSA
-			&& private->belongs_to(private, &kr->key->public_key))
-			{
-				ugh = NULL;     /* good! */
-				break;
-			}
-		}
-	}
-	if (ugh)
-	{
-		myid_state = old_myid_state;
-	}
-	return ugh;
-}
-#endif /* USE_KEYRR */
-
-#ifdef ADNS
-
-static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
-							struct adns_continuation *ac)
-{
-	/* Check if TXT lookup yielded good results.
-	 * Looking up based on our ID.  Used if
-	 * client is ourself, or if TXT had no public key.
-	 * Note: if c is different this time, there is
-	 * a chance that we did the wrong query.
-	 * If so, treat as a kind of failure.
-	 */
-	enum myid_state old_myid_state = myid_state;
-	private_key_t *private;
-	err_t ugh = NULL;
-
-	myid_state = try_state;
-
-	if (old_myid_state != myid_state
-	&& old_myid_state == MYID_SPECIFIED)
-	{
-		ugh = "%myid was specified while we were guessing";
-	}
-	else if ((private = get_private_key(c)) == NULL)
-	{
-		ugh = "we don't know our own RSA key";
-	}
-	else if (!ac->id->equals(ac->id, c->spd.this.id))
-	{
-		ugh = "our ID changed underfoot";
-	}
-	else
-	{
-		/* Similar to code in RSA_check_signature
-		 * for checking the other side.
-		 */
-		struct gw_info *gwp;
-
-		ugh = "no TXT RR found for us";
-		for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-		{
-			public_key_t *pub_key = gwp->key->public_key;
-
-			ugh = "all our TXT RRs have the wrong public key";
-			if (pub_key->get_type(pub_key) == KEY_RSA &&
-			    private->belongs_to(private, pub_key))
-			{
-				ugh = NULL;     /* good! */
-				break;
-			}
-		}
-	}
-	if (ugh)
-	{
-		myid_state = old_myid_state;
-	}
-	return ugh;
-}
-
-#endif /* ADNS */
-
-
-/* note: gateways_from_dns must be NULL iff this is the first call */
-static void initiate_opportunistic_body(struct find_oppo_bundle *b,
-										struct adns_continuation *ac,
-										err_t ac_ugh)
-{
-	connection_t *c;
-	struct spd_route *sr;
-
-	/* What connection shall we use?
-	 * First try for one that explicitly handles the clients.
-	 */
-	DBG(DBG_CONTROL,
-		{
-			char ours[ADDRTOT_BUF];
-			char his[ADDRTOT_BUF];
-			int ourport;
-			int hisport;
-
-			addrtot(&b->our_client, 0, ours, sizeof(ours));
-			addrtot(&b->peer_client, 0, his, sizeof(his));
-			ourport = ntohs(portof(&b->our_client));
-			hisport = ntohs(portof(&b->peer_client));
-			DBG_log("initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s"
-				, ours, ourport, his, hisport, b->transport_proto
-				, oppo_step_name[b->step], b->want);
-		});
-	if (isanyaddr(&b->our_client) || isanyaddr(&b->peer_client))
-	{
-		cannot_oppo(NULL, b, "impossible IP address");
-	}
-	else if ((c = find_connection_for_clients(&sr
-											  , &b->our_client
-											  , &b->peer_client
-											  , b->transport_proto)) == NULL)
-	{
-		/* No connection explicitly handles the clients and there
-		 * are no Opportunistic connections -- whine and give up.
-		 * The failure policy cannot be gotten from a connection; we pick %pass.
-		 */
-		cannot_oppo(NULL, b, "no routed Opportunistic template covers this pair");
-	}
-	else if (c->kind != CK_TEMPLATE)
-	{
-		/* We've found a connection that can serve.
-		 * Do we have to initiate it?
-		 * Not if there is currently an IPSEC SA.
-		 * But if there is an IPSEC SA, then the kernel would not
-		 * have generated the acquire.  So we assume that there isn't one.
-		 * This may be redundant if a non-opportunistic
-		 * negotiation is already being attempted.
-		 */
-
-		/* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
-
-		if(c->kind == CK_INSTANCE)
-		{
-			char cib[CONN_INST_BUF];
-			/* there is already an instance being negotiated, no nothing */
-			DBG(DBG_CONTROL, DBG_log("found existing instance \"%s\"%s, rekeying it"
-									 , c->name
-									 , (fmt_conn_instance(c, cib), cib)));
-			/* XXX-mcr - return; */
-		}
-
-		/* otherwise, there is some kind of static conn that can handle
-		 * this connection, so we initiate it */
-
-		if (b->held)
-		{
-			/* what should we do on failure? */
-			(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
-		}
-		ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
-		b->whackfd = NULL_FD;   /* protect from close */
-	}
-#ifdef ADNS
-	else
-	{
-		/* We are handling an opportunistic situation.
-		 * This involves several DNS lookup steps that require suspension.
-		 * Note: many facts might change while we're suspended.
-		 * Here be dragons.
-		 *
-		 * The first chunk of code handles the result of the previous
-		 * DNS query (if any).  It also selects the kind of the next step.
-		 * The second chunk initiates the next DNS query (if any).
-		 */
-		enum find_oppo_step next_step = fos_myid_ip_txt;
-		err_t ugh = ac_ugh;
-		char mycredentialstr[BUF_LEN];
-		char cib[CONN_INST_BUF];
-
-		DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s",
-								 c->name, (fmt_conn_instance(c, cib), cib)));
-		snprintf(mycredentialstr, BUF_LEN, "%Y", sr->this.id);
-
-		/* handle any DNS answer; select next step */
-		switch (b->step)
-		{
-		case fos_start:
-			/* just starting out: select first query step */
-			next_step = fos_myid_ip_txt;
-			break;
-
-		case fos_myid_ip_txt:   /* TXT for our default IP address as %myid */
-			ugh = check_txt_recs(MYID_IP, c, ac);
-			if (ugh)
-			{
-				/* cannot use our IP as OE identitiy for initiation */
-				DBG(DBG_OPPO,
-					DBG_log("can not use our IP (%Y:TXT) as identity: %s",
-							myids[MYID_IP], ugh));
-				if (!logged_myid_ip_txt_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"can not use our IP (%Y:TXT) as identity: %s",
-							myids[MYID_IP], ugh);
-					logged_myid_ip_txt_warning = TRUE;
-				}
-
-				next_step = fos_myid_hostname_txt;
-				ugh = NULL;     /* failure can be recovered from */
-			}
-			else
-			{
-				/* we can use our IP as OE identity for initiation */
-				if (!logged_myid_ip_txt_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"using our IP (%Y:TXT) as identity!",
-							myids[MYID_IP]);
-					logged_myid_ip_txt_warning = TRUE;
-				}
-
-				next_step = fos_our_client;
-			}
-			break;
-
-		case fos_myid_hostname_txt:     /* TXT for our hostname as %myid */
-			ugh = check_txt_recs(MYID_HOSTNAME, c, ac);
-			if (ugh)
-			{
-				/* cannot use our hostname as OE identitiy for initiation */
-				DBG(DBG_OPPO,
-					DBG_log("can not use our hostname (%Y:TXT) as identity: %s",
-							myids[MYID_HOSTNAME], ugh));
-				if (!logged_myid_fqdn_txt_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"can not use our hostname (%Y:TXT) as identity: %s",
-							myids[MYID_HOSTNAME], ugh);
-					logged_myid_fqdn_txt_warning = TRUE;
-				}
-#ifdef USE_KEYRR
-				next_step = fos_myid_ip_key;
-				ugh = NULL;     /* failure can be recovered from */
-#endif
-			}
-			else
-			{
-				/* we can use our hostname as OE identity for initiation */
-				if (!logged_myid_fqdn_txt_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"using our hostname (%Y:TXT) as identity!",
-							myids[MYID_HOSTNAME]);
-					logged_myid_fqdn_txt_warning = TRUE;
-				}
-				next_step = fos_our_client;
-			}
-			break;
-
-#ifdef USE_KEYRR
-		case fos_myid_ip_key:   /* KEY for our default IP address as %myid */
-			ugh = check_key_recs(MYID_IP, c, ac);
-			if (ugh)
-			{
-				/* cannot use our IP as OE identitiy for initiation */
-				DBG(DBG_OPPO,
-					DBG_log("can not use our IP (%Y:KEY) as identity: %s",
-							myids[MYID_IP], ugh));
-				if (!logged_myid_ip_key_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"can not use our IP (%Y:KEY) as identity: %s",
-							myids[MYID_IP], ugh);
-					logged_myid_ip_key_warning = TRUE;
-				}
-
-				next_step = fos_myid_hostname_key;
-				ugh = NULL;     /* failure can be recovered from */
-			}
-			else
-			{
-				/* we can use our IP as OE identity for initiation */
-				if (!logged_myid_ip_key_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"using our IP (%Y:KEY) as identity!",
-							myids[MYID_IP]);
-					logged_myid_ip_key_warning = TRUE;
-				}
-				next_step = fos_our_client;
-			}
-			break;
-
-		case fos_myid_hostname_key:     /* KEY for our hostname as %myid */
-			ugh = check_key_recs(MYID_HOSTNAME, c, ac);
-			if (ugh)
-			{
-				/* cannot use our IP as OE identitiy for initiation */
-				DBG(DBG_OPPO,
-					DBG_log("can not use our hostname (%Y:KEY) as identity: %s",
-							myids[MYID_HOSTNAME], ugh));
-				if (!logged_myid_fqdn_key_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"can not use our hostname (%Y:KEY) as identity: %s",
-							myids[MYID_HOSTNAME], ugh);
-					logged_myid_fqdn_key_warning = TRUE;
-				}
-				next_step = fos_myid_hostname_key;
-				ugh = NULL;     /* failure can be recovered from */
-			}
-			else
-			{
-				/* we can use our IP as OE identity for initiation */
-				if (!logged_myid_fqdn_key_warning)
-				{
-					loglog(RC_LOG_SERIOUS,
-							"using our hostname (%Y:KEY) as identity!",
-							myids[MYID_HOSTNAME]);
-					logged_myid_fqdn_key_warning = TRUE;
-				}
-				next_step = fos_our_client;
-			}
-			break;
-#endif
-
-		case fos_our_client:    /* TXT for our client */
-			{
-				/* Our client is not us: we must check the TXT records.
-				 * Note: if c is different this time, there is
-				 * a chance that we did the wrong query.
-				 * If so, treat as a kind of failure.
-				 */
-				private_key_t *private = get_private_key(c);
-
-				next_step = fos_his_client;     /* normal situation */
-
-				if (private == NULL)
-				{
-					ugh = "we don't know our own RSA key";
-				}
-				else if (sameaddr(&sr->this.host_addr, &b->our_client))
-				{
-					/* this wasn't true when we started -- bail */
-					ugh = "our IP address changed underfoot";
-				}
-				else if (!ac->sgw_id->equals(ac->sgw_id, sr->this.id))
-				{
-					/* this wasn't true when we started -- bail */
-					ugh = "our ID changed underfoot";
-				}
-				else
-				{
-					/* Similar to code in quick_inI1_outR1_tail
-					 * for checking the other side.
-					 */
-					struct gw_info *gwp;
-
-					ugh = "no TXT RR for our client delegates us";
-					for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-					{
-						ugh = "TXT RR for our client has wrong key";
-						/* If there is a key from the TXT record,
-						 * we count it as a win if we match the key.
-						 * If there was no key, we have a tentative win:
-						 * we need to check our KEY record to be sure.
-						 */
-						if (!gwp->gw_key_present)
-						{
-							/* Success, but the TXT had no key
-							 * so we must check our our own KEY records.
-							 */
-							next_step = fos_our_txt;
-							ugh = NULL; /* good! */
-							break;
-						}
-						if (private->belongs_to(private, gwp->key->public_key))
-						{
-							ugh = NULL; /* good! */
-							break;
-						}
-					}
-				}
-			}
-			break;
-
-		case fos_our_txt:       /* TXT for us */
-			{
-				/* Check if TXT lookup yielded good results.
-				 * Looking up based on our ID.  Used if
-				 * client is ourself, or if TXT had no public key.
-				 * Note: if c is different this time, there is
-				 * a chance that we did the wrong query.
-				 * If so, treat as a kind of failure.
-				 */
-				private_key_t *private = get_private_key(c);
-
-				next_step = fos_his_client;     /* unless we decide to look for KEY RR */
-
-				if (private == NULL)
-				{
-					ugh = "we don't know our own RSA key";
-				}
-				else if (!ac->id->equals(ac->id, c->spd.this.id))
-				{
-					ugh = "our ID changed underfoot";
-				}
-				else
-				{
-					/* Similar to code in RSA_check_signature
-					 * for checking the other side.
-					 */
-					struct gw_info *gwp;
-
-					ugh = "no TXT RR for us";
-					for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-					{
-						ugh = "TXT RR for us has wrong key";
-						if (gwp->gw_key_present &&
-							private->belongs_to(private, gwp->key->public_key))
-						{
-							DBG(DBG_CONTROL,
-								DBG_log("initiate on demand found TXT with right public key at: %s"
-										, mycredentialstr));
-							ugh = NULL;
-							break;
-						}
-					}
-#ifdef USE_KEYRR
-					if (ugh)
-					{
-						/* if no TXT with right key, try KEY */
-						DBG(DBG_CONTROL,
-							DBG_log("will try for KEY RR since initiate on demand found %s: %s"
-									, ugh, mycredentialstr));
-						next_step = fos_our_key;
-						ugh = NULL;
-					}
-#endif
-				}
-			}
-			break;
-
-#ifdef USE_KEYRR
-		case fos_our_key:       /* KEY for us */
-			{
-				/* Check if KEY lookup yielded good results.
-				 * Looking up based on our ID.  Used if
-				 * client is ourself, or if TXT had no public key.
-				 * Note: if c is different this time, there is
-				 * a chance that we did the wrong query.
-				 * If so, treat as a kind of failure.
-				 */
-				private_key_t *private = get_private_key(c);
-
-				next_step = fos_his_client;     /* always */
-
-				if (private == NULL)
-				{
-					ugh = "we don't know our own RSA key";
-				}
-				else if (!same_id(&ac->id, &c->spd.this.id))
-				{
-					ugh = "our ID changed underfoot";
-				}
-				else
-				{
-					/* Similar to code in RSA_check_signature
-					 * for checking the other side.
-					 */
-					pubkey_list_t *kr;
-
-					ugh = "no KEY RR found for us (and no good TXT RR)";
-					for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
-					{
-						ugh = "all our KEY RRs have the wrong public key (and no good TXT RR)";
-						if (kr->key->alg == PUBKEY_ALG_RSA
-						&& private->belongs_to(private, kr->key->public_key))
-						{
-							/* do this only once a day */
-							if (!logged_txt_warning)
-							{
-								loglog(RC_LOG_SERIOUS
-									   , "found KEY RR but not TXT RR for %s. See http://www.freeswan.org/err/txt-change.html."
-									   , mycredentialstr);
-								logged_txt_warning = TRUE;
-							}
-							ugh = NULL; /* good! */
-							break;
-						}
-					}
-				}
-			}
-			break;
-#endif /* USE_KEYRR */
-
-		case fos_his_client:    /* TXT for his client */
-			{
-				/* We've finished last DNS queries: TXT for his client.
-				 * Using the information, try to instantiate a connection
-				 * and start negotiating.
-				 * We now know the peer.  The chosing of "c" ignored this,
-				 * so we will disregard its current value.
-				 * !!! We need to randomize the entry in gw that we choose.
-				 */
-				next_step = fos_done;   /* no more queries */
-
-				c = build_outgoing_opportunistic_connection(ac->gateways_from_dns
-															, &b->our_client
-															, &b->peer_client);
-
-				if (c == NULL)
-				{
-					/* We cannot seem to instantiate a suitable connection:
-					 * complain clearly.
-					 */
-					char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
-
-					addrtot(&b->our_client, 0, ocb, sizeof(ocb));
-					addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
-					loglog(RC_OPPOFAILURE,
-							"no suitable connection for opportunism "
-							"between %s and %s with %Y as peer",
-							 ocb, pcb, ac->gateways_from_dns->gw_id);
-				}
-				else
-				{
-					/* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
-					passert(c->kind == CK_INSTANCE);
-					passert(c->gw_info != NULL);
-					passert(HAS_IPSEC_POLICY(c->policy));
-					passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
-					if (b->held)
-					{
-						/* what should we do on failure? */
-						(void) assign_hold(c, &c->spd
-										   , b->transport_proto
-										   , &b->our_client, &b->peer_client);
-					}
-					c->gw_info->key->last_tried_time = now();
-					ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
-					b->whackfd = NULL_FD;       /* protect from close */
-				}
-			}
-			break;
-
-		default:
-			bad_case(b->step);
-		}
-
-		/* the second chunk: initiate the next DNS query (if any) */
-		DBG(DBG_CONTROL,
-		{
-			char ours[ADDRTOT_BUF];
-			char his[ADDRTOT_BUF];
-
-			addrtot(&b->our_client, 0, ours, sizeof(ours));
-			addrtot(&b->peer_client, 0, his, sizeof(his));
-			DBG_log("initiate on demand from %s to %s new state: %s with ugh: %s"
-					, ours, his, oppo_step_name[b->step], ugh ? ugh : "ok");
-		});
-
-		if (ugh)
-		{
-			b->policy_prio = c->prio;
-			b->failure_shunt = shunt_policy_spi(c, FALSE);
-			cannot_oppo(c, b, ugh);
-		}
-		else if (next_step == fos_done)
-		{
-			/* nothing to do */
-		}
-		else
-		{
-			/* set up the next query */
-			struct find_oppo_continuation *cr = malloc_thing(struct find_oppo_continuation);
-			identification_t *id;
-
-			b->policy_prio = c->prio;
-			b->failure_shunt = shunt_policy_spi(c, FALSE);
-			cr->b = *b; /* copy; start hand off of whackfd */
-			cr->b.failure_ok = FALSE;
-			cr->b.step = next_step;
-
-			for (sr = &c->spd
-			; sr!=NULL && !sameaddr(&sr->this.host_addr, &b->our_client)
-			; sr = sr->next)
-				;
-
-			if (sr == NULL)
-				sr = &c->spd;
-
-			/* If a %hold shunt has replaced the eroute for this template,
-			 * record this fact.
-			 */
-			if (b->held
-			&& sr->routing == RT_ROUTED_PROSPECTIVE && eclipsable(sr))
-			{
-				sr->routing = RT_ROUTED_ECLIPSED;
-				eclipse_count++;
-			}
-
-			/* Switch to issue next query.
-			 * A case may turn out to be unnecessary.  If so, it falls
-			 * through to the next case.
-			 * Figuring out what %myid can stand for must be done before
-			 * our client credentials are looked up: we must know what
-			 * the client credentials may use to identify us.
-			 * On the other hand, our own credentials should be looked
-			 * up after our clients in case our credentials are not
-			 * needed at all.
-			 * XXX this is a wasted effort if we don't have credentials
-			 * BUT they are not needed.
-			 */
-			switch (next_step)
-			{
-			case fos_myid_ip_txt:
-				if (c->spd.this.id->get_type(c->spd.this.id) == ID_MYID
-				&& myid_state != MYID_SPECIFIED)
-				{
-					cr->b.failure_ok = TRUE;
-					cr->b.want = b->want = "TXT record for IP address as %myid";
-					ugh = start_adns_query(myids[MYID_IP], myids[MYID_IP],
-										   T_TXT, continue_oppo, &cr->ac);
-					break;
-				}
-				cr->b.step = fos_myid_hostname_txt;
-				/* fall through */
-
-			case fos_myid_hostname_txt:
-				if (c->spd.this.id->get_type(c->spd.this.id) == ID_MYID
-				&& myid_state != MYID_SPECIFIED)
-				{
-#ifdef USE_KEYRR
-					cr->b.failure_ok = TRUE;
-#else
-					cr->b.failure_ok = FALSE;
-#endif
-					cr->b.want = b->want = "TXT record for hostname as %myid";
-					ugh = start_adns_query(myids[MYID_HOSTNAME],
-										   myids[MYID_HOSTNAME],
-										   T_TXT, continue_oppo, &cr->ac);
-					break;
-				}
-
-#ifdef USE_KEYRR
-				cr->b.step = fos_myid_ip_key;
-				/* fall through */
-
-			case fos_myid_ip_key:
-				if (c->spd.this.id.kind == ID_MYID
-				&& myid_state != MYID_SPECIFIED)
-				{
-					cr->b.failure_ok = TRUE;
-					cr->b.want = b->want = "KEY record for IP address as %myid (no good TXT)";
-					ugh = start_adns_query(myids[MYID_IP], NULL, /* security gateway meaningless */
-										   T_KEY, continue_oppo, &cr->ac);
-					break;
-				}
-				cr->b.step = fos_myid_hostname_key;
-				/* fall through */
-
-			case fos_myid_hostname_key:
-				if (c->spd.this.id.kind == ID_MYID
-				&& myid_state != MYID_SPECIFIED)
-				{
-					cr->b.failure_ok = FALSE;           /* last attempt! */
-					cr->b.want = b->want = "KEY record for hostname as %myid (no good TXT)";
-					ugh = start_adns_query(myids[MYID_HOSTNAME], NULL, /* security gateway meaningless */
-										   T_KEY, continue_oppo, &cr->ac);
-					break;
-				}
-#endif
-				cr->b.step = fos_our_client;
-				/* fall through */
-
-			case fos_our_client:        /* TXT for our client */
-				if (!sameaddr(&c->spd.this.host_addr, &b->our_client))
-				{
-					/* Check that at least one TXT(reverse(b->our_client)) is workable.
-					 * Note: {unshare|free}_id_content not needed for id: ephemeral.
-					 */
-					cr->b.want = b->want = "our client's TXT record";
-					id = identification_create_from_sockaddr((sockaddr_t*)&b->our_client);
-					ugh = start_adns_query(id, c->spd.this.id, /* we are the security gateway */
-										   T_TXT, continue_oppo, &cr->ac);
-					id->destroy(id);
-					break;
-				}
-				cr->b.step = fos_our_txt;
-				/* fall through */
-
-			case fos_our_txt:   /* TXT for us */
-				cr->b.failure_ok = b->failure_ok = TRUE;
-				cr->b.want = b->want = "our TXT record";
-				ugh = start_adns_query(sr->this.id, sr->this.id, /* we are the security gateway */
-									   T_TXT, continue_oppo, &cr->ac);
-				break;
-
-#ifdef USE_KEYRR
-			case fos_our_key:   /* KEY for us */
-				cr->b.want = b->want = "our KEY record";
-				cr->b.failure_ok = b->failure_ok = FALSE;
-				ugh = start_adns_query(sr->this.id, NULL,  /* security gateway meaningless */
-									   T_KEY, continue_oppo, &cr->ac);
-				break;
-#endif /* USE_KEYRR */
-
-			case fos_his_client:        /* TXT for his client */
-				/* note: {unshare|free}_id_content not needed for id: ephemeral */
-				cr->b.want = b->want = "target's TXT record";
-				cr->b.failure_ok = b->failure_ok = FALSE;
-				id = identification_create_from_sockaddr((sockaddr_t*)&b->peer_client);
-				ugh = start_adns_query(id, NULL, /* security gateway unconstrained */
-									   T_TXT, continue_oppo, &cr->ac);
-				id->destroy(id);
-				break;
-
-			default:
-				bad_case(next_step);
-			}
-
-			if (ugh == NULL)
-				b->whackfd = NULL_FD;   /* complete hand-off */
-			else
-				cannot_oppo(c, b, ugh);
-		}
-	}
-#endif /* ADNS */
-	close_any(b->whackfd);
-}
-
-void terminate_connection(const char *nm)
-{
-	/* Loop because more than one may match (master and instances)
-	 * But at least one is required (enforced by con_by_name).
-	 */
-	connection_t *c = con_by_name(nm, TRUE);
-
-	if (c == NULL || !c->ikev1)
-		return;
-
-	do
-	{
-		connection_t *n = c->ac_next;  /* grab this before c might disappear */
-
-		if (streq(c->name, nm)
-		&& c->kind >= CK_PERMANENT
-		&& !NEVER_NEGOTIATE(c->policy))
-		{
-			set_cur_connection(c);
-			plog("terminating SAs using this connection");
-			c->policy &= ~POLICY_UP;
-			flush_pending_by_connection(c);
-			delete_states_by_connection(c, FALSE);
-			if (c->kind == CK_INSTANCE)
-				delete_connection(c, FALSE);
-			reset_cur_connection();
-		}
-		c = n;
-	} while (c);
-}
-
-/* an ISAKMP SA has been established.
- * Note the serial number, and release any connections with
- * the same peer ID but different peer IP address.
- */
-bool uniqueIDs = FALSE; /* --uniqueids? */
-
-void ISAKMP_SA_established(connection_t *c, so_serial_t serial)
-{
-	c->newest_isakmp_sa = serial;
-
-	/* the connection is now oriented so that we are able to determine
-	 * whether we are a mode config server with a virtual IP to send.
-	 */
-	if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip) &&
-	    !c->spd.that.has_natip)
-	{
-		c->spd.that.modecfg = TRUE;
-	}
-
-	if (uniqueIDs)
-	{
-		/* for all connections: if the same Phase 1 IDs are used
-		 * for a different IP address, unorient that connection.
-		 */
-		connection_t *d;
-
-		for (d = connections; d != NULL; )
-		{
-			connection_t *next = d->ac_next;       /* might move underneath us */
-
-			if (d->kind >= CK_PERMANENT &&
-				c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) &&
-				c->spd.that.id->equals(c->spd.that.id, d->spd.that.id) &&
-				!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
-			{
-				release_connection(d, FALSE);
-			}
-			d = next;
-		}
-	}
-}
-
-/* Find the connection to connection c's peer's client with the
- * largest value of .routing.  All other things being equal,
- * preference is given to c.  If none is routed, return NULL.
- *
- * If erop is non-null, set *erop to a connection sharing both
- * our client subnet and peer's client subnet with the largest value
- * of .routing.  If none is erouted, set *erop to NULL.
- *
- * The return value is used to find other connections sharing a route.
- * *erop is used to find other connections sharing an eroute.
- */
-connection_t *route_owner(connection_t *c, struct spd_route **srp,
-						  connection_t **erop, struct spd_route **esrp)
-{
-	connection_t *d
-		, *best_ro = c
-		, *best_ero = c;
-	struct spd_route *srd, *src;
-	struct spd_route *best_sr, *best_esr;
-	enum routing_t best_routing, best_erouting;
-
-	passert(oriented(*c));
-	best_sr  = NULL;
-	best_esr = NULL;
-	best_routing = c->spd.routing;
-	best_erouting = best_routing;
-
-	for (d = connections; d != NULL; d = d->ac_next)
-	{
-		for (srd = &d->spd; srd; srd = srd->next)
-		{
-			if (srd->routing == RT_UNROUTED)
-				continue;
-
-			for (src = &c->spd; src; src=src->next)
-			{
-				if (!samesubnet(&src->that.client, &srd->that.client))
-				{
-					continue;
-				}
-				if (src->that.protocol != srd->that.protocol)
-				{
-					continue;
-				}
-				if (src->that.port != srd->that.port)
-				{
-					continue;
-				}
-				if (src->mark_out.value != srd->mark_out.value)
-				{
-					continue;
-				}
-				passert(oriented(*d));
-				if (srd->routing > best_routing)
-				{
-					best_ro = d;
-					best_sr = srd;
-					best_routing = srd->routing;
-				}
-
-				if (!samesubnet(&src->this.client, &srd->this.client))
-				{
-					continue;
-				}
-				if (src->this.protocol != srd->this.protocol)
-				{
-					continue;
-				}
-				if (src->this.port != srd->this.port)
-				{
-					continue;
-				}
-				if (src->mark_in.value != srd->mark_in.value)
-				{
-					continue;
-				}
-				if (srd->routing > best_erouting)
-				{
-					best_ero = d;
-					best_esr = srd;
-					best_erouting = srd->routing;
-				}
-			}
-		}
-	}
-
-	DBG(DBG_CONTROL,
-		{
-			char cib[CONN_INST_BUF];
-			err_t m = builddiag("route owner of \"%s\"%s %s:"
-				, c->name
-				, (fmt_conn_instance(c, cib), cib)
-				, enum_name(&routing_story, c->spd.routing));
-
-			if (!routed(best_ro->spd.routing))
-				m = builddiag("%s NULL", m);
-			else if (best_ro == c)
-				m = builddiag("%s self", m);
-			else
-				m = builddiag("%s \"%s\"%s %s", m
-					, best_ro->name
-					, (fmt_conn_instance(best_ro, cib), cib)
-					, enum_name(&routing_story, best_ro->spd.routing));
-
-			if (erop)
-			{
-				m = builddiag("%s; eroute owner:", m);
-				if (!erouted(best_ero->spd.routing))
-					m = builddiag("%s NULL", m);
-				else if (best_ero == c)
-					m = builddiag("%s self", m);
-				else
-					m = builddiag("%s \"%s\"%s %s", m
-						, best_ero->name
-						, (fmt_conn_instance(best_ero, cib), cib)
-						, enum_name(&routing_story, best_ero->spd.routing));
-			}
-
-			DBG_log("%s", m);
-		});
-
-	if (erop)
-	{
-		*erop = erouted(best_erouting)? best_ero : NULL;
-	}
-	if (srp)
-	{
-		*srp = best_sr;
-		if (esrp)
-		{
-			*esrp = best_esr;
-		}
-	}
-
-	return routed(best_routing)? best_ro : NULL;
-}
-
-/* Find a connection that owns the shunt eroute between subnets.
- * There ought to be only one.
- * This might get to be a bottleneck -- try hashing if it does.
- */
-connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his)
-{
-	connection_t *c;
-	struct spd_route *sr;
-
-	for (c = connections; c != NULL; c = c->ac_next)
-	{
-		for (sr = &c->spd; sr; sr = sr->next)
-		{
-			if (shunt_erouted(sr->routing)
-			&& samesubnet(ours, &sr->this.client)
-			&& samesubnet(his, &sr->that.client))
-				return c;
-		}
-	}
-	return NULL;
-}
-
-/* Find some connection with this pair of hosts.
- * We don't know enough to chose amongst those available.
- * ??? no longer usefully different from find_host_pair_connections
- */
-connection_t *find_host_connection(const ip_address *me, u_int16_t my_port,
-								   const ip_address *him, u_int16_t his_port,
-								   lset_t policy)
-{
-	connection_t *c = find_host_pair_connections(me, my_port, him, his_port);
-
-	if (policy != LEMPTY)
-	{
-		lset_t auth_requested  = policy & POLICY_ID_AUTH_MASK;
-
-		/* if we have requirements for the policy,
-		 * choose the first matching connection.
-		 */
-		while (c)
-		{
-			if (c->policy & auth_requested)
-			{
-				break;
-			}
-			c = c->hp_next;
-		}
-	}
-	return c;
-}
-
-/* given an up-until-now satisfactory connection, find the best connection
- * now that we just got the Phase 1 Id Payload from the peer.
- *
- * Comments in the code describe the (tricky!) matching criteria.
- * Although this routine could handle the initiator case,
- * it isn't currently called in this case.
- * If it were, it could "upgrade" an Opportunistic Connection
- * to a Road Warrior Connection if a suitable Peer ID were found.
- *
- * In RFC 2409 "The Internet Key Exchange (IKE)",
- * in 5.1 "IKE Phase 1 Authenticated With Signatures", describing Main
- * Mode:
- *
- *         Initiator                          Responder
- *        -----------                        -----------
- *         HDR, SA                     -->
- *                                     <--    HDR, SA
- *         HDR, KE, Ni                 -->
- *                                     <--    HDR, KE, Nr
- *         HDR*, IDii, [ CERT, ] SIG_I -->
- *                                     <--    HDR*, IDir, [ CERT, ] SIG_R
- *
- * In 5.4 "Phase 1 Authenticated With a Pre-Shared Key":
- *
- *               HDR, SA             -->
- *                                   <--    HDR, SA
- *               HDR, KE, Ni         -->
- *                                   <--    HDR, KE, Nr
- *               HDR*, IDii, HASH_I  -->
- *                                   <--    HDR*, IDir, HASH_R
- *
- * refine_host_connection could be called in two case:
- *
- * - the Responder receives the IDii payload:
- *   + [PSK] after using PSK to decode this message
- *   + before sending its IDir payload
- *   + before using its ID in HASH_R computation
- *   + [DSig] before using its private key to sign SIG_R
- *   + before using the Initiator's ID in HASH_I calculation
- *   + [DSig] before using the Initiator's public key to check SIG_I
- *
- * - the Initiator receives the IDir payload:
- *   + [PSK] after using PSK to encode previous message and decode this message
- *   + after sending its IDii payload
- *   + after using its ID in HASH_I computation
- *   + [DSig] after using its private key to sign SIG_I
- *   + before using the Responder's ID to compute HASH_R
- *   + [DSig] before using Responder's public key to check SIG_R
- *
- * refine_host_connection can choose a different connection, as long as
- * nothing already used is changed.
- *
- * In the Initiator case, the particular connection might have been
- * specified by whatever provoked Pluto to initiate.  For example:
- *      whack --initiate connection-name
- * The advantages of switching connections when we're the Initiator seem
- * less important than the disadvantages, so after FreeS/WAN 1.9, we
- * don't do this.
- */
-#define PRIO_NO_MATCH_FOUND     2048
-
-connection_t *refine_host_connection(const struct state *st,
-									 identification_t *peer_id,
-									 identification_t *peer_ca)
-{
-	connection_t *c = st->st_connection;
-	connection_t *d;
-	connection_t *best_found = NULL;
-	u_int16_t auth = st->st_oakley.auth;
-	lset_t auth_policy = POLICY_PSK;
-	const chunk_t *psk = NULL;
-	bool wcpip; /* wildcard Peer IP? */
-	int best_prio = PRIO_NO_MATCH_FOUND;
-	int our_pathlen, peer_pathlen;
-
-	if (c->spd.that.id->equals(c->spd.that.id, peer_id) &&
-		trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen) &&
-		peer_pathlen == 0 &&
-		match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen) &&
-		our_pathlen == 0)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("current connection is a full match"
-					" -- no need to look further");
-		)
-		return c;
-	}
-
-	switch (auth)
-	{
-	case OAKLEY_PRESHARED_KEY:
-		auth_policy = POLICY_PSK;
-		psk = get_preshared_secret(c);
-		/* It should be virtually impossible to fail to find PSK:
-		 * we just used it to decode the current message!
-		 */
-		if (psk == NULL)
-		{
-			return NULL;        /* cannot determine PSK! */
-		}
-		break;
-	case XAUTHInitPreShared:
-	case XAUTHRespPreShared:
-		auth_policy = POLICY_XAUTH_PSK;
-		psk = get_preshared_secret(c);
-		if (psk == NULL)
-		{
-			return NULL;        /* cannot determine PSK! */
-		}
-		break;
-	case OAKLEY_RSA_SIG:
-	case OAKLEY_ECDSA_256:
-	case OAKLEY_ECDSA_384:
-	case OAKLEY_ECDSA_521:
-		auth_policy = POLICY_PUBKEY;
-		break;
-	case XAUTHInitRSA:
-	case XAUTHRespRSA:
-		auth_policy = POLICY_XAUTH_RSASIG;
-		break;
-	default:
-		bad_case(auth);
-	}
-
-	/* The current connection won't do: search for one that will.
-	 * First search for one with the same pair of hosts.
-	 * If that fails, search for a suitable Road Warrior or Opportunistic
-	 * connection (i.e. wildcard peer IP).
-	 * We need to match:
-	 * - peer_id (slightly complicated by instantiation)
-	 * - if PSK auth, the key must not change (we used it to decode message)
-	 * - policy-as-used must be acceptable to new connection
-	 */
-	d = c->host_pair->connections;
-	for (wcpip = FALSE; ; wcpip = TRUE)
-	{
-		for (; d != NULL; d = d->hp_next)
-		{
-			const char *match_name[] = {"no", "ok"};
-
-			id_match_t match_level = peer_id->matches(peer_id, d->spd.that.id);
-
-			bool matching_id = match_level > ID_MATCH_NONE;
-
-			bool matching_auth = (d->policy & auth_policy) != LEMPTY;
-
-			bool matching_trust = trusted_ca(peer_ca
-										, d->spd.that.ca, &peer_pathlen);
-			bool matching_request = match_requested_ca(c->requested_ca
-										, d->spd.this.ca, &our_pathlen);
-			bool match = matching_id && matching_auth && matching_trust;
-
-			int prio = (ID_MATCH_PERFECT) * !matching_request +
-						ID_MATCH_PERFECT - match_level;
-
-			prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen;
-			prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen;
-
-			DBG(DBG_CONTROLMORE,
-				DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)"
-					, d->name
-					, match ? "full":" no"
-					, match_name[matching_id]
-					, match_name[matching_auth]
-					, match_name[matching_trust]
-					, match_name[matching_request]
-					, match ? prio:PRIO_NO_MATCH_FOUND)
-			)
-
-			/* do we have a match? */
-			if (!match)
-			{
-				continue;
-			}
-
-			/* ignore group connections */
-			if (d->policy & POLICY_GROUP)
-			{
-				continue;
-			}
-
-			if (c->spd.that.host_port != d->spd.that.host_port
-			&& d->kind == CK_INSTANCE)
-			{
-				continue;
-			}
-
-			switch (auth)
-			{
-			case OAKLEY_PRESHARED_KEY:
-			case XAUTHInitPreShared:
-			case XAUTHRespPreShared:
-				/* secret must match the one we already used */
-				{
-					const chunk_t *dpsk = get_preshared_secret(d);
-
-					if (dpsk == NULL)
-					{
-						continue;       /* no secret */
-					}
-					if (psk != dpsk)
-					{
-						if (psk->len != dpsk->len
-						|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
-						{
-							continue;   /* different secret */
-						}
-					}
-				}
-				break;
-
-			case OAKLEY_RSA_SIG:
-			case OAKLEY_ECDSA_256:
-			case OAKLEY_ECDSA_384:
-			case OAKLEY_ECDSA_521:
-			case XAUTHInitRSA:
-			case XAUTHRespRSA:
-				/*
-				 * We must at least be able to find our private key
-				.*/
-				if (d->spd.this.sc == NULL              /* no smartcard */
-				&& get_private_key(d) == NULL)      /* no private key */
-				{
-					continue;
-				}
-				break;
-
-			default:
-				bad_case(auth);
-			}
-
-			/* d has passed all the tests.
-			 * We'll go with it if the Peer ID was an exact match.
-			 */
-			if (prio == 0)
-			{
-				return d;
-			}
-
-			/* We'll remember it as best_found in case an exact
-			 * match doesn't come along.
-			 */
-			if (prio < best_prio)
-			{
-				best_found = d;
-				best_prio = prio;
-			}
-		}
-		if (wcpip)
-			return best_found;  /* been around twice already */
-
-		/* Starting second time around.
-		 * We're willing to settle for a connection that needs Peer IP
-		 * instantiated: Road Warrior or Opportunistic.
-		 * Look on list of connections for host pair with wildcard Peer IP
-		 */
-		d = find_host_pair_connections(&c->spd.this.host_addr, c->spd.this.host_port
-			, (ip_address *)NULL, c->spd.that.host_port);
-	}
-}
-
-/**
- * With virtual addressing, we must not allow someone to use an already
- * used (by another id) addr/net.
- */
-static bool is_virtual_net_used(const ip_subnet *peer_net,
-								identification_t *peer_id)
-{
-	connection_t *d;
-
-	for (d = connections; d != NULL; d = d->ac_next)
-	{
-		switch (d->kind)
-		{
-		case CK_PERMANENT:
-		case CK_INSTANCE:
-			if ((subnetinsubnet(peer_net,&d->spd.that.client) ||
-				 subnetinsubnet(&d->spd.that.client,peer_net))
-			&& !d->spd.that.id->equals(d->spd.that.id, peer_id))
-			{
-				char client[SUBNETTOT_BUF];
-
-				subnettot(peer_net, 0, client, sizeof(client));
-				plog("Virtual IP %s is already used by '%Y'",
-						 client, d->spd.that.id);
-				plog("Your ID is '%Y'", peer_id);
-
-				return TRUE; /* already used by another one */
-			}
-			break;
-		case CK_GOING_AWAY:
-		default:
-		break;
-		}
-	}
-	return FALSE; /* you can safely use it */
-}
-
-/* find_client_connection: given a connection suitable for ISAKMP
- * (i.e. the hosts match), find a one suitable for IPSEC
- * (i.e. with matching clients).
- *
- * If we don't find an exact match (not even our current connection),
- * we try for one that still needs instantiation.  Try Road Warrior
- * abstract connections and the Opportunistic abstract connections.
- * This requires inverse instantiation: abstraction.
- *
- * After failing to find an exact match, we abstract the peer
- * to be NO_IP (the wildcard value).  This enables matches with
- * Road Warrior and Opportunistic abstract connections.
- *
- * After failing that search, we also abstract the Phase 1 peer ID
- * if possible.  If the peer's ID was the peer's IP address, we make
- * it NO_ID; instantiation will make it the peer's IP address again.
- *
- * If searching for a Road Warrior abstract connection fails,
- * and conditions are suitable, we search for the best Opportunistic
- * abstract connection.
- *
- * Note: in the end, both Phase 1 IDs must be preserved, after any
- * instantiation.  They are the IDs that have been authenticated.
- */
-
-#define PATH_WEIGHT     1
-#define WILD_WEIGHT     (X509_MAX_PATH_LEN+1)
-#define PRIO_WEIGHT     (ID_MATCH_PERFECT+1) * WILD_WEIGHT
-
-/* fc_try: a helper function for find_client_connection */
-static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
-							identification_t *peer_id,
-							const ip_subnet *our_net,
-							const ip_subnet *peer_net,
-							const u_int8_t our_protocol,
-							const u_int16_t our_port,
-							const u_int8_t peer_protocol,
-							const u_int16_t peer_port,
-							identification_t *peer_ca,
-							ietf_attributes_t *peer_attributes)
-{
-	connection_t *d;
-	connection_t *best = NULL;
-	policy_prio_t best_prio = BOTTOM_PRIO;
-	id_match_t match_level;
-	int pathlen;
-
-
-	const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
-
-	for (d = hp->connections; d != NULL; d = d->hp_next)
-	{
-		struct spd_route *sr;
-
-		if (d->policy & POLICY_GROUP)
-		{
-			continue;
-		}
-
-		match_level = c->spd.that.id->matches(c->spd.that.id, d->spd.that.id);
-
-		if (!(c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) &&
-			(match_level > ID_MATCH_NONE) &&
-			trusted_ca(peer_ca, d->spd.that.ca, &pathlen) &&
-			match_group_membership(peer_attributes, d->name, d->spd.that.groups)))
-		{
-			continue;
-		}
-
-		/* compare protocol and ports */
-		if (d->spd.this.protocol != our_protocol
-		||  d->spd.this.port != our_port
-		||  d->spd.that.protocol != peer_protocol
-		|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
-		{
-			continue;
-		}
-
-		/* non-Opportunistic case:
-		 * our_client must match.
-		 *
-		 * So must peer_client, but the testing is complicated
-		 * by the fact that the peer might be a wildcard
-		 * and if so, the default value of that.client
-		 * won't match the default peer_net.  The appropriate test:
-		 *
-		 * If d has a peer client, it must match peer_net.
-		 * If d has no peer client, peer_net must just have peer itself.
-		 */
-
-		for (sr = &d->spd; best != d && sr != NULL; sr = sr->next)
-		{
-			policy_prio_t prio;
-#ifdef DEBUG
-			if (DBGP(DBG_CONTROLMORE))
-			{
-				char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
-				char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
-
-				subnettot(our_net,  0, s1, sizeof(s1));
-				subnettot(peer_net, 0, d1, sizeof(d1));
-				subnettot(&sr->this.client,  0, s3, sizeof(s3));
-				subnettot(&sr->that.client,  0, d3, sizeof(d3));
-				DBG_log("  fc_try trying "
-						"%s:%s:%d/%d -> %s:%d/%d vs %s:%s:%d/%d -> %s:%d/%d"
-						, c->name, s1, c->spd.this.protocol, c->spd.this.port
-								 , d1, c->spd.that.protocol, c->spd.that.port
-						, d->name, s3, sr->this.protocol, sr->this.port
-								 , d3, sr->that.protocol, sr->that.port);
-			}
-#endif /* DEBUG */
-
-			if (!samesubnet(&sr->this.client, our_net))
-			{
-				continue;
-			}
-			if (sr->that.has_client)
-			{
-				if (sr->that.has_client_wildcard)
-				{
-					if (!subnetinsubnet(peer_net, &sr->that.client))
-					{
-						continue;
-					}
-				}
-				else
-				{
-					if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d))
-					{
-						continue;
-					}
-					if (is_virtual_connection(d)
-					&& (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)
-						|| is_virtual_net_used(peer_net, peer_id?peer_id:c->spd.that.id)))
-					{
-						continue;
-					}
-				}
-			}
-			else
-			{
-				host_t *vip = c->spd.that.host_srcip;
-
-				if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg &&
-						subnetisaddr(peer_net, (ip_address*)vip->get_sockaddr(vip))))
-				{
-					continue;
-				}
-			}
-
-			/* We've run the gauntlet -- success:
-			 * We've got an exact match of subnets.
-			 * The connection is feasible, but we continue looking for the best.
-			 * The highest priority wins, implementing eroute-like rule.
-			 * - a routed connection is preferrred
-			 * - given that, the smallest number of ID wildcards are preferred
-			 * - given that, the shortest CA pathlength is preferred
-			 */
-			prio = PRIO_WEIGHT * routed(sr->routing)
-				 + WILD_WEIGHT * match_level
-				 + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen)
-				 + 1;
-			if (prio > best_prio)
-			{
-				best = d;
-				best_prio = prio;
-			}
-		}
-	}
-
-	if (best && NEVER_NEGOTIATE(best->policy))
-	{
-		best = NULL;
-	}
-	DBG(DBG_CONTROLMORE,
-		DBG_log("  fc_try concluding with %s [%ld]"
-				, (best ? best->name : "none"), best_prio)
-	)
-	return best;
-}
-
-static connection_t *fc_try_oppo(const connection_t *c,
-								 struct host_pair *hp,
-								 const ip_subnet *our_net,
-								 const ip_subnet *peer_net,
-								 const u_int8_t our_protocol,
-								 const u_int16_t our_port,
-								 const u_int8_t peer_protocol,
-								 const u_int16_t peer_port,
-								 identification_t *peer_ca,
-								 ietf_attributes_t *peer_attributes)
-{
-	connection_t *d;
-	connection_t *best = NULL;
-	policy_prio_t best_prio = BOTTOM_PRIO;
-	id_match_t match_level;
-	int pathlen;
-
-	for (d = hp->connections; d != NULL; d = d->hp_next)
-	{
-		struct spd_route *sr;
-		policy_prio_t prio;
-
-		if (d->policy & POLICY_GROUP)
-		{
-			continue;
-		}
-		match_level = c->spd.that.id->matches(c->spd.that.id, c->spd.that.id);
-
-		if (!(c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) &&
-			(match_level > ID_MATCH_NONE) &&
-			trusted_ca(peer_ca, d->spd.that.ca, &pathlen) &&
-			match_group_membership(peer_attributes, d->name, d->spd.that.groups)))
-		{
-			continue;
-		}
-
-		/* compare protocol and ports */
-		if (d->spd.this.protocol != our_protocol
-		||  d->spd.this.port != our_port
-		||  d->spd.that.protocol != peer_protocol
-		|| (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
-		{
-			continue;
-		}
-
-		/* Opportunistic case:
-		 * our_net must be inside d->spd.this.client
-		 * and peer_net must be inside d->spd.that.client
-		 * Note: this host_pair chain also has shunt
-		 * eroute conns (clear, drop), but they won't
-		 * be marked as opportunistic.
-		 */
-		for (sr = &d->spd; sr != NULL; sr = sr->next)
-		{
-#ifdef DEBUG
-			if (DBGP(DBG_CONTROLMORE))
-			{
-				char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
-				char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
-
-				subnettot(our_net,  0, s1, sizeof(s1));
-				subnettot(peer_net, 0, d1, sizeof(d1));
-				subnettot(&sr->this.client,  0, s3, sizeof(s3));
-				subnettot(&sr->that.client,  0, d3, sizeof(d3));
-				DBG_log("  fc_try_oppo trying %s:%s -> %s vs %s:%s -> %s"
-						, c->name, s1, d1, d->name, s3, d3);
-			}
-#endif /* DEBUG */
-
-			if (!subnetinsubnet(our_net, &sr->this.client)
-			|| !subnetinsubnet(peer_net, &sr->that.client))
-			{
-				continue;
-			}
-
-			/* The connection is feasible, but we continue looking for the best.
-			 * The highest priority wins, implementing eroute-like rule.
-			 * - our smallest client subnet is preferred (longest mask)
-			 * - given that, his smallest client subnet is preferred
-			 * - given that, a routed connection is preferrred
-			 * - given that, the smallest number of ID wildcards are preferred
-			 * - given that, the shortest CA pathlength is preferred
-			 */
-			prio = PRIO_WEIGHT * (d->prio + routed(sr->routing))
-				 + WILD_WEIGHT * match_level
-				 + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen);
-			if (prio > best_prio)
-			{
-				best = d;
-				best_prio = prio;
-			}
-		}
-	}
-
-	/* if the best wasn't opportunistic, we fail: it must be a shunt */
-	if (best && (NEVER_NEGOTIATE(best->policy) ||
-	   (best->policy & POLICY_OPPO) == LEMPTY))
-	{
-		best = NULL;
-	}
-
-	DBG(DBG_CONTROLMORE,
-		DBG_log("  fc_try_oppo concluding with %s [%ld]"
-				, (best ? best->name : "none"), best_prio)
-	)
-	return best;
-
-}
-
-/*
- * get the peer's CA and group attributes
- */
-void get_peer_ca_and_groups(connection_t *c,
-							identification_t **peer_ca,
-							ietf_attributes_t **peer_attributes)
-{
-	struct state *p1st;
-
-	*peer_ca = NULL;
-	*peer_attributes = NULL;
-
-	p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
-	if (p1st && p1st->st_peer_pubkey && p1st->st_peer_pubkey->issuer)
-	{
-		certificate_t *cert;
-
-		cert = ac_get_cert(p1st->st_peer_pubkey->issuer,
-						   p1st->st_peer_pubkey->serial);
-		if (cert && ac_verify_cert(cert, strict_crl_policy))
-		{
-			ac_t *ac = (ac_t*)cert;
-
-			*peer_attributes = ac->get_groups(ac);
-		}
-		else
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("no valid attribute cert found")
-			)
-		}
-		*peer_ca = p1st->st_peer_pubkey->issuer;
-	}
-}
-
-connection_t *find_client_connection(connection_t *c,
-									 const ip_subnet *our_net,
-									 const ip_subnet *peer_net,
-									 const u_int8_t our_protocol,
-									 const u_int16_t our_port,
-									 const u_int8_t peer_protocol,
-									 const u_int16_t peer_port)
-{
-	connection_t *d;
-	struct spd_route *sr;
-	ietf_attributes_t *peer_attributes = NULL;
-	identification_t *peer_ca;
-
-	get_peer_ca_and_groups(c, &peer_ca, &peer_attributes);
-
-#ifdef DEBUG
-	if (DBGP(DBG_CONTROLMORE))
-	{
-		char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
-
-		subnettot(our_net,  0, s1, sizeof(s1));
-		subnettot(peer_net, 0, d1, sizeof(d1));
-
-		DBG_log("find_client_connection starting with %s"
-			, (c ? c->name : "(none)"));
-		DBG_log("  looking for %s:%d/%d -> %s:%d/%d"
-			, s1, our_protocol, our_port
-			, d1, peer_protocol, peer_port);
-	}
-#endif /* DEBUG */
-
-	/* give priority to current connection
-	 * but even greater priority to a routed concrete connection
-	 */
-	{
-		connection_t *unrouted = NULL;
-		int srnum = -1;
-
-		for (sr = &c->spd; unrouted == NULL && sr != NULL; sr = sr->next)
-		{
-			srnum++;
-
-#ifdef DEBUG
-			if (DBGP(DBG_CONTROLMORE))
-			{
-				char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
-
-				subnettot(&sr->this.client, 0, s2, sizeof(s2));
-				subnettot(&sr->that.client, 0, d2, sizeof(d2));
-				DBG_log("  concrete checking against sr#%d %s -> %s"
-						, srnum, s2, d2);
-			}
-#endif /* DEBUG */
-
-			if (samesubnet(&sr->this.client, our_net)
-			&& samesubnet(&sr->that.client, peer_net)
-			&& sr->this.protocol == our_protocol
-			&& sr->this.port == our_port
-			&& sr->that.protocol == peer_protocol
-			&& sr->that.port == peer_port
-			&& match_group_membership(peer_attributes, c->name, sr->that.groups))
-			{
-				passert(oriented(*c));
-				if (routed(sr->routing))
-				{
-					DESTROY_IF(peer_attributes);
-					return c;
-				}
-				unrouted = c;
-			}
-		}
-
-		/* exact match? */
-		d = fc_try(c, c->host_pair, NULL, our_net, peer_net
-			, our_protocol, our_port, peer_protocol, peer_port
-			, peer_ca, peer_attributes);
-
-		DBG(DBG_CONTROLMORE,
-			DBG_log("  fc_try %s gives %s"
-					, c->name
-					, (d ? d->name : "none"))
-		)
-
-		if (d == NULL)
-		{
-			d = unrouted;
-		}
-	}
-
-	if (d == NULL)
-	{
-		/* look for an abstract connection to match */
-		struct spd_route *sr;
-		struct host_pair *hp = NULL;
-
-		for (sr = &c->spd; hp==NULL && sr != NULL; sr = sr->next)
-		{
-			hp = find_host_pair(&sr->this.host_addr
-								, sr->this.host_port
-								, NULL
-								, sr->that.host_port);
-#ifdef DEBUG
-			if (DBGP(DBG_CONTROLMORE))
-			{
-				char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
-
-				subnettot(&sr->this.client, 0, s2, sizeof(s2));
-				subnettot(&sr->that.client, 0, d2, sizeof(d2));
-
-				DBG_log("  checking hostpair %s -> %s is %s"
-						, s2, d2
-						, (hp ? "found" : "not found"));
-			}
-#endif /* DEBUG */
-		}
-
-		if (hp)
-		{
-			/* RW match with actual peer_id or abstract peer_id? */
-			d = fc_try(c, hp, NULL, our_net, peer_net
-				, our_protocol, our_port, peer_protocol, peer_port
-				, peer_ca, peer_attributes);
-
-			if (d == NULL
-			&& subnetishost(our_net)
-			&& subnetishost(peer_net))
-			{
-				/* Opportunistic match?
-				 * Always use abstract peer_id.
-				 * Note that later instantiation will result in the same peer_id.
-				 */
-				d = fc_try_oppo(c, hp, our_net, peer_net
-					, our_protocol, our_port, peer_protocol, peer_port
-					, peer_ca, peer_attributes);
-			}
-		}
-	}
-
-	DBG(DBG_CONTROLMORE,
-		DBG_log("  concluding with d = %s"
-				, (d ? d->name : "none"))
-	)
-	DESTROY_IF(peer_attributes);
-	return d;
-}
-
-int connection_compare(const connection_t *ca, const connection_t *cb)
-{
-	int ret;
-
-	/* DBG_log("comparing %s to %s", ca->name, cb->name);  */
-
-	ret = strcasecmp(ca->name, cb->name);
-	if (ret)
-	{
-		return ret;
-	}
-
-	ret = ca->kind - cb->kind;  /* note: enum connection_kind behaves like int */
-	if (ret)
-	{
-		return ret;
-	}
-
-	/* same name, and same type */
-	switch (ca->kind)
-	{
-	case CK_INSTANCE:
-		return ca->instance_serial < cb->instance_serial ? -1
-			: ca->instance_serial > cb->instance_serial ? 1
-			: 0;
-
-	default:
-		return ca->prio < cb->prio ? -1
-			: ca->prio > cb->prio ? 1
-			: 0;
-	}
-}
-
-static int connection_compare_qsort(const void *a, const void *b)
-{
-	return connection_compare(*(const connection_t *const *)a
-							, *(const connection_t *const *)b);
-}
-
-void show_connections_status(bool all, const char *name)
-{
-	connection_t *c;
-	int count, i;
-	connection_t **array;
-
-	/* make an array of connections, and sort it */
-	count = 0;
-	for (c = connections; c != NULL; c = c->ac_next)
-	{
-		if (c->ikev1 && (name == NULL || streq(c->name, name)))
-			count++;
-	}
-	array = malloc(sizeof(connection_t *)*count);
-
-	count=0;
-	for (c = connections; c != NULL; c = c->ac_next)
-	{
-		if (c->ikev1 && (name == NULL || streq(c->name, name)))
-			array[count++]=c;
-	}
-
-	/* sort it! */
-	qsort(array, count, sizeof(connection_t *), connection_compare_qsort);
-
-	for (i = 0; i < count; i++)
-	{
-		const char *ifn;
-		char instance[1 + 10 + 1];
-		char prio[POLICY_PRIO_BUF];
-
-		c = array[i];
-
-		ifn = oriented(*c)? c->interface->rname : "";
-
-		instance[0] = '\0';
-		if (c->kind == CK_INSTANCE && c->instance_serial != 0)
-			snprintf(instance, sizeof(instance), "[%lu]", c->instance_serial);
-
-		/* show topology */
-		{
-			char topo[BUF_LEN];
-			struct spd_route *sr = &c->spd;
-			int num=0;
-
-			while (sr)
-			{
-				(void) format_connection(topo, sizeof(topo), c, sr);
-				whack_log(RC_COMMENT, "\"%s\"%s: %s; %s; eroute owner: #%lu"
-						  , c->name, instance, topo
-						  , enum_name(&routing_story, sr->routing)
-						  , sr->eroute_owner);
-				sr = sr->next;
-				num++;
-			}
-		}
-
-		if (all)
-		{
-			/* show CAs if defined */
-			if (c->spd.this.ca && c->spd.that.ca)
-			{
-				whack_log(RC_COMMENT, "\"%s\"%s:   CAs: \"%Y\"...\"%Y\"",
-						  c->name, instance, c->spd.this.ca, c->spd.that.ca);
-			}
-			else if (c->spd.this.ca)
-			{
-				whack_log(RC_COMMENT, "\"%s\"%s:   CAs: \"%Y\"...%%any",
-						  c->name, instance, c->spd.this.ca);
-
-			}
-			else if (c->spd.that.ca)
-			{
-				whack_log(RC_COMMENT, "\"%s\"%s:   CAs: %%any...\"%Y\"",
-						  c->name, instance, c->spd.that.ca);
-			}
-
-			/* show group attributes if defined */
-			if (c->spd.that.groups)
-			{
-				whack_log(RC_COMMENT, "\"%s\"%s:   groups: %s"
-					, c->name
-					, instance
-					, c->spd.that.groups->get_string(c->spd.that.groups));
-			}
-
-			whack_log(RC_COMMENT
-				, "\"%s\"%s:   ike_life: %lus; ipsec_life: %lus;"
-				" rekey_margin: %lus; rekey_fuzz: %lu%%; keyingtries: %lu"
-				, c->name
-				, instance
-				, (unsigned long) c->sa_ike_life_seconds
-				, (unsigned long) c->sa_ipsec_life_seconds
-				, (unsigned long) c->sa_rekey_margin
-				, (unsigned long) c->sa_rekey_fuzz
-				, (unsigned long) c->sa_keying_tries);
-
-			/* show DPD parameters if defined */
-
-			if (c->dpd_action != DPD_ACTION_NONE)
-				whack_log(RC_COMMENT
-					, "\"%s\"%s:   dpd_action: %N;"
-					" dpd_delay: %lus; dpd_timeout: %lus;"
-					, c->name
-					, instance
-					, dpd_action_names, c->dpd_action
-					, (unsigned long) c->dpd_delay
-					, (unsigned long) c->dpd_timeout);
-
-			if (c->policy_next)
-			{
-				whack_log(RC_COMMENT
-					, "\"%s\"%s:   policy_next: %s"
-					, c->name, instance, c->policy_next->name);
-			}
-
-			/* Note: we display key_from_DNS_on_demand as if policy [lr]KOD */
-			fmt_policy_prio(c->prio, prio);
-			whack_log(RC_COMMENT
-				, "\"%s\"%s:   policy: %s%s%s; prio: %s; interface: %s; "
-				, c->name
-				, instance
-				, prettypolicy(c->policy)
-				, c->spd.this.key_from_DNS_on_demand? "+lKOD" : ""
-				, c->spd.that.key_from_DNS_on_demand? "+rKOD" : ""
-				, prio
-				, ifn);
-		}
-
-		whack_log(RC_COMMENT
-			, "\"%s\"%s:   newest ISAKMP SA: #%ld; newest IPsec SA: #%ld; "
-			, c->name
-			, instance
-			, c->newest_isakmp_sa
-			, c->newest_ipsec_sa);
-
-		if (all)
-		{
-			ike_alg_show_connection(c, instance);
-			kernel_alg_show_connection(c, instance);
-		}
-	}
-	if (count > 0)
-		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
-
-	free(array);
-}
-
-/* struct pending, the structure representing Quick Mode
- * negotiations delayed until a Keying Channel has been negotiated.
- * Essentially, a pending call to quick_outI1.
- */
-
-struct pending {
-	int whack_sock;
-	struct state *isakmp_sa;
-	connection_t *connection;
-	lset_t policy;
-	unsigned long try;
-	so_serial_t replacing;
-
-	struct pending *next;
-};
-
-/* queue a Quick Mode negotiation pending completion of a suitable Main Mode */
-void add_pending(int whack_sock, struct state *isakmp_sa, connection_t *c,
-				 lset_t policy, unsigned long try, so_serial_t replacing)
-{
-	bool already_queued = FALSE;
-	struct pending *p = c->host_pair->pending;
-
-	while (p)
-	{
-		if (streq(c->name, p->connection->name))
-		{
-			already_queued = TRUE;
-			break;
-		}
-		p = p->next;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("Queuing pending Quick Mode with %s \"%s\"%s"
-				, ip_str(&c->spd.that.host_addr)
-				, c->name
-				, already_queued? " already done" : "")
-	)
-	if (already_queued)
-		return;
-
-	p = malloc_thing(struct pending);
-	p->whack_sock = whack_sock;
-	p->isakmp_sa = isakmp_sa;
-	p->connection = c;
-	p->policy = policy;
-	p->try = try;
-	p->replacing = replacing;
-	p->next = c->host_pair->pending;
-	c->host_pair->pending = p;
-}
-
-/* Release all the whacks awaiting the completion of this state.
- * This is accomplished by closing all the whack socket file descriptors.
- * We go to a lot of trouble to tell each whack, but to not tell it twice.
- */
-void release_pending_whacks(struct state *st, err_t story)
-{
-	struct pending *p;
-	struct stat stst;
-
-	if (st->st_whack_sock == NULL_FD || fstat(st->st_whack_sock, &stst) != 0)
-		zero(&stst);    /* resulting st_dev/st_ino ought to be distinct */
-
-	release_whack(st);
-
-	for (p = st->st_connection->host_pair->pending; p != NULL; p = p->next)
-	{
-		if (p->isakmp_sa == st && p->whack_sock != NULL_FD)
-		{
-			struct stat pst;
-
-			if (fstat(p->whack_sock, &pst) == 0
-			&& (stst.st_dev != pst.st_dev || stst.st_ino != pst.st_ino))
-			{
-				passert(whack_log_fd == NULL_FD);
-				whack_log_fd = p->whack_sock;
-				whack_log(RC_COMMENT
-					, "%s for ISAKMP SA, but releasing whack for pending IPSEC SA"
-					, story);
-				whack_log_fd = NULL_FD;
-			}
-			close(p->whack_sock);
-			p->whack_sock = NULL_FD;
-		}
-	}
-}
-
-static void delete_pending(struct pending **pp)
-{
-	struct pending *p = *pp;
-
-	*pp = p->next;
-	if (p->connection)
-	{
-		connection_discard(p->connection);
-	}
-	close_any(p->whack_sock);
-	free(p);
-}
-
-void unpend(struct state *st)
-{
-	struct pending **pp
-		, *p;
-
-	for (pp = &st->st_connection->host_pair->pending; (p = *pp) != NULL; )
-	{
-		if (p->isakmp_sa == st)
-		{
-			DBG(DBG_CONTROL, DBG_log("unqueuing pending Quick Mode with %s \"%s\""
-				, ip_str(&p->connection->spd.that.host_addr)
-				, p->connection->name));
-			(void) quick_outI1(p->whack_sock, st, p->connection, p->policy
-				, p->try, p->replacing);
-			p->whack_sock = NULL_FD;    /* ownership transferred */
-			p->connection = NULL;       /* ownership transferred */
-			delete_pending(pp);
-		}
-		else
-		{
-			pp = &p->next;
-		}
-	}
-}
-
-/* a Main Mode negotiation has been replaced; update any pending */
-void update_pending(struct state *os, struct state *ns)
-{
-	struct pending *p;
-
-	for (p = os->st_connection->host_pair->pending; p != NULL; p = p->next)
-	{
-		if (p->isakmp_sa == os)
-			p->isakmp_sa = ns;
-		if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port)
-		{
-			p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port;
-			p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port;
-		}
-	}
-}
-
-/* a Main Mode negotiation has failed; discard any pending */
-void flush_pending_by_state(struct state *st)
-{
-	struct host_pair *hp = st->st_connection->host_pair;
-
-	if (hp)
-	{
-		struct pending **pp
-			, *p;
-
-		for (pp = &hp->pending; (p = *pp) != NULL; )
-		{
-			if (p->isakmp_sa == st)
-				delete_pending(pp);
-			else
-				pp = &p->next;
-		}
-	}
-}
-
-/* a connection has been deleted; discard any related pending */
-static void flush_pending_by_connection(connection_t *c)
-{
-	if (c->host_pair)
-	{
-		struct pending **pp
-			, *p;
-
-		for (pp = &c->host_pair->pending; (p = *pp) != NULL; )
-		{
-			if (p->connection == c)
-			{
-				p->connection = NULL;   /* prevent delete_pending from releasing */
-				delete_pending(pp);
-			}
-			else
-			{
-				pp = &p->next;
-			}
-		}
-	}
-}
-
-void show_pending_phase2(const struct host_pair *hp, const struct state *st)
-{
-	const struct pending *p;
-
-	for (p = hp->pending; p != NULL; p = p->next)
-	{
-		if (p->isakmp_sa == st)
-		{
-			/* connection-name state-number [replacing state-number] */
-			char cip[CONN_INST_BUF];
-
-			fmt_conn_instance(p->connection, cip);
-			whack_log(RC_COMMENT, "#%lu: pending Phase 2 for \"%s\"%s replacing #%lu"
-				, p->isakmp_sa->st_serialno
-				, p->connection->name
-				, cip
-				, p->replacing);
-		}
-	}
-}
-
-/* Delete a connection if it is an instance and it is no longer in use.
- * We must be careful to avoid circularity:
- * we don't touch it if it is CK_GOING_AWAY.
- */
-void connection_discard(connection_t *c)
-{
-	if (c->kind == CK_INSTANCE)
-	{
-		/* see if it is being used by a pending */
-		struct pending *p;
-
-		for (p = c->host_pair->pending; p != NULL; p = p->next)
-			if (p->connection == c)
-				return; /* in use, so we're done */
-
-		if (!states_use_connection(c))
-			delete_connection(c, FALSE);
-	}
-}
-
-
-/* A template connection's eroute can be eclipsed by
- * either a %hold or an eroute for an instance iff
- * the template is a /32 -> /32.  This requires some special casing.
- */
-
-long eclipse_count = 0;
-
-connection_t *eclipsed(connection_t *c, struct spd_route **esrp)
-{
-	connection_t *ue;
-	struct spd_route *sr1 = &c->spd;
-
-	ue = NULL;
-
-	while (sr1 && ue)
-	{
-		for (ue = connections; ue != NULL; ue = ue->ac_next)
-		{
-			struct spd_route *srue = &ue->spd;
-
-			while (srue	&& srue->routing == RT_ROUTED_ECLIPSED
-			&& !(samesubnet(&sr1->this.client, &srue->this.client)
-				 && samesubnet(&sr1->that.client, &srue->that.client)))
-			{
-				srue = srue->next;
-			}
-			if (srue && srue->routing == RT_ROUTED_ECLIPSED)
-			{
-				*esrp = srue;
-				break;
-			}
-		}
-	}
-	return ue;
-}
-
-/*
- * Local Variables:
- * c-basic-offset:4
- * c-style: pluto
- * End:
- */
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
deleted file mode 100644
index e3775fcb0..000000000
--- a/src/pluto/connections.h
+++ /dev/null
@@ -1,366 +0,0 @@
-/* information about connections between hosts and clients
- * Copyright (C) 1998-2001  D. Hugh Redelmeier
- * Copyright (C) 2009-2010  Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _CONNECTIONS_H
-#define _CONNECTIONS_H
-
-#include <sys/queue.h>
-
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <credentials/ietf_attributes/ietf_attributes.h>
-
-#include "certs.h"
-#include "smartcard.h"
-#include "whack.h"
-
-/* There are two kinds of connections:
- * - ISAKMP connections, between hosts (for IKE communication)
- * - IPsec connections, between clients (for secure IP communication)
- *
- * An ISAKMP connection looks like:
- *   host<--->host
- *
- * An IPsec connection looks like:
- *   client-subnet<-->host<->nexthop<--->nexthop<->host<-->client-subnet
- *
- * For the connection to be relevant to this instance of Pluto,
- * exactly one of the hosts must be a public interface of our machine
- * known to this instance.
- *
- * The client subnet might simply be the host -- this is a
- * representation of "host mode".
- *
- * Each nexthop defaults to the neighbouring host's IP address.
- * The nexthop is a property of the pair of hosts, not each
- * individually.  It is only needed for IPsec because of the
- * way IPsec is mixed into the kernel routing logic.  Furthermore,
- * only this end's nexthop is actually used.  Eventually, nexthop
- * will be unnecessary.
- *
- * Other information represented:
- * - each connection has a name: a chunk of uninterpreted text
- *   that is unique for each connection.
- * - security requirements (currently just the "policy" flags from
- *   the whack command to initiate the connection, but eventually
- *   much more.  Different for ISAKMP and IPsec connections.
- * - rekeying parameters:
- *   + time an SA may live
- *   + time before SA death that a rekeying should be attempted
- *     (only by the initiator)
- *   + number of times to attempt rekeying
- * - With the current KLIPS, we must route packets for a client
- *   subnet through the ipsec interface (ipsec0).  Only one
- *   gateway can get traffic for a specific (client) subnet.
- *   Furthermore, if the routing isn't in place, packets will
- *   be sent in the clear.
- *   "routing" indicates whether the routing has been done for
- *   this connection.  Note that several connections may claim
- *   the same routing, as long as they agree about where the
- *   packets are to be sent.
- * - With the current KLIPS, only one outbound IPsec SA bundle can be
- *   used for a particular client.  This is due to a limitation
- *   of using only routing for selection.  So only one IPsec state (SA)
- *   may "own" the eroute.  "eroute_owner" is the serial number of
- *   this state, SOS_NOBODY if there is none.  "routing" indicates
- *   what kind of erouting has been done for this connection, if any.
- *
- * Details on routing is in constants.h
- *
- * Operations on Connections:
- *
- * - add a new connection (with all details) [whack command]
- * - delete a connection (by name) [whack command]
- * - initiate a connection (by name) [whack command]
- * - find a connection (by IP addresses of hosts)
- *   [response to peer request; finding ISAKMP connection for IPsec connection]
- *
- * Some connections are templates, missing the address of the peer
- * (represented by INADDR_ANY).  These are always arranged so that the
- * missing end is "that" (there can only be one missing end).  These can
- * be instantiated (turned into real connections) by Pluto in one of two
- * different ways: Road Warrior Instantiation or Opportunistic
- * Instantiation.  A template connection is marked for Opportunistic
- * Instantiation by specifying the peer client as 0.0.0.0/32 (or the IPV6
- * equivalent).  Otherwise, it is suitable for Road Warrior Instantiation.
- *
- * Instantiation creates a new temporary connection, with the missing
- * details filled in.  The resulting template lasts only as long as there
- * is a state that uses it.
- */
-
-/* connection policy priority: how important this policy is
- * - used to implement eroute-like precedence (augmented by a small
- *   bonus for a routed connection).
- * - a whole number
- * - larger is more important
- * - three subcomponents.  In order of decreasing significance:
- *   + length of source subnet mask (8 bits)
- *   + length of destination subnet mask (8 bits)
- *   + bias (8 bit)
- * - a bias of 1 is added to allow prio BOTTOM_PRIO to be less than all
- *   normal priorities
- * - other bias values are created on the fly to give mild preference
- *   to certaion conditions (eg. routedness)
- * - priority is inherited -- an instance of a policy has the same priority
- *   as the original policy, even though its subnets might be smaller.
- * - display format: n,m
- */
-typedef unsigned long policy_prio_t;
-#define BOTTOM_PRIO   ((policy_prio_t)0)        /* smaller than any real prio */
-#define set_policy_prio(c) { (c)->prio = \
-		((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
-		| ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
-		| (policy_prio_t)1; }
-#define POLICY_PRIO_BUF (3+1+3+1)
-extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
-
-struct virtual_t;
-
-struct end {
-	identification_t *id;
-	ip_address host_addr, host_nexthop;
-	host_t *host_srcip;
-	ip_subnet client;
-
-	bool is_left;
-	bool key_from_DNS_on_demand;
-	bool has_client;
-	bool has_client_wildcard;
-	bool has_port_wildcard;
-	bool has_id_wildcards;
-	bool has_natip;
-	char *updown;
-	u_int16_t host_port;        /* host order */
-	u_int16_t port;             /* host order */
-	u_int8_t protocol;
-	cert_t *cert;               /* end certificate */
-	identification_t *ca;       /* CA distinguished name */
-	ietf_attributes_t *groups;  /* access control groups */
-	smartcard_t *sc;            /* smartcard reader and key info */
-	struct virtual_t *virt;
-	bool modecfg;               /* this end: request local address from server */
-								/* that end: give local addresses to clients */
-	char *pool;					/* name of an associated virtual IP address pool */
-	bool hostaccess;            /* allow access to host via iptables INPUT/OUTPUT */
-								/* rules if client behind host is a subnet */
-	bool allow_any;             /* IP address is subject to change */
-	certpolicy_t sendcert;      /* whether or not to send the certificate */
-};
-
-struct spd_route {
-	struct spd_route *next;
-	struct end this;
-	struct end that;
-	so_serial_t eroute_owner;
-	enum routing_t routing;     /* level of routing in place */
-	uint32_t reqid;
-	mark_t mark_in;
-	mark_t mark_out;
-};
-
-typedef struct connection connection_t;
-
-struct connection {
-	char *name;
-	bool ikev1;
-
-	lset_t policy;
-	time_t sa_ike_life_seconds;
-	time_t sa_ipsec_life_seconds;
-	time_t sa_rekey_margin;
-	unsigned long sa_rekey_fuzz;
-	unsigned long sa_keying_tries;
-
-	identification_t *xauth_identity;     /* XAUTH identity */
-
-	/* RFC 3706 DPD */
-	time_t dpd_delay;
-	time_t dpd_timeout;
-	dpd_action_t dpd_action;
-
-	char              *log_file_name;     /* name of log file */
-	FILE              *log_file;          /* possibly open FILE */
-	TAILQ_ENTRY(connection) log_link;     /* linked list of open conns */
-	bool               log_file_err;      /* only bitch once */
-
-	struct spd_route spd;
-
-	/* internal fields: */
-
-	unsigned long instance_serial;
-	policy_prio_t prio;
-	bool instance_initiation_ok;        /* this is an instance of a policy that mandates initiate */
-	enum connection_kind kind;
-	const struct iface *interface;      /* filled in iff oriented */
-
-	so_serial_t /* state object serial number */
-		newest_isakmp_sa,
-		newest_ipsec_sa;
-
-
-#ifdef DEBUG
-	lset_t extra_debugging;
-#endif
-
-	/* note: if the client is the gateway, the following must be equal */
-	sa_family_t addr_family;            /* between gateways */
-	sa_family_t tunnel_addr_family;     /* between clients */
-
-	connection_t *policy_next;          /* if multiple policies,
-										   next one to apply */
-	struct gw_info *gw_info;
-	struct alg_info_esp *alg_info_esp;
-	struct alg_info_ike *alg_info_ike;
-	struct host_pair *host_pair;
-	connection_t *hp_next;              /* host pair list link */
-	connection_t *ac_next;              /* all connections list link */
-	linked_list_t *requested_ca;        /* collected certificate requests */
-	linked_list_t *requested;           /* requested attributes with handlers */
-	linked_list_t *attributes;          /* configuration attributes with handlers */
-	bool got_certrequest;
-};
-
-#define oriented(c) ((c).interface != NULL)
-extern bool orient(connection_t *c);
-
-extern bool same_peer_ids(const connection_t *c, const connection_t *d,
-						  identification_t *his_id);
-
-/* Format the topology of a connection end, leaving out defaults.
- * Largest left end looks like: client === host : port [ host_id ] --- hop
- * Note: if that==NULL, skip nexthop
- */
-#define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
-extern size_t format_end(char *buf, size_t buf_len, const struct end *this,
-						 const struct end *that, bool is_left, lset_t policy);
-
-extern void add_connection(const whack_message_t *wm);
-extern void initiate_connection(const char *name, int whackfd);
-extern void initiate_opportunistic(const ip_address *our_client,
-								   const ip_address *peer_client,
-								   int transport_proto, bool held, int whackfd);
-extern void terminate_connection(const char *nm);
-extern void release_connection(connection_t *c, bool relations);
-extern void delete_connection(connection_t *c, bool relations);
-extern void delete_connections_by_name(const char *name, bool strict);
-extern void delete_every_connection(void);
-extern char *add_group_instance(connection_t *group, const ip_subnet *target);
-extern void remove_group_instance(const connection_t *group, const char *name);
-extern void release_dead_interfaces(void);
-extern void check_orientations(void);
-extern connection_t *route_owner(connection_t *c, struct spd_route **srp,
-								 connection_t **erop, struct spd_route **esrp);
-extern connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his);
-
-extern bool uniqueIDs;  /* --uniqueids? */
-extern void ISAKMP_SA_established(connection_t *c, so_serial_t serial);
-
-#define id_is_ipaddr(id) ((id)->get_type(id) == ID_IPV4_ADDR || \
-						  (id)->get_type(id) == ID_IPV6_ADDR)
-extern bool his_id_was_instantiated(const connection_t *c);
-
-struct state;   /* forward declaration of tag (defined in state.h) */
-
-extern connection_t* con_by_name(const char *nm, bool strict);
-extern connection_t* find_host_connection(const ip_address *me,
-										  u_int16_t my_port,
-										  const ip_address *him,
-										  u_int16_t his_port, lset_t policy);
-extern connection_t* refine_host_connection(const struct state *st,
-											identification_t *id,
-											identification_t *peer_ca);
-extern connection_t* find_client_connection(connection_t *c,
-											const ip_subnet *our_net,
-											const ip_subnet *peer_net,
-											const u_int8_t our_protocol,
-											const u_int16_t out_port,
-											const u_int8_t peer_protocol,
-											const u_int16_t peer_port);
-extern connection_t* find_connection_by_reqid(uint32_t reqid);
-extern connection_t* find_connection_for_clients(struct spd_route **srp,
-												 const ip_address *our_client,
-												 const ip_address *peer_client,
-												 int transport_proto);
-extern void get_peer_ca_and_groups(connection_t *c,
-								   identification_t **peer_ca,
-								   ietf_attributes_t **peer_attributes);
-
-/* instantiating routines
- * Note: connection_discard() is in state.h because all its work
- * is looking through state objects.
- */
-struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
-struct alg_info;        /* forward declaration of tag (defined in alg_info.h) */
-extern connection_t *rw_instantiate(connection_t *c,
-									const ip_address *him,
-									u_int16_t his_port,
-									const ip_subnet *his_net,
-									identification_t *his_id);
-
-extern connection_t *oppo_instantiate(connection_t *c,
-									  const ip_address *him,
-									  identification_t *his_id,
-									  struct gw_info *gw,
-									  const ip_address *our_client,
-									  const ip_address *peer_client);
-
-extern connection_t
-  *build_outgoing_opportunistic_connection(struct gw_info *gw,
-										   const ip_address *our_client,
-										   const ip_address *peer_client);
-
-#define CONN_INST_BUF	BUF_LEN
-
-extern void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF]);
-
-/* operations on "pending", the structure representing Quick Mode
- * negotiations delayed until a Keying Channel has been negotiated.
- */
-
-struct pending; /* forward declaration (opaque outside connections.c) */
-
-extern void add_pending(int whack_sock, struct state *isakmp_sa,
-						connection_t *c, lset_t policy, unsigned long try,
-						so_serial_t replacing);
-
-extern void release_pending_whacks(struct state *st, err_t story);
-extern void unpend(struct state *st);
-extern void update_pending(struct state *os, struct state *ns);
-extern void flush_pending_by_state(struct state *st);
-extern void show_pending_phase2(const struct host_pair *hp, const struct state *st);
-
-extern void connection_discard(connection_t *c);
-
-/* A template connection's eroute can be eclipsed by
- * either a %hold or an eroute for an instance iff
- * the template is a /32 -> /32.  This requires some special casing.
- */
-#define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client))
-extern long eclipse_count;
-extern connection_t *eclipsed(connection_t *c, struct spd_route **);
-
-
-/* print connection status */
-
-extern void show_connections_status(bool all, const char *name);
-extern int  connection_compare(const connection_t *ca
-	, const connection_t *cb);
-extern void update_host_pair(const char *why, connection_t *c
-	, const ip_address *myaddr, u_int16_t myport
-	, const ip_address *hisaddr, u_int16_t hisport);
-
-#endif /* _CONNECTIONS_H */
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
deleted file mode 100644
index 73ec0bc54..000000000
--- a/src/pluto/constants.c
+++ /dev/null
@@ -1,1401 +0,0 @@
-/* tables of names for values defined in constants.h
- * Copyright (C) 1998-2002 D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- * Note that the array sizes are all specified; this is to enable range
- * checking by code that only includes constants.h.
- */
-
-#include <stddef.h>
-#include <string.h>
-#include <stdio.h>
-#include <netinet/in.h>
-
-#include <freeswan.h>
-
-#include <attributes/attributes.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "packet.h"
-
-/* string naming compile-time options that have interop implications */
-
-const char compile_time_interop_options[] = ""
-#ifdef THREADS
-		" THREADS"
-#endif
-#ifdef SMARTCARD
-		" SMARTCARD"
-#endif
-#ifdef VENDORID
-		" VENDORID"
-#endif
-#ifdef CISCO_QUIRKS
-		" CISCO_QUIRKS"
-#endif
-#ifdef USE_KEYRR
-		" KEYRR"
-#endif
-	;
-
-/* version */
-
-static const char *const version_name[] = {
-		"ISAKMP Version 1.0",
-};
-
-enum_names version_names =
-	{ ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
-		ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
-		version_name, NULL };
-
-/* RFC 3706 Dead Peer Detection */
-
-ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART,
-	"none",
-	"clear",
-	"hold",
-	"restart"
-);
-
-/* Timer events */
-
-ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY,
-	"EVENT_NULL",
-	"EVENT_REINIT_SECRET",
-	"EVENT_SO_DISCARD",
-	"EVENT_RETRANSMIT",
-	"EVENT_SA_REPLACE",
-	"EVENT_SA_REPLACE_IF_USED",
-	"EVENT_SA_EXPIRE",
-	"EVENT_NAT_T_KEEPALIVE",
-	"EVENT_DPD",
-	"EVENT_DPD_TIMEOUT",
-	"EVENT_LOG_DAILY"
-);
-
-/* Domain of Interpretation */
-
-static const char *const doi_name[] = {
-		"ISAKMP_DOI_ISAKMP",
-		"ISAKMP_DOI_IPSEC",
-};
-
-enum_names doi_names = { ISAKMP_DOI_ISAKMP, ISAKMP_DOI_IPSEC, doi_name, NULL };
-
-/* debugging settings: a set of selections for reporting
- * These would be more naturally situated in log.h,
- * but they are shared with whack.
- * It turns out that "debug-" is clutter in all contexts this is used,
- * so we leave it off.
- */
-#ifdef DEBUG
-const char *const debug_bit_names[] = {
-	"raw",
-	"crypt",
-	"parsing",
-	"emitting",
-	"control",
-	"lifecycle",
-	"kernel",
-	"dns",
-	"natt",
-	"oppo",
-	"controlmore",
-
-	"private",
-
-	"impair-delay-adns-key-answer",
-	"impair-delay-adns-txt-answer",
-	"impair-bust-mi2",
-	"impair-bust-mr2",
-
-	NULL
-};
-#endif
-
-/* State of exchanges */
-
-static const char *const state_name[] = {
-	"STATE_UNDEFINED",
-
-	"STATE_MAIN_R0",
-	"STATE_MAIN_I1",
-	"STATE_MAIN_R1",
-	"STATE_MAIN_I2",
-	"STATE_MAIN_R2",
-	"STATE_MAIN_I3",
-	"STATE_MAIN_R3",
-	"STATE_MAIN_I4",
-
-	"STATE_QUICK_R0",
-	"STATE_QUICK_I1",
-	"STATE_QUICK_R1",
-	"STATE_QUICK_I2",
-	"STATE_QUICK_R2",
-
-	"STATE_INFO",
-	"STATE_INFO_PROTECTED",
-
-	"STATE_XAUTH_I0",
-	"STATE_XAUTH_R1",
-	"STATE_XAUTH_I1",
-	"STATE_XAUTH_R2",
-	"STATE_XAUTH_I2",
-	"STATE_XAUTH_R3",
-
-	"STATE_MODE_CFG_R0",
-	"STATE_MODE_CFG_I1",
-	"STATE_MODE_CFG_R1",
-	"STATE_MODE_CFG_I2",
-
-	"STATE_MODE_CFG_I0",
-	"STATE_MODE_CFG_R3",
-	"STATE_MODE_CFG_I3",
-	"STATE_MODE_CFG_R4",
-
-	"STATE_IKE_ROOF"
-};
-
-enum_names state_names =
-	{ STATE_UNDEFINED, STATE_IKE_ROOF-1, state_name, NULL };
-
-/* story for state */
-
-const char *const state_story[] = {
-	"undefined state after error",			 /* STATE_UNDEFINED */
-	"expecting MI1",                         /* STATE_MAIN_R0 */
-	"sent MI1, expecting MR1",               /* STATE_MAIN_I1 */
-	"sent MR1, expecting MI2",               /* STATE_MAIN_R1 */
-	"sent MI2, expecting MR2",               /* STATE_MAIN_I2 */
-	"sent MR2, expecting MI3",               /* STATE_MAIN_R2 */
-	"sent MI3, expecting MR3",               /* STATE_MAIN_I3 */
-	"sent MR3, ISAKMP SA established",       /* STATE_MAIN_R3 */
-	"ISAKMP SA established",                 /* STATE_MAIN_I4 */
-
-	"expecting QI1",                         /* STATE_QUICK_R0 */
-	"sent QI1, expecting QR1",               /* STATE_QUICK_I1 */
-	"sent QR1, inbound IPsec SA installed, expecting QI2",  /* STATE_QUICK_R1 */
-	"sent QI2, IPsec SA established",        /* STATE_QUICK_I2 */
-	"IPsec SA established",                  /* STATE_QUICK_R2 */
-
-	"got Informational Message in clear",    /* STATE_INFO */
-	"got encrypted Informational Message",   /* STATE_INFO_PROTECTED */
-
-	"expecting XAUTH request",               /* STATE_XAUTH_I0 */
-	"sent XAUTH request, expecting reply",   /* STATE_XAUTH_R1 */
-	"sent XAUTH reply, expecting status",    /* STATE_XAUTH_I1 */
-	"sent XAUTH status, expecting ack",      /* STATE_XAUTH_R2 */
-	"sent XAUTH ack, established",           /* STATE_XAUTH_I2 */
-	"received XAUTH ack, established",       /* STATE_XAUTH_R3 */
-
-	"expecting ModeCfg request",             /* STATE_MODE_CFG_R0 */
-	"sent ModeCfg request, expecting reply", /* STATE_MODE_CFG_I1 */
-	"sent ModeCfg reply, established",       /* STATE_MODE_CFG_R1 */
-	"received ModeCfg reply, established",   /* STATE_MODE_CFG_I2 */
-
-	"expecting ModeCfg set",                 /* STATE_MODE_CFG_I0 */
-	"sent ModeCfg set, expecting ack",       /* STATE_MODE_CFG_R3 */
-	"sent ModeCfg ack, established",         /* STATE_MODE_CFG_I3 */
-	"received ModeCfg ack, established",     /* STATE_MODE_CFG_R4 */
-};
-
-/* kind of struct connection */
-
-static const char *const connection_kind_name[] = {
-	"CK_GROUP",         /* policy group: instantiates to template */
-	"CK_TEMPLATE",      /* abstract connection, with wildcard */
-	"CK_PERMANENT",     /* normal connection */
-	"CK_INSTANCE",      /* instance of template, created for a particular attempt */
-	"CK_GOING_AWAY"     /* instance being deleted -- don't delete again */
-};
-
-enum_names connection_kind_names =
-	{ CK_GROUP, CK_GOING_AWAY, connection_kind_name, NULL };
-
-/* routing status names */
-
-static const char *const routing_story_strings[] = {
-	"unrouted", /* RT_UNROUTED: unrouted */
-	"unrouted HOLD",    /* RT_UNROUTED_HOLD: unrouted, but HOLD shunt installed */
-	"eroute eclipsed",  /* RT_ROUTED_ECLIPSED: RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
-	"prospective erouted",      /* RT_ROUTED_PROSPECTIVE: routed, and prospective shunt installed */
-	"erouted HOLD",     /* RT_ROUTED_HOLD: routed, and HOLD shunt installed */
-	"fail erouted",     /* RT_ROUTED_FAILURE: routed, and failure-context shunt eroute installed */
-	"erouted",  /* RT_ROUTED_TUNNEL: routed, and erouted to an IPSEC SA group */
-	"keyed, unrouted",  /* RT_UNROUTED_KEYED: was routed+keyed, but it got turned into an outer policy */
-};
-
-enum_names routing_story =
-	{ RT_UNROUTED, RT_ROUTED_TUNNEL, routing_story_strings, NULL};
-
-/* Payload types (RFC 2408 "ISAKMP" section 3.1) */
-
-const char *const payload_name[] = {
-	"ISAKMP_NEXT_NONE",
-	"ISAKMP_NEXT_SA",
-	"ISAKMP_NEXT_P",
-	"ISAKMP_NEXT_T",
-	"ISAKMP_NEXT_KE",
-	"ISAKMP_NEXT_ID",
-	"ISAKMP_NEXT_CERT",
-	"ISAKMP_NEXT_CR",
-	"ISAKMP_NEXT_HASH",
-	"ISAKMP_NEXT_SIG",
-	"ISAKMP_NEXT_NONCE",
-	"ISAKMP_NEXT_N",
-	"ISAKMP_NEXT_D",
-	"ISAKMP_NEXT_VID",
-	"ISAKMP_NEXT_MODECFG",
-	"ISAKMP_NEXT_15",
-	"ISAKMP_NEXT_16",
-	"ISAKMP_NEXT_17",
-	"ISAKMP_NEXT_18",
-	"ISAKMP_NEXT_19",
-	"ISAKMP_NEXT_NAT-D",
-	"ISAKMP_NEXT_NAT-OA",
-	NULL
-};
-
-const char *const payload_name_nat_d[] = {
-	"ISAKMP_NEXT_NAT-D",
-	"ISAKMP_NEXT_NAT-OA", NULL
-};
-
-static enum_names payload_names_nat_d =
-	{ ISAKMP_NEXT_NATD_DRAFTS, ISAKMP_NEXT_NATOA_DRAFTS, payload_name_nat_d, NULL };
-
-enum_names payload_names =
-	{ ISAKMP_NEXT_NONE, ISAKMP_NEXT_NATOA_RFC, payload_name, &payload_names_nat_d };
-
-/* Exchange types (note: two discontinuous ranges) */
-
-static const char *const exchange_name[] = {
-	"ISAKMP_XCHG_NONE",
-	"ISAKMP_XCHG_BASE",
-	"ISAKMP_XCHG_IDPROT",
-	"ISAKMP_XCHG_AO",
-	"ISAKMP_XCHG_AGGR",
-	"ISAKMP_XCHG_INFO",
-	"ISAKMP_XCHG_MODE_CFG",
-};
-
-static const char *const exchange_name2[] = {
-	"ISAKMP_XCHG_QUICK",
-	"ISAKMP_XCHG_NGRP",
-	"ISAKMP_XCHG_ACK_INFO",
-};
-
-static enum_names exchange_desc2 =
-	{ ISAKMP_XCHG_QUICK, ISAKMP_XCHG_ACK_INFO, exchange_name2, NULL };
-
-enum_names exchange_names =
-	{ ISAKMP_XCHG_NONE, ISAKMP_XCHG_MODE_CFG, exchange_name, &exchange_desc2 };
-
-/* Flag BITS */
-const char *const flag_bit_names[] = {
-	"ISAKMP_FLAG_ENCRYPTION",
-	"ISAKMP_FLAG_COMMIT",
-	NULL
-};
-
-/* Situation BITS definition for IPsec DOI */
-
-const char *const sit_bit_names[] = {
-	"SIT_IDENTITY_ONLY",
-	"SIT_SECRECY",
-	"SIT_INTEGRITY",
-	NULL
-};
-
-/* Protocol IDs (RFC 2407 "IPsec DOI" section 4.4.1) */
-
-static const char *const protocol_name[] = {
-	"PROTO_ISAKMP",
-	"PROTO_IPSEC_AH",
-	"PROTO_IPSEC_ESP",
-	"PROTO_IPCOMP",
-};
-
-enum_names protocol_names =
-	{ PROTO_ISAKMP, PROTO_IPCOMP, protocol_name, NULL };
-
-/* IPsec ISAKMP transform values */
-
-static const char *const isakmp_transform_name[] = {
-	"KEY_IKE",
-};
-
-enum_names isakmp_transformid_names =
-	{ KEY_IKE, KEY_IKE, isakmp_transform_name, NULL };
-
-/* IPsec AH transform values */
-
-static const char *const ah_transform_name[] = {
-	"HMAC_MD5",
-	"HMAC_SHA1",
-	"DES_MAC",
-	"HMAC_SHA2_256",
-	"HMAC_SHA2_384",
-	"HMAC_SHA2_512",
-	"HMAC_RIPEMD",
-	"AES_XCBC_96",
-	"SIG_RSA",
-	"AES_128_GMAC",
-	"AES_192_GMAC",
-	"AES_256_GMAC"
-};
-
-static const char *const ah_transform_name_high[] = {
-	"HMAC_SHA2_256_96"
-};
-
-enum_names ah_transform_names_high =
-	{ AH_SHA2_256_96, AH_SHA2_256_96, ah_transform_name_high, NULL };
-
-enum_names ah_transform_names =
-	{ AH_MD5, AH_AES_256_GMAC, ah_transform_name, &ah_transform_names_high };
-
-/* IPsec ESP transform values */
-
-static const char *const esp_transform_name[] = {
-	"DES_IV64",
-	"DES_CBC",
-	"3DES_CBC",
-	"RC5_CBC",
-	"IDEA_CBC",
-	"CAST_CBC",
-	"BLOWFISH_CBC",
-	"3IDEA",
-	"DES_IV32",
-	"RC4",
-	"NULL",
-	"AES_CBC",
-	"AES_CTR",
-	"AES_CCM_8",
-	"AES_CCM_12",
-	"AES_CCM_16",
-	"UNASSIGNED_17",
-	"AES_GCM_8",
-	"AES_GCM_12",
-	"AES_GCM_16",
-	"SEED_CBC",
-	"CAMELLIA_CBC",
-	"AES_GMAC"
-};
-
-static const char *const esp_transform_name_high[] = {
-	"SERPENT_CBC",
-	"TWOFISH_CBC"
-};
-
-enum_names esp_transform_names_high =
-	{ ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
-
-enum_names esp_transform_names =
-	{ ESP_DES_IV64, ESP_AES_GMAC, esp_transform_name, &esp_transform_names_high };
-
-/* IPCOMP transform values */
-
-static const char *const ipcomp_transform_name[] = {
-	"IPCOMP_OUI",
-	"IPCOMP_DEFLATE",
-	"IPCOMP_LZS",
-	"IPCOMP_LZJH",
-};
-
-enum_names ipcomp_transformid_names =
-	{ IPCOMP_OUI, IPCOMP_LZJH, ipcomp_transform_name, NULL };
-
-/* Identification type values */
-
-static const char *const ident_name[] = {
-	"ID_IPV4_ADDR",
-	"ID_FQDN",
-	"ID_USER_FQDN",
-	"ID_IPV4_ADDR_SUBNET",
-	"ID_IPV6_ADDR",
-	"ID_IPV6_ADDR_SUBNET",
-	"ID_IPV4_ADDR_RANGE",
-	"ID_IPV6_ADDR_RANGE",
-	"ID_DER_ASN1_DN",
-	"ID_DER_ASN1_GN",
-	"ID_KEY_ID",
-};
-
-enum_names ident_names =
-	{ ID_IPV4_ADDR, ID_KEY_ID, ident_name, NULL };
-
-/* Certificate type values */
-
-static const char *const cert_type_name[] = {
-	"CERT_NONE",
-	"CERT_PKCS7_WRAPPED_X509",
-	"CERT_PGP",
-	"CERT_DNS_SIGNED_KEY",
-	"CERT_X509_SIGNATURE",
-	"CERT_X509_KEY_EXCHANGE",
-	"CERT_KERBEROS_TOKENS",
-	"CERT_CRL",
-	"CERT_ARL",
-	"CERT_SPKI",
-	"CERT_X509_ATTRIBUTE",
-};
-
-enum_names cert_type_names =
-	{ CERT_NONE, CERT_X509_ATTRIBUTE, cert_type_name, NULL };
-
-/* Certificate policy names */
-
-ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
-	"ALWAYS_SEND",
-	"SEND_IF_ASKED",
-	"NEVER_SEND",
-);
-
-/* Goal BITs for establishing an SA
- * Note: we drop the POLICY_ prefix so that logs are more concise.
- */
-
-const char *const sa_policy_bit_names[] = {
-	"PSK",
-	"PUBKEY",
-	"ENCRYPT",
-	"AUTHENTICATE",
-	"COMPRESS",
-	"TUNNEL",
-	"PFS",
-	"DISABLEARRIVALCHECK",
-	"SHUNT0",
-	"SHUNT1",
-	"FAILSHUNT0",
-	"FAILSHUNT1",
-	"DONTREKEY",
-	"OPPORTUNISTIC",
-	"GROUP",
-	"GROUTED",
-	"UP",
-	"MODECFGPUSH",
-	"XAUTHPSK",
-	"XAUTHRSASIG",
-	"XAUTHSERVER",
-	"DONTREAUTH",
-	"BEET",
-	"MOBIKE",
-	"PROXY",
-	NULL
-};
-
-const char *const policy_shunt_names[4] = {
-	"TRAP",
-	"PASS",
-	"DROP",
-	"REJECT",
-};
-
-const char *const policy_fail_names[4] = {
-	"NONE",
-	"PASS",
-	"DROP",
-	"REJECT",
-};
-
-/* Oakley transform attributes
- * oakley_attr_bit_names does double duty: it is used for enum names
- * and bit names.
- */
-
-const char *const oakley_attr_bit_names[] = {
-	"OAKLEY_ENCRYPTION_ALGORITHM",
-	"OAKLEY_HASH_ALGORITHM",
-	"OAKLEY_AUTHENTICATION_METHOD",
-	"OAKLEY_GROUP_DESCRIPTION",
-	"OAKLEY_GROUP_TYPE",
-	"OAKLEY_GROUP_PRIME",
-	"OAKLEY_GROUP_GENERATOR_ONE",
-	"OAKLEY_GROUP_GENERATOR_TWO",
-	"OAKLEY_GROUP_CURVE_A",
-	"OAKLEY_GROUP_CURVE_B",
-	"OAKLEY_LIFE_TYPE",
-	"OAKLEY_LIFE_DURATION",
-	"OAKLEY_PRF",
-	"OAKLEY_KEY_LENGTH",
-	"OAKLEY_FIELD_SIZE",
-	"OAKLEY_GROUP_ORDER",
-	"OAKLEY_BLOCK_SIZE",
-	NULL
-};
-
-static const char *const oakley_var_attr_name[] = {
-	"OAKLEY_GROUP_PRIME (variable length)",
-	"OAKLEY_GROUP_GENERATOR_ONE (variable length)",
-	"OAKLEY_GROUP_GENERATOR_TWO (variable length)",
-	"OAKLEY_GROUP_CURVE_A (variable length)",
-	"OAKLEY_GROUP_CURVE_B (variable length)",
-	NULL,
-	"OAKLEY_LIFE_DURATION (variable length)",
-	NULL,
-	NULL,
-	NULL,
-	"OAKLEY_GROUP_ORDER (variable length)",
-};
-
-static enum_names oakley_attr_desc_tv = {
-	OAKLEY_ENCRYPTION_ALGORITHM + ISAKMP_ATTR_AF_TV,
-	OAKLEY_GROUP_ORDER + ISAKMP_ATTR_AF_TV, oakley_attr_bit_names, NULL };
-
-enum_names oakley_attr_names = {
-	OAKLEY_GROUP_PRIME, OAKLEY_GROUP_ORDER,
-	oakley_var_attr_name, &oakley_attr_desc_tv };
-
-/* for each Oakley attribute, which enum_names describes its values? */
-enum_names *oakley_attr_val_descs[] = {
-	NULL,                   /* (none) */
-	&oakley_enc_names,      /* OAKLEY_ENCRYPTION_ALGORITHM */
-	&oakley_hash_names,     /* OAKLEY_HASH_ALGORITHM */
-	&oakley_auth_names,     /* OAKLEY_AUTHENTICATION_METHOD */
-	&oakley_group_names,    /* OAKLEY_GROUP_DESCRIPTION */
-	&oakley_group_type_names,/* OAKLEY_GROUP_TYPE */
-	NULL,                   /* OAKLEY_GROUP_PRIME */
-	NULL,                   /* OAKLEY_GROUP_GENERATOR_ONE */
-	NULL,                   /* OAKLEY_GROUP_GENERATOR_TWO */
-	NULL,                   /* OAKLEY_GROUP_CURVE_A */
-	NULL,                   /* OAKLEY_GROUP_CURVE_B */
-	&oakley_lifetime_names, /* OAKLEY_LIFE_TYPE */
-	NULL,                   /* OAKLEY_LIFE_DURATION */
-	&oakley_prf_names,      /* OAKLEY_PRF */
-	NULL,                   /* OAKLEY_KEY_LENGTH */
-	NULL,                   /* OAKLEY_FIELD_SIZE */
-	NULL,                   /* OAKLEY_GROUP_ORDER */
-};
-
-/* IPsec DOI attributes (RFC 2407 "IPsec DOI" section 4.5) */
-
-static const char *const ipsec_attr_name[] = {
-	"SA_LIFE_TYPE",
-	"SA_LIFE_DURATION",
-	"GROUP_DESCRIPTION",
-	"ENCAPSULATION_MODE",
-	"AUTH_ALGORITHM",
-	"KEY_LENGTH",
-	"KEY_ROUNDS",
-	"COMPRESS_DICT_SIZE",
-	"COMPRESS_PRIVATE_ALG",
-};
-
-static const char *const ipsec_var_attr_name[] = {
-	"SA_LIFE_DURATION (variable length)",
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	"COMPRESS_PRIVATE_ALG (variable length)",
-};
-
-static enum_names ipsec_attr_desc_tv = {
-	SA_LIFE_TYPE + ISAKMP_ATTR_AF_TV,
-	COMPRESS_PRIVATE_ALG + ISAKMP_ATTR_AF_TV,
-	ipsec_attr_name, NULL };
-
-enum_names ipsec_attr_names = {
-	SA_LIFE_DURATION, COMPRESS_PRIVATE_ALG,
-	ipsec_var_attr_name, &ipsec_attr_desc_tv };
-
-/* for each IPsec attribute, which enum_names describes its values? */
-enum_names *ipsec_attr_val_descs[] = {
-	NULL,                   /* (none) */
-	&sa_lifetime_names,     /* SA_LIFE_TYPE */
-	NULL,                   /* SA_LIFE_DURATION */
-	&oakley_group_names,    /* GROUP_DESCRIPTION */
-	&enc_mode_names,                /* ENCAPSULATION_MODE */
-	&auth_alg_names,                /* AUTH_ALGORITHM */
-	NULL,                   /* KEY_LENGTH */
-	NULL,                   /* KEY_ROUNDS */
-	NULL,                   /* COMPRESS_DICT_SIZE */
-	NULL,                   /* COMPRESS_PRIVATE_ALG */
-};
-
-/* SA Lifetime Type attribute */
-
-static const char *const sa_lifetime_name[] = {
-	"SA_LIFE_TYPE_SECONDS",
-	"SA_LIFE_TYPE_KBYTES",
-};
-
-enum_names sa_lifetime_names =
-	{ SA_LIFE_TYPE_SECONDS, SA_LIFE_TYPE_KBYTES, sa_lifetime_name, NULL };
-
-/* Encapsulation Mode attribute */
-
-static const char *const enc_mode_name[] = {
-	"ENCAPSULATION_MODE_TUNNEL",
-	"ENCAPSULATION_MODE_TRANSPORT",
-	"ENCAPSULATION_MODE_UDP_TUNNEL",
-	"ENCAPSULATION_MODE_UDP_TRANSPORT",
-};
-
-static const char *const enc_udp_mode_name[] = {
-		"ENCAPSULATION_MODE_UDP_TUNNEL",
-		"ENCAPSULATION_MODE_UDP_TRANSPORT",
-	};
-
-static enum_names enc_udp_mode_names =
-	{ ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS, ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS, enc_udp_mode_name, NULL };
-
-enum_names enc_mode_names =
-	{ ENCAPSULATION_MODE_TUNNEL, ENCAPSULATION_MODE_UDP_TRANSPORT_RFC, enc_mode_name, &enc_udp_mode_names };
-
-/* Auth Algorithm attribute */
-
-static const char *const auth_alg_name[] = {
-    "AUTH_NONE",
-	"HMAC_MD5",
-	"HMAC_SHA1",
-	"DES_MAC",
-	"KPDK",
-	"HMAC_SHA2_256",
-	"HMAC_SHA2_384",
-	"HMAC_SHA2_512",
-	"HMAC_RIPEMD",
-	"AES_XCBC_96",
-	"SIG_RSA"
-};
-
-static const char *const extended_auth_alg_name[] = {
-	"NULL",
-	"HMAC_SHA2_256_96"
-};
-
-enum_names extended_auth_alg_names =
-	{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_HMAC_SHA2_256_96,
-		extended_auth_alg_name, NULL };
-
-enum_names auth_alg_names =
-	{ AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA,
-		auth_alg_name, &extended_auth_alg_names };
-
-/* From draft-beaulieu-ike-xauth */
-static const char *const xauth_type_name[] = {
-	"Generic",
-	"RADIUS-CHAP",
-	"OTP",
-	"S/KEY",
-};
-
-enum_names xauth_type_names =
-	{ XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
-
-/* From draft-beaulieu-ike-xauth */
-static const char *const xauth_attr_tv_name[] = {
-	"XAUTH_TYPE",
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	"XAUTH_STATUS",
-};
-
-enum_names xauth_attr_tv_names = {
-	XAUTH_TYPE   + ISAKMP_ATTR_AF_TV,
-	XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
-
-static const char *const unity_attr_name[] = {
-	"UNITY_BANNER",
-	"UNITY_SAVE_PASSWD",
-	"UNITY_DEF_DOMAIN",
-	"UNITY_SPLITDNS_NAME",
-	"UNITY_SPLIT_INCLUDE",
-	"UNITY_NATT_PORT",
-	"UNITY_LOCAL_LAN",
-	"UNITY_PFS",
-	"UNITY_FW_TYPE",
-	"UNITY_BACKUP_SERVERS",
-	"UNITY_DDNS_HOSTNAME",
-};
-
-enum_names unity_attr_names =
-	{ UNITY_BANNER , UNITY_DDNS_HOSTNAME, unity_attr_name , &xauth_attr_tv_names };
-
-static const char *const microsoft_attr_name[] = {
-	"INTERNAL_IP4_SERVER",
-	"INTERNAL_IP6_SERVER",
-};
-
-enum_names microsoft_attr_names =
-	{ INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, microsoft_attr_name , &unity_attr_names };
-
-static const char *const xauth_attr_name[] = {
-	"XAUTH_USER_NAME",
-	"XAUTH_USER_PASSWORD",
-	"XAUTH_PASSCODE",
-	"XAUTH_MESSAGE",
-	"XAUTH_CHALLENGE",
-	"XAUTH_DOMAIN",
-	"XAUTH_STATUS (wrong TLV syntax, should be TV)",
-	"XAUTH_NEXT_PIN",
-	"XAUTH_ANSWER",
-};
-
-enum_names xauth_attr_names =
-	{ XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &microsoft_attr_names };
-
-static const char *const modecfg_attr_name[] = {
-	"INTERNAL_IP4_ADDRESS",
-	"INTERNAL_IP4_NETMASK",
-	"INTERNAL_IP4_DNS",
-	"INTERNAL_IP4_NBNS",
-	"INTERNAL_ADDRESS_EXPIRY",
-	"INTERNAL_IP4_DHCP",
-	"APPLICATION_VERSION",
-	"INTERNAL_IP6_ADDRESS",
-	"INTERNAL_IP6_NETMASK",
-	"INTERNAL_IP6_DNS",
-	"INTERNAL_IP6_NBNS",
-	"INTERNAL_IP6_DHCP",
-	"INTERNAL_IP4_SUBNET",
-	"SUPPORTED_ATTRIBUTES",
-	"INTERNAL_IP6_SUBNET",
-};
-
-enum_names modecfg_attr_names =
-	{ INTERNAL_IP4_ADDRESS, INTERNAL_IP6_SUBNET, modecfg_attr_name , &xauth_attr_names };
-
-/* Oakley Lifetime Type attribute */
-
-static const char *const oakley_lifetime_name[] = {
-	"OAKLEY_LIFE_SECONDS",
-	"OAKLEY_LIFE_KILOBYTES",
-};
-
-enum_names oakley_lifetime_names =
-	{ OAKLEY_LIFE_SECONDS, OAKLEY_LIFE_KILOBYTES, oakley_lifetime_name, NULL };
-
-/* Oakley PRF attribute (none defined) */
-
-enum_names oakley_prf_names =
-	{ 1, 0, NULL, NULL };
-
-/* Oakley Encryption Algorithm attribute */
-
-static const char *const oakley_enc_name[] = {
-	"DES_CBC",
-	"IDEA_CBC",
-	"BLOWFISH_CBC",
-	"RC5_R16_B64_CBC",
-	"3DES_CBC",
-	"CAST_CBC",
-	"AES_CBC",
-	"CAMELLIA_CBC"
-};
-
-#ifdef NO_EXTRA_IKE
-enum_names oakley_enc_names =
-	{ OAKLEY_DES_CBC, OAKLEY_CAMELLIA_CBC, oakley_enc_name, NULL };
-#else
-static const char *const oakley_enc_name_draft_aes_cbc_02[] = {
-	"MARS_CBC"       /*      65001   */,
-	"RC6_CBC"        /*      65002   */,
-	"ID_65003"       /*      65003   */,
-	"SERPENT_CBC"    /*      65004   */,
-	"TWOFISH_CBC"    /*      65005   */,
-};
-
-static const char *const oakley_enc_name_ssh[] = {
-	"TWOFISH_CBC_SSH",
-};
-
-enum_names oakley_enc_names_ssh =
-	{ OAKLEY_TWOFISH_CBC_SSH, OAKLEY_TWOFISH_CBC_SSH, oakley_enc_name_ssh
-		, NULL };
-
-enum_names oakley_enc_names_draft_aes_cbc_02 =
-	{ OAKLEY_MARS_CBC, OAKLEY_TWOFISH_CBC, oakley_enc_name_draft_aes_cbc_02
-		, &oakley_enc_names_ssh };
-
-enum_names oakley_enc_names =
-	{ OAKLEY_DES_CBC, OAKLEY_CAMELLIA_CBC, oakley_enc_name
-		, &oakley_enc_names_draft_aes_cbc_02 };
-#endif
-
-/* Oakley Hash Algorithm attribute */
-
-static const char *const oakley_hash_name[] = {
-	"HMAC_MD5",
-	"HMAC_SHA1",
-	"HMAC_TIGER",
-	"HMAC_SHA2_256",
-	"HMAC_SHA2_384",
-	"HMAC_SHA2_512",
-};
-
-enum_names oakley_hash_names =
-	{ OAKLEY_MD5, OAKLEY_SHA2_512, oakley_hash_name, NULL };
-
-/* Oakley Authentication Method attribute */
-
-static const char *const oakley_auth_name1[] = {
-	"pre-shared key",
-	"DSS signature",
-	"RSA signature",
-	"RSA encryption",
-	"RSA encryption revised",
-	"ElGamal encryption",
-	"ELGamal encryption revised",
-	"ECDSA signature",
-	"ECDSA-256 signature",
-	"ECDSA-384 signature",
-	"ECDSA-521-signature",
-};
-
-static const char *const oakley_auth_name2[] = {
-	"HybridInitRSA",
-	"HybridRespRSA",
-	"HybridInitDSS",
-	"HybridRespDSS",
-};
-
-static const char *const oakley_auth_name3[] = {
-	"XAUTHInitPreShared",
-	"XAUTHRespPreShared",
-	"XAUTHInitDSS",
-	"XAUTHRespDSS",
-	"XAUTHInitRSA",
-	"XAUTHRespRSA",
-	"XAUTHInitRSAEncryption",
-	"XAUTHRespRSAEncryption",
-	"XAUTHInitRSARevisedEncryption",
-	"XAUTHRespRSARevisedEncryption",
-};
-
-static enum_names oakley_auth_names1 =
-	{ OAKLEY_PRESHARED_KEY, OAKLEY_ECDSA_521
-		, oakley_auth_name1, NULL };
-
-static enum_names oakley_auth_names2 =
-	{ HybridInitRSA, HybridRespDSS
-		, oakley_auth_name2, &oakley_auth_names1 };
-
-enum_names oakley_auth_names =
-	{ XAUTHInitPreShared, XAUTHRespRSARevisedEncryption
-		, oakley_auth_name3, &oakley_auth_names2 };
-
-/* Oakley Group Description attribute */
-
-static const char *const oakley_group_name[] = {
-	"MODP_768",
-	"MODP_1024",
-	"GP_155",
-	"GP_185",
-	"MODP_1536",
-};
-
-static const char *const oakley_group_name_rfc3526[] = {
-	"MODP_2048",
-	"MODP_3072",
-	"MODP_4096",
-	"MODP_6144",
-	"MODP_8192"
-};
-
-static const char *const oakley_group_name_rfc4753[] = {
-	"ECP_256",
-	"ECP_384",
-	"ECP_521"
-};
-
-static const char *const oakley_group_name_rfc5114[] = {
-	"MODP_1024_160",
-	"MODP_2048_224",
-	"MODP_2048_256",
-	"ECP_192",
-	"ECP_224"
-};
-
-enum_names oakley_group_names_rfc5114 =
-	{ MODP_1024_160, ECP_224_BIT,
-			oakley_group_name_rfc5114, NULL };
-
-enum_names oakley_group_names_rfc4753 =
-	{ ECP_256_BIT, ECP_521_BIT,
-			oakley_group_name_rfc4753, &oakley_group_names_rfc5114 };
-
-enum_names oakley_group_names_rfc3526 =
-	{ MODP_2048_BIT, MODP_8192_BIT,
-			oakley_group_name_rfc3526, &oakley_group_names_rfc4753 };
-
-enum_names oakley_group_names =
-	{ MODP_768_BIT, MODP_1536_BIT,
-			oakley_group_name, &oakley_group_names_rfc3526 };
-
-/* Oakley Group Type attribute */
-
-static const char *const oakley_group_type_name[] = {
-	"OAKLEY_GROUP_TYPE_MODP",
-	"OAKLEY_GROUP_TYPE_ECP",
-	"OAKLEY_GROUP_TYPE_EC2N",
-};
-
-enum_names oakley_group_type_names =
-	{ OAKLEY_GROUP_TYPE_MODP, OAKLEY_GROUP_TYPE_EC2N, oakley_group_type_name, NULL };
-
-/* Notify messages -- error types */
-
-static const char *const notification_name[] = {
-	"INVALID_PAYLOAD_TYPE",
-	"DOI_NOT_SUPPORTED",
-	"SITUATION_NOT_SUPPORTED",
-	"INVALID_COOKIE",
-	"INVALID_MAJOR_VERSION",
-	"INVALID_MINOR_VERSION",
-	"INVALID_EXCHANGE_TYPE",
-	"INVALID_FLAGS",
-	"INVALID_MESSAGE_ID",
-	"INVALID_PROTOCOL_ID",
-	"INVALID_SPI",
-	"INVALID_TRANSFORM_ID",
-	"ATTRIBUTES_NOT_SUPPORTED",
-	"NO_PROPOSAL_CHOSEN",
-	"BAD_PROPOSAL_SYNTAX",
-	"PAYLOAD_MALFORMED",
-	"INVALID_KEY_INFORMATION",
-	"INVALID_ID_INFORMATION",
-	"INVALID_CERT_ENCODING",
-	"INVALID_CERTIFICATE",
-	"CERT_TYPE_UNSUPPORTED",
-	"INVALID_CERT_AUTHORITY",
-	"INVALID_HASH_INFORMATION",
-	"AUTHENTICATION_FAILED",
-	"INVALID_SIGNATURE",
-	"ADDRESS_NOTIFICATION",
-	"NOTIFY_SA_LIFETIME",
-	"CERTIFICATE_UNAVAILABLE",
-	"UNSUPPORTED_EXCHANGE_TYPE",
-	"UNEQUAL_PAYLOAD_LENGTHS",
-};
-
-static const char *const notification_status_name[] = {
-	"CONNECTED",
-};
-
-static const char *const ipsec_notification_name[] = {
-	"IPSEC_RESPONDER_LIFETIME",
-	"IPSEC_REPLAY_STATUS",
-	"IPSEC_INITIAL_CONTACT",
-};
-
-static const char *const notification_dpd_name[] = {
-	"R_U_THERE",
-	"R_U_THERE_ACK",
-};
-
-static const char *const notification_juniper_name[] = {
-	"NS_NHTB_INFORM",
-};
-
-enum_names notification_juniper_names =
-	{ NS_NHTB_INFORM, NS_NHTB_INFORM,
-		notification_juniper_name, NULL };
-
-enum_names notification_dpd_names =
-	{ R_U_THERE, R_U_THERE_ACK,
-		notification_dpd_name, &notification_juniper_names };
-
-enum_names ipsec_notification_names =
-	{ IPSEC_RESPONDER_LIFETIME, IPSEC_INITIAL_CONTACT,
-		ipsec_notification_name, &notification_dpd_names };
-
-enum_names notification_status_names =
-	{ ISAKMP_CONNECTED, ISAKMP_CONNECTED,
-		notification_status_name, &ipsec_notification_names };
-
-enum_names notification_names =
-	{ ISAKMP_INVALID_PAYLOAD_TYPE, ISAKMP_UNEQUAL_PAYLOAD_LENGTHS,
-		notification_name, &notification_status_names };
-
-/* MODECFG
- * From draft-dukes-ike-mode-cfg
- */
-const char *const attr_msg_type_name[] = {
-	"ISAKMP_CFG_RESERVED",
-	"ISAKMP_CFG_REQUEST",
-	"ISAKMP_CFG_REPLY",
-	"ISAKMP_CFG_SET",
-	"ISAKMP_CFG_ACK",
-	NULL
-};
-
-enum_names attr_msg_type_names =
-	{ 0 , ISAKMP_CFG_ACK, attr_msg_type_name , NULL };
-
-/* socket address family info */
-
-static const char *const af_inet_name[] = {
-	"AF_INET",
-};
-
-static const char *const af_inet6_name[] = {
-	"AF_INET6",
-};
-
-static enum_names af_names6 = { AF_INET6, AF_INET6, af_inet6_name, NULL };
-
-enum_names af_names = { AF_INET, AF_INET, af_inet_name, &af_names6 };
-
-static ip_address ipv4_any, ipv6_any;
-static ip_subnet ipv4_wildcard, ipv6_wildcard;
-static ip_subnet ipv4_all, ipv6_all;
-
-const struct af_info af_inet4_info = {
-	AF_INET,
-	"AF_INET",
-	sizeof(struct in_addr),
-	sizeof(struct sockaddr_in),
-	32,
-	ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE,
-	&ipv4_any, &ipv4_wildcard, &ipv4_all,
-};
-
-const struct af_info af_inet6_info = {
-	AF_INET6,
-	"AF_INET6",
-	sizeof(struct in6_addr),
-	sizeof(struct sockaddr_in6),
-	128,
-	ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV6_ADDR_RANGE,
-	&ipv6_any, &ipv6_wildcard, &ipv6_all,
-};
-
-const struct af_info *
-aftoinfo(int af)
-{
-	switch (af)
-	{
-		case AF_INET:
-			return &af_inet4_info;
-		case AF_INET6:
-			return &af_inet6_info;
-		default:
-			return NULL;
-	}
-}
-
-bool subnetisnone(const ip_subnet *sn)
-{
-	ip_address base;
-
-	networkof(sn, &base);
-	return isanyaddr(&base) && subnetishost(sn);
-}
-
-#ifdef ADNS
-
-/* BIND enumerated types */
-
-#include <arpa/nameser.h>
-
-static const char *const rr_type_name[] = {
-	"T_A",  /* 1 host address */
-	"T_NS", /* 2 authoritative server */
-	"T_MD", /* 3 mail destination */
-	"T_MF", /* 4 mail forwarder */
-	"T_CNAME",      /* 5 canonical name */
-	"T_SOA",        /* 6 start of authority zone */
-	"T_MB", /* 7 mailbox domain name */
-	"T_MG", /* 8 mail group member */
-	"T_MR", /* 9 mail rename name */
-	"T_NULL",       /* 10 null resource record */
-	"T_WKS",        /* 11 well known service */
-	"T_PTR",        /* 12 domain name pointer */
-	"T_HINFO",      /* 13 host information */
-	"T_MINFO",      /* 14 mailbox information */
-	"T_MX", /* 15 mail routing information */
-	"T_TXT",        /* 16 text strings */
-	"T_RP", /* 17 responsible person */
-	"T_AFSDB",      /* 18 AFS cell database */
-	"T_X25",        /* 19 X_25 calling address */
-	"T_ISDN",       /* 20 ISDN calling address */
-	"T_RT", /* 21 router */
-	"T_NSAP",       /* 22 NSAP address */
-	"T_NSAP_PTR",   /* 23 reverse NSAP lookup (deprecated) */
-	"T_SIG",        /* 24 security signature */
-	"T_KEY",        /* 25 security key */
-	"T_PX", /* 26 X.400 mail mapping */
-	"T_GPOS",       /* 27 geographical position (withdrawn) */
-	"T_AAAA",       /* 28 IP6 Address */
-	"T_LOC",        /* 29 Location Information */
-	"T_NXT",        /* 30 Next Valid Name in Zone */
-	"T_EID",        /* 31 Endpoint identifier */
-	"T_NIMLOC",     /* 32 Nimrod locator */
-	"T_SRV",        /* 33 Server selection */
-	"T_ATMA",       /* 34 ATM Address */
-	"T_NAPTR",      /* 35 Naming Authority PoinTeR */
-	NULL
-};
-
-enum_names rr_type_names = { T_A, T_NAPTR, rr_type_name, NULL };
-
-/* Query type values which do not appear in resource records */
-static const char *const rr_qtype_name[] = {
-	"T_IXFR",       /* 251 incremental zone transfer */
-	"T_AXFR",       /* 252 transfer zone of authority */
-	"T_MAILB",      /* 253 transfer mailbox records */
-	"T_MAILA",      /* 254 transfer mail agent records */
-	"T_ANY",        /* 255 wildcard match */
-	NULL
-};
-
-enum_names rr_qtype_names = { T_IXFR, T_ANY, rr_qtype_name, &rr_type_names };
-
-static const char *const rr_class_name[] = {
-	"C_IN", /* 1 the arpa internet */
-	NULL
-};
-
-enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
-
-#endif /* ADNS */
-
-/*
- * NAT-Traversal defines for nat_traveral type from nat_traversal.h
- *
- */
-const char *const natt_type_bitnames[] = {
-	"draft-ietf-ipsec-nat-t-ike-00/01",    /* 0 */
-	"draft-ietf-ipsec-nat-t-ike-02/03",
-	"RFC 3947",
-	"3",                                   /* 3 */
-	"4",   "5",   "6",   "7",
-	"8",   "9",   "10",  "11",
-	"12",  "13",  "14",  "15",
-	"16",  "17",  "18",  "19",
-	"20",  "21",  "22",  "23",
-	"24",  "25",  "26",  "27",
-	"28",  "29",
-	"nat is behind me",
-	"nat is behind peer"
-};
-
-/* look up enum names in an enum_names */
-
-const char* enum_name(enum_names *ed, unsigned long val)
-{
-	enum_names  *p;
-
-	for (p = ed; p != NULL; p = p->en_next_range)
-	{
-		if (p->en_first <= val && val <= p->en_last)
-			return p->en_names[val - p->en_first];
-	}
-	return NULL;
-}
-
-/* find or construct a string to describe an enum value
- * Result may be in STATIC buffer!
- */
-const char *
-enum_show(enum_names *ed, unsigned long val)
-{
-	const char *p = enum_name(ed, val);
-
-	if (p == NULL)
-	{
-		static char buf[12];    /* only one!  I hope that it is big enough */
-
-		snprintf(buf, sizeof(buf), "%lu??", val);
-		p = buf;
-	}
-	return p;
-}
-
-
-static char bitnamesbuf[200];   /* only one!  I hope that it is big enough! */
-
-int
-enum_search(enum_names *ed, const char *str)
-{
-	enum_names  *p;
-	const char *ptr;
-	unsigned en;
-
-	for (p = ed; p != NULL; p = p->en_next_range)
-	{
-		for (en = p->en_first; en <= p->en_last ;en++)
-		{
-			ptr = p->en_names[en - p->en_first];
-			if (ptr == 0)
-			{
-				continue;
-			}
-			if (streq(ptr, str))
-			{
-				return en;
-			}
-		}
-	}
-	return -1;
-}
-
-/* construct a string to name the bits on in a set
- * Result may be in STATIC buffer!
- * Note: prettypolicy depends on internal details.
- */
-const char* bitnamesof(const char *const table[], lset_t val)
-{
-	char *p = bitnamesbuf;
-	lset_t bit;
-	const char *const *tp;
-
-	if (val == 0)
-		return "none";
-
-	for (tp = table, bit = 01; val != 0; bit <<= 1)
-	{
-		if (val & bit)
-		{
-			const char *n = *tp;
-			size_t nl;
-
-			if (n == NULL || *n == '\0')
-			{
-				/* no name for this bit, so use hex */
-				static char flagbuf[sizeof("0x80000000")];
-
-				snprintf(flagbuf, sizeof(flagbuf), "0x%llx", bit);
-				n = flagbuf;
-			}
-
-			nl = strlen(n);
-
-			if (p != bitnamesbuf && p < bitnamesbuf+sizeof(bitnamesbuf) - 1)
-				*p++ = '+';
-
-			if (bitnamesbuf+sizeof(bitnamesbuf) - p > (ptrdiff_t)nl)
-			{
-				strcpy(p, n);
-				p += nl;
-			}
-			val -= bit;
-		}
-		if (*tp != NULL)
-			tp++;   /* move on, but not past end */
-	}
-	*p = '\0';
-	return bitnamesbuf;
-}
-
-/* print a policy: like bitnamesof, but it also does the non-bitfields.
- * Suppress the shunt and fail fields if 0.
- */
-const char* prettypolicy(lset_t policy)
-{
-	const char *bn = bitnamesof(sa_policy_bit_names
-		, policy & ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK));
-	size_t len;
-	lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
-	lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;
-
-	if (bn != bitnamesbuf)
-		bitnamesbuf[0] = '\0';
-	len = strlen(bitnamesbuf);
-	if (shunt != 0)
-	{
-		snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+%s"
-			, policy_shunt_names[shunt]);
-		len += strlen(bitnamesbuf + len);
-	}
-	if (fail != 0)
-	{
-		snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+failure%s"
-			, policy_fail_names[fail]);
-		len += strlen(bitnamesbuf + len);
-	}
-	if (NEVER_NEGOTIATE(policy))
-	{
-		snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+NEVER_NEGOTIATE");
-		len += strlen(bitnamesbuf + len);
-	}
-	return bitnamesbuf;
-}
-
-/* test a set by seeing if all bits have names */
-
-bool testset(const char *const table[], lset_t val)
-{
-	lset_t bit;
-	const char *const *tp;
-
-	for (tp = table, bit = 01; val != 0; bit <<= 1, tp++)
-	{
-		const char *n = *tp;
-
-		if (n == NULL || ((val & bit) && *n == '\0'))
-			return FALSE;
-		val &= ~bit;
-	}
-	return TRUE;
-}
-
-
-const char sparse_end[] = "end of sparse names";
-
-/* look up enum names in a sparse_names */
-const char *sparse_name(sparse_names sd, unsigned long val)
-{
-	const struct sparse_name *p;
-
-	for (p = sd; p->name != sparse_end; p++)
-		if (p->val == val)
-			return p->name;
-	return NULL;
-}
-
-/* find or construct a string to describe an sparse value
- * Result may be in STATIC buffer!
- */
-const char* sparse_val_show(sparse_names sd, unsigned long val)
-{
-	const char *p = sparse_name(sd, val);
-
-	if (p == NULL)
-	{
-		static char buf[12];    /* only one!  I hope that it is big enough */
-
-		snprintf(buf, sizeof(buf), "%lu??", val);
-		p = buf;
-	}
-	return p;
-}
-
-void init_constants(void)
-{
-	happy(anyaddr(AF_INET, &ipv4_any));
-	happy(anyaddr(AF_INET6, &ipv6_any));
-
-	happy(addrtosubnet(&ipv4_any, &ipv4_wildcard));
-	happy(addrtosubnet(&ipv6_any, &ipv6_wildcard));
-
-	happy(initsubnet(&ipv4_any, 0, '0', &ipv4_all));
-	happy(initsubnet(&ipv6_any, 0, '0', &ipv6_all));
-}
-
-u_char secret_of_the_day[HASH_SIZE_SHA1];
-
-
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
deleted file mode 100644
index c931f1782..000000000
--- a/src/pluto/constants.h
+++ /dev/null
@@ -1,1099 +0,0 @@
-/* manifest constants
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _CONSTANTS_H
-#define _CONSTANTS_H
-
-#include <freeswan.h>
-
-#include <kernel/kernel_ipsec.h>
-
-#include <utils.h>
-#include <utils/identification.h>
-#include <crypto/hashers/hasher.h>
-
-extern const char compile_time_interop_options[];
-
-extern void init_constants(void);
-
-/*
- * NOTE:For debugging purposes, constants.c has tables to map numbers back to names.
- * Any changes here should be reflected there.
- */
-
-/* Many routines return only success or failure, but wish to describe
- * the failure in a message.  We use the convention that they return
- * a NULL on success and a pointer to constant string on failure.
- * The fact that the string is a constant is limiting, but it
- * avoids storage management issues: the recipient is allowed to assume
- * that the string will live "long enough" (usually forever).
- * <freeswan.h> defines err_t for this return type.
- */
-
-#define NULL_FD (-1)    /* NULL file descriptor */
-#define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))
-#define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
-
-/* set type with room for at least 64 elements for ALG opts (was 32 in stock FS) */
-
-typedef unsigned long long lset_t;
-#define LEMPTY 0ULL
-#define LELEM(opt) (1ULL << (opt))
-#define LRANGE(lwb, upb) LRANGES(LELEM(lwb), LELEM(upb))
-#define LRANGES(first, last) (last - first + last)
-#define LHAS(set, elem)  ((LELEM(elem) & (set)) != LEMPTY)
-#define LIN(subset, set)  (((subset) & (set)) == (subset))
-#define LDISJOINT(a, b)  (((a) & (b)) == LEMPTY)
-
-/* Control and lock pathnames */
-#ifndef IPSEC_PIDDIR
-# define IPSEC_PIDDIR "/var/run"
-#endif
-#ifndef DEFAULT_CTLBASE
-# define DEFAULT_CTLBASE IPSEC_PIDDIR "/pluto"
-#endif
-
-#define CTL_SUFFIX ".ctl"       /* for UNIX domain socket pathname */
-#define LOCK_SUFFIX ".pid"      /* for pluto's lock */
-#define INFO_SUFFIX ".info"     /* for UNIX domain socket for apps */
-
-/* Routines to check and display values.
- *
- * An enum_names describes an enumeration.
- * enum_name() returns the name of an enum value, or NULL if invalid.
- * enum_show() is like enum_name, except it formats a numeric representation
- *    for any invalid value (in a static area!)
- *
- * bitnames() formats a display of a set of named bits (in a static area)
- */
-
-struct enum_names {
-	unsigned long en_first;  /* first value in range */
-	unsigned long en_last;   /* last value in range (inclusive) */
-	const char *const *en_names;
-	const struct enum_names *en_next_range;     /* descriptor of next range */
-};
-
-typedef const struct enum_names enum_names;
-
-extern const char *enum_name(enum_names *ed, unsigned long val);
-extern const char *enum_show(enum_names *ed, unsigned long val);
-extern int enum_search(enum_names *ed, const char *string);
-
-extern bool testset(const char *const table[], lset_t val);
-extern const char *bitnamesof(const char *const table[], lset_t val);
-
-/* sparse_names is much like enum_names, except values are
- * not known to be contiguous or ordered.
- * The array of names is ended with one with the name sparse_end
- * (this avoids having to reserve a value to signify the end).
- * Often appropriate for enums defined by others.
- */
-struct sparse_name {
-	unsigned long val;
-	const char *const name;
-};
-typedef const struct sparse_name sparse_names[];
-
-extern const char *sparse_name(sparse_names sd, unsigned long val);
-extern const char *sparse_val_show(sparse_names sd, unsigned long val);
-extern const char sparse_end[];
-
-#define FULL_INET_ADDRESS_SIZE    6
-
-/* limits on nonce sizes.  See RFC2409 "The internet key exchange (IKE)" 5 */
-#define MINIMUM_NONCE_SIZE      8       /* bytes */
-#define DEFAULT_NONCE_SIZE      16      /* bytes */
-#define MAXIMUM_NONCE_SIZE      256     /* bytes */
-
-#define COOKIE_SIZE 8
-#define MAX_ISAKMP_SPI_SIZE 16
-
-#define DES_CBC_BLOCK_SIZE      (64 / BITS_PER_BYTE)
-
-/* Maximum is required for SHA2_512 */
-#define MAX_DIGEST_LEN          HASH_SIZE_SHA512
-
-/* RFC 2404 "HMAC-SHA-1-96" section 3 */
-#define HMAC_SHA1_KEY_LEN       HASH_SIZE_SHA1
-
-/* RFC 2403 "HMAC-MD5-96" section 3 */
-#define HMAC_MD5_KEY_LEN        HASH_SIZE_MD5
-
-#define IKE_UDP_PORT    500
-
-/* IPsec AH transform values
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
- * and in http://www.iana.org/assignments/isakmp-registry
- */
-enum ipsec_authentication_algo {
-	AH_NONE         = 0,
-	AH_MD5          = 2,
-	AH_SHA          = 3,
-	AH_DES          = 4,
-	AH_SHA2_256     = 5,
-	AH_SHA2_384     = 6,
-	AH_SHA2_512     = 7,
-	AH_RIPEMD       = 8,
-	AH_AES_XCBC_MAC = 9,
-	AH_RSA          = 10,
-	AH_AES_128_GMAC = 11,
-	AH_AES_192_GMAC = 12,
-	AH_AES_256_GMAC = 13,
-	AH_SHA2_256_96  = 252
-};
-
-extern enum_names ah_transform_names;
-
-/* IPsec ESP transform values
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
- * and from http://www.iana.org/assignments/isakmp-registry
- */
-
-enum ipsec_cipher_algo {
-	ESP_NONE          = 0,
-	ESP_DES_IV64      = 1,
-	ESP_DES           = 2,
-	ESP_3DES          = 3,
-	ESP_RC5           = 4,
-	ESP_IDEA          = 5,
-	ESP_CAST          = 6,
-	ESP_BLOWFISH      = 7,
-	ESP_3IDEA         = 8,
-	ESP_DES_IV32      = 9,
-	ESP_RC4           = 10,
-	ESP_NULL          = 11,
-	ESP_AES           = 12,
-	ESP_AES_CTR       = 13,
-	ESP_AES_CCM_8     = 14,
-	ESP_AES_CCM_12    = 15,
-	ESP_AES_CCM_16    = 16,
-	ESP_UNASSIGNED_17 = 17,
-	ESP_AES_GCM_8     = 18,
-	ESP_AES_GCM_12    = 19,
-	ESP_AES_GCM_16    = 20,
-	ESP_SEED_CBC      = 21,
-	ESP_CAMELLIA      = 22,
-	ESP_AES_GMAC      = 23,
-	ESP_SERPENT       = 252,
-	ESP_TWOFISH       = 253
-};
-
-extern enum_names esp_transform_names;
-
-/* IPCOMP transform values
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
- * now defined in kernel/kernel_ipsec.h
- */
-
-extern enum_names ipcomp_transformid_names;
-
-/* Certificate type values
- * RFC 2408 ISAKMP, chapter 3.9
- */
-enum ipsec_cert_type {
-	CERT_NONE=                0,
-	CERT_PKCS7_WRAPPED_X509=  1,
-	CERT_PGP=                 2,
-	CERT_DNS_SIGNED_KEY=      3,
-	CERT_X509_SIGNATURE=      4,
-	CERT_X509_KEY_EXCHANGE=   5,
-	CERT_KERBEROS_TOKENS=     6,
-	CERT_CRL=                 7,
-	CERT_ARL=                 8,
-	CERT_SPKI=                9,
-	CERT_X509_ATTRIBUTE=      10,
-	CERT_RAW_RSA_KEY=         11
-};
-
-/* RFC 2560 OCSP - certificate status */
-
-typedef enum {
-	CERT_GOOD =         0,
-	CERT_REVOKED =      1,
-	CERT_UNKNOWN =      2,
-	CERT_UNDEFINED =    3
-} cert_status_t;
-
-/* RFC 3706 Dead Peer Detection */
-
-extern enum_name_t *dpd_action_names;
-
-typedef enum {
-	DPD_ACTION_NONE =    0,
-	DPD_ACTION_CLEAR =   1,
-	DPD_ACTION_HOLD  =   2,
-	DPD_ACTION_RESTART = 3,
-	DPD_ACTION_UNKNOWN = 4
-} dpd_action_t;
-
-/* Timer events */
-
-extern enum_name_t *timer_event_names;
-
-enum event_type {
-	EVENT_NULL, /* non-event */
-	EVENT_REINIT_SECRET,        /* Refresh cookie secret */
-	EVENT_SO_DISCARD,           /* discard unfinished state object */
-	EVENT_RETRANSMIT,           /* Retransmit packet */
-	EVENT_SA_REPLACE,           /* SA replacement event */
-	EVENT_SA_REPLACE_IF_USED,   /* SA replacement event */
-	EVENT_SA_EXPIRE,            /* SA expiration event */
-	EVENT_NAT_T_KEEPALIVE,      /* NAT Traversal Keepalive */
-	EVENT_DPD,                  /* dead peer detection */
-	EVENT_DPD_TIMEOUT,          /* dead peer detection timeout */
-	EVENT_LOG_DAILY             /* reset certain log events/stats */
-};
-
-#define EVENT_REINIT_SECRET_DELAY               3600 /* 1 hour */
-#define EVENT_RETRANSMIT_DELAY_0                10   /* 10 seconds */
-
-/* Misc. stuff */
-
-#define MAXIMUM_RETRANSMISSIONS              2
-#define MAXIMUM_RETRANSMISSIONS_INITIAL      20
-
-#define MAX_INPUT_UDP_SIZE             65536
-#define MAX_OUTPUT_UDP_SIZE            65536
-
-/* Version numbers */
-
-#define ISAKMP_MAJOR_VERSION   0x1
-#define ISAKMP_MINOR_VERSION   0x0
-
-extern enum_names version_names;
-
-/* Domain of Interpretation */
-
-extern enum_names doi_names;
-
-#define ISAKMP_DOI_ISAKMP          0
-#define ISAKMP_DOI_IPSEC           1
-
-/* IPsec DOI things */
-
-#define IPSEC_DOI_SITUATION_LENGTH 4
-#define IPSEC_DOI_LDI_LENGTH       4
-#define IPSEC_DOI_SPI_SIZE         4
-
-/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
- * ESP: RFC 2402 2.4; AH: RFC 2406 2.1
- * IPComp RFC 2393 substitutes a CPI in the place of an SPI.
- * see also draft-shacham-ippcp-rfc2393bis-05.txt.
- * We (FreeS/WAN) reserve 0x100 to 0xFFF for manual keying, so
- * Pluto won't generate these values.
- */
-#define IPSEC_DOI_SPI_MIN          0x100
-#define IPSEC_DOI_SPI_OUR_MIN      0x1000
-
-/* debugging settings: a set of selections for reporting
- * These would be more naturally situated in log.h,
- * but they are shared with whack.
- * IMPAIR_* actually change behaviour, usually badly,
- * to aid in testing.  Naturally, these are not included in ALL.
- *
- * NOTE: changes here must be done in concert with changes to DBGOPT_*
- * in whack.c.  A change to WHACK_MAGIC in whack.h will be required too.
- */
-#ifdef DEBUG
-extern const char *const debug_bit_names[];
-#endif
-
-#define DBG_RAW         LELEM(0)        /* raw packet I/O */
-#define DBG_CRYPT       LELEM(1)        /* encryption/decryption of messages */
-#define DBG_PARSING     LELEM(2)        /* show decoding of messages */
-#define DBG_EMITTING    LELEM(3)        /* show encoding of messages */
-#define DBG_CONTROL     LELEM(4)        /* control flow within Pluto */
-#define DBG_LIFECYCLE   LELEM(5)        /* SA lifecycle */
-#define DBG_KERNEL      LELEM(6)        /* messages to kernel */
-#define DBG_DNS         LELEM(7)        /* DNS activity */
-#define DBG_NATT        LELEM(8)        /* NAT-T */
-#define DBG_OPPO        LELEM(9)        /* opportunism */
-#define DBG_CONTROLMORE LELEM(10)       /* more detailed debugging */
-
-#define DBG_PRIVATE     LELEM(11)       /* private information: DANGER! */
-
-#define IMPAIR0 12      /* first bit for IMPAIR_* */
-
-#define IMPAIR_DELAY_ADNS_KEY_ANSWER    LELEM(IMPAIR0+0)        /* sleep before answering */
-#define IMPAIR_DELAY_ADNS_TXT_ANSWER    LELEM(IMPAIR0+1)        /* sleep before answering */
-#define IMPAIR_BUST_MI2 LELEM(IMPAIR0+2)        /* make MI2 really large */
-#define IMPAIR_BUST_MR2 LELEM(IMPAIR0+3)        /* make MI2 really large */
-
-#define DBG_NONE        0       /* no options on, including impairments */
-#define DBG_ALL         LRANGES(DBG_RAW, DBG_CONTROLMORE)  /* all logging options on EXCEPT DBG_PRIVATE */
-
-/* State of exchanges
- *
- * The name of the state describes the last message sent, not the
- * message currently being input or output (except during retry).
- * In effect, the state represents the last completed action.
- *
- * Messages are named [MQ][IR]n where
- * - M stands for Main Mode (Phase 1);
- *   Q stands for Quick Mode (Phase 2)
- * - I stands for Initiator;
- *   R stands for Responder
- * - n, a digit, stands for the number of the message
- *
- * It would be more convenient if each state accepted a message
- * and produced one.  This is the case for states at the start
- * or end of an exchange.  To fix this, we pretend that there are
- * MR0 and QR0 messages before the MI1 and QR1 messages.  Similarly,
- * we pretend that there are MR4 and QR2 messages.
- *
- * STATE_MAIN_R0 and STATE_QUICK_R0 are intermediate states (not
- * retained between messages) representing the state that accepts the
- * first message of an exchange has been read but not processed.
- *
- * state_microcode state_microcode_table in demux.c describes
- * other important details.
- */
-
-extern enum_names state_names;
-extern const char *const state_story[];
-
-enum state_kind {
-	STATE_UNDEFINED,    /* 0 -- most likely accident */
-
-	/* IKE states */
-
-	STATE_MAIN_R0,
-	STATE_MAIN_I1,
-	STATE_MAIN_R1,
-	STATE_MAIN_I2,
-	STATE_MAIN_R2,
-	STATE_MAIN_I3,
-	STATE_MAIN_R3,
-	STATE_MAIN_I4,
-
-	STATE_QUICK_R0,
-	STATE_QUICK_I1,
-	STATE_QUICK_R1,
-	STATE_QUICK_I2,
-	STATE_QUICK_R2,
-
-	STATE_INFO,
-	STATE_INFO_PROTECTED,
-
-	/* XAUTH states */
-
-	STATE_XAUTH_I0,              /* initiator state (client) */
-	STATE_XAUTH_R1,              /* responder state (server) */
-	STATE_XAUTH_I1,
-	STATE_XAUTH_R2,
-	STATE_XAUTH_I2,
-	STATE_XAUTH_R3,
-
-	/* Mode Config pull states */
-
-	STATE_MODE_CFG_R0,           /* responder state (server) */
-	STATE_MODE_CFG_I1,           /* initiator state (client) */
-	STATE_MODE_CFG_R1,
-	STATE_MODE_CFG_I2,
-
-	/* Mode Config push states */
-
-	STATE_MODE_CFG_I0,           /* initiator state (client) */
-	STATE_MODE_CFG_R3,           /* responder state (server) */
-	STATE_MODE_CFG_I3,
-	STATE_MODE_CFG_R4,
-
-	STATE_IKE_ROOF
-};
-
-#define STATE_IKE_FLOOR STATE_MAIN_R0
-
-#define PHASE1_INITIATOR_STATES  (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
-	| LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4))
-#define ISAKMP_SA_ESTABLISHED_STATES ( \
-	  LELEM(STATE_MAIN_R3)     | LELEM(STATE_MAIN_I4)     \
-	| LELEM(STATE_XAUTH_R1)    | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
-	| LELEM(STATE_XAUTH_I1)    | LELEM(STATE_XAUTH_I2)    \
-	| LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
-	| LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))
-
-#define IS_PHASE1(s) ((STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4) \
-				   || (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
-				   || (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))
-
-#define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
-#define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_I2 <= (s))
-
-#define IS_ISAKMP_SA_ESTABLISHED(s) (        \
-				   (s) == STATE_MAIN_R3      \
-				|| (s) == STATE_MAIN_I4      \
-				|| (s) == STATE_XAUTH_I2     \
-				|| (s) == STATE_XAUTH_R3     \
-				|| (s) == STATE_MODE_CFG_R1  \
-				|| (s) == STATE_MODE_CFG_I2  \
-				|| (s) == STATE_MODE_CFG_I3  \
-				|| (s) == STATE_MODE_CFG_R4)
-
-#define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
-#define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)
-
-/* kind of struct connection
- * Ordered (mostly) by concreteness.  Order is exploited.
- */
-
-extern enum_names connection_kind_names;
-
-enum connection_kind {
-	CK_GROUP,           /* policy group: instantiates to template */
-	CK_TEMPLATE,        /* abstract connection, with wildcard */
-	CK_PERMANENT,       /* normal connection */
-	CK_INSTANCE,        /* instance of template, created for a particular attempt */
-	CK_GOING_AWAY       /* instance being deleted -- don't delete again */
-};
-
-
-/* routing status.
- * Note: routing ignores source address, but erouting does not!
- * Note: a connection can only be routed if it is NEVER_NEGOTIATE
- * or HAS_IPSEC_POLICY.
- */
-
-extern enum_names routing_story;
-
-/* note that this is assumed to be ordered! */
-enum routing_t {
-	RT_UNROUTED,        /* unrouted */
-	RT_UNROUTED_HOLD,   /* unrouted, but HOLD shunt installed */
-	RT_ROUTED_ECLIPSED, /* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
-	RT_ROUTED_PROSPECTIVE,      /* routed, and prospective shunt installed */
-	RT_ROUTED_HOLD,     /* routed, and HOLD shunt installed */
-	RT_ROUTED_FAILURE,  /* routed, and failure-context shunt installed */
-	RT_ROUTED_TUNNEL,   /* routed, and erouted to an IPSEC SA group */
-	RT_UNROUTED_KEYED   /* keyed, but not routed, on purpose */
-};
-
-#define routed(rs) ((rs) > RT_UNROUTED_HOLD)
-#define erouted(rs) ((rs) != RT_UNROUTED)
-#define shunt_erouted(rs) (erouted(rs) && (rs) != RT_ROUTED_TUNNEL)
-
-/* Payload types
- * RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
- * section 3.1
- *
- * RESERVED 14-127
- * Private USE 128-255
- */
-
-extern enum_names payload_names;
-extern const char *const payload_name[];
-
-#define ISAKMP_NEXT_NONE       0        /* No other payload following */
-#define ISAKMP_NEXT_SA         1        /* Security Association */
-#define ISAKMP_NEXT_P          2        /* Proposal */
-#define ISAKMP_NEXT_T          3        /* Transform */
-#define ISAKMP_NEXT_KE         4        /* Key Exchange */
-#define ISAKMP_NEXT_ID         5        /* Identification */
-#define ISAKMP_NEXT_CERT       6        /* Certificate */
-#define ISAKMP_NEXT_CR         7        /* Certificate Request */
-#define ISAKMP_NEXT_HASH       8        /* Hash */
-#define ISAKMP_NEXT_SIG        9        /* Signature */
-#define ISAKMP_NEXT_NONCE      10       /* Nonce */
-#define ISAKMP_NEXT_N          11       /* Notification */
-#define ISAKMP_NEXT_D          12       /* Delete */
-#define ISAKMP_NEXT_VID        13       /* Vendor ID */
-#define ISAKMP_NEXT_ATTR       14       /* Mode config Attribute */
-
-#define ISAKMP_NEXT_NATD_RFC   20       /* NAT-Traversal: NAT-D (rfc) */
-#define ISAKMP_NEXT_NATOA_RFC  21       /* NAT-Traversal: NAT-OA (rfc) */
-#define ISAKMP_NEXT_ROOF       22       /* roof on payload types */
-
-#define ISAKMP_NEXT_NATD_DRAFTS   130   /* NAT-Traversal: NAT-D (drafts) */
-#define ISAKMP_NEXT_NATOA_DRAFTS  131   /* NAT-Traversal: NAT-OA (drafts) */
-
-/* These values are to be used within the Type field of an Attribute (14)
- * ISAKMP payload.
- */
-#define ISAKMP_CFG_REQUEST         1
-#define ISAKMP_CFG_REPLY           2
-#define ISAKMP_CFG_SET             3
-#define ISAKMP_CFG_ACK             4
-
-extern enum_names attr_msg_type_names;
-
-extern enum_names modecfg_attr_names;
-
-/* XAUTH authentication types */
-#define XAUTH_TYPE_GENERIC 0
-#define XAUTH_TYPE_CHAP    1
-#define XAUTH_TYPE_OTP     2
-#define XAUTH_TYPE_SKEY    3
-
-/* Values for XAUTH_STATUS */
-#define XAUTH_STATUS_FAIL       0
-#define XAUTH_STATUS_OK         1
-
-extern enum_names xauth_type_names;
-
-/* Exchange types
- * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
- * section 3.1
- *
- * ISAKMP Future Use     6 - 31
- * DOI Specific Use     32 - 239
- * Private Use         240 - 255
- *
- * Note: draft-ietf-ipsec-dhless-enc-mode-00.txt Appendix A
- * defines "DHless RSA Encryption" as 6.
- */
-
-extern enum_names exchange_names;
-
-#define ISAKMP_XCHG_NONE       0
-#define ISAKMP_XCHG_BASE       1
-#define ISAKMP_XCHG_IDPROT     2        /* ID Protection */
-#define ISAKMP_XCHG_AO         3        /* Authentication Only */
-#define ISAKMP_XCHG_AGGR       4        /* Aggressive */
-#define ISAKMP_XCHG_INFO       5        /* Informational */
-#define ISAKMP_XCHG_MODE_CFG   6        /* Mode Config */
-
-/* Extra exchange types, defined by Oakley
- * RFC2409 "The Internet Key Exchange (IKE)", near end of Appendix A
- */
-#define ISAKMP_XCHG_QUICK      32       /* Oakley Quick Mode */
-#define ISAKMP_XCHG_NGRP       33       /* Oakley New Group Mode */
-/* added in draft-ietf-ipsec-ike-01.txt, near end of Appendix A */
-#define ISAKMP_XCHG_ACK_INFO   34       /* Oakley Acknowledged Informational */
-
-/* Flag bits */
-
-extern const char *const flag_bit_names[];
-
-#define ISAKMP_FLAG_ENCRYPTION   0x1
-#define ISAKMP_FLAG_COMMIT       0x2
-
-/* Situation definition for IPsec DOI */
-
-extern const char *const sit_bit_names[];
-
-#define SIT_IDENTITY_ONLY        0x01
-#define SIT_SECRECY              0x02
-#define SIT_INTEGRITY            0x04
-
-/* Protocol IDs
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.1
- */
-
-extern enum_names protocol_names;
-
-#define PROTO_ISAKMP             1
-#define PROTO_IPSEC_AH           2
-#define PROTO_IPSEC_ESP          3
-#define PROTO_IPCOMP             4
-
-/* warning: trans_show uses enum_show, so same static buffer is used */
-#define trans_show(p, t) \
-	((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
-	: (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
-	: (p)==PROTO_IPCOMP ? enum_show(&ipcomp_transformid_names, (t)) \
-	: "??")
-
-#define KEY_IKE               1
-
-extern enum_names isakmp_transformid_names;
-
-/* the following are from RFC 2393/draft-shacham-ippcp-rfc2393bis-05.txt 3.3 */
-typedef u_int16_t cpi_t;
-#define IPCOMP_CPI_SIZE          2
-#define IPCOMP_FIRST_NEGOTIATED  256
-#define IPCOMP_LAST_NEGOTIATED   61439
-
-/* Identification type values
- * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
- */
-
-extern enum_names ident_names;
-extern enum_names cert_type_names;
-
-extern enum_name_t *cert_policy_names;
-
-typedef enum certpolicy {
-	CERT_ALWAYS_SEND   = 0,
-	CERT_SEND_IF_ASKED = 1,
-	CERT_NEVER_SEND    = 2,
-
-	CERT_YES_SEND      = 3,       /* synonym for CERT_ALWAYS_SEND */
-	CERT_NO_SEND       = 4        /* synonym for CERT_NEVER_SEND  */
-} certpolicy_t;
-
-/* Policies for establishing an SA
- *
- * These are used to specify attributes (eg. encryption) and techniques
- * (eg PFS) for an SA.
- * Note: certain CD_ definitions in whack.c parallel these -- keep them
- * in sync!
- */
-
-extern const char *const sa_policy_bit_names[];
-extern const char *prettypolicy(lset_t policy);
-
-/* ISAKMP auth techniques (none means never negotiate) */
-#define POLICY_PSK           LELEM(0)
-#define POLICY_PUBKEY        LELEM(1)
-
-#define POLICY_ISAKMP_SHIFT     0       /* log2(POLICY_PSK) */
-#define POLICY_ID_AUTH_MASK     (POLICY_PSK | POLICY_PUBKEY | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
-#define POLICY_ISAKMP_MASK      POLICY_ID_AUTH_MASK     /* all so far */
-
-/* Quick Mode (IPSEC) attributes */
-#define POLICY_ENCRYPT       LELEM(2)   /* must be first of IPSEC policies */
-#define POLICY_AUTHENTICATE  LELEM(3)   /* must be second */
-#define POLICY_COMPRESS      LELEM(4)   /* must be third */
-#define POLICY_TUNNEL        LELEM(5)
-#define POLICY_PFS           LELEM(6)
-#define POLICY_DISABLEARRIVALCHECK  LELEM(7)    /* suppress tunnel egress address checking */
-
-#define POLICY_IPSEC_SHIFT      2       /* log2(POLICY_ENCRYPT) */
-#define POLICY_IPSEC_MASK       LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
-
-/* shunt attributes: what to do when routed without tunnel (2 bits) */
-#define POLICY_SHUNT_SHIFT      8       /* log2(POLICY_SHUNT_PASS) */
-#define POLICY_SHUNT_MASK       (03ul << POLICY_SHUNT_SHIFT)
-
-#define POLICY_SHUNT_TRAP       (0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
-#define POLICY_SHUNT_PASS       (1ul << POLICY_SHUNT_SHIFT)
-#define POLICY_SHUNT_DROP       (2ul << POLICY_SHUNT_SHIFT)
-#define POLICY_SHUNT_REJECT     (3ul << POLICY_SHUNT_SHIFT)
-
-/* fail attributes: what to do with failed negotiation (2 bits) */
-
-#define POLICY_FAIL_SHIFT       10      /* log2(POLICY_FAIL_PASS) */
-#define POLICY_FAIL_MASK        (03ul << POLICY_FAIL_SHIFT)
-
-#define POLICY_FAIL_NONE     (0ul << POLICY_FAIL_SHIFT) /* default */
-#define POLICY_FAIL_PASS     (1ul << POLICY_FAIL_SHIFT)
-#define POLICY_FAIL_DROP     (2ul << POLICY_FAIL_SHIFT)
-#define POLICY_FAIL_REJECT   (3ul << POLICY_FAIL_SHIFT)
-
-/* connection policy
- * Other policies could vary per state object.  These live in connection.
- */
-#define POLICY_DONT_REKEY       LELEM(12)       /* don't rekey state either Phase */
-#define POLICY_OPPO             LELEM(13)       /* is this opportunistic? */
-#define POLICY_GROUP            LELEM(14)       /* is this a group template? */
-#define POLICY_GROUTED          LELEM(15)       /* do we want this group routed? */
-#define POLICY_UP               LELEM(16)       /* do we want this up? */
-#define POLICY_MODECFG_PUSH     LELEM(17)       /* is modecfg pushed by server? */
-#define POLICY_XAUTH_PSK        LELEM(18)       /* do we support XAUTH????PreShared? */
-#define POLICY_XAUTH_RSASIG     LELEM(19)       /* do we support XAUTH????RSA? */
-#define POLICY_XAUTH_SERVER     LELEM(20)       /* are we an XAUTH server? */
-#define POLICY_DONT_REAUTH      LELEM(21)       /* don't reauthenticate on rekeying, IKEv2 only */
-#define POLICY_BEET             LELEM(22)       /* bound end2end tunnel, IKEv2 */
-#define POLICY_MOBIKE           LELEM(23)       /* enable MOBIKE for IKEv2  */
-#define POLICY_FORCE_ENCAP      LELEM(24)       /* force UDP encapsulation (IKEv2)  */
-#define POLICY_PROXY            LELEM(25)       /* proxy transport mode (MIPv6) */
-
-/* Any IPsec policy?  If not, a connection description
- * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
- * Note: a connection can only be routed if it is NEVER_NEGOTIATE
- * or HAS_IPSEC_POLICY.
- */
-#define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
-
-/* Don't allow negotiation? */
-#define NEVER_NEGOTIATE(p)  (LDISJOINT((p), POLICY_ID_AUTH_MASK))
-
-
-/* Oakley transform attributes
- * draft-ietf-ipsec-ike-01.txt appendix A
- */
-
-extern enum_names oakley_attr_names;
-extern const char *const oakley_attr_bit_names[];
-
-#define OAKLEY_ENCRYPTION_ALGORITHM    1
-#define OAKLEY_HASH_ALGORITHM          2
-#define OAKLEY_AUTHENTICATION_METHOD   3
-#define OAKLEY_GROUP_DESCRIPTION       4
-#define OAKLEY_GROUP_TYPE              5
-#define OAKLEY_GROUP_PRIME             6        /* B/V */
-#define OAKLEY_GROUP_GENERATOR_ONE     7        /* B/V */
-#define OAKLEY_GROUP_GENERATOR_TWO     8        /* B/V */
-#define OAKLEY_GROUP_CURVE_A           9        /* B/V */
-#define OAKLEY_GROUP_CURVE_B          10        /* B/V */
-#define OAKLEY_LIFE_TYPE              11
-#define OAKLEY_LIFE_DURATION          12        /* B/V */
-#define OAKLEY_PRF                    13
-#define OAKLEY_KEY_LENGTH             14
-#define OAKLEY_FIELD_SIZE             15
-#define OAKLEY_GROUP_ORDER            16        /* B/V */
-#define OAKLEY_BLOCK_SIZE             17
-
-/* for each Oakley attribute, which enum_names describes its values? */
-extern enum_names *oakley_attr_val_descs[];
-
-/* IPsec DOI attributes
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
- */
-
-extern enum_names ipsec_attr_names;
-
-#define SA_LIFE_TYPE             1
-#define SA_LIFE_DURATION         2      /* B/V */
-#define GROUP_DESCRIPTION        3
-#define ENCAPSULATION_MODE       4
-#define AUTH_ALGORITHM           5
-#define KEY_LENGTH               6
-#define KEY_ROUNDS               7
-#define COMPRESS_DICT_SIZE       8
-#define COMPRESS_PRIVATE_ALG     9      /* B/V */
-
-/* for each IPsec attribute, which enum_names describes its values? */
-extern enum_names *ipsec_attr_val_descs[];
-
-/* SA Lifetime Type attribute
- * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
- * Default time specified in 4.5
- *
- * There are two defaults for IPSEC SA lifetime, SA_LIFE_DURATION_DEFAULT,
- * and PLUTO_SA_LIFE_DURATION_DEFAULT.
- * SA_LIFE_DURATION_DEFAULT is specified in RFC2407 "The Internet IP
- * Security Domain of Interpretation for ISAKMP" 4.5.  It applies when
- * an ISAKMP negotiation does not explicitly specify a life duration.
- * PLUTO_SA_LIFE_DURATION_DEFAULT is specified in pluto(8).  It applies
- * when a connection description does not specify --ipseclifetime.
- * The value of SA_LIFE_DURATION_MAXIMUM is our local policy.
- */
-
-extern enum_names sa_lifetime_names;
-
-#define SA_LIFE_TYPE_SECONDS   1
-#define SA_LIFE_TYPE_KBYTES    2
-
-#define SA_LIFE_DURATION_DEFAULT          28800 /* eight hours (RFC2407 4.5) */
-#define PLUTO_SA_LIFE_DURATION_DEFAULT     3600 /* one hour    (pluto(8)) */
-#define SA_LIFE_DURATION_MAXIMUM          86400 /* one day */
-
-#define SA_REPLACEMENT_MARGIN_DEFAULT       540 /* (IPSEC & IKE) nine minutes */
-#define SA_REPLACEMENT_FUZZ_DEFAULT         100 /* (IPSEC & IKE) 100% of MARGIN */
-#define SA_REPLACEMENT_RETRIES_DEFAULT        3 /* (IPSEC & IKE) */
-
-#define SA_LIFE_DURATION_K_DEFAULT  0xFFFFFFFFlu
-
-/* Encapsulation Mode attribute */
-
-extern enum_names enc_mode_names;
-
-#define ENCAPSULATION_MODE_UNSPECIFIED 0        /* not legal -- used internally */
-#define ENCAPSULATION_MODE_TUNNEL      1
-#define ENCAPSULATION_MODE_TRANSPORT   2
-
-#define ENCAPSULATION_MODE_UDP_TUNNEL_RFC          3
-#define ENCAPSULATION_MODE_UDP_TRANSPORT_RFC       4
-
-#define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS       61443
-#define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS    61444
-
-/* Auth Algorithm attribute */
-
-extern enum_names auth_alg_names, extended_auth_alg_names;
-
-#define AUTH_ALGORITHM_NONE                0  /* our private designation */
-#define AUTH_ALGORITHM_HMAC_MD5            1
-#define AUTH_ALGORITHM_HMAC_SHA1           2
-#define AUTH_ALGORITHM_DES_MAC             3
-#define AUTH_ALGORITHM_KPDK                4
-#define AUTH_ALGORITHM_HMAC_SHA2_256       5
-#define AUTH_ALGORITHM_HMAC_SHA2_384       6
-#define AUTH_ALGORITHM_HMAC_SHA2_512       7
-#define AUTH_ALGORITHM_HMAC_RIPEMD         8
-#define AUTH_ALGORITHM_AES_XCBC_MAC        9
-#define AUTH_ALGORITHM_SIG_RSA            10
-#define AUTH_ALGORITHM_AES_128_GMAC       11
-#define AUTH_ALGORITHM_AES_192_GMAC       12
-#define AUTH_ALGORITHM_AES_256_GMAC       13
-#define AUTH_ALGORITHM_NULL              251
-#define AUTH_ALGORITHM_HMAC_SHA2_256_96  252
-
-/* Oakley Lifetime Type attribute
- * draft-ietf-ipsec-ike-01.txt appendix A
- * As far as I can see, there is not specification for
- * OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT.  This could lead to interop problems!
- * For no particular reason, we chose three hours.
- * The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
- */
-extern enum_names oakley_lifetime_names;
-
-#define OAKLEY_LIFE_SECONDS   1
-#define OAKLEY_LIFE_KILOBYTES 2
-
-#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 10800   /* three hours */
-#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400   /* one day */
-
-/* Oakley PRF attribute (none defined)
- * draft-ietf-ipsec-ike-01.txt appendix A
- */
-extern enum_names oakley_prf_names;
-
-/* HMAC (see rfc2104.txt) */
-
-#define HMAC_IPAD            0x36
-#define HMAC_OPAD            0x5C
-
-/* Oakley Encryption Algorithm attribute
- * draft-ietf-ipsec-ike-01.txt appendix A
- * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
- */
-
-extern enum_names oakley_enc_names;
-
-#define OAKLEY_DES_CBC                  1
-#define OAKLEY_IDEA_CBC                 2
-#define OAKLEY_BLOWFISH_CBC             3
-#define OAKLEY_RC5_R16_B64_CBC          4
-#define OAKLEY_3DES_CBC                 5
-#define OAKLEY_CAST_CBC                 6
-#define OAKLEY_AES_CBC                  7
-#define OAKLEY_CAMELLIA_CBC             8
-
-#define OAKLEY_MARS_CBC                 65001
-#define OAKLEY_RC6_CBC                  65002
-#define OAKLEY_ID_65003                 65003
-#define OAKLEY_SERPENT_CBC              65004
-#define OAKLEY_TWOFISH_CBC              65005
-
-#define OAKLEY_TWOFISH_CBC_SSH          65289
-
-#define OAKLEY_ENCRYPT_MAX              65535   /* pretty useless :) */
-
-/* Oakley Hash Algorithm attribute
- * draft-ietf-ipsec-ike-01.txt appendix A
- * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
- */
-
-extern enum_names oakley_hash_names;
-
-#define OAKLEY_MD5              1
-#define OAKLEY_SHA              2
-#define OAKLEY_TIGER            3
-#define OAKLEY_SHA2_256         4
-#define OAKLEY_SHA2_384         5
-#define OAKLEY_SHA2_512         6
-
-#define OAKLEY_HASH_MAX         7
-
-/* Oakley Authentication Method attribute
- * draft-ietf-ipsec-ike-01.txt appendix A
- * Goofy Hybrid extensions from draft-ietf-ipsec-isakmp-hybrid-auth-05.txt
- * Goofy XAUTH extensions from draft-ietf-ipsec-isakmp-xauth-06.txt
- */
-
-extern enum_names oakley_auth_names;
-
-#define OAKLEY_PRESHARED_KEY       1
-#define OAKLEY_DSS_SIG             2
-#define OAKLEY_RSA_SIG             3
-#define OAKLEY_RSA_ENC             4
-#define OAKLEY_RSA_ENC_REV         5
-#define OAKLEY_ELGAMAL_ENC         6
-#define OAKLEY_ELGAMAL_ENC_REV     7
-#define OAKLEY_ECDSA_SIG           8
-#define OAKLEY_ECDSA_256           9
-#define OAKLEY_ECDSA_384          10
-#define OAKLEY_ECDSA_521          11
-
-#define OAKLEY_AUTH_ROOF          12    /* roof on auth values THAT WE SUPPORT */
-
-#define HybridInitRSA                   64221
-#define HybridRespRSA                   64222
-#define HybridInitDSS                   64223
-#define HybridRespDSS                   64224
-
-#define XAUTHInitPreShared              65001
-#define XAUTHRespPreShared              65002
-#define XAUTHInitDSS                    65003
-#define XAUTHRespDSS                    65004
-#define XAUTHInitRSA                    65005
-#define XAUTHRespRSA                    65006
-#define XAUTHInitRSAEncryption          65007
-#define XAUTHRespRSAEncryption          65008
-#define XAUTHInitRSARevisedEncryption   65009
-#define XAUTHRespRSARevisedEncryption   65010
-
-/* Oakley Group Description attribute
- * draft-ietf-ipsec-ike-01.txt appendix A
- */
-extern enum_names oakley_group_names;
-
-/*      you must also touch: constants.c, crypto.c */
-
-/* Oakley Group Type attribute
- * draft-ietf-ipsec-ike-01.txt appendix A
- */
-extern enum_names oakley_group_type_names;
-
-#define OAKLEY_GROUP_TYPE_MODP     1
-#define OAKLEY_GROUP_TYPE_ECP      2
-#define OAKLEY_GROUP_TYPE_EC2N     3
-
-
-/* Notify messages -- error types
- * See RFC2408 ISAKMP 3.14.1
- */
-
-extern enum_names notification_names;
-extern enum_names ipsec_notification_names;
-
-typedef enum {
-	ISAKMP_NOTHING_WRONG =              0,  /* unofficial! */
-
-	ISAKMP_INVALID_PAYLOAD_TYPE =       1,
-	ISAKMP_DOI_NOT_SUPPORTED =          2,
-	ISAKMP_SITUATION_NOT_SUPPORTED =    3,
-	ISAKMP_INVALID_COOKIE =             4,
-	ISAKMP_INVALID_MAJOR_VERSION =      5,
-	ISAKMP_INVALID_MINOR_VERSION =      6,
-	ISAKMP_INVALID_EXCHANGE_TYPE =      7,
-	ISAKMP_INVALID_FLAGS =              8,
-	ISAKMP_INVALID_MESSAGE_ID =         9,
-	ISAKMP_INVALID_PROTOCOL_ID =       10,
-	ISAKMP_INVALID_SPI =               11,
-	ISAKMP_INVALID_TRANSFORM_ID =      12,
-	ISAKMP_ATTRIBUTES_NOT_SUPPORTED =  13,
-	ISAKMP_NO_PROPOSAL_CHOSEN =        14,
-	ISAKMP_BAD_PROPOSAL_SYNTAX =       15,
-	ISAKMP_PAYLOAD_MALFORMED =         16,
-	ISAKMP_INVALID_KEY_INFORMATION =   17,
-	ISAKMP_INVALID_ID_INFORMATION =    18,
-	ISAKMP_INVALID_CERT_ENCODING =     19,
-	ISAKMP_INVALID_CERTIFICATE =       20,
-	ISAKMP_CERT_TYPE_UNSUPPORTED =     21,
-	ISAKMP_INVALID_CERT_AUTHORITY =    22,
-	ISAKMP_INVALID_HASH_INFORMATION =  23,
-	ISAKMP_AUTHENTICATION_FAILED =     24,
-	ISAKMP_INVALID_SIGNATURE =         25,
-	ISAKMP_ADDRESS_NOTIFICATION =      26,
-	ISAKMP_NOTIFY_SA_LIFETIME =        27,
-	ISAKMP_CERTIFICATE_UNAVAILABLE =   28,
-	ISAKMP_UNSUPPORTED_EXCHANGE_TYPE = 29,
-	ISAKMP_UNEQUAL_PAYLOAD_LENGTHS =   30,
-
-	/* ISAKMP status type */
-	ISAKMP_CONNECTED =              16384,
-
-	/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
-	 * These must be sent under the protection of an ISAKMP SA.
-	 */
-	IPSEC_RESPONDER_LIFETIME =      24576,
-	IPSEC_REPLAY_STATUS =           24577,
-	IPSEC_INITIAL_CONTACT =         24578,
-
-	/* RFC 3706 DPD */
-	R_U_THERE =                     36136,
-	R_U_THERE_ACK =                 36137,
-
-	/* Juniper SRX private use */
-	NS_NHTB_INFORM =                40001
-
-	} notification_t;
-
-
-/* Public key algorithm number
- * Same numbering as used in DNSsec
- * See RFC 2535 DNSsec 3.2 The KEY Algorithm Number Specification.
- * Also found in BIND 8.2.2 include/isc/dst.h as DST algorithm codes.
- */
-
-enum pubkey_alg
-{
-	PUBKEY_ALG_RSA = 1,
-	PUBKEY_ALG_DSA = 3,
-};
-
-/* Limits on size of RSA moduli.
- * The upper bound matches that of DNSsec (see RFC 2537).
- * The lower bound must be more than 11 octets for certain
- * the encoding to work, but it must be much larger for any
- * real security.  For now, we require 512 bits.
- */
-
-#define RSA_MIN_OCTETS_RFC      12
-
-#define RSA_MIN_OCTETS  (512 / BITS_PER_BYTE)
-#define RSA_MIN_OCTETS_UGH      "RSA modulus too small for security: less than 512 bits"
-
-#define RSA_MAX_OCTETS  (8192 / BITS_PER_BYTE)
-#define RSA_MAX_OCTETS_UGH      "RSA modulus too large: more than 8192 bits"
-
-/* Note: RFC 2537 encoding adds a few bytes.  If you use a small
- * modulus like 3, the overhead is only 2 bytes
- */
-#define RSA_MAX_ENCODING_BYTES  (RSA_MAX_OCTETS + 2)
-
-/* socket address family info */
-
-struct af_info
-{
-	int af;
-	const char *name;
-	size_t ia_sz;
-	size_t sa_sz;
-	int mask_cnt;
-	u_int8_t id_addr, id_subnet, id_range;
-	const ip_address *any;
-	const ip_subnet *none;      /* 0.0.0.0/32 or IPv6 equivalent */
-	const ip_subnet *all;       /* 0.0.0.0/0 or IPv6 equivalent */
-};
-
-extern const struct af_info
-	af_inet4_info,
-	af_inet6_info;
-
-extern const struct af_info *aftoinfo(int af);
-
-extern enum_names af_names;
-
-#define subnetisaddr(sn, a) (subnetishost(sn) && addrinsubnet((a), (sn)))
-extern bool subnetisnone(const ip_subnet *sn);
-
-/* BIND enumerated types */
-
-extern enum_names
-	rr_qtype_names,
-	rr_type_names,
-	rr_class_names;
-
-/* How authenticated is info that might have come from DNS?
- * In order of increasing confidence.
- */
-enum dns_auth_level {
-	DAL_UNSIGNED,       /* AD in response, but no signature: no authentication */
-	DAL_NOTSEC, /* no AD in response: authentication impossible */
-	DAL_SIGNED, /* AD and signature in response: authentic */
-	DAL_LOCAL   /* locally provided (pretty good) */
-};
-
-/*
- * define a macro for use in error messages
- */
-
-#ifdef USE_KEYRR
-#define RRNAME "TXT or KEY"
-#else
-#define RRNAME "TXT"
-#endif
-
-/* natt traversal types */
-extern const char *const natt_type_bitnames[];
-
-/* secret value for responder cookies */
-extern u_char secret_of_the_day[HASH_SIZE_SHA1];
-
-#endif /* _CONSTANTS_H */
diff --git a/src/pluto/cookie.c b/src/pluto/cookie.c
deleted file mode 100644
index 00c863f18..000000000
--- a/src/pluto/cookie.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/* cookie generation/verification routines.
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <crypto/rngs/rng.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "cookie.h"
-
-const u_char zero_cookie[COOKIE_SIZE];  /* guaranteed 0 */
-
-/* Generate a cookie.
- * First argument is true if we're to create an Initiator cookie.
- * Length SHOULD be a multiple of sizeof(u_int32_t).
- */
-void get_cookie(bool initiator, u_int8_t *cookie, int length, ip_address *addr)
-{
-	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	u_char buffer[HASH_SIZE_SHA1];
-
-	do {
-		if (initiator)
-		{
-			rng_t *rng;
-
-			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-			rng->get_bytes(rng, length, cookie);
-			rng->destroy(rng);
-		}
-		else  /* Responder cookie */
-		{
-			chunk_t addr_chunk, secret_chunk, counter_chunk;
-			size_t addr_len;
-			static u_int32_t counter = 0;
-			unsigned char addr_buf[
-				sizeof(union {struct in_addr A; struct in6_addr B;})];
-
-			addr_len = addrbytesof(addr, addr_buf, sizeof(addr_buf));
-			addr_chunk = chunk_create(addr_buf, addr_len);
-			secret_chunk = chunk_create(secret_of_the_day, HASH_SIZE_SHA1);
-			counter++;
-			counter_chunk = chunk_create((void *) &counter, sizeof(counter));
-			hasher->get_hash(hasher, addr_chunk, NULL);
-			hasher->get_hash(hasher, secret_chunk, NULL);
-			hasher->get_hash(hasher, counter_chunk, buffer);
-			memcpy(cookie, buffer, length);
-		}
-	} while (is_zero_cookie(cookie));   /* probably never loops */
-
-	hasher->destroy(hasher);
-}
diff --git a/src/pluto/cookie.h b/src/pluto/cookie.h
deleted file mode 100644
index 809d66491..000000000
--- a/src/pluto/cookie.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* cookie generation/verification routines.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <freeswan.h>
-
-extern const u_char zero_cookie[COOKIE_SIZE];   /* guaranteed 0 */
-
-extern void get_cookie(bool initiator, u_int8_t *cookie, int length,
-					   ip_address *addr);
-
-#define is_zero_cookie(cookie) all_zero((cookie), COOKIE_SIZE)
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
deleted file mode 100644
index c49b09e19..000000000
--- a/src/pluto/crl.c
+++ /dev/null
@@ -1,541 +0,0 @@
-/* Support of X.509 certificate revocation lists (CRLs)
- * Copyright (C) 2000-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <dirent.h>
-#include <time.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "x509.h"
-#include "crl.h"
-#include "ca.h"
-#include "certs.h"
-#include "keys.h"
-#include "whack.h"
-#include "fetch.h"
-#include "builder.h"
-
-
-/* chained lists of X.509 crls */
-
-static x509crl_t  *x509crls = NULL;
-
-/**
- *  Get the X.509 CRL with a given issuer
- */
-static x509crl_t* get_x509crl(identification_t *issuer, chunk_t keyid)
-{
-	x509crl_t *x509crl = x509crls;
-	x509crl_t *prev_crl = NULL;
-
-	while (x509crl != NULL)
-	{
-		certificate_t *cert_crl = x509crl->crl;
-		crl_t *crl = (crl_t*)cert_crl;
-		identification_t *crl_issuer = cert_crl->get_issuer(cert_crl);
-		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
-
-		if ((keyid.ptr && authKeyID.ptr)? same_keyid(keyid, authKeyID) :
-			issuer->equals(issuer, crl_issuer))
-		{
-			if (x509crl != x509crls)
-			{
-				/* bring the CRL up front */
-				prev_crl->next = x509crl->next;
-				x509crl->next = x509crls;
-				x509crls = x509crl;
-			}
-			return x509crl;
-		}
-		prev_crl = x509crl;
-		x509crl = x509crl->next;
-	}
-	return NULL;
-}
-
-/**
- *  Free the dynamic memory used to store CRLs
- */
-void free_crl(x509crl_t *crl)
-{
-	DESTROY_IF(crl->crl);
-	crl->distributionPoints->destroy_function(crl->distributionPoints, free);
-	free(crl);
-}
-
-static void free_first_crl(void)
-{
-	x509crl_t *crl = x509crls;
-
-	x509crls = crl->next;
-	free_crl(crl);
-}
-
-void free_crls(void)
-{
-	lock_crl_list("free_crls");
-
-	while (x509crls != NULL)
-	{
-		free_first_crl();
-	}
-
-	unlock_crl_list("free_crls");
-}
-
-/**
- * Insert X.509 CRL into chained list
- */
-bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
-{
-	certificate_t *cert_crl = x509crl->crl;
-	crl_t *crl = (crl_t*)cert_crl;
-	identification_t *issuer = cert_crl->get_issuer(cert_crl);
-	chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
-	cert_t *issuer_cert;
-	x509crl_t *oldcrl;
-	time_t now, nextUpdate;
-	bool valid_sig;
-
-	/* add distribution point */
-	add_distribution_point(x509crl->distributionPoints, crl_uri);
-
-	lock_authcert_list("insert_crl");
-
-	/* get the issuer cacert */
-	issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
-	if (issuer_cert == NULL)
-	{
-		plog("crl issuer cacert not found");
-		free_crl(x509crl);
-		unlock_authcert_list("insert_crl");
-		return FALSE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("crl issuer cacert found")
-	)
-
-	/* check the issuer's signature of the crl */
-	valid_sig = cert_crl->issued_by(cert_crl, issuer_cert->cert);
-	unlock_authcert_list("insert_crl");
-
-	if (!valid_sig)
-	{
-		free_crl(x509crl);
-		return FALSE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("crl signature is valid")
-	)
-
-	/* note the current time */
-	time(&now);
-
-	lock_crl_list("insert_crl");
-	oldcrl = get_x509crl(issuer, authKeyID);
-
-	if (oldcrl != NULL)
-	{
-		certificate_t *old_cert_crl = oldcrl->crl;
-
-		if (crl_is_newer((crl_t*)cert_crl, (crl_t*)old_cert_crl))
-		{
-			/* keep any known CRL distribution points */
-			add_distribution_points(x509crl->distributionPoints,
-									oldcrl->distributionPoints);
-
-			/* now delete the old CRL */
-			free_first_crl();
-			DBG(DBG_CONTROL,
-				DBG_log("thisUpdate is newer - existing crl deleted")
-			)
-		}
-		else
-		{
-			unlock_crl_list("insert_crls");
-			DBG(DBG_CONTROL,
-				DBG_log("thisUpdate is not newer - existing crl not replaced");
-			)
-			free_crl(x509crl);
-			old_cert_crl->get_validity(old_cert_crl, &now, NULL, &nextUpdate);
-			return nextUpdate - now > 2*crl_check_interval;
-		}
-	}
-
-	/* insert new CRL */
-	x509crl->next = x509crls;
-	x509crls = x509crl;
-
-	unlock_crl_list("insert_crl");
-
-	/* If crl caching is enabled then the crl is saved locally.
-	 * Only http or ldap URIs are cached but not local file URIs.
-	 * The CRL's authorityKeyIdentifier is used as a unique filename
-	 */
-	if (cache_crl && strncasecmp(crl_uri, "file", 4) != 0)
-	{
-		char buf[BUF_LEN];
-		chunk_t hex, encoding;
-
-		hex = chunk_to_hex(crl->get_authKeyIdentifier(crl), NULL, FALSE);
-		snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex.ptr);
-		free(hex.ptr);
-
-		if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
-		{
-			chunk_write(encoding, buf, "crl", 022, TRUE);
-			free(encoding.ptr);
-		}
-	}
-
-	/* is the fetched crl valid? */
-	cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
-	return nextUpdate - now > 2*crl_check_interval;
-}
-
-/**
- *  Loads CRLs
- */
-void load_crls(void)
-{
-	struct dirent **filelist;
-	u_char buf[BUF_LEN];
-	u_char *save_dir;
-	int n;
-
-	/* change directory to specified path */
-	save_dir = getcwd(buf, BUF_LEN);
-	if (chdir(CRL_PATH))
-	{
-		plog("Could not change to directory '%s'", CRL_PATH);
-	}
-	else
-	{
-		plog("Changing to directory '%s'", CRL_PATH);
-		n = scandir(CRL_PATH, &filelist, file_select, alphasort);
-
-		if (n < 0)
-			plog("  scandir() error");
-		else
-		{
-			while (n--)
-			{
-				char *filename = filelist[n]->d_name;
-				x509crl_t *x509crl;
-
-				x509crl = lib->creds->create(lib->creds, CRED_CERTIFICATE,
-										 CERT_PLUTO_CRL,
-										 BUILD_FROM_FILE, filename, BUILD_END);
-				if (x509crl)
-				{
-					char crl_uri[BUF_LEN];
-
-					plog("  loaded crl from '%s'", filename);
-					snprintf(crl_uri, BUF_LEN, "file://%s/%s", CRL_PATH, filename);
-					insert_crl(x509crl, crl_uri, FALSE);
-				}
-				free(filelist[n]);
-			}
-			free(filelist);
-		}
-	}
-	/* restore directory path */
-	ignore_result(chdir(save_dir));
-}
-
-
-/*  Checks if the current certificate is revoked. It goes through the
- *  list of revoked certificates of the corresponding crl. Either the
- *  status CERT_GOOD or CERT_REVOKED is returned
- */
-static cert_status_t check_revocation(crl_t *crl, chunk_t cert_serial,
-									  time_t *revocationDate,
-									  crl_reason_t *revocationReason)
-{
-	enumerator_t *enumerator;
-	cert_status_t status;
-	chunk_t serial;
-
-	DBG(DBG_CONTROL,
-		DBG_log("serial number: %#B", &cert_serial)
-	)
-	*revocationDate = UNDEFINED_TIME;
-	*revocationReason = CRL_REASON_UNSPECIFIED;
-	status = CERT_GOOD;
-
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &serial,
-								 revocationDate, revocationReason))
-	{
-		if (chunk_equals(serial, cert_serial))
-		{
-			status = CERT_REVOKED;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return status;
-}
-
-/*
- * check if any crls are about to expire
- */
-void check_crls(void)
-{
-	x509crl_t *x509crl;
-	time_t now, nextUpdate, time_left;
-
-	lock_crl_list("check_crls");
-	time(&now);
-	x509crl = x509crls;
-
-	while (x509crl != NULL)
-	{
-		certificate_t *cert_crl = x509crl->crl;
-		crl_t *crl = (crl_t*)cert_crl;
-		identification_t *issuer = cert_crl->get_issuer(cert_crl);
-		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
-
-		cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate);
-		time_left = nextUpdate - now;
-
-		DBG(DBG_CONTROL,
-			DBG_log("issuer: '%Y'", issuer);
-			if (authKeyID.ptr)
-			{
-				DBG_log("authkey: %#B", &authKeyID);
-			}
-			DBG_log("%ld seconds left", time_left)
-		)
-		if (time_left < 2*crl_check_interval)
-		{
-			fetch_req_t *req = build_crl_fetch_request(issuer, authKeyID,
-											x509crl->distributionPoints);
-			add_crl_fetch_request(req);
-		}
-		x509crl = x509crl->next;
-	}
-	unlock_crl_list("check_crls");
-}
-
-/*
- * verify if a cert hasn't been revoked by a crl
- */
-cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate,
-							crl_reason_t *revocationReason)
-{
-	certificate_t *certificate = cert->cert;
-	x509_t *x509 = (x509_t*)certificate;
-	identification_t *issuer = certificate->get_issuer(certificate);
-	chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
-	x509crl_t *x509crl;
-	ca_info_t *ca;
-	enumerator_t *enumerator;
-	x509_cdp_t *cdp;
-
-	ca = get_ca_info(issuer, authKeyID);
-
-	*revocationDate = UNDEFINED_TIME;
-	*revocationReason = CRL_REASON_UNSPECIFIED;
-
-	lock_crl_list("verify_by_crl");
-	x509crl = get_x509crl(issuer, authKeyID);
-
-	if (x509crl == NULL)
-	{
-		linked_list_t *crluris;
-
-		unlock_crl_list("verify_by_crl");
-		plog("crl not found");
-
-		crluris = linked_list_create();
-		if (ca)
-		{
-			add_distribution_points(crluris, ca->crluris);
-		}
-
-		enumerator = x509->create_crl_uri_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &cdp))
-		{
-			add_distribution_point(crluris, cdp->uri);
-		}
-		enumerator->destroy(enumerator);
-
-		if (crluris->get_count(crluris) > 0)
-		{
-			fetch_req_t *req;
-
-			req = build_crl_fetch_request(issuer, authKeyID, crluris);
-			crluris->destroy_function(crluris, free);
-			add_crl_fetch_request(req);
-			wake_fetch_thread("verify_by_crl");
-			return CERT_UNKNOWN;
-		}
-		else
-		{
-			crluris->destroy(crluris);
-			return CERT_UNDEFINED;
-		}
-	}
-	else
-	{
-		certificate_t *cert_crl = x509crl->crl;
-		crl_t *crl = (crl_t*)cert_crl;
-		chunk_t authKeyID = crl->get_authKeyIdentifier(crl);
-		cert_t *issuer_cert;
-		bool trusted, valid;
-
-		DBG(DBG_CONTROL,
-			DBG_log("crl found")
-		)
-
-		if (ca)
-		{
-			add_distribution_points(x509crl->distributionPoints, ca->crluris);
-		}
-
-		enumerator = x509->create_crl_uri_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &cdp))
-		{
-			add_distribution_point(x509crl->distributionPoints, cdp->uri);
-		}
-		enumerator->destroy(enumerator);
-
-		lock_authcert_list("verify_by_crl");
-
-		issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
-		trusted = issuer_cert ? cert_crl->issued_by(cert_crl, issuer_cert->cert)
-							  : FALSE;
-
-		unlock_authcert_list("verify_by_crl");
-
-		if (trusted)
-		{
-			cert_status_t status;
-
-			DBG(DBG_CONTROL,
-				DBG_log("crl signature is valid")
-			)
-
-			/* return the expiration date */
-			valid = cert_crl->get_validity(cert_crl, NULL, NULL, until);
-
-			/* has the certificate been revoked? */
-			status = check_revocation(crl, x509->get_serial(x509), revocationDate
-								, revocationReason);
-
-			if (valid)
-			{
-				unlock_crl_list("verify_by_crl");
-				DBG(DBG_CONTROL,
-					DBG_log("crl is valid: until %T", until, FALSE)
-				)
-			}
-			else
-			{
-				fetch_req_t *req;
-
-				DBG(DBG_CONTROL,
-					DBG_log("crl is stale: since %T", until, FALSE)
-				)
-
-				/* try to fetch a crl update */
-				req = build_crl_fetch_request(issuer, authKeyID,
-											  x509crl->distributionPoints);
-				unlock_crl_list("verify_by_crl");
-
-				add_crl_fetch_request(req);
-				wake_fetch_thread("verify_by_crl");
-			}
-			return status;
-		}
-		else
-		{
-			unlock_crl_list("verify_by_crl");
-			plog("crl signature is invalid");
-			return CERT_UNKNOWN;
-		}
-	}
-}
-
-/*
- *  list all X.509 crls in the chained list
- */
-void list_crls(bool utc, bool strict)
-{
-	x509crl_t *x509crl;
-
-	lock_crl_list("list_crls");
-	x509crl = x509crls;
-
-	if (x509crl)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of X.509 CRLs:");
-	}
-
-	while (x509crl)
-	{
-		certificate_t *cert_crl = x509crl->crl;
-		crl_t *crl = (crl_t*)cert_crl;
-		chunk_t serial, authKeyID;
-		time_t thisUpdate, nextUpdate;
-		u_int revoked = 0;
-		enumerator_t *enumerator;
-
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "  issuer:   \"%Y\"",
-				cert_crl->get_issuer(cert_crl));
-		serial = chunk_skip_zero(crl->get_serial(crl));
-		if (serial.ptr)
-		{
-			whack_log(RC_COMMENT, "  serial:    %#B", &serial);
-		}
-
-		/* count number of revoked certificates in CRL */
-		enumerator = crl->create_enumerator(crl);
-		while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
-		{
-			revoked++;
-		}
-		enumerator->destroy(enumerator);
-		whack_log(RC_COMMENT, "  revoked:   %d certificates", revoked);
-
-		list_distribution_points(x509crl->distributionPoints);
-
-		cert_crl->get_validity(cert_crl, NULL, &thisUpdate, &nextUpdate);
-		whack_log(RC_COMMENT, "  updates:   this %T", &thisUpdate, utc);
-		whack_log(RC_COMMENT, "             next %T %s", &nextUpdate, utc,
-				check_expiry(nextUpdate, CRL_WARNING_INTERVAL, strict));
-		authKeyID = crl->get_authKeyIdentifier(crl);
-		if (authKeyID.ptr)
-		{
-			whack_log(RC_COMMENT, "  authkey:   %#B", &authKeyID);
-		}
-
-		x509crl = x509crl->next;
-	}
-	unlock_crl_list("list_crls");
-}
-
diff --git a/src/pluto/crl.h b/src/pluto/crl.h
deleted file mode 100644
index 43bafe145..000000000
--- a/src/pluto/crl.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* Support of X.509 certificate revocation lists (CRLs)
- * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "constants.h"
-
-#include <utils/linked_list.h>
-#include <credentials/certificates/certificate.h>
-#include <credentials/certificates/crl.h>
-
-/* storage structure for an X.509 CRL */
-
-typedef struct x509crl x509crl_t;
-
-struct x509crl {
-	certificate_t *crl;
-	x509crl_t     *next;
-	linked_list_t *distributionPoints;
-};
-
-/* apply a strict CRL policy
- * flag set in plutomain.c and used in ipsec_doi.c and rcv_whack.c
- */
-extern bool strict_crl_policy;
-
-/*
- * cache the retrieved CRLs by storing them locally as a file
- */
-extern bool cache_crls;
-
-/*
- * check periodically for expired crls
- */
-extern long crl_check_interval;
-extern void load_crls(void);
-extern void check_crls(void);
-extern bool insert_crl(x509crl_t *crl, char *crl_uri, bool cache_crl);
-extern cert_status_t verify_by_crl(cert_t *cert, time_t *until,
-								   time_t *revocationDate,
-								   crl_reason_t *revocationReason);
-extern void list_crls(bool utc, bool strict);
-extern void free_crls(void);
-extern void free_crl(x509crl_t *crl);
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
deleted file mode 100644
index a4f678222..000000000
--- a/src/pluto/crypto.c
+++ /dev/null
@@ -1,698 +0,0 @@
-/* crypto interfaces
- *
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2007-2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * Copyright (C) 1998-2001 D. Hugh Redelmeier
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "crypto.h"
-#include "log.h"
-
-static struct encrypt_desc encrypt_desc_3des =
-{
-	algo_type:        IKE_ALG_ENCRYPT,
-	algo_id:          OAKLEY_3DES_CBC,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-
-	enc_blocksize:    DES_BLOCK_SIZE,
-	keydeflen:        DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keyminlen:        DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keymaxlen:        DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-};
-
-#define  AES_KEY_MIN_LEN	128
-#define  AES_KEY_DEF_LEN	128
-#define  AES_KEY_MAX_LEN	256
-
-static struct encrypt_desc encrypt_desc_aes =
-{
-	algo_type:        IKE_ALG_ENCRYPT,
-	algo_id:          OAKLEY_AES_CBC,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-
-	enc_blocksize:    AES_BLOCK_SIZE,
-	keyminlen:        AES_KEY_MIN_LEN,
-	keydeflen:        AES_KEY_DEF_LEN,
-	keymaxlen:        AES_KEY_MAX_LEN,
-};
-
-#define  CAMELLIA_KEY_MIN_LEN	128
-#define  CAMELLIA_KEY_DEF_LEN	128
-#define  CAMELLIA_KEY_MAX_LEN	256
-
-static struct encrypt_desc encrypt_desc_camellia =
-{
-	algo_type:        IKE_ALG_ENCRYPT,
-	algo_id:          OAKLEY_CAMELLIA_CBC,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-
-	enc_blocksize:    CAMELLIA_BLOCK_SIZE,
-	keyminlen:        CAMELLIA_KEY_MIN_LEN,
-	keydeflen:        CAMELLIA_KEY_DEF_LEN,
-	keymaxlen:        CAMELLIA_KEY_MAX_LEN,
-};
-
-#define  BLOWFISH_KEY_MIN_LEN	128
-#define  BLOWFISH_KEY_MAX_LEN	448
-
-static struct encrypt_desc encrypt_desc_blowfish =
-{
-	algo_type:        IKE_ALG_ENCRYPT,
-	algo_id:          OAKLEY_BLOWFISH_CBC,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-
-	enc_blocksize:    BLOWFISH_BLOCK_SIZE,
-	keyminlen:        BLOWFISH_KEY_MIN_LEN,
-	keydeflen:        BLOWFISH_KEY_MIN_LEN,
-	keymaxlen:        BLOWFISH_KEY_MAX_LEN,
-};
-
-#define  SERPENT_KEY_MIN_LEN	128
-#define  SERPENT_KEY_DEF_LEN	128
-#define  SERPENT_KEY_MAX_LEN	256
-
-static struct encrypt_desc encrypt_desc_serpent =
-{
-	algo_type:        IKE_ALG_ENCRYPT,
-	algo_id:          OAKLEY_SERPENT_CBC,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-
-	enc_blocksize:    SERPENT_BLOCK_SIZE,
-	keyminlen:        SERPENT_KEY_MIN_LEN,
-	keydeflen:        SERPENT_KEY_DEF_LEN,
-	keymaxlen:        SERPENT_KEY_MAX_LEN,
-};
-
-#define  TWOFISH_KEY_MIN_LEN	128
-#define  TWOFISH_KEY_DEF_LEN	128
-#define  TWOFISH_KEY_MAX_LEN	256
-
-static struct encrypt_desc encrypt_desc_twofish =
-{
-	algo_type:        IKE_ALG_ENCRYPT,
-	algo_id:          OAKLEY_TWOFISH_CBC,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-
-	enc_blocksize:    TWOFISH_BLOCK_SIZE,
-	keydeflen:        TWOFISH_KEY_MIN_LEN,
-	keyminlen:        TWOFISH_KEY_DEF_LEN,
-	keymaxlen:        TWOFISH_KEY_MAX_LEN,
-};
-
-static struct encrypt_desc encrypt_desc_twofish_ssh =
-{
-	algo_type:        IKE_ALG_ENCRYPT,
-	algo_id:          OAKLEY_TWOFISH_CBC_SSH,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-
-	enc_blocksize:    TWOFISH_BLOCK_SIZE,
-	keydeflen:        TWOFISH_KEY_MIN_LEN,
-	keyminlen:        TWOFISH_KEY_DEF_LEN,
-	keymaxlen:        TWOFISH_KEY_MAX_LEN,
-};
-
-static struct hash_desc hash_desc_md5 =
-{
-	algo_type:        IKE_ALG_HASH,
-	algo_id:          OAKLEY_MD5,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	hash_digest_size: HASH_SIZE_MD5,
-};
-
-static struct hash_desc hash_desc_sha1 =
-{
-	algo_type:        IKE_ALG_HASH,
-	algo_id:          OAKLEY_SHA,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	hash_digest_size: HASH_SIZE_SHA1,
-};
-
-static struct hash_desc hash_desc_sha2_256 = {
-	algo_type:        IKE_ALG_HASH,
-	algo_id:          OAKLEY_SHA2_256,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	hash_digest_size: HASH_SIZE_SHA256,
-};
-
-static struct hash_desc hash_desc_sha2_384 = {
-	algo_type:        IKE_ALG_HASH,
-	algo_id:          OAKLEY_SHA2_384,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	hash_digest_size: HASH_SIZE_SHA384,
-};
-
-static struct hash_desc hash_desc_sha2_512 = {
-	algo_type:        IKE_ALG_HASH,
-	algo_id:          OAKLEY_SHA2_512,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	hash_digest_size: HASH_SIZE_SHA512,
-};
-
-const struct dh_desc unset_group = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_NONE,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          0
-};
-
-static struct dh_desc dh_desc_modp_1024 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_1024_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          1024 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_1536 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_1536_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          1536 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_2048 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_2048_BIT,
-	algo_next:        NULL,
-	ke_size:          2048 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_3072 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_3072_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          3072 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_4096 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_4096_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          4096 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_6144 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_6144_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          6144 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_8192 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_8192_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          8192 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_256 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          ECP_256_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          2*256 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_384 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          ECP_384_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          2*384 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_521 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          ECP_521_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          2*528 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_1024_160 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_1024_160,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          1024 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_2048_224 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_2048_224,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          2048 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_modp_2048_256 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          MODP_2048_256,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          2048 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_192 = {
-	algo_type:        IKE_ALG_DH_GROUP,
-	algo_id:          ECP_192_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          2*192 / BITS_PER_BYTE
-};
-
-static struct dh_desc dh_desc_ecp_224 = {
-	algo_type:  IKE_ALG_DH_GROUP,
-	algo_id:    ECP_224_BIT,
-	plugin_name:      NULL,
-	algo_next:        NULL,
-	ke_size:          2*224 / BITS_PER_BYTE
-};
-
-bool init_crypto(void)
-{
-	enumerator_t *enumerator;
-	encryption_algorithm_t encryption_alg;
-	hash_algorithm_t hash_alg;
-	diffie_hellman_group_t dh_group;
-	const char *plugin_name;
-	bool no_md5  = TRUE;
-	bool no_sha1 = TRUE;
-
-	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name))
-	{
-		const struct hash_desc *desc;
-
-		switch (hash_alg)
-		{
-			case HASH_SHA1:
-				desc = &hash_desc_sha1;
-				no_sha1 = FALSE;
-				break;
-			case HASH_SHA256:
-				desc = &hash_desc_sha2_256;
-				break;
-			case HASH_SHA384:
-				desc = &hash_desc_sha2_384;
-				break;
-			case HASH_SHA512:
-				desc = &hash_desc_sha2_512;
-				break;
-			case HASH_MD5:
-				desc = &hash_desc_md5;
-				no_md5 = FALSE;
-				break;
-			default:
-				continue;
-		}
-		ike_alg_add((struct ike_alg *)desc, plugin_name);
-	}
-	enumerator->destroy(enumerator);
-
-	if (no_sha1 || no_md5)
-	{
-		plog("pluto cannot run without a %s%s%s hasher",
-			 (no_sha1) ? "SHA-1" : "",
-			 (no_sha1 && no_md5) ? " and " : "",
-			 (no_md5) ? "MD5" : "");
-		return FALSE;
-	}
-
-	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &encryption_alg, &plugin_name))
-	{
-		const struct encrypt_desc *desc;
-
-		switch (encryption_alg)
-		{
-			case ENCR_3DES:
-				desc = &encrypt_desc_3des;
-				break;
-			case ENCR_BLOWFISH:
-				desc = &encrypt_desc_blowfish;
-				break;
-			case ENCR_AES_CBC:
-				desc = &encrypt_desc_aes;
-				break;
-			case ENCR_CAMELLIA_CBC:
-				desc = &encrypt_desc_camellia;
-				break;
-			case ENCR_TWOFISH_CBC:
-				desc = &encrypt_desc_twofish;
-				ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh,
-							plugin_name);
-				break;
-			case ENCR_SERPENT_CBC:
-				desc = &encrypt_desc_serpent;
-				break;
-			default:
-				continue;
-		}
-		ike_alg_add((struct ike_alg *)desc, plugin_name);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &dh_group, &plugin_name))
-	{
-		const struct dh_desc *desc;
-
-		switch (dh_group)
-		{
-			case MODP_1024_BIT:
-				desc = &dh_desc_modp_1024;
-				break;
-			case MODP_1536_BIT:
-				desc = &dh_desc_modp_1536;
-				break;
-			case MODP_2048_BIT:
-				desc = &dh_desc_modp_2048;
-				break;
-			case MODP_3072_BIT:
-				desc = &dh_desc_modp_3072;
-				break;
-			case MODP_4096_BIT:
-				desc = &dh_desc_modp_4096;
-				break;
-			case MODP_6144_BIT:
-				desc = &dh_desc_modp_6144;
-				break;
-			case MODP_8192_BIT:
-				desc = &dh_desc_modp_8192;
-				break;
-			case ECP_256_BIT:
-				desc = &dh_desc_ecp_256;
-				break;
-			case ECP_384_BIT:
-				desc = &dh_desc_ecp_384;
-				break;
-			case ECP_521_BIT:
-				desc = &dh_desc_ecp_521;
-				break;
-			case MODP_1024_160:
-				desc = &dh_desc_modp_1024_160;
-				break;
-			case MODP_2048_224:
-				desc = &dh_desc_modp_2048_224;
-				break;
-			case MODP_2048_256:
-				desc = &dh_desc_modp_2048_256;
-				break;
-			case ECP_192_BIT:
-				desc = &dh_desc_ecp_192;
-				break;
-			case ECP_224_BIT:
-				desc = &dh_desc_ecp_224;
-				break;
-			default:
-				continue;
-		}
-		ike_alg_add((struct ike_alg *)desc, plugin_name);
-	}
-	enumerator->destroy(enumerator);
-	return TRUE;
-}
-
-void free_crypto(void)
-{
-	/* currently nothing to do */
-}
-
-/**
- * Converts IKEv1 encryption algorithm name to crypter name
- */
-encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
-{
-	switch (alg)
-	{
-		case OAKLEY_DES_CBC:
-			return ENCR_DES;
-		case OAKLEY_IDEA_CBC:
-			return ENCR_IDEA;
-		case OAKLEY_BLOWFISH_CBC:
-			return ENCR_BLOWFISH;
-		case OAKLEY_RC5_R16_B64_CBC:
-			return ENCR_RC5;
-		case OAKLEY_3DES_CBC:
-			return ENCR_3DES;
-		case OAKLEY_CAST_CBC:
-			return ENCR_CAST;
-		case OAKLEY_AES_CBC:
-			return ENCR_AES_CBC;
-		case OAKLEY_CAMELLIA_CBC:
-			return ENCR_CAMELLIA_CBC;
-		case OAKLEY_SERPENT_CBC:
-			return ENCR_SERPENT_CBC;
-		case OAKLEY_TWOFISH_CBC:
-		case OAKLEY_TWOFISH_CBC_SSH:
-			return ENCR_TWOFISH_CBC;
-		default:
-			return ENCR_UNDEFINED;
-	}
-}
-
-/**
- * Converts IKEv1 hash algorithm name to hasher name
- */
-hash_algorithm_t oakley_to_hash_algorithm(int alg)
-{
-	switch (alg)
-	{
-		case OAKLEY_MD5:
-			return HASH_MD5;
-		case OAKLEY_SHA:
-			return HASH_SHA1;
-		case OAKLEY_SHA2_256:
-			return HASH_SHA256;
-		case OAKLEY_SHA2_384:
-			return HASH_SHA384;
-		case OAKLEY_SHA2_512:
-			return HASH_SHA512;
-		default:
-			return HASH_UNKNOWN;
-	}
-}
-
-/**
- * Converts IKEv1 hash algorithm name to IKEv2 prf name
- */
-pseudo_random_function_t oakley_to_prf(int alg)
-{
-	switch (alg)
-	{
-		case OAKLEY_MD5:
-			return PRF_HMAC_MD5;
-		case OAKLEY_SHA:
-			return PRF_HMAC_SHA1;
-		case OAKLEY_SHA2_256:
-			return PRF_HMAC_SHA2_256;
-		case OAKLEY_SHA2_384:
-			return PRF_HMAC_SHA2_384;
-		case OAKLEY_SHA2_512:
-			return PRF_HMAC_SHA2_512;
-		default:
-			return PRF_UNDEFINED;
-	}
-}
-
-/**
- * Maps IKEv1 authentication method to IKEv2 signature scheme
- */
-signature_scheme_t oakley_to_signature_scheme(int method)
-{
-	switch (method)
-	{
-		case OAKLEY_RSA_SIG:
-		case XAUTHInitRSA:
-		case XAUTHRespRSA:
-			return SIGN_RSA_EMSA_PKCS1_NULL;
-		case OAKLEY_ECDSA_256:
-		case OAKLEY_ECDSA_384:
-		case OAKLEY_ECDSA_521:
-			return SIGN_ECDSA_WITH_NULL;
-		default:
-			return SIGN_UNKNOWN;
-	}
-}
-
-/**
- * Table to map IKEv2 encryption algorithms to IKEv1 (or IKEv1 ESP) and back
- */
-struct {
-	encryption_algorithm_t alg;
-	int oakley;
-	int esp;
-} encr_map[] = {
-	{ENCR_DES,                OAKLEY_DES_CBC,         ESP_DES       },
-	{ENCR_3DES,               OAKLEY_3DES_CBC,        ESP_3DES      },
-	{ENCR_RC5,                OAKLEY_RC5_R16_B64_CBC, ESP_RC5       },
-	{ENCR_IDEA,               OAKLEY_IDEA_CBC,        ESP_IDEA      },
-	{ENCR_CAST,               OAKLEY_CAST_CBC,        ESP_CAST      },
-	{ENCR_BLOWFISH,           OAKLEY_BLOWFISH_CBC,    ESP_BLOWFISH  },
-	{ENCR_AES_CBC,            OAKLEY_AES_CBC,         ESP_AES       },
-	{ENCR_CAMELLIA_CBC,       OAKLEY_CAMELLIA_CBC,    ESP_CAMELLIA  },
-	{ENCR_SERPENT_CBC,        OAKLEY_SERPENT_CBC,     ESP_SERPENT   },
-	{ENCR_TWOFISH_CBC,        OAKLEY_TWOFISH_CBC,     ESP_TWOFISH   },
-	{ENCR_NULL,               0,                      ESP_NULL      },
-	{ENCR_AES_CTR,            0,                      ESP_AES_CTR   },
-	{ENCR_AES_CCM_ICV8,       0,                      ESP_AES_CCM_8 },
-	{ENCR_AES_CCM_ICV12,      0,                      ESP_AES_CCM_12},
-	{ENCR_AES_CCM_ICV16,      0,                      ESP_AES_CCM_16},
-	{ENCR_AES_GCM_ICV8,       0,                      ESP_AES_GCM_8 },
-	{ENCR_AES_GCM_ICV12,      0,                      ESP_AES_GCM_12},
-	{ENCR_AES_GCM_ICV16,      0,                      ESP_AES_GCM_16},
-	{ENCR_NULL_AUTH_AES_GMAC, 0,                      ESP_AES_GMAC  },
-};
-
-/**
- * Converts IKEv2 encryption to IKEv1 encryption algorithm
- */
-int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
-{
-	int i;
-	for (i = 0; i < countof(encr_map); i++)
-	{
-		if (encr_map[i].alg == alg)
-		{
-			return encr_map[i].oakley;
-		}
-	}
-	return 0;
-}
-
-/**
- * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
- */
-int esp_from_encryption_algorithm(encryption_algorithm_t alg)
-{
-	int i;
-	for (i = 0; i < countof(encr_map); i++)
-	{
-		if (encr_map[i].alg == alg)
-		{
-			return encr_map[i].esp;
-		}
-	}
-	return 0;
-}
-
-/**
- * Converts IKEv1 ESP encryption to IKEv2 algorithm
- */
-encryption_algorithm_t encryption_algorithm_from_esp(int esp)
-{
-	int i;
-	for (i = 0; i < countof(encr_map); i++)
-	{
-		if (encr_map[i].esp == esp)
-		{
-			return encr_map[i].alg;
-		}
-	}
-	return 0;
-}
-
-/**
- * Table to map IKEv2 integrity algorithms to IKEv1 (or IKEv1 ESP) and back
- */
-struct {
-	integrity_algorithm_t alg;
-	int oakley;
-	int esp;
-} auth_map[] = {
-	{AUTH_HMAC_MD5_96,       OAKLEY_MD5,      AUTH_ALGORITHM_HMAC_MD5        },
-	{AUTH_HMAC_SHA1_96,      OAKLEY_SHA,      AUTH_ALGORITHM_HMAC_SHA1       },
-	{AUTH_HMAC_SHA2_256_96,  0,               AUTH_ALGORITHM_HMAC_SHA2_256_96},
-	{AUTH_HMAC_SHA2_256_128, OAKLEY_SHA2_256, AUTH_ALGORITHM_HMAC_SHA2_256   },
-	{AUTH_HMAC_SHA2_384_192, OAKLEY_SHA2_384, AUTH_ALGORITHM_HMAC_SHA2_384   },
-	{AUTH_HMAC_SHA2_512_256, OAKLEY_SHA2_512, AUTH_ALGORITHM_HMAC_SHA2_512   },
-	{AUTH_AES_XCBC_96,       0,               AUTH_ALGORITHM_AES_XCBC_MAC    },
-	{AUTH_AES_128_GMAC,      0,               AUTH_ALGORITHM_AES_128_GMAC    },
-	{AUTH_AES_192_GMAC,      0,               AUTH_ALGORITHM_AES_192_GMAC    },
-	{AUTH_AES_256_GMAC,      0,               AUTH_ALGORITHM_AES_256_GMAC    },
-};
-
-
-/**
- * Converts IKEv2 integrity to IKEv1 hash algorithm
- */
-int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
-{
-	int i;
-	for (i = 0; i < countof(auth_map); i++)
-	{
-		if (auth_map[i].alg == alg)
-		{
-			return auth_map[i].oakley;
-		}
-	}
-	return 0;
-}
-
-/**
- * Converts IKEv2 integrity to IKEv1 ESP authentication algorithm
- */
-int esp_from_integrity_algorithm(integrity_algorithm_t alg)
-{
-	int i;
-	for (i = 0; i < countof(auth_map); i++)
-	{
-		if (auth_map[i].alg == alg)
-		{
-			return auth_map[i].esp;
-		}
-	}
-	return 0;
-}
-
-/**
- * Converts IKEv1 ESP authentication to IKEv2 integrity algorithm
- */
-integrity_algorithm_t integrity_algorithm_from_esp(int esp)
-{
-	int i;
-	for (i = 0; i < countof(auth_map); i++)
-	{
-		if (auth_map[i].esp == esp)
-		{
-			return auth_map[i].alg;
-		}
-	}
-	return 0;
-}
-
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
deleted file mode 100644
index 16ad12780..000000000
--- a/src/pluto/crypto.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/* crypto interfaces
- *
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * Copyright (C) 1998, 1999  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/prfs/prf.h>
-#include <credentials/keys/public_key.h>
-
-#include "ike_alg.h"
-
-extern bool init_crypto(void);
-extern void free_crypto(void);
-
-extern const struct dh_desc unset_group;      /* magic signifier */
-
-/* unification of cryptographic encoding/decoding algorithms
- * The IV is taken from and returned to st->st_new_iv.
- * This allows the old IV to be retained.
- * Use update_iv to commit to the new IV (for example, once a packet has
- * been validated).
- */
-
-#define MAX_OAKLEY_KEY_LEN0  (3 * DES_CBC_BLOCK_SIZE)
-#define MAX_OAKLEY_KEY_LEN  (256/BITS_PER_BYTE)
-
-struct state;   /* forward declaration, dammit */
-
-#define update_iv(st)   memcpy((st)->st_iv, (st)->st_new_iv \
-	, (st)->st_iv_len = (st)->st_new_iv_len)
-
-#define set_ph1_iv(st, iv) \
-	passert((st)->st_ph1_iv_len <= sizeof((st)->st_ph1_iv)); \
-	memcpy((st)->st_ph1_iv, (iv), (st)->st_ph1_iv_len);
-
-/* unification of cryptographic hashing mechanisms */
-
-extern encryption_algorithm_t oakley_to_encryption_algorithm(int alg);
-extern hash_algorithm_t oakley_to_hash_algorithm(int alg);
-extern pseudo_random_function_t oakley_to_prf(int alg);
-extern signature_scheme_t oakley_to_signature_scheme(int method);
-extern int oakley_from_encryption_algorithm(encryption_algorithm_t alg);
-extern int oakley_from_integrity_algorithm(integrity_algorithm_t alg);
-extern int esp_from_encryption_algorithm(encryption_algorithm_t alg);
-extern int esp_from_integrity_algorithm(integrity_algorithm_t alg);
-extern encryption_algorithm_t encryption_algorithm_from_esp(int esp);
-extern integrity_algorithm_t integrity_algorithm_from_esp(int esp);
-
diff --git a/src/pluto/db_ops.c b/src/pluto/db_ops.c
deleted file mode 100644
index 547ea5f22..000000000
--- a/src/pluto/db_ops.c
+++ /dev/null
@@ -1,412 +0,0 @@
-/* Dynamic db (proposal, transforms, attributes) handling.
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/*
- * The stratedy is to have (full contained) struct db_prop in db_context
- * pointing to ONE dynamically sizable transform vector (trans0).
- * Each transform stores attrib. in ONE dyn. sizable attribute vector (attrs0)
- * in a "serialized" way (attributes storage is used in linear sequence for
- * subsecuent transforms).
- *
- * Resizing for both trans0 and attrs0 is supported:
- * - For trans0: quite simple, just allocate and copy trans. vector content
- *               also update trans_cur (by offset)
- * - For attrs0: after allocating and copying attrs, I must rewrite each
- *               trans->attrs present in trans0; to achieve this, calculate
- *               attrs pointer offset (new minus old) and iterate over
- *               each transform "adding" this difference.
- *               also update attrs_cur (by offset)
- *
- * db_context structure:
- *      +---------------------+
- *      |  prop               |
- *      |    .protoid         |
- *      |    .trans           | --+
- *      |    .trans_cnt       |   |
- *      +---------------------+ <-+
- *      |  trans0             | ----> { trans#1 | ... | trans#i | ...   }
- *      +---------------------+                       ^
- *      |  trans_cur          | ----------------------' current transf.
- *      +---------------------+
- *      |  attrs0             | ----> { attr#1 | ... | attr#j | ...  }
- *      +---------------------+                      ^
- *      |  attrs_cur          | ---------------------' current attr.
- *      +---------------------+
- *      | max_trans,max_attrs |  max_trans/attrs: number of elem. of each vector
- *      +---------------------+
- *
- * See testing examples at end for interface usage.
- */
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <malloc.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "state.h"
-#include "packet.h"
-#include "spdb.h"
-#include "db_ops.h"
-#include "log.h"
-#include "whack.h"
-
-#include <assert.h>
-
-#ifdef NOT_YET
-/*
- *      Allocator cache:
- *      Because of the single-threaded nature of pluto/spdb.c,
- *      alloc()/free() is exercised many times with very small
- *      lifetime objects.
- *      Just caching last object (currently it will select the
- *      largest) will avoid this allocation mas^Wperturbations
- *
- */
-struct db_ops_alloc_cache {
-		void *ptr;
-		int size;
-};
-#endif
-
-#ifndef NO_DB_OPS_STATS
-/*
- *      stats: do account for allocations
- *      displayed in db_ops_show_status()
- */
-struct db_ops_stats {
-		int st_curr_cnt;        /* current number of allocations */
-		int st_total_cnt;       /* total allocations so far */
-		size_t st_maxsz;        /* max. size requested */
-};
-#define DB_OPS_ZERO { 0, 0, 0};
-#define DB_OPS_STATS_DESC   "{curr_cnt, total_cnt, maxsz}"
-#define DB_OPS_STATS_STR(name)  name "={%d,%d,%d} "
-#define DB_OPS_STATS_F(st) (st).st_curr_cnt, (st).st_total_cnt, (int)(st).st_maxsz
-static struct db_ops_stats db_context_st = DB_OPS_ZERO;
-static struct db_ops_stats db_trans_st = DB_OPS_ZERO;
-static struct db_ops_stats db_attrs_st = DB_OPS_ZERO;
-static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
-{
-		void *ptr = malloc(size);
-		if (ptr)
-		{
-				st->st_curr_cnt++;
-				st->st_total_cnt++;
-				if (size > st->st_maxsz) st->st_maxsz=size;
-		}
-		return ptr;
-}
-#define ALLOC_BYTES_ST(z,st) malloc_bytes_st(z, &st);
-#define PFREE_ST(p,st)         do { st.st_curr_cnt--; free(p);  } while (0);
-
-#else
-
-#define ALLOC_BYTES_ST(z,n) malloc(z);
-#define PFREE_ST(p,n)         free(p);
-
-#endif /* NO_DB_OPS_STATS */
-/*      Initialize db object
- *      max_trans and max_attrs can be 0, will be dynamically expanded
- *      as a result of "add" operations
- */
-int
-db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs)
-{
-		ctx->trans0 = NULL;
-		ctx->attrs0 = NULL;
-
-		if (max_trans > 0) { /* quite silly if not */
-				ctx->trans0 = ALLOC_BYTES_ST ( sizeof(struct db_trans) * max_trans,
-								db_trans_st);
-				memset(ctx->trans0, '\0', sizeof(struct db_trans) * max_trans);
-		}
-
-		if (max_attrs > 0) { /* quite silly if not */
-				ctx->attrs0 = ALLOC_BYTES_ST (sizeof(struct db_attr) * max_attrs,
-								db_attrs_st);
-				memset(ctx->attrs0, '\0', sizeof(struct db_attr) * max_attrs);
-		}
-
-		ctx->max_trans = max_trans;
-		ctx->max_attrs = max_attrs;
-		ctx->trans_cur = ctx->trans0;
-		ctx->attrs_cur = ctx->attrs0;
-		ctx->prop.protoid = protoid;
-		ctx->prop.trans = ctx->trans0;
-		ctx->prop.trans_cnt = 0;
-		return 0;
-}
-
-/*      Expand storage for transforms by number delta_trans */
-static int
-db_trans_expand(struct db_context *ctx, int delta_trans)
-{
-		int ret = -1;
-		struct db_trans *new_trans, *old_trans;
-		int max_trans = ctx->max_trans + delta_trans;
-		int offset;
-
-		old_trans = ctx->trans0;
-		new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans,
-						db_trans_st);
-		if (!new_trans)
-				goto out;
-		memcpy(new_trans, old_trans, ctx->max_trans * sizeof(struct db_trans));
-
-		/* update trans0 (obviously) */
-		ctx->trans0 = ctx->prop.trans = new_trans;
-		/* update trans_cur (by offset) */
-		offset = (char *)(new_trans) - (char *)(old_trans);
-
-		{
-		  char *cctx = (char *)(ctx->trans_cur);
-
-		  cctx += offset;
-		  ctx->trans_cur = (struct db_trans *)cctx;
-		}
-		/* update elem count */
-		ctx->max_trans = max_trans;
-		PFREE_ST(old_trans, db_trans_st);
-		ret = 0;
-out:
-		return ret;
-}
-/*
- *      Expand storage for attributes by delta_attrs number AND
- *      rewrite trans->attr pointers
- */
-static int
-db_attrs_expand(struct db_context *ctx, int delta_attrs)
-{
-		int ret = -1;
-		struct db_attr *new_attrs, *old_attrs;
-		struct db_trans *t;
-		int ti;
-		int max_attrs = ctx->max_attrs + delta_attrs;
-		int offset;
-
-		old_attrs = ctx->attrs0;
-		new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs,
-						db_attrs_st);
-		if (!new_attrs)
-				goto out;
-
-		memcpy(new_attrs, old_attrs, ctx->max_attrs * sizeof(struct db_attr));
-
-		/* update attrs0 and attrs_cur (obviously) */
-		offset = (char *)(new_attrs) - (char *)(old_attrs);
-
-		{
-		  char *actx = (char *)(ctx->attrs0);
-
-		  actx += offset;
-		  ctx->attrs0 = (struct db_attr *)actx;
-
-		  actx = (char *)ctx->attrs_cur;
-		  actx += offset;
-		  ctx->attrs_cur = (struct db_attr *)actx;
-		}
-
-		/* for each transform, rewrite attrs pointer by offsetting it */
-		for (t=ctx->prop.trans, ti=0; ti < ctx->prop.trans_cnt; t++, ti++) {
-				char *actx = (char *)(t->attrs);
-
-				actx += offset;
-				t->attrs = (struct db_attr *)actx;
-		}
-		/* update elem count */
-		ctx->max_attrs = max_attrs;
-		PFREE_ST(old_attrs, db_attrs_st);
-		ret = 0;
-out:
-		return ret;
-}
-/*      Allocate a new db object */
-struct db_context *
-db_prop_new(u_int8_t protoid, int max_trans, int max_attrs)
-{
-		struct db_context *ctx;
-		ctx = ALLOC_BYTES_ST ( sizeof (struct db_context), db_context_st);
-		if (!ctx) goto out;
-
-		if (db_prop_init(ctx, protoid, max_trans, max_attrs) < 0) {
-				PFREE_ST(ctx, db_context_st);
-				ctx=NULL;
-		}
-out:
-		return ctx;
-}
-/*      Free a db object */
-void
-db_destroy(struct db_context *ctx)
-{
-		if (ctx->trans0) PFREE_ST(ctx->trans0, db_trans_st);
-		if (ctx->attrs0) PFREE_ST(ctx->attrs0, db_attrs_st);
-		PFREE_ST(ctx, db_context_st);
-}
-/*      Start a new transform, expand trans0 is needed */
-int
-db_trans_add(struct db_context *ctx, u_int8_t transid)
-{
-		/*      skip incrementing current trans pointer the 1st time*/
-		if (ctx->trans_cur && ctx->trans_cur->attr_cnt)
-				ctx->trans_cur++;
-		/*
-		 *      Strategy: if more space is needed, expand by
-		 *                <current_size>/2 + 1
-		 *
-		 *      This happens to produce a "reasonable" sequence
-		 *      after few allocations, eg.:
-		 *      0,1,2,4,8,13,20,31,47
-		 */
-		if ((ctx->trans_cur - ctx->trans0) >= ctx->max_trans) {
-				/* XXX:jjo if fails should shout and flag it */
-				if (db_trans_expand(ctx, ctx->max_trans/2 + 1)<0)
-						return -1;
-		}
-		ctx->trans_cur->transid = transid;
-		ctx->trans_cur->attrs=ctx->attrs_cur;
-		ctx->trans_cur->attr_cnt = 0;
-		ctx->prop.trans_cnt++;
-		return 0;
-}
-/*      Add attr copy to current transform, expanding attrs0 if needed */
-int
-db_attr_add(struct db_context *ctx, const struct db_attr *a)
-{
-		/*
-		 *      Strategy: if more space is needed, expand by
-		 *                <current_size>/2 + 1
-		 */
-		if ((ctx->attrs_cur - ctx->attrs0) >= ctx->max_attrs) {
-				/* XXX:jjo if fails should shout and flag it */
-				if (db_attrs_expand(ctx, ctx->max_attrs/2 + 1) < 0)
-						return -1;
-		}
-		*ctx->attrs_cur++=*a;
-		ctx->trans_cur->attr_cnt++;
-		return 0;
-}
-/*      Add attr copy (by value) to current transform,
- *      expanding attrs0 if needed, just calls db_attr_add().
- */
-int
-db_attr_add_values(struct db_context *ctx,  u_int16_t type, u_int16_t val)
-{
-		struct db_attr attr;
-		attr.type = type;
-		attr.val = val;
-		return db_attr_add (ctx, &attr);
-}
-#ifndef NO_DB_OPS_STATS
-int
-db_ops_show_status(void)
-{
-		whack_log(RC_COMMENT, "stats " __FILE__ ": "
-						DB_OPS_STATS_DESC " :"
-						DB_OPS_STATS_STR("context")
-						DB_OPS_STATS_STR("trans")
-						DB_OPS_STATS_STR("attrs"),
-						DB_OPS_STATS_F(db_context_st),
-						DB_OPS_STATS_F(db_trans_st),
-						DB_OPS_STATS_F(db_attrs_st)
-						);
-		return 0;
-}
-#endif /* NO_DB_OPS_STATS */
-/*
- * From below to end just testing stuff ....
- */
-#ifdef TEST
-static void db_prop_print(struct db_prop *p)
-{
-		struct db_trans *t;
-		struct db_attr *a;
-		int ti, ai;
-		enum_names *n, *n_at, *n_av;
-		printf("protoid=\"%s\"\n", enum_name(&protocol_names, p->protoid));
-		for (ti=0, t=p->trans; ti< p->trans_cnt; ti++, t++) {
-				switch( t->transid) {
-						case PROTO_ISAKMP:
-								n=&isakmp_transformid_names;break;
-						case PROTO_IPSEC_ESP:
-								n=&esp_transformid_names;break;
-						default:
-								continue;
-				}
-				printf("  transid=\"%s\"\n",
-						enum_name(n, t->transid));
-				for (ai=0, a=t->attrs; ai < t->attr_cnt; ai++, a++) {
-						int i;
-						switch( t->transid) {
-								case PROTO_ISAKMP:
-										n_at=&oakley_attr_names;
-										i=a->type|ISAKMP_ATTR_AF_TV;
-										n_av=oakley_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
-										break;
-								case PROTO_IPSEC_ESP:
-										n_at=&ipsec_attr_names;
-										i=a->type|ISAKMP_ATTR_AF_TV;
-										n_av=ipsec_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
-										break;
-								default:
-										continue;
-						}
-						printf("    type=\"%s\" value=\"%s\"\n",
-								enum_name(n_at, i),
-								enum_name(n_av, a->val));
-				}
-		}
-
-}
-static void db_print(struct db_context *ctx)
-{
-		printf("trans_cur diff=%d, attrs_cur diff=%d\n",
-						ctx->trans_cur - ctx->trans0,
-						ctx->attrs_cur - ctx->attrs0);
-		db_prop_print(&ctx->prop);
-}
-
-void
-passert_fail(const char *pred_str, const char *file_str, unsigned long line_no);
-void abort(void);
-void
-passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
-{
-	fprintf(stderr, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-	abort();    /* exiting correctly doesn't always work */
-}
-int main(void) {
-		struct db_context *ctx=db_prop_new(PROTO_ISAKMP, 0, 0);
-		db_trans_add(ctx, KEY_IKE);
-		db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC);
-		db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
-		db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
-		db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024);
-		db_trans_add(ctx, KEY_IKE);
-		db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_AES_CBC);
-		db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
-		db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
-		db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536);
-		db_trans_add(ctx, ESP_3DES);
-		db_attr_add_values(ctx, AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1);
-		db_print(ctx);
-		db_destroy(ctx);
-		return 0;
-}
-#endif
diff --git a/src/pluto/db_ops.h b/src/pluto/db_ops.h
deleted file mode 100644
index 464c245dd..000000000
--- a/src/pluto/db_ops.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* Dynamic db (proposal, transforms, attributes) handling.
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _DB_OPS_H
-#define _DB_OPS_H
-
-/*
- *      Main db object, (quite proposal "oriented")
- */
-#ifndef NO_DB_CONTEXT
-struct db_context {
-		struct db_prop prop;            /* proposal buffer (not pointer) */
-		struct db_trans *trans0;        /* transf. list, dynamically sized */
-		struct db_trans *trans_cur;     /* current transform ptr */
-		struct db_attr *attrs0;         /* attr. list, dynamically sized */
-		struct db_attr *attrs_cur;      /* current attribute ptr */
-		int max_trans;                  /* size of trans list */
-		int max_attrs;                  /* size of attrs list */
-};
-/*
- *      Allocate a new db object
- */
-struct db_context * db_prop_new(u_int8_t protoid, int max_trans, int max_attrs);
-/*      Initialize object for proposal building  */
-int db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs);
-/*      Free all resourses for this db */
-void db_destroy(struct db_context *ctx);
-
-/*      Start a new transform */
-int db_trans_add(struct db_context *ctx, u_int8_t transid);
-/*      Add a new attribute by copying db_attr content */
-int db_attr_add(struct db_context *db_ctx, const struct db_attr *attr);
-/*      Add a new attribute by value */
-int db_attr_add_values(struct db_context *ctx,  u_int16_t type, u_int16_t val);
-
-/*      Get proposal from db object */
-static __inline__ struct db_prop *db_prop_get(struct db_context *ctx) {
-		return &ctx->prop;
-}
-/*      Show stats (allocation, etc) */
-#endif /* NO_DB_CONTEXT */
-int db_ops_show_status(void);
-#endif /* _DB_OPS_H */
diff --git a/src/pluto/defs.c b/src/pluto/defs.c
deleted file mode 100644
index 7f3a819de..000000000
--- a/src/pluto/defs.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/* misc. universal things
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#include <dirent.h>
-#include <inttypes.h>
-#include <time.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-
-bool
-all_zero(const unsigned char *m, size_t len)
-{
-	size_t i;
-
-	for (i = 0; i != len; i++)
-		if (m[i] != '\0')
-			return FALSE;
-	return TRUE;
-}
-
-/*  Note that there may be as many as six IDs that are temporary at
- *  one time before unsharing the two ends of a connection. So we need
- *  at least six temporary buffers for DER_ASN1_DN IDs.
- *  We rotate them. Be careful!
- */
-#define MAX_BUF         10
-
-char*
-temporary_cyclic_buffer(void)
-{
-	static char buf[MAX_BUF][BUF_LEN];  /* MAX_BUF internal buffers */
-	static int counter = 0;                     /* cyclic counter */
-
-	if (++counter == MAX_BUF) counter = 0;      /* next internal buffer */
-	return buf[counter];                        /* assign temporary buffer */
-}
-
-/* concatenates two sub paths into a string with a maximum size of BUF_LEN
- * use for temporary storage only
- */
-char* concatenate_paths(char *a, char *b)
-{
-	char *c;
-
-	if (*b == '/' || *b == '.')
-		return b;
-
-	c = temporary_cyclic_buffer();
-	snprintf(c, BUF_LEN, "%s/%s", a, b);
-	return c;
-}
-
-/* moves a chunk to a memory position, chunk is freed afterwards
- * position pointer is advanced after the insertion point
- */
-void
-mv_chunk(u_char **pos, chunk_t content)
-{
-	if (content.len > 0)
-	{
-		chunkcpy(*pos, content);
-		free(content.ptr);
-	}
-}
-
-/*  checks if the expiration date has been reached and
- *  warns during the warning_interval of the imminent
- *  expiry. strict=TRUE declares a fatal error,
- *  strict=FALSE issues a warning upon expiry.
- */
-const char*
-check_expiry(time_t expiration_date, int warning_interval, bool strict)
-{
-	time_t now, time_left;
-
-	if (expiration_date == UNDEFINED_TIME)
-	  return "ok (expires never)";
-
-	/* determine the current time */
-	time(&now);
-
-	time_left = (expiration_date - now);
-	if (time_left < 0)
-		return strict? "fatal (expired)" : "warning (expired)";
-
-	if (time_left > 86400*warning_interval)
-		return "ok";
-	{
-		static char buf[35]; /* temporary storage */
-		const char* unit = "second";
-
-		if (time_left > 172800)
-		{
-			time_left /= 86400;
-			unit = "day";
-		}
-		else if (time_left > 7200)
-		{
-			time_left /= 3600;
-			unit = "hour";
-		}
-		else if (time_left > 120)
-		{
-			time_left /= 60;
-			unit = "minute";
-		}
-		snprintf(buf, 35, "warning (expires in %" PRIu64 " %s%s)",
-				 (u_int64_t)time_left, unit, (time_left == 1) ? "" : "s");
-		return buf;
-	}
-}
-
-
-/*
- *  Filter eliminating the directory entries '.' and '..'
- */
-int
-file_select(const struct dirent *entry)
-{
-	return strcmp(entry->d_name, "." ) &&
-		   strcmp(entry->d_name, "..");
-}
-
-
diff --git a/src/pluto/defs.h b/src/pluto/defs.h
deleted file mode 100644
index 532652e5b..000000000
--- a/src/pluto/defs.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/* misc. universal things
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _DEFS_H
-#define _DEFS_H
-
-#include <string.h>
-#include <sys/types.h>
-
-#include <chunk.h>
-
-#ifdef DEBUG
-# define USED_BY_DEBUG  /* ignore */
-#else
-# define USED_BY_DEBUG  UNUSED
-#endif
-
-/* type of serial number of a state object
- * Needed in connections.h and state.h; here to simplify dependencies.
- */
-typedef unsigned long so_serial_t;
-#define SOS_NOBODY      0       /* null serial number */
-#define SOS_FIRST       1       /* first normal serial number */
-
-/* memory allocation */
-
-#define clone_thing(orig) clalloc((void *)&(orig), sizeof(orig))
-
-#define clone_str(str) \
-	((str) == NULL? NULL : strdup(str))
-
-#define replace(p, q) \
-	{ free(p); (p) = (q); }
-
-#define chunkcpy(dst, chunk) \
-	{ memcpy(dst, chunk.ptr, chunk.len); dst += chunk.len;}
-
-extern char* temporary_cyclic_buffer(void);
-extern char* concatenate_paths(char *a, char *b);
-
-/* move a chunk to a memory position and free it after insertion */
-extern void mv_chunk(u_char **pos, chunk_t content);
-
-/* warns a predefined interval before expiry */
-extern const char* check_expiry(time_t expiration_date,
-	int warning_interval, bool strict);
-
-#define MAX_PROMPT_PASS_TRIALS  5
-#define PROMPT_PASS_LEN         64
-
-/* filter eliminating the directory entries '.' and '..' */
-typedef struct dirent dirent_t;
-extern int file_select(const dirent_t *entry);
-
-/* cleanly exit Pluto */
-extern void exit_pluto(int /*status*/) NEVER_RETURNS;
-
-/* zero all bytes */
-#define zero(x) memset((x), '\0', sizeof(*(x)))
-
-/* are all bytes 0? */
-extern bool all_zero(const unsigned char *m, size_t len);
-
-/* pad_up(n, m) is the amount to add to n to make it a multiple of m */
-#define pad_up(n, m) (((m) - 1) - (((n) + (m) - 1) % (m)))
-
-#endif /* _DEFS_H */
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
deleted file mode 100644
index 612e0813c..000000000
--- a/src/pluto/demux.c
+++ /dev/null
@@ -1,2527 +0,0 @@
-/* demultiplex incoming IKE messages
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/* Ordering Constraints on Payloads
- *
- * rfc2409: The Internet Key Exchange (IKE)
- *
- * 5 Exchanges:
- *   "The SA payload MUST precede all other payloads in a phase 1 exchange."
- *
- *   "Except where otherwise noted, there are no requirements for ISAKMP
- *    payloads in any message to be in any particular order."
- *
- * 5.3 Phase 1 Authenticated With a Revised Mode of Public Key Encryption:
- *
- *   "If the HASH payload is sent it MUST be the first payload of the
- *    second message exchange and MUST be followed by the encrypted
- *    nonce. If the HASH payload is not sent, the first payload of the
- *    second message exchange MUST be the encrypted nonce."
- *
- *   "Save the requirements on the location of the optional HASH payload
- *    and the mandatory nonce payload there are no further payload
- *    requirements. All payloads-- in whatever order-- following the
- *    encrypted nonce MUST be encrypted with Ke_i or Ke_r depending on the
- *    direction."
- *
- * 5.5 Phase 2 - Quick Mode
- *
- *   "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
- *    header and a SA payload MUST immediately follow the HASH."
- *   [NOTE: there may be more than one SA payload, so this is not
- *    totally reasonable.  Probably all SAs should be so constrained.]
- *
- *   "If ISAKMP is acting as a client negotiator on behalf of another
- *    party, the identities of the parties MUST be passed as IDci and
- *    then IDcr."
- *
- *   "With the exception of the HASH, SA, and the optional ID payloads,
- *    there are no payload ordering restrictions on Quick Mode."
- */
-
-/* Unfolding of Identity -- a central mystery
- *
- * This concerns Phase 1 identities, those of the IKE hosts.
- * These are the only ones that are authenticated.  Phase 2
- * identities are for IPsec SAs.
- *
- * There are three case of interest:
- *
- * (1) We initiate, based on a whack command specifying a Connection.
- *     We know the identity of the peer from the Connection.
- *
- * (2) (to be implemented) we initiate based on a flow from our client
- *     to some IP address.
- *     We immediately know one of the peer's client IP addresses from
- *     the flow.  We must use this to figure out the peer's IP address
- *     and Id.  To be solved.
- *
- * (3) We respond to an IKE negotiation.
- *     We immediately know the peer's IP address.
- *     We get an ID Payload in Main I2.
- *
- *     Unfortunately, this is too late for a number of things:
- *     - the ISAKMP SA proposals have already been made (Main I1)
- *       AND one accepted (Main R1)
- *     - the SA includes a specification of the type of ID
- *       authentication so this is negotiated without being told the ID.
- *     - with Preshared Key authentication, Main I2 is encrypted
- *       using the key, so it cannot be decoded to reveal the ID
- *       without knowing (or guessing) which key to use.
- *
- *     There are three reasonable choices here for the responder:
- *     + assume that the initiator is making wise offers since it
- *       knows the IDs involved.  We can balk later (but not gracefully)
- *       when we find the actual initiator ID
- *     + attempt to infer identity by IP address.  Again, we can balk
- *       when the true identity is revealed.  Actually, it is enough
- *       to infer properties of the identity (eg. SA properties and
- *       PSK, if needed).
- *     + make all properties universal so discrimination based on
- *       identity isn't required.  For example, always accept the same
- *       kinds of encryption.  Accept Public Key Id authentication
- *       since the Initiator presumably has our public key and thinks
- *       we must have / can find his.  This approach is weakest
- *       for preshared key since the actual key must be known to
- *       decrypt the Initiator's ID Payload.
- *     These choices can be blended.  For example, a class of Identities
- *     can be inferred, sufficient to select a preshared key but not
- *     sufficient to infer a unique identity.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>   /* only used for belt-and-suspenders select call */
-#include <sys/poll.h>   /* only used for forensic poll call */
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/queue.h>
-
-#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-#  include <asm/types.h>        /* for __u8, __u32 */
-#  include <linux/errqueue.h>
-#  include <sys/uio.h>  /* struct iovec */
-#endif
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "cookie.h"
-#include "connections.h"
-#include "state.h"
-#include "packet.h"
-#include "crypto.h"
-#include "ike_alg.h"
-#include "log.h"
-#include "demux.h"      /* needs packet.h */
-#include "ipsec_doi.h"  /* needs demux.h and state.h */
-#include "timer.h"
-#include "whack.h"      /* requires connections.h */
-#include "server.h"
-#include "nat_traversal.h"
-#include "vendor.h"
-#include "modecfg.h"
-
-/* This file does basic header checking and demux of
- * incoming packets.
- */
-
-/* forward declarations */
-static bool read_packet(struct msg_digest *md);
-static void process_packet(struct msg_digest **mdp);
-
-/* Reply messages are built in this buffer.
- * Only one state transition function can be using it at a time
- * so suspended STFs must save and restore it.
- * It could be an auto variable of complete_state_transition except for the fact
- * that when a suspended STF resumes, its reply message buffer
- * must be at the same location -- there are pointers into it.
- */
-u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
-
-/* state_microcode is a tuple of information parameterizing certain
- * centralized processing of a packet.  For example, it roughly
- * specifies what payloads are expected in this message.
- * The microcode is selected primarily based on the state.
- * In Phase 1, the payload structure often depends on the
- * authentication technique, so that too plays a part in selecting
- * the state_microcode to use.
- */
-
-struct state_microcode {
-	enum state_kind state, next_state;
-	lset_t flags;
-	lset_t req_payloads;        /* required payloads (allows just one) */
-	lset_t opt_payloads;        /* optional payloads (any mumber) */
-	/* if not ISAKMP_NEXT_NONE, process_packet will emit HDR with this as np */
-	u_int8_t first_out_payload;
-	enum event_type timeout_event;
-	state_transition_fn *processor;
-};
-
-/* State Microcode Flags, in several groups */
-
-/* Oakley Auth values: to which auth values does this entry apply?
- * Most entries will use SMF_ALL_AUTH because they apply to all.
- * Note: SMF_ALL_AUTH matches 0 for those circumstances when no auth
- * has been set.
- */
-#define SMF_ALL_AUTH    LRANGE(0, OAKLEY_AUTH_ROOF-1)
-#define SMF_PSK_AUTH    LELEM(OAKLEY_PRESHARED_KEY)
-#define SMF_DS_AUTH     (LELEM(OAKLEY_DSS_SIG)   | LELEM(OAKLEY_RSA_SIG)   | \
-						 LELEM(OAKLEY_ECDSA_SIG) | LELEM(OAKLEY_ECDSA_256) | \
-						 LELEM(OAKLEY_ECDSA_384) | LELEM(OAKLEY_ECDSA_521))
-#define SMF_PKE_AUTH    (LELEM(OAKLEY_RSA_ENC) | LELEM(OAKLEY_ELGAMAL_ENC))
-#define SMF_RPKE_AUTH   (LELEM(OAKLEY_RSA_ENC_REV) | LELEM(OAKLEY_ELGAMAL_ENC_REV))
-
-/* misc flags */
-
-#define SMF_INITIATOR   LELEM(OAKLEY_AUTH_ROOF + 0)
-#define SMF_FIRST_ENCRYPTED_INPUT       LELEM(OAKLEY_AUTH_ROOF + 1)
-#define SMF_INPUT_ENCRYPTED     LELEM(OAKLEY_AUTH_ROOF + 2)
-#define SMF_OUTPUT_ENCRYPTED    LELEM(OAKLEY_AUTH_ROOF + 3)
-#define SMF_RETRANSMIT_ON_DUPLICATE     LELEM(OAKLEY_AUTH_ROOF + 4)
-
-#define SMF_ENCRYPTED (SMF_INPUT_ENCRYPTED | SMF_OUTPUT_ENCRYPTED)
-
-/* this state generates a reply message */
-#define SMF_REPLY   LELEM(OAKLEY_AUTH_ROOF + 5)
-
-/* this state completes P1, so any pending P2 negotiations should start */
-#define SMF_RELEASE_PENDING_P2  LELEM(OAKLEY_AUTH_ROOF + 6)
-
-/* end of flags */
-
-
-static state_transition_fn      /* forward declaration */
-	unexpected,
-	informational;
-
-/* state_microcode_table is a table of all state_microcode tuples.
- * It must be in order of state (the first element).
- * After initialization, ike_microcode_index[s] points to the
- * first entry in state_microcode_table for state s.
- * Remember that each state name in Main or Quick Mode describes
- * what has happened in the past, not what this message is.
- */
-
-static const struct state_microcode
-	*ike_microcode_index[STATE_IKE_ROOF - STATE_IKE_FLOOR];
-
-static const struct state_microcode state_microcode_table[] = {
-#define PT(n) ISAKMP_NEXT_##n
-#define P(n) LELEM(PT(n))
-
-	/***** Phase 1 Main Mode *****/
-
-	/* No state for main_outI1: --> HDR, SA */
-
-	/* STATE_MAIN_R0: I1 --> R1
-	 * HDR, SA --> HDR, SA
-	 */
-	{ STATE_MAIN_R0, STATE_MAIN_R1
-	, SMF_ALL_AUTH | SMF_REPLY
-	, P(SA), P(VID) | P(CR), PT(NONE)
-	, EVENT_RETRANSMIT, main_inI1_outR1},
-
-	/* STATE_MAIN_I1: R1 --> I2
-	 * HDR, SA --> auth dependent
-	 * SMF_PSK_AUTH, SMF_DS_AUTH: --> HDR, KE, Ni
-	 * SMF_PKE_AUTH:
-	 *  --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
-	 * SMF_RPKE_AUTH:
-	 *  --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
-	 * Note: since we don't know auth at start, we cannot differentiate
-	 * microcode entries based on it.
-	 */
-	{ STATE_MAIN_I1, STATE_MAIN_I2
-	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_REPLY
-	, P(SA), P(VID) | P(CR), PT(NONE) /* don't know yet */
-	, EVENT_RETRANSMIT, main_inR1_outI2 },
-
-	/* STATE_MAIN_R1: I2 --> R2
-	 * SMF_PSK_AUTH, SMF_DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
-	 * SMF_PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
-	 *      --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
-	 * SMF_RPKE_AUTH:
-	 *      HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
-	 *      --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
-	 */
-	{ STATE_MAIN_R1, STATE_MAIN_R2
-	, SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
-	, P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
-	, EVENT_RETRANSMIT, main_inI2_outR2 },
-
-	{ STATE_MAIN_R1, STATE_UNDEFINED
-	, SMF_PKE_AUTH | SMF_REPLY
-	, P(KE) | P(ID) | P(NONCE), P(VID) | P(CR) | P(HASH), PT(KE)
-	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-	{ STATE_MAIN_R1, STATE_UNDEFINED
-	, SMF_RPKE_AUTH | SMF_REPLY
-	, P(NONCE) | P(KE) | P(ID), P(VID) | P(CR) | P(HASH) | P(CERT), PT(NONCE)
-	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-	/* for states from here on, output message must be encrypted */
-
-	/* STATE_MAIN_I2: R2 --> I3
-	 * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
-	 * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
-	 * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
-	 *      --> HDR*, HASH_I
-	 * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
-	 *      --> HDR*, HASH_I
-	 */
-	{ STATE_MAIN_I2, STATE_MAIN_I3
-	, SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-	, P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
-	, EVENT_RETRANSMIT, main_inR2_outI3 },
-
-	{ STATE_MAIN_I2, STATE_UNDEFINED
-	, SMF_PKE_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-	, P(KE) | P(ID) | P(NONCE), P(VID) | P(CR), PT(HASH)
-	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-	{ STATE_MAIN_I2, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-	, P(NONCE) | P(KE) | P(ID), P(VID) | P(CR), PT(HASH)
-	, EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
-
-	/* for states from here on, input message must be encrypted */
-
-	/* STATE_MAIN_R2: I3 --> R3
-	 * SMF_PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
-	 * SMF_DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
-	 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
-	 */
-	{ STATE_MAIN_R2, STATE_MAIN_R3
-	, SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
-	  | SMF_REPLY | SMF_RELEASE_PENDING_P2
-	, P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
-	, EVENT_SA_REPLACE, main_inI3_outR3 },
-
-	{ STATE_MAIN_R2, STATE_MAIN_R3
-	, SMF_DS_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
-	  | SMF_REPLY | SMF_RELEASE_PENDING_P2
-	, P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
-	, EVENT_SA_REPLACE, main_inI3_outR3 },
-
-	{ STATE_MAIN_R2, STATE_UNDEFINED
-	, SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
-	  | SMF_REPLY | SMF_RELEASE_PENDING_P2
-	, P(HASH), P(VID) | P(CR), PT(NONE)
-	, EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
-
-	/* STATE_MAIN_I3: R3 --> done
-	 * SMF_PSK_AUTH: HDR*, IDr1, HASH_R --> done
-	 * SMF_DS_AUTH: HDR*, IDr1, [ CERT, ] SIG_R --> done
-	 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_R --> done
-	 * May initiate quick mode by calling quick_outI1
-	 */
-	{ STATE_MAIN_I3, STATE_MAIN_I4
-	, SMF_PSK_AUTH | SMF_INITIATOR
-	  | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-	, P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
-	, EVENT_SA_REPLACE, main_inR3 },
-
-	{ STATE_MAIN_I3, STATE_MAIN_I4
-	, SMF_DS_AUTH | SMF_INITIATOR
-	  | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-	, P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
-	, EVENT_SA_REPLACE, main_inR3 },
-
-	{ STATE_MAIN_I3, STATE_UNDEFINED
-	, SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_INITIATOR
-	  | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-	, P(HASH), P(VID) | P(CR), PT(NONE)
-	, EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
-
-	/* STATE_MAIN_R3: can only get here due to packet loss */
-	{ STATE_MAIN_R3, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
-	, LEMPTY, LEMPTY
-	, PT(NONE), EVENT_NULL, unexpected },
-
-	/* STATE_MAIN_I4: can only get here due to packet loss */
-	{ STATE_MAIN_I4, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY
-	, PT(NONE), EVENT_NULL, unexpected },
-
-
-	/***** Phase 2 Quick Mode *****/
-
-	/* No state for quick_outI1:
-	 * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
-	 */
-
-	/* STATE_QUICK_R0:
-	 * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
-	 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
-	 * Installs inbound IPsec SAs.
-	 * Because it may suspend for asynchronous DNS, first_out_payload
-	 * is set to NONE to suppress early emission of HDR*.
-	 * ??? it is legal to have multiple SAs, but we don't support it yet.
-	 */
-	{ STATE_QUICK_R0, STATE_QUICK_R1
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
-	, P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
-	, EVENT_RETRANSMIT, quick_inI1_outR1 },
-
-	/* STATE_QUICK_I1:
-	 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
-	 * HDR*, HASH(3)
-	 * Installs inbound and outbound IPsec SAs, routing, etc.
-	 * ??? it is legal to have multiple SAs, but we don't support it yet.
-	 */
-	{ STATE_QUICK_I1, STATE_QUICK_I2
-	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
-	, P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
-	, EVENT_SA_REPLACE, quick_inR1_outI2 },
-
-	/* STATE_QUICK_R1: HDR*, HASH(3) --> done
-	 * Installs outbound IPsec SAs, routing, etc.
-	 */
-	{ STATE_QUICK_R1, STATE_QUICK_R2
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, P(HASH), LEMPTY, PT(NONE)
-	, EVENT_SA_REPLACE, quick_inI2 },
-
-	/* STATE_QUICK_I2: can only happen due to lost packet */
-	{ STATE_QUICK_I2, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-	/* STATE_QUICK_R2: can only happen due to lost packet */
-	{ STATE_QUICK_R2, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-
-	/***** informational messages *****/
-
-	/* STATE_INFO: */
-	{ STATE_INFO, STATE_UNDEFINED
-	, SMF_ALL_AUTH
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, informational },
-
-	/* STATE_INFO_PROTECTED: */
-	{ STATE_INFO_PROTECTED, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, P(HASH), LEMPTY, PT(NONE)
-	, EVENT_NULL, informational },
-
-	/* XAUTH state transitions */
-	{ STATE_XAUTH_I0, STATE_XAUTH_I1
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
-	, P(ATTR) | P(HASH), P(VID), PT(HASH)
-	, EVENT_RETRANSMIT, xauth_inI0 },
-
-	{ STATE_XAUTH_R1, STATE_XAUTH_R2
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, P(ATTR) | P(HASH), P(VID), PT(HASH)
-	, EVENT_RETRANSMIT, xauth_inR1 },
-
-	{ STATE_XAUTH_I1, STATE_XAUTH_I2
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
-	, P(ATTR) | P(HASH), P(VID), PT(HASH)
-	, EVENT_SA_REPLACE, xauth_inI1 },
-
-	{ STATE_XAUTH_R2, STATE_XAUTH_R3
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-	, P(ATTR) | P(HASH), P(VID), PT(NONE)
-	, EVENT_SA_REPLACE, xauth_inR2 },
-
-	{ STATE_XAUTH_I2, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-	{ STATE_XAUTH_R3, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-	/* ModeCfg pull mode state transitions */
-
-	{ STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
-	, P(ATTR) | P(HASH), P(VID), PT(HASH)
-	, EVENT_SA_REPLACE, modecfg_inR0 },
-
-	{ STATE_MODE_CFG_I1, STATE_MODE_CFG_I2
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-	, P(ATTR) | P(HASH), P(VID), PT(HASH)
-	, EVENT_SA_REPLACE, modecfg_inI1 },
-
-	{ STATE_MODE_CFG_R1, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-	{ STATE_MODE_CFG_I2, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-   /* ModeCfg push mode state transitions */
-
-	{ STATE_MODE_CFG_I0, STATE_MODE_CFG_I3
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
-	, P(ATTR) | P(HASH), P(VID), PT(HASH)
-	, EVENT_SA_REPLACE, modecfg_inI0 },
-
-	{ STATE_MODE_CFG_R3, STATE_MODE_CFG_R4
-	, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
-	, P(ATTR) | P(HASH), P(VID), PT(HASH)
-	, EVENT_SA_REPLACE, modecfg_inR3 },
-
-	{ STATE_MODE_CFG_I3, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-	{ STATE_MODE_CFG_R4, STATE_UNDEFINED
-	, SMF_ALL_AUTH | SMF_ENCRYPTED
-	, LEMPTY, LEMPTY, PT(NONE)
-	, EVENT_NULL, unexpected },
-
-#undef P
-#undef PT
-};
-
-void
-init_demux(void)
-{
-	/* fill ike_microcode_index:
-	 * make ike_microcode_index[s] point to first entry in
-	 * state_microcode_table for state s (backward scan makes this easier).
-	 * Check that table is in order -- catch coding errors.
-	 * For what it's worth, this routine is idempotent.
-	 */
-	const struct state_microcode *t;
-
-	for (t = &state_microcode_table[countof(state_microcode_table) - 1];;)
-	{
-		passert(STATE_IKE_FLOOR <= t->state && t->state < STATE_IKE_ROOF);
-		ike_microcode_index[t->state - STATE_IKE_FLOOR] = t;
-		if (t == state_microcode_table)
-			break;
-		t--;
-		passert(t[0].state <= t[1].state);
-	}
-}
-
-/* Process any message on the MSG_ERRQUEUE
- *
- * This information is generated because of the IP_RECVERR socket option.
- * The API is sparsely documented, and may be LINUX-only, and only on
- * fairly recent versions at that (hence the conditional compilation).
- *
- * - ip(7) describes IP_RECVERR
- * - recvmsg(2) describes MSG_ERRQUEUE
- * - readv(2) describes iovec
- * - cmsg(3) describes how to process auxiliary messages
- *
- * ??? we should link this message with one we've sent
- * so that the diagnostic can refer to that negotiation.
- *
- * ??? how long can the messge be?
- *
- * ??? poll(2) has a very incomplete description of the POLL* events.
- * We assume that POLLIN, POLLOUT, and POLLERR are all we need to deal with
- * and that POLLERR will be on iff there is a MSG_ERRQUEUE message.
- *
- * We have to code around a couple of surprises:
- *
- * - Select can say that a socket is ready to read from, and
- *   yet a read will hang.  It turns out that a message available on the
- *   MSG_ERRQUEUE will cause select to say something is pending, but
- *   a normal read will hang.  poll(2) can tell when a MSG_ERRQUEUE
- *   message is pending.
- *
- *   This is dealt with by calling check_msg_errqueue after select
- *   has indicated that there is something to read, but before the
- *   read is performed.  check_msg_errqueue will return TRUE if there
- *   is something left to read.
- *
- * - A write to a socket may fail because there is a pending MSG_ERRQUEUE
- *   message, without there being anything wrong with the write.  This
- *   makes for confusing diagnostics.
- *
- *   To avoid this, we call check_msg_errqueue before a write.  True,
- *   there is a race condition (a MSG_ERRQUEUE message might arrive
- *   between the check and the write), but we should eliminate many
- *   of the problematic events.  To narrow the window, the poll(2)
- *   will await until an event happens (in the case or a write,
- *   POLLOUT; this should be benign for POLLIN).
- */
-
-#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-static bool
-check_msg_errqueue(const struct iface *ifp, short interest)
-{
-	struct pollfd pfd;
-
-	pfd.fd = ifp->fd;
-	pfd.events = interest | POLLPRI | POLLOUT;
-
-	while (pfd.revents = 0
-	, poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLERR))
-	{
-		u_int8_t buffer[3000];  /* hope that this is big enough */
-		union
-		{
-			struct sockaddr sa;
-			struct sockaddr_in sa_in4;
-			struct sockaddr_in6 sa_in6;
-		} from;
-
-		int from_len = sizeof(from);
-
-		int packet_len;
-
-		struct msghdr emh;
-		struct iovec eiov;
-		union {
-			/* force alignment (not documented as necessary) */
-			struct cmsghdr ecms;
-
-			/* how much space is enough? */
-			unsigned char space[256];
-		} ecms_buf;
-
-		struct cmsghdr *cm;
-		char fromstr[sizeof(" for message to  port 65536") + INET6_ADDRSTRLEN];
-		struct state *sender = NULL;
-
-		zero(&from.sa);
-		from_len = sizeof(from);
-
-		emh.msg_name = &from.sa;        /* ??? filled in? */
-		emh.msg_namelen = sizeof(from);
-		emh.msg_iov = &eiov;
-		emh.msg_iovlen = 1;
-		emh.msg_control = &ecms_buf;
-		emh.msg_controllen = sizeof(ecms_buf);
-		emh.msg_flags = 0;
-
-		eiov.iov_base = buffer; /* see readv(2) */
-		eiov.iov_len = sizeof(buffer);
-
-		packet_len = recvmsg(ifp->fd, &emh, MSG_ERRQUEUE);
-
-		if (packet_len == -1)
-		{
-			log_errno((e, "recvmsg(,, MSG_ERRQUEUE) on %s failed in comm_handle"
-				, ifp->rname));
-			break;
-		}
-		else if (packet_len == sizeof(buffer))
-		{
-			plog("MSG_ERRQUEUE message longer than %lu bytes; truncated"
-				, (unsigned long) sizeof(buffer));
-		}
-		else
-		{
-			sender = find_sender((size_t) packet_len, buffer);
-		}
-
-		DBG_cond_dump(DBG_ALL, "rejected packet:\n", buffer, packet_len);
-		DBG_cond_dump(DBG_ALL, "control:\n", emh.msg_control, emh.msg_controllen);
-		/* ??? Andi Kleen <ak@suse.de> and misc documentation
-		 * suggests that name will have the original destination
-		 * of the packet.  We seem to see msg_namelen == 0.
-		 * Andi says that this is a kernel bug and has fixed it.
-		 * Perhaps in 2.2.18/2.4.0.
-		 */
-		passert(emh.msg_name == &from.sa);
-		DBG_cond_dump(DBG_ALL, "name:\n", emh.msg_name
-			, emh.msg_namelen);
-
-		fromstr[0] = '\0';      /* usual case :-( */
-		switch (from.sa.sa_family)
-		{
-		char as[INET6_ADDRSTRLEN];
-
-		case AF_INET:
-			if (emh.msg_namelen == sizeof(struct sockaddr_in))
-				snprintf(fromstr, sizeof(fromstr)
-				, " for message to %s port %u"
-					, inet_ntop(from.sa.sa_family
-					, &from.sa_in4.sin_addr, as, sizeof(as))
-					, ntohs(from.sa_in4.sin_port));
-			break;
-		case AF_INET6:
-			if (emh.msg_namelen == sizeof(struct sockaddr_in6))
-				snprintf(fromstr, sizeof(fromstr)
-					, " for message to %s port %u"
-					, inet_ntop(from.sa.sa_family
-					, &from.sa_in6.sin6_addr, as, sizeof(as))
-					, ntohs(from.sa_in6.sin6_port));
-			break;
-		}
-
-		for (cm = CMSG_FIRSTHDR(&emh)
-		; cm != NULL
-		; cm = CMSG_NXTHDR(&emh,cm))
-		{
-			if (cm->cmsg_level == SOL_IP
-			&& cm->cmsg_type == IP_RECVERR)
-			{
-				/* ip(7) and recvmsg(2) specify:
-				 * ee_origin is SO_EE_ORIGIN_ICMP for ICMP
-				 *  or SO_EE_ORIGIN_LOCAL for locally generated errors.
-				 * ee_type and ee_code are from the ICMP header.
-				 * ee_info is the discovered MTU for EMSGSIZE errors
-				 * ee_data is not used.
-				 *
-				 * ??? recvmsg(2) says "SOCK_EE_OFFENDER" but
-				 * means "SO_EE_OFFENDER".  The OFFENDER is really
-				 * the router that complained.  As such, the port
-				 * is meaningless.
-				 */
-
-				/* ??? cmsg(3) claims that CMSG_DATA returns
-				 * void *, but RFC 2292 and /usr/include/bits/socket.h
-				 * say unsigned char *.  The manual is being fixed.
-				 */
-				struct sock_extended_err *ee = (void *)CMSG_DATA(cm);
-				const char *offstr = "unspecified";
-				char offstrspace[INET6_ADDRSTRLEN];
-				char orname[50];
-
-				if (cm->cmsg_len > CMSG_LEN(sizeof(struct sock_extended_err)))
-				{
-					const struct sockaddr *offender = SO_EE_OFFENDER(ee);
-
-					switch (offender->sa_family)
-					{
-					case AF_INET:
-						offstr = inet_ntop(offender->sa_family
-							, &((const struct sockaddr_in *)offender)->sin_addr
-							, offstrspace, sizeof(offstrspace));
-						break;
-					case AF_INET6:
-						offstr = inet_ntop(offender->sa_family
-							, &((const struct sockaddr_in6 *)offender)->sin6_addr
-							, offstrspace, sizeof(offstrspace));
-						break;
-					default:
-						offstr = "unknown";
-						break;
-					}
-				}
-
-				switch (ee->ee_origin)
-				{
-				case SO_EE_ORIGIN_NONE:
-					snprintf(orname, sizeof(orname), "none");
-					break;
-				case SO_EE_ORIGIN_LOCAL:
-					snprintf(orname, sizeof(orname), "local");
-					break;
-				case SO_EE_ORIGIN_ICMP:
-					snprintf(orname, sizeof(orname)
-						, "ICMP type %d code %d (not authenticated)"
-						, ee->ee_type, ee->ee_code
-						);
-					break;
-				case SO_EE_ORIGIN_ICMP6:
-					snprintf(orname, sizeof(orname)
-						, "ICMP6 type %d code %d (not authenticated)"
-						, ee->ee_type, ee->ee_code
-						);
-					break;
-				default:
-					snprintf(orname, sizeof(orname), "invalid origin %lu"
-						, (unsigned long) ee->ee_origin);
-					break;
-				}
-
-				{
-					struct state *old_state = cur_state;
-
-					cur_state = sender;
-
-					/* note dirty trick to suppress ~ at start of format
-					 * if we know what state to blame.
-					 */
-					if ((packet_len == 1) && (buffer[0] == 0xff)
-#ifdef DEBUG
-						&& ((cur_debugging & DBG_NATT) == 0)
-#endif
-						) {
-							/* don't log NAT-T keepalive related errors unless NATT debug is
-							 * enabled
-							 */
-					}
-					else
-					plog((sender != NULL) + "~"
-						"ERROR: asynchronous network error report on %s"
-						"%s"
-						", complainant %s"
-						": %s"
-						" [errno %lu, origin %s"
-						/* ", pad %d, info %ld" */
-						/* ", data %ld" */
-						"]"
-						, ifp->rname
-						, fromstr
-						, offstr
-						, strerror(ee->ee_errno)
-						, (unsigned long) ee->ee_errno
-						, orname
-						/* , ee->ee_pad, (unsigned long)ee->ee_info */
-						/* , (unsigned long)ee->ee_data */
-						);
-					cur_state = old_state;
-				}
-			}
-			else
-			{
-				/* .cmsg_len is a kernel_size_t(!), but the value
-				 * certainly ought to fit in an unsigned long.
-				 */
-				plog("unknown cmsg: level %d, type %d, len %lu"
-					, cm->cmsg_level, cm->cmsg_type
-					, (unsigned long) cm->cmsg_len);
-			}
-		}
-	}
-	return (pfd.revents & interest) != 0;
-}
-#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
-
-bool
-send_packet(struct state *st, const char *where)
-{
-	connection_t *c = st->st_connection;
-	int port_buf;
-	bool err;
-	u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
-	u_int8_t *ptr;
-	unsigned long len;
-
-	if (c->interface->ike_float && st->st_tpacket.len != 1)
-	{
-		if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
-		{
-			DBG_log("send_packet(): really too big");
-			return FALSE;
-		}
-		ptr = ike_pkt;
-		/** Add Non-ESP marker **/
-		memset(ike_pkt, 0, sizeof(u_int32_t));
-		memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
-			(unsigned long)st->st_tpacket.len);
-		len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
-	}
-	else
-	{
-		ptr = st->st_tpacket.ptr;
-		len = (unsigned long) st->st_tpacket.len;
-	}
-
-	DBG(DBG_RAW,
-		{
-			DBG_log("sending %lu bytes for %s through %s to %s:%u:"
-				, (unsigned long) st->st_tpacket.len
-				, where
-				, c->interface->rname
-				, ip_str(&c->spd.that.host_addr)
-				, (unsigned)c->spd.that.host_port);
-			DBG_dump_chunk(NULL, st->st_tpacket);
-		});
-
-	/* XXX: Not very clean.  We manipulate the port of the ip_address to
-	 * have a port in the sockaddr*, but we retain the original port
-	 * and restore it afterwards.
-	 */
-
-	port_buf = portof(&c->spd.that.host_addr);
-	setportof(htons(c->spd.that.host_port), &c->spd.that.host_addr);
-
-#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-	(void) check_msg_errqueue(c->interface, POLLOUT);
-#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
-
-	err = sendto(c->interface->fd
-		, ptr, len, 0
-		, sockaddrof(&c->spd.that.host_addr)
-		, sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
-
-	/* restore port */
-	setportof(port_buf, &c->spd.that.host_addr);
-
-	if (err)
-	{
-	   /* do not log NAT-T Keep Alive packets */
-		if (streq(where, "NAT-T Keep Alive"))
-			return FALSE;
-		log_errno((e, "sendto on %s to %s:%u failed in %s"
-			, c->interface->rname
-			, ip_str(&c->spd.that.host_addr)
-			, (unsigned)c->spd.that.host_port
-			, where));
-		return FALSE;
-	}
-	else
-	{
-		return TRUE;
-	}
-}
-
-static stf_status
-unexpected(struct msg_digest *md)
-{
-	loglog(RC_LOG_SERIOUS, "unexpected message received in state %s"
-		, enum_name(&state_names, md->st->st_state));
-	return STF_IGNORE;
-}
-
-static stf_status
-informational(struct msg_digest *md UNUSED)
-{
-	struct payload_digest *const n_pld = md->chain[ISAKMP_NEXT_N];
-
-	/* If the Notification Payload is not null... */
-	if (n_pld != NULL)
-	{
-		pb_stream *const n_pbs = &n_pld->pbs;
-		struct isakmp_notification *const n = &n_pld->payload.notification;
-		int disp_len;
-		char disp_buf[200];
-
-		/* Switch on Notification Type (enum) */
-		switch (n->isan_type)
-		{
-		case R_U_THERE:
-			return dpd_inI_outR(md->st, n, n_pbs);
-
-		case R_U_THERE_ACK:
-			return dpd_inR(md->st, n, n_pbs);
-		default:
-			if (pbs_left(n_pbs) >= sizeof(disp_buf)-1)
-				disp_len = sizeof(disp_buf)-1;
-			else
-				disp_len = pbs_left(n_pbs);
-			memcpy(disp_buf, n_pbs->cur, disp_len);
-			disp_buf[disp_len] = '\0';
-			break;
-		}
-	}
-	return STF_IGNORE;
-}
-
-/* message digest allocation and deallocation */
-
-static struct msg_digest *md_pool = NULL;
-
-/* free_md_pool is only used to avoid leak reports */
-void
-free_md_pool(void)
-{
-	for (;;)
-	{
-		struct msg_digest *md = md_pool;
-
-		if (md == NULL)
-			break;
-		md_pool = md->next;
-		free(md);
-	}
-}
-
-static struct msg_digest *
-malloc_md(void)
-{
-	struct msg_digest *md = md_pool;
-
-	/* convenient initializer:
-	 * - all pointers NULL
-	 * - .note = NOTHING_WRONG
-	 * - .encrypted = FALSE
-	 */
-	static const struct msg_digest blank_md = {
-		.next = NULL,
-	};
-
-	if (md == NULL)
-	{
-		md = malloc_thing(struct msg_digest);
-		zero(md);
-	}
-	else
-		md_pool = md->next;
-
-	*md = blank_md;
-	md->digest_roof = md->digest;
-
-	/* note: although there may be multiple msg_digests at once
-	 * (due to suspended state transitions), there is a single
-	 * global reply_buffer.  It will need to be saved and restored.
-	 */
-	init_pbs(&md->reply, reply_buffer, sizeof(reply_buffer), "reply packet");
-
-	return md;
-}
-
-void
-release_md(struct msg_digest *md)
-{
-	chunk_free(&md->raw_packet);
-	free(md->packet_pbs.start);
-	md->packet_pbs.start = NULL;
-	md->next = md_pool;
-	md_pool = md;
-}
-
-/* wrapper for read_packet and process_packet
- *
- * The main purpose of this wrapper is to factor out teardown code
- * from the many return points in process_packet.  This amounts to
- * releasing the msg_digest and resetting global variables.
- *
- * When processing of a packet is suspended (STF_SUSPEND),
- * process_packet sets md to NULL to prevent the msg_digest being freed.
- * Someone else must ensure that msg_digest is freed eventually.
- *
- * read_packet is broken out to minimize the lifetime of the
- * enormous input packet buffer, an auto.
- */
-void
-comm_handle(const struct iface *ifp)
-{
-	static struct msg_digest *md;
-
-#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-	/* Even though select(2) says that there is a message,
-	 * it might only be a MSG_ERRQUEUE message.  At least
-	 * sometimes that leads to a hanging recvfrom.  To avoid
-	 * what appears to be a kernel bug, check_msg_errqueue
-	 * uses poll(2) and tells us if there is anything for us
-	 * to read.
-	 *
-	 * This is early enough that teardown isn't required:
-	 * just return on failure.
-	 */
-	if (!check_msg_errqueue(ifp, POLLIN))
-		return; /* no normal message to read */
-#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
-
-	md = malloc_md();
-	md->iface = ifp;
-
-	if (read_packet(md))
-		process_packet(&md);
-
-	if (md != NULL)
-		release_md(md);
-
-	cur_state = NULL;
-	reset_cur_connection();
-	cur_from = NULL;
-}
-
-/* read the message.
- * Since we don't know its size, we read it into
- * an overly large buffer and then copy it to a
- * new, properly sized buffer.
- */
-static bool
-read_packet(struct msg_digest *md)
-{
-	const struct iface *ifp = md->iface;
-	int packet_len;
-	u_int8_t *buffer;
-	u_int8_t *buffer_nat;
-	union
-	{
-		struct sockaddr sa;
-		struct sockaddr_in sa_in4;
-		struct sockaddr_in6 sa_in6;
-	} from;
-	int from_len = sizeof(from);
-	err_t from_ugh = NULL;
-	static const char undisclosed[] = "unknown source";
-
-	happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
-	zero(&from.sa);
-	ioctl(ifp->fd, FIONREAD, &packet_len);
-	buffer = malloc(packet_len);
-	packet_len = recvfrom(ifp->fd, buffer, packet_len, 0
-		, &from.sa, &from_len);
-
-	/* First: digest the from address.
-	 * We presume that nothing here disturbs errno.
-	 */
-	if (packet_len == -1
-	&& from_len == sizeof(from)
-	&& all_zero((const void *)&from.sa, sizeof(from)))
-	{
-		/* "from" is untouched -- not set by recvfrom */
-		from_ugh = undisclosed;
-	}
-	else if (from_len
-	< (int) (offsetof(struct sockaddr, sa_family) + sizeof(from.sa.sa_family)))
-	{
-		from_ugh = "truncated";
-	}
-	else
-	{
-		const struct af_info *afi = aftoinfo(from.sa.sa_family);
-
-		if (afi == NULL)
-		{
-			from_ugh = "unexpected Address Family";
-		}
-		else if (from_len != (int)afi->sa_sz)
-		{
-			from_ugh = "wrong length";
-		}
-		else
-		{
-			switch (from.sa.sa_family)
-			{
-			case AF_INET:
-				from_ugh = initaddr((void *) &from.sa_in4.sin_addr
-					, sizeof(from.sa_in4.sin_addr), AF_INET, &md->sender);
-				md->sender_port = ntohs(from.sa_in4.sin_port);
-				break;
-			case AF_INET6:
-				from_ugh = initaddr((void *) &from.sa_in6.sin6_addr
-					, sizeof(from.sa_in6.sin6_addr), AF_INET6, &md->sender);
-				md->sender_port = ntohs(from.sa_in6.sin6_port);
-				break;
-			}
-		}
-	}
-
-	/* now we report any actual I/O error */
-	if (packet_len == -1)
-	{
-		if (from_ugh == undisclosed
-		&& errno == ECONNREFUSED)
-		{
-			/* Tone down scary message for vague event:
-			 * We get "connection refused" in response to some
-			 * datagram we sent, but we cannot tell which one.
-			 */
-			plog("some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)");
-		}
-		else if (from_ugh != NULL)
-		{
-			log_errno((e, "recvfrom on %s failed; Pluto cannot decode source sockaddr in rejection: %s"
-				, ifp->rname, from_ugh));
-		}
-		else
-		{
-			log_errno((e, "recvfrom on %s from %s:%u failed"
-				, ifp->rname
-				, ip_str(&md->sender), (unsigned)md->sender_port));
-		}
-		free(buffer);
-		return FALSE;
-	}
-	else if (from_ugh != NULL)
-	{
-		plog("recvfrom on %s returned malformed source sockaddr: %s"
-			, ifp->rname, from_ugh);
-		free(buffer);
-		return FALSE;
-	}
-	cur_from = &md->sender;
-	cur_from_port = md->sender_port;
-
-	if (ifp->ike_float == TRUE)
-	{
-		u_int32_t non_esp;
-
-		if (packet_len < (int)sizeof(u_int32_t))
-		{
-			plog("recvfrom %s:%u too small packet (%d)"
-				, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
-			free(buffer);
-			return FALSE;
-		}
-		memcpy(&non_esp, buffer, sizeof(u_int32_t));
-		if (non_esp != 0)
-		{
-			plog("recvfrom %s:%u has no Non-ESP marker"
-				, ip_str(cur_from), (unsigned) cur_from_port);
-			free(buffer);
-			return FALSE;
-		}
-		packet_len -= sizeof(u_int32_t);
-		buffer_nat = malloc(packet_len);
-		memcpy(buffer_nat, buffer + sizeof(u_int32_t), packet_len);
-		free(buffer);
-		buffer = buffer_nat;
-	}
-
-	/* Clone actual message contents
-	 * and set up md->packet_pbs to describe it.
-	 */
-	init_pbs(&md->packet_pbs, buffer, packet_len, "packet");
-
-	DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
-		{
-			DBG_log(BLANK_FORMAT);
-			DBG_log("*received %d bytes from %s:%u on %s"
-				, (int) pbs_room(&md->packet_pbs)
-				, ip_str(cur_from), (unsigned) cur_from_port
-				, ifp->rname);
-		});
-
-	DBG(DBG_RAW,
-		DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
-
-		if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
-		{
-			/**
-			 * NAT-T Keep-alive packets should be discarded by kernel ESPinUDP
-			 * layer. But bogus keep-alive packets (sent with a non-esp marker)
-			 * can reach this point. Complain and discard them.
-			 */
-			DBG(DBG_NATT,
-				DBG_log("NAT-T keep-alive (bogus ?) should not reach this point. "
-						"Ignored. Sender: %s:%u", ip_str(cur_from),
-						(unsigned) cur_from_port);
-			)
-			return FALSE;
-		}
-
-#define IKEV2_VERSION_OFFSET    17
-#define IKEV2_VERSION           0x20
-
-	/* ignore IKEv2 packets - they will be handled by charon */
-	if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
-	&&  (md->packet_pbs.start[IKEV2_VERSION_OFFSET] & 0xF0) == IKEV2_VERSION)
-	{
-		DBG(DBG_CONTROLMORE,
-			DBG_log("  ignoring IKEv2 packet")
-		)
-		return FALSE;
-	}
-
-	return TRUE;
-}
-
-/* process an input packet, possibly generating a reply.
- *
- * If all goes well, this routine eventually calls a state-specific
- * transition function.
- */
-static void
-process_packet(struct msg_digest **mdp)
-{
-	struct msg_digest *md = *mdp;
-	const struct state_microcode *smc;
-	bool new_iv_set = FALSE;
-	bool restore_iv = FALSE;
-	u_char new_iv[MAX_DIGEST_LEN];
-	u_int new_iv_len = 0;
-
-	struct state *st = NULL;
-	enum state_kind from_state = STATE_UNDEFINED;       /* state we started in */
-
-#define SEND_NOTIFICATION(t) { \
-	if (st) send_notification_from_state(st, from_state, t); \
-	else send_notification_from_md(md, t); }
-
-	if (!in_struct(&md->hdr, &isakmp_hdr_desc, &md->packet_pbs, &md->message_pbs))
-	{
-		/* Identify specific failures:
-		 * - bad ISAKMP major/minor version numbers
-		 */
-		if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size)
-		{
-			struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
-			if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
-			{
-				SEND_NOTIFICATION(ISAKMP_INVALID_MAJOR_VERSION);
-				return;
-			}
-			else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
-			{
-				SEND_NOTIFICATION(ISAKMP_INVALID_MINOR_VERSION);
-				return;
-			}
-		}
-		SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-		return;
-	}
-
-	if (md->packet_pbs.roof != md->message_pbs.roof)
-	{
-		plog("size (%u) differs from size specified in ISAKMP HDR (%u)"
-			, (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
-#ifdef CISCO_QUIRKS
-		if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16)
-			plog("Cisco VPN client appends 16 surplus NULL bytes");
-		else
-#endif
-		return;
-	}
-
-	switch (md->hdr.isa_xchg)
-	{
-#ifdef NOTYET
-	case ISAKMP_XCHG_NONE:
-	case ISAKMP_XCHG_BASE:
-#endif
-
-	case ISAKMP_XCHG_IDPROT:    /* part of a Main Mode exchange */
-		if (md->hdr.isa_msgid != MAINMODE_MSGID)
-		{
-			plog("Message ID was 0x%08lx but should be zero in Main Mode",
-				(unsigned long) md->hdr.isa_msgid);
-			SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
-			return;
-		}
-
-		if (is_zero_cookie(md->hdr.isa_icookie))
-		{
-			plog("Initiator Cookie must not be zero in Main Mode message");
-			SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
-			return;
-		}
-
-		if (is_zero_cookie(md->hdr.isa_rcookie))
-		{
-			/* initial message from initiator
-			 * ??? what if this is a duplicate of another message?
-			 */
-			if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
-			{
-				plog("initial Main Mode message is invalid:"
-					" its Encrypted Flag is on");
-				SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
-				return;
-			}
-
-			/* don't build a state until the message looks tasty */
-			from_state = STATE_MAIN_R0;
-		}
-		else
-		{
-			/* not an initial message */
-
-			st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-				, &md->sender, md->hdr.isa_msgid);
-
-			if (st == NULL)
-			{
-				/* perhaps this is a first message from the responder
-				 * and contains a responder cookie that we've not yet seen.
-				 */
-				st = find_state(md->hdr.isa_icookie, zero_cookie
-					, &md->sender, md->hdr.isa_msgid);
-
-				if (st == NULL)
-				{
-					plog("Main Mode message is part of an unknown exchange");
-					/* XXX Could send notification back */
-					return;
-				}
-			}
-			set_cur_state(st);
-			from_state = st->st_state;
-		}
-		break;
-
-#ifdef NOTYET
-	case ISAKMP_XCHG_AO:
-	case ISAKMP_XCHG_AGGR:
-#endif
-
-	case ISAKMP_XCHG_INFO:      /* an informational exchange */
-		st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-			, &md->sender, MAINMODE_MSGID);
-
-		if (st != NULL)
-			set_cur_state(st);
-
-		if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
-		{
-			if (st == NULL)
-			{
-				plog("Informational Exchange is for an unknown (expired?) SA");
-				/* XXX Could send notification back */
-				return;
-			}
-
-			if (!IS_ISAKMP_ENCRYPTED(st->st_state))
-			{
-				loglog(RC_LOG_SERIOUS, "encrypted Informational Exchange message is invalid"
-					" because no key is known");
-				/* XXX Could send notification back */
-				return;
-			}
-
-			if (md->hdr.isa_msgid == MAINMODE_MSGID)
-			{
-				loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
-					" it has a Message ID of 0");
-				/* XXX Could send notification back */
-				return;
-			}
-
-			if (!reserve_msgid(st, md->hdr.isa_msgid))
-			{
-				loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
-					" it has a previously used Message ID (0x%08lx)"
-					, (unsigned long)md->hdr.isa_msgid);
-				/* XXX Could send notification back */
-				return;
-			}
-
-			if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-			{
-				memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
-				st->st_ph1_iv_len = st->st_new_iv_len;
-
-				/* backup new_iv */
-				new_iv_len = st->st_new_iv_len;
-				passert(new_iv_len <= MAX_DIGEST_LEN)
-				memcpy(new_iv, st->st_new_iv, new_iv_len);
-				restore_iv = TRUE;
-			}
-			init_phase2_iv(st, &md->hdr.isa_msgid);
-			new_iv_set = TRUE;
-
-			from_state = STATE_INFO_PROTECTED;
-		}
-		else
-		{
-			if (st != NULL && IS_ISAKMP_ENCRYPTED(st->st_state))
-			{
-				loglog(RC_LOG_SERIOUS, "Informational Exchange message"
-					" must be encrypted");
-				/* XXX Could send notification back */
-				return;
-			}
-			from_state = STATE_INFO;
-		}
-		break;
-
-	case ISAKMP_XCHG_QUICK:     /* part of a Quick Mode exchange */
-		if (is_zero_cookie(md->hdr.isa_icookie))
-		{
-			plog("Quick Mode message is invalid because"
-				" it has an Initiator Cookie of 0");
-			SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
-			return;
-		}
-
-		if (is_zero_cookie(md->hdr.isa_rcookie))
-		{
-			plog("Quick Mode message is invalid because"
-				" it has a Responder Cookie of 0");
-			SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
-			return;
-		}
-
-		if (md->hdr.isa_msgid == MAINMODE_MSGID)
-		{
-			plog("Quick Mode message is invalid because"
-				" it has a Message ID of 0");
-			SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
-			return;
-		}
-
-		st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-			, &md->sender, md->hdr.isa_msgid);
-
-		if (st == NULL)
-		{
-			/* No appropriate Quick Mode state.
-			 * See if we have a Main Mode state.
-			 * ??? what if this is a duplicate of another message?
-			 */
-			st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-				, &md->sender, MAINMODE_MSGID);
-
-			if (st == NULL)
-			{
-				plog("Quick Mode message is for a non-existent (expired?)"
-					" ISAKMP SA");
-				/* XXX Could send notification back */
-				return;
-			}
-
-			set_cur_state(st);
-
-			if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-			{
-				loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
-					" it is for an incomplete ISAKMP SA");
-				SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
-				return;
-			}
-
-			/* only accept this new Quick Mode exchange if it has a unique message ID */
-			if (!reserve_msgid(st, md->hdr.isa_msgid))
-			{
-				loglog(RC_LOG_SERIOUS, "Quick Mode I1 message is unacceptable because"
-					" it uses a previously used Message ID 0x%08lx"
-					" (perhaps this is a duplicated packet)"
-					, (unsigned long) md->hdr.isa_msgid);
-				SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
-				return;
-			}
-
-			/* Quick Mode Initial IV */
-			init_phase2_iv(st, &md->hdr.isa_msgid);
-			new_iv_set = TRUE;
-
-			from_state = STATE_QUICK_R0;
-		}
-		else
-		{
-			set_cur_state(st);
-			from_state = st->st_state;
-		}
-
-		break;
-
-	case ISAKMP_XCHG_MODE_CFG:
-		if (is_zero_cookie(md->hdr.isa_icookie))
-		{
-			plog("ModeCfg message is invalid because"
-				" it has an Initiator Cookie of 0");
-			/* XXX Could send notification back */
-			return;
-		}
-
-		if (is_zero_cookie(md->hdr.isa_rcookie))
-		{
-			plog("ModeCfg message is invalid because"
-				" it has a Responder Cookie of 0");
-			/* XXX Could send notification back */
-			return;
-		}
-
-		if (md->hdr.isa_msgid == 0)
-		{
-			plog("ModeCfg message is invalid because"
-				" it has a Message ID of 0");
-			/* XXX Could send notification back */
-			return;
-		}
-
-		st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-						, &md->sender, md->hdr.isa_msgid);
-
-		if (st == NULL)
-		{
-			bool has_xauth_policy;
-
-			/* No appropriate ModeCfg state.
-			 * See if we have a Main Mode state.
-			 * ??? what if this is a duplicate of another message?
-			 */
-			st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
-							, &md->sender, 0);
-
-			if (st == NULL)
-			{
-				plog("ModeCfg message is for a non-existent (expired?)"
-					" ISAKMP SA");
-				/* XXX Could send notification back */
-				return;
-			}
-
-			set_cur_state(st);
-
-			/* the XAUTH_STATUS message might have a new msgid */
-			if (st->st_state == STATE_XAUTH_I1)
-			{
-				init_phase2_iv(st, &md->hdr.isa_msgid);
-				new_iv_set = TRUE;
-				from_state = st->st_state;
-				break;
-			}
-
-			if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-			{
-				loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
-						" it is for an incomplete ISAKMP SA (state=%s)"
-						, enum_name(&state_names, st->st_state));
-				/* XXX Could send notification back */
-				return;
-			}
-			init_phase2_iv(st, &md->hdr.isa_msgid);
-			new_iv_set = TRUE;
-
-			/*
-			 * okay, now we have to figure out if we are receiving a bogus
-			 * new message in an outstanding XAUTH server conversation
-			 * (i.e. a reply to our challenge)
-			 * (this occurs with some broken other implementations).
-			 *
-			 * or if receiving for the first time, an XAUTH challenge.
-			 *
-			 * or if we are getting a MODECFG request.
-			 *
-			 * we distinguish these states because we can not both be an
-			 * XAUTH server and client, and our policy tells us which
-			 * one we are.
-			 *
-			 * to complicate further, it is normal to start a new msgid
-			 * when going from one state to another, or when restarting
-			 * the challenge.
-			 *
-			 */
-
-			has_xauth_policy = (st->st_connection->policy
-							   & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
-							   != LEMPTY;
-
-			if (has_xauth_policy && !st->st_xauth.started
-			&& IS_PHASE1(st->st_state))
-			{
-				from_state = STATE_XAUTH_I0;
-			}
-			else if (st->st_connection->spd.that.modecfg
-			&& IS_PHASE1(st->st_state))
-			{
-				from_state = STATE_MODE_CFG_R0;
-			}
-			else if (st->st_connection->spd.this.modecfg
-			&& IS_PHASE1(st->st_state))
-			{
-				from_state = STATE_MODE_CFG_I0;
-			}
-			else
-			{
-				/* XXX check if we are being a mode config server here */
-				plog("received ModeCfg message when in state %s, and we aren't mode config client"
-					 , enum_name(&state_names, st->st_state));
-				return;
-			}
-		}
-		else
-		{
-			set_cur_state(st);
-			from_state = st->st_state;
-		}
-		break;
-
-#ifdef NOTYET
-	case ISAKMP_XCHG_NGRP:
-	case ISAKMP_XCHG_ACK_INFO:
-#endif
-
-	default:
-		plog("unsupported exchange type %s in message"
-			, enum_show(&exchange_names, md->hdr.isa_xchg));
-		SEND_NOTIFICATION(ISAKMP_UNSUPPORTED_EXCHANGE_TYPE);
-		return;
-	}
-
-	/* We have found a from_state, and perhaps a state object.
-	 * If we need to build a new state object,
-	 * we wait until the packet has been sanity checked.
-	 */
-
-	/* We don't support the Commit Flag.  It is such a bad feature.
-	 * It isn't protected -- neither encrypted nor authenticated.
-	 * A man in the middle turns it on, leading to DoS.
-	 * We just ignore it, with a warning.
-	 * By placing the check here, we could easily add a policy bit
-	 * to a connection to suppress the warning.  This might be useful
-	 * because the Commit Flag is expected from some peers.
-	 */
-	if (md->hdr.isa_flags & ISAKMP_FLAG_COMMIT)
-	{
-		plog("IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag");
-	}
-
-	/* Set smc to describe this state's properties.
-	 * Look up the appropriate microcode based on state and
-	 * possibly Oakley Auth type.
-	 */
-	passert(STATE_IKE_FLOOR <= from_state && from_state < STATE_IKE_ROOF);
-	smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
-
-	if (st != NULL)
-	{
-		u_int16_t auth;
-
-		switch (st->st_oakley.auth)
-		{
-		case XAUTHInitPreShared:
-		case XAUTHRespPreShared:
-			auth = OAKLEY_PRESHARED_KEY;
-			break;
-		case XAUTHInitRSA:
-		case XAUTHRespRSA:
-			auth = OAKLEY_RSA_SIG;
-			break;
-		default:
-			auth = st->st_oakley.auth;
-		}
-
-		while (!LHAS(smc->flags, auth))
-		{
-			smc++;
-			passert(smc->state == from_state);
-		}
-	}
-
-	/* Ignore a packet if the state has a suspended state transition
-	 * Probably a duplicated packet but the original packet is not yet
-	 * recorded in st->st_rpacket, so duplicate checking won't catch.
-	 * ??? Should the packet be recorded earlier to improve diagnosis?
-	 */
-	if (st != NULL && st->st_suspended_md != NULL)
-	{
-		loglog(RC_LOG, "discarding packet received during DNS lookup in %s"
-			, enum_name(&state_names, st->st_state));
-		return;
-	}
-
-	/* Detect and handle duplicated packets.
-	 * This won't work for the initial packet of an exchange
-	 * because we won't have a state object to remember it.
-	 * If we are in a non-receiving state (terminal), and the preceding
-	 * state did transmit, then the duplicate may indicate that that
-	 * transmission wasn't received -- retransmit it.
-	 * Otherwise, just discard it.
-	 * ??? Notification packets are like exchanges -- I hope that
-	 * they are idempotent!
-	 */
-	if (st != NULL
-	&& st->st_rpacket.ptr != NULL
-	&& st->st_rpacket.len == pbs_room(&md->packet_pbs)
-	&& memeq(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len))
-	{
-		if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
-		{
-			if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
-			{
-				st->st_retransmit++;
-				loglog(RC_RETRANSMISSION
-					, "retransmitting in response to duplicate packet; already %s"
-					, enum_name(&state_names, st->st_state));
-				send_packet(st, "retransmit in response to duplicate");
-			}
-			else
-			{
-				loglog(RC_LOG_SERIOUS, "discarding duplicate packet -- exhausted retransmission; already %s"
-					, enum_name(&state_names, st->st_state));
-			}
-		}
-		else
-		{
-			loglog(RC_LOG_SERIOUS, "discarding duplicate packet; already %s"
-				, enum_name(&state_names, st->st_state));
-		}
-		return;
-	}
-
-	if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
-	{
-		DBG(DBG_CRYPT, DBG_log("received encrypted packet from %s:%u"
-			, ip_str(&md->sender), (unsigned)md->sender_port));
-
-		if (st == NULL)
-		{
-			plog("discarding encrypted message for an unknown ISAKMP SA");
-			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
-			return;
-		}
-		if (st->st_skeyid_e.ptr == (u_char *) NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "discarding encrypted message"
-				" because we haven't yet negotiated keying materiel");
-			SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
-			return;
-		}
-
-		/* Mark as encrypted */
-		md->encrypted = TRUE;
-
-		DBG(DBG_CRYPT, DBG_log("decrypting %u bytes using algorithm %s"
-			, (unsigned) pbs_left(&md->message_pbs)
-			, enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
-
-		/* do the specified decryption
-		 *
-		 * IV is from st->st_iv or (if new_iv_set) st->st_new_iv.
-		 * The new IV is placed in st->st_new_iv
-		 *
-		 * See RFC 2409 "IKE" Appendix B
-		 *
-		 * XXX The IV should only be updated really if the packet
-		 * is successfully processed.
-		 * We should keep this value, check for a success return
-		 * value from the parsing routines and then replace.
-		 *
-		 * Each post phase 1 exchange generates IVs from
-		 * the last phase 1 block, not the last block sent.
-		 */
-		{
-			size_t crypter_block_size, crypter_iv_size;
-			encryption_algorithm_t enc_alg;
-			crypter_t *crypter;
-			chunk_t data, iv;
-		    char *new_iv;
-
-			enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
-			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
-			crypter_block_size = crypter->get_block_size(crypter);
-			crypter_iv_size = crypter->get_iv_size(crypter);
-
-			if (pbs_left(&md->message_pbs) % crypter_block_size != 0)
-			{
-				loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
-				SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-				return;
-			}
-
-			/* XXX Detect weak keys */
-
-			/* grab a copy of raw packet (for duplicate packet detection) */
-			md->raw_packet = chunk_create(md->packet_pbs.start, pbs_room(&md->packet_pbs));
-			md->raw_packet = chunk_clone(md->raw_packet);
-
-			data = chunk_create(md->message_pbs.cur, pbs_left(&md->message_pbs));
-
-			/* Decrypt everything after header */
-			if (!new_iv_set)
-			{
-				/* use old IV */
-				passert(st->st_iv_len <= sizeof(st->st_new_iv));
-				st->st_new_iv_len = st->st_iv_len;
-				memcpy(st->st_new_iv, st->st_iv, st->st_new_iv_len);
-			}
-
-			/* form iv by truncation */
-			st->st_new_iv_len = crypter_iv_size;
-			iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
-			new_iv = alloca(crypter_iv_size);
-			memcpy(new_iv, data.ptr + data.len - crypter_iv_size,
-				   crypter_iv_size);
-
-			crypter->set_key(crypter, st->st_enc_key);
-			crypter->decrypt(crypter, data, iv, NULL);
-			crypter->destroy(crypter);
-
-			memcpy(st->st_new_iv, new_iv, crypter_iv_size);
-			if (restore_iv)
-			{
-				memcpy(st->st_new_iv, new_iv, new_iv_len);
-				st->st_new_iv_len = new_iv_len;
-			}
-		}
-
-		DBG_cond_dump(DBG_CRYPT, "decrypted:\n", md->message_pbs.cur
-			, md->message_pbs.roof - md->message_pbs.cur);
-
-		DBG_cond_dump(DBG_CRYPT, "next IV:"
-			, st->st_new_iv, st->st_new_iv_len);
-	}
-	else
-	{
-		/* packet was not encryped -- should it have been? */
-
-		if (smc->flags & SMF_INPUT_ENCRYPTED)
-		{
-			loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
-			SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
-			return;
-		}
-	}
-
-	/* Digest the message.
-	 * Padding must be removed to make hashing work.
-	 * Padding comes from encryption (so this code must be after decryption).
-	 * Padding rules are described before the definition of
-	 * struct isakmp_hdr in packet.h.
-	 */
-	{
-		struct payload_digest *pd = md->digest;
-		int np = md->hdr.isa_np;
-		lset_t needed = smc->req_payloads;
-		const char *excuse
-			= LIN(SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT, smc->flags)
-				? "probable authentication failure (mismatch of preshared secrets?): "
-				: "";
-
-		while (np != ISAKMP_NEXT_NONE)
-		{
-			struct_desc *sd = np < ISAKMP_NEXT_ROOF? payload_descs[np] : NULL;
-
-			if (pd == &md->digest[PAYLIMIT])
-			{
-				loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
-				SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-				return;
-			}
-
-			switch (np)
-			{
-				case ISAKMP_NEXT_NATD_RFC:
-				case ISAKMP_NEXT_NATOA_RFC:
-					if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
-					{
-						/*
-						 * don't accept NAT-D/NAT-OA reloc directly in message, unless
-						 * we're using NAT-T RFC
-						 */
-						sd = NULL;
-					}
-					break;
-			}
-
-			if (sd == NULL)
-			{
-				/* payload type is out of range or requires special handling */
-				switch (np)
-				{
-				case ISAKMP_NEXT_ID:
-					sd = IS_PHASE1(from_state)
-						? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
-					break;
-				case ISAKMP_NEXT_NATD_DRAFTS:
-					np = ISAKMP_NEXT_NATD_RFC;  /* NAT-D relocated */
-					sd = payload_descs[np];
-					break;
-				case ISAKMP_NEXT_NATOA_DRAFTS:
-					np = ISAKMP_NEXT_NATOA_RFC;  /* NAT-OA relocated */
-					sd = payload_descs[np];
-					break;
-				default:
-					loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
-						" unexpected payload type (%s) at the outermost level"
-						, excuse, enum_show(&payload_names, np));
-					SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
-					return;
-				}
-			}
-
-			{
-				lset_t s = LELEM(np);
-
-				if (LDISJOINT(s
-				, needed | smc->opt_payloads| LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D)))
-				{
-					loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
-						   "contains an unexpected payload type (%s)"
-						, excuse, enum_show(&payload_names, np));
-					SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
-					return;
-				}
-				needed &= ~s;
-			}
-
-			if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs))
-			{
-				loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
-				if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
-					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-				return;
-			}
-
-			/* place this payload at the end of the chain for this type */
-			{
-				struct payload_digest **p;
-
-				for (p = &md->chain[np]; *p != NULL; p = &(*p)->next)
-					;
-				*p = pd;
-				pd->next = NULL;
-			}
-
-			np = pd->payload.generic.isag_np;
-			pd++;
-
-			/* since we've digested one payload happily, it is probably
-			 * the case that any decryption worked.  So we will not suggest
-			 * encryption failure as an excuse for subsequent payload
-			 * problems.
-			 */
-			excuse = "";
-		}
-
-		md->digest_roof = pd;
-
-		DBG(DBG_PARSING,
-			if (pbs_left(&md->message_pbs) != 0)
-				DBG_log("removing %d bytes of padding", (int) pbs_left(&md->message_pbs)));
-
-		md->message_pbs.roof = md->message_pbs.cur;
-
-		/* check that all mandatory payloads appeared */
-
-		if (needed != 0)
-		{
-			loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
-				, enum_show(&state_names, from_state)
-				, bitnamesof(payload_name, needed));
-			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-			return;
-		}
-	}
-
-	/* more sanity checking: enforce most ordering constraints */
-
-	if (IS_PHASE1(from_state))
-	{
-		/* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
-		 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
-		 */
-		if (md->chain[ISAKMP_NEXT_SA] != NULL
-		&& md->hdr.isa_np != ISAKMP_NEXT_SA)
-		{
-			loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
-			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-			return;
-		}
-	}
-	else if (IS_QUICK(from_state))
-	{
-		/* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode
-		 *
-		 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
-		 *  header and a SA payload MUST immediately follow the HASH."
-		 * [NOTE: there may be more than one SA payload, so this is not
-		 *  totally reasonable.  Probably all SAs should be so constrained.]
-		 *
-		 * "If ISAKMP is acting as a client negotiator on behalf of another
-		 *  party, the identities of the parties MUST be passed as IDci and
-		 *  then IDcr."
-		 *
-		 * "With the exception of the HASH, SA, and the optional ID payloads,
-		 *  there are no payload ordering restrictions on Quick Mode."
-		 */
-
-		if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
-		{
-			loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
-			SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-			return;
-		}
-
-		{
-			struct payload_digest *p;
-			int i;
-
-			for (p = md->chain[ISAKMP_NEXT_SA], i = 1; p != NULL
-			; p = p->next, i++)
-			{
-				if (p != &md->digest[i])
-				{
-					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
-					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-					return;
-				}
-			}
-		}
-
-		/* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode:
-		 * "If ISAKMP is acting as a client negotiator on behalf of another
-		 *  party, the identities of the parties MUST be passed as IDci and
-		 *  then IDcr."
-		 */
-		{
-			struct payload_digest *id = md->chain[ISAKMP_NEXT_ID];
-
-			if (id != NULL)
-			{
-				if (id->next == NULL || id->next->next != NULL)
-				{
-					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
-						" if any ID payload is present,"
-						" there must be exactly two");
-					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-					return;
-				}
-				if (id+1 != id->next)
-				{
-					loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
-						" the ID payloads are not adjacent");
-					SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
-					return;
-				}
-			}
-		}
-	}
-
-	/* Ignore payloads that we don't handle:
-	 * Delete, Notification, VendorID
-	 */
-	/* XXX Handle deletions */
-	/* XXX Handle Notifications */
-	/* XXX Handle VID payloads */
-	{
-		struct payload_digest *p;
-
-		for (p = md->chain[ISAKMP_NEXT_N]; p != NULL; p = p->next)
-		{
-			if (p->payload.notification.isan_type != R_U_THERE
-			&&  p->payload.notification.isan_type != R_U_THERE_ACK)
-			{
-				loglog(RC_LOG_SERIOUS, "ignoring informational payload, type %s"
-					, enum_show(&notification_names, p->payload.notification.isan_type));
-			}
-			DBG_cond_dump(DBG_PARSING, "info:", p->pbs.cur, pbs_left(&p->pbs));
-		}
-
-		for (p = md->chain[ISAKMP_NEXT_D]; p != NULL; p = p->next)
-		{
-			accept_delete(st, md, p);
-			DBG_cond_dump(DBG_PARSING, "del:", p->pbs.cur, pbs_left(&p->pbs));
-		}
-
-		for (p = md->chain[ISAKMP_NEXT_VID]; p != NULL; p = p->next)
-		{
-			handle_vendorid(md, p->pbs.cur, pbs_left(&p->pbs));
-		}
-	}
-	md->from_state = from_state;
-	md->smc = smc;
-	md->st = st;
-
-	/* possibly fill in hdr */
-	if (smc->first_out_payload != ISAKMP_NEXT_NONE)
-		echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
-			, smc->first_out_payload);
-
-	complete_state_transition(mdp, smc->processor(md));
-}
-
-/* complete job started by the state-specific state transition function */
-
-void
-complete_state_transition(struct msg_digest **mdp, stf_status result)
-{
-	bool has_xauth_policy;
-	bool is_xauth_server;
-	struct msg_digest *md = *mdp;
-	const struct state_microcode *smc = md->smc;
-	enum state_kind from_state = md->from_state;
-	struct state *st;
-
-	cur_state = st = md->st;    /* might have changed */
-
-	/* If state has DPD support, import it */
-	if (st && md->dpd)
-		st->st_dpd = TRUE;
-
-	switch (result)
-	{
-		case STF_IGNORE:
-			break;
-
-		case STF_SUSPEND:
-			/* the stf didn't complete its job: don't relase md */
-			*mdp = NULL;
-			break;
-
-		case STF_OK:
-			/* advance the state */
-			st->st_state = smc->next_state;
-
-			/* Delete previous retransmission event.
-			 * New event will be scheduled below.
-			 */
-			delete_event(st);
-
-			/* replace previous receive packet with latest */
-
-			free(st->st_rpacket.ptr);
-
-			if (md->encrypted)
-			{
-				/* if encrypted, duplication already done */
-				st->st_rpacket = md->raw_packet;
-				md->raw_packet.ptr = NULL;
-			}
-			else
-			{
-				st->st_rpacket = chunk_create(md->packet_pbs.start,
-											  pbs_room(&md->packet_pbs));
-				st->st_rpacket = chunk_clone(st->st_rpacket);
-			}
-
-			/* free previous transmit packet */
-			chunk_free(&st->st_tpacket);
-
-			/* if requested, send the new reply packet */
-			if (smc->flags & SMF_REPLY)
-			{
-				close_output_pbs(&md->reply);   /* good form, but actually a no-op */
-
-				st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
-				st->st_tpacket = chunk_clone(st->st_tpacket);
-
-				if (nat_traversal_enabled)
-					nat_traversal_change_port_lookup(md, md->st);
-
-				/* actually send the packet
-				 * Note: this is a great place to implement "impairments"
-				 * for testing purposes.  Suppress or duplicate the
-				 * send_packet call depending on st->st_state.
-				 */
-				send_packet(st, enum_name(&state_names, from_state));
-			}
-
-			/* Schedule for whatever timeout is specified */
-			{
-				time_t delay = UNDEFINED_TIME;
-				enum event_type kind = smc->timeout_event;
-				bool agreed_time = FALSE;
-				connection_t *c = st->st_connection;
-
-				switch (kind)
-				{
-				case EVENT_RETRANSMIT:  /* Retransmit packet */
-					delay = EVENT_RETRANSMIT_DELAY_0;
-					break;
-
-				case EVENT_SA_REPLACE:  /* SA replacement event */
-					if (IS_PHASE1(st->st_state))
-					{
-						/* Note: we will defer to the "negotiated" (dictated)
-						 * lifetime if we are POLICY_DONT_REKEY.
-						 * This allows the other side to dictate
-						 * a time we would not otherwise accept
-						 * but it prevents us from having to initiate
-						 * rekeying.  The negative consequences seem
-						 * minor.
-						 */
-						delay = c->sa_ike_life_seconds;
-						if ((c->policy & POLICY_DONT_REKEY)
-						|| delay >= st->st_oakley.life_seconds)
-						{
-							agreed_time = TRUE;
-							delay = st->st_oakley.life_seconds;
-						}
-					}
-					else
-					{
-						/* Delay is min of up to four things:
-						 * each can limit the lifetime.
-						 */
-						delay = c->sa_ipsec_life_seconds;
-						if (st->st_ah.present
-						&& delay >= st->st_ah.attrs.life_seconds)
-						{
-							agreed_time = TRUE;
-							delay = st->st_ah.attrs.life_seconds;
-						}
-						if (st->st_esp.present
-						&& delay >= st->st_esp.attrs.life_seconds)
-						{
-							agreed_time = TRUE;
-							delay = st->st_esp.attrs.life_seconds;
-						}
-						if (st->st_ipcomp.present
-						&& delay >= st->st_ipcomp.attrs.life_seconds)
-						{
-							agreed_time = TRUE;
-							delay = st->st_ipcomp.attrs.life_seconds;
-						}
-					}
-
-					/* By default, we plan to rekey.
-					 *
-					 * If there isn't enough time to rekey, plan to
-					 * expire.
-					 *
-					 * If we are --dontrekey, a lot more rules apply.
-					 * If we are the Initiator, use REPLACE_IF_USED.
-					 * If we are the Responder, and the dictated time
-					 * was unacceptable (too large), plan to REPLACE
-					 * (the only way to ratchet down the time).
-					 * If we are the Responder, and the dictated time
-					 * is acceptable, plan to EXPIRE.
-					 *
-					 * Important policy lies buried here.
-					 * For example, we favour the initiator over the
-					 * responder by making the initiator start rekeying
-					 * sooner.  Also, fuzz is only added to the
-					 * initiator's margin.
-					 *
-					 * Note: for ISAKMP SA, we let the negotiated
-					 * time stand (implemented by earlier logic).
-					 */
-					if (agreed_time
-					&& (c->policy & POLICY_DONT_REKEY))
-					{
-						kind = (smc->flags & SMF_INITIATOR)
-							? EVENT_SA_REPLACE_IF_USED
-							: EVENT_SA_EXPIRE;
-					}
-					if (kind != EVENT_SA_EXPIRE)
-					{
-						unsigned long marg = c->sa_rekey_margin;
-
-						if (smc->flags & SMF_INITIATOR)
-							marg += marg
-								* c->sa_rekey_fuzz / 100.E0
-								* (rand() / (RAND_MAX + 1.E0));
-						else
-							marg /= 2;
-
-						if ((unsigned long)delay > marg)
-						{
-							delay -= marg;
-							st->st_margin = marg;
-						}
-						else
-						{
-							kind = EVENT_SA_EXPIRE;
-						}
-					}
-					break;
-
-				case EVENT_NULL:                /* non-event */
-				case EVENT_REINIT_SECRET:       /* Refresh cookie secret */
-				default:
-					bad_case(kind);
-				}
-				event_schedule(kind, delay, st);
-			}
-
-			/* tell whack and log of progress */
-			{
-				const char *story = state_story[st->st_state];
-				enum rc_type w = RC_NEW_STATE + st->st_state;
-				char sadetails[128];
-
-				sadetails[0]='\0';
-
-				if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-				{
-					char *b = sadetails;
-					const char *ini = " {";
-					const char *fin = "";
-
-					/* -1 is to leave space for "fin" */
-
-					if (st->st_esp.present)
-					{
-						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-								 , "%sESP=>0x%08x <0x%08x"
-								 , ini
-								 , ntohl(st->st_esp.attrs.spi)
-								 , ntohl(st->st_esp.our_spi));
-						ini = " ";
-						fin = "}";
-					}
-					/* advance b to end of string */
-					b = b + strlen(b);
-
-					if (st->st_ah.present)
-					{
-						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-								 , "%sAH=>0x%08x <0x%08x"
-								 , ini
-								 , ntohl(st->st_ah.attrs.spi)
-								 , ntohl(st->st_ah.our_spi));
-						ini = " ";
-						fin = "}";
-					}
-					/* advance b to end of string */
-					b = b + strlen(b);
-
-					if (st->st_ipcomp.present)
-					{
-						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-								 , "%sIPCOMP=>0x%08x <0x%08x"
-								 , ini
-								 , ntohl(st->st_ipcomp.attrs.spi)
-								 , ntohl(st->st_ipcomp.our_spi));
-						ini = " ";
-						fin = "}";
-					}
-					/* advance b to end of string */
-					b = b + strlen(b);
-
-					if (st->nat_traversal)
-					{
-						char oa[ADDRTOT_BUF];
-						addrtot(&st->nat_oa, 0, oa, sizeof(oa));
-						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-								 , "%sNATOA=%s"
-								 , ini, oa);
-						ini = " ";
-						fin = "}";
-					}
-
-					/* advance b to end of string */
-					b = b + strlen(b);
-
-					if (st->st_dpd)
-					{
-						snprintf(b, sizeof(sadetails)-(b-sadetails)-1
-								 , "%sDPD"
-								 , ini);
-						ini = " ";
-						fin = "}";
-					}
-
-					strcat(b, fin);
-				}
-
-				if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-				||  IS_IPSEC_SA_ESTABLISHED(st->st_state))
-				{
-					/* log our success */
-					plog("%s%s", story, sadetails);
-					w = RC_SUCCESS;
-				}
-
-				/* tell whack our progress */
-				whack_log(w
-					, "%s: %s%s"
-					, enum_name(&state_names, st->st_state)
-					, story, sadetails);
-			}
-
-			has_xauth_policy = (st->st_connection->policy
-							   & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
-							   != LEMPTY;
-			is_xauth_server =  (st->st_connection->policy
-							   & POLICY_XAUTH_SERVER)
-							   != LEMPTY;
-
-			/* Should we start XAUTH as a server */
-			if (has_xauth_policy && is_xauth_server
-			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-			&& !st->st_xauth.started)
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("starting XAUTH server")
-				)
-				xauth_send_request(st);
-				break;
-			}
-
-			/* Wait for XAUTH request from server */
-			if (has_xauth_policy && !is_xauth_server
-			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-			&& !st->st_xauth.started)
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("waiting for XAUTH request from server")
-				)
-				break;
-			}
-
-			/* Should we start ModeConfig as a client? */
-			if (st->st_connection->spd.this.modecfg
-			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-			&& !(st->st_connection->policy & POLICY_MODECFG_PUSH)
-			&& !st->st_modecfg.started)
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("starting ModeCfg client in pull mode")
-				)
-				modecfg_send_request(st);
-				break;
-			}
-
-			/* Should we start ModeConfig as a server? */
-			if (st->st_connection->spd.that.modecfg
-			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-			&& !st->st_modecfg.started
-			&& (st->st_connection->policy & POLICY_MODECFG_PUSH))
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("starting ModeCfg server in push mode")
-				)
-				modecfg_send_set(st);
-				break;
-			}
-
-			/* Wait for ModeConfig set from server */
-			if (st->st_connection->spd.this.modecfg
-			&& IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-			&& !st->st_modecfg.vars_set)
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("waiting for ModeCfg set from server")
-				)
-				break;
-			}
-
-			if (smc->flags & SMF_RELEASE_PENDING_P2)
-			{
-				/* Initiate any Quick Mode negotiations that
-				 * were waiting to piggyback on this Keying Channel.
-				 *
-				 * ??? there is a potential race condition
-				 * if we are the responder: the initial Phase 2
-				 * message might outrun the final Phase 1 message.
-				 * I think that retransmission will recover.
-				 */
-				unpend(st);
-			}
-
-			if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
-			||  IS_IPSEC_SA_ESTABLISHED(st->st_state))
-				release_whack(st);
-			break;
-
-		case STF_INTERNAL_ERROR:
-			whack_log(RC_INTERNALERR + md->note
-				, "%s: internal error"
-				, enum_name(&state_names, st->st_state));
-
-			DBG(DBG_CONTROL,
-				DBG_log("state transition function for %s had internal error"
-					, enum_name(&state_names, from_state)));
-			break;
-
-		default:        /* a shortcut to STF_FAIL, setting md->note */
-			passert(result > STF_FAIL);
-			md->note = result - STF_FAIL;
-			result = STF_FAIL;
-			/* FALL THROUGH ... */
-		case STF_FAIL:
-			/* As it is, we act as if this message never happened:
-			 * whatever retrying was in place, remains in place.
-			 */
-			whack_log(RC_NOTIFICATION + md->note
-				, "%s: %s"
-				, enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
-				, enum_name(&notification_names, md->note));
-
-			SEND_NOTIFICATION(md->note);
-
-			DBG(DBG_CONTROL,
-				DBG_log("state transition function for %s failed: %s"
-					, enum_name(&state_names, from_state)
-					, enum_name(&notification_names, md->note)));
-			break;
-	}
-}
diff --git a/src/pluto/demux.h b/src/pluto/demux.h
deleted file mode 100644
index 6ce53c14f..000000000
--- a/src/pluto/demux.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/* demultiplex incoming IKE messages
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _DEMUX_H
-#define _DEMUX_H
-
-#include "packet.h"
-#include "state.h"
-
-extern void init_demux(void);
-extern bool send_packet(struct state *st, const char *where);
-extern void comm_handle(const struct iface *ifp);
-
-extern u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
-
-/* State transition function infrastructure
- *
- * com_handle parses a message, decides what state object it applies to,
- * and calls the appropriate state transition function (STF).
- * These declarations define the interface to these functions.
- *
- * Each STF must be able to be restarted up to any failure point:
- * a later message will cause the state to be re-entered.  This
- * explains the use of the replace macro and the care in handling
- * MP_INT members of struct state.
- */
-
-struct payload_digest {
-	pb_stream pbs;
-	union payload payload;
-	struct payload_digest *next;   /* of same kind */
-};
-
-/* message digest
- * Note: raw_packet and packet_pbs are "owners" of space on heap.
- */
-
-struct msg_digest {
-	struct msg_digest *next;    /* for free list */
-	chunk_t raw_packet;         /* if encrypted, received packet before decryption */
-	const struct iface *iface;  /* interface on which message arrived */
-	ip_address sender;  /* where message came from */
-	u_int16_t sender_port;      /* host order */
-	pb_stream packet_pbs;       /* whole packet */
-	pb_stream message_pbs;      /* message to be processed */
-	struct isakmp_hdr hdr;      /* message's header */
-	bool encrypted;             /* was it encrypted? */
-	enum state_kind from_state; /* state we started in */
-	const struct state_microcode *smc;  /* microcode for initial state */
-	struct state *st;           /* current state object */
-	pb_stream reply;            /* room for reply */
-	pb_stream rbody;            /* room for reply body (after header) */
-	notification_t note;        /* reason for failure */
-	bool dpd;                   /* peer supports RFC 3706 DPD */
-	bool openpgp;               /* peer supports OpenPGP certificates */
-	bool ms_nt5;                /* peer is a windows 2000+ host */
-
-#   define PAYLIMIT 40
-	struct payload_digest
-		digest[PAYLIMIT],
-		*digest_roof,
-		*chain[ISAKMP_NEXT_ROOF];
-		unsigned short nat_traversal_vid;
-};
-
-extern void release_md(struct msg_digest *md);
-
-/* status for state-transition-function
- * Note: STF_FAIL + notification_t means fail with that notification
- */
-
-typedef enum {
-	STF_IGNORE, /* don't respond */
-	STF_SUSPEND,    /* unfinished -- don't release resources */
-	STF_OK,     /* success */
-	STF_INTERNAL_ERROR, /* discard everything, we failed */
-	STF_FAIL    /* discard everything, something failed.  notification_t added. */
-} stf_status;
-
-typedef stf_status state_transition_fn(struct msg_digest *md);
-
-extern void complete_state_transition(struct msg_digest **mdp, stf_status result);
-
-extern void free_md_pool(void);
-
-#endif /* _DEMUX_H */
diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c
deleted file mode 100644
index 91b1b6ac1..000000000
--- a/src/pluto/dnskey.c
+++ /dev/null
@@ -1,1590 +0,0 @@
-/* Find public key in DNS
- * Copyright (C) 2000-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netdb.h>      /* ??? for h_errno */
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include <utils/identification.h>
-#include <credentials/keys/public_key.h>
-
-#include "constants.h"
-#include "adns.h"       /* needs <resolv.h> */
-#include "defs.h"
-#include "log.h"
-#include "myid.h"
-#include "connections.h"
-#include "keys.h"           /* needs connections.h */
-#include "dnskey.h"
-#include "packet.h"
-#include "timer.h"
-
-/* somebody has to decide */
-#define MAX_TXT_RDATA   ((MAX_KEY_BYTES * 8 / 6) + 40)  /* somewhat arbitrary overkill */
-
-/* ADNS stuff */
-
-int adns_qfd = NULL_FD, /* file descriptor for sending queries to adns (O_NONBLOCK) */
-	adns_afd = NULL_FD; /* file descriptor for receiving answers from adns */
-static pid_t adns_pid = 0;
-const char *pluto_adns_option = NULL;   /* path from --pluto_adns */
-
-int adns_restart_count;
-#define ADNS_RESTART_MAX 20
-
-void
-init_adns(void)
-{
-	const char *adns_path = pluto_adns_option;
-	static const char adns_name[] = "_pluto_adns";
-	const char *helper_bin_dir = getenv("IPSEC_LIBDIR");
-	char adns_path_space[4096]; /* plenty long? */
-	int qfds[2];
-	int afds[2];
-
-	/* find a pathname to the ADNS program */
-	if (adns_path == NULL)
-	{
-		/* pathname was not specified as an option: build it.
-		 * First, figure out the directory to be used.
-		 */
-		ssize_t n;
-
-		if (helper_bin_dir != NULL)
-		{
-			n = strlen(helper_bin_dir);
-			if ((size_t)n <= sizeof(adns_path_space) - sizeof(adns_name))
-			{
-				strcpy(adns_path_space, helper_bin_dir);
-				if (n > 0 && adns_path_space[n -1] != '/')
-				{
-					adns_path_space[n++] = '/';
-				}
-			}
-		}
-		else
-		{
-			/* The program will be in the same directory as Pluto,
-			 * so we use the sympolic link /proc/self/exe to
-			 * tell us of the path prefix.
-			 */
-			n = readlink("/proc/self/exe", adns_path_space, sizeof(adns_path_space));
-
-			if (n < 0)
-			{
-				exit_log_errno((e
-					, "readlink(\"/proc/self/exe\") failed in init_adns()"));
-			}
-		}
-
-		if ((size_t)n > sizeof(adns_path_space) - sizeof(adns_name))
-		{
-			exit_log("path to %s is too long", adns_name);
-		}
-
-		while (n > 0 && adns_path_space[n - 1] != '/')
-		{
-			n--;
-		}
-		strcpy(adns_path_space + n, adns_name);
-		adns_path = adns_path_space;
-	}
-	if (access(adns_path, X_OK) < 0)
-	{
-		exit_log_errno((e, "%s missing or not executable", adns_path));
-	}
-
-	if (pipe(qfds) != 0 || pipe(afds) != 0)
-	{
-		exit_log_errno((e, "pipe(2) failed in init_adns()"));
-	}
-
-	adns_pid = fork();
-	switch (adns_pid)
-	{
-	case -1:
-		exit_log_errno((e, "fork() failed in init_adns()"));
-
-	case 0:
-		/* child */
-		{
-			/* Make stdin and stdout our pipes.
-			 * Take care to handle case where pipes already use these fds.
-			 */
-			if (afds[1] == 0)
-			{
-				afds[1] = dup(afds[1]); /* avoid being overwritten */
-			}
-			if (qfds[0] != 0)
-			{
-				dup2(qfds[0], 0);
-				close(qfds[0]);
-			}
-			if (afds[1] != 1)
-			{
-				dup2(afds[1], 1);
-				close(qfds[1]);
-			}
-			if (afds[0] > 1)
-			{
-				close(afds[0]);
-			}
-			if (afds[1] > 1)
-			{
-				close(afds[1]);
-			}
-			DBG(DBG_DNS, execlp(adns_path, adns_name, "-d", NULL));
-
-			execlp(adns_path, adns_name, NULL);
-			exit_log_errno((e, "execlp of %s failed", adns_path));
-		}
-	default:
-		/* parent */
-		close(qfds[0]);
-		adns_qfd = qfds[1];
-		adns_afd = afds[0];
-		close(afds[1]);
-		fcntl(adns_qfd, F_SETFD, FD_CLOEXEC);
-		fcntl(adns_afd, F_SETFD, FD_CLOEXEC);
-		fcntl(adns_qfd, F_SETFL, O_NONBLOCK);
-		break;
-	}
-}
-
-void
-stop_adns(void)
-{
-	close_any(adns_qfd);
-	adns_qfd = NULL_FD;
-	close_any(adns_afd);
-	adns_afd = NULL_FD;
-
-	if (adns_pid != 0)
-	{
-		int status;
-		pid_t p = waitpid(adns_pid, &status, 0);
-
-		if (p == -1)
-		{
-			log_errno((e, "waitpid for ADNS process failed"));
-		}
-		else if (WIFEXITED(status))
-		{
-			if (WEXITSTATUS(status) != 0)
-			{
-				plog("ADNS process exited with status %d"
-					, (int) WEXITSTATUS(status));
-			}
-		}
-		else if (WIFSIGNALED(status))
-		{
-			plog("ADNS process terminated by signal %d", (int)WTERMSIG(status));
-		}
-		else
-		{
-			plog("wait for end of ADNS process returned odd status 0x%x\n"
-				, status);
-		}
-	}
-}
-
-
-
-/* tricky macro to pass any hot potato */
-#define TRY(x)  { err_t ugh = x; if (ugh != NULL) return ugh; }
-
-
-/* Process TXT X-IPsec-Server record, accumulating relevant ones
- * in cr->gateways_from_dns, a list sorted by "preference".
- *
- * Format of TXT record body: X-IPsec-Server ( nnn ) = iii kkk
- *  nnn is a 16-bit unsigned integer preference
- *  iii is @FQDN or dotted-decimal IPv4 address or colon-hex IPv6 address
- *  kkk is an optional RSA public signing key in base 64.
- *
- * NOTE: we've got to be very wary of anything we find -- bad guys
- * might have prepared it.
- */
-
-#define our_TXT_attr_string "X-IPsec-Server"
-static const char our_TXT_attr[] = our_TXT_attr_string;
-
-identification_t* decode_iii(u_char **pp)
-{
-	identification_t *gw_id;
-	u_char *p = *pp + strspn(*pp, " \t");
-	u_char *e = p + strcspn(p, " \t");
-	u_char under = *e;
-
-	if (p == e)
-	{
-		return NULL;
-	}
-	*e = '\0';
-	gw_id = identification_create_from_string(p);
-	*e = under;
-	*pp = e + strspn(e, " \t");
-
-	return gw_id;
-}
-
-static err_t process_txt_rr_body(u_char *str, bool doit,
-								 enum dns_auth_level dns_auth_level,
-								 struct adns_continuation *const cr)
-{
-	identification_t *client_id = cr->id;   /* subject of query */
-	u_char *p = str;
-	unsigned long pref = 0;
-	struct gw_info gi;
-
-	p += strspn(p, " \t");      /* ignore leading whitespace */
-
-	/* is this for us? */
-	if (strncasecmp(p, our_TXT_attr, sizeof(our_TXT_attr)-1) != 0)
-	{
-		return NULL;    /* neither interesting nor bad */
-	}
-
-	p += sizeof(our_TXT_attr) - 1;      /* ignore our attribute name */
-	p += strspn(p, " \t");      /* ignore leading whitespace */
-
-	/* decode '(' nnn ')' */
-	if (*p != '(')
-	{
-		return "X-IPsec-Server missing '('";
-	}
-
-	{
-		char *e;
-
-		p++;
-		pref = strtoul(p, &e, 0);
-		if ((u_char *)e == p)
-		{
-			return "malformed X-IPsec-Server priority";
-		}
-		p = e + strspn(e, " \t");
-
-		if (*p != ')')
-		{
-			return "X-IPsec-Server priority missing ')'";
-		}
-		p++;
-		p += strspn(p, " \t");
-
-		if (pref > 0xFFFF)
-		{
-			return "X-IPsec-Server priority larger than 0xFFFF";
-		}
-	}
-
-	/* time for '=' */
-
-	if (*p != '=')
-	{
-		return "X-IPsec-Server priority missing '='";
-	}
-	p++;
-	p += strspn(p, " \t");
-
-	/* Decode iii (Security Gateway ID). */
-	zero(&gi);  /* before first use */
-
-	gi.gw_id = decode_iii(&p);
-	if (gi.gw_id == NULL)
-	{
-		return "TXT " our_TXT_attr_string " badly formed (no gateway specified)";
-	}
-
-	if (!cr->sgw_specified)
-	{
-		/* we don't know the peer's ID (because we are initiating
-		 * and we don't know who to initiate with.
-		 * So we're looking for gateway specs with an IP address
-		 */
-		if (gi.gw_id->get_type(gi.gw_id) != ID_IPV4_ADDR &&
-			gi.gw_id->get_type(gi.gw_id) != ID_IPV6_ADDR)
-		{
-			DBG(DBG_DNS,
-				DBG_log("TXT %s record for '%Y': security gateway '%Y';"
-						" ignored because gateway's IP is unspecified",
-						our_TXT_attr, client_id, gi.gw_id);
-				)
-			return NULL;        /* we cannot use this record, but it isn't wrong */
-		}
-	}
-	else
-	{
-		/* We do know the peer's ID (because we are responding)
-		 * So we're looking for gateway specs specifying this known ID.
-		 */
-		identification_t *peer_id = cr->sgw_id;
-
-		if (!peer_id->equals(peer_id, gi.gw_id))
-		{
-			DBG(DBG_DNS,
-				DBG_log("TXT %s record for '%Y': security gateway '%Y';"
-						" ignored -- looking to confirm '%Y' as gateway",
-						our_TXT_attr, client_id, gi.gw_id, peer_id);
-				)
-			return NULL;        /* we cannot use this record, but it isn't wrong */
-		}
-	}
-
-	if (doit)
-	{
-		/* really accept gateway */
-		struct gw_info **gwip;  /* gateway insertion point */
-
-		gi.client_id = client_id;      /* will need to unshare_id_content */
-
-		/* decode optional kkk: base 64 encoding of key */
-
-		gi.gw_key_present = *p != '\0';
-		if (gi.gw_key_present)
-		{
-			/* Decode base 64 encoding of key.
-			 * Similar code is in process_lwdnsq_key.
-			 */
-			u_char buf[RSA_MAX_ENCODING_BYTES];  /* plenty of space for binary form of public key */
-			size_t sz;
-			err_t ugh;
-			chunk_t rfc3110_chunk;
-			public_key_t *key;
-
-			ugh = ttodatav(p, 0, 64, buf, sizeof(buf), &sz,
-						diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
-			if (ugh)
-			{
-				return builddiag("malformed key data: %s", ugh);
-			}
-			if (sz > sizeof(buf))
-			{
-				return builddiag("key data larger than %lu bytes",
-								 (unsigned long) sizeof(buf));
-			}
-			rfc3110_chunk = chunk_create(buf, sz);
-			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-										BUILD_BLOB_DNSKEY, rfc3110_chunk,
-										BUILD_END);
-			if (key == NULL)
-			{
-				return builddiag("invalid key data");
-			}
-
-			/* now find a key entry to put it in */
-			gi.key = public_key_from_rsa(key);
-
-			unreference_key(&cr->last_info);
-			cr->last_info = reference_key(gi.key);
-		}
-
-		/* we're home free!  Allocate everything and add to gateways list. */
-		gi.refcnt = 1;
-		gi.pref = pref;
-		gi.key->dns_auth_level = dns_auth_level;
-		gi.key->last_tried_time = gi.key->last_worked_time = NO_TIME;
-
-		/* find insertion point */
-		for (gwip = &cr->gateways_from_dns; *gwip != NULL && (*gwip)->pref < pref; gwip = &(*gwip)->next)
-			;
-
-		DBG(DBG_DNS,
-			{
-				chunk_t keyid;
-				public_key_t *key = gi.key->public_key;
-
-				if (gi.gw_key_present &&
-					key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid))
-				{
-					DBG_log("gateway for %s is %s with key %#B",
-							client_id, gi.gw_id, &keyid);
-				}
-				else
-				{
-					DBG_log("gateway for '%Y' is '%Y'; no key specified",
-							client_id, gi.gw_id);
-				}
-			});
-
-		gi.next = *gwip;
-		*gwip = clone_thing(gi);
-		(*gwip)->gw_id = (*gwip)->gw_id->clone((*gwip)->gw_id);
-		(*gwip)->client_id = (*gwip)->client_id->clone((*gwip)->client_id);
-	}
-
-	return NULL;
-}
-
-static const char *
-rr_typename(int type)
-{
-	switch (type)
-	{
-	case T_TXT:
-		return "TXT";
-	case T_KEY:
-		return "KEY";
-	default:
-		return "???";
-	}
-}
-
-
-/* structure of Query Reply (RFC 1035 4.1.1):
- *
- *  +---------------------+
- *  |        Header       |
- *  +---------------------+
- *  |       Question      | the question for the name server
- *  +---------------------+
- *  |        Answer       | RRs answering the question
- *  +---------------------+
- *  |      Authority      | RRs pointing toward an authority
- *  +---------------------+
- *  |      Additional     | RRs holding additional information
- *  +---------------------+
- */
-
-/* Header section format (as modified by RFC 2535 6.1):
- *                                  1  1  1  1  1  1
- *    0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
- *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- *  |                      ID                       |
- *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- *  |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
- *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- *  |                    QDCOUNT                    |
- *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- *  |                    ANCOUNT                    |
- *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- *  |                    NSCOUNT                    |
- *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- *  |                    ARCOUNT                    |
- *  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- */
-struct qr_header {
-	u_int16_t   id;     /* 16-bit identifier to match query */
-
-	u_int16_t   stuff;  /* packed crud: */
-
-#define QRS_QR  0x8000  /* QR: on if this is a response */
-
-#define QRS_OPCODE_SHIFT        11  /* OPCODE field */
-#define QRS_OPCODE_MASK 0xF
-#define QRSO_QUERY      0   /* standard query */
-#define QRSO_IQUERY     1   /* inverse query */
-#define QRSO_STATUS     2   /* server status request query */
-
-#define QRS_AA 0x0400   /* AA: on if Authoritative Answer */
-#define QRS_TC 0x0200   /* TC: on if truncation happened */
-#define QRS_RD 0x0100   /* RD: on if recursion desired */
-#define QRS_RA 0x0080   /* RA: on if recursion available */
-#define QRS_Z  0x0040   /* Z: reserved; must be zero */
-#define QRS_AD 0x0020   /* AD: on if authentic data (RFC 2535) */
-#define QRS_CD 0x0010   /* AD: on if checking disabled (RFC 2535) */
-
-#define QRS_RCODE_SHIFT 0 /* RCODE field: response code */
-#define QRS_RCODE_MASK  0xF
-#define QRSR_OK     0
-
-
-	u_int16_t qdcount;      /* number of entries in question section */
-	u_int16_t ancount;      /* number of resource records in answer section */
-	u_int16_t nscount;      /* number of name server resource records in authority section */
-	u_int16_t arcount;      /* number of resource records in additional records section */
-};
-
-static field_desc qr_header_fields[] = {
-	{ ft_nat, 16/BITS_PER_BYTE, "ID", NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "stuff", NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "QD Count", NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "Answer Count", NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "Authority Count", NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "Additional Count", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-static struct_desc qr_header_desc = {
-	"Query Response Header",
-	qr_header_fields,
-	sizeof(struct qr_header)
-};
-
-/* Messages for codes in RCODE (see RFC 1035 4.1.1) */
-static const err_t rcode_text[QRS_RCODE_MASK + 1] = {
-	NULL,   /* not an error */
-	"Format error - The name server was unable to interpret the query",
-	"Server failure - The name server was unable to process this query"
-		" due to a problem with the name server",
-	"Name Error - Meaningful only for responses from an authoritative name"
-		" server, this code signifies that the domain name referenced in"
-		" the query does not exist",
-	"Not Implemented - The name server does not support the requested"
-		" kind of query",
-	"Refused - The name server refuses to perform the specified operation"
-		" for policy reasons",
-	/* the rest are reserved for future use */
-	};
-
-/* throw away a possibly compressed domain name */
-
-static err_t
-eat_name(pb_stream *pbs)
-{
-	u_char name_buf[NS_MAXDNAME + 2];
-	u_char *ip = pbs->cur;
-	unsigned oi = 0;
-	unsigned jump_count = 0;
-
-	for (;;)
-	{
-		u_int8_t b;
-
-		if (ip >= pbs->roof)
-			return "ran out of message while skipping domain name";
-
-		b = *ip++;
-		if (jump_count == 0)
-			pbs->cur = ip;
-
-		if (b == 0)
-			break;
-
-		switch (b & 0xC0)
-		{
-			case 0x00:
-				/* we grab the next b characters */
-				if (oi + b > NS_MAXDNAME)
-					return "domain name too long";
-
-				if (pbs->roof - ip <= b)
-					return "domain name falls off end of message";
-
-				if (oi != 0)
-					name_buf[oi++] = '.';
-
-				memcpy(name_buf + oi, ip, b);
-				oi += b;
-				ip += b;
-				if (jump_count == 0)
-					pbs->cur = ip;
-				break;
-
-			case 0xC0:
-				{
-					unsigned ix;
-
-					if (ip >= pbs->roof)
-						return "ran out of message in middle of compressed domain name";
-
-					ix = ((b & ~0xC0u) << 8) | *ip++;
-					if (jump_count == 0)
-						pbs->cur = ip;
-
-					if (ix >= pbs_room(pbs))
-						return "impossible compressed domain name";
-
-					/* Avoid infinite loop.
-					 * There can be no more jumps than there are bytes
-					 * in the packet.  Not a tight limit, but good enough.
-					 */
-					jump_count++;
-					if (jump_count > pbs_room(pbs))
-						return "loop in compressed domain name";
-
-					ip = pbs->start + ix;
-				}
-				break;
-
-			default:
-				return "invalid code in label";
-		}
-	}
-
-	name_buf[oi++] = '\0';
-
-	DBG(DBG_DNS, DBG_log("skipping name %s", name_buf));
-
-	return NULL;
-}
-
-static err_t
-eat_name_helpfully(pb_stream *pbs, const char *context)
-{
-	err_t ugh = eat_name(pbs);
-
-	return ugh == NULL? ugh
-		: builddiag("malformed name within DNS record of %s: %s", context, ugh);
-}
-
-/* non-variable part of 4.1.2 Question Section entry:
- *                                 1  1  1  1  1  1
- *   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                                               |
- * /                     QNAME                     /
- * /                                               /
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                     QTYPE                     |
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                     QCLASS                    |
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- */
-
-struct qs_fixed {
-	u_int16_t qtype;
-	u_int16_t qclass;
-};
-
-static field_desc qs_fixed_fields[] = {
-	{ ft_loose_enum, 16/BITS_PER_BYTE, "QTYPE", &rr_qtype_names },
-	{ ft_loose_enum, 16/BITS_PER_BYTE, "QCLASS", &rr_class_names },
-	{ ft_end, 0, NULL, NULL }
-};
-
-static struct_desc qs_fixed_desc = {
-	"Question Section entry fixed part",
-	qs_fixed_fields,
-	sizeof(struct qs_fixed)
-};
-
-/* 4.1.3. Resource record format:
- *                                 1  1  1  1  1  1
- *   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                                               |
- * /                                               /
- * /                      NAME                     /
- * |                                               |
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                      TYPE                     |
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                     CLASS                     |
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                      TTL                      |
- * |                                               |
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- * |                   RDLENGTH                    |
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
- * /                     RDATA                     /
- * /                                               /
- * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- */
-
-struct rr_fixed {
-	u_int16_t type;
-	u_int16_t class;
-	u_int32_t ttl;      /* actually signed */
-	u_int16_t rdlength;
-};
-
-
-static field_desc rr_fixed_fields[] = {
-	{ ft_loose_enum, 16/BITS_PER_BYTE, "type", &rr_type_names },
-	{ ft_loose_enum, 16/BITS_PER_BYTE, "class", &rr_class_names },
-	{ ft_nat, 32/BITS_PER_BYTE, "TTL", NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "RD length", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-static struct_desc rr_fixed_desc = {
-	"Resource Record fixed part",
-	rr_fixed_fields,
-	/* note: following is tricky: avoids padding problems */
-	offsetof(struct rr_fixed, rdlength) + sizeof(u_int16_t)
-};
-
-/* RFC 1035 3.3.14: TXT RRs have text in the RDATA field.
- * It is in the form of a sequence of <character-string>s as described in 3.3.
- * unpack_txt_rdata() deals with this peculiar representation.
- */
-
-/* RFC 2535 3.1 KEY RDATA format:
- *
- *                      1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |             flags             |    protocol   |   algorithm   |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |                                                               /
- * /                          public key                           /
- * /                                                               /
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
- */
-
-struct key_rdata {
-	u_int16_t flags;
-	u_int8_t protocol;
-	u_int8_t algorithm;
-};
-
-static field_desc key_rdata_fields[] = {
-	{ ft_nat, 16/BITS_PER_BYTE, "flags", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "protocol", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-static struct_desc key_rdata_desc = {
-	"KEY RR RData fixed part",
-	key_rdata_fields,
-	sizeof(struct key_rdata)
-};
-
-/* RFC 2535 4.1 SIG RDATA format:
- *
- *                      1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |        type covered           |  algorithm    |     labels    |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |                         original TTL                          |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |                      signature expiration                     |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |                      signature inception                      |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * |            key  tag           |                               |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         signer's name         +
- * |                                                               /
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
- * /                                                               /
- * /                            signature                          /
- * /                                                               /
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-
-struct sig_rdata {
-	u_int16_t type_covered;
-	u_int8_t algorithm;
-	u_int8_t labels;
-	u_int32_t original_ttl;
-	u_int32_t sig_expiration;
-	u_int32_t sig_inception;
-	u_int16_t key_tag;
-};
-
-static field_desc sig_rdata_fields[] = {
-	{ ft_nat, 16/BITS_PER_BYTE, "type_covered", NULL},
-	{ ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL},
-	{ ft_nat, 8/BITS_PER_BYTE, "labels", NULL},
-	{ ft_nat, 32/BITS_PER_BYTE, "original ttl", NULL},
-	{ ft_nat, 32/BITS_PER_BYTE, "sig expiration", NULL},
-	{ ft_nat, 32/BITS_PER_BYTE, "sig inception", NULL},
-	{ ft_nat, 16/BITS_PER_BYTE, "key tag", NULL},
-	{ ft_end, 0, NULL, NULL }
-};
-
-static struct_desc sig_rdata_desc = {
-	"SIG RR RData fixed part",
-	sig_rdata_fields,
-	sizeof(struct sig_rdata)
-};
-
-/* handle a KEY Resource Record. */
-
-#ifdef USE_KEYRR
-static err_t
-process_key_rr(u_char *ptr, size_t len
-, bool doit     /* should we capture information? */
-, enum dns_auth_level dns_auth_level
-, struct adns_continuation *const cr)
-{
-	pb_stream pbs;
-	struct key_rdata kr;
-
-	if (len < sizeof(struct key_rdata))
-		return "KEY Resource Record's RD Length is too small";
-
-	init_pbs(&pbs, ptr, len, "KEY RR");
-
-	if (!in_struct(&kr, &key_rdata_desc, &pbs, NULL))
-		return "failed to get fixed part of KEY Resource Record RDATA";
-
-	if (kr.protocol == 4        /* IPSEC (RFC 2535 3.1.3) */
-	&& kr.algorithm == 1        /* RSA/MD5 (RFC 2535 3.2) */
-	&& (kr.flags & 0x8000) == 0 /* use for authentication (3.1.2) */
-	&& (kr.flags & 0x2CF0) == 0)        /* must be zero */
-	{
-		/* we have what seems to be a tasty key */
-
-		if (doit)
-		{
-			chunk_t k = { pbs.cur, pbs_left(&pbs) };
-
-			TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &k
-				, &cr->keys_from_dns));
-		}
-	}
-	return NULL;
-}
-#endif /* USE_KEYRR */
-
-
-/* unpack TXT rr RDATA into C string.
- * A sequence of <character-string>s as described in RFC 1035 3.3.
- * We concatenate them.
- */
-static err_t
-unpack_txt_rdata(u_char *d, size_t dlen, const u_char *s, size_t slen)
-{
-	size_t i = 0
-		, o = 0;
-
-	while (i < slen)
-	{
-		size_t cl = s[i++];
-
-		if (i + cl > slen)
-			return "TXT rr RDATA representation malformed";
-
-		if (o + cl >= dlen)
-			return "TXT rr RDATA too large";
-
-		memcpy(d + o, s + i, cl);
-		i += cl;
-		o += cl;
-	}
-	d[o] = '\0';
-	if (strlen(d) != o)
-		return "TXT rr RDATA contains a NUL";
-
-	return NULL;
-}
-
-static err_t
-process_txt_rr(u_char *rdata, size_t rdlen
-, bool doit     /* should we capture information? */
-, enum dns_auth_level dns_auth_level
-, struct adns_continuation *const cr)
-{
-	u_char str[RSA_MAX_ENCODING_BYTES * 8 / 6 + 20];    /* space for unpacked RDATA */
-
-	TRY(unpack_txt_rdata(str, sizeof(str), rdata, rdlen));
-	return process_txt_rr_body(str, doit, dns_auth_level, cr);
-}
-
-static err_t
-process_answer_section(pb_stream *pbs
-, bool doit     /* should we capture information? */
-, enum dns_auth_level *dns_auth_level
-, u_int16_t ancount     /* number of RRs in the answer section */
-, struct adns_continuation *const cr)
-{
-	const int type = cr->query.type;    /* type of RR of interest */
-	unsigned c;
-
-	DBG(DBG_DNS, DBG_log("*Answer Section:"));
-
-	for (c = 0; c != ancount; c++)
-	{
-		struct rr_fixed rrf;
-		size_t tail;
-
-		/* ??? do we need to match the name? */
-
-		TRY(eat_name_helpfully(pbs, "Answer Section"));
-
-		if (!in_struct(&rrf, &rr_fixed_desc, pbs, NULL))
-			return "failed to get fixed part of Answer Section Resource Record";
-
-		if (rrf.rdlength > pbs_left(pbs))
-			return "RD Length extends beyond end of message";
-
-		/* ??? should we care about ttl? */
-
-		tail = rrf.rdlength;
-
-		if (rrf.type == type && rrf.class == C_IN)
-		{
-			err_t ugh = NULL;
-
-			switch (type)
-			{
-#ifdef USE_KEYRR
-			case T_KEY:
-				ugh = process_key_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
-				break;
-#endif /* USE_KEYRR */
-			case T_TXT:
-				ugh = process_txt_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
-				break;
-			case T_SIG:
-				/* Check if SIG RR authenticates what we are learning.
-				 * The RRset covered by a SIG must have the same owner,
-				 * class, and type.
-				 * For us, the class is always C_IN, so that matches.
-				 * We decode the SIG RR's fixed part to check
-				 * that the type_covered field matches our query type
-				 * (this may be redundant).
-				 * We don't check the owner (apparently this is the
-				 * name on the record) -- we assume that it matches
-				 * or we would not have been given this SIG in the
-				 * Answer Section.
-				 *
-				 * We only look on first pass, and only if we've something
-				 * to learn.  This cuts down on useless decoding.
-				 */
-				if (!doit && *dns_auth_level == DAL_UNSIGNED)
-				{
-					struct sig_rdata sr;
-
-					if (!in_struct(&sr, &sig_rdata_desc, pbs, NULL))
-						ugh = "failed to get fixed part of SIG Resource Record RDATA";
-					else if (sr.type_covered == type)
-						*dns_auth_level = DAL_SIGNED;
-				}
-				break;
-			default:
-				ugh = builddiag("unexpected RR type %d", type);
-				break;
-			}
-			if (ugh != NULL)
-				return ugh;
-		}
-		in_raw(NULL, tail, pbs, "RR RDATA");
-	}
-
-	return doit
-		&& cr->gateways_from_dns == NULL
-#ifdef USE_KEYRR
-		&& cr->keys_from_dns == NULL
-#endif /* USE_KEYRR */
-		? builddiag("no suitable %s record found in DNS", rr_typename(type))
-		: NULL;
-}
-
-/* process DNS answer -- TXT or KEY query */
-
-static err_t
-process_dns_answer(struct adns_continuation *const cr
-, u_char ans[], int anslen)
-{
-	const int type = cr->query.type;    /* type of record being sought */
-	int r;      /* all-purpose return value holder */
-	u_int16_t c;        /* number of current RR in current answer section */
-	pb_stream pbs;
-	u_int8_t *ans_start;        /* saved position of answer section */
-	struct qr_header qr_header;
-	enum dns_auth_level dns_auth_level;
-
-	init_pbs(&pbs, ans, anslen, "Query Response Message");
-
-	/* decode and check header */
-
-	if (!in_struct(&qr_header, &qr_header_desc, &pbs, NULL))
-		return "malformed header";
-
-	/* ID: nothing to do with us */
-
-	/* stuff -- lots of things */
-	if ((qr_header.stuff & QRS_QR) == 0)
-		return "not a response?!?";
-
-	if (((qr_header.stuff >> QRS_OPCODE_SHIFT) & QRS_OPCODE_MASK) != QRSO_QUERY)
-		return "unexpected opcode";
-
-	/* I don't think we care about AA */
-
-	if (qr_header.stuff & QRS_TC)
-		return "response truncated";
-
-	/* I don't think we care about RD, RA, or CD */
-
-	/* AD means "authentic data" */
-	dns_auth_level = qr_header.stuff & QRS_AD? DAL_UNSIGNED : DAL_NOTSEC;
-
-	if (qr_header.stuff & QRS_Z)
-		return "Z bit is not zero";
-
-	r = (qr_header.stuff >> QRS_RCODE_SHIFT) & QRS_RCODE_MASK;
-	if (r != 0)
-		return r < (int)countof(rcode_text)? rcode_text[r] : "unknown rcode";
-
-	if (qr_header.ancount == 0)
-		return builddiag("no %s RR found by DNS", rr_typename(type));
-
-	/* end of header checking */
-
-	/* Question Section processing */
-
-	/* 4.1.2. Question section format:
-	 *                                 1  1  1  1  1  1
-	 *   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
-	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-	 * |                                               |
-	 * /                     QNAME                     /
-	 * /                                               /
-	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-	 * |                     QTYPE                     |
-	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-	 * |                     QCLASS                    |
-	 * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-	 */
-
-	DBG(DBG_DNS, DBG_log("*Question Section:"));
-
-	for (c = 0; c != qr_header.qdcount; c++)
-	{
-		struct qs_fixed qsf;
-
-		TRY(eat_name_helpfully(&pbs, "Question Section"));
-
-		if (!in_struct(&qsf, &qs_fixed_desc, &pbs, NULL))
-			return "failed to get fixed part of Question Section";
-
-		if (qsf.qtype != type)
-			return "unexpected QTYPE in Question Section";
-
-		if (qsf.qclass != C_IN)
-			return "unexpected QCLASS in Question Section";
-	}
-
-	/* rest of sections are made up of Resource Records */
-
-	/* Answer Section processing -- error checking, noting T_SIG */
-
-	ans_start = pbs.cur;        /* remember start of answer section */
-
-	TRY(process_answer_section(&pbs, FALSE, &dns_auth_level
-		, qr_header.ancount, cr));
-
-	/* Authority Section processing (just sanity checking) */
-
-	DBG(DBG_DNS, DBG_log("*Authority Section:"));
-
-	for (c = 0; c != qr_header.nscount; c++)
-	{
-		struct rr_fixed rrf;
-		size_t tail;
-
-		TRY(eat_name_helpfully(&pbs, "Authority Section"));
-
-		if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
-			return "failed to get fixed part of Authority Section Resource Record";
-
-		if (rrf.rdlength > pbs_left(&pbs))
-			return "RD Length extends beyond end of message";
-
-		/* ??? should we care about ttl? */
-
-		tail = rrf.rdlength;
-
-		in_raw(NULL, tail, &pbs, "RR RDATA");
-	}
-
-	/* Additional Section processing (just sanity checking) */
-
-	DBG(DBG_DNS, DBG_log("*Additional Section:"));
-
-	for (c = 0; c != qr_header.arcount; c++)
-	{
-		struct rr_fixed rrf;
-		size_t tail;
-
-		TRY(eat_name_helpfully(&pbs, "Additional Section"));
-
-		if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
-			return "failed to get fixed part of Additional Section Resource Record";
-
-		if (rrf.rdlength > pbs_left(&pbs))
-			return "RD Length extends beyond end of message";
-
-		/* ??? should we care about ttl? */
-
-		tail = rrf.rdlength;
-
-		in_raw(NULL, tail, &pbs, "RR RDATA");
-	}
-
-	/* done all sections */
-
-	/* ??? is padding legal, or can we complain if more left in record? */
-
-	/* process Answer Section again -- accept contents */
-
-	pbs.cur = ans_start;        /* go back to start of answer section */
-
-	return process_answer_section(&pbs, TRUE, &dns_auth_level
-		, qr_header.ancount, cr);
-}
-
-/****************************************************************/
-
-static err_t build_dns_name(u_char name_buf[NS_MAXDNAME + 2],
-							unsigned long serial USED_BY_DEBUG,
-							identification_t *id,
-							const char *typename USED_BY_DEBUG,
-							identification_t *gw USED_BY_DEBUG)
-{
-	/* note: all end in "." to suppress relative searches */
-	id = resolve_myid(id);
-
-	switch (id->get_type(id))
-	{
-		case ID_IPV4_ADDR:
-		{
-			chunk_t b = id->get_encoding(id);
-
-			snprintf(name_buf, NS_MAXDNAME + 2, "%d.%d.%d.%d.in-addr.arpa.",
-							   b.ptr[3], b.ptr[2], b.ptr[1], b.ptr[0]);
-			break;
-		}
-		case ID_IPV6_ADDR:
-		{
-			chunk_t b = id->get_encoding(id);
-			size_t bl;
-			u_char *op = name_buf;
-			static const char suffix[] = "IP6.INT.";
-
-			for (bl = b.len; bl-- != 0; )
-			{
-				if (op + 4 + sizeof(suffix) >= name_buf + NS_MAXDNAME + 1)
-				{
-					return "IPv6 reverse name too long";
-				}
-				op += sprintf(op, "%x.%x.", b.ptr[bl] & 0xF, b.ptr[bl] >> 4);
-			}
-			strcpy(op, suffix);
-			break;
-		}
-		case ID_FQDN:
-		{
-			if (snprintf(name_buf, NS_MAXDNAME + 2, "%Y.", id) > NS_MAXDNAME + 1)
-			{
-				return "FQDN too long for domain name";
-			}
-			break;
-		}
-		default:
-			return "can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR";
-	}
-
-	DBG(DBG_CONTROL | DBG_DNS,
-		DBG_log("DNS query %lu for %s for %s (gw: %Y)",	serial, typename, name_buf, gw)
-	)
-	return NULL;
-}
-
-void gw_addref(struct gw_info *gw)
-{
-	if (gw != NULL)
-	{
-		DBG(DBG_DNS, DBG_log("gw_addref: %p refcnt: %d++", gw, gw->refcnt))
-		gw->refcnt++;
-	}
-}
-
-void gw_delref(struct gw_info **gwp)
-{
-	struct gw_info *gw = *gwp;
-
-	if (gw != NULL)
-	{
-		DBG(DBG_DNS, DBG_log("gw_delref: %p refcnt: %d--", gw, gw->refcnt));
-
-		passert(gw->refcnt != 0);
-		gw->refcnt--;
-		if (gw->refcnt == 0)
-		{
-			DESTROY_IF(gw->client_id);
-			DESTROY_IF(gw->gw_id);
-			if (gw->gw_key_present)
-			{
-				unreference_key(&gw->key);
-			}
-			gw_delref(&gw->next);
-			free(gw);   /* trickery could make this a tail-call */
-		}
-		*gwp = NULL;
-	}
-}
-
-static int adns_in_flight = 0;  /* queries outstanding */
-
-/* Start an asynchronous DNS query.
- *
- * For KEY record, the result will be a list in cr->keys_from_dns.
- * For TXT records, the result will be a list in cr->gateways_from_dns.
- *
- * If sgw_id is null, only consider TXT records that specify an
- * IP address for the gatway: we need this in the initiation case.
- *
- * If sgw_id is non-null, only consider TXT records that specify
- * this id as the security gatway; this is useful to the Responder
- * for confirming claims of gateways.
- *
- * Continuation cr gives information for continuing when the result shows up.
- *
- * Two kinds of errors must be handled: synchronous (immediate)
- * and asynchronous.  Synchronous errors are indicated by the returned
- * value of start_adns_query; in this case, the continuation will
- * have been freed and the continuation routine will not be called.
- * Asynchronous errors are indicated by the ugh parameter passed to the
- * continuation routine.
- *
- * After the continuation routine has completed, handle_adns_answer
- * will free the continuation.  The continuation routine should have
- * freed any axiliary resources.
- *
- * Note: in the synchronous error case, start_adns_query will have
- * freed the continuation; this means that the caller will have to
- * be very careful to release any auxiliary resources that were in
- * the continuation record without using the continuation record.
- *
- * Either there will be an error result passed to the continuation routine,
- * or the results will be in cr->keys_from_dns or cr->gateways_from_dns.
- * The result variables must by left NULL by the continutation routine.
- * The continuation routine is responsible for establishing and
- * disestablishing any logging context (whack_log_fd, cur_*).
- */
-
-static struct adns_continuation *continuations = NULL;  /* newest of queue */
-static struct adns_continuation *next_query = NULL;     /* oldest not sent */
-
-static struct adns_continuation *continuation_for_qtid(unsigned long qtid)
-{
-	struct adns_continuation *cr = NULL;
-
-	if (qtid != 0)
-	{
-		for (cr = continuations; cr != NULL && cr->qtid != qtid; cr = cr->previous)
-			;
-	}
-	return cr;
-}
-
-static void release_adns_continuation(struct adns_continuation *cr)
-{
-	passert(cr != next_query);
-	gw_delref(&cr->gateways_from_dns);
-#ifdef USE_KEYRR
-	free_public_keys(&cr->keys_from_dns);
-#endif /* USE_KEYRR */
-	cr->id = cr->id->clone(cr->id);
-	cr->sgw_id = cr->sgw_id->clone(cr->sgw_id);
-
-	/* unlink from doubly-linked list */
-	if (cr->next == NULL)
-	{
-		continuations = cr->previous;
-	}
-	else
-	{
-		cr->next->previous = cr->previous;
-	}
-
-	if (cr->previous != NULL)
-	{
-		cr->previous->next = cr->next;
-	}
-
-	free(cr);
-}
-
-err_t start_adns_query(identification_t *id,     /* domain to query */
-					   identification_t *sgw_id, /* if non-null, any accepted gw_info must match */
-					   int type,                 /* T_TXT or T_KEY, selecting rr type of interest */
-					   cont_fn_t cont_fn,
-					   struct adns_continuation *cr)
-{
-	static unsigned long qtid = 1;      /* query transaction id; NOTE: static */
-	const char *typename = rr_typename(type);
-
-	if(adns_pid == 0 && adns_restart_count < ADNS_RESTART_MAX)
-	{
-		plog("ADNS helper was not running. Restarting attempt %d",adns_restart_count);
-		init_adns();
-	}
-
-	/* Splice this in at head of doubly-linked list of continuations.
-	 * Note: this must be done before any release_adns_continuation().
-	 */
-	cr->next = NULL;
-	cr->previous = continuations;
-	if (continuations != NULL)
-	{
-		continuations->next = cr;
-	}
-	continuations = cr;
-
-	cr->qtid = qtid++;
-	cr->type = type;
-	cr->cont_fn = cont_fn;
-	cr->id = id->clone(id);
-	cr->sgw_specified = (sgw_id != NULL);
-	cr->sgw_id = cr->sgw_specified ?
-						sgw_id->clone(sgw_id) :
-						identification_create_from_string("%any");
-	cr->gateways_from_dns = NULL;
-#ifdef USE_KEYRR
-	cr->keys_from_dns = NULL;
-#endif /* USE_KEYRR */
-
-#ifdef DEBUG
-	cr->debugging = cur_debugging;
-#else
-	cr->debugging = LEMPTY;
-#endif
-
-	zero(&cr->query);
-	{
-		err_t ugh = build_dns_name(cr->query.name_buf, cr->qtid, id,
-								   typename, cr->sgw_id);
-
-		if (ugh)
-		{
-			release_adns_continuation(cr);
-			return ugh;
-		}
-	}
-
-	if (next_query == NULL)
-		next_query = cr;
-
-	unsent_ADNS_queries = TRUE;
-
-	return NULL;
-}
-
-/* send remaining ADNS queries (until pipe full or none left)
- *
- * This is a co-routine, so it uses static variables to
- * preserve state across calls.
- */
-bool unsent_ADNS_queries = FALSE;
-
-void
-send_unsent_ADNS_queries(void)
-{
-	static const unsigned char *buf_end = NULL; /* NOTE STATIC */
-	static const unsigned char *buf_cur = NULL; /* NOTE STATIC */
-
-	if (adns_qfd == NULL_FD)
-		return; /* nothing useful to do */
-
-	for (;;)
-	{
-		if (buf_cur != buf_end)
-		{
-			static int try = 0; /* NOTE STATIC */
-			size_t n = buf_end - buf_cur;
-			ssize_t r = write(adns_qfd, buf_cur, n);
-
-			if (r == -1)
-			{
-				switch (errno)
-				{
-				case EINTR:
-					continue;   /* try again now */
-				case EAGAIN:
-					DBG(DBG_DNS, DBG_log("EAGAIN writing to ADNS"));
-					break;      /* try again later */
-				default:
-					try++;
-					log_errno((e, "error %d writing DNS query", try));
-					break;      /* try again later */
-				}
-				unsent_ADNS_queries = TRUE;
-				break;  /* done! */
-			}
-			else
-			{
-				passert(r >= 0);
-				try = 0;
-				buf_cur += r;
-			}
-		}
-		else
-		{
-			if (next_query == NULL)
-			{
-				unsent_ADNS_queries = FALSE;
-				break;  /* done! */
-			}
-
-			next_query->query.debugging = next_query->debugging;
-			next_query->query.serial = next_query->qtid;
-			next_query->query.len = sizeof(next_query->query);
-			next_query->query.qmagic = ADNS_Q_MAGIC;
-			next_query->query.type = next_query->type;
-			buf_cur = (const void *)&next_query->query;
-			buf_end = buf_cur + sizeof(next_query->query);
-
-			next_query = next_query->next;
-			adns_in_flight++;
-		}
-	}
-}
-
-static void recover_adns_die(void)
-{
-	struct adns_continuation *cr = NULL;
-
-	adns_pid = 0;
-	if(adns_restart_count < ADNS_RESTART_MAX) {
-		adns_restart_count++;
-
-		/* next DNS query will restart it */
-
-		/* we have to walk the list of the outstanding requests,
-		 * and redo them!
-		 */
-
-		cr = continuations;
-
-		/* find the head of the list */
-		if(continuations != NULL) {
-			for (; cr->previous != NULL; cr = cr->previous);
-		}
-
-		next_query = cr;
-
-		if(next_query != NULL) {
-			unsent_ADNS_queries = TRUE;
-		}
-	}
-}
-
-void reset_adns_restart_count(void)
-{
-	adns_restart_count=0;
-}
-
-void handle_adns_answer(void)
-{
-  /* These are retained across calls to handle_adns_answer. */
-	static size_t buflen = 0;   /* bytes in answer buffer */
-	static struct adns_answer buf;
-
-	ssize_t n;
-
-	passert(buflen < sizeof(buf));
-	n = read(adns_afd, (unsigned char *)&buf + buflen, sizeof(buf) - buflen);
-
-	if (n < 0)
-	{
-		if (errno != EINTR)
-		{
-			log_errno((e, "error reading answer from adns"));
-			/* ??? how can we recover? */
-		}
-		n = 0;  /* now n reflects amount read */
-	}
-	else if (n == 0)
-	{
-		/* EOF */
-		if (adns_in_flight != 0)
-		{
-			plog("EOF from ADNS with %d queries outstanding (restarts %d)"
-				 , adns_in_flight, adns_restart_count);
-			recover_adns_die();
-		}
-		if (buflen != 0)
-		{
-			plog("EOF from ADNS with %lu bytes of a partial answer outstanding"
-				 "(restarts %d)"
-				 , (unsigned long)buflen
-				 ,  adns_restart_count);
-			recover_adns_die();
-		}
-		stop_adns();
-		return;
-	}
-	else
-	{
-		passert(adns_in_flight > 0);
-	}
-
-	buflen += n;
-	while (buflen >= offsetof(struct adns_answer, ans) && buflen >= buf.len)
-	{
-		/* we've got a tasty answer -- process it */
-		err_t ugh;
-		struct adns_continuation *cr = continuation_for_qtid(buf.serial);       /* assume it works */
-		const char *typename = rr_typename(cr->query.type);
-		const char *name_buf = cr->query.name_buf;
-
-#ifdef USE_KEYRR
-		passert(cr->keys_from_dns == NULL);
-#endif /* USE_KEYRR */
-		passert(cr->gateways_from_dns == NULL);
-		adns_in_flight--;
-		if (buf.result == -1)
-		{
-			/* newer resolvers support statp->res_h_errno as well as h_errno.
-			 * That might be better, but older resolvers don't.
-			 * See resolver(3), if you have it.
-			 * The undocumented(!) h_errno values are defined in
-			 * /usr/include/netdb.h.
-			 */
-			switch (buf.h_errno_val)
-			{
-			case NO_DATA:
-				ugh = builddiag("no %s record for %s", typename, name_buf);
-				break;
-			case HOST_NOT_FOUND:
-				ugh = builddiag("no host %s for %s record", name_buf, typename);
-				break;
-			default:
-				ugh = builddiag("failure querying DNS for %s of %s: %s"
-					, typename, name_buf, hstrerror(buf.h_errno_val));
-				break;
-			}
-		}
-		else if (buf.result > (int) sizeof(buf.ans))
-		{
-			ugh = builddiag("(INTERNAL ERROR) answer too long (%ld) for buffer"
-				, (long)buf.result);
-		}
-		else
-		{
-			ugh = process_dns_answer(cr, buf.ans, buf.result);
-			if (ugh != NULL)
-				ugh = builddiag("failure processing %s record of DNS answer for %s: %s"
-					, typename, name_buf, ugh);
-		}
-		DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS,
-			DBG_log(BLANK_FORMAT);
-			if (ugh == NULL)
-				DBG_log("asynch DNS answer %lu for %s of %s"
-					, cr->query.serial, typename, name_buf);
-			else
-				DBG_log("asynch DNS answer %lu %s", cr->query.serial, ugh);
-			);
-
-		passert(GLOBALS_ARE_RESET());
-		cr->cont_fn(cr, ugh);
-		reset_globals();
-		release_adns_continuation(cr);
-
-		/* shift out answer that we've consumed */
-		buflen -= buf.len;
-		memmove((unsigned char *)&buf, (unsigned char *)&buf + buf.len, buflen);
-	}
-}
diff --git a/src/pluto/dnskey.h b/src/pluto/dnskey.h
deleted file mode 100644
index 39a406cbd..000000000
--- a/src/pluto/dnskey.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* Find public key in DNS
- * Copyright (C) 2000-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <utils/identification.h>
-
-extern int adns_qfd;   /* file descriptor for sending queries to adns */
-extern int adns_afd;   /* file descriptor for receiving answers from adns */
-extern const char *pluto_adns_option;   /* path from --pluto_adns */
-extern void init_adns(void);
-extern void stop_adns(void);
-extern void handle_adns_answer(void);
-
-extern bool unsent_ADNS_queries;
-extern void send_unsent_ADNS_queries(void);
-
-/* (common prefix of) stuff remembered between async query and answer.
- * Filled in by start_adns_query.
- * Freed by call to release_adns_continuation.
- */
-
-struct adns_continuation;       /* forward declaration (not far!) */
-
-typedef void (*cont_fn_t)(struct adns_continuation *cr, err_t ugh);
-
-struct adns_continuation {
-	unsigned long qtid;    /* query transaction id number */
-	int type;              /* T_TXT or T_KEY, selecting rr type of interest */
-	cont_fn_t cont_fn;     /* function to carry on suspended work */
-	identification_t *id;  /* subject of query */
-	bool sgw_specified;
-	identification_t *sgw_id; /* peer, if constrained */
-	lset_t debugging;      /* only used #ifdef DEBUG, but don't want layout to change */
-	struct gw_info *gateways_from_dns;  /* answer, if looking for our TXT rrs */
-#ifdef USE_KEYRR
-	struct pubkey_list *keys_from_dns;  /* answer, if looking for KEY rrs */
-#endif
-	struct adns_continuation *previous, *next;
-	struct pubkey *last_info;  /* the last structure we accumulated */
-	struct adns_query query;
-};
-
-extern err_t start_adns_query(identification_t *id       /* domain to query */
-	, identification_t *sgw_id   /* if non-null, any accepted gw_info must match */
-	, int type  /* T_TXT or T_KEY, selecting rr type of interest */
-	, cont_fn_t cont_fn /* continuation function */
-	, struct adns_continuation *cr);
-
-
-/* Gateway info gleaned from reverse DNS of client */
-struct gw_info {
-	unsigned refcnt;             /* reference counted! */
-	unsigned pref;               /* preference: lower is better */
-#define NO_TIME ((time_t) -2)    /* time_t value meaning "not_yet" */
-	identification_t* client_id; /* id of client of peer */
-	identification_t* gw_id;     /* id of peer (if id_is_ipaddr, .ip_addr is address) */
-	bool gw_key_present;
-	struct pubkey *key;
-	struct gw_info *next;
-};
-
-extern void gw_addref(struct gw_info *gw);
-extern void gw_delref(struct gw_info **gwp);
-extern void reset_adns_restart_count(void);
-
diff --git a/src/pluto/event_queue.c b/src/pluto/event_queue.c
deleted file mode 100644
index 602a013ee..000000000
--- a/src/pluto/event_queue.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <unistd.h>
-#include <fcntl.h>
-
-#include "event_queue.h"
-
-#include <debug.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-
-typedef struct private_event_queue_t private_event_queue_t;
-
-/**
- * Private data of event_queue_t class.
- */
-struct private_event_queue_t {
-	/**
-	 * Public event_queue_t interface.
-	 */
-	event_queue_t public;
-
-	/**
-	 * List of queued events (event_t*).
-	 */
-	linked_list_t *events;
-
-	/**
-	 * Mutex for event list.
-	 */
-	mutex_t *mutex;
-
-	/**
-	 * Read end of the notification pipe.
-	 */
-	int read_fd;
-
-	/**
-	 * Write end of the notification pipe.
-	 */
-	int write_fd;
-
-};
-
-typedef struct event_t event_t;
-
-struct event_t {
-	/**
-	 * Callback function.
-	 */
-	void (*callback)(void *data);
-
-	/**
-	 * Data to supply to the callback.
-	 */
-	void *data;
-
-	/**
-	 * Cleanup function.
-	 */
-	void (*cleanup)(void *data);
-};
-
-static event_t *event_create(void (*callback)(void *data), void *data,
-							 void (*cleanup)(void *data))
-{
-	event_t *this;
-	INIT(this,
-		.callback = callback,
-		.data = data,
-		.cleanup = cleanup,
-	);
-	return this;
-}
-
-static void event_destroy(event_t *this)
-{
-	if (this->cleanup)
-	{
-		this->cleanup(this->data);
-	}
-	free(this);
-}
-
-METHOD(event_queue_t, get_event_fd, int,
-	   private_event_queue_t *this)
-{
-	return this->read_fd;
-}
-
-METHOD(event_queue_t, handle, void,
-	   private_event_queue_t *this)
-{
-	char buf[10];
-	linked_list_t *events;
-	event_t *event;
-	this->mutex->lock(this->mutex);
-	/* flush pipe */
-	while (read(this->read_fd, &buf, sizeof(buf)) == sizeof(buf));
-	/* replace the list, so we can unlock the mutex while executing the jobs */
-	events = this->events;
-	this->events = linked_list_create();
-	this->mutex->unlock(this->mutex);
-
-	while (events->remove_first(events, (void**)&event) == SUCCESS)
-	{
-		event->callback(event->data);
-		event_destroy(event);
-	}
-	events->destroy(events);
-}
-
-METHOD(event_queue_t, queue, void,
-	   private_event_queue_t *this, void (*callback)(void *data), void *data,
-	   void (*cleanup)(void *data))
-{
-	event_t *event = event_create(callback, data, cleanup);
-	char c = 0;
-	this->mutex->lock(this->mutex);
-	this->events->insert_last(this->events, event);
-	ignore_result(write(this->write_fd, &c, 1));
-	this->mutex->unlock(this->mutex);
-}
-
-METHOD(event_queue_t, destroy, void,
-	   private_event_queue_t *this)
-{
-	this->mutex->lock(this->mutex);
-	this->events->destroy_function(this->events, (void*)event_destroy);
-	this->mutex->unlock(this->mutex);
-	this->mutex->destroy(this->mutex);
-	close(this->read_fd);
-	close(this->write_fd);
-	free(this);
-}
-
-static bool set_nonblock(int socket)
-{
-	int flags = fcntl(socket, F_GETFL);
-	return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1;
-}
-
-static bool set_cloexec(int socket)
-{
-	int flags = fcntl(socket, F_GETFD);
-	return flags != -1 && fcntl(socket, F_SETFD, flags | FD_CLOEXEC) != -1;
-}
-
-/*
- * Described in header.
- */
-event_queue_t *event_queue_create()
-{
-	private_event_queue_t *this;
-	int fd[2];
-
-	INIT(this,
-		.public = {
-			.get_event_fd = _get_event_fd,
-			.handle = _handle,
-			.queue = _queue,
-			.destroy = _destroy,
-		},
-		.events = linked_list_create(),
-		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-	);
-
-	if (pipe(fd) == -1 ||
-		!set_nonblock(fd[0]) || !set_cloexec(fd[0]) ||
-		!set_nonblock(fd[1]) || !set_cloexec(fd[1]))
-	{
-		DBG1(DBG_JOB, "failed to create pipe for job queue");
-		_destroy(this);
-		return NULL;
-	}
-
-	this->read_fd = fd[0];
-	this->write_fd = fd[1];
-
-	return &this->public;
-}
-
diff --git a/src/pluto/event_queue.h b/src/pluto/event_queue.h
deleted file mode 100644
index 343729e25..000000000
--- a/src/pluto/event_queue.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup event_queue event_queue
- * @{ @ingroup pluto
- */
-
-#ifndef EVENT_QUEUE_H_
-#define EVENT_QUEUE_H_
-
-typedef struct event_queue_t event_queue_t;
-
-/**
- * The event queue facility can be used to synchronize thread-pool threads
- * with the pluto main thread.  That is, all queued callbacks are executed
- * asynchronously by the pluto main thread.
- */
-struct event_queue_t {
-
-	/**
-	 * Returns the file descriptor used to notify the main thread.
-	 *
-	 * @return				fd to use in the main thread
-	 */
-	int (*get_event_fd) (event_queue_t *this);
-
-	/**
-	 * Handle all queued events.
-	 */
-	void (*handle) (event_queue_t *this);
-
-	/**
-	 * Add an event to the queue.
-	 *
-	 * @param callback		callback function to add to the queue
-	 * @param data			data supplied to the callback function
-	 * @param cleanup		optional cleanup function
-	 */
-	void (*queue) (event_queue_t *this, void (*callback)(void *data),
-				   void *data, void (*cleanup)(void *data));
-
-	/**
-	 * Destroy this instance.
-	 */
-	void (*destroy) (event_queue_t *this);
-
-};
-
-/**
- * Create the event queue.
- *
- * @return					created object
- */
-event_queue_t *event_queue_create();
-
-#endif /** EVENT_QUEUE_H_ @}*/
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
deleted file mode 100644
index 3dfc1386f..000000000
--- a/src/pluto/fetch.c
+++ /dev/null
@@ -1,766 +0,0 @@
-/* Dynamic fetching of X.509 CRLs
- * Copyright (C) 2002 Stephane Laroche <stephane.laroche@colubris.com>
- * Copyright (C) 2002-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/time.h>
-#include <time.h>
-#include <string.h>
-
-#ifdef THREADS
-#include <pthread.h>
-#endif
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <debug.h>
-#include <asn1/asn1.h>
-#include <credentials/certificates/certificate.h>
-#ifdef THREADS
-#include <threading/thread.h>
-#endif
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "x509.h"
-#include "ca.h"
-#include "whack.h"
-#include "ocsp.h"
-#include "crl.h"
-#include "fetch.h"
-#include "builder.h"
-
-fetch_req_t empty_fetch_req = {
-	NULL    , /* next */
-		  0 , /* trials */
-    NULL    , /* issuer */
-  { NULL, 0}, /* authKeyID */
-	NULL      /* distributionPoints */
-};
-
-/* chained list of crl fetch requests */
-static fetch_req_t *crl_fetch_reqs  = NULL;
-
-/* chained list of ocsp fetch requests */
-static ocsp_location_t *ocsp_fetch_reqs = NULL;
-
-#ifdef THREADS
-static thread_t *thread;
-static pthread_mutex_t certs_and_keys_mutex  = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t authcert_list_mutex   = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t crl_list_mutex        = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t ocsp_cache_mutex      = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t ca_info_list_mutex    = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t crl_fetch_list_mutex  = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t ocsp_fetch_list_mutex = PTHREAD_MUTEX_INITIALIZER;
-static pthread_mutex_t fetch_wake_mutex      = PTHREAD_MUTEX_INITIALIZER;
-static pthread_cond_t  fetch_wake_cond       = PTHREAD_COND_INITIALIZER;
-
-/**
- * lock access to my certs and keys
- */
-void lock_certs_and_keys(const char *who)
-{
-	pthread_mutex_lock(&certs_and_keys_mutex);
-	DBG(DBG_CONTROLMORE,
-		DBG_log("certs and keys locked by '%s'", who)
-	)
-}
-
-/**
- * Unlock access to my certs and keys
- */
-void unlock_certs_and_keys(const char *who)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("certs and keys unlocked by '%s'", who)
-	)
-	pthread_mutex_unlock(&certs_and_keys_mutex);
-}
-
-/**
- * Lock access to the chained authcert list
- */
-void lock_authcert_list(const char *who)
-{
-	pthread_mutex_lock(&authcert_list_mutex);
-	DBG(DBG_CONTROLMORE,
-		DBG_log("authcert list locked by '%s'", who)
-	)
-}
-
-/**
- * Unlock access to the chained authcert list
- */
-void unlock_authcert_list(const char *who)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("authcert list unlocked by '%s'", who)
-	)
-	pthread_mutex_unlock(&authcert_list_mutex);
-}
-
-/**
- * Lock access to the chained crl list
- */
-void lock_crl_list(const char *who)
-{
-	pthread_mutex_lock(&crl_list_mutex);
-	DBG(DBG_CONTROLMORE,
-		DBG_log("crl list locked by '%s'", who)
-	)
-}
-
-/**
- * Unlock access to the chained crl list
- */
-void unlock_crl_list(const char *who)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("crl list unlocked by '%s'", who)
-	)
-	pthread_mutex_unlock(&crl_list_mutex);
-}
-
-/**
- * Lock access to the ocsp cache
- */
-extern void lock_ocsp_cache(const char *who)
-{
-	pthread_mutex_lock(&ocsp_cache_mutex);
-	DBG(DBG_CONTROLMORE,
-		DBG_log("ocsp cache locked by '%s'", who)
-	)
-}
-
-/**
- * Unlock access to the ocsp cache
- */
-extern void unlock_ocsp_cache(const char *who)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("ocsp cache unlocked by '%s'", who)
-	)
-	pthread_mutex_unlock(&ocsp_cache_mutex);
-}
-
-/**
- * Lock access to the ca info list
- */
-extern void lock_ca_info_list(const char *who)
-{
-	pthread_mutex_lock(&ca_info_list_mutex);
-	DBG(DBG_CONTROLMORE,
-		DBG_log("ca info list locked by '%s'", who)
-	)
-}
-
-/**
- * Unlock access to the ca info list
- */
-extern void unlock_ca_info_list(const char *who)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("ca info list unlocked by '%s'", who)
-	)
-	pthread_mutex_unlock(&ca_info_list_mutex);
-}
-
-/**
- * Lock access to the chained crl fetch request list
- */
-static void lock_crl_fetch_list(const char *who)
-{
-	pthread_mutex_lock(&crl_fetch_list_mutex);
-	DBG(DBG_CONTROLMORE,
-		DBG_log("crl fetch request list locked by '%s'", who)
-	)
-}
-
-/**
- * Unlock access to the chained crl fetch request list
- */
-static void unlock_crl_fetch_list(const char *who)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("crl fetch request list unlocked by '%s'", who)
-	)
-	pthread_mutex_unlock(&crl_fetch_list_mutex);
-}
-
-/**
- * Lock access to the chained ocsp fetch request list
- */
-static void lock_ocsp_fetch_list(const char *who)
-{
-	pthread_mutex_lock(&ocsp_fetch_list_mutex);
-	DBG(DBG_CONTROLMORE,
-		DBG_log("ocsp fetch request list locked by '%s'", who)
-	)
-}
-
-/**
- * Unlock access to the chained ocsp fetch request list
- */
-static void unlock_ocsp_fetch_list(const char *who)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("ocsp fetch request list unlocked by '%s'", who)
-	)
-	pthread_mutex_unlock(&ocsp_fetch_list_mutex);
-}
-
-/**
- * Wakes up the sleeping fetch thread
- */
-void wake_fetch_thread(const char *who)
-{
-	if (crl_check_interval > 0)
-	{
-		DBG(DBG_CONTROLMORE,
-			DBG_log("fetch thread wake call by '%s'", who)
-		)
-		pthread_mutex_lock(&fetch_wake_mutex);
-		pthread_cond_signal(&fetch_wake_cond);
-		pthread_mutex_unlock(&fetch_wake_mutex);
-	}
-}
-#else /* !THREADS */
-#define lock_crl_fetch_list(who)    /* do nothing */
-#define unlock_crl_fetch_list(who)  /* do nothing */
-#define lock_ocsp_fetch_list(who)   /* do nothing */
-#define unlock_ocsp_fetch_list(who) /* do nothing */
-#endif /* !THREADS */
-
-/**
- *  Free the dynamic memory used to store fetch requests
- */
-static void free_fetch_request(fetch_req_t *req)
-{
-	req->distributionPoints->destroy_function(req->distributionPoints, free);
-	DESTROY_IF(req->issuer);
-	free(req->authKeyID.ptr);
-	free(req);
-}
-
-#ifdef THREADS
-/**
- * Fetch an ASN.1 blob coded in PEM or DER format from a URL
- */
-x509crl_t* fetch_crl(char *url)
-{
-	x509crl_t *crl;
-	chunk_t blob;
-
-	DBG1(DBG_LIB, "  fetching crl from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &blob, FETCH_END) != SUCCESS)
-	{
-		DBG1(DBG_LIB, "crl fetching failed");
-		return FALSE;
-	}
-	crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
-							 BUILD_BLOB_PEM, blob, BUILD_END);
-	free(blob.ptr);
-	if (!crl)
-	{
-		DBG1(DBG_LIB, "crl fetched successfully but data coded in unknown "
-			 "format");
-	}
-	return crl;
-}
-
-/**
- * Complete a distributionPoint URI with ca information
- */
-static char* complete_uri(char *distPoint, const char *ldaphost)
-{
-	char *symbol = strchr(distPoint, ':');
-
-	if (symbol)
-	{
-		int type_len = symbol - distPoint;
-
-		if (type_len >= 4 && strncasecmp(distPoint, "ldap", 4) == 0)
-		{
-			char *ptr  = symbol + 1;
-			int len = strlen(distPoint) - (type_len + 1);
-
-			if (len > 2 && *ptr++ == '/' && *ptr++ == '/')
-			{
-				len -= 2;
-				symbol = strchr(ptr, '/');
-
-				if (symbol && symbol - ptr == 0 && ldaphost)
-				{
-					char uri[BUF_LEN];
-
-					/* insert the ldaphost into the uri */
-					snprintf(uri, BUF_LEN, "%.*s%s%.*s",
-							 (int)strlen(distPoint) - len, distPoint, ldaphost,
-							 len, symbol);
-					return strdup(uri);
-				}
-			}
-		}
-	}
-
-	/* default action:  copy distributionPoint without change */
-	return strdup(distPoint);
-}
-
-/**
- * Try to fetch the crls defined by the fetch requests
- */
-static void fetch_crls(bool cache_crls)
-{
-	fetch_req_t *req;
-	fetch_req_t **reqp;
-
-	lock_crl_fetch_list("fetch_crls");
-	req  =  crl_fetch_reqs;
-	reqp = &crl_fetch_reqs;
-
-	while (req != NULL)
-	{
-		enumerator_t *enumerator;
-		char *point;
-		bool valid_crl = FALSE;
-		const char *ldaphost;
-		ca_info_t *ca;
-
-		lock_ca_info_list("fetch_crls");
-
-		ca = get_ca_info(req->issuer, req->authKeyID);
-		ldaphost = (ca == NULL)? NULL : ca->ldaphost;
-
-		enumerator = req->distributionPoints->create_enumerator(req->distributionPoints);
-		while (enumerator->enumerate(enumerator, &point))
-		{
-			x509crl_t *crl;
-			char *uri;
-
-			uri = complete_uri(point, ldaphost);
-			crl = fetch_crl(uri);
-			free(uri);
-
-			if (crl)
-			{
-				if (insert_crl(crl, point, cache_crls))
-				{
-					DBG(DBG_CONTROL,
-						DBG_log("we have a valid crl")
-					)
-					valid_crl = TRUE;
-					break;
-				}
-			}
-		}
-		enumerator->destroy(enumerator);
-		unlock_ca_info_list("fetch_crls");
-
-		if (valid_crl)
-		{
-			/* delete fetch request */
-			fetch_req_t *req_free = req;
-
-			req   = req->next;
-			*reqp = req;
-			free_fetch_request(req_free);
-		}
-		else
-		{
-			/* try again next time */
-			req->trials++;
-			reqp = &req->next;
-			req  =  req->next;
-		}
-	}
-	unlock_crl_fetch_list("fetch_crls");
-}
-
-static void fetch_ocsp_status(ocsp_location_t* location)
-{
-	chunk_t request = build_ocsp_request(location);
-	chunk_t response = chunk_empty;
-
-	DBG1(DBG_LIB, "  requesting ocsp status from '%s' ...", location->uri);
-	if (lib->fetcher->fetch(lib->fetcher, location->uri, &response,
-							FETCH_REQUEST_DATA, request,
-							FETCH_REQUEST_TYPE, "application/ocsp-request",
-							FETCH_END) == SUCCESS)
-	{
-		parse_ocsp(location, response);
-	}
-	else
-	{
-		DBG1(DBG_LIB, "ocsp request to %s failed", location->uri);
-	}
-
-	free(request.ptr);
-	chunk_free(&location->nonce);
-
-	/* increment the trial counter of the unresolved fetch requests */
-	{
-		ocsp_certinfo_t *certinfo = location->certinfo;
-
-		while (certinfo != NULL)
-		{
-			certinfo->trials++;
-			certinfo = certinfo->next;
-		}
-	}
-}
-
-/**
- * Try to fetch the necessary ocsp information
- */
-static void fetch_ocsp(void)
-{
-	ocsp_location_t *location;
-
-	lock_ocsp_fetch_list("fetch_ocsp");
-	location = ocsp_fetch_reqs;
-
-	/* fetch the ocps status for all locations */
-	while (location != NULL)
-	{
-		if (location->certinfo != NULL)
-		{
-			fetch_ocsp_status(location);
-		}
-		location = location->next;
-	}
-
-	unlock_ocsp_fetch_list("fetch_ocsp");
-}
-
-static void* fetch_thread(void *arg)
-{
-	struct timespec wait_interval;
-
-	/* the fetching thread is only cancellable while waiting for new events */
-	thread_cancelability(FALSE);
-
-	DBG(DBG_CONTROL,
-		DBG_log("fetch thread started")
-	)
-
-	pthread_mutex_lock(&fetch_wake_mutex);
-
-	while(1)
-	{
-		int status;
-
-		wait_interval.tv_nsec = 0;
-		wait_interval.tv_sec = time(NULL) + crl_check_interval;
-
-		DBG(DBG_CONTROL,
-			DBG_log("next regular crl check in %ld seconds", crl_check_interval)
-		)
-
-		thread_cancelability(TRUE);
-		status = pthread_cond_timedwait(&fetch_wake_cond, &fetch_wake_mutex
-										, &wait_interval);
-		thread_cancelability(FALSE);
-
-		if (status == ETIMEDOUT)
-		{
-			DBG(DBG_CONTROL,
-				DBG_log(" ");
-				DBG_log("*time to check crls and the ocsp cache")
-			)
-			check_ocsp();
-			check_crls();
-		}
-		else
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("fetch thread was woken up")
-			)
-		}
-		fetch_ocsp();
-		fetch_crls(cache_crls);
-	}
-	return NULL;
-}
-#endif /* THREADS*/
-
-/**
- * Initializes curl and starts the fetching thread
- */
-void fetch_initialize(void)
-{
-	if (crl_check_interval > 0)
-	{
-#ifdef THREADS
-		thread = thread_create((thread_main_t)fetch_thread, NULL);
-		if (thread == NULL)
-		{
-			plog("fetching thread could not be started");
-		}
-#else   /* !THREADS */
-		plog("warning: not compiled with pthread support");
-#endif  /* !THREADS */
-	}
-}
-
-/**
- * Terminates the fetching thread
- */
-void fetch_finalize(void)
-{
-	if (crl_check_interval > 0)
-	{
-#ifdef THREADS
-		if (thread)
-		{
-			thread->cancel(thread);
-			thread->join(thread);
-		}
-#endif
-	}
-}
-
-void free_crl_fetch(void)
-{
-   lock_crl_fetch_list("free_crl_fetch");
-
-	while (crl_fetch_reqs != NULL)
-	{
-		fetch_req_t *req = crl_fetch_reqs;
-		crl_fetch_reqs = req->next;
-		free_fetch_request(req);
-	}
-
-	unlock_crl_fetch_list("free_crl_fetch");
-}
-
-/**
- * Free the chained list of ocsp requests
- */
-void free_ocsp_fetch(void)
-{
-	lock_ocsp_fetch_list("free_ocsp_fetch");
-	free_ocsp_locations(&ocsp_fetch_reqs);
-	unlock_ocsp_fetch_list("free_ocsp_fetch");
-}
-
-
-/**
- * Add an additional distribution point
- */
-void add_distribution_point(linked_list_t *points, char *new_point)
-{
-	char *point;
-	bool add = TRUE;
-	enumerator_t *enumerator;
-
-	if (new_point == NULL || *new_point == '\0')
-	{
-		return;
-	}
-
-	enumerator = points->create_enumerator(points);
-	while (enumerator->enumerate(enumerator, &point))
-	{
-		if (streq(point, new_point))
-		{
-			add = FALSE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (add)
-	{
-		points->insert_last(points, strdup(new_point));
-	}
-}
-
-/**
- * Add additional distribution points
- */
-void add_distribution_points(linked_list_t *points, linked_list_t *new_points)
-{
-	char *new_point;
-	enumerator_t *enumerator;
-
-	enumerator = new_points->create_enumerator(new_points);
-	while (enumerator->enumerate(enumerator, &new_point))
-	{
-		bool add = TRUE;
-		char *point;
-		enumerator_t *enumerator;
-
-		enumerator = points->create_enumerator(points);
-		while (enumerator->enumerate(enumerator, &point))
-		{
-			if (streq(point, new_point))
-			{
-				add = FALSE;
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-
-		if (add)
-		{
-			points->insert_last(points, strdup(new_point));
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-fetch_req_t* build_crl_fetch_request(identification_t *issuer,
-									 chunk_t authKeyID,
-									 linked_list_t *distributionPoints)
-{
-	char *point;
-	enumerator_t *enumerator;
-	fetch_req_t *req = malloc_thing(fetch_req_t);
-
-	memset(req, 0, sizeof(fetch_req_t));
-	req->distributionPoints = linked_list_create();
-
-	/* clone fields */
-	req->issuer = issuer->clone(issuer);
-	req->authKeyID = chunk_clone(authKeyID);
-
-	/* copy distribution points */
-	enumerator = distributionPoints->create_enumerator(distributionPoints);
-	while (enumerator->enumerate(enumerator, &point))
-	{
-		req->distributionPoints->insert_last(req->distributionPoints,
-											 strdup(point));
-	}
-	enumerator->destroy(enumerator);
-
-	return req;
-}
-
-/**
- * Add a crl fetch request to the chained list
- */
-void add_crl_fetch_request(fetch_req_t *req)
-{
-	fetch_req_t *r;
-
-	lock_crl_fetch_list("add_crl_fetch_request");
-	r = crl_fetch_reqs;
-
-	while (r != NULL)
-	{
-		if (req->authKeyID.ptr ? same_keyid(req->authKeyID, r->authKeyID) :
-			req->issuer->equals(req->issuer, r->issuer))
-		{
-			/* there is already a fetch request */
-			DBG(DBG_CONTROL,
-				DBG_log("crl fetch request already exists")
-			)
-
-			/* there might be new distribution points */
-			add_distribution_points(r->distributionPoints,
-									req->distributionPoints);
-
-			unlock_crl_fetch_list("add_crl_fetch_request");
-			free_fetch_request(req);
-			return;
-		}
-		r = r->next;
-	}
-
-	/* insert new fetch request at the head of the queue */
-	req->next = crl_fetch_reqs;
-	crl_fetch_reqs = req;
-
-	DBG(DBG_CONTROL,
-		DBG_log("crl fetch request added")
-	)
-	unlock_crl_fetch_list("add_crl_fetch_request");
-}
-
-/**
- * Add an ocsp fetch request to the chained list
- */
-void add_ocsp_fetch_request(ocsp_location_t *location, chunk_t serialNumber)
-{
-	ocsp_certinfo_t certinfo;
-
-	certinfo.serialNumber = serialNumber;
-
-	lock_ocsp_fetch_list("add_ocsp_fetch_request");
-	add_certinfo(location, &certinfo, &ocsp_fetch_reqs, TRUE);
-	unlock_ocsp_fetch_list("add_ocsp_fetch_request");
-}
-
-/**
- * List all distribution points
- */
-void list_distribution_points(linked_list_t *distributionPoints)
-{
-	char *point;
-	bool first_point = TRUE;
-	enumerator_t *enumerator;
-
-	enumerator = distributionPoints->create_enumerator(distributionPoints);
-	while (enumerator->enumerate(enumerator, &point))
-	{
-		whack_log(RC_COMMENT, "  %s '%s'",
-				 (first_point)? "distPts: " : "         ", point);
-		first_point = FALSE;
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- *  List all fetch requests in the chained list
- */
-void list_crl_fetch_requests(bool utc)
-{
-	fetch_req_t *req;
-
-	lock_crl_fetch_list("list_crl_fetch_requests");
-	req = crl_fetch_reqs;
-
-	if (req != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of CRL Fetch Requests:");
-	}
-
-	while (req != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "  trials:    %d", req->trials);
-		whack_log(RC_COMMENT, "  issuer:   \"%Y\"", req->issuer);
-		if (req->authKeyID.ptr)
-		{
-			whack_log(RC_COMMENT, "  authkey:   %#B", &req->authKeyID);
-		}
-		list_distribution_points(req->distributionPoints);
-		req = req->next;
-	}
-	unlock_crl_fetch_list("list_crl_fetch_requests");
-}
-
-void list_ocsp_fetch_requests(bool utc)
-{
-	lock_ocsp_fetch_list("list_ocsp_fetch_requests");
-	list_ocsp_locations(ocsp_fetch_reqs, TRUE, utc, FALSE);
-	unlock_ocsp_fetch_list("list_ocsp_fetch_requests");
-
-}
diff --git a/src/pluto/fetch.h b/src/pluto/fetch.h
deleted file mode 100644
index 265dc5fe7..000000000
--- a/src/pluto/fetch.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/* Dynamic fetching of X.509 CRLs
- * Copyright (C) 2002 Stephane Laroche <stephane.laroche@colubris.com>
- * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-
-#include "x509.h"
-
-#define FETCH_CMD_TIMEOUT       10      /* seconds */
-
-struct ocsp_location;   /* forward declaration of ocsp_location defined in ocsp.h */
-
-typedef enum {
-	FETCH_GET =  1,
-	FETCH_POST = 2
-} fetch_request_t;
-
-typedef struct fetch_req fetch_req_t;
-
-struct fetch_req {
-	fetch_req_t      *next;
-	int               trials;
-	identification_t *issuer;
-	chunk_t           authKeyID;
-	linked_list_t    *distributionPoints;
-};
-
-#ifdef THREADS
-extern void lock_crl_list(const char *who);
-extern void unlock_crl_list(const char *who);
-extern void lock_ocsp_cache(const char *who);
-extern void unlock_ocsp_cache(const char *who);
-extern void lock_ca_info_list(const char *who);
-extern void unlock_ca_info_list(const char *who);
-extern void lock_authcert_list(const char *who);
-extern void unlock_authcert_list(const char *who);
-extern void lock_certs_and_keys(const char *who);
-extern void unlock_certs_and_keys(const char *who);
-extern void wake_fetch_thread(const char *who);
-#else
-#define lock_crl_list(who)          /* do nothing */
-#define unlock_crl_list(who)        /* do nothing */
-#define lock_ocsp_cache(who)        /* do nothing */
-#define unlock_ocsp_cache(who)      /* do nothing */
-#define lock_ca_info_list(who)      /* do nothing */
-#define unlock_ca_info_list(who)    /* do nothing */
-#define lock_authcert_list(who)     /* do nothing */
-#define unlock_authcert_list(who)   /* do nothing */
-#define lock_certs_and_keys(who)    /* do nothing */
-#define unlock_certs_and_keys(who)  /* do nothing */
-#define wake_fetch_thread(who)      /* do nothing */
-#endif
-extern void fetch_initialize(void);
-extern void fetch_finalize(void);
-extern void free_crl_fetch(void);
-extern void free_ocsp_fetch(void);
-extern void add_distribution_point(linked_list_t *points, char* new_point);
-extern void add_distribution_points(linked_list_t *points,
-									linked_list_t *new_points);
-extern fetch_req_t* build_crl_fetch_request(identification_t *issuer,
-											chunk_t authKeyID,
-											linked_list_t *distributionPoints);
-extern void add_crl_fetch_request(fetch_req_t *req);
-extern void add_ocsp_fetch_request(struct ocsp_location *location,
-								   chunk_t serialNumber);
-extern void list_distribution_points(linked_list_t *distributionPoints);
-extern void list_crl_fetch_requests(bool utc);
-extern void list_ocsp_fetch_requests(bool utc);
-extern size_t write_buffer(void *ptr, size_t size, size_t nmemb, void *data);
-
diff --git a/src/pluto/foodgroups.c b/src/pluto/foodgroups.c
deleted file mode 100644
index e4f9a1d01..000000000
--- a/src/pluto/foodgroups.c
+++ /dev/null
@@ -1,450 +0,0 @@
-/* Implement policy groups-style control files (aka "foodgroups")
- * Copyright (C) 2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-#include <stdio.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "connections.h"
-#include "foodgroups.h"
-#include "kernel.h"
-#include "lex.h"
-#include "log.h"
-#include "whack.h"
-
-
-/* Food group config files are found in directory fg_path */
-
-#ifndef POLICYGROUPSDIR
-#define POLICYGROUPSDIR IPSEC_CONFDIR "/ipsec.d/policies"
-#endif
-
-const char *policygroups_dir = POLICYGROUPSDIR;
-
-static char *fg_path = NULL;
-static size_t fg_path_space = 0;
-
-
-/* Groups is a list of connections that are policy groups.
- * The list is updated as group connections are added and deleted.
- */
-
-struct fg_groups {
-	struct fg_groups *next;
-	connection_t *connection;
-};
-
-static struct fg_groups *groups = NULL;
-
-
-/* Targets is a list of pairs: subnet and its policy group.
- * This list is bulk-updated on whack --listen and
- * incrementally updated when group connections are deleted.
- *
- * It is ordered by source subnet, and if those are equal, then target subnet.
- * A subnet is compared by comparing the network, and if those are equal,
- * comparing the mask.
- */
-
-struct fg_targets {
-	struct fg_targets *next;
-	struct fg_groups *group;
-	ip_subnet subnet;
-	char *name; /* name of instance of group conn */
-};
-
-static struct fg_targets *targets = NULL;
-
-struct fg_targets *new_targets;
-
-/* ipcmp compares the two ip_address values a and b.
- * It returns -1, 0, or +1 if a is, respectively,
- * less than, equal to, or greater than b.
- */
-static int ipcmp(ip_address *a, ip_address *b)
-{
-	if (addrtypeof(a) != addrtypeof(b))
-	{
-		return addrtypeof(a) < addrtypeof(b)? -1 : 1;
-	}
-	else if (sameaddr(a, b))
-	{
-		return 0;
-	}
-	else
-	{
-		const struct sockaddr *sa = sockaddrof(a)
-			, *sb = sockaddrof(b);
-
-		passert(addrtypeof(a) == AF_INET);      /* not yet implemented IPv6 version :-( */
-		return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr)
-			< ntohl(((const struct sockaddr_in *)sb)->sin_addr.s_addr))
-			? -1 : 1;
-	}
-}
-
-/* subnetcmp compares the two ip_subnet values a and b.
- * It returns -1, 0, or +1 if a is, respectively,
- * less than, equal to, or greater than b.
- */
-static int subnetcmp(const ip_subnet *a, const ip_subnet *b)
-{
-	ip_address neta, maska, netb, maskb;
-	int r;
-
-	networkof(a, &neta);
-	maskof(a, &maska);
-	networkof(b, &netb);
-	maskof(b, &maskb);
-	r = ipcmp(&neta, &netb);
-	if (r == 0)
-		r = ipcmp(&maska, &maskb);
-	return r;
-}
-
-static void read_foodgroup(struct fg_groups *g)
-{
-	const char *fgn = g->connection->name;
-	const ip_subnet *lsn = &g->connection->spd.this.client;
-	size_t plen = strlen(policygroups_dir) + 1 + strlen(fgn) + 1;
-	struct file_lex_position flp_space;
-
-	if (plen > fg_path_space)
-	{
-		free(fg_path);
-		fg_path_space = plen + 10;
-		fg_path = malloc(fg_path_space);
-	}
-	snprintf(fg_path, fg_path_space, "%s/%s", policygroups_dir, fgn);
-	if (!lexopen(&flp_space, fg_path, TRUE))
-	{
-		DBG(DBG_CONTROL, DBG_log("no group file \"%s\"", fg_path));
-	}
-	else
-	{
-		plog("loading group \"%s\"", fg_path);
-		for (;;)
-		{
-			switch (flp->bdry)
-			{
-			case B_none:
-				{
-					/* !!! this test is not sufficient for distinguishing address families.
-					 * We need a notation to specify that a FQDN is to be resolved to IPv6.
-					 */
-					const struct af_info *afi = strchr(tok, ':') == NULL
-						? &af_inet4_info: &af_inet6_info;
-					ip_subnet sn;
-					err_t ugh;
-
-					if (strchr(tok, '/') == NULL)
-					{
-						/* no /, so treat as /32 or V6 equivalent */
-						ip_address t;
-
-						ugh = ttoaddr(tok, 0, afi->af, &t);
-						if (ugh == NULL)
-							ugh = addrtosubnet(&t, &sn);
-					}
-					else
-					{
-						ugh = ttosubnet(tok, 0, afi->af, &sn);
-					}
-
-					if (ugh != NULL)
-					{
-						loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s \"%s\""
-							, flp->filename, flp->lino, ugh, tok);
-					}
-					else if (afi->af != AF_INET)
-					{
-						loglog(RC_LOG_SERIOUS
-							, "\"%s\" line %d: unsupported Address Family \"%s\""
-							, flp->filename, flp->lino, tok);
-					}
-					else
-					{
-						/* Find where new entry ought to go in new_targets. */
-						struct fg_targets **pp;
-						int r;
-
-						for (pp = &new_targets; ; pp = &(*pp)->next)
-						{
-							if (*pp == NULL)
-							{
-								r = -1; /* end of list is infinite */
-								break;
-							}
-							r = subnetcmp(lsn, &(*pp)->group->connection->spd.this.client);
-							if (r == 0)
-								r = subnetcmp(&sn, &(*pp)->subnet);
-							if (r <= 0)
-								break;
-						}
-
-						if (r == 0)
-						{
-							char source[SUBNETTOT_BUF];
-
-							subnettot(lsn, 0, source, sizeof(source));
-							loglog(RC_LOG_SERIOUS
-								, "\"%s\" line %d: subnet \"%s\", source %s, already \"%s\""
-								, flp->filename
-								, flp->lino
-								, tok
-								, source
-								, (*pp)->group->connection->name);
-						}
-						else
-						{
-							struct fg_targets *f = malloc_thing(struct fg_targets);
-
-							f->next = *pp;
-							f->group = g;
-							f->subnet = sn;
-							f->name = NULL;
-							*pp = f;
-						}
-					}
-				}
-				(void)shift();  /* next */
-				continue;
-
-			case B_record:
-				flp->bdry = B_none;     /* eat the Record Boundary */
-				(void)shift();  /* get real first token */
-				continue;
-
-			case B_file:
-				break;  /* done */
-			}
-			break;      /* if we reach here, out of loop */
-		}
-		lexclose();
-	}
-}
-
-static void free_targets(void)
-{
-	while (targets != NULL)
-	{
-		struct fg_targets *t = targets;
-
-		targets = t->next;
-		free(t->name);
-		free(t);
-	}
-}
-
-void load_groups(void)
-{
-	passert(new_targets == NULL);
-
-	/* for each group, add config file targets into new_targets */
-	{
-		struct fg_groups *g;
-
-		for (g = groups; g != NULL; g = g->next)
-			if (oriented(*g->connection))
-				read_foodgroup(g);
-	}
-
-	/* dump new_targets */
-	DBG(DBG_CONTROL,
-		{
-			struct fg_targets *t;
-
-			for (t = new_targets; t != NULL; t = t->next)
-			{
-				char asource[SUBNETTOT_BUF];
-				char atarget[SUBNETTOT_BUF];
-
-				subnettot(&t->group->connection->spd.this.client
-					, 0, asource, sizeof(asource));
-				subnettot(&t->subnet, 0, atarget, sizeof(atarget));
-				DBG_log("%s->%s %s"
-					, asource, atarget
-					, t->group->connection->name);
-			}
-		});
-
-	/* determine and deal with differences between targets and new_targets.
-	 * structured like a merge.
-	 */
-	{
-		struct fg_targets *op = targets
-			, *np = new_targets;
-
-		while (op != NULL && np != NULL)
-		{
-			int r = subnetcmp(&op->group->connection->spd.this.client
-				, &np->group->connection->spd.this.client);
-
-			if (r == 0)
-				r = subnetcmp(&op->subnet, &np->subnet);
-
-			if (r == 0 && op->group == np->group)
-			{
-				/* unchanged -- steal name & skip over */
-				np->name = op->name;
-				op->name = NULL;
-				op = op->next;
-				np = np->next;
-			}
-			else
-			{
-				/* note: following cases overlap! */
-				if (r <= 0)
-				{
-					remove_group_instance(op->group->connection, op->name);
-					op = op->next;
-				}
-				if (r >= 0)
-				{
-					np->name = add_group_instance(np->group->connection, &np->subnet);
-					np = np->next;
-				}
-			}
-		}
-		for (; op != NULL; op = op->next)
-			remove_group_instance(op->group->connection, op->name);
-		for (; np != NULL; np = np->next)
-			np->name = add_group_instance(np->group->connection, &np->subnet);
-
-		/* update: new_targets replaces targets */
-		free_targets();
-		targets = new_targets;
-		new_targets = NULL;
-	}
-}
-
-
-void add_group(connection_t *c)
-{
-	struct fg_groups *g = malloc_thing(struct fg_groups);
-
-	g->next = groups;
-	groups = g;
-
-	g->connection = c;
-}
-
-static struct fg_groups *find_group(const connection_t *c)
-{
-	struct fg_groups *g;
-
-	for (g = groups; g != NULL && g->connection != c; g = g->next)
-		;
-	return g;
-}
-
-void route_group(connection_t *c)
-{
-	/* it makes no sense to route a connection that is ISAKMP-only */
-	if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
-	{
-		loglog(RC_ROUTE, "cannot route an ISAKMP-only group connection");
-	}
-	else
-	{
-		struct fg_groups *g = find_group(c);
-		struct fg_targets *t;
-
-		passert(g != NULL);
-		g->connection->policy |= POLICY_GROUTED;
-		for (t = targets; t != NULL; t = t->next)
-		{
-			if (t->group == g)
-			{
-				connection_t *ci = con_by_name(t->name, FALSE);
-
-				if (ci != NULL)
-				{
-					set_cur_connection(ci);
-					if (!trap_connection(ci))
-						whack_log(RC_ROUTE, "could not route");
-					set_cur_connection(c);
-				}
-			}
-		}
-	}
-}
-
-void unroute_group(connection_t *c)
-{
-	struct fg_groups *g = find_group(c);
-	struct fg_targets *t;
-
-	passert(g != NULL);
-	g->connection->policy &= ~POLICY_GROUTED;
-	for (t = targets; t != NULL; t = t->next)
-	{
-		if (t->group == g)
-		{
-			connection_t *ci = con_by_name(t->name, FALSE);
-
-			if (ci != NULL)
-			{
-				set_cur_connection(ci);
-				unroute_connection(ci);
-				set_cur_connection(c);
-			}
-		}
-	}
-}
-
-void delete_group(const connection_t *c)
-{
-	struct fg_groups *g;
-
-	/* find and remove from groups */
-	{
-		struct fg_groups **pp;
-
-		for (pp = &groups; (g = *pp)->connection != c; pp = &(*pp)->next)
-			;
-
-		*pp = g->next;
-	}
-
-	/* find and remove from targets */
-	{
-		struct fg_targets **pp;
-
-		for (pp = &targets; *pp != NULL; )
-		{
-			struct fg_targets *t = *pp;
-
-			if (t->group == g)
-			{
-				*pp = t->next;
-				remove_group_instance(t->group->connection, t->name);
-				free(t);
-				/* pp is ready for next iteration */
-			}
-			else
-			{
-				pp = &t->next;
-			}
-		}
-	}
-
-	free(g);
-}
diff --git a/src/pluto/foodgroups.h b/src/pluto/foodgroups.h
deleted file mode 100644
index b6d3386ae..000000000
--- a/src/pluto/foodgroups.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* Implement policygroups-style control files (aka "foodgroups")
- * Copyright (C) 2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-struct connection;      /* forward declaration */
-extern void add_group(struct connection *c);
-extern void route_group(struct connection *c);
-extern void unroute_group(struct connection *c);
-extern void delete_group(const struct connection *c);
-
-extern const char *policygroups_dir;
-extern void load_groups(void);
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
deleted file mode 100644
index 3061630e0..000000000
--- a/src/pluto/ike_alg.c
+++ /dev/null
@@ -1,452 +0,0 @@
-/* IKE modular algorithm handling interface
- * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <debug.h>
-#include <credentials/keys/public_key.h>
-#include <credentials/keys/private_key.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/prfs/prf.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "crypto.h"
-#include "state.h"
-#include "packet.h"
-#include "keys.h"
-#include "log.h"
-#include "whack.h"
-#include "spdb.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-#include "db_ops.h"
-#include "connections.h"
-#include "kernel.h"
-
-#define return_on(var, val) do { var=val;goto return_out; } while(0);
-
-/**
- * IKE algorithm list handling - registration and lookup
- */
-
-/* Modular IKE algorithm storage structure */
-
-static struct ike_alg *ike_alg_base[IKE_ALG_MAX+1] = {NULL, NULL};
-
-/**
- * Return ike_algo object by {type, id}
- */
-static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id,
-									u_int keysize __attribute__((unused)))
-{
-	struct ike_alg *e = ike_alg_base[algo_type];
-
-	while (e != NULL && algo_id > e->algo_id)
-	{
-		e = e->algo_next;
-	}
-	return (e != NULL && e->algo_id == algo_id) ? e : NULL;
-}
-
-/**
- * "raw" ike_alg list adding function
- */
-int ike_alg_add(struct ike_alg* a, const char *plugin_name)
-{
-	if (a->algo_type > IKE_ALG_MAX)
-	{
-		plog("ike_alg: Not added, invalid algorithm type");
-		return -EINVAL;
-	}
-
-	if (ike_alg_find(a->algo_type, a->algo_id, 0) != NULL)
-	{
-		plog("ike_alg: Not added, algorithm already exists");
-		return -EEXIST;
-	}
-
-	{
-		struct ike_alg **ep = &ike_alg_base[a->algo_type];
-		struct ike_alg *e = *ep;
-
-		while (e != NULL && a->algo_id > e->algo_id)
-		{
-			ep = &e->algo_next;
-			e = *ep;
-		}
-		*ep = a;
-		a->plugin_name = plugin_name;
-		a->algo_next = e;
-		return 0;
-	}
-}
-
-/**
- * Get IKE hash algorithm
- */
-struct hash_desc *ike_alg_get_hasher(u_int alg)
-{
-	return (struct hash_desc *) ike_alg_find(IKE_ALG_HASH, alg, 0);
-}
-
-/**
- * Get IKE encryption algorithm
- */
-struct encrypt_desc *ike_alg_get_crypter(u_int alg)
-{
-	return (struct encrypt_desc *) ike_alg_find(IKE_ALG_ENCRYPT, alg, 0);
-}
-
-/**
- * Get IKE dh group
- */
-struct dh_desc *ike_alg_get_dh_group(u_int alg)
-{
-	return (struct dh_desc *) ike_alg_find(IKE_ALG_DH_GROUP, alg, 0);
-}
-
-/**
- * Get pfsgroup for this connection
- */
-const struct dh_desc *ike_alg_pfsgroup(connection_t *c, lset_t policy)
-{
-	const struct dh_desc *ret = NULL;
-
-	if ((policy & POLICY_PFS) &&
-		c->alg_info_esp && c->alg_info_esp->esp_pfsgroup)
-	{
-		ret = ike_alg_get_dh_group(c->alg_info_esp->esp_pfsgroup);
-	}
-	return ret;
-}
-
-/**
- * Create an OAKLEY proposal based on alg_info and policy
- */
-struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
-{
-	struct alg_info_ike *ai = c->alg_info_ike;
-	struct db_context *db_ctx = NULL;
-	struct ike_info *ike_info;
-	u_int ealg, halg, modp, eklen = 0;
-	int i;
-
-	bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
-
-	if (!ai)
-	{
-		whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
-								  "for this connection "
-								  "(check ike algorithm string)");
-		goto fail;
-	}
-	policy &= POLICY_ID_AUTH_MASK;
-	db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5);
-
-	/* for each group */
-	ALG_INFO_IKE_FOREACH(ai, ike_info, i)
-	{
-		ealg = ike_info->ike_ealg;
-		halg = ike_info->ike_halg;
-		modp = ike_info->ike_modp;
-		eklen= ike_info->ike_eklen;
-
-		if (!ike_alg_get_crypter(ealg))
-		{
-			plog("ike alg: crypter %s not present",
-					enum_show(&oakley_enc_names, ealg));
-			continue;
-		}
-		if (!ike_alg_get_hasher(halg))
-		{
-			plog("ike alg: hasher %s not present",
-					enum_show(&oakley_hash_names, halg));
-			continue;
-		}
-		if (!ike_alg_get_dh_group(modp))
-		{
-			plog("ike alg: dh group %s not present",
-					enum_show(&oakley_group_names, modp));
-			continue;
-		}
-
-		if (policy & POLICY_PUBKEY)
-		{
-			int auth_method = 0, key_size = 0;
-			key_type_t key_type = KEY_ANY;
-
-			if (c->spd.this.cert)
-			{
-				certificate_t *certificate = c->spd.this.cert->cert;
-				public_key_t *key = certificate->get_public_key(certificate);
-
-				if (key == NULL)
-				{
-					plog("ike alg: unable to retrieve my public key");
-					continue;
-				}
-				key_type = key->get_type(key);
-				key_size = key->get_keysize(key);
-				key->destroy(key);
-			}
-			else
-			{
-				private_key_t *key = get_private_key(c);
-
-				if (key == NULL)
-				{
-					plog("ike alg: unable to retrieve my private key");
-					continue;
-				}
-				key_type = key->get_type(key);
-				key_size = key->get_keysize(key);
-			}
-			switch (key_type)
-			{
-				case KEY_RSA:
-					auth_method = OAKLEY_RSA_SIG;
-					break;
-				case KEY_ECDSA:
-					switch (key_size)
-					{
-						case 256:
-							auth_method = OAKLEY_ECDSA_256;
-							break;
-						case 384:
-							auth_method = OAKLEY_ECDSA_384;
-							break;
-						case 521:
-							auth_method = OAKLEY_ECDSA_521;
-							break;
-						default:
-							continue;
-					}
-					break;
-				default:
-					continue;
-			}
-			db_trans_add(db_ctx, KEY_IKE);
-			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-			if (eklen)
-			{
-				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-			}
-			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, auth_method);
-			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
-		}
-
-		if (policy & POLICY_PSK)
-		{
-			db_trans_add(db_ctx, KEY_IKE);
-			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-			if (eklen)
-			{
-				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-			}
-			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
-			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
-		}
-
-		if (policy & POLICY_XAUTH_RSASIG)
-		{
-			db_trans_add(db_ctx, KEY_IKE);
-			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-			if (eklen)
-			{
-				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-			}
-			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
-				, is_xauth_server ? XAUTHRespRSA : XAUTHInitRSA);
-			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
-		}
-
-		if (policy & POLICY_XAUTH_PSK)
-		{
-			db_trans_add(db_ctx, KEY_IKE);
-			db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
-			db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
-			if (eklen)
-			{
-				db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
-			}
-			db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
-				, is_xauth_server ? XAUTHRespPreShared : XAUTHInitPreShared);
-			db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
-		}
-	}
-fail:
-	return db_ctx;
-}
-
-/**
- * Print the name of an algorithm plus the name of the plugin that registered it
- */
-static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type,
-					  const char *plugin_name)
-{
-	char alg_name[BUF_LEN];
-	int alg_name_len;
-
-	alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type),
-						   plugin_name);
-	if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
-	{
-		whack_log(RC_COMMENT, "%s", buf);
-		*len = sprintf(buf, "             ");
-	}
-	sprintf(buf + *len, "%s", alg_name);
-	*len += alg_name_len;
-}
-
-/**
- * Show registered IKE algorithms
- */
-void ike_alg_list(void)
-{
-	rng_quality_t quality;
-	enumerator_t *enumerator;
-	const char *plugin_name;
-	char buf[BUF_LEN];
-	int len;
-	struct ike_alg *a;
-
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:");
-	whack_log(RC_COMMENT, " ");
-
-	len = sprintf(buf, "  encryption:");
-	for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
-	{
-	    print_alg(buf, &len, &oakley_enc_names, a->algo_id, a->plugin_name);
-	}
-	whack_log(RC_COMMENT, "%s", buf);
-
-	len = sprintf(buf, "  integrity: ");
-	for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
-	{
-	    print_alg(buf, &len, &oakley_hash_names, a->algo_id, a->plugin_name);
-	}
-	whack_log(RC_COMMENT, "%s", buf);
-
-	len = sprintf(buf, "  dh-group:  ");
-	for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next)
-	{
-	    print_alg(buf, &len, &oakley_group_names, a->algo_id, a->plugin_name);
-	}
-	whack_log(RC_COMMENT, "%s", buf);
-
-	len = sprintf(buf, "  random-gen:");
-	enumerator = lib->crypto->create_rng_enumerator(lib->crypto);
-	while (enumerator->enumerate(enumerator, &quality, &plugin_name))
-	{
-	    len += sprintf(buf + len, " %N[%s]", rng_quality_names, quality,
-											 plugin_name);
-	}
-	enumerator->destroy(enumerator);
-	whack_log(RC_COMMENT, "%s", buf);
-}
-
-/**
- * Show IKE algorithms for this connection (result from ike= string)
- * and newest SA
- */
-void ike_alg_show_connection(connection_t *c, const char *instance)
-{
-	struct state *st = state_with_serialno(c->newest_isakmp_sa);
-
-	if (st)
-	{
-		if (st->st_oakley.encrypt == OAKLEY_3DES_CBC)
-		{
-			whack_log(RC_COMMENT,
-					"\"%s\"%s:   IKE proposal: %s/%s/%s",
-					c->name, instance,
-					enum_show(&oakley_enc_names, st->st_oakley.encrypt),
-					enum_show(&oakley_hash_names, st->st_oakley.hash),
-					enum_show(&oakley_group_names, st->st_oakley.group->algo_id)
-			);
-		}
-		else
-		{
-			whack_log(RC_COMMENT,
-					"\"%s\"%s:   IKE proposal: %s_%u/%s/%s",
-					c->name, instance,
-					enum_show(&oakley_enc_names, st->st_oakley.encrypt),
-					st->st_oakley.enckeylen,
-					enum_show(&oakley_hash_names, st->st_oakley.hash),
-					enum_show(&oakley_group_names, st->st_oakley.group->algo_id)
-			);
-		}
-	}
-}
-
-/**
- * ML: make F_STRICT logic consider enc,hash/auth,modp algorithms
- */
-bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group,
-					  struct alg_info_ike *alg_info_ike)
-{
-	/*
-	 * simple test to discard low key_len, will accept it only
-	 * if specified in "esp" string
-	 */
-	bool ealg_insecure = (key_len < 128);
-
-	if (ealg_insecure
-	|| (alg_info_ike && alg_info_ike->alg_info_flags & ALG_INFO_F_STRICT))
-	{
-		int i;
-		struct ike_info *ike_info;
-
-		if (alg_info_ike)
-		{
-			ALG_INFO_IKE_FOREACH(alg_info_ike, ike_info, i)
-			{
-				if (ike_info->ike_ealg == ealg
-				&& (ike_info->ike_eklen == 0 || key_len == 0 || ike_info->ike_eklen == key_len)
-				&& ike_info->ike_halg == aalg
-				&& ike_info->ike_modp == group)
-				{
-					if (ealg_insecure)
-						loglog(RC_LOG_SERIOUS, "You should NOT use insecure IKE algorithms (%s)!"
-								, enum_name(&oakley_enc_names, ealg));
-					return TRUE;
-				}
-			}
-		}
-		plog("Oakley Transform [%s (%d), %s, %s] refused due to %s"
-				, enum_name(&oakley_enc_names, ealg), key_len
-				, enum_name(&oakley_hash_names, aalg)
-				, enum_name(&oakley_group_names, group)
-				, ealg_insecure ?
-					"insecure key_len and enc. alg. not listed in \"ike\" string" : "strict flag"
-		);
-		return FALSE;
-	}
-	return TRUE;
-}
-
diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h
deleted file mode 100644
index c3ce8bb38..000000000
--- a/src/pluto/ike_alg.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/* IKE modular algorithm handling interface
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _IKE_ALG_H
-#define _IKE_ALG_H
-
-#include <freeswan.h>
-
-#include "connections.h"
-
-struct ike_alg {
-	u_int16_t algo_type;
-	u_int16_t algo_id;
-	const char *plugin_name;
-	struct ike_alg *algo_next;
-};
-
-struct encrypt_desc {
-	u_int16_t algo_type;
-	u_int16_t algo_id;
-	const char *plugin_name;
-	struct ike_alg *algo_next;
-
-	size_t enc_blocksize;
-	u_int keydeflen;
-	u_int keymaxlen;
-	u_int keyminlen;
-};
-
-struct hash_desc {
-	u_int16_t algo_type;
-	u_int16_t algo_id;
-	const char *plugin_name;
-	struct ike_alg *algo_next;
-
-	size_t hash_digest_size;
-};
-
-struct dh_desc {
-	u_int16_t algo_type;
-	u_int16_t algo_id;
-	const char *plugin_name;
-	struct ike_alg *algo_next;
-
-	size_t ke_size;
-};
-
-#define IKE_ALG_ENCRYPT         0
-#define IKE_ALG_HASH            1
-#define IKE_ALG_DH_GROUP		2
-#define IKE_ALG_MAX             IKE_ALG_DH_GROUP
-
-extern int ike_alg_add(struct ike_alg *a, const char *plugin_name);
-extern struct hash_desc *ike_alg_get_hasher(u_int alg);
-extern struct encrypt_desc *ike_alg_get_crypter(u_int alg);
-extern struct dh_desc *ike_alg_get_dh_group(u_int alg);
-extern const struct dh_desc* ike_alg_pfsgroup(struct connection *c, lset_t policy);
-extern struct db_context * ike_alg_db_new(struct connection *c, lset_t policy);
-extern void ike_alg_list(void);
-extern void ike_alg_show_connection(struct connection *c, const char *instance);
-extern bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group
-	, struct alg_info_ike *alg_info_ike);
-extern int ike_alg_init(void);
-
-#endif /* _IKE_ALG_H */
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
deleted file mode 100644
index 3e7adcc40..000000000
--- a/src/pluto/ipsec_doi.c
+++ /dev/null
@@ -1,5921 +0,0 @@
-/* IPsec DOI and Oakley resolution routines
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <asn1/asn1.h>
-#include <crypto/hashers/hasher.h>
-#include <crypto/prfs/prf.h>
-#include <crypto/rngs/rng.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/public_key.h>
-#include <utils/identification.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "myid.h"
-#include "state.h"
-#include "x509.h"
-#include "ac.h"
-#include "crl.h"
-#include "ca.h"
-#include "certs.h"
-#include "smartcard.h"
-#include "connections.h"
-#include "keys.h"
-#include "packet.h"
-#include "demux.h"      /* needs packet.h */
-#include "adns.h"       /* needs <resolv.h> */
-#include "dnskey.h"     /* needs keys.h and adns.h */
-#include "kernel.h"
-#include "log.h"
-#include "cookie.h"
-#include "server.h"
-#include "spdb.h"
-#include "timer.h"
-#include "ipsec_doi.h"  /* needs demux.h and state.h */
-#include "whack.h"
-#include "fetch.h"
-#include "pkcs7.h"
-#include "crypto.h"
-#include "vendor.h"
-#include "alg_info.h"
-#include "ike_alg.h"
-#include "kernel_alg.h"
-#include "nat_traversal.h"
-#include "virtual.h"
-
-/*
- * are we sending Pluto's Vendor ID?
- */
-#ifdef VENDORID
-#define SEND_PLUTO_VID  1
-#else /* !VENDORID */
-#define SEND_PLUTO_VID  0
-#endif /* !VENDORID */
-
-/*
- * are we sending an XAUTH VID?
- */
-#ifdef XAUTH_VID
-#define SEND_XAUTH_VID  1
-#else /* !XAUTH_VID */
-#define SEND_XAUTH_VID  0
-#endif /* !XAUTH_VID */
-
-/*
- * are we sending a Cisco Unity VID?
- */
-#ifdef CISCO_QUIRKS
-#define SEND_CISCO_UNITY_VID    1
-#else /* !CISCO_QUIRKS */
-#define SEND_CISCO_UNITY_VID    0
-#endif /* !CISCO_QUIRKS */
-
-/* MAGIC: perform f, a function that returns notification_t
- * and return from the ENCLOSING stf_status returning function if it fails.
- */
-#define RETURN_STF_FAILURE(f) \
-	{ int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; }
-
-/* The endpoint(s) for which an SA is getting installed, so keying material
- * can be properly wiped.
- */
-enum endpoint {
-	EP_LOCAL  = 1,
-	EP_REMOTE = 1 << 1,
-};
-
-/* create output HDR as replica of input HDR */
-void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
-{
-	struct isakmp_hdr r_hdr = md->hdr;  /* mostly same as incoming header */
-
-	r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT;     /* we won't ever turn on this bit */
-	if (enc)
-	{
-		r_hdr.isa_flags |= ISAKMP_FLAG_ENCRYPTION;
-	}
-	/* some day, we may have to set r_hdr.isa_version */
-	r_hdr.isa_np = np;
-	if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
-	{
-		impossible();   /* surely must have room and be well-formed */
-	}
-}
-
-/* Compute DH shared secret from our local secret and the peer's public value.
- * We make the leap that the length should be that of the group
- * (see quoted passage at start of ACCEPT_KE).
- */
-static void compute_dh_shared(struct state *st, const chunk_t g)
-{
-	passert(st->st_dh);
-	st->st_dh->set_other_public_value(st->st_dh, g);
-	st->st_dh->get_shared_secret(st->st_dh, &st->st_shared);
-	DBG_cond_dump_chunk(DBG_CRYPT, "DH shared secret:\n", st->st_shared);
-}
-
-/* if we haven't already done so, compute a local DH secret (st->st_sec) and
- * the corresponding public value (g).  This is emitted as a KE payload.
- */
-static bool build_and_ship_KE(struct state *st, chunk_t *g,
-							  const struct dh_desc *group,
-							  pb_stream *outs, u_int8_t np)
-{
-	if (st->st_dh == NULL)
-	{
-		st->st_dh = lib->crypto->create_dh(lib->crypto, group->algo_id);
-		if (st->st_dh == NULL)
-		{
-			plog("Diffie Hellman group %N is not available",
-				 diffie_hellman_group_names, group->algo_id);
-			return FALSE;
-		}
-	}
-	st->st_dh->get_my_public_value(st->st_dh, g);
-	DBG(DBG_CRYPT,
-		DBG_dump_chunk("Public DH value sent:\n", *g)
-	)
-	return out_generic_chunk(np, &isakmp_keyex_desc, outs, *g, "keyex value");
-}
-
-/* accept_ke
- *
- * Check and accept DH public value (Gi or Gr) from peer's message.
- * According to RFC2409 "The Internet key exchange (IKE)" 5:
- *  The Diffie-Hellman public value passed in a KE payload, in either
- *  a phase 1 or phase 2 exchange, MUST be the length of the negotiated
- *  Diffie-Hellman group enforced, if necessary, by pre-pending the
- *  value with zeros.
- */
-static notification_t accept_KE(chunk_t *dest, const char *val_name,
-								const struct dh_desc *gr,
-								pb_stream *pbs)
-{
-	if (pbs_left(pbs) != gr->ke_size)
-	{
-		loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required"
-			, (unsigned) pbs_left(pbs), gr->ke_size);
-		/* XXX Could send notification back */
-		return ISAKMP_INVALID_KEY_INFORMATION;
-	}
-	free(dest->ptr);
-	*dest = chunk_create(pbs->cur, pbs_left(pbs));
-	*dest = chunk_clone(*dest);
-	DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest);
-	return ISAKMP_NOTHING_WRONG;
-}
-
-/* accept_PFS_KE
- *
- * Check and accept optional Quick Mode KE payload for PFS.
- * Extends ACCEPT_PFS to check whether KE is allowed or required.
- */
-static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest,
-									const char *val_name, const char *msg_name)
-{
-	struct state *st = md->st;
-	struct payload_digest *const ke_pd = md->chain[ISAKMP_NEXT_KE];
-
-	if (ke_pd == NULL)
-	{
-		if (st->st_pfs_group != NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name);
-			return ISAKMP_INVALID_KEY_INFORMATION;
-		}
-	}
-	else
-	{
-		if (st->st_pfs_group == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA"
-				, msg_name);
-			return ISAKMP_INVALID_KEY_INFORMATION;
-		}
-		if (ke_pd->next != NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name);
-			return ISAKMP_INVALID_KEY_INFORMATION;     /* ??? */
-		}
-		return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs);
-	}
-	return ISAKMP_NOTHING_WRONG;
-}
-
-static bool build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np,
-								 const char *name)
-{
-	rng_t *rng;
-
-	free(n->ptr);
-	*n = chunk_create(malloc(DEFAULT_NONCE_SIZE), DEFAULT_NONCE_SIZE);
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	rng->get_bytes(rng, DEFAULT_NONCE_SIZE, n->ptr);
-	rng->destroy(rng);
-	return out_generic_chunk(np, &isakmp_nonce_desc, outs, *n, name);
-}
-
-static linked_list_t* collect_rw_ca_candidates(struct msg_digest *md)
-{
-	linked_list_t *list = linked_list_create();
-	connection_t *d;
-
-	d = find_host_connection(&md->iface->addr, pluto_port, (ip_address*)NULL,
-							  md->sender_port, LEMPTY);
-
-	for (; d != NULL; d = d->hp_next)
-	{
-		/* must be a road warrior connection */
-		if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO) &&
-			d->spd.that.ca)
-		{
-			enumerator_t *enumerator;
-			identification_t *ca;
-			bool new_entry = TRUE;
-
-			enumerator = list->create_enumerator(list);
-			while (enumerator->enumerate(enumerator, &ca))
-			{
-				if (ca->equals(ca, d->spd.that.ca))
-				{
-					new_entry = FALSE;
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-
-			if (new_entry)
-			{
-				list->insert_last(list, d->spd.that.ca->clone(d->spd.that.ca));
-			}
-		}
-	}
-	return list;
-}
-
-static bool build_and_ship_CR(u_int8_t type, chunk_t ca, pb_stream *outs,
-							  u_int8_t np)
-{
-	pb_stream cr_pbs;
-	struct isakmp_cr cr_hd;
-	cr_hd.isacr_np = np;
-	cr_hd.isacr_type = type;
-
-	/* build CR header */
-	if (!out_struct(&cr_hd, &isakmp_ipsec_cert_req_desc, outs, &cr_pbs))
-	{
-		return FALSE;
-	}
-	if (ca.ptr != NULL)
-	{
-		/* build CR body containing the distinguished name of the CA */
-		if (!out_chunk(ca, &cr_pbs, "CA"))
-			return FALSE;
-	}
-	close_output_pbs(&cr_pbs);
-	return TRUE;
-}
-
-/* Send a notification to the peer.  We could decide
- * whether to send the notification, based on the type and the
- * destination, if we care to.
- */
-static void send_notification(struct state *sndst, u_int16_t type,
-							  struct state *encst, msgid_t msgid,
-							  u_char *icookie, u_char *rcookie,
-							  u_char *spi, size_t spisize, u_char protoid)
-{
-	u_char buffer[1024];
-	pb_stream pbs, r_hdr_pbs;
-	u_char *r_hashval    = NULL;  /* where in reply to jam hash value */
-	u_char *r_hash_start = NULL;  /* start of what is to be hashed */
-
-	passert((sndst) && (sndst->st_connection));
-
-	plog("sending %snotification %s to %s:%u"
-		, encst ? "encrypted " : ""
-		, enum_name(&notification_names, type)
-		, ip_str(&sndst->st_connection->spd.that.host_addr)
-		, (unsigned)sndst->st_connection->spd.that.host_port);
-
-	memset(buffer, 0, sizeof(buffer));
-	init_pbs(&pbs, buffer, sizeof(buffer), "ISAKMP notify");
-
-	/* HDR* */
-	{
-		struct isakmp_hdr hdr;
-
-		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-		hdr.isa_np = encst ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_N;
-		hdr.isa_xchg = ISAKMP_XCHG_INFO;
-		hdr.isa_msgid = msgid;
-		hdr.isa_flags = encst ? ISAKMP_FLAG_ENCRYPTION : 0;
-		if (icookie)
-		{
-			memcpy(hdr.isa_icookie, icookie, COOKIE_SIZE);
-		}
-		if (rcookie)
-		{
-			memcpy(hdr.isa_rcookie, rcookie, COOKIE_SIZE);
-		}
-		if (!out_struct(&hdr, &isakmp_hdr_desc, &pbs, &r_hdr_pbs))
-		{
-			impossible();
-		}
-	}
-
-	/* HASH -- value to be filled later */
-	if (encst)
-	{
-		pb_stream hash_pbs;
-		if (!out_generic(ISAKMP_NEXT_N, &isakmp_hash_desc, &r_hdr_pbs, &hash_pbs))
-		{
-			impossible();
-		}
-		r_hashval = hash_pbs.cur;  /* remember where to plant value */
-		if (!out_zero(
-		encst->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH"))
-		{
-			impossible();
-		}
-		close_output_pbs(&hash_pbs);
-		r_hash_start = r_hdr_pbs.cur; /* hash from after HASH */
-	}
-
-	/* Notification Payload */
-	{
-		pb_stream not_pbs;
-		struct isakmp_notification isan;
-
-		isan.isan_doi = ISAKMP_DOI_IPSEC;
-		isan.isan_np = ISAKMP_NEXT_NONE;
-		isan.isan_type = type;
-		isan.isan_spisize = spisize;
-		isan.isan_protoid = protoid;
-
-		if (!out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs, &not_pbs)
-			|| !out_raw(spi, spisize, &not_pbs, "spi"))
-		{
-			impossible();
-		}
-		close_output_pbs(&not_pbs);
-	}
-
-	/* calculate hash value and patch into Hash Payload */
-	if (encst)
-	{
-		chunk_t msgid_chunk = chunk_from_thing(msgid);
-		chunk_t msg_chunk = { r_hash_start, r_hdr_pbs.cur-r_hash_start };
-		pseudo_random_function_t prf_alg;
-		prf_t *prf;
-
-		prf_alg = oakley_to_prf(encst->st_oakley.hash);
-		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-		prf->set_key(prf, encst->st_skeyid_a);
-		prf->get_bytes(prf, msgid_chunk, NULL);
-		prf->get_bytes(prf, msg_chunk, r_hashval);
-
-		DBG(DBG_CRYPT,
-			DBG_log("HASH computed:");
-			DBG_dump("", r_hashval, prf->get_block_size(prf));
-		)
-		prf->destroy(prf);
-	}
-
-	/* Encrypt message (preserve st_iv and st_new_iv) */
-	if (encst)
-	{
-		u_char old_iv[MAX_DIGEST_LEN];
-		u_char new_iv[MAX_DIGEST_LEN];
-
-		u_int old_iv_len = encst->st_iv_len;
-		u_int new_iv_len = encst->st_new_iv_len;
-
-		if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
-		{
-			impossible();
-		}
-		memcpy(old_iv, encst->st_iv, old_iv_len);
-		memcpy(new_iv, encst->st_new_iv, new_iv_len);
-
-		if (!IS_ISAKMP_SA_ESTABLISHED(encst->st_state))
-		{
-			memcpy(encst->st_ph1_iv, encst->st_new_iv, encst->st_new_iv_len);
-			encst->st_ph1_iv_len = encst->st_new_iv_len;
-		}
-		init_phase2_iv(encst, &msgid);
-		if (!encrypt_message(&r_hdr_pbs, encst))
-		{
-			impossible();
-		}
-
-		/* restore preserved st_iv and st_new_iv */
-		memcpy(encst->st_iv, old_iv, old_iv_len);
-		memcpy(encst->st_new_iv, new_iv, new_iv_len);
-		encst->st_iv_len = old_iv_len;
-		encst->st_new_iv_len = new_iv_len;
-	}
-	else
-	{
-		close_output_pbs(&r_hdr_pbs);
-	}
-
-	/* Send packet (preserve st_tpacket) */
-	{
-		chunk_t saved_tpacket = sndst->st_tpacket;
-
-		sndst->st_tpacket = chunk_create(pbs.start, pbs_offset(&pbs));
-		send_packet(sndst, "ISAKMP notify");
-		sndst->st_tpacket = saved_tpacket;
-	}
-}
-
-void send_notification_from_state(struct state *st, enum state_kind state,
-								  u_int16_t type)
-{
-	struct state *p1st;
-
-	passert(st);
-
-	if (state == STATE_UNDEFINED)
-		state = st->st_state;
-
-	if (IS_QUICK(state))
-	{
-		p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
-		if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)))
-		{
-			loglog(RC_LOG_SERIOUS,
-				"no Phase1 state for Quick mode notification");
-			return;
-		}
-		send_notification(st, type, p1st, generate_msgid(p1st),
-			st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
-	}
-	else if (IS_ISAKMP_ENCRYPTED(state) && st->st_enc_key.ptr != NULL)
-	{
-		send_notification(st, type, st, generate_msgid(st),
-			st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
-	}
-	else
-	{
-		/* no ISAKMP SA established - don't encrypt notification */
-		send_notification(st, type, NULL, 0,
-			st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
-	}
-}
-
-void send_notification_from_md(struct msg_digest *md, u_int16_t type)
-{
-	/**
-	 * Create a dummy state to be able to use send_packet in
-	 * send_notification
-	 *
-	 * we need to set:
-	 *   st_connection->that.host_addr
-	 *   st_connection->that.host_port
-	 *   st_connection->interface
-	 */
-	struct state st;
-	connection_t cnx;
-
-	passert(md);
-
-	memset(&st, 0, sizeof(st));
-	memset(&cnx, 0, sizeof(cnx));
-	st.st_connection = &cnx;
-	cnx.spd.that.host_addr = md->sender;
-	cnx.spd.that.host_port = md->sender_port;
-	cnx.interface = md->iface;
-
-	send_notification(&st, type, NULL, 0,
-		md->hdr.isa_icookie, md->hdr.isa_rcookie, NULL, 0, PROTO_ISAKMP);
-}
-
-/* Send a Delete Notification to announce deletion of ISAKMP SA or
- * inbound IPSEC SAs.  Does nothing if no such SAs are being deleted.
- * Delete Notifications cannot announce deletion of outbound IPSEC/ISAKMP SAs.
- */
-void send_delete(struct state *st)
-{
-	pb_stream reply_pbs;
-	pb_stream r_hdr_pbs;
-	msgid_t     msgid;
-	u_char buffer[8192];
-	struct state *p1st;
-	ip_said said[EM_MAXRELSPIS];
-	ip_said *ns = said;
-	u_char
-		*r_hashval,     /* where in reply to jam hash value */
-		*r_hash_start;  /* start of what is to be hashed */
-	bool isakmp_sa = FALSE;
-
-	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-	{
-		p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
-		if (p1st == NULL)
-		{
-			DBG(DBG_CONTROL, DBG_log("no Phase 1 state for Delete"));
-			return;
-		}
-
-		if (st->st_ah.present)
-		{
-			ns->spi = st->st_ah.our_spi;
-			ns->dst = st->st_connection->spd.this.host_addr;
-			ns->proto = PROTO_IPSEC_AH;
-			ns++;
-		}
-		if (st->st_esp.present)
-		{
-			ns->spi = st->st_esp.our_spi;
-			ns->dst = st->st_connection->spd.this.host_addr;
-			ns->proto = PROTO_IPSEC_ESP;
-			ns++;
-		}
-
-		passert(ns != said);    /* there must be some SAs to delete */
-	}
-	else if (IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	{
-		p1st = st;
-		isakmp_sa = TRUE;
-	}
-	else
-	{
-		return; /* nothing to do */
-	}
-
-	msgid = generate_msgid(p1st);
-
-	zero(buffer);
-	init_pbs(&reply_pbs, buffer, sizeof(buffer), "delete msg");
-
-	/* HDR* */
-	{
-		struct isakmp_hdr hdr;
-
-		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-		hdr.isa_np = ISAKMP_NEXT_HASH;
-		hdr.isa_xchg = ISAKMP_XCHG_INFO;
-		hdr.isa_msgid = msgid;
-		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-		memcpy(hdr.isa_icookie, p1st->st_icookie, COOKIE_SIZE);
-		memcpy(hdr.isa_rcookie, p1st->st_rcookie, COOKIE_SIZE);
-		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply_pbs, &r_hdr_pbs))
-			impossible();
-	}
-
-	/* HASH -- value to be filled later */
-	{
-		pb_stream hash_pbs;
-
-		if (!out_generic(ISAKMP_NEXT_D, &isakmp_hash_desc, &r_hdr_pbs, &hash_pbs))
-		{
-			impossible();
-		}
-		r_hashval = hash_pbs.cur;       /* remember where to plant value */
-		if (!out_zero(p1st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH(1)"))
-		{
-			impossible();
-		}
-		close_output_pbs(&hash_pbs);
-		r_hash_start = r_hdr_pbs.cur;   /* hash from after HASH(1) */
-	}
-
-	/* Delete Payloads */
-	if (isakmp_sa)
-	{
-		pb_stream del_pbs;
-		struct isakmp_delete isad;
-		u_char isakmp_spi[2*COOKIE_SIZE];
-
-		isad.isad_doi = ISAKMP_DOI_IPSEC;
-		isad.isad_np = ISAKMP_NEXT_NONE;
-		isad.isad_spisize = (2 * COOKIE_SIZE);
-		isad.isad_protoid = PROTO_ISAKMP;
-		isad.isad_nospi = 1;
-
-		memcpy(isakmp_spi, st->st_icookie, COOKIE_SIZE);
-		memcpy(isakmp_spi+COOKIE_SIZE, st->st_rcookie, COOKIE_SIZE);
-
-		if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
-		|| !out_raw(&isakmp_spi, (2*COOKIE_SIZE), &del_pbs, "delete payload"))
-		{
-			impossible();
-		}
-		close_output_pbs(&del_pbs);
-	}
-	else
-	{
-		while (ns != said)
-		{
-
-			pb_stream del_pbs;
-			struct isakmp_delete isad;
-
-			ns--;
-			isad.isad_doi = ISAKMP_DOI_IPSEC;
-			isad.isad_np = ns == said? ISAKMP_NEXT_NONE : ISAKMP_NEXT_D;
-			isad.isad_spisize = sizeof(ipsec_spi_t);
-			isad.isad_protoid = ns->proto;
-
-			isad.isad_nospi = 1;
-			if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
-			|| !out_raw(&ns->spi, sizeof(ipsec_spi_t), &del_pbs, "delete payload"))
-			{
-				impossible();
-			}
-			close_output_pbs(&del_pbs);
-		}
-	}
-
-	/* calculate hash value and patch into Hash Payload */
-	{
-		chunk_t msgid_chunk = chunk_from_thing(msgid);
-		chunk_t msg_chunk = { r_hash_start, r_hdr_pbs.cur-r_hash_start };
-		pseudo_random_function_t prf_alg;
-		prf_t *prf;
-
-		prf_alg = oakley_to_prf(p1st->st_oakley.hash);
-		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-		prf->set_key(prf, p1st->st_skeyid_a);
-		prf->get_bytes(prf, msgid_chunk, NULL);
-		prf->get_bytes(prf, msg_chunk, r_hashval);
-
-		DBG(DBG_CRYPT,
-			DBG_log("HASH(1) computed:");
-			DBG_dump("", r_hashval, prf->get_block_size(prf));
-		)
-
-		prf->destroy(prf);
-	}
-
-	/* Do a dance to avoid needing a new state object.
-	 * We use the Phase 1 State.  This is the one with right
-	 * IV, for one thing.
-	 * The tricky bits are:
-	 * - we need to preserve (save/restore) st_iv (but not st_iv_new)
-	 * - we need to preserve (save/restore) st_tpacket.
-	 */
-	{
-		u_char old_iv[MAX_DIGEST_LEN];
-		chunk_t saved_tpacket = p1st->st_tpacket;
-
-		memcpy(old_iv, p1st->st_iv, p1st->st_iv_len);
-		init_phase2_iv(p1st, &msgid);
-
-		if (!encrypt_message(&r_hdr_pbs, p1st))
-		{
-			impossible();
-		}
-		p1st->st_tpacket = chunk_create(reply_pbs.start, pbs_offset(&reply_pbs));
-		send_packet(p1st, "delete notify");
-		p1st->st_tpacket = saved_tpacket;
-
-		/* get back old IV for this state */
-		memcpy(p1st->st_iv, old_iv, p1st->st_iv_len);
-	}
-}
-
-void accept_delete(struct state *st, struct msg_digest *md,
-				   struct payload_digest *p)
-{
-	struct isakmp_delete *d = &(p->payload.delete);
-	identification_t *this_id = NULL, *that_id = NULL;
-	ip_address peer_addr;
-	size_t sizespi;
-	int i;
-
-	if (!md->encrypted)
-	{
-		loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: not encrypted");
-		return;
-	}
-
-	if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	{
-		/* can't happen (if msg is encrypt), but just to be sure */
-		loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
-		"ISAKMP SA not established");
-		return;
-	}
-
-	if (d->isad_nospi == 0)
-	{
-		loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: no SPI");
-		return;
-	}
-
-	switch (d->isad_protoid)
-	{
-	case PROTO_ISAKMP:
-		sizespi = 2 * COOKIE_SIZE;
-		break;
-	case PROTO_IPSEC_AH:
-	case PROTO_IPSEC_ESP:
-		sizespi = sizeof(ipsec_spi_t);
-		break;
-	case PROTO_IPCOMP:
-		/* nothing interesting to delete */
-		return;
-	default:
-		loglog(RC_LOG_SERIOUS
-			, "ignoring Delete SA payload: unknown Protocol ID (%s)"
-			, enum_show(&protocol_names, d->isad_protoid));
-		return;
-	}
-
-	if (d->isad_spisize != sizespi)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "ignoring Delete SA payload: bad SPI size (%d) for %s"
-			, d->isad_spisize, enum_show(&protocol_names, d->isad_protoid));
-		return;
-	}
-
-	if (pbs_left(&p->pbs) != d->isad_nospi * sizespi)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "ignoring Delete SA payload: invalid payload size");
-		return;
-	}
-
-	if (d->isad_protoid == PROTO_ISAKMP)
-	{
-		struct end *this = &st->st_connection->spd.this;
-		struct end *that = &st->st_connection->spd.that;
-		this_id = this->id->clone(this->id);
-		that_id = that->id->clone(that->id);
-		peer_addr = st->st_connection->spd.that.host_addr;
-	}
-
-	for (i = 0; i < d->isad_nospi; i++)
-	{
-		u_char *spi = p->pbs.cur + (i * sizespi);
-
-		if (d->isad_protoid == PROTO_ISAKMP)
-		{
-			/**
-			 * ISAKMP
-			 */
-			struct state *dst = find_state(spi /*iCookie*/
-				, spi+COOKIE_SIZE /*rCookie*/
-				, &peer_addr
-				, MAINMODE_MSGID);
-
-			if (dst == NULL)
-			{
-				loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
-					"ISAKMP SA not found (maybe expired)");
-			}
-			else if (! this_id->equals(this_id, dst->st_connection->spd.this.id) ||
-					 ! that_id->equals(that_id, dst->st_connection->spd.that.id))
-			{
-				/* we've not authenticated the relevant identities */
-				loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
-					"ISAKMP SA used to convey Delete has different IDs from ISAKMP SA it deletes");
-			}
-			else
-			{
-				connection_t *oldc;
-
-				oldc = cur_connection;
-				set_cur_connection(dst->st_connection);
-
-				if (nat_traversal_enabled)
-				{
-					nat_traversal_change_port_lookup(md, dst);
-				}
-				loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
-					"deleting ISAKMP State #%lu", dst->st_serialno);
-				delete_state(dst);
-				set_cur_connection(oldc);
-			}
-		}
-		else
-		{
-			/**
-			 * IPSEC (ESP/AH)
-			 */
-			bool bogus;
-			struct state *dst = find_phase2_state_to_delete(st
-				, d->isad_protoid
-				, *(ipsec_spi_t *)spi   /* network order */
-				, &bogus);
-
-			if (dst == NULL)
-			{
-				loglog(RC_LOG_SERIOUS
-					   , "ignoring Delete SA payload: %s SA(0x%08lx) not found (%s)"
-					   , enum_show(&protocol_names, d->isad_protoid)
-					   , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
-					   , bogus ? "our SPI - bogus implementation" : "maybe expired");
-			}
-			else
-			{
-				connection_t *rc = dst->st_connection;
-				connection_t *oldc;
-
-				oldc = cur_connection;
-				set_cur_connection(rc);
-
-				if (nat_traversal_enabled)
-				{
-					nat_traversal_change_port_lookup(md, dst);
-				}
-				if (rc->newest_ipsec_sa == dst->st_serialno
-				&& (rc->policy & POLICY_UP))
-				{
-					/* Last IPSec SA for a permanent connection that we
-					 * have initiated.  Replace it in a few seconds.
-					 *
-					 * Useful if the other peer is rebooting.
-					 */
-#define DELETE_SA_DELAY  EVENT_RETRANSMIT_DELAY_0
-					if (dst->st_event != NULL
-					&& dst->st_event->ev_type == EVENT_SA_REPLACE
-					&& dst->st_event->ev_time <= DELETE_SA_DELAY + now())
-					{
-						/* Patch from Angus Lees to ignore retransmited
-						 * Delete SA.
-						 */
-						loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
-							"already replacing IPSEC State #%lu in %d seconds"
-							, dst->st_serialno, (int)(dst->st_event->ev_time - now()));
-					}
-					else
-					{
-						loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
-							"replace IPSEC State #%lu in %d seconds"
-							, dst->st_serialno, DELETE_SA_DELAY);
-						dst->st_margin = DELETE_SA_DELAY;
-						delete_event(dst);
-						event_schedule(EVENT_SA_REPLACE, DELETE_SA_DELAY, dst);
-					}
-				}
-				else
-				{
-					loglog(RC_LOG_SERIOUS, "received Delete SA(0x%08lx) payload: "
-						   "deleting IPSEC State #%lu"
-						   , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
-						   , dst->st_serialno);
-					delete_state(dst);
-				}
-
-				/* reset connection */
-				set_cur_connection(oldc);
-			}
-		}
-	}
-
-	if (d->isad_protoid == PROTO_ISAKMP)
-	{
-		this_id->destroy(this_id);
-		that_id->destroy(that_id);
-	}
-}
-
-/* The whole message must be a multiple of 4 octets.
- * I'm not sure where this is spelled out, but look at
- * rfc2408 3.6 Transform Payload.
- * Note: it talks about 4 BYTE boundaries!
- */
-void close_message(pb_stream *pbs)
-{
-	size_t padding =  pad_up(pbs_offset(pbs), 4);
-
-	if (padding != 0)
-	{
-		(void) out_zero(padding, pbs, "message padding");
-	}
-	close_output_pbs(pbs);
-}
-
-/* Initiate an Oakley Main Mode exchange.
- * --> HDR;SA
- * Note: this is not called from demux.c
- */
-static stf_status
-main_outI1(int whack_sock, connection_t *c, struct state *predecessor
-	, lset_t policy, unsigned long try)
-{
-	struct state *st = new_state();
-	pb_stream reply;    /* not actually a reply, but you know what I mean */
-	pb_stream rbody;
-	int vids_to_send = 0;
-
-	/* set up new state */
-	st->st_connection = c;
-	set_cur_state(st);  /* we must reset before exit */
-	st->st_policy = policy & ~POLICY_IPSEC_MASK;
-	st->st_whack_sock = whack_sock;
-	st->st_try = try;
-	st->st_state = STATE_MAIN_I1;
-
-	/* determine how many Vendor ID payloads we will be sending */
-	if (SEND_PLUTO_VID)
-	{
-		vids_to_send++;
-	}
-	if (SEND_CISCO_UNITY_VID)
-	{
-		vids_to_send++;
-	}
-	if (c->spd.this.cert &&
-		c->spd.this.cert->cert->get_type(c->spd.this.cert->cert) == CERT_GPG)
-	{
-		vids_to_send++;
-	}
-	if (SEND_XAUTH_VID)
-	{
-		vids_to_send++;
-	}
-
-	/* always send DPD Vendor ID */
-	vids_to_send++;
-
-	if (nat_traversal_enabled)
-	{
-		vids_to_send++;
-	}
-
-   get_cookie(TRUE, st->st_icookie, COOKIE_SIZE, &c->spd.that.host_addr);
-
-	insert_state(st);   /* needs cookies, connection, and msgid (0) */
-
-	if (HAS_IPSEC_POLICY(policy))
-	{
-		add_pending(dup_any(whack_sock), st, c, policy, 1
-			, predecessor == NULL? SOS_NOBODY : predecessor->st_serialno);
-	}
-	if (predecessor == NULL)
-	{
-		plog("initiating Main Mode");
-	}
-	else
-	{
-		plog("initiating Main Mode to replace #%lu", predecessor->st_serialno);
-	}
-
-	/* set up reply */
-	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
-
-	/* HDR out */
-	{
-		struct isakmp_hdr hdr;
-
-		zero(&hdr);     /* default to 0 */
-		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-		hdr.isa_np = ISAKMP_NEXT_SA;
-		hdr.isa_xchg = ISAKMP_XCHG_IDPROT;
-		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-		/* R-cookie, flags and MessageID are left zero */
-
-		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* SA out */
-	{
-		u_char *sa_start = rbody.cur;
-
-		if (!out_sa(&rbody, &oakley_sadb, st, TRUE
-		, vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-
-		/* save initiator SA for later HASH */
-		passert(st->st_p1isa.ptr == NULL);      /* no leak!  (MUST be first time) */
-		st->st_p1isa = chunk_create(sa_start, rbody.cur - sa_start);
-		st->st_p1isa = chunk_clone(st->st_p1isa);
-	}
-
-	/* if enabled send Pluto Vendor ID */
-	if (SEND_PLUTO_VID)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &rbody, VID_STRONGSWAN))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* if enabled send Cisco Unity Vendor ID */
-	if (SEND_CISCO_UNITY_VID)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &rbody, VID_CISCO_UNITY))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-	/* if we  have an OpenPGP certificate we assume an
-	 * OpenPGP peer and have to send the Vendor ID
-	 */
-	if (c->spd.this.cert &&
-		c->spd.this.cert->cert->get_type(c->spd.this.cert->cert) == CERT_GPG)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &rbody, VID_OPENPGP))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* Announce our ability to do eXtended AUTHentication to the peer */
-	if (SEND_XAUTH_VID)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &rbody, VID_MISC_XAUTH))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* Announce our ability to do Dead Peer Detection to the peer */
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &rbody, VID_MISC_DPD))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	if (nat_traversal_enabled)
-	{
-		/* Add supported NAT-Traversal VID */
-		if (!nat_traversal_add_vid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &rbody))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	close_message(&rbody);
-	close_output_pbs(&reply);
-	st->st_tpacket = chunk_create(reply.start, pbs_offset(&reply));
-	st->st_tpacket = chunk_clone(st->st_tpacket);
-
-	/* Transmit */
-
-	send_packet(st, "main_outI1");
-
-	/* Set up a retransmission event, half a minute henceforth */
-	delete_event(st);
-	event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
-
-	if (predecessor != NULL)
-	{
-		update_pending(predecessor, st);
-		whack_log(RC_NEW_STATE + STATE_MAIN_I1
-			, "%s: initiate, replacing #%lu"
-			, enum_name(&state_names, st->st_state)
-			, predecessor->st_serialno);
-	}
-	else
-	{
-		whack_log(RC_NEW_STATE + STATE_MAIN_I1
-			, "%s: initiate", enum_name(&state_names, st->st_state));
-	}
-	reset_cur_state();
-	return STF_OK;
-}
-
-void ipsecdoi_initiate(int whack_sock, connection_t *c, lset_t policy,
-					   unsigned long try, so_serial_t replacing)
-{
-	/* If there's already an ISAKMP SA established, use that and
-	 * go directly to Quick Mode.  We are even willing to use one
-	 * that is still being negotiated, but only if we are the Initiator
-	 * (thus we can be sure that the IDs are not going to change;
-	 * other issues around intent might matter).
-	 * Note: there is no way to initiate with a Road Warrior.
-	 */
-	struct state *st = find_phase1_state(c
-		, ISAKMP_SA_ESTABLISHED_STATES | PHASE1_INITIATOR_STATES);
-
-	if (st == NULL)
-	{
-		(void) main_outI1(whack_sock, c, NULL, policy, try);
-	}
-	else if (HAS_IPSEC_POLICY(policy))
-	{
-		if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-		{
-			/* leave our Phase 2 negotiation pending */
-			add_pending(whack_sock, st, c, policy, try, replacing);
-		}
-		else
-		{
-			/* ??? we assume that peer_nexthop_sin isn't important:
-			 * we already have it from when we negotiated the ISAKMP SA!
-			 * It isn't clear what to do with the error return.
-			 */
-			(void) quick_outI1(whack_sock, st, c, policy, try, replacing);
-		}
-	}
-	else
-	{
-		close_any(whack_sock);
-	}
-}
-
-/* Replace SA with a fresh one that is similar
- *
- * Shares some logic with ipsecdoi_initiate, but not the same!
- * - we must not reuse the ISAKMP SA if we are trying to replace it!
- * - if trying to replace IPSEC SA, use ipsecdoi_initiate to build
- *   ISAKMP SA if needed.
- * - duplicate whack fd, if live.
- * Does not delete the old state -- someone else will do that.
- */
-void ipsecdoi_replace(struct state *st, unsigned long try)
-{
-	int whack_sock = dup_any(st->st_whack_sock);
-	lset_t policy = st->st_policy;
-
-	if (IS_PHASE1(st->st_state))
-	{
-		passert(!HAS_IPSEC_POLICY(policy));
-		(void) main_outI1(whack_sock, st->st_connection, st, policy, try);
-	}
-	else
-	{
-		/* Add features of actual old state to policy.  This ensures
-		 * that rekeying doesn't downgrade security.  I admit that
-		 * this doesn't capture everything.
-		 */
-		if (st->st_pfs_group != NULL)
-			policy |= POLICY_PFS;
-		if (st->st_ah.present)
-		{
-			policy |= POLICY_AUTHENTICATE;
-			if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-				policy |= POLICY_TUNNEL;
-		}
-		if (st->st_esp.present && st->st_esp.attrs.transid != ESP_NULL)
-		{
-			policy |= POLICY_ENCRYPT;
-			if (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-				policy |= POLICY_TUNNEL;
-		}
-		if (st->st_ipcomp.present)
-		{
-			policy |= POLICY_COMPRESS;
-			if (st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-				policy |= POLICY_TUNNEL;
-		}
-		passert(HAS_IPSEC_POLICY(policy));
-		ipsecdoi_initiate(whack_sock, st->st_connection, policy, try
-			, st->st_serialno);
-	}
-}
-
-/* SKEYID for preshared keys.
- * See draft-ietf-ipsec-ike-01.txt 4.1
- */
-static bool skeyid_preshared(struct state *st)
-{
-	const chunk_t *pss = get_preshared_secret(st->st_connection);
-
-	if (pss == NULL)
-	{
-		loglog(RC_LOG_SERIOUS, "preshared secret disappeared!");
-		return FALSE;
-	}
-	else
-	{
-		pseudo_random_function_t prf_alg;
-		prf_t *prf;
-
-		prf_alg = oakley_to_prf(st->st_oakley.hash);
-		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-		if (prf == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "%N not available to compute skeyid",
-									pseudo_random_function_names, prf_alg);
-			return FALSE;
-		}
-		free(st->st_skeyid.ptr);
-		prf->set_key(prf, *pss);
-		prf->allocate_bytes(prf, st->st_ni, NULL);
-		prf->allocate_bytes(prf, st->st_nr, &st->st_skeyid);
-		prf->destroy(prf);
-		return TRUE;
-	}
-}
-
-static bool skeyid_digisig(struct state *st)
-{
-	chunk_t nir;
-	pseudo_random_function_t prf_alg;
-	prf_t *prf;
-
-	prf_alg = oakley_to_prf(st->st_oakley.hash);
-	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-	if (prf == NULL)
-	{
-		loglog(RC_LOG_SERIOUS, "%N not available to compute skeyid",
-								pseudo_random_function_names, prf_alg);
-		return FALSE;
-	}
-	free(st->st_skeyid.ptr);
-	nir = chunk_cat("cc", st->st_ni, st->st_nr);
-	prf->set_key(prf, nir);
-	prf->allocate_bytes(prf, st->st_shared, &st->st_skeyid);
-	prf->destroy(prf);
-	free(nir.ptr);
-	return TRUE;
-}
-
-/* Generate the SKEYID_* and new IV
- * See draft-ietf-ipsec-ike-01.txt 4.1
- */
-static bool generate_skeyids_iv(struct state *st)
-{
-	/* Generate the SKEYID */
-	switch (st->st_oakley.auth)
-	{
-		case OAKLEY_PRESHARED_KEY:
-		case XAUTHInitPreShared:
-		case XAUTHRespPreShared:
-			if (!skeyid_preshared(st))
-			{
-				return FALSE;
-			}
-			break;
-
-		case OAKLEY_RSA_SIG:
-		case OAKLEY_ECDSA_256:
-		case OAKLEY_ECDSA_384:
-		case OAKLEY_ECDSA_521:
-		case XAUTHInitRSA:
-		case XAUTHRespRSA:
-			if (!skeyid_digisig(st))
-			{
-				return FALSE;
-			}
-			break;
-
-		case OAKLEY_DSS_SIG:
-			/* XXX */
-
-		case OAKLEY_RSA_ENC:
-		case OAKLEY_RSA_ENC_REV:
-		case OAKLEY_ELGAMAL_ENC:
-		case OAKLEY_ELGAMAL_ENC_REV:
-			/* XXX */
-
-		default:
-			bad_case(st->st_oakley.auth);
-	}
-
-	/* generate SKEYID_* from SKEYID */
-	{
-		chunk_t seed_skeyid_d = chunk_from_chars(0x00);
-		chunk_t seed_skeyid_a = chunk_from_chars(0x01);
-		chunk_t seed_skeyid_e = chunk_from_chars(0x02);
-		chunk_t icookie = { st->st_icookie, COOKIE_SIZE };
-		chunk_t rcookie = { st->st_rcookie, COOKIE_SIZE };
-		pseudo_random_function_t prf_alg;
-		prf_t *prf;
-
-		prf_alg = oakley_to_prf(st->st_oakley.hash);
-		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-		prf->set_key(prf, st->st_skeyid);
-
-		/* SKEYID_D */
-		free(st->st_skeyid_d.ptr);
-		prf->allocate_bytes(prf, st->st_shared, NULL);
-		prf->allocate_bytes(prf, icookie, NULL);
-		prf->allocate_bytes(prf, rcookie, NULL);
-		prf->allocate_bytes(prf, seed_skeyid_d, &st->st_skeyid_d);
-
-		/* SKEYID_A */
-		free(st->st_skeyid_a.ptr);
-		prf->allocate_bytes(prf, st->st_skeyid_d, NULL);
-		prf->allocate_bytes(prf, st->st_shared, NULL);
-		prf->allocate_bytes(prf, icookie, NULL);
-		prf->allocate_bytes(prf, rcookie, NULL);
-		prf->allocate_bytes(prf, seed_skeyid_a, &st->st_skeyid_a);
-
-		/* SKEYID_E */
-		free(st->st_skeyid_e.ptr);
-		prf->allocate_bytes(prf, st->st_skeyid_a, NULL);
-		prf->allocate_bytes(prf, st->st_shared, NULL);
-		prf->allocate_bytes(prf, icookie, NULL);
-		prf->allocate_bytes(prf, rcookie, NULL);
-		prf->allocate_bytes(prf, seed_skeyid_e, &st->st_skeyid_e);
-
-		prf->destroy(prf);
-	}
-
-	/* generate IV */
-	{
-		hash_algorithm_t hash_alg;
-		hasher_t *hasher;
-
-		hash_alg = oakley_to_hash_algorithm(st->st_oakley.hash);
-		hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-		st->st_new_iv_len = hasher->get_hash_size(hasher);
-		passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
-
-		DBG(DBG_CRYPT,
-			DBG_dump_chunk("DH_i:", st->st_gi);
-			DBG_dump_chunk("DH_r:", st->st_gr);
-		);
-
-		hasher->get_hash(hasher, st->st_gi, NULL);
-		hasher->get_hash(hasher, st->st_gr, st->st_new_iv);
-		hasher->destroy(hasher);
-	}
-
-	/* Oakley Keying Material
-	 * Derived from Skeyid_e: if it is not big enough, generate more
-	 * using the PRF.
-	 * See RFC 2409 "IKE" Appendix B
-	 */
-	{
-		size_t keysize = st->st_oakley.enckeylen/BITS_PER_BYTE;
-
-		/* free any existing key */
-		free(st->st_enc_key.ptr);
-
-		if (keysize > st->st_skeyid_e.len)
-		{
-			u_char keytemp[MAX_OAKLEY_KEY_LEN + MAX_DIGEST_LEN];
-			chunk_t seed = chunk_from_chars(0x00);
-			size_t prf_block_size, i;
-			pseudo_random_function_t prf_alg;
-			prf_t *prf;
-
-			prf_alg = oakley_to_prf(st->st_oakley.hash);
-			prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-			prf->set_key(prf, st->st_skeyid_e);
-			prf_block_size = prf->get_block_size(prf);
-
-			for (i = 0;;)
-			{
-				prf->get_bytes(prf, seed, &keytemp[i]);
-				i += prf_block_size;
-				if (i >= keysize)
-				{
-					break;
-				}
-				seed = chunk_create(&keytemp[i-prf_block_size], prf_block_size);
-			}
-			prf->destroy(prf);
-			st->st_enc_key = chunk_create(keytemp, keysize);
-		}
-		else
-		{
-			st->st_enc_key = chunk_create(st->st_skeyid_e.ptr, keysize);
-		}
-		st->st_enc_key = chunk_clone(st->st_enc_key);
-	}
-
-	DBG(DBG_CRYPT,
-		DBG_dump_chunk("Skeyid:  ", st->st_skeyid);
-		DBG_dump_chunk("Skeyid_d:", st->st_skeyid_d);
-		DBG_dump_chunk("Skeyid_a:", st->st_skeyid_a);
-		DBG_dump_chunk("Skeyid_e:", st->st_skeyid_e);
-		DBG_dump_chunk("enc key:", st->st_enc_key);
-		DBG_dump("IV:", st->st_new_iv, st->st_new_iv_len));
-	return TRUE;
-}
-
-/* Generate HASH_I or HASH_R for ISAKMP Phase I.
- * This will *not* generate other hash payloads (eg. Phase II or Quick Mode,
- * New Group Mode, or ISAKMP Informational Exchanges).
- * If the hashi argument is TRUE, generate HASH_I; if FALSE generate HASH_R.
- * If hashus argument is TRUE, we're generating a hash for our end.
- * See RFC2409 IKE 5.
- */
- static void main_mode_hash(struct state *st, chunk_t *hash, bool hashi,
-							 const pb_stream *idpl)
-{
-	chunk_t icookie = { st->st_icookie, COOKIE_SIZE };
-	chunk_t rcookie = { st->st_rcookie, COOKIE_SIZE };
-	chunk_t sa_body = { st->st_p1isa.ptr + sizeof(struct isakmp_generic),
-						st->st_p1isa.len - sizeof(struct isakmp_generic) };
-	chunk_t id_body = { idpl->start + sizeof(struct isakmp_generic),
-						pbs_offset(idpl) - sizeof(struct isakmp_generic) };
-	pseudo_random_function_t prf_alg;
-	prf_t *prf;
-
-	switch (st->st_oakley.auth)
-	{
-		case OAKLEY_ECDSA_256:
-			prf_alg = PRF_HMAC_SHA2_256;
-			break;
-		case OAKLEY_ECDSA_384:
-			prf_alg = PRF_HMAC_SHA2_384;
-			break;
-		case OAKLEY_ECDSA_521:
-			prf_alg = PRF_HMAC_SHA2_512;
-			break;
-		default:
-			prf_alg = oakley_to_prf(st->st_oakley.hash);
-	}
-	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-	prf->set_key(prf, st->st_skeyid);
-
-	if (hashi)
-	{
-		prf->get_bytes(prf, st->st_gi, NULL);
-		prf->get_bytes(prf, st->st_gr, NULL);
-		prf->get_bytes(prf, icookie, NULL);
-		prf->get_bytes(prf, rcookie, NULL);
-	}
-	else
-	{
-		prf->get_bytes(prf, st->st_gr, NULL);
-		prf->get_bytes(prf, st->st_gi, NULL);
-		prf->get_bytes(prf, rcookie, NULL);
-		prf->get_bytes(prf, icookie, NULL);
-	}
-
-	DBG(DBG_CRYPT,
-		DBG_log("hashing %u bytes of SA", sa_body.len)
-	)
-	prf->get_bytes(prf, sa_body, NULL);
-
-	/* Hash identification payload, without generic payload header.
-	 * We used to reconstruct ID Payload for this purpose, but now
-	 * we use the bytes as they appear on the wire to avoid
-	 * "spelling problems".
-	 */
-	prf->get_bytes(prf, id_body, hash->ptr);
-	hash->len = prf->get_block_size(prf);
-	prf->destroy(prf);
-}
-
-/* Create a public key signature of a hash.
- * Poorly specified in draft-ietf-ipsec-ike-01.txt 6.1.1.2.
- * Use PKCS#1 version 1.5 encryption of hash (called
- * RSAES-PKCS1-V1_5) in PKCS#2.
- */
-static size_t sign_hash(signature_scheme_t scheme, connection_t *c,
-						u_char sig_val[RSA_MAX_OCTETS], chunk_t hash)
-{
-	size_t sz = 0;
-	smartcard_t *sc = c->spd.this.sc;
-
-	if (sc == NULL)             /* no smartcard */
-	{
-		chunk_t sig;
-		private_key_t *private = get_private_key(c);
-
-		if (private == NULL)
-		{
-			return 0;   /* failure: no key to use */
-		}
-		if (!private->sign(private, scheme, hash, &sig))
-		{
-			return 0;
-		}
-		memcpy(sig_val, sig.ptr, sig.len);
-		sz = sig.len;
-		free(sig.ptr);
-	}
-	else if (sc->valid) /* if valid pin then sign hash on the smartcard */
-	{
-		lock_certs_and_keys("sign_hash");
-		if (!scx_establish_context(sc) || !scx_login(sc))
-		{
-			scx_release_context(sc);
-			unlock_certs_and_keys("sign_hash");
-			return 0;
-		}
-
-		sz = scx_get_keylength(sc);
-		if (sz == 0)
-		{
-			plog("failed to get keylength from smartcard");
-			scx_release_context(sc);
-			unlock_certs_and_keys("sign_hash");
-			return 0;
-		}
-
-		DBG(DBG_CONTROL | DBG_CRYPT,
-			DBG_log("signing hash with private key from smartcard (slot: %d, id: %s)"
-				, (int)sc->slot, sc->id)
-		)
-		sz = scx_sign_hash(sc, hash.ptr, hash.len, sig_val, sz) ? sz : 0;
-		if (!pkcs11_keep_state)
-		{
-			scx_release_context(sc);
-		}
-		unlock_certs_and_keys("sign_hash");
-	}
-	return sz;
-}
-
-/* Check signature against all public keys we can find.
- * If we need keys from DNS KEY records, and they haven't been fetched,
- * return STF_SUSPEND to ask for asynch DNS lookup.
- *
- * Note: parameter keys_from_dns contains results of DNS lookup for key
- * or is NULL indicating lookup not yet tried.
- *
- * take_a_crack is a helper function.  Mostly forensic.
- * If only we had coroutines.
- */
-struct tac_state {
-	struct state *st;
-	chunk_t hash;
-	chunk_t sig;
-	int tried_cnt;      /* number of keys tried */
-};
-
-static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
-{
-	public_key_t *pub_key = kr->public_key;
-	chunk_t keyid = chunk_empty;
-	signature_scheme_t scheme;
-
-	s->tried_cnt++;
-	scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
-	pub_key->get_fingerprint(pub_key, KEYID_PUBKEY_INFO_SHA1, &keyid);
-
-	if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
-	{
-		DBG(DBG_CRYPT | DBG_CONTROL,
-			DBG_log("%s check passed with keyid %#B",
-					enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
-		)
-		unreference_key(&s->st->st_peer_pubkey);
-		s->st->st_peer_pubkey = reference_key(kr);
-		return TRUE;
-	}
-	else
-	{
-		DBG(DBG_CRYPT,
-			DBG_log("%s check failed with keyid %#B",
-					enum_show(&oakley_auth_names, s->st->st_oakley.auth), &keyid)
-		)
-		return FALSE;
-	}
-}
-
-static stf_status check_signature(key_type_t key_type, identification_t* peer,
-								  struct state *st, chunk_t hash,
-								  const pb_stream *sig_pbs,
-#ifdef USE_KEYRR
-								  const pubkey_list_t *keys_from_dns,
-#endif /* USE_KEYRR */
-								  const struct gw_info *gateways_from_dns)
-{
-	const connection_t *c = st->st_connection;
-	struct tac_state s;
-
-	s.st = st;
-	s.hash = hash;
-	s.sig  = chunk_create(sig_pbs->cur, pbs_left(sig_pbs));
-	s.tried_cnt = 0;
-
-	/* try all gateway records hung off c */
-	if (c->policy & POLICY_OPPO)
-	{
-		struct gw_info *gw;
-
-		for (gw = c->gw_info; gw != NULL; gw = gw->next)
-		{
-			/* only consider entries that have a key and are for our peer */
-			if (gw->gw_key_present &&
-				gw->gw_id->equals(gw->gw_id, c->spd.that.id) &&
-				take_a_crack(&s, gw->key))
-			{
-				return STF_OK;
-			}
-		}
-	}
-
-	/* try all appropriate Public keys */
-	{
-		pubkey_list_t *p, **pp;
-
-		pp = &pubkeys;
-
-		for (p = pubkeys; p != NULL; p = *pp)
-		{
-			pubkey_t *key = p->key;
-			key_type_t type = key->public_key->get_type(key->public_key);
-
-			if (type == key_type && peer->equals(peer, key->id))
-			{
-				time_t now = time(NULL);
-
-				/* check if found public key has expired */
-				if (key->until_time != UNDEFINED_TIME && key->until_time < now)
-				{
-					loglog(RC_LOG_SERIOUS,
-						"cached public key has expired and has been deleted");
-					*pp = free_public_keyentry(p);
-					continue; /* continue with next public key */
-				}
-				if (take_a_crack(&s, key))
-				{
-					return STF_OK;
-				}
-			}
-			pp = &p->next;
-		}
-   }
-
-	/* if no key was found and that side of connection is
-	 * key_from_DNS_on_demand then go search DNS for keys for peer.
-	 */
-	if (s.tried_cnt == 0 && c->spd.that.key_from_DNS_on_demand)
-	{
-		if (gateways_from_dns != NULL)
-		{
-			/* TXT keys */
-			const struct gw_info *gwp;
-
-			for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
-			{
-				if (gwp->gw_key_present && take_a_crack(&s, gwp->key))
-				{
-					return STF_OK;
-				}
-			}
-		}
-#ifdef USE_KEYRR
-		else if (keys_from_dns != NULL)
-		{
-			/* KEY keys */
-			const pubkey_list_t *kr;
-
-			for (kr = keys_from_dns; kr != NULL; kr = kr->next)
-			{
-				if (kr->key->alg == PUBKEY_ALG_RSA && take_a_crack(&s, kr->key))
-				{
-					return STF_OK;
-				}
-			}
-		}
-#endif /* USE_KEYRR */
-		else
-		{
-			/* nothing yet: ask for asynch DNS lookup */
-			return STF_SUSPEND;
-		}
-	}
-
-	/* no acceptable key was found: diagnose */
-	{
-		if (s.tried_cnt == 0)
-		{
-			loglog(RC_LOG_SERIOUS, "no public key known for '%Y'", peer);
-		}
-		else if (s.tried_cnt == 1)
-		{
-			loglog(RC_LOG_SERIOUS, "signature check for '%Y' failed: "
-					" wrong key?; tried %d", peer, s.tried_cnt);
-			DBG(DBG_CONTROL,
-				DBG_log("public key for '%Y' failed: "
-						"decrypted SIG payload into a malformed ECB", peer)
-			)
-		}
-		else
-		{
-			loglog(RC_LOG_SERIOUS, "signature check for '%Y' failed: "
-					  "tried %d keys but none worked.", peer, s.tried_cnt);
-			DBG(DBG_CONTROL,
-				DBG_log("all %d public keys for '%Y' failed: "
-						"best decrypted SIG payload into a malformed ECB",
-						s.tried_cnt, peer)
-			)
-		}
-		return STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
-	}
-}
-
-static notification_t accept_nonce(struct msg_digest *md, chunk_t *dest,
-								   const char *name)
-{
-	pb_stream *nonce_pbs = &md->chain[ISAKMP_NEXT_NONCE]->pbs;
-	size_t len = pbs_left(nonce_pbs);
-
-	if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len)
-	{
-		loglog(RC_LOG_SERIOUS, "%s length not between %d and %d"
-			, name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE);
-		return ISAKMP_PAYLOAD_MALFORMED;       /* ??? */
-	}
-	free(dest->ptr);
-	*dest = chunk_create(nonce_pbs->cur, len);
-	*dest = chunk_clone(*dest);
-	return ISAKMP_NOTHING_WRONG;
-}
-
-/* encrypt message, sans fixed part of header
- * IV is fetched from st->st_new_iv and stored into st->st_iv.
- * The theory is that there will be no "backing out", so we commit to IV.
- * We also close the pbs.
- */
-bool encrypt_message(pb_stream *pbs, struct state *st)
-{
-	u_int8_t *enc_start = pbs->start + sizeof(struct isakmp_hdr);
-	size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr);
-	chunk_t data, iv;
-    char *new_iv;
-	size_t crypter_block_size, crypter_iv_size;
-	encryption_algorithm_t enc_alg;
-	crypter_t *crypter;
-
-	DBG_cond_dump(DBG_CRYPT | DBG_RAW, "encrypting:\n", enc_start, enc_len);
-	enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
-	crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
-	crypter_block_size = crypter->get_block_size(crypter);
-	crypter_iv_size = crypter->get_iv_size(crypter);
-
-	/* Pad up to multiple of encryption blocksize.
-	 * See the description associated with the definition of
-	 * struct isakmp_hdr in packet.h.
-	 */
-	{
-		size_t padding = pad_up(enc_len, crypter_block_size);
-
-		if (padding != 0)
-		{
-			if (!out_zero(padding, pbs, "encryption padding"))
-				return FALSE;
-			enc_len += padding;
-		}
-	}
-
-	DBG(DBG_CRYPT, DBG_log("encrypting using %s", enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
-	data = chunk_create(enc_start, enc_len);
-
-	/* form iv by truncation */
-	st->st_new_iv_len = crypter_iv_size;
-	iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
-
-	crypter->set_key(crypter, st->st_enc_key);
-	crypter->encrypt(crypter, data, iv, NULL);
-	crypter->destroy(crypter);
-
-	new_iv = data.ptr + data.len - crypter_iv_size;
-	memcpy(st->st_new_iv, new_iv, crypter_iv_size);
-	update_iv(st);
-	DBG_cond_dump(DBG_CRYPT, "next IV:", st->st_iv, st->st_iv_len);
-	close_message(pbs);
-	return TRUE;
-}
-
-/* Compute HASH(1), HASH(2) of Quick Mode.
- * HASH(1) is part of Quick I1 message.
- * HASH(2) is part of Quick R1 message.
- * Used by: quick_outI1, quick_inI1_outR1 (twice), quick_inR1_outI2
- * (see RFC 2409 "IKE" 5.5, pg. 18 or draft-ietf-ipsec-ike-01.txt 6.2 pg 25)
- */
-static size_t quick_mode_hash12(u_char *dest, u_char *start, u_char *roof,
-								const struct state *st,	const msgid_t *msgid,
-								bool hash2)
-{
-	chunk_t msgid_chunk = chunk_from_thing(*msgid);
-	chunk_t msg_chunk = { start, roof - start };
-	pseudo_random_function_t prf_alg;
-	prf_t *prf;
-	size_t prf_block_size;
-
-	prf_alg = oakley_to_prf(st->st_oakley.hash);
-	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-	prf->set_key(prf, st->st_skeyid_a);
-	prf->get_bytes(prf, msgid_chunk, NULL);
-	if (hash2)
-	{
-		prf->get_bytes(prf, st->st_ni, NULL); /* include Ni_b in the hash */
-	}
-	prf->get_bytes(prf, msg_chunk, dest);
-	prf_block_size = prf->get_block_size(prf);
-	prf->destroy(prf);
-
-	DBG(DBG_CRYPT,
-		DBG_log("HASH(%d) computed:", hash2 + 1);
-		DBG_dump("", dest, prf_block_size)
-	)
-	return prf_block_size;
-}
-
-/* Compute HASH(3) in Quick Mode (part of Quick I2 message).
- * Used by: quick_inR1_outI2, quick_inI2
- * See RFC2409 "The Internet Key Exchange (IKE)" 5.5.
- * NOTE: this hash (unlike HASH(1) and HASH(2)) ONLY covers the
- * Message ID and Nonces.  This is a mistake.
- */
-static size_t quick_mode_hash3(u_char *dest, struct state *st)
-{
-	chunk_t seed_chunk = chunk_from_chars(0x00);
-	chunk_t msgid_chunk = chunk_from_thing(st->st_msgid);
-	pseudo_random_function_t prf_alg;
-	prf_t *prf;
-	size_t prf_block_size;
-
-	prf_alg = oakley_to_prf(st->st_oakley.hash);
-	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-	prf->set_key(prf, st->st_skeyid_a);
-	prf->get_bytes(prf, seed_chunk, NULL );
-	prf->get_bytes(prf, msgid_chunk, NULL);
-	prf->get_bytes(prf, st->st_ni, NULL);
-	prf->get_bytes(prf, st->st_nr, dest);
-	prf_block_size = prf->get_block_size(prf);
-	prf->destroy(prf);
-
-	DBG_cond_dump(DBG_CRYPT, "HASH(3) computed:", dest, prf_block_size);
-	return prf_block_size;
-}
-
-/* Compute Phase 2 IV.
- * Uses Phase 1 IV from st_iv; puts result in st_new_iv.
- */
-void init_phase2_iv(struct state *st, const msgid_t *msgid)
-{
-	chunk_t iv_chunk = { st->st_ph1_iv, st->st_ph1_iv_len };
-	chunk_t msgid_chunk = chunk_from_thing(*msgid);
-	hash_algorithm_t hash_alg;
-	hasher_t *hasher;
-
-	hash_alg = oakley_to_hash_algorithm(st->st_oakley.hash);
-	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-
-	DBG_cond_dump(DBG_CRYPT, "last Phase 1 IV:",
-				  st->st_ph1_iv, st->st_ph1_iv_len);
-
-	st->st_new_iv_len = hasher->get_hash_size(hasher);
-	passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
-
-	hasher->get_hash(hasher, iv_chunk, NULL);
-	hasher->get_hash(hasher, msgid_chunk, st->st_new_iv);
-	hasher->destroy(hasher);
-
-	DBG_cond_dump(DBG_CRYPT, "computed Phase 2 IV:",
-				  st->st_new_iv, st->st_new_iv_len);
-}
-
-/* Initiate quick mode.
- * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
- * (see RFC 2409 "IKE" 5.5)
- * Note: this is not called from demux.c
- */
-
-static bool emit_subnet_id(ip_subnet *net, u_int8_t np, u_int8_t protoid,
-						   u_int16_t port, pb_stream *outs)
-{
-	struct isakmp_ipsec_id id;
-	pb_stream id_pbs;
-	ip_address ta;
-	const unsigned char *tbp;
-	size_t tal;
-
-	id.isaiid_np = np;
-	id.isaiid_idtype = subnetishost(net)
-					   ? aftoinfo(subnettypeof(net))->id_addr
-					   : aftoinfo(subnettypeof(net))->id_subnet;
-	id.isaiid_protoid = protoid;
-	id.isaiid_port = port;
-
-	if (!out_struct(&id, &isakmp_ipsec_identification_desc, outs, &id_pbs))
-	{
-		return FALSE;
-	}
-	networkof(net, &ta);
-	tal = addrbytesptr(&ta, &tbp);
-	if (!out_raw(tbp, tal, &id_pbs, "client network"))
-	{
-		return FALSE;
-	}
-	if (!subnetishost(net))
-	{
-		maskof(net, &ta);
-		tal = addrbytesptr(&ta, &tbp);
-		if (!out_raw(tbp, tal, &id_pbs, "client mask"))
-		{
-			return FALSE;
-		}
-	}
-	close_output_pbs(&id_pbs);
-	return TRUE;
-}
-
-stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
-					   connection_t *c, lset_t policy, unsigned long try,
-					   so_serial_t replacing)
-{
-	struct state *st = duplicate_state(isakmp_sa);
-	pb_stream reply;    /* not really a reply */
-	pb_stream rbody;
-	u_char      /* set by START_HASH_PAYLOAD: */
-		*r_hashval,     /* where in reply to jam hash value */
-		*r_hash_start;  /* start of what is to be hashed */
-	bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
-					  c->spd.this.protocol || c->spd.that.protocol ||
-					  c->spd.this.port || c->spd.that.port;
-	bool send_natoa = FALSE;
-	u_int8_t np = ISAKMP_NEXT_NONE;
-	connection_t *ph1_c = isakmp_sa->st_connection;
-
-	if (c->spd.this.modecfg && !c->spd.this.has_client &&
-		c->spd.this.host_srcip->is_anyaddr(c->spd.this.host_srcip))
-	{
-		host_t * ph1_srcip = ph1_c->spd.this.host_srcip;
-
-		if (ph1_c->spd.this.modecfg && !ph1_srcip->is_anyaddr(ph1_srcip))
-		{
-			c->spd.this.host_srcip->destroy(c->spd.this.host_srcip);
-			c->spd.this.host_srcip = ph1_srcip->clone(ph1_srcip);
-			c->spd.this.client = ph1_c->spd.this.client;
-			c->spd.this.has_client = TRUE;
-			plog("inheriting virtual IP source address %H from ModeCfg", ph1_srcip);
-		}
-	}
-
-	if (ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
-		ph1_c->xauth_identity && !c->xauth_identity)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("inheriting XAUTH identity %Y", ph1_c->xauth_identity)
-		)
-		c->xauth_identity = ph1_c->xauth_identity->clone(ph1_c->xauth_identity);
-	}
-
-	st->st_whack_sock = whack_sock;
-	st->st_connection = c;
-	set_cur_state(st);  /* we must reset before exit */
-	st->st_policy = policy;
-	st->st_try = try;
-
-	st->st_myuserprotoid = c->spd.this.protocol;
-	st->st_peeruserprotoid = c->spd.that.protocol;
-	st->st_myuserport = c->spd.this.port;
-	st->st_peeruserport = c->spd.that.port;
-
-	st->st_msgid = generate_msgid(isakmp_sa);
-	st->st_state = STATE_QUICK_I1;
-
-	insert_state(st);   /* needs cookies, connection, and msgid */
-
-	if (replacing == SOS_NOBODY)
-	{
-		plog("initiating Quick Mode %s {using isakmp#%lu}",
-			 prettypolicy(policy), isakmp_sa->st_serialno);
-	}
-	else
-	{
-		plog("initiating Quick Mode %s to replace #%lu {using isakmp#%lu}",
-			 prettypolicy(policy), replacing, isakmp_sa->st_serialno);
-	}
-	if (isakmp_sa->nat_traversal & NAT_T_DETECTED)
-	{
-		/* Duplicate nat_traversal status in new state */
-		st->nat_traversal = isakmp_sa->nat_traversal;
-
-		if (isakmp_sa->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
-		{
-			has_client = TRUE;
-		}
-	   nat_traversal_change_port_lookup(NULL, st);
-	}
-	else
-	{
-		st->nat_traversal = 0;
-	}
-
-	/* are we going to send a NAT-OA payload? */
-	if ((st->nat_traversal & NAT_T_WITH_NATOA)
-	&& !(st->st_policy & POLICY_TUNNEL)
-	&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)))
-	{
-		send_natoa = TRUE;
-		np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
-				  ISAKMP_NEXT_NATOA_RFC : ISAKMP_NEXT_NATOA_DRAFTS;
-	}
-
-	/* set up reply */
-	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
-
-	/* HDR* out */
-	{
-		struct isakmp_hdr hdr;
-
-		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-		hdr.isa_np = ISAKMP_NEXT_HASH;
-		hdr.isa_xchg = ISAKMP_XCHG_QUICK;
-		hdr.isa_msgid = st->st_msgid;
-		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-		memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* HASH(1) -- create and note space to be filled later */
-	START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_SA);
-
-	/* SA out */
-
-	/*
-	 * See if pfs_group has been specified for this conn,
-	 * if not, fallback to old use-same-as-P1 behaviour
-	 */
-#ifndef NO_IKE_ALG
-	if (st->st_connection)
-	{
-			st->st_pfs_group = ike_alg_pfsgroup(st->st_connection, policy);
-	}
-	if (!st->st_pfs_group)
-#endif
-	/* If PFS specified, use the same group as during Phase 1:
-	 * since no negotiation is possible, we pick one that is
-	 * very likely supported.
-	 */
-			st->st_pfs_group = policy & POLICY_PFS? isakmp_sa->st_oakley.group : NULL;
-
-	/* Emit SA payload based on a subset of the policy bits.
-	 * POLICY_COMPRESS is considered iff we can do IPcomp.
-	 */
-	{
-		lset_t pm = POLICY_ENCRYPT | POLICY_AUTHENTICATE;
-
-		if (can_do_IPcomp)
-		{
-			pm |= POLICY_COMPRESS;
-		}
-		if (!out_sa(&rbody,
-			&ipsec_sadb[(st->st_policy & pm) >> POLICY_IPSEC_SHIFT],
-			st, FALSE, ISAKMP_NEXT_NONCE))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* Ni out */
-	if (!build_and_ship_nonce(&st->st_ni, &rbody
-	, policy & POLICY_PFS? ISAKMP_NEXT_KE : has_client? ISAKMP_NEXT_ID : np
-	, "Ni"))
-	{
-		reset_cur_state();
-		return STF_INTERNAL_ERROR;
-	}
-
-	/* [ KE ] out (for PFS) */
-
-	if (st->st_pfs_group != NULL)
-	{
-		if (!build_and_ship_KE(st, &st->st_gi, st->st_pfs_group
-		, &rbody, has_client? ISAKMP_NEXT_ID : np))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* [ IDci, IDcr ] out */
-	if (has_client)
-	{
-		/* IDci (we are initiator), then IDcr (peer is responder) */
-		if (!emit_subnet_id(&c->spd.this.client
-		  , ISAKMP_NEXT_ID, st->st_myuserprotoid, st->st_myuserport, &rbody)
-		|| !emit_subnet_id(&c->spd.that.client
-		  , np, st->st_peeruserprotoid, st->st_peeruserport, &rbody))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* Send NAT-OA if our address is NATed */
-	if (send_natoa)
-	{
-		if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &rbody, st))
-		{
-			reset_cur_state();
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* finish computing  HASH(1), inserting it in output */
-	(void) quick_mode_hash12(r_hashval, r_hash_start, rbody.cur
-		, st, &st->st_msgid, FALSE);
-
-	/* encrypt message, except for fixed part of header */
-
-	init_phase2_iv(isakmp_sa, &st->st_msgid);
-	st->st_new_iv_len = isakmp_sa->st_new_iv_len;
-	memcpy(st->st_new_iv, isakmp_sa->st_new_iv, st->st_new_iv_len);
-
-	if (!encrypt_message(&rbody, st))
-	{
-		reset_cur_state();
-		return STF_INTERNAL_ERROR;
-	}
-
-	/* save packet, now that we know its size */
-	st->st_tpacket = chunk_create(reply.start, pbs_offset(&reply));
-	st->st_tpacket = chunk_clone(st->st_tpacket);
-
-	/* send the packet */
-
-	send_packet(st, "quick_outI1");
-
-	delete_event(st);
-	event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
-
-	if (replacing == SOS_NOBODY)
-	{
-		whack_log(RC_NEW_STATE + STATE_QUICK_I1
-			, "%s: initiate"
-			, enum_name(&state_names, st->st_state));
-	}
-	else
-	{
-		whack_log(RC_NEW_STATE + STATE_QUICK_I1
-			, "%s: initiate to replace #%lu"
-			, enum_name(&state_names, st->st_state)
-			, replacing);
-	}
-	reset_cur_state();
-	return STF_OK;
-}
-
-
-/*
- * Decode the CERT payload of Phase 1.
- */
-static void decode_cert(struct msg_digest *md)
-{
-	struct payload_digest *p;
-
-	for (p = md->chain[ISAKMP_NEXT_CERT]; p != NULL; p = p->next)
-	{
-		struct isakmp_cert *const cert = &p->payload.cert;
-		chunk_t blob;
-		time_t valid_until;
-		blob.ptr = p->pbs.cur;
-		blob.len = pbs_left(&p->pbs);
-		if (cert->isacert_type == CERT_X509_SIGNATURE)
-		{
-			cert_t x509cert = cert_empty;
-
-			x509cert.cert = lib->creds->create(lib->creds,
-											   CRED_CERTIFICATE, CERT_X509,
-											   BUILD_BLOB_ASN1_DER, blob,
-											   BUILD_END);
-			if (x509cert.cert)
-			{
-				if (verify_x509cert(&x509cert, strict_crl_policy, &valid_until))
-				{
-					DBG(DBG_PARSING,
-						DBG_log("Public key validated")
-					)
-					add_public_key_from_cert(&x509cert, valid_until, DAL_SIGNED);
-				}
-				else
-				{
-					plog("X.509 certificate rejected");
-				}
-				x509cert.cert->destroy(x509cert.cert);
-			}
-			else
-			{
-				plog("Syntax error in X.509 certificate");
-			}
-		}
-		else if (cert->isacert_type == CERT_PKCS7_WRAPPED_X509)
-		{
-			linked_list_t *certs = linked_list_create();
-
-			if (pkcs7_parse_signedData(blob, NULL, certs, NULL, NULL))
-			{
-				store_x509certs(certs, strict_crl_policy);
-			}
-			else
-			{
-				plog("Syntax error in PKCS#7 wrapped X.509 certificates");
-			}
-			certs->destroy_offset(certs, offsetof(certificate_t, destroy));
-		}
-		else
-		{
-			loglog(RC_LOG_SERIOUS, "ignoring %s certificate payload",
-				   enum_show(&cert_type_names, cert->isacert_type));
-			DBG_cond_dump_chunk(DBG_PARSING, "CERT:\n", blob);
-		}
-	}
-}
-
-/*
- * Decode the CR payload of Phase 1.
- */
-static void decode_cr(struct msg_digest *md, connection_t *c)
-{
-	struct payload_digest *p;
-
-	for (p = md->chain[ISAKMP_NEXT_CR]; p != NULL; p = p->next)
-	{
-		struct isakmp_cr *const cr = &p->payload.cr;
-		chunk_t ca_name;
-
-		ca_name.len = pbs_left(&p->pbs);
-		ca_name.ptr = (ca_name.len > 0)? p->pbs.cur : NULL;
-
-		DBG_cond_dump_chunk(DBG_PARSING, "CR", ca_name);
-
-		if (cr->isacr_type == CERT_X509_SIGNATURE)
-		{
-			if (ca_name.len > 0)
-			{
-				identification_t *ca;
-
-				if (!is_asn1(ca_name))
-				{
-					continue;
-				}
-				if (c->requested_ca == NULL)
-				{
-					c->requested_ca = linked_list_create();
-				}
-				ca = identification_create_from_encoding(ID_DER_ASN1_DN, ca_name);
-				c->requested_ca->insert_last(c->requested_ca, ca);
-				DBG(DBG_PARSING | DBG_CONTROL,
-					DBG_log("requested CA: \"%Y\"", ca)
-				)
-			}
-			else
-			{
-				DBG(DBG_PARSING | DBG_CONTROL,
-					DBG_log("requested CA: %%any")
-				)
-			}
-			c->got_certrequest = TRUE;
-		}
-		else
-		{
-			loglog(RC_LOG_SERIOUS, "ignoring %s certificate request payload",
-				   enum_show(&cert_type_names, cr->isacr_type));
-		}
-	}
-}
-
-/* Decode the ID payload of Phase 1 (main_inI3_outR3 and main_inR3)
- * Note: we may change connections as a result.
- * We must be called before SIG or HASH are decoded since we
- * may change the peer's public key or ID.
- */
-static bool decode_peer_id(struct msg_digest *md, identification_t **peer)
-{
-	struct state *const st = md->st;
-	struct payload_digest *const id_pld = md->chain[ISAKMP_NEXT_ID];
-	const pb_stream *const id_pbs = &id_pld->pbs;
-	struct isakmp_id *const id = &id_pld->payload.id;
-	chunk_t id_payload;
-
-	/* I think that RFC2407 (IPSEC DOI) 4.6.2 is confused.
-	 * It talks about the protocol ID and Port fields of the ID
-	 * Payload, but they don't exist as such in Phase 1.
-	 * We use more appropriate names.
-	 * isaid_doi_specific_a is in place of Protocol ID.
-	 * isaid_doi_specific_b is in place of Port.
-	 * Besides, there is no good reason for allowing these to be
-	 * other than 0 in Phase 1.
-	 */
-	if ((st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
-	&&   id->isaid_doi_specific_a == IPPROTO_UDP
-	&&  (id->isaid_doi_specific_b == 0 || id->isaid_doi_specific_b == NAT_T_IKE_FLOAT_PORT))
-	{
-		DBG_log("protocol/port in Phase 1 ID Payload is %d/%d. "
-				"accepted with port_floating NAT-T",
-				id->isaid_doi_specific_a, id->isaid_doi_specific_b);
-	}
-	else if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
-		 &&  !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
-	{
-		loglog(RC_LOG_SERIOUS, "protocol/port in Phase 1 ID Payload must be 0/0 or %d/%d"
-			" but are %d/%d"
-			, IPPROTO_UDP, IKE_UDP_PORT
-			, id->isaid_doi_specific_a, id->isaid_doi_specific_b);
-		return FALSE;
-	}
-
-	id_payload = chunk_create(id_pbs->cur, pbs_left(id_pbs));
-
-	switch (id->isaid_idtype)
-	{
-		case ID_IPV4_ADDR:
-			if (id_payload.len != 4)
-			{
-				loglog(RC_LOG_SERIOUS, "improper %s Phase 1 ID payload",
-								enum_show(&ident_names, id->isaid_idtype));
-				return FALSE;
-			}
-			break;
-		case ID_IPV6_ADDR:
-			if (id_payload.len != 16)
-			{
-				loglog(RC_LOG_SERIOUS, "improper %s Phase 1 ID payload",
-								enum_show(&ident_names, id->isaid_idtype));
-				return FALSE;
-			}
-			break;
-		case ID_USER_FQDN:
-		case ID_FQDN:
-			if (memchr(id_payload.ptr, '\0', id_payload.len) != NULL)
-			{
-				loglog(RC_LOG_SERIOUS, "%s Phase 1 ID payload contains "
-									   "a NUL character",
-								enum_show(&ident_names, id->isaid_idtype));
-				return FALSE;
-			}
-			break;
-		case ID_KEY_ID:
-		case ID_DER_ASN1_DN:
-			break;
-		default:
-			/* XXX Could send notification back */
-			loglog(RC_LOG_SERIOUS, "unacceptable identity type (%s) "
-								   "in Phase 1 ID payload",
-								enum_show(&ident_names, id->isaid_idtype));
-			return FALSE;
-	}
-	*peer = identification_create_from_encoding(id->isaid_idtype, id_payload);
-
-	plog("Peer ID is %s: '%Y'",	enum_show(&ident_names, id->isaid_idtype),
-								*peer);
-
-	/* check for certificates */
-	decode_cert(md);
-	return TRUE;
-}
-
-/* Now that we've decoded the ID payload, let's see if we
- * need to switch connections.
- * We must not switch horses if we initiated:
- * - if the initiation was explicit, we'd be ignoring user's intent
- * - if opportunistic, we'll lose our HOLD info
- */
-static bool switch_connection(struct msg_digest *md, identification_t *peer,
-							  bool initiator)
-{
-	struct state *const st = md->st;
-	connection_t *c = st->st_connection;
-	identification_t *peer_ca;
-
-	peer_ca = st->st_peer_pubkey ? st->st_peer_pubkey->issuer : NULL;
-	if (peer_ca)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("peer CA:      \"%Y\"", peer_ca)
-		)
-	}
-	else
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("peer CA:      %%none")
-		)
-	}
-
-	if (initiator)
-	{
-		int pathlen;
-
-		if (!peer->equals(peer, c->spd.that.id))
-		{
-			loglog(RC_LOG_SERIOUS,
-					"we require peer to have ID '%Y', but peer declares '%Y'",
-					c->spd.that.id, peer);
-			return FALSE;
-		}
-
-		if (c->spd.that.ca)
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("required CA:  \"%s\"", c->spd.that.ca);
-			)
-		}
-		else
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("required CA:  %%none");
-			)
-		}
-
-		if (!trusted_ca(peer_ca, c->spd.that.ca, &pathlen))
-		{
-			loglog(RC_LOG_SERIOUS
-				, "we don't accept the peer's CA");
-			return FALSE;
-		}
-	}
-	else
-	{
-		connection_t *r;
-
-		/* check for certificate requests */
-		decode_cr(md, c);
-
-		r = refine_host_connection(st, peer, peer_ca);
-
-		/* delete the collected certificate requests */
-		if (c->requested_ca)
-		{
-			c->requested_ca->destroy_offset(c->requested_ca,
-									 offsetof(identification_t, destroy));
-			c->requested_ca = NULL;
-		}
-
-		if (r == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "no suitable connection for peer '%Y'", peer);
-			return FALSE;
-		}
-
-		if (r->spd.this.ca)
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("offered CA:   \"%Y\"", r->spd.this.ca)
-			)
-		}
-		else
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("offered CA:   %%none")
-			)
-		}
-
-		if (r != c)
-		{
-			/* apparently, r is an improvement on c -- replace */
-
-			DBG(DBG_CONTROL
-				, DBG_log("switched from \"%s\" to \"%s\"", c->name, r->name));
-			if (r->kind == CK_TEMPLATE)
-			{
-				/* instantiate it, filling in peer's ID */
-				r = rw_instantiate(r, &c->spd.that.host_addr
-						, c->spd.that.host_port, NULL, peer);
-			}
-
-			/* copy certificate request info */
-			r->got_certrequest = c->got_certrequest;
-
-			st->st_connection = r;      /* kill reference to c */
-			set_cur_connection(r);
-			connection_discard(c);
-		}
-		else if (c->spd.that.has_id_wildcards)
-		{
-			c->spd.that.id->destroy(c->spd.that.id);
-			c->spd.that.id = peer->clone(peer);
-			c->spd.that.has_id_wildcards = FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/* Decode the variable part of an ID packet (during Quick Mode).
- * This is designed for packets that identify clients, not peers.
- * Rejects 0.0.0.0/32 or IPv6 equivalent because
- * (1) it is wrong and (2) we use this value for inband signalling.
- */
-static bool decode_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
-						  ip_subnet *net, const char *which)
-{
-	const struct af_info *afi = NULL;
-
-	/* Note: the following may be a pointer into static memory
-	 * that may be recycled, but only if the type is not known.
-	 * That case is disposed of very early -- in the first switch.
-	 */
-	const char *idtypename = enum_show(&ident_names, id->isaiid_idtype);
-
-	switch (id->isaiid_idtype)
-	{
-		case ID_IPV4_ADDR:
-		case ID_IPV4_ADDR_SUBNET:
-		case ID_IPV4_ADDR_RANGE:
-			afi = &af_inet4_info;
-			break;
-		case ID_IPV6_ADDR:
-		case ID_IPV6_ADDR_SUBNET:
-		case ID_IPV6_ADDR_RANGE:
-			afi = &af_inet6_info;
-			break;
-		case ID_FQDN:
-			return TRUE;
-		default:
-			/* XXX support more */
-			loglog(RC_LOG_SERIOUS, "unsupported ID type %s"
-				, idtypename);
-			/* XXX Could send notification back */
-			return FALSE;
-	}
-
-	switch (id->isaiid_idtype)
-	{
-		case ID_IPV4_ADDR:
-		case ID_IPV6_ADDR:
-		{
-			ip_address temp_address;
-			err_t ugh;
-
-			ugh = initaddr(id_pbs->cur, pbs_left(id_pbs), afi->af, &temp_address);
-
-			if (ugh != NULL)
-			{
-				loglog(RC_LOG_SERIOUS, "%s ID payload %s has wrong length in Quick I1 (%s)"
-					, which, idtypename, ugh);
-				/* XXX Could send notification back */
-				return FALSE;
-			}
-			if (isanyaddr(&temp_address))
-			{
-				loglog(RC_LOG_SERIOUS, "%s ID payload %s is invalid (%s) in Quick I1"
-					, which, idtypename, ip_str(&temp_address));
-				/* XXX Could send notification back */
-				return FALSE;
-			}
-			happy(addrtosubnet(&temp_address, net));
-			DBG(DBG_PARSING | DBG_CONTROL
-				, DBG_log("%s is %s", which, ip_str(&temp_address)));
-			break;
-		}
-
-		case ID_IPV4_ADDR_SUBNET:
-		case ID_IPV6_ADDR_SUBNET:
-		{
-			ip_address temp_address, temp_mask;
-			err_t ugh;
-
-			if (pbs_left(id_pbs) != 2 * afi->ia_sz)
-			{
-				loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
-					, which, idtypename);
-				/* XXX Could send notification back */
-				return FALSE;
-			}
-			ugh = initaddr(id_pbs->cur
-				, afi->ia_sz, afi->af, &temp_address);
-			if (ugh == NULL)
-			{
-				ugh = initaddr(id_pbs->cur + afi->ia_sz
-					, afi->ia_sz, afi->af, &temp_mask);
-			}
-			if (ugh == NULL)
-			{
-				ugh = initsubnet(&temp_address, masktocount(&temp_mask)
-					, '0', net);
-			}
-			if (ugh == NULL && subnetisnone(net))
-			{
-				ugh = "contains only anyaddr";
-			}
-			if (ugh != NULL)
-			{
-				loglog(RC_LOG_SERIOUS, "%s ID payload %s bad subnet in Quick I1 (%s)"
-					, which, idtypename, ugh);
-				/* XXX Could send notification back */
-				return FALSE;
-			}
-			DBG(DBG_PARSING | DBG_CONTROL,
-				{
-					char temp_buff[SUBNETTOT_BUF];
-
-					subnettot(net, 0, temp_buff, sizeof(temp_buff));
-					DBG_log("%s is subnet %s", which, temp_buff);
-				});
-			break;
-		}
-
-		case ID_IPV4_ADDR_RANGE:
-		case ID_IPV6_ADDR_RANGE:
-		{
-			ip_address temp_address_from, temp_address_to;
-			err_t ugh;
-
-			if (pbs_left(id_pbs) != 2 * afi->ia_sz)
-			{
-				loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
-					, which, idtypename);
-				/* XXX Could send notification back */
-				return FALSE;
-			}
-			ugh = initaddr(id_pbs->cur, afi->ia_sz, afi->af, &temp_address_from);
-			if (ugh == NULL)
-			{
-				ugh = initaddr(id_pbs->cur + afi->ia_sz
-					, afi->ia_sz, afi->af, &temp_address_to);
-			}
-			if (ugh != NULL)
-			{
-				loglog(RC_LOG_SERIOUS, "%s ID payload %s malformed (%s) in Quick I1"
-					, which, idtypename, ugh);
-				/* XXX Could send notification back */
-				return FALSE;
-			}
-
-			ugh = rangetosubnet(&temp_address_from, &temp_address_to, net);
-			if (ugh == NULL && subnetisnone(net))
-			{
-				ugh = "contains only anyaddr";
-			}
-			if (ugh != NULL)
-			{
-				char temp_buff1[ADDRTOT_BUF], temp_buff2[ADDRTOT_BUF];
-
-				addrtot(&temp_address_from, 0, temp_buff1, sizeof(temp_buff1));
-				addrtot(&temp_address_to, 0, temp_buff2, sizeof(temp_buff2));
-				loglog(RC_LOG_SERIOUS, "%s ID payload in Quick I1, %s"
-					" %s - %s unacceptable: %s"
-					, which, idtypename, temp_buff1, temp_buff2, ugh);
-				return FALSE;
-			}
-			DBG(DBG_PARSING | DBG_CONTROL,
-				{
-					char temp_buff[SUBNETTOT_BUF];
-
-					subnettot(net, 0, temp_buff, sizeof(temp_buff));
-					DBG_log("%s is subnet %s (received as range)"
-						, which, temp_buff);
-				});
-			break;
-		}
-	}
-
-	/* set the port selector */
-	setportof(htons(id->isaiid_port), &net->addr);
-
-	DBG(DBG_PARSING | DBG_CONTROL,
-		DBG_log("%s protocol/port is %d/%d", which, id->isaiid_protoid, id->isaiid_port)
-	)
-
-	return TRUE;
-}
-
-/* like decode, but checks that what is received matches what was sent */
-static bool check_net_id(struct isakmp_ipsec_id *id, pb_stream *id_pbs,
-						 u_int8_t *protoid, u_int16_t *port, ip_subnet *net,
-						 const char *which)
-{
-	ip_subnet net_temp;
-
-	if (!decode_net_id(id, id_pbs, &net_temp, which))
-	{
-		return FALSE;
-	}
-	if (!samesubnet(net, &net_temp)
-	|| *protoid != id->isaiid_protoid || *port != id->isaiid_port)
-	{
-		loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal", which);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/*
- * look for the existence of a non-expiring preloaded public key
- */
-static bool has_preloaded_public_key(struct state *st)
-{
-	connection_t *c = st->st_connection;
-
-	/* do not consider rw connections since
-	 * the peer's identity must be known
-	 */
-	if (c->kind == CK_PERMANENT)
-	{
-		pubkey_list_t *p;
-
-		/* look for a matching RSA public key */
-		for (p = pubkeys; p != NULL; p = p->next)
-		{
-			pubkey_t *key = p->key;
-			key_type_t type = key->public_key->get_type(key->public_key);
-
-			if (type == KEY_RSA &&
-				c->spd.that.id->equals(c->spd.that.id, key->id) &&
-				key->until_time == UNDEFINED_TIME)
-			{
-				/* found a preloaded public key */
-				return TRUE;
-			}
-		}
-	}
-	return FALSE;
-}
-
-/* Compute keying material for an SA
- */
-static void compute_keymat_internal(struct state *st, u_int8_t protoid,
-									ipsec_spi_t spi, size_t needed_len,
-									u_char **keymat_out)
-{
-	size_t i = 0, prf_block_size, needed_space;
-	chunk_t protoid_chunk = chunk_from_thing(protoid);
-	chunk_t spi_chunk = chunk_from_thing(spi);
-	pseudo_random_function_t prf_alg = oakley_to_prf(st->st_oakley.hash);
-	prf_t *prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-
-	prf->set_key(prf, st->st_skeyid_d);
-	prf_block_size = prf->get_block_size(prf);
-
-	/* Although only needed_len bytes are desired, we must round up to a
-	 * multiple of prf_block_size so that the buffer isn't overrun */
-	needed_space = needed_len + pad_up(needed_len, prf_block_size);
-	replace(*keymat_out, malloc(needed_space));
-
-	for (;;)
-	{
-		char *keymat_i = (*keymat_out) + i;
-		chunk_t keymat = { keymat_i,  prf_block_size };
-
-		if (st->st_shared.ptr != NULL)
-		{	/* PFS: include the g^xy */
-			prf->get_bytes(prf, st->st_shared, NULL);
-		}
-		prf->get_bytes(prf, protoid_chunk, NULL);
-		prf->get_bytes(prf, spi_chunk, NULL);
-		prf->get_bytes(prf, st->st_ni, NULL);
-		prf->get_bytes(prf, st->st_nr, keymat_i);
-
-		i += prf_block_size;
-		if (i >= needed_space)
-		{
-			break;
-		}
-
-		/* more keying material needed: prepare to go around again */
-		prf->get_bytes(prf, keymat, NULL);
-	}
-	prf->destroy(prf);
-}
-
-/*
- * Produce the new key material of Quick Mode.
- * RFC 2409 "IKE" section 5.5
- * specifies how this is to be done.
- */
-static void compute_proto_keymat(struct state *st, u_int8_t protoid,
-								 struct ipsec_proto_info *pi, enum endpoint ep)
-{
-	size_t needed_len = 0; /* bytes of keying material needed */
-
-	/* Add up the requirements for keying material
-	 * (It probably doesn't matter if we produce too much!)
-	 */
-	switch (protoid)
-	{
-		case PROTO_IPSEC_ESP:
-		{
-			needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid);
-
-			if (needed_len && pi->attrs.key_len)
-			{
-				needed_len = pi->attrs.key_len / BITS_PER_BYTE;
-			}
-
-			switch (pi->attrs.transid)
-			{
-				case ESP_NULL:
-					needed_len = 0;
-					break;
-				case ESP_AES_CCM_8:
-				case ESP_AES_CCM_12:
-				case ESP_AES_CCM_16:
-					needed_len += 3;
-					break;
-				case ESP_AES_GCM_8:
-				case ESP_AES_GCM_12:
-				case ESP_AES_GCM_16:
-				case ESP_AES_CTR:
-				case ESP_AES_GMAC:
-					needed_len += 4;
-					break;
-				default:
-					if (needed_len == 0)
-					{
-						bad_case(pi->attrs.transid);
-					}
-			}
-
-			if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL))
-			{
-				needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
-			}
-			else
-			{
-				switch (pi->attrs.auth)
-				{
-					case AUTH_ALGORITHM_NONE:
-						break;
-					case AUTH_ALGORITHM_HMAC_MD5:
-						needed_len += HMAC_MD5_KEY_LEN;
-						break;
-					case AUTH_ALGORITHM_HMAC_SHA1:
-						needed_len += HMAC_SHA1_KEY_LEN;
-						break;
-					case AUTH_ALGORITHM_DES_MAC:
-					default:
-						bad_case(pi->attrs.auth);
-				}
-			}
-			break;
-		}
-		case PROTO_IPSEC_AH:
-		{
-			switch (pi->attrs.transid)
-			{
-				case AH_MD5:
-					needed_len = HMAC_MD5_KEY_LEN;
-					break;
-				case AH_SHA:
-					needed_len = HMAC_SHA1_KEY_LEN;
-					break;
-				default:
-					bad_case(pi->attrs.transid);
-			}
-			break;
-		}
-		default:
-			bad_case(protoid);
-	}
-
-	pi->keymat_len = needed_len;
-
-	if (ep & EP_LOCAL)
-	{
-		compute_keymat_internal(st, protoid, pi->our_spi, needed_len,
-								&pi->our_keymat);
-		DBG(DBG_CRYPT,
-			DBG_dump("KEYMAT computed:\n", pi->our_keymat,
-					 pi->keymat_len));
-	}
-	if (ep & EP_REMOTE)
-	{
-		compute_keymat_internal(st, protoid, pi->attrs.spi, needed_len,
-								&pi->peer_keymat);
-		DBG(DBG_CRYPT,
-			DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat,
-					 pi->keymat_len));
-	}
-}
-
-static void compute_keymats(struct state *st, enum endpoint ep)
-{
-	if (st->st_ah.present)
-	{
-		compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, ep);
-	}
-	if (st->st_esp.present)
-	{
-		compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, ep);
-	}
-}
-
-static void wipe_proto_keymat(struct ipsec_proto_info *pi, enum endpoint ep)
-{
-	if (ep & EP_LOCAL)
-	{
-		memwipe(pi->our_keymat, pi->keymat_len);
-	}
-	if (ep & EP_REMOTE)
-	{
-		memwipe(pi->peer_keymat, pi->keymat_len);
-	}
-}
-
-static void wipe_keymats(struct state *st, enum endpoint ep)
-{
-	if (st->st_ah.present)
-	{
-		wipe_proto_keymat(&st->st_ah, ep);
-	}
-	if (st->st_esp.present)
-	{
-		wipe_proto_keymat(&st->st_esp, ep);
-	}
-}
-
-static bool uses_pubkey_auth(int auth)
-{
-	switch (auth)
-	{
-		case OAKLEY_RSA_SIG:
-		case OAKLEY_ECDSA_SIG:
-		case OAKLEY_ECDSA_256:
-		case OAKLEY_ECDSA_384:
-		case OAKLEY_ECDSA_521:
-		case XAUTHInitRSA:
-		case XAUTHRespRSA:
-			return TRUE;
-		default:
-			return FALSE;
-	}
-}
-
-/* build an ID payload
- * Note: no memory is allocated for the body of the payload (tl->ptr).
- * We assume it will end up being a pointer into a sufficiently
- * stable datastructure.  It only needs to last a short time.
- */
-static void build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end)
-{
-	identification_t *id = resolve_myid(end->id);
-
-	zero(hd);
-	hd->isaiid_idtype = id->get_type(id);
-
-	switch (id->get_type(id))
-	{
-		case ID_ANY:
-			hd->isaiid_idtype = aftoinfo(addrtypeof(&end->host_addr))->id_addr;
-			tl->len = addrbytesptr(&end->host_addr,
-						(const unsigned char **)&tl->ptr); /* sets tl->ptr too */
-			break;
-		case ID_IPV4_ADDR:
-		case ID_IPV6_ADDR:
-		case ID_FQDN:
-		case ID_USER_FQDN:
-		case ID_DER_ASN1_DN:
-		case ID_KEY_ID:
-			*tl = id->get_encoding(id);
-			break;
-		default:
-			bad_case(id->get_type(id));
-	}
-}
-
-/* State Transition Functions.
- *
- * The definition of state_microcode_table in demux.c is a good
- * overview of these routines.
- *
- * - Called from process_packet; result handled by complete_state_transition
- * - struct state_microcode member "processor" points to these
- * - these routine definitionss are in state order
- * - these routines must be restartable from any point of error return:
- *   beware of memory allocated before any error.
- * - output HDR is usually emitted by process_packet (if state_microcode
- *   member first_out_payload isn't ISAKMP_NEXT_NONE).
- *
- * The transition functions' functions include:
- * - process and judge payloads
- * - update st_iv (result of decryption is in st_new_iv)
- * - build reply packet
- */
-
-/* Handle a Main Mode Oakley first packet (responder side).
- * HDR;SA --> HDR;SA
- */
-stf_status main_inI1_outR1(struct msg_digest *md)
-{
-	struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
-	struct state *st;
-	connection_t *c;
-	struct isakmp_proposal proposal;
-	pb_stream proposal_pbs;
-	pb_stream r_sa_pbs;
-	u_int32_t ipsecdoisit;
-	lset_t policy = LEMPTY;
-	int vids_to_send = 0;
-
-	/* We preparse the peer's proposal in order to determine
-	 * the requested authentication policy (RSA or PSK)
-	 */
-	RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sa_pd->payload.sa
-		, &sa_pd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
-
-	backup_pbs(&proposal_pbs);
-	RETURN_STF_FAILURE(parse_isakmp_policy(&proposal_pbs
-					 , proposal.isap_notrans, &policy));
-	restore_pbs(&proposal_pbs);
-
-	/* We are only considering candidate connections that match
-	 * the requested authentication policy (RSA or PSK)
-	 */
-	c = find_host_connection(&md->iface->addr, pluto_port
-						   , &md->sender, md->sender_port, policy);
-
-	if (c == NULL && md->iface->ike_float)
-	{
-		c = find_host_connection(&md->iface->addr, NAT_T_IKE_FLOAT_PORT
-				, &md->sender, md->sender_port, policy);
-	}
-
-	if (c == NULL)
-	{
-		/* See if a wildcarded connection can be found.
-		 * We cannot pick the right connection, so we're making a guess.
-		 * All Road Warrior connections are fair game:
-		 * we pick the first we come across (if any).
-		 * If we don't find any, we pick the first opportunistic
-		 * with the smallest subnet that includes the peer.
-		 * There is, of course, no necessary relationship between
-		 * an Initiator's address and that of its client,
-		 * but Food Groups kind of assumes one.
-		 */
-		{
-			connection_t *d;
-
-			d = find_host_connection(&md->iface->addr
-				, pluto_port, (ip_address*)NULL, md->sender_port, policy);
-
-			for (; d != NULL; d = d->hp_next)
-			{
-				if (d->kind == CK_GROUP)
-				{
-					/* ignore */
-				}
-				else
-				{
-					if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO))
-					{
-						/* must be Road Warrior: we have a winner */
-						c = d;
-						break;
-					}
-
-					/* Opportunistic or Shunt: pick tightest match */
-					if (addrinsubnet(&md->sender, &d->spd.that.client)
-					&& (c == NULL || !subnetinsubnet(&c->spd.that.client, &d->spd.that.client)))
-						c = d;
-				}
-			}
-		}
-
-		if (c == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
-				" but no connection has been authorized%s%s"
-				, ip_str(&md->iface->addr), ntohs(portof(&md->iface->addr))
-				, (policy != LEMPTY) ? " with policy=" : ""
-				, (policy != LEMPTY) ? bitnamesof(sa_policy_bit_names, policy) : "");
-			/* XXX notification is in order! */
-			return STF_IGNORE;
-		}
-		else if (c->kind != CK_TEMPLATE)
-		{
-			loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
-				" but \"%s\" forbids connection"
-				, ip_str(&md->iface->addr), pluto_port, c->name);
-			/* XXX notification is in order! */
-			return STF_IGNORE;
-		}
-		else
-		{
-			/* Create a temporary connection that is a copy of this one.
-			 * His ID isn't declared yet.
-			 */
-			c = rw_instantiate(c, &md->sender, md->sender_port, NULL, NULL);
-		}
-	}
-	else if (c->kind == CK_TEMPLATE)
-	{
-		/* Create an instance
-		 * This is a rare case: wildcard peer ID but static peer IP address
-		 */
-		 c = rw_instantiate(c, &md->sender, md->sender_port, NULL, c->spd.that.id);
-	}
-
-	/* Set up state */
-	md->st = st = new_state();
-	st->st_connection = c;
-	set_cur_state(st);  /* (caller will reset cur_state) */
-	st->st_try = 0;     /* not our job to try again from start */
-	st->st_policy = c->policy & ~POLICY_IPSEC_MASK;     /* only as accurate as connection */
-
-	memcpy(st->st_icookie, md->hdr.isa_icookie, COOKIE_SIZE);
-	get_cookie(FALSE, st->st_rcookie, COOKIE_SIZE, &md->sender);
-
-	insert_state(st);   /* needs cookies, connection, and msgid (0) */
-
-	st->st_doi = ISAKMP_DOI_IPSEC;
-	st->st_situation = SIT_IDENTITY_ONLY; /* We only support this */
-
-	if ((c->kind == CK_INSTANCE) && (c->spd.that.host_port != pluto_port))
-	{
-	   plog("responding to Main Mode from unknown peer %s:%u"
-			, ip_str(&c->spd.that.host_addr), c->spd.that.host_port);
-	}
-	else if (c->kind == CK_INSTANCE)
-	{
-		plog("responding to Main Mode from unknown peer %s"
-			, ip_str(&c->spd.that.host_addr));
-	}
-	else
-	{
-		plog("responding to Main Mode");
-	}
-
-	/* parse_isakmp_sa also spits out a winning SA into our reply,
-	 * so we have to build our md->reply and emit HDR before calling it.
-	 */
-
-	/* determine how many Vendor ID payloads we will be sending */
-	if (SEND_PLUTO_VID)
-	{
-		vids_to_send++;
-	}
-	if (SEND_CISCO_UNITY_VID)
-	{
-		vids_to_send++;
-	}
-	if (md->openpgp)
-	{
-		vids_to_send++;
-	}
-	if (SEND_XAUTH_VID)
-	{
-		vids_to_send++;
-	}
-	/* always send DPD Vendor ID */
-		vids_to_send++;
-	if (md->nat_traversal_vid && nat_traversal_enabled)
-	{
-		vids_to_send++;
-	}
-
-	/* HDR out.
-	 * We can't leave this to comm_handle() because we must
-	 * fill in the cookie.
-	 */
-	{
-		struct isakmp_hdr r_hdr = md->hdr;
-
-		r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT; /* we won't ever turn on this bit */
-		memcpy(r_hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-		r_hdr.isa_np = ISAKMP_NEXT_SA;
-		if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
-			return STF_INTERNAL_ERROR;
-	}
-
-	/* start of SA out */
-	{
-		struct isakmp_sa r_sa = sa_pd->payload.sa;
-
-		r_sa.isasa_np = vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE;
-
-		if (!out_struct(&r_sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
-			return STF_INTERNAL_ERROR;
-	}
-
-	/* SA body in and out */
-	RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit, &proposal_pbs
-		,&proposal, &r_sa_pbs, st, FALSE));
-
-	/* if enabled send Pluto Vendor ID */
-	if (SEND_PLUTO_VID)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &md->rbody, VID_STRONGSWAN))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* if enabled send Cisco Unity Vendor ID */
-	if (SEND_CISCO_UNITY_VID)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &md->rbody, VID_CISCO_UNITY))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/*
-	 * if the peer sent an OpenPGP Vendor ID we offer the same capability
-	 */
-	if (md->openpgp)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &md->rbody, VID_OPENPGP))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* Announce our ability to do eXtended AUTHentication to the peer */
-	if (SEND_XAUTH_VID)
-	{
-		if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &md->rbody, VID_MISC_XAUTH))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* Announce our ability to do Dead Peer Detection to the peer */
-	if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-	, &md->rbody, VID_MISC_DPD))
-	{
-		return STF_INTERNAL_ERROR;
-	}
-
-	if (md->nat_traversal_vid && nat_traversal_enabled)
-	{
-		/* reply if NAT-Traversal draft is supported */
-		st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
-
-		if (st->nat_traversal
-		&& !out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-		, &md->rbody, md->nat_traversal_vid))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	close_message(&md->rbody);
-
-	/* save initiator SA for HASH */
-	free(st->st_p1isa.ptr);
-	st->st_p1isa = chunk_create(sa_pd->pbs.start, pbs_room(&sa_pd->pbs));
-	st->st_p1isa = chunk_clone(st->st_p1isa);
-
-	return STF_OK;
-}
-
-/* STATE_MAIN_I1: HDR, SA --> auth dependent
- * PSK_AUTH, DS_AUTH: --> HDR, KE, Ni
- *
- * The following are not yet implemented:
- * PKE_AUTH: --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
- * RPKE_AUTH: --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
- *                <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
- *
- * We must verify that the proposal received matches one we sent.
- */
-stf_status main_inR1_outI2(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-
-	u_int8_t np = ISAKMP_NEXT_NONE;
-
-	/* verify echoed SA */
-	{
-		u_int32_t ipsecdoisit;
-		pb_stream proposal_pbs;
-		struct isakmp_proposal proposal;
-		struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
-
-		RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sapd->payload.sa
-			,&sapd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
-		if (proposal.isap_notrans != 1)
-		{
-			loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
-			, (unsigned)proposal.isap_notrans);
-			RETURN_STF_FAILURE(ISAKMP_BAD_PROPOSAL_SYNTAX);
-		}
-		RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit
-			, &proposal_pbs, &proposal, NULL, st, TRUE));
-	}
-
-	if (nat_traversal_enabled && md->nat_traversal_vid)
-	{
-		st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
-		plog("enabling possible NAT-traversal with method %s"
-			 , bitnamesof(natt_type_bitnames, st->nat_traversal));
-	}
-	if (st->nat_traversal & NAT_T_WITH_NATD)
-	{
-		np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
-				ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
-	}
-
-	/**************** build output packet HDR;KE;Ni ****************/
-
-	/* HDR out.
-	 * We can't leave this to comm_handle() because the isa_np
-	 * depends on the type of Auth (eventually).
-	 */
-	echo_hdr(md, FALSE, ISAKMP_NEXT_KE);
-
-	/* KE out */
-	if (!build_and_ship_KE(st, &st->st_gi, st->st_oakley.group
-	, &md->rbody, ISAKMP_NEXT_NONCE))
-	{
-		return STF_INTERNAL_ERROR;
-	}
-
-#ifdef DEBUG
-	/* Ni out */
-	if (!build_and_ship_nonce(&st->st_ni, &md->rbody
-	, (cur_debugging & IMPAIR_BUST_MI2)? ISAKMP_NEXT_VID : np, "Ni"))
-	{
-		return STF_INTERNAL_ERROR;
-	}
-	if (cur_debugging & IMPAIR_BUST_MI2)
-	{
-		/* generate a pointless large VID payload to push message over MTU */
-		pb_stream vid_pbs;
-
-		if (!out_generic(np, &isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		close_output_pbs(&vid_pbs);
-	}
-#else
-	/* Ni out */
-	if (!build_and_ship_nonce(&st->st_ni, &md->rbody, np, "Ni"))
-	{
-		return STF_INTERNAL_ERROR;
-	}
-#endif
-
-	if (st->nat_traversal & NAT_T_WITH_NATD)
-	{
-		if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* finish message */
-	close_message(&md->rbody);
-
-	/* Reinsert the state, using the responder cookie we just received */
-	unhash_state(st);
-	memcpy(st->st_rcookie, md->hdr.isa_rcookie, COOKIE_SIZE);
-	insert_state(st);   /* needs cookies, connection, and msgid (0) */
-
-	return STF_OK;
-}
-
-/* STATE_MAIN_R1:
- * PSK_AUTH, DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
- *
- * The following are not yet implemented:
- * PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
- *          --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
- * RPKE_AUTH:
- *          HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
- *          --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
- */
-stf_status main_inI2_outR2(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	pb_stream *keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
-
-	/* send CR if auth is RSA or ECDSA and no preloaded public key exists*/
-	bool pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
-	bool send_cr = !no_cr_send && pubkey_auth && !has_preloaded_public_key(st);
-
-	u_int8_t np = ISAKMP_NEXT_NONE;
-
-	/* KE in */
-	RETURN_STF_FAILURE(accept_KE(&st->st_gi, "Gi", st->st_oakley.group, keyex_pbs));
-
-	/* Ni in */
-	RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
-
-	if (st->nat_traversal & NAT_T_WITH_NATD)
-	{
-	   nat_traversal_natd_lookup(md);
-
-	   np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
-				ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
-	}
-	if (st->nat_traversal)
-	{
-	   nat_traversal_show_result(st->nat_traversal, md->sender_port);
-	}
-	if (st->nat_traversal & NAT_T_WITH_KA)
-	{
-	   nat_traversal_new_ka_event();
-	}
-
-	/* decode certificate requests */
-	st->st_connection->got_certrequest = FALSE;
-	decode_cr(md, st->st_connection);
-
-	/**************** build output packet HDR;KE;Nr ****************/
-
-	/* HDR out done */
-
-	/* KE out */
-	if (!build_and_ship_KE(st, &st->st_gr, st->st_oakley.group
-	, &md->rbody, ISAKMP_NEXT_NONCE))
-	{
-		return STF_INTERNAL_ERROR;
-	}
-
-#ifdef DEBUG
-	/* Nr out */
-	if (!build_and_ship_nonce(&st->st_nr, &md->rbody,
-	   (cur_debugging & IMPAIR_BUST_MR2)? ISAKMP_NEXT_VID
-		: (send_cr? ISAKMP_NEXT_CR : np), "Nr"))
-	{
-		return STF_INTERNAL_ERROR;
-	}
-	if (cur_debugging & IMPAIR_BUST_MR2)
-	{
-		/* generate a pointless large VID payload to push message over MTU */
-		pb_stream vid_pbs;
-
-		if (!out_generic((send_cr)? ISAKMP_NEXT_CR : np,
-			&isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		close_output_pbs(&vid_pbs);
-	}
-#else
-	/* Nr out */
-	if (!build_and_ship_nonce(&st->st_nr, &md->rbody,
-		(send_cr)? ISAKMP_NEXT_CR : np, "Nr"))
-		return STF_INTERNAL_ERROR;
-#endif
-
-	/* CR out */
-	if (send_cr)
-	{
-		if (st->st_connection->kind == CK_PERMANENT)
-		{
-			identification_t *ca = st->st_connection->spd.that.ca;
-			chunk_t cr = (ca) ? ca->get_encoding(ca) : chunk_empty;
-
-			if (!build_and_ship_CR(CERT_X509_SIGNATURE, cr, &md->rbody, np))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-		else
-		{
-			linked_list_t *list = collect_rw_ca_candidates(md);
-			int count = list->get_count(list);
-			bool error = FALSE;
-
-			if (count)
-			{
-				enumerator_t *enumerator;
-				identification_t *ca;
-
-				enumerator = list->create_enumerator(list);
-				while (enumerator->enumerate(enumerator, &ca))
-				{
-					if (!build_and_ship_CR(CERT_X509_SIGNATURE,
-										   ca->get_encoding(ca), &md->rbody,
-										   --count ? ISAKMP_NEXT_CR : np))
-					{
-						error = TRUE;
-						break;
-					}
-				}
-				enumerator->destroy(enumerator);
-			}
-			else
-			{
-				if (!build_and_ship_CR(CERT_X509_SIGNATURE, chunk_empty,
-									   &md->rbody, np))
-				{
-					error = TRUE;
-				}
-			}
-			list->destroy_offset(list, offsetof(identification_t, destroy));
-			if (error)
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-	}
-
-	if (st->nat_traversal & NAT_T_WITH_NATD)
-	{
-	   if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
-		{
-		   return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* finish message */
-	close_message(&md->rbody);
-
-	/* next message will be encrypted, but not this one.
-	 * We could defer this calculation.
-	 */
-	compute_dh_shared(st, st->st_gi);
-	if (!generate_skeyids_iv(st))
-	{
-		return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
-	}
-	update_iv(st);
-
-	return STF_OK;
-}
-
-/* STATE_MAIN_I2:
- * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
- * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
- *
- * The following are not yet implemented.
- * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
- *          --> HDR*, HASH_I
- * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
- *          --> HDR*, HASH_I
- */
-stf_status main_inR2_outI3(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
-	pb_stream id_pbs;   /* ID Payload; also used for hash calculation */
-
-	connection_t *c = st->st_connection;
-	certpolicy_t cert_policy = c->spd.this.sendcert;
-	cert_t *mycert = c->spd.this.cert;
-	bool requested, send_cert, send_cr;
-	bool pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
-
-	int auth_payload = pubkey_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
-
-	/* KE in */
-	RETURN_STF_FAILURE(accept_KE(&st->st_gr, "Gr", st->st_oakley.group, keyex_pbs));
-
-	/* Nr in */
-	RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
-
-	/* decode certificate requests */
-	c->got_certrequest = FALSE;
-	decode_cr(md, c);
-
-	/* free collected certificate requests since as initiator
-	 * we don't heed them anyway
-	 */
-	if (c->requested_ca)
-	{
-		c->requested_ca->destroy_offset(c->requested_ca,
-								 offsetof(identification_t, destroy));
-		c->requested_ca = NULL;
-	}
-
-	/* send certificate if auth is RSA, we have one and we want
-	 * or are requested to send it
-	 */
-	requested = cert_policy == CERT_SEND_IF_ASKED && c->got_certrequest;
-	send_cert = pubkey_auth && mycert &&
-				mycert->cert->get_type(mycert->cert) == CERT_X509 &&
-				(cert_policy == CERT_ALWAYS_SEND || requested);
-
-	/* send certificate request if we don't have a preloaded RSA public key */
-	send_cr = !no_cr_send && send_cert && !has_preloaded_public_key(st);
-
-	/* done parsing; initialize crypto  */
-	compute_dh_shared(st, st->st_gr);
-	if (!generate_skeyids_iv(st))
-	{
-		return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
-	}
-	if (st->nat_traversal & NAT_T_WITH_NATD)
-	{
-		nat_traversal_natd_lookup(md);
-	}
-	if (st->nat_traversal)
-	{
-		nat_traversal_show_result(st->nat_traversal, md->sender_port);
-	}
-	if (st->nat_traversal & NAT_T_WITH_KA)
-	{
-		nat_traversal_new_ka_event();
-	}
-
-	/*************** build output packet HDR*;IDii;HASH/SIG_I ***************/
-	/* ??? NOTE: this is almost the same as main_inI3_outR3's code */
-
-	/* HDR* out done */
-
-	/* IDii out */
-	{
-		struct isakmp_ipsec_id id_hd;
-		chunk_t id_b;
-
-		build_id_payload(&id_hd, &id_b, &c->spd.this);
-		id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
-		if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &id_pbs)
-		|| !out_chunk(id_b, &id_pbs, "my identity"))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		close_output_pbs(&id_pbs);
-	}
-
-	/* CERT out */
-	if (pubkey_auth)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("our certificate policy is %N", cert_policy_names, cert_policy)
-		)
-		if (mycert && mycert->cert->get_type(mycert->cert) == CERT_X509)
-		{
-			const char *request_text = "";
-
-			if (cert_policy == CERT_SEND_IF_ASKED)
-			{
-				request_text = (send_cert)? "upon request":"without request";
-			}
-			plog("we have a cert %s sending it %s"
-				, send_cert? "and are":"but are not", request_text);
-		}
-		else
-		{
-			plog("we don't have a cert");
-		}
-	}
-	if (send_cert)
-	{
-		bool success = FALSE;
-		chunk_t cert_encoding;
-		pb_stream cert_pbs;
-
-		struct isakmp_cert cert_hd;
-		cert_hd.isacert_np = (send_cr)? ISAKMP_NEXT_CR : ISAKMP_NEXT_SIG;
-		cert_hd.isacert_type = CERT_X509_SIGNATURE;
-
-		if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
-									   &cert_encoding))
-		{
-			success = out_chunk(cert_encoding, &cert_pbs, "CERT");
-			free(cert_encoding.ptr);
-		}
-		if (!success)
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		close_output_pbs(&cert_pbs);
-	}
-
-	/* CR out */
-	if (send_cr)
-	{
-		identification_t *ca = st->st_connection->spd.that.ca;
-		chunk_t cr = (ca) ? ca->get_encoding(ca) : chunk_empty;
-
-		if (!build_and_ship_CR(CERT_X509_SIGNATURE, cr, &md->rbody, ISAKMP_NEXT_SIG))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-   /* HASH_I or SIG_I out */
-	{
-		chunk_t hash = chunk_alloca(MAX_DIGEST_LEN);
-
-		main_mode_hash(st, &hash, TRUE, &id_pbs);
-
-		if (auth_payload == ISAKMP_NEXT_HASH)
-		{
-			/* HASH_I out */
-			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody,
-								 hash.ptr, hash.len, "HASH_I"))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-		else
-		{
-			/* SIG_I out */
-			u_char sig_val[RSA_MAX_OCTETS];
-			signature_scheme_t scheme;
-			size_t sig_len;
-
-			scheme = oakley_to_signature_scheme(st->st_oakley.auth);
-
-			sig_len = sign_hash(scheme, c, sig_val, hash);
-			if (sig_len == 0)
-			{
-				loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
-				return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
-			}
-
-			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
-			, &md->rbody, sig_val, sig_len, "SIG_I"))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-	}
-
-	/* encrypt message, except for fixed part of header */
-
-	/* st_new_iv was computed by generate_skeyids_iv */
-	if (!encrypt_message(&md->rbody, st))
-	{
-		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
-	}
-	return STF_OK;
-}
-
-/* Shared logic for asynchronous lookup of DNS KEY records.
- * Used for STATE_MAIN_R2 and STATE_MAIN_I3.
- */
-
-enum key_oppo_step {
-	kos_null,
-	kos_his_txt
-#ifdef USE_KEYRR
-	, kos_his_key
-#endif
-};
-
-struct key_continuation {
-	struct adns_continuation ac;        /* common prefix */
-	struct msg_digest *md;
-	enum   key_oppo_step step;
-	bool                 failure_ok;
-	err_t                last_ugh;
-};
-
-typedef stf_status (key_tail_fn)(struct msg_digest *md
-								  , struct key_continuation *kc);
-
-static void report_key_dns_failure(identification_t *id, err_t ugh)
-{
-	loglog(RC_LOG_SERIOUS, "no RSA public key known for '%Y'"
-		"; DNS search for KEY failed (%s)", id, ugh);
-}
-
-
-/* Processs the Main Mode ID Payload and the Authenticator
- * (Hash or Signature Payload).
- * If a DNS query is still needed to get the other host's public key,
- * the query is initiated and STF_SUSPEND is returned.
- * Note: parameter kc is a continuation containing the results from
- * the previous DNS query, or NULL indicating no query has been issued.
- */
-static stf_status
-main_id_and_auth(struct msg_digest *md
-				 , bool initiator       /* are we the Initiator? */
-				 , cont_fn_t cont_fn    /* continuation function */
-				 , const struct key_continuation *kc    /* current state, can be NULL */
-)
-{
-	chunk_t hash = chunk_alloca(MAX_DIGEST_LEN);
-	struct state *st = md->st;
-	identification_t *peer;
-	stf_status r = STF_OK;
-
-	/* ID Payload in */
-	if (!decode_peer_id(md, &peer))
-	{
-		return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-	}
-
-	/* Hash the ID Payload.
-	 * main_mode_hash requires idpl->cur to be at end of payload
-	 * so we temporarily set if so.
-	 */
-	{
-		pb_stream *idpl = &md->chain[ISAKMP_NEXT_ID]->pbs;
-		u_int8_t *old_cur = idpl->cur;
-
-		idpl->cur = idpl->roof;
-		main_mode_hash(st, &hash, !initiator, idpl);
-		idpl->cur = old_cur;
-	}
-
-	switch (st->st_oakley.auth)
-	{
-	case OAKLEY_PRESHARED_KEY:
-	case XAUTHInitPreShared:
-	case XAUTHRespPreShared:
-		{
-			pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs;
-
-			if (pbs_left(hash_pbs) != hash.len
-			|| memcmp(hash_pbs->cur, hash.ptr, hash.len) != 0)
-			{
-				DBG_cond_dump(DBG_CRYPT, "received HASH:"
-					, hash_pbs->cur, pbs_left(hash_pbs));
-				loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value");
-				/* XXX Could send notification back */
-				r = STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION;
-			}
-		}
-		break;
-
-	case OAKLEY_RSA_SIG:
-	case XAUTHInitRSA:
-	case XAUTHRespRSA:
-		r = check_signature(KEY_RSA, peer, st, hash,
-							&md->chain[ISAKMP_NEXT_SIG]->pbs,
-#ifdef USE_KEYRR
-							kc == NULL ? NULL : kc->ac.keys_from_dns,
-#endif /* USE_KEYRR */
-							kc == NULL ? NULL : kc->ac.gateways_from_dns
-			);
-
-		if (r == STF_SUSPEND)
-		{
-			err_t ugh = NULL;
-#ifdef ADNS
-			/* initiate/resume asynchronous DNS lookup for key */
-			struct key_continuation *nkc = malloc_thing(struct key_continuation);
-			enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
-
-			/* Record that state is used by a suspended md */
-			passert(st->st_suspended_md == NULL);
-			st->st_suspended_md = md;
-
-			nkc->failure_ok = FALSE;
-			nkc->md = md;
-
-			switch (step_done)
-			{
-			case kos_null:
-				/* first try: look for the TXT records */
-				nkc->step = kos_his_txt;
-#ifdef USE_KEYRR
-				nkc->failure_ok = TRUE;
-#endif
-				ugh = start_adns_query(peer, peer, T_TXT, cont_fn, &nkc->ac);
-				break;
-
-#ifdef USE_KEYRR
-			case kos_his_txt:
-				/* second try: look for the KEY records */
-				nkc->step = kos_his_key;
-				ugh = start_adns_query(peer, NULL, T_KEY, cont_fn, &nkc->ac);
-				break;
-#endif /* USE_KEYRR */
-
-			default:
-				bad_case(step_done);
-			}
-#else /* ADNS */
-			ugh = "adns not supported";
-#endif /* ADNS */
-			if (ugh != NULL)
-			{
-				report_key_dns_failure(peer, ugh);
-				st->st_suspended_md = NULL;
-				r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
-			}
-		}
-		break;
-
-	case OAKLEY_ECDSA_256:
-	case OAKLEY_ECDSA_384:
-	case OAKLEY_ECDSA_521:
-		r = check_signature(KEY_ECDSA, peer, st, hash,
-							&md->chain[ISAKMP_NEXT_SIG]->pbs,
-#ifdef USE_KEYRR
-							NULL,
-#endif /* USE_KEYRR */
-							NULL);
-		break;
-
-	default:
-		bad_case(st->st_oakley.auth);
-	}
-	if (r != STF_OK)
-	{
-		peer->destroy(peer);
-		return r;
-	}
-	DBG(DBG_CRYPT, DBG_log("authentication succeeded"));
-
-	/*
-	 * With the peer ID known, let's see if we need to switch connections.
-	 */
-	if (!switch_connection(md, peer, initiator))
-	{
-		r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-	}
-	peer->destroy(peer);
-	return r;
-}
-
-/* This continuation is called as part of either
- * the main_inI3_outR3 state or main_inR3 state.
- *
- * The "tail" function is the corresponding tail
- * function main_inI3_outR3_tail | main_inR3_tail,
- * either directly when the state is started, or via
- * adns continuation.
- *
- * Basically, we go around in a circle:
- *   main_in?3* -> key_continue
- *                ^            \
- *               /              V
- *             adns            main_in?3*_tail
- *              ^               |
- *               \              V
- *                main_id_and_auth
- *
- * until such time as main_id_and_auth is able
- * to find authentication, or we run out of things
- * to try.
- */
-static void key_continue(struct adns_continuation *cr, err_t ugh,
-						 key_tail_fn *tail)
-{
-	struct key_continuation *kc = (void *)cr;
-	struct state *st = kc->md->st;
-
-	passert(cur_state == NULL);
-
-	/* if st == NULL, our state has been deleted -- just clean up */
-	if (st != NULL)
-	{
-		stf_status r;
-
-		passert(st->st_suspended_md == kc->md);
-		st->st_suspended_md = NULL;     /* no longer connected or suspended */
-		cur_state = st;
-
-		if (!kc->failure_ok && ugh != NULL)
-		{
-			report_key_dns_failure(st->st_connection->spd.that.id, ugh);
-			r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
-		}
-		else
-		{
-
-#ifdef USE_KEYRR
-			passert(kc->step == kos_his_txt || kc->step == kos_his_key);
-#else
-			passert(kc->step == kos_his_txt);
-#endif
-			kc->last_ugh = ugh; /* record previous error in case we need it */
-			r = (*tail)(kc->md, kc);
-		}
-		complete_state_transition(&kc->md, r);
-	}
-	if (kc->md != NULL)
-	{
-		release_md(kc->md);
-	}
-	cur_state = NULL;
-}
-
-/* STATE_MAIN_R2:
- * PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
- * DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
- * PKE_AUTH, RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
- *
- * Broken into parts to allow asynchronous DNS lookup.
- *
- * - main_inI3_outR3 to start
- * - main_inI3_outR3_tail to finish or suspend for DNS lookup
- * - main_inI3_outR3_continue to start main_inI3_outR3_tail again
- */
-static key_tail_fn main_inI3_outR3_tail;        /* forward */
-
-stf_status main_inI3_outR3(struct msg_digest *md)
-{
-	return main_inI3_outR3_tail(md, NULL);
-}
-
-static void main_inI3_outR3_continue(struct adns_continuation *cr, err_t ugh)
-{
-	key_continue(cr, ugh, main_inI3_outR3_tail);
-}
-
-static stf_status
-main_inI3_outR3_tail(struct msg_digest *md
-, struct key_continuation *kc)
-{
-	struct state *const st = md->st;
-	u_int8_t auth_payload;
-	pb_stream r_id_pbs; /* ID Payload; also used for hash calculation */
-	certpolicy_t cert_policy;
-	cert_t *mycert;
-	bool pubkey_auth, send_cert, requested;
-
-	/* ID and HASH_I or SIG_I in
-	 * Note: this may switch the connection being used!
-	 */
-	{
-		stf_status r = main_id_and_auth(md, FALSE
-										, main_inI3_outR3_continue
-										, kc);
-
-		if (r != STF_OK)
-		{
-			return r;
-		}
-	}
-
-	/* send certificate if pubkey authentication is used, we have one
-	 * and we want or are requested to send it
-	 */
-	cert_policy = st->st_connection->spd.this.sendcert;
-	mycert = st->st_connection->spd.this.cert;
-	requested = cert_policy == CERT_SEND_IF_ASKED
-				&& st->st_connection->got_certrequest;
-	pubkey_auth = uses_pubkey_auth(st->st_oakley.auth);
-	send_cert = pubkey_auth	&& mycert &&
-				mycert->cert->get_type(mycert->cert) == CERT_X509 &&
-				(cert_policy == CERT_ALWAYS_SEND || requested);
-
-	/*************** build output packet HDR*;IDir;HASH/SIG_R ***************/
-	/* proccess_packet() would automatically generate the HDR*
-	 * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
-	 * We don't do this because we wish there to be no partially
-	 * built output packet if we need to suspend for asynch DNS.
-	 */
-	/* ??? NOTE: this is almost the same as main_inR2_outI3's code */
-
-	/* HDR* out
-	 * If auth were PKE_AUTH or RPKE_AUTH, ISAKMP_NEXT_HASH would
-	 * be first payload.
-	 */
-	echo_hdr(md, TRUE, ISAKMP_NEXT_ID);
-
-	auth_payload = pubkey_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
-
-	/* IDir out */
-	{
-		/* id_hd should be struct isakmp_id, but struct isakmp_ipsec_id
-		 * allows build_id_payload() to work for both phases.
-		 */
-		struct isakmp_ipsec_id id_hd;
-		chunk_t id_b;
-
-		build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
-		id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
-		if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &r_id_pbs)
-		|| !out_chunk(id_b, &r_id_pbs, "my identity"))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		close_output_pbs(&r_id_pbs);
-	}
-
-	/* CERT out */
-	if (pubkey_auth)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("our certificate policy is %N", cert_policy_names, cert_policy)
-		)
-		if (mycert && mycert->cert->get_type(mycert->cert) == CERT_X509)
-		{
-			const char *request_text = "";
-
-			if (cert_policy == CERT_SEND_IF_ASKED)
-			{
-				request_text = (send_cert)? "upon request":"without request";
-			}
-			plog("we have a cert %s sending it %s"
-				, send_cert? "and are":"but are not", request_text);
-		}
-		else
-		{
-			plog("we don't have a cert");
-		}
-	}
-	if (send_cert)
-	{
-		bool success = FALSE;
-		chunk_t cert_encoding;
-		pb_stream cert_pbs;
-		struct isakmp_cert cert_hd;
-
-		cert_hd.isacert_np = ISAKMP_NEXT_SIG;
-		cert_hd.isacert_type = CERT_X509_SIGNATURE;
-
-		if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
-									   &cert_encoding))
-		{
-			success = out_chunk(cert_encoding, &cert_pbs, "CERT");
-			free(cert_encoding.ptr);
-		}
-		if (!success)
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		close_output_pbs(&cert_pbs);
-	}
-
-	/* HASH_R or SIG_R out */
-	{
-		chunk_t hash = chunk_alloca(MAX_DIGEST_LEN);
-
-		main_mode_hash(st, &hash, FALSE, &r_id_pbs);
-
-		if (auth_payload == ISAKMP_NEXT_HASH)
-		{
-			/* HASH_R out */
-			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody,
-								 hash.ptr, hash.len, "HASH_R"))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-		else
-		{
-			/* SIG_R out */
-			u_char sig_val[RSA_MAX_OCTETS];
-			signature_scheme_t scheme;
-			size_t sig_len;
-
-			scheme = oakley_to_signature_scheme(st->st_oakley.auth);
-
-			sig_len = sign_hash(scheme, st->st_connection, sig_val, hash);
-			if (sig_len == 0)
-			{
-				loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
-				return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
-			}
-
-			if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
-			, &md->rbody, sig_val, sig_len, "SIG_R"))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-	}
-
-	/* encrypt message, sans fixed part of header */
-
-	if (!encrypt_message(&md->rbody, st))
-	{
-		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
-	}
-
-	/* Last block of Phase 1 (R3), kept for Phase 2 IV generation */
-	DBG_cond_dump(DBG_CRYPT, "last encrypted block of Phase 1:"
-		, st->st_new_iv, st->st_new_iv_len);
-
-	ISAKMP_SA_established(st->st_connection, st->st_serialno);
-
-	/* Save Phase 1 IV */
-	st->st_ph1_iv_len = st->st_new_iv_len;
-	set_ph1_iv(st, st->st_new_iv);
-
-	return STF_OK;
-}
-
-/* STATE_MAIN_I3:
- * Handle HDR*;IDir;HASH/SIG_R from responder.
- *
- * Broken into parts to allow asynchronous DNS for KEY records.
- *
- * - main_inR3 to start
- * - main_inR3_tail to finish or suspend for DNS lookup
- * - main_inR3_continue to start main_inR3_tail again
- */
-
-static key_tail_fn main_inR3_tail;      /* forward */
-
-stf_status main_inR3(struct msg_digest *md)
-{
-	return main_inR3_tail(md, NULL);
-}
-
-static void main_inR3_continue(struct adns_continuation *cr, err_t ugh)
-{
-	key_continue(cr, ugh, main_inR3_tail);
-}
-
-static stf_status main_inR3_tail(struct msg_digest *md,
-								 struct key_continuation *kc)
-{
-	struct state *const st = md->st;
-
-	/* ID and HASH_R or SIG_R in
-	 * Note: this may switch the connection being used!
-	 */
-	{
-		stf_status r = main_id_and_auth(md, TRUE, main_inR3_continue, kc);
-
-		if (r != STF_OK)
-		{
-			return r;
-		}
-	}
-
-	/**************** done input ****************/
-
-	ISAKMP_SA_established(st->st_connection, st->st_serialno);
-
-	/* Save Phase 1 IV */
-	st->st_ph1_iv_len = st->st_new_iv_len;
-	set_ph1_iv(st, st->st_new_iv);
-
-
-	update_iv(st);      /* finalize our Phase 1 IV */
-
-	return STF_OK;
-}
-
-/* Handle first message of Phase 2 -- Quick Mode.
- * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
- * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
- * (see RFC 2409 "IKE" 5.5)
- * Installs inbound IPsec SAs.
- * Although this seems early, we know enough to do so, and
- * this way we know that it is soon enough to catch all
- * packets that other side could send using this IPsec SA.
- *
- * Broken into parts to allow asynchronous DNS for TXT records:
- *
- * - quick_inI1_outR1 starts the ball rolling.
- *   It checks and parses enough to learn the Phase 2 IDs
- *
- * - quick_inI1_outR1_tail does the rest of the job
- *   unless DNS must be consulted.  In that case,
- *   it starts a DNS query, salts away what is needed
- *   to continue, and suspends.  Calls
- *   + quick_inI1_outR1_start_query
- *   + quick_inI1_outR1_process_answer
- *
- * - quick_inI1_outR1_continue will restart quick_inI1_outR1_tail
- *   when DNS comes back with an answer.
- *
- * A big chunk of quick_inI1_outR1_tail is executed twice.
- * This is necessary because the set of connections
- * might change while we are awaiting DNS.
- * When first called, gateways_from_dns == NULL.  If DNS is
- * consulted asynchronously, gateways_from_dns != NULL the second time.
- * Remember that our state object might disappear too!
- *
- *
- * If the connection is opportunistic, we must verify delegation.
- *
- * 1. Check that we are authorized to be SG for
- *    our client.  We look for the TXT record that
- *    delegates us.  We also check that the public
- *    key (if present) matches the private key we used.
- *    Eventually, we should probably require DNSsec
- *    authentication for our side.
- *
- * 2. If our client TXT record did not include a
- *    public key, check the KEY record indicated
- *    by the identity in the TXT record.
- *
- * 3. If the peer's client is the peer itself, we
- *    consider it authenticated.  Otherwise, we check
- *    the TXT record for the client to see that
- *    the identity of the SG matches the peer and
- *    that some public key (if present in the TXT)
- *    matches.  We need not check the public key if
- *    it isn't in the TXT record.
- *
- * Since p isn't yet instantiated, we need to look
- * in c for description of peer.
- *
- * We cannot afford to block waiting for a DNS query.
- * The code here is structured as two halves:
- * - process the result of just completed
- *   DNS query (if any)
- * - if another query is needed, initiate the next
- *   DNS query and suspend
- */
-
-enum verify_oppo_step {
-	vos_fail,
-	vos_start,
-	vos_our_client,
-	vos_our_txt,
-#ifdef USE_KEYRR
-	vos_our_key,
-#endif /* USE_KEYRR */
-	vos_his_client,
-	vos_done
-};
-
-static const char *const verify_step_name[] = {
-  "vos_fail",
-  "vos_start",
-  "vos_our_client",
-  "vos_our_txt",
-#ifdef USE_KEYRR
-  "vos_our_key",
-#endif /* USE_KEYRR */
-  "vos_his_client",
-  "vos_done"
-};
-
-/* hold anything we can handle of a Phase 2 ID */
-struct p2id {
-	ip_subnet net;
-	u_int8_t proto;
-	u_int16_t port;
-};
-
-struct verify_oppo_bundle {
-	enum verify_oppo_step step;
-	bool failure_ok;      /* if true, quick_inI1_outR1_continue will try
-						   * other things on DNS failure */
-	struct msg_digest *md;
-	struct p2id my, his;
-	unsigned int new_iv_len;    /* p1st's might change */
-	u_char new_iv[MAX_DIGEST_LEN];
-	/* int whackfd; */  /* not needed because we are Responder */
-};
-
-struct verify_oppo_continuation {
-	struct adns_continuation ac;        /* common prefix */
-	struct verify_oppo_bundle b;
-};
-
-static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b
-	, struct adns_continuation *ac);
-
-stf_status quick_inI1_outR1(struct msg_digest *md)
-{
-	const struct state *const p1st = md->st;
-	connection_t *c = p1st->st_connection;
-	struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
-	struct verify_oppo_bundle b;
-
-	/* HASH(1) in */
-	CHECK_QUICK_HASH(md
-		, quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
-			, p1st, &md->hdr.isa_msgid, FALSE)
-		, "HASH(1)", "Quick I1");
-
-	/* [ IDci, IDcr ] in
-	 * We do this now (probably out of physical order) because
-	 * we wish to select the correct connection before we consult
-	 * it for policy.
-	 */
-
-	if (id_pd != NULL)
-	{
-		/* ??? we are assuming IPSEC_DOI */
-
-		/* IDci (initiator is peer) */
-
-		if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
-		, &b.his.net, "peer client"))
-		{
-			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-		}
-
-		/* Hack for MS 818043 NAT-T Update */
-
-		if (id_pd->payload.ipsec_id.isaiid_idtype == ID_FQDN)
-		{
-			happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
-		}
-
-		/* End Hack for MS 818043 NAT-T Update */
-
-		b.his.proto = id_pd->payload.ipsec_id.isaiid_protoid;
-		b.his.port = id_pd->payload.ipsec_id.isaiid_port;
-		b.his.net.addr.u.v4.sin_port = htons(b.his.port);
-
-		/* IDcr (we are responder) */
-
-		if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
-		, &b.my.net, "our client"))
-		{
-			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-		}
-		b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
-		b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
-		b.my.net.addr.u.v4.sin_port = htons(b.my.port);
-	}
-	else
-	{
-		/* implicit IDci and IDcr: peer and self */
-		if (!sameaddrtype(&c->spd.this.host_addr, &c->spd.that.host_addr))
-		{
-			return STF_FAIL;
-		}
-		happy(addrtosubnet(&c->spd.this.host_addr, &b.my.net));
-		happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
-		b.his.proto = b.my.proto = 0;
-		b.his.port = b.my.port = 0;
-	}
-	b.step = vos_start;
-	b.md = md;
-	b.new_iv_len = p1st->st_new_iv_len;
-	memcpy(b.new_iv, p1st->st_new_iv, p1st->st_new_iv_len);
-	return quick_inI1_outR1_tail(&b, NULL);
-}
-
-#ifdef ADNS
-
-static void
-report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
-{
-	struct state *st = b->md->st;
-	char fgwb[ADDRTOT_BUF]
-		, cb[ADDRTOT_BUF];
-	ip_address client;
-	err_t which = NULL;
-
-	switch (b->step)
-	{
-	case vos_our_client:
-	case vos_our_txt:
-#ifdef USE_KEYRR
-	case vos_our_key:
-#endif /* USE_KEYRR */
-		which = "our";
-		networkof(&b->my.net, &client);
-		break;
-
-	case vos_his_client:
-		which = "his";
-		networkof(&b->his.net, &client);
-		break;
-
-	case vos_start:
-	case vos_done:
-	case vos_fail:
-	default:
-		bad_case(b->step);
-	}
-
-	addrtot(&st->st_connection->spd.that.host_addr, 0, fgwb, sizeof(fgwb));
-	addrtot(&client, 0, cb, sizeof(cb));
-	loglog(RC_OPPOFAILURE
-		, "gateway %s wants connection with %s as %s client, but DNS fails to confirm delegation: %s"
-		, fgwb, cb, which, ugh);
-}
-
-static void quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh)
-{
-	stf_status r;
-	struct verify_oppo_continuation *vc = (void *)cr;
-	struct verify_oppo_bundle *b = &vc->b;
-	struct state *st = b->md->st;
-
-	passert(cur_state == NULL);
-	/* if st == NULL, our state has been deleted -- just clean up */
-	if (st != NULL)
-	{
-		passert(st->st_suspended_md == b->md);
-		st->st_suspended_md = NULL;     /* no longer connected or suspended */
-		cur_state = st;
-		if (!b->failure_ok && ugh != NULL)
-		{
-			report_verify_failure(b, ugh);
-			r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-		}
-		else
-		{
-			r = quick_inI1_outR1_tail(b, cr);
-		}
-		complete_state_transition(&b->md, r);
-	}
-	if (b->md != NULL)
-	{
-		release_md(b->md);
-	}
-	cur_state = NULL;
-}
-
-static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b,
-											   enum verify_oppo_step next_step)
-{
-	struct msg_digest *md = b->md;
-	struct state *p1st = md->st;
-	connection_t *c = p1st->st_connection;
-	struct verify_oppo_continuation *vc = malloc_thing(struct verify_oppo_continuation);
-	identification_t *id;           /* subject of query */
-	identification_t *our_id;       /* needed for myid playing */
-	identification_t *our_id_space; /* ephemeral: no need for unshare_id_content */
-	ip_address client;
-	err_t ugh = NULL;
-
-	/* Record that state is used by a suspended md */
-	b->step = next_step;    /* not just vc->b.step */
-	vc->b = *b;
-	passert(p1st->st_suspended_md == NULL);
-	p1st->st_suspended_md = b->md;
-
-	DBG(DBG_CONTROL,
-		{
-			char ours[SUBNETTOT_BUF];
-			char his[SUBNETTOT_BUF];
-
-			subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
-			subnettot(&c->spd.that.client, 0, his, sizeof(his));
-
-			DBG_log("responding with DNS query - from %s to %s new state: %s"
-					, ours, his, verify_step_name[b->step]);
-		});
-
-	/* Resolve %myid in a cheesy way.
-	 * We have to do the resolution because start_adns_query
-	 * et al have insufficient information to do so.
-	 * If %myid is already known, we'll use that value
-	 * (XXX this may be a mistake: it could be stale).
-	 * If %myid is unknown, we should check to see if
-	 * there are credentials for the IP address or the FQDN.
-	 * Instead, we'll just assume the IP address since we are
-	 * acting as the responder and only the IP address would
-	 * have gotten it to us.
-	 * We don't even try to do this for the other side:
-	 * %myid makes no sense for the other side (but it is syntactically
-	 * legal).
-	 */
-	our_id = resolve_myid(c->spd.this.id);
-	if (our_id->get_type(our_id) == ID_ANY)
-	{
-		our_id_space = identification_create_from_sockaddr((sockaddr_t*)&c->spd.this.host_addr);
-		our_id = our_id_space;
-	}
-
-	switch (next_step)
-	{
-	case vos_our_client:
-		networkof(&b->my.net, &client);
-		id = identification_create_from_sockaddr((sockaddr_t*)&client);
-		vc->b.failure_ok = b->failure_ok = FALSE;
-		ugh = start_adns_query(id
-			, our_id
-			, T_TXT
-			, quick_inI1_outR1_continue
-			, &vc->ac);
-		break;
-
-	case vos_our_txt:
-		vc->b.failure_ok = b->failure_ok = TRUE;
-		ugh = start_adns_query(our_id
-			, our_id    /* self as SG */
-			, T_TXT
-			, quick_inI1_outR1_continue
-			, &vc->ac);
-		break;
-
-#ifdef USE_KEYRR
-	case vos_our_key:
-		vc->b.failure_ok = b->failure_ok = FALSE;
-		ugh = start_adns_query(our_id
-			, NULL
-			, T_KEY
-			, quick_inI1_outR1_continue
-			, &vc->ac);
-		break;
-#endif
-
-	case vos_his_client:
-		networkof(&b->his.net, &client);
-		id = identification_create_from_sockaddr((sockaddr_t*)&client);
-		vc->b.failure_ok = b->failure_ok = FALSE;
-		ugh = start_adns_query(id
-			, c->spd.that.id
-			, T_TXT
-			, quick_inI1_outR1_continue
-			, &vc->ac);
-		break;
-
-	default:
-		bad_case(next_step);
-	}
-
-	if (ugh != NULL)
-	{
-		/* note: we'd like to use vc->b but vc has been freed
-		 * so we have to use b.  This is why we plunked next_state
-		 * into b, not just vc->b.
-		 */
-		report_verify_failure(b, ugh);
-		p1st->st_suspended_md = NULL;
-		return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-	}
-	else
-	{
-		return STF_SUSPEND;
-	}
-}
-
-static enum verify_oppo_step quick_inI1_outR1_process_answer(
-										struct verify_oppo_bundle *b,
-										struct adns_continuation *ac,
-										struct state *p1st)
-{
-	connection_t *c = p1st->st_connection;
-	enum verify_oppo_step next_step = vos_our_client;
-	err_t ugh = NULL;
-
-	DBG(DBG_CONTROL,
-		{
-			char ours[SUBNETTOT_BUF];
-			char his[SUBNETTOT_BUF];
-
-			subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
-			subnettot(&c->spd.that.client, 0, his, sizeof(his));
-			DBG_log("responding on demand from %s to %s state: %s"
-					, ours, his, verify_step_name[b->step]);
-		});
-
-	/* process just completed DNS query (if any) */
-	switch (b->step)
-	{
-	case vos_start:
-		/* no query to digest */
-		next_step = vos_our_client;
-		break;
-
-	case vos_our_client:
-		next_step = vos_his_client;
-		{
-			private_key_t *private = get_private_key(c);
-			struct gw_info *gwp;
-
-			if (private == NULL)
-			{
-				ugh = "we don't know our own key";
-				break;
-			}
-			ugh = "our client does not delegate us as its Security Gateway";
-			for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-			{
-				ugh = "our client delegates us as its Security Gateway but with the wrong public key";
-				/* If there is no key in the TXT record,
-				 * we count it as a win, but we will have
-				 * to separately fetch and check the KEY record.
-				 * If there is a key from the TXT record,
-				 * we count it as a win if we match the key.
-				 */
-				if (!gwp->gw_key_present)
-				{
-					next_step = vos_our_txt;
-					ugh = NULL; /* good! */
-					break;
-				}
-				else if (private->belongs_to(private, gwp->key->public_key))
-				{
-					ugh = NULL; /* good! */
-					break;
-				}
-			}
-		}
-		break;
-
-	case vos_our_txt:
-		next_step = vos_his_client;
-		{
-			private_key_t *private = get_private_key(c);
-
-			if (private == NULL)
-			{
-				ugh = "we don't know our own key";
-				break;
-			}
-			{
-				struct gw_info *gwp;
-
-				for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-				{
-#ifdef USE_KEYRR
-					/* not an error yet, because we have to check KEY RR as well */
-					ugh = NULL;
-#else
-					ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
-#endif
-					if (gwp->gw_key_present
-					&& private->belongs_to(private, gwp->key->public_key))
-					{
-						ugh = NULL;     /* good! */
-						break;
-					}
-#ifdef USE_KEYRR
-					next_step = vos_our_key;
-#endif
-				}
-			}
-		}
-		break;
-
-#ifdef USE_KEYRR
-	case vos_our_key:
-		next_step = vos_his_client;
-		{
-			private_key_t *private = get_private_key(c);
-
-			if (private == NULL)
-			{
-				ugh = "we don't know our own key";
-				break;
-			}
-			{
-				pubkey_list_t *kp;
-
-				ugh = "our client delegation depends on our missing " RRNAME " record";
-				for (kp = ac->keys_from_dns; kp != NULL; kp = kp->next)
-				{
-					ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
-					if (private->belongs_to(private, kp->key->public_key))
-					{
-						/* do this only once a day */
-						if (!logged_txt_warning)
-						{
-							loglog(RC_LOG_SERIOUS, "found KEY RR but not TXT RR. See http://www.freeswan.org/err/txt-change.html.");
-							logged_txt_warning = TRUE;
-						}
-						ugh = NULL;     /* good! */
-						break;
-					}
-				}
-			}
-		}
-		break;
-#endif /* USE_KEYRR */
-
-	case vos_his_client:
-		next_step = vos_done;
-		{
-			public_key_t *pub_key;
-			struct gw_info *gwp;
-
-			/* check that the public key that authenticated
-			 * the ISAKMP SA (p1st) will do for this gateway.
-			 */
-			pub_key = p1st->st_peer_pubkey->public_key;
-
-			ugh = "peer's client does not delegate to peer";
-			for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
-			{
-				ugh = "peer and its client disagree about public key";
-				/* If there is a key from the TXT record,
-				 * we count it as a win if we match the key.
-				 * If there was no key, we claim a match since
-				 * it implies fetching a KEY from the same
-				 * place we must have gotten it.
-				 */
-				if (!gwp->gw_key_present ||
-					pub_key->equals(pub_key, gwp->key->public_key))
-				{
-					ugh = NULL; /* good! */
-					break;
-				}
-			}
-		}
-		break;
-
-	default:
-		bad_case(b->step);
-	}
-
-	if (ugh != NULL)
-	{
-		report_verify_failure(b, ugh);
-		next_step = vos_fail;
-	}
-	return next_step;
-}
-
-#endif /* ADNS */
-
-static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
-										struct adns_continuation *ac)
-{
-	struct msg_digest *md = b->md;
-	struct state *const p1st = md->st;
-	connection_t *c = p1st->st_connection;
-	struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
-	ip_subnet *our_net = &b->my.net
-		, *his_net = &b->his.net;
-
-	u_char      /* set by START_HASH_PAYLOAD: */
-		*r_hashval,     /* where in reply to jam hash value */
-		*r_hash_start;  /* from where to start hashing */
-
-	/* Now that we have identities of client subnets, we must look for
-	 * a suitable connection (our current one only matches for hosts).
-	 */
-	{
-		connection_t *p = find_client_connection(c
-			, our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);
-
-		if (p == NULL)
-		{
-			/* This message occurs in very puzzling circumstances
-			 * so we must add as much information and beauty as we can.
-			 */
-			struct end
-				me = c->spd.this,
-				he = c->spd.that;
-			char buf[2*SUBNETTOT_BUF + 2*ADDRTOT_BUF + 2*BUF_LEN + 2*ADDRTOT_BUF + 12]; /* + 12 for separating */
-			size_t l;
-
-			me.client = *our_net;
-			me.has_client = !subnetisaddr(our_net, &me.host_addr);
-			me.protocol = b->my.proto;
-			me.port = b->my.port;
-
-			he.client = *his_net;
-			he.has_client = !subnetisaddr(his_net, &he.host_addr);
-			he.protocol = b->his.proto;
-			he.port = b->his.port;
-
-			l = format_end(buf, sizeof(buf), &me, NULL, TRUE, LEMPTY);
-			l += snprintf(buf + l, sizeof(buf) - l, "...");
-			(void)format_end(buf + l, sizeof(buf) - l, &he, NULL, FALSE, LEMPTY);
-			plog("cannot respond to IPsec SA request"
-				" because no connection is known for %s"
-				, buf);
-			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-		}
-		else if (p != c)
-		{
-			/* We've got a better connection: it can support the
-			 * specified clients.  But it may need instantiation.
-			 */
-			if (p->kind == CK_TEMPLATE)
-			{
-				/* Yup, it needs instantiation.  How much?
-				 * Is it a Road Warrior connection (simple)
-				 * or is it an Opportunistic connection (needing gw validation)?
-				 */
-				if (p->policy & POLICY_OPPO)
-				{
-#ifdef ADNS
-					/* Opportunistic case: delegation must be verified.
-					 * Here be dragons.
-					 */
-					enum verify_oppo_step next_step;
-					ip_address our_client, his_client;
-
-					passert(subnetishost(our_net) && subnetishost(his_net));
-					networkof(our_net, &our_client);
-					networkof(his_net, &his_client);
-
-					next_step = quick_inI1_outR1_process_answer(b, ac, p1st);
-					if (next_step == vos_fail)
-					{
-						return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-					}
-
-					/* short circuit: if peer's client is self,
-					 * accept that we've verified delegation in Phase 1
-					 */
-					if (next_step == vos_his_client
-					&& sameaddr(&c->spd.that.host_addr, &his_client))
-					{
-						next_step = vos_done;
-					}
-
-					/* the second chunk: initiate the next DNS query (if any) */
-					DBG(DBG_CONTROL,
-						{
-							char ours[SUBNETTOT_BUF];
-							char his[SUBNETTOT_BUF];
-
-							subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
-							subnettot(&c->spd.that.client, 0, his, sizeof(his));
-
-							DBG_log("responding on demand from %s to %s new state: %s"
-									, ours, his, verify_step_name[next_step]);
-						});
-
-					/* start next DNS query and suspend (if necessary) */
-					if (next_step != vos_done)
-					{
-						return quick_inI1_outR1_start_query(b, next_step);
-					}
-
-					/* Instantiate inbound Opportunistic connection,
-					 * carrying over authenticated peer ID
-					 * and filling in a few more details.
-					 * We used to include gateways_from_dns, but that
-					 * seems pointless at this stage of negotiation.
-					 * We should record DNS sec use, if any -- belongs in
-					 * state during perhaps.
-					 */
-					p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id
-						, NULL, &our_client, &his_client);
-#else /* ADNS */
-					plog("opportunistic connections not supported because"
-						 " adns is not available");
-					return STF_INTERNAL_ERROR;
-#endif /* ADNS */
-				}
-				else
-				{
-					/* Plain Road Warrior:
-					 * instantiate, carrying over authenticated peer ID
-					 */
-					host_t *vip = c->spd.that.host_srcip;
-
-					p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
-								, his_net, c->spd.that.id);
-
-					/* inherit any virtual IP assigned by a Mode Config exchange */
-					if (p->spd.that.modecfg && c->spd.that.modecfg &&
-						subnetisaddr(his_net, (ip_address*)vip->get_sockaddr(vip)))
-					{
-						DBG(DBG_CONTROL,
-							DBG_log("inheriting virtual IP source address %H from ModeCfg", vip)
-						)
-						p->spd.that.host_srcip->destroy(p->spd.that.host_srcip);
-						p->spd.that.host_srcip = vip->clone(vip);
-						p->spd.that.client = c->spd.that.client;
-						p->spd.that.has_client = TRUE;
-					}
-
-					if (c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
-						c->xauth_identity && !p->xauth_identity)
-					{
-						DBG(DBG_CONTROL,
-							DBG_log("inheriting XAUTH identity %Y", c->xauth_identity)
-						)
-						p->xauth_identity = c->xauth_identity->clone(c->xauth_identity);
-					}
-				}
-			}
-#ifdef DEBUG
-			/* temporarily bump up cur_debugging to get "using..." message
-			 * printed if we'd want it with new connection.
-			 */
-			{
-				lset_t old_cur_debugging = cur_debugging;
-
-				cur_debugging |= p->extra_debugging;
-				DBG(DBG_CONTROL, DBG_log("using connection \"%s\"", p->name));
-				cur_debugging = old_cur_debugging;
-			}
-#endif
-			c = p;
-		}
-		/* fill in the client's true ip address/subnet */
-		if (p->spd.that.has_client_wildcard)
-		{
-			p->spd.that.client = *his_net;
-			p->spd.that.has_client_wildcard = FALSE;
-		}
-		else if (is_virtual_connection(c))
-		{
-			c->spd.that.client = *his_net;
-			c->spd.that.virt = NULL;
-			if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net))
-			{
-				c->spd.that.has_client = FALSE;
-			}
-		}
-
-		/* fill in the client's true port */
-		if (p->spd.that.has_port_wildcard)
-		{
-			int port = htons(b->his.port);
-
-			setportof(port, &p->spd.that.host_addr);
-			setportof(port, &p->spd.that.client.addr);
-
-			p->spd.that.port = b->his.port;
-			p->spd.that.has_port_wildcard = FALSE;
-		}
-	}
-
-	/* now that we are sure of our connection, create our new state */
-	{
-		enum endpoint ep = EP_LOCAL;
-		struct state *const st = duplicate_state(p1st);
-
-		/* first: fill in missing bits of our new state object
-		 * note: we don't copy over st_peer_pubkey, the public key
-		 * that authenticated the ISAKMP SA.  We only need it in this
-		 * routine, so we can "reach back" to p1st to get it.
-		 */
-
-		if (st->st_connection != c)
-		{
-			connection_t *t = st->st_connection;
-
-			st->st_connection = c;
-			set_cur_connection(c);
-			connection_discard(t);
-		}
-
-		st->st_try = 0; /* not our job to try again from start */
-
-		st->st_msgid = md->hdr.isa_msgid;
-
-		st->st_new_iv_len = b->new_iv_len;
-		memcpy(st->st_new_iv, b->new_iv, b->new_iv_len);
-
-		set_cur_state(st);      /* (caller will reset) */
-		md->st = st;    /* feed back new state */
-
-		st->st_peeruserprotoid = b->his.proto;
-		st->st_peeruserport = b->his.port;
-		st->st_myuserprotoid = b->my.proto;
-		st->st_myuserport = b->my.port;
-
-		insert_state(st);       /* needs cookies, connection, and msgid */
-
-		/* copy the connection's
-		 * IPSEC policy into our state.  The ISAKMP policy is water under
-		 * the bridge, I think.  It will reflect the ISAKMP SA that we
-		 * are using.
-		 */
-		st->st_policy = (p1st->st_policy & POLICY_ISAKMP_MASK)
-			| (c->policy & ~POLICY_ISAKMP_MASK);
-
-		if (p1st->nat_traversal & NAT_T_DETECTED)
-		{
-			st->nat_traversal = p1st->nat_traversal;
-			nat_traversal_change_port_lookup(md, md->st);
-		}
-		else
-		{
-			st->nat_traversal = 0;
-		}
-		if ((st->nat_traversal & NAT_T_DETECTED)
-		&&  (st->nat_traversal & NAT_T_WITH_NATOA))
-		{
-			nat_traversal_natoa_lookup(md);
-		}
-
-		/* Start the output packet.
-		 *
-		 * proccess_packet() would automatically generate the HDR*
-		 * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
-		 * We don't do this because we wish there to be no partially
-		 * built output packet if we need to suspend for asynch DNS.
-		 *
-		 * We build the reply packet as we parse the message since
-		 * the parse_ipsec_sa_body emits the reply SA
-		 */
-
-		/* HDR* out */
-		echo_hdr(md, TRUE, ISAKMP_NEXT_HASH);
-
-		/* HASH(2) out -- first pass */
-		START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_SA);
-
-		/* process SA (in and out) */
-		{
-			struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
-			pb_stream r_sa_pbs;
-			struct isakmp_sa sa = sapd->payload.sa;
-
-			/* sa header is unchanged -- except for np */
-			sa.isasa_np = ISAKMP_NEXT_NONCE;
-			if (!out_struct(&sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-
-			/* parse and accept body */
-			st->st_pfs_group = &unset_group;
-			RETURN_STF_FAILURE(parse_ipsec_sa_body(&sapd->pbs
-					, &sapd->payload.sa, &r_sa_pbs, FALSE, st));
-		}
-
-		passert(st->st_pfs_group != &unset_group);
-
-		if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION");
-			return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN;
-		}
-
-		/* Ni in */
-		RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
-
-		/* [ KE ] in (for PFS) */
-		RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gi, "Gi", "Quick Mode I1"));
-
-		plog("responding to Quick Mode");
-
-		/**** finish reply packet: Nr [, KE ] [, IDci, IDcr ] ****/
-
-		/* Nr out */
-		if (!build_and_ship_nonce(&st->st_nr, &md->rbody
-		, st->st_pfs_group != NULL? ISAKMP_NEXT_KE : id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE
-		, "Nr"))
-		 {
-			return STF_INTERNAL_ERROR;
-		}
-
-		/* [ KE ] out (for PFS) */
-
-		if (st->st_pfs_group != NULL)
-		{
-			if (!build_and_ship_KE(st, &st->st_gr, st->st_pfs_group
-			, &md->rbody, id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-
-			/* MPZ-Operations might be done after sending the packet... */
-			compute_dh_shared(st, st->st_gi);
-		}
-
-		/* [ IDci, IDcr ] out */
-		if  (id_pd != NULL)
-		{
-			struct isakmp_ipsec_id *p = (void *)md->rbody.cur;  /* UGH! */
-
-			if (!out_raw(id_pd->pbs.start, pbs_room(&id_pd->pbs), &md->rbody, "IDci"))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-			p->isaiid_np = ISAKMP_NEXT_ID;
-
-			p = (void *)md->rbody.cur;  /* UGH! */
-
-			if (!out_raw(id_pd->next->pbs.start, pbs_room(&id_pd->next->pbs), &md->rbody, "IDcr"))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-			p->isaiid_np = ISAKMP_NEXT_NONE;
-		}
-
-		if ((st->nat_traversal & NAT_T_WITH_NATOA)
-		&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
-		&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
-		{
-			/** Send NAT-OA if our address is NATed and if we use Transport Mode */
-			if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &md->rbody, md->st))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-		if ((st->nat_traversal & NAT_T_DETECTED)
-		&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)
-		&& (c->spd.that.has_client))
-		{
-			/** Remove client **/
-			addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client);
-			c->spd.that.has_client = FALSE;
-		}
-
-		/* Compute reply HASH(2) and insert in output */
-		(void)quick_mode_hash12(r_hashval, r_hash_start, md->rbody.cur
-			, st, &st->st_msgid, TRUE);
-
-		/* Derive new keying material */
-		compute_keymats(st, ep);
-
-		/* Tell the kernel to establish the new inbound SA
-		 * (unless the commit bit is set -- which we don't support).
-		 * We do this before any state updating so that
-		 * failure won't look like success.
-		 */
-		if (!install_inbound_ipsec_sa(st))
-		{
-			wipe_keymats(st, ep);
-			return STF_INTERNAL_ERROR;  /* ??? we may be partly committed */
-		}
-		wipe_keymats(st, ep);
-
-		/* encrypt message, except for fixed part of header */
-
-		if (!encrypt_message(&md->rbody, st))
-		{
-			return STF_INTERNAL_ERROR;  /* ??? we may be partly committed */
-		}
-
-		return STF_OK;
-	}
-}
-
-/*
- * Initialize RFC 3706 Dead Peer Detection
- */
-static void dpd_init(struct state *st)
-{
-	struct state *p1st = find_state(st->st_icookie, st->st_rcookie
-								, &st->st_connection->spd.that.host_addr, 0);
-
-	if (p1st == NULL)
-	{
-		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
-	}
-	else if (p1st->st_dpd)
-	{
-		plog("Dead Peer Detection (RFC 3706) enabled");
-		/* randomize the first DPD event */
-
-		event_schedule(EVENT_DPD
-			, (0.5 + rand()/(RAND_MAX + 1.E0)) * st->st_connection->dpd_delay
-			, st);
-	}
-}
-
-/* Handle (the single) message from Responder in Quick Mode.
- * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
- * HDR*, HASH(3)
- * (see RFC 2409 "IKE" 5.5)
- * Installs inbound and outbound IPsec SAs, routing, etc.
- */
-stf_status quick_inR1_outI2(struct msg_digest *md)
-{
-	enum endpoint ep = EP_LOCAL | EP_REMOTE;
-	struct state *const st = md->st;
-	const connection_t *c = st->st_connection;
-
-	/* HASH(2) in */
-	CHECK_QUICK_HASH(md
-		, quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
-			, st, &st->st_msgid, TRUE)
-		, "HASH(2)", "Quick R1");
-
-	/* SA in */
-	{
-		struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
-
-		RETURN_STF_FAILURE(parse_ipsec_sa_body(&sa_pd->pbs
-			, &sa_pd->payload.sa, NULL, TRUE, st));
-	}
-
-	/* Nr in */
-	RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
-
-	/* [ KE ] in (for PFS) */
-	RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gr, "Gr", "Quick Mode R1"));
-
-	if (st->st_pfs_group != NULL)
-	{
-		compute_dh_shared(st, st->st_gr);
-	}
-
-	/* [ IDci, IDcr ] in; these must match what we sent */
-
-	{
-		struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
-
-		if (id_pd != NULL)
-		{
-			/* ??? we are assuming IPSEC_DOI */
-
-			/* IDci (we are initiator) */
-
-			if (!check_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
-			, &st->st_myuserprotoid, &st->st_myuserport
-			, &st->st_connection->spd.this.client
-			, "our client"))
-			{
-				return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-			}
-
-			/* IDcr (responder is peer) */
-
-			if (!check_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
-			, &st->st_peeruserprotoid, &st->st_peeruserport
-			, &st->st_connection->spd.that.client
-			, "peer client"))
-			{
-				return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-			}
-		}
-		else
-		{
-			/* no IDci, IDcr: we must check that the defaults match our proposal */
-			if (!subnetisaddr(&c->spd.this.client, &c->spd.this.host_addr)
-			|| !subnetisaddr(&c->spd.that.client, &c->spd.that.host_addr))
-			{
-				loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message"
-					" but default does not match proposal");
-				return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-			}
-		}
-	}
-
-	/* check the peer's group attributes */
-	{
-		identification_t *peer_ca = NULL;
-		ietf_attributes_t *peer_attributes = NULL;
-		bool match;
-
-		get_peer_ca_and_groups(st->st_connection, &peer_ca, &peer_attributes);
-		match = match_group_membership(peer_attributes,
-									   st->st_connection->name,
-									   st->st_connection->spd.that.groups);
-		DESTROY_IF(peer_attributes);
-
-		if (!match)
-		{
-			ietf_attributes_t *groups = st->st_connection->spd.that.groups;
-
-			loglog(RC_LOG_SERIOUS,
-				   "peer with attributes '%s' is not a member of the groups '%s'",
-					peer_attributes->get_string(peer_attributes),
-					groups->get_string(groups));
-			return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
-		}
-	}
-
-	if ((st->nat_traversal & NAT_T_DETECTED)
-	&&  (st->nat_traversal & NAT_T_WITH_NATOA))
-	{
-		nat_traversal_natoa_lookup(md);
-	}
-
-	/* ??? We used to copy the accepted proposal into the state, but it was
-	 * never used.  From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs).
-	 */
-
-	/**************** build reply packet HDR*, HASH(3) ****************/
-
-	/* HDR* out done */
-
-	/* HASH(3) out -- since this is the only content, no passes needed */
-	{
-		u_char  /* set by START_HASH_PAYLOAD: */
-			*r_hashval, /* where in reply to jam hash value */
-			*r_hash_start;      /* start of what is to be hashed */
-
-		START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_NONE);
-		(void)quick_mode_hash3(r_hashval, st);
-	}
-
-	/* Derive new keying material */
-	compute_keymats(st, ep);
-
-	/* Tell the kernel to establish the inbound, outbound, and routing part
-	 * of the new SA (unless the commit bit is set -- which we don't support).
-	 * We do this before any state updating so that
-	 * failure won't look like success.
-	 */
-	if (!install_ipsec_sa(st, TRUE))
-	{
-		wipe_keymats(st, ep);
-		return STF_INTERNAL_ERROR;
-	}
-	wipe_keymats(st, ep);
-
-	/* encrypt message, except for fixed part of header */
-
-	if (!encrypt_message(&md->rbody, st))
-	{
-		return STF_INTERNAL_ERROR;      /* ??? we may be partly committed */
-	}
-	DBG(DBG_CONTROLMORE,
-		DBG_log("inR1_outI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
-							   , st->st_connection->name
-							   , st->st_connection->instance_serial
-							   , st->st_serialno
-							   , st->st_connection->newest_ipsec_sa
-							   , st->st_connection->spd.eroute_owner)
-	)
-	st->st_connection->newest_ipsec_sa = st->st_serialno;
-
-	/* note (presumed) success */
-	if (c->gw_info != NULL)
-	{
-		c->gw_info->key->last_worked_time = now();
-	}
-
-	/* If we want DPD on this connection then initialize it */
-	if (st->st_connection->dpd_action != DPD_ACTION_NONE)
-	{
-		dpd_init(st);
-	}
-	return STF_OK;
-}
-
-/* Handle last message of Quick Mode.
- * HDR*, HASH(3) -> done
- * (see RFC 2409 "IKE" 5.5)
- * Installs outbound IPsec SAs, routing, etc.
- */
-stf_status quick_inI2(struct msg_digest *md)
-{
-	enum endpoint ep = EP_REMOTE;
-	struct state *const st = md->st;
-
-	/* HASH(3) in */
-	CHECK_QUICK_HASH(md, quick_mode_hash3(hash_val, st)
-		, "HASH(3)", "Quick I2");
-
-	/* Derive keying material */
-	compute_keymats(st, ep);
-
-	/* Tell the kernel to establish the outbound and routing part of the new SA
-	 * (the previous state established inbound)
-	 * (unless the commit bit is set -- which we don't support).
-	 * We do this before any state updating so that
-	 * failure won't look like success.
-	 */
-	if (!install_ipsec_sa(st, FALSE))
-	{
-		wipe_keymats(st, ep);
-		return STF_INTERNAL_ERROR;
-	}
-	wipe_keymats(st, ep);
-
-	DBG(DBG_CONTROLMORE,
-		DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
-							   , st->st_connection->name
-							   , st->st_connection->instance_serial
-							   , st->st_serialno
-							   , st->st_connection->newest_ipsec_sa
-							   , st->st_connection->spd.eroute_owner)
-	)
-	st->st_connection->newest_ipsec_sa = st->st_serialno;
-
-	update_iv(st);      /* not actually used, but tidy */
-
-	/* note (presumed) success */
-	{
-		struct gw_info *gw = st->st_connection->gw_info;
-
-		if (gw != NULL)
-		{
-			gw->key->last_worked_time = now();
-		}
-	}
-
-	/* If we want DPD on this connection then initialize it */
-	if (st->st_connection->dpd_action != DPD_ACTION_NONE)
-	{
-		dpd_init(st);
-	}
-	return STF_OK;
-}
-
-static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
-										   const void *data, size_t len)
-{
-	msgid_t msgid;
-	pb_stream reply;
-	pb_stream rbody;
-	u_char
-		*r_hashval,     /* where in reply to jam hash value */
-		*r_hash_start;  /* start of what is to be hashed */
-
-	msgid = generate_msgid(st);
-
-	init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "ISAKMP notify");
-
-	/* HDR* */
-	{
-		struct isakmp_hdr hdr;
-
-		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-		hdr.isa_np = ISAKMP_NEXT_HASH;
-		hdr.isa_xchg = ISAKMP_XCHG_INFO;
-		hdr.isa_msgid = msgid;
-		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-		memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-		if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
-		{
-			impossible();
-		}
-	}
-	/* HASH -- create and note space to be filled later */
-	START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_N);
-
-	/* NOTIFY */
-	{
-		pb_stream notify_pbs;
-		struct isakmp_notification isan;
-
-		isan.isan_np = ISAKMP_NEXT_NONE;
-		isan.isan_doi = ISAKMP_DOI_IPSEC;
-		isan.isan_protoid = PROTO_ISAKMP;
-		isan.isan_spisize = COOKIE_SIZE * 2;
-		isan.isan_type = type;
-		if (!out_struct(&isan, &isakmp_notification_desc, &rbody, &notify_pbs))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		if (!out_raw(st->st_icookie, COOKIE_SIZE, &notify_pbs, "notify icookie"))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		if (!out_raw(st->st_rcookie, COOKIE_SIZE, &notify_pbs, "notify rcookie"))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-		if (data != NULL && len > 0)
-		{
-			if (!out_raw(data, len, &notify_pbs, "notify data"))
-			{
-				return STF_INTERNAL_ERROR;
-			}
-		}
-		close_output_pbs(&notify_pbs);
-	}
-
-	{
-		/* finish computing HASH */
-		chunk_t msgid_chunk = chunk_from_thing(msgid);
-		chunk_t msg_chunk = { r_hash_start, rbody.cur-r_hash_start };
-		pseudo_random_function_t prf_alg;
-		prf_t *prf;
-
-		prf_alg = oakley_to_prf(st->st_oakley.hash);
-		prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-		prf->set_key(prf, st->st_skeyid_a);
-		prf->get_bytes(prf, msgid_chunk, NULL);
-		prf->get_bytes(prf, msg_chunk, r_hashval);
-
-		DBG(DBG_CRYPT,
-			DBG_log("HASH computed:");
-			DBG_dump("", r_hashval, prf->get_block_size(prf));
-		)
-		prf->destroy(prf);
-	}
-
-	/* Encrypt message (preserve st_iv and st_new_iv) */
-	{
-		u_char old_iv[MAX_DIGEST_LEN];
-		u_char new_iv[MAX_DIGEST_LEN];
-
-		u_int old_iv_len = st->st_iv_len;
-		u_int new_iv_len = st->st_new_iv_len;
-
-		if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
-			return STF_INTERNAL_ERROR;
-
-		memcpy(old_iv, st->st_iv, old_iv_len);
-		memcpy(new_iv, st->st_new_iv, new_iv_len);
-
-		init_phase2_iv(st, &msgid);
-		if (!encrypt_message(&rbody, st))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-
-		/* restore preserved st_iv and st_new_iv */
-		memcpy(st->st_iv, old_iv, old_iv_len);
-		memcpy(st->st_new_iv, new_iv, new_iv_len);
-		st->st_iv_len = old_iv_len;
-		st->st_new_iv_len = new_iv_len;
-	}
-
-	/* Send packet (preserve st_tpacket) */
-	{
-		chunk_t saved_tpacket = st->st_tpacket;
-
-		st->st_tpacket = chunk_create(reply.start, pbs_offset(&reply));
-		send_packet(st, "ISAKMP notify");
-		st->st_tpacket = saved_tpacket;
-	}
-
-	return STF_IGNORE;
-}
-
-/*
- * DPD Out Initiator
- */
-void dpd_outI(struct state *p2st)
-{
-	struct state *st;
-	u_int32_t seqno;
-	time_t tm;
-	time_t idle_time;
-	time_t delay = p2st->st_connection->dpd_delay;
-	time_t timeout = p2st->st_connection->dpd_timeout;
-
-	/* find the newest related Phase 1 state */
-	st = find_phase1_state(p2st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
-
-	if (st == NULL)
-	{
-		loglog(RC_LOG_SERIOUS, "DPD: Could not find newest phase 1 state");
-		return;
-	}
-
-	/* If no DPD, then get out of here */
-	if (!st->st_dpd)
-	{
-		return;
-	}
-
-	/* schedule the next periodic DPD event */
-	event_schedule(EVENT_DPD, delay, p2st);
-
-	/* Current time */
-	tm = now();
-
-	/* Make sure we really need to invoke DPD */
-	if (!was_eroute_idle(p2st, delay, &idle_time))
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("recent eroute activity %u seconds ago, "
-					"no need to send DPD notification"
-				  , (int)idle_time)
-		)
-		st->st_last_dpd = tm;
-		delete_dpd_event(st);
-		return;
-	}
-
-	/* If an R_U_THERE has been sent or received recently, or if a
-	 * companion Phase 2 SA has shown eroute activity,
-	 * then we don't need to invoke DPD.
-	 */
-	if (tm < st->st_last_dpd + delay)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("recent DPD activity %u seconds ago, "
-					"no need to send DPD notification"
-				  , (int)(tm - st->st_last_dpd))
-		)
-		return;
-	}
-
-	if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-		return;
-
-	if (!st->st_dpd_seqno)
-	{
-		rng_t *rng;
-
-		/* Get a non-zero random value that has room to grow */
-		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		rng->get_bytes(rng, sizeof(st->st_dpd_seqno), (u_char *)&st->st_dpd_seqno);
-		rng->destroy(rng);
-		st->st_dpd_seqno &= 0x7fff;
-		st->st_dpd_seqno++;
-	}
-	seqno = htonl(st->st_dpd_seqno);
-
-	if (send_isakmp_notification(st, R_U_THERE, &seqno, sizeof(seqno)) != STF_IGNORE)
-	{
-		loglog(RC_LOG_SERIOUS, "DPD: Could not send R_U_THERE");
-		return;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("sent DPD notification R_U_THERE with seqno = %u", st->st_dpd_seqno)
-	)
-	st->st_dpd_expectseqno = st->st_dpd_seqno++;
-	st->st_last_dpd = tm;
-	/* Only schedule a new timeout if there isn't one currently,
-	 * or if it would be sooner than the current timeout. */
-	if (st->st_dpd_event == NULL
-	|| st->st_dpd_event->ev_time > tm + timeout)
-	{
-		delete_dpd_event(st);
-		event_schedule(EVENT_DPD_TIMEOUT, timeout, st);
-	}
-}
-
-/*
- * DPD in Initiator, out Responder
- */
-stf_status
-dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
-{
-   time_t tm = now();
-	u_int32_t seqno;
-
-	if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	{
-		loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
-		return STF_IGNORE;
-	}
-	if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
-	{
-		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
-		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
-	}
-
-	if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
-	{
-#ifdef APPLY_CRISCO
-		/* Ignore it, cisco sends odd icookies */
-#else
-		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)");
-		return STF_FAIL + ISAKMP_INVALID_COOKIE;
-#endif
-	}
-	pbs->cur += COOKIE_SIZE;
-
-	if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
-	{
-		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)");
-		return STF_FAIL + ISAKMP_INVALID_COOKIE;
-	}
-	pbs->cur += COOKIE_SIZE;
-
-	if (pbs_left(pbs) != sizeof(seqno))
-	{
-		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)"
-			, (int) pbs_left(pbs));
-		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
-	}
-
-	seqno = ntohl(*(u_int32_t *)pbs->cur);
-	DBG(DBG_CONTROL,
-		DBG_log("received DPD notification R_U_THERE with seqno = %u", seqno)
-	)
-
-	if (st->st_dpd_peerseqno && seqno <= st->st_dpd_peerseqno) {
-		loglog(RC_LOG_SERIOUS, "DPD: Received old or duplicate R_U_THERE");
-		return STF_IGNORE;
-	}
-
-	st->st_dpd_peerseqno = seqno;
-	delete_dpd_event(st);
-
-	if (send_isakmp_notification(st, R_U_THERE_ACK, pbs->cur, pbs_left(pbs)) != STF_IGNORE)
-	{
-		loglog(RC_LOG_SERIOUS, "DPD Info: could not send R_U_THERE_ACK");
-		return STF_IGNORE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("sent DPD notification R_U_THERE_ACK with seqno = %u", seqno)
-	)
-
-	st->st_last_dpd = tm;
-	return STF_IGNORE;
-}
-
-/*
- * DPD out Responder
- */
-stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
-				   pb_stream *pbs)
-{
-	u_int32_t seqno;
-
-	if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-	{
-		loglog(RC_LOG_SERIOUS
-			, "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
-		return STF_FAIL;
-	}
-
-   if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
-			, n->isan_spisize);
-		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
-	}
-
-	if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
-	{
-#ifdef APPLY_CRISCO
-		/* Ignore it, cisco sends odd icookies */
-#else
-		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie");
-		return STF_FAIL + ISAKMP_INVALID_COOKIE;
-#endif
-	}
-	pbs->cur += COOKIE_SIZE;
-
-	if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
-	{
-#ifdef APPLY_CRISCO
-		/* Ignore it, cisco sends odd icookies */
-#else
-		loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie");
-		return STF_FAIL + ISAKMP_INVALID_COOKIE;
-#endif
-	}
-	pbs->cur += COOKIE_SIZE;
-
-	if (pbs_left(pbs) != sizeof(seqno))
-	{
-		loglog(RC_LOG_SERIOUS
-			, " DPD: R_U_THERE_ACK has invalid data length (%d)"
-			, (int) pbs_left(pbs));
-		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
-	}
-
-	seqno = ntohl(*(u_int32_t *)pbs->cur);
-	DBG(DBG_CONTROL,
-		DBG_log("received DPD notification R_U_THERE_ACK with seqno = %u"
-		, seqno)
-	)
-
-	if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
-			, seqno, st->st_dpd_expectseqno);
-		return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
-	}
-
-	st->st_dpd_expectseqno = 0;
-	delete_dpd_event(st);
-	return STF_IGNORE;
-}
-
-/*
- * DPD Timeout Function
- *
- * This function is called when a timeout DPD_EVENT occurs.  We set clear/trap
- * both the SA and the eroutes, depending on what the connection definition
- * tells us (either 'hold' or 'clear')
- */
-void
-dpd_timeout(struct state *st)
-{
-	struct state *newest_phase1_st;
-	connection_t *c = st->st_connection;
-	int action = st->st_connection->dpd_action;
-	char cname[BUF_LEN];
-
-	passert(action == DPD_ACTION_HOLD
-		 || action == DPD_ACTION_CLEAR
-		 || DPD_ACTION_RESTART);
-
-	/* is there a newer phase1_state? */
-	newest_phase1_st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
-	if (newest_phase1_st != NULL && newest_phase1_st != st)
-	{
-		plog("DPD: Phase1 state #%ld has been superseded by #%ld"
-			 " - timeout ignored"
-			 , st->st_serialno, newest_phase1_st->st_serialno);
-		return;
-	}
-
-	loglog(RC_LOG_SERIOUS, "DPD: No response from peer - declaring peer dead");
-
-	/* delete the state, which is probably in phase 2 */
-	set_cur_connection(c);
-	plog("DPD: Terminating all SAs using this connection");
-	delete_states_by_connection(c, TRUE);
-	reset_cur_connection();
-
-	switch (action)
-	{
-	case DPD_ACTION_HOLD:
-		/* dpdaction=hold - Wipe the SA's but %trap the eroute so we don't
-		 * leak traffic.  Also, being in %trap means new packets will
-		 * force an initiation of the conn again.
-		 */
-		loglog(RC_LOG_SERIOUS, "DPD: Putting connection \"%s\" into %%trap", c->name);
-		if (c->kind == CK_INSTANCE)
-		{
-			delete_connection(c, TRUE);
-		}
-		break;
-	case DPD_ACTION_CLEAR:
-		/* dpdaction=clear - Wipe the SA & eroute - everything */
-		loglog(RC_LOG_SERIOUS, "DPD: Clearing connection \"%s\"", c->name);
-		unroute_connection(c);
-		if (c->kind == CK_INSTANCE)
-		{
-			delete_connection(c, TRUE);
-		}
-		break;
-	case DPD_ACTION_RESTART:
-		/* dpdaction=restart - Restart connection,
-		 * except if roadwarrior connection
-		 */
-		loglog(RC_LOG_SERIOUS, "DPD: Restarting connection \"%s\"", c->name);
-		unroute_connection(c);
-
-		/* caching the connection name before deletion */
-		strncpy(cname, c->name, BUF_LEN);
-		cname[BUF_LEN-1] = '\0';
-
-		if (c->kind == CK_INSTANCE)
-		{
-			delete_connection(c, TRUE);
-		}
-		initiate_connection(cname, NULL_FD);
-		break;
-	default:
-		loglog(RC_LOG_SERIOUS, "DPD: unknown action");
-	}
-}
-
diff --git a/src/pluto/ipsec_doi.h b/src/pluto/ipsec_doi.h
deleted file mode 100644
index c11edaa94..000000000
--- a/src/pluto/ipsec_doi.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/* IPsec DOI and Oakley resolution routines
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _IPSEC_DOI_H
-#define _IPSEC_DOI_H
-
-#include "defs.h"
-
-extern void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np);
-
-extern void ipsecdoi_initiate(int whack_sock, struct connection *c
-	, lset_t policy, unsigned long try, so_serial_t replacing);
-
-extern void ipsecdoi_replace(struct state *st, unsigned long try);
-
-extern void init_phase2_iv(struct state *st, const msgid_t *msgid);
-
-extern stf_status quick_outI1(int whack_sock
-	, struct state *isakmp_sa
-	, struct connection *c
-	, lset_t policy
-	, unsigned long try
-	, so_serial_t replacing);
-
-extern state_transition_fn
-	main_inI1_outR1,
-	main_inR1_outI2,
-	main_inI2_outR2,
-	main_inR2_outI3,
-	main_inI3_outR3,
-	main_inR3,
-	quick_inI1_outR1,
-	quick_inR1_outI2,
-	quick_inI2;
-
-extern void send_delete(struct state *st);
-extern void accept_delete(struct state *st, struct msg_digest *md
-	, struct payload_digest *p);
-extern void close_message(pb_stream *pbs);
-extern bool encrypt_message(pb_stream *pbs, struct state *st);
-
-
-extern void send_notification_from_state(struct state *st,
-	enum state_kind state, u_int16_t type);
-extern void send_notification_from_md(struct msg_digest *md, u_int16_t type);
-
-extern const char *init_pluto_vendorid(void);
-
-extern void dpd_outI(struct state *st);
-extern stf_status dpd_inI_outR(struct state *st
-			, struct isakmp_notification *const n, pb_stream *n_pbs);
-extern stf_status dpd_inR(struct state *st
-			, struct isakmp_notification *const n, pb_stream *n_pbs);
-extern void dpd_timeout(struct state *st);
-
-/* START_HASH_PAYLOAD
- *
- * Emit a to-be-filled-in hash payload, noting the field start (r_hashval)
- * and the start of the part of the message to be hashed (r_hash_start).
- * This macro is magic.
- * - it can cause the caller to return
- * - it references variables local to the caller (r_hashval, r_hash_start, st)
- */
-#define START_HASH_PAYLOAD(rbody, np) { \
-	pb_stream hash_pbs; \
-	if (!out_generic(np, &isakmp_hash_desc, &(rbody), &hash_pbs)) \
-		return STF_INTERNAL_ERROR; \
-	r_hashval = hash_pbs.cur;   /* remember where to plant value */ \
-	if (!out_zero(st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH")) \
-		return STF_INTERNAL_ERROR; \
-	close_output_pbs(&hash_pbs); \
-	r_hash_start = (rbody).cur; /* hash from after HASH payload */ \
-}
-
-/* CHECK_QUICK_HASH
- *
- * This macro is magic -- it cannot be expressed as a function.
- * - it causes the caller to return!
- * - it declares local variables and expects the "do_hash" argument
- *   expression to reference them (hash_val, hash_pbs)
- */
-#define CHECK_QUICK_HASH(md, do_hash, hash_name, msg_name) { \
-		pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs; \
-		u_char hash_val[MAX_DIGEST_LEN]; \
-		size_t hash_len = do_hash; \
-		if (pbs_left(hash_pbs) != hash_len \
-		|| memcmp(hash_pbs->cur, hash_val, hash_len) != 0) \
-		{ \
-			DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \
-			loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \
-			/* XXX Could send notification back */ \
-			return STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION; \
-		} \
-	}
-
-#endif /* _IPSEC_DOI_H */
-
diff --git a/src/pluto/kameipsec.h b/src/pluto/kameipsec.h
deleted file mode 100644
index 5e9d8ce99..000000000
--- a/src/pluto/kameipsec.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef __IPSEC_H
-#define __IPSEC_H 1
-
-/* The definitions, required to talk to KAME racoon IKE. */
-
-#define IPSEC_PORT_ANY          0
-#define IPSEC_ULPROTO_ANY       255
-#define IPSEC_PROTO_ANY         255
-
-enum {
-		IPSEC_MODE_ANY          = 0,    /* We do not support this for SA */
-		IPSEC_MODE_TRANSPORT    = 1,
-		IPSEC_MODE_TUNNEL       = 2
-};
-
-enum {
-		IPSEC_DIR_ANY           = 0,
-		IPSEC_DIR_INBOUND       = 1,
-		IPSEC_DIR_OUTBOUND      = 2,
-		IPSEC_DIR_FWD           = 3,    /* It is our own */
-		IPSEC_DIR_MAX           = 4,
-		IPSEC_DIR_INVALID       = 5
-};
-
-enum {
-		IPSEC_POLICY_DISCARD    = 0,
-		IPSEC_POLICY_NONE       = 1,
-		IPSEC_POLICY_IPSEC      = 2,
-		IPSEC_POLICY_ENTRUST    = 3,
-		IPSEC_POLICY_BYPASS     = 4
-};
-
-enum {
-		IPSEC_LEVEL_DEFAULT     = 0,
-		IPSEC_LEVEL_USE         = 1,
-		IPSEC_LEVEL_REQUIRE     = 2,
-		IPSEC_LEVEL_UNIQUE      = 3
-};
-
-#define IPSEC_MANUAL_REQID_MAX  0x3fff
-
-#define IPSEC_REPLAYWSIZE  32
-
-#define IP_IPSEC_POLICY 16
-#define IPV6_IPSEC_POLICY 34
-
-#endif  /* __IPSEC_H */
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
deleted file mode 100644
index e4729ef08..000000000
--- a/src/pluto/kernel.c
+++ /dev/null
@@ -1,2114 +0,0 @@
-/* routines that interface with the kernel's IPsec mechanism
- *
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * Copyright (C) 1998-2002  D. Hugh Redelmeier
- * Copyright (C) 1997 Angelos D. Keromytis
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/queue.h>
-#include <sys/wait.h>
-
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <hydra.h>
-#include <crypto/rngs/rng.h>
-#include <kernel/kernel_listener.h>
-
-#include <signal.h>
-#include <sys/time.h>   /* for select(2) */
-#include <sys/types.h>  /* for select(2) */
-#include <pfkeyv2.h>
-#include <pfkey.h>
-#include "kameipsec.h"
-
-#include "constants.h"
-#include "defs.h"
-#include "connections.h"
-#include "state.h"
-#include "timer.h"
-#include "kernel.h"
-#include "kernel_pfkey.h"
-#include "log.h"
-#include "ca.h"
-#include "server.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "keys.h"
-#include "crypto.h"
-#include "nat_traversal.h"
-#include "alg_info.h"
-#include "kernel_alg.h"
-#include "pluto.h"
-
-
-bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
-
-/* test if the routes required for two different connections agree
- * It is assumed that the destination subnets agree; we are only
- * testing that the interfaces and nexthops match.
- */
-#define routes_agree(c, d) ((c)->interface == (d)->interface \
-		&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
-
-/* forward declaration */
-static bool shunt_eroute(connection_t *c, struct spd_route *sr,
-						 enum routing_t rt_kind, unsigned int op,
-						 const char *opname);
-
-static void set_text_said(char *text_said, const ip_address *dst,
-						  ipsec_spi_t spi, int proto);
-
-/**
- * Default IPsec SA config (e.g. to install trap policies).
- */
-static ipsec_sa_cfg_t null_ipsec_sa = {
-	.mode = MODE_TRANSPORT,
-	.esp = {
-		.use = TRUE,
-	},
-};
-
-/**
- * Helper function that converts an ip_subnet to a traffic_selector_t.
- */
-static traffic_selector_t *traffic_selector_from_subnet(const ip_subnet *client,
-														const u_int8_t proto)
-{
-	traffic_selector_t *ts;
-	host_t *net;
-	net = host_create_from_sockaddr((sockaddr_t*)&client->addr);
-	ts = traffic_selector_create_from_subnet(net, client->maskbits, proto,
-											 net->get_port(net));
-	return ts;
-}
-
-/**
- * Helper function that converts a traffic_selector_t to an ip_subnet.
- */
-static ip_subnet subnet_from_traffic_selector(traffic_selector_t *ts)
-{
-	ip_subnet subnet;
-	host_t *net;
-	u_int8_t mask;
-	ts->to_subnet(ts, &net, &mask);
-	subnet.addr = *(ip_address*)net->get_sockaddr(net);
-	subnet.maskbits = mask;
-	net->destroy(net);
-	return subnet;
-}
-
-
-void record_and_initiate_opportunistic(const ip_subnet *ours,
-									   const ip_subnet *his,
-									   int transport_proto, const char *why)
-{
-	ip_address src, dst;
-	passert(samesubnettype(ours, his));
-
-	/* actually initiate opportunism */
-	networkof(ours, &src);
-	networkof(his, &dst);
-	initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
-}
-
-/* Generate Unique SPI numbers.
- *
- * The returned SPI is in network byte order.
- */
-ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr,
-						  bool tunnel)
-{
-	host_t *host_src, *host_dst;
-	u_int32_t spi;
-
-	host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
-	host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
-
-	if (hydra->kernel_interface->get_spi(hydra->kernel_interface, host_src,
-								host_dst, proto, sr->reqid, &spi) != SUCCESS)
-	{
-		spi = 0;
-	}
-
-	host_src->destroy(host_src);
-	host_dst->destroy(host_dst);
-
-	return spi;
-}
-
-/* Generate Unique CPI numbers.
- * The result is returned as an SPI (4 bytes) in network order!
- * The real bits are in the nework-low-order 2 bytes.
- */
-ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
-{
-	host_t *host_src, *host_dst;
-	u_int16_t cpi;
-
-	host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
-	host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
-
-	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, host_src,
-										 host_dst, sr->reqid, &cpi) != SUCCESS)
-
-	{
-		cpi = 0;
-	}
-
-	host_src->destroy(host_src);
-	host_dst->destroy(host_dst);
-
-	return htonl((u_int32_t)ntohs(cpi));
-}
-
-/* Replace the shell metacharacters ', \, ", `, and $ in a character string
- * by escape sequences consisting of their octal values
- */
-static void escape_metachar(const char *src, char *dst, size_t dstlen)
-{
-	while (*src != '\0' && dstlen > 4)
-	{
-		switch (*src)
-		{
-		case '\'':
-		case '\\':
-		case '"':
-		case '`':
-		case '$':
-			sprintf(dst,"\\%s%o", (*src < 64)?"0":"", *src);
-			dst += 4;
-			dstlen -= 4;
-			break;
-		default:
-			*dst++ = *src;
-			dstlen--;
-		}
-		src++;
-	}
-	*dst = '\0';
-}
-
-/* invoke the updown script to do the routing and firewall commands required
- *
- * The user-specified updown script is run.  Parameters are fed to it in
- * the form of environment variables.  All such environment variables
- * have names starting with "PLUTO_".
- *
- * The operation to be performed is specified by PLUTO_VERB.  This
- * verb has a suffix "-host" if the client on this end is just the
- * host; otherwise the suffix is "-client".  If the address family
- * of the host is IPv6, an extra suffix of "-v6" is added.
- *
- * "prepare-host" and "prepare-client" are used to delete a route
- * that may exist (due to forces outside of Pluto).  It is used to
- * prepare for pluto creating a route.
- *
- * "route-host" and "route-client" are used to install a route.
- * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
- * values are probably of no use (using them may signify a bug).
- *
- * "unroute-host" and "unroute-client" are used to delete a route.
- * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
- * values are probably of no use (using them may signify a bug).
- *
- * "up-host" and "up-client" are run when an eroute is added (not replaced).
- * They are useful for adjusting a firewall: usually for adding a rule
- * to let processed packets flow between clients.  Note that only
- * one eroute may exist for a pair of client subnets but inbound
- * IPsec SAs may persist without an eroute.
- *
- * "down-host" and "down-client" are run when an eroute is deleted.
- * They are useful for adjusting a firewall.
- */
-
-#ifndef DEFAULT_UPDOWN
-# define DEFAULT_UPDOWN "ipsec _updown"
-#endif
-
-static bool do_command(connection_t *c, struct spd_route *sr, struct state *st,
-					   const char *verb)
-{
-	char cmd[1536];     /* arbitrary limit on shell command length */
-	const char *verb_suffix;
-
-	/* figure out which verb suffix applies */
-	{
-		const char *hs, *cs;
-
-		switch (addrtypeof(&sr->this.host_addr))
-		{
-			case AF_INET:
-				hs = "-host";
-				cs = "-client";
-				break;
-			case AF_INET6:
-				hs = "-host-v6";
-				cs = "-client-v6";
-				break;
-			default:
-				loglog(RC_LOG_SERIOUS, "unknown address family");
-				return FALSE;
-		}
-		verb_suffix = subnetisaddr(&sr->this.client, &sr->this.host_addr)
-			? hs : cs;
-	}
-
-	/* form the command string */
-	{
-		char
-			nexthop_str[sizeof("PLUTO_NEXT_HOP='' ") +ADDRTOT_BUF] = "",
-			srcip_str[sizeof("PLUTO_MY_SOURCEIP='' ")+ADDRTOT_BUF] = "",
-			me_str[ADDRTOT_BUF],
-			myid_str[BUF_LEN],
-			myclient_str[SUBNETTOT_BUF],
-			myclientnet_str[ADDRTOT_BUF],
-			myclientmask_str[ADDRTOT_BUF],
-			peer_str[ADDRTOT_BUF],
-			peerid_str[BUF_LEN],
-			peerclient_str[SUBNETTOT_BUF],
-			peerclientnet_str[ADDRTOT_BUF],
-			peerclientmask_str[ADDRTOT_BUF],
-			peerca_str[BUF_LEN],
-			mark_in[BUF_LEN] = "",
-			mark_out[BUF_LEN] = "",
-			udp_encap[BUF_LEN] = "",
-			xauth_id_str[BUF_LEN] = "",
-			secure_myid_str[BUF_LEN] = "",
-			secure_peerid_str[BUF_LEN] = "",
-			secure_peerca_str[BUF_LEN] = "",
-			secure_xauth_id_str[BUF_LEN] = "";
-		ip_address ta;
-		pubkey_list_t *p;
-
-		if (addrbytesptr(&sr->this.host_nexthop, NULL)
-		&& !isanyaddr(&sr->this.host_nexthop))
-		{
-			char *n;
-
-			strcpy(nexthop_str, "PLUTO_NEXT_HOP='");
-			n = nexthop_str + strlen(nexthop_str);
-
-			addrtot(&sr->this.host_nexthop, 0
-					,n , sizeof(nexthop_str)-strlen(nexthop_str));
-			strncat(nexthop_str, "' ", sizeof(nexthop_str));
-		}
-
-		if (!sr->this.host_srcip->is_anyaddr(sr->this.host_srcip))
-		{
-			char *n;
-
-			strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
-			n = srcip_str + strlen(srcip_str);
-			snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H",
-						sr->this.host_srcip);
-			strncat(srcip_str, "' ", sizeof(srcip_str));
-		}
-
-		if (sr->mark_in.value)
-		{
-			snprintf(mark_in, sizeof(mark_in), "PLUTO_MARK_IN='%u/0x%08x' ",
-					 sr->mark_in.value, sr->mark_in.mask);
-		}
-
-		if (sr->mark_out.value)
-		{
-			snprintf(mark_out, sizeof(mark_out), "PLUTO_MARK_OUT='%u/0x%08x' ",
-					 sr->mark_out.value, sr->mark_out.mask);
-		}
-
-		if (st && (st->nat_traversal & NAT_T_DETECTED))
-		{
-			snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ",
-					 sr->that.host_port);
-		}
-
-		addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
-		snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
-		escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
-		subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str));
-		networkof(&sr->this.client, &ta);
-		addrtot(&ta, 0, myclientnet_str, sizeof(myclientnet_str));
-		maskof(&sr->this.client, &ta);
-		addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
-
-		if (c->xauth_identity &&
-			c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
-		{
-			snprintf(xauth_id_str, sizeof(xauth_id_str), "%Y", c->xauth_identity);
-			escape_metachar(xauth_id_str, secure_xauth_id_str,
-					 sizeof(secure_xauth_id_str));
-			snprintf(xauth_id_str, sizeof(xauth_id_str), "PLUTO_XAUTH_ID='%s' ",
-					 secure_xauth_id_str);
-		}
-
-		addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
-		snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
-		escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
-		subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str));
-		networkof(&sr->that.client, &ta);
-		addrtot(&ta, 0, peerclientnet_str, sizeof(peerclientnet_str));
-		maskof(&sr->that.client, &ta);
-		addrtot(&ta, 0, peerclientmask_str, sizeof(peerclientmask_str));
-
-		for (p = pubkeys; p != NULL; p = p->next)
-		{
-			pubkey_t *key = p->key;
-			key_type_t type = key->public_key->get_type(key->public_key);
-			int pathlen;
-
-			if (type == KEY_RSA &&
-				sr->that.id->equals(sr->that.id, key->id) &&
-				trusted_ca(key->issuer, sr->that.ca, &pathlen))
-			{
-				if (key->issuer)
-				{
-					snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);
-					escape_metachar(peerca_str, secure_peerca_str, BUF_LEN);
-				}
-				else
-				{
-					secure_peerca_str[0] = '\0';
-				}
-				break;
-			}
-		}
-
-		if (-1 == snprintf(cmd, sizeof(cmd)
-			, "2>&1 "   /* capture stderr along with stdout */
-			"PLUTO_VERSION='1.1' "      /* change VERSION when interface spec changes */
-			"PLUTO_VERB='%s%s' "
-			"PLUTO_CONNECTION='%s' "
-			"%s"        /* optional PLUTO_NEXT_HOP */
-			"PLUTO_INTERFACE='%s' "
-			"%s"        /* optional PLUTO_HOST_ACCESS */
-			"PLUTO_REQID='%u' "
-			"PLUTO_ME='%s' "
-			"PLUTO_MY_ID='%s' "
-			"PLUTO_MY_CLIENT='%s' "
-			"PLUTO_MY_CLIENT_NET='%s' "
-			"PLUTO_MY_CLIENT_MASK='%s' "
-			"PLUTO_MY_PORT='%u' "
-			"PLUTO_MY_PROTOCOL='%u' "
-			"PLUTO_PEER='%s' "
-			"PLUTO_PEER_ID='%s' "
-			"PLUTO_PEER_CLIENT='%s' "
-			"PLUTO_PEER_CLIENT_NET='%s' "
-			"PLUTO_PEER_CLIENT_MASK='%s' "
-			"PLUTO_PEER_PORT='%u' "
-			"PLUTO_PEER_PROTOCOL='%u' "
-			"PLUTO_PEER_CA='%s' "
-			"%s"        /* optional PLUTO_MY_SRCIP */
-			"%s"        /* optional PLUTO_XAUTH_ID */
-			"%s"        /* optional PLUTO_MARK_IN */
-			"%s"        /* optional PLUTO_MARK_OUT */
-			"%s"        /* optional PLUTO_UDP_ENC */
-			"%s"        /* actual script */
-			, verb, verb_suffix
-			, c->name
-			, nexthop_str
-			, c->interface->vname
-			, sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
-			, sr->reqid
-			, me_str
-			, secure_myid_str
-			, myclient_str
-			, myclientnet_str
-			, myclientmask_str
-			, sr->this.port
-			, sr->this.protocol
-			, peer_str
-			, secure_peerid_str
-			, peerclient_str
-			, peerclientnet_str
-			, peerclientmask_str
-			, sr->that.port
-			, sr->that.protocol
-			, secure_peerca_str
-			, srcip_str
-			, xauth_id_str
-			, mark_in
-			, mark_out
-			, udp_encap
-			, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
-		{
-			loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
-			return FALSE;
-		}
-	}
-
-	DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
-		, verb, verb_suffix, cmd));
-
-	/* invoke the script, catching stderr and stdout
-	 * It may be of concern that some file descriptors will
-	 * be inherited.  For the ones under our control, we
-	 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
-	 * Any used by library routines (perhaps the resolver or syslog)
-	 * will remain.
-	 */
-	FILE *f = popen(cmd, "r");
-
-	if (f == NULL)
-	{
-		loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
-		return FALSE;
-	}
-
-	/* log any output */
-	for (;;)
-	{
-		/* if response doesn't fit in this buffer, it will be folded */
-		char resp[256];
-
-		if (fgets(resp, sizeof(resp), f) == NULL)
-		{
-			if (ferror(f))
-			{
-				log_errno((e, "fgets failed on output of %s%s command"
-					, verb, verb_suffix));
-				return FALSE;
-			}
-			else
-			{
-				passert(feof(f));
-				break;
-			}
-		}
-		else
-		{
-			char *e = resp + strlen(resp);
-
-			if (e > resp && e[-1] == '\n')
-				e[-1] = '\0';       /* trim trailing '\n' */
-			plog("%s%s output: %s", verb, verb_suffix, resp);
-		}
-	}
-
-	/* report on and react to return code */
-	{
-		int r = pclose(f);
-
-		if (r == -1)
-		{
-			log_errno((e, "pclose failed for %s%s command"
-				, verb, verb_suffix));
-			return FALSE;
-		}
-		else if (WIFEXITED(r))
-		{
-			if (WEXITSTATUS(r) != 0)
-			{
-				loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
-					, verb, verb_suffix, WEXITSTATUS(r));
-				return FALSE;
-			}
-		}
-		else if (WIFSIGNALED(r))
-		{
-			loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
-				, verb, verb_suffix, WTERMSIG(r));
-			return FALSE;
-		}
-		else
-		{
-			loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
-				, verb, verb_suffix, r);
-			return FALSE;
-		}
-	}
-	return TRUE;
-}
-
-/* Check that we can route (and eroute).  Diagnose if we cannot. */
-
-enum routability {
-	route_impossible = 0,
-	route_easy = 1,
-	route_nearconflict = 2,
-	route_farconflict = 3
-};
-
-static enum routability could_route(connection_t *c)
-{
-	struct spd_route *esr, *rosr;
-	connection_t *ero      /* who, if anyone, owns our eroute? */
-		, *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */
-
-	/* it makes no sense to route a connection that is ISAKMP-only */
-	if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
-	{
-		loglog(RC_ROUTE, "cannot route an ISAKMP-only connection");
-		return route_impossible;
-	}
-
-	/* if this is a Road Warrior template, we cannot route.
-	 * Opportunistic template is OK.
-	 */
-	if (c->kind == CK_TEMPLATE && !(c->policy & POLICY_OPPO))
-	{
-		loglog(RC_ROUTE, "cannot route Road Warrior template");
-		return route_impossible;
-	}
-
-	/* if we don't know nexthop, we cannot route */
-	if (isanyaddr(&c->spd.this.host_nexthop))
-	{
-		loglog(RC_ROUTE, "cannot route connection without knowing our nexthop");
-		return route_impossible;
-	}
-
-	/* if routing would affect IKE messages, reject */
-	if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
-	 && c->spd.this.host_port != IKE_UDP_PORT
-	 && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
-	{
-		loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
-		return route_impossible;
-	}
-
-	/* If there is already a route for peer's client subnet
-	 * and it disagrees about interface or nexthop, we cannot steal it.
-	 * Note: if this connection is already routed (perhaps for another
-	 * state object), the route will agree.
-	 * This is as it should be -- it will arise during rekeying.
-	 */
-	if (ro != NULL && !routes_agree(ro, c))
-	{
-		loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""
-			, ro->name);
-		return route_impossible;  /* another connection already
-									 using the eroute */
-	}
-
-	/* if there is an eroute for another connection, there is a problem */
-	if (ero != NULL && ero != c)
-	{
-		connection_t *ero2, *ero_top;
-		connection_t *inside, *outside;
-
-		/*
-		 * note, wavesec (PERMANENT) goes *outside* and
-		 * OE goes *inside* (TEMPLATE)
-		 */
-		inside = NULL;
-		outside= NULL;
-		if (ero->kind == CK_PERMANENT
-		   && c->kind == CK_TEMPLATE)
-		{
-			outside = ero;
-			inside = c;
-		}
-		else if (c->kind == CK_PERMANENT
-				&& ero->kind == CK_TEMPLATE)
-		{
-			outside = c;
-			inside = ero;
-		}
-
-		/* okay, check again, with correct order */
-		if (outside && outside->kind == CK_PERMANENT
-			&& inside && inside->kind == CK_TEMPLATE)
-		{
-			char inst[CONN_INST_BUF];
-
-			/* this is a co-terminal attempt of the "near" kind. */
-			/* when chaining, we chain from inside to outside */
-
-			/* XXX permit multiple deep connections? */
-			passert(inside->policy_next == NULL);
-
-			inside->policy_next = outside;
-
-			/* since we are going to steal the eroute from the secondary
-			 * policy, we need to make sure that it no longer thinks that
-			 * it owns the eroute.
-			 */
-			outside->spd.eroute_owner = SOS_NOBODY;
-			outside->spd.routing = RT_UNROUTED_KEYED;
-
-			/* set the priority of the new eroute owner to be higher
-			 * than that of the current eroute owner
-			 */
-			inside->prio = outside->prio + 1;
-
-			fmt_conn_instance(inside, inst);
-
-			loglog(RC_LOG_SERIOUS
-				   , "conflict on eroute (%s), switching eroute to %s and linking %s"
-				   , inst, inside->name, outside->name);
-
-			return route_nearconflict;
-		}
-
-		/* look along the chain of policies for one with the same name */
-		ero_top = ero;
-
-		for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
-		{
-			if (ero2->kind == CK_TEMPLATE
-			&& streq(ero2->name, c->name))
-				break;
-		}
-
-		/* If we fell of the end of the list, then we found no TEMPLATE
-		 * so there must be a conflict that we can't resolve.
-		 * As the names are not equal, then we aren't replacing/rekeying.
-		 */
-		if (ero2 == NULL)
-		{
-			char inst[CONN_INST_BUF];
-
-			fmt_conn_instance(ero, inst);
-
-			loglog(RC_LOG_SERIOUS
-				, "cannot install eroute -- it is in use for \"%s\"%s #%lu"
-				, ero->name, inst, esr->eroute_owner);
-			return route_impossible;
-		}
-	}
-	return route_easy;
-}
-
-bool trap_connection(connection_t *c)
-{
-	switch (could_route(c))
-	{
-	case route_impossible:
-		return FALSE;
-
-	case route_nearconflict:
-	case route_easy:
-		/* RT_ROUTED_TUNNEL is treated specially: we don't override
-		 * because we don't want to lose track of the IPSEC_SAs etc.
-		 */
-		if (c->spd.routing < RT_ROUTED_TUNNEL)
-		{
-			return route_and_eroute(c, &c->spd, NULL);
-		}
-		return TRUE;
-
-	case route_farconflict:
-		return FALSE;
-	}
-
-	return FALSE;
-}
-
-/**
- * Delete any eroute for a connection and unroute it if route isn't shared
- */
-void unroute_connection(connection_t *c)
-{
-	struct spd_route *sr;
-	enum routing_t cr;
-
-	for (sr = &c->spd; sr; sr = sr->next)
-	{
-		cr = sr->routing;
-
-		if (erouted(cr))
-		{
-			/* cannot handle a live one */
-			passert(sr->routing != RT_ROUTED_TUNNEL);
-			shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
-		}
-
-		sr->routing = RT_UNROUTED;  /* do now so route_owner won't find us */
-
-		/* only unroute if no other connection shares it */
-		if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
-		{
-			(void) do_command(c, sr, NULL, "unroute");
-		}
-	}
-}
-
-
-static void set_text_said(char *text_said, const ip_address *dst,
-						  ipsec_spi_t spi, int proto)
-{
-	ip_said said;
-
-	initsaid(dst, spi, proto, &said);
-	satot(&said, 0, text_said, SATOT_BUF);
-}
-
-
-/**
- * Setup an IPsec route entry.
- * op is one of the ERO_* operators.
- */
-static bool raw_eroute(const ip_address *this_host,
-					   const ip_subnet *this_client,
-					   const ip_address *that_host,
-					   const ip_subnet *that_client,
-					   mark_t mark,
-					   ipsec_spi_t spi,
-					   unsigned int proto,
-					   unsigned int satype,
-					   unsigned int transport_proto,
-					   ipsec_sa_cfg_t *sa,
-					   unsigned int op,
-					   const char *opname USED_BY_DEBUG)
-{
-	traffic_selector_t *ts_src, *ts_dst;
-	host_t *host_src, *host_dst;
-	policy_type_t type = POLICY_IPSEC;
-	policy_dir_t dir = POLICY_OUT;
-	policy_priority_t priority = POLICY_PRIORITY_DEFAULT;
-	char text_said[SATOT_BUF];
-	bool ok = TRUE,
-		 deleting = (op & ERO_MASK) == ERO_DELETE,
-		 replacing = op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT);
-
-	set_text_said(text_said, that_host, spi, proto);
-
-	DBG(DBG_CONTROL | DBG_KERNEL,
-		{
-			int sport = ntohs(portof(&this_client->addr));
-			int dport = ntohs(portof(&that_client->addr));
-			char mybuf[SUBNETTOT_BUF];
-			char peerbuf[SUBNETTOT_BUF];
-
-			subnettot(this_client, 0, mybuf, sizeof(mybuf));
-			subnettot(that_client, 0, peerbuf, sizeof(peerbuf));
-			DBG_log("%s eroute %s:%d -> %s:%d => %s:%d"
-				, opname, mybuf, sport, peerbuf, dport
-				, text_said, transport_proto);
-		});
-
-	if (satype == SADB_X_SATYPE_INT)
-	{
-		switch (ntohl(spi))
-		{
-			case SPI_PASS:
-				type = POLICY_PASS;
-				break;
-			case SPI_DROP:
-			case SPI_REJECT:
-				type = POLICY_DROP;
-				break;
-			case SPI_TRAP:
-			case SPI_TRAPSUBNET:
-			case SPI_HOLD:
-				if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-				{
-					return TRUE;
-				}
-				priority = POLICY_PRIORITY_ROUTED;
-				break;
-		}
-	}
-
-	if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-	{
-		dir = POLICY_IN;
-	}
-
-	host_src = host_create_from_sockaddr((sockaddr_t*)this_host);
-	host_dst = host_create_from_sockaddr((sockaddr_t*)that_host);
-	ts_src = traffic_selector_from_subnet(this_client, transport_proto);
-	ts_dst = traffic_selector_from_subnet(that_client, transport_proto);
-
-	if (deleting || replacing)
-	{
-		hydra->kernel_interface->del_policy(hydra->kernel_interface,
-						ts_src, ts_dst, dir, sa->reqid, mark, priority);
-	}
-
-	if (!deleting)
-	{
-		ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
-						host_src, host_dst, ts_src, ts_dst, dir, type, sa,
-						mark, priority) == SUCCESS;
-	}
-
-	if (dir == POLICY_IN)
-	{	/* handle forward policy */
-		dir = POLICY_FWD;
-		if (deleting || replacing)
-		{
-			hydra->kernel_interface->del_policy(hydra->kernel_interface,
-						ts_src, ts_dst, dir, sa->reqid, mark, priority);
-		}
-
-		if (!deleting && ok &&
-			(sa->mode == MODE_TUNNEL || satype == SADB_X_SATYPE_INT))
-		{
-			ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
-						host_src, host_dst, ts_src, ts_dst, dir, type, sa,
-						mark, priority) == SUCCESS;
-		}
-	}
-
-	host_src->destroy(host_src);
-	host_dst->destroy(host_dst);
-	ts_src->destroy(ts_src);
-	ts_dst->destroy(ts_dst);
-
-	return ok;
-}
-
-static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
-							  unsigned int proto, unsigned int satype,
-							  ipsec_sa_cfg_t *sa, unsigned int op,
-							  const char *opname)
-{
-	const ip_address *peer = &sr->that.host_addr;
-	char buf2[256];
-	bool ok;
-
-	snprintf(buf2, sizeof(buf2)
-			 , "eroute_connection %s", opname);
-
-	if (proto == SA_INT)
-	{
-		peer = aftoinfo(addrtypeof(peer))->any;
-	}
-	ok = raw_eroute(peer, &sr->that.client,
-					&sr->this.host_addr, &sr->this.client, sr->mark_in,
-					spi, proto, satype, sr->this.protocol,
-					sa, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), buf2);
-	return raw_eroute(&sr->this.host_addr, &sr->this.client, peer,
-					  &sr->that.client, sr->mark_out, spi, proto, satype,
-					  sr->this.protocol, sa, op, buf2) && ok;
-}
-
-/* assign a bare hold to a connection */
-
-bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
-				 int transport_proto,
-				 const ip_address *src,
-				 const ip_address *dst)
-{
-	/* either the automatically installed %hold eroute is broad enough
-	 * or we try to add a broader one and delete the automatic one.
-	 * Beware: this %hold might be already handled, but still squeak
-	 * through because of a race.
-	 */
-	enum routing_t ro = sr->routing     /* routing, old */
-		, rn = ro;                      /* routing, new */
-
-	passert(LHAS(LELEM(CK_PERMANENT) | LELEM(CK_INSTANCE), c->kind));
-	/* figure out what routing should become */
-	switch (ro)
-	{
-	case RT_UNROUTED:
-		rn = RT_UNROUTED_HOLD;
-		break;
-	case RT_ROUTED_PROSPECTIVE:
-		rn = RT_ROUTED_HOLD;
-		break;
-	default:
-		/* no change: this %hold is old news and should just be deleted */
-		break;
-	}
-
-	/* We need a broad %hold
-	 * First we ensure that there is a broad %hold.
-	 * There may already be one (race condition): no need to create one.
-	 * There may already be a %trap: replace it.
-	 * There may not be any broad eroute: add %hold.
-	 */
-	if (rn != ro)
-	{
-		if (erouted(ro)
-		? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
-							 &null_ipsec_sa, ERO_REPLACE,
-							 "replace %trap with broad %hold")
-		: !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
-							 &null_ipsec_sa, ERO_ADD, "add broad %hold"))
-		{
-			return FALSE;
-		}
-	}
-	sr->routing = rn;
-	return TRUE;
-}
-
-/* install or remove eroute for SA Group */
-static bool sag_eroute(struct state *st, struct spd_route *sr,
-					   unsigned op, const char *opname)
-{
-	u_int inner_proto, inner_satype;
-	ipsec_spi_t inner_spi = 0;
-	ipsec_sa_cfg_t sa = {
-		.mode = MODE_TRANSPORT,
-	};
-	bool tunnel = FALSE;
-
-	if (st->st_ah.present)
-	{
-		inner_spi = st->st_ah.attrs.spi;
-		inner_proto = SA_AH;
-		inner_satype = SADB_SATYPE_AH;
-		sa.ah.use = TRUE;
-		sa.ah.spi = inner_spi;
-		tunnel |= st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
-	}
-
-	if (st->st_esp.present)
-	{
-		inner_spi = st->st_esp.attrs.spi;
-		inner_proto = SA_ESP;
-		inner_satype = SADB_SATYPE_ESP;
-		sa.esp.use = TRUE;
-		sa.esp.spi = inner_spi;
-		tunnel |= st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
-	}
-
-	if (st->st_ipcomp.present)
-	{
-		inner_spi = st->st_ipcomp.attrs.spi;
-		inner_proto = SA_COMP;
-		inner_satype = SADB_X_SATYPE_COMP;
-		sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
-		sa.ipcomp.cpi = htons(ntohl(inner_spi));
-		tunnel |= st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
-	}
-
-	if (!sa.ah.use && !sa.esp.use && !sa.ipcomp.transform)
-	{
-		impossible();   /* no transform at all! */
-	}
-
-	if (tunnel)
-	{
-		inner_spi = st->st_tunnel_out_spi;
-		inner_proto = SA_IPIP;
-		inner_satype = SADB_X_SATYPE_IPIP;
-		sa.mode = MODE_TUNNEL;
-	}
-
-	sa.reqid = sr->reqid;
-
-	return eroute_connection(sr, inner_spi, inner_proto, inner_satype,
-							 &sa, op, opname);
-}
-
-/* compute a (host-order!) SPI to implement the policy in connection c */
-ipsec_spi_t
-shunt_policy_spi(connection_t *c, bool prospective)
-{
-	/* note: these are in host order :-( */
-	static const ipsec_spi_t shunt_spi[] =
-	{
-		SPI_TRAP,       /* --initiateontraffic */
-		SPI_PASS,       /* --pass */
-		SPI_DROP,       /* --drop */
-		SPI_REJECT,     /* --reject */
-	};
-
-	static const ipsec_spi_t fail_spi[] =
-	{
-		0,      /* --none*/
-		SPI_PASS,       /* --failpass */
-		SPI_DROP,       /* --faildrop */
-		SPI_REJECT,     /* --failreject */
-	};
-
-	return prospective
-		? shunt_spi[(c->policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT]
-		: fail_spi[(c->policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT];
-}
-
-/* Add/replace/delete a shunt eroute.
- * Such an eroute determines the fate of packets without the use
- * of any SAs.  These are defaults, in effect.
- * If a negotiation has not been attempted, use %trap.
- * If negotiation has failed, the choice between %trap/%pass/%drop/%reject
- * is specified in the policy of connection c.
- */
-static bool shunt_eroute(connection_t *c, struct spd_route *sr,
-						 enum routing_t rt_kind,
-						 unsigned int op, const char *opname)
-{
-	/* We are constructing a special SAID for the eroute.
-	 * The destination doesn't seem to matter, but the family does.
-	 * The protocol is SA_INT -- mark this as shunt.
-	 * The satype has no meaning, but is required for PF_KEY header!
-	 * The SPI signifies the kind of shunt.
-	 */
-	ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
-
-	if (spi == 0)
-	{
-		/* we're supposed to end up with no eroute: rejig op and opname */
-		switch (op)
-		{
-		case ERO_REPLACE:
-			/* replace with nothing == delete */
-			op = ERO_DELETE;
-			opname = "delete";
-			break;
-		case ERO_ADD:
-			/* add nothing == do nothing */
-			return TRUE;
-		case ERO_DELETE:
-			/* delete remains delete */
-			break;
-		default:
-			bad_case(op);
-		}
-	}
-	if (sr->routing == RT_ROUTED_ECLIPSED && c->kind == CK_TEMPLATE)
-	{
-		/* We think that we have an eroute, but we don't.
-		 * Adjust the request and account for eclipses.
-		 */
-		passert(eclipsable(sr));
-		switch (op)
-		{
-		case ERO_REPLACE:
-			/* really an add */
-			op = ERO_ADD;
-			opname = "replace eclipsed";
-			eclipse_count--;
-			break;
-		case ERO_DELETE:
-			/* delete unnecessary: we don't actually have an eroute */
-			eclipse_count--;
-			return TRUE;
-		case ERO_ADD:
-		default:
-			bad_case(op);
-		}
-	}
-	else if (eclipse_count > 0 && op == ERO_DELETE && eclipsable(sr))
-	{
-		/* maybe we are uneclipsing something */
-		struct spd_route *esr;
-		connection_t *ue = eclipsed(c, &esr);
-
-		if (ue != NULL)
-		{
-			esr->routing = RT_ROUTED_PROSPECTIVE;
-			return shunt_eroute(ue, esr
-								, RT_ROUTED_PROSPECTIVE, ERO_REPLACE, "restoring eclipsed");
-		}
-	}
-
-	return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT,
-							 &null_ipsec_sa, op, opname);
-}
-
-static bool setup_half_ipsec_sa(struct state *st, bool inbound)
-{
-	host_t *host_src, *host_dst;
-	connection_t *c = st->st_connection;
-	struct end *src, *dst;
-	ipsec_mode_t mode = MODE_TRANSPORT;
-	ipsec_sa_cfg_t sa = { .mode = 0 };
-	lifetime_cfg_t lt_none = { .time = { .rekey = 0 } };
-	mark_t mark;
-	bool ok = TRUE;
-	/* SPIs, saved for undoing, if necessary */
-	struct kernel_sa said[EM_MAXRELSPIS], *said_next = said;
-	if (inbound)
-	{
-		src = &c->spd.that;
-		dst = &c->spd.this;
-		mark = c->spd.mark_in;
-	}
-	else
-	{
-		src = &c->spd.this;
-		dst = &c->spd.that;
-		mark = c->spd.mark_out;
-	}
-
-	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
-	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
-	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-		|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-		|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		mode = MODE_TUNNEL;
-	}
-
-	sa.mode = mode;
-	sa.reqid = c->spd.reqid;
-
-	memset(said, 0, sizeof(said));
-
-	/* set up IPCOMP SA, if any */
-
-	if (st->st_ipcomp.present)
-	{
-		ipsec_spi_t ipcomp_spi = inbound ? st->st_ipcomp.our_spi
-										 : st->st_ipcomp.attrs.spi;
-
-		switch (st->st_ipcomp.attrs.transid)
-		{
-			case IPCOMP_DEFLATE:
-				break;
-
-			default:
-				loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented",
-					   enum_name(&ipcomp_transformid_names,
-								 st->st_ipcomp.attrs.transid));
-				goto fail;
-		}
-
-		sa.ipcomp.cpi = htons(ntohl(ipcomp_spi));
-		sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
-
-		said_next->spi = ipcomp_spi;
-		said_next->proto = IPPROTO_COMP;
-
-		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
-						host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
-						mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
-						AUTH_UNDEFINED, chunk_empty, mode,
-						st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, FALSE,
-						inbound, NULL, NULL) != SUCCESS)
-		{
-			goto fail;
-		}
-		said_next++;
-		mode = MODE_TRANSPORT;
-	}
-
-	/* set up ESP SA, if any */
-
-	if (st->st_esp.present)
-	{
-		ipsec_spi_t esp_spi = inbound ? st->st_esp.our_spi
-									  : st->st_esp.attrs.spi;
-		u_char *esp_dst_keymat = inbound ? st->st_esp.our_keymat
-										 : st->st_esp.peer_keymat;
-		bool encap = st->nat_traversal & NAT_T_DETECTED;
-		encryption_algorithm_t enc_alg;
-		integrity_algorithm_t auth_alg;
-		const struct esp_info *ei;
-		chunk_t enc_key, auth_key;
-		u_int16_t key_len;
-
-		if ((ei = kernel_alg_esp_info(st->st_esp.attrs.transid,
-									  st->st_esp.attrs.auth)) == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s"
-				   " not implemented yet",
-				   enum_name(&esp_transform_names, st->st_esp.attrs.transid),
-				   enum_name(&auth_alg_names, st->st_esp.attrs.auth));
-			goto fail;
-		}
-
-		key_len = st->st_esp.attrs.key_len / 8;
-		if (key_len)
-		{
-			/* XXX: must change to check valid _range_ key_len */
-			if (key_len > ei->enckeylen)
-			{
-				loglog(RC_LOG_SERIOUS, "ESP transform %s: key_len=%d > %d",
-					enum_name(&esp_transform_names, st->st_esp.attrs.transid),
-					(int)key_len, (int)ei->enckeylen);
-				goto fail;
-			}
-		}
-		else
-		{
-			key_len = ei->enckeylen;
-		}
-
-		switch (ei->transid)
-		{
-			case ESP_3DES:
-				/* 168 bits in kernel, need 192 bits for keymat_len */
-				if (key_len == 21)
-				{
-					key_len = 24;
-				}
-				break;
-			case ESP_DES:
-				/* 56 bits in kernel, need 64 bits for keymat_len */
-				if (key_len == 7)
-				{
-					key_len = 8;
-				}
-				break;
-			case ESP_AES_CCM_8:
-			case ESP_AES_CCM_12:
-			case ESP_AES_CCM_16:
-				key_len += 3;
-				break;
-			case ESP_AES_GCM_8:
-			case ESP_AES_GCM_12:
-			case ESP_AES_GCM_16:
-			case ESP_AES_CTR:
-			case ESP_AES_GMAC:
-				key_len += 4;
-				break;
-			default:
-				break;
-		}
-
-		if (encap)
-		{
-			host_src->set_port(host_src, src->host_port);
-			host_dst->set_port(host_dst, dst->host_port);
-			// st->nat_oa is currently unused
-		}
-
-		/* divide up keying material */
-		enc_alg = encryption_algorithm_from_esp(st->st_esp.attrs.transid);
-		enc_key.ptr = esp_dst_keymat;
-		enc_key.len = key_len;
-		auth_alg = integrity_algorithm_from_esp(st->st_esp.attrs.auth);
-		auth_alg = auth_alg ? : AUTH_UNDEFINED;
-		auth_key.ptr = esp_dst_keymat + key_len;
-		auth_key.len = ei->authkeylen;
-
-		sa.esp.use = TRUE;
-		sa.esp.spi = esp_spi;
-
-		said_next->spi = esp_spi;
-		said_next->proto = IPPROTO_ESP;
-
-		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
-						host_dst, esp_spi, said_next->proto, c->spd.reqid,
-						mark, 0, &lt_none, enc_alg, enc_key,
-						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
-						encap, FALSE, inbound, NULL, NULL) != SUCCESS)
-		{
-			goto fail;
-		}
-		said_next++;
-		mode = MODE_TRANSPORT;
-	}
-
-	/* set up AH SA, if any */
-
-	if (st->st_ah.present)
-	{
-		ipsec_spi_t ah_spi = inbound ? st->st_ah.our_spi
-									 : st->st_ah.attrs.spi;
-		u_char *ah_dst_keymat = inbound ? st->st_ah.our_keymat
-										: st->st_ah.peer_keymat;
-		integrity_algorithm_t auth_alg;
-		chunk_t auth_key;
-
-		auth_alg = integrity_algorithm_from_esp(st->st_ah.attrs.auth);
-		auth_key.ptr = ah_dst_keymat;
-		auth_key.len = st->st_ah.keymat_len;
-
-		sa.ah.use = TRUE;
-		sa.ah.spi = ah_spi;
-
-		said_next->spi = ah_spi;
-		said_next->proto = IPPROTO_AH;
-
-		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
-						host_dst, ah_spi, said_next->proto, c->spd.reqid,
-						mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
-						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
-						FALSE, FALSE, inbound, NULL, NULL) != SUCCESS)
-		{
-			goto fail;
-		}
-		said_next++;
-		mode = MODE_TRANSPORT;
-	}
-
-	goto cleanup;
-
-fail:
-	/* undo the done SPIs */
-	while (said_next-- != said)
-	{
-		hydra->kernel_interface->del_sa(hydra->kernel_interface, host_src,
-										host_dst, said_next->spi,
-										said_next->proto, 0 /* cpi */,
-										mark);
-	}
-	ok = FALSE;
-
-cleanup:
-	host_src->destroy(host_src);
-	host_dst->destroy(host_dst);
-	return ok;
-}
-
-static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
-{
-	connection_t *c = st->st_connection;
-	const struct end *src, *dst;
-	host_t *host_src, *host_dst;
-	ipsec_spi_t spi;
-	mark_t mark;
-	bool result = TRUE;
-
-	if (inbound)
-	{
-		src = &c->spd.that;
-		dst = &c->spd.this;
-		mark = c->spd.mark_in;
-	}
-	else
-	{
-		src = &c->spd.this;
-		dst = &c->spd.that;
-		mark = c->spd.mark_out;
-	}
-
-	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
-	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
-	if (st->st_ah.present)
-	{
-		spi = inbound ? st->st_ah.our_spi : st->st_ah.attrs.spi;
-		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
-								host_src, host_dst, spi, IPPROTO_AH,
-								0 /* cpi */, mark) == SUCCESS;
-	}
-
-	if (st->st_esp.present)
-	{
-		spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
-		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
-								host_src, host_dst, spi, IPPROTO_ESP,
-								0 /* cpi */, mark) == SUCCESS;
-	}
-
-	if (st->st_ipcomp.present)
-	{
-		spi = inbound ? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
-		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
-								host_src, host_dst, spi, IPPROTO_COMP,
-								0 /* cpi */, mark) == SUCCESS;
-	}
-
-	host_src->destroy(host_src);
-	host_dst->destroy(host_dst);
-
-	return result;
-}
-
-/*
- * get information about a given sa
- */
-bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
-{
-	connection_t *c = st->st_connection;
-	traffic_selector_t *ts_src = NULL, *ts_dst = NULL;
-	host_t *host_src = NULL, *host_dst = NULL;
-	const struct end *src, *dst;
-	ipsec_spi_t spi;
-	mark_t mark;
-	u_int64_t bytes_kernel = 0;
-	bool result = FALSE;
-
-	*use_time = UNDEFINED_TIME;
-
-	if (!st->st_esp.present)
-	{
-		goto failed;
-	}
-
-	if (inbound)
-	{
-		src = &c->spd.that;
-		dst = &c->spd.this;
-		mark = c->spd.mark_in;
-		spi = st->st_esp.our_spi;
-	}
-	else
-	{
-		src = &c->spd.this;
-		dst = &c->spd.that;
-		mark = c->spd.mark_out;
-		spi = st->st_esp.attrs.spi;
-	}
-
-	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
-	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
-	switch(hydra->kernel_interface->query_sa(hydra->kernel_interface, host_src,
-											 host_dst, spi, IPPROTO_ESP,
-											 mark, &bytes_kernel))
-	{
-		case FAILED:
-			goto failed;
-		case SUCCESS:
-			*bytes = bytes_kernel;
-			break;
-		case NOT_SUPPORTED:
-		default:
-			break;
-	}
-
-	if (st->st_serialno == c->spd.eroute_owner)
-	{
-		u_int32_t time_kernel;
-
-		ts_src = traffic_selector_from_subnet(&src->client, src->protocol);
-		ts_dst = traffic_selector_from_subnet(&dst->client, dst->protocol);
-
-		if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-							ts_src, ts_dst, inbound ? POLICY_IN : POLICY_OUT,
-							mark, &time_kernel) != SUCCESS)
-		{
-			goto failed;
-		}
-		*use_time = time_kernel;
-
-		if (inbound &&
-			st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-		{
-			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-							ts_src, ts_dst, POLICY_FWD, mark,
-							&time_kernel) != SUCCESS)
-			{
-				goto failed;
-			}
-			*use_time = max(*use_time, time_kernel);
-		}
-	}
-
-	result = TRUE;
-
-failed:
-	DESTROY_IF(host_src);
-	DESTROY_IF(host_dst);
-	DESTROY_IF(ts_src);
-	DESTROY_IF(ts_dst);
-	return result;
-}
-
-/**
- * Handler for kernel events (called by thread-pool thread)
- */
-kernel_listener_t *kernel_handler;
-
-/**
- * Data for acquire events
- */
-typedef struct {
-	/** Subnets */
-	ip_subnet src, dst;
-	/** Transport protocol */
-	int proto;
-} acquire_data_t;
-
-/**
- * Callback for acquire events (called by main thread)
- */
-void handle_acquire(acquire_data_t *this)
-{
-	record_and_initiate_opportunistic(&this->src, &this->dst, this->proto,
-									  "%acquire");
-}
-
-METHOD(kernel_listener_t, acquire, bool,
-	   kernel_listener_t *this, u_int32_t reqid,
-	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
-{
-	if (src_ts && dst_ts)
-	{
-		acquire_data_t *data;
-		DBG(DBG_CONTROL,
-			DBG_log("creating acquire event for policy %R === %R "
-					"with reqid {%u}", src_ts, dst_ts, reqid));
-		INIT(data,
-			.src = subnet_from_traffic_selector(src_ts),
-			.dst = subnet_from_traffic_selector(dst_ts),
-			.proto = src_ts->get_protocol(src_ts),
-		);
-		pluto->events->queue(pluto->events, (void*)handle_acquire, data, free);
-	}
-	else
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("ignoring acquire without traffic selectors for policy "
-					"with reqid {%u}", reqid));
-	}
-	DESTROY_IF(src_ts);
-	DESTROY_IF(dst_ts);
-	return TRUE;
-}
-
-/**
- * Data for mapping events
- */
-typedef struct {
-	/** reqid, spi of affected SA */
-	u_int32_t reqid, spi;
-	/** new endpont */
-	ip_address new_end;
-} mapping_data_t;
-
-/**
- * Callback for mapping events (called by main thread)
- */
-void handle_mapping(mapping_data_t *this)
-{
-	process_nat_t_new_mapping(this->reqid, this->spi, &this->new_end);
-}
-
-
-METHOD(kernel_listener_t, mapping, bool,
-	   kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, host_t *remote)
-{
-	mapping_data_t *data;
-	DBG(DBG_CONTROL,
-		DBG_log("creating mapping event for SA with SPI %.8x and reqid {%u}",
-				spi, reqid));
-	INIT(data,
-		.reqid = reqid,
-		.spi = spi,
-		.new_end = *(ip_address*)remote->get_sockaddr(remote),
-	);
-	pluto->events->queue(pluto->events, (void*)handle_mapping, data, free);
-	return TRUE;
-}
-
-void init_kernel(void)
-{
-	/* register SA types that we can negotiate */
-	can_do_IPcomp = FALSE;  /* until we get a response from the kernel */
-	pfkey_register();
-
-	INIT(kernel_handler,
-		.acquire = _acquire,
-		.mapping = _mapping,
-	);
-	hydra->kernel_interface->add_listener(hydra->kernel_interface,
-										  kernel_handler);
-}
-
-void kernel_finalize()
-{
-	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
-											 kernel_handler);
-	free(kernel_handler);
-}
-
-/* Note: install_inbound_ipsec_sa is only used by the Responder.
- * The Responder will subsequently use install_ipsec_sa for the outbound.
- * The Initiator uses install_ipsec_sa to install both at once.
- */
-bool install_inbound_ipsec_sa(struct state *st)
-{
-	connection_t *const c = st->st_connection;
-
-	/* If our peer has a fixed-address client, check if we already
-	 * have a route for that client that conflicts.  We will take this
-	 * as proof that that route and the connections using it are
-	 * obsolete and should be eliminated.  Interestingly, this is
-	 * the only case in which we can tell that a connection is obsolete.
-	 */
-	passert(c->kind == CK_PERMANENT || c->kind == CK_INSTANCE);
-	if (c->spd.that.has_client)
-	{
-		for (;;)
-		{
-			struct spd_route *esr;
-			connection_t *o = route_owner(c, &esr, NULL, NULL);
-
-			if (o == NULL)
-			{
-				break;  /* nobody has a route */
-			}
-
-			/* note: we ignore the client addresses at this end */
-			if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) &&
-				o->interface == c->interface)
-			{
-				break;  /* existing route is compatible */
-			}
-
-			if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
-			{
-				break;  /* ??? is this good enough?? */
-			}
-
-			loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
-				, o->name, ip_str(&o->spd.that.host_addr));
-			release_connection(o, FALSE);
-		}
-	}
-
-	DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa() checking if we can route"));
-	/* check that we will be able to route and eroute */
-	switch (could_route(c))
-	{
-		case route_easy:
-		case route_nearconflict:
-			break;
-		default:
-			return FALSE;
-	}
-
-	/* (attempt to) actually set up the SAs */
-	return setup_half_ipsec_sa(st, TRUE);
-}
-
-/* Install a route and then a prospective shunt eroute or an SA group eroute.
- * Assumption: could_route gave a go-ahead.
- * Any SA Group must have already been created.
- * On failure, steps will be unwound.
- */
-bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
-{
-	struct spd_route *esr;
-	struct spd_route *rosr;
-	connection_t *ero      /* who, if anyone, owns our eroute? */
-		, *ro = route_owner(c, &rosr, &ero, &esr);
-	bool eroute_installed = FALSE
-		, firewall_notified = FALSE
-		, route_installed = FALSE;
-
-	connection_t *ero_top;
-
-	DBG(DBG_CONTROLMORE,
-		DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
-				, c->name
-				, (c->policy_next ? c->policy_next->name : "none")
-				, ero ? ero->name : "null"
-				, esr
-				, ro ? ro->name : "null"
-				, rosr
-				, st ? st->st_serialno : 0));
-
-	/* look along the chain of policies for one with the same name */
-	ero_top = ero;
-
-#if 0
-	/* XXX - mcr this made sense before, and likely will make sense
-	 * again, so I'l leaving this to remind me what is up */
-	if (ero!= NULL && ero->routing == RT_UNROUTED_KEYED)
-		ero = NULL;
-
-	for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
-		if ((ero2->kind == CK_TEMPLATE || ero2->kind==CK_SECONDARY)
-		&& streq(ero2->name, c->name))
-			break;
-#endif
-
-	/* install the eroute */
-
-	if (ero != NULL)
-	{
-		/* We're replacing an eroute */
-
-		/* if no state provided, then install a shunt for later */
-		if (st == NULL)
-		{
-			eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
-											, ERO_REPLACE, "replace");
-		}
-		else
-		{
-			eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace");
-		}
-#if 0
-		/* XXX - MCR. I previously felt that this was a bogus check */
-		if (ero != NULL && ero != c && esr != sr)
-		{
-			/* By elimination, we must be eclipsing ero.  Check. */
-			passert(ero->kind == CK_TEMPLATE && streq(ero->name, c->name));
-			passert(LHAS(LELEM(RT_ROUTED_PROSPECTIVE) | LELEM(RT_ROUTED_ECLIPSED)
-				, esr->routing));
-			passert(samesubnet(&esr->this.client, &sr->this.client)
-				&& samesubnet(&esr->that.client, &sr->that.client));
-		}
-#endif
-	}
-	else
-	{
-		/* we're adding an eroute */
-
-		/* if no state provided, then install a shunt for later */
-		if (st == NULL)
-		{
-			eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
-											, ERO_ADD, "add");
-		}
-		else
-		{
-			eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
-		}
-	}
-
-	/* notify the firewall of a new tunnel */
-
-	if (eroute_installed)
-	{
-		/* do we have to notify the firewall?  Yes, if we are installing
-		 * a tunnel eroute and the firewall wasn't notified
-		 * for a previous tunnel with the same clients.  Any Previous
-		 * tunnel would have to be for our connection, so the actual
-		 * test is simple.
-		 */
-		firewall_notified = st == NULL  /* not a tunnel eroute */
-			|| sr->eroute_owner != SOS_NOBODY   /* already notified */
-			|| do_command(c, sr, st, "up"); /* go ahead and notify */
-	}
-
-	/* install the route */
-
-	DBG(DBG_CONTROL,
-		DBG_log("route_and_eroute: firewall_notified: %s"
-				, firewall_notified ? "true" : "false"));
-	if (!firewall_notified)
-	{
-		/* we're in trouble -- don't do routing */
-	}
-	else if (ro == NULL)
-	{
-		/* a new route: no deletion required, but preparation is */
-		(void) do_command(c, sr, st, "prepare");    /* just in case; ignore failure */
-		route_installed = do_command(c, sr, st, "route");
-	}
-	else if (routed(sr->routing) || routes_agree(ro, c))
-	{
-		route_installed = TRUE; /* nothing to be done */
-	}
-	else
-	{
-		/* Some other connection must own the route
-		 * and the route must disagree.  But since could_route
-		 * must have allowed our stealing it, we'll do so.
-		 *
-		 * A feature of LINUX allows us to install the new route
-		 * before deleting the old if the nexthops differ.
-		 * This reduces the "window of vulnerability" when packets
-		 * might flow in the clear.
-		 */
-		if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
-		{
-			(void) do_command(ro, sr, st, "unroute");
-			route_installed = do_command(c, sr, st, "route");
-		}
-		else
-		{
-			route_installed = do_command(c, sr, st, "route");
-			(void) do_command(ro, sr, st, "unroute");
-		}
-
-		/* record unrouting */
-		if (route_installed)
-		{
-			do {
-				passert(!erouted(rosr->routing));
-				rosr->routing = RT_UNROUTED;
-
-				/* no need to keep old value */
-				ro = route_owner(c, &rosr, NULL, NULL);
-			} while (ro != NULL);
-		}
-	}
-
-	/* all done -- clean up */
-	if (route_installed)
-	{
-		/* Success! */
-
-		if (ero != NULL && ero != c)
-		{
-			/* check if ero is an ancestor of c. */
-			connection_t *ero2;
-
-			for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next)
-				;
-
-			if (ero2 == NULL)
-			{
-				/* By elimination, we must be eclipsing ero.  Checked above. */
-				if (ero->spd.routing != RT_ROUTED_ECLIPSED)
-				{
-					ero->spd.routing = RT_ROUTED_ECLIPSED;
-					eclipse_count++;
-				}
-			}
-		}
-
-		if (st == NULL)
-		{
-			passert(sr->eroute_owner == SOS_NOBODY);
-			sr->routing = RT_ROUTED_PROSPECTIVE;
-		}
-		else
-		{
-			char cib[CONN_INST_BUF];
-			sr->routing = RT_ROUTED_TUNNEL;
-
-			DBG(DBG_CONTROL,
-				DBG_log("route_and_eroute: instance \"%s\"%s, setting eroute_owner {spd=%p,sr=%p} to #%ld (was #%ld) (newest_ipsec_sa=#%ld)"
-						, st->st_connection->name
-						, (fmt_conn_instance(st->st_connection, cib), cib)
-						, &st->st_connection->spd, sr
-						, st->st_serialno
-						, sr->eroute_owner
-						, st->st_connection->newest_ipsec_sa));
-			sr->eroute_owner = st->st_serialno;
-		}
-
-		return TRUE;
-	}
-	else
-	{
-		/* Failure!  Unwind our work. */
-		if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
-			(void) do_command(c, sr, st, "down");
-
-		if (eroute_installed)
-		{
-			/* Restore original eroute, if we can.
-			 * Since there is nothing much to be done if the restoration
-			 * fails, ignore success or failure.
-			 */
-			if (ero != NULL)
-			{
-				/* restore ero's former glory */
-				if (esr->eroute_owner == SOS_NOBODY)
-				{
-					/* note: normal or eclipse case */
-					(void) shunt_eroute(ero, esr
-										, esr->routing, ERO_REPLACE, "restore");
-				}
-				else
-				{
-					/* Try to find state that owned eroute.
-					 * Don't do anything if it cannot be found.
-					 * This case isn't likely since we don't run
-					 * the updown script when replacing a SA group
-					 * with its successor (for the same conn).
-					 */
-					struct state *ost = state_with_serialno(esr->eroute_owner);
-
-					if (ost != NULL)
-						(void) sag_eroute(ost, esr, ERO_REPLACE, "restore");
-				}
-			}
-			else
-			{
-				/* there was no previous eroute: delete whatever we installed */
-				if (st == NULL)
-				{
-					(void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete");
-				}
-				else
-				{
-					(void) sag_eroute(st, sr, ERO_DELETE, "delete");
-				}
-			}
-		}
-
-		return FALSE;
-	}
-}
-
-bool install_ipsec_sa(struct state *st, bool inbound_also)
-{
-	struct spd_route *sr;
-
-	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
-							 , st->st_serialno
-							 , inbound_also?
-							 "inbound and outbound" : "outbound only"));
-
-	switch (could_route(st->st_connection))
-	{
-		case route_easy:
-		case route_nearconflict:
-			break;
-		default:
-			return FALSE;
-	}
-
-	/* (attempt to) actually set up the SA group */
-	if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) ||
-		!setup_half_ipsec_sa(st, FALSE))
-	{
-		return FALSE;
-	}
-
-	for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
-	{
-		DBG(DBG_CONTROL, DBG_log("sr for #%ld: %s"
-								 , st->st_serialno
-								 , enum_name(&routing_story, sr->routing)));
-
-		/*
-		 * if the eroute owner is not us, then make it us.
-		 * See test co-terminal-02, pluto-rekey-01, pluto-unit-02/oppo-twice
-		 */
-		pexpect(sr->eroute_owner == SOS_NOBODY
-				|| sr->routing >= RT_ROUTED_TUNNEL);
-
-		if (sr->eroute_owner != st->st_serialno
-			&& sr->routing != RT_UNROUTED_KEYED)
-		{
-			if (!route_and_eroute(st->st_connection, sr, st))
-			{
-				delete_ipsec_sa(st, FALSE);
-				/* XXX go and unroute any SRs that were successfully
-				 * routed already.
-				 */
-				return FALSE;
-			}
-		}
-	}
-
-	return TRUE;
-}
-
-/* delete an IPSEC SA.
- * we may not succeed, but we bull ahead anyway because
- * we cannot do anything better by recognizing failure
- */
-void delete_ipsec_sa(struct state *st, bool inbound_only)
-{
-	if (!inbound_only)
-	{
-		/* If the state is the eroute owner, we must adjust
-		 * the routing for the connection.
-		 */
-		connection_t *c = st->st_connection;
-		struct spd_route *sr;
-
-		passert(st->st_connection);
-
-		for (sr = &c->spd; sr; sr = sr->next)
-		{
-			if (sr->eroute_owner == st->st_serialno
-			&& sr->routing == RT_ROUTED_TUNNEL)
-			{
-				sr->eroute_owner = SOS_NOBODY;
-
-				/* Routing should become RT_ROUTED_FAILURE,
-				 * but if POLICY_FAIL_NONE, then we just go
-				 * right back to RT_ROUTED_PROSPECTIVE as if no
-				 * failure happened.
-				 */
-				sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
-					? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
-
-				(void) do_command(c, sr, st, "down");
-				if ((c->policy & POLICY_DONT_REKEY)	&& c->kind == CK_INSTANCE)
-				{
-					/* in this special case, even if the connection
-					 * is still alive (due to an ISAKMP SA),
-					 * we get rid of routing.
-					 * Even though there is still an eroute, the c->routing
-					 * setting will convince unroute_connection to delete it.
-					 * unroute_connection would be upset if c->routing == RT_ROUTED_TUNNEL
-					 */
-					unroute_connection(c);
-				}
-				else
-				{
-					(void) shunt_eroute(c, sr, sr->routing, ERO_REPLACE, "replace with shunt");
-				}
-			}
-		}
-		(void) teardown_half_ipsec_sa(st, FALSE);
-	}
-	(void) teardown_half_ipsec_sa(st, TRUE);
-}
-
-static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
-{
-	connection_t *c = st->st_connection;
-	host_t *host_src, *host_dst, *new_src, *new_dst;
-	ipsec_spi_t spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
-	struct end *src = inbound ? &c->spd.that : &c->spd.this,
-			   *dst = inbound ? &c->spd.this : &c->spd.that;
-	mark_t mark = inbound ? c->spd.mark_in : c->spd.mark_out;
-	bool result;
-
-	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
-	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
-	new_src = host_src->clone(host_src);
-	new_dst = host_dst->clone(host_dst);
-	new_src->set_port(new_src, src->host_port);
-	new_dst->set_port(new_dst, dst->host_port);
-
-	result = hydra->kernel_interface->update_sa(hydra->kernel_interface,
-					spi, IPPROTO_ESP, 0 /* cpi */, host_src, host_dst,
-					new_src, new_dst, TRUE /* encap */, TRUE /* new_encap */,
-					mark) == SUCCESS;
-
-	host_src->destroy(host_src);
-	host_dst->destroy(host_dst);
-	new_src->destroy(new_src);
-	new_dst->destroy(new_dst);
-
-	return result;
-}
-
-bool update_ipsec_sa (struct state *st)
-{
-	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-	{
-		if (st->st_esp.present && (
-		   (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
-		   (!update_nat_t_ipsec_esp_sa (st, FALSE))))
-		{
-			return FALSE;
-		}
-	}
-	else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
-	{
-		if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE))
-		{
-			return FALSE;
-		}
-	}
-	else
-	{
-		DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/* Check if there was traffic on given SA during the last idle_max
- * seconds. If TRUE, the SA was idle and DPD exchange should be performed.
- * If FALSE, DPD is not necessary. We also return TRUE for errors, as they
- * could mean that the SA is broken and needs to be replace anyway.
- */
-bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
-{
-	time_t use_time;
-	u_int bytes;
-	int ret = TRUE;
-
-	passert(st != NULL);
-
-	if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
-	{
-		*idle_time = time_monotonic(NULL) - use_time;
-		ret = *idle_time >= idle_max;
-	}
-
-	return ret;
-}
diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h
deleted file mode 100644
index 1fa11c50e..000000000
--- a/src/pluto/kernel.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/* declarations of routines that interface with the kernel's IPsec mechanism
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "connections.h"
-
-extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
-
-/* Declare eroute things early enough for uses.
- *
- * Flags are encoded above the low-order byte of verbs.
- * "real" eroutes are only outbound.  Inbound eroutes don't exist,
- * but an addflow with an INBOUND flag allows IPIP tunnels to be
- * limited to appropriate source and destination addresses.
- */
-
-#define ERO_MASK        0xFF
-#define ERO_FLAG_SHIFT  8
-
-#define ERO_DELETE      SADB_X_DELFLOW
-#define ERO_ADD SADB_X_ADDFLOW
-#define ERO_REPLACE     (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
-
-struct pfkey_proto_info {
-		int proto;
-		int encapsulation;
-		unsigned reqid;
-};
-struct sadb_msg;
-
-struct kernel_sa {
-		const ip_address *src;
-		const ip_address *dst;
-
-		const ip_subnet *src_client;
-		const ip_subnet *dst_client;
-
-		ipsec_spi_t spi;
-		unsigned proto;
-		unsigned satype;
-		unsigned transport_proto;
-		unsigned replay_window;
-		unsigned reqid;
-
-		unsigned authalg;
-		unsigned authkeylen;
-		char *authkey;
-
-		unsigned encalg;
-		unsigned enckeylen;
-		char *enckey;
-
-		unsigned compalg;
-
-		int encapsulation;
-
-		u_int16_t natt_sport, natt_dport;
-		u_int8_t transid, natt_type;
-		ip_address *natt_oa;
-
-		const char *text_said;
-};
-
-/* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group.
- * Is there a PF_KEY equivalent?
- */
-#ifndef EM_MAXRELSPIS
-# define EM_MAXRELSPIS 4        /* AH ESP IPCOMP IPIP */
-#endif
-
-extern void record_and_initiate_opportunistic(const ip_subnet *
-											  , const ip_subnet *
-											  , int transport_proto
-											  , const char *why);
-
-extern void init_kernel(void);
-extern void kernel_finalize(void);
-
-extern bool trap_connection(struct connection *c);
-extern void unroute_connection(struct connection *c);
-
-extern bool assign_hold(struct connection *c
-						, struct spd_route *sr
-						, int transport_proto
-						, const ip_address *src, const ip_address *dst);
-
-extern ipsec_spi_t shunt_policy_spi(struct connection *c, bool prospective);
-
-
-struct state;   /* forward declaration of tag */
-extern ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid
-								 , int proto
-								 , struct spd_route *sr
-								 , bool tunnel_mode);
-extern ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel_mode);
-
-extern bool install_inbound_ipsec_sa(struct state *st);
-extern bool install_ipsec_sa(struct state *st, bool inbound_also);
-extern void delete_ipsec_sa(struct state *st, bool inbound_only);
-extern bool route_and_eroute(struct connection *c
-							 , struct spd_route *sr
-							 , struct state *st);
-extern bool was_eroute_idle(struct state *st, time_t idle_max
-	, time_t *idle_time);
-extern bool get_sa_info(struct state *st, bool inbound, u_int *bytes
-	, time_t *use_time);
-
-extern bool update_ipsec_sa(struct state *st);
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
deleted file mode 100644
index b4b18fd80..000000000
--- a/src/pluto/kernel_alg.c
+++ /dev/null
@@ -1,663 +0,0 @@
-/* Kernel runtime algorithm handling interface
- * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#include <sys/queue.h>
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "connections.h"
-#include "state.h"
-#include "packet.h"
-#include "spdb.h"
-#include "kernel.h"
-#include "kernel_alg.h"
-#include "alg_info.h"
-#include "log.h"
-#include "whack.h"
-#include "db_ops.h"
-
-/* ALG storage */
-static struct sadb_alg esp_aalg[SADB_AALG_MAX+1];
-static struct sadb_alg esp_ealg[SADB_EALG_MAX+1];
-static int esp_ealg_num = 0;
-static int esp_aalg_num = 0;
-
-#define ESP_EALG_PRESENT(algo) (((algo)<=SADB_EALG_MAX)&&(esp_ealg[(algo)].sadb_alg_id==(algo)))
-#define ESP_EALG_FOR_EACH_UPDOWN(algo) \
-		for (algo=SADB_EALG_MAX; algo >0 ; algo--) \
-				if (ESP_EALG_PRESENT(algo))
-#define ESP_AALG_PRESENT(algo) ((algo<=SADB_AALG_MAX)&&(esp_aalg[(algo)].sadb_alg_id==(algo)))
-#define ESP_AALG_FOR_EACH_UPDOWN(algo) \
-		for (algo=SADB_AALG_MAX; algo >0 ; algo--) \
-				if (ESP_AALG_PRESENT(algo))
-
-static struct sadb_alg* sadb_alg_ptr (int satype, int exttype, int alg_id,
-									  int rw)
-{
-	struct sadb_alg *alg_p = NULL;
-
-	switch (exttype)
-	{
-	case SADB_EXT_SUPPORTED_AUTH:
-		if (alg_id > SADB_AALG_MAX)
-			return NULL;
-		break;
-	case SADB_EXT_SUPPORTED_ENCRYPT:
-		if (alg_id > SADB_EALG_MAX)
-			return NULL;
-		break;
-	default:
-		return NULL;
-	}
-
-	switch (satype)
-	{
-	case SADB_SATYPE_ESP:
-		alg_p = (exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
-					&esp_ealg[alg_id] : &esp_aalg[alg_id];
-		/* get for write: increment elem count */
-		if (rw)
-		{
-			(exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
-				esp_ealg_num++ : esp_aalg_num++;
-		}
-		break;
-	case SADB_SATYPE_AH:
-	default:
-		return NULL;
-	}
-
-	return alg_p;
-}
-
-const struct sadb_alg* kernel_alg_sadb_alg_get(int satype, int exttype,
-											   int alg_id)
-{
-	return sadb_alg_ptr(satype, exttype, alg_id, 0);
-}
-
-/*
- *      Forget previous registration
- */
-static void kernel_alg_init(void)
-{
-	DBG(DBG_KERNEL,
-		DBG_log("alg_init(): memset(%p, 0, %d) memset(%p, 0, %d)",
-				&esp_aalg,  (int)sizeof (esp_aalg),
-				&esp_ealg,  (int)sizeof (esp_ealg))
-	)
-	memset (&esp_aalg, 0, sizeof (esp_aalg));
-	memset (&esp_ealg, 0, sizeof (esp_ealg));
-	esp_ealg_num=esp_aalg_num = 0;
-}
-
-static int kernel_alg_add(int satype, int exttype,
-						  const struct sadb_alg *sadb_alg)
-{
-	struct sadb_alg *alg_p = NULL;
-	int alg_id = sadb_alg->sadb_alg_id;
-
-	DBG(DBG_KERNEL,
-		DBG_log("kernel_alg_add(): satype=%d, exttype=%d, alg_id=%d",
-				satype, exttype, sadb_alg->sadb_alg_id)
-	)
-	if (!(alg_p = sadb_alg_ptr(satype, exttype, alg_id, 1)))
-		return -1;
-
-	/* This logic "mimics" KLIPS: first algo implementation will be used */
-	if (alg_p->sadb_alg_id)
-	{
-		DBG(DBG_KERNEL,
-			DBG_log("kernel_alg_add(): discarding already setup "
-					"satype=%d, exttype=%d, alg_id=%d",
-					satype, exttype, sadb_alg->sadb_alg_id)
-		)
-		return 0;
-	}
-	*alg_p = *sadb_alg;
-	return 1;
-}
-
-bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
-					struct alg_info_esp *alg_info __attribute__((unused)))
-{
-	struct sadb_alg *alg_p = NULL;
-
-	/*
-	 * test #1: encrypt algo must be present
-	 */
-	int ret = ESP_EALG_PRESENT(alg_id);
-	if (!ret) goto out;
-
-	alg_p = &esp_ealg[alg_id];
-
-	/*
-	 * test #2: if key_len specified, it must be in range
-	 */
-	if (key_len
-	&& (key_len < alg_p->sadb_alg_minbits || key_len > alg_p->sadb_alg_maxbits))
-	{
-		plog("kernel_alg_db_add() key_len not in range: alg_id=%d, "
-			 "key_len=%d, alg_minbits=%d, alg_maxbits=%d"
-			 , alg_id, key_len
-			 , alg_p->sadb_alg_minbits
-			 , alg_p->sadb_alg_maxbits);
-		ret = FALSE;
-	}
-
-out:
-	if (ret)
-	{
-		DBG(DBG_KERNEL,
-			DBG_log("kernel_alg_esp_enc_ok(%d,%d): "
-					"alg_id=%d, "
-					"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-					"res=%d, ret=%d"
-					, alg_id, key_len
-					, alg_p->sadb_alg_id
-					, alg_p->sadb_alg_ivlen
-					, alg_p->sadb_alg_minbits
-					, alg_p->sadb_alg_maxbits
-					, alg_p->sadb_alg_reserved
-					, ret);
-		)
-	}
-	else
-	{
-		DBG(DBG_KERNEL,
-			DBG_log("kernel_alg_esp_enc_ok(%d,%d): NO", alg_id, key_len);
-		)
-	}
-	return ret;
-}
-
-/*
- * ML: make F_STRICT logic consider enc,auth algorithms
- */
-bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
-							 struct alg_info_esp *alg_info)
-{
-	int ealg_insecure;
-
-	/*
-	 * key_len passed comes from esp_attrs read from peer
-	 * For many older algorithms (eg 3DES) this key_len is fixed
-	 * and get passed as 0.
-	 * ... then get default key_len
-	 */
-	if (key_len == 0)
-		key_len = kernel_alg_esp_enc_keylen(ealg) * BITS_PER_BYTE;
-
-	/*
-	 * simple test to toss low key_len, will accept it only
-	 * if specified in "esp" string
-	 */
-	ealg_insecure = (key_len < 128) ;
-
-	if (ealg_insecure
-	|| (alg_info && alg_info->alg_info_flags & ALG_INFO_F_STRICT))
-	{
-		int i;
-		struct esp_info *esp_info;
-
-		if (alg_info)
-		{
-			ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
-			{
-				if (esp_info->esp_ealg_id == ealg
-				&& (esp_info->esp_ealg_keylen == 0 || key_len == 0
-					|| esp_info->esp_ealg_keylen == key_len)
-				&&  esp_info->esp_aalg_id == aalg)
-				{
-					if (ealg_insecure)
-					{
-						loglog(RC_LOG_SERIOUS
-							, "You should NOT use insecure ESP algorithms [%s (%d)]!"
-							, enum_name(&esp_transform_names, ealg), key_len);
-					}
-					return TRUE;
-				}
-			}
-		}
-		plog("IPSec Transform [%s (%d), %s] refused due to %s",
-				enum_name(&esp_transform_names, ealg), key_len,
-				enum_name(&auth_alg_names, aalg),
-				ealg_insecure ? "insecure key_len and enc. alg. not listed in \"esp\" string" : "strict flag");
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/**
- * Load kernel_alg arrays pluto's SADB_REGISTER user by pluto/kernel.c
- */
-void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
-{
-	/* Trick: one 'type-mangle-able' pointer to ease offset/assign */
-	union {
-		const struct sadb_msg *msg;
-		const struct sadb_supported *supported;
-		const struct sadb_ext *ext;
-		const struct sadb_alg *alg;
-		const char *ch;
-	} sadb;
-
-	int satype;
-	int msglen;
-	int i = 0;
-
-	/* Initialize alg arrays */
-	kernel_alg_init();
-	satype = msg_buf->sadb_msg_satype;
-	sadb.msg = msg_buf;
-	msglen = sadb.msg->sadb_msg_len*IPSEC_PFKEYv2_ALIGN;
-	msglen -= sizeof(struct sadb_msg);
-	buflen -= sizeof(struct sadb_msg);
-	passert(buflen > 0);
-
-	sadb.msg++;
-
-	while (msglen)
-	{
-		int supp_exttype = sadb.supported->sadb_supported_exttype;
-		int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
-
-		DBG(DBG_KERNEL,
-			DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
-					"sadb_msg_len=%d sadb_supported_len=%d"
-					, satype==SADB_SATYPE_ESP? "ESP" : "AH"
-					, msg_buf->sadb_msg_len, supp_len)
-		)
-		sadb.supported++;
-		msglen -= supp_len;
-		buflen -= supp_len;
-		passert(buflen >= 0);
-
-		for (supp_len -= sizeof(struct sadb_supported);
-			 supp_len;
-			 supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++)
-		{
-			kernel_alg_add(satype, supp_exttype, sadb.alg);
-
-			DBG(DBG_KERNEL,
-				DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
-						"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
-						"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-						"res=%d"
-						, satype == SADB_SATYPE_ESP? "ESP" : "AH"
-						, i
-						, supp_exttype
-						, satype
-						, sadb.alg->sadb_alg_id
-						, sadb.alg->sadb_alg_ivlen
-						, sadb.alg->sadb_alg_minbits
-						, sadb.alg->sadb_alg_maxbits
-						, sadb.alg->sadb_alg_reserved)
-			)
-			/* if AES_CBC is registered then also register AES_CCM and AES_GCM */
-			if (satype == SADB_SATYPE_ESP &&
-				supp_exttype == SADB_EXT_SUPPORTED_ENCRYPT &&
-				sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC)
-			{
-				struct sadb_alg alg = *sadb.alg;
-				int alg_id;
-
-				for (alg_id = SADB_X_EALG_AES_CCM_ICV8;
-					 alg_id <= SADB_X_EALG_AES_GCM_ICV16; alg_id++)
-				{
-					if (alg_id != ESP_UNASSIGNED_17)
-					{
-						alg.sadb_alg_id = alg_id;
-						kernel_alg_add(satype, supp_exttype, &alg);
-					}
-				}
-
-				/* also register AES_GMAC */
-				alg.sadb_alg_id = SADB_X_EALG_NULL_AES_GMAC;
-				kernel_alg_add(satype, supp_exttype, &alg);
-			}
-			/* if SHA2_256 is registered then also register SHA2_256_96 */
-			if (satype == SADB_SATYPE_ESP &&
-				supp_exttype == SADB_EXT_SUPPORTED_AUTH &&
-				sadb.alg->sadb_alg_id == SADB_X_AALG_SHA2_256HMAC)
-			{
-				struct sadb_alg alg = *sadb.alg;
-
-				alg.sadb_alg_id = SADB_X_AALG_SHA2_256_96HMAC;
-				kernel_alg_add(satype, supp_exttype, &alg);
-			}
-		}
-	}
-}
-
-u_int kernel_alg_esp_enc_keylen(u_int alg_id)
-{
-	u_int keylen = 0;
-
-	if (!ESP_EALG_PRESENT(alg_id))
-	{
-		goto none;
-	}
-	keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE;
-
-	switch (alg_id)
-	{
-		/*
-		 * this is veryUgly[TM]
-		 * Peer should have sent KEY_LENGTH attribute for ESP_AES
-		 * but if not do force it to 128 instead of using sadb_alg_maxbits
-		 * from kernel.
-		 */
-		case ESP_AES:
-			keylen = 128/BITS_PER_BYTE;
-			break;
-	}
-
-none:
-	DBG(DBG_KERNEL,
-		DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
-				alg_id, keylen)
-	)
-	return keylen;
-}
-
-struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id)
-{
-	struct sadb_alg *sadb_alg = (ESP_EALG_PRESENT(alg_id))
-				? &esp_ealg[alg_id] : NULL;
-
-	DBG(DBG_KERNEL,
-		DBG_log("kernel_alg_esp_sadb_alg(): alg_id=%d, sadb_alg=%p"
-				, alg_id, sadb_alg)
-	)
-	return sadb_alg;
-}
-
-/**
- * Print the name of a kernel algorithm
- */
-static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type)
-{
-	char alg_name[BUF_LEN];
-	int alg_name_len;
-
-	alg_name_len = sprintf(alg_name, " %s", enum_name(alg_names, alg_type));
-	if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE)
-	{
-		whack_log(RC_COMMENT, "%s", buf);
-		*len = sprintf(buf, "             ");
-	}
-	sprintf(buf + *len, "%s", alg_name);
-	*len += alg_name_len;
-}
-
-void kernel_alg_list(void)
-{
-	char buf[BUF_LEN];
-	int len;
-	u_int sadb_id;
-
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of registered ESP Algorithms:");
-	whack_log(RC_COMMENT, " ");
-
-	len = sprintf(buf, "  encryption:");
-	for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++)
-	{
-		if (ESP_EALG_PRESENT(sadb_id))
-		{
-			print_alg(buf, &len, &esp_transform_names, sadb_id);
-		}
-	}
-	whack_log(RC_COMMENT, "%s", buf);
-
-	len = sprintf(buf, "  integrity: ");
-	for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++)
-	{
-		if (ESP_AALG_PRESENT(sadb_id))
-		{
-			u_int aaid = alg_info_esp_sadb2aa(sadb_id);
-
-			print_alg(buf, &len, &auth_alg_names, aaid);
-		}
-	}
-	whack_log(RC_COMMENT, "%s", buf);
-}
-
-void kernel_alg_show_connection(connection_t *c, const char *instance)
-{
-	struct state *st = state_with_serialno(c->newest_ipsec_sa);
-
-	if (st && st->st_esp.present)
-	{
-		const char *aalg_name, *pfsgroup_name;
-
-		aalg_name = (c->policy & POLICY_AUTHENTICATE) ?
-					enum_show(&ah_transform_names, st->st_ah.attrs.transid):
-					enum_show(&auth_alg_names, st->st_esp.attrs.auth);
-
-		pfsgroup_name = (c->policy & POLICY_PFS) ?
-						(c->alg_info_esp && c->alg_info_esp->esp_pfsgroup) ?
-							enum_show(&oakley_group_names,
-										  c->alg_info_esp->esp_pfsgroup) :
-							"<Phase1>" : "<N/A>";
-
-		if (st->st_esp.attrs.key_len)
-		{
-			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s_%u/%s/%s",
-				c->name, instance,
-				(st->st_ah.present) ? "/AH" : "",
-				enum_show(&esp_transform_names, st->st_esp.attrs.transid),
-				st->st_esp.attrs.key_len, aalg_name, pfsgroup_name);
-		}
-		else
-		{
-			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s/%s/%s",
-				c->name, instance,
-				(st->st_ah.present) ? "/AH" : "",
-				enum_show(&esp_transform_names, st->st_esp.attrs.transid),
-				aalg_name, pfsgroup_name);
-		}
-	}
-}
-
-bool kernel_alg_esp_auth_ok(u_int auth,
-							struct alg_info_esp *alg_info __attribute__((unused)))
-{
-	return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth));
-}
-
-u_int kernel_alg_esp_auth_keylen(u_int auth)
-{
-	u_int sadb_aalg = alg_info_esp_aa2sadb(auth);
-
-	u_int a_keylen = (sadb_aalg)
-				   ? esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE
-				   : 0;
-
-	DBG(DBG_CONTROL | DBG_CRYPT | DBG_PARSING,
-		DBG_log("kernel_alg_esp_auth_keylen(auth=%d, sadb_aalg=%d): "
-				"a_keylen=%d", auth, sadb_aalg, a_keylen)
-	)
-	return a_keylen;
-}
-
-struct esp_info* kernel_alg_esp_info(int transid, int auth)
-{
-	int sadb_aalg, sadb_ealg;
-	static struct esp_info ei_buf;
-
-	sadb_ealg = transid;
-	sadb_aalg = alg_info_esp_aa2sadb(auth);
-
-	if (!ESP_EALG_PRESENT(sadb_ealg))
-		goto none;
-	if (!ESP_AALG_PRESENT(sadb_aalg))
-		goto none;
-
-	memset(&ei_buf, 0, sizeof (ei_buf));
-	ei_buf.transid = transid;
-	ei_buf.auth = auth;
-
-	/* don't return "default" keylen because this value is used from
-	 * setup_half_ipsec_sa() to "validate" keylen
-	 * In effect,  enckeylen will be used as "max" value
-	 */
-	ei_buf.enckeylen = esp_ealg[sadb_ealg].sadb_alg_maxbits/BITS_PER_BYTE;
-	ei_buf.authkeylen = esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE;
-	ei_buf.encryptalg = sadb_ealg;
-	ei_buf.authalg = sadb_aalg;
-
-	DBG(DBG_PARSING,
-		DBG_log("kernel_alg_esp_info():"
-				"transid=%d, auth=%d, ei=%p, "
-				"enckeylen=%d, authkeylen=%d, encryptalg=%d, authalg=%d",
-				transid, auth, &ei_buf,
-				(int)ei_buf.enckeylen, (int)ei_buf.authkeylen,
-				ei_buf.encryptalg, ei_buf.authalg)
-	)
-	return &ei_buf;
-
-none:
-	DBG(DBG_PARSING,
-		DBG_log("kernel_alg_esp_info():"
-				"transid=%d, auth=%d, ei=NULL",
-				transid, auth)
-	)
-	return NULL;
-}
-
-static void kernel_alg_policy_algorithms(struct esp_info *esp_info)
-{
-	u_int ealg_id = esp_info->esp_ealg_id;
-
-	switch(ealg_id)
-	{
-	case 0:
-	case ESP_DES:
-	case ESP_3DES:
-	case ESP_NULL:
-	case ESP_CAST:
-			break;
-	default:
-		if (!esp_info->esp_ealg_keylen)
-		{
-			/* algos that need  KEY_LENGTH
-			 *
-			 * Note: this is a very dirty hack ;-)
-			 * Idea: Add a key_length_needed attribute to
-			 * esp_ealg ??
-			 */
-			esp_info->esp_ealg_keylen = esp_ealg[ealg_id].sadb_alg_maxbits;
-		}
-	}
-}
-
-static bool kernel_alg_db_add(struct db_context *db_ctx,
-							  struct esp_info *esp_info, lset_t policy)
-{
-	u_int ealg_id, aalg_id;
-
-	ealg_id = esp_info->esp_ealg_id;
-
-	if (!ESP_EALG_PRESENT(ealg_id))
-	{
-		DBG_log("kernel_alg_db_add() kernel enc ealg_id=%d not present", ealg_id);
-		return FALSE;
-	}
-
-	if (!(policy & POLICY_AUTHENTICATE) &&    /* skip ESP auth attrs for AH */
-		esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
-	{
-		aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
-
-		if (!ESP_AALG_PRESENT(aalg_id))
-		{
-			DBG_log("kernel_alg_db_add() kernel auth aalg_id=%d not present",
-					aalg_id);
-			return FALSE;
-		}
-	}
-
-	/* do algo policy */
-	kernel_alg_policy_algorithms(esp_info);
-
-	/*  open new transformation */
-	db_trans_add(db_ctx, ealg_id);
-
-	/* add ESP auth attr if not AH or AEAD */
-	if (!(policy & POLICY_AUTHENTICATE) &&
-		esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
-	{
-		db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);
-	}
-
-	/* add keylength if specified in esp= string */
-	if (esp_info->esp_ealg_keylen)
-	{
-		db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
-	}
-
-	return TRUE;
-}
-
-/*
- *      Create proposal with runtime kernel algos, merging
- *      with passed proposal if not NULL
- *
- *      for now this function does free() previous returned
- *      malloced pointer (this quirk allows easier spdb.c change)
- */
-struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
-									 lset_t policy)
-{
-	const struct esp_info *esp_info;
-	struct esp_info tmp_esp_info;
-	struct db_context *ctx_new = NULL;
-	u_int trans_cnt = esp_ealg_num * esp_aalg_num;
-
-	if (!(policy & POLICY_ENCRYPT))     /* not possible, I think  */
-	{
-		return NULL;
-	}
-
-	/* pass aprox. number of transforms and attributes */
-	ctx_new = db_prop_new(PROTO_IPSEC_ESP, trans_cnt, trans_cnt * 2);
-
-	if (alg_info)
-	{
-		int i;
-
-		ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
-		{
-			tmp_esp_info = *esp_info;
-			kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
-		}
-	}
-	return ctx_new;
-}
-
diff --git a/src/pluto/kernel_alg.h b/src/pluto/kernel_alg.h
deleted file mode 100644
index 4c757db41..000000000
--- a/src/pluto/kernel_alg.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* Kernel runtime algorithm handling interface definitions
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _KERNEL_ALG_H
-#define _KERNEL_ALG_H
-
-#include "alg_info.h"
-#include "spdb.h"
-
-/* status info */
-extern void kernel_alg_show_status(void);
-void kernel_alg_show_connection(struct connection *c, const char *instance);
-
-/* Registration messages from pluto */
-extern void kernel_alg_register_pfkey(const struct sadb_msg *msg, int buflen);
-
-/* ESP interface */
-extern struct sadb_alg *kernel_alg_esp_sadb_alg(u_int alg_id);
-extern u_int kernel_alg_esp_ivlen(u_int alg_id);
-extern bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len, struct alg_info_esp *nfo);
-extern bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, struct alg_info_esp *alg_info);
-extern u_int kernel_alg_esp_enc_keylen(u_int alg_id);
-extern bool kernel_alg_esp_auth_ok(u_int auth, struct alg_info_esp *nfo);
-extern u_int kernel_alg_esp_auth_keylen(u_int auth);
-extern void kernel_alg_list(void);
-
-/* get sadb_alg for passed args */
-extern const struct sadb_alg * kernel_alg_sadb_alg_get(int satype, int exttype, int alg_id);
-
-extern struct db_context * kernel_alg_db_new(struct alg_info_esp *ai, lset_t policy);
-struct esp_info * kernel_alg_esp_info(int esp_id, int auth_id);
-#endif /* _KERNEL_ALG_H */
diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
deleted file mode 100644
index 77fff2f9e..000000000
--- a/src/pluto/kernel_pfkey.c
+++ /dev/null
@@ -1,380 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2003 Herbert Xu.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 1997 Angelos D. Keromytis.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <errno.h>
-#include <unistd.h>
-
-#include <sys/select.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "constants.h"
-#include "kernel.h"
-#include "kernel_pfkey.h"
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "kernel_alg.h"
-
-
-static int pfkeyfd = NULL_FD;
-
-typedef u_int32_t pfkey_seq_t;
-static pfkey_seq_t pfkey_seq = 0; /* sequence number for our PF_KEY messages */
-
-static pid_t pid;
-
-#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
-
-static sparse_names pfkey_type_names = {
-		NE(SADB_RESERVED),
-		NE(SADB_GETSPI),
-		NE(SADB_UPDATE),
-		NE(SADB_ADD),
-		NE(SADB_DELETE),
-		NE(SADB_GET),
-		NE(SADB_ACQUIRE),
-		NE(SADB_REGISTER),
-		NE(SADB_EXPIRE),
-		NE(SADB_FLUSH),
-		NE(SADB_DUMP),
-		NE(SADB_X_PROMISC),
-		NE(SADB_X_PCHANGE),
-		NE(SADB_X_GRPSA),
-		NE(SADB_X_ADDFLOW),
-		NE(SADB_X_DELFLOW),
-		NE(SADB_X_DEBUG),
-		NE(SADB_X_NAT_T_NEW_MAPPING),
-		NE(SADB_MAX),
-		{ 0, sparse_end }
-};
-
-#undef NE
-
-typedef union {
-		unsigned char bytes[PFKEYv2_MAX_MSGSIZE];
-		struct sadb_msg msg;
-	} pfkey_buf;
-
-static bool
-pfkey_input_ready(void)
-{
-	int ndes;
-	fd_set readfds;
-	struct timeval tm = { .tv_sec = 0 }; /* don't wait, polling */
-
-	FD_ZERO(&readfds);  /* we only care about pfkeyfd */
-	FD_SET(pfkeyfd, &readfds);
-
-	do {
-		ndes = select(pfkeyfd + 1, &readfds, NULL, NULL, &tm);
-	} while (ndes == -1 && errno == EINTR);
-
-	if (ndes < 0)
-	{
-		log_errno((e, "select() failed in pfkey_get()"));
-		return FALSE;
-	}
-	else if (ndes == 0)
-	{
-		return FALSE;   /* nothing to read */
-	}
-	passert(ndes == 1 && FD_ISSET(pfkeyfd, &readfds));
-	return TRUE;
-}
-
-/* get a PF_KEY message from kernel.
- * Returns TRUE if message found, FALSE if no message pending,
- * and aborts or keeps trying when an error is encountered.
- * The only validation of the message is that the message length
- * received matches that in the message header, and that the message
- * is for this process.
- */
-static bool
-pfkey_get(pfkey_buf *buf)
-{
-	for (;;)
-	{
-		/* len must be less than PFKEYv2_MAX_MSGSIZE,
-		 * so it should fit in an int.  We use this fact when printing it.
-		 */
-		ssize_t len;
-
-		if (!pfkey_input_ready())
-		{
-			return FALSE;
-		}
-
-		len = read(pfkeyfd, buf->bytes, sizeof(buf->bytes));
-
-		if (len < 0)
-		{
-			if (errno == EAGAIN)
-			{
-				return FALSE;
-			}
-			log_errno((e, "read() failed in pfkey_get()"));
-			return FALSE;
-		}
-		else if ((size_t)len < sizeof(buf->msg))
-		{
-			plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring",
-				 (int)len);
-		}
-		else if ((size_t)len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
-		{
-			plog("pfkey_get read PF_KEY message with length %d that doesn't"
-				 " equal sadb_msg_len %u * %u; ignoring message", (int)len,
-				 (unsigned)buf->msg.sadb_msg_len, (unsigned)IPSEC_PFKEYv2_ALIGN);
-		}
-		else if (buf->msg.sadb_msg_pid != (unsigned)pid)
-		{
-			/* not for us: ignore */
-			DBG(DBG_KERNEL,
-				DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process"
-						" %u", sparse_val_show(pfkey_type_names,
-											   buf->msg.sadb_msg_type),
-						buf->msg.sadb_msg_seq, buf->msg.sadb_msg_pid));
-		}
-		else
-		{
-			DBG(DBG_KERNEL,
-				DBG_log("pfkey_get: %s message %u",
-						sparse_val_show(pfkey_type_names,
-										buf->msg.sadb_msg_type),
-						buf->msg.sadb_msg_seq));
-			return TRUE;
-		}
-	}
-}
-
-/* get a response to a specific message */
-static bool
-pfkey_get_response(pfkey_buf *buf, pfkey_seq_t seq)
-{
-	while (pfkey_get(buf))
-	{
-		if (buf->msg.sadb_msg_seq == seq)
-		{
-			return TRUE;
-		}
-	}
-	return FALSE;
-}
-
-static bool
-pfkey_build(int error, const char *description, const char *text_said,
-			struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	if (error != 0)
-	{
-		loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d", description,
-							   text_said, error);
-		pfkey_extensions_free(extensions);
-		return FALSE;
-	}
-	return TRUE;
-}
-
-/* pfkey_extensions_init + pfkey_build + pfkey_msg_hdr_build */
-static bool
-pfkey_msg_start(u_int8_t msg_type, u_int8_t satype, const char *description,
-				const char *text_said,
-				struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	pfkey_extensions_init(extensions);
-	return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type, satype, 0,
-										   ++pfkey_seq, pid),
-					   description, text_said, extensions);
-}
-
-/* Finish (building, sending, accepting response for) PF_KEY message.
- * If response isn't NULL, the response from the kernel will be
- * placed there (and its errno field will not be examined).
- * Returns TRUE iff all appears well.
- */
-static bool
-finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
-				 const char *description, const char *text_said,
-				 pfkey_buf *response)
-{
-	struct sadb_msg *pfkey_msg;
-	bool success = TRUE;
-	int error;
-
-	error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
-
-	if (error != 0)
-	{
-		loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d",
-							   description, text_said, error);
-		success = FALSE;
-	}
-	else
-	{
-		size_t len = pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
-
-		DBG(DBG_KERNEL,
-			DBG_log("finish_pfkey_msg: %s message %u for %s %s",
-					sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type),
-					pfkey_msg->sadb_msg_seq, description, text_said);
-			DBG_dump(NULL, (void *) pfkey_msg, len));
-
-		ssize_t r = write(pfkeyfd, pfkey_msg, len);
-
-		if (r != (ssize_t)len)
-		{
-			if (r < 0)
-			{
-				log_errno((e, "pfkey write() of %s message %u for %s %s"
-						  " failed", sparse_val_show(pfkey_type_names,
-							pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
-						  description, text_said));
-			}
-			else
-			{
-				loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
-					   " %u for %s %s truncated: %ld instead of %ld",
-					   sparse_val_show(pfkey_type_names,
-							pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
-						description, text_said, (long)r, (long)len);
-			}
-			success = FALSE;
-
-			/* if we were compiled with debugging, but we haven't already
-			 * dumped the command, do so.
-			 */
-#ifdef DEBUG
-			if ((cur_debugging & DBG_KERNEL) == 0)
-				DBG_dump(NULL, (void *) pfkey_msg, len);
-#endif
-		}
-		else
-		{
-			/* Check response from kernel.
-			 * It ought to be an echo, perhaps with additional info.
-			 * If the caller wants it, response will point to space.
-			 */
-			pfkey_buf b;
-			pfkey_buf *bp = response != NULL? response : &b;
-
-			if (!pfkey_get_response(bp,
-						((struct sadb_msg *)extensions[0])->sadb_msg_seq))
-			{
-				loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
-					   " message for %s %s", sparse_val_show(pfkey_type_names,
-							pfkey_msg->sadb_msg_type), description, text_said);
-				success = FALSE;
-			}
-			else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
-			{
-				loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
-					   " message for %s %s was of wrong type (%s)",
-					   sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
-					   description, text_said, sparse_val_show(pfkey_type_names,
-							bp->msg.sadb_msg_type));
-				success = FALSE;
-			}
-			else if (response == NULL && bp->msg.sadb_msg_errno != 0)
-			{
-				/* Kernel is signalling a problem */
-				loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
-					   " included errno %u: %s",
-					   sparse_val_show(pfkey_type_names,
-							pfkey_msg->sadb_msg_type), description, text_said,
-					   (unsigned) bp->msg.sadb_msg_errno,
-					   strerror(bp->msg.sadb_msg_errno));
-				success = FALSE;
-			}
-		}
-	}
-	pfkey_extensions_free(extensions);
-	pfkey_msg_free(&pfkey_msg);
-	return success;
-}
-
-/* Process a SADB_REGISTER message from the kernel.
- * This will be a response to one of ours, but it may be asynchronous
- * (if kernel modules are loaded and unloaded).
- * Some sanity checking has already been performed.
- */
-static void
-pfkey_register_response(const struct sadb_msg *msg)
-{
-	/* Find out what the kernel can support.
-	 */
-	switch (msg->sadb_msg_satype)
-	{
-	case SADB_SATYPE_ESP:
-#ifndef NO_KERNEL_ALG
-		kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
-#endif
-		break;
-	case SADB_X_SATYPE_IPCOMP:
-		/* ??? There ought to be an extension to list the
-		 * supported algorithms, but RFC 2367 doesn't
-		 * list one for IPcomp.
-		 */
-		can_do_IPcomp = TRUE;
-		break;
-	default:
-		break;
-	}
-}
-
-/**  register SA types that can be negotiated */
-static void
-pfkey_register_proto(unsigned satype, const char *satypename)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-	pfkey_buf pfb;
-
-	if (!(pfkey_msg_start(SADB_REGISTER, satype, satypename, NULL, extensions)
-		  && finish_pfkey_msg(extensions, satypename, "", &pfb)))
-	{
-		/* ??? should this be loglog */
-		plog("no kernel support for %s", satypename);
-	}
-	else
-	{
-		pfkey_register_response(&pfb.msg);
-		DBG(DBG_KERNEL,
-			DBG_log("%s registered with kernel.", satypename));
-	}
-}
-
-void
-pfkey_register(void)
-{
-	pid = getpid();
-
-	pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-	if (pfkeyfd == -1)
-	{
-		exit_log_errno((e, "socket() in init_pfkeyfd()"));
-	}
-
-	pfkey_register_proto(SADB_SATYPE_AH, "AH");
-	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
-	pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
-
-	close(pfkeyfd);
-}
diff --git a/src/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h
deleted file mode 100644
index b50ad6c37..000000000
--- a/src/pluto/kernel_pfkey.h
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * Register our capabilities via PF_KEY, also learn the kernel's capabilities,
- * i.e. the supported algorithms.
- */
-void pfkey_register();
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
deleted file mode 100644
index c5adbfd11..000000000
--- a/src/pluto/keys.c
+++ /dev/null
@@ -1,1474 +0,0 @@
-/* mechanisms for preshared keys (public, private, and preshared secrets)
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <errno.h>
-#include <time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-
-#ifdef HAVE_GLOB_H
-#include <glob.h>
-#ifndef GLOB_ABORTED
-# define GLOB_ABORTED    GLOB_ABEND     /* fix for old versions */
-#endif
-#endif
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <asn1/asn1.h>
-#include <credentials/certificates/pgp_certificate.h>
-#include <credentials/sets/mem_cred.h>
-#include <credentials/sets/callback_cred.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "x509.h"
-#include "certs.h"
-#include "smartcard.h"
-#include "connections.h"
-#include "state.h"
-#include "lex.h"
-#include "keys.h"
-#include "adns.h"       /* needs <resolv.h> */
-#include "dnskey.h"     /* needs keys.h and adns.h */
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "timer.h"
-#include "fetch.h"
-
-const char *shared_secrets_file = SHARED_SECRETS_FILE;
-
-
-typedef enum secret_kind_t secret_kind_t;
-
-enum secret_kind_t {
-	SECRET_PSK,
-	SECRET_PUBKEY,
-	SECRET_XAUTH,
-	SECRET_PIN
-};
-
-typedef struct secret_t secret_t;
-
-struct secret_t {
-	linked_list_t *ids;
-	secret_kind_t kind;
-	union {
-		chunk_t        preshared_secret;
-		private_key_t *private_key;
-		smartcard_t   *smartcard;
-	} u;
-	secret_t *next;
-};
-
-/*
- * free a public key struct
- */
-static void free_public_key(pubkey_t *pk)
-{
-	DESTROY_IF(pk->id);
-	DESTROY_IF(pk->public_key);
-	DESTROY_IF(pk->issuer);
-	free(pk->serial.ptr);
-	free(pk);
-}
-
-secret_t *secrets = NULL;
-
-/**
- * Find the secret associated with the combination of me and the peer.
- */
-const secret_t* match_secret(identification_t *my_id, identification_t *his_id,
-							 secret_kind_t kind)
-{
-	enum {      /* bits */
-		match_default = 0x01,
-		match_him     = 0x02,
-		match_me      = 0x04
-	};
-
-	unsigned int best_match = 0;
-	secret_t *s, *best = NULL;
-
-	for (s = secrets; s != NULL; s = s->next)
-	{
-		unsigned int match = 0;
-
-		if (s->kind != kind)
-		{
-			continue;
-		}
-
-		if (s->ids->get_count(s->ids) == 0)
-		{
-			/* a default (signified by lack of ids):
-			 * accept if no more specific match found
-			 */
-			match = match_default;
-		}
-		else
-		{
-			/* check if both ends match ids */
-			enumerator_t *enumerator;
-			identification_t *id;
-
-			enumerator = s->ids->create_enumerator(s->ids);
-			while (enumerator->enumerate(enumerator, &id))
-			{
-				if (my_id->equals(my_id, id))
-				{
-					match |= match_me;
-				}
-				if (his_id->equals(his_id, id))
-				{
-					match |= match_him;
-				}
-			}
-			enumerator->destroy(enumerator);
-
-			/* If our end matched the only id in the list,
-			 * default to matching any peer.
-			 * A more specific match will trump this.
-			 */
-			if (match == match_me && s->ids->get_count(s->ids) == 1)
-			{
-				match |= match_default;
-			}
-		}
-
-		switch (match)
-		{
-			case match_me:
-				/* if this is an asymmetric (eg. public key) system,
-				 * allow this-side-only match to count, even if
-				 * there are other ids in the list.
-				 */
-				if (kind != SECRET_PUBKEY)
-				{
-					break;
-				}
-				/* FALLTHROUGH */
-			case match_default:              /* default all */
-			case match_me | match_default:   /* default peer */
-			case match_me | match_him:       /* explicit */
-				if (match == best_match)
-				{
-					/* two good matches are equally good: do they agree? */
-					bool same = FALSE;
-
-					switch (kind)
-					{
-					case SECRET_PSK:
-					case SECRET_XAUTH:
-						same = chunk_equals(s->u.preshared_secret,
-											best->u.preshared_secret);
-						break;
-					case SECRET_PUBKEY:
-						same = s->u.private_key->equals(s->u.private_key,
-														best->u.private_key);
-						break;
-					default:
-						bad_case(kind);
-					}
-					if (!same)
-					{
-						loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with "
-							"distinct secrets match endpoints: first secret used");
-						best = s;       /* list is backwards: take latest in list */
-					}
-				}
-				else if (match > best_match)
-				{
-					/* this is the best match so far */
-					best_match = match;
-					best = s;
-				}
-		}
-	}
-	return best;
-}
-
-/**
- * Retrieves an XAUTH secret primarily based on the user ID and
- * secondarily based on the server ID
- */
-bool get_xauth_secret(identification_t *user, identification_t *server,
-					  chunk_t *secret)
-{
-	const secret_t *s;
-
-	s = match_secret(user, server, SECRET_XAUTH);
-	if (s)
-	{
-		*secret = chunk_clone(s->u.preshared_secret);
-		return TRUE;
-	}
-	else
-	{
-		*secret = chunk_empty;
-		return FALSE;
-	}
-}
-
-/**
- * We match the ID (if none, the IP address). Failure is indicated by a NULL.
- */
-static const secret_t* get_secret(const connection_t *c, secret_kind_t kind)
-{
-	identification_t *my_id, *his_id;
-	const secret_t *best;
-
-	my_id  = c->spd.this.id;
-
-	if (his_id_was_instantiated(c))
-	{
-		/* roadwarrior: replace him with 0.0.0.0 */
-		his_id = identification_create_from_string("%any");
-	}
-	else if (kind == SECRET_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) &&
-		((c->kind == CK_TEMPLATE &&
-		 c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) ||
-		(c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id))))
-	{
-		/* roadwarrior: replace him with 0.0.0.0 */
-		his_id = identification_create_from_string("%any");
-	}
-	else
-	{
-		his_id = c->spd.that.id->clone(c->spd.that.id);
-	}
-
-	best = match_secret(my_id, his_id, kind);
-
-	his_id->destroy(his_id);
-	return best;
-}
-
-/* find the appropriate preshared key (see get_secret).
- * Failure is indicated by a NULL pointer.
- * Note: the result is not to be freed by the caller.
- */
-const chunk_t* get_preshared_secret(const connection_t *c)
-{
-	const secret_t *s = get_secret(c, SECRET_PSK);
-
-	DBG(DBG_PRIVATE,
-		if (s == NULL)
-			DBG_log("no Preshared Key Found");
-		else
-			DBG_dump_chunk("Preshared Key", s->u.preshared_secret);
-	)
-	return s == NULL? NULL : &s->u.preshared_secret;
-}
-
-/* check the existence of a private key matching a public key contained
- * in an X.509 or OpenPGP certificate
- */
-bool has_private_key(cert_t *cert)
-{
-	secret_t *s;
-	bool has_key = FALSE;
-	public_key_t *pub_key = cert->cert->get_public_key(cert->cert);
-
-	for (s = secrets; s != NULL; s = s->next)
-	{
-		if (s->kind == SECRET_PUBKEY &&
-			s->u.private_key->belongs_to(s->u.private_key, pub_key))
-		{
-			has_key = TRUE;
-			break;
-		}
-	}
-	pub_key->destroy(pub_key);
-	return has_key;
-}
-
-/*
- * get the matching private key belonging to a given X.509 certificate
- */
-private_key_t* get_x509_private_key(const cert_t *cert)
-{
-	public_key_t *public_key = cert->cert->get_public_key(cert->cert);
-	private_key_t *private_key = NULL;
-	secret_t *s;
-
-	for (s = secrets; s != NULL; s = s->next)
-	{
-
-		if (s->kind == SECRET_PUBKEY &&
-			s->u.private_key->belongs_to(s->u.private_key, public_key))
-		{
-			private_key = s->u.private_key;
-			break;
-		}
-	}
-	public_key->destroy(public_key);
-	return private_key;
-}
-
-/* find the appropriate private key (see get_secret).
- * Failure is indicated by a NULL pointer.
- */
-private_key_t* get_private_key(const connection_t *c)
-{
-	const secret_t *s, *best = NULL;
-
-	/* is a certificate assigned to this connection? */
-	if (c->spd.this.cert)
-	{
-		certificate_t *certificate;
-		public_key_t *pub_key;
-
-		certificate = c->spd.this.cert->cert;
-		pub_key = certificate->get_public_key(certificate);
-
-		for (s = secrets; s != NULL; s = s->next)
-		{
-			if (s->kind == SECRET_PUBKEY &&
-				s->u.private_key->belongs_to(s->u.private_key, pub_key))
-			{
-				best = s;
-				break; /* found the private key - no sense in searching further */
-			}
-		}
-		pub_key->destroy(pub_key);
-	}
-	else
-	{
-		best = get_secret(c, SECRET_PUBKEY);
-	}
-	return best ? best->u.private_key : NULL;
-}
-
-/* digest a secrets file
- *
- * The file is a sequence of records.  A record is a maximal sequence of
- * tokens such that the first, and only the first, is in the first column
- * of a line.
- *
- * Tokens are generally separated by whitespace and are key words, ids,
- * strings, or data suitable for ttodata(3).  As a nod to convention,
- * a trailing ":" on what would otherwise be a token is taken as a
- * separate token.  If preceded by whitespace, a "#" is taken as starting
- * a comment: it and the rest of the line are ignored.
- *
- * One kind of record is an include directive.  It starts with "include".
- * The filename is the only other token in the record.
- * If the filename does not start with /, it is taken to
- * be relative to the directory containing the current file.
- *
- * The other kind of record describes a key.  It starts with a
- * sequence of ids and ends with key information.  Each id
- * is an IP address, a Fully Qualified Domain Name (which will immediately
- * be resolved), or @FQDN which will be left as a name.
- *
- * The key part can be in several forms.
- *
- * The old form of the key is still supported: a simple
- * quoted strings (with no escapes) is taken as a preshred key.
- *
- * The new form starts the key part with a ":".
- *
- * For Preshared Key, use the "PSK" keyword, and follow it by a string
- * or a data token suitable for ttodata(3).
- *
- * For RSA Private Key, use the "RSA" keyword, followed by a
- * brace-enclosed list of key field keywords and data values.
- * The data values are large integers to be decoded by ttodata(3).
- * The fields are a subset of those used by BIND 8.2 and have the
- * same names.
- */
-
-/* parse PSK from file */
-static err_t process_psk_secret(chunk_t *psk)
-{
-	err_t ugh = NULL;
-
-	if (*tok == '"' || *tok == '\'')
-	{
-		chunk_t secret = { tok + 1, flp->cur - tok  -2 };
-
-		*psk = chunk_clone(secret);
-		(void) shift();
-	}
-	else
-	{
-		char buf[BUF_LEN];      /* limit on size of binary representation of key */
-		size_t sz;
-
-		ugh = ttodatav(tok, flp->cur - tok, 0, buf, sizeof(buf), &sz
-			, diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
-		if (ugh != NULL)
-		{
-			/* ttodata didn't like PSK data */
-			ugh = builddiag("PSK data malformed (%s): %s", ugh, tok);
-		}
-		else
-		{
-			chunk_t secret = { buf, sz };
-			*psk = chunk_clone(secret);
-			(void) shift();
-		}
-	}
-	return ugh;
-}
-
-typedef enum rsa_private_key_part_t rsa_private_key_part_t;
-
-enum rsa_private_key_part_t {
-	RSA_PART_MODULUS          = 0,
-	RSA_PART_PUBLIC_EXPONENT  = 1,
-	RSA_PART_PRIVATE_EXPONENT = 2,
-	RSA_PART_PRIME1           = 3,
-	RSA_PART_PRIME2           = 4,
-	RSA_PART_EXPONENT1        = 5,
-	RSA_PART_EXPONENT2        = 6,
-	RSA_PART_COEFFICIENT      = 7
-};
-
-const char *rsa_private_key_part_names[] = {
-	"Modulus",
-	"PublicExponent",
-	"PrivateExponent",
-	"Prime1",
-	"Prime2",
-	"Exponent1",
-	"Exponent2",
-	"Coefficient"
-};
-
-/**
- * Parse fields of an RSA private key in BIND 8.2's representation
- * consistiong of a braced list of keyword and value pairs in required order.
- */
-static err_t process_rsa_secret(private_key_t **key)
-{
-	chunk_t rsa_chunk[countof(rsa_private_key_part_names)];
-	u_char buf[RSA_MAX_ENCODING_BYTES];   /* limit on size of binary representation of key */
-	rsa_private_key_part_t part, p;
-	size_t sz;
-	err_t ugh;
-
-	for (part = RSA_PART_MODULUS; part <= RSA_PART_COEFFICIENT; part++)
-	{
-		const char *keyword = rsa_private_key_part_names[part];
-
-		if (!shift())
-		{
-			ugh = "premature end of RSA key";
-			goto end;
-		}
-		if (!tokeqword(keyword))
-		{
-			ugh = builddiag("%s keyword not found where expected in RSA key"
-				, keyword);
-			goto end;
-		}
-		if (!(shift() && (!tokeq(":") || shift())))   /* ignore optional ":" */
-		{
-			ugh = "premature end of RSA key";
-			goto end;
-		}
-		ugh = ttodatav(tok, flp->cur - tok, 0, buf, sizeof(buf), &sz,
-					   diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
-		if (ugh)
-		{
-			ugh = builddiag("RSA data malformed (%s): %s", ugh, tok);
-			goto end;
-		}
-		rsa_chunk[part] = chunk_create(buf, sz);
-		rsa_chunk[part] = chunk_clone(rsa_chunk[part]);
-	}
-
-	/* We require an (indented) '}' and the end of the record.
-	 * We break down the test so that the diagnostic will be more helpful.
-	 * Some people don't seem to wish to indent the brace!
-	 */
-	if (!shift() || !tokeq("}"))
-	{
-		ugh = "malformed end of RSA private key -- indented '}' required";
-		goto end;
-	}
-	if (shift())
-	{
-		ugh = "malformed end of RSA private key -- unexpected token after '}'";
-		goto end;
-	}
-
-	*key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-					BUILD_RSA_MODULUS,  rsa_chunk[RSA_PART_MODULUS],
-					BUILD_RSA_PUB_EXP,  rsa_chunk[RSA_PART_PUBLIC_EXPONENT],
-					BUILD_RSA_PRIV_EXP, rsa_chunk[RSA_PART_PRIVATE_EXPONENT],
-					BUILD_RSA_PRIME1,   rsa_chunk[RSA_PART_PRIME1],
-					BUILD_RSA_PRIME2,   rsa_chunk[RSA_PART_PRIME2],
-					BUILD_RSA_EXP1,     rsa_chunk[RSA_PART_EXPONENT1],
-					BUILD_RSA_EXP2,     rsa_chunk[RSA_PART_EXPONENT2],
-					BUILD_RSA_COEFF,    rsa_chunk[RSA_PART_COEFFICIENT],
-					BUILD_END);
-
-	if (*key == NULL)
-	{
-		ugh = "parsing of RSA private key failed";
-	}
-
-end:
-	/* clean up and return */
-	for (p = RSA_PART_MODULUS ; p < part; p++)
-	{
-		chunk_clear(&rsa_chunk[p]);
-	}
-	return ugh;
-}
-
-/* struct used to prompt for a secret passphrase
- * from a console with file descriptor fd
- */
-typedef struct {
-	char secret[PROMPT_PASS_LEN+1];
-	bool prompt;
-	int fd;
-	int try;
-} prompt_pass_t;
-
-/**
- * Passphrase callback to read from whack fd
- */
-static shared_key_t* whack_pass_cb(prompt_pass_t *pass, shared_key_type_t type,
-								identification_t *me, identification_t *other,
-								id_match_t *match_me, id_match_t *match_other)
-{
-	int n;
-
-	if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS)
-	{
-		return NULL;
-	}
-
-	if (pass->try > MAX_PROMPT_PASS_TRIALS)
-	{
-		whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
-		return NULL;
-	}
-	if (pass->try == 1)
-	{
-		whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
-	}
-	else
-	{
-		whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
-	}
-	pass->try++;
-
-	n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
-	if (n == -1)
-	{
-		whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
-		return NULL;
-	}
-	pass->secret[n-1] = '\0';
-
-	if (strlen(pass->secret) == 0)
-	{
-		whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
-		return NULL;
-	}
-	if (match_me)
-	{
-		*match_me = ID_MATCH_PERFECT;
-	}
-	if (match_other)
-	{
-		*match_other = ID_MATCH_NONE;
-	}
-	return shared_key_create(SHARED_PRIVATE_KEY_PASS,
-				chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
-}
-
-/**
- *  Loads a PKCS#1 or PGP private key file
- */
-static private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
-									   key_type_t type)
-{
-	private_key_t *key = NULL;
-	char *path;
-
-	path = concatenate_paths(PRIVATE_KEY_PATH, filename);
-	if (pass && pass->prompt && pass->fd != NULL_FD)
-	{	/* use passphrase callback */
-		callback_cred_t *cb;
-
-		cb = callback_cred_create_shared((void*)whack_pass_cb, pass);
-		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
-
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path, BUILD_END);
-		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
-		cb->destroy(cb);
-		if (key)
-		{
-			whack_log(RC_SUCCESS, "valid passphrase");
-		}
-	}
-	else if (pass)
-	{	/* use a given passphrase */
-		mem_cred_t *mem;
-		shared_key_t *shared;
-
-		mem = mem_cred_create();
-		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
-		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
-				chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
-		mem->add_shared(mem, shared, NULL);
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path, BUILD_END);
-		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
-		mem->destroy(mem);
-	}
-	else
-	{	/* no passphrase */
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path, BUILD_END);
-
-	}
-	if (key)
-	{
-		plog("  loaded private key from '%s'", filename);
-	}
-	else
-	{
-		plog("  syntax error in private key file");
-	}
-	return key;
-}
-
-/**
- * process a key file protected with optional passphrase which can either be
- * read from ipsec.secrets or prompted for by using whack
- */
-static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
-{
-	char filename[BUF_LEN];
-	prompt_pass_t pass;
-
-	memset(filename,'\0', BUF_LEN);
-	memset(pass.secret,'\0', sizeof(pass.secret));
-	pass.prompt = FALSE;
-	pass.fd = whackfd;
-	pass.try = 1;
-
-	/* we expect the filename of a PKCS#1 private key file */
-
-	if (*tok == '"' || *tok == '\'')  /* quoted filename */
-		memcpy(filename, tok+1, flp->cur - tok - 2);
-	else
-		memcpy(filename, tok, flp->cur - tok);
-
-	if (shift())
-	{
-		/* we expect an appended passphrase or passphrase prompt*/
-		if (tokeqword("%prompt"))
-		{
-			if (pass.fd == NULL_FD)
-			{
-				return "Private key file -- enter passphrase using 'ipsec secrets'";
-			}
-			pass.prompt = TRUE;
-		}
-		else
-		{
-			char *passphrase = tok;
-			size_t len = flp->cur - passphrase;
-
-			if (*tok == '"' || *tok == '\'')  /* quoted passphrase */
-			{
-				passphrase++;
-				len -= 2;
-			}
-			if (len > PROMPT_PASS_LEN)
-			{
-				return "Private key file -- passphrase exceeds 64 characters";
-			}
-			memcpy(pass.secret, passphrase, len);
-		}
-		if (shift())
-		{
-			return "Private key file -- unexpected token after passphrase";
-		}
-	}
-	*key = load_private_key(filename, &pass, type);
-
-	return *key ? NULL : "Private key file -- could not be loaded";
-}
-
-/**
- * Process pin read from ipsec.secrets or prompted for it using whack
- */
-static err_t process_pin(secret_t *s, int whackfd)
-{
-	smartcard_t *sc;
-	const char *pin_status = "no pin";
-
-	s->kind = SECRET_PIN;
-
-	/* looking for the smartcard keyword */
-	if (!shift() || strncmp(tok, SCX_TOKEN, strlen(SCX_TOKEN)) != 0)
-		 return "PIN keyword must be followed by %smartcard<reader>:<id>";
-
-	sc = scx_add(scx_parse_number_slot_id(tok + strlen(SCX_TOKEN)));
-	s->u.smartcard = sc;
-	scx_share(sc);
-	if (sc->pin.ptr != NULL)
-	{
-		scx_release_context(sc);
-		scx_free_pin(&sc->pin);
-	}
-	sc->valid = FALSE;
-
-	if (!shift())
-		return "PIN statement must be terminated either by <pin code>, %pinpad or %prompt";
-
-	if (tokeqword("%prompt"))
-	{
-		shift();
-		/* if whackfd exists, whack will be used to prompt for a pin */
-		if (whackfd != NULL_FD)
-			pin_status = scx_get_pin(sc, whackfd) ? "valid pin" : "invalid pin";
-		else
-			pin_status = "pin entry via prompt";
-	}
-	else if (tokeqword("%pinpad"))
-	{
-		chunk_t empty_pin = { "", 0 };
-
-		shift();
-
-		/* pin will be entered via pin pad during verification */
-		sc->pin = chunk_clone(empty_pin);
-		sc->pinpad = TRUE;
-		sc->valid = TRUE;
-		pin_status = "pin entry via pad";
-		if (pkcs11_keep_state)
-		{
-			scx_verify_pin(sc);
-		}
-	}
-	else
-	{
-		/* we read the pin directly from ipsec.secrets */
-		err_t ugh = process_psk_secret(&sc->pin);
-		if (ugh != NULL)
-		return ugh;
-		/* verify the pin */
-		pin_status = scx_verify_pin(sc) ? "valid PIN" : "invalid PIN";
-	}
-#ifdef SMARTCARD
-	{
-		char buf[BUF_LEN];
-
-		if (sc->any_slot)
-			snprintf(buf, BUF_LEN, "any slot");
-		else
-			snprintf(buf, BUF_LEN, "slot: %lu", sc->slot);
-
-		plog("  %s for #%d (%s, id: %s)"
-			, pin_status, sc->number, scx_print_slot(sc, ""), sc->id);
-	}
-#else
-	plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
-#endif
-	return NULL;
-}
-
-static void log_psk(char *label, secret_t *s)
-{
-	int n = 0;
-	char buf[BUF_LEN];
-	enumerator_t *enumerator;
-	identification_t *id;
-
-	if (s->ids->get_count(s->ids) == 0)
-	{
-		n = snprintf(buf, BUF_LEN, "%%any");
-	}
-	else
-	{
-		enumerator = s->ids->create_enumerator(s->ids);
-		while(enumerator->enumerate(enumerator, &id))
-		{
-			n += snprintf(buf + n, BUF_LEN - n, "%Y ", id);
-			if (n >= BUF_LEN)
-			{
-				n = BUF_LEN - 1;
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	plog("  loaded %s secret for %.*s", label, n, buf);
-}
-
-static void process_secret(secret_t *s, int whackfd)
-{
-	err_t ugh = NULL;
-
-	s->kind = SECRET_PSK;  /* default */
-	if (tokeqword("psk"))
-	{
-		log_psk("PSK", s);
-
-		/* preshared key: quoted string or ttodata format */
-		ugh = !shift()? "unexpected end of record in PSK"
-			: process_psk_secret(&s->u.preshared_secret);
-	}
-	else if (tokeqword("xauth"))
-	{
-		s->kind = SECRET_XAUTH;
-		log_psk("XAUTH", s);
-
-		/* xauth secret: quoted string or ttodata format */
-		ugh = !shift()? "unexpected end of record in XAUTH"
-			: process_psk_secret(&s->u.preshared_secret);
-	}
-	else if (tokeqword("rsa"))
-	{
-		/* RSA key: the fun begins.
-		 * A braced list of keyword and value pairs.
-		 */
-		s->kind = SECRET_PUBKEY;
-		if (!shift())
-		{
-			ugh = "bad RSA key syntax";
-		}
-		else if (tokeq("{"))
-		{
-			ugh = process_rsa_secret(&s->u.private_key);
-		}
-		else
-		{
-		   ugh = process_keyfile(&s->u.private_key, KEY_RSA, whackfd);
-		}
-	}
-	else if (tokeqword("ecdsa"))
-	{
-		s->kind = SECRET_PUBKEY;
-		if (!shift())
-		{
-			ugh = "bad ECDSA key syntax";
-		}
-		else
-		{
-		   ugh = process_keyfile(&s->u.private_key, KEY_ECDSA, whackfd);
-		}
-	}
-	else if (tokeqword("pin"))
-	{
-		ugh = process_pin(s, whackfd);
-	}
-	else
-	{
-		ugh = builddiag("unrecognized key format: %s", tok);
-	}
-
-	if (ugh != NULL)
-	{
-		loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s"
-			, flp->filename, flp->lino, ugh);
-		s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy));
-		free(s);
-	}
-	else if (flushline("expected record boundary in key"))
-	{
-		/* gauntlet has been run: install new secret */
-		lock_certs_and_keys("process_secret");
-		s->next = secrets;
-		secrets = s;
-		unlock_certs_and_keys("process_secrets");
-	}
-}
-
-static void process_secrets_file(const char *file_pat, int whackfd);    /* forward declaration */
-
-static void process_secret_records(int whackfd)
-{
-	/* read records from ipsec.secrets and load them into our table */
-	for (;;)
-	{
-		(void)flushline(NULL);  /* silently ditch leftovers, if any */
-		if (flp->bdry == B_file)
-		{
-			break;
-		}
-		flp->bdry = B_none;     /* eat the Record Boundary */
-		(void)shift();  /* get real first token */
-
-		if (tokeqword("include"))
-		{
-			/* an include directive */
-			char fn[MAX_TOK_LEN];       /* space for filename (I hope) */
-			char *p = fn;
-			char *end_prefix = strrchr(flp->filename, '/');
-
-			if (!shift())
-			{
-				loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of include directive"
-					, flp->filename, flp->lino);
-				continue;   /* abandon this record */
-			}
-
-			/* if path is relative and including file's pathname has
-			 * a non-empty dirname, prefix this path with that dirname.
-			 */
-			if (tok[0] != '/' && end_prefix != NULL)
-			{
-				size_t pl = end_prefix - flp->filename + 1;
-
-				/* "clamp" length to prevent problems now;
-				 * will be rediscovered and reported later.
-				 */
-				if (pl > sizeof(fn))
-				{
-					pl = sizeof(fn);
-				}
-				memcpy(fn, flp->filename, pl);
-				p += pl;
-			}
-			if (flp->cur - tok >= &fn[sizeof(fn)] - p)
-			{
-				loglog(RC_LOG_SERIOUS, "\"%s\" line %d: include pathname too long"
-					, flp->filename, flp->lino);
-				continue;   /* abandon this record */
-			}
-			strcpy(p, tok);
-			(void) shift();     /* move to Record Boundary, we hope */
-			if (flushline("ignoring malformed INCLUDE -- expected Record Boundary after filename"))
-			{
-				process_secrets_file(fn, whackfd);
-				tok = NULL;     /* correct, but probably redundant */
-			}
-		}
-		else
-		{
-			/* expecting a list of indices and then the key info */
-			secret_t *s = malloc_thing(secret_t);
-
-			zero(s);
-			s->ids = linked_list_create();
-			s->kind = SECRET_PSK;  /* default */
-			s->u.preshared_secret = chunk_empty;
-			s->next = NULL;
-
-			for (;;)
-			{
-				if (tokeq(":"))
-				{
-					/* found key part */
-					shift();    /* discard explicit separator */
-					process_secret(s, whackfd);
-					break;
-				}
-				else
-				{
-					identification_t *id;
-
-					id = identification_create_from_string(tok);
-					s->ids->insert_last(s->ids, id);
-
-					if (!shift())
-					{
-						/* unexpected Record Boundary or EOF */
-						loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end"
-							   " of id list", flp->filename, flp->lino);
-						s->ids->destroy_offset(s->ids,
-										offsetof(identification_t, destroy));
-						free(s);
-						break;
-					}
-				}
-			}
-		}
-	}
-}
-
-static int globugh(const char *epath, int eerrno)
-{
-	log_errno_routine(eerrno, "problem with secrets file \"%s\"", epath);
-	return 1;   /* stop glob */
-}
-
-static void process_secrets_file(const char *file_pat, int whackfd)
-{
-	struct file_lex_position pos;
-	char **fnp;
-
-	pos.depth = flp == NULL? 0 : flp->depth + 1;
-
-	if (pos.depth > 10)
-	{
-		loglog(RC_LOG_SERIOUS, "preshared secrets file \"%s\" nested too deeply", file_pat);
-		return;
-	}
-
-#ifdef HAVE_GLOB_H
-	/* do globbing */
-	{
-		glob_t globbuf;
-		int r = glob(file_pat, GLOB_ERR, globugh, &globbuf);
-
-		if (r != 0)
-		{
-			switch (r)
-			{
-			case GLOB_NOSPACE:
-				loglog(RC_LOG_SERIOUS, "out of space processing secrets filename \"%s\"", file_pat);
-				break;
-			case GLOB_ABORTED:
-				break;  /* already logged */
-			case GLOB_NOMATCH:
-				loglog(RC_LOG_SERIOUS, "no secrets filename matched \"%s\"", file_pat);
-				break;
-			default:
-				loglog(RC_LOG_SERIOUS, "unknown glob error %d", r);
-				break;
-			}
-			globfree(&globbuf);
-			return;
-		}
-
-		/* for each file... */
-		for (fnp = globbuf.gl_pathv; *fnp != NULL; fnp++)
-		{
-			if (lexopen(&pos, *fnp, FALSE))
-			{
-				plog("loading secrets from \"%s\"", *fnp);
-				flushline("file starts with indentation (continuation notation)");
-				process_secret_records(whackfd);
-				lexclose();
-			}
-		}
-
-		globfree(&globbuf);
-	}
-#else /* HAVE_GLOB_H */
-	/* if glob(3) is not available, try to load pattern directly */
-	if (lexopen(&pos, file_pat, FALSE))
-	{
-		plog("loading secrets from \"%s\"", file_pat);
-		flushline("file starts with indentation (continuation notation)");
-		process_secret_records(whackfd);
-		lexclose();
-	}
-#endif /* HAVE_GLOB_H */
-}
-
-void free_preshared_secrets(void)
-{
-	lock_certs_and_keys("free_preshared_secrets");
-
-	if (secrets != NULL)
-	{
-		secret_t *s, *ns;
-
-		plog("forgetting secrets");
-
-		for (s = secrets; s != NULL; s = ns)
-		{
-			ns = s->next;
-			s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy));
-
-			switch (s->kind)
-			{
-				case SECRET_PSK:
-				case SECRET_XAUTH:
-					free(s->u.preshared_secret.ptr);
-					break;
-				case SECRET_PUBKEY:
-					DESTROY_IF(s->u.private_key);
-					break;
-				case SECRET_PIN:
-					scx_release(s->u.smartcard);
-					break;
-				default:
-					bad_case(s->kind);
-			}
-			free(s);
-		}
-		secrets = NULL;
-	}
-
-	unlock_certs_and_keys("free_preshard_secrets");
-}
-
-void load_preshared_secrets(int whackfd)
-{
-	free_preshared_secrets();
-	(void) process_secrets_file(shared_secrets_file, whackfd);
-}
-
-/* public key machinery
- * Note: caller must set dns_auth_level.
- */
-
-pubkey_t* public_key_from_rsa(public_key_t *key)
-{
-	pubkey_t *p = malloc_thing(pubkey_t);
-
-	zero(p);
-	p->id = identification_create_from_string("%any");  /* don't know, doesn't matter */
-	p->issuer = NULL;
-	p->serial = chunk_empty;
-	p->public_key = key;
-
-	/* note that we return a 1 reference count upon creation:
-	 * invariant: recount > 0.
-	 */
-	p->refcnt = 1;
-	return p;
-}
-
-/* Free a public key record.
- * As a convenience, this returns a pointer to next.
- */
-pubkey_list_t* free_public_keyentry(pubkey_list_t *p)
-{
-	pubkey_list_t *nxt = p->next;
-
-	if (p->key != NULL)
-	{
-		unreference_key(&p->key);
-	}
-	free(p);
-	return nxt;
-}
-
-void free_public_keys(pubkey_list_t **keys)
-{
-	while (*keys != NULL)
-	{
-		*keys = free_public_keyentry(*keys);
-	}
-}
-
-/* root of chained public key list */
-
-pubkey_list_t *pubkeys = NULL;  /* keys from ipsec.conf */
-
-void free_remembered_public_keys(void)
-{
-	free_public_keys(&pubkeys);
-}
-
-/**
- * Transfer public keys from *keys list to front of pubkeys list
- */
-void transfer_to_public_keys(struct gw_info *gateways_from_dns
-#ifdef USE_KEYRR
-, pubkey_list_t **keys
-#endif /* USE_KEYRR */
-)
-{
-	{
-		struct gw_info *gwp;
-
-		for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
-		{
-			pubkey_list_t *pl = malloc_thing(pubkey_list_t);
-
-			pl->key = gwp->key; /* note: this is a transfer */
-			gwp->key = NULL;    /* really, it is! */
-			pl->next = pubkeys;
-			pubkeys = pl;
-		}
-	}
-
-#ifdef USE_KEYRR
-	{
-		pubkey_list_t **pp = keys;
-
-		while (*pp != NULL)
-		{
-			pp = &(*pp)->next;
-		}
-		*pp = pubkeys;
-		pubkeys = *keys;
-		*keys = NULL;
-	}
-#endif /* USE_KEYRR */
-}
-
-
-static void install_public_key(pubkey_t *pk, pubkey_list_t **head)
-{
-	pubkey_list_t *p = malloc_thing(pubkey_list_t);
-
-	/* install new key at front */
-	p->key = reference_key(pk);
-	p->next = *head;
-	*head = p;
-}
-
-void delete_public_keys(identification_t *id, key_type_t type,
-						identification_t *issuer, chunk_t serial)
-{
-	pubkey_list_t **pp, *p;
-	pubkey_t *pk;
-	key_type_t pk_type;
-
-	for (pp = &pubkeys; (p = *pp) != NULL; )
-	{
-		pk = p->key;
-		pk_type = pk->public_key->get_type(pk->public_key);
-
-		if (id->equals(id, pk->id) && pk_type == type
-		&& (issuer == NULL || pk->issuer == NULL
-			|| issuer->equals(issuer, pk->issuer))
-		&& (serial.ptr == NULL || chunk_equals(serial, pk->serial)))
-		{
-			*pp = free_public_keyentry(p);
-		}
-		else
-		{
-			pp = &p->next;
-		}
-	}
-}
-
-pubkey_t* reference_key(pubkey_t *pk)
-{
-	DBG(DBG_CONTROLMORE,
-		DBG_log("  ref key: %p %p cnt %d '%Y'",
-				 pk, pk->public_key, pk->refcnt, pk->id)
-	)
-	pk->refcnt++;
-	return pk;
-}
-
-void unreference_key(pubkey_t **pkp)
-{
-	pubkey_t *pk = *pkp;
-
-	if (pk == NULL)
-	{
-		return;
-	}
-
-	DBG(DBG_CONTROLMORE,
-		DBG_log("unref key: %p %p cnt %d '%Y'",
-				 pk, pk->public_key, pk->refcnt, pk->id)
-	)
-
-	/* cancel out the pointer */
-	*pkp = NULL;
-
-	passert(pk->refcnt != 0);
-	pk->refcnt--;
-	if (pk->refcnt == 0)
-	{
-		free_public_key(pk);
-	}
-}
-
-bool add_public_key(identification_t *id, enum dns_auth_level dns_auth_level,
-					enum pubkey_alg alg, chunk_t rfc3110_key,
-					pubkey_list_t **head)
-{
-	public_key_t *key = NULL;
-	pubkey_t *pk;
-
-   /* first: algorithm-specific decoding of key chunk */
-	switch (alg)
-	{
-		case PUBKEY_ALG_RSA:
-			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-										BUILD_BLOB_DNSKEY, rfc3110_key,
-										BUILD_END);
-			if (key == NULL)
-			{
-				return FALSE;
-			}
-			break;
-		default:
-			bad_case(alg);
-	}
-
-	pk = malloc_thing(pubkey_t);
-	zero(pk);
-	pk->public_key = key;
-	pk->id = id->clone(id);
-	pk->dns_auth_level = dns_auth_level;
-	pk->until_time = UNDEFINED_TIME;
-	pk->issuer = NULL;
-	pk->serial = chunk_empty;
-	install_public_key(pk, head);
-	return TRUE;
-}
-
-/**
- * Extract id and public key a certificate and insert it into a pubkeyrec
- */
-void add_public_key_from_cert(cert_t *cert , time_t until,
-							  enum dns_auth_level dns_auth_level)
-{
-	certificate_t *certificate = cert->cert;
-	identification_t *subject = certificate->get_subject(certificate);
-	identification_t *issuer = NULL;
-	identification_t *id;
-	chunk_t serialNumber = chunk_empty;
-	pubkey_t *pk;
-	key_type_t pk_type;
-
-	/* ID type: ID_DER_ASN1_DN  (X.509 subject field) */
-	pk = malloc_thing(pubkey_t);
-	zero(pk);
-	pk->public_key = certificate->get_public_key(certificate);
-	pk_type = pk->public_key->get_type(pk->public_key);
-	pk->id = subject->clone(subject);
-	pk->dns_auth_level = dns_auth_level;
-	pk->until_time = until;
-	if (certificate->get_type(certificate) == CERT_X509)
-	{
-		x509_t *x509 = (x509_t*)certificate;
-
-		issuer = certificate->get_issuer(certificate);
-		serialNumber = x509->get_serial(x509);
-		pk->issuer = issuer->clone(issuer);
-		pk->serial = chunk_clone(serialNumber);
-	}
-	delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
-	install_public_key(pk, &pubkeys);
-
-	if (certificate->get_type(certificate) == CERT_X509)
-	{
-		x509_t *x509 = (x509_t*)certificate;
-		enumerator_t *enumerator;
-
-		/* insert all subjectAltNames from X.509 certificates */
-		enumerator = x509->create_subjectAltName_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &id))
-		{
-			if (id->get_type(id) != ID_ANY)
-			{
-				pk = malloc_thing(pubkey_t);
-				zero(pk);
-				pk->id = id->clone(id);
-				pk->public_key = certificate->get_public_key(certificate);
-				pk->dns_auth_level = dns_auth_level;
-				pk->until_time = until;
-				pk->issuer = issuer->clone(issuer);
-				pk->serial = chunk_clone(serialNumber);
-				delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
-				install_public_key(pk, &pubkeys);
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	else
-	{
-		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)certificate;
-		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
-
-		/* add v3 or v4 PGP fingerprint */
-		pk = malloc_thing(pubkey_t);
-		zero(pk);
-		pk->id = identification_create_from_encoding(ID_KEY_ID, fingerprint);
-		pk->public_key = certificate->get_public_key(certificate);
-		pk->dns_auth_level = dns_auth_level;
-		pk->until_time = until;
-		delete_public_keys(pk->id, pk_type, pk->issuer, pk->serial);
-		install_public_key(pk, &pubkeys);
-	}
-}
-
-/*  when a X.509 certificate gets revoked, all instances of
- *  the corresponding public key must be removed
- */
-void remove_x509_public_key(const cert_t *cert)
-{
-	public_key_t *revoked_key = cert->cert->get_public_key(cert->cert);
-	pubkey_list_t *p, **pp;
-
-	p  = pubkeys;
-	pp = &pubkeys;
-
-	while(p != NULL)
-	{
-		if (revoked_key->equals(revoked_key, p->key->public_key))
-		{
-			/* remove p from list and free memory */
-			*pp = free_public_keyentry(p);
-			loglog(RC_LOG_SERIOUS, "invalid public key deleted");
-		}
-		else
-		{
-			pp = &p->next;
-		}
-		p =*pp;
-	}
-	revoked_key->destroy(revoked_key);
-}
-
-/*
- *  list all public keys in the chained list
- */
-void list_public_keys(bool utc)
-{
-	pubkey_list_t *p = pubkeys;
-	chunk_t serial;
-
-	if (p != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of Public Keys:");
-	}
-
-	while (p != NULL)
-	{
-		pubkey_t *key = p->key;
-		public_key_t *public = key->public_key;
-		chunk_t keyid;
-
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "  identity: '%Y'", key->id);
-		whack_log(RC_COMMENT, "  pubkey:    %N %4d bits, until %T %s",
-			key_type_names, public->get_type(public),
-			public->get_keysize(public),
-			&key->until_time, utc,
-			check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
-		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
-		{
-			whack_log(RC_COMMENT,"  keyid:     %#B", &keyid);
-		}
-		if (key->issuer)
-		{
-			whack_log(RC_COMMENT,"  issuer:   \"%Y\"", key->issuer);
-		}
-		if (key->serial.len)
-		{
-			serial = chunk_skip_zero(key->serial);
-			whack_log(RC_COMMENT,"  serial:    %#B", &serial);
-		}
-		p = p->next;
-	}
-}
diff --git a/src/pluto/keys.h b/src/pluto/keys.h
deleted file mode 100644
index 73cc21392..000000000
--- a/src/pluto/keys.h
+++ /dev/null
@@ -1,93 +0,0 @@
-/* mechanisms for preshared keys (public, private, and preshared secrets)
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen, Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _KEYS_H
-#define _KEYS_H
-
-#include <utils/identification.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/keys/public_key.h>
-
-#include "certs.h"
-#include "connections.h"
-
-#ifndef SHARED_SECRETS_FILE
-# define SHARED_SECRETS_FILE  IPSEC_CONFDIR "/ipsec.secrets"
-#endif
-
-const char *shared_secrets_file;
-
-extern void load_preshared_secrets(int whackfd);
-extern void free_preshared_secrets(void);
-
-extern void xauth_defaults(void);
-
-extern bool get_xauth_secret(identification_t *user, identification_t *server,
-							 chunk_t *secret);
-extern const chunk_t *get_preshared_secret(const connection_t *c);
-extern private_key_t *get_private_key(const connection_t *c);
-extern private_key_t *get_x509_private_key(const cert_t *cert);
-
-/* public key machinery  */
-
-typedef struct pubkey pubkey_t;
-
-struct pubkey {
-	identification_t *id;
-	unsigned refcnt;    /* reference counted! */
-	enum dns_auth_level dns_auth_level;
-	char *dns_sig;
-	time_t last_tried_time, last_worked_time, until_time;
-	identification_t *issuer;
-	chunk_t serial;
-	public_key_t *public_key;
-};
-
-typedef struct pubkey_list pubkey_list_t;
-
-struct pubkey_list {
-	pubkey_t *key;
-	pubkey_list_t *next;
-};
-
-extern pubkey_list_t *pubkeys;  /* keys from ipsec.conf or from certs */
-
-extern pubkey_t *public_key_from_rsa(public_key_t *key);
-extern pubkey_list_t *free_public_keyentry(pubkey_list_t *p);
-extern void free_public_keys(pubkey_list_t **keys);
-extern void free_remembered_public_keys(void);
-extern void delete_public_keys(identification_t *id, key_type_t type,
-							   identification_t *issuer, chunk_t serial);
-extern pubkey_t *reference_key(pubkey_t *pk);
-extern void unreference_key(pubkey_t **pkp);
-extern bool add_public_key(identification_t *id,
-						   enum dns_auth_level dns_auth_level,
-						   enum pubkey_alg alg,
-						   chunk_t rfc3110_key,
-						   pubkey_list_t **head);
-extern bool has_private_key(cert_t *cert);
-extern void add_public_key_from_cert(cert_t *cert, time_t until,
-									 enum dns_auth_level dns_auth_level);
-extern void remove_x509_public_key(const cert_t *cert);
-extern void list_public_keys(bool utc);
-
-struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
-extern void transfer_to_public_keys(struct gw_info *gateways_from_dns
-#ifdef USE_KEYRR
-	, pubkey_list_t **keys
-#endif /* USE_KEYRR */
-	);
-
-#endif /* _KEYS_H */
diff --git a/src/pluto/lex.c b/src/pluto/lex.c
deleted file mode 100644
index d5ebdaba9..000000000
--- a/src/pluto/lex.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/* lexer (lexical analyzer) for control files
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "lex.h"
-
-struct file_lex_position *flp = NULL;
-
-/* Open a file for lexical processing.
- * new_flp and name must point into storage with will live
- * at least until the file is closed.
- */
-bool
-lexopen(struct file_lex_position *new_flp, const char *name, bool optional)
-{
-	FILE *f = fopen(name, "r");
-
-	if (f == NULL)
-	{
-		if (!optional || errno != ENOENT)
-			log_errno((e, "could not open \"%s\"", name));
-		return FALSE;
-	}
-	else
-	{
-		new_flp->previous = flp;
-		flp = new_flp;
-		flp->filename = name;
-		flp->fp = f;
-		flp->lino = 0;
-		flp->bdry = B_none;
-
-		flp->cur = flp->buffer; /* nothing loaded yet */
-		flp->under = *flp->cur = '\0';
-
-		(void) shift(); /* prime tok */
-		return TRUE;
-	}
-}
-
-void
-lexclose(void)
-{
-	fclose(flp->fp);
-	flp = flp->previous;
-}
-
-/* Token decoding: shift() loads the next token into tok.
- * Iff a token starts at the left margin, it is considered
- * to be the first in a record.  We create a special condition,
- * Record Boundary (analogous to EOF), just before such a token.
- * We are unwilling to shift through a record boundary:
- * it must be overridden first.
- * Returns FALSE iff Record Boundary or EOF (i.e. no token);
- * tok will then be NULL.
- */
-
-char *tok;
-#define tokeq(s) (streq(tok, (s)))
-#define tokeqword(s) (strcasecmp(tok, (s)) == 0)
-
-bool
-shift(void)
-{
-	char *p = flp->cur;
-	char *sor = NULL;   /* start of record for any new lines */
-
-	passert(flp->bdry == B_none);
-
-	*p = flp->under;
-	flp->under = '\0';
-
-	for (;;)
-	{
-		switch (*p)
-		{
-		case '\0':      /* end of line */
-		case '#':       /* comment to end of line: treat as end of line */
-			/* get the next line */
-			if (fgets(flp->buffer, sizeof(flp->buffer)-1, flp->fp) == NULL)
-			{
-				flp->bdry = B_file;
-				tok = flp->cur = NULL;
-				return FALSE;
-			}
-			else
-			{
-				/* strip trailing whitespace, including \n */
-
-				for (p = flp->buffer+strlen(flp->buffer)-1
-				; p>flp->buffer && isspace(p[-1]); p--)
-					;
-				*p = '\0';
-
-				flp->lino++;
-				sor = p = flp->buffer;
-			}
-			break;      /* try again for a token */
-
-		case ' ':       /* whitespace */
-		case '\t':
-			p++;
-			break;      /* try again for a token */
-
-		case '"':       /* quoted token */
-		case '\'':
-			if (p != sor)
-			{
-				/* we have a quoted token: note and advance to its end */
-				tok = p;
-				p = strchr(p+1, *p);
-				if (p == NULL)
-				{
-					loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unterminated string"
-						, flp->filename, flp->lino);
-					p = tok + strlen(tok);
-				}
-				else
-				{
-					p++;        /* include delimiter in token */
-				}
-
-				/* remember token delimiter and replace with '\0' */
-				flp->under = *p;
-				*p = '\0';
-				flp->cur = p;
-				return TRUE;
-			}
-			/* FALL THROUGH */
-		default:
-			if (p != sor)
-			{
-				/* we seem to have a token: note and advance to its end */
-				tok = p;
-
-				if (p[0] == '0' && p[1] == 't')
-				{
-					/* 0t... token goes to end of line */
-					p += strlen(p);
-				}
-				else
-				{
-					/* "ordinary" token: up to whitespace or end of line */
-					do {
-						p++;
-					} while (*p != '\0' && !isspace(*p))
-						;
-
-					/* fudge to separate ':' from a preceding adjacent token */
-					if (p-1 > tok && p[-1] == ':')
-						p--;
-				}
-
-				/* remember token delimiter and replace with '\0' */
-				flp->under = *p;
-				*p = '\0';
-				flp->cur = p;
-				return TRUE;
-			}
-
-			/* we have a start-of-record: return it, deferring "real" token */
-			flp->bdry = B_record;
-			tok = NULL;
-			flp->under = *p;
-			flp->cur = p;
-			return FALSE;
-		}
-	}
-}
-
-/* ensures we are at a Record (or File) boundary, optionally warning if not */
-
-bool
-flushline(const char *m)
-{
-	if (flp->bdry != B_none)
-	{
-		return TRUE;
-	}
-	else
-	{
-		if (m != NULL)
-			loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s", flp->filename, flp->lino, m);
-		do {} while (shift());
-		return FALSE;
-	}
-}
diff --git a/src/pluto/lex.h b/src/pluto/lex.h
deleted file mode 100644
index aa0be7829..000000000
--- a/src/pluto/lex.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/* lexer (lexical analyzer) for control files
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#define MAX_TOK_LEN 2048    /* includes terminal '\0' */
-struct file_lex_position
-{
-	int depth;  /* how deeply we are nested */
-	const char *filename;
-	FILE *fp;
-	enum { B_none, B_record, B_file } bdry;     /* current boundary */
-	int lino;   /* line number in file */
-	char buffer[MAX_TOK_LEN + 1];    /* note: one extra char for our use (jamming '"') */
-	char *cur;  /* cursor */
-	char under; /* except in shift(): character originally at *cur */
-	struct file_lex_position *previous;
-};
-
-extern struct file_lex_position *flp;
-
-extern bool lexopen(struct file_lex_position *new_flp, const char *name, bool optional);
-extern void lexclose(void);
-
-
-/* Token decoding: shift() loads the next token into tok.
- * Iff a token starts at the left margin, it is considered
- * to be the first in a record.  We create a special condition,
- * Record Boundary (analogous to EOF), just before such a token.
- * We are unwilling to shift through a record boundary:
- * it must be overridden first.
- * Returns FALSE iff Record Boundary or EOF (i.e. no token);
- * tok will then be NULL.
- */
-
-extern char *tok;
-#define tokeq(s) (streq(tok, (s)))
-#define tokeqword(s) (strcasecmp(tok, (s)) == 0)
-
-extern bool shift(void);
-extern bool flushline(const char *m);
diff --git a/src/pluto/log.c b/src/pluto/log.c
deleted file mode 100644
index f6fa226d5..000000000
--- a/src/pluto/log.c
+++ /dev/null
@@ -1,946 +0,0 @@
-/* error logging functions
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001 D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-#include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
-#include <sys/queue.h>
-#include <libgen.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#ifdef ANDROID
-#include <android/log.h>
-#endif
-
-#include <freeswan.h>
-#include <library.h>
-#include <debug.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "server.h"
-#include "state.h"
-#include "connections.h"
-#include "myid.h"
-#include "kernel.h"
-#include "whack.h"
-#include "whack_attribute.h"
-#include "timer.h"
-
-/* close one per-peer log */
-static void perpeer_logclose(connection_t *c);     /* forward */
-
-
-bool
-	log_to_stderr = TRUE,       /* should log go to stderr? */
-	log_to_syslog = TRUE,       /* should log go to syslog? */
-	log_to_perpeer= FALSE;      /* should log go to per-IP file? */
-
-bool
-	logged_txt_warning = FALSE;  /* should we complain about finding KEY? */
-
-/* should we complain when we find no local id */
-bool
-	logged_myid_fqdn_txt_warning = FALSE,
-	logged_myid_ip_txt_warning   = FALSE,
-	logged_myid_fqdn_key_warning = FALSE,
-	logged_myid_ip_key_warning   = FALSE;
-
-/* may include trailing / */
-const char *base_perpeer_logdir = PERPEERLOGDIR;
-static int perpeer_count = 0;
-
-/* from sys/queue.h */
-static TAILQ_HEAD(perpeer, connection) perpeer_list;
-
-
-/* Context for logging.
- *
- * Global variables: must be carefully adjusted at transaction boundaries!
- * If the context provides a whack file descriptor, messages
- * should be copied to it -- see whack_log()
- */
-int whack_log_fd = NULL_FD;     /* only set during whack_handle() */
-struct state *cur_state = NULL; /* current state, for diagnostics */
-connection_t *cur_connection = NULL;       /* current connection, for diagnostics */
-const ip_address *cur_from = NULL;      /* source of current current message */
-u_int16_t cur_from_port;        /* host order */
-
-/**
- * pluto dbg function for libstrongswan
- */
-static void pluto_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-	int priority = LOG_INFO;
-	int debug_level;
-	char buffer[8192];
-	char *current = buffer, *next;
-	va_list args;
-
-	if (cur_debugging & DBG_PRIVATE)
-	{
-		debug_level = 4;
-	}
-	else if (cur_debugging & DBG_RAW)
-	{
-		debug_level = 3;
-	}
-	else if (cur_debugging & DBG_PARSING)
-	{
-		debug_level = 2;
-	}
-	else
-	{
-		debug_level = 1;
-	}
-
-	if (level <= debug_level)
-	{
-		va_start(args, fmt);
-
-		if (log_to_stderr)
-		{
-			if (level > 1)
-			{
-				fprintf(stderr, "| ");
-			}
-			vfprintf(stderr, fmt, args);
-			fprintf(stderr, "\n");
-		}
-		if (log_to_syslog
-#ifdef ANDROID
-			|| TRUE
-#endif
-			)
-		{
-			/* write in memory buffer first */
-			vsnprintf(buffer, sizeof(buffer), fmt, args);
-
-			/* do a syslog with every line */
-			while (current)
-			{
-				next = strchr(current, '\n');
-				if (next)
-				{
-					*(next++) = '\0';
-				}
-				syslog(priority, "%s%s\n", (level > 1)? "| ":"", current);
-#ifdef ANDROID
-				__android_log_print(level > 1 ? ANDROID_LOG_DEBUG
-											  : ANDROID_LOG_INFO, "pluto",
-									"%s%s\n", level > 1 ? "| " : "", current);
-#endif
-				current = next;
-			}
-		}
-		va_end(args);
-	}
-}
-
-void
-init_log(const char *program)
-{
-	/* enable pluto debugging hook for libstrongswan */
-	dbg = pluto_dbg;
-
-	if (log_to_stderr)
-	{
-		setbuf(stderr, NULL);
-	}
-	if (log_to_syslog)
-	{
-		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
-	}
-	TAILQ_INIT(&perpeer_list);
-}
-
-void
-close_peerlog(void)
-{
-	/* exit if the queue has not been initialized */
-	if (perpeer_list.tqh_first == NULL)
-	  return;
-
-	/* end of queue is given by pointer to "HEAD" */
-	while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list)
-	   perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
-}
-
-void
-close_log(void)
-{
-	if (log_to_syslog)
-		closelog();
-
-	close_peerlog();
-}
-
-/* Sanitize character string in situ: turns dangerous characters into \OOO.
- * With a bit of work, we could use simpler reps for \\, \r, etc.,
- * but this is only to protect against something that shouldn't be used.
- * Truncate resulting string to what fits in buffer.
- */
-static size_t
-sanitize(char *buf, size_t size)
-{
-#   define UGLY_WIDTH   4       /* width for ugly character: \OOO */
-	size_t len;
-	size_t added = 0;
-	char *p;
-
-	passert(size >= UGLY_WIDTH);        /* need room to swing cat */
-
-	/* find right side of string to be sanitized and count
-	 * number of columns to be added.  Stop on end of string
-	 * or lack of room for more result.
-	 */
-	for (p = buf; *p != '\0' && &p[added] < &buf[size - UGLY_WIDTH]; )
-	{
-		unsigned char c = *p++;
-
-		if (c == '\\' || !isprint(c))
-			added += UGLY_WIDTH - 1;
-	}
-
-	/* at this point, p points after last original character to be
-	 * included.  added is how many characters are added to sanitize.
-	 * so p[added] will point after last sanitized character.
-	 */
-
-	p[added] = '\0';
-	len = &p[added] - buf;
-
-	/* scan backwards, copying characters to their new home
-	 * and inserting the expansions for ugly characters.
-	 * It is finished when no more shifting is required.
-	 * This is a predecrement loop.
-	 */
-	while (added != 0)
-	{
-		char fmtd[UGLY_WIDTH + 1];
-		unsigned char c;
-
-		while ((c = *--p) != '\\' && isprint(c))
-			p[added] = c;
-		added -= UGLY_WIDTH - 1;
-		snprintf(fmtd, sizeof(fmtd), "\\%03o", c);
-		memcpy(p + added, fmtd, UGLY_WIDTH);
-	}
-	return len;
-#   undef UGLY_WIDTH
-}
-
-/* format a string for the log, with suitable prefixes.
- * A format starting with ~ indicates that this is a reprocessing
- * of the message, so prefixing and quoting is suppressed.
- */
-static void
-fmt_log(char *buf, size_t buf_len, const char *fmt, va_list ap)
-{
-	bool reproc = *fmt == '~';
-	size_t ps;
-	connection_t *c = cur_state != NULL ? cur_state->st_connection
-		: cur_connection;
-
-	buf[0] = '\0';
-	if (reproc)
-		fmt++;  /* ~ at start of format suppresses this prefix */
-	else if (c != NULL)
-	{
-		/* start with name of connection */
-		char *const be = buf + buf_len;
-		char *bp = buf;
-
-		snprintf(bp, be - bp, "\"%s\"", c->name);
-		bp += strlen(bp);
-
-		/* if it fits, put in any connection instance information */
-		if (be - bp > CONN_INST_BUF)
-		{
-			fmt_conn_instance(c, bp);
-			bp += strlen(bp);
-		}
-
-		if (cur_state != NULL)
-		{
-			/* state number */
-			snprintf(bp, be - bp, " #%lu", cur_state->st_serialno);
-			bp += strlen(bp);
-		}
-		snprintf(bp, be - bp, ": ");
-	}
-	else if (cur_from != NULL)
-	{
-		/* peer's IP address */
-		/* Note: must not use ip_str() because our caller might! */
-		char ab[ADDRTOT_BUF];
-
-		(void) addrtot(cur_from, 0, ab, sizeof(ab));
-		snprintf(buf, buf_len, "packet from %s:%u: "
-			, ab, (unsigned)cur_from_port);
-	}
-
-	ps = strlen(buf);
-	vsnprintf(buf + ps, buf_len - ps, fmt, ap);
-	if (!reproc)
-		(void)sanitize(buf, buf_len);
-}
-
-static void
-perpeer_logclose(connection_t *c)
-{
-	/* only free/close things if we had used them! */
-	if (c->log_file != NULL)
-	{
-		passert(perpeer_count > 0);
-
-		TAILQ_REMOVE(&perpeer_list, c, log_link);
-		perpeer_count--;
-		fclose(c->log_file);
-		c->log_file=NULL;
-	}
-}
-
-void
-perpeer_logfree(connection_t *c)
-{
-	perpeer_logclose(c);
-	if (c->log_file_name != NULL)
-	{
-		free(c->log_file_name);
-		c->log_file_name = NULL;
-		c->log_file_err = FALSE;
-	}
-}
-
-/* open the per-peer log */
-static void
-open_peerlog(connection_t *c)
-{
-	syslog(LOG_INFO, "opening log file for conn %s", c->name);
-
-	if (c->log_file_name == NULL)
-	{
-		char peername[ADDRTOT_BUF], dname[ADDRTOT_BUF];
-		int  peernamelen, lf_len;
-
-		addrtot(&c->spd.that.host_addr, 'Q', peername, sizeof(peername));
-		peernamelen = strlen(peername);
-
-		/* copy IP address, turning : and . into / */
-		{
-			char ch, *p, *q;
-
-			p = peername;
-			q = dname;
-			do {
-				ch = *p++;
-				if (ch == '.' || ch == ':')
-					ch = '/';
-				*q++ = ch;
-			} while (ch != '\0');
-		}
-
-		lf_len = peernamelen * 2
-			+ strlen(base_perpeer_logdir)
-			+ sizeof("//.log")
-			+ 1;
-		c->log_file_name = malloc(lf_len);
-
-		fprintf(stderr, "base dir |%s| dname |%s| peername |%s|"
-				, base_perpeer_logdir, dname, peername);
-		snprintf(c->log_file_name, lf_len, "%s/%s/%s.log"
-				 , base_perpeer_logdir, dname, peername);
-
-		syslog(LOG_DEBUG, "conn %s logfile is %s", c->name, c->log_file_name);
-	}
-
-	/* now open the file, creating directories if necessary */
-
-	{  /* create the directory */
-		char *dname;
-		int   bpl_len = strlen(base_perpeer_logdir);
-		char *slashloc;
-
-		dname = clone_str(c->log_file_name);
-		dname = dirname(dname);
-
-		if (access(dname, W_OK) != 0)
-		{
-			if (errno != ENOENT)
-			{
-				if (c->log_file_err)
-				{
-					syslog(LOG_CRIT, "can not write to %s: %s"
-						   , dname, strerror(errno));
-					c->log_file_err = TRUE;
-					free(dname);
-					return;
-				}
-			}
-
-			/* directory does not exist, walk path creating dirs */
-			/* start at base_perpeer_logdir */
-			slashloc = dname + bpl_len;
-			slashloc++;    /* since, by construction there is a slash
-							  right there */
-
-			while (*slashloc != '\0')
-			{
-				char saveslash;
-
-				/* look for next slash */
-				while (*slashloc != '\0' && *slashloc != '/') slashloc++;
-
-				saveslash = *slashloc;
-
-				*slashloc = '\0';
-
-				if (mkdir(dname, 0750) != 0 && errno != EEXIST)
-				{
-					syslog(LOG_CRIT, "can not create dir %s: %s"
-						   , dname, strerror(errno));
-					c->log_file_err = TRUE;
-					free(dname);
-					return;
-				}
-				syslog(LOG_DEBUG, "created new directory %s", dname);
-				*slashloc = saveslash;
-				slashloc++;
-			}
-		}
-		free(dname);
-	}
-
-	c->log_file = fopen(c->log_file_name, "a");
-	if (c->log_file == NULL)
-	{
-		if (c->log_file_err)
-		{
-			syslog(LOG_CRIT, "logging system can not open %s: %s"
-				   , c->log_file_name, strerror(errno));
-			c->log_file_err = TRUE;
-		}
-		return;
-	}
-
-	/* look for a connection to close! */
-	while (perpeer_count >= MAX_PEERLOG_COUNT)
-	{
-		/* can not be NULL because perpeer_count > 0 */
-		passert(TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list);
-
-		perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
-	}
-
-	/* insert this into the list */
-	TAILQ_INSERT_HEAD(&perpeer_list, c, log_link);
-	passert(c->log_file != NULL);
-	perpeer_count++;
-}
-
-/* log a line to cur_connection's log */
-static void
-peerlog(const char *prefix, const char *m)
-{
-	if (cur_connection == NULL)
-	{
-		/* we can not log it in this case. Oh well. */
-		return;
-	}
-
-	if (cur_connection->log_file == NULL)
-	{
-		open_peerlog(cur_connection);
-	}
-
-	/* despite our attempts above, we may not be able to open the file. */
-	if (cur_connection->log_file != NULL)
-	{
-		char datebuf[32];
-		time_t n;
-		struct tm *t;
-
-		time(&n);
-		t = localtime(&n);
-
-		strftime(datebuf, sizeof(datebuf), "%Y-%m-%d %T", t);
-		fprintf(cur_connection->log_file, "%s %s%s\n", datebuf, prefix, m);
-
-		/* now move it to the front of the list */
-		TAILQ_REMOVE(&perpeer_list, cur_connection, log_link);
-		TAILQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
-	}
-}
-
-void
-plog(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	fmt_log(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "%s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_WARNING, "%s", m);
-	if (log_to_perpeer)
-		peerlog("", m);
-#ifdef ANDROID
-	__android_log_print(ANDROID_LOG_WARN, "pluto", "%s\n", m);
-#endif
-
-	whack_log(RC_LOG, "~%s", m);
-}
-
-void
-loglog(int mess_no, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	fmt_log(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "%s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_WARNING, "%s", m);
-	if (log_to_perpeer)
-		peerlog("", m);
-#ifdef ANDROID
-	__android_log_print(ANDROID_LOG_WARN, "pluto", "%s\n", m);
-#endif
-
-	whack_log(mess_no, "~%s", m);
-}
-
-void
-log_errno_routine(int e, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	fmt_log(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-	if (log_to_syslog)
-		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
-	if (log_to_perpeer)
-		peerlog(strerror(e), m);
-#ifdef ANDROID
-	__android_log_print(ANDROID_LOG_ERROR, "pluto", "ERROR: %s. Errno %d: %s\n",
-						m, e, strerror(e));
-#endif
-
-	whack_log(RC_LOG_SERIOUS
-		, "~ERROR: %s. Errno %d: %s", m, e, strerror(e));
-}
-
-void
-exit_log(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	fmt_log(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "FATAL ERROR: %s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_ERR, "FATAL ERROR: %s", m);
-	if (log_to_perpeer)
-		peerlog("FATAL ERROR: ", m);
-#ifdef ANDROID
-	__android_log_print(ANDROID_LOG_ERROR, "pluto", "FATAL ERROR: %s\n", m);
-#endif
-
-	whack_log(RC_LOG_SERIOUS, "~FATAL ERROR: %s", m);
-
-	exit_pluto(1);
-}
-
-void
-exit_log_errno_routine(int e, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	fmt_log(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-	if (log_to_syslog)
-		syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
-	if (log_to_perpeer)
-		peerlog(strerror(e), m);
-#ifdef ANDROID
-	__android_log_print(ANDROID_LOG_ERROR, "pluto", "FATAL ERROR: %s. "
-						"Errno %d: %s\n", m, e, strerror(e));
-#endif
-
-	whack_log(RC_LOG_SERIOUS
-		, "~FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
-
-	exit_pluto(1);
-}
-
-/* emit message to whack.
- * form is "ddd statename text" where
- * - ddd is a decimal status code (RC_*) as described in whack.h
- * - text is a human-readable annotation
- */
-#ifdef DEBUG
-static volatile sig_atomic_t dying_breath = FALSE;
-#endif
-
-void
-whack_log(int mess_no, const char *message, ...)
-{
-	int wfd = whack_log_fd != NULL_FD ? whack_log_fd
-		: cur_state != NULL ? cur_state->st_whack_sock
-		: NULL_FD;
-
-	if (wfd != NULL_FD
-#ifdef DEBUG
-	|| dying_breath
-#endif
-	)
-	{
-		va_list args;
-		char m[LOG_WIDTH];      /* longer messages will be truncated */
-		int prelen = snprintf(m, sizeof(m), "%03d ", mess_no);
-
-		passert(prelen >= 0);
-
-		va_start(args, message);
-		fmt_log(m+prelen, sizeof(m)-prelen, message, args);
-		va_end(args);
-
-#if DEBUG
-		if (dying_breath)
-		{
-			/* status output copied to log */
-			if (log_to_stderr)
-				fprintf(stderr, "%s\n", m + prelen);
-			if (log_to_syslog)
-				syslog(LOG_WARNING, "%s", m + prelen);
-			if (log_to_perpeer)
-				peerlog("", m);
-#ifdef ANDROID
-			__android_log_print(ANDROID_LOG_WARN, "pluto", "%s\n", m + prelen);
-#endif
-		}
-#endif
-
-		if (wfd != NULL_FD)
-		{
-			/* write to whack socket, but suppress possible SIGPIPE */
-			size_t len = strlen(m);
-#ifdef MSG_NOSIGNAL     /* depends on version of glibc??? */
-			m[len] = '\n';      /* don't need NUL, do need NL */
-			(void) send(wfd, m, len + 1, MSG_NOSIGNAL);
-#else /* !MSG_NOSIGNAL */
-			int r;
-			struct sigaction act
-				, oldact;
-
-			m[len] = '\n';      /* don't need NUL, do need NL */
-			act.sa_handler = SIG_IGN;
-			sigemptyset(&act.sa_mask);
-			act.sa_flags = 0;   /* no nothing */
-			r = sigaction(SIGPIPE, &act, &oldact);
-			passert(r == 0);
-
-			(void) write(wfd, m, len + 1);
-
-			r = sigaction(SIGPIPE, &oldact, NULL);
-			passert(r == 0);
-#endif /* !MSG_NOSIGNAL */
-		}
-	}
-}
-
-/* Build up a diagnostic in a static buffer.
- * Although this would be a generally useful function, it is very
- * hard to come up with a discipline that prevents different uses
- * from interfering.  It is intended that by limiting it to building
- * diagnostics, we will avoid this problem.
- * Juggling is performed to allow an argument to be a previous
- * result: the new string may safely depend on the old one.  This
- * restriction is not checked in any way: violators will produce
- * confusing results (without crashing!).
- */
-char diag_space[sizeof(diag_space)];
-
-err_t
-builddiag(const char *fmt, ...)
-{
-	static char diag_space[LOG_WIDTH];  /* longer messages will be truncated */
-	char t[sizeof(diag_space)]; /* build result here first */
-	va_list args;
-
-	va_start(args, fmt);
-	t[0] = '\0';        /* in case nothing terminates string */
-	vsnprintf(t, sizeof(t), fmt, args);
-	va_end(args);
-	strcpy(diag_space, t);
-	return diag_space;
-}
-
-/* Debugging message support */
-
-#ifdef DEBUG
-
-void
-switch_fail(int n, const char *file_str, unsigned long line_no)
-{
-	char buf[30];
-
-	snprintf(buf, sizeof(buf), "case %d unexpected", n);
-	passert_fail(buf, file_str, line_no);
-}
-
-void
-passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
-{
-	/* we will get a possibly unplanned prefix.  Hope it works */
-	loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-	if (!dying_breath)
-	{
-		dying_breath = TRUE;
-		show_status(TRUE, NULL);
-	}
-	abort();    /* exiting correctly doesn't always work */
-}
-
-void
-pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
-{
-	/* we will get a possibly unplanned prefix.  Hope it works */
-	loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-}
-
-lset_t
-	base_debugging = DBG_NONE,  /* default to reporting nothing */
-	cur_debugging =  DBG_NONE;
-
-void
-extra_debugging(const connection_t *c)
-{
-	if(c == NULL)
-	{
-		reset_debugging();
-		return;
-	}
-
-	if (c!= NULL && c->extra_debugging != 0)
-	{
-		plog("enabling for connection: %s"
-			, bitnamesof(debug_bit_names, c->extra_debugging & ~cur_debugging));
-		cur_debugging |= c->extra_debugging;
-	}
-}
-
-/* log a debugging message (prefixed by "| ") */
-
-void
-DBG_log(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	(void)sanitize(m, sizeof(m));
-
-	if (log_to_stderr)
-		fprintf(stderr, "| %s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_DEBUG, "| %s", m);
-	if (log_to_perpeer)
-		peerlog("| ", m);
-#ifdef ANDROID
-	__android_log_print(ANDROID_LOG_DEBUG, "pluto", "| %s\n", m);
-#endif
-}
-
-/* dump raw bytes in hex to stderr (for lack of any better destination) */
-
-void
-DBG_dump(const char *label, const void *p, size_t len)
-{
-#   define DUMP_LABEL_WIDTH 20  /* arbitrary modest boundary */
-#   define DUMP_WIDTH   (4 * (1 + 4 * 3) + 1)
-	char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
-	char *bp;
-	const unsigned char *cp = p;
-
-	bp = buf;
-
-	if (label != NULL && label[0] != '\0')
-	{
-		/* Handle the label.  Care must be taken to avoid buffer overrun. */
-		size_t llen = strlen(label);
-
-		if (llen + 1 > sizeof(buf))
-		{
-			DBG_log("%s", label);
-		}
-		else
-		{
-			strcpy(buf, label);
-			if (buf[llen-1] == '\n')
-			{
-				buf[llen-1] = '\0';     /* get rid of newline */
-				DBG_log("%s", buf);
-			}
-			else if (llen < DUMP_LABEL_WIDTH)
-			{
-				bp = buf + llen;
-			}
-			else
-			{
-				DBG_log("%s", buf);
-			}
-		}
-	}
-
-	do {
-		int i, j;
-
-		for (i = 0; len!=0 && i!=4; i++)
-		{
-			*bp++ = ' ';
-			for (j = 0; len!=0 && j!=4; len--, j++)
-			{
-				static const char hexdig[] = "0123456789abcdef";
-
-				*bp++ = ' ';
-				*bp++ = hexdig[(*cp >> 4) & 0xF];
-				*bp++ = hexdig[*cp & 0xF];
-				cp++;
-			}
-		}
-		*bp = '\0';
-		DBG_log("%s", buf);
-		bp = buf;
-	} while (len != 0);
-#   undef DUMP_LABEL_WIDTH
-#   undef DUMP_WIDTH
-}
-
-#endif /* DEBUG */
-
-static void show_loaded_plugins()
-{
-	whack_log(RC_COMMENT, "loaded plugins: %s",
-			  lib->plugins->loaded_plugins(lib->plugins));
-}
-
-void show_status(bool all, const char *name)
-{
-	if (all)
-	{
-		whack_log(RC_COMMENT, "Status of IKEv1 pluto daemon (strongSwan "VERSION"):");
-		show_ifaces_status();
-		show_myid_status();
-		show_loaded_plugins();
-		show_debug_status();
-		show_pools(name);
-		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
-	}
-	show_connections_status(all, name);
-	show_states_status(all, name);
-}
-
-/* ip_str: a simple to use variant of addrtot.
- * It stores its result in a static buffer.
- * This means that newer calls overwrite the storage of older calls.
- * Note: this is not used in any of the logging functions, so their
- * callers may use it.
- */
-const char *
-ip_str(const ip_address *src)
-{
-	static char buf[ADDRTOT_BUF];
-
-	addrtot(src, 0, buf, sizeof(buf));
-	return buf;
-}
-
-/*
- * a routine that attempts to schedule itself daily.
- *
- */
-
-void
-daily_log_reset(void)
-{
-	/* now perform actions */
-	logged_txt_warning = FALSE;
-
-	logged_myid_fqdn_txt_warning = FALSE;
-	logged_myid_ip_txt_warning   = FALSE;
-	logged_myid_fqdn_key_warning = FALSE;
-	logged_myid_ip_key_warning   = FALSE;
-}
-
-void
-daily_log_event(void)
-{
-	struct tm lt;
-	time_t t, interval;
-
-	/* attempt to schedule oneself to midnight, local time
-	 * do this by getting seconds in the day, and delaying
-	 * by 86400 - 3600*hours - 60*minutes - seconds.
-	 */
-	time(&t);
-	localtime_r(&t, &lt);
-	interval = 3600 * (24 - lt.tm_hour) - 60 * lt.tm_min - lt.tm_sec;
-
-	event_schedule(EVENT_LOG_DAILY, interval, NULL);
-	daily_log_reset();
-}
-
-/*
- * Local Variables:
- * c-basic-offset:4
- * c-style: pluto
- * End:
- */
diff --git a/src/pluto/log.h b/src/pluto/log.h
deleted file mode 100644
index 52c01bbd4..000000000
--- a/src/pluto/log.h
+++ /dev/null
@@ -1,234 +0,0 @@
-/* logging definitions
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <freeswan.h>
-
-#define LOG_WIDTH   1024    /* roof of number of chars in log line */
-
-#ifndef PERPEERLOGDIR
-#define PERPEERLOGDIR "/var/log/pluto/peer"
-#endif
-
-/* our versions of assert: log result */
-
-#ifdef DEBUG
-
-extern void passert_fail(const char *pred_str
-	, const char *file_str, unsigned long line_no) NEVER_RETURNS;
-
-extern void pexpect_log(const char *pred_str
-						, const char *file_str, unsigned long line_no);
-
-# define impossible() passert_fail("impossible", __FILE__, __LINE__)
-
-extern void switch_fail(int n
-	, const char *file_str, unsigned long line_no) NEVER_RETURNS;
-
-# define bad_case(n) switch_fail((int) n, __FILE__, __LINE__)
-
-# define passert(pred) { \
-		if (!(pred)) \
-			passert_fail(#pred, __FILE__, __LINE__); \
-	}
-
-# define pexpect(pred) { \
-		if (!(pred)) \
-			pexpect_log(#pred, __FILE__, __LINE__); \
-	}
-
-/* assert that an err_t is NULL; evaluate exactly once */
-# define happy(x) { \
-		err_t ugh = x; \
-		if (ugh != NULL) \
-			passert_fail(ugh, __FILE__, __LINE__); \
-	}
-
-#else /*!DEBUG*/
-
-# define impossible() abort()
-# define bad_case(n) abort()
-# define passert(pred)  { }     /* do nothing */
-# define happy(x)  { (void) x; }        /* evaluate non-judgementally */
-
-#endif /*!DEBUG*/
-
-
-extern bool
-	log_to_stderr,      /* should log go to stderr? */
-	log_to_syslog,      /* should log go to syslog? */
-	log_to_perpeer;     /* should log go to per-IP file? */
-
-extern const char *base_perpeer_logdir;
-
-/* maximum number of files to keep open for per-peer log files */
-#define MAX_PEERLOG_COUNT 16
-
-/* Context for logging.
- *
- * Global variables: must be carefully adjusted at transaction boundaries!
- * All are to be left in RESET condition and will be checked.
- * There are several pairs of routines to set and reset them.
- * If the context provides a whack file descriptor, messages
- * should be copied to it -- see whack_log()
- */
-extern int whack_log_fd;        /* only set during whack_handle() */
-extern struct state *cur_state; /* current state, for diagnostics */
-extern struct connection *cur_connection;       /* current connection, for diagnostics */
-extern const ip_address *cur_from;      /* source of current current message */
-extern u_int16_t cur_from_port; /* host order */
-
-#ifdef DEBUG
-
-  extern lset_t cur_debugging;  /* current debugging level */
-
-  extern void extra_debugging(const struct connection *c);
-
-# define reset_debugging() { cur_debugging = base_debugging; }
-
-# define GLOBALS_ARE_RESET() (whack_log_fd == NULL_FD \
-	&& cur_state == NULL \
-	&& cur_connection == NULL \
-	&& cur_from == NULL \
-	&& cur_debugging == base_debugging)
-
-#else /*!DEBUG*/
-
-# define extra_debugging(c)  { }
-
-# define reset_debugging() { }
-
-# define GLOBALS_ARE_RESET() (whack_log_fd == NULL_FD \
-	&& cur_state == NULL \
-	&& cur_connection == NULL \
-	&& cur_from == NULL)
-
-#endif /*!DEBUG*/
-
-#define reset_globals() { \
-	whack_log_fd = NULL_FD; \
-	cur_state = NULL; \
-	cur_from = NULL; \
-	reset_cur_connection(); \
-	}
-
-
-#define set_cur_connection(c) { \
-	cur_connection = (c); \
-	extra_debugging(c); \
-	}
-
-#define reset_cur_connection() { \
-	cur_connection = NULL; \
-	reset_debugging(); \
-	}
-
-
-#define set_cur_state(s) { \
-	cur_state = (s); \
-	extra_debugging((s)->st_connection); \
-	}
-
-#define reset_cur_state() { \
-	cur_state = NULL; \
-	reset_debugging(); \
-	}
-
-extern void init_log(const char *program);
-extern void close_log(void);
-extern void plog(const char *message, ...) PRINTF_LIKE(1);
-extern void exit_log(const char *message, ...) PRINTF_LIKE(1) NEVER_RETURNS;
-
-/* close of all per-peer logging */
-extern void close_peerlog(void);
-
-/* free all per-peer log resources */
-extern void perpeer_logfree(struct connection *c);
-
-
-
-/* the following routines do a dance to capture errno before it is changed
- * A call must doubly parenthesize the argument list (no varargs macros).
- * The first argument must be "e", the local variable that captures errno.
- */
-#define log_errno(a) { int e = errno; log_errno_routine a; }
-extern void log_errno_routine(int e, const char *message, ...) PRINTF_LIKE(2);
-#define exit_log_errno(a) { int e = errno; exit_log_errno_routine a; }
-extern void exit_log_errno_routine(int e, const char *message, ...) PRINTF_LIKE(2) NEVER_RETURNS NEVER_RETURNS;
-
-extern void whack_log(int mess_no, const char *message, ...) PRINTF_LIKE(2);
-
-/* Log to both main log and whack log
- * Much like log, actually, except for specifying mess_no.
- */
-extern void loglog(int mess_no, const char *message, ...) PRINTF_LIKE(2);
-
-/* show status, usually on whack log */
-extern void show_status(bool all, const char *name);
-
-/* Build up a diagnostic in a static buffer.
- * Although this would be a generally useful function, it is very
- * hard to come up with a discipline that prevents different uses
- * from interfering.  It is intended that by limiting it to building
- * diagnostics, we will avoid this problem.
- * Juggling is performed to allow an argument to be a previous
- * result: the new string may safely depend on the old one.  This
- * restriction is not checked in any way: violators will produce
- * confusing results (without crashing!).
- */
-extern char diag_space[LOG_WIDTH];      /* output buffer, but can be occupied at call */
-extern err_t builddiag(const char *fmt, ...) PRINTF_LIKE(1);
-
-#ifdef DEBUG
-
-extern lset_t base_debugging;   /* bits selecting what to report */
-
-#define DBGP(cond)         (cur_debugging & (cond))
-#define DBG(cond, action)   { if (DBGP(cond)) { action ; } }
-
-extern void DBG_log(const char *message, ...) PRINTF_LIKE(1);
-extern void DBG_dump(const char *label, const void *p, size_t len);
-#define DBG_dump_chunk(label, ch) DBG_dump(label, (ch).ptr, (ch).len)
-
-#else /*!DEBUG*/
-
-#define DBG(cond, action)       { }     /* do nothing */
-
-#endif /*!DEBUG*/
-
-#define DBG_cond_dump(cond, label, p, len) DBG(cond, DBG_dump(label, p, len))
-#define DBG_cond_dump_chunk(cond, label, ch) DBG(cond, DBG_dump_chunk(label, ch))
-
-
-/* ip_str: a simple to use variant of addrtot.
- * It stores its result in a static buffer.
- * This means that newer calls overwrite the storage of older calls.
- * Note: this is not used in any of the logging functions, so their
- * callers may use it.
- */
-extern const char *ip_str(const ip_address *src);
-
-/*
- * call this routine to reset daily items.
- */
-extern void daily_log_reset(void);
-extern void daily_log_event(void);
-
-/*
- * some events are to be logged only occasionally.
- */
-extern bool logged_txt_warning;
-extern bool logged_myid_ip_txt_warning;
-extern bool logged_myid_ip_key_warning;
-extern bool logged_myid_fqdn_txt_warning;
-extern bool logged_myid_fqdn_key_warning;
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
deleted file mode 100644
index 8298ea601..000000000
--- a/src/pluto/modecfg.c
+++ /dev/null
@@ -1,1263 +0,0 @@
-/* Mode config related functions
- * Copyright (C) 2001-2002 Colubris Networks
- * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
- * Copyright (C) 2003-2004 Xelerance Corporation
- * Copyright (C) 2006-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * This code originally written by Colubris Networks, Inc.
- * Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
- * Porting to 2.x by Sean Mathews
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <hydra.h>
-#include <utils/linked_list.h>
-#include <crypto/prfs/prf.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "state.h"
-#include "demux.h"
-#include "timer.h"
-#include "ipsec_doi.h"
-#include "log.h"
-#include "crypto.h"
-#include "modecfg.h"
-#include "whack.h"
-#include "pluto.h"
-
-#define MAX_XAUTH_TRIES         3
-
-#define DEFAULT_UNITY_BANNER	"Welcome to strongSwan - the Linux VPN Solution!\n"
-
-/**
- * Creates a modecfg_attribute_t object
- */
-static modecfg_attribute_t *modecfg_attribute_create(configuration_attribute_type_t type,
-													 chunk_t value)
-{
-	modecfg_attribute_t *this;
-
-	this = malloc_thing(modecfg_attribute_t);
-	this->type = ((u_int16_t)type) & 0x7FFF;
-	this->is_tv = FALSE;
-	this->value = chunk_clone(value);
-	this->handler = NULL;
-
-	return this;
-}
-
-/**
- * Creates a modecfg_attribute_t object coded in TV format
- */
-static modecfg_attribute_t *modecfg_attribute_create_tv(configuration_attribute_type_t type,
-															 size_t value)
-{
-	modecfg_attribute_t *this;
-
-	this = modecfg_attribute_create(type, chunk_empty);
-	this->value.len = value;
-	this->is_tv = TRUE;
-
-	return this;
-}
-
-/**
- * Destroys a modecfg_attribute_t object
- */
-void modecfg_attribute_destroy(modecfg_attribute_t *this)
-{
-	free(this->value.ptr);
-	free(this);
-}
-
-/**
- * Get attributes to be sent to client
- */
-static void get_attributes(connection_t *c, linked_list_t *ca_list)
-{
-	configuration_attribute_type_t type;
-	identification_t *client_id;
-	modecfg_attribute_t *ca;
-	enumerator_t *enumerator;
-	chunk_t value;
-	host_t *vip = NULL, *requested_vip = NULL;
-	bool want_unity_banner = FALSE;
-	int family;
-
-#ifdef CISCO_QUIRKS
-	/* always send banner in ModeCfg push mode */
-	if (ca_list->get_count(ca_list) == 0)
-	{
-		want_unity_banner = TRUE;
-	}
-#endif
-
-	/* scan list of requested attributes in ModeCfg pull mode */
-	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
-	{
-		switch (ca->type)
-		{
-			case INTERNAL_IP4_ADDRESS:
-			case INTERNAL_IP6_ADDRESS:
-			{
-				int family;
-
-				family = (ca->type == INTERNAL_IP4_ADDRESS) ? AF_INET : AF_INET6;
-				DESTROY_IF(requested_vip);
-				requested_vip = (ca->value.len) ?
-								host_create_from_chunk(family, ca->value, 0) :
-								host_create_any(family);
-				plog("peer requested virtual IP %H", requested_vip);
-				break;
-			}
-#ifdef CISCO_QUIRKS
-			case UNITY_BANNER:
-				want_unity_banner = TRUE;
-				break;
-#endif
-			default:
-				break;
-		}
-		modecfg_attribute_destroy(ca);
-	}
-
-	if (requested_vip == NULL)
-	{
-		requested_vip = host_create_any(AF_INET);
-	}
-
-	client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
-
-	/* if no virtual IP has been assigned yet - acquire one */
-	if (c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
-	{
-		if (c->spd.that.pool)
-		{
-			vip = hydra->attributes->acquire_address(hydra->attributes,
-								c->spd.that.pool, client_id, requested_vip);
-			if (vip)
-			{
-				c->spd.that.host_srcip->destroy(c->spd.that.host_srcip);
-				c->spd.that.host_srcip = vip;
-			}
-		}
-		else
-		{
-			plog("no virtual IP found");
-		}
-	}
-
-	requested_vip->destroy(requested_vip);
-
-	/* if we have a virtual IP address - send it */
-	if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
-	{
-		vip = c->spd.that.host_srcip;
-		plog("assigning virtual IP %H to peer", vip);
-		family = vip->get_family(vip);
-		ca = modecfg_attribute_create((family == AF_INET) ?
-									   INTERNAL_IP4_ADDRESS :
-									   INTERNAL_IP6_ADDRESS,
-									   vip->get_address(vip));
-		ca_list->insert_last(ca_list, ca);
-
-		/* set the remote client subnet to virtual IP */
-		c->spd.that.client.addr     = *(ip_address*)vip->get_sockaddr(vip);
-		c->spd.that.client.maskbits = (family == AF_INET) ? 32 : 128;
-		c->spd.that.has_client      = TRUE;
-	}
-
-	/* assign attributes from registered providers */
-	enumerator = hydra->attributes->create_responder_enumerator(hydra->attributes,
-											c->spd.that.pool, client_id, vip);
-	while (enumerator->enumerate(enumerator, &type, &value))
-	{
-		ca = modecfg_attribute_create(type, value);
-		ca_list->insert_last(ca_list, ca);
-		if (type == UNITY_BANNER)
-		{
-			want_unity_banner = FALSE;
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	if (want_unity_banner)
-	{
-		ca = modecfg_attribute_create(UNITY_BANNER,
-									  chunk_create(DEFAULT_UNITY_BANNER,
-									  strlen(DEFAULT_UNITY_BANNER)));
-		ca_list->insert_last(ca_list, ca);
-	}
-}
-
-/**
- * Set srcip and client subnet to internal IP address
- */
-static bool set_attributes(connection_t *c, linked_list_t *ca_list)
-{
-	host_t *vip, *srcip;
-	modecfg_attribute_t *ca, *ca_handler;
-	enumerator_t *enumerator;
-	bool vip_set = FALSE;
-
-	enumerator = ca_list->create_enumerator(ca_list);
-	while (enumerator->enumerate(enumerator, &ca))
-	{
-		int family = AF_INET6;
-		attribute_handler_t *handler = NULL;
-		enumerator_t *e;
-
-		switch (ca->type)
-		{
-			case INTERNAL_IP4_ADDRESS:
-				family = AF_INET;
-				/* fall */
-			case INTERNAL_IP6_ADDRESS:
-				if (ca->value.len == 0)
-				{
-					vip = host_create_any(family);
-				}
-				else
-				{
-					/* skip prefix byte in IPv6 payload*/
-					if (family == AF_INET6)
-					{
-						ca->value.len = 16;
-					}
-					vip = host_create_from_chunk(family, ca->value, 0);
-				}
-				if (vip)
-				{
-					srcip = c->spd.this.host_srcip;
-
-					if (srcip->is_anyaddr(srcip) || srcip->equals(srcip, vip))
-					{
-						plog("setting virtual IP source address to %H", vip);
-					}
-					else
-					{
-						plog("replacing virtual IP source address %H by %H",
-							  srcip, vip);
-					}
-					srcip->destroy(srcip);
-					c->spd.this.host_srcip = vip;
-
-					/* setting client subnet to vip/32 */
-					addrtosubnet((ip_address*)vip->get_sockaddr(vip),
-								 &c->spd.this.client);
-					setportof(0, &c->spd.this.client.addr);
-					c->spd.this.has_client = TRUE;
-
-					vip_set = TRUE;
-				}
-				continue;
-			case APPLICATION_VERSION:
-#ifdef CISCO_QUIRKS
-			case UNITY_BANNER:
-#endif
-				if (ca->value.len > 0)
-				{
-					DBG(DBG_PARSING | DBG_CONTROLMORE,
-						DBG_log("   '%.*s'", ca->value.len, ca->value.ptr)
-					)
-				}
-				break;
-			default:
-				break;
-		}
-
-		/* find the first handler which requested this attribute */
-		e = c->requested->create_enumerator(c->requested);
-		while (e->enumerate(e, &ca_handler))
-		{
-			if (ca_handler->type == ca->type)
-			{
-				handler = ca_handler->handler;
-				break;
-			}
-		}
-		e->destroy(e);
-
-		/* and pass it to the handle function */
-		handler = hydra->attributes->handle(hydra->attributes,
-							 c->spd.that.id, handler, ca->type, ca->value);
-		if (handler)
-		{
-			ca_handler = modecfg_attribute_create(ca->type, ca->value);
-			ca_handler->handler = handler;
-
-			if (c->attributes == NULL)
-			{
-				c->attributes = linked_list_create();
-			}
-			c->attributes->insert_last(c->attributes, ca_handler);
-		}
-	}
-	enumerator->destroy(enumerator);
-	c->requested->destroy_function(c->requested, (void*)modecfg_attribute_destroy);
-	c->requested = NULL;
-	return vip_set;
-}
-
-/**
- * Register configuration attribute handlers
- */
-static void register_attribute_handlers(connection_t *c)
-{
-	configuration_attribute_type_t type;
-	modecfg_attribute_t *ca;
-	chunk_t value;
-	attribute_handler_t *handler;
-	enumerator_t *enumerator;
-
-	/* add configuration attributes requested by handlers */
-	if (c->requested == NULL)
-	{
-		c->requested = linked_list_create();
-	}
-	enumerator = hydra->attributes->create_initiator_enumerator(
-							hydra->attributes,c->spd.that.id, c->spd.this.host_srcip);
-	while (enumerator->enumerate(enumerator, &handler, &type, &value))
-	{
-		ca = modecfg_attribute_create(type, value);
-		ca->handler = handler;
-		c->requested->insert_last(c->requested, ca);
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Compute HASH of Mode Config.
- */
-static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
-						   const struct state *st)
-{
-	chunk_t msgid_chunk = chunk_from_thing(st->st_msgid);
-	chunk_t msg_chunk = { start, roof - start };
-	size_t prf_block_size;
-	pseudo_random_function_t prf_alg;
-	prf_t *prf;
-
-	prf_alg = oakley_to_prf(st->st_oakley.hash);
-	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
-	prf->set_key(prf, st->st_skeyid_a);
-	prf->get_bytes(prf, msgid_chunk, NULL);
-	prf->get_bytes(prf, msg_chunk, dest);
-	prf_block_size = prf->get_block_size(prf);
-	prf->destroy(prf);
-
-	DBG(DBG_CRYPT,
-		DBG_log("ModeCfg HASH computed:");
-		DBG_dump("", dest, prf_block_size)
-	)
-	return prf_block_size;
-}
-
-
-/**
- * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS)
- */
-static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
-									u_int16_t msg_type,	linked_list_t *ca_list,
-									u_int16_t ap_id)
-{
-	u_char *r_hash_start, *r_hashval;
-	struct isakmp_mode_attr attrh;
-	struct isakmp_attribute attr;
-	pb_stream strattr,attrval;
-	enumerator_t *enumerator;
-	modecfg_attribute_t *ca;
-
-	START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR);
-
-	attrh.isama_np         = ISAKMP_NEXT_NONE;
-	attrh.isama_type       = msg_type;
-	attrh.isama_identifier = ap_id;
-
-	if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
-	{
-		return STF_INTERNAL_ERROR;
-	}
-
-	enumerator = ca_list->create_enumerator(ca_list);
-	while (enumerator->enumerate(enumerator, &ca))
-	{
-		DBG(DBG_CONTROLMORE,
-			DBG_log("building %N attribute", configuration_attribute_type_names, ca->type)
-		)
-		if (ca->is_tv)
-		{
-			attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TV;
-			attr.isaat_lv = ca->value.len;
-			out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
-		}
-		else
-		{
-			char buf[BUF_LEN];
-
-			attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TLV;
-			out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
-			snprintf(buf, BUF_LEN, "%N", configuration_attribute_type_names, ca->type);
-			out_raw(ca->value.ptr, ca->value.len, &attrval, buf);
-		}
-		close_output_pbs(&attrval);
-	}
-	enumerator->destroy(enumerator);
-	close_output_pbs(&strattr);
-
-	modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
-	close_message(rbody);
-	encrypt_message(rbody, st);
-	return STF_OK;
-}
-
-/**
- * Send ModeCfg message
- */
-static stf_status modecfg_send_msg(struct state *st, int isama_type,
-								   linked_list_t *ca_list)
-{
-	pb_stream msg;
-	pb_stream rbody;
-	char buf[BUF_LEN];
-
-	/* set up attr */
-	init_pbs(&msg, buf, sizeof(buf), "ModeCfg msg buffer");
-
-	/* this is the beginning of a new exchange */
-	st->st_msgid = generate_msgid(st);
-	init_phase2_iv(st, &st->st_msgid);
-
-	/* HDR out */
-	{
-		struct isakmp_hdr hdr;
-
-		zero(&hdr);     /* default to 0 */
-		hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
-		hdr.isa_np = ISAKMP_NEXT_HASH;
-		hdr.isa_xchg = ISAKMP_XCHG_MODE_CFG;
-		hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
-		memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
-		memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
-		hdr.isa_msgid = st->st_msgid;
-
-		if (!out_struct(&hdr, &isakmp_hdr_desc, &msg, &rbody))
-		{
-			return STF_INTERNAL_ERROR;
-		}
-	}
-
-	/* ATTR out with isama_id of 0 */
-	modecfg_build_msg(st, &rbody, isama_type, ca_list, 0);
-
-	free(st->st_tpacket.ptr);
-	st->st_tpacket = chunk_create(msg.start, pbs_offset(&msg));
-	st->st_tpacket = chunk_clone(st->st_tpacket);
-
-	/* Transmit */
-	send_packet(st, "ModeCfg msg");
-
-	if (st->st_event->ev_type != EVENT_RETRANSMIT)
-	{
-		delete_event(st);
-		event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
-	}
-	return STF_OK;
-}
-
-/**
- * Parse a ModeCfg attribute payload
- */
-static stf_status modecfg_parse_attributes(pb_stream *attrs, linked_list_t *ca_list)
-{
-	struct isakmp_attribute attr;
-	pb_stream strattr;
-	u_int16_t attr_type;
-	u_int16_t attr_len;
-	chunk_t attr_chunk;
-	modecfg_attribute_t *ca;
-
-	while (pbs_left(attrs) >= sizeof(struct isakmp_attribute))
-	{
-		if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr))
-		{
-			return STF_FAIL;
-		}
-		attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
-		attr_len  = attr.isaat_lv;
-		DBG(DBG_CONTROLMORE,
-			DBG_log("processing %N attribute",
-					configuration_attribute_type_names, attr_type)
-		)
-
-		switch (attr_type)
-		{
-			case INTERNAL_IP4_ADDRESS:
-			case INTERNAL_IP4_NETMASK:
-			case INTERNAL_IP4_DNS:
-			case INTERNAL_IP4_NBNS:
-			case INTERNAL_ADDRESS_EXPIRY:
-			case INTERNAL_IP4_DHCP:
-				if (attr_len != 4 && attr_len != 0)
-				{
-					goto error;
-				}
-				break;
-			case INTERNAL_IP4_SUBNET:
-				if (attr_len != 8 && attr_len != 0)
-				{
-					goto error;
-				}
-				break;
-			case INTERNAL_IP6_NETMASK:
-			case INTERNAL_IP6_DNS:
-			case INTERNAL_IP6_NBNS:
-			case INTERNAL_IP6_DHCP:
-				if (attr_len != 16 && attr_len != 0)
-				{
-					goto error;
-				}
-				break;
-			case INTERNAL_IP6_ADDRESS:
-				if (attr_len != 17 && attr_len != 16 && attr_len != 0)
-				{
-					goto error;
-				}
-				break;
-			case INTERNAL_IP6_SUBNET:
-				if (attr_len != 17 && attr_len != 0)
-				{
-					goto error;
-				}
-				break;
-			case SUPPORTED_ATTRIBUTES:
-				if (attr_len % 2)
-				{
-					goto error;
-				}
-				break;
-			case APPLICATION_VERSION:
-				break;
-			/* XAUTH attributes */
-			case XAUTH_TYPE:
-			case XAUTH_STATUS:
-			case XAUTH_USER_NAME:
-			case XAUTH_USER_PASSWORD:
-			case XAUTH_PASSCODE:
-			case XAUTH_MESSAGE:
-			case XAUTH_CHALLENGE:
-			case XAUTH_DOMAIN:
-			case XAUTH_NEXT_PIN:
-			case XAUTH_ANSWER:
-				break;
-			/* Microsoft attributes */
-			case INTERNAL_IP4_SERVER:
-			case INTERNAL_IP6_SERVER:
-				break;
-			/* Cisco Unity attributes */
-			case UNITY_BANNER:
-			case UNITY_SAVE_PASSWD:
-			case UNITY_DEF_DOMAIN:
-			case UNITY_SPLITDNS_NAME:
-			case UNITY_SPLIT_INCLUDE:
-			case UNITY_NATT_PORT:
-			case UNITY_LOCAL_LAN:
-			case UNITY_PFS:
-			case UNITY_FW_TYPE:
-			case UNITY_BACKUP_SERVERS:
-			case UNITY_DDNS_HOSTNAME:
-				break;
-			default:
-				plog("unknown attribute type (%u)", attr_type);
-				continue;
-		}
-
-		/* add attribute */
-		if (attr.isaat_af_type & ISAKMP_ATTR_AF_TV)
-		{
-			ca = modecfg_attribute_create_tv(attr_type, attr_len);
-		}
-		else
-		{
-			attr_chunk = chunk_create(strattr.cur, attr_len);
-			ca = modecfg_attribute_create(attr_type, attr_chunk);
-		}
-		ca_list->insert_last(ca_list, ca);
-	}
-	return STF_OK;
-
-error:
-	plog("%N attribute has invalid size of %u octets",
-		 configuration_attribute_type_names, attr_type, attr_len);
-	return STF_FAIL;
-}
-
-/**
- * Parse a ModeCfg message
- */
-static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
-									u_int16_t *isama_id, linked_list_t *ca_list)
-{
-	modecfg_attribute_t *ca;
-	struct state *const st = md->st;
-	struct payload_digest *p;
-	stf_status stat;
-
-	st->st_msgid = md->hdr.isa_msgid;
-
-	CHECK_QUICK_HASH(md, modecfg_hash(hash_val, hash_pbs->roof,
-					 md->message_pbs.roof, st), "MODECFG-HASH", "ISAKMP_CFG_MSG");
-
-	/* process the ModeCfg payloads received */
-	for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next)
-	{
-		if (p->payload.attribute.isama_type == isama_type)
-		{
-			*isama_id = p->payload.attribute.isama_identifier;
-
-			stat = modecfg_parse_attributes(&p->pbs, ca_list);
-			if (stat == STF_OK)
-			{
-				/* return with a valid set of attributes */
-				return STF_OK;
-			}
-		}
-		else
-		{
-			plog("expected %s, got %s instead (ignored)"
-				, enum_name(&attr_msg_type_names, isama_type)
-				, enum_name(&attr_msg_type_names, p->payload.attribute.isama_type));
-
-			stat = modecfg_parse_attributes(&p->pbs, ca_list);
-		}
-
-		/* abort if a parsing error occurred */
-		if (stat != STF_OK)
-		{
-			ca_list->destroy_function(ca_list, (void*)modecfg_attribute_destroy);
-			return stat;
-		}
-
-		/* discard the parsed attributes and look for another payload */
-		while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) {}
-	}
-	return STF_IGNORE;
-}
-
-/**
- * Used in ModeCfg pull mode on the client (initiator)
- *   called in demux.c
- *   client -> CFG_REQUEST
- *   STF_OK transitions to STATE_MODE_CFG_I1
- */
-stf_status modecfg_send_request(struct state *st)
-{
-	connection_t *c = st->st_connection;
-	stf_status stat;
-	modecfg_attribute_t *ca;
-	enumerator_t *enumerator;
-	int family;
-	chunk_t value;
-	host_t *vip;
-	linked_list_t *ca_list = linked_list_create();
-
-	vip = c->spd.this.host_srcip;
-	value = vip->is_anyaddr(vip) ? chunk_empty : vip->get_address(vip);
-	family = vip->get_family(vip);
-	ca = modecfg_attribute_create((family == AF_INET) ?
-								   INTERNAL_IP4_ADDRESS : INTERNAL_IP6_ADDRESS,
-								   value);
-	ca_list->insert_last(ca_list, ca);
-
-	register_attribute_handlers(c);
-	enumerator = c->requested->create_enumerator(c->requested);
-	while (enumerator->enumerate(enumerator, &ca))
-	{
-		ca = modecfg_attribute_create(ca->type, chunk_empty);
-		ca_list->insert_last(ca_list, ca);
-	}
-	enumerator->destroy(enumerator);
-
-	plog("sending ModeCfg request");
-
-	st->st_state = STATE_MODE_CFG_I1;
-	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list);
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	if (stat == STF_OK)
-	{
-		st->st_modecfg.started = TRUE;
-	}
-	return stat;
-}
-
-/**
- * Used in ModeCfg pull mode on the server (responder)
- *   called in demux.c from STATE_MODE_CFG_R0
- *   server <- CFG_REQUEST
- *   server -> CFG_REPLY
- *   STF_OK transitions to  STATE_MODE_CFG_R0
- */
-stf_status modecfg_inR0(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	u_int16_t isama_id;
-	stf_status stat, stat_build;
-	linked_list_t *ca_list = linked_list_create();
-
-	plog("parsing ModeCfg request");
-
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list);
-	if (stat != STF_OK)
-	{
-		return stat;
-	}
-
-	/* build the CFG_REPLY */
-	get_attributes(st->st_connection, ca_list);
-
-	plog("sending ModeCfg reply");
-
-	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY,
-								   ca_list, isama_id);
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-
-	if (stat_build != STF_OK)
-	{
-		return stat_build;
-	}
-	st->st_msgid = 0;
-	return STF_OK;
-}
-
-/**
- * Used in ModeCfg pull mode on the client (initiator)
- *   called in demux.c from STATE_MODE_CFG_I1
- *   client <- CFG_REPLY
- *   STF_OK transitions to  STATE_MODE_CFG_I2
- */
-stf_status modecfg_inI1(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	u_int16_t isama_id;
-	stf_status stat;
-	linked_list_t *ca_list = linked_list_create();
-
-	plog("parsing ModeCfg reply");
-
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list);
-	if (stat != STF_OK)
-	{
-		return stat;
-	}
-	st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list);
-	st->st_msgid = 0;
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	return STF_OK;
-}
-
-/**
- * Used in ModeCfg push mode on the server (responder)
- *   called in demux.c
- *   server -> CFG_SET
- *   STF_OK transitions to STATE_MODE_CFG_R3
- */
-stf_status modecfg_send_set(struct state *st)
-{
-	stf_status stat;
-	linked_list_t *ca_list = linked_list_create();
-
-
-	plog("sending ModeCfg set");
-
-	get_attributes(st->st_connection, ca_list);
-	st->st_state = STATE_MODE_CFG_R3;
-	stat = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list);
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	if (stat == STF_OK)
-	{
-		st->st_modecfg.started = TRUE;
-	}
-	return stat;
-}
-
-/**
- * Used in ModeCfg push mode on the client (initiator)
- *   called in demux.c from STATE_MODE_CFG_I0
- *   client <- CFG_SET
- *   client -> CFG_ACK
- *   STF_OK transitions to  STATE_MODE_CFG_I3
- */
-stf_status modecfg_inI0(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	u_int16_t isama_id;
-	stf_status stat, stat_build;
-	modecfg_attribute_t *ca;
-	linked_list_t *ca_list, *ca_ack_list;
-
-	plog("parsing ModeCfg set");
-
-	ca_list = linked_list_create();
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list);
-	if (stat != STF_OK)
-	{
-		return stat;
-	}
-	register_attribute_handlers(st->st_connection);
-	st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list);
-
-	/* prepare ModeCfg ack which sends zero length attributes */
-	ca_ack_list = linked_list_create();
-	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
-	{
-		switch (ca->type)
-		{
-			case INTERNAL_IP4_ADDRESS:
-			case INTERNAL_IP4_DNS:
-			case INTERNAL_IP4_NBNS:
-			case APPLICATION_VERSION:
-			case INTERNAL_IP6_ADDRESS:
-			case INTERNAL_IP6_DNS:
-			case INTERNAL_IP6_NBNS:
-#ifdef CISCO_QUIRKS
-			case UNITY_BANNER:
-#endif
-				/* supported attributes */
-				ca->value.len = 0;
-				ca_ack_list->insert_last(ca_ack_list, ca);
-				break;
-			default:
-				/* unsupportd attributes */
-				modecfg_attribute_destroy(ca);
-		}
-	}
-	ca_list->destroy(ca_list);
-
-	plog("sending ModeCfg ack");
-
-	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK,
-								   ca_ack_list, isama_id);
-	ca_ack_list->destroy_function(ca_ack_list, (void *)modecfg_attribute_destroy);
-	if (stat_build != STF_OK)
-	{
-		return stat_build;
-	}
-	st->st_msgid = 0;
-	return STF_OK;
-}
-
-/**
- * Used in ModeCfg push mode on the server (responder)
- *   called in demux.c from STATE_MODE_CFG_R3
- *   server <- CFG_ACK
- *   STF_OK transitions to  STATE_MODE_CFG_R4
- */
-stf_status modecfg_inR3(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	u_int16_t isama_id;
-	stf_status stat;
-	linked_list_t *ca_list = linked_list_create();
-
-	plog("parsing ModeCfg ack");
-
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list);
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	if (stat != STF_OK)
-	{
-		return stat;
-	}
-	st->st_msgid = 0;
-	return STF_OK;
-}
-
-/**
- * Used on the XAUTH server (responder)
- *   called in demux.c
- *   server -> CFG_REQUEST
- *   STF_OK transitions to STATE_XAUTH_R1
- */
-stf_status xauth_send_request(struct state *st)
-{
-	stf_status stat;
-	modecfg_attribute_t *ca;
-	linked_list_t *ca_list = linked_list_create();
-
-	ca = modecfg_attribute_create(XAUTH_USER_NAME, chunk_empty);
-	ca_list->insert_last(ca_list, ca);
-	ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, chunk_empty);
-	ca_list->insert_last(ca_list, ca);
-
-	plog("sending XAUTH request");
-	st->st_state = STATE_XAUTH_R1;
-	stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list);
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	if (stat == STF_OK)
-	{
-		st->st_xauth.started = TRUE;
-	}
-	return stat;
-}
-
-/**
- * Used on the XAUTH client (initiator)
- *   called in demux.c from STATE_XAUTH_I0
- *   client <- CFG_REQUEST
- *   client -> CFG_REPLY
- *   STF_OK transitions to  STATE_XAUTH_I1
- */
-stf_status xauth_inI0(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	connection_t *c = st->st_connection;
-	u_int16_t isama_id;
-	stf_status stat, stat_build;
-	modecfg_attribute_t *ca;
-	bool xauth_user_name_present = FALSE;
-	bool xauth_user_password_present = FALSE;
-	bool xauth_type_present = FALSE;
-	chunk_t xauth_user_name, xauth_user_password;
-	identification_t *user_id;
-	linked_list_t *ca_list = linked_list_create();
-
-	plog("parsing XAUTH request");
-
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list);
-	if (stat != STF_OK)
-	{
-		return stat;
-	}
-
-	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
-	{
-		switch (ca->type)
-		{
-			case XAUTH_TYPE:
-				if (ca->value.len != XAUTH_TYPE_GENERIC)
-				{
-					plog("xauth type %s is not supported",
-						  enum_name(&xauth_type_names, ca->value.len));
-					stat = STF_FAIL;
-				}
-				else
-				{
-					xauth_type_present = TRUE;
-				}
-				break;
-			case XAUTH_USER_NAME:
-				xauth_user_name_present = TRUE;
-				break;
-			case XAUTH_USER_PASSWORD:
-				xauth_user_password_present = TRUE;
-				break;
-			case XAUTH_MESSAGE:
-				if (ca->value.len)
-				{
-					DBG(DBG_PARSING | DBG_CONTROLMORE,
-						DBG_log("   '%.*s'", ca->value.len, ca->value.ptr)
-					)
-				}
-				break;
-			default:
-				break;
-		}
-		modecfg_attribute_destroy(ca);
-	}
-
-	if (!xauth_user_name_present)
-	{
-		plog("user name attribute is missing in XAUTH request");
-		stat = STF_FAIL;
-	}
-	if (!xauth_user_password_present)
-	{
-		plog("user password attribute is missing in XAUTH request");
-		stat = STF_FAIL;
-	}
-
-	/* prepare XAUTH reply */
-	if (stat == STF_OK)
-	{
-		/* get user credentials using a plugin function */
-		if (!pluto->xauth->get_secret(pluto->xauth, c, &xauth_user_password))
-		{
-			plog("xauth user credentials not found");
-			stat = STF_FAIL;
-		}
-	}
-	if (stat == STF_OK)
-	{
-		/* insert xauth type if present */
-		if (xauth_type_present)
-		{
-			ca = modecfg_attribute_create_tv(XAUTH_TYPE, XAUTH_TYPE_GENERIC);
-			ca_list->insert_last(ca_list, ca);
-		}
-
-		/* insert xauth user name */
-		user_id = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id;
-		xauth_user_name = user_id->get_encoding(user_id);
-		DBG(DBG_CONTROL,
-			DBG_log("my xauth user name is '%.*s'", xauth_user_name.len,
-													xauth_user_name.ptr)
-		)
-		ca = modecfg_attribute_create(XAUTH_USER_NAME, xauth_user_name);
-		ca_list->insert_last(ca_list, ca);
-
-		/* insert xauth user password */
-		DBG(DBG_PRIVATE,
-			DBG_log("my xauth user password is '%.*s'",	xauth_user_password.len,
-														xauth_user_password.ptr)
-		)
-		ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, xauth_user_password);
-		ca_list->insert_last(ca_list, ca);
-		chunk_clear(&xauth_user_password);
-	}
-	else
-	{
-		ca = modecfg_attribute_create_tv(XAUTH_STATUS, XAUTH_STATUS_FAIL);
-		ca_list->insert_last(ca_list, ca);
-	}
-
-	plog("sending XAUTH reply");
-	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY,
-								   ca_list, isama_id);
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	if (stat_build != STF_OK)
-	{
-		return stat_build;
-	}
-	if (stat == STF_OK)
-	{
-		st->st_xauth.started = TRUE;
-		st->st_msgid = 0;
-		return STF_OK;
-	}
-	else
-	{
-		/* send XAUTH reply msg and then delete ISAKMP SA */
-		free(st->st_tpacket.ptr);
-		st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
-		st->st_tpacket = chunk_clone(st->st_tpacket);
-		send_packet(st, "XAUTH reply msg");
-		delete_state(st);
-		return STF_IGNORE;
-	}
-}
-
-/**
- *  Used on the XAUTH server (responder)
- *    called in demux.c from STATE_XAUTH_R1
-      server <- CFG_REPLY
-      server -> CFG_SET
-      STF_OK transitions to  STATE_XAUTH_R2
- */
-stf_status xauth_inR1(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	connection_t *c = st->st_connection;
-	u_int16_t isama_id;
-	stf_status stat, stat_build;
-	chunk_t xauth_user_name, xauth_user_password;
-	int xauth_status = XAUTH_STATUS_OK;
-	modecfg_attribute_t *ca;
-	linked_list_t *ca_list = linked_list_create();
-
-	plog("parsing XAUTH reply");
-
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list);
-	if (stat != STF_OK)
-	{
-		return stat;
-	}
-
-	/* initialize xauth_secret */
-	xauth_user_name = chunk_empty;
-	xauth_user_password = chunk_empty;
-
-	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
-	{
-		switch (ca->type)
-		{
-			case XAUTH_STATUS:
-				xauth_status = ca->value.len;
-				break;
-			case XAUTH_USER_NAME:
-				xauth_user_name = chunk_clone(ca->value);
-				break;
-			case XAUTH_USER_PASSWORD:
-				xauth_user_password = chunk_clone(ca->value);
-				break;
-			default:
-				break;
-		}
-		modecfg_attribute_destroy(ca);
-	}
-	/* did the client return an XAUTH FAIL status? */
-	if (xauth_status == XAUTH_STATUS_FAIL)
-	{
-		plog("received FAIL status in XAUTH reply");
-
-		/* client is not able to do XAUTH, delete ISAKMP SA */
-		free(xauth_user_name.ptr);
-		free(xauth_user_password.ptr);
-		delete_state(st);
-		ca_list->destroy(ca_list);
-		return STF_IGNORE;
-	}
-
-	/* check XAUTH reply */
-	if (xauth_user_name.ptr == NULL)
-	{
-		plog("user name attribute is missing in XAUTH reply");
-		st->st_xauth.status = FALSE;
-	}
-	else if (xauth_user_password.ptr == NULL)
-	{
-		plog("user password attribute is missing in XAUTH reply");
-		st->st_xauth.status = FALSE;
-	}
-	else
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("peer xauth user name is '%.*s'", xauth_user_name.len,
-													  xauth_user_name.ptr)
-		)
-		DESTROY_IF(c->xauth_identity);
-		c->xauth_identity = identification_create_from_data(xauth_user_name);
-
-		DBG(DBG_PRIVATE,
-			DBG_log("peer xauth user password is '%.*s'", xauth_user_password.len,
-														  xauth_user_password.ptr)
-		)
-		/* verify the user credentials using a plugin function */
-		st->st_xauth.status = pluto->xauth->verify_secret(pluto->xauth, c,
-														  xauth_user_password);
-		plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
-	}
-	chunk_clear(&xauth_user_name);
-	chunk_clear(&xauth_user_password);
-
-	plog("sending XAUTH status");
-	xauth_status = (st->st_xauth.status) ? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
-	ca = modecfg_attribute_create_tv(XAUTH_STATUS, xauth_status);
-	ca_list->insert_last(ca_list, ca);
-	stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list);
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	if (stat_build != STF_OK)
-	{
-		return stat_build;
-	}
-	return STF_OK;
-}
-
-/**
- * Used on the XAUTH client (initiator)
- *   called in demux.c from STATE_XAUTH_I1
- *   client <- CFG_SET
- *   client -> CFG_ACK
- *   STF_OK transitions to  STATE_XAUTH_I2
- */
-stf_status xauth_inI1(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	u_int16_t isama_id;
-	stf_status stat, stat_build;
-	modecfg_attribute_t *ca;
-	linked_list_t *ca_list = linked_list_create();
-
-	plog("parsing XAUTH status");
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list);
-	if (stat != STF_OK)
-	{
-		/* notification payload - not exactly the right choice, but okay */
-		md->note = ISAKMP_ATTRIBUTES_NOT_SUPPORTED;
-		return stat;
-	}
-
-	st->st_xauth.status = FALSE;
-	while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS)
-	{
-		if (ca->type == XAUTH_STATUS)
-		{
-			st->st_xauth.status = (ca->value.len == XAUTH_STATUS_OK);
-		}
-		modecfg_attribute_destroy(ca);
-	}
-	plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
-
-	plog("sending XAUTH ack");
-	stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK, ca_list, isama_id);
-	ca_list->destroy(ca_list);
-
-	if (stat_build != STF_OK)
-	{
-		return stat_build;
-	}
-	if (st->st_xauth.status)
-	{
-		st->st_msgid = 0;
-		return STF_OK;
-	}
-	else
-	{
-		/* send XAUTH ack msg and then delete ISAKMP SA */
-		free(st->st_tpacket.ptr);
-		st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
-		st->st_tpacket = chunk_clone(st->st_tpacket);
-		send_packet(st, "XAUTH ack msg");
-		delete_state(st);
-		return STF_IGNORE;
-	}
-}
-
-/**
- * Used on the XAUTH server (responder)
- *   called in demux.c from STATE_XAUTH_R2
- *   server <- CFG_ACK
- *   STF_OK transitions to  STATE_XAUTH_R3
- */
-stf_status xauth_inR2(struct msg_digest *md)
-{
-	struct state *const st = md->st;
-	u_int16_t isama_id;
-	stf_status stat;
-	linked_list_t *ca_list = linked_list_create();
-
-	plog("parsing XAUTH ack");
-
-	stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list);
-	if (stat != STF_OK)
-	{
-		return stat;
-	}
-	ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
-	st->st_msgid = 0;
-	if (st->st_xauth.status)
-	{
-		return STF_OK;
-	}
-	else
-	{
-		delete_state(st);
-		return STF_IGNORE;
-	}
-
-}
diff --git a/src/pluto/modecfg.h b/src/pluto/modecfg.h
deleted file mode 100644
index 7adf18682..000000000
--- a/src/pluto/modecfg.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/* Mode Config related functions
- * Copyright (C) 2001-2002 Colubris Networks
- * Copyright (C) 2003-2004 Xelerance Corporation
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _MODECFG_H
-#define _MODECFG_H
-
-#include <chunk.h>
-#include <attributes/attribute_handler.h>
-
-#include "state.h"
-#include "demux.h"
-
-typedef struct modecfg_attribute_t modecfg_attribute_t;
-
-/**
- * Defines a modecfg_attribute_t object.
- */
-struct modecfg_attribute_t {
-	/**
-	 * Type of the attribute.
-	 */
-	u_int16_t type;
-
-	/**
-	 * Attribute is coded as TV
-	 */
-	bool is_tv;
-
-	/**
-	 * Attribute value as chunk.
-	 */
-	chunk_t value;
-
-	/**
-	 * Attribute handler.
-	 */
-	attribute_handler_t *handler;
-};
-
-/* Destroys a modecfg_attribute_t object */
-extern void modecfg_attribute_destroy(modecfg_attribute_t *this);
-
-/* ModeConfig pull mode start function */
-extern stf_status modecfg_send_request(struct state *st);
-
-/* ModeConfig pull mode state transition functions */
-extern stf_status modecfg_inR0(struct msg_digest *md);
-extern stf_status modecfg_inI1(struct msg_digest *md);
-
-/* ModeConfig push mode start function */
-extern stf_status modecfg_send_set(struct state *st);
-
-/* ModeConfig push mode state transition functions */
-extern stf_status modecfg_inI0(struct msg_digest *md);
-extern stf_status modecfg_inR3(struct msg_digest *md);
-
-/* XAUTH start function */
-extern stf_status xauth_send_request(struct state *st);
-
-/* XAUTH state transition funcgtions */
-extern stf_status xauth_inI0(struct msg_digest *md);
-extern stf_status xauth_inR1(struct msg_digest *md);
-extern stf_status xauth_inI1(struct msg_digest *md);
-extern stf_status xauth_inR2(struct msg_digest *md);
-
-#endif /* _MODECFG_H */
diff --git a/src/pluto/myid.c b/src/pluto/myid.c
deleted file mode 100644
index c90d14ef8..000000000
--- a/src/pluto/myid.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
- * Copyright (C) 1999-2001  D. Hugh Redelmeier
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <errno.h>
-#include <unistd.h>
-
-#ifndef HOST_NAME_MAX        /* POSIX 1003.1-2001 says <unistd.h> defines this */
-# define HOST_NAME_MAX  255 /* upper bound, according to SUSv2 */
-#endif
-
-#include <utils/identification.h>
-
-#include <freeswan.h>
-
-#include "myid.h"
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "connections.h"
-#include "packet.h"
-#include "whack.h"
-
-enum myid_state myid_state = MYID_UNKNOWN;
-
-identification_t *myids[MYID_SPECIFIED+1];    /* %myid */
-
-/**
- * Fills in myid from environment variable IPSECmyid or defaultrouteaddr
- */
-void init_myid(void)
-{
-	myid_state = MYID_UNKNOWN;
-	{
-		enum myid_state s;
-
-		for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
-		{
-			myids[s] = identification_create_from_string("%any");
-		}
-	}
-	set_myid(MYID_SPECIFIED, getenv("IPSECmyid"));
-	set_myid(MYID_IP, getenv("defaultrouteaddr"));
-	set_myFQDN();
-}
-
-/**
- *  Free myid module
- */
-void free_myid(void)
-{
-	enum myid_state s;
-
-	for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
-	{
-		DESTROY_IF(myids[s]);
-	}
-}
-
-void set_myid(enum myid_state s, char *idstr)
-{
-	if (idstr)
-	{
-		myids[s]->destroy(myids[s]);
-		myids[s] = identification_create_from_string(idstr);
-		if (s == MYID_SPECIFIED)
-		{
-				myid_state = MYID_SPECIFIED;
-		}
-	}
-}
-
-void set_myFQDN(void)
-{
-	char FQDN[HOST_NAME_MAX + 1];
-	int r = gethostname(FQDN, sizeof(FQDN));
-	size_t len;
-
-	if (r != 0)
-	{
-		log_errno((e, "gethostname() failed in set_myFQDN"));
-	}
-	else
-	{
-		FQDN[sizeof(FQDN) - 1] = '\0';  /* insurance */
-		len = strlen(FQDN);
-
-		if (len > 0 && FQDN[len-1] == '.')
-		{
-			/* nuke trailing . */
-			FQDN[len-1] = '\0';
-		}
-		if (!strcaseeq(FQDN, "localhost.localdomain"))
-		{
-			myids[MYID_HOSTNAME]->destroy(myids[MYID_HOSTNAME]);
-			myids[MYID_HOSTNAME] = identification_create_from_string(FQDN);
-		}
-	}
-}
-
-void show_myid_status(void)
-{
-	whack_log(RC_COMMENT, "%%myid = '%Y'", myids[myid_state]);
-}
-
-/*
- * Local Variables:
- * c-basic-offset:4
- * c-style: pluto
- * End:
- */
diff --git a/src/pluto/myid.h b/src/pluto/myid.h
deleted file mode 100644
index 012a34968..000000000
--- a/src/pluto/myid.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
- * Copyright (C) 1999-2001  D. Hugh Redelmeier
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _MYID_H
-#define _MYID_H
-
-#include <utils/identification.h>
-
-extern void init_myid(void);
-extern void free_myid(void);
-
-enum myid_state {
-	MYID_UNKNOWN,       /* not yet figured out */
-	MYID_HOSTNAME,      /* our current hostname */
-	MYID_IP,            /* our default IP address */
-	MYID_SPECIFIED      /* as specified by ipsec.conf */
-};
-
-extern enum myid_state myid_state;
-extern identification_t* myids[MYID_SPECIFIED+1];  /* %myid */
-extern void set_myid(enum myid_state s, char *);
-extern void show_myid_status(void);
-extern void set_myFQDN(void);
-
-#define resolve_myid(id) ((id)->get_type(id) == ID_MYID? myids[myid_state] : (id))
-
-#endif /* _MYID_H */
diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
deleted file mode 100644
index 28be76825..000000000
--- a/src/pluto/nat_traversal.c
+++ /dev/null
@@ -1,845 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2002-2005 Mathieu Lafon
- * Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-#include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
-#include <sys/queue.h>
-
-#include <library.h>
-#include <crypto/hashers/hasher.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "server.h"
-#include "state.h"
-#include "connections.h"
-#include "packet.h"
-#include "demux.h"
-#include "kernel.h"
-#include "whack.h"
-#include "timer.h"
-#include "cookie.h"
-#include "crypto.h"
-#include "vendor.h"
-#include "ike_alg.h"
-#include "nat_traversal.h"
-
-/* #define FORCE_NAT_TRAVERSAL */
-#define NAT_D_DEBUG
-#define NAT_T_SUPPORT_LAST_DRAFTS
-
-#ifndef SOL_UDP
-#define SOL_UDP 17
-#endif
-
-#ifndef UDP_ESPINUDP
-#define UDP_ESPINUDP    100
-#endif
-
-#define DEFAULT_KEEP_ALIVE_PERIOD  20
-
-#ifdef _IKE_ALG_H
-/* Alg patch: hash_digest_len -> hash_digest_size */
-#define hash_digest_len hash_digest_size
-#endif
-
-bool nat_traversal_enabled = FALSE;
-bool nat_traversal_support_non_ike = FALSE;
-bool nat_traversal_support_port_floating = FALSE;
-
-static unsigned int _kap = 0;
-static unsigned int _ka_evt = 0;
-static bool _force_ka = 0;
-
-static const char *natt_version = "0.6c";
-
-void init_nat_traversal (bool activate, unsigned int keep_alive_period,
-		bool fka, bool spf)
-{
-	nat_traversal_enabled = activate;
-	nat_traversal_support_non_ike = activate;
-#ifdef NAT_T_SUPPORT_LAST_DRAFTS
-	nat_traversal_support_port_floating = activate ? spf : FALSE;
-#endif
-	_force_ka = fka;
-	_kap = keep_alive_period ? keep_alive_period : DEFAULT_KEEP_ALIVE_PERIOD;
-	plog("  including NAT-Traversal patch (Version %s)%s%s%s"
-		 , natt_version, activate ? "" : " [disabled]"
-		 , activate & fka ? " [Force KeepAlive]" : ""
-		 , activate & !spf ? " [Port Floating disabled]" : "");
-}
-
-static void disable_nat_traversal (int type)
-{
-	if (type == ESPINUDP_WITH_NON_IKE)
-		nat_traversal_support_non_ike = FALSE;
-	else
-		nat_traversal_support_port_floating = FALSE;
-
-	if (!nat_traversal_support_non_ike &&
-		!nat_traversal_support_port_floating)
-			nat_traversal_enabled = FALSE;
-}
-
-static void _natd_hash(const struct hash_desc *oakley_hasher, char *hash,
-		u_int8_t *icookie, u_int8_t *rcookie,
-		const ip_address *ip, u_int16_t port)
-{
-	if (is_zero_cookie(icookie))
-	{
-		DBG_log("_natd_hash: Warning, icookie is zero !!");
-	}
-	if (is_zero_cookie(rcookie))
-	{
-		DBG_log("_natd_hash: Warning, rcookie is zero !!");
-	}
-
-	/**
-	 * draft-ietf-ipsec-nat-t-ike-01.txt
-	 *
-	 *   HASH = HASH(CKY-I | CKY-R | IP | Port)
-	 *
-	 * All values in network order
-	 */
-	{
-		chunk_t icookie_chunk = { icookie, COOKIE_SIZE };
-		chunk_t rcookie_chunk = { rcookie, COOKIE_SIZE };
-		chunk_t port_chunk = chunk_from_thing(port);
-		chunk_t addr_chunk;
-		hash_algorithm_t hash_alg;
-		hasher_t *hasher;
-		size_t hash_size;
-
-		hash_alg = oakley_to_hash_algorithm(oakley_hasher->algo_id);
-		hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-		hasher->get_hash(hasher, icookie_chunk, NULL);
-		hasher->get_hash(hasher, rcookie_chunk, NULL);
-		switch (addrtypeof(ip))
-		{
-			case AF_INET:
-				addr_chunk = chunk_from_thing(ip->u.v4.sin_addr.s_addr);
-				break;
-			case AF_INET6:
-				addr_chunk = chunk_from_thing(ip->u.v6.sin6_addr.s6_addr);
-				break;
-			default:
-				addr_chunk = chunk_empty; /* should never occur */
-		}
-		hasher->get_hash(hasher, addr_chunk, NULL);
-		hasher->get_hash(hasher, port_chunk, hash);
-		hash_size = hasher->get_hash_size(hasher);
-		hasher->destroy(hasher);
-#ifdef NAT_D_DEBUG
-		DBG(DBG_NATT,
-			DBG_dump_chunk("_natd_hash: icookie=", icookie_chunk);
-			DBG_dump_chunk("_natd_hash: rcookie=", rcookie_chunk);
-			DBG_dump_chunk("_natd_hash: ip=", addr_chunk);
-			DBG_log("_natd_hash: port=%d", port);
-			DBG_dump("_natd_hash: hash=", hash, hash_size);
-		)
-#endif
-	}
-}
-
-/* Add NAT-Traversal VIDs (supported ones)
- * used when we are Initiator
- */
-bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs)
-{
-	bool r = TRUE;
-
-	if (nat_traversal_support_port_floating)
-	{
-		u_int8_t last_np = nat_traversal_support_non_ike ?
-								ISAKMP_NEXT_VID : np;
-
-		if (r)
-			r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_RFC);
-		if (r)
-			r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
-		if (r)
-			r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_02);
-		if (r)
-			r = out_vendorid(last_np, outs, VID_NATT_IETF_02_N);
-	}
-	if (nat_traversal_support_non_ike)
-	{
-		if (r)
-			r = out_vendorid(np, outs, VID_NATT_IETF_00);
-	}
-	return r;
-}
-
-u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid)
-{
-	switch (nat_t_vid)
-	{
-	case VID_NATT_IETF_00:
-		return LELEM(NAT_TRAVERSAL_IETF_00_01);
-	case VID_NATT_IETF_02:
-	case VID_NATT_IETF_02_N:
-	case VID_NATT_IETF_03:
-		return LELEM(NAT_TRAVERSAL_IETF_02_03);
-	case VID_NATT_RFC:
-		return LELEM(NAT_TRAVERSAL_RFC);
-	}
-	return 0;
-}
-
-void nat_traversal_natd_lookup(struct msg_digest *md)
-{
-	char hash[MAX_DIGEST_LEN];
-	struct payload_digest *p;
-	struct state *st = md->st;
-	int i;
-
-	if (!st || !md->iface || !st->st_oakley.hasher)
-	{
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-				, __FILE__, __LINE__);
-		return;
-	}
-
-	/** Count NAT-D **/
-	for (p = md->chain[ISAKMP_NEXT_NATD_RFC], i=0; p != NULL; p = p->next, i++);
-
-	/*
-	 * We need at least 2 NAT-D (1 for us, many for peer)
-	 */
-	if (i < 2)
-	{
-		loglog(RC_LOG_SERIOUS,
-			"NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negotiation", i);
-		st->nat_traversal = 0;
-		return;
-	}
-
-	/*
-	 * First one with my IP & port
-	 */
-	p = md->chain[ISAKMP_NEXT_NATD_RFC];
-	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
-		&(md->iface->addr), ntohs(st->st_connection->spd.this.host_port));
-
-	if (!(pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
-		  memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len)))
-	{
-#ifdef NAT_D_DEBUG
-		DBG(DBG_NATT,
-			DBG_log("NAT_TRAVERSAL_NAT_BHND_ME");
-			DBG_dump("expected NAT-D:", hash
-						, st->st_oakley.hasher->hash_digest_len);
-			DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
-		)
-#endif
-		st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
-	}
-
-	/*
-	 * The others with sender IP & port
-	 */
-	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
-				&(md->sender), ntohs(md->sender_port));
-	for (p = p->next, i=0 ; p != NULL; p = p->next)
-	{
-		if (pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
-			memeq(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len))
-		{
-			i++;
-		}
-	}
-	if (!i)
-	{
-#ifdef NAT_D_DEBUG
-		DBG(DBG_NATT,
-			DBG_log("NAT_TRAVERSAL_NAT_BHND_PEER");
-			DBG_dump("expected NAT-D:", hash
-						, st->st_oakley.hasher->hash_digest_len);
-			p = md->chain[ISAKMP_NEXT_NATD_RFC];
-			for (p = p->next, i=0 ; p != NULL; p = p->next)
-			{
-				DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
-			}
-		)
-#endif
-		st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
-	}
-#ifdef FORCE_NAT_TRAVERSAL
-	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
-	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
-#endif
-}
-
-bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
-		struct msg_digest *md)
-{
-	char hash[MAX_DIGEST_LEN];
-	struct state *st = md->st;
-
-	if (!st || !st->st_oakley.hasher)
-	{
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-						, __FILE__, __LINE__);
-		return FALSE;
-	}
-
-	DBG(DBG_EMITTING,
-		DBG_log("sending NATD payloads")
-	)
-
-	/*
-	 * First one with sender IP & port
-	 */
-	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
-		is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
-		&(md->sender),
-#ifdef FORCE_NAT_TRAVERSAL
-		0
-#else
-		ntohs(md->sender_port)
-#endif
-	);
-	if (!out_generic_raw((st->nat_traversal & NAT_T_WITH_RFC_VALUES
-		? ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS), &isakmp_nat_d, outs,
-		hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"))
-	{
-		return FALSE;
-	}
-
-	/*
-	 * Second one with my IP & port
-	 */
-	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
-		is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
-		&(md->iface->addr),
-#ifdef FORCE_NAT_TRAVERSAL
-		0
-#else
-		ntohs(st->st_connection->spd.this.host_port)
-#endif
-	);
-	return (out_generic_raw(np, &isakmp_nat_d, outs,
-		hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"));
-}
-
-/*
- * nat_traversal_natoa_lookup()
- *
- * Look for NAT-OA in message
- */
-void nat_traversal_natoa_lookup(struct msg_digest *md)
-{
-	struct payload_digest *p;
-	struct state *st = md->st;
-	int i;
-	ip_address ip;
-
-	if (!st || !md->iface)
-	{
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-				, __FILE__, __LINE__);
-		return;
-	}
-
-	/* Initialize NAT-OA */
-	anyaddr(AF_INET, &st->nat_oa);
-
-	/* Count NAT-OA **/
-	for (p = md->chain[ISAKMP_NEXT_NATOA_RFC], i=0; p != NULL; p = p->next, i++);
-
-	DBG(DBG_NATT,
-		DBG_log("NAT-Traversal: received %d NAT-OA.", i)
-	)
-
-	if (i == 0)
-		return;
-
-	if (!(st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER)))
-	{
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
-						"ignored because peer is not NATed", i);
-		return;
-	}
-
-	if (i > 1)
-	{
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
-				"using first, ignoring others", i);
-	}
-
-	/* Take first */
-	p = md->chain[ISAKMP_NEXT_NATOA_RFC];
-
-	DBG(DBG_PARSING,
-		DBG_dump("NAT-OA:", p->pbs.start, pbs_room(&p->pbs));
-	);
-
-	switch (p->payload.nat_oa.isanoa_idtype)
-	{
-	case ID_IPV4_ADDR:
-		if (pbs_left(&p->pbs) == sizeof(struct in_addr))
-		{
-			initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET, &ip);
-		}
-		else
-		{
-			loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv4 NAT-OA "
-						"with invalid IP size (%d)", (int)pbs_left(&p->pbs));
-			return;
-		}
-		break;
-	case ID_IPV6_ADDR:
-		if (pbs_left(&p->pbs) == sizeof(struct in6_addr))
-		{
-			initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET6, &ip);
-		}
-		else
-		{
-			loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv6 NAT-OA "
-						"with invalid IP size (%d)", (int)pbs_left(&p->pbs));
-			return;
-		}
-		break;
-	default:
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
-						"invalid ID Type (%d) in NAT-OA - ignored",
-						p->payload.nat_oa.isanoa_idtype);
-			return;
-	}
-
-	DBG(DBG_NATT,
-		{
-			char ip_t[ADDRTOT_BUF];
-			addrtot(&ip, 0, ip_t, sizeof(ip_t));
-
-			DBG_log("received NAT-OA: %s", ip_t);
-		}
-	)
-
-	if (isanyaddr(&ip))
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %%any NAT-OA...");
-	else
-		st->nat_oa = ip;
-}
-
-bool nat_traversal_add_natoa(u_int8_t np, pb_stream *outs,
-		struct state *st)
-{
-	struct isakmp_nat_oa natoa;
-	pb_stream pbs;
-	unsigned char ip_val[sizeof(struct in6_addr)];
-	size_t ip_len = 0;
-	ip_address *ip;
-
-	if ((!st) || (!st->st_connection))
-	{
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
-						, __FILE__, __LINE__);
-		return FALSE;
-	}
-	ip = &(st->st_connection->spd.this.host_addr);
-
-	memset(&natoa, 0, sizeof(natoa));
-	natoa.isanoa_np = np;
-
-	switch (addrtypeof(ip))
-	{
-	case AF_INET:
-		ip_len = sizeof(ip->u.v4.sin_addr.s_addr);
-		memcpy(ip_val, &ip->u.v4.sin_addr.s_addr, ip_len);
-		natoa.isanoa_idtype = ID_IPV4_ADDR;
-		break;
-	case AF_INET6:
-		ip_len = sizeof(ip->u.v6.sin6_addr.s6_addr);
-		memcpy(ip_val, &ip->u.v6.sin6_addr.s6_addr, ip_len);
-		natoa.isanoa_idtype = ID_IPV6_ADDR;
-		break;
-	default:
-		loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
-						"invalid addrtypeof()=%d", addrtypeof(ip));
-		return FALSE;
-	}
-
-	if (!out_struct(&natoa, &isakmp_nat_oa, outs, &pbs))
-		return FALSE;
-
-	if (!out_raw(ip_val, ip_len, &pbs, "NAT-OA"))
-		return FALSE;
-
-	DBG(DBG_NATT,
-		DBG_dump("NAT-OA (S):", ip_val, ip_len)
-	)
-
-	close_output_pbs(&pbs);
-	return TRUE;
-}
-
-void nat_traversal_show_result (u_int32_t nt, u_int16_t sport)
-{
-	const char *mth = NULL, *rslt = NULL;
-
-	switch (nt & NAT_TRAVERSAL_METHOD)
-	{
-	case LELEM(NAT_TRAVERSAL_IETF_00_01):
-		mth = natt_type_bitnames[0];
-		break;
-	case LELEM(NAT_TRAVERSAL_IETF_02_03):
-		mth = natt_type_bitnames[1];
-		break;
-	case LELEM(NAT_TRAVERSAL_RFC):
-		mth = natt_type_bitnames[2];
-		break;
-	}
-
-	switch (nt & NAT_T_DETECTED)
-	{
-	case 0:
-		rslt = "no NAT detected";
-		break;
-	case LELEM(NAT_TRAVERSAL_NAT_BHND_ME):
-		rslt = "i am NATed";
-		break;
-	case LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
-		rslt = "peer is NATed";
-		break;
-	case LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
-		rslt = "both are NATed";
-		break;
-	}
-
-	loglog(RC_LOG_SERIOUS,
-		"NAT-Traversal: Result using %s: %s",
-		mth ? mth : "unknown method",
-		rslt ? rslt : "unknown result"
-	);
-
-	if ((nt & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER))
-	&&  (sport == IKE_UDP_PORT)
-	&&  ((nt & NAT_T_WITH_PORT_FLOATING)==0))
-	{
-		loglog(RC_LOG_SERIOUS,
-				"Warning: peer is NATed but source port is still udp/%d. "
-				"Ipsec-passthrough NAT device suspected -- NAT-T may not work.",
-				IKE_UDP_PORT
-		);
-	}
-}
-
-int nat_traversal_espinudp_socket (int sk, u_int32_t type)
-{
-	int r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
-
-	if (r < 0 && errno == ENOPROTOOPT)
-	{
-		loglog(RC_LOG_SERIOUS,
-				"NAT-Traversal: ESPINUDP(%d) not supported by kernel -- "
-				"NAT-T disabled", type);
-		disable_nat_traversal(type);
-	}
-	return r;
-}
-
-void nat_traversal_new_ka_event (void)
-{
-	if (_ka_evt)
-		return;  /* event already scheduled */
-
-	event_schedule(EVENT_NAT_T_KEEPALIVE, _kap, NULL);
-	_ka_evt = 1;
-}
-
-static void nat_traversal_send_ka (struct state *st)
-{
-	static unsigned char ka_payload = 0xff;
-	chunk_t sav;
-
-	DBG(DBG_NATT,
-		DBG_log("ka_event: send NAT-KA to %s:%d",
-				ip_str(&st->st_connection->spd.that.host_addr),
-				st->st_connection->spd.that.host_port);
-	)
-
-	/* save state chunk */
-	sav = st->st_tpacket;
-
-	/* send keep alive */
-	st->st_tpacket = chunk_create(&ka_payload, 1);
-	send_packet(st, "NAT-T Keep Alive");
-
-	/* restore state chunk */
-	st->st_tpacket = sav;
-}
-
-/**
- * Find ISAKMP States with NAT-T and send keep-alive
- */
-static void nat_traversal_ka_event_state (struct state *st, void *data)
-{
-	unsigned int *_kap_st = (unsigned int *)data;
-	const connection_t *c = st->st_connection;
-
-	if (!c)
-		return;
-
-	if ((st->st_state == STATE_MAIN_R3 || st->st_state == STATE_MAIN_I4)
-	&&  (st->nat_traversal & NAT_T_DETECTED)
-	&&  ((st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
-	{
-		/*
-		 * - ISAKMP established
-		 * - NAT-Traversal detected
-		 * - NAT-KeepAlive needed (we are NATed)
-		 */
-		if (c->newest_isakmp_sa != st->st_serialno)
-		{
-			/*
-			 * if newest is also valid, ignore this one, we will only use
-			 * newest.
-			 */
-			struct state *st_newest;
-
-			st_newest = state_with_serialno(c->newest_isakmp_sa);
-			if (st_newest
-			&& (st_newest->st_state == STATE_MAIN_R3 || st_newest->st_state == STATE_MAIN_I4)
-			&& (st_newest->nat_traversal & NAT_T_DETECTED)
-			&& ((st_newest->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
-			{
-				return;
-			}
-		}
-		set_cur_state(st);
-		nat_traversal_send_ka(st);
-		reset_cur_state();
-		(*_kap_st)++;
-	}
-}
-
-void nat_traversal_ka_event (void)
-{
-	unsigned int _kap_st = 0;
-
-	_ka_evt = 0;  /* ready to be reschedule */
-
-	for_each_state((void *)nat_traversal_ka_event_state, &_kap_st);
-
-	/* if there are still states who needs Keep-Alive, schedule new event */
-	if (_kap_st)
-		nat_traversal_new_ka_event();
-}
-
-struct _new_mapp_nfo {
-		ip_address addr;
-		u_int16_t sport, dport;
-};
-
-static void nat_traversal_find_new_mapp_state (struct state *st, void *data)
-{
-	connection_t *c = st->st_connection;
-	struct _new_mapp_nfo *nfo = (struct _new_mapp_nfo *)data;
-
-	if (c != NULL
-	&& sameaddr(&c->spd.that.host_addr, &(nfo->addr))
-	&&  c->spd.that.host_port == nfo->sport)
-	{
-
-		/* change host port */
-		c->spd.that.host_port = nfo->dport;
-
-		if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-		||  IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
-		{
-			if (!update_ipsec_sa(st))
-			{
-				/*
-				 * If ipsec update failed, restore old port or we'll
-				 * not be able to update anymore.
-				 */
-				c->spd.that.host_port = nfo->sport;
-			}
-		}
-	}
-}
-
-static int nat_traversal_new_mapping(const ip_address *src, u_int16_t sport,
-		const ip_address *dst, u_int16_t dport)
-{
-	char srca[ADDRTOT_BUF], dsta[ADDRTOT_BUF];
-	struct _new_mapp_nfo nfo;
-
-	addrtot(src, 0, srca, ADDRTOT_BUF);
-	addrtot(dst, 0, dsta, ADDRTOT_BUF);
-
-	if (!sameaddr(src, dst))
-	{
-		loglog(RC_LOG_SERIOUS, "nat_traversal_new_mapping: "
-				"address change currently not supported [%s:%d,%s:%d]",
-				srca, sport, dsta, dport);
-		return -1;
-	}
-
-	if (sport == dport)
-	{
-		/* no change */
-		return 0;
-	}
-
-	DBG_log("NAT-T: new mapping %s:%d/%d)", srca, sport, dport);
-
-	nfo.addr = *src;
-	nfo.sport = sport;
-	nfo.dport = dport;
-
-	for_each_state((void *)nat_traversal_find_new_mapp_state, &nfo);
-
-	return 0;
-}
-
-void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st)
-{
-	connection_t *c = st ? st->st_connection : NULL;
-	struct iface *i = NULL;
-
-	if ((st == NULL) || (c == NULL))
-		return;
-
-	if (md)
-	{
-		/*
-		 * If source port has changed, update (including other states and
-		 * established kernel SA)
-		 */
-		if (c->spd.that.host_port != md->sender_port)
-		{
-			nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
-						&c->spd.that.host_addr, md->sender_port);
-		}
-
-		/*
-		 * If interface type has changed, update local port (500/4500)
-		 */
-		if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !md->iface->ike_float)
-		||  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT &&  md->iface->ike_float))
-		{
-			c->spd.this.host_port = (md->iface->ike_float)
-				? NAT_T_IKE_FLOAT_PORT : pluto_port;
-
-			DBG(DBG_NATT,
-				DBG_log("NAT-T: updating local port to %d", c->spd.this.host_port);
-			);
-		}
-	}
-
-	/*
-	 * If we're initiator and NAT-T (with port floating) is detected, we
-	 * need to change port (MAIN_I3 or QUICK_I1)
-	 */
-	if ((st->st_state == STATE_MAIN_I3 || st->st_state == STATE_QUICK_I1)
-	&&  (st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
-	&&  (st->nat_traversal & NAT_T_DETECTED)
-	&&  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT))
-	{
-		DBG(DBG_NATT,
-			DBG_log("NAT-T: floating to port %d", NAT_T_IKE_FLOAT_PORT);
-		)
-		c->spd.this.host_port = NAT_T_IKE_FLOAT_PORT;
-		c->spd.that.host_port = NAT_T_IKE_FLOAT_PORT;
-		/*
-		 * Also update pending connections or they will be deleted if uniqueids
-		 * option is set.
-		 */
-		update_pending(st, st);
-	}
-
-	/*
-	 * Find valid interface according to local port (500/4500)
-	 */
-	if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !c->interface->ike_float)
-	||  (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT &&  c->interface->ike_float))
-	{
-		for (i = interfaces; i !=  NULL; i = i->next)
-		{
-			if (sameaddr(&c->interface->addr, &i->addr)
-			&& i->ike_float != c->interface->ike_float)
-			{
-				DBG(DBG_NATT,
-					DBG_log("NAT-T: using interface %s:%d", i->rname,
-						i->ike_float ? NAT_T_IKE_FLOAT_PORT : pluto_port);
-				)
-				c->interface = i;
-				break;
-			}
-		}
-	}
-}
-
-struct _new_kernel_mapp_nfo {
-		u_int32_t reqid;
-		u_int32_t spi;
-		ip_address *addr;
-};
-
-static void nat_t_new_kernel_mapp (struct state *st, void *data)
-{
-	connection_t *c = st->st_connection;
-	struct _new_kernel_mapp_nfo *nfo = (struct _new_kernel_mapp_nfo *)data;
-
-	if (c != NULL && st->st_esp.present
-		&&  nfo->spi == st->st_esp.our_spi
-		&&  nfo->reqid == c->spd.reqid)
-	{
-		u_int16_t port = ntohs(portof(nfo->addr));
-
-		DBG(DBG_NATT, {
-			char text_said[SATOT_BUF];
-			char olda[ADDRTOT_BUF];
-			char newa[ADDRTOT_BUF];
-			ip_said said;
-
-			initsaid(&c->spd.that.host_addr, nfo->spi, SA_ESP, &said);
-			satot(&said, 0, text_said, SATOT_BUF);
-			addrtot(&c->spd.that.host_addr, 0, olda, ADDRTOT_BUF);
-			addrtot(nfo->addr, 0, newa, ADDRTOT_BUF);
-
-			DBG_log("new kernel mapping %s %s:%d %s:%d",
-					text_said, olda, c->spd.that.host_port, newa, port);
-		})
-
-		nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
-								  nfo->addr, port);
-	}
-}
-
-void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi,
-							   ip_address *new_end)
-{
-	struct _new_kernel_mapp_nfo nfo = {
-		.reqid = reqid,
-		.spi = spi,
-		.addr = new_end,
-	};
-	for_each_state((void *)nat_t_new_kernel_mapp, &nfo);
-}
-
diff --git a/src/pluto/nat_traversal.h b/src/pluto/nat_traversal.h
deleted file mode 100644
index 80bdaf787..000000000
--- a/src/pluto/nat_traversal.h
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2002-2003 Mathieu Lafon
- * Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _NAT_TRAVERSAL_H
-#define _NAT_TRAVERSAL_H
-
-#include "packet.h"
-
-#define NAT_TRAVERSAL_IETF_00_01     1
-#define NAT_TRAVERSAL_IETF_02_03     2
-#define NAT_TRAVERSAL_RFC            3
-
-#define NAT_TRAVERSAL_NAT_BHND_ME    30
-#define NAT_TRAVERSAL_NAT_BHND_PEER  31
-
-#define NAT_TRAVERSAL_METHOD  (0xffffffff - LELEM(30) - LELEM(31))
-
-/**
- * NAT-Traversal methods which need NAT-D
- */
-#define NAT_T_WITH_NATD \
-		( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
-		LELEM(NAT_TRAVERSAL_RFC) )
-/**
- * NAT-Traversal methods which need NAT-OA
- */
-#define NAT_T_WITH_NATOA \
-		( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
-		LELEM(NAT_TRAVERSAL_RFC) )
-/**
- * NAT-Traversal methods which use NAT-KeepAlive
- */
-#define NAT_T_WITH_KA \
-		( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
-		LELEM(NAT_TRAVERSAL_RFC) )
-/**
- * NAT-Traversal methods which use floating port
- */
-#define NAT_T_WITH_PORT_FLOATING \
-		( LELEM(NAT_TRAVERSAL_IETF_02_03) | LELEM(NAT_TRAVERSAL_RFC) )
-
-/**
- * NAT-Traversal methods which use officials values (RFC)
- */
-#define NAT_T_WITH_RFC_VALUES \
-		( LELEM(NAT_TRAVERSAL_RFC) )
-
-/**
- * NAT-Traversal detected
- */
-#define NAT_T_DETECTED \
-		( LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER) )
-
-/**
- * NAT-T Port Floating
- */
-#define NAT_T_IKE_FLOAT_PORT     4500
-
-void init_nat_traversal (bool activate, unsigned int keep_alive_period,
-		bool fka, bool spf);
-
-extern bool nat_traversal_enabled;
-extern bool nat_traversal_support_non_ike;
-extern bool nat_traversal_support_port_floating;
-
-/**
- * NAT-D
- */
-void nat_traversal_natd_lookup(struct msg_digest *md);
-#ifndef PB_STREAM_UNDEFINED
-bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
-		struct msg_digest *md);
-#endif
-
-/**
- * NAT-OA
- */
-void nat_traversal_natoa_lookup(struct msg_digest *md);
-#ifndef PB_STREAM_UNDEFINED
-bool nat_traversal_add_natoa(u_int8_t np, pb_stream *outs,
-		struct state *st);
-#endif
-
-/**
- * NAT-keep_alive
- */
-void nat_traversal_new_ka_event (void);
-void nat_traversal_ka_event (void);
-
-void nat_traversal_show_result (u_int32_t nt, u_int16_t sport);
-
-int nat_traversal_espinudp_socket (int sk, u_int32_t type);
-
-/**
- * Vendor ID
- */
-#ifndef PB_STREAM_UNDEFINED
-bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs);
-#endif
-u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid);
-
-void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st);
-
-/**
- * New NAT mapping
- */
-void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi,
-							   ip_address *new_end);
-
-/**
- * IKE port floating
- */
-bool
-nat_traversal_port_float(struct state *st, struct msg_digest *md, bool in);
-
-/**
- * Encapsulation mode macro (see demux.c)
- */
-#define NAT_T_ENCAPSULATION_MODE(st,nat_t_policy) ( \
-		((st)->nat_traversal & NAT_T_DETECTED) \
-				? ( ((nat_t_policy) & POLICY_TUNNEL) \
-						? ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
-								? (ENCAPSULATION_MODE_UDP_TUNNEL_RFC) \
-								: (ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS) \
-						  ) \
-						: ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
-								? (ENCAPSULATION_MODE_UDP_TRANSPORT_RFC) \
-								: (ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS) \
-						  ) \
-				  ) \
-				: ( ((st)->st_policy & POLICY_TUNNEL) \
-						? (ENCAPSULATION_MODE_TUNNEL) \
-						: (ENCAPSULATION_MODE_TRANSPORT) \
-				  ) \
-		)
-
-#endif /* _NAT_TRAVERSAL_H */
-
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
deleted file mode 100644
index c299e3d39..000000000
--- a/src/pluto/ocsp.c
+++ /dev/null
@@ -1,1558 +0,0 @@
-/* Support of the Online Certificate Status Protocol (OCSP)
- * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <asn1/oid.h>
-#include <crypto/rngs/rng.h>
-#include <crypto/hashers/hasher.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "x509.h"
-#include "crl.h"
-#include "ca.h"
-#include "certs.h"
-#include "smartcard.h"
-#include "whack.h"
-#include "keys.h"
-#include "fetch.h"
-#include "ocsp.h"
-
-#define NONCE_LENGTH            16
-
-static const char *const cert_status_names[] = {
-	"good",
-	"revoked",
-	"unknown",
-	"undefined"
-};
-
-
-static const char *const response_status_names[] = {
-	"successful",
-	"malformed request",
-	"internal error",
-	"try later",
-	"status #4",
-	"signature required",
-	"unauthorized"
-};
-
-/* response container */
-typedef struct response response_t;
-
-struct response {
-	chunk_t          tbs;
-	identification_t *responder_id_name;
-	chunk_t           responder_id_key;
-	time_t            produced_at;
-	chunk_t           responses;
-	chunk_t           nonce;
-	int               algorithm;
-	chunk_t           signature;
-};
-
-const response_t empty_response = {
-	{ NULL, 0 }   ,     /* tbs */
-	  NULL        ,     /* responder_id_name */
-	{ NULL, 0 }   ,     /* responder_id_key */
-	UNDEFINED_TIME,     /* produced_at */
-	{ NULL, 0 }   ,     /* single_response */
-	{ NULL, 0 }   ,     /* nonce */
-	OID_UNKNOWN   ,     /* signature_algorithm */
-	{ NULL, 0 }         /* signature */
-};
-
-/* single response container */
-typedef struct single_response single_response_t;
-
-struct single_response {
-	single_response_t *next;
-	int               hash_algorithm;
-	chunk_t           issuer_name_hash;
-	chunk_t           issuer_key_hash;
-	chunk_t           serialNumber;
-	cert_status_t     status;
-	time_t            revocationTime;
-	crl_reason_t      revocationReason;
-	time_t            thisUpdate;
-	time_t            nextUpdate;
-};
-
-const single_response_t empty_single_response = {
-	  NULL                , /* *next */
-	OID_UNKNOWN           , /* hash_algorithm */
-	{ NULL, 0 }           , /* issuer_name_hash */
-	{ NULL, 0 }           , /* issuer_key_hash */
-	{ NULL, 0 }           , /* serial_number */
-	CERT_UNDEFINED        , /* status */
-	UNDEFINED_TIME        , /* revocationTime */
-	CRL_REASON_UNSPECIFIED, /* revocationReason */
-	UNDEFINED_TIME        , /* this_update */
-	UNDEFINED_TIME          /* next_update */
-};
-
-
-/* list of single requests */
-typedef struct request_list request_list_t;
-struct request_list {
-	chunk_t request;
-	request_list_t *next;
-};
-
-/* some OCSP specific prefabricated ASN.1 constants */
-static const chunk_t ASN1_nonce_oid = chunk_from_chars(
-	0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
-);
-static const chunk_t ASN1_response_oid = chunk_from_chars(
-	0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
-);
-static const chunk_t ASN1_response_content = chunk_from_chars(
-	0x04, 0x0D,
-		  0x30, 0x0B,
-				0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
-);
-
-/* default OCSP uri */
-static chunk_t ocsp_default_uri;
-
-/* ocsp cache: pointer to first element */
-static ocsp_location_t *ocsp_cache = NULL;
-
-/* static temporary storage for ocsp requestor information */
-static cert_t *ocsp_requestor_cert = NULL;
-
-static smartcard_t *ocsp_requestor_sc = NULL;
-
-static private_key_t *ocsp_requestor_key = NULL;
-
-/**
- * ASN.1 definition of ocspResponse
- */
-static const asn1Object_t ocspResponseObjects[] = {
-	{ 0, "OCSPResponse",			ASN1_SEQUENCE,		ASN1_NONE }, /* 0 */
-	{ 1,   "responseStatus",		ASN1_ENUMERATED,	ASN1_BODY }, /* 1 */
-	{ 1,   "responseBytesContext",	ASN1_CONTEXT_C_0,	ASN1_OPT  }, /* 2 */
-	{ 2,     "responseBytes",		ASN1_SEQUENCE,		ASN1_NONE }, /* 3 */
-	{ 3,       "responseType",		ASN1_OID,			ASN1_BODY }, /* 4 */
-	{ 3,       "response",			ASN1_OCTET_STRING,	ASN1_BODY }, /* 5 */
-	{ 1,   "end opt",				ASN1_EOC,			ASN1_END  }, /* 6 */
-	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT }
-};
-#define OCSP_RESPONSE_STATUS	1
-#define OCSP_RESPONSE_TYPE		4
-#define OCSP_RESPONSE			5
-
-/**
- * ASN.1 definition of basicResponse
- */
-static const asn1Object_t basicResponseObjects[] = {
-	{ 0, "BasicOCSPResponse",				ASN1_SEQUENCE,			ASN1_NONE }, /*  0 */
-	{ 1,   "tbsResponseData",				ASN1_SEQUENCE,			ASN1_OBJ  }, /*  1 */
-	{ 2,     "versionContext",				ASN1_CONTEXT_C_0,		ASN1_NONE |
-																	ASN1_DEF  }, /*  2 */
-	{ 3,       "version",					ASN1_INTEGER,			ASN1_BODY }, /*  3 */
-	{ 2,     "responderIdContext",			ASN1_CONTEXT_C_1,		ASN1_OPT  }, /*  4 */
-	{ 3,       "responderIdByName",			ASN1_SEQUENCE,			ASN1_OBJ  }, /*  5 */
-	{ 2,     "end choice",					ASN1_EOC,				ASN1_END  }, /*  6 */
-	{ 2,     "responderIdContext",			ASN1_CONTEXT_C_2,		ASN1_OPT  }, /*  7 */
-	{ 3,       "responderIdByKey",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  8 */
-	{ 2,     "end choice",					ASN1_EOC,				ASN1_END  }, /*  9 */
-	{ 2,     "producedAt",					ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 10 */
-	{ 2,     "responses",					ASN1_SEQUENCE,			ASN1_OBJ  }, /* 11 */
-	{ 2,     "responseExtensionsContext",	ASN1_CONTEXT_C_1,		ASN1_OPT  }, /* 12 */
-	{ 3,       "responseExtensions",		ASN1_SEQUENCE,			ASN1_LOOP }, /* 13 */
-	{ 4,         "extension",				ASN1_SEQUENCE,			ASN1_NONE }, /* 14 */
-	{ 5,           "extnID",				ASN1_OID,				ASN1_BODY }, /* 15 */
-	{ 5,           "critical",				ASN1_BOOLEAN,			ASN1_BODY |
-																	ASN1_DEF  }, /* 16 */
-	{ 5,           "extnValue",				ASN1_OCTET_STRING,		ASN1_BODY }, /* 17 */
-	{ 3,       "end loop",					ASN1_EOC,				ASN1_END  }, /* 18 */
-	{ 2,     "end opt",						ASN1_EOC,				ASN1_END  }, /* 19 */
-	{ 1,   "signatureAlgorithm",			ASN1_EOC,				ASN1_RAW  }, /* 20 */
-	{ 1,   "signature",						ASN1_BIT_STRING,		ASN1_BODY }, /* 21 */
-	{ 1,   "certsContext",					ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 22 */
-	{ 2,     "certs",						ASN1_SEQUENCE,			ASN1_LOOP }, /* 23 */
-	{ 3,       "certificate",				ASN1_SEQUENCE,			ASN1_RAW  }, /* 24 */
-	{ 2,     "end loop",					ASN1_EOC,				ASN1_END  }, /* 25 */
-	{ 1,   "end opt",						ASN1_EOC,				ASN1_END  }, /* 26 */
-	{ 0, "exit",							ASN1_EOC,				ASN1_EXIT }
-};
-#define BASIC_RESPONSE_TBS_DATA		 1
-#define BASIC_RESPONSE_VERSION		 3
-#define BASIC_RESPONSE_ID_BY_NAME	 5
-#define BASIC_RESPONSE_ID_BY_KEY	 8
-#define BASIC_RESPONSE_PRODUCED_AT	10
-#define BASIC_RESPONSE_RESPONSES	11
-#define BASIC_RESPONSE_EXT_ID		15
-#define BASIC_RESPONSE_CRITICAL		16
-#define BASIC_RESPONSE_EXT_VALUE	17
-#define BASIC_RESPONSE_ALGORITHM	20
-#define BASIC_RESPONSE_SIGNATURE	21
-#define BASIC_RESPONSE_CERTIFICATE	24
-
-/**
- * ASN.1 definition of responses
- */
-static const asn1Object_t responsesObjects[] = {
-	{ 0, "responses",			ASN1_SEQUENCE,	ASN1_LOOP }, /* 0 */
-	{ 1,   "singleResponse",	ASN1_EOC,		ASN1_RAW  }, /* 1 */
-	{ 0, "end loop",			ASN1_EOC,		ASN1_END  }, /* 2 */
-	{ 0, "exit",				ASN1_EOC,		ASN1_EXIT }
-};
-#define RESPONSES_SINGLE_RESPONSE	1
-
-/**
- * ASN.1 definition of singleResponse
- */
-static const asn1Object_t singleResponseObjects[] = {
-	{ 0, "singleResponse",				ASN1_SEQUENCE,			ASN1_BODY }, /*  0 */
-	{ 1,   "certID",					ASN1_SEQUENCE,			ASN1_NONE }, /*  1 */
-	{ 2,     "algorithm",				ASN1_EOC,				ASN1_RAW  }, /*  2 */
-	{ 2,     "issuerNameHash",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  3 */
-	{ 2,     "issuerKeyHash",			ASN1_OCTET_STRING,		ASN1_BODY }, /*  4 */
-	{ 2,     "serialNumber",			ASN1_INTEGER,			ASN1_BODY }, /*  5 */
-	{ 1,   "certStatusGood",			ASN1_CONTEXT_S_0,		ASN1_OPT  }, /*  6 */
-	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /*  7 */
-	{ 1,   "certStatusRevoked",			ASN1_CONTEXT_C_1,		ASN1_OPT  }, /*  8 */
-	{ 2,     "revocationTime",			ASN1_GENERALIZEDTIME,	ASN1_BODY }, /*  9 */
-	{ 2,     "revocationReason",		ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 10 */
-	{ 3,       "crlReason",				ASN1_ENUMERATED,		ASN1_BODY }, /* 11 */
-	{ 2,     "end opt",					ASN1_EOC,				ASN1_END  }, /* 12 */
-	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 13 */
-	{ 1,   "certStatusUnknown",			ASN1_CONTEXT_S_2,		ASN1_OPT  }, /* 14 */
-	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 15 */
-	{ 1,   "thisUpdate",				ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 16 */
-	{ 1,   "nextUpdateContext",			ASN1_CONTEXT_C_0,		ASN1_OPT  }, /* 17 */
-	{ 2,     "nextUpdate",				ASN1_GENERALIZEDTIME,	ASN1_BODY }, /* 18 */
-	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 19 */
-	{ 1,   "singleExtensionsContext",	ASN1_CONTEXT_C_1,		ASN1_OPT  }, /* 20 */
-	{ 2,     "singleExtensions",		ASN1_SEQUENCE,			ASN1_LOOP }, /* 21 */
-	{ 3,       "extension",				ASN1_SEQUENCE,			ASN1_NONE }, /* 22 */
-	{ 4,         "extnID",				ASN1_OID,				ASN1_BODY }, /* 23 */
-	{ 4,         "critical",			ASN1_BOOLEAN,			ASN1_BODY |
-																ASN1_DEF  }, /* 24 */
-	{ 4,         "extnValue",			ASN1_OCTET_STRING,		ASN1_BODY }, /* 25 */
-	{ 2,     "end loop",				ASN1_EOC,				ASN1_END  }, /* 26 */
-	{ 1,   "end opt",					ASN1_EOC,				ASN1_END  }, /* 27 */
-	{ 0, "exit",						ASN1_EOC,				ASN1_EXIT }
-};
-#define SINGLE_RESPONSE_ALGORITHM					 2
-#define SINGLE_RESPONSE_ISSUER_NAME_HASH			 3
-#define SINGLE_RESPONSE_ISSUER_KEY_HASH				 4
-#define SINGLE_RESPONSE_SERIAL_NUMBER				 5
-#define SINGLE_RESPONSE_CERT_STATUS_GOOD			 6
-#define SINGLE_RESPONSE_CERT_STATUS_REVOKED			 8
-#define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME	 9
-#define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON		11
-#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN			14
-#define SINGLE_RESPONSE_THIS_UPDATE					16
-#define SINGLE_RESPONSE_NEXT_UPDATE					18
-#define SINGLE_RESPONSE_EXT_ID						23
-#define SINGLE_RESPONSE_CRITICAL					24
-#define SINGLE_RESPONSE_EXT_VALUE					25
-
-/*
- * Build an ocsp location from certificate information
- * without unsharing its contents
- */
-static bool build_ocsp_location(const cert_t *cert, ocsp_location_t *location)
-{
-	certificate_t *certificate = cert->cert;
-	identification_t *issuer = certificate->get_issuer(certificate);
-	x509_t *x509 = (x509_t*)certificate;
-	chunk_t issuer_dn = issuer->get_encoding(issuer);
-	chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
-	hasher_t *hasher;
-	static u_char digest[HASH_SIZE_SHA1];  /* temporary storage */
-
-	enumerator_t *enumerator = x509->create_ocsp_uri_enumerator(x509);
-
-	location->uri = NULL;
-	while (enumerator->enumerate(enumerator, &location->uri))
-	{
-		break;
-	}
-	enumerator->destroy(enumerator);
-
-	if (location->uri == NULL)
-	{
-		ca_info_t *ca = get_ca_info(issuer, authKeyID);
-		if (ca && ca->ocspuri)
-		{
-			location->uri = ca->ocspuri;
-		}
-		else
-		{   /* abort if no ocsp location uri is defined */
-			return FALSE;
-		}
-	}
-
-	/* compute authNameID from as SHA-1 hash of issuer DN */
-	location->authNameID = chunk_create(digest, HASH_SIZE_SHA1);
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		return FALSE;
-	}
-	hasher->get_hash(hasher, issuer_dn, digest);
-	hasher->destroy(hasher);
-
-	location->next = NULL;
-	location->issuer = issuer;
-	location->authKeyID = authKeyID;
-
-	if (authKeyID.ptr == NULL)
-	{
-		cert_t *authcert = get_authcert(issuer, authKeyID, X509_CA);
-
-		if (authcert)
-		{
-			x509_t *x509 = (x509_t*)authcert->cert;
-
-			location->authKeyID = x509->get_subjectKeyIdentifier(x509);
-		}
-	}
-
-	location->nonce = chunk_empty;
-	location->certinfo = NULL;
-
-	return TRUE;
-}
-
-/**
- * Compare two ocsp locations for equality
- */
-static bool same_ocsp_location(const ocsp_location_t *a, const ocsp_location_t *b)
-{
-	return ((a->authKeyID.ptr)
-				? same_keyid(a->authKeyID, b->authKeyID)
-				: a->issuer->equals(a->issuer, b->issuer))
-			&& streq(a->uri, b->uri);
-}
-
-/**
- * Find an existing ocsp location in a chained list
- */
-ocsp_location_t* get_ocsp_location(const ocsp_location_t * loc, ocsp_location_t *chain)
-{
-
-	while (chain)
-	{
-		if (same_ocsp_location(loc, chain))
-			return chain;
-		chain = chain->next;
-	}
-	return NULL;
-}
-
-/**
- * Retrieves the status of a cert from the ocsp cache
- * returns CERT_UNDEFINED if no status is found
- */
-static cert_status_t get_ocsp_status(const ocsp_location_t *loc,
-									 chunk_t serialNumber,
-									 time_t *nextUpdate, time_t *revocationTime,
-									 crl_reason_t *revocationReason)
-{
-	ocsp_certinfo_t *certinfo, **certinfop;
-	int cmp = -1;
-
-	/* find location */
-	ocsp_location_t *location = get_ocsp_location(loc, ocsp_cache);
-
-	if (location == NULL)
-		return CERT_UNDEFINED;
-
-	/* traverse list of certinfos in increasing order */
-	certinfop = &location->certinfo;
-	certinfo = *certinfop;
-
-	while (certinfo)
-	{
-		cmp = chunk_compare(serialNumber, certinfo->serialNumber);
-		if (cmp <= 0)
-			break;
-		certinfop = &certinfo->next;
-		certinfo = *certinfop;
-	}
-
-	if (cmp == 0)
-	{
-		*nextUpdate = certinfo->nextUpdate;
-		*revocationTime = certinfo->revocationTime;
-		*revocationReason = certinfo->revocationReason;
-		return certinfo->status;
-	}
-
-	return CERT_UNDEFINED;
-}
-
-/**
- * Verify the ocsp status of a certificate
- */
-cert_status_t verify_by_ocsp(const cert_t *cert, time_t *until,
-							 time_t *revocationDate,
-							 crl_reason_t *revocationReason)
-{
-	x509_t *x509 = (x509_t*)cert->cert;
-	chunk_t serialNumber = x509->get_serial(x509);
-	cert_status_t status;
-	ocsp_location_t location;
-	time_t nextUpdate = UNDEFINED_TIME;
-
-	*revocationDate = UNDEFINED_TIME;
-	*revocationReason = CRL_REASON_UNSPECIFIED;
-
-	/* is an ocsp location defined? */
-	if (!build_ocsp_location(cert, &location))
-	{
-		return CERT_UNDEFINED;
-	}
-
-	lock_ocsp_cache("verify_by_ocsp");
-	status = get_ocsp_status(&location, serialNumber, &nextUpdate
-		, revocationDate, revocationReason);
-	unlock_ocsp_cache("verify_by_ocsp");
-
-	if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
-	{
-		plog("ocsp status is stale or not in cache");
-		add_ocsp_fetch_request(&location, serialNumber);
-
-		/* inititate fetching of ocsp status */
-		wake_fetch_thread("verify_by_ocsp");
-	}
-	*until = nextUpdate;
-	return status;
-}
-
-/**
- * Check if an ocsp status is about to expire
- */
-void check_ocsp(void)
-{
-	ocsp_location_t *location;
-
-	lock_ocsp_cache("check_ocsp");
-	location = ocsp_cache;
-
-	while (location)
-	{
-		char buf[BUF_LEN];
-		bool first = TRUE;
-		ocsp_certinfo_t *certinfo = location->certinfo;
-
-		while (certinfo)
-		{
-			if (!certinfo->once)
-			{
-				time_t time_left = certinfo->nextUpdate - time(NULL);
-
-				DBG(DBG_CONTROL,
-					if (first)
-					{
-						DBG_log("issuer: \"%Y\"", location->issuer);
-						if (location->authKeyID.ptr)
-						{
-							datatot(location->authKeyID.ptr, location->authKeyID.len
-								, ':', buf, BUF_LEN);
-							DBG_log("authkey: %s", buf);
-						}
-						first = FALSE;
-					}
-					datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
-						, ':', buf, BUF_LEN);
-					DBG_log("serial: %s, %ld seconds left", buf, time_left)
-				)
-
-				if (time_left < 2*crl_check_interval)
-					add_ocsp_fetch_request(location, certinfo->serialNumber);
-			}
-			certinfo = certinfo->next;
-		}
-		location = location->next;
-	}
-	unlock_ocsp_cache("check_ocsp");
-}
-
-/**
- *  frees the allocated memory of a certinfo struct
- */
-static void free_certinfo(ocsp_certinfo_t *certinfo)
-{
-	free(certinfo->serialNumber.ptr);
-	free(certinfo);
-}
-
-/**
- * frees all certinfos in a chained list
- */
-static void free_certinfos(ocsp_certinfo_t *chain)
-{
-	ocsp_certinfo_t *certinfo;
-
-	while (chain)
-	{
-		certinfo = chain;
-		chain = chain->next;
-		free_certinfo(certinfo);
-	}
-}
-
-/**
- * Frees the memory allocated to an ocsp location including all certinfos
- */
-static void free_ocsp_location(ocsp_location_t* location)
-{
-	DESTROY_IF(location->issuer);
-	free(location->authNameID.ptr);
-	free(location->authKeyID.ptr);
-	free(location->uri);
-	free_certinfos(location->certinfo);
-	free(location);
-}
-
-/*
- * Free a chained list of ocsp locations
- */
-void free_ocsp_locations(ocsp_location_t **chain)
-{
-	while (*chain)
-	{
-		ocsp_location_t *location = *chain;
-		*chain = location->next;
-		free_ocsp_location(location);
-	}
-}
-
-/**
- * Free the ocsp cache
- */
-void free_ocsp_cache(void)
-{
-	lock_ocsp_cache("free_ocsp_cache");
-	free_ocsp_locations(&ocsp_cache);
-	unlock_ocsp_cache("free_ocsp_cache");
-}
-
-/**
- * Frees the ocsp cache and global variables
- */
-void free_ocsp(void)
-{
-	free(ocsp_default_uri.ptr);
-	free_ocsp_cache();
-}
-
-/**
- * List a chained list of ocsp_locations
- */
-void list_ocsp_locations(ocsp_location_t *location, bool requests,
-						 bool utc, bool strict)
-{
-	bool first = TRUE;
-
-	while (location)
-	{
-		ocsp_certinfo_t *certinfo = location->certinfo;
-
-		if (certinfo)
-		{
-			if (first)
-			{
-				whack_log(RC_COMMENT, " ");
-				whack_log(RC_COMMENT, "List of OCSP %s:", requests ?
-					"Fetch Requests" : "Responses");
-				first = FALSE;
-			}
-			whack_log(RC_COMMENT, " ");
-			if (location->issuer)
-			{
-				whack_log(RC_COMMENT, "  issuer:   \"%Y\"", location->issuer);
-			}
-			whack_log(RC_COMMENT, "  uri:      '%s'", location->uri);
-			if (location->authNameID.ptr)
-			{
-				whack_log(RC_COMMENT, "  authname:  %#B", &location->authNameID);
-			}
-			if (location->authKeyID.ptr)
-			{
-				whack_log(RC_COMMENT, "  authkey:   %#B", &location->authKeyID);
-			}
-			while (certinfo)
-			{
-				chunk_t serial = chunk_skip_zero(certinfo->serialNumber);
-
-				if (requests)
-				{
-					whack_log(RC_COMMENT, "  serial:    %#B, %d trials",
-						 &serial, certinfo->trials);
-				}
-				else if (certinfo->once)
-				{
-					whack_log(RC_COMMENT, "  serial:    %#B, %s, once%s",
-						&serial, cert_status_names[certinfo->status],
-						(certinfo->nextUpdate < time(NULL))? " (expired)": "");
-				}
-				else
-				{
-					whack_log(RC_COMMENT, "  serial:    %#B, %s, until %T %s",
-						&serial, cert_status_names[certinfo->status],
-						&certinfo->nextUpdate, utc,
-						check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
-				}
-				certinfo = certinfo->next;
-			}
-		}
-		location = location->next;
-	}
-}
-
-/**
- * List the ocsp cache
- */
-void list_ocsp_cache(bool utc, bool strict)
-{
-	lock_ocsp_cache("list_ocsp_cache");
-	list_ocsp_locations(ocsp_cache, FALSE, utc, strict);
-	unlock_ocsp_cache("list_ocsp_cache");
-}
-
-static bool get_ocsp_requestor_cert(ocsp_location_t *location)
-{
-	cert_t *cert = NULL;
-
-	/* initialize temporary static storage */
-	ocsp_requestor_cert = NULL;
-	ocsp_requestor_sc   = NULL;
-	ocsp_requestor_key  = NULL;
-
-	for (;;)
-	{
-		certificate_t *certificate;
-
-		/* looking for a certificate from the same issuer */
-		cert = get_x509cert(location->issuer, location->authKeyID, cert);
-		if (cert == NULL)
-		{
-			break;
-		}
-		certificate = cert->cert;
-		DBG(DBG_CONTROL,
-			DBG_log("candidate: '%Y'", certificate->get_subject(certificate));
-		)
-
-		if (cert->smartcard)
-		{
-			/* look for a matching private key on a smartcard */
-			smartcard_t *sc = scx_get(cert);
-
-			if (sc)
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("matching smartcard found")
-				)
-				if (sc->valid)
-				{
-					ocsp_requestor_cert = cert;
-					ocsp_requestor_sc = sc;
-					return TRUE;
-				}
-				plog("unable to sign ocsp request without PIN");
-			}
-		}
-		else
-		{
-			/* look for a matching private key in the chained list */
-			private_key_t *private = get_x509_private_key(cert);
-
-			if (private)
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("matching private key found")
-				)
-				ocsp_requestor_cert = cert;
-				ocsp_requestor_key = private;
-				return TRUE;
-			}
-		}
-	}
-	return FALSE;
-}
-
-static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
-{
-	hasher_t *hasher;
-	u_char *pos;
-	chunk_t digest;
-	chunk_t digest_info, sigdata;
-	size_t siglen = 0;
-
-	if (!scx_establish_context(sc) || !scx_login(sc))
-	{
-		scx_release_context(sc);
-		return chunk_empty;
-	}
-
-	siglen = scx_get_keylength(sc);
-
-	if (siglen == 0)
-	{
-		plog("failed to get keylength from smartcard");
-		scx_release_context(sc);
-		return chunk_empty;
-	}
-
-	DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
-			, (int)sc->slot, sc->id)
-	)
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		return chunk_empty;
-	}
-	hasher->allocate_hash(hasher, tbs, &digest);
-	hasher->destroy(hasher);
-
-	/* according to PKCS#1 v2.1 digest must be packaged into
-	 * an ASN.1 structure for encryption
-	 */
-	digest_info = asn1_wrap(ASN1_SEQUENCE, "mm"
-		, asn1_algorithmIdentifier(OID_SHA1)
-		, asn1_wrap(ASN1_OCTET_STRING, "m", digest));
-
-	pos = asn1_build_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
-	*pos++ = 0x00;
-	scx_sign_hash(sc, digest_info.ptr, digest_info.len, pos, siglen);
-	free(digest_info.ptr);
-
-	if (!pkcs11_keep_state)
-	{
-		scx_release_context(sc);
-	}
-	return sigdata;
-}
-
-/**
- * build signature into ocsp request gets built only if a request cert
- * with a corresponding private key is found
- */
-static chunk_t build_signature(chunk_t tbsRequest)
-{
-	chunk_t sigdata, cert, certs = chunk_empty;
-
-	if (ocsp_requestor_sc)
-	{
-		/* RSA signature is done on smartcard */
-		sigdata = sc_build_sha1_signature(tbsRequest, ocsp_requestor_sc);
-	}
-	else
-	{
-		/* RSA signature is done in software */
-		sigdata = x509_build_signature(tbsRequest, OID_SHA1, ocsp_requestor_key,
-									   TRUE);
-	}
-	if (sigdata.ptr == NULL)
-	{
-		return chunk_empty;
-	}
-
-	/* include our certificate */
-	if (ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert,
-												CERT_ASN1_DER, &cert))
-	{
-		certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
-					asn1_wrap(ASN1_SEQUENCE, "m", cert));
-	}
-	/* build signature comprising algorithm, signature and cert */
-	return asn1_wrap(ASN1_CONTEXT_C_0, "m"
-				, asn1_wrap(ASN1_SEQUENCE, "mmm"
-					, asn1_algorithmIdentifier(OID_SHA1_WITH_RSA)
-					, sigdata
-					, certs
-				  )
-		   );
-}
-
-/**
- * Build request (into requestList)
- * no singleRequestExtensions used
- */
-static chunk_t build_request(ocsp_location_t *location, ocsp_certinfo_t *certinfo)
-{
-	chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "mmmm"
-				, asn1_algorithmIdentifier(OID_SHA1)
-				, asn1_simple_object(ASN1_OCTET_STRING, location->authNameID)
-				, asn1_simple_object(ASN1_OCTET_STRING, location->authKeyID)
-				, asn1_simple_object(ASN1_INTEGER, certinfo->serialNumber));
-
-	return asn1_wrap(ASN1_SEQUENCE, "m", reqCert);
-}
-
-/**
- * build requestList (into TBSRequest)
- */
-static chunk_t build_request_list(ocsp_location_t *location)
-{
-	chunk_t requestList;
-	request_list_t *reqs = NULL;
-	ocsp_certinfo_t *certinfo = location->certinfo;
-	u_char *pos;
-
-	size_t datalen = 0;
-
-	/* build content */
-	while (certinfo)
-	{
-		/* build request for every certificate in list
-		 * and store them in a chained list
-		 */
-		request_list_t *req = malloc_thing(request_list_t);
-
-		req->request = build_request(location, certinfo);
-		req->next = reqs;
-		reqs = req;
-
-		datalen += req->request.len;
-		certinfo = certinfo->next;
-	}
-
-	pos = asn1_build_object(&requestList, ASN1_SEQUENCE, datalen);
-
-	/* copy all in chained list, free list afterwards */
-	while (reqs)
-	{
-		request_list_t *req = reqs;
-
-		mv_chunk(&pos, req->request);
-		reqs = reqs->next;
-		free(req);
-	}
-
-	return requestList;
-}
-
-/**
- * Build requestorName (into TBSRequest)
- */
-static chunk_t build_requestor_name(void)
-{
-	certificate_t *certificate = ocsp_requestor_cert->cert;
-	identification_t *subject = certificate->get_subject(certificate);
-
-	return asn1_wrap(ASN1_CONTEXT_C_1, "m"
-				, asn1_simple_object(ASN1_CONTEXT_C_4
-					, subject->get_encoding(subject)));
-}
-
-/**
- * build nonce extension (into requestExtensions)
- */
-static chunk_t build_nonce_extension(ocsp_location_t *location)
-{
-	rng_t *rng;
-
-	/* generate a random nonce */
-	location->nonce.ptr = malloc(NONCE_LENGTH),
-	location->nonce.len = NONCE_LENGTH;
-	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	rng->get_bytes(rng, location->nonce.len, location->nonce.ptr);
-	rng->destroy(rng);
-
-	return asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_nonce_oid
-				, asn1_simple_object(ASN1_OCTET_STRING, location->nonce));
-}
-
-/**
- * Build requestExtensions (into TBSRequest)
- */
-static chunk_t build_request_ext(ocsp_location_t *location)
-{
-	return asn1_wrap(ASN1_CONTEXT_C_2, "m"
-				, asn1_wrap(ASN1_SEQUENCE, "mm"
-					, build_nonce_extension(location)
-					, asn1_wrap(ASN1_SEQUENCE, "cc"
-						, ASN1_response_oid
-						, ASN1_response_content
-					  )
-				  )
-			);
-}
-
-/**
- * Build TBSRequest (into OCSPRequest)
- */
-static chunk_t build_tbs_request(ocsp_location_t *location, bool has_requestor_cert)
-{
-	/* version is skipped since the default is ok */
-	return asn1_wrap(ASN1_SEQUENCE, "mmm"
-				, (has_requestor_cert)
-						? build_requestor_name()
-						: chunk_empty
-				, build_request_list(location)
-				, build_request_ext(location));
-}
-
-/**
- * Assembles an ocsp request to given location
- * and sets nonce field in location to the sent nonce
- */
-chunk_t build_ocsp_request(ocsp_location_t *location)
-{
-	bool has_requestor_cert;
-	chunk_t tbsRequest, signature;
-
-	DBG(DBG_CONTROL,
-		DBG_log("assembling ocsp request");
-		DBG_log("issuer: \"%Y\"", location->issuer);
-		if (location->authKeyID.ptr)
-		{
-			DBG_log("authkey: %#B", &location->authKeyID);
-		}
-	)
-	lock_certs_and_keys("build_ocsp_request");
-
-	/* looks for requestor cert and matching private key */
-	has_requestor_cert = get_ocsp_requestor_cert(location);
-
-	/* build content */
-	tbsRequest = build_tbs_request(location, has_requestor_cert);
-
-	/* sign tbsReuqest */
-	signature = (has_requestor_cert)? build_signature(tbsRequest)
-									: chunk_empty;
-
-	unlock_certs_and_keys("build_ocsp_request");
-
-	return asn1_wrap(ASN1_SEQUENCE, "mm"
-				, tbsRequest
-				, signature);
-}
-
-/**
- * Check if the OCSP response has a valid signature
- */
-static bool valid_ocsp_response(response_t *res)
-{
-	int pathlen, pathlen_constraint;
-	cert_t *authcert;
-
-	lock_authcert_list("valid_ocsp_response");
-
-	authcert = get_authcert(res->responder_id_name, res->responder_id_key,
-							X509_OCSP_SIGNER | X509_CA);
-	if (authcert == NULL)
-	{
-		plog("no matching ocsp signer cert found");
-		unlock_authcert_list("valid_ocsp_response");
-		return FALSE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("ocsp signer cert found")
-	)
-
-	if (!x509_check_signature(res->tbs, res->signature, res->algorithm,
-							  authcert->cert))
-	{
-		plog("signature of ocsp response is invalid");
-		unlock_authcert_list("valid_ocsp_response");
-		return FALSE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("signature of ocsp response is valid")
-	)
-
-
-	for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
-	{
-		cert_t *cert = authcert;
-		certificate_t *certificate = cert->cert;
-		x509_t *x509 = (x509_t*)certificate;
-		identification_t *subject = certificate->get_subject(certificate);
-		identification_t *issuer  = certificate->get_issuer(certificate);
-		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
-		time_t not_before, not_after;
-
-		DBG(DBG_CONTROL,
-			DBG_log("subject: '%Y'", subject);
-			DBG_log("issuer:  '%Y'", issuer);
-			if (authKeyID.ptr)
-			{
-				DBG_log("authkey:  %#B", &authKeyID);
-			}
-		)
-
-		if (!certificate->get_validity(certificate, NULL, &not_before, &not_after))
-		{
-			plog("certificate is invalid (valid from %T to %T)",
-				 &not_before, FALSE, &not_after, FALSE);
-
-			unlock_authcert_list("valid_ocsp_response");
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("certificate is valid")
-		)
-
-		authcert = get_authcert(issuer, authKeyID, X509_CA);
-		if (authcert == NULL)
-		{
-			plog("issuer cacert not found");
-			unlock_authcert_list("valid_ocsp_response");
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("issuer cacert found")
-		)
-
-		if (!certificate->issued_by(certificate, authcert->cert))
-		{
-			plog("certificate signature is invalid");
-			unlock_authcert_list("valid_ocsp_response");
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("certificate signature is valid")
-		)
-
-		/* check path length constraint */
-		pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
-		if (pathlen_constraint != X509_NO_CONSTRAINT &&
-			pathlen > pathlen_constraint)
-		{
-			plog("path length of %d violates constraint of %d",
-				 pathlen, pathlen_constraint);
-			return FALSE;
-		}
-
-		/* check if cert is self-signed */
-		if (x509->get_flags(x509) & X509_SELF_SIGNED)
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("reached self-signed root ca with a path length of %d",
-						pathlen)
-			)
-			unlock_authcert_list("valid_ocsp_response");
-			return TRUE;
-		}
-	}
-	plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
-	unlock_authcert_list("valid_ocsp_response");
-	return FALSE;
-}
-
-/**
- * Parse a basic OCSP response
- */
-static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	u_int version;
-	int objectID;
-	int extn_oid = OID_UNKNOWN;
-	bool success = FALSE;
-	bool critical;
-
-	parser = asn1_parser_create(basicResponseObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-		case BASIC_RESPONSE_TBS_DATA:
-			res->tbs = object;
-			break;
-		case BASIC_RESPONSE_VERSION:
-			version = (object.len)? (1 + (u_int)*object.ptr) : 1;
-			if (version != OCSP_BASIC_RESPONSE_VERSION)
-			{
-				plog("wrong ocsp basic response version (version= %i)",  version);
-				goto end;
-			}
-			break;
-		case BASIC_RESPONSE_ID_BY_NAME:
-			res->responder_id_name = identification_create_from_encoding(
-										ID_DER_ASN1_DN, object);
-			DBG(DBG_PARSING,
-				DBG_log("  '%Y'", res->responder_id_name)
-			)
-			break;
-		case BASIC_RESPONSE_ID_BY_KEY:
-			res->responder_id_key = object;
-			break;
-		case BASIC_RESPONSE_PRODUCED_AT:
-			res->produced_at = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
-			break;
-		case BASIC_RESPONSE_RESPONSES:
-			res->responses = object;
-			break;
-		case BASIC_RESPONSE_EXT_ID:
-			extn_oid = asn1_known_oid(object);
-			break;
-		case BASIC_RESPONSE_CRITICAL:
-			critical = object.len && *object.ptr;
-			DBG(DBG_PARSING,
-				DBG_log("  %s",(critical)?"TRUE":"FALSE");
-			)
-			break;
-		case BASIC_RESPONSE_EXT_VALUE:
-			if (extn_oid == OID_NONCE)
-				res->nonce = object;
-			break;
-		case BASIC_RESPONSE_ALGORITHM:
-			res->algorithm = asn1_parse_algorithmIdentifier(object,
-								parser->get_level(parser)+1, NULL);
-			break;
-		case BASIC_RESPONSE_SIGNATURE:
-			res->signature = object;
-			break;
-		case BASIC_RESPONSE_CERTIFICATE:
-			{
-				cert_t *cert = malloc_thing(cert_t);
-				x509_t *x509;
-
-				*cert = cert_empty;
-				cert->cert = lib->creds->create(lib->creds,
-										  CRED_CERTIFICATE, CERT_X509,
-										  BUILD_BLOB_ASN1_DER, object,
-										  BUILD_END);
-				if (cert->cert == NULL)
-				{
-					DBG(DBG_CONTROL | DBG_PARSING,
-						DBG_log("parsing of embedded ocsp certificate failed")
-					)
-					cert_free(cert);
-					break;
-				}
-				x509 = (x509_t*)cert->cert;
-
-				if ((x509->get_flags(x509) & X509_OCSP_SIGNER) &&
-					trust_authcert_candidate(cert, NULL))
-				{
-					add_authcert(cert, X509_OCSP_SIGNER);
-				}
-				else
-				{
-					DBG(DBG_CONTROL | DBG_PARSING,
-						DBG_log("embedded ocsp certificate rejected")
-					)
-					cert_free(cert);
-				}
-			}
-			break;
-		}
-	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	return success;
-
-}
-
-
-/**
- * Parse an ocsp response and return the result as a response_t struct
- */
-static response_status parse_ocsp_response(chunk_t blob, response_t * res)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	int ocspResponseType = OID_UNKNOWN;
-	bool success = FALSE;
-	response_status rStatus = STATUS_INTERNALERROR;
-
-	parser = asn1_parser_create(ocspResponseObjects, blob);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID) {
-		case OCSP_RESPONSE_STATUS:
-			rStatus = (response_status) *object.ptr;
-
-			switch (rStatus)
-			{
-			case STATUS_SUCCESSFUL:
-				break;
-			case STATUS_MALFORMEDREQUEST:
-			case STATUS_INTERNALERROR:
-			case STATUS_TRYLATER:
-			case STATUS_SIGREQUIRED:
-			case STATUS_UNAUTHORIZED:
-				plog("ocsp response: server said '%s'"
-					, response_status_names[rStatus]);
-				goto end;
-			default:
-				goto end;
-			}
-			break;
-		case OCSP_RESPONSE_TYPE:
-			ocspResponseType = asn1_known_oid(object);
-			break;
-		case OCSP_RESPONSE:
-			{
-				switch (ocspResponseType) {
-				case OID_BASIC:
-					success = parse_basic_ocsp_response(object,
-									parser->get_level(parser)+1, res);
-					break;
-				default:
-					DBG(DBG_CONTROL,
-						DBG_log("ocsp response is not of type BASIC");
-						DBG_dump_chunk("ocsp response OID: ", object);
-					)
-					goto end;
-				}
-			}
-			break;
-		}
-	}
-	success &= parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	return rStatus;
-}
-
-/**
- * Parse a basic OCSP response
- */
-static bool parse_ocsp_single_response(chunk_t blob, int level0,
-									   single_response_t *sres)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	u_int extn_oid;
-	int objectID;
-	bool critical;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(singleResponseObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
-		{
-		case SINGLE_RESPONSE_ALGORITHM:
-			sres->hash_algorithm = asn1_parse_algorithmIdentifier(object,
-										parser->get_level(parser)+1, NULL);
-			break;
-		case SINGLE_RESPONSE_ISSUER_NAME_HASH:
-			sres->issuer_name_hash = object;
-			break;
-		case SINGLE_RESPONSE_ISSUER_KEY_HASH:
-			sres->issuer_key_hash = object;
-			break;
-		case SINGLE_RESPONSE_SERIAL_NUMBER:
-			sres->serialNumber = object;
-			break;
-		case SINGLE_RESPONSE_CERT_STATUS_GOOD:
-			sres->status = CERT_GOOD;
-			break;
-		case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
-			sres->status = CERT_REVOKED;
-			break;
-		case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
-			sres->revocationTime = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
-			break;
-		case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
-			sres->revocationReason = (object.len == 1)
-				? *object.ptr : CRL_REASON_UNSPECIFIED;
-			break;
-		case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
-			sres->status = CERT_UNKNOWN;
-			break;
-		case SINGLE_RESPONSE_THIS_UPDATE:
-			sres->thisUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
-			break;
-		case SINGLE_RESPONSE_NEXT_UPDATE:
-			sres->nextUpdate = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
-			break;
-		case SINGLE_RESPONSE_EXT_ID:
-			extn_oid = asn1_known_oid(object);
-			break;
-		case SINGLE_RESPONSE_CRITICAL:
-			critical = object.len && *object.ptr;
-			DBG(DBG_PARSING,
-				DBG_log("  %s",(critical)?"TRUE":"FALSE");
-			)
-		case SINGLE_RESPONSE_EXT_VALUE:
-			break;
-		}
-	}
-	success = parser->success(parser);
-	parser->destroy(parser);
-	return success;
-}
-
-/**
- * Add an ocsp location to a chained list
- */
-ocsp_location_t* add_ocsp_location(const ocsp_location_t *loc,
-								   ocsp_location_t **chain)
-{
-	ocsp_location_t *location = malloc_thing(ocsp_location_t);
-
-	/* unshare location fields */
-	location->issuer = loc->issuer->clone(loc->issuer);
-	location->authNameID = chunk_clone(loc->authNameID);
-	location->authKeyID = chunk_clone(loc->authKeyID);
-	location->uri = strdup(loc->uri);
-	location->certinfo = NULL;
-
-	/* insert new ocsp location in front of chain */
-	location->next = *chain;
-	*chain = location;
-
-	DBG(DBG_CONTROL,
-		DBG_log("new ocsp location added")
-	)
-
-	return location;
-}
-
-/**
- * add a certinfo struct to a chained list
- */
-void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
-				  ocsp_location_t **chain, bool request)
-{
-	ocsp_location_t *location;
-	ocsp_certinfo_t *certinfo, **certinfop;
-	char buf[BUF_LEN];
-	time_t now;
-	int cmp = -1;
-
-	location = get_ocsp_location(loc, *chain);
-	if (location == NULL)
-	{
-		location = add_ocsp_location(loc, chain);
-	}
-
-	/* traverse list of certinfos in increasing order */
-	certinfop = &location->certinfo;
-	certinfo = *certinfop;
-
-	while (certinfo)
-	{
-		cmp = chunk_compare(info->serialNumber, certinfo->serialNumber);
-		if (cmp <= 0)
-			break;
-		certinfop = &certinfo->next;
-		certinfo = *certinfop;
-	}
-
-	if (cmp != 0)
-	{
-		/* add a new certinfo entry */
-		ocsp_certinfo_t *cnew = malloc_thing(ocsp_certinfo_t);
-
-		cnew->serialNumber = chunk_clone(info->serialNumber);
-		cnew->next = certinfo;
-		cnew->trials = 0;
-		*certinfop = cnew;
-		certinfo = cnew;
-	}
-
-	DBG(DBG_CONTROL,
-		datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
-			, buf, BUF_LEN);
-		DBG_log("ocsp %s for serial %s %s"
-			, request?"fetch request":"certinfo"
-			, buf
-			, (cmp == 0)? (request?"already exists":"updated"):"added")
-	)
-
-	time(&now);
-
-	if (request)
-	{
-		certinfo->status = CERT_UNDEFINED;
-
-		if (cmp != 0)
-		{
-			certinfo->thisUpdate = now;
-		}
-		certinfo->nextUpdate = UNDEFINED_TIME;
-	}
-	else
-	{
-		certinfo->status = info->status;
-		certinfo->revocationTime = info->revocationTime;
-		certinfo->revocationReason = info->revocationReason;
-
-		certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
-			info->thisUpdate : now;
-
-		certinfo->once = (info->nextUpdate == UNDEFINED_TIME);
-
-		certinfo->nextUpdate = (certinfo->once)?
-			(now + OCSP_DEFAULT_VALID_TIME) : info->nextUpdate;
-	}
-}
-
-/**
- * Process received ocsp single response and add it to ocsp cache
- */
-static void process_single_response(ocsp_location_t *location,
-									single_response_t *sres)
-{
-	ocsp_certinfo_t *certinfo, **certinfop;
-	int cmp = -1;
-
-	if (sres->hash_algorithm != OID_SHA1)
-	{
-		plog("only SHA-1 hash supported in OCSP single response");
-		return;
-	}
-	if (!(chunk_equals(sres->issuer_name_hash, location->authNameID)
-	&&   chunk_equals(sres->issuer_key_hash, location->authKeyID)))
-	{
-		plog("ocsp single response has wrong issuer");
-		return;
-	}
-
-	/* traverse list of certinfos in increasing order */
-	certinfop = &location->certinfo;
-	certinfo = *certinfop;
-
-	while (certinfo)
-	{
-		cmp = chunk_compare(sres->serialNumber, certinfo->serialNumber);
-		if (cmp <= 0)
-			break;
-		certinfop = &certinfo->next;
-		certinfo = *certinfop;
-	}
-
-	if (cmp != 0)
-	{
-		plog("received unrequested cert status from ocsp server");
-		return;
-	}
-
-	/* unlink cert from ocsp fetch request list */
-	*certinfop = certinfo->next;
-
-	/* update certinfo using the single response information */
-	certinfo->thisUpdate = sres->thisUpdate;
-	certinfo->nextUpdate = sres->nextUpdate;
-	certinfo->status = sres->status;
-	certinfo->revocationTime = sres->revocationTime;
-	certinfo->revocationReason = sres->revocationReason;
-
-	/* add or update certinfo in ocsp cache */
-	lock_ocsp_cache("process_single_response");
-	add_certinfo(location, certinfo, &ocsp_cache, FALSE);
-	unlock_ocsp_cache("process_single_response");
-
-	/* free certinfo unlinked from ocsp fetch request list */
-	free_certinfo(certinfo);
-}
-
-/**
- *  Destroy a response_t object
- */
-static void free_response(response_t *res)
-{
-	DESTROY_IF(res->responder_id_name);
-}
-
-/**
- *  Parse and verify ocsp response and update the ocsp cache
- */
-void parse_ocsp(ocsp_location_t *location, chunk_t blob)
-{
-	response_t res = empty_response;
-
-	/* parse the ocsp response without looking at the single responses yet */
-	response_status status = parse_ocsp_response(blob, &res);
-
-	if (status != STATUS_SUCCESSFUL)
-	{
-		plog("error in ocsp response");
-		goto free;
-	}
-	/* check if there was a nonce in the request */
-	if (location->nonce.ptr && res.nonce.ptr == NULL)
-	{
-		plog("ocsp response contains no nonce, replay attack possible");
-	}
-	/* check if the nonce is identical */
-	if (res.nonce.ptr && !chunk_equals(res.nonce, location->nonce))
-	{
-		plog("invalid nonce in ocsp response");
-		goto free;
-	}
-	/* check if the response is signed by a trusted key */
-	if (!valid_ocsp_response(&res))
-	{
-		plog("invalid ocsp response");
-		goto free;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("valid ocsp response")
-	)
-
-	/* now parse the single responses one at a time */
-	{
-		asn1_parser_t *parser;
-		chunk_t object;
-		int objectID;
-
-		parser = asn1_parser_create(responsesObjects, res.responses);
-
-		while (parser->iterate(parser, &objectID, &object))
-		{
-			if (objectID == RESPONSES_SINGLE_RESPONSE)
-			{
-				single_response_t sres = empty_single_response;
-
-				if (!parse_ocsp_single_response(object,
-										parser->get_level(parser)+1, &sres))
-				{
-					goto end;
-				}
-				process_single_response(location, &sres);
-			}
-		}
-end:
-		parser->destroy(parser);
-	}
-
-free:
-	free_response(&res);
-}
diff --git a/src/pluto/ocsp.h b/src/pluto/ocsp.h
deleted file mode 100644
index 977cca3c8..000000000
--- a/src/pluto/ocsp.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/* Support of the Online Certificate Status Protocol (OCSP) Support
- * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
- * Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "constants.h"
-
-#include <credentials/certificates/crl.h>
-
-/* constants */
-
-#define OCSP_BASIC_RESPONSE_VERSION     1
-#define OCSP_DEFAULT_VALID_TIME         120  /* validity of one-time response in seconds */
-#define OCSP_WARNING_INTERVAL           2    /* days */
-
-/* OCSP response status */
-
-typedef enum {
-	STATUS_SUCCESSFUL =         0,
-	STATUS_MALFORMEDREQUEST =   1,
-	STATUS_INTERNALERROR =      2,
-	STATUS_TRYLATER =           3,
-	STATUS_SIGREQUIRED =        5,
-	STATUS_UNAUTHORIZED=        6
-} response_status;
-
-/* OCSP access structures */
-
-typedef struct ocsp_certinfo ocsp_certinfo_t;
-
-struct ocsp_certinfo {
-	ocsp_certinfo_t  *next;
-	int              trials;
-	chunk_t          serialNumber;
-	cert_status_t    status;
-	bool             once;
-	crl_reason_t     revocationReason;
-	time_t           revocationTime;
-	time_t           thisUpdate;
-	time_t           nextUpdate;
-};
-
-typedef struct ocsp_location ocsp_location_t;
-
-struct ocsp_location {
-	ocsp_location_t  *next;
-	identification_t *issuer;
-	chunk_t           authNameID;
-	chunk_t           authKeyID;
-	chunk_t           nonce;
-	char             *uri;
-	ocsp_certinfo_t  *certinfo;
-};
-
-extern ocsp_location_t* get_ocsp_location(const ocsp_location_t *loc
-	, ocsp_location_t *chain);
-extern ocsp_location_t* add_ocsp_location(const ocsp_location_t *loc
-	, ocsp_location_t **chain);
-extern void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info
-	, ocsp_location_t **chain, bool request);
-extern void check_ocsp(void);
-extern cert_status_t verify_by_ocsp(const cert_t *cert, time_t *until
-	, time_t *revocationTime, crl_reason_t *revocationReason);
-extern bool ocsp_set_request_cert(char* path);
-extern void ocsp_set_default_uri(char* uri);
-extern void ocsp_cache_add_cert(const cert_t* cert);
-extern chunk_t build_ocsp_request(ocsp_location_t* location);
-extern void parse_ocsp(ocsp_location_t* location, chunk_t blob);
-extern void list_ocsp_locations(ocsp_location_t *location, bool requests
-	, bool utc, bool strict);
-extern void list_ocsp_cache(bool utc, bool strict);
-extern void free_ocsp_locations(ocsp_location_t **chain);
-extern void free_ocsp_cache(void);
-extern void free_ocsp(void);
-extern void ocsp_purge_cache(void);
diff --git a/src/pluto/packet.c b/src/pluto/packet.c
deleted file mode 100644
index 35fc4afcc..000000000
--- a/src/pluto/packet.c
+++ /dev/null
@@ -1,1242 +0,0 @@
-/* parsing packets: formats and tools
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <netinet/in.h>
-#include <string.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "packet.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-
-/* ISAKMP Header: for all messages
- * layout from RFC 2408 "ISAKMP" section 3.1
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                          Initiator                            !
- * !                            Cookie                             !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                          Responder                            !
- * !                            Cookie                             !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                          Message ID                           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                            Length                             !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-
-static field_desc isa_fields[] = {
-	{ ft_raw, COOKIE_SIZE, "initiator cookie", NULL },
-	{ ft_raw, COOKIE_SIZE, "responder cookie", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_enum, 8/BITS_PER_BYTE, "ISAKMP version", &version_names },
-	{ ft_enum, 8/BITS_PER_BYTE, "exchange type", &exchange_names },
-	{ ft_set, 8/BITS_PER_BYTE, "flags", flag_bit_names },
-	{ ft_raw, 32/BITS_PER_BYTE, "message ID", NULL },
-	{ ft_len, 32/BITS_PER_BYTE, "length", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_hdr_desc = { "ISAKMP Message", isa_fields, sizeof(struct isakmp_hdr) };
-
-/* Generic portion of all ISAKMP payloads.
- * layout from RFC 2408 "ISAKMP" section 3.2
- * This describes the first 32-bit chunk of all payloads.
- * The previous next payload depends on the actual payload type.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-
-static field_desc isag_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_generic_desc = { "ISAKMP Generic Payload", isag_fields, sizeof(struct isakmp_generic) };
-
-
-/* ISAKMP Data Attribute (generic representation within payloads)
- * layout from RFC 2408 "ISAKMP" section 3.3
- * This is not a payload type.
- * In TLV format, this is followed by a value field.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !A!       Attribute Type        !    AF=0  Attribute Length     !
- * !F!                             !    AF=1  Attribute Value      !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * .                   AF=0  Attribute Value                       .
- * .                   AF=1  Not Transmitted                       .
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-
-/* Oakley Attributes */
-static field_desc isaat_fields_oakley[] = {
-	{ ft_af_enum, 16/BITS_PER_BYTE, "af+type", &oakley_attr_names },
-	{ ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_oakley_attribute_desc = {
-	"ISAKMP Oakley attribute",
-	isaat_fields_oakley, sizeof(struct isakmp_attribute) };
-
-/* IPsec DOI Attributes */
-static field_desc isaat_fields_ipsec[] = {
-	{ ft_af_enum, 16/BITS_PER_BYTE, "af+type", &ipsec_attr_names },
-	{ ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_ipsec_attribute_desc = {
-	"ISAKMP IPsec DOI attribute",
-	isaat_fields_ipsec, sizeof(struct isakmp_attribute) };
-
-/* Mode Config Attributes */
-static field_desc isaat_fields_modecfg[] = {
-	{ ft_af_loose_enum, 16/BITS_PER_BYTE, "ModeCfg attr type", &modecfg_attr_names },
-	{ ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_modecfg_attribute_desc = {
-	"ISAKMP ModeCfg attribute",
-	isaat_fields_modecfg, sizeof(struct isakmp_attribute) };
-
-/* ISAKMP Security Association Payload
- * layout from RFC 2408 "ISAKMP" section 3.4
- * A variable length Situation follows.
- * Previous next payload: ISAKMP_NEXT_SA
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !              Domain of Interpretation  (DOI)                  !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                           Situation                           ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isasa_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_sa_desc = { "ISAKMP Security Association Payload", isasa_fields, sizeof(struct isakmp_sa) };
-
-static field_desc ipsec_sit_field[] = {
-	{ ft_set, 32/BITS_PER_BYTE, "IPsec DOI SIT", &sit_bit_names },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc ipsec_sit_desc = { "IPsec DOI SIT", ipsec_sit_field, sizeof(u_int32_t) };
-
-/* ISAKMP Proposal Payload
- * layout from RFC 2408 "ISAKMP" section 3.5
- * A variable length SPI follows.
- * Previous next payload: ISAKMP_NEXT_P
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Proposal #   !  Protocol-Id  !    SPI Size   !# of Transforms!
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                        SPI (variable)                         !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isap_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "proposal number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "protocol ID", &protocol_names },
-	{ ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "number of transforms", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_proposal_desc = { "ISAKMP Proposal Payload", isap_fields, sizeof(struct isakmp_proposal) };
-
-/* ISAKMP Transform Payload
- * layout from RFC 2408 "ISAKMP" section 3.6
- * Variable length SA Attributes follow.
- * Previous next payload: ISAKMP_NEXT_T
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Transform #  !  Transform-Id !           RESERVED2           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                        SA Attributes                          ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-
-/* PROTO_ISAKMP */
-static field_desc isat_fields_isakmp[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &isakmp_transformid_names },
-	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_isakmp_transform_desc = {
-	"ISAKMP Transform Payload (ISAKMP)",
-	isat_fields_isakmp, sizeof(struct isakmp_transform) };
-
-/* PROTO_IPSEC_AH */
-static field_desc isat_fields_ah[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transform_names },
-	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_ah_transform_desc = {
-	"ISAKMP Transform Payload (AH)",
-	isat_fields_ah, sizeof(struct isakmp_transform) };
-
-/* PROTO_IPSEC_ESP */
-static field_desc isat_fields_esp[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transform_names },
-	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_esp_transform_desc = {
-	"ISAKMP Transform Payload (ESP)",
-	isat_fields_esp, sizeof(struct isakmp_transform) };
-
-/* PROTO_IPCOMP */
-static field_desc isat_fields_ipcomp[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ipcomp_transformid_names },
-	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_ipcomp_transform_desc = {
-	"ISAKMP Transform Payload (COMP)",
-	isat_fields_ipcomp, sizeof(struct isakmp_transform) };
-
-
-/* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.7
- * Variable Key Exchange Data follow the generic fields.
- * Previous next payload: ISAKMP_NEXT_KE
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                       Key Exchange Data                       ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct_desc isakmp_keyex_desc = { "ISAKMP Key Exchange Payload", isag_fields, sizeof(struct isakmp_generic) };
-
-/* ISAKMP Identification Payload
- * layout from RFC 2408 "ISAKMP" section 3.8
- * See "struct identity" declared later.
- * Variable length Identification Data follow.
- * Previous next payload: ISAKMP_NEXT_ID
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !   ID Type     !             DOI Specific ID Data              !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                   Identification Data                         ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isaid_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },      /* ??? depends on DOI? */
-	{ ft_nat, 8/BITS_PER_BYTE, "DOI specific A", NULL },        /* ??? depends on DOI? */
-	{ ft_nat, 16/BITS_PER_BYTE, "DOI specific B", NULL },       /* ??? depends on DOI? */
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_identification_desc = { "ISAKMP Identification Payload", isaid_fields, sizeof(struct isakmp_id) };
-
-/* IPSEC Identification Payload Content
- * layout from RFC 2407 "IPsec DOI" section 4.6.2
- * See struct isakmp_id declared earlier.
- * Note: Hashing skips the ISAKMP generic payload header
- * Variable length Identification Data follow.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Next Payload !   RESERVED    !        Payload Length         !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !   ID Type     !  Protocol ID  !             Port              !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ~                     Identification Data                       ~
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isaiid_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
-	{ ft_nat, 8/BITS_PER_BYTE, "Protocol ID", NULL },   /* ??? UDP/TCP or 0? */
-	{ ft_nat, 16/BITS_PER_BYTE, "port", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_ipsec_identification_desc = { "ISAKMP Identification Payload (IPsec DOI)", isaiid_fields, sizeof(struct isakmp_ipsec_id) };
-
-/* ISAKMP Certificate Payload: oddball fixed field beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.9
- * Variable length Certificate Data follow the generic fields.
- * Previous next payload: ISAKMP_NEXT_CERT.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Cert Encoding !                                               !
- * +-+-+-+-+-+-+-+-+                                               !
- * ~                       Certificate Data                        ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isacert_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "cert encoding", &cert_type_names },
-	{ ft_end, 0, NULL, NULL }
-};
-
-/* Note: the size field of isakmp_ipsec_certificate_desc cannot be
- * sizeof(struct isakmp_cert) because that will rounded up for padding.
- */
- struct_desc isakmp_ipsec_certificate_desc = { "ISAKMP Certificate Payload", isacert_fields, ISAKMP_CERT_SIZE };
-
-/* ISAKMP Certificate Request Payload: oddball field beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.10
- * Variable length Certificate Types and Certificate Authorities follow.
- * Previous next payload: ISAKMP_NEXT_CR.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Cert. Type   !                                               !
- * +-+-+-+-+-+-+-+-+                                               !
- * ~                    Certificate Authority                      ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isacr_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "cert type", &cert_type_names },
-	{ ft_end, 0, NULL, NULL }
-};
-
-/* Note: the size field of isakmp_ipsec_cert_req_desc cannot be
- * sizeof(struct isakmp_cr) because that will rounded up for padding.
- */
-struct_desc isakmp_ipsec_cert_req_desc = { "ISAKMP Certificate RequestPayload", isacr_fields, ISAKMP_CR_SIZE };
-
-/* ISAKMP Hash Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.11
- * Variable length Hash Data follow.
- * Previous next payload: ISAKMP_NEXT_HASH.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                           Hash Data                           ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct_desc isakmp_hash_desc = { "ISAKMP Hash Payload", isag_fields, sizeof(struct isakmp_generic) };
-
-/* ISAKMP Signature Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.12
- * Variable length Signature Data follow.
- * Previous next payload: ISAKMP_NEXT_SIG.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                         Signature Data                        ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct_desc isakmp_signature_desc = { "ISAKMP Signature Payload", isag_fields, sizeof(struct isakmp_generic) };
-
-/* ISAKMP Nonce Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.13
- * Variable length Nonce Data follow.
- * Previous next payload: ISAKMP_NEXT_NONCE.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                            Nonce Data                         ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct_desc isakmp_nonce_desc = { "ISAKMP Nonce Payload", isag_fields, sizeof(struct isakmp_generic) };
-
-/* ISAKMP Notification Payload
- * layout from RFC 2408 "ISAKMP" section 3.14
- * This is followed by a variable length SPI
- * and then possibly by variable length Notification Data.
- * Previous next payload: ISAKMP_NEXT_N
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !              Domain of Interpretation  (DOI)                  !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Protocol-ID  !   SPI Size    !      Notify Message Type      !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                Security Parameter Index (SPI)                 ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                       Notification Data                       ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isan_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
-	{ ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL },   /* ??? really enum: ISAKMP, IPSEC, ESP, ... */
-	{ ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
-	{ ft_enum, 16/BITS_PER_BYTE, "Notify Message Type", &notification_names },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_notification_desc = { "ISAKMP Notification Payload", isan_fields, sizeof(struct isakmp_notification) };
-
-/* ISAKMP Delete Payload
- * layout from RFC 2408 "ISAKMP" section 3.15
- * This is followed by a variable length SPI.
- * Previous next payload: ISAKMP_NEXT_D
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !              Domain of Interpretation  (DOI)                  !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Protocol-Id  !   SPI Size    !           # of SPIs           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~               Security Parameter Index(es) (SPI)              ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isad_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
-	{ ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL },   /* ??? really enum: ISAKMP, IPSEC */
-	{ ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "number of SPIs", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_delete_desc = { "ISAKMP Delete Payload", isad_fields, sizeof(struct isakmp_delete) };
-
-/* ISAKMP Vendor ID Payload
- * layout from RFC 2408 "ISAKMP" section 3.15
- * This is followed by a variable length VID.
- * Previous next payload: ISAKMP_NEXT_VID
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                        Vendor ID (VID)                        ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct_desc isakmp_vendor_id_desc = { "ISAKMP Vendor ID Payload", isag_fields, sizeof(struct isakmp_generic) };
-
-/* MODECFG */
-/*
- * From draft-dukes-ike-mode-cfg
-3.2. Attribute Payload
-						   1                   2                   3
-	   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	 ! Next Payload  !   RESERVED    !         Payload Length        !
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	 !     Type      !   RESERVED    !           Identifier          !
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	 !                                                               !
-	 ~                           Attributes                          ~
-	 !                                                               !
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-static field_desc isaattr_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "Attr Msg Type", &attr_msg_type_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_nat, 16/BITS_PER_BYTE, "Identifier", NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_attr_desc = { "ISAKMP Mode Attribute", isaattr_fields, sizeof(struct isakmp_mode_attr) };
-
-/* ISAKMP NAT-Traversal NAT-D
- * layout from draft-ietf-ipsec-nat-t-ike-01.txt section 3.2
- *
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                 HASH of the address and port                  !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct_desc isakmp_nat_d = { "ISAKMP NAT-D Payload", isag_fields, sizeof(struct isakmp_generic) };
-
-/* ISAKMP NAT-Traversal NAT-OA
- * layout from draft-ietf-ipsec-nat-t-ike-01.txt section 4.2
- *
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !   ID Type     !   RESERVED    !            RESERVED           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !         IPv4 (4 octets) or IPv6 address (16 octets)           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-static field_desc isanat_oa_fields[] = {
-	{ ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
-	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
-	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
-	{ ft_mbz, 24/BITS_PER_BYTE, NULL, NULL },
-	{ ft_end, 0, NULL, NULL }
-};
-
-struct_desc isakmp_nat_oa = { "ISAKMP NAT-OA Payload", isanat_oa_fields, sizeof(struct isakmp_nat_oa) };
-
-/* descriptor for each payload type
- *
- * There is a slight problem in that some payloads differ, depending
- * on the mode.  Since this is table only used for top-level payloads,
- * Proposal and Transform payloads need not be handled.
- * That leaves only Identification payloads as a problem.
- * We make all these entries NULL
- */
-struct_desc *const payload_descs[ISAKMP_NEXT_ROOF] = {
-	NULL,                               /* 0 ISAKMP_NEXT_NONE (No other payload following) */
-	&isakmp_sa_desc,                    /* 1 ISAKMP_NEXT_SA (Security Association) */
-	NULL,                               /* 2 ISAKMP_NEXT_P (Proposal) */
-	NULL,                               /* 3 ISAKMP_NEXT_T (Transform) */
-	&isakmp_keyex_desc,                 /* 4 ISAKMP_NEXT_KE (Key Exchange) */
-	NULL,                               /* 5 ISAKMP_NEXT_ID (Identification) */
-	&isakmp_ipsec_certificate_desc,     /* 6 ISAKMP_NEXT_CERT (Certificate) */
-	&isakmp_ipsec_cert_req_desc,        /* 7 ISAKMP_NEXT_CR (Certificate Request) */
-	&isakmp_hash_desc,                  /* 8 ISAKMP_NEXT_HASH (Hash) */
-	&isakmp_signature_desc,             /* 9 ISAKMP_NEXT_SIG (Signature) */
-	&isakmp_nonce_desc,                 /* 10 ISAKMP_NEXT_NONCE (Nonce) */
-	&isakmp_notification_desc,          /* 11 ISAKMP_NEXT_N (Notification) */
-	&isakmp_delete_desc,                /* 12 ISAKMP_NEXT_D (Delete) */
-	&isakmp_vendor_id_desc,             /* 13 ISAKMP_NEXT_VID (Vendor ID) */
-	&isakmp_attr_desc,                  /* 14 ISAKMP_NEXT_ATTR (Mode Config) */
-	NULL,                               /* 15 */
-	NULL,                               /* 16 */
-	NULL,                               /* 17 */
-	NULL,                               /* 18 */
-	NULL,                               /* 19 */
-	&isakmp_nat_d,                      /* 20=130 ISAKMP_NEXT_NATD (NAT-D) */
-	&isakmp_nat_oa,                     /* 20=131 ISAKMP_NEXT_NATOA (NAT-OA) */
-};
-
-void
-init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name)
-{
-	pbs->container = NULL;
-	pbs->desc = NULL;
-	pbs->name = name;
-	pbs->start = pbs->cur = start;
-	pbs->roof = start + len;
-	pbs->lenfld = NULL;
-	pbs->lenfld_desc = NULL;
-}
-
-#ifdef DEBUG
-
-/* print a host struct
- *
- * This code assumes that the network and host structure
- * members have the same alignment and size!  This requires
- * that all padding be explicit.
- */
-void
-DBG_print_struct(const char *label, const void *struct_ptr
-, struct_desc *sd, bool len_meaningful)
-{
-	bool immediate = FALSE;
-	const u_int8_t *inp = struct_ptr;
-	field_desc *fp;
-
-	DBG_log("%s%s:", label, sd->name);
-
-	for (fp = sd->fields; fp->field_type != ft_end; fp++)
-	{
-		int i = fp->size;
-		u_int32_t n = 0;
-
-		switch (fp->field_type)
-		{
-		case ft_mbz:    /* must be zero */
-			inp += i;
-			break;
-		case ft_nat:            /* natural number (may be 0) */
-		case ft_len:            /* length of this struct and any following crud */
-		case ft_lv:             /* length/value field of attribute */
-		case ft_enum:           /* value from an enumeration */
-		case ft_loose_enum:     /* value from an enumeration with only some names known */
-		case ft_af_enum:        /* Attribute Format + value from an enumeration */
-		case ft_af_loose_enum:  /* Attribute Format + value from an enumeration */
-		case ft_set:            /* bits representing set */
-			switch (i)
-			{
-			case 8/BITS_PER_BYTE:
-				n = *(const u_int8_t *)inp;
-				break;
-			case 16/BITS_PER_BYTE:
-				n = *(const u_int16_t *)inp;
-				break;
-			case 32/BITS_PER_BYTE:
-				n = *(const u_int32_t *)inp;
-				break;
-			default:
-				bad_case(i);
-			}
-			switch (fp->field_type)
-			{
-			case ft_len:        /* length of this struct and any following crud */
-			case ft_lv:         /* length/value field of attribute */
-				if (!immediate && !len_meaningful)
-					break;
-				/* FALL THROUGH */
-			case ft_nat:        /* natural number (may be 0) */
-				DBG_log("   %s: %lu", fp->name, (unsigned long)n);
-				break;
-			case ft_af_enum:       /* Attribute Format + value from an enumeration */
-			case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-				if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-					immediate = TRUE;
-				/* FALL THROUGH */
-			case ft_enum:       /* value from an enumeration */
-			case ft_loose_enum: /* value from an enumeration with only some names known */
-				DBG_log("   %s: %s", fp->name, enum_show(fp->desc, n));
-				break;
-			case ft_set:        /* bits representing set */
-				DBG_log("   %s: %s", fp->name, bitnamesof(fp->desc, n));
-				break;
-			default:
-				bad_case(fp->field_type);
-			}
-			inp += i;
-			break;
-
-		case ft_raw:    /* bytes to be left in network-order */
-			{
-				char m[50];     /* arbitrary limit on name width in log */
-
-				snprintf(m, sizeof(m), "   %s:", fp->name);
-				DBG_dump(m, inp, i);
-				inp += i;
-			}
-			break;
-		default:
-			bad_case(fp->field_type);
-		}
-	}
-}
-
-static void
-DBG_prefix_print_struct(const pb_stream *pbs
-, const char *label, const void *struct_ptr
-, struct_desc *sd, bool len_meaningful)
-{
-	/* print out a title, with a prefix of asterisks to show
-	 * the nesting level.
-	 */
-	char space[40];     /* arbitrary limit on label+flock-of-* */
-	size_t len = strlen(label);
-
-	if (sizeof(space) <= len)
-	{
-		DBG_print_struct(label, struct_ptr, sd, len_meaningful);
-	}
-	else
-	{
-		const pb_stream *p = pbs;
-		char *pre = &space[sizeof(space) - (len + 1)];
-
-		strcpy(pre, label);
-
-		/* put at least one * out */
-		for (;;)
-		{
-			if (pre <= space)
-				break;
-			*--pre = '*';
-			if (p == NULL)
-				break;
-			p = p->container;
-		}
-		DBG_print_struct(pre, struct_ptr, sd, len_meaningful);
-	}
-}
-
-#endif
-
-/* "parse" a network struct into a host struct.
- *
- * This code assumes that the network and host structure
- * members have the same alignment and size!  This requires
- * that all padding be explicit.
- *
- * If obj_pbs is supplied, a new pb_stream is created for the
- * variable part of the structure (this depends on their
- * being one length field in the structure).  The cursor of this
- * new PBS is set to after the parsed part of the struct.
- *
- * This routine returns TRUE iff it succeeds.
- */
-
-bool
-in_struct(void *struct_ptr, struct_desc *sd
-, pb_stream *ins, pb_stream *obj_pbs)
-{
-	err_t ugh = NULL;
-	u_int8_t *cur = ins->cur;
-
-	if (ins->roof - cur < (ptrdiff_t)sd->size)
-	{
-		ugh = builddiag("not enough room in input packet for %s", sd->name);
-	}
-	else
-	{
-		u_int8_t *roof = cur + sd->size;    /* may be changed by a length field */
-		u_int8_t *outp = struct_ptr;
-		bool immediate = FALSE;
-		field_desc *fp;
-
-		for (fp = sd->fields; ugh == NULL; fp++)
-		{
-			size_t i = fp->size;
-
-			passert(ins->roof - cur >= (ptrdiff_t)i);
-			passert(cur - ins->cur <= (ptrdiff_t)(sd->size - i));
-			passert(outp - (cur - ins->cur) == struct_ptr);
-
-#if 0
-			DBG(DBG_PARSING, DBG_log("%d %s"
-				, (int) (cur - ins->cur), fp->name == NULL? "" : fp->name));
-#endif
-			switch (fp->field_type)
-			{
-			case ft_mbz:        /* must be zero */
-				for (; i != 0; i--)
-				{
-					if (*cur++ != 0)
-					{
-						ugh = builddiag("byte %d of %s must be zero, but is not"
-							, (int) (cur - ins->cur), sd->name);
-						break;
-					}
-					*outp++ = '\0';     /* probably redundant */
-				}
-				break;
-
-			case ft_nat:           /* natural number (may be 0) */
-			case ft_len:           /* length of this struct and any following crud */
-			case ft_lv:            /* length/value field of attribute */
-			case ft_enum:          /* value from an enumeration */
-			case ft_loose_enum:    /* value from an enumeration with only some names known */
-			case ft_af_enum:       /* Attribute Format + value from an enumeration */
-			case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-			case ft_set:           /* bits representing set */
-			{
-				u_int32_t n = 0;
-
-				for (; i != 0; i--)
-					n = (n << BITS_PER_BYTE) | *cur++;
-
-				switch (fp->field_type)
-				{
-				case ft_len:    /* length of this struct and any following crud */
-				case ft_lv:     /* length/value field of attribute */
-				{
-					u_int32_t len = fp->field_type == ft_len? n
-						: immediate? sd->size : n + sd->size;
-
-					if (len < sd->size)
-					{
-						ugh = builddiag("%s of %s is smaller than minimum"
-							, fp->name, sd->name);
-					}
-					else if (pbs_left(ins) < len)
-					{
-						ugh = builddiag("%s of %s is larger than can fit"
-							, fp->name, sd->name);
-					}
-					else
-					{
-						roof = ins->cur + len;
-					}
-					break;
-				}
-				case ft_af_loose_enum:  /* Attribute Format + value from an enumeration */
-					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-						immediate = TRUE;
-					break;
-				case ft_af_enum:        /* Attribute Format + value from an enumeration */
-					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-						immediate = TRUE;
-					/* FALL THROUGH */
-				case ft_enum:   /* value from an enumeration */
-					if (enum_name(fp->desc, n) == NULL)
-					{
-						ugh = builddiag("%s of %s has an unknown value: %lu"
-							, fp->name, sd->name, (unsigned long)n);
-					}
-					/* FALL THROUGH */
-				case ft_loose_enum:     /* value from an enumeration with only some names known */
-					break;
-				case ft_set:    /* bits representing set */
-					if (!testset(fp->desc, n))
-					{
-						ugh = builddiag("bitset %s of %s has unknown member(s): %s"
-							, fp->name, sd->name, bitnamesof(fp->desc, n));
-					}
-					break;
-				default:
-						break;
-				}
-				i = fp->size;
-				switch (i)
-				{
-				case 8/BITS_PER_BYTE:
-					*(u_int8_t *)outp = n;
-					break;
-				case 16/BITS_PER_BYTE:
-					*(u_int16_t *)outp = n;
-					break;
-				case 32/BITS_PER_BYTE:
-					*(u_int32_t *)outp = n;
-					break;
-				default:
-					bad_case(i);
-				}
-				outp += i;
-				break;
-			}
-
-			case ft_raw:        /* bytes to be left in network-order */
-				for (; i != 0; i--)
-				{
-					*outp++ = *cur++;
-				}
-				break;
-
-			case ft_end:        /* end of field list */
-				passert(cur == ins->cur + sd->size);
-				if (obj_pbs != NULL)
-				{
-					init_pbs(obj_pbs, ins->cur, roof - ins->cur, sd->name);
-					obj_pbs->container = ins;
-					obj_pbs->desc = sd;
-					obj_pbs->cur = cur;
-				}
-				ins->cur = roof;
-				DBG(DBG_PARSING
-					, DBG_prefix_print_struct(ins, "parse ", struct_ptr, sd, TRUE));
-				return TRUE;
-
-			default:
-				bad_case(fp->field_type);
-			}
-		}
-	}
-
-	/* some failure got us here: report it */
-	loglog(RC_LOG_SERIOUS, ugh);
-	return FALSE;
-}
-
-bool
-in_raw(void *bytes, size_t len, pb_stream *ins, const char *name)
-{
-	if (pbs_left(ins) < len)
-	{
-		loglog(RC_LOG_SERIOUS, "not enough bytes left to get %s from %s", name, ins->name);
-		return FALSE;
-	}
-	else
-	{
-		if (bytes == NULL)
-		{
-			DBG(DBG_PARSING
-				, DBG_log("skipping %u raw bytes of %s (%s)"
-					, (unsigned) len, ins->name, name);
-				  DBG_dump(name, ins->cur, len));
-		}
-		else
-		{
-			memcpy(bytes, ins->cur, len);
-			DBG(DBG_PARSING
-				, DBG_log("parsing %u raw bytes of %s into %s"
-					, (unsigned) len, ins->name, name);
-				  DBG_dump(name, bytes, len));
-		}
-		ins->cur += len;
-		return TRUE;
-	}
-}
-
-/* "emit" a host struct into a network packet.
- *
- * This code assumes that the network and host structure
- * members have the same alignment and size!  This requires
- * that all padding be explicit.
- *
- * If obj_pbs is non-NULL, its pbs describes a new output stream set up
- * to contain the object.  The cursor will be left at the variable part.
- * This new stream must subsequently be finalized by close_output_pbs().
- *
- * The value of any field of type ft_len is computed, not taken
- * from the input struct.  The length is actually filled in when
- * the object's output stream is finalized.  If obj_pbs is NULL,
- * finalization is done by out_struct before it returns.
- *
- * This routine returns TRUE iff it succeeds.
- */
-
-bool
-out_struct(const void *struct_ptr, struct_desc *sd
-, pb_stream *outs, pb_stream *obj_pbs)
-{
-	err_t ugh = NULL;
-	const u_int8_t *inp = struct_ptr;
-	u_int8_t *cur = outs->cur;
-
-	DBG(DBG_EMITTING
-		, DBG_prefix_print_struct(outs, "emit ", struct_ptr, sd, obj_pbs==NULL));
-
-	if (outs->roof - cur < (ptrdiff_t)sd->size)
-	{
-		ugh = builddiag("not enough room left in output packet to place %s"
-			, sd->name);
-	}
-	else
-	{
-		bool immediate = FALSE;
-		pb_stream obj;
-		field_desc *fp;
-
-		obj.lenfld = NULL;  /* until a length field is discovered */
-		obj.lenfld_desc = NULL;
-
-		for (fp = sd->fields; ugh == NULL; fp++)
-		{
-			size_t i = fp->size;
-
-			passert(outs->roof - cur >= (ptrdiff_t)i);
-			passert(cur - outs->cur <= (ptrdiff_t)(sd->size - i));
-			passert(inp - (cur - outs->cur) == struct_ptr);
-
-#if 0
-			DBG(DBG_EMITTING, DBG_log("%d %s"
-				, (int) (cur - outs->cur), fp->name == NULL? "" : fp->name);
-#endif
-			switch (fp->field_type)
-			{
-			case ft_mbz:        /* must be zero */
-				inp += i;
-				for (; i != 0; i--)
-					*cur++ = '\0';
-				break;
-			case ft_nat:           /* natural number (may be 0) */
-			case ft_len:           /* length of this struct and any following crud */
-			case ft_lv:            /* length/value field of attribute */
-			case ft_enum:          /* value from an enumeration */
-			case ft_loose_enum:    /* value from an enumeration with only some names known */
-			case ft_af_enum:       /* Attribute Format + value from an enumeration */
-			case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-			case ft_set:           /* bits representing set */
-			{
-				u_int32_t n = 0;
-
-				switch (i)
-				{
-				case 8/BITS_PER_BYTE:
-					n = *(const u_int8_t *)inp;
-					break;
-				case 16/BITS_PER_BYTE:
-					n = *(const u_int16_t *)inp;
-					break;
-				case 32/BITS_PER_BYTE:
-					n = *(const u_int32_t *)inp;
-					break;
-				default:
-					bad_case(i);
-				}
-
-				switch (fp->field_type)
-				{
-				case ft_len:    /* length of this struct and any following crud */
-				case ft_lv:     /* length/value field of attribute */
-					if (immediate)
-						break;  /* not a length */
-					/* We can't check the length because it will likely
-					 * be filled in after variable part is supplied.
-					 * We do record where this is so that it can be
-					 * filled in by a subsequent close_output_pbs().
-					 */
-					passert(obj.lenfld == NULL);        /* only one ft_len allowed */
-					obj.lenfld = cur;
-					obj.lenfld_desc = fp;
-					break;
-				case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
-					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-						immediate = TRUE;
-					break;
-				case ft_af_enum:        /* Attribute Format + value from an enumeration */
-					if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-						immediate = TRUE;
-					/* FALL THROUGH */
-				case ft_enum:   /* value from an enumeration */
-					if (enum_name(fp->desc, n) == NULL)
-					{
-						ugh = builddiag("%s of %s has an unknown value: %lu"
-							, fp->name, sd->name, (unsigned long)n);
-					}
-					/* FALL THROUGH */
-				case ft_loose_enum:     /* value from an enumeration with only some names known */
-					break;
-				case ft_set:    /* bits representing set */
-					if (!testset(fp->desc, n))
-					{
-						ugh = builddiag("bitset %s of %s has unknown member(s): %s"
-							, fp->name, sd->name, bitnamesof(fp->desc, n));
-					}
-					break;
-				default:
-					break;
-				}
-
-				while (i-- != 0)
-				{
-					cur[i] = (u_int8_t)n;
-					n >>= BITS_PER_BYTE;
-				}
-				inp += fp->size;
-				cur += fp->size;
-				break;
-			}
-			case ft_raw:        /* bytes to be left in network-order */
-				for (; i != 0; i--)
-					*cur++ = *inp++;
-				break;
-			case ft_end:        /* end of field list */
-				passert(cur == outs->cur + sd->size);
-
-				obj.container = outs;
-				obj.desc = sd;
-				obj.name = sd->name;
-				obj.start = outs->cur;
-				obj.cur = cur;
-				obj.roof = outs->roof;  /* limit of possible */
-				/* obj.lenfld and obj.lenfld_desc already set */
-
-				if (obj_pbs == NULL)
-				{
-					close_output_pbs(&obj); /* fill in length field, if any */
-				}
-				else
-				{
-					/* We set outs->cur to outs->roof so that
-					 * any attempt to output something into outs
-					 * before obj is closed will trigger an error.
-					 */
-					outs->cur = outs->roof;
-
-					*obj_pbs = obj;
-				}
-				return TRUE;
-
-			default:
-				bad_case(fp->field_type);
-			}
-		}
-	}
-
-	/* some failure got us here: report it */
-	loglog(RC_LOG_SERIOUS, ugh);        /* ??? serious, but errno not relevant */
-	return FALSE;
-}
-
-bool
-out_generic(u_int8_t np, struct_desc *sd
-, pb_stream *outs, pb_stream *obj_pbs)
-{
-	struct isakmp_generic gen;
-
-	passert(sd->fields == isakmp_generic_desc.fields);
-	gen.isag_np = np;
-	return out_struct(&gen, sd, outs, obj_pbs);
-}
-
-bool
-out_generic_raw(u_int8_t np, struct_desc *sd
-, pb_stream *outs, const void *bytes, size_t len, const char *name)
-{
-	pb_stream pbs;
-
-	if (!out_generic(np, sd, outs, &pbs)
-	|| !out_raw(bytes, len, &pbs, name))
-		return FALSE;
-	close_output_pbs(&pbs);
-	return TRUE;
-}
-
-bool
-out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name)
-{
-	if (pbs_left(outs) < len)
-	{
-		loglog(RC_LOG_SERIOUS, "not enough room left to place %lu bytes of %s in %s"
-			, (unsigned long) len, name, outs->name);
-		return FALSE;
-	}
-	else
-	{
-		DBG(DBG_EMITTING
-			, DBG_log("emitting %u raw bytes of %s into %s"
-				, (unsigned) len, name, outs->name);
-			  DBG_dump(name, bytes, len));
-		memcpy(outs->cur, bytes, len);
-		outs->cur += len;
-		return TRUE;
-	}
-}
-
-bool
-out_zero(size_t len, pb_stream *outs, const char *name)
-{
-	if (pbs_left(outs) < len)
-	{
-		loglog(RC_LOG_SERIOUS, "not enough room left to place %s in %s", name, outs->name);
-		return FALSE;
-	}
-	else
-	{
-		DBG(DBG_EMITTING, DBG_log("emitting %u zero bytes of %s into %s"
-			, (unsigned) len, name, outs->name));
-		memset(outs->cur, 0x00, len);
-		outs->cur += len;
-		return TRUE;
-	}
-}
-
-/* Record current length.
- * Note: currently, this may be repeated any number of times;
- * the last one wins.
- */
-void
-close_output_pbs(pb_stream *pbs)
-{
-	if (pbs->lenfld != NULL)
-	{
-		u_int32_t len = pbs_offset(pbs);
-		int i = pbs->lenfld_desc->size;
-
-		if (pbs->lenfld_desc->field_type == ft_lv)
-			len -= sizeof(struct isakmp_attribute);
-		DBG(DBG_EMITTING, DBG_log("emitting length of %s: %lu"
-			, pbs->name, (unsigned long) len));
-		while (i-- != 0)
-		{
-			pbs->lenfld[i] = (u_int8_t)len;
-			len >>= BITS_PER_BYTE;
-		}
-	}
-	if (pbs->container != NULL)
-		pbs->container->cur = pbs->cur; /* pass space utilization up */
-}
diff --git a/src/pluto/packet.h b/src/pluto/packet.h
deleted file mode 100644
index 1510b81a0..000000000
--- a/src/pluto/packet.h
+++ /dev/null
@@ -1,653 +0,0 @@
-/* parsing packets: formats and tools
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _PACKET_H
-#define _PACKET_H
-
-/* a struct_desc describes a structure for the struct I/O routines.
- * This requires arrays of field_desc values to describe struct fields.
- */
-
-typedef const struct struct_desc {
-	const char *name;
-	const struct field_desc *fields;
-	size_t size;
-} struct_desc;
-
-/* Note: if an ft_af_enum field has the ISAKMP_ATTR_AF_TV bit set,
- * the subsequent ft_lv field will be interpreted as an immediate value.
- * This matches how attributes are encoded.
- * See RFC 2408 "ISAKMP" 3.3
- */
-
-enum field_type {
-	ft_mbz,           /* must be zero */
-	ft_nat,           /* natural number (may be 0) */
-	ft_len,           /* length of this struct and any following crud */
-	ft_lv,            /* length/value field of attribute */
-	ft_enum,          /* value from an enumeration */
-	ft_loose_enum,    /* value from an enumeration with only some names known */
-	ft_af_loose_enum, /* Attribute Format + enumeration, some names known */
-	ft_af_enum,       /* Attribute Format + value from an enumeration */
-	ft_set,           /* bits representing set */
-	ft_raw,           /* bytes to be left in network-order */
-	ft_end,           /* end of field list */
-};
-
-typedef const struct field_desc {
-	enum field_type field_type;
-	int size;   /* size, in bytes, of field */
-	const char *name;
-	const void *desc;   /* enum_names for enum or char *[] for bits */
-} field_desc;
-
-/* The formatting of input and output of packets is done
- * through packet_byte_stream objects.
- * These describe a stream of bytes in memory.
- * Several routines are provided to manipulate these objects
- * Actual packet transfer is done elsewhere.
- */
-typedef struct packet_byte_stream {
-	struct packet_byte_stream *container;   /* PBS of which we are part */
-	struct_desc *desc;
-	const char *name;   /* what does this PBS represent? */
-	u_int8_t
-		*start,
-		*cur,   /* current position in stream */
-		*roof;  /* byte after last in PBS (actually just a limit on output) */
-	/* For an output PBS, the length field will be filled in later so
-	 * we need to record its particulars.  Note: it may not be aligned.
-	 */
-	u_int8_t *lenfld;
-	field_desc *lenfld_desc;
-} pb_stream;
-
-/* For an input PBS, pbs_offset is amount of stream processed.
- * For an output PBS, pbs_offset is current size of stream.
- * For an input PBS, pbs_room is size of stream.
- * For an output PBS, pbs_room is maximum size allowed.
- */
-#define pbs_offset(pbs) ((size_t)((pbs)->cur - (pbs)->start))
-#define pbs_room(pbs) ((size_t)((pbs)->roof - (pbs)->start))
-#define pbs_left(pbs) ((size_t)((pbs)->roof - (pbs)->cur))
-
-extern void init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name);
-
-extern bool in_struct(void *struct_ptr, struct_desc *sd,
-	pb_stream *ins, pb_stream *obj_pbs);
-extern bool in_raw(void *bytes, size_t len, pb_stream *ins, const char *name);
-
-extern bool out_struct(const void *struct_ptr, struct_desc *sd,
-	pb_stream *outs, pb_stream *obj_pbs);
-extern bool out_generic(u_int8_t np, struct_desc *sd,
-	pb_stream *outs, pb_stream *obj_pbs);
-extern bool out_generic_raw(u_int8_t np, struct_desc *sd,
-	pb_stream *outs, const void *bytes, size_t len, const char *name);
-#define out_generic_chunk(np, sd, outs, ch, name) \
-		out_generic_raw(np, sd, outs, (ch).ptr, (ch).len, name)
-extern bool out_zero(size_t len, pb_stream *outs, const char *name);
-extern bool out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name);
-#define out_chunk(ch, outs, name) out_raw((ch).ptr, (ch).len, (outs), (name))
-extern void close_output_pbs(pb_stream *pbs);
-
-#ifdef DEBUG
-extern void DBG_print_struct(const char *label, const void *struct_ptr,
-	struct_desc *sd, bool len_meaningful);
-#endif
-
-/* ISAKMP Header: for all messages
- * layout from RFC 2408 "ISAKMP" section 3.1
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                          Initiator                            !
- * !                            Cookie                             !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                          Responder                            !
- * !                            Cookie                             !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                          Message ID                           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                            Length                             !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * Although the drafts are a little unclear, there are a few
- * places that specify that messages should be padded with 0x00
- * octets (bytes) to make the length a multiple of something.
- *
- * RFC 2408 "ISAKMP" 3.6 specifies that all messages will be
- * padded to be a multiple of 4 octets in length.
- * ??? This looks vestigial, and we ignore this requirement.
- *
- * RFC 2409 "IKE" Appedix B specifies:
- *     Each message should be padded up to the nearest block size
- *     using bytes containing 0x00.
- * ??? This does not appear to be limited to encrypted messages,
- * but it surely must be: the block size is meant to be the encryption
- * block size, and that is meaningless for a non-encrypted message.
- *
- * RFC 2409 "IKE" 5.3 specifies:
- *     Encrypted payloads are padded up to the nearest block size.
- *     All padding bytes, except for the last one, contain 0x00. The
- *     last byte of the padding contains the number of the padding
- *     bytes used, excluding the last one. Note that this means there
- *     will always be padding.
- * ??? This is nuts since payloads are not padded, messages are.
- * It also contradicts Appendix B.  So we ignore it.
- *
- * Summary: we pad encrypted output messages with 0x00 to bring them
- * up to a multiple of the encryption block size.  On input, we require
- * that any encrypted portion of a message be a multiple of the encryption
- * block size.   After any decryption, we ignore padding (any bytes after
- * the first payload that specifies a next payload of none; we don't
- * require them to be zero).
- */
-
-struct isakmp_hdr
-{
-	u_int8_t    isa_icookie[COOKIE_SIZE];
-	u_int8_t    isa_rcookie[COOKIE_SIZE];
-	u_int8_t    isa_np;                 /* Next payload */
-	u_int8_t    isa_version;    /* high-order 4 bits: Major; low order 4: Minor */
-#define ISA_MAJ_SHIFT   4
-#define ISA_MIN_MASK    (~((~0u) << ISA_MAJ_SHIFT))
-	u_int8_t    isa_xchg;               /* Exchange type */
-	u_int8_t    isa_flags;
-	u_int32_t   isa_msgid;              /* Message ID (RAW) */
-	u_int32_t   isa_length;             /* Length of message */
-};
-
-extern struct_desc isakmp_hdr_desc;
-
-/* Generic portion of all ISAKMP payloads.
- * layout from RFC 2408 "ISAKMP" section 3.2
- * This describes the first 32-bit chunk of all payloads.
- * The previous next payload depends on the actual payload type.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_generic
-{
-	u_int8_t    isag_np;
-	u_int8_t    isag_reserved;
-	u_int16_t   isag_length;
-};
-
-extern struct_desc isakmp_generic_desc;
-
-/* ISAKMP Data Attribute (generic representation within payloads)
- * layout from RFC 2408 "ISAKMP" section 3.3
- * This is not a payload type.
- * In TLV format, this is followed by a value field.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !A!       Attribute Type        !    AF=0  Attribute Length     !
- * !F!                             !    AF=1  Attribute Value      !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * .                   AF=0  Attribute Value                       .
- * .                   AF=1  Not Transmitted                       .
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_attribute
-{
-	/* The high order bit of isaat_af_type is the Attribute Format
-	 * If it is off, the format is TLV: lv is the length of the following
-	 * attribute value.
-	 * If it is on, the format is TV: lv is the value of the attribute.
-	 * ISAKMP_ATTR_AF_MASK is the mask in host form.
-	 *
-	 * The low order 15 bits of isaat_af_type is the Attribute Type.
-	 * ISAKMP_ATTR_RTYPE_MASK is the mask in host form.
-	 */
-	u_int16_t isaat_af_type;   /* high order bit: AF; lower 15: rtype */
-	u_int16_t isaat_lv;                 /* Length or value */
-};
-
-#define ISAKMP_ATTR_AF_MASK 0x8000
-#define ISAKMP_ATTR_AF_TV ISAKMP_ATTR_AF_MASK /* value in lv */
-#define ISAKMP_ATTR_AF_TLV 0 /* length in lv; value follows */
-
-#define ISAKMP_ATTR_RTYPE_MASK 0x7FFF
-
-extern struct_desc
-	isakmp_oakley_attribute_desc,
-	isakmp_ipsec_attribute_desc;
-
-/* ISAKMP Security Association Payload
- * layout from RFC 2408 "ISAKMP" section 3.4
- * A variable length Situation follows.
- * Previous next payload: ISAKMP_NEXT_SA
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !              Domain of Interpretation  (DOI)                  !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                           Situation                           ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_sa
-{
-	u_int8_t  isasa_np;                 /* Next payload */
-	u_int8_t  isasa_reserved;
-	u_int16_t isasa_length;             /* Payload length */
-	u_int32_t isasa_doi;                /* DOI */
-};
-
-extern struct_desc isakmp_sa_desc;
-
-extern struct_desc ipsec_sit_desc;
-
-/* ISAKMP Proposal Payload
- * layout from RFC 2408 "ISAKMP" section 3.5
- * A variable length SPI follows.
- * Previous next payload: ISAKMP_NEXT_P
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Proposal #   !  Protocol-Id  !    SPI Size   !# of Transforms!
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                        SPI (variable)                         !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_proposal
-{
-	u_int8_t    isap_np;
-	u_int8_t    isap_reserved;
-	u_int16_t   isap_length;
-	u_int8_t    isap_proposal;
-	u_int8_t    isap_protoid;
-	u_int8_t    isap_spisize;
-	u_int8_t    isap_notrans;           /* Number of transforms */
-};
-
-extern struct_desc isakmp_proposal_desc;
-
-/* ISAKMP Transform Payload
- * layout from RFC 2408 "ISAKMP" section 3.6
- * Variable length SA Attributes follow.
- * Previous next payload: ISAKMP_NEXT_T
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Transform #  !  Transform-Id !           RESERVED2           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                        SA Attributes                          ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_transform
-{
-	u_int8_t    isat_np;
-	u_int8_t    isat_reserved;
-	u_int16_t   isat_length;
-	u_int8_t    isat_transnum;          /* Number of the transform */
-	u_int8_t    isat_transid;
-	u_int16_t   isat_reserved2;
-};
-
-extern struct_desc
-	isakmp_isakmp_transform_desc,
-	isakmp_ah_transform_desc,
-	isakmp_esp_transform_desc,
-	isakmp_ipcomp_transform_desc;
-
-/* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.7
- * Variable Key Exchange Data follow the generic fields.
- * Previous next payload: ISAKMP_NEXT_KE
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                       Key Exchange Data                       ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-extern struct_desc isakmp_keyex_desc;
-
-/* ISAKMP Identification Payload
- * layout from RFC 2408 "ISAKMP" section 3.8
- * See "struct identity" declared later.
- * Variable length Identification Data follow.
- * Previous next payload: ISAKMP_NEXT_ID
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !   ID Type     !             DOI Specific ID Data              !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                   Identification Data                         ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_id
-{
-	u_int8_t    isaid_np;
-	u_int8_t    isaid_reserved;
-	u_int16_t   isaid_length;
-	u_int8_t    isaid_idtype;
-	u_int8_t    isaid_doi_specific_a;
-	u_int16_t   isaid_doi_specific_b;
-};
-
-extern struct_desc isakmp_identification_desc;
-
-/* IPSEC Identification Payload Content
- * layout from RFC 2407 "IPsec DOI" section 4.6.2
- * See struct isakmp_id declared earlier.
- * Note: Hashing skips the ISAKMP generic payload header
- * Variable length Identification Data follow.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Next Payload !   RESERVED    !        Payload Length         !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !   ID Type     !  Protocol ID  !             Port              !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ~                     Identification Data                       ~
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_ipsec_id
-{
-	u_int8_t    isaiid_np;
-	u_int8_t    isaiid_reserved;
-	u_int16_t   isaiid_length;
-	u_int8_t    isaiid_idtype;
-	u_int8_t    isaiid_protoid;
-	u_int16_t   isaiid_port;
-};
-
-extern struct_desc isakmp_ipsec_identification_desc;
-
-/* ISAKMP Certificate Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.9
- * Variable length Certificate Data follow the generic fields.
- * Previous next payload: ISAKMP_NEXT_CERT.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Cert Encoding !                                               !
- * +-+-+-+-+-+-+-+-+                                               !
- * ~                       Certificate Data                        ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_cert
-{
-	u_int8_t    isacert_np;
-	u_int8_t    isacert_reserved;
-	u_int16_t   isacert_length;
-	u_int8_t    isacert_type;
-};
-
-/* NOTE: this packet type has a fixed portion that is not a
- * multiple of 4 octets.  This means that sizeof(struct isakmp_cert)
- * yields the wrong value for the length.
- */
-#define ISAKMP_CERT_SIZE                5
-
-extern struct_desc isakmp_ipsec_certificate_desc;
-
-/* ISAKMP Certificate Request Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.10
- * Variable length Certificate Types and Certificate Authorities follow.
- * Previous next payload: ISAKMP_NEXT_CR.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Cert. Type   !                                               !
- * +-+-+-+-+-+-+-+-+                                               !
- * ~                    Certificate Authority                      ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_cr
-{
-	u_int8_t    isacr_np;
-	u_int8_t    isacr_reserved;
-	u_int16_t   isacr_length;
-	u_int8_t    isacr_type;
-};
-
-/* NOTE: this packet type has a fixed portion that is not a
- * multiple of 4 octets.  This means that sizeof(struct isakmp_cr)
- * yields the wrong value for the length.
- */
-#define ISAKMP_CR_SIZE          5
-
-extern struct_desc isakmp_ipsec_cert_req_desc;
-
-/* ISAKMP Hash Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.11
- * Variable length Hash Data follow.
- * Previous next payload: ISAKMP_NEXT_HASH.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                           Hash Data                           ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-extern struct_desc isakmp_hash_desc;
-
-/* ISAKMP Signature Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.12
- * Variable length Signature Data follow.
- * Previous next payload: ISAKMP_NEXT_SIG.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                         Signature Data                        ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-extern struct_desc isakmp_signature_desc;
-
-/* ISAKMP Nonce Payload: no fixed fields beyond the generic ones.
- * layout from RFC 2408 "ISAKMP" section 3.13
- * Variable length Nonce Data follow.
- * Previous next payload: ISAKMP_NEXT_NONCE.
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                            Nonce Data                         ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-extern struct_desc isakmp_nonce_desc;
-
-/* ISAKMP Notification Payload
- * layout from RFC 2408 "ISAKMP" section 3.14
- * This is followed by a variable length SPI
- * and then possibly by variable length Notification Data.
- * Previous next payload: ISAKMP_NEXT_N
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !              Domain of Interpretation  (DOI)                  !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Protocol-ID  !   SPI Size    !      Notify Message Type      !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                Security Parameter Index (SPI)                 ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                       Notification Data                       ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_notification
-{
-	u_int8_t    isan_np;
-	u_int8_t    isan_reserved;
-	u_int16_t   isan_length;
-	u_int32_t   isan_doi;
-	u_int8_t    isan_protoid;
-	u_int8_t    isan_spisize;
-	u_int16_t   isan_type;
-};
-
-extern struct_desc isakmp_notification_desc;
-
-/* ISAKMP Delete Payload
- * layout from RFC 2408 "ISAKMP" section 3.15
- * This is followed by a variable length SPI.
- * Previous next payload: ISAKMP_NEXT_D
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !              Domain of Interpretation  (DOI)                  !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !  Protocol-Id  !   SPI Size    !           # of SPIs           !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~               Security Parameter Index(es) (SPI)              ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-struct isakmp_delete
-{
-	u_int8_t    isad_np;
-	u_int8_t    isad_reserved;
-	u_int16_t   isad_length;
-	u_int32_t   isad_doi;
-	u_int8_t    isad_protoid;
-	u_int8_t    isad_spisize;
-	u_int16_t   isad_nospi;
-};
-
-extern struct_desc isakmp_delete_desc;
-
-/* From draft-dukes-ike-mode-cfg
-3.2. Attribute Payload
-						   1                   2                   3
-	   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	 ! Next Payload  !   RESERVED    !         Payload Length        !
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	 !     Type      !   RESERVED    !           Identifier          !
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-	 !                                                               !
-	 !                                                               !
-	 ~                           Attributes                          ~
-	 !                                                               !
-	 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp_mode_attr
-{
-	u_int8_t    isama_np;
-	u_int8_t    isama_reserved;
-	u_int16_t   isama_length;
-	u_int8_t    isama_type;
-	u_int8_t    isama_reserved2;
-	u_int16_t   isama_identifier;
-};
-
-extern struct_desc isakmp_attr_desc;
-extern struct_desc isakmp_modecfg_attribute_desc;
-
-/* ISAKMP Vendor ID Payload
- * layout from RFC 2408 "ISAKMP" section 3.15
- * This is followed by a variable length VID.
- * Previous next payload: ISAKMP_NEXT_VID
- *                      1                   2                   3
- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ! Next Payload  !   RESERVED    !         Payload Length        !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * !                                                               !
- * ~                        Vendor ID (VID)                        ~
- * !                                                               !
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-extern struct_desc isakmp_vendor_id_desc;
-
-struct isakmp_nat_oa
-{
-	u_int8_t    isanoa_np;
-	u_int8_t    isanoa_reserved_1;
-	u_int16_t   isanoa_length;
-	u_int8_t    isanoa_idtype;
-	u_int8_t    isanoa_reserved_2;
-	u_int16_t   isanoa_reserved_3;
-};
-
-extern struct_desc isakmp_nat_d;
-extern struct_desc isakmp_nat_oa;
-
-/* union of all payloads */
-
-union payload {
-	struct isakmp_generic generic;
-	struct isakmp_sa sa;
-	struct isakmp_proposal proposal;
-	struct isakmp_transform transform;
-	struct isakmp_id id;    /* Main Mode */
-	struct isakmp_cert cert;
-	struct isakmp_cr cr;
-	struct isakmp_ipsec_id ipsec_id;    /* Quick Mode */
-	struct isakmp_notification notification;
-	struct isakmp_delete delete;
-	struct isakmp_nat_oa nat_oa;
-	struct isakmp_mode_attr attribute;
-};
-
-/* descriptor for each payload type
- *
- * There is a slight problem in that some payloads differ, depending
- * on the mode.  Since this is table only used for top-level payloads,
- * Proposal and Transform payloads need not be handled.
- * That leaves only Identification payloads as a problem.
- * We make all these entries NULL
- */
-extern struct_desc *const payload_descs[ISAKMP_NEXT_ROOF];
-
-#endif /* _PACKET_H */
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
deleted file mode 100644
index 10b2a4d5a..000000000
--- a/src/pluto/pkcs7.c
+++ /dev/null
@@ -1,755 +0,0 @@
-/* Support of PKCS#7 data structures
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * HSR Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <library.h>
-#include <debug.h>
-#include <asn1/asn1.h>
-#include <asn1/asn1_parser.h>
-#include <asn1/oid.h>
-#include <crypto/rngs/rng.h>
-#include <crypto/crypters/crypter.h>
-#include <credentials/certificates/x509.h>
-
-#include "pkcs7.h"
-
-const contentInfo_t empty_contentInfo = {
-	OID_UNKNOWN , /* type */
-	{ NULL, 0 }   /* content */
-};
-
-/**
- * ASN.1 definition of the PKCS#7 ContentInfo type
- */
-static const asn1Object_t contentInfoObjects[] = {
-	{ 0, "contentInfo",                     ASN1_SEQUENCE,     ASN1_NONE          }, /*  0 */
-	{ 1,   "contentType",                   ASN1_OID,          ASN1_BODY          }, /*  1 */
-	{ 1,   "content",                       ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY }, /*  2 */
-	{ 1,   "end opt",                       ASN1_EOC,          ASN1_END           }, /*  3 */
-	{ 0, "exit",                            ASN1_EOC,          ASN1_EXIT          }
-};
-#define PKCS7_INFO_TYPE         1
-#define PKCS7_INFO_CONTENT      2
-
-/**
- * ASN.1 definition of the PKCS#7 signedData type
- */
-static const asn1Object_t signedDataObjects[] = {
-	{ 0, "signedData",                      ASN1_SEQUENCE,     ASN1_NONE          }, /*  0 */
-	{ 1,   "version",                       ASN1_INTEGER,      ASN1_BODY          }, /*  1 */
-	{ 1,   "digestAlgorithms",              ASN1_SET,          ASN1_LOOP          }, /*  2 */
-	{ 2,     "algorithm",                   ASN1_EOC,          ASN1_RAW           }, /*  3 */
-	{ 1,   "end loop",                      ASN1_EOC,          ASN1_END           }, /*  4 */
-	{ 1,   "contentInfo",                   ASN1_EOC,          ASN1_RAW           }, /*  5 */
-	{ 1,   "certificates",                  ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_LOOP }, /*  6 */
-	{ 2,      "certificate",                ASN1_SEQUENCE,     ASN1_OBJ           }, /*  7 */
-	{ 1,   "end opt or loop",               ASN1_EOC,          ASN1_END           }, /*  8 */
-	{ 1,   "crls",                          ASN1_CONTEXT_C_1,  ASN1_OPT|ASN1_LOOP }, /*  9 */
-	{ 2,      "crl",                        ASN1_SEQUENCE,     ASN1_OBJ           }, /* 10 */
-	{ 1,   "end opt or loop",               ASN1_EOC,          ASN1_END           }, /* 11 */
-	{ 1,   "signerInfos",                   ASN1_SET,          ASN1_LOOP          }, /* 12 */
-	{ 2,     "signerInfo",                  ASN1_SEQUENCE,     ASN1_NONE          }, /* 13 */
-	{ 3,       "version",                   ASN1_INTEGER,      ASN1_BODY          }, /* 14 */
-	{ 3,       "issuerAndSerialNumber",     ASN1_SEQUENCE,     ASN1_BODY          }, /* 15 */
-	{ 4,         "issuer",                  ASN1_SEQUENCE,     ASN1_OBJ           }, /* 16 */
-	{ 4,         "serial",                  ASN1_INTEGER,      ASN1_BODY          }, /* 17 */
-	{ 3,       "digestAlgorithm",           ASN1_EOC,          ASN1_RAW           }, /* 18 */
-	{ 3,       "authenticatedAttributes",   ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_OBJ  }, /* 19 */
-	{ 3,       "end opt",                   ASN1_EOC,          ASN1_END           }, /* 20 */
-	{ 3,       "digestEncryptionAlgorithm", ASN1_EOC,          ASN1_RAW           }, /* 21 */
-	{ 3,       "encryptedDigest",           ASN1_OCTET_STRING, ASN1_BODY          }, /* 22 */
-	{ 3,       "unauthenticatedAttributes", ASN1_CONTEXT_C_1,  ASN1_OPT           }, /* 23 */
-	{ 3,       "end opt",                   ASN1_EOC,          ASN1_END           }, /* 24 */
-	{ 1,   "end loop",                      ASN1_EOC,          ASN1_END           }, /* 25 */
-	{ 0, "exit",                            ASN1_EOC,          ASN1_EXIT          }
-};
-#define PKCS7_SIGNED_VERSION             1
-#define PKCS7_DIGEST_ALG                 3
-#define PKCS7_SIGNED_CONTENT_INFO        5
-#define PKCS7_SIGNED_CERT                7
-#define PKCS7_SIGNER_INFO               13
-#define PKCS7_SIGNER_INFO_VERSION       14
-#define PKCS7_SIGNED_ISSUER             16
-#define PKCS7_SIGNED_SERIAL_NUMBER      17
-#define PKCS7_DIGEST_ALGORITHM          18
-#define PKCS7_AUTH_ATTRIBUTES           19
-#define PKCS7_DIGEST_ENC_ALGORITHM      21
-#define PKCS7_ENCRYPTED_DIGEST          22
-
-/**
- * ASN.1 definition of the PKCS#7 envelopedData type
- */
-static const asn1Object_t envelopedDataObjects[] = {
-	{ 0, "envelopedData",                  ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-	{ 1,   "version",                      ASN1_INTEGER,      ASN1_BODY }, /*  1 */
-	{ 1,   "recipientInfos",               ASN1_SET,          ASN1_LOOP }, /*  2 */
-	{ 2,     "recipientInfo",              ASN1_SEQUENCE,     ASN1_BODY }, /*  3 */
-	{ 3,       "version",                  ASN1_INTEGER,      ASN1_BODY }, /*  4 */
-	{ 3,       "issuerAndSerialNumber",    ASN1_SEQUENCE,     ASN1_BODY }, /*  5 */
-	{ 4,         "issuer",                 ASN1_SEQUENCE,     ASN1_OBJ  }, /*  6 */
-	{ 4,         "serial",                 ASN1_INTEGER,      ASN1_BODY }, /*  7 */
-	{ 3,       "encryptionAlgorithm",      ASN1_EOC,          ASN1_RAW  }, /*  8 */
-	{ 3,       "encryptedKey",             ASN1_OCTET_STRING, ASN1_BODY }, /*  9 */
-	{ 1,   "end loop",                     ASN1_EOC,          ASN1_END  }, /* 10 */
-	{ 1,   "encryptedContentInfo",         ASN1_SEQUENCE,     ASN1_OBJ  }, /* 11 */
-	{ 2,     "contentType",                ASN1_OID,          ASN1_BODY }, /* 12 */
-	{ 2,     "contentEncryptionAlgorithm", ASN1_EOC,          ASN1_RAW  }, /* 13 */
-	{ 2,     "encryptedContent",           ASN1_CONTEXT_S_0,  ASN1_BODY }, /* 14 */
-	{ 0, "exit",                           ASN1_EOC,          ASN1_EXIT }
-};
-#define PKCS7_ENVELOPED_VERSION          1
-#define PKCS7_RECIPIENT_INFO_VERSION     4
-#define PKCS7_ISSUER                     6
-#define PKCS7_SERIAL_NUMBER              7
-#define PKCS7_ENCRYPTION_ALG             8
-#define PKCS7_ENCRYPTED_KEY              9
-#define PKCS7_CONTENT_TYPE              12
-#define PKCS7_CONTENT_ENC_ALGORITHM     13
-#define PKCS7_ENCRYPTED_CONTENT         14
-#define PKCS7_ENVELOPED_ROOF            15
-
-/**
- * Parse PKCS#7 ContentInfo object
- */
-bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int objectID;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(contentInfoObjects, blob);
-	parser->set_top_level(parser, level0);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		if (objectID == PKCS7_INFO_TYPE)
-		{
-			cInfo->type = asn1_known_oid(object);
-			if (cInfo->type < OID_PKCS7_DATA
-			||  cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
-			{
-				DBG1(DBG_LIB, "unknown pkcs7 content type");
-				goto end;
-			}
-		}
-		else if (objectID == PKCS7_INFO_CONTENT)
-		{
-			cInfo->content = object;
-		}
-	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	return success;
-}
-
-/**
- * Parse a PKCS#7 signedData object
- */
-bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
-							linked_list_t *certs,
-							chunk_t *attributes, certificate_t *cacert)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int digest_alg = OID_UNKNOWN;
-	int enc_alg    = OID_UNKNOWN;
-	int signerInfos = 0;
-	int version;
-	int objectID;
-	bool success = FALSE;
-
-	contentInfo_t cInfo = empty_contentInfo;
-	chunk_t encrypted_digest = chunk_empty;
-
-	if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
-	{
-		return FALSE;
-	}
-	if (cInfo.type != OID_PKCS7_SIGNED_DATA)
-	{
-		DBG1(DBG_LIB, "pkcs7 content type is not signedData");
-		return FALSE;
-	}
-
-	parser = asn1_parser_create(signedDataObjects, cInfo.content);
-	parser->set_top_level(parser, 2);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		u_int level = parser->get_level(parser);
-
-		switch (objectID)
-		{
-		case PKCS7_SIGNED_VERSION:
-			version = object.len ? (int)*object.ptr : 0;
-			DBG2(DBG_LIB, "  v%d", version);
-			break;
-		case PKCS7_DIGEST_ALG:
-			digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case PKCS7_SIGNED_CONTENT_INFO:
-			if (data != NULL)
-			{
-				pkcs7_parse_contentInfo(object, level, data);
-			}
-			break;
-		case PKCS7_SIGNED_CERT:
-			{
-				certificate_t *cert;
-
-				DBG2(DBG_LIB, "  parsing pkcs7-wrapped certificate");
-				cert = lib->creds->create(lib->creds,
-								  		  CRED_CERTIFICATE, CERT_X509,
-								  		  BUILD_BLOB_ASN1_DER, object,
-								  		  BUILD_END);
-				if (cert)
-				{
-					certs->insert_last(certs, cert);
-				}
-			}
-			break;
-		case PKCS7_SIGNER_INFO:
-			signerInfos++;
-			DBG2(DBG_LIB, "  signer #%d", signerInfos);
-			break;
-		case PKCS7_SIGNER_INFO_VERSION:
-			version = object.len ? (int)*object.ptr : 0;
-			DBG2(DBG_LIB, "  v%d", version);
-			break;
-		case PKCS7_SIGNED_ISSUER:
-			{
-				identification_t *issuer = identification_create_from_encoding(
-													ID_DER_ASN1_DN, object);
-				DBG2(DBG_LIB, "  \"%Y\"", issuer);
-				issuer->destroy(issuer);
-				break;
-			}
-		case PKCS7_AUTH_ATTRIBUTES:
-			if (attributes != NULL)
-			{
-				*attributes = object;
-				*attributes->ptr = ASN1_SET;
-			}
-			break;
-		case PKCS7_DIGEST_ALGORITHM:
-			digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case PKCS7_DIGEST_ENC_ALGORITHM:
-			enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-			break;
-		case PKCS7_ENCRYPTED_DIGEST:
-			encrypted_digest = object;
-		}
-	}
-	success = parser->success(parser);
-	parser->destroy(parser);
-	if (!success)
-	{
-		return FALSE;
-	}
-
-	/* check the signature only if a cacert is available */
-	if (cacert != NULL)
-	{
-		public_key_t *key;
-		signature_scheme_t scheme;
-
-		scheme = signature_scheme_from_oid(digest_alg);
-		if (scheme == SIGN_UNKNOWN)
-		{
-			DBG1(DBG_LIB, "unsupported signature scheme");
-			return FALSE;
-		}
-		if (signerInfos == 0)
-		{
-			DBG1(DBG_LIB, "no signerInfo object found");
-			return FALSE;
-		}
-		else if (signerInfos > 1)
-		{
-			DBG1(DBG_LIB, "more than one signerInfo object found");
-			return FALSE;
-		}
-		if (attributes->ptr == NULL)
-		{
-			DBG1(DBG_LIB, "no authenticatedAttributes object found");
-			return FALSE;
-		}
-		if (enc_alg != OID_RSA_ENCRYPTION)
-		{
-			DBG1(DBG_LIB, "only RSA digest encryption supported");
-			return FALSE;
-		}
-
-		/* verify the signature */
-		key = cacert->get_public_key(cacert);
-		if (key == NULL)
-		{
-			DBG1(DBG_LIB, "no public key found in CA certificate");
-			return FALSE;
-		}
-		if (key->verify(key, scheme, *attributes, encrypted_digest))
-		{
-			DBG2(DBG_LIB, "signature is valid");
-		}
-		else
-		{
-			DBG1(DBG_LIB, "invalid signature");
-			success = FALSE;
-		}
-		key->destroy(key);
-	}
-	return success;
-}
-
-/**
- * Parse a PKCS#7 envelopedData object
- */
-bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
-							   chunk_t serialNumber,
-							   private_key_t *key)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	chunk_t iv                = chunk_empty;
-	chunk_t symmetric_key     = chunk_empty;
-	chunk_t encrypted_content = chunk_empty;
-
-	crypter_t *crypter = NULL;
-
-	int enc_alg         = OID_UNKNOWN;
-	int content_enc_alg = OID_UNKNOWN;
-	int version;
-	int objectID;
-	bool success = FALSE;
-
-	contentInfo_t cInfo = empty_contentInfo;
-	*data = chunk_empty;
-
-	if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
-	{
-		goto failed;
-	}
-	if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
-	{
-		DBG1(DBG_LIB, "pkcs7 content type is not envelopedData");
-		goto failed;
-	}
-
-	parser = asn1_parser_create(envelopedDataObjects, cInfo.content);
-	parser->set_top_level(parser, 2);
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		u_int level = parser->get_level(parser);
-
-		switch (objectID)
-		{
-		case PKCS7_ENVELOPED_VERSION:
-			version = object.len ? (int)*object.ptr : 0;
-			DBG2(DBG_LIB, "  v%d", version);
-			if (version != 0)
-			{
-				DBG1(DBG_LIB, "envelopedData version is not 0");
-				goto end;
-			}
-			break;
-		case PKCS7_RECIPIENT_INFO_VERSION:
-			version = object.len ? (int)*object.ptr : 0;
-			DBG2(DBG_LIB, "  v%d", version);
-			if (version != 0)
-			{
-				DBG1(DBG_LIB, "recipient info version is not 0");
-				goto end;
-			}
-			break;
-		case PKCS7_ISSUER:
-			{
-				identification_t *issuer = identification_create_from_encoding(
-													ID_DER_ASN1_DN, object);
-				DBG2(DBG_LIB, "  \"%Y\"", issuer);
-				issuer->destroy(issuer);
-				break;
-			}
-		case PKCS7_SERIAL_NUMBER:
-			if (!chunk_equals(serialNumber, object))
-			{
-				DBG1(DBG_LIB, "serial numbers do not match");
-				goto end;
-			}
-			break;
-		case PKCS7_ENCRYPTION_ALG:
-			enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
-			if (enc_alg != OID_RSA_ENCRYPTION)
-			{
-				DBG1(DBG_LIB, "only rsa encryption supported");
-				goto end;
-			}
-			break;
-		case PKCS7_ENCRYPTED_KEY:
-			if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key))
-			{
-				DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
-				goto end;
-			}
-			DBG4(DBG_LIB, "symmetric key %B", &symmetric_key);
-			break;
-		case PKCS7_CONTENT_TYPE:
-			if (asn1_known_oid(object) != OID_PKCS7_DATA)
-			{
-				 DBG1(DBG_LIB, "encrypted content not of type pkcs7 data");
-				 goto end;
-			}
-			break;
-		case PKCS7_CONTENT_ENC_ALGORITHM:
-			content_enc_alg = asn1_parse_algorithmIdentifier(object, level, &iv);
-
-			if (content_enc_alg == OID_UNKNOWN)
-			{
-				DBG1(DBG_LIB, "unknown content encryption algorithm");
-				goto end;
-			}
-			if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
-			{
-				DBG1(DBG_LIB, "IV could not be parsed");
-				goto end;
-			}
-			break;
-		case PKCS7_ENCRYPTED_CONTENT:
-			encrypted_content = object;
-			break;
-		}
-	}
-	success = parser->success(parser);
-
-end:
-	parser->destroy(parser);
-	if (!success)
-	{
-		goto failed;
-	}
-	success = FALSE;
-
-	/* decrypt the content */
-	{
-		encryption_algorithm_t alg;
-		size_t key_size;
-		crypter_t *crypter;
-
-		alg = encryption_algorithm_from_oid(content_enc_alg, &key_size);
-		if (alg == ENCR_UNDEFINED)
-		{
-			DBG1(DBG_LIB, "unsupported content encryption algorithm");
-			goto failed;
-		}
-		crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
-		if (crypter == NULL)
-		{
-			DBG1(DBG_LIB, "crypter %N not available", encryption_algorithm_names, alg);
-			goto failed;
-		}
-		if (symmetric_key.len != crypter->get_key_size(crypter))
-		{
-			DBG1(DBG_LIB, "symmetric key length %d is wrong", symmetric_key.len);
-			goto failed;
-		}
-		if (iv.len != crypter->get_iv_size(crypter))
-		{
-			DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
-			goto failed;
-		}
-		crypter->set_key(crypter, symmetric_key);
-		crypter->decrypt(crypter, encrypted_content, iv, data);
-		DBG4(DBG_LIB, "decrypted content with padding: %B", data);
-	}
-
-	/* remove the padding */
-	{
-		u_char *pos = data->ptr + data->len - 1;
-		u_char pattern = *pos;
-		size_t padding = pattern;
-
-		if (padding > data->len)
-		{
-			DBG1(DBG_LIB, "padding greater than data length");
-			goto failed;
-		}
-		data->len -= padding;
-
-		while (padding-- > 0)
-		{
-			if (*pos-- != pattern)
-			{
-				DBG1(DBG_LIB, "wrong padding pattern");
-				goto failed;
-			}
-		}
-	}
-	success = TRUE;
-
-failed:
-	DESTROY_IF(crypter);
-	chunk_clear(&symmetric_key);
-	if (!success)
-	{
-		free(data->ptr);
-	}
-	return success;
-}
-
-/**
- * @brief Builds a contentType attribute
- *
- * @return ASN.1 encoded contentType attribute
- */
-chunk_t pkcs7_contentType_attribute(void)
-{
-	return asn1_wrap(ASN1_SEQUENCE, "mm",
-						asn1_build_known_oid(OID_PKCS9_CONTENT_TYPE),
-						asn1_wrap(ASN1_SET, "m",
-							asn1_build_known_oid(OID_PKCS7_DATA)));
-}
-
-/**
- * @brief Builds a messageDigest attribute
- *
- *
- * @param[in] blob content to create digest of
- * @param[in] digest_alg digest algorithm to be used
- * @return ASN.1 encoded messageDigest attribute
- *
- */
-chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
-{
-	chunk_t digest;
-	hash_algorithm_t hash_alg;
-	hasher_t *hasher;
-
-	hash_alg = hasher_algorithm_from_oid(digest_alg);
-	hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-	hasher->allocate_hash(hasher, content, &digest);
-	hasher->destroy(hasher);
-
-	return asn1_wrap(ASN1_SEQUENCE, "mm",
-				asn1_build_known_oid(OID_PKCS9_MESSAGE_DIGEST),
-				asn1_wrap(ASN1_SET, "m",
-					asn1_wrap(ASN1_OCTET_STRING, "m", digest)));
-}
-
-/**
- * build a DER-encoded contentInfo object
- */
-static chunk_t pkcs7_build_contentInfo(contentInfo_t *cInfo)
-{
-	return (cInfo->content.ptr) ?
-				asn1_wrap(ASN1_SEQUENCE, "mm",
-					asn1_build_known_oid(cInfo->type),
-					asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)) :
-				asn1_build_known_oid(cInfo->type);
-}
-
-/**
- * build issuerAndSerialNumber object
- */
-chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert)
-{
-	identification_t *issuer = cert->get_issuer(cert);
-	x509_t *x509 = (x509_t*)cert;
-
-	return asn1_wrap(ASN1_SEQUENCE, "cm",
-					 issuer->get_encoding(issuer),
-					 asn1_integer("c", x509->get_serial(x509)));
-}
-
-/**
- * create a signed pkcs7 contentInfo object
- */
-chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
-							   certificate_t *cert, int digest_alg,
-							   private_key_t *key)
-{
-	contentInfo_t pkcs7Data, signedData;
-	chunk_t authenticatedAttributes = chunk_empty;
-	chunk_t encryptedDigest = chunk_empty;
-	chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;;
-	signature_scheme_t scheme = signature_scheme_from_oid(digest_alg);
-
-	if (attributes.ptr)
-	{
-		if (key->sign(key, scheme, attributes, &signature))
-		{
-			encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", signature);
-			authenticatedAttributes = chunk_clone(attributes);
-			*authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
-		}
-	}
-	else if (data.ptr)
-	{
-		if (key->sign(key, scheme, data, &signature))
-		{
-			encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", signature);
-		}
-	}
-	signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm"
-				, ASN1_INTEGER_1
-				, pkcs7_build_issuerAndSerialNumber(cert)
-				, asn1_algorithmIdentifier(digest_alg)
-				, authenticatedAttributes
-				, asn1_algorithmIdentifier(OID_RSA_ENCRYPTION)
-				, encryptedDigest);
-
-	pkcs7Data.type    = OID_PKCS7_DATA;
-	pkcs7Data.content = (data.ptr == NULL)? chunk_empty
-				: asn1_simple_object(ASN1_OCTET_STRING, data);
-
-	cert->get_encoding(cert, CERT_ASN1_DER, &encoding);
-	signedData.type = OID_PKCS7_SIGNED_DATA;
-	signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
-				, ASN1_INTEGER_1
-				, asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_alg))
-				, pkcs7_build_contentInfo(&pkcs7Data)
-				, asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding)
-				, asn1_wrap(ASN1_SET, "m", signerInfo));
-
-	cInfo = pkcs7_build_contentInfo(&signedData);
-	DBG3(DBG_LIB, "signedData %B", &cInfo);
-
-	free(pkcs7Data.content.ptr);
-	free(signedData.content.ptr);
-	return cInfo;
-}
-
-/**
- * create a symmetrically encrypted pkcs7 contentInfo object
- */
-chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg)
-{
-	encryption_algorithm_t alg;
-	size_t alg_key_size;
-	chunk_t symmetricKey, protectedKey, iv, in, out;
-	crypter_t *crypter;
-
-	alg = encryption_algorithm_from_oid(enc_alg, &alg_key_size);
-	crypter = lib->crypto->create_crypter(lib->crypto, alg,
-										  alg_key_size/BITS_PER_BYTE);
-	if (crypter == NULL)
-	{
-		DBG1(DBG_LIB, "crypter for %N not available", encryption_algorithm_names, alg);
-		return chunk_empty;
-	}
-
-	/* generate a true random symmetric encryption key and a pseudo-random iv */
-	{
-		rng_t *rng;
-
-		rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
-		rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
-		DBG4(DBG_LIB, "symmetric encryption key %B", &symmetricKey);
-		rng->destroy(rng);
-
-		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		rng->allocate_bytes(rng, crypter->get_iv_size(crypter), &iv);
-		DBG4(DBG_LIB, "initialization vector: %B", &iv);
-		rng->destroy(rng);
-	}
-
-	/* pad the data to a multiple of the block size */
-	{
-		size_t block_size = crypter->get_block_size(crypter);
-		size_t padding = block_size - data.len % block_size;
-
-		in.len = data.len + padding;
-		in.ptr = malloc(in.len);
-
-		DBG2(DBG_LIB, "padding %u bytes of data to multiple block size of %u bytes",
-			 data.len, in.len);
-
-		/* copy data */
-		memcpy(in.ptr, data.ptr, data.len);
-		/* append padding */
-		memset(in.ptr + data.len, padding, padding);
-	}
-	DBG3(DBG_LIB, "padded unencrypted data %B", &in);
-
-	/* symmetric encryption of data object */
-	crypter->set_key(crypter, symmetricKey);
-	crypter->encrypt(crypter, in, iv, &out);
-	crypter->destroy(crypter);
-	chunk_clear(&in);
-    DBG3(DBG_LIB, "encrypted data %B", &out);
-
-	/* protect symmetric key by public key encryption */
-	{
-		public_key_t *key = cert->get_public_key(cert);
-
-		if (key == NULL)
-		{
-			DBG1(DBG_LIB, "public key not found in encryption certificate");
-			chunk_clear(&symmetricKey);
-			chunk_free(&iv);
-			chunk_free(&out);
-			return chunk_empty;
-		}
-		key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey);
-		key->destroy(key);
-	}
-
-	/* build pkcs7 enveloped data object */
-	{
-
-		chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm"
-					, asn1_build_known_oid(enc_alg)
-					, asn1_simple_object(ASN1_OCTET_STRING, iv));
-
-		chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm"
-					, asn1_build_known_oid(OID_PKCS7_DATA)
-					, contentEncryptionAlgorithm
-					, asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
-
-		chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
-					, protectedKey);
-
-		chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm"
-					, ASN1_INTEGER_0
-					, pkcs7_build_issuerAndSerialNumber(cert)
-					, asn1_algorithmIdentifier(OID_RSA_ENCRYPTION)
-					, encryptedKey);
-
-		chunk_t cInfo;
-		contentInfo_t envelopedData;
-
-		envelopedData.type = OID_PKCS7_ENVELOPED_DATA;
-		envelopedData.content = asn1_wrap(ASN1_SEQUENCE, "cmm"
-					, ASN1_INTEGER_0
-					, asn1_wrap(ASN1_SET, "m", recipientInfo)
-					, encryptedContentInfo);
-
-		cInfo = pkcs7_build_contentInfo(&envelopedData);
-		DBG3(DBG_LIB, "envelopedData %B", &cInfo);
-
-		chunk_free(&envelopedData.content);
-		chunk_free(&iv);
-		chunk_clear(&symmetricKey);
-		return cInfo;
-	}
-}
diff --git a/src/pluto/pkcs7.h b/src/pluto/pkcs7.h
deleted file mode 100644
index 1743ea9c4..000000000
--- a/src/pluto/pkcs7.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* Support of PKCS#7 data structures
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Copyright (C) 2002-2009 Andreas Steffen
- *
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _PKCS7_H
-#define _PKCS7_H
-
-#include <utils/linked_list.h>
-#include <crypto/crypters/crypter.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/certificates/certificate.h>
-
-/* Access structure for a PKCS#7 ContentInfo object */
-
-typedef struct contentInfo contentInfo_t;
-
-struct contentInfo {
-	int     type;
-	chunk_t content;
-};
-
-extern const contentInfo_t empty_contentInfo;
-
-extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0,
-									contentInfo_t *cInfo);
-extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data,
-								   linked_list_t *cert, chunk_t *attributes,
-								   certificate_t *cacert);
-extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
-									  chunk_t serialNumber, private_key_t *key);
-extern chunk_t pkcs7_contentType_attribute(void);
-extern chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg);
-extern chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert);
-extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
-									  certificate_t *cert, int digest_alg,
-									  private_key_t *key);
-extern chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert,
-										 int enc_alg);
-
-#endif /* _PKCS7_H */
diff --git a/src/pluto/plugin_list.c b/src/pluto/plugin_list.c
deleted file mode 100644
index 499218904..000000000
--- a/src/pluto/plugin_list.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi, revosec AG
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <whack.h>
-#include <log.h>
-
-#include <library.h>
-#include <utils/linked_list.h>
-
-/**
- * List loaded plugin information
- */
-void plugin_list(void)
-{
-	plugin_feature_t *features, *fp;
-	enumerator_t *enumerator;
-	linked_list_t *list;
-	plugin_t *plugin;
-	int count, i;
-	bool loaded;
-	char *str;
-
-	whack_log(RC_COMMENT, " ");
-	whack_log(RC_COMMENT, "List of loaded Plugins:");
-	whack_log(RC_COMMENT, " ");
-
-	enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
-	while (enumerator->enumerate(enumerator, &plugin, &list))
-	{
-		whack_log(RC_COMMENT, "%s:", plugin->get_name(plugin));
-		if (plugin->get_features)
-		{
-			count = plugin->get_features(plugin, &features);
-			for (i = 0; i < count; i++)
-			{
-				str = plugin_feature_get_string(&features[i]);
-				switch (features[i].kind)
-				{
-					case FEATURE_PROVIDE:
-						fp = &features[i];
-						loaded = list->find_first(list, NULL,
-												  (void**)&fp) == SUCCESS;
-						whack_log(RC_COMMENT, "    %s%s",
-								  str, loaded ? "" : " (not loaded)");
-						break;
-					case FEATURE_DEPENDS:
-						whack_log(RC_COMMENT, "        %s", str);
-						break;
-					case FEATURE_SDEPEND:
-						whack_log(RC_COMMENT, "        %s(soft)", str);
-						break;
-					default:
-						break;
-				}
-				free(str);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-}
diff --git a/src/pluto/plugin_list.h b/src/pluto/plugin_list.h
deleted file mode 100644
index 62e4a167d..000000000
--- a/src/pluto/plugin_list.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* Generates a list of all loaded plugins and their dependencies
- * Copyright (C) 2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _PLUGIN_LIST_H
-#define _PLUGIN_LIST_H
-
-extern void plugin_list(void);
-
-#endif /* _PLUGIN_LIST_H */
diff --git a/src/pluto/plugins/xauth/Makefile.am b/src/pluto/plugins/xauth/Makefile.am
deleted file mode 100644
index 354325b35..000000000
--- a/src/pluto/plugins/xauth/Makefile.am
+++ /dev/null
@@ -1,15 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-		   -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \
-		   -I$(top_srcdir)/src/pluto
-
-AM_CFLAGS = -rdynamic
-
-plugin_LTLIBRARIES = libstrongswan-xauth.la
-
-libstrongswan_xauth_la_SOURCES = \
-	xauth_plugin.h xauth_plugin.c \
-	xauth_default_provider.c xauth_default_provider.h \
-	xauth_default_verifier.c xauth_default_verifier.h
-
-libstrongswan_xauth_la_LDFLAGS = -module -avoid-version
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
deleted file mode 100644
index 5a575548e..000000000
--- a/src/pluto/plugins/xauth/Makefile.in
+++ /dev/null
@@ -1,603 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-subdir = src/pluto/plugins/xauth
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(plugindir)"
-LTLIBRARIES = $(plugin_LTLIBRARIES)
-libstrongswan_xauth_la_LIBADD =
-am_libstrongswan_xauth_la_OBJECTS = xauth_plugin.lo \
-	xauth_default_provider.lo xauth_default_verifier.lo
-libstrongswan_xauth_la_OBJECTS = $(am_libstrongswan_xauth_la_OBJECTS)
-libstrongswan_xauth_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(libstrongswan_xauth_la_LDFLAGS) $(LDFLAGS) -o $@
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_xauth_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_xauth_la_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-		   -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \
-		   -I$(top_srcdir)/src/pluto
-
-AM_CFLAGS = -rdynamic
-plugin_LTLIBRARIES = libstrongswan-xauth.la
-libstrongswan_xauth_la_SOURCES = \
-	xauth_plugin.h xauth_plugin.c \
-	xauth_default_provider.c xauth_default_provider.h \
-	xauth_default_verifier.c xauth_default_verifier.h
-
-libstrongswan_xauth_la_LDFLAGS = -module -avoid-version
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
-	}
-
-uninstall-pluginLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
-	done
-
-clean-pluginLTLIBRARIES:
-	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
-	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libstrongswan-xauth.la: $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_DEPENDENCIES) 
-	$(libstrongswan_xauth_la_LINK) -rpath $(plugindir) $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_provider.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_verifier.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_plugin.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES)
-installdirs:
-	for dir in "$(DESTDIR)$(plugindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-pluginLTLIBRARIES
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-pluginLTLIBRARIES
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libtool clean-pluginLTLIBRARIES ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-pluginLTLIBRARIES \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/pluto/plugins/xauth/xauth_default_provider.c b/src/pluto/plugins/xauth/xauth_default_provider.c
deleted file mode 100644
index 77c5facc4..000000000
--- a/src/pluto/plugins/xauth/xauth_default_provider.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <keys.h>
-
-#include "xauth_default_provider.h"
-
-typedef struct private_xauth_default_provider_t private_xauth_default_provider_t;
-
-/**
- * private data of xauth_default_provider
- */
-struct private_xauth_default_provider_t {
-
-	/**
-	 * public functions
-	 */
-	xauth_provider_t public;
-};
-
-METHOD(xauth_provider_t, get_secret, bool,
-	private_xauth_default_provider_t *this, connection_t *c, chunk_t *secret)
-{
-	identification_t *user, *server;
-
-	server = c->spd.that.id;
-	user = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id;
-
-	return get_xauth_secret(user, server, secret);
-}
-
-METHOD(xauth_provider_t, destroy, void,
-	private_xauth_default_provider_t *this)
-{
-	free(this);
-}
-
-/*
- * Described in header.
- */
-xauth_provider_t *xauth_default_provider_create()
-{
-	private_xauth_default_provider_t *this;
-
-	INIT(this,
-		.public = {
-			.get_secret = _get_secret,
-			.destroy = _destroy,
-		 }
-	);
-
-	return &this->public;
-}
-
diff --git a/src/pluto/plugins/xauth/xauth_default_provider.h b/src/pluto/plugins/xauth/xauth_default_provider.h
deleted file mode 100644
index ff1a91d16..000000000
--- a/src/pluto/plugins/xauth/xauth_default_provider.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth_default_provider xauth_default_provider
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_DEFAULT_PROVIDER_H_
-#define XAUTH_DEFAULT_PROVIDER_H_
-
-#include <xauth/xauth_provider.h>
-
-
-/**
- * Create an xauth_default_provider instance.
- */
-xauth_provider_t *xauth_default_provider_create();
-
-#endif /** XAUTH_DEFAULT_PROVIDER_H_ @}*/
-
diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.c b/src/pluto/plugins/xauth/xauth_default_verifier.c
deleted file mode 100644
index ca2e36aa0..000000000
--- a/src/pluto/plugins/xauth/xauth_default_verifier.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <keys.h>
-
-#include "xauth_default_verifier.h"
-
-typedef struct private_xauth_default_verifier_t private_xauth_default_verifier_t;
-
-/**
- * private data of xauth_default_verifier
- */
-struct private_xauth_default_verifier_t {
-
-	/**
-	 * public functions
-	 */
-	xauth_verifier_t public;
-};
-
-METHOD(xauth_verifier_t, verify_secret, bool,
-	private_xauth_default_verifier_t *this, connection_t *c, chunk_t secret)
-{
-	identification_t *user, *server;
-	chunk_t xauth_secret;
-	bool success = FALSE;
-
-	server = c->spd.this.id;
-	user = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
-
-	if (get_xauth_secret(user, server, &xauth_secret))
-	{
-		success = chunk_equals(secret, xauth_secret);
-
-		if (!success && secret.len && secret.ptr[secret.len - 1] == 0)
-		{	/* fix for null-terminated passwords (e.g. from Android 4) */
-			secret.len--;
-			success = chunk_equals(secret, xauth_secret);
-		}
-
-		chunk_clear(&xauth_secret);
-	}
-	return success;
-}
-
-METHOD(xauth_verifier_t, destroy, void,
-	private_xauth_default_verifier_t *this)
-{
-	free(this);
-}
-
-
-/*
- * Described in header.
- */
-xauth_verifier_t *xauth_default_verifier_create()
-{
-	private_xauth_default_verifier_t *this;
-
-	INIT(this,
-		.public = {
-			.verify_secret = _verify_secret,
-			.destroy = _destroy,
-		 }
-	);
-
-	return &this->public;
-}
-
diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.h b/src/pluto/plugins/xauth/xauth_default_verifier.h
deleted file mode 100644
index e5814d7b4..000000000
--- a/src/pluto/plugins/xauth/xauth_default_verifier.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth_default_verifier xauth_default_verifier
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_DEFAULT_VERIFIER_H_
-#define XAUTH_DEFAULT_VERIFIER_H_
-
-#include <xauth/xauth_verifier.h>
-
-
-/**
- * Create an xauth_default_verifier instance.
- */
-xauth_verifier_t *xauth_default_verifier_create();
-
-#endif /** XAUTH_DEFAULT_VERIFIER_H_ @}*/
-
diff --git a/src/pluto/plugins/xauth/xauth_plugin.c b/src/pluto/plugins/xauth/xauth_plugin.c
deleted file mode 100644
index bfc4820ed..000000000
--- a/src/pluto/plugins/xauth/xauth_plugin.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <pluto.h>
-
-#include "xauth_plugin.h"
-#include "xauth_default_provider.h"
-#include "xauth_default_verifier.h"
-
-METHOD(plugin_t, get_name, char*,
-	xauth_plugin_t *this)
-{
-	return "xauth";
-}
-
-METHOD(plugin_t, destroy, void,
-	xauth_plugin_t *this)
-{
-	free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *xauth_plugin_create()
-{
-	xauth_plugin_t *this;
-
-	INIT(this,
-		.plugin = {
-			.get_name = _get_name,
-			.reload = (void*)return_false,
-			.destroy = _destroy,
-		},
-	);
-
-	pluto->xauth->add_provider(pluto->xauth, xauth_default_provider_create());
-	pluto->xauth->add_verifier(pluto->xauth, xauth_default_verifier_create());
-
-	return &this->plugin;
-}
-
diff --git a/src/pluto/plugins/xauth/xauth_plugin.h b/src/pluto/plugins/xauth/xauth_plugin.h
deleted file mode 100644
index 4f14828d2..000000000
--- a/src/pluto/plugins/xauth/xauth_plugin.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth xauth
- * @ingroup pplugins
- *
- * @defgroup xauth_plugin xauth_plugin
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_PLUGIN_H_
-#define XAUTH_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct xauth_plugin_t xauth_plugin_t;
-
-/**
- * XAUTH plugin
- */
-struct xauth_plugin_t {
-
-	/**
-	 * implements plugin interface
-	 */
-	plugin_t plugin;
-};
-
-#endif /** XAUTH_PLUGIN_H_ @}*/
diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8
deleted file mode 100644
index ed6f78050..000000000
--- a/src/pluto/pluto.8
+++ /dev/null
@@ -1,1594 +0,0 @@
-.TH IPSEC_PLUTO 8 "28 March 1999"
-.SH NAME
-pluto \- IPsec IKE keying daemon and control interface
-.PP
-whack \- control interface for IKE keying daemon
-.SH SYNOPSIS
-.na
-.nh
-.HP
-.ft B
-ipsec pluto
-[\-\-help]
-[\-\-version]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-nofork]
-[\-\-stderrlog]
-[\-\-uniqueids]
-[\fB\-\-interface\fP \fIinterfacename\fP]
-[\-\-ikeport\ \c
-\fIportnumber\fP]
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-secretsfile\ \c
-\fIsecrets\(hyfile\fP]
-[\-\-adns \fIpathname\fP]
-[\-\-lwdnsq \fIpathname\fP]
-[\-\-perpeerlog]
-[\-\-perpeerlogbase\ \c
-\fIdirname\fP]
-[\-\-debug\(hynone]
-[\-\-debug\(hyall]
-[\-\-debug\(hyraw]
-[\-\-debug\(hycrypt]
-[\-\-debug\(hyparsing]
-[\-\-debug\(hyemitting]
-[\-\-debug\(hycontrol]
-[\-\-debug\(hylifecycle]
-[\-\-debug\(hykernel]
-[\-\-debug\(hydns]
-[\-\-debug\(hyoppo]
-[\-\-debug\(hyprivate]
-.HP
-.ft B
-ipsec whack
-[\-\-help]
-[\-\-version]
-.HP
-.ft B
-ipsec whack
-\-\-name\ \c
-\fIconnection-name\fP
-.br
-[\-\-id\ \c
-\fIid\fP] \c
-[\-\-host\ \c
-\fIip\(hyaddress\fP]
-[\-\-ikeport\ \c
-\fIport\(hynumber\fP]
-[\-\-nexthop\ \c
-\fIip\(hyaddress\fP]
-[\-\-client\ \c
-\fIsubnet\fP]
-[\-\-dnskeyondemand]
-[\-\-updown\ \c
-\fIupdown\fP]
-.br
-\-\-to
-.br
-[\-\-id\ \c
-\fIid\fP]
-[\-\-host\ \c
-\fIip\(hyaddress\fP]
-[\-\-ikeport\ \c
-\fIport\(hynumber\fP]
-[\-\-nexthop\ \c
-\fIip\(hyaddress\fP]
-[\-\-client\ \c
-\fIsubnet\fP]
-[\-\-dnskeyondemand]
-[\-\-updown\ \c
-\fIupdown\fP]
-.br
-[\-\-psk]
-[\-\-rsasig]
-[\-\-encrypt]
-[\-\-authenticate]
-[\-\-compress]
-[\-\-tunnel]
-[\-\-pfs]
-[\-\-disablearrivalcheck]
-[\-\-ipv4]
-[\-\-ipv6]
-[\-\-tunnelipv4]
-[\-\-tunnelipv6]
-[\-\-ikelifetime\ \c
-\fIseconds\fP]
-[\-\-ipseclifetime\ \c
-\fIseconds\fP]
-[\-\-rekeymargin\ \c
-\fIseconds\fP]
-[\-\-rekeyfuzz\ \c
-\fIpercentage\fP]
-[\-\-keyingtries\ \c
-\fIcount\fP]
-[\-\-dontrekey]
-[\-\-delete]
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-\-\-keyid\ \c
-\fIid\fP
-[\-\-addkey]
-[\-\-pubkeyrsa\ \c
-\fIkey\fP]
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-\-\-myid\ \c
-\fIid\fP
-.HP
-.ft B
-ipsec whack
-\-\-listen|\-\-unlisten
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-\-\-route|\-\-unroute
-\-\-name\ \c
-\fIconnection-name\fP
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-\-\-initiate|\-\-terminate
-\-\-name\ \c
-\fIconnection-name\fP
-[\-\-asynchronous]
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-[\-\-tunnelipv4]
-[\-\-tunnelipv6]
-\-\-oppohere \fIip\(hyaddress\fP
-\-\-oppothere \fIip\(hyaddress\fP
-.HP
-.ft B
-ipsec whack
-\-\-delete
-\-\-name\ \c
-\fIconnection-name\fP
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-\-\-deletestate\ \c
-\fIstate-number\fP
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-[\-\-name\ \c
-\fIconnection-name\fP]
-[\-\-debug\(hynone]
-[\-\-debug\(hyall]
-[\-\-debug\(hyraw]
-[\-\-debug\(hycrypt]
-[\-\-debug\(hyparsing]
-[\-\-debug\(hyemitting]
-[\-\-debug\(hycontrol]
-[\-\-debug\(hylifecycle]
-[\-\-debug\(hykernel]
-[\-\-debug\(hydns]
-[\-\-debug\(hyoppo]
-[\-\-debug\(hyprivate]
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-\-\-status
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.HP
-.ft B
-ipsec whack
-\-\-shutdown
-[\-\-ctlbase\ \c
-\fIpath\fP]
-[\-\-optionsfrom\ \c
-\fIfilename\fP]
-[\-\-label\ \c
-\fIstring\fP]
-.ft R
-.hy
-.ad
-.SH DESCRIPTION
-.BR pluto
-is an IKE (``IPsec Key Exchange'') daemon.
-.BR whack
-is an auxiliary program to allow requests to be made to a running
-.BR pluto .
-.LP
-.BR pluto
-is used to automatically build shared ``security associations'' on a
-system that has IPsec, the secure IP protocol.
-In other words,
-.BR pluto
-can eliminate much of the work of manual keying.
-The actual
-secure transmission of packets is the responsibility of the Linux kernel.
-\fIipsec_auto\fP(8) provides a more convenient interface to
-\fBpluto\fP and \fBwhack\fP.
-.SS IKE's Job
-.LP
-A \fISecurity Association\fP (\fISA\fP) is an agreement between two network nodes on
-how to process certain traffic between them.  This processing involves
-encapsulation, authentication, encryption, or compression.
-.LP
-IKE can be deployed on a network node to negotiate Security
-Associations for that node.  These IKE implementations can only
-negotiate with other IKE implementations, so IKE must be on each node
-that is to be an endpoint of an IKE-negotiated Security Association.
-No other nodes need to be running IKE.
-.LP
-An IKE instance (i.e. an IKE implementation on a particular network
-node) communicates with another IKE instance using UDP IP packets, so
-there must be a route between the nodes in each direction.
-.LP
-The negotiation of Security Associations requires a number of choices
-that involve tradeoffs between security, convenience, trust, and
-efficiency.  These are policy issues and are normally specified to the
-IKE instance by the system administrator.
-.LP
-IKE deals with two kinds of Security Associations.  The first part of
-a negotiation between IKE instances is to build an ISAKMP SA.  An
-ISAKMP SA is used to protect communication between the two IKEs.
-IPsec SAs can then be built by the IKEs \- these are used to carry
-protected IP traffic between the systems.
-.LP
-The negotiation of the ISAKMP SA is known as Phase 1.  In theory,
-Phase 1 can be accomplished by a couple of different exchange types,
-but we only implement one called Main Mode (we don't implement
-Aggressive Mode).
-.LP
-Any negotiation under the protection of an ISAKMP SA, including the
-negotiation of IPsec SAs, is part of Phase 2.  The exchange type
-that we use to negotiate an IPsec SA is called Quick Mode.
-.LP
-IKE instances must be able to authenticate each other as part of their
-negotiation of an ISAKMP SA.  This can be done by several mechanisms
-described in the draft standards.
-.LP
-IKE negotiation can be initiated by any instance with any other.  If
-both can find an agreeable set of characteristics for a Security
-Association, and both recognize each others authenticity, they can set
-up a Security Association.  The standards do not specify what causes
-an IKE instance to initiate a negotiation.
-.LP
-In summary, an IKE instance is prepared to automate the management of
-Security Associations in an IPsec environment, but a number of issues
-are considered policy and are left in the system administrator's hands.
-.SS Pluto
-.LP
-\fBpluto\fP is an implementation of IKE.  It runs as a daemon on a network
-node.  Currently, this network node must be a Linux 2.6 system running the
-native \fBNETKEY\fP IPsec stack.
-.LP
-\fBpluto\fP only implements a subset of IKE.  This is enough for it to
-interoperate with other instances of \fBpluto\fP, and many other IKE
-implementations.  We are working on implementing more of IKE.
-.LP
-The policy for acceptable characteristics for Security Associations is
-mostly hardwired into the code of \fBpluto\fP (spdb.c).  Eventually
-this will be moved into a security policy database with reasonable
-expressive power and more convenience.
-.LP
-\fBpluto\fP uses shared secrets or RSA signatures to authenticate
-peers with whom it is negotiating.
-.LP
-\fBpluto\fP initiates negotiation of a Security Association when it is
-manually prodded: the program \fBwhack\fP is run to trigger this.
-It will also initiate a negotiation when the Linux kernel traps an outbound
-packet for Opportunistic Encryption.
-.LP
-\fBpluto\fP implements ISAKMP SAs itself.  After it has negotiated the
-characteristics of an IPsec SA, it directs the Linux kernel to implement it.
-It also invokes a script to adjust any firewall and issue \fIroute\fP(8)
-commands.
-.LP
-When \fBpluto\fP shuts down, it closes all Security Associations.
-.SS Before Running Pluto
-.LP
-\fBpluto\fP runs as a daemon with userid root.  Before running it, a few
-things must be set up.
-.LP
-\fBpluto\fP requires a Linux 2.6 kernel with the modules for the native IPsec
-stack enabled.
-.LP
-\fBpluto\fP supports multiple public networks (that is, networks
-that are considered insecure and thus need to have their traffic
-encrypted or authenticated).  It discovers the
-public interfaces to use by looking at all interfaces that are
-configured (the \fB\-\-interface\fP option can be used to limit
-the interfaces considered).
-It does this only when \fBwhack\fP tells it to \-\-listen,
-so the interfaces must be configured by then.
-\fIifconfig\fP(8) with the \fB\-a\fP flag will show
-the name and status of each network interface.
-.LP
-\fBpluto\fP requires a database of preshared secrets and RSA private keys.
-This is described in the
-.IR ipsec.secrets (5).
-\fBpluto\fP is told of RSA public keys via \fBwhack\fP commands.
-If the connection is Opportunistic, and no RSA public key is known,
-\fBpluto\fP will attempt to fetch RSA keys using the Domain Name System.
-.SS ipsec.secrets file
-.LP
-A \fBpluto\fP daemon and another IKE daemon (for example, another instance
-of \fBpluto\fP) must convince each other that they are who they are supposed
-to be before any negotiation can succeed.  This authentication is
-accomplished by using either secrets that have been shared beforehand
-(manually) or by using RSA signatures.  There are other techniques,
-but they have not been implemented in \fBpluto\fP.
-.LP
-The file \fI/etc/ipsec.secrets\fP is used to keep preshared secret keys
-and RSA private keys for
-authentication with other IKE daemons.  For debugging, there is an
-argument to the \fBpluto\fP command to use a different file.
-This file is described in
-.IR ipsec.secrets (5).
-.SS Running Pluto
-.LP
-To fire up the daemon, just type \fBpluto\fP (be sure to be running as
-the superuser).
-The default IKE port number is 500, the UDP port assigned by IANA for IKE Daemons.
-\fBpluto\fP must be run by the superuser to be able to use the UDP 500 port.
-.LP
-\fBpluto\fP attempts to create a lockfile with the name
-\fI/var/run/pluto.pid\fP.  If the lockfile cannot be created,
-\fBpluto\fP exits \- this prevents multiple \fBpluto\fPs from
-competing  Any ``leftover'' lockfile must be removed before
-\fBpluto\fP will run.  \fBpluto\fP writes its pid into this file so
-that scripts can find it.  This lock will not function properly if it
-is on an NFS volume (but sharing locks on multiple machines doesn't
-make sense anyway).
-.LP
-\fBpluto\fP then forks and the parent exits.  This is the conventional
-``daemon fork''.  It can make debugging awkward, so there is an option
-to suppress this fork.
-.LP
-All logging, including diagnostics, is sent to
-.IR syslog (3)
-with facility=authpriv;
-it decides where to put these messages (possibly in /var/log/secure).
-Since this too can make debugging awkward, there is an option to
-steer logging to stderr.
-.LP
-If the \fB\-\-perpeerlog\fP option is given, then pluto will open
-a log file per connection. By default, this is in /var/log/pluto/peer,
-in a subdirectory formed by turning all dot (.) [IPv4} or colon (:)
-[IPv6] into slashes (/).
-.LP
-The base directory can be changed with the \fB\-\-perpeerlogbase\fP.
-.LP
-Once \fBpluto\fP is started, it waits for requests from \fBwhack\fP.
-.SS Pluto's Internal State
-.LP
-To understand how to use \fBpluto\fP, it is helpful to understand a little
-about its internal state.  Furthermore, the terminology is needed to decipher
-some of the diagnostic messages.
-.LP
-The \fI(potential) connection\fP database describes attributes of a
-connection.  These include the IP addresses of the hosts and client
-subnets and the security characteristics desired.  \fBpluto\fP
-requires this information (simply called a connection) before it can
-respond to a request to build an SA.  Each connection is given a name
-when it is created, and all references are made using this name.
-.LP
-During the IKE exchange to build an SA, the information about the
-negotiation is represented in a \fIstate object\fP.  Each state object
-reflects how far the negotiation has reached.  Once the negotiation is
-complete and the SA established, the state object remains to represent
-the SA.  When the SA is terminated, the state object is discarded.
-Each State object is given a serial number and this is used to refer
-to the state objects in logged messages.
-.LP
-Each state object corresponds to a connection and can be thought of
-as an instantiation of that connection.
-At any particular time, there may be any number of state objects
-corresponding to a particular connection.
-Often there is one representing an ISAKMP SA and another representing
-an IPsec SA.
-.LP
-Each connection may be routed, and must be while it has an IPsec SA.
-The connection specifies the characteristics of the route: the
-interface on this machine, the ``gateway'' (the nexthop),
-and the peer's client subnet.  Two
-connections may not be simultaneously routed if they are for the same
-peer's client subnet but use different interfaces or gateways
-(\fBpluto\fP's logic does not reflect any advanced routing capabilities).
-.LP
-Each eroute is associated with the state object for an IPsec SA
-because it has the particular characteristics of the SA.
-Two eroutes conflict if they specify the identical local
-and remote clients (unlike for routes, the local clients are
-taken into account).
-.LP
-When \fBpluto\fP needs to install a route for a connection,
-it must make sure that no conflicting route is in use.  If another
-connection has a conflicting route, that route will be taken down, as long
-as there is no IPsec SA instantiating that connection.
-If there is such an IPsec SA, the attempt to install a route will fail.
-.LP
-There is an exception.  If \fBpluto\fP, as Responder, needs to install
-a route to a fixed client subnet for a connection, and there is
-already a conflicting route, then the SAs using the route are deleted
-to make room for the new SAs.  The rationale is that the new
-connection is probably more current.  The need for this usually is a
-product of Road Warrior connections (these are explained later; they
-cannot be used to initiate).
-.LP
-When \fBpluto\fP needs to install an eroute for an IPsec SA (for a
-state object), first the state object's connection must be routed (if
-this cannot be done, the eroute and SA will not be installed).
-If a conflicting eroute is already in place for another connection,
-the eroute and SA will not be installed (but note that the routing
-exception mentioned above may have already deleted potentially conflicting SAs).
-If another IPsec
-SA for the same connection already has an eroute, all its outgoing traffic
-is taken over by the new eroute.  The incoming traffic will still be
-processed.  This characteristic is exploited during rekeying.
-.LP
-Some of these routing characteristics are specific to \fBKLIPS\fP, the FreeS/WAN
-implementation of IPsec and are not relevant when running pluto on the native
-Linux 2.6 IPsec stack.
-.SS Using Whack
-.LP
-\fBwhack\fP is used to command a running \fBpluto\fP.
-\fBwhack\fP uses a UNIX domain socket to speak to \fBpluto\fP
-(by default, \fI/var/pluto.ctl\fP).
-.LP
-\fBwhack\fP has an intricate argument syntax.
-This syntax allows many different functions to be specified.
-The help form shows the usage or version information.
-The connection form gives \fBpluto\fP a description of a potential connection.
-The public key form informs \fBpluto\fP of the RSA public key for a potential peer.
-The delete form deletes a connection description and all SAs corresponding
-to it.
-The listen form tells \fBpluto\fP to start or stop listening on the public interfaces
-for IKE requests from peers.
-The route form tells \fBpluto\fP to set up routing for a connection;
-the unroute form undoes this.
-The initiate form tells \fBpluto\fP to negotiate an SA corresponding to a connection.
-The terminate form tells \fBpluto\fP to remove all SAs corresponding to a connection,
-including those being negotiated.
-The status form displays the \fBpluto\fP's internal state.
-The debug form tells \fBpluto\fP to change the selection of debugging output
-``on the fly''.  The shutdown form tells
-\fBpluto\fP to shut down, deleting all SAs.
-.LP
-Most options are specific to one of the forms, and will be described
-with that form.  There are three options that apply to all forms.
-.TP
-\fB\-\-ctlbase\fP\ \fIpath\fP
-\fIpath\fP.ctl is used as the UNIX domain socket for talking
-to \fBpluto\fP.
-This option facilitates debugging.
-.TP
-\fB\-\-optionsfrom\fP\ \fIfilename\fP
-adds the contents of the file to the argument list.
-.TP
-\fB\-\-label\fP\ \fIstring\fP
-adds the string to all error messages generated by \fBwhack\fP.
-.LP
-The help form of \fBwhack\fP is self-explanatory.
-.TP
-\fB\-\-help\fP
-display the usage message.
-.TP
-\fB\-\-version\fP
-display the version of \fBwhack\fP.
-.LP
-The connection form describes a potential connection to \fBpluto\fP.
-\fBpluto\fP needs to know what connections can and should be negotiated.
-When \fBpluto\fP is the initiator, it needs to know what to propose.
-When \fBpluto\fP is the responder, it needs to know enough to decide whether
-is is willing to set up the proposed connection.
-.LP
-The description of a potential connection can specify a large number
-of details.  Each connection has a unique name.  This name will appear
-in a updown shell command, so it should not contain punctuation
-that would make the command ill-formed.
-.TP
-\fB\-\-name\fP\ \fIconnection-name\fP
-.LP
-The topology of
-a connection is symmetric, so to save space here is half a picture:
-
-\ \ \ client_subnet<\-\->host:ikeport<\-\->nexthop<\-\-\-
-
-A similar trick is used in the flags.  The same flag names are used for
-both ends.  Those before the \fB\-\-to\fP flag describe the left side
-and those afterwards describe the right side.  When \fBpluto\fP attempts
-to use the connection, it decides whether it is the left side or the right
-side of the connection, based on the IP numbers of its interfaces.
-.TP
-\fB\-\-id\fP\ \fIid\fP
-the identity of the end.  Currently, this can be an IP address (specified
-as dotted quad or as a Fully Qualified Domain Name, which will be resolved
-immediately) or as a Fully Qualified Domain Name itself (prefixed by ``@''
-to signify that it should not be resolved), or as user@FQDN, or as the
-magic value \fB%myid\fP.
-\fBPluto\fP only authenticates the identity, and does not use it for
-addressing, so, for example, an IP address need not be the one to which
-packets are to be sent.  If the option is absent, the
-identity defaults to the IP address specified by \fB\-\-host\fP.
-\fB%myid\fP allows the identity to be separately specified (by the \fBpluto\fP or \fBwhack\fP option \fB\-\-myid\fP
-or by the \fBipsec.conf\fP(5) \fBconfig setup\fP parameter \fPmyid\fP).
-Otherwise, \fBpluto\fP tries to guess what \fB%myid\fP should stand for:
-the IP address of \fB%defaultroute\fP, if it is supported by a suitable TXT record in the reverse domain for that IP address,
-or the system's hostname, if it is supported by a suitable TXT record in its forward domain.
-.\" The identity is transmitted in the IKE protocol, and is what is authenticated.
-.TP
-\fB\-\-host\fP\ \fIip\(hyaddress\fP
-.TP
-\fB\-\-host\fP\ \fB%any\fP
-.TP
-\fB\-\-host\fP\ \fB%opportunistic\fP
-the IP address of the end (generally the public interface).
-If \fBpluto\fP is to act as a responder
-for IKE negotiations initiated from unknown IP addresses (the
-``Road Warrior'' case), the
-IP address should be specified as \fB%any\fP (currently,
-the obsolete notation \fB0.0.0.0\fP is also accepted for this).
-If \fBpluto\fP is to opportunistically initiate the connection,
-use \fB%opportunistic\fP
-.TP
-\fB\-\-ikeport\fP\ \fIport\(hynumber\fP
-the UDP port that IKE listens to on that host.  The default is 500.
-(\fBpluto\fP on this machine uses the port specified by its own command
-line argument, so this only affects where \fBpluto\fP sends messages.)
-.TP
-\fB\-\-nexthop\fP\ \fIip\(hyaddress\fP
-where to route packets for the peer's client (presumably for the peer too,
-but it will not be used for this).
-When \fBpluto\fP installs an IPsec SA, it issues a route command.
-It uses the nexthop as the gateway.
-The default is the peer's IP address (this can be explicitly written as
-\fB%direct\fP; the obsolete notation \fB0.0.0.0\fP is accepted).
-This option is necessary if \fBpluto\fP's host's interface used for sending
-packets to the peer is neither point-to-point nor directly connected to the
-peer.
-.TP
-\fB\-\-client\fP\ \fIsubnet\fP
-the subnet for which the IPsec traffic will be destined.  If not specified,
-the host will be the client.
-The subnet can be specified in any of the forms supported by \fIipsec_atosubnet\fP(3).
-The general form is \fIaddress\fP/\fImask\fP.  The \fIaddress\fP can be either
-a domain name or four decimal numbers (specifying octets) separated by dots.
-The most convenient form of the \fImask\fP is a decimal integer, specifying
-the number of leading one bits in the mask.  So, for example, 10.0.0.0/8
-would specify the class A network ``Net 10''.
-.TP
-\fB\-\-dnskeyondemand]\fP
-specifies that when an RSA public key is needed to authenticate this
-host, and it isn't already known, fetch it from DNS.
-.TP
-\fB\-\-updown\fP\ \fIupdown\fP
-specifies an external shell command to be run whenever \fBpluto\fP
-brings up or down a connection.
-The script is used to build a shell command, so it may contain positional
-parameters, but ought not to have punctuation that would cause the
-resulting command to be ill-formed.
-The default is \fIipsec _updown\fP.
-.TP
-\fB\-\-to\fP
-separates the specification of the left and right ends of the connection.
-.LP
-The potential connection description also specifies characteristics of
-rekeying and security.
-.TP
-\fB\-\-psk\fP
-Propose and allow preshared secret authentication for IKE peers.  This authentication
-requires that each side use the same secret.  May be combined with \fB\-\-rsasig\fP;
-at least one must be specified.
-.TP
-\fB\-\-rsasig\fP
-Propose and allow RSA signatures for authentication of IKE peers.  This authentication
-requires that each side have have a private key of its own and know the
-public key of its peer.  May be combined with \fB\-\-psk\fP;
-at least one must be specified.
-.TP
-\fB\-\-encrypt\fP
-All proposed or accepted IPsec SAs will include non-null ESP.
-The actual choices of transforms are wired into \fBpluto\fP.
-.TP
-\fB\-\-authenticate\fP
-All proposed IPsec SAs will include AH.
-All accepted IPsec SAs will include AH or ESP with authentication.
-The actual choices of transforms are wired into \fBpluto\fP.
-Note that this has nothing to do with IKE authentication.
-.TP
-\fB\-\-compress\fP
-All proposed IPsec SAs will include IPCOMP (compression).
-This will be ignored if the kernel is not configured with IPCOMP support.
-.TP
-\fB\-\-tunnel\fP
-the IPsec SA should use tunneling.  Implicit if the SA is for clients.
-Must only be used with \fB\-\-authenticate\fP or \fB\-\-encrypt\fP.
-.TP
-\fB\-\-ipv4\fP
-The host addresses will be interpreted as IPv4 addresses.  This is the
-default.  Note that for a connection, all host addresses must be of
-the same Address Family (IPv4 and IPv6 use different Address Families).
-.TP
-\fB\-\-ipv6\fP
-The host addresses (including nexthop) will be interpreted as IPv6 addresses.
-Note that for a connection, all host addresses must be of
-the same Address Family (IPv4 and IPv6 use different Address Families).
-.TP
-\fB\-\-tunnelipv4\fP
-The client addresses will be interpreted as IPv4 addresses.  The default is
-to match what the host will be.  This does not imply \fB\-\-tunnel\fP so the
-flag can be safely used when no tunnel is actually specified.
-Note that for a connection, all tunnel addresses must be of the same
-Address Family.
-.TP
-\fB\-\-tunnelipv6\fP
-The client addresses will be interpreted as IPv6 addresses.  The default is
-to match what the host will be.  This does not imply \fB\-\-tunnel\fP so the
-flag can be safely used when no tunnel is actually specified.
-Note that for a connection, all tunnel addresses must be of the same
-Address Family.
-.TP
-\fB\-\-pfs\fP
-There should be Perfect Forward Secrecy \- new keying material will
-be generated for each IPsec SA rather than being derived from the ISAKMP
-SA keying material.
-Since the group to be used cannot be negotiated (a dubious feature of the
-standard), \fBpluto\fP will propose the same group that was used during Phase 1.
-We don't implement a stronger form of PFS which would require that the
-ISAKMP SA be deleted after the IPSEC SA is negotiated.
-.TP
-\fB\-\-disablearrivalcheck\fP
-If the connection is a tunnel, allow packets arriving through the tunnel
-to have any source and destination addresses.
-.LP
-If none of the \fB\-\-encrypt\fP, \fB\-\-authenticate\fP, \fB\-\-compress\fP,
-or \fB\-\-pfs\fP flags is given, the initiating the connection will
-only build an ISAKMP SA.  For such a connection, client subnets have
-no meaning and must not be specified.
-.LP
-More work is needed to allow for flexible policies.  Currently
-policy is hardwired in the source file spdb.c.  The ISAKMP SAs may use
-Oakley groups MODP1024 and MODP1536; 3DES encryption; SHA1-96
-and MD5-96 authentication.  The IPsec SAs may use 3DES and
-MD5-96 or SHA1-96 for ESP, or just MD5-96 or SHA1-96 for AH.
-IPCOMP Compression is always Deflate.
-.TP
-\fB\-\-ikelifetime\fP\ \fIseconds\fP
-how long \fBpluto\fP will propose that an ISAKMP SA be allowed to live.
-The default is 10800 (three hours) and the maximum is 86400 (one day).
-This option will not affect what is accepted.
-\fBpluto\fP will reject proposals that exceed the maximum.
-.TP
-\fB\-\-ipseclifetime\fP\ \fIseconds\fP
-how long \fBpluto\fP will propose that an IPsec SA be allowed to live.
-The default is 3600 (one hour) and the maximum is 86400 (one day).
-This option will not affect what is accepted.
-\fBpluto\fP will reject proposals that exceed the maximum.
-.TP
-\fB\-\-rekeymargin\fP\ \fIseconds\fP
-how long before an SA's expiration should \fBpluto\fP try to negotiate
-a replacement SA.  This will only happen if \fBpluto\fP was the initiator.
-The default is 540 (nine minutes).
-.TP
-\fB\-\-rekeyfuzz\fP\ \fIpercentage\fP
-maximum size of random component to add to rekeymargin, expressed as
-a percentage of rekeymargin.  \fBpluto\fP will select a delay uniformly
-distributed within this range.  By default, the percentage will be 100.
-If greater determinism is desired, specify 0.  It may be appropriate
-for the percentage to be much larger than 100.
-.TP
-\fB\-\-keyingtries\fP\ \fIcount\fP
-how many times \fBpluto\fP should try to negotiate an SA,
-either for the first time or for rekeying.
-A value of 0 is interpreted as a very large number: never give up.
-The default is three.
-.TP
-\fB\-\-dontrekey\fP
-A misnomer.
-Only rekey a connection if we were the Initiator and there was recent
-traffic on the existing connection.
-This applies to Phase 1 and Phase 2.
-This is currently the only automatic way for a connection to terminate.
-It may be useful with Road Warrior or Opportunistic connections.
-.br
-Since SA lifetime negotiation is take-it-or-leave it, a Responder
-normally uses the shorter of the negotiated or the configured lifetime.
-This only works because if the lifetime is shorter than negotiated,
-the Responder will rekey in time so that everything works.
-This interacts badly with \fB\-\-dontrekey\fP.  In this case,
-the Responder will end up rekeying to rectify a shortfall in an IPsec SA
-lifetime; for an ISAKMP SA, the Responder will accept the negotiated
-lifetime.
-.TP
-\fB\-\-delete\fP
-when used in the connection form, it causes any previous connection
-with this name to be deleted before this one is added.  Unlike a
-normal delete, no diagnostic is produced if there was no previous
-connection to delete.  Any routing in place for the connection is undone.
-.LP
-The delete form deletes a named connection description and any
-SAs established or negotiations initiated using this connection.
-Any routing in place for the connection is undone.
-.TP
-\fB\-\-delete\fP
-.TP
-\fB\-\-name\fP\ \fIconnection-name\fP
-.LP
-The deletestate form deletes the state object with the specified serial number.
-This is useful for selectively deleting instances of connections.
-.TP
-\fB\-\-deletestate\fP\ \fIstate-number\fP
-.LP
-The route form of the \fBwhack\fP command tells \fBpluto\fP to set up
-routing for a connection.
-Although like a traditional route, it uses an ipsec device as a
-virtual interface.
-Once routing is set up, no packets will be
-sent ``in the clear'' to the peer's client specified in the connection.
-A TRAP shunt eroute will be installed; if outbound traffic is caught,
-Pluto will initiate the connection.
-An explicit \fBwhack\fP route is not always needed: if it hasn't been
-done when an IPsec SA is being installed, one will be automatically attempted.
-.LP
-When a routing is attempted for a connection, there must not already
-be a routing for a different connection with the same subnet but different
-interface or destination, or if
-there is, it must not be being used by an IPsec SA.  Otherwise the
-attempt will fail.
-.TP
-\fB\-\-route\fP
-.TP
-\fB\-\-name\fP\ \fIconnection-name\fP
-.LP
-The unroute form of the \fBwhack\fP command tells \fBpluto\fP to undo
-a routing.  \fBpluto\fP will refuse if an IPsec SA is using the connection.
-If another connection is sharing the same routing, it will be left in place.
-Without a routing, packets will be sent without encryption or authentication.
-.TP
-\fB\-\-unroute\fP
-.TP
-\fB\-\-name\fP\ \fIconnection-name\fP
-.LP
-The initiate form tells \fBpluto\fP to initiate a negotiation with another
-\fBpluto\fP (or other IKE daemon) according to the named connection.
-Initiation requires a route that \fB\-\-route\fP would provide;
-if none is in place at the time an IPsec SA is being installed,
-\fBpluto\fP attempts to set one up.
-.TP
-\fB\-\-initiate\fP
-.TP
-\fB\-\-name\fP\ \fIconnection-name\fP
-.TP
-\fB\-\-asynchronous
-.LP
-The initiate form of the \fBwhack\fP command will relay back from
-\fBpluto\fP status information via the UNIX domain socket (unless
-\-\-asynchronous is specified).  The status information is meant to
-look a bit like that from \fBFTP\fP.  Currently \fBwhack\fP simply
-copies this to stderr.  When the request is finished (eg. the SAs are
-established or \fBpluto\fP gives up), \fBpluto\fP closes the channel,
-causing \fBwhack\fP to terminate.
-.LP
-The opportunistic initiate form is mainly used for debugging.
-.TP
-\fB\-\-tunnelipv4\fP
-.TP
-\fB\-\-tunnelipv6\fP
-.TP
-\fB\-\-oppohere\fP\ \fIip-address\fP
-.TP
-\fB\-\-oppothere\fP\ \fIip-address\fP
-.LP
-This will cause \fBpluto\fP to attempt to opportunistically initiate a
-connection from here to the there, even if a previous attempt
-had been made.
-The whack log will show the progress of this attempt.
-.LP
-The terminate form tells \fBpluto\fP to delete any SAs that use the specified
-connection and to stop any negotiations in process.
-It does not prevent new negotiations from starting (the delete form
-has this effect).
-.TP
-\fB\-\-terminate\fP
-.TP
-\fB\-\-name\fP\ \fIconnection-name\fP
-.LP
-The public key for informs \fBpluto\fP of the RSA public key for a potential peer.
-Private keys must be kept secret, so they are kept in
-.IR ipsec.secrets (5).
-.TP
-\fB\-\-keyid\ \fP\fIid\fP
-specififies the identity of the peer for which a public key should be used.
-Its form is identical to the identity in the connection.
-If no public key is specified, \fBpluto\fP attempts to find KEY records
-from DNS for the id (if a FQDN) or through reverse lookup (if an IP address).
-Note that there several interesting ways in which this is not secure.
-.TP
-\fB\-\-addkey\fP
-specifies that the new key is added to the collection; otherwise the
-new key replaces any old ones.
-.TP
-\fB\-\-pubkeyrsa\ \fP\fIkey\fP
-specifies the value of the RSA public key.  It is a sequence of bytes
-as described in RFC 2537 ``RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)''.
-It is denoted in a way suitable for \fIipsec_ttodata\fP(3).
-For example, a base 64 numeral starts with 0s.
-.LP
-The listen form tells \fBpluto\fP to start listening for IKE requests
-on its public interfaces.  To avoid race conditions, it is normal to
-load the appropriate connections into \fBpluto\fP before allowing it
-to listen.  If \fBpluto\fP isn't listening, it is pointless to
-initiate negotiations, so it will refuse requests to do so.  Whenever
-the listen form is used, \fBpluto\fP looks for public interfaces and
-will notice when new ones have been added and when old ones have been
-removed.  This is also the trigger for \fBpluto\fP to read the
-\fIipsec.secrets\fP file.  So listen may useful more than once.
-.TP
-\fB\-\-listen\fP
-start listening for IKE traffic on public interfaces.
-.TP
-\fB\-\-unlisten\fP
-stop listening for IKE traffic on public interfaces.
-.LP
-The status form will display information about the internal state of
-\fBpluto\fP: information about each potential connection, about
-each state object, and about each shunt that \fBpluto\fP is managing
-without an associated connection.
-.TP
-\fB\-\-status\fP
-.LP
-The shutdown form is the proper way to shut down \fBpluto\fP.
-It will tear down the SAs on this machine that \fBpluto\fP has negotiated.
-It does not inform its peers, so the SAs on their machines remain.
-.TP
-\fB\-\-shutdown\fP
-.SS Examples
-.LP
-It would be normal to start \fBpluto\fP in one of the system initialization
-scripts.  It needs to be run by the superuser.  Generally, no arguments are needed.
-To run in manually, the superuser can simply type
-
-\ \ \ ipsec pluto
-
-The command will immediately return, but a \fBpluto\fP process will be left
-running, waiting for requests from \fBwhack\fP or a peer.
-.LP
-Using \fBwhack\fP, several potential connections would be described:
-.HP
-.na
-\ \ \ ipsec whack \-\-name\ silly
-\-\-host\ 127.0.0.1 \-\-to \-\-host\ 127.0.0.2
-\-\-ikelifetime\ 900 \-\-ipseclifetime\ 800 \-\-keyingtries\ 3
-.ad
-.LP
-Since this silly connection description specifies neither encryption,
-authentication, nor tunneling, it could only be used to establish
-an ISAKMP SA.
-.HP
-.na
-\ \ \ ipsec whack \-\-name\ secret \-\-host\ 10.0.0.1 \-\-client\ 10.0.1.0/24
-\-\-to \-\-host\ 10.0.0.2 \-\-client\ 10.0.2.0/24
-\-\-encrypt
-.ad
-.LP
-This is something that must be done on both sides.  If the other
-side is \fBpluto\fP, the same \fBwhack\fP command could be used on it
-(the command syntax is designed to not distinguish which end is ours).
-.LP
-Now that the connections are specified, \fBpluto\fP is ready to handle
-requests and replies via the public interfaces.  We must tell it to discover
-those interfaces and start accepting messages from peers:
-
-\ \ \ ipsec whack \-\-listen
-.LP
-If we don't immediately wish to bring up a secure connection between
-the two clients, we might wish to prevent insecure traffic.
-The routing form asks \fBpluto\fP to cause the packets sent from
-our client to the peer's client to be routed through the ipsec0
-device; if there is no SA, they will be discarded:
-
-\ \ \ ipsec whack \-\-route secret
-.LP
-Finally, we are ready to get \fBpluto\fP to initiate negotiation
-for an IPsec SA (and implicitly, an ISAKMP SA):
-
-\ \ \ ipsec whack \-\-initiate\ \-\-name\ secret
-
-A small log of interesting events will appear on standard output
-(other logging is sent to syslog).
-.LP
-\fBwhack\fP can also be used to terminate \fBpluto\fP cleanly, tearing down
-all SAs that it has negotiated.
-
-\ \ \ ipsec whack \-\-shutdown
-
-Notification of any IPSEC SA deletion, but not ISAKMP SA deletion
-is sent to the peer.  Unfortunately, such Notification is not reliable.
-Furthermore, \fBpluto\fP itself ignores Notifications.
-.SS The updown command
-.LP
-Whenever \fBpluto\fP brings a connection up or down, it invokes
-the updown command.  This command is specified using the \fB\-\-updown\fP
-option.  This allows for customized control over routing and firewall manipulation.
-.LP
-The updown is invoked for five different operations.  Each of
-these operations can be for our client subnet or for our host itself.
-.TP
-\fBprepare-host\fP or \fBprepare-client\fP
-is run before bringing up a new connection if no other connection
-with the same clients is up.  Generally, this is useful for deleting a
-route that might have been set up before \fBpluto\fP was run or
-perhaps by some agent not known to \fBpluto\fP.
-.TP
-\fBroute-host\fP or \fBroute-client\fP
-is run when bringing up a connection for a new peer client subnet
-(even if \fBprepare-host\fP or \fBprepare-client\fP was run).  The
-command should install a suitable route.  Routing decisions are based
-only on the destination (peer's client) subnet address, unlike eroutes
-which discriminate based on source too.
-.TP
-\fBunroute-host\fP or \fBunroute-client\fP
-is run when bringing down the last connection for a particular peer
-client subnet.  It should undo what the \fBroute-host\fP or \fBroute-client\fP
-did.
-.TP
-\fBup-host\fP or \fBup-client\fP
-is run when bringing up a tunnel eroute with a pair of client subnets
-that does not already have a tunnel eroute.
-This command should install firewall rules as appropriate.
-It is generally a good idea to allow IKE messages (UDP port 500)
-travel between the hosts.
-.TP
-\fBdown-host\fP or \fBdown-client\fP
-is run when bringing down the eroute for a pair of client subnets.
-This command should delete firewall rules as appropriate.  Note that
-there may remain some inbound IPsec SAs with these client subnets.
-.LP
-The script is passed a large number of environment variables to specify
-what needs to be done.
-.TP
-\fBPLUTO_VERSION\fP
-indicates what version of this interface is being used.  This document
-describes version 1.1.  This is upwardly compatible with version 1.0.
-.TP
-\fBPLUTO_VERB\fP
-specifies the name of the operation to be performed
-(\fBprepare-host\fP,r \fBprepare-client\fP,
-\fBup-host\fP, \fBup-client\fP,
-\fBdown-host\fP, or \fBdown-client\fP).  If the address family for
-security gateway to security gateway communications is IPv6, then
-a suffix of \-v6 is added to the verb.
-.TP
-\fBPLUTO_CONNECTION\fP
-is the name of the connection for which we are routing.
-.TP
-\fBPLUTO_NEXT_HOP\fP
-is the next hop to which packets bound for the peer must be sent.
-.TP
-\fBPLUTO_INTERFACE\fP
-is the name of the ipsec interface to be used.
-.TP
-\fBPLUTO_ME\fP
-is the IP address of our host.
-.TP
-\fBPLUTO_MY_CLIENT\fP
-is the IP address / count of our client subnet.
-If the client is just the host, this will be the host's own IP address / max
-(where max is 32 for IPv4 and 128 for IPv6).
-.TP
-\fBPLUTO_MY_CLIENT_NET\fP
-is the IP address of our client net.
-If the client is just the host, this will be the host's own IP address.
-.TP
-\fBPLUTO_MY_CLIENT_MASK\fP
-is the mask for our client net.
-If the client is just the host, this will be 255.255.255.255.
-.TP
-\fBPLUTO_PEER\fP
-is the IP address of our peer.
-.TP
-\fBPLUTO_PEER_CLIENT\fP
-is the IP address / count of the peer's client subnet.
-If the client is just the peer, this will be the peer's own IP address / max
-(where max is 32 for IPv4 and 128 for IPv6).
-.TP
-\fBPLUTO_PEER_CLIENT_NET\fP
-is the IP address of the peer's client net.
-If the client is just the peer, this will be the peer's own IP address.
-.TP
-\fBPLUTO_PEER_CLIENT_MASK\fP
-is the mask for the peer's client net.
-If the client is just the peer, this will be 255.255.255.255.
-.LP
-All output sent by the script to stderr or stdout is logged.  The
-script should return an exit status of 0 if and only if it succeeds.
-.LP
-\fBPluto\fP waits for the script to finish and will not do any other
-processing while it is waiting.
-The script may assume that \fBpluto\fP will not change anything
-while the script runs.
-The script should avoid doing anything that takes much time and it
-should not issue any command that requires processing by \fBpluto\fP.
-Either of these activities could be performed by a background
-subprocess of the script.
-.SS Rekeying
-.LP
-When an SA that was initiated by \fBpluto\fP has only a bit of
-lifetime left,
-\fBpluto\fP will initiate the creation of a new SA.  This applies to
-ISAKMP and IPsec SAs.
-The rekeying will be initiated when the SA's remaining lifetime is
-less than the rekeymargin plus a random percentage, between 0 and
-rekeyfuzz, of the rekeymargin.
-.LP
-Similarly, when an SA that was initiated by the peer has only a bit of
-lifetime left, \fBpluto\fP will try to initiate the creation of a
-replacement.
-To give preference to the initiator, this rekeying will only be initiated
-when the SA's remaining lifetime is half of rekeymargin.
-If rekeying is done by the responder, the roles will be reversed: the
-responder for the old SA will be the initiator for the replacement.
-The former initiator might also initiate rekeying, so there may
-be redundant SAs created.
-To avoid these complications, make sure that rekeymargin is generous.
-.LP
-One risk of having the former responder initiate is that perhaps
-none of its proposals is acceptable to the former initiator
-(they have not been used in a successful negotiation).
-To reduce the chances of this happening, and to prevent loss of security,
-the policy settings are taken from the old SA (this is the case even if
-the former initiator is initiating).
-These may be stricter than those of the connection.
-.LP
-\fBpluto\fP will not rekey an SA if that SA is not the most recent of its
-type (IPsec or ISAKMP) for its potential connection.
-This avoids creating redundant SAs.
-.LP
-The random component in the rekeying time (rekeyfuzz) is intended to
-make certain pathological patterns of rekeying unstable.  If both
-sides decide to rekey at the same time, twice as many SAs as necessary
-are created.  This could become a stable pattern without the
-randomness.
-.LP
-Another more important case occurs when a security gateway has SAs
-with many other security gateways.  Each of these connections might
-need to be rekeyed at the same time.  This would cause a high peek
-requirement for resources (network bandwidth, CPU time, entropy for
-random numbers).  The rekeyfuzz can be used to stagger the rekeying
-times.
-.LP
-Once a new set of SAs has been negotiated, \fBpluto\fP will never send
-traffic on a superseded one.  Traffic will be accepted on an old SA
-until it expires.
-.SS Selecting a Connection When Responding: Road Warrior Support
-.LP
-When \fBpluto\fP receives an initial Main Mode message, it needs to
-decide which connection this message is for.  It picks based solely on
-the source and destination IP addresses of the message.  There might
-be several connections with suitable IP addresses, in which case one
-of them is arbitrarily chosen.  (The ISAKMP SA proposal contained in
-the message could be taken into account, but it is not.)
-.LP
-The ISAKMP SA is negotiated before the parties pass further
-identifying information, so all ISAKMP SA characteristics specified in
-the connection description should be the same for every connection
-with the same two host IP addresses.  At the moment, the only
-characteristic that might differ is authentication method.
-.LP
-Up to this point,
-all configuring has presumed that the IP addresses
-are known to all parties ahead of time.  This will not work
-when either end is mobile (or assigned a dynamic IP address for other
-reasons).  We call this situation ``Road Warrior''.  It is fairly tricky
-and has some important limitations, most of which are features of
-the IKE protocol.
-.LP
-Only the initiator may be mobile:
-the initiator may have an IP number unknown to the responder.  When
-the responder doesn't recognize the IP address on the first Main Mode
-packet, it looks for a connection with itself as one end and \fB%any\fP
-as the other.
-If it cannot find one, it refuses to negotiate.  If it
-does find one, it creates a temporary connection that is a duplicate
-except with the \fB%any\fP replaced by the source IP address from the
-packet; if there was no identity specified for the peer, the new IP
-address will be used.
-.LP
-When \fBpluto\fP is using one of these temporary connections and
-needs to find the preshared secret or RSA private key in \fIipsec.secrets\fP,
-and and the connection specified no identity for the peer, \fB%any\fP
-is used as its identity.  After all, the real IP address was apparently
-unknown to the configuration, so it is unreasonable to require that
-it be used in this table.
-.LP
-Part way into the Phase 1 (Main Mode) negotiation using one of these
-temporary connection descriptions, \fBpluto\fP will be receive an
-Identity Payload.  At this point, \fBpluto\fP checks for a more
-appropriate connection, one with an identity for the peer that matches
-the payload but which would use the same keys so-far used for
-authentication.  If it finds one, it will switch to using this better
-connection (or a temporary derived from this, if it has \fB%any\fP
-for the peer's IP address).  It may even turn out that no connection
-matches the newly discovered identity, including the current connection;
-if so, \fBpluto\fP terminates negotiation.
-.LP
-Unfortunately, if preshared secret authentication is being used, the
-Identity Payload is encrypted using this secret, so the secret must be
-selected by the responder without knowing this payload.  This
-limits there to being at most one preshared secret for all Road Warrior
-systems connecting to a host.  RSA Signature authentications does not
-require that the responder know how to select the initiator's public key
-until after the initiator's Identity Payload is decoded (using the
-responder's private key, so that must be preselected).
-.LP
-When \fBpluto\fP is responding to a Quick Mode negotiation via one of these
-temporary connection descriptions, it may well find that the subnets
-specified by the initiator don't match those in the temporary
-connection description.  If so, it will look for a connection with
-matching subnets, its own host address, a peer address of \fB%any\fP
-and matching identities.
-If it finds one, a new temporary connection is derived from this one
-and used for the Quick Mode negotiation of IPsec SAs.  If it does not
-find one, \fBpluto\fP terminates negotiation.
-.LP
-Be sure to specify an appropriate nexthop for the responder
-to send a message to the initiator: \fBpluto\fP has no way of guessing
-it (if forwarding isn't required, use an explicit \fB%direct\fP as the nexthop
-and the IP address of the initiator will be filled in; the obsolete
-notation \fB0.0.0.0\fP is still accepted).
-.LP
-\fBpluto\fP has no special provision for the initiator side.  The current
-(possibly dynamic) IP address and nexthop must be used in defining
-connections.  These must be
-properly configured each time the initiator's IP address changes.
-\fBpluto\fP has no mechanism to do this automatically.
-.LP
-Although we call this Road Warrior Support, it could also be used to
-support encrypted connections with anonymous initiators.  The
-responder's organization could announce the preshared secret that would be used
-with unrecognized initiators and let anyone connect.  Of course the initiator's
-identity would not be authenticated.
-.LP
-If any Road Warrior connections are supported, \fBpluto\fP cannot
-reject an exchange initiated by an unknown host until it has
-determined that the secret is not shared or the signature is invalid.
-This must await the
-third Main Mode message from the initiator.  If no Road Warrior
-connection is supported, the first message from an unknown source
-would be rejected.  This has implications for ease of debugging
-configurations and for denial of service attacks.
-.LP
-Although a Road Warrior connection must be initiated by the mobile
-side, the other side can and will rekey using the temporary connection
-it has created.  If the Road Warrior wishes to be able to disconnect,
-it is probably wise to set \fB\-\-keyingtries\fP to 1 in the
-connection on the non-mobile side to prevent it trying to rekey the
-connection.  Unfortunately, there is no mechanism to unroute the
-connection automatically.
-.SS Debugging
-.LP
-\fBpluto\fP accepts several optional arguments, useful mostly for debugging.
-Except for \fB\-\-interface\fP, each should appear at most once.
-.TP
-\fB\-\-interface\fP \fIinterfacename\fP
-specifies that the named real public network interface should be considered.
-The interface name specified should not be \fBipsec\fP\fIN\fP.
-If the option doesn't appear, all interfaces are considered.
-To specify several interfaces, use the option once for each.
-One use of this option is to specify which interface should be used
-when two or more share the same IP address.
-.TP
-\fB\-\-ikeport\fP \fIport-number\fP
-changes the UDP port that \fBpluto\fP will use
-(default, specified by IANA: 500)
-.TP
-\fB\-\-ctlbase\fP \fIpath\fP
-basename for control files.
-\fIpath\fP.ctl is the socket through which \fBwhack\fP communicates with
-\fBpluto\fP.
-\fIpath\fP.pid is the lockfile to prevent multiple \fBpluto\fP instances.
-The default is \fI/var/run/pluto\fP).
-.TP
-\fB\-\-secretsfile\fP \fIfile\fP
-specifies the file for authentication secrets
-(default: \fI/etc/ipsec.secrets\fP).
-This name is subject to ``globbing'' as in \fIsh\fP(1),
-so every file with a matching name is processed.
-Quoting is generally needed to prevent the shell from doing the globbing.
-.TP
-\fB\-\-adns\fP \fIpathname\fP
-.TP
-\fB\-\-lwdnsq\fP \fIpathname\fP
-specifies where to find \fBpluto\fP's helper program for asynchronous DNS lookup.
-\fBpluto\fP can be built to use one of two helper programs: \fB_pluto_adns\fP
-or \fBlwdnsq\fP.  You must use the program for which it was built.
-By default, \fBpluto\fP will look for the program in
-\fB$IPSEC_DIR\fP (if that environment variable is defined) or, failing that,
-in the same directory as \fBpluto\fP.
-.TP
-\fB\-\-nofork\fP
-disable ``daemon fork'' (default is to fork).  In addition, after the
-lock file and control socket are created, print the line ``Pluto
-initialized'' to standard out.
-.TP
-\fB\-\-uniqueids\fP
-if this option has been selected, whenever a new ISAKMP SA is
-established, any connection with the same Peer ID but a different
-Peer IP address is unoriented (causing all its SAs to be deleted).
-This helps clean up dangling SAs when a connection is lost and
-then regained at another IP address.
-.TP
-\fB\-\-stderrlog\fP
-log goes to standard out {default is to use \fIsyslogd\fP(8))
-.LP
-\fBpluto\fP is willing to produce a prodigious amount of debugging
-information.  To do so, it must be compiled with \-DDEBUG.  There are
-several classes of debugging output, and \fBpluto\fP may be directed to
-produce a selection of them.  All lines of
-debugging output are prefixed with ``|\ '' to distinguish them from error
-messages.
-.LP
-When \fBpluto\fP is invoked, it may be given arguments to specify
-which classes to output.  The current options are:
-.TP
-\fB\-\-debug-raw\fP
-show the raw bytes of messages
-.TP
-\fB\-\-debug-crypt\fP
-show the encryption and decryption of messages
-.TP
-\fB\-\-debug-parsing\fP
-show the structure of input messages
-.TP
-\fB\-\-debug-emitting\fP
-show the structure of output messages
-.TP
-\fB\-\-debug-control\fP
-show \fBpluto\fP's decision making
-.TP
-\fB\-\-debug-lifecycle\fP
-[this option is temporary] log more detail of lifecycle of SAs
-.TP
-\fB\-\-debug-kernel\fP
-show \fBpluto\fP's interaction with the kernel
-.TP
-\fB\-\-debug-dns\fP
-show \fBpluto\fP's interaction with \fBDNS\fP for KEY and TXT records
-.TP
-\fB\-\-debug-oppo\fP
-show why \fBpluto\fP didn't find a suitable DNS TXT record to authorize opportunistic initiation
-.TP
-\fB\-\-debug-all\fP
-all of the above
-.TP
-\fB\-\-debug-private\fP
-allow debugging output with private keys.
-.TP
-\fB\-\-debug-none\fP
-none of the above
-.LP
-The debug form of the
-\fBwhack\fP command will change the selection in a running
-\fBpluto\fP.
-If a connection name is specified, the flags are added whenever
-\fBpluto\fP has identified that it is dealing with that connection.
-Unfortunately, this is often part way into the operation being observed.
-.LP
-For example, to start a \fBpluto\fP with a display of the structure of input
-and output:
-.IP
-pluto \-\-debug-emitting \-\-debug-parsing
-.LP
-To later change this \fBpluto\fP to only display raw bytes:
-.IP
-whack \-\-debug-raw
-.LP
-For testing, SSH's IKE test page is quite useful:
-.IP
-\fIhttp://isakmp-test.ssh.fi/\fP
-.LP
-Hint: ISAKMP SAs are often kept alive by IKEs even after the IPsec SA
-is established.  This allows future IPsec SA's to be negotiated
-directly.  If one of the IKEs is restarted, the other may try to use
-the ISAKMP SA but the new IKE won't know about it.  This can lead to
-much confusion.  \fBpluto\fP is not yet smart enough to get out of such a
-mess.
-.SS Pluto's Behaviour When Things Go Wrong
-.LP
-When \fBpluto\fP doesn't understand or accept a message, it just
-ignores the message.  It is not yet capable of communicating the
-problem to the other IKE daemon (in the future it might use
-Notifications to accomplish this in many cases).  It does log a diagnostic.
-.LP
-When \fBpluto\fP gets no response from a message, it resends the same
-message (a message will be sent at most three times).  This is
-appropriate: UDP is unreliable.
-.LP
-When pluto gets a message that it has already seen, there are many
-cases when it notices and discards it.  This too is appropriate for UDP.
-.LP
-Combine these three rules, and you can explain many apparently
-mysterious behaviours.  In a \fBpluto\fP log, retrying isn't usually the
-interesting event.  The critical thing is either earlier (\fBpluto\fP
-got a message which it didn't like and so ignored, so it was still
-awaiting an acceptable message and got impatient) or on the other
-system (\fBpluto\fP didn't send a reply because it wasn't happy with
-the previous message).
-.SS Notes
-.LP
-Each IPsec SA is assigned an SPI, a 32-bit number used to refer to the SA.
-The IKE protocol lets the destination of the SA choose the SPI.
-The range 0 to 0xFF is reserved for IANA.
-\fBPluto\fP also avoids choosing an SPI in the range 0x100 to 0xFFF,
-leaving these SPIs free for manual keying.
-Remember that the peer, if not \fBpluto\fP, may well chose
-SPIs in this range.
-.SS Policies
-.LP
-This catalogue of policies may be of use when trying to configure
-\fBPluto\fP and another IKE implementation to interoperate.
-.LP
-In Phase 1, only Main Mode is supported.  We are not sure that
-Aggressive Mode is secure.  For one thing, it does not support
-identity protection.  It may allow more severe Denial Of Service
-attacks.
-.LP
-No Informational Exchanges are supported.  These are optional and
-since their delivery is not assured, they must not matter.
-It is the case that some IKE implementations won't interoperate
-without Informational Exchanges, but we feel they are broken.
-.LP
-No Informational Payloads are supported.  These are optional, but
-useful.  It is of concern that these payloads are not authenticated in
-Phase 1, nor in those Phase 2 messages authenticated with HASH(3).
-.IP \(bu \w'\(bu\ 'u
-Diffie Hellman Groups MODP 1024 and MODP 1536 (2 and 5)
-are supported.
-Group MODP768 (1) is not supported because it is too weak.
-.IP \(bu
-Host authetication can be done by RSA Signatures or Pre-Shared
-Secrets.
-.IP \(bu
-3DES CBC (Cypher Block Chaining mode) is the only encryption
-supported, both for ISAKMP SAs and IPSEC SAs.
-.IP \(bu
-MD5 and SHA1 hashing are supported for packet authentication in both
-kinds of SAs.
-.IP \(bu
-The ESP, AH, or AH plus ESP are supported.  If, and only if, AH and
-ESP are combined, the ESP need not have its own authentication
-component.  The selection is controlled by the \-\-encrypt and
-\-\-authenticate flags.
-.IP \(bu
-Each of these may be combined with IPCOMP Deflate compression,
-but only if the potential connection specifies compression and only
-if the kernel is configured with IPCOMP support.
-.IP \(bu
-The IPSEC SAs may be tunnel or transport mode, where appropriate.
-The \-\-tunnel flag controls this when \fBpluto\fP is initiating.
-.IP \(bu
-When responding to an ISAKMP SA proposal, the maximum acceptable
-lifetime is eight hours.  The default is one hour.  There is no
-minimum.  The \-\-ikelifetime flag controls this when \fBpluto\fP
-is initiating.
-.IP \(bu
-When responding to an IPSEC SA proposal, the maximum acceptable
-lifetime is one day.  The default is eight hours.  There is no
-minimum.  The \-\-ipseclifetime flag controls this when \fBpluto\fP
-is initiating.
-.IP \(bu
-PFS is acceptable, and will be proposed if the \-\-pfs flag was
-specified.  The DH group proposed will be the same as negotiated for
-Phase 1.
-.SH SIGNALS
-.LP
-\fBPluto\fP responds to \fBSIGHUP\fP by issuing a suggestion that ``\fBwhack\fP
-\-\-listen'' might have been intended.
-.LP
-\fBPluto\fP exits when it receives \fBSIGTERM\fP.
-.SH EXIT STATUS
-.LP
-\fBpluto\fP normally forks a daemon process, so the exit status is
-normally a very preliminary result.
-.TP
-0
-means that all is OK so far.
-.TP
-1
-means that something was wrong.
-.TP
-10
-means that the lock file already exists.
-.LP
-If \fBwhack\fP detects a problem, it will return an exit status of 1.
-If it received progress messages from \fBpluto\fP, it returns as status
-the value of the numeric prefix from the last such message
-that was not a message sent to syslog or a comment
-(but the prefix for success is treated as 0).
-Otherwise, the exit status is 0.
-.SH FILES
-\fI/var/run/pluto.pid\fP
-.br
-\fI/var/run/pluto.ctl\fP
-.br
-\fI/etc/ipsec.secrets\fP
-.br
-\fI$IPSEC_LIBDIR/_pluto_adns\fP
-.br
-\fI$IPSEC_EXECDIR/lwdnsq\fP
-.br
-\fI/dev/urandom\fP
-.SH ENVIRONMENT
-\fIIPSEC_LIBDIR\fP
-.br
-\fIIPSEC_EXECDIR\fP
-.br
-\fIIPSECmyid\fP
-.SH SEE ALSO
-.LP
-The rest of the FreeS/WAN distribution, in particular \fIipsec\fP(8).
-.LP
-\fIipsec_auto\fP(8) is designed to make using \fBpluto\fP more pleasant.
-Use it!
-.LP
-.IR ipsec.secrets (5)
-describes the format of the secrets file.
-.LP
-\fIipsec_atoaddr\fP(3), part of the FreeS/WAN distribution, describes the
-forms that IP addresses may take.
-\fIipsec_atosubnet\fP(3), part of the FreeS/WAN distribution, describes the
-forms that subnet specifications.
-.LP
-For more information on IPsec, the mailing list, and the relevant
-documents, see:
-.IP
-.nh
-\fIhttp://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html\fP
-.hy
-.LP
-At the time of writing, the most relevant IETF RFCs are:
-.IP
-RFC2409 The Internet Key Exchange (IKE)
-.IP
-RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
-.IP
-RFC2407 The Internet IP Security Domain of Interpretation for ISAKMP
-.LP
-The FreeS/WAN web site <htp://www.freeswan.org>
-and the mailing lists described there.
-.SH HISTORY
-This code is released under the GPL terms.
-See the accompanying file COPYING-2.0 for more details.
-The GPL does NOT apply to those pieces of code written by others
-which are included in this distribution, except as noted by the
-individual authors.
-.LP
-This software was originally written
-for the FreeS/WAN project
-<http://www.freeswan.org>
-by Angelos D. Keromytis
-(angelos@dsl.cis.upenn.edu), in May/June 1997, in Athens, Greece.
-Thanks go to John Ioannidis for his help.
-.LP
-It is currently (2000)
-being developed and maintained by D. Hugh Redelmeier
-(hugh@mimosa.com), in Canada.  The regulations of Greece and Canada
-allow us to make the code freely redistributable.
-.LP
-Kai Martius (admin@imib.med.tu-dresden.de) contributed the initial
-version of the code supporting PFS.
-.LP
-Richard Guy Briggs <rgb@conscoop.ottawa.on.ca> and Peter Onion
-<ponion@srd.bt.co.uk> added the PFKEY2 support.
-.LP
-We gratefully acknowledge that we use parts of Eric Young's \fIlibdes\fP
-package; see \fI../libdes/COPYRIGHT\fP.
-.SH BUGS
-.BR pluto
-is a work-in-progress.  It currently has many limitations.
-For example, it ignores notification messages that it receives, and
-it generates only Delete Notifications and those only for IPSEC SAs.
-.LP
-\fBpluto\fP does not support the Commit Flag.
-The Commit Flag is a bad feature of the IKE protocol.
-It isn't protected -- neither encrypted nor authenticated.
-A man in the middle could turn it on, leading to DoS.
-We just ignore it, with a warning.
-This should let us interoperate with
-implementations that insist on it, with minor damage.
-.LP
-\fBpluto\fP does not check that the SA returned by the Responder
-is actually one that was proposed.  It only checks that the SA is
-acceptable.  The difference is not large, but can show up in attributes
-such as SA lifetime.
-.LP
-There is no good way for a connection to be automatically terminated.
-This is a problem for Road Warrior and Opportunistic connections.
-The \fB\-\-dontrekey\fP option does prevent the SAs from
-being rekeyed on expiry.
-Additionally, if a Road Warrior connection has a client subnet with a fixed IP
-address, a negotiation with that subnet will cause any other
-connection instantiations with that same subnet to be unoriented
-(deleted, in effect).
-See also the \-\-uniqueids option for an extension of this.
-.LP
-When \fBpluto\fP sends a message to a peer that has disappeared,
-\fBpluto\fP receives incomplete information from the kernel, so it
-logs the unsatisfactory message ``some IKE message we sent has been
-rejected with ECONNREFUSED (kernel supplied no details)''.  John
-Denker suggests that this command is useful for tracking down the
-source of these problems:
-.br
-	tcpdump \-i eth0 icmp[0] != 8 and icmp[0] != 0
-.br
-Substitute your public interface for eth0 if it is different.
-.LP
-The word ``authenticate'' is used for two different features.  We must
-authenticate each IKE peer to the other.  This is an important task of
-Phase 1.  Each packet must be authenticated, both in IKE and in IPsec,
-and the method for IPsec is negotiated as an AH SA or part of an ESP SA.
-Unfortunately, the protocol has no mechanism for authenticating the Phase 2
-identities.
-.LP
-Bugs should be reported to the <users@lists.freeswan.org> mailing list.
-Caution: we cannot accept
-actual code from US residents, or even US citizens living outside the
-US, because that would bring FreeS/WAN under US export law.  Some
-other countries cause similar problems.  In general, we would prefer
-that you send detailed problem reports rather than code:  we want
-FreeS/WAN to be unquestionably freely exportable, which means being
-very careful about where the code comes from, and for a small bug fix,
-that is often more time-consuming than just reinventing the fix
-ourselves.
diff --git a/src/pluto/pluto.c b/src/pluto/pluto.c
deleted file mode 100644
index 66fdb30b9..000000000
--- a/src/pluto/pluto.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "pluto.h"
-
-#include <debug.h>
-
-typedef struct private_pluto_t private_pluto_t;
-
-/**
- * Private additions to pluto_t.
- */
-struct private_pluto_t {
-
-	/**
-	 * Public members of pluto_t.
-	 */
-	pluto_t public;
-};
-
-/**
- * Single instance of pluto_t.
- */
-pluto_t *pluto;
-
-/**
- * Described in header.
- */
-void pluto_deinit()
-{
-	private_pluto_t *this = (private_pluto_t*)pluto;
-	this->public.events->destroy(this->public.events);
-	this->public.xauth->destroy(this->public.xauth);
-	free(this);
-	pluto = NULL;
-}
-
-/**
- * Described in header.
- */
-bool pluto_init(char *file)
-{
-	private_pluto_t *this;
-
-	INIT(this,
-		.public = {
-			.events = event_queue_create(),
-			.xauth = xauth_manager_create(),
-		},
-	);
-	pluto = &this->public;
-
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "pluto", file))
-	{
-		DBG1(DBG_LIB, "integrity check of pluto failed");
-		return FALSE;
-	}
-	return TRUE;
-}
-
diff --git a/src/pluto/pluto.h b/src/pluto/pluto.h
deleted file mode 100644
index 2440093ca..000000000
--- a/src/pluto/pluto.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pluto pluto
- *
- * @defgroup xauth xauth
- * @ingroup pluto
- *
- * @defgroup pplugins plugins
- * @ingroup pluto
- *
- * @addtogroup pluto
- * @{
- */
-
-#ifndef PLUTO_H_
-#define PLUTO_H_
-
-typedef struct pluto_t pluto_t;
-
-#include <event_queue.h>
-#include <xauth/xauth_manager.h>
-
-#include <library.h>
-
-/**
- * Pluto daemon support object.
- */
-struct pluto_t {
-
-	/**
-	 * event queue (callbacks, executed by the pluto main thread)
-	 */
-	event_queue_t *events;
-
-	/**
-	 * manager for payload attributes
-	 */
-	xauth_manager_t *xauth;
-
-};
-
-/**
- * The single instance of pluto_t.
- *
- * Set between calls to pluto_init() and pluto_deinit() calls.
- */
-extern pluto_t *pluto;
-
-/**
- * Initialize pluto.
- *
- * @return				FALSE if integrity check failed
- */
-bool pluto_init(char *file);
-
-/**
- * Deinitialize pluto.
- */
-void pluto_deinit(void);
-
-#endif /** PLUTO_H_ @}*/
-
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
deleted file mode 100644
index dbc857ce2..000000000
--- a/src/pluto/plutomain.c
+++ /dev/null
@@ -1,852 +0,0 @@
-/* Pluto main program
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001 D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <ctype.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <fcntl.h>
-#include <getopt.h>
-#include <resolv.h>
-#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-#include <sys/prctl.h>
-#include <signal.h>
-#include <pwd.h>
-#include <grp.h>
-
-#ifdef CAPABILITIES
-#ifdef HAVE_SYS_CAPABILITY_H
-#include <sys/capability.h>
-#endif /* HAVE_SYS_CAPABILITY_H */
-#endif /* CAPABILITIES */
-
-#include <freeswan.h>
-
-#include <hydra.h>
-#include <library.h>
-#include <debug.h>
-#include <utils/enumerator.h>
-#include <utils/optionsfrom.h>
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "myid.h"
-#include "ca.h"
-#include "certs.h"
-#include "ac.h"
-#include "connections.h"
-#include "foodgroups.h"
-#include "packet.h"
-#include "demux.h"      /* needs packet.h */
-#include "server.h"
-#include "kernel.h"
-#include "log.h"
-#include "keys.h"
-#include "adns.h"       /* needs <resolv.h> */
-#include "dnskey.h"     /* needs keys.h and adns.h */
-#include "state.h"
-#include "ipsec_doi.h"  /* needs demux.h and state.h */
-#include "ocsp.h"
-#include "crl.h"
-#include "fetch.h"
-#include "crypto.h"
-#include "nat_traversal.h"
-#include "virtual.h"
-#include "timer.h"
-#include "vendor.h"
-#include "builder.h"
-#include "whack_attribute.h"
-#include "pluto.h"
-
-#ifdef ANDROID
-#include <private/android_filesystem_config.h> /* for AID_VPN */
-#endif
-
-/**
- * Number of threads in the thread pool, if not specified in config.
- */
-#define DEFAULT_THREADS 4
-
-/**
- * PID file, in which pluto stores its process id
- */
-static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
-
-/**
- * TRUE if the lock has been checked.  This helps to avoid any unintended
- * deletion of the lock or control socket.
- */
-static bool pluto_lock_checked = FALSE;
-
-/**
- * Global reference to PID file (required to truncate, if undeletable)
- */
-static FILE *pidfile = NULL;
-
-
-static void usage(const char *mess)
-{
-	if (mess != NULL && *mess != '\0')
-		fprintf(stderr, "%s\n", mess);
-	fprintf(stderr
-		, "Usage: pluto"
-			" [--help]"
-			" [--version]"
-			" [--optionsfrom <filename>]"
-			" \\\n\t"
-			"[--nofork]"
-			" [--stderrlog]"
-			" [--nocrsend]"
-			" \\\n\t"
-			"[--strictcrlpolicy]"
-			" [--crlcheckinterval <interval>]"
-			" [--cachecrls]"
-			" [--uniqueids]"
-			" \\\n\t"
-			"[--interface <ifname>]"
-			" [--ikeport <port-number>]"
-			" \\\n\t"
-			"[--ctlbase <path>]"
-			" \\\n\t"
-			"[--perpeerlogbase <path>] [--perpeerlog]"
-			" \\\n\t"
-			"[--secretsfile <secrets-file>]"
-			" [--policygroupsdir <policygroups-dir>]"
-			" \\\n\t"
-			"[--adns <pathname>]"
-			"[--pkcs11module <path>]"
-			"[--pkcs11keepstate]"
-			"[--pkcs11initargs <string>]"
-#ifdef DEBUG
-			" \\\n\t"
-			"[--debug-none]"
-			" [--debug-all]"
-			" \\\n\t"
-			"[--debug-raw]"
-			" [--debug-crypt]"
-			" [--debug-parsing]"
-			" [--debug-emitting]"
-			" \\\n\t"
-			"[--debug-control]"
-			" [--debug-lifecycle]"
-			" [--debug-kernel]"
-			" [--debug-dns]"
-			" \\\n\t"
-			"[--debug-oppo]"
-			" [--debug-controlmore]"
-			" [--debug-private]"
-			" [--debug-natt]"
-#endif
-		    " \\\n\t"
-			"[--nat_traversal] [--keep_alive <delay_sec>]"
-			" \\\n\t"
-			"[--force_keepalive] [--disable_port_floating]"
-		    " \\\n\t"
-		    "[--virtual_private <network_list>]"
-			"\n"
-		    "strongSwan "VERSION"\n");
-	exit_pluto(mess == NULL? 0 : 1);
-}
-
-static bool check_lock()
-{
-	struct stat stb;
-	FILE *fpid;
-
-	if (stat(pluto_lock, &stb) == 0)
-	{
-		fpid = fopen(pluto_lock, "r");
-		if (fpid)
-		{
-			char buf[64];
-			pid_t pid = 0;
-
-			memset(buf, 0, sizeof(buf));
-			if (fread(buf, 1, sizeof(buf), fpid))
-			{
-				buf[sizeof(buf) - 1] = '\0';
-				pid = atoi(buf);
-			}
-			fclose(fpid);
-			if (pid && kill(pid, 0) == 0)
-			{	/* such a process is running */
-				return TRUE;
-			}
-		}
-		fprintf(stderr, "pluto: removing lock file \"%s\", process not "
-				"running\n", pluto_lock);
-		unlink(pluto_lock);
-	}
-	pluto_lock_checked = TRUE;
-	return FALSE;
-}
-
-static void fill_lock(void)
-{
-	pidfile = fopen(pluto_lock, "w");
-	if (pidfile)
-	{
-		fprintf(pidfile, "%u\n", (u_int)getpid());
-		fflush(pidfile);
-	}
-	/* keep pidfile open so we can truncate it, if we cannot delete it */
-}
-
-static void delete_lock(void)
-{
-	/* because unlinking the PID file may fail, we truncate it to ensure the
-	 * daemon can be properly restarted.  one probable cause for this is the
-	 * combination of not running as root and the effective user lacking
-	 * permissions on the parent dir(s) of the PID file */
-	if (pluto_lock_checked)
-	{
-		if (pidfile)
-		{
-			ignore_result(ftruncate(fileno(pidfile), 0));
-			fclose(pidfile);
-		}
-		unlink(pluto_lock);
-		/* delete this here to avoid that exit_pluto calls delete the socket */
-		delete_ctl_socket();
-	}
-}
-
-
-/* by default pluto sends certificate requests to its peers */
-bool no_cr_send = FALSE;
-
-/* by default the CRL policy is lenient */
-bool strict_crl_policy = FALSE;
-
-/* by default CRLs are cached locally as files */
-bool cache_crls = FALSE;
-
-/* by default pluto does not check crls dynamically */
-long crl_check_interval = 0;
-
-/* path to the PKCS#11 module */
-char *pkcs11_module_path = NULL;
-
-/* by default pluto logs out after every smartcard use */
-bool pkcs11_keep_state = FALSE;
-
-/* by default pluto does not allow pkcs11 proxy access via whack */
-bool pkcs11_proxy = FALSE;
-
-/* argument string to pass to PKCS#11 module.
- * Not used for compliant modules, just for NSS softoken
- */
-static const char *pkcs11_init_args = NULL;
-
-/* options read by optionsfrom */
-options_t *options;
-
-int main(int argc, char **argv)
-{
-	bool fork_desired = TRUE;
-	bool log_to_stderr_desired = FALSE;
-	bool nat_traversal = FALSE;
-	bool nat_t_spf = TRUE;  /* support port floating */
-	unsigned int keep_alive = 0;
-	bool force_keepalive = FALSE;
-	char *virtual_private = NULL;
-#ifdef CAPABILITIES
-	int keep[] = {
-			CAP_NET_ADMIN,
-			CAP_NET_BIND_SERVICE,
-#ifdef ANDROID
-			CAP_NET_RAW,
-#endif
-	};
-#endif /* CAPABILITIES */
-
-	/* initialize library and optionsfrom */
-	if (!library_init(NULL))
-	{
-		library_deinit();
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-	if (!libhydra_init("pluto"))
-	{
-		libhydra_deinit();
-		library_deinit();
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-	if (!pluto_init(argv[0]))
-	{
-		pluto_deinit();
-		libhydra_deinit();
-		library_deinit();
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-	options = options_create();
-
-	/* handle arguments */
-	for (;;)
-	{
-#       define DBG_OFFSET 256
-		static const struct option long_opts[] = {
-			/* name, has_arg, flag, val */
-			{ "help", no_argument, NULL, 'h' },
-			{ "version", no_argument, NULL, 'v' },
-			{ "optionsfrom", required_argument, NULL, '+' },
-			{ "nofork", no_argument, NULL, 'd' },
-			{ "stderrlog", no_argument, NULL, 'e' },
-			{ "nocrsend", no_argument, NULL, 'c' },
-			{ "strictcrlpolicy", no_argument, NULL, 'r' },
-			{ "crlcheckinterval", required_argument, NULL, 'x'},
-			{ "cachecrls", no_argument, NULL, 'C' },
-			{ "uniqueids", no_argument, NULL, 'u' },
-			{ "interface", required_argument, NULL, 'i' },
-			{ "ikeport", required_argument, NULL, 'p' },
-			{ "ctlbase", required_argument, NULL, 'b' },
-			{ "secretsfile", required_argument, NULL, 's' },
-			{ "foodgroupsdir", required_argument, NULL, 'f' },
-			{ "perpeerlogbase", required_argument, NULL, 'P' },
-			{ "perpeerlog", no_argument, NULL, 'l' },
-			{ "policygroupsdir", required_argument, NULL, 'f' },
-			{ "adns", required_argument, NULL, 'a' },
-			{ "pkcs11module", required_argument, NULL, 'm' },
-			{ "pkcs11keepstate", no_argument, NULL, 'k' },
-			{ "pkcs11initargs", required_argument, NULL, 'z' },
-			{ "pkcs11proxy", no_argument, NULL, 'y' },
-			{ "nat_traversal", no_argument, NULL, '1' },
-			{ "keep_alive", required_argument, NULL, '2' },
-			{ "force_keepalive", no_argument, NULL, '3' },
-			{ "disable_port_floating", no_argument, NULL, '4' },
-			{ "debug-natt", no_argument, NULL, '5' },
-			{ "virtual_private", required_argument, NULL, '6' },
-#ifdef DEBUG
-			{ "debug-none", no_argument, NULL, 'N' },
-			{ "debug-all", no_argument, NULL, 'A' },
-			{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
-			{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
-			{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
-			{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
-			{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
-			{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
-			{ "debug-klips", no_argument, NULL, DBG_KERNEL + DBG_OFFSET },
-			{ "debug-kernel", no_argument, NULL, DBG_KERNEL + DBG_OFFSET },
-			{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
-			{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
-			{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
-			{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
-
-			{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
-			{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
-			{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
-			{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
-#endif
-			{ 0,0,0,0 }
-			};
-		/* Note: we don't like the way short options get parsed
-		 * by getopt_long, so we simply pass an empty string as
-		 * the list.  It could be "hvdenp:l:s:" "NARXPECK".
-		 */
-		int c = getopt_long(argc, argv, "", long_opts, NULL);
-
-		/* Note: "breaking" from case terminates loop */
-		switch (c)
-		{
-		case EOF:       /* end of flags */
-			break;
-
-		case 0: /* long option already handled */
-			continue;
-
-		case ':':       /* diagnostic already printed by getopt_long */
-		case '?':       /* diagnostic already printed by getopt_long */
-			usage("");
-			break;   /* not actually reached */
-
-		case 'h':       /* --help */
-			usage(NULL);
-			break;      /* not actually reached */
-
-		case 'v':       /* --version */
-			{
-				const char **sp = ipsec_copyright_notice();
-
-				printf("strongSwan "VERSION"%s\n", compile_time_interop_options);
-				for (; *sp != NULL; sp++)
-					puts(*sp);
-			}
-			exit_pluto(0);
-			break;      /* not actually reached */
-
-		case '+':       /* --optionsfrom <filename> */
-			if (!options->from(options, optarg, &argc, &argv, optind))
-			{
-				exit_pluto(1);
-			}
-			continue;
-
-		case 'd':       /* --nofork*/
-			fork_desired = FALSE;
-			continue;
-
-		case 'e':       /* --stderrlog */
-			log_to_stderr_desired = TRUE;
-			continue;
-
-		case 'c':       /* --nocrsend */
-			no_cr_send = TRUE;
-			continue;
-
-		case 'r':       /* --strictcrlpolicy */
-			strict_crl_policy = TRUE;
-			continue;
-
-		case 'x':       /* --crlcheckinterval <time>*/
-			if (optarg == NULL || !isdigit(optarg[0]))
-				usage("missing interval time");
-
-			{
-				char *endptr;
-				long interval = strtol(optarg, &endptr, 0);
-
-				if (*endptr != '\0' || endptr == optarg
-				|| interval <= 0)
-					usage("<interval-time> must be a positive number");
-				crl_check_interval = interval;
-			}
-			continue;
-
-		case 'C':       /* --cachecrls */
-			cache_crls = TRUE;
-			continue;
-
-		case 'u':       /* --uniqueids */
-			uniqueIDs = TRUE;
-			continue;
-
-		case 'i':       /* --interface <ifname> */
-			if (!use_interface(optarg))
-				usage("too many --interface specifications");
-			continue;
-
-		case 'p':       /* --port <portnumber> */
-			if (optarg == NULL || !isdigit(optarg[0]))
-				usage("missing port number");
-
-			{
-				char *endptr;
-				long port = strtol(optarg, &endptr, 0);
-
-				if (*endptr != '\0' || endptr == optarg
-				|| port <= 0 || port > 0x10000)
-					usage("<port-number> must be a number between 1 and 65535");
-				pluto_port = port;
-			}
-			continue;
-
-		case 'b':       /* --ctlbase <path> */
-			if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
-			, "%s%s", optarg, CTL_SUFFIX) == -1)
-				usage("<path>" CTL_SUFFIX " too long for sun_path");
-			if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
-			, "%s%s", optarg, INFO_SUFFIX) == -1)
-				usage("<path>" INFO_SUFFIX " too long for sun_path");
-			if (snprintf(pluto_lock, sizeof(pluto_lock)
-			, "%s%s", optarg, LOCK_SUFFIX) == -1)
-				usage("<path>" LOCK_SUFFIX " must fit");
-			continue;
-
-		case 's':       /* --secretsfile <secrets-file> */
-			shared_secrets_file = optarg;
-			continue;
-
-		case 'f':       /* --policygroupsdir <policygroups-dir> */
-			policygroups_dir = optarg;
-			continue;
-#ifdef ADNS
-		case 'a':       /* --adns <pathname> */
-			pluto_adns_option = optarg;
-			continue;
-#endif
-		case 'm':       /* --pkcs11module <pathname> */
-			pkcs11_module_path = optarg;
-			continue;
-
-		case 'k':       /* --pkcs11keepstate */
-			pkcs11_keep_state = TRUE;
-			continue;
-
-		case 'y':       /* --pkcs11proxy */
-			pkcs11_proxy = TRUE;
-			continue;
-
-		case 'z':       /* --pkcs11initargs */
-			pkcs11_init_args = optarg;
-			continue;
-
-#ifdef DEBUG
-		case 'N':       /* --debug-none */
-			base_debugging = DBG_NONE;
-			continue;
-
-		case 'A':       /* --debug-all */
-			base_debugging = DBG_ALL;
-			continue;
-#endif
-
-		case 'P':       /* --perpeerlogbase */
-			base_perpeer_logdir = optarg;
-			continue;
-
-		case 'l':
-			log_to_perpeer = TRUE;
-			continue;
-
-		case '1':       /* --nat_traversal */
-			nat_traversal = TRUE;
-			continue;
-		case '2':       /* --keep_alive */
-			keep_alive = atoi(optarg);
-			continue;
-		case '3':       /* --force_keepalive */
-			force_keepalive = TRUE;
-			continue;
-		case '4':       /* --disable_port_floating */
-			nat_t_spf = FALSE;
-			continue;
-		case '5':       /* --debug-nat_t */
-			base_debugging |= DBG_NATT;
-			continue;
-		case '6':       /* --virtual_private */
-			virtual_private = optarg;
-			continue;
-
-		default:
-#ifdef DEBUG
-			if (c >= DBG_OFFSET)
-			{
-				base_debugging |= c - DBG_OFFSET;
-				continue;
-			}
-#       undef DBG_OFFSET
-#endif
-			bad_case(c);
-		}
-		break;
-	}
-	if (optind != argc)
-		usage("unexpected argument");
-	reset_debugging();
-
-	if (check_lock())
-	{
-		fprintf(stderr, "pluto: lock file \"%s\" already exists\n", pluto_lock);
-		exit_pluto(10);
-	}
-
-	/* select between logging methods */
-
-	if (log_to_stderr_desired)
-	{
-		log_to_syslog = FALSE;
-	}
-	else
-	{
-		log_to_stderr = FALSE;
-	}
-
-	/* set the logging function of pfkey debugging */
-#ifdef DEBUG
-	pfkey_debug_func = DBG_log;
-#else
-	pfkey_debug_func = NULL;
-#endif
-
-	/* create control socket.
-	 * We must create it before the parent process returns so that
-	 * there will be no race condition in using it.  The easiest
-	 * place to do this is before the daemon fork.
-	 */
-	{
-		err_t ugh = init_ctl_socket();
-
-		if (ugh != NULL)
-		{
-			fprintf(stderr, "pluto: %s", ugh);
-			exit_pluto(1);
-		}
-	}
-
-	/* If not suppressed, do daemon fork */
-
-	if (fork_desired)
-	{
-		{
-			pid_t pid = fork();
-
-			if (pid < 0)
-			{
-				int e = errno;
-
-				fprintf(stderr, "pluto: fork failed (%d %s)\n",
-					errno, strerror(e));
-				exit_pluto(1);
-			}
-
-			if (pid != 0)
-			{
-				/* parent: die
-				 * must not use exit_pluto: lock would be removed!
-				 */
-				exit(0);
-			}
-			/* child: fill PID into lock file */
-			fill_lock();
-		}
-
-		if (setsid() < 0)
-		{
-			int e = errno;
-
-			fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
-				errno, strerror(e));
-			exit_pluto(1);
-		}
-	}
-	else
-	{
-		/* no daemon fork: we have to fill in lock file */
-		fill_lock();
-		fprintf(stdout, "Pluto initialized\n");
-		fflush(stdout);
-	}
-
-	/* Redirect stdin, stdout and stderr to /dev/null
-	 */
-	{
-		int fd;
-		if ((fd = open("/dev/null", O_RDWR)) == -1)
-			abort();
-		if (dup2(fd, 0) != 0)
-			abort();
-		if (dup2(fd, 1) != 1)
-			abort();
-		if (!log_to_stderr && dup2(fd, 2) != 2)
-			abort();
-		close(fd);
-	}
-
-	/* for uncritical pseudo random numbers */
-	srand(time(NULL) + getpid());
-
-	init_constants();
-	init_log("pluto");
-
-	/* Note: some scripts may look for this exact message -- don't change
-	 * ipsec barf was one, but it no longer does.
-	 */
-	plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
-		 compile_time_interop_options);
-
-	if (lib->integrity)
-	{
-		plog("integrity tests enabled:");
-		plog("lib    'libstrongswan': passed file and segment integrity tests");
-		plog("lib    'libhydra': passed file and segment integrity tests");
-		plog("daemon 'pluto': passed file integrity test");
-	}
-
-	/* load plugins, further infrastructure may need it */
-	if (!lib->plugins->load(lib->plugins, NULL,
-			lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)))
-	{
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-	DBG1(DBG_DMN, "loaded plugins: %s",
-		 lib->plugins->loaded_plugins(lib->plugins));
-
-	init_builder();
-	if (!init_secret() || !init_crypto())
-	{
-		plog("initialization failed - aborting pluto");
-		exit_pluto(SS_RC_INITIALIZATION_FAILED);
-	}
-	init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
-	init_virtual_ip(virtual_private);
-	scx_init(pkcs11_module_path, pkcs11_init_args);
-	init_states();
-	init_demux();
-	init_kernel();
-#ifdef ADNS
-	init_adns();
-#endif
-	init_myid();
-	fetch_initialize();
-	ac_initialize();
-	whack_attribute_initialize();
-
-	/* drop unneeded capabilities and change UID/GID */
-	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
-
-#ifdef IPSEC_GROUP
-	{
-		struct group group, *grp;
-		char buf[1024];
-
-		if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
-			grp == NULL || setgid(grp->gr_gid) != 0)
-		{
-			plog("unable to change daemon group");
-			abort();
-		}
-	}
-#endif
-#ifdef IPSEC_USER
-	{
-		struct passwd passwd, *pwp;
-		char buf[1024];
-
-		if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
-			pwp == NULL || setuid(pwp->pw_uid) != 0)
-		{
-			plog("unable to change daemon user");
-			abort();
-		}
-	}
-#endif
-#ifdef ANDROID
-	if (setuid(AID_VPN) != 0)
-	{
-		plog("unable to change daemon user");
-		abort();
-	}
-#endif
-
-#ifdef CAPABILITIES_LIBCAP
-	{
-		cap_t caps;
-		caps = cap_init();
-		cap_set_flag(caps, CAP_EFFECTIVE, countof(keep), keep, CAP_SET);
-		cap_set_flag(caps, CAP_INHERITABLE, countof(keep), keep, CAP_SET);
-		cap_set_flag(caps, CAP_PERMITTED, countof(keep), keep, CAP_SET);
-		if (cap_set_proc(caps) != 0)
-		{
-			plog("unable to drop daemon capabilities");
-			abort();
-		}
-		cap_free(caps);
-	}
-#endif /* CAPABILITIES_LIBCAP */
-#ifdef CAPABILITIES_NATIVE
-	{
-		struct __user_cap_data_struct caps = { .effective = 0 };
-		struct __user_cap_header_struct header = {
-			.version = _LINUX_CAPABILITY_VERSION,
-		};
-		int i;
-		for (i = 0; i < countof(keep); i++)
-		{
-			caps.effective |= 1 << keep[i];
-			caps.permitted |= 1 << keep[i];
-			caps.inheritable |= 1 << keep[i];
-		}
-		if (capset(&header, &caps) != 0)
-		{
-			plog("unable to drop daemon capabilities");
-			abort();
-		}
-	}
-#endif /* CAPABILITIES_NATIVE */
-
-	/* loading X.509 CA certificates */
-	load_authcerts("ca", CA_CERT_PATH, X509_CA);
-	/* loading X.509 AA certificates */
-	load_authcerts("aa", AA_CERT_PATH, X509_AA);
-	/* loading X.509 OCSP certificates */
-	load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER);
-	/* loading X.509 CRLs */
-	load_crls();
-	/* loading attribute certificates (experimental) */
-	ac_load_certs();
-
-	lib->processor->set_threads(lib->processor,
-			lib->settings->get_int(lib->settings, "pluto.threads",
-								   DEFAULT_THREADS));
-
-	daily_log_event();
-	call_server();
-	return -1;  /* Shouldn't ever reach this */
-}
-
-/* leave pluto, with status.
- * Once child is launched, parent must not exit this way because
- * the lock would be released.
- *
- *  0 OK
- *  1 general discomfort
- * 10 lock file exists
- */
-void exit_pluto(int status)
-{
-	lib->processor->set_threads(lib->processor, 0);
-	reset_globals();    /* needed because we may be called in odd state */
-	free_preshared_secrets();
-	free_remembered_public_keys();
-	delete_every_connection();
-	whack_attribute_finalize(); /* free in-memory pools */
-	kernel_finalize();
-	fetch_finalize();           /* stop fetching thread */
-	free_crl_fetch();           /* free chain of crl fetch requests */
-	free_ocsp_fetch();          /* free chain of ocsp fetch requests */
-	free_authcerts();           /* free chain of X.509 authority certificates */
-	free_crls();                /* free chain of X.509 CRLs */
-	free_ca_infos();            /* free chain of X.509 CA information records */
-	free_ocsp();                /* free ocsp cache */
-	free_ifaces();
-	ac_finalize();              /* free X.509 attribute certificates */
-	scx_finalize();             /* finalize and unload PKCS #11 module */
-#ifdef ADNS
-	stop_adns();
-#endif
-	free_md_pool();
-	free_crypto();
-	free_myid();                /* free myids */
-	free_events();              /* free remaining events */
-	free_vendorid();            /* free all vendor id records */
-	free_builder();
-	delete_lock();
-	options->destroy(options);
-	pluto_deinit();
-	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
-	lib->plugins->unload(lib->plugins);
-	libhydra_deinit();
-	library_deinit();
-	close_log();
-	exit(status);
-}
-
-/*
- * Local Variables:
- * c-basic-offset:4
- * c-style: pluto
- * End:
- */
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
deleted file mode 100644
index 0a7b33ab5..000000000
--- a/src/pluto/rcv_whack.c
+++ /dev/null
@@ -1,728 +0,0 @@
-/* whack communicating routines
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-#include <fcntl.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "ca.h"
-#include "certs.h"
-#include "ac.h"
-#include "smartcard.h"
-#include "connections.h"
-#include "foodgroups.h"
-#include "whack.h"      /* needs connections.h */
-#include "packet.h"
-#include "demux.h"      /* needs packet.h */
-#include "state.h"
-#include "ipsec_doi.h"  /* needs demux.h and state.h */
-#include "kernel.h"
-#include "rcv_whack.h"
-#include "log.h"
-#include "keys.h"
-#include "adns.h"       /* needs <resolv.h> */
-#include "dnskey.h"     /* needs keys.h and adns.h */
-#include "server.h"
-#include "fetch.h"
-#include "ocsp.h"
-#include "crl.h"
-#include "myid.h"
-#include "kernel_alg.h"
-#include "ike_alg.h"
-#include "plugin_list.h"
-#include "whack_attribute.h"
-
-/* helper variables and function to decode strings from whack message */
-
-static char *next_str
-	, *str_roof;
-
-static bool unpack_str(char **p)
-{
-	char *end = memchr(next_str, '\0', str_roof - next_str);
-
-	if (end == NULL)
-	{
-		return FALSE;   /* fishy: no end found */
-	}
-	else
-	{
-		*p = next_str == end? NULL : next_str;
-		next_str = end + 1;
-		return TRUE;
-	}
-}
-
-/* bits loading keys from asynchronous DNS */
-
-enum key_add_attempt {
-	ka_TXT,
-#ifdef USE_KEYRR
-	ka_KEY,
-#endif
-	ka_roof     /* largest value + 1 */
-};
-
-struct key_add_common {
-	int refCount;
-	char *diag[ka_roof];
-	int whack_fd;
-	bool success;
-};
-
-struct key_add_continuation {
-	struct adns_continuation ac;        /* common prefix */
-	struct key_add_common *common;      /* common data */
-	enum key_add_attempt lookingfor;
-};
-
-static void key_add_ugh(identification_t *keyid, err_t ugh)
-{
-	loglog(RC_NOKEY, "failure to fetch key for %'Y' from DNS: %s", keyid, ugh);
-}
-
-/* last one out: turn out the lights */
-static void key_add_merge(struct key_add_common *oc, identification_t *keyid)
-{
-	if (oc->refCount == 0)
-	{
-		enum key_add_attempt kaa;
-
-		/* if no success, print all diagnostics */
-		if (!oc->success)
-		{
-			for (kaa = ka_TXT; kaa != ka_roof; kaa++)
-			{
-				key_add_ugh(keyid, oc->diag[kaa]);
-			}
-		}
-		for (kaa = ka_TXT; kaa != ka_roof; kaa++)
-		{
-			free(oc->diag[kaa]);
-		}
-		close(oc->whack_fd);
-		free(oc);
-	}
-}
-
-#ifdef ADNS
-
-static void key_add_continue(struct adns_continuation *ac, err_t ugh)
-{
-	struct key_add_continuation *kc = (void *) ac;
-	struct key_add_common *oc = kc->common;
-
-	passert(whack_log_fd == NULL_FD);
-	whack_log_fd = oc->whack_fd;
-
-	if (ugh != NULL)
-	{
-		oc->diag[kc->lookingfor] = clone_str(ugh);
-	}
-	else
-	{
-		oc->success = TRUE;
-		transfer_to_public_keys(kc->ac.gateways_from_dns
-#ifdef USE_KEYRR
-			, &kc->ac.keys_from_dns
-#endif /* USE_KEYRR */
-			);
-	}
-
-	oc->refCount--;
-	key_add_merge(oc, ac->id);
-	whack_log_fd = NULL_FD;
-}
-
-#endif /* ADNS */
-
-static void key_add_request(const whack_message_t *msg)
-{
-	identification_t *key_id;
-
-	key_id = identification_create_from_string(msg->keyid);
-
-	if (!msg->whack_addkey)
-	{
-		delete_public_keys(key_id, msg->pubkey_alg, NULL, chunk_empty);
-	}
-	if (msg->keyval.len == 0)
-	{
-		struct key_add_common *oc = malloc_thing(struct key_add_common);
-		enum key_add_attempt kaa;
-		err_t ugh;
-
-		/* initialize state shared by queries */
-		oc->refCount = 0;
-		oc->whack_fd = dup_any(whack_log_fd);
-		oc->success = FALSE;
-
-		for (kaa = ka_TXT; kaa != ka_roof; kaa++)
-		{
-			struct key_add_continuation *kc;
-
-			oc->diag[kaa] = NULL;
-			oc->refCount++;
-			kc = malloc_thing(struct key_add_continuation);
-			kc->common = oc;
-			kc->lookingfor = kaa;
-			ugh = NULL;
-
-			switch (kaa)
-			{
-#ifdef ADNS
-				case ka_TXT:
-					ugh = start_adns_query(key_id
-							, key_id        /* same */
-							, T_TXT
-							, key_add_continue
-							, &kc->ac);
-					break;
-#endif /* ADNS */
-#ifdef USE_KEYRR
-				case ka_KEY:
-					ugh = start_adns_query(key_id
-							, NULL
-							, T_KEY
-							, key_add_continue
-							, &kc->ac);
-					break;
-#endif /* USE_KEYRR */
-				default:
-					bad_case(kaa);      /* suppress gcc warning */
-			}
-			if (ugh)
-			{
-				oc->diag[kaa] = clone_str(ugh);
-				oc->refCount--;
-			}
-		}
-
-		/* Done launching queries. Handle total failure case. */
-		key_add_merge(oc, key_id);
-	}
-	else
-	{
-		if (!add_public_key(key_id, DAL_LOCAL, msg->pubkey_alg, msg->keyval,
-			&pubkeys))
-		{
-			loglog(RC_LOG_SERIOUS, "failed to add public key");
-		}
-	}
-	key_id->destroy(key_id);
-}
-
-/* Handle a kernel request. Supposedly, there's a message in
- * the kernelsock socket.
- */
-void whack_handle(int whackctlfd)
-{
-	whack_message_t msg;
-	struct sockaddr_un whackaddr;
-	int whackaddrlen = sizeof(whackaddr);
-	int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen);
-	/* Note: actual value in n should fit in int.  To print, cast to int. */
-	ssize_t n;
-
-	if (whackfd < 0)
-	{
-		log_errno((e, "accept() failed in whack_handle()"));
-		return;
-	}
-	if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0)
-	{
-		log_errno((e, "failed to set CLOEXEC in whack_handle()"));
-		close(whackfd);
-		return;
-	}
-
-	n = read(whackfd, &msg, sizeof(msg));
-
-	if (n == -1)
-	{
-		log_errno((e, "read() failed in whack_handle()"));
-		close(whackfd);
-		return;
-	}
-
-	whack_log_fd = whackfd;
-
-	/* sanity check message */
-	{
-		err_t ugh = NULL;
-
-		next_str = msg.string;
-		str_roof = (char *)&msg + n;
-
-		if ((size_t)n < offsetof(whack_message_t, whack_shutdown) + sizeof(msg.whack_shutdown))
-		{
-			ugh = builddiag("ignoring runt message from whack: got %d bytes", (int)n);
-		}
-		else if (msg.magic != WHACK_MAGIC)
-		{
-			if (msg.magic == WHACK_BASIC_MAGIC)
-			{
-				/* Only shutdown command.  Simpler inter-version compatibility. */
-				if (msg.whack_shutdown)
-				{
-					plog("shutting down");
-					exit_pluto(0);      /* delete lock and leave, with 0 status */
-				}
-				ugh = "";       /* bail early, but without complaint */
-			}
-			else
-			{
-				ugh = builddiag("ignoring message from whack with bad magic %d; should be %d; probably wrong version"
-					, msg.magic, WHACK_MAGIC);
-			}
-		}
-		else if (next_str > str_roof)
-		{
-			ugh = builddiag("ignoring truncated message from whack: got %d bytes; expected %u"
-				, (int) n, (unsigned) sizeof(msg));
-		}
-		else if (!unpack_str(&msg.name)         /* string  1 */
-		|| !unpack_str(&msg.left.id)            /* string  2 */
-		|| !unpack_str(&msg.left.cert)          /* string  3 */
-		|| !unpack_str(&msg.left.ca)            /* string  4 */
-		|| !unpack_str(&msg.left.groups)        /* string  5 */
-		|| !unpack_str(&msg.left.updown)        /* string  6 */
-		|| !unpack_str(&msg.left.sourceip)      /* string  7 */
-		|| !unpack_str(&msg.left.virt)          /* string  8 */
-		|| !unpack_str(&msg.right.id)           /* string  9 */
-		|| !unpack_str(&msg.right.cert)         /* string 10 */
-		|| !unpack_str(&msg.right.ca)           /* string 11 */
-		|| !unpack_str(&msg.right.groups)       /* string 12 */
-		|| !unpack_str(&msg.right.updown)       /* string 13 */
-		|| !unpack_str(&msg.right.sourceip)     /* string 14 */
-		|| !unpack_str(&msg.right.virt)         /* string 15 */
-		|| !unpack_str(&msg.keyid)              /* string 16 */
-		|| !unpack_str(&msg.myid)               /* string 17 */
-		|| !unpack_str(&msg.cacert)             /* string 18 */
-		|| !unpack_str(&msg.ldaphost)           /* string 19 */
-		|| !unpack_str(&msg.ldapbase)           /* string 20 */
-		|| !unpack_str(&msg.crluri)             /* string 21 */
-		|| !unpack_str(&msg.crluri2)            /* string 22 */
-		|| !unpack_str(&msg.ocspuri)            /* string 23 */
-		|| !unpack_str(&msg.ike)                /* string 24 */
-		|| !unpack_str(&msg.esp)                /* string 25 */
-		|| !unpack_str(&msg.sc_data)            /* string 26 */
-		|| !unpack_str(&msg.whack_lease_ip)     /* string 27 */
-		|| !unpack_str(&msg.whack_lease_id)     /* string 28 */
-		|| !unpack_str(&msg.xauth_identity)     /* string 29 */
-		|| str_roof - next_str != (ptrdiff_t)msg.keyval.len)    /* check chunk */
-		{
-			ugh = "message from whack contains bad string";
-		}
-		else
-		{
-			msg.keyval.ptr = next_str;  /* grab chunk */
-		}
-
-		if (ugh != NULL)
-		{
-			if (*ugh != '\0')
-				loglog(RC_BADWHACKMESSAGE, "%s", ugh);
-			whack_log_fd = NULL_FD;
-			close(whackfd);
-			return;
-		}
-	}
-
-	if (msg.whack_options)
-	{
-#ifdef DEBUG
-		if (msg.name == NULL)
-		{
-			/* we do a two-step so that if either old or new would
-			 * cause the message to print, it will be printed.
-			 */
-			cur_debugging |= msg.debugging;
-			DBG(DBG_CONTROL
-				, DBG_log("base debugging = %s"
-					, bitnamesof(debug_bit_names, msg.debugging)));
-			cur_debugging = base_debugging = msg.debugging;
-		}
-		else if (!msg.whack_connection)
-		{
-			connection_t *c = con_by_name(msg.name, TRUE);
-
-			if (c != NULL)
-			{
-				c->extra_debugging = msg.debugging;
-				DBG(DBG_CONTROL
-					, DBG_log("\"%s\" extra_debugging = %s"
-						, c->name
-						, bitnamesof(debug_bit_names, c->extra_debugging)));
-			}
-		}
-#endif
-	}
-
-	if (msg.whack_myid)
-	{
-		set_myid(MYID_SPECIFIED, msg.myid);
-	}
-
-	/* Deleting combined with adding a connection works as replace.
-	 * To make this more useful, in only this combination,
-	 * delete will silently ignore the lack of the connection.
-	 */
-	if (msg.whack_delete)
-	{
-		if (msg.whack_ca)
-		{
-			find_ca_info_by_name(msg.name, TRUE);
-		}
-		else
-		{
-			delete_connections_by_name(msg.name, !msg.whack_connection);
-		}
-	}
-
-	if (msg.whack_deletestate)
-	{
-		struct state *st = state_with_serialno(msg.whack_deletestateno);
-
-		if (st == NULL)
-		{
-			loglog(RC_UNKNOWN_NAME, "no state #%lu to delete"
-				, msg.whack_deletestateno);
-		}
-		else
-		{
-			delete_state(st);
-		}
-	}
-
-	if (msg.whack_crash)
-	{
-		delete_states_by_peer(&msg.whack_crash_peer);
-	}
-
-	if (msg.whack_connection)
-	{
-		add_connection(&msg);
-	}
-
-	if (msg.whack_ca && msg.cacert != NULL)
-	{
-		add_ca_info(&msg);
-	}
-
-	/* process "listen" before any operation that could require it */
-	if (msg.whack_listen)
-	{
-		close_peerlog();    /* close any open per-peer logs */
-		plog("listening for IKE messages");
-		listening = TRUE;
-		daily_log_reset();
-#ifdef ADNS
-		reset_adns_restart_count();
-#endif
-		set_myFQDN();
-		find_ifaces();
-		load_preshared_secrets(NULL_FD);
-		load_groups();
-	}
-	if (msg.whack_unlisten)
-	{
-		plog("no longer listening for IKE messages");
-		listening = FALSE;
-	}
-
-	if (msg.whack_reread & REREAD_SECRETS)
-	{
-		load_preshared_secrets(whackfd);
-	}
-
-	if (msg.whack_reread & REREAD_CACERTS)
-	{
-		load_authcerts("ca", CA_CERT_PATH, X509_CA);
-	}
-
-	if (msg.whack_reread & REREAD_AACERTS)
-	{
-		load_authcerts("aa", AA_CERT_PATH, X509_AA);
-	}
-
-	if (msg.whack_reread & REREAD_OCSPCERTS)
-	{
-		load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER);
-	}
-
-	if (msg.whack_reread & REREAD_ACERTS)
-	{
-		ac_load_certs();
-	}
-
-	if (msg.whack_reread & REREAD_CRLS)
-	{
-		load_crls();
-	}
-
-	if (msg.whack_purgeocsp)
-	{
-		free_ocsp_fetch();
-		free_ocsp_cache();
-	}
-
-	if (msg.whack_leases)
-	{
-		list_leases(msg.name, msg.whack_lease_ip, msg.whack_lease_id);
-	}
-
-	if (msg.whack_list & LIST_PUBKEYS)
-	{
-		list_public_keys(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_CERTS)
-	{
-		cert_list(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_CACERTS)
-	{
-		list_authcerts("CA", X509_CA, msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_AACERTS)
-	{
-		list_authcerts("AA", X509_AA, msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_OCSPCERTS)
-	{
-		list_authcerts("OCSP", X509_OCSP_SIGNER, msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_ACERTS)
-	{
-		ac_list_certs(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_CAINFOS)
-	{
-		list_ca_infos(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_CRLS)
-	{
-		list_crls(msg.whack_utc, strict_crl_policy);
-		list_crl_fetch_requests(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_OCSP)
-	{
-		list_ocsp_cache(msg.whack_utc, strict_crl_policy);
-		list_ocsp_fetch_requests(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_CARDS)
-	{
-		scx_list(msg.whack_utc);
-	}
-
-	if (msg.whack_list & LIST_ALGS)
-	{
-		ike_alg_list();
-		kernel_alg_list();
-	}
-
-	if (msg.whack_list & LIST_PLUGINS)
-	{
-		plugin_list();
-	}
-
-	if (msg.whack_key)
-	{
-		/* add a public key */
-		key_add_request(&msg);
-	}
-
-	if (msg.whack_route)
-	{
-		if (!listening)
-		{
-			whack_log(RC_DEAF, "need --listen before --route");
-		}
-		if (msg.name == NULL)
-		{
-			whack_log(RC_UNKNOWN_NAME
-				, "whack --route requires a connection name");
-		}
-		else
-		{
-			connection_t *c = con_by_name(msg.name, TRUE);
-
-			if (c != NULL && c->ikev1)
-			{
-				set_cur_connection(c);
-				if (!oriented(*c))
-				{
-					whack_log(RC_ORIENT
-						, "we have no ipsecN interface for either end of this connection");
-				}
-				else if (c->policy & POLICY_GROUP)
-				{
-					route_group(c);
-				}
-				else if (!trap_connection(c))
-				{
-					whack_log(RC_ROUTE, "could not route");
-				}
-				reset_cur_connection();
-			}
-		}
-	}
-
-	if (msg.whack_unroute)
-	{
-		if (msg.name == NULL)
-		{
-			whack_log(RC_UNKNOWN_NAME
-				, "whack --unroute requires a connection name");
-		}
-		else
-		{
-			connection_t *c = con_by_name(msg.name, TRUE);
-
-			if (c != NULL && c->ikev1)
-			{
-				struct spd_route *sr;
-				int fail = 0;
-
-				set_cur_connection(c);
-
-				for (sr = &c->spd; sr != NULL; sr = sr->next)
-				{
-					if (sr->routing >= RT_ROUTED_TUNNEL)
-					{
-						fail++;
-					}
-				}
-				if (fail > 0)
-				{
-					whack_log(RC_RTBUSY, "cannot unroute: route busy");
-				}
-				else if (c->policy & POLICY_GROUP)
-				{
-					unroute_group(c);
-				}
-				else
-				{
-					unroute_connection(c);
-				}
-				reset_cur_connection();
-			}
-		}
-	}
-
-	if (msg.whack_initiate)
-	{
-		if (!listening)
-		{
-			whack_log(RC_DEAF, "need --listen before --initiate");
-		}
-		else if (msg.name == NULL)
-		{
-			whack_log(RC_UNKNOWN_NAME
-				, "whack --initiate requires a connection name");
-		}
-		else
-		{
-			initiate_connection(msg.name
-				, msg.whack_async? NULL_FD : dup_any(whackfd));
-		}
-	}
-
-	if (msg.whack_oppo_initiate)
-	{
-		if (!listening)
-		{
-			whack_log(RC_DEAF, "need --listen before opportunistic initiation");
-		}
-		else
-		{
-			initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0
-				, FALSE
-				, msg.whack_async? NULL_FD : dup_any(whackfd));
-		}
-	}
-
-	if (msg.whack_terminate)
-	{
-		if (msg.name == NULL)
-		{
-			whack_log(RC_UNKNOWN_NAME
-				, "whack --terminate requires a connection name");
-		}
-		else
-		{
-			terminate_connection(msg.name);
-		}
-	}
-
-	if (msg.whack_status)
-	{
-		show_status(msg.whack_statusall, msg.name);
-	}
-
-	if (msg.whack_shutdown)
-	{
-		plog("shutting down");
-		exit_pluto(0);  /* delete lock and leave, with 0 status */
-	}
-
-	if (msg.whack_sc_op != SC_OP_NONE)
-	{
-		if (pkcs11_proxy)
-		{
-			scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase
-						   , msg.whack_sc_op, msg.keyid, whackfd);
-		}
-		else
-		{
-		   plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)");
-		}
-	}
-
-	whack_log_fd = NULL_FD;
-	close(whackfd);
-}
-
-/*
- * Local Variables:
- * c-basic-offset:4
- * c-style: pluto
- * End:
- */
diff --git a/src/pluto/rcv_whack.h b/src/pluto/rcv_whack.h
deleted file mode 100644
index 66edaaf80..000000000
--- a/src/pluto/rcv_whack.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/* whack communicating routines
- * Copyright (C) 1998, 1999  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-extern void whack_handle(int kernelfd);
diff --git a/src/pluto/rsaref/pkcs11.h b/src/pluto/rsaref/pkcs11.h
deleted file mode 100644
index 3283bdc89..000000000
--- a/src/pluto/rsaref/pkcs11.h
+++ /dev/null
@@ -1,299 +0,0 @@
-/* pkcs11.h include file for PKCS #11. */
-/* $Revision: 1.2 $ */
-
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
- */
-
-#ifndef _PKCS11_H_
-#define _PKCS11_H_ 1
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Before including this file (pkcs11.h) (or pkcs11t.h by
- * itself), 6 platform-specific macros must be defined.  These
- * macros are described below, and typical definitions for them
- * are also given.  Be advised that these definitions can depend
- * on both the platform and the compiler used (and possibly also
- * on whether a Cryptoki library is linked statically or
- * dynamically).
- *
- * In addition to defining these 6 macros, the packing convention
- * for Cryptoki structures should be set.  The Cryptoki
- * convention on packing is that structures should be 1-byte
- * aligned.
- *
- * If you're using Microsoft Developer Studio 5.0 to produce
- * Win32 stuff, this might be done by using the following
- * preprocessor directive before including pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(push, cryptoki, 1)
- *
- * and using the following preprocessor directive after including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(pop, cryptoki)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to produce Win16 stuff, this might be done by using
- * the following preprocessor directive before including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(1)
- *
- * In a UNIX environment, you're on your own for this.  You might
- * not need to do (or be able to do!) anything.
- *
- *
- * Now for the macros:
- *
- *
- * 1. CK_PTR: The indirection string for making a pointer to an
- * object.  It can be used like this:
- *
- * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
- *
- * If you're using Microsoft Developer Studio 5.0 to produce
- * Win32 stuff, it might be defined by:
- *
- * #define CK_PTR *
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to produce Win16 stuff, it might be defined by:
- *
- * #define CK_PTR far *
- *
- * In a typical UNIX environment, it might be defined by:
- *
- * #define CK_PTR *
- *
- *
- * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
- * an exportable Cryptoki library function definition out of a
- * return type and a function name.  It should be used in the
- * following fashion to define the exposed Cryptoki functions in
- * a Cryptoki library:
- *
- * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
- *   CK_VOID_PTR pReserved
- * )
- * {
- *   ...
- * }
- *
- * If you're using Microsoft Developer Studio 5.0 to define a
- * function in a Win32 Cryptoki .dll, it might be defined by:
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType __declspec(dllexport) name
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to define a function in a Win16 Cryptoki .dll, it
- * might be defined by:
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType name
- *
- *
- * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
- * an importable Cryptoki library function declaration out of a
- * return type and a function name.  It should be used in the
- * following fashion:
- *
- * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
- *   CK_VOID_PTR pReserved
- * );
- *
- * If you're using Microsoft Developer Studio 5.0 to declare a
- * function in a Win32 Cryptoki .dll, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __declspec(dllimport) name
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to declare a function in a Win16 Cryptoki .dll, it
- * might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType name
- *
- *
- * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
- * which makes a Cryptoki API function pointer declaration or
- * function pointer type declaration out of a return type and a
- * function name.  It should be used in the following fashion:
- *
- * // Define funcPtr to be a pointer to a Cryptoki API function
- * // taking arguments args and returning CK_RV.
- * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
- *
- * or
- *
- * // Define funcPtrType to be the type of a pointer to a
- * // Cryptoki API function taking arguments args and returning
- * // CK_RV, and then define funcPtr to be a variable of type
- * // funcPtrType.
- * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
- * funcPtrType funcPtr;
- *
- * If you're using Microsoft Developer Studio 5.0 to access
- * functions in a Win32 Cryptoki .dll, in might be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __declspec(dllimport) (* name)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to access functions in a Win16 Cryptoki .dll, it might
- * be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __export _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType (* name)
- *
- *
- * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
- * a function pointer type for an application callback out of
- * a return type for the callback and a name for the callback.
- * It should be used in the following fashion:
- *
- * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
- *
- * to declare a function pointer, myCallback, to a callback
- * which takes arguments args and returns a CK_RV.  It can also
- * be used like this:
- *
- * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
- * myCallbackType myCallback;
- *
- * If you're using Microsoft Developer Studio 5.0 to do Win32
- * Cryptoki development, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to do Win16 development, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- *
- * 6. NULL_PTR: This macro is the value of a NULL pointer.
- *
- * In any ANSI/ISO C environment (and in many others as well),
- * this should best be defined by
- *
- * #ifndef NULL_PTR
- * #define NULL_PTR 0
- * #endif
- */
-
-
-/* All the various Cryptoki types and #define'd values are in the
- * file pkcs11t.h. */
-#include "pkcs11t.h"
-
-#define __PASTE(x,y)      x##y
-
-
-/* ==============================================================
- * Define the "extern" form of all the entry points.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  extern CK_DECLARE_FUNCTION(CK_RV, name)
-
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes. */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define the typedef form of all the entry points.  That is, for
- * each Cryptoki function C_XXX, define a type CK_C_XXX which is
- * a pointer to that kind of function.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
-
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes. */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define structed vector of entry points.  A CK_FUNCTION_LIST
- * contains a CK_VERSION indicating a library's Cryptoki version
- * and then a whole slew of function pointers to the routines in
- * the library.  This type was declared, but not defined, in
- * pkcs11t.h.
- * ==============================================================
- */
-
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  __PASTE(CK_,name) name;
-
-struct CK_FUNCTION_LIST {
-
-  CK_VERSION    version;  /* Cryptoki version */
-
-/* Pile all the function pointers into the CK_FUNCTION_LIST. */
-/* pkcs11f.h has all the information about the Cryptoki
- * function prototypes. */
-#include "pkcs11f.h"
-
-};
-
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-#undef __PASTE
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/src/pluto/rsaref/pkcs11f.h b/src/pluto/rsaref/pkcs11f.h
deleted file mode 100644
index 54b884aed..000000000
--- a/src/pluto/rsaref/pkcs11f.h
+++ /dev/null
@@ -1,912 +0,0 @@
-/* pkcs11f.h include file for PKCS #11. */
-/* $Revision: 1.2 $ */
-
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
- */
-
-/* This header file contains pretty much everything about all the */
-/* Cryptoki function prototypes.  Because this information is */
-/* used for more than just declaring function prototypes, the */
-/* order of the functions appearing herein is important, and */
-/* should not be altered. */
-
-/* General-purpose */
-
-/* C_Initialize initializes the Cryptoki library. */
-CK_PKCS11_FUNCTION_INFO(C_Initialize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
-                            * cast to CK_C_INITIALIZE_ARGS_PTR
-                            * and dereferenced */
-);
-#endif
-
-
-/* C_Finalize indicates that an application is done with the
- * Cryptoki library. */
-CK_PKCS11_FUNCTION_INFO(C_Finalize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
-);
-#endif
-
-
-/* C_GetInfo returns general information about Cryptoki. */
-CK_PKCS11_FUNCTION_INFO(C_GetInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_INFO_PTR   pInfo  /* location that receives information */
-);
-#endif
-
-
-/* C_GetFunctionList returns the function list. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
-                                            * function list */
-);
-#endif
-
-
-
-/* Slot and token management */
-
-/* C_GetSlotList obtains a list of slots in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
-  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
-  CK_ULONG_PTR   pulCount       /* receives number of slots */
-);
-#endif
-
-
-/* C_GetSlotInfo obtains information about a particular slot in
- * the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID       slotID,  /* the ID of the slot */
-  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
-);
-#endif
-
-
-/* C_GetTokenInfo obtains information about a particular token
- * in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID        slotID,  /* ID of the token's slot */
-  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
-);
-#endif
-
-
-/* C_GetMechanismList obtains a list of mechanism types
- * supported by a token. */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,          /* ID of token's slot */
-  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
-  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
-);
-#endif
-
-
-/* C_GetMechanismInfo obtains information about a particular
- * mechanism possibly supported by a token. */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,  /* ID of the token's slot */
-  CK_MECHANISM_TYPE     type,    /* type of mechanism */
-  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
-);
-#endif
-
-
-/* C_InitToken initializes a token. */
-CK_PKCS11_FUNCTION_INFO(C_InitToken)
-#ifdef CK_NEED_ARG_LIST
-/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
-(
-  CK_SLOT_ID      slotID,    /* ID of the token's slot */
-  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
-  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
-  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
-);
-#endif
-
-
-/* C_InitPIN initializes the normal user's PIN. */
-CK_PKCS11_FUNCTION_INFO(C_InitPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
-  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
-);
-#endif
-
-
-/* C_SetPIN modifies the PIN of the user who is logged in. */
-CK_PKCS11_FUNCTION_INFO(C_SetPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
-  CK_ULONG          ulOldLen,  /* length of the old PIN */
-  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
-  CK_ULONG          ulNewLen   /* length of the new PIN */
-);
-#endif
-
-
-
-/* Session management */
-
-/* C_OpenSession opens a session between an application and a
- * token. */
-CK_PKCS11_FUNCTION_INFO(C_OpenSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,        /* the slot's ID */
-  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
-  CK_VOID_PTR           pApplication,  /* passed to callback */
-  CK_NOTIFY             Notify,        /* callback function */
-  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
-);
-#endif
-
-
-/* C_CloseSession closes a session between an application and a
- * token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CloseAllSessions closes all sessions with a token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID     slotID  /* the token's slot */
-);
-#endif
-
-
-/* C_GetSessionInfo obtains information about the session. */
-CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE   hSession,  /* the session's handle */
-  CK_SESSION_INFO_PTR pInfo      /* receives session info */
-);
-#endif
-
-
-/* C_GetOperationState obtains the state of the cryptographic operation
- * in a session. */
-CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,             /* session's handle */
-  CK_BYTE_PTR       pOperationState,      /* gets state */
-  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
-);
-#endif
-
-
-/* C_SetOperationState restores the state of the cryptographic
- * operation in a session. */
-CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR      pOperationState,      /* holds state */
-  CK_ULONG         ulOperationStateLen,  /* holds state length */
-  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
-  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
-);
-#endif
-
-
-/* C_Login logs a user into a token. */
-CK_PKCS11_FUNCTION_INFO(C_Login)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_USER_TYPE      userType,  /* the user type */
-  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
-  CK_ULONG          ulPinLen   /* the length of the PIN */
-);
-#endif
-
-
-/* C_Logout logs a user out from a token. */
-CK_PKCS11_FUNCTION_INFO(C_Logout)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Object management */
-
-/* C_CreateObject creates a new object. */
-CK_PKCS11_FUNCTION_INFO(C_CreateObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
-  CK_ULONG          ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
-);
-#endif
-
-
-/* C_CopyObject copies an object, creating a new object for the
- * copy. */
-CK_PKCS11_FUNCTION_INFO(C_CopyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
-  CK_ULONG             ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
-);
-#endif
-
-
-/* C_DestroyObject destroys an object. */
-CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject    /* the object's handle */
-);
-#endif
-
-
-/* C_GetObjectSize gets the size of an object in bytes. */
-CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
-  CK_ULONG_PTR      pulSize    /* receives size of object */
-);
-#endif
-
-
-/* C_GetAttributeValue obtains the value of one or more object
- * attributes. */
-CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_SetAttributeValue modifies the value of one or more object
- * attributes */
-CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_FindObjectsInit initializes a search for token and session
- * objects that match a template. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
-  CK_ULONG          ulCount     /* attrs in search template */
-);
-#endif
-
-
-/* C_FindObjects continues a search for token and session
- * objects that match a template, obtaining additional object
- * handles. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjects)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE    hSession,          /* session's handle */
- CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
- CK_ULONG             ulMaxObjectCount,  /* max handles to get */
- CK_ULONG_PTR         pulObjectCount     /* actual # returned */
-);
-#endif
-
-
-/* C_FindObjectsFinal finishes a search for token and session
- * objects. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Encryption and decryption */
-
-/* C_EncryptInit initializes an encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
-);
-#endif
-
-
-/* C_Encrypt encrypts single-part data. */
-CK_PKCS11_FUNCTION_INFO(C_Encrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pData,               /* the plaintext data */
-  CK_ULONG          ulDataLen,           /* bytes of plaintext */
-  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptUpdate continues a multiple-part encryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pPart,              /* the plaintext data */
-  CK_ULONG          ulPartLen,          /* plaintext data len */
-  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptFinal finishes a multiple-part encryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,                /* session handle */
-  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
-  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
-);
-#endif
-
-
-/* C_DecryptInit initializes a decryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
-);
-#endif
-
-
-/* C_Decrypt decrypts encrypted data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Decrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
-  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
-  CK_BYTE_PTR       pData,              /* gets plaintext */
-  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
-);
-#endif
-
-
-/* C_DecryptUpdate continues a multiple-part decryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
-  CK_ULONG          ulEncryptedPartLen,  /* input length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* p-text size */
-);
-#endif
-
-
-/* C_DecryptFinal finishes a multiple-part decryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
-  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
-);
-#endif
-
-
-
-/* Message digesting */
-
-/* C_DigestInit initializes a message-digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
-);
-#endif
-
-
-/* C_Digest digests data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Digest)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pData,        /* data to be digested */
-  CK_ULONG          ulDataLen,    /* bytes of data to digest */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
-);
-#endif
-
-
-/* C_DigestUpdate continues a multiple-part message-digesting
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* data to be digested */
-  CK_ULONG          ulPartLen  /* bytes of data to be digested */
-);
-#endif
-
-
-/* C_DigestKey continues a multi-part message-digesting
- * operation, by digesting the value of a secret key as part of
- * the data already digested. */
-CK_PKCS11_FUNCTION_INFO(C_DigestKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
-);
-#endif
-
-
-/* C_DigestFinal finishes a multiple-part message-digesting
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
-);
-#endif
-
-
-
-/* Signing and MACing */
-
-/* C_SignInit initializes a signature (private key encryption)
- * operation, where the signature is (will be) an appendix to
- * the data, and plaintext cannot be recovered from the
- *signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
-);
-#endif
-
-
-/* C_Sign signs (encrypts with private key) data in a single
- * part, where the signature is (will be) an appendix to the
- * data, and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_Sign)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* the data to sign */
-  CK_ULONG          ulPartLen  /* count of bytes to sign */
-);
-#endif
-
-
-/* C_SignFinal finishes a multiple-part signature operation,
- * returning the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignRecoverInit initializes a signature operation, where
- * the data can be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
-);
-#endif
-
-
-/* C_SignRecover signs data in a single operation, where the
- * data can be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-
-/* Verifying signatures and MACs */
-
-/* C_VerifyInit initializes a verification operation, where the
- * signature is an appendix to the data, and plaintext cannot
- *  cannot be recovered from the signature (e.g. DSA). */
-CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */
-);
-#endif
-
-
-/* C_Verify verifies a signature in a single-part operation,
- * where the signature is an appendix to the data, and plaintext
- * cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_Verify)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pData,          /* signed data */
-  CK_ULONG          ulDataLen,      /* length of signed data */
-  CK_BYTE_PTR       pSignature,     /* signature */
-  CK_ULONG          ulSignatureLen  /* signature length*/
-);
-#endif
-
-
-/* C_VerifyUpdate continues a multiple-part verification
- * operation, where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* signed data */
-  CK_ULONG          ulPartLen  /* length of signed data */
-);
-#endif
-
-
-/* C_VerifyFinal finishes a multiple-part verification
- * operation, checking the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pSignature,     /* signature to verify */
-  CK_ULONG          ulSignatureLen  /* signature length */
-);
-#endif
-
-
-/* C_VerifyRecoverInit initializes a signature verification
- * operation, where the data is recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */
-);
-#endif
-
-
-/* C_VerifyRecover verifies a signature in a single-part
- * operation, where the data is recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* signature to verify */
-  CK_ULONG          ulSignatureLen,  /* signature length */
-  CK_BYTE_PTR       pData,           /* gets signed data */
-  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
-);
-#endif
-
-
-
-/* Dual-function cryptographic operations */
-
-/* C_DigestEncryptUpdate continues a multiple-part digesting
- * and encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
-);
-#endif
-
-
-/* C_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptVerifyUpdate continues a multiple-part decryption and
- * verify operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
-);
-#endif
-
-
-
-/* Key management */
-
-/* C_GenerateKey generates a secret key, creating a new key
- * object. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
-  CK_ULONG             ulCount,     /* # of attrs in template */
-  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
-);
-#endif
-
-
-/* C_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,                    /* session
-                                                     * handle */
-  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
-                                                     * mech. */
-  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
-                                                     * for pub.
-                                                     * key */
-  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
-                                                     * attrs. */
-  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
-                                                     * for priv.
-                                                     * key */
-  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
-                                                     * attrs. */
-  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
-                                                     * key
-                                                     * handle */
-  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
-                                                     * priv. key
-                                                     * handle */
-);
-#endif
-
-
-/* C_WrapKey wraps (i.e., encrypts) a key. */
-CK_PKCS11_FUNCTION_INFO(C_WrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
-  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
-  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
-  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
-  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
-);
-#endif
-
-
-/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
- * key object. */
-CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
-  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
-  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
-  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-/* C_DeriveKey derives a key from a base key, creating a new key
- * object. */
-CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
-  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-
-/* Random number generation */
-
-/* C_SeedRandom mixes additional seed material into the token's
- * random number generator. */
-CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pSeed,     /* the seed material */
-  CK_ULONG          ulSeedLen  /* length of seed material */
-);
-#endif
-
-
-/* C_GenerateRandom generates random data. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_BYTE_PTR       RandomData,  /* receives the random data */
-  CK_ULONG          ulRandomLen  /* # of bytes to generate */
-);
-#endif
-
-
-
-/* Parallel function management */
-
-/* C_GetFunctionStatus is a legacy function; it obtains an
- * updated status of a function running in parallel with an
- * application. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CancelFunction is a legacy function; it cancels a function
- * running in parallel. */
-CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Functions added in for Cryptoki Version 2.01 or later */
-
-/* C_WaitForSlotEvent waits for a slot event (token insertion,
- * removal, etc.) to occur. */
-CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FLAGS flags,        /* blocking/nonblocking flag */
-  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
-  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
-);
-#endif
diff --git a/src/pluto/rsaref/pkcs11t.h b/src/pluto/rsaref/pkcs11t.h
deleted file mode 100644
index 3da20b215..000000000
--- a/src/pluto/rsaref/pkcs11t.h
+++ /dev/null
@@ -1,1685 +0,0 @@
-/* pkcs11t.h include file for PKCS #11. */
-/* $Revision: 1.2 $ */
-
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
- */
-
-/* See top of pkcs11.h for information about the macros that
- * must be defined and the structure-packing conventions that
- * must be set before including this file. */
-
-#ifndef _PKCS11T_H_
-#define _PKCS11T_H_ 1
-
-#define CK_TRUE 1
-#define CK_FALSE 0
-
-#ifndef CK_DISABLE_TRUE_FALSE
-#ifndef FALSE
-#define FALSE CK_FALSE
-#endif
-
-#ifndef TRUE
-#define TRUE CK_TRUE
-#endif
-#endif
-
-/* an unsigned 8-bit value */
-typedef unsigned char     CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE           CK_CHAR;
-
-/* an 8-bit UTF-8 character */
-typedef CK_BYTE           CK_UTF8CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE           CK_BBOOL;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-/* CK_LONG is new for v2.0 */
-typedef long int          CK_LONG;
-
-/* at least 32 bits; each bit is a Boolean flag */
-typedef CK_ULONG          CK_FLAGS;
-
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION (~0UL)
-#define CK_EFFECTIVELY_INFINITE    0
-
-
-typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
-typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
-typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
-typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
-typedef void        CK_PTR   CK_VOID_PTR;
-
-/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-
-
-/* The following value is always invalid if used as a session */
-/* handle or object handle */
-#define CK_INVALID_HANDLE 0
-
-
-typedef struct CK_VERSION {
-  CK_BYTE       major;  /* integer portion of version number */
-  CK_BYTE       minor;  /* 1/100ths portion of version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-
-
-typedef struct CK_INFO {
-  /* manufacturerID and libraryDecription have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_FLAGS      flags;               /* must be zero */
-
-  /* libraryDescription and libraryVersion are new for v2.0 */
-  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
-  CK_VERSION    libraryVersion;          /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR    CK_INFO_PTR;
-
-
-/* CK_NOTIFICATION enumerates the types of notifications that
- * Cryptoki provides to an application */
-/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
- * for v2.0 */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER       0
-
-
-typedef CK_ULONG          CK_SLOT_ID;
-
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot */
-typedef struct CK_SLOT_INFO {
-  /* slotDescription and manufacturerID have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
-  CK_FLAGS      flags;
-
-  /* hardwareVersion and firmwareVersion are new for v2.0 */
-  CK_VERSION    hardwareVersion;  /* version of hardware */
-  CK_VERSION    firmwareVersion;  /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag              Mask        Meaning
- */
-#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
-#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
-#define CKF_HW_SLOT           0x00000004  /* hardware slot */
-
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token */
-typedef struct CK_TOKEN_INFO {
-  /* label, manufacturerID, and model have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-  CK_UTF8CHAR   label[32];           /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_UTF8CHAR   model[16];           /* blank padded */
-  CK_CHAR       serialNumber[16];    /* blank padded */
-  CK_FLAGS      flags;               /* see below */
-
-  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
-   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
-   * changed from CK_USHORT to CK_ULONG for v2.0 */
-  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
-  CK_ULONG      ulSessionCount;        /* sess. now open */
-  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
-  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
-  CK_ULONG      ulMaxPinLen;           /* in bytes */
-  CK_ULONG      ulMinPinLen;           /* in bytes */
-  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
-  CK_ULONG      ulFreePublicMemory;    /* in bytes */
-  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
-  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
-
-  /* hardwareVersion, firmwareVersion, and time are new for
-   * v2.0 */
-  CK_VERSION    hardwareVersion;       /* version of hardware */
-  CK_VERSION    firmwareVersion;       /* version of firmware */
-  CK_CHAR       utcTime[16];           /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- *      Bit Flag                    Mask        Meaning
- */
-#define CKF_RNG                     0x00000001  /* has random #
-                                                 * generator */
-#define CKF_WRITE_PROTECTED         0x00000002  /* token is
-                                                 * write-
-                                                 * protected */
-#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
-                                                 * login */
-#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
-                                                 * PIN is set */
-
-/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
- * that means that *every* time the state of cryptographic
- * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state */
-#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
-
-/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
- * that the token has some sort of clock.  The time on that
- * clock is returned in the token info structure */
-#define CKF_CLOCK_ON_TOKEN          0x00000040
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
- * set, that means that there is some way for the user to login
- * without sending a PIN through the Cryptoki library itself */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
-
-/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
- * that means that a single session with the token can perform
- * dual simultaneous cryptographic operations (digest and
- * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign) */
-#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
-
-/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
- * token has been initialized using C_InitializeToken or an
- * equivalent mechanism outside the scope of PKCS #11.
- * Calling C_InitializeToken when this flag is set will cause
- * the token to be reinitialized. */
-#define CKF_TOKEN_INITIALIZED       0x00000400
-
-/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
- * true, the token supports secondary authentication for
- * private key objects. This flag is deprecated in v2.11 and
-   onwards. */
-#define CKF_SECONDARY_AUTHENTICATION  0x00000800
-
-/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
- * incorrect user login PIN has been entered at least once
- * since the last successful authentication. */
-#define CKF_USER_PIN_COUNT_LOW       0x00010000
-
-/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
- * supplying an incorrect user PIN will it to become locked. */
-#define CKF_USER_PIN_FINAL_TRY       0x00020000
-
-/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
- * user PIN has been locked. User login to the token is not
- * possible. */
-#define CKF_USER_PIN_LOCKED          0x00040000
-
-/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
- * the user PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card. */
-#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
-
-/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
- * incorrect SO login PIN has been entered at least once since
- * the last successful authentication. */
-#define CKF_SO_PIN_COUNT_LOW         0x00100000
-
-/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
- * supplying an incorrect SO PIN will it to become locked. */
-#define CKF_SO_PIN_FINAL_TRY         0x00200000
-
-/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
- * PIN has been locked. SO login to the token is not possible.
- */
-#define CKF_SO_PIN_LOCKED            0x00400000
-
-/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
- * the SO PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card. */
-#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
-
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-
-/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
- * identifies a session */
-typedef CK_ULONG          CK_SESSION_HANDLE;
-
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of Cryptoki users */
-/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO    0
-/* Normal user */
-#define CKU_USER  1
-/* Context specific (added in v2.20) */
-#define CKU_CONTEXT_SPECIFIC   2
-
-/* CK_STATE enumerates the session states */
-/* CK_STATE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_STATE;
-#define CKS_RO_PUBLIC_SESSION  0
-#define CKS_RO_USER_FUNCTIONS  1
-#define CKS_RW_PUBLIC_SESSION  2
-#define CKS_RW_USER_FUNCTIONS  3
-#define CKS_RW_SO_FUNCTIONS    4
-
-
-/* CK_SESSION_INFO provides information about a session */
-typedef struct CK_SESSION_INFO {
-  CK_SLOT_ID    slotID;
-  CK_STATE      state;
-  CK_FLAGS      flags;          /* see below */
-
-  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG      ulDeviceError;  /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table:
- *      Bit Flag                Mask        Meaning
- */
-#define CKF_RW_SESSION          0x00000002  /* session is r/w */
-#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
-
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object  */
-typedef CK_ULONG          CK_OBJECT_HANDLE;
-
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or
- * types) of objects that Cryptoki recognizes.  It is defined
- * as follows: */
-/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-/* CKO_HW_FEATURE is new for v2.10 */
-/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
-/* CKO_MECHANISM is new for v2.20 */
-#define CKO_DATA              0x00000000
-#define CKO_CERTIFICATE       0x00000001
-#define CKO_PUBLIC_KEY        0x00000002
-#define CKO_PRIVATE_KEY       0x00000003
-#define CKO_SECRET_KEY        0x00000004
-#define CKO_HW_FEATURE        0x00000005
-#define CKO_DOMAIN_PARAMETERS 0x00000006
-#define CKO_MECHANISM         0x00000007
-#define CKO_VENDOR_DEFINED    0x80000000
-
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
- * value that identifies the hardware feature type of an object
- * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
-typedef CK_ULONG          CK_HW_FEATURE_TYPE;
-
-/* The following hardware feature types are defined */
-/* CKH_USER_INTERFACE is new for v2.20 */
-#define CKH_MONOTONIC_COUNTER  0x00000001
-#define CKH_CLOCK           0x00000002
-#define CKH_USER_INTERFACE  0x00000003
-#define CKH_VENDOR_DEFINED  0x80000000
-
-/* CK_KEY_TYPE is a value that identifies a key type */
-/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG          CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA             0x00000000
-#define CKK_DSA             0x00000001
-#define CKK_DH              0x00000002
-
-/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
-#define CKK_ECDSA           0x00000003
-#define CKK_EC              0x00000003
-#define CKK_X9_42_DH        0x00000004
-#define CKK_KEA             0x00000005
-
-#define CKK_GENERIC_SECRET  0x00000010
-#define CKK_RC2             0x00000011
-#define CKK_RC4             0x00000012
-#define CKK_DES             0x00000013
-#define CKK_DES2            0x00000014
-#define CKK_DES3            0x00000015
-
-/* all these key types are new for v2.0 */
-#define CKK_CAST            0x00000016
-#define CKK_CAST3           0x00000017
-/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
-#define CKK_CAST5           0x00000018
-#define CKK_CAST128         0x00000018
-#define CKK_RC5             0x00000019
-#define CKK_IDEA            0x0000001A
-#define CKK_SKIPJACK        0x0000001B
-#define CKK_BATON           0x0000001C
-#define CKK_JUNIPER         0x0000001D
-#define CKK_CDMF            0x0000001E
-#define CKK_AES             0x0000001F
-
-/* BlowFish and TwoFish are new for v2.20 */
-#define CKK_BLOWFISH        0x00000020
-#define CKK_TWOFISH         0x00000021
-
-#define CKK_VENDOR_DEFINED  0x80000000
-
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type */
-/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
- * for v2.0 */
-typedef CK_ULONG          CK_CERTIFICATE_TYPE;
-
-/* The following certificate types are defined: */
-/* CKC_X_509_ATTR_CERT is new for v2.10 */
-/* CKC_WTLS is new for v2.20 */
-#define CKC_X_509           0x00000000
-#define CKC_X_509_ATTR_CERT 0x00000001
-#define CKC_WTLS            0x00000002
-#define CKC_VENDOR_DEFINED  0x80000000
-
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type */
-/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
-
-/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
-   consists of an array of values. */
-#define CKF_ARRAY_ATTRIBUTE    0x40000000
-
-/* The following attribute types are defined: */
-#define CKA_CLASS              0x00000000
-#define CKA_TOKEN              0x00000001
-#define CKA_PRIVATE            0x00000002
-#define CKA_LABEL              0x00000003
-#define CKA_APPLICATION        0x00000010
-#define CKA_VALUE              0x00000011
-
-/* CKA_OBJECT_ID is new for v2.10 */
-#define CKA_OBJECT_ID          0x00000012
-
-#define CKA_CERTIFICATE_TYPE   0x00000080
-#define CKA_ISSUER             0x00000081
-#define CKA_SERIAL_NUMBER      0x00000082
-
-/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
- * for v2.10 */
-#define CKA_AC_ISSUER          0x00000083
-#define CKA_OWNER              0x00000084
-#define CKA_ATTR_TYPES         0x00000085
-
-/* CKA_TRUSTED is new for v2.11 */
-#define CKA_TRUSTED            0x00000086
-
-/* CKA_CERTIFICATE_CATEGORY ...
- * CKA_CHECK_VALUE are new for v2.20 */
-#define CKA_CERTIFICATE_CATEGORY        0x00000087
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
-#define CKA_URL                         0x00000089
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
-#define CKA_CHECK_VALUE                 0x00000090
-
-#define CKA_KEY_TYPE           0x00000100
-#define CKA_SUBJECT            0x00000101
-#define CKA_ID                 0x00000102
-#define CKA_SENSITIVE          0x00000103
-#define CKA_ENCRYPT            0x00000104
-#define CKA_DECRYPT            0x00000105
-#define CKA_WRAP               0x00000106
-#define CKA_UNWRAP             0x00000107
-#define CKA_SIGN               0x00000108
-#define CKA_SIGN_RECOVER       0x00000109
-#define CKA_VERIFY             0x0000010A
-#define CKA_VERIFY_RECOVER     0x0000010B
-#define CKA_DERIVE             0x0000010C
-#define CKA_START_DATE         0x00000110
-#define CKA_END_DATE           0x00000111
-#define CKA_MODULUS            0x00000120
-#define CKA_MODULUS_BITS       0x00000121
-#define CKA_PUBLIC_EXPONENT    0x00000122
-#define CKA_PRIVATE_EXPONENT   0x00000123
-#define CKA_PRIME_1            0x00000124
-#define CKA_PRIME_2            0x00000125
-#define CKA_EXPONENT_1         0x00000126
-#define CKA_EXPONENT_2         0x00000127
-#define CKA_COEFFICIENT        0x00000128
-#define CKA_PRIME              0x00000130
-#define CKA_SUBPRIME           0x00000131
-#define CKA_BASE               0x00000132
-
-/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
-#define CKA_PRIME_BITS         0x00000133
-#define CKA_SUBPRIME_BITS      0x00000134
-#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
-/* (To retain backwards-compatibility) */
-
-#define CKA_VALUE_BITS         0x00000160
-#define CKA_VALUE_LEN          0x00000161
-
-/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
- * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
- * and CKA_EC_POINT are new for v2.0 */
-#define CKA_EXTRACTABLE        0x00000162
-#define CKA_LOCAL              0x00000163
-#define CKA_NEVER_EXTRACTABLE  0x00000164
-#define CKA_ALWAYS_SENSITIVE   0x00000165
-
-/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
-#define CKA_KEY_GEN_MECHANISM  0x00000166
-
-#define CKA_MODIFIABLE         0x00000170
-
-/* CKA_ECDSA_PARAMS is deprecated in v2.11,
- * CKA_EC_PARAMS is preferred. */
-#define CKA_ECDSA_PARAMS       0x00000180
-#define CKA_EC_PARAMS          0x00000180
-
-#define CKA_EC_POINT           0x00000181
-
-/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
- * are new for v2.10. Deprecated in v2.11 and onwards. */
-#define CKA_SECONDARY_AUTH     0x00000200
-#define CKA_AUTH_PIN_FLAGS     0x00000201
-
-/* CKA_ALWAYS_AUTHENTICATE ...
- * CKA_UNWRAP_TEMPLATE are new for v2.20 */
-#define CKA_ALWAYS_AUTHENTICATE  0x00000202
-
-#define CKA_WRAP_WITH_TRUSTED    0x00000210
-#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
-#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
-
-/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
- * are new for v2.10 */
-#define CKA_HW_FEATURE_TYPE    0x00000300
-#define CKA_RESET_ON_INIT      0x00000301
-#define CKA_HAS_RESET          0x00000302
-
-/* The following attributes are new for v2.20 */
-#define CKA_PIXEL_X                     0x00000400
-#define CKA_PIXEL_Y                     0x00000401
-#define CKA_RESOLUTION                  0x00000402
-#define CKA_CHAR_ROWS                   0x00000403
-#define CKA_CHAR_COLUMNS                0x00000404
-#define CKA_COLOR                       0x00000405
-#define CKA_BITS_PER_PIXEL              0x00000406
-#define CKA_CHAR_SETS                   0x00000480
-#define CKA_ENCODING_METHODS            0x00000481
-#define CKA_MIME_TYPES                  0x00000482
-#define CKA_MECHANISM_TYPE              0x00000500
-#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
-#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
-#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
-#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
-
-#define CKA_VENDOR_DEFINED     0x80000000
-
-
-/* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute */
-typedef struct CK_ATTRIBUTE {
-  CK_ATTRIBUTE_TYPE type;
-  CK_VOID_PTR       pValue;
-
-  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
-  CK_ULONG          ulValueLen;  /* in bytes */
-} CK_ATTRIBUTE;
-
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-
-/* CK_DATE is a structure that defines a date */
-typedef struct CK_DATE{
-  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
-  CK_CHAR       month[2];  /* the month ("01" - "12") */
-  CK_CHAR       day[2];    /* the day   ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type */
-/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
-#define CKM_RSA_PKCS                   0x00000001
-#define CKM_RSA_9796                   0x00000002
-#define CKM_RSA_X_509                  0x00000003
-
-/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
- * are new for v2.0.  They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS               0x00000004
-#define CKM_MD5_RSA_PKCS               0x00000005
-#define CKM_SHA1_RSA_PKCS              0x00000006
-
-/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
- * CKM_RSA_PKCS_OAEP are new for v2.10 */
-#define CKM_RIPEMD128_RSA_PKCS         0x00000007
-#define CKM_RIPEMD160_RSA_PKCS         0x00000008
-#define CKM_RSA_PKCS_OAEP              0x00000009
-
-/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
- * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
-#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
-#define CKM_RSA_X9_31                  0x0000000B
-#define CKM_SHA1_RSA_X9_31             0x0000000C
-#define CKM_RSA_PKCS_PSS               0x0000000D
-#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
-
-#define CKM_DSA_KEY_PAIR_GEN           0x00000010
-#define CKM_DSA                        0x00000011
-#define CKM_DSA_SHA1                   0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
-#define CKM_DH_PKCS_DERIVE             0x00000021
-
-/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
- * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
- * v2.11 */
-#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
-#define CKM_X9_42_DH_DERIVE            0x00000031
-#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
-#define CKM_X9_42_MQV_DERIVE           0x00000033
-
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256_RSA_PKCS            0x00000040
-#define CKM_SHA384_RSA_PKCS            0x00000041
-#define CKM_SHA512_RSA_PKCS            0x00000042
-#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
-#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
-#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
-
-#define CKM_RC2_KEY_GEN                0x00000100
-#define CKM_RC2_ECB                    0x00000101
-#define CKM_RC2_CBC                    0x00000102
-#define CKM_RC2_MAC                    0x00000103
-
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-#define CKM_RC2_MAC_GENERAL            0x00000104
-#define CKM_RC2_CBC_PAD                0x00000105
-
-#define CKM_RC4_KEY_GEN                0x00000110
-#define CKM_RC4                        0x00000111
-#define CKM_DES_KEY_GEN                0x00000120
-#define CKM_DES_ECB                    0x00000121
-#define CKM_DES_CBC                    0x00000122
-#define CKM_DES_MAC                    0x00000123
-
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-#define CKM_DES_MAC_GENERAL            0x00000124
-#define CKM_DES_CBC_PAD                0x00000125
-
-#define CKM_DES2_KEY_GEN               0x00000130
-#define CKM_DES3_KEY_GEN               0x00000131
-#define CKM_DES3_ECB                   0x00000132
-#define CKM_DES3_CBC                   0x00000133
-#define CKM_DES3_MAC                   0x00000134
-
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
- * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-#define CKM_DES3_MAC_GENERAL           0x00000135
-#define CKM_DES3_CBC_PAD               0x00000136
-#define CKM_CDMF_KEY_GEN               0x00000140
-#define CKM_CDMF_ECB                   0x00000141
-#define CKM_CDMF_CBC                   0x00000142
-#define CKM_CDMF_MAC                   0x00000143
-#define CKM_CDMF_MAC_GENERAL           0x00000144
-#define CKM_CDMF_CBC_PAD               0x00000145
-
-/* the following four DES mechanisms are new for v2.20 */
-#define CKM_DES_OFB64                  0x00000150
-#define CKM_DES_OFB8                   0x00000151
-#define CKM_DES_CFB64                  0x00000152
-#define CKM_DES_CFB8                   0x00000153
-
-#define CKM_MD2                        0x00000200
-
-/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD2_HMAC                   0x00000201
-#define CKM_MD2_HMAC_GENERAL           0x00000202
-
-#define CKM_MD5                        0x00000210
-
-/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD5_HMAC                   0x00000211
-#define CKM_MD5_HMAC_GENERAL           0x00000212
-
-#define CKM_SHA_1                      0x00000220
-
-/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
-#define CKM_SHA_1_HMAC                 0x00000221
-#define CKM_SHA_1_HMAC_GENERAL         0x00000222
-
-/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
- * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
- * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
-#define CKM_RIPEMD128                  0x00000230
-#define CKM_RIPEMD128_HMAC             0x00000231
-#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
-#define CKM_RIPEMD160                  0x00000240
-#define CKM_RIPEMD160_HMAC             0x00000241
-#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
-
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256                     0x00000250
-#define CKM_SHA256_HMAC                0x00000251
-#define CKM_SHA256_HMAC_GENERAL        0x00000252
-#define CKM_SHA384                     0x00000260
-#define CKM_SHA384_HMAC                0x00000261
-#define CKM_SHA384_HMAC_GENERAL        0x00000262
-#define CKM_SHA512                     0x00000270
-#define CKM_SHA512_HMAC                0x00000271
-#define CKM_SHA512_HMAC_GENERAL        0x00000272
-
-/* All of the following mechanisms are new for v2.0 */
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST_KEY_GEN               0x00000300
-#define CKM_CAST_ECB                   0x00000301
-#define CKM_CAST_CBC                   0x00000302
-#define CKM_CAST_MAC                   0x00000303
-#define CKM_CAST_MAC_GENERAL           0x00000304
-#define CKM_CAST_CBC_PAD               0x00000305
-#define CKM_CAST3_KEY_GEN              0x00000310
-#define CKM_CAST3_ECB                  0x00000311
-#define CKM_CAST3_CBC                  0x00000312
-#define CKM_CAST3_MAC                  0x00000313
-#define CKM_CAST3_MAC_GENERAL          0x00000314
-#define CKM_CAST3_CBC_PAD              0x00000315
-#define CKM_CAST5_KEY_GEN              0x00000320
-#define CKM_CAST128_KEY_GEN            0x00000320
-#define CKM_CAST5_ECB                  0x00000321
-#define CKM_CAST128_ECB                0x00000321
-#define CKM_CAST5_CBC                  0x00000322
-#define CKM_CAST128_CBC                0x00000322
-#define CKM_CAST5_MAC                  0x00000323
-#define CKM_CAST128_MAC                0x00000323
-#define CKM_CAST5_MAC_GENERAL          0x00000324
-#define CKM_CAST128_MAC_GENERAL        0x00000324
-#define CKM_CAST5_CBC_PAD              0x00000325
-#define CKM_CAST128_CBC_PAD            0x00000325
-#define CKM_RC5_KEY_GEN                0x00000330
-#define CKM_RC5_ECB                    0x00000331
-#define CKM_RC5_CBC                    0x00000332
-#define CKM_RC5_MAC                    0x00000333
-#define CKM_RC5_MAC_GENERAL            0x00000334
-#define CKM_RC5_CBC_PAD                0x00000335
-#define CKM_IDEA_KEY_GEN               0x00000340
-#define CKM_IDEA_ECB                   0x00000341
-#define CKM_IDEA_CBC                   0x00000342
-#define CKM_IDEA_MAC                   0x00000343
-#define CKM_IDEA_MAC_GENERAL           0x00000344
-#define CKM_IDEA_CBC_PAD               0x00000345
-#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
-#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
-#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
-#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
-#define CKM_XOR_BASE_AND_DATA          0x00000364
-#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
-#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
-#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
-#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
-
-/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
- * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
- * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
-#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
-#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
-#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
-#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
-
-/* CKM_TLS_PRF is new for v2.20 */
-#define CKM_TLS_PRF                    0x00000378
-
-#define CKM_SSL3_MD5_MAC               0x00000380
-#define CKM_SSL3_SHA1_MAC              0x00000381
-#define CKM_MD5_KEY_DERIVATION         0x00000390
-#define CKM_MD2_KEY_DERIVATION         0x00000391
-#define CKM_SHA1_KEY_DERIVATION        0x00000392
-
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256_KEY_DERIVATION      0x00000393
-#define CKM_SHA384_KEY_DERIVATION      0x00000394
-#define CKM_SHA512_KEY_DERIVATION      0x00000395
-
-#define CKM_PBE_MD2_DES_CBC            0x000003A0
-#define CKM_PBE_MD5_DES_CBC            0x000003A1
-#define CKM_PBE_MD5_CAST_CBC           0x000003A2
-#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
-#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
-#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
-#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
-#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
-#define CKM_PBE_SHA1_RC4_128           0x000003A6
-#define CKM_PBE_SHA1_RC4_40            0x000003A7
-#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
-#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
-#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
-#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
-
-/* CKM_PKCS5_PBKD2 is new for v2.10 */
-#define CKM_PKCS5_PBKD2                0x000003B0
-
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
-
-/* WTLS mechanisms are new for v2.20 */
-#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
-#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
-#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
-#define CKM_WTLS_PRF                        0x000003D3
-#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
-#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
-
-#define CKM_KEY_WRAP_LYNKS             0x00000400
-#define CKM_KEY_WRAP_SET_OAEP          0x00000401
-
-/* CKM_CMS_SIG is new for v2.20 */
-#define CKM_CMS_SIG                    0x00000500
-
-/* Fortezza mechanisms */
-#define CKM_SKIPJACK_KEY_GEN           0x00001000
-#define CKM_SKIPJACK_ECB64             0x00001001
-#define CKM_SKIPJACK_CBC64             0x00001002
-#define CKM_SKIPJACK_OFB64             0x00001003
-#define CKM_SKIPJACK_CFB64             0x00001004
-#define CKM_SKIPJACK_CFB32             0x00001005
-#define CKM_SKIPJACK_CFB16             0x00001006
-#define CKM_SKIPJACK_CFB8              0x00001007
-#define CKM_SKIPJACK_WRAP              0x00001008
-#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
-#define CKM_SKIPJACK_RELAYX            0x0000100a
-#define CKM_KEA_KEY_PAIR_GEN           0x00001010
-#define CKM_KEA_KEY_DERIVE             0x00001011
-#define CKM_FORTEZZA_TIMESTAMP         0x00001020
-#define CKM_BATON_KEY_GEN              0x00001030
-#define CKM_BATON_ECB128               0x00001031
-#define CKM_BATON_ECB96                0x00001032
-#define CKM_BATON_CBC128               0x00001033
-#define CKM_BATON_COUNTER              0x00001034
-#define CKM_BATON_SHUFFLE              0x00001035
-#define CKM_BATON_WRAP                 0x00001036
-
-/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
- * CKM_EC_KEY_PAIR_GEN is preferred */
-#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
-#define CKM_EC_KEY_PAIR_GEN            0x00001040
-
-#define CKM_ECDSA                      0x00001041
-#define CKM_ECDSA_SHA1                 0x00001042
-
-/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
- * are new for v2.11 */
-#define CKM_ECDH1_DERIVE               0x00001050
-#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
-#define CKM_ECMQV_DERIVE               0x00001052
-
-#define CKM_JUNIPER_KEY_GEN            0x00001060
-#define CKM_JUNIPER_ECB128             0x00001061
-#define CKM_JUNIPER_CBC128             0x00001062
-#define CKM_JUNIPER_COUNTER            0x00001063
-#define CKM_JUNIPER_SHUFFLE            0x00001064
-#define CKM_JUNIPER_WRAP               0x00001065
-#define CKM_FASTHASH                   0x00001070
-
-/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
- * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
- * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
- * new for v2.11 */
-#define CKM_AES_KEY_GEN                0x00001080
-#define CKM_AES_ECB                    0x00001081
-#define CKM_AES_CBC                    0x00001082
-#define CKM_AES_MAC                    0x00001083
-#define CKM_AES_MAC_GENERAL            0x00001084
-#define CKM_AES_CBC_PAD                0x00001085
-
-/* BlowFish and TwoFish are new for v2.20 */
-#define CKM_BLOWFISH_KEY_GEN           0x00001090
-#define CKM_BLOWFISH_CBC               0x00001091
-#define CKM_TWOFISH_KEY_GEN            0x00001092
-#define CKM_TWOFISH_CBC                0x00001093
-
-
-/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
-#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
-#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
-#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
-#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
-#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
-#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
-
-#define CKM_DSA_PARAMETER_GEN          0x00002000
-#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
-#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
-
-#define CKM_VENDOR_DEFINED             0x80000000
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism  */
-typedef struct CK_MECHANISM {
-  CK_MECHANISM_TYPE mechanism;
-  CK_VOID_PTR       pParameter;
-
-  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG          ulParameterLen;  /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism */
-typedef struct CK_MECHANISM_INFO {
-    CK_ULONG    ulMinKeySize;
-    CK_ULONG    ulMaxKeySize;
-    CK_FLAGS    flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- *      Bit Flag               Mask        Meaning */
-#define CKF_HW                 0x00000001  /* performed by HW */
-
-/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
- * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
- * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
- * and CKF_DERIVE are new for v2.0.  They specify whether or not
- * a mechanism can be used for a particular task */
-#define CKF_ENCRYPT            0x00000100
-#define CKF_DECRYPT            0x00000200
-#define CKF_DIGEST             0x00000400
-#define CKF_SIGN               0x00000800
-#define CKF_SIGN_RECOVER       0x00001000
-#define CKF_VERIFY             0x00002000
-#define CKF_VERIFY_RECOVER     0x00004000
-#define CKF_GENERATE           0x00008000
-#define CKF_GENERATE_KEY_PAIR  0x00010000
-#define CKF_WRAP               0x00020000
-#define CKF_UNWRAP             0x00040000
-#define CKF_DERIVE             0x00080000
-
-/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
- * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
- * describe a token's EC capabilities not available in mechanism
- * information. */
-#define CKF_EC_F_P             0x00100000
-#define CKF_EC_F_2M            0x00200000
-#define CKF_EC_ECPARAMETERS    0x00400000
-#define CKF_EC_NAMEDCURVE      0x00800000
-#define CKF_EC_UNCOMPRESS      0x01000000
-#define CKF_EC_COMPRESS        0x02000000
-
-#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-
-/* CK_RV is a value that identifies the return value of a
- * Cryptoki function */
-/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG          CK_RV;
-
-#define CKR_OK                                0x00000000
-#define CKR_CANCEL                            0x00000001
-#define CKR_HOST_MEMORY                       0x00000002
-#define CKR_SLOT_ID_INVALID                   0x00000003
-
-/* CKR_FLAGS_INVALID was removed for v2.0 */
-
-/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-#define CKR_GENERAL_ERROR                     0x00000005
-#define CKR_FUNCTION_FAILED                   0x00000006
-
-/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
- * and CKR_CANT_LOCK are new for v2.01 */
-#define CKR_ARGUMENTS_BAD                     0x00000007
-#define CKR_NO_EVENT                          0x00000008
-#define CKR_NEED_TO_CREATE_THREADS            0x00000009
-#define CKR_CANT_LOCK                         0x0000000A
-
-#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
-#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
-#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
-#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
-#define CKR_DATA_INVALID                      0x00000020
-#define CKR_DATA_LEN_RANGE                    0x00000021
-#define CKR_DEVICE_ERROR                      0x00000030
-#define CKR_DEVICE_MEMORY                     0x00000031
-#define CKR_DEVICE_REMOVED                    0x00000032
-#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
-#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
-#define CKR_FUNCTION_CANCELED                 0x00000050
-#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
-
-/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
-
-#define CKR_KEY_HANDLE_INVALID                0x00000060
-
-/* CKR_KEY_SENSITIVE was removed for v2.0 */
-
-#define CKR_KEY_SIZE_RANGE                    0x00000062
-#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
-
-/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
- * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
- * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
- * v2.0 */
-#define CKR_KEY_NOT_NEEDED                    0x00000064
-#define CKR_KEY_CHANGED                       0x00000065
-#define CKR_KEY_NEEDED                        0x00000066
-#define CKR_KEY_INDIGESTIBLE                  0x00000067
-#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
-#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
-#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
-
-#define CKR_MECHANISM_INVALID                 0x00000070
-#define CKR_MECHANISM_PARAM_INVALID           0x00000071
-
-/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
- * were removed for v2.0 */
-#define CKR_OBJECT_HANDLE_INVALID             0x00000082
-#define CKR_OPERATION_ACTIVE                  0x00000090
-#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
-#define CKR_PIN_INCORRECT                     0x000000A0
-#define CKR_PIN_INVALID                       0x000000A1
-#define CKR_PIN_LEN_RANGE                     0x000000A2
-
-/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-#define CKR_PIN_EXPIRED                       0x000000A3
-#define CKR_PIN_LOCKED                        0x000000A4
-
-#define CKR_SESSION_CLOSED                    0x000000B0
-#define CKR_SESSION_COUNT                     0x000000B1
-#define CKR_SESSION_HANDLE_INVALID            0x000000B3
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
-#define CKR_SESSION_READ_ONLY                 0x000000B5
-#define CKR_SESSION_EXISTS                    0x000000B6
-
-/* CKR_SESSION_READ_ONLY_EXISTS and
- * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
-#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
-
-#define CKR_SIGNATURE_INVALID                 0x000000C0
-#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
-#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
-#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
-#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
-#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
-#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
-#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
-#define CKR_USER_NOT_LOGGED_IN                0x00000101
-#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
-#define CKR_USER_TYPE_INVALID                 0x00000103
-
-/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
- * are new to v2.01 */
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
-#define CKR_USER_TOO_MANY_TYPES               0x00000105
-
-#define CKR_WRAPPED_KEY_INVALID               0x00000110
-#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
-#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
-#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
-#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
-
-/* These are new to v2.0 */
-#define CKR_RANDOM_NO_RNG                     0x00000121
-
-/* These are new to v2.11 */
-#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
-
-/* These are new to v2.0 */
-#define CKR_BUFFER_TOO_SMALL                  0x00000150
-#define CKR_SAVED_STATE_INVALID               0x00000160
-#define CKR_INFORMATION_SENSITIVE             0x00000170
-#define CKR_STATE_UNSAVEABLE                  0x00000180
-
-/* These are new to v2.01 */
-#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
-#define CKR_MUTEX_BAD                         0x000001A0
-#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
-
-/* This is new to v2.20 */
-#define CKR_FUNCTION_REJECTED                 0x00000200
-
-#define CKR_VENDOR_DEFINED                    0x80000000
-
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_NOTIFICATION   event,
-  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
-);
-
-
-/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
- * version and pointers of appropriate types to all the
- * Cryptoki functions */
-/* CK_FUNCTION_LIST is new for v2.0 */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
-  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize */
-typedef struct CK_C_INITIALIZE_ARGS {
-  CK_CREATEMUTEX CreateMutex;
-  CK_DESTROYMUTEX DestroyMutex;
-  CK_LOCKMUTEX LockMutex;
-  CK_UNLOCKMUTEX UnlockMutex;
-  CK_FLAGS flags;
-  CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag                           Mask       Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
-#define CKF_OS_LOCKING_OK                  0x00000002
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK     1
-
-/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
- * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
- * Generation Function (MGF) applied to a message block when
- * formatting a message block for the PKCS #1 OAEP encryption
- * scheme. */
-typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
-
-typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
-
-/* The following MGFs are defined */
-/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
- * are new for v2.20 */
-#define CKG_MGF1_SHA1         0x00000001
-#define CKG_MGF1_SHA256       0x00000002
-#define CKG_MGF1_SHA384       0x00000003
-#define CKG_MGF1_SHA512       0x00000004
-
-/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
- * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
- * of the encoding parameter when formatting a message block
- * for the PKCS #1 OAEP encryption scheme. */
-typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
-
-typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
-
-/* The following encoding parameter sources are defined */
-#define CKZ_DATA_SPECIFIED    0x00000001
-
-/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
- * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_OAEP mechanism. */
-typedef struct CK_RSA_PKCS_OAEP_PARAMS {
-        CK_MECHANISM_TYPE hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
-        CK_VOID_PTR pSourceData;
-        CK_ULONG ulSourceDataLen;
-} CK_RSA_PKCS_OAEP_PARAMS;
-
-typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
-
-/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
- * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_PSS mechanism(s). */
-typedef struct CK_RSA_PKCS_PSS_PARAMS {
-        CK_MECHANISM_TYPE    hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_ULONG             sLen;
-} CK_RSA_PKCS_PSS_PARAMS;
-
-typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
-
-/* CK_EC_KDF_TYPE is new for v2.11. */
-typedef CK_ULONG CK_EC_KDF_TYPE;
-
-/* The following EC Key Derivation Functions are defined */
-#define CKD_NULL                 0x00000001
-#define CKD_SHA1_KDF             0x00000002
-
-/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
- * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
- * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
- * where each party contributes one key pair.
- */
-typedef struct CK_ECDH1_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_ECDH1_DERIVE_PARAMS;
-
-typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
-
-
-/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
- * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
- * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
-typedef struct CK_ECDH2_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_ECDH2_DERIVE_PARAMS;
-
-typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_ECMQV_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_ECMQV_DERIVE_PARAMS;
-
-typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
-
-/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
- * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
-typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
-typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
-
-/* The following X9.42 DH key derivation functions are defined
-   (besides CKD_NULL already defined : */
-#define CKD_SHA1_KDF_ASN1        0x00000003
-#define CKD_SHA1_KDF_CONCATENATE 0x00000004
-
-/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
- * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
- * contributes one key pair */
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_X9_42_DH1_DERIVE_PARAMS;
-
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
-
-/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
- * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
- * mechanisms, where each party contributes two key pairs */
-typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_X9_42_DH2_DERIVE_PARAMS;
-
-typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_X9_42_MQV_DERIVE_PARAMS;
-
-typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism */
-/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-typedef struct CK_KEA_DERIVE_PARAMS {
-  CK_BBOOL      isSender;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pRandomB;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
- * holds the effective keysize */
-typedef CK_ULONG          CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism */
-typedef struct CK_RC2_CBC_PARAMS {
-  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-
-  CK_BYTE       iv[8];            /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism */
-/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms */
-/* CK_RC5_PARAMS is new for v2.0 */
-typedef struct CK_RC5_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism */
-/* CK_RC5_CBC_PARAMS is new for v2.0 */
-typedef struct CK_RC5_CBC_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-  CK_BYTE_PTR   pIv;         /* pointer to IV */
-  CK_ULONG      ulIvLen;     /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism */
-/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulWordsize;   /* wordsize in bits */
-  CK_ULONG      ulRounds;     /* number of rounds */
-  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
- * the MAC */
-/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
-typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[8];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[16];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
-  CK_ULONG      ulPasswordLen;
-  CK_BYTE_PTR   pPassword;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-  CK_ULONG      ulPAndGLen;
-  CK_ULONG      ulQLen;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pPrimeP;
-  CK_BYTE_PTR   pBaseG;
-  CK_BYTE_PTR   pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
-  CK_SKIPJACK_PRIVATE_WRAP_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism */
-/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
-  CK_ULONG      ulOldWrappedXLen;
-  CK_BYTE_PTR   pOldWrappedX;
-  CK_ULONG      ulOldPasswordLen;
-  CK_BYTE_PTR   pOldPassword;
-  CK_ULONG      ulOldPublicDataLen;
-  CK_BYTE_PTR   pOldPublicData;
-  CK_ULONG      ulOldRandomLen;
-  CK_BYTE_PTR   pOldRandomA;
-  CK_ULONG      ulNewPasswordLen;
-  CK_BYTE_PTR   pNewPassword;
-  CK_ULONG      ulNewPublicDataLen;
-  CK_BYTE_PTR   pNewPublicData;
-  CK_ULONG      ulNewRandomLen;
-  CK_BYTE_PTR   pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
-  CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
-  CK_BYTE_PTR      pInitVector;
-  CK_UTF8CHAR_PTR  pPassword;
-  CK_ULONG         ulPasswordLen;
-  CK_BYTE_PTR      pSalt;
-  CK_ULONG         ulSaltLen;
-  CK_ULONG         ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism */
-/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
-  CK_BYTE       bBC;     /* block contents byte */
-  CK_BYTE_PTR   pX;      /* extra data */
-  CK_ULONG      ulXLen;  /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
-  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_RANDOM_DATA {
-  CK_BYTE_PTR  pClientRandom;
-  CK_ULONG     ulClientRandomLen;
-  CK_BYTE_PTR  pServerRandom;
-  CK_ULONG     ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
-  CK_SSL3_RANDOM_DATA RandomInfo;
-  CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hClientMacSecret;
-  CK_OBJECT_HANDLE hServerMacSecret;
-  CK_OBJECT_HANDLE hClientKey;
-  CK_OBJECT_HANDLE hServerKey;
-  CK_BYTE_PTR      pIVClient;
-  CK_BYTE_PTR      pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_BBOOL                bIsExport;
-  CK_SSL3_RANDOM_DATA     RandomInfo;
-  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-/* CK_TLS_PRF_PARAMS is new for version 2.20 */
-typedef struct CK_TLS_PRF_PARAMS {
-  CK_BYTE_PTR  pSeed;
-  CK_ULONG     ulSeedLen;
-  CK_BYTE_PTR  pLabel;
-  CK_ULONG     ulLabelLen;
-  CK_BYTE_PTR  pOutput;
-  CK_ULONG_PTR pulOutputLen;
-} CK_TLS_PRF_PARAMS;
-
-typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
-
-/* WTLS is new for version 2.20 */
-typedef struct CK_WTLS_RANDOM_DATA {
-  CK_BYTE_PTR pClientRandom;
-  CK_ULONG    ulClientRandomLen;
-  CK_BYTE_PTR pServerRandom;
-  CK_ULONG    ulServerRandomLen;
-} CK_WTLS_RANDOM_DATA;
-
-typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
-
-typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
-  CK_MECHANISM_TYPE   DigestMechanism;
-  CK_WTLS_RANDOM_DATA RandomInfo;
-  CK_BYTE_PTR         pVersion;
-} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
-
-typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_WTLS_PRF_PARAMS {
-  CK_MECHANISM_TYPE DigestMechanism;
-  CK_BYTE_PTR       pSeed;
-  CK_ULONG          ulSeedLen;
-  CK_BYTE_PTR       pLabel;
-  CK_ULONG          ulLabelLen;
-  CK_BYTE_PTR       pOutput;
-  CK_ULONG_PTR      pulOutputLen;
-} CK_WTLS_PRF_PARAMS;
-
-typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hMacSecret;
-  CK_OBJECT_HANDLE hKey;
-  CK_BYTE_PTR      pIV;
-} CK_WTLS_KEY_MAT_OUT;
-
-typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_PARAMS {
-  CK_MECHANISM_TYPE       DigestMechanism;
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_ULONG                ulSequenceNumber;
-  CK_BBOOL                bIsExport;
-  CK_WTLS_RANDOM_DATA     RandomInfo;
-  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_WTLS_KEY_MAT_PARAMS;
-
-typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
-
-/* CMS is new for version 2.20 */
-typedef struct CK_CMS_SIG_PARAMS {
-  CK_OBJECT_HANDLE      certificateHandle;
-  CK_MECHANISM_PTR      pSigningMechanism;
-  CK_MECHANISM_PTR      pDigestMechanism;
-  CK_UTF8CHAR_PTR       pContentType;
-  CK_BYTE_PTR           pRequestedAttributes;
-  CK_ULONG              ulRequestedAttributesLen;
-  CK_BYTE_PTR           pRequiredAttributes;
-  CK_ULONG              ulRequiredAttributesLen;
-} CK_CMS_SIG_PARAMS;
-
-typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
-  CK_BYTE_PTR pData;
-  CK_ULONG    ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
-  CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key */
-/* CK_EXTRACT_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
- * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
- * indicate the Pseudo-Random Function (PRF) used to generate
- * key bits using PKCS #5 PBKDF2. */
-typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
-
-typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
-
-/* The following PRFs are defined in PKCS #5 v2.0. */
-#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
-
-
-/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
- * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
- * source of the salt value when deriving a key using PKCS #5
- * PBKDF2. */
-typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
-
-typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
-
-/* The following salt value sources are defined in PKCS #5 v2.0. */
-#define CKZ_SALT_SPECIFIED        0x00000001
-
-/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
- * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
- * parameters to the CKM_PKCS5_PBKD2 mechanism. */
-typedef struct CK_PKCS5_PBKD2_PARAMS {
-        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
-        CK_VOID_PTR                                pSaltSourceData;
-        CK_ULONG                                   ulSaltSourceDataLen;
-        CK_ULONG                                   iterations;
-        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-        CK_VOID_PTR                                pPrfData;
-        CK_ULONG                                   ulPrfDataLen;
-        CK_UTF8CHAR_PTR                            pPassword;
-        CK_ULONG_PTR                               ulPasswordLen;
-} CK_PKCS5_PBKD2_PARAMS;
-
-typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
-
-#endif
diff --git a/src/pluto/rsaref/unix.h b/src/pluto/rsaref/unix.h
deleted file mode 100644
index 2e7eb6663..000000000
--- a/src/pluto/rsaref/unix.h
+++ /dev/null
@@ -1,24 +0,0 @@
-
-
-#ifndef UNIX_H
-#define UNIX_H
-
-#define CK_PTR *
-
-#define CK_DEFINE_FUNCTION(returnType, name) \
-   returnType name
-
-#define CK_DECLARE_FUNCTION(returnType, name) \
-   returnType name
-
-#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-   returnType (* name)
-
-#define CK_CALLBACK_FUNCTION(returnType, name) \
-   returnType (* name)
-
-#ifndef NULL_PTR
-#define NULL_PTR 0
-#endif
-
-#endif
diff --git a/src/pluto/server.c b/src/pluto/server.c
deleted file mode 100644
index 167b1d4c7..000000000
--- a/src/pluto/server.c
+++ /dev/null
@@ -1,910 +0,0 @@
-/* get-next-event loop
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <errno.h>
-#include <signal.h>
-#include <ctype.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#ifdef SOLARIS
-# include <sys/sockio.h>        /* for Solaris 2.6: defines SIOCGIFCONF */
-#endif
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/time.h>
-#include <netdb.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <net/if.h>
-#include <sys/ioctl.h>
-#include <resolv.h>
-#include <arpa/nameser.h>       /* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "state.h"
-#include "connections.h"
-#include "kernel.h"
-#include "log.h"
-#include "server.h"
-#include "timer.h"
-#include "packet.h"
-#include "demux.h"  /* needs packet.h */
-#include "rcv_whack.h"
-#include "keys.h"
-#include "adns.h"       /* needs <resolv.h> */
-#include "dnskey.h"     /* needs keys.h and adns.h */
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "pluto.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-#include "kameipsec.h"
-#include "nat_traversal.h"
-
-/*
- *  Server main loop and socket initialization routines.
- */
-
-static const int on = TRUE;     /* by-reference parameter; constant, we hope */
-
-/* control (whack) socket */
-int ctl_fd = NULL_FD;   /* file descriptor of control (whack) socket */
-struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
-
-/* info (showpolicy) socket */
-int policy_fd = NULL_FD;
-struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
-
-/* Initialize the control socket.
- * Note: this is called very early, so little infrastructure is available.
- * It is important that the socket is created before the original
- * Pluto process returns.
- */
-err_t
-init_ctl_socket(void)
-{
-	err_t failed = NULL;
-
-	delete_ctl_socket();        /* preventative medicine */
-	ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (ctl_fd == -1)
-		failed = "create";
-	else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
-		failed = "fcntl FD+CLOEXEC";
-	else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
-		failed = "setsockopt";
-	else
-	{
-		/* to keep control socket secure, use umask */
-		mode_t ou = umask(~S_IRWXU);
-
-		if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
-		, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
-			failed = "bind";
-		umask(ou);
-	}
-
-	/* 5 is a haphazardly chosen limit for the backlog.
-	 * Rumour has it that this is the max on BSD systems.
-	 */
-	if (failed == NULL && listen(ctl_fd, 5) < 0)
-		failed = "listen() on";
-
-	return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
-			, failed, errno, strerror(errno));
-}
-
-void
-delete_ctl_socket(void)
-{
-	/* Is noting failure useful?  Not when used as preventative medicine. */
-	unlink(ctl_addr.sun_path);
-}
-
-bool listening = FALSE; /* should we pay attention to IKE messages? */
-
-struct iface *interfaces = NULL;        /* public interfaces */
-
-/* Initialize the interface sockets. */
-
-static void
-mark_ifaces_dead(void)
-{
-	struct iface *p;
-
-	for (p = interfaces; p != NULL; p = p->next)
-		p->change = IFN_DELETE;
-}
-
-static void
-free_dead_ifaces(void)
-{
-	struct iface *p;
-	bool some_dead = FALSE
-		, some_new = FALSE;
-
-	for (p = interfaces; p != NULL; p = p->next)
-	{
-		if (p->change == IFN_DELETE)
-		{
-			plog("shutting down interface %s/%s %s"
-				, p->vname, p->rname, ip_str(&p->addr));
-			some_dead = TRUE;
-		}
-		else if (p->change == IFN_ADD)
-		{
-			some_new = TRUE;
-		}
-	}
-
-	if (some_dead)
-	{
-		struct iface **pp;
-
-		release_dead_interfaces();
-		for (pp = &interfaces; (p = *pp) != NULL; )
-		{
-			if (p->change == IFN_DELETE)
-			{
-				*pp = p->next;  /* advance *pp */
-				free(p->vname);
-				free(p->rname);
-				close(p->fd);
-				free(p);
-			}
-			else
-			{
-				pp = &p->next;  /* advance pp */
-			}
-		}
-	}
-
-	/* this must be done after the release_dead_interfaces
-	 * in case some to the newly unoriented connections can
-	 * become oriented here.
-	 */
-	if (some_dead || some_new)
-		check_orientations();
-}
-
-void
-free_ifaces(void)
-{
-	mark_ifaces_dead();
-	free_dead_ifaces();
-}
-
-struct raw_iface {
-	ip_address addr;
-	char name[IFNAMSIZ + 20];   /* what would be a safe size? */
-	struct raw_iface *next;
-};
-
-/* Called to handle --interface <ifname>
- * Semantics: if specified, only these (real) interfaces are considered.
- */
-static const char *pluto_ifn[10];
-static int pluto_ifn_roof = 0;
-
-bool
-use_interface(const char *rifn)
-{
-	if (pluto_ifn_roof >= (int)countof(pluto_ifn))
-	{
-		return FALSE;
-	}
-	else
-	{
-		pluto_ifn[pluto_ifn_roof++] = rifn;
-		return TRUE;
-	}
-}
-
-static struct raw_iface *
-find_raw_ifaces4(void)
-{
-	int j;      /* index into buf */
-	struct ifconf ifconf;
-	struct ifreq buf[300];      /* for list of interfaces -- arbitrary limit */
-	struct raw_iface *rifaces = NULL;
-	int master_sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);    /* Get a UDP socket */
-
-	/* get list of interfaces with assigned IPv4 addresses from system */
-
-	if (master_sock == -1)
-		exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
-
-	if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
-	, (const void *)&on, sizeof(on)) < 0)
-		exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
-
-	/* bind the socket */
-	{
-		ip_address any;
-
-		happy(anyaddr(AF_INET, &any));
-		setportof(htons(pluto_port), &any);
-		if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
-			exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
-	}
-
-	/* Get local interfaces.  See netdevice(7). */
-	ifconf.ifc_len = sizeof(buf);
-	ifconf.ifc_buf = (void *) buf;
-	zero(buf);
-
-	if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
-		exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
-
-	/* Add an entry to rifaces for each interesting interface. */
-	for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
-	{
-		struct raw_iface ri;
-		const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
-		struct ifreq auxinfo;
-
-		/* ignore all but AF_INET interfaces */
-		if (rs->sin_family != AF_INET)
-			continue;   /* not interesting */
-
-		/* build a NUL-terminated copy of the rname field */
-		memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
-		ri.name[IFNAMSIZ] = '\0';
-
-		/* ignore if our interface names were specified, and this isn't one */
-		if (pluto_ifn_roof != 0)
-		{
-			int i;
-
-			for (i = 0; i != pluto_ifn_roof; i++)
-				if (streq(ri.name, pluto_ifn[i]))
-					break;
-			if (i == pluto_ifn_roof)
-				continue;       /* not found -- skip */
-		}
-
-		/* Find out stuff about this interface.  See netdevice(7). */
-		zero(&auxinfo); /* paranoia */
-		memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
-		if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
-			exit_log_errno((e
-				, "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
-				, ri.name));
-		if (!(auxinfo.ifr_flags & IFF_UP))
-			continue;   /* ignore an interface that isn't UP */
-
-		/* ignore unconfigured interfaces */
-		if (rs->sin_addr.s_addr == 0)
-			continue;
-
-		happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
-			, AF_INET, &ri.addr));
-
-		DBG(DBG_CONTROL, DBG_log("found %s with address %s"
-			, ri.name, ip_str(&ri.addr)));
-		ri.next = rifaces;
-		rifaces = clone_thing(ri);
-	}
-
-	close(master_sock);
-
-	return rifaces;
-}
-
-static struct raw_iface *
-find_raw_ifaces6(void)
-{
-
-	/* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
-	 *
-	 * Documentation of format?
-	 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
-	 *       linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
-	 *
-	 * Sample from Gerhard's laptop:
-	 *  00000000000000000000000000000001 01 80 10 80       lo
-	 *  30490009000000000000000000010002 02 40 00 80   ipsec0
-	 *  30490009000000000000000000010002 07 40 00 80     eth0
-	 *  fe80000000000000025004fffefd5484 02 0a 20 80   ipsec0
-	 *  fe80000000000000025004fffefd5484 07 0a 20 80     eth0
-	 *
-	 * Each line contains:
-	 * - IPv6 address: 16 bytes, in hex, no punctuation
-	 * - ifindex: 1 byte, in hex
-	 * - prefix_len: 1 byte, in hex
-	 * - scope (e.g. global, link local): 1 byte, in hex
-	 * - flags: 1 byte, in hex
-	 * - device name: string, followed by '\n'
-	 */
-	struct raw_iface *rifaces = NULL;
-	static const char proc_name[] = "/proc/net/if_inet6";
-	FILE *proc_sock = fopen(proc_name, "r");
-
-	if (proc_sock == NULL)
-	{
-		DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
-	}
-	else
-	{
-		for (;;)
-		{
-			struct raw_iface ri;
-			unsigned short xb[8];       /* IPv6 address as 8 16-bit chunks */
-			char sb[8*5];       /* IPv6 address as string-with-colons */
-			unsigned int if_idx;        /* proc field, not used */
-			unsigned int plen;  /* proc field, not used */
-			unsigned int scope; /* proc field, used to exclude link-local */
-			unsigned int dad_status;    /* proc field, not used */
-			/* ??? I hate and distrust scanf -- DHR */
-			int r = fscanf(proc_sock
-				, "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
-				  " %02x %02x %02x %02x %20s\n"
-				, xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
-				, &if_idx, &plen, &scope, &dad_status, ri.name);
-
-			/* ??? we should diagnose any problems */
-			if (r != 13)
-				break;
-
-			/* ignore addresses with link local scope.
-			 * From linux-2.4.9-13/include/net/ipv6.h:
-			 * IPV6_ADDR_LINKLOCAL      0x0020U
-			 * IPV6_ADDR_SCOPE_MASK     0x00f0U
-			 */
-			if ((scope & 0x00f0U) == 0x0020U)
-				continue;
-
-			snprintf(sb, sizeof(sb)
-				, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
-				, xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
-
-			happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
-
-			if (!isunspecaddr(&ri.addr))
-			{
-				DBG(DBG_CONTROL
-					, DBG_log("found %s with address %s"
-						, ri.name, sb));
-				ri.next = rifaces;
-				rifaces = clone_thing(ri);
-			}
-		}
-		fclose(proc_sock);
-	}
-
-	return rifaces;
-}
-
-static int
-create_socket(struct raw_iface *ifp, const char *v_name, int port)
-{
-	int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
-	int fcntl_flags;
-
-	if (fd < 0)
-	{
-		log_errno((e, "socket() in process_raw_ifaces()"));
-		return -1;
-	}
-
-	/* Set socket Nonblocking */
-	if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
-		if (!(fcntl_flags & O_NONBLOCK)) {
-			fcntl_flags |= O_NONBLOCK;
-			fcntl(fd, F_SETFL, fcntl_flags);
-		}
-	}
-
-	if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
-	{
-		log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
-		close(fd);
-		return -1;
-	}
-
-	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
-	, (const void *)&on, sizeof(on)) < 0)
-	{
-		log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
-		close(fd);
-		return -1;
-	}
-
-	/* To improve error reporting.  See ip(7). */
-#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-	if (setsockopt(fd, SOL_IP, IP_RECVERR
-	, (const void *)&on, sizeof(on)) < 0)
-	{
-		log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
-		close(fd);
-		return -1;
-	}
-#endif
-
-	/* With IPv6, there is no fragmentation after
-	 * it leaves our interface.  PMTU discovery
-	 * is mandatory but doesn't work well with IKE (why?).
-	 * So we must set the IPV6_USE_MIN_MTU option.
-	 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
-	 */
-#ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
-	if (addrtypeof(&ifp->addr) == AF_INET6
-	&& setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
-	  , (const void *)&on, sizeof(on)) < 0)
-	{
-		log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
-		close(fd);
-		return -1;
-	}
-#endif
-
-	{
-		struct sadb_x_policy policy;
-		int level, opt;
-
-		policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
-		policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-		policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-		policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-		policy.sadb_x_policy_reserved = 0;
-		policy.sadb_x_policy_id = 0;
-		policy.sadb_x_policy_reserved2 = 0;
-
-		if (addrtypeof(&ifp->addr) == AF_INET6)
-		{
-			level = IPPROTO_IPV6;
-			opt = IPV6_IPSEC_POLICY;
-		}
-		else
-		{
-			level = IPPROTO_IP;
-			opt = IP_IPSEC_POLICY;
-		}
-
-		if (setsockopt(fd, level, opt
-		  , &policy, sizeof(policy)) < 0)
-		{
-			log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
-			close(fd);
-			return -1;
-		}
-
-		policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-
-		if (setsockopt(fd, level, opt
-		  , &policy, sizeof(policy)) < 0)
-		{
-			log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
-			close(fd);
-			return -1;
-		}
-	}
-
-	setportof(htons(port), &ifp->addr);
-	if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
-	{
-		log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
-			, ifp->name, v_name
-			, ip_str(&ifp->addr), (unsigned) port));
-		close(fd);
-		return -1;
-	}
-	setportof(htons(pluto_port), &ifp->addr);
-	return fd;
-}
-
-static void
-process_raw_ifaces(struct raw_iface *rifaces)
-{
-	struct raw_iface *ifp;
-
-	/* For each real interface...
-	 */
-	for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
-	{
-		struct raw_iface *v = NULL;
-		bool after = FALSE; /* has vfp passed ifp on the list? */
-		bool bad = FALSE;
-		struct raw_iface *vfp;
-
-		for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
-		{
-			if (vfp == ifp)
-			{
-				after = TRUE;
-			}
-			else if (sameaddr(&ifp->addr, &vfp->addr))
-			{
-				/* ugh: a second interface with the same IP address
-				 * "after" allows us to avoid double reporting.
-				 */
-				if (after)
-				{
-					bad = TRUE;
-					break;
-				}
-				continue;
-			}
-		}
-
-		if (bad)
-			continue;
-
-		v = ifp;
-
-		/* We've got all we need; see if this is a new thing:
-		 * search old interfaces list.
-		 */
-		{
-			struct iface **p = &interfaces;
-
-			for (;;)
-			{
-				struct iface *q = *p;
-
-				/* search is over if at end of list */
-				if (q == NULL)
-				{
-					/* matches nothing -- create a new entry */
-					int fd = create_socket(ifp, v->name, pluto_port);
-
-					if (fd < 0)
-						break;
-
-					if (nat_traversal_support_non_ike
-					&& addrtypeof(&ifp->addr) == AF_INET)
-					{
-						nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
-					}
-
-					q = malloc_thing(struct iface);
-					zero(q);
-					q->rname = clone_str(ifp->name);
-					q->vname = clone_str(v->name);
-					q->addr = ifp->addr;
-					q->fd = fd;
-					q->next = interfaces;
-					q->change = IFN_ADD;
-					interfaces = q;
-					plog("adding interface %s/%s %s:%d"
-						, q->vname, q->rname, ip_str(&q->addr), pluto_port);
-
-					if (nat_traversal_support_port_floating
-					&& addrtypeof(&ifp->addr) == AF_INET)
-					{
-						fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
-						if (fd < 0)
-							break;
-						nat_traversal_espinudp_socket(fd,
-							ESPINUDP_WITH_NON_ESP);
-						q = malloc_thing(struct iface);
-						zero(q);
-						q->rname = clone_str(ifp->name);
-						q->vname = clone_str(v->name);
-						q->addr = ifp->addr;
-						setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
-						q->fd = fd;
-						q->next = interfaces;
-						q->change = IFN_ADD;
-						q->ike_float = TRUE;
-						interfaces = q;
-						plog("adding interface %s/%s %s:%d",
-						q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
-					}
-					break;
-				}
-
-				/* search over if matching old entry found */
-				if (streq(q->rname, ifp->name)
-				&& streq(q->vname, v->name)
-				&& sameaddr(&q->addr, &ifp->addr))
-				{
-					/* matches -- rejuvinate old entry */
-					q->change = IFN_KEEP;
-
-					/* look for other interfaces to keep (due to NAT-T) */
-					for (q = q->next ; q ; q = q->next)
-					{
-						if (streq(q->rname, ifp->name)
-						&& streq(q->vname, v->name)
-						&& sameaddr(&q->addr, &ifp->addr))
-						{
-							q->change = IFN_KEEP;
-						}
-					}
-					break;
-				}
-
-				/* try again */
-				p = &q->next;
-			} /* for (;;) */
-		}
-	}
-
-	/* delete the raw interfaces list */
-	while (rifaces != NULL)
-	{
-		struct raw_iface *t = rifaces;
-
-		rifaces = t->next;
-		free(t);
-	}
-}
-
-void
-find_ifaces(void)
-{
-	mark_ifaces_dead();
-	process_raw_ifaces(find_raw_ifaces4());
-	process_raw_ifaces(find_raw_ifaces6());
-
-	free_dead_ifaces();     /* ditch remaining old entries */
-
-	if (interfaces == NULL)
-		loglog(RC_LOG_SERIOUS, "no public interfaces found");
-}
-
-void
-show_ifaces_status(void)
-{
-	struct iface *p;
-
-	for (p = interfaces; p != NULL; p = p->next)
-		whack_log(RC_COMMENT, "interface %s/%s %s:%d"
-			, p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
-}
-
-void
-show_debug_status(void)
-{
-#ifdef DEBUG
-	whack_log(RC_COMMENT, "debug options: %s"
-		, bitnamesof(debug_bit_names, cur_debugging));
-#endif
-}
-
-static volatile sig_atomic_t sighupflag = FALSE;
-
-static void
-huphandler(int sig UNUSED)
-{
-	sighupflag = TRUE;
-}
-
-static volatile sig_atomic_t sigtermflag = FALSE;
-
-static void
-termhandler(int sig UNUSED)
-{
-	sigtermflag = TRUE;
-}
-
-/* call_server listens for incoming ISAKMP packets and Whack messages,
- * and handles timer events.
- */
-void
-call_server(void)
-{
-	struct iface *ifp;
-
-	/* catch SIGHUP and SIGTERM */
-	{
-		int r;
-		struct sigaction act;
-
-		act.sa_handler = &huphandler;
-		sigemptyset(&act.sa_mask);
-		act.sa_flags = 0;       /* no SA_ONESHOT, no SA_RESTART, no nothing */
-		r = sigaction(SIGHUP, &act, NULL);
-		passert(r == 0);
-
-		act.sa_handler = &termhandler;
-		r = sigaction(SIGTERM, &act, NULL);
-		r = sigaction(SIGINT, &act, NULL);
-		passert(r == 0);
-	}
-
-	for (;;)
-	{
-		fd_set readfds;
-		fd_set writefds;
-		int ndes, events_fd;
-
-		/* wait for next interesting thing */
-
-		for (;;)
-		{
-			long next_time = next_event();   /* time to any pending timer event */
-			int maxfd = ctl_fd;
-
-			if (sigtermflag)
-				exit_pluto(0);
-
-			if (sighupflag)
-			{
-				/* Ignorant folks think poking any daemon with SIGHUP
-				 * is polite.  We catch it and tell them otherwise.
-				 * There is one use: unsticking a hung recvfrom.
-				 * This sticking happens sometimes -- kernel bug?
-				 */
-				sighupflag = FALSE;
-				plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
-			}
-
-			FD_ZERO(&readfds);
-			FD_ZERO(&writefds);
-			FD_SET(ctl_fd, &readfds);
-
-#ifdef ADNS
-			/* the only write file-descriptor of interest */
-			if (adns_qfd != NULL_FD && unsent_ADNS_queries)
-			{
-				if (maxfd < adns_qfd)
-					maxfd = adns_qfd;
-				FD_SET(adns_qfd, &writefds);
-			}
-
-			if (adns_afd != NULL_FD)
-			{
-				if (maxfd < adns_afd)
-					maxfd = adns_afd;
-				FD_SET(adns_afd, &readfds);
-			}
-#endif /* ADNS */
-
-			events_fd = pluto->events->get_event_fd(pluto->events);
-			if (maxfd < events_fd)
-				maxfd = events_fd;
-			FD_SET(events_fd, &readfds);
-
-			if (listening)
-			{
-				for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
-				{
-					if (maxfd < ifp->fd)
-						maxfd = ifp->fd;
-					passert(!FD_ISSET(ifp->fd, &readfds));
-					FD_SET(ifp->fd, &readfds);
-				}
-			}
-
-			if (next_time == -1)
-			{
-				/* select without timer */
-
-				ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
-			}
-			else if (next_time == 0)
-			{
-				/* timer without select: there is a timer event pending,
-				 * and it should fire now so don't bother to do the select.
-				 */
-				ndes = 0;       /* signify timer expiration */
-			}
-			else
-			{
-				/* select with timer */
-
-				struct timeval tm;
-
-				tm.tv_sec = next_time;
-				tm.tv_usec = 0;
-				ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
-			}
-
-			if (ndes != -1)
-				break;  /* success */
-
-			if (errno != EINTR)
-				exit_log_errno((e, "select() failed in call_server()"));
-
-			/* retry if terminated by signal */
-		}
-
-		/* figure out what is interesting */
-
-		if (ndes == 0)
-		{
-			/* timer event */
-
-			DBG(DBG_CONTROL,
-				DBG_log(BLANK_FORMAT);
-				DBG_log("*time to handle event"));
-
-			handle_timer_event();
-			passert(GLOBALS_ARE_RESET());
-		}
-		else
-		{
-			/* at least one file descriptor is ready */
-
-#ifdef ADNS
-			if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
-			{
-				passert(ndes > 0);
-				send_unsent_ADNS_queries();
-				passert(GLOBALS_ARE_RESET());
-				ndes--;
-			}
-
-			if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
-			{
-				passert(ndes > 0);
-				DBG(DBG_CONTROL,
-					DBG_log(BLANK_FORMAT);
-					DBG_log("*received adns message"));
-				handle_adns_answer();
-				passert(GLOBALS_ARE_RESET());
-				ndes--;
-			}
-#endif /* ADNS*/
-
-			if (FD_ISSET(events_fd, &readfds))
-			{
-				passert(ndes > 0);
-				DBG(DBG_CONTROL,
-					DBG_log(BLANK_FORMAT);
-					DBG_log("*handling asynchronous events"));
-				pluto->events->handle(pluto->events);
-				passert(GLOBALS_ARE_RESET());
-				ndes--;
-			}
-
-			for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
-			{
-				if (FD_ISSET(ifp->fd, &readfds))
-				{
-					/* comm_handle will print DBG_CONTROL intro,
-					 * with more info than we have here.
-					 */
-
-					passert(ndes > 0);
-					comm_handle(ifp);
-					passert(GLOBALS_ARE_RESET());
-					ndes--;
-				}
-			}
-
-			if (FD_ISSET(ctl_fd, &readfds))
-			{
-				passert(ndes > 0);
-				DBG(DBG_CONTROL,
-					DBG_log(BLANK_FORMAT);
-					DBG_log("*received whack message"));
-				whack_handle(ctl_fd);
-				passert(GLOBALS_ARE_RESET());
-				ndes--;
-			}
-
-			passert(ndes == 0);
-		}
-	}
-}
-
-/*
- * Local Variables:
- * c-basic-offset: 4
- * End Variables:
- */
diff --git a/src/pluto/server.h b/src/pluto/server.h
deleted file mode 100644
index b8123f6dc..000000000
--- a/src/pluto/server.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* get-next-event loop
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-extern int ctl_fd;      /* file descriptor of control (whack) socket */
-extern struct sockaddr_un ctl_addr;     /* address of control (whack) socket */
-
-extern int info_fd;     /* file descriptor of control (info) socket */
-extern struct sockaddr_un info_addr;    /* address of control (info) socket */
-
-extern err_t init_ctl_socket(void);
-extern void delete_ctl_socket(void);
-
-extern bool listening;  /* should we pay attention to IKE messages? */
-
-
-/* interface: a terminal point for IKE traffic, IPsec transport mode
- * and IPsec tunnels.
- * Essentially:
- * - an IP device (eg. eth1), and
- * - its partner, an ipsec device (eg. ipsec0), and
- * - their shared IP address (eg. 10.7.3.2)
- * Note: the port for IKE is always implicitly UDP/pluto_port.
- */
-struct iface {
-	char *vname;        /* virtual (ipsec) device name */
-	char *rname;        /* real device name */
-	ip_address addr;    /* interface IP address */
-	int fd;     /* file descriptor of socket for IKE UDP messages */
-	struct iface *next;
-	bool ike_float;
-	enum { IFN_ADD, IFN_KEEP, IFN_DELETE } change;
-};
-
-extern struct iface *interfaces;        /* public interfaces */
-
-extern bool use_interface(const char *rifn);
-extern void find_ifaces(void);
-extern void show_ifaces_status(void);
-extern void free_ifaces(void);
-extern void show_debug_status(void);
-extern void call_server(void);
-
-/* in rcv_info.c */
-extern err_t init_info_socket(void);
-extern void delete_info_socket(void);
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
deleted file mode 100644
index 85e246ac4..000000000
--- a/src/pluto/smartcard.c
+++ /dev/null
@@ -1,1940 +0,0 @@
-/* Support of smartcards and cryptotokens
- * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
- * Copyright (C) 2004 David Buechi, Michael Meier
- * Zuercher Hochschule Winterthur, Switzerland
- *
- * Copyright (C) 2005 Michael Joosten
- *
- * Copyright (C) 2005 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-#include <string.h>
-#include <time.h>
-#include <dlfcn.h>
-
-#include <freeswan.h>
-
-#include <asn1/asn1.h>
-#include <credentials/keys/public_key.h>
-#include <credentials/certificates/x509.h>
-
-#include "constants.h"
-
-#ifdef SMARTCARD
-#include "rsaref/unix.h"
-#include "rsaref/pkcs11.h"
-#endif
-
-#include "defs.h"
-#include "log.h"
-#include "x509.h"
-#include "ca.h"
-#include "certs.h"
-#include "keys.h"
-#include "smartcard.h"
-#include "whack.h"
-#include "fetch.h"
-
-#define DEFAULT_BASE    16
-
-/* chained list of smartcard records */
-static smartcard_t *smartcards   = NULL;
-
-/* number of generated sc objects */
-static int sc_number = 0;
-
-const smartcard_t empty_sc = {
-	  NULL         , /* next */
-			0      , /* last_load */
-	  NULL         , /* last_cert */
-			0      , /* count */
-			0      , /* number */
-	  999999       , /* slot */
-	  NULL         , /* id */
-	  NULL         , /* label */
-	{ NULL, 0 }    , /* pin */
-	  FALSE        , /* pinpad */
-	  FALSE        , /* valid */
-	  FALSE        , /* session_opened */
-	  FALSE        , /* logged_in */
-	  TRUE         , /* any_slot */
-			0L     , /* session */
-};
-
-#ifdef SMARTCARD        /* compile with smartcard support */
-
-#define SCX_MAGIC       0xd00bed00
-
-struct scx_pkcs11_module {
-		u_int _magic;
-		void *handle;
-};
-
-typedef struct scx_pkcs11_module scx_pkcs11_module_t;
-
-/* PKCS #11 cryptoki context */
-static bool scx_initialized = FALSE;
-static scx_pkcs11_module_t *pkcs11_module = NULL_PTR;
-static CK_FUNCTION_LIST_PTR pkcs11_functions = NULL_PTR;
-
-/* crytoki v2.11 - return values of PKCS #11 functions*/
-
-static const char *const pkcs11_return_name[] = {
-		"CKR_OK",
-		"CKR_CANCEL",
-		"CKR_HOST_MEMORY",
-		"CKR_SLOT_ID_INVALID",
-		"CKR_FLAGS_INVALID",
-		"CKR_GENERAL_ERROR",
-		"CKR_FUNCTION_FAILED",
-		"CKR_ARGUMENTS_BAD",
-		"CKR_NO_EVENT",
-		"CKR_NEED_TO_CREATE_THREADS",
-		"CKR_CANT_LOCK"
-	};
-
-static const char *const pkcs11_return_name_10[] = {
-		"CKR_ATTRIBUTE_READ_ONLY",
-		"CKR_ATTRIBUTE_SENSITIVE",
-		"CKR_ATTRIBUTE_TYPE_INVALID",
-		"CKR_ATTRIBUTE_VALUE_INVALID"
-	};
-
-static const char *const pkcs11_return_name_20[] = {
-		"CKR_DATA_INVALID",
-		"CKR_DATA_LEN_RANGE"
-	};
-
-static const char *const pkcs11_return_name_30[] = {
-		"CKR_DEVICE_ERROR",
-		"CKR_DEVICE_MEMORY",
-		"CKR_DEVICE_REMOVED"
-	};
-
-static const char *const pkcs11_return_name_40[] = {
-		"CKR_ENCRYPTED_DATA_INVALID",
-		"CKR_ENCRYPTED_DATA_LEN_RANGE"
-	};
-
-static const char *const pkcs11_return_name_50[] = {
-		"CKR_FUNCTION_CANCELED",
-		"CKR_FUNCTION_NOT_PARALLEL",
-		"CKR_0x52_UNDEFINED",
-		"CKR_0x53_UNDEFINED",
-		"CKR_FUNCTION_NOT_SUPPORTED"
-	};
-
-static const char *const pkcs11_return_name_60[] = {
-		"CKR_KEY_HANDLE_INVALID",
-		"CKR_KEY_SENSITIVE",
-		"CKR_KEY_SIZE_RANGE",
-		"CKR_KEY_TYPE_INCONSISTENT",
-		"CKR_KEY_NOT_NEEDED",
-		"CKR_KEY_CHANGED",
-		"CKR_KEY_NEEDED",
-		"CKR_KEY_INDIGESTIBLE",
-		"CKR_KEY_FUNCTION_NOT_PERMITTED",
-		"CKR_KEY_NOT_WRAPPABLE",
-		"CKR_KEY_UNEXTRACTABLE"
-	 };
-
-static const char *const pkcs11_return_name_70[] = {
-		"CKR_MECHANISM_INVALID",
-		"CKR_MECHANISM_PARAM_INVALID"
-	 };
-
-static const char *const pkcs11_return_name_80[] = {
-		"CKR_OBJECT_HANDLE_INVALID"
-	 };
-
-static const char *const pkcs11_return_name_90[] = {
-		"CKR_OPERATION_ACTIVE",
-		"CKR_OPERATION_NOT_INITIALIZED"
-	 };
-
-static const char *const pkcs11_return_name_A0[] = {
-		"CKR_PIN_INCORRECT",
-		"CKR_PIN_INVALID",
-		"CKR_PIN_LEN_RANGE",
-		"CKR_PIN_EXPIRED",
-		"CKR_PIN_LOCKED"
-	 };
-
-static const char *const pkcs11_return_name_B0[] = {
-		"CKR_SESSION_CLOSED",
-		"CKR_SESSION_COUNT",
-		"CKR_0xB2_UNDEFINED",
-		"CKR_SESSION_HANDLE_INVALID",
-		"CKR_SESSION_PARALLEL_NOT_SUPPORTED",
-		"CKR_SESSION_READ_ONLY",
-		"CKR_SESSION_EXISTS",
-		"CKR_SESSION_READ_ONLY_EXISTS",
-		"CKR_SESSION_READ_WRITE_SO_EXISTS"
-	 };
-
-static const char *const pkcs11_return_name_C0[] = {
-		"CKR_SIGNATURE_INVALID",
-		"CKR_SIGNATURE_LEN_RANGE"
-	 };
-
-static const char *const pkcs11_return_name_D0[] = {
-		"CKR_TEMPLATE_INCOMPLETE",
-		"CKR_TEMPLATE_INCONSISTENT"
-	 };
-
-static const char *const pkcs11_return_name_E0[] = {
-		"CKR_TOKEN_NOT_PRESENT",
-		"CKR_TOKEN_NOT_RECOGNIZED",
-		"CKR_TOKEN_WRITE_PROTECTED"
-	 };
-
-static const char *const pkcs11_return_name_F0[] = {
-		"CKR_UNWRAPPING_KEY_HANDLE_INVALID",
-		"CKR_UNWRAPPING_KEY_SIZE_RANGE",
-		"CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"
-	 };
-
-static const char *const pkcs11_return_name_100[] = {
-		"CKR_USER_ALREADY_LOGGED_IN",
-		"CKR_USER_NOT_LOGGED_IN",
-		"CKR_USER_PIN_NOT_INITIALIZED",
-		"CKR_USER_TYPE_INVALID",
-		"CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
-		"CKR_USER_TOO_MANY_TYPES"
-	 };
-
-static const char *const pkcs11_return_name_110[] = {
-		"CKR_WRAPPED_KEY_INVALID",
-		"CKR_0x111_UNDEFINED",
-		"CKR_WRAPPED_KEY_LEN_RANGE",
-		"CKR_WRAPPING_KEY_HANDLE_INVALID",
-		"CKR_WRAPPING_KEY_SIZE_RANGE",
-		"CKR_WRAPPING_KEY_TYPE_INCONSISTENT"
-	 };
-
-static const char *const pkcs11_return_name_120[] = {
-		"CKR_RANDOM_SEED_NOT_SUPPORTED",
-		"CKR_RANDOM_NO_RNG"
-	 };
-
-static const char *const pkcs11_return_name_130[] = {
-		"CKR_DOMAIN_PARAMS_INVALID"
-	 };
-
-static const char *const pkcs11_return_name_150[] = {
-		"CKR_BUFFER_TOO_SMALL"
-	 };
-
-static const char *const pkcs11_return_name_160[] = {
-		"CKR_SAVED_STATE_INVALID"
-	 };
-
-static const char *const pkcs11_return_name_170[] = {
-		"CKR_INFORMATION_SENSITIVE"
-	 };
-
-static const char *const pkcs11_return_name_180[] = {
-		"CKR_STATE_UNSAVEABLE"
-	 };
-
-static const char *const pkcs11_return_name_190[] = {
-		"CKR_CRYPTOKI_NOT_INITIALIZED",
-		"CKR_CRYPTOKI_ALREADY_INITIALIZED"
-	 };
-
-static const char *const pkcs11_return_name_1A0[] = {
-		"CKR_MUTEX_BAD",
-		"CKR_MUTEX_NOT_LOCKED"
-	 };
-
-static const char *const pkcs11_return_name_200[] = {
-		"CKR_FUNCTION_REJECTED"
-	 };
-
-static const char *const pkcs11_return_name_vendor[] = {
-		"CKR_VENDOR_DEFINED"
-	 };
-
-static enum_names pkcs11_return_names_vendor =
-	{ CKR_VENDOR_DEFINED, CKR_VENDOR_DEFINED
-		, pkcs11_return_name_vendor, NULL };
-
-static enum_names pkcs11_return_names_200 =
-	{ CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED
-		, pkcs11_return_name_200, &pkcs11_return_names_vendor };
-
-static enum_names pkcs11_return_names_1A0 =
-	{ CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED
-		, pkcs11_return_name_1A0, &pkcs11_return_names_200 };
-
-static enum_names pkcs11_return_names_190 =
-	{ CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED
-		, pkcs11_return_name_190, &pkcs11_return_names_1A0 };
-
-static enum_names pkcs11_return_names_180 =
-	{ CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE
-		, pkcs11_return_name_180, &pkcs11_return_names_190 };
-
-static enum_names pkcs11_return_names_170 =
-	{ CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE
-		, pkcs11_return_name_170, &pkcs11_return_names_180 };
-
-static enum_names pkcs11_return_names_160 =
-	{ CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID
-		, pkcs11_return_name_160, &pkcs11_return_names_170 };
-
-static enum_names pkcs11_return_names_150 =
-	{ CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL
-		, pkcs11_return_name_150, &pkcs11_return_names_160 };
-
-static enum_names pkcs11_return_names_130 =
-	{ CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID
-		, pkcs11_return_name_130, &pkcs11_return_names_150 };
-
-static enum_names pkcs11_return_names_120 =
-	{ CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG
-		, pkcs11_return_name_120, &pkcs11_return_names_130 };
-
-static enum_names pkcs11_return_names_110 =
-	{ CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT
-		, pkcs11_return_name_110, &pkcs11_return_names_120 };
-
-static enum_names pkcs11_return_names_100 =
-	{ CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES
-		, pkcs11_return_name_100, &pkcs11_return_names_110 };
-
-static enum_names pkcs11_return_names_F0 =
-	{ CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
-		, pkcs11_return_name_F0, &pkcs11_return_names_100 };
-
-static enum_names pkcs11_return_names_E0 =
-	{ CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED
-		, pkcs11_return_name_E0, &pkcs11_return_names_F0 };
-
-static enum_names pkcs11_return_names_D0 =
-	{ CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT
-		, pkcs11_return_name_D0,&pkcs11_return_names_E0 };
-
-static enum_names pkcs11_return_names_C0 =
-	{ CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE
-		, pkcs11_return_name_C0, &pkcs11_return_names_D0 };
-
-static enum_names pkcs11_return_names_B0 =
-	{ CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS
-		, pkcs11_return_name_B0, &pkcs11_return_names_C0 };
-
-static enum_names pkcs11_return_names_A0 =
-	{ CKR_PIN_INCORRECT, CKR_PIN_LOCKED
-		, pkcs11_return_name_A0, &pkcs11_return_names_B0 };
-
-static enum_names pkcs11_return_names_90 =
-	{ CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED
-		, pkcs11_return_name_90, &pkcs11_return_names_A0 };
-
-static enum_names pkcs11_return_names_80 =
-	{ CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID
-		, pkcs11_return_name_80, &pkcs11_return_names_90 };
-
-static enum_names pkcs11_return_names_70 =
-	{ CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID
-		, pkcs11_return_name_70, &pkcs11_return_names_80 };
-
-static enum_names pkcs11_return_names_60 =
-	{ CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE
-		, pkcs11_return_name_60, &pkcs11_return_names_70 };
-
-static enum_names pkcs11_return_names_50 =
-	{ CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED
-		, pkcs11_return_name_50, &pkcs11_return_names_60 };
-
-static enum_names pkcs11_return_names_40 =
-	{ CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE
-		, pkcs11_return_name_40, &pkcs11_return_names_50 };
-
-static enum_names pkcs11_return_names_30 =
-	{ CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED
-		, pkcs11_return_name_30, &pkcs11_return_names_40 };
-
-static enum_names pkcs11_return_names_20 =
-	{ CKR_DATA_INVALID, CKR_DATA_LEN_RANGE
-		, pkcs11_return_name_20, &pkcs11_return_names_30 };
-
-static enum_names pkcs11_return_names_10 =
-	{ CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID
-		, pkcs11_return_name_10, &pkcs11_return_names_20};
-
-static enum_names pkcs11_return_names =
-	{ CKR_OK, CKR_CANT_LOCK
-		, pkcs11_return_name, &pkcs11_return_names_10};
-
-/*
- * Unload a PKCS#11 module.
- * The calling application is responsible for cleaning up
- * and calling C_Finalize()
- */
-static CK_RV scx_unload_pkcs11_module(scx_pkcs11_module_t *mod)
-{
-	if (!mod || mod->_magic != SCX_MAGIC)
-		return CKR_ARGUMENTS_BAD;
-
-	if (dlclose(mod->handle) < 0)
-		return CKR_FUNCTION_FAILED;
-
-	memset(mod, 0, sizeof(*mod));
-	free(mod);
-	return CKR_OK;
-}
-
-static scx_pkcs11_module_t* scx_load_pkcs11_module(const char *name,
-								 CK_FUNCTION_LIST_PTR_PTR funcs)
-{
-	CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
-	scx_pkcs11_module_t *mod;
-	void *handle;
-	int rv;
-
-	if (name == NULL || *name == '\0')
-		return NULL;
-
-	/* Try to load PKCS#11 library module*/
-	handle = dlopen(name, RTLD_NOW);
-	if (handle == NULL)
-		return NULL;
-
-	mod = malloc_thing(scx_pkcs11_module_t);
-	mod->_magic = SCX_MAGIC;
-	mod->handle = handle;
-
-   /* Get the list of function pointers */
-	c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
-			dlsym(mod->handle, "C_GetFunctionList");
-	if (!c_get_function_list)
-		goto failed;
-
-	rv = c_get_function_list(funcs);
-	if (rv == CKR_OK)
-		return mod;
-
-failed: scx_unload_pkcs11_module(mod);
-		return NULL;
-}
-
-/*
- * retrieve a certificate object
- */
-static cert_t* scx_find_cert_object(CK_SESSION_HANDLE session,
-									CK_OBJECT_HANDLE object, smartcard_t *sc)
-{
-	size_t hex_len, label_len;
-	u_char *hex_id = NULL;
-	cert_t *cert;
-	chunk_t blob;
-
-	CK_ATTRIBUTE attr[] = {
-		{ CKA_ID,    NULL_PTR, 0L },
-		{ CKA_LABEL, NULL_PTR, 0L },
-		{ CKA_VALUE, NULL_PTR, 0L }
-	};
-
-	/* get the length of the attributes first */
-	CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
-	if (rv != CKR_OK)
-	{
-		plog("couldn't read the attribute sizes: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		return NULL;
-	}
-
-	free(sc->label);
-
-	hex_id    = malloc(attr[0].ulValueLen);
-	hex_len   = attr[0].ulValueLen;
-	sc->label = malloc(attr[1].ulValueLen + 1);
-	label_len = attr[1].ulValueLen;
-	blob.ptr  = malloc(attr[2].ulValueLen);
-	blob.len  = attr[2].ulValueLen;
-
-	attr[0].pValue = hex_id;
-	attr[1].pValue = sc->label;
-	attr[2].pValue = blob.ptr;
-
-	/* now get the attributes */
-	rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
-	if (rv != CKR_OK)
-	{
-		plog("couldn't read the attributes: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		free(hex_id);
-		free(sc->label);
-		free(blob.ptr);
-		return NULL;
-	}
-
-	free(sc->id);
-
-	/* convert id from hex to ASCII */
-	sc->id = malloc(2*hex_len + 1);
-	datatot(hex_id, hex_len, 16, sc->id, 2*hex_len + 1);
-	free(hex_id);
-
-	/* safeguard in case the label is not null terminated */
-	sc->label[label_len] = '\0';
-
-	/* parse the retrieved cert */
-
-	/* initialize the return argument */
-	cert = malloc_thing(cert_t);
-	*cert = cert_empty;
-	cert->smartcard = TRUE;
-	cert->cert = lib->creds->create(lib->creds,
-									CRED_CERTIFICATE, CERT_X509,
-									BUILD_BLOB_ASN1_DER, blob,
-									BUILD_END);
-	if (cert->cert)
-	{
-		return cert;
-	}
-
-	plog("failed to load cert from smartcard, error in X.509 certificate");
-	cert_free(cert);
-	return NULL;
-}
-
-
-/*
- * search a given slot for PKCS#11 certificate objects
- */
-static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
-{
-	CK_RV rv;
-	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
-	CK_ATTRIBUTE attr[] = {{ CKA_CLASS, &class, sizeof(class) }};
-
-	rv = pkcs11_functions->C_FindObjectsInit(session, attr, 1);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_FindObjectsInit: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		return;
-	}
-
-	for (;;)
-	{
-		CK_OBJECT_HANDLE object;
-		CK_ULONG obj_count = 0;
-		time_t valid_until;
-		smartcard_t *sc;
-		cert_t *cert;
-		certificate_t *certificate;
-		x509_t *x509;
-
-		rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count);
-		if (rv != CKR_OK)
-		{
-			plog("error in C_FindObjects: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			break;
-		}
-
-		/* no objects left */
-		if (obj_count == 0)
-			break;
-
-		/* create and initialize a new smartcard object */
-		sc  = malloc_thing(smartcard_t);
-		*sc = empty_sc;
-		sc->any_slot = FALSE;
-		sc->slot  = slot;
-		cert = scx_find_cert_object(session, object, sc);
-		if (!cert)
-		{
-			scx_free(sc);
-			continue;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("found cert in %s with id: %s, label: '%s'"
-				, scx_print_slot(sc, ""), sc->id, sc->label)
-		)
-
-		/* check validity of certificate */
-		certificate = cert->cert;
-		if (!certificate->get_validity(certificate, NULL, NULL, &valid_until))
-		{
-			cert_free(cert);
-			scx_free(sc);
-			continue;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("  certificate is valid")
-		)
-
-		sc = scx_add(sc);
-
-		/* put end entity and ca certificates into different chains */
-		x509 = (x509_t*)certificate;
-		if (x509->get_flags(x509) & X509_CA)
-		{
-			sc->last_cert = add_authcert(cert, X509_CA);
-		}
-		else
-		{
-			add_public_key_from_cert(cert, valid_until, DAL_LOCAL);
-			sc->last_cert = cert_add(cert);
-		}
-
-		cert_share(sc->last_cert);
-		time(&sc->last_load);
-	}
-
-	rv = pkcs11_functions->C_FindObjectsFinal(session);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_FindObjectsFinal: %s"
-				, enum_show(&pkcs11_return_names, rv));
-	}
-}
-
-/*
- * search all slots for PKCS#11 certificate objects
- */
-static void scx_find_all_cert_objects(void)
-{
-	CK_RV rv;
-	CK_SLOT_ID_PTR slots = NULL_PTR;
-	CK_ULONG slot_count = 0;
-	CK_ULONG i;
-
-	if (!scx_initialized)
-	{
-		plog("pkcs11 module not initialized");
-		return;
-	}
-
-	/* read size, always returns CKR_OK ! */
-	rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
-
-	/* allocate memory for the slots */
-	slots = (CK_SLOT_ID *)malloc(slot_count * sizeof(CK_SLOT_ID));
-
-	rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_GetSlotList: %s", enum_show(&pkcs11_return_names, rv));
-		free(slots);
-		return;
-	}
-
-	/* look in every slot for certificate objects */
-	for (i = 0; i < slot_count; i++)
-	{
-		CK_SLOT_ID slot = slots[i];
-		CK_SLOT_INFO info;
-		CK_SESSION_HANDLE session;
-
-		rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
-
-		if (rv != CKR_OK)
-		{
-			plog("error in C_GetSlotInfo: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			continue;
-		}
-
-		if (!(info.flags & CKF_TOKEN_PRESENT))
-		{
-			plog("no token present in slot %lu", slot);
-			continue;
-		}
-
-		rv = pkcs11_functions->C_OpenSession(slot
-				, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
-		if (rv != CKR_OK)
-		{
-			plog("failed to open a session on slot %lu: %s"
-				, slot, enum_show(&pkcs11_return_names, rv));
-			continue;
-		}
-		DBG(DBG_CONTROLMORE,
-			DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
-		)
-		scx_find_cert_objects(slot, session);
-
-		rv = pkcs11_functions->C_CloseSession(session);
-		if (rv != CKR_OK)
-		{
-			plog("error in C_CloseSession: %s"
-				, enum_show(&pkcs11_return_names, rv));
-		}
-	}
-	free(slots);
-}
-#endif
-
-/*
- * load and initialize PKCS#11 cryptoki module
- *
- * init_args should be unused when we have a PKCS#11 compliant module,
- * but NSS softoken breaks that API.
- */
-void scx_init(const char* module, const char *init_args)
-{
-#ifdef SMARTCARD
-	CK_C_INITIALIZE_ARGS args = { .pReserved = (char *)init_args, };
-	CK_RV rv;
-
-	if (scx_initialized)
-	{
-		plog("weird - pkcs11 module seems already to be initialized");
-		return;
-	}
-
-	if (module == NULL)
-#ifdef PKCS11_DEFAULT_LIB
-		module = PKCS11_DEFAULT_LIB;
-#else
-	{
-		plog("no pkcs11 module defined");
-		return;
-	}
-#endif
-
-	DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("pkcs11 module '%s' loading...", module)
-	)
-	pkcs11_module = scx_load_pkcs11_module(module, &pkcs11_functions);
-	if (pkcs11_module == NULL)
-	{
-		 plog("failed to load pkcs11 module '%s'", module);
-		 return;
-	}
-
-	DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("pkcs11 module initializing...")
-	)
-	rv = pkcs11_functions->C_Initialize(init_args ? &args : NULL);
-	if (rv != CKR_OK)
-	{
-		plog("failed to initialize pkcs11 module: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		return;
-	}
-
-	scx_initialized = TRUE;
-	DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("pkcs11 module loaded and initialized")
-	)
-
-	scx_find_all_cert_objects();
-#endif
-}
-
-/*
- * finalize and unload PKCS#11 cryptoki module
- */
-void scx_finalize(void)
-{
-#ifdef SMARTCARD
-	while (smartcards != NULL)
-	{
-		scx_release(smartcards);
-	}
-
-	if (pkcs11_functions != NULL_PTR)
-	{
-		pkcs11_functions->C_Finalize(NULL_PTR);
-		pkcs11_functions = NULL_PTR;
-	}
-
-	if (pkcs11_module != NULL)
-	{
-		scx_unload_pkcs11_module(pkcs11_module);
-		pkcs11_module = NULL;
-	}
-
-	scx_initialized = FALSE;
-	DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("pkcs11 module finalized and unloaded")
-	)
-#endif
-}
-
-/*
- * does a filename contain the token %smartcard?
- */
-bool scx_on_smartcard(const char *filename)
-{
-	return strneq(filename, SCX_TOKEN, strlen(SCX_TOKEN));
-}
-
-#ifdef SMARTCARD
-/*
- * find a specific object on the smartcard
- */
-static bool scx_pkcs11_find_object(CK_SESSION_HANDLE session,
-								   CK_OBJECT_HANDLE_PTR object,
-								   CK_OBJECT_CLASS class, const char* id)
-{
-	size_t len;
-	char buf[BUF_LEN];
-	CK_RV rv;
-	CK_ULONG obj_count = 0;
-	CK_ULONG attr_count = 1;
-
-	CK_ATTRIBUTE attr[] = {
-		{ CKA_CLASS, &class, sizeof(class) },
-		{ CKA_ID, &buf, 0L }
-	};
-
-	if (id != NULL)
-	{
-		ttodata(id, strlen(id), 16, buf, BUF_LEN, &len);
-		attr[1].ulValueLen = len;
-		attr_count = 2;
-	}
-
-	/* get info for certificate with id */
-	rv = pkcs11_functions->C_FindObjectsInit(session, attr, attr_count);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_FindObjectsInit: %s"
-				, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_FindObjects(session, object, 1,  &obj_count);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_FindObjects: %s"
-				, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_FindObjectsFinal(session);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_FindObjectsFinal: %s"
-				, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-
-	return (obj_count != 0);
-}
-
-/*
- * check if a given certificate object id is found in a slot
- */
-static bool scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
-{
-	CK_SESSION_HANDLE session;
-	CK_OBJECT_HANDLE object;
-	CK_SLOT_INFO info;
-
-	CK_RV rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
-
-	if (rv != CKR_OK)
-	{
-		plog("error in C_GetSlotInfo: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		 return FALSE;
-	}
-
-	if (!(info.flags & CKF_TOKEN_PRESENT))
-	{
-		plog("no token present in slot %lu", slot);
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_OpenSession(slot
-				, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
-	if (rv != CKR_OK)
-	{
-		plog("failed to open a session on slot %lu: %s"
-			, slot, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-	DBG(DBG_CONTROLMORE,
-		DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
-	)
-
-	/* check if there is a certificate on the card in the specified slot */
-	if (scx_pkcs11_find_object(session, &object, CKO_CERTIFICATE, sc->id))
-	{
-		sc->slot = slot;
-		sc->any_slot = FALSE;
-		sc->session = session;
-		sc->session_opened = TRUE;
-		return TRUE;
-	}
-
-	rv = pkcs11_functions->C_CloseSession(session);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_CloseSession: %s"
-				, enum_show(&pkcs11_return_names, rv));
-	}
-	return FALSE;
-}
-#endif
-
-/*
- * Connect to the smart card in the reader and select the correct slot
- */
-bool scx_establish_context(smartcard_t *sc)
-{
-#ifdef SMARTCARD
-	bool id_found = FALSE;
-
-	if (!scx_initialized)
-	{
-		plog("pkcs11 module not initialized");
-		return FALSE;
-	}
-
-	if (sc->session_opened)
-	{
-		DBG(DBG_CONTROL | DBG_CRYPT,
-			DBG_log("pkcs11 session #%ld already open", sc->session)
-		)
-		return TRUE;
-	}
-
-	if (!sc->any_slot)
-		id_found = scx_find_cert_id_in_slot(sc, sc->slot);
-
-	if (!id_found)
-	{
-		CK_RV rv;
-		CK_SLOT_ID slot;
-		CK_SLOT_ID_PTR slots = NULL_PTR;
-		CK_ULONG slot_count = 0;
-		CK_ULONG i;
-
-		/* read size, always returns CKR_OK ! */
-		rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
-
-		/* allocate memory for the slots */
-		slots = (CK_SLOT_ID *)malloc(slot_count * sizeof(CK_SLOT_ID));
-
-		rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
-		if (rv != CKR_OK)
-		{
-			plog("error in C_GetSlotList: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			free(slots);
-			return FALSE;
-		}
-
-		/* look in every slot for a certificate with a given object ID */
-		for (i = 0; i < slot_count; i++)
-		{
-			slot = slots[i];
-			id_found = scx_find_cert_id_in_slot(sc, slot);
-			if (id_found)
-				break;
-		}
-		free(slots);
-	}
-
-	if (id_found)
-	{
-		DBG(DBG_CONTROL | DBG_CRYPT,
-			DBG_log("found token with id %s in slot %lu", sc->id, sc->slot);
-			DBG_log("pkcs11 session #%ld opened", sc->session)
-		)
-	}
-	else
-	{
-		plog("  no certificate with id %s found on smartcard", sc->id);
-	}
-	return id_found;
-#else
-	plog("warning: SMARTCARD support is deactivated in pluto/Makefile!");
-	return FALSE;
-#endif
-}
-
-/*
- * log in to a session
- */
-bool scx_login(smartcard_t *sc)
-{
-#ifdef SMARTCARD
-	CK_RV rv;
-
-	if (sc->logged_in)
-	{
-		DBG(DBG_CONTROL | DBG_CRYPT,
-			DBG_log("pkcs11 session #%ld login already done", sc->session)
-		)
-		return TRUE;
-	}
-
-	if (sc->pin.ptr == NULL)
-	{
-		plog("unable to log in without PIN!");
-		return FALSE;
-	}
-
-	if (!sc->session_opened)
-	{
-		plog("session not opened");
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_Login(sc->session, CKU_USER
-								, (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
-	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-	{
-		plog("unable to login: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-	DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("pkcs11 session #%ld login successful", sc->session)
-	)
-	sc->logged_in = TRUE;
-	return TRUE;
-#else
-   return FALSE;
-#endif
-}
-
-#ifdef SMARTCARD
-/*
- * logout from a session
- */
-static void scx_logout(smartcard_t *sc)
-{
-	CK_RV rv;
-
-	rv = pkcs11_functions->C_Logout(sc->session);
-	if (rv != CKR_OK)
-		plog("error in C_Logout: %s"
-			, enum_show(&pkcs11_return_names, rv));
-	else
-		DBG(DBG_CONTROL | DBG_CRYPT,
-			DBG_log("pkcs11 session #%ld logout", sc->session)
-		)
-	sc->logged_in = FALSE;
-}
-#endif
-
-
-/*
- * Release context and disconnect from card
- */
-void scx_release_context(smartcard_t *sc)
-{
-#ifdef SMARTCARD
-	CK_RV rv;
-
-	if (!scx_initialized)
-		return;
-
-	if (sc->session_opened)
-	{
-		if (sc->logged_in)
-			scx_logout(sc);
-
-		sc->session_opened = FALSE;
-
-		rv = pkcs11_functions->C_CloseSession(sc->session);
-		if (rv != CKR_OK)
-			plog("error in C_CloseSession: %s"
-				, enum_show(&pkcs11_return_names, rv));
-		else
-			DBG(DBG_CONTROL | DBG_CRYPT,
-				DBG_log("pkcs11 session #%ld closed", sc->session)
-			)
-	}
-#endif
-}
-
-/*
- * Load host certificate from smartcard
- */
-cert_t* scx_load_cert(const char *filename, smartcard_t **scp, bool *cached)
-{
-#ifdef SMARTCARD        /* compile with smartcard support */
-	const char *number_slot_id = filename + strlen(SCX_TOKEN);
-	CK_OBJECT_HANDLE object;
-	smartcard_t *sc;
-	cert_t *cert = NULL;
-
-	/* return the smartcard object */
-	*scp = sc = scx_add(scx_parse_number_slot_id(number_slot_id));
-
-	/* is there a cached smartcard certificate? */
-	*cached = sc->last_cert &&
-			  (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
-
-	if (*cached)
-	{
-		plog("  using cached cert from smartcard #%d (%s, id: %s, label: '%s')"
-				, sc->number
-				, scx_print_slot(sc, "")
-				, sc->id
-				, sc->label);
-		return sc->last_cert;
-	}
-
-	if (!scx_establish_context(sc))
-	{
-		scx_release_context(sc);
-		return NULL;
-	}
-
-	/* find the certificate object */
-	if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id))
-	{
-		scx_release_context(sc);
-		return NULL;
-	}
-
-	/* retrieve the certificate object */
-	cert = scx_find_cert_object(sc->session, object, sc);
-	if (cert == NULL)
-	{
-		scx_release_context(sc);
-		return NULL;
-	}
-
-	if (!pkcs11_keep_state)
-	{
-		scx_release_context(sc);
-	}
-	plog("  loaded cert from smartcard #%d (%s, id: %s, label: '%s')"
-		, sc->number
-		, scx_print_slot(sc, "")
-		, sc->id
-		, sc->label);
-
-	return cert;
-#else
-	plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
-	return NULL;
-#endif
-}
-
-/*
- * parse slot number and key id
- * the following syntax is allowed
- *               number   slot   id
- * %smartcard      1       -     -
- * %smartcard#2    2       -     -
- * %smartcard0     -       0     -
- * %smartcard:45   -       -     45
- * %smartcard0:45  -       0     45
- */
-smartcard_t* scx_parse_number_slot_id(const char *number_slot_id)
-{
-	int len = strlen(number_slot_id);
-	smartcard_t *sc = malloc_thing(smartcard_t);
-
-	/* assign default values */
-	*sc = empty_sc;
-
-	if (len == 0)                       /* default: use certificate #1 */
-	{
-		sc->number = 1;
-	}
-	else if (*number_slot_id == '#')    /* #number scheme */
-	{
-		err_t ugh;
-		unsigned long ul;
-
-		ugh = atoul(number_slot_id+1, len-1 , 10, &ul);
-		if (ugh == NULL)
-			sc->number = (int)ul;
-		else
-			plog("error parsing smartcard number: %s", ugh);
-	}
-	else                                /* slot:id scheme */
-	{
-		int slot_len = len;
-		char *p = strchr(number_slot_id, ':');
-
-		if (p != NULL)
-		{
-			int id_len = len - (p + 1 - number_slot_id);
-			slot_len -= (1 + id_len);
-
-			if (id_len > 0)             /* we have an id */
-				sc->id = p + 1;
-		}
-		if (slot_len > 0)               /* we have a slot */
-		{
-			err_t ugh = NULL;
-			unsigned long ul;
-
-			ugh = atoul(number_slot_id, slot_len, 10, &ul);
-			if (ugh == NULL)
-			{
-				sc->slot = ul;
-				sc->any_slot = FALSE;
-			}
-			else
-				plog("error parsing smartcard slot number: %s", ugh);
-		}
-	}
-	/* unshare the id string */
-	sc->id = clone_str(sc->id);
-	return sc;
-}
-
-/*
- * Verify pin on card
- */
-bool scx_verify_pin(smartcard_t *sc)
-{
-#ifdef SMARTCARD
-	CK_RV rv;
-
-	if (!sc->pinpad)
-		sc->valid = FALSE;
-
-	if (sc->pin.ptr == NULL)
-	{
-		plog("unable to verify without PIN");
-		return FALSE;
-	}
-
-	/* establish context */
-	if (!scx_establish_context(sc))
-	{
-		scx_release_context(sc);
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_Login(sc->session, CKU_USER,
-							  (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
-	if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
-	{
-		sc->valid = TRUE;
-		sc->logged_in = TRUE;
-		DBG(DBG_CONTROL | DBG_CRYPT,
-			DBG_log((rv == CKR_OK)
-				? "PIN code correct"
-				: "already logged in, no PIN entry required");
-			DBG_log("pkcs11 session #%ld login successful", sc->session)
-		)
-	}
-	else
-	{
-		DBG(DBG_CONTROL | DBG_CRYPT,
-			DBG_log("PIN code incorrect")
-		)
-	}
-	if (!pkcs11_keep_state)
-		scx_release_context(sc);
-#else
-	sc->valid = FALSE;
-#endif
-	return sc->valid;
-}
-
-/*
- * Sign hash on smartcard
- */
-bool scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
-				   size_t outlen)
-{
-#ifdef SMARTCARD
-	CK_RV rv;
-	CK_OBJECT_HANDLE object;
-	CK_ULONG siglen = (CK_ULONG)outlen;
-	CK_BBOOL sign_flag, decrypt_flag;
-	CK_ATTRIBUTE attr[] = {
-		{ CKA_SIGN,    &sign_flag,    sizeof(sign_flag) },
-		{ CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
-	};
-
-	if (!sc->logged_in)
-		return FALSE;
-
-	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
-	{
-		plog("unable to find private key with id '%s'", sc->id);
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
-	if (rv != CKR_OK)
-	{
-		plog("couldn't read the private key attributes: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-	DBG(DBG_CONTROL,
-		DBG_log("RSA key flags: sign = %s, decrypt = %s"
-			, (sign_flag)?    "true":"false"
-			, (decrypt_flag)? "true":"false")
-	)
-
-	if (sign_flag)
-	{
-		CK_MECHANISM mech  = { CKM_RSA_PKCS, NULL_PTR, 0 };
-
-		rv = pkcs11_functions->C_SignInit(sc->session, &mech, object);
-		if (rv != CKR_OK)
-		{
-			plog("error in C_SignInit: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			return FALSE;
-		}
-
-		rv = pkcs11_functions->C_Sign(sc->session, (CK_BYTE_PTR)in, inlen
-				, out, &siglen);
-		if (rv != CKR_OK)
-		{
-			plog("error in C_Sign: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			return FALSE;
-		}
-	}
-	else if (decrypt_flag)
-	{
-		CK_MECHANISM mech = { CKM_RSA_X_509, NULL_PTR, 0 };
-		size_t padlen;
-		u_char *p = out ;
-
-		/* PKCS#1 v1.5 8.1 encryption-block formatting */
-		*p++ = 0x00;
-		*p++ = 0x01;    /* BT (block type) 01 */
-		padlen = outlen - 3 - inlen;
-		memset(p, 0xFF, padlen);
-		p += padlen;
-		*p++ = 0x00;
-		memcpy(p, in, inlen);
-
-		rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
-		if (rv != CKR_OK)
-		{
-			plog("error in C_DecryptInit: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			return FALSE;
-		}
-
-		rv = pkcs11_functions->C_Decrypt(sc->session, out, outlen
-				, out, &siglen);
-		if (rv != CKR_OK)
-		{
-			plog("error in C_Decrypt: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			return FALSE;
-		}
-	}
-	else
-	{
-		plog("private key has neither sign nor decrypt flag set");
-		return FALSE;
-	}
-
-	if (siglen > (CK_ULONG)outlen)
-	{
-		plog("signature length (%lu) larger than allocated buffer (%d)"
-			, siglen, (int)outlen);
-		return FALSE;
-	}
-	return TRUE;
-#else
-	return FALSE;
-#endif
-}
-
-/*
- * encrypt data block with an RSA public key
- */
-bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
-				 size_t *outlen)
-{
-#ifdef SMARTCARD
-	CK_RV rv;
-	CK_OBJECT_HANDLE object;
-	CK_ULONG len = (CK_ULONG)(*outlen);
-	CK_BBOOL encrypt_flag;
-	CK_ATTRIBUTE attr[] = {
-		{ CKA_MODULUS,         NULL_PTR, 0L },
-		{ CKA_PUBLIC_EXPONENT, NULL_PTR, 0L },
-		{ CKA_ENCRYPT,         &encrypt_flag, sizeof(encrypt_flag) }
-	};
-	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
-
-	if (!scx_establish_context(sc))
-	{
-		scx_release_context(sc);
-			return FALSE;
-	}
-
-	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PUBLIC_KEY, sc->id))
-	{
-		plog("unable to find public key with id '%s'", sc->id);
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 3);
-	if (rv != CKR_OK)
-	{
-		plog("couldn't read the public key attributes: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		scx_release_context(sc);
-		return FALSE;
-	}
-
-	if (!encrypt_flag)
-	{
-		plog("public key cannot be used for encryption");
-		scx_release_context(sc);
-		return FALSE;
-	}
-
-	/* there must be enough space left for the PKCS#1 v1.5 padding */
-	if (inlen > attr[0].ulValueLen - 11)
-	{
-		plog("smartcard input data length (%d) exceeds maximum of %lu bytes"
-				, (int)inlen, attr[0].ulValueLen - 11);
-		if (!pkcs11_keep_state)
-			scx_release_context(sc);
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_EncryptInit(sc->session, &mech, object);
-
-	if (rv != CKR_OK)
-	{
-		if (rv == CKR_FUNCTION_NOT_SUPPORTED)
-		{
-			public_key_t *key;
-			chunk_t rsa_modulus, rsa_exponent, rsa_key, cipher_text;
-			chunk_t plain_text = {(u_char*)in, inlen};
-
-			DBG(DBG_CONTROL,
-				DBG_log("doing RSA encryption in software")
-			)
-			attr[0].pValue = malloc(attr[0].ulValueLen);
-			attr[1].pValue = malloc(attr[1].ulValueLen);
-
-			rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
-			if (rv != CKR_OK)
-			{
-				plog("couldn't read modulus and public exponent: %s"
-					, enum_show(&pkcs11_return_names, rv));
-				free(attr[0].pValue);
-				free(attr[1].pValue);
-				scx_release_context(sc);
-				return FALSE;
-			}
-			rsa_modulus  = chunk_create((u_char*) attr[0].pValue,
-									    (size_t)  attr[0].ulValueLen);
-			rsa_exponent = chunk_create((u_char*) attr[1].pValue,
-									    (size_t)  attr[1].ulValueLen);
-			rsa_key = asn1_wrap(ASN1_SEQUENCE, "mm",
-								asn1_integer("m", rsa_modulus),
-								asn1_integer("m", rsa_exponent));
-			key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
-								BUILD_BLOB_ASN1_DER, rsa_key, BUILD_END);
-			free(rsa_key.ptr);
-			if (key == NULL)
-			{
-				return FALSE;
-			}
-			key->encrypt(key, ENCRYPT_RSA_PKCS1, plain_text, &cipher_text);
-			key->destroy(key);
-
-			if (cipher_text.ptr == NULL)
-			{
-				plog("smartcard input data length is too large");
-				if (!pkcs11_keep_state)
-				{
-					scx_release_context(sc);
-				}
-				return FALSE;
-			}
-
-			memcpy(out, cipher_text.ptr, cipher_text.len);
-			*outlen = cipher_text.len;
-			free(cipher_text.ptr);
-
-			if (!pkcs11_keep_state)
-			{
-				scx_release_context(sc);
-			}
-			return TRUE;
-		}
-		else
-		{
-			plog("error in C_EncryptInit: %s"
-				, enum_show(&pkcs11_return_names, rv));
-			scx_release_context(sc);
-			return FALSE;
-		}
-	}
-
-	DBG(DBG_CONTROL,
-		DBG_log("doing RSA encryption on smartcard")
-	)
-	rv = pkcs11_functions->C_Encrypt(sc->session, (u_char*)in, inlen
-				, out, &len);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_Encrypt: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		scx_release_context(sc);
-		return FALSE;
-	}
-	if (!pkcs11_keep_state)
-		scx_release_context(sc);
-
-	*outlen = (size_t)len;
-	return TRUE;
-#else
-	return FALSE;
-#endif
-}
-/*
- * decrypt a data block with an RSA private key
- */
-bool scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
-				 size_t *outlen)
-{
-#ifdef SMARTCARD
-	CK_RV rv;
-	CK_OBJECT_HANDLE object;
-	CK_ULONG len = (CK_ULONG)(*outlen);
-	CK_BBOOL decrypt_flag;
-	CK_ATTRIBUTE attr[] = {
-		{ CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
-	};
-	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
-
-	if (!scx_establish_context(sc) || !scx_login(sc))
-	{
-		scx_release_context(sc);
-			return FALSE;
-	}
-
-	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
-	{
-		plog("unable to find private key with id '%s'", sc->id);
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 1);
-	if (rv != CKR_OK)
-	{
-		plog("couldn't read the private key attributes: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-
-	if (!decrypt_flag)
-	{
-		plog("private key cannot be used for decryption");
-		scx_release_context(sc);
-		return FALSE;
-	}
-
-	DBG(DBG_CONTROL,
-		DBG_log("doing RSA decryption on smartcard")
-	)
-	rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_DecryptInit: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		scx_release_context(sc);
-		return FALSE;
-	}
-
-	rv = pkcs11_functions->C_Decrypt(sc->session, (u_char*)in, inlen
-				, out, &len);
-	if (rv != CKR_OK)
-	{
-		plog("error in C_Decrypt: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		scx_release_context(sc);
-		return FALSE;
-	}
-	if (!pkcs11_keep_state)
-		scx_release_context(sc);
-
-	*outlen = (size_t)len;
-	return TRUE;
-#else
-	return FALSE;
-#endif
-}
-
-/* receive an encrypted data block via whack,
- * decrypt it using a private RSA key and
- * return the decrypted data block via whack
- */
-bool scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op,
-					  const char* keyid, int whackfd)
-{
-	char inbuf[RSA_MAX_OCTETS];
-	char outbuf[2*RSA_MAX_OCTETS + 1];
-	size_t outlen = sizeof(inbuf);
-	size_t inlen;
-	smartcard_t *sc,*sc_new;
-
-	const char *number_slot_id = "";
-
-	err_t ugh = ttodata(msg, 0, inbase, inbuf, sizeof(inbuf), &inlen);
-
-	/* no prefix - use default base */
-	if (ugh != NULL  && inbase == 0)
-	   ugh = ttodata(msg, 0, DEFAULT_BASE, inbuf, sizeof(inbuf), &inlen);
-
-	if (ugh != NULL)
-	{
-		plog("format error in smartcard input data: %s", ugh);
-		return FALSE;
-	}
-
-	if (keyid != NULL)
-	{
-		number_slot_id = (strneq(keyid, SCX_TOKEN, strlen(SCX_TOKEN)))
-						 ? keyid + strlen(SCX_TOKEN) : keyid;
-	}
-
-	sc_new = scx_parse_number_slot_id(number_slot_id);
-	sc = scx_add(sc_new);
-	if (sc == sc_new)
-		scx_share(sc);
-
-	DBG((op == SC_OP_ENCRYPT)? DBG_PRIVATE:DBG_RAW,
-		DBG_dump("smartcard input data:\n", inbuf, inlen)
-	)
-
-	if (op == SC_OP_DECRYPT)
-	{
-		if (!sc->valid && whackfd != NULL_FD)
-			scx_get_pin(sc, whackfd);
-
-		if (!sc->valid)
-		{
-			loglog(RC_NOVALIDPIN, "cannot decrypt without valid PIN");
-			return FALSE;
-		}
-	}
-
-	DBG(DBG_CONTROL | DBG_CRYPT,
-		DBG_log("using RSA key from smartcard (slot: %d, id: %s)"
-			, (int)sc->slot, sc->id)
-	)
-
-	switch (op)
-	{
-	case SC_OP_ENCRYPT:
-		if (!scx_encrypt(sc, inbuf, inlen, inbuf, &outlen))
-			return FALSE;
-		break;
-	case SC_OP_DECRYPT:
-		if (!scx_decrypt(sc, inbuf, inlen, inbuf, &outlen))
-			return FALSE;
-		break;
-	default:
-		break;
-	}
-
-	DBG((op == SC_OP_DECRYPT)? DBG_PRIVATE:DBG_RAW,
-		DBG_dump("smartcard output data:\n", inbuf, outlen)
-	)
-
-	if (outbase == 0)  /* use default base */
-		outbase = DEFAULT_BASE;
-
-	if (outbase == 256) /* ascii plain text */
-		whack_log(RC_COMMENT, "%.*s", (int)outlen, inbuf);
-	else
-	{
-		outlen = datatot(inbuf, outlen, outbase, outbuf, sizeof(outbuf));
-		if (outlen == 0)
-		{
-			plog("error in output format conversion");
-			return FALSE;
-		}
-		whack_log(RC_COMMENT, "%s", outbuf);
-	}
-	return TRUE;
-}
-
- /*
- * get length of RSA key in bytes
- */
-size_t scx_get_keylength(smartcard_t *sc)
-{
-#ifdef SMARTCARD
-	CK_RV rv;
-	CK_OBJECT_HANDLE object;
-	CK_ATTRIBUTE attr[] = {{ CKA_MODULUS, NULL_PTR, 0}};
-
-	if (!sc->logged_in)
-		return FALSE;
-
-	if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
-	{
-		plog("unable to find private key with id '%s'", sc->id);
-		return FALSE;
-	}
-
-	/* get the length of the private key */
-	rv = pkcs11_functions->C_GetAttributeValue(sc->session, object
-				, (CK_ATTRIBUTE_PTR)&attr, 1);
-	if (rv != CKR_OK)
-	{
-		plog("failed to get key length: %s"
-			, enum_show(&pkcs11_return_names, rv));
-		return FALSE;
-	}
-
-	return attr[0].ulValueLen;  /*Return key length in bytes */
-#else
-	return 0;
-#endif
-}
-
-/*
- * prompt for pin and verify it
- */
-bool scx_get_pin(smartcard_t *sc, int whackfd)
-{
-#ifdef SMARTCARD
-	char pin[BUF_LEN];
-	int i, n;
-
-	whack_log(RC_ENTERSECRET, "need PIN for #%d (%s, id: %s, label: '%s')"
-		, sc->number, scx_print_slot(sc, ""), sc->id, sc->label);
-
-	for (i = 0; i < SCX_MAX_PIN_TRIALS; i++)
-	{
-		if (i > 0)
-			whack_log(RC_ENTERSECRET, "invalid PIN, please try again");
-
-		n = read(whackfd, pin, BUF_LEN);
-
-		if (n == -1)
-		{
-			whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
-			return FALSE;
-		}
-
-		if (strlen(pin) == 0)
-		{
-			whack_log(RC_LOG_SERIOUS, "no PIN entered, aborted");
-			return FALSE;
-		}
-
-		sc->pin.ptr = pin;
-		sc->pin.len = strlen(pin);
-
-		/* verify the pin */
-		if (scx_verify_pin(sc))
-		{
-			sc->pin = chunk_create(pin, strlen(pin));
-			sc->pin = chunk_clone(sc->pin);
-			break;
-		}
-
-		/* wrong pin - we try another round */
-		sc->pin = chunk_empty;
-	}
-
-	if (sc->valid)
-		whack_log(RC_SUCCESS, "valid PIN");
-	else
-		whack_log(RC_LOG_SERIOUS, "invalid PIN, too many trials");
-#else
-	sc->valid = FALSE;
-	whack_log(RC_LOG_SERIOUS, "SMARTCARD support is deactivated in pluto/Makefile!");
-#endif
-	return sc->valid;
-}
-
-
-/*
- * free the pin code
- */
-void scx_free_pin(chunk_t *pin)
-{
-	if (pin->ptr != NULL)
-	{
-		/* clear pin field in memory */
-		memset(pin->ptr, '\0', pin->len);
-		free(pin->ptr);
-		*pin = chunk_empty;
-	}
-}
-
-/*
- * frees a smartcard record
- */
-void scx_free(smartcard_t *sc)
-{
-	if (sc != NULL)
-	{
-		scx_release_context(sc);
-		cert_release(sc->last_cert);
-		free(sc->id);
-		free(sc->label);
-		scx_free_pin(&sc->pin);
-		free(sc);
-	}
-}
-
-/*  release of a smartcard record decreases the count by one
- "  the record is freed when the counter reaches zero
- */
-void scx_release(smartcard_t *sc)
-{
-	if (sc != NULL && --sc->count == 0)
-	{
-		smartcard_t **pp = &smartcards;
-		while (*pp != sc)
-			pp = &(*pp)->next;
-		*pp = sc->next;
-		scx_free(sc);
-	}
-}
-
-/*
- *  compare two smartcard records by comparing their slots and ids
- */
-static bool scx_same(smartcard_t *a, smartcard_t *b)
-{
-	if  (a->number && b->number)
-	{
-		/* same number */
-		return a->number == b->number;
-	}
-	else
-	{
-		/* same id and/or same slot */
-		return (!a->id || (b->id && streq(a->id, b->id)))
-			&& (a->any_slot || b->any_slot || a->slot == b->slot);
-	}
-}
-
-/*  for each link pointing to the smartcard record
- "  increase the count by one
- */
-void scx_share(smartcard_t *sc)
-{
-	if (sc != NULL)
-		sc->count++;
-}
-
-/*
- *  adds a smartcard record to the chained list
- */
-smartcard_t* scx_add(smartcard_t *smartcard)
-{
-	smartcard_t *sc = smartcards;
-	smartcard_t **psc = &smartcards;
-
-	while (sc != NULL)
-	{
-		if (scx_same(smartcard, sc)) /* already in chain, free smartcard record */
-		{
-			scx_free(smartcard);
-			return sc;
-		}
-		psc = &sc->next;
-		sc = sc->next;
-	}
-
-	/* insert new smartcard record at the end of the chain */
-	*psc = smartcard;
-	smartcard->number = ++sc_number;
-	smartcard->count = 1;
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("  smartcard #%d added", sc_number)
-	)
-	return smartcard;
-}
-
-/*
- * get the smartcard that belongs to an X.509 certificate
- */
-smartcard_t* scx_get(cert_t *cert)
-{
-	smartcard_t *sc = smartcards;
-
-	while (sc != NULL)
-	{
-		if (sc->last_cert == cert)
-		{
-			return sc;
-		}
-		sc = sc->next;
-	}
-	return NULL;
-}
-
-/*
- * prints either the slot number or 'any slot'
- */
-char *scx_print_slot(smartcard_t *sc, const char *whitespace)
-{
-	char *buf = temporary_cyclic_buffer();
-
-	if (sc->any_slot)
-		snprintf(buf, BUF_LEN, "any slot");
-	else
-		snprintf(buf, BUF_LEN, "slot: %s%lu", whitespace, sc->slot);
-	return buf;
-}
-
-/*
- *  list all smartcard info records in a chained list
- */
-void scx_list(bool utc)
-{
-	smartcard_t *sc = smartcards;
-
-	if (sc != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "List of Smartcard Objects:");
-	}
-
-	while (sc != NULL)
-	{
-		whack_log(RC_COMMENT, " ");
-		whack_log(RC_COMMENT, "  %s, session %s, logged %s, has %s"
-			, scx_print_slot(sc, "    ")
-			, sc->session_opened? "opened" : "closed"
-			, sc->logged_in? "in" : "out"
-			, sc->pinpad? "pin pad"
-				: ((sc->pin.ptr == NULL)? "no pin"
-					: sc->valid? "valid pin" : "invalid pin"));
-		if (sc->id != NULL)
-			whack_log(RC_COMMENT, "  id:       %s", sc->id);
-		if (sc->label != NULL)
-			whack_log(RC_COMMENT, "  label:   '%s'", sc->label);
-		if (sc->last_cert)
-		{
-			certificate_t *certificate = sc->last_cert->cert;
-
-			whack_log(RC_COMMENT, "  subject: '%Y'",
-					  certificate->get_subject(certificate));
-		}
-		sc = sc->next;
-	}
-}
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
deleted file mode 100644
index 7a2229794..000000000
--- a/src/pluto/smartcard.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* Support of smartcards and cryptotokens
- * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
- * Copyright (C) 2004 David Buechi, Michael Meier
- * Zuercher Hochschule Winterthur
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _SMARTCARD_H
-#define _SMARTCARD_H
-
-#include "certs.h"
-
-#define SCX_TOKEN                 "%smartcard"
-#define SCX_CERT_CACHE_INTERVAL   60 /* seconds */
-#define SCX_MAX_PIN_TRIALS        3
-
-/* smartcard operations, update copy in whack.h */
-
-#ifndef SC_OP_T
-#define SC_OP_T
-typedef enum {
-	SC_OP_NONE =    0,
-	SC_OP_ENCRYPT = 1,
-	SC_OP_DECRYPT = 2,
-	SC_OP_SIGN =    3,
-} sc_op_t;
-#endif /* SC_OP_T */
-
-/* smartcard record */
-
-typedef struct smartcard smartcard_t;
-
-struct smartcard {
-	smartcard_t  *next;
-	time_t        last_load;
-	cert_t        *last_cert;
-	int           count;
-	int           number;
-	unsigned long slot;
-	char          *id;
-	char         *label;
-	chunk_t       pin;
-	bool          pinpad;
-	bool          valid;
-	bool          session_opened;
-	bool          logged_in;
-	bool          any_slot;
-	long          session;
-};
-
-extern const smartcard_t empty_sc;
-
-/*  keep a PKCS#11 login during the lifetime of pluto
- *  flag set in plutomain.c and used in ipsec_doi.c and ocsp.c
- */
-extern bool pkcs11_keep_state;
-
-/* allow other applications access to pluto's PKCS#11 interface
- * via whack. Could be used e.g. for disk encryption
- */
-extern bool pkcs11_proxy;
-
-extern smartcard_t* scx_parse_number_slot_id(const char *number_slot_id);
-extern void scx_init(const char *module, const char *init_args);
-extern void scx_finalize(void);
-extern bool scx_establish_context(smartcard_t *sc);
-extern bool scx_login(smartcard_t *sc);
-extern bool scx_on_smartcard(const char *filename);
-extern cert_t* scx_load_cert(const char *filename, smartcard_t **scp, bool *cached);
-extern bool scx_verify_pin(smartcard_t *sc);
-extern void scx_share(smartcard_t *sc);
-extern bool scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
-	, u_char *out, size_t outlen);
-extern bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
-	, u_char *out, size_t *outlen);
-extern bool scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
-	, u_char *out, size_t *outlen);
-extern bool scx_op_via_whack(const char* msg, int inbase, int outbase
-	, sc_op_t op, const char *keyid, int whackfd);
-extern bool scx_get_pin(smartcard_t *sc, int whackfd);
-extern size_t scx_get_keylength(smartcard_t *sc);
-extern smartcard_t* scx_add(smartcard_t *sc);
-extern smartcard_t* scx_get(cert_t *cert);
-extern void scx_release(smartcard_t *sc);
-extern void scx_release_context(smartcard_t *sc);
-extern void scx_free_pin(chunk_t *pin);
-extern void scx_free(smartcard_t *sc);
-extern void scx_list(bool utc);
-extern char *scx_print_slot(smartcard_t *sc, const char *whitespace);
-
-#endif /* _SMARTCARD_H */
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
deleted file mode 100644
index 06fe7d7c8..000000000
--- a/src/pluto/spdb.c
+++ /dev/null
@@ -1,2315 +0,0 @@
-/* Security Policy Data Base (such as it is)
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "connections.h"
-#include "state.h"
-#include "packet.h"
-#include "keys.h"
-#include "kernel.h"
-#include "log.h"
-#include "spdb.h"
-#include "whack.h"
-#include "crypto.h"
-#include "alg_info.h"
-#include "kernel_alg.h"
-#include "ike_alg.h"
-#include "db_ops.h"
-#include "nat_traversal.h"
-
-#define AD(x) x, countof(x)     /* Array Description */
-#define AD_NULL NULL, 0
-
-/**************** Oakely (main mode) SA database ****************/
-
-/* array of proposals to be conjoined (can only be one for Oakley) */
-
-static struct db_prop oakley_pc[] =
-	{ { PROTO_ISAKMP, AD_NULL } };
-
-/* array of proposal conjuncts (can only be one) */
-
-static struct db_prop_conj oakley_props[] = { { AD(oakley_pc) } };
-
-/* the sadb entry */
-struct db_sa oakley_sadb = { AD(oakley_props) };
-
-/**************** IPsec (quick mode) SA database ****************/
-
-/* arrays of attributes for transforms */
-
-static struct db_attr espsha1_attr[] = {
-	{ AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
-	};
-
-static struct db_attr ah_HMAC_SHA1_attr[] = {
-	{ AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
-	};
-
-/* arrays of transforms, each in in preference order */
-
-static struct db_trans espa_trans[] = {
-	{ ESP_3DES, AD(espsha1_attr) },
-	};
-
-static struct db_trans esp_trans[] = {
-	{ ESP_3DES, AD_NULL },
-	};
-
-#ifdef SUPPORT_ESP_NULL
-static struct db_trans espnull_trans[] = {
-	{ ESP_NULL, AD(espsha1_attr) },
-	};
-#endif /* SUPPORT_ESP_NULL */
-
-static struct db_trans ah_trans[] = {
-	{ AH_SHA, AD(ah_HMAC_SHA1_attr) },
-	};
-
-static struct db_trans ipcomp_trans[] = {
-	{ IPCOMP_DEFLATE, AD_NULL },
-	};
-
-/* arrays of proposals to be conjoined */
-
-static struct db_prop ah_pc[] = {
-	{ PROTO_IPSEC_AH, AD(ah_trans) },
-	};
-
-#ifdef SUPPORT_ESP_NULL
-static struct db_prop espnull_pc[] = {
-	{ PROTO_IPSEC_ESP, AD(espnull_trans) },
-	};
-#endif /* SUPPORT_ESP_NULL */
-
-static struct db_prop esp_pc[] = {
-	{ PROTO_IPSEC_ESP, AD(espa_trans) },
-	};
-
-static struct db_prop ah_esp_pc[] = {
-	{ PROTO_IPSEC_AH, AD(ah_trans) },
-	{ PROTO_IPSEC_ESP, AD(esp_trans) },
-	};
-
-static struct db_prop compress_pc[] = {
-	{ PROTO_IPCOMP, AD(ipcomp_trans) },
-	};
-
-static struct db_prop ah_compress_pc[] = {
-	{ PROTO_IPSEC_AH, AD(ah_trans) },
-	{ PROTO_IPCOMP, AD(ipcomp_trans) },
-	};
-
-#ifdef SUPPORT_ESP_NULL
-static struct db_prop espnull_compress_pc[] = {
-	{ PROTO_IPSEC_ESP, AD(espnull_trans) },
-	{ PROTO_IPCOMP, AD(ipcomp_trans) },
-	};
-#endif /* SUPPORT_ESP_NULL */
-
-static struct db_prop esp_compress_pc[] = {
-	{ PROTO_IPSEC_ESP, AD(espa_trans) },
-	{ PROTO_IPCOMP, AD(ipcomp_trans) },
-	};
-
-static struct db_prop ah_esp_compress_pc[] = {
-	{ PROTO_IPSEC_AH, AD(ah_trans) },
-	{ PROTO_IPSEC_ESP, AD(esp_trans) },
-	{ PROTO_IPCOMP, AD(ipcomp_trans) },
-	};
-
-/* arrays of proposal alternatives (each element is a conjunction) */
-
-static struct db_prop_conj ah_props[] = {
-	{ AD(ah_pc) },
-#ifdef SUPPORT_ESP_NULL
-	{ AD(espnull_pc) }
-#endif
-	};
-
-static struct db_prop_conj esp_props[] =
-	{ { AD(esp_pc) } };
-
-static struct db_prop_conj ah_esp_props[] =
-	{ { AD(ah_esp_pc) } };
-
-static struct db_prop_conj compress_props[] = {
-	{ AD(compress_pc) },
-	};
-
-static struct db_prop_conj ah_compress_props[] = {
-	{ AD(ah_compress_pc) },
-#ifdef SUPPORT_ESP_NULL
-	{ AD(espnull_compress_pc) }
-#endif
-	};
-
-static struct db_prop_conj esp_compress_props[] =
-	{ { AD(esp_compress_pc) } };
-
-static struct db_prop_conj ah_esp_compress_props[] =
-	{ { AD(ah_esp_compress_pc) } };
-
-/* The IPsec sadb is subscripted by a bitset (subset of policy)
- * with members from { POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS }
- * shifted right by POLICY_IPSEC_SHIFT.
- */
-struct db_sa ipsec_sadb[1 << 3] = {
-	{ AD_NULL },        /* none */
-	{ AD(esp_props) },  /* POLICY_ENCRYPT */
-	{ AD(ah_props) },   /* POLICY_AUTHENTICATE */
-	{ AD(ah_esp_props) },       /* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
-	{ AD(compress_props) },     /* POLICY_COMPRESS */
-	{ AD(esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_COMPRESS */
-	{ AD(ah_compress_props) },  /* POLICY_AUTHENTICATE+POLICY_COMPRESS */
-	{ AD(ah_esp_compress_props) },      /* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
-	};
-
-#undef AD
-#undef AD_NULL
-
-/* output an attribute (within an SA) */
-static bool
-out_attr(int type
-, unsigned long val
-, struct_desc *attr_desc
-, enum_names **attr_val_descs USED_BY_DEBUG
-, pb_stream *pbs)
-{
-	struct isakmp_attribute attr;
-
-	if (val >> 16 == 0)
-	{
-		/* short value: use TV form */
-		attr.isaat_af_type = type | ISAKMP_ATTR_AF_TV;
-		attr.isaat_lv = val;
-		if (!out_struct(&attr, attr_desc, pbs, NULL))
-			return FALSE;
-	}
-	else
-	{
-		/* This is a real fudge!  Since we rarely use long attributes
-		 * and since this is the only place where we can cause an
-		 * ISAKMP message length to be other than a multiple of 4 octets,
-		 * we force the length of the value to be a multiple of 4 octets.
-		 * Furthermore, we only handle values up to 4 octets in length.
-		 * Voila: a fixed format!
-		 */
-		pb_stream val_pbs;
-		u_int32_t nval = htonl(val);
-
-		attr.isaat_af_type = type | ISAKMP_ATTR_AF_TLV;
-		if (!out_struct(&attr, attr_desc, pbs, &val_pbs)
-		|| !out_raw(&nval, sizeof(nval), &val_pbs, "long attribute value"))
-			return FALSE;
-		close_output_pbs(&val_pbs);
-	}
-	DBG(DBG_EMITTING,
-		enum_names *d = attr_val_descs[type];
-
-		if (d != NULL)
-			DBG_log("    [%lu is %s]"
-				, val, enum_show(d, val)));
-	return TRUE;
-}
-#define return_on(var, val) do { var=val;goto return_out; } while(0)
-/* Output an SA, as described by a db_sa.
- * This has the side-effect of allocating SPIs for us.
- */
-bool
-out_sa(pb_stream *outs
-, struct db_sa *sadb
-, struct state *st
-, bool oakley_mode
-, u_int8_t np)
-{
-	pb_stream sa_pbs;
-	int pcn;
-	bool ret = FALSE;
-	bool ah_spi_generated = FALSE
-		, esp_spi_generated = FALSE
-		, ipcomp_cpi_generated = FALSE;
-#if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
-	struct db_context *db_ctx = NULL;
-#endif
-
-	/* SA header out */
-	{
-		struct isakmp_sa sa;
-
-		sa.isasa_np = np;
-		st->st_doi = sa.isasa_doi = ISAKMP_DOI_IPSEC;   /* all we know */
-		if (!out_struct(&sa, &isakmp_sa_desc, outs, &sa_pbs))
-			return_on(ret, FALSE);
-	}
-
-	/* within SA: situation out */
-	st->st_situation = SIT_IDENTITY_ONLY;
-	if (!out_struct(&st->st_situation, &ipsec_sit_desc, &sa_pbs, NULL))
-		return_on(ret, FALSE);
-
-	/* within SA: Proposal Payloads
-	 *
-	 * Multiple Proposals with the same number are simultaneous
-	 * (conjuncts) and must deal with different protocols (AH or ESP).
-	 * Proposals with different numbers are alternatives (disjuncts),
-	 * in preference order.
-	 * Proposal numbers must be monotonic.
-	 * See RFC 2408 "ISAKMP" 4.2
-	 */
-
-	for (pcn = 0; pcn != sadb->prop_conj_cnt; pcn++)
-	{
-		struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
-		int pn;
-
-		for (pn = 0; pn != pc->prop_cnt; pn++)
-		{
-			struct db_prop *p = &pc->props[pn];
-			pb_stream proposal_pbs;
-			struct isakmp_proposal proposal;
-			struct_desc *trans_desc = NULL;
-			struct_desc *attr_desc = NULL;
-			enum_names **attr_val_descs = NULL;
-			int tn;
-			bool tunnel_mode;
-
-			tunnel_mode = (pn == pc->prop_cnt-1)
-				&& (st->st_policy & POLICY_TUNNEL);
-
-			/* Proposal header */
-			proposal.isap_np = pcn == sadb->prop_conj_cnt-1 && pn == pc->prop_cnt-1
-				? ISAKMP_NEXT_NONE : ISAKMP_NEXT_P;
-			proposal.isap_proposal = pcn;
-			proposal.isap_protoid = p->protoid;
-			proposal.isap_spisize = oakley_mode ? 0
-				: p->protoid == PROTO_IPCOMP ? IPCOMP_CPI_SIZE
-				: IPSEC_DOI_SPI_SIZE;
-
-			/* In quick mode ONLY, create proposal for runtime kernel algos.
-			 *  Replace ESP proposals with runtime created one
-			 */
-			if (!oakley_mode && p->protoid == PROTO_IPSEC_ESP)
-			{
-				DBG(DBG_CONTROL | DBG_CRYPT,
-					if (st->st_connection->alg_info_esp)
-					{
-						static char buf[BUF_LEN]="";
-
-						alg_info_snprint(buf, sizeof (buf),
-								(struct alg_info *)st->st_connection->alg_info_esp);
-						DBG_log("esp proposal: %s", buf);
-					}
-				)
-				db_ctx = kernel_alg_db_new(st->st_connection->alg_info_esp, st->st_policy);
-				p = db_prop_get(db_ctx);
-
-				if (!p || p->trans_cnt == 0)
-				{
-					loglog(RC_LOG_SERIOUS,
-						"empty IPSEC SA proposal to send "
-						"(no kernel algorithms for esp selection)");
-					return_on(ret, FALSE);
-				}
-			}
-
-			if (oakley_mode && p->protoid == PROTO_ISAKMP)
-			{
-				DBG(DBG_CONTROL | DBG_CRYPT,
-					if (st->st_connection->alg_info_ike)
-					{
-						static char buf[BUF_LEN]="";
-
-						alg_info_snprint(buf, sizeof (buf),
-								(struct alg_info *)st->st_connection->alg_info_ike);
-						DBG_log("ike proposal: %s", buf);
-					}
-				)
-				db_ctx = ike_alg_db_new(st->st_connection, st->st_policy);
-				p = db_prop_get(db_ctx);
-
-				if (!p || p->trans_cnt == 0)
-				{
-					loglog(RC_LOG_SERIOUS,
-						"empty ISAKMP SA proposal to send "
-						"(no algorithms for ike selection?)");
-					return_on(ret, FALSE);
-				}
-			}
-
-			proposal.isap_notrans = p->trans_cnt;
-			if (!out_struct(&proposal, &isakmp_proposal_desc, &sa_pbs, &proposal_pbs))
-				return_on(ret, FALSE);
-
-			/* Per-protocols stuff:
-			 * Set trans_desc.
-			 * Set attr_desc.
-			 * Set attr_val_descs.
-			 * If not oakley_mode, emit SPI.
-			 * We allocate SPIs on demand.
-			 * All ESPs in an SA will share a single SPI.
-			 * All AHs in an SAwill share a single SPI.
-			 * AHs' SPI will be distinct from ESPs'.
-			 * This latter is needed because KLIPS doesn't
-			 * use the protocol when looking up a (dest, protocol, spi).
-			 * ??? If multiple ESPs are composed, how should their SPIs
-			 * be allocated?
-			 */
-			{
-				ipsec_spi_t *spi_ptr = NULL;
-				int proto = 0;
-				bool *spi_generated = NULL;
-
-				switch (p->protoid)
-				{
-				case PROTO_ISAKMP:
-					passert(oakley_mode);
-					trans_desc = &isakmp_isakmp_transform_desc;
-					attr_desc = &isakmp_oakley_attribute_desc;
-					attr_val_descs = oakley_attr_val_descs;
-					/* no SPI needed */
-					break;
-				case PROTO_IPSEC_AH:
-					passert(!oakley_mode);
-					trans_desc = &isakmp_ah_transform_desc;
-					attr_desc = &isakmp_ipsec_attribute_desc;
-					attr_val_descs = ipsec_attr_val_descs;
-					spi_ptr = &st->st_ah.our_spi;
-					spi_generated = &ah_spi_generated;
-					proto = IPPROTO_AH;
-					break;
-				case PROTO_IPSEC_ESP:
-					passert(!oakley_mode);
-					trans_desc = &isakmp_esp_transform_desc;
-					attr_desc = &isakmp_ipsec_attribute_desc;
-					attr_val_descs = ipsec_attr_val_descs;
-					spi_ptr = &st->st_esp.our_spi;
-					spi_generated = &esp_spi_generated;
-					proto = IPPROTO_ESP;
-					break;
-				case PROTO_IPCOMP:
-					passert(!oakley_mode);
-					trans_desc = &isakmp_ipcomp_transform_desc;
-					attr_desc = &isakmp_ipsec_attribute_desc;
-					attr_val_descs = ipsec_attr_val_descs;
-
-					/* a CPI isn't quite the same as an SPI
-					 * so we use specialized code to emit it.
-					 */
-					if (!ipcomp_cpi_generated)
-					{
-						st->st_ipcomp.our_spi = get_my_cpi(
-							&st->st_connection->spd, tunnel_mode);
-						if (st->st_ipcomp.our_spi == 0)
-							return_on(ret, FALSE);      /* problem generating CPI */
-
-						ipcomp_cpi_generated = TRUE;
-					}
-					/* CPI is stored in network low order end of an
-					 * ipsec_spi_t.  So we start a couple of bytes in.
-					 */
-					if (!out_raw((u_char *)&st->st_ipcomp.our_spi
-					 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
-					, IPCOMP_CPI_SIZE
-					, &proposal_pbs, "CPI"))
-						return_on(ret, FALSE);
-					break;
-				default:
-					bad_case(p->protoid);
-				}
-				if (spi_ptr != NULL)
-				{
-					if (!*spi_generated)
-					{
-						*spi_ptr = get_ipsec_spi(0
-							, proto
-							, &st->st_connection->spd
-							, tunnel_mode);
-						if (*spi_ptr == 0)
-							return_on(ret, FALSE);
-						*spi_generated = TRUE;
-					}
-					if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
-					, &proposal_pbs, "SPI"))
-						return_on(ret, FALSE);
-				}
-			}
-
-			/* within proposal: Transform Payloads */
-			for (tn = 0; tn != p->trans_cnt; tn++)
-			{
-				struct db_trans *t = &p->trans[tn];
-				pb_stream trans_pbs;
-				struct isakmp_transform trans;
-				int an;
-
-				trans.isat_np = (tn == p->trans_cnt - 1)
-					? ISAKMP_NEXT_NONE : ISAKMP_NEXT_T;
-				trans.isat_transnum = tn;
-				trans.isat_transid = t->transid;
-				if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
-					return_on(ret, FALSE);
-
-				/* Within transform: Attributes. */
-
-				/* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
-				 * automatically generated because it must be the same
-				 * in every transform.  Except IPCOMP.
-				 */
-				if (p->protoid != PROTO_IPCOMP && st->st_pfs_group != NULL)
-				{
-					passert(!oakley_mode);
-					passert(st->st_pfs_group != &unset_group);
-					out_attr(GROUP_DESCRIPTION, st->st_pfs_group->algo_id
-						, attr_desc, attr_val_descs
-						, &trans_pbs);
-				}
-
-				/* automatically generate duration
-				 * and, for Phase 2 / Quick Mode, encapsulation.
-				 */
-				if (oakley_mode)
-				{
-					out_attr(OAKLEY_LIFE_TYPE, OAKLEY_LIFE_SECONDS
-						, attr_desc, attr_val_descs
-						, &trans_pbs);
-					out_attr(OAKLEY_LIFE_DURATION
-						, st->st_connection->sa_ike_life_seconds
-						, attr_desc, attr_val_descs
-						, &trans_pbs);
-				}
-				else
-				{
-					/* RFC 2407 (IPSEC DOI) 4.5 specifies that
-					 * the default is "unspecified (host-dependent)".
-					 * This makes little sense, so we always specify it.
-					 *
-					 * Unlike other IPSEC transforms, IPCOMP defaults
-					 * to Transport Mode, so we can exploit the default
-					 * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
-					 */
-					if (p->protoid != PROTO_IPCOMP
-					|| st->st_policy & POLICY_TUNNEL)
-					{
-#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-						if ((st->nat_traversal & NAT_T_DETECTED)
-						&& !(st->st_policy & POLICY_TUNNEL))
-						{
-							/* Inform user that we will not respect policy and only
-							 * propose Tunnel Mode
-							 */
-							loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
-								"Transport Mode not allowed due to security concerns -- "
-								"using Tunnel mode");
-						}
-#endif
-						out_attr(ENCAPSULATION_MODE
-#ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-							, NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
-#else
-								/* If NAT-T is detected, use UDP_TUNNEL as long as Transport
-								 * Mode has security concerns.
-								 *
-								 * User has been informed of that
-								 */
-							, NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
-#endif
-							, attr_desc, attr_val_descs
-							, &trans_pbs);
-					}
-					out_attr(SA_LIFE_TYPE, SA_LIFE_TYPE_SECONDS
-						, attr_desc, attr_val_descs
-						, &trans_pbs);
-					out_attr(SA_LIFE_DURATION
-						, st->st_connection->sa_ipsec_life_seconds
-						, attr_desc, attr_val_descs
-						, &trans_pbs);
-				}
-
-				/* spit out attributes from table */
-				for (an = 0; an != t->attr_cnt; an++)
-				{
-					struct db_attr *a = &t->attrs[an];
-
-					out_attr(a->type, a->val
-						, attr_desc, attr_val_descs
-						, &trans_pbs);
-				}
-
-				close_output_pbs(&trans_pbs);
-			}
-			close_output_pbs(&proposal_pbs);
-		}
-		/* end of a conjunction of proposals */
-	}
-	close_output_pbs(&sa_pbs);
-	ret = TRUE;
-
-return_out:
-
-#if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
-	if (db_ctx)
-			db_destroy(db_ctx);
-#endif
-	return ret;
-}
-
-/* Handle long form of duration attribute.
- * The code is can only handle values that can fit in unsigned long.
- * "Clamping" is probably an acceptable way to impose this limitation.
- */
-static u_int32_t decode_long_duration(pb_stream *pbs)
-{
-	u_int32_t val = 0;
-
-	/* ignore leading zeros */
-	while (pbs_left(pbs) != 0 && *pbs->cur == '\0')
-		pbs->cur++;
-
-	if (pbs_left(pbs) > sizeof(val))
-	{
-		/* "clamp" too large value to max representable value */
-		val = UINT32_MAX;
-		DBG(DBG_PARSING, DBG_log("   too large duration clamped to: %lu"
-			, (unsigned long)val));
-	}
-	else
-	{
-		/* decode number */
-		while (pbs_left(pbs) != 0)
-			val = (val << BITS_PER_BYTE) | *pbs->cur++;
-		DBG(DBG_PARSING, DBG_log("   long duration: %lu", (unsigned long)val));
-	}
-	return val;
-}
-
-/* Preparse the body of an ISAKMP SA Payload and
- * return body of ISAKMP Proposal Payload
- *
- * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
- * Error response is rudimentary.
- */
-notification_t
-preparse_isakmp_sa_body(const struct isakmp_sa *sa
-					  , pb_stream *sa_pbs
-					  , u_int32_t *ipsecdoisit
-					  , pb_stream *proposal_pbs
-					  , struct isakmp_proposal *proposal)
-{
-	/* DOI */
-	if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
-	{
-		loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
-		/* XXX Could send notification back */
-		return ISAKMP_DOI_NOT_SUPPORTED;
-	}
-
-	/* Situation */
-	if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
-	{
-		return ISAKMP_SITUATION_NOT_SUPPORTED;
-	}
-	if (*ipsecdoisit != SIT_IDENTITY_ONLY)
-	{
-		loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
-			, bitnamesof(sit_bit_names, *ipsecdoisit));
-		/* XXX Could send notification back */
-		return ISAKMP_SITUATION_NOT_SUPPORTED;
-	}
-
-	/* The rules for ISAKMP SAs are scattered.
-	 * RFC 2409 "IKE" section 5 says that there
-	 * can only be one SA, and it can have only one proposal in it.
-	 * There may well be multiple transforms.
-	 */
-	if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
-	{
-		return ISAKMP_PAYLOAD_MALFORMED;
-	}
-	if (proposal->isap_np != ISAKMP_NEXT_NONE)
-	{
-		loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
-			, enum_show(&payload_names, proposal->isap_np));
-		return ISAKMP_PAYLOAD_MALFORMED;
-	}
-
-	if (proposal->isap_protoid != PROTO_ISAKMP)
-	{
-		loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
-			, enum_show(&protocol_names, proposal->isap_protoid));
-		return ISAKMP_INVALID_PROTOCOL_ID;
-	}
-
-	/* Just what should we accept for the SPI field?
-	 * The RFC is sort of contradictory.  We will ignore the SPI
-	 * as long as it is of the proper size.
-	 *
-	 * From RFC2408 2.4 Identifying Security Associations:
-	 *   During phase 1 negotiations, the initiator and responder cookies
-	 *   determine the ISAKMP SA. Therefore, the SPI field in the Proposal
-	 *   payload is redundant and MAY be set to 0 or it MAY contain the
-	 *   transmitting entity's cookie.
-	 *
-	 * From RFC2408 3.5 Proposal Payload:
-	 *    o  SPI Size (1 octet) - Length in octets of the SPI as defined by
-	 *       the Protocol-Id.  In the case of ISAKMP, the Initiator and
-	 *       Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
-	 *       therefore, the SPI Size is irrelevant and MAY be from zero (0) to
-	 *       sixteen (16).  If the SPI Size is non-zero, the content of the
-	 *       SPI field MUST be ignored.  If the SPI Size is not a multiple of
-	 *       4 octets it will have some impact on the SPI field and the
-	 *       alignment of all payloads in the message.  The Domain of
-	 *       Interpretation (DOI) will dictate the SPI Size for other
-	 *       protocols.
-	 */
-	if (proposal->isap_spisize == 0)
-	{
-		/* empty (0) SPI -- fine */
-	}
-	else if (proposal->isap_spisize <= MAX_ISAKMP_SPI_SIZE)
-	{
-		u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
-
-		if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
-			return ISAKMP_PAYLOAD_MALFORMED;
-	}
-	else
-	{
-		loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
-			, (unsigned)proposal->isap_spisize);
-		return ISAKMP_INVALID_SPI;
-	}
-	return ISAKMP_NOTHING_WRONG;
-}
-
-static struct {
-	u_int8_t *start;
-	u_int8_t *cur;
-	u_int8_t *roof;
-} backup;
-
-/**
- * Backup the pointer into a pb_stream
- */
-void backup_pbs(pb_stream *pbs)
-{
-	backup.start = pbs->start;
-	backup.cur   = pbs->cur;
-	backup.roof  = pbs->roof;
-}
-
-/**
- * Restore the pointer into a pb_stream
- */
-void restore_pbs(pb_stream *pbs)
-{
-	pbs->start = backup.start;
-	pbs->cur   = backup.cur;
-	pbs->roof  = backup.roof;
-}
-
-/**
- * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
- */
-notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
-								   lset_t *policy)
-{
-	int last_transnum = -1;
-
-	*policy = LEMPTY;
-
-	while (notrans--)
-	{
-		pb_stream trans_pbs;
-		u_char *attr_start;
-		size_t attr_len;
-		struct isakmp_transform trans;
-
-		if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
-		{
-			return ISAKMP_BAD_PROPOSAL_SYNTAX;
-		}
-		if (trans.isat_transnum <= last_transnum)
-		{
-			/* picky, picky, picky */
-			loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
-				" in Oakley Proposal");
-			return ISAKMP_BAD_PROPOSAL_SYNTAX;
-		}
-		last_transnum = trans.isat_transnum;
-
-		if (trans.isat_transid != KEY_IKE)
-		{
-			loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
-				, enum_show(&isakmp_transformid_names, trans.isat_transid));
-			return ISAKMP_INVALID_TRANSFORM_ID;
-		}
-
-		attr_start = trans_pbs.cur;
-		attr_len = pbs_left(&trans_pbs);
-
-		/* preprocess authentication attributes only */
-		while (pbs_left(&trans_pbs) != 0)
-		{
-			struct isakmp_attribute a;
-			pb_stream attr_pbs;
-
-			if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
-			{
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-			}
-			passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
-
-			switch (a.isaat_af_type)
-			{
-			case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
-				switch (a.isaat_lv)
-				{
-				case OAKLEY_PRESHARED_KEY:
-					*policy |= POLICY_PSK;
-					break;
-				case OAKLEY_RSA_SIG:
-				case OAKLEY_ECDSA_256:
-				case OAKLEY_ECDSA_384:
-				case OAKLEY_ECDSA_521:
-					*policy |= POLICY_PUBKEY;
-					break;
-				case XAUTHInitPreShared:
-					*policy |= POLICY_XAUTH_SERVER;
-					/* fall through */
-				case XAUTHRespPreShared:
-					*policy |= POLICY_XAUTH_PSK;
-					break;
-				case XAUTHInitRSA:
-					*policy |= POLICY_XAUTH_SERVER;
-					/* fall through */
-				case XAUTHRespRSA:
-					*policy |= POLICY_XAUTH_RSASIG;
-					break;
-				default:
-					break;
-				}
-				break;
-			default:
-				break;
-			}
-		}
-	}
-	DBG(DBG_CONTROL|DBG_PARSING,
-		DBG_log("preparse_isakmp_policy: peer requests %s authentication"
-				, prettypolicy(*policy))
-	)
-	return ISAKMP_NOTHING_WRONG;
-}
-
-/**
- * Check that we can find a preshared secret
- */
-static err_t find_preshared_key(struct state* st)
-{
-	err_t ugh = NULL;
-	connection_t *c = st->st_connection;
-
-	if (get_preshared_secret(c) == NULL)
-	{
-		char his_id[BUF_LEN];
-
-		if (his_id_was_instantiated(c))
-		{
-			strcpy(his_id, "%any");
-		}
-		else
-		{
-			snprintf(his_id, sizeof(his_id), "%Y", c->spd.that.id);
-		}
-		ugh = builddiag("Can't authenticate: no preshared key found "
-						"for '%Y' and '%s'", c->spd.this.id, his_id);
-	}
-	return ugh;
-}
-
-/* Parse the body of an ISAKMP SA Payload (i.e. Phase 1 / Main Mode).
- * Various shortcuts are taken.  In particular, the policy, such as
- * it is, is hardwired.
- *
- * If r_sa is non-NULL, the body of an SA representing the selected
- * proposal is emitted.
- *
- * This routine is used by main_inI1_outR1() and main_inR1_outI2().
- */
-notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
-									pb_stream *proposal_pbs,
-									struct isakmp_proposal *proposal,
-									pb_stream *r_sa_pbs,
-									struct state *st,
-									bool initiator)
-{
-	connection_t *c = st->st_connection;
-	unsigned no_trans_left;
-
-	/* for each transform payload... */
-	no_trans_left = proposal->isap_notrans;
-
-	for (;;)
-	{
-		pb_stream trans_pbs;
-		u_char *attr_start;
-		size_t attr_len;
-		struct isakmp_transform trans;
-		lset_t seen_attrs = 0;
-		lset_t seen_durations = 0;
-		u_int16_t life_type = 0;
-		struct oakley_trans_attrs ta = { .encrypter = NULL };
-		err_t ugh = NULL;       /* set to diagnostic when problem detected */
-
-		/* initialize only optional field in ta */
-		ta.life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;    /* When this SA expires (seconds) */
-
-		if (no_trans_left == 0)
-		{
-			loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
-			return ISAKMP_BAD_PROPOSAL_SYNTAX;
-		}
-
-		in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
-		attr_start = trans_pbs.cur;
-		attr_len = pbs_left(&trans_pbs);
-
-		/* process all the attributes that make up the transform */
-
-		while (pbs_left(&trans_pbs) != 0)
-		{
-			struct isakmp_attribute a;
-			pb_stream attr_pbs;
-			u_int32_t val;      /* room for larger values */
-
-			if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-
-			passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
-
-			if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
-			{
-				loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
-					, enum_show(&oakley_attr_names, a.isaat_af_type)
-					, trans.isat_transnum);
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-			}
-
-			seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
-
-			val = a.isaat_lv;
-
-			DBG(DBG_PARSING,
-			{
-				enum_names *vdesc = oakley_attr_val_descs
-					[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
-
-				if (vdesc != NULL)
-				{
-					const char *nm = enum_name(vdesc, val);
-
-					if (nm != NULL)
-						DBG_log("   [%u is %s]", (unsigned)val, nm);
-				}
-			});
-
-			switch (a.isaat_af_type)
-			{
-			case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV:
-				if (ike_alg_get_crypter(val))
-				{
-					ta.encrypt = val;
-					ta.encrypter = ike_alg_get_crypter(val);
-					ta.enckeylen = ta.encrypter->keydeflen;
-				}
-				else
-				{
-					ugh = builddiag("%s is not supported"
-							, enum_show(&oakley_enc_names, val));
-				}
-				break;
-
-			case OAKLEY_HASH_ALGORITHM | ISAKMP_ATTR_AF_TV:
-				if (ike_alg_get_hasher(val))
-				{
-					ta.hash = val;
-					ta.hasher = ike_alg_get_hasher(val);
-				}
-				else
-				{
-					ugh = builddiag("%s is not supported"
-							, enum_show(&oakley_hash_names, val));
-				}
-				break;
-
-			case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
-				{
-					/* check that authentication method is acceptable */
-					lset_t iap = st->st_policy & POLICY_ID_AUTH_MASK;
-
-					/* is the initiator the XAUTH client? */
-					bool xauth_init = ( initiator && (st->st_policy & POLICY_XAUTH_SERVER) == LEMPTY)
-								   || (!initiator && (st->st_policy & POLICY_XAUTH_SERVER) != LEMPTY);
-
-					switch (val)
-					{
-					case OAKLEY_PRESHARED_KEY:
-						if ((iap & POLICY_PSK) == LEMPTY)
-						{
-							ugh = "policy does not allow pre-shared key authentication";
-						}
-						else
-						{
-							ugh = find_preshared_key(st);
-							ta.auth = OAKLEY_PRESHARED_KEY;
-						}
-						break;
-					case XAUTHInitPreShared:
-						if ((iap & POLICY_XAUTH_PSK) == LEMPTY || !xauth_init)
-						{
-							ugh = "policy does not allow XAUTHInitPreShared authentication";
-						}
-						else
-						{
-							ugh = find_preshared_key(st);
-							ta.auth = XAUTHInitPreShared;
-						}
-						break;
-					case XAUTHRespPreShared:
-						if ((iap & POLICY_XAUTH_PSK) == LEMPTY || xauth_init)
-						{
-							ugh = "policy does not allow XAUTHRespPreShared authentication";
-						}
-						else
-						{
-							ugh = find_preshared_key(st);
-							ta.auth = XAUTHRespPreShared;
-						}
-						break;
-					case OAKLEY_RSA_SIG:
-					case OAKLEY_ECDSA_256:
-					case OAKLEY_ECDSA_384:
-					case OAKLEY_ECDSA_521:
-						if ((iap & POLICY_PUBKEY) == LEMPTY)
-						{
-							ugh = "policy does not allow public key authentication";
-						}
-						else
-						{
-							ta.auth = val;
-						}
-						break;
-					case XAUTHInitRSA:
-						if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || !xauth_init)
-						{
-							ugh = "policy does not allow XAUTHInitRSA authentication";
-						}
-						else
-						{
-							ta.auth = XAUTHInitRSA;
-						}
-						break;
-					case XAUTHRespRSA:
-						if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || xauth_init)
-						{
-							ugh = "policy does not allow XAUTHRespRSA authentication";
-						}
-						else
-						{
-							ta.auth = XAUTHRespRSA;
-						}
-						break;
-					default:
-						ugh = builddiag("Pluto does not support %s authentication"
-							, enum_show(&oakley_auth_names, val));
-						break;
-					}
-				}
-				break;
-
-			case OAKLEY_GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
-				ta.group = ike_alg_get_dh_group(val);
-				if (ta.group == NULL)
-				{
-					ugh = builddiag("%s is not supported"
-							, enum_show(&oakley_group_names, val));
-				}
-				break;
-
-			case OAKLEY_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
-				switch (val)
-				{
-				case OAKLEY_LIFE_SECONDS:
-				case OAKLEY_LIFE_KILOBYTES:
-					if (LHAS(seen_durations, val))
-					{
-						loglog(RC_LOG_SERIOUS
-								, "attribute OAKLEY_LIFE_TYPE value %s repeated"
-								, enum_show(&oakley_lifetime_names, val));
-						return ISAKMP_BAD_PROPOSAL_SYNTAX;
-					}
-					seen_durations |= LELEM(val);
-					life_type = val;
-					break;
-				default:
-					ugh = builddiag("unknown value %s"
-							, enum_show(&oakley_lifetime_names, val));
-					break;
-				}
-				break;
-
-			case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
-				val = decode_long_duration(&attr_pbs);
-				/* fall through */
-			case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
-				if (!LHAS(seen_attrs, OAKLEY_LIFE_TYPE))
-				{
-					ugh = "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
-					break;
-				}
-				seen_attrs &= ~(LELEM(OAKLEY_LIFE_DURATION) | LELEM(OAKLEY_LIFE_TYPE));
-
-				switch (life_type)
-				{
-				case OAKLEY_LIFE_SECONDS:
-					if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
-					{
-#ifdef CISCO_QUIRKS
-						plog("peer requested %lu seconds"
-										" which exceeds our limit %d seconds"
-										, (long) val
-										, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
-						plog("lifetime reduced to %d seconds "
-										"(todo: IPSEC_RESPONDER_LIFETIME notification)"
-										, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
-						val = OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM;
-#else
-						ugh = builddiag("peer requested %lu seconds"
-										" which exceeds our limit %d seconds"
-										, (long) val
-										, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
-#endif
-					}
-					ta.life_seconds = val;
-					break;
-				case OAKLEY_LIFE_KILOBYTES:
-					ta.life_kilobytes = val;
-					break;
-				default:
-					bad_case(life_type);
-				}
-				break;
-
-			case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
-				if ((seen_attrs & LELEM(OAKLEY_ENCRYPTION_ALGORITHM)) == 0)
-				{
-					ugh = "OAKLEY_KEY_LENGTH attribute not preceded by "
-						  "OAKLEY_ENCRYPTION_ALGORITHM attribute";
-					break;
-				}
-				if (ta.encrypter == NULL)
-				{
-					ugh = "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
-					break;
-				}
-				/*
-				 * check if this keylen is compatible with specified algorithm
-				 */
-				if (val
-				&& (val < ta.encrypter->keyminlen || val > ta.encrypter->keymaxlen))
-				{
-					ugh = "peer proposed key length not valid for "
-						  "encryption algorithm specified";
-				}
-				ta.enckeylen = val;
-				break;
-#if 0 /* not yet supported */
-			case OAKLEY_GROUP_TYPE | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_PRF | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_FIELD_SIZE | ISAKMP_ATTR_AF_TV:
-
-			case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TLV:
-			case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TLV:
-			case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TLV:
-			case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TLV:
-			case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TLV:
-			case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TV:
-			case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
-#endif
-			default:
-				/* fix compiler warning */
-				memset(&ta, 0, sizeof(ta));
-				ugh = "unsupported OAKLEY attribute";
-				break;
-			}
-
-			if (ugh != NULL)
-			{
-				loglog(RC_LOG_SERIOUS, "%s.  Attribute %s"
-					, ugh, enum_show(&oakley_attr_names, a.isaat_af_type));
-				break;
-			}
-		}
-
-		/*
-		 * ML: at last check for allowed transforms in alg_info_ike
-		 *     (ALG_INFO_F_STRICT flag)
-		 */
-		if (ugh == NULL)
-		{
-			if (!ike_alg_ok_final(ta.encrypt, ta.enckeylen, ta.hash,
-				ta.group ? ta.group->algo_id : -1, c->alg_info_ike))
-			{
-				ugh = "OAKLEY proposal refused";
-			}
-		}
-
-		if (ugh == NULL)
-		{
-			/* a little more checking is in order */
-			{
-				lset_t missing
-					= ~seen_attrs
-					& (LELEM(OAKLEY_ENCRYPTION_ALGORITHM)
-					  | LELEM(OAKLEY_HASH_ALGORITHM)
-					  | LELEM(OAKLEY_AUTHENTICATION_METHOD)
-					  | LELEM(OAKLEY_GROUP_DESCRIPTION));
-
-				if (missing)
-				{
-					loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
-						, bitnamesof(oakley_attr_bit_names, missing)
-						, trans.isat_transnum);
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-				}
-			}
-			/* We must have liked this transform.
-			 * Lets finish early and leave.
-			 */
-
-			DBG(DBG_PARSING | DBG_CRYPT
-				, DBG_log("Oakley Transform %u accepted", trans.isat_transnum));
-
-			if (r_sa_pbs != NULL)
-			{
-				struct isakmp_proposal r_proposal = *proposal;
-				pb_stream r_proposal_pbs;
-				struct isakmp_transform r_trans = trans;
-				pb_stream r_trans_pbs;
-
-				/* Situation */
-				if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
-					impossible();
-
-				/* Proposal */
-#ifdef EMIT_ISAKMP_SPI
-				r_proposal.isap_spisize = COOKIE_SIZE;
-#else
-				r_proposal.isap_spisize = 0;
-#endif
-				r_proposal.isap_notrans = 1;
-				if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
-					impossible();
-
-				/* SPI */
-#ifdef EMIT_ISAKMP_SPI
-				if (!out_raw(my_cookie, COOKIE_SIZE, &r_proposal_pbs, "SPI"))
-					impossible();
-				r_proposal.isap_spisize = COOKIE_SIZE;
-#else
-				/* none (0) */
-#endif
-
-				/* Transform */
-				r_trans.isat_np = ISAKMP_NEXT_NONE;
-				if (!out_struct(&r_trans, &isakmp_isakmp_transform_desc, &r_proposal_pbs, &r_trans_pbs))
-					impossible();
-
-				if (!out_raw(attr_start, attr_len, &r_trans_pbs, "attributes"))
-					impossible();
-				close_output_pbs(&r_trans_pbs);
-				close_output_pbs(&r_proposal_pbs);
-				close_output_pbs(r_sa_pbs);
-			}
-
-			/* copy over the results */
-			st->st_oakley = ta;
-			return ISAKMP_NOTHING_WRONG;
-		}
-
-		/* on to next transform */
-		no_trans_left--;
-
-		if (trans.isat_np == ISAKMP_NEXT_NONE)
-		{
-			if (no_trans_left != 0)
-			{
-				loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-			}
-			break;
-		}
-		if (trans.isat_np != ISAKMP_NEXT_T)
-		{
-			loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
-				, enum_show(&payload_names, proposal->isap_np));
-			return ISAKMP_BAD_PROPOSAL_SYNTAX;
-		}
-	}
-	loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
-	return ISAKMP_NO_PROPOSAL_CHOSEN;
-}
-
-/* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
- *
- * The main routine is parse_ipsec_sa_body; other functions defined
- * between here and there are just helpers.
- *
- * Various shortcuts are taken.  In particular, the policy, such as
- * it is, is hardwired.
- *
- * If r_sa is non-NULL, the body of an SA representing the selected
- * proposal is emitted into it.
- *
- * If "selection" is true, the SA is supposed to represent the
- * single transform that the peer has accepted.
- * ??? We only check that it is acceptable, not that it is one that we offered!
- *
- * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
- * Error response is rudimentary.
- *
- * Since all ISAKMP groups in all SA Payloads must match, st->st_pfs_group
- * holds this across multiple payloads.
- * &unset_group signifies not yet "set"; NULL signifies NONE.
- *
- * This routine is used by quick_inI1_outR1() and quick_inR1_outI2().
- */
-
-static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
-	0,                                  /* transid (NULL, for now) */
-	0,                                  /* spi */
-	SA_LIFE_DURATION_DEFAULT,           /* life_seconds */
-	SA_LIFE_DURATION_K_DEFAULT,         /* life_kilobytes */
-	ENCAPSULATION_MODE_UNSPECIFIED,     /* encapsulation */
-	AUTH_ALGORITHM_NONE,                /* auth */
-	0,                                  /* key_len */
-	0,                                  /* key_rounds */
-};
-
-static bool parse_ipsec_transform(struct isakmp_transform *trans,
-								  struct ipsec_trans_attrs *attrs,
-								  pb_stream *prop_pbs,
-								  pb_stream *trans_pbs,
-								  struct_desc *trans_desc,
-								  int previous_transnum, /* or -1 if none */
-								  bool selection, bool is_last, bool is_ipcomp,
-								  struct state *st)  /* current state object */
-{
-	lset_t seen_attrs = 0;
-	lset_t seen_durations = 0;
-	u_int16_t life_type = 0;
-	const struct dh_desc *pfs_group = NULL;
-
-	if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
-	{
-		return FALSE;
-	}
-	if (trans->isat_transnum <= previous_transnum)
-	{
-		loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
-		return FALSE;
-	}
-
-	switch (trans->isat_np)
-	{
-		case ISAKMP_NEXT_T:
-			if (is_last)
-			{
-				loglog(RC_LOG_SERIOUS, "Proposal Payload has more Transforms than specified");
-				return FALSE;
-			}
-			break;
-		case ISAKMP_NEXT_NONE:
-			if (!is_last)
-			{
-				loglog(RC_LOG_SERIOUS, "Proposal Payload has fewer Transforms than specified");
-				return FALSE;
-			}
-			break;
-		default:
-			loglog(RC_LOG_SERIOUS, "expecting Transform Payload, but found %s in Proposal"
-				, enum_show(&payload_names, trans->isat_np));
-			return FALSE;
-	}
-
-	*attrs = null_ipsec_trans_attrs;
-	attrs->transid = trans->isat_transid;
-
-	while (pbs_left(trans_pbs) != 0)
-	{
-		struct isakmp_attribute a;
-		pb_stream attr_pbs;
-		enum_names *vdesc;
-		u_int32_t val;  /* room for larger value */
-		bool ipcomp_inappropriate = is_ipcomp;  /* will get reset if OK */
-
-		if (!in_struct(&a, &isakmp_ipsec_attribute_desc, trans_pbs, &attr_pbs))
-			return FALSE;
-
-		passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
-
-		if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
-		{
-			loglog(RC_LOG_SERIOUS, "repeated %s attribute in IPsec Transform %u"
-				, enum_show(&ipsec_attr_names, a.isaat_af_type)
-				, trans->isat_transnum);
-			return FALSE;
-		}
-
-		seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
-
-		val = a.isaat_lv;
-
-		vdesc  = ipsec_attr_val_descs[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
-		if (vdesc != NULL)
-		{
-			if (enum_name(vdesc, val) == NULL)
-			{
-				loglog(RC_LOG_SERIOUS, "invalid value %u for attribute %s in IPsec Transform"
-					, (unsigned)val, enum_show(&ipsec_attr_names, a.isaat_af_type));
-				return FALSE;
-			}
-			DBG(DBG_PARSING
-				, if ((a.isaat_af_type & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
-					DBG_log("   [%u is %s]"
-						, (unsigned)val, enum_show(vdesc, val)));
-		}
-
-		switch (a.isaat_af_type)
-		{
-			case SA_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
-				ipcomp_inappropriate = FALSE;
-				if (LHAS(seen_durations, val))
-				{
-					loglog(RC_LOG_SERIOUS, "attribute SA_LIFE_TYPE value %s repeated in message"
-						, enum_show(&sa_lifetime_names, val));
-					return FALSE;
-				}
-				seen_durations |= LELEM(val);
-				life_type = val;
-				break;
-			case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
-				val = decode_long_duration(&attr_pbs);
-				/* fall through */
-			case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
-				ipcomp_inappropriate = FALSE;
-				if (!LHAS(seen_attrs, SA_LIFE_DURATION))
-				{
-					loglog(RC_LOG_SERIOUS, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
-					return FALSE;
-				}
-				seen_attrs &= ~(LELEM(SA_LIFE_DURATION) | LELEM(SA_LIFE_TYPE));
-
-				switch (life_type)
-				{
-					case SA_LIFE_TYPE_SECONDS:
-						/* silently limit duration to our maximum */
-						attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
-							? val : SA_LIFE_DURATION_MAXIMUM;
-						break;
-					case SA_LIFE_TYPE_KBYTES:
-						attrs->life_kilobytes = val;
-						break;
-					default:
-						bad_case(life_type);
-				}
-				break;
-			case GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
-				if (is_ipcomp)
-				{
-					/* Accept reluctantly.  Should not happen, according to
-					 * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
-					 */
-					ipcomp_inappropriate = FALSE;
-					loglog(RC_COMMENT
-						, "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
-						"  Ignoring inapproprate attribute.");
-				}
-				pfs_group = ike_alg_get_dh_group(val);
-				if (pfs_group == NULL)
-				{
-					loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
-					return FALSE;
-				}
-				break;
-			case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
-				ipcomp_inappropriate = FALSE;
-				switch (val)
-				{
-				case ENCAPSULATION_MODE_TUNNEL:
-				case ENCAPSULATION_MODE_TRANSPORT:
-					if (st->nat_traversal & NAT_T_DETECTED)
-					{
-						loglog(RC_LOG_SERIOUS
-							, "%s must only be used if NAT-Traversal is not detected"
-							, enum_name(&enc_mode_names, val));
-						/*
-						 * Accept it anyway because SSH-Sentinel does not
-						 * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
-						 *
-						 * remove when SSH-Sentinel is fixed
-						 */
-#ifdef I_DONT_CARE_OF_SSH_SENTINEL
-						return FALSE;
-#endif
-					}
-					attrs->encapsulation = val;
-					break;
-				case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS:
-#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-					loglog(RC_LOG_SERIOUS
-						, "NAT-Traversal: Transport mode disabled due to security concerns");
-					return FALSE;
-#endif
-				case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
-					if (st->nat_traversal & NAT_T_WITH_RFC_VALUES)
-					{
-						loglog(RC_LOG_SERIOUS
-							, "%s must only be used with old IETF drafts"
-							, enum_name(&enc_mode_names, val));
-						return FALSE;
-					}
-					else if (st->nat_traversal & NAT_T_DETECTED)
-					{
-						attrs->encapsulation = val
-								- ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
-								+ ENCAPSULATION_MODE_TUNNEL;
-					}
-					else
-					{
-						loglog(RC_LOG_SERIOUS
-							, "%s must only be used if NAT-Traversal is detected"
-							, enum_name(&enc_mode_names, val));
-						return FALSE;
-					}
-					break;
-					case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC:
-#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-						loglog(RC_LOG_SERIOUS
-							, "NAT-Traversal: Transport mode disabled due "
-							  "to security concerns");
-						return FALSE;
-#endif
-					case ENCAPSULATION_MODE_UDP_TUNNEL_RFC:
-						if ((st->nat_traversal & NAT_T_DETECTED)
-						&& (st->nat_traversal & NAT_T_WITH_RFC_VALUES))
-						{
-							attrs->encapsulation = val
-										- ENCAPSULATION_MODE_UDP_TUNNEL_RFC
-										+ ENCAPSULATION_MODE_TUNNEL;
-						}
-						else if (st->nat_traversal & NAT_T_DETECTED)
-						{
-							loglog(RC_LOG_SERIOUS
-								, "%s must only be used with NAT-T RFC"
-								, enum_name(&enc_mode_names, val));
-							return FALSE;
-						}
-						else
-						{
-							loglog(RC_LOG_SERIOUS
-								, "%s must only be used if NAT-Traversal is detected"
-								, enum_name(&enc_mode_names, val));
-							return FALSE;
-						}
-						break;
-					default:
-						loglog(RC_LOG_SERIOUS
-							, "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
-						return FALSE;
-				}
-				break;
-			case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
-				attrs->auth = val;
-				break;
-			case KEY_LENGTH | ISAKMP_ATTR_AF_TV:
-				attrs->key_len = val;
-				break;
-			case KEY_ROUNDS | ISAKMP_ATTR_AF_TV:
-				attrs->key_rounds = val;
-				break;
-#if 0 /* not yet implemented */
-			case COMPRESS_DICT_SIZE | ISAKMP_ATTR_AF_TV:
-				break;
-			case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TV:
-				break;
-
-			case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
-				break;
-			case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TLV:
-				break;
-#endif
-			default:
-				loglog(RC_LOG_SERIOUS, "unsupported IPsec attribute %s"
-					, enum_show(&ipsec_attr_names, a.isaat_af_type));
-				return FALSE;
-		}
-		if (ipcomp_inappropriate)
-		{
-			loglog(RC_LOG_SERIOUS, "IPsec attribute %s inappropriate for IPCOMP"
-				, enum_show(&ipsec_attr_names, a.isaat_af_type));
-			return FALSE;
-		}
-	}
-
-	/* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
-	 * if it does, demand that it be consistent.
-	 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
-	 */
-	if (!is_ipcomp || pfs_group != NULL)
-	{
-		if (st->st_pfs_group == &unset_group)
-			st->st_pfs_group = pfs_group;
-
-		if (st->st_pfs_group != pfs_group)
-		{
-			loglog(RC_LOG_SERIOUS, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
-				, selection? "the Proposal" : "a previous Transform");
-			return FALSE;
-		}
-	}
-
-	if (LHAS(seen_attrs, SA_LIFE_DURATION))
-	{
-		loglog(RC_LOG_SERIOUS, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
-		return FALSE;
-	}
-
-	if (!LHAS(seen_attrs, ENCAPSULATION_MODE))
-	{
-		if (is_ipcomp)
-		{
-			/* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
-			 * "If the Encapsulation Mode is unspecified,
-			 * the default value of Transport Mode is assumed."
-			 * This contradicts/overrides the DOI (quuoted below).
-			 */
-			attrs->encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-		}
-		else
-		{
-			/* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
-			 * the default is "unspecified (host-dependent)".
-			 * This makes little sense, so we demand that it be specified.
-			 */
-			loglog(RC_LOG_SERIOUS, "IPsec Transform must specify ENCAPSULATION_MODE");
-			return FALSE;
-		}
-	}
-
-	/* ??? should check for key_len and/or key_rounds if required */
-
-	return TRUE;
-}
-
-static void
-echo_proposal(
-	struct isakmp_proposal r_proposal,  /* proposal to emit */
-	struct isakmp_transform r_trans,    /* winning transformation within it */
-	u_int8_t np,                        /* Next Payload for proposal */
-	pb_stream *r_sa_pbs,                /* SA PBS into which to emit */
-	struct ipsec_proto_info *pi,        /* info about this protocol instance */
-	struct_desc *trans_desc,            /* descriptor for this transformation */
-	pb_stream *trans_pbs,               /* PBS for incoming transform */
-	struct spd_route *sr,               /* host details for the association */
-	bool tunnel_mode)                   /* true for inner most tunnel SA */
-{
-	pb_stream r_proposal_pbs;
-	pb_stream r_trans_pbs;
-
-	/* Proposal */
-	r_proposal.isap_np = np;
-	r_proposal.isap_notrans = 1;
-	if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
-		impossible();
-
-	/* allocate and emit our CPI/SPI */
-	if (r_proposal.isap_protoid == PROTO_IPCOMP)
-	{
-		/* CPI is stored in network low order end of an
-		 * ipsec_spi_t.  So we start a couple of bytes in.
-		 * Note: we may fail to generate a satisfactory CPI,
-		 * but we'll ignore that.
-		 */
-		pi->our_spi = get_my_cpi(sr, tunnel_mode);
-		out_raw((u_char *) &pi->our_spi
-			 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
-			, IPCOMP_CPI_SIZE
-			, &r_proposal_pbs, "CPI");
-	}
-	else
-	{
-		pi->our_spi = get_ipsec_spi(pi->attrs.spi
-			, r_proposal.isap_protoid == PROTO_IPSEC_AH ?
-				IPPROTO_AH : IPPROTO_ESP
-			, sr
-			, tunnel_mode);
-		/* XXX should check for errors */
-		out_raw((u_char *) &pi->our_spi, IPSEC_DOI_SPI_SIZE
-			, &r_proposal_pbs, "SPI");
-	}
-
-	/* Transform */
-	r_trans.isat_np = ISAKMP_NEXT_NONE;
-	if (!out_struct(&r_trans, trans_desc, &r_proposal_pbs, &r_trans_pbs))
-		impossible();
-
-	/* Transform Attributes: pure echo */
-	trans_pbs->cur = trans_pbs->start + sizeof(struct isakmp_transform);
-	if (!out_raw(trans_pbs->cur, pbs_left(trans_pbs)
-	, &r_trans_pbs, "attributes"))
-		impossible();
-
-	close_output_pbs(&r_trans_pbs);
-	close_output_pbs(&r_proposal_pbs);
-}
-
-notification_t
-parse_ipsec_sa_body(
-	pb_stream *sa_pbs,          /* body of input SA Payload */
-	const struct isakmp_sa *sa, /* header of input SA Payload */
-	pb_stream *r_sa_pbs,        /* if non-NULL, where to emit body of winning SA */
-	bool selection,             /* if this SA is a selection, only one transform may appear */
-	struct state *st)           /* current state object */
-{
-	const connection_t *c = st->st_connection;
-	u_int32_t ipsecdoisit;
-	pb_stream next_proposal_pbs;
-
-	struct isakmp_proposal next_proposal;
-	ipsec_spi_t next_spi;
-
-	bool next_full = TRUE;
-
-	/* DOI */
-	if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
-	{
-		loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
-		/* XXX Could send notification back */
-		return ISAKMP_DOI_NOT_SUPPORTED;
-	}
-
-	/* Situation */
-	if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
-		return ISAKMP_SITUATION_NOT_SUPPORTED;
-
-	if (ipsecdoisit != SIT_IDENTITY_ONLY)
-	{
-		loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
-			, bitnamesof(sit_bit_names, ipsecdoisit));
-		/* XXX Could send notification back */
-		return ISAKMP_SITUATION_NOT_SUPPORTED;
-	}
-
-	/* The rules for IPsec SAs are scattered.
-	 * RFC 2408 "ISAKMP" section 4.2 gives some info.
-	 * There may be multiple proposals.  Those with identical proposal
-	 * numbers must be considered as conjuncts.  Those with different
-	 * numbers are disjuncts.
-	 * Each proposal may have several transforms, each considered
-	 * an alternative.
-	 * Each transform may have several attributes, all applying.
-	 *
-	 * To handle the way proposals are combined, we need to do a
-	 * look-ahead.
-	 */
-
-	if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
-		return ISAKMP_BAD_PROPOSAL_SYNTAX;
-
-	/* for each conjunction of proposals... */
-	while (next_full)
-	{
-		int propno = next_proposal.isap_proposal;
-		pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
-		struct isakmp_proposal ah_proposal = {0, 0, 0, 0, 0, 0, 0};
-		struct isakmp_proposal esp_proposal = {0, 0, 0, 0, 0, 0, 0};
-		struct isakmp_proposal ipcomp_proposal = {0, 0, 0, 0, 0, 0, 0};
-		ipsec_spi_t ah_spi = 0;
-		ipsec_spi_t esp_spi = 0;
-		ipsec_spi_t ipcomp_cpi = 0;
-		bool ah_seen = FALSE;
-		bool esp_seen = FALSE;
-		bool ipcomp_seen = FALSE;
-		bool tunnel_mode = FALSE;
-		int inner_proto = 0;
-		u_int16_t well_known_cpi = 0;
-
-		pb_stream ah_trans_pbs, esp_trans_pbs, ipcomp_trans_pbs;
-		struct isakmp_transform ah_trans, esp_trans, ipcomp_trans;
-		struct ipsec_trans_attrs ah_attrs, esp_attrs, ipcomp_attrs;
-
-		/* for each proposal in the conjunction */
-		do {
-
-			if (next_proposal.isap_protoid == PROTO_IPCOMP)
-			{
-				/* IPCOMP CPI */
-				if (next_proposal.isap_spisize == IPSEC_DOI_SPI_SIZE)
-				{
-					/* This code is to accommodate those peculiar
-					 * implementations that send a CPI in the bottom of an
-					 * SPI-sized field.
-					 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
-					 */
-					u_int8_t filler[IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE];
-
-					if (!in_raw(filler, sizeof(filler)
-					 , &next_proposal_pbs, "CPI filler")
-					|| !all_zero(filler, sizeof(filler)))
-						return ISAKMP_INVALID_SPI;
-				}
-				else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
-				{
-					loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
-						, next_proposal.isap_spisize);
-					return ISAKMP_INVALID_SPI;
-				}
-
-				/* We store CPI in the low order of a network order
-				 * ipsec_spi_t.  So we start a couple of bytes in.
-				 */
-				zero(&next_spi);
-				if (!in_raw((u_char *)&next_spi
-				  + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
-				, IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
-					return ISAKMP_INVALID_SPI;
-
-				/* If sanity ruled, CPIs would have to be such that
-				 * the SAID (the triple (CPI, IPCOM, destination IP))
-				 * would be unique, just like for SPIs.  But there is a
-				 * perversion where CPIs can be well-known and consequently
-				 * the triple is not unique.  We hide this fact from
-				 * ourselves by fudging the top 16 bits to make
-				 * the property true internally!
-				 */
-				switch (ntohl(next_spi))
-				{
-				case IPCOMP_DEFLATE:
-					well_known_cpi = ntohl(next_spi);
-					next_spi = uniquify_his_cpi(next_spi, st);
-					if (next_spi == 0)
-					{
-						loglog(RC_LOG_SERIOUS
-							, "IPsec Proposal contains well-known CPI that I cannot uniquify");
-						return ISAKMP_INVALID_SPI;
-					}
-					break;
-				default:
-					if (ntohl(next_spi) < IPCOMP_FIRST_NEGOTIATED
-					|| ntohl(next_spi) > IPCOMP_LAST_NEGOTIATED)
-					{
-						loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
-							, (unsigned long) ntohl(next_spi));
-						return ISAKMP_INVALID_SPI;
-					}
-					break;
-				}
-			}
-			else
-			{
-				/* AH or ESP SPI */
-				if (next_proposal.isap_spisize != IPSEC_DOI_SPI_SIZE)
-				{
-					loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
-						, next_proposal.isap_spisize);
-					return ISAKMP_INVALID_SPI;
-				}
-
-				if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
-					return ISAKMP_INVALID_SPI;
-
-				/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
-				 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
-				 * IPCOMP???
-				 */
-				if (ntohl(next_spi) < IPSEC_DOI_SPI_MIN)
-				{
-					loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
-						, (unsigned long) ntohl(next_spi));
-					return ISAKMP_INVALID_SPI;
-				}
-			}
-
-			if (next_proposal.isap_notrans == 0)
-			{
-				loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-			}
-
-			switch (next_proposal.isap_protoid)
-			{
-			case PROTO_IPSEC_AH:
-				if (ah_seen)
-				{
-					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-				}
-				ah_seen = TRUE;
-				ah_prop_pbs = next_proposal_pbs;
-				ah_proposal = next_proposal;
-				ah_spi = next_spi;
-				break;
-
-			case PROTO_IPSEC_ESP:
-				if (esp_seen)
-				{
-					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-				}
-				esp_seen = TRUE;
-				esp_prop_pbs = next_proposal_pbs;
-				esp_proposal = next_proposal;
-				esp_spi = next_spi;
-				break;
-
-			case PROTO_IPCOMP:
-				if (ipcomp_seen)
-				{
-					loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-				}
-				ipcomp_seen = TRUE;
-				ipcomp_prop_pbs = next_proposal_pbs;
-				ipcomp_proposal = next_proposal;
-				ipcomp_cpi = next_spi;
-				break;
-
-			default:
-				loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
-					, enum_show(&protocol_names, next_proposal.isap_protoid));
-				return ISAKMP_INVALID_PROTOCOL_ID;
-			}
-
-			/* refill next_proposal */
-			if (next_proposal.isap_np == ISAKMP_NEXT_NONE)
-			{
-				next_full = FALSE;
-				break;
-			}
-			else if (next_proposal.isap_np != ISAKMP_NEXT_P)
-			{
-				loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
-					, enum_show(&payload_names, next_proposal.isap_np));
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-			}
-
-			if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-		} while (next_proposal.isap_proposal == propno);
-
-		/* Now that we have all conjuncts, we should try
-		 * the Cartesian product of eachs tranforms!
-		 * At the moment, we take short-cuts on account of
-		 * our rudimentary hard-wired policy.
-		 * For now, we find an acceptable AH (if any)
-		 * and then an acceptable ESP.  The only interaction
-		 * is that the ESP acceptance can know whether there
-		 * was an acceptable AH and hence not require an AUTH.
-		 */
-
-		if (ah_seen)
-		{
-			int previous_transnum = -1;
-			int tn;
-
-			for (tn = 0; tn != ah_proposal.isap_notrans; tn++)
-			{
-				int ok_transid = 0;
-				bool ok_auth = FALSE;
-
-				if (!parse_ipsec_transform(&ah_trans
-				, &ah_attrs
-				, &ah_prop_pbs
-				, &ah_trans_pbs
-				, &isakmp_ah_transform_desc
-				, previous_transnum
-				, selection
-				, tn == ah_proposal.isap_notrans - 1
-				, FALSE
-				, st))
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-
-				previous_transnum = ah_trans.isat_transnum;
-
-				/* we must understand ah_attrs.transid
-				 * COMBINED with ah_attrs.auth.
-				 * See RFC 2407 "IPsec DOI" section 4.4.3
-				 * The following combinations are legal,
-				 * but we don't implement all of them:
-				 * It seems as if each auth algorithm
-				 * only applies to one ah transid.
-				 * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
-				 * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
-				 * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
-				 * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
-				 */
-				switch (ah_attrs.auth)
-				{
-					case AUTH_ALGORITHM_NONE:
-						loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
-						return ISAKMP_BAD_PROPOSAL_SYNTAX;
-
-					case AUTH_ALGORITHM_HMAC_MD5:
-						ok_auth = TRUE;
-						/* fall through */
-					case AUTH_ALGORITHM_KPDK:
-						ok_transid = AH_MD5;
-						break;
-
-					case AUTH_ALGORITHM_HMAC_SHA1:
-						ok_auth = TRUE;
-						ok_transid = AH_SHA;
-						break;
-
-					case AUTH_ALGORITHM_DES_MAC:
-						ok_transid = AH_DES;
-						break;
-				}
-				if (ah_attrs.transid != ok_transid)
-				{
-					loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
-						, enum_name(&auth_alg_names, ah_attrs.auth)
-						, enum_show(&ah_transform_names, ah_attrs.transid));
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-				}
-				if (!ok_auth)
-				{
-					DBG(DBG_CONTROL | DBG_CRYPT
-						, DBG_log("%s attribute unsupported"
-							" in %s Transform from %s"
-							, enum_name(&auth_alg_names, ah_attrs.auth)
-							, enum_show(&ah_transform_names, ah_attrs.transid)
-							, ip_str(&c->spd.that.host_addr)));
-					continue;   /* try another */
-				}
-				break;  /* we seem to be happy */
-			}
-			if (tn == ah_proposal.isap_notrans)
-				continue;       /* we didn't find a nice one */
-			ah_attrs.spi = ah_spi;
-			inner_proto = IPPROTO_AH;
-			if (ah_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-				tunnel_mode = TRUE;
-		}
-
-		if (esp_seen)
-		{
-			int previous_transnum = -1;
-			int tn;
-
-			for (tn = 0; tn != esp_proposal.isap_notrans; tn++)
-			{
-				if (!parse_ipsec_transform(&esp_trans
-				, &esp_attrs
-				, &esp_prop_pbs
-				, &esp_trans_pbs
-				, &isakmp_esp_transform_desc
-				, previous_transnum
-				, selection
-				, tn == esp_proposal.isap_notrans - 1
-				, FALSE
-				, st))
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-
-				previous_transnum = esp_trans.isat_transnum;
-
-				/* set default key length for AES encryption */
-				if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
-				{
-					esp_attrs.key_len = 128; /* bits */
-				}
-
-				if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
-					,c->alg_info_esp))
-				{
-					switch (esp_attrs.transid)
-					{
-					case ESP_3DES:
-						break;
-#ifdef SUPPORT_ESP_NULL /* should be about as secure as AH-only */
-					case ESP_NULL:
-						if (esp_attrs.auth == AUTH_ALGORITHM_NONE)
-						{
-							loglog(RC_LOG_SERIOUS, "ESP_NULL requires auth algorithm");
-							return BAD_PROPOSAL_SYNTAX;
-						}
-						if (st->st_policy & POLICY_ENCRYPT)
-						{
-							DBG(DBG_CONTROL | DBG_CRYPT
-									, DBG_log("ESP_NULL Transform Proposal from %s"
-										" does not satisfy POLICY_ENCRYPT"
-										, ip_str(&c->spd.that.host_addr)));
-							continue;   /* try another */
-						}
-						break;
-#endif
-					default:
-						DBG(DBG_CONTROL | DBG_CRYPT
-							, DBG_log("unsupported ESP Transform %s from %s"
-								, enum_show(&esp_transform_names, esp_attrs.transid)
-								, ip_str(&c->spd.that.host_addr)));
-						continue;   /* try another */
-					}
-				}
-
-				if (!kernel_alg_esp_auth_ok(esp_attrs.auth, c->alg_info_esp))
-				{
-					switch (esp_attrs.auth)
-					{
-					case AUTH_ALGORITHM_NONE:
-						if (!ah_seen)
-						{
-							DBG(DBG_CONTROL | DBG_CRYPT
-								, DBG_log("ESP from %s must either have AUTH or be combined with AH"
-									, ip_str(&c->spd.that.host_addr)));
-							continue;   /* try another */
-						}
-						break;
-					case AUTH_ALGORITHM_HMAC_MD5:
-					case AUTH_ALGORITHM_HMAC_SHA1:
-						break;
-					default:
-						DBG(DBG_CONTROL | DBG_CRYPT
-							, DBG_log("unsupported ESP auth alg %s from %s"
-								, enum_show(&auth_alg_names, esp_attrs.auth)
-								, ip_str(&c->spd.that.host_addr)));
-						continue;   /* try another */
-					}
-				}
-
-				/* A last check for allowed transforms in alg_info_esp
-				 * (ALG_INFO_F_STRICT flag)
-				 */
-				if (!kernel_alg_esp_ok_final(esp_attrs.transid, esp_attrs.key_len
-					,esp_attrs.auth, c->alg_info_esp))
-				{
-					continue;
-				}
-
-				if (ah_seen && ah_attrs.encapsulation != esp_attrs.encapsulation)
-				{
-					/* ??? This should be an error, but is it? */
-					DBG(DBG_CONTROL | DBG_CRYPT
-						, DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
-				}
-
-				break;  /* we seem to be happy */
-			}
-			if (tn == esp_proposal.isap_notrans)
-				continue;       /* we didn't find a nice one */
-
-			esp_attrs.spi = esp_spi;
-			inner_proto = IPPROTO_ESP;
-			if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-				tunnel_mode = TRUE;
-		}
-		else if (st->st_policy & POLICY_ENCRYPT)
-		{
-			DBG(DBG_CONTROL | DBG_CRYPT
-				, DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
-					, c->name, ip_str(&c->spd.that.host_addr)));
-			continue;   /* we needed encryption, but didn't find ESP */
-		}
-		else if ((st->st_policy & POLICY_AUTHENTICATE) && !ah_seen)
-		{
-			DBG(DBG_CONTROL | DBG_CRYPT
-				, DBG_log("policy for \"%s\" requires authentication"
-					" but none in Proposal from %s"
-					, c->name, ip_str(&c->spd.that.host_addr)));
-			continue;   /* we need authentication, but we found neither ESP nor AH */
-		}
-
-		if (ipcomp_seen)
-		{
-			int previous_transnum = -1;
-			int tn;
-
-#ifdef NEVER    /* we think IPcomp is working now */
-			/**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
-			 **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
-			 ****/
-			if (!(st->st_policy & POLICY_COMPRESS))
-			{
-				plog("compression proposed by %s, but policy for \"%s\" forbids it"
-					, ip_str(&c->spd.that.host_addr), c->name);
-				continue;       /* unwanted compression proposal */
-			}
-#endif
-			if (!can_do_IPcomp)
-			{
-				plog("compression proposed by %s, but kernel does not support IPCOMP"
-					, ip_str(&c->spd.that.host_addr));
-				continue;
-			}
-
-			if (well_known_cpi != 0 && !ah_seen && !esp_seen)
-			{
-				plog("illegal proposal: bare IPCOMP used with well-known CPI");
-				return ISAKMP_BAD_PROPOSAL_SYNTAX;
-			}
-
-			for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
-			{
-				if (!parse_ipsec_transform(&ipcomp_trans
-				, &ipcomp_attrs
-				, &ipcomp_prop_pbs
-				, &ipcomp_trans_pbs
-				, &isakmp_ipcomp_transform_desc
-				, previous_transnum
-				, selection
-				, tn == ipcomp_proposal.isap_notrans - 1
-				, TRUE
-				, st))
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-
-				previous_transnum = ipcomp_trans.isat_transnum;
-
-				if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
-				{
-					plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
-					return ISAKMP_BAD_PROPOSAL_SYNTAX;
-				}
-
-				switch (ipcomp_attrs.transid)
-				{
-					case IPCOMP_DEFLATE:    /* all we can handle! */
-						break;
-
-					default:
-						DBG(DBG_CONTROL | DBG_CRYPT
-							, DBG_log("unsupported IPCOMP Transform %s from %s"
-								, enum_show(&ipcomp_transformid_names, ipcomp_attrs.transid)
-								, ip_str(&c->spd.that.host_addr)));
-						continue;   /* try another */
-				}
-
-				if (ah_seen && ah_attrs.encapsulation != ipcomp_attrs.encapsulation)
-				{
-					/* ??? This should be an error, but is it? */
-					DBG(DBG_CONTROL | DBG_CRYPT
-						, DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
-				} else if (esp_seen && esp_attrs.encapsulation != ipcomp_attrs.encapsulation)
-				{
-					/* ??? This should be an error, but is it? */
-					DBG(DBG_CONTROL | DBG_CRYPT
-						, DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
-				}
-
-				break;  /* we seem to be happy */
-			}
-			if (tn == ipcomp_proposal.isap_notrans)
-				continue;       /* we didn't find a nice one */
-			ipcomp_attrs.spi = ipcomp_cpi;
-			inner_proto = IPPROTO_COMP;
-			if (ipcomp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-				tunnel_mode = TRUE;
-		}
-
-		/* Eureka: we liked what we saw -- accept it. */
-
-		if (r_sa_pbs != NULL)
-		{
-			/* emit what we've accepted */
-
-			/* Situation */
-			if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
-				impossible();
-
-			/* AH proposal */
-			if (ah_seen)
-				echo_proposal(ah_proposal
-					, ah_trans
-					, esp_seen || ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
-					, r_sa_pbs
-					, &st->st_ah
-					, &isakmp_ah_transform_desc
-					, &ah_trans_pbs
-					, &st->st_connection->spd
-					, tunnel_mode && inner_proto == IPPROTO_AH);
-
-			/* ESP proposal */
-			if (esp_seen)
-				echo_proposal(esp_proposal
-					, esp_trans
-					, ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
-					, r_sa_pbs
-					, &st->st_esp
-					, &isakmp_esp_transform_desc
-					, &esp_trans_pbs
-					, &st->st_connection->spd
-					, tunnel_mode && inner_proto == IPPROTO_ESP);
-
-			/* IPCOMP proposal */
-			if (ipcomp_seen)
-				echo_proposal(ipcomp_proposal
-					, ipcomp_trans
-					, ISAKMP_NEXT_NONE
-					, r_sa_pbs
-					, &st->st_ipcomp
-					, &isakmp_ipcomp_transform_desc
-					, &ipcomp_trans_pbs
-					, &st->st_connection->spd
-					, tunnel_mode && inner_proto == IPPROTO_COMP);
-
-			close_output_pbs(r_sa_pbs);
-		}
-
-		/* save decoded version of winning SA in state */
-
-		st->st_ah.present = ah_seen;
-		if (ah_seen)
-			st->st_ah.attrs = ah_attrs;
-
-		st->st_esp.present = esp_seen;
-		if (esp_seen)
-			st->st_esp.attrs = esp_attrs;
-
-		st->st_ipcomp.present = ipcomp_seen;
-		if (ipcomp_seen)
-			st->st_ipcomp.attrs = ipcomp_attrs;
-
-		return ISAKMP_NOTHING_WRONG;
-	}
-
-	loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
-	return ISAKMP_NO_PROPOSAL_CHOSEN;
-}
diff --git a/src/pluto/spdb.h b/src/pluto/spdb.h
deleted file mode 100644
index 8a0bffbbd..000000000
--- a/src/pluto/spdb.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/* Security Policy Data Base (such as it is)
- * Copyright (C) 1998, 1999  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _SPDB_H
-#define _SPDB_H
-
-#include "packet.h"
-
-/* database of SA properties */
-
-/* Attribute type and value pair.
- * Note: only "basic" values are represented so far.
- */
-struct db_attr {
-	u_int16_t type;     /* ISAKMP_ATTR_AF_TV is implied; 0 for end */
-	u_int16_t val;
-};
-
-/* transform */
-struct db_trans {
-	u_int8_t transid;   /* Transform-Id */
-	struct db_attr *attrs;      /* array */
-	int attr_cnt;       /* number of elements */
-};
-
-/* proposal */
-struct db_prop {
-	u_int8_t protoid;   /* Protocol-Id */
-	struct db_trans *trans;     /* array (disjunction) */
-	int trans_cnt;      /* number of elements */
-	/* SPI size and value isn't part of DB */
-};
-
-/* conjunction of proposals */
-struct db_prop_conj {
-	struct db_prop *props;      /* array */
-	int prop_cnt;       /* number of elements */
-};
-
-/* security association */
-struct db_sa {
-	struct db_prop_conj *prop_conjs;    /* array */
-	int prop_conj_cnt;  /* number of elements */
-	/* Hardwired for now;
-	 * DOI: ISAKMP_DOI_IPSEC
-	 * Situation: SIT_IDENTITY_ONLY
-	 */
-};
-
-/* The oakley sadb */
-extern struct db_sa oakley_sadb;
-
-/* The ipsec sadb is subscripted by a bitset with members
- * from POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS
- */
-extern struct db_sa ipsec_sadb[1 << 3];
-
-/* forward declaration */
-struct state;
-
-extern bool out_sa(
-	pb_stream *outs,
-	struct db_sa *sadb,
-	struct state *st,
-	bool oakley_mode,
-	u_int8_t np);
-
-extern notification_t preparse_isakmp_sa_body(
-	const struct isakmp_sa *sa, /* header of input SA Payload */
-	pb_stream *sa_pbs,          /* body of input SA Payload */
-	u_int32_t *ipsecdoisit,     /* IPsec DOI SIT bitset */
-	pb_stream *proposal_pbs,    /* body of proposal Payload */
-	struct isakmp_proposal *proposal);
-
-extern notification_t parse_isakmp_policy(
-	pb_stream *proposal_pbs,    /* body of proposal Payload */
-	u_int notrans,              /* number of transforms */
-	lset_t *policy);            /* RSA, PSK or XAUTH policy */
-
-extern notification_t parse_isakmp_sa_body(
-	u_int32_t ipsecdoisit,      /* IPsec DOI SIT bitset */
-	pb_stream *proposal_pbs,    /* body of proposal Payload */
-	struct isakmp_proposal *proposal,
-	pb_stream *r_sa_pbs,        /* if non-NULL, where to emit winning SA */
-	struct state *st,           /* current state object */
-	bool initiator);            /* is caller initiator? */
-
-extern notification_t parse_ipsec_sa_body(
-	pb_stream *sa_pbs,          /* body of input SA Payload */
-	const struct isakmp_sa *sa, /* header of input SA Payload */
-	pb_stream *r_sa_pbs,        /* if non-NULL, where to emit winning SA */
-	bool selection,             /* if this SA is a selection, only one transform can appear */
-	struct state *st);          /* current state object */
-
-extern void backup_pbs(pb_stream *pbs);
-extern void restore_pbs(pb_stream *pbs);
-
-#endif /* _SPDB_H */
-
diff --git a/src/pluto/state.c b/src/pluto/state.c
deleted file mode 100644
index f5185888e..000000000
--- a/src/pluto/state.c
+++ /dev/null
@@ -1,952 +0,0 @@
-/* routines for state objects
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <fcntl.h>
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <crypto/rngs/rng.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "connections.h"
-#include "state.h"
-#include "kernel.h"
-#include "log.h"
-#include "packet.h"     /* so we can calculate sizeof(struct isakmp_hdr) */
-#include "keys.h"       /* for free_public_key */
-#include "timer.h"
-#include "whack.h"
-#include "demux.h"      /* needs packet.h */
-#include "ipsec_doi.h"  /* needs demux.h and state.h */
-#include "crypto.h"
-
-/*
- * Global variables: had to go somewhere, might as well be this file.
- */
-
-u_int16_t pluto_port = IKE_UDP_PORT;    /* Pluto's port */
-
-/*
- * This file has the functions that handle the
- * state hash table and the Message ID list.
- */
-
-/* Message-IDs
- *
- * A Message ID is contained in each IKE message header.
- * For Phase 1 exchanges (Main and Aggressive), it will be zero.
- * For other exchanges, which must be under the protection of an
- * ISAKMP SA, the Message ID must be unique within that ISAKMP SA.
- * Effectively, this labels the message as belonging to a particular
- * exchange.
- * BTW, we feel this uniqueness allows rekeying to be somewhat simpler
- * than specified by draft-jenkins-ipsec-rekeying-06.txt.
- *
- * A MessageID is a 32 bit unsigned number.  We represent the value
- * internally in network order -- they are just blobs to us.
- * They are unsigned numbers to make hashing and comparing easy.
- *
- * The following mechanism is used to allocate message IDs.  This
- * requires that we keep track of which numbers have already been used
- * so that we don't allocate one in use.
- */
-
-struct msgid_list
-{
-	msgid_t               msgid; /* network order */
-	struct msgid_list     *next;
-};
-
-bool reserve_msgid(struct state *isakmp_sa, msgid_t msgid)
-{
-	struct msgid_list *p;
-
-	passert(msgid != MAINMODE_MSGID);
-	passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
-
-	for (p = isakmp_sa->st_used_msgids; p != NULL; p = p->next)
-		if (p->msgid == msgid)
-			return FALSE;
-
-	p = malloc_thing(struct msgid_list);
-	p->msgid = msgid;
-	p->next = isakmp_sa->st_used_msgids;
-	isakmp_sa->st_used_msgids = p;
-	return TRUE;
-}
-
-msgid_t generate_msgid(struct state *isakmp_sa)
-{
-	int timeout = 100;  /* only try so hard for unique msgid */
-	msgid_t msgid;
-	rng_t *rng;
-
-	passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-
-	for (;;)
-	{
-		rng->get_bytes(rng, sizeof(msgid), (void *) &msgid);
-		if (msgid != 0 && reserve_msgid(isakmp_sa, msgid))
-		{
-			break;
-		}
-		if (--timeout == 0)
-		{
-			plog("gave up looking for unique msgid; using 0x%08lx"
-				, (unsigned long) msgid);
-			break;
-		}
-	}
-	rng->destroy(rng);
-	return msgid;
-}
-
-
-/* state table functions */
-
-#define STATE_TABLE_SIZE 32
-
-static struct state *statetable[STATE_TABLE_SIZE];
-
-static struct state **state_hash(const u_char *icookie, const u_char *rcookie,
-								 const ip_address *peer)
-{
-	u_int i = 0, j;
-	const unsigned char *byte_ptr;
-	size_t length = addrbytesptr(peer, &byte_ptr);
-
-	DBG(DBG_RAW | DBG_CONTROL,
-		DBG_dump("ICOOKIE:", icookie, COOKIE_SIZE);
-		DBG_dump("RCOOKIE:", rcookie, COOKIE_SIZE);
-		DBG_dump("peer:", byte_ptr, length));
-
-	/* XXX the following hash is pretty pathetic */
-
-	for (j = 0; j < COOKIE_SIZE; j++)
-		i = i * 407 + icookie[j] + rcookie[j];
-
-	for (j = 0; j < length; j++)
-		i = i * 613 + byte_ptr[j];
-
-	i = i % STATE_TABLE_SIZE;
-
-	DBG(DBG_CONTROL, DBG_log("state hash entry %d", i));
-
-	return &statetable[i];
-}
-
-/* Get a state object.
- * Caller must schedule an event for this object so that it doesn't leak.
- * Caller must insert_state().
- */
-struct state *new_state(void)
-{
-	/* initialized all to zero & NULL */
-	static const struct state blank_state = {
-		.st_serialno = 0,
-	};
-	static so_serial_t next_so = SOS_FIRST;
-	struct state *st;
-
-	st = clone_thing(blank_state);
-	st->st_serialno = next_so++;
-	passert(next_so > SOS_FIRST);       /* overflow can't happen! */
-	st->st_whack_sock = NULL_FD;
-	DBG(DBG_CONTROL, DBG_log("creating state object #%lu at %p",
-		st->st_serialno, (void *) st));
-	return st;
-}
-
-/*
- * Initialize the state table (and mask*).
- */
-void init_states(void)
-{
-	int i;
-
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-		statetable[i] = (struct state *) NULL;
-}
-
-/* Find the state object with this serial number.
- * This allows state object references that don't turn into dangerous
- * dangling pointers: reference a state by its serial number.
- * Returns NULL if there is no such state.
- * If this turns out to be a significant CPU hog, it could be
- * improved to use a hash table rather than sequential seartch.
- */
-struct state *state_with_serialno(so_serial_t sn)
-{
-	if (sn >= SOS_FIRST)
-	{
-		struct state *st;
-		int i;
-
-		for (i = 0; i < STATE_TABLE_SIZE; i++)
-			for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-				if (st->st_serialno == sn)
-					return st;
-	}
-	return NULL;
-}
-
-/* Insert a state object in the hash table. The object is inserted
- * at the beginning of list.
- * Needs cookies, connection, and msgid.
- */
-void insert_state(struct state *st)
-{
-	struct state **p = state_hash(st->st_icookie, st->st_rcookie
-		, &st->st_connection->spd.that.host_addr);
-
-	passert(st->st_hashchain_prev == NULL && st->st_hashchain_next == NULL);
-
-	if (*p != NULL)
-	{
-		passert((*p)->st_hashchain_prev == NULL);
-		(*p)->st_hashchain_prev = st;
-	}
-	st->st_hashchain_next = *p;
-	*p = st;
-
-	/* Ensure that somebody is in charge of killing this state:
-	 * if no event is scheduled for it, schedule one to discard the state.
-	 * If nothing goes wrong, this event will be replaced by
-	 * a more appropriate one.
-	 */
-	if (st->st_event == NULL)
-		event_schedule(EVENT_SO_DISCARD, 0, st);
-}
-
-/* unlink a state object from the hash table, but don't free it
- */
-void unhash_state(struct state *st)
-{
-	/* unlink from forward chain */
-	struct state **p = st->st_hashchain_prev == NULL
-		? state_hash(st->st_icookie, st->st_rcookie
-					 , &st->st_connection->spd.that.host_addr)
-		: &st->st_hashchain_prev->st_hashchain_next;
-
-	/* unlink from forward chain */
-	passert(*p == st);
-	*p = st->st_hashchain_next;
-
-	/* unlink from backward chain */
-	if (st->st_hashchain_next != NULL)
-	{
-		passert(st->st_hashchain_next->st_hashchain_prev == st);
-		st->st_hashchain_next->st_hashchain_prev = st->st_hashchain_prev;
-	}
-
-	st->st_hashchain_next = st->st_hashchain_prev = NULL;
-}
-
-/* Free the Whack socket file descriptor.
- * This has the side effect of telling Whack that we're done.
- */
-void release_whack(struct state *st)
-{
-	close_any(st->st_whack_sock);
-}
-
-/**
- * Delete a state object
- */
-void delete_state(struct state *st)
-{
-	connection_t *const c = st->st_connection;
-	struct state *old_cur_state = cur_state == st? NULL : cur_state;
-
-	set_cur_state(st);
-
-	/* If DPD is enabled on this state object, clear any pending events */
-	if(st->st_dpd_event != NULL)
-			delete_dpd_event(st);
-
-	/* if there is a suspended state transition, disconnect us */
-	if (st->st_suspended_md != NULL)
-	{
-		passert(st->st_suspended_md->st == st);
-		st->st_suspended_md->st = NULL;
-	}
-
-	/* tell the other side of any IPSEC SAs that are going down */
-	if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-	|| IS_ISAKMP_SA_ESTABLISHED(st->st_state))
-		send_delete(st);
-
-	delete_event(st);   /* delete any pending timer event */
-
-	/* Ditch anything pending on ISAKMP SA being established.
-	 * Note: this must be done before the unhash_state to prevent
-	 * flush_pending_by_state inadvertently and prematurely
-	 * deleting our connection.
-	 */
-	flush_pending_by_state(st);
-
-	/* effectively, this deletes any ISAKMP SA that this state represents */
-	unhash_state(st);
-
-	/* tell kernel to delete any IPSEC SA
-	 * ??? we ought to tell peer to delete IPSEC SAs
-	 */
-	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-		delete_ipsec_sa(st, FALSE);
-	else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
-		delete_ipsec_sa(st, TRUE);
-
-	if (c->newest_ipsec_sa == st->st_serialno)
-		c->newest_ipsec_sa = SOS_NOBODY;
-
-	if (c->newest_isakmp_sa == st->st_serialno)
-		c->newest_isakmp_sa = SOS_NOBODY;
-
-	st->st_connection = NULL;   /* we might be about to free it */
-	cur_state = old_cur_state;  /* without st_connection, st isn't complete */
-	connection_discard(c);
-
-	release_whack(st);
-
-	/* from here on we are just freeing RAM */
-
-	{
-		struct msgid_list *p = st->st_used_msgids;
-
-		while (p != NULL)
-		{
-			struct msgid_list *q = p;
-			p = p->next;
-			free(q);
-		}
-	}
-
-	unreference_key(&st->st_peer_pubkey);
-
-	DESTROY_IF(st->st_dh);
-
-	chunk_clear(&st->st_tpacket);
-	chunk_clear(&st->st_rpacket);
-	chunk_clear(&st->st_p1isa);
-	chunk_clear(&st->st_gi);
-	chunk_clear(&st->st_gr);
-	chunk_clear(&st->st_shared);
-	chunk_clear(&st->st_ni);
-	chunk_clear(&st->st_nr);
-	chunk_clear(&st->st_skeyid);
-	chunk_clear(&st->st_skeyid_d);
-	chunk_clear(&st->st_skeyid_a);
-	chunk_clear(&st->st_skeyid_e);
-	chunk_clear(&st->st_enc_key);
-
-	free(st->st_ah.our_keymat);
-	free(st->st_ah.peer_keymat);
-	free(st->st_esp.our_keymat);
-	free(st->st_esp.peer_keymat);
-
-	free(st);
-}
-
-/**
- * Is a connection in use by some state?
- */
-bool states_use_connection(connection_t *c)
-{
-	/* are there any states still using it? */
-	struct state *st = NULL;
-	int i;
-
-	for (i = 0; st == NULL && i < STATE_TABLE_SIZE; i++)
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-			if (st->st_connection == c)
-				return TRUE;
-
-	return FALSE;
-}
-
-/**
- * Delete all states that were created for a given connection.
- * if relations == TRUE, then also delete states that share
- * the same phase 1 SA.
- */
-void delete_states_by_connection(connection_t *c, bool relations)
-{
-	int pass;
-	/* this kludge avoids an n^2 algorithm */
-	enum connection_kind ck = c->kind;
-	struct spd_route *sr;
-
-	/* save this connection's isakmp SA, since it will get set to later SOS_NOBODY */
-	so_serial_t parent_sa = c->newest_isakmp_sa;
-
-	if (ck == CK_INSTANCE)
-		c->kind = CK_GOING_AWAY;
-
-	/* We take two passes so that we delete any ISAKMP SAs last.
-	 * This allows Delete Notifications to be sent.
-	 * ?? We could probably double the performance by caching any
-	 * ISAKMP SA states found in the first pass, avoiding a second.
-	 */
-	for (pass = 0; pass != 2; pass++)
-	{
-		int i;
-
-		/* For each hash chain... */
-		for (i = 0; i < STATE_TABLE_SIZE; i++)
-		{
-			struct state *st;
-
-			/* For each state in the hash chain... */
-			for (st = statetable[i]; st != NULL; )
-			{
-				struct state *this = st;
-
-				st = st->st_hashchain_next;     /* before this is deleted */
-
-
-				if ((this->st_connection == c
-						|| (relations && parent_sa != SOS_NOBODY
-						&& this->st_clonedfrom == parent_sa))
-						&& (pass == 1 || !IS_ISAKMP_SA_ESTABLISHED(this->st_state)))
-				{
-					struct state *old_cur_state
-						= cur_state == this? NULL : cur_state;
-#ifdef DEBUG
-					lset_t old_cur_debugging = cur_debugging;
-#endif
-
-					set_cur_state(this);
-					plog("deleting state (%s)"
-						, enum_show(&state_names, this->st_state));
-					delete_state(this);
-					cur_state = old_cur_state;
-#ifdef DEBUG
-					cur_debugging = old_cur_debugging;
-#endif
-				}
-			}
-		}
-	}
-
-	sr = &c->spd;
-	while (sr != NULL)
-	{
-		passert(sr->eroute_owner == SOS_NOBODY);
-		passert(sr->routing != RT_ROUTED_TUNNEL);
-		sr = sr->next;
-	}
-	c->kind = ck;
-}
-
-/**
- * Walk through the state table, and delete each state whose phase 1 (IKE)
- * peer is among those given.
- */
-void delete_states_by_peer(ip_address *peer)
-{
-	char peerstr[ADDRTOT_BUF];
-	int i;
-
-	addrtot(peer, 0, peerstr, sizeof(peerstr));
-
-	/* For each hash chain... */
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		struct state *st;
-
-		/* For each state in the hash chain... */
-		for (st = statetable[i]; st != NULL; )
-		{
-			struct state *this = st;
-			struct spd_route *sr;
-			connection_t *c = this->st_connection;
-
-			st = st->st_hashchain_next; /* before this is deleted */
-
-			/* ??? Is it not the case that the peer is the same for all spds? */
-			for (sr = &c->spd; sr != NULL; sr = sr->next)
-			{
-				if (sameaddr(&sr->that.host_addr, peer))
-				{
-					plog("peer %s for connection %s deleting - claimed to have crashed"
-						 , peerstr
-						 , c->name);
-					delete_states_by_connection(c, TRUE);
-					if (c->kind == CK_INSTANCE)
-						delete_connection(c, TRUE);
-					break;      /* can only delete it once */
-				}
-			}
-		}
-	}
-}
-
-/* Duplicate a Phase 1 state object, to create a Phase 2 object.
- * Caller must schedule an event for this object so that it doesn't leak.
- * Caller must insert_state().
- */
-struct state *duplicate_state(struct state *st)
-{
-	struct state *nst;
-
-	DBG(DBG_CONTROL, DBG_log("duplicating state object #%lu",
-		st->st_serialno));
-
-	/* record use of the Phase 1 state */
-	st->st_outbound_count++;
-	st->st_outbound_time = now();
-
-	nst = new_state();
-
-	memcpy(nst->st_icookie, st->st_icookie, COOKIE_SIZE);
-	memcpy(nst->st_rcookie, st->st_rcookie, COOKIE_SIZE);
-
-	nst->st_connection = st->st_connection;
-	nst->st_doi = st->st_doi;
-	nst->st_situation = st->st_situation;
-	nst->st_clonedfrom = st->st_serialno;
-	nst->st_oakley = st->st_oakley;
-	nst->st_modecfg = st->st_modecfg;
-	nst->st_skeyid_d = chunk_clone(st->st_skeyid_d);
-	nst->st_skeyid_a = chunk_clone(st->st_skeyid_a);
-	nst->st_skeyid_e = chunk_clone(st->st_skeyid_e);
-	nst->st_enc_key = chunk_clone(st->st_enc_key);
-
-	return nst;
-}
-
-#if 1
-void for_each_state(void *(f)(struct state *, void *data), void *data)
-{
-		struct state *st, *ocs = cur_state;
-		int i;
-		for (i=0; i<STATE_TABLE_SIZE; i++) {
-				for (st = statetable[i]; st != NULL; st = st->st_hashchain_next) {
-						set_cur_state(st);
-						f(st, data);
-				}
-		}
-		cur_state = ocs;
-}
-#endif
-
-/**
- * Find a state object.
- */
-struct state *find_state(const u_char *icookie, const u_char *rcookie,
-						 const ip_address *peer, msgid_t msgid)
-{
-	struct state *st = *state_hash(icookie, rcookie, peer);
-
-	while (st != (struct state *) NULL)
-	{
-		if (sameaddr(peer, &st->st_connection->spd.that.host_addr)
-		&& memeq(icookie, st->st_icookie, COOKIE_SIZE)
-		&& memeq(rcookie, st->st_rcookie, COOKIE_SIZE)
-		&& msgid == st->st_msgid)
-		{
-			break;
-		}
-		else
-		{
-			st = st->st_hashchain_next;
-		}
-	}
-	DBG(DBG_CONTROL,
-		if (st == NULL)
-			DBG_log("state object not found");
-		else
-			DBG_log("state object #%lu found, in %s"
-				, st->st_serialno
-				, enum_show(&state_names, st->st_state)));
-
-	return st;
-}
-
-/**
- * Find the state that sent a packet
- * ??? this could be expensive -- it should be rate-limited to avoid DoS
- */
-struct state *find_sender(size_t packet_len, u_char *packet)
-{
-	int i;
-	struct state *st;
-
-	if (packet_len >= sizeof(struct isakmp_hdr))
-	{
-		for (i = 0; i < STATE_TABLE_SIZE; i++)
-		{
-			for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-			{
-				if (st->st_tpacket.ptr != NULL
-				&& st->st_tpacket.len == packet_len
-				&& memeq(st->st_tpacket.ptr, packet, packet_len))
-				{
-					return st;
-				}
-			}
-		}
-	}
-	return NULL;
-}
-
-struct state *find_phase2_state_to_delete(const struct state *p1st,
-										  u_int8_t protoid, ipsec_spi_t spi,
-										  bool *bogus)
-{
-	struct state *st;
-	int i;
-
-	*bogus = FALSE;
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		{
-			if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-			&& p1st->st_connection->host_pair == st->st_connection->host_pair
-			&& same_peer_ids(p1st->st_connection, st->st_connection, NULL))
-			{
-				struct ipsec_proto_info *pr = protoid == PROTO_IPSEC_AH
-					? &st->st_ah : &st->st_esp;
-
-				if (pr->present)
-				{
-					if (pr->attrs.spi == spi)
-						return st;
-					if (pr->our_spi == spi)
-						*bogus = TRUE;
-				}
-			}
-		}
-	}
-	return NULL;
-}
-
-/**
- * Find newest Phase 1 negotiation state object for suitable for connection c
- */
-struct state *find_phase1_state(const connection_t *c, lset_t ok_states)
-{
-	struct state
-		*st,
-		*best = NULL;
-	int i;
-
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-			if (LHAS(ok_states, st->st_state)
-			&& c->host_pair == st->st_connection->host_pair
-			&& same_peer_ids(c, st->st_connection, NULL)
-			&& (best == NULL || best->st_serialno < st->st_serialno))
-				best = st;
-
-	return best;
-}
-
-void state_eroute_usage(ip_subnet *ours, ip_subnet *his, unsigned long count,
-						time_t nw)
-{
-	struct state *st;
-	int i;
-
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		{
-			connection_t *c = st->st_connection;
-
-			/* XXX spd-enum */
-			if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
-				&& c->spd.eroute_owner == st->st_serialno
-				&& c->spd.routing == RT_ROUTED_TUNNEL
-				&& samesubnet(&c->spd.this.client, ours)
-				&& samesubnet(&c->spd.that.client, his))
-			{
-				if (st->st_outbound_count != count)
-				{
-					st->st_outbound_count = count;
-					st->st_outbound_time = nw;
-				}
-				return;
-			}
-		}
-	}
-	DBG(DBG_CONTROL,
-		{
-			char ourst[SUBNETTOT_BUF];
-			char hist[SUBNETTOT_BUF];
-
-			subnettot(ours, 0, ourst, sizeof(ourst));
-			subnettot(his, 0, hist, sizeof(hist));
-			DBG_log("unknown tunnel eroute %s -> %s found in scan"
-				, ourst, hist);
-		});
-}
-
-void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
-			   size_t state_buf_len, char *state_buf2, size_t state_buf2_len)
-{
-	/* what the heck is interesting about a state? */
-	const connection_t *c = st->st_connection;
-
-	long delta = st->st_event->ev_time >= n
-		? (long)(st->st_event->ev_time - n)
-		: -(long)(n - st->st_event->ev_time);
-
-	char inst[CONN_INST_BUF];
-	const char *np1 = c->newest_isakmp_sa == st->st_serialno
-		? "; newest ISAKMP" : "";
-	const char *np2 = c->newest_ipsec_sa == st->st_serialno
-		? "; newest IPSEC" : "";
-	/* XXX spd-enum */
-	const char *eo = c->spd.eroute_owner == st->st_serialno
-		? "; eroute owner" : "";
-	const char *dpd = (all && st->st_dpd && c->dpd_action != DPD_ACTION_NONE)
-					  ? "; DPD active" : "";
-
-	passert(st->st_event != 0);
-
-	fmt_conn_instance(c, inst);
-
-	snprintf(state_buf, state_buf_len
-		, "#%lu: \"%s\"%s %s (%s); %N in %lds%s%s%s%s"
-		, st->st_serialno
-		, c->name, inst
-		, enum_name(&state_names, st->st_state)
-		, state_story[st->st_state]
-		, timer_event_names, st->st_event->ev_type
-		, delta
-		, np1, np2, eo, dpd);
-
-	/* print out SPIs if SAs are established */
-	if (state_buf2_len != 0)
-		state_buf2[0] = '\0';   /* default to empty */
-	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
-	{
-
-		bool tunnel;
-		char buf[SATOT_BUF*6 + 2*20 + 1];
-		const char *p_end = buf + sizeof(buf);
-		char *p = buf;
-
-#       define add_said(adst, aspi, aproto) { \
-			ip_said s; \
-			\
-			initsaid(adst, aspi, aproto, &s); \
-			if (p < p_end - 1) \
-			{ \
-				*p++ = ' '; \
-				p += satot(&s, 0, p, p_end - p) - 1; \
-			} \
-		}
-
-#       define add_sa_info(st, inbound) { \
-			u_int bytes; \
-			time_t use_time; \
-			\
-			if (get_sa_info(st, inbound, &bytes, &use_time)) \
-			{ \
-				p += snprintf(p, p_end - p, " (%'u bytes", bytes); \
-				if (bytes > 0 && use_time != UNDEFINED_TIME) \
-					p += snprintf(p, p_end - p, ", %ds ago", (int)(now - use_time)); \
-				p += snprintf(p, p_end - p, ")"); \
-			} \
-		}
-
-		*p = '\0';
-		if (st->st_ah.present)
-		{
-			add_said(&c->spd.that.host_addr, st->st_ah.attrs.spi, SA_AH);
-			add_said(&c->spd.this.host_addr, st->st_ah.our_spi, SA_AH);
-		}
-		if (st->st_esp.present)
-		{
-			time_t now = time_monotonic(NULL);
-
-			add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP);
-			add_sa_info(st, FALSE);
-			add_said(&c->spd.this.host_addr, st->st_esp.our_spi, SA_ESP);
-			add_sa_info(st, TRUE);
-		}
-		if (st->st_ipcomp.present)
-		{
-			add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
-			add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
-		}
-		tunnel =  st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-			   || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-			   || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
-		p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
-
-		snprintf(state_buf2, state_buf2_len
-			, "#%lu: \"%s\"%s%s"
-			, st->st_serialno
-			, c->name, inst
-			, buf);
-
-#       undef add_said
-#       undef add_sa_info
-	}
-}
-
-/*
- * sorting logic is:
- *
- *  name
- *  type
- *  instance#
- *  isakmp_sa (XXX probably wrong)
- *
- */
-static int state_compare(const void *a, const void *b)
-{
-	const struct state *sap = *(const struct state *const *)a;
-	connection_t *ca = sap->st_connection;
-	const struct state *sbp = *(const struct state *const *)b;
-	connection_t *cb = sbp->st_connection;
-
-	/* DBG_log("comparing %s to %s", ca->name, cb->name); */
-
-	return connection_compare(ca, cb);
-}
-
-void show_states_status(bool all, const char *name)
-{
-	time_t n = now();
-	int i;
-	char state_buf[LOG_WIDTH];
-	char state_buf2[LOG_WIDTH];
-	int count;
-	struct state **array;
-
-	/* make count of states */
-	count = 0;
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		struct state *st;
-
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		{
-			if (name == NULL || streq(name, st->st_connection->name))
-				count++;
-		}
-	}
-
-	/* build the array */
-	array = malloc(sizeof(struct state *)*count);
-	count = 0;
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		struct state *st;
-
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		{
-			if (name == NULL || streq(name, st->st_connection->name))
-				array[count++]=st;
-		}
-	}
-
-	/* sort it! */
-	qsort(array, count, sizeof(struct state *), state_compare);
-
-	/* now print sorted results */
-	for (i = 0; i < count; i++)
-	{
-		struct state *st;
-
-		st = array[i];
-
-		fmt_state(all, st, n
-				  , state_buf, sizeof(state_buf)
-				  , state_buf2, sizeof(state_buf2));
-		whack_log(RC_COMMENT, state_buf);
-		if (state_buf2[0] != '\0')
-			whack_log(RC_COMMENT, state_buf2);
-
-		/* show any associated pending Phase 2s */
-		if (IS_PHASE1(st->st_state))
-			show_pending_phase2(st->st_connection->host_pair, st);
-	}
-	if (count > 0)
-		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
-
-	/* free the array */
-	free(array);
-}
-
-/* Muck with high-order 16 bits of this SPI in order to make
- * the corresponding SAID unique.
- * Its low-order 16 bits hold a well-known IPCOMP CPI.
- * Oh, and remember that SPIs are stored in network order.
- * Kludge!!!  So I name it with the non-English word "uniquify".
- * If we can't find one easily, return 0 (a bad SPI,
- * no matter what order) indicating failure.
- */
-ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st)
-{
-	int tries = 0;
-	int i;
-	rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-
-startover:
-
-	/* network order makes first two bytes our target */
-	rng->get_bytes(rng, 2, (u_char *)&cpi);
-
-	/* Make sure that the result is unique.
-	 * Hard work.  If there is no unique value, we'll loop forever!
-	 */
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		struct state *s;
-
-		for (s = statetable[i]; s != NULL; s = s->st_hashchain_next)
-		{
-			if (s->st_ipcomp.present
-			&& sameaddr(&s->st_connection->spd.that.host_addr
-			  , &st->st_connection->spd.that.host_addr)
-			&& cpi == s->st_ipcomp.attrs.spi)
-			{
-				if (++tries == 20)
-				{
-					rng->destroy(rng);
-					return 0;   /* FAILURE */
-				}
-				goto startover;
-			}
-		}
-	}
-	rng->destroy(rng);
-	return cpi;
-}
-
-/*
- * Local Variables:
- * c-basic-offset:4
- * End:
- */
diff --git a/src/pluto/state.h b/src/pluto/state.h
deleted file mode 100644
index a307d9f69..000000000
--- a/src/pluto/state.h
+++ /dev/null
@@ -1,274 +0,0 @@
-/* state and event objects
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STATE_H
-#define _STATE_H
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <time.h>
-
-#include <crypto/diffie_hellman.h>
-
-#include "defs.h"
-#include "connections.h"
-
-/* Message ID mechanism.
- *
- * A Message ID is contained in each IKE message header.
- * For Phase 1 exchanges (Main and Aggressive), it will be zero.
- * For other exchanges, which must be under the protection of an
- * ISAKMP SA, the Message ID must be unique within that ISAKMP SA.
- * Effectively, this labels the message as belonging to a particular
- * exchange.
- *
- * RFC2408 "ISAKMP" 3.1 "ISAKMP Header Format" (near end) states that
- * the Message ID must be unique.  We interpret this to be "unique within
- * one ISAKMP SA".
- *
- * BTW, we feel this uniqueness allows rekeying to be somewhat simpler
- * than specified by draft-jenkins-ipsec-rekeying-06.txt.
- */
-
-typedef u_int32_t msgid_t;      /* Network order! */
-#define MAINMODE_MSGID    ((msgid_t) 0)
-
-struct state;   /* forward declaration of tag */
-extern bool reserve_msgid(struct state *isakmp_sa, msgid_t msgid);
-extern msgid_t generate_msgid(struct state *isakmp_sa);
-
-
-/* Oakley (Phase 1 / Main Mode) transform and attributes
- * This is a flattened/decoded version of what is represented
- * in the Transaction Payload.
- * Names are chosen to match corresponding names in state.
- */
-struct oakley_trans_attrs {
-	u_int16_t encrypt;          /* Encryption algorithm */
-	u_int16_t enckeylen;        /* encryption key len (bits) */
-	const struct encrypt_desc *encrypter;   /* package of encryption routines */
-	u_int16_t hash;             /* Hash algorithm */
-	const struct hash_desc *hasher;         /* package of hashing routines */
-	u_int16_t auth;             /* Authentication method */
-	const struct dh_desc *group;            /* Diffie-Hellman group */
-	time_t life_seconds;        /* When this SA expires (seconds) */
-	u_int32_t life_kilobytes;   /* When this SA is exhausted (kilobytes) */
-#if 0 /* not yet */
-	u_int16_t prf;              /* Pseudo Random Function */
-#endif
-};
-
-/* IPsec (Phase 2 / Quick Mode) transform and attributes
- * This is a flattened/decoded version of what is represented
- * by a Transaction Payload.  There may be one for AH, one
- * for ESP, and a funny one for IPCOMP.
- */
-struct ipsec_trans_attrs {
-	u_int8_t transid;   /* transform id */
-	ipsec_spi_t spi;    /* his SPI */
-	time_t life_seconds;                /* When this SA expires */
-	u_int32_t life_kilobytes;   /* When this SA expires */
-	u_int16_t encapsulation;
-	u_int16_t auth;
-	u_int16_t key_len;
-	u_int16_t key_rounds;
-#if 0 /* not implemented yet */
-	u_int16_t cmprs_dict_sz;
-	u_int32_t cmprs_alg;
-#endif
-};
-
-/* IPsec per protocol state information */
-struct ipsec_proto_info {
-	bool present;       /* was this transform specified? */
-	struct ipsec_trans_attrs attrs;
-	ipsec_spi_t our_spi;
-	u_int16_t keymat_len;       /* same for both */
-	u_char *our_keymat;
-	u_char *peer_keymat;
-};
-
-/* state object: record the state of a (possibly nascent) SA
- *
- * Invariants (violated only during short transitions):
- * - each state object will be in statetable exactly once.
- * - each state object will always have a pending event.
- *   This prevents leaks.
- */
-struct state
-{
-	so_serial_t        st_serialno;            /* serial number (for seniority) */
-	so_serial_t        st_clonedfrom;          /* serial number of parent */
-
-	struct connection *st_connection;          /* connection for this SA */
-
-	int                st_whack_sock;          /* fd for our Whack TCP socket.
-												* Single copy: close when freeing struct.
-												*/
-
-	struct msg_digest *st_suspended_md;        /* suspended state-transition */
-
-	struct oakley_trans_attrs st_oakley;
-
-	struct ipsec_proto_info st_ah;
-	struct ipsec_proto_info st_esp;
-	struct ipsec_proto_info st_ipcomp;
-	ipsec_spi_t        st_tunnel_in_spi;          /* KLUDGE */
-	ipsec_spi_t        st_tunnel_out_spi;         /* KLUDGE */
-
-	const struct dh_desc *st_pfs_group;        /* group for Phase 2 PFS */
-
-	u_int32_t          st_doi;                 /* Domain of Interpretation */
-	u_int32_t          st_situation;
-
-	lset_t             st_policy;              /* policy for IPsec SA */
-
-	msgid_t            st_msgid;               /* MSG-ID from header.  Network Order! */
-
-	/* only for a state representing an ISAKMP SA */
-	struct msgid_list  *st_used_msgids;        /* used-up msgids */
-
-/* symmetric stuff */
-
-  /* initiator stuff */
-	chunk_t            st_gi;                  /* Initiator public value */
-	u_int8_t           st_icookie[COOKIE_SIZE];/* Initiator Cookie */
-	chunk_t            st_ni;                  /* Ni nonce */
-
-  /* responder stuff */
-	chunk_t            st_gr;                  /* Responder public value */
-	u_int8_t           st_rcookie[COOKIE_SIZE];/* Responder Cookie */
-	chunk_t            st_nr;                  /* Nr nonce */
-
-
-  /* my stuff */
-
-	chunk_t            st_tpacket;             /* Transmitted packet */
-
-	/* Phase 2 ID payload info about my user */
-	u_int8_t           st_myuserprotoid;       /* IDcx.protoid */
-	u_int16_t          st_myuserport;
-
-  /* his stuff */
-
-	chunk_t            st_rpacket;             /* Received packet */
-
-	/* Phase 2 ID payload info about peer's user */
-	u_int8_t           st_peeruserprotoid;     /* IDcx.protoid */
-	u_int16_t          st_peeruserport;
-
-/* end of symmetric stuff */
-
-	diffie_hellman_t  *st_dh;                  /* Our local DH secret value */
-	chunk_t            st_shared;              /* Derived shared secret
-												* Note: during Quick Mode,
-												* presence indicates PFS
-												* selected.
-												*/
-
-	/* In a Phase 1 state, preserve peer's public key after authentication */
-	struct pubkey     *st_peer_pubkey;
-
-	enum state_kind    st_state;               /* State of exchange */
-	u_int8_t           st_retransmit;          /* Number of retransmits */
-	unsigned long      st_try;                 /* number of times rekeying attempted */
-											   /* 0 means the only time */
-	time_t             st_margin;              /* life after EVENT_SA_REPLACE */
-	unsigned long      st_outbound_count;      /* traffic through eroute */
-	time_t             st_outbound_time;       /* time of last change to st_outbound_count */
-	chunk_t            st_p1isa;               /* Phase 1 initiator SA (Payload) for HASH */
-	chunk_t            st_skeyid;              /* Key material */
-	chunk_t            st_skeyid_d;            /* KM for non-ISAKMP key derivation */
-	chunk_t            st_skeyid_a;            /* KM for ISAKMP authentication */
-	chunk_t            st_skeyid_e;            /* KM for ISAKMP encryption */
-	u_char             st_iv[MAX_DIGEST_LEN];  /* IV for encryption */
-	u_char             st_new_iv[MAX_DIGEST_LEN];
-	u_char             st_ph1_iv[MAX_DIGEST_LEN]; /* IV at end if phase 1 */
-	unsigned int       st_iv_len;
-	unsigned int       st_new_iv_len;
-	unsigned int       st_ph1_iv_len;
-
-	chunk_t            st_enc_key;             /* Oakley Encryption key */
-
-	struct event      *st_event;               /* backpointer for certain events */
-	struct state      *st_hashchain_next;      /* Next in list */
-	struct state      *st_hashchain_prev;      /* Previous in list */
-
-	struct {
-		bool vars_set;
-		bool started;
-	} st_modecfg;
-
-	struct {
-		int attempt;
-		bool started;
-		bool status;
-	} st_xauth;
-
-	u_int32_t         nat_traversal;
-	ip_address        nat_oa;
-
-	/* RFC 3706 Dead Peer Detection */
-	bool                st_dpd;                 /* Peer supports DPD */
-	time_t              st_last_dpd;            /* Time of last DPD transmit */
-	u_int32_t           st_dpd_seqno;           /* Next R_U_THERE to send */
-	u_int32_t           st_dpd_expectseqno;     /* Next R_U_THERE_ACK to receive */
-	u_int32_t           st_dpd_peerseqno;       /* global variables */
-	struct event        *st_dpd_event;          /* backpointer for DPD events */
-
-	u_int32_t         st_seen_vendorid;         /* Bit field about recognized Vendor ID */
-};
-
-/* global variables */
-
-extern u_int16_t pluto_port;    /* Pluto's port */
-
-extern bool states_use_connection(struct connection *c);
-
-/* state functions */
-
-extern struct state *new_state(void);
-extern void init_states(void);
-extern void insert_state(struct state *st);
-extern void unhash_state(struct state *st);
-extern void release_whack(struct state *st);
-extern void state_eroute_usage(ip_subnet *ours, ip_subnet *his
-	, unsigned long count, time_t nw);
-extern void delete_state(struct state *st);
-extern void delete_states_by_connection(struct connection *c, bool relations);
-
-extern struct state
-	*duplicate_state(struct state *st),
-	*find_state(const u_char *icookie
-		, const u_char *rcookie
-		, const ip_address *peer
-		, msgid_t msgid),
-	*state_with_serialno(so_serial_t sn),
-	*find_phase2_state_to_delete(const struct state *p1st, u_int8_t protoid
-		, ipsec_spi_t spi, bool *bogus),
-	*find_phase1_state(const struct connection *c, lset_t ok_states),
-	*find_sender(size_t packet_len, u_char *packet);
-
-extern void show_states_status(bool all, const char *name);
-extern void for_each_state(void *(f)(struct state *, void *data), void *data);
-extern ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st);
-extern void fmt_state(bool all, struct state *st, time_t n
-					 , char *state_buf, size_t state_buf_len
-					 , char *state_buf2, size_t state_buf_len2);
-extern void delete_states_by_peer(ip_address *peer);
-
-#endif /* _STATE_H */
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
deleted file mode 100644
index 1d34d2c54..000000000
--- a/src/pluto/timer.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/* timer event handling
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <time.h>
-#include <unistd.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <crypto/rngs/rng.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "connections.h"
-#include "state.h"
-#include "demux.h"
-#include "ipsec_doi.h"  /* needs demux.h and state.h */
-#include "kernel.h"
-#include "server.h"
-#include "log.h"
-#include "timer.h"
-#include "whack.h"
-#include "nat_traversal.h"
-
-/**
- * monotonic version of time(3)
- */
-time_t now(void)
-{
-	return time_monotonic(NULL);
-}
-
-/* This file has the event handling routines. Events are
- * kept as a linked list of event structures. These structures
- * have information like event type, expiration time and a pointer
- * to event specific data (for example, to a state structure).
- */
-
-static struct event *evlist = (struct event *) NULL;
-
-/**
- * This routine places an event in the event list.
- */
-void event_schedule(enum event_type type, time_t tm, struct state *st)
-{
-	struct event *ev = malloc_thing(struct event);
-
-	ev->ev_type = type;
-	ev->ev_time = tm + now();
-	ev->ev_state = st;
-
-	/* If the event is associated with a state, put a backpointer to the
-	 * event in the state object, so we can find and delete the event
-	 * if we need to (for example, if we receive a reply).
-	 */
-	if (st != NULL)
-	{
-		if (type == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
-		{
-			passert(st->st_dpd_event == NULL);
-			st->st_dpd_event = ev;
-		}
-		else
-		{
-			passert(st->st_event == NULL);
-			st->st_event = ev;
-		}
-	}
-
-	DBG(DBG_CONTROL,
-		if (st == NULL)
-			DBG_log("inserting event %N, timeout in %lu seconds"
-				, timer_event_names, type, (unsigned long)tm);
-		else
-			DBG_log("inserting event %N, timeout in %lu seconds for #%lu"
-				, timer_event_names, type, (unsigned long)tm
-				, ev->ev_state->st_serialno));
-
-	if (evlist == (struct event *) NULL
-	|| evlist->ev_time >= ev->ev_time)
-	{
-		ev->ev_next = evlist;
-		evlist = ev;
-	}
-	else
-	{
-		struct event *evt;
-
-		for (evt = evlist; evt->ev_next != NULL; evt = evt->ev_next)
-			if (evt->ev_next->ev_time >= ev->ev_time)
-				break;
-
-#ifdef NEVER    /* this seems to be overkill */
-		DBG(DBG_CONTROL,
-			if (evt->ev_state == NULL)
-				DBG_log("event added after event %N"
-					, timer_event_names, evt->ev_type);
-			else
-				DBG_log("event added after event %N for #%lu"
-					, timer_event_names, evt->ev_type,
-					, evt->ev_state->st_serialno));
-#endif /* NEVER */
-
-		ev->ev_next = evt->ev_next;
-		evt->ev_next = ev;
-	}
-}
-
-/**
- * Generate the secret value for responder cookies, and
- * schedule an event for refresh.
- */
-bool init_secret(void)
-{
-	rng_t *rng;
-
-	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-
-	if (rng == NULL)
-	{
-		plog("secret initialization failed, no RNG supported");
-		return FALSE;
-	}
-	rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day);
-	rng->destroy(rng);
-    event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
-	return true;
-}
-
-/**
- * Handle the first event on the list.
- */
-void handle_timer_event(void)
-{
-	time_t tm;
-	struct event *ev = evlist;
-	int type;
-	struct state *st;
-	connection_t *c = NULL;
-	ip_address peer;
-
-	if (ev == (struct event *) NULL)    /* Just paranoid */
-	{
-		DBG(DBG_CONTROL, DBG_log("empty event list, yet we're called"));
-		return;
-	}
-
-	type = ev->ev_type;
-	st = ev->ev_state;
-
-	tm = now();
-
-	if (tm < ev->ev_time)
-	{
-		DBG(DBG_CONTROL, DBG_log("called while no event expired (%lu/%lu, %N)"
-			, (unsigned long)tm, (unsigned long)ev->ev_time
-			, timer_event_names, type));
-
-		/* This will happen if the most close-to-expire event was
-		 * a retransmission or cleanup, and we received a packet
-		 * at the same time as the event expired. Due to the processing
-		 * order in call_server(), the packet processing will happen first,
-		 * and the event will be removed.
-		 */
-		return;
-	}
-
-	evlist = evlist->ev_next;           /* Ok, we'll handle this event */
-
-	DBG(DBG_CONTROL,
-		if (evlist != (struct event *) NULL)
-			DBG_log("event after this is %N in %ld seconds"
-				, timer_event_names, evlist->ev_type
-				, (long) (evlist->ev_time - tm)));
-
-	/* for state-associated events, pick up the state pointer
-	 * and remove the backpointer from the state object.
-	 * We'll eventually either schedule a new event, or delete the state.
-	 */
-	passert(GLOBALS_ARE_RESET());
-	if (st != NULL)
-	{
-		c = st->st_connection;
-		if (type  == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
-		{
-			passert(st->st_dpd_event == ev);
-			st->st_dpd_event = NULL;
-		}
-		else
-		{
-			passert(st->st_event == ev);
-			st->st_event = NULL;
-		}
-		peer = c->spd.that.host_addr;
-		set_cur_state(st);
-	}
-
-	switch (type)
-	{
-		case EVENT_REINIT_SECRET:
-			passert(st == NULL);
-			DBG(DBG_CONTROL, DBG_log("event EVENT_REINIT_SECRET handled"));
-			init_secret();
-			break;
-
-		case EVENT_LOG_DAILY:
-			daily_log_event();
-			break;
-
-		case EVENT_RETRANSMIT:
-			/* Time to retransmit, or give up.
-			 *
-			 * Generally, we'll only try to send the message
-			 * MAXIMUM_RETRANSMISSIONS times.  Each time we double
-			 * our patience.
-			 *
-			 * As a special case, if this is the first initiating message
-			 * of a Main Mode exchange, and we have been directed to try
-			 * forever, we'll extend the number of retransmissions to
-			 * MAXIMUM_RETRANSMISSIONS_INITIAL times, with all these
-			 * extended attempts having the same patience.  The intention
-			 * is to reduce the bother when nobody is home.
-			 */
-			{
-				time_t delay = 0;
-
-				DBG(DBG_CONTROL, DBG_log(
-					"handling event EVENT_RETRANSMIT for %s \"%s\" #%lu"
-					, ip_str(&peer), c->name, st->st_serialno));
-
-				if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
-					delay = EVENT_RETRANSMIT_DELAY_0 << (st->st_retransmit + 1);
-				else if (st->st_state == STATE_MAIN_I1
-				&& c->sa_keying_tries == 0
-				&& st->st_retransmit < MAXIMUM_RETRANSMISSIONS_INITIAL)
-					delay = EVENT_RETRANSMIT_DELAY_0 << MAXIMUM_RETRANSMISSIONS;
-
-				if (delay != 0)
-				{
-					st->st_retransmit++;
-					whack_log(RC_RETRANSMISSION
-						, "%s: retransmission; will wait %lus for response"
-						, enum_name(&state_names, st->st_state)
-						, (unsigned long)delay);
-					send_packet(st, "EVENT_RETRANSMIT");
-					event_schedule(EVENT_RETRANSMIT, delay, st);
-				}
-				else
-				{
-					/* check if we've tried rekeying enough times.
-					 * st->st_try == 0 means that this should be the only try.
-					 * c->sa_keying_tries == 0 means that there is no limit.
-					 */
-					unsigned long try = st->st_try;
-					unsigned long try_limit = c->sa_keying_tries;
-					const char *details = "";
-
-					switch (st->st_state)
-					{
-					case STATE_MAIN_I3:
-						details = ".  Possible authentication failure:"
-							" no acceptable response to our"
-							" first encrypted message";
-						break;
-					case STATE_MAIN_I1:
-						details = ".  No response (or no acceptable response) to our"
-							" first IKE message";
-						break;
-					case STATE_QUICK_I1:
-						if (c->newest_ipsec_sa == SOS_NOBODY)
-							details = ".  No acceptable response to our"
-								" first Quick Mode message:"
-								" perhaps peer likes no proposal";
-						break;
-					default:
-						break;
-					}
-					loglog(RC_NORETRANSMISSION
-						, "max number of retransmissions (%d) reached %s%s"
-						, st->st_retransmit
-						, enum_show(&state_names, st->st_state), details);
-					if (try != 0 && try != try_limit)
-					{
-						/* A lot like EVENT_SA_REPLACE, but over again.
-						 * Since we know that st cannot be in use,
-						 * we can delete it right away.
-						 */
-						char story[80]; /* arbitrary limit */
-
-						try++;
-						snprintf(story, sizeof(story), try_limit == 0
-							? "starting keying attempt %ld of an unlimited number"
-							: "starting keying attempt %ld of at most %ld"
-							, try, try_limit);
-
-						if (st->st_whack_sock != NULL_FD)
-						{
-							/* Release whack because the observer will get bored. */
-							loglog(RC_COMMENT, "%s, but releasing whack"
-								, story);
-							release_pending_whacks(st, story);
-						}
-						else
-						{
-							/* no whack: just log to syslog */
-							plog("%s", story);
-						}
-						ipsecdoi_replace(st, try);
-					}
-					delete_state(st);
-				}
-			}
-			break;
-
-		case EVENT_SA_REPLACE:
-		case EVENT_SA_REPLACE_IF_USED:
-			{
-				so_serial_t newest = IS_PHASE1(st->st_state)
-					? c->newest_isakmp_sa : c->newest_ipsec_sa;
-
-				if (newest != st->st_serialno
-				&& newest != SOS_NOBODY)
-				{
-					/* not very interesting: no need to replace */
-					DBG(DBG_LIFECYCLE
-						, plog("not replacing stale %s SA: #%lu will do"
-							, IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
-							, newest));
-				}
-				else if (type == EVENT_SA_REPLACE_IF_USED
-				&& st->st_outbound_time <= tm - c->sa_rekey_margin)
-				{
-					/* we observed no recent use: no need to replace
-					 *
-					 * The sampling effects mean that st_outbound_time
-					 * could be up to SHUNT_SCAN_INTERVAL more recent
-					 * than actual traffic because the sampler looks at change
-					 * over that interval.
-					 * st_outbound_time could also not yet reflect traffic
-					 * in the last SHUNT_SCAN_INTERVAL.
-					 * We expect that SHUNT_SCAN_INTERVAL is smaller than
-					 * c->sa_rekey_margin so that the effects of this will
-					 * be unimportant.
-					 * This is just an optimization: correctness is not
-					 * at stake.
-					 *
-					 * Note: we are abusing the DBG mechanism to control
-					 * normal log output.
-					 */
-					DBG(DBG_LIFECYCLE
-						, plog("not replacing stale %s SA: inactive for %lus"
-							, IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
-							, (unsigned long)(tm - st->st_outbound_time)));
-				}
-				else
-				{
-					DBG(DBG_LIFECYCLE
-						, plog("replacing stale %s SA"
-							, IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"));
-					ipsecdoi_replace(st, 1);
-				}
-				delete_dpd_event(st);
-				event_schedule(EVENT_SA_EXPIRE, st->st_margin, st);
-			}
-			break;
-
-		case EVENT_SA_EXPIRE:
-			{
-				const char *satype;
-				so_serial_t latest;
-
-				if (IS_PHASE1(st->st_state))
-				{
-					satype = "ISAKMP";
-					latest = c->newest_isakmp_sa;
-				}
-				else
-				{
-					satype = "IPsec";
-					latest = c->newest_ipsec_sa;
-				}
-
-				if (st->st_serialno != latest)
-				{
-					/* not very interesting: already superseded */
-					DBG(DBG_LIFECYCLE
-						, plog("%s SA expired (superseded by #%lu)"
-							, satype, latest));
-				}
-				else
-				{
-					plog("%s SA expired (%s)", satype
-						, (c->policy & POLICY_DONT_REKEY)
-							? "--dontrekey"
-							: "LATEST!"
-						);
-				}
-			}
-			/* FALLTHROUGH */
-		case EVENT_SO_DISCARD:
-			/* Delete this state object.  It must be in the hash table. */
-			delete_state(st);
-			break;
-
-		case EVENT_DPD:
-			dpd_outI(st);
-			break;
-		case EVENT_DPD_TIMEOUT:
-			dpd_timeout(st);
-			break;
-		case EVENT_NAT_T_KEEPALIVE:
-			nat_traversal_ka_event();
-			break;
-		default:
-			loglog(RC_LOG_SERIOUS, "INTERNAL ERROR: ignoring unknown expiring event %N"
-				, timer_event_names, type);
-	}
-
-	free(ev);
-	reset_cur_state();
-}
-
-/**
- * Return the time until the next event in the queue
- * expires (never negative), or -1 if no jobs in queue.
- */
-long next_event(void)
-{
-	time_t tm;
-
-	if (evlist == (struct event *) NULL)
-		return -1;
-
-	tm = now();
-
-	DBG(DBG_CONTROL,
-		if (evlist->ev_state == NULL)
-			DBG_log("next event %N in %ld seconds"
-				, timer_event_names, evlist->ev_type
-				, (long)evlist->ev_time - (long)tm);
-		else
-			DBG_log("next event %N in %ld seconds for #%lu"
-				, timer_event_names, evlist->ev_type
-				, (long)evlist->ev_time - (long)tm
-				, evlist->ev_state->st_serialno));
-
-	if (evlist->ev_time - tm <= 0)
-		return 0;
-	else
-		return evlist->ev_time - tm;
-}
-
-/**
- * Delete an event.
- */
-void delete_event(struct state *st)
-{
-	if (st->st_event != (struct event *) NULL)
-	{
-		struct event **ev;
-
-		for (ev = &evlist; ; ev = &(*ev)->ev_next)
-		{
-			if (*ev == NULL)
-			{
-				DBG(DBG_CONTROL, DBG_log("event %N to be deleted not found",
-					timer_event_names, st->st_event->ev_type));
-				break;
-			}
-			if ((*ev) == st->st_event)
-			{
-				*ev = (*ev)->ev_next;
-
-				if (st->st_event->ev_type == EVENT_RETRANSMIT)
-				{
-					st->st_retransmit = 0;
-				}
-				free(st->st_event);
-				st->st_event = (struct event *) NULL;
-
-				break;
-			}
-		}
-	}
-}
-
-/**
- * Delete a DPD event.
- */
-void delete_dpd_event(struct state *st)
-{
-	if (st->st_dpd_event != (struct event *) NULL)
-	{
-		struct event **ev;
-
-		for (ev = &evlist; ; ev = &(*ev)->ev_next)
-		{
-			if (*ev == NULL)
-			{
-				DBG(DBG_CONTROL, DBG_log("event %N to be deleted not found",
-					timer_event_names, st->st_dpd_event->ev_type));
-				break;
-			}
-			if ((*ev) == st->st_dpd_event)
-			{
-				*ev = (*ev)->ev_next;
-				free(st->st_dpd_event);
-				st->st_dpd_event = (struct event *) NULL;
-				break;
-			}
-		}
-	}
-}
-
-/**
- * Free remaining events
- */
-void free_events(void)
-{
-	struct event *ev_tmp, *ev;
-
-	ev = evlist;
-	evlist = NULL;
-
-	while (ev)
-	{
-		ev_tmp = ev;
-		ev = ev->ev_next;
-		free(ev_tmp);
-	}
-}
-
diff --git a/src/pluto/timer.h b/src/pluto/timer.h
deleted file mode 100644
index c8e9b727c..000000000
--- a/src/pluto/timer.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* timing machinery
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-extern time_t now(void);        /* careful version of time(2) */
-
-struct state;   /* forward declaration */
-
-struct event
-{
-	time_t          ev_time;
-	int             ev_type;        /* Event type */
-	struct state   *ev_state;       /* Pointer to relevant state (if any) */
-	struct event   *ev_next;        /* Pointer to next event */
-};
-
-extern void event_schedule(enum event_type type, time_t tm, struct state *st);
-extern void handle_timer_event(void);
-extern long next_event(void);
-extern void delete_event(struct state *st);
-extern void delete_dpd_event(struct state *st);
-extern void daily_log_event(void);
-extern void free_events(void);
-extern bool init_secret(void);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
deleted file mode 100644
index 6cc599d8d..000000000
--- a/src/pluto/vendor.c
+++ /dev/null
@@ -1,511 +0,0 @@
-/* ISAKMP VendorID
- * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <sys/queue.h>
-#include <freeswan.h>
-
-#include <library.h>
-#include <crypto/hashers/hasher.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "connections.h"
-#include "packet.h"
-#include "demux.h"
-#include "whack.h"
-#include "vendor.h"
-#include "kernel.h"
-#include "nat_traversal.h"
-
-/**
- * Unknown/Special VID:
- *
- * SafeNet SoftRemote 8.0.0:
- *  47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e302e3020284275696c6420313029000000
- *  >> 382e302e3020284275696c6420313029 = '8.0.0 (Build 10)'
- *  da8e937880010000
- *
- * SafeNet SoftRemote 9.0.1
- *  47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310392e302e3120284275696c6420313229000000
- *  >> 392e302e3120284275696c6420313229 = '9.0.1 (Build 12)'
- *  da8e937880010000
- *
- * Netscreen:
- *  d6b45f82f24bacb288af59a978830ab7
- *  cf49908791073fb46439790fdeb6aeed981101ab0000000500000300
- *
- * Cisco:
- *  1f07f70eaa6514d3b0fa96542a500300 (VPN 3000 version 3.0.0)
- *  1f07f70eaa6514d3b0fa96542a500301 (VPN 3000 version 3.0.1)
- *  1f07f70eaa6514d3b0fa96542a500305 (VPN 3000 version 3.0.5)
- *  1f07f70eaa6514d3b0fa96542a500407 (VPN 3000 version 4.0.7)
- *  (Can you see the pattern?)
- *  afcad71368a1f1c96b8696fc77570100 (Non-RFC Dead Peer Detection ?)
- *  c32364b3b4f447eb17c488ab2a480a57
- *  6d761ddc26aceca1b0ed11fabbb860c4
- *  5946c258f99a1a57b03eb9d1759e0f24 (From a Cisco VPN 3k)
- *  ebbc5b00141d0c895e11bd395902d690 (From a Cisco VPN 3k)
- *
- * Microsoft L2TP (???):
- *  47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e312e3020284275696c6420313029000000
- *  >> 382e312e3020284275696c6420313029 = '8.1.0 (Build 10)'
- *  3025dbd21062b9e53dc441c6aab5293600000000
- *  da8e937880010000
- *
- * 3COM-superstack
- *    da8e937880010000
- *    404bf439522ca3f6
- *
-
- * If someone know what they mean, mail me.
- */
-
-#define MAX_LOG_VID_LEN    32
-
-#define VID_KEEP                   0x0000
-#define VID_MD5HASH                0x0001
-#define VID_STRING                 0x0002
-#define VID_FSWAN_HASH             0x0004
-
-#define VID_SUBSTRING_DUMPHEXA     0x0100
-#define VID_SUBSTRING_DUMPASCII    0x0200
-#define VID_SUBSTRING_MATCH        0x0400
-#define VID_SUBSTRING  (VID_SUBSTRING_DUMPHEXA | VID_SUBSTRING_DUMPASCII | VID_SUBSTRING_MATCH)
-
-struct vid_struct {
-		enum known_vendorid id;
-		unsigned short flags;
-		const char *data;
-		const char *descr;
-		chunk_t vid;
-};
-
-#define DEC_MD5_VID_D(id,str,descr) \
-		{ VID_##id, VID_MD5HASH, str, descr, { NULL, 0 } },
-#define DEC_MD5_VID(id,str) \
-		{ VID_##id, VID_MD5HASH, str, NULL, { NULL, 0 } },
-
-static struct vid_struct _vid_tab[] = {
-
-		/* Implementation names */
-
-		{ VID_OPENPGP, VID_STRING, "OpenPGP10171", "OpenPGP", { NULL, 0 } },
-
-		DEC_MD5_VID(KAME_RACOON, "KAME/racoon")
-
-		{ VID_MS_NT5, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
-				"MS NT5 ISAKMPOAKLEY", NULL, { NULL, 0 } },
-
-		DEC_MD5_VID(SSH_SENTINEL, "SSH Sentinel")
-		DEC_MD5_VID(SSH_SENTINEL_1_1, "SSH Sentinel 1.1")
-		DEC_MD5_VID(SSH_SENTINEL_1_2, "SSH Sentinel 1.2")
-		DEC_MD5_VID(SSH_SENTINEL_1_3, "SSH Sentinel 1.3")
-		DEC_MD5_VID(SSH_SENTINEL_1_4, "SSH Sentinel 1.4")
-		DEC_MD5_VID(SSH_SENTINEL_1_4_1, "SSH Sentinel 1.4.1")
-
-		/* These ones come from SSH vendors.txt */
-		DEC_MD5_VID(SSH_IPSEC_1_1_0,
-				"Ssh Communications Security IPSEC Express version 1.1.0")
-		DEC_MD5_VID(SSH_IPSEC_1_1_1,
-				"Ssh Communications Security IPSEC Express version 1.1.1")
-		DEC_MD5_VID(SSH_IPSEC_1_1_2,
-				"Ssh Communications Security IPSEC Express version 1.1.2")
-		DEC_MD5_VID(SSH_IPSEC_1_2_1,
-				"Ssh Communications Security IPSEC Express version 1.2.1")
-		DEC_MD5_VID(SSH_IPSEC_1_2_2,
-				"Ssh Communications Security IPSEC Express version 1.2.2")
-		DEC_MD5_VID(SSH_IPSEC_2_0_0,
-				"SSH Communications Security IPSEC Express version 2.0.0")
-		DEC_MD5_VID(SSH_IPSEC_2_1_0,
-				"SSH Communications Security IPSEC Express version 2.1.0")
-		DEC_MD5_VID(SSH_IPSEC_2_1_1,
-				"SSH Communications Security IPSEC Express version 2.1.1")
-		DEC_MD5_VID(SSH_IPSEC_2_1_2,
-				"SSH Communications Security IPSEC Express version 2.1.2")
-		DEC_MD5_VID(SSH_IPSEC_3_0_0,
-				"SSH Communications Security IPSEC Express version 3.0.0")
-		DEC_MD5_VID(SSH_IPSEC_3_0_1,
-				"SSH Communications Security IPSEC Express version 3.0.1")
-		DEC_MD5_VID(SSH_IPSEC_4_0_0,
-				"SSH Communications Security IPSEC Express version 4.0.0")
-		DEC_MD5_VID(SSH_IPSEC_4_0_1,
-				"SSH Communications Security IPSEC Express version 4.0.1")
-		DEC_MD5_VID(SSH_IPSEC_4_1_0,
-				"SSH Communications Security IPSEC Express version 4.1.0")
-		DEC_MD5_VID(SSH_IPSEC_4_2_0,
-				"SSH Communications Security IPSEC Express version 4.2.0")
-
-		/* note: md5('CISCO-UNITY') = 12f5f28c457168a9702d9fe274cc02d4 */
-		{ VID_CISCO_UNITY, VID_KEEP, NULL, "Cisco-Unity",
-		  { "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00", 16 } },
-
-		{ VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "Cisco VPN 3000 Series" ,
-		  { "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14 } },
-
-		{ VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH,
-		  NULL, "Cisco IOS Device", { "\x3e\x98\x40\x48", 4 } },
-
-		/*
-		 * Timestep VID seen:
-		 *   - 54494d455354455020312053475720313532302033313520322e303145303133
-		 *     = 'TIMESTEP 1 SGW 1520 315 2.01E013'
-		 */
-		{ VID_TIMESTEP, VID_STRING | VID_SUBSTRING_DUMPASCII, "TIMESTEP",
-				NULL, { NULL, 0 } },
-
-		/*
-		 * Netscreen:
-		 * 4865617274426561745f4e6f74696679386b0100  (HeartBeat_Notify + 386b0100)
-		 */
-		{ VID_MISC_HEARTBEAT_NOTIFY, VID_STRING | VID_SUBSTRING_DUMPHEXA,
-				"HeartBeat_Notify", "HeartBeat Notify", { NULL, 0 } },
-		/*
-		 * MacOS X
-		 */
-		{ VID_MACOSX, VID_STRING|VID_SUBSTRING_DUMPHEXA, "Mac OSX 10.x",
-		  "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62", { NULL, 0 } },
-
-		/* NCP */
-		{ VID_NCP_SERVER, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Server",
-			{ "\xc6\xf5\x7a\xc3\x98\xf4\x93\x20\x81\x45\xb7\x58", 12 } },
-		{ VID_NCP_CLIENT, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Client",
-			{ "\xeb\x4c\x1b\x78\x8a\xfd\x4a\x9c\xb7\x73\x0a\x68", 12 } },
-
-		/*
-		 * Windows Vista (and Windows Server 2008?)
-		 */
-		DEC_MD5_VID(VISTA_AUTHIP, "MS-Negotiation Discovery Capable")
-		DEC_MD5_VID(VISTA_AUTHIP2, "IKE CGA version 1")
-		DEC_MD5_VID(VISTA_AUTHIP3, "MS-MamieExists")
-
-		/*
-		 * strongSwan
-		 */
-		DEC_MD5_VID(STRONGSWAN,       "strongSwan")
-
-		DEC_MD5_VID(STRONGSWAN_4_3_5, "strongSwan 4.3.5")
-		DEC_MD5_VID(STRONGSWAN_4_3_4, "strongSwan 4.3.4")
-		DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3")
-		DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2")
-		DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1")
-		DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0")
-		DEC_MD5_VID(STRONGSWAN_4_2_17,"strongSwan 4.2.17")
-		DEC_MD5_VID(STRONGSWAN_4_2_16,"strongSwan 4.2.16")
-		DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15")
-		DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14")
-		DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
-		DEC_MD5_VID(STRONGSWAN_4_2_12,"strongSwan 4.2.12")
-		DEC_MD5_VID(STRONGSWAN_4_2_11,"strongSwan 4.2.11")
-		DEC_MD5_VID(STRONGSWAN_4_2_10,"strongSwan 4.2.10")
-		DEC_MD5_VID(STRONGSWAN_4_2_9, "strongSwan 4.2.9")
-		DEC_MD5_VID(STRONGSWAN_4_2_8, "strongSwan 4.2.8")
-		DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7")
-		DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6")
-		DEC_MD5_VID(STRONGSWAN_4_2_5, "strongSwan 4.2.5")
-		DEC_MD5_VID(STRONGSWAN_4_2_4, "strongSwan 4.2.4")
-		DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3")
-		DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2")
-		DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1")
-		DEC_MD5_VID(STRONGSWAN_4_2_0, "strongSwan 4.2.0")
-		DEC_MD5_VID(STRONGSWAN_4_1_11,"strongSwan 4.1.11")
-		DEC_MD5_VID(STRONGSWAN_4_1_10,"strongSwan 4.1.10")
-		DEC_MD5_VID(STRONGSWAN_4_1_9, "strongSwan 4.1.9")
-		DEC_MD5_VID(STRONGSWAN_4_1_8, "strongSwan 4.1.8")
-		DEC_MD5_VID(STRONGSWAN_4_1_7, "strongSwan 4.1.7")
-		DEC_MD5_VID(STRONGSWAN_4_1_6, "strongSwan 4.1.6")
-		DEC_MD5_VID(STRONGSWAN_4_1_5, "strongSwan 4.1.5")
-		DEC_MD5_VID(STRONGSWAN_4_1_4, "strongSwan 4.1.4")
-		DEC_MD5_VID(STRONGSWAN_4_1_3, "strongSwan 4.1.3")
-		DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
-		DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
-		DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
-
-		DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11")
-		DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10")
-		DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9")
-		DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
-		DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
-		DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
-		DEC_MD5_VID(STRONGSWAN_2_8_5, "strongSwan 2.8.5")
-		DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
-		DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
-		DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
-		DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
-		DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
-
-		/* NAT-Traversal */
-
-		DEC_MD5_VID(NATT_STENBERG_01, "draft-stenberg-ipsec-nat-traversal-01")
-		DEC_MD5_VID(NATT_STENBERG_02, "draft-stenberg-ipsec-nat-traversal-02")
-		DEC_MD5_VID(NATT_HUTTUNEN, "ESPThruNAT")
-		DEC_MD5_VID(NATT_HUTTUNEN_ESPINUDP, "draft-huttunen-ipsec-esp-in-udp-00.txt")
-		DEC_MD5_VID(NATT_IETF_00, "draft-ietf-ipsec-nat-t-ike-00")
-		DEC_MD5_VID(NATT_IETF_02, "draft-ietf-ipsec-nat-t-ike-02")
-		/* hash in draft-ietf-ipsec-nat-t-ike-02 contains '\n'... Accept both */
-		DEC_MD5_VID_D(NATT_IETF_02_N, "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02_n")
-		DEC_MD5_VID(NATT_IETF_03, "draft-ietf-ipsec-nat-t-ike-03")
-		DEC_MD5_VID(NATT_RFC, "RFC 3947")
-
-		/* misc */
-
-		{ VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
-			{ "\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 } },
-
-		{ VID_MISC_DPD, VID_KEEP, NULL, "Dead Peer Detection",
-			{ "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00", 16 } },
-
-		DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")
-
-		DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")
-
-		/**
-		 * Cisco VPN 3000
-		 */
-		{ VID_MISC_FRAGMENTATION, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
-			"FRAGMENTATION", NULL, { NULL, 0 } },
-
-		/* -- */
-		{ 0, 0, NULL, NULL, { NULL, 0 } }
-
-};
-
-static const char _hexdig[] = "0123456789abcdef";
-
-static int _vid_struct_init = 0;
-
-void init_vendorid(void)
-{
-	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	struct vid_struct *vid;
-
-	for (vid = _vid_tab; vid->id; vid++)
-	{
-		if (vid->flags & VID_STRING)
-		{
-			/** VendorID is a string **/
-			vid->vid = chunk_create((u_char *)vid->data, strlen(vid->data));
-			vid->vid = chunk_clone(vid->vid);
-		}
-		else if (vid->flags & VID_MD5HASH)
-		{
-			chunk_t vid_data = { (u_char *)vid->data, strlen(vid->data) };
-
-			/** VendorID is a string to hash with MD5 **/
-			hasher->allocate_hash(hasher, vid_data, &vid->vid);
-		}
-
-		if (vid->descr == NULL)
-		{
-			/** Find something to display **/
-			vid->descr = vid->data;
-		}
-	}
-	hasher->destroy(hasher);
-	_vid_struct_init = 1;
-}
-
-void free_vendorid(void)
-{
-	struct vid_struct *vid;
-
-	for (vid = _vid_tab; vid->id; vid++)
-	{
-		if (vid->flags & (VID_STRING | VID_MD5HASH | VID_FSWAN_HASH))
-		{
-			free(vid->vid.ptr);
-		}
-	}
-}
-
-static void handle_known_vendorid (struct msg_digest *md, const char *vidstr,
-								   size_t len, struct vid_struct *vid)
-{
-	char vid_dump[128];
-	bool vid_useful = FALSE;
-	size_t i, j;
-
-	switch (vid->id)
-	 {
-		/* Remote side is a strongSwan host */
-		case VID_STRONGSWAN:
-			vid_useful = TRUE;
-			break;
-
-		/* Remote side supports OpenPGP certificates */
-		case VID_OPENPGP:
-			md->openpgp = TRUE;
-			vid_useful = TRUE;
-			break;
-
-		/* Remote side is a Windows 2000+ host */
-		case VID_MS_NT5:
-			md->ms_nt5 = TRUE;
-			vid_useful = TRUE;
-			break;
-
-		/*
-		 * Use most recent supported NAT-Traversal method and ignore the
-		 * other ones (implementations will send all supported methods but
-		 * only one will be used)
-		 *
-		 * Note: most recent == higher id in vendor.h
-		 */
-		case VID_NATT_IETF_00:
-			if (!nat_traversal_support_non_ike)
-				break;
-			if ((nat_traversal_enabled) && (!md->nat_traversal_vid))
-			{
-				md->nat_traversal_vid = vid->id;
-				vid_useful = TRUE;
-			}
-			break;
-		case VID_NATT_IETF_02:
-		case VID_NATT_IETF_02_N:
-		case VID_NATT_IETF_03:
-		case VID_NATT_RFC:
-			if (nat_traversal_support_port_floating
-			&& md->nat_traversal_vid < vid->id)
-			{
-				md->nat_traversal_vid = vid->id;
-				vid_useful = TRUE;
-			}
-			break;
-
-		/* Remote side would like to do DPD with us on this connection */
-		case VID_MISC_DPD:
-			md->dpd = TRUE;
-			vid_useful = TRUE;
-			break;
-		case VID_MISC_XAUTH:
-			vid_useful = TRUE;
-			break;
-		default:
-			break;
-	}
-
-	if (vid->flags & VID_SUBSTRING_DUMPHEXA)
-	{
-		/* Dump description + Hexa */
-		memset(vid_dump, 0, sizeof(vid_dump));
-		snprintf(vid_dump, sizeof(vid_dump), "%s ",
-				 vid->descr ? vid->descr : "");
-		for (i = strlen(vid_dump), j = vid->vid.len;
-			 j < len && i < sizeof(vid_dump) - 2;
-			 i += 2, j++)
-		{
-			vid_dump[i] = _hexdig[(vidstr[j] >> 4) & 0xF];
-			vid_dump[i+1] = _hexdig[vidstr[j] & 0xF];
-		}
-	}
-	else if (vid->flags & VID_SUBSTRING_DUMPASCII)
-	{
-		/* Dump ASCII content */
-		memset(vid_dump, 0, sizeof(vid_dump));
-		for (i = 0; i < len && i < sizeof(vid_dump) - 1; i++)
-		{
-			vid_dump[i] = (isprint(vidstr[i])) ? vidstr[i] : '.';
-		}
-	}
-	else
-	{
-		/* Dump description (descr) */
-		snprintf(vid_dump, sizeof(vid_dump), "%s",
-				 vid->descr ? vid->descr : "");
-	}
-
-	loglog(RC_LOG_SERIOUS, "%s Vendor ID payload [%s]",
-			vid_useful ? "received" : "ignoring", vid_dump);
-}
-
-void handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
-{
-	struct vid_struct *pvid;
-
-	if (!_vid_struct_init)
-		init_vendorid();
-
-	/*
-	 * Find known VendorID in _vid_tab
-	 */
-	for (pvid = _vid_tab; pvid->id; pvid++)
-	{
-		if (pvid->vid.ptr && vid && pvid->vid.len && len)
-		{
-			if (pvid->vid.len == len)
-			{
-				if (memeq(pvid->vid.ptr, vid, len))
-				{
-					handle_known_vendorid(md, vid, len, pvid);
-					return;
-				}
-			}
-			else if ((pvid->vid.len < len) && (pvid->flags & VID_SUBSTRING))
-			{
-				if (memeq(pvid->vid.ptr, vid, pvid->vid.len))
-				{
-					handle_known_vendorid(md, vid, len, pvid);
-					return;
-				}
-			}
-		}
-	}
-
-	/*
-	 * Unknown VendorID. Log the beginning.
-	 */
-	{
-		char log_vid[2*MAX_LOG_VID_LEN+1];
-		size_t i;
-
-		memset(log_vid, 0, sizeof(log_vid));
-
-		for (i = 0; i < len && i < MAX_LOG_VID_LEN; i++)
-		{
-			log_vid[2*i] = _hexdig[(vid[i] >> 4) & 0xF];
-			log_vid[2*i+1] = _hexdig[vid[i] & 0xF];
-		}
-		loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload [%s%s]",
-			   log_vid, (len>MAX_LOG_VID_LEN) ? "..." : "");
-	}
-}
-
-/**
- * Add a vendor id payload to the msg
- */
-bool out_vendorid (u_int8_t np, pb_stream *outs, enum known_vendorid vid)
-{
-	struct vid_struct *pvid;
-
-	if (!_vid_struct_init)
-		init_vendorid();
-
-	for (pvid = _vid_tab; pvid->id && pvid->id != vid; pvid++);
-
-	if (pvid->id != vid)
-		return STF_INTERNAL_ERROR; /* not found */
-	if (!pvid->vid.ptr)
-		return STF_INTERNAL_ERROR; /* not initialized */
-
-	DBG(DBG_EMITTING,
-		DBG_log("out_vendorid(): sending [%s]", pvid->descr)
-	)
-	return out_generic_raw(np, &isakmp_vendor_id_desc, outs,
-				pvid->vid.ptr, pvid->vid.len, "V_ID");
-}
-
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
deleted file mode 100644
index ac6b0d420..000000000
--- a/src/pluto/vendor.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/* FreeS/WAN ISAKMP VendorID
- * Copyright (C) 2002-2003 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _VENDOR_H_
-#define _VENDOR_H_
-
-enum known_vendorid {
-/* 1 - 100 : Implementation names */
-  VID_OPENPGP                   =  1,
-  VID_KAME_RACOON               =  2,
-  VID_MS_NT5                    =  3,
-  VID_SSH_SENTINEL              =  4,
-  VID_SSH_SENTINEL_1_1          =  5,
-  VID_SSH_SENTINEL_1_2          =  6,
-  VID_SSH_SENTINEL_1_3          =  7,
-  VID_SSH_SENTINEL_1_4          =  8,
-  VID_SSH_SENTINEL_1_4_1        =  9,
-  VID_SSH_IPSEC_1_1_0           = 10,
-  VID_SSH_IPSEC_1_1_1           = 11,
-  VID_SSH_IPSEC_1_1_2           = 12,
-  VID_SSH_IPSEC_1_2_1           = 13,
-  VID_SSH_IPSEC_1_2_2           = 14,
-  VID_SSH_IPSEC_2_0_0           = 15,
-  VID_SSH_IPSEC_2_1_0           = 16,
-  VID_SSH_IPSEC_2_1_1           = 17,
-  VID_SSH_IPSEC_2_1_2           = 18,
-  VID_SSH_IPSEC_3_0_0           = 19,
-  VID_SSH_IPSEC_3_0_1           = 20,
-  VID_SSH_IPSEC_4_0_0           = 21,
-  VID_SSH_IPSEC_4_0_1           = 22,
-  VID_SSH_IPSEC_4_1_0           = 23,
-  VID_SSH_IPSEC_4_2_0           = 24,
-  VID_CISCO_UNITY               = 25,
-  VID_CISCO3K                   = 26,
-  VID_CISCO_IOS                 = 27,
-  VID_TIMESTEP                  = 28,
-  VID_SAFENET                   = 29,
-  VID_MACOSX                    = 30,
-  VID_NCP_SERVER                = 31,
-  VID_NCP_CLIENT                = 32,
-  VID_VISTA_AUTHIP              = 33,
-  VID_VISTA_AUTHIP2             = 34,
-  VID_VISTA_AUTHIP3             = 35,
-
-  VID_STRONGSWAN                = 36,
-
-  VID_STRONGSWAN_2_8_0          = 37,
-  VID_STRONGSWAN_2_8_1          = 38,
-  VID_STRONGSWAN_2_8_2          = 39,
-  VID_STRONGSWAN_2_8_3          = 40,
-  VID_STRONGSWAN_2_8_4          = 41,
-  VID_STRONGSWAN_2_8_5          = 42,
-  VID_STRONGSWAN_2_8_6          = 43,
-  VID_STRONGSWAN_2_8_7          = 44,
-  VID_STRONGSWAN_2_8_8          = 45,
-  VID_STRONGSWAN_2_8_9          = 46,
-  VID_STRONGSWAN_2_8_10         = 47,
-  VID_STRONGSWAN_2_8_11         = 48,
-
-  VID_STRONGSWAN_4_1_0          = 88,
-  VID_STRONGSWAN_4_1_1          = 89,
-  VID_STRONGSWAN_4_1_2          = 90,
-  VID_STRONGSWAN_4_1_3          = 91,
-  VID_STRONGSWAN_4_1_4          = 92,
-  VID_STRONGSWAN_4_1_5          = 93,
-  VID_STRONGSWAN_4_1_6          = 94,
-  VID_STRONGSWAN_4_1_7          = 95,
-  VID_STRONGSWAN_4_1_8          = 96,
-  VID_STRONGSWAN_4_1_9          = 97,
-  VID_STRONGSWAN_4_1_10         = 98,
-  VID_STRONGSWAN_4_1_11         = 99,
-  VID_STRONGSWAN_4_2_0          =100,
-  VID_STRONGSWAN_4_2_1          =101,
-  VID_STRONGSWAN_4_2_2          =102,
-  VID_STRONGSWAN_4_2_3          =103,
-  VID_STRONGSWAN_4_2_4          =104,
-  VID_STRONGSWAN_4_2_5          =105,
-  VID_STRONGSWAN_4_2_6          =106,
-  VID_STRONGSWAN_4_2_7          =107,
-  VID_STRONGSWAN_4_2_8          =108,
-  VID_STRONGSWAN_4_2_9          =109,
-  VID_STRONGSWAN_4_2_10         =110,
-  VID_STRONGSWAN_4_2_11         =111,
-  VID_STRONGSWAN_4_2_12         =112,
-  VID_STRONGSWAN_4_2_13         =113,
-  VID_STRONGSWAN_4_2_14         =114,
-  VID_STRONGSWAN_4_2_15         =115,
-  VID_STRONGSWAN_4_2_16         =116,
-  VID_STRONGSWAN_4_2_17         =117,
-  VID_STRONGSWAN_4_3_0          =118,
-  VID_STRONGSWAN_4_3_1          =119,
-  VID_STRONGSWAN_4_3_2          =120,
-  VID_STRONGSWAN_4_3_3          =121,
-  VID_STRONGSWAN_4_3_4          =122,
-  VID_STRONGSWAN_4_3_5          =123,
-
-  /* 101 - 200 : NAT-Traversal */
-  VID_NATT_STENBERG_01          =151,
-  VID_NATT_STENBERG_02          =152,
-  VID_NATT_HUTTUNEN             =153,
-  VID_NATT_HUTTUNEN_ESPINUDP    =154,
-  VID_NATT_IETF_00              =155,
-  VID_NATT_IETF_02_N            =156,
-  VID_NATT_IETF_02              =157,
-  VID_NATT_IETF_03              =158,
-  VID_NATT_RFC                  =159,
-
-  /* 201 - 300 : Misc */
-  VID_MISC_XAUTH                =201,
-  VID_MISC_DPD                  =202,
-  VID_MISC_HEARTBEAT_NOTIFY     =203,
-  VID_MISC_FRAGMENTATION        =204,
-  VID_INITIAL_CONTACT           =205,
-  VID_CISCO3K_FRAGMENTATION     =206
-};
-
-void init_vendorid(void);
-void free_vendorid(void);
-
-struct msg_digest;
-void handle_vendorid (struct msg_digest *md, const char *vid, size_t len);
-
-bool out_vendorid (u_int8_t np, pb_stream *outs, enum known_vendorid vid);
-
-#endif /* _VENDOR_H_ */
-
diff --git a/src/pluto/virtual.c b/src/pluto/virtual.c
deleted file mode 100644
index 3e8d5fcba..000000000
--- a/src/pluto/virtual.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/* FreeS/WAN Virtual IP Management
- * Copyright (C) 2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <freeswan.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <sys/queue.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "connections.h"
-#include "whack.h"
-#include "virtual.h"
-
-#define F_VIRTUAL_NO          1
-#define F_VIRTUAL_DHCP        2
-#define F_VIRTUAL_IKE_CONFIG  4
-#define F_VIRTUAL_PRIVATE     8
-#define F_VIRTUAL_ALL         16
-#define F_VIRTUAL_HOST        32
-
-struct virtual_t {
-	unsigned short flags;
-	unsigned short n_net;
-	ip_subnet net[0];
-};
-
-static ip_subnet *private_net_ok=NULL, *private_net_ko=NULL;
-static unsigned short private_net_ok_len=0, private_net_ko_len=0;
-
-/**
- * read %v4:x.x.x.x/y or %v6:xxxxxxxxx/yy
- * or %v4:!x.x.x.x/y if dstko not NULL
- */
-static bool
-_read_subnet(const char *src, size_t len, ip_subnet *dst, ip_subnet *dstko,
-	bool *isok)
-{
-	bool ok;
-	int af;
-
-	if ((len > 4) && (strneq(src, "%v4:", 4)))
-	{
-		af = AF_INET;
-	}
-	else if ((len > 4) && (strneq(src, "%v6:", 4)))
-	{
-		af = AF_INET6;
-	}
-	else
-	{
-		return FALSE;
-	}
-
-	ok = (src[4] != '!');
-	src += ok ? 4 : 5;
-	len -= ok ? 4 : 5;
-
-	if (!len)
-		return FALSE;
-	if (!ok && !dstko)
-		return FALSE;
-
-	passert ( ((ok)?(dst):(dstko))!=NULL );
-
-	if (ttosubnet(src, len, af, ((ok)?(dst):(dstko))))
-	{
-		return FALSE;
-	}
-	if (isok)
-		*isok = ok;
-	return TRUE;
-}
-
-void
-init_virtual_ip(const char *private_list)
-{
-	const char *next, *str=private_list;
-	unsigned short ign = 0, i_ok, i_ko;
-	ip_subnet sub;
-	bool ok;
-
-	/** Count **/
-	private_net_ok_len=0;
-	private_net_ko_len=0;
-
-	while (str)
-	{
-		next = strchr(str,',');
-		if (!next)
-			next = str + strlen(str);
-		if (_read_subnet(str, next-str, &sub, &sub, &ok))
-			if (ok)
-				private_net_ok_len++;
-			else
-				private_net_ko_len++;
-		else
-			ign++;
-		str = *next ? next+1 : NULL;
-	}
-
-	if (!ign)
-	{
-		/** Allocate **/
-		if (private_net_ok_len)
-		{
-			private_net_ok = (ip_subnet *)malloc(private_net_ok_len * sizeof(ip_subnet));
-		}
-		if (private_net_ko_len)
-		{
-			private_net_ko = (ip_subnet *)malloc(private_net_ko_len * sizeof(ip_subnet));
-		}
-		if ((private_net_ok_len && !private_net_ok)
-		||  (private_net_ko_len && !private_net_ko))
-		{
-			loglog(RC_LOG_SERIOUS,
-				"can't alloc in init_virtual_ip");
-			free(private_net_ok);
-			private_net_ok = NULL;
-			free(private_net_ko);
-			private_net_ko = NULL;
-		}
-		else
-		{
-			/** Fill **/
-			str = private_list;
-			i_ok = 0;
-			i_ko = 0;
-
-			while (str)
-			{
-				next = strchr(str,',');
-				if (!next)
-					next = str + strlen(str);
-				if (_read_subnet(str, next-str,
-				   &(private_net_ok[i_ok]), &(private_net_ko[i_ko]), &ok))
-				{
-					if (ok)
-						i_ok++;
-					else
-						i_ko++;
-				}
-				str = *next ? next+1 : NULL;
-			}
-		}
-	}
-	else
-		loglog(RC_LOG_SERIOUS,
-			"%d bad entries in virtual_private - none loaded", ign);
-}
-
-/**
- * virtual string must be :
- * {vhost,vnet}:[%method]*
- *
- * vhost = accept only a host (/32)
- * vnet  = accept any network
- *
- * %no   = no virtual IP (accept public IP)
- * %dhcp = accept DHCP SA (0.0.0.0/0) of affected IP  [not implemented]
- * %ike  = accept affected IKE Config Mode IP         [not implemented]
- * %priv = accept system-wide private net list
- * %v4:x = accept ipv4 in list 'x'
- * %v6:x = accept ipv6 in list 'x'
- * %all  = accept all ips                             [only for testing]
- *
- * ex: vhost:%no,%dhcp,%priv,%v4:192.168.1.0/24
- */
-struct virtual_t
-*create_virtual(const connection_t *c, const char *string)
-{
-	unsigned short flags=0, n_net=0, i;
-	const char *str = string, *next, *first_net=NULL;
-	ip_subnet sub;
-	struct virtual_t *v;
-
-	if (!string || string[0] == '\0')
-		return NULL;
-
-	if (strlen(string) >= 6 && strneq(string,"vhost:",6))
-	{
-		flags |= F_VIRTUAL_HOST;
-		str += 6;
-	}
-	else if (strlen(string) >= 5 && strneq(string,"vnet:",5))
-		str += 5;
-	else
-		goto fail;
-
-	/**
-	 * Parse string : fill flags & count subnets
-	 */
-	while ((str) && (*str))
-	{
-		next = strchr(str,',');
-		if (!next) next = str + strlen(str);
-		if (next-str == 3 && strneq(str, "%no", 3))
-			flags |= F_VIRTUAL_NO;
-#if 0
-		else if (next-str == 4 && strneq(str, "%ike", 4))
-			flags |= F_VIRTUAL_IKE_CONFIG;
-		else if (next-str == 5 && strneq(str, "%dhcp", 5))
-			flags |= F_VIRTUAL_DHCP;
-#endif
-		else if (next-str == 5 && strneq(str, "%priv", 5))
-			flags |= F_VIRTUAL_PRIVATE;
-		else if (next-str == 4 && strneq(str, "%all", 4))
-			flags |= F_VIRTUAL_ALL;
-		else if (_read_subnet(str, next-str, &sub, NULL, NULL))
-		{
-			n_net++;
-			if (!first_net)
-				first_net = str;
-		}
-		else
-			goto fail;
-
-		str = *next ? next+1 : NULL;
-	}
-
-	v = (struct virtual_t *)malloc(sizeof(struct virtual_t) +
-								  (n_net * sizeof(ip_subnet)));
-	if (!v) goto fail;
-
-	v->flags = flags;
-	v->n_net = n_net;
-	if (n_net && first_net)
-	{
-		/**
-		 * Save subnets in newly allocated struct
-		 */
-		for (str = first_net, i = 0; str && *str; )
-		{
-			next = strchr(str,',');
-			if (!next) next = str + strlen(str);
-			if (_read_subnet(str, next-str, &(v->net[i]), NULL, NULL))
-				i++;
-			str = *next ? next+1 : NULL;
-		}
-	}
-
-	return v;
-
-fail:
-	plog("invalid virtual string [%s] - "
-		"virtual selection disabled for connection '%s'", string, c->name);
-	return NULL;
-}
-
-bool
-is_virtual_end(const struct end *that)
-{
-	return ((that->virt)?TRUE:FALSE);
-}
-
-bool
-is_virtual_connection(const connection_t *c)
-{
-	return ((c->spd.that.virt)?TRUE:FALSE);
-}
-
-static bool net_in_list(const ip_subnet *peer_net, const ip_subnet *list,
-						unsigned short len)
-{
-	unsigned short i;
-
-	if (!list || !len)
-		return FALSE;
-
-	for (i = 0; i < len; i++)
-	{
-		if (subnetinsubnet(peer_net, &(list[i])))
-			return TRUE;
-	}
-	return FALSE;
-}
-
-bool is_virtual_net_allowed(const connection_t *c, const ip_subnet *peer_net,
-							const ip_address *his_addr)
-{
-	if (c->spd.that.virt == NULL)
-		return FALSE;
-
-	if ((c->spd.that.virt->flags & F_VIRTUAL_HOST)
-	&&  !subnetishost(peer_net))
-		return FALSE;
-
-	if ((c->spd.that.virt->flags & F_VIRTUAL_NO)
-	&&  subnetishost(peer_net) &&  addrinsubnet(his_addr, peer_net))
-		return TRUE;
-
-	if ((c->spd.that.virt->flags & F_VIRTUAL_PRIVATE)
-	&&   net_in_list(peer_net, private_net_ok, private_net_ok_len)
-	&&  !net_in_list(peer_net, private_net_ko, private_net_ko_len))
-		return TRUE;
-
-	if (c->spd.that.virt->n_net
-	&&  net_in_list(peer_net, c->spd.that.virt->net, c->spd.that.virt->n_net))
-		return TRUE;
-
-	if (c->spd.that.virt->flags & F_VIRTUAL_ALL)
-	{
-		/** %all must only be used for testing - log it **/
-		loglog(RC_LOG_SERIOUS, "Warning - "
-			"v%s:%%all must only be used for testing",
-			(c->spd.that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
-		return TRUE;
-	}
-
-	return FALSE;
-}
-
diff --git a/src/pluto/virtual.h b/src/pluto/virtual.h
deleted file mode 100644
index e64407c81..000000000
--- a/src/pluto/virtual.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* FreeS/WAN Virtual IP Management
- * Copyright (C) 2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _VIRTUAL_IP_H
-#define _VIRTUAL_IP_H
-
-extern void init_virtual_ip(const char *private_list);
-
-extern struct virtual_t *create_virtual(const struct connection *c,
-	const char *string);
-
-extern bool is_virtual_end(const struct end *that);
-extern bool is_virtual_connection(const struct connection *c);
-extern bool is_virtual_net_allowed(const struct connection *c,
-	const ip_subnet *peer_net, const ip_address *his_addr);
-
-#endif /* _VIRTUAL_IP_H */
-
diff --git a/src/pluto/whack_attribute.c b/src/pluto/whack_attribute.c
deleted file mode 100644
index 6a12f0c09..000000000
--- a/src/pluto/whack_attribute.c
+++ /dev/null
@@ -1,365 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "whack_attribute.h"
-
-#include "log.h"
-
-/* these are defined as constants in constant.h but redefined as enum values in
- * attributes/attributes.h */
-#undef INTERNAL_IP4_SERVER
-#undef INTERNAL_IP6_SERVER
-
-#include <hydra.h>
-#include <attributes/mem_pool.h>
-#include <utils/linked_list.h>
-#include <threading/rwlock.h>
-
-typedef struct private_whack_attribute_t private_whack_attribute_t;
-
-/**
- * private data of whack_attribute
- */
-struct private_whack_attribute_t {
-
-	/**
-	 * public functions
-	 */
-	whack_attribute_t public;
-
-	/**
-	 * list of pools, contains mem_pool_t
-	 */
-	linked_list_t *pools;
-
-	/**
-	 * rwlock to lock access to pools
-	 */
-	rwlock_t *lock;
-};
-
-/**
- * global object
- */
-whack_attribute_t *whack_attr;
-
-/**
- * compare pools by name
- */
-static bool pool_match(mem_pool_t *current, char *name)
-{
-	return name && streq(name, current->get_name(current));
-}
-
-/**
- * find a pool by name
- */
-static mem_pool_t *find_pool(private_whack_attribute_t *this, char *name)
-{
-	mem_pool_t *found;
-	if (this->pools->find_first(this->pools, (linked_list_match_t)pool_match,
-		(void**)&found, name) == SUCCESS)
-	{
-		return found;
-	}
-	return NULL;
-}
-
-METHOD(attribute_provider_t, acquire_address, host_t*,
-	   private_whack_attribute_t *this, char *name, identification_t *id,
-	   host_t *requested)
-{
-	mem_pool_t *pool;
-	host_t *addr = NULL;
-	this->lock->read_lock(this->lock);
-	pool = find_pool(this, name);
-	if (pool)
-	{
-		addr = pool->acquire_address(pool, id, requested);
-	}
-	this->lock->unlock(this->lock);
-	return addr;
-}
-
-METHOD(attribute_provider_t, release_address, bool,
-	   private_whack_attribute_t *this, char *name, host_t *address,
-	   identification_t *id)
-{
-	mem_pool_t *pool;
-	bool found = FALSE;
-	this->lock->read_lock(this->lock);
-	pool = find_pool(this, name);
-	if (pool)
-	{
-		found = pool->release_address(pool, address, id);
-	}
-	this->lock->unlock(this->lock);
-	return found;
-}
-
-METHOD(whack_attribute_t, add_pool, bool,
-	   private_whack_attribute_t *this, const char *name,
-	   const whack_end_t *right)
-{
-	mem_pool_t *pool;
-	host_t *base = NULL;
-	u_int32_t bits = 0;
-
-	/* named pool */
-	if (right->sourceip_mask <= 0)
-	{
-		return FALSE;
-	}
-
-	/* if %config, add an empty pool, otherwise */
-	if (right->sourceip)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("adding virtual IP address pool '%s': %s/%d",
-					name, right->sourceip, right->sourceip_mask);
-		);
-		base = host_create_from_string(right->sourceip, 0);
-		if (!base)
-		{
-			loglog(RC_LOG_SERIOUS, "virtual IP address invalid, discarded");
-			return FALSE;
-		}
-		bits = right->sourceip_mask;
-	}
-	pool = mem_pool_create((char*)name, base, bits);
-	DESTROY_IF(base);
-
-	this->lock->write_lock(this->lock);
-	this->pools->insert_last(this->pools, pool);
-	this->lock->unlock(this->lock);
-	return TRUE;
-}
-
-METHOD(whack_attribute_t, del_pool, void,
-	   private_whack_attribute_t *this, char *name)
-{
-	enumerator_t *enumerator;
-	mem_pool_t *pool;
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->pools->create_enumerator(this->pools);
-	while (enumerator->enumerate(enumerator, &pool))
-	{
-		if (streq(name, pool->get_name(pool)))
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("deleting virtual IP address pool '%s'", name)
-			);
-			this->pools->remove_at(this->pools, enumerator);
-			pool->destroy(pool);
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-}
-
-/**
- * Pool enumerator filter function, converts pool_t to name, size, ...
- */
-static bool pool_filter(void *lock, mem_pool_t **poolp, const char **name,
-						void *d1, u_int *size, void *d2, u_int *online,
-						void *d3, u_int *offline)
-{
-	mem_pool_t *pool = *poolp;
-	*name = pool->get_name(pool);
-	*size = pool->get_size(pool);
-	*online = pool->get_online(pool);
-	*offline = pool->get_offline(pool);
-	return TRUE;
-}
-
-METHOD(whack_attribute_t, create_pool_enumerator, enumerator_t*,
-	   private_whack_attribute_t *this)
-{
-	this->lock->read_lock(this->lock);
-	return enumerator_create_filter(this->pools->create_enumerator(this->pools),
-									(void*)pool_filter,
-									this->lock, (void*)this->lock->unlock);
-}
-
-METHOD(whack_attribute_t, create_lease_enumerator, enumerator_t*,
-	   private_whack_attribute_t *this, char *name)
-{
-	mem_pool_t *pool;
-	this->lock->read_lock(this->lock);
-	pool = find_pool(this, name);
-	if (!pool)
-	{
-		this->lock->unlock(this->lock);
-		return NULL;
-	}
-	return enumerator_create_cleaner(pool->create_lease_enumerator(pool),
-									 (void*)this->lock->unlock, this->lock);
-}
-
-/**
- * see header file
- */
-void whack_attribute_finalize()
-{
-	private_whack_attribute_t *this;
-
-	if (whack_attr)
-	{
- 		this = (private_whack_attribute_t*)whack_attr;
-		hydra->attributes->remove_provider(hydra->attributes,
-									   &this->public.provider);
-		this->lock->destroy(this->lock);
-		this->pools->destroy_offset(this->pools, offsetof(mem_pool_t, destroy));
-		free(this);
-	}
-}
-
-/**
- * see header file
- */
-void whack_attribute_initialize()
-{
-	private_whack_attribute_t *this;
-
-	INIT(this,
-		.public = {
-			.provider = {
-				.acquire_address = _acquire_address,
-				.release_address = _release_address,
-				.create_attribute_enumerator = enumerator_create_empty,
-			},
-			.add_pool = _add_pool,
-			.del_pool = _del_pool,
-			.create_pool_enumerator = _create_pool_enumerator,
-			.create_lease_enumerator = _create_lease_enumerator,
-		},
-		.pools = linked_list_create(),
-		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-	);
-
-	hydra->attributes->add_provider(hydra->attributes, &this->public.provider);
-
-	whack_attr = &this->public;
-}
-
-/**
- * list leases of a single pool
- */
-static void pool_leases(char *pool, host_t *address,
-						identification_t *identification,
-						u_int size, u_int online, u_int offline)
-{
-
-	enumerator_t *enumerator;
-	identification_t *id;
-	host_t *lease;
-	bool on, found = FALSE;
-
-	whack_log(RC_COMMENT, "Leases in pool '%s', usage: %lu/%lu, %lu online",
-			  pool, online + offline, size, online);
-	enumerator = whack_attr->create_lease_enumerator(whack_attr, pool);
-	while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on))
-	{
-		if ((!address && !identification) ||
-			(address && address->ip_equals(address, lease)) ||
-			(identification && identification->equals(identification, id)))
-		{
-			whack_log(RC_COMMENT, "  %15H   %s   '%Y'",
-					  lease, on ? "online" : "offline", id);
-			found = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		whack_log(RC_COMMENT, "  no matching leases found");
-	}
-}
-
-/**
- * see header file
- */
-void list_leases(char *name, char *addr, char *id)
-{
-	identification_t *identification = NULL;
-	host_t *address = NULL;
-	bool found = FALSE;
-	enumerator_t *enumerator;
-	u_int size, online, offline;
-	char *pool;
-
-	if (addr)
-	{
-		address = host_create_from_string(addr, 0);
-	}
-	if (id)
-	{
-		identification = identification_create_from_string(id);
-	}
-
-	enumerator = whack_attr->create_pool_enumerator(whack_attr);
-	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
-	{
-		if (!name || streq(name, pool))
-		{
-			pool_leases(pool, address, identification, size, online, offline);
-			found = TRUE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		if (name)
-		{
-			whack_log(RC_COMMENT, "pool '%s' not found", name);
-		}
-		else
-		{
-			whack_log(RC_COMMENT, "no pools found");
-		}
-	}
-	DESTROY_IF(identification);
-	DESTROY_IF(address);
-}
-
-/**
- * see header file
- */
-void show_pools(const char *name)
-{
-	enumerator_t *enumerator;
-	u_int size, online, offline;
-	char *pool;
-	bool first = TRUE;
-
-	enumerator = whack_attr->create_pool_enumerator(whack_attr);
-	while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
-	{
-		if (name && !streq(name, pool))
-		{
-			continue;
-		}
-		if (first)
-		{
-			first = FALSE;
-			whack_log(RC_COMMENT, "Virtual IP pools (size/online/offline):");
-		}
-		whack_log(RC_COMMENT, "\"%s\": %u/%u/%u", pool, size, online, offline);
-	}
-	enumerator->destroy(enumerator);
-}
diff --git a/src/pluto/whack_attribute.h b/src/pluto/whack_attribute.h
deleted file mode 100644
index 58441b973..000000000
--- a/src/pluto/whack_attribute.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup whack_attribute
- * @{ @ingroup pluto
- */
-
-#ifndef WHACK_ATTRIBUTE_H_
-#define WHACK_ATTRIBUTE_H_
-
-#include <whack.h>
-#include <attributes/attribute_provider.h>
-
-typedef struct whack_attribute_t whack_attribute_t;
-
-/**
- * Whack attribute provider (basically an in-memory IP address pool)
- */
-struct whack_attribute_t {
-
-	/**
-	 * Implements attribute provider interface
-	 */
-	attribute_provider_t provider;
-
-	/**
-	 * Add a virtual IP address pool.
-	 *
-	 * @param name		name of the pool
-	 * @param right		"right" end of whack message
-	 * @return			TRUE, if the pool was successfully added
-	 */
-	bool (*add_pool)(whack_attribute_t *this, const char *name,
-					 const whack_end_t *right);
-
-	/**
-	 * Remove a virtual IP address pool.
-	 *
-	 * @param name		name of the pool
-	 */
-	void (*del_pool)(whack_attribute_t *this, char *name);
-
-	/**
-	 * Create an enumerator over installed pools.
-	 *
-	 * Enumerator enumerates over
-	 * char *pool, u_int size, u_int offline, u_int online.
-	 *
-	 * @return			enumerator
-	 */
-	enumerator_t* (*create_pool_enumerator)(whack_attribute_t *this);
-
-	/**
-	 * Create an enumerator over the leases of a pool.
-	 *
-	 * Enumerator enumerates over
-	 * identification_t *id, host_t *address, bool online
-	 *
-	 * @param name		name of the pool to enumerate
-	 * @return			enumerator, NULL if pool not found
-	 */
-	enumerator_t* (*create_lease_enumerator)(whack_attribute_t *this,
-											 char *name);
-};
-
-/**
- * Global object to manage pools. Set between calls to
- * whack_attribute_initialize() and whack_attribute_finalize().
- */
-extern whack_attribute_t *whack_attr;
-
-/**
- * Initialize the whack attribute provider
- */
-void whack_attribute_initialize();
-
-/**
- * Finalize the whack attribute provider
- */
-void whack_attribute_finalize();
-
-/**
- * List the leases matching the given parameters.
- *
- * @param name		name of the pool, NULL for all pools
- * @param addr		ip address of the lease to list, NULL to ignore
- * @param id		id of the lease to list, NULL to ignore
- */
-void list_leases(char *name, char *addr, char *id);
-
-/**
- * List either all pools or the pool with a given name
- *
- * @param name		name of the pool, NULL for all pools
- */
-void show_pools(const char *name);
-
-#endif /** WHACK_ATTRIBUTE_H_ @}*/
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
deleted file mode 100644
index f017e5775..000000000
--- a/src/pluto/x509.c
+++ /dev/null
@@ -1,463 +0,0 @@
-/* Support of X.509 certificates
- * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
- * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
- * Copyright (C) 2002 Mario Strasser
- * Copyright (C) 2000-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <dirent.h>
-#include <time.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-
-#include <asn1/asn1.h>
-#include <crypto/hashers/hasher.h>
-#include <utils/enumerator.h>
-#include <utils/identification.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "log.h"
-#include "x509.h"
-#include "crl.h"
-#include "ca.h"
-#include "certs.h"
-#include "keys.h"
-#include "whack.h"
-#include "fetch.h"
-#include "ocsp.h"
-
-/**
- * Check for equality between two key identifiers
- */
-bool same_keyid(chunk_t a, chunk_t b)
-{
-	if (a.ptr == NULL || b.ptr == NULL)
-	{
-		return FALSE;
-	}
-	return chunk_equals(a, b);
-}
-
-/**
- * Stores a chained list of end certs and CA certs
- */
-void store_x509certs(linked_list_t *certs, bool strict)
-{
-	cert_t *x509cert, *cacerts = NULL;
-	certificate_t *cert;
-	enumerator_t *enumerator;
-
-	/* first extract CA certs, ignoring self-signed root CA certs */
-
-	enumerator = certs->create_enumerator(certs);
-	while (enumerator->enumerate(enumerator, &cert))
-	{
-		x509_t *x509 = (x509_t*)cert;
-		x509_flag_t flags;
-
-		flags = x509->get_flags(x509);
-		if (flags & X509_CA)
-		{
-			/* we don't accept self-signed CA certs */
-			if (flags & X509_SELF_SIGNED)
-			{
-				plog("self-signed cacert rejected");
-			}
-			else
-			{
-				/* insertion into temporary chain of candidate CA certs */
-				x509cert = malloc_thing(cert_t);
-				*x509cert = cert_empty;
-				x509cert->cert = cert->get_ref(cert);
-				x509cert->next = cacerts;
-				cacerts = x509cert;
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	/* now verify the candidate CA certs */
-
-	while (cacerts)
-	{
-		cert_t *cert = cacerts;
-
-		cacerts = cacerts->next;
-
-		if (trust_authcert_candidate(cert, cacerts))
-		{
-			add_authcert(cert, X509_CA);
-		}
-		else
-		{
-			plog("intermediate cacert rejected");
-			cert_free(cert);
-		}
-	}
-
-	/* now verify the end certificates */
-
-	enumerator = certs->create_enumerator(certs);
-	while (enumerator->enumerate(enumerator, &cert))
-	{
-		time_t valid_until;
-		x509_t *x509 = (x509_t*)cert;
-
-		if (!(x509->get_flags(x509) & X509_CA))
-		{
-			x509cert = malloc_thing(cert_t);
-			*x509cert = cert_empty;
-			x509cert->cert = cert->get_ref(cert);
-
-			if (verify_x509cert(x509cert, strict, &valid_until))
-			{
-				DBG(DBG_CONTROL | DBG_PARSING,
-					DBG_log("public key validated")
-				)
-				add_public_key_from_cert(x509cert, valid_until, DAL_SIGNED);
-			}
-			else
-			{
-				plog("X.509 certificate rejected");
-				cert_free(x509cert);
-			}
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Check if a signature over binary blob is genuine
- */
-bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
-						  certificate_t *issuer_cert)
-{
-	bool success;
-	public_key_t *key;
-	signature_scheme_t scheme;
-
-	scheme = signature_scheme_from_oid(algorithm);
-	if (scheme == SIGN_UNKNOWN)
-	{
-		return FALSE;
-	}
-
-	key = issuer_cert->get_public_key(issuer_cert);
-	if (key == NULL)
-	{
-		return FALSE;
-	}
-	success = key->verify(key, scheme, tbs, sig);
-	key->destroy(key);
-
-	return success;
-}
-
-/**
- * Build an ASN.1 encoded PKCS#1 signature over a binary blob
- */
-chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
-							 bool bit_string)
-{
-	chunk_t signature;
-	signature_scheme_t scheme = signature_scheme_from_oid(algorithm);
-
-	if (scheme == SIGN_UNKNOWN || !key->sign(key, scheme, tbs, &signature))
-	{
-		return chunk_empty;
-	}
-	return (bit_string) ? asn1_bitstring("m", signature)
-						: asn1_wrap(ASN1_OCTET_STRING, "m", signature);
-}
-
-/**
- * Verifies a X.509 certificate
- */
-bool verify_x509cert(cert_t *cert, bool strict, time_t *until)
-{
-	int pathlen, pathlen_constraint;
-
-	*until = 0;
-
-	for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
-	{
-		certificate_t *certificate = cert->cert;
-		identification_t *subject = certificate->get_subject(certificate);
-		identification_t *issuer  = certificate->get_issuer(certificate);
-		x509_t *x509 = (x509_t*)certificate;
-		chunk_t authKeyID = x509->get_authKeyIdentifier(x509);
-		cert_t *issuer_cert;
-		time_t notBefore, notAfter;
-		bool valid;
-
-		DBG(DBG_CONTROL,
-			DBG_log("subject: '%Y'", subject);
-			DBG_log("issuer:  '%Y'", issuer);
-			if (authKeyID.ptr)
-			{
-				DBG_log("authkey:  %#B", &authKeyID);
-			}
-		)
-
-		valid = certificate->get_validity(certificate, NULL,
-										  &notBefore, &notAfter);
-		if (*until == UNDEFINED_TIME || notAfter < *until)
-		{
-			*until = notAfter;
-		}
-		if (!valid)
-		{
-			plog("certificate is invalid (valid from %T to %T)",
-				 &notBefore, FALSE, &notAfter, FALSE);
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("certificate is valid")
-		)
-
-		lock_authcert_list("verify_x509cert");
-		issuer_cert = get_authcert(issuer, authKeyID, X509_CA);
-		if (issuer_cert == NULL)
-		{
-			plog("issuer cacert not found");
-			unlock_authcert_list("verify_x509cert");
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("issuer cacert found")
-		)
-
-		if (!certificate->issued_by(certificate, issuer_cert->cert))
-		{
-			plog("certificate signature is invalid");
-			unlock_authcert_list("verify_x509cert");
-			return FALSE;
-		}
-		DBG(DBG_CONTROL,
-			DBG_log("certificate signature is valid")
-		)
-		unlock_authcert_list("verify_x509cert");
-
-		/* check path length constraint */
-		pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN);
-		if (pathlen_constraint != X509_NO_CONSTRAINT &&
-			pathlen > pathlen_constraint)
-		{
-			plog("path length of %d violates constraint of %d",
-				 pathlen, pathlen_constraint);
-			return FALSE;
-		}
-
-		/* check if cert is a self-signed root ca */
-		if (pathlen >= 0 && (x509->get_flags(x509) & X509_SELF_SIGNED))
-		{
-			DBG(DBG_CONTROL,
-				DBG_log("reached self-signed root ca with a path length of %d",
-						 pathlen)
-			)
-			return TRUE;
-		}
-		else
-		{
-			time_t nextUpdate = *until;
-			time_t revocationDate = UNDEFINED_TIME;
-			crl_reason_t revocationReason = CRL_REASON_UNSPECIFIED;
-
-			/* first check certificate revocation using ocsp */
-			cert_status_t status = verify_by_ocsp(cert, &nextUpdate
-				, &revocationDate, &revocationReason);
-
-			/* if ocsp service is not available then fall back to crl */
-			if ((status == CERT_UNDEFINED)
-			||  (status == CERT_UNKNOWN && strict))
-			{
-				status = verify_by_crl(cert, &nextUpdate, &revocationDate
-					, &revocationReason);
-			}
-
-			switch (status)
-			{
-			case CERT_GOOD:
-				/* if status information is stale */
-				if (strict && nextUpdate < time(NULL))
-				{
-					DBG(DBG_CONTROL,
-						DBG_log("certificate is good but status is stale")
-					)
-					remove_x509_public_key(cert);
-					return FALSE;
-				}
-				DBG(DBG_CONTROL,
-					DBG_log("certificate is good")
-				)
-
-				/* with strict crl policy the public key must have the same
-				 * lifetime as the validity of the ocsp status or crl lifetime
-				 */
-				if (strict && nextUpdate < *until)
-				{
-					*until = nextUpdate;
-				}
-				break;
-			case CERT_REVOKED:
-				plog("certificate was revoked on %T, reason: %N"
-					, &revocationDate, TRUE
-					, crl_reason_names, revocationReason);
-				remove_x509_public_key(cert);
-				return FALSE;
-			case CERT_UNKNOWN:
-			case CERT_UNDEFINED:
-			default:
-				plog("certificate status unknown");
-				if (strict)
-				{
-					remove_x509_public_key(cert);
-					return FALSE;
-				}
-				break;
-			}
-		}
-
-		/* go up one step in the trust chain */
-		cert = issuer_cert;
-	}
-	plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
-	return FALSE;
-}
-
-/**
- * List all X.509 certs in a chained list
- */
-void list_x509cert_chain(const char *caption, cert_t* cert,
-						 x509_flag_t flags, bool utc)
-{
-	bool first = TRUE;
-	time_t now;
-
-	/* determine the current time */
-	time(&now);
-
-	while (cert)
-	{
-		certificate_t *certificate = cert->cert;
-		x509_t *x509 = (x509_t*)certificate;
-
-		if (certificate->get_type(certificate) == CERT_X509 &&
-		   (flags == X509_NONE || (flags & x509->get_flags(x509))))
-		{
-			enumerator_t *enumerator;
-			char buf[BUF_LEN];
-			char *pos = buf;
-			int len = BUF_LEN, pathlen;
-			bool first_altName = TRUE;
-			identification_t *id;
-			time_t notBefore, notAfter;
-			public_key_t *key;
-			chunk_t serial, keyid, subjkey, authkey;
-
-			if (first)
-			{
-				whack_log(RC_COMMENT, " ");
-				whack_log(RC_COMMENT, "List of X.509 %s Certificates:", caption);
-				first = FALSE;
-			}
-			whack_log(RC_COMMENT, " ");
-
-			enumerator = x509->create_subjectAltName_enumerator(x509);
-			while (enumerator->enumerate(enumerator, &id))
-			{
-				int written;
-
-				if (first_altName)
-				{
-					written = snprintf(pos, len, "%Y", id);
-					first_altName = FALSE;
-				}
-				else
-				{
-					written = snprintf(pos, len, ", %Y", id);
-				}
-				if (written < 0 || written >= len)
-				{
-					break;
-				}
-				pos += written;
-				len -= written;
-			}
-			enumerator->destroy(enumerator);
-			if (!first_altName)
-			{
-				whack_log(RC_COMMENT, "  altNames:  %s", buf);
-			}
-
-			whack_log(RC_COMMENT, "  subject:  \"%Y\"",
-				certificate->get_subject(certificate));
-			whack_log(RC_COMMENT, "  issuer:   \"%Y\"",
-				certificate->get_issuer(certificate));
-				serial = chunk_skip_zero(x509->get_serial(x509));
-			whack_log(RC_COMMENT, "  serial:    %#B", &serial);
-
-			/* list validity */
-			certificate->get_validity(certificate, &now, &notBefore, &notAfter);
-			whack_log(RC_COMMENT, "  validity:  not before %T %s",
-				&notBefore, utc,
-				(notBefore < now)?"ok":"fatal (not valid yet)");
-			whack_log(RC_COMMENT, "             not after  %T %s",
-				&notAfter, utc,
-				check_expiry(notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
-
-			key = certificate->get_public_key(certificate);
-			if (key)
-			{
-				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
-					key_type_names, key->get_type(key),
-					key->get_keysize(key),
-					cert->smartcard ? ", on smartcard" :
-					(has_private_key(cert)? ", has private key" : ""));
-
-				if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
-				{
-					whack_log(RC_COMMENT, "  keyid:     %#B", &keyid);
-				}
-				if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &subjkey))
-				{
-					whack_log(RC_COMMENT, "  subjkey:   %#B", &subjkey);
-				}
-				key->destroy(key);
-			}
-
-			/* list optional authorityKeyIdentifier */
-			authkey = x509->get_authKeyIdentifier(x509);
-			if (authkey.ptr)
-			{
-				whack_log(RC_COMMENT, "  authkey:   %#B", &authkey);
-			}
-
-			/* list optional pathLenConstraint */
-			pathlen = x509->get_constraint(x509, X509_PATH_LEN);
-			if (pathlen != X509_NO_CONSTRAINT)
-			{
-				whack_log(RC_COMMENT, "  pathlen:   %d", pathlen);
-			}
-
-		}
-		cert = cert->next;
-	}
-}
-
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
deleted file mode 100644
index 3101724a6..000000000
--- a/src/pluto/x509.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/* Support of X.509 certificates
- * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
- * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
- * Copyright (C) 2002 Mario Strasser
- * Copyright (C) 2000-2009 Andreas Steffen, Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _X509_H
-#define _X509_H
-
-#include <utils/identification.h>
-#include <utils/linked_list.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/certificates/x509.h>
-
-#include "constants.h"
-#include "certs.h"
-
-#define X509_MAX_PATH_LEN				 7
-
-extern bool same_keyid(chunk_t a, chunk_t b);
-extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
-								 certificate_t *issuer_cert);
-extern chunk_t x509_build_signature(chunk_t tbs, int algorithm,
-									private_key_t *key, bool bit_string);
-extern bool verify_x509cert(cert_t *cert, bool strict, time_t *until);
-extern void store_x509certs(linked_list_t *certs, bool strict);
-extern void list_x509cert_chain(const char *caption, cert_t* cert,
-								x509_flag_t flags, bool utc);
-extern void list_x509_end_certs(bool utc);
-
-#endif /* _X509_H */
diff --git a/src/pluto/xauth/xauth_manager.c b/src/pluto/xauth/xauth_manager.c
deleted file mode 100644
index 2e57ccefa..000000000
--- a/src/pluto/xauth/xauth_manager.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "xauth_manager.h"
-
-typedef struct private_xauth_manager_t private_xauth_manager_t;
-
-/**
- * private data of xauth_manager
- */
-struct private_xauth_manager_t {
-
-	/**
-	 * public functions
-	 */
-	xauth_manager_t public;
-
-	/**
-	 * list of registered secret providers
-	 */
-	linked_list_t *providers;
-
-	/**
-	 * list of registered secret verifiers
-	 */
-	linked_list_t *verifiers;
-};
-
-METHOD(xauth_manager_t, get_secret, bool,
-	private_xauth_manager_t *this, connection_t *c, chunk_t *secret)
-{
-	xauth_provider_t *provider;
-	enumerator_t *enumerator;
- 	bool success = FALSE;
-
-	*secret = chunk_empty;
-
-	enumerator = this->providers->create_enumerator(this->providers);
-	while (enumerator->enumerate(enumerator, &provider))
-	{
-		if (provider->get_secret(provider, c, secret))
-		{
-			success = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return success;
-}
-
-METHOD(xauth_manager_t, verify_secret, bool,
-	private_xauth_manager_t *this, connection_t *c, chunk_t secret)
-{
-	xauth_verifier_t *verifier;
-	enumerator_t *enumerator;
-	bool success = FALSE;
-
-	enumerator = this->verifiers->create_enumerator(this->verifiers);
-	while (enumerator->enumerate(enumerator, &verifier))
-	{
-		if (verifier->verify_secret(verifier, c, secret))
-		{
-			success = TRUE;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return success;
-}
-
-METHOD(xauth_manager_t, add_provider, void,
-	private_xauth_manager_t *this,	xauth_provider_t *provider)
-{
-	this->providers->insert_last(this->providers, provider);
-}
-
-METHOD(xauth_manager_t, add_verifier, void,
-	private_xauth_manager_t *this,	xauth_verifier_t *verifier)
-{
-	this->verifiers->insert_last(this->verifiers, verifier);
-}
-
-METHOD(xauth_manager_t, destroy, void,
-	private_xauth_manager_t *this)
-{
-	this->providers->destroy_offset(this->providers,
-									offsetof(xauth_provider_t, destroy));
-	this->verifiers->destroy_offset(this->verifiers,
-									offsetof(xauth_verifier_t, destroy));
-	free(this);
-}
-
-/*
- * Described in header.
- */
-xauth_manager_t *xauth_manager_create()
-{
-	private_xauth_manager_t *this;
-
-	INIT(this,
-		.public = {
-			.get_secret = _get_secret,
-			.verify_secret = _verify_secret,
-			.add_provider = _add_provider,
-			.add_verifier = _add_verifier,
-			.destroy = _destroy,
-		 }
-	);
-
-	this->providers = linked_list_create();
-	this->verifiers = linked_list_create();
-
-	return &this->public;
-}
-
diff --git a/src/pluto/xauth/xauth_manager.h b/src/pluto/xauth/xauth_manager.h
deleted file mode 100644
index 843eb2ff0..000000000
--- a/src/pluto/xauth/xauth_manager.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth_manager xauth_manager
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_MANAGER_H_
-#define XAUTH_MANAGER_H_
-
-#include "xauth_provider.h"
-#include "xauth_verifier.h"
-
-typedef struct xauth_manager_t xauth_manager_t;
-
-/**
- * An xauth_manager registers xauth_providers and xauth_verifiers.
- */
-struct xauth_manager_t {
-
-	/**
-	 * Register an xauth_provider
-	 *
-	 * @param provider		xauth_provider to be registered
-	 */
-	void (*add_provider)(xauth_manager_t *this, xauth_provider_t *provider);
-
-	/**
-	 * Register an xauth_verifier
-	 *
-	 * @param verifier		xauth_verifier to be registered
-	 */
-	void (*add_verifier)(xauth_manager_t *this, xauth_verifier_t *verifier);
-
-	/**
-	 * Use registered providers to retrieve an XAUTH user secret
-     * based on connection information.
-	 *
-	 * @param c				connection information
-	 * @param secret		secret if found, chunk_empty otherwise
-	 * @return				TRUE if a matching secret was found
-	 */
-	bool (*get_secret)(xauth_manager_t *this, connection_t *c, chunk_t *secret);
-
-	/**
-	 * Use registered verifiers to verify an XAUTH user secret 
-	 * based on connection information
-	 *
-	 * @param c				connection information
-	 * @param secret		secret to be compared
-	 * @return				TRUE if secret matches
-	 */
-	bool (*verify_secret)(xauth_manager_t *this, connection_t *c, chunk_t secret);
-
-	/**
-	 * Destroy an xauth_verifier instance.
-	 */
-	void (*destroy)(xauth_manager_t *this);
-};
-
-/**
- * Create an xauth_manager instance.
- */
-xauth_manager_t *xauth_manager_create();
-
-#endif /** XAUTH_MANAGER_H_ @}*/
-
diff --git a/src/pluto/xauth/xauth_provider.h b/src/pluto/xauth/xauth_provider.h
deleted file mode 100644
index 90adbff50..000000000
--- a/src/pluto/xauth/xauth_provider.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth_provider xauth_provider
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_PROVIDER_H_
-#define XAUTH_PROVIDER_H_
-
-#include <library.h>
-
-#include <connections.h>
-
-typedef struct xauth_provider_t xauth_provider_t;
-
-/**
- * An xauth provider retrieves xauth user secrets on the client side. 
- */
-struct xauth_provider_t {
-
-	/**
-	 * Retrieve an XAUTH user secret based on connection information.
-	 *
-	 * @param c				connection information
-	 * @param secret		secret if found, chunk_empty otherwise
-	 * @return				TRUE if a matching secret was found
-	 */
-	bool (*get_secret)(xauth_provider_t *this, connection_t *c, chunk_t *secret);
-
-	/**
-	 * Destroy an xauth_provider instance.
-	 */
-	void (*destroy)(xauth_provider_t *this);
-};
-
-/**
- * Create an xauth_provider instance.
- */
-xauth_provider_t *xauth_provider_create();
-
-#endif /** XAUTH_PROVIDER_H_ @}*/
-
diff --git a/src/pluto/xauth/xauth_verifier.h b/src/pluto/xauth/xauth_verifier.h
deleted file mode 100644
index 7c9ff3a7f..000000000
--- a/src/pluto/xauth/xauth_verifier.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth_verifier xauth_verifier
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_VERIFIER_H_
-#define XAUTH_VERIFIER_H_
-
-#include <library.h>
-
-#include <connections.h>
-
-typedef struct xauth_verifier_t xauth_verifier_t;
-
-/**
- * An xauth verifier verifies xauth user secrets on the server side.
- */
-struct xauth_verifier_t {
-
-	/**
-	 * Verify an XAUTH user secret base on connection information
-	 *
-	 * @param c				connection information
-	 * @param secret		secret to be compared
-	 * @return				TRUE if secret matches
-	 */
-	bool (*verify_secret)(xauth_verifier_t *this, connection_t *c, chunk_t secret);
-
-	/**
-	 * Destroy an xauth_verifier instance.
-	 */
-	void (*destroy)(xauth_verifier_t *this);
-};
-
-/**
- * Create an xauth_verifier instance.
- */
-xauth_verifier_t *xauth_verifier_create();
-
-#endif /** XAUTH_VERIFIER_H_ @}*/
-
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 897b49ac3..c911be1c4 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -1,54 +1,16 @@
 ipsec_PROGRAMS = scepclient
-scepclient_SOURCES = scepclient.c scep.c scep.h loglite.c
+scepclient_SOURCES = \
+scepclient.c scep.c scep.h
 
 scepclient.o :	$(top_builddir)/config.status
 
-PLUTODIR=$(top_srcdir)/src/pluto
-OPENACDIR=$(top_srcdir)/src/openac
-WHACKDIR=$(top_srcdir)/src/whack
-LIBFREESWANDIR=$(top_srcdir)/src/libfreeswan
-LIBSTRONGSWANDIR=$(top_srcdir)/src/libstrongswan
-LIBHYDRADIR=$(top_srcdir)/src/libhydra
-LIBCRYPTODIR=$(top_srcdir)/src/libcrypto
-
-INCLUDES = \
--I$(LIBFREESWANDIR) \
--I$(LIBSTRONGSWANDIR) \
--I$(LIBHYDRADIR) \
--I$(PLUTODIR) \
--I$(LIBCRYPTODIR) \
--I$(WHACKDIR)
-
-AM_CFLAGS = \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DPLUGINS=\""${scepclient_plugins}\"" \
--DDEBUG -DNO_PLUTO
-
-LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
-LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${scepclient_plugins}\""
 
 scepclient_LDADD = \
-constants.o defs.o lex.o pkcs7.o \
-$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
-$(LIBFREESWANBUILDDIR)/libfreeswan.a
-
-# This compile option activates smartcard support
-if USE_SMARTCARD
-  AM_CFLAGS += -DSMARTCARD
-  scepclient_LDADD += $(DLLIB)
-endif
+$(top_builddir)/src/libstrongswan/libstrongswan.la
 
 dist_man_MANS = scepclient.8
-
-constants.o :	$(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-defs.o : 	$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-lex.o :		$(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pkcs7.o :	$(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 576a8fb17..19a7a5d6b 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -35,10 +52,6 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 ipsec_PROGRAMS = scepclient$(EXEEXT)
-
-# This compile option activates smartcard support
-@USE_SMARTCARD_TRUE@am__append_1 = -DSMARTCARD
-@USE_SMARTCARD_TRUE@am__append_2 = $(DLLIB)
 subdir = src/scepclient
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in
@@ -51,37 +64,55 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 PROGRAMS = $(ipsec_PROGRAMS)
-am_scepclient_OBJECTS = scepclient.$(OBJEXT) scep.$(OBJEXT) \
-	loglite.$(OBJEXT)
+am_scepclient_OBJECTS = scepclient.$(OBJEXT) scep.$(OBJEXT)
 scepclient_OBJECTS = $(am_scepclient_OBJECTS)
-am__DEPENDENCIES_1 =
-@USE_SMARTCARD_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
-scepclient_DEPENDENCIES = constants.o defs.o lex.o pkcs7.o \
-	$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
-	$(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__DEPENDENCIES_2)
-DEFAULT_INCLUDES = -I.@am__isrc@
+scepclient_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(scepclient_SOURCES)
 DIST_SOURCES = $(scepclient_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -103,6 +134,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -112,21 +149,28 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -135,13 +179,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -154,6 +201,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -181,11 +229,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -193,6 +243,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -201,8 +252,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -211,14 +260,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -232,17 +286,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -252,16 +306,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -289,30 +342,18 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-scepclient_SOURCES = scepclient.c scep.c scep.h loglite.c
-PLUTODIR = $(top_srcdir)/src/pluto
-OPENACDIR = $(top_srcdir)/src/openac
-WHACKDIR = $(top_srcdir)/src/whack
-LIBFREESWANDIR = $(top_srcdir)/src/libfreeswan
-LIBSTRONGSWANDIR = $(top_srcdir)/src/libstrongswan
-LIBHYDRADIR = $(top_srcdir)/src/libhydra
-LIBCRYPTODIR = $(top_srcdir)/src/libcrypto
-INCLUDES = \
--I$(LIBFREESWANDIR) \
--I$(LIBSTRONGSWANDIR) \
--I$(LIBHYDRADIR) \
--I$(PLUTODIR) \
--I$(LIBCRYPTODIR) \
--I$(WHACKDIR)
-
-AM_CFLAGS = -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${scepclient_plugins}\"" -DDEBUG -DNO_PLUTO \
-	$(am__append_1)
-LIBSTRONGSWANBUILDDIR = $(top_builddir)/src/libstrongswan
-LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan
-scepclient_LDADD = constants.o defs.o lex.o pkcs7.o \
-	$(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
-	$(LIBFREESWANBUILDDIR)/libfreeswan.a $(am__append_2)
+scepclient_SOURCES = \
+scepclient.c scep.c scep.h
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DPLUGINS=\""${scepclient_plugins}\""
+
+scepclient_LDADD = \
+$(top_builddir)/src/libstrongswan/libstrongswan.la
+
 dist_man_MANS = scepclient.8
 all: all-am
 
@@ -350,8 +391,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -391,9 +435,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) 
+scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES) $(EXTRA_scepclient_DEPENDENCIES) 
 	@rm -f scepclient$(EXEEXT)
-	$(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -401,30 +445,29 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scep.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scepclient.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -433,11 +476,18 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
-	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
-	@list=''; test -n "$(man8dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.8[a-z]*$$/p'; \
+	@list1=''; \
+	list2='$(dist_man_MANS)'; \
+	test -n "$(man8dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.8[a-z]*$$/p'; \
+	fi; \
 	} | while read p; do \
 	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; echo "$$p"; \
@@ -466,9 +516,7 @@ uninstall-man8:
 	  sed -n '/\.8[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
+	dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -582,10 +630,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -690,18 +743,6 @@ uninstall-man: uninstall-man8
 
 scepclient.o :	$(top_builddir)/config.status
 
-constants.o :	$(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-defs.o : 	$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-lex.o :		$(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
-pkcs7.o :	$(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
-		$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
deleted file mode 100644
index 96dc54390..000000000
--- a/src/scepclient/loglite.c
+++ /dev/null
@@ -1,350 +0,0 @@
-/* error logging functions
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-#include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
-#include <libgen.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-#include <debug.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
-#include <whack.h>
-
-bool
-	log_to_stderr = FALSE,      /* should log go to stderr? */
-	log_to_syslog = TRUE;       /* should log go to syslog? */
-
-/**
- * @brief scepclient dbg function
- */
-static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-	int priority = LOG_INFO;
-	int debug_level;
-	char buffer[8192];
-	char *current = buffer, *next;
-	va_list args;
-
-	if (cur_debugging & DBG_PRIVATE)
-	{
-		debug_level = 4;
-	}
-	else if (cur_debugging & DBG_RAW)
-	{
-		debug_level = 3;
-	}
-	else if (cur_debugging & DBG_PARSING)
-	{
-		debug_level = 2;
-	}
-	else
-	{
-		debug_level = 1;
-	}
-
-	if (level <= debug_level)
-	{
-		if (log_to_stderr)
-		{
-			if (level > 1)
-			{
-				fprintf(stderr, "| ");
-			}
-			va_start(args, fmt);
-			vfprintf(stderr, fmt, args);
-			va_end(args);
-			fprintf(stderr, "\n");
-		}
-		if (log_to_syslog)
-		{
-			/* write in memory buffer first */
-			va_start(args, fmt);
-			vsnprintf(buffer, sizeof(buffer), fmt, args);
-			va_end(args);
-
-			/* do a syslog with every line */
-			while (current)
-			{
-				next = strchr(current, '\n');
-				if (next)
-				{
-					*(next++) = '\0';
-				}
-				syslog(priority, "%s%s\n", (level > 1)? "| ":"", current);
-				current = next;
-			}
-		}
-	}
-}
-
-void init_log(const char *program)
-{
-	/* enable scepclient bugging hook */
-	dbg = scepclient_dbg;
-
-	if (log_to_stderr)
-	{
-		setbuf(stderr, NULL);
-	}
-	if (log_to_syslog)
-	{
-		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
-	}
-}
-
-void close_log(void)
-{
-	if (log_to_syslog)
-		closelog();
-}
-
-void plog(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "%s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_WARNING, "%s", m);
-}
-
-void loglog(int mess_no, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "%s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_WARNING, "%s", m);
-}
-
-void log_errno_routine(int e, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-	if (log_to_syslog)
-		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
-}
-
-void exit_log(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "FATAL ERROR: %s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_ERR, "FATAL ERROR: %s", m);
-	exit(1);
-}
-
-void exit_log_errno_routine(int e, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-	if (log_to_syslog)
-		syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
-	exit(1);
-}
-
-void whack_log(int mess_no, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	fprintf(stderr, "%s\n", m);
-}
-
-/* Build up a diagnostic in a static buffer.
- * Although this would be a generally useful function, it is very
- * hard to come up with a discipline that prevents different uses
- * from interfering.  It is intended that by limiting it to building
- * diagnostics, we will avoid this problem.
- * Juggling is performed to allow an argument to be a previous
- * result: the new string may safely depend on the old one.  This
- * restriction is not checked in any way: violators will produce
- * confusing results (without crashing!).
- */
-char diag_space[sizeof(diag_space)];
-
-err_t builddiag(const char *fmt, ...)
-{
-	static char diag_space[LOG_WIDTH];  /* longer messages will be truncated */
-	char t[sizeof(diag_space)]; /* build result here first */
-	va_list args;
-
-	va_start(args, fmt);
-	t[0] = '\0';        /* in case nothing terminates string */
-	vsnprintf(t, sizeof(t), fmt, args);
-	va_end(args);
-	strcpy(diag_space, t);
-	return diag_space;
-}
-
-/* Debugging message support */
-
-#ifdef DEBUG
-
-void switch_fail(int n, const char *file_str, unsigned long line_no)
-{
-	char buf[30];
-
-	snprintf(buf, sizeof(buf), "case %d unexpected", n);
-	passert_fail(buf, file_str, line_no);
-}
-
-void passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
-{
-	/* we will get a possibly unplanned prefix.  Hope it works */
-	loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-	abort();    /* exiting correctly doesn't always work */
-}
-
-lset_t
-	base_debugging = DBG_NONE,  /* default to reporting nothing */
-	cur_debugging =  DBG_NONE;
-
-void pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
-{
-	/* we will get a possibly unplanned prefix.  Hope it works */
-	loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-}
-
-/* log a debugging message (prefixed by "| ") */
-
-void DBG_log(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "| %s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_DEBUG, "| %s", m);
-}
-
-/* dump raw bytes in hex to stderr (for lack of any better destination) */
-
-void DBG_dump(const char *label, const void *p, size_t len)
-{
-#   define DUMP_LABEL_WIDTH 20  /* arbitrary modest boundary */
-#   define DUMP_WIDTH   (4 * (1 + 4 * 3) + 1)
-	char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
-	char *bp;
-	const unsigned char *cp = p;
-
-	bp = buf;
-
-	if (label != NULL && label[0] != '\0')
-	{
-		/* Handle the label.  Care must be taken to avoid buffer overrun. */
-		size_t llen = strlen(label);
-
-		if (llen + 1 > sizeof(buf))
-		{
-			DBG_log("%s", label);
-		}
-		else
-		{
-			strcpy(buf, label);
-			if (buf[llen-1] == '\n')
-			{
-				buf[llen-1] = '\0';     /* get rid of newline */
-				DBG_log("%s", buf);
-			}
-			else if (llen < DUMP_LABEL_WIDTH)
-			{
-				bp = buf + llen;
-			}
-			else
-			{
-				DBG_log("%s", buf);
-			}
-		}
-	}
-
-	do {
-		int i, j;
-
-		for (i = 0; len!=0 && i!=4; i++)
-		{
-			*bp++ = ' ';
-			for (j = 0; len!=0 && j!=4; len--, j++)
-			{
-				static const char hexdig[] = "0123456789abcdef";
-
-				*bp++ = ' ';
-				*bp++ = hexdig[(*cp >> 4) & 0xF];
-				*bp++ = hexdig[*cp & 0xF];
-				cp++;
-			}
-		}
-		*bp = '\0';
-		DBG_log("%s", buf);
-		bp = buf;
-	} while (len != 0);
-#   undef DUMP_LABEL_WIDTH
-#   undef DUMP_WIDTH
-}
-
-#endif /* DEBUG */
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 29f6eab70..5bb29bbd8 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -1,11 +1,5 @@
-/**
- * @file scep.c
- * @brief SCEP specific functions
- *
- * Contains functions to build SCEP request's and to parse SCEP reply's.
- */
-
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -23,32 +17,16 @@
 #include <string.h>
 #include <stdlib.h>
 
-#include <freeswan.h>
-
 #include <library.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
 #include <crypto/rngs/rng.h>
 #include <crypto/hashers/hasher.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/fetch.h"
-#include "../pluto/log.h"
-
 #include "scep.h"
 
-static const chunk_t ASN1_messageType_oid = chunk_from_chars(
-	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02
-);
-static const chunk_t ASN1_senderNonce_oid = chunk_from_chars(
-	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05
-);
-static const chunk_t ASN1_transId_oid = chunk_from_chars(
-	0x06, 0x0A, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07
-);
-
 static const char *pkiStatus_values[] = { "0", "2", "3" };
 
 static const char *pkiStatus_names[] = {
@@ -86,170 +64,61 @@ const scep_attributes_t empty_scep_attributes = {
 	{ NULL, 0 }        , /* recipientNonce */
 };
 
-/* ASN.1 definition of the X.501 atttribute type */
-
-static const asn1Object_t attributesObjects[] = {
-	{ 0, "attributes",    ASN1_SET,       ASN1_LOOP }, /* 0 */
-	{ 1,   "attribute",   ASN1_SEQUENCE,  ASN1_NONE }, /* 1 */
-	{ 2,     "type",      ASN1_OID,       ASN1_BODY }, /* 2 */
-	{ 2,     "values",    ASN1_SET,       ASN1_LOOP }, /* 3 */
-	{ 3,       "value",   ASN1_EOC,       ASN1_RAW  }, /* 4 */
-	{ 2,     "end loop",  ASN1_EOC,       ASN1_END  }, /* 5 */
-	{ 0, "end loop",      ASN1_EOC,       ASN1_END  }, /* 6 */
-	{ 0, "exit",          ASN1_EOC,       ASN1_EXIT	}
-};
-#define ATTRIBUTE_OBJ_TYPE      2
-#define ATTRIBUTE_OBJ_VALUE     4
-
 /**
- * Extract and store an attribute
+ * Extract X.501 attributes
  */
-static bool extract_attribute(int oid, chunk_t object, u_int level,
-							  scep_attributes_t *attrs)
+void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator,
+						scep_attributes_t *attrs)
 {
-	asn1_t type = ASN1_EOC;
-	const char *name = "none";
+	chunk_t attr;
 
-	switch (oid)
+	if (pkcs7->get_attribute(pkcs7, OID_PKI_MESSAGE_TYPE, enumerator, &attr))
 	{
-	case OID_PKCS9_CONTENT_TYPE:
-		type = ASN1_OID;
-		name = "contentType";
-		break;
-	case OID_PKCS9_SIGNING_TIME:
-		type = ASN1_UTCTIME;
-		name = "signingTime";
-		break;
-	case OID_PKCS9_MESSAGE_DIGEST:
-		type = ASN1_OCTET_STRING;
-		name = "messageDigest";
-		break;
-	case OID_PKI_MESSAGE_TYPE:
-		type = ASN1_PRINTABLESTRING;
-		name = "messageType";
-		break;
-	case OID_PKI_STATUS:
-		type = ASN1_PRINTABLESTRING;
-		name = "pkiStatus";
-		break;
-	case OID_PKI_FAIL_INFO:
-		type = ASN1_PRINTABLESTRING;
-		name = "failInfo";
-		break;
-	case OID_PKI_SENDER_NONCE:
-		type = ASN1_OCTET_STRING;
-		name = "senderNonce";
-		 break;
-	case OID_PKI_RECIPIENT_NONCE:
-		type = ASN1_OCTET_STRING;
-		name = "recipientNonce";
-		break;
-	case OID_PKI_TRANS_ID:
-		type = ASN1_PRINTABLESTRING;
-		name = "transID";
-		break;
-	default:
-		break;
-	}
-
-	if (type == ASN1_EOC)
-		return TRUE;
-
-	if (!asn1_parse_simple_object(&object, type, level+1, name))
-		return FALSE;
+		scep_msg_t m;
 
-	switch (oid)
-	{
-	case OID_PKCS9_CONTENT_TYPE:
-		break;
-	case OID_PKCS9_SIGNING_TIME:
-		break;
-	case OID_PKCS9_MESSAGE_DIGEST:
-		break;
-	case OID_PKI_MESSAGE_TYPE:
+		for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
 		{
-			scep_msg_t m;
-
-			for (m = SCEP_CertRep_MSG; m < SCEP_Unknown_MSG; m++)
+			if (strncmp(msgType_values[m], attr.ptr, attr.len) == 0)
 			{
-				if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
-					attrs->msgType = m;
+				attrs->msgType = m;
 			}
-			DBG(DBG_CONTROL,
-				DBG_log("messageType:  %s", msgType_names[attrs->msgType])
-			)
 		}
-		break;
-	case OID_PKI_STATUS:
-		{
-			pkiStatus_t s;
+		DBG2(DBG_APP, "messageType:  %s", msgType_names[attrs->msgType]);
+		free(attr.ptr);
+	}
+	if (pkcs7->get_attribute(pkcs7, OID_PKI_STATUS, enumerator, &attr))
+	{
+		pkiStatus_t s;
 
-			for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+		for (s = SCEP_SUCCESS; s < SCEP_UNKNOWN; s++)
+		{
+			if (strncmp(pkiStatus_values[s], attr.ptr, attr.len) == 0)
 			{
-				if (strncmp(pkiStatus_values[s], object.ptr, object.len) == 0)
-					attrs->pkiStatus = s;
+				attrs->pkiStatus = s;
 			}
-			DBG(DBG_CONTROL,
-				DBG_log("pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus])
-			)
 		}
-		break;
-	case OID_PKI_FAIL_INFO:
-		if (object.len == 1
-		&& *object.ptr >= '0' && *object.ptr <= '4')
+		DBG2(DBG_APP, "pkiStatus:    %s", pkiStatus_names[attrs->pkiStatus]);
+		free(attr.ptr);
+	}
+	if (pkcs7->get_attribute(pkcs7, OID_PKI_FAIL_INFO, enumerator, &attr))
+	{
+		if (attr.len == 1 && *attr.ptr >= '0' && *attr.ptr <= '4')
 		{
-			attrs->failInfo = (failInfo_t)(*object.ptr - '0');
+			attrs->failInfo = (failInfo_t)(*attr.ptr - '0');
 		}
 		if (attrs->failInfo != SCEP_unknown_REASON)
-			plog("failInfo:     %s", failInfo_reasons[attrs->failInfo]);
-		break;
-	case OID_PKI_SENDER_NONCE:
-		attrs->senderNonce = object;
-		break;
-	case OID_PKI_RECIPIENT_NONCE:
-		attrs->recipientNonce = object;
-		break;
-	case OID_PKI_TRANS_ID:
-		attrs->transID = object;
-	}
-	return TRUE;
-}
-
-/**
- * Parse X.501 attributes
- */
-bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
-{
-	asn1_parser_t *parser;
-	chunk_t object;
-	int oid = OID_UNKNOWN;
-	int objectID;
-	bool success = FALSE;
-
-	parser = asn1_parser_create(attributesObjects, blob);
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("parsing attributes")
-	)
-
-	while (parser->iterate(parser, &objectID, &object))
-	{
-		switch (objectID)
 		{
-		case ATTRIBUTE_OBJ_TYPE:
-			oid = asn1_known_oid(object);
-			break;
-		case ATTRIBUTE_OBJ_VALUE:
-			if (!extract_attribute(oid, object, parser->get_level(parser), attrs))
-			{
-				goto end;
-			}
+			DBG1(DBG_APP, "failInfo:     %s", failInfo_reasons[attrs->failInfo]);
 		}
+		free(attr.ptr);
 	}
-	success = parser->success(parser);
 
-end:
-	parser->destroy(parser);
-	return success;
+	pkcs7->get_attribute(pkcs7, OID_PKI_SENDER_NONCE, enumerator,
+						 &attrs->senderNonce);
+	pkcs7->get_attribute(pkcs7, OID_PKI_RECIPIENT_NONCE, enumerator,
+						 &attrs->recipientNonce);
+	pkcs7->get_attribute(pkcs7, OID_PKI_TRANS_ID, enumerator,
+						 &attrs->transID);
 }
 
 /**
@@ -262,7 +131,11 @@ chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
 	hasher_t *hasher;
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	hasher->get_hash(hasher, pkcs10, digest.ptr);
+	if (!hasher || !hasher->get_hash(hasher, pkcs10, digest.ptr))
+	{
+		DESTROY_IF(hasher);
+		return chunk_empty;
+	}
 	hasher->destroy(hasher);
 
 	return chunk_to_hex(digest, NULL, FALSE);
@@ -278,8 +151,7 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 	chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
 	chunk_t keyEncoding = chunk_empty, keyInfo;
 	hasher_t *hasher;
-	bool msb_set;
-	u_char *pos;
+	int zeros = 0, msb_set = 0;
 
 	key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding);
 
@@ -288,108 +160,115 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
 						asn1_bitstring("m", keyEncoding));
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
-	hasher->get_hash(hasher, keyInfo, digest.ptr);
-	hasher->destroy(hasher);
+	if (!hasher || !hasher->get_hash(hasher, keyInfo, digest.ptr))
+	{
+		memset(digest.ptr, 0, digest.len);
+	}
+	DESTROY_IF(hasher);
 	free(keyInfo.ptr);
 
-	/* is the most significant bit of the digest set? */
-	msb_set = (*digest.ptr & 0x80) == 0x80;
-
-	/* allocate space for the serialNumber */
-	serialNumber->len = msb_set + digest.len;
-	serialNumber->ptr = malloc(serialNumber->len);
-
-	/* the serial number as the two's complement of the digest */
-	pos = serialNumber->ptr;
+	/* the serialNumber should be valid ASN1 integer content:
+	 * remove leading zeros, add one if MSB is set (two's complement) */
+	while (zeros < digest.len)
+	{
+		if (digest.ptr[zeros])
+		{
+			if (digest.ptr[zeros] & 0x80)
+			{
+				msb_set = 1;
+			}
+			break;
+		}
+		zeros++;
+	}
+	*serialNumber = chunk_alloc(digest.len - zeros + msb_set);
 	if (msb_set)
 	{
-		*pos++ = 0x00;
+		serialNumber->ptr[0] = 0x00;
 	}
-	memcpy(pos, digest.ptr, digest.len);
+	memcpy(serialNumber->ptr + msb_set, digest.ptr + zeros,
+		   digest.len - zeros);
 
 	/* the transaction id is the serial number in hex format */
-	transID->len = 2*digest.len;
-	transID->ptr = malloc(transID->len + 1);
-	datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1);
+	*transID = chunk_to_hex(digest, NULL, TRUE);
 }
 
 /**
- * Builds a transId attribute
- */
-chunk_t scep_transId_attribute(chunk_t transID)
-{
-	return asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_transId_oid
-				, asn1_wrap(ASN1_SET, "m"
-					, asn1_simple_object(ASN1_PRINTABLESTRING, transID)
-				  )
-			  );
-}
-
-/**
- * Builds a messageType attribute
- */
-chunk_t scep_messageType_attribute(scep_msg_t m)
-{
-	chunk_t msgType = {
-		(u_char*)msgType_values[m],
-		strlen(msgType_values[m])
-	};
-
-	return asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_messageType_oid
-				, asn1_wrap(ASN1_SET, "m"
-					, asn1_simple_object(ASN1_PRINTABLESTRING, msgType)
-				  )
-			  );
-}
-
-/**
- * Builds a senderNonce attribute
+ * Builds a pkcs7 enveloped and signed scep request
  */
-chunk_t scep_senderNonce_attribute(void)
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+					certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+					size_t key_size, certificate_t *signer_cert,
+					hash_algorithm_t digest_alg, private_key_t *private_key)
 {
-	const size_t nonce_len = 16;
-	u_char nonce_buf[nonce_len];
-	chunk_t senderNonce = { nonce_buf, nonce_len };
+	chunk_t request;
+	container_t *container;
+	char nonce[16];
 	rng_t *rng;
+	chunk_t senderNonce, msgType;
 
+	/* generate senderNonce */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	rng->get_bytes(rng, nonce_len, nonce_buf);
+	if (!rng || !rng->get_bytes(rng, sizeof(nonce), nonce))
+	{
+		DESTROY_IF(rng);
+		return chunk_empty;
+	}
 	rng->destroy(rng);
 
-	return asn1_wrap(ASN1_SEQUENCE, "cm"
-				, ASN1_senderNonce_oid
-				, asn1_wrap(ASN1_SET, "m"
-					, asn1_simple_object(ASN1_OCTET_STRING, senderNonce)
-				  )
-			  );
-}
+	/* encrypt data in enveloped-data PKCS#7 */
+	container = lib->creds->create(lib->creds,
+					CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
+					BUILD_BLOB, data,
+					BUILD_CERT, enc_cert,
+					BUILD_ENCRYPTION_ALG, enc_alg,
+					BUILD_KEY_SIZE, (int)key_size,
+					BUILD_END);
+	if (!container)
+	{
+		return chunk_empty;
+	}
+	if (!container->get_encoding(container, &request))
+	{
+		container->destroy(container);
+		return chunk_empty;
+	}
+	container->destroy(container);
+
+	/* sign enveloped-data in a signed-data PKCS#7 */
+	senderNonce = asn1_wrap(ASN1_OCTET_STRING, "c", chunk_from_thing(nonce));
+	transID = asn1_wrap(ASN1_PRINTABLESTRING, "c", transID);
+	msgType = asn1_wrap(ASN1_PRINTABLESTRING, "c",
+						chunk_create((char*)msgType_values[msg],
+									 strlen(msgType_values[msg])));
+
+	container = lib->creds->create(lib->creds,
+					CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
+					BUILD_BLOB, request,
+					BUILD_SIGNING_CERT, signer_cert,
+					BUILD_SIGNING_KEY, private_key,
+					BUILD_DIGEST_ALG, digest_alg,
+					BUILD_PKCS7_ATTRIBUTE, OID_PKI_SENDER_NONCE, senderNonce,
+					BUILD_PKCS7_ATTRIBUTE, OID_PKI_TRANS_ID, transID,
+					BUILD_PKCS7_ATTRIBUTE, OID_PKI_MESSAGE_TYPE, msgType,
+					BUILD_END);
+
+	free(request.ptr);
+	free(senderNonce.ptr);
+	free(transID.ptr);
+	free(msgType.ptr);
+
+	if (!container)
+	{
+		return chunk_empty;
+	}
+	if (!container->get_encoding(container, &request))
+	{
+		container->destroy(container);
+		return chunk_empty;
+	}
+	container->destroy(container);
 
-/**
- * Builds a pkcs7 enveloped and signed scep request
- */
-chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-						   certificate_t *enc_cert, int enc_alg,
-						   certificate_t *signer_cert, int digest_alg,
-						   private_key_t *private_key)
-{
-	chunk_t envelopedData, attributes, request;
-
-	envelopedData = pkcs7_build_envelopedData(data, enc_cert, enc_alg);
-
-	attributes = asn1_wrap(ASN1_SET, "mmmmm"
-					, pkcs7_contentType_attribute()
-					, pkcs7_messageDigest_attribute(envelopedData
-						, digest_alg)
-					, scep_transId_attribute(transID)
-					, scep_messageType_attribute(msg)
-					, scep_senderNonce_attribute());
-
-	request = pkcs7_build_signedData(envelopedData, attributes
-					, signer_cert, digest_alg, private_key);
-	free(envelopedData.ptr);
-	free(attributes.ptr);
 	return request;
 }
 
@@ -406,11 +285,12 @@ static char* escape_http_request(chunk_t req)
 	int n     = 0;
 
 	/* compute and allocate the size of the base64-encoded request */
-	int len = 1 + 4*((req.len + 2)/3);
+	int len = 1 + 4 * ((req.len + 2) / 3);
 	char *encoded_req = malloc(len);
 
 	/* do the base64 conversion */
-	len = datatot(req.ptr, req.len, 64, encoded_req, len);
+	chunk_t base64 = chunk_to_base64(req, encoded_req);
+	len = base64.len + 1;
 
 	/* compute newline characters to be inserted every 64 characters */
 	lines = (len - 2) / 64;
@@ -420,10 +300,12 @@ static char* escape_http_request(chunk_t req)
 	while (*p1 != '\0')
 	{
 		if (*p1++ == '+')
+		{
 			plus++;
+		}
 	}
 
-	escaped_req = malloc(len + 3*(lines + plus));
+	escaped_req = malloc(len + 3 * (lines + plus));
 
 	/* escape special characters in the request */
 	p1 = encoded_req;
@@ -456,19 +338,24 @@ static char* escape_http_request(chunk_t req)
 /**
  * Send a SCEP request via HTTP and wait for a response
  */
-bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
-					   bool http_get_request, chunk_t *response)
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
+					   bool http_get_request, u_int timeout, char *src,
+					   chunk_t *response)
 {
 	int len;
 	status_t status;
 	char *complete_url = NULL;
+	host_t *srcip = NULL;
 
 	/* initialize response */
 	*response = chunk_empty;
 
-	DBG(DBG_CONTROL,
-		DBG_log("sending scep request to '%s'", url)
-	)
+	if (src)
+	{
+		srcip = host_create_from_string(src, 0);
+	}
+
+	DBG2(DBG_APP, "sending scep request to '%s'", url);
 
 	if (op == SCEP_PKI_OPERATION)
 	{
@@ -476,7 +363,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 
 		if (http_get_request)
 		{
-			char *escaped_req = escape_http_request(pkcs7);
+			char *escaped_req = escape_http_request(msg);
 
 			/* form complete url */
 			len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
@@ -487,9 +374,11 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 
 			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
 										 FETCH_HTTP_VERSION_1_0,
+										 FETCH_TIMEOUT, timeout,
 										 FETCH_REQUEST_HEADER, "Pragma:",
 										 FETCH_REQUEST_HEADER, "Host:",
 										 FETCH_REQUEST_HEADER, "Accept:",
+										 FETCH_SOURCEIP, srcip,
 										 FETCH_END);
 		}
 		else /* HTTP_POST */
@@ -500,46 +389,85 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 			snprintf(complete_url, len, "%s?operation=%s", url, operation);
 
 			status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
-										 FETCH_REQUEST_DATA, pkcs7,
+										 FETCH_HTTP_VERSION_1_0,
+										 FETCH_TIMEOUT, timeout,
+										 FETCH_REQUEST_DATA, msg,
 										 FETCH_REQUEST_TYPE, "",
 										 FETCH_REQUEST_HEADER, "Expect:",
+										 FETCH_SOURCEIP, srcip,
 										 FETCH_END);
 		}
 	}
 	else  /* SCEP_GET_CA_CERT */
 	{
 		const char operation[] = "GetCACert";
+		int i;
+
+		/* escape spaces, TODO: complete URL escape */
+		for (i = 0; i < msg.len; i++)
+		{
+			if (msg.ptr[i] == ' ')
+			{
+				msg.ptr[i] = '+';
+			}
+		}
 
 		/* form complete url */
-		len = strlen(url) + 32 + strlen(operation) + 1;
+		len = strlen(url) + 32 + strlen(operation) + msg.len + 1;
 		complete_url = malloc(len);
-		snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
-				, url, operation);
+		snprintf(complete_url, len, "%s?operation=%s&message=%.*s",
+				 url, operation, (int)msg.len, msg.ptr);
 
 		status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+									 FETCH_HTTP_VERSION_1_0,
+									 FETCH_TIMEOUT, timeout,
+									 FETCH_SOURCEIP, srcip,
 									 FETCH_END);
 	}
 
+	DESTROY_IF(srcip);
 	free(complete_url);
 	return (status == SUCCESS);
 }
 
-err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
-						  scep_attributes_t *attrs, certificate_t *signer_cert)
+err_t scep_parse_response(chunk_t response, chunk_t transID,
+						  container_t **out, scep_attributes_t *attrs)
 {
-	chunk_t attributes;
-
-	if (!pkcs7_parse_signedData(response, data, NULL, &attributes, signer_cert))
+	enumerator_t *enumerator;
+	bool verified = FALSE;
+	container_t *container;
+	auth_cfg_t *auth;
+
+	container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								   BUILD_BLOB_ASN1_DER, response, BUILD_END);
+	if (!container)
 	{
 		return "error parsing the scep response";
 	}
-	if (!parse_attributes(attributes, attrs))
+	if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
 	{
-		return "error parsing the scep response attributes";
+		container->destroy(container);
+		return "scep response is not PKCS#7 signed-data";
+	}
+
+	enumerator = container->create_signature_enumerator(container);
+	while (enumerator->enumerate(enumerator, &auth))
+	{
+		verified = TRUE;
+		extract_attributes((pkcs7_t*)container, enumerator, attrs);
+		if (!chunk_equals(transID, attrs->transID))
+		{
+			enumerator->destroy(enumerator);
+			container->destroy(container);
+			return "transaction ID of scep response does not match";
+		}
 	}
-	if (!chunk_equals(transID, attrs->transID))
+	enumerator->destroy(enumerator);
+	if (!verified)
 	{
-		return "transaction ID of scep response does not match";
+		container->destroy(container);
+		return "unable to verify PKCS#7 container";
 	}
+	*out = container;
 	return NULL;
 }
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index f64c6b1cc..4ef5eaf8e 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -1,11 +1,5 @@
-/**
- * @file scep.h
- * @brief SCEP specific functions
- *
- * Contains functions to build and parse SCEP requests and replies
- */
-
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -23,11 +17,9 @@
 #ifndef _SCEP_H
 #define _SCEP_H
 
+#include <credentials/containers/pkcs7.h>
 #include <credentials/certificates/certificate.h>
 
-#include "../pluto/defs.h"
-#include "../pluto/pkcs7.h"
-
 /* supported SCEP operation types */
 typedef enum {
 	SCEP_PKI_OPERATION,
@@ -74,22 +66,22 @@ typedef struct {
 
 extern const scep_attributes_t empty_scep_attributes;
 
-extern bool parse_attributes(chunk_t blob, scep_attributes_t *attrs);
-extern void scep_generate_transaction_id(public_key_t *key,
-										 chunk_t *transID,
-										 chunk_t *serialNumber);
-extern chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10);
-extern chunk_t scep_transId_attribute(chunk_t transaction_id);
-extern chunk_t scep_messageType_attribute(scep_msg_t m);
-extern chunk_t scep_senderNonce_attribute(void);
-extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
-								  certificate_t *enc_cert, int enc_alg,
-								  certificate_t *signer_cert, int digest_alg,
-								  private_key_t *private_key);
-extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
-							  bool http_get_request, chunk_t *response);
-extern err_t scep_parse_response(chunk_t response, chunk_t transID,
-								 contentInfo_t *data, scep_attributes_t *attrs,
-								 certificate_t *signer_cert);
+bool parse_attributes(chunk_t blob, scep_attributes_t *attrs);
+void scep_generate_transaction_id(public_key_t *key,
+								  chunk_t *transID,
+								  chunk_t *serialNumber);
+chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10);
+chunk_t scep_transId_attribute(chunk_t transaction_id);
+chunk_t scep_messageType_attribute(scep_msg_t m);
+chunk_t scep_senderNonce_attribute(void);
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+						certificate_t *enc_cert, encryption_algorithm_t enc_alg,
+						size_t key_size, certificate_t *signer_cert,
+						hash_algorithm_t digest_alg, private_key_t *private_key);
+bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
+					   bool http_get_request, u_int timeout, char *src,
+					   chunk_t *response);
+err_t scep_parse_response(chunk_t response, chunk_t transID,
+						  container_t **out, scep_attributes_t *attrs);
 
 #endif /* _SCEP_H */
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index 72750e155..bf71bf85c 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -1,5 +1,5 @@
-.\" 
-.TH "IPSEC_SCEPCLIENT" "8" "29 September 2005" "Jan Hutter, Martin Willi" ""
+.\"
+.TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" ""
 .SH "NAME"
 ipsec scepclient \- Client for the SCEP protocol
 .SH "SYNOPSIS"
@@ -7,7 +7,7 @@ ipsec scepclient \- Client for the SCEP protocol
 .sp
 .B ipsec scepclient
 .B \-\-help
-.br 
+.br
 .B ipsec scepclient
 .B \-\-version
 .SH "DESCRIPTION"
@@ -19,7 +19,7 @@ is designed to be used for certificate enrollment on machines using the OpenSour
 .SH "FEATURES"
 .BR scepclient
 implements the following features of SCEP:
-.br 
+.br
 .IP "\-" 4
 Automatic enrollment of client certificate using a preshared secret
 .IP "\-" 4
@@ -31,7 +31,7 @@ Acquisition of CA certificate(s)
 .B \-v, \-\-version
 .RS 4
 Display the version of ipsec scepclient.
-.PP 
+.PP
 .RE
 .B \-h, \-\-help
 .RS 4
@@ -43,17 +43,17 @@ Display usage of ipsec scepclient.
 .RS 4
 Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate acquisition.
 .RE
-.PP 
+.PP
 .B \-+, \-\-optionsfrom \fIfilename\fP
 .RS 4
 Reads additional options from \fIfilename\fP.
 .RE
-.PP 
+.PP
 .B \-f, \-\-force
 .RS 4
 Overwrite existing output file[s].
 .RE
-.PP 
+.PP
 .B \-q, \-\-quiet
 .RS 4
 Do not write log output to stderr.
@@ -62,7 +62,9 @@ Do not write log output to stderr.
 .SS Options for CA Certificate Acquisition
 .B \-o, \-\-out cacert[=\fIfilename\fP]
 .RS 4
-Output file of acquired CA certificate. If more then one CA certificate is available, \fIfilename\fP is used as prefix for the resulting files.
+Output file of acquired CA certificate. If more then one CA certificate is
+available, \fIfilename\fP is used as prefix for the resulting files (refer to
+EXAMPLES below for details).
 .br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .RE
@@ -70,41 +72,50 @@ The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .SS Options For Certificate Enrollment
 .B \-i, \-\-in \fItype\fP[=\fIfilename\fP]
 .RS 4
-Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP. 
-Input files can bei either DER or PEM encoded.
-.PP 
+Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP.
+Input files can be either DER or PEM encoded.
+.PP
 Supported values for \fItype\fP:
 .IP "\fBpkcs1\fP" 12
 RSA private key in PKCS#1 file format. If no input of this type is specified, a RSA key gets generated.
 .br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der.
+.IP "\fBpkcs10\fP" 12
+PKCS#10 certificate request to be used in the SCEP request. If no input of this type is specified, a request is generated.
+.br
+The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der.
 .IP "\fBcacert\-enc\fP" 12
-CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment. 
-.br 
+CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment.
+.br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
 .IP "\fBcacert\-sig\fP" 12
-CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment. 
-.br 
+CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment.
+.br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
+.IP "\fBcert-self\fP" 12
+Certificate to be used in the SCEP request.  If it is not specified a
+self-signed certificate is generated automatically.
+.br
+The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
 .RE
-.PP 
+.PP
 .B \-k, \-\-keylength \fIbits\fP
 .RS 4
 sets the key length for RSA key generation. The default length for a generated rsa key is set to 2048 bit.
 .RE
-.PP 
+.PP
 .B \-D, \-\-days \fIdays\fP
 .RS 4
 Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years).
 .RE
-.PP 
+.PP
 .B \-S, \-\-startdate \fIYYMMDDHHMMSS\fPZ
 .RS 4
-defines the \fBnotBefore\fP date when the X.509 certificate  becomes  valid. 
+defines the \fBnotBefore\fP date when the X.509 certificate  becomes  valid.
 The  date has the format \fIYYMMDDHHMMSS\fP and  must be specified in UTC (Zulu time).
 If the \fB--startdate\fP option is not specified then the current date is taken as a default.
 .RE
-.PP 
+.PP
 .B \-E, \-\-enddate \fIYYMMDDHHMMSS\fPZ
 .RS 4
 defines the \fBnotAfter\fP date when the X.509 certificate will expire.
@@ -118,12 +129,12 @@ adding the validity interval specified by the \fB--days\fP option to the \fBnotB
 Distinguished name as comma separated list of relative distinguished names. Use quotation marks for a distinguished name containing spaces. If the \fB\-\-dn\fP parameter is missing then the default "C=CH, O=Linux strongSwan, CN=\fIhostname\fP"
 is used with \fIhostname\fP being the return value of the \fIgethostname\fP() function.
 .RE
-.PP 
+.PP
 .B \-s, \-\-subjectAltName \fItype\fP=\fIvalue\fP
 .RS 4
 Include subjectAltName in certificate request. This option can be specified multiple times to specify a subjectAltName
 for every \fItype\fP.
-.PP 
+.PP
 Supported values for \fItype\fP:
 .IP "\fBemail\fP" 12
 subjectAltName is a email address.
@@ -132,25 +143,35 @@ subjectAltName is a hostname.
 .IP "\fBip\fP" 12
 subjectAltName is a IP address.
 .RE
-.PP 
+.PP
 .B \-p, \-\-password \fIpw\fP
 .RS 4
 Password to be included as a \fIchallenge password\fP in SCEP request.
 If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command line.
 .IP
 \- In automatic mode, this password corresponds to the preshared secret for the given enrollment.
-.IP 
+.IP
 \- In manual mode, this password can be used to later revoke the corresponding certificate.
 .RE
-.PP 
-.B \-a, \-\-algorithm \fIalgo\fP
+.PP
+.B \-a, \-\-algorithm [\fItype\fP=]\fIalgo\fP
 .RS 4
-Change symmetric algorithm to use for encryption of certificate Request.
-The default is \fB3des\-cbc\fP.
-.PP 
-Supported values for \fIalgo\fP:
+Change the algorithms to be used when generating and transporting (PKCS#7)
+certificate requests (PKCS#10).
+.PP
+Supported values for \fItype\fP:
+.IP "\fBenc\fP" 12
+symmetric encryption algorithm in PKCS#7
+.IP "\fBdgst\fP" 12
+hash algorithm for message digest in PKCS#7
+.IP "\fBsig\fP" 12
+hash algorithm for the signature in PKCS#10
+.PP
+If \fItype\fP is not specified \fBenc\fP is assumed.
+.PP
+Supported values for \fIalgo\fP (\fBenc\fP):
 .IP "\fBdes\fP" 12
-DES-CBC encryption (key size = 56 bit).
+DES-CBC encryption (key size = 56 bit). Default.
 .IP "\fB3des\fP" 12
 Triple DES-EDE-CBC encryption (key size = 168 bit).
 .IP "\fBaes128\fP" 12
@@ -165,56 +186,60 @@ Camellia-CBC encryption (key size = 128 bit).
 Camelllia-CBC encryption (key size = 192 bit).
 .IP "\fBcamellia256\fP" 12
 Camellia-CBC encryption (key size = 256 bit).
+.PP
+Supported values for \fIalgo\fP (\fBdgst\fP or \fBsig\fP):
+.PP
+\fBmd5\fP (default), \fBsha1\fP, \fBsha256\fP, \fBsha384\fP, \fBsha512\fP
 .RE
-.PP 
+.PP
 .B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
 .RS 4
 Output file for certificate enrollment. This option can be specified multiple times to specify output files for every \fItype\fP.
-.PP 
+.PP
 Supported values for \fItype\fP:
 .IP "\fBpkcs1\fP" 12
 RSA private key in PKCS#1 file format. If specified, the RSA key used for enrollment is stored in file \fIfilename\fP.
 If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file.
-.br 
+.br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der.
 .IP "\fBpkcs10\fP" 12
 PKCS#10 certificate request. If specified, the PKCS#10 request used or certificate enrollment is stored in file \fIfilename\fP.
-If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. 
-.br 
+If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file.
+.br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der.
 .IP "\fBpkcs7\fP" 12
 PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP request is stored in file \fIfilename\fP.
 If none of \fItypes\fP listed below is not specified, \fBscepclient\fP will stop after outputting this file.
-.br 
+.br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/req/pkcs7.der.
 .IP "\fBcert-self\fP" 12
 Self-signed certificate. If specified the self-signed certificate is stored in file \fIfilename\fP.
-.br 
+.br
 The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
 .IP "\fBcert\fP" 12
 Enrolled certificate. This \fItype\fP must be specified for certificate enrollment.
 The enrolled certificate is stored in file \fIfilename\fP.
-.br 
+.br
 The default \fIfilename\fP is set to $CONFDIR/ipsec.d/certs/myCert.der.
 .RE
-.PP 
+.PP
 .B \-m, \-\-method \fImethod\fP
 .RS 4
 Change HTTP request method for certificate enrollment. Default is \fBget\fP.
-.PP 
+.PP
 Supported values for \fImethod\fP:
 .IP "\fBpost\fP" 12
 Certificate enrollment using HTTP POST. Must be supported by the given SCEP server.
 .IP "\fBget\fP" 12
 Certificate enrollment using HTTP GET.
 .RE
-.PP 
+.PP
 .B \-t, \-\-interval \fIseconds\fP
 .RS 4
 Set interval time in seconds when polling in manual mode.
 The default interval is set to 5 seconds.
 .RE
-.PP 
+.PP
 .B \-x, \-\-maxpolltime \fIseconds\fP
 .RS 4
 Set max time in seconds to poll in manual mode.
@@ -222,64 +247,41 @@ The default max time is set to unlimited.
 .RE
 
 .SS Debugging Output Options:
-.B \-A, \-\-debug\-all
-.RS 4
-Log everything except private data.
-.RE
-.PP 
-.B \-P, \-\-debug\-parsing
-.RS 4
-Log parsing relevant stuff.
-.RE
-.PP 
-.B \-R, \-\-debug\-raw
+.B \-l, \-\-debug \fIlevel\fP
 .RS 4
-Log raw hex dumps.
-.RE
-.PP 
-.B \-C, \-\-debug\-control
-.RS 4
-Log information about control flow.
-.RE
-.PP 
-.B \-M, \-\-debug\-controlmore
-.RS 4
-Log more detailed information about control flow.
-.RE
-.PP 
-.B \-X, \-\-debug\-private
-.RS 4
-Log sensitive data (e.g. private keys).
+Changes the log level (-1..4, default: 1)
 .RE
 .SH "EXAMPLES"
 .B  ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f
 .RS 4
 Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der.
-If more then one CA certificate is returned, store them in files named caCert.der\-1', caCert.der\-2', etc. 
-.br 
-Existing files are overwritten.
+If more then one CA certificate is returned, store them in files named
+\'caCert\-1.der\', \'caCert\-2.der\', etc.
+If an RA certificate is returned, store it in a file named \'caCert\-ra.der\'.
+If more than one RA certificate is returned, store them in files named
+\'caCert\-ra\-1.der\', \'caCert\-ra\-2.der\', etc.
 .RE
-.PP 
+.PP
 .B  ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024
 .RS 4
 Generate RSA private key with key length of 1024 bit and store it in file joeKey.der.
 .RE
-.PP 
+.PP
 .B  ipsec scepclient \-\-in pkcs1=joeKey.der \-\-out pkcs10=joeReq.der \e
-.br 
+.br
 .B \-\-dn \*(rqC=AT, CN=John Doe\*(rq \-s email=john@doe.com \-p mypassword
 .RS 4
 Generate a PKCS#10 request and store it in file joeReq.der. Use the RSA private key joeKey.der
-created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a 
+created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a
 email\-subjectAltName and a challenge password in the request.
 .RE
-.PP 
+.PP
 .B  ipsec scepclient \-\-out pkcs1=joeKey.der \-\-out cert==joeCert.der \e
-.br 
+.br
 .B \-\-dn \*(rqC=CH, CN=John Doe\*(rq \-k 512 \-p 5xH2pnT7wq \e
-.br 
+.br
 .B \-\-url http://scep.hsr.ch/cgi\-bin/pkiclient.exe \e
-.br 
+.br
 .B \-\-in cacert\-enc=caCert.der \-\-in cacert\-sig=caCert.der
 .RS 4
 Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and store as joeCert.der.
@@ -292,9 +294,9 @@ caCert.der.
 \fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks.
 .SH "COPYRIGHT"
 Copyright (C) 2005 Jan Hutter, Martin Willi
-.br 
+.br
 Hochschule fuer Technik Rapperswil
-.PP 
+.PP
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-.PP 
+.PP
 This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 0b54eeee3..1267370ba 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,17 +14,6 @@
  * for more details.
  */
 
-/**
- * @file main.c
- * @brief scepclient main program
- */
-
-/**
- * @mainpage SCEP for Linux strongSwan
- *
- * Documentation of SCEP for Linux StrongSwan
- */
-
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -32,16 +22,16 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <time.h>
-
-#include <freeswan.h>
+#include <limits.h>
+#include <syslog.h>
 
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 #include <utils/optionsfrom.h>
-#include <utils/enumerator.h>
-#include <utils/linked_list.h>
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/crypters/crypter.h>
 #include <crypto/proposal/proposal_keywords.h>
@@ -50,20 +40,21 @@
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/pkcs10.h>
+#include <credentials/sets/mem_cred.h>
 #include <plugins/plugin.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-#include "../pluto/certs.h"
-#include "../pluto/pkcs7.h"
-
 #include "scep.h"
 
 /*
  * definition of some defaults
  */
 
+/* some paths */
+#define REQ_PATH                        IPSEC_CONFDIR "/ipsec.d/reqs"
+#define HOST_CERT_PATH                  IPSEC_CONFDIR "/ipsec.d/certs"
+#define CA_CERT_PATH                    IPSEC_CONFDIR "/ipsec.d/cacerts"
+#define PRIVATE_KEY_PATH                IPSEC_CONFDIR "/ipsec.d/private"
+
 /* default name of DER-encoded PKCS#1 private key file */
 #define DEFAULT_FILENAME_PKCS1          "myKey.der"
 
@@ -100,6 +91,9 @@
 /* default distinguished name */
 #define DEFAULT_DN "C=CH, O=Linux strongSwan, CN="
 
+/* minimum RSA key size */
+#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
+
 /* challenge password buffer size */
 #define MAX_PASSWORD_LENGTH 256
 
@@ -119,13 +113,18 @@ long crl_check_interval = 0;
 /* by default pluto logs out after every smartcard use */
 bool pkcs11_keep_state = FALSE;
 
+/* by default HTTP fetch timeout is 30s */
+static u_int http_timeout = 30;
+
+/* address to bind for HTTP fetches */
+static char* http_bind = NULL;
+
 /* options read by optionsfrom */
 options_t *options;
 
 /*
  * Global variables
  */
-
 chunk_t pkcs1;
 chunk_t pkcs7;
 chunk_t challengePassword;
@@ -148,16 +147,129 @@ certificate_t *x509_ca_enc     = NULL;
 certificate_t *x509_ca_sig     = NULL;
 certificate_t *pkcs10_req      = NULL;
 
+mem_cred_t *creds              = NULL;
+
+/* logging */
+static bool log_to_stderr = TRUE;
+static bool log_to_syslog = TRUE;
+static level_t default_loglevel = 1;
+
+/**
+ * logging function for scepclient
+ */
+static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (level <= default_loglevel)
+	{
+		if (log_to_stderr)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			va_end(args);
+			fprintf(stderr, "\n");
+		}
+		if (log_to_syslog)
+		{
+			/* write in memory buffer first */
+			va_start(args, fmt);
+			vsnprintf(buffer, sizeof(buffer), fmt, args);
+			va_end(args);
+
+			/* do a syslog with every line */
+			while (current)
+			{
+				next = strchr(current, '\n');
+				if (next)
+				{
+					*(next++) = '\0';
+				}
+				syslog(LOG_INFO, "%s\n", current);
+				current = next;
+			}
+		}
+	}
+}
+
+/**
+ * Initialize logging to stderr/syslog
+ */
+static void init_log(const char *program)
+{
+	dbg = scepclient_dbg;
+
+	if (log_to_stderr)
+	{
+		setbuf(stderr, NULL);
+	}
+	if (log_to_syslog)
+	{
+		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	}
+}
+
+/**
+ * join two paths if filename is not absolute
+ */
+static void join_paths(char *target, size_t target_size, char *parent,
+					   char *filename)
+{
+	if (*filename == '/' || *filename == '.')
+	{
+		snprintf(target, target_size, "%s", filename);
+	}
+	else
+	{
+		snprintf(target, target_size, "%s/%s", parent, filename);
+	}
+}
+
+/**
+ * add a suffix to a given filename, properly handling extensions like '.der'
+ */
+static void add_path_suffix(char *target, size_t target_size, char *filename,
+							char *suffix_fmt, ...)
+{
+	char suffix[PATH_MAX], *start, *dot;
+	va_list args;
+
+	va_start(args, suffix_fmt);
+	vsnprintf(suffix, sizeof(suffix), suffix_fmt, args);
+	va_end(args);
+
+	start = strrchr(filename, '/');
+	start = start ?: filename;
+	dot = strrchr(start, '.');
+
+	if (!dot || dot == start || dot[1] == '\0')
+	{	/* no extension add suffix at the end */
+		snprintf(target, target_size, "%s%s", filename, suffix);
+	}
+	else
+	{	/* add the suffix between the filename and the extension */
+		snprintf(target, target_size, "%.*s%s%s", (int)(dot - filename),
+				 filename, suffix, dot);
+	}
+}
+
 /**
  * @brief exit scepclient
  *
  * @param status 0 = OK, 1 = general discomfort
  */
-static void
-exit_scepclient(err_t message, ...)
+static void exit_scepclient(err_t message, ...)
 {
 	int status = 0;
 
+	if (creds)
+	{
+		lib->credmgr->remove_set(lib->credmgr, &creds->set);
+		creds->destroy(creds);
+	}
+
 	DESTROY_IF(subject);
 	DESTROY_IF(private_key);
 	DESTROY_IF(public_key);
@@ -183,7 +295,7 @@ exit_scepclient(err_t message, ...)
 	if (message != NULL && *message != '\0')
 	{
 		va_list args;
-		char m[LOG_WIDTH];      /* longer messages will be truncated */
+		char m[8192];
 
 		va_start(args, message);
 		vsnprintf(m, sizeof(m), message, args);
@@ -193,7 +305,6 @@ exit_scepclient(err_t message, ...)
 		status = -1;
 	}
 	library_deinit();
-	close_log();
 	exit(status);
 }
 
@@ -201,8 +312,7 @@ exit_scepclient(err_t message, ...)
  * @brief prints the program version and exits
  *
  */
-static void
-version(void)
+static void version(void)
 {
 	printf("scepclient %s\n", scepclient_version);
 	exit_scepclient(NULL);
@@ -214,31 +324,38 @@ version(void)
  * If message is set, program is exitet with 1 (error)
  * @param message message in case of an error
  */
-static void
-usage(const char *message)
+static void usage(const char *message)
 {
 	fprintf(stderr,
 		"Usage: scepclient\n"
 		" --help (-h)                       show usage and exit\n"
 		" --version (-v)                    show version and exit\n"
 		" --quiet (-q)                      do not write log output to stderr\n"
-		" --in (-i) <type>[=<filename>]     use <filename> of <type> for input \n"
-		"                                   <type> = pkcs1 | cacert-enc |  cacert-sig\n"
-		"                                   - if no pkcs1 input is defined, a \n"
-		"                                     RSA key will be generated\n"
+		" --in (-i) <type>[=<filename>]     use <filename> of <type> for input\n"
+		"                                   <type> = pkcs1 | pkcs10 | cert-self\n"
+		"                                            cacert-enc | cacert-sig\n"
+		"                                   - if no pkcs1 input is defined, an RSA\n"
+		"                                     key will be generated\n"
+		"                                   - if no pkcs10 input is defined, a\n"
+		"                                     PKCS#10 request will be generated\n"
+		"                                   - if no cert-self input is defined, a\n"
+		"                                     self-signed certificate will be generated\n"
 		"                                   - if no filename is given, default is used\n"
 		" --out (-o) <type>[=<filename>]    write output of <type> to <filename>\n"
 		"                                   multiple outputs are allowed\n"
-		"                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self | cert | cacert\n"
+		"                                   <type> = pkcs1 | pkcs10 | pkcs7 | cert-self |\n"
+		"                                            cert | cacert\n"
 		"                                   - type cacert defines filename prefix of\n"
 		"                                     received CA certificate(s)\n"
 		"                                   - if no filename is given, default is used\n"
 		" --optionsfrom (-+) <filename>     reads additional options from given file\n"
 		" --force (-f)                      force existing file(s)\n"
+		" --httptimeout (-T)                timeout for HTTP operations (default: 30s)\n"
+		" --bind (-b)                       source address to bind for HTTP operations\n"
 		"\n"
 		"Options for key generation (pkcs1):\n"
 		" --keylength (-k) <bits>           key length for RSA key generation\n"
-											"(default: 2048 bits)\n"
+		"                                   (default: 2048 bits)\n"
 		"\n"
 		"Options for validity:\n"
 		" --days (-D) <days>                validity in days\n"
@@ -250,27 +367,29 @@ usage(const char *message)
 		" --subjectAltName (-s) <t>=<v>     include subjectAltName in certificate request\n"
 		"                                   <t> =  email | dns | ip \n"
 		" --password (-p) <pw>              challenge password\n"
-		"                                   - if pw is '%%prompt', password gets prompted for\n"
-		" --algorithm (-a) <algo>           use specified algorithm for PKCS#7 encryption\n"
-		"                                   <algo> = des | 3des (default) | aes128| aes192 | \n"
-		"                                   aes256 | camellia128 | camellia192 | camellia256\n"
+		"                                   - use '%%prompt' as pw for a password prompt\n"
+		" --algorithm (-a) [<type>=]<algo>  algorithm to be used for PKCS#7 encryption,\n"
+		"                                   PKCS#7 digest or PKCS#10 signature\n"
+		"                                   <type> = enc | dgst | sig\n"
+		"                                   - if no type is given enc is assumed\n"
+		"                                   <algo> = des (default) | 3des | aes128 |\n"
+		"                                            aes192 | aes256 | camellia128 |\n"
+		"                                            camellia192 | camellia256\n"
+		"                                   <algo> = md5 (default) | sha1 | sha256 |\n"
+		"                                            sha384 | sha512\n"
 		"\n"
+		"Options for CA certificate acquisition:\n"
+		" --caname (-c) <name>              name of CA to fetch CA certificate(s)\n"
+		"                                   (default: CAIdentifier)\n"
 		"Options for enrollment (cert):\n"
 		" --url (-u) <url>                  url of the SCEP server\n"
 		" --method (-m) post | get          http request type\n"
-		" --interval (-t) <seconds>         manual mode poll interval in seconds (default 20s)\n"
+		" --interval (-t) <seconds>         poll interval in seconds (default 20s)\n"
 		" --maxpolltime (-x) <seconds>      max poll time in seconds when in manual mode\n"
 		"                                   (default: unlimited)\n"
-#ifdef DEBUG
 		"\n"
 		"Debugging output:\n"
-		" --debug-all (-A)                  show everything except private\n"
-		" --debug-parsing (-P)              show parsing relevant stuff\n"
-		" --debug-raw (-R)                  show raw hex dumps\n"
-		" --debug-control (-C)              show control flow output\n"
-		" --debug-controlmore (-M)          show more control flow\n"
-		" --debug-private (-X)              show sensitive data (private keys, etc.)\n"
-#endif
+		" --debug (-l) <level>              changes the log level (-1..4, default: 1)\n"
 		);
 	exit_scepclient(message);
 }
@@ -295,7 +414,7 @@ int main(int argc, char **argv)
 		CERT_SELF  =  0x08,
 		CERT       =  0x10,
 		CACERT_ENC =  0x20,
-		CACERT_SIG =  0x40
+		CACERT_SIG =  0x40,
 	} scep_filetype_t;
 
 	/* filetype to read from, defaults to "generate a key" */
@@ -306,6 +425,8 @@ int main(int argc, char **argv)
 
 	/* input files */
 	char *file_in_pkcs1      = DEFAULT_FILENAME_PKCS1;
+	char *file_in_pkcs10     = DEFAULT_FILENAME_PKCS10;
+	char *file_in_cert_self  = DEFAULT_FILENAME_CERT_SELF;
 	char *file_in_cacert_enc = DEFAULT_FILENAME_CACERT_ENC;
 	char *file_in_cacert_sig = DEFAULT_FILENAME_CACERT_SIG;
 
@@ -337,18 +458,22 @@ int main(int argc, char **argv)
 	/* challenge password */
 	char challenge_password_buffer[MAX_PASSWORD_LENGTH];
 
-	/* symmetric encryption algorithm used by pkcs7, default is 3DES */
-	int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
+	/* symmetric encryption algorithm used by pkcs7, default is DES */
+	encryption_algorithm_t pkcs7_symmetric_cipher = ENCR_DES;
+	size_t pkcs7_key_size = 0;
 
-	/* digest algorithm used by pkcs7, default is SHA-1 */
-	int pkcs7_digest_alg = OID_SHA1;
+	/* digest algorithm used by pkcs7, default is MD5 */
+	hash_algorithm_t pkcs7_digest_alg = HASH_MD5;
 
-	/* signature algorithm used by pkcs10, default is SHA-1 */
-	hash_algorithm_t pkcs10_signature_alg = HASH_SHA1;
+	/* signature algorithm used by pkcs10, default is MD5 */
+	hash_algorithm_t pkcs10_signature_alg = HASH_MD5;
 
 	/* URL of the SCEP-Server */
 	char *scep_url = NULL;
 
+	/* Name of CA to fetch CA certs for */
+	char *ca_name = "CAIdentifier";
+
 	/* http request method, default is GET */
 	bool http_get_request = TRUE;
 
@@ -388,7 +513,6 @@ int main(int argc, char **argv)
 	scep_response     = chunk_empty;
 	subjectAltNames   = linked_list_create();
 	options           = options_create();
-	log_to_stderr     = TRUE;
 
 	for (;;)
 	{
@@ -398,9 +522,12 @@ int main(int argc, char **argv)
 			{ "version", no_argument, NULL, 'v' },
 			{ "optionsfrom", required_argument, NULL, '+' },
 			{ "quiet", no_argument, NULL, 'q' },
+			{ "debug", required_argument, NULL, 'l' },
 			{ "in", required_argument, NULL, 'i' },
 			{ "out", required_argument, NULL, 'o' },
 			{ "force", no_argument, NULL, 'f' },
+			{ "httptimeout", required_argument, NULL, 'T' },
+			{ "bind", required_argument, NULL, 'b' },
 			{ "keylength", required_argument, NULL, 'k' },
 			{ "dn", required_argument, NULL, 'd' },
 			{ "days", required_argument, NULL, 'D' },
@@ -410,39 +537,36 @@ int main(int argc, char **argv)
 			{ "password", required_argument, NULL, 'p' },
 			{ "algorithm", required_argument, NULL, 'a' },
 			{ "url", required_argument, NULL, 'u' },
+			{ "caname", required_argument, NULL, 'c'},
 			{ "method", required_argument, NULL, 'm' },
 			{ "interval", required_argument, NULL, 't' },
 			{ "maxpolltime", required_argument, NULL, 'x' },
-#ifdef DEBUG
-			{ "debug-all", no_argument, NULL, 'A' },
-			{ "debug-parsing", no_argument, NULL, 'P'},
-			{ "debug-raw", no_argument, NULL, 'R'},
-			{ "debug-control", no_argument, NULL, 'C'},
-			{ "debug-controlmore", no_argument, NULL, 'M'},
-			{ "debug-private", no_argument, NULL, 'X'},
-#endif
 			{ 0,0,0,0 }
 		};
 
 		/* parse next option */
-		int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:m:t:x:APRCMS", long_opts, NULL);
+		int c = getopt_long(argc, argv, "hv+:qi:o:fk:d:s:p:a:u:c:m:t:x:APRCMS", long_opts, NULL);
 
 		switch (c)
 		{
-		case EOF:       /* end of flags */
-			break;
+			case EOF:       /* end of flags */
+				break;
 
-		case 'h':       /* --help */
-			usage(NULL);
+			case 'h':       /* --help */
+				usage(NULL);
 
-		case 'v':       /* --version */
-			version();
+			case 'v':       /* --version */
+				version();
 
-		case 'q':       /* --quiet */
-			log_to_stderr = FALSE;
-			continue;
+			case 'q':       /* --quiet */
+				log_to_stderr = FALSE;
+				continue;
+
+			case 'l':		/* --debug <level> */
+				default_loglevel = atoi(optarg);
+				continue;
 
-		case 'i':       /* --in <type> [= <filename>] */
+			case 'i':       /* --in <type> [= <filename>] */
 			{
 				char *filename = strstr(optarg, "=");
 
@@ -459,6 +583,12 @@ int main(int argc, char **argv)
 					if (filename)
 						file_in_pkcs1 = filename;
 				}
+				else if (strcaseeq("pkcs10", optarg))
+				{
+					filetype_in |= PKCS10;
+					if (filename)
+						file_in_pkcs10 = filename;
+				}
 				else if (strcaseeq("cacert-enc", optarg))
 				{
 					filetype_in |= CACERT_ENC;
@@ -469,7 +599,13 @@ int main(int argc, char **argv)
 				{
 					filetype_in |= CACERT_SIG;
 					if (filename)
-						 file_in_cacert_sig = filename;
+						file_in_cacert_sig = filename;
+				}
+				else if (strcaseeq("cert-self", optarg))
+				{
+					filetype_in |= CERT_SELF;
+					if (filename)
+						file_in_cert_self = filename;
 				}
 				else
 				{
@@ -478,7 +614,7 @@ int main(int argc, char **argv)
 				continue;
 			}
 
-		case 'o':       /* --out <type> [= <filename>] */
+			case 'o':       /* --out <type> [= <filename>] */
 			{
 				char *filename = strstr(optarg, "=");
 
@@ -532,18 +668,30 @@ int main(int argc, char **argv)
 				continue;
 			}
 
-		case 'f':       /* --force */
-			force = TRUE;
-			continue;
+			case 'f':       /* --force */
+				force = TRUE;
+				continue;
 
-		case '+':       /* --optionsfrom <filename> */
-			if (!options->from(options, optarg, &argc, &argv, optind))
-			{
-				exit_scepclient("optionsfrom failed");
-			}
-			continue;
+			case 'T':       /* --httptimeout */
+				http_timeout = atoi(optarg);
+				if (http_timeout <= 0)
+				{
+					usage("invalid httptimeout specified");
+				}
+				continue;
+
+			case 'b':       /* --bind */
+				http_bind = optarg;
+				continue;
+
+			case '+':       /* --optionsfrom <filename> */
+				if (!options->from(options, optarg, &argc, &argv, optind))
+				{
+					exit_scepclient("optionsfrom failed");
+				}
+				continue;
 
-		case 'k':        /* --keylength <length> */
+			case 'k':        /* --keylength <length> */
 			{
 				div_t q;
 
@@ -561,45 +709,56 @@ int main(int argc, char **argv)
 				continue;
 			}
 
-		case 'D':       /* --days */
-			if (optarg == NULL || !isdigit(optarg[0]))
-				usage("missing number of days");
-			{
-				char *endptr;
-				long days = strtol(optarg, &endptr, 0);
+			case 'D':       /* --days */
+				if (optarg == NULL || !isdigit(optarg[0]))
+				{
+					usage("missing number of days");
+				}
+				else
+				{
+					char *endptr;
+					long days = strtol(optarg, &endptr, 0);
 
-				if (*endptr != '\0' || endptr == optarg
-				|| days <= 0)
-					usage("<days> must be a positive number");
-				validity = 24*3600*days;
-			}
-			continue;
+					if (*endptr != '\0' || endptr == optarg
+					|| days <= 0)
+						usage("<days> must be a positive number");
+					validity = 24*3600*days;
+				}
+				continue;
 
-		case 'S':       /* --startdate */
-			if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
-				usage("date format must be YYMMDDHHMMSSZ");
-			{
-				chunk_t date = { optarg, 13 };
-				notBefore = asn1_to_time(&date, ASN1_UTCTIME);
-			}
-			continue;
+			case 'S':       /* --startdate */
+				if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+				{
+					usage("date format must be YYMMDDHHMMSSZ");
+				}
+				else
+				{
+					chunk_t date = { optarg, 13 };
+					notBefore = asn1_to_time(&date, ASN1_UTCTIME);
+				}
+				continue;
 
-		case 'E':       /* --enddate */
-			if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
-				usage("date format must be YYMMDDHHMMSSZ");
-			{
-				chunk_t date = { optarg, 13 };
-				notAfter = asn1_to_time(&date, ASN1_UTCTIME);
-			}
-			continue;
+			case 'E':       /* --enddate */
+				if (optarg == NULL || strlen(optarg) != 13 || optarg[12] != 'Z')
+				{
+					usage("date format must be YYMMDDHHMMSSZ");
+				}
+				else
+				{
+					chunk_t date = { optarg, 13 };
+					notAfter = asn1_to_time(&date, ASN1_UTCTIME);
+				}
+				continue;
 
-		case 'd':       /* --dn */
-			if (distinguishedName)
-				usage("only one distinguished name allowed");
-			distinguishedName = optarg;
-			continue;
+			case 'd':       /* --dn */
+				if (distinguishedName)
+				{
+					usage("only one distinguished name allowed");
+				}
+				distinguishedName = optarg;
+				continue;
 
-		case 's':       /* --subjectAltName */
+			case 's':       /* --subjectAltName */
 			{
 				char *value = strstr(optarg, "=");
 
@@ -612,7 +771,7 @@ int main(int argc, char **argv)
 				}
 
 				if (strcaseeq("email", optarg) ||
-					strcaseeq("dns", optarg)   ||
+					strcaseeq("dns", optarg) ||
 					strcaseeq("ip", optarg))
 				{
 					subjectAltNames->insert_last(subjectAltNames,
@@ -626,126 +785,155 @@ int main(int argc, char **argv)
 				}
 			}
 
-		case 'p':       /* --password */
-			if (challengePassword.len > 0)
-			{
-				usage("only one challenge password allowed");
-			}
-			if (strcaseeq("%prompt", optarg))
-			{
-				printf("Challenge password: ");
-				if (fgets(challenge_password_buffer, sizeof(challenge_password_buffer)-1, stdin))
+			case 'p':       /* --password */
+				if (challengePassword.len > 0)
+				{
+					usage("only one challenge password allowed");
+				}
+				if (strcaseeq("%prompt", optarg))
 				{
-					challengePassword.ptr = challenge_password_buffer;
-					/* discard the terminating '\n' from the input */
-					challengePassword.len = strlen(challenge_password_buffer) - 1;
+					printf("Challenge password: ");
+					if (fgets(challenge_password_buffer,
+							sizeof(challenge_password_buffer) - 1, stdin))
+					{
+						challengePassword.ptr = challenge_password_buffer;
+						/* discard the terminating '\n' from the input */
+						challengePassword.len = strlen(challenge_password_buffer) - 1;
+					}
+					else
+					{
+						usage("challenge password could not be read");
+					}
 				}
 				else
 				{
-					usage("challenge password could not be read");
+					challengePassword.ptr = optarg;
+					challengePassword.len = strlen(optarg);
 				}
-			}
-			else
-			{
-				challengePassword.ptr = optarg;
-				challengePassword.len = strlen(optarg);
-			}
-			continue;
+				continue;
 
-		case 'u':       /* -- url */
-			if (scep_url)
-			{
-				usage("only one URL argument allowed");
-			}
-			scep_url = optarg;
-			continue;
+			case 'u':       /* -- url */
+				if (scep_url)
+				{
+					usage("only one URL argument allowed");
+				}
+				scep_url = optarg;
+				continue;
 
-		case 'm':       /* --method */
-			if (strcaseeq("get", optarg))
-			{
-				http_get_request = TRUE;
-			}
-			else if (strcaseeq("post", optarg))
-			{
-				http_get_request = FALSE;
-			}
-			else
-			{
-				usage("invalid http request method specified");
-			}
-			continue;
+			case 'c':       /* -- caname */
+				ca_name = optarg;
+				continue;
 
-		case 't':       /* --interval */
-			poll_interval = atoi(optarg);
-			if (poll_interval <= 0)
-			{
-				usage("invalid interval specified");
-			}
-			continue;
+			case 'm':       /* --method */
+				if (strcaseeq("get", optarg))
+				{
+					http_get_request = TRUE;
+				}
+				else if (strcaseeq("post", optarg))
+				{
+					http_get_request = FALSE;
+				}
+				else
+				{
+					usage("invalid http request method specified");
+				}
+				continue;
 
-		case 'x':       /* --maxpolltime */
-			max_poll_time = atoi(optarg);
-			continue;
+			case 't':       /* --interval */
+				poll_interval = atoi(optarg);
+				if (poll_interval <= 0)
+				{
+					usage("invalid interval specified");
+				}
+				continue;
 
-		case 'a':       /*--algorithm */
-		{
-			const proposal_token_t *token;
+			case 'x':       /* --maxpolltime */
+				max_poll_time = atoi(optarg);
+				continue;
 
-			token = proposal_get_token(optarg, strlen(optarg));
-			if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
+			case 'a':       /*--algorithm [<type>=]algo */
 			{
-				usage("invalid algorithm specified");
-			}
-			pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
-										token->algorithm, token->keysize);
-			if (pkcs7_symmetric_cipher == OID_UNKNOWN)
-			{
-				usage("unsupported encryption algorithm specified");
+				const proposal_token_t *token;
+				char *type = optarg;
+				char *algo = strstr(optarg, "=");
+
+				if (algo)
+				{
+					*algo = '\0';
+					algo++;
+				}
+				else
+				{
+					type = "enc";
+					algo = optarg;
+				}
+
+				if (strcaseeq("enc", type))
+				{
+					token = lib->proposal->get_token(lib->proposal, algo);
+					if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
+					{
+						usage("invalid algorithm specified");
+					}
+					pkcs7_symmetric_cipher = token->algorithm;
+					pkcs7_key_size = token->keysize;
+					if (encryption_algorithm_to_oid(token->algorithm,
+								token->keysize) == OID_UNKNOWN)
+					{
+						usage("unsupported encryption algorithm specified");
+					}
+				}
+				else if (strcaseeq("dgst", type) ||
+						 strcaseeq("sig", type))
+				{
+					hash_algorithm_t hash;
+
+					token = lib->proposal->get_token(lib->proposal, algo);
+					if (token == NULL || token->type != INTEGRITY_ALGORITHM)
+					{
+						usage("invalid algorithm specified");
+					}
+					hash = hasher_algorithm_from_integrity(token->algorithm,
+														   NULL);
+					if (hash == OID_UNKNOWN)
+					{
+						usage("invalid algorithm specified");
+					}
+					if (strcaseeq("dgst", type))
+					{
+						pkcs7_digest_alg = hash;
+					}
+					else
+					{
+						pkcs10_signature_alg = hash;
+					}
+				}
+				else
+				{
+					usage("invalid --algorithm type");
+				}
+				continue;
 			}
-			continue;
-		}
-#ifdef DEBUG
-		case 'A':       /* --debug-all */
-			base_debugging |= DBG_ALL;
-			continue;
-		case 'P':       /* debug parsing */
-			base_debugging |= DBG_PARSING;
-			continue;
-		case 'R':       /* debug raw */
-			base_debugging |= DBG_RAW;
-			continue;
-		case 'C':       /* debug control */
-			base_debugging |= DBG_CONTROL;
-			continue;
-		case 'M':       /* debug control more */
-			base_debugging |= DBG_CONTROLMORE;
-			continue;
-		case 'X':       /* debug private */
-			base_debugging |= DBG_PRIVATE;
-			continue;
-#endif
-		default:
-			usage("unknown option");
+			default:
+				usage("unknown option");
 		}
 		/* break from loop */
 		break;
 	}
-	cur_debugging = base_debugging;
 
 	init_log("scepclient");
 
 	/* load plugins, further infrastructure may need it */
-	if (!lib->plugins->load(lib->plugins, NULL,
+	if (!lib->plugins->load(lib->plugins,
 			lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
 	{
 		exit_scepclient("plugin loading failed");
 	}
-	DBG1(DBG_LIB, "  loaded plugins: %s",
-		 lib->plugins->loaded_plugins(lib->plugins));
+	lib->plugins->status(lib->plugins, LEVEL_DIAG);
 
 	if ((filetype_out == 0) && (!request_ca_certificate))
 	{
-		usage ("--out filetype required");
+		usage("--out filetype required");
 	}
 	if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
 	{
@@ -767,27 +955,107 @@ int main(int argc, char **argv)
 	/* get CA cert */
 	if (request_ca_certificate)
 	{
-		char *path = concatenate_paths(CA_CERT_PATH, file_out_ca_cert);
+		char ca_path[PATH_MAX];
+		container_t *container;
+		pkcs7_t *pkcs7;
 
-		if (!scep_http_request(scep_url, chunk_empty, SCEP_GET_CA_CERT,
-							   http_get_request, &scep_response))
+		if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
+							   SCEP_GET_CA_CERT, http_get_request,
+							   http_timeout, http_bind, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
 
-		if (!chunk_write(scep_response, path, "ca cert",  0022, force))
+		join_paths(ca_path, sizeof(ca_path), CA_CERT_PATH, file_out_ca_cert);
+
+		pkcs7 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
+								BUILD_BLOB_ASN1_DER, scep_response, BUILD_END);
+
+		if (!pkcs7)
+		{	/* no PKCS#7 encoded CA+RA certificates, assume simple CA cert */
+
+			DBG1(DBG_APP, "unable to parse PKCS#7, assuming plain CA cert");
+			if (!chunk_write(scep_response, ca_path, "ca cert",  0022, force))
+			{
+				exit_scepclient("could not write ca cert file '%s'", ca_path);
+			}
+		}
+		else
 		{
-			exit_scepclient("could not write ca cert file '%s'", path);
+			enumerator_t *enumerator;
+			certificate_t *cert;
+			int ra_certs = 0, ca_certs = 0;
+			int ra_index = 1, ca_index = 1;
+
+			enumerator = pkcs7->create_cert_enumerator(pkcs7);
+			while (enumerator->enumerate(enumerator, &cert))
+			{
+				x509_t *x509 = (x509_t*)cert;
+				if (x509->get_flags(x509) & X509_CA)
+				{
+					ca_certs++;
+				}
+				else
+				{
+					ra_certs++;
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			enumerator = pkcs7->create_cert_enumerator(pkcs7);
+			while (enumerator->enumerate(enumerator, &cert))
+			{
+				x509_t *x509 = (x509_t*)cert;
+				bool ca_cert = x509->get_flags(x509) & X509_CA;
+				char cert_path[PATH_MAX], *path = ca_path;
+
+				if (ca_cert && ca_certs > 1)
+				{
+					add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+									"-%.1d", ca_index++);
+					path = cert_path;
+				}
+				else if (!ca_cert)
+				{	/* use CA name as base for RA certs */
+					if (ra_certs > 1)
+					{
+						add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+										"-ra-%.1d", ra_index++);
+					}
+					else
+					{
+						add_path_suffix(cert_path, sizeof(cert_path), ca_path,
+										"-ra");
+					}
+					path = cert_path;
+				}
+
+				if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) ||
+					!chunk_write(encoding, path,
+								 ca_cert ? "ca cert" : "ra cert", 0022, force))
+				{
+					exit_scepclient("could not write cert file '%s'", path);
+				}
+				chunk_free(&encoding);
+			}
+			enumerator->destroy(enumerator);
+			container = &pkcs7->container;
+			container->destroy(container);
 		}
 		exit_scepclient(NULL); /* no further output required */
 	}
 
+	creds = mem_cred_create();
+	lib->credmgr->add_set(lib->credmgr, &creds->set);
+
 	/*
 	 * input of PKCS#1 file
 	 */
 	if (filetype_in & PKCS1)    /* load an RSA key pair from file */
 	{
-		char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
+		char path[PATH_MAX];
+
+		join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_in_pkcs1);
 
 		private_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 										 BUILD_FROM_FILE, path, BUILD_END);
@@ -802,13 +1070,14 @@ int main(int argc, char **argv)
 	{
 		exit_scepclient("no RSA private key available");
 	}
+	creds->add_key(creds, private_key->get_ref(private_key));
 	public_key = private_key->get_public_key(private_key);
 
 	/* check for minimum key length */
 	if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
 	{
-		exit_scepclient("length of RSA key has to be at least %d bits"
-			,RSA_MIN_OCTETS * BITS_PER_BYTE);
+		exit_scepclient("length of RSA key has to be at least %d bits",
+						RSA_MIN_OCTETS * BITS_PER_BYTE);
 	}
 
 	/*
@@ -816,13 +1085,19 @@ int main(int argc, char **argv)
 	 */
 	if (filetype_in & PKCS10)
 	{
-		/* user wants to load a pkcs10 request
-		 * operation is not yet supported
-		 * would require a PKCS#10 parsing function
+		char path[PATH_MAX];
 
-		pkcs10 = pkcs10_read_from_file(file_in_pkcs10);
+		join_paths(path, sizeof(path), REQ_PATH, file_in_pkcs10);
 
-		 */
+		pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+										CERT_PKCS10_REQUEST, BUILD_FROM_FILE,
+										path, BUILD_END);
+		if (!pkcs10_req)
+		{
+			exit_scepclient("could not read certificate request '%s'", path);
+		}
+		subject = pkcs10_req->get_subject(pkcs10_req);
+		subject = subject->clone(subject);
 	}
 	else
 	{
@@ -840,41 +1115,39 @@ int main(int argc, char **argv)
 			distinguishedName = buf;
 		}
 
-		DBG(DBG_CONTROL,
-			DBG_log("dn: '%s'", distinguishedName);
-		)
+		DBG2(DBG_APP, "dn: '%s'", distinguishedName);
 		subject = identification_create_from_string(distinguishedName);
 		if (subject->get_type(subject) != ID_DER_ASN1_DN)
 		{
 			exit_scepclient("parsing of distinguished name failed");
 		}
 
-		DBG(DBG_CONTROL,
-			DBG_log("building pkcs10 object:")
-		)
+		DBG2(DBG_APP, "building pkcs10 object:");
 		pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
-						CERT_PKCS10_REQUEST,
-						BUILD_SIGNING_KEY, private_key,
-						BUILD_SUBJECT, subject,
-						BUILD_SUBJECT_ALTNAMES, subjectAltNames,
-						BUILD_CHALLENGE_PWD, challengePassword,
-						BUILD_DIGEST_ALG, pkcs10_signature_alg,
-						BUILD_END);
+										CERT_PKCS10_REQUEST,
+										BUILD_SIGNING_KEY, private_key,
+										BUILD_SUBJECT, subject,
+										BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+										BUILD_CHALLENGE_PWD, challengePassword,
+										BUILD_DIGEST_ALG, pkcs10_signature_alg,
+										BUILD_END);
 		if (!pkcs10_req)
 		{
 			exit_scepclient("generating pkcs10 request failed");
 		}
-		pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
-		fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
-		plog("  fingerprint:    %s", fingerprint.ptr);
 	}
+	pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
+	fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
+	DBG1(DBG_APP, "  fingerprint:    %s", fingerprint.ptr);
 
 	/*
 	 * output of PKCS#10 file
 	 */
 	if (filetype_out & PKCS10)
 	{
-		char *path = concatenate_paths(REQ_PATH, file_out_pkcs10);
+		char path[PATH_MAX];
+
+		join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs10);
 
 		if (!chunk_write(pkcs10_encoding, path, "pkcs10",  0022, force))
 		{
@@ -893,11 +1166,11 @@ int main(int argc, char **argv)
 	 */
 	if (filetype_out & PKCS1)
 	{
-		char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
+		char path[PATH_MAX];
 
-		DBG(DBG_CONTROL,
-			DBG_log("building pkcs1 object:")
-		)
+		join_paths(path, sizeof(path), PRIVATE_KEY_PATH, file_out_pkcs1);
+
+		DBG2(DBG_APP, "building pkcs1 object:");
 		if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
 			!chunk_write(pkcs1, path, "pkcs1", 0066, force))
 		{
@@ -912,32 +1185,52 @@ int main(int argc, char **argv)
 	}
 
 	scep_generate_transaction_id(public_key, &transID, &serialNumber);
-	plog("  transaction ID: %.*s", (int)transID.len, transID.ptr);
-
-	notBefore = notBefore ? notBefore : time(NULL);
-	notAfter  = notAfter  ? notAfter  : (notBefore + validity);
-
-	/* generate a self-signed X.509 certificate */
-	x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-						BUILD_SIGNING_KEY, private_key,
-						BUILD_PUBLIC_KEY, public_key,
-						BUILD_SUBJECT, subject,
-						BUILD_NOT_BEFORE_TIME, notBefore,
-						BUILD_NOT_AFTER_TIME, notAfter,
-						BUILD_SERIAL, serialNumber,
-						BUILD_SUBJECT_ALTNAMES, subjectAltNames,
-						BUILD_END);
-	if (!x509_signer)
+	DBG1(DBG_APP, "  transaction ID: %.*s", (int)transID.len, transID.ptr);
+
+	/*
+	 * read or generate self-signed X.509 certificate
+	 */
+	if (filetype_in & CERT_SELF)
 	{
-		exit_scepclient("generating certificate failed");
+		char path[PATH_MAX];
+
+		join_paths(path, sizeof(path), HOST_CERT_PATH, file_in_cert_self);
+
+		x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										 BUILD_FROM_FILE, path, BUILD_END);
+		if (!x509_signer)
+		{
+			exit_scepclient("could not read certificate file '%s'", path);
+		}
 	}
+	else
+	{
+		notBefore = notBefore ? notBefore : time(NULL);
+		notAfter  = notAfter  ? notAfter  : (notBefore + validity);
+		x509_signer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+										 BUILD_SIGNING_KEY, private_key,
+										 BUILD_PUBLIC_KEY, public_key,
+										 BUILD_SUBJECT, subject,
+										 BUILD_NOT_BEFORE_TIME, notBefore,
+										 BUILD_NOT_AFTER_TIME, notAfter,
+										 BUILD_SERIAL, serialNumber,
+										 BUILD_SUBJECT_ALTNAMES, subjectAltNames,
+										 BUILD_END);
+		if (!x509_signer)
+		{
+			exit_scepclient("generating certificate failed");
+		}
+	}
+	creds->add_cert(creds, TRUE, x509_signer->get_ref(x509_signer));
 
 	/*
 	 * output of self-signed X.509 certificate file
 	 */
 	if (filetype_out & CERT_SELF)
 	{
-		char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self);
+		char path[PATH_MAX];
+
+		join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert_self);
 
 		if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding))
 		{
@@ -960,7 +1253,9 @@ int main(int argc, char **argv)
 	 * load ca encryption certificate
 	 */
 	{
-		char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc);
+		char path[PATH_MAX];
+
+		join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_enc);
 
 		x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 										 BUILD_FROM_FILE, path, BUILD_END);
@@ -985,13 +1280,15 @@ int main(int argc, char **argv)
 	}
 	else
 	{
-		DBG(DBG_CONTROL,
-			DBG_log("building pkcs7 request")
-		)
+		DBG2(DBG_APP, "building pkcs7 request");
 		pkcs7 = scep_build_request(pkcs10_encoding,
-						transID, SCEP_PKCSReq_MSG,
-						x509_ca_enc, pkcs7_symmetric_cipher,
-						x509_signer, pkcs7_digest_alg, private_key);
+								   transID, SCEP_PKCSReq_MSG, x509_ca_enc,
+								   pkcs7_symmetric_cipher, pkcs7_key_size,
+								   x509_signer, pkcs7_digest_alg, private_key);
+		if (!pkcs7.ptr)
+		{
+			exit_scepclient("failed to build pkcs7 request");
+		}
 	}
 
 	/*
@@ -999,11 +1296,14 @@ int main(int argc, char **argv)
 	 */
 	if (filetype_out & PKCS7)
 	{
-		char *path = concatenate_paths(REQ_PATH, file_out_pkcs7);
+		char path[PATH_MAX];
+
+		join_paths(path, sizeof(path), REQ_PATH, file_out_pkcs7);
 
 		if (!chunk_write(pkcs7, path, "pkcs7 encrypted request", 0022, force))
+		{
 			exit_scepclient("could not write pkcs7 file '%s'", path);
-;
+		}
 		filetype_out &= ~PKCS7;   /* delete PKCS7 flag */
 	}
 
@@ -1020,14 +1320,14 @@ int main(int argc, char **argv)
 		bool stored = FALSE;
 		certificate_t *cert;
 		enumerator_t  *enumerator;
-		char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_sig);
+		char path[PATH_MAX];
 		time_t poll_start = 0;
+		pkcs7_t *p7;
+		container_t *container = NULL;
+		chunk_t chunk;
+		scep_attributes_t attrs = empty_scep_attributes;
 
-		linked_list_t    *certs         = linked_list_create();
-		chunk_t           envelopedData = chunk_empty;
-		chunk_t           certData      = chunk_empty;
-		contentInfo_t     data          = empty_contentInfo;
-		scep_attributes_t attrs         = empty_scep_attributes;
+		join_paths(path, sizeof(path), CA_CERT_PATH, file_in_cacert_sig);
 
 		x509_ca_sig = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 										 BUILD_FROM_FILE, path, BUILD_END);
@@ -1036,13 +1336,14 @@ int main(int argc, char **argv)
 			exit_scepclient("could not load signature cacert file '%s'", path);
 		}
 
+		creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
+
 		if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
-			http_get_request, &scep_response))
+					http_get_request, http_timeout, http_bind, &scep_response))
 		{
 			exit_scepclient("did not receive a valid scep response");
 		}
-		ugh = scep_parse_response(scep_response, transID, &data, &attrs
-								 , x509_ca_sig);
+		ugh = scep_parse_response(scep_response, transID, &container, &attrs);
 		if (ugh != NULL)
 		{
 			exit_scepclient(ugh);
@@ -1053,45 +1354,46 @@ int main(int argc, char **argv)
 		{
 			identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
 
-			plog("  scep request pending, polling every %d seconds"
-				, poll_interval);
+			DBG1(DBG_APP, "  scep request pending, polling every %d seconds",
+				 poll_interval);
 			poll_start = time_monotonic(NULL);
 			issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
 									issuer->get_encoding(issuer),
-									subject);
+									subject->get_encoding(subject));
 		}
 		while (attrs.pkiStatus == SCEP_PENDING)
 		{
-			if (max_poll_time > 0
-			&& (time_monotonic(NULL) - poll_start >= max_poll_time))
+			if (max_poll_time > 0 &&
+				(time_monotonic(NULL) - poll_start >= max_poll_time))
 			{
 				exit_scepclient("maximum poll time reached: %d seconds"
 							   , max_poll_time);
 			}
-			DBG(DBG_CONTROL,
-				DBG_log("going to sleep for %d seconds", poll_interval)
-			)
+			DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
 			sleep(poll_interval);
 			free(scep_response.ptr);
+			container->destroy(container);
 
-			DBG(DBG_CONTROL,
-				DBG_log("fingerprint:    %.*s", (int)fingerprint.len, fingerprint.ptr);
-				DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
-			)
+			DBG2(DBG_APP, "fingerprint:    %.*s",
+				 (int)fingerprint.len, fingerprint.ptr);
+			DBG2(DBG_APP, "transaction ID: %.*s",
+				 (int)transID.len, transID.ptr);
 
 			chunk_free(&getCertInitial);
-			getCertInitial = scep_build_request(issuerAndSubject
-								, transID, SCEP_GetCertInitial_MSG
-								, x509_ca_enc, pkcs7_symmetric_cipher
-								, x509_signer, pkcs7_digest_alg, private_key);
-
+			getCertInitial = scep_build_request(issuerAndSubject,
+								transID, SCEP_GetCertInitial_MSG, x509_ca_enc,
+								pkcs7_symmetric_cipher, pkcs7_key_size,
+								x509_signer, pkcs7_digest_alg, private_key);
+			if (!getCertInitial.ptr)
+			{
+				exit_scepclient("failed to build scep request");
+			}
 			if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
-				http_get_request, &scep_response))
+					http_get_request, http_timeout, http_bind, &scep_response))
 			{
 				exit_scepclient("did not receive a valid scep response");
 			}
-			ugh = scep_parse_response(scep_response, transID, &data, &attrs
-									 , x509_ca_sig);
+			ugh = scep_parse_response(scep_response, transID, &container, &attrs);
 			if (ugh != NULL)
 			{
 				exit_scepclient(ugh);
@@ -1100,31 +1402,53 @@ int main(int argc, char **argv)
 
 		if (attrs.pkiStatus != SCEP_SUCCESS)
 		{
+			container->destroy(container);
 			exit_scepclient("reply status is not 'SUCCESS'");
 		}
 
-		envelopedData = data.content;
-
-		if (data.type != OID_PKCS7_DATA
-		|| !asn1_parse_simple_object(&envelopedData, ASN1_OCTET_STRING, 0, "data"))
+		if (!container->get_data(container, &chunk))
 		{
-			exit_scepclient("contentInfo is not of type 'data'");
+			container->destroy(container);
+			exit_scepclient("extracting signed-data failed");
 		}
-		if (!pkcs7_parse_envelopedData(envelopedData, &certData
-			, serialNumber, private_key))
+		container->destroy(container);
+
+		/* decrypt enveloped-data container */
+		container = lib->creds->create(lib->creds,
+									   CRED_CONTAINER, CONTAINER_PKCS7,
+									   BUILD_BLOB_ASN1_DER, chunk,
+									   BUILD_END);
+		free(chunk.ptr);
+		if (!container)
 		{
 			exit_scepclient("could not decrypt envelopedData");
 		}
-		if (!pkcs7_parse_signedData(certData, NULL, certs, NULL, NULL))
+
+		if (!container->get_data(container, &chunk))
+		{
+			container->destroy(container);
+			exit_scepclient("extracting encrypted-data failed");
+		}
+		container->destroy(container);
+
+		/* parse signed-data container */
+		container = lib->creds->create(lib->creds,
+									   CRED_CONTAINER, CONTAINER_PKCS7,
+									   BUILD_BLOB_ASN1_DER, chunk,
+									   BUILD_END);
+		free(chunk.ptr);
+		if (!container)
 		{
-			exit_scepclient("error parsing the scep response");
+			exit_scepclient("could not parse singed-data");
 		}
-		chunk_free(&certData);
+		/* no need to verify the signed-data container, the signature does NOT
+		 * cover the contained certificates */
 
 		/* store the end entity certificate */
-		path = concatenate_paths(HOST_CERT_PATH, file_out_cert);
+		join_paths(path, sizeof(path), HOST_CERT_PATH, file_out_cert);
 
-		enumerator = certs->create_enumerator(certs);
+		p7 = (pkcs7_t*)container;
+		enumerator = p7->create_cert_enumerator(p7);
 		while (enumerator->enumerate(enumerator, &cert))
 		{
 			x509_t *x509 = (x509_t*)cert;
@@ -1144,12 +1468,15 @@ int main(int argc, char **argv)
 				stored = TRUE;
 			}
 		}
-		certs->destroy_offset(certs, offsetof(certificate_t, destroy));
+		enumerator->destroy(enumerator);
+		container->destroy(container);
+		chunk_free(&attrs.transID);
+		chunk_free(&attrs.senderNonce);
+		chunk_free(&attrs.recipientNonce);
+
 		filetype_out &= ~CERT;   /* delete CERT flag */
 	}
 
 	exit_scepclient(NULL);
 	return -1; /* should never be reached */
 }
-
-
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index a82fe9385..91575c9ba 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -2,32 +2,26 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am (update for LEX/YACC)
-LOCAL_SRC_FILES := \
+starter_SOURCES := \
 parser.c lexer.c ipsec-parser.h netkey.c args.h netkey.h \
-starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
-keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h loglite.c klips.c klips.h
+starterstroke.c confread.c \
+starterstroke.h confread.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
+invokecharon.h klips.c klips.h
+
+LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
 
 # build starter ----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
 	$(libvstr_PATH) \
 	$(strongswan_PATH)/src/libhydra \
-	$(strongswan_PATH)/src/libfreeswan \
 	$(strongswan_PATH)/src/libstrongswan \
-	$(strongswan_PATH)/src/libfreeswan \
-	$(strongswan_PATH)/src/pluto \
-	$(strongswan_PATH)/src/whack \
 	$(strongswan_PATH)/src/stroke
 
 LOCAL_CFLAGS := $(strongswan_CFLAGS) -DSTART_CHARON \
 	-DPLUGINS='"$(strongswan_STARTER_PLUGINS)"'
 
-ifneq ($(strongswan_BUILD_PLUTO),)
-LOCAL_CFLAGS += -DSTART_PLUTO
-endif
-
 LOCAL_MODULE := starter
 
 LOCAL_MODULE_TAGS := optional
@@ -37,11 +31,8 @@ LOCAL_ARM_MODE := arm
 LOCAL_PRELINK_MODULE := false
 
 LOCAL_REQUIRED_MODULES := stroke
-ifneq ($(strongswan_BUILD_PLUTO),)
-LOCAL_REQUIRED_MODULES += whack
-endif
 
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libfreeswan
+LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
 
 include $(BUILD_EXECUTABLE)
 
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 94ddf5aba..48110dd02 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -1,64 +1,51 @@
 ipsec_PROGRAMS = starter
 starter_SOURCES = \
 parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \
-starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
-keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h loglite.c klips.c klips.h
-
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto \
--I$(top_srcdir)/src/whack \
--I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\" \
--DIPSEC_EAPDIR=\"${eapdir}\" \
--DDEV_RANDOM=\"${random_device}\" \
--DDEV_URANDOM=\"${urandom_device}\" \
--DPLUGINS=\""${starter_plugins}\"" \
--DDEBUG
+starterstroke.c confread.c \
+starterstroke.h confread.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
+invokecharon.h klips.c klips.h
+
+AM_CPPFLAGS = \
+	-I${linux_headers} \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/stroke \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DIPSEC_EAPDIR=\"${eapdir}\" \
+	-DIPSEC_SCRIPT=\"${ipsec_script}\" \
+	-DDEV_RANDOM=\"${random_device}\" \
+	-DDEV_URANDOM=\"${urandom_device}\" \
+	-DPLUGINS=\""${starter_plugins}\"" \
+	-DDEBUG
 
 AM_YFLAGS = -v -d
 
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB)
+starter_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) $(PTHREADLIB)
 EXTRA_DIST = keywords.txt ipsec.conf Android.mk
 MAINTAINERCLEANFILES = keywords.c
 BUILT_SOURCES = parser.h
 
-PLUTODIR=$(top_srcdir)/src/pluto
-SCEPCLIENTDIR=$(top_srcdir)/src/scepclient
-
-if USE_PLUTO
-  AM_CFLAGS += -DSTART_PLUTO
-endif
-
 if USE_CHARON
-  AM_CFLAGS += -DSTART_CHARON
+  AM_CPPFLAGS += -DSTART_CHARON
 endif
 
 if USE_LOAD_WARNING
-  AM_CFLAGS += -DLOAD_WARNING
+  AM_CPPFLAGS += -DLOAD_WARNING
 endif
 
 if USE_TOOLS
-  AM_CFLAGS += -DGENERATE_SELFCERT
+  AM_CPPFLAGS += -DGENERATE_SELFCERT
 endif
 
 keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
 
-defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
-
 install-exec-local :
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
@@ -68,4 +55,3 @@ install-exec-local :
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
 		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
-
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index f2c0cc38e..4b09e5d8c 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -35,10 +52,9 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 ipsec_PROGRAMS = starter$(EXEEXT)
-@USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO
-@USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON
-@USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING
-@USE_TOOLS_TRUE@am__append_4 = -DGENERATE_SELFCERT
+@USE_CHARON_TRUE@am__append_1 = -DSTART_CHARON
+@USE_LOAD_WARNING_TRUE@am__append_2 = -DLOAD_WARNING
+@USE_TOOLS_TRUE@am__append_3 = -DGENERATE_SELFCERT
 subdir = src/starter
 DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
 	lexer.c parser.c parser.h
@@ -51,69 +67,102 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am_starter_OBJECTS = parser.$(OBJEXT) lexer.$(OBJEXT) netkey.$(OBJEXT) \
-	starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
-	invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \
-	args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \
-	starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \
-	loglite.$(OBJEXT) klips.$(OBJEXT)
+	starterstroke.$(OBJEXT) confread.$(OBJEXT) args.$(OBJEXT) \
+	keywords.$(OBJEXT) cmp.$(OBJEXT) starter.$(OBJEXT) \
+	invokecharon.$(OBJEXT) klips.$(OBJEXT)
 starter_OBJECTS = $(am_starter_OBJECTS)
 am__DEPENDENCIES_1 =
-starter_DEPENDENCIES = defs.o \
-	$(top_builddir)/src/libfreeswan/libfreeswan.a \
+starter_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
+	$(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
+AM_V_LEX = $(am__v_LEX_@AM_V@)
+am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
+am__v_LEX_0 = @echo "  LEX   " $@;
 YLWRAP = $(top_srcdir)/ylwrap
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
+AM_V_YACC = $(am__v_YACC_@AM_V@)
+am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
+am__v_YACC_0 = @echo "  YACC  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(starter_SOURCES)
 DIST_SOURCES = $(starter_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -122,13 +171,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -141,6 +193,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -168,11 +221,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -180,6 +235,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -188,8 +244,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -198,14 +252,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -219,17 +278,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -239,16 +298,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -278,33 +336,25 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 starter_SOURCES = \
 parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \
-starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
-keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h loglite.c klips.c klips.h
-
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto \
--I$(top_srcdir)/src/whack \
--I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
-	-DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \
+starterstroke.c confread.c \
+starterstroke.h confread.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
+invokecharon.h klips.c klips.h
+
+AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/stroke \
+	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${sysconfdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
+	-DIPSEC_SCRIPT=\"${ipsec_script}\" \
+	-DDEV_RANDOM=\"${random_device}\" \
 	-DDEV_URANDOM=\"${urandom_device}\" \
 	-DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) \
-	$(am__append_2) $(am__append_3) $(am__append_4)
+	$(am__append_2) $(am__append_3)
 AM_YFLAGS = -v -d
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB)
+starter_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) $(PTHREADLIB)
 EXTRA_DIST = keywords.txt ipsec.conf Android.mk
 MAINTAINERCLEANFILES = keywords.c
 BUILT_SOURCES = parser.h
-PLUTODIR = $(top_srcdir)/src/pluto
-SCEPCLIENTDIR = $(top_srcdir)/src/scepclient
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
@@ -342,8 +392,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -384,13 +437,11 @@ clean-ipsecPROGRAMS:
 	echo " rm -f" $$list; \
 	rm -f $$list
 parser.h: parser.c
-	@if test ! -f $@; then \
-	  rm -f parser.c; \
-	  $(MAKE) $(AM_MAKEFLAGS) parser.c; \
-	else :; fi
-starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) 
+	@if test ! -f $@; then rm -f parser.c; else :; fi
+	@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) parser.c; else :; fi
+starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) $(EXTRA_starter_DEPENDENCIES) 
 	@rm -f starter$(EXEEXT)
-	$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -401,46 +452,41 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/args.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmp.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/confread.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/exec.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interfaces.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokecharon.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/klips.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexer.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starter.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterstroke.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterwhack.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 .l.c:
-	$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
+	$(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
 
 .y.c:
-	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
+	$(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -549,10 +595,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -658,13 +709,11 @@ uninstall-am: uninstall-ipsecPROGRAMS
 
 
 keywords.c:	$(srcdir)/keywords.txt $(srcdir)/keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
 
-defs.o:		$(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-		$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
-
 install-exec-local :
-		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+		test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
 		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
diff --git a/src/starter/args.c b/src/starter/args.c
index 65d0a753c..5fbf51856 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -17,11 +17,8 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
 
 #include "keywords.h"
 #include "confread.h"
@@ -36,6 +33,7 @@ typedef enum {
 	ARG_TIME,
 	ARG_ULNG,
 	ARG_ULLI,
+	ARG_UBIN,
 	ARG_PCNT,
 	ARG_STR,
 	ARG_LST,
@@ -64,6 +62,7 @@ static const char *LST_unique[] = {
 	"yes",
 	"replace",
 	"keep",
+	"never",
 	 NULL
 };
 
@@ -89,13 +88,6 @@ static const char *LST_startup[] = {
 	 NULL
 };
 
-static const char *LST_packetdefault[] = {
-	"drop",
-	"reject",
-	"pass",
-	 NULL
-};
-
 static const char *LST_keyexchange[] = {
 	"ike",
 	"ikev1",
@@ -103,55 +95,24 @@ static const char *LST_keyexchange[] = {
 	 NULL
 };
 
-static const char *LST_pfsgroup[] = {
-	"modp1024",
-	"modp1536",
-	"modp2048",
-	"modp3072",
-	"modp4096",
-	"modp6144",
-	"modp8192",
-	"ecp192",
-	"ecp224",
-	"ecp256",
-	"ecp384",
-	"ecp521",
-	 NULL
-};
-
-static const char *LST_plutodebug[] = {
-	"none",
-	"all",
-	"raw",
-	"crypt",
-	"parsing",
-	"emitting",
-	"control",
-	"lifecycle",
-	"klips",
-	"kernel",
-	"dns",
-	"natt",
-	"oppo",
-	"controlmore",
-	"private",
+static const char *LST_authby[] = {
+	"psk",
+	"secret",
+	"pubkey",
+	"rsa",
+	"rsasig",
+	"ecdsa",
+	"ecdsasig",
+	"xauthpsk",
+	"xauthrsasig",
+	"never",
 	 NULL
 };
 
-static const char *LST_klipsdebug[] = {
-	"tunnel",
-	"tunnel-xmit",
-	"pfkey",
-	"xform",
-	"eroute",
-	"spi",
-	"radij",
-	"esp",
-	"ah",
-	"ipcomp",
-	"verbose",
-	"all",
-	"none",
+static const char *LST_fragmentation[] = {
+	"no",
+	"yes",
+	"force",
 	 NULL
 };
 
@@ -164,53 +125,29 @@ typedef struct {
 static const token_info_t token_info[] =
 {
 	/* config setup keywords */
-	{ ARG_LST,  offsetof(starter_config_t, setup.interfaces), NULL                 },
-	{ ARG_STR,  offsetof(starter_config_t, setup.dumpdir), NULL                    },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool            },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool             },
-
-	/* pluto/charon keywords */
-	{ ARG_LST,  offsetof(starter_config_t, setup.plutodebug), LST_plutodebug       },
 	{ ARG_STR,  offsetof(starter_config_t, setup.charondebug),  NULL               },
-	{ ARG_STR,  offsetof(starter_config_t, setup.prepluto), NULL                   },
-	{ ARG_STR,  offsetof(starter_config_t, setup.postpluto), NULL                  },
-	{ ARG_STR,  offsetof(starter_config_t, setup.plutostderrlog), NULL             },
 	{ ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_unique            },
-	{ ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL                },
-	{ ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL           },
 	{ ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool              },
 	{ ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict      },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool               },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool          },
-	{ ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL                 },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.force_keepalive), LST_bool        },
-	{ ARG_STR,  offsetof(starter_config_t, setup.virtual_private), NULL            },
-	{ ARG_STR,  offsetof(starter_config_t, setup.pkcs11module), NULL               },
-	{ ARG_STR,  offsetof(starter_config_t, setup.pkcs11initargs), NULL             },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool        },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool            },
-
-	/* KLIPS keywords */
-	{ ARG_LST,  offsetof(starter_config_t, setup.klipsdebug), LST_klipsdebug       },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.fragicmp), LST_bool               },
-	{ ARG_STR,  offsetof(starter_config_t, setup.packetdefault), LST_packetdefault },
-	{ ARG_ENUM, offsetof(starter_config_t, setup.hidetos), LST_bool                },
+	{ ARG_MISC, 0, NULL  /* KW_PKCS11_DEPRECATED */                                },
+	{ ARG_MISC, 0, NULL  /* KW_SETUP_DEPRECATED */                                 },
 
 	/* conn section keywords */
 	{ ARG_STR,  offsetof(starter_conn_t, name), NULL                               },
 	{ ARG_ENUM, offsetof(starter_conn_t, startup), LST_startup                     },
 	{ ARG_ENUM, offsetof(starter_conn_t, keyexchange), LST_keyexchange             },
 	{ ARG_MISC, 0, NULL  /* KW_TYPE */                                             },
-	{ ARG_MISC, 0, NULL  /* KW_PFS */                                              },
 	{ ARG_MISC, 0, NULL  /* KW_COMPRESS */                                         },
 	{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool                 },
+	{ ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool                     },
 	{ ARG_MISC, 0, NULL  /* KW_AUTH */                                             },
-	{ ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
-	{ ARG_MISC, 0, NULL  /* KW_EAP */                                              },
+	{ ARG_STR,  offsetof(starter_conn_t, authby), LST_authby                       },
 	{ ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
 	{ ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL                       },
 	{ ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
 	{ ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
+	{ ARG_ENUM, offsetof(starter_conn_t, fragmentation), LST_fragmentation         },
+	{ ARG_UBIN, offsetof(starter_conn_t, ikedscp), NULL                            },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
@@ -224,7 +161,6 @@ static const token_info_t token_info[] =
 	{ ARG_MISC, 0, NULL  /* KW_REAUTH */                                           },
 	{ ARG_STR,  offsetof(starter_conn_t, ike), NULL                                },
 	{ ARG_STR,  offsetof(starter_conn_t, esp), NULL                                },
-	{ ARG_STR,  offsetof(starter_conn_t, pfsgroup), LST_pfsgroup                   },
 	{ ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL                          },
 	{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL                        },
 	{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action               },
@@ -241,28 +177,27 @@ static const token_info_t token_info[] =
 	{ ARG_MISC, 0, NULL  /* KW_MARK_IN */                                          },
 	{ ARG_MISC, 0, NULL  /* KW_MARK_OUT */                                         },
 	{ ARG_MISC, 0, NULL  /* KW_TFC */                                              },
+	{ ARG_MISC, 0, NULL  /* KW_PFS_DEPRECATED */                                   },
+	{ ARG_MISC, 0, NULL  /* KW_CONN_DEPRECATED */                                  },
 
 	/* ca section keywords */
 	{ ARG_STR,  offsetof(starter_ca_t, name), NULL                                 },
 	{ ARG_ENUM, offsetof(starter_ca_t, startup), LST_startup                       },
 	{ ARG_STR,  offsetof(starter_ca_t, cacert), NULL                               },
-	{ ARG_STR,  offsetof(starter_ca_t, ldaphost), NULL                             },
-	{ ARG_STR,  offsetof(starter_ca_t, ldapbase), NULL                             },
 	{ ARG_STR,  offsetof(starter_ca_t, crluri), NULL                               },
 	{ ARG_STR,  offsetof(starter_ca_t, crluri2), NULL                              },
 	{ ARG_STR,  offsetof(starter_ca_t, ocspuri), NULL                              },
 	{ ARG_STR,  offsetof(starter_ca_t, ocspuri2), NULL                             },
 	{ ARG_STR,  offsetof(starter_ca_t, certuribase), NULL                          },
+	{ ARG_MISC, 0, NULL  /* KW_CA_DEPRECATED */                                    },
 
 	/* end keywords */
 	{ ARG_STR,  offsetof(starter_end_t, host), NULL                                },
 	{ ARG_UINT, offsetof(starter_end_t, ikeport), NULL                             },
-	{ ARG_MISC, 0, NULL  /* KW_NEXTHOP */                                          },
-	{ ARG_STR, offsetof(starter_end_t, subnet), NULL                               },
-	{ ARG_MISC, 0, NULL  /* KW_SUBNETWITHIN */                                     },
+	{ ARG_STR,  offsetof(starter_end_t, subnet), NULL                              },
 	{ ARG_MISC, 0, NULL  /* KW_PROTOPORT */                                        },
 	{ ARG_STR,  offsetof(starter_end_t, sourceip), NULL                            },
-	{ ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
+	{ ARG_STR,  offsetof(starter_end_t, dns), NULL                                 },
 	{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
 	{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
 	{ ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool                       },
@@ -279,7 +214,8 @@ static const token_info_t token_info[] =
 	{ ARG_STR,  offsetof(starter_end_t, ca), NULL                                  },
 	{ ARG_STR,  offsetof(starter_end_t, ca2), NULL                                 },
 	{ ARG_STR,  offsetof(starter_end_t, groups), NULL                              },
-	{ ARG_STR,  offsetof(starter_end_t, iface), NULL                               }
+	{ ARG_STR,  offsetof(starter_end_t, groups2), NULL                             },
+	{ ARG_MISC, 0, NULL  /* KW_END_DEPRECATED */                                   },
 };
 
 static void free_list(char **list)
@@ -298,7 +234,7 @@ char** new_list(char *value)
 	char *val, *b, *e, *end, **ret;
 	int count;
 
-	val = value ? clone_str(value) : NULL;
+	val = strdupnull(value);
 	if (!val)
 	{
 		return NULL;
@@ -326,7 +262,7 @@ char** new_list(char *value)
 		for (e = b; (*e != '\0'); e++);
 		if (e != b)
 		{
-			ret[count++] = clone_str(b);
+			ret[count++] = strdupnull(b);
 		}
 		b = e + 1;
 	}
@@ -347,23 +283,20 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 
 	int index = -1;  /* used for enumeration arguments */
 
-	lset_t *seen = (lset_t *)base;    /* seen flags are at the top of the struct */
-	lset_t f = LELEM(token - first);  /* compute flag position of argument */
+	seen_t *seen = (seen_t*)base; /* seen flags are at the top of the struct */
 
 	*assigned = FALSE;
 
-	DBG(DBG_CONTROLMORE,
-		DBG_log("  %s=%s", kw->entry->name, kw->value)
-	)
+	DBG3(DBG_APP, "  %s=%s", kw->entry->name, kw->value);
 
-	if (*seen & f)
+	if (*seen & SEEN_KW(token, first))
 	{
-		plog("# duplicate '%s' option", kw->entry->name);
+		DBG1(DBG_APP, "# duplicate '%s' option", kw->entry->name);
 		return FALSE;
 	}
 
 	/* set flag that this argument has been seen */
-	*seen |= f;
+	*seen |= SEEN_KW(token, first);
 
 	/* is there a keyword list? */
 	if (list != NULL && token_info[token].type != ARG_LST)
@@ -377,7 +310,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 		}
 		if (!match)
 		{
-			plog("# bad value: %s=%s", kw->entry->name, kw->value);
+			DBG1(DBG_APP, "# bad value: %s=%s", kw->entry->name, kw->value);
 			return FALSE;
 		}
 	}
@@ -385,14 +318,14 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 	switch (token_info[token].type)
 	{
 	case ARG_NONE:
-		plog("# option '%s' not supported yet", kw->entry->name);
+		DBG1(DBG_APP, "# option '%s' not supported yet", kw->entry->name);
 		return FALSE;
 	case ARG_ENUM:
 		{
 			if (index < 0)
 			{
-				plog("# bad enumeration value: %s=%s (%d)"
-					, kw->entry->name, kw->value, index);
+				DBG1(DBG_APP, "# bad enumeration value: %s=%s (%d)",
+					 kw->entry->name, kw->value, index);
 				return FALSE;
 			}
 
@@ -418,7 +351,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 
 			if (*endptr != '\0')
 			{
-				plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+				DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+					 kw->value);
 				return FALSE;
 			}
 		}
@@ -435,7 +369,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 			{
 				if (*endptr != '\0')
 				{
-					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+					DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+						 kw->value);
 					return FALSE;
 				}
 			}
@@ -443,7 +378,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 			{
 				if ((*endptr != '%') || (endptr[1] != '\0') || endptr == kw->value)
 				{
-					plog("# bad percent value: %s=%s", kw->entry->name, kw->value);
+					DBG1(DBG_APP, "# bad percent value: %s=%s", kw->entry->name,
+						 kw->value);
 					return FALSE;
 				}
 			}
@@ -459,7 +395,23 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 
 			if (*endptr != '\0')
 			{
-				plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+				DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+					 kw->value);
+				return FALSE;
+			}
+		}
+		break;
+	case ARG_UBIN:
+		{
+			char *endptr;
+			u_int *u = (u_int *)p;
+
+			*u = strtoul(kw->value, &endptr, 2);
+
+			if (*endptr != '\0')
+			{
+				DBG1(DBG_APP, "# bad binary value: %s=%s", kw->entry->name,
+					 kw->value);
 				return FALSE;
 			}
 		}
@@ -494,7 +446,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 					break;
 				}
 			}
-			plog("# bad duration value: %s=%s", kw->entry->name, kw->value);
+			DBG1(DBG_APP, "# bad duration value: %s=%s", kw->entry->name,
+				 kw->value);
 			return FALSE;
 		}
 	case ARG_STR:
@@ -505,7 +458,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 			free(*cp);
 
 			/* assign the new string */
-			*cp = clone_str(kw->value);
+			*cp = strdupnull(kw->value);
 		}
 		break;
 	case ARG_LST:
@@ -537,7 +490,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
 					}
 					if (!match)
 					{
-						plog("# bad value: %s=%s", kw->entry->name, *lst);
+						DBG1(DBG_APP, "# bad value: %s=%s",
+							 kw->entry->name, *lst);
 						return FALSE;
 					}
 				}
@@ -604,7 +558,7 @@ void clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
 			char **cp1 = (char **)(base1 + token_info[token].offset);
 			char **cp2 = (char **)(base2 + token_info[token].offset);
 
-			*cp1 = clone_str(*cp2);
+			*cp1 = strdupnull(*cp2);
 		}
 	}
 }
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 0727cf5f0..cea864a4a 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -14,62 +14,40 @@
 
 #include <string.h>
 
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-
 #include "confread.h"
 #include "args.h"
-#include "interfaces.h"
 #include "cmp.h"
 
 #define VARCMP(obj) if (c1->obj != c2->obj) return FALSE
-#define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE
-#define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE
 #define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE
 
-static bool
-starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
+static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
 {
 	if ((c1 == NULL) || (c2 == NULL))
 		return FALSE;
 
-	if (c2->dns_failed)
-	{
-		c2->addr = c1->addr;
-	}
-	else
-	{
-		ADDCMP(addr);
-	}
-	VARCMP(ikeport);
-	ADDCMP(nexthop);
-	VARCMP(has_client);
-	VARCMP(has_client_wildcard);
-	VARCMP(has_port_wildcard);
-	VARCMP(has_natip);
-	VARCMP(has_virt);
 	VARCMP(modecfg);
-	VARCMP(port);
+	VARCMP(from_port);
+	VARCMP(to_port);
 	VARCMP(protocol);
 
 	return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
- }
+}
 
-bool
-starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
+bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
 {
 	if ((c1 == NULL) || (c2 == NULL))
 		return FALSE;
 
-	VARCMP(policy);
-	VARCMP(addr_family);
-	VARCMP(tunnel_addr_family);
+	VARCMP(mode);
+	VARCMP(proxy_mode);
+	VARCMP(options);
 	VARCMP(mark_in.value);
 	VARCMP(mark_in.mask);
 	VARCMP(mark_out.value);
 	VARCMP(mark_in.mask);
+	VARCMP(tfc);
+	VARCMP(sa_keying_tries);
 
 	if (!starter_cmp_end(&c1->left, &c2->left))
 		return FALSE;
@@ -79,37 +57,10 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
 	return cmp_args(KW_CONN_NAME, KW_CONN_LAST, (char *)c1, (char *)c2);
 }
 
-bool
-starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
+bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
 {
 	if (c1 ==  NULL || c2 == NULL)
 		return FALSE;
 
 	return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2);
 }
-
-bool
-starter_cmp_klips(starter_config_t *c1, starter_config_t *c2)
-{
-	if ((c1 == NULL) || (c2 == NULL))
-		return FALSE;
-
-	return cmp_args(KW_KLIPS_FIRST, KW_KLIPS_LAST, (char *)c1, (char *)c2);
-}
-
-bool
-starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2)
-{
-	if ((c1 == NULL) || (c2 == NULL))
-		return FALSE;
-
-	return cmp_args(KW_PLUTO_FIRST, KW_PLUTO_LAST, (char *)c1, (char *)c2);
-}
-
-bool
-starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2)
-{
-	if ((d1 == NULL) || (d2 == NULL))
-		return FALSE;
-	return memcmp(d1, d2, sizeof(defaultroute_t)) == 0;
-}
diff --git a/src/starter/cmp.h b/src/starter/cmp.h
index cda6e44b9..c33ce8ec2 100644
--- a/src/starter/cmp.h
+++ b/src/starter/cmp.h
@@ -15,13 +15,8 @@
 #ifndef _STARTER_CMP_H_
 #define _STARTER_CMP_H_
 
-#include "interfaces.h"
-
-extern bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2);
-extern bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2);
-extern bool starter_cmp_klips(starter_config_t *c1, starter_config_t *c2);
-extern bool starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2);
-extern bool starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2);
+bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2);
+bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2);
 
 #endif
 
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 627601e88..2fb022692 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -19,40 +19,79 @@
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
+#include <netdb.h>
 
-#include <freeswan.h>
-
-#include <eap/eap.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
 
 #include "keywords.h"
 #include "confread.h"
 #include "args.h"
 #include "files.h"
-#include "interfaces.h"
 
-/* strings containing a colon are interpreted as an IPv6 address */
-#define ip_version(string)	(strchr(string, '.') ? AF_INET : AF_INET6)
+#define IKE_LIFETIME_DEFAULT         10800 /* 3 hours */
+#define IPSEC_LIFETIME_DEFAULT        3600 /* 1 hour */
+#define SA_REPLACEMENT_MARGIN_DEFAULT  540 /* 9 minutes */
+#define SA_REPLACEMENT_FUZZ_DEFAULT    100 /* 100% of margin */
+#define SA_REPLACEMENT_RETRIES_DEFAULT   3
 
 static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
 static const char esp_defaults[] = "aes128-sha1,3des-sha1";
 
-static const char firewall_defaults[] = "ipsec _updown iptables";
+static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
 
 static bool daemon_exists(char *daemon, char *path)
 {
 	struct stat st;
 	if (stat(path, &st) != 0)
 	{
-		plog("Disabling %sstart option, '%s' not found", daemon, path);
+		DBG1(DBG_APP, "Disabling %sstart option, '%s' not found", daemon, path);
 		return FALSE;
 	}
 	return TRUE;
 }
 
+/**
+ * Process deprecated keywords
+ */
+static bool is_deprecated(kw_token_t token, kw_list_t *kw, char *name)
+{
+	switch (token)
+	{
+		case KW_SETUP_DEPRECATED:
+		case KW_PKCS11_DEPRECATED:
+			DBG1(DBG_APP, "# deprecated keyword '%s' in config setup",
+				 kw->entry->name);
+			break;
+		case KW_CONN_DEPRECATED:
+		case KW_END_DEPRECATED:
+		case KW_PFS_DEPRECATED:
+			DBG1(DBG_APP, "# deprecated keyword '%s' in conn '%s'",
+				 kw->entry->name, name);
+			break;
+		case KW_CA_DEPRECATED:
+			DBG1(DBG_APP, "# deprecated keyword '%s' in ca '%s'",
+				 kw->entry->name, name);
+			break;
+		default:
+			return FALSE;
+	}
+	/* additional messages for some */
+	switch (token)
+	{
+		case KW_PKCS11_DEPRECATED:
+			DBG1(DBG_APP, "  use the 'pkcs11' plugin instead", kw->entry->name);
+			break;
+		case KW_PFS_DEPRECATED:
+			DBG1(DBG_APP, "  PFS is enabled by specifying a DH group in the "
+				 "'esp' cipher suite", kw->entry->name);
+			break;
+		default:
+			break;
+	}
+	return TRUE;
+}
+
 static void default_values(starter_config_t *cfg)
 {
 	if (cfg == NULL)
@@ -60,7 +99,7 @@ static void default_values(starter_config_t *cfg)
 
 	memset(cfg, 0, sizeof(struct starter_config));
 
-    /* is there enough space for all seen flags? */
+	/* is there enough space for all seen flags? */
 	assert(KW_SETUP_LAST - KW_SETUP_FIRST <
 		sizeof(cfg->setup.seen) * BITS_PER_BYTE);
 	assert(KW_CONN_LAST  - KW_CONN_FIRST <
@@ -70,66 +109,55 @@ static void default_values(starter_config_t *cfg)
 	assert(KW_CA_LAST - KW_CA_FIRST <
 		sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
 
-	cfg->setup.seen        = LEMPTY;
-	cfg->setup.fragicmp    = TRUE;
-	cfg->setup.hidetos     = TRUE;
+	cfg->setup.seen        = SEEN_NONE;
 	cfg->setup.uniqueids   = TRUE;
-	cfg->setup.interfaces  = new_list("%defaultroute");
 
 #ifdef START_CHARON
 	cfg->setup.charonstart = TRUE;
 #endif
-#ifdef START_PLUTO
-	cfg->setup.plutostart  = TRUE;
-#endif
 
-	cfg->conn_default.seen    = LEMPTY;
+	cfg->conn_default.seen    = SEEN_NONE;
 	cfg->conn_default.startup = STARTUP_NO;
 	cfg->conn_default.state   = STATE_IGNORE;
-	cfg->conn_default.policy  = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_PUBKEY |
-								POLICY_PFS | POLICY_MOBIKE;
+	cfg->conn_default.mode    = MODE_TUNNEL;
+	cfg->conn_default.options = SA_OPTION_MOBIKE;
 
-	cfg->conn_default.ike                   = clone_str(ike_defaults);
-	cfg->conn_default.esp                   = clone_str(esp_defaults);
-	cfg->conn_default.sa_ike_life_seconds   = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
-	cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
+	cfg->conn_default.ike                   = strdupnull(ike_defaults);
+	cfg->conn_default.esp                   = strdupnull(esp_defaults);
+	cfg->conn_default.sa_ike_life_seconds   = IKE_LIFETIME_DEFAULT;
+	cfg->conn_default.sa_ipsec_life_seconds = IPSEC_LIFETIME_DEFAULT;
 	cfg->conn_default.sa_rekey_margin       = SA_REPLACEMENT_MARGIN_DEFAULT;
 	cfg->conn_default.sa_rekey_fuzz         = SA_REPLACEMENT_FUZZ_DEFAULT;
 	cfg->conn_default.sa_keying_tries       = SA_REPLACEMENT_RETRIES_DEFAULT;
-	cfg->conn_default.addr_family           = AF_INET;
-	cfg->conn_default.tunnel_addr_family    = AF_INET;
-	cfg->conn_default.install_policy	= TRUE;
-	cfg->conn_default.dpd_delay		=  30; /* seconds */
-	cfg->conn_default.dpd_timeout		= 150; /* seconds */
+	cfg->conn_default.install_policy        = TRUE;
+	cfg->conn_default.dpd_delay             =  30; /* seconds */
+	cfg->conn_default.dpd_timeout           = 150; /* seconds */
 
-	cfg->conn_default.left.seen  = LEMPTY;
-	cfg->conn_default.right.seen = LEMPTY;
+	cfg->conn_default.left.seen  = SEEN_NONE;
+	cfg->conn_default.right.seen = SEEN_NONE;
 
 	cfg->conn_default.left.sendcert  = CERT_SEND_IF_ASKED;
 	cfg->conn_default.right.sendcert = CERT_SEND_IF_ASKED;
 
-	anyaddr(AF_INET, &cfg->conn_default.left.addr);
-	anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
-	anyaddr(AF_INET, &cfg->conn_default.right.addr);
-	anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
 	cfg->conn_default.left.ikeport = 500;
 	cfg->conn_default.right.ikeport = 500;
 
-	cfg->ca_default.seen = LEMPTY;
+	cfg->conn_default.left.to_port = 0xffff;
+	cfg->conn_default.right.to_port = 0xffff;
+
+	cfg->ca_default.seen = SEEN_NONE;
 }
 
-#define KW_POLICY_FLAG(sy, sn, fl) \
-		if (streq(kw->value, sy)) { conn->policy |= fl; } \
-		else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
-		else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
+#define KW_SA_OPTION_FLAG(sy, sn, fl) \
+		if (streq(kw->value, sy)) { conn->options |= fl; } \
+		else if (streq(kw->value, sn)) { conn->options &= ~fl; } \
+		else { DBG1(DBG_APP, "# bad option value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
 
 static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 {
 	kw_list_t *kw;
 
-	DBG(DBG_CONTROL,
-		DBG_log("Loading config setup")
-    )
+	DBG2(DBG_APP, "Loading config setup");
 
 	for (kw = cfgp->config_setup; kw; kw = kw->next)
 	{
@@ -139,45 +167,49 @@ static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 
 		if ((int)token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
 		{
-			plog("# unsupported keyword '%s' in config setup", kw->entry->name);
+			DBG1(DBG_APP, "# unsupported keyword '%s' in config setup",
+				 kw->entry->name);
 			cfg->err++;
 			continue;
 		}
 
+		if (is_deprecated(token, kw, ""))
+		{
+			cfg->non_fatal_err++;
+			continue;
+		}
+
 		if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
 		{
-			plog("  bad argument value in config setup");
+			DBG1(DBG_APP, "  bad argument value in config setup");
 			cfg->err++;
 			continue;
 		}
 	}
 
-	/* verify the executables are actually available (some distros split
-	 * packages but enabled both) */
+	/* verify the executables are actually available */
 #ifdef START_CHARON
 	cfg->setup.charonstart = cfg->setup.charonstart &&
-							 daemon_exists("charon", CHARON_CMD);
+							 daemon_exists(daemon_name, cmd);
 #else
 	cfg->setup.charonstart = FALSE;
 #endif
-#ifdef START_PLUTO
-	cfg->setup.plutostart = cfg->setup.plutostart &&
-							daemon_exists("pluto", PLUTO_CMD);
-#else
-	cfg->setup.plutostart = FALSE;
-#endif
 }
 
 static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 				   kw_list_t *kw, char *conn_name, starter_config_t *cfg)
 {
-	err_t ugh = NULL;
 	bool assigned = FALSE;
-	bool has_port_wildcard;        /* set if port is %any */
 
 	char *name  = kw->entry->name;
 	char *value = kw->value;
 
+	if (is_deprecated(token, kw, conn_name))
+	{
+		cfg->non_fatal_err++;
+		return;
+	}
+
 	if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
 		goto err;
 
@@ -185,157 +217,25 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 	switch (token)
 	{
 	case KW_HOST:
-		free(end->host);
-		end->host = NULL;
-		if (streq(value, "%defaultroute"))
+		if (value && strlen(value) > 0 && value[0] == '%')
 		{
-			if (cfg->defaultroute.defined)
-			{
-				end->addr    = cfg->defaultroute.addr;
-				end->nexthop = cfg->defaultroute.nexthop;
-			}
-			else if (!cfg->defaultroute.supported)
+			if (streq(value, "%defaultroute"))
 			{
-				plog("%%defaultroute not supported, fallback to %%any");
+				value = "%any";
 			}
-			else
-			{
-				plog("# default route not known: %s=%s", name, value);
-				goto err;
-			}
-		}
-		else if (streq(value, "%any") || streq(value, "%any4"))
-		{
-			anyaddr(conn->addr_family, &end->addr);
-		}
-		else if (streq(value, "%any6"))
-		{
-			conn->addr_family = AF_INET6;
-			anyaddr(conn->addr_family, &end->addr);
-		}
-		else if (streq(value, "%group"))
-		{
-			ip_address any;
-
-			conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
-			anyaddr(conn->addr_family, &end->addr);
-			anyaddr(conn->tunnel_addr_family, &any);
-			end->has_client = TRUE;
-		}
-		else
-		{
-			/* check for allow_any prefix */
-			if (value[0] == '%')
-			{
+			if (!streq(value, "%any") && !streq(value, "%any4") &&
+				!streq(value, "%any6"))
+			{	/* allow_any prefix */
 				end->allow_any = TRUE;
 				value++;
 			}
-			conn->addr_family = ip_version(value);
-			ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
-			if (ugh != NULL)
-			{
-				plog("# bad addr: %s=%s [%s]", name, value, ugh);
-				if (streq(ugh, "does not look numeric and name lookup failed"))
-				{
-					end->dns_failed = TRUE;
-					anyaddr(conn->addr_family, &end->addr);
-				}
-				else
-				{
-					goto err;
-				}
-			}
-			end->host = clone_str(value);
-		}
-		break;
-	case KW_SUBNET:
-		if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
-		||  (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
-		{
-			/* used by pluto only */
-			end->has_virt = TRUE;
-		}
-		else
-		{
-			ip_subnet net;
-			char *pos;
-			int len = 0;
-
-			end->has_client = TRUE;
-			conn->tunnel_addr_family = ip_version(value);
-
-			pos = strchr(value, ',');
-			if (pos)
-			{
-				len = pos - value;
-			}
-			ugh = ttosubnet(value, len, ip_version(value), &net);
-			if (ugh != NULL)
-			{
-				plog("# bad subnet: %s=%s [%s]", name, value, ugh);
-				goto err;
-			}
 		}
+		free(end->host);
+		end->host = strdupnull(value);
 		break;
 	case KW_SOURCEIP:
-		if (end->has_natip)
-		{
-			plog("# natip and sourceip cannot be defined at the same time");
-			goto err;
-		}
-		if (value[0] == '%')
-		{
-			if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
-				streq(value, "%config") || streq(value, "%cfg"))
-			{
-				/* request ip via config payload */
-				free(end->sourceip);
-				end->sourceip = NULL;
-				end->sourceip_mask = 1;
-			}
-			else
-			{	/* %poolname, strip %, serve ip requests */
-				free(end->sourceip);
-				end->sourceip = clone_str(value+1);
-				end->sourceip_mask = 0;
-			}
-			end->modecfg = TRUE;
-		}
-		else
-		{
-			char *pos;
-			ip_address addr;
-			ip_subnet net;
-
-			conn->tunnel_addr_family = ip_version(value);
-			pos = strchr(value, '/');
-
-			if (pos)
-			{	/* CIDR notation, address pool */
-				ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
-				if (ugh != NULL)
-				{
-					plog("# bad subnet: %s=%s [%s]", name, value, ugh);
-					goto err;
-				 }
-				*pos = '\0';
-				free(end->sourceip);
-				end->sourceip = clone_str(value);
-				end->sourceip_mask = atoi(pos + 1);
-			}
-			else
-			{	/* fixed srcip */
-				ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
-				if (ugh != NULL)
-				{
-					plog("# bad addr: %s=%s [%s]", name, value, ugh);
-					goto err;
-				}
-				end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
-									  32 : 128;
-			}
-		}
-		conn->policy |= POLICY_TUNNEL;
+		conn->mode = MODE_TUNNEL;
+		conn->proxy_mode = FALSE;
 		break;
 	case KW_SENDCERT:
 		if (end->sendcert == CERT_YES_SEND)
@@ -357,139 +257,119 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 	/* individual processing of keywords that were not assigned automatically */
 	switch (token)
 	{
-	case KW_NEXTHOP:
-		if (streq(value, "%defaultroute"))
+	case KW_PROTOPORT:
+	{
+		struct protoent *proto;
+		struct servent *svc;
+		char *sep, *port = "", *endptr;
+		long int p;
+
+		sep = strchr(value, '/');
+		if (sep)
+		{	/* protocol/port */
+			*sep = '\0';
+			port = sep + 1;
+		}
+
+		if (streq(value, "%any"))
+		{
+			end->protocol = 0;
+		}
+		else
 		{
-			if (cfg->defaultroute.defined)
+			proto = getprotobyname(value);
+			if (proto)
 			{
-				end->nexthop = cfg->defaultroute.nexthop;
+				end->protocol = proto->p_proto;
 			}
 			else
 			{
-				plog("# default route not known: %s=%s", name, value);
-				goto err;
+				p = strtol(value, &endptr, 0);
+				if ((*value && *endptr) || p < 0 || p > 0xff)
+				{
+					DBG1(DBG_APP, "# bad protocol: %s=%s", name, value);
+					goto err;
+				}
+				end->protocol = (u_int8_t)p;
 			}
 		}
-		else if (streq(value, "%direct"))
+		if (streq(port, "%any"))
 		{
-			ugh = anyaddr(conn->addr_family, &end->nexthop);
+			end->from_port = 0;
+			end->to_port = 0xffff;
 		}
-		else
+		else if (streq(port, "%opaque"))
 		{
-			conn->addr_family = ip_version(value);
-			ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
+			end->from_port = 0xffff;
+			end->to_port = 0;
 		}
-		if (ugh != NULL)
+		else if (*port)
 		{
-			plog("# bad addr: %s=%s [%s]", name, value, ugh);
-			goto err;
-		}
-		break;
-	case KW_SUBNETWITHIN:
-	{
-		ip_subnet net;
-
-		end->has_client = TRUE;
-		end->has_client_wildcard = TRUE;
-		conn->tunnel_addr_family = ip_version(value);
-
-		ugh = ttosubnet(value, 0, ip_version(value), &net);
-		if (ugh != NULL)
-		{
-			plog("# bad subnet: %s=%s [%s]", name, value, ugh);
-			goto err;
-		}
-		end->subnet = clone_str(value);
-		break;
-	}
-	case KW_PROTOPORT:
-		ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
-		end->has_port_wildcard = has_port_wildcard;
-		break;
-	case KW_NATIP:
-		if (end->sourceip)
-		{
-			plog("# natip and sourceip cannot be defined at the same time");
-			goto err;
-		}
-		if (streq(value, "%defaultroute"))
-		{
-			char buf[64];
-
-			if (cfg->defaultroute.defined)
+			svc = getservbyname(port, NULL);
+			if (svc)
 			{
-				addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
-				end->sourceip = clone_str(buf);
+				end->from_port = end->to_port = ntohs(svc->s_port);
 			}
 			else
 			{
-				plog("# default route not known: %s=%s", name, value);
-				goto err;
+				p = strtol(port, &endptr, 0);
+				if (p < 0 || p > 0xffff)
+				{
+					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+					goto err;
+				}
+				end->from_port = p;
+				if (*endptr == '-')
+				{
+					port = endptr + 1;
+					p = strtol(port, &endptr, 0);
+					if (p < 0 || p > 0xffff)
+					{
+						DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+						goto err;
+					}
+				}
+				end->to_port = p;
+				if (*endptr)
+				{
+					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+					goto err;
+				}
 			}
 		}
-		else
-		{
-			ip_address addr;
-
-			conn->tunnel_addr_family = ip_version(value);
-			ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
-			if (ugh != NULL)
-			{
-				plog("# bad addr: %s=%s [%s]", name, value, ugh);
-				goto err;
-			}
-			end->sourceip = clone_str(value);
+		if (sep)
+		{	/* restore the original text in case also= is used */
+			*sep = '/';
 		}
-		end->has_natip = TRUE;
-		conn->policy |= POLICY_TUNNEL;
 		break;
+	}
 	default:
 		break;
 	}
 	return;
 
 err:
-	plog("  bad argument value in conn '%s'", conn_name);
+	DBG1(DBG_APP, "  bad argument value in conn '%s'", conn_name);
 	cfg->err++;
 }
 
 /*
- * handles left|right=<FQDN> DNS resolution failure
- */
-static void handle_dns_failure(const char *label, starter_end_t *end,
-							   starter_config_t *cfg, starter_conn_t *conn)
-{
-	if (end->dns_failed)
-	{
-		if (end->allow_any)
-		{
-			plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes",
-				label, label);
-		}
-		else if (!end->host || conn->keyexchange == KEY_EXCHANGE_IKEV1)
-		{
-			/* declare an error */
-			cfg->err++;
-		}
-	}
-}
-
-/*
  * handles left|rightfirewall and left|rightupdown parameters
  */
 static void handle_firewall(const char *label, starter_end_t *end,
 							starter_config_t *cfg)
 {
-	if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
+	if (end->firewall && (end->seen & SEEN_KW(KW_FIREWALL, KW_END_FIRST)))
 	{
 		if (end->updown != NULL)
 		{
-			plog("# cannot have both %sfirewall and %supdown", label, label);
+			DBG1(DBG_APP, "# cannot have both %sfirewall and %supdown", label,
+				 label);
 			cfg->err++;
 		}
 		else
 		{
-			end->updown = clone_str(firewall_defaults);
+			end->updown = strdupnull(firewall_defaults);
 			end->firewall = FALSE;
 		}
 	}
@@ -497,16 +377,16 @@ static void handle_firewall(const char *label, starter_end_t *end,
 
 static bool handle_mark(char *value, mark_t *mark)
 {
-	char *pos, *endptr;
+	char *sep, *endptr;
 
-	pos = strchr(value, '/');
-	if (pos)
+	sep = strchr(value, '/');
+	if (sep)
 	{
-		*pos = '\0';
-		mark->mask = strtoul(pos+1, &endptr, 0);
+		*sep = '\0';
+		mark->mask = strtoul(sep+1, &endptr, 0);
 		if (*endptr != '\0')
 		{
-			plog("# invalid mark mask: %s", pos+1);
+			DBG1(DBG_APP, "# invalid mark mask: %s", sep+1);
 			return FALSE;
 		}
 	}
@@ -523,10 +403,16 @@ static bool handle_mark(char *value, mark_t *mark)
 		mark->value = strtoul(value, &endptr, 0);
 		if (*endptr != '\0')
 		{
-			plog("# invalid mark value: %s", value);
+			DBG1(DBG_APP, "# invalid mark value: %s", value);
 			return FALSE;
 		}
 	}
+	if (sep)
+	{	/* restore the original text in case also= is used */
+		*sep = '/';
+	}
+	/* apply the mask to ensure the value is in range */
+	mark->value &= mark->mask;
 	return TRUE;
 }
 
@@ -566,28 +452,32 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 			{
 				also_t *also = malloc_thing(also_t);
 
-				also->name = clone_str(kw->value);
+				also->name = strdupnull(kw->value);
 				also->next = conn->also;
 				conn->also = also;
 
-				DBG(DBG_CONTROL,
-					DBG_log("  also=%s", kw->value)
-				)
+				DBG2(DBG_APP, "  also=%s", kw->value);
 			}
 			continue;
 		}
 
 		if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
 		{
-			plog("# unsupported keyword '%s' in conn '%s'"
-				, kw->entry->name, conn_name);
+			DBG1(DBG_APP, "# unsupported keyword '%s' in conn '%s'",
+				 kw->entry->name, conn_name);
 			cfg->err++;
 			continue;
 		}
 
+		if (is_deprecated(token, kw, conn_name))
+		{
+			cfg->non_fatal_err++;
+			continue;
+		}
+
 		if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
 		{
-			plog("  bad argument value in conn '%s'", conn_name);
+			DBG1(DBG_APP, "  bad argument value in conn '%s'", conn_name);
 			cfg->err++;
 			continue;
 		}
@@ -598,125 +488,42 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 		switch (token)
 		{
 		case KW_TYPE:
-			conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
+			conn->mode = MODE_TRANSPORT;
+			conn->proxy_mode = FALSE;
 			if (streq(kw->value, "tunnel"))
 			{
-				conn->policy |= POLICY_TUNNEL;
+				conn->mode = MODE_TUNNEL;
 			}
 			else if (streq(kw->value, "beet"))
 			{
-				conn->policy |= POLICY_BEET;
+				conn->mode = MODE_BEET;
 			}
 			else if (streq(kw->value, "transport_proxy"))
 			{
-				conn->policy |= POLICY_PROXY;
+				conn->mode = MODE_TRANSPORT;
+				conn->proxy_mode = TRUE;
 			}
 			else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
 			{
-				conn->policy |= POLICY_SHUNT_PASS;
+				conn->mode = MODE_PASS;
 			}
-			else if (streq(kw->value, "drop"))
+			else if (streq(kw->value, "drop") || streq(kw->value, "reject"))
 			{
-				conn->policy |= POLICY_SHUNT_DROP;
+				conn->mode = MODE_DROP;
 			}
-			else if (streq(kw->value, "reject"))
+			else if (!streq(kw->value, "transport"))
 			{
-				conn->policy |= POLICY_SHUNT_REJECT;
-			}
-			else if (strcmp(kw->value, "transport") != 0)
-			{
-				plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
+				DBG1(DBG_APP, "# bad policy value: %s=%s", kw->entry->name,
+					 kw->value);
 				cfg->err++;
 			}
 			break;
-		case KW_PFS:
-			KW_POLICY_FLAG("yes", "no", POLICY_PFS)
-			break;
 		case KW_COMPRESS:
-			KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
+			KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_COMPRESS)
 			break;
 		case KW_AUTH:
-			KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
+			KW_SA_OPTION_FLAG("ah", "esp", SA_OPTION_AUTHENTICATE)
 			break;
-		case KW_AUTHBY:
-			conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
-
-			if (!streq(kw->value, "never"))
-			{
-				char *value = kw->value;
-				char *second = strchr(kw->value, '|');
-
-				if (second != NULL)
-				{
-					*second = '\0';
-				}
-
-				/* also handles the cases secret|rsasig and rsasig|secret */
-				for (;;)
-				{
-					if (streq(value, "rsa")   || streq(value, "rsasig")   ||
-						streq(value, "ecdsa") || streq(value, "ecdsasig") ||
-						streq(value, "pubkey"))
-					{
-						conn->policy |= POLICY_PUBKEY | POLICY_ENCRYPT;
-					}
-					else if (streq(value, "secret") || streq(value, "psk"))
-					{
-						conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
-					}
-					else if (streq(value, "xauthrsasig"))
-					{
-						conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
-					}
-					else if (streq(value, "xauthpsk") || streq(value, "eap"))
-					{
-						conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
-					}
-					else
-					{
-						plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
-						cfg->err++;
-						break;
-					}
-					if (second == NULL)
-					{
-						break;
-					}
-					value = second;
-					second = NULL; /* traverse the loop no more than twice */
-				}
-			}
-			break;
-		case KW_EAP:
-		{
-			char *sep;
-
-			/* check for vendor-type format */
-			sep = strchr(kw->value, '-');
-			if (sep)
-			{
-				*(sep++) = '\0';
-				conn->eap_type = atoi(kw->value);
-				conn->eap_vendor = atoi(sep);
-				if (conn->eap_type == 0 || conn->eap_vendor == 0)
-				{
-					plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
-					cfg->err++;
-				}
-				break;
-			}
-			conn->eap_type = eap_type_from_string(kw->value);
-			if (conn->eap_type == 0)
-			{
-				conn->eap_type = atoi(kw->value);
-				if (conn->eap_type == 0)
-				{
-					plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
-					cfg->err++;
-				}
-			}
-			break;
-		}
 		case KW_MARK:
 			if (!handle_mark(kw->value, &conn->mark_in))
 			{
@@ -749,7 +556,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 				conn->tfc = strtoul(kw->value, &endptr, 10);
 				if (*endptr != '\0')
 				{
-					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+					DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+						 kw->value);
 					cfg->err++;
 				}
 			}
@@ -766,36 +574,35 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 				conn->sa_keying_tries = strtoul(kw->value, &endptr, 10);
 				if (*endptr != '\0')
 				{
-					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+					DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+						 kw->value);
 					cfg->err++;
 				}
 			}
 			break;
 		case KW_REKEY:
-			KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
+			KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REKEY)
 			break;
 		case KW_REAUTH:
-			KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
+			KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REAUTH)
 			break;
 		case KW_MOBIKE:
-			KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
+			KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_MOBIKE)
 			break;
 		case KW_FORCEENCAPS:
-			KW_POLICY_FLAG("yes", "no", POLICY_FORCE_ENCAP)
+			KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_FORCE_ENCAP)
 			break;
 		case KW_MODECONFIG:
-			KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
+			KW_SA_OPTION_FLAG("push", "pull", SA_OPTION_MODECFG_PUSH)
 			break;
 		case KW_XAUTH:
-			KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
+			KW_SA_OPTION_FLAG("server", "client", SA_OPTION_XAUTH_SERVER)
 			break;
 		default:
 			break;
 		}
 	}
 
-	handle_dns_failure("left", &conn->left, cfg, conn);
-	handle_dns_failure("right", &conn->right, cfg, conn);
 	handle_firewall("left", &conn->left, cfg);
 	handle_firewall("right", &conn->right, cfg);
 }
@@ -806,7 +613,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 static void conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
 {
 	memcpy(conn, def, sizeof(starter_conn_t));
-	conn->name = clone_str(name);
+	conn->name = strdupnull(name);
 
 	clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
 	clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
@@ -836,27 +643,32 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 			{
 				also_t *also = malloc_thing(also_t);
 
-				also->name = clone_str(kw->value);
+				also->name = strdupnull(kw->value);
 				also->next = ca->also;
 				ca->also = also;
 
-				DBG(DBG_CONTROL,
-					DBG_log("  also=%s", kw->value)
-				)
+				DBG2(DBG_APP, "  also=%s", kw->value);
 			}
 			continue;
 		}
 
 		if (token < KW_CA_FIRST || token > KW_CA_LAST)
 		{
-			plog("# unsupported keyword '%s' in ca '%s'", kw->entry->name, ca_name);
+			DBG1(DBG_APP, "# unsupported keyword '%s' in ca '%s'",
+				 kw->entry->name, ca_name);
 			cfg->err++;
 			continue;
 		}
 
+		if (is_deprecated(token, kw, ca_name))
+		{
+			cfg->non_fatal_err++;
+			continue;
+		}
+
 		if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
 		{
-			plog("  bad argument value in ca '%s'", ca_name);
+			DBG1(DBG_APP, "  bad argument value in ca '%s'", ca_name);
 			cfg->err++;
 		}
 	}
@@ -872,7 +684,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 static void ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
 {
 	memcpy(ca, def, sizeof(starter_ca_t));
-	ca->name = clone_str(name);
+	ca->name = strdupnull(name);
 
 	clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
 }
@@ -889,13 +701,12 @@ static void load_also_conns(starter_conn_t *conn, also_t *also,
 
 		if (kw == NULL)
 		{
-			plog("  conn '%s' cannot include '%s'", conn->name, also->name);
+			DBG1(DBG_APP, "  conn '%s' cannot include '%s'", conn->name,
+				 also->name);
 		}
 		else
 		{
-			DBG(DBG_CONTROL,
-				DBG_log("conn '%s' includes '%s'", conn->name, also->name)
-			)
+			DBG2(DBG_APP, "conn '%s' includes '%s'", conn->name, also->name);
 			/* only load if no error occurred in the first round */
 			if (cfg->err == 0)
 				load_conn(conn, kw, cfg);
@@ -918,7 +729,7 @@ static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
 		{
 			if (conn->visit == c->visit)
 			{
-				plog("# detected also loop");
+				DBG1(DBG_APP, "# detected also loop");
 				cfg->err++;
 				return NULL;
 			}
@@ -929,7 +740,7 @@ static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
 		c = c->next;
 	}
 
-	plog("# also '%s' not found", name);
+	DBG1(DBG_APP, "# also '%s' not found", name);
 	cfg->err++;
 	return NULL;
 }
@@ -945,13 +756,12 @@ static void load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
 
 		if (kw == NULL)
 		{
-			plog("  ca '%s' cannot include '%s'", ca->name, also->name);
+			DBG1(DBG_APP, "  ca '%s' cannot include '%s'", ca->name,
+				 also->name);
 		}
 		else
 		{
-			DBG(DBG_CONTROL,
-				DBG_log("ca '%s' includes '%s'", ca->name, also->name)
-			)
+			DBG2(DBG_APP, "ca '%s' includes '%s'", ca->name, also->name);
 			/* only load if no error occurred in the first round */
 			if (cfg->err == 0)
 			load_ca(ca, kw, cfg);
@@ -974,7 +784,7 @@ static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
 		{
 			if (ca->visit == c->visit)
 			{
-				plog("# detected also loop");
+				DBG1(DBG_APP, "# detected also loop");
 				cfg->err++;
 				return NULL;
 			}
@@ -985,7 +795,7 @@ static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
 		c = c->next;
 	}
 
-	plog("# also '%s' not found", name);
+	DBG1(DBG_APP, "# also '%s' not found", name);
 	cfg->err++;
 	return NULL;
 }
@@ -1086,9 +896,6 @@ starter_config_t* confread_load(const char *file)
 	/* set default values */
 	default_values(cfg);
 
-	/* determine default route */
-	get_defaultroute(&cfg->defaultroute);
-
 	/* load config setup section */
 	load_setup(cfg, cfgp);
 
@@ -1100,15 +907,13 @@ starter_config_t* confread_load(const char *file)
 	{
 		if (streq(sca->name, "%default"))
 		{
-			DBG(DBG_CONTROL,
-				DBG_log("Loading ca %%default")
-			)
+			DBG2(DBG_APP, "Loading ca %%default");
 			load_ca(&cfg->ca_default, sca->kw, cfg);
 		}
 	}
 
 	/* parameters defined in ca %default sections can be overloads */
-	cfg->ca_default.seen = LEMPTY;
+	cfg->ca_default.seen = SEEN_NONE;
 
 	/* load other ca sections */
 	for (sca = cfgp->ca_first; sca; sca = sca->next)
@@ -1119,9 +924,7 @@ starter_config_t* confread_load(const char *file)
 		if (streq(sca->name, "%default"))
 			continue;
 
-		DBG(DBG_CONTROL,
-			DBG_log("Loading ca '%s'", sca->name)
-		)
+		DBG2(DBG_APP, "Loading ca '%s'", sca->name);
 		ca = malloc_thing(starter_ca_t);
 
 		ca_default(sca->name, ca, &cfg->ca_default);
@@ -1169,17 +972,15 @@ starter_config_t* confread_load(const char *file)
 	{
 		if (streq(sconn->name, "%default"))
 		{
-			DBG(DBG_CONTROL,
-				DBG_log("Loading conn %%default")
-			)
+			DBG2(DBG_APP, "Loading conn %%default");
 			load_conn(&cfg->conn_default, sconn->kw, cfg);
 		}
 	}
 
-	/* parameter defined in conn %default sections can be overloaded */
-	cfg->conn_default.seen       = LEMPTY;
-	cfg->conn_default.right.seen = LEMPTY;
-	cfg->conn_default.left.seen  = LEMPTY;
+	/* parameters defined in conn %default sections can be overloaded */
+	cfg->conn_default.seen       = SEEN_NONE;
+	cfg->conn_default.right.seen = SEEN_NONE;
+	cfg->conn_default.left.seen  = SEEN_NONE;
 
 	/* load other conn sections */
 	for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
@@ -1190,9 +991,7 @@ starter_config_t* confread_load(const char *file)
 		if (streq(sconn->name, "%default"))
 			continue;
 
-		DBG(DBG_CONTROL,
-			DBG_log("Loading conn '%s'", sconn->name)
-		)
+		DBG2(DBG_APP, "Loading conn '%s'", sconn->name);
 		conn = malloc_thing(starter_conn_t);
 
 		conn_default(sconn->name, conn, &cfg->conn_default);
@@ -1245,8 +1044,8 @@ starter_config_t* confread_load(const char *file)
 	total_err = cfg->err + cfg->non_fatal_err;
 	if (total_err > 0)
 	{
-		plog("### %d parsing error%s (%d fatal) ###"
-			, total_err, (total_err > 1)?"s":"", cfg->err);
+		DBG1(DBG_APP, "### %d parsing error%s (%d fatal) ###",
+			 total_err, (total_err > 1)?"s":"", cfg->err);
 	}
 
 	return cfg;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 9cb919ce5..0690bed4e 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -16,12 +16,14 @@
 #ifndef _IPSEC_CONFREAD_H_
 #define _IPSEC_CONFREAD_H_
 
-#ifndef _FREESWAN_H
-#include <freeswan.h>
-#endif
+#include <kernel/kernel_ipsec.h>
 
 #include "ipsec-parser.h"
-#include "interfaces.h"
+
+/** to mark seen keywords */
+typedef u_int64_t seen_t;
+#define SEEN_NONE 0;
+#define SEEN_KW(kw, base) ((seen_t)1 << ((kw) - (base)))
 
 typedef enum {
 		STARTUP_NO,
@@ -39,21 +41,59 @@ typedef enum {
 } starter_state_t;
 
 typedef enum {
-		KEY_EXCHANGE_IKE,
-		KEY_EXCHANGE_IKEV1,
-		KEY_EXCHANGE_IKEV2
+		/* shared with ike_version_t */
+		KEY_EXCHANGE_IKE = 0,
+		KEY_EXCHANGE_IKEV1 = 1,
+		KEY_EXCHANGE_IKEV2 = 2,
 } keyexchange_t;
 
 typedef enum {
 		STRICT_NO,
 		STRICT_YES,
-		STRICT_IFURI
+		STRICT_IFURI,
 } strict_t;
 
+typedef enum {
+		CERT_ALWAYS_SEND,
+		CERT_SEND_IF_ASKED,
+		CERT_NEVER_SEND,
+		CERT_YES_SEND,		/* synonym for CERT_ALWAYS_SEND */
+		CERT_NO_SEND,		/* synonym for CERT_NEVER_SEND */
+} certpolicy_t;
+
+typedef enum {
+		DPD_ACTION_NONE,
+		DPD_ACTION_CLEAR,
+		DPD_ACTION_HOLD,
+		DPD_ACTION_RESTART,
+		DPD_ACTION_UNKNOW,
+} dpd_action_t;
+
+typedef enum {
+		/* same as in ike_cfg.h */
+		FRAGMENTATION_NO,
+		FRAGMENTATION_YES,
+		FRAGMENTATION_FORCE,
+} fragmentation_t;
+
+typedef enum {
+		/* IPsec options */
+		SA_OPTION_AUTHENTICATE	= 1 << 0, /* use AH instead of ESP? */
+		SA_OPTION_COMPRESS      = 1 << 1, /* use IPComp */
+
+		/* IKE and other other options */
+		SA_OPTION_DONT_REKEY	= 1 << 2, /* don't rekey state either Phase */
+		SA_OPTION_DONT_REAUTH	= 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */
+		SA_OPTION_MODECFG_PUSH	= 1 << 4, /* is modecfg pushed by server? */
+		SA_OPTION_XAUTH_SERVER  = 1 << 5, /* are we an XAUTH server? */
+		SA_OPTION_MOBIKE		= 1 << 6, /* enable MOBIKE for IKEv2  */
+		SA_OPTION_FORCE_ENCAP   = 1 << 7, /* force UDP encapsulation */
+} sa_option_t;
+
 typedef struct starter_end starter_end_t;
 
 struct starter_end {
-		lset_t          seen;
+		seen_t          seen;
 		char            *auth;
 		char            *auth2;
 		char            *id;
@@ -64,29 +104,22 @@ struct starter_end {
 		char            *ca;
 		char            *ca2;
 		char            *groups;
+		char            *groups2;
 		char            *cert_policy;
-		char            *iface;
 		char            *host;
-		ip_address      addr;
 		u_int           ikeport;
-		ip_address      nexthop;
 		char            *subnet;
-		bool            has_client;
-		bool            has_client_wildcard;
-		bool            has_port_wildcard;
-		bool            has_natip;
-		bool            has_virt;
 		bool            modecfg;
 		certpolicy_t    sendcert;
 		bool            firewall;
 		bool            hostaccess;
 		bool            allow_any;
-		bool            dns_failed;
 		char            *updown;
-		u_int16_t       port;
+		u_int16_t       from_port;
+		u_int16_t       to_port;
 		u_int8_t        protocol;
 		char            *sourceip;
-		int				sourceip_mask;
+		char            *dns;
 };
 
 typedef struct also also_t;
@@ -100,7 +133,7 @@ struct also {
 typedef struct starter_conn starter_conn_t;
 
 struct starter_conn {
-		lset_t          seen;
+		seen_t          seen;
 		char            *name;
 		also_t          *also;
 		kw_list_t       *kw;
@@ -109,35 +142,36 @@ struct starter_conn {
 		starter_state_t state;
 
 		keyexchange_t   keyexchange;
-		u_int32_t       eap_type;
-		u_int32_t       eap_vendor;
 		char            *eap_identity;
 		char            *aaa_identity;
 		char            *xauth_identity;
-		lset_t          policy;
+		char            *authby;
+		ipsec_mode_t    mode;
+		bool            proxy_mode;
+		fragmentation_t fragmentation;
+		u_int           ikedscp;
+		sa_option_t     options;
 		time_t          sa_ike_life_seconds;
 		time_t          sa_ipsec_life_seconds;
 		time_t          sa_rekey_margin;
-		u_int64_t	sa_ipsec_life_bytes;
-		u_int64_t	sa_ipsec_margin_bytes;
-		u_int64_t	sa_ipsec_life_packets;
-		u_int64_t	sa_ipsec_margin_packets;
+		u_int64_t       sa_ipsec_life_bytes;
+		u_int64_t       sa_ipsec_margin_bytes;
+		u_int64_t       sa_ipsec_life_packets;
+		u_int64_t       sa_ipsec_margin_packets;
 		unsigned long   sa_keying_tries;
 		unsigned long   sa_rekey_fuzz;
 		u_int32_t       reqid;
 		mark_t          mark_in;
 		mark_t          mark_out;
 		u_int32_t       tfc;
-		sa_family_t     addr_family;
-		sa_family_t     tunnel_addr_family;
 		bool            install_policy;
+		bool            aggressive;
 		starter_end_t   left, right;
 
 		unsigned long   id;
 
 		char            *esp;
 		char            *ike;
-		char            *pfsgroup;
 
 		time_t          dpd_delay;
 		time_t          dpd_timeout;
@@ -158,7 +192,7 @@ struct starter_conn {
 typedef struct starter_ca starter_ca_t;
 
 struct starter_ca {
-		lset_t          seen;
+		seen_t          seen;
 		char            *name;
 		also_t          *also;
 		kw_list_t       *kw;
@@ -167,13 +201,11 @@ struct starter_ca {
 		starter_state_t state;
 
 		char            *cacert;
-		char            *ldaphost;
-		char            *ldapbase;
 		char            *crluri;
 		char            *crluri2;
 		char            *ocspuri;
 		char            *ocspuri2;
-		char        *certuribase;
+		char            *certuribase;
 
 		bool            strict;
 
@@ -184,43 +216,14 @@ typedef struct starter_config starter_config_t;
 
 struct starter_config {
 		struct {
-				lset_t  seen;
-				char    **interfaces;
-				char    *dumpdir;
-				bool    charonstart;
-				bool    plutostart;
-
-				/* pluto/charon keywords */
-				char     **plutodebug;
+				seen_t  seen;
+				bool     charonstart;
 				char     *charondebug;
-				char     *prepluto;
-				char     *postpluto;
-				char     *plutostderrlog;
 				bool     uniqueids;
-				u_int    overridemtu;
-				time_t   crlcheckinterval;
 				bool     cachecrls;
 				strict_t strictcrlpolicy;
-				bool     nocrsend;
-				bool     nat_traversal;
-				time_t   keep_alive;
-				u_int    force_keepalive;
-				char     *virtual_private;
-				char     *pkcs11module;
-				char     *pkcs11initargs;
-				bool     pkcs11keepstate;
-				bool     pkcs11proxy;
-
-				/* KLIPS keywords */
-				char    **klipsdebug;
-				bool    fragicmp;
-				char    *packetdefault;
-				bool    hidetos;
 		} setup;
 
-		/* information about the default route */
-		defaultroute_t defaultroute;
-
 		/* number of encountered parsing errors */
 		u_int err;
 		u_int non_fatal_err;
@@ -245,4 +248,3 @@ extern starter_config_t *confread_load(const char *file);
 extern void confread_free(starter_config_t *cfg);
 
 #endif /* _IPSEC_CONFREAD_H_ */
-
diff --git a/src/starter/exec.c b/src/starter/exec.c
deleted file mode 100644
index d4c4f0657..000000000
--- a/src/starter/exec.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/* strongSwan IPsec exec helper function
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <stdio.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-
-#include "exec.h"
-
-#define BUF_SIZE  2048
-
-/**
- * TODO:
- * o log stdout with LOG_LEVEL_INFO and stderr with LOG_LEVEL_ERR
- */
-
-int
-starter_exec(const char *fmt, ...)
-{
-	va_list args;
-	static char buf[BUF_SIZE];
-	int r;
-
-	va_start (args, fmt);
-	vsnprintf(buf, BUF_SIZE-1, fmt, args);
-	buf[BUF_SIZE - 1] = '\0';
-	va_end(args);
-	r = system(buf);
-	DBG(DBG_CONTROL,
-		DBG_log("starter_exec(%s) = %d", buf, r)
-	)
-	return r;
-}
-
diff --git a/src/starter/exec.h b/src/starter/exec.h
deleted file mode 100644
index 6a6414578..000000000
--- a/src/starter/exec.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* strongSwan IPsec starter exec helper function
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_EXEC_H_
-#define _STARTER_EXEC_H_
-
-extern int starter_exec (const char *fmt, ...);
-
-#endif /* _STARTER_EXEC_H_ */
-
diff --git a/src/starter/files.h b/src/starter/files.h
index 88857c0b2..76cdaa986 100644
--- a/src/starter/files.h
+++ b/src/starter/files.h
@@ -15,8 +15,6 @@
 #ifndef _STARTER_FILES_H_
 #define _STARTER_FILES_H_
 
-#define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid"
-
 #define PROC_NETKEY             "/proc/net/pfkey"
 #define PROC_KLIPS              "/proc/net/pf_key"
 #define PROC_MODULES    "/proc/modules"
@@ -24,13 +22,11 @@
 #define CONFIG_FILE     IPSEC_CONFDIR "/ipsec.conf"
 #define SECRETS_FILE    IPSEC_CONFDIR "/ipsec.secrets"
 
-#define PLUTO_CMD       IPSEC_DIR "/pluto"
-#define PLUTO_CTL_FILE  IPSEC_PIDDIR "/pluto.ctl"
-#define PLUTO_PID_FILE  IPSEC_PIDDIR "/pluto.pid"
-
-#define CHARON_CMD      IPSEC_DIR "/charon"
 #define CHARON_CTL_FILE IPSEC_PIDDIR "/charon.ctl"
-#define CHARON_PID_FILE IPSEC_PIDDIR "/charon.pid"
+
+extern char *daemon_name;
+extern char *cmd;
+extern char *pid_file;
 
 #define DYNIP_DIR       IPSEC_PIDDIR "/dynip"
 
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
deleted file mode 100644
index 4a2ae0a57..000000000
--- a/src/starter/interfaces.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/* strongSwan IPsec interfaces management
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *               2009 Heiko Hund - Astaro AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
-
-#include "interfaces.h"
-#include "exec.h"
-#include "files.h"
-
-#ifdef START_PLUTO
-
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <linux/rtnetlink.h>
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>
-#endif
-
-/*
- * Get the default route information via rtnetlink
- */
-void
-get_defaultroute(defaultroute_t *defaultroute)
-{
-	union {
-		struct {
-			struct nlmsghdr nh;
-			struct rtmsg    rt;
-		} m;
-		char buf[4096];
-	} rtu;
-
-	struct nlmsghdr *nh;
-	uint32_t best_metric = ~0;
-	ssize_t msglen;
-	int fd;
-
-	memset(&rtu, 0, sizeof(rtu));
-	rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
-	rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
-	rtu.m.nh.nlmsg_type = RTM_GETROUTE;
-	rtu.m.rt.rtm_family = AF_INET;
-	rtu.m.rt.rtm_table = RT_TABLE_UNSPEC;
-	rtu.m.rt.rtm_protocol = RTPROT_UNSPEC;
-	rtu.m.rt.rtm_type = RTN_UNICAST;
-
-	fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
-	if (fd == -1)
-	{
-		plog("could not create rtnetlink socket");
-		return;
-	}
-
-	if (send(fd, &rtu, rtu.m.nh.nlmsg_len, 0) == -1)
-	{
-		plog("could not write to rtnetlink socket");
-		close(fd);
-		return;
-	}
-
-	msglen = recv(fd, &rtu, sizeof(rtu), MSG_WAITALL);
-	if (msglen == -1)
-	{
-		plog("could not read from rtnetlink socket");
-		close(fd);
-		return;
-	}
-
-	close(fd);
-
-	for (nh = &rtu.m.nh; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen))
-	{
-		struct rtmsg *rt;
-		struct rtattr *rta;
-		uint32_t rtalen, metric = 0;
-		struct in_addr gw = { .s_addr = INADDR_ANY };
-		int iface_idx = -1;
-
-		if (nh->nlmsg_type == NLMSG_ERROR)
-		{
-			plog("error from rtnetlink");
-			return;
-		}
-
-		if (nh->nlmsg_type == NLMSG_DONE)
-			break;
-
-		rt = NLMSG_DATA(nh);
-		if ( rt->rtm_dst_len != 0
-		||  (rt->rtm_table != RT_TABLE_MAIN
-		  && rt->rtm_table != RT_TABLE_DEFAULT) )
-			continue;
-
-		rta = RTM_RTA(rt);
-		rtalen = RTM_PAYLOAD(nh);
-		while ( RTA_OK(rta, rtalen) )
-		{
-			switch (rta->rta_type)
-			{
-			case RTA_GATEWAY:
-				gw = *(struct in_addr *) RTA_DATA(rta);
-				break;
-			case RTA_OIF:
-				iface_idx = *(int *) RTA_DATA(rta);
-				break;
-			case RTA_PRIORITY:
-				metric = *(uint32_t *) RTA_DATA(rta);
-				break;
-			}
-			rta = RTA_NEXT(rta, rtalen);
-		}
-
-		if (metric < best_metric
-		&&  iface_idx != -1)
-		{
-			struct ifreq req;
-
-			fd = socket(AF_INET, SOCK_DGRAM, 0);
-			if (fd < 0)
-			{
-				plog("could not open AF_INET socket");
-				break;
-			}
-			memset(&req, 0, sizeof(req));
-			req.ifr_ifindex = iface_idx;
-			if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
-				ioctl(fd, SIOCGIFADDR, &req) < 0)
-			{
-				plog("could not read interface data, ignoring route");
-				close(fd);
-				break;
-			}
-
-			strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ);
-			defaultroute->iface[IFNAMSIZ-1] = '\0';
-			defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr);
-			defaultroute->nexthop.u.v4.sin_family = AF_INET;
-
-			if (gw.s_addr == INADDR_ANY)
-			{
-				if (ioctl(fd, SIOCGIFDSTADDR, &req) < 0 ||
-					((struct sockaddr_in*) &req.ifr_dstaddr)->sin_addr.s_addr == INADDR_ANY)
-				{
-					DBG_log("Ignoring default route to device %s because we can't get it's destination",
-							req.ifr_name);
-					close(fd);
-					break;
-				}
-
-				defaultroute->nexthop.u.v4 = *((struct sockaddr_in *) &req.ifr_dstaddr);
-			}
-			else
-				defaultroute->nexthop.u.v4.sin_addr = gw;
-
-			close(fd);
-
-			DBG(DBG_CONTROL,
-				char addr[20];
-				char nexthop[20];
-				addrtot(&defaultroute->addr, 0, addr, sizeof(addr));
-				addrtot(&defaultroute->nexthop, 0, nexthop, sizeof(nexthop));
-
-				DBG_log(
-					( !defaultroute->defined
-					? "Default route found: iface=%s, addr=%s, nexthop=%s"
-					: "Better default route: iface=%s, addr=%s, nexthop=%s"
-					), defaultroute->iface, addr, nexthop
-				)
-			);
-
-			best_metric = metric;
-			defaultroute->defined = TRUE;
-		}
-	}
-	defaultroute->supported = TRUE;
-
-	if (!defaultroute->defined)
-		plog("no default route - cannot cope with %%defaultroute!!!");
-}
-
-#else /* !START_PLUTO */
-
-/**
- * Pluto disabled, fall back to %any
- */
-void
-get_defaultroute(defaultroute_t *defaultroute)
-{
-	defaultroute->supported = FALSE;
-}
-#endif /* START_PLUTO */
-
diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h
deleted file mode 100644
index ff8535f0e..000000000
--- a/src/starter/interfaces.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* strongSwan IPsec interfaces management
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_INTERFACES_H_
-#define _STARTER_INTERFACES_H_
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <net/if.h>
-
-#include "../pluto/constants.h"
-
-typedef struct {
-	bool defined;
-	bool supported;
-	char iface[IFNAMSIZ];
-	ip_address addr;
-	ip_address nexthop;
-} defaultroute_t;
-
-extern void get_defaultroute(defaultroute_t *defaultroute);
-
-
-#endif /* _STARTER_INTERFACES_H_ */
-
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index e88939415..d981f6c17 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -23,11 +23,8 @@
 #include <stdlib.h>
 #include <errno.h>
 
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
 
 #include "confread.h"
 #include "invokecharon.h"
@@ -49,22 +46,22 @@ void starter_charon_sigchild(pid_t pid, int status)
 		if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
 			status == SS_RC_DAEMON_INTEGRITY)
 		{
-			plog("charon has quit: integrity test of %s failed",
-				  (status == 64) ? "libstrongswan" : "charon");
+			DBG1(DBG_APP, "%s has quit: integrity test of %s failed",
+				 daemon_name, (status == 64) ? "libstrongswan" : daemon_name);
 			_stop_requested = 1;
 		}
 		else if (status == SS_RC_INITIALIZATION_FAILED)
 		{
-			plog("charon has quit: initialization failed");
+			DBG1(DBG_APP, "%s has quit: initialization failed", daemon_name);
 			_stop_requested = 1;
 		}
 		if (!_stop_requested)
 		{
-			plog("charon has died -- restart scheduled (%dsec)"
-				, CHARON_RESTART_DELAY);
+			DBG1(DBG_APP, "%s has died -- restart scheduled (%dsec)",
+				 daemon_name, CHARON_RESTART_DELAY);
 			alarm(CHARON_RESTART_DELAY);   // restart in 5 sec
 		}
-		unlink(CHARON_PID_FILE);
+		unlink(pid_file);
 	}
 }
 
@@ -91,7 +88,8 @@ int starter_stop_charon (void)
 			else if (i == 40)
 			{
 				kill(pid, SIGKILL);
-				plog("starter_stop_charon(): charon does not respond, sending KILL");
+				DBG1(DBG_APP, "starter_stop_charon(): %s does not respond, sending KILL",
+					 daemon_name);
 			}
 			else
 			{
@@ -101,15 +99,15 @@ int starter_stop_charon (void)
 		}
 		if (_charon_pid == 0)
 		{
-			plog("charon stopped after %d ms", 200*i);
+			DBG1(DBG_APP, "%s stopped after %d ms", daemon_name, 200*i);
 			return 0;
 		}
-		plog("starter_stop_charon(): can't stop charon !!!");
+		DBG1(DBG_APP, "starter_stop_charon(): can't stop %s !!!", daemon_name);
 		return -1;
 	}
 	else
 	{
-		plog("stater_stop_charon(): charon was not started...");
+		DBG1(DBG_APP, "stater_stop_charon(): %s was not started...", daemon_name);
 	}
 	return -1;
 }
@@ -122,7 +120,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 	char buffer[BUF_LEN];
 	int argc = 1;
 	char *arg[] = {
-		CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+		cmd, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
@@ -133,7 +131,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 		argc = 0;
 		arg[argc++] = "/usr/bin/gdb";
 		arg[argc++] = "--args";
-		arg[argc++] = CHARON_CMD;
+		arg[argc++] = cmd;
 		}
 	if (!no_fork)
 	{
@@ -175,7 +173,8 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 
 	if (_charon_pid)
 	{
-		plog("starter_start_charon(): charon already started...");
+		DBG1(DBG_APP, "starter_start_charon(): %s already started...",
+			 daemon_name);
 		return -1;
 	}
 	else
@@ -187,34 +186,37 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 		switch (pid)
 		{
 		case -1:
-			plog("can't fork(): %s", strerror(errno));
+			DBG1(DBG_APP, "can't fork(): %s", strerror(errno));
 			return -1;
 		case 0:
 			/* child */
 			setsid();
+			closefrom(3);
 			sigprocmask(SIG_SETMASK, 0, NULL);
 			/* disable glibc's malloc checker, conflicts with leak detective */
 			setenv("MALLOC_CHECK_", "0", 1);
 			execv(arg[0], arg);
-			plog("can't execv(%s,...): %s", arg[0], strerror(errno));
+			DBG1(DBG_APP, "can't execv(%s,...): %s", arg[0], strerror(errno));
 			exit(1);
 		default:
 			/* father */
-				_charon_pid = pid;
-				for (i = 0; i < 500 && _charon_pid; i++)
+			_charon_pid = pid;
+			for (i = 0; i < 500 && _charon_pid; i++)
 			{
 				/* wait for charon for a maximum of 500 x 20 ms = 10 s */
 				usleep(20000);
-				if (stat(CHARON_PID_FILE, &stb) == 0)
+				if (stat(pid_file, &stb) == 0)
 				{
-					plog("charon (%d) started after %d ms", _charon_pid, 20*(i+1));
+					DBG1(DBG_APP, "%s (%d) started after %d ms", daemon_name,
+						 _charon_pid, 20*(i+1));
 					return 0;
 				}
 			}
 			if (_charon_pid)
 			{
 				/* If charon is started but with no ctl file, stop it */
-				plog("charon too long to start... - kill kill");
+				DBG1(DBG_APP, "%s too long to start... - kill kill",
+					 daemon_name);
 				for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
 				{
 					if (i == 0)
@@ -234,7 +236,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
 			}
 			else
 			{
-				plog("charon refused to be started");
+				DBG1(DBG_APP, "%s refused to be started", daemon_name);
 			}
 			return -1;
 		}
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
deleted file mode 100644
index 70c0692ea..000000000
--- a/src/starter/invokepluto.c
+++ /dev/null
@@ -1,327 +0,0 @@
-/* strongSwan Pluto launcher
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <signal.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-
-#include "confread.h"
-#include "invokepluto.h"
-#include "files.h"
-#include "starterwhack.h"
-#
-static int _pluto_pid = 0;
-static int _stop_requested;
-
-pid_t
-starter_pluto_pid(void)
-{
-	return _pluto_pid;
-}
-
-void
-starter_pluto_sigchild(pid_t pid, int status)
-{
-	if (pid == _pluto_pid)
-	{
-		_pluto_pid = 0;
-		if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
-			status == SS_RC_DAEMON_INTEGRITY)
-		{
-			plog("pluto has quit: integrity test of %s failed",
-				  (status == 64) ? "libstrongswan" : "pluto");
-			_stop_requested = 1;
-		}
-		else if (status == SS_RC_INITIALIZATION_FAILED)
-		{
-			plog("pluto has quit: initialization failed");
-			_stop_requested = 1;
-		}
-		if (!_stop_requested)
-		{
-			plog("pluto has died -- restart scheduled (%dsec)"
-				, PLUTO_RESTART_DELAY);
-			alarm(PLUTO_RESTART_DELAY);   // restart in 5 sec
-		}
-		unlink(PLUTO_PID_FILE);
-	}
-}
-
-int
-starter_stop_pluto (void)
-{
-	int i;
-	pid_t pid = _pluto_pid;
-
-	if (pid)
-	{
-		_stop_requested = 1;
-
-		if (starter_whack_shutdown() == 0)
-		{
-			for (i = 0; i < 400; i++)
-			{
-				usleep(20000); /* sleep for 20 ms */
-				if (_pluto_pid == 0)
-				{
-					plog("pluto stopped after %d ms", 20*(i+1));
-					return 0;
-				}
-			}
-		}
-		/* be more and more aggressive */
-		for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
-		{
-
-			if (i < 10)
-			{
-				kill(pid, SIGTERM);
-			}
-			if (i == 10)
-			{
-				kill(pid, SIGKILL);
-				plog("starter_stop_pluto(): pluto does not respond, sending KILL");
-			}
-			else
-			{
-				kill(pid, SIGKILL);
-			}
-			usleep(100000); /* sleep for 100 ms */
-		}
-		if (_pluto_pid == 0)
-		{
-			plog("pluto stopped after %d ms", 8000 + 100*i);
-			return 0;
-		}
-		plog("starter_stop_pluto(): can't stop pluto !!!");
-		return -1;
-	}
-	else
-	{
-		plog("stater_stop_pluto(): pluto is not started...");
-	}
-	return -1;
-}
-
-#define ADD_DEBUG(v) { \
-		for (l = cfg->setup.plutodebug; l && *l; l++) if (streq(*l, v)) \
-				arg[argc++] = "--debug-" v; \
-		}
-
-int
-starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb)
-{
-	struct stat stb;
-	int i;
-	pid_t pid;
-	char **l;
-	int argc = 2;
-	char *arg[] = {
-			  PLUTO_CMD, "--nofork"
-			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-			, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-		};
-
-	printf ("starter_start_pluto entered\n");
-
-	if (attach_gdb)
-	{
-		argc = 0;
-		arg[argc++] = "/usr/bin/gdb";
-		arg[argc++] = "--args";
-		arg[argc++] = PLUTO_CMD;
-		arg[argc++] = "--nofork";
-		}
-	if (cfg->setup.plutostderrlog || no_fork)
-	{
-		arg[argc++] = "--stderrlog";
-	}
-	if (cfg->setup.uniqueids)
-	{
-		arg[argc++] = "--uniqueids";
-	}
-	ADD_DEBUG("none")
-	ADD_DEBUG("all")
-	ADD_DEBUG("raw")
-	ADD_DEBUG("crypt")
-	ADD_DEBUG("parsing")
-	ADD_DEBUG("emitting")
-	ADD_DEBUG("control")
-	ADD_DEBUG("lifecycle")
-	ADD_DEBUG("klips")
-	ADD_DEBUG("kernel")
-	ADD_DEBUG("dns")
-	ADD_DEBUG("natt")
-	ADD_DEBUG("oppo")
-	ADD_DEBUG("controlmore")
-	ADD_DEBUG("private")
-	if (cfg->setup.crlcheckinterval > 0)
-	{
-		static char buf1[15];
-
-		arg[argc++] = "--crlcheckinterval";
-		snprintf(buf1, sizeof(buf1), "%d", (int)cfg->setup.crlcheckinterval);
-		arg[argc++] = buf1;
-	}
-	if (cfg->setup.cachecrls)
-	{
-		arg[argc++] = "--cachecrls";
-	}
-	if (cfg->setup.strictcrlpolicy)
-	{
-		arg[argc++] = "--strictcrlpolicy";
-	}
-	if (cfg->setup.nocrsend)
-	{
-		arg[argc++] = "--nocrsend";
-	}
-	if (cfg->setup.nat_traversal)
-	{
-		arg[argc++] = "--nat_traversal";
-	}
-	if (cfg->setup.force_keepalive)
-	{
-		arg[argc++] = "--force_keepalive";
-	}
-	if (cfg->setup.keep_alive)
-	{
-		static char buf2[15];
-
-		arg[argc++] = "--keep_alive";
-		snprintf(buf2, sizeof(buf2), "%d", (int)cfg->setup.keep_alive);
-		arg[argc++] = buf2;
-	}
-	if (cfg->setup.virtual_private)
-	{
-		arg[argc++] = "--virtual_private";
-		arg[argc++] = cfg->setup.virtual_private;
-	}
-	if (cfg->setup.pkcs11module)
-	{
-		arg[argc++] = "--pkcs11module";
-		arg[argc++] = cfg->setup.pkcs11module;
-	}
-	if (cfg->setup.pkcs11initargs)
-	{
-		arg[argc++] = "--pkcs11initargs";
-		arg[argc++] = cfg->setup.pkcs11initargs;
-	}
-	if (cfg->setup.pkcs11keepstate)
-	{
-		arg[argc++] = "--pkcs11keepstate";
-	}
-	if (cfg->setup.pkcs11proxy)
-	{
-		arg[argc++] = "--pkcs11proxy";
-	}
-
-	if (_pluto_pid)
-	{
-		plog("starter_start_pluto(): pluto already started...");
-		return -1;
-	}
-	else
-	{
-		unlink(PLUTO_CTL_FILE);
-		_stop_requested = 0;
-
-		if (cfg->setup.prepluto)
-			ignore_result(system(cfg->setup.prepluto));
-
-		pid = fork();
-		switch (pid)
-		{
-		case -1:
-			plog("can't fork(): %s", strerror(errno));
-			return -1;
-		case 0:
-			/* child */
-			if (cfg->setup.plutostderrlog)
-			{
-				int f = creat(cfg->setup.plutostderrlog, 00644);
-
-				/* redirect stderr to file */
-				if (f < 0)
-				{
-					plog("couldn't open stderr redirection file '%s'",
-						  cfg->setup.plutostderrlog);
-				}
-				else
-				{
-					dup2(f, 2);
-				}
-			}
-			setsid();
-			sigprocmask(SIG_SETMASK, 0, NULL);
-			/* disable glibc's malloc checker, conflicts with leak detective */
-			setenv("MALLOC_CHECK_", "0", 1);
-			execv(arg[0], arg);
-			plog("can't execv(%s,...): %s", arg[0], strerror(errno));
-			exit(1);
-		default:
-			/* father */
-			_pluto_pid = pid;
-			for (i = 0; i < 500 && _pluto_pid; i++)
-			{
-				/* wait for pluto for a maximum of 500 x 20 ms = 10 s */
-				usleep(20000);
-				if (stat(PLUTO_CTL_FILE, &stb) == 0)
-				{
-					plog("pluto (%d) started after %d ms", _pluto_pid, 20*(i+1));
-					if (cfg->setup.postpluto)
-					{
-						ignore_result(system(cfg->setup.postpluto));
-					}
-					return 0;
-				}
-			}
-			if (_pluto_pid)
-			{
-				/* If pluto is started but with no ctl file, stop it */
-				plog("pluto too long to start... - kill kill");
-				for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
-				{
-					if (i < 10)
-					{
-						kill(pid, SIGTERM);
-					}
-					else
-					{
-						kill(pid, SIGKILL);
-					}
-					usleep(20000); /* sleep for 20 ms */
-				}
-			}
-			else
-			{
-				plog("pluto refused to be started");
-			}
-			return -1;
-		}
-	}
-	return -1;
-}
diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h
deleted file mode 100644
index c87f50c2a..000000000
--- a/src/starter/invokepluto.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/* strongSwan pluto launcher
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_PLUTO_H_
-#define _STARTER_PLUTO_H_
-
-#define PLUTO_RESTART_DELAY    5
-
-extern void starter_pluto_sigchild (pid_t pid, int status);
-extern pid_t starter_pluto_pid (void);
-extern int starter_stop_pluto (void);
-extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb);
-
-#endif /* _STARTER_PLUTO_H_ */
-
diff --git a/src/starter/ipsec.conf b/src/starter/ipsec.conf
index b1e5d5e0c..a33d68c0a 100644
--- a/src/starter/ipsec.conf
+++ b/src/starter/ipsec.conf
@@ -3,20 +3,14 @@
 # basic configuration
 
 config setup
-	# plutodebug=all
-	# crlcheckinterval=600
 	# strictcrlpolicy=yes
-	# cachecrls=yes
-	# nat_traversal=yes
-	# charonstart=no
-	# plutostart=no
+	# uniqueids = no
 
 # Add connections here.
 
 # Sample VPN connections
 
 #conn sample-self-signed
-#      left=%defaultroute
 #      leftsubnet=10.1.0.0/16
 #      leftcert=selfCert.der
 #      leftsendcert=never
@@ -26,11 +20,9 @@ config setup
 #      auto=start
 
 #conn sample-with-ca-cert
-#      left=%defaultroute
 #      leftsubnet=10.1.0.0/16
 #      leftcert=myCert.pem
 #      right=192.168.0.2
 #      rightsubnet=10.2.0.0/16
 #      rightid="C=CH, O=Linux strongSwan CN=peer name"
-#      keyexchange=ikev2
 #      auto=start
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index edb55ae7f..20ec1501d 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -30,7 +30,7 @@ error "gperf generated tables don't work with this execution character set. Plea
 #endif
 
 
-/* strongSwan keywords
+/*
  * Copyright (C) 2005 Andreas Steffen
  * Hochschule fuer Technik Rapperswil, Switzerland
  *
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 131
+#define TOTAL_KEYWORDS 138
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 246
-/* maximum key range = 238, duplicates = 0 */
+#define MAX_HASH_VALUE 257
+/* maximum key range = 249, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -73,34 +73,34 @@ hash (str, len)
      register const char *str;
      register unsigned int len;
 {
-  static const unsigned char asso_values[] =
+  static const unsigned short asso_values[] =
     {
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247,  12,
-      126, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247,  51, 247,  11,   1,  92,
-       43,   0,   6,   0, 110,   0, 247, 120,  56,  37,
-       27,  72,  43,   1,  16,   0,   5,  75,   1, 247,
-      247,  11,   5, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
-      247, 247, 247, 247, 247, 247
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258,  14,
+      129, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258,   3, 258,  31,   1,  83,
+       50,   5,   4,   1,  60,   1, 258, 121,  62,   5,
+       33,  51,  41,   2,  22,   1,  25, 103,   1, 258,
+      258,   8,   2, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+      258, 258, 258, 258, 258, 258
     };
   register int hval = len;
 
@@ -123,166 +123,174 @@ hash (str, len)
 
 static const struct kw_entry wordlist[] =
   {
-    {"pfs",               KW_PFS},
-    {"right",             KW_RIGHT},
+    {"pfs",               KW_PFS_DEPRECATED},
     {"rightgroups",       KW_RIGHTGROUPS},
+    {"aggressive",        KW_AGGRESSIVE},
     {"lifetime",          KW_KEYLIFE},
+    {"rightsigkey",       KW_RIGHTSIGKEY},
+    {"lifebytes",         KW_LIFEBYTES},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"leftsigkey",        KW_LEFTSIGKEY},
+    {"keylife",           KW_KEYLIFE},
+    {"leftrsasigkey",     KW_LEFTSIGKEY},
+    {"right",             KW_RIGHT},
+    {"leftcertpolicy",    KW_LEFTCERTPOLICY},
     {"left",              KW_LEFT},
     {"rightsubnet",       KW_RIGHTSUBNET},
     {"rightikeport",      KW_RIGHTIKEPORT},
     {"rightsendcert",     KW_RIGHTSENDCERT},
+    {"leftgroups",        KW_LEFTGROUPS},
+    {"rightrsasigkey",    KW_RIGHTSIGKEY},
     {"leftcert",          KW_LEFTCERT},
-    {"keep_alive",        KW_KEEP_ALIVE},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {"leftsendcert",      KW_LEFTSENDCERT},
-    {"keylife",           KW_KEYLIFE},
-    {"lifebytes",         KW_LIFEBYTES},
     {"lifepackets",       KW_LIFEPACKETS},
-    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"leftcertpolicy",    KW_LEFTCERTPOLICY},
-    {"leftgroups",        KW_LEFTGROUPS},
-    {"leftca",            KW_LEFTCA},
-    {"rightallowany",     KW_RIGHTALLOWANY},
     {"uniqueids",         KW_UNIQUEIDS},
-    {"leftprotoport",     KW_LEFTPROTOPORT},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
-    {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {"certuribase",       KW_CERTURIBASE},
-    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
-    {"interfaces",        KW_INTERFACES},
-    {"reqid",             KW_REQID},
-    {"rightid",           KW_RIGHTID},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"leftdns",           KW_LEFTDNS},
+    {"leftsendcert",      KW_LEFTSENDCERT},
+    {"rightsubnetwithin", KW_RIGHTSUBNET},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"keep_alive",        KW_SETUP_DEPRECATED},
     {"rightsourceip",     KW_RIGHTSOURCEIP},
     {"type",              KW_TYPE},
-    {"inactivity",        KW_INACTIVITY},
-    {"leftnexthop",       KW_LEFTNEXTHOP},
-    {"mark_in",           KW_MARK_IN},
+    {"rightid",           KW_RIGHTID},
+    {"rightdns",          KW_RIGHTDNS},
+    {"reqid",             KW_REQID},
+    {"certuribase",       KW_CERTURIBASE},
+    {"leftnexthop",       KW_LEFT_DEPRECATED},
+    {"mobike",	           KW_MOBIKE},
+    {"leftprotoport",     KW_LEFTPROTOPORT},
+    {"compress",          KW_COMPRESS},
+    {"me_peerid",         KW_ME_PEERID},
+    {"interfaces",        KW_SETUP_DEPRECATED},
+    {"virtual_private",   KW_SETUP_DEPRECATED},
+    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"leftca",            KW_LEFTCA},
+    {"righthostaccess",   KW_RIGHTHOSTACCESS},
+    {"rightfirewall",     KW_RIGHTFIREWALL},
     {"rightprotoport",    KW_RIGHTPROTOPORT},
-    {"margintime",        KW_REKEYMARGIN},
-    {"marginbytes",       KW_MARGINBYTES},
-    {"marginpackets",     KW_MARGINPACKETS},
-    {"leftnatip",         KW_LEFTNATIP},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {"ldapbase",          KW_LDAPBASE},
+    {"inactivity",        KW_INACTIVITY},
     {"leftfirewall",      KW_LEFTFIREWALL},
-    {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"crluri",            KW_CRLURI},
-    {"mobike",	           KW_MOBIKE},
-    {"rightnatip",        KW_RIGHTNATIP},
-    {"rightnexthop",      KW_RIGHTNEXTHOP},
-    {"mediation",         KW_MEDIATION},
+    {"esp",               KW_ESP},
+    {"rightnexthop",      KW_RIGHT_DEPRECATED},
+    {"forceencaps",       KW_FORCEENCAPS},
     {"leftallowany",      KW_LEFTALLOWANY},
+    {"crluri",            KW_CRLURI},
     {"leftupdown",        KW_LEFTUPDOWN},
-    {"overridemtu",       KW_OVERRIDEMTU},
-    {"aaa_identity",      KW_AAA_IDENTITY},
-    {"esp",               KW_ESP},
+    {"mark_in",           KW_MARK_IN},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"force_keepalive",   KW_SETUP_DEPRECATED},
+    {"marginbytes",       KW_MARGINBYTES},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"margintime",        KW_REKEYMARGIN},
+    {"rightauth",         KW_RIGHTAUTH},
+    {"fragmentation",     KW_FRAGMENTATION},
+    {"pfsgroup",          KW_PFS_DEPRECATED},
     {"crluri1",           KW_CRLURI},
-    {"lefthostaccess",    KW_LEFTHOSTACCESS},
-    {"leftsubnet",        KW_LEFTSUBNET},
+    {"rightcertpolicy",   KW_RIGHTCERTPOLICY},
+    {"hidetos",           KW_SETUP_DEPRECATED},
+    {"keyexchange",       KW_KEYEXCHANGE},
+    {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"ocspuri",           KW_OCSPURI},
     {"leftid",            KW_LEFTID},
-    {"forceencaps",       KW_FORCEENCAPS},
-    {"eap",               KW_EAP},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"me_peerid",         KW_ME_PEERID},
-    {"rightcert",         KW_RIGHTCERT},
+    {"eap",               KW_CONN_DEPRECATED},
     {"installpolicy",     KW_INSTALLPOLICY},
-    {"authby",            KW_AUTHBY},
-    {"klipsdebug",        KW_KLIPSDEBUG},
+    {"also",              KW_ALSO},
+    {"rightcert",         KW_RIGHTCERT},
+    {"overridemtu",       KW_SETUP_DEPRECATED},
+    {"mediation",         KW_MEDIATION},
     {"rightca",           KW_RIGHTCA},
-    {"mark_out",          KW_MARK_OUT},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"keyexchange",       KW_KEYEXCHANGE},
-    {"ocspuri",           KW_OCSPURI},
-    {"compress",          KW_COMPRESS},
-    {"rightcertpolicy",   KW_RIGHTCERTPOLICY},
-    {"cacert",            KW_CACERT},
-    {"eap_identity",      KW_EAP_IDENTITY},
-    {"hidetos",           KW_HIDETOS},
-    {"ike",               KW_IKE},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"packetdefault",     KW_PACKETDEFAULT},
-    {"dpdaction",         KW_DPDACTION},
+    {"klipsdebug",        KW_SETUP_DEPRECATED},
+    {"ldapbase",          KW_CA_DEPRECATED},
     {"ocspuri1",          KW_OCSPURI},
-    {"pfsgroup",          KW_PFSGROUP},
-    {"rightauth",         KW_RIGHTAUTH},
-    {"also",              KW_ALSO},
-    {"leftsourceip",      KW_LEFTSOURCEIP},
-    {"rightid2",          KW_RIGHTID2},
-    {"dumpdir",           KW_DUMPDIR},
-    {"rekey",             KW_REKEY},
-    {"ikelifetime",       KW_IKELIFETIME},
     {"dpdtimeout",        KW_DPDTIMEOUT},
-    {"ldaphost",          KW_LDAPHOST},
+    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"ike",               KW_IKE},
+    {"charondebug",       KW_CHARONDEBUG},
+    {"mark_out",          KW_MARK_OUT},
+    {"dumpdir",           KW_SETUP_DEPRECATED},
+    {"rekey",             KW_REKEY},
+    {"rightid2",          KW_RIGHTID2},
     {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"eap_identity",      KW_EAP_IDENTITY},
+    {"rightgroups2",      KW_RIGHTGROUPS2},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"leftsubnet",        KW_LEFTSUBNET},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"authby",            KW_AUTHBY},
     {"leftcert2",         KW_LEFTCERT2},
+    {"nat_traversal",     KW_SETUP_DEPRECATED},
+    {"dpdaction",         KW_DPDACTION},
+    {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"charonstart",       KW_SETUP_DEPRECATED},
+    {"leftsubnetwithin",  KW_LEFTSUBNET},
+    {"reauth",            KW_REAUTH},
+    {"modeconfig",        KW_MODECONFIG},
+    {"ldaphost",          KW_CA_DEPRECATED},
     {"leftikeport",       KW_LEFTIKEPORT},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"plutostart",        KW_PLUTOSTART},
+    {"crlcheckinterval",  KW_SETUP_DEPRECATED},
+    {"dpddelay",          KW_DPDDELAY},
+    {"cacert",            KW_CACERT},
+    {"leftgroups2",       KW_LEFTGROUPS2},
     {"rightauth2",        KW_RIGHTAUTH2},
+    {"tfc",               KW_TFC},
+    {"postpluto",         KW_SETUP_DEPRECATED},
+    {"rekeymargin",       KW_REKEYMARGIN},
     {"leftca2",           KW_LEFTCA2},
+    {"packetdefault",     KW_SETUP_DEPRECATED},
     {"mark",              KW_MARK},
-    {"force_keepalive",   KW_FORCE_KEEPALIVE},
+    {"leftauth",          KW_LEFTAUTH},
+    {"plutostderrlog",    KW_SETUP_DEPRECATED},
     {"auto",              KW_AUTO},
-    {"charondebug",       KW_CHARONDEBUG},
-    {"dpddelay",          KW_DPDDELAY},
-    {"xauth_identity",    KW_XAUTH_IDENTITY},
-    {"charonstart",       KW_CHARONSTART},
-    {"fragicmp",          KW_FRAGICMP},
-    {"prepluto",          KW_PREPLUTO},
+    {"fragicmp",          KW_SETUP_DEPRECATED},
     {"closeaction",       KW_CLOSEACTION},
-    {"leftid2",           KW_LEFTID2},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"tfc",               KW_TFC},
+    {"prepluto",          KW_SETUP_DEPRECATED},
     {"auth",              KW_AUTH},
-    {"rekeymargin",       KW_REKEYMARGIN},
-    {"modeconfig",        KW_MODECONFIG},
-    {"leftauth",          KW_LEFTAUTH},
+    {"leftid2",           KW_LEFTID2},
+    {"nocrsend",          KW_SETUP_DEPRECATED},
     {"xauth",             KW_XAUTH},
+    {"plutostart",        KW_SETUP_DEPRECATED},
     {"cachecrls",         KW_CACHECRLS},
     {"crluri2",           KW_CRLURI2},
-    {"postpluto",         KW_POSTPLUTO},
-    {"nocrsend",          KW_NOCRSEND},
-    {"leftauth2",         KW_LEFTAUTH2},
     {"rightca2",          KW_RIGHTCA2},
     {"rightcert2",        KW_RIGHTCERT2},
-    {"pkcs11module",      KW_PKCS11MODULE},
-    {"reauth",            KW_REAUTH},
-    {"pkcs11initargs",    KW_PKCS11INITARGS},
-    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
+    {"plutodebug",        KW_SETUP_DEPRECATED},
+    {"pkcs11initargs",    KW_PKCS11_DEPRECATED},
+    {"pkcs11module",      KW_PKCS11_DEPRECATED},
+    {"pkcs11proxy",       KW_PKCS11_DEPRECATED},
+    {"pkcs11keepstate",   KW_PKCS11_DEPRECATED},
     {"ocspuri2",          KW_OCSPURI2},
-    {"pkcs11proxy",       KW_PKCS11PROXY}
+    {"leftauth2",         KW_LEFTAUTH2},
+    {"ikedscp",           KW_IKEDSCP,}
   };
 
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,
-      1,   2,  -1,  -1,   3,   4,   5,   6,   7,   8,
-     -1,   9,  10,  11,  12,  -1,  13,  -1,  14,  -1,
-     15,  16,  17,  -1,  18,  19,  20,  -1,  -1,  -1,
-     21,  22,  23,  24,  25,  -1,  -1,  -1,  26,  27,
-     28,  -1,  29,  -1,  -1,  -1,  30,  -1,  31,  32,
-     33,  34,  35,  -1,  36,  37,  -1,  38,  -1,  39,
-     40,  -1,  -1,  41,  42,  43,  -1,  -1,  44,  45,
-     46,  -1,  47,  -1,  48,  49,  50,  51,  52,  53,
-     -1,  54,  55,  -1,  -1,  -1,  56,  -1,  57,  58,
-     59,  60,  -1,  61,  -1,  -1,  62,  63,  64,  65,
-     66,  -1,  67,  68,  69,  70,  -1,  71,  72,  73,
-     74,  -1,  75,  76,  77,  78,  79,  80,  81,  82,
-     83,  -1,  84,  85,  86,  87,  88,  89,  90,  91,
-     92,  93,  94,  -1,  95,  96,  97,  98,  -1,  -1,
-     99, 100,  -1,  -1, 101,  -1, 102,  -1,  -1, 103,
-     -1, 104, 105,  -1, 106,  -1,  -1,  -1,  -1,  -1,
-    107, 108,  -1,  -1,  -1,  -1,  -1, 109,  -1,  -1,
-     -1,  -1, 110,  -1, 111,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1, 112, 113, 114,  -1, 115,  -1, 116,
-     -1, 117,  -1,  -1, 118, 119,  -1,  -1,  -1, 120,
-     -1,  -1,  -1,  -1,  -1, 121, 122,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1, 123,  -1, 124,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1, 125, 126, 127, 128,
-     -1,  -1, 129,  -1,  -1,  -1, 130
+     -1,  -1,  -1,  -1,  -1,   1,  -1,  -1,   2,   3,
+     -1,  -1,   4,   5,  -1,  -1,   6,  -1,   7,   8,
+     -1,   9,  10,  -1,  -1,  -1,  11,  -1,  12,  13,
+     14,  15,  16,  -1,  -1,  -1,  17,  18,  19,  20,
+     21,  22,  -1,  23,  24,  -1,  25,  26,  27,  -1,
+     28,  29,  30,  -1,  -1,  31,  32,  -1,  33,  34,
+     35,  -1,  36,  37,  38,  39,  -1,  40,  41,  -1,
+     -1,  42,  43,  44,  45,  -1,  46,  -1,  47,  -1,
+     48,  49,  50,  51,  52,  53,  54,  -1,  55,  56,
+     57,  58,  59,  -1,  60,  61,  62,  -1,  63,  -1,
+     64,  -1,  65,  66,  67,  68,  69,  70,  71,  72,
+     -1,  73,  74,  75,  76,  77,  -1,  -1,  78,  -1,
+     -1,  79,  80,  -1,  81,  -1,  82,  83,  84,  85,
+     86,  87,  88,  -1,  89,  -1,  90,  91,  -1,  92,
+     93,  -1,  94,  95,  -1,  -1,  -1,  -1,  96,  97,
+     98,  99, 100, 101,  -1, 102, 103, 104,  -1, 105,
+    106, 107, 108, 109, 110, 111, 112, 113, 114,  -1,
+    115, 116,  -1, 117,  -1, 118,  -1,  -1, 119, 120,
+     -1,  -1, 121,  -1,  -1, 122,  -1, 123,  -1, 124,
+     -1, 125,  -1,  -1,  -1,  -1,  -1, 126,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1, 127, 128,  -1, 129,  -1, 130,  -1,  -1,  -1,
+     -1,  -1,  -1, 131,  -1, 132,  -1, 133, 134,  -1,
+     -1,  -1,  -1, 135,  -1,  -1,  -1,  -1,  -1,  -1,
+    136,  -1,  -1,  -1,  -1,  -1,  -1, 137
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 02be919ea..83ce4a7dd 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -1,4 +1,4 @@
-/* strongSwan keywords
+/*
  * Copyright (C) 2005 Andreas Steffen
  * Hochschule fuer Technik Rapperswil, Switzerland
  *
@@ -18,62 +18,32 @@
 
 typedef enum {
 	/* config setup keywords */
-	KW_INTERFACES,
-	KW_DUMPDIR,
-	KW_CHARONSTART,
-	KW_PLUTOSTART,
-
-	/* pluto/charon keywords */
-	KW_PLUTODEBUG,
 	KW_CHARONDEBUG,
-	KW_PREPLUTO,
-	KW_POSTPLUTO,
-	KW_PLUTOSTDERRLOG,
 	KW_UNIQUEIDS,
-	KW_OVERRIDEMTU,
-	KW_CRLCHECKINTERVAL,
 	KW_CACHECRLS,
 	KW_STRICTCRLPOLICY,
-	KW_NOCRSEND,
-	KW_NAT_TRAVERSAL,
-	KW_KEEP_ALIVE,
-	KW_FORCE_KEEPALIVE,
-	KW_VIRTUAL_PRIVATE,
-	KW_PKCS11MODULE,
-	KW_PKCS11INITARGS,
-	KW_PKCS11KEEPSTATE,
-	KW_PKCS11PROXY,
-
-#define KW_PLUTO_FIRST  KW_PLUTODEBUG
-#define KW_PLUTO_LAST   KW_PKCS11PROXY
-
-	/* KLIPS keywords */
-	KW_KLIPSDEBUG,
-	KW_FRAGICMP,
-	KW_PACKETDEFAULT,
-	KW_HIDETOS,
-
-#define KW_KLIPS_FIRST  KW_KLIPSDEBUG
-#define KW_KLIPS_LAST   KW_HIDETOS
-
-#define KW_SETUP_FIRST  KW_INTERFACES
-#define KW_SETUP_LAST   KW_HIDETOS
+	KW_PKCS11_DEPRECATED,
+	KW_SETUP_DEPRECATED,
+
+#define KW_SETUP_FIRST  KW_CHARONDEBUG
+#define KW_SETUP_LAST   KW_SETUP_DEPRECATED
 
 	/* conn section keywords */
 	KW_CONN_NAME,
 	KW_CONN_SETUP,
 	KW_KEYEXCHANGE,
 	KW_TYPE,
-	KW_PFS,
 	KW_COMPRESS,
 	KW_INSTALLPOLICY,
+	KW_AGGRESSIVE,
 	KW_AUTH,
 	KW_AUTHBY,
-	KW_EAP,
 	KW_EAP_IDENTITY,
 	KW_AAA_IDENTITY,
 	KW_MOBIKE,
 	KW_FORCEENCAPS,
+	KW_FRAGMENTATION,
+	KW_IKEDSCP,
 	KW_IKELIFETIME,
 	KW_KEYLIFE,
 	KW_REKEYMARGIN,
@@ -87,7 +57,6 @@ typedef enum {
 	KW_REAUTH,
 	KW_IKE,
 	KW_ESP,
-	KW_PFSGROUP,
 	KW_DPDDELAY,
 	KW_DPDTIMEOUT,
 	KW_DPDACTION,
@@ -104,34 +73,33 @@ typedef enum {
 	KW_MARK_IN,
 	KW_MARK_OUT,
 	KW_TFC,
+	KW_PFS_DEPRECATED,
+	KW_CONN_DEPRECATED,
 
 #define KW_CONN_FIRST   KW_CONN_SETUP
-#define KW_CONN_LAST    KW_TFC
+#define KW_CONN_LAST    KW_CONN_DEPRECATED
 
-   /* ca section keywords */
+	/* ca section keywords */
 	KW_CA_NAME,
 	KW_CA_SETUP,
 	KW_CACERT,
-	KW_LDAPHOST,
-	KW_LDAPBASE,
 	KW_CRLURI,
 	KW_CRLURI2,
 	KW_OCSPURI,
 	KW_OCSPURI2,
 	KW_CERTURIBASE,
+	KW_CA_DEPRECATED,
 
 #define KW_CA_FIRST     KW_CA_SETUP
-#define KW_CA_LAST      KW_CERTURIBASE
+#define KW_CA_LAST      KW_CA_DEPRECATED
 
-   /* end keywords */
+	/* end keywords */
 	KW_HOST,
 	KW_IKEPORT,
-	KW_NEXTHOP,
 	KW_SUBNET,
-	KW_SUBNETWITHIN,
 	KW_PROTOPORT,
 	KW_SOURCEIP,
-	KW_NATIP,
+	KW_DNS,
 	KW_FIREWALL,
 	KW_HOSTACCESS,
 	KW_ALLOWANY,
@@ -140,7 +108,7 @@ typedef enum {
 	KW_AUTH2,
 	KW_ID,
 	KW_ID2,
-	KW_RSASIGKEY,
+	KW_SIGKEY,
 	KW_CERT,
 	KW_CERT2,
 	KW_CERTPOLICY,
@@ -148,20 +116,19 @@ typedef enum {
 	KW_CA,
 	KW_CA2,
 	KW_GROUPS,
-	KW_IFACE,
+	KW_GROUPS2,
+	KW_END_DEPRECATED,
 
 #define KW_END_FIRST    KW_HOST
-#define KW_END_LAST     KW_IFACE
+#define KW_END_LAST     KW_END_DEPRECATED
 
-   /* left end keywords */
+	/* left end keywords */
 	KW_LEFT,
 	KW_LEFTIKEPORT,
-	KW_LEFTNEXTHOP,
 	KW_LEFTSUBNET,
-	KW_LEFTSUBNETWITHIN,
 	KW_LEFTPROTOPORT,
 	KW_LEFTSOURCEIP,
-	KW_LEFTNATIP,
+	KW_LEFTDNS,
 	KW_LEFTFIREWALL,
 	KW_LEFTHOSTACCESS,
 	KW_LEFTALLOWANY,
@@ -170,7 +137,7 @@ typedef enum {
 	KW_LEFTAUTH2,
 	KW_LEFTID,
 	KW_LEFTID2,
-	KW_LEFTRSASIGKEY,
+	KW_LEFTSIGKEY,
 	KW_LEFTCERT,
 	KW_LEFTCERT2,
 	KW_LEFTCERTPOLICY,
@@ -178,19 +145,19 @@ typedef enum {
 	KW_LEFTCA,
 	KW_LEFTCA2,
 	KW_LEFTGROUPS,
+	KW_LEFTGROUPS2,
+	KW_LEFT_DEPRECATED,
 
 #define KW_LEFT_FIRST   KW_LEFT
-#define KW_LEFT_LAST    KW_LEFTGROUPS
+#define KW_LEFT_LAST    KW_LEFT_DEPRECATED
 
-   /* right end keywords */
+	/* right end keywords */
 	KW_RIGHT,
 	KW_RIGHTIKEPORT,
-	KW_RIGHTNEXTHOP,
 	KW_RIGHTSUBNET,
-	KW_RIGHTSUBNETWITHIN,
 	KW_RIGHTPROTOPORT,
 	KW_RIGHTSOURCEIP,
-	KW_RIGHTNATIP,
+	KW_RIGHTDNS,
 	KW_RIGHTFIREWALL,
 	KW_RIGHTHOSTACCESS,
 	KW_RIGHTALLOWANY,
@@ -199,7 +166,7 @@ typedef enum {
 	KW_RIGHTAUTH2,
 	KW_RIGHTID,
 	KW_RIGHTID2,
-	KW_RIGHTRSASIGKEY,
+	KW_RIGHTSIGKEY,
 	KW_RIGHTCERT,
 	KW_RIGHTCERT2,
 	KW_RIGHTCERTPOLICY,
@@ -207,15 +174,16 @@ typedef enum {
 	KW_RIGHTCA,
 	KW_RIGHTCA2,
 	KW_RIGHTGROUPS,
+	KW_RIGHTGROUPS2,
+	KW_RIGHT_DEPRECATED,
 
 #define KW_RIGHT_FIRST  KW_RIGHT
-#define KW_RIGHT_LAST   KW_RIGHTGROUPS
+#define KW_RIGHT_LAST   KW_RIGHT_DEPRECATED
 
 	/* general section keywords */
 	KW_ALSO,
-	KW_AUTO
+	KW_AUTO,
 
 } kw_token_t;
 
 #endif /* _KEYWORDS_H_ */
-
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 548fa2f70..20d35ded0 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -1,5 +1,5 @@
 %{
-/* strongSwan keywords
+/*
  * Copyright (C) 2005 Andreas Steffen
  * Hochschule fuer Technik Rapperswil, Switzerland
  *
@@ -24,61 +24,39 @@ struct kw_entry {
     kw_token_t token;
 };
 %%
-interfaces,        KW_INTERFACES
-dumpdir,           KW_DUMPDIR
-charonstart,       KW_CHARONSTART
-plutostart,        KW_PLUTOSTART
-klipsdebug,        KW_KLIPSDEBUG
-plutodebug,        KW_PLUTODEBUG
+# regular keywords
 charondebug,       KW_CHARONDEBUG
-prepluto,          KW_PREPLUTO
-postpluto,         KW_POSTPLUTO
-plutostderrlog,    KW_PLUTOSTDERRLOG
-fragicmp,          KW_FRAGICMP
-packetdefault,     KW_PACKETDEFAULT
-hidetos,           KW_HIDETOS
 uniqueids,         KW_UNIQUEIDS
-overridemtu,       KW_OVERRIDEMTU
-crlcheckinterval,  KW_CRLCHECKINTERVAL
 cachecrls,         KW_CACHECRLS
 strictcrlpolicy,   KW_STRICTCRLPOLICY
-nocrsend,          KW_NOCRSEND
-nat_traversal,     KW_NAT_TRAVERSAL
-keep_alive,        KW_KEEP_ALIVE
-force_keepalive,   KW_FORCE_KEEPALIVE
-virtual_private,   KW_VIRTUAL_PRIVATE
-eap,               KW_EAP
-eap_identity,      KW_EAP_IDENTITY
-aaa_identity,      KW_AAA_IDENTITY
-mobike,	           KW_MOBIKE
-forceencaps,       KW_FORCEENCAPS
-pkcs11module,      KW_PKCS11MODULE
-pkcs11initargs,    KW_PKCS11INITARGS
-pkcs11keepstate,   KW_PKCS11KEEPSTATE
-pkcs11proxy,       KW_PKCS11PROXY
 keyexchange,       KW_KEYEXCHANGE
 type,              KW_TYPE
-pfs,               KW_PFS
 compress,          KW_COMPRESS
 installpolicy,     KW_INSTALLPOLICY
+aggressive,        KW_AGGRESSIVE
 auth,              KW_AUTH
 authby,            KW_AUTHBY
+eap_identity,      KW_EAP_IDENTITY
+aaa_identity,      KW_AAA_IDENTITY
+mobike,	           KW_MOBIKE
+forceencaps,       KW_FORCEENCAPS
+fragmentation,     KW_FRAGMENTATION
+ikedscp,           KW_IKEDSCP,
+ikelifetime,       KW_IKELIFETIME
+lifetime,          KW_KEYLIFE
 keylife,           KW_KEYLIFE
 rekeymargin,       KW_REKEYMARGIN
-lifetime,          KW_KEYLIFE
 margintime,        KW_REKEYMARGIN
 lifebytes,         KW_LIFEBYTES
 marginbytes,       KW_MARGINBYTES
 lifepackets,       KW_LIFEPACKETS
 marginpackets,     KW_MARGINPACKETS
-ikelifetime,       KW_IKELIFETIME
 keyingtries,       KW_KEYINGTRIES
 rekeyfuzz,         KW_REKEYFUZZ
 rekey,             KW_REKEY
 reauth,            KW_REAUTH
-esp,               KW_ESP
 ike,               KW_IKE
-pfsgroup,          KW_PFSGROUP
+esp,               KW_ESP
 dpddelay,          KW_DPDDELAY
 dpdtimeout,        KW_DPDTIMEOUT
 dpdaction,         KW_DPDACTION
@@ -96,8 +74,6 @@ mark_in,           KW_MARK_IN
 mark_out,          KW_MARK_OUT
 tfc,               KW_TFC
 cacert,            KW_CACERT
-ldaphost,          KW_LDAPHOST
-ldapbase,          KW_LDAPBASE
 crluri,            KW_CRLURI
 crluri1,           KW_CRLURI
 crluri2,           KW_CRLURI2
@@ -107,21 +83,21 @@ ocspuri2,          KW_OCSPURI2
 certuribase,       KW_CERTURIBASE
 left,              KW_LEFT
 leftikeport,       KW_LEFTIKEPORT
-leftnexthop,       KW_LEFTNEXTHOP
 leftsubnet,        KW_LEFTSUBNET
-leftsubnetwithin,  KW_LEFTSUBNETWITHIN
+leftsubnetwithin,  KW_LEFTSUBNET
 leftprotoport,     KW_LEFTPROTOPORT
 leftsourceip,      KW_LEFTSOURCEIP
-leftnatip,         KW_LEFTNATIP
+leftdns,           KW_LEFTDNS
 leftfirewall,      KW_LEFTFIREWALL
 lefthostaccess,    KW_LEFTHOSTACCESS
 leftallowany,      KW_LEFTALLOWANY
 leftupdown,        KW_LEFTUPDOWN
-leftid,            KW_LEFTID
-leftid2,           KW_LEFTID2
 leftauth,          KW_LEFTAUTH
 leftauth2,         KW_LEFTAUTH2
-leftrsasigkey,     KW_LEFTRSASIGKEY
+leftid,            KW_LEFTID
+leftid2,           KW_LEFTID2
+leftsigkey,        KW_LEFTSIGKEY
+leftrsasigkey,     KW_LEFTSIGKEY
 leftcert,          KW_LEFTCERT
 leftcert2,         KW_LEFTCERT2
 leftcertpolicy,    KW_LEFTCERTPOLICY
@@ -129,23 +105,24 @@ leftsendcert,      KW_LEFTSENDCERT
 leftca,            KW_LEFTCA
 leftca2,           KW_LEFTCA2
 leftgroups,        KW_LEFTGROUPS
+leftgroups2,       KW_LEFTGROUPS2
 right,             KW_RIGHT
 rightikeport,      KW_RIGHTIKEPORT
-rightnexthop,      KW_RIGHTNEXTHOP
 rightsubnet,       KW_RIGHTSUBNET
-rightsubnetwithin, KW_RIGHTSUBNETWITHIN
+rightsubnetwithin, KW_RIGHTSUBNET
 rightprotoport,    KW_RIGHTPROTOPORT
 rightsourceip,     KW_RIGHTSOURCEIP
-rightnatip,        KW_RIGHTNATIP
+rightdns,          KW_RIGHTDNS
 rightfirewall,     KW_RIGHTFIREWALL
 righthostaccess,   KW_RIGHTHOSTACCESS
 rightallowany,     KW_RIGHTALLOWANY
 rightupdown,       KW_RIGHTUPDOWN
-rightid,           KW_RIGHTID
-rightid2,          KW_RIGHTID2
 rightauth,         KW_RIGHTAUTH
 rightauth2,        KW_RIGHTAUTH2
-rightrsasigkey,    KW_RIGHTRSASIGKEY
+rightid,           KW_RIGHTID
+rightid2,          KW_RIGHTID2
+rightsigkey,       KW_RIGHTSIGKEY
+rightrsasigkey,    KW_RIGHTSIGKEY
 rightcert,         KW_RIGHTCERT
 rightcert2,        KW_RIGHTCERT2
 rightcertpolicy,   KW_RIGHTCERTPOLICY
@@ -153,5 +130,37 @@ rightsendcert,     KW_RIGHTSENDCERT
 rightca,           KW_RIGHTCA
 rightca2,          KW_RIGHTCA2
 rightgroups,       KW_RIGHTGROUPS
+rightgroups2,      KW_RIGHTGROUPS2
 also,              KW_ALSO
 auto,              KW_AUTO
+# deprecated/removed keywords
+interfaces,        KW_SETUP_DEPRECATED
+dumpdir,           KW_SETUP_DEPRECATED
+charonstart,       KW_SETUP_DEPRECATED
+plutostart,        KW_SETUP_DEPRECATED
+klipsdebug,        KW_SETUP_DEPRECATED
+plutodebug,        KW_SETUP_DEPRECATED
+prepluto,          KW_SETUP_DEPRECATED
+postpluto,         KW_SETUP_DEPRECATED
+plutostderrlog,    KW_SETUP_DEPRECATED
+fragicmp,          KW_SETUP_DEPRECATED
+packetdefault,     KW_SETUP_DEPRECATED
+hidetos,           KW_SETUP_DEPRECATED
+overridemtu,       KW_SETUP_DEPRECATED
+crlcheckinterval,  KW_SETUP_DEPRECATED
+nocrsend,          KW_SETUP_DEPRECATED
+nat_traversal,     KW_SETUP_DEPRECATED
+keep_alive,        KW_SETUP_DEPRECATED
+force_keepalive,   KW_SETUP_DEPRECATED
+virtual_private,   KW_SETUP_DEPRECATED
+pkcs11module,      KW_PKCS11_DEPRECATED
+pkcs11initargs,    KW_PKCS11_DEPRECATED
+pkcs11keepstate,   KW_PKCS11_DEPRECATED
+pkcs11proxy,       KW_PKCS11_DEPRECATED
+ldaphost,          KW_CA_DEPRECATED
+ldapbase,          KW_CA_DEPRECATED
+pfs,               KW_PFS_DEPRECATED
+pfsgroup,          KW_PFS_DEPRECATED
+eap,               KW_CONN_DEPRECATED
+leftnexthop,       KW_LEFT_DEPRECATED
+rightnexthop,      KW_RIGHT_DEPRECATED
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 79bd25c44..22165465f 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -16,16 +16,12 @@
 #include <sys/stat.h>
 #include <stdlib.h>
 
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
 
 #include "files.h"
 
-bool
-starter_klips_init(void)
+bool starter_klips_init(void)
 {
 	struct stat stb;
 
@@ -40,9 +36,7 @@ starter_klips_init(void)
 		/* now test again */
 		if (stat(PROC_KLIPS, &stb) != 0)
 		{
-			DBG(DBG_CONTROL,
-				DBG_log("kernel appears to lack the KLIPS IPsec stack")
-			)
+			DBG2(DBG_APP, "kernel appears to lack the KLIPS IPsec stack");
 			return FALSE;
 		}
 	}
@@ -52,29 +46,25 @@ starter_klips_init(void)
 	ignore_result(system("modprobe -qv ipsec_blowfish"));
 	ignore_result(system("modprobe -qv ipsec_sha2"));
 
-	DBG(DBG_CONTROL,
-		DBG_log("Found KLIPS IPsec stack")
-	)
-
+	DBG2(DBG_APP, "found KLIPS IPsec stack");
 	return TRUE;
 }
 
-void
-starter_klips_cleanup(void)
+void starter_klips_cleanup(void)
 {
 	if (system("type eroute > /dev/null 2>&1") == 0)
 	{
 		ignore_result(system("spi --clear"));
 		ignore_result(system("eroute --clear"));
 	}
-		else if (system("type setkey > /dev/null 2>&1") == 0)
+	else if (system("type setkey > /dev/null 2>&1") == 0)
 	{
 		ignore_result(system("setkey -F"));
 		ignore_result(system("setkey -FP"));
 	}
 	else
 	{
-		plog("WARNING: cannot flush IPsec state/policy database");
+		DBG1(DBG_APP, "WARNING: cannot flush IPsec state/policy database");
 	}
 }
 
diff --git a/src/starter/loglite.c b/src/starter/loglite.c
deleted file mode 100644
index c88b33bfd..000000000
--- a/src/starter/loglite.c
+++ /dev/null
@@ -1,297 +0,0 @@
-/* error logging functions
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-#include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
-#include <libgen.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
-#include <whack.h>
-
-#ifndef LOG_AUTHPRIV
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
-bool
-	log_to_stderr = FALSE,      /* should log go to stderr? */
-	log_to_syslog = TRUE;       /* should log go to syslog? */
-
-void
-init_log(const char *program)
-{
-	if (log_to_stderr)
-		setbuf(stderr, NULL);
-	if (log_to_syslog)
-		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
-}
-
-void
-close_log(void)
-{
-	if (log_to_syslog)
-		closelog();
-}
-
-void
-plog(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "%s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_WARNING, "%s", m);
-}
-
-void
-loglog(int mess_no, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "%s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_WARNING, "%s", m);
-}
-
-void
-log_errno_routine(int e, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-	if (log_to_syslog)
-		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
-}
-
-void
-exit_log(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "FATAL ERROR: %s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_ERR, "FATAL ERROR: %s", m);
-	exit(1);
-}
-
-void
-exit_log_errno_routine(int e, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
-	if (log_to_syslog)
-		syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
-	exit(1);
-}
-
-void
-whack_log(int mess_no, const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	fprintf(stderr, "%s\n", m);
-}
-
-/* Build up a diagnostic in a static buffer.
- * Although this would be a generally useful function, it is very
- * hard to come up with a discipline that prevents different uses
- * from interfering.  It is intended that by limiting it to building
- * diagnostics, we will avoid this problem.
- * Juggling is performed to allow an argument to be a previous
- * result: the new string may safely depend on the old one.  This
- * restriction is not checked in any way: violators will produce
- * confusing results (without crashing!).
- */
-char diag_space[sizeof(diag_space)];
-
-err_t
-builddiag(const char *fmt, ...)
-{
-	static char diag_space[LOG_WIDTH];  /* longer messages will be truncated */
-	char t[sizeof(diag_space)]; /* build result here first */
-	va_list args;
-
-	va_start(args, fmt);
-	t[0] = '\0';        /* in case nothing terminates string */
-	vsnprintf(t, sizeof(t), fmt, args);
-	va_end(args);
-	strcpy(diag_space, t);
-	return diag_space;
-}
-
-/* Debugging message support */
-
-#ifdef DEBUG
-
-void
-switch_fail(int n, const char *file_str, unsigned long line_no)
-{
-	char buf[30];
-
-	snprintf(buf, sizeof(buf), "case %d unexpected", n);
-	passert_fail(buf, file_str, line_no);
-}
-
-void
-passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
-{
-	/* we will get a possibly unplanned prefix.  Hope it works */
-	loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-	abort();    /* exiting correctly doesn't always work */
-}
-
-lset_t
-	base_debugging = DBG_NONE,  /* default to reporting nothing */
-	cur_debugging =  DBG_NONE;
-
-void
-pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
-{
-	/* we will get a possibly unplanned prefix.  Hope it works */
-	loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-}
-
-/* log a debugging message (prefixed by "| ") */
-
-void
-DBG_log(const char *message, ...)
-{
-	va_list args;
-	char m[LOG_WIDTH];  /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "| %s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_DEBUG, "| %s", m);
-}
-
-/* dump raw bytes in hex to stderr (for lack of any better destination) */
-
-void
-DBG_dump(const char *label, const void *p, size_t len)
-{
-#   define DUMP_LABEL_WIDTH 20  /* arbitrary modest boundary */
-#   define DUMP_WIDTH   (4 * (1 + 4 * 3) + 1)
-	char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
-	char *bp;
-	const unsigned char *cp = p;
-
-	bp = buf;
-
-	if (label != NULL && label[0] != '\0')
-	{
-		/* Handle the label.  Care must be taken to avoid buffer overrun. */
-		size_t llen = strlen(label);
-
-		if (llen + 1 > sizeof(buf))
-		{
-			DBG_log("%s", label);
-		}
-		else
-		{
-			strcpy(buf, label);
-			if (buf[llen-1] == '\n')
-			{
-				buf[llen-1] = '\0';     /* get rid of newline */
-				DBG_log("%s", buf);
-			}
-			else if (llen < DUMP_LABEL_WIDTH)
-			{
-				bp = buf + llen;
-			}
-			else
-			{
-				DBG_log("%s", buf);
-			}
-		}
-	}
-
-	do {
-		int i, j;
-
-		for (i = 0; len!=0 && i!=4; i++)
-		{
-			*bp++ = ' ';
-			for (j = 0; len!=0 && j!=4; len--, j++)
-			{
-				static const char hexdig[] = "0123456789abcdef";
-
-				*bp++ = ' ';
-				*bp++ = hexdig[(*cp >> 4) & 0xF];
-				*bp++ = hexdig[*cp & 0xF];
-				cp++;
-			}
-		}
-		*bp = '\0';
-		DBG_log("%s", buf);
-		bp = buf;
-	} while (len != 0);
-#   undef DUMP_LABEL_WIDTH
-#   undef DUMP_WIDTH
-}
-
-#endif /* DEBUG */
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 6646195cb..2b500bab4 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -16,17 +16,13 @@
 #include <sys/stat.h>
 #include <stdlib.h>
 
-#include <freeswan.h>
+#include <library.h>
 #include <hydra.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <utils/debug.h>
 
 #include "files.h"
 
-bool
-starter_netkey_init(void)
+bool starter_netkey_init(void)
 {
 	struct stat stb;
 
@@ -41,9 +37,7 @@ starter_netkey_init(void)
 		/* now test again */
 		if (stat(PROC_NETKEY, &stb) != 0)
 		{
-			DBG(DBG_CONTROL,
-				DBG_log("kernel appears to lack the native netkey IPsec stack")
-			)
+			DBG2(DBG_APP, "kernel appears to lack the native netkey IPsec stack");
 			return FALSE;
 		}
 	}
@@ -58,15 +52,19 @@ starter_netkey_init(void)
 		ignore_result(system("modprobe -qv xfrm_user"));
 	}
 
-	DBG(DBG_CONTROL,
-		DBG_log("Found netkey IPsec stack")
-	)
+	DBG2(DBG_APP, "found netkey IPsec stack");
 	return TRUE;
 }
 
-void
-starter_netkey_cleanup(void)
+void starter_netkey_cleanup(void)
 {
+	if (!lib->plugins->load(lib->plugins,
+			lib->settings->get_str(lib->settings, "starter.load", PLUGINS)))
+	{
+		DBG1(DBG_APP, "unable to load kernel plugins");
+		return;
+	}
 	hydra->kernel_interface->flush_sas(hydra->kernel_interface);
 	hydra->kernel_interface->flush_policies(hydra->kernel_interface);
+	lib->plugins->unload(lib->plugins);
 }
diff --git a/src/starter/parser.c b/src/starter/parser.c
index ef668027d..9a5831ef8 100644
--- a/src/starter/parser.c
+++ b/src/starter/parser.c
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5.  */
 
-/* A Bison parser, made by GNU Bison 2.4.1.  */
-
-/* Skeleton implementation for Bison's Yacc-like parsers in C
+/* Bison implementation for Yacc-like parsers in C
    
-      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
-   Free Software Foundation, Inc.
+      Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -46,7 +44,7 @@
 #define YYBISON 1
 
 /* Bison version.  */
-#define YYBISON_VERSION "2.4.1"
+#define YYBISON_VERSION "2.5"
 
 /* Skeleton name.  */
 #define YYSKELETON_NAME "yacc.c"
@@ -67,7 +65,7 @@
 
 /* Copy the first part of user declarations.  */
 
-/* Line 189 of yacc.c  */
+/* Line 268 of yacc.c  */
 #line 1 "parser.y"
 
 /* strongSwan config file parser (parser.y)
@@ -88,11 +86,9 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <freeswan.h>
+#include <library.h>
+#include <utils/debug.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
 #include "ipsec-parser.h"
 
 #define YYERROR_VERBOSE
@@ -122,8 +118,8 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 
 
 
-/* Line 189 of yacc.c  */
-#line 127 "parser.c"
+/* Line 268 of yacc.c  */
+#line 123 "parser.c"
 
 /* Enabling traces.  */
 #ifndef YYDEBUG
@@ -181,13 +177,13 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 typedef union YYSTYPE
 {
 
-/* Line 214 of yacc.c  */
-#line 54 "parser.y"
+/* Line 293 of yacc.c  */
+#line 52 "parser.y"
  char *s; 
 
 
-/* Line 214 of yacc.c  */
-#line 191 "parser.c"
+/* Line 293 of yacc.c  */
+#line 187 "parser.c"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
@@ -198,8 +194,8 @@ typedef union YYSTYPE
 /* Copy the second part of user declarations.  */
 
 
-/* Line 264 of yacc.c  */
-#line 203 "parser.c"
+/* Line 343 of yacc.c  */
+#line 199 "parser.c"
 
 #ifdef short
 # undef short
@@ -249,7 +245,7 @@ typedef short int yytype_int16;
 #define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
 
 #ifndef YY_
-# if YYENABLE_NLS
+# if defined YYENABLE_NLS && YYENABLE_NLS
 #  if ENABLE_NLS
 #   include <libintl.h> /* INFRINGES ON USER NAME SPACE */
 #   define YY_(msgid) dgettext ("bison-runtime", msgid)
@@ -302,11 +298,11 @@ YYID (yyi)
 #    define alloca _alloca
 #   else
 #    define YYSTACK_ALLOC alloca
-#    if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+#    if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 #     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-#     ifndef _STDLIB_H
-#      define _STDLIB_H 1
+#     ifndef EXIT_SUCCESS
+#      define EXIT_SUCCESS 0
 #     endif
 #    endif
 #   endif
@@ -329,24 +325,24 @@ YYID (yyi)
 #  ifndef YYSTACK_ALLOC_MAXIMUM
 #   define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
 #  endif
-#  if (defined __cplusplus && ! defined _STDLIB_H \
+#  if (defined __cplusplus && ! defined EXIT_SUCCESS \
        && ! ((defined YYMALLOC || defined malloc) \
 	     && (defined YYFREE || defined free)))
 #   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-#   ifndef _STDLIB_H
-#    define _STDLIB_H 1
+#   ifndef EXIT_SUCCESS
+#    define EXIT_SUCCESS 0
 #   endif
 #  endif
 #  ifndef YYMALLOC
 #   define YYMALLOC malloc
-#   if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+#   if ! defined malloc && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
 #   endif
 #  endif
 #  ifndef YYFREE
 #   define YYFREE free
-#   if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+#   if ! defined free && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
      || defined __cplusplus || defined _MSC_VER)
 void free (void *); /* INFRINGES ON USER NAME SPACE */
 #   endif
@@ -375,23 +371,7 @@ union yyalloc
      ((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
       + YYSTACK_GAP_MAXIMUM)
 
-/* Copy COUNT objects from FROM to TO.  The source and destination do
-   not overlap.  */
-# ifndef YYCOPY
-#  if defined __GNUC__ && 1 < __GNUC__
-#   define YYCOPY(To, From, Count) \
-      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
-#  else
-#   define YYCOPY(To, From, Count)		\
-      do					\
-	{					\
-	  YYSIZE_T yyi;				\
-	  for (yyi = 0; yyi < (Count); yyi++)	\
-	    (To)[yyi] = (From)[yyi];		\
-	}					\
-      while (YYID (0))
-#  endif
-# endif
+# define YYCOPY_NEEDED 1
 
 /* Relocate STACK from its old location to the new one.  The
    local variables YYSIZE and YYSTACKSIZE give the old and new number of
@@ -411,6 +391,26 @@ union yyalloc
 
 #endif
 
+#if defined YYCOPY_NEEDED && YYCOPY_NEEDED
+/* Copy COUNT objects from FROM to TO.  The source and destination do
+   not overlap.  */
+# ifndef YYCOPY
+#  if defined __GNUC__ && 1 < __GNUC__
+#   define YYCOPY(To, From, Count) \
+      __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+#  else
+#   define YYCOPY(To, From, Count)		\
+      do					\
+	{					\
+	  YYSIZE_T yyi;				\
+	  for (yyi = 0; yyi < (Count); yyi++)	\
+	    (To)[yyi] = (From)[yyi];		\
+	}					\
+      while (YYID (0))
+#  endif
+# endif
+#endif /* !YYCOPY_NEEDED */
+
 /* YYFINAL -- State number of the termination state.  */
 #define YYFINAL  2
 /* YYLAST -- Last index in YYTABLE.  */
@@ -487,8 +487,8 @@ static const yytype_int8 yyrhs[] =
 /* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
 static const yytype_uint8 yyrline[] =
 {
-       0,    65,    65,    66,    70,    75,    74,    80,    79,    96,
-      95,   111,   110,   116,   120,   121,   125,   150,   154
+       0,    63,    63,    64,    68,    73,    72,    78,    77,    94,
+      93,   109,   108,   114,   118,   119,   123,   148,   152
 };
 #endif
 
@@ -528,8 +528,8 @@ static const yytype_uint8 yyr2[] =
        5,     0,     4,     1,     4,     0,     3,     2,     0
 };
 
-/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
-   STATE-NUM when YYTABLE doesn't specify something else to do.  Zero
+/* YYDEFACT[STATE-NAME] -- Default reduction number in state STATE-NUM.
+   Performed when YYTABLE doesn't specify something else to do.  Zero
    means the default is an error.  */
 static const yytype_uint8 yydefact[] =
 {
@@ -564,8 +564,7 @@ static const yytype_int8 yypgoto[] =
 
 /* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
    positive, shift that token.  If negative, reduce the rule which
-   number is the opposite.  If zero, do what YYDEFACT says.
-   If YYTABLE_NINF, syntax error.  */
+   number is the opposite.  If YYTABLE_NINF, syntax error.  */
 #define YYTABLE_NINF -1
 static const yytype_uint8 yytable[] =
 {
@@ -574,6 +573,12 @@ static const yytype_uint8 yytable[] =
       24,    28,    30,    31,     0,     0,     0,    32
 };
 
+#define yypact_value_is_default(yystate) \
+  ((yystate) == (-20))
+
+#define yytable_value_is_error(yytable_value) \
+  YYID (0)
+
 static const yytype_int8 yycheck[] =
 {
        0,     7,    21,    22,    12,     5,     6,    12,     8,     9,
@@ -603,9 +608,18 @@ static const yytype_uint8 yystos[] =
 
 /* Like YYERROR except do call yyerror.  This remains here temporarily
    to ease the transition to the new meaning of YYERROR, for GCC.
-   Once GCC version 2 has supplanted version 1, this can go.  */
+   Once GCC version 2 has supplanted version 1, this can go.  However,
+   YYFAIL appears to be in use.  Nevertheless, it is formally deprecated
+   in Bison 2.4.2's NEWS entry, where a plan to phase it out is
+   discussed.  */
 
 #define YYFAIL		goto yyerrlab
+#if defined YYFAIL
+  /* This is here to suppress warnings from the GCC cpp's
+     -Wunused-macros.  Normally we don't worry about that warning, but
+     some users do, and we want to make it easy for users to remove
+     YYFAIL uses, which will produce warnings from Bison 2.5.  */
+#endif
 
 #define YYRECOVERING()  (!!yyerrstatus)
 
@@ -615,7 +629,6 @@ do								\
     {								\
       yychar = (Token);						\
       yylval = (Value);						\
-      yytoken = YYTRANSLATE (yychar);				\
       YYPOPSTACK (1);						\
       goto yybackup;						\
     }								\
@@ -657,19 +670,10 @@ while (YYID (0))
 #endif
 
 
-/* YY_LOCATION_PRINT -- Print the location on the stream.
-   This macro was not mandated originally: define only if we know
-   we won't break user code: when these are the locations we know.  */
+/* This macro is provided for backward compatibility. */
 
 #ifndef YY_LOCATION_PRINT
-# if YYLTYPE_IS_TRIVIAL
-#  define YY_LOCATION_PRINT(File, Loc)			\
-     fprintf (File, "%d.%d-%d.%d",			\
-	      (Loc).first_line, (Loc).first_column,	\
-	      (Loc).last_line,  (Loc).last_column)
-# else
-#  define YY_LOCATION_PRINT(File, Loc) ((void) 0)
-# endif
+# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
 #endif
 
 
@@ -861,7 +865,6 @@ int yydebug;
 # define YYMAXDEPTH 10000
 #endif
 
-
 
 #if YYERROR_VERBOSE
 
@@ -964,115 +967,142 @@ yytnamerr (char *yyres, const char *yystr)
 }
 # endif
 
-/* Copy into YYRESULT an error message about the unexpected token
-   YYCHAR while in state YYSTATE.  Return the number of bytes copied,
-   including the terminating null byte.  If YYRESULT is null, do not
-   copy anything; just return the number of bytes that would be
-   copied.  As a special case, return 0 if an ordinary "syntax error"
-   message will do.  Return YYSIZE_MAXIMUM if overflow occurs during
-   size calculation.  */
-static YYSIZE_T
-yysyntax_error (char *yyresult, int yystate, int yychar)
-{
-  int yyn = yypact[yystate];
+/* Copy into *YYMSG, which is of size *YYMSG_ALLOC, an error message
+   about the unexpected token YYTOKEN for the state stack whose top is
+   YYSSP.
 
-  if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
-    return 0;
-  else
+   Return 0 if *YYMSG was successfully written.  Return 1 if *YYMSG is
+   not large enough to hold the message.  In that case, also set
+   *YYMSG_ALLOC to the required number of bytes.  Return 2 if the
+   required number of bytes is too large to store.  */
+static int
+yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
+                yytype_int16 *yyssp, int yytoken)
+{
+  YYSIZE_T yysize0 = yytnamerr (0, yytname[yytoken]);
+  YYSIZE_T yysize = yysize0;
+  YYSIZE_T yysize1;
+  enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+  /* Internationalized format string. */
+  const char *yyformat = 0;
+  /* Arguments of yyformat. */
+  char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+  /* Number of reported tokens (one for the "unexpected", one per
+     "expected"). */
+  int yycount = 0;
+
+  /* There are many possibilities here to consider:
+     - Assume YYFAIL is not used.  It's too flawed to consider.  See
+       <http://lists.gnu.org/archive/html/bison-patches/2009-12/msg00024.html>
+       for details.  YYERROR is fine as it does not invoke this
+       function.
+     - If this state is a consistent state with a default action, then
+       the only way this function was invoked is if the default action
+       is an error action.  In that case, don't check for expected
+       tokens because there are none.
+     - The only way there can be no lookahead present (in yychar) is if
+       this state is a consistent state with a default action.  Thus,
+       detecting the absence of a lookahead is sufficient to determine
+       that there is no unexpected or expected token to report.  In that
+       case, just report a simple "syntax error".
+     - Don't assume there isn't a lookahead just because this state is a
+       consistent state with a default action.  There might have been a
+       previous inconsistent state, consistent state with a non-default
+       action, or user semantic action that manipulated yychar.
+     - Of course, the expected token list depends on states to have
+       correct lookahead information, and it depends on the parser not
+       to perform extra reductions after fetching a lookahead from the
+       scanner and before detecting a syntax error.  Thus, state merging
+       (from LALR or IELR) and default reductions corrupt the expected
+       token list.  However, the list is correct for canonical LR with
+       one exception: it will still contain any token that will not be
+       accepted due to an error action in a later state.
+  */
+  if (yytoken != YYEMPTY)
     {
-      int yytype = YYTRANSLATE (yychar);
-      YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
-      YYSIZE_T yysize = yysize0;
-      YYSIZE_T yysize1;
-      int yysize_overflow = 0;
-      enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
-      char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
-      int yyx;
-
-# if 0
-      /* This is so xgettext sees the translatable formats that are
-	 constructed on the fly.  */
-      YY_("syntax error, unexpected %s");
-      YY_("syntax error, unexpected %s, expecting %s");
-      YY_("syntax error, unexpected %s, expecting %s or %s");
-      YY_("syntax error, unexpected %s, expecting %s or %s or %s");
-      YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
-# endif
-      char *yyfmt;
-      char const *yyf;
-      static char const yyunexpected[] = "syntax error, unexpected %s";
-      static char const yyexpecting[] = ", expecting %s";
-      static char const yyor[] = " or %s";
-      char yyformat[sizeof yyunexpected
-		    + sizeof yyexpecting - 1
-		    + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
-		       * (sizeof yyor - 1))];
-      char const *yyprefix = yyexpecting;
-
-      /* Start YYX at -YYN if negative to avoid negative indexes in
-	 YYCHECK.  */
-      int yyxbegin = yyn < 0 ? -yyn : 0;
-
-      /* Stay within bounds of both yycheck and yytname.  */
-      int yychecklim = YYLAST - yyn + 1;
-      int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
-      int yycount = 1;
-
-      yyarg[0] = yytname[yytype];
-      yyfmt = yystpcpy (yyformat, yyunexpected);
-
-      for (yyx = yyxbegin; yyx < yyxend; ++yyx)
-	if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
-	  {
-	    if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
-	      {
-		yycount = 1;
-		yysize = yysize0;
-		yyformat[sizeof yyunexpected - 1] = '\0';
-		break;
-	      }
-	    yyarg[yycount++] = yytname[yyx];
-	    yysize1 = yysize + yytnamerr (0, yytname[yyx]);
-	    yysize_overflow |= (yysize1 < yysize);
-	    yysize = yysize1;
-	    yyfmt = yystpcpy (yyfmt, yyprefix);
-	    yyprefix = yyor;
-	  }
+      int yyn = yypact[*yyssp];
+      yyarg[yycount++] = yytname[yytoken];
+      if (!yypact_value_is_default (yyn))
+        {
+          /* Start YYX at -YYN if negative to avoid negative indexes in
+             YYCHECK.  In other words, skip the first -YYN actions for
+             this state because they are default actions.  */
+          int yyxbegin = yyn < 0 ? -yyn : 0;
+          /* Stay within bounds of both yycheck and yytname.  */
+          int yychecklim = YYLAST - yyn + 1;
+          int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+          int yyx;
+
+          for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+            if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR
+                && !yytable_value_is_error (yytable[yyx + yyn]))
+              {
+                if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+                  {
+                    yycount = 1;
+                    yysize = yysize0;
+                    break;
+                  }
+                yyarg[yycount++] = yytname[yyx];
+                yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+                if (! (yysize <= yysize1
+                       && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+                  return 2;
+                yysize = yysize1;
+              }
+        }
+    }
 
-      yyf = YY_(yyformat);
-      yysize1 = yysize + yystrlen (yyf);
-      yysize_overflow |= (yysize1 < yysize);
-      yysize = yysize1;
+  switch (yycount)
+    {
+# define YYCASE_(N, S)                      \
+      case N:                               \
+        yyformat = S;                       \
+      break
+      YYCASE_(0, YY_("syntax error"));
+      YYCASE_(1, YY_("syntax error, unexpected %s"));
+      YYCASE_(2, YY_("syntax error, unexpected %s, expecting %s"));
+      YYCASE_(3, YY_("syntax error, unexpected %s, expecting %s or %s"));
+      YYCASE_(4, YY_("syntax error, unexpected %s, expecting %s or %s or %s"));
+      YYCASE_(5, YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s"));
+# undef YYCASE_
+    }
 
-      if (yysize_overflow)
-	return YYSIZE_MAXIMUM;
+  yysize1 = yysize + yystrlen (yyformat);
+  if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+    return 2;
+  yysize = yysize1;
 
-      if (yyresult)
-	{
-	  /* Avoid sprintf, as that infringes on the user's name space.
-	     Don't have undefined behavior even if the translation
-	     produced a string with the wrong number of "%s"s.  */
-	  char *yyp = yyresult;
-	  int yyi = 0;
-	  while ((*yyp = *yyf) != '\0')
-	    {
-	      if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
-		{
-		  yyp += yytnamerr (yyp, yyarg[yyi++]);
-		  yyf += 2;
-		}
-	      else
-		{
-		  yyp++;
-		  yyf++;
-		}
-	    }
-	}
-      return yysize;
+  if (*yymsg_alloc < yysize)
+    {
+      *yymsg_alloc = 2 * yysize;
+      if (! (yysize <= *yymsg_alloc
+             && *yymsg_alloc <= YYSTACK_ALLOC_MAXIMUM))
+        *yymsg_alloc = YYSTACK_ALLOC_MAXIMUM;
+      return 1;
     }
+
+  /* Avoid sprintf, as that infringes on the user's name space.
+     Don't have undefined behavior even if the translation
+     produced a string with the wrong number of "%s"s.  */
+  {
+    char *yyp = *yymsg;
+    int yyi = 0;
+    while ((*yyp = *yyformat) != '\0')
+      if (*yyp == '%' && yyformat[1] == 's' && yyi < yycount)
+        {
+          yyp += yytnamerr (yyp, yyarg[yyi++]);
+          yyformat += 2;
+        }
+      else
+        {
+          yyp++;
+          yyformat++;
+        }
+  }
+  return 0;
 }
 #endif /* YYERROR_VERBOSE */
-
 
 /*-----------------------------------------------.
 | Release the memory associated to this symbol.  |
@@ -1105,6 +1135,7 @@ yydestruct (yymsg, yytype, yyvaluep)
     }
 }
 
+
 /* Prevent warnings from -Wmissing-prototypes.  */
 #ifdef YYPARSE_PARAM
 #if defined __STDC__ || defined __cplusplus
@@ -1131,10 +1162,9 @@ YYSTYPE yylval;
 int yynerrs;
 
 
-
-/*-------------------------.
-| yyparse or yypush_parse.  |
-`-------------------------*/
+/*----------.
+| yyparse.  |
+`----------*/
 
 #ifdef YYPARSE_PARAM
 #if (defined __STDC__ || defined __C99__FUNC__ \
@@ -1158,8 +1188,6 @@ yyparse ()
 #endif
 #endif
 {
-
-
     int yystate;
     /* Number of tokens to shift before error messages enabled.  */
     int yyerrstatus;
@@ -1314,7 +1342,7 @@ yybackup:
 
   /* First try to decide what to do without reference to lookahead token.  */
   yyn = yypact[yystate];
-  if (yyn == YYPACT_NINF)
+  if (yypact_value_is_default (yyn))
     goto yydefault;
 
   /* Not known => get a lookahead token if don't already have one.  */
@@ -1345,8 +1373,8 @@ yybackup:
   yyn = yytable[yyn];
   if (yyn <= 0)
     {
-      if (yyn == 0 || yyn == YYTABLE_NINF)
-	goto yyerrlab;
+      if (yytable_value_is_error (yyn))
+        goto yyerrlab;
       yyn = -yyn;
       goto yyreduce;
     }
@@ -1401,8 +1429,8 @@ yyreduce:
     {
         case 4:
 
-/* Line 1455 of yacc.c  */
-#line 71 "parser.y"
+/* Line 1806 of yacc.c  */
+#line 69 "parser.y"
     {
 		free((yyvsp[(2) - (3)].s));
 	}
@@ -1410,8 +1438,8 @@ yyreduce:
 
   case 5:
 
-/* Line 1455 of yacc.c  */
-#line 75 "parser.y"
+/* Line 1806 of yacc.c  */
+#line 73 "parser.y"
     {
 		_parser_kw = &(_parser_cfg->config_setup);
 		_parser_kw_last = NULL;
@@ -1420,12 +1448,12 @@ yyreduce:
 
   case 7:
 
-/* Line 1455 of yacc.c  */
-#line 80 "parser.y"
+/* Line 1806 of yacc.c  */
+#line 78 "parser.y"
     {
 		section_list_t *section = malloc_thing(section_list_t);
-		
-		section->name = clone_str((yyvsp[(2) - (3)].s));
+
+		section->name = strdupnull((yyvsp[(2) - (3)].s));
 		section->kw = NULL;
 		section->next = NULL;
 		_parser_kw = &(section->kw);
@@ -1441,11 +1469,11 @@ yyreduce:
 
   case 9:
 
-/* Line 1455 of yacc.c  */
-#line 96 "parser.y"
+/* Line 1806 of yacc.c  */
+#line 94 "parser.y"
     {
 		section_list_t *section = malloc_thing(section_list_t);
-		section->name = clone_str((yyvsp[(2) - (3)].s));
+		section->name = strdupnull((yyvsp[(2) - (3)].s));
 		section->kw = NULL;
 		section->next = NULL;
 		_parser_kw = &(section->kw);
@@ -1461,8 +1489,8 @@ yyreduce:
 
   case 11:
 
-/* Line 1455 of yacc.c  */
-#line 111 "parser.y"
+/* Line 1806 of yacc.c  */
+#line 109 "parser.y"
     {
 		extern void _parser_y_include (const char *f);
 		_parser_y_include((yyvsp[(2) - (2)].s));
@@ -1472,8 +1500,8 @@ yyreduce:
 
   case 16:
 
-/* Line 1455 of yacc.c  */
-#line 126 "parser.y"
+/* Line 1806 of yacc.c  */
+#line 124 "parser.y"
     {
 		kw_list_t  *new;
 		kw_entry_t *entry = in_word_set((yyvsp[(1) - (3)].s), strlen((yyvsp[(1) - (3)].s)));
@@ -1487,7 +1515,7 @@ yyreduce:
 		{
 			new = (kw_list_t *)malloc_thing(kw_list_t);
 			new->entry = entry;
-			new->value = clone_str((yyvsp[(3) - (3)].s));
+			new->value = strdupnull((yyvsp[(3) - (3)].s));
 			new->next = NULL;
 			if (_parser_kw_last)
 				_parser_kw_last->next = new;
@@ -1502,8 +1530,8 @@ yyreduce:
 
   case 17:
 
-/* Line 1455 of yacc.c  */
-#line 151 "parser.y"
+/* Line 1806 of yacc.c  */
+#line 149 "parser.y"
     {
 		free((yyvsp[(1) - (2)].s));
 	  }
@@ -1511,10 +1539,21 @@ yyreduce:
 
 
 
-/* Line 1455 of yacc.c  */
-#line 1516 "parser.c"
+/* Line 1806 of yacc.c  */
+#line 1544 "parser.c"
       default: break;
     }
+  /* User semantic actions sometimes alter yychar, and that requires
+     that yytoken be updated with the new translation.  We take the
+     approach of translating immediately before every use of yytoken.
+     One alternative is translating here after every semantic action,
+     but that translation would be missed if the semantic action invokes
+     YYABORT, YYACCEPT, or YYERROR immediately after altering yychar or
+     if it invokes YYBACKUP.  In the case of YYABORT or YYACCEPT, an
+     incorrect destructor might then be invoked immediately.  In the
+     case of YYERROR or YYBACKUP, subsequent parser actions might lead
+     to an incorrect destructor call or verbose syntax error message
+     before the lookahead is translated.  */
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
 
   YYPOPSTACK (yylen);
@@ -1542,6 +1581,10 @@ yyreduce:
 | yyerrlab -- here on detecting error |
 `------------------------------------*/
 yyerrlab:
+  /* Make sure we have latest lookahead translation.  See comments at
+     user semantic actions for why this is necessary.  */
+  yytoken = yychar == YYEMPTY ? YYEMPTY : YYTRANSLATE (yychar);
+
   /* If not already recovering from an error, report this error.  */
   if (!yyerrstatus)
     {
@@ -1549,37 +1592,36 @@ yyerrlab:
 #if ! YYERROR_VERBOSE
       yyerror (YY_("syntax error"));
 #else
+# define YYSYNTAX_ERROR yysyntax_error (&yymsg_alloc, &yymsg, \
+                                        yyssp, yytoken)
       {
-	YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
-	if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
-	  {
-	    YYSIZE_T yyalloc = 2 * yysize;
-	    if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
-	      yyalloc = YYSTACK_ALLOC_MAXIMUM;
-	    if (yymsg != yymsgbuf)
-	      YYSTACK_FREE (yymsg);
-	    yymsg = (char *) YYSTACK_ALLOC (yyalloc);
-	    if (yymsg)
-	      yymsg_alloc = yyalloc;
-	    else
-	      {
-		yymsg = yymsgbuf;
-		yymsg_alloc = sizeof yymsgbuf;
-	      }
-	  }
-
-	if (0 < yysize && yysize <= yymsg_alloc)
-	  {
-	    (void) yysyntax_error (yymsg, yystate, yychar);
-	    yyerror (yymsg);
-	  }
-	else
-	  {
-	    yyerror (YY_("syntax error"));
-	    if (yysize != 0)
-	      goto yyexhaustedlab;
-	  }
+        char const *yymsgp = YY_("syntax error");
+        int yysyntax_error_status;
+        yysyntax_error_status = YYSYNTAX_ERROR;
+        if (yysyntax_error_status == 0)
+          yymsgp = yymsg;
+        else if (yysyntax_error_status == 1)
+          {
+            if (yymsg != yymsgbuf)
+              YYSTACK_FREE (yymsg);
+            yymsg = (char *) YYSTACK_ALLOC (yymsg_alloc);
+            if (!yymsg)
+              {
+                yymsg = yymsgbuf;
+                yymsg_alloc = sizeof yymsgbuf;
+                yysyntax_error_status = 2;
+              }
+            else
+              {
+                yysyntax_error_status = YYSYNTAX_ERROR;
+                yymsgp = yymsg;
+              }
+          }
+        yyerror (yymsgp);
+        if (yysyntax_error_status == 2)
+          goto yyexhaustedlab;
       }
+# undef YYSYNTAX_ERROR
 #endif
     }
 
@@ -1638,7 +1680,7 @@ yyerrlab1:
   for (;;)
     {
       yyn = yypact[yystate];
-      if (yyn != YYPACT_NINF)
+      if (!yypact_value_is_default (yyn))
 	{
 	  yyn += YYTERROR;
 	  if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
@@ -1697,8 +1739,13 @@ yyexhaustedlab:
 
 yyreturn:
   if (yychar != YYEMPTY)
-     yydestruct ("Cleanup: discarding lookahead",
-		 yytoken, &yylval);
+    {
+      /* Make sure we have latest lookahead translation.  See comments at
+         user semantic actions for why this is necessary.  */
+      yytoken = YYTRANSLATE (yychar);
+      yydestruct ("Cleanup: discarding lookahead",
+                  yytoken, &yylval);
+    }
   /* Do not reclaim the symbols of the rule which action triggered
      this YYABORT or YYACCEPT.  */
   YYPOPSTACK (yylen);
@@ -1723,8 +1770,8 @@ yyreturn:
 
 
 
-/* Line 1675 of yacc.c  */
-#line 157 "parser.y"
+/* Line 2067 of yacc.c  */
+#line 155 "parser.y"
 
 
 void yyerror(const char *s)
@@ -1794,7 +1841,7 @@ config_parsed_t *parser_load_conf(const char *file)
 
 	if (err)
 	{
-		plog("%s", parser_errstring);
+		DBG1(DBG_APP, "%s", parser_errstring);
 
 		if (cfg)
 			parser_free_conf(cfg);
diff --git a/src/starter/parser.h b/src/starter/parser.h
index f0e666bb5..7007dfef5 100644
--- a/src/starter/parser.h
+++ b/src/starter/parser.h
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5.  */
 
-/* A Bison parser, made by GNU Bison 2.4.1.  */
-
-/* Skeleton interface for Bison's Yacc-like parsers in C
+/* Bison interface for Yacc-like parsers in C
    
-      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
-   Free Software Foundation, Inc.
+      Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -70,13 +68,13 @@
 typedef union YYSTYPE
 {
 
-/* Line 1676 of yacc.c  */
-#line 54 "parser.y"
+/* Line 2068 of yacc.c  */
+#line 52 "parser.y"
  char *s; 
 
 
-/* Line 1676 of yacc.c  */
-#line 80 "parser.h"
+/* Line 2068 of yacc.c  */
+#line 78 "parser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/src/starter/parser.y b/src/starter/parser.y
index dfaec9ee8..2cf0501f4 100644
--- a/src/starter/parser.y
+++ b/src/starter/parser.y
@@ -17,11 +17,9 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <freeswan.h>
+#include <library.h>
+#include <utils/debug.h>
 
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
 #include "ipsec-parser.h"
 
 #define YYERROR_VERBOSE
@@ -63,7 +61,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
 
 config_file:
 	config_file section_or_include
-	| /* NULL */                
+	| /* NULL */
 	;
 
 section_or_include:
@@ -79,8 +77,8 @@ section_or_include:
 	| CONN STRING EOL
 	{
 		section_list_t *section = malloc_thing(section_list_t);
-		
-		section->name = clone_str($2);
+
+		section->name = strdupnull($2);
 		section->kw = NULL;
 		section->next = NULL;
 		_parser_kw = &(section->kw);
@@ -95,7 +93,7 @@ section_or_include:
 	| CA STRING EOL
 	{
 		section_list_t *section = malloc_thing(section_list_t);
-		section->name = clone_str($2);
+		section->name = strdupnull($2);
 		section->kw = NULL;
 		section->next = NULL;
 		_parser_kw = &(section->kw);
@@ -136,7 +134,7 @@ statement_kw:
 		{
 			new = (kw_list_t *)malloc_thing(kw_list_t);
 			new->entry = entry;
-			new->value = clone_str($3);
+			new->value = strdupnull($3);
 			new->next = NULL;
 			if (_parser_kw_last)
 				_parser_kw_last->next = new;
@@ -223,7 +221,7 @@ config_parsed_t *parser_load_conf(const char *file)
 
 	if (err)
 	{
-		plog("%s", parser_errstring);
+		DBG1(DBG_APP, "%s", parser_errstring);
 
 		if (cfg)
 			parser_free_conf(cfg);
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 44e21431c..06eb142bd 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -12,12 +12,16 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+
+#include <sys/select.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <signal.h>
+#include <syslog.h>
 #include <unistd.h>
 #include <sys/time.h>
 #include <time.h>
@@ -26,25 +30,111 @@
 #include <fcntl.h>
 #include <pwd.h>
 #include <grp.h>
+#include <pthread.h>
 
-#include <freeswan.h>
 #include <library.h>
 #include <hydra.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+#include <utils/debug.h>
 
 #include "confread.h"
 #include "files.h"
-#include "starterwhack.h"
 #include "starterstroke.h"
-#include "invokepluto.h"
 #include "invokecharon.h"
 #include "netkey.h"
 #include "klips.h"
 #include "cmp.h"
-#include "interfaces.h"
+
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
+#define CHARON_RESTART_DELAY 5
+
+static const char* cmd_default = IPSEC_DIR "/charon";
+static const char* pid_file_default = IPSEC_PIDDIR "/charon.pid";
+static const char* starter_pid_file_default = IPSEC_PIDDIR "/starter.pid";
+
+char *daemon_name = NULL;
+char *cmd = NULL;
+char *pid_file = NULL;
+char *starter_pid_file = NULL;
+
+static char *config_file = NULL;
+
+/* logging */
+static bool log_to_stderr = TRUE;
+static bool log_to_syslog = TRUE;
+static level_t current_loglevel = 1;
+
+/**
+ * logging function for scepclient
+ */
+static void starter_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (level <= current_loglevel)
+	{
+		if (log_to_stderr)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			va_end(args);
+			fprintf(stderr, "\n");
+		}
+		if (log_to_syslog)
+		{
+			/* write in memory buffer first */
+			va_start(args, fmt);
+			vsnprintf(buffer, sizeof(buffer), fmt, args);
+			va_end(args);
+
+			/* do a syslog with every line */
+			while (current)
+			{
+				next = strchr(current, '\n');
+				if (next)
+				{
+					*(next++) = '\0';
+				}
+				syslog(LOG_INFO, "%s\n", current);
+				current = next;
+			}
+		}
+	}
+}
+
+/**
+ * Initialize logging to stderr/syslog
+ */
+static void init_log(const char *program)
+{
+	dbg = starter_dbg;
+
+	if (log_to_stderr)
+	{
+		setbuf(stderr, NULL);
+	}
+	if (log_to_syslog)
+	{
+		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	}
+}
+
+/**
+ * Deinitialize logging to syslog
+ */
+static void close_log()
+{
+	if (log_to_syslog)
+	{
+		closelog();
+	}
+}
 
 /**
  * Return codes defined by Linux Standard Base Core Specification 3.1
@@ -68,7 +158,10 @@
 
 static unsigned int _action_ = 0;
 
-static void fsig(int signal)
+/**
+ * Handle signals in the main thread
+ */
+static void signal_handler(int signal)
 {
 	switch (signal)
 	{
@@ -80,27 +173,22 @@ static void fsig(int signal)
 
 			while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
 			{
-				if (pid == starter_pluto_pid())
-				{
-					name = " (Pluto)";
-				}
 				if (pid == starter_charon_pid())
 				{
-					name = " (Charon)";
+					if (asprintf(&name, " (%s)", daemon_name) < 0)
+					{
+						 name = NULL;
+					}
 				}
 				if (WIFSIGNALED(status))
 				{
-					DBG(DBG_CONTROL,
-						DBG_log("child %d%s has been killed by sig %d\n",
-								pid, name?name:"", WTERMSIG(status))
-					   )
+					DBG2(DBG_APP, "child %d%s has been killed by sig %d\n",
+						 pid, name?name:"", WTERMSIG(status));
 				}
 				else if (WIFSTOPPED(status))
 				{
-					DBG(DBG_CONTROL,
-						DBG_log("child %d%s has been stopped by sig %d\n",
-								pid, name?name:"", WSTOPSIG(status))
-					   )
+					DBG2(DBG_APP, "child %d%s has been stopped by sig %d\n",
+						 pid, name?name:"", WSTOPSIG(status));
 				}
 				else if (WIFEXITED(status))
 				{
@@ -109,35 +197,27 @@ static void fsig(int signal)
 					{
 						_action_ =  FLAG_ACTION_QUIT;
 					}
-					DBG(DBG_CONTROL,
-						DBG_log("child %d%s has quit (exit code %d)\n",
-								pid, name?name:"", exit_status)
-					   )
+					DBG2(DBG_APP, "child %d%s has quit (exit code %d)\n",
+						 pid, name?name:"", exit_status);
 				}
 				else
 				{
-					DBG(DBG_CONTROL,
-						DBG_log("child %d%s has quit", pid, name?name:"")
-					   )
-				}
-				if (pid == starter_pluto_pid())
-				{
-					starter_pluto_sigchild(pid, exit_status);
+					DBG2(DBG_APP, "child %d%s has quit", pid, name?name:"");
 				}
 				if (pid == starter_charon_pid())
 				{
 					starter_charon_sigchild(pid, exit_status);
 				}
 			}
+
+			if (name)
+			{
+				free(name);
+			}
 		}
 		break;
 
-		case SIGPIPE:
-			/** ignore **/
-			break;
-
 		case SIGALRM:
-			_action_ |= FLAG_ACTION_START_PLUTO;
 			_action_ |= FLAG_ACTION_START_CHARON;
 			break;
 
@@ -157,11 +237,27 @@ static void fsig(int signal)
 			break;
 
 		default:
-			plog("fsig(): unknown signal %d -- investigate", signal);
+			DBG1(DBG_APP, "fsig(): unknown signal %d -- investigate", signal);
 			break;
 	}
 }
 
+/**
+ * Handle fatal signals raised by threads
+ */
+static void fatal_signal_handler(int signal)
+{
+	backtrace_t *backtrace;
+
+	DBG1(DBG_APP, "thread %u received %d", thread_current_id(), signal);
+	backtrace = backtrace_create(2);
+	backtrace->log(backtrace, stderr, TRUE);
+	backtrace->destroy(backtrace);
+
+	DBG1(DBG_APP, "killing ourself, received critical signal");
+	abort();
+}
+
 #ifdef GENERATE_SELFCERT
 static void generate_selfcert()
 {
@@ -197,11 +293,11 @@ static void generate_selfcert()
 			}
 		}
 #endif
-		setegid(gid);
-		seteuid(uid);
-		ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
-		seteuid(0);
-		setegid(0);
+		ignore_result(setegid(gid));
+		ignore_result(seteuid(uid));
+		ignore_result(system(IPSEC_SCRIPT " scepclient --out pkcs1 --out cert-self --quiet"));
+		ignore_result(seteuid(0));
+		ignore_result(setegid(0));
 
 		/* ipsec.secrets is root readable only */
 		oldmask = umask(0066);
@@ -244,16 +340,63 @@ static bool check_pid(char *pid_file)
 				return TRUE;
 			}
 		}
-		plog("removing pidfile '%s', process not running", pid_file);
+		DBG1(DBG_APP, "removing pidfile '%s', process not running", pid_file);
 		unlink(pid_file);
 	}
 	return FALSE;
 }
 
+/* Set daemon name and adjust command and pid filenames accordingly */
+static bool set_daemon_name()
+{
+	if (!daemon_name)
+	{
+		daemon_name = "charon";
+	}
+
+	if (asprintf(&cmd, IPSEC_DIR"/%s", daemon_name) < 0)
+	{
+		 cmd = (char*)cmd_default;
+	}
+
+	if (asprintf(&pid_file, IPSEC_PIDDIR"/%s.pid", daemon_name) < 0)
+	{
+		 pid_file = (char*)pid_file_default;
+	}
+
+	if (asprintf(&starter_pid_file, IPSEC_PIDDIR"/starter.%s.pid",
+				 daemon_name) < 0)
+	{
+		 starter_pid_file = (char*)starter_pid_file_default;
+	}
+
+	return TRUE;
+}
+
+static void cleanup()
+{
+	if (cmd != cmd_default)
+	{
+		free(cmd);
+	}
+
+	if (pid_file != pid_file_default)
+	{
+		free(pid_file);
+	}
+
+	if (starter_pid_file != starter_pid_file_default)
+	{
+		free(starter_pid_file);
+	}
+}
+
 static void usage(char *name)
 {
-	fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
-			"[--debug|--debug-more|--debug-all]\n");
+	fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>]\n"
+			"               [--debug|--debug-more|--debug-all|--nolog]\n"
+			"               [--attach-gdb] [--daemon <name>]\n"
+			"               [--conf <path to ipsec.conf>]\n");
 	exit(LSB_RC_INVALID_ARGUMENT);
 }
 
@@ -264,21 +407,18 @@ int main (int argc, char **argv)
 	starter_conn_t *conn, *conn2;
 	starter_ca_t *ca, *ca2;
 
+	struct sigaction action;
 	struct stat stb;
 
 	int i;
 	int id = 1;
-	struct timeval tv;
+	struct timespec ts;
 	unsigned long auto_update = 0;
 	time_t last_reload;
 	bool no_fork = FALSE;
 	bool attach_gdb = FALSE;
 	bool load_warning = FALSE;
 
-	/* global variables defined in log.h */
-	log_to_stderr = TRUE;
-	base_debugging = DBG_NONE;
-
 	library_init(NULL);
 	atexit(library_deinit);
 
@@ -290,15 +430,19 @@ int main (int argc, char **argv)
 	{
 		if (streq(argv[i], "--debug"))
 		{
-			base_debugging |= DBG_CONTROL;
+			current_loglevel = 2;
 		}
 		else if (streq(argv[i], "--debug-more"))
 		{
-			base_debugging |= DBG_CONTROLMORE;
+			current_loglevel = 3;
 		}
 		else if (streq(argv[i], "--debug-all"))
 		{
-			base_debugging |= DBG_ALL;
+			current_loglevel = 4;
+		}
+		else if (streq(argv[i], "--nolog"))
+		{
+			current_loglevel = 0;
 		}
 		else if (streq(argv[i], "--nofork"))
 		{
@@ -315,26 +459,36 @@ int main (int argc, char **argv)
 			if (!auto_update)
 				usage(argv[0]);
 		}
+		else if (streq(argv[i], "--daemon") && i+1 < argc)
+		{
+			daemon_name = argv[++i];
+		}
+		else if (streq(argv[i], "--conf") && i+1 < argc)
+		{
+			config_file = argv[++i];
+		}
 		else
 		{
 			usage(argv[0]);
 		}
 	}
 
-	/* Init */
-	init_log("ipsec_starter");
-	cur_debugging = base_debugging;
+	if (!set_daemon_name())
+	{
+		DBG1(DBG_APP, "unable to set daemon name");
+		exit(LSB_RC_FAILURE);
+	}
+	if (!config_file)
+	{
+		config_file = CONFIG_FILE;
+	}
 
-	signal(SIGHUP,  fsig);
-	signal(SIGCHLD, fsig);
-	signal(SIGPIPE, fsig);
-	signal(SIGINT,  fsig);
-	signal(SIGTERM, fsig);
-	signal(SIGQUIT, fsig);
-	signal(SIGALRM, fsig);
-	signal(SIGUSR1, fsig);
+	init_log("ipsec_starter");
 
-	plog("Starting strongSwan "VERSION" IPsec [starter]...");
+	DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...",
+		lib->settings->get_bool(lib->settings,
+			"charon.i_dont_care_about_security_and_use_aggressive_mode_psk",
+				FALSE) ? "weak" : "strong");
 
 #ifdef LOAD_WARNING
 	load_warning = TRUE;
@@ -342,35 +496,26 @@ int main (int argc, char **argv)
 
 	if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning))
 	{
-		if (lib->settings->get_str(lib->settings, "charon.load", NULL) ||
-			lib->settings->get_str(lib->settings, "pluto.load", NULL))
+		if (lib->settings->get_str(lib->settings, "charon.load", NULL))
 		{
-			plog("!! Your strongswan.conf contains manual plugin load options for");
-			plog("!! pluto and/or charon. This is recommended for experts only, see");
-			plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
+			DBG1(DBG_APP, "!! Your strongswan.conf contains manual plugin load options for charon.");
+			DBG1(DBG_APP, "!! This is recommended for experts only, see");
+			DBG1(DBG_APP, "!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
 		}
 	}
 
 	/* verify that we can start */
 	if (getuid() != 0)
 	{
-		plog("permission denied (must be superuser)");
+		DBG1(DBG_APP, "permission denied (must be superuser)");
+		cleanup();
 		exit(LSB_RC_NOT_ALLOWED);
 	}
 
-	if (check_pid(PLUTO_PID_FILE))
-	{
-		plog("pluto is already running (%s exists) -- skipping pluto start",
-			 PLUTO_PID_FILE);
-	}
-	else
-	{
-		_action_ |= FLAG_ACTION_START_PLUTO;
-	}
-	if (check_pid(CHARON_PID_FILE))
+	if (check_pid(pid_file))
 	{
-		plog("charon is already running (%s exists) -- skipping charon start",
-			 CHARON_PID_FILE);
+		DBG1(DBG_APP, "%s is already running (%s exists) -- skipping daemon start",
+			 daemon_name, pid_file);
 	}
 	else
 	{
@@ -378,45 +523,49 @@ int main (int argc, char **argv)
 	}
 	if (stat(DEV_RANDOM, &stb) != 0)
 	{
-		plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
+		DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
+		cleanup();
 		exit(LSB_RC_FAILURE);
 	}
 
 	if (stat(DEV_URANDOM, &stb)!= 0)
 	{
-		plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
+		DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
+		cleanup();
 		exit(LSB_RC_FAILURE);
 	}
 
-	cfg = confread_load(CONFIG_FILE);
+	cfg = confread_load(config_file);
 	if (cfg == NULL || cfg->err > 0)
 	{
-		plog("unable to start strongSwan -- fatal errors in config");
+		DBG1(DBG_APP, "unable to start strongSwan -- fatal errors in config");
 		if (cfg)
 		{
 			confread_free(cfg);
 		}
+		cleanup();
 		exit(LSB_RC_INVALID_ARGUMENT);
 	}
 
 	/* determine if we have a native netkey IPsec stack */
 	if (!starter_netkey_init())
 	{
-		plog("no netkey IPsec stack detected");
+		DBG1(DBG_APP, "no netkey IPsec stack detected");
 		if (!starter_klips_init())
 		{
-			plog("no KLIPS IPsec stack detected");
-			plog("no known IPsec stack detected, ignoring!");
+			DBG1(DBG_APP, "no KLIPS IPsec stack detected");
+			DBG1(DBG_APP, "no known IPsec stack detected, ignoring!");
 		}
 	}
 
 	last_reload = time_monotonic(NULL);
 
-	if (check_pid(STARTER_PID_FILE))
+	if (check_pid(starter_pid_file))
 	{
-		plog("starter is already running (%s exists) -- no fork done",
-			 STARTER_PID_FILE);
+		DBG1(DBG_APP, "starter is already running (%s exists) -- no fork done",
+			 starter_pid_file);
 		confread_free(cfg);
+		cleanup();
 		exit(LSB_RC_SUCCESS);
 	}
 
@@ -435,6 +584,7 @@ int main (int argc, char **argv)
 			{
 				int fnull;
 
+				close_log();
 				closefrom(3);
 
 				fnull = open("/dev/null", O_RDWR);
@@ -447,20 +597,22 @@ int main (int argc, char **argv)
 				}
 
 				setsid();
+				init_log("ipsec_starter");
 			}
 			break;
 			case -1:
-				plog("can't fork: %s", strerror(errno));
+				DBG1(DBG_APP, "can't fork: %s", strerror(errno));
 				break;
 			default:
 				confread_free(cfg);
+				cleanup();
 				exit(LSB_RC_SUCCESS);
 		}
 	}
 
-	/* save pid file in /var/run/starter.pid */
+	/* save pid file in /var/run/starter[.daemon_name].pid */
 	{
-		FILE *fd = fopen(STARTER_PID_FILE, "w");
+		FILE *fd = fopen(starter_pid_file, "w");
 
 		if (fd)
 		{
@@ -469,33 +621,55 @@ int main (int argc, char **argv)
 		}
 	}
 
-	/* load plugins */
-	if (!lib->plugins->load(lib->plugins, NULL,
-			lib->settings->get_str(lib->settings, "starter.load", PLUGINS)))
-	{
-		exit(LSB_RC_FAILURE);
-	}
+	/* we handle these signals only in pselect() */
+	memset(&action, 0, sizeof(action));
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGHUP);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaddset(&action.sa_mask, SIGQUIT);
+	sigaddset(&action.sa_mask, SIGALRM);
+	sigaddset(&action.sa_mask, SIGUSR1);
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+	/* install a handler for fatal signals */
+	action.sa_handler = fatal_signal_handler;
+	sigaction(SIGSEGV, &action, NULL);
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+
+	/* install main signal handler */
+	action.sa_handler = signal_handler;
+	sigaction(SIGHUP, &action, NULL);
+	sigaction(SIGINT, &action, NULL);
+	sigaction(SIGTERM, &action, NULL);
+	sigaction(SIGQUIT, &action, NULL);
+	sigaction(SIGALRM, &action, NULL);
+	sigaction(SIGUSR1, &action, NULL);
+	/* this is not blocked above as we want to receive it asynchronously */
+	sigaction(SIGCHLD, &action, NULL);
+
+	/* empty mask for pselect() call below */
+	sigemptyset(&action.sa_mask);
 
 	for (;;)
 	{
 		/*
-		 * Stop pluto/charon (if started) and exit
+		 * Stop charon (if started) and exit
 		 */
 		if (_action_ & FLAG_ACTION_QUIT)
 		{
-			if (starter_pluto_pid())
-			{
-				starter_stop_pluto();
-			}
 			if (starter_charon_pid())
 			{
 				starter_stop_charon();
 			}
 			starter_netkey_cleanup();
 			confread_free(cfg);
-			unlink(STARTER_PID_FILE);
-			plog("ipsec starter stopped");
-			lib->plugins->unload(lib->plugins);
+			unlink(starter_pid_file);
+			cleanup();
+			DBG1(DBG_APP, "ipsec starter stopped");
 			close_log();
 			exit(LSB_RC_SUCCESS);
 		}
@@ -505,7 +679,7 @@ int main (int argc, char **argv)
 		 */
 		if (_action_ & FLAG_ACTION_RELOAD)
 		{
-			if (starter_pluto_pid() || starter_charon_pid())
+			if (starter_charon_pid())
 			{
 				for (conn = cfg->conn_first; conn; conn = conn->next)
 				{
@@ -513,12 +687,12 @@ int main (int argc, char **argv)
 					{
 						if (starter_charon_pid())
 						{
+							if (conn->startup == STARTUP_ROUTE)
+							{
+								starter_stroke_unroute_conn(conn);
+							}
 							starter_stroke_del_conn(conn);
 						}
-						if (starter_pluto_pid())
-						{
-							starter_whack_del_conn(conn);
-						}
 						conn->state = STATE_TO_ADD;
 					}
 				}
@@ -530,10 +704,6 @@ int main (int argc, char **argv)
 						{
 							starter_stroke_del_ca(ca);
 						}
-						if (starter_pluto_pid())
-						{
-							starter_whack_del_ca(ca);
-						}
 						ca->state = STATE_TO_ADD;
 					}
 				}
@@ -546,96 +716,72 @@ int main (int argc, char **argv)
 		 */
 		if (_action_ & FLAG_ACTION_UPDATE)
 		{
-			DBG(DBG_CONTROL,
-				DBG_log("Reloading config...")
-			   );
-			new_cfg = confread_load(CONFIG_FILE);
+			DBG2(DBG_APP, "Reloading config...");
+			new_cfg = confread_load(config_file);
 
-			if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
+			if (new_cfg && (new_cfg->err == 0))
 			{
 				/* Switch to new config. New conn will be loaded below */
-				if (!starter_cmp_defaultroute(&new_cfg->defaultroute
-								   , &cfg->defaultroute))
-				{
-					_action_ |= FLAG_ACTION_LISTEN;
-				}
 
-				if (!starter_cmp_pluto(cfg, new_cfg))
-				{
-					plog("Pluto has changed");
-					if (starter_pluto_pid())
-						starter_stop_pluto();
-					_action_ &= ~FLAG_ACTION_LISTEN;
-					_action_ |= FLAG_ACTION_START_PLUTO;
-				}
-				else
+				/* Look for new connections that are already loaded */
+				for (conn = cfg->conn_first; conn; conn = conn->next)
 				{
-					/* Only reload conn and ca sections if pluto is not killed */
-
-					/* Look for new connections that are already loaded */
-					for (conn = cfg->conn_first; conn; conn = conn->next)
+					if (conn->state == STATE_ADDED)
 					{
-						if (conn->state == STATE_ADDED)
+						for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
 						{
-							for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
+							if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
 							{
-								if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
-								{
-									conn->state = STATE_REPLACED;
-									conn2->state = STATE_ADDED;
-									conn2->id = conn->id;
-									break;
-								}
+								conn->state = STATE_REPLACED;
+								conn2->state = STATE_ADDED;
+								conn2->id = conn->id;
+								break;
 							}
 						}
 					}
+				}
 
-					/* Remove conn sections that have become unused */
-					for (conn = cfg->conn_first; conn; conn = conn->next)
+				/* Remove conn sections that have become unused */
+				for (conn = cfg->conn_first; conn; conn = conn->next)
+				{
+					if (conn->state == STATE_ADDED)
 					{
-						if (conn->state == STATE_ADDED)
+						if (starter_charon_pid())
 						{
-							if (starter_charon_pid())
+							if (conn->startup == STARTUP_ROUTE)
 							{
-								starter_stroke_del_conn(conn);
-							}
-							if (starter_pluto_pid())
-							{
-								starter_whack_del_conn(conn);
+								starter_stroke_unroute_conn(conn);
 							}
+							starter_stroke_del_conn(conn);
 						}
 					}
+				}
 
-					/* Look for new ca sections that are already loaded */
-					for (ca = cfg->ca_first; ca; ca = ca->next)
+				/* Look for new ca sections that are already loaded */
+				for (ca = cfg->ca_first; ca; ca = ca->next)
+				{
+					if (ca->state == STATE_ADDED)
 					{
-						if (ca->state == STATE_ADDED)
+						for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
 						{
-							for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
+							if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
 							{
-								if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
-								{
-									ca->state = STATE_REPLACED;
-									ca2->state = STATE_ADDED;
-									break;
-								}
+								ca->state = STATE_REPLACED;
+								ca2->state = STATE_ADDED;
+								break;
 							}
 						}
 					}
+				}
 
-					/* Remove ca sections that have become unused */
-					for (ca = cfg->ca_first; ca; ca = ca->next)
+				/* Remove ca sections that have become unused */
+				for (ca = cfg->ca_first; ca; ca = ca->next)
+				{
+					if (ca->state == STATE_ADDED)
 					{
-						if (ca->state == STATE_ADDED)
+						if (starter_charon_pid())
 						{
-							if (starter_charon_pid())
-							{
-								starter_stroke_del_ca(ca);
-							}
-							if (starter_pluto_pid())
-							{
-								starter_whack_del_ca(ca);
-							}
+							starter_stroke_del_ca(ca);
 						}
 					}
 				}
@@ -644,7 +790,7 @@ int main (int argc, char **argv)
 			}
 			else
 			{
-				plog("can't reload config file due to errors -- keeping old one");
+				DBG1(DBG_APP, "can't reload config file due to errors -- keeping old one");
 				if (new_cfg)
 				{
 					confread_free(new_cfg);
@@ -655,77 +801,43 @@ int main (int argc, char **argv)
 		}
 
 		/*
-		 * Start pluto
+		 * Start daemon
 		 */
-		if (_action_ & FLAG_ACTION_START_PLUTO)
+		if (_action_ & FLAG_ACTION_START_CHARON)
 		{
-			if (cfg->setup.plutostart && !starter_pluto_pid())
+			if (cfg->setup.charonstart && !starter_charon_pid())
 			{
-				DBG(DBG_CONTROL,
-					DBG_log("Attempting to start pluto...")
-				   );
-
-				if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
-				{
-					starter_whack_listen();
-				}
-				else
+				DBG2(DBG_APP, "Attempting to start %s...", daemon_name);
+				if (starter_start_charon(cfg, no_fork, attach_gdb))
 				{
 					/* schedule next try */
-					alarm(PLUTO_RESTART_DELAY);
+					alarm(CHARON_RESTART_DELAY);
 				}
+				starter_stroke_configure(cfg);
 			}
-			_action_ &= ~FLAG_ACTION_START_PLUTO;
+			_action_ &= ~FLAG_ACTION_START_CHARON;
 
 			for (ca = cfg->ca_first; ca; ca = ca->next)
 			{
 				if (ca->state == STATE_ADDED)
+				{
 					ca->state = STATE_TO_ADD;
+				}
 			}
 
 			for (conn = cfg->conn_first; conn; conn = conn->next)
 			{
 				if (conn->state == STATE_ADDED)
-					conn->state = STATE_TO_ADD;
-			}
-		}
-
-		/*
-		 * Start charon
-		 */
-		if (_action_ & FLAG_ACTION_START_CHARON)
-		{
-			if (cfg->setup.charonstart && !starter_charon_pid())
-			{
-				DBG(DBG_CONTROL,
-					DBG_log("Attempting to start charon...")
-				   );
-				if (starter_start_charon(cfg, no_fork, attach_gdb))
 				{
-					/* schedule next try */
-					alarm(PLUTO_RESTART_DELAY);
+					conn->state = STATE_TO_ADD;
 				}
-				starter_stroke_configure(cfg);
-			}
-			_action_ &= ~FLAG_ACTION_START_CHARON;
-		}
-
-		/*
-		 * Tell pluto to reread its interfaces
-		 */
-		if (_action_ & FLAG_ACTION_LISTEN)
-		{
-			if (starter_pluto_pid())
-			{
-				starter_whack_listen();
-				_action_ &= ~FLAG_ACTION_LISTEN;
 			}
 		}
 
 		/*
 		 * Add stale conn and ca sections
 		 */
-		if (starter_pluto_pid() || starter_charon_pid())
+		if (starter_charon_pid())
 		{
 			for (ca = cfg->ca_first; ca; ca = ca->next)
 			{
@@ -735,10 +847,6 @@ int main (int argc, char **argv)
 					{
 						starter_stroke_add_ca(ca);
 					}
-					if (starter_pluto_pid())
-					{
-						starter_whack_add_ca(ca);
-					}
 					ca->state = STATE_ADDED;
 				}
 			}
@@ -756,44 +864,20 @@ int main (int argc, char **argv)
 					{
 						starter_stroke_add_conn(cfg, conn);
 					}
-					if (starter_pluto_pid())
-					{
-						starter_whack_add_conn(conn);
-					}
 					conn->state = STATE_ADDED;
 
 					if (conn->startup == STARTUP_START)
 					{
-						if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
-						{
-							if (starter_charon_pid())
-							{
-								starter_stroke_initiate_conn(conn);
-							}
-						}
-						else
+						if (starter_charon_pid())
 						{
-							if (starter_pluto_pid())
-							{
-								starter_whack_initiate_conn(conn);
-							}
+							starter_stroke_initiate_conn(conn);
 						}
 					}
 					else if (conn->startup == STARTUP_ROUTE)
 					{
-						if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
-						{
-							if (starter_charon_pid())
-							{
-								starter_stroke_route_conn(conn);
-							}
-						}
-						else
+						if (starter_charon_pid())
 						{
-							if (starter_pluto_pid())
-							{
-								starter_whack_route_conn(conn);
-							}
+							starter_stroke_route_conn(conn);
 						}
 					}
 				}
@@ -807,15 +891,17 @@ int main (int argc, char **argv)
 		{
 			time_t now = time_monotonic(NULL);
 
-			tv.tv_sec = (now < last_reload + auto_update)
-					? (last_reload + auto_update-now) : 0;
-			tv.tv_usec = 0;
+			ts.tv_sec = (now < last_reload + auto_update) ?
+						(last_reload + auto_update - now) : 0;
+			ts.tv_nsec = 0;
 		}
 
 		/*
 		 * Wait for something to happen
 		 */
-		if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
+		if (!_action_ &&
+			pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL,
+					&action.sa_mask) == 0)
 		{
 			/* timeout -> auto_update */
 			_action_ |= FLAG_ACTION_UPDATE;
@@ -823,4 +909,3 @@ int main (int argc, char **argv)
 	}
 	exit(LSB_RC_SUCCESS);
 }
-
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index ae04c20dd..cc447c41f 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -1,4 +1,4 @@
-/* Stroke for charon is the counterpart to whack from pluto
+/*
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -26,11 +26,8 @@
 
 #include <credentials/auth_cfg.h>
 
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
+#include <library.h>
+#include <utils/debug.h>
 
 #include <stroke_msg.h>
 
@@ -73,12 +70,12 @@ static int send_stroke_msg (stroke_msg_t *msg)
 
 	if (sock < 0)
 	{
-		plog("socket() failed: %s", strerror(errno));
+		DBG1(DBG_APP, "socket() failed: %s", strerror(errno));
 		return -1;
 	}
 	if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
 	{
-		plog("connect(charon_ctl) failed: %s", strerror(errno));
+		DBG1(DBG_APP, "connect(charon_ctl) failed: %s", strerror(errno));
 		close(sock);
 		return -1;
 	}
@@ -86,18 +83,18 @@ static int send_stroke_msg (stroke_msg_t *msg)
 	/* send message */
 	if (write(sock, msg, msg->length) != msg->length)
 	{
-		plog("write(charon_ctl) failed: %s", strerror(errno));
+		DBG1(DBG_APP, "write(charon_ctl) failed: %s", strerror(errno));
 		close(sock);
 		return -1;
 	}
 	while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
 	{
 		buffer[byte_count] = '\0';
-		plog("%s", buffer);
+		DBG1(DBG_APP, "%s", buffer);
 	}
 	if (byte_count < 0)
 	{
-		plog("read() failed: %s", strerror(errno));
+		DBG1(DBG_APP, "read() failed: %s", strerror(errno));
 	}
 
 	close(sock);
@@ -117,47 +114,8 @@ static char* connection_name(starter_conn_t *conn)
 	return conn->name;
 }
 
-static void ip_address2string(ip_address *addr, char *buffer, size_t len)
-{
-	switch (((struct sockaddr*)addr)->sa_family)
-	{
-		case AF_INET6:
-		{
-			struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
-			u_int8_t zeroes[IPV6_LEN];
-
-			memset(zeroes, 0, IPV6_LEN);
-			if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
-				inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
-			{
-				return;
-			}
-			snprintf(buffer, len, "%%any6");
-			break;
-		}
-		case AF_INET:
-		{
-			struct sockaddr_in* sin = (struct sockaddr_in*)addr;
-			u_int8_t zeroes[IPV4_LEN];
-
-			memset(zeroes, 0, IPV4_LEN);
-			if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
-				inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
-			{
-				return;
-			}
-			/* fall through to default */
-		}
-		default:
-			snprintf(buffer, len, "%%any");
-			break;
-	}
-}
-
 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
 {
-	char buffer[INET6_ADDRSTRLEN];
-
 	msg_end->auth = push_string(msg, conn_end->auth);
 	msg_end->auth2 = push_string(msg, conn_end->auth2);
 	msg_end->id = push_string(msg, conn_end->id);
@@ -169,6 +127,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->ca = push_string(msg, conn_end->ca);
 	msg_end->ca2 = push_string(msg, conn_end->ca2);
 	msg_end->groups = push_string(msg, conn_end->groups);
+	msg_end->groups2 = push_string(msg, conn_end->groups2);
 	msg_end->updown = push_string(msg, conn_end->updown);
 	if (conn_end->host)
 	{
@@ -176,18 +135,19 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	}
 	else
 	{
-		ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
-		msg_end->address = push_string(msg, buffer);
+		msg_end->address = push_string(msg, "%any");
 	}
 	msg_end->ikeport = conn_end->ikeport;
 	msg_end->subnets = push_string(msg, conn_end->subnet);
 	msg_end->sourceip = push_string(msg, conn_end->sourceip);
-	msg_end->sourceip_mask = conn_end->sourceip_mask;
+	msg_end->dns = push_string(msg, conn_end->dns);
 	msg_end->sendcert = conn_end->sendcert;
 	msg_end->hostaccess = conn_end->hostaccess;
-	msg_end->tohost = !conn_end->has_client;
+	msg_end->tohost = !conn_end->subnet;
+	msg_end->allow_any = conn_end->allow_any;
 	msg_end->protocol = conn_end->protocol;
-	msg_end->port = conn_end->port;
+	msg_end->from_port = conn_end->from_port;
+	msg_end->to_port = conn_end->to_port;
 }
 
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
@@ -197,60 +157,18 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	memset(&msg, 0, sizeof(msg));
 	msg.type = STR_ADD_CONN;
 	msg.length = offsetof(stroke_msg_t, buffer);
-	msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;
+	msg.add_conn.version = conn->keyexchange;
 	msg.add_conn.name = push_string(&msg, connection_name(conn));
-
-	/* PUBKEY is preferred to PSK and EAP */
-	if (conn->policy & POLICY_PUBKEY)
-	{
-		msg.add_conn.auth_method = AUTH_CLASS_PUBKEY;
-	}
-	else if (conn->policy & POLICY_PSK)
-	{
-		msg.add_conn.auth_method = AUTH_CLASS_PSK;
-	}
-	else if (conn->policy & POLICY_XAUTH_PSK)
-	{
-		msg.add_conn.auth_method = AUTH_CLASS_EAP;
-	}
-	else
-	{
-		msg.add_conn.auth_method = AUTH_CLASS_ANY;
-	}
-	msg.add_conn.eap_type = conn->eap_type;
-	msg.add_conn.eap_vendor = conn->eap_vendor;
 	msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
 	msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
+	msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
 
-	if (conn->policy & POLICY_TUNNEL)
-	{
-		msg.add_conn.mode = MODE_TUNNEL;
-	}
-	else if (conn->policy & POLICY_BEET)
-	{
-		msg.add_conn.mode = MODE_BEET;
-	}
-	else if (conn->policy & POLICY_PROXY)
-	{
-		msg.add_conn.mode = MODE_TRANSPORT;
-		msg.add_conn.proxy_mode = TRUE;
-	}
-	else if (conn->policy & POLICY_SHUNT_PASS)
-	{
-		msg.add_conn.mode = MODE_PASS;
-	}
-	else if (conn->policy & (POLICY_SHUNT_DROP | POLICY_SHUNT_REJECT))
-	{
-		msg.add_conn.mode = MODE_DROP;
-	}
-	else
-	{
-		msg.add_conn.mode = MODE_TRANSPORT;
-	}
+	msg.add_conn.mode = conn->mode;
+	msg.add_conn.proxy_mode = conn->proxy_mode;
 
-	if (!(conn->policy & POLICY_DONT_REKEY))
+	if (!(conn->options & SA_OPTION_DONT_REKEY))
 	{
-		msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
+		msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
 		msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
 		msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
 		msg.add_conn.rekey.margin = conn->sa_rekey_margin;
@@ -261,15 +179,19 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 		msg.add_conn.rekey.tries = conn->sa_keying_tries;
 		msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
 	}
-	msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
-	msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
-	msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
+	msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
+	msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
+	msg.add_conn.fragmentation = conn->fragmentation;
+	msg.add_conn.ikedscp = conn->ikedscp;
+	msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
 	msg.add_conn.install_policy = conn->install_policy;
-	msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
+	msg.add_conn.aggressive = conn->aggressive;
+	msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
 	msg.add_conn.unique = cfg->setup.uniqueids;
 	msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
 	msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
 	msg.add_conn.dpd.delay = conn->dpd_delay;
+	msg.add_conn.dpd.timeout = conn->dpd_timeout;
 	msg.add_conn.dpd.action = conn->dpd_action;
 	msg.add_conn.close_action = conn->close_action;
 	msg.add_conn.inactivity = conn->inactivity;
@@ -286,6 +208,48 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
 	starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
 
+	if (!msg.add_conn.me.auth && !msg.add_conn.other.auth &&
+		 conn->authby)
+	{	/* leftauth/rightauth not set, use legacy options */
+		if (streq(conn->authby, "rsa")   || streq(conn->authby, "rsasig")   ||
+			streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
+			streq(conn->authby, "pubkey"))
+		{
+			msg.add_conn.me.auth = push_string(&msg, "pubkey");
+			msg.add_conn.other.auth = push_string(&msg, "pubkey");
+		}
+		else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
+		{
+			msg.add_conn.me.auth = push_string(&msg, "psk");
+			msg.add_conn.other.auth = push_string(&msg, "psk");
+		}
+		else if (streq(conn->authby, "xauthrsasig"))
+		{
+			msg.add_conn.me.auth = push_string(&msg, "pubkey");
+			msg.add_conn.other.auth = push_string(&msg, "pubkey");
+			if (conn->options & SA_OPTION_XAUTH_SERVER)
+			{
+				msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+			}
+			else
+			{
+				msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+			}
+		}
+		else if (streq(conn->authby, "xauthpsk"))
+		{
+			msg.add_conn.me.auth = push_string(&msg, "psk");
+			msg.add_conn.other.auth = push_string(&msg, "psk");
+			if (conn->options & SA_OPTION_XAUTH_SERVER)
+			{
+				msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+			}
+			else
+			{
+				msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+			}
+		}
+	}
 	return send_stroke_msg(&msg);
 }
 
@@ -309,6 +273,16 @@ int starter_stroke_route_conn(starter_conn_t *conn)
 	return send_stroke_msg(&msg);
 }
 
+int starter_stroke_unroute_conn(starter_conn_t *conn)
+{
+	stroke_msg_t msg;
+
+	msg.type = STR_UNROUTE;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.route.name = push_string(&msg, connection_name(conn));
+	return send_stroke_msg(&msg);
+}
+
 int starter_stroke_initiate_conn(starter_conn_t *conn)
 {
 	stroke_msg_t msg;
@@ -358,4 +332,3 @@ int starter_stroke_configure(starter_config_t *cfg)
 	}
 	return 0;
 }
-
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index f9b01c99a..126486325 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -1,5 +1,6 @@
-/* Stroke for charon is the counterpart to whack from pluto
- * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -17,12 +18,13 @@
 
 #include "confread.h"
 
-extern int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn);
-extern int starter_stroke_del_conn(starter_conn_t *conn);
-extern int starter_stroke_route_conn(starter_conn_t *conn);
-extern int starter_stroke_initiate_conn(starter_conn_t *conn);
-extern int starter_stroke_add_ca(starter_ca_t *ca);
-extern int starter_stroke_del_ca(starter_ca_t *ca);
-extern int starter_stroke_configure(starter_config_t *cfg);
+int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn);
+int starter_stroke_del_conn(starter_conn_t *conn);
+int starter_stroke_route_conn(starter_conn_t *conn);
+int starter_stroke_unroute_conn(starter_conn_t *conn);
+int starter_stroke_initiate_conn(starter_conn_t *conn);
+int starter_stroke_add_ca(starter_ca_t *ca);
+int starter_stroke_del_ca(starter_ca_t *ca);
+int starter_stroke_configure(starter_config_t *cfg);
 
 #endif /* _STARTER_STROKE_H_ */
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
deleted file mode 100644
index b7d916eae..000000000
--- a/src/starter/starterwhack.c
+++ /dev/null
@@ -1,420 +0,0 @@
-/* strongSwan whack functions to communicate with pluto (whack.c)
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <stddef.h>
-#include <unistd.h>
-#include <string.h>
-#include <errno.h>
-
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
-#include <whack.h>
-
-#include "starterwhack.h"
-#include "confread.h"
-#include "files.h"
-
-#define ip_version(string)      (strchr(string, '.') ? AF_INET : AF_INET6)
-
-static int pack_str (char **p, char **next, char **roof)
-{
-	const char *s = (*p==NULL) ? "" : *p;    /* note: NULL becomes ""! */
-	size_t len = strlen(s) + 1;
-
-	if ((*roof - *next) < len)
-	{
-		return 0;       /* not enough space */
-	}
-	else
-	{
-		strcpy(*next, s);
-		*next += len;
-		*p = NULL;   /* don't send pointers on the wire! */
-		return 1;
-	}
-}
-
-static int send_whack_msg (whack_message_t *msg)
-{
-	struct sockaddr_un ctl_addr;
-	int sock;
-	ssize_t len;
-	char *str_next, *str_roof;
-
-	ctl_addr.sun_family = AF_UNIX;
-	strcpy(ctl_addr.sun_path, PLUTO_CTL_FILE);
-
-	/* pack strings */
-	str_next = (char *)msg->string;
-	str_roof = (char *)&msg->string[sizeof(msg->string)];
-
-	if (!pack_str(&msg->name,           &str_next, &str_roof)
-	||  !pack_str(&msg->left.id,        &str_next, &str_roof)
-	||  !pack_str(&msg->left.cert,      &str_next, &str_roof)
-	||  !pack_str(&msg->left.ca,        &str_next, &str_roof)
-	||  !pack_str(&msg->left.groups,    &str_next, &str_roof)
-	||  !pack_str(&msg->left.updown,    &str_next, &str_roof)
-	||  !pack_str(&msg->left.sourceip,  &str_next, &str_roof)
-	||  !pack_str(&msg->left.virt,      &str_next, &str_roof)
-	||  !pack_str(&msg->right.id,       &str_next, &str_roof)
-	||  !pack_str(&msg->right.cert,     &str_next, &str_roof)
-	||  !pack_str(&msg->right.ca,       &str_next, &str_roof)
-	||  !pack_str(&msg->right.groups,   &str_next, &str_roof)
-	||  !pack_str(&msg->right.updown,   &str_next, &str_roof)
-	||  !pack_str(&msg->right.sourceip, &str_next, &str_roof)
-	||  !pack_str(&msg->right.virt,     &str_next, &str_roof)
-	||  !pack_str(&msg->keyid,          &str_next, &str_roof)
-	||  !pack_str(&msg->myid,           &str_next, &str_roof)
-	||  !pack_str(&msg->cacert,         &str_next, &str_roof)
-	||  !pack_str(&msg->ldaphost,       &str_next, &str_roof)
-	||  !pack_str(&msg->ldapbase,       &str_next, &str_roof)
-	||  !pack_str(&msg->crluri,         &str_next, &str_roof)
-	||  !pack_str(&msg->crluri2,        &str_next, &str_roof)
-	||  !pack_str(&msg->ocspuri,        &str_next, &str_roof)
-	||  !pack_str(&msg->ike,            &str_next, &str_roof)
-	||  !pack_str(&msg->esp,            &str_next, &str_roof)
-	||  !pack_str(&msg->sc_data,        &str_next, &str_roof)
-	||  !pack_str(&msg->whack_lease_ip, &str_next, &str_roof)
-	||  !pack_str(&msg->whack_lease_id, &str_next, &str_roof)
-	||  !pack_str(&msg->xauth_identity, &str_next, &str_roof)
-	||  (str_roof - str_next < msg->keyval.len))
-	{
-		plog("send_wack_msg(): can't pack strings");
-		return -1;
-	}
-	if (msg->keyval.ptr)
-	{
-		memcpy(str_next, msg->keyval.ptr, msg->keyval.len);
-	}
-	msg->keyval.ptr = NULL;
-	str_next += msg->keyval.len;
-	len = str_next - (char *)msg;
-
-	/* connect to pluto ctl */
-	sock = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (sock < 0)
-	{
-		plog("socket() failed: %s", strerror(errno));
-		return -1;
-	}
-	if (connect(sock, (struct sockaddr *)&ctl_addr,
-		offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
-	{
-		plog("connect(pluto_ctl) failed: %s", strerror(errno));
-		close(sock);
-		return -1;
-	}
-
-	/* send message */
-	if (write(sock, msg, len) != len)
-	{
-		plog("write(pluto_ctl) failed: %s", strerror(errno));
-		close(sock);
-		return -1;
-	}
-
-	/* TODO: read reply */
-	close(sock);
-	return 0;
-}
-
-static void init_whack_msg(whack_message_t *msg)
-{
-	memset(msg, 0, sizeof(whack_message_t));
-	msg->magic = WHACK_MAGIC;
-}
-
-static char *connection_name(starter_conn_t *conn, char *buf, size_t size)
-{
-	/* if connection name is '%auto', create a new name like conn_xxxxx */
-	if (streq(conn->name, "%auto"))
-	{
-		snprintf(buf, size, "conn_%ld", conn->id);
-		return buf;
-	}
-	return conn->name;
-}
-
-static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
-	w->id                  = end->id;
-	w->cert                = end->cert;
-	w->ca                  = end->ca;
-	w->groups              = end->groups;
-	w->host_addr           = end->addr;
-	w->has_client          = end->has_client;
-	w->sourceip            = end->sourceip;
-	w->sourceip_mask       = end->sourceip_mask;
-
-	if (end->sourceip && end->sourceip_mask > 0)
-	{
-		ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip);
-		w->has_srcip = !end->has_natip;
-	}
-	else
-	{
-		anyaddr(AF_INET, &w->host_srcip);
-	}
-
-	if (family == AF_INET6 && isanyaddr(&end->nexthop))
-	{
-		anyaddr(AF_INET6, &end->nexthop);
-	}
-	w->host_nexthop        = end->nexthop;
-
-	if (w->has_client)
-	{
-		char *pos;
-		int len = 0;
-
-		pos = strchr(end->subnet, ',');
-		if (pos)
-		{
-			len = pos - end->subnet;
-		}
-		ttosubnet(end->subnet, len, ip_version(end->subnet), &w->client);
-	}
-	else
-	{
-		if (end->has_virt)
-		{
-			w->virt = end->subnet;
-		}
-		w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);
-	}
-
-	w->has_client_wildcard = end->has_client_wildcard;
-	w->has_port_wildcard   = end->has_port_wildcard;
-	w->has_natip           = end->has_natip;
-	w->allow_any           = end->allow_any && !end->dns_failed;
-	w->modecfg             = end->modecfg;
-	w->hostaccess          = end->hostaccess;
-	w->sendcert            = end->sendcert;
-	w->updown              = end->updown;
-	w->host_port           = IKE_UDP_PORT;
-	w->port                = end->port;
-	w->protocol            = end->protocol;
-
-	if (w->port != 0)
-	{
-		int port = htons(w->port);
-
-		setportof(port, &w->host_addr);
-		setportof(port, &w->client.addr);
-	}
-}
-
-static int
-starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
-, const char *lr)
-{
-	const char *err;
-	static char keyspace[1024 + 4];
-	char buf[ADDRTOT_BUF], name[32];
-	whack_message_t msg;
-
-	init_whack_msg(&msg);
-	connection_name(conn, name, sizeof(name));
-
-	msg.whack_key = TRUE;
-	msg.pubkey_alg = PUBKEY_ALG_RSA;
-	if (end->rsakey)
-	{
-		/* special values to ignore */
-		if (streq(end->rsakey, "")
-		||  streq(end->rsakey, "%none")
-		||  streq(end->rsakey, "%cert")
-		||  streq(end->rsakey, "0x00"))
-		{
-			return 0;
-		}
-		err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
-		if (err)
-		{
-			plog("conn %s/%s: rsakey malformed [%s]", name, lr, err);
-			return 1;
-		}
-		if (end->id)
-		{
-			msg.keyid = end->id;
-		}
-		else
-		{
-			addrtot(&end->addr, 0, buf, sizeof(buf));
-			msg.keyid = buf;
-		}
-		msg.keyval.ptr = keyspace;
-		return send_whack_msg(&msg);
-	}
-	return 0;
-}
-
-int starter_whack_add_conn(starter_conn_t *conn)
-{
-	char esp_buf[256], name[32];
-	whack_message_t msg;
-	int r;
-
-	init_whack_msg(&msg);
-
-	msg.whack_connection = TRUE;
-	msg.name = connection_name(conn, name, sizeof(name));
-
-	msg.ikev1                 = conn->keyexchange == KEY_EXCHANGE_IKEV1;
-	msg.addr_family           = conn->addr_family;
-	msg.tunnel_addr_family    = conn->tunnel_addr_family;
-	msg.sa_ike_life_seconds   = conn->sa_ike_life_seconds;
-	msg.sa_ipsec_life_seconds = conn->sa_ipsec_life_seconds;
-	msg.sa_rekey_margin       = conn->sa_rekey_margin;
-	msg.sa_rekey_fuzz         = conn->sa_rekey_fuzz;
-	msg.sa_keying_tries       = conn->sa_keying_tries;
-	msg.policy                = conn->policy;
-	msg.xauth_identity        = conn->xauth_identity;
-	msg.reqid                 = conn->reqid;
-	msg.mark_in.value         = conn->mark_in.value;
-	msg.mark_in.mask          = conn->mark_in.mask;
-	msg.mark_out.value        = conn->mark_out.value;
-	msg.mark_out.mask         = conn->mark_out.mask;
-
-	/*
-	 * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
-	 */
-	msg.policy &= ~POLICY_DONT_REAUTH;
-	msg.policy &= ~POLICY_BEET;
-	msg.policy &= ~POLICY_MOBIKE;
-	msg.policy &= ~POLICY_FORCE_ENCAP;
-
-	set_whack_end(&msg.left, &conn->left, conn->addr_family);
-	set_whack_end(&msg.right, &conn->right, conn->addr_family);
-
-	msg.esp = conn->esp;
-	msg.ike = conn->ike;
-	msg.pfsgroup = conn->pfsgroup;
-
-	/* taken from pluto/whack.c */
-	if (msg.pfsgroup)
-	{
-		snprintf(esp_buf, sizeof (esp_buf), "%s;%s"
-				   , msg.esp ? msg.esp : ""
-				   , msg.pfsgroup ? msg.pfsgroup : "");
-		msg.esp = esp_buf;
-
-		DBG(DBG_CONTROL,
-			DBG_log("Setting --esp=%s", msg.esp)
-		)
-	}
-	msg.dpd_delay   = conn->dpd_delay;
-	msg.dpd_timeout = conn->dpd_timeout;
-	msg.dpd_action  = conn->dpd_action;
-/*  msg.dpd_count = conn->dpd_count; not supported yet by strongSwan */
-
-	r =  send_whack_msg(&msg);
-
-	if (r == 0 && (conn->policy & POLICY_PUBKEY))
-	{
-		r += starter_whack_add_pubkey (conn, &conn->left, "left");
-		r += starter_whack_add_pubkey (conn, &conn->right, "right");
-	}
-
-	return r;
-}
-
-int starter_whack_del_conn(starter_conn_t *conn)
-{
-	char name[32];
-	whack_message_t msg;
-
-	init_whack_msg(&msg);
-	msg.whack_delete = TRUE;
-	msg.name = connection_name(conn, name, sizeof(name));
-	return send_whack_msg(&msg);
-}
-
-int starter_whack_route_conn(starter_conn_t *conn)
-{
-	char name[32];
-	whack_message_t msg;
-
-	init_whack_msg(&msg);
-	msg.whack_route = TRUE;
-	msg.name = connection_name(conn, name, sizeof(name));
-	return send_whack_msg(&msg);
-}
-
-int starter_whack_initiate_conn(starter_conn_t *conn)
-{
-	char name[32];
-	whack_message_t msg;
-
-	init_whack_msg(&msg);
-	msg.whack_initiate = TRUE;
-	msg.whack_async = TRUE;
-	msg.name = connection_name(conn, name, sizeof(name));
-	return send_whack_msg(&msg);
-}
-
-int starter_whack_listen(void)
-{
-	whack_message_t msg;
-	init_whack_msg(&msg);
-	msg.whack_listen = TRUE;
-	return send_whack_msg(&msg);
-}
-
-int starter_whack_shutdown(void)
-{
-	whack_message_t msg;
-
-	init_whack_msg(&msg);
-	msg.whack_shutdown = TRUE;
-	return send_whack_msg(&msg);
-}
-
-int starter_whack_add_ca(starter_ca_t *ca)
-{
-	whack_message_t msg;
-
-	init_whack_msg(&msg);
-
-	msg.whack_ca     = TRUE;
-	msg.name         = ca->name;
-	msg.cacert       = ca->cacert;
-	msg.ldaphost     = ca->ldaphost;
-	msg.ldapbase     = ca->ldapbase;
-	msg.crluri       = ca->crluri;
-	msg.crluri2      = ca->crluri2;
-	msg.ocspuri      = ca->ocspuri;
-	msg.whack_strict = ca->strict;
-
-	return send_whack_msg(&msg);
-}
-
-int starter_whack_del_ca(starter_ca_t *ca)
-{
-	whack_message_t msg;
-
-	init_whack_msg(&msg);
-
-	msg.whack_delete = TRUE;
-	msg.whack_ca     = TRUE;
-	msg.name         = ca->name;
-
-	return send_whack_msg(&msg);
-}
diff --git a/src/starter/starterwhack.h b/src/starter/starterwhack.h
deleted file mode 100644
index d56b02421..000000000
--- a/src/starter/starterwhack.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/* FreeS/WAN whack functions to communicate with pluto (whack.h)
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_WHACK_H_
-#define _STARTER_WHACK_H_
-
-#include "confread.h"
-
-extern int starter_whack_add_conn(starter_conn_t *conn);
-extern int starter_whack_del_conn(starter_conn_t *conn);
-extern int starter_whack_route_conn(starter_conn_t *conn);
-extern int starter_whack_initiate_conn(starter_conn_t *conn);
-extern int starter_whack_listen(void);
-extern int starter_whack_shutdown(void);
-extern int starter_whack_add_ca(starter_ca_t *ca);
-extern int starter_whack_del_ca(starter_ca_t *ca);
-
-#endif /* _STARTER_WHACK_H_ */
-
diff --git a/src/stroke/Android.mk b/src/stroke/Android.mk
index 69b3e54ca..320314c4d 100644
--- a/src/stroke/Android.mk
+++ b/src/stroke/Android.mk
@@ -2,9 +2,11 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 
 # copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
+stroke_SOURCES := \
 stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 
+LOCAL_SRC_FILES := $(filter %.c,$(stroke_SOURCES))
+
 # build stroke -----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am
index f93680b64..ed170bd08 100644
--- a/src/stroke/Makefile.am
+++ b/src/stroke/Makefile.am
@@ -4,11 +4,13 @@ stroke_SOURCES = \
 stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 
 stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt Android.mk
 BUILT_SOURCES = stroke_keywords.c
 MAINTAINERCLEANFILES = stroke_keywords.c
-AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_PIDDIR=\"${piddir}\"
 
 stroke_keywords.c:	$(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 946bacc20..21f9349cd 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -46,10 +63,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 am__installdirs = "$(DESTDIR)$(ipsecdir)"
@@ -60,42 +78,70 @@ am__DEPENDENCIES_1 =
 stroke_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
 SOURCES = $(stroke_SOURCES)
 DIST_SOURCES = $(stroke_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -104,13 +150,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -123,6 +172,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -150,11 +200,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -162,6 +214,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -170,8 +223,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -180,14 +231,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -201,17 +257,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -221,16 +277,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -262,11 +317,13 @@ stroke_SOURCES = \
 stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 
 stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt Android.mk
 BUILT_SOURCES = stroke_keywords.c
 MAINTAINERCLEANFILES = stroke_keywords.c
-AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-DIPSEC_PIDDIR=\"${piddir}\"
+
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
@@ -304,8 +361,11 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
 	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
 	while read p p1; do if test -f $$p || test -f $$p1; \
@@ -345,9 +405,9 @@ clean-ipsecPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES) 
+stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES) $(EXTRA_stroke_DEPENDENCIES) 
 	@rm -f stroke$(EXEEXT)
-	$(LINK) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -359,25 +419,25 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_keywords.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -486,10 +546,15 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
@@ -592,6 +657,7 @@ uninstall-am: uninstall-ipsecPROGRAMS
 
 
 stroke_keywords.c:	$(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
+		$(AM_V_GEN) \
 		$(GPERF) -m 10 -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index bb299567b..75f014516 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -36,6 +36,8 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
+static int output_verbosity = 1; /* CONTROL */
+
 static char* push_string(stroke_msg_t *msg, char *string)
 {
 	unsigned long string_start = msg->length;
@@ -61,7 +63,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
 	ctl_addr.sun_family = AF_UNIX;
 	strcpy(ctl_addr.sun_path, STROKE_SOCKET);
 
-	msg->output_verbosity = 1; /* CONTROL */
+	msg->output_verbosity = output_verbosity;
 
 	sock = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (sock < 0)
@@ -91,11 +93,11 @@ static int send_stroke_msg (stroke_msg_t *msg)
 
 		/* we prompt if we receive a magic keyword */
 		if ((byte_count >= 12 &&
-			 strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0) ||
+			 streq(buffer + byte_count - 12, "Passphrase:\n")) ||
 			(byte_count >= 10 &&
-			 strcmp(buffer + byte_count - 10, "Password:\n") == 0) ||
+			 streq(buffer + byte_count - 10, "Password:\n")) ||
 			(byte_count >= 5 &&
-			 strcmp(buffer + byte_count - 5, "PIN:\n") == 0))
+			 streq(buffer + byte_count - 5, "PIN:\n")))
 		{
 			/* remove trailing newline */
 			pass = strrchr(buffer, '\n');
@@ -140,23 +142,25 @@ static int add_connection(char *name,
 	msg.type = STR_ADD_CONN;
 
 	msg.add_conn.name = push_string(&msg, name);
-	msg.add_conn.ikev2 = 1;
-	msg.add_conn.auth_method = 2;
+	msg.add_conn.version = 2;
 	msg.add_conn.mode = 1;
 	msg.add_conn.mobike = 1;
 	msg.add_conn.dpd.action = 1;
+	msg.add_conn.install_policy = 1;
 
 	msg.add_conn.me.id = push_string(&msg, my_id);
 	msg.add_conn.me.address = push_string(&msg, my_addr);
 	msg.add_conn.me.ikeport = 500;
 	msg.add_conn.me.subnets = push_string(&msg, my_nets);
 	msg.add_conn.me.sendcert = 1;
+	msg.add_conn.me.to_port = 65535;
 
 	msg.add_conn.other.id = push_string(&msg, other_id);
 	msg.add_conn.other.address = push_string(&msg, other_addr);
 	msg.add_conn.other.ikeport = 500;
 	msg.add_conn.other.subnets = push_string(&msg, other_nets);
 	msg.add_conn.other.sendcert = 1;
+	msg.add_conn.other.to_port = 65535;
 
 	return send_stroke_msg(&msg);
 }
@@ -319,6 +323,8 @@ static int purge(stroke_keyword_t kw)
 
 static int export_flags[] = {
 	EXPORT_X509,
+	EXPORT_CONN_CERT,
+	EXPORT_CONN_CHAIN,
 };
 
 static int export(stroke_keyword_t kw, char *selector)
@@ -364,6 +370,17 @@ static int user_credentials(char *name, char *user, char *pass)
 	return send_stroke_msg(&msg);
 }
 
+static int counters(int reset, char *name)
+{
+	stroke_msg_t msg;
+
+	msg.type = STR_COUNTERS;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.counters.name = push_string(&msg, name);
+	msg.counters.reset = reset;
+
+	return send_stroke_msg(&msg);
+}
 
 static int set_loglevel(char *type, u_int level)
 {
@@ -390,7 +407,7 @@ static void exit_usage(char *error)
 	printf("Usage:\n");
 	printf("  Add a connection:\n");
 	printf("    stroke add NAME MY_ID OTHER_ID MY_ADDR OTHER_ADDR\\\n");
-	printf("           MY_NET OTHER_NET MY_NETBITS OTHER_NETBITS\n");
+	printf("           MY_NET OTHER_NET\n");
 	printf("    where: ID is any IKEv2 ID \n");
 	printf("           ADDR is a IPv4 address\n");
 	printf("           NET is a IPv4 subnet in CIDR notation\n");
@@ -400,22 +417,28 @@ static void exit_usage(char *error)
 	printf("  Initiate a connection:\n");
 	printf("    stroke up NAME\n");
 	printf("    where: NAME is a connection name added with \"stroke add\"\n");
+	printf("  Initiate a connection without blocking:\n");
+	printf("    stroke up-nb NAME\n");
+	printf("    where: NAME is a connection name added with \"stroke add\"\n");
 	printf("  Terminate a connection:\n");
 	printf("    stroke down NAME\n");
 	printf("    where: NAME is a connection name added with \"stroke add\"\n");
+	printf("  Terminate a connection without blocking:\n");
+	printf("    stroke down-nb NAME\n");
+	printf("    where: NAME is a connection name added with \"stroke add\"\n");
 	printf("  Terminate a connection by remote srcip:\n");
 	printf("    stroke down-srcip START [END]\n");
 	printf("    where: START and optional END define the clients source IP\n");
 	printf("  Set loglevel for a logging type:\n");
 	printf("    stroke loglevel TYPE LEVEL\n");
-	printf("    where: TYPE is any|dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|tnc|imc|imv|pts|tls|lib\n");
+	printf("    where: TYPE is any|dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|tnc|imc|imv|pts|tls|esp|lib\n");
 	printf("           LEVEL is -1|0|1|2|3|4\n");
 	printf("  Show connection status:\n");
 	printf("    stroke status\n");
 	printf("  Show extended status information:\n");
 	printf("    stroke statusall\n");
 	printf("  Show extended status information without blocking:\n");
-	printf("    stroke statusallnb\n");
+	printf("    stroke statusall-nb\n");
 	printf("  Show list of authority and attribute certificates:\n");
 	printf("    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
 	printf("  Show list of end entity certificates, ca info records  and crls:\n");
@@ -436,6 +459,8 @@ static void exit_usage(char *error)
 	printf("    stroke purgeike\n");
 	printf("  Export credentials to the console:\n");
 	printf("    stroke exportx509 DN\n");
+	printf("    stroke exportconncert connname\n");
+	printf("    stroke exportconnchain connname\n");
 	printf("  Show current memory usage:\n");
 	printf("    stroke memusage\n");
 	printf("  Show leases of a pool:\n");
@@ -445,6 +470,8 @@ static void exit_usage(char *error)
 	printf("    where: NAME is a connection name added with \"stroke add\"\n");
 	printf("           USERNAME is the username\n");
 	printf("           PASSWORD is the optional password, you'll be asked to enter it if not given\n");
+	printf("  Show IKE counters:\n");
+	printf("    stroke listcounters [connection-name]\n");
 	exit_error(error);
 }
 
@@ -471,7 +498,7 @@ int main(int argc, char *argv[])
 	switch (token->kw)
 	{
 		case STROKE_ADD:
-			if (argc < 11)
+			if (argc < 9)
 			{
 				exit_usage("\"add\" needs more parameters...");
 			}
@@ -488,6 +515,9 @@ int main(int argc, char *argv[])
 			}
 			res = del_connection(argv[2]);
 			break;
+		case STROKE_UP_NOBLK:
+			output_verbosity = -1;
+			/* fall-through */
 		case STROKE_UP:
 			if (argc < 3)
 			{
@@ -495,6 +525,9 @@ int main(int argc, char *argv[])
 			}
 			res = initiate_connection(argv[2]);
 			break;
+		case STROKE_DOWN_NOBLK:
+			output_verbosity = -1;
+			/* fall-through */
 		case STROKE_DOWN:
 			if (argc < 3)
 			{
@@ -554,7 +587,7 @@ int main(int argc, char *argv[])
 		case STROKE_LIST_ALGS:
 		case STROKE_LIST_PLUGINS:
 		case STROKE_LIST_ALL:
-			res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
+			res = list(token->kw, argc > 2 && streq(argv[2], "--utc"));
 			break;
 		case STROKE_REREAD_SECRETS:
 		case STROKE_REREAD_CACERTS:
@@ -572,9 +605,11 @@ int main(int argc, char *argv[])
 			res = purge(token->kw);
 			break;
 		case STROKE_EXPORT_X509:
+		case STROKE_EXPORT_CONN_CERT:
+		case STROKE_EXPORT_CONN_CHAIN:
 			if (argc != 3)
 			{
-				exit_usage("\"exportx509\" needs a distinguished name");
+				exit_usage("\"export\" needs a name");
 			}
 			res = export(token->kw, argv[2]);
 			break;
@@ -593,6 +628,11 @@ int main(int argc, char *argv[])
 			}
 			res = user_credentials(argv[2], argv[3], argc > 4 ? argv[4] : NULL);
 			break;
+		case STROKE_COUNTERS:
+		case STROKE_COUNTERS_RESET:
+			res = counters(token->kw == STROKE_COUNTERS_RESET,
+						   argc > 2 ? argv[2] : NULL);
+			break;
 		default:
 			exit_usage(NULL);
 	}
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index b5ca2e143..ed0c4ceb4 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,12 +54,12 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 41
+#define TOTAL_KEYWORDS 48
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
-#define MIN_HASH_VALUE 2
-#define MAX_HASH_VALUE 44
-/* maximum key range = 43, duplicates = 0 */
+#define MIN_HASH_VALUE 3
+#define MAX_HASH_VALUE 59
+/* maximum key range = 57, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 15, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45,  0, 30,  1,
-       1, 15, 45, 15, 45, 30, 45, 13,  0,  0,
-      45,  9,  3, 45,  6, 18,  1,  0, 45, 45,
-       5,  0, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45, 45, 45, 45, 45,
-      45, 45, 45, 45, 45, 45
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 25, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60,  0, 18,  1,
+       1, 15, 60, 23, 60, 23, 60, 11,  0,  7,
+      60, 24, 14, 60,  6,  9, 16,  9, 60, 60,
+       2,  3, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60, 60, 60, 60, 60,
+      60, 60, 60, 60, 60, 60
     };
   register int hval = len;
 
@@ -125,17 +125,15 @@ hash (str, len)
 
 static const struct stroke_token wordlist[] =
   {
-    {"up",              STROKE_UP},
     {"add",             STROKE_ADD},
     {"del",             STROKE_DEL},
     {"down",            STROKE_DOWN},
     {"listall",         STROKE_LIST_ALL},
-    {"delete",          STROKE_DELETE},
     {"listcrls",        STROKE_LIST_CRLS},
-    {"rekey",           STROKE_REKEY},
+    {"up",              STROKE_UP},
     {"listaacerts",     STROKE_LIST_AACERTS},
     {"listcacerts",     STROKE_LIST_CACERTS},
-    {"listplugins",     STROKE_LIST_PLUGINS},
+    {"rekey",           STROKE_REKEY},
     {"rereadall",       STROKE_REREAD_ALL},
     {"listcerts",       STROKE_LIST_CERTS},
     {"rereadcrls",      STROKE_REREAD_CRLS},
@@ -143,37 +141,47 @@ static const struct stroke_token wordlist[] =
     {"rereadaacerts",   STROKE_REREAD_AACERTS},
     {"rereadcacerts",   STROKE_REREAD_CACERTS},
     {"leases",          STROKE_LEASES},
-    {"unroute",         STROKE_UNROUTE},
-    {"listalgs",        STROKE_LIST_ALGS},
+    {"listcounters",    STROKE_COUNTERS},
+    {"delete",          STROKE_DELETE},
     {"status",          STROKE_STATUS},
     {"listacerts",      STROKE_LIST_ACERTS},
     {"route",           STROKE_ROUTE},
     {"statusall",       STROKE_STATUSALL},
-    {"purgeocsp",       STROKE_PURGE_OCSP},
+    {"rereadsecrets",   STROKE_REREAD_SECRETS},
     {"statusallnb",     STROKE_STATUSALL_NOBLK},
-    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
-    {"user-creds",      STROKE_USER_CREDS},
-    {"down-srcip",      STROKE_DOWN_SRCIP},
-    {"purgecrls",       STROKE_PURGE_CRLS},
-    {"listgroups",      STROKE_LIST_GROUPS},
-    {"listocsp",        STROKE_LIST_OCSP},
+    {"statusall-nb",    STROKE_STATUSALL_NOBLK},
+    {"listalgs",        STROKE_LIST_ALGS},
+    {"up-nb",           STROKE_UP_NOBLK},
     {"exportx509",      STROKE_EXPORT_X509},
-    {"rereadsecrets",   STROKE_REREAD_SECRETS},
+    {"listplugins",     STROKE_LIST_PLUGINS},
+    {"listcainfos",     STROKE_LIST_CAINFOS},
+    {"exportconncert",  STROKE_EXPORT_CONN_CERT},
+    {"exportconnchain", STROKE_EXPORT_CONN_CHAIN},
     {"loglevel",        STROKE_LOGLEVEL},
-    {"purgeike",        STROKE_PURGE_IKE},
+    {"purgeocsp",       STROKE_PURGE_OCSP},
+    {"unroute",         STROKE_UNROUTE},
+    {"listocsp",        STROKE_LIST_OCSP},
+    {"down-srcip",      STROKE_DOWN_SRCIP},
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
+    {"purgecrls",       STROKE_PURGE_CRLS},
+    {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
     {"listocspcerts",   STROKE_LIST_OCSPCERTS},
     {"memusage",        STROKE_MEMUSAGE},
-    {"listcainfos",     STROKE_LIST_CAINFOS},
+    {"purgeike",        STROKE_PURGE_IKE},
+    {"user-creds",      STROKE_USER_CREDS},
+    {"down-nb",         STROKE_DOWN_NOBLK},
     {"purgecerts",      STROKE_PURGE_CERTS},
-    {"listpubkeys",     STROKE_LIST_PUBKEYS}
+    {"listgroups",      STROKE_LIST_GROUPS},
+    {"resetcounters",   STROKE_COUNTERS_RESET}
   };
 
 static const short lookup[] =
   {
-    -1, -1,  0,  1,  2,  3, -1,  4,  5,  6, -1,  7,  8,  9,
-    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
-    24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37,
-    38, 39, 40
+    -1, -1, -1,  0,  1,  2, -1,  3, -1,  4, -1,  5,  6,  7,
+     8,  9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
+    22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35,
+    36, 37, 38, 39, 40, 41, 42, -1, 43, 44, -1, -1, 45, -1,
+    -1, 46, -1, 47
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 554d071f3..4a1016277 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -23,7 +23,9 @@ typedef enum {
 	STROKE_ROUTE,
 	STROKE_UNROUTE,
 	STROKE_UP,
+	STROKE_UP_NOBLK,
 	STROKE_DOWN,
+	STROKE_DOWN_NOBLK,
 	STROKE_DOWN_SRCIP,
 	STROKE_REKEY,
 	STROKE_LOGLEVEL,
@@ -55,9 +57,13 @@ typedef enum {
 	STROKE_PURGE_CERTS,
 	STROKE_PURGE_IKE,
 	STROKE_EXPORT_X509,
+	STROKE_EXPORT_CONN_CERT,
+	STROKE_EXPORT_CONN_CHAIN,
 	STROKE_LEASES,
 	STROKE_MEMUSAGE,
 	STROKE_USER_CREDS,
+	STROKE_COUNTERS,
+	STROKE_COUNTERS_RESET,
 } stroke_keyword_t;
 
 #define STROKE_LIST_FIRST		STROKE_LIST_PUBKEYS
@@ -70,4 +76,3 @@ typedef struct stroke_token stroke_token_t;
 extern const stroke_token_t* in_word_set(register const char *str, register unsigned int len);
 
 #endif /* _STROKE_KEYWORDS_H_ */
-
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 1d7ab8a45..ceb0dd253 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -30,13 +30,16 @@ delete,          STROKE_DELETE
 route,           STROKE_ROUTE
 unroute,         STROKE_UNROUTE
 up,              STROKE_UP
+up-nb,           STROKE_UP_NOBLK
 down,            STROKE_DOWN
+down-nb,         STROKE_DOWN_NOBLK
 down-srcip,      STROKE_DOWN_SRCIP
 rekey,           STROKE_REKEY
 loglevel,        STROKE_LOGLEVEL
 status,          STROKE_STATUS
 statusall,       STROKE_STATUSALL
 statusallnb,     STROKE_STATUSALL_NOBLK
+statusall-nb,    STROKE_STATUSALL_NOBLK
 listpubkeys,     STROKE_LIST_PUBKEYS
 listcerts,       STROKE_LIST_CERTS
 listcacerts,     STROKE_LIST_CACERTS
@@ -62,6 +65,10 @@ purgecrls,       STROKE_PURGE_CRLS
 purgecerts,      STROKE_PURGE_CERTS
 purgeike,        STROKE_PURGE_IKE
 exportx509,      STROKE_EXPORT_X509
+exportconncert,  STROKE_EXPORT_CONN_CERT
+exportconnchain, STROKE_EXPORT_CONN_CHAIN
 leases,          STROKE_LEASES
 memusage,        STROKE_MEMUSAGE
 user-creds,      STROKE_USER_CREDS
+listcounters,    STROKE_COUNTERS
+resetcounters,   STROKE_COUNTERS_RESET
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 434122511..a4dfc5e7a 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -123,6 +123,10 @@ typedef enum export_flag_t export_flag_t;
 enum export_flag_t {
 	/** export an X509 certificate */
 	EXPORT_X509 =		0x0001,
+	/** export an X509 end entity certificate for a connection */
+	EXPORT_CONN_CERT =	0x0002,
+	/** export the complete trust chain of a connection */
+	EXPORT_CONN_CHAIN =	0x0004,
 };
 
 /**
@@ -152,18 +156,21 @@ struct stroke_end_t {
 	char *ca;
 	char *ca2;
 	char *groups;
+	char *groups2;
 	char *cert_policy;
 	char *updown;
 	char *address;
 	u_int16_t ikeport;
 	char *sourceip;
-	int sourceip_mask;
+	char *dns;
 	char *subnets;
 	int sendcert;
 	int hostaccess;
 	int tohost;
+	int allow_any;
 	u_int8_t protocol;
-	u_int16_t port;
+	u_int16_t from_port;
+	u_int16_t to_port;
 };
 
 typedef struct stroke_msg_t stroke_msg_t;
@@ -221,6 +228,8 @@ struct stroke_msg_t {
 		STR_MEMUSAGE,
 		/* set username and password for a connection */
 		STR_USER_CREDS,
+		/* print/reset counters */
+		STR_COUNTERS,
 		/* more to come */
 	} type;
 
@@ -242,16 +251,15 @@ struct stroke_msg_t {
 		/* data for STR_ADD_CONN */
 		struct {
 			char *name;
-			int ikev2;
-			/* next three are deprecated, use stroke_end_t.auth instead */
-			int auth_method;
-			u_int32_t eap_type;
-			u_int32_t eap_vendor;
+			int version;
 			char *eap_identity;
 			char *aaa_identity;
+			char *xauth_identity;
 			int mode;
 			int mobike;
+			int aggressive;
 			int force_encap;
+			int fragmentation;
 			int ipcomp;
 			time_t inactivity;
 			int proxy_mode;
@@ -259,6 +267,7 @@ struct stroke_msg_t {
 			int close_action;
 			u_int32_t reqid;
 			u_int32_t tfc;
+			u_int8_t ikedscp;
 
 			crl_policy_t crl_policy;
 			int unique;
@@ -280,6 +289,7 @@ struct stroke_msg_t {
 			} rekey;
 			struct {
 				time_t delay;
+				time_t timeout;
 				int action;
 			} dpd;
 			struct {
@@ -350,6 +360,13 @@ struct stroke_msg_t {
 			char *username;
 			char *password;
 		} user_creds;
+
+		/* data for STR_COUNTERS */
+		struct {
+			/* reset or print counters? */
+			int reset;
+			char *name;
+		} counters;
 	};
 	char buffer[STROKE_BUF_LEN];
 };
diff --git a/src/whack/Android.mk b/src/whack/Android.mk
deleted file mode 100644
index bf5ec0e98..000000000
--- a/src/whack/Android.mk
+++ /dev/null
@@ -1,30 +0,0 @@
-LOCAL_PATH := $(call my-dir)
-include $(CLEAR_VARS)
-
-# copy-n-paste from Makefile.am
-LOCAL_SRC_FILES := \
-whack.c whack.h
-
-# build whack ------------------------------------------------------------------
-
-LOCAL_C_INCLUDES += \
-	$(libvstr_PATH) \
-	$(strongswan_PATH)/src/libstrongswan \
-	$(strongswan_PATH)/src/libfreeswan \
-	$(strongswan_PATH)/src/libhydra \
-	$(strongswan_PATH)/src/pluto
-
-LOCAL_CFLAGS := $(strongswan_CFLAGS)
-
-LOCAL_MODULE := whack
-
-LOCAL_MODULE_TAGS := optional
-
-LOCAL_ARM_MODE := arm
-
-LOCAL_PRELINK_MODULE := false
-
-LOCAL_SHARED_LIBRARIES += libstrongswan libfreeswan
-
-include $(BUILD_EXECUTABLE)
-
diff --git a/src/whack/Makefile.am b/src/whack/Makefile.am
deleted file mode 100644
index 23374475e..000000000
--- a/src/whack/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-ipsec_PROGRAMS = whack
-
-whack_SOURCES = \
-whack.c whack.h
-
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto
-
-whack_LDADD = \
-$(top_builddir)/src/libstrongswan/libstrongswan.la \
-$(top_builddir)/src/libfreeswan/libfreeswan.a
-
-AM_CFLAGS = -DDEBUG -DIPSEC_PIDDIR=\"${piddir}\"
-
-EXTRA_DIST = Android.mk
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
deleted file mode 100644
index fd768e995..000000000
--- a/src/whack/Makefile.in
+++ /dev/null
@@ -1,595 +0,0 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-ipsec_PROGRAMS = whack$(EXEEXT)
-subdir = src/whack
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)"
-PROGRAMS = $(ipsec_PROGRAMS)
-am_whack_OBJECTS = whack.$(OBJEXT)
-whack_OBJECTS = $(am_whack_OBJECTS)
-whack_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libfreeswan/libfreeswan.a
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
-SOURCES = $(whack_SOURCES)
-DIST_SOURCES = $(whack_SOURCES)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GPERF = @GPERF@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PTHREADLIB = @PTHREADLIB@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-clearsilver_LIBS = @clearsilver_LIBS@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-whack_SOURCES = \
-whack.c whack.h
-
-INCLUDES = \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto
-
-whack_LDADD = \
-$(top_builddir)/src/libstrongswan/libstrongswan.la \
-$(top_builddir)/src/libfreeswan/libfreeswan.a
-
-AM_CFLAGS = -DDEBUG -DIPSEC_PIDDIR=\"${piddir}\"
-EXTRA_DIST = Android.mk
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/whack/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/whack/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p || test -f $$p1; \
-	  then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-ipsecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' `; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
-
-clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-whack$(EXEEXT): $(whack_OBJECTS) $(whack_DEPENDENCIES) 
-	@rm -f whack$(EXEEXT)
-	$(LINK) $(whack_OBJECTS) $(whack_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whack.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	set x; \
-	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(PROGRAMS)
-installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
-	mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-ipsecPROGRAMS
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-ipsecPROGRAMS
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
-	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/whack/whack.c b/src/whack/whack.c
deleted file mode 100644
index a7945d6d8..000000000
--- a/src/whack/whack.c
+++ /dev/null
@@ -1,1959 +0,0 @@
-/* command interface to Pluto
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <getopt.h>
-#include <assert.h>
-
-#include <freeswan.h>
-
-#include <utils/optionsfrom.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "whack.h"
-
-static void help(void)
-{
-	fprintf(stderr
-		, "Usage:\n\n"
-		"all forms:"
-			" [--optionsfrom <filename>]"
-			" [--ctlbase <path>]"
-			" [--label <string>]"
-			"\n\n"
-		"help: whack"
-			" [--help]"
-			" [--version]"
-			"\n\n"
-		"connection: whack"
-			" --name <connection_name>"
-			" \\\n   "
-			" [--ipv4 | --ipv6]"
-			" [--tunnelipv4 | --tunnelipv6]"
-			" \\\n   "
-			" (--host <ip-address> | --id <identity>)"
-			" \\\n   "
-			" [--cert <path>]"
-			" [--ca <distinguished name>]"
-			" [--sendcert <policy>]"
-			" \\\n   "
-			" [--groups <access control groups>]"
-			" \\\n   "
-			" [--ikeport <port-number>]"
-			" [--nexthop <ip-address>]"
-			" [--srcip <ip-address>]"
-			" \\\n   "
-			" [--client <subnet> | --clientwithin <address range>]"
-			" [--clientprotoport <protocol>/<port>]"
-			" \\\n   "
-			" [--dnskeyondemand]"
-			" [--updown <updown>]"
-			" \\\n   "
-			" --to"
-			" (--host <ip-address> | --id <identity>)"
-			" \\\n   "
-			" [--cert <path>]"
-			" [--ca <distinguished name>]"
-			" [--sendcert <policy>]"
-			" \\\n   "
-			" [--ikeport <port-number>]"
-			" [--nexthop <ip-address>]"
-			" [--srcip <ip-address>]"
-			" \\\n   "
-			" [--client <subnet> | --clientwithin <address range>]"
-			" [--clientprotoport <protocol>/<port>]"
-			" \\\n   "
-			" [--dnskeyondemand]"
-			" [--updown <updown>]"
-			" [--psk]"
-			" [--rsasig]"
-			" \\\n   "
-			" [--encrypt]"
-			" [--authenticate]"
-			" [--compress]"
-			" [--tunnel]"
-			" [--pfs]"
-			" \\\n   "
-			" [--ikelifetime <seconds>]"
-			" [--ipseclifetime <seconds>]"
-			" \\\n   "
-			" [--reykeymargin <seconds>]"
-			" [--reykeyfuzz <percentage>]"
-			" \\\n   "
-			" [--keyingtries <count>]"
-			" \\\n   "
-			" [--esp <esp-algos>]"
-			" \\\n   "
-			" [--dontrekey]"
-
-			" [--dpdaction (none|clear|hold|restart)]"
-			" \\\n   "
-			" [--dpddelay <seconds> --dpdtimeout <seconds>]"
-			" \\\n   "
-			" [--initiateontraffic|--pass|--drop|--reject]"
-			" \\\n   "
-			" [--failnone|--failpass|--faildrop|--failreject]"
-			"\n\n"
-		"routing: whack"
-			" (--route | --unroute)"
-			" --name <connection_name>"
-			"\n\n"
-		"initiation:"
-			"\n "
-			" whack"
-			" (--initiate | --terminate)"
-			" --name <connection_name>"
-			" [--asynchronous]"
-			"\n\n"
-		"opportunistic initiation: whack"
-			" [--tunnelipv4 | --tunnelipv6]"
-			" \\\n   "
-			" --oppohere <ip-address>"
-			" --oppothere <ip-address>"
-			"\n\n"
-		"delete: whack"
-			" --delete"
-			" (--name <connection_name> | --caname <ca name>)"
-			"\n\n"
-		"deletestate: whack"
-			" --deletestate <state_object_number>"
-			" --crash <ip-address>"
-			"\n\n"
-		"pubkey: whack"
-			" --keyid <id>"
-			" [--addkey]"
-			" [--pubkeyrsa <key>]"
-			"\n\n"
-		"myid: whack"
-			" --myid <id>"
-			"\n\n"
-		"ca: whack"
-			" --caname <name>"
-			" --cacert <path>"
-			" \\\n   "
-			" [--ldaphost <hostname>]"
-			" [--ldapbase <base>]"
-			" \\\n   "
-			" [--crluri <uri>]"
-			" [--crluri2 <uri>]"
-			" [--ocspuri <uri>]"
-			" [--strictcrlpolicy]"
-			"\n\n"
-#ifdef DEBUG
-		"debug: whack [--name <connection_name>]"
-			" \\\n   "
-			" [--debug-none]"
-			" [--debug-all]"
-			" \\\n   "
-			" [--debug-raw]"
-			" [--debug-crypt]"
-			" [--debug-parsing]"
-			" [--debug-emitting]"
-			" \\\n   "
-			" [--debug-control]"
-			" [--debug-lifecycle]"
-			" [--debug-kernel]"
-			" [--debug-dns]"
-			" \\\n   "
-			" [--debug-natt]"
-			" [--debug-oppo]"
-			" [--debug-controlmore]"
-			" [--debug-private]"
-			"\n\n"
-#endif
-		"leases: whack --leases"
-			" [--name <connection_name>]"
-			" [--lease-addr <ip-address> | --lease-id <identity>]"
-			"\n\n"
-		"listen: whack"
-			" (--listen | --unlisten)"
-			"\n\n"
-		"list: whack [--utc]"
-			" [--listalgs]"
-			" [--listpubkeys]"
-			" [--listcerts]"
-			" [--listcacerts]"
-			" \\\n   "
-			" [--listacerts]"
-			" [--listaacerts]"
-			" [--listocspcerts]"
-			" [--listgroups]"
-			" \\\n   "
-			" [--listcainfos]"
-			" [--listcrls]"
-			" [--listocsp]"
-			" [--listcards]"
-			" [--listplugins]"
-			" [--listall]"
-			"\n\n"
-		"purge: whack"
-			" [--purgeocsp]"
-			"\n\n"
-		"reread: whack"
-			" [--rereadsecrets]"
-			" [--rereadcacerts]"
-			" [--rereadaacerts]"
-			" \\\n   "
-			" [--rereadocspcerts]"
-			" [--rereadacerts]"
-			" [--rereadcrls]"
-			" [--rereadall]"
-			"\n\n"
-		"status: whack"
-			" [--name <connection_name>] --status|--statusall"
-			"\n\n"
-		"scdecrypt: whack"
-			" --scencrypt|scdecrypt <value>"
-			" [--inbase <base>]"
-			" [--outbase <base>]"
-			" [--keyid <id>]"
-			"\n\n"
-		"shutdown: whack"
-			" --shutdown"
-			"\n\n"
-		"strongSwan "VERSION"\n");
-}
-
-static const char *label = NULL;        /* --label operand, saved for diagnostics */
-
-static const char *name = NULL; /* --name operand, saved for diagnostics */
-
-/* options read by optionsfrom */
-options_t *options;
-
-/**
- * exit whack after cleaning up
- */
-static void whack_exit(int status)
-{
-	options->destroy(options);
-	exit(status);
-}
-
-/**
- * print a string as a diagnostic, then exit whack unhappily
- */
-static void diag(const char *mess)
-{
-	if (mess != NULL)
-	{
-		fprintf(stderr, "whack error: ");
-		if (label != NULL)
-		{
-			fprintf(stderr, "%s ", label);
-		}
-		if (name != NULL)
-		{
-			fprintf(stderr, "\"%s\" ", name);
-		}
-		fprintf(stderr, "%s\n", mess);
-	}
-	whack_exit(RC_WHACK_PROBLEM);
-}
-
-/* conditially calls diag; prints second arg, if non-NULL, as quoted string */
-static void diagq(err_t ugh, const char *this)
-{
-	if (ugh != NULL)
-	{
-		if (this == NULL)
-		{
-			diag(ugh);
-		}
-		else
-		{
-			char buf[120];      /* arbitrary limit */
-
-			snprintf(buf, sizeof(buf), "%s \"%s\"", ugh, this);
-			diag(buf);
-		}
-	}
-}
-
-/* complex combined operands return one of these enumerated values
- * Note: these become flags in an lset_t.  Since there are more than
- * 32, we partition them into:
- * - OPT_* options (most random options)
- * - LST_* options (list various internal data)
- * - DBGOPT_* option (DEBUG options)
- * - END_* options (End description options)
- * - CD_* options (Connection Description options)
- * - CA_* options (CA description options)
- */
-enum {
-#   define OPT_FIRST    OPT_CTLBASE
-	OPT_CTLBASE,
-	OPT_NAME,
-
-	OPT_CD,
-
-	OPT_KEYID,
-	OPT_ADDKEY,
-	OPT_PUBKEYRSA,
-
-	OPT_MYID,
-
-	OPT_ROUTE,
-	OPT_UNROUTE,
-
-	OPT_INITIATE,
-	OPT_TERMINATE,
-	OPT_DELETE,
-	OPT_DELETESTATE,
-	OPT_LISTEN,
-	OPT_UNLISTEN,
-
-	OPT_LEASES,
-	OPT_LEASEADDR,
-	OPT_LEASEID,
-
-	OPT_PURGEOCSP,
-
-	OPT_REREADSECRETS,
-	OPT_REREADCACERTS,
-	OPT_REREADAACERTS,
-	OPT_REREADOCSPCERTS,
-	OPT_REREADACERTS,
-	OPT_REREADCRLS,
-	OPT_REREADALL,
-
-	OPT_STATUS,
-	OPT_STATUSALL,
-	OPT_SHUTDOWN,
-
-	OPT_OPPO_HERE,
-	OPT_OPPO_THERE,
-
-	OPT_ASYNC,
-	OPT_DELETECRASH,
-
-#   define OPT_LAST OPT_ASYNC   /* last "normal" option */
-
-/* Smartcard options */
-
-#   define SC_FIRST SC_ENCRYPT  /* first smartcard option */
-
-	SC_ENCRYPT,
-	SC_DECRYPT,
-	SC_INBASE,
-	SC_OUTBASE,
-
-#   define SC_LAST SC_OUTBASE   /* last "smartcard" option */
-
-/* List options */
-
-#   define LST_FIRST LST_UTC    /* first list option */
-	LST_UTC,
-	LST_ALGS,
-	LST_PUBKEYS,
-	LST_CERTS,
-	LST_CACERTS,
-	LST_ACERTS,
-	LST_AACERTS,
-	LST_OCSPCERTS,
-	LST_GROUPS,
-	LST_CAINFOS,
-	LST_CRLS,
-	LST_OCSP,
-	LST_CARDS,
-	LST_PLUGINS,
-	LST_ALL,
-
-#   define LST_LAST LST_ALL     /* last list option */
-
-/* Connection End Description options */
-
-#   define END_FIRST END_HOST   /* first end description */
-	END_HOST,
-	END_ID,
-	END_CERT,
-	END_CA,
-	END_SENDCERT,
-	END_GROUPS,
-	END_IKEPORT,
-	END_NEXTHOP,
-	END_CLIENT,
-	END_CLIENTWITHIN,
-	END_CLIENTPROTOPORT,
-	END_DNSKEYONDEMAND,
-	END_SRCIP,
-	END_HOSTACCESS,
-	END_UPDOWN,
-
-#define END_LAST  END_UPDOWN    /* last end description*/
-
-/* Connection Description options -- segregated */
-
-#   define CD_FIRST CD_TO       /* first connection description */
-	CD_TO,
-
-#   define CD_POLICY_FIRST  CD_PSK
-	CD_PSK,     /* same order as POLICY_* */
-	CD_RSASIG,  /* same order as POLICY_* */
-	CD_ENCRYPT, /* same order as POLICY_* */
-	CD_AUTHENTICATE,    /* same order as POLICY_* */
-	CD_COMPRESS,        /* same order as POLICY_* */
-	CD_TUNNEL,  /* same order as POLICY_* */
-	CD_PFS,     /* same order as POLICY_* */
-	CD_DISABLEARRIVALCHECK,     /* same order as POLICY_* */
-	CD_SHUNT0,  /* same order as POLICY_* */
-	CD_SHUNT1,  /* same order as POLICY_* */
-	CD_FAIL0,   /* same order as POLICY_* */
-	CD_FAIL1,   /* same order as POLICY_* */
-	CD_DONT_REKEY,      /* same order as POLICY_* */
-
-	CD_TUNNELIPV4,
-	CD_TUNNELIPV6,
-	CD_CONNIPV4,
-	CD_CONNIPV6,
-
-	CD_IKELIFETIME,
-	CD_IPSECLIFETIME,
-	CD_RKMARGIN,
-	CD_RKFUZZ,
-	CD_KTRIES,
-	CD_DPDACTION,
-	CD_DPDDELAY,
-	CD_DPDTIMEOUT,
-	CD_IKE,
-	CD_PFSGROUP,
-	CD_ESP,
-
-#   define CD_LAST CD_ESP       /* last connection description */
-
-/* Certificate Authority (CA) description options */
-
-#   define CA_FIRST CA_NAME     /* first ca description */
-
-	CA_NAME,
-	CA_CERT,
-	CA_LDAPHOST,
-	CA_LDAPBASE,
-	CA_CRLURI,
-	CA_CRLURI2,
-	CA_OCSPURI,
-	CA_STRICT
-
-#   define CA_LAST CA_STRICT    /* last ca description */
-
-#ifdef DEBUG    /* must be last so others are less than 32 to fit in lset_t */
-#   define DBGOPT_FIRST DBGOPT_NONE
-	,
-	/* NOTE: these definitions must match DBG_* and IMPAIR_* in constants.h */
-	DBGOPT_NONE,
-	DBGOPT_ALL,
-
-	DBGOPT_RAW,         /* same order as DBG_* */
-	DBGOPT_CRYPT,       /* same order as DBG_* */
-	DBGOPT_PARSING,     /* same order as DBG_* */
-	DBGOPT_EMITTING,    /* same order as DBG_* */
-	DBGOPT_CONTROL,     /* same order as DBG_* */
-	DBGOPT_LIFECYCLE,   /* same order as DBG_* */
-	DBGOPT_KERNEL,      /* same order as DBG_* */
-	DBGOPT_DNS,         /* same order as DBG_* */
-	DBGOPT_NATT,        /* same order as DBG_* */
-	DBGOPT_OPPO,        /* same order as DBG_* */
-	DBGOPT_CONTROLMORE, /* same order as DBG_* */
-
-	DBGOPT_PRIVATE,     /* same order as DBG_* */
-
-	DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER,        /* same order as IMPAIR_* */
-	DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER,        /* same order as IMPAIR_* */
-	DBGOPT_IMPAIR_BUST_MI2,     /* same order as IMPAIR_* */
-	DBGOPT_IMPAIR_BUST_MR2      /* same order as IMPAIR_* */
-
-#   define DBGOPT_LAST DBGOPT_IMPAIR_BUST_MR2
-#endif
-
-};
-
-/* Carve up space for result from getop_long.
- * Stupidly, the only result is an int.
- * Numeric arg is bit immediately left of basic value.
- *
- */
-#define OPTION_OFFSET   256     /* to get out of the way of letter options */
-#define NUMERIC_ARG (1 << 9)    /* expect a numeric argument */
-#define AUX_SHIFT   10  /* amount to shift for aux information */
-
-static const struct option long_opts[] = {
-#   define OO   OPTION_OFFSET
-	/* name, has_arg, flag, val */
-
-	{ "help", no_argument, NULL, 'h' },
-	{ "version", no_argument, NULL, 'v' },
-	{ "optionsfrom", required_argument, NULL, '+' },
-	{ "label", required_argument, NULL, 'l' },
-
-	{ "ctlbase", required_argument, NULL, OPT_CTLBASE + OO },
-	{ "name", required_argument, NULL, OPT_NAME + OO },
-
-	{ "keyid", required_argument, NULL, OPT_KEYID + OO },
-	{ "addkey", no_argument, NULL, OPT_ADDKEY + OO },
-	{ "pubkeyrsa", required_argument, NULL, OPT_PUBKEYRSA + OO },
-
-	{ "myid", required_argument, NULL, OPT_MYID + OO },
-
-	{ "route", no_argument, NULL, OPT_ROUTE + OO },
-	{ "unroute", no_argument, NULL, OPT_UNROUTE + OO },
-
-	{ "initiate", no_argument, NULL, OPT_INITIATE + OO },
-	{ "terminate", no_argument, NULL, OPT_TERMINATE + OO },
-	{ "delete", no_argument, NULL, OPT_DELETE + OO },
-	{ "deletestate", required_argument, NULL, OPT_DELETESTATE + OO + NUMERIC_ARG },
-	{ "crash", required_argument, NULL, OPT_DELETECRASH + OO },
-	{ "listen", no_argument, NULL, OPT_LISTEN + OO },
-	{ "unlisten", no_argument, NULL, OPT_UNLISTEN + OO },
-
-	{ "leases", no_argument, NULL, OPT_LEASES + OO },
-	{ "lease-addr", required_argument, NULL, OPT_LEASEADDR + OO },
-	{ "lease-id", required_argument, NULL, OPT_LEASEID + OO },
-
-	{ "purgeocsp", no_argument, NULL, OPT_PURGEOCSP + OO },
-
-	{ "rereadsecrets", no_argument, NULL, OPT_REREADSECRETS + OO },
-	{ "rereadcacerts", no_argument, NULL, OPT_REREADCACERTS + OO },
-	{ "rereadaacerts", no_argument, NULL, OPT_REREADAACERTS + OO },
-	{ "rereadocspcerts", no_argument, NULL, OPT_REREADOCSPCERTS + OO },
-	{ "rereadacerts", no_argument, NULL, OPT_REREADACERTS + OO },
-	{ "rereadcrls", no_argument, NULL, OPT_REREADCRLS + OO },
-	{ "rereadall", no_argument, NULL, OPT_REREADALL + OO },
-	{ "status", no_argument, NULL, OPT_STATUS + OO },
-	{ "statusall", no_argument, NULL, OPT_STATUSALL + OO },
-	{ "shutdown", no_argument, NULL, OPT_SHUTDOWN + OO },
-
-	{ "oppohere", required_argument, NULL, OPT_OPPO_HERE + OO },
-	{ "oppothere", required_argument, NULL, OPT_OPPO_THERE + OO },
-
-	{ "asynchronous", no_argument, NULL, OPT_ASYNC + OO },
-
-	/* smartcard options */
-
-	{ "scencrypt", required_argument, NULL, SC_ENCRYPT + OO },
-	{ "scdecrypt", required_argument, NULL, SC_DECRYPT + OO },
-	{ "inbase", required_argument, NULL, SC_INBASE + OO },
-	{ "outbase", required_argument, NULL, SC_OUTBASE + OO },
-
-	/* list options */
-
-	{ "utc", no_argument, NULL, LST_UTC + OO },
-	{ "listalgs", no_argument, NULL, LST_ALGS + OO },
-	{ "listpubkeys", no_argument, NULL, LST_PUBKEYS + OO },
-	{ "listcerts", no_argument, NULL, LST_CERTS + OO },
-	{ "listcacerts", no_argument, NULL, LST_CACERTS + OO },
-	{ "listacerts", no_argument, NULL, LST_ACERTS + OO },
-	{ "listaacerts", no_argument, NULL, LST_AACERTS + OO },
-	{ "listocspcerts", no_argument, NULL, LST_OCSPCERTS + OO },
-	{ "listgroups", no_argument, NULL, LST_GROUPS + OO },
-	{ "listcainfos", no_argument, NULL, LST_CAINFOS + OO },
-	{ "listcrls", no_argument, NULL, LST_CRLS + OO },
-	{ "listocsp", no_argument, NULL, LST_OCSP + OO },
-	{ "listcards", no_argument, NULL, LST_CARDS + OO },
-	{ "listplugins", no_argument, NULL, LST_PLUGINS + OO },
-	{ "listall", no_argument, NULL, LST_ALL + OO },
-
-	/* options for an end description */
-
-	{ "host", required_argument, NULL, END_HOST + OO },
-	{ "id", required_argument, NULL, END_ID + OO },
-	{ "cert", required_argument, NULL, END_CERT + OO },
-	{ "ca", required_argument, NULL, END_CA + OO },
-	{ "sendcert", required_argument, NULL, END_SENDCERT + OO },
-	{ "groups", required_argument, NULL, END_GROUPS + OO },
-	{ "ikeport", required_argument, NULL, END_IKEPORT + OO + NUMERIC_ARG },
-	{ "nexthop", required_argument, NULL, END_NEXTHOP + OO },
-	{ "client", required_argument, NULL, END_CLIENT + OO },
-	{ "clientwithin", required_argument, NULL, END_CLIENTWITHIN + OO },
-	{ "clientprotoport", required_argument, NULL, END_CLIENTPROTOPORT + OO },
-	{ "dnskeyondemand", no_argument, NULL, END_DNSKEYONDEMAND + OO },
-	{ "srcip",  required_argument, NULL, END_SRCIP + OO },
-	{ "hostaccess", no_argument, NULL, END_HOSTACCESS + OO },
-	{ "updown", required_argument, NULL, END_UPDOWN + OO },
-
-	/* options for a connection description */
-
-	{ "to", no_argument, NULL, CD_TO + OO },
-
-	{ "psk", no_argument, NULL, CD_PSK + OO },
-	{ "rsasig", no_argument, NULL, CD_RSASIG + OO },
-
-	{ "encrypt", no_argument, NULL, CD_ENCRYPT + OO },
-	{ "authenticate", no_argument, NULL, CD_AUTHENTICATE + OO },
-	{ "compress", no_argument, NULL, CD_COMPRESS + OO },
-	{ "tunnel", no_argument, NULL, CD_TUNNEL + OO },
-	{ "tunnelipv4", no_argument, NULL, CD_TUNNELIPV4 + OO },
-	{ "tunnelipv6", no_argument, NULL, CD_TUNNELIPV6 + OO },
-	{ "pfs", no_argument, NULL, CD_PFS + OO },
-	{ "disablearrivalcheck", no_argument, NULL, CD_DISABLEARRIVALCHECK + OO },
-	{ "initiateontraffic", no_argument, NULL
-		, CD_SHUNT0 + (POLICY_SHUNT_TRAP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-	{ "pass", no_argument, NULL
-		, CD_SHUNT0 + (POLICY_SHUNT_PASS >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-	{ "drop", no_argument, NULL
-		, CD_SHUNT0 + (POLICY_SHUNT_DROP >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-	{ "reject", no_argument, NULL
-		, CD_SHUNT0 + (POLICY_SHUNT_REJECT >> POLICY_SHUNT_SHIFT << AUX_SHIFT) + OO },
-	{ "failnone", no_argument, NULL
-		, CD_FAIL0 + (POLICY_FAIL_NONE >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-	{ "failpass", no_argument, NULL
-		, CD_FAIL0 + (POLICY_FAIL_PASS >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-	{ "faildrop", no_argument, NULL
-		, CD_FAIL0 + (POLICY_FAIL_DROP >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-	{ "failreject", no_argument, NULL
-		, CD_FAIL0 + (POLICY_FAIL_REJECT >> POLICY_FAIL_SHIFT << AUX_SHIFT) + OO },
-	{ "dontrekey", no_argument, NULL, CD_DONT_REKEY + OO },
-	{ "ipv4", no_argument, NULL, CD_CONNIPV4 + OO },
-	{ "ipv6", no_argument, NULL, CD_CONNIPV6 + OO },
-
-	{ "ikelifetime", required_argument, NULL, CD_IKELIFETIME + OO + NUMERIC_ARG },
-	{ "ipseclifetime", required_argument, NULL, CD_IPSECLIFETIME + OO + NUMERIC_ARG },
-	{ "rekeymargin", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG },
-	{ "rekeywindow", required_argument, NULL, CD_RKMARGIN + OO + NUMERIC_ARG }, /* OBSOLETE */
-	{ "rekeyfuzz", required_argument, NULL, CD_RKFUZZ + OO + NUMERIC_ARG },
-	{ "keyingtries", required_argument, NULL, CD_KTRIES + OO + NUMERIC_ARG },
-	{ "dpdaction", required_argument, NULL, CD_DPDACTION + OO },
-	{ "dpddelay", required_argument, NULL, CD_DPDDELAY + OO + NUMERIC_ARG },
-	{ "dpdtimeout", required_argument, NULL, CD_DPDTIMEOUT + OO + NUMERIC_ARG },
-	{ "ike", required_argument, NULL, CD_IKE + OO },
-	{ "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
-	{ "esp", required_argument, NULL, CD_ESP + OO },
-
-	/* options for a ca description */
-
-	{ "caname", required_argument, NULL, CA_NAME + OO },
-	{ "cacert", required_argument, NULL, CA_CERT + OO },
-	{ "ldaphost", required_argument, NULL, CA_LDAPHOST + OO },
-	{ "ldapbase", required_argument, NULL, CA_LDAPBASE + OO },
-	{ "crluri", required_argument, NULL, CA_CRLURI + OO },
-	{ "crluri2", required_argument, NULL, CA_CRLURI2 + OO },
-	{ "ocspuri", required_argument, NULL, CA_OCSPURI + OO },
-	{ "strictcrlpolicy", no_argument, NULL, CA_STRICT + OO },
-
-#ifdef DEBUG
-	{ "debug-none", no_argument, NULL, DBGOPT_NONE + OO },
-	{ "debug-all]", no_argument, NULL, DBGOPT_ALL + OO },
-	{ "debug-raw", no_argument, NULL, DBGOPT_RAW + OO },
-	{ "debug-crypt", no_argument, NULL, DBGOPT_CRYPT + OO },
-	{ "debug-parsing", no_argument, NULL, DBGOPT_PARSING + OO },
-	{ "debug-emitting", no_argument, NULL, DBGOPT_EMITTING + OO },
-	{ "debug-control", no_argument, NULL, DBGOPT_CONTROL + OO },
-	{ "debug-lifecycle", no_argument, NULL, DBGOPT_LIFECYCLE + OO },
-	{ "debug-klips", no_argument, NULL, DBGOPT_KERNEL + OO },
-	{ "debug-kernel", no_argument, NULL, DBGOPT_KERNEL + OO },
-	{ "debug-dns", no_argument, NULL, DBGOPT_DNS + OO },
-	{ "debug-natt", no_argument, NULL, DBGOPT_NATT + OO },
-	{ "debug-oppo", no_argument, NULL, DBGOPT_OPPO + OO },
-	{ "debug-controlmore", no_argument, NULL, DBGOPT_CONTROLMORE + OO },
-	{ "debug-private", no_argument, NULL, DBGOPT_PRIVATE + OO },
-
-	{ "impair-delay-adns-key-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER + OO },
-	{ "impair-delay-adns-txt-answer", no_argument, NULL, DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER + OO },
-	{ "impair-bust-mi2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MI2 + OO },
-	{ "impair-bust-mr2", no_argument, NULL, DBGOPT_IMPAIR_BUST_MR2 + OO },
-#endif
-#   undef OO
-	{ 0,0,0,0 }
-};
-
-struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
-
-/* helper variables and function to encode strings from whack message */
-
-static char	*next_str,*str_roof;
-
-static bool pack_str(char **p)
-{
-	const char *s = *p == NULL? "" : *p;        /* note: NULL becomes ""! */
-	size_t len = strlen(s) + 1;
-
-	if (str_roof - next_str < (ptrdiff_t)len)
-	{
-		return FALSE;   /* fishy: no end found */
-	}
-	else
-	{
-		strcpy(next_str, s);
-		next_str += len;
-		*p = NULL;      /* don't send pointers on the wire! */
-		return TRUE;
-	}
-}
-
-static void check_life_time(time_t life, time_t limit, const char *which,
-							const whack_message_t *msg)
-{
-	time_t mint = msg->sa_rekey_margin * (100 + msg->sa_rekey_fuzz) / 100;
-
-	if (life > limit)
-	{
-		char buf[200];  /* arbitrary limit */
-
-		snprintf(buf, sizeof(buf)
-			, "%s [%lu seconds] must be less than %lu seconds"
-			, which, (unsigned long)life, (unsigned long)limit);
-		diag(buf);
-	}
-	if ((msg->policy & POLICY_DONT_REKEY) == LEMPTY && life <= mint)
-	{
-		char buf[200];  /* arbitrary limit */
-
-		snprintf(buf, sizeof(buf)
-			, "%s [%lu] must be greater than"
-			" rekeymargin*(100+rekeyfuzz)/100 [%lu*(100+%lu)/100 = %lu]"
-			, which
-			, (unsigned long)life
-			, (unsigned long)msg->sa_rekey_margin
-			, (unsigned long)msg->sa_rekey_fuzz
-			, (unsigned long)mint);
-		diag(buf);
-	}
-}
-
-static void clear_end(whack_end_t *e)
-{
-	zero(e);
-	e->id = NULL;
-	e->cert = NULL;
-	e->ca = NULL;
-	e->updown = NULL;
-	e->host_port = IKE_UDP_PORT;
-}
-
-static void update_ports(whack_message_t *m)
-{
-	int port;
-
-	if (m->left.port != 0) {
-		port = htons(m->left.port);
-		setportof(port, &m->left.host_addr);
-		setportof(port, &m->left.client.addr);
-	}
-	if (m->right.port != 0) {
-		port = htons(m->right.port);
-		setportof(port, &m->right.host_addr);
-		setportof(port, &m->right.client.addr);
-	}
-}
-
-static void check_end(whack_end_t *this, whack_end_t *that,
-					  bool default_nexthop, sa_family_t caf, sa_family_t taf)
-{
-	if (caf != addrtypeof(&this->host_addr))
-		diag("address family of host inconsistent");
-
-	if (default_nexthop)
-	{
-		if (isanyaddr(&that->host_addr))
-			diag("our nexthop must be specified when other host is a %any or %opportunistic");
-		this->host_nexthop = that->host_addr;
-	}
-
-	if (caf != addrtypeof(&this->host_nexthop))
-		diag("address family of nexthop inconsistent");
-
-	if (this->has_client)
-	{
-		if (taf != subnettypeof(&this->client))
-			diag("address family of client subnet inconsistent");
-	}
-	else
-	{
-		/* fill in anyaddr-anyaddr as (missing) client subnet */
-		ip_address cn;
-
-		diagq(anyaddr(caf, &cn), NULL);
-		diagq(rangetosubnet(&cn, &cn, &this->client), NULL);
-	}
-
-	/* fill in anyaddr if source IP is not defined */
-	if (!this->has_srcip)
-		diagq(anyaddr(caf, &this->host_srcip), optarg);
-
-   /* check protocol */
-	if (this->protocol != that->protocol)
-		diag("the protocol for leftprotoport and rightprotoport must be the same");
-}
-
-static void get_secret(int sock)
-{
-	const char *buf = NULL, *secret;
-	int len;
-
-	fflush(stdout);
-	usleep(20000); /* give fflush time for flushing */
-#ifdef HAVE_GETPASS
-	buf = getpass("Enter: ");
-#endif
-	secret = (buf == NULL)? "" : buf;
-
-	/* send the secret to pluto */
-	len = strlen(secret) + 1;
-	if (write(sock, secret, len) != len)
-	{
-		int e = errno;
-
-		fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
-		exit(RC_WHACK_PROBLEM);
-	}
-}
-
-/* This is a hack for initiating ISAKMP exchanges. */
-
-int main(int argc, char **argv)
-{
-	whack_message_t msg;
-	char esp_buf[256];  /* uses snprintf */
-	lset_t
-		opts_seen = LEMPTY,
-		sc_seen = LEMPTY,
-		lst_seen = LEMPTY,
-		cd_seen = LEMPTY,
-		ca_seen = LEMPTY,
-		end_seen = LEMPTY,
-		end_seen_before_to = LEMPTY;
-	const char
-		*af_used_by = NULL,
-		*tunnel_af_used_by = NULL;
-
-	/* check division of numbering space */
-#ifdef DEBUG
-	assert(OPTION_OFFSET + DBGOPT_LAST < NUMERIC_ARG);
-#else
-	assert(OPTION_OFFSET + CA_LAST < NUMERIC_ARG);
-#endif
-	assert(OPT_LAST - OPT_FIRST < (sizeof opts_seen * BITS_PER_BYTE));
-	assert(SC_LAST  - SC_FIRST  < (sizeof sc_seen   * BITS_PER_BYTE));
-	assert(LST_LAST - LST_FIRST < (sizeof lst_seen  * BITS_PER_BYTE));
-	assert(END_LAST - END_FIRST < (sizeof end_seen  * BITS_PER_BYTE));
-	assert(CD_LAST  - CD_FIRST  < (sizeof cd_seen   * BITS_PER_BYTE));
-	assert(CA_LAST  - CA_FIRST  < (sizeof ca_seen   * BITS_PER_BYTE));
-#ifdef DEBUG    /* must be last so others are less than (sizeof cd_seen * BITS_PER_BYTE) to fit in lset_t */
-	assert(DBGOPT_LAST - DBGOPT_FIRST < (sizeof cd_seen * BITS_PER_BYTE));
-#endif
-	/* check that POLICY bit assignment matches with CD_ */
-	assert(LELEM(CD_DONT_REKEY - CD_POLICY_FIRST) == POLICY_DONT_REKEY);
-
-	zero(&msg);
-
-	clear_end(&msg.right);      /* left set from this after --to */
-
-	msg.name = NULL;
-	msg.keyid = NULL;
-	msg.keyval.ptr = NULL;
-	msg.esp = NULL;
-	msg.ike = NULL;
-	msg.pfsgroup = NULL;
-
-   /* if a connection is added via whack then we assume IKEv1 */
-	msg.ikev1 = TRUE;
-
-	msg.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
-	msg.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
-	msg.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
-	msg.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
-	msg.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
-
-	msg.addr_family = AF_INET;
-	msg.tunnel_addr_family = AF_INET;
-
-	msg.cacert = NULL;
-	msg.ldaphost = NULL;
-	msg.ldapbase = NULL;
-	msg.crluri = NULL;
-	msg.crluri2 = NULL;
-	msg.ocspuri = NULL;
-
-	options = options_create();
-
-	for (;;)
-	{
-		int long_index;
-		unsigned long opt_whole = 0;  /* numeric argument for some flags */
-
-		/* Note: we don't like the way short options get parsed
-		 * by getopt_long, so we simply pass an empty string as
-		 * the list.  It could be "hp:d:c:o:eatfs" "NARXPECK".
-		 */
-		int c = getopt_long(argc, argv, "", long_opts, &long_index) - OPTION_OFFSET;
-		int aux = 0;
-
-		/* decode a numeric argument, if expected */
-		if (0 <= c)
-		{
-			if (c & NUMERIC_ARG)
-			{
-				char *endptr;
-
-				c -= NUMERIC_ARG;
-				opt_whole = strtoul(optarg, &endptr, 0);
-
-				if (*endptr != '\0' || endptr == optarg)
-					diagq("badly formed numeric argument", optarg);
-			}
-			if (c >= (1 << AUX_SHIFT))
-			{
-				aux = c >> AUX_SHIFT;
-				c -= aux << AUX_SHIFT;
-			}
-		}
-
-		/* per-class option processing */
-		if (0 <= c && c <= OPT_LAST)
-		{
-			/* OPT_* options get added to opts_seen.
-			 * Reject repeated options (unless later code intervenes).
-			 */
-			lset_t f = LELEM(c);
-
-			if (opts_seen & f)
-				diagq("duplicated flag", long_opts[long_index].name);
-			opts_seen |= f;
-		}
-		else if (SC_FIRST <= c && c <= SC_LAST)
-		{
-			/* SC_* options get added to sc_seen.
-			 * Reject repeated options (unless later code intervenes).
-			 */
-			lset_t f = LELEM(c - SC_FIRST);
-
-			if (sc_seen & f)
-				diagq("duplicated flag", long_opts[long_index].name);
-			sc_seen |= f;
-		}
-		else if (LST_FIRST <= c && c <= LST_LAST)
-		{
-			/* LST_* options get added to lst_seen.
-			 * Reject repeated options (unless later code intervenes).
-			 */
-			lset_t f = LELEM(c - LST_FIRST);
-
-			if (lst_seen & f)
-				diagq("duplicated flag", long_opts[long_index].name);
-			lst_seen |= f;
-		}
-#ifdef DEBUG
-		else if (DBGOPT_FIRST <= c && c <= DBGOPT_LAST)
-		{
-			msg.whack_options = TRUE;
-		}
-#endif
-		else if (END_FIRST <= c && c <= END_LAST)
-		{
-			/* END_* options are added to end_seen.
-			 * Reject repeated options (unless later code intervenes).
-			 */
-			lset_t f = LELEM(c - END_FIRST);
-
-			if (end_seen & f)
-				diagq("duplicated flag", long_opts[long_index].name);
-			end_seen |= f;
-			opts_seen |= LELEM(OPT_CD);
-		}
-		else if (CD_FIRST <= c && c <= CD_LAST)
-		{
-			/* CD_* options are added to cd_seen.
-			 * Reject repeated options (unless later code intervenes).
-			 */
-			lset_t f = LELEM(c - CD_FIRST);
-
-			if (cd_seen & f)
-				diagq("duplicated flag", long_opts[long_index].name);
-			cd_seen |= f;
-			opts_seen |= LELEM(OPT_CD);
-		}
-		else if (CA_FIRST <= c && c <= CA_LAST)
-		{
-			/* CA_* options are added to ca_seen.
-			 * Reject repeated options (unless later code intervenes).
-			 */
-			lset_t f = LELEM(c - CA_FIRST);
-
-			if (ca_seen & f)
-				diagq("duplicated flag", long_opts[long_index].name);
-			ca_seen |= f;
-		}
-
-		/* Note: "break"ing from switch terminates loop.
-		 * most cases should end with "continue".
-		 */
-		switch (c)
-		{
-		case EOF - OPTION_OFFSET:       /* end of flags */
-			break;
-
-		case 0 - OPTION_OFFSET: /* long option already handled */
-			continue;
-
-		case ':' - OPTION_OFFSET:       /* diagnostic already printed by getopt_long */
-		case '?' - OPTION_OFFSET:       /* diagnostic already printed by getopt_long */
-			diag(NULL); /* print no additional diagnostic, but exit sadly */
-			break;      /* not actually reached */
-
-		case 'h' - OPTION_OFFSET:       /* --help */
-			help();
-			whack_exit(0);              /* GNU coding standards say to stop here */
-
-		case 'v' - OPTION_OFFSET:       /* --version */
-			{
-				const char **sp = ipsec_copyright_notice();
-
-				printf("strongSwan "VERSION"\n");
-				for (; *sp != NULL; sp++)
-					puts(*sp);
-			}
-			whack_exit(0);   /* GNU coding standards say to stop here */
-
-		case 'l' - OPTION_OFFSET:       /* --label <string> */
-			label = optarg;             /* remember for diagnostics */
-			continue;
-
-		case '+' - OPTION_OFFSET:       /* --optionsfrom <filename> */
-			if (!options->from(options, optarg, &argc, &argv, optind))
-			{
-				fprintf(stderr, "optionsfrom failed");
-				whack_exit(RC_WHACK_PROBLEM);
-			}
-			continue;
-
-		/* the rest of the options combine in complex ways */
-
-		case OPT_CTLBASE:       /* --port <ctlbase> */
-			if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
-			, "%s%s", optarg, CTL_SUFFIX) == -1)
-				diag("<ctlbase>" CTL_SUFFIX " must be fit in a sun_addr");
-			continue;
-
-		case OPT_NAME:  /* --name <connection-name> */
-			name = optarg;
-			msg.name = optarg;
-			continue;
-
-		case OPT_KEYID: /* --keyid <identity> */
-			msg.whack_key = !msg.whack_sc_op;
-			msg.keyid = optarg; /* decoded by Pluto */
-			continue;
-
-		case OPT_MYID:  /* --myid <identity> */
-			msg.whack_myid = TRUE;
-			msg.myid = optarg;  /* decoded by Pluto */
-			continue;
-
-		case OPT_ADDKEY:        /* --addkey */
-			msg.whack_addkey = TRUE;
-			continue;
-
-		case OPT_PUBKEYRSA:     /* --pubkeyrsa <key> */
-			{
-				static char keyspace[RSA_MAX_ENCODING_BYTES];   /* room for 8K bit key */
-				char diag_space[TTODATAV_BUF];
-				const char *ugh = ttodatav(optarg, 0, 0
-					, keyspace, sizeof(keyspace)
-					, &msg.keyval.len, diag_space, sizeof(diag_space)
-					, TTODATAV_SPACECOUNTS);
-
-				if (ugh != NULL)
-				{
-					char ugh_space[80]; /* perhaps enough space */
-
-					snprintf(ugh_space, sizeof(ugh_space)
-						, "RSA public-key data malformed (%s)", ugh);
-					diagq(ugh_space, optarg);
-				}
-				msg.pubkey_alg = PUBKEY_ALG_RSA;
-				msg.keyval.ptr = keyspace;
-			}
-			continue;
-
-		case OPT_ROUTE: /* --route */
-			msg.whack_route = TRUE;
-			continue;
-
-		case OPT_UNROUTE:       /* --unroute */
-			msg.whack_unroute = TRUE;
-			continue;
-
-		case OPT_INITIATE:      /* --initiate */
-			msg.whack_initiate = TRUE;
-			continue;
-
-		case OPT_TERMINATE:     /* --terminate */
-			msg.whack_terminate = TRUE;
-			continue;
-
-		case OPT_DELETE:        /* --delete */
-			msg.whack_delete = TRUE;
-			continue;
-
-		case OPT_DELETESTATE:   /* --deletestate <state_object_number> */
-			msg.whack_deletestate = TRUE;
-			msg.whack_deletestateno = opt_whole;
-			continue;
-
-		case OPT_DELETECRASH:   /* --crash <ip-address> */
-			msg.whack_crash = TRUE;
-			tunnel_af_used_by = long_opts[long_index].name;
-			diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.whack_crash_peer), optarg);
-			if (isanyaddr(&msg.whack_crash_peer))
-				diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
-			continue;
-
-		case OPT_LEASES:        /* --leases */
-			msg.whack_leases = TRUE;
-			continue;
-
-		case OPT_LEASEADDR:     /* --lease-addr <ip-address> */
-			msg.whack_lease_ip = optarg;      /* decoded by Pluto */
-			continue;
-
-		case OPT_LEASEID:       /* --lease-id <identity> */
-			msg.whack_lease_id = optarg;      /* decoded by Pluto */
-			continue;
-
-		case OPT_LISTEN:        /* --listen */
-			msg.whack_listen = TRUE;
-			continue;
-
-		case OPT_UNLISTEN:      /* --unlisten */
-			msg.whack_unlisten = TRUE;
-			continue;
-
-		case OPT_PURGEOCSP:     /* --purgeocsp */
-			msg.whack_purgeocsp = TRUE;
-			continue;
-
-		case OPT_REREADSECRETS:   /* --rereadsecrets */
-		case OPT_REREADCACERTS:   /* --rereadcacerts */
-		case OPT_REREADAACERTS:   /* --rereadaacerts */
-		case OPT_REREADOCSPCERTS: /* --rereadocspcerts */
-		case OPT_REREADACERTS:    /* --rereadacerts */
-		case OPT_REREADCRLS:      /* --rereadcrls */
-			msg.whack_reread |= LELEM(c-OPT_REREADSECRETS);
-			continue;
-
-		case OPT_REREADALL:     /* --rereadall */
-			msg.whack_reread = REREAD_ALL;
-			continue;
-
-		case OPT_STATUSALL:     /* --statusall */
-			msg.whack_statusall = TRUE;
-			/* fall through */
-
-		case OPT_STATUS:        /* --status */
-			msg.whack_status = TRUE;
-			continue;
-
-		case OPT_SHUTDOWN:      /* --shutdown */
-			msg.whack_shutdown = TRUE;
-			continue;
-
-		case OPT_OPPO_HERE:     /* --oppohere <ip-address> */
-			tunnel_af_used_by = long_opts[long_index].name;
-			diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_my_client), optarg);
-			if (isanyaddr(&msg.oppo_my_client))
-				diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
-			continue;
-
-		case OPT_OPPO_THERE:    /* --oppohere <ip-address> */
-			tunnel_af_used_by = long_opts[long_index].name;
-			diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_peer_client), optarg);
-			if (isanyaddr(&msg.oppo_peer_client))
-				diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg);
-			continue;
-
-		case OPT_ASYNC:
-			msg.whack_async = TRUE;
-			continue;
-
-		/* Smartcard options */
-
-		case SC_ENCRYPT:        /* --scencrypt <plaintext data> */
-		case SC_DECRYPT:        /* --scdecrypt <encrypted data> */
-			msg.whack_sc_op = 1 + c - SC_ENCRYPT;
-			msg.whack_key = FALSE;
-			msg.sc_data = optarg;
-			continue;
-
-		case SC_INBASE:         /* --inform  <format> */
-		case SC_OUTBASE:        /* --outform <format> */
-		   {
-				int base = 0;
-
-				if (streq(optarg, "16") || strcaseeq(optarg, "hex"))
-					base = 16;
-				else if (streq(optarg, "64") || strcaseeq(optarg, "base64"))
-					base = 64;
-				else if (streq(optarg, "256") || strcaseeq(optarg, "text")
-					  || strcaseeq(optarg, "ascii"))
-					base = 256;
-				else
-					diagq("not a valid base", optarg);
-
-				if (c == SC_INBASE)
-					msg.inbase = base;
-				else
-					msg.outbase = base;
-			}
-			continue;
-
-		/* List options */
-
-		case LST_UTC:           /* --utc */
-			msg.whack_utc = TRUE;
-			continue;
-
-		case LST_ALGS:          /* --listalgs */
-		case LST_PUBKEYS:       /* --listpubkeys */
-		case LST_CERTS:         /* --listcerts */
-		case LST_CACERTS:       /* --listcacerts */
-		case LST_ACERTS:        /* --listacerts */
-		case LST_AACERTS:       /* --listaacerts */
-		case LST_OCSPCERTS:     /* --listocspcerts */
-		case LST_GROUPS:        /* --listgroups */
-		case LST_CAINFOS:       /* --listcainfos */
-		case LST_CRLS:          /* --listcrls */
-		case LST_OCSP:          /* --listocsp */
-		case LST_CARDS:         /* --listcards */
-		case LST_PLUGINS:       /* --listplugins */
-			msg.whack_list |= LELEM(c - LST_ALGS);
-			continue;
-
-		case LST_ALL:   /* --listall */
-			msg.whack_list = LIST_ALL;
-			continue;
-
-		/* Connection Description options */
-
-		case END_HOST:  /* --host <ip-address> */
-		{
-			lset_t new_policy = LEMPTY;
-
-			af_used_by = long_opts[long_index].name;
-			diagq(anyaddr(msg.addr_family, &msg.right.host_addr), optarg);
-			if (streq(optarg, "%any"))
-			{
-			}
-			else if (streq(optarg, "%opportunistic"))
-			{
-				/* always use tunnel mode; mark as opportunistic */
-				new_policy |= POLICY_TUNNEL | POLICY_OPPO;
-			}
-			else if (streq(optarg, "%group"))
-			{
-				/* always use tunnel mode; mark as group */
-				new_policy |= POLICY_TUNNEL | POLICY_GROUP;
-			}
-			else if (streq(optarg, "%opportunisticgroup"))
-			{
-				/* always use tunnel mode; mark as opportunistic */
-				new_policy |= POLICY_TUNNEL | POLICY_OPPO | POLICY_GROUP;
-			}
-			else
-			{
-				diagq(ttoaddr(optarg, 0, msg.addr_family
-					, &msg.right.host_addr), optarg);
-			}
-
-			msg.policy |= new_policy;
-
-			if (new_policy & (POLICY_OPPO | POLICY_GROUP))
-			{
-				if (!LHAS(end_seen, END_CLIENT - END_FIRST))
-				{
-					/* set host to 0.0.0 and --client to 0.0.0.0/0
-					 * or IPV6 equivalent
-					 */
-					ip_address any;
-
-					tunnel_af_used_by = optarg;
-					diagq(anyaddr(msg.tunnel_addr_family, &any), optarg);
-					diagq(initsubnet(&any, 0, '0', &msg.right.client), optarg);
-				}
-				msg.right.has_client = TRUE;
-			}
-			if (new_policy & POLICY_GROUP)
-			{
-				/* client subnet must not be specified by user:
-				 * it will come from the group's file.
-				 */
-				if (LHAS(end_seen, END_CLIENT - END_FIRST))
-					diag("--host %group clashes with --client");
-
-				end_seen |= LELEM(END_CLIENT - END_FIRST);
-			}
-			if (new_policy & POLICY_OPPO)
-				msg.right.key_from_DNS_on_demand = TRUE;
-			continue;
-		}
-		case END_ID:    /* --id <identity> */
-			msg.right.id = optarg;      /* decoded by Pluto */
-			continue;
-
-		case END_CERT:  /* --cert <path> */
-			msg.right.cert = optarg;    /* decoded by Pluto */
-			continue;
-
-		case END_CA:    /* --ca <distinguished name> */
-			msg.right.ca = optarg;      /* decoded by Pluto */
-			continue;
-
-		case END_SENDCERT:
-			if (streq(optarg, "yes") || streq(optarg, "always"))
-			{
-				msg.right.sendcert = CERT_ALWAYS_SEND;
-			}
-			else if (streq(optarg, "no") || streq(optarg, "never"))
-			{
-				msg.right.sendcert = CERT_NEVER_SEND;
-			}
-			else if (streq(optarg, "ifasked"))
-			{
-				msg.right.sendcert = CERT_SEND_IF_ASKED;
-			}
-			else
-			{
-				diagq("whack sendcert value is not legal", optarg);
-			}
-			continue;
-
-		case END_GROUPS:/* --groups <access control groups> */
-			msg.right.groups = optarg;  /* decoded by Pluto */
-			continue;
-
-		case END_IKEPORT:       /* --ikeport <port-number> */
-			if (opt_whole<=0 || opt_whole >= 0x10000)
-				diagq("<port-number> must be a number between 1 and 65535", optarg);
-			msg.right.host_port = opt_whole;
-			continue;
-
-		case END_NEXTHOP:       /* --nexthop <ip-address> */
-			af_used_by = long_opts[long_index].name;
-			if (streq(optarg, "%direct"))
-				diagq(anyaddr(msg.addr_family
-					, &msg.right.host_nexthop), optarg);
-			else
-				diagq(ttoaddr(optarg, 0, msg.addr_family
-					, &msg.right.host_nexthop), optarg);
-			continue;
-
-		case END_SRCIP:        /* --srcip <ip-address> */
-			af_used_by = long_opts[long_index].name;
-			if (streq(optarg, "%modeconfig") || streq(optarg, "%modecfg"))
-			{
-				msg.right.modecfg = TRUE;
-			}
-			else
-			{
-				diagq(ttoaddr(optarg, 0, msg.addr_family
-					, &msg.right.host_srcip), optarg);
-				msg.right.has_srcip = TRUE;
-			}
-			msg.policy |= POLICY_TUNNEL;        /* srcip => tunnel */
-			continue;
-
-		case END_CLIENT:        /* --client <subnet> */
-			if (end_seen & LELEM(END_CLIENTWITHIN - END_FIRST))
-				diag("--client conflicts with --clientwithin");
-			tunnel_af_used_by = long_opts[long_index].name;
-			if ((strlen(optarg) >= 6 && strncmp(optarg,"vhost:",6) == 0)
-			||  (strlen(optarg) >= 5 && strncmp(optarg,"vnet:",5) == 0))
-			{
-				msg.right.virt = optarg;
-			}
-			else
-			{
-				diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
-				msg.right.has_client = TRUE;
-			}
-			msg.policy |= POLICY_TUNNEL;        /* client => tunnel */
-			continue;
-
-		case END_CLIENTWITHIN:  /* --clienwithin <address range> */
-			if (end_seen & LELEM(END_CLIENT - END_FIRST))
-				diag("--clientwithin conflicts with --client");
-			tunnel_af_used_by = long_opts[long_index].name;
-			diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
-			msg.right.has_client = TRUE;
-			msg.policy |= POLICY_TUNNEL;        /* client => tunnel */
-			msg.right.has_client_wildcard = TRUE;
-			continue;
-
-		case END_CLIENTPROTOPORT: /* --clientprotoport <protocol>/<port> */
-			diagq(ttoprotoport(optarg, 0, &msg.right.protocol, &msg.right.port
-				, &msg.right.has_port_wildcard), optarg);
-			continue;
-
-		case END_DNSKEYONDEMAND:        /* --dnskeyondemand */
-			msg.right.key_from_DNS_on_demand = TRUE;
-			continue;
-
-		case END_HOSTACCESS:    /* --hostaccess */
-			msg.right.hostaccess = TRUE;
-			continue;
-
-		case END_UPDOWN:        /* --updown <updown> */
-			msg.right.updown = optarg;
-			continue;
-
-		case CD_TO:             /* --to */
-			/* process right end, move it to left, reset it */
-			if (!LHAS(end_seen, END_HOST - END_FIRST))
-				diag("connection missing --host before --to");
-			msg.left = msg.right;
-			clear_end(&msg.right);
-			end_seen_before_to = end_seen;
-			end_seen = LEMPTY;
-			continue;
-
-		case CD_PSK:            /* --psk */
-		case CD_RSASIG:         /* --rsasig */
-		case CD_ENCRYPT:        /* --encrypt */
-		case CD_AUTHENTICATE:   /* --authenticate */
-		case CD_COMPRESS:       /* --compress */
-		case CD_TUNNEL:         /* --tunnel */
-		case CD_PFS:            /* --pfs */
-		case CD_DISABLEARRIVALCHECK:    /* --disablearrivalcheck */
-		case CD_DONT_REKEY:     /* --donotrekey */
-			msg.policy |= LELEM(c - CD_POLICY_FIRST);
-			continue;
-
-		/* --initiateontraffic
-		 * --pass
-		 * --drop
-		 * --reject
-		 */
-		case CD_SHUNT0:
-			msg.policy = (msg.policy & ~POLICY_SHUNT_MASK)
-				| ((lset_t)aux << POLICY_SHUNT_SHIFT);
-			continue;
-
-		/* --failnone
-		 * --failpass
-		 * --faildrop
-		 * --failreject
-		 */
-		case CD_FAIL0:
-			msg.policy = (msg.policy & ~POLICY_FAIL_MASK)
-				| ((lset_t)aux << POLICY_FAIL_SHIFT);
-			continue;
-
-		case CD_IKELIFETIME:    /* --ikelifetime <seconds> */
-			msg.sa_ike_life_seconds = opt_whole;
-			continue;
-
-		case CD_IPSECLIFETIME:  /* --ipseclifetime <seconds> */
-			msg.sa_ipsec_life_seconds = opt_whole;
-			continue;
-
-		case CD_RKMARGIN:       /* --rekeymargin <seconds> */
-			msg.sa_rekey_margin = opt_whole;
-			continue;
-
-		case CD_RKFUZZ: /* --rekeyfuzz <percentage> */
-			msg.sa_rekey_fuzz = opt_whole;
-			continue;
-
-		case CD_KTRIES: /* --keyingtries <count> */
-			msg.sa_keying_tries = opt_whole;
-			continue;
-
-		case CD_DPDACTION:
-			if (streq(optarg, "none"))
-				msg.dpd_action = DPD_ACTION_NONE;
-			else if (streq(optarg, "clear"))
-				msg.dpd_action = DPD_ACTION_CLEAR;
-			else if (streq(optarg, "hold"))
-				msg.dpd_action = DPD_ACTION_HOLD;
-			else if (streq(optarg, "restart"))
-				msg.dpd_action = DPD_ACTION_RESTART;
-			else
-				msg.dpd_action = DPD_ACTION_UNKNOWN;
-			continue;
-
-		case CD_DPDDELAY:
-			msg.dpd_delay = opt_whole;
-			continue;
-
-		case CD_DPDTIMEOUT:
-			msg.dpd_timeout = opt_whole;
-			continue;
-
-		case CD_IKE:    /* --ike <ike_alg1,ike_alg2,...> */
-			msg.ike = optarg;
-			continue;
-
-		case CD_PFSGROUP:       /* --pfsgroup modpXXXX */
-			msg.pfsgroup = optarg;
-			continue;
-
-		case CD_ESP:    /* --esp <esp_alg1,esp_alg2,...> */
-			msg.esp = optarg;
-			continue;
-
-		case CD_CONNIPV4:
-			if (LHAS(cd_seen, CD_CONNIPV6 - CD_FIRST))
-				diag("--ipv4 conflicts with --ipv6");
-
-			/* Since this is the default, the flag is redundant.
-			 * So we don't need to set msg.addr_family
-			 * and we don't need to check af_used_by
-			 * and we don't have to consider defaulting tunnel_addr_family.
-			 */
-			continue;
-
-		case CD_CONNIPV6:
-			if (LHAS(cd_seen, CD_CONNIPV4 - CD_FIRST))
-				diag("--ipv6 conflicts with --ipv4");
-
-			if (af_used_by != NULL)
-				diagq("--ipv6 must precede", af_used_by);
-
-			af_used_by = long_opts[long_index].name;
-			msg.addr_family = AF_INET6;
-
-			/* Consider defaulting tunnel_addr_family to AF_INET6.
-			 * Do so only if it hasn't yet been specified or used.
-			 */
-			if (LDISJOINT(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST))
-			&& tunnel_af_used_by == NULL)
-				msg.tunnel_addr_family = AF_INET6;
-			continue;
-
-		case CD_TUNNELIPV4:
-			if (LHAS(cd_seen, CD_TUNNELIPV6 - CD_FIRST))
-				diag("--tunnelipv4 conflicts with --tunnelipv6");
-
-			if (tunnel_af_used_by != NULL)
-				diagq("--tunnelipv4 must precede", af_used_by);
-
-			msg.tunnel_addr_family = AF_INET;
-			continue;
-
-		case CD_TUNNELIPV6:
-			if (LHAS(cd_seen, CD_TUNNELIPV4 - CD_FIRST))
-				diag("--tunnelipv6 conflicts with --tunnelipv4");
-
-			if (tunnel_af_used_by != NULL)
-				diagq("--tunnelipv6 must precede", af_used_by);
-
-			msg.tunnel_addr_family = AF_INET6;
-			continue;
-
-		case CA_NAME:           /* --caname <name> */
-			msg.name = optarg;
-			msg.whack_ca = TRUE;
-			continue;
-		case CA_CERT:           /* --cacert <path> */
-			msg.cacert = optarg;
-			continue;
-		case CA_LDAPHOST:       /* --ldaphost <hostname> */
-			msg.ldaphost = optarg;
-			continue;
-		case CA_LDAPBASE:       /* --ldapbase <base> */
-			msg.ldapbase = optarg;
-			continue;
-		case CA_CRLURI:         /* --crluri <uri> */
-			msg.crluri = optarg;
-			continue;
-		case CA_CRLURI2:        /* --crluri2 <uri> */
-			msg.crluri2 = optarg;
-			continue;
-		case CA_OCSPURI:        /* --ocspuri <uri> */
-			msg.ocspuri = optarg;
-			continue;
-		case CA_STRICT:         /* --strictcrlpolicy */
-			msg.whack_strict = TRUE;
-			continue;
-
-#ifdef DEBUG
-		case DBGOPT_NONE:       /* --debug-none */
-			msg.debugging = DBG_NONE;
-			continue;
-
-		case DBGOPT_ALL:        /* --debug-all */
-			msg.debugging |= DBG_ALL;   /* note: does not include PRIVATE */
-			continue;
-
-		case DBGOPT_RAW:        /* --debug-raw */
-		case DBGOPT_CRYPT:      /* --debug-crypt */
-		case DBGOPT_PARSING:    /* --debug-parsing */
-		case DBGOPT_EMITTING:   /* --debug-emitting */
-		case DBGOPT_CONTROL:    /* --debug-control */
-		case DBGOPT_LIFECYCLE:  /* --debug-lifecycle */
-		case DBGOPT_KERNEL:     /* --debug-kernel, --debug-klips */
-		case DBGOPT_DNS:        /* --debug-dns */
-		case DBGOPT_NATT:       /* --debug-natt */
-		case DBGOPT_OPPO:       /* --debug-oppo */
-		case DBGOPT_CONTROLMORE: /* --debug-controlmore */
-		case DBGOPT_PRIVATE:    /* --debug-private */
-		case DBGOPT_IMPAIR_DELAY_ADNS_KEY_ANSWER:       /* --impair-delay-adns-key-answer */
-		case DBGOPT_IMPAIR_DELAY_ADNS_TXT_ANSWER:       /* --impair-delay-adns-txt-answer */
-		case DBGOPT_IMPAIR_BUST_MI2:    /* --impair_bust_mi2 */
-		case DBGOPT_IMPAIR_BUST_MR2:    /* --impair_bust_mr2 */
-			msg.debugging |= LELEM(c-DBGOPT_RAW);
-			continue;
-#endif
-		default:
-			assert(FALSE);      /* unknown return value */
-		}
-		break;
-	}
-
-	if (optind != argc)
-	{
-		/* If you see this message unexpectedly, perhaps the
-		 * case for the previous option ended with "break"
-		 * instead of "continue"
-		 */
-		diagq("unexpected argument", argv[optind]);
-	}
-
-	/* For each possible form of the command, figure out if an argument
-	 * suggests whether that form was intended, and if so, whether all
-	 * required information was supplied.
-	 */
-
-	/* check opportunistic initiation simulation request */
-	switch (opts_seen & (LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE)))
-	{
-	case LELEM(OPT_OPPO_HERE):
-	case LELEM(OPT_OPPO_THERE):
-		diag("--oppohere and --oppothere must be used together");
-		/*NOTREACHED*/
-	case LELEM(OPT_OPPO_HERE) | LELEM(OPT_OPPO_THERE):
-		msg.whack_oppo_initiate = TRUE;
-		if (LIN(cd_seen, LELEM(CD_TUNNELIPV4 - CD_FIRST) | LELEM(CD_TUNNELIPV6 - CD_FIRST)))
-			opts_seen &= ~LELEM(OPT_CD);
-		break;
-	}
-
-	/* check leases */
-	if (LHAS(opts_seen, OPT_LEASEADDR) && LHAS(opts_seen, OPT_LEASEID))
-	{
-		diag("--lease-addr and --lease-id cannot be used together");
-	}
-
-	/* check connection description */
-	if (LHAS(opts_seen, OPT_CD))
-	{
-		if (!LHAS(cd_seen, CD_TO-CD_FIRST))
-			diag("connection description option, but no --to");
-
-		if (!LHAS(end_seen, END_HOST-END_FIRST))
-			diag("connection missing --host after --to");
-
-		if (isanyaddr(&msg.left.host_addr)
-		&& isanyaddr(&msg.right.host_addr))
-			diag("hosts cannot both be 0.0.0.0 or 0::0");
-
-		if (msg.policy & POLICY_OPPO)
-		{
-			if ((msg.policy & (POLICY_PSK | POLICY_PUBKEY)) != POLICY_PUBKEY)
-				diag("only PUBKEY is supported for opportunism");
-			if ((msg.policy & POLICY_PFS) == 0)
-				diag("PFS required for opportunism");
-			if ((msg.policy & POLICY_ENCRYPT) == 0)
-				diag("encryption required for opportunism");
-		}
-
-		check_end(&msg.left, &msg.right, !LHAS(end_seen_before_to, END_NEXTHOP-END_FIRST)
-			, msg.addr_family, msg.tunnel_addr_family);
-
-		check_end(&msg.right, &msg.left, !LHAS(end_seen, END_NEXTHOP-END_FIRST)
-			, msg.addr_family, msg.tunnel_addr_family);
-
-		if (subnettypeof(&msg.left.client) != subnettypeof(&msg.right.client))
-			diag("endpoints clash: one is IPv4 and the other is IPv6");
-
-		if (NEVER_NEGOTIATE(msg.policy))
-		{
-			/* we think this is just a shunt (because he didn't specify
-			 * a host authentication method).  If he didn't specify a
-			 * shunt type, he's probably gotten it wrong.
-			 */
-			if ((msg.policy & POLICY_SHUNT_MASK) == POLICY_SHUNT_TRAP)
-				diag("non-shunt connection must have --psk or --rsasig or both");
-		}
-		else
-		{
-			/* not just a shunt: a real ipsec connection */
-			if ((msg.policy & POLICY_ID_AUTH_MASK) == LEMPTY)
-				diag("must specify --rsasig or --psk for a connection");
-
-			if (!HAS_IPSEC_POLICY(msg.policy)
-			&& (msg.left.has_client || msg.right.has_client))
-				diag("must not specify clients for ISAKMP-only connection");
-		}
-
-		msg.whack_connection = TRUE;
-	}
-
-	/* decide whether --name is mandatory or forbidden */
-	if (!LDISJOINT(opts_seen
-	, LELEM(OPT_ROUTE) | LELEM(OPT_UNROUTE)
-	| LELEM(OPT_INITIATE) | LELEM(OPT_TERMINATE)
-	| LELEM(OPT_DELETE) | LELEM(OPT_CD)))
-	{
-		if (!LHAS(opts_seen, OPT_NAME) && !msg.whack_ca)
-			diag("missing --name <connection_name>");
-	}
-	else if (!msg.whack_options && !msg.whack_status && !msg.whack_leases)
-	{
-		if (LHAS(opts_seen, OPT_NAME))
-			diag("no reason for --name");
-	}
-
-	if (!LDISJOINT(opts_seen, LELEM(OPT_PUBKEYRSA) | LELEM(OPT_ADDKEY)))
-	{
-		if (!LHAS(opts_seen, OPT_KEYID))
-			diag("--addkey and --pubkeyrsa require --keyid");
-	}
-
-	if (!(msg.whack_connection || msg.whack_key || msg.whack_myid
-	|| msg.whack_delete || msg.whack_deletestate
-	|| msg.whack_initiate || msg.whack_oppo_initiate || msg.whack_terminate
-	|| msg.whack_route || msg.whack_unroute || msg.whack_listen
-	|| msg.whack_unlisten || msg.whack_list || msg.whack_purgeocsp
-	|| msg.whack_reread || msg.whack_ca || msg.whack_status
-	|| msg.whack_options || msg.whack_shutdown || msg.whack_sc_op
-	|| msg.whack_leases))
-	{
-		diag("no action specified; try --help for hints");
-	}
-
-	update_ports(&msg);
-
-	/* tricky quick and dirty check for wild values */
-	if (msg.sa_rekey_margin != 0
-	&& msg.sa_rekey_fuzz * msg.sa_rekey_margin * 4 / msg.sa_rekey_margin / 4
-	 != msg.sa_rekey_fuzz)
-		diag("rekeymargin or rekeyfuzz values are so large that they cause oveflow");
-
-	check_life_time (msg.sa_ike_life_seconds, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
-		, "ikelifetime", &msg);
-
-	check_life_time(msg.sa_ipsec_life_seconds, SA_LIFE_DURATION_MAXIMUM
-		, "ipseclifetime", &msg);
-
-	if (msg.dpd_action == DPD_ACTION_UNKNOWN)
-		diag("dpdaction must be \"none\", \"clear\", \"hold\" or \"restart\"");
-
-	if (msg.dpd_action != DPD_ACTION_NONE)
-	{
-		if (msg.dpd_delay <= 0)
-			diag("dpddelay must be larger than zero");
-
-		if (msg.dpd_timeout <= 0)
-			diag("dpdtimeout must be larger than zero");
-
-		if (msg.dpd_timeout <= msg.dpd_delay)
-			diag("dpdtimeout must be larger than dpddelay");
-	}
-
-	/* pack strings for inclusion in message */
-	next_str = msg.string;
-	str_roof = &msg.string[sizeof(msg.string)];
-
-	/* build esp message as esp="<esp>;<pfsgroup>" */
-	if (msg.pfsgroup) {
-			snprintf(esp_buf, sizeof (esp_buf), "%s;%s",
-					msg.esp ? msg.esp : "",
-					msg.pfsgroup ? msg.pfsgroup : "");
-			msg.esp=esp_buf;
-	}
-	if (!pack_str(&msg.name)             /* string  1 */
-	||  !pack_str(&msg.left.id)          /* string  2 */
-	||  !pack_str(&msg.left.cert)        /* string  3 */
-	||  !pack_str(&msg.left.ca)          /* string  4 */
-	||  !pack_str(&msg.left.groups)      /* string  5 */
-	||  !pack_str(&msg.left.updown)      /* string  6 */
-	||  !pack_str(&msg.left.sourceip)    /* string  7 */
-	||  !pack_str(&msg.left.virt)        /* string  8 */
-	||  !pack_str(&msg.right.id)         /* string  9 */
-	||  !pack_str(&msg.right.cert)       /* string 10 */
-	||  !pack_str(&msg.right.ca)         /* string 11 */
-	||  !pack_str(&msg.right.groups)     /* string 12 */
-	||  !pack_str(&msg.right.updown)     /* string 13 */
-	||  !pack_str(&msg.right.sourceip)   /* string 14 */
-	||  !pack_str(&msg.right.virt)       /* string 15 */
-	||  !pack_str(&msg.keyid)            /* string 16 */
-	||  !pack_str(&msg.myid)             /* string 17 */
-	||  !pack_str(&msg.cacert)           /* string 18 */
-	||  !pack_str(&msg.ldaphost)         /* string 19 */
-	||  !pack_str(&msg.ldapbase)         /* string 20 */
-	||  !pack_str(&msg.crluri)           /* string 21 */
-	||  !pack_str(&msg.crluri2)          /* string 22 */
-	||  !pack_str(&msg.ocspuri)          /* string 23 */
-	||  !pack_str(&msg.ike)              /* string 24 */
-	||  !pack_str(&msg.esp)              /* string 25 */
-	||  !pack_str(&msg.sc_data)          /* string 26 */
-	||  !pack_str(&msg.whack_lease_ip)   /* string 27 */
-	||  !pack_str(&msg.whack_lease_id)   /* string 28 */
-	||  !pack_str(&msg.xauth_identity)   /* string 29 */
-	||  str_roof - next_str < (ptrdiff_t)msg.keyval.len)
-		diag("too many bytes of strings to fit in message to pluto");
-
-	memcpy(next_str, msg.keyval.ptr, msg.keyval.len);
-	msg.keyval.ptr = NULL;
-	next_str += msg.keyval.len;
-
-	msg.magic = ((opts_seen & ~LELEM(OPT_SHUTDOWN))
-				| sc_seen | lst_seen | cd_seen | ca_seen) != LEMPTY
-			|| msg.whack_options
-		? WHACK_MAGIC : WHACK_BASIC_MAGIC;
-
-	/* send message to Pluto */
-	if (access(ctl_addr.sun_path, R_OK | W_OK) < 0)
-	{
-		int e = errno;
-
-		switch (e)
-		{
-		case EACCES:
-			fprintf(stderr, "whack: no right to communicate with pluto (access(\"%s\"))\n"
-				, ctl_addr.sun_path);
-			break;
-		case ENOENT:
-			fprintf(stderr, "whack: Pluto is not running (no \"%s\")\n"
-				, ctl_addr.sun_path);
-			break;
-		default:
-			fprintf(stderr, "whack: access(\"%s\") failed with %d %s\n"
-				, ctl_addr.sun_path, errno, strerror(e));
-			break;
-		}
-		whack_exit(RC_WHACK_PROBLEM);
-	}
-	else
-	{
-		int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-		int exit_status = 0;
-		ssize_t len = next_str - (char *)&msg;
-
-		if (sock == -1)
-		{
-			int e = errno;
-
-			fprintf(stderr, "whack: socket() failed (%d %s)\n", e, strerror(e));
-			whack_exit(RC_WHACK_PROBLEM);
-		}
-
-		if (connect(sock, (struct sockaddr *)&ctl_addr
-		, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
-		{
-			int e = errno;
-
-			fprintf(stderr, "whack:%s connect() for \"%s\" failed (%d %s)\n"
-				, e == ECONNREFUSED? " is Pluto running? " : ""
-				, ctl_addr.sun_path, e, strerror(e));
-			whack_exit(RC_WHACK_PROBLEM);
-		}
-
-		if (write(sock, &msg, len) != len)
-		{
-			int e = errno;
-
-			fprintf(stderr, "whack: write() failed (%d %s)\n", e, strerror(e));
-			whack_exit(RC_WHACK_PROBLEM);
-		}
-
-		/* for now, just copy reply back to stdout */
-
-		{
-			char buf[4097];     /* arbitrary limit on log line length */
-			char *be = buf;
-
-			for (;;)
-			{
-				char *ls = buf;
-				ssize_t rl = read(sock, be, (buf + sizeof(buf)-1) - be);
-
-				if (rl < 0)
-				{
-					int e = errno;
-
-					fprintf(stderr, "whack: read() failed (%d %s)\n", e, strerror(e));
-					whack_exit(RC_WHACK_PROBLEM);
-				}
-				if (rl == 0)
-				{
-					if (be != buf)
-						fprintf(stderr, "whack: last line from pluto too long or unterminated\n");
-					break;
-				}
-
-				be += rl;
-				*be = '\0';
-
-				for (;;)
-				{
-					char *le = strchr(ls, '\n');
-
-					if (le == NULL)
-					{
-						/* move last, partial line to start of buffer */
-						memmove(buf, ls, be-ls);
-						be -= ls - buf;
-						break;
-					}
-
-					le++;       /* include NL in line */
-					ignore_result(write(1, ls, le - ls));
-
-					/* figure out prefix number
-					 * and how it should affect our exit status
-					 */
-					{
-						unsigned long s = strtoul(ls, NULL, 10);
-
-						switch (s)
-						{
-						case RC_COMMENT:
-						case RC_LOG:
-							/* ignore */
-							break;
-						case RC_SUCCESS:
-							/* be happy */
-							exit_status = 0;
-							break;
-						case RC_ENTERSECRET:
-							get_secret(sock);
-							break;
-						/* case RC_LOG_SERIOUS: */
-						default:
-							/* pass through */
-							exit_status = s;
-							break;
-						}
-					}
-					ls = le;
-				}
-			}
-		}
-		whack_exit(exit_status);
-	}
-	return -1; /* should never be reached */
-}
diff --git a/src/whack/whack.h b/src/whack/whack.h
deleted file mode 100644
index c92eaf3cf..000000000
--- a/src/whack/whack.h
+++ /dev/null
@@ -1,352 +0,0 @@
-/* Structure of messages from whack to Pluto proper.
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _WHACK_H
-#define _WHACK_H
-
-#include <freeswan.h>
-
-#include <defs.h>
-#include <constants.h>
-
-/* copy of smartcard operations, defined in smartcard.h */
-#ifndef SC_OP_T
-#define SC_OP_T
-typedef enum {
-	SC_OP_NONE =    0,
-	SC_OP_ENCRYPT = 1,
-	SC_OP_DECRYPT = 2,
-	SC_OP_SIGN =    3,
-} sc_op_t;
-#endif /* SC_OP_T */
-
-/* Since the message remains on one host, native representation is used.
- * Think of this as horizontal microcode: all selected operations are
- * to be done (in the order declared here).
- *
- * MAGIC is used to help detect version mismatches between whack and Pluto.
- * Whenever the interface (i.e. this struct) changes in form or
- * meaning, change this value (probably by changing the last number).
- *
- * If the command only requires basic actions (status or shutdown),
- * it is likely that the relevant part of the message changes less frequently.
- * Whack uses WHACK_BASIC_MAGIC in those cases.
- *
- * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC.
- * Otherwise certain version mismatches will not be detected.
- */
-
-#define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24)
-#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 30)
-
-typedef struct whack_end whack_end_t;
-
-/* struct whack_end is a lot like connection.h's struct end
- * It differs because it is going to be shipped down a socket
- * and because whack is a separate program from pluto.
- */
-struct whack_end {
-	char *id;           /* id string (if any) -- decoded by pluto */
-	char *cert;         /* path string (if any) -- loaded by pluto  */
-	char *ca;           /* distinguished name string (if any) -- parsed by pluto */
-	char *groups;       /* access control groups (if any) -- parsed by pluto */
-	char *sourceip;		/* source IP address or pool identifier -- parsed by pluto */
-	int   sourceip_mask;
-	ip_address host_addr;
-	ip_address host_nexthop;
-	ip_address host_srcip;
-	ip_subnet client;
-	bool key_from_DNS_on_demand;
-	bool has_client;
-	bool has_client_wildcard;
-	bool has_port_wildcard;
-	bool has_srcip;
-	bool has_natip;
-	bool modecfg;
-	bool hostaccess;
-	bool allow_any;
-	certpolicy_t sendcert;
-	char *updown;               /* string */
-	u_int16_t host_port;        /* host order */
-	u_int16_t port;             /* host order */
-	u_int8_t protocol;
-	char *virt;
- };
-
-typedef struct whack_message whack_message_t;
-
-struct whack_message {
-	unsigned int magic;
-
-	/* for WHACK_STATUS: */
-	bool whack_status;
-	bool whack_statusall;
-
-
-	/* for WHACK_SHUTDOWN */
-	bool whack_shutdown;
-
-	/* END OF BASIC COMMANDS
-	 * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
-	 */
-
-	/* name is used in connection, ca and initiate */
-	size_t name_len;    /* string 1 */
-	char *name;
-
-	/* for WHACK_OPTIONS: */
-
-	bool whack_options;
-
-	lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
-
-	/* for WHACK_CONNECTION */
-
-	bool whack_connection;
-	bool whack_async;
-	bool ikev1;
-
-	lset_t policy;
-	time_t sa_ike_life_seconds;
-	time_t sa_ipsec_life_seconds;
-	time_t sa_rekey_margin;
-	unsigned long sa_rekey_fuzz;
-	unsigned long sa_keying_tries;
-
-	/* For DPD 3706 - Dead Peer Detection */
-	time_t dpd_delay;
-	time_t dpd_timeout;
-	dpd_action_t dpd_action;
-
-
-	/* Assign optional fixed reqid and xfrm marks to IPsec SA */
-	u_int32_t reqid;
-	struct {
-		u_int32_t value;
-		u_int32_t mask;
-	} mark_in, mark_out;
-
-	/*  note that each end contains string 2/5.id, string 3/6 cert,
-	 *  and string 4/7 updown
-	 */
-	whack_end_t left;
-	whack_end_t right;
-
-	/* note: if the client is the gateway, the following must be equal */
-	sa_family_t addr_family;    /* between gateways */
-	sa_family_t tunnel_addr_family;     /* between clients */
-
-	char *ike;          /* ike algo string (separated by commas) */
-	char *pfsgroup;     /* pfsgroup will be "encapsulated" in esp string for pluto */
-	char *esp;          /* esp algo string (separated by commas) */
-
-	/* for WHACK_KEY: */
-	bool whack_key;
-	bool whack_addkey;
-	char *keyid;        /* string 8 */
-	enum pubkey_alg pubkey_alg;
-	chunk_t keyval;     /* chunk */
-
-	/* for WHACK_MYID: */
-	bool whack_myid;
-	char *myid; /* string 7 */
-
-	/* for WHACK_ROUTE: */
-	bool whack_route;
-
-	/* for WHACK_UNROUTE: */
-	bool whack_unroute;
-
-	/* for WHACK_INITIATE: */
-	bool whack_initiate;
-
-	/* for WHACK_OPINITIATE */
-	bool whack_oppo_initiate;
-	ip_address oppo_my_client, oppo_peer_client;
-
-	/* for WHACK_TERMINATE: */
-	bool whack_terminate;
-
-	/* for WHACK_DELETE: */
-	bool whack_delete;
-
-	/* for WHACK_DELETESTATE: */
-	bool whack_deletestate;
-	so_serial_t whack_deletestateno;
-
-	/* for WHACK_LEASES: */
-	bool whack_leases;
-	char *whack_lease_ip, *whack_lease_id;
-
-	/* for WHACK_LISTEN: */
-	bool whack_listen, whack_unlisten;
-
-	/* for WHACK_CRASH - note if a remote peer is known to have rebooted */
-	bool whack_crash;
-	ip_address whack_crash_peer;
-
-	/* for WHACK_LIST */
-	bool whack_utc;
-	lset_t whack_list;
-
-	/* for WHACK_PURGEOCSP */
-	bool whack_purgeocsp;
-
-	/* for WHACK_REREAD */
-	u_char whack_reread;
-
-	/* for WHACK_CA */
-	bool whack_ca;
-	bool whack_strict;
-
-	char *cacert;
-	char *ldaphost;
-	char *ldapbase;
-	char *crluri;
-	char *crluri2;
-	char *ocspuri;
-
-	/* for WHACK_SC_OP */
-	sc_op_t whack_sc_op;
-	int inbase, outbase;
-	char *sc_data;
-
-	/* XAUTH user identity */
-	char *xauth_identity;
-
-	/* space for strings (hope there is enough room):
-	 * Note that pointers don't travel on wire.
-	 *  1 connection name
-	 *  2 left's id
-	 *  3 left's cert
-	 *  4 left's ca
-	 *  5 left's groups
-	 *  6 left's updown
-	 *  7 left's source ip
-	 *  8 left's virtual ip ranges
-	 *  9 right's id
-	 * 10 right's cert
-	 * 11 right's ca
-	 * 12 right's groups
-	 * 13 right's updown
-	 * 14 right's source ip
-	 * 15 right's virtual ip ranges
-	 * 16 keyid
-	 * 17 myid
-	 * 18 cacert
-	 * 19 ldaphost
-	 * 20 ldapbase
-	 * 21 crluri
-	 * 22 crluri2
-	 * 23 ocspuri
-	 * 24 ike
-	 * 25 esp
-	 * 26 smartcard data
-	 * 27 whack leases ip argument
-	 * 28 whack leases id argument
-	 * 29 xauth identity
-	 * plus keyval (limit: 8K bits + overhead), a chunk.
-	 */
-	size_t str_size;
-	char string[2048];
-};
-
-/* Codes for status messages returned to whack.
- * These are 3 digit decimal numerals.  The structure
- * is inspired by section 4.2 of RFC959 (FTP).
- * Since these will end up as the exit status of whack, they
- * must be less than 256.
- * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
- */
-enum rc_type {
-	RC_COMMENT,         /* non-commital utterance (does not affect exit status) */
-	RC_WHACK_PROBLEM,   /* whack-detected problem */
-	RC_LOG,             /* message aimed at log (does not affect exit status) */
-	RC_LOG_SERIOUS,     /* serious message aimed at log (does not affect exit status) */
-	RC_SUCCESS,         /* success (exit status 0) */
-
-	/* failure, but not definitive */
-
-	RC_RETRANSMISSION = 10,
-
-	/* improper request */
-
-	RC_DUPNAME = 20,    /* attempt to reuse a connection name */
-	RC_UNKNOWN_NAME,    /* connection name unknown or state number */
-	RC_ORIENT,          /* cannot orient connection: neither end is us */
-	RC_CLASH,           /* clash between two Road Warrior connections OVERLOADED */
-	RC_DEAF,            /* need --listen before --initiate */
-	RC_ROUTE,           /* cannot route */
-	RC_RTBUSY,          /* cannot unroute: route busy */
-	RC_BADID,           /* malformed --id */
-	RC_NOKEY,           /* no key found through DNS */
-	RC_NOPEERIP,        /* cannot initiate when peer IP is unknown */
-	RC_INITSHUNT,       /* cannot initiate a shunt-oly connection */
-	RC_WILDCARD,        /* cannot initiate when ID has wildcards */
-	RC_NOVALIDPIN,      /* cannot initiate without valid PIN */
-
-	/* permanent failure */
-
-	RC_BADWHACKMESSAGE = 30,
-	RC_NORETRANSMISSION,
-	RC_INTERNALERR,
-	RC_OPPOFAILURE,     /* Opportunism failed */
-
-	/* entry of secrets */
-	RC_ENTERSECRET = 40,
-
-	/* progress: start of range for successful state transition.
-	 * Actual value is RC_NEW_STATE plus the new state code.
-	 */
-	RC_NEW_STATE = 100,
-
-	/* start of range for notification.
-	 * Actual value is RC_NOTIFICATION plus code for notification
-	 * that should be generated by this Pluto.
-	 */
-	RC_NOTIFICATION = 200       /* as per IKE notification messages */
-};
-
-/* options of whack --list*** command */
-
-#define LIST_NONE       0x0000  /* don't list anything */
-#define LIST_ALGS       0x0001  /* list all registered IKE algorithms */
-#define LIST_PUBKEYS    0x0002  /* list all public keys */
-#define LIST_CERTS      0x0004  /* list all host/user certs */
-#define LIST_CACERTS    0x0008  /* list all ca certs */
-#define LIST_ACERTS     0x0010  /* list all attribute certs */
-#define LIST_AACERTS    0x0020  /* list all aa certs */
-#define LIST_OCSPCERTS  0x0040  /* list all ocsp certs */
-#define LIST_GROUPS     0x0080  /* list all access control groups */
-#define LIST_CAINFOS    0x0100  /* list all ca information records */
-#define LIST_CRLS       0x0200  /* list all crls */
-#define LIST_OCSP       0x0400  /* list all ocsp cache entries */
-#define LIST_CARDS      0x0800  /* list all smartcard records */
-#define LIST_PLUGINS    0x1000  /* list all plugins with dependencies */
-
-#define LIST_ALL        LRANGES(LIST_ALGS, LIST_PLUGINS) /* all list options */
-
-/* options of whack --reread*** command */
-
-#define REREAD_NONE       0x00  /* don't reread anything */
-#define REREAD_SECRETS    0x01  /* reread /etc/ipsec.secrets */
-#define REREAD_CACERTS    0x02  /* reread certs in /etc/ipsec.d/cacerts */
-#define REREAD_AACERTS    0x04  /* reread certs in /etc/ipsec.d/aacerts */
-#define REREAD_OCSPCERTS  0x08  /* reread certs in /etc/ipsec.d/ocspcerts */
-#define REREAD_ACERTS     0x10  /* reread certs in /etc/ipsec.d/acerts */
-#define REREAD_CRLS       0x20  /* reread crls in /etc/ipsec.d/crls */
-
-#define REREAD_ALL      LRANGES(REREAD_SECRETS, REREAD_CRLS)  /* all reread options */
-
-#endif /* _WHACK_H */
diff --git a/testing/INSTALL b/testing/INSTALL
deleted file mode 100644
index bb4272eaf..000000000
--- a/testing/INSTALL
+++ /dev/null
@@ -1,145 +0,0 @@
-
-                 -------------------------------
-	          strongSwan UML - Installation
-                 -------------------------------
-
-
-Contents
---------
-
-   1. Making the host system UML-capable
-   2. Installing the required files
-   3. Creating the UML testing environment
-
-
-1. Making the host system UML-capable
-   ----------------------------------
-
-   UML instances can be run on both Linux 2.4 and Linux 2.6 kernels.
-   If you are using a vanilla kernel from kernel.org then you must first
-   apply the host SKAS patch available from
-
-    http://www.user-mode-linux.org/~blaisorblade/patches/
-
-   and recompile and reboot your host kernel. Some Linux distributions as e.g.
-   SuSE already include the SKAS patch in their kernels.
-
-   You will also need the UML utilities (uml_mconsole and uml_switch)
-   available from
-
-   http://prdownloads.sourceforge.net/user-mode-linux/uml_utilities_20040406.tar.bz2
-
-   Many Linux distributions offer the UML utilities as a package.
-
-
-2. Installing the required files
-   -----------------------------
-
-First create a directory where you want the strongSwan UML testing environment
-to be located.The default directory is "~/strongswan-testing". If you choose a
-different location, please adapt the UMLTESTDIR variable in "testing.conf"
-accordingly.
-
-    mkdir ~/strongswan-testing
-
-Now copy the "testing" subdirectory coming with the strongSwan distribution to
-the UML testing environment:
-
-    cp -r testing ~/strongswan-testing
-   
-Next you need to copy several files into the ~/strongswan-testing directory that
-are required for the strongSwan testing environment:
-
-    * A vanilla Linux kernel on which the UML kernel will be based on.
-      We recommend the use of
-
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.bz2
-
-    * The Linux kernel 2.6.36 does not require any patches for the uml guest kernel
-      to successfully start up.
-
-    * The matching .config file required to compile the UML kernel:
-
-      http://download.strongswan.org/uml/.config-2.6.36
-
-    * A gentoo-based UML file system (compressed size 130 MBytes) found at
-
-      http://download.strongswan.org/uml/gentoo-fs-20100830.tar.bz2
-
-    * The latest strongSwan distribution
-
-      http://download.strongswan.org/strongswan-4.5.1.tar.bz2
-
-
-3. Creating the environment
-   ------------------------
-
-Now change into the testing subdirectory
-
-    cd ~/strongswan-testing/testing
-
-and make the UML testing environment:
-
-    ./make-testing <hosts>
-
-The "make-testing" script calls a series of subscripts which can be
-enabled or disabled individually by setting the corresponding flags
-in "testing.conf":
-
-    if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
-    then
-        scripts/build-umlkernel
-    fi
-
-builds an UML kernel out of the vanilla Linux kernel and the corresponding
-UML kernel patch.
-
-    if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
-    then
-        scripts/build-hostconfig
-    fi
-
-generates the default configurations for the UML hosts alice, venus, moon,
-carol, winnetou, dave, sun, and bob by replacing the wildcards PH_IP_ALICE,
-etc. by the actual IP addresses defined in "testing.conf".
-
-    if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
-    then
-        scripts/build-umlrootfs
-    fi
-
-takes the gentoo-based UML file system and compiles the latest strongSwan
-distribution into it.
-
-    if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
-    then
-        scripts/build-sshkeys
-    fi
-
-adds the common RSA public key of the UML instances to your ~/.ssh/known_hosts
-directory so that you can log onto the UML instances using ssh without typing
-in a password. The "scripts/build-sshkeys" script should only be run once.
-
-    if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
-    then
-        scripts/build-umlhostfs <hosts>
-    fi
-
-creates the customized UML file systems for the instances given as command line 
-arguments by adding the default host configurations to the UML root file system.
-If the "make-starting" scripts is called without any arguments then by default
-the UML file systems are created for the hosts alice, venus, moon, carol,
-winnetou, dave, sun, and bob. Each UML root file system has as size defined by
-the ROOTFSSIZE in testing.conf which by default is 544 MBytes. Thus all 8 UML
-hosts plus the master copy will require a total of 5 GBytes of disk space.
-
-    if [ $ENABLE_START_TESTING = "yes" ]
-    then
-       ./start-testing <hosts>
-    fi
-
-starts the automated testing. More details on the tests you'll find in the
-README document.
-
------------------------------------------------------------------------------
-
diff --git a/testing/Makefile.am b/testing/Makefile.am
index 2aa7d70bc..305bf7f72 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -1,11 +1,4 @@
-noinst_SCRIPTS = do-tests
-CLEANFILES = do-tests
-EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf ssh_config hosts images scripts tests INSTALL README
-
-do-tests : do-tests.in
-	sed \
-	-e "s:\@routing_table\@:$(routing_table):" \
-	$(srcdir)/$@.in > $@
-	chmod +x $@
+EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+             testing.conf ssh_config config hosts images scripts tests \
+			 README
 
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 883a8cbc2..c1f3e6269 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,8 +14,24 @@
 # PARTICULAR PURPOSE.
 
 @SET_MAKE@
-
 VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -35,8 +51,7 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = testing
-DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
-	INSTALL
+DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -46,34 +61,52 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-SCRIPTS = $(noinst_SCRIPTS)
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BFDLIB = @BFDLIB@
 BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
@@ -82,13 +115,16 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -101,6 +137,7 @@ LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MYSQLCFLAG = @MYSQLCFLAG@
 MYSQLCONFIG = @MYSQLCONFIG@
@@ -128,11 +165,13 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -140,6 +179,7 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
@@ -148,8 +188,6 @@ am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -158,14 +196,19 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 h_plugins = @h_plugins@
@@ -179,17 +222,17 @@ imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
 maemo_CFLAGS = @maemo_CFLAGS@
 maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
@@ -199,16 +242,15 @@ mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
@@ -236,10 +278,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-noinst_SCRIPTS = do-tests
-CLEANFILES = do-tests
-EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf ssh_config hosts images scripts tests INSTALL README
+EXTRA_DIST = do-tests make-testing start-testing stop-testing \
+             testing.conf ssh_config config hosts images scripts tests \
+			 README
 
 all: all-am
 
@@ -319,7 +360,7 @@ distdir: $(DISTFILES)
 	done
 check-am: all-am
 check: check-am
-all-am: Makefile $(SCRIPTS)
+all-am: Makefile
 installdirs:
 install: install-am
 install-exec: install-exec-am
@@ -331,14 +372,18 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -427,12 +472,6 @@ uninstall-am:
 	mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am
 
 
-do-tests : do-tests.in
-	sed \
-	-e "s:\@routing_table\@:$(routing_table):" \
-	$(srcdir)/$@.in > $@
-	chmod +x $@
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/testing/README b/testing/README
index 097b4264d..a62497269 100644
--- a/testing/README
+++ b/testing/README
@@ -1,158 +1,88 @@
 
-                 ------------------------------------
-	          strongSwan UML - Running the Tests
-                 ------------------------------------
+                 ------------------------------
+                  strongSwan Integration Tests
+                 ------------------------------
 
 
 Contents
 --------
 
-   1. Starting up the UML testing environment
-   2. Running the automated tests
-   3. Manual testing
+   1. Building the testing environment
+   2. Starting up the testing environment
+   3. Running the automated tests
+   4. Manual testing
 
 
-1. Starting up the UML testing environment
-   ---------------------------------------
-  
-When the strongSwan UML testing environment has been put into place by
-running the "make-testing" script then you are ready to start up the
-UML instances by calling
+1. Building the testing environment
+   --------------------------------
 
-    ./start-testing <hosts>
-    
-This main script first calls the subscript
+The testing environment can be built with the "make-testing" script after
+adjusting the variables in the testing.conf file.  By default everything is
+built when executing the script.  Setting any of the ENABLE_BUILD_* variables
+in the configuration file to "no" will not build those parts.
 
-    scripts/start-switches
 
-that starts the three UML switches umlswitch0, umlswitch1, and umlswitch2
-which are connecting the UML instances among each other and via tun/tap
-devices also make them accessible from the host system.
-      
-Then depending on the setting of the UMLSTARTMODE variable defined
-in "testing.conf", the UML instances given on the command line are started
-up with different terminals:
+2. Starting up the testing environment
+   -----------------------------------
 
-If you are running the KDE graphical environment then by setting
+When the strongSwan testing environment has been put into place by running
+the "make-testing" script you are ready to start up the KVM instances by
+executing the "start-testing" script.
 
-    UMLSTARTMODE=konsole
-    
-the script
 
-    scripts/kstart-umls <hosts>
-     
-is called which starts up each of the UML instances defined by <hosts> in
-a KDE konsole. If
-
-    UMLSTARTMODE=xterm
-
-is set then
- 
-    scripts/xstart-umls <hosts>
-    
-starts up the UML instances in an xterm each. And with the choice
-
-    UMLSTARTMODE=screen
-   
-the instances are started up by
-
-    scripts/start-umls <hosts>
-    
-in the background but the Linux command "screen -r <host>" can be used to
-connect a terminal to the UML instance <host> if desired.
-
-
-    if [ $ENABLE_DO_TESTS = "yes" ]
-    then
-        do-tests
-    fi
-
-either executes all the tests defined in the "testing/tests" directory
-if the variable SELECTEDTESTSONLY in "testing.conf" is set to "no" or the
-selected tests defined by the string in SELELECTEDTESTS if SELECTEDTESTSONLY
-is set to "yes".
-
-    if [ $ENABLE_STOP_TESTING = "yes" ]
-    then
-        stop-testing <hosts>
-    fi
-
-stops the both the UML switches and the UML instances designated by the
-<hosts> argument.
-
-
-2. Running the automated tests
+3. Running the automated tests
    ---------------------------
 
 The script
 
     ./do-tests <testnames>
 
-runs the automated tests. With an empty <testnames> argument the tests
-as defined in "testing.conf" are executed, otherwise the tests enumerated
-by the <testnames> argument will be run as shown in the example below.
+runs the automated tests.  If the <testnames> argument is omitted all tests
+are executed, otherwise only the tests listed will be run as shown in the
+example below:
 
-    ./do-tests net2net-psk net2net-cert
+    ./do-tests ikev2/net2net-psk ikev2/net2net-cert
 
 Each test is divided into the following phases:
 
-    * scripts/load-testconfig <testname>
-      loads the UML hosts with test specific settings if such are provided.
-      
-    * next the "pretest.dat" script found in each test directory is executed.
-      Among other commands, strongSwan is started on the IPsec hosts.
+    * Load the test-specific guest configuration if any is provided.
 
-    * the "evaltest.dat" script evaluates if the test has been successful.
-      
-    * the "posttest.dat" script terminates the test e.g. by stopping
-      strongSwan on the IPsec hosts.
+    * Next the "pretest.dat" script found in each test directory is executed.
+      Among other commands, strongSwan is started on the IPsec hosts.
 
-    * scripts/restore-defaults <testname>
-      restores the default settings on the UML hosts.
+    * The "evaltest.dat" script evaluates if the test has been successful.
 
-The test results and configuration settings for all tests settings are stored
-in a folder labeled with the current date in the directory
-  
-    ~/strongswan-testing/testresults
-     
-the same results are also automatically transferred to the Apache server
-running on UML instance "winnetou" and can be accessed via the URL
+    * The "posttest.dat" script terminates the test e.g. by stopping
+      strongSwan on the IPsec hosts.  It is also responsible to cleaning up
+      things (e.g. firewall rules) set up in "pretest.dat".
 
-    http://192.168.0.150/testresults/
+    * Restore the default configuration on every host (new files have to be
+      deleted manually in "posttest.dat").
 
+The test results and configuration files for all tests are stored in a
+folder labeled with the current date and time in the $TESTRESULTSDIR directory.
 
-3. Manual testing
-   --------------
-   
-The greates flexibility can be achieved with manual testing. Just set
-   
-    ENABLE_DO_TESTS="no"
-    ENABLE_STOP_TESTING="no"
-       
-in "testing.conf" and start the UML instances that you want to experiment with
-by calling
+The same results are also automatically transferred to the Apache server
+running on guest "winnetou" and can be accessed via the URL
 
-    ./start-testing <hosts>
-    
-If you want to preload a test scenario with configurations differing from
-the default values, e.g. when using Preshared Keys then you can do this
-with the command
+    http://192.168.0.150/testresults/
 
-    scripts/load-testconfig net2net-psk
-    
-You can then log onto any UML instance using its konsole, xterm or screen
-terminal as root with the default password
 
-    tuxmux
-    
-You can then execute any commands the UML instances, including changing
-and recompiling the strongSwan source code located in the /root directory.
+4. Manual testing
+   --------------
 
-After you have finished testing, the default configuration settings can
-restored with the command
+Instead of running tests automatically with "do-tests" it is possible to
+preload a test scenario with the script:
 
-    scripts/restore-defaults net2net-psk
+    scripts/load-testconfig <testname>
 
+Individual configuration files can be changed and any command can be executed by
+logging into a guest host directly (via SSH or a console window).  No password
+is required to login as root.  The sources for every software built during
+"make-testing" are mounted at /root/shared/, which allows you to change and
+recompile these components.
 
------------------------------------------------------------------------------
+After you have finished testing, the default configuration can be restored
+with the following command (newly created files have to be deleted manually)
 
+    scripts/restore-defaults
diff --git a/testing/config/kernel/config-3.10 b/testing/config/kernel/config-3.10
new file mode 100644
index 000000000..9f0aa895b
--- /dev/null
+++ b/testing/config/kernel/config-3.10
@@ -0,0 +1,1952 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.10.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+CONFIG_UIDGID_CONVERTED=y
+# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HOTPLUG=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_MODULES_USE_ELF_RELA=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+
+#
+# Qualcomm MSM SSBI bus support
+#
+# CONFIG_SSBI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_GPIO_DEVRES=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_BATTERY_GOLDFISH is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_DJ is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_PS3REMOTE is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_PVPANIC is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.5 b/testing/config/kernel/config-3.5
new file mode 100644
index 000000000..9494331eb
--- /dev/null
+++ b/testing/config/kernel/config-3.5
@@ -0,0 +1,1817 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.5.3 Kernel Configuration
+#
+CONFIG_64BIT=y
+# CONFIG_X86_32 is not set
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_FHANDLE is not set
+# CONFIG_TASKSTATS is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+# CONFIG_INLINE_SPIN_TRYLOCK is not set
+# CONFIG_INLINE_SPIN_TRYLOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK is not set
+# CONFIG_INLINE_SPIN_LOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQ is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQSAVE is not set
+# CONFIG_INLINE_SPIN_UNLOCK_BH is not set
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+# CONFIG_INLINE_SPIN_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_READ_TRYLOCK is not set
+# CONFIG_INLINE_READ_LOCK is not set
+# CONFIG_INLINE_READ_LOCK_BH is not set
+# CONFIG_INLINE_READ_LOCK_IRQ is not set
+# CONFIG_INLINE_READ_LOCK_IRQSAVE is not set
+CONFIG_INLINE_READ_UNLOCK=y
+# CONFIG_INLINE_READ_UNLOCK_BH is not set
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+# CONFIG_INLINE_READ_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_WRITE_TRYLOCK is not set
+# CONFIG_INLINE_WRITE_LOCK is not set
+# CONFIG_INLINE_WRITE_LOCK_BH is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQ is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQSAVE is not set
+CONFIG_INLINE_WRITE_UNLOCK=y
+# CONFIG_INLINE_WRITE_UNLOCK_BH is not set
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+# CONFIG_INLINE_WRITE_UNLOCK_IRQRESTORE is not set
+# CONFIG_MUTEX_SPIN_ON_OWNER is not set
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_CLOCK=y
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_CMPXCHG=y
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_XADD=y
+CONFIG_X86_WP_WORKS_OK=y
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_BGRT is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_COMPAT_FOR_U64_ALIGNMENT is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+# CONFIG_IPV6_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+# CONFIG_NETFILTER_XT_TARGET_CT is not set
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+# CONFIG_NF_NAT_SIP is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+
+#
+# DRBD disabled because PROC_FS, INET or CONNECTOR not selected
+#
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_OMAP4 is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_XILINX_PS_UART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+
+#
+# Enable Device Drivers -> PPS to see the PTP clock options.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_RING=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_APPLE_GMUX is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_X86_64 is not set
+# CONFIG_CRYPTO_AES_NI_INTEL is not set
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set
+CONFIG_CRYPTO_CAMELLIA=y
+# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+# CONFIG_CRYPTO_SALSA20_X86_64 is not set
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+# CONFIG_CRYPTO_TWOFISH_X86_64 is not set
+# CONFIG_CRYPTO_TWOFISH_X86_64_3WAY is not set
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+# CONFIG_CRYPTO_LZO is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.6 b/testing/config/kernel/config-3.6
new file mode 100644
index 000000000..8755bf772
--- /dev/null
+++ b/testing/config/kernel/config-3.6
@@ -0,0 +1,1830 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.6.11 Kernel Configuration
+#
+CONFIG_64BIT=y
+# CONFIG_X86_32 is not set
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_FHANDLE is not set
+# CONFIG_TASKSTATS is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+# CONFIG_INLINE_SPIN_TRYLOCK is not set
+# CONFIG_INLINE_SPIN_TRYLOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK is not set
+# CONFIG_INLINE_SPIN_LOCK_BH is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQ is not set
+# CONFIG_INLINE_SPIN_LOCK_IRQSAVE is not set
+# CONFIG_INLINE_SPIN_UNLOCK_BH is not set
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+# CONFIG_INLINE_SPIN_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_READ_TRYLOCK is not set
+# CONFIG_INLINE_READ_LOCK is not set
+# CONFIG_INLINE_READ_LOCK_BH is not set
+# CONFIG_INLINE_READ_LOCK_IRQ is not set
+# CONFIG_INLINE_READ_LOCK_IRQSAVE is not set
+CONFIG_INLINE_READ_UNLOCK=y
+# CONFIG_INLINE_READ_UNLOCK_BH is not set
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+# CONFIG_INLINE_READ_UNLOCK_IRQRESTORE is not set
+# CONFIG_INLINE_WRITE_TRYLOCK is not set
+# CONFIG_INLINE_WRITE_LOCK is not set
+# CONFIG_INLINE_WRITE_LOCK_BH is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQ is not set
+# CONFIG_INLINE_WRITE_LOCK_IRQSAVE is not set
+CONFIG_INLINE_WRITE_UNLOCK=y
+# CONFIG_INLINE_WRITE_UNLOCK_BH is not set
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+# CONFIG_INLINE_WRITE_UNLOCK_IRQRESTORE is not set
+# CONFIG_MUTEX_SPIN_ON_OWNER is not set
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_CLOCK=y
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_CMPXCHG=y
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_XADD=y
+CONFIG_X86_WP_WORKS_OK=y
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_BGRT is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_COMPAT_FOR_U64_ALIGNMENT is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+# CONFIG_IPV6_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+# CONFIG_NETFILTER_XT_TARGET_CT is not set
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+# CONFIG_NF_NAT_SIP is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+
+#
+# DRBD disabled because PROC_FS, INET or CONNECTOR not selected
+#
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_OMAP4 is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_XILINX_PS_UART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+
+#
+# Enable Device Drivers -> PPS to see the PTP clock options.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_RING=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_HARDLOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+# CONFIG_CRYPTO_AES_X86_64 is not set
+# CONFIG_CRYPTO_AES_NI_INTEL is not set
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+# CONFIG_CRYPTO_BLOWFISH_X86_64 is not set
+CONFIG_CRYPTO_CAMELLIA=y
+# CONFIG_CRYPTO_CAMELLIA_X86_64 is not set
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+# CONFIG_CRYPTO_SALSA20_X86_64 is not set
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+# CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+# CONFIG_CRYPTO_LZO is not set
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.8 b/testing/config/kernel/config-3.8
new file mode 100644
index 000000000..bbd423ecf
--- /dev/null
+++ b/testing/config/kernel/config-3.8
@@ -0,0 +1,1863 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86_64 3.8.1 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_HAVE_IRQ_WORK=y
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_EXPERIMENTAL=y
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_GENERIC_SIGALTSTACK=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_INITRD_TABLE_OVERRIDE is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_QUEUE=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_WAN_ROUTER is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_ZNET is not set
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+# CONFIG_SEEQ8005 is not set
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_FAIR_SHARE is not set
+CONFIG_STEP_WISE=y
+# CONFIG_USER_SPACE is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_STUB_POULSBO is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers (EXPERIMENTAL)
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers (EXPERIMENTAL)
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_PERCPU_RWSEM=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kernel/config-3.9 b/testing/config/kernel/config-3.9
new file mode 100644
index 000000000..e42cd049b
--- /dev/null
+++ b/testing/config/kernel/config-3.9
@@ -0,0 +1,1892 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.9.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_DEFAULT_IDLE=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CPU_AUTOPROBE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+# CONFIG_FHANDLE is not set
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_GENERIC_HARDIRQS=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_HARDIRQS=y
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+CONFIG_UIDGID_CONVERTED=y
+# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+# CONFIG_EXPERT is not set
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_HOTPLUG=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_MODULES_USE_ELF_RELA=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_PARAVIRT_GUEST=y
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+# CONFIG_XEN is not set
+# CONFIG_XEN_PRIVILEGED_GUEST is not set
+CONFIG_KVM_GUEST=y
+CONFIG_PARAVIRT=y
+CONFIG_PARAVIRT_CLOCK=y
+# CONFIG_PARAVIRT_DEBUG is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_CC_STACKPROTECTOR is not set
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_PROC_EVENT=y
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_BLACKLIST_YEAR=0
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+CONFIG_CPU_IDLE=y
+# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_ARCH_SUPPORTS_MSI=y
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_HAVE_TEXT_POKE_SMP=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+# CONFIG_ARPD is not set
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_PRIVACY is not set
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NETFILTER_TPROXY is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_DA is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_INTEL_MID_PTI is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ATMEL_SSC is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_VMWARE_BALLOON is not set
+# CONFIG_PCH_PHUB is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_MII is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_ARM_AT91_ETHER is not set
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+# CONFIG_NET_CALXEDA_XGMAC is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_PCH_GBE is not set
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+CONFIG_WLAN=y
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+# CONFIG_INPUT_EVDEV is not set
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+CONFIG_FIX_EARLYCON_MEM=y
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_TIMBERDALE is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_PCH_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_RTC is not set
+# CONFIG_GEN_RTC is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_PTP_1588_CLOCK_PCH is not set
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+CONFIG_GPIO_DEVRES=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_BATTERY_GOLDFISH is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+# CONFIG_SENSORS_APPLESMC is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+# CONFIG_VGASTATE is not set
+# CONFIG_VIDEO_OUTPUT_CONTROL is not set
+# CONFIG_FB is not set
+# CONFIG_EXYNOS_VIDEO is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_USB_ARCH_HAS_OHCI=y
+CONFIG_USB_ARCH_HAS_EHCI=y
+CONFIG_USB_ARCH_HAS_XHCI=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+# CONFIG_OMAP_USB3 is not set
+# CONFIG_OMAP_CONTROL_USB is not set
+# CONFIG_USB_GADGET is not set
+
+#
+# OTG and related infrastructure
+#
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_XO15_EBOOK is not set
+# CONFIG_SAMSUNG_Q10 is not set
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_VIRT_DRIVERS is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+# CONFIG_PRINTK_TIME is not set
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_MAGIC_SYSRQ is not set
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_DEBUG_KERNEL=y
+# CONFIG_DEBUG_SHIRQ is not set
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_TIMER_STATS is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_WRITECOUNT is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER_X86=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+# CONFIG_AVERAGE is not set
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
diff --git a/testing/config/kvm/alice.xml b/testing/config/kvm/alice.xml
new file mode 100644
index 000000000..620ce5116
--- /dev/null
+++ b/testing/config/kvm/alice.xml
@@ -0,0 +1,72 @@
+<domain type='kvm'>
+  <name>alice</name>
+  <uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/alice.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:9a:e2:de'/>
+      <source network='vnet2'/>
+      <target dev='alice-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <interface type='network'>
+      <mac address='52:54:00:3b:0c:d7'/>
+      <source network='vnet1'/>
+      <target dev='alice-eth1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/bob.xml b/testing/config/kvm/bob.xml
new file mode 100644
index 000000000..caa1631cf
--- /dev/null
+++ b/testing/config/kvm/bob.xml
@@ -0,0 +1,65 @@
+<domain type='kvm'>
+  <name>bob</name>
+  <uuid>72728516-377f-f5be-ea1d-b1f1e851538f</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/bob.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:40:85:6b'/>
+      <source network='vnet3'/>
+      <target dev='bob-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/carol.xml b/testing/config/kvm/carol.xml
new file mode 100644
index 000000000..8f768ff5c
--- /dev/null
+++ b/testing/config/kvm/carol.xml
@@ -0,0 +1,65 @@
+<domain type='kvm'>
+  <name>carol</name>
+  <uuid>6bc2eef5-7faf-cde0-5f27-6fc29f93bc3d</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/carol.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:ae:f1:f8'/>
+      <source network='vnet1'/>
+      <target dev='carol-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/dave.xml b/testing/config/kvm/dave.xml
new file mode 100644
index 000000000..3ae1da021
--- /dev/null
+++ b/testing/config/kvm/dave.xml
@@ -0,0 +1,65 @@
+<domain type='kvm'>
+  <name>dave</name>
+  <uuid>05f1debe-4e38-4f3d-10a0-c07fbb70d816</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/dave.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:b9:15:a9'/>
+      <source network='vnet1'/>
+      <target dev='dave-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/moon.xml b/testing/config/kvm/moon.xml
new file mode 100644
index 000000000..975e3cec6
--- /dev/null
+++ b/testing/config/kvm/moon.xml
@@ -0,0 +1,72 @@
+<domain type='kvm'>
+  <name>moon</name>
+  <uuid>b5e00ad3-1c81-3b2a-7f66-cdf8727b3c65</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/moon.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:43:e3:35'/>
+      <source network='vnet2'/>
+      <target dev='moon-eth1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+    </interface>
+    <interface type='network'>
+      <mac address='52:54:00:c7:b8:b0'/>
+      <source network='vnet1'/>
+      <target dev='moon-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/sun.xml b/testing/config/kvm/sun.xml
new file mode 100644
index 000000000..9d05027f9
--- /dev/null
+++ b/testing/config/kvm/sun.xml
@@ -0,0 +1,72 @@
+<domain type='kvm'>
+  <name>sun</name>
+  <uuid>35341843-346c-a63a-786b-9df0fd5e6264</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/sun.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:77:43:ea'/>
+      <source network='vnet1'/>
+      <target dev='sun-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <interface type='network'>
+      <mac address='52:54:00:0f:97:db'/>
+      <source network='vnet3'/>
+      <target dev='sun-eth1'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/venus.xml b/testing/config/kvm/venus.xml
new file mode 100644
index 000000000..7a65ace75
--- /dev/null
+++ b/testing/config/kvm/venus.xml
@@ -0,0 +1,65 @@
+<domain type='kvm'>
+  <name>venus</name>
+  <uuid>f0838df9-7cc0-84f5-6c14-2d16ab002e8d</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/venus.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:69:d3:80'/>
+      <source network='vnet2'/>
+      <target dev='venus-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/config/kvm/vnet1.xml b/testing/config/kvm/vnet1.xml
new file mode 100644
index 000000000..94097ab6f
--- /dev/null
+++ b/testing/config/kvm/vnet1.xml
@@ -0,0 +1,11 @@
+<network>
+  <name>vnet1</name>
+  <uuid>1d6ac7c7-60d9-56c1-a7df-210d3d0cc6d1</uuid>
+  <forward dev='lo' mode='route'>
+    <interface dev='lo'/>
+  </forward>
+  <bridge name='test-br0' stp='on' delay='0' />
+  <mac address='52:54:00:97:F9:FD'/>
+  <ip address='192.168.0.254' netmask='255.255.255.0'>
+  </ip>
+</network>
diff --git a/testing/config/kvm/vnet2.xml b/testing/config/kvm/vnet2.xml
new file mode 100644
index 000000000..b21e7ed1f
--- /dev/null
+++ b/testing/config/kvm/vnet2.xml
@@ -0,0 +1,11 @@
+<network>
+  <name>vnet2</name>
+  <uuid>b5147a7d-e184-5c9e-3838-4621796ba95c</uuid>
+  <forward dev='lo' mode='route'>
+    <interface dev='lo'/>
+  </forward>
+  <bridge name='test-br1' stp='on' delay='0' />
+  <mac address='52:54:00:05:F3:34'/>
+  <ip address='10.1.0.254' netmask='255.255.0.0'>
+  </ip>
+</network>
diff --git a/testing/config/kvm/vnet3.xml b/testing/config/kvm/vnet3.xml
new file mode 100644
index 000000000..f46d9ec09
--- /dev/null
+++ b/testing/config/kvm/vnet3.xml
@@ -0,0 +1,11 @@
+<network>
+  <name>vnet3</name>
+  <uuid>5c537abc-c116-90e9-a0ef-886340d4c356</uuid>
+  <forward dev='lo' mode='route'>
+    <interface dev='lo'/>
+  </forward>
+  <bridge name='test-br2' stp='on' delay='0' />
+  <mac address='52:54:00:62:4C:69'/>
+  <ip address='10.2.0.254' netmask='255.255.0.0'>
+  </ip>
+</network>
diff --git a/testing/config/kvm/winnetou.xml b/testing/config/kvm/winnetou.xml
new file mode 100644
index 000000000..9410c73b8
--- /dev/null
+++ b/testing/config/kvm/winnetou.xml
@@ -0,0 +1,65 @@
+<domain type='kvm'>
+  <name>winnetou</name>
+  <uuid>b1d3d2f7-e20b-ab95-277e-66d4cac33cc3</uuid>
+  <memory unit='KiB'>131072</memory>
+  <currentMemory unit='KiB'>131072</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc'>hvm</type>
+	<kernel>/var/run/kvm-swan-kernel</kernel>
+    <cmdline>root=/dev/vda1 loglevel=1</cmdline>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <emulator>/usr/bin/kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' cache='writethrough'/>
+      <source file='/var/lib/libvirt/images/winnetou.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/run/kvm-swan-hostfs'/>
+      <target dir='/hostshare'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:4b:23:fa'/>
+      <source network='vnet1'/>
+      <target dev='winnetou-eth0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <target port='0'/>
+    </serial>
+    <console type='pty'>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='tablet' bus='usb'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='-1' autoport='yes'/>
+    <sound model='ich6'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </sound>
+    <video>
+      <model type='cirrus' vram='9216' heads='1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/testing/do-tests b/testing/do-tests
new file mode 100755
index 000000000..979cb487f
--- /dev/null
+++ b/testing/do-tests
@@ -0,0 +1,792 @@
+#!/bin/bash
+# Automatically execute the strongSwan test cases
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+SSHCONF="-F $DIR/ssh_config"
+
+[ -d $DIR/hosts ] || die "Directory 'hosts' not found"
+[ -d $DIR/tests ] || die "Directory 'tests' not found"
+[ -d $BUILDDIR ] ||
+	die "Directory '$BUILDDIR' does not exist, please run make-testing first"
+
+ln -sfT $DIR $TESTDIR/testing
+
+##############################################################################
+# take care of new path and file variables
+#
+
+[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR
+
+TESTDATE=`date +%Y%m%d-%H%M-%S`
+
+TODAYDIR=$TESTRESULTSDIR/$TESTDATE
+mkdir $TODAYDIR
+TESTRESULTSHTML=$TODAYDIR/all.html
+INDEX=$TODAYDIR/index.html
+DEFAULTTESTSDIR=$TESTDIR/testing/tests
+
+SOURCEIP_ROUTING_TABLE=220
+
+testnumber="0"
+failed_cnt="0"
+passed_cnt="0"
+
+
+##############################################################################
+# copy default tests to $BUILDDIR
+#
+
+TESTSDIR=$BUILDDIR/tests
+[ -d $TESTSDIR ] || mkdir $TESTSDIR
+
+##############################################################################
+# assign IP for each host to hostname
+#
+
+for host in $STRONGSWANHOSTS
+do
+    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+
+    case $host in
+    moon)
+        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    sun)
+        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    alice)
+        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    venus)
+        ;;
+    bob)
+        ;;
+    carol)
+        eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+         ;;
+    dave)
+        eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    winnetou)
+        ;;
+    esac
+done
+
+
+##############################################################################
+# open ssh sessions
+#
+for host in $STRONGSWANHOSTS
+do
+    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` >/dev/null 2>&1 &
+    eval ssh_pid_$host="`echo $!`"
+    do_on_exit kill `eval echo \\\$ssh_pid_$host`
+done
+
+
+##############################################################################
+# create header for the results html file
+#
+
+ENVIRONMENT_HEADER=$(cat <<@EOF
+  <table border="0" cellspacing="2" cellpadding="2">
+    <tr valign="top">
+      <td><b>Host</b></td>
+      <td colspan="3">`uname -a`</td>
+    </tr>
+    <tr valign="top">
+      <td><b>Guest kernel</b></td>
+      <td colspan="3">$KERNELVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>strongSwan</b></td>
+      <td colspan="3">$SWANVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>Date</b></td>
+      <td colspan="3">$TESTDATE</td>
+    </tr>
+    <tr>
+      <td width="100">&nbsp;</td>
+      <td width="300">&nbsp;</td>
+      <td width=" 50">&nbsp;</td>
+      <td >&nbsp;</td>
+    </tr>
+@EOF
+)
+
+cat > $INDEX <<@EOF
+<html>
+<head>
+  <title>strongSwan KVM Tests</title>
+</head>
+<body>
+  <h2>strongSwan KVM Tests</h2>
+  $ENVIRONMENT_HEADER
+@EOF
+
+cat > $TESTRESULTSHTML <<@EOF
+<html>
+<head>
+  <title>strongSwan KVM Tests - All Tests</title>
+</head>
+<body>
+  <div><a href="index.html">strongSwan KVM Tests</a> / All Tests</div>
+  <h2>All Tests</h2>
+  $ENVIRONMENT_HEADER
+    <tr align="left">
+      <th>Number</th>
+      <th>Test</th>
+      <th colspan="2">Result</th>
+    </tr>
+@EOF
+
+echo "Guest kernel : $KERNELVERSION"
+echo "strongSwan   : $SWANVERSION"
+echo "Date         : $TESTDATE"
+echo
+
+
+##############################################################################
+# enter specific test directory
+#
+
+if [ $# -gt 0 ]
+then
+    TESTS=$*
+else
+    # set internal field seperator
+    TESTS="`ls $DEFAULTTESTSDIR`"
+fi
+
+for SUBDIR in $TESTS
+do
+    SUBTESTS="`basename $SUBDIR`"
+
+    if [ $SUBTESTS = $SUBDIR ]
+    then
+	SUBTESTS="`ls $DEFAULTTESTSDIR/$SUBDIR`"
+    else
+	SUBDIR="`dirname $SUBDIR`"
+    fi
+
+    if [ ! -d $TODAYDIR/$SUBDIR ]
+    then
+	mkdir $TODAYDIR/$SUBDIR
+	if [ $testnumber == 0 ]
+	then
+	    FIRST="<b>Category</b>"
+	else
+	    FIRST="&nbsp;"
+	fi
+	echo "    <tr>" >> $INDEX
+    echo "      <td>$FIRST</td>">> $INDEX
+    echo "      <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
+    echo "      <td align=\"right\">x</td>" >> $INDEX
+    echo "      <td>&nbsp;</td>" >> $INDEX
+    echo "    </tr>" >> $INDEX
+	SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
+	cat > $SUBTESTSINDEX <<@EOF
+<html>
+<head>
+  <title>strongSwan $SUBDIR Tests</title>
+</head>
+<body>
+  <div><a href="../index.html">strongSwan KVM Tests</a> / $SUBDIR</div>
+  <h2>strongSwan $SUBDIR Tests</h2>
+  <table border="0" cellspacing="2" cellpadding="2">
+    <tr valign="top">
+      <td><b>Guest kernel</b></td>
+      <td colspan="3">$KERNELVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>strongSwan</b></td>
+      <td colspan="3">$SWANVERSION</td>
+    </tr>
+    <tr valign="top">
+      <td><b>Date</b></td>
+      <td colspan="3">$TESTDATE</td>
+    </tr>
+    <tr>
+      <td width="100">&nbsp;</td>
+      <td width="300">&nbsp;</td>
+      <td width=" 50">&nbsp;</td>
+      <td >&nbsp;</td>
+    </tr>
+    <tr align="left">
+       <th>Number</th>
+       <th>Test</th>
+       <th colspan="2">Result</th>
+    </tr>
+@EOF
+    fi
+
+    for name in $SUBTESTS
+    do
+	let "testnumber += 1"
+	testname=$SUBDIR/$name
+	log_action " $testnumber $testname:"
+
+	if [ ! -d $DEFAULTTESTSDIR/${testname} ]
+	then
+	    echo "is missing..skipped"
+	    continue
+	fi
+
+	if [ $SUBDIR = "ipv6" -o $name = "rw-psk-ipv6" ]
+	then
+	    IPROUTE_CMD="ip -6 route list table $SOURCEIP_ROUTING_TABLE"
+	    IPROUTE_DSP=$IPROUTE_CMD
+	    IPTABLES_CMD="ip6tables -v -n -L"
+	    IPTABLES_DSP="ip6tables -L"
+	else
+	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE"
+	    IPROUTE_DSP=$IPROUTE_CMD
+	    IPTABLES_CMD="iptables -v -n -L"
+	    IPTABLES_DSP="iptables -L"
+	fi
+
+	if [ $name = "net2net-ip4-in-ip6-ikev2" -o $name = "net2net-ip6-in-ip4-ikev2" ]
+	then
+	    IPROUTE_CMD="ip route list table $SOURCEIP_ROUTING_TABLE; echo; ip -6 route list table $SOURCEIP_ROUTING_TABLE"
+	    IPROUTE_DSP="ip (-6) route list table $SOURCEIP_ROUTING_TABLE"
+	    IPTABLES_CMD="iptables -v -n -L ; echo ; ip6tables -v -n -L"
+	    IPTABLES_DSP="iptables -L ; ip6tables -L"
+	fi
+
+	[ -f $DEFAULTTESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/test.conf ]       || die "!! File 'test.conf' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/pretest.dat ]     || die "!! File 'pretest.dat' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/posttest.dat ]    || die "!! File 'posttest.dat' is missing"
+	[ -f $DEFAULTTESTSDIR/${testname}/evaltest.dat ]    || die "!! File 'evaltest.dat' is missing"
+
+	TESTRESULTDIR=$TODAYDIR/$testname
+	mkdir -p $TESTRESULTDIR
+	CONSOLE_LOG=$TESTRESULTDIR/console.log
+	touch $CONSOLE_LOG
+
+	TESTDIR=$TESTSDIR/${testname}
+	rm -rf $TESTDIR
+	mkdir -p $TESTDIR
+	cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
+
+
+	##############################################################################
+	# replace IP wildcards with actual IPv4 and IPv6 addresses
+	#
+
+	for host in $STRONGSWANHOSTS
+	do
+	    case $host in
+	    moon)
+		searchandreplace PH_IP_MOON1     $ipv4_moon1 $TESTDIR
+		searchandreplace PH_IP_MOON      $ipv4_moon  $TESTDIR
+		searchandreplace PH_IP6_MOON1    $ipv6_moon1 $TESTDIR
+		searchandreplace PH_IP6_MOON     $ipv6_moon  $TESTDIR
+		;;
+	    sun)
+		searchandreplace PH_IP_SUN1      $ipv4_sun1 $TESTDIR
+		searchandreplace PH_IP_SUN       $ipv4_sun  $TESTDIR
+		searchandreplace PH_IP6_SUN1     $ipv6_sun1 $TESTDIR
+		searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
+		;;
+	    alice)
+		searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
+		searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
+		searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
+		searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
+		;;
+	    venus)
+		searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
+		searchandreplace PH_IP6_VENUS    $ipv6_venus $TESTDIR
+		;;
+	    bob)
+		searchandreplace PH_IP_BOB       $ipv4_bob $TESTDIR
+		searchandreplace PH_IPV6_BOB     $ipv6_bob $TESTDIR
+		;;
+	    carol)
+		searchandreplace PH_IP_CAROL1    $ipv4_carol1 $TESTDIR
+		searchandreplace PH_IP_CAROL     $ipv4_carol  $TESTDIR
+		searchandreplace PH_IP6_CAROL1   $ipv6_carol1 $TESTDIR
+		searchandreplace PH_IP6_CAROL    $ipv6_carol  $TESTDIR
+		;;
+	    dave)
+		searchandreplace PH_IP_DAVE1     $ipv4_dave1 $TESTDIR
+		searchandreplace PH_IP_DAVE      $ipv4_dave  $TESTDIR
+		searchandreplace PH_IP6_DAVE1    $ipv6_dave1 $TESTDIR
+		searchandreplace PH_IP6_DAVE     $ipv6_dave  $TESTDIR
+		;;
+	    winnetou)
+		searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $TESTDIR
+		searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $TESTDIR
+		;;
+	    esac
+	done
+
+
+	##########################################################################
+	# copy test specific configurations to uml hosts and clear auth.log files
+	#
+
+	$DIR/scripts/load-testconfig $testname
+	unset RADIUSHOSTS
+	source $TESTDIR/test.conf
+
+
+	##########################################################################
+	# run tcpdump in the background
+	#
+
+	if [ "$TCPDUMPHOSTS" != "" ]
+	then
+	    echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
+
+	    for host_iface in $TCPDUMPHOSTS
+	    do
+		host=`echo $host_iface | awk -F ":" '{print $1}'`
+		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
+		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &"
+		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
+		ssh $SSHCONF root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
+		eval TDUP_${host}="true"
+	    done
+	fi
+
+
+	##########################################################################
+	# execute pre-test commands
+	#
+
+	echo -n "pre.."
+	echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
+
+	eval `awk -F "::" '{
+	    if ($2 != "")
+	    {
+		printf("echo \"%s# %s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("echo;\n")
+	    }
+	}' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
+
+
+	##########################################################################
+	# stop tcpdump
+	#
+
+	function stop_tcpdump {
+	    echo "${1}# killall tcpdump" >> $CONSOLE_LOG
+	    eval ssh $SSHCONF root@\$ipv4_${1} killall tcpdump
+	    eval TDUP_${1}="false"
+	    echo ""
+	}
+
+
+	##########################################################################
+	# get and evaluate test results
+	#
+
+	echo -n "test.."
+	echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
+
+	STATUS="passed"
+
+	eval `awk -F "::" '{
+	    host=$1
+	    command=$2
+	    pattern=$3
+	    hit=$4
+	    if (command != "")
+	    {
+		if (command == "tcpdump")
+		{
+		    printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
+		    printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
+		}
+		else
+		{
+		    printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
+		}
+		printf("cmd_exit=\044?; ")
+		printf("echo; ")
+		printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\"  ] ", hit)
+		printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
+		printf("; then STATUS=\"failed\"; fi; \n")
+	    }
+	}' $TESTDIR/evaltest.dat` >> $CONSOLE_LOG 2>&1
+
+
+	##########################################################################
+	# set counters
+	#
+
+	if [ $STATUS = "failed" ]
+	then
+	    let "failed_cnt += 1"
+	else
+	    let "passed_cnt += 1"
+	fi
+
+
+	##########################################################################
+	# log statusall and listall output
+	# get copies of ipsec.conf, ipsec.secrets
+	# create index.html for the given test case
+
+	cat > $TESTRESULTDIR/index.html <<@EOF
+<html>
+<head>
+  <title>Test $testname</title>
+</head>
+<body>
+<table border="0" cellpadding="0" cellspacing="0" width="600">
+  <tr><td>
+    <div><a href="../../index.html">strongSwan KVM Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div>
+    <h2>Test $testname</h2>
+    <h3>Description</h3>
+@EOF
+
+	cat $TESTDIR/description.txt >> $TESTRESULTDIR/index.html
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+    <ul>
+      <li><a href="console.log">console.log</a></li>
+    </ul>
+    <img src="../../images/$DIAGRAM" alt="$VIRTHOSTS">
+@EOF
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+	    for command in statusall listall
+	    do
+		ssh $SSHCONF $HOSTLOGIN ipsec $command \
+		    > $TESTRESULTDIR/${host}.$command 2>/dev/null
+	    done
+
+	    for file in strongswan.conf ipsec.conf ipsec.secrets
+	    do
+		scp $SSHCONF $HOSTLOGIN:/etc/$file \
+		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+	    done
+
+	    scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
+		$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
+
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
+		    > $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm state \
+		    > $TESTRESULTDIR/${host}.ip.state 2>/dev/null
+	    ssh $SSHCONF $HOSTLOGIN $IPROUTE_CMD \
+		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
+	    ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
+		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
+	    chmod a+r $TESTRESULTDIR/*
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+    <h3>$host</h3>
+      <table border="0" cellspacing="0" width="600">
+      <tr>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.ipsec.conf">ipsec.conf</a></li>
+	    <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li>
+	    <li><a href="$host.ipsec.sql">ipsec.sql</a></li>
+	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+	  </ul>
+	</td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.statusall">ipsec statusall</a></li>
+	    <li><a href="$host.listall">ipsec listall</a></li>
+	    <li><a href="$host.auth.log">auth.log</a></li>
+	    <li><a href="$host.daemon.log">daemon.log</a></li>
+	  </ul>
+      </td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.ip.policy">ip -s xfrm policy</a></li>
+	    <li><a href="$host.ip.state">ip -s xfrm state</a></li>
+	    <li><a href="$host.ip.route">$IPROUTE_DSP</a></li>
+	    <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
+	  </ul>
+      </td>
+    </tr>
+    </table>
+@EOF
+
+	done
+
+	for host in $RADIUSHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+	    for file in clients.conf eap.conf radiusd.conf proxy.conf users
+	    do
+		scp $SSHCONF $HOSTLOGIN:/etc/freeradius/$file \
+		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+	    done
+
+		scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
+		    $TESTRESULTDIR/${host}.strongswan.conf  > /dev/null 2>&1
+
+	    scp $SSHCONF $HOSTLOGIN:/var/log/freeradius/radius.log \
+		$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
+
+	    ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
+		>> $TESTRESULTDIR/${host}.daemon.log 2>/dev/null
+
+	    chmod a+r $TESTRESULTDIR/*
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+    <h3>$host</h3>
+      <table border="0" cellspacing="0" width="600">
+      <tr>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.clients.conf">clients.conf</a></li>
+	    <li><a href="$host.radiusd.conf">radiusd.conf</a></li>
+	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+	  </ul>
+	</td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.eap.conf">eap.conf</a></li>
+	    <li><a href="$host.radius.log">radius.log</a></li>
+	    <li><a href="$host.daemon.log">daemon.log</a></li>
+	  </ul>
+      </td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.proxy.conf">proxy.conf</a></li>
+	    <li><a href="$host.users">users</a></li>
+	  </ul>
+      </td>
+    </tr>
+    </table>
+@EOF
+
+	done
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+	<h3>tcpdump</h3>
+	<ul>
+@EOF
+
+	for host in $TCPDUMPHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+		scp $SSHCONF $HOSTLOGIN:/tmp/tcpdump.log \
+			$TESTRESULTDIR/${host}.tcpdump.log > /dev/null 2>&1
+
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+	    <li><a href="$host.tcpdump.log">$host tcpdump.log</a></li>
+@EOF
+
+	done
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+	</ul>
+@EOF
+
+	cat >> $TESTRESULTDIR/index.html <<@EOF
+  </td></tr>
+</table>
+</body>
+</html>
+@EOF
+
+
+	##########################################################################
+	# execute post-test commands
+	#
+
+	echo -n "post"
+	echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
+
+	eval `awk -F "::" '{
+	    if ($2 != "")
+	    {
+		printf("echo \"%s# %s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("echo;\n")
+	    }
+	}' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
+
+
+	##########################################################################
+	# get a copy of /var/log/auth.log
+	#
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \
+		/var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log
+	done
+
+
+	##########################################################################
+	# get a copy of /var/log/daemon.log
+	#
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \
+		/var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log
+	done
+
+
+	##########################################################################
+	# stop tcpdump if necessary
+	#
+
+	for host in $TCPDUMPHOSTS
+	do
+	    if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
+	    then
+		echo "${host}# killall tcpdump" >> $CONSOLE_LOG
+		eval ssh $SSHCONF root@\$ipv4_$host killall tcpdump
+		eval TDUP_${host}="false"
+	    fi
+	done
+
+
+	##########################################################################
+	# copy default host config back if necessary
+	#
+
+	$DIR/scripts/restore-defaults $testname
+
+
+	##########################################################################
+	# write test status to html file
+	#
+
+	if [ $STATUS = "passed" ]
+	then
+		COLOR="green"
+		log_status 0
+	else
+		COLOR="red"
+		log_status 1
+	fi
+
+	cat >> $TESTRESULTSHTML << @EOF
+  <tr>
+    <td>$testnumber</td>
+    <td><a href="$testname/index.html">$testname</a></td>
+    <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
+    <td>&nbsp;</td>
+  </tr>
+@EOF
+	cat >> $SUBTESTSINDEX << @EOF
+  <tr>
+    <td>$testnumber</td>
+    <td><a href="$name/index.html">$name</a></td>
+    <td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td>
+    <td>&nbsp;</td>
+  </tr>
+@EOF
+
+
+	##########################################################################
+	# remove any charon.pid files that still may exist
+	#
+
+	for host in $IPSECHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+	    ssh $SSHCONF $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
+	done
+
+    done
+
+done
+
+
+##############################################################################
+# finish the results html file
+#
+
+cat >> $TESTRESULTSHTML << @EOF
+    <tr>
+      <td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td><b>Passed</b></td><td><b><font color="green">$passed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td><b>Failed</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+    </tr>
+  </table>
+</body>
+</html>
+@EOF
+
+let "all_cnt = $passed_cnt + $failed_cnt"
+
+cat >> $INDEX << @EOF
+    <tr>
+      <td>&nbsp;</td>
+      <td><a href="all.html"><b>all</b></a></td>
+      <td align="right"><b>$all_cnt</b></td>
+      <td>&nbsp;</td>
+    </tr>
+    <tr>
+      <td><b>Failed</b></td>
+      <td>&nbsp;</td>
+      <td align="right"><b><font color="red">$failed_cnt</font></b></td>
+      <td>&nbsp;</td>
+    </tr>
+  </table>
+</body>
+</html>
+@EOF
+
+echo
+echo_ok     "Passed : $passed_cnt"
+echo_failed "Failed : $failed_cnt"
+echo
+
+
+##############################################################################
+# copy the test results to the apache server
+#
+
+HTDOCS="/var/www"
+
+ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
+scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
+ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
+echo
+echo "The results are available in $TODAYDIR"
+echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
+
+ENDDATE=`date +%Y%m%d-%H%M`
+echo
+echo "Finished : $ENDDATE"
diff --git a/testing/do-tests.in b/testing/do-tests.in
deleted file mode 100755
index 67c2e7ad6..000000000
--- a/testing/do-tests.in
+++ /dev/null
@@ -1,799 +0,0 @@
-#!/bin/bash
-# Automatically execute the strongSwan test cases
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "Configuration file 'testing.conf' not found"
-[ -d $DIR/hosts ] || die "Directory 'hosts' not found"
-[ -d $DIR/tests ] || die "Directory 'tests' not found"
-
-source $DIR/testing.conf
-
-
-##############################################################################
-# test if UMLs have been built at all
-#
-
-[ -d $BUILDDIR ] || die "Directory '$BUILDDIR' does not exist. Please run 'make-testing'first."
-
-
-##############################################################################
-# take care of new path and file variables
-#
-
-[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR
-
-TESTDATE=`date +%Y%m%d-%H%M`
-
-TODAYDIR=$TESTRESULTSDIR/$TESTDATE
-mkdir $TODAYDIR
-TESTRESULTSHTML=$TODAYDIR/all.html
-INDEX=$TODAYDIR/index.html
-DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests
-
-SOURCEIP_ROUTING_TABLE=@routing_table@
-
-testnumber="0"
-failed_cnt="0"
-passed_cnt="0"
-
-
-##############################################################################
-# copy default tests to $BUILDDIR
-#
-
-TESTSDIR=$BUILDDIR/tests
-[ -d $TESTSDIR ] || mkdir $TESTSDIR
-
-##############################################################################
-# assign IP for each host to hostname
-#
-
-for host in $STRONGSWANHOSTS
-do
-    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-
-    case $host in
-    moon)
-        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    sun)
-        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    alice)
-        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    venus)
-        ;;
-    bob)
-        ;;
-    carol)
-        eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-         ;;
-    dave)
-        eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        ;;
-    winnetou)
-        ;;
-    esac
-done
-
-
-##############################################################################
-# open ssh sessions
-#
-for host in $STRONGSWANHOSTS
-do
-    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` &
-    eval ssh_pid_$host="`echo $!`"
-done
-
-
-##############################################################################
-# create header for the results html file
-#
-
-KERNEL_VERSION=`basename $KERNEL .tar.bz2`
-IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2`
-
-ENVIRONMENT_HEADER=$(cat <<@EOF
-  <table border="0" cellspacing="2">
-    <tr valign="top">
-      <td><b>Host:</b></td>
-      <td colspan="3">`uname -a`</td>
-    </tr>
-    <tr valign="top">
-      <td><b>UML kernel: &nbsp;</b></td>
-      <td colspan="3">$KERNEL_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>IPsec:</b></td>
-      <td colspan="3">$IPSEC_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>Date:</b></td>
-      <td colspan="3">$TESTDATE</td>
-    </tr>
-    <tr>
-      <td width="100">&nbsp;</td>
-      <td width="200">&nbsp;</td>
-      <td width=" 50">&nbsp;</td>
-      <td >&nbsp;</td>
-    </tr>
-@EOF
-)
-
-cat > $INDEX <<@EOF
-<html>
-<head>
-  <title>strongSwan UML Tests</title>
-</head>
-<body>
-  <h2>strongSwan UML Tests</h2>
-  $ENVIRONMENT_HEADER
-@EOF
-
-cat > $TESTRESULTSHTML <<@EOF
-<html>
-<head>
-  <title>strongSwan UML Tests - All Tests</title>
-</head>
-<body>
-  <div><a href="index.html">strongSwan UML Tests</a> / All Tests</div>
-  <h2>All Tests</h2>
-  $ENVIRONMENT_HEADER
-    <tr align="left">
-      <th>Number</th>
-      <th>Test</th>
-      <th colspan="2">Result</th>
-    </tr>
-@EOF
-
-cecho "UML kernel: $KERNEL_VERSION"
-cecho "IPsec:      $IPSEC_VERSION"
-cecho "Date:       $TESTDATE"
-cecho ""
-
-
-##############################################################################
-# enter specific test directory
-#
-
-if [ $# -gt 0 ]
-then
-    TESTS=$*
-elif [ $SELECTEDTESTSONLY = "yes" ]
-then
-    # set internal field seperator
-    TESTS=$SELECTEDTESTS
-else
-    # set internal field seperator
-    TESTS="`ls $DEFAULTTESTSDIR`"
-fi
-
-for SUBDIR in $TESTS
-do
-    SUBTESTS="`basename $SUBDIR`"
-
-    if [ $SUBTESTS = $SUBDIR ]
-    then
-	SUBTESTS="`ls $DEFAULTTESTSDIR/$SUBDIR`"
-    else
-	SUBDIR="`dirname $SUBDIR`"
-    fi
-
-    if [ ! -d $TODAYDIR/$SUBDIR ]
-    then
-	mkdir $TODAYDIR/$SUBDIR
-	if [ $testnumber == 0 ]
-	then
-	    FIRST="<b>Category:</b"
-	else
-	    FIRST="&nbsp;"
-	fi
-	echo "    <tr>" >> $INDEX
-    echo "      <td>$FIRST</td>">> $INDEX
-    echo "      <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
-    echo "      <td align=\"right\">x</td>" >> $INDEX
-    echo "      <td>&nbsp;</td>" >> $INDEX
-    echo "    </tr>" >> $INDEX
-	SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
-	cat > $SUBTESTSINDEX <<@EOF
-<html>
-<head>
-  <title>strongSwan $SUBDIR Tests</title>
-</head>
-<body>
-  <div><a href="../index.html">strongSwan UML Tests</a> / $SUBDIR</div>
-  <h2>strongSwan $SUBDIR Tests</h2>
-  <table border="0" cellspacing="2">
-    <tr valign="top">
-      <td><b>UML kernel: &nbsp;</b></td>
-      <td colspan="3">$KERNEL_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>IPsec:</b></td>
-      <td colspan="3">$IPSEC_VERSION</td>
-    </tr>
-    <tr valign="top">
-      <td><b>Date:</b></td>
-      <td colspan="3">$TESTDATE</td>
-    </tr>
-    <tr>
-      <td width="100">&nbsp;</td>
-      <td width="200">&nbsp;</td>
-      <td width=" 50">&nbsp;</td>
-      <td >&nbsp;</td>
-    </tr>
-    <tr align="left">
-       <th>Number</th>
-       <th>Test</th>
-       <th colspan="2">Result</th>
-    </tr>
-@EOF
-    fi
-
-    for name in $SUBTESTS
-    do
-	let "testnumber += 1"
-	testname=$SUBDIR/$name
-	cecho-n " $testnumber $testname.."
-
-	if [ ! -d $DEFAULTTESTSDIR/${testname} ]
-	then
-	    cecho "is missing..skipped"
-	    continue
-	fi
-
-	if [ $SUBDIR = "ipv6" -o $name = "rw-psk-ipv6" ]
-	then
-	    IPTABLES_CMD="ip6tables -v -n -L"
-	    IPTABLES_DSP="ip6tables -L"
-	else
-	    IPTABLES_CMD="iptables -v -n -L"
-	    IPTABLES_DSP="iptables -L"
-	fi
-
-	if [ $name = "net2net-ip4-in-ip6-ikev2" -o $name = "net2net-ip6-in-ip4-ikev2" ]
-	then
-	    IPTABLES_CMD="iptables -v -n -L ; echo ; ip6tables -v -n -L"
-	    IPTABLES_DSP="iptables -L ; ip6tables -L"
-	fi
-
-	[ -f $DEFAULTTESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/test.conf ]       || die "!! File 'test.conf' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/pretest.dat ]     || die "!! File 'pretest.dat' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/posttest.dat ]    || die "!! File 'posttest.dat' is missing"
-	[ -f $DEFAULTTESTSDIR/${testname}/evaltest.dat ]    || die "!! File 'evaltest.dat' is missing"
-
-	TESTRESULTDIR=$TODAYDIR/$testname
-	mkdir -p $TESTRESULTDIR
-	CONSOLE_LOG=$TESTRESULTDIR/console.log
-	touch $CONSOLE_LOG
-
-	TESTDIR=$TESTSDIR/${testname}
-	rm -rf $TESTDIR
-	mkdir -p $TESTDIR
-	cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
-
-
-	##############################################################################
-	# replace IP wildcards with actual IPv4 and IPv6 addresses
-	#
-
-	for host in $STRONGSWANHOSTS
-	do
-	    case $host in
-	    moon)
-		searchandreplace PH_IP_MOON1     $ipv4_moon1 $TESTDIR
-		searchandreplace PH_IP_MOON      $ipv4_moon  $TESTDIR
-		searchandreplace PH_IP6_MOON1    $ipv6_moon1 $TESTDIR
-		searchandreplace PH_IP6_MOON     $ipv6_moon  $TESTDIR
-		;;
-	    sun)
-		searchandreplace PH_IP_SUN1      $ipv4_sun1 $TESTDIR
-		searchandreplace PH_IP_SUN       $ipv4_sun  $TESTDIR
-		searchandreplace PH_IP6_SUN1     $ipv6_sun1 $TESTDIR
-		searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
-		;;
-	    alice)
-		searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
-		searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
-		searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
-		searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
-		;;
-	    venus)
-		searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
-		searchandreplace PH_IP6_VENUS    $ipv6_venus $TESTDIR
-		;;
-	    bob)
-		searchandreplace PH_IP_BOB       $ipv4_bob $TESTDIR
-		searchandreplace PH_IPV6_BOB     $ipv6_bob $TESTDIR
-		;;
-	    carol)
-		searchandreplace PH_IP_CAROL1    $ipv4_carol1 $TESTDIR
-		searchandreplace PH_IP_CAROL     $ipv4_carol  $TESTDIR
-		searchandreplace PH_IP6_CAROL1   $ipv6_carol1 $TESTDIR
-		searchandreplace PH_IP6_CAROL    $ipv6_carol  $TESTDIR
-		;;
-	    dave)
-		searchandreplace PH_IP_DAVE1     $ipv4_dave1 $TESTDIR
-		searchandreplace PH_IP_DAVE      $ipv4_dave  $TESTDIR
-		searchandreplace PH_IP6_DAVE1    $ipv6_dave1 $TESTDIR
-		searchandreplace PH_IP6_DAVE     $ipv6_dave  $TESTDIR
-		;;
-	    winnetou)
-		searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $TESTDIR
-		searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $TESTDIR
-		;;
-	    esac
-	done
-
-
-	##########################################################################
-	# copy test specific configurations to uml hosts and clear auth.log files
-	#
-
-	$DIR/scripts/load-testconfig $testname
-	unset RADIUSHOSTS
-	source $TESTDIR/test.conf
-
-
-	##########################################################################
-	# run tcpdump in the background
-	#
-
-	if [ "$TCPDUMPHOSTS" != "" ]
-	then
-	    echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
-
-	    for host_iface in $TCPDUMPHOSTS
-	    do
-		host=`echo $host_iface | awk -F ":" '{print $1}'`
-		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
-		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &"
-		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
-		ssh $SSHCONF root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
-		eval TDUP_${host}="true"
-	    done
-	fi
-
-
-	##########################################################################
-	# execute pre-test commands
-	#
-
-	cecho-n "pre.."
-	echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
-
-	eval `awk -F "::" '{
-	    if ($2 != "")
-	    {
-		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
-		printf("echo;\n")
-	    }
-	}' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
-
-
-	##########################################################################
-	# stop tcpdump
-	#
-
-	function stop_tcpdump {
-	    echo "${1}# killall tcpdump" >> $CONSOLE_LOG
-	    eval ssh $SSHCONF root@\$ipv4_${1} killall tcpdump
-	    eval TDUP_${1}="false"
-	    echo ""
-	}
-
-
-	##########################################################################
-	# get and evaluate test results
-	#
-
-	cecho-n "test.."
-	echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
-
-	STATUS="passed"
-
-	eval `awk -F "::" '{
-	    host=$1
-	    command=$2
-	    pattern=$3
-	    hit=$4
-	    if (command != "")
-	    {
-		if (command == "tcpdump")
-		{
-		    printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
-		    printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
-		    printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
-		}
-		else
-		{
-		    printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
-		    printf("ssh \044SSHCONF root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
-		}
-		printf("cmd_exit=\044?; ")
-		printf("echo; ")
-		printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\"  ] ", hit)
-		printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
-		printf("; then STATUS=\"failed\"; fi; \n")
-	    }
-	}' $TESTDIR/evaltest.dat` >> $CONSOLE_LOG 2>&1
-
-
-	##########################################################################
-	# set counters
-	#
-
-	if [ $STATUS = "failed" ]
-	then
-	    let "failed_cnt += 1"
-	else
-	    let "passed_cnt += 1"
-	fi
-
-
-	##########################################################################
-	# log statusall and listall output
-	# get copies of ipsec.conf, ipsec.secrets
-	# create index.html for the given test case
-
-	cat > $TESTRESULTDIR/index.html <<@EOF
-<html>
-<head>
-  <title>Test $testname</title>
-</head>
-<body>
-<table border="0" cellpadding="0" cellspacing="0" width="600">
-  <tr><td>
-    <div><a href="../../index.html">strongSwan UML Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div>
-    <h2>Test $testname</h2>
-    <h3>Description</h3>
-@EOF
-
-	cat $TESTDIR/description.txt >> $TESTRESULTDIR/index.html
-
-	cat >> $TESTRESULTDIR/index.html <<@EOF
-    <ul>
-      <li><a href="console.log">console.log</a></li>
-    </ul>
-    <img src="../../images/$DIAGRAM" alt="$UMLHOSTS">
-@EOF
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-
-	    for command in statusall listall
-	    do
-		ssh $SSHCONF $HOSTLOGIN ipsec $command \
-		    > $TESTRESULTDIR/${host}.$command 2>/dev/null
-	    done
-
-	    for file in strongswan.conf ipsec.conf ipsec.secrets
-	    do
-		scp $SSHCONF $HOSTLOGIN:/etc/$file \
-		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
-	    done
-
-	    scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
-	    	$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
-
-	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
-		    > $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
-	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm state \
-		    > $TESTRESULTDIR/${host}.ip.state 2>/dev/null
-	    ssh $SSHCONF $HOSTLOGIN ip route list table $SOURCEIP_ROUTING_TABLE \
-		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
-	    ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
-		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
-	    chmod a+r $TESTRESULTDIR/*
-	    cat >> $TESTRESULTDIR/index.html <<@EOF
-    <h3>$host</h3>
-      <table border="0" cellspacing="0" width="600">
-      <tr>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.ipsec.conf">ipsec.conf</a></li>
-	    <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li>
-	    <li><a href="$host.ipsec.sql">ipsec.sql</a></li>
-	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
-	  </ul>
-	</td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.statusall">ipsec statusall</a></li>
-	    <li><a href="$host.listall">ipsec listall</a></li>
-	    <li><a href="$host.auth.log">auth.log</a></li>
-	    <li><a href="$host.daemon.log">daemon.log</a></li>
-	  </ul>
-      </td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.ip.policy">ip -s xfrm policy</a></li>
-	    <li><a href="$host.ip.state">ip -s xfrm state</a></li>
-	    <li><a href="$host.ip.route">ip route list table $SOURCEIP_ROUTING_TABLE</a></li>
-	    <li><a href="$host.iptables">$IPTABLES_DSP</a></li>
-	  </ul>
-      </td>
-    </tr>
-    </table>
-@EOF
-
-	done
-
-	for host in $RADIUSHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-
-	    for file in clients.conf eap.conf radiusd.conf proxy.conf users
-	    do
-		scp $SSHCONF $HOSTLOGIN:/etc/raddb/$file \
-		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
-	    done
-
-		scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
-		    $TESTRESULTDIR/${host}.strongswan.conf  > /dev/null 2>&1
-
-	    scp $SSHCONF $HOSTLOGIN:/var/log/radius/radius.log \
-	    	$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
-
-	    chmod a+r $TESTRESULTDIR/*
-	    cat >> $TESTRESULTDIR/index.html <<@EOF
-    <h3>$host</h3>
-      <table border="0" cellspacing="0" width="600">
-      <tr>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.clients.conf">clients.conf</a></li>
-	    <li><a href="$host.radiusd.conf">radiusd.conf</a></li>
-	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
-	  </ul>
-	</td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.eap.conf">eap.conf</a></li>
-	    <li><a href="$host.radius.log">radius.log</a></li>
-	    <li><a href="$host.daemon.log">daemon.log</a></li>
-	  </ul>
-      </td>
-	<td valign="top">
-	  <ul>
-	    <li><a href="$host.proxy.conf">proxy.conf</a></li>
-	    <li><a href="$host.users">users</a></li>
-	  </ul>
-      </td>
-    </tr>
-    </table>
-@EOF
-
-	done
-
-	cat >> $TESTRESULTDIR/index.html <<@EOF
-  </td></tr>
-</table>
-</body>
-</html>
-@EOF
-
-
-	##########################################################################
-	# execute post-test commands
-	#
-
-	cecho-n "post.."
-	echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
-
-	eval `awk -F "::" '{
-	    if ($2 != "")
-	    {
-		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
-		printf("echo;\n")
-	    }
-	}' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
-
-
-	##########################################################################
-	# get a copy of /var/log/auth.log
-	#
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN grep pluto /var/log/auth.log \
-		> $TESTRESULTDIR/${host}.auth.log
-	    echo >> $TESTRESULTDIR/${host}.auth.log
-	    ssh $SSHCONF $HOSTLOGIN grep charon /var/log/auth.log \
-		>> $TESTRESULTDIR/${host}.auth.log
-	done
-
-
-	##########################################################################
-	# get a copy of /var/log/daemon.log
-	#
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN grep pluto /var/log/daemon.log \
-		> $TESTRESULTDIR/${host}.daemon.log
-	    echo >> $TESTRESULTDIR/${host}.daemon.log
-	    ssh $SSHCONF $HOSTLOGIN grep charon /var/log/daemon.log \
-		>> $TESTRESULTDIR/${host}.daemon.log
-	done
-
-
-	##########################################################################
-	# get a copy of /var/log/daemon.log
-	#
-
-	for host in $RADIUSHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN grep imcv /var/log/daemon.log \
-		>> $TESTRESULTDIR/${host}.daemon.log
-	done
-
-
-	##########################################################################
-	# stop tcpdump if necessary
-	#
-
-	for host in $TCPDUMPHOSTS
-	do
-	    if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
-	    then
-		echo "${host}# killall tcpdump" >> $CONSOLE_LOG
-		eval ssh $SSHCONF root@\$ipv4_$host killall tcpdump
-		eval TDUP_${host}="false"
-	    fi
-	done
-
-
-	##########################################################################
-	# copy default host config back if necessary
-	#
-
-	$DIR/scripts/restore-defaults $testname
-
-
-	##########################################################################
-	# write test status to html file
-	#
-
-	if [ $STATUS = "passed" ]
-	then
-	    COLOR="green"
-	    cecho "\033[1;32m$STATUS"
-	else
-	    COLOR="red"
-	    cecho "$STATUS"
-	fi
-
-	cat >> $TESTRESULTSHTML << @EOF
-  <tr>
-    <td>$testnumber</td>
-    <td><a href="$testname/index.html">$testname</a></td>
-    <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
-    <td>&nbsp;</td>
-  </tr>
-@EOF
-	cat >> $SUBTESTSINDEX << @EOF
-  <tr>
-    <td>$testnumber</td>
-    <td><a href="$name/index.html">$name</a></td>
-    <td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td>
-    <td>&nbsp;</td>
-  </tr>
-@EOF
-
-
-	##########################################################################
-	# remove any charon.pid files that still may exist
-	#
-
-	for host in $IPSECHOSTS
-	do
-	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $SSHCONF $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
-	done
-
-    done
-
-done
-
-
-##############################################################################
-# finish the results html file
-#
-
-cat >> $TESTRESULTSHTML << @EOF
-    <tr>
-      <td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td>
-    </tr>
-    <tr>
-      <td><b>Passed:</b></td><td><b><font color="green">$passed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
-    </tr>
-    <tr>
-      <td><b>Failed:</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
-    </tr>
-  </table>
-</body>
-</html>
-@EOF
-
-let "all_cnt = $passed_cnt + $failed_cnt"
-
-cat >> $INDEX << @EOF
-    <tr>
-      <td>&nbsp;</td>
-      <td><a href="all.html"><b>all</b></a></td>
-      <td align="right"><b>$all_cnt</b></td>
-      <td>&nbsp;</td>
-    </tr>
-    <tr>
-      <td><b>Failed:</b></td>
-      <td>&nbsp;</td>
-      <td align="right"><b><font color="red">$failed_cnt</font></b></td>
-      <td>&nbsp;</td>
-    </tr>
-  </table>
-</body>
-</html>
-@EOF
-
-cecho ""
-cecho "\033[1;32mPassed:   $passed_cnt"
-cecho "Failed:   $failed_cnt"
-cecho ""
-
-
-##############################################################################
-# copy the test results to the apache server
-#
-
-HTDOCS="/var/www/localhost/htdocs"
-
-cecho-n "Copying test results to winnetou.."
-ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
-scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
-ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
-cgecho "done"
-cecho ""
-cecho "The results are available in $TODAYDIR"
-cecho "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
-
-
-##########################################################################
-# close ssh sessions
-#
-for host in $STRONGSWANHOSTS
-do
-    kill `eval echo \\\$ssh_pid_$host`
-done
-
diff --git a/testing/hosts/alice/etc/conf.d/hostname b/testing/hosts/alice/etc/conf.d/hostname
deleted file mode 100644
index 2012e0451..000000000
--- a/testing/hosts/alice/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=alice
diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net
deleted file mode 100644
index 41e8887c4..000000000
--- a/testing/hosts/alice/etc/conf.d/net
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0"
-              "PH_IP6_ALICE/16" )
-config_eth1=( "PH_IP_ALICE1 broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_ALICE1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_MOON1" )
diff --git a/testing/hosts/alice/etc/freeradius/clients.conf b/testing/hosts/alice/etc/freeradius/clients.conf
new file mode 100644
index 000000000..5fb47a2ad
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/clients.conf
@@ -0,0 +1,4 @@
+client 10.1.0.1 {
+  secret    = gv6URkSs
+  shortname = moon
+}
diff --git a/testing/hosts/alice/etc/freeradius/dictionary b/testing/hosts/alice/etc/freeradius/dictionary
new file mode 100644
index 000000000..59a874b3e
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/dictionary
@@ -0,0 +1,32 @@
+#
+#	This is the master dictionary file, which references the
+#	pre-defined dictionary files included with the server.
+#
+#	Any new/changed attributes MUST be placed in this file, as
+#	the pre-defined dictionaries SHOULD NOT be edited.
+#
+#	$Id$
+#
+
+#
+#	The filename given here should be an absolute path.
+#
+$INCLUDE	/usr/local/share/freeradius/dictionary
+
+#
+#	Place additional attributes or $INCLUDEs here.  They will
+#	over-ride the definitions in the pre-defined dictionaries.
+#
+#	See the 'man' page for 'dictionary' for information on
+#	the format of the dictionary files.
+
+#
+#	If you want to add entries to the dictionary file,
+#	which are NOT going to be placed in a RADIUS packet,
+#	add them here.  The numbers you pick should be between
+#	3000 and 4000.
+#
+
+#ATTRIBUTE	My-Local-String		3000	string
+#ATTRIBUTE	My-Local-IPAddr		3001	ipaddr
+#ATTRIBUTE	My-Local-Integer	3002	integer
diff --git a/testing/hosts/alice/etc/freeradius/radiusd.conf b/testing/hosts/alice/etc/freeradius/radiusd.conf
new file mode 100644
index 000000000..e4f721738
--- /dev/null
+++ b/testing/hosts/alice/etc/freeradius/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/freeradius
+raddbdir = ${sysconfdir}/freeradius
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = freeradius
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = 10.1.0.10
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes
+  auth_badpass = yes
+  auth_goodpass = yes
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/hosts/alice/etc/hostname b/testing/hosts/alice/etc/hostname
new file mode 100644
index 000000000..c9fc40bfb
--- /dev/null
+++ b/testing/hosts/alice/etc/hostname
@@ -0,0 +1 @@
+alice
diff --git a/testing/hosts/alice/etc/init.d/iptables b/testing/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 1097ac5a4..000000000
--- a/testing/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/alice/etc/init.d/net.eth0 b/testing/hosts/alice/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/alice/etc/init.d/net.eth1 b/testing/hosts/alice/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/alice/etc/init.d/radiusd b/testing/hosts/alice/etc/init.d/radiusd
deleted file mode 100755
index 8334385f9..000000000
--- a/testing/hosts/alice/etc/init.d/radiusd
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/sbin/runscript
-
-opts="${opts} reload"
-
-depend() {
-	need net
-	use dns
-}
-
-checkconfig() {
-	# set the location of log files
-	if ! cd /var/log/radius ; then
-		eerror "Failed to change current directory to /var/log/radius"
-		return 1
-	fi
-
-	if [ ! -d /var/run/radiusd ] && ! mkdir /var/run/radiusd ; then
-		eerror "Failed to create /var/run/radiusd"
-		return 1
-	fi
-	
-	if [ ! -f /etc/raddb/radiusd.conf ] ; then
-		eerror "No /etc/raddb/radiusd.conf file exists!"
-		return 1
-	fi
-
-	RADIUSD_OPTS="-xx"
-	RADIUSD_USER=`grep '^ *user *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
-	RADIUSD_GROUP=`grep '^ *group *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
-	if [ -n "${RADIUSD_USER}" ] && ! getent passwd ${RADIUSD_USER} > /dev/null ; then
-		eerror "${RADIUSD_USER} user missing!"
-		return 1
-	fi
-	if [ -n "${RADIUSD_GROUP}" ] && ! getent group ${RADIUSD_GROUP} > /dev/null ; then
-		eerror "${RADIUSD_GROUP} group missing!"
-		return 1
-	fi
-
-	# radius.log is created before privileges are dropped - need to set proper permissions on it
-	[ -f radius.log ] || touch radius.log || return 1
-
-	chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radiusd && \
-		chmod -R u+rwX,g+rX . /var/run/radiusd || return 1
-}
-
-start() {
-	checkconfig || return 1
-
-	ebegin "Starting radiusd"
-	start-stop-daemon --start --quiet --exec /usr/sbin/radiusd -- ${RADIUSD_OPTS} >/dev/null
-	eend $?
-}
-
-stop () {
-	ebegin "Stopping radiusd"
-	start-stop-daemon --stop --quiet --pidfile=/var/run/radiusd/radiusd.pid
-	eend $?
-}
-
-reload () {
-	ebegin "Reloading radiusd"
-	kill -HUP `</var/run/radiusd/radiusd.pid`
-	eend $?
-}
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
index 134c1c032..6d8aa629d 100755..100644
--- a/testing/hosts/alice/etc/ipsec.conf
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -1,25 +1,19 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 		
 conn nat-t
-	left=%defaultroute
+	left=%any
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
 	auto=add
diff --git a/testing/hosts/alice/etc/network/interfaces b/testing/hosts/alice/etc/network/interfaces
new file mode 100644
index 000000000..6fcbaa597
--- /dev/null
+++ b/testing/hosts/alice/etc/network/interfaces
@@ -0,0 +1,20 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 10.1.0.10
+	netmask 255.255.0.0
+	broadcast 10.1.255.255
+	gateway 10.1.0.1
+iface eth0 inet6 static
+	address fec1::10
+	netmask 16
+
+iface eth1 inet static
+	address 192.168.0.50
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+iface eth1 inet6 static
+	address fec0::5
+	netmask 16
diff --git a/testing/hosts/alice/etc/runlevels/default/net.eth0 b/testing/hosts/alice/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/alice/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/alice/etc/strongswan.conf b/testing/hosts/alice/etc/strongswan.conf
index 4c40f76cc..f7a87e90c 100644
--- a/testing/hosts/alice/etc/strongswan.conf
+++ b/testing/hosts/alice/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/hosts/bob/etc/conf.d/hostname b/testing/hosts/bob/etc/conf.d/hostname
deleted file mode 100644
index bbf5a2ea6..000000000
--- a/testing/hosts/bob/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=bob
diff --git a/testing/hosts/bob/etc/conf.d/net b/testing/hosts/bob/etc/conf.d/net
deleted file mode 100644
index bd0b3a5ce..000000000
--- a/testing/hosts/bob/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_BOB broadcast 10.2.255.255 netmask 255.255.0.0"
-              "PH_IP6_BOB/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_SUN1" )
diff --git a/testing/hosts/bob/etc/hostname b/testing/hosts/bob/etc/hostname
new file mode 100644
index 000000000..696fb6baa
--- /dev/null
+++ b/testing/hosts/bob/etc/hostname
@@ -0,0 +1 @@
+bob
diff --git a/testing/hosts/bob/etc/init.d/iptables b/testing/hosts/bob/etc/init.d/iptables
deleted file mode 100755
index 7b8756b81..000000000
--- a/testing/hosts/bob/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/bob/etc/init.d/net.eth0 b/testing/hosts/bob/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/bob/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
index 62c0ec787..5896c3436 100755..100644
--- a/testing/hosts/bob/etc/ipsec.conf
+++ b/testing/hosts/bob/etc/ipsec.conf
@@ -1,24 +1,18 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 
 conn nat-t
-	left=%defaultroute
+	left=%any
 	leftcert=bobCert.pem
 	leftid=bob@strongswan.org
 	leftfirewall=yes
 	right=%any
-	rightsubnetwithin=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/hosts/bob/etc/network/interfaces b/testing/hosts/bob/etc/network/interfaces
new file mode 100644
index 000000000..eca4f8fe7
--- /dev/null
+++ b/testing/hosts/bob/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 10.2.0.10
+	netmask 255.255.0.0
+	broadcast 10.2.255.255
+	gateway 10.2.0.1
+iface eth0 inet6 static
+	address fec2::10
+	netmask 16
diff --git a/testing/hosts/bob/etc/runlevels/default/net.eth0 b/testing/hosts/bob/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/bob/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/bob/etc/strongswan.conf b/testing/hosts/bob/etc/strongswan.conf
index 4c40f76cc..f7a87e90c 100644
--- a/testing/hosts/bob/etc/strongswan.conf
+++ b/testing/hosts/bob/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/hosts/carol/etc/conf.d/hostname b/testing/hosts/carol/etc/conf.d/hostname
deleted file mode 100644
index d5101b924..000000000
--- a/testing/hosts/carol/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=carol
diff --git a/testing/hosts/carol/etc/conf.d/net b/testing/hosts/carol/etc/conf.d/net
deleted file mode 100644
index f7f685942..000000000
--- a/testing/hosts/carol/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_CAROL broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_CAROL/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/carol/etc/hostname b/testing/hosts/carol/etc/hostname
new file mode 100644
index 000000000..da4b06358
--- /dev/null
+++ b/testing/hosts/carol/etc/hostname
@@ -0,0 +1 @@
+carol
diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6ff11a424..000000000
--- a/testing/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/carol/etc/init.d/net.eth0 b/testing/hosts/carol/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/carol/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
index 1def6ca99..d2d481b68 100755..100644
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -1,24 +1,19 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 
 conn home
-	left=PH_IP_CAROL
+	left=192.168.0.100
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/hosts/carol/etc/network/interfaces b/testing/hosts/carol/etc/network/interfaces
new file mode 100644
index 000000000..67bc73359
--- /dev/null
+++ b/testing/hosts/carol/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.100
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::10
+	netmask 16
diff --git a/testing/hosts/carol/etc/runlevels/default/net.eth0 b/testing/hosts/carol/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/carol/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/carol/etc/strongswan.conf b/testing/hosts/carol/etc/strongswan.conf
index 4c40f76cc..f7a87e90c 100644
--- a/testing/hosts/carol/etc/strongswan.conf
+++ b/testing/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/hosts/dave/etc/conf.d/hostname b/testing/hosts/dave/etc/conf.d/hostname
deleted file mode 100644
index c3fabf331..000000000
--- a/testing/hosts/dave/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=dave
diff --git a/testing/hosts/dave/etc/conf.d/net b/testing/hosts/dave/etc/conf.d/net
deleted file mode 100644
index 2b902525a..000000000
--- a/testing/hosts/dave/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_DAVE broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_DAVE/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/dave/etc/hostname b/testing/hosts/dave/etc/hostname
new file mode 100644
index 000000000..9fcf7b10e
--- /dev/null
+++ b/testing/hosts/dave/etc/hostname
@@ -0,0 +1 @@
+dave
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6ff11a424..000000000
--- a/testing/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/dave/etc/init.d/net.eth0 b/testing/hosts/dave/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/dave/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
index c9d559f0d..5c546e260 100755..100644
--- a/testing/hosts/dave/etc/ipsec.conf
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -1,24 +1,19 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 
 conn home
-	left=PH_IP_DAVE
+	left=192.168.0.200
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/hosts/dave/etc/network/interfaces b/testing/hosts/dave/etc/network/interfaces
new file mode 100644
index 000000000..59e526751
--- /dev/null
+++ b/testing/hosts/dave/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.200
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::20
+	netmask 16
diff --git a/testing/hosts/dave/etc/runlevels/default/net.eth0 b/testing/hosts/dave/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/dave/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/dave/etc/strongswan.conf b/testing/hosts/dave/etc/strongswan.conf
index 4c40f76cc..f7a87e90c 100644
--- a/testing/hosts/dave/etc/strongswan.conf
+++ b/testing/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/hosts/default/etc/default/slapd b/testing/hosts/default/etc/default/slapd
new file mode 100644
index 000000000..a4a0a6e2a
--- /dev/null
+++ b/testing/hosts/default/etc/default/slapd
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=/etc/ldap/slapd.conf
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/testing/hosts/default/etc/fstab b/testing/hosts/default/etc/fstab
new file mode 100644
index 000000000..12747232e
--- /dev/null
+++ b/testing/hosts/default/etc/fstab
@@ -0,0 +1 @@
+/hostshare /root/shared 9p trans=virtio,version=9p2000.L 0 0
diff --git a/testing/hosts/default/etc/ip6tables.flush b/testing/hosts/default/etc/ip6tables.flush
new file mode 100644
index 000000000..c3f5a9254
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.flush
@@ -0,0 +1,15 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/ip6tables.rules b/testing/hosts/default/etc/ip6tables.rules
new file mode 100644
index 000000000..6a2c6af8e
--- /dev/null
+++ b/testing/hosts/default/etc/ip6tables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow last UDP fragment
+-A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# allow crl and certficate fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s fec0::15 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d fec0::15 -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.drop b/testing/hosts/default/etc/iptables.drop
new file mode 100644
index 000000000..445c45669
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.drop
@@ -0,0 +1,12 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.flush b/testing/hosts/default/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/hosts/default/etc/iptables.rules b/testing/hosts/default/etc/iptables.rules
new file mode 100644
index 000000000..c3f036cf9
--- /dev/null
+++ b/testing/hosts/default/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/hosts/default/etc/ld.so.conf.d/strongswan.conf b/testing/hosts/default/etc/ld.so.conf.d/strongswan.conf
new file mode 100644
index 000000000..8648d0185
--- /dev/null
+++ b/testing/hosts/default/etc/ld.so.conf.d/strongswan.conf
@@ -0,0 +1 @@
+/usr/local/lib/ipsec
diff --git a/testing/hosts/default/etc/profile.d/coredumps.sh b/testing/hosts/default/etc/profile.d/coredumps.sh
new file mode 100644
index 000000000..ea44c0ef6
--- /dev/null
+++ b/testing/hosts/default/etc/profile.d/coredumps.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+ulimit -c unlimited >/dev/null 2>&1
+install -m 1777 -d /var/local/dumps >/dev/null 2>&1
+echo "/var/local/dumps/core.%e.%p" > /proc/sys/kernel/core_pattern
diff --git a/testing/hosts/default/etc/pts/data.sql b/testing/hosts/default/etc/pts/data.sql
new file mode 100644
index 000000000..35fd65753
--- /dev/null
+++ b/testing/hosts/default/etc/pts/data.sql
@@ -0,0 +1,846 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  3, 2, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/hosts/default/etc/pts/tables.sql b/testing/hosts/default/etc/pts/tables.sql
new file mode 100644
index 000000000..4cc959e09
--- /dev/null
+++ b/testing/hosts/default/etc/pts/tables.sql
@@ -0,0 +1,234 @@
+/* IMV PTS SQLite database */
+
+DROP TABLE IF EXISTS directories;
+CREATE TABLE directories (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  path TEXT NOT NULL
+);
+DROP INDEX IF EXISTS directories_path;
+CREATE INDEX directories_path ON directories (
+  path
+);
+
+DROP TABLE IF EXISTS files;
+CREATE TABLE files (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  dir INTEGER DEFAULT 0 REFERENCES directories(id),
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS files_name;
+CREATE INDEX files_name ON files (
+  name
+);
+
+DROP TABLE IF EXISTS products;
+CREATE TABLE products (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS products_name;
+CREATE INDEX products_name ON products (
+  name
+);
+
+DROP TABLE IF EXISTS algorithms;
+CREATE TABLE algorithms (
+  id INTEGER PRIMARY KEY,
+  name VARCHAR(20) not NULL
+);
+
+DROP TABLE IF EXISTS file_hashes;
+CREATE TABLE file_hashes (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  file INTEGER NOT NULL REFERENCES files(id),
+  product INTEGER NOT NULL REFERENCES products(id),
+  device INTEGER DEFAULT 0,
+  key INTEGER DEFAULT 0 REFERENCES keys(id),
+  algo INTEGER NOT NULL REFERENCES algorithms(id),
+  hash BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS keys;
+CREATE TABLE keys (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  keyid BLOB NOT NULL,
+  owner TEXT NOT NULL
+);
+DROP INDEX IF EXISTS keys_keyid;
+CREATE INDEX keys_keyid ON keys (
+  keyid
+);
+DROP INDEX IF EXISTS keys_owner;
+CREATE INDEX keys_owner ON keys (
+  owner
+);
+
+DROP TABLE IF EXISTS groups;
+CREATE TABLE groups (
+  id INTEGER NOT NULL PRIMARY KEY,
+  name VARCHAR(50) NOT NULL UNIQUE,
+  parent INTEGER
+);
+
+DROP TABLE IF EXISTS groups_members;
+CREATE TABLE groups_members (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  device_id INTEGER NOT NULL REFERENCES devices(id),
+  UNIQUE (group_id, device_id)
+);
+
+DROP TABLE IF EXISTS groups_product_defaults;
+CREATE TABLE groups_product_defaults (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  product_id INTEGER NOT NULL REFERENCES products(id),
+  UNIQUE (group_id, product_id)
+);
+
+DROP TABLE IF EXISTS policies;
+CREATE TABLE policies (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  name VARCHAR(100) NOT NULL UNIQUE,
+  argument TEXT DEFAULT '' NOT NULL,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  file INTEGER DEFAULT 0 REFERENCES files(id),
+  dir INTEGER DEFAULT 0 REFERENCES directories(id)
+);
+
+DROP TABLE IF EXISTS enforcements;
+CREATE TABLE enforcements (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  group_id INTEGER NOT NULL REFERENCES groups(id),
+  rec_fail INTEGER,
+  rec_noresult INTEGER,
+  max_age INTEGER NOT NULL,
+  UNIQUE (policy, group_id)
+);
+
+DROP TABLE IF EXISTS sessions;
+CREATE TABLE sessions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  time INTEGER NOT NULL,
+  connection INTEGER NOT NULL,
+  identity INTEGER DEFAULT 0 REFERENCES identities(id),
+  device INTEGER DEFAULT 0 REFERENCES devices(id),
+  product INTEGER DEFAULT 0 REFERENCES products(id),
+  rec INTEGER DEFAULT 3
+);
+
+DROP TABLE IF EXISTS workitems;
+CREATE TABLE workitems (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES sessions(id),
+  enforcement INTEGER NOT NULL REFERENCES enforcements(id),
+  type INTEGER NOT NULL,
+  arg_str TEXT,
+  arg_int INTEGER DEFAULT 0,
+  rec_fail INTEGER NOT NULL,
+  rec_noresult INTEGER NOT NULL,
+  rec_final INTEGER,
+  result TEXT
+);
+DROP INDEX IF EXISTS workitems_session;
+CREATE INDEX workitems_sessions ON workitems (
+  session
+);
+
+DROP TABLE IF EXISTS results;
+CREATE TABLE results (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session INTEGER NOT NULL REFERENCES measurements(id),
+  policy INTEGER NOT NULL REFERENCES policies(id),
+  rec INTEGER NOT NULL,
+  result TEXT NOT NULL
+);
+DROP INDEX IF EXISTS results_session;
+CREATE INDEX results_session ON results (
+  session
+);
+
+DROP TABLE IF EXISTS components;
+CREATE TABLE components (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  vendor_id INTEGER NOT NULL,
+  name INTEGER NOT NULL,
+  qualifier INTEGER DEFAULT 0
+);
+
+
+DROP TABLE IF EXISTS key_component;
+CREATE TABLE key_component (
+  key INTEGER NOT NULL,
+  component INTEGER NOT NULL,
+  depth INTEGER DEFAULT 0,
+  seq_no INTEGER DEFAULT 0,
+  PRIMARY KEY (key, component)
+);
+
+
+DROP TABLE IF EXISTS component_hashes;
+CREATE TABLE component_hashes (
+  component INTEGER NOT NULL,
+  key INTEGER NOT NULL,
+  seq_no INTEGER NOT NULL,
+  pcr INTEGER NOT NULL,
+  algo INTEGER NOT NULL,
+  hash BLOB NOT NULL,
+  PRIMARY KEY(component, key, seq_no, algo)
+);
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL,
+  blacklist INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+  name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  package INTEGER NOT NULL REFERENCES packages(id),
+  product INTEGER NOT NULL REFERENCES products(id),
+  release TEXT NOT NULL,
+  security INTEGER DEFAULT 0,
+  blacklist INTEGER DEFAULT 0,
+  time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+  release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+  package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  description TEXT DEFAULT '',
+  value TEXT NOT NULL,
+  product INTEGER REFERENCES products(id),
+  created INTEGER
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+  value
+);
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  value BLOB NOT NULL,
+  UNIQUE (type, value)
+);
+
diff --git a/testing/hosts/default/etc/rsyslog.conf b/testing/hosts/default/etc/rsyslog.conf
new file mode 100644
index 000000000..9f76da36e
--- /dev/null
+++ b/testing/hosts/default/etc/rsyslog.conf
@@ -0,0 +1,125 @@
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog   # provides kernel logging support
+#$ModLoad immark  # provides --MARK-- message capability
+
+# Don't drop messages
+$SystemLogRateLimitInterval 0
+$RepeatedMsgReduction off
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+daemon.*			/var/log/daemon.log
+kern.*				-/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info			-/var/log/mail.info
+mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit			/var/log/news/news.crit
+news.err			/var/log/news/news.err
+news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+	auth,authpriv.none;\
+	news.none;mail.none	-/var/log/debug
+*.=info;*.=notice;*.=warn;\
+	auth,authpriv.none;\
+	cron,daemon.none;\
+	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+daemon.*;mail.*;\
+	news.err;\
+	*.=debug;*.=info;\
+	*.=notice;*.=warn	|/dev/xconsole
diff --git a/testing/hosts/default/etc/security/limits.conf b/testing/hosts/default/etc/security/limits.conf
new file mode 100644
index 000000000..2658b3236
--- /dev/null
+++ b/testing/hosts/default/etc/security/limits.conf
@@ -0,0 +1,58 @@
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - an user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#        - NOTE: group and wildcard limits are not applied to root.
+#          To apply a limit to the root user, <domain> must be
+#          the literal username root.
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open files
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#        - chroot - change root to directory (Debian-specific)
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#root            hard    core            100000
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#ftp             -       chroot          /ftp
+#@student        -       maxlogins       4
+
+* soft core unlimited
+
+# End of file
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
new file mode 100644
index 000000000..07b7e78e5
--- /dev/null
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -0,0 +1,13 @@
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+UsePrivilegeSeparation no
+PermitRootLogin yes
+StrictModes no
+PubkeyAuthentication no
+PermitEmptyPasswords yes
+PrintMotd no
+PrintLastLog no
+UsePAM no
diff --git a/testing/hosts/default/etc/sysctl.conf b/testing/hosts/default/etc/sysctl.conf
new file mode 100644
index 000000000..43010d52e
--- /dev/null
+++ b/testing/hosts/default/etc/sysctl.conf
@@ -0,0 +1,62 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+
+# Enable coredump for suid binaries
+fs.suid_dumpable = 1
diff --git a/testing/hosts/default/root/.bashrc b/testing/hosts/default/root/.bashrc
new file mode 100644
index 000000000..078dbd601
--- /dev/null
+++ b/testing/hosts/default/root/.bashrc
@@ -0,0 +1,11 @@
+# don't store duplicate entries in the history
+export HISTCONTROL=erasedups
+# use a simple prompt of host:pwd# (user is always root)
+PS1='\h:\w\$ '
+# set the terminal title to host:pwd
+case $TERM in
+xterm*)
+	PROMPT_COMMAND='echo -ne "\033]0;${HOSTNAME}:${PWD}\007"'
+	;;
+esac
+
diff --git a/testing/hosts/default/root/.ssh/config b/testing/hosts/default/root/.ssh/config
new file mode 100644
index 000000000..aa102a144
--- /dev/null
+++ b/testing/hosts/default/root/.ssh/config
@@ -0,0 +1,3 @@
+Host *
+	StrictHostKeyChecking no
+	UserKnownHostsFile /dev/null
diff --git a/testing/hosts/default/usr/local/bin/expect-connection b/testing/hosts/default/usr/local/bin/expect-connection
new file mode 100755
index 000000000..10a709255
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/expect-connection
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Wait until a given IPsec connection becomes available
+#
+# Params:
+# $1 - connection name
+# $2 - maximum time to wait in seconds, default is 5 seconds
+
+if [[ $# -lt 1 || $# -gt 2 ]]
+then
+	echo "invalid arguments"
+	exit 1
+fi
+
+secs=$2
+[ ! $secs ] && secs=5
+
+let steps=$secs*10
+for i in `seq 1 $steps`
+do
+	ipsec statusall 2>&1 | grep ^[[:space:]]*$1: >/dev/null
+	[ $? -eq 0 ] && exit 0
+	sleep 0.1
+done
+
+echo "Connection '$1' not available after $secs second(s)"
+exit 1
diff --git a/testing/hosts/default/usr/local/bin/expect-file b/testing/hosts/default/usr/local/bin/expect-file
new file mode 100755
index 000000000..6921b6638
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/expect-file
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Wait until a given file appears
+#
+# Params:
+# $1 - filename
+# $2 - maximum time to wait in seconds, default is 5 seconds
+
+if [[ $# -lt 1 || $# -gt 2 ]]
+then
+	echo "invalid arguments"
+	exit 1
+fi
+
+secs=$2
+[ ! $secs ] && secs=5
+
+let steps=$secs*10
+for i in `seq 1 $steps`
+do
+	# -f does not work for special files (e.g. UNIX domain sockets), use ls
+	# instead
+	ls $1 >/dev/null 2>&1
+	[ $? -eq 0 ] && exit 0
+	sleep 0.1
+done
+
+echo "File '$1' not available after $secs second(s)"
+exit 1
diff --git a/testing/hosts/moon/etc/conf.d/hostname b/testing/hosts/moon/etc/conf.d/hostname
deleted file mode 100644
index 78e695337..000000000
--- a/testing/hosts/moon/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=moon
diff --git a/testing/hosts/moon/etc/conf.d/net b/testing/hosts/moon/etc/conf.d/net
deleted file mode 100644
index 7f09fd8a5..000000000
--- a/testing/hosts/moon/etc/conf.d/net
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_MOON broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_MOON/16" )
-config_eth1=( "PH_IP_MOON1 broadcast 10.1.255.255 netmask 255.255.0.0"
-              "PH_IP6_MOON1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/moon/etc/hostname b/testing/hosts/moon/etc/hostname
new file mode 100644
index 000000000..605185ef1
--- /dev/null
+++ b/testing/hosts/moon/etc/hostname
@@ -0,0 +1 @@
+moon
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f5fa80b26..000000000
--- a/testing/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/moon/etc/init.d/net.eth0 b/testing/hosts/moon/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/init.d/net.eth1 b/testing/hosts/moon/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
index b1e6549cf..623e75d0a 100755..100644
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -1,31 +1,26 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
+	left=192.168.0.1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
 
 conn net-net
 	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
 	auto=add
-        
+
 conn host-host
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightid=@sun.strongswan.org
 	auto=add
 
diff --git a/testing/hosts/moon/etc/network/interfaces b/testing/hosts/moon/etc/network/interfaces
new file mode 100644
index 000000000..fde2f102f
--- /dev/null
+++ b/testing/hosts/moon/etc/network/interfaces
@@ -0,0 +1,21 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.1
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::1
+	netmask 16
+
+auto eth1
+iface eth1 inet static
+	address 10.1.0.1
+	netmask 255.255.0.0
+	broadcast 10.1.255.255
+iface eth1 inet6 static
+	address fec1::1
+	netmask 16
diff --git a/testing/hosts/moon/etc/rc.local b/testing/hosts/moon/etc/rc.local
new file mode 100755
index 000000000..8649a2bcb
--- /dev/null
+++ b/testing/hosts/moon/etc/rc.local
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+
+# Disable checksum offloading on eth1 because it does not currently work with
+# libvirt and isc-dhcp-server running on venus, see [1]
+# [1] - https://bugs.mageia.org/show_bug.cgi?id=1243
+
+ethtool --offload eth1 tx off >/dev/null 2>&1
+ethtool --offload eth1 rx off >/dev/null 2>&1
+
+exit 0
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth0 b/testing/hosts/moon/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth1 b/testing/hosts/moon/etc/runlevels/default/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/moon/etc/runlevels/default/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/moon/etc/strongswan.conf b/testing/hosts/moon/etc/strongswan.conf
index 4c40f76cc..f7a87e90c 100644
--- a/testing/hosts/moon/etc/strongswan.conf
+++ b/testing/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/hosts/ssh_host_rsa_key.pub b/testing/hosts/ssh_host_rsa_key.pub
deleted file mode 100644
index a5f71de4e..000000000
--- a/testing/hosts/ssh_host_rsa_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsxKfTm05po6leGD8C+M0eAR5EE4s1pQXc0D/dVlqrmfZ65h5BFQY9lnwpCvapV6OVqKWx8ICmeIH3OhaPxPPNKlU81f3d0xgh8BRJpWh459DYkRVa5f7ax5eeFE1lelj9s1d0seUl/IZolpJ8Wmt9TN1hwJ0mrkwN4670rb3urc=
diff --git a/testing/hosts/sun/etc/conf.d/hostname b/testing/hosts/sun/etc/conf.d/hostname
deleted file mode 100644
index bc042b68b..000000000
--- a/testing/hosts/sun/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=sun
diff --git a/testing/hosts/sun/etc/conf.d/net b/testing/hosts/sun/etc/conf.d/net
deleted file mode 100644
index 4a6370ab7..000000000
--- a/testing/hosts/sun/etc/conf.d/net
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_SUN broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_SUN/16" )
-config_eth1=( "PH_IP_SUN1 broadcast 10.2.255.255 netmask 255.255.0.0"
-              "PH_IP6_SUN1/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
-
-
diff --git a/testing/hosts/sun/etc/hostname b/testing/hosts/sun/etc/hostname
new file mode 100644
index 000000000..692699759
--- /dev/null
+++ b/testing/hosts/sun/etc/hostname
@@ -0,0 +1 @@
+sun
diff --git a/testing/hosts/sun/etc/init.d/iptables b/testing/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index aeaf472fb..000000000
--- a/testing/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/sun/etc/init.d/net.eth0 b/testing/hosts/sun/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/init.d/net.eth1 b/testing/hosts/sun/etc/init.d/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/init.d/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf
index 083e58970..2f979f122 100755..100644
--- a/testing/hosts/sun/etc/ipsec.conf
+++ b/testing/hosts/sun/etc/ipsec.conf
@@ -1,37 +1,31 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_SUN
+	left=192.168.0.2
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
 
 conn net-net
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
 
 conn host-host
-	right=PH_IP_MOON
+	right=192.168.0.1
 	rightid=@moon.strongswan.org
 	auto=add
 
 conn nat-t
 	leftsubnet=10.2.0.0/16
 	right=%any
-	rightsubnetwithin=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/hosts/sun/etc/network/interfaces b/testing/hosts/sun/etc/network/interfaces
new file mode 100644
index 000000000..841735af1
--- /dev/null
+++ b/testing/hosts/sun/etc/network/interfaces
@@ -0,0 +1,21 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.2
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::2
+	netmask 16
+
+auto eth1
+iface eth1 inet static
+	address 10.2.0.1
+	netmask 255.255.0.0
+	broadcast 10.2.255.255
+iface eth1 inet6 static
+	address fec2::1
+	netmask 16
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth0 b/testing/hosts/sun/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth1 b/testing/hosts/sun/etc/runlevels/default/net.eth1
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/sun/etc/runlevels/default/net.eth1
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/sun/etc/strongswan.conf b/testing/hosts/sun/etc/strongswan.conf
index 4c40f76cc..f7a87e90c 100644
--- a/testing/hosts/sun/etc/strongswan.conf
+++ b/testing/hosts/sun/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/hosts/venus/etc/conf.d/hostname b/testing/hosts/venus/etc/conf.d/hostname
deleted file mode 100644
index c9e3dd1d4..000000000
--- a/testing/hosts/venus/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=venus
diff --git a/testing/hosts/venus/etc/conf.d/net b/testing/hosts/venus/etc/conf.d/net
deleted file mode 100644
index 43ec97807..000000000
--- a/testing/hosts/venus/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_VENUS broadcast 10.1.255.255 netmask 255.255.0.0"
-              "PH_IP6_VENUS/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via PH_IP_MOON1" )
diff --git a/testing/hosts/venus/etc/hostname b/testing/hosts/venus/etc/hostname
new file mode 100644
index 000000000..acf16d8be
--- /dev/null
+++ b/testing/hosts/venus/etc/hostname
@@ -0,0 +1 @@
+venus
diff --git a/testing/hosts/venus/etc/init.d/iptables b/testing/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 1097ac5a4..000000000
--- a/testing/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/hosts/venus/etc/init.d/net.eth0 b/testing/hosts/venus/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/venus/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf
index 86cd6c9d4..e4604cb44 100755..100644
--- a/testing/hosts/venus/etc/ipsec.conf
+++ b/testing/hosts/venus/etc/ipsec.conf
@@ -1,25 +1,19 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 
 conn nat-t
-	left=%defaultroute
+	left=%any
 	leftcert=venusCert.pem
 	leftid=@venus.strongswan.org
 	leftfirewall=yes
-	right=PH_IP_SUN
+	right=192.168.0.2
 	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
 	auto=add
diff --git a/testing/hosts/venus/etc/network/interfaces b/testing/hosts/venus/etc/network/interfaces
new file mode 100644
index 000000000..9cbae6041
--- /dev/null
+++ b/testing/hosts/venus/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 10.1.0.20
+	netmask 255.255.0.0
+	broadcast 10.1.255.255
+	gateway 10.1.0.1
+iface eth0 inet6 static
+	address fec1::20
+	netmask 16
diff --git a/testing/hosts/venus/etc/runlevels/default/net.eth0 b/testing/hosts/venus/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/venus/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/venus/etc/strongswan.conf b/testing/hosts/venus/etc/strongswan.conf
index 4c40f76cc..f7a87e90c 100644
--- a/testing/hosts/venus/etc/strongswan.conf
+++ b/testing/hosts/venus/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
new file mode 100644
index 000000000..6f5f3011c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text
@@ -0,0 +1 @@
+AddType text/plain .iptables .log .sql
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
deleted file mode 100644
index 0de3b268d..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
-Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
-X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
-FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
-4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
-7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
-gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
-K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
-DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
-ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
-Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
-lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
-+g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
-UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
-0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
-gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
------END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
deleted file mode 100644
index 956c217d9..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l
-dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ
-F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa
-r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26
-sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk
-wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H
-AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV
-HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm
-MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG
-A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290
-IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud
-HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh
-bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG
-6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw
-p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc
-yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln
-JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw
-4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow=
------END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
deleted file mode 100644
index 727027188..000000000
--- a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqX
-uh16Ahe3S5vZF56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/
-u7BlyqpBUtLar14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRB
-K2gQGBUULo26sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqV
-jlKyqG7vdggkwW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3Mu
-OP3FNHIRMd2HAcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABAoIBACYiWrCgl8B/c4Lz
-Uay4Tlm8hvQ/zQJjY3v93EXwbB21hBV8qrYlt9zGfHqj+5q2vsbB9c0pzdO2VDba
-EWueS2fUIWhglEG5VCebrztNCldx2O7jo9bMk8iBt+oLNaJunSK7ACeYHHGcE7dF
-KZh1eyd7z4+SMBWZqmhO5ZisasQoHCusVGepcyyMGQNkc3XKJ6resGAsOqrOoq7Q
-C4vO5Kkbnk8nnEGmQ/ldD8LwIyq1hzVLDiiqWXZgh6S5l4BEo7Dy3KYrZoZfVcZK
-GMVhAI2+uA1ZqY9twpwryT6VZ3eK4DXF/COQntiBW5pLOpaqTOnKqiVmZFwfbo3u
-cq8n5jkCgYEA5zgzRLifbM0q34c2HX8pTegh+BH7MGCxtcoU2uRPaXiGkqQObHI9
-aItrgUQp+pAmKSBnEWJKgKsOh2Uf5ogjIeNuruGG/AXw/Pw2ORHNueenhDuhu69T
-E2I4yxT3PPYbdzJ4ylBElfgm9WTrv7Wi7wSSfgQ6rEFdWukXa5vvsqMCgYEA1K+q
-m1Jv9MGVIVc6MxhuOOj2Ym+qcWt/Pjvg78rR8SRsKwHlGTuv1rdWUSXYDr3f2Nf7
-6DdbJtaSx5f8gY/UG34yGZx5FFbYV03vcCYBaLXsi/b6H7vb/VW74Y5g6bXqnprv
-4mcdVU7xfyNFgdbLPAP9sYVLijPYDwm0Qq3cz/8CgYBKSJz4BBR8AQI4JBl3qoXb
-mKtpJmW76iTN0amXlWgJ64XYkMptftpJvxj/w6V08WDBL77NL/XdlpcpWozAJJac
-6ZOCrcQPLd15eZH2Dck5Y7pG2l2gjbgz7wdt/0NbG3pBdj6mSNlwEPR7PDwdMD6z
-aZWi1LsA4lMaxO4YTVXZ3wKBgQCoFhTNH/+e/YawjNFQJFSn4WUnMn0Pmhc7xfLl
-T/NPkqtx6dN3d7ZmCQrMow33yJOqOje5tFXzgc0KtNE4S8Uj3T4XA5SlQGVFyjAa
-/85JRM2naA8RGVSpCCKuBeoNilnb8zL2SOvjyboN8oAyNuDzk2vh6ihjFsoASHkP
-4XwLXQKBgQC0k6rzt/plIwEiP56XXOqwOxJj6kuE/hx1zGIiGT6lWiOsih20Ym2T
-kYegVFvuDIWmSIAxGONWyee1lfnJbEuaHRixWQTnHUpqrU0FSnZTubnR3q/faZat
-hrvLDdpa0ydAKoMEn3qUPSrh3CdBfi3KTQAQn2Mlk7bGHh9ICWi3vA==
------END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf b/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf
deleted file mode 100644
index 72b7e0ea4..000000000
--- a/testing/hosts/winnetou/etc/apache2/modules.d/00_mod_mime.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-# DefaultType: the default MIME type the server will use for a document
-# if it cannot otherwise determine one, such as from filename extensions.
-# If your server contains mostly text or HTML documents, "text/plain" is
-# a good value.  If most of your content is binary, such as applications
-# or images, you may want to use "application/octet-stream" instead to
-# keep browsers from trying to display binary files as though they are
-# text.
-DefaultType text/plain
-
-<IfModule mime_module>
-# TypesConfig points to the file containing the list of mappings from
-# filename extension to MIME-type.
-TypesConfig /etc/mime.types
-
-# AddType allows you to add to or override the MIME configuration
-# file specified in TypesConfig for specific file types.
-#AddType application/x-gzip .tgz
-
-# AddEncoding allows you to have certain browsers uncompress
-# information on the fly. Note: Not all browsers support this.
-#AddEncoding x-compress .Z
-#AddEncoding x-gzip .gz .tgz
-
-# If the AddEncoding directives above are commented-out, then you
-# probably should define those extensions to indicate media types:
-AddType application/x-compress .Z
-AddType application/x-gzip .gz .tgz
-
-# AddHandler allows you to map certain file extensions to "handlers":
-# actions unrelated to filetype. These can be either built into the server
-# or added with the Action directive (see below)
-
-# To use CGI scripts outside of ScriptAliased directories:
-# (You will also need to add "ExecCGI" to the "Options" directive.)
-AddHandler cgi-script .cgi
-
-# For files that include their own HTTP headers:
-#AddHandler send-as-is asis
-
-# For server-parsed imagemap files:
-#AddHandler imap-file map
-
-# For type maps (negotiated resources):
-AddHandler type-map var
-
-# Filters allow you to process content before it is sent to the client.
-#
-# To parse .shtml files for server-side includes (SSI):
-# (You will also need to add "Includes" to the "Options" directive.)
-#AddType text/html .shtml
-#AddOutputFilter INCLUDES .shtml
-</IfModule>
-
-<IfModule mime_magic_module>
-# The mod_mime_magic module allows the server to use various hints from the
-# contents of the file itself to determine its type.  The MIMEMagicFile
-# directive tells the module where the hint definitions are located.
-MIMEMagicFile /etc/apache2/magic
-</IfModule>
-
-# vim: ts=4 filetype=apache
diff --git a/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost
new file mode 100644
index 000000000..b76080e37
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/sites-enabled/001-ocsp_vhost
@@ -0,0 +1,54 @@
+# OCSP Server
+
+Listen 8880
+
+AddHandler cgi-script .cgi
+
+<VirtualHost *:8880>
+    ServerAdmin  root@strongswan.org
+    DocumentRoot /etc/openssl/ocsp
+    ServerName   ocsp.strongswan.org
+    ServerAlias	 192.168.0.150
+    DirectoryIndex ocsp.cgi
+    <Directory "/etc/openssl/ocsp">
+       Options  +ExecCGI
+       Order allow,deny
+       Allow from all
+   </Directory>
+   ErrorLog     /var/log/apache2/ocsp/error_log
+   CustomLog    /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+Listen 8881
+
+<VirtualHost *:8881>
+    ServerAdmin  root@research.strongswan.org
+    DocumentRoot /etc/openssl/research/ocsp
+    ServerName   ocsp.research.strongswan.org
+    ServerAlias	 ocsp.strongswan.org 192.168.0.150
+    DirectoryIndex ocsp.cgi
+    <Directory "/etc/openssl/research/ocsp">
+       Options +ExecCGI
+       Order allow,deny
+       Allow from all
+   </Directory>
+   ErrorLog     /var/log/apache2/ocsp/error_log
+   CustomLog    /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+Listen 8882
+
+<VirtualHost *:8882>
+    ServerAdmin  root@sales.strongswan.org
+    DocumentRoot /etc/openssl/sales/ocsp
+    ServerName   ocsp.sales.strongswan.org
+    ServerAlias	 ocsp.strongswan.org 192.168.0.150
+    DirectoryIndex ocsp.cgi
+    <Directory "/etc/openssl/sales/ocsp">
+       Options +ExecCGI
+       Order allow,deny
+       Allow from all
+   </Directory>
+   ErrorLog     /var/log/apache2/ocsp/error_log
+   CustomLog    /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
diff --git a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
deleted file mode 100644
index 9a32412db..000000000
--- a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# OCSP Server
-
-Listen 8880
-
-<VirtualHost *:8880>
-    ServerAdmin  root@strongswan.org
-    DocumentRoot /etc/openssl/ocsp
-    ServerName   ocsp.strongswan.org
-    ServerAlias	 192.168.0.150
-    DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/ocsp">
-       Options  +ExecCGI
-       Order allow,deny
-       Allow from all
-   </Directory>
-   ErrorLog     /var/log/apache2/ocsp/error_log
-   CustomLog    /var/log/apache2/ocsp/access_log combined
-</VirtualHost>
-
-Listen 8881
-
-<VirtualHost *:8881>
-    ServerAdmin  root@research.strongswan.org
-    DocumentRoot /etc/openssl/research/ocsp
-    ServerName   ocsp.research.strongswan.org
-    ServerAlias	 ocsp.strongswan.org 192.168.0.150
-    DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/research/ocsp">
-       Options +ExecCGI
-       Order allow,deny
-       Allow from all
-   </Directory>
-   ErrorLog     /var/log/apache2/ocsp/error_log
-   CustomLog    /var/log/apache2/ocsp/access_log combined
-</VirtualHost>
-
-Listen 8882
-
-<VirtualHost *:8882>
-    ServerAdmin  root@sales.strongswan.org
-    DocumentRoot /etc/openssl/sales/ocsp
-    ServerName   ocsp.sales.strongswan.org
-    ServerAlias	 ocsp.strongswan.org 192.168.0.150
-    DirectoryIndex ocsp.cgi
-    <Directory "/etc/openssl/sales/ocsp">
-       Options +ExecCGI
-       Order allow,deny
-       Allow from all
-   </Directory>
-   ErrorLog     /var/log/apache2/ocsp/error_log
-   CustomLog    /var/log/apache2/ocsp/access_log combined
-</VirtualHost>
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+32329.key b/testing/hosts/winnetou/etc/bind/K.+008+32329.key
new file mode 100644
index 000000000..9f4e5ea5d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+32329.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 32329, for .
+; Created: 20130213194956 (Wed Feb 13 20:49:56 2013)
+; Publish: 20130213194956 (Wed Feb 13 20:49:56 2013)
+; Activate: 20130213194956 (Wed Feb 13 20:49:56 2013)
+. IN DNSKEY 257 3 8 AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO O9fOgGnjzAk=
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+32329.private b/testing/hosts/winnetou/etc/bind/K.+008+32329.private
new file mode 100644
index 000000000..8ad5cd6ae
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+32329.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: tyyRqtq0WC+C9eXRs2rgjjdkHN32Nieg+qwhwDRqGpeVRNRr5zZfM3aZLsMZwjhnkaf7y/8iHiVAlCuV/0j9zYeOigICwrVsDlxFLYOJT5svoZ7Scu2805/gLQwcYutZwM42DlCgvQ5wW8xe5S068OSggx218NgNJzET29KiRz3xLHnnf8xPGmyxd4z2L45q4aqiEhlT4xVF1bC8k+J4IvsxrhsC22Ab4pJtDLvH+pc8hKirPAZC8LGwv3d+8P9ymn4rOKoDSgf4N+vK9zmdZ0J2triBjPtYIUXBxjU9bo9svmJ7iOeOXdZbGim7NPjocpE7EOET4U47186AaePMCQ==
+PublicExponent: AQAB
+PrivateExponent: cOOQ6uFa4DZ32aBHuvGVb1CH7JqHER0fQx4utswW0Ei3f/IChj6mMYtYIM+w4lfszIHg1vpoRnfi8u5hxTFw6egvWrKejO1OqRMIt2Inj94uXscJIDeQdkRD3r9mBzjQ2di8y9m5For9iDXODiPv/WKJ4gS/iq08ffjrKkEILirduFpG+EcopBy4MJeAMAkATkRsATEHgEbyqulP7gMwAnQ6vXFbTybfZQWWSgANabGikKMmGroJMChBGJ2Q9c7mHVpXu2IhMqYRKHWmBA5v/OrEc21dNxRGXsZuq+iu3P8o5MLHgX6YDB9nB3OVb47Prg/BxHYdQid2PwX0A0qZeQ==
+Prime1: 2ovikMXe1sTJ2xYPHgofDMmDXUwgpHu/nsCbdDHhyHIMllLXWsefuAFGQug/DDDg69oZGhNkah53uU9XAEyy6uiFJKgnzBTqCg+QmuZnuiuiQ4QjZ/g2x6R2MvzTZLOAQOaOLA3GVsgOh5msyO1kaatES4m2Pbp3xF6CYkhVRlc=
+Prime2: 1pDSXUoE/dwWCebwJHyKLQ3RSGn1o3EHeKZKnqZpABMSPs7imeoVQVZomidjUjHxkB9jbE8nqN15U/Ui4WuZKM+LPbiknaC+h2Y8v6p3u5XQSR0l1cWwdo7BZtdUkcuqSwpL0mnwnmLc6ZQrr13GXnk3qm1ymXST3MFWCWjyRJ8=
+Exponent1: 02q1b8XrT6qpd2a8kxvJc85RZWTqwxPviDzdZaeHuygRYy6apHgu24toE/umWj3CqIag9+fAoSP+P+cvy9tmzfbILnD5puSoj7kE88RmnePuIhBnTAIDxFgl/Cc2vNkk/iPLb3SX5YW9AJK6Ytm75LlI5SZAhTCpAe9HhJpi3Bs=
+Exponent2: deHfEY3nLCnMmegdK46Yw6QBxU0hvYgN2MVT3dIDghz4OzWi3Xjz8I+urHLTaIcz9kCoeQsL+QSk8fGOFlbtMLTGBUT6e/eidfU/jvXzDkaCxoiTDt2r05cevoezWN6SUuP3QEUgA4TBZjsXvSNCJwlmAeZbvd+ElRZLVKQp5nU=
+Coefficient: mtSrbS9kgU1yoTaaY4C6jTnfa43wvHi9pGHW5TUSjRQ9YnCsxy6GiuhmCcKB4iDUzWvIHehfGF5A8UaIF4GvIWcSj1FYO1uBrre5mKMxk89Y7oGtwF2qVbpPHAL4GKHPOUzmfr0vR+nT1PFs1Gr1BF+hkYgluh05KEu0flOZoAk=
+Created: 20130213194956
+Publish: 20130213194956
+Activate: 20130213194956
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+43749.key b/testing/hosts/winnetou/etc/bind/K.+008+43749.key
new file mode 100644
index 000000000..de00dec2d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+43749.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 43749, for .
+; Created: 20130213194939 (Wed Feb 13 20:49:39 2013)
+; Publish: 20130213194939 (Wed Feb 13 20:49:39 2013)
+; Activate: 20130213194939 (Wed Feb 13 20:49:39 2013)
+. IN DNSKEY 256 3 8 AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK 9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz wHw3Arp5
diff --git a/testing/hosts/winnetou/etc/bind/K.+008+43749.private b/testing/hosts/winnetou/etc/bind/K.+008+43749.private
new file mode 100644
index 000000000..fb0f442f3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/K.+008+43749.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 0xL4LJb2bzIHqvCuqx18xbjUBaKbVP96GDhSf/2oAMURk31Ps0r08j4MPcOvvZnZk7iGspcHZd7SeW+wJSNN8LB0aqDP1gu/ZZ9fOpGSzEWBBebMB0bskYf7tiZersAAXfbjpxpr7AxcAZF1RQKJB/zsKcBplcnWRTPAfDcCunk=
+PublicExponent: AQAB
+PrivateExponent: MWEqtiPLG1B1AsSz2ExZuFf5IihcdpIeGjRy+IZ7G1L/PaX/U06h51okuv5gytaHVEvDF1zF2ks6qjY62zVbMhr69/a6XjP6QWtiDmJgAnOjRqnKs8ZfEE3rsdauDtPPUIclNr9LnJtOz32oVlvxQXn/zVCE421eKlIKZIS0AEE=
+Prime1: 8iaE9VEf9lmYEBM7m5Z/maTvP+RjYvmVx7gdnBDzHkw1ZZkc/27sSI1bvgPZ55ZSiH+324OHwQp3A5m2P9th1Q==
+Prime2: 3yVw5TpfBOSteVUMtkvUqI7o0TnUoMeGuKZyXUo8GfQz8oGKoZgmdBJTETmmV4gXPtaEMFUxD4PhJw5ralrkFQ==
+Exponent1: QPWeY2Tw6xhb16whKHr2HhSF7iDpnIqR6LL2loBhh/YvuOKbSdbK4iexvcawtRS5bU691tBxIZMaHEgnAPhsRQ==
+Exponent2: iw5B9BcT73CxydJ+QXuv4fpsizWGk0rDYX4X9pq0KVhMpuqjAWBXVi21Jh7O0e00zyvO5G+ySwDb5gLOXVCWoQ==
+Coefficient: b46+74v/ETHVVKxqdXZWf9r5RL/08AyxScYrT5qDXhJ+QeGZa1jRxrWp469FWltzliP68jLh2om6F4IjAK5o0g==
+Created: 20130213194939
+Publish: 20130213194939
+Activate: 20130213194939
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key
new file mode 100644
index 000000000..44043b485
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 24285, for org.
+; Created: 20130213191908 (Wed Feb 13 20:19:08 2013)
+; Publish: 20130213191908 (Wed Feb 13 20:19:08 2013)
+; Activate: 20130213191908 (Wed Feb 13 20:19:08 2013)
+org. IN DNSKEY 256 3 8 AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn zoNbB0g9
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private
new file mode 100644
index 000000000..e707bb6bb
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+24285.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: rog7fQwWWDKPSEkt7S+q8cuvX/iREI2X8GLPtVjCDNGSJjEfEslT6Lz+v2sRZTzlDpYS3vvFD4fLHPCahelJoy3KZiJ80Vme/CXfUJuTMgEVO0FRDcEIpmO/RaCksTEOoAqByUJYFnU+se8OfUdOXqYyAKmJai2HOSfOg1sHSD0=
+PublicExponent: AQAB
+PrivateExponent: Enac/HSL5Jasq7P6JM5XIi8vBVMRXZPtD+QUHxYdqSd+c4XcyKr9snBT7sIP3AreHHXp1ycBSMxPw2b8oc/1Fx5UcCdfL2Sygw2l9oDG2nVWX5taLZgNe1t+Bbsf7fqUxBu0fYHx42xvRHPNwV+8VsDa2TDGRImH8MlPuVbHt2E=
+Prime1: 375Bu+m6egBN6k2P82oE8mUuLVYnJDOQ90ipG6Vcfxy7HTzObX+Ismw171oMASLrwMV8UWohp8cbFiira/4ruQ==
+Prime2: x7G7d58Pycz+Wox3ez8/livTQ4wXYb/ykUzgycOVJaPPRX9siz10rVfl5Y3sXQlsR4xFSl6GKFAc11MbmS7qpQ==
+Exponent1: aPk+pgd28h6Kb8+MJkwrnf5St/qfyqBW924jyVDAIPM95u3MfBtF61BRzcaVs0LLEVqWhSwiNjF4R+E07CoIIQ==
+Exponent2: T3kaZJb3D5b3u02f13rqcXdrkrxUKeDcRptT8rhVyS8SNFRr/FYu8zXCFsOOx9ASOb9HbDuGJNENSVyX5TTYyQ==
+Coefficient: GsFR4s38eNTqazXvDLcSG+166dSIRRWUrIMR85veIchQY7lsFTRFEmwKX43OsXvSZUMIE2svwIgclhP/FefcUw==
+Created: 20130213191908
+Publish: 20130213191908
+Activate: 20130213191908
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key
new file mode 100644
index 000000000..7a617ecbe
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 51859, for org.
+; Created: 20130213191920 (Wed Feb 13 20:19:20 2013)
+; Publish: 20130213191920 (Wed Feb 13 20:19:20 2013)
+; Activate: 20130213191920 (Wed Feb 13 20:19:20 2013)
+org. IN DNSKEY 257 3 8 AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8 lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+ v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL DtYdKb9mGnk=
diff --git a/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private
new file mode 100644
index 000000000..698cb4f80
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Korg.+008+51859.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 8DKIg0XX98jJ5uIBmEbeQXG/X6PcPdPE0E9xxuJVSBhKex73mZuafjQqCC4KWOiLqQO7XRCj5dTClHvx0YmKq8p96PtzPrBsivmq70q/t/yUk9FDaKDFn/RkItcZujNG5AbLf2SVB4b3x/DE2TMepdHGSHICCljwTYG6ZGyLYJxr+8oX7o6k3H1vxFcgFxRN2HHRWOD7eBiFJFHWs8HXrSxtov6/cXG/1nM4hj16R+is3G6pX39TQMKI6GClkLsf7lKE9vRU3Ni+/QjAgAZU9UQl2HlI09DQtyU9dxHdq/4OmO91jmgA6f+Ys8IePEGfM6XtDc/jd0sO1h0pv2YaeQ==
+PublicExponent: AQAB
+PrivateExponent: pJ69mNqhbZ0bYzW6Shcn9Ep1EqNHKsictvf7zocIU+TyBvfuUkSm2Z/+vqRvSwf1z9xS6TGiYr4yrXlU/nr5o0ugh7DuByT6/zSlxmLAiuR9H+HoBSlKyJnCl248n7TM/TL6/VB+Iy6JW2rUPtgeRR9EehpI87aI21Xx3SnXTFoUTP7Z9HwoWEPOaU1SfYvBDLjZ0GTtMJ4i/LRB/rC6sbetqru4MTCAhsr8VrcH6YsFu5JrlmG+/dTEi005DrZPUOnKaDf4w3TbgSeTfbFJmvpfOoJObGm+Pc1PtxgfVUVdDWGK/LSNbTdqPQkPGlOI1sUETFNMKOY0S66H5q44QQ==
+Prime1: /y8kGw8mAtAuvISUtlUao7srcSphvvMLpxvgOB22u2wgzD51VdPRr2Inv1SJN7SGoJ9ERNLnfBnc1KFBOqtvf5uOwHD4++U80H+qWS+1aNgmMEa+IQ5WamQSPvUWFkhF6TjJnwY4rATfK2FGh00n6O3IOMjDxYyDs/M/j62/VQ0=
+Prime2: 8PcgSGgYGveDwkocfVkF0uuWRMVtfY3O/tiYSuCfkFP/++7eKMXQekmBay+5a5YUSZ6UwDFqduC/tYIuvGBi0rv+lzZJ8ydz/sdmQ+aqS3/g6oerGaTUjRV560OKWCwiMIfwQqaN+ivXdBFgGCJnaah65wiQ9W0xeTJqORQxWB0=
+Exponent1: dL3+SJrPiu3u07PbzOZ2P317TFRVT2QlapfoJgQB+xBmmMniKBe1kATZpkBoXiGqjYUPWGUcHbw/OM9k5hBT/A8QaZ3FaoffIIunRRH8bjCkl+VlSf4jLp0Fc+Pv7NW3lhCyvJu+BYRdDJ1+BJwZrAhMVx4R4ih8gDDCXVrhc2k=
+Exponent2: QQvEuCb5UtY7yAevdxq/2rbjon7U1o6gMOUQ/y1xhUlXkY9igwkbBNewytlgKS2jHlhjeRodzidPONUCfrFaG97Jk9IA1lVxF3aGIZAzqhvEACtNQafgBJGmjp51yuVm+UjIz4UcUErjZx6FnR40Yi4rtw/16XpnX3r/d5b+1vU=
+Coefficient: hAE0/Fdc6enFMymrfGW8o4lDauKQj7yQ16hw3IoOlrRLUpXqLiEnk+J6kzkSqgiW+ZC2v5Qq8mTC/3Q//ddWgaLX/LlbItitTlhQCS7hlV33ZkyvLBBjonYztnI+LHnIkj/omjumEzeQGR40TAh4FAgByRNXG2IOrLavfR/iPC8=
+Created: 20130213191920
+Publish: 20130213191920
+Activate: 20130213191920
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key
new file mode 100644
index 000000000..a2d755ff4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 481, for strongswan.org.
+; Created: 20130213175556 (Wed Feb 13 18:55:56 2013)
+; Publish: 20130213175556 (Wed Feb 13 18:55:56 2013)
+; Activate: 20130213175556 (Wed Feb 13 18:55:56 2013)
+strongswan.org. IN DNSKEY 257 3 8 AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM ooWxy1674/U=
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private
new file mode 100644
index 000000000..cfa7e83c4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: xd9xa8IbNCrzSr0lfVa/PSXAD9+LVdmZ6BrfnTAZHxZ0UKSW+Yp8DM1p/UKu83dsf0aXZUQSGRgwXqHqRUVNTu1qymrm3RsvCAIr+dLxDMpMta/NZ3JVrKId+KPU8/CdBXkUAMFMTmYwSSafzb48qDqNoqzcA2xzQE9sZKwYjGFQqWIvEkR37opKX/6i5AP1F8IPmzP00gX4he/VkanZGN/7q8ps87x/SGa23AT87MrIGDKwsFt3p/Dako4GG6dUWZRg9ocz3MtPJ3O5IgBf2JJ4zoe0C+UqArQkaA8QWtf6M8brAO8l/PNqTHzmsyREZzfU0WIUuoyihbHLXrvj9Q==
+PublicExponent: AQAB
+PrivateExponent: SIEdgEy5xx3N1B8Gs6yrmm5QuABDgAuh94iRU3miWt/RcxM8NuflmJNUOPbMQG4MFX76TqLotsVERAi0XPmN4FPig5U0TuR9EUQqdPo0VWlzPkfSzgr5Fa65qLfvegs6nhzFlZk+qqOLIeLDP5Jri4EZEPiiDacZfAEeSK0+uYDxxNCSShcYFqd9kIcqFS9pk0tcqVOZY55xjEHlk35+N08TvC+H6OnFyppz24TAuU9vqxtdGYEt6+BXnwG8MI6hCv16PkHJKeJVeC3tIl+cO+TYMMaWeI+8MXX+GIfyAOaAGj0pi3BnpUOiiLtwO0P3mi7mxB2/0Jzx2c8lLvLqaQ==
+Prime1: 8UFH1F2bt+1B2ssTHiPq+nqw/VYMTVUw+Hju79hVg2TugP0OEat00BqmZU4+bI1YscpwmWHZAU8wHvhMyjomol4+KplqxALXes3WMTijs9qXZIAX48yuakWyOrPLgUdNYwnvtcrC0vxJXk9G1lhOXDzHxmLD+HVd37SlUGvFvy8=
+Prime2: 0fdlpeBJzmDDLYz7GP2oCLhuxvUXl4xFKDDJMAikdjgpZI8wTHAyNOY9BQMZGDUkrozrxWzYpcDLyEuhVfQFl7fvlOy6c8cnHPar6JPLFhcV1g2tSiXGnUVfusVytwtDdApAPKVtFeaC3HX+jil0SmO4uqw6wXtkwwsH7aeMZhs=
+Exponent1: Utd/usSJ/BZUTrT805Sx02Dd9Z/eiY9/SVL9eQ5oDr5Rx6kdc6PUcME18gN0HAJNOn+xOnoG8hQnCftpIufk7ExAPJCBwNzY8SpNKomwbMnawn/ZtDdMjOFx2gZzEulRAXkf/uSpEZnf96pxQJkCD1ovn0e600459d8qBPt847E=
+Exponent2: Y+w99rwPw+Su3j2qvhDxZ/0F0y+O47OAsgjNpktmoVBG+rFeRfJbImuz/G+mAKxB4cP07IbJb9CZ6p97j2FLTBHgNdqXPUQ47ALEezHiw4eG/9CQeKoTpIMAdO1Ek7ILjuzV90au7G5ANtT8qQE3c7OTlVsjtzKXGG9mfYZwPaM=
+Coefficient: zqyn6OSkR2j10qY+a+Yma8kiOnUdcqvk1TW8CpG9+ch9T0mlCSiB7wPkWiIqkK8fP0qVkuurIvsxEARa0FFDTZDM5g5nJ8G26LsoNj1LA8hp0xH/UB/2pSXzo1Coc3f2VAuZEunFoNxEq0XBaZm4XLbPc3cOvVeL8WmSrf2K6lU=
+Created: 20130213175556
+Publish: 20130213175556
+Activate: 20130213175556
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key
new file mode 100644
index 000000000..6f8eb8c70
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 9396, for strongswan.org.
+; Created: 20130213175239 (Wed Feb 13 18:52:39 2013)
+; Publish: 20130213175239 (Wed Feb 13 18:52:39 2013)
+; Activate: 20130213175239 (Wed Feb 13 18:52:39 2013)
+strongswan.org. IN DNSKEY 256 3 8 AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd bNvV9pvZ
diff --git a/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private
new file mode 100644
index 000000000..2a91d9106
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: rktvqpPG7LhkkEOgNK2eay0hTmcCyWK7pQpnqKYsSDa58Bd/Pt9860iHb9AQKnzQaBQMFK0y9Ul9GNd4lSBq8zx3Q5v+sl+XW4f9u7I7tiMP7rif23b2kS4UpIBH61jJRiTmJOJ2oT8I2W02Smz3BzXAEDEryi5JVd1s29X2m9k=
+PublicExponent: AQAB
+PrivateExponent: rT8wnPZNGgnjc/60ZQha2p++ZodAHtt0N4XTKbEbfSBgzEUe52kQa3LppPvExebQ5VNf+sF6UJSesy2in2DczIqBOo2iftjKHXXWlnZN6ApN0v+oVmWxbvsEzODbeMOYklAzZd/QHvcNJCVHr+6WzxFlu5vnRwwF3vAEbFw+hIE=
+Prime1: 59ugOWNLFlyOP/m7iYkr3vrei7vhT0c1IvIlBYiDSX6Ns98reI21KFXHjAl7jfx0DjJXZBK4VYCfFm7/nFS7KQ==
+Prime2: wHFpgOLWd6AQfDscdkE7+rCHiaYKBADAUZ7smJni1rWFfQix+wm4qZRyrFjgT3mIZdWICJiFjh0qdrM9SvqhMQ==
+Exponent1: ndmuiaOKGV1GE1QoU4ip75MINEXjLSAjkvkcL1ozV7PrMUx8wgRoE1/jDPnfvljjgk7PpHgCO2Pn61QCfiJJkQ==
+Exponent2: vUKMdQIh1DIqJFNqEW7kkw5rrdcKwJcQjPUUUJv/OBP7fVVA3NfZsYVaJd+ecureVvBiwblml7ZdXbG3VPcZ8Q==
+Coefficient: D6wuDQKGBlZjXQov//tXMrwhWMFhNzXfBbZCSz7td3RLspi7TJkDBFIXmJolXCLpB+Y5TNOa/3FDA8rWEIQm9w==
+Created: 20130213175239
+Publish: 20130213175239
+Activate: 20130213175239
diff --git a/testing/hosts/winnetou/etc/bind/bind.keys b/testing/hosts/winnetou/etc/bind/bind.keys
new file mode 100644
index 000000000..b991fa3c4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/bind.keys
@@ -0,0 +1,46 @@
+/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options.  To use the built-in DLV key, set
+# "dnssec-lookaside auto;".  Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of January 2011.  If any key fails to
+# initialize correctly, it may have expired.  In that event you should
+# replace this file with a current version.  The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+	# ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
+        # in named.conf.
+	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+		TDN0YUuWrBNh";
+
+	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+	# for current trust anchor information.
+        # NOTE: This key is activated by setting "dnssec-validation auto;"
+        # in named.conf.
+	. initial-key 257 3 8 "AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+		XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+		L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+		E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+		AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+		nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+		O9fOgGnjzAk=";
+};
diff --git a/testing/hosts/winnetou/etc/bind/db.org b/testing/hosts/winnetou/etc/bind/db.org
new file mode 100644
index 000000000..ecd2c23c1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/db.org
@@ -0,0 +1,40 @@
+;
+; Zonefile for the org zone
+;
+$TTL	604800
+@		IN	SOA	ns1.org.	root.org. (
+				     1		; Serial
+				 604800		; Refresh
+				  86400		; Retry	
+				2419200		; Expire
+				 604800 )	; Negative Cache TTL
+;
+@		IN	NS	ns1.org.
+ns1		IN	A	192.168.0.150
+ns1		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+strongswan	IN	NS	ns1.strongswan.org.
+ns1.strongswan	IN	A	192.168.0.150
+ns1.strongswan	IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+strongswan.org.	IN	DS	481 8 1 5B239B124E38890C1853F5ECF299DEDEB5537E55
+strongswan.org.	IN	DS	481 8 2 FEE6842CA2322347D818318D278A929E0B9FD82353B84AE94A6A4C7B 1DFB4FEE
+;
+; This is a zone-signing key, keyid 24285, for org.
+org.		IN	DNSKEY	256 3 8	(
+				AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ
+				U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB
+				FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn
+				zoNbB0g9
+				)
+;
+; This is a key-signing key, keyid 51859, for org.
+org.		IN	DNSKEY	257 3 8 (
+				AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb
+				mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8
+				lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B
+				umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+
+				v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG
+				VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL
+				DtYdKb9mGnk=
+				)
diff --git a/testing/hosts/winnetou/etc/bind/db.root b/testing/hosts/winnetou/etc/bind/db.root
new file mode 100644
index 000000000..cfbbbc8bf
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/db.root
@@ -0,0 +1,40 @@
+;
+; Zonefile for the root zone
+;
+$TTL	604800
+@		IN	SOA	ns1.	root. (
+				     1		; Serial
+				 604800		; Refresh
+				  86400		; Retry	
+				2419200		; Expire
+				 604800 )	; Negative Cache TTL
+;
+@		IN	NS	ns1.
+ns1		IN	A	192.168.0.150
+ns1		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+org		IN	NS	ns1.org.
+ns1.org		IN	A	192.168.0.150
+ns1.org		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+org.		IN	DS 	51859 8 1 5075E7B1185CFCC744364EC45D2E03CBA6178929
+org.		IN	DS 	51859 8 2 9122D2557F70A8CE5CB14E85BF5D966848FC7016A0E2E021012F33B8 398770A9
+;
+; This is a zone-signing key, keyid 43749, for .
+.		IN	DNSKEY	256 3 8	(
+				AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK
+				9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF
+				gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz
+				wHw3Arp5
+				)
+;
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/hosts/winnetou/etc/bind/db.strongswan.org b/testing/hosts/winnetou/etc/bind/db.strongswan.org
new file mode 100644
index 000000000..dfd2705cb
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/db.strongswan.org
@@ -0,0 +1,88 @@
+;
+; Zonefile for the strongswan.org zone
+;
+$TTL	604800
+@		IN	SOA	ns1.strongswan.org.	root.strongswan.org. (
+				     1			; Serial
+				 604800			; Refresh
+				  86400			; Retry	
+				2419200			; Expire
+				 604800 )		; Negative Cache TTL
+;
+@		IN	NS	ns1.strongswan.org.
+ns1		IN	A	192.168.0.150	
+ns1		IN	AAAA	fe80::fcfd:c0ff:fea8:96
+;
+moon		IN	A	192.168.0.1
+sun		IN	A	192.168.0.2
+mars		IN	A	192.168.0.5
+alice1		IN	A	192.168.0.50
+carol		IN	A	192.168.0.100
+winnetou	IN	A	192.168.0.150
+dave		IN	A	192.168.0.200
+;
+ip6-moon	IN	AAAA	fe80::fcfd:c0ff:fea8:01
+ip6-sun		IN	AAAA	fe80::fcfd:c0ff:fea8:02
+ip6-carol	IN	AAAA	fe80::fcfd:c0ff:fea8:64
+ip6-winnetou	IN	AAAA	fe80::fcfd:c0ff:fea8:96
+ip6-dave	IN	AAAA	fe80::fcfd:c0ff:fea8:c8
+;
+crl		IN	CNAME	winnetou.strongswan.org.
+ldap		IN	CNAME	winnetou.strongswan.org.
+ocsp		IN	CNAME	winnetou.strongswan.org.
+;
+moon		IN	IPSECKEY ( 10 1 2 192.168.0.1
+				AwEAAcovYz3Uu7oFhiFbFaAxL3P1MxJPCzObmuE7tkiwK0xGjg8B5jD7
+				75IZe3cI9dv/6n5JYoaWbXWs8TvV5Dd6GCHYLeEC6t+ZY7SJBBoLD592
+				t54hUKo5Ag4/pSpnfbuHnJhikeTxVC/i8ElOnFyVTU+qdaF6p7VmUvGx
+				bvvctGaX99C39SC8mQIFNlk40s0x8r7tMOdhpWwC2dyC8M3vydQ0R7ap
+				j3YortKsEnpKlQSDj2bnUX5eCwZyyBZUdLzmifc6b8bjxyssRUmN27w
+				LF7BJFWBv6U8lbMd3xCxTRWD/u+WqzdlEzI200quviilK9VsDpqAaVNe
+				EMKt4OJdTwoc=
+				)
+sun		IN	IPSECKEY ( 10 1 2 192.168.0.2
+				AwEAAd+VVIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqq
+				rQ3X917h7YNsSk68oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5
+				mimv/prYj6o0yawxoPjoDs9Yh7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg
+				1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/49YuxQ59DemY9IRbwsrKCHH0m
+				GrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4e0da1ntPCEQLeE83
+				3+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb8WNzRWB8
+				Egh3BDK6FsE=
+				)
+carol		IN	IPSECKEY ( 10 1 2 192.168.0.100
+				AwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuukt
+				gXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo
+				5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6
+				q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF
+				5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5P
+				UdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3
+				WEKTAmsZrVE=
+				)
+dave		IN	IPSECKEY ( 10 1 2 192.168.0.200
+				AwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO0
+				4jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4b
+				V2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH
+				10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GK
+				qmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3
+				Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K
+				0J4a81Paq3U=
+				)
+;
+; This is a zone-signing key, keyid 9396, for strongswan.org.
+strongswan.org.	IN	DNSKEY	256 3 8	(
+				AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f
+				fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj
+				D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd
+				bNvV9pvZ
+				)
+;
+; This is a key-signing key, keyid 481, for strongswan.org.
+strongswan.org.	IN	DNSKEY	257 3 8	(
+				AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK
+			 	fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK
+				TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP
+				bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK
+				bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA
+				X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM
+				ooWxy1674/U=
+				)
diff --git a/testing/hosts/winnetou/etc/bind/named.conf.default-zones b/testing/hosts/winnetou/etc/bind/named.conf.default-zones
new file mode 100644
index 000000000..52a1e4c7c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/named.conf.default-zones
@@ -0,0 +1,23 @@
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
diff --git a/testing/hosts/winnetou/etc/bind/named.conf.local b/testing/hosts/winnetou/etc/bind/named.conf.local
new file mode 100644
index 000000000..fa26fa9e5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/bind/named.conf.local
@@ -0,0 +1,18 @@
+//
+// Do any local configuration here
+//
+
+zone "." {
+        type master;
+        file "/etc/bind/db.root.signed";
+};
+
+zone "org" {
+        type master;
+        file "/etc/bind/db.org.signed";
+};
+
+zone "strongswan.org" {
+        type master;
+        file "/etc/bind/db.strongswan.org.signed";
+};
diff --git a/testing/hosts/winnetou/etc/conf.d/hostname b/testing/hosts/winnetou/etc/conf.d/hostname
deleted file mode 100644
index 1bfa5acbd..000000000
--- a/testing/hosts/winnetou/etc/conf.d/hostname
+++ /dev/null
@@ -1 +0,0 @@
-HOSTNAME=winnetou
diff --git a/testing/hosts/winnetou/etc/conf.d/net b/testing/hosts/winnetou/etc/conf.d/net
deleted file mode 100644
index 7fbc37014..000000000
--- a/testing/hosts/winnetou/etc/conf.d/net
+++ /dev/null
@@ -1,10 +0,0 @@
-# /etc/conf.d/net:
-
-# This is basically the ifconfig argument without the ifconfig $iface
-#
-config_eth0=( "PH_IP_WINNETOU broadcast 192.168.0.255 netmask 255.255.255.0"
-              "PH_IP6_WINNETOU/16" )
-
-# For setting the default gateway
-#
-routes_eth0=( "default via 192.168.0.254" )
diff --git a/testing/hosts/winnetou/etc/conf.d/slapd b/testing/hosts/winnetou/etc/conf.d/slapd
deleted file mode 100644
index 8d9ac4787..000000000
--- a/testing/hosts/winnetou/etc/conf.d/slapd
+++ /dev/null
@@ -1,8 +0,0 @@
-# conf.d file for the openldap-2.1 series
-#
-# To enable both the standard unciphered server and the ssl encrypted
-# one uncomment this line or set any other server starting options
-# you may desire.
-#
-# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
-OPTS="-4"
diff --git a/testing/hosts/winnetou/etc/init.d/apache2 b/testing/hosts/winnetou/etc/init.d/apache2
deleted file mode 100755
index 5f72d3090..000000000
--- a/testing/hosts/winnetou/etc/init.d/apache2
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="configtest fullstatus graceful gracefulstop modules reload"
-
-depend() {
-	need net
-	use mysql dns logger netmount postgresql
-	after sshd
-}
-
-configtest() {
-	ebegin "Checking Apache Configuration"
-	checkconfig
-	eend $?
-}
-
-checkconfig() {
-	SERVERROOT="${SERVERROOT:-/usr/lib/apache2}"
-	if [ ! -d ${SERVERROOT} ]; then
-		eerror "SERVERROOT does not exist: ${SERVERROOT}"
-		return 1
-	fi
-
-	CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}"
-	[ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}"
-	if [ ! -r "${CONFIGFILE}" ]; then
-		eerror "Unable to read configuration file: ${CONFIGFILE}"
-		return 1
-	fi
-
-	APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
-	APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
-	[ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
-
-	APACHE2="/usr/sbin/apache2"
-
-	${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1
-	ret=$?
-	if [ $ret -ne 0 ]; then
-		eerror "Apache2 has detected a syntax error in your configuration files:"
-		${APACHE2} ${APACHE2_OPTS} -t
-	fi
-
-	return $ret
-}
-
-start() {
-	checkconfig || return 1
-	ebegin "Starting apache2"
-	[ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
-
-	start-stop-daemon --start --exec ${APACHE2} -- ${APACHE2_OPTS} -k start
-	eend $?
-}
-
-stop() {
-	checkconfig || return 1
-	ebegin "Stopping apache2"
-	start-stop-daemon --stop --retry -TERM/5/-KILL/5 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-reload() {
-	RELOAD_TYPE="${RELOAD_TYPE:-graceful}"
-
-	checkconfig || return 1
-	if [ "${RELOAD_TYPE}" = "restart" ]; then
-		ebegin "Restarting apache2"
-		start-stop-daemon --stop --oknodo --signal HUP --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	elif [ "${RELOAD_TYPE}" = "graceful" ]; then
-		ebegin "Gracefully restarting apache2"
-		start-stop-daemon --stop --oknodo --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	else
-		eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. Please edit /etc/conf.d/apache2"
-	fi
-}
-
-graceful() {
-	checkconfig || return 1
-	ebegin "Gracefully restarting apache2"
-	start-stop-daemon --stop --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-gracefulstop() {
-	checkconfig || return 1
-	
-	# zap!
-	if service_started "${myservice}"; then
-		mark_service_stopped "${myservice}"
-	fi
-
-	ebegin "Gracefully stopping apache2"
-	# 28 is SIGWINCH
-	start-stop-daemon --stop --signal 28 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-modules() {
-	checkconfig || return 1
-
-	${APACHE2} ${APACHE2_OPTS} -M 2>&1
-}
-
-status() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL} | awk ' /process$/ { print; exit } { print } '
-}
-
-fullstatus() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL}
-}
diff --git a/testing/hosts/winnetou/etc/init.d/net.eth0 b/testing/hosts/winnetou/etc/init.d/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/winnetou/etc/init.d/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/hosts/winnetou/etc/init.d/slapd b/testing/hosts/winnetou/etc/init.d/slapd
deleted file mode 100755
index d4c070b33..000000000
--- a/testing/hosts/winnetou/etc/init.d/slapd
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $
-
-depend() {
-	need net
-}
-
-start() {
-	ebegin "Starting ldap-server"
-	eval start-stop-daemon --start --quiet --pidfile /var/run/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}"
-	eend $?
-	if [ ! -e /var/lib/openldap-data/objectClass.bdb ]
-	then
-		sleep 5
-		ldapadd -x -D "cn=Manager, o=Linux strongSwan, c=CH" -w tuxmux -f /etc/openldap/ldif.txt
-	fi
-}
-
-stop() {
-	ebegin "Stopping ldap-server"
-	start-stop-daemon --stop --signal 2 --quiet --pidfile /var/run/openldap/slapd.pid 
-	eend $?
-}
diff --git a/testing/hosts/winnetou/etc/openldap/ldif.txt b/testing/hosts/winnetou/etc/ldap/ldif.txt
index 3eca4d6c6..d06621adb 100644
--- a/testing/hosts/winnetou/etc/openldap/ldif.txt
+++ b/testing/hosts/winnetou/etc/ldap/ldif.txt
@@ -28,7 +28,7 @@ cACertificate;binary:< file:///etc/openssl/research/researchCert.der
 
 dn: ou=Sales, o=Linux strongSwan, c=CH
 objectclass: organizationalUnit
-ou: Sales 
+ou: Sales
 
 dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH
 objectClass: organizationalRole
@@ -37,4 +37,3 @@ objectClass: certificationAuthority
 authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl
 certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl
 cACertificate;binary:< file:///etc/openssl/sales/salesCert.der
-
diff --git a/testing/hosts/winnetou/etc/ldap/slapd.conf b/testing/hosts/winnetou/etc/ldap/slapd.conf
new file mode 100644
index 000000000..103d4573f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/ldap/slapd.conf
@@ -0,0 +1,23 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+moduleload	back_bdb.la
+
+include		/etc/ldap/schema/core.schema
+
+pidfile		/var/run/openldap/slapd.pid
+argsfile	/var/run/openldap/slapd.args
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database	bdb
+suffix		"o=Linux strongSwan,c=CH"
+rootdn		"cn=Manager,o=Linux strongSwan,c=CH"
+checkpoint	32	30
+rootpw		tuxmux
+directory	/var/lib/ldap
+index		objectClass	eq
diff --git a/testing/hosts/winnetou/etc/network/interfaces b/testing/hosts/winnetou/etc/network/interfaces
new file mode 100644
index 000000000..7bfb6a9f2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/network/interfaces
@@ -0,0 +1,12 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+	address 192.168.0.150
+	netmask 255.255.255.0
+	broadcast 192.168.0.255
+	gateway 192.168.0.254
+iface eth0 inet6 static
+	address fec0::15
+	netmask 16
diff --git a/testing/hosts/winnetou/etc/openldap/slapd.conf b/testing/hosts/winnetou/etc/openldap/slapd.conf
deleted file mode 100644
index 5a99f955d..000000000
--- a/testing/hosts/winnetou/etc/openldap/slapd.conf
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-include		/etc/openldap/schema/core.schema
-
-# Define global ACLs to disable default read access.
-
-# Do not enable referrals until AFTER you have a working directory
-# service AND an understanding of referrals.
-#referral	ldap://root.openldap.org
-
-pidfile		/var/run/openldap/slapd.pid
-argsfile	/var/run/openldap/slapd.args
-
-# Load dynamic backend modules:
-# modulepath	/usr/lib/openldap/openldap
-# moduleload	back_bdb.la
-# moduleload	back_ldap.la
-# moduleload	back_ldbm.la
-# moduleload	back_passwd.la
-# moduleload	back_shell.la
-
-# Sample security restrictions
-#	Require integrity protection (prevent hijacking)
-#	Require 112-bit (3DES or better) encryption for updates
-#	Require 63-bit encryption for simple bind
-# security ssf=1 update_ssf=112 simple_bind=64
-
-# Sample access control policy:
-#	Root DSE: allow anyone to read it
-#	Subschema (sub)entry DSE: allow anyone to read it
-#	Other DSEs:
-#		Allow self write access
-#		Allow authenticated users read access
-#		Allow anonymous users to authenticate
-#	Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-# access to *
-#	by self write
-#	by users read
-#	by anonymous auth
-#
-# if no access controls are present, the default policy
-# allows anyone and everyone to read anything but restricts
-# updates to rootdn.  (e.g., "access to * by * read")
-#
-# rootdn can always read and write EVERYTHING!
-
-#######################################################################
-# BDB database definitions
-#######################################################################
-
-database	bdb
-suffix		"o=Linux strongSwan,c=CH"
-rootdn		"cn=Manager,o=Linux strongSwan,c=CH"
-checkpoint	32	30 # <kbyte> <min>
-# Cleartext passwords, especially for the rootdn, should
-# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
-# Use of strong authentication encouraged.
-rootpw		tuxmux	
-# The database directory MUST exist prior to running slapd AND 
-# should only be accessible by the slapd and slap tools.
-# Mode 700 recommended.
-directory	/var/lib/openldap-data
-# Indices to maintain
-index	objectClass	eq
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
index 358e0fd3a..1f01a4c26 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/index.txt
@@ -1,6 +1,13 @@
-V	130621144307Z		01	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
-R	130621161252Z	080622162459Z	02	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
-V	130621161359Z		03	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
-V	130621162918Z		04	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+R	130621144307Z	130627211828Z,superseded	01	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
+R	130621161252Z	080622162459Z,keyCompromise	02	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+R	130621161359Z	130627211849Z,superseded	03	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
+R	130621162918Z	130627211852Z,superseded	04	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
 V	140611160633Z		05	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=moon.strongswan.org
 V	140611160706Z		06	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=moon.strongswan.org
+V	180602071743Z		07	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=moon.strongswan.org
+V	180602072050Z		08	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=moon.strongswan.org
+V	180602072738Z		09	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=carol@strongswan.org
+V	180602073154Z		0A	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=carol@strongswan.org
+V	180602073328Z		0B	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 256 bit/CN=dave@strongswan.org
+V	180602073519Z		0C	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 384 bit/CN=dave@strongswan.org
+V	180602100216Z		0D	unknown	/C=CH/O=Linux strongSwan/OU=ECDSA 521 bit/CN=moon.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/08.pem
new file mode 100644
index 000000000..7bf96cdc8
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/08.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdzCCAdqgAwIBAgIBCDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjA1MFoXDTE4MDYwMjA3MjA1MFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijEV5Nw1OqU5jlk
+srCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42COUhWXh760M/c
+2SNzsjvsJgGXAsiPwiajgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYoAMIGGAkE35mfDj/fFUXGsetoU9l9Kt3jbIKYugJgE
+2gmv/MW8jwrqoP7y6ATHXJkonA6AvEK+o0ZMrae55lIKPkBh5xk3XQJBfp5Eqg6Y
+efRIXUeLksM56fRjVwJS6es7qb8l1q6+c1wC1A3lEHQvAs+kJxFfFyni2oxA923F
+h2eoaYy9vSqET5Q=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/09.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/09.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0A.pem
new file mode 100644
index 000000000..f43957143
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0A.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfDCCAd2gAwIBAgIBCjAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzE1NFoXDTE4MDYwMjA3MzE1NFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAERiDlh/bOFDq6bSRdDq2ivOcNcxWSGlO5dy5yBRvAhTWl
+NJcy93jxhDIzF5mxPpmgNXpdmSBRKbm3ydkw8LbWI+5/lje06Yl6nOLBO6Zb7GqH
+XFO+BqJrUxzbdHXwxWqto4GDMIGAMB8GA1UdIwQYMBaAFLpd+XG2E7Vq0d26Nreq
+0sHuj9jSMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
+MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
+Yy5jcmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIA8mbKzo+mp8umjvpoQUo5pIvR1CQQ
+lvBGCUWv7mtq1CVBXzv7Z+HQqPsrL388RymEErA7BzDMkPKTa5E3ZV5LL38CQgDx
++v/cIcJdYngOOF0IgVSDzcGgSvOmMlPF/D97eC4Od7XwdYl5p9Sxi4SjmDZZi4r/
+EArN3teDfoc7CZcRxWcDhQ==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0B.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0B.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0B.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0C.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0C.pem
new file mode 100644
index 000000000..e97709a3f
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0C.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0D.pem b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0D.pem
new file mode 100644
index 000000000..25f0538a7
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/newcerts/0D.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/serial b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
index 2c7456e3e..ff470b05e 100644
--- a/testing/hosts/winnetou/etc/openssl/ecdsa/serial
+++ b/testing/hosts/winnetou/etc/openssl/ecdsa/serial
@@ -1 +1 @@
-07
+0E
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 60e53a0a4..839816bf5 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -16,30 +16,32 @@
 
 export COMMON_NAME=strongSwan
 
+ROOT=/var/www
+
 cd /etc/openssl
 openssl ca -gencrl -crldays 30 -config /etc/openssl/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan.crl
-cp strongswan.crl     /var/www/localhost/htdocs/
-cp strongswanCert.pem /var/www/localhost/htdocs/
-cp index.html         /var/www/localhost/htdocs/
+cp strongswan.crl     ${ROOT}
+cp strongswanCert.pem ${ROOT}
+cp index.html         ${ROOT}
 cd /etc/openssl/research
 openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out research.crl
-cp research.crl       /var/www/localhost/htdocs/
+cp research.crl       ${ROOT}
 cd /etc/openssl/sales
 openssl ca -gencrl -crldays 15 -config /etc/openssl/sales/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out sales.crl
-cp sales.crl         /var/www/localhost/htdocs/
+cp sales.crl         ${ROOT}
 cd /etc/openssl/ecdsa
 openssl ca -gencrl -crldays 15 -config /etc/openssl/ecdsa/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan_ec.crl
-cp strongswan_ec.crl /var/www/localhost/htdocs/
+cp strongswan_ec.crl ${ROOT}
 cd /etc/openssl/monster
 openssl ca -gencrl -crldays 15 -config /etc/openssl/monster/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan-monster.crl
-cp strongswan-monster.crl /var/www/localhost/htdocs/
+cp strongswan-monster.crl ${ROOT}
 cd /etc/openssl/rfc3779
 openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
-cp strongswan_rfc3779.crl /var/www/localhost/htdocs/
+cp strongswan_rfc3779.crl ${ROOT}
 
diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html
index 1641768ae..8cbb2c482 100644
--- a/testing/hosts/winnetou/etc/openssl/index.html
+++ b/testing/hosts/winnetou/etc/openssl/index.html
@@ -20,10 +20,10 @@
     </li>
   </ul>
 
-  <h2>strongSwan UML Testing Environment</h2>
+  <h2>strongSwan Testing Environment</h2>
   <ul>
     <li>
-      <a href="testresults/">UML Test Results</a>
+      <a href="testresults/">Test Results</a>
     </li>
   </ul>
   <a href="images/umlArchitecture_large.png" target="_blank">
diff --git a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index cb585ed08..a62fe16bd 100755
--- a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
index c193e8779..32405f81c 100755
--- a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl/research
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
index c53cb9a76..74a2aebc2 100755
--- a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl/sales
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/hosts/winnetou/etc/runlevels/default/apache2 b/testing/hosts/winnetou/etc/runlevels/default/apache2
deleted file mode 100755
index 5f72d3090..000000000
--- a/testing/hosts/winnetou/etc/runlevels/default/apache2
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="configtest fullstatus graceful gracefulstop modules reload"
-
-depend() {
-	need net
-	use mysql dns logger netmount postgresql
-	after sshd
-}
-
-configtest() {
-	ebegin "Checking Apache Configuration"
-	checkconfig
-	eend $?
-}
-
-checkconfig() {
-	SERVERROOT="${SERVERROOT:-/usr/lib/apache2}"
-	if [ ! -d ${SERVERROOT} ]; then
-		eerror "SERVERROOT does not exist: ${SERVERROOT}"
-		return 1
-	fi
-
-	CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}"
-	[ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}"
-	if [ ! -r "${CONFIGFILE}" ]; then
-		eerror "Unable to read configuration file: ${CONFIGFILE}"
-		return 1
-	fi
-
-	APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}"
-	APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
-	[ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
-
-	APACHE2="/usr/sbin/apache2"
-
-	${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1
-	ret=$?
-	if [ $ret -ne 0 ]; then
-		eerror "Apache2 has detected a syntax error in your configuration files:"
-		${APACHE2} ${APACHE2_OPTS} -t
-	fi
-
-	return $ret
-}
-
-start() {
-	checkconfig || return 1
-	ebegin "Starting apache2"
-	[ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
-
-	start-stop-daemon --start --exec ${APACHE2} -- ${APACHE2_OPTS} -k start
-	eend $?
-}
-
-stop() {
-	checkconfig || return 1
-	ebegin "Stopping apache2"
-	start-stop-daemon --stop --retry -TERM/5/-KILL/5 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-reload() {
-	RELOAD_TYPE="${RELOAD_TYPE:-graceful}"
-
-	checkconfig || return 1
-	if [ "${RELOAD_TYPE}" = "restart" ]; then
-		ebegin "Restarting apache2"
-		start-stop-daemon --stop --oknodo --signal HUP --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	elif [ "${RELOAD_TYPE}" = "graceful" ]; then
-		ebegin "Gracefully restarting apache2"
-		start-stop-daemon --stop --oknodo --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-		eend $?
-	else
-		eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. Please edit /etc/conf.d/apache2"
-	fi
-}
-
-graceful() {
-	checkconfig || return 1
-	ebegin "Gracefully restarting apache2"
-	start-stop-daemon --stop --signal USR1 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-gracefulstop() {
-	checkconfig || return 1
-	
-	# zap!
-	if service_started "${myservice}"; then
-		mark_service_stopped "${myservice}"
-	fi
-
-	ebegin "Gracefully stopping apache2"
-	# 28 is SIGWINCH
-	start-stop-daemon --stop --signal 28 --exec ${APACHE2} --pidfile /var/run/apache2.pid
-	eend $?
-}
-
-modules() {
-	checkconfig || return 1
-
-	${APACHE2} ${APACHE2_OPTS} -M 2>&1
-}
-
-status() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL} | awk ' /process$/ { print; exit } { print } '
-}
-
-fullstatus() {
-	LYNX="${LYNX:-lynx -dump}"
-	STATUSURL="${STATUSURL:-http://localhost/server-status}"
-	
-	${LYNX} ${STATUSURL}
-}
diff --git a/testing/hosts/winnetou/etc/runlevels/default/net.eth0 b/testing/hosts/winnetou/etc/runlevels/default/net.eth0
deleted file mode 100755
index 92b3851cf..000000000
--- a/testing/hosts/winnetou/etc/runlevels/default/net.eth0
+++ /dev/null
@@ -1,1124 +0,0 @@
-#!/sbin/runscript
-# Copyright (c) 2004-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Contributed by Roy Marples (uberlord@gentoo.org)
-# Many thanks to Aron Griffis (agriffis@gentoo.org)
-# for help, ideas and patches
-
-#NB: Config is in /etc/conf.d/net
-
-# For pcmcia users. note that pcmcia must be added to the same
-# runlevel as the net.* script that needs it.
-depend() {
-	need localmount
-	after bootmisc hostname
-	use isapnp isdn pcmcia usb wlan
-
-	# Load any custom depend functions for the given interface
-	# For example, br0 may need eth0 and eth1
-	local iface="${SVCNAME#*.}"
-	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
-
-	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
-		after net.lo net.lo0
-
-		# Support new style RC_NEED and RC_USE in one net file
-		local x="RC_NEED_${iface}"
-		[[ -n ${!x} ]] && need ${!x}
-		x="RC_USE_${iface}"
-		[[ -n ${!x} ]] && use ${!x}
-	fi
-
-	return 0
-}
-
-# Define where our modules are
-MODULES_DIR="${svclib}/net"
-
-# Make some wrappers to fudge after/before/need/use depend flags.
-# These are callbacks so MODULE will be set.
-after() {
-	eval "${MODULE}_after() { echo \"$*\"; }"
-}
-before() {
-	eval "${MODULE}_before() { echo \"$*\"; }"
-}
-need() {
-	eval "${MODULE}_need() { echo \"$*\"; }"
-}
-installed() {
-	# We deliberately misspell this as _installed will probably be used
-	# at some point
-	eval "${MODULE}_instlled() { echo \"$*\"; }"
-}
-provide() {
-	eval "${MODULE}_provide() { echo \"$*\"; }"
-}
-functions() {
-	eval "${MODULE}_functions() { echo \"$*\"; }"
-}
-variables() {
-	eval "${MODULE}_variables() { echo \"$*\"; }"
-}
-
-is_loopback() {
-	[[ $1 == "lo" || $1 == "lo0" ]]
-}
-
-# char* interface_device(char *iface)
-#
-# Gets the base device of the interface
-# Can handle eth0:1 and eth0.1
-# Which returns eth0 in this case
-interface_device() {
-	local dev="${1%%.*}"
-	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
-	echo "${dev}"
-}
-
-# char* interface_type(char* iface)
-#
-# Returns the base type of the interface
-# eth, ippp, etc
-interface_type() {
-	echo "${1%%[0-9]*}"
-}
-
-# int calculate_metric(char *interface, int base)
-#
-# Calculates the best metric for the interface
-# We use this when we add routes so we can prefer interfaces over each other
-calculate_metric() {
-	local iface="$1" metric="$2"
-
-	# Have we already got a metric?
-	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
-		/proc/net/route)
-	if [[ -n ${m} ]] ; then
-		echo "${m}"
-		return 0
-	fi
-
-	local i= dest= gw= flags= ref= u= m= mtu= metrics=
-	while read i dest gw flags ref u m mtu ; do
-		# Ignore lo
-		is_loopback "${i}" && continue
-		# We work out metrics from default routes only
-		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
-		metrics="${metrics}\n${m}"
-	done < /proc/net/route
-
-	# Now, sort our metrics
-	metrics=$(echo -e "${metrics}" | sort -n)
-
-	# Now, find the lowest we can use
-	local gotbase=false
-	for m in ${metrics} ; do
-		[[ ${m} -lt ${metric} ]] && continue
-		[[ ${m} == ${metric} ]] && ((metric++))
-		[[ ${m} -gt ${metric} ]] && break
-	done
-	
-	echo "${metric}"
-}
-
-# int netmask2cidr(char *netmask)
-#
-# Returns the CIDR of a given netmask
-netmask2cidr() {
-	local binary= i= bin=
-
-	for i in ${1//./ }; do
-		bin=""
-		while [[ ${i} != "0" ]] ; do
-			bin=$[${i}%2]${bin}
-			(( i=i>>1 ))
-		done
-		binary="${binary}${bin}"
-	done
-	binary="${binary%%0*}"
-	echo "${#binary}"
-}
-
-
-# bool is_function(char* name)
-#
-# Returns 0 if the given name is a shell function, otherwise 1
-is_function() {
-	[[ -z $1 ]] && return 1
-	[[ $(type -t "$1") == "function" ]]
-}
-
-# void function_wrap(char* source, char* target)
-#
-# wraps function calls - for example function_wrap(this, that)
-# maps function names this_* to that_*
-function_wrap() {
-	local i=
-
-	is_function "${2}_depend" && return
-
-	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
-		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
-	done
-}
-
-# char[] * expand_parameters(char *cmd)
-#
-# Returns an array after expanding parameters. For example
-# "192.168.{1..3}.{1..3}/24 brd +"
-# will return
-# "192.168.1.1/24 brd +"
-# "192.168.1.2/24 brd +"
-# "192.168.1.3/24 brd +"
-# "192.168.2.1/24 brd +"
-# "192.168.2.2/24 brd +"
-# "192.168.2.3/24 brd +"
-# "192.168.3.1/24 brd +"
-# "192.168.3.2/24 brd +"
-# "192.168.3.3/24 brd +"
-expand_parameters() {
-	local x=$(eval echo ${@// /_})
-	local -a a=( ${x} )
-
-	a=( "${a[@]/#/\"}" )
-	a=( "${a[@]/%/\"}" )
-	echo "${a[*]//_/ }"
-}
-
-# void configure_variables(char *interface, char *option1, [char *option2])
-#
-# Maps configuration options from <variable>_<option> to <variable>_<iface>
-# option2 takes precedence over option1
-configure_variables() {
-	local iface="$1" option1="$2" option2="$3"
-
-	local mod= func= x= i=
-	local -a ivars=() ovars1=() ovars2=()
-	local ifvar=$(bash_variable "${iface}")
-
-	for mod in ${MODULES[@]}; do
-		is_function ${mod}_variables || continue
-		for v in $(${mod}_variables) ; do
-			x=
-			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
-			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
-			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
-		done
-	done
-
-	return 0
-}
-# bool module_load_minimum(char *module)
-#
-# Does the minimum checking on a module - even when forcing
-module_load_minimum() {
-	local f="$1.sh" MODULE="${1##*/}"
-
-	if [[ ! -f ${f} ]] ; then
-		eerror "${f} does not exist"
-		return 1
-	fi
-
-	if ! source "${f}" ; then
-		eerror "${MODULE} failed a sanity check"
-		return 1
-	fi
-
-	for f in depend; do
-		is_function "${MODULE}_${f}" && continue
-		eerror "${MODULE}.sh does not support the required function ${f}"
-		return 1
-	done
-
-	return 0
-}
-
-# bool modules_load_auto()
-#
-# Load and check each module for sanity
-# If the module is not installed, the functions are to be removed
-modules_load_auto() {
-	local i j inst
-
-	# Populate the MODULES array
-	# Basically we treat evey file in ${MODULES_DIR} as a module
-	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
-		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
-	done
-	MODULES=( "${MODULES[@]}" )
-
-	# Each of these sources into the global namespace, so it's
-	# important that module functions and variables are prefixed with
-	# the module name, for example iproute2_
-
-	j="${#MODULES[@]}"
-	loaded_interface=false
-	for (( i=0; i<j; i++ )); do
-		MODULES[i]="${MODULES[i]%.sh*}"
-		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
-			eerror "interface is a reserved name - cannot load a module called interface"
-			return 1
-		fi
-		
-		(
-		u=0;
-		module_load_minimum "${MODULES[i]}" || u=1;
-		if [[ ${u} == 0 ]] ; then
-			inst="${MODULES[i]##*/}_check_installed";
-			if is_function "${inst}" ; then
-				${inst} false || u=1;
-			fi
-		fi
-		exit "${u}";
-		)
-
-		if [[ $? == 0 ]] ; then
-			source "${MODULES[i]}.sh"
-			MODULES[i]="${MODULES[i]##*/}"
-		else
-			unset MODULES[i]
-		fi
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	return 0
-}
-
-# bool modules_check_installed(void)
-#
-# Ensure that all modules have the required modules loaded
-# This enables us to remove modules from the MODULES array
-# Whilst other modules can still explicitly call them
-# One example of this is essidnet which configures network
-# settings for the specific ESSID connected to as the user
-# may be using a daemon to configure wireless instead of our
-# iwconfig module
-modules_check_installed() {
-	local i j missingdeps nmods="${#MODULES[@]}"
-
-	for (( i=0; i<nmods; i++ )); do
-		is_function "${MODULES[i]}_instlled" || continue
-		for j in $( ${MODULES[i]}_instlled ); do
-			missingdeps=true
-			if is_function "${j}_check_installed" ; then
-				${j}_check_installed && missingdeps=false
-			elif is_function "${j}_depend" ; then
-				missingdeps=false
-			fi
-			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-}
-
-# bool modules_check_user(void)
-modules_check_user() {
-	local iface="$1" ifvar=$(bash_variable "${IFACE}")
-	local i= j= k= l= nmods="${#MODULES[@]}"
-	local -a umods=()
-
-	# Has the interface got any specific modules?
-	umods="modules_${ifvar}[@]"
-	umods=( "${!umods}" )
-
-	# Global setting follows interface-specific setting
-	umods=( "${umods[@]}" "${modules[@]}" )
-
-	# Add our preferred modules
-	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
-	umods=( "${umods[@]}" "${pmods[@]}" )
-
-	# First we strip any modules that conflict from user settings
-	# So if the user specifies pump then we don't use dhcpcd
-	for (( i=0; i<${#umods[@]}; i++ )); do
-		# Some users will inevitably put "dhcp" in their modules
-		# list.  To keep users from screwing up their system this
-		# way, ignore this setting so that the default dhcp
-		# module will be used.
-		[[ ${umods[i]} == "dhcp" ]] && continue
-
-		# We remove any modules we explicitly don't want
-		if [[ ${umods[i]} == "!"* ]] ; then
-			for (( j=0; j<nmods; j++ )); do
-				[[ -z ${MODULES[j]} ]] && continue
-				if [[ ${umods[i]:1} == "${MODULES[j]}" \
-					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
-					# We may need to setup a class wrapper for it even though
-					# we don't use it directly
-					# However, we put it into an array and wrap later as
-					# another module may provide the same thing
-					${MODULES[j]}_check_installed \
-						&& WRAP_MODULES=(
-							"${WRAP_MODULES[@]}"
-							"${MODULES[j]} ${PROVIDES[j]}"
-						)
-					unset MODULES[j]
-					unset PROVIDES[j]
-				fi
-			done
-			continue
-		fi
-
-		if ! is_function "${umods[i]}_depend" ; then
-			# If the module is one of our preferred modules, then
-			# ignore this error; whatever is available will be
-			# used instead.
-			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
-
-			# The function may not exist because the modules software is
-			# not installed. Load the module and report its error
-			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
-				source "${MODULES_DIR}/${umods[i]}.sh"
-				is_function "${umods[i]}_check_installed" \
-					&& ${umods[i]}_check_installed true
-			else
-				eerror "The module \"${umods[i]}\" does not exist"
-			fi
-			return 1
-		fi
-
-		if is_function "${umods[i]}_provide" ; then
-			mod=$(${umods[i]}_provide)
-		else
-			mod="${umods[i]}"
-		fi
-		for (( j=0; j<nmods; j++ )); do
-			[[ -z ${MODULES[j]} ]] && continue
-			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
-				# We don't have a match - now ensure that we still provide an
-				# alternative. This is to handle our preferred modules.
-				for (( l=0; l<nmods; l++ )); do
-					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
-					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
-						unset MODULES[j]
-						unset PROVIDES[j]
-						break
-					fi
-				done
-			fi
-		done
-	done
-
-	# Then we strip conflicting modules.
-	# We only need to do this for 3rd party modules that conflict with
-	# our own modules and the preferred list AND the user modules
-	# list doesn't specify a preference.
-	for (( i=0; i<nmods-1; i++ )); do
-		[[ -z ${MODULES[i]} ]] && continue			
-		for (( j=i+1; j<nmods; j++)); do
-			[[ -z ${MODULES[j]} ]] && continue
-			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
-			&& unset MODULES[j] && unset PROVIDES[j]
-		done
-	done
-
-	MODULES=( "${MODULES[@]}" )
-	PROVIDES=( "${PROVIDES[@]}" )
-	return 0
-}
-
-# void modules_sort(void)
-#
-# Sort our modules
-modules_sort() {
-	local i= j= nmods=${#MODULES[@]} m=
-	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
-
-	# Make our provide list
-	for ((i=0; i<nmods; i++)); do
-		dead[i]="false"
-		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
-			local provided=false
-			for ((j=0; j<${#provide[@]}; j++)); do
-				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
-					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
-					provided=true
-				fi
-			done
-			if ! ${provided}; then
-				provide[j]="${PROVIDES[i]}"
-				provide_list[j]="${MODULES[i]}"
-			fi
-		fi
-	done
-
-	# Create an after array, which holds which modules the module at
-	# index i must be after
-	for ((i=0; i<nmods; i++)); do
-		if is_function "${MODULES[i]}_after" ; then
-			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
-		fi
-		if is_function "${MODULES[i]}_before" ; then
-			for m in $(${MODULES[i]}_before); do
-				for ((j=0; j<nmods; j++)) ; do
-					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
-						after[j]=" ${after[j]} ${MODULES[i]} "
-						break
-					fi
-				done
-			done
-		fi
-	done
-
-	# Replace the after list modules with real modules
-	for ((i=0; i<nmods; i++)); do
-		if [[ -n ${after[i]} ]] ; then
-			for ((j=0; j<${#provide[@]}; j++)); do
-				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
-			done
-		fi
-	done
-	
-	# We then use the below code to provide a topologial sort
-    module_after_visit() {
-        local name="$1" i= x=
-
-		for ((i=0; i<nmods; i++)); do
-			[[ ${MODULES[i]} == "$1" ]] && break
-		done
-
-        ${dead[i]} && return
-        dead[i]="true"
-
-        for x in ${after[i]} ; do
-            module_after_visit "${x}"
-        done
-
-        sorted=( "${sorted[@]}" "${MODULES[i]}" )
-		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
-    }
-
-	for x in ${MODULES[@]}; do
-		module_after_visit "${x}"
-	done
-
-	MODULES=( "${sorted[@]}" )
-	PROVIDES=( "${sortedp[@]}" )
-}
-
-# bool modules_check_depends(bool showprovides)
-modules_check_depends() {
-	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
-	local missingdeps= p= interface=false
-
-	for (( i=0; i<nmods; i++ )); do
-		if is_function "${MODULES[i]}_need" ; then
-			for needmod in $(${MODULES[i]}_need); do
-				missingdeps=true
-				for (( j=0; j<nmods; j++ )); do
-					if [[ ${needmod} == "${MODULES[j]}" \
-						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
-						missingdeps=false
-						break
-					fi
-				done
-				if ${missingdeps} ; then
-					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
-					return 1
-				fi
-			done
-		fi
-
-		if is_function "${MODULES[i]}_functions" ; then
-			for f in $(${MODULES[i]}_functions); do
-				if ! is_function "${f}" ; then
-					eerror "${MODULES[i]}: missing required function \"${f}\""
-					return 1
-				fi
-			done
-		fi
-
-		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
-
-		if ${showprovides} ; then
-			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
-			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
-		fi
-	done
-
-	if ! ${interface} ; then
-		eerror "no interface module has been loaded"
-		return 1
-	fi
-
-	return 0
-}
-
-# bool modules_load(char *iface, bool starting)
-#
-# Loads the defined handler and modules for the interface
-# Returns 0 on success, otherwise 1
-modules_load()  {
-	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
-	local -a x=()
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a PROVIDES=() WRAP_MODULES=()
-
-	if ! is_loopback "${iface}" ; then
-		x="modules_force_${iface}[@]"
-		[[ -n ${!x} ]] && modules_force=( "${!x}" )
-		if [[ -n ${modules_force} ]] ; then
-			ewarn "WARNING: You are forcing modules!"
-			ewarn "Do not complain or file bugs if things start breaking"
-			report=true
-		fi
-	fi
-
-	veinfo "Loading networking modules for ${iface}"
-	eindent
-
-	if [[ -z ${modules_force} ]] ; then
-		modules_load_auto || return 1
-	else
-		j="${#modules_force[@]}"
-		for (( i=0; i<j; i++ )); do
-			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
-			if is_function "${modules_force[i]}_check_installed" ; then
-				${modules_force[i]}_check_installed || unset modules_force[i]
-			fi
-		done
-		MODULES=( "${modules_force[@]}" )
-	fi
-
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		# Now load our dependencies - we need to use the MODULE variable
-		# here as the after/before/need functions use it
-		MODULE="${MODULES[i]}"
-		${MODULE}_depend
-
-		# expose does exactly the same thing as depend
-		# However it is more "correct" as it exposes things to other modules
-		# instead of depending on them ;)
-		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
-
-		# If no provide is given, assume module name
-		if is_function "${MODULES[i]}_provide" ; then
-			PROVIDES[i]=$(${MODULES[i]}_provide)
-		else
-			PROVIDES[i]="${MODULES[i]}"
-		fi
-	done
-
-	if [[ -n ${modules_force[@]} ]] ; then
-		# Strip any duplicate modules providing the same thing
-		j="${#MODULES[@]}"
-		for (( i=0; i<j-1; i++ )); do
-			[[ -z ${MODULES[i]} ]] && continue
-			for (( k=i+1; k<j; k++ )); do
-				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
-					unset MODULES[k]
-					unset PROVIDES[k]
-				fi
-			done
-		done
-		MODULES=( "${MODULES[@]}" )
-		PROVIDES=( "${PROVIDES[@]}" )
-	else
-		if ${starting}; then
-			modules_check_user "${iface}" || return 1
-		else
-			# Always prefer iproute2 for taking down interfaces
-			if is_function iproute2_provide ; then
-				function_wrap iproute2 "$(iproute2_provide)"
-			fi
-		fi
-	fi
-	
-	# Wrap our modules
-	j="${#MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
-	done
-	j="${#WRAP_MODULES[@]}"
-	for (( i=0; i<j; i++ )); do
-		function_wrap ${WRAP_MODULES[i]}
-	done
-	
-	if [[ -z ${modules_force[@]} ]] ; then
-		modules_check_installed || return 1
-		modules_sort || return 1
-	fi
-
-	veinfo "modules: ${MODULES[@]}"
-	eindent
-
-	${starting} && p=true
-	modules_check_depends "${p}" || return 1
-	return 0
-}
-
-# bool iface_start(char *interface)
-#
-# iface_start is called from start.  It's expected to start the base
-# interface (for example "eth0"), aliases (for example "eth0:1") and to start
-# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
-# calling itself recursively.
-iface_start() {
-	local iface="$1" mod config_counter="-1" x config_worked=false
-	local RC_INDENTATION="${RC_INDENTATION}"
-	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
-	local ifvar=$(bash_variable "$1") i= j= metric=0
-
-	# pre Start any modules with
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_start" ; then
-			${mod}_pre_start "${iface}" || { eend 1; return 1; }
-		fi
-	done
-
-	x="metric_${ifvar}"
-	# If we don't have a metric then calculate one
-	# Our modules will set the metric variable to a suitable base
-	# in their pre starts.
-	if [[ -z ${!x} ]] ; then
-		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
-	fi
-
-	# We now expand the configuration parameters and pray that the
-	# fallbacks expand to the same number as config or there will be
-	# trouble!
-	a="config_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		config=( "${config[@]}" "${b[@]}" )
-	done
-
-	a="fallback_${ifvar}[@]"
-	a=( "${!a}" )
-	for (( i=0; i<${#a[@]}; i++ )); do 
-		eval b=( $(expand_parameters "${a[i]}") )
-		fallback=( "${fallback[@]}" "${b[@]}" )
-	done
-
-	# We don't expand routes
-	fallback_route="fallback_route_${ifvar}[@]"
-	fallback_route=( "${!fallback_route}" )
-	
-	# We must support old configs
-	if [[ -z ${config} ]] ; then
-		interface_get_old_config "${iface}" || return 1
-		if [[ -n ${config} ]] ; then
-			ewarn "You are using a deprecated configuration syntax for ${iface}"
-			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
-		fi
-	fi
-
-	# Handle "noop" correctly
-	if [[ ${config[0]} == "noop" ]] ; then
-		if interface_is_up "${iface}" true ; then
-			einfo "Keeping current configuration for ${iface}"
-			eend 0
-			return 0
-		fi
-
-		# Remove noop from the config var
-		config=( "${config[@]:1}" )
-	fi
-
-	# Provide a default of DHCP if no configuration is set and we're auto
-	# Otherwise a default of NULL
-	if [[ -z ${config} ]] ; then
-		ewarn "Configuration not set for ${iface} - assuming DHCP"
-		if is_function "dhcp_start" ; then
-			config=( "dhcp" )
-		else
-			eerror "No DHCP client installed"
-			return 1
-		fi
-	fi
-
-	einfo "Bringing up ${iface}"
-	eindent
-	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
-		# Handle null and noop correctly
-		if [[ ${config[config_counter]} == "null" \
-			|| ${config[config_counter]} == "noop" ]] ; then
-			eend 0
-			config_worked=true
-			continue
-		fi
-
-		# We convert it to an array - this has the added
-		# bonus of trimming spaces!
-		conf=( ${config[config_counter]} )
-		einfo "${conf[0]}"
-
-		# Do we have a function for our config?
-		if is_function "${conf[0]}_start" ; then
-			eindent
-			${conf[0]}_start "${iface}" ; x=$?
-			eoutdent
-			[[ ${x} == 0 ]] && config_worked=true && continue
-			# We need to test to see if it's an IP address or a function
-			# We do this by testing if the 1st character is a digit
-		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
-			x="0"
-			if ! is_loopback "${iface}" ; then
-				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
-					if arping_address_exists "${iface}" "${conf[0]}" ; then
-						eerror "${conf[0]%%/*} already taken on ${iface}"
-						x="1"
-					fi
-				fi
-			fi
-			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
-			eend "${x}" && config_worked=true && continue
-		else
-			if [[ ${conf[0]} == "dhcp" ]] ; then
-				eerror "No DHCP client installed"
-			else
-				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
-			fi
-		fi
-
-		if [[ -n ${fallback[config_counter]} ]] ; then
-			einfo "Trying fallback configuration"
-			config[config_counter]="${fallback[config_counter]}"
-			fallback[config_counter]=""
-
-			# Do we have a fallback route?
-			if [[ -n ${fallback_route[config_counter]} ]] ; then
-				x="fallback_route[config_counter]"
-				eval "routes_${ifvar}=( \"\${!x}\" )"
-				fallback_route[config_counter]=""
-			fi
-
-			(( config_counter-- )) # since the loop will increment it
-			continue
-		fi
-	done
-	eoutdent
-
-	# We return failure if no configuration parameters worked
-	${config_worked} || return 1
-
-	# Start any modules with _post_start
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_post_start" ; then
-			${mod}_post_start "${iface}" || return 1
-		fi
-	done
-
-	return 0
-}
-
-# bool iface_stop(char *interface)
-#
-# iface_stop: bring down an interface.  Don't trust information in
-# /etc/conf.d/net since the configuration might have changed since
-# iface_start ran.  Instead query for current configuration and bring
-# down the interface.
-iface_stop() {
-	local iface="$1" i= aliases= need_begin=false mod=
-	local RC_INDENTATION="${RC_INDENTATION}"
-
-	# pre Stop any modules
-	for mod in ${MODULES[@]}; do
-		if is_function "${mod}_pre_stop" ; then
-			${mod}_pre_stop "${iface}" || return 1
-		fi
-	done
-
-	einfo "Bringing down ${iface}"
-	eindent
-
-	# Collect list of aliases for this interface.
-	# List will be in reverse order.
-	if interface_exists "${iface}" ; then
-		aliases=$(interface_get_aliases_rev "${iface}")
-	fi
-
-	# Stop aliases before primary interface.
-	# Note this must be done in reverse order, since ifconfig eth0:1 
-	# will remove eth0:2, etc.  It might be sufficient to simply remove 
-	# the base interface but we're being safe here.
-	for i in ${aliases} ${iface}; do
-		# Stop all our modules
-		for mod in ${MODULES[@]}; do
-			if is_function "${mod}_stop" ; then
-				${mod}_stop "${i}" || return 1
-			fi
-		done
-
-		# A module may have removed the interface
-		if ! interface_exists "${iface}" ; then
-			eend 0
-			continue
-		fi
-
-		# We don't delete ppp assigned addresses
-		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
-			# Delete all the addresses for this alias
-			interface_del_addresses "${i}"
-		fi
-
-		# Do final shut down of this alias
-		if [[ ${IN_BACKGROUND} != "true" \
-			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
-			ebegin "Shutting down ${i}"
-			interface_iface_stop "${i}"
-			eend "$?"
-		fi
-	done
-
-	# post Stop any modules
-	for mod in ${MODULES[@]}; do
-		# We have already taken down the interface, so no need to error
-		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
-	done
-
-	return 0
-}
-
-# bool run_start(char *iface)
-#
-# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
-# Returns 0 (success) unless preup or iface_start returns 1 (failure).
-# Ignores the return value from postup.
-# We cannot check that the device exists ourselves as modules like
-# tuntap make create it.
-run_start() {
-	local iface="$1" IFVAR=$(bash_variable "$1")
-
-	# We do this so users can specify additional addresses for lo if they
-	# need too - additional routes too
-	# However, no extra modules are loaded as they are just not needed
-	if [[ ${iface} == "lo" ]] ; then
-		metric_lo="0"
-		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
-	elif [[ ${iface} == "lo0" ]] ; then
-		metric_lo0="0"
-		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
-		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
-	fi
-
-	# We may not have a loaded module for ${iface}
-	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
-	# so we can work with this
-	# However, if they do the same with eth1 and try to start it
-	# but eth0 has not been loaded then the module gets loaded as
-	# eth0.
-	# Not much we can do about this :(
-	# Also, we cannot error here as some modules - such as bridge
-	# create interfaces
-	if ! interface_exists "${iface}" ; then
-		/sbin/modprobe "${iface}" &>/dev/null
-	fi
-
-	# Call user-defined preup function if it exists
-	if is_function preup ; then
-		einfo "Running preup function"
-		eindent
-		( preup "${iface}" )
-		eend "$?" "preup ${iface} failed" || return 1
-		eoutdent
-	fi
-
-	# If config is set to noop and the interface is up with an address
-	# then we don't start it
-	local config=
-	config="config_${IFVAR}[@]"
-	config=( "${!config}" )
-	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
-		einfo "Keeping current configuration for ${iface}"
-		eend 0
-	else
-		# Remove noop from the config var
-		[[ ${config[0]} == "noop" ]] \
-			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
-
-		# There may be existing ip address info - so we strip it
-		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
-			&& ${IN_BACKGROUND} != "true" ]] ; then
-			interface_del_addresses "${iface}"
-		fi
-
-		# Start the interface
-		if ! iface_start "${iface}" ; then
-			if [[ ${IN_BACKGROUND} != "true" ]] ; then
-				interface_exists "${iface}" && interface_down "${iface}"
-			fi
-			eend 1
-			return 1
-		fi
-	fi
-
-	# Call user-defined postup function if it exists
-	if is_function postup ; then
-		# We need to mark the service as started incase a
-		# postdown function wants to restart services that depend on us
-		mark_service_started "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postup function"
-		eindent
-		( postup "${iface}" )
-		eoutdent
-	fi
-
-	return 0
-}
-
-# bool run_stop(char *iface) {
-#
-# Brings down ${iface}.  If predown call returns non-zero, then
-# stop returns non-zero to indicate failure bringing down device.
-# In all other cases stop returns 0 to indicate success.
-run_stop() {
-	local iface="$1" IFVAR=$(bash_variable "$1") x
-
-	# Load our ESSID variable so users can use it in predown() instead
-	# of having to write code.
-	local ESSID=$(get_options ESSID) ESSIDVAR=
-	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
-
-	# Call user-defined predown function if it exists
-	if is_function predown ; then
-		einfo "Running predown function"
-		eindent
-		( predown "${iface}" )
-		eend $? "predown ${iface} failed" || return 1
-		eoutdent
-	elif is_net_fs / ; then
-		eerror "root filesystem is network mounted -- can't stop ${iface}"
-		return 1
-	elif is_union_fs / ; then
-		for x in $(unionctl "${dir}" --list \
-		| sed -e 's/^\(.*\) .*/\1/') ; do
-			if is_net_fs "${x}" ; then
-				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
-				return 1
-			fi
-		done
-	fi
-
-	iface_stop "${iface}" || return 1  # always succeeds, btw
-
-	# Release resolv.conf information.
-	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
-	
-	# Mark us as inactive if called from the background
-	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
-
-	# Call user-defined postdown function if it exists
-	if is_function postdown ; then
-		# We need to mark the service as stopped incase a
-		# postdown function wants to restart services that depend on us
-		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
-		end_service "net.${iface}" 0
-		einfo "Running postdown function"
-		eindent
-		( postdown "${iface}" )
-		eoutdent
-	fi
-
-
-	return 0
-}
-
-# bool run(char *iface, char *cmd)
-#
-# Main start/stop entry point
-# We load modules here and remove any functions that they
-# added as we may be called inside the same shell scope for another interface
-run() {
-	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
-	local starting=true
-	local -a MODULES=() mods=()
-	local IN_BACKGROUND="${IN_BACKGROUND}"
-
-	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
-		IN_BACKGROUND=true
-	else
-		IN_BACKGROUND=false
-	fi
-
-	# We need to override the exit function as runscript.sh now checks
-	# for it. We need it so we can mark the service as inactive ourselves.
-	unset -f exit
-
-	eindent
-	[[ ${cmd} == "stop" ]] && starting=false
-
-	# We force lo to only use these modules for a major speed boost
-	if is_loopback "${iface}" ; then	
-		modules_force=( "iproute2" "ifconfig" "system" )
-	fi
-
-	if modules_load "${iface}" "${starting}" ; then
-		if [[ ${cmd} == "stop" ]] ; then
-			# Reverse the module list for stopping
-			mods=( "${MODULES[@]}" )
-			for ((i = 0; i < ${#mods[@]}; i++)); do
-				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
-			done
-
-			run_stop "${iface}" && r=0
-		else
-			# Only hotplug on ethernet interfaces
-			if [[ ${IN_HOTPLUG} == 1 ]] ; then
-				if ! interface_is_ethernet "${iface}" ; then
-					eerror "We only hotplug for ethernet interfaces"
-					return 1
-				fi
-			fi
-
-			run_start "${iface}" && r=0
-		fi
-	fi
-
-	if [[ ${r} != "0" ]] ; then
-		if [[ ${cmd} == "start" ]] ; then
-			# Call user-defined failup if it exists
-			if is_function failup ; then
-				einfo "Running failup function"
-				eindent
-				( failup "${iface}" )
-				eoutdent
-			fi
-		else
-			# Call user-defined faildown if it exists
-			if is_function faildown ; then
-				einfo "Running faildown function"
-				eindent
-				( faildown "${iface}" )
-				eoutdent
-			fi
-		fi
-		[[ ${IN_BACKGROUND} == "true" ]] \
-			&& mark_service_inactive "net.${iface}"
-	fi
-
-	return "${r}"
-}
-
-# bool start(void)
-#
-# Start entry point so that we only have one function
-# which localises variables and unsets functions
-start() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Starting ${IFACE}"
-	run "${IFACE}" start
-}
-
-# bool stop(void)
-#
-# Stop entry point so that we only have one function
-# which localises variables and unsets functions
-stop() {
-	declare -r IFACE="${SVCNAME#*.}"
-	einfo "Stopping ${IFACE}"
-	run "${IFACE}" stop
-}
-
-# vim:ts=4
diff --git a/testing/images/a-m-c-w-d.png b/testing/images/a-m-c-w-d.png
index f0d758021..f0d758021 100755..100644
--- a/testing/images/a-m-c-w-d.png
+++ b/testing/images/a-m-c-w-d.png
diff --git a/testing/images/a-m-c-w.png b/testing/images/a-m-c-w.png
index 0e8ec3a74..0e8ec3a74 100755..100644
--- a/testing/images/a-m-c-w.png
+++ b/testing/images/a-m-c-w.png
diff --git a/testing/images/a-m-w-s-b.png b/testing/images/a-m-w-s-b.png
index e31fe5e9b..e31fe5e9b 100755..100644
--- a/testing/images/a-m-w-s-b.png
+++ b/testing/images/a-m-w-s-b.png
diff --git a/testing/images/a-v-m-c-w-d.png b/testing/images/a-v-m-c-w-d.png
index 1096af264..1096af264 100755..100644
--- a/testing/images/a-v-m-c-w-d.png
+++ b/testing/images/a-v-m-c-w-d.png
diff --git a/testing/images/a-v-m-w-s-b.png b/testing/images/a-v-m-w-s-b.png
index 53eafba3b..53eafba3b 100755..100644
--- a/testing/images/a-v-m-w-s-b.png
+++ b/testing/images/a-v-m-w-s-b.png
diff --git a/testing/images/m-c-w.png b/testing/images/m-c-w.png
index 066a8f8c6..066a8f8c6 100755..100644
--- a/testing/images/m-c-w.png
+++ b/testing/images/m-c-w.png
diff --git a/testing/images/m-w-s.png b/testing/images/m-w-s.png
index 14115c1f3..14115c1f3 100755..100644
--- a/testing/images/m-w-s.png
+++ b/testing/images/m-w-s.png
diff --git a/testing/make-testing b/testing/make-testing
index 7cd3324e0..84ac20bf2 100755
--- a/testing/make-testing
+++ b/testing/make-testing
@@ -1,87 +1,27 @@
 #!/bin/bash
-# Create the strongSwan UML testing environment
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
 
-DIR=`dirname $0`
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
 
-source $DIR/scripts/function.sh
+rm -f $LOGFILE
+mkdir -p $BUILDDIR
 
-[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-##########################################################################
-# build the UML kernel based on a vanilla kernel form kernel.org
-# and a matching UML patch from user-mode-linux.sourceforge.net
-#
-if [ $ENABLE_BUILD_UMLKERNEL = "yes" ]
-then
-   cecho "Building uml kernel (scripts/build-umlkernel)"
-   $DIR/scripts/build-umlkernel
-fi
-
-##########################################################################
-# Adding the ssh RSA public keys to ~/.ssh/known_hosts
-#
-if [ $ENABLE_BUILD_SSHKEYS = "yes" ]
-then
-   cecho "Adding ssh public keys of the uml instances (scripts/build-sshkeys)"
-   $DIR/scripts/build-sshkeys
-fi
-
-##########################################################################
-# copy the default UML host configurations to $BUILDDIR
-# and assign actual IP addresses to the UML hosts
-#
-if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ]
+if [ $ENABLE_BUILD_BASEIMAGE = "yes" ]
 then
-   cecho "Building host configurations (scripts/build-hostconfig)"
-   $DIR/scripts/build-hostconfig
+	$DIR/scripts/build-baseimage || exit 1
 fi
 
-##########################################################################
-# build a generic UML root file system based on a Gentoo root file system.
-# compile and install a specified strongSwan release into the file system.
-#
-if [ $ENABLE_BUILD_UMLROOTFS = "yes" ]
+if [ $ENABLE_BUILD_ROOTIMAGE = "yes" ]
 then
-   cecho "Building uml root file system with strongSwan (scripts/build-umlrootfs)"
-   $DIR/scripts/build-umlrootfs
+	$DIR/scripts/build-rootimage || exit 1
 fi
 
-##########################################################################
-# Creating the root filesystems for the specified UML instances
-#
-if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ]
+if [ $ENABLE_BUILD_GUESTKERNEL = "yes" ]
 then
-   cecho "Building uml host root file systems (scripts/build-umlhostfs)"
-   $DIR/scripts/build-umlhostfs $HOSTS
+	$DIR/scripts/build-guestkernel || exit 1
 fi
 
-##########################################################################
-# Start up the UML switches and designated UML instances
-#
-if [ $ENABLE_START_TESTING = "yes" ]
+if [ $ENABLE_BUILD_GUESTIMAGES = "yes" ]
 then
-   cecho "Starting the uml switches and instances (start-testing)"
-   $DIR/start-testing $HOSTS
+	$DIR/scripts/build-guestimages $HOSTS || exit 1
 fi
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
new file mode 100755
index 000000000..354b48bd7
--- /dev/null
+++ b/testing/scripts/build-baseimage
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+echo "Building base image"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk
+
+# package includes/excludes
+INC=build-essential,gperf,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
+INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
+INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev
+INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
+INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
+INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
+INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev
+SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
+INC=$INC,${SERVICES// /,}
+
+CACHEDIR=$BUILDDIR/cache
+APTCACHE=$LOOPDIR/var/cache/apt/archives
+
+mkdir -p $LOOPDIR
+mkdir -p $CACHEDIR
+mkdir -p $IMGDIR
+rm -f $BASEIMG
+
+echo "`date`, building $BASEIMG" >>$LOGFILE
+
+load_qemu_nbd
+
+log_action "Creating base image $BASEIMG"
+execute "qemu-img create -f $IMGEXT $BASEIMG ${BASEIMGSIZE}M"
+
+log_action "Connecting image to NBD device $NBDEV"
+execute "qemu-nbd -c $NBDEV $BASEIMG"
+do_on_exit qemu-nbd -d $NBDEV
+
+log_action "Partitioning disk"
+sfdisk /dev/nbd0 -D -uM >>$LOGFILE 2>&1 << EOF
+;
+EOF
+if [ $? != 0 ]
+then
+	log_status 1
+	exit 1
+else
+	log_status 0
+fi
+partprobe $NBDEV
+
+log_action "Creating ext3 filesystem"
+execute "mkfs.ext3 $NBDPARTITION"
+
+log_action "Mounting $NBDPARTITION to $LOOPDIR"
+execute "mount $NBDPARTITION $LOOPDIR"
+do_on_exit graceful_umount $LOOPDIR
+
+log_action "Using $CACHEDIR as archive for apt"
+mkdir -p $APTCACHE
+execute "mount -o bind $CACHEDIR $APTCACHE"
+do_on_exit graceful_umount $APTCACHE
+
+log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
+execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
+
+execute "mount -t proc none $LOOPDIR/proc"
+do_on_exit graceful_umount $LOOPDIR/proc
+
+for service in $SERVICES
+do
+	log_action "Stopping service $service"
+	execute_chroot "/etc/init.d/$service stop"
+	log_action "Disabling service $service"
+	execute_chroot "update-rc.d -f $service remove"
+done
+
+log_action "Disabling root password"
+execute_chroot "passwd -d root"
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
new file mode 100755
index 000000000..f7fb1f85c
--- /dev/null
+++ b/testing/scripts/build-guestimages
@@ -0,0 +1,71 @@
+#!/bin/bash
+# create specific guest images
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+echo "Creating guest images"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+HOSTSDIR=$DIR/../hosts
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+[ -f $ROOTIMG ] || die "Root image $ROOTIMG not found"
+[ -f $HOSTDIR ] || die "Hosts directory $HOSTSDIR not found"
+
+check_commands partprobe qemu-img qemu-nbd
+
+load_qemu_nbd
+
+mkdir -p $IMGDIR
+mkdir -p $LOOPDIR
+
+# just to be sure
+do_on_exit qemu-nbd -d $NBDEV
+do_on_exit umount $LOOPDIR
+
+for host in $STRONGSWANHOSTS
+do
+	log_action "Creating guest image for $host"
+	execute "qemu-img create -b $ROOTIMG -f $IMGEXT $IMGDIR/$host.$IMGEXT" 0
+	execute "qemu-nbd -c $NBDEV $IMGDIR/$host.$IMGEXT" 0
+	partprobe $NBDEV
+	execute "mount $NBDPARTITION $LOOPDIR" 0
+	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
+	execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
+	execute_chroot "ldconfig" 0
+
+	if [ "$host" = "winnetou" ]
+	then
+		execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
+		execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
+		execute_chroot "ln -s /etc/openssl/certs /var/www/certs" 0
+		execute_chroot "/etc/openssl/generate-crl" 0
+		execute_chroot "update-rc.d apache2 defaults" 0
+		execute_chroot "update-rc.d slapd defaults" 0
+		execute_chroot "rm -rf /var/lib/ldap/*" 0
+		execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
+		execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
+		execute_chroot "dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org" 0
+		execute_chroot "dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org" 0
+		execute_chroot "dnssec-signzone -K /etc/bind -o . /etc/bind/db.root" 0
+		execute_chroot "update-rc.d bind9 defaults" 0
+	fi
+	sync
+	execute "umount -l $LOOPDIR" 0
+	execute "qemu-nbd -d $NBDEV" 0
+	log_status 0
+done
diff --git a/testing/scripts/build-guestkernel b/testing/scripts/build-guestkernel
new file mode 100755
index 000000000..66a9fe7a4
--- /dev/null
+++ b/testing/scripts/build-guestkernel
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+echo "Building guest kernel version $KERNELVERSION"
+
+[ -f "$KERNELCONFIG" ] || die "Kernel config $KERNELCONFIG not found"
+
+check_commands bunzip2 bzcat make wget
+
+cd $BUILDDIR
+
+if [ ! -f "$KERNELTARBALL" ]
+then
+	url=ftp://ftp.kernel.org/pub/linux/kernel/v3.x/$KERNELTARBALL
+	log_action "Downloading $url"
+	execute "wget -q $url"
+fi
+
+if [[ $KERNELPATCH && ! -f "$KERNELPATCH" ]]
+then
+	url=http://download.strongswan.org/uml/$KERNELPATCH
+	log_action "Downloading $url"
+	execute "wget -q $url"
+fi
+
+log_action "Unpacking kernel"
+execute "tar xjf $KERNELTARBALL"
+
+KERNELDIR=$BUILDDIR/$KERNEL
+cd $KERNELDIR
+
+if [ $KERNELPATCH ]
+then
+	log_action "Applying kernel patch"
+	bzcat ../$KERNELPATCH | patch -p1 >>$LOGFILE 2>&1
+	log_status $?
+	[ $? -eq 0 ] || exit 1
+fi
+
+execute "cp $KERNELCONFIG .config" 0
+
+echo "Creating kernel configuration, you might get prompted for new parameters"
+make oldconfig 2>&1 | tee -a $LOGFILE
+
+log_action "Compiling the kernel"
+execute "make -j5"
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
deleted file mode 100755
index 0ebbc5264..000000000
--- a/testing/scripts/build-hostconfig
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/bin/bash
-# build the hosts configuration directory with the actual IP addresses
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/../hosts ]        || die "!! Directory 'hosts' not found"
-
-source $DIR/../testing.conf
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho " * Creating directory '$BUILDDIR'"
-    mkdir $BUILDDIR
-fi
-
-########################################
-# copy default host configs to $BUILDDIR
-#
-
-HOSTCONFIGDIR=${BUILDDIR}/hosts
-
-if [ -d $HOSTCONFIGDIR ]
-then
-    rm -r $HOSTCONFIGDIR
-fi
-
-mkdir $HOSTCONFIGDIR
-cp -rfp ${UMLTESTDIR}/testing/hosts $BUILDDIR
-
-cecho " * Copied default host config directory to '$HOSTCONFIGDIR'"
-
-########################################
-# assign IP for each host to hostname
-#
-
-cecho-n " * Generate default config for.."
-
-HOSTIP=`ifconfig eth0 |grep inet |sed -e "s/.*inet addr://" -e "s/  Bcast.*//"`
-
-for host in $STRONGSWANHOSTS
-do
-    cecho-n "${host}.."
-    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-
-    [ "`eval echo \\\$ipv4_${host}`" != "$HOSTIP" ] || die "$host has the same IP as eth0 (Host)! Please change that."
-
-    case $host in
-    moon)
-        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        [ "`eval echo \\\$ipv4_moon1`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
-        searchandreplace PH_IP_MOON1 $ipv4_moon1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_MOON  $ipv4_moon  $HOSTCONFIGDIR
-        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_MOON1 $ipv6_moon1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_MOON  $ipv6_moon  $HOSTCONFIGDIR
-        ;;
-    sun)
-        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        [ "`eval echo \\\$ipv4_sun1`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that."
-        searchandreplace PH_IP_SUN1 $ipv4_sun1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_SUN  $ipv4_sun  $HOSTCONFIGDIR
-        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_SUN1 $ipv6_sun1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_SUN  $ipv6_sun  $HOSTCONFIGDIR
-        ;;
-    alice)
-        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP_ALICE1 $ipv4_alice1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_ALICE  $ipv4_alice  $HOSTCONFIGDIR
-        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_ALICE1 $ipv6_alice1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_ALICE  $ipv6_alice  $HOSTCONFIGDIR
-        ;;
-    venus)
-        searchandreplace PH_IP_VENUS  $ipv4_venus $HOSTCONFIGDIR
-        searchandreplace PH_IP6_VENUS $ipv6_venus $HOSTCONFIGDIR
-        ;;
-    bob)
-        searchandreplace PH_IP_BOB  $ipv4_bob $HOSTCONFIGDIR
-        searchandreplace PH_IP6_BOB $ipv6_bob $HOSTCONFIGDIR
-        ;;
-    carol)
-        eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP_CAROL1 $ipv4_carol1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_CAROL  $ipv4_carol  $HOSTCONFIGDIR
-        eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_CAROL1 $ipv6_carol1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_CAROL  $ipv6_carol  $HOSTCONFIGDIR
-        ;;
-    dave)
-        eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP_DAVE1 $ipv4_dave1 $HOSTCONFIGDIR
-        searchandreplace PH_IP_DAVE  $ipv4_dave  $HOSTCONFIGDIR
-        eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
-        searchandreplace PH_IP6_DAVE1 $ipv6_dave1 $HOSTCONFIGDIR
-        searchandreplace PH_IP6_DAVE  $ipv6_dave  $HOSTCONFIGDIR
-        ;;
-    winnetou)
-        searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $HOSTCONFIGDIR
-        searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $HOSTCONFIGDIR
-        ;;
-    esac
-done
-
-cgecho "done"
diff --git a/testing/scripts/build-rootimage b/testing/scripts/build-rootimage
new file mode 100755
index 000000000..8e10ce5f3
--- /dev/null
+++ b/testing/scripts/build-rootimage
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Create guest root image
+#
+# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+echo "Building root image"
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+[ -f "$BASEIMG" ] || die "Base image $BASEIMG not found"
+
+check_commands partprobe qemu-img qemu-nbd
+
+load_qemu_nbd
+
+mkdir -p $LOOPDIR
+mkdir -p $SHAREDDIR/compile
+mkdir -p $IMGDIR
+
+log_action "Creating root image $ROOTIMG"
+execute "qemu-img create -b $BASEIMG -f $IMGEXT $ROOTIMG"
+
+log_action "Connecting root image to NBD device $NBDEV"
+execute "qemu-nbd -c $NBDEV $ROOTIMG"
+do_on_exit qemu-nbd -d $NBDEV
+partprobe $NBDEV
+
+log_action "Mounting $NBDPARTITION to $LOOPDIR"
+execute "mount $NBDPARTITION $LOOPDIR"
+do_on_exit umount $LOOPDIR
+
+log_action "Mounting proc filesystem to $LOOPDIR/proc"
+execute "mount -t proc none $LOOPDIR/proc"
+do_on_exit umount $LOOPDIR/proc
+
+mkdir -p $LOOPDIR/root/shared
+log_action "Mounting $SHAREDDIR as /root/shared"
+execute "mount -o bind $SHAREDDIR $LOOPDIR/root/shared"
+do_on_exit umount $LOOPDIR/root/shared
+
+echo "Installing software from source"
+RECPDIR=$DIR/recipes
+RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
+execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
+for r in $RECIPES
+do
+	cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
+	log_action "Installing from recipe $r"
+	execute_chroot "make SWANVERSION=$SWANVERSION -C /root/shared/compile -f $r"
+done
+
+log_action "Removing /etc/resolv.conf"
+execute "rm -f $LOOPDIR/etc/resolv.conf"
diff --git a/testing/scripts/build-sshkeys b/testing/scripts/build-sshkeys
deleted file mode 100755
index 799078557..000000000
--- a/testing/scripts/build-sshkeys
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-# build the hosts configuration directory with the actual IP addresses
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/../hosts ]        || die "!! Directory 'hosts' not found"
-
-source $DIR/../testing.conf
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho " * Creating directory '$BUILDDIR'"
-    mkdir $BUILDDIR
-fi
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-if [ ! -d ~/.ssh ]
-then
-    cecho-n " * Creating directory '~/.ssh'.."
-    mkdir ~/.ssh
-    cgecho "done"
-fi
-
-if [ -f ~/.ssh/known_hosts ]
-then
-    cecho-n " * Backing up ~/.ssh/known_hosts to '~/.ssh/known_hosts.before_uml'.."
-    cp -fp ~/.ssh/known_hosts ~/.ssh/known_hosts.before_uml
-    cgecho "done"
-else
-    cecho-n " * Creating '~/.ssh/known_hosts'"
-    touch ~/.ssh/known_hosts
-    cgecho "done"
-fi
-
-for host in $HOSTNAMEIPV4
-do
-    HOSTNAME=`echo $host | awk -F, '{ print $1 }'`
-    IP=`echo $host | awk -F, '{ print $2 }'`
-    if [ `grep "$IP " ~/.ssh/known_hosts | wc -l` != "0" ]
-    then
-        cecho "!! Warning: An entry exists for the following IP address: $IP"
-    else
-	cecho-n " * Adding uml host $HOSTNAME ($IP) to '~/.ssh/known_hosts'.."
-	echo "$HOSTNAME,$IP `cat $DIR/../hosts/ssh_host_rsa_key.pub`" >> ~/.ssh/known_hosts
-	cgecho "done"
-    fi
-done
-
-#####################################
-# preparing ssh for PK authentication
-#
-
-cecho-n " * Checking for ssh rsa key '~/.ssh/id_rsa.pub'.."
-if [ -f ~/.ssh/id_rsa.pub ]
-then
-    cecho "already exists"
-else
-    cecho "not found"
-    cecho-n " * Generating ssh rsa key pair.."
-    echo "" | ssh-keygen -N "" -t rsa -f ~/.ssh/id_rsa >> $LOGFILE 2>&1
-    cgecho "done"
-fi
diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs
deleted file mode 100755
index 75feaa4ed..000000000
--- a/testing/scripts/build-umlhostfs
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-# create UML host file systems
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found."
-
-source $DIR/../testing.conf
-
-cd $BUILDDIR/root-fs
-
-[ -f gentoo-fs ] || die "!! Root file system 'gentoo-fs' not found."
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho-n " * Directory '$BUILDDIR' does not exist..creating.."
-    mkdir $BUILDDIR
-    cgecho "done"
-fi
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-LOOPDIR=loop
-
-if [ ! -d $LOOPDIR ]
-then
-    mkdir $LOOPDIR
-fi
-
-cecho-n " * Creating root filesystem for.."
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-for host in $HOSTS
-do
-    cecho-n "$host.."
-    cp gentoo-fs gentoo-fs-$host
-    mount -o loop gentoo-fs-$host $LOOPDIR
-    cp -rf $BUILDDIR/hosts/${host}/etc $LOOPDIR
-    if [ "$host" = "winnetou" ]
-    then
-    	mkdir $LOOPDIR/var/log/apache2/ocsp
-	cp -rf $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs
-	chroot $LOOPDIR ln -s /etc/openssl/certs /var/www/localhost/htdocs/certs
-        chroot $LOOPDIR /etc/openssl/generate-crl >> $LOGFILE 2>&1
-    fi
-    chroot $LOOPDIR /etc/init.d/depscan.sh --update >> $LOGFILE 2>&1
-    umount $LOOPDIR
-done
-
-cgecho "done"
diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel
deleted file mode 100755
index b9f0d710d..000000000
--- a/testing/scripts/build-umlkernel
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/bin/bash
-# build an UML kernel based on a vanilla kernel and UML patch
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho-n " * Looking for kernel at '$KERNEL'.."
-if [ -f "${KERNEL}" ]
-then
-    cecho "found it"
-    KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
-    cecho " * Kernel version is $KERNELVERSION"
-else
-    cecho "none"
-    exit
-fi
-
-if [ ${UMLPATCH} ]
-then
-    cecho-n " * Looking for uml patch at '$UMLPATCH'.."
-    if [ -f "${UMLPATCH}" ]
-    then
-	cecho "found it"
-    else
-	cecho "none"
-	exit
-    fi
-fi
-
-cecho-n " * Looking for kernel config at '$KERNELCONFIG'.."
-if [ -f "${KERNEL}" ]
-then
-    cecho "found it"
-else
-    cecho "none"
-    exit
-fi
-
-#######################################################
-# unpack kernel and create symlink
-#
-
-if [ ! -d $BUILDDIR ]
-then
-    cecho " * Creating directory '$BUILDDIR'"
-    mkdir $BUILDDIR
-fi
-
-cecho " * Changing to directory '$BUILDDIR'"
-cd $BUILDDIR
-
-LOGFILE=${BUILDDIR}/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-cecho-n " * Unpacking kernel.."
-tar xjf $KERNEL >> $LOGFILE 2>&1
-cgecho "done"
-
-KERNELDIR=${BUILDDIR}/linux-${KERNELVERSION}
-
-if [ -d $KERNELDIR ]
-then
-    cecho " * Kernel directory is '$KERNELDIR'"
-    cecho " * Creating symlink 'linux'"
-    if [ -d linux ]
-    then
-	rm linux
-    fi
-    ln -s linux-${KERNELVERSION} linux
-else
-    cecho "!! Kernel directory '$KERNELDIR' can not be found"
-    exit
-fi
-
-#######################################################
-# patch kernel
-#
-
-cecho " * Changing to directory '$KERNELDIR'"
-cd $KERNELDIR
-
-if [ $UMLPATCH ]
-then
-    cecho-n " * Applying uml patch.."
-    bzcat $UMLPATCH | patch -p1 >> $LOGFILE 2>&1
-    cgecho  "done"
-fi
-
-#######################################################
-# copy our default .config to linux and build kernel
-#
-
-cp $KERNELCONFIG .config
-
-cecho "!!"
-cecho "!! Making .config for kernel. You might be prompted for new parameters!"
-cecho "!!"
-make oldconfig ARCH=um SUBARCH=i386 2>&1 | tee -a $LOGFILE
-
-cecho-n " * Now compiling uml kernel.."
-make linux ARCH=um SUBARCH=i386 >> $LOGFILE 2>&1
-cgecho "done"
-
-cecho-n " * Copying uml kernel to '${BUILDDIR}/linux-uml-${KERNELVERSION}'.."
-mv linux ${BUILDDIR}/linux-uml-${KERNELVERSION}
-cgecho "done"
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
deleted file mode 100755
index 4c066001c..000000000
--- a/testing/scripts/build-umlrootfs
+++ /dev/null
@@ -1,431 +0,0 @@
-#!/bin/bash
-# Create UML root filesystem
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-STRONGSWANVERSION=`basename $STRONGSWAN .tar.bz2`
-
-cecho-n " * Looking for strongSwan at '$STRONGSWAN'.."
-if [ -f "$STRONGSWAN" ]
-then
-    cecho "found it"
-    cecho " * strongSwan version is '$STRONGSWANVERSION'"
-else
-    cecho "none"
-    exit
-fi
-
-cecho-n " * Looking for gentoo root filesystem at '$ROOTFS'.."
-if [ -f "$ROOTFS" ]
-then
-    cecho "found it"
-else
-    cecho "none"
-    exit
-fi
-
-[ -d $BUILDDIR ] || die "!! Directory '$BUILDDIR' does not exist"
-
-HOSTCONFIGDIR=$BUILDDIR/hosts
-
-[ -d $HOSTCONFIGDIR ] || die "!! Directory '$HOSTCONFIGDIR' does not exist"
-
-LOGFILE=$BUILDDIR/testing.log
-
-if [ ! -f $LOGFILE ]
-then
-    cecho-n " * Logfile '$LOGFILE' does not exist..creating.."
-    touch $LOGFILE
-    cgecho "done"
-fi
-
-ROOTFSDIR=$BUILDDIR/root-fs
-
-if [ ! -d $ROOTFSDIR ]
-then
-    cecho-n " * Root file system directory '$ROOTFSDIR' does not exist..creating.."
-    mkdir $ROOTFSDIR
-    cgecho "done"
-fi
-
-cd $ROOTFSDIR
-
-LOOPDIR=$ROOTFSDIR/loop
-
-if [ ! -d $LOOPDIR ]
-then
-    mkdir $LOOPDIR
-fi
-
-######################################################
-# creating reiser-based uml root filesystem
-#
-
-cecho-n " * Building basic root filesystem (gentoo).."
-dd if=/dev/zero of=gentoo-fs count=$ROOTFSSIZE bs=1M >> $LOGFILE 2>&1
-mkreiserfs -q -f gentoo-fs       >> $LOGFILE 2>&1
-mount -o loop gentoo-fs $LOOPDIR >> $LOGFILE 2>&1
-tar xjpf $ROOTFS -C $LOOPDIR     >> $LOGFILE 2>&1
-cgecho "done"
-
-######################################################
-# remove /etc/resolv.conf
-#
-cecho " * Removing /etc/resolv.conf"
-rm -f $LOOPDIR/etc/resolv.conf
-
-######################################################
-# copying default /etc/hosts to the root filesystem
-#
-cecho " * Copying '$HOSTCONFIGDIR/default/etc/hosts' to the root filesystem"
-cp -fp $HOSTCONFIGDIR/default/etc/hosts $LOOPDIR/etc/hosts
-
-#####################################################
-# extracting strongSwan into the root filesystem
-#
-cecho " * Extracting strongSwan into the root filesystem"
-tar xjf $STRONGSWAN -C $LOOPDIR/root >> $LOGFILE 2>&1
-
-######################################################
-# setting up mountpoint for shared source tree
-#
-if [ "${SHAREDTREE+set}" = "set" ]; then
-    cecho " * setting up shared strongswan tree at '$SHAREDTREE'"
-    mkdir $LOOPDIR/root/strongswan-shared
-    echo "" >> $LOOPDIR/etc/fstab
-    echo "none /root/strongswan-shared hostfs $SHAREDTREE" >> $LOOPDIR/etc/fstab
-fi
-
-######################################################
-# installing strongSwan and setting the local timezone
-#
-
-INSTALLSHELL=${LOOPDIR}/install.sh
-
-cecho " * Preparing strongSwan installation script"
-echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
-
-echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
-echo -n "./configure --sysconfdir=/etc" >> $INSTALLSHELL
-echo -n " --with-random-device=/dev/urandom" >> $INSTALLSHELL
-echo -n " --disable-load-warning" >> $INSTALLSHELL
-
-if [ "$USE_LIBCURL" = "yes" ]
-then
-    echo -n " --enable-curl" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LDAP" = "yes" ]
-then
-    echo -n " --enable-ldap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_AKA" = "yes" ]
-then
-    echo -n " --enable-eap-aka" >> $INSTALLSHELL
-    echo -n " --enable-eap-aka-3gpp2" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_SIM" = "yes" ]
-then
-    echo -n " --enable-eap-sim" >> $INSTALLSHELL
-    echo -n " --enable-eap-sim-file" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_MD5" = "yes" ]
-then
-    echo -n " --enable-eap-md5" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_MSCHAPV2" = "yes" ]
-then
-    echo -n " --enable-md4" >> $INSTALLSHELL
-    echo -n " --enable-eap-mschapv2" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_IDENTITY" = "yes" ]
-then
-    echo -n " --enable-eap-identity" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_RADIUS" = "yes" ]
-then
-    echo -n " --enable-eap-radius" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TLS" = "yes" ]
-then
-    echo -n " --enable-eap-tls" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TTLS" = "yes" ]
-then
-    echo -n " --enable-eap-ttls" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_PEAP" = "yes" ]
-then
-    echo -n " --enable-eap-peap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_EAP_TNC" = "yes" ]
-then
-    echo -n " --enable-eap-tnc" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_PDP" = "yes" ]
-then
-    echo -n " --enable-tnc-pdp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_IMC" = "yes" ]
-then
-    echo -n " --enable-tnc-imc" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNC_IMV" = "yes" ]
-then
-    echo -n " --enable-tnc-imv" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_11" = "yes" ]
-then
-    echo -n " --enable-tnccs-11" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_20" = "yes" ]
-then
-    echo -n " --enable-tnccs-20" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TNCCS_DYNAMIC" = "yes" ]
-then
-    echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_TEST" = "yes" ]
-then
-    echo -n " --enable-imc-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_TEST" = "yes" ]
-then
-    echo -n " --enable-imv-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_SCANNER" = "yes" ]
-then
-    echo -n " --enable-imc-scanner" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_SCANNER" = "yes" ]
-then
-    echo -n " --enable-imv-scanner" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMC_ATTESTATION" = "yes" ]
-then
-    echo -n " --enable-imc-attestation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IMV_ATTESTATION" = "yes" ]
-then
-    echo -n " --enable-imv-attestation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SQL" = "yes" ]
-then
-    echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
-    fi
-
-if [ "$USE_MEDIATION" = "yes" ]
-then
-    echo -n " --enable-mediation" >> $INSTALLSHELL
-fi
-
-if [ "$USE_OPENSSL" = "yes" ]
-then
-    echo -n " --enable-openssl" >> $INSTALLSHELL
-fi
-
-if [ "$USE_BLOWFISH" = "yes" ]
-then
-    echo -n " --enable-blowfish" >> $INSTALLSHELL
-fi
-
-if [ "$USE_KERNEL_PFKEY" = "yes" ]
-then
-    echo -n " --enable-kernel-pfkey" >> $INSTALLSHELL
-fi
-  
-if [ "$USE_INTEGRITY_TEST" = "yes" ]
-then
-    echo -n " --enable-integrity-test" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LEAK_DETECTIVE" = "yes" ]
-then
-    echo -n " --enable-leak-detective" >> $INSTALLSHELL
-fi
-
-if [ "$USE_LOAD_TESTER" = "yes" ]
-then
-    echo -n " --enable-load-tester" >> $INSTALLSHELL
-fi
-
-if [ "$USE_TEST_VECTORS" = "yes" ]
-then
-    echo -n " --enable-test-vectors" >> $INSTALLSHELL
-fi
-
-if [ "$USE_GCRYPT" = "yes" ]
-then
-    echo -n " --enable-gcrypt" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SOCKET_DEFAULT" = "yes" ]
-then
-    echo -n " --enable-socket-default" >> $INSTALLSHELL
-fi
-
-if [ "$USE_SOCKET_DYNAMIC" = "yes" ]
-then
-    echo -n " --enable-socket-dynamic" >> $INSTALLSHELL
-fi
-
-if [ "$USE_DHCP" = "yes" ]
-then
-    echo -n " --enable-dhcp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_FARP" = "yes" ]
-then
-    echo -n " --enable-farp" >> $INSTALLSHELL
-fi
-
-if [ "$USE_ADDRBLOCK" = "yes" ]
-then
-    echo -n " --enable-addrblock" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CTR" = "yes" ]
-then
-    echo -n " --enable-ctr" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CCM" = "yes" ]
-then
-    echo -n " --enable-ccm" >> $INSTALLSHELL
-fi
-
-if [ "$USE_GCM" = "yes" ]
-then
-    echo -n " --enable-gcm" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CMAC" = "yes" ]
-then
-    echo -n " --enable-cmac" >> $INSTALLSHELL
-fi
-
-if [ "$USE_HA" = "yes" ]
-then
-    echo -n " --enable-ha" >> $INSTALLSHELL
-fi
-
-if [ "$USE_AF_ALG" = "yes" ]
-then
-    echo -n " --enable-af-alg" >> $INSTALLSHELL
-fi
-
-if [ "$USE_WHITELIST" = "yes" ]
-then
-    echo -n " --enable-whitelist" >> $INSTALLSHELL
-fi
-
-if [ "$USE_PKCS8" = "yes" ]
-then
-    echo -n " --enable-pkcs8" >> $INSTALLSHELL
-fi
-
-if [ "$USE_IFMAP" = "yes" ]
-then
-    echo -n " --enable-tnc-ifmap" >> $INSTALLSHELL
-fi
-
-if [ "$USE_CISCO_QUIRKS" = "yes" ]
-then
-    echo -n " --enable-cisco-quirks" >> $INSTALLSHELL
-fi
-
-echo "" >> $INSTALLSHELL
-echo "make -j" >> $INSTALLSHELL
-echo "make install" >> $INSTALLSHELL
-echo "ldconfig" >> $INSTALLSHELL
-
-cecho-n " * Compiling $STRONGSWANVERSION within the root file system as chroot.."
-chroot $LOOPDIR /bin/bash /install.sh >> $LOGFILE 2>&1
-rm -f $INSTALLSHELL
-cgecho "done"
-
-######################################################
-# copying default /etc/ipsec.d/tables.sql to the root filesystem
-#
-cecho " * Copying '$HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql' to the root filesystem"
-cp -fp $HOSTCONFIGDIR/default/etc/ipsec.d/tables.sql $LOOPDIR/etc/ipsec.d/tables.sql
-
-######################################################
-# copying the host's ssh public key
-#
-
-if [ ! -d $LOOPDIR/root/.ssh ]
-then
-    mkdir $LOOPDIR/root/.ssh
-fi
-cp ~/.ssh/id_rsa.pub $LOOPDIR/root/.ssh/authorized_keys
-
-######################################################
-# setup public key based login among all hosts
-#
-cp $LOOPDIR/etc/ssh/ssh_host_rsa_key $LOOPDIR/root/.ssh/id_rsa
-
-for host in $STRONGSWANHOSTS
-do
-    eval ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F- '{ print $1 }' | awk '{ print $1 }'`"
-    echo "$host,$ip `cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub`" >> $LOOPDIR/root/.ssh/known_hosts
-    echo "`cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub` root@$host" >> $LOOPDIR/root/.ssh/authorized_keys
-done
-
-######################################################
-# defining an empty modules.dep
-#
-
-if [ $UMLPATCH ]
-then
-    mkdir $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um
-    touch $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um/modules.dep
-else
-    mkdir $LOOPDIR/lib/modules/$KERNELVERSION
-    touch $LOOPDIR/lib/modules/$KERNELVERSION/modules.dep
-fi
-
-umount $LOOPDIR
diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh
index e7ecbcf83..c4769678c 100755
--- a/testing/scripts/function.sh
+++ b/testing/scripts/function.sh
@@ -14,31 +14,146 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
+export TERM=xterm
+RED=$(tput setaf 1)
+GREEN=$(tput setaf 2)
+NORMAL=$(tput op)
 
-############################################
-# print output in color
-#
+# exit with given error message
+# $1 - error message
+die() {
+	echo -e "${RED}$1${NORMAL}"
+	exit 1
+}
 
-function cecho {
-    echo -e "\033[1;31m$1\033[0m"
+# execute command
+# $1 - command to execute
+# $2 - whether or not to log command exit status
+#      (0 -> disable exit status logging)
+execute()
+{
+	cmd=${1}
+	echo $cmd >>$LOGFILE 2>&1
+	$cmd >>$LOGFILE 2>&1
+	status=$?
+	[ "$2" != 0 ] && log_status $status
+	if [ $status != 0 ]; then
+		echo
+		echo "! Command $cmd failed, exiting (status $status)"
+		echo "! Check why here $LOGFILE"
+		exit 1
+	fi
 }
-function cgecho {
-    echo -e "\033[1;32m$1\033[0m"
+
+# execute command in chroot
+# $1 - command to execute
+execute_chroot()
+{
+	execute "chroot $LOOPDIR $@"
 }
 
-function cecho-n {
-    echo -en "\033[1;31m$1\033[0m"
+# write green status message to console
+# $1 - msg
+echo_ok()
+{
+	echo -e "${GREEN}$1${NORMAL}"
 }
 
+# write red status message to console
+# $1 - msg
+echo_failed()
+{
+	echo -e "${RED}$1${NORMAL}"
+}
 
-#############################################
-# output all args to stderr and exit with
-# return code 1
-#
+# log an action
+# $1 - current action description
+log_action()
+{
+	/bin/echo -n "[....] $1 "
+}
 
-die() {
-    echo $* 1>&2
-    exit 1
+# log an action status
+# $1 - exit status of action
+log_status()
+{
+	tput hpa 0
+	if [ $1 -eq 0 ]; then
+		/bin/echo -ne "[${GREEN} ok ${NORMAL}"
+	else
+		/bin/echo -ne "[${RED}FAIL${NORMAL}"
+	fi
+	echo
+}
+
+# the following two functions are stolen from [1]
+# [1] - http://www.linuxjournal.com/content/use-bash-trap-statement-cleanup-temporary-files
+
+declare -a on_exit_items
+
+# perform registered actions on exit
+on_exit()
+{
+	for ((onex=${#on_exit_items[@]}-1; onex>=0; onex--))
+	do
+		echo "On_Exit: ${on_exit_items[$onex]}" >>$LOGFILE
+		${on_exit_items[$onex]} >>$LOGFILE 2>&1
+	done
+	on_exit_items=""
+	trap - EXIT
+}
+
+# register a command to execute when the calling script terminates. The
+# registered commands are called in FILO order.
+# $* - command to register
+do_on_exit()
+{
+	local n=${#on_exit_items[*]}
+	on_exit_items[$n]="$*"
+	if [ $n -eq 0 ]; then
+		trap on_exit EXIT
+	fi
+}
+
+# wait for a mount to disappear
+# $1 - device/image to wait for
+# $2 - maximum time to wait in seconds, default is 5 seconds
+graceful_umount()
+{
+	secs=$2
+	[ ! $secs ] && secs=5
+
+	let steps=$secs*100
+	for st in `seq 1 $steps`
+	do
+		umount $1 >>$LOGFILE 2>&1
+		mount | grep $1 >/dev/null 2>&1
+		[ $? -eq 0 ] || return 0
+		sleep 0.01
+	done
+
+	return 1
+}
+
+# load qemu NBD kernel module, if not already loaded
+load_qemu_nbd()
+{
+	lsmod | grep ^nbd[[:space:]]* >/dev/null 2>&1
+	if [ $? != 0 ]
+	then
+		log_action "Loading NBD kernel module"
+		execute "modprobe nbd max_part=16"
+	fi
+}
+
+# check if given commands exist in $PATH
+# $* - commands to check
+check_commands()
+{
+	for i in $*
+	do
+		command -v $i >/dev/null || { die "Required command $i not found"; exit 1; }
+	done
 }
 
 #############################################
@@ -55,13 +170,6 @@ function searchandreplace {
     [ -d "$DESTDIR" ] || die "$DESTDIR is not a directory!"
 
 
-    #########################
-    # create a temporary file
-    #
-
-    TMPFILE="/tmp/sr.$$"
-
-
     ###########################################
     # search and replace in each found file the
     # given string
@@ -69,59 +177,7 @@ function searchandreplace {
 
     for eachfoundfile in `find $DESTDIR -type f`
     do
-        sed -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile" > "$TMPFILE"
-        cp -f "$TMPFILE" "$eachfoundfile"
+        sed -i -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile"
     done
 
-
-    ###########################
-    # delete the temporary file
-    #
-
-    rm -f "$TMPFILE"
-
-}
-
-#############################################
-# add a bridge
-#
-
-function umlbr_add {
-	brctl addbr     "umlbr$1"
-	brctl setfd     "umlbr$1" 0
-	brctl setageing "umlbr$1" 3600
-	brctl stp       "umlbr$1" off
-	ifconfig        "umlbr$1" "$2" netmask "$3" up 
 }
-
-#############################################
-# delete a bridge
-#
-
-function umlbr_del {
-	ifconfig    "umlbr$1" down                     &> /dev/null 2>&1
-	brctl delbr "umlbr$1"                          &> /dev/null 2>&1
-}
-
-#############################################
-# add a tap interface to a bridge
-#
-
-function umlbr_add_tap {
-	tunctl -t "tap$1_$2"                           &> /dev/null 2>&1
-	ifconfig "tap$1_$2" 0.0.0.0 promisc up         &> /dev/null 2>&1
-	brctl addif "umlbr$1" "tap$1_$2"               &> /dev/null 2>&1
-	cecho-n "$2.."
- }
-
-#############################################
-# delete a tap interface from a bridge
-#
-
-function umlbr_del_tap {
-	ifconfig "umlbr$2" down                        &> /dev/null 2>&1
-	brctl delif "umlbr$1" "tap$1_$2"               &> /dev/null 2>&1
-	tunctl -d "tap$1_$2"                           &> /dev/null 2>&1
-	cecho-n "$2.."
- }
-
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
deleted file mode 100755
index c6fcd26dc..000000000
--- a/testing/scripts/gstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in an gnome-terminal (requires X11R6)
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of xterm window on the desktop
-x0=8
-y0=52
-dx=12
-dy=24
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-    
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval gnome-terminal --title=${host} --geometry="+${x0}+${y0}" --show-menubar --execute "$UMLKERNEL \
-            umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
-        cgecho "done"
-        sleep 15
-    fi
-    let "x0+=dx"
-    let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/install-shared b/testing/scripts/install-shared
deleted file mode 100755
index 4cfac9e77..000000000
--- a/testing/scripts/install-shared
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Install strongSwan from mounted strongswan-shared tree
-#
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho "installing strongSwan from shared tree"
-cecho-n "  on: "
-
-for host in $STRONGSWANHOSTS
-do
-    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    cecho-n "$host... "
-    ssh $HOSTLOGIN 'cd ~/strongswan-shared && make install' > /dev/null
-done
-
-cecho
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
deleted file mode 100755
index 18dc64a9d..000000000
--- a/testing/scripts/kstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in a konsole (requires KDE)
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of konsole window on the desktop
-x0=8
-y0=8
-dx=12
-dy=24
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval konsole -title ${host} --geometry "+${x0}+${y0}" -e "$UMLKERNEL \
-	    umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
-        cgecho "done"
-        sleep 15
-    fi
-    let "x0+=dx"
-    let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 43100dbe0..5f35c129e 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -14,13 +14,10 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+SSHCONF="-F $DIR/../ssh_config"
 
 ##########################################################################
 # load-testconfig requires a testname as an argument
@@ -58,17 +55,17 @@ for host in $IPSECHOSTS
 do
     eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
     ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
-		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+		    kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
 done
 
 
 ##########################################################################
-# clear radius.log and daemon.log on FreeRadius servers
+# clear daemon.log and radius.log on FreeRadius servers
 #
 
 for host in $RADIUSHOSTS
 do
     eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/radius/radius.log /var/log/daemon.log; \
-		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/daemon.log /var/log/freeradius/radius.log; \
+		    kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
 done
diff --git a/testing/scripts/recipes/001_libtnc.mk b/testing/scripts/recipes/001_libtnc.mk
new file mode 100644
index 000000000..b835958b7
--- /dev/null
+++ b/testing/scripts/recipes/001_libtnc.mk
@@ -0,0 +1,31 @@
+#!/usr/bin/make
+
+PV  = 1.25
+PKG = libtnc-$(PV)
+TAR = $(PKG).tar.gz
+SRC = http://downloads.sourceforge.net/project/libtnc/libtnc/$(PV)/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--sysconfdir=/etc
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+	tar xfz $(TAR)
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-unpacked
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG) && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/002_tnc-fhh.mk b/testing/scripts/recipes/002_tnc-fhh.mk
new file mode 100644
index 000000000..397cef950
--- /dev/null
+++ b/testing/scripts/recipes/002_tnc-fhh.mk
@@ -0,0 +1,28 @@
+#!/usr/bin/make
+
+PKG = fhhtnc
+SRC = git://github.com/trustatfhh/tnc-fhh.git
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	-DCOMPONENT=all \
+	-DNAL=8021x
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	mkdir $(PKG)/build
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-cloned
+	cd $(PKG)/build && cmake $(CONFIG_OPTS) ../
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG)/build && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG)/build && make install
diff --git a/testing/scripts/recipes/003_freeradius.mk b/testing/scripts/recipes/003_freeradius.mk
new file mode 100644
index 000000000..7b7a5fe82
--- /dev/null
+++ b/testing/scripts/recipes/003_freeradius.mk
@@ -0,0 +1,44 @@
+#!/usr/bin/make
+
+PV  = 2.2.0
+PKG = freeradius-server-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = ftp://ftp.freeradius.org/pub/freeradius/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--with-raddbdir=/etc/freeradius \
+	--sysconfdir=/etc \
+	--with-logdir=/var/log/freeradius \
+	--enable-developer \
+	--with-experimental-modules
+
+PATCHES = \
+	freeradius-eap-sim-identity \
+	freeradius-avp-size \
+	freeradius-tnc-fhh
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+	tar xfj $(TAR)
+	@touch $@
+
+.$(PKG)-patches-applied: .$(PKG)-unpacked
+	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-patches-applied
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG) && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/004_wpa_supplicant.mk b/testing/scripts/recipes/004_wpa_supplicant.mk
new file mode 100644
index 000000000..14b64ea78
--- /dev/null
+++ b/testing/scripts/recipes/004_wpa_supplicant.mk
@@ -0,0 +1,39 @@
+#!/usr/bin/make
+
+PV  = 2.0
+PKG = wpa_supplicant-$(PV)
+TAR = $(PKG).tar.gz
+SRC = http://hostap.epitest.fi/releases/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS =
+
+PATCHES = \
+	wpa_supplicant-eap-tnc
+
+SUBDIR = wpa_supplicant
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+.$(PKG)-unpacked: $(TAR)
+	tar xfz $(TAR)
+	@touch $@
+
+.$(PKG)-patches-applied: .$(PKG)-unpacked
+	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
+	@touch $@
+
+.$(PKG)-configured: .$(PKG)-patches-applied
+	cp $(PKG)/$(SUBDIR)/defconfig $(PKG)/$(SUBDIR)/.config
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-configured
+	cd $(PKG)/$(SUBDIR) && make -j $(NUM_CPUS)
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG)/$(SUBDIR) && make install
diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk
new file mode 100644
index 000000000..2a3023c42
--- /dev/null
+++ b/testing/scripts/recipes/005_anet.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = anet
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.2.2
+
+PREFIX = /usr/local/ada
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make LIBRARY_KIND=static
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) LIBRARY_KIND=static install
diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk
new file mode 100644
index 000000000..9e1d2cfc6
--- /dev/null
+++ b/testing/scripts/recipes/006_tkm-rpc.mk
@@ -0,0 +1,23 @@
+#!/usr/bin/make
+
+PKG = tkm-rpc
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+PREFIX = /usr/local/ada
+
+export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) install
diff --git a/testing/scripts/recipes/007_x509-ada.mk b/testing/scripts/recipes/007_x509-ada.mk
new file mode 100644
index 000000000..121a14414
--- /dev/null
+++ b/testing/scripts/recipes/007_x509-ada.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = x509-ada
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+PREFIX = /usr/local/ada
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make tests && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) install
diff --git a/testing/scripts/recipes/008_xfrm-ada.mk b/testing/scripts/recipes/008_xfrm-ada.mk
new file mode 100644
index 000000000..6ad451340
--- /dev/null
+++ b/testing/scripts/recipes/008_xfrm-ada.mk
@@ -0,0 +1,23 @@
+#!/usr/bin/make
+
+PKG = xfrm-ada
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+PREFIX = /usr/local/ada
+
+export ADA_PROJECT_PATH=$(PREFIX)/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make PREFIX=$(PREFIX) install
diff --git a/testing/scripts/recipes/009_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk
new file mode 100644
index 000000000..569fbfe3c
--- /dev/null
+++ b/testing/scripts/recipes/009_xfrm-proxy.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = xfrm-proxy
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
new file mode 100644
index 000000000..cf24e1e26
--- /dev/null
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -0,0 +1,21 @@
+#!/usr/bin/make
+
+PKG = tkm
+SRC = http://git.codelabs.ch/git/$(PKG).git
+REV = v0.1
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+.$(PKG)-cloned:
+	git clone $(SRC) $(PKG)
+	cd $(PKG) && git checkout $(REV)
+	@touch $@
+
+.$(PKG)-built: .$(PKG)-cloned
+	cd $(PKG) && make
+	@touch $@
+
+install: .$(PKG)-built
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/011_openssl-fips.mk b/testing/scripts/recipes/011_openssl-fips.mk
new file mode 100644
index 000000000..5d28b181e
--- /dev/null
+++ b/testing/scripts/recipes/011_openssl-fips.mk
@@ -0,0 +1,23 @@
+#!/usr/bin/make
+
+PV  = 2.0.3
+PKG = openssl-fips-$(PV)
+TAR = $(PKG).tar.gz
+SRC = http://www.openssl.org/source/$(TAR)
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+$(PKG): $(TAR)
+	tar xfz $(TAR)
+
+configure: $(PKG)
+	cd $(PKG) && ./config
+
+build: configure
+	cd $(PKG) && make
+
+install: build
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/012_openssl.mk b/testing/scripts/recipes/012_openssl.mk
new file mode 100644
index 000000000..9312445ce
--- /dev/null
+++ b/testing/scripts/recipes/012_openssl.mk
@@ -0,0 +1,13 @@
+#!/usr/bin/make
+
+PV  = 1.0.1e
+PKG = openssl-$(PV)
+SRC = http://download.strongswan.org/testing/openssl-fips/
+
+all: install
+
+$(PKG):
+	wget -r $(SRC) --no-directories --directory-prefix $(PKG) --accept deb
+
+install: $(PKG)
+	cd $(PKG) && dpkg -i *.deb
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
new file mode 100644
index 000000000..6240d4228
--- /dev/null
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -0,0 +1,98 @@
+#!/usr/bin/make
+
+PV  = $(SWANVERSION)
+PKG = strongswan-$(PV)
+TAR = $(PKG).tar.bz2
+SRC = http://download.strongswan.org/$(TAR)
+
+NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+
+CONFIG_OPTS = \
+	--sysconfdir=/etc \
+	--with-random-device=/dev/urandom \
+	--disable-load-warning \
+	--enable-curl \
+	--enable-soup \
+	--enable-ldap \
+	--enable-eap-aka \
+	--enable-eap-aka-3gpp2 \
+	--enable-eap-sim \
+	--enable-eap-sim-file \
+	--enable-eap-md5 \
+	--enable-md4 \
+	--enable-eap-mschapv2 \
+	--enable-eap-identity \
+	--enable-eap-radius \
+	--enable-eap-dynamic \
+	--enable-eap-tls \
+	--enable-eap-ttls \
+	--enable-eap-peap \
+	--enable-eap-tnc \
+	--enable-tnc-ifmap \
+	--enable-tnc-pdp \
+	--enable-tnc-imc \
+	--enable-tnc-imv \
+	--enable-tnccs-11 \
+	--enable-tnccs-20 \
+	--enable-tnccs-dynamic \
+	--enable-imc-test \
+	--enable-imv-test \
+	--enable-imc-scanner \
+	--enable-imv-scanner \
+	--enable-imc-os \
+	--enable-imv-os \
+	--enable-imc-attestation \
+	--enable-imv-attestation \
+	--enable-sql \
+	--enable-sqlite \
+	--enable-attr-sql \
+	--enable-mediation \
+	--enable-openssl \
+	--enable-blowfish \
+	--enable-kernel-pfkey \
+	--enable-integrity-test \
+	--enable-leak-detective \
+	--enable-load-tester \
+	--enable-test-vectors \
+	--enable-gcrypt \
+	--enable-socket-default \
+	--enable-socket-dynamic \
+	--enable-dhcp \
+	--enable-farp \
+	--enable-addrblock \
+	--enable-ctr \
+	--enable-ccm \
+	--enable-gcm \
+	--enable-cmac \
+	--enable-ha \
+	--enable-af-alg \
+	--enable-whitelist \
+	--enable-xauth-generic \
+	--enable-xauth-eap \
+	--enable-pkcs8 \
+	--enable-unity \
+	--enable-unbound \
+	--enable-ipseckey \
+	--enable-cmd \
+	--enable-libipsec \
+	--enable-kernel-libipsec \
+	--enable-tkm
+
+export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+
+all: install
+
+$(TAR):
+	wget $(SRC)
+
+$(PKG): $(TAR)
+	tar xfj $(TAR)
+
+configure: $(PKG)
+	cd $(PKG) && ./configure $(CONFIG_OPTS)
+
+build: configure
+	cd $(PKG) && make -j $(NUM_CPUS)
+
+install: build
+	cd $(PKG) && make install
diff --git a/testing/scripts/recipes/patches/freeradius-avp-size b/testing/scripts/recipes/patches/freeradius-avp-size
new file mode 100644
index 000000000..e7e1f635b
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-avp-size
@@ -0,0 +1,18 @@
+diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+index 6c9bd13..3344c53 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
++++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+@@ -201,8 +201,11 @@ static VALUE_PAIR *diameter2vp(REQUEST *request, SSL *ssl,
+ 			goto next_attr;
+ 		}
+ 
+-		if (size > 253) {
+-			RDEBUG2("WARNING: diameter2vp skipping long attribute %u, attr");
++		/*
++		 * EAP-Message AVPs can be larger than 253 octets.
++		 */
++		if ((size > 253) && !((VENDOR(attr) == 0) && (attr == PW_EAP_MESSAGE))) {
++			RDEBUG2("WARNING: diameter2vp skipping long attribute %u", attr);
+ 			goto next_attr;
+ 		}
+ 
diff --git a/testing/scripts/recipes/patches/freeradius-eap-sim-identity b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
new file mode 100644
index 000000000..1ab95ecc6
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-eap-sim-identity
@@ -0,0 +1,30 @@
+--- a/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c	2012-11-28 11:03:05.081225276 +0100
++++ b/src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c	2012-11-28 11:46:59.746289881 +0100
+@@ -246,14 +246,21 @@
+	newvp->vp_integer = ess->sim_id++;
+	pairreplace(outvps, newvp);
+
++	ess->keys.identitylen = strlen(handler->identity);
++	memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
++
+	/* make a copy of the identity */
+	newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY);
+-	if (newvp) {
+-		ess->keys.identitylen = newvp->length;
+-		memcpy(ess->keys.identity, newvp->vp_octets, newvp->length);
+-	} else {
+-		ess->keys.identitylen = strlen(handler->identity);
+-		memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
++	if (newvp && newvp->length > 2) {
++		uint16_t len;
++
++		memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
++		len = ntohs(len);
++		if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
++			ess->keys.identitylen = len;
++			memcpy(ess->keys.identity, newvp->vp_octets + 2,
++			       ess->keys.identitylen);
++		}
+	}
+
+	/* all set, calculate keys! */
diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh
new file mode 100644
index 000000000..5abc6b25f
--- /dev/null
+++ b/testing/scripts/recipes/patches/freeradius-tnc-fhh
@@ -0,0 +1,6687 @@
+diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary freeradius-server-2.2.0/share/dictionary
+--- freeradius-server-2.2.0.orig/share/dictionary	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/share/dictionary	2012-12-04 19:39:42.261423097 +0100
+@@ -196,6 +196,7 @@
+ $INCLUDE dictionary.starent
+ $INCLUDE dictionary.symbol
+ $INCLUDE dictionary.telebit
++$INCLUDE dictionary.tncfhh
+ $INCLUDE dictionary.terena
+ $INCLUDE dictionary.trapeze
+ $INCLUDE dictionary.tropos
+diff -u -r -N freeradius-server-2.2.0.orig/share/dictionary.tncfhh freeradius-server-2.2.0/share/dictionary.tncfhh
+--- freeradius-server-2.2.0.orig/share/dictionary.tncfhh	1970-01-01 01:00:00.000000000 +0100
++++ freeradius-server-2.2.0/share/dictionary.tncfhh	2012-12-04 19:39:49.645421869 +0100
+@@ -0,0 +1,20 @@
++# -*- text -*-
++# Dictionary for the tnc@fhh Server.
++#
++# Website: http://trust.inform.fh-hannover.de
++#
++# Version: 0.8.4
++# Author: Bastian Hellmann
++# Email: trust@f4-i.fh-hannover.de
++#
++
++VENDOR tncfhh	10000
++BEGIN-VENDOR tncfhh
++
++ATTRIBUTE	TNC-Status	1	integer
++
++VALUE	TNC-Status	Access	0 
++VALUE	TNC-Status	Isolate	1
++VALUE	TNC-Status	None	2
++
++END-VENDOR tncfhh
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure	2012-12-04 19:38:00.237420970 +0100
+@@ -1,61 +1,84 @@
+ #! /bin/sh
+ # From configure.in Revision.
+ # Guess values for system-dependent variables and create Makefiles.
+-# Generated by GNU Autoconf 2.61.
++# Generated by GNU Autoconf 2.67.
++#
+ #
+ # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+-# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
++# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
++# Foundation, Inc.
++#
++#
+ # This configure script is free software; the Free Software Foundation
+ # gives unlimited permission to copy, distribute and modify it.
+-## --------------------- ##
+-## M4sh Initialization.  ##
+-## --------------------- ##
++## -------------------- ##
++## M4sh Initialization. ##
++## -------------------- ##
+ 
+ # Be more Bourne compatible
+ DUALCASE=1; export DUALCASE # for MKS sh
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
++if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+   emulate sh
+   NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
++  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+   # is contrary to our usage.  Disable this feature.
+   alias -g '${1+"$@"}'='"$@"'
+   setopt NO_GLOB_SUBST
+ else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
++  case `(set -o) 2>/dev/null` in #(
++  *posix*) :
++    set -o posix ;; #(
++  *) :
++     ;;
+ esac
+-
+ fi
+ 
+ 
+-
+-
+-# PATH needs CR
+-# Avoid depending upon Character Ranges.
+-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+-as_cr_digits='0123456789'
+-as_cr_alnum=$as_cr_Letters$as_cr_digits
+-
+-# The user is always right.
+-if test "${PATH_SEPARATOR+set}" != set; then
+-  echo "#! /bin/sh" >conf$$.sh
+-  echo  "exit 0"   >>conf$$.sh
+-  chmod +x conf$$.sh
+-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+-    PATH_SEPARATOR=';'
++as_nl='
++'
++export as_nl
++# Printing a long string crashes Solaris 7 /usr/bin/printf.
++as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
++# Prefer a ksh shell builtin over an external printf program on Solaris,
++# but without wasting forks for bash or zsh.
++if test -z "$BASH_VERSION$ZSH_VERSION" \
++    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='print -r --'
++  as_echo_n='print -rn --'
++elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='printf %s\n'
++  as_echo_n='printf %s'
++else
++  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
++    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
++    as_echo_n='/usr/ucb/echo -n'
+   else
+-    PATH_SEPARATOR=:
++    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
++    as_echo_n_body='eval
++      arg=$1;
++      case $arg in #(
++      *"$as_nl"*)
++	expr "X$arg" : "X\\(.*\\)$as_nl";
++	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
++      esac;
++      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
++    '
++    export as_echo_n_body
++    as_echo_n='sh -c $as_echo_n_body as_echo'
+   fi
+-  rm -f conf$$.sh
++  export as_echo_body
++  as_echo='sh -c $as_echo_body as_echo'
+ fi
+ 
+-# Support unset when possible.
+-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+-  as_unset=unset
+-else
+-  as_unset=false
++# The user is always right.
++if test "${PATH_SEPARATOR+set}" != set; then
++  PATH_SEPARATOR=:
++  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
++    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
++      PATH_SEPARATOR=';'
++  }
+ fi
+ 
+ 
+@@ -64,20 +87,18 @@
+ # there to prevent editors from complaining about space-tab.
+ # (If _AS_PATH_WALK were called with IFS unset, it would disable word
+ # splitting by setting IFS to empty value.)
+-as_nl='
+-'
+ IFS=" ""	$as_nl"
+ 
+ # Find who we are.  Look in the path if we contain no directory separator.
+-case $0 in
++case $0 in #((
+   *[\\/]* ) as_myself=$0 ;;
+   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+-done
++    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
++  done
+ IFS=$as_save_IFS
+ 
+      ;;
+@@ -88,354 +109,321 @@
+   as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+-  { (exit 1); exit 1; }
++  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
++  exit 1
+ fi
+ 
+-# Work around bugs in pre-3.0 UWIN ksh.
+-for as_var in ENV MAIL MAILPATH
+-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++# Unset variables that we do not need and which cause bugs (e.g. in
++# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
++# suppresses any "Segmentation fault" message there.  '((' could
++# trigger a bug in pdksh 5.2.14.
++for as_var in BASH_ENV ENV MAIL MAILPATH
++do eval test x\${$as_var+set} = xset \
++  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+ done
+ PS1='$ '
+ PS2='> '
+ PS4='+ '
+ 
+ # NLS nuisances.
+-for as_var in \
+-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+-  LC_TELEPHONE LC_TIME
+-do
+-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+-    eval $as_var=C; export $as_var
+-  else
+-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+-  fi
+-done
+-
+-# Required to use basename.
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+-  as_expr=expr
+-else
+-  as_expr=false
+-fi
+-
+-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+-  as_basename=basename
+-else
+-  as_basename=false
+-fi
+-
+-
+-# Name of the executable.
+-as_me=`$as_basename -- "$0" ||
+-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+-	 X"$0" : 'X\(//\)$' \| \
+-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X/"$0" |
+-    sed '/^.*\/\([^/][^/]*\)\/*$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\/\(\/\/\)$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\/\(\/\).*/{
+-	    s//\1/
+-	    q
+-	  }
+-	  s/.*/./; q'`
++LC_ALL=C
++export LC_ALL
++LANGUAGE=C
++export LANGUAGE
+ 
+ # CDPATH.
+-$as_unset CDPATH
+-
++(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+ 
+ if test "x$CONFIG_SHELL" = x; then
+-  if (eval ":") 2>/dev/null; then
+-  as_have_required=yes
++  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
++  emulate sh
++  NULLCMD=:
++  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
++  # is contrary to our usage.  Disable this feature.
++  alias -g '\${1+\"\$@\"}'='\"\$@\"'
++  setopt NO_GLOB_SUBST
+ else
+-  as_have_required=no
++  case \`(set -o) 2>/dev/null\` in #(
++  *posix*) :
++    set -o posix ;; #(
++  *) :
++     ;;
++esac
+ fi
+-
+-  if test $as_have_required = yes && 	 (eval ":
+-(as_func_return () {
+-  (exit \$1)
+-}
+-as_func_success () {
+-  as_func_return 0
+-}
+-as_func_failure () {
+-  as_func_return 1
+-}
+-as_func_ret_success () {
+-  return 0
+-}
+-as_func_ret_failure () {
+-  return 1
+-}
++"
++  as_required="as_fn_return () { (exit \$1); }
++as_fn_success () { as_fn_return 0; }
++as_fn_failure () { as_fn_return 1; }
++as_fn_ret_success () { return 0; }
++as_fn_ret_failure () { return 1; }
+ 
+ exitcode=0
+-if as_func_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_success failed.
+-fi
+-
+-if as_func_failure; then
+-  exitcode=1
+-  echo as_func_failure succeeded.
+-fi
+-
+-if as_func_ret_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_ret_success failed.
+-fi
+-
+-if as_func_ret_failure; then
+-  exitcode=1
+-  echo as_func_ret_failure succeeded.
+-fi
+-
+-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+-  :
++as_fn_success || { exitcode=1; echo as_fn_success failed.; }
++as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
++as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
++as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
++if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
++
++else
++  exitcode=1; echo positional parameters were not saved.
++fi
++test x\$exitcode = x0 || exit 1"
++  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
++  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
++  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
++  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1
++test \$(( 1 + 1 )) = 2 || exit 1"
++  if (eval "$as_required") 2>/dev/null; then :
++  as_have_required=yes
+ else
+-  exitcode=1
+-  echo positional parameters were not saved.
++  as_have_required=no
+ fi
++  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
+ 
+-test \$exitcode = 0) || { (exit 1); exit 1; }
+-
+-(
+-  as_lineno_1=\$LINENO
+-  as_lineno_2=\$LINENO
+-  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+-  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+-") 2> /dev/null; then
+-  :
+ else
+-  as_candidate_shells=
+-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++as_found=false
+ for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  case $as_dir in
++  as_found=:
++  case $as_dir in #(
+ 	 /*)
+ 	   for as_base in sh bash ksh sh5; do
+-	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
++	     # Try only shells that exist, to save several forks.
++	     as_shell=$as_dir/$as_base
++	     if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
++		    { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
++  CONFIG_SHELL=$as_shell as_have_required=yes
++		   if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
++  break 2
++fi
++fi
+ 	   done;;
+        esac
++  as_found=false
+ done
++$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
++	      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
++  CONFIG_SHELL=$SHELL as_have_required=yes
++fi; }
+ IFS=$as_save_IFS
+ 
+ 
+-      for as_shell in $as_candidate_shells $SHELL; do
+-	 # Try only shells that exist, to save several forks.
+-	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+-		{ ("$as_shell") 2> /dev/null <<\_ASEOF
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+-  emulate sh
+-  NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+-  # is contrary to our usage.  Disable this feature.
+-  alias -g '${1+"$@"}'='"$@"'
+-  setopt NO_GLOB_SUBST
+-else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
+-esac
+-
++      if test "x$CONFIG_SHELL" != x; then :
++  # We cannot yet assume a decent shell, so we have to provide a
++	# neutralization value for shells without unset; and this also
++	# works around shells that cannot unset nonexistent variables.
++	BASH_ENV=/dev/null
++	ENV=/dev/null
++	(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
++	export CONFIG_SHELL
++	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
++fi
++
++    if test x$as_have_required = xno; then :
++  $as_echo "$0: This script requires a shell more modern than all"
++  $as_echo "$0: the shells that I found on your system."
++  if test x${ZSH_VERSION+set} = xset ; then
++    $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
++    $as_echo "$0: be upgraded to zsh 4.3.4 or later."
++  else
++    $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
++$0: including any error possibly output before this
++$0: message. Then install a modern shell, or manually run
++$0: the script under such a shell if you do have one."
++  fi
++  exit 1
+ fi
+-
+-
+-:
+-_ASEOF
+-}; then
+-  CONFIG_SHELL=$as_shell
+-	       as_have_required=yes
+-	       if { "$as_shell" 2> /dev/null <<\_ASEOF
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+-  emulate sh
+-  NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+-  # is contrary to our usage.  Disable this feature.
+-  alias -g '${1+"$@"}'='"$@"'
+-  setopt NO_GLOB_SUBST
+-else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
+-esac
+-
+ fi
++fi
++SHELL=${CONFIG_SHELL-/bin/sh}
++export SHELL
++# Unset more variables known to interfere with behavior of common tools.
++CLICOLOR_FORCE= GREP_OPTIONS=
++unset CLICOLOR_FORCE GREP_OPTIONS
+ 
+-
+-:
+-(as_func_return () {
+-  (exit $1)
+-}
+-as_func_success () {
+-  as_func_return 0
+-}
+-as_func_failure () {
+-  as_func_return 1
+-}
+-as_func_ret_success () {
+-  return 0
+-}
+-as_func_ret_failure () {
+-  return 1
++## --------------------- ##
++## M4sh Shell Functions. ##
++## --------------------- ##
++# as_fn_unset VAR
++# ---------------
++# Portably unset VAR.
++as_fn_unset ()
++{
++  { eval $1=; unset $1;}
+ }
++as_unset=as_fn_unset
+ 
+-exitcode=0
+-if as_func_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_success failed.
+-fi
++# as_fn_set_status STATUS
++# -----------------------
++# Set $? to STATUS, without forking.
++as_fn_set_status ()
++{
++  return $1
++} # as_fn_set_status
+ 
+-if as_func_failure; then
+-  exitcode=1
+-  echo as_func_failure succeeded.
+-fi
++# as_fn_exit STATUS
++# -----------------
++# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
++as_fn_exit ()
++{
++  set +e
++  as_fn_set_status $1
++  exit $1
++} # as_fn_exit
++
++# as_fn_mkdir_p
++# -------------
++# Create "$as_dir" as a directory, including parents if necessary.
++as_fn_mkdir_p ()
++{
+ 
+-if as_func_ret_success; then
+-  :
+-else
+-  exitcode=1
+-  echo as_func_ret_success failed.
+-fi
++  case $as_dir in #(
++  -*) as_dir=./$as_dir;;
++  esac
++  test -d "$as_dir" || eval $as_mkdir_p || {
++    as_dirs=
++    while :; do
++      case $as_dir in #(
++      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
++      *) as_qdir=$as_dir;;
++      esac
++      as_dirs="'$as_qdir' $as_dirs"
++      as_dir=`$as_dirname -- "$as_dir" ||
++$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++	 X"$as_dir" : 'X\(//\)[^/]' \| \
++	 X"$as_dir" : 'X\(//\)$' \| \
++	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_dir" |
++    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)[^/].*/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\).*/{
++	    s//\1/
++	    q
++	  }
++	  s/.*/./; q'`
++      test -d "$as_dir" && break
++    done
++    test -z "$as_dirs" || eval "mkdir $as_dirs"
++  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
+ 
+-if as_func_ret_failure; then
+-  exitcode=1
+-  echo as_func_ret_failure succeeded.
+-fi
+ 
+-if ( set x; as_func_ret_success y && test x = "$1" ); then
+-  :
++} # as_fn_mkdir_p
++# as_fn_append VAR VALUE
++# ----------------------
++# Append the text in VALUE to the end of the definition contained in VAR. Take
++# advantage of any shell optimizations that allow amortized linear growth over
++# repeated appends, instead of the typical quadratic growth present in naive
++# implementations.
++if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
++  eval 'as_fn_append ()
++  {
++    eval $1+=\$2
++  }'
+ else
+-  exitcode=1
+-  echo positional parameters were not saved.
+-fi
+-
+-test $exitcode = 0) || { (exit 1); exit 1; }
+-
+-(
+-  as_lineno_1=$LINENO
+-  as_lineno_2=$LINENO
+-  test "x$as_lineno_1" != "x$as_lineno_2" &&
+-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+-
+-_ASEOF
+-}; then
+-  break
+-fi
+-
+-fi
+-
+-      done
+-
+-      if test "x$CONFIG_SHELL" != x; then
+-  for as_var in BASH_ENV ENV
+-        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+-        done
+-        export CONFIG_SHELL
+-        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+-fi
+-
+-
+-    if test $as_have_required = no; then
+-  echo This script requires a shell more modern than all the
+-      echo shells that I found on your system.  Please install a
+-      echo modern shell, or manually run the script under such a
+-      echo shell if you do have one.
+-      { (exit 1); exit 1; }
+-fi
+-
+-
+-fi
+-
+-fi
+-
++  as_fn_append ()
++  {
++    eval $1=\$$1\$2
++  }
++fi # as_fn_append
++
++# as_fn_arith ARG...
++# ------------------
++# Perform arithmetic evaluation on the ARGs, and store the result in the
++# global $as_val. Take advantage of shells that can avoid forks. The arguments
++# must be portable across $(()) and expr.
++if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
++  eval 'as_fn_arith ()
++  {
++    as_val=$(( $* ))
++  }'
++else
++  as_fn_arith ()
++  {
++    as_val=`expr "$@" || test $? -eq 1`
++  }
++fi # as_fn_arith
+ 
+ 
+-(eval "as_func_return () {
+-  (exit \$1)
+-}
+-as_func_success () {
+-  as_func_return 0
+-}
+-as_func_failure () {
+-  as_func_return 1
+-}
+-as_func_ret_success () {
+-  return 0
+-}
+-as_func_ret_failure () {
+-  return 1
+-}
++# as_fn_error STATUS ERROR [LINENO LOG_FD]
++# ----------------------------------------
++# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
++# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
++# script with STATUS, using 1 if that was 0.
++as_fn_error ()
++{
++  as_status=$1; test $as_status -eq 0 && as_status=1
++  if test "$4"; then
++    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
++  fi
++  $as_echo "$as_me: error: $2" >&2
++  as_fn_exit $as_status
++} # as_fn_error
+ 
+-exitcode=0
+-if as_func_success; then
+-  :
++if expr a : '\(a\)' >/dev/null 2>&1 &&
++   test "X`expr 00001 : '.*\(...\)'`" = X001; then
++  as_expr=expr
+ else
+-  exitcode=1
+-  echo as_func_success failed.
+-fi
+-
+-if as_func_failure; then
+-  exitcode=1
+-  echo as_func_failure succeeded.
++  as_expr=false
+ fi
+ 
+-if as_func_ret_success; then
+-  :
++if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
++  as_basename=basename
+ else
+-  exitcode=1
+-  echo as_func_ret_success failed.
+-fi
+-
+-if as_func_ret_failure; then
+-  exitcode=1
+-  echo as_func_ret_failure succeeded.
++  as_basename=false
+ fi
+ 
+-if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+-  :
++if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
++  as_dirname=dirname
+ else
+-  exitcode=1
+-  echo positional parameters were not saved.
++  as_dirname=false
+ fi
+ 
+-test \$exitcode = 0") || {
+-  echo No shell found that supports shell functions.
+-  echo Please tell autoconf@gnu.org about your system,
+-  echo including any error possibly output before this
+-  echo message
+-}
++as_me=`$as_basename -- "$0" ||
++$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
++	 X"$0" : 'X\(//\)$' \| \
++	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X/"$0" |
++    sed '/^.*\/\([^/][^/]*\)\/*$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\/\(\/\/\)$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\/\(\/\).*/{
++	    s//\1/
++	    q
++	  }
++	  s/.*/./; q'`
+ 
++# Avoid depending upon Character Ranges.
++as_cr_letters='abcdefghijklmnopqrstuvwxyz'
++as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
++as_cr_Letters=$as_cr_letters$as_cr_LETTERS
++as_cr_digits='0123456789'
++as_cr_alnum=$as_cr_Letters$as_cr_digits
+ 
+ 
+-  as_lineno_1=$LINENO
+-  as_lineno_2=$LINENO
+-  test "x$as_lineno_1" != "x$as_lineno_2" &&
+-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+-
+-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+-  # uniformly replaced by the line number.  The first 'sed' inserts a
+-  # line-number line after each line using $LINENO; the second 'sed'
+-  # does the real work.  The second script uses 'N' to pair each
+-  # line-number line with the line containing $LINENO, and appends
+-  # trailing '-' during substitution so that $LINENO is not a special
+-  # case at line end.
+-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+-  # E. McMahon (1931-1989) for sed's syntax.  :-)
++  as_lineno_1=$LINENO as_lineno_1a=$LINENO
++  as_lineno_2=$LINENO as_lineno_2a=$LINENO
++  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
++  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
++  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
+   sed -n '
+     p
+     /[$]LINENO/=
+@@ -452,8 +440,7 @@
+       s/-\n.*//
+     ' >$as_me.lineno &&
+   chmod +x "$as_me.lineno" ||
+-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+-   { (exit 1); exit 1; }; }
++    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
+ 
+   # Don't try to exec as it changes $[0], causing all sort of problems
+   # (the dirname of $[0] is not the place where we might find the
+@@ -463,49 +450,40 @@
+   exit
+ }
+ 
+-
+-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+-  as_dirname=dirname
+-else
+-  as_dirname=false
+-fi
+-
+ ECHO_C= ECHO_N= ECHO_T=
+-case `echo -n x` in
++case `echo -n x` in #(((((
+ -n*)
+-  case `echo 'x\c'` in
++  case `echo 'xy\c'` in
+   *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+-  *)   ECHO_C='\c';;
++  xy)  ECHO_C='\c';;
++  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
++       ECHO_T='	';;
+   esac;;
+ *)
+   ECHO_N='-n';;
+ esac
+ 
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+-  as_expr=expr
+-else
+-  as_expr=false
+-fi
+-
+ rm -f conf$$ conf$$.exe conf$$.file
+ if test -d conf$$.dir; then
+   rm -f conf$$.dir/conf$$.file
+ else
+   rm -f conf$$.dir
+-  mkdir conf$$.dir
++  mkdir conf$$.dir 2>/dev/null
+ fi
+-echo >conf$$.file
+-if ln -s conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s='ln -s'
+-  # ... but there are two gotchas:
+-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+-  # In both cases, we have to default to `cp -p'.
+-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++if (echo >conf$$.file) 2>/dev/null; then
++  if ln -s conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s='ln -s'
++    # ... but there are two gotchas:
++    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
++    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
++    # In both cases, we have to default to `cp -p'.
++    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++      as_ln_s='cp -p'
++  elif ln conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s=ln
++  else
+     as_ln_s='cp -p'
+-elif ln conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s=ln
++  fi
+ else
+   as_ln_s='cp -p'
+ fi
+@@ -513,7 +491,7 @@
+ rmdir conf$$.dir 2>/dev/null
+ 
+ if mkdir -p . 2>/dev/null; then
+-  as_mkdir_p=:
++  as_mkdir_p='mkdir -p "$as_dir"'
+ else
+   test -d ./-p && rmdir ./-p
+   as_mkdir_p=false
+@@ -530,12 +508,12 @@
+   as_test_x='
+     eval sh -c '\''
+       if test -d "$1"; then
+-        test -d "$1/.";
++	test -d "$1/.";
+       else
+-	case $1 in
+-        -*)set "./$1";;
++	case $1 in #(
++	-*)set "./$1";;
+ 	esac;
+-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
++	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+ 	???[sx]*):;;*)false;;esac;fi
+     '\'' sh
+   '
+@@ -549,11 +527,11 @@
+ as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+ 
+ 
+-
+-exec 7<&0 </dev/null 6>&1
++test -n "$DJDIR" || exec 7<&0 </dev/null
++exec 6>&1
+ 
+ # Name of the host.
+-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
++# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
+ # so uname gets run too.
+ ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+ 
+@@ -568,7 +546,6 @@
+ subdirs=
+ MFLAGS=
+ MAKEFLAGS=
+-SHELL=${CONFIG_SHELL-/bin/sh}
+ 
+ # Identity of this package.
+ PACKAGE_NAME=
+@@ -576,58 +553,102 @@
+ PACKAGE_VERSION=
+ PACKAGE_STRING=
+ PACKAGE_BUGREPORT=
++PACKAGE_URL=
+ 
+ ac_unique_file="rlm_eap_tnc.c"
+-ac_subst_vars='SHELL
+-PATH_SEPARATOR
+-PACKAGE_NAME
+-PACKAGE_TARNAME
+-PACKAGE_VERSION
+-PACKAGE_STRING
+-PACKAGE_BUGREPORT
+-exec_prefix
+-prefix
+-program_transform_name
+-bindir
+-sbindir
+-libexecdir
+-datarootdir
+-datadir
+-sysconfdir
+-sharedstatedir
+-localstatedir
+-includedir
+-oldincludedir
+-docdir
+-infodir
+-htmldir
+-dvidir
+-pdfdir
+-psdir
+-libdir
+-localedir
+-mandir
+-DEFS
+-ECHO_C
+-ECHO_N
+-ECHO_T
+-LIBS
+-build_alias
+-host_alias
+-target_alias
+-CC
+-CFLAGS
+-LDFLAGS
+-CPPFLAGS
+-ac_ct_CC
+-EXEEXT
+-OBJEXT
+-eap_tnc_cflags
+-eap_tnc_ldflags
+-targetname
++# Factoring default headers for most tests.
++ac_includes_default="\
++#include <stdio.h>
++#ifdef HAVE_SYS_TYPES_H
++# include <sys/types.h>
++#endif
++#ifdef HAVE_SYS_STAT_H
++# include <sys/stat.h>
++#endif
++#ifdef STDC_HEADERS
++# include <stdlib.h>
++# include <stddef.h>
++#else
++# ifdef HAVE_STDLIB_H
++#  include <stdlib.h>
++# endif
++#endif
++#ifdef HAVE_STRING_H
++# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
++#  include <memory.h>
++# endif
++# include <string.h>
++#endif
++#ifdef HAVE_STRINGS_H
++# include <strings.h>
++#endif
++#ifdef HAVE_INTTYPES_H
++# include <inttypes.h>
++#endif
++#ifdef HAVE_STDINT_H
++# include <stdint.h>
++#endif
++#ifdef HAVE_UNISTD_H
++# include <unistd.h>
++#endif"
++
++ac_subst_vars='LTLIBOBJS
+ LIBOBJS
+-LTLIBOBJS'
++targetname
++eap_tnc_ldflags
++eap_tnc_cflags
++EGREP
++GREP
++CPP
++OBJEXT
++EXEEXT
++ac_ct_CC
++CPPFLAGS
++LDFLAGS
++CFLAGS
++CC
++target_alias
++host_alias
++build_alias
++LIBS
++ECHO_T
++ECHO_N
++ECHO_C
++DEFS
++mandir
++localedir
++libdir
++psdir
++pdfdir
++dvidir
++htmldir
++infodir
++docdir
++oldincludedir
++includedir
++localstatedir
++sharedstatedir
++sysconfdir
++datadir
++datarootdir
++libexecdir
++sbindir
++bindir
++program_transform_name
++prefix
++exec_prefix
++PACKAGE_URL
++PACKAGE_BUGREPORT
++PACKAGE_STRING
++PACKAGE_VERSION
++PACKAGE_TARNAME
++PACKAGE_NAME
++PATH_SEPARATOR
++SHELL'
+ ac_subst_files=''
++ac_user_opts='
++enable_option_checking
++'
+       ac_precious_vars='build_alias
+ host_alias
+ target_alias
+@@ -635,12 +656,15 @@
+ CFLAGS
+ LDFLAGS
+ LIBS
+-CPPFLAGS'
++CPPFLAGS
++CPP'
+ 
+ 
+ # Initialize some variables set by options.
+ ac_init_help=
+ ac_init_version=false
++ac_unrecognized_opts=
++ac_unrecognized_sep=
+ # The variables have the same names as the options, with
+ # dashes changed to underlines.
+ cache_file=/dev/null
+@@ -696,8 +720,9 @@
+   fi
+ 
+   case $ac_option in
+-  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+-  *)	ac_optarg=yes ;;
++  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
++  *=)   ac_optarg= ;;
++  *)    ac_optarg=yes ;;
+   esac
+ 
+   # Accept the important Cygnus configure options, so we can diagnose typos.
+@@ -739,13 +764,20 @@
+     datarootdir=$ac_optarg ;;
+ 
+   -disable-* | --disable-*)
+-    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+-    eval enable_$ac_feature=no ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid feature name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"enable_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval enable_$ac_useropt=no ;;
+ 
+   -docdir | --docdir | --docdi | --doc | --do)
+     ac_prev=docdir ;;
+@@ -758,13 +790,20 @@
+     dvidir=$ac_optarg ;;
+ 
+   -enable-* | --enable-*)
+-    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+-    eval enable_$ac_feature=\$ac_optarg ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid feature name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"enable_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval enable_$ac_useropt=\$ac_optarg ;;
+ 
+   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+@@ -955,22 +994,36 @@
+     ac_init_version=: ;;
+ 
+   -with-* | --with-*)
+-    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid package name: $ac_package" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+-    eval with_$ac_package=\$ac_optarg ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid package name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"with_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval with_$ac_useropt=\$ac_optarg ;;
+ 
+   -without-* | --without-*)
+-    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
++    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid package name: $ac_package" >&2
+-   { (exit 1); exit 1; }; }
+-    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+-    eval with_$ac_package=no ;;
++    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
++      as_fn_error $? "invalid package name: $ac_useropt"
++    ac_useropt_orig=$ac_useropt
++    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
++    case $ac_user_opts in
++      *"
++"with_$ac_useropt"
++"*) ;;
++      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
++	 ac_unrecognized_sep=', ';;
++    esac
++    eval with_$ac_useropt=no ;;
+ 
+   --x)
+     # Obsolete; use --with-x.
+@@ -990,25 +1043,25 @@
+   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+     x_libraries=$ac_optarg ;;
+ 
+-  -*) { echo "$as_me: error: unrecognized option: $ac_option
+-Try \`$0 --help' for more information." >&2
+-   { (exit 1); exit 1; }; }
++  -*) as_fn_error $? "unrecognized option: \`$ac_option'
++Try \`$0 --help' for more information"
+     ;;
+ 
+   *=*)
+     ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+     # Reject names that are not valid shell variable names.
+-    expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
+-      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+-   { (exit 1); exit 1; }; }
++    case $ac_envvar in #(
++      '' | [0-9]* | *[!_$as_cr_alnum]* )
++      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
++    esac
+     eval $ac_envvar=\$ac_optarg
+     export $ac_envvar ;;
+ 
+   *)
+     # FIXME: should be removed in autoconf 3.0.
+-    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
++    $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+     expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+-      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
++      $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+     : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+     ;;
+ 
+@@ -1017,23 +1070,36 @@
+ 
+ if test -n "$ac_prev"; then
+   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+-  { echo "$as_me: error: missing argument to $ac_option" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "missing argument to $ac_option"
++fi
++
++if test -n "$ac_unrecognized_opts"; then
++  case $enable_option_checking in
++    no) ;;
++    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
++    *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
++  esac
+ fi
+ 
+-# Be sure to have absolute directory names.
++# Check all directory arguments for consistency.
+ for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ 		datadir sysconfdir sharedstatedir localstatedir includedir \
+ 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+ 		libdir localedir mandir
+ do
+   eval ac_val=\$$ac_var
++  # Remove trailing slashes.
++  case $ac_val in
++    */ )
++      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
++      eval $ac_var=\$ac_val;;
++  esac
++  # Be sure to have absolute directory names.
+   case $ac_val in
+     [\\/$]* | ?:[\\/]* )  continue;;
+     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+   esac
+-  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
+ done
+ 
+ # There might be people who depend on the old broken behavior: `$host'
+@@ -1047,8 +1113,8 @@
+ if test "x$host_alias" != x; then
+   if test "x$build_alias" = x; then
+     cross_compiling=maybe
+-    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+-    If a cross compiler is detected then cross compile mode will be used." >&2
++    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
++    If a cross compiler is detected then cross compile mode will be used" >&2
+   elif test "x$build_alias" != "x$host_alias"; then
+     cross_compiling=yes
+   fi
+@@ -1063,23 +1129,21 @@
+ ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ ac_ls_di=`ls -di .` &&
+ ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+-  { echo "$as_me: error: Working directory cannot be determined" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "working directory cannot be determined"
+ test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+-  { echo "$as_me: error: pwd does not report name of working directory" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "pwd does not report name of working directory"
+ 
+ 
+ # Find the source files, if location was not specified.
+ if test -z "$srcdir"; then
+   ac_srcdir_defaulted=yes
+   # Try the directory containing this script, then the parent directory.
+-  ac_confdir=`$as_dirname -- "$0" ||
+-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+-	 X"$0" : 'X\(//\)[^/]' \| \
+-	 X"$0" : 'X\(//\)$' \| \
+-	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$0" |
++  ac_confdir=`$as_dirname -- "$as_myself" ||
++$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++	 X"$as_myself" : 'X\(//\)[^/]' \| \
++	 X"$as_myself" : 'X\(//\)$' \| \
++	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_myself" |
+     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ 	    s//\1/
+ 	    q
+@@ -1106,13 +1170,11 @@
+ fi
+ if test ! -r "$srcdir/$ac_unique_file"; then
+   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+-  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+-   { (exit 1); exit 1; }; }
++  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
+ fi
+ ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ ac_abs_confdir=`(
+-	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
+-   { (exit 1); exit 1; }; }
++	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
+ 	pwd)`
+ # When building in place, set srcdir=.
+ if test "$ac_abs_confdir" = "$ac_pwd"; then
+@@ -1152,7 +1214,7 @@
+       --help=short        display options specific to this package
+       --help=recursive    display the short help of all the included packages
+   -V, --version           display version information and exit
+-  -q, --quiet, --silent   do not print \`checking...' messages
++  -q, --quiet, --silent   do not print \`checking ...' messages
+       --cache-file=FILE   cache test results in FILE [disabled]
+   -C, --config-cache      alias for \`--cache-file=config.cache'
+   -n, --no-create         do not create output files
+@@ -1160,9 +1222,9 @@
+ 
+ Installation directories:
+   --prefix=PREFIX         install architecture-independent files in PREFIX
+-			  [$ac_default_prefix]
++                          [$ac_default_prefix]
+   --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+-			  [PREFIX]
++                          [PREFIX]
+ 
+ By default, \`make install' will install all the files in
+ \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
+@@ -1172,25 +1234,25 @@
+ For better control, use the options below.
+ 
+ Fine tuning of the installation directories:
+-  --bindir=DIR           user executables [EPREFIX/bin]
+-  --sbindir=DIR          system admin executables [EPREFIX/sbin]
+-  --libexecdir=DIR       program executables [EPREFIX/libexec]
+-  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
+-  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
+-  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
+-  --libdir=DIR           object code libraries [EPREFIX/lib]
+-  --includedir=DIR       C header files [PREFIX/include]
+-  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
+-  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
+-  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
+-  --infodir=DIR          info documentation [DATAROOTDIR/info]
+-  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
+-  --mandir=DIR           man documentation [DATAROOTDIR/man]
+-  --docdir=DIR           documentation root [DATAROOTDIR/doc/PACKAGE]
+-  --htmldir=DIR          html documentation [DOCDIR]
+-  --dvidir=DIR           dvi documentation [DOCDIR]
+-  --pdfdir=DIR           pdf documentation [DOCDIR]
+-  --psdir=DIR            ps documentation [DOCDIR]
++  --bindir=DIR            user executables [EPREFIX/bin]
++  --sbindir=DIR           system admin executables [EPREFIX/sbin]
++  --libexecdir=DIR        program executables [EPREFIX/libexec]
++  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
++  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
++  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
++  --libdir=DIR            object code libraries [EPREFIX/lib]
++  --includedir=DIR        C header files [PREFIX/include]
++  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
++  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
++  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
++  --infodir=DIR           info documentation [DATAROOTDIR/info]
++  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
++  --mandir=DIR            man documentation [DATAROOTDIR/man]
++  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
++  --htmldir=DIR           html documentation [DOCDIR]
++  --dvidir=DIR            dvi documentation [DOCDIR]
++  --pdfdir=DIR            pdf documentation [DOCDIR]
++  --psdir=DIR             ps documentation [DOCDIR]
+ _ACEOF
+ 
+   cat <<\_ACEOF
+@@ -1207,12 +1269,14 @@
+   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
+               nonstandard directory <lib dir>
+   LIBS        libraries to pass to the linker, e.g. -l<library>
+-  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
++  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
+               you have headers in a nonstandard directory <include dir>
++  CPP         C preprocessor
+ 
+ Use these variables to override the choices made by `configure' or to help
+ it to find libraries and programs with nonstandard names/locations.
+ 
++Report bugs to the package provider.
+ _ACEOF
+ ac_status=$?
+ fi
+@@ -1220,15 +1284,17 @@
+ if test "$ac_init_help" = "recursive"; then
+   # If there are subdirs, report their specific --help.
+   for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+-    test -d "$ac_dir" || continue
++    test -d "$ac_dir" ||
++      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
++      continue
+     ac_builddir=.
+ 
+ case "$ac_dir" in
+ .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *)
+-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
++  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+   # A ".." for each directory in $ac_dir_suffix.
+-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
++  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+   case $ac_top_builddir_sub in
+   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+@@ -1264,7 +1330,7 @@
+       echo &&
+       $SHELL "$ac_srcdir/configure" --help=recursive
+     else
+-      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
++      $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+     fi || ac_status=$?
+     cd "$ac_pwd" || { ac_status=$?; break; }
+   done
+@@ -1274,21 +1340,305 @@
+ if $ac_init_version; then
+   cat <<\_ACEOF
+ configure
+-generated by GNU Autoconf 2.61
++generated by GNU Autoconf 2.67
+ 
+-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+-2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
++Copyright (C) 2010 Free Software Foundation, Inc.
+ This configure script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it.
+ _ACEOF
+   exit
+ fi
++
++## ------------------------ ##
++## Autoconf initialization. ##
++## ------------------------ ##
++
++# ac_fn_c_try_compile LINENO
++# --------------------------
++# Try to compile conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_compile ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  rm -f conftest.$ac_objext
++  if { { ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_compile") 2>conftest.err
++  ac_status=$?
++  if test -s conftest.err; then
++    grep -v '^ *+' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++    mv -f conftest.er1 conftest.err
++  fi
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_retval=1
++fi
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_compile
++
++# ac_fn_c_try_link LINENO
++# -----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_link ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  rm -f conftest.$ac_objext conftest$ac_exeext
++  if { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>conftest.err
++  ac_status=$?
++  if test -s conftest.err; then
++    grep -v '^ *+' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++    mv -f conftest.er1 conftest.err
++  fi
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest$ac_exeext && {
++	 test "$cross_compiling" = yes ||
++	 $as_test_x conftest$ac_exeext
++       }; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_retval=1
++fi
++  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
++  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
++  # interfere with the next link command; also delete a directory that is
++  # left behind by Apple's compiler.  We do this before executing the actions.
++  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_link
++
++# ac_fn_c_try_cpp LINENO
++# ----------------------
++# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_cpp ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  if { { ac_try="$ac_cpp conftest.$ac_ext"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
++  ac_status=$?
++  if test -s conftest.err; then
++    grep -v '^ *+' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++    mv -f conftest.er1 conftest.err
++  fi
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } > conftest.i && {
++	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       }; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++    ac_retval=1
++fi
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_cpp
++
++# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES
++# -------------------------------------------------------
++# Tests whether HEADER exists, giving a warning if it cannot be compiled using
++# the include files in INCLUDES and setting the cache variable VAR
++# accordingly.
++ac_fn_c_check_header_mongrel ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  if eval "test \"\${$3+set}\"" = set; then :
++  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++  $as_echo_n "(cached) " >&6
++fi
++eval ac_res=\$$3
++	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++else
++  # Is the header compilable?
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5
++$as_echo_n "checking $2 usability... " >&6; }
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$4
++#include <$2>
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  ac_header_compiler=yes
++else
++  ac_header_compiler=no
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5
++$as_echo "$ac_header_compiler" >&6; }
++
++# Is the header present?
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5
++$as_echo_n "checking $2 presence... " >&6; }
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <$2>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++  ac_header_preproc=yes
++else
++  ac_header_preproc=no
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
++$as_echo "$ac_header_preproc" >&6; }
++
++# So?  What about this header?
++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #((
++  yes:no: )
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5
++$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
++    ;;
++  no:yes:* )
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5
++$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     check for missing prerequisite headers?" >&5
++$as_echo "$as_me: WARNING: $2:     check for missing prerequisite headers?" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5
++$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&5
++$as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
++    ;;
++esac
++  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  eval "$3=\$ac_header_compiler"
++fi
++eval ac_res=\$$3
++	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++fi
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++
++} # ac_fn_c_check_header_mongrel
++
++# ac_fn_c_try_run LINENO
++# ----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
++# that executables *can* be run.
++ac_fn_c_try_run ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  if { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } && { ac_try='./conftest$ac_exeext'
++  { { case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_try") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; }; then :
++  ac_retval=0
++else
++  $as_echo "$as_me: program exited with status $ac_status" >&5
++       $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++       ac_retval=$ac_status
++fi
++  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++  as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_run
++
++# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
++# -------------------------------------------------------
++# Tests whether HEADER exists and can be compiled using the include files in
++# INCLUDES, setting the cache variable VAR accordingly.
++ac_fn_c_check_header_compile ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
++$as_echo_n "checking for $2... " >&6; }
++if eval "test \"\${$3+set}\"" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$4
++#include <$2>
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  eval "$3=yes"
++else
++  eval "$3=no"
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++eval ac_res=\$$3
++	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
++
++} # ac_fn_c_check_header_compile
+ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+ 
+ It was created by $as_me, which was
+-generated by GNU Autoconf 2.61.  Invocation command line was
++generated by GNU Autoconf 2.67.  Invocation command line was
+ 
+   $ $0 $@
+ 
+@@ -1324,8 +1674,8 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  echo "PATH: $as_dir"
+-done
++    $as_echo "PATH: $as_dir"
++  done
+ IFS=$as_save_IFS
+ 
+ } >&5
+@@ -1359,12 +1709,12 @@
+     | -silent | --silent | --silen | --sile | --sil)
+       continue ;;
+     *\'*)
+-      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
++      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+     esac
+     case $ac_pass in
+-    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
++    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
+     2)
+-      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
++      as_fn_append ac_configure_args1 " '$ac_arg'"
+       if test $ac_must_keep_next = true; then
+ 	ac_must_keep_next=false # Got value, back to normal.
+       else
+@@ -1380,13 +1730,13 @@
+ 	  -* ) ac_must_keep_next=true ;;
+ 	esac
+       fi
+-      ac_configure_args="$ac_configure_args '$ac_arg'"
++      as_fn_append ac_configure_args " '$ac_arg'"
+       ;;
+     esac
+   done
+ done
+-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
+-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
++{ ac_configure_args0=; unset ac_configure_args0;}
++{ ac_configure_args1=; unset ac_configure_args1;}
+ 
+ # When interrupted or exit'd, cleanup temporary files, and complete
+ # config.log.  We remove comments because anyway the quotes in there
+@@ -1398,11 +1748,9 @@
+   {
+     echo
+ 
+-    cat <<\_ASBOX
+-## ---------------- ##
++    $as_echo "## ---------------- ##
+ ## Cache variables. ##
+-## ---------------- ##
+-_ASBOX
++## ---------------- ##"
+     echo
+     # The following way of writing the cache mishandles newlines in values,
+ (
+@@ -1411,12 +1759,13 @@
+     case $ac_val in #(
+     *${as_nl}*)
+       case $ac_var in #(
+-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
++      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
++$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+       esac
+       case $ac_var in #(
+       _ | IFS | as_nl) ;; #(
+-      *) $as_unset $ac_var ;;
++      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
++      *) { eval $ac_var=; unset $ac_var;} ;;
+       esac ;;
+     esac
+   done
+@@ -1435,128 +1784,136 @@
+ )
+     echo
+ 
+-    cat <<\_ASBOX
+-## ----------------- ##
++    $as_echo "## ----------------- ##
+ ## Output variables. ##
+-## ----------------- ##
+-_ASBOX
++## ----------------- ##"
+     echo
+     for ac_var in $ac_subst_vars
+     do
+       eval ac_val=\$$ac_var
+       case $ac_val in
+-      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
++      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+       esac
+-      echo "$ac_var='\''$ac_val'\''"
++      $as_echo "$ac_var='\''$ac_val'\''"
+     done | sort
+     echo
+ 
+     if test -n "$ac_subst_files"; then
+-      cat <<\_ASBOX
+-## ------------------- ##
++      $as_echo "## ------------------- ##
+ ## File substitutions. ##
+-## ------------------- ##
+-_ASBOX
++## ------------------- ##"
+       echo
+       for ac_var in $ac_subst_files
+       do
+ 	eval ac_val=\$$ac_var
+ 	case $ac_val in
+-	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
++	*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ 	esac
+-	echo "$ac_var='\''$ac_val'\''"
++	$as_echo "$ac_var='\''$ac_val'\''"
+       done | sort
+       echo
+     fi
+ 
+     if test -s confdefs.h; then
+-      cat <<\_ASBOX
+-## ----------- ##
++      $as_echo "## ----------- ##
+ ## confdefs.h. ##
+-## ----------- ##
+-_ASBOX
++## ----------- ##"
+       echo
+       cat confdefs.h
+       echo
+     fi
+     test "$ac_signal" != 0 &&
+-      echo "$as_me: caught signal $ac_signal"
+-    echo "$as_me: exit $exit_status"
++      $as_echo "$as_me: caught signal $ac_signal"
++    $as_echo "$as_me: exit $exit_status"
+   } >&5
+   rm -f core *.core core.conftest.* &&
+     rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+     exit $exit_status
+ ' 0
+ for ac_signal in 1 2 13 15; do
+-  trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
++  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
+ done
+ ac_signal=0
+ 
+ # confdefs.h avoids OS command line length limits that DEFS can exceed.
+ rm -f -r conftest* confdefs.h
+ 
++$as_echo "/* confdefs.h */" > confdefs.h
++
+ # Predefined preprocessor variables.
+ 
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_NAME "$PACKAGE_NAME"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_VERSION "$PACKAGE_VERSION"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_STRING "$PACKAGE_STRING"
+ _ACEOF
+ 
+-
+ cat >>confdefs.h <<_ACEOF
+ #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+ _ACEOF
+ 
++cat >>confdefs.h <<_ACEOF
++#define PACKAGE_URL "$PACKAGE_URL"
++_ACEOF
++
+ 
+ # Let the site file select an alternate cache file if it wants to.
+-# Prefer explicitly selected file to automatically selected ones.
++# Prefer an explicitly selected file to automatically selected ones.
++ac_site_file1=NONE
++ac_site_file2=NONE
+ if test -n "$CONFIG_SITE"; then
+-  set x "$CONFIG_SITE"
++  # We do not want a PATH search for config.site.
++  case $CONFIG_SITE in #((
++    -*)  ac_site_file1=./$CONFIG_SITE;;
++    */*) ac_site_file1=$CONFIG_SITE;;
++    *)   ac_site_file1=./$CONFIG_SITE;;
++  esac
+ elif test "x$prefix" != xNONE; then
+-  set x "$prefix/share/config.site" "$prefix/etc/config.site"
++  ac_site_file1=$prefix/share/config.site
++  ac_site_file2=$prefix/etc/config.site
+ else
+-  set x "$ac_default_prefix/share/config.site" \
+-	"$ac_default_prefix/etc/config.site"
++  ac_site_file1=$ac_default_prefix/share/config.site
++  ac_site_file2=$ac_default_prefix/etc/config.site
+ fi
+-shift
+-for ac_site_file
++for ac_site_file in "$ac_site_file1" "$ac_site_file2"
+ do
+-  if test -r "$ac_site_file"; then
+-    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+-echo "$as_me: loading site script $ac_site_file" >&6;}
++  test "x$ac_site_file" = xNONE && continue
++  if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
++    { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
++$as_echo "$as_me: loading site script $ac_site_file" >&6;}
+     sed 's/^/| /' "$ac_site_file" >&5
+-    . "$ac_site_file"
++    . "$ac_site_file" \
++      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "failed to load site script $ac_site_file
++See \`config.log' for more details" "$LINENO" 5 ; }
+   fi
+ done
+ 
+ if test -r "$cache_file"; then
+-  # Some versions of bash will fail to source /dev/null (special
+-  # files actually), so we avoid doing that.
+-  if test -f "$cache_file"; then
+-    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+-echo "$as_me: loading cache $cache_file" >&6;}
++  # Some versions of bash will fail to source /dev/null (special files
++  # actually), so we avoid doing that.  DJGPP emulates it as a regular file.
++  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
++    { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
++$as_echo "$as_me: loading cache $cache_file" >&6;}
+     case $cache_file in
+       [\\/]* | ?:[\\/]* ) . "$cache_file";;
+       *)                      . "./$cache_file";;
+     esac
+   fi
+ else
+-  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+-echo "$as_me: creating cache $cache_file" >&6;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
++$as_echo "$as_me: creating cache $cache_file" >&6;}
+   >$cache_file
+ fi
+ 
+@@ -1570,60 +1927,56 @@
+   eval ac_new_val=\$ac_env_${ac_var}_value
+   case $ac_old_set,$ac_new_set in
+     set,)
+-      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+-echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
++$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+       ac_cache_corrupted=: ;;
+     ,set)
+-      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+-echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
++$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+       ac_cache_corrupted=: ;;
+     ,);;
+     *)
+       if test "x$ac_old_val" != "x$ac_new_val"; then
+-	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+-echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+-	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
+-echo "$as_me:   former value:  $ac_old_val" >&2;}
+-	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
+-echo "$as_me:   current value: $ac_new_val" >&2;}
+-	ac_cache_corrupted=:
++	# differences in whitespace do not lead to failure.
++	ac_old_val_w=`echo x $ac_old_val`
++	ac_new_val_w=`echo x $ac_new_val`
++	if test "$ac_old_val_w" != "$ac_new_val_w"; then
++	  { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
++$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
++	  ac_cache_corrupted=:
++	else
++	  { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
++$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
++	  eval $ac_var=\$ac_old_val
++	fi
++	{ $as_echo "$as_me:${as_lineno-$LINENO}:   former value:  \`$ac_old_val'" >&5
++$as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
++	{ $as_echo "$as_me:${as_lineno-$LINENO}:   current value: \`$ac_new_val'" >&5
++$as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
+       fi;;
+   esac
+   # Pass precious variables to config.status.
+   if test "$ac_new_set" = set; then
+     case $ac_new_val in
+-    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
++    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+     *) ac_arg=$ac_var=$ac_new_val ;;
+     esac
+     case " $ac_configure_args " in
+       *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
+-      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
++      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
+     esac
+   fi
+ done
+ if $ac_cache_corrupted; then
+-  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+-echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+-  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+-echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+-   { (exit 1); exit 1; }; }
+-fi
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
++  { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
++$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
++  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
++fi
++## -------------------- ##
++## Main body of script. ##
++## -------------------- ##
+ 
+ ac_ext=c
+ ac_cpp='$CPP $CPPFLAGS'
+@@ -1635,6 +1988,9 @@
+ 
+ 
+ 
++eap_tnc_cflags=
++eap_tnc_ldflags=-lnaaeap
++
+ if test x$with_rlm_eap_tnc != xno; then
+ 
+ 	ac_ext=c
+@@ -1645,10 +2001,10 @@
+ if test -n "$ac_tool_prefix"; then
+   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+ set dummy ${ac_tool_prefix}gcc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1658,25 +2014,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_CC="${ac_tool_prefix}gcc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1685,10 +2041,10 @@
+   ac_ct_CC=$CC
+   # Extract the first word of "gcc", so it can be a program name with args.
+ set dummy gcc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$ac_ct_CC"; then
+   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+@@ -1698,25 +2054,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_ac_ct_CC="gcc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ ac_ct_CC=$ac_cv_prog_ac_ct_CC
+ if test -n "$ac_ct_CC"; then
+-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+-echo "${ECHO_T}$ac_ct_CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
++$as_echo "$ac_ct_CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+   if test "x$ac_ct_CC" = x; then
+@@ -1724,12 +2080,8 @@
+   else
+     case $cross_compiling:$ac_tool_warned in
+ yes:)
+-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&5
+-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
++{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
++$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ ac_tool_warned=yes ;;
+ esac
+     CC=$ac_ct_CC
+@@ -1742,10 +2094,10 @@
+           if test -n "$ac_tool_prefix"; then
+     # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+ set dummy ${ac_tool_prefix}cc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1755,25 +2107,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_CC="${ac_tool_prefix}cc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1782,10 +2134,10 @@
+ if test -z "$CC"; then
+   # Extract the first word of "cc", so it can be a program name with args.
+ set dummy cc; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1796,18 +2148,18 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+        ac_prog_rejected=yes
+        continue
+      fi
+     ac_cv_prog_CC="cc"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ if test $ac_prog_rejected = yes; then
+@@ -1826,11 +2178,11 @@
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1841,10 +2193,10 @@
+   do
+     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+ set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CC"; then
+   ac_cv_prog_CC="$CC" # Let the user override the test.
+@@ -1854,25 +2206,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ CC=$ac_cv_prog_CC
+ if test -n "$CC"; then
+-  { echo "$as_me:$LINENO: result: $CC" >&5
+-echo "${ECHO_T}$CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
++$as_echo "$CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1885,10 +2237,10 @@
+ do
+   # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+-{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
++$as_echo_n "checking for $ac_word... " >&6; }
++if test "${ac_cv_prog_ac_ct_CC+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   if test -n "$ac_ct_CC"; then
+   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+@@ -1898,25 +2250,25 @@
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  for ac_exec_ext in '' $ac_executable_extensions; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
+   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+     ac_cv_prog_ac_ct_CC="$ac_prog"
+-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
++    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+-done
++  done
+ IFS=$as_save_IFS
+ 
+ fi
+ fi
+ ac_ct_CC=$ac_cv_prog_ac_ct_CC
+ if test -n "$ac_ct_CC"; then
+-  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+-echo "${ECHO_T}$ac_ct_CC" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
++$as_echo "$ac_ct_CC" >&6; }
+ else
+-  { echo "$as_me:$LINENO: result: no" >&5
+-echo "${ECHO_T}no" >&6; }
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
+ fi
+ 
+ 
+@@ -1928,12 +2280,8 @@
+   else
+     case $cross_compiling:$ac_tool_warned in
+ yes:)
+-{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&5
+-echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+-whose name does not start with the host triplet.  If you think this
+-configuration is useful to you, please write to autoconf@gnu.org." >&2;}
++{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
++$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ ac_tool_warned=yes ;;
+ esac
+     CC=$ac_ct_CC
+@@ -1943,51 +2291,37 @@
+ fi
+ 
+ 
+-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: no acceptable C compiler found in \$PATH
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
++test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "no acceptable C compiler found in \$PATH
++See \`config.log' for more details" "$LINENO" 5 ; }
+ 
+ # Provide some information about the compiler.
+-echo "$as_me:$LINENO: checking for C compiler version" >&5
+-ac_compiler=`set X $ac_compile; echo $2`
+-{ (ac_try="$ac_compiler --version >&5"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compiler --version >&5") 2>&5
+-  ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }
+-{ (ac_try="$ac_compiler -v >&5"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compiler -v >&5") 2>&5
+-  ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }
+-{ (ac_try="$ac_compiler -V >&5"
++$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
++set X $ac_compile
++ac_compiler=$2
++for ac_option in --version -v -V -qversion; do
++  { { ac_try="$ac_compiler $ac_option >&5"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compiler -V >&5") 2>&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_compiler $ac_option >&5") 2>conftest.err
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }
++  if test -s conftest.err; then
++    sed '10a\
++... rest of stderr output deleted ...
++         10q' conftest.err >conftest.er1
++    cat conftest.er1 >&5
++  fi
++  rm -f conftest.er1 conftest.err
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }
++done
+ 
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -1999,42 +2333,38 @@
+ }
+ _ACEOF
+ ac_clean_files_save=$ac_clean_files
+-ac_clean_files="$ac_clean_files a.out a.exe b.out"
++ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+ # Try to create an executable without -o first, disregard a.out.
+ # It will help us diagnose broken compilers, and finding out an intuition
+ # of exeext.
+-{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
+-ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+-#
+-# List of possible output files, starting from the most likely.
+-# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+-# only as a last resort.  b.out is created by i960 compilers.
+-ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+-#
+-# The IRIX 6 linker writes into existing files which may not be
+-# executable, retaining their permissions.  Remove them first so a
+-# subsequent execution test works.
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
++$as_echo_n "checking whether the C compiler works... " >&6; }
++ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
++
++# The possible output files:
++ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
++
+ ac_rmfiles=
+ for ac_file in $ac_files
+ do
+   case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+     * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+   esac
+ done
+ rm -f $ac_rmfiles
+ 
+-if { (ac_try="$ac_link_default"
++if { { ac_try="$ac_link_default"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+   (eval "$ac_link_default") 2>&5
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; then
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then :
+   # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+ # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+ # in a Makefile.  We should not override ac_cv_exeext if it was cached,
+@@ -2044,14 +2374,14 @@
+ do
+   test -f "$ac_file" || continue
+   case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+ 	;;
+     [ab].out )
+ 	# We found the default executable, but exeext='' is most
+ 	# certainly right.
+ 	break;;
+     *.* )
+-        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
++	if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+ 	then :; else
+ 	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ 	fi
+@@ -2070,116 +2400,132 @@
+ else
+   ac_file=''
+ fi
+-
+-{ echo "$as_me:$LINENO: result: $ac_file" >&5
+-echo "${ECHO_T}$ac_file" >&6; }
+-if test -z "$ac_file"; then
+-  echo "$as_me: failed program was:" >&5
++if test -z "$ac_file"; then :
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++$as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+ 
+-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: C compiler cannot create executables
+-See \`config.log' for more details." >&2;}
+-   { (exit 77); exit 77; }; }
+-fi
+-
++{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error 77 "C compiler cannot create executables
++See \`config.log' for more details" "$LINENO" 5 ; }
++else
++  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
++$as_echo_n "checking for C compiler default output file name... " >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
++$as_echo "$ac_file" >&6; }
+ ac_exeext=$ac_cv_exeext
+ 
++rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
++ac_clean_files=$ac_clean_files_save
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
++$as_echo_n "checking for suffix of executables... " >&6; }
++if { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then :
++  # If both `conftest.exe' and `conftest' are `present' (well, observable)
++# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
++# work properly (i.e., refer to `conftest.exe'), while it won't with
++# `rm'.
++for ac_file in conftest.exe conftest conftest.*; do
++  test -f "$ac_file" || continue
++  case $ac_file in
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
++    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
++	  break;;
++    * ) break;;
++  esac
++done
++else
++  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot compute suffix of executables: cannot compile and link
++See \`config.log' for more details" "$LINENO" 5 ; }
++fi
++rm -f conftest conftest$ac_cv_exeext
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
++$as_echo "$ac_cv_exeext" >&6; }
++
++rm -f conftest.$ac_ext
++EXEEXT=$ac_cv_exeext
++ac_exeext=$EXEEXT
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <stdio.h>
++int
++main ()
++{
++FILE *f = fopen ("conftest.out", "w");
++ return ferror (f) || fclose (f) != 0;
++
++  ;
++  return 0;
++}
++_ACEOF
++ac_clean_files="$ac_clean_files conftest.out"
+ # Check that the compiler produces executables we can run.  If not, either
+ # the compiler is broken, or we cross compile.
+-{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
+-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+-# If not cross compiling, check that we can run a simple program.
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
++$as_echo_n "checking whether we are cross compiling... " >&6; }
+ if test "$cross_compiling" != yes; then
+-  if { ac_try='./$ac_file'
+-  { (case "(($ac_try" in
++  { { ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++  (eval "$ac_link") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }
++  if { ac_try='./conftest$ac_cv_exeext'
++  { { case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+   (eval "$ac_try") 2>&5
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; }; then
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; }; then
+     cross_compiling=no
+   else
+     if test "$cross_compiling" = maybe; then
+ 	cross_compiling=yes
+     else
+-	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
+-If you meant to cross compile, use \`--host'.
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot run C compiled programs.
++	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot run C compiled programs.
+ If you meant to cross compile, use \`--host'.
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
++See \`config.log' for more details" "$LINENO" 5 ; }
+     fi
+   fi
+ fi
+-{ echo "$as_me:$LINENO: result: yes" >&5
+-echo "${ECHO_T}yes" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
++$as_echo "$cross_compiling" >&6; }
+ 
+-rm -f a.out a.exe conftest$ac_cv_exeext b.out
++rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
+ ac_clean_files=$ac_clean_files_save
+-# Check that the compiler produces executables we can run.  If not, either
+-# the compiler is broken, or we cross compile.
+-{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+-{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+-echo "${ECHO_T}$cross_compiling" >&6; }
+-
+-{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_link") 2>&5
+-  ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; then
+-  # If both `conftest.exe' and `conftest' are `present' (well, observable)
+-# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
+-# work properly (i.e., refer to `conftest.exe'), while it won't with
+-# `rm'.
+-for ac_file in conftest.exe conftest conftest.*; do
+-  test -f "$ac_file" || continue
+-  case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+-    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+-	  break;;
+-    * ) break;;
+-  esac
+-done
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
++$as_echo_n "checking for suffix of object files... " >&6; }
++if test "${ac_cv_objext+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+-  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
+-fi
+-
+-rm -f conftest$ac_cv_exeext
+-{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+-echo "${ECHO_T}$ac_cv_exeext" >&6; }
+-
+-rm -f conftest.$ac_ext
+-EXEEXT=$ac_cv_exeext
+-ac_exeext=$EXEEXT
+-{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
+-if test "${ac_cv_objext+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+-  cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2191,51 +2537,46 @@
+ }
+ _ACEOF
+ rm -f conftest.o conftest.obj
+-if { (ac_try="$ac_compile"
++if { { ac_try="$ac_compile"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
+   (eval "$ac_compile") 2>&5
+   ac_status=$?
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; then
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then :
+   for ac_file in conftest.o conftest.obj conftest.*; do
+   test -f "$ac_file" || continue;
+   case $ac_file in
+-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
++    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+     *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+        break;;
+   esac
+ done
+ else
+-  echo "$as_me: failed program was:" >&5
++  $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+ 
+-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+-See \`config.log' for more details." >&5
+-echo "$as_me: error: cannot compute suffix of object files: cannot compile
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }
++{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "cannot compute suffix of object files: cannot compile
++See \`config.log' for more details" "$LINENO" 5 ; }
+ fi
+-
+ rm -f conftest.$ac_cv_objext conftest.$ac_ext
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+-echo "${ECHO_T}$ac_cv_objext" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
++$as_echo "$ac_cv_objext" >&6; }
+ OBJEXT=$ac_cv_objext
+ ac_objext=$OBJEXT
+-{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
+-if test "${ac_cv_c_compiler_gnu+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
++$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
++if test "${ac_cv_c_compiler_gnu+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+-  cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2249,54 +2590,34 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+   ac_compiler_gnu=yes
+ else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-	ac_compiler_gnu=no
++  ac_compiler_gnu=no
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cv_c_compiler_gnu=$ac_compiler_gnu
+ 
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+-GCC=`test $ac_compiler_gnu = yes && echo yes`
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
++$as_echo "$ac_cv_c_compiler_gnu" >&6; }
++if test $ac_compiler_gnu = yes; then
++  GCC=yes
++else
++  GCC=
++fi
+ ac_test_CFLAGS=${CFLAGS+set}
+ ac_save_CFLAGS=$CFLAGS
+-{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_cc_g+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
++$as_echo_n "checking whether $CC accepts -g... " >&6; }
++if test "${ac_cv_prog_cc_g+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   ac_save_c_werror_flag=$ac_c_werror_flag
+    ac_c_werror_flag=yes
+    ac_cv_prog_cc_g=no
+    CFLAGS="-g"
+-   cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2307,34 +2628,11 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+   ac_cv_prog_cc_g=yes
+ else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-	CFLAGS=""
+-      cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++  CFLAGS=""
++      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2345,35 +2643,12 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
+-  :
+-else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
++if ac_fn_c_try_compile "$LINENO"; then :
+ 
+-	ac_c_werror_flag=$ac_save_c_werror_flag
++else
++  ac_c_werror_flag=$ac_save_c_werror_flag
+ 	 CFLAGS="-g"
+-	 cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+ int
+@@ -2384,42 +2659,18 @@
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++if ac_fn_c_try_compile "$LINENO"; then :
+   ac_cv_prog_cc_g=yes
+-else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+    ac_c_werror_flag=$ac_save_c_werror_flag
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
++$as_echo "$ac_cv_prog_cc_g" >&6; }
+ if test "$ac_test_CFLAGS" = set; then
+   CFLAGS=$ac_save_CFLAGS
+ elif test $ac_cv_prog_cc_g = yes; then
+@@ -2435,18 +2686,14 @@
+     CFLAGS=
+   fi
+ fi
+-{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+-echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+-if test "${ac_cv_prog_cc_c89+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
++$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
++if test "${ac_cv_prog_cc_c89+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   ac_cv_prog_cc_c89=no
+ ac_save_CC=$CC
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2503,31 +2750,9 @@
+ 	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+ do
+   CC="$ac_save_CC $ac_arg"
+-  rm -f conftest.$ac_objext
+-if { (ac_try="$ac_compile"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_compile") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest.$ac_objext; then
++  if ac_fn_c_try_compile "$LINENO"; then :
+   ac_cv_prog_cc_c89=$ac_arg
+-else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+ fi
+-
+ rm -f core conftest.err conftest.$ac_objext
+   test "x$ac_cv_prog_cc_c89" != "xno" && break
+ done
+@@ -2538,17 +2763,19 @@
+ # AC_CACHE_VAL
+ case "x$ac_cv_prog_cc_c89" in
+   x)
+-    { echo "$as_me:$LINENO: result: none needed" >&5
+-echo "${ECHO_T}none needed" >&6; } ;;
++    { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
++$as_echo "none needed" >&6; } ;;
+   xno)
+-    { echo "$as_me:$LINENO: result: unsupported" >&5
+-echo "${ECHO_T}unsupported" >&6; } ;;
++    { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
++$as_echo "unsupported" >&6; } ;;
+   *)
+     CC="$CC $ac_cv_prog_cc_c89"
+-    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+-echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
++    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
++$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+ esac
++if test "x$ac_cv_prog_cc_c89" != xno; then :
+ 
++fi
+ 
+ ac_ext=c
+ ac_cpp='$CPP $CPPFLAGS'
+@@ -2557,81 +2784,474 @@
+ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+ 
+ 
+-
+-{ echo "$as_me:$LINENO: checking for exchangeTNCCSMessages in -lTNCS" >&5
+-echo $ECHO_N "checking for exchangeTNCCSMessages in -lTNCS... $ECHO_C" >&6; }
+-if test "${ac_cv_lib_TNCS_exchangeTNCCSMessages+set}" = set; then
+-  echo $ECHO_N "(cached) $ECHO_C" >&6
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for processEAPTNCData in -lnaaeap" >&5
++$as_echo_n "checking for processEAPTNCData in -lnaaeap... " >&6; }
++if test "${ac_cv_lib_naaeap_processEAPTNCData+set}" = set; then :
++  $as_echo_n "(cached) " >&6
+ else
+   ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lTNCS  $LIBS"
+-cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
++LIBS="-lnaaeap  $LIBS"
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++
++/* Override any GCC internal prototype to avoid an error.
++   Use char because int might match the return type of a GCC
++   builtin and then its argument prototype would still apply.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++char processEAPTNCData ();
++int
++main ()
++{
++return processEAPTNCData ();
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++  ac_cv_lib_naaeap_processEAPTNCData=yes
++else
++  ac_cv_lib_naaeap_processEAPTNCData=no
++fi
++rm -f core conftest.err conftest.$ac_objext \
++    conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_naaeap_processEAPTNCData" >&5
++$as_echo "$ac_cv_lib_naaeap_processEAPTNCData" >&6; }
++if test "x$ac_cv_lib_naaeap_processEAPTNCData" = x""yes; then :
++  cat >>confdefs.h <<_ACEOF
++#define HAVE_LIBNAAEAP 1
++_ACEOF
++
++  LIBS="-lnaaeap $LIBS"
++
++else
++  fail="$fail -lnaaeap"
++fi
++
++	if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the NAAEAP library was not found!" >&5
++$as_echo "$as_me: WARNING: the NAAEAP library was not found!" >&2;}
++		fail="$fail -lNAAEAP"
++	fi
++
++	ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
++$as_echo_n "checking how to run the C preprocessor... " >&6; }
++# On Suns, sometimes $CPP names a directory.
++if test -n "$CPP" && test -d "$CPP"; then
++  CPP=
++fi
++if test -z "$CPP"; then
++  if test "${ac_cv_prog_CPP+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++      # Double quotes because CPP needs to be expanded
++    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
++    do
++      ac_preproc_ok=false
++for ac_c_preproc_warn_flag in '' yes
++do
++  # Use a header file that comes with gcc, so configuring glibc
++  # with a fresh cross-compiler works.
++  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++  # <limits.h> exists even on freestanding compilers.
++  # On the NeXT, cc -E runs the code through the compiler's parser,
++  # not just through cpp. "Syntax error" is here to catch this case.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++		     Syntax error
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++
++else
++  # Broken: fails on valid input.
++continue
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++  # OK, works on sane cases.  Now check whether nonexistent headers
++  # can be detected and how.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <ac_nonexistent.h>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++  # Broken: success on invalid input.
++continue
++else
++  # Passes both tests.
++ac_preproc_ok=:
++break
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++done
++# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
++rm -f conftest.i conftest.err conftest.$ac_ext
++if $ac_preproc_ok; then :
++  break
++fi
++
++    done
++    ac_cv_prog_CPP=$CPP
++
++fi
++  CPP=$ac_cv_prog_CPP
++else
++  ac_cv_prog_CPP=$CPP
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
++$as_echo "$CPP" >&6; }
++ac_preproc_ok=false
++for ac_c_preproc_warn_flag in '' yes
++do
++  # Use a header file that comes with gcc, so configuring glibc
++  # with a fresh cross-compiler works.
++  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++  # <limits.h> exists even on freestanding compilers.
++  # On the NeXT, cc -E runs the code through the compiler's parser,
++  # not just through cpp. "Syntax error" is here to catch this case.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++		     Syntax error
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++
++else
++  # Broken: fails on valid input.
++continue
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++  # OK, works on sane cases.  Now check whether nonexistent headers
++  # can be detected and how.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <ac_nonexistent.h>
++_ACEOF
++if ac_fn_c_try_cpp "$LINENO"; then :
++  # Broken: success on invalid input.
++continue
++else
++  # Passes both tests.
++ac_preproc_ok=:
++break
++fi
++rm -f conftest.err conftest.i conftest.$ac_ext
++
++done
++# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
++rm -f conftest.i conftest.err conftest.$ac_ext
++if $ac_preproc_ok; then :
++
++else
++  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
++See \`config.log' for more details" "$LINENO" 5 ; }
++fi
++
++ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5
++$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
++if test "${ac_cv_path_GREP+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  if test -z "$GREP"; then
++  ac_path_GREP_found=false
++  # Loop through the user's path and test for each of PROGNAME-LIST
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
++do
++  IFS=$as_save_IFS
++  test -z "$as_dir" && as_dir=.
++    for ac_prog in grep ggrep; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
++      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
++      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
++# Check for GNU ac_path_GREP and select it if it is found.
++  # Check for GNU $ac_path_GREP
++case `"$ac_path_GREP" --version 2>&1` in
++*GNU*)
++  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
++*)
++  ac_count=0
++  $as_echo_n 0123456789 >"conftest.in"
++  while :
++  do
++    cat "conftest.in" "conftest.in" >"conftest.tmp"
++    mv "conftest.tmp" "conftest.in"
++    cp "conftest.in" "conftest.nl"
++    $as_echo 'GREP' >> "conftest.nl"
++    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
++    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
++    as_fn_arith $ac_count + 1 && ac_count=$as_val
++    if test $ac_count -gt ${ac_path_GREP_max-0}; then
++      # Best one so far, save it but keep looking for a better one
++      ac_cv_path_GREP="$ac_path_GREP"
++      ac_path_GREP_max=$ac_count
++    fi
++    # 10*(2^10) chars as input seems more than enough
++    test $ac_count -gt 10 && break
++  done
++  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
++esac
++
++      $ac_path_GREP_found && break 3
++    done
++  done
++  done
++IFS=$as_save_IFS
++  if test -z "$ac_cv_path_GREP"; then
++    as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
++  fi
++else
++  ac_cv_path_GREP=$GREP
++fi
++
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5
++$as_echo "$ac_cv_path_GREP" >&6; }
++ GREP="$ac_cv_path_GREP"
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5
++$as_echo_n "checking for egrep... " >&6; }
++if test "${ac_cv_path_EGREP+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
++   then ac_cv_path_EGREP="$GREP -E"
++   else
++     if test -z "$EGREP"; then
++  ac_path_EGREP_found=false
++  # Loop through the user's path and test for each of PROGNAME-LIST
++  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
++for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
++do
++  IFS=$as_save_IFS
++  test -z "$as_dir" && as_dir=.
++    for ac_prog in egrep; do
++    for ac_exec_ext in '' $ac_executable_extensions; do
++      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
++      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
++# Check for GNU ac_path_EGREP and select it if it is found.
++  # Check for GNU $ac_path_EGREP
++case `"$ac_path_EGREP" --version 2>&1` in
++*GNU*)
++  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
++*)
++  ac_count=0
++  $as_echo_n 0123456789 >"conftest.in"
++  while :
++  do
++    cat "conftest.in" "conftest.in" >"conftest.tmp"
++    mv "conftest.tmp" "conftest.in"
++    cp "conftest.in" "conftest.nl"
++    $as_echo 'EGREP' >> "conftest.nl"
++    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
++    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
++    as_fn_arith $ac_count + 1 && ac_count=$as_val
++    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
++      # Best one so far, save it but keep looking for a better one
++      ac_cv_path_EGREP="$ac_path_EGREP"
++      ac_path_EGREP_max=$ac_count
++    fi
++    # 10*(2^10) chars as input seems more than enough
++    test $ac_count -gt 10 && break
++  done
++  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
++esac
++
++      $ac_path_EGREP_found && break 3
++    done
++  done
++  done
++IFS=$as_save_IFS
++  if test -z "$ac_cv_path_EGREP"; then
++    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
++  fi
++else
++  ac_cv_path_EGREP=$EGREP
++fi
++
++   fi
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5
++$as_echo "$ac_cv_path_EGREP" >&6; }
++ EGREP="$ac_cv_path_EGREP"
++
++
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
++$as_echo_n "checking for ANSI C header files... " >&6; }
++if test "${ac_cv_header_stdc+set}" = set; then :
++  $as_echo_n "(cached) " >&6
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <stdlib.h>
++#include <stdarg.h>
++#include <string.h>
++#include <float.h>
++
++int
++main ()
++{
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  ac_cv_header_stdc=yes
++else
++  ac_cv_header_stdc=no
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++
++if test $ac_cv_header_stdc = yes; then
++  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <string.h>
++
+ _ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++  $EGREP "memchr" >/dev/null 2>&1; then :
++
++else
++  ac_cv_header_stdc=no
++fi
++rm -f conftest*
++
++fi
++
++if test $ac_cv_header_stdc = yes; then
++  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <stdlib.h>
++
++_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++  $EGREP "free" >/dev/null 2>&1; then :
++
++else
++  ac_cv_header_stdc=no
++fi
++rm -f conftest*
++
++fi
++
++if test $ac_cv_header_stdc = yes; then
++  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
++  if test "$cross_compiling" = yes; then :
++  :
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+-
+-/* Override any GCC internal prototype to avoid an error.
+-   Use char because int might match the return type of a GCC
+-   builtin and then its argument prototype would still apply.  */
+-#ifdef __cplusplus
+-extern "C"
++#include <ctype.h>
++#include <stdlib.h>
++#if ((' ' & 0x0FF) == 0x020)
++# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
++# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
++#else
++# define ISLOWER(c) \
++		   (('a' <= (c) && (c) <= 'i') \
++		     || ('j' <= (c) && (c) <= 'r') \
++		     || ('s' <= (c) && (c) <= 'z'))
++# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+ #endif
+-char exchangeTNCCSMessages ();
++
++#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+ int
+ main ()
+ {
+-return exchangeTNCCSMessages ();
+-  ;
++  int i;
++  for (i = 0; i < 256; i++)
++    if (XOR (islower (i), ISLOWER (i))
++	|| toupper (i) != TOUPPER (i))
++      return 2;
+   return 0;
+ }
+ _ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+-  (eval "$ac_link") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest$ac_exeext &&
+-       $as_test_x conftest$ac_exeext; then
+-  ac_cv_lib_TNCS_exchangeTNCCSMessages=yes
++if ac_fn_c_try_run "$LINENO"; then :
++
+ else
+-  echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
++  ac_cv_header_stdc=no
++fi
++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
++  conftest.$ac_objext conftest.beam conftest.$ac_ext
++fi
+ 
+-	ac_cv_lib_TNCS_exchangeTNCCSMessages=no
+ fi
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5
++$as_echo "$ac_cv_header_stdc" >&6; }
++if test $ac_cv_header_stdc = yes; then
++
++$as_echo "#define STDC_HEADERS 1" >>confdefs.h
+ 
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+-      conftest$ac_exeext conftest.$ac_ext
+-LIBS=$ac_check_lib_save_LIBS
+ fi
+-{ echo "$as_me:$LINENO: result: $ac_cv_lib_TNCS_exchangeTNCCSMessages" >&5
+-echo "${ECHO_T}$ac_cv_lib_TNCS_exchangeTNCCSMessages" >&6; }
+-if test $ac_cv_lib_TNCS_exchangeTNCCSMessages = yes; then
++
++# On IRIX 5.3, sys/types and inttypes.h are conflicting.
++for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
++		  inttypes.h stdint.h unistd.h
++do :
++  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
++ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
++"
++if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+   cat >>confdefs.h <<_ACEOF
+-#define HAVE_LIBTNCS 1
++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+ _ACEOF
+ 
+-  LIBS="-lTNCS $LIBS"
++fi
++
++done
++
++
++for ac_header in naaeap/naaeap.h
++do :
++  ac_fn_c_check_header_mongrel "$LINENO" "naaeap/naaeap.h" "ac_cv_header_naaeap_naaeap_h" "$ac_includes_default"
++if test "x$ac_cv_header_naaeap_naaeap_h" = x""yes; then :
++  cat >>confdefs.h <<_ACEOF
++#define HAVE_NAAEAP_NAAEAP_H 1
++_ACEOF
+ 
++else
++  fail="$fail -Inaaeap.h"
+ fi
+ 
+-	if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
+-		{ echo "$as_me:$LINENO: WARNING: the TNCS library isn't found!" >&5
+-echo "$as_me: WARNING: the TNCS library isn't found!" >&2;}
+-		fail="$fail -lTNCS"
++done
++
++	if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the naaeap header was not found!" >&5
++$as_echo "$as_me: WARNING: the naaeap header was not found!" >&2;}
++		fail="$fail -Inaaeap.h"
+ 	fi
+ 
+ 	targetname=rlm_eap_tnc
+@@ -2642,14 +3262,12 @@
+ 
+ if test x"$fail" != x""; then
+ 	if test x"${enable_strict_dependencies}" = x"yes"; then
+-		{ { echo "$as_me:$LINENO: error: set --without-rlm_eap_tnc to disable it explicitly." >&5
+-echo "$as_me: error: set --without-rlm_eap_tnc to disable it explicitly." >&2;}
+-   { (exit 1); exit 1; }; }
++		as_fn_error $? "set --without-rlm_eap_tnc to disable it explicitly." "$LINENO" 5
+ 	else
+-		{ echo "$as_me:$LINENO: WARNING: silently not building rlm_eap_tnc." >&5
+-echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
+-		{ echo "$as_me:$LINENO: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
+-echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_tnc." >&5
++$as_echo "$as_me: WARNING: silently not building rlm_eap_tnc." >&2;}
++		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&5
++$as_echo "$as_me: WARNING: FAILURE: rlm_eap_tnc requires: $fail." >&2;};
+ 		targetname=""
+ 	fi
+ fi
+@@ -2658,11 +3276,7 @@
+ 
+ 
+ 
+-
+-  unset ac_cv_env_LIBS_set
+-  unset ac_cv_env_LIBS_value
+-
+-  ac_config_files="$ac_config_files Makefile"
++ac_config_files="$ac_config_files Makefile"
+ 
+ cat >confcache <<\_ACEOF
+ # This file is a shell script that caches the results of configure
+@@ -2691,12 +3305,13 @@
+     case $ac_val in #(
+     *${as_nl}*)
+       case $ac_var in #(
+-      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+-echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
++      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
++$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+       esac
+       case $ac_var in #(
+       _ | IFS | as_nl) ;; #(
+-      *) $as_unset $ac_var ;;
++      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
++      *) { eval $ac_var=; unset $ac_var;} ;;
+       esac ;;
+     esac
+   done
+@@ -2704,8 +3319,8 @@
+   (set) 2>&1 |
+     case $as_nl`(ac_space=' '; set) 2>&1` in #(
+     *${as_nl}ac_space=\ *)
+-      # `set' does not quote correctly, so add quotes (double-quote
+-      # substitution turns \\\\ into \\, and sed turns \\ into \).
++      # `set' does not quote correctly, so add quotes: double-quote
++      # substitution turns \\\\ into \\, and sed turns \\ into \.
+       sed -n \
+ 	"s/'/'\\\\''/g;
+ 	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+@@ -2728,12 +3343,12 @@
+ if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+   if test -w "$cache_file"; then
+     test "x$cache_file" != "x/dev/null" &&
+-      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+-echo "$as_me: updating cache $cache_file" >&6;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
++$as_echo "$as_me: updating cache $cache_file" >&6;}
+     cat confcache >$cache_file
+   else
+-    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+-echo "$as_me: not updating unwritable cache $cache_file" >&6;}
++    { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
++$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+   fi
+ fi
+ rm -f confcache
+@@ -2750,6 +3365,12 @@
+ # take arguments), then branch to the quote section.  Otherwise,
+ # look for a macro that doesn't take arguments.
+ ac_script='
++:mline
++/\\$/{
++ N
++ s,\\\n,,
++ b mline
++}
+ t clear
+ :clear
+ s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
+@@ -2776,14 +3397,15 @@
+ 
+ ac_libobjs=
+ ac_ltlibobjs=
++U=
+ for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+   # 1. Remove the extension, and $U if already installed.
+   ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+-  ac_i=`echo "$ac_i" | sed "$ac_script"`
++  ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
+   # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
+   #    will be set to the directory where LIBOBJS objects are built.
+-  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+-  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
++  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
++  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
+ done
+ LIBOBJS=$ac_libobjs
+ 
+@@ -2792,11 +3414,13 @@
+ 
+ 
+ : ${CONFIG_STATUS=./config.status}
++ac_write_fail=0
+ ac_clean_files_save=$ac_clean_files
+ ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+-echo "$as_me: creating $CONFIG_STATUS" >&6;}
+-cat >$CONFIG_STATUS <<_ACEOF
++{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
++$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
++as_write_fail=0
++cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
+ #! $SHELL
+ # Generated by $as_me.
+ # Run this file to recreate the current configuration.
+@@ -2806,59 +3430,79 @@
+ debug=false
+ ac_cs_recheck=false
+ ac_cs_silent=false
+-SHELL=\${CONFIG_SHELL-$SHELL}
+-_ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
+-## --------------------- ##
+-## M4sh Initialization.  ##
+-## --------------------- ##
++SHELL=\${CONFIG_SHELL-$SHELL}
++export SHELL
++_ASEOF
++cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
++## -------------------- ##
++## M4sh Initialization. ##
++## -------------------- ##
+ 
+ # Be more Bourne compatible
+ DUALCASE=1; export DUALCASE # for MKS sh
+-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
++if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+   emulate sh
+   NULLCMD=:
+-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
++  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+   # is contrary to our usage.  Disable this feature.
+   alias -g '${1+"$@"}'='"$@"'
+   setopt NO_GLOB_SUBST
+ else
+-  case `(set -o) 2>/dev/null` in
+-  *posix*) set -o posix ;;
++  case `(set -o) 2>/dev/null` in #(
++  *posix*) :
++    set -o posix ;; #(
++  *) :
++     ;;
+ esac
+-
+ fi
+ 
+ 
+-
+-
+-# PATH needs CR
+-# Avoid depending upon Character Ranges.
+-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+-as_cr_digits='0123456789'
+-as_cr_alnum=$as_cr_Letters$as_cr_digits
+-
+-# The user is always right.
+-if test "${PATH_SEPARATOR+set}" != set; then
+-  echo "#! /bin/sh" >conf$$.sh
+-  echo  "exit 0"   >>conf$$.sh
+-  chmod +x conf$$.sh
+-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+-    PATH_SEPARATOR=';'
++as_nl='
++'
++export as_nl
++# Printing a long string crashes Solaris 7 /usr/bin/printf.
++as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
++as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
++# Prefer a ksh shell builtin over an external printf program on Solaris,
++# but without wasting forks for bash or zsh.
++if test -z "$BASH_VERSION$ZSH_VERSION" \
++    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='print -r --'
++  as_echo_n='print -rn --'
++elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
++  as_echo='printf %s\n'
++  as_echo_n='printf %s'
++else
++  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
++    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
++    as_echo_n='/usr/ucb/echo -n'
+   else
+-    PATH_SEPARATOR=:
++    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
++    as_echo_n_body='eval
++      arg=$1;
++      case $arg in #(
++      *"$as_nl"*)
++	expr "X$arg" : "X\\(.*\\)$as_nl";
++	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
++      esac;
++      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
++    '
++    export as_echo_n_body
++    as_echo_n='sh -c $as_echo_n_body as_echo'
+   fi
+-  rm -f conf$$.sh
++  export as_echo_body
++  as_echo='sh -c $as_echo_body as_echo'
+ fi
+ 
+-# Support unset when possible.
+-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+-  as_unset=unset
+-else
+-  as_unset=false
++# The user is always right.
++if test "${PATH_SEPARATOR+set}" != set; then
++  PATH_SEPARATOR=:
++  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
++    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
++      PATH_SEPARATOR=';'
++  }
+ fi
+ 
+ 
+@@ -2867,20 +3511,18 @@
+ # there to prevent editors from complaining about space-tab.
+ # (If _AS_PATH_WALK were called with IFS unset, it would disable word
+ # splitting by setting IFS to empty value.)
+-as_nl='
+-'
+ IFS=" ""	$as_nl"
+ 
+ # Find who we are.  Look in the path if we contain no directory separator.
+-case $0 in
++case $0 in #((
+   *[\\/]* ) as_myself=$0 ;;
+   *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+-done
++    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
++  done
+ IFS=$as_save_IFS
+ 
+      ;;
+@@ -2891,32 +3533,111 @@
+   as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+-  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+-  { (exit 1); exit 1; }
++  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
++  exit 1
+ fi
+ 
+-# Work around bugs in pre-3.0 UWIN ksh.
+-for as_var in ENV MAIL MAILPATH
+-do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++# Unset variables that we do not need and which cause bugs (e.g. in
++# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
++# suppresses any "Segmentation fault" message there.  '((' could
++# trigger a bug in pdksh 5.2.14.
++for as_var in BASH_ENV ENV MAIL MAILPATH
++do eval test x\${$as_var+set} = xset \
++  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+ done
+ PS1='$ '
+ PS2='> '
+ PS4='+ '
+ 
+ # NLS nuisances.
+-for as_var in \
+-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+-  LC_TELEPHONE LC_TIME
+-do
+-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+-    eval $as_var=C; export $as_var
+-  else
+-    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
++LC_ALL=C
++export LC_ALL
++LANGUAGE=C
++export LANGUAGE
++
++# CDPATH.
++(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
++
++
++# as_fn_error STATUS ERROR [LINENO LOG_FD]
++# ----------------------------------------
++# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
++# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
++# script with STATUS, using 1 if that was 0.
++as_fn_error ()
++{
++  as_status=$1; test $as_status -eq 0 && as_status=1
++  if test "$4"; then
++    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
+   fi
+-done
++  $as_echo "$as_me: error: $2" >&2
++  as_fn_exit $as_status
++} # as_fn_error
++
++
++# as_fn_set_status STATUS
++# -----------------------
++# Set $? to STATUS, without forking.
++as_fn_set_status ()
++{
++  return $1
++} # as_fn_set_status
++
++# as_fn_exit STATUS
++# -----------------
++# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
++as_fn_exit ()
++{
++  set +e
++  as_fn_set_status $1
++  exit $1
++} # as_fn_exit
++
++# as_fn_unset VAR
++# ---------------
++# Portably unset VAR.
++as_fn_unset ()
++{
++  { eval $1=; unset $1;}
++}
++as_unset=as_fn_unset
++# as_fn_append VAR VALUE
++# ----------------------
++# Append the text in VALUE to the end of the definition contained in VAR. Take
++# advantage of any shell optimizations that allow amortized linear growth over
++# repeated appends, instead of the typical quadratic growth present in naive
++# implementations.
++if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
++  eval 'as_fn_append ()
++  {
++    eval $1+=\$2
++  }'
++else
++  as_fn_append ()
++  {
++    eval $1=\$$1\$2
++  }
++fi # as_fn_append
++
++# as_fn_arith ARG...
++# ------------------
++# Perform arithmetic evaluation on the ARGs, and store the result in the
++# global $as_val. Take advantage of shells that can avoid forks. The arguments
++# must be portable across $(()) and expr.
++if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
++  eval 'as_fn_arith ()
++  {
++    as_val=$(( $* ))
++  }'
++else
++  as_fn_arith ()
++  {
++    as_val=`expr "$@" || test $? -eq 1`
++  }
++fi # as_fn_arith
++
+ 
+-# Required to use basename.
+ if expr a : '\(a\)' >/dev/null 2>&1 &&
+    test "X`expr 00001 : '.*\(...\)'`" = X001; then
+   as_expr=expr
+@@ -2930,13 +3651,17 @@
+   as_basename=false
+ fi
+ 
++if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
++  as_dirname=dirname
++else
++  as_dirname=false
++fi
+ 
+-# Name of the executable.
+ as_me=`$as_basename -- "$0" ||
+ $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ 	 X"$0" : 'X\(//\)$' \| \
+ 	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X/"$0" |
++$as_echo X/"$0" |
+     sed '/^.*\/\([^/][^/]*\)\/*$/{
+ 	    s//\1/
+ 	    q
+@@ -2951,104 +3676,103 @@
+ 	  }
+ 	  s/.*/./; q'`
+ 
+-# CDPATH.
+-$as_unset CDPATH
+-
+-
+-
+-  as_lineno_1=$LINENO
+-  as_lineno_2=$LINENO
+-  test "x$as_lineno_1" != "x$as_lineno_2" &&
+-  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+-
+-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+-  # uniformly replaced by the line number.  The first 'sed' inserts a
+-  # line-number line after each line using $LINENO; the second 'sed'
+-  # does the real work.  The second script uses 'N' to pair each
+-  # line-number line with the line containing $LINENO, and appends
+-  # trailing '-' during substitution so that $LINENO is not a special
+-  # case at line end.
+-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+-  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+-  # E. McMahon (1931-1989) for sed's syntax.  :-)
+-  sed -n '
+-    p
+-    /[$]LINENO/=
+-  ' <$as_myself |
+-    sed '
+-      s/[$]LINENO.*/&-/
+-      t lineno
+-      b
+-      :lineno
+-      N
+-      :loop
+-      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+-      t loop
+-      s/-\n.*//
+-    ' >$as_me.lineno &&
+-  chmod +x "$as_me.lineno" ||
+-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+-   { (exit 1); exit 1; }; }
+-
+-  # Don't try to exec as it changes $[0], causing all sort of problems
+-  # (the dirname of $[0] is not the place where we might find the
+-  # original and so on.  Autoconf is especially sensitive to this).
+-  . "./$as_me.lineno"
+-  # Exit status is that of the last command.
+-  exit
+-}
+-
+-
+-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+-  as_dirname=dirname
+-else
+-  as_dirname=false
+-fi
++# Avoid depending upon Character Ranges.
++as_cr_letters='abcdefghijklmnopqrstuvwxyz'
++as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
++as_cr_Letters=$as_cr_letters$as_cr_LETTERS
++as_cr_digits='0123456789'
++as_cr_alnum=$as_cr_Letters$as_cr_digits
+ 
+ ECHO_C= ECHO_N= ECHO_T=
+-case `echo -n x` in
++case `echo -n x` in #(((((
+ -n*)
+-  case `echo 'x\c'` in
++  case `echo 'xy\c'` in
+   *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+-  *)   ECHO_C='\c';;
++  xy)  ECHO_C='\c';;
++  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
++       ECHO_T='	';;
+   esac;;
+ *)
+   ECHO_N='-n';;
+ esac
+ 
+-if expr a : '\(a\)' >/dev/null 2>&1 &&
+-   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+-  as_expr=expr
+-else
+-  as_expr=false
+-fi
+-
+ rm -f conf$$ conf$$.exe conf$$.file
+ if test -d conf$$.dir; then
+   rm -f conf$$.dir/conf$$.file
+ else
+   rm -f conf$$.dir
+-  mkdir conf$$.dir
++  mkdir conf$$.dir 2>/dev/null
+ fi
+-echo >conf$$.file
+-if ln -s conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s='ln -s'
+-  # ... but there are two gotchas:
+-  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+-  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+-  # In both cases, we have to default to `cp -p'.
+-  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++if (echo >conf$$.file) 2>/dev/null; then
++  if ln -s conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s='ln -s'
++    # ... but there are two gotchas:
++    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
++    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
++    # In both cases, we have to default to `cp -p'.
++    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
++      as_ln_s='cp -p'
++  elif ln conf$$.file conf$$ 2>/dev/null; then
++    as_ln_s=ln
++  else
+     as_ln_s='cp -p'
+-elif ln conf$$.file conf$$ 2>/dev/null; then
+-  as_ln_s=ln
++  fi
+ else
+   as_ln_s='cp -p'
+ fi
+ rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+ rmdir conf$$.dir 2>/dev/null
+ 
++
++# as_fn_mkdir_p
++# -------------
++# Create "$as_dir" as a directory, including parents if necessary.
++as_fn_mkdir_p ()
++{
++
++  case $as_dir in #(
++  -*) as_dir=./$as_dir;;
++  esac
++  test -d "$as_dir" || eval $as_mkdir_p || {
++    as_dirs=
++    while :; do
++      case $as_dir in #(
++      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
++      *) as_qdir=$as_dir;;
++      esac
++      as_dirs="'$as_qdir' $as_dirs"
++      as_dir=`$as_dirname -- "$as_dir" ||
++$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
++	 X"$as_dir" : 'X\(//\)[^/]' \| \
++	 X"$as_dir" : 'X\(//\)$' \| \
++	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
++$as_echo X"$as_dir" |
++    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)[^/].*/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\/\)$/{
++	    s//\1/
++	    q
++	  }
++	  /^X\(\/\).*/{
++	    s//\1/
++	    q
++	  }
++	  s/.*/./; q'`
++      test -d "$as_dir" && break
++    done
++    test -z "$as_dirs" || eval "mkdir $as_dirs"
++  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
++
++
++} # as_fn_mkdir_p
+ if mkdir -p . 2>/dev/null; then
+-  as_mkdir_p=:
++  as_mkdir_p='mkdir -p "$as_dir"'
+ else
+   test -d ./-p && rmdir ./-p
+   as_mkdir_p=false
+@@ -3065,12 +3789,12 @@
+   as_test_x='
+     eval sh -c '\''
+       if test -d "$1"; then
+-        test -d "$1/.";
++	test -d "$1/.";
+       else
+-	case $1 in
+-        -*)set "./$1";;
++	case $1 in #(
++	-*)set "./$1";;
+ 	esac;
+-	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
++	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+ 	???[sx]*):;;*)false;;esac;fi
+     '\'' sh
+   '
+@@ -3085,13 +3809,19 @@
+ 
+ 
+ exec 6>&1
++## ----------------------------------- ##
++## Main body of $CONFIG_STATUS script. ##
++## ----------------------------------- ##
++_ASEOF
++test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
+ 
+-# Save the log message, to keep $[0] and so on meaningful, and to
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++# Save the log message, to keep $0 and so on meaningful, and to
+ # report actual input values of CONFIG_FILES etc. instead of their
+ # values after options handling.
+ ac_log="
+ This file was extended by $as_me, which was
+-generated by GNU Autoconf 2.61.  Invocation command line was
++generated by GNU Autoconf 2.67.  Invocation command line was
+ 
+   CONFIG_FILES    = $CONFIG_FILES
+   CONFIG_HEADERS  = $CONFIG_HEADERS
+@@ -3104,59 +3834,74 @@
+ 
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<_ACEOF
++case $ac_config_files in *"
++"*) set x $ac_config_files; shift; ac_config_files=$*;;
++esac
++
++
++
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ # Files that config.status was made for.
+ config_files="$ac_config_files"
+ 
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ ac_cs_usage="\
+-\`$as_me' instantiates files from templates according to the
+-current configuration.
++\`$as_me' instantiates files and other configuration actions
++from templates according to the current configuration.  Unless the files
++and actions are specified as TAGs, all are instantiated by default.
+ 
+-Usage: $0 [OPTIONS] [FILE]...
++Usage: $0 [OPTION]... [TAG]...
+ 
+   -h, --help       print this help, then exit
+   -V, --version    print version number and configuration settings, then exit
+-  -q, --quiet      do not print progress messages
++      --config     print configuration, then exit
++  -q, --quiet, --silent
++                   do not print progress messages
+   -d, --debug      don't remove temporary files
+       --recheck    update $as_me by reconfiguring in the same conditions
+-  --file=FILE[:TEMPLATE]
+-		   instantiate the configuration file FILE
++      --file=FILE[:TEMPLATE]
++                   instantiate the configuration file FILE
+ 
+ Configuration files:
+ $config_files
+ 
+-Report bugs to <bug-autoconf@gnu.org>."
++Report bugs to the package provider."
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
+ ac_cs_version="\\
+ config.status
+-configured by $0, generated by GNU Autoconf 2.61,
+-  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
++configured by $0, generated by GNU Autoconf 2.67,
++  with options \\"\$ac_cs_config\\"
+ 
+-Copyright (C) 2006 Free Software Foundation, Inc.
++Copyright (C) 2010 Free Software Foundation, Inc.
+ This config.status script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it."
+ 
+ ac_pwd='$ac_pwd'
+ srcdir='$srcdir'
++test -n "\$AWK" || AWK=awk
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
+-# If no file are specified by the user, then we need to provide default
+-# value.  By we need to know if files were specified by the user.
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++# The default lists apply if the user does not specify any file.
+ ac_need_defaults=:
+ while test $# != 0
+ do
+   case $1 in
+-  --*=*)
++  --*=?*)
+     ac_option=`expr "X$1" : 'X\([^=]*\)='`
+     ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+     ac_shift=:
+     ;;
++  --*=)
++    ac_option=`expr "X$1" : 'X\([^=]*\)='`
++    ac_optarg=
++    ac_shift=:
++    ;;
+   *)
+     ac_option=$1
+     ac_optarg=$2
+@@ -3169,25 +3914,30 @@
+   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+     ac_cs_recheck=: ;;
+   --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+-    echo "$ac_cs_version"; exit ;;
++    $as_echo "$ac_cs_version"; exit ;;
++  --config | --confi | --conf | --con | --co | --c )
++    $as_echo "$ac_cs_config"; exit ;;
+   --debug | --debu | --deb | --de | --d | -d )
+     debug=: ;;
+   --file | --fil | --fi | --f )
+     $ac_shift
+-    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
++    case $ac_optarg in
++    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
++    '') as_fn_error $? "missing file argument" ;;
++    esac
++    as_fn_append CONFIG_FILES " '$ac_optarg'"
+     ac_need_defaults=false;;
+   --he | --h |  --help | --hel | -h )
+-    echo "$ac_cs_usage"; exit ;;
++    $as_echo "$ac_cs_usage"; exit ;;
+   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+   | -silent | --silent | --silen | --sile | --sil | --si | --s)
+     ac_cs_silent=: ;;
+ 
+   # This is an error.
+-  -*) { echo "$as_me: error: unrecognized option: $1
+-Try \`$0 --help' for more information." >&2
+-   { (exit 1); exit 1; }; } ;;
++  -*) as_fn_error $? "unrecognized option: \`$1'
++Try \`$0 --help' for more information." ;;
+ 
+-  *) ac_config_targets="$ac_config_targets $1"
++  *) as_fn_append ac_config_targets " $1"
+      ac_need_defaults=false ;;
+ 
+   esac
+@@ -3202,30 +3952,32 @@
+ fi
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ if \$ac_cs_recheck; then
+-  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+-  CONFIG_SHELL=$SHELL
++  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
++  shift
++  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
++  CONFIG_SHELL='$SHELL'
+   export CONFIG_SHELL
+-  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
++  exec "\$@"
+ fi
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ exec 5>>config.log
+ {
+   echo
+   sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+ ## Running $as_me. ##
+ _ASBOX
+-  echo "$ac_log"
++  $as_echo "$ac_log"
+ } >&5
+ 
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ 
+ # Handling of arguments.
+ for ac_config_target in $ac_config_targets
+@@ -3233,9 +3985,7 @@
+   case $ac_config_target in
+     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+ 
+-  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+-   { (exit 1); exit 1; }; };;
++  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
+   esac
+ done
+ 
+@@ -3260,7 +4010,7 @@
+   trap 'exit_status=$?
+   { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+ ' 0
+-  trap '{ (exit 1); exit 1; }' 1 2 13 15
++  trap 'as_fn_exit 1' 1 2 13 15
+ }
+ # Create a (secure) tmp directory for tmp files.
+ 
+@@ -3271,145 +4021,177 @@
+ {
+   tmp=./conf$$-$RANDOM
+   (umask 077 && mkdir "$tmp")
+-} ||
+-{
+-   echo "$me: cannot create a temporary directory in ." >&2
+-   { (exit 1); exit 1; }
+-}
+-
+-#
+-# Set up the sed scripts for CONFIG_FILES section.
+-#
++} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+ 
+-# No need to generate the scripts if there are no CONFIG_FILES.
+-# This happens for instance when ./config.status config.h
++# Set up the scripts for CONFIG_FILES section.
++# No need to generate them if there are no CONFIG_FILES.
++# This happens for instance with `./config.status config.h'.
+ if test -n "$CONFIG_FILES"; then
+ 
+-_ACEOF
+ 
++ac_cr=`echo X | tr X '\015'`
++# On cygwin, bash can eat \r inside `` if the user requested igncr.
++# But we know of no other shell where ac_cr would be empty at this
++# point, so we can use a bashism as a fallback.
++if test "x$ac_cr" = x; then
++  eval ac_cr=\$\'\\r\'
++fi
++ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
++if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
++  ac_cs_awk_cr='\\r'
++else
++  ac_cs_awk_cr=$ac_cr
++fi
++
++echo 'BEGIN {' >"$tmp/subs1.awk" &&
++_ACEOF
+ 
+ 
++{
++  echo "cat >conf$$subs.awk <<_ACEOF" &&
++  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
++  echo "_ACEOF"
++} >conf$$subs.sh ||
++  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
++ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
+ ac_delim='%!_!# '
+ for ac_last_try in false false false false false :; do
+-  cat >conf$$subs.sed <<_ACEOF
+-SHELL!$SHELL$ac_delim
+-PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+-PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+-PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+-PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+-PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+-PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+-exec_prefix!$exec_prefix$ac_delim
+-prefix!$prefix$ac_delim
+-program_transform_name!$program_transform_name$ac_delim
+-bindir!$bindir$ac_delim
+-sbindir!$sbindir$ac_delim
+-libexecdir!$libexecdir$ac_delim
+-datarootdir!$datarootdir$ac_delim
+-datadir!$datadir$ac_delim
+-sysconfdir!$sysconfdir$ac_delim
+-sharedstatedir!$sharedstatedir$ac_delim
+-localstatedir!$localstatedir$ac_delim
+-includedir!$includedir$ac_delim
+-oldincludedir!$oldincludedir$ac_delim
+-docdir!$docdir$ac_delim
+-infodir!$infodir$ac_delim
+-htmldir!$htmldir$ac_delim
+-dvidir!$dvidir$ac_delim
+-pdfdir!$pdfdir$ac_delim
+-psdir!$psdir$ac_delim
+-libdir!$libdir$ac_delim
+-localedir!$localedir$ac_delim
+-mandir!$mandir$ac_delim
+-DEFS!$DEFS$ac_delim
+-ECHO_C!$ECHO_C$ac_delim
+-ECHO_N!$ECHO_N$ac_delim
+-ECHO_T!$ECHO_T$ac_delim
+-LIBS!$LIBS$ac_delim
+-build_alias!$build_alias$ac_delim
+-host_alias!$host_alias$ac_delim
+-target_alias!$target_alias$ac_delim
+-CC!$CC$ac_delim
+-CFLAGS!$CFLAGS$ac_delim
+-LDFLAGS!$LDFLAGS$ac_delim
+-CPPFLAGS!$CPPFLAGS$ac_delim
+-ac_ct_CC!$ac_ct_CC$ac_delim
+-EXEEXT!$EXEEXT$ac_delim
+-OBJEXT!$OBJEXT$ac_delim
+-eap_tnc_cflags!$eap_tnc_cflags$ac_delim
+-eap_tnc_ldflags!$eap_tnc_ldflags$ac_delim
+-targetname!$targetname$ac_delim
+-LIBOBJS!$LIBOBJS$ac_delim
+-LTLIBOBJS!$LTLIBOBJS$ac_delim
+-_ACEOF
++  . ./conf$$subs.sh ||
++    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ 
+-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 49; then
++  ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
++  if test $ac_delim_n = $ac_delim_num; then
+     break
+   elif $ac_last_try; then
+-    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+-echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+-   { (exit 1); exit 1; }; }
++    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+   else
+     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+   fi
+ done
++rm -f conf$$subs.sh
+ 
+-ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+-if test -n "$ac_eof"; then
+-  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+-  ac_eof=`expr $ac_eof + 1`
+-fi
+-
+-cat >>$CONFIG_STATUS <<_ACEOF
+-cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+-_ACEOF
+-sed '
+-s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+-s/^/s,@/; s/!/@,|#_!!_#|/
+-:n
+-t n
+-s/'"$ac_delim"'$/,g/; t
+-s/$/\\/; p
+-N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+-' >>$CONFIG_STATUS <conf$$subs.sed
+-rm -f conf$$subs.sed
+-cat >>$CONFIG_STATUS <<_ACEOF
+-:end
+-s/|#_!!_#|//g
+-CEOF$ac_eof
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
+ _ACEOF
++sed -n '
++h
++s/^/S["/; s/!.*/"]=/
++p
++g
++s/^[^!]*!//
++:repl
++t repl
++s/'"$ac_delim"'$//
++t delim
++:nl
++h
++s/\(.\{148\}\)..*/\1/
++t more1
++s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
++p
++n
++b repl
++:more1
++s/["\\]/\\&/g; s/^/"/; s/$/"\\/
++p
++g
++s/.\{148\}//
++t nl
++:delim
++h
++s/\(.\{148\}\)..*/\1/
++t more2
++s/["\\]/\\&/g; s/^/"/; s/$/"/
++p
++b
++:more2
++s/["\\]/\\&/g; s/^/"/; s/$/"\\/
++p
++g
++s/.\{148\}//
++t delim
++' <conf$$subs.awk | sed '
++/^[^""]/{
++  N
++  s/\n//
++}
++' >>$CONFIG_STATUS || ac_write_fail=1
++rm -f conf$$subs.awk
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++_ACAWK
++cat >>"\$tmp/subs1.awk" <<_ACAWK &&
++  for (key in S) S_is_set[key] = 1
++  FS = ""
++
++}
++{
++  line = $ 0
++  nfields = split(line, field, "@")
++  substed = 0
++  len = length(field[1])
++  for (i = 2; i < nfields; i++) {
++    key = field[i]
++    keylen = length(key)
++    if (S_is_set[key]) {
++      value = S[key]
++      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
++      len += length(value) + length(field[++i])
++      substed = 1
++    } else
++      len += 1 + keylen
++  }
++
++  print line
++}
+ 
++_ACAWK
++_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
++if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
++  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
++else
++  cat
++fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
++  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
++_ACEOF
+ 
+-# VPATH may cause trouble with some makes, so we remove $(srcdir),
+-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
++# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
++# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
+ # trailing colons and then remove the whole line if VPATH becomes empty
+ # (actually we leave an empty line to preserve line numbers).
+ if test "x$srcdir" = x.; then
+-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
+-s/:*\$(srcdir):*/:/
+-s/:*\${srcdir}:*/:/
+-s/:*@srcdir@:*/:/
+-s/^\([^=]*=[	 ]*\):*/\1/
++  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
++h
++s///
++s/^/:/
++s/[	 ]*$/:/
++s/:\$(srcdir):/:/g
++s/:\${srcdir}:/:/g
++s/:@srcdir@:/:/g
++s/^:*//
+ s/:*$//
++x
++s/\(=[	 ]*\).*/\1/
++G
++s/\n//
+ s/^[^=]*=[	 ]*$//
+ }'
+ fi
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ fi # test -n "$CONFIG_FILES"
+ 
+ 
+-for ac_tag in  :F $CONFIG_FILES
++eval set X "  :F $CONFIG_FILES      "
++shift
++for ac_tag
+ do
+   case $ac_tag in
+   :[FHLC]) ac_mode=$ac_tag; continue;;
+   esac
+   case $ac_mode$ac_tag in
+   :[FHL]*:*);;
+-  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+-echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+-   { (exit 1); exit 1; }; };;
++  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
+   :[FH]-) ac_tag=-:-;;
+   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+   esac
+@@ -3437,26 +4219,34 @@
+ 	   [\\/$]*) false;;
+ 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+ 	   esac ||
+-	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+-echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+-   { (exit 1); exit 1; }; };;
++	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
+       esac
+-      ac_file_inputs="$ac_file_inputs $ac_f"
++      case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
++      as_fn_append ac_file_inputs " '$ac_f'"
+     done
+ 
+     # Let's still pretend it is `configure' which instantiates (i.e., don't
+     # use $as_me), people would be surprised to read:
+     #    /* config.h.  Generated by config.status.  */
+-    configure_input="Generated from "`IFS=:
+-	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
++    configure_input='Generated from '`
++	  $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
++	`' by configure.'
+     if test x"$ac_file" != x-; then
+       configure_input="$ac_file.  $configure_input"
+-      { echo "$as_me:$LINENO: creating $ac_file" >&5
+-echo "$as_me: creating $ac_file" >&6;}
++      { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
++$as_echo "$as_me: creating $ac_file" >&6;}
+     fi
++    # Neutralize special characters interpreted by sed in replacement strings.
++    case $configure_input in #(
++    *\&* | *\|* | *\\* )
++       ac_sed_conf_input=`$as_echo "$configure_input" |
++       sed 's/[\\\\&|]/\\\\&/g'`;; #(
++    *) ac_sed_conf_input=$configure_input;;
++    esac
+ 
+     case $ac_tag in
+-    *:-:* | *:-) cat >"$tmp/stdin";;
++    *:-:* | *:-) cat >"$tmp/stdin" \
++      || as_fn_error $? "could not create $ac_file" "$LINENO" 5  ;;
+     esac
+     ;;
+   esac
+@@ -3466,42 +4256,7 @@
+ 	 X"$ac_file" : 'X\(//\)[^/]' \| \
+ 	 X"$ac_file" : 'X\(//\)$' \| \
+ 	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$ac_file" |
+-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\(\/\/\)[^/].*/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\(\/\/\)$/{
+-	    s//\1/
+-	    q
+-	  }
+-	  /^X\(\/\).*/{
+-	    s//\1/
+-	    q
+-	  }
+-	  s/.*/./; q'`
+-  { as_dir="$ac_dir"
+-  case $as_dir in #(
+-  -*) as_dir=./$as_dir;;
+-  esac
+-  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+-    as_dirs=
+-    while :; do
+-      case $as_dir in #(
+-      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+-      *) as_qdir=$as_dir;;
+-      esac
+-      as_dirs="'$as_qdir' $as_dirs"
+-      as_dir=`$as_dirname -- "$as_dir" ||
+-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+-	 X"$as_dir" : 'X\(//\)[^/]' \| \
+-	 X"$as_dir" : 'X\(//\)$' \| \
+-	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+-echo X"$as_dir" |
++$as_echo X"$ac_file" |
+     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ 	    s//\1/
+ 	    q
+@@ -3519,20 +4274,15 @@
+ 	    q
+ 	  }
+ 	  s/.*/./; q'`
+-      test -d "$as_dir" && break
+-    done
+-    test -z "$as_dirs" || eval "mkdir $as_dirs"
+-  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+-echo "$as_me: error: cannot create directory $as_dir" >&2;}
+-   { (exit 1); exit 1; }; }; }
++  as_dir="$ac_dir"; as_fn_mkdir_p
+   ac_builddir=.
+ 
+ case "$ac_dir" in
+ .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *)
+-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
++  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+   # A ".." for each directory in $ac_dir_suffix.
+-  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
++  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+   case $ac_top_builddir_sub in
+   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+@@ -3568,12 +4318,12 @@
+ 
+ _ACEOF
+ 
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ # If the template does not know about datarootdir, expand it.
+ # FIXME: This hack should be removed a few years after 2.60.
+ ac_datarootdir_hack=; ac_datarootdir_seen=
+-
+-case `sed -n '/datarootdir/ {
++ac_sed_dataroot='
++/datarootdir/ {
+   p
+   q
+ }
+@@ -3581,36 +4331,37 @@
+ /@docdir@/p
+ /@infodir@/p
+ /@localedir@/p
+-/@mandir@/p
+-' $ac_file_inputs` in
++/@mandir@/p'
++case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
+ *datarootdir*) ac_datarootdir_seen=yes;;
+ *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+-  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+-echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
++$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+ _ACEOF
+-cat >>$CONFIG_STATUS <<_ACEOF
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+   ac_datarootdir_hack='
+   s&@datadir@&$datadir&g
+   s&@docdir@&$docdir&g
+   s&@infodir@&$infodir&g
+   s&@localedir@&$localedir&g
+   s&@mandir@&$mandir&g
+-    s&\\\${datarootdir}&$datarootdir&g' ;;
++  s&\\\${datarootdir}&$datarootdir&g' ;;
+ esac
+ _ACEOF
+ 
+ # Neutralize VPATH when `$srcdir' = `.'.
+ # Shell code in configure.ac might set extrasub.
+ # FIXME: do we really want to maintain this feature?
+-cat >>$CONFIG_STATUS <<_ACEOF
+-  sed "$ac_vpsub
++cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
++ac_sed_extra="$ac_vpsub
+ $extrasub
+ _ACEOF
+-cat >>$CONFIG_STATUS <<\_ACEOF
++cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ :t
+ /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+-s&@configure_input@&$configure_input&;t t
++s|@configure_input@|$ac_sed_conf_input|;t t
+ s&@top_builddir@&$ac_top_builddir_sub&;t t
++s&@top_build_prefix@&$ac_top_build_prefix&;t t
+ s&@srcdir@&$ac_srcdir&;t t
+ s&@abs_srcdir@&$ac_abs_srcdir&;t t
+ s&@top_srcdir@&$ac_top_srcdir&;t t
+@@ -3619,21 +4370,24 @@
+ s&@abs_builddir@&$ac_abs_builddir&;t t
+ s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+ $ac_datarootdir_hack
+-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
++"
++eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
++  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+ 
+ test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+-  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+-which seems to be undefined.  Please make sure it is defined." >&5
+-echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+-which seems to be undefined.  Please make sure it is defined." >&2;}
++  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
++which seems to be undefined.  Please make sure it is defined" >&5
++$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
++which seems to be undefined.  Please make sure it is defined" >&2;}
+ 
+   rm -f "$tmp/stdin"
+   case $ac_file in
+-  -) cat "$tmp/out"; rm -f "$tmp/out";;
+-  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+-  esac
++  -) cat "$tmp/out" && rm -f "$tmp/out";;
++  *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
++  esac \
++  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+  ;;
+ 
+ 
+@@ -3643,11 +4397,13 @@
+ done # for ac_tag
+ 
+ 
+-{ (exit 0); exit 0; }
++as_fn_exit 0
+ _ACEOF
+-chmod +x $CONFIG_STATUS
+ ac_clean_files=$ac_clean_files_save
+ 
++test $ac_write_fail = 0 ||
++  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
++
+ 
+ # configure is writing to config.log, and then calls config.status.
+ # config.status does its own redirection, appending to config.log.
+@@ -3667,7 +4423,10 @@
+   exec 5>>config.log
+   # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+   # would make configure fail if this is the last instruction.
+-  $ac_cs_success || { (exit 1); exit 1; }
++  $ac_cs_success || as_fn_exit 1
++fi
++if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
++  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
++$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
+ fi
+-
+ 
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/configure.in	2012-12-04 19:38:00.241420966 +0100
+@@ -2,12 +2,21 @@
+ AC_REVISION($Revision$)
+ AC_DEFUN(modname,[rlm_eap_tnc])
+ 
++eap_tnc_cflags=
++eap_tnc_ldflags=-lnaaeap
++
+ if test x$with_[]modname != xno; then
+ 
+-	AC_CHECK_LIB(TNCS, exchangeTNCCSMessages)
+-	if test "x$ac_cv_lib_tncs_exchangetnccsmessages" != xyes; then
+-		AC_MSG_WARN([the TNCS library isn't found!])
+-		fail="$fail -lTNCS"
++	AC_CHECK_LIB(naaeap,processEAPTNCData,,fail="$fail -lnaaeap",)
++	if test -x"$ac_cv_lib_NAAEAP_processEAPTNCData" == -x"no"; then
++		AC_MSG_WARN([the NAAEAP library was not found!])
++		fail="$fail -lNAAEAP"
++	fi
++	
++	AC_CHECK_HEADERS(naaeap/naaeap.h,,fail="$fail -Inaaeap.h",)
++	if test -x"$ac_cv_header_naaeap_h" == -x"no"; then
++		AC_MSG_WARN([the naaeap header was not found!])
++		fail="$fail -Inaaeap.h"
+ 	fi
+ 
+ 	targetname=modname
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c	2012-12-04 19:38:00.241420966 +0100
+@@ -1,12 +1,12 @@
+ /*
+  *   eap_tnc.c  EAP TNC functionality.
+  *
+- *   This software is Copyright (C) 2006,2007 FH Hannover
++ *   This software is Copyright (C) 2006-2009 FH Hannover
+  *
+  *   Portions of this code unrelated to FreeRADIUS are available
+  *   separately under a commercial license.  If you require an
+  *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
++ *   contact trust@f4-i.fh-hannover.de for details.
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -23,230 +23,41 @@
+  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+  *
+  */
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
+-
+-
+-/*
+- *
+- *  MD5 Packet Format in EAP Type-Data
+- *  --- ------ ------ -- --- ---------
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Value-Size   |  Value ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Name ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- *
+- * EAP-TNC Packet Format in EAP Type-Data
+- * 
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Flags  |Ver  | Data Length ...                                   
+- * |L M S R R|=1   |                                               
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |...            |  Data ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- 
+- *
+- */
+-
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include "eap.h"
+ 
+ #include "eap_tnc.h"
+ 
+-     /*
+-      *	WTF is wrong with htonl ?
+-      */
+-static uint32_t ByteSwap2 (uint32_t nLongNumber)
+-{
+-   return (((nLongNumber&0x000000FF)<<24)+((nLongNumber&0x0000FF00)<<8)+
+-   ((nLongNumber&0x00FF0000)>>8)+((nLongNumber&0xFF000000)>>24));
+-}
+-
+ /*
+- *      Allocate a new TNC_PACKET
++ *	Forms an EAP_REQUEST packet from the EAP_TNC specific data.
+  */
+-TNC_PACKET *eaptnc_alloc(void)
++int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code)
+ {
+-	TNC_PACKET   *rp;
+-
+-	if ((rp = malloc(sizeof(TNC_PACKET))) == NULL) {
+-		radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-		return NULL;
++	// check parameters
++	if(handler == NULL || (request == NULL && length != 0) || (request != NULL && length < 1) || code > PW_EAP_MAX_CODES){
++		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler == %p, request == %p, length == %lu, code == %u", handler, request, length, code);
++		return 0;
+ 	}
+-	memset(rp, 0, sizeof(TNC_PACKET));
+-	return rp;
+-}
+-
+-/*
+- *      Free TNC_PACKET
+- */
+-void eaptnc_free(TNC_PACKET **tnc_packet_ptr)
+-{
+-	TNC_PACKET *tnc_packet;
+-
+-	if (!tnc_packet_ptr) return;
+-	tnc_packet = *tnc_packet_ptr;
+-	if (tnc_packet == NULL) return;
+-
+-	if (tnc_packet->data) free(tnc_packet->data);
+ 
+-	free(tnc_packet);
+-
+-	*tnc_packet_ptr = NULL;
+-}
+-
+-/*
+- *	We expect only RESPONSE for which REQUEST, SUCCESS or FAILURE is sent back
+- */
+-TNC_PACKET *eaptnc_extract(EAP_DS *eap_ds)
+-{
+-	tnc_packet_t	*data;
+-	TNC_PACKET	*packet;
+-	/*
+-	 *	We need a response, of type EAP-TNC
+-     */
+-	if (!eap_ds 					 ||
+-	    !eap_ds->response 				 ||
+-	    (eap_ds->response->code != PW_TNC_RESPONSE)	 ||
+-	    eap_ds->response->type.type != PW_EAP_TNC	 ||
+-	    !eap_ds->response->type.data 		 ||
+-	    (eap_ds->response->length <= TNC_HEADER_LEN) ||
+-	    (eap_ds->response->type.data[0] <= 0)) {
+-		radlog(L_ERR, "rlm_eap_tnc: corrupted data");
+-		return NULL;
++	// further check parameters
++	if(handler->opaque == NULL || handler->eap_ds == NULL){
++		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->opaque == %p, handler->eap_ds == %p", handler->opaque, handler->eap_ds);
++		return 0;
+ 	}
+-	packet = eaptnc_alloc();
+-	if (!packet) return NULL;
+-
+ 
+-	packet->code = eap_ds->response->code;
+-	packet->id = eap_ds->response->id;
+-	packet->length = eap_ds->response->length; 
+-
+-	data = (tnc_packet_t *)eap_ds->response->type.data;
+-	/*
+-	 *	Already checked the size above.
+-	 */
+-    packet->flags_ver = data->flags_ver;
+-    unsigned char *ptr = (unsigned char*)data;
+-
+-
+-	DEBUG2("Flags/Ver: %x\n", packet->flags_ver);
+-	int thisDataLength;
+-    int dataStart;
+-    if(TNC_LENGTH_INCLUDED(packet->flags_ver)){
+-        DEBUG2("data_length included\n");
+-//        memcpy(&packet->flags_ver[1], &data->flags_ver[1], 4);
+-        //packet->data_length = data->data_length;
+-        memcpy(&packet->data_length, &ptr[1], TNC_DATA_LENGTH_LENGTH);
+-        DEBUG2("data_length: %x\n", packet->data_length);
+-        DEBUG2("data_length: %d\n", packet->data_length);
+-        DEBUG2("data_length: %x\n", ByteSwap2(packet->data_length));
+-        DEBUG2("data_length: %d\n", ByteSwap2(packet->data_length));
+-        packet->data_length = ByteSwap2(packet->data_length);
+-		thisDataLength = packet->length-TNC_PACKET_LENGTH; //1: we need space for flags_ver
+-        dataStart = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH;
+-    }else{
+-        DEBUG2("no data_length included\n");
+-	 	thisDataLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+-        packet->data_length = 0;
+-        dataStart = TNC_FLAGS_VERSION_LENGTH;
+-        
+-    }
+-	/*
+-	 *	Allocate room for the data, and copy over the data.
+-	 */
+-	packet->data = malloc(thisDataLength);
+-	if (packet->data == NULL) {
+-		radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-		eaptnc_free(&packet);
+-		return NULL;
++	if(handler->eap_ds->request == NULL){
++		radlog(L_ERR, "rlm_eap_tnc: eaptnc_compose invalid parameters: handler->eap_ds->request == %p", handler->eap_ds->request);
++		return 0;
+ 	}
+-    
+-    memcpy(packet->data, &(eap_ds->response->type.data[dataStart]), thisDataLength);
+-
+-	return packet;
+-}
+ 
+-
+-/*
+- *	Compose the portions of the reply packet specific to the
+- *	EAP-TNC protocol, in the EAP reply typedata
+- */
+-int eaptnc_compose(EAP_DS *eap_ds, TNC_PACKET *reply)
+-{
+-	uint8_t *ptr;
+-
+-
+-	if (reply->code < 3) {
+-		//fill: EAP-Type (0x888e)
+-		eap_ds->request->type.type = PW_EAP_TNC;
+-        DEBUG2("TYPE: EAP-TNC set\n");
+-		rad_assert(reply->length > 0);
+-		
+-		//alloc enough space for whole TNC-Packet (from Code on)
+-		eap_ds->request->type.data = calloc(reply->length, sizeof(unsigned char*));
+-        DEBUG2("Malloc %d bytes for packet\n", reply->length);
+-		if (eap_ds->request->type.data == NULL) {
+-			radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-			return 0;
+-		}
+-		//put pointer at position where data starts (behind Type)
+-		ptr = eap_ds->request->type.data;
+-		//*ptr = (uint8_t)(reply->data_length & 0xFF);
+-
+-		//ptr++;
+-		*ptr = reply->flags_ver;
+-        DEBUG2("Set Flags/Version: %d\n", *ptr);
+-		if(reply->data_length!=0){
+-            DEBUG2("Set data-length: %d\n", reply->data_length);
+-			ptr++; //move to start-position of "data_length"
+-            DEBUG2("Set data-length: %x\n", reply->data_length);
+-            DEBUG2("Set data-length (swapped): %x\n", ByteSwap2(reply->data_length));
+-            unsigned long swappedDataLength = ByteSwap2(reply->data_length);
+-            //DEBUG2("DATA-length: %d", reply->data_
+-            memcpy(ptr, &swappedDataLength, 4);
+-			//*ptr = swappedDataLength;
+-		}
+-		uint16_t thisDataLength=0;
+-		if(reply->data!=NULL){
+-            DEBUG2("Adding TNCCS-Data ");
+-			int offset;
+-			//if data_length-Field present
+-			if(reply->data_length !=0){
+-                DEBUG2("with Fragmentation\n");
+-				offset = TNC_DATA_LENGTH_LENGTH; //length of data_length-field: 4
+-				thisDataLength = reply->length-TNC_PACKET_LENGTH;
+-			}else{ //data_length-Field not present
+-                DEBUG2("without Fragmentation\n");
+-				offset = 1;
+-				thisDataLength = reply->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+-			}
+-            DEBUG2("TNCCS-Datalength: %d\n", thisDataLength);
+-			ptr=ptr+offset; //move to start-position of "data"
+-			memcpy(ptr,reply->data, thisDataLength);
+-		}else{
+-            DEBUG2("No TNCCS-Data present");
+-        }
+-
+-		//the length of the TNC-packet (behind Type)
+-        if(reply->data_length!=0){
+-    		eap_ds->request->type.length = TNC_DATA_LENGTH_LENGTH+TNC_FLAGS_VERSION_LENGTH+thisDataLength; //4:data_length, 1: flags_ver
+-        }else{
+-            eap_ds->request->type.length = TNC_FLAGS_VERSION_LENGTH+thisDataLength; //1: flags_ver
+-        }
+-        DEBUG2("Packet built\n");
+-
+-	} else {
+-		eap_ds->request->type.length = 0;
+-	}
+-	eap_ds->request->code = reply->code;
++	// fill EAP data to handler
++	handler->eap_ds->request->code = code;
++	handler->eap_ds->request->type.type = PW_EAP_TNC;
++	// fill EAP TYPE specific data to handler
++	handler->eap_ds->request->type.length = length;
++	free(handler->eap_ds->request->type.data);
++	handler->eap_ds->request->type.data = request;
+ 
+ 	return 1;
+ }
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.h	2012-12-04 19:38:00.241420966 +0100
+@@ -1,10 +1,10 @@
+ /*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
++ *   This software is Copyright (C) 2006-2009 FH Hannover
+  *
+  *   Portions of this code unrelated to FreeRADIUS are available
+  *   separately under a commercial license.  If you require an
+  *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
++ *   contact trust@f4-i.fh-hannover.de for details.
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -26,105 +26,20 @@
+ #define _EAP_TNC_H
+ 
+ #include "eap.h"
++#include <naaeap/naaeap.h>
+ 
+-#define PW_TNC_REQUEST	1
+-#define PW_TNC_RESPONSE		2
+-#define PW_TNC_SUCCESS		3
+-#define PW_TNC_FAILURE		4
+-#define PW_TNC_MAX_CODES	4
+-
+-#define TNC_HEADER_LEN 		4
+-#define TNC_CHALLENGE_LEN 	16
+-#define TNC_START_LEN 	8
+-
+-#define TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH 6
+-#define TNC_PACKET_LENGTH 10
+-#define TNC_DATA_LENGTH_LENGTH 4
+-#define TNC_FLAGS_VERSION_LENGTH 1
+-
+-typedef unsigned int VlanAccessMode;
+-
+-#define VLAN_ISOLATE 97
+-#define VLAN_ACCESS 2
+-/*
+- ****
+- * EAP - MD5 doesnot specify code, id & length but chap specifies them,
+- *	for generalization purpose, complete header should be sent
+- *	and not just value_size, value and name.
+- *	future implementation.
+- *
+- *	Huh? What does that mean?
+- */
++#define SET_START(x) 		((x) | (0x20))
+ 
+-/*
++/**
++ * Composes the EAP packet.
+  *
+- *  MD5 Packet Format in EAP Type-Data
+- *  --- ------ ------ -- --- ---------
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Value-Size   |  Value ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Name ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- *
+- * EAP-TNC Packet Format in EAP Type-Data
+- * 
+- *  0                   1                   2                   3
+- *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |  Flags  |Ver  | Data Length ...                                   
+- * |L M S R R|=1   |                                               
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- * |...            |  Data ...
+- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+- 
++ * @param handler The EAP_HANDLER from tnc_initiate() or tnc_authenticate
++ * @param request The EAP_TNC packet received from NAA-TNCS
++ * @param length The length of the EAP_TNC packet received from NAA-TNCS
++ * @param code EAP_CODE for the request
+  *
++ * @return True if operation was successful, otherwise false.
+  */
+-
+-/* eap packet structure */
+-typedef struct tnc_packet_t {
+-/*
+-	uint8_t	code;
+-	uint8_t	id;
+-	uint16_t	length;
+-*/
+-	uint8_t	flags_ver;
+-	uint32_t data_length;
+-	uint8_t *data;
+-} tnc_packet_t;
+-
+-typedef struct tnc_packet {
+-	uint8_t		code;
+-	uint8_t		id;
+-	uint16_t	length;
+-	uint8_t	flags_ver;
+-	uint32_t data_length;
+-	uint8_t *data;
+-} TNC_PACKET;
+-
+-#define TNC_START(x) 		(((x) & 0x20) != 0)
+-#define TNC_MORE_FRAGMENTS(x) 	(((x) & 0x40) != 0)
+-#define TNC_LENGTH_INCLUDED(x) 	(((x) & 0x80) != 0)
+-#define TNC_RESERVED_EQ_NULL(x) (((x) & 0x10) == 0 && ((x) & 0x8) == 0)
+-#define TNC_VERSION_EQ_ONE(x) (((x) & 0x07) == 1)
+-
+-#define SET_START(x) 		((x) | (0x20))
+-#define SET_MORE_FRAGMENTS(x) 	((x) | (0x40))
+-#define SET_LENGTH_INCLUDED(x) 	((x) | (0x80))
+-
+-
+-/* function declarations here */
+-
+-TNC_PACKET 	*eaptnc_alloc(void);
+-void 		eaptnc_free(TNC_PACKET **tnc_packet_ptr);
+-
+-int 		eaptnc_compose(EAP_DS *auth, TNC_PACKET *reply);
+-TNC_PACKET 	*eaptnc_extract(EAP_DS *auth);
+-int 		eaptnc_verify(TNC_PACKET *pkt, VALUE_PAIR* pwd, uint8_t *ch);
+-
+-
+-
+-
++int eaptnc_compose(EAP_HANDLER *handler, TNC_BufferReference request, TNC_UInt32 length, uint8_t code);
+ 
+ #endif /*_EAP_TNC_H*/
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/Makefile.in	2012-12-04 19:38:49.277421870 +0100
+@@ -3,8 +3,8 @@
+ #
+ 
+ TARGET      = @targetname@
+-SRCS        = rlm_eap_tnc.c eap_tnc.c tncs_connect.c 
+-HEADERS     = eap_tnc.h tncs.h tncs_connect.h ../../eap.h ../../rlm_eap.h
++SRCS        = rlm_eap_tnc.c eap_tnc.c
++HEADERS     = eap_tnc.h ../../eap.h ../../rlm_eap.h
+ RLM_CFLAGS  = -I../.. -I../../libeap $(OPENSSL_INCLUDE) @eap_tnc_cflags@
+ RLM_LIBS    = @eap_tnc_ldflags@ ../../libeap/$(LIBPREFIX)freeradius-eap.la $(OPENSSL_LIBS)
+ RLM_INSTALL =
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c	2012-12-04 19:38:00.241420966 +0100
+@@ -1,12 +1,12 @@
+ /*
+  * rlm_eap_tnc.c    Handles that are called from eap
+  *
+- *   This software is Copyright (C) 2006,2007 FH Hannover
++ *   This software is Copyright (C) 2006-2009 FH Hannover
+  *
+  *   Portions of this code unrelated to FreeRADIUS are available
+  *   separately under a commercial license.  If you require an
+  *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
++ *   contact trust@f4-i.fh-hannover.de for details.
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -26,96 +26,262 @@
+  *   Copyright (C) 2007 Alan DeKok <aland@deployingradius.com>
+  */
+ 
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
++/*
++ * EAP-TNC Packet with EAP Header, general structure
++ *
++ *  0                   1                   2                   3
++ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Code     |   Identifier  |            Length             |
++ * |               |               |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Type     |  Flags  | Ver |          Data Length          |
++ * |               |L M S R R| =1  |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |          Data Length          |           Data ...
++ * |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ */
+ 
+ #include <freeradius-devel/autoconf.h>
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+ 
+-#include "tncs_connect.h"
+ #include "eap_tnc.h"
+-#include "tncs.h"
++#include <naaeap/naaeap.h>
+ #include <freeradius-devel/rad_assert.h>
++//#include <freeradius-devel/libradius.h>
+ 
+-typedef struct rlm_eap_tnc_t {
+-	char	*vlan_access;
+-	char	*vlan_isolate;
+-	char	*tnc_path;
+-} rlm_eap_tnc_t;
++#include <netinet/in.h>
+ 
+-static int sessionCounter=0;
++/**
++ * Calculates an identifying string based upon nas_port, nas_ip and nas_port_type.
++ * The maximum length of the calculated string is 70 (not including the trailing '\0').
++ *
++ * @return the number of bytes written to out (not including the trailing '\0')
++ */
++static uint32_t calculateConnectionString(RADIUS_PACKET* radius_packet, char *out, size_t outMaxLength)
++{
++	VALUE_PAIR *vp = NULL;
++	uint32_t nas_port = 0;
++	uint32_t nas_ip = 0;
++	uint32_t nas_port_type = 0;
++
++	char out_nas_port[11];
++	char out_nas_ip_byte_0[4];
++	char out_nas_ip_byte_1[4];
++	char out_nas_ip_byte_2[4];
++	char out_nas_ip_byte_3[4];
++	char out_nas_port_type[11];
++
++    // check for NULL
++	if (radius_packet == NULL) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: calculateConnectionString failed. radius_packet == NULL!");
++		return 0;
++	}
++
++	// read NAS port, ip and port type
++	for (vp = radius_packet->vps; vp; vp=vp->next) {
++		switch (vp->attribute) {
++		case PW_NAS_PORT:
++			nas_port = vp->vp_integer;
++			DEBUG("NAS scr port = %u\n", nas_port);
++			break;
++		case PW_NAS_IP_ADDRESS:
++			nas_ip = vp->vp_ipaddr;
++			DEBUG("NAS scr ip = %X\n", ntohl(nas_ip));
++			break;
++		case PW_NAS_PORT_TYPE:
++			nas_port_type = vp->vp_integer;
++			DEBUG("NAS scr port type = %u\n", nas_port_type);
++			break;
++		}
++	}
++
++	snprintf(out_nas_port, 11, "%u", nas_port);
++	snprintf(out_nas_ip_byte_0, 4, "%u", nas_ip & 0xFF);
++	snprintf(out_nas_ip_byte_1, 4, "%u", (nas_ip >> 8) & 0xFF);
++	snprintf(out_nas_ip_byte_2, 4, "%u", (nas_ip >> 16) & 0xFF);
++	snprintf(out_nas_ip_byte_3, 4, "%u", (nas_ip >> 24) & 0xFF);
++	snprintf(out_nas_port_type, 11, "%u", nas_port_type);
++
++	return snprintf(out, outMaxLength, "NAS Port: %s NAS IP: %s.%s.%s.%s NAS_PORT_TYPE: %s", out_nas_port, out_nas_ip_byte_3, out_nas_ip_byte_2, out_nas_ip_byte_1, out_nas_ip_byte_0, out_nas_port_type);
++}
++
++/*
++ * This function is called when the FreeRADIUS attach this module.
++ */
++static int tnc_attach(CONF_SECTION *conf, void **type_data)
++{
++    // initialize NAA-EAP
++	DEBUG2("TNC-ATTACH initializing NAA-EAP");
++	TNC_Result result = initializeDefault();
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_attach error while calling NAA-EAP initializeDefault()");
++		return -1;
++	}
++	return 0;
++}
++
++/*
++ * This function is called when the FreeRADIUS detach this module.
++ */
++static int tnc_detach(void *args)
++{
++    // terminate NAA-EAP
++	DEBUG2("TNC-TERMINATE terminating NAA-EAP");
++	TNC_Result result = terminate();
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_attach error while calling NAA-EAP terminate()");
++		return -1;
++	}
++	return 0;
++}
+ 
+ /*
+- *	Initiate the EAP-MD5 session by sending a challenge to the peer.
+- *  Initiate the EAP-TNC session by sending a EAP Request witch Start Bit set 
+- *  and with no data
++ * This function is called when the first EAP_IDENTITY_RESPONSE message
++ * was received.
++ *
++ * Initiates the EPA_TNC session by sending the first EAP_TNC_RESPONSE
++ * to the peer. The packet has the Start-Bit set and contains no data.
++ *
++ *  0                   1                   2                   3
++ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Code     |   Identifier  |            Length             |
++ * |               |               |                               |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |      Type     |  Flags  | Ver |
++ * |               |0 0 1 0 0|0 0 1|
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ *
++ * For this package, only 'Identifier' has to be set dynamically. Any
++ * other information is static.
+  */
+ static int tnc_initiate(void *type_data, EAP_HANDLER *handler)
+ {
+-	uint8_t flags_ver = 1; //set version to 1
+-	rlm_eap_tnc_t *inst = type_data;
+-	TNC_PACKET *reply;
++	size_t buflen = 71;
++	size_t ret = 0;
++	char buf[buflen];
++	REQUEST * request = NULL;
++	TNC_Result result;
++	TNC_ConnectionID conID;
++	TNC_BufferReference username;
+ 
++	// check if we run inside a secure EAP method.
++	// FIXME check concrete outer EAP method
+ 	if (!handler->request || !handler->request->parent) {
+-		DEBUG("rlm_eap_tnc: EAP-TNC can only be run inside of a TLS-based method.");
++		DEBUG2("rlm_eap_tnc: EAP_TNC must only be used as an inner method within a protected tunneled EAP created by an outer EAP method.");
++		request = handler->request;
+ 		return 0;
++	} else {
++		request = handler->request->parent;
+ 	}
+ 
+-	/*
+-	 *	FIXME: Update this when the TTLS and PEAP methods can
+-	 *	run EAP-TLC *after* the user has been authenticated.
+-	 *	This likely means moving the phase2 handlers to a
+-	 *	common code base.
+-	 */
+-	if (1) {
+-		DEBUG("rlm-eap_tnc: EAP-TNC can only be run after the user has been authenticated.");
++	if (request->packet == NULL) {
++		DEBUG2("rlm_eap_tnc: ERROR request->packet is NULL.");
+ 		return 0;
+ 	}
+ 
+ 	DEBUG("tnc_initiate: %ld", handler->timestamp);
+ 
+-	if(connectToTncs(inst->tnc_path)==-1){
+-		DEBUG("Could not connect to TNCS");
++	//calculate connectionString
++	ret = calculateConnectionString(request->packet, buf, buflen);
++	if(ret == 0){
++		radlog(L_ERR, "rlm_eap_tnc:tnc_attach: calculating connection String failed.");
++		return 0;
+ 	}
+ 
++	DEBUG2("TNC-INITIATE getting connection from NAA-EAP");
++
+ 	/*
+-	 *	Allocate an EAP-MD5 packet.
++	 * get connection
++	 * (uses a function from the NAA-EAP-library)
++	 * the presence of the library is checked via the configure-script
+ 	 */
+-	reply = eaptnc_alloc();
+-	if (reply == NULL)  {
+-		radlog(L_ERR, "rlm_eap_tnc: out of memory");
++	result = getConnection(buf, &conID);
++
++	// check for errors
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_initiate error while calling NAA-EAP getConnection");
+ 		return 0;
+ 	}
+ 
+ 	/*
+-	 *	Fill it with data.
++	 * tries to get the username from FreeRADIUS;
++	 * copied from modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+ 	 */
+-	reply->code = PW_TNC_REQUEST;
+-	flags_ver = SET_START(flags_ver); //set start-flag
+-	DEBUG("$$$$$$$$$$$$$$$$Flags: %d", flags_ver);
+-	reply->flags_ver = flags_ver;
+-	reply->length = 1+1; /* one byte of flags_ver */
++	VALUE_PAIR *usernameValuePair;
++	usernameValuePair = pairfind(request->packet->vps, PW_USER_NAME);
+ 
++	VALUE_PAIR *eapMessageValuePair;
++	if (!usernameValuePair) {
++		eapMessageValuePair = pairfind(request->packet->vps, PW_EAP_MESSAGE);
++
++		if (eapMessageValuePair &&
++			(eapMessageValuePair->length >= EAP_HEADER_LEN + 2) &&
++			(eapMessageValuePair->vp_strvalue[0] == PW_EAP_RESPONSE) &&
++			(eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) &&
++			(eapMessageValuePair->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) {
++
++			/*
++			 *	Create & remember a User-Name
++			 */
++			usernameValuePair = pairmake("User-Name", "", T_OP_EQ);
++			rad_assert(usernameValuePair != NULL);
++
++			memcpy(usernameValuePair->vp_strvalue, eapMessageValuePair->vp_strvalue + 5,
++					eapMessageValuePair->length - 5);
++			usernameValuePair->length = eapMessageValuePair->length - 5;
++			usernameValuePair->vp_strvalue[usernameValuePair->length] = 0;
++		}
++	}
++
++	username = malloc(usernameValuePair->length + 1);
++	memcpy(username, usernameValuePair->vp_strvalue, usernameValuePair->length);
++	username[usernameValuePair->length] = '\0';
++
++	RDEBUG("Username for current TNC connection: %s", username);
++
++	/*
++	 * stores the username of this connection
++	 * (uses a function from the NAA-EAP-library)
++	 * the presence of the library is checked via the configure-script
++	 */
++	result = storeUsername(conID, username, usernameValuePair->length);
++
++	// check for errors
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_initiate error while calling NAA-EAP storeUsername");
++		return 0;
++	}
++
++	// set connection ID in FreeRADIUS
++	handler->opaque = malloc(sizeof(TNC_ConnectionID));
++	memcpy(handler->opaque, &conID, sizeof(TNC_ConnectionID));
++
++	// build first EAP TNC request
++	TNC_BufferReference eap_tnc_request = malloc(sizeof(unsigned char));
++	if (eap_tnc_request == NULL) {
++		radlog(L_ERR, "rlm_eap_tnc:tnc_initiate: malloc failed.");
++		return 0;
++	}
++	*eap_tnc_request = SET_START(1);
++	TNC_UInt32 eap_tnc_length = 1;
++	type_data = type_data; /* suppress -Wunused */
+ 
+ 	/*
+ 	 *	Compose the EAP-TNC packet out of the data structure,
+ 	 *	and free it.
+ 	 */
+-	eaptnc_compose(handler->eap_ds, reply);
+-	eaptnc_free(&reply);
++	eaptnc_compose(handler, eap_tnc_request, eap_tnc_length, PW_EAP_REQUEST);
+ 
+-    //put sessionAttribute to Handler and increase sessionCounter
+-    handler->opaque = calloc(sizeof(TNC_ConnectionID), 1);
+-    if (handler->opaque == NULL)  {
+-	radlog(L_ERR, "rlm_eap_tnc: out of memory");
+-	return 0;
+-    }
+-    handler->free_opaque = free;
+-    memcpy(handler->opaque, &sessionCounter, sizeof(int));
+-    sessionCounter++;
+-    
+ 	/*
+ 	 *	We don't need to authorize the user at this point.
+ 	 *
+@@ -124,246 +290,114 @@
+ 	 *	to us...
+ 	 */
+ 	handler->stage = AUTHENTICATE;
+-    
+-	return 1;
+-}
+ 
+-static void setVlanAttribute(rlm_eap_tnc_t *inst, EAP_HANDLER *handler,
+-			     VlanAccessMode mode){
+-	VALUE_PAIR *vp;
+-    char *vlanNumber = NULL;
+-    switch(mode){
+-        case VLAN_ISOLATE:
+-            vlanNumber = inst->vlan_isolate;
+-	    vp = pairfind(handler->request->config_items,
+-			  PW_TNC_VLAN_ISOLATE);
+-	    if (vp) vlanNumber = vp->vp_strvalue;
+-            break;
+-        case VLAN_ACCESS:
+-            vlanNumber = inst->vlan_access;
+-	    vp = pairfind(handler->request->config_items,
+-			  PW_TNC_VLAN_ACCESS);
+-	    if (vp) vlanNumber = vp->vp_strvalue;
+-            break;
+-
+-    default:
+-	    DEBUG2("  rlm_eap_tnc: Internal error.  Not setting vlan number");
+-	    return;
+-    }
+-    pairadd(&handler->request->reply->vps,
+-	    pairmake("Tunnel-Type", "VLAN", T_OP_SET));
+-    
+-    pairadd(&handler->request->reply->vps,
+-	    pairmake("Tunnel-Medium-Type", "IEEE-802", T_OP_SET));
+-    
+-    pairadd(&handler->request->reply->vps,
+-	    pairmake("Tunnel-Private-Group-ID", vlanNumber, T_OP_SET));
+-    
++	return 1;
+ }
+ 
+-/*
+- *	Authenticate a previously sent challenge.
++/**
++ * This function is called when a EAP_TNC_RESPONSE was received.
++ * It basically forwards the EAP_TNC data to NAA-TNCS and forms
++ * and appropriate EAP_RESPONSE. Furthermore, it sets the VlanID
++ * based on the TNC_ConnectionState determined by NAA-TNCS.
++ *
++ * @param type_arg The configuration data
++ * @param handler The EAP_HANDLER
++ * @return True, if successfully, else false.
+  */
+-static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler)
+-{
+-    TNC_PACKET	*packet;
+-    TNC_PACKET	*reply;
+-    TNC_ConnectionID connId = *((TNC_ConnectionID *) (handler->opaque));
+-    TNC_ConnectionState state;
+-    rlm_eap_tnc_t *inst = type_arg;
+-    int isAcknowledgement = 0;
+-    TNC_UInt32 tnccsMsgLength = 0;
+-    int isLengthIncluded;
+-    int moreFragments;
+-    TNC_UInt32 overallLength;
+-    TNC_BufferReference outMessage;
+-    TNC_UInt32 outMessageLength = 2;
+-    int outIsLengthIncluded=0;
+-    int outMoreFragments=0;
+-    TNC_UInt32 outOverallLength=0;
++static int tnc_authenticate(void *type_arg, EAP_HANDLER *handler) {
+ 
+-    DEBUG2("HANDLER_OPAQUE: %d", (int) *((TNC_ConnectionID *) (handler->opaque)));
+-    DEBUG2("TNC-AUTHENTICATE is starting now for %d..........", (int) connId);
++	rad_assert(handler->request != NULL); // check that request has been sent previously
++	rad_assert(handler->stage == AUTHENTICATE); // check if initiate has been called
+ 
+-	/*
+-	 *	Get the User-Password for this user.
+-	 */
+-    rad_assert(handler->request != NULL);
+-	rad_assert(handler->stage == AUTHENTICATE);
+-    
+-	/*
+-	 *	Extract the EAP-TNC packet.
+-	 */
+-    if (!(packet = eaptnc_extract(handler->eap_ds)))
++	if (handler == NULL) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler == NULL");
+ 		return 0;
++	}
++	if (handler->eap_ds == NULL) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds == NULL");
++		return 0;
++	}
++	if (handler->eap_ds->response == NULL) {
++		radlog(
++				L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->resonse == NULL");
++		return 0;
++	}
++	if (handler->eap_ds->response->type.type != PW_EAP_TNC
++			|| handler->eap_ds->response->type.length < 1
++			|| handler->eap_ds->response->type.data == NULL) {
++		radlog(
++				L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid parameters: handler->eap_ds->response->type.type == %X, ->type.length == %u, ->type.data == %p",
++				handler->eap_ds->response->type.type,
++				handler->eap_ds->response->type.length,
++				handler->eap_ds->response->type.data);
++		return 0;
++	}
+ 
+-	/*
+-	 *	Create a reply, and initialize it.
+-	 */
+-	reply = eaptnc_alloc();
+-	if (!reply) {
+-		eaptnc_free(&packet);
+-		return 0;
+-	}
+-    
+-	reply->id = handler->eap_ds->request->id;
+-	reply->length = 0;
+-    if(packet->data_length==0){
+-        tnccsMsgLength = packet->length-TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH;
+-    }else{
+-        tnccsMsgLength = packet->length-TNC_PACKET_LENGTH;
+-    }
+-    isLengthIncluded = TNC_LENGTH_INCLUDED(packet->flags_ver);
+-    moreFragments = TNC_MORE_FRAGMENTS(packet->flags_ver);
+-    overallLength = packet->data_length;
+-    if(isLengthIncluded == 0 
+-        && moreFragments == 0 
+-        && overallLength == 0 
+-        && tnccsMsgLength == 0
+-        && TNC_START(packet->flags_ver)==0){
+-        
+-        isAcknowledgement = 1;
+-    }
+-    
+-    DEBUG("Data received: (%d)", (int) tnccsMsgLength);
+-/*    int i;
+-    for(i=0;i<tnccsMsgLength;i++){
+-        DEBUG2("%c", (packet->data)[i]);
+-    }
+-    DEBUG2("\n");
+-   */
+-    state = exchangeTNCCSMessages(inst->tnc_path,
+-                                  connId,
+-                                  isAcknowledgement,
+-                                  packet->data, 
+-                                  tnccsMsgLength, 
+-                                  isLengthIncluded, 
+-                                  moreFragments, 
+-                                  overallLength, 
+-                                  &outMessage, 
+-                                  &outMessageLength,
+-                                  &outIsLengthIncluded,
+-                                  &outMoreFragments,
+-                                  &outOverallLength);
+-    DEBUG("GOT State %08x from TNCS", (unsigned int) state);
+-    if(state == TNC_CONNECTION_EAP_ACKNOWLEDGEMENT){ //send back acknoledgement
+-        reply->code = PW_TNC_REQUEST;
+-        reply->data = NULL;
+-        reply->data_length = 0;
+-        reply->flags_ver = 1;
+-        reply->length =TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH; 
+-    }else{ //send back normal message
+-        DEBUG("GOT Message from TNCS (length: %d)", (int) outMessageLength);
+-        
+- /*       for(i=0;i<outMessageLength;i++){
+-            DEBUG2("%c", outMessage[i]);
+-        }
+-        DEBUG2("\n");
+- */
+-        DEBUG("outIsLengthIncluded: %d, outMoreFragments: %d, outOverallLength: %d", 
+-                outIsLengthIncluded, outMoreFragments, (int) outOverallLength);
+-        DEBUG("NEW STATE: %08x", (unsigned int) state);
+-        switch(state){
+-            case TNC_CONNECTION_STATE_HANDSHAKE:
+-                reply->code = PW_TNC_REQUEST;
+-                DEBUG2("Set Reply->Code to EAP-REQUEST\n");
+-                break;
+-            case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+-                reply->code = PW_TNC_SUCCESS;
+-                setVlanAttribute(inst, handler,VLAN_ACCESS);
+-                break;
+-            case TNC_CONNECTION_STATE_ACCESS_NONE:
+-                reply->code = PW_TNC_FAILURE;
+-                //setVlanAttribute(inst, handler, VLAN_ISOLATE);
+-                break;
+-            case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+-                reply->code = PW_TNC_SUCCESS;
+-                setVlanAttribute(inst, handler, VLAN_ISOLATE);
+-                break;
+-            default:
+-                reply->code= PW_TNC_FAILURE;
+-                
+-        }
+-        if(outMessage!=NULL && outMessageLength!=0){
+-            reply->data = outMessage;
+-        }
+-        reply->flags_ver = 1;
+-        if(outIsLengthIncluded){
+-            reply->flags_ver = SET_LENGTH_INCLUDED(reply->flags_ver);
+-            reply->data_length = outOverallLength;
+-            reply->length = TNC_PACKET_LENGTH + outMessageLength;
+-            DEBUG("SET LENGTH: %d", reply->length);
+-            DEBUG("SET DATALENGTH: %d", (int) outOverallLength);
+-        }else{
+-            reply->data_length = 0;
+-            reply->length = TNC_PACKET_LENGTH_WITHOUT_DATA_LENGTH + outMessageLength;        
+-            DEBUG("SET LENGTH: %d", reply->length);
+-        }
+-        if(outMoreFragments){
+-            reply->flags_ver = SET_MORE_FRAGMENTS(reply->flags_ver);
+-        }
+-    }
+-    
+-	/*
+-	 *	Compose the EAP-MD5 packet out of the data structure,
+-	 *	and free it.
+-	 */
+-	eaptnc_compose(handler->eap_ds, reply);
+-    	eaptnc_free(&reply);
+-
+-    handler->stage = AUTHENTICATE;
+-    
+-	eaptnc_free(&packet);
+-	return 1;
+-}
+-
+-/*
+- *	Detach the EAP-TNC module.
+- */
+-static int tnc_detach(void *arg)
+-{
+-	free(arg);
+-	return 0;
+-}
+-
+-
+-static CONF_PARSER module_config[] = {
+-	{ "vlan_access", PW_TYPE_STRING_PTR,
+-	  offsetof(rlm_eap_tnc_t, vlan_access), NULL, NULL },
+-	{ "vlan_isolate", PW_TYPE_STRING_PTR,
+-	  offsetof(rlm_eap_tnc_t, vlan_isolate), NULL, NULL },
+-	{ "tnc_path", PW_TYPE_STRING_PTR,
+-	  offsetof(rlm_eap_tnc_t, tnc_path), NULL,
+-	"/usr/local/lib/libTNCS.so"},
++	// get connection ID
++	TNC_ConnectionID conID = *((TNC_ConnectionID *) (handler->opaque));
+ 
+- 	{ NULL, -1, 0, NULL, NULL }           /* end the list */
+-};
++	DEBUG2("TNC-AUTHENTICATE is starting now for connection ID %lX !", conID);
+ 
+-/*
+- *	Attach the EAP-TNC module.
+- */
+-static int tnc_attach(CONF_SECTION *cs, void **instance)
+-{
+-	rlm_eap_tnc_t *inst;
++	// pass EAP_TNC data to NAA-EAP and get answer data
++	TNC_BufferReference output = NULL;
++	TNC_UInt32 outputLength = 0;
++	TNC_ConnectionState connectionState = TNC_CONNECTION_STATE_CREATE;
+ 
+-	inst = malloc(sizeof(*inst));
+-	if (!inst) return -1;
+-	memset(inst, 0, sizeof(*inst));
++	/*
++	 * forwards the eap_tnc data to NAA-EAP and gets the response
++	 * (uses a function from the NAA-EAP-library)
++	 * the presence of the library is checked via the configure-script
++	 */
++	TNC_Result result = processEAPTNCData(conID, handler->eap_ds->response->type.data,
++			handler->eap_ds->response->type.length, &output, &outputLength,
++			&connectionState);
++
++	// check for errors
++	if (result != TNC_RESULT_SUCCESS) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate error while calling NAA-EAP processEAPTNCData");
++		return 0;
++	}
+ 
+-	if (cf_section_parse(cs, inst, module_config) < 0) {
+-		tnc_detach(inst);
+-		return -1;
++	// output contains now the answer from NAA-EAP
++	uint8_t eapCode = 0;
++	// determine eapCode for request
++	switch (connectionState) {
++	case TNC_CONNECTION_STATE_HANDSHAKE:
++		eapCode = PW_EAP_REQUEST;
++		break;
++	case TNC_CONNECTION_STATE_ACCESS_NONE:
++		eapCode = PW_EAP_FAILURE;
++		break;
++	case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
++		eapCode = PW_EAP_SUCCESS;
++		pairadd(&handler->request->config_items, pairmake("TNC-Status", "Access", T_OP_SET));
++		break;
++	case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
++		eapCode = PW_EAP_SUCCESS;
++		pairadd(&handler->request->config_items, pairmake("TNC-Status", "Isolate", T_OP_SET));
++		break;
++	default:
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate invalid TNC_CONNECTION_STATE.");
++		return 0;
+ 	}
+ 
+-	
+-	if (!inst->vlan_access || !inst->vlan_isolate) {
+-		radlog(L_ERR, "rlm_eap_tnc: Must set both vlan_access and vlan_isolate");
+-		tnc_detach(inst);
+-		return -1;
++	// form EAP_REQUEST
++	if (!eaptnc_compose(handler, output, outputLength, eapCode)) {
++		radlog(L_ERR,
++				"rlm_eap_tnc: tnc_authenticate error while forming EAP_REQUEST.");
++		return 0;
+ 	}
+ 
+-	*instance = inst;
+-	return 0;
++	// FIXME: Why is that needed?
++	handler->stage = AUTHENTICATE;
++
++	return 1;
+ }
+ 
+ /*
+@@ -371,10 +405,10 @@
+  *	That is, everything else should be 'static'.
+  */
+ EAP_TYPE rlm_eap_tnc = {
+-	"eap_tnc",
+-	tnc_attach,			/* attach */
+-	tnc_initiate,			/* Start the initial request */
+-	NULL,				/* authorization */
+-	tnc_authenticate,		/* authentication */
+-	tnc_detach		      	/* detach */
++		"eap_tnc",
++		tnc_attach, /* attach */
++		tnc_initiate, /* Start the initial request */
++		NULL, /* authorization */
++		tnc_authenticate, /* authentication */
++		tnc_detach /* detach */
+ };
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.c	1970-01-01 01:00:00.000000000 +0100
+@@ -1,146 +0,0 @@
+-/*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- *   Portions of this code unrelated to FreeRADIUS are available
+- *   separately under a commercial license.  If you require an
+- *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
+- *
+- *   This program is free software; you can redistribute it and/or modify
+- *   it under the terms of the GNU General Public License as published by
+- *   the Free Software Foundation; either version 2 of the License, or
+- *   (at your option) any later version.
+- *
+- *   This program is distributed in the hope that it will be useful,
+- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+- *   GNU General Public License for more details.
+- *
+- *   You should have received a copy of the GNU General Public License
+- *   along with this program; if not, write to the Free Software
+- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-#include <freeradius-devel/ident.h>
+-RCSID("$Id$")
+-
+-#include "tncs_connect.h"
+-#include <ltdl.h>
+-#include <stdlib.h>
+-#include <stdio.h>
+-#include <eap.h>
+-
+-     /*
+-      *	FIXME: This linking should really be done at compile time.
+-      */
+-static lt_dlhandle handle = NULL;
+-
+-static ExchangeTNCCSMessagePointer callTNCS = NULL;
+-
+-/*
+- * returns the function-pointer to a function of a shared-object
+- * 
+- * soHandle: handle to a shared-object
+- * name: name of the requested function
+- * 
+- * return: the procAddress if found, else NULL
+- */
+-static void *getProcAddress(lt_dlhandle soHandle, const char *name){
+-	void *proc = lt_dlsym(soHandle, name);
+-	DEBUG("Searching for function %s", name);
+-	if(proc == NULL){
+-		DEBUG("rlm_eap_tnc: Failed to resolve symbol %s: %s",
+-		      name, lt_dlerror());
+-	}
+-	return proc;
+-}
+-
+-
+-/*
+- * establishs the connection to the TNCCS without calling functionality.
+- * That means that the TNCS-shared-object is loaded and the function-pointer
+- * to "exchangeTNCCSMessages" is explored.
+- * 
+- * return: -1 if connect failed, 0 if connect was successful
+- */
+-int connectToTncs(char *pathToSO){
+-	int state = -1;
+-	if(handle==NULL){
+-		handle = lt_dlopen(pathToSO);
+-		DEBUG("OPENED HANDLE!");
+-	}
+-	
+-	if(handle==NULL){
+-		DEBUG("HANDLE IS NULL");
+-        DEBUG("rlm_eap_tnc: Failed to link to library %s: %s",
+-	      pathToSO, lt_dlerror());
+-	}else{
+-		DEBUG("SO %s found!", pathToSO);
+-		if(callTNCS==NULL){
+-			callTNCS = (ExchangeTNCCSMessagePointer) getProcAddress(handle, "exchangeTNCCSMessages");
+-		}
+-		if(callTNCS!=NULL){
+-			DEBUG("TNCS is connected");
+-			state = 0;
+-//			int ret = callTNCS2(2, "Bla", NULL);
+-	//		DEBUG("GOT %d from exchangeTNCCSMessages", ret);
+-		}else{
+-			DEBUG("Could not find exchangeTNCCSMessages");
+-		}
+-
+-	}
+-	return state;	
+-}
+-
+-/*
+- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
+- * -pathToSO: Path to TNCCS-Shared Object 
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation)
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- * 
+- * return: state of connection as result of the exchange
+- */
+-TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
+-                                          /*in*/ TNC_ConnectionID connId, 
+-                                          /*in*/ int isAcknoledgement,
+-					  /*in*/ TNC_BufferReference input, 
+-                                          /*in*/ TNC_UInt32 inputLength,
+-                                          /*in*/ int isFirst, 
+-                                          /*in*/ int moreFragments,
+-                                          /*in*/ TNC_UInt32 overallLength,
+-					  /*out*/ TNC_BufferReference *output,
+-                                          /*out*/ TNC_UInt32 *outputLength,
+-                                          /*out*/ int *answerIsFirst,
+-                                          /*out*/ int *moreFragmentsFollow,
+-                                          /*out*/ TNC_UInt32 *overallLengthOut){
+-	TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
+-	int connectStatus = connectToTncs(pathToSO);
+-    if(connectStatus!=-1){
+-		state = callTNCS(connId,
+-                            isAcknoledgement,
+-                            input,
+-                            inputLength, 
+-                            isFirst, 
+-                            moreFragments, 
+-                            overallLength, 
+-                            output, 
+-                            outputLength, 
+-                            answerIsFirst, 
+-                            moreFragmentsFollow, 
+-                            overallLengthOut);
+-        DEBUG("GOT TNC_ConnectionState (juhuuu): %u", (unsigned int) state);
+-	}else{
+-		DEBUG("CAN NOT CONNECT TO TNCS");
+-	}
+-	return state;
+-}
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs_connect.h	1970-01-01 01:00:00.000000000 +0100
+@@ -1,70 +0,0 @@
+-/*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- *   Portions of this code unrelated to FreeRADIUS are available
+- *   separately under a commercial license.  If you require an
+- *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
+- *
+- *   This program is free software; you can redistribute it and/or modify
+- *   it under the terms of the GNU General Public License as published by
+- *   the Free Software Foundation; either version 2 of the License, or
+- *   (at your option) any later version.
+- *
+- *   This program is distributed in the hope that it will be useful,
+- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+- *   GNU General Public License for more details.
+- *
+- *   You should have received a copy of the GNU General Public License
+- *   along with this program; if not, write to the Free Software
+- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-
+-#ifndef _TNCS_CONNECT_H_
+-#define _TNCS_CONNECT_H_
+-
+-#include "tncs.h"
+-
+-/*
+- * establishs the connection to the TNCCS without calling functionality.
+- * That means that the TNCS-shared-object is loaded and the function-pointer
+- * to "exchangeTNCCSMessages" is explored.
+- * 
+- * return: -1 if connect failed, 0 if connect was successful
+- */
+-int connectToTncs(char *pathToSO);
+-/*
+- * Accesspoint to the TNCS for sending and receiving TNCCS-Messages.
+- * -pathToSO: Path to TNCCS-Shared Object
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation) 
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- * 
+- * return: state of connection as result of the exchange
+- */
+-TNC_ConnectionState exchangeTNCCSMessages(/*in*/ char *pathToSO,
+-                                          /*in*/ TNC_ConnectionID connId, 
+-                                          /*in*/ int isAcknoledgement, 
+-                                          /*in*/ TNC_BufferReference input, 
+-                                          /*in*/ TNC_UInt32 inputLength,
+-                                          /*in*/ int isFirst,
+-                                          /*in*/ int moreFragments,
+-                                          /*in*/ TNC_UInt32 overallLength,
+-                                          /*out*/ TNC_BufferReference *output,
+-                                          /*out*/ TNC_UInt32 *outputLength,
+-                                          /*out*/ int *answerIsFirst,
+-                                          /*out*/ int *moreFragmentsFollow,
+-                                          /*out*/ TNC_UInt32 *overallLengthOut);
+-
+-#endif //_TNCS_CONNECT_H_
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_tnc/tncs.h	1970-01-01 01:00:00.000000000 +0100
+@@ -1,86 +0,0 @@
+-/*
+- *   This software is Copyright (C) 2006,2007 FH Hannover
+- *
+- *   Portions of this code unrelated to FreeRADIUS are available
+- *   separately under a commercial license.  If you require an
+- *   implementation of EAP-TNC that is not under the GPLv2, please
+- *   contact tnc@inform.fh-hannover.de for details.
+- *
+- *   This program is free software; you can redistribute it and/or modify
+- *   it under the terms of the GNU General Public License as published by
+- *   the Free Software Foundation; either version 2 of the License, or
+- *   (at your option) any later version.
+- *
+- *   This program is distributed in the hope that it will be useful,
+- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+- *   GNU General Public License for more details.
+- *
+- *   You should have received a copy of the GNU General Public License
+- *   along with this program; if not, write to the Free Software
+- *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+- *
+- */
+-
+-#ifndef _TNCS_H_
+-#define _TNCS_H_
+-
+-
+-
+-#ifdef __cplusplus
+-extern "C" {
+-#endif 
+-
+-/*
+- * copied from tncimv.h:
+- */
+-typedef unsigned long TNC_UInt32;
+-typedef TNC_UInt32 TNC_ConnectionState;
+-typedef unsigned char *TNC_BufferReference;
+-typedef TNC_UInt32 TNC_ConnectionID;
+-
+-#define TNC_CONNECTION_STATE_CREATE 0
+-#define TNC_CONNECTION_STATE_HANDSHAKE 1
+-#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2
+-#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3
+-#define TNC_CONNECTION_STATE_ACCESS_NONE 4
+-#define TNC_CONNECTION_STATE_DELETE 5
+-#define TNC_CONNECTION_EAP_ACKNOWLEDGEMENT 6
+-
+-/*
+- * Accesspoint (as function-pointer) to the TNCS for sending and receiving 
+- * TNCCS-Messages.
+- * 
+- * -connId: identifies the client which the passed message belongs to.
+- * -isAcknoledgement: 1 if acknoledgement received (then all following in-parameters unimportant
+- * -input: input-TNCCS-message received from the client with connId
+- * -inputLength: length of input-TNCCS-message
+- * -isFirst: 1 if first message in fragmentation else 0
+- * -moreFragments: are there more Fragments to come (yes: 1, no: 0)?
+- * -overallLength: length of all fragments together (only set if fragmentation) 
+- * -output: answer-TNCCS-message from the TNCS to the client
+- * -outputLength: length of answer-TNCCS-message
+- * -answerIsFirst: returned answer is first in row
+- * -moreFragmentsFollow: more fragments after this answer
+- * -overallLengthOut: length of all fragments together (only set if fragmentation) as answer
+- * 
+- * return: state of connection as result of the exchange
+- */
+-typedef TNC_ConnectionState (*ExchangeTNCCSMessagePointer)(/*in*/ TNC_ConnectionID connId, 
+-                                          /*in*/ int isAcknoledgement, 
+-                                          /*in*/ TNC_BufferReference input, 
+-                                          /*in*/ TNC_UInt32 inputLength,
+-                                          /*in*/ int isFirst,
+-                                          /*in*/ int moreFragments,
+-                                          /*in*/ TNC_UInt32 overallLength,
+-                                          /*out*/ TNC_BufferReference *output,
+-                                          /*out*/ TNC_UInt32 *outputLength,
+-                                          /*out*/ int *answerIsFirst,
+-                                          /*out*/ int *moreFragmentsFollow,
+-                                          /*out*/ TNC_UInt32 *overallLengthOut
+-);
+-
+-#ifdef __cplusplus
+-}
+-#endif
+-#endif //_TNCS_H_
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h	2012-12-04 19:39:54.749423138 +0100
+@@ -37,6 +37,10 @@
+ 	int		copy_request_to_tunnel;
+ 	int		use_tunneled_reply;
+ 	const char	*virtual_server;
++	const char	*tnc_virtual_server;	// virtual server for EAP-TNC as the second inner method
++	VALUE_PAIR	*auth_reply;		// cache storage of the last reply of the first inner method
++	int		auth_code;		// cache storage of the reply-code of the first inner method
++	int		doing_tnc;		// status if we're doing EAP-TNC
+ } ttls_tunnel_t;
+ 
+ /*
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c	2012-12-04 19:39:54.749423138 +0100
+@@ -62,6 +62,11 @@
+ 	 *	Virtual server for inner tunnel session.
+ 	 */
+ 	char	*virtual_server;
++
++	/*
++	 *	Virtual server for the second inner tunnel method, which is EAP-TNC.
++	 */
++	char	*tnc_virtual_server;
+ } rlm_eap_ttls_t;
+ 
+ 
+@@ -78,6 +83,9 @@
+ 	{ "virtual_server", PW_TYPE_STRING_PTR,
+ 	  offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
+ 
++	{ "tnc_virtual_server", PW_TYPE_STRING_PTR,
++	  offsetof(rlm_eap_ttls_t, tnc_virtual_server), NULL, NULL },
++
+ 	{ "include_length", PW_TYPE_BOOLEAN,
+ 	  offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
+ 
+@@ -171,6 +179,10 @@
+ 	t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
+ 	t->use_tunneled_reply = inst->use_tunneled_reply;
+ 	t->virtual_server = inst->virtual_server;
++	t->tnc_virtual_server = inst->tnc_virtual_server;	// virtual server for EAP-TNC as the second inner method
++	t->auth_reply = NULL;								// cache storage of the last reply of the first inner method
++	t->auth_code = -1;									// cache storage of the reply-code of the first inner method
++	t->doing_tnc = 0;									// status if we're doing EAP-TNC (on start we're doing NOT)
+ 	return t;
+ }
+ 
+diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c	2012-09-10 13:51:34.000000000 +0200
++++ freeradius-server-2.2.0/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c	2012-12-04 19:39:54.749423138 +0100
+@@ -585,6 +585,94 @@
+ }
+ 
+ /*
++ *	Start EAP-TNC as a second inner method.
++ *	Creates a new fake-request out of the original incoming request (via EAP_HANDLER).
++ *	If it's the first time, we create a EAP-START-packet and send
++ *	EAP-START :=	code = PW_EAP_REQUEST
++ *
++ */
++static REQUEST* start_tnc(EAP_HANDLER *handler, ttls_tunnel_t *t) {
++	REQUEST* request = handler->request;
++	RDEBUG2("EAP-TNC as second inner authentication method starts now");
++
++	/*
++	 *	Allocate a fake REQUEST struct,
++	 *	to make a new request, based on the original request.
++	 */
++	REQUEST* fake = request_alloc_fake(request);
++
++	/*
++	 * Set the virtual server to that of EAP-TNC.
++	 */
++	fake->server = t->tnc_virtual_server;
++
++	/*
++	 * Build a new EAP-Message.
++	 */
++	VALUE_PAIR *eap_msg;
++	eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS);
++
++	/*
++	 * Set the EAP-Message to look like EAP-Start
++	 */
++	eap_msg->vp_octets[0] = PW_EAP_RESPONSE;
++	eap_msg->vp_octets[1] = 0x00;
++
++	/*
++	 * Only setting EAP-TNC here,
++	 * because it is intended to do user-authentication in the first inner method,
++	 * and then a hardware-authentication (like EAP-TNC) as the second method.
++	 */
++	eap_msg->vp_octets[4] = PW_EAP_TNC;
++
++	eap_msg->length = 0;
++
++	/*
++	 * Add the EAP-Message to the request.
++	 */
++	pairadd(&(fake->packet->vps), eap_msg);
++
++	/*
++	 * Process the new request by the virtual server configured for
++	 * EAP-TNC.
++	 */
++	rad_authenticate(fake);
++
++	/*
++	 * From now on we're doing EAP-TNC as the second inner authentication method.
++	 */
++	t->doing_tnc = TRUE;
++
++	return fake;
++}
++
++/*
++ * 	Stop EAP-TNC as a second inner method.
++ *	Copy the value pairs from the cached Access-Accept of the first inner method
++ *	to the Access-Accept/Reject package of EAP-TNC.
++ */
++static REQUEST* stop_tnc(REQUEST *request, ttls_tunnel_t *t) {
++	RDEBUG2("EAP-TNC as second inner authentication method stops now");
++
++	/*
++	 * Copy the value-pairs of the origina Access-Accept of the first
++	 * inner authentication method to the Access-Accept/Reject of the
++	 * second inner authentication method (EAP-TNC).
++	 */
++	if (request->reply->code == PW_AUTHENTICATION_ACK) {
++		pairadd(&(request->reply->vps), t->auth_reply);
++	} else if (request->reply->code == PW_AUTHENTICATION_REJECT) {
++		pairadd(&(request->reply->vps), t->auth_reply);
++	}
++
++	pairdelete(&(request->reply->vps), PW_MESSAGE_AUTHENTICATOR);
++	pairdelete(&(request->reply->vps), PW_PROXY_STATE);
++	pairdelete(&(request->reply->vps), PW_USER_NAME);
++
++	return request;
++}
++
++/*
+  *	Use a reply packet to determine what to do.
+  */
+ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
+@@ -1135,6 +1223,16 @@
+ 
+ 	} /* else fake->server == request->server */
+ 
++	/*
++	 * If we're doing EAP-TNC as a second method,
++	 * then set the server to that one.
++	 * Then, rad_authenticate will run EAP-TNC,
++	 * so that afterwards we have to look for the state of
++	 * EAP-TNC.
++	 */
++	if (t->doing_tnc) {
++		fake->server = t->tnc_virtual_server;
++	}
+ 
+ 	if ((debug_flag > 0) && fr_log_fp) {
+ 		RDEBUG("Sending tunneled request");
+@@ -1248,6 +1346,53 @@
+ 
+ 	default:
+ 		/*
++		 * If the result of the first method was an acknowledgment OR
++		 * if were already running EAP-TNC,
++		 * we're doing additional things before processing the reply.
++		 * Also the configuration for EAP-TTLS has to contain a virtual server
++		 * for EAP-TNC as the second method.
++		 */
++		if (t->tnc_virtual_server) {
++			/*
++			 * If the reply code of the first inner method is PW_AUTHENTICATION_ACK
++			 * which means that the method was successful,
++			 * and we're not doing EAP-TNC as the second method,
++			 * then we want to intercept the Access-Accept and start EAP-TNC as the second inner method.
++			 */
++			if (fake->reply->code == PW_AUTHENTICATION_ACK
++				 && t->doing_tnc == FALSE) {
++				RDEBUG2("Reply-Code of the first inner method was: %d (PW_AUTHENTICATION_ACK)", fake->reply->code);
++
++				/*
++				 * Save reply-value pairs and reply-code of the first method.
++				 */
++				t->auth_reply = fake->reply->vps;
++				fake->reply->vps = NULL;
++				t->auth_code = fake->reply->code;
++
++				/*
++				 * Create the start package for EAP-TNC.
++				 */
++				fake = start_tnc(handler, t);
++
++				/*
++				 * If we're doing EAP-TNC as the second inner method,
++				 * and the reply->code was PW_AUTHENTICATION_ACK or PW_AUTHENTICATION_REJECT,
++				 * then we stop EAP-TNC and create an combined Access-Accept or Access-Reject.
++				 */
++			} else if (t->doing_tnc == TRUE
++					&& (fake->reply->code == PW_AUTHENTICATION_ACK || fake->reply->code == PW_AUTHENTICATION_REJECT)) {
++
++				/*
++				 * Create the combined Access-Accept or -Reject.
++				 */
++				RDEBUG2("Reply-Code of EAP-TNC as the second inner method was: %d (%s)", fake->reply->code,
++						fake->reply->code == PW_AUTHENTICATION_ACK ? "PW_AUTHENTICATION_ACK" : "PW_AUTHENTICATION_REJECT");
++				fake = stop_tnc(fake, t);
++			}
++		}
++
++		/*
+ 		 *	Returns RLM_MODULE_FOO, and we want to return
+ 		 *	PW_FOO
+ 		 */
diff --git a/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
new file mode 100644
index 000000000..2e00e5b44
--- /dev/null
+++ b/testing/scripts/recipes/patches/wpa_supplicant-eap-tnc
@@ -0,0 +1,47 @@
+diff -urN wpa_supplicant-2.0.ori/src/eap_peer/tncc.c wpa_supplicant-2.0/src/eap_peer/tncc.c
+--- wpa_supplicant-2.0.ori/src/eap_peer/tncc.c	2013-01-12 16:42:53.000000000 +0100
++++ wpa_supplicant-2.0/src/eap_peer/tncc.c	2013-03-23 13:10:22.151059154 +0100
+@@ -465,7 +465,7 @@
+ 		return -1;
+ 	}
+ #else /* CONFIG_NATIVE_WINDOWS */
+-	imc->dlhandle = dlopen(imc->path, RTLD_LAZY);
++	imc->dlhandle = dlopen(imc->path, RTLD_LAZY | RTLD_GLOBAL);
+ 	if (imc->dlhandle == NULL) {
+ 		wpa_printf(MSG_ERROR, "TNC: Failed to open IMC '%s' (%s): %s",
+ 			   imc->name, imc->path, dlerror());
+diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/defconfig wpa_supplicant-2.0/wpa_supplicant/defconfig
+--- wpa_supplicant-2.0.ori/wpa_supplicant/defconfig	2013-01-12 16:42:53.000000000 +0100
++++ wpa_supplicant-2.0/wpa_supplicant/defconfig	2013-03-23 13:06:08.759052370 +0100
+@@ -86,7 +86,7 @@
+ CONFIG_DRIVER_WEXT=y
+ 
+ # Driver interface for Linux drivers using the nl80211 kernel interface
+-CONFIG_DRIVER_NL80211=y
++#CONFIG_DRIVER_NL80211=y
+ 
+ # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+ #CONFIG_DRIVER_BSD=y
+@@ -193,7 +193,7 @@
+ #CONFIG_EAP_GPSK_SHA256=y
+ 
+ # EAP-TNC and related Trusted Network Connect support (experimental)
+-#CONFIG_EAP_TNC=y
++CONFIG_EAP_TNC=y
+ 
+ # Wi-Fi Protected Setup (WPS)
+ #CONFIG_WPS=y
+diff -urN wpa_supplicant-2.0.ori/wpa_supplicant/Makefile wpa_supplicant-2.0/wpa_supplicant/Makefile
+--- wpa_supplicant-2.0.ori/wpa_supplicant/Makefile	2013-01-12 16:42:53.000000000 +0100
++++ wpa_supplicant-2.0/wpa_supplicant/Makefile	2013-03-23 13:06:08.759052370 +0100
+@@ -6,8 +6,8 @@
+ CFLAGS = -MMD -O2 -Wall -g
+ endif
+ 
+-export LIBDIR ?= /usr/local/lib/
+-export BINDIR ?= /usr/local/sbin/
++export LIBDIR ?= /usr/lib/
++export BINDIR ?= /usr/sbin/
+ PKG_CONFIG ?= pkg-config
+ 
+ CFLAGS += -I../src
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index 64cc0262e..173baf820 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -14,32 +14,21 @@
 # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # for more details.
 
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-##########################################################################
-# load-testconfig requires a testname as an argument
-#
+DIR=$(dirname `readlink -f $0`)
+. $DIR/../testing.conf
+. $DIR/function.sh
+SSHCONF="-F $DIR/../ssh_config"
 
 testname=$1
 
-HOSTCONFIGDIR=$BUILDDIR/hosts
+HOSTCONFIGDIR=$DIR/../hosts
 TESTSDIR=$BUILDDIR/tests
 
 [ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found"
 [ -d $TESTSDIR/$testname ] || die "Test '$testname' not found"
 [ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing"
 
-source $TESTSDIR/$testname/test.conf
-
-##########################################################################
-# copy default host config back if necessary
-#
+. $TESTSDIR/$testname/test.conf
 
 if [ -d $TESTSDIR/${testname}/hosts ]
 then
@@ -47,5 +36,6 @@ then
     do
 	eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
 	scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
+	scp $SSHCONF -r $HOSTCONFIGDIR/default/etc $HOSTLOGIN:/ > /dev/null 2>&1
     done
 fi
diff --git a/testing/scripts/shutdown-umls b/testing/scripts/shutdown-umls
deleted file mode 100755
index e71e46602..000000000
--- a/testing/scripts/shutdown-umls
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Install strongSwan from mounted strongswan-shared tree
-#
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-cecho "shutting down"
-cecho-n "  "
-
-for host in $STRONGSWANHOSTS
-do
-    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    cecho-n "$host... "
-    ssh $HOSTLOGIN 'shutdown now -h' > /dev/null
-done
-
-cecho
diff --git a/testing/scripts/start-bridges b/testing/scripts/start-bridges
deleted file mode 100755
index 1e09d6e7d..000000000
--- a/testing/scripts/start-bridges
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/bash
-# start the UML bridges in the kernel using the brctl command
-#
-# Copyright (C) 2009  Andreas Steffen
-# HSR Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-# create umlbr1 and its taps 
-#
-if [ `brctl show | grep umlbr1 | wc -l` -eq 1 ]
-then
-	cecho " * Great, umlbr1 is already running!"
-else
-	cecho-n " * Starting umlbr1 with taps.."
-	umlbr_add     1 10.1.0.254 255.255.0.0
-	umlbr_add_tap 1 alice
-	umlbr_add_tap 1 venus
-	umlbr_add_tap 1 moon
-	cgecho "done"
-fi
-
-# create umlbr0 and its taps
-#
-if [ `brctl show | grep umlbr0 | wc -l` -eq 1 ]
-then
-	cecho " * Great, umlbr0 is already running!"
-else
-	cecho-n " * Starting umlbr0 with taps.."
-	umlbr_add     0 192.168.0.254 255.255.255.0
-	umlbr_add_tap 0 alice
-	umlbr_add_tap 0 moon
-	umlbr_add_tap 0 carol
-	umlbr_add_tap 0 winnetou
-	umlbr_add_tap 0 dave
-	umlbr_add_tap 0 sun
-	cgecho "done"
-fi
-
-# create umlbr2 and its taps
-#
-if [ `brctl show | grep umlbr2 | wc -l` -eq 1 ]
-then
-	cecho " * Great, umlbr2 is already running!"
-else
-	cecho-n " * Starting umlbr2 with taps.."
-	umlbr_add     2 10.2.0.254 255.255.0.0
-	umlbr_add_tap 2 sun
-	umlbr_add_tap 2 bob
-	cgecho "done"
-fi
-
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
deleted file mode 100755
index 878494370..000000000
--- a/testing/scripts/start-umls
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/bin/bash
-# starts the UML instances with a hidden screen
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-    
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval screen -dmS ${host} "$UMLKERNEL \
-	    umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1"
-        cgecho "done"
-    fi
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/scripts/stop-bridges b/testing/scripts/stop-bridges
deleted file mode 100755
index eb92bd0eb..000000000
--- a/testing/scripts/stop-bridges
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-# stop the UML bridges in the kernel using the brctl command
-#
-# Copyright (C) 2009  Andreas Steffen
-# HSR Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-# stop umlbr1 and its taps 
-#
-cecho-n " * Stopping umlbr1 with taps.."
-umlbr_del_tap 1 alice
-umlbr_del_tap 1 venus
-umlbr_del_tap 1 moon
-umlbr_del     1
-cgecho "done"
-
-# stop umlbr0 and its taps
-#
-cecho-n " * Stopping umlbr0 with taps.."
-umlbr_del_tap 0 alice
-umlbr_del_tap 0 moon
-umlbr_del_tap 0 carol
-umlbr_del_tap 0 winnetou
-umlbr_del_tap 0 dave
-umlbr_del_tap 0 sun
-umlbr_del     0
-cgecho "done"
-
-# stop umlbr2 and its taps
-#
-cecho-n " * Stopping umlbr2 with taps.."
-umlbr_del_tap 2 sun
-umlbr_del_tap 2 bob
-umlbr_del     2
-cgecho "done"
-
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
deleted file mode 100755
index ed2662b6c..000000000
--- a/testing/scripts/xstart-umls
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash
-# starts the UML instances in an xterm (requires X11R6)
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/function.sh
-
-[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
-
-source $DIR/../testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-BOOTING_HOSTS=""
-count_max=12
-count=0
-
-#position of xterm window on the desktop
-x0=8
-y0=8
-dx=12
-dy=24
-
-for host in $HOSTS
-do
-    up=0
-
-    if [ -d ~/.uml/${host} ]
-    then
-	pid=`cat ~/.uml/${host}/pid`
-	up=`ps up $pid | wc -l`
-    fi
-    
-    if [ $up -eq 2 ]
-    then
-	cecho " * Great, ${host} is already running!"
-    else
-	rm -rf ~/.uml/${host}
-	BOOTING_HOSTS="$BOOTING_HOSTS ${host}"
-	let "count_max += 12"
-
-	UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host}
-	[ -f  $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found"
-
-	cecho-n " * Starting ${host}.."
-	eval xterm -title ${host} -geometry "+${x0}+${y0}" -rightbar -sb -sl 500 -e "$UMLKERNEL \
-	    umid=${host} \
-	    ubda=$UMLHOSTFS \
-	    \$SWITCH_${host} \
-	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
-        cgecho "done"
-        sleep 15
-    fi
-    let "x0+=dx"
-    let "y0+=dy"
-done
-
-if [ -z "$BOOTING_HOSTS" ]
-then
-    exit 0
-fi
-
-cecho " * Waiting for the uml instances to finish booting"
-
-for host in $BOOTING_HOSTS
-do
-    cecho-n " * Checking on $host.."
-
-    while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ]
-    do
-	cecho-n "."
-	sleep 5
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    fi
-
-    up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-
-    while [ $count -lt $count_max ] && [ $up -eq 0 ]
-    do
-	cecho-n "."
-	sleep 5
-	up=`uml_mconsole $host proc net/route 2> /dev/null | grep eth0 | wc -l`
-	let "count+=1"
-    done
-
-    if [ $count -ge $count_max ]
-    then
-	cecho "exit"
-	exit 1
-    else
-	cgecho "up"
-    fi
-
-    if [ "$host" = "alice" ]
-    then
-	sleep 5
-	eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	ssh root@$ipv4_alice /etc/init.d/net.eth1 stop
-    fi
-done
-
-cecho " * All uml instances are up now"
diff --git a/testing/ssh_config b/testing/ssh_config
index 36569c07c..831b9dc1a 100644
--- a/testing/ssh_config
+++ b/testing/ssh_config
@@ -1,7 +1,8 @@
 Host *
 	# debian default
 	SendEnv LANG LC_*
-	HashKnownHosts yes
+	StrictHostKeyChecking no
+	UserKnownHostsFile /dev/null
 	GSSAPIAuthentication yes
 	# faster encryption
 	Ciphers arcfour
diff --git a/testing/start-testing b/testing/start-testing
index 278500e6f..45cf4c9b9 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -1,85 +1,51 @@
 #!/bin/bash
-# Start up the specified UML instances and wait for them to finish booting
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
 
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found"
-[ -d $DIR/hosts ] || die "Directory hosts cannot be found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-#####################################################
-# start the uml bridges
-#
-cecho "Start the uml bridges  (scripts/start-bridges)"
-$DIR/scripts/start-bridges
-
-
-#####################################################
-# start the uml instances
-#
-case $UMLSTARTMODE in
-    konsole)
-	cecho "Start the uml instances  (scripts/kstart-umls)"
-	$DIR/scripts/kstart-umls $HOSTS
-	;;
-    gnome-terminal)
-	cecho "Start the uml instances  (scripts/gstart-umls)"
-	$DIR/scripts/gstart-umls $HOSTS
-	;;
-    xterm)
-	cecho "Start the uml instances  (scripts/xstart-umls)"
-	$DIR/scripts/xstart-umls $HOSTS
-	;;
-    screen)
-	cecho "Start the uml instances  (scripts/start-umls)"
-	$DIR/scripts/start-umls $HOSTS
-	;;
-    *)
-        die "The start mode is unknown! Please set $UMLSTARTMODE properly."
-	;;
-esac
-
-
-#####################################################
-# do the automated testing
-#
-if [ $ENABLE_DO_TESTS = "yes" ]
-then
-   cecho "Run the automated tests (do-tests)"
-   $DIR/do-tests
-fi
-
-
-##############################################################################
-# stop all UML instances and switches
-#
-
-if [ $ENABLE_STOP_TESTING = "yes" ]
-then
-   cecho "Stopping all UML instances and switches (stop-testing)"
-   $DIR/stop-testing $HOSTS
-fi
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+
+NETWORKS="vnet1 vnet2 vnet3"
+CONFDIR=$DIR/config/kvm
+KNLSRC=$BUILDDIR/$KERNEL/arch/x86/boot/bzImage
+KNLTARGET=/var/run/kvm-swan-kernel
+HOSTFSTARGET=/var/run/kvm-swan-hostfs
+MCASTBRS="test-br0 test-br1"
+
+echo "Starting test environment"
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands kvm virsh
+
+log_action "Deploying kernel $KERNEL"
+execute "ln -fs $KNLSRC $KNLTARGET"
+
+log_action "Deploying $SHAREDDIR as hostfs"
+execute "chown -R $KVMUSER:$KVMGROUP $SHAREDDIR" 0
+execute "ln -Tfs $SHAREDDIR $HOSTFSTARGET"
+
+for net in $NETWORKS
+do
+	log_action "Network $net"
+	execute "virsh net-create $CONFDIR/$net.xml"
+done
+
+for host in $STRONGSWANHOSTS
+do
+	ln -fs $IMGDIR/$host.$IMGEXT $VIRTIMGSTORE/$host.$IMGEXT
+	log_action "Guest $host"
+	execute "virsh create $CONFDIR/$host.xml"
+done
+
+# Enforce reception of multicast traffic on bridges
+for br in $MCASTBRS
+do
+	cd /sys/devices/virtual/net/$br/brif
+	for vnet in `find . -name "*eth?"`
+	do
+		echo 2 > $vnet/multicast_router
+	done
+done
+
+echo 0x08 > /sys/devices/virtual/net/test-br0/bridge/group_fwd_mask
 
diff --git a/testing/stop-testing b/testing/stop-testing
index 023a5b39e..704ae6667 100755
--- a/testing/stop-testing
+++ b/testing/stop-testing
@@ -1,48 +1,34 @@
 #!/bin/bash
-# Stop all UML instances and UML switches
-#
-# Copyright (C) 2004  Eric Marchionni, Patrik Rayo
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-DIR=`dirname $0`
-
-source $DIR/scripts/function.sh
-
-[ -f $DIR/testing.conf ] || die "No configuration file testing.conf found."
-
-source $DIR/testing.conf
-
-if [ "$#" -eq 0 ]
-then
-    HOSTS=$STRONGSWANHOSTS
-else
-    HOSTS=$*
-fi
-
-#####################################################
-# Shutting down the uml instances
-#
-cecho-n " * Halting all UML instances.."
-for host in $HOSTS
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+. $DIR/scripts/function.sh
+
+echo "Stopping test environment"
+
+NETWORKS="vnet1 vnet2 vnet3"
+KNLTARGET=/var/run/kvm-swan-kernel
+HOSTFSTARGET=/var/run/kvm-swan-hostfs
+
+[ `id -u` -eq 0 ] || die "You must be root to run $0"
+
+check_commands virsh
+
+for net in $NETWORKS
 do
-    uml_mconsole $host halt &> /dev/null
+	log_action "Network $net"
+	execute "virsh net-destroy $net"
 done
-cgecho "done"
 
-#####################################################
-# Shutting down the uml bridhges
-#
-cecho "Stop the uml bridges  (scripts/stop-bridges)"
-$DIR/scripts/stop-bridges
+for host in $STRONGSWANHOSTS
+do
+	log_action "Guest $host"
+	execute "virsh shutdown $host"
+	rm -f $VIRTIMGSTORE/$host.$IMGEXT
+done
 
+log_action "Removing kernel $KERNEL"
+execute "rm $KNLTARGET"
 
+log_action "Removing link to hostfs"
+execute "rm $HOSTFSTARGET"
diff --git a/testing/testing.conf b/testing/testing.conf
index 80cee18ac..638762f9b 100755..100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Global configuration file for strongswan UML testing.
+# Global configuration file for strongswan integration testing.
 #
 # Copyright (C) 2004  Eric Marchionni, Patrik Rayo
 # Zuercher Hochschule Winterthur
@@ -15,141 +15,63 @@
 # for more details.
 
 # Root directory of testing
-UMLTESTDIR=~/strongswan-testing
-
-# Bzipped kernel sources
-# (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-3.3.2.tar.bz2
-
-# Extract kernel version
-KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
-
-# Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-3.3
-
-# Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/ha-3.0.patch.bz2
-
-# Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.6.3.tar.bz2
-
-# strongSwan compile options (use "yes" or "no")
-USE_LIBCURL="yes"
-USE_LDAP="yes"
-USE_EAP_AKA="yes"
-USE_EAP_SIM="yes"
-USE_EAP_MD5="yes"
-USE_EAP_MSCHAPV2="yes"
-USE_EAP_IDENTITY="yes"
-USE_EAP_RADIUS="yes"
-USE_EAP_TLS="yes"
-USE_EAP_TTLS="yes"
-USE_EAP_PEAP="yes"
-USE_EAP_TNC="yes"
-USE_TNC_PDP="yes"
-USE_TNC_IMC="yes"
-USE_TNC_IMV="yes"
-USE_TNCCS_11="yes"
-USE_TNCCS_20="yes"
-USE_TNCCS_DYNAMIC="yes"
-USE_IMC_TEST="yes"
-USE_IMV_TEST="yes"
-USE_IMC_SCANNER="yes"
-USE_IMV_SCANNER="yes"
-USE_IMC_ATTESTATION="yes"
-USE_IMV_ATTESTATION="yes"
-USE_SQL="yes"
-USE_MEDIATION="yes"
-USE_OPENSSL="yes"
-USE_BLOWFISH="yes"
-USE_KERNEL_PFKEY="yes"
-USE_INTEGRITY_TEST="yes"
-USE_LEAK_DETECTIVE="no"
-USE_LOAD_TESTER="yes"
-USE_TEST_VECTORS="yes"
-USE_GCRYPT="yes"
-USE_SOCKET_DEFAULT="yes"
-USE_SOCKET_DYNAMIC="yes"
-USE_DHCP="yes"
-USE_FARP="yes"
-USE_ADDRBLOCK="yes"
-USE_CTR="yes"
-USE_CCM="yes"
-USE_GCM="yes"
-USE_CMAC="yes"
-USE_HA="yes"
-USE_AF_ALG="yes"
-USE_WHITELIST="yes"
-USE_PKCS8="yes"
-USE_IFMAP="no"
-USE_CISCO_QUIRKS="no"
-
-# Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20111212.tar.bz2
-
-# Size of the finished root filesystem in MB
-ROOTFSSIZE=850
-
-# Amount of Memory to use per UML [MB].
-# If "auto" is stated 1/12 of total host ram will be used.
-# Examples: MEM=64, MEM="128", MEM="auto"
-MEM=96
-
-# Directory where the UML kernels and file system will be built
-BUILDDIR=$UMLTESTDIR/umlbuild
-
-# Filename of the built UML Kernel
-UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
+TESTDIR=/srv/strongswan-testing
+
+# Kernel configuration
+KERNELVERSION=3.8.1
+KERNEL=linux-$KERNELVERSION
+KERNELTARBALL=$KERNEL.tar.bz2
+KERNELCONFIG=$DIR/../config/kernel/config-3.8
+KERNELPATCH=ha-3.8-abicompat.patch.bz2
+
+# strongSwan version used in tests
+SWANVERSION=5.0.3
+
+# Build directory where the guest kernel and images will be built
+BUILDDIR=$TESTDIR/build
+# Directory shared between host and guests
+SHAREDDIR=$BUILDDIR/shared
+
+# Logfile
+LOGFILE=$BUILDDIR/testing.log
+
+# Directory used for loop-mounts
+LOOPDIR=$BUILDDIR/loop
+
+# Common image settings
+IMGEXT=qcow2
+IMGDIR=$BUILDDIR/images
+
+# Base image settings
+# The base image is a pristine OS installation created using debootstrap.
+BASEIMGSIZE=1280
+BASEIMGSUITE=wheezy
+BASEIMGARCH=amd64
+BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT
+BASEIMGMIRROR=http://cdn.debian.net/debian
+
+# Root image settings
+# The root image is the origin of all guest images. It is a clone of the base
+# image and contains additional test-specific software and patches.
+ROOTIMG=$IMGDIR/root.$IMGEXT
+
+# libvirt config
+NBDEV=/dev/nbd0
+NBDPARTITION=${NBDEV}p1
+VIRTIMGSTORE=/var/lib/libvirt/images
+KVMUSER=libvirt-qemu
+KVMGROUP=kvm
 
 # Directory where test results will be stored
-TESTRESULTSDIR=$UMLTESTDIR/testresults
-
-# SSH configuration (speedup SSH)
-SSHCONF="-F $UMLTESTDIR/testing/ssh_config"
-
-# Path to a full strongswan tree on the host system, which is
-# mounted into /root/strongswan-shared. This gives us an easy
-# way to apply and test changes instantly.
-#SHAREDTREE=/home/martin/strongswan/trunk
-
-# Timezone for the UMLs, look in /usr/share/zoneinfo!
-TZUML="Europe/Zurich"
+TESTRESULTSDIR=$TESTDIR/testresults
 
 ##############################################################
-# Enable particular steps in the make-testing and
-# start-testing scripts
+# Enable particular steps in the make-testing
 #
-ENABLE_BUILD_UMLKERNEL="yes"
-ENABLE_BUILD_SSHKEYS="yes"
-ENABLE_BUILD_HOSTCONFIG="yes"
-ENABLE_BUILD_UMLROOTFS="yes"
-ENABLE_BUILD_UMLHOSTFS="yes"
-ENABLE_START_TESTING="yes"
-ENABLE_DO_TESTS="no"
-ENABLE_STOP_TESTING="no"
-
-##############################################################
-# How to start the UMLs?
-#
-# Start the UML instance in KDE konsole (requires KDE)
-# UMLSTARTMODE="konsole"
-# Start the UML instance in a gnome-terminal (requires gnome)
-UMLSTARTMODE="gnome-terminal"
-# Start the UML instance in an xterm (requires X11R6)
-# UMLSTARTMODE="xterm"
-# Start the UML instance without a terminal window
-# but screen -r <host> can open a window anytime
-# UMLSTARTMODE="screen"
-
-##############################################################
-# If set to "yes" only the tests stated at $SELECTEDTESTS
-# will be executed. (use "yes" or "no")
-#
-SELECTEDTESTSONLY="no"
-
-# Tests to do if $SELECTEDTESTSONLY is set "yes".
-#
-SELECTEDTESTS="ikev2/rw-cert"
+ENABLE_BUILD_BASEIMAGE="yes"
+ENABLE_BUILD_ROOTIMAGE="yes"
+ENABLE_BUILD_GUESTKERNEL="yes"
+ENABLE_BUILD_GUESTIMAGES="yes"
 
 ##############################################################
 # hostname and corresponding IPv4 and IPv6 addresses
@@ -181,35 +103,5 @@ bob,fec2::10"
 # VPN gateways / clients
 # The hosts stated here will be created. Possible values
 # are sun, moon, dave, carol, alice, venus, bob, winnetou.
-# It's fine to make them all unless you don't have much
-# resources. In this case we assume you know what you do!
-#
-STRONGSWANHOSTS="sun moon dave carol alice venus bob winnetou"
-
-##############################################################
-# Needed programs, do not change!
-#
-PROGRAMS="uml_switch uml_mconsole ssh ssh-keygen iptables \
-          chroot screen mkreiserfs"
-
-##############################################################
-# IP parameters of the UML switches
-#
-IFCONFIG_0="192.168.0.254 netmask 255.255.255.0"
-IFCONFIG_1="10.1.0.254 netmask 255.255.0.0"
-IFCONFIG_2="10.2.0.254 netmask 255.255.0.0"
-
-##############################################################
-# Network interfaces of the UML instances
 #
-SWITCH_alice="eth0=tuntap,tap1_alice,fe:fd:0a:01:00:0a \
-              eth1=tuntap,tap0_alice,fe:fd:c0:a8:00:32"
-SWITCH_venus="eth0=tuntap,tap1_venus,fe:fd:0a:01:00:14"
-SWITCH_moon="eth0=tuntap,tap0_moon,fe:fd:c0:a8:00:01 \
-             eth1=tuntap,tap1_moon,fe:fd:0a:01:00:01"
-SWITCH_carol="eth0=tuntap,tap0_carol,fe:fd:c0:a8:00:64"
-SWITCH_winnetou="eth0=tuntap,tap0_winnetou,fe:fd:c0:a8:00:96"
-SWITCH_dave="eth0=tuntap,tap0_dave,fe:fd:c0:a8:00:c8"
-SWITCH_sun="eth0=tuntap,tap0_sun,fe:fd:c0:a8:00:02 \
-            eth1=tuntap,tap2_sun,fe:fd:0a:02:00:01"
-SWITCH_bob="eth0=tuntap,tap2_bob,fe:fd:0a:02:00:0a"
+STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/description.txt b/testing/tests/af-alg-ikev1/alg-camellia/description.txt
deleted file mode 100644
index a9633ee84..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat
deleted file mode 100644
index 93f82906e..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf51269a5..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 04c2358ed..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 5571dc086..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-       
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 04c2358ed..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat
deleted file mode 100644
index 6d2eeb5f9..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/test.conf b/testing/tests/af-alg-ikev1/alg-camellia/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat
deleted file mode 100644
index 1a9b9159f..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 80dae3719..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fd687c13a..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 73167caad..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5cc54b24f..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  } 
-}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f365b07da..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fd687c13a..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/posttest.dat b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev1/rw-cert/pretest.dat b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/af-alg-ikev1/rw-cert/test.conf b/testing/tests/af-alg-ikev1/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat
deleted file mode 100644
index d77c4806e..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 37f8a7ecf..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 3cd390829..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f8d7e3fe9..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
-
-conn rw
-	left=PH_IP_MOON
-	leftfirewall=yes
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 3cd390829..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat
deleted file mode 100644
index 3c3df0196..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1 
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/test.conf b/testing/tests/af-alg-ikev2/alg-camellia/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/af-alg-ikev2/rw-cert/description.txt b/testing/tests/af-alg-ikev2/rw-cert/description.txt
deleted file mode 100644
index d0c5e9200..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b>
-of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric
-encryption and hash functions whereas roadwarrior <b>dave</b> uses the default
-<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat
deleted file mode 100644
index 06a0f8cda..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4a8baa3ae..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 1c71b885f..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 42f03aab3..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-sha256-modp2048!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index e483eba9d..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-}
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 2e84f2e6a..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 1c71b885f..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/af-alg-ikev2/rw-cert/posttest.dat b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev2/rw-cert/pretest.dat b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/af-alg-ikev2/rw-cert/test.conf b/testing/tests/af-alg-ikev2/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/description.txt b/testing/tests/af-alg/alg-camellia/description.txt
index b3515c333..b3515c333 100644
--- a/testing/tests/af-alg-ikev2/alg-camellia/description.txt
+++ b/testing/tests/af-alg/alg-camellia/description.txt
diff --git a/testing/tests/af-alg/alg-camellia/evaltest.dat b/testing/tests/af-alg/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..2096cb994
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/evaltest.dat
@@ -0,0 +1,11 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..11dece402
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha384!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..28b9e5822
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..ecbb94dca
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha384!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..28b9e5822
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat
new file mode 100644
index 000000000..886fdf55c
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/af-alg/alg-camellia/test.conf b/testing/tests/af-alg/alg-camellia/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/af-alg-ikev1/rw-cert/description.txt b/testing/tests/af-alg/rw-cert/description.txt
index d0c5e9200..d0c5e9200 100644
--- a/testing/tests/af-alg-ikev1/rw-cert/description.txt
+++ b/testing/tests/af-alg/rw-cert/description.txt
diff --git a/testing/tests/af-alg/rw-cert/evaltest.dat b/testing/tests/af-alg/rw-cert/evaltest.dat
new file mode 100644
index 000000000..ba661975b
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..214a8de28
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-sha1-modp1536!
+	esp=3des-sha1!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e27685447
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..7fa2966d2
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..3ddd02fe7
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+}
diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..fc3eea283
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-modp2048,3des-sha1-modp1536!
+	esp=aes128-sha256,3des-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e27685447
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/af-alg/rw-cert/test.conf b/testing/tests/af-alg/rw-cert/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/description.txt b/testing/tests/gcrypt-ikev1/alg-camellia/description.txt
deleted file mode 100644
index a9633ee84..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat
deleted file mode 100644
index 93f82906e..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf51269a5..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 5e09a3a1d..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 5571dc086..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-       
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 5e09a3a1d..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat
deleted file mode 100644
index 6d2eeb5f9..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
index d9964314b..db5a76204 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
@@ -1,11 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_512::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ip xfrm state::enc cbc(serpent)::YES
-moon::ip xfrm state::enc cbc(serpent)::YES
+moon:: ip xfrm state::enc cbc(serpent)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 462427a8c..ce9e54fec 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_512!
+	ike=serpent256-sha512-modp4096!
+	esp=serpent256-sha512!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index de3c1d1c7..46dc368c4 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
        
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_512!
+	ike=serpent256-sha512-modp4096!
+	esp=serpent256-sha512!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
index 6d2eeb5f9..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2 
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
index f3fc61fe6..e1a7403e3 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
 <b>TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>TWOFISH_CBC_256 / HMAC_SHA2_512_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>TWOFISH_CBC_256 / HMAC_SHA2_512_256 </b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
index c69355b81..ac3b5e0b0 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
@@ -1,11 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_512::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ip xfrm state::enc cbc(twofish)::YES
-moon::ip xfrm state::enc cbc(twofish)::YES
+moon:: ip xfrm state::enc cbc(twofish)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 4c02699b7..fe1a78d62 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_512!
+	ike=twofish256-sha512-modp4096!
+	esp=twofish256-sha512!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index d608ac2f6..b4391cd1f 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -1,19 +1,15 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
+       
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_512!
+	ike=twofish256-sha512-modp4096!
+	esp=twofish256-sha512!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
index 7d077c126..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
@@ -1,5 +1,4 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::sleep 2 
 carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/description.txt b/testing/tests/gcrypt-ikev1/rw-cert/description.txt
deleted file mode 100644
index f60f5b1ad..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b>
-plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
deleted file mode 100644
index 1a9b9159f..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 80dae3719..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 697565a38..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 73167caad..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5cc54b24f..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  } 
-}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f365b07da..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 697565a38..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/test.conf b/testing/tests/gcrypt-ikev1/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
index d77c4806e..5f0bb3cdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
index 37f8a7ecf..11dece402 100755..100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	esp=camellia192-sha384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index dafa85bd1..3c094be34 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
index f8d7e3fe9..ecbb94dca 100755..100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	esp=camellia192-sha384!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index dafa85bd1..3c094be34 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index 4a8baa3ae..214a8de28 100755..100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=3des-sha1-modp1536!
+	esp=3des-sha1!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 92fcbd641..671d97342 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 42f03aab3..603651a43 100755..100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha256-modp2048!
+	ike=aes256-sha512-modp2048!
+	esp=aes256-sha512!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index e483eba9d..3ddd02fe7 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 2e84f2e6a..ce4c0decb 100755..100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+	ike=aes256-sha512-modp2048,3des-sha1-modp1536!
+	esp=aes256-sha512,3des-sha1!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 92fcbd641..671d97342 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/test.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
index a26d8e568..89e5f4b6e 100644
--- a/testing/tests/ha/both-active/evaltest.dat
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-alice::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-moon::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+alice::ipsec status 2> /dev/null::rw\[1].*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
+alice::ipsec status 2> /dev/null::rw\[2].*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1].*PASSIVE.*mars.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2].*PASSIVE.*mars.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*mars.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*mars.strongswan.org::YES
 alice::cat /var/log/daemon.log::HA segment 1 activated::YES
-moon::cat /var/log/daemon.log::HA segment 2 activated::YES
+moon:: cat /var/log/daemon.log::HA segment 2 activated::YES
 alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
-moon::cat /var/log/daemon.log::installed HA CHILD_SA::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::installed HA CHILD_SA::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
 carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
 dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 95d3b8828..000000000
--- a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# forward ESP-tunneled traffic
-	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
-	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
-	iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-        # clusterip rules
-        iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 
-        iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 
-
-	# allow esp
-	iptables -A INPUT  -p 50 -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow heartbeat
-        iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
-
-	# allow ICMP type 3
-	iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
-
-	# allow IGMP multicasts
-	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
-	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
- 
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
index 09a5364f4..363473bdd 100755..100644
--- a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..cad1d202a
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 
+-A INPUT -i eth0 -d 10.1.0.5    -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 
+
+# allow esp
+-A INPUT  -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
index c1745ec29..2f527cf43 100644
--- a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha 
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default ha 
   plugins {
     ha {
       local = PH_IP_ALICE
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
index 79e06d4de..3040f6afa 100755..100644
--- a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
index af91a172a..dcafe679f 100644
--- a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
index f75e13d2e..27d6b8d99 100755..100644
--- a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
index 60dbb5ba2..825cfdc27 100644
--- a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6f7a0316b..000000000
--- a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# forward ESP-tunneled traffic
-	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
-	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
-	iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
-
-        # clusterip rules
-        iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
-        iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
-
-	# allow esp
-	iptables -A INPUT  -p 50 -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_DAVE  -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow heartbeat
-	iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
-
-	# allow ICMP type 3
-        iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
-
-	# allow IGMP multicasts
-	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
-	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
index 09a5364f4..363473bdd 100755..100644
--- a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..ab7fd7fcb
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+-A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
+-A INPUT -i eth1 -d 10.1.0.5    -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
+
+# allow esp
+-A INPUT  -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE  -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
index 1cece26d2..2693cf198 100644
--- a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default ha
   plugins {
     ha {
       local = PH_IP_MOON1
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
index 49bf76055..e4ffe8eef 100644
--- a/testing/tests/ha/both-active/posttest.dat
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -2,15 +2,15 @@ carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
 alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ip addr del 192.168.0.5/24 dev eth0
 moon::ip addr del 10.1.0.5/16 dev eth1
 alice::ip addr del 192.168.0.5/24 dev eth1
 alice::ip addr del 10.1.0.5/16 dev eth0
-alice::/etc/init.d/net.eth1 stop
+alice::ifdown eth1
 venus::ip route del default via 10.1.0.5 dev eth0
 venus::ip route add default via 10.1.0.1 dev eth0
 moon::conntrack -F
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
index e2e509855..af4d66cfc 100644
--- a/testing/tests/ha/both-active/pretest.dat
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -1,14 +1,14 @@
 moon::ip addr add 192.168.0.5/24 dev eth0
 moon::ip addr add 10.1.0.5/16 dev eth1
-alice::/etc/init.d/net.eth1 start
+alice::ifup eth1
 alice::ip addr add 192.168.0.5/24 dev eth1
 alice::ip addr add 10.1.0.5/16 dev eth0
 venus::ip route del default via 10.1.0.1 dev eth0
 venus::ip route add default via 10.1.0.5 dev eth0
-moon::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 alice::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf
index 0473013e1..8056d9ce4 100644
--- a/testing/tests/ha/both-active/test.conf
+++ b/testing/tests/ha/both-active/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="venus carol dave"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol dave"
diff --git a/testing/tests/ike/rw-cert/evaltest.dat b/testing/tests/ike/rw-cert/evaltest.dat
index 71496d2f2..e431ce533 100644
--- a/testing/tests/ike/rw-cert/evaltest.dat
+++ b/testing/tests/ike/rw-cert/evaltest.dat
@@ -1,9 +1,17 @@
-moon::ipsec statusall::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::home.*IKEv1::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKEv2::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKEv1::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKEv2::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..06cb94146
--- /dev/null
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index 83c10cfdc..0fe8bd9c7 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,15 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
index 3be21d055..b28076511 100755..100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index 3545a5734..0fe8bd9c7 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,12 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
index d90ab485c..b5e161893 100755..100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,15 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1 
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index 7a066e53e..0fe8bd9c7 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,16 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw
-}
-
-pluto {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat
index 587b6aeed..e50793830 100644
--- a/testing/tests/ike/rw-cert/pretest.dat
+++ b/testing/tests/ike/rw-cert/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ike/rw-cert/test.conf b/testing/tests/ike/rw-cert/test.conf
index 845a6dcd7..51bf2b7f2 100644
--- a/testing/tests/ike/rw-cert/test.conf
+++ b/testing/tests/ike/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ike/rw_v1-net_v2/evaltest.dat b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
index 4eace50b7..847a2d92d 100644
--- a/testing/tests/ike/rw_v1-net_v2/evaltest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES 
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..06cb94146
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ea53fde9
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 revocation stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
index 57c41b521..50d38564a 100755..100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
 
 conn %default
 	ikelifetime=60m
@@ -24,4 +22,3 @@ conn rw
 	rightid=carol@strongswan.org
 	keyexchange=ikev1
 	auto=add
-
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 8cb117c7b..ce2265a39 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw
-}
-
-pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 revocation stroke kernel-netlink socket-default 
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
index e5a9fe396..c6bfaf8f1 100755..100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn net-net 
 	left=PH_IP_SUN
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
index 88f162098..5ea53fde9 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 revocation stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat
index 03b8dc218..f61a4cb51 100644
--- a/testing/tests/ike/rw_v1-net_v2/pretest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 sun::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ike/rw_v1-net_v2/test.conf b/testing/tests/ike/rw_v1-net_v2/test.conf
index 983881e5d..864f944d7 100644
--- a/testing/tests/ike/rw_v1-net_v2/test.conf
+++ b/testing/tests/ike/rw_v1-net_v2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="carol moon sun"
diff --git a/testing/tests/ikev1/after-2038-certs/description.txt b/testing/tests/ikev1/after-2038-certs/description.txt
deleted file mode 100644
index fb622dc15..000000000
--- a/testing/tests/ikev1/after-2038-certs/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b> that are valid until
-the year 2039 and are issued by a certification authority with a root ca 
-certificate valid until the year 2059. On 32-bit platforms, dates after
-Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type.
-Thus if a time wrap-around occurs during ASN.1 to time_t conversions,
-dates contained in the certificates are set to the maximum value,
-i.e. to Jan 19 03:14:07 UTC 2038.
-
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> ping the client <b>alice</b>
-behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/after-2038-certs/evaltest.dat b/testing/tests/ikev1/after-2038-certs/evaltest.dat
deleted file mode 100644
index 790811a61..000000000
--- a/testing/tests/ikev1/after-2038-certs/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 528e3f1b3..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 03b57243b..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,55 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
-bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
-NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
-HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
-A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
-4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
-2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
-ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
-dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
-sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
-kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
-YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
-qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
-HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
-UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
-xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
-Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
-/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
-Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
-Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
-9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
-9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
-ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
-XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
-e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
-99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
-AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
-YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
-c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
-ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
-hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
-71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
-/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
-lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
-8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
-RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
-Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
-xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
-PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
-6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
-c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
-MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
-vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
-RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
-uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
-inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
-CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
-8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
-9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
-cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
-d/Fp6btmZH31IEyJrRNVOpCwZPI=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 2ce2ce3c9..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,46 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIINzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
-b25zdGVyIENBMB4XDTA5MDMyODE0MDYwOFoXDTM5MDMyMTE0MDYwOFowWTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
-bnN0ZXIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIICIjANBgkqhkiG
-9w0BAQEFAAOCAg8AMIICCgKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgR
-yGVG6HVoA3DU/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mp
-dYtP53SWASOHBiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkw
-BebpMLCf2Mi1robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bO
-FPoBoBOY7v4fuq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DW
-kk1vTt4jplSg6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5
-mGabckTMvtI591UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014l
-cFg11mzjXGGBFuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest
-2X0psHe3AlocUFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9C
-uezkuM1QEvkev5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+
-t8GhCKV6B7RTzFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3Hh
-fTZstGECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTy8LU5yQdnV8pfwhCPY7q/CiNyzjB4BgNVHSMEcTBvgBQZYq2Wq8b7148Q
-xFb/QGMiQnB2DqFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gTW9uc3RlciBDQYIJAIORWNru
-S4GuMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMEEGA1UdHwQ6MDgw
-NqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1tb25z
-dGVyLmNybDANBgkqhkiG9w0BAQ0FAAOCBAEAi39l78OCI9S0I3X62HbkxiLguvnc
-CbXY6Tqmz0Ms8xqZgYzJOk7FLB/4v/zJohOH5nd7KxJ81KbcERyASpybaLM0/V+V
-oGT0rDGGH5cS4H2uYfs9HsKFKKPbZeCnExFyCamXjBZkl5IZNjdpS9TLyXRJSyFN
-OIRNhILPSriqdtzgRuGOeX798U8o0ObizGQRVlT0p0lI4t64dzZbIh3jSXjCf1Tz
-cmVOC8qhhGvxLlorSy5K98t2zNY7DvzwtvoQrNFGtso1kvfmaO4XRCvSZsmqPpC5
-mmWJjNEG2qcbmfpt8TotyUHgEJTZXwXlPVVb5OXHTW6jXk/MN0UiMTLJYcvJ1gji
-kSnGNHzRH2rKlYRED+jlzzHAWSv0mBGcOTdmfBV6+TJ7QhWhLZBzAUfwqXpAy9Vk
-idtyB0eSWBTIvhZY6SzB0Rvkdj0FtZ+tNURT4dPtiO0D+LXm/ojpdKKI2tFNOgwY
-n8df2u3xnCRvHqcF6lvu+ptnwUkUDDGDuiM20+sm0HHhLIj51v8tTm3Q/MzI0BAb
-G4HOSQNDzymWDgzIE67UTxBwXVDbSLkzH1vhFXtZQlD1UHqOUT/4FQm5ZlVMF8na
-FKxHakqoh1CdI8TAmM64h3hp1zp+G9Zn0lfcHRhvWBvpU8mgF1cbEvgbzjd9+xLe
-q45/8xuZPnU7XIBvDcZTUk8LRIThcTxQRlQdI1UJnvPOBYG3mUrLs2UdEZGwsooG
-zMOj3EQwqrR67rQiuGo65IMPDix4mwHjcZ8Gr4eqLDwSUS5yoPX1qI2qNLQbI1Ni
-8PEYMXQ0Xm+9Z86ZkI0dAIBWLkEGkz5Ngqk4O3JLzF1O/XPG4E9hGJ8WsHQW6pk9
-+quv5nVNCAO0z6FYfQoYprdbDBur+N/no+BYIcSFSpLcNgafLXgj3I65iJ2VmRi0
-V0xAfxcRiQN2+/7aao2zLrrSPHU8YsW48ISw9ibQ9EckZMVtnhuYpBJuX8+auZ8f
-OgBmgRi7fCtEcMlXsiisQehymMs470eDRfWFUMzgJC8tMOQIWNdYM0Bo29wYUJPN
-jD+NO0n+PisFMilBEyoT2pD1i94+5DWQau/7STb3GbpBsLb7JbIrQEp0oSdsvsNR
-SaJQEqMxepJM0OGp3FMr79s+/a13+TMm+jl65M6sV/YTDdYFlplkWyHDjbL+WjUu
-lvDEURfBJrtT7u673RakCEzl5e53fP01HXFhqgMSloR7j2XNiyCeEUBp+zetXxwb
-8e6IKtbXWU+WcXIdNOHAL+OtD1vUK3gxupJPrRNW6daZKWUDbjRixzXnjeyIw8It
-bRldc5VjyM0G4FMbmIROgRcvjJ74MUwnHpgPl9zQ28HmbxKbANiJJZHIDw==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index f0836ec33..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgRyGVG6HVoA3DU
-/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mpdYtP53SWASOH
-BiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkwBebpMLCf2Mi1
-robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bOFPoBoBOY7v4f
-uq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DWkk1vTt4jplSg
-6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5mGabckTMvtI5
-91UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014lcFg11mzjXGGB
-FuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest2X0psHe3Aloc
-UFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9CuezkuM1QEvke
-v5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+t8GhCKV6B7RT
-zFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3HhfTZstGECAwEA
-AQKCAgAmHcjpYm4FXy7Fl72F531pTv69w50OslFCexEUaqCMdojR7TYVs0hwXObT
-XePSczMaOTjujIXNcz/K0zdCwanMSSMy1THYhRC+DEqK4K0wLifjTad3m7S4PaPI
-0ocxbKWQBMDl3KdGEJW38KcqR4b1B/h6f4VYo7BQzkSbrxRSHANz63vdJvVWPoMz
-jxAgykSiAqIDTNGxYp5trUX7ZLLn0cCIJjIwLU56GcPPN33SDVXetUdQ4sCaDdXU
-8YP8rj0K1VWMYy7SItCZsIqzSEMT+7wC3tvDUDWGyEb1UW9q3cpKBNDAl7KkO3rH
-UbeMutCK5ydtXMIumzNB704cnuwZ08sdM7BTTMhmu0VK+zjVzhBK+MFcF7pickD3
-SdNzOiqfgiXLGjsiMFJvJ7OUJczEJl2xIoZ+Otb113ep0An0PEuF6aZMaKPNP7xf
-ljnengym1Rq+f1mHBRRfool9zmeisnQSSecKo0htm6oRkQTcTwLj0TjiCugbmISf
-D7sUXWp/QFVdYhHTay1gWUnP1quflKYvEynd0UF0JOnCbpWAczdXf27fm7DVjgLp
-yZ4QyrCtyvtIITgmZOvkAcaflxe2E+cBN2F+hWGzqMJfoMtw008hRW9DcRji35Kn
-lCOj/87n8lL3dicDI0caBZO9tQIakh05XYW8xN+sYF9K/xKauQKCAQEA2txDchqB
-7719R6hBqdNqig2+telNHlN0amPKjqIvP7Tr/JnJx8A7cSasao1Fw0cGPReBT7Tb
-Z5IW7xvWiZYFMDI8q8ZGEIb+MveYs1gHlEaimMtwoVCNeNe3cEPIL7ffNT8y+xFc
-o55AjzgKAOHqmf6OidKqRs/B1sSmOrgugsY8KvYtA/JrieVHKrjNX5XqZNqrfsns
-K4DMcJvIrfBu9iyWenNoBOdEJsP0h3F39Zh2hkEg29eH+/8x6FGlezvSU89Jjs9O
-/2BdlyS82RbhPu2VIrsmpfoSrsFHRe8t/9yrnpY3ud6w2LP9QIEMd8FpWKGnNxJp
-AIZJ6u+NoWVlLwKCAQEAxk/7RSSvf6VJvi1gmOxKd79LkYUEiyZryP/M8kQFMqs5
-pU6BgFLVLZsaXz+1oYS0bEjVGGo5ppCVVUMN6RuFX9zVz9uVZBeiiItqw64UDbt/
-0u78m9ngvSpWaMQU2nS/kHVhKOY+Gfs0v5fBvZE+wxTfMBR+nbx7uJivpXnq6xMP
-fhDz6juap/lEK6HuvQN5xXBNL4wpd099lvy3NUuG0Dohb/+gWf3YzQtjs281iMZB
-G3/gGLcBSdk6PBwXueJ3NPj9FAII73MQNBNYS3zi3IYuulA/rMcvbA+IGeKTzRX5
-E47B8ZAhJxZ3OePalvZyVEaRHDFT+Y2YCv/G9Bw7bwKCAQBs97oE97m2Gcxkfxui
-aIblEY7gl7Yz4S1XQzQ46/tGZtgQPqm+cLGn1q+Fpa0UWyp6BFf3zX5oBM6yYlPg
-0PboVjrq858y32N1EN3QfYXYh4qxNKlxR+AISK8mkDj9uTjDFCJX6v8K3+IY7Lfe
-VJ0v6xQg/uiUtSA3xFVXaxiNOBIA+ezTyEFOuP9EABsQ+l1ntZApYnPZ/RjNAGNc
-Zxd4Lh8F/KvPtS2zd2Eqho5Jk41/rrGjg55LE3ZPy0bvIovH+q8PEZytfddbR4lX
-NRMU98mHL1NA1E+0/rpz0XA/sikonnZEbuHyIzt2gEoq3fuLi4Dr5JivEC2BcaA8
-uXU1AoIBAQDDxUdfXbTmxQxEctVuga2OA0mdkXwHxlkXZvcyntWmzIOu3g5X2O3c
-BMcHCoTKu4/Faiz72jmpZggV0IlV+zYyiXaFqNcUpYRtWXx/SkU/vT6VxBmZ3X/Q
-HpCJAjE365MFD+tnjcv2qBfNoAnBkzYrLVqbQ1AvdVeJxyl2qSGxCPL9V80DCe5G
-LnwOuuBMtbaro45/BtYUk2N+/2H5eeLPguNphigNTtyMpta412s458Z0WEuo+liK
-R6kGmBEQDzHxGG/2JYAeqi9vyT0b4GCwpMJSaVBCx6vX+Ik6TIPuLOfjV8W8K7We
-ub3fZ0FuUEJTUgqEk2m77P0Qtqn4aDp/AoIBAQDXI66F4POHVOPI/j584sSLhW6X
-j5VzFlmOhpyoourPYXsKyIFrLa/gYAe/wNH/5jg3Ap5DbBVZB87gOkaMz2oV+ZQ/
-5IWiFmiUxGrCXmWyI6Eqr2DUtSKispLnQ043bFN+HlhfQYTwD9ijqpwpUt/sC+IJ
-mLIGJs5B3cdcRQuSxh1HpvSJOuItjp0wfcGj3+RPh5cPdjHZW30FHGFomOk//6BO
-nWdoYUGrN9wXylDOHvlkYaP2Uj5rCWm51ZGaxzJR9S+WkHdNBzyygpGtEXdSAIzU
-tHufKwQdDnj22w8KSCvQ+KvwUn9UrIR5LyGKiYGWved9X2EQzIFC4dJ8h30G
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 991ae4368..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 03b57243b..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,55 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
-bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
-NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
-HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
-A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
-4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
-2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
-ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
-dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
-sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
-kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
-YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
-qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
-HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
-UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
-xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
-Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
-/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
-Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
-Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
-9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
-9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
-ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
-XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
-e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
-99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
-AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
-YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
-c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
-ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
-hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
-71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
-/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
-lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
-8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
-RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
-Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
-xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
-PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
-6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
-c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
-MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
-vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
-RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
-uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
-inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
-CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
-8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
-9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
-cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
-d/Fp6btmZH31IEyJrRNVOpCwZPI=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index e83798c07..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,46 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIINTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
-b25zdGVyIENBMB4XDTA5MDMyODE0MDcxNloXDTM5MDMyMTE0MDcxNlowWDELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
-bnN0ZXIxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggIiMA0GCSqGSIb3
-DQEBAQUAA4ICDwAwggIKAoICAQC/9647SgAcK/or/Qs/3cRc19po7oex5EBdPR7b
-vInAuzrVMK84+ifneBWscVhBnxcUI37D0SpKx0onrdskMOyv5nmkdcgQf8931eip
-scNsw8bC8MJsbc5Jfn3DKPurbKK2/uFFE8ot7S65HY9tVBsxKsrjS5YFPE+DKKP+
-BgVk/9hL0Kqq2iKuWTq8YTRMu5iskpLIxqvuz362G46BKoW52pFegeDzpz/Bs/7y
-0oWPRcNcuRQR5XFTpF2L3UosniMkr7aYU5Z8s7IqiEx7txGh5SxRB+TYIZwB1ODa
-L+bnclQeMsBiFqlO9UI38UaxEQgk/+UhgpaX/DPrZg8KJmjW3e+x8xcwL3ouRLy2
-2Z99WMnV6TlwpTKj24EQJALmLG+UJG+hbV9P9j6Mkql3FHb4aLZH71CvyCqeg2yh
-FGiuaGEe8vS9+Dj5LKv8hSbBe/MSQDiPhKT1gb84TiQMsWfxLN7oDXunohnhMZfu
-sydB/c/R/ooA5ri+lE5c65bP2Mk+ml61p6z7lJv+DXBDXW/o4v8Imjx2OMsL85LZ
-vYWJppdJrThd/m4OVnCXYfuHMZqedsIvNR5blnldATLBjWWbeoKhOyqZb8hZ6HFR
-dlJ11LhxnGg9itG385L3Espl+EVcakWBZWrOn5/LGNKZH3UedclEBNci6lSadZaP
-/UfRCwIDAQABo4IBGDCCARQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
-BBYEFOQpYirU7vrMZUWDkqDijTPuhPQiMHgGA1UdIwRxMG+AFBlirZarxvvXjxDE
-Vv9AYyJCcHYOoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
-b25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5L
-ga4wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzBBBgNVHR8EOjA4MDag
-NKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tbW9uc3Rl
-ci5jcmwwDQYJKoZIhvcNAQENBQADggQBAAEsjsebEspAIANEBVWRjRpowIJlVSLf
-WKzblIPlhClXafHGJbhiamdtS2FmEh/rkzz3Ml+9cJy1KnB1Pn6+4JLSJe5xAywK
-lKTT2iY0KDdOsaK5j+CNJ2tW9NrJPxwtIz+nGGqqyyEUPJE1FYxphbLgmwFNBm2o
-HyeUVYI+gyfmhyHaXHKOmbsDG0o+pUX2tVOs0KdyU6deaAtEf1E6aA5TpCAi1OZs
-pdRDXFUfjdekRkfRr1PZ41Xwk3t6E32YhIE++r7QneQPhXymxVO9nepmpuSoHvlX
-Hb4JN2EQ0zCkkkOfqCuF46zVxsR46/3cfKbRsaVmdfGjvmDSCDI47AreluYiPTGA
-zN4XN91Y5rPZuT9OJYV4UrYv9N1jH5StVmSz19rbYOeozJXX0PBjdCKHEonD1FHY
-xWRpijVUG6NWVLKpvdg3RiFw78wIrNPAeVDvLL+112nbszNDNLSoOJjOUBySHJda
-WYFtg2IoAUis9r/o7uykNcC6KiU4Y1nC8PEIhMi4AMA9UgBCn4ixYtHI9jkfHcrD
-O1kvPRUo3hKzrhftLYtfiBfTEh+3Xab615lt5vNNhdI7d4knqUXvVdURtvlfJLZv
-W0YdvwjJtrVJAiCtX3wyxy72O1ZOG5kHCcK5oHUHg5W172rK9hK4LByk5ESqtc/t
-YDG7TmZLtUceV5yK4gz7pwIwXthA8yayRy+lbk8BFxRMfOEfb6rPdm0vvmPpHHDu
-yHR5SJTgpGo+/I8N1zS6PNeUBh0RAbSnxHJSMLn+GYTs8s6Atnq05SIuVYxvXyAQ
-ULf+ppNN5lngSZHPaOFJNpC1QL1+DdMNueDITVxYx5DV8SkWRPhzS77tsYeUxVGI
-IpUVEqSggGe6Q4YWv2smAjSeqaS5HNGxstE+Ybat/cp9QMbLc7gwKxwRQHhVRZ5O
-0rVq2bZUyly8y4wX8G8WFMNuCoAcHAdMvKh4JtmdDDZlbxdC2mSVbLSuTBfGvKc1
-ScwOBtSqQkm9PsTMitZM31s97WJLQIZbq82g2ns7hfEXMMIgzcFLYlM1SovbDZI5
-ZM63NBVTaKyj+Gxy8FcAPBPtPWwAQT+Gdi8gFwtcEilTOBECL5y0hzlL9aJpsJEq
-4KV5nnM5rutUufiYzQMZqME3g9VWk0kQteVpa4x+4zsKH9lJSSS/y0eCo/jArS8l
-HSmzUDkj2cWmf/azdrcig7g/mHeEbKu1JH1X5lRdZekqcRCW6v1OjP025B/5nSnL
-WYPUI9RLb01fmPjWdrc4+hPnHjePp8w6tuM6U6huMCwstnOel6d2FL5hOWvXNmIH
-I+8zv7SHhIWQmUbC0YQn8BFqvqDC08In5x42YiTe+42YEtafkTkbY8o=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 6d39ac084..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAv/euO0oAHCv6K/0LP93EXNfaaO6HseRAXT0e27yJwLs61TCv
-OPon53gVrHFYQZ8XFCN+w9EqSsdKJ63bJDDsr+Z5pHXIEH/Pd9XoqbHDbMPGwvDC
-bG3OSX59wyj7q2yitv7hRRPKLe0uuR2PbVQbMSrK40uWBTxPgyij/gYFZP/YS9Cq
-qtoirlk6vGE0TLuYrJKSyMar7s9+thuOgSqFudqRXoHg86c/wbP+8tKFj0XDXLkU
-EeVxU6Rdi91KLJ4jJK+2mFOWfLOyKohMe7cRoeUsUQfk2CGcAdTg2i/m53JUHjLA
-YhapTvVCN/FGsREIJP/lIYKWl/wz62YPCiZo1t3vsfMXMC96LkS8ttmffVjJ1ek5
-cKUyo9uBECQC5ixvlCRvoW1fT/Y+jJKpdxR2+Gi2R+9Qr8gqnoNsoRRormhhHvL0
-vfg4+Syr/IUmwXvzEkA4j4Sk9YG/OE4kDLFn8Sze6A17p6IZ4TGX7rMnQf3P0f6K
-AOa4vpROXOuWz9jJPppetaes+5Sb/g1wQ11v6OL/CJo8djjLC/OS2b2FiaaXSa04
-Xf5uDlZwl2H7hzGannbCLzUeW5Z5XQEywY1lm3qCoTsqmW/IWehxUXZSddS4cZxo
-PYrRt/OS9xLKZfhFXGpFgWVqzp+fyxjSmR91HnXJRATXIupUmnWWj/1H0QsCAwEA
-AQKCAgAn3928CQH+2A+uBXDJwlngYyHF/A4JoHzSITkAsaf3dayhzewHrMaPKP1v
-hVeswcv8becN66uaPs0jctR7LwJrAzevNpvo+XNx0+fxH7CVLhFiOrpX5XMdBv4+
-hIvKLtWZp1XJkHPFmGfFIePB9N91FgtwrSmrSrzFZLKzuDJ0qUQXc2+P76GWj4hI
-yvQfIDR1XDjLJaFfCJCsaQrvv5JpaYIanGXKlqoCpU3GyH3fpcEPyI3nrb4dfp3D
-yKJ4pBxuqWUHPQ2cN4NBnHAunnc2JrFO35HkZw7Nvpc6GwsedjwMzcPyW/ytHvqz
-PhXN/9iuPs0sacC4LzXlppxnIlVSOCoLUpyoe8zXxDJBLsU7d+zDnXZ/1guviHz+
-x4RsEKjlXcvsvnZGAy0pUzOEXIfmWOOSlA7iqkbPNud9nBS4YnOtiZIowLj6893k
-rN1GQ/jw7szBkNh5vjdZT7HAIhlBwyQI3hRJX/h0hdUPNiPW4/j9W94JWcRxk0tO
-vZq7mcTtJ8OFlsNyO12KgFIjT+Gwz7tmNrN+Of98pOt9jRN7hhxY8sQosmW1nePZ
-HuWR52CVShXX/N2d/09hwf48xjYBjF3Mjxc8ySIyERdcWqsWx3j5WaB8rEAAuMcF
-/gY5bb4Oc1MAUtX8aMidvKfVW0Owapj/ApgyOmGbO6YEQCKSIQKCAQEA6hbs2JoD
-8u9sCaabRKNxqnjzXzB7JrR1PKyOjp3Iiku29W1VQ/TMRUpO63LsE3lbv/3RIvi1
-wZN/dFhWC9wOY85iDUci5ZI0QcZA0OIQ/uetrE5/FBOmH9MVIQEXnGHSNPHUWMqk
-EBrykyt+7RMEb7Kldm0V57MesO1FA0y81+UCJP01KZM0D7Nq1Eb6GfNLENah3Fk2
-wHk6g36O1nMAEyjHvS+ht8C0rzNXIqCnkeAuxxAfJde9TYpuW7oCt1JEeh2VAmOO
-7QESq2x0OrPKLCUs00y5k0I9eqvAaQfCC6EcdiX7FyAfX5n5Vf5FbfbWhf9oheno
-CQ0uai4v1uqX2wKCAQEA0e91hlukBO2InB9j+54R3XA0buCr/eQFqJ4sAjgL9GCk
-n09tfytH/nLPw/g/l7snyVmGW3uZfmkOqnTP9Yfbx1dU0pPRN11qM9QG6YH+Odkv
-D+LpRnYRjj7QxQJQbGy+2IZN8cmtpJQziSmQMNZU/YoDpq7wYNVhwnP0Z3ZgUo3d
-GfRPbGw951dOAK0Z6S61+mXSQE9JhZBo49zOrmkgLa1fmLfJoukmz4MTZqoWFffq
-+1Q4vdYgRS8ToT2Rmba+7s4UAmVKyACEw8WEyjH3TXxd6tQy/smzcD0Vgg7Ghvg7
-Vs5ion9HcqDEcQ1YWvMDWPD/x4fyVgu4v2QW/k/KkQKCAQBPb04ZxlG2u1YfBEFG
-DmyA26BCWfJAVRY/a5LIhHRLsZu5NsurTsOOc8PKE+pWRWVEBj5Urq8GrCWg9mTk
-i1z6s0sElHIcEvvWog7WkxAPX9DIWq62wmAqBnfyBivb7jnlq3ZSVxlLOcm89RKS
-IlTsDmQlhqjbQiYVBb7Yes7OODD9GktS+1e8SDblJ9ywt6VuZlbwrfltYPXhLy4L
-SWTqG3mEEki/UQ4/MZ3M61VRpBBbjnXzYn0jdekzCTDowmroQWeSMvSKKkYKk7fx
-P5dIWakXXr7OYLj6CpQ1T+OiDJ7a3NKSq1zaFSbN7oXi5dMwD1aJsrEBeU6Zy2iC
-doLnAoIBAQCzC716J7JNmaCHNqZ5NKkb6NRvNCK72LuSwcPa6J4ZgEsmrAFBElLG
-inj0NEdYSwB102qpn1Kb41HkwteSGpqw+qSXLAalZ4BqT4zNnlaKU9a1f9tggtYa
-MSywuXaJ4n0qAfF8I3t7AAKsGsylOkcmLY1LnavZimNkCq0JiIZCIkfOGPWcDP0G
-zwjxvrB4laQSuMCGpJiZ1z3+CJYlXfdZvaHoh+bqkFrPZIUpbCqF9fls/Lmf/n1r
-Q+lD/VSuepOA7DVYjbcnuHmC1nSYVeELLuSSoQQVFUV6lj4/vAZJmnBRapfo6xCu
-jLq9iJowh031jyU2sZVXGYwpf12066xhAoIBADCtIvqwfy9pcqYs8PQMQTbDuz3G
-ZCe3E5SLJ00gk/PBVJihOYvdKgwoZAyWdWxOPDKzBJAaJBgpmpWKeX3k92HgLxyi
-50zKogbCc49mz2c6kRC13SviPAjO1XuM+FKo50AICenauu21/ZeMYuLt9gxnhEo5
-kkIYhD0irfTw5MMEKITAs71iB74Lxm9gv/+jOwsgoP23k562NHnIvPdbDzbR/ROD
-xb/3DsGbB4kmUXoLlWxradiZGczPddki+bMI4meMs8oH+XP14KyGqWC8LSuBDg8Y
-fADibXSIAHobiN+KhDtWz9Wnhtch9C8Q5+JDjixdspcn4lkMdMK532v/FBM=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/after-2038-certs/posttest.dat b/testing/tests/ikev1/after-2038-certs/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/after-2038-certs/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/after-2038-certs/pretest.dat b/testing/tests/ikev1/after-2038-certs/pretest.dat
deleted file mode 100644
index 4921d5097..000000000
--- a/testing/tests/ikev1/after-2038-certs/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1
-carol::ipsec up home
diff --git a/testing/tests/ikev1/after-2038-certs/test.conf b/testing/tests/ikev1/after-2038-certs/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/after-2038-certs/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-3des-md5/description.txt b/testing/tests/ikev1/alg-3des-md5/description.txt
new file mode 100644
index 000000000..4c39d0b04
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
+<b>3DES_CBC / HMAC_MD5_96</b> by defining <b>esp=3des-md5-modp1024!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
new file mode 100644
index 000000000..abd29e97e
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
@@ -0,0 +1,15 @@
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
+carol::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..11874bbe4
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=3des-md5-modp1024!
+	esp=3des-md5-modp1024!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..41fb1f7db
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=3des-md5-modp1024!
+	esp=3des-md5-modp1024!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-3des-md5/posttest.dat b/testing/tests/ikev1/alg-3des-md5/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat
new file mode 100644
index 000000000..4fc25772b
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-3des-md5/test.conf b/testing/tests/ikev1/alg-3des-md5/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt
index 7b14287f7..24b50b909 100644
--- a/testing/tests/ikev1/alg-blowfish/description.txt
+++ b/testing/tests/ikev1/alg-blowfish/description.txt
@@ -1,4 +1,6 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
-<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>BLOWFISH_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
+encryption.  Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index 4ea613d3d..cd83c56b4 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
@@ -1,11 +1,17 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
-carol::ip xfrm state::enc cbc(blowfish)::YES
-moon::ip xfrm state::enc cbc(blowfish)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
+
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 57394c27a..db409be43 100755..100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=blowfish256-sha2_512-modp4096!
-	esp=blowfish256-sha2_512!
+	ike=blowfish256-sha512-modp2048!
+	esp=blowfish192-sha384!
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
index 4dbdc67b3..1f0fd41a8 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
+charon {
   dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..fd3343c1a
--- /dev/null
+++ b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=blowfish128-sha256-modp1536!
+	esp=blowfish128-sha256!
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1f0fd41a8
--- /dev/null
+++ b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 427c5d180..f3c84ece8 100755..100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=blowfish256-sha2_512-modp4096!
-	esp=blowfish256-sha2_512!
+	ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
+	esp=blowfish192-sha384,blowfish128-sha256!
 
 conn rw
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
index 4dbdc67b3..1f0fd41a8 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
+charon {
   dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat
index c6d6235f9..1865a1c60 100644
--- a/testing/tests/ikev1/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev1/alg-blowfish/posttest.dat
@@ -1,2 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 5e1e80e1d..8bbea1412 100644
--- a/testing/tests/ikev1/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
@@ -1,6 +1,9 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index 6abbb89a9..f29298850 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
-
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
index 0f71ba5f5..8230ee30c 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::MODP_2048_224.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024_160::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
index 944524020..15b6ec831 100755..100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
index a9de84e91..b3f765477 100755..100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
index 424f78bb4..192df5abd 100755..100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/alg-modp-subgroup/test.conf b/testing/tests/ikev1/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-sha256-96/description.txt b/testing/tests/ikev1/alg-sha256-96/description.txt
deleted file mode 100644
index c5ab23e51..000000000
--- a/testing/tests/ikev1/alg-sha256-96/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_96</b> with 96 bit instead of the standard 128 bit
-truncation, allowing compatibility with Linux kernels older than 2.6.33
-by defining <b>esp=aes128-sha256_96!</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256-96/evaltest.dat b/testing/tests/ikev1/alg-sha256-96/evaltest.dat
deleted file mode 100644
index 6e8715b1f..000000000
--- a/testing/tests/ikev1/alg-sha256-96/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 2d6f87b17..000000000
--- a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256_96!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b2a686db0..000000000
--- a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256_96!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-sha256-96/posttest.dat b/testing/tests/ikev1/alg-sha256-96/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/alg-sha256-96/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha256-96/pretest.dat b/testing/tests/ikev1/alg-sha256-96/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/alg-sha256-96/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/alg-sha256-96/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt
index 628101921..826a8f10b 100644
--- a/testing/tests/ikev1/alg-sha256/description.txt
+++ b/testing/tests/ikev1/alg-sha256/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
-<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
index 00fcb8862..eba856742 100644
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha256/evaltest.dat
@@ -1,12 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
-
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
index 66476b83e..73e25710b 100755..100644
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,14 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256!
+	esp=aes128-sha256-modp2048!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
index 2b97ff4f3..0a6f48e69 100755..100644
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256!
+	esp=aes128-sha256-modp2048!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev1/alg-sha256/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha256/posttest.dat
+++ b/testing/tests/ikev1/alg-sha256/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat
index 7d077c126..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha256/pretest.dat
+++ b/testing/tests/ikev1/alg-sha256/pretest.dat
@@ -1,5 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha256/test.conf
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha384/description.txt b/testing/tests/ikev1/alg-sha384/description.txt
index 251e2e6a2..2255fe8fb 100644
--- a/testing/tests/ikev1/alg-sha384/description.txt
+++ b/testing/tests/ikev1/alg-sha384/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and 
-<b>AES_CBC_192 / HMAC_SHA2_384</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
index 4da5ec5e7..3b24217c5 100644
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha384/evaltest.dat
@@ -1,12 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
-moon::ip xfrm state::auth hmac(sha384)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
-
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
index 42df1dccd..6f1519f2c 100755..100644
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,14 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384!
+	esp=aes192-sha384-modp3072!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
index a75d370aa..919ee9b09 100755..100644
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384!
+	esp=aes192-sha384-modp3072!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev1/alg-sha384/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha384/posttest.dat
+++ b/testing/tests/ikev1/alg-sha384/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat
index 7d077c126..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha384/pretest.dat
+++ b/testing/tests/ikev1/alg-sha384/pretest.dat
@@ -1,5 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha384/test.conf
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha512/description.txt b/testing/tests/ikev1/alg-sha512/description.txt
index adfc548b8..bf79a3bff 100644
--- a/testing/tests/ikev1/alg-sha512/description.txt
+++ b/testing/tests/ikev1/alg-sha512/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>AES_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat
index 7e928d30b..6bdceeb44 100644
--- a/testing/tests/ikev1/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha512/evaltest.dat
@@ -1,12 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
-moon::ip xfrm state::auth hmac(sha512)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
-
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
index 329de395c..79272111c 100755..100644
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,14 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
-	esp=aes256-sha512!
+	esp=aes256-sha512-modp4096!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
index 8da459a8a..bdfcb4e4d 100755..100644
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
-	esp=aes256-sha512!
+	esp=aes256-sha512-modp4096!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev1/alg-sha512/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha512/posttest.dat
+++ b/testing/tests/ikev1/alg-sha512/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat
index 7d077c126..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha512/pretest.dat
+++ b/testing/tests/ikev1/alg-sha512/pretest.dat
@@ -1,5 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha512/test.conf
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/attr-cert/description.txt b/testing/tests/ikev1/attr-cert/description.txt
deleted file mode 100644
index b7f809c36..000000000
--- a/testing/tests/ikev1/attr-cert/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b>
-is granted to members of the group 'Research' whereas <b>venus</b> can only
-be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors
-<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting',
-respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
-can reach <b>venus</b>.
\ No newline at end of file
diff --git a/testing/tests/ikev1/attr-cert/evaltest.dat b/testing/tests/ikev1/attr-cert/evaltest.dat
deleted file mode 100644
index c6c3c66c3..000000000
--- a/testing/tests/ikev1/attr-cert/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::alice.*peer with attributes .*Research.* is a member of the groups .*Research::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::venus.*peer with attributes .*Research.* is not a member of the groups .*Accounting::YES
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::venus.*peer with attributes .*Accounting.* is a member of the groups .*Accounting::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::alice.*peer with attributes .*Accounting.* is not a member of the groups .*Research::YES
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a84b3a6b2..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index ce3903596..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 11cf4d5d1..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightgroups=Research
-	auto=add
-	
-conn venus
-	leftsubnet=PH_IP_VENUS/32
-	right=%any
-	rightgroups="Accounting, Sales"
-	auto=add
-	
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
deleted file mode 100644
index 61d1c34e2..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDIyNzIxMDUzMFoXDTE1MDIyNjIxMDUzMFowZjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
-cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKw0NWg8FpkrWoItNzexEiaS
-dESF+blw2+2y51vVmbDk9edfJcjkzBNIEvY/0GXODmcthjExiTNgmNuCdQwapCHx
-p39HaD902rzmvflI40dZTmlFcn0Pp41wNbvjVaOpn7f6Mov68YmsoLQr47+OU6sn
-d3c8rx+BXO4g6YyRB0xpwB2kfO34FZh7FwOe4sVAJu5E7urK0hij2W1+adZNFg7K
-SP2i7llfooxWpS+6Vi6ZjuJ/dcGyvXpXnr0H2x58sZeaB5n8Ay+mhPDX72xXfwEm
-s7fztkhqmmix2TVEH96dR99ouCENF1Cm8OCbR1kkhWReL6P0tCbirbwFbZxKtOUC
-AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFEvO
-LmT1B7kU0IJsJtK+0nZMwxXgMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
-Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
-QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
-b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAI2K
-atqWeSWcxmcylrBJXkXDOsZtFZAE/kGWD5+T/lDFzE5D0GeDWfHehojtooWGpnL3
-u7xo3h3+qVliYcCFy1zKtPE0lwkBWKFPSw4UNfOmaF4De6Tp1V6FSQE9JPNpcTL/
-aPWFkX69Py8elR8OIsXPlFtOfTbtjZxoGuLNn7BX1XjctG5iIhKs/3TVMdzcyjVL
-wKiDE1xq8/Es2pPTgvF8jk7VcNyIGhrlj1IYq35h0RKTSXTCRlczf+lzoPo6Duov
-G0r/8VLpI4bBmKN4cIvaRCa4zew8SWpJzg/06zm2QT8eEJVVB499usVf9OVS3Qa5
-8mcNXcKmqcyP2Tlnvbo=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
deleted file mode 100644
index 250441ad0..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArDQ1aDwWmStagi03N7ESJpJ0RIX5uXDb7bLnW9WZsOT1518l
-yOTME0gS9j/QZc4OZy2GMTGJM2CY24J1DBqkIfGnf0doP3TavOa9+UjjR1lOaUVy
-fQ+njXA1u+NVo6mft/oyi/rxiaygtCvjv45Tqyd3dzyvH4Fc7iDpjJEHTGnAHaR8
-7fgVmHsXA57ixUAm7kTu6srSGKPZbX5p1k0WDspI/aLuWV+ijFalL7pWLpmO4n91
-wbK9eleevQfbHnyxl5oHmfwDL6aE8NfvbFd/ASazt/O2SGqaaLHZNUQf3p1H32i4
-IQ0XUKbw4JtHWSSFZF4vo/S0JuKtvAVtnEq05QIDAQABAoIBAQCbfhUPhtp8+imi
-zANFFW2nSK0VxsgEi4T7MIU6Zjh+A3CLuF2c9gPUEUuV8W9SzeoxfmjieLFDpCDC
-bR0VjeTRBazR//+A9RoiYlP+CbO4FEr6QYwsovsPetf6TT9iJeMjtBb6UODTCP6f
-UdY3fOPN8zgrga87yorINw3MMJSfiI21zSzCkueOQloktBgih5Wueu8FDFUB2fVa
-uLTUa+wOhXUBPyF5OXLox5TxE6gBPkiUsnNXP8X/kHLPk2iBQmdxz+uwG/Pz6pS2
-JsmX2WzFJ0+Rj4cJpoa4Ev5uAx79kcXnQT3d5/HIwuh7ZEMKorb1m8w8lhAW4ARU
-ddjhLkWhAoGBAOCpDGfLwQHWVejOcjEwfWts0hHLdlNfZEgsLSex2k/U6Mk1TjCo
-tAHQOvmqxZDxypJEem3RPaWZh+gttTpHvGkS9fsvTpyARcDp0FXI40hwARPsnMbI
-0fDmpVfOOLZdQKMDg42TrZC/mipU68gFP/rYC7xalJs0pe0LL3ffsSC5AoGBAMQ5
-3V6nuucpL87I0fKg56z0/3lcRxI46KuIXhHSAjxNb76cQuxiK8s5TPCot3Unq6GQ
-R7Y+dYd1FVEh2i3Q7/Yh/BSeYiDcDf5aELCwY32O/OnSSoNTbgGR5FT+/SHJK5bg
-j/O5S7+dajqtC2JZJl8smOeB5c187bc4FU72+6eNAoGAZUiRSTI434Ur0ftQzBBa
-WtYClvctb0TwRwFzkhPCon8QO7YGfDVygebIz8pHq6L2ep7Yuy28Jy5icTA6Jf41
-WQGtWALp4/CIggJnZGVe4kdslPj1bUEYNQ0mucFFHCJKg7OP2YIcm8dlz3PdoJ2N
-TJ+eGtqTaK2BqK6ERfzZNDECgYBbVTOcYyWzgpAmB4LxE8PB1Sc0LadG7AYgERD3
-6m/v8XsZlVHxBKCtrrYJLf52IUjZonY+dUPvEKgjY0ZSHPYT8i2Ky02RTduVkAZE
-t1UXk/5UNvVHuwVw5Z8JkMXxe9k2GL/oCU8gmPxg4zpxRF1/3xosZ2G3C3b52LjS
-UFNB4QKBgDX2UmLgRHAXDsmksNZaMUSNk+xws0B1M/EDd9h7e79ilENkOPDLo5+E
-z22WPNrgzKEUz44FZZOsislfPE7ffgQcRTxtNWqoElwxuHLuy46jaReL7zJSDtpv
-wtn4YoOpH0DnC994nziTQif33FBF/2o8hWoq4vcXKNSMGTwGzi/a
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
deleted file mode 100644
index f212e19cf..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
-bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ
-ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8
-k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG
-IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G
-gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX
-Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB
-ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394
-8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3
-jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr
-DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU
-8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o
-StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M
-qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+
-1PdgEy1K
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf
deleted file mode 100644
index 134218eec..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf
+++ /dev/null
@@ -1,4 +0,0 @@
---cert /etc/ipsec.d/aacerts/aaCert.pem
---key /etc/openac/aaKey.pem
---quiet
---hours 8
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 1a47aeb7d..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-openac {
-  load = sha1 sha2 md5 pem pkcs1 x509 gmp random x509
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/attr-cert/posttest.dat b/testing/tests/ikev1/attr-cert/posttest.dat
deleted file mode 100644
index a59c3ff63..000000000
--- a/testing/tests/ikev1/attr-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/openac/*
-moon::rm /etc/ipsec.d/aacerts/aaCert.pem
-moon::rm /etc/ipsec.d/acerts/*
diff --git a/testing/tests/ikev1/attr-cert/pretest.dat b/testing/tests/ikev1/attr-cert/pretest.dat
deleted file mode 100644
index 3c7fb5dc6..000000000
--- a/testing/tests/ikev1/attr-cert/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::cat /etc/openac/default.conf
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem 2> /dev/null
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/attr-cert/test.conf b/testing/tests/ikev1/attr-cert/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/attr-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat
index ff72e1762..2ec840c68 100644
--- a/testing/tests/ikev1/compress/evaltest.dat
+++ b/testing/tests/ikev1/compress/evaltest.dat
@@ -1,10 +1,9 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::policy.*COMPRESS::YES
-carol::ipsec statusall::policy.*COMPRESS::YES
-moon::ipsec statusall::comp.::YES
-carol::ipsec statusall::comp.::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
 carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org >  carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
index f5050fef1..291b8cc93 100755..100644
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index aaf13f5fc..28cf2d1c0 100755..100644
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/config-payload/description.txt b/testing/tests/ikev1/config-payload/description.txt
new file mode 100644
index 000000000..ff6928e89
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/config-payload/evaltest.dat b/testing/tests/ikev1/config-payload/evaltest.dat
new file mode 100644
index 000000000..b46dfddf6
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/evaltest.dat
@@ -0,0 +1,26 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..5a77f8707
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0e4e57729
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6ea2d2bb1
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..0e4e57729
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..819a25437
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn rw-carol
+	right=%any
+	rightid=carol@strongswan.org
+	rightsourceip=PH_IP_CAROL1
+	auto=add
+
+conn rw-dave
+	right=%any
+	rightid=dave@strongswan.org
+	rightsourceip=PH_IP_DAVE1
+	auto=add
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..002166a54
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev1/config-payload/posttest.dat b/testing/tests/ikev1/config-payload/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat
new file mode 100644
index 000000000..3864bdac3
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/config-payload/test.conf b/testing/tests/ikev1/config-payload/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/crl-from-cache/description.txt b/testing/tests/ikev1/crl-from-cache/description.txt
deleted file mode 100644
index 17866f572..000000000
--- a/testing/tests/ikev1/crl-from-cache/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
-an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
-their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
-the certificate received from their peer.
diff --git a/testing/tests/ikev1/crl-from-cache/evaltest.dat b/testing/tests/ikev1/crl-from-cache/evaltest.dat
deleted file mode 100644
index bdceddb79..000000000
--- a/testing/tests/ikev1/crl-from-cache/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::cat /var/log/auth.log::loaded crl from::YES
-carol::cat /var/log/auth.log::loaded crl from::YES
-moon::cat /var/log/auth.log::X.509 certificate rejected::NO
-carol::cat /var/log/auth.log::X.509 certificate rejected::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file::NO
-carol::cat /var/log/auth.log::written crl file::NO
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index bb1879b1d..000000000
--- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index ec0bc2e88..000000000
--- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-from-cache/posttest.dat b/testing/tests/ikev1/crl-from-cache/posttest.dat
deleted file mode 100644
index be17847c1..000000000
--- a/testing/tests/ikev1/crl-from-cache/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-from-cache/pretest.dat b/testing/tests/ikev1/crl-from-cache/pretest.dat
deleted file mode 100644
index acdb265ed..000000000
--- a/testing/tests/ikev1/crl-from-cache/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::wget -q http://crl.strongswan.org/strongswan.crl
-moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-carol::wget -q http://crl.strongswan.org/strongswan.crl
-carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-from-cache/test.conf b/testing/tests/ikev1/crl-from-cache/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-from-cache/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-ldap/description.txt b/testing/tests/ikev1/crl-ldap/description.txt
deleted file mode 100644
index 02dc0cbbe..000000000
--- a/testing/tests/ikev1/crl-ldap/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
-available, the Main Mode negotiation fails. A http fetch for an updated CRL fails
-because the web server is currently not reachable. Thus the second Main Mode negotiation
-fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b>
-is triggered. When the third Main Mode trial comes around, the fetched CRL has become
-available and the IKE negotiation completes. The new CRL is again cached locally as a
-file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat
deleted file mode 100644
index 80a84e1ef..000000000
--- a/testing/tests/ikev1/crl-ldap/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::cat /var/log/auth.log::loaded crl from::YES
-carol::cat /var/log/auth.log::loaded crl from::YES
-moon::cat /var/log/auth.log::crl is stale::YES
-carol::cat /var/log/auth.log::crl is stale::YES
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file::YES
-carol::cat /var/log/auth.log::written crl file::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 571459bae..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 5a7668c64..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=2
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
deleted file mode 100644
index 75e8b0959..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+++ /dev/null
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 8de514a2e..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1b80c0ddd..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=2
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
deleted file mode 100644
index 75e8b0959..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+++ /dev/null
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/crl-ldap/posttest.dat b/testing/tests/ikev1/crl-ldap/posttest.dat
deleted file mode 100644
index bddd87424..000000000
--- a/testing/tests/ikev1/crl-ldap/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-ldap/pretest.dat b/testing/tests/ikev1/crl-ldap/pretest.dat
deleted file mode 100644
index 64fa8116b..000000000
--- a/testing/tests/ikev1/crl-ldap/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
-carol::sleep 3 
diff --git a/testing/tests/ikev1/crl-ldap/test.conf b/testing/tests/ikev1/crl-ldap/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-ldap/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-revoked/description.txt b/testing/tests/ikev1/crl-revoked/description.txt
deleted file mode 100644
index 780068ce6..000000000
--- a/testing/tests/ikev1/crl-revoked/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current CRL is available, the Main Mode negotiation fails
-and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
-When the second Main Mode trial comes around the fetched CRL will be available
-but because the certificate presented by carol has been revoked,
-the IKE negotatiation will fail.
diff --git a/testing/tests/ikev1/crl-revoked/evaltest.dat b/testing/tests/ikev1/crl-revoked/evaltest.dat
deleted file mode 100644
index 0fd1cae8c..000000000
--- a/testing/tests/ikev1/crl-revoked/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 77f6cfcb0..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolRevokedCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644
index a92610c4f..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
-lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
-e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
-Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
-+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
-TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
-ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
-jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
-nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
-6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
-cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
-q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
-0xafBd5x
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
deleted file mode 100644
index 60e7fdfa9..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
-msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
-AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
-hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
-dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
-dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
-fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
-Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
-M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
-0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
-oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
-VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
-ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
-VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
-I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
-bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
-yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
-u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
-dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
-coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
-VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
-YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
-lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
-95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
-b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 8e31be4cb..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolRevokedKey.pem
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1c011dccb..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-revoked/posttest.dat b/testing/tests/ikev1/crl-revoked/posttest.dat
deleted file mode 100644
index d742e8410..000000000
--- a/testing/tests/ikev1/crl-revoked/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/crl-revoked/pretest.dat b/testing/tests/ikev1/crl-revoked/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/crl-revoked/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-revoked/test.conf b/testing/tests/ikev1/crl-revoked/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-strict/description.txt b/testing/tests/ikev1/crl-strict/description.txt
deleted file mode 100644
index 97011482e..000000000
--- a/testing/tests/ikev1/crl-strict/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current CRL is available, the Main Mode negotiation fails
-but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
-When the second Main Mode trial comes around, the fetched CRL will be available
-and the IKE negotiation completes.
diff --git a/testing/tests/ikev1/crl-strict/evaltest.dat b/testing/tests/ikev1/crl-strict/evaltest.dat
deleted file mode 100644
index 1d7adb05e..000000000
--- a/testing/tests/ikev1/crl-strict/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index b4bc2101c..000000000
--- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1c011dccb..000000000
--- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-strict/posttest.dat b/testing/tests/ikev1/crl-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/crl-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/crl-strict/pretest.dat b/testing/tests/ikev1/crl-strict/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/crl-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-strict/test.conf b/testing/tests/ikev1/crl-strict/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-to-cache/description.txt b/testing/tests/ikev1/crl-to-cache/description.txt
deleted file mode 100644
index 9f542e73d..000000000
--- a/testing/tests/ikev1/crl-to-cache/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
-via http from the web server <b>winnetou</b> is saved locally in the
-directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
-and the gateway <b>moon</b> when the IPsec connection is set up. The
-<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
-is used as a unique filename for the cached CRL. 
diff --git a/testing/tests/ikev1/crl-to-cache/evaltest.dat b/testing/tests/ikev1/crl-to-cache/evaltest.dat
deleted file mode 100644
index be7737185..000000000
--- a/testing/tests/ikev1/crl-to-cache/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 3fbad9070..000000000
--- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	cachecrls=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 0b9f891bd..000000000
--- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	cachecrls=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-to-cache/posttest.dat b/testing/tests/ikev1/crl-to-cache/posttest.dat
deleted file mode 100644
index be17847c1..000000000
--- a/testing/tests/ikev1/crl-to-cache/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-to-cache/pretest.dat b/testing/tests/ikev1/crl-to-cache/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/crl-to-cache/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-to-cache/test.conf b/testing/tests/ikev1/crl-to-cache/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-to-cache/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/default-keys/description.txt b/testing/tests/ikev1/default-keys/description.txt
deleted file mode 100644
index 639e909da..000000000
--- a/testing/tests/ikev1/default-keys/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
-and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the UML testing environment does
-not offer enough entropy, the non-blocking /dev/urandom device is used in place
-of /dev/random for generating the random primes.
-<p>
-The self-signed certificates are then distributed to the peers via scp
-and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev1/default-keys/evaltest.dat b/testing/tests/ikev1/default-keys/evaltest.dat
deleted file mode 100644
index a18e3997e..000000000
--- a/testing/tests/ikev1/default-keys/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/auth.log::scepclient::YES
-moon::cat /var/log/auth.log::scepclient::YES
-carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
-moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4d5bff62c..000000000
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=selfCert.der
-	leftsendcert=never
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=peerCert.der
-	auto=add
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 13ad3063f..000000000
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index dd7ae0b20..000000000
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn carol
-	left=PH_IP_MOON
-	leftcert=selfCert.der
-	leftsendcert=never
-	leftfirewall=yes
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightcert=peerCert.der
-	auto=add
-
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/default-keys/posttest.dat b/testing/tests/ikev1/default-keys/posttest.dat
deleted file mode 100644
index 8cada5e7e..000000000
--- a/testing/tests/ikev1/default-keys/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/default-keys/pretest.dat b/testing/tests/ikev1/default-keys/pretest.dat
deleted file mode 100644
index 88f9a2ca9..000000000
--- a/testing/tests/ikev1/default-keys/pretest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.secrets
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-moon::sleep 5 
-moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
-moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload 
-carol::ipsec reload 
-carol::ipsec up home
diff --git a/testing/tests/ikev1/default-keys/test.conf b/testing/tests/ikev1/default-keys/test.conf
deleted file mode 100644
index 0baa48d90..000000000
--- a/testing/tests/ikev1/default-keys/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index d00613c07..52c561964 100644
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
index caad279bb..836a8b322 100755..100644
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -1,11 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
index 32d2ab0f6..fa1ccacb1 100755..100644
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -1,11 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -21,5 +16,5 @@ conn nat-t
 	leftid=bob@strongswan.org
 	leftfirewall=yes
 	right=%any
-	rightsubnetwithin=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev1/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
index 84bc15092..17a4fe5eb 100644
--- a/testing/tests/ikev1/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
@@ -12,4 +9,4 @@ alice::ipsec start
 bob::ipsec start
 alice::sleep 2
 alice::ipsec up nat-t
-
+alice::sleep 1
diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat-net/test.conf
+++ b/testing/tests/ikev1/double-nat-net/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index 05e751422..9ddad2de5 100644
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
index 7de7a951e..6b40252cf 100755..100644
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
@@ -1,11 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf
new file mode 100644
index 000000000..89640564d
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn nat-t
+	left=%defaultroute
+	leftcert=bobCert.pem
+	leftid=bob@strongswan.org
+	leftfirewall=yes
+	right=%any
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev1/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
index cf495b778..65f18b756 100644
--- a/testing/tests/ikev1/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
@@ -10,4 +8,4 @@ alice::ipsec start
 bob::ipsec start
 alice::sleep 2
 alice::ipsec up nat-t
-
+alice::sleep 1
diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat/test.conf
+++ b/testing/tests/ikev1/double-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt
index f76b2d741..7f62dc576 100644
--- a/testing/tests/ikev1/dpd-clear/description.txt
+++ b/testing/tests/ikev1/dpd-clear/description.txt
@@ -1,5 +1,5 @@
 The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
 which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
 When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after the configured timeout of 30 s.
+<b>moon</b> clears the connection after 4 unsuccessful retransmits.
 
diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat
index 98d5b146b..f6f18212c 100644
--- a/testing/tests/ikev1/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev1/dpd-clear/evaltest.dat
@@ -1,7 +1,7 @@
-carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::sleep 50::no output expected::NO
-moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
-moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
-moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
-moon::cat /var/log/auth.log::DPD: Clearing connection::YES
+moon:: sleep 60::no output expected::NO
+moon:: cat /var/log/daemon.log::sending DPD request::YES
+moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6812907e8
--- /dev/null
+++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev1
+	auto=add
diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index 34490a13a..83f2849a4 100755..100644
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,7 +10,7 @@ conn %default
 	keyexchange=ikev1
 	dpdaction=clear
 	dpddelay=10
-	dpdtimeout=30
+	dpdtimeout=45
 
 conn rw
 	left=PH_IP_MOON
@@ -24,6 +20,3 @@ conn rw
 	right=%any
 	rightid=carol@strongswan.org
 	auto=add
-
-
-
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-clear/test.conf
+++ b/testing/tests/ikev1/dpd-clear/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt
index 0a309cf52..410d3d636 100644
--- a/testing/tests/ikev1/dpd-restart/description.txt
+++ b/testing/tests/ikev1/dpd-restart/description.txt
@@ -1,13 +1,7 @@
-The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=%&lt;hostname&gt;</b>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
-the old tunnel is replaced by an IPsec connection to the new origin.
-<p>
-In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
-the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic).
-<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to
-reconnect. After a few seconds the firewall is opened again and the connection is 
-reestablished.
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
+<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
+polling interval of 10 s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
+clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
+also takes down the connection but immediately tries to reconnect which succeeds
+as soon as the connection becomes available again.
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index 8bc2e8688..6a749b826 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -1,10 +1,13 @@
-moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
-carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 35::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+carol::sleep 60::no output expected::NO
+carol::cat /var/log/daemon.log::sending DPD request::YES
+carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
-moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
-moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
-moon::cat /var/log/auth.log::DPD: Restarting connection::YES
-moon::sleep 10::no output expected::NO
-moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::sleep 10::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
index 3c0b0bf15..d3c105c31 100755..100644
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,15 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	dpdaction=restart
+        dpddelay=10
+	dpdtimeout=45
 
-conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+conn home
+	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=%moon.strongswan.org
-	rightsubnet=10.1.0.0/16
+	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
index 9f1aded0f..79db53614 100755..100644
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,19 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-        dpdaction=restart
-        dpddelay=5
-        dpdtimeout=25
-
-conn carol
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
+	dpdaction=clear
+	dpddelay=10
+	dpdtimeout=45
+conn rw
+	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%carol.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
-	auto=start
+	auto=add
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/dpd-restart/posttest.dat b/testing/tests/ikev1/dpd-restart/posttest.dat
index e092608cb..c6d6235f9 100644
--- a/testing/tests/ikev1/dpd-restart/posttest.dat
+++ b/testing/tests/ikev1/dpd-restart/posttest.dat
@@ -1,5 +1,2 @@
-carol::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
+carol::ipsec stop
diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat
index caf89d6c6..14ed95322 100644
--- a/testing/tests/ikev1/dpd-restart/pretest.dat
+++ b/testing/tests/ikev1/dpd-restart/pretest.dat
@@ -1,5 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
 moon::ipsec start
-moon::sleep 4
+carol::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf
index 4d648102b..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-restart/test.conf
+++ b/testing/tests/ikev1/dpd-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
index 3105ae38c..61546f417 100644
--- a/testing/tests/ikev1/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -1,8 +1,10 @@
-carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
-moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
+moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
index ee28eebf3..6ab0ea5ab 100755..100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,17 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	left=%defaultroute
-	leftnexthop=%direct
+
+conn carol
+	left=%any
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
-
-conn carol
-	right=carol.strongswan.org
-	rightallowany=yes
+	right=%carol.strongswan.org
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
+	rightsourceip=PH_IP_CAROL1
 	auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
index c30a35edd..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -2,10 +2,6 @@ dave::ipsec stop
 carol::ipsec stop
 dave::sleep 1
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_CAROL1/32 dev eth0
+carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index 92681011f..9aadb2a4c 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
@@ -10,4 +8,4 @@ carol::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 2 
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-initiator/test.conf
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat
index 391afaa42..61546f417 100644
--- a/testing/tests/ikev1/dynamic-responder/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -1,8 +1,10 @@
-carol::ipsec status::moon.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
-moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
+moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
index ee28eebf3..6ab0ea5ab 100755..100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,17 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	left=%defaultroute
-	leftnexthop=%direct
+
+conn carol
+	left=%any
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
-
-conn carol
-	right=carol.strongswan.org
-	rightallowany=yes
+	right=%carol.strongswan.org
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
+	rightsourceip=PH_IP_CAROL1
 	auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
index c30a35edd..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -2,10 +2,6 @@ dave::ipsec stop
 carol::ipsec stop
 dave::sleep 1
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_CAROL1/32 dev eth0
+carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index c0f166ff4..8dc744f9a 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
@@ -10,4 +8,4 @@ moon::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 2 
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-responder/test.conf
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
index f46a6a20b..82d2e7318 100644
--- a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
@@ -1,9 +1,13 @@
-carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
index 0f37e6188..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,9 +10,8 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
@@ -24,7 +19,3 @@ conn moon
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
index ec35eac9a..d63566635 100755..100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,9 +10,8 @@ conn %default
 	keyexchange=ikev1
 
 conn moon
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_DAVE1
+	left=%any
+	leftsourceip=%config
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
@@ -24,7 +19,3 @@ conn moon
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 21848bc1c..07cd49899 100755..100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,10 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	left=%defaultroute
-	leftnexthop=%direct
+	left=%any
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
@@ -23,11 +17,11 @@ conn %default
 conn carol
 	right=%carol.strongswan.org
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
+	rightsourceip=PH_IP_CAROL1
 	auto=add
 
 conn dave
 	right=%dave.strongswan.org
 	rightid=dave@strongswan.org
-	rightsubnet=PH_IP_DAVE1/32
+	rightsourceip=PH_IP_DAVE1
 	auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
index 65292daae..7b2609846 100644
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -3,8 +3,6 @@ dave::ipsec stop
 moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
index 6596a2527..4bb2a4686 100644
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -1,8 +1,8 @@
 moon::mv /etc/hosts /etc/hosts.ori
 moon::mv /etc/hosts.stale /etc/hosts
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1/dynamic-two-peers/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-two-peers/test.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt
deleted file mode 100644
index f8ffce6e6..000000000
--- a/testing/tests/ikev1/esp-ah-transport/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
-In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
-marks all incoming AH packets with the ESP mark. The transport mode connection is
-tested by <b>carol</b> sending a ping to gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
deleted file mode 100644
index 526e0d96e..000000000
--- a/testing/tests/ikev1/esp-ah-transport/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES
-carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
-moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
-moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 8c8817539..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-			
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 299b6a831..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	type=transport
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 3e8922581..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 45ada023f..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-	rightid=carol@strongswan.org
-	type=transport
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-transport/posttest.dat b/testing/tests/ikev1/esp-ah-transport/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/esp-ah-transport/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-ah-transport/pretest.dat b/testing/tests/ikev1/esp-ah-transport/pretest.dat
deleted file mode 100644
index 4fe0ee90b..000000000
--- a/testing/tests/ikev1/esp-ah-transport/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-ah-transport/test.conf b/testing/tests/ikev1/esp-ah-transport/test.conf
deleted file mode 100644
index fd33cfb57..000000000
--- a/testing/tests/ikev1/esp-ah-transport/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt
deleted file mode 100644
index 332f8177a..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
-In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
-marks all incoming AH packets with the ESP mark. The tunnel mode connection is
-tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind 
-gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
deleted file mode 100644
index 5103a6318..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
-moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
-moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 8c8817539..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-			
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 168e5d2a8..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 3e8922581..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b89d8e861..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
deleted file mode 100644
index 49973a7a5..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
index 9c17ae903..648920105 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CCM_12_128::YES
-carol::ipsec statusall::AES_CCM_12_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
+carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
 carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
index f8baa00e1..1cef8f8c5 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d70d7b989
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
index d4f0c3adc..72163aeec 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d70d7b989
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
index c7992fbe4..c86f58081 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
-moon::ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
+carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
 carol::ip xfrm state::rfc3686(ctr(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
index acb4126cf..08ff7dab2 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e607bbae7
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
index b5baa2b5d..f712ed86d 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e607bbae7
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
index da5d7c604..a7f52c72e 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_GCM_16_256::YES
-carol::ipsec statusall::AES_GCM_16_256::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
 carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
index 5026e0d9e..125ce919e 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e063e446a
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
index 5fa07962e..b5821cd07 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e063e446a
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
index bc9b7c760..823ec253d 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
-ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac!</b>
+ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-modp2048!</b>
 in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
 the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
index 4678155ee..d5d3bc0d3 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*IPsec SA established::YES
-carol::ipsec statusall::home.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES
-carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
+carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
index 69ef8d49d..5ad63657b 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha384-modp2048!
-	esp=aes256gmac!
+	ike=aes256-sha256-modp2048!
+	esp=aes256gmac-modp2048!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
index 41a583763..fba69aba3 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha384-modp2048!
-	esp=aes256gmac!
+	ike=aes256-sha256-modp2048!
+	esp=aes256gmac-modp2048!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt
index 0c39352d9..0c39352d9 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
new file mode 100644
index 000000000..b466813fe
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
@@ -0,0 +1,11 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
+moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..94eb96f38
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha256-modp2048!
+	esp=aes256-aesxcbc!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..dbc468571
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha256-modp2048!
+	esp=aes256-aesxcbc!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
index f5aa989fe..f5aa989fe 100644
--- a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
new file mode 100644
index 000000000..d7b71426c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
deleted file mode 100644
index 5cee96b08..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
-moon::ip xfrm state::auth xcbc(aes)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 75ce0fbbe..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha2_256-modp2048!
-	esp=aes256-aesxcbc!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index c2e0a6dde..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha2_256-modp2048!
-	esp=aes256-aesxcbc!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-des/description.txt b/testing/tests/ikev1/esp-alg-des/description.txt
deleted file mode 100644
index 9546569dd..000000000
--- a/testing/tests/ikev1/esp-alg-des/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must
-explicitly accept the choice of this insecure algorithm by setting the strict
-flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b> 
-sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat
deleted file mode 100644
index 8e42707a2..000000000
--- a/testing/tests/ikev1/esp-alg-des/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
-carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
-moon::ip xfrm state::enc cbc(des)::YES
-carol::ip xfrm state::enc cbc(des)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a5715a7f1..000000000
--- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-md5-modp1024!
-	esp=des-md5!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 0329a533d..000000000
--- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-md5-modp1024!
-	esp=des-md5!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-des/posttest.dat b/testing/tests/ikev1/esp-alg-des/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-des/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-des/pretest.dat b/testing/tests/ikev1/esp-alg-des/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/esp-alg-des/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/esp-alg-des/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-null/description.txt b/testing/tests/ikev1/esp-alg-null/description.txt
index 7880a799c..8fd203098 100644
--- a/testing/tests/ikev1/esp-alg-null/description.txt
+++ b/testing/tests/ikev1/esp-alg-null/description.txt
@@ -1,5 +1,3 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must
-explicitly accept the choice of this insecure algorithm by setting the strict
-flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b> 
-sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>NULL / HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index a259e6d09..1b9c6c27e 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
-carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
-moon::ip xfrm state::enc ecb(cipher_null)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index fe76579ac..cd93d795f 100755..100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes-sha1
+	ike=aes128-sha1-modp2048!
 	esp=null-sha1!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index b768b8ee4..2e9b8de65 100755..100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes-sha1!
+	ike=aes128-sha1-modp2048!
 	esp=null-sha1!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-null/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
index 7d077c126..886fdf55c 100644
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-null/pretest.dat
@@ -1,5 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
deleted file mode 100644
index 252080e80..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
-as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
-leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
deleted file mode 100644
index 83d99bea1..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES
-carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES
-moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 46a619016..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1
-	esp=3des-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 86a15c96d..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1
-	esp=aes128-sha1!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/test.conf b/testing/tests/ikev1/esp-alg-strict-fail/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt
deleted file mode 100644
index 149a1e013..000000000
--- a/testing/tests/ikev1/esp-alg-strict/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with
-HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in
-second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed
-by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by applying the strict flag '!'.
-
diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
deleted file mode 100644
index 912a8d830..000000000
--- a/testing/tests/ikev1/esp-alg-strict/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 052541b21..000000000
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha,aes128-sha1
-	esp=3des-sha1,aes128-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 86a15c96d..000000000
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1
-	esp=aes128-sha1!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict/posttest.dat b/testing/tests/ikev1/esp-alg-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-strict/pretest.dat b/testing/tests/ikev1/esp-alg-strict/pretest.dat
deleted file mode 100644
index f5aa989fe..000000000
--- a/testing/tests/ikev1/esp-alg-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-strict/test.conf b/testing/tests/ikev1/esp-alg-strict/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/esp-alg-strict/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt
deleted file mode 100644
index e49b6c620..000000000
--- a/testing/tests/ikev1/esp-alg-weak/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication
-as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does
-not use an explicit <b>esp</b> statement any strong encryption algorithm will be
-accepted but any weak key length will be rejected by default and thus the ISAKMP SA
-is bound to fail.
diff --git a/testing/tests/ikev1/esp-alg-weak/evaltest.dat b/testing/tests/ikev1/esp-alg-weak/evaltest.dat
deleted file mode 100644
index 72b14e805..000000000
--- a/testing/tests/ikev1/esp-alg-weak/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES
-moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a5715a7f1..000000000
--- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-md5-modp1024!
-	esp=des-md5!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index e5fed2f06..000000000
--- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-weak/posttest.dat b/testing/tests/ikev1/esp-alg-weak/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-weak/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-weak/pretest.dat b/testing/tests/ikev1/esp-alg-weak/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/esp-alg-weak/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-weak/test.conf b/testing/tests/ikev1/esp-alg-weak/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/esp-alg-weak/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat
index d19f970f2..3305f4558 100644
--- a/testing/tests/ikev1/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev1/host2host-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..1b860a2a9
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn host-host
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..0ee8ea5a3
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-cert/posttest.dat
+++ b/testing/tests/ikev1/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
index 3536fd886..3bce9f6e5 100644
--- a/testing/tests/ikev1/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::sleep 1 
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf
index cf2e704fd..55d6e9fd6 100644
--- a/testing/tests/ikev1/host2host-cert/test.conf
+++ b/testing/tests/ikev1/host2host-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
- 
+VIRTHOSTS="moon winnetou sun"
+
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
-
-# UML instances on which tcpdump is to be started
+ 
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-swapped/description.txt b/testing/tests/ikev1/host2host-swapped/description.txt
deleted file mode 100644
index 34cfe43cc..000000000
--- a/testing/tests/ikev1/host2host-swapped/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with
-swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/host2host-swapped/evaltest.dat b/testing/tests/ikev1/host2host-swapped/evaltest.dat
deleted file mode 100644
index d19f970f2..000000000
--- a/testing/tests/ikev1/host2host-swapped/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 95739fe51..000000000
--- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn host-host
-	right=PH_IP_MOON
-	rightcert=moonCert.pem
-	rightid=@moon.strongswan.org
-	rightfirewall=yes
-	left=PH_IP_SUN
-	leftid=@sun.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index a0d600a6f..000000000
--- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn host-host
-	right=PH_IP_SUN
-	rightcert=sunCert.pem
-	rightfirewall=yes
-	rightid=@sun.strongswan.org
-	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/host2host-swapped/posttest.dat b/testing/tests/ikev1/host2host-swapped/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/host2host-swapped/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/host2host-swapped/pretest.dat b/testing/tests/ikev1/host2host-swapped/pretest.dat
deleted file mode 100644
index e2d98f2eb..000000000
--- a/testing/tests/ikev1/host2host-swapped/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-swapped/test.conf b/testing/tests/ikev1/host2host-swapped/test.conf
deleted file mode 100644
index cf2e704fd..000000000
--- a/testing/tests/ikev1/host2host-swapped/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon winnetou sun"
- 
-# Corresponding block diagram
-#
-DIAGRAM="m-w-s.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat
index 04c0eb3a2..fc49e57d8 100644
--- a/testing/tests/ikev1/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev1/host2host-transport/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index b56189c6c..a860a6946 100755..100644
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index 1f2ade20b..cc70f454f 100755..100644
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -22,4 +18,3 @@ conn host-host
 	rightid=@moon.strongswan.org
 	type=transport
 	auto=add
-
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-transport/posttest.dat
+++ b/testing/tests/ikev1/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev1/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev1/host2host-transport/test.conf
+++ b/testing/tests/ikev1/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
deleted file mode 100644
index 252080e80..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
-as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
-leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
deleted file mode 100644
index 0c6bc7f7e..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index d75a7022e..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1
-	esp=3des-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 460ff749c..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1!
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat
deleted file mode 100644
index f5aa989fe..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/test.conf b/testing/tests/ikev1/ike-alg-strict-fail/test.conf
deleted file mode 100644
index 7e7848831..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-##!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt
deleted file mode 100644
index af93b95c3..000000000
--- a/testing/tests/ikev1/ike-alg-strict/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place
-and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA.
-The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!', 
-but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b>
-defines itself <b>esp=aes128-sha1</b> only.
diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
deleted file mode 100644
index 8acd0d039..000000000
--- a/testing/tests/ikev1/ike-alg-strict/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES
-carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 36bdc0fa4..000000000
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1,aes128-sha1
-	esp=3des-sha1,aes128-sha1
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 460ff749c..000000000
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1!
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict/posttest.dat b/testing/tests/ikev1/ike-alg-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ike-alg-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-strict/pretest.dat b/testing/tests/ikev1/ike-alg-strict/pretest.dat
deleted file mode 100644
index f5aa989fe..000000000
--- a/testing/tests/ikev1/ike-alg-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-strict/test.conf b/testing/tests/ikev1/ike-alg-strict/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/ike-alg-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ip-pool-db-push/description.txt b/testing/tests/ikev1/ip-pool-db-push/description.txt
deleted file mode 100644
index dc510e21a..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Using Mode Config push mode (<b>modeconfig=push</b>) the gateway <b>moon</b> assigns virtual
-IP addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
-<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
diff --git a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
deleted file mode 100644
index 9a5c5c7ee..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
+++ /dev/null
@@ -1,30 +0,0 @@
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::starting ModeCfg server in push mode::YES
-moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 5e7cc89a7..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	modeconfig=push
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%config
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index e1c864e58..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	modeconfig=push
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%config
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index c365004bf..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	rekey=no
-	keyexchange=ikev1
-	modeconfig=push
-
-conn rw
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-	rightsourceip=%bigpool
-	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 630135adc..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
-}
-
-libhydra {
-  plugins {
-    attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
-    }
-  }
-}
-
-pool {
-  load = sqlite
-}
diff --git a/testing/tests/ikev1/ip-pool-db-push/posttest.dat b/testing/tests/ikev1/ip-pool-db-push/posttest.dat
deleted file mode 100644
index 5022c6cf1..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
-moon::ipsec pool --del bigpool 2> /dev/null
-moon::ipsec pool --del dns 2> /dev/null
-moon::ipsec pool --del nbns 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-pool-db-push/pretest.dat b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
deleted file mode 100644
index 4a2add194..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/ip-pool-db-push/test.conf b/testing/tests/ikev1/ip-pool-db-push/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
index 566bab972..42e353084 100644
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -1,25 +1,33 @@
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
-moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
 moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
index 0c770de9f..5a77f8707 100755..100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index 56f13324a..bd19ffe3d 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
index 163c19516..6ea2d2bb1 100755..100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index 56f13324a..bd19ffe3d 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
index 0cefb7ab0..47014a869 100755..100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -1,17 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	rekey=no
 	keyexchange=ikev1
 
 conn rw
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 630135adc..04ffaf64d 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
index 5022c6cf1..c99f347e3 100644
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -1,11 +1,9 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 190672652..fce551c69 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -4,10 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
 moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --statusattr
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat
index f67ab321b..1fdc3f087 100644
--- a/testing/tests/ikev1/ip-pool/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool/evaltest.dat
@@ -1,21 +1,25 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool::YES
-moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
-moon::ipsec leases rw::2/15, 2 online::YES
-moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES
-moon::ipsec statusall::rw.*carol@strongswan.org.*erouted::YES
-moon::ipsec statusall::rw.*dave@strongswan.org.*erouted::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
index 0c770de9f..5a77f8707 100755..100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
index 4c40f76cc..dc937641c 100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
index 163c19516..6ea2d2bb1 100755..100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
index 4c40f76cc..dc937641c 100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
index ddedd7e7b..c48172923 100755..100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
index 4c40f76cc..dc937641c 100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat
index a68e84cbd..b757d8b15 100644
--- a/testing/tests/ikev1/ip-pool/posttest.dat
+++ b/testing/tests/ikev1/ip-pool/posttest.dat
@@ -1,8 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-dave::ip addr del 10.3.0.2/32 dev eth0
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool/test.conf
+++ b/testing/tests/ikev1/ip-pool/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/description.txt b/testing/tests/ikev1/ip-two-pools-mixed/description.txt
deleted file mode 100644
index 3869ced0a..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
-named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
-both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat
deleted file mode 100644
index f237ce53f..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status::home.*IPsec SA established::YES
-alice::ipsec status::home.*IPsec SA established::YES
-moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
-moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index e8077b22a..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-		
-conn home 
-	left=%defaultroute
-	leftsourceip=%config
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 99a8c60ff..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%config
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index e844ba989..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-
-conn int 
-	left=PH_IP_MOON1
-	rightsourceip=%intpool
-	auto=add
-
-conn ext 
-	left=PH_IP_MOON
-	rightsourceip=10.3.0.0/28
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 630135adc..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
-}
-
-libhydra {
-  plugins {
-    attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
-    }
-  }
-}
-
-pool {
-  load = sqlite
-}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat
deleted file mode 100644
index 74e3cf2c0..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::ipsec stop
-alice::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-alice::ip addr del 10.4.0.1/32 dev eth0
-moon::ip route del 10.3.0.0/16 via PH_IP_MOON
-moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
-moon::conntrack -F
-moon::ipsec pool --del intpool 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat
deleted file mode 100644
index 21e28ce0c..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
-moon::ip route add 10.3.0.0/16 via PH_IP_MOON
-moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-alice::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-alice::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/test.conf b/testing/tests/ikev1/ip-two-pools-mixed/test.conf
deleted file mode 100644
index 329774c0a..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice carol"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev1/ip-two-pools/description.txt b/testing/tests/ikev1/ip-two-pools/description.txt
deleted file mode 100644
index 33a5187c5..000000000
--- a/testing/tests/ikev1/ip-two-pools/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined 
-by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
-both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/ip-two-pools/evaltest.dat b/testing/tests/ikev1/ip-two-pools/evaltest.dat
deleted file mode 100644
index 2f19a77ba..000000000
--- a/testing/tests/ikev1/ip-two-pools/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::ipsec status::home.*IPsec SA established::YES
-alice::ipsec status::home.*IPsec SA established::YES
-moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
-moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases int::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index e8077b22a..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-		
-conn home 
-	left=%defaultroute
-	leftsourceip=%config
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 99a8c60ff..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%config
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 4771e26d6..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-
-conn int 
-	left=PH_IP_MOON1
-	rightsourceip=10.4.0.0/28
-	auto=add
-
-conn ext 
-	left=PH_IP_MOON
-	rightsourceip=10.3.0.0/28
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools/posttest.dat b/testing/tests/ikev1/ip-two-pools/posttest.dat
deleted file mode 100644
index 4474e5ade..000000000
--- a/testing/tests/ikev1/ip-two-pools/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-alice::ipsec stop
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-alice::ip addr del 10.4.0.1/32 dev eth0
-moon::ip route del 10.3.0.0/16 via 192.168.0.1
-moon::ip route del 10.4.0.0/16 via 10.1.0.1
-moon::conntrack -F
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-two-pools/pretest.dat b/testing/tests/ikev1/ip-two-pools/pretest.dat
deleted file mode 100644
index 8091a6ed2..000000000
--- a/testing/tests/ikev1/ip-two-pools/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::ip route add 10.3.0.0/16 via 192.168.0.1
-moon::ip route add 10.4.0.0/16 via 10.1.0.1
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-alice::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-alice::ipsec up home
-alice::sleep 1 
diff --git a/testing/tests/ikev1/ip-two-pools/test.conf b/testing/tests/ikev1/ip-two-pools/test.conf
deleted file mode 100644
index 329774c0a..000000000
--- a/testing/tests/ikev1/ip-two-pools/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice carol"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev1/mode-config-multiple/description.txt b/testing/tests/ikev1/mode-config-multiple/description.txt
deleted file mode 100644
index 6be00e744..000000000
--- a/testing/tests/ikev1/mode-config-multiple/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. After setting up an IPsec SA to reach
-the hosts <b>alice</b> and <b>venus</b>, respectively, both roadwarriors set up a second 
-IPsec SA to <b>venus</b> and <b>alice</b>, respectively, inheriting the virtual IP address
-from the previous Mode Config negotiation.
diff --git a/testing/tests/ikev1/mode-config-multiple/evaltest.dat b/testing/tests/ikev1/mode-config-multiple/evaltest.dat
deleted file mode 100644
index 735345315..000000000
--- a/testing/tests/ikev1/mode-config-multiple/evaltest.dat
+++ /dev/null
@@ -1,29 +0,0 @@
-carol::cat /var/log/auth.log::alice.*setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::cat /var/log/auth.log::venus.*inheriting virtual IP source address PH_IP_CAROL1 from ModeCfg::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::cat /var/log/auth.log::venus.*setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::cat /var/log/auth.log::alice.*inheriting virtual IP source address PH_IP_DAVE1 from ModeCfg::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::carol-alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::carol-venus.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave-venus.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave-alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
-venus::tcpdump::IP carol1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
-venus::tcpdump::IP venus.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-venus::tcpdump::IP dave1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
-venus::tcpdump::IP venus.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
-
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 3d6addb62..000000000
--- a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-	also=home
-	rightsubnet=10.1.0.10/32
-	auto=add
-
-conn venus
-	also=home
-	rightsubnet=10.1.0.20/32
-	auto=add
-
-conn home
-	left=192.168.0.100
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=192.168.0.1
-	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 0b93eb58f..000000000
--- a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-        also=home
-        rightsubnet=10.1.0.10/32
-        auto=add
-
-conn venus
-        also=home
-        rightsubnet=10.1.0.20/32
-        auto=add
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 7f5bb812f..000000000
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=192.168.0.1
-	leftsourceip=10.1.0.1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn carol-alice
-	also=carol
-	leftsubnet=10.1.0.10/32
-	rightsourceip=10.3.0.1
-	auto=add
-
-conn carol-venus
-	also=carol
-	leftsubnet=10.1.0.20/32
-	rightsourceip=%carol-alice
-	auto=add
-	
-conn carol
-	right=%any
-	rightid=carol@strongswan.org
-
-conn dave-alice
-        also=dave
-        leftsubnet=10.1.0.10/32
-	rightsourceip=10.3.0.2
-        auto=add
-
-conn dave-venus
-        also=dave
-        leftsubnet=10.1.0.20/32
-	rightsourceip=%dave-alice
-        auto=add
-
-conn dave
-        right=%any
-        rightid=dave@strongswan.org
-
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fb989daff..000000000
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP6_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-multiple/posttest.dat b/testing/tests/ikev1/mode-config-multiple/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config-multiple/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-multiple/pretest.dat b/testing/tests/ikev1/mode-config-multiple/pretest.dat
deleted file mode 100644
index 63f52e274..000000000
--- a/testing/tests/ikev1/mode-config-multiple/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus 
-dave::ipsec up venus
-dave::ipsec up alice
-carol::sleep 1
diff --git a/testing/tests/ikev1/mode-config-multiple/test.conf b/testing/tests/ikev1/mode-config-multiple/test.conf
deleted file mode 100644
index d8fa5162d..000000000
--- a/testing/tests/ikev1/mode-config-multiple/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice venus"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config-push/description.txt b/testing/tests/ikev1/mode-config-push/description.txt
deleted file mode 100644
index 387c3b409..000000000
--- a/testing/tests/ikev1/mode-config-push/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. By setting the option <b>modeconfig=push</b>
-on both the roadwarriors and the gateway, the Mode Config server <b>moon</b> will actively push
-the configuration down to <b>carol</b> and <b>dave</b>.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
-<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will
-be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat
deleted file mode 100644
index 3135a18fb..000000000
--- a/testing/tests/ikev1/mode-config-push/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 64c97eb16..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	rekey=no
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	modeconfig=push
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index ba47559a0..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	modeconfig=push
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 8b125ab80..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	modeconfig=push
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn rw-carol
-	right=%any
-	rightid=carol@strongswan.org
-	rightsourceip=PH_IP_CAROL1
-	auto=add
-
-conn rw-dave
-	right=%any
-	rightid=dave@strongswan.org
-	rightsourceip=PH_IP_DAVE1
-	auto=add
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8d952d21..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-push/posttest.dat b/testing/tests/ikev1/mode-config-push/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config-push/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-push/pretest.dat b/testing/tests/ikev1/mode-config-push/pretest.dat
deleted file mode 100644
index bb222992e..000000000
--- a/testing/tests/ikev1/mode-config-push/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/mode-config-push/test.conf b/testing/tests/ikev1/mode-config-push/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/mode-config-push/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config-swapped/description.txt b/testing/tests/ikev1/mode-config-swapped/description.txt
deleted file mode 100644
index e29e6f654..000000000
--- a/testing/tests/ikev1/mode-config-swapped/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with
-swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/mode-config-swapped/evaltest.dat b/testing/tests/ikev1/mode-config-swapped/evaltest.dat
deleted file mode 100644
index 9d60cf7b0..000000000
--- a/testing/tests/ikev1/mode-config-swapped/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4cea3d81b..000000000
--- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	right=PH_IP_CAROL
-	rightsourceip=%modeconfig
-	rightcert=carolCert.pem
-	rightid=carol@strongswan.org
-	rightfirewall=yes
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index cf96ddeca..000000000
--- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	right=PH_IP_DAVE
-	rightsourceip=%modeconfig
-	rightcert=daveCert.pem
-	rightid=dave@strongswan.org
-	rightfirewall=yes
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b01f5b112..000000000
--- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightsourceip=PH_IP_MOON1
-	rightcert=moonCert.pem
-	rightid=@moon.strongswan.org
-	rightfirewall=yes
-
-conn rw-carol
-	left=%any
-	leftid=carol@strongswan.org
-	leftsourceip=PH_IP_CAROL1
-	auto=add
-
-conn rw-dave
-	left=%any
-	leftid=dave@strongswan.org
-	leftsourceip=PH_IP_DAVE1
-	auto=add
diff --git a/testing/tests/ikev1/mode-config-swapped/posttest.dat b/testing/tests/ikev1/mode-config-swapped/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config-swapped/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-swapped/pretest.dat b/testing/tests/ikev1/mode-config-swapped/pretest.dat
deleted file mode 100644
index 1e45f00fd..000000000
--- a/testing/tests/ikev1/mode-config-swapped/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/mode-config-swapped/test.conf b/testing/tests/ikev1/mode-config-swapped/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/mode-config-swapped/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config/description.txt b/testing/tests/ikev1/mode-config/description.txt
deleted file mode 100644
index 3e67f83f1..000000000
--- a/testing/tests/ikev1/mode-config/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
-tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
-<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
-and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
deleted file mode 100644
index 7355a0560..000000000
--- a/testing/tests/ikev1/mode-config/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9c75434c2..000000000
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 726998e19..000000000
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 37278081e..000000000
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	rekey=no
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn rw-carol
-	right=%any
-	rightid=carol@strongswan.org
-	rightsourceip=PH_IP_CAROL1
-	auto=add
-
-conn rw-dave
-	right=%any
-	rightid=dave@strongswan.org
-	rightsourceip=PH_IP_DAVE1
-	auto=add
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8d952d21..000000000
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config/posttest.dat b/testing/tests/ikev1/mode-config/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config/pretest.dat b/testing/tests/ikev1/mode-config/pretest.dat
deleted file mode 100644
index bb222992e..000000000
--- a/testing/tests/ikev1/mode-config/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/mode-config/test.conf b/testing/tests/ikev1/mode-config/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/mode-config/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/description.txt b/testing/tests/ikev1/multi-level-ca-cr-init/description.txt
new file mode 100644
index 000000000..602d026c2
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the responders <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat
new file mode 100644
index 000000000..03426ac44
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..73e17062d
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn alice
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
index d53365f78..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 69e5c05e3..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 53e18680b..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..7140befe6
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn venus
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
index a10a18cba..a10a18cba 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 91df37a81..91df37a81 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 86740e86a..86740e86a 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..25716969f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri=http://crl.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftsendcert=ifasked
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=PH_IP_DAVE
+	rightid=dave@strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat
new file mode 100644
index 000000000..24cd041ed
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
new file mode 100644
index 000000000..2eebc0f84
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
@@ -0,0 +1,6 @@
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+moon::sleep 2
+moon::ipsec up alice
+moon::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
new file mode 100644
index 000000000..9bb88d79f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt
new file mode 100644
index 000000000..06f9f6b91
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat
new file mode 100644
index 000000000..dcd271772
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..96da6db1e
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+	rightsubnet=PH_IP_ALICE/32
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
index d53365f78..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 69e5c05e3..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 53e18680b..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..bafec31f4
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftsendcert=ifasked
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn venus
+	rightsubnet=PH_IP_VENUS/32
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
index a10a18cba..a10a18cba 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 91df37a81..91df37a81 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 86740e86a..86740e86a 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..7bae1ab0f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+	cacert=strongswanCert.pem
+	crluri=http://crl.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftsendcert=ifasked
+	leftid=@moon.strongswan.org
+
+conn alice
+	leftsubnet=PH_IP_ALICE/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=%any
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat
new file mode 100644
index 000000000..24cd041ed
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
new file mode 100644
index 000000000..86dd31e83
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
@@ -0,0 +1,6 @@
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+dave::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
new file mode 100644
index 000000000..9bb88d79f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/description.txt b/testing/tests/ikev1/multi-level-ca-ldap/description.txt
deleted file mode 100644
index 18fb88840..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
-<p>
-By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
-Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the
-connection setups can be successfully completed.
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
deleted file mode 100644
index 9cfa502aa..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
-dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index d9e5b119e..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-ca strongswan
-        cacert=strongswanCert.pem
-        crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-        auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index bf83264af..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 8de514a2e..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 50b896541..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-ca research 
-        cacert=researchCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-	
-ca sales 
-        cacert=salesCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-			
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-	auto=add
-	
-conn venus
-	leftsubnet=PH_IP_VENUS/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
-	auto=add
-	
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat
deleted file mode 100644
index ec4ba6e10..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat
deleted file mode 100644
index 322f42102..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/test.conf b/testing/tests/ikev1/multi-level-ca-ldap/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-loop/description.txt b/testing/tests/ikev1/multi-level-ca-loop/description.txt
deleted file mode 100644
index 9b63c2c66..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior <b>carol</b>, possessing a certificate issued by the
-Research CA, tries to set up a tunnel to gateway <b>moon</b>.
-The Research CA's certificate is signed by the Sales CA and
-the Sales CA's certificate in turn is signed by the Research CA.
-This leads to an endless trust path loop but which is aborted by
-<b>moon</b> when the path level reaches a depth of 7 iterations.
diff --git a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
deleted file mode 100644
index 524846109..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::cat /var/log/auth.log::maximum path length of 7 exceeded::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4d42b1419..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f91ca63a8..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
deleted file mode 100644
index 37ef9c665..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
-CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
-rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
-BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
-4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
-m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
-/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
-x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB
-ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B
-bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4
-hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk
-WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy
-02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF
-yuVPkDSgPds6m0KQcEVnuaU=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
deleted file mode 100644
index 0a435b90d..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz
-OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
-BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
-/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
-4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
-XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
-kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
-gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
-p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD
-ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx
-qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7
-MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD
-Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16
-EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo
-aeDWsllgAdqMA2fL7i9tsFHZVYk=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/posttest.dat b/testing/tests/ikev1/multi-level-ca-loop/posttest.dat
deleted file mode 100644
index 076f51f4d..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev1/multi-level-ca-loop/pretest.dat b/testing/tests/ikev1/multi-level-ca-loop/pretest.dat
deleted file mode 100644
index 0a0ec22bf..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca-loop/test.conf b/testing/tests/ikev1/multi-level-ca-loop/test.conf
deleted file mode 100644
index 3189fdfc7..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/description.txt b/testing/tests/ikev1/multi-level-ca-pathlen/description.txt
deleted file mode 100644
index 1852f7157..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA
-but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn
-issues an end entity certificate to roadwarrior <b>carol</b> so that the total
-path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts
-the negotiation.
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat
deleted file mode 100644
index 235b7672e..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::cat /var/log/auth.log::path length of 2 violates constraint of 1::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::duck.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 39a1aa825..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftsendcert=ifasked
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
-
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 4e13b52d0..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
-c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 48727ed9d..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
-Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
-w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
-rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
-UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
-aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
-33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
-ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
-zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
-DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
-QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
-5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
-44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
-Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
-2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
-PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
-LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
-Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
-VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
-Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
-6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
-Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
-Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
-Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
-QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63b..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index ca5919d5c..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn duck 
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftsendcert=ifasked
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
deleted file mode 100644
index bb205a0fd..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat
deleted file mode 100644
index f84b7e37b..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat
deleted file mode 100644
index 9f0232a7b..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home 
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/test.conf b/testing/tests/ikev1/multi-level-ca-pathlen/test.conf
deleted file mode 100644
index b118cb7dc..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/description.txt b/testing/tests/ikev1/multi-level-ca-revoked/description.txt
deleted file mode 100644
index c91ac285b..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA.
-The certificate of the Research CA has been revoked by the Root CA by entering
-the serial number in the CRL. Therefore upon verification of the trust path
-the gateway <b>moon</b> will reject the roadwarrior's certificate  
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat
deleted file mode 100644
index 0fd1cae8c..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index b4bc2101c..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 69e5c05e3..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
-N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
-dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
-hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
-HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
-3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
-Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
-AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
-YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
-ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
-il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
-CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
-n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
-8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
-pwU12A3BovJKUaR0B7Uy2A==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 53e18680b..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
-azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
-nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
-b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
-H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
-GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
-N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
-er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
-kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
-BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
-Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
-DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
-waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
-1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
-RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
-CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
-eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
-FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
-auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
-rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
-iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
-qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
-/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
-hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
-5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63b..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 0b9917b53..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri=http://crl.strongswan.org/strongswan.crl
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
deleted file mode 100644
index c380a5110..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
-FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
-zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
-/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
-C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
-+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
-BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
-VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
-LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
-6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
-T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
-9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
-cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
-YO2C4HE=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat
deleted file mode 100644
index f84b7e37b..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/test.conf b/testing/tests/ikev1/multi-level-ca-revoked/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/multi-level-ca-strict/description.txt b/testing/tests/ikev1/multi-level-ca-strict/description.txt
deleted file mode 100644
index 32413e3de..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
-<p>
-By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
-Sales CAs must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat
deleted file mode 100644
index 5a181a62d..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
-dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf93bb231..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 69e5c05e3..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
-N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
-dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
-hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
-HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
-3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
-Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
-AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
-YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
-ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
-il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
-CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
-n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
-8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
-pwU12A3BovJKUaR0B7Uy2A==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 53e18680b..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
-azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
-nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
-b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
-H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
-GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
-N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
-er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
-kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
-BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
-Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
-DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
-waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
-1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
-RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
-CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
-eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
-FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
-auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
-rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
-iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
-qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
-/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
-hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
-5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63b..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 5f04445d2..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f79c501a8..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri=http://crl.strongswan.org/strongswan.crl
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-	auto=add
-	
-conn venus
-	leftsubnet=PH_IP_VENUS/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
-	auto=add
-	
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
deleted file mode 100644
index d53365f78..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
-FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
-zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
-/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
-C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
-+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
-BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
-VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
-FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
-cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
-POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
-xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
-dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
-8sFmiZI=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/posttest.dat b/testing/tests/ikev1/multi-level-ca-strict/posttest.dat
deleted file mode 100644
index 1646d5ed2..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev1/multi-level-ca-strict/pretest.dat b/testing/tests/ikev1/multi-level-ca-strict/pretest.dat
deleted file mode 100644
index 67c50c2ef..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca-strict/test.conf b/testing/tests/ikev1/multi-level-ca-strict/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca/evaltest.dat b/testing/tests/ikev1/multi-level-ca/evaltest.dat
index 72f620b8e..ede771fb6 100644
--- a/testing/tests/ikev1/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca/evaltest.dat
@@ -1,12 +1,18 @@
-carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
-moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
-dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
-moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index d11724c28..3df94ba2d 100755..100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +13,7 @@ conn %default
 	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 
 conn alice
 	rightsubnet=PH_IP_ALICE/32
@@ -25,8 +22,3 @@ conn alice
 conn venus
 	rightsubnet=PH_IP_VENUS/32
 	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 2d80aad8a..28389112a 100755..100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +13,7 @@ conn %default
 	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 
 conn alice
 	rightsubnet=PH_IP_ALICE/32
@@ -25,8 +22,3 @@ conn alice
 conn venus
 	rightsubnet=PH_IP_VENUS/32
 	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index 9b97015fd..2dfd40f99 100755..100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
@@ -33,4 +29,3 @@ conn venus
 	right=%any
 	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
 	auto=add
-	
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca/test.conf
+++ b/testing/tests/ikev1/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/nat-before-esp/description.txt b/testing/tests/ikev1/nat-before-esp/description.txt
deleted file mode 100644
index e42ace476..000000000
--- a/testing/tests/ikev1/nat-before-esp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-An IPsec tunnel connecting the gateway <b>moon</b> with the subnet behind
-gateway <b>sun</b> is set up. This host-to-net connection can also be
-used by the clients <b>alice</b> and <b>venus</b> via the trick of NAT-ing
-them to the outer IP address of gateway <b>moon</b> prior to tunnelling.
-The IPsec tunnel is first tested by <b>moon</b> pinging <b>bob</b> and vice versa,
-followed by the NAT-ed clients <b>alice</b> and <b>venus</b> pinging <b>bob</b>.
diff --git a/testing/tests/ikev1/nat-before-esp/evaltest.dat b/testing/tests/ikev1/nat-before-esp/evaltest.dat
deleted file mode 100644
index d466038ed..000000000
--- a/testing/tests/ikev1/nat-before-esp/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec status::host-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-net.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::ICMP::YES
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f87ec0e58..000000000
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# NAT traffic from 10.1.0.0/16
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
-	
-	# forward traffic from 10.1.0.0/16 to POSTROUTING chain
-	iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
-	iptables -A FORWARD -o eth1 -i eth0 -d 10.1.0.0/16 -s 10.2.0.0/16 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1ee1b7749..000000000
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn host-net
-	left=192.168.0.1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=192.168.0.2
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 57496e10e..000000000
--- a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn host-net
-	left=192.168.0.2
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-	leftsubnet=10.2.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/nat-before-esp/posttest.dat b/testing/tests/ikev1/nat-before-esp/posttest.dat
deleted file mode 100644
index 307b96888..000000000
--- a/testing/tests/ikev1/nat-before-esp/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::iptables -t nat -v -n -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/nat-before-esp/pretest.dat b/testing/tests/ikev1/nat-before-esp/pretest.dat
deleted file mode 100644
index 75565540a..000000000
--- a/testing/tests/ikev1/nat-before-esp/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up host-net
diff --git a/testing/tests/ikev1/nat-before-esp/test.conf b/testing/tests/ikev1/nat-before-esp/test.conf
deleted file mode 100644
index 4234eaf63..000000000
--- a/testing/tests/ikev1/nat-before-esp/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/nat-one-rw/description.txt b/testing/tests/ikev1/nat-one-rw/description.txt
deleted file mode 100644
index c3b9bb820..000000000
--- a/testing/tests/ikev1/nat-one-rw/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
-gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the
-client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-one-rw/evaltest.dat b/testing/tests/ikev1/nat-one-rw/evaltest.dat
deleted file mode 100644
index bc193963d..000000000
--- a/testing/tests/ikev1/nat-one-rw/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-one-rw/posttest.dat b/testing/tests/ikev1/nat-one-rw/posttest.dat
deleted file mode 100644
index cd0d4df25..000000000
--- a/testing/tests/ikev1/nat-one-rw/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-alice::ipsec stop
-sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-one-rw/pretest.dat b/testing/tests/ikev1/nat-one-rw/pretest.dat
deleted file mode 100644
index 9dacc672c..000000000
--- a/testing/tests/ikev1/nat-one-rw/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-sun::ipsec start
-alice::sleep 5
-alice::ipsec up nat-t
-
diff --git a/testing/tests/ikev1/nat-one-rw/test.conf b/testing/tests/ikev1/nat-one-rw/test.conf
deleted file mode 100644
index d84149aaf..000000000
--- a/testing/tests/ikev1/nat-one-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev1/nat-two-rw/description.txt b/testing/tests/ikev1/nat-rw/description.txt
index dcf4b94bd..dcf4b94bd 100644
--- a/testing/tests/ikev1/nat-two-rw/description.txt
+++ b/testing/tests/ikev1/nat-rw/description.txt
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
new file mode 100644
index 000000000..387dbae23
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..df626c201
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+		
+conn nat-t
+	left=%any
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..c321102ce
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn nat-t
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=%any
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..6c627e0a6
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn nat-t
+	left=%any
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat
new file mode 100644
index 000000000..d701a1d61
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/pretest.dat
@@ -0,0 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up nat-t
+venus::sleep 2 
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev1/nat-rw/test.conf b/testing/tests/ikev1/nat-rw/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-mark/description.txt b/testing/tests/ikev1/nat-two-rw-mark/description.txt
deleted file mode 100644
index 2a93d11d8..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark</b> parameter in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts 
-iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules 
-that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> 
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
deleted file mode 100644
index fa64c3d88..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::alice.*alice@strongswan.org::YES
-sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::venus.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 4ed556226..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn nat-t
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 2b346430e..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control parsing" #parsing to get knl 2 messages
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-	rightid=alice@strongswan.org
-	mark=10/0xffffffff
-	also=sun
-	auto=add
-
-conn venus
-	rightid=@venus.strongswan.org
-	mark=20  #0xffffffff is used by default
-	also=sun
-	auto=add
-
-conn sun
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	leftupdown=/etc/mark_updown
-	right=%any
-	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
deleted file mode 100755
index 0d22e684d..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
+++ /dev/null
@@ -1,527 +0,0 @@
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-# CAUTION:  Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make.  If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#      PLUTO_VERSION
-#              indicates  what  version of this interface is being
-#              used.  This document describes version  1.1.   This
-#              is upwardly compatible with version 1.0.
-#
-#       PLUTO_VERB
-#              specifies the name of the operation to be performed
-#              (prepare-host, prepare-client, up-host, up-client,
-#              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica-
-#              tions is IPv6, then a suffix of -v6 is added to the
-#              verb.
-#
-#       PLUTO_CONNECTION
-#              is the name of the  connection  for  which  we  are
-#              routing.
-#
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
-#       PLUTO_INTERFACE
-#              is the name of the ipsec interface to be used.
-#
-#       PLUTO_REQID
-#              is the requid of the ESP policy
-#
-#       PLUTO_ME
-#              is the IP address of our host.
-#
-#       PLUTO_MY_ID
-#              is the ID of our host.
-#
-#       PLUTO_MY_CLIENT
-#              is the IP address / count of our client subnet.  If
-#              the  client  is  just  the  host,  this will be the
-#              host's own IP address / max (where max  is  32  for
-#              IPv4 and 128 for IPv6).
-#
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
-#       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
-#
-#       PLUTO_MY_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_MY_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
-#
-#       PLUTO_PEER
-#              is the IP address of our peer.
-#
-#       PLUTO_PEER_ID
-#              is the ID of our peer.
-#
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
-#       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub-
-#              net.   If the client is just the peer, this will be
-#              the peer's own IP address / max (where  max  is  32
-#              for IPv4 and 128 for IPv6).
-#
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
-#       PLUTO_PEER_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_PEER_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
-#
-#       PLUTO_XAUTH_ID
-#              is an optional user ID employed by the XAUTH protocol
-#
-#       PLUTO_MARK_IN
-#              is an optional XFRM mark set on the inbound IPsec SA
-#
-#       PLUTO_MARK_OUT
-#              is an optional XFRM mark set on the outbound IPsec SA
-#
-#       PLUTO_UDP_ENC
-#              contains the remote UDP port in the case of ESP_IN_UDP
-#              encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice                   -/var/log/vpn
-
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
-	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
-	exit 2
-	;;
-1.*)	;;
-*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
-	exit 2
-	;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':')			# no parameters
-	;;
-iptables:iptables)	# due to (left/right)firewall; for default script only
-	;;
-custom:*)		# custom parameters (see above CAUTION comment)
-	;;
-*)	echo "$0: unknown parameters \`$*'" >&2
-	exit 2
-	;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
-	if [ -n "$PLUTO_UDP_ENC" ]
-	then
-	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
-	else
-		SET_MARK="-p esp"
-	fi
-	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
-up-host:)
-	# connection to me coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi
-	;;
-down-host:)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	fi
-	#
-	# a virtual IP requires an INPUT and OUTPUT rule on the host
-	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
-	fi
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	fi
-	#
-	# a virtual IP requires an INPUT and OUTPUT rule on the host
-	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
-	fi
-	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-	exit 1
-	;;
-esac
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index 0be3477c1..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn nat-t
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
deleted file mode 100644
index 89d5f534b..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
-sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
deleted file mode 100644
index 310e5be71..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2
-alice::ipsec up nat-t
-venus::sleep 2
-venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev1/nat-two-rw-mark/test.conf b/testing/tests/ikev1/nat-two-rw-mark/test.conf
deleted file mode 100644
index ae3c190b8..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat
deleted file mode 100644
index e8aaf0b5f..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
-sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index eee3c45e8..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=secret
-		
-conn nat-t
-	left=%defaultroute
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index a7c500fe2..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=secret
-	
-conn nat-t
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftfirewall=yes
-	right=%any
-	rightsubnetwithin=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index eee3c45e8..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=secret
-		
-conn nat-t
-	left=%defaultroute
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/posttest.dat b/testing/tests/ikev1/nat-two-rw-psk/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat b/testing/tests/ikev1/nat-two-rw-psk/pretest.dat
deleted file mode 100644
index 6172bd088..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::rm /etc/ipsec.d/cacerts/*
-venus::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 5 
-alice::ipsec up nat-t
-venus::sleep 5 
-venus::ipsec up nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/test.conf b/testing/tests/ikev1/nat-two-rw-psk/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw/evaltest.dat b/testing/tests/ikev1/nat-two-rw/evaltest.dat
deleted file mode 100644
index 03c6d8ae6..000000000
--- a/testing/tests/ikev1/nat-two-rw/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*alice@strongswan.org::YES
-sun::ipsec status::nat-t.*venus.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-two-rw/posttest.dat b/testing/tests/ikev1/nat-two-rw/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev1/nat-two-rw/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-two-rw/pretest.dat b/testing/tests/ikev1/nat-two-rw/pretest.dat
deleted file mode 100644
index dd5259936..000000000
--- a/testing/tests/ikev1/nat-two-rw/pretest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 5 
-alice::ipsec up nat-t
-venus::sleep 5 
-venus::ipsec up nat-t
diff --git a/testing/tests/ikev1/nat-two-rw/test.conf b/testing/tests/ikev1/nat-two-rw/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev1/nat-two-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-virtual-ip/description.txt b/testing/tests/ikev1/nat-virtual-ip/description.txt
new file mode 100644
index 000000000..31d24cda6
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/description.txt
@@ -0,0 +1,6 @@
+The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
+to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
+virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
+specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
+which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
+This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
diff --git a/testing/tests/ikev1/nat-virtual-ip/evaltest.dat b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..c60ffc772
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
+bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
new file mode 100644
index 000000000..ee854da09
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
@@ -0,0 +1,70 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.50	alice1.strongswan.org	alice1
+192.168.0.100	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.200	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+10.4.0.1	alice2.strongswan.org	alice2
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec0::5		ip6-alice1.strongswan.org   ip6-alice1
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..28853ce75
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/nat_updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
new file mode 100755
index 000000000..aab1df687
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -0,0 +1,152 @@
+#! /bin/sh
+# NAT updown script
+#
+# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+export PATH
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..ff030b5b5
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsourceip=10.4.0.0/24
+	auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
new file mode 100644
index 000000000..11bd19da7
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
new file mode 100644
index 000000000..eb0c28c7f
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::conntrack -F
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ikev1/nat-virtual-ip/test.conf b/testing/tests/ikev1/nat-virtual-ip/test.conf
new file mode 100644
index 000000000..f46f137b4
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat
index 7cbf92687..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev1/net2net-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..b1a8c98fc
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..5f0405b05
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat
index 5a9150bc8..837738fc6 100644
--- a/testing/tests/ikev1/net2net-cert/posttest.dat
+++ b/testing/tests/ikev1/net2net-cert/posttest.dat
@@ -1,4 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat
index 9f60760c6..c724e5df8 100644
--- a/testing/tests/ikev1/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::sleep 1 
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev1/net2net-cert/test.conf
+++ b/testing/tests/ikev1/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-fragmentation/description.txt b/testing/tests/ikev1/net2net-fragmentation/description.txt
new file mode 100644
index 000000000..6fe773299
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/description.txt
@@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation
+protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509
+certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
new file mode 100644
index 000000000..876787495
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
@@ -0,0 +1,15 @@
+moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES
+sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES
+moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..cdd430408
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9caf4fa37
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..448525bf7
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..9caf4fa37
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-fragmentation/posttest.dat b/testing/tests/ikev1/net2net-fragmentation/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-fragmentation/test.conf b/testing/tests/ikev1/net2net-fragmentation/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-pgp-v3/description.txt b/testing/tests/ikev1/net2net-pgp-v3/description.txt
deleted file mode 100644
index bd680b57a..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index a38c66023..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control parsing"
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.asc
-	leftid=@#71270432cd763a18020ac988c0e75aed
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightcert=sunCert.asc
-	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 6524773e0..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
-JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
-FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
-7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
-0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
-8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
-QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
-biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
-=YFQm
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index afb1ff927..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 6a373e29f..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftcert=sunCert.asc
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=moonCert.asc
-	rightid=@#71270432cd763a18020ac988c0e75aed
-	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index de2393649..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
-Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
-GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
-vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
-LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
-2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
-xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
-IDxzdW4uc3Ryb25nc3dhbi5vcmc+
-=DwEu
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index ee98b1611..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v3/posttest.dat b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat
deleted file mode 100644
index fafcde975..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/net2net-pgp-v3/pretest.dat b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat
deleted file mode 100644
index 9e40684ab..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-pgp-v3/test.conf b/testing/tests/ikev1/net2net-pgp-v3/test.conf
deleted file mode 100644
index f74d0f7d6..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-pgp-v4/description.txt b/testing/tests/ikev1/net2net-pgp-v4/description.txt
deleted file mode 100644
index c82eec9ba..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 094ab3bed..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control parsing"
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.asc
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightcert=sunCert.asc
-	rightid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
-	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index a512f8f52..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
-bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
-CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
-N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
-1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
-D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
-/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
-1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
-CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
-ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
-21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
-mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
-G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
-spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
-=j2hu
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 5117cbb04..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
-Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
-CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
-0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
-eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
-RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
-6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
-vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
-EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
-Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
-mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
-t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
-gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
-lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
-=tAh4
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 59de821d6..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx
-nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/
-Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX
-BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK
-BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN
-S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI
-MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O
-GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8
-mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi
-RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey
-iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv
-vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC
-AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3
-Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o
-Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC
-GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL
-ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94
-N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk
-mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS
-26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs
-AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O
-MzxgEWTtyNTtGw==
-=Vb4y
------END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index afb1ff927..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 428b10ce6..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftcert=sunCert.asc
-	leftid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=moonCert.asc
-	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index a512f8f52..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
-bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
-CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
-N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
-1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
-D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
-/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
-1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
-CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
-ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
-21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
-mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
-G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
-spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
-=j2hu
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 5117cbb04..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
-Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
-CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
-0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
-eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
-RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
-6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
-vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
-EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
-Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
-mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
-t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
-gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
-lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
-=tAh4
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index 68899ae37..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt
-Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh
-9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn
-VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN
-P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw
-bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV
-5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy
-0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR
-mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H
-1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB
-P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt
-EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd
-B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr
-GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv
-JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb
-AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs
-QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY
-6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa
-WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR
-jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV
-aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr
-J0tAsvODgc8b
-=QOF4
------END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index ee98b1611..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat
deleted file mode 100644
index fafcde975..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat
deleted file mode 100644
index 9e40684ab..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-pgp-v4/test.conf b/testing/tests/ikev1/net2net-pgp-v4/test.conf
deleted file mode 100644
index f74d0f7d6..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt
index 5a794bd17..688182be4 100644
--- a/testing/tests/ikev1/net2net-psk-fail/description.txt
+++ b/testing/tests/ikev1/net2net-psk-fail/description.txt
@@ -1,7 +1,5 @@
-An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and 
-<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b>
-(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not
-match, so that the responder cannot decrypt ISAKMP message MI3. The resulting
-encrypted notification message cannot in turn be read by the initiator
-<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of
-PAYLOAD_MALFORMED messages is suppressed.
+A connection between the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b>
+uses a wrong PSK. This makes it impossible for gateway <b>sun</b> to decrypt the
+IKEv1 message correctly. Thus <b>sun</b> returns a <b>PAYLOAD-MALFORMED</b> error
+notify which in turn cannot be decrypted by <b>moon</b>.
diff --git a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
index 7f7cb9726..36ad061ac 100644
--- a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
@@ -1,6 +1,8 @@
-moon::cat /var/log/auth.log::malformed payload in packet::YES
-sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES
-sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES
-moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO
-sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO
-
+sun:: cat /var/log/daemon.log::invalid ID_V1 payload length, decryption failed::YES
+sun:: cat /var/log/daemon.log::generating INFORMATIONAL_V1 request.*HASH N(PLD_MAL)::YES
+moon::cat /var/log/daemon.log::invalid HASH_V1 payload length, decryption failed::YES
+moon::cat /var/log/daemon.log::ignore malformed INFORMATIONAL request::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index ad0359f01..5917bab81 100755..100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -1,21 +1,20 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 	authby=secret
-	
+	keyexchange=ikev1
+
 conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
index be95c4d99..38ebf966c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,4 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
 
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 453cdc07c..5db4358d6 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index 9bbff9039..8fe02b10b 100755..100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -1,21 +1,20 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 	authby=secret
-	
+	keyexchange=ikev1
+
 conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
index b53577e1d..be95c4d99 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
@@ -1,6 +1,6 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
 
 
 
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 453cdc07c..5db4358d6 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
index dff181797..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index aa8e332e0..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -1,5 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev1/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf
index f6e064e7d..eb4822b5d 100644
--- a/testing/tests/ikev1/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat
index 7cbf92687..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index c63ec2f30..e4243e294 100755..100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 453cdc07c..238ec24b7 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index e21ee9910..38dab14b4 100755..100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 453cdc07c..238ec24b7 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev1/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev1/net2net-psk/test.conf
+++ b/testing/tests/ikev1/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-route/description.txt b/testing/tests/ikev1/net2net-route/description.txt
deleted file mode 100644
index 323f09555..000000000
--- a/testing/tests/ikev1/net2net-route/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-A tunnel that will connect the subnets behind the gateways <b>moon</b>
-and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
-on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
-A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
-<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
-leads to the automatic establishment of the subnet-to-subnet tunnel.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
-that let pass the tunneled traffic.
diff --git a/testing/tests/ikev1/net2net-route/evaltest.dat b/testing/tests/ikev1/net2net-route/evaltest.dat
deleted file mode 100644
index 38d589e5a..000000000
--- a/testing/tests/ikev1/net2net-route/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index bc72fab0f..000000000
--- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=route
diff --git a/testing/tests/ikev1/net2net-route/posttest.dat b/testing/tests/ikev1/net2net-route/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/net2net-route/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-route/pretest.dat b/testing/tests/ikev1/net2net-route/pretest.dat
deleted file mode 100644
index 2eef7de19..000000000
--- a/testing/tests/ikev1/net2net-route/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2 
-alice::ping -c 10 PH_IP_BOB
diff --git a/testing/tests/ikev1/net2net-route/test.conf b/testing/tests/ikev1/net2net-route/test.conf
deleted file mode 100644
index d9a61590f..000000000
--- a/testing/tests/ikev1/net2net-route/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-rsa/description.txt b/testing/tests/ikev1/net2net-rsa/description.txt
deleted file mode 100644
index a23fae8c3..000000000
--- a/testing/tests/ikev1/net2net-rsa/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>raw RSA keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-rsa/evaltest.dat b/testing/tests/ikev1/net2net-rsa/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-rsa/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 837c1ab56..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
-	auto=add
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 9859ae8ed..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA	{
-	# RSA 2048 bits   moon.strongswan.org   Wed Dec  8 21:41:27 2004
-	# for signatures only, UNSAFE FOR ENCRYPTION
-	#pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
-	Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63
-	PublicExponent: 0x03
-	# everything after this point is secret
-	PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7
-	Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f
-	Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d
-	Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff
-	Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213
-	Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339
-	}
-# do not change the indenting of that "}"
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index c50c4c594..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index efd9c798a..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftid=@sun.strongswan.org
-	leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
-	auto=add
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index bf976a8d3..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA	{
-	# RSA 2048 bits   sun.strongswan.org   Wed Dec  8 21:44:27 2004
-	# for signatures only, UNSAFE FOR ENCRYPTION
-	#pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
-	Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253
-	PublicExponent: 0x03
-	# everything after this point is secret
-	PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db
-	Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb
-	Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839
-	Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47
-	Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b
-	Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a
-	}
-# do not change the indenting of that "}"
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index c50c4c594..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-rsa/posttest.dat b/testing/tests/ikev1/net2net-rsa/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/net2net-rsa/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-rsa/pretest.dat b/testing/tests/ikev1/net2net-rsa/pretest.dat
deleted file mode 100644
index 9e40684ab..000000000
--- a/testing/tests/ikev1/net2net-rsa/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-rsa/test.conf b/testing/tests/ikev1/net2net-rsa/test.conf
deleted file mode 100644
index f74d0f7d6..000000000
--- a/testing/tests/ikev1/net2net-rsa/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-same-nets/description.txt b/testing/tests/ikev1/net2net-same-nets/description.txt
deleted file mode 100644
index d0eb3374f..000000000
--- a/testing/tests/ikev1/net2net-same-nets/description.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b>
-and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b>
-sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b>
-sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
-done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
-<p/>
-Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
-<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
-connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
-the necessary NETMAP operations and forward the tunneled traffic.
-<p/>
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
diff --git a/testing/tests/ikev1/net2net-same-nets/evaltest.dat b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
deleted file mode 100644
index b5ad0628e..000000000
--- a/testing/tests/ikev1/net2net-same-nets/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::net-net.*IPsec SA established::YES
-sun::ipsec statusall::net-net.*IPsec SA established::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
-bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES 
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 30af017ff..000000000
--- a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net 
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.0.0.0/14
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.4.0.0/14
-	auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 5e924cf25..000000000
--- a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-        keyingtries=1
-	keyexchange=ikev1
-
-conn net-net 
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.4.0.0/14
-	leftupdown=/etc/mark_updown
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.0.0.0/14
-	mark_in=8
-	mark_out=4
-	auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
deleted file mode 100755
index 0bfdcad85..000000000
--- a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
+++ /dev/null
@@ -1,376 +0,0 @@
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-# CAUTION:  Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make.  If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#      PLUTO_VERSION
-#              indicates  what  version of this interface is being
-#              used.  This document describes version  1.1.   This
-#              is upwardly compatible with version 1.0.
-#
-#       PLUTO_VERB
-#              specifies the name of the operation to be performed
-#              (prepare-host, prepare-client, up-host, up-client,
-#              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica-
-#              tions is IPv6, then a suffix of -v6 is added to the
-#              verb.
-#
-#       PLUTO_CONNECTION
-#              is the name of the  connection  for  which  we  are
-#              routing.
-#
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
-#       PLUTO_INTERFACE
-#              is the name of the ipsec interface to be used.
-#
-#       PLUTO_REQID
-#              is the requid of the ESP policy
-#
-#       PLUTO_ME
-#              is the IP address of our host.
-#
-#       PLUTO_MY_ID
-#              is the ID of our host.
-#
-#       PLUTO_MY_CLIENT
-#              is the IP address / count of our client subnet.  If
-#              the  client  is  just  the  host,  this will be the
-#              host's own IP address / max (where max  is  32  for
-#              IPv4 and 128 for IPv6).
-#
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
-#       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
-#
-#       PLUTO_MY_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_MY_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
-#
-#       PLUTO_PEER
-#              is the IP address of our peer.
-#
-#       PLUTO_PEER_ID
-#              is the ID of our peer.
-#
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
-#       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub-
-#              net.   If the client is just the peer, this will be
-#              the peer's own IP address / max (where  max  is  32
-#              for IPv4 and 128 for IPv6).
-#
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
-#       PLUTO_PEER_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_PEER_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
-#
-#       PLUTO_XAUTH_ID
-#              is an optional user ID employed by the XAUTH protocol
-#
-#       PLUTO_MARK_IN
-#              is an optional XFRM mark set on the inbound IPsec SA
-#
-#       PLUTO_MARK_OUT
-#              is an optional XFRM mark set on the outbound IPsec SA
-#
-#       PLUTO_UDP_ENC
-#              contains the remote UDP port in the case of ESP_IN_UDP
-#              encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# check parameter(s)
-case "$1:$*" in
-':')			# no parameters
-	;;
-iptables:iptables)	# due to (left/right)firewall; for default script only
-	;;
-custom:*)		# custom parameters (see above CAUTION comment)
-	;;
-*)	echo "$0: unknown parameters \`$*'" >&2
-	exit 2
-	;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-# define NETMAP
-SAME_NET=$PLUTO_PEER_CLIENT
-IN_NET=$PLUTO_MY_CLIENT
-OUT_NET="10.8.0.0/14"
-
-# define internal interface
-INT_INTERFACE="eth1"
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
-	if [ -n "$PLUTO_UDP_ENC" ]
-	then
-	    SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
-	else
-		SET_MARK_IN="-p esp"
-	fi
-	SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# is there an outbound mark to be set?
-if [ -n "$PLUTO_MARK_OUT" ]
-then
-	SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK_IN
-	    iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
-		     -d $IN_NET -j NETMAP --to $SAME_NET 
-	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
-	    iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
-	             -s $SAME_NET -j NETMAP --to $OUT_NET 
-	fi
-	if [ -n "$PLUTO_MARK_OUT" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK_OUT 
-	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-	             -d $OUT_NET -j NETMAP --to $SAME_NET
-	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
-            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-                     -s $SAME_NET -j NETMAP --to $IN_NET
-	fi
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK_IN
-	    iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
-	             -d $IN_NET -j NETMAP --to $SAME_NET 
-	    iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
-	    iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
-	             -s $SAME_NET -j NETMAP --to $OUT_NET 
-	fi
-	if [ -n "$PLUTO_MARK_OUT" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
-	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
-	fi
-	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-	exit 1
-	;;
-esac
diff --git a/testing/tests/ikev1/net2net-same-nets/posttest.dat b/testing/tests/ikev1/net2net-same-nets/posttest.dat
deleted file mode 100644
index e75e66650..000000000
--- a/testing/tests/ikev1/net2net-same-nets/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-sun::iptables -t mangle -n -v -L PREROUTING
-sun::iptables -t nat -n -v -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-sun::conntrack -F
diff --git a/testing/tests/ikev1/net2net-same-nets/pretest.dat b/testing/tests/ikev1/net2net-same-nets/pretest.dat
deleted file mode 100644
index 2d7a78acb..000000000
--- a/testing/tests/ikev1/net2net-same-nets/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1 
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-same-nets/test.conf b/testing/tests/ikev1/net2net-same-nets/test.conf
deleted file mode 100644
index 1971a33ab..000000000
--- a/testing/tests/ikev1/net2net-same-nets/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-start/description.txt b/testing/tests/ikev1/net2net-start/description.txt
deleted file mode 100644
index f5320685e..000000000
--- a/testing/tests/ikev1/net2net-start/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
-respectively, is automatically established by means of the setting
-<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
-behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
-gateway <b>sun</b>.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
-that let pass the tunneled traffic.
diff --git a/testing/tests/ikev1/net2net-start/evaltest.dat b/testing/tests/ikev1/net2net-start/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-start/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index acb12e7f3..000000000
--- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=start
diff --git a/testing/tests/ikev1/net2net-start/posttest.dat b/testing/tests/ikev1/net2net-start/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/net2net-start/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat
deleted file mode 100644
index f0c5bcec6..000000000
--- a/testing/tests/ikev1/net2net-start/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-alice::sleep 20 
diff --git a/testing/tests/ikev1/net2net-start/test.conf b/testing/tests/ikev1/net2net-start/test.conf
deleted file mode 100644
index d9a61590f..000000000
--- a/testing/tests/ikev1/net2net-start/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/no-priv-key/description.txt b/testing/tests/ikev1/no-priv-key/description.txt
deleted file mode 100644
index 21b8eccb1..000000000
--- a/testing/tests/ikev1/no-priv-key/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-This scenario tests whether the correct encrypted informational messages are
-generated by the initiator <b>carol</b> and subsequently decoded by the
-responder <b>moon</b> when roadwarrior <b>carol</b> finds out that she
-doesn't have a private RSA key to sign her hash with.
diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat
deleted file mode 100644
index e5a8de0b9..000000000
--- a/testing/tests/ikev1/no-priv-key/evaltest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-carol::cat /var/log/auth.log::unable to locate my private key::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 23b311aa6..000000000
--- a/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# missing private RSA key
diff --git a/testing/tests/ikev1/no-priv-key/posttest.dat b/testing/tests/ikev1/no-priv-key/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/no-priv-key/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/no-priv-key/pretest.dat b/testing/tests/ikev1/no-priv-key/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/no-priv-key/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/no-priv-key/test.conf b/testing/tests/ikev1/no-priv-key/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/no-priv-key/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ocsp-revoked/description.txt b/testing/tests/ikev1/ocsp-revoked/description.txt
deleted file mode 100644
index cbdd1305a..000000000
--- a/testing/tests/ikev1/ocsp-revoked/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current revocation information is available, the Main Mode
-negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>.
-When the second Main Mode trial comes around the OCSP response will be available
-but because the certificate presented by carol has been revoked,
-the IKE negotatiation will fail..
diff --git a/testing/tests/ikev1/ocsp-revoked/evaltest.dat b/testing/tests/ikev1/ocsp-revoked/evaltest.dat
deleted file mode 100644
index f5286cb61..000000000
--- a/testing/tests/ikev1/ocsp-revoked/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listocsp:: revoked::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a62964829..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolRevokedCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644
index a92610c4f..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
-lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
-e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
-Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
-+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
-TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
-ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
-jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
-nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
-6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
-cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
-q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
-0xafBd5x
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
deleted file mode 100644
index 60e7fdfa9..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
-msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
-AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
-hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
-dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
-dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
-fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
-Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
-M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
-0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
-oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
-VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
-ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
-VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
-I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
-bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
-yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
-u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
-dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
-coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
-VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
-YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
-lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
-95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
-b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 8e31be4cb..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolRevokedKey.pem
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index cd2ab0aca..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-revoked/posttest.dat b/testing/tests/ikev1/ocsp-revoked/posttest.dat
deleted file mode 100644
index d742e8410..000000000
--- a/testing/tests/ikev1/ocsp-revoked/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/ocsp-revoked/pretest.dat b/testing/tests/ikev1/ocsp-revoked/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/ocsp-revoked/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ocsp-revoked/test.conf b/testing/tests/ikev1/ocsp-revoked/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/ocsp-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ocsp-strict/description.txt b/testing/tests/ikev1/ocsp-strict/description.txt
deleted file mode 100644
index 7cb983140..000000000
--- a/testing/tests/ikev1/ocsp-strict/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current revocation information is available, the Main Mode
-negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>.
-When the second Main Mode trial comes around, the OCSP response will be available
-and the IKE negotiation completes.
diff --git a/testing/tests/ikev1/ocsp-strict/evaltest.dat b/testing/tests/ikev1/ocsp-strict/evaltest.dat
deleted file mode 100644
index 66b27aaac..000000000
--- a/testing/tests/ikev1/ocsp-strict/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec listocsp:: good::YES
-carol::ipsec listocsp:: good::YES
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index c79b1c3e2..000000000
--- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index cd2ab0aca..000000000
--- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-strict/posttest.dat b/testing/tests/ikev1/ocsp-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ocsp-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ocsp-strict/pretest.dat b/testing/tests/ikev1/ocsp-strict/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/ocsp-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ocsp-strict/test.conf b/testing/tests/ikev1/ocsp-strict/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/ocsp-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/passthrough/description.txt b/testing/tests/ikev1/passthrough/description.txt
deleted file mode 100644
index 145c5b79c..000000000
--- a/testing/tests/ikev1/passthrough/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-All IP traffic from the subnet behind the gateway <b>moon</b> is tunneled
-to the gateway  <b>sun</b> using the 0.0.0.0/0 network mask. In order
-to prevent local subnet traffic from escaping through the tunnel, a
-passthrough policy for the 10.1.0.0/16 network is inserted on <b>moon</b>.
-A series of internal and external pings verifies the correct
-functioning of the setup.
diff --git a/testing/tests/ikev1/passthrough/evaltest.dat b/testing/tests/ikev1/passthrough/evaltest.dat
deleted file mode 100644
index 942222f08..000000000
--- a/testing/tests/ikev1/passthrough/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 25eec2a3e..000000000
--- a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-
-conn net-net
-	rightsubnet=0.0.0.0/0
-	rightid=@sun.strongswan.org
-	leftid=@moon.strongswan.org
-	leftcert=moonCert.pem
-	leftsourceip=10.1.0.1
-	leftfirewall=yes
-	lefthostaccess=yes
-	auto=add
-        
-conn pass
-	rightsubnet=10.1.0.0/16
-	type=passthrough
-	authby=never
-	auto=route
diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 7541aa894..000000000
--- a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-	leftsubnet=0.0.0.0/0
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/passthrough/posttest.dat b/testing/tests/ikev1/passthrough/posttest.dat
deleted file mode 100644
index db17f4c65..000000000
--- a/testing/tests/ikev1/passthrough/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::ip route flush table 50 
-moon::ip rule del table 50
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/passthrough/pretest.dat b/testing/tests/ikev1/passthrough/pretest.dat
deleted file mode 100644
index 6b5295469..000000000
--- a/testing/tests/ikev1/passthrough/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::iptables -I INPUT  -i eth1 -s 10.1.0.0/16 -j ACCEPT
-moon::iptables -I OUTPUT -o eth1 -d 10.1.0.0/16 -j ACCEPT
-moon::ip rule add pref 50 table 50
-moon::ip route add 192.168.0.254 via PH_IP_MOON table 50
-moon::ip route add 10.1.0.0/16 via PH_IP_MOON1 table 50
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/passthrough/test.conf b/testing/tests/ikev1/passthrough/test.conf
deleted file mode 100644
index d9a61590f..000000000
--- a/testing/tests/ikev1/passthrough/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat
index 11c34929f..cf45f3b52 100644
--- a/testing/tests/ikev1/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev1/protoport-dual/evaltest.dat
@@ -1,7 +1,9 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 48df689af..37eb67d51 100755..100644
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index c4bfebda1..26c6882f5 100755..100644
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/protoport-dual/posttest.dat
+++ b/testing/tests/ikev1/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev1/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/protoport-dual/test.conf
+++ b/testing/tests/ikev1/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/protoport-pass/description.txt b/testing/tests/ikev1/protoport-pass/description.txt
deleted file mode 100644
index 63744fa47..000000000
--- a/testing/tests/ikev1/protoport-pass/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-Using the <b>left|rightprotoport</b> selectors, the IPsec tunnel is
-restricted to the ICMP protocol. Upon the successful establishment of the
-IPsec tunnel, <b>firewall=yes</b> automatically inserts iptables-based
-firewall rules that let pass the tunneled ICMP traffic. In order to test
-both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b> as well as the inner interface of the gateway.
-For the latter ping <b>lefthostaccess=yes</b> is required.
-<p>
-By default, the native IPsec stack of the Linux 2.6 kernel transmits
-protocols and ports not covered by any IPsec SA in the clear. Thus by
-selectively opening the firewalls, <b>carol</b> sets up an SSH session to
-<b>alice</b> that is not going through the tunnel.
diff --git a/testing/tests/ikev1/protoport-pass/evaltest.dat b/testing/tests/ikev1/protoport-pass/evaltest.dat
deleted file mode 100644
index 11c34929f..000000000
--- a/testing/tests/ikev1/protoport-pass/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index aae781b69..000000000
--- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home-icmp
-	left=PH_IP_CAROL
-        leftid=carol@strongswan.org
-	leftcert=carolCert.pem
-	leftprotoport=icmp
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightprotoport=icmp
-        rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 7b80a299e..000000000
--- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw-icmp
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftprotoport=icmp
-	leftid=@moon.strongswan.org
-	leftcert=moonCert.pem
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=%any
-	rightprotoport=icmp
-	auto=add
diff --git a/testing/tests/ikev1/protoport-pass/posttest.dat b/testing/tests/ikev1/protoport-pass/posttest.dat
deleted file mode 100644
index d6f014882..000000000
--- a/testing/tests/ikev1/protoport-pass/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-carol::ip route del 10.1.0.0/16 via PH_IP_MOON
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/protoport-pass/pretest.dat b/testing/tests/ikev1/protoport-pass/pretest.dat
deleted file mode 100644
index 37f545062..000000000
--- a/testing/tests/ikev1/protoport-pass/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT
-moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::iptables -I INPUT  -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT
-carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT
-carol::ip route add 10.1.0.0/16 via PH_IP_MOON
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home-icmp
diff --git a/testing/tests/ikev1/protoport-pass/test.conf b/testing/tests/ikev1/protoport-pass/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/protoport-pass/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/protoport-route/description.txt b/testing/tests/ikev1/protoport-route/description.txt
deleted file mode 100644
index ec7ec69b0..000000000
--- a/testing/tests/ikev1/protoport-route/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
-between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. Using <b>add=route</b> %trap
-eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
-a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
-is triggered and the corresponding IPsec tunnel is set up. In the same
-way an ssh session to <b>alice</b> over the second IPsec SA is established.
diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat
deleted file mode 100644
index b266d86d8..000000000
--- a/testing/tests/ikev1/protoport-route/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
-carol::ssh PH_IP_ALICE hostname::alice::YES
-carol::cat /var/log/auth.log::initiate on demand::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 2bb557410..000000000
--- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=route
-	
-conn home-icmp
-	leftprotoport=icmp
-	rightprotoport=icmp
-
-conn home-ssh
-	leftprotoport=tcp
-	rightprotoport=tcp/ssh
diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index c4bfebda1..000000000
--- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
-
-conn rw-icmp
-	lefthostaccess=yes
-	leftprotoport=icmp
-	rightprotoport=icmp
-
-conn rw-ssh
-	leftprotoport=tcp/ssh
-	rightprotoport=tcp
diff --git a/testing/tests/ikev1/protoport-route/posttest.dat b/testing/tests/ikev1/protoport-route/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/protoport-route/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat
deleted file mode 100644
index d52aeaeb8..000000000
--- a/testing/tests/ikev1/protoport-route/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 3 
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname
-carol::ping -c 1 PH_IP_MOON1 > /dev/null
-carol::sleep 2 
diff --git a/testing/tests/ikev1/protoport-route/test.conf b/testing/tests/ikev1/protoport-route/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/protoport-route/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/req-pkcs10/description.txt b/testing/tests/ikev1/req-pkcs10/description.txt
deleted file mode 100644
index a958cb8e8..000000000
--- a/testing/tests/ikev1/req-pkcs10/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Both the roadwarrior <b>carol</b> and the gateway <b>moon</b> generate a
-PKCS#1 RSA private key and a PKCS#10 certificate request using the 
-<b>ipsec scepclient</b> function. Because the UML testing environment
-does not offer enough entropy, the non-blocking /dev/urandom device is
-used in place of /dev/random for generating the random primes.
-<p>
-The certificate requests are copied to <b>winnetou</b> where a certification
-authority based on OpenSSL issues X.509 certificates by verifying and
-signing the PCKS#10 requests. The certificates are then copied back to
-the corresponding hosts and used to set up a road warrior connection
-initiated by <b>carol</b> 
diff --git a/testing/tests/ikev1/req-pkcs10/evaltest.dat b/testing/tests/ikev1/req-pkcs10/evaltest.dat
deleted file mode 100644
index c7657801e..000000000
--- a/testing/tests/ikev1/req-pkcs10/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 7c2bb3a98..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=myCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 167d743df..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA myKey.der
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf
deleted file mode 100644
index 6afd3fa11..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf
+++ /dev/null
@@ -1,3 +0,0 @@
---debug-control
---out pkcs1
---out pkcs10
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index b9ec17dbc..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf
deleted file mode 100644
index da8177348..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf
+++ /dev/null
@@ -1,4 +0,0 @@
---debug-control
---keylength 2064
---out pkcs1=moonKey.der
---out pkcs10=moonReq.der
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
deleted file mode 100644
index 9b48ee4cf..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-y
-y
diff --git a/testing/tests/ikev1/req-pkcs10/posttest.dat b/testing/tests/ikev1/req-pkcs10/posttest.dat
deleted file mode 100644
index 933b4b6c4..000000000
--- a/testing/tests/ikev1/req-pkcs10/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/reqs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/reqs/*
-winnetou::rm /etc/openssl/carol*
-winnetou::rm /etc/openssl/moon*
diff --git a/testing/tests/ikev1/req-pkcs10/pretest.dat b/testing/tests/ikev1/req-pkcs10/pretest.dat
deleted file mode 100644
index cb4355efa..000000000
--- a/testing/tests/ikev1/req-pkcs10/pretest.dat
+++ /dev/null
@@ -1,23 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::cat /etc/scepclient.conf
-carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf
-winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der
-winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem
-winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt
-winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::cat /etc/scepclient.conf
-moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
-winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/
-winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem
-winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt
-winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/
-carol::sleep 2
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/req-pkcs10/test.conf b/testing/tests/ikev1/req-pkcs10/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/req-pkcs10/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert-aggressive/description.txt b/testing/tests/ikev1/rw-cert-aggressive/description.txt
new file mode 100644
index 000000000..1c4535c23
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication is
+based on <b>X.509 certificates</b>. Upon the successful establishment of the IPsec
+tunnels, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the tunneled traffic. In order to test both tunnel and
+firewall, both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
new file mode 100644
index 000000000..ba661975b
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..77ed2c0c9
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="job 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	aggressive=yes
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c032d8291
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..82a8f38c5
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="job 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	aggressive=yes
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c032d8291
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..49d0909a5
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	aggressive=yes
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c032d8291
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert-aggressive/test.conf b/testing/tests/ikev1/rw-cert-aggressive/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-cert-unity/description.txt b/testing/tests/ikev1/rw-cert-unity/description.txt
new file mode 100644
index 000000000..5e887c7f4
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on <b>X.509 certificates</b>. <b>carol</b>
+requests a virtual IP using <b>leftsourceip=%config</b> and indicates
+support for the Cisco Unity extension. Gateway <b>moon</b> responds with
+two Split-Include subnets configured in the <b>leftsubnet</b> definition and a
+global Local-LAN exclude option defined in strongswan.conf.
diff --git a/testing/tests/ikev1/rw-cert-unity/evaltest.dat b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
new file mode 100644
index 000000000..c183f48e9
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::10.2.1.1/32 === 192.168.0.0/24 PASS::YES
+carol::ipsec status 2> /dev/null::home.*10.2.1.1/32 === 10.1.0.0/16 10.2.1.0/24::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 10.2.1.0/24 === 10.2.1.1/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..bad62811b
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..14e061408
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default unity
+  cisco_unity = yes
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..ee8ee9093
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,10.2.1.0/24
+	right=%any
+	rightsourceip=10.2.1.0/24
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cbc51d38c
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity
+  cisco_unity = yes
+  plugins {
+    attr {
+      split-exclude = 192.168.0.0/24
+    }
+  }
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat b/testing/tests/ikev1/rw-cert-unity/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/posttest.dat
diff --git a/testing/tests/ikev1/rw-cert-unity/pretest.dat b/testing/tests/ikev1/rw-cert-unity/pretest.dat
new file mode 100644
index 000000000..4fbe475bf
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert-unity/test.conf b/testing/tests/ikev1/rw-cert-unity/test.conf
new file mode 100644
index 000000000..09e6f6cdb
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert/description.txt b/testing/tests/ikev1/rw-cert/description.txt
index 8df6b1c0d..15b3822b5 100644
--- a/testing/tests/ikev1/rw-cert/description.txt
+++ b/testing/tests/ikev1/rw-cert/description.txt
@@ -1,6 +1,6 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> pings the client
-<b>alice</b> behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat
index c7657801e..ba661975b 100644
--- a/testing/tests/ikev1/rw-cert/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert/evaltest.dat
@@ -1,5 +1,15 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..58914391c
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 7403971e9..8822cae64 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..150c63bc7
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..8822cae64
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5cf82c6b8
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 7403971e9..8822cae64 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat
index 94a400606..1865a1c60 100644
--- a/testing/tests/ikev1/rw-cert/posttest.dat
+++ b/testing/tests/ikev1/rw-cert/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat
index 4fe0ee90b..8bbea1412 100644
--- a/testing/tests/ikev1/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf
index 9cd583b16..f29298850 100644
--- a/testing/tests/ikev1/rw-cert/test.conf
+++ b/testing/tests/ikev1/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt
new file mode 100644
index 000000000..478004162
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
new file mode 100644
index 000000000..80fd7c5be
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..58914391c
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc900c4f2
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..b262ecbea
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..9251921ff
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..4c5df8825
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f31b170b
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-mark-in-out/description.txt b/testing/tests/ikev1/rw-mark-in-out/description.txt
deleted file mode 100644
index 4c35081b1..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
-and 10.3.0.20, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
-iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
deleted file mode 100644
index 168b3dfb9..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::alice.*alice@strongswan.org::YES
-sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::venus.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 4256006c0..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 83fe9eed2..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-	rightid=alice@strongswan.org
-	mark_in=10/0xffffffff
-	mark_out=11/0xffffffff
-	also=sun
-	auto=add
-
-conn venus
-	rightid=@venus.strongswan.org
-	mark_in=20  #0xffffffff is used by default
-	mark_out=21 #0xffffffff is used by default
-	also=sun
-	auto=add
-
-conn sun
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	leftupdown=/etc/mark_updown
-	right=%any
-	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
deleted file mode 100755
index 0d22e684d..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ /dev/null
@@ -1,527 +0,0 @@
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-# CAUTION:  Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make.  If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#      PLUTO_VERSION
-#              indicates  what  version of this interface is being
-#              used.  This document describes version  1.1.   This
-#              is upwardly compatible with version 1.0.
-#
-#       PLUTO_VERB
-#              specifies the name of the operation to be performed
-#              (prepare-host, prepare-client, up-host, up-client,
-#              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica-
-#              tions is IPv6, then a suffix of -v6 is added to the
-#              verb.
-#
-#       PLUTO_CONNECTION
-#              is the name of the  connection  for  which  we  are
-#              routing.
-#
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
-#       PLUTO_INTERFACE
-#              is the name of the ipsec interface to be used.
-#
-#       PLUTO_REQID
-#              is the requid of the ESP policy
-#
-#       PLUTO_ME
-#              is the IP address of our host.
-#
-#       PLUTO_MY_ID
-#              is the ID of our host.
-#
-#       PLUTO_MY_CLIENT
-#              is the IP address / count of our client subnet.  If
-#              the  client  is  just  the  host,  this will be the
-#              host's own IP address / max (where max  is  32  for
-#              IPv4 and 128 for IPv6).
-#
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
-#       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
-#
-#       PLUTO_MY_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_MY_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
-#
-#       PLUTO_PEER
-#              is the IP address of our peer.
-#
-#       PLUTO_PEER_ID
-#              is the ID of our peer.
-#
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
-#       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub-
-#              net.   If the client is just the peer, this will be
-#              the peer's own IP address / max (where  max  is  32
-#              for IPv4 and 128 for IPv6).
-#
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
-#       PLUTO_PEER_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_PEER_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
-#
-#       PLUTO_XAUTH_ID
-#              is an optional user ID employed by the XAUTH protocol
-#
-#       PLUTO_MARK_IN
-#              is an optional XFRM mark set on the inbound IPsec SA
-#
-#       PLUTO_MARK_OUT
-#              is an optional XFRM mark set on the outbound IPsec SA
-#
-#       PLUTO_UDP_ENC
-#              contains the remote UDP port in the case of ESP_IN_UDP
-#              encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice                   -/var/log/vpn
-
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
-	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
-	exit 2
-	;;
-1.*)	;;
-*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
-	exit 2
-	;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':')			# no parameters
-	;;
-iptables:iptables)	# due to (left/right)firewall; for default script only
-	;;
-custom:*)		# custom parameters (see above CAUTION comment)
-	;;
-*)	echo "$0: unknown parameters \`$*'" >&2
-	exit 2
-	;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
-	if [ -n "$PLUTO_UDP_ENC" ]
-	then
-	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
-	else
-		SET_MARK="-p esp"
-	fi
-	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
-up-host:)
-	# connection to me coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi
-	;;
-down-host:)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	fi
-	#
-	# a virtual IP requires an INPUT and OUTPUT rule on the host
-	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
-	fi
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	fi
-	#
-	# a virtual IP requires an INPUT and OUTPUT rule on the host
-	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
-	fi
-	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-	exit 1
-	;;
-esac
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index e7561ebbe..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/posttest.dat b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
deleted file mode 100644
index fae79271b..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-sun::ip route del 10.1.0.0/16 via PH_IP_MOON
-sun::conntrack -F
-sun::rm /etc/mark_updown
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/rw-mark-in-out/pretest.dat b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
deleted file mode 100644
index 427e5c67f..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/pretest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-sun::ip route add 10.1.0.0/16 via PH_IP_MOON
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2
-alice::ipsec up home
-venus::sleep 2
-venus::ipsec up home
-venus::sleep 2
diff --git a/testing/tests/ikev1/rw-mark-in-out/test.conf b/testing/tests/ikev1/rw-mark-in-out/test.conf
deleted file mode 100644
index ae3c190b8..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/rw-psk-aggressive/description.txt b/testing/tests/ikev1/rw-psk-aggressive/description.txt
new file mode 100644
index 000000000..32a476ee8
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication
+is based on distinct <b>pre-shared keys</b> and <b>Fully Qualified Domain Names</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the
+client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
new file mode 100644
index 000000000..2342d024b
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..fe086b8d5
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+	aggressive=yes
+	
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..47e31ca21
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..df2887263
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+	aggressive=yes
+	
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..f6c1a22ef
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..cb8a0cd78
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+	aggressive=yes
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e3dd0fba3
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+@moon.strongswan.org dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..708a71c7e
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+
+  i_dont_care_about_security_and_use_aggressive_mode_psk = yes
+}
diff --git a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
new file mode 100644
index 000000000..44f41f995
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-aggressive/test.conf b/testing/tests/ikev1/rw-psk-aggressive/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/description.txt b/testing/tests/ikev1/rw-psk-fqdn-named/description.txt
deleted file mode 100644
index adfab2f4d..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). 
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
-<p>
-The significant difference between this scenario and the test
-<a href="../rw-psk-fqdn"><b>rw-psk-fqdn</b></a>
-is the additional line <b>rightid=@carol.strongswan.org</b> by which gateway
-<b>moon</b> restricts the roadwarrior connection to host <b>carol</b>.
-</p>
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat
deleted file mode 100644
index c7657801e..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index ffa211299..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=secret
-	
-conn home
-	left=PH_IP_CAROL
-	leftid=@carol.strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index db3884e57..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 5f7cdedd2..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=secret
-	
-conn rw-carol 
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-	rightid=@carol.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 6281340ae..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat
deleted file mode 100644
index dbf03f552..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/test.conf b/testing/tests/ikev1/rw-psk-fqdn-named/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-psk-fqdn/description.txt b/testing/tests/ikev1/rw-psk-fqdn/description.txt
index d6c79afb2..47f6968ae 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev1/rw-psk-fqdn/description.txt
@@ -1,5 +1,6 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). 
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
index c7657801e..77f548848 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
@@ -1,5 +1,14 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index ffa211299..936a75401 100755..100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,7 +12,7 @@ conn %default
 	
 conn home
 	left=PH_IP_CAROL
-	leftid=@carol.strongswan.org
+	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
index db3884e57..47e31ca21 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
@@ -1,7 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..45cdd3eca
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+	
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..f6c1a22ef
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index efec3b33d..63bdd6bb8 100755..100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,11 +9,21 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
+
+conn rw-carol
+	also=rw
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
+
+conn rw-dave
+	also=rw
+	right=PH_IP_DAVE
+	rightid=dave@strongswan.org
+	auto=add
 	
 conn rw
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
index 661168fb5..e3dd0fba3 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+@moon.strongswan.org dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
index 94a400606..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
index dbf03f552..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
@@ -1,8 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
+dave::ipsec start
 moon::ipsec start
 carol::sleep 2
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf
index 9cd583b16..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-ipv4/description.txt b/testing/tests/ikev1/rw-psk-ipv4/description.txt
index b3a0bc192..b4aaa6a6a 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev1/rw-psk-ipv4/description.txt
@@ -1,5 +1,6 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>IPv4 addresses</b> (ID_IPV4_ADDR).
-<b>firewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b>
-behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
index c7657801e..df37719e9 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
@@ -1,5 +1,14 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 0d2a5d2c4..3214ace92 100755..100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
index 69313b289..18a074472 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -1,7 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..f59de5f72
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+	
+conn home
+	left=PH_IP_DAVE
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..a048cb5f2
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index 41582eaef..b6bb51c0c 100755..100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,10 +9,18 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
+
+conn rw-carol
+	also=rw
+	right=PH_IP_CAROL
+	auto=add
+
+conn rw-dave
+	also=rw
+	right=PH_IP_DAVE
+	auto=add
 	
 conn rw
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
index a8e367950..55c639704 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
+192.168.0.1 192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
 
+192.168.0.1 192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
index 94a400606..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
index dbf03f552..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
@@ -1,8 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
+dave::ipsec start
 moon::ipsec start
 carol::sleep 2
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf
index 9cd583b16..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-no-policy/description.txt b/testing/tests/ikev1/rw-psk-no-policy/description.txt
deleted file mode 100644
index 0e359414f..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
-<b>PSK</b>-based authentication. Since <b>moon</b> supports <b>RSASIG</b>-based
-authentication only, the connection setup fails.
diff --git a/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat b/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat
deleted file mode 100644
index a28377dbd..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests PSK authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES
-moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
-
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index c040fe88f..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn home
-	authby=secret
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 1b721dc58..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f0dbeb323..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/posttest.dat b/testing/tests/ikev1/rw-psk-no-policy/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/rw-psk-no-policy/pretest.dat b/testing/tests/ikev1/rw-psk-no-policy/pretest.dat
deleted file mode 100644
index 3a7804ddd..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-no-policy/test.conf b/testing/tests/ikev1/rw-psk-no-policy/test.conf
deleted file mode 100644
index f622c18b7..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt
deleted file mode 100644
index b99a8e5b3..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
-<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
-is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes
-and automatically selects the correct roadwarrior connection definition based on policy
-information gained from pre-parsing the peers' ISAKMP proposal payload. 
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
deleted file mode 100644
index 5ab6632cc..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests PSK authentication::YES
-moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
-moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES
-
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index f2a15af0a..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128,serpent128,twofish128,3des
-	
-conn home
-	authby=secret
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 1b721dc58..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 02270e004..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	
-conn rw-rsasig
-	authby=rsasig
-	leftcert=moonCert.pem
-	auto=add
-
-conn rw-psk
-	authby=secret
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index fd33507a7..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat
deleted file mode 100644
index ed530f6d9..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat
deleted file mode 100644
index 35797b589..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf
deleted file mode 100644
index 699b88e88..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol dave winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/description.txt b/testing/tests/ikev1/rw-rsa-no-policy/description.txt
deleted file mode 100644
index c3336b769..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
-<b>RSASIG</b>-based authentication. Since <b>moon</b> supports <b>PSK</b>-based
-authentication only, the connection setup fails.
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
deleted file mode 100644
index 849ae5d66..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES
-moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
-
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index dbd3adb4c..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw-psk
-	authby=secret
-	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat b/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat b/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat
deleted file mode 100644
index 0d2a0dd1f..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/test.conf b/testing/tests/ikev1/rw-rsa-no-policy/test.conf
deleted file mode 100644
index f622c18b7..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/self-signed/description.txt b/testing/tests/ikev1/self-signed/description.txt
deleted file mode 100644
index 2d7bfc2bf..000000000
--- a/testing/tests/ikev1/self-signed/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Roadwarrior <b>carol</b> and gateway <b>moon</b> each generate a
-PKCS#1 RSA private key and a self-signed X.509 certificate
-using the <b>ipsec scepclient</b> function. Because the UML testing
-environment does not offer enough entropy, the non-blocking /dev/urandom
-device is used in place of /dev/random for generating the random primes.
-<p>
-The self-signed certificates are then distributed to the peers via scp
-and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev1/self-signed/evaltest.dat b/testing/tests/ikev1/self-signed/evaltest.dat
deleted file mode 100644
index f190d7066..000000000
--- a/testing/tests/ikev1/self-signed/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
-moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index f6859b8a4..000000000
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=selfCert.der
-	leftsendcert=never
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=peerCert.der
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 167d743df..000000000
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA myKey.der
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 13ad3063f..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f14352bf8..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn carol
-	left=PH_IP_MOON
-	leftcert=moonCert.der
-	leftid=@moon.strongswan.org
-	leftsendcert=never
-	leftfirewall=yes
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightcert=carolCert.der
-	auto=add
-
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index b9ec17dbc..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf
deleted file mode 100644
index b84f3e131..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf
+++ /dev/null
@@ -1,6 +0,0 @@
---debug-control
---keylength 2032
---days 1460
---subjectAltName dns=moon.strongswan.org
---out pkcs1=moonKey.der
---out cert-self=moonCert.der 
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/self-signed/posttest.dat b/testing/tests/ikev1/self-signed/posttest.dat
deleted file mode 100644
index 8cada5e7e..000000000
--- a/testing/tests/ikev1/self-signed/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/self-signed/pretest.dat b/testing/tests/ikev1/self-signed/pretest.dat
deleted file mode 100644
index a7cddf677..000000000
--- a/testing/tests/ikev1/self-signed/pretest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec scepclient --out pkcs1 --out cert-self
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/scepclient.conf
-moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
-moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der
-moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/self-signed/test.conf b/testing/tests/ikev1/self-signed/test.conf
deleted file mode 100644
index 0baa48d90..000000000
--- a/testing/tests/ikev1/self-signed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/starter-also-loop/description.txt b/testing/tests/ikev1/starter-also-loop/description.txt
deleted file mode 100644
index 7451f4e12..000000000
--- a/testing/tests/ikev1/starter-also-loop/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
-uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
-the connections in a modular form. A closed also loop created by including
-<b>conn host-host</b> in <b>conn moon</b> is successfully detected.
diff --git a/testing/tests/ikev1/starter-also-loop/evaltest.dat b/testing/tests/ikev1/starter-also-loop/evaltest.dat
deleted file mode 100644
index 161772f8e..000000000
--- a/testing/tests/ikev1/starter-also-loop/evaltest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::cat /var/log/auth.log::detected also loop::YES
-moon::cat /var/log/auth.log::errors in config::YES
-
diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index af2fcc5dc..000000000
--- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net
-	also=host-host
-	also=moon-net
-	also=sun-net
-        
-conn host-host
-	also=moon
-	also=sun
-	auto=add
-
-conn rw
-	right=%any
-	also=moon
-	also=moon-net
-	auto=add
-
-conn moon
-	left=PH_IP_MOON
-        leftcert=moonCert.pem
-        leftid=@moon.strongswan.org
-        leftfirewall=yes
-	also=host-host
-
-conn moon-net
-	leftsubnet=10.1.0.0/16
-
-conn sun
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-
-conn sun-net
-	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev1/starter-also-loop/posttest.dat b/testing/tests/ikev1/starter-also-loop/posttest.dat
deleted file mode 100644
index e69de29bb..000000000
--- a/testing/tests/ikev1/starter-also-loop/posttest.dat
+++ /dev/null
diff --git a/testing/tests/ikev1/starter-also-loop/pretest.dat b/testing/tests/ikev1/starter-also-loop/pretest.dat
deleted file mode 100644
index b135b12c3..000000000
--- a/testing/tests/ikev1/starter-also-loop/pretest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec start --debug-all
-moon::sleep 1
diff --git a/testing/tests/ikev1/starter-also-loop/test.conf b/testing/tests/ikev1/starter-also-loop/test.conf
deleted file mode 100644
index e7735308f..000000000
--- a/testing/tests/ikev1/starter-also-loop/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon"
diff --git a/testing/tests/ikev1/starter-also/description.txt b/testing/tests/ikev1/starter-also/description.txt
deleted file mode 100644
index 3d4ff7dbf..000000000
--- a/testing/tests/ikev1/starter-also/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
-uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
-the connections in a modular form.
diff --git a/testing/tests/ikev1/starter-also/evaltest.dat b/testing/tests/ikev1/starter-also/evaltest.dat
deleted file mode 100644
index c7657801e..000000000
--- a/testing/tests/ikev1/starter-also/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 2bd4985ca..000000000
--- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net
-	also=host-host
-	also=moon-net
-	also=sun-net
-        
-conn host-host
-	also=moon
-	also=sun
-	auto=add
-
-conn rw
-	right=%any
-	also=moon
-	also=moon-net
-	auto=add
-
-conn moon
-	left=PH_IP_MOON
-        leftcert=moonCert.pem
-        leftid=@moon.strongswan.org
-        leftfirewall=yes
-
-conn moon-net
-	leftsubnet=10.1.0.0/16
-
-conn sun
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-
-conn sun-net
-	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev1/starter-also/posttest.dat b/testing/tests/ikev1/starter-also/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/starter-also/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/starter-also/pretest.dat b/testing/tests/ikev1/starter-also/pretest.dat
deleted file mode 100644
index c7b4f43be..000000000
--- a/testing/tests/ikev1/starter-also/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start --debug-all
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/starter-also/test.conf b/testing/tests/ikev1/starter-also/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/starter-also/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/starter-includes/description.txt b/testing/tests/ikev1/starter-includes/description.txt
deleted file mode 100644
index 6a05c0cca..000000000
--- a/testing/tests/ikev1/starter-includes/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-This test is based on the <a href="../mode-config">mode-config</a>
-scenario and demonstrates the multiple use of the <b>include</b>
-parameter in IPsec configuration files. At the top level <b>/etc/ipsec.conf</b>
-defines the config setup section and includes <b>/etc/ipsec.connections</b>
-which in turn includes <b>/etc/ipsec.host</b> and <b>/etc/ipsec.peers/*</b>
-thereby showing the use of wildcards in path definitions.
diff --git a/testing/tests/ikev1/starter-includes/evaltest.dat b/testing/tests/ikev1/starter-includes/evaltest.dat
deleted file mode 100644
index 7de32d681..000000000
--- a/testing/tests/ikev1/starter-includes/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9c75434c2..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 726998e19..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 4e7bfc1b4..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-include /etc/ipsec.connections
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
deleted file mode 100644
index bd47f9e09..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/ipsec.connections - connection definitions 
-
-conn %default
-        ikelifetime=60m
-        keylife=20m
-        rekeymargin=3m
-        keyingtries=1
-	keyexchange=ikev1
-
-include /etc/ipsec.host
-
-include /etc/ipsec.peers/*
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host
deleted file mode 100755
index acf753cc0..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/ipsec.host - my host configuration
-
-conn %default
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
deleted file mode 100644
index 84bedfef6..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.peers/ipsec.carol - connection from carol 
-
-conn rw-carol
-	right=%any
-	rightid=carol@strongswan.org
-	rightsourceip=PH_IP_CAROL1
-	auto=add
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
deleted file mode 100644
index ee021c9be..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.peers/ipsec.dave - connection from dave
-
-conn rw-dave
-	right=%any
-	rightid=dave@strongswan.org
-	rightsourceip=PH_IP_DAVE1
-	auto=add
-
diff --git a/testing/tests/ikev1/starter-includes/posttest.dat b/testing/tests/ikev1/starter-includes/posttest.dat
deleted file mode 100644
index ebf7525ef..000000000
--- a/testing/tests/ikev1/starter-includes/posttest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
-moon::rm /etc/ipsec.connections /etc/ipsec.host
-moon::rm -r /etc/ipsec.peers
diff --git a/testing/tests/ikev1/starter-includes/pretest.dat b/testing/tests/ikev1/starter-includes/pretest.dat
deleted file mode 100644
index b034a0c03..000000000
--- a/testing/tests/ikev1/starter-includes/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/*
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start --debug-all
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/starter-includes/test.conf b/testing/tests/ikev1/starter-includes/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/starter-includes/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/strong-certs/description.txt b/testing/tests/ikev1/strong-certs/description.txt
deleted file mode 100644
index 8e6e8b4f9..000000000
--- a/testing/tests/ikev1/strong-certs/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-This is a remote-access scenario with two roadwarriors <b>carol</b> and <b>dave</b>
-setting up a connection each to the VPN gateway <b>moon</b>. Authentication is
-based on strong X.509 certificates with SHA-2 signatures.
-The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in
-its signature whereas the certificates of the roadwarriors <b>carol</b>
-and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
diff --git a/testing/tests/ikev1/strong-certs/evaltest.dat b/testing/tests/ikev1/strong-certs/evaltest.dat
deleted file mode 100644
index 2fe4de76f..000000000
--- a/testing/tests/ikev1/strong-certs/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 2a1dad5c6..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert-sha384.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
deleted file mode 100644
index 929f737c8..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z
-ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv
-7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0
-DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS
-hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9
-xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO
-ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw
-CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD
-BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS
-c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3
-YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw
-/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk
-4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU
-BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf
-5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc
-hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N
-6oXDLZM=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 1c59bcfe5..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv7otSsjbH
-4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0DvtT6CWn
-nxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoShLjwuqq2
-eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9xAh32ywd
-10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkOZLZYzBqJ
-RpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABAoIBAQCMhpbjwXWLLd5r
-A18DYDv5PPXpvCdCMfG9swPNMnfnVUQrbpCmPn3iEX2/uShrEaapKXNclf1yY1bL
-xAr43mCmK0lcu9fX+A2vLyOjCrbm8IIcwRDt5NTWd3+6D6xSierBM8TE480PdW9s
-5v7WzRMLvkWjHIkekrsMNYozTWzRC6MgO99hzalWzKSeHHxlieoG7sN8KQ0hmwO+
-lMR6XDwrEnENbDbX//rbPjD4gdkqwAzCyf2IMNAHefAJUrjll2t1aQNknGwpDaAS
-g8Il7iAwIxoP2SrJ89K4Wq4Ifq+tLeX1sjwF0IESi41xNZZ/CrLiJbIPZSyBVRvx
-wwzObUPBAoGBAO6Gu2QaUoIZWpIL5TcAbQIGUx4FPKy2FbKWnU6VL9fmw8DGqKC0
-WX/CCSBmYHQyvlozutX4g8PI6YfgbbuPpgt/yJeLO+33PZK2Cps0//0EmEIvZ7ZM
-kOV+PRNuDIlKQNCaD8LdAcp0KSUc8vo3BAYArrjd1WZze85tqgAHmKR/AoGBAMWZ
-YkyQwBE0+W9P5gmGwuc+q2T3SjpGXjtzyo63K6ra892u49xIklfvNZ3PlgNbTSCo
-tTZLfwRu2uRhh2C8ZsjwfdpMAdT0BNCqEXtdp8JBJiNmrvY17NrSJnMginvu26qM
-QbsaF2Q1BV7OMZHvjgYrCqgokUGcJY6A0OlftjixAoGBALa3mPbOvyOP/nRgDl86
-wUZKyAL4Kgl3llluzOP0nmi6Cnwy8dvhK6oVXl5mbj603GJGvDnKnE0vK819WzHR
-kXW/lk6YRvk8avtm3esVB3+vtF8G52CbeGeEc47dv1av/cSOL8KrAAMxRo96hJqt
-6DQc87sDm8RWdKGmGhLZvtFLAoGAA+bJaBWblTtkiWwccKe2hXZZT/8J+iiVh7r7
-juHS/Oah1giz+w97xDy25EzK+3n8Bd8O5OmMsnu12riKQcC2jtUgxwSlLJ080xno
-inUI8O70X9KRNc9Ow+tOUwubcGMA91cZnSYgvBvH5V1Q4T7HoRuMdFGIvLDmlO+6
-MEFxiaECgYEAw7GqJYl2q6be56WANWA9ecNenr4+ekHZImpK0vb1bYD2LinfFNNK
-9jOHK2tK2jV3DgfUEieItz/uWV3iCJkIfErwu3ZS9qnDBu70OHGpsM1nXRUzZ0Ct
-5vOlBr5h6DMrP+ou/95yeraoibqs2kTUrAdkC80Yk5nbEHFDiD6cJcw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63b..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index e10e9d45c..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert-sha512.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
deleted file mode 100644
index fc769c1c9..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01
-MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf
-5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb
-h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr
-Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt
-aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP
-iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb
-7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF
-OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo
-KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM
-GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7
-LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U
-KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT
-iKMh
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 900f73bac..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEArOUgQs1dyLP8OwiM3wV0Rr+rl8Mg4r0V12LHM3kkX+ZsP7JU
-VQBLTW1/K0PAViyKoiTwiw3pOTg5KiiPoQK2VaSajM2cqpdk3qLK7Z6JG4f8gPBF
-rRK9IyCNkcUNMW/K9uYfg8AaLADNeQdawgDJiTo2xDDARpgG+8uzdCvJ62fEXLcK
-0XQhlXIPn/ixa5JRdbQS7NMxiKybJNXgdF26wfnxD2q/S5p/v6tkBxjwrWjpUdmc
-UbI6rGCVvciPK99z1VZtmhpkv9fVILhBvBQt6MLndG6B3z/dfzb0iFn4T4iLgz4y
-TgTxCfyOjmI2F10LjmWMBRmrtlq6TQ0IqD4HnQIDAQABAoIBAG0+sa3EGdgxcdTT
-SD+7MIdroL7Z+rOKCnz32yp5BzTZYdi1k3fKIcqgv1PVEXjh2A8wDBWxCoavMd+j
-lW2FSzS+NzF00eMwmfnbHyIZpESTHkdSipQbXQsPDKTov7dXDgYHzi3vehoHv80T
-ipM+8BkXgXdh3nw8n10GjzN+X62v73pQxXooC2JrsxKPubB9NkX8UtcYddrmMQpr
-xOixBsk3VwkIh+3CatBPKJH/Ryk/U9rMU7F7KlAi+xHj3UF3iAvUwYVaJWAeWfci
-KP07cFxsar8Vgf2IK+sbZP6LPky1oiYq+VkIrgX6UPtyyrS60Bf7OFIy5I0Hmm8K
-b0rChbkCgYEA2B1IVtBmNBt/rCwqWgRLf4vW86JGgKAOx15hucPdA1NAHygNLdZC
-bcM6OkP1PEp1mpA0mDgYQQdggzsWKYuJjtf8MN9sZwi6SrRI2Y3OCy7SFLsyDNkz
-xkWo6b5/WGH+cEzVRVkD0RU97xjXudXzcwm1PA5goRcGNg1zdvOi0XsCgYEAzM3d
-tbq3txVh5EK3IeCsvtQGY4IFADdjaC2wgTeOlHo/nGoCB8TuFMN32MHqlmAdspJQ
-PojDKVZhhOknJQpBI1iYVYTJTIwtJM5CeY5gwhnrPVru4LJaa8zXTJdIeZ++nJFR
-Dawt5rsJ+f2yTzQWPm2Ywbril8KBVwqD4V9uQ8cCgYBk/foqJ6U7QIZ/TPxVqKAn
-cI/4tqK/xQxi+qYsi20i+qqCZNMT0oakiJETXWKi1CD1I+KQJ9advPbLHLeUnpKf
-4CsII8CivZ9g/bL1h6D79NtTuM8A1het1ivDX7Re9xxSGnWnvJtd/9E7hJ57R5JG
-9ghtkkJxxTKv28VTlzNFNQKBgDuQ4Jv7a3V3ZZpTARp8UyHJXvZQGY4/jcz+BOkA
-NJrgl2Gxv1dtImWtmEzV0Znc6KZIQch+VGzQb9qNSVJPkjRqjxvIXBfEaVjcGJ9s
-Fp49lZqpuPJnTT8vO6tOEMk2+eRlq3JTkqIZ4kPwUo0QtCuCCrzF0yOaca3UJBlH
-fTV/AoGAElXK1jYXzxJLTik9TW3Jl9w45GP572HAYVBc+gpCtvxVvr9V8qsiDST2
-hovbkEcG6o+rCAgHnzdCxpK0Avnb8yyu4yvBGTWowoBqF9Nyv2aZts83gRxEapZC
-Mc8u9QuIB0QCea13jgWWkkMLr9lt7kmVjR+Nch4lcF4RVqagEEE=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 9031f323a..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 98d9a8749..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert-sha224.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
deleted file mode 100644
index bda4f528e..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
-MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI
-7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj
-hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw
-P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3
-N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l
-KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc
-WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
-Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
-Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB
-DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs
-pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5
-NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL
-Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC
-JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6
-NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 51a33597e..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAxD2FtbZnG5IDTHJzh1wCh5YC9pO69fq1Vif/DRfbyOzKUPKq
-Jhz1dxtNAmEkLAg4AVbyu9aWrIs/nbGHRwGNvIoW9pv5bGkqrsLG9BXsY4SYqmqI
-XCyZNDI0w1HQK4eonXbwwGDA5HwKTOPU2lzcXc9LH31eSjiB9Ia0HtMLMD9qf0h0
-wEzYd3m0y6/GO3TCnnMRaykLMGXPne4LyH7WV0b47FKa3O+3Q1ERgcj8Nzfv9t3I
-bg1zTWsTMpVkIZok1J3vLSMoNL7bq93aOQ6tSKkCqr8UnwY0S+mSVNP+pSroQoVd
-HElXdh9s86L7pHuV8x81LKBEll1mCvaiBI9h0QIDAQABAoIBAEnZeTMb9ItslG81
-dwKOfqk1q+HNUIN3GLzWimYL/3sKmUyDNcLoDPwIux9VHT6wzRq79Nb5d3RxZrxa
-bbUsAYHdWazun5vLq/Nee26pvW7qHGWtd6lwYytAZZjHdhabk7nGY+2Ru6WAhIPR
-DW4rmgZ3lya/kDdQMp+p/ajH9SLvYdo8rc3e2a5pJJitR3iU9rFO8PRSD6is7ldr
-FxYDMWv+Latkscpku4fww8X6XlHo3u7usogs5FHjNePeJjNkzdj5X958OmzxN4JJ
-jKheFALXJuMYY/9MLWaygkZgWuD1yr8chBtH+kxJLqbv9/pBaQqehEDfGOgfPnQi
-OxccUS0CgYEA4VL/hsJvhziqd+MHryrYvPQgHZJf+ksMpRelD/zEJRjAGnyT2hDQ
-R1H9jKP689E6lhCire9ag79rkF4lOvVWpM4f1XOPwX9Oap93dRn5PZLCMKfmnuo7
-RSC3qsGRdzIB0j0e9XQXW3tzoSVJtASd0X7qMTujaWQef7hNPW/To9MCgYEA3vTk
-YQGARsJIjvF1xu7ut1NC1GyQbvDShylmrOBPTBRgzIEjWnifDH79BAXr9yTigqR/
-qHZhWC0bPPY2x6iFi4dTa30vNGqP61GU4HouQDZ/Lf7TXL7pTHRSihL3x9f2nIu+
-nyEhfrYomt0M960OHS5izXP/27vXItLTazshMUsCgYEAn3lOwOH8bYf9nrxgQ+nf
-XFysHkHrDArx+Caz/Iy5hkfuLtDdFAmyX8f33AJzKv16qZs8iD5Poc9pIdSAJSpf
-GGWKwlf39stThMM4mPi5HoswRZ+P6gl9yX9OftxhSCtsfpAjyTVREr5dKEBr2a0q
-xYs91XqQPZdOvraCdGkhMWECgYEAiQFTlYimmtSoYa5fAW+xoVW4q3BLEOFLfWMj
-hPgRwl6DXSe94cpdcgBW2jIJXkV8K2uKRqr4BocxRbTG1MnpxmPSDytN5pfU+HWZ
-Vpe99BeI72q31zY5hpG0ZsRhHpzHHkuBR6fEPWkSapeLcGcXVTc736R4hT5YZT3I
-TQx4ySECgYEArIxFy2zEbQH8znJoRwshSSanGovSCRxpoP+j5WHlccMQAjDhoFMg
-KLCXbbnNyM4qlvwHG4Z27Fgexvk5dPHYnQlW9A4YP4o6SFf6RnxW1ZdR/Kc4aY/6
-rXxt+Q0rf4qRKbTh90yDnc2YQj11g9BgvFliIM2GOTq8NUtjQVRgNm4=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/posttest.dat b/testing/tests/ikev1/strong-certs/posttest.dat
deleted file mode 100644
index fc0fbeb38..000000000
--- a/testing/tests/ikev1/strong-certs/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/private/*
-dave::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/strong-certs/pretest.dat b/testing/tests/ikev1/strong-certs/pretest.dat
deleted file mode 100644
index de51ccdfa..000000000
--- a/testing/tests/ikev1/strong-certs/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1 
diff --git a/testing/tests/ikev1/strong-certs/test.conf b/testing/tests/ikev1/strong-certs/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/ikev1/strong-certs/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/virtual-ip-swapped/description.txt b/testing/tests/ikev1/virtual-ip-swapped/description.txt
deleted file mode 100644
index 230906c5d..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Same scenario as test <a href="../virtual-ip/"><b>virtual-ip</b></a> but with
-swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat b/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat
deleted file mode 100644
index 23e109838..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4dfa345f4..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	right=PH_IP_CAROL
-	rightsourceip=PH_IP_CAROL1
-	rightcert=carolCert.pem
-	rightid=carol@strongswan.org
-	rightfirewall=yes
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b65d7a690..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw
-	right=PH_IP_MOON
-	rightsourceip=PH_IP_MOON1
-	rightcert=moonCert.pem
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightfirewall=yes
-	leftsubnetwithin=10.3.0.0/16
-	left=%any
-	auto=add
diff --git a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat b/testing/tests/ikev1/virtual-ip-swapped/posttest.dat
deleted file mode 100644
index 2116e86e0..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
diff --git a/testing/tests/ikev1/virtual-ip-swapped/pretest.dat b/testing/tests/ikev1/virtual-ip-swapped/pretest.dat
deleted file mode 100644
index 4fe0ee90b..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/virtual-ip-swapped/test.conf b/testing/tests/ikev1/virtual-ip-swapped/test.conf
deleted file mode 100644
index f106524e2..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/virtual-ip/description.txt b/testing/tests/ikev1/virtual-ip/description.txt
index 4ec6021ea..c16b70b70 100644
--- a/testing/tests/ikev1/virtual-ip/description.txt
+++ b/testing/tests/ikev1/virtual-ip/description.txt
@@ -1,8 +1,14 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. Both <b>carol</b>
-and <b>moon</b> define a static virtual IP using the <b>leftsourceip</b> parameter.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b>
-behind the gateway <b>moon</b> as well as the inner interface of the gateway. The source IP
-of the two pings will be the virtual IP <b>carol1</b>. Also thanks to its virtual IP <b>moon1</b>
-the gateway <b>moon</b> is able to ping <b>carol1</b> by using the existing subnet-subnet IPsec
-tunnel.
+The roadwarriors <b>carol</b> and <b>dave</b> both set up a connection to gateway <b>moon</b>.
+The roadwarriors each unilaterally define a static virtual IP using the <b>leftsourceip</b>
+parameter. In order to detect potential address conflicts, the roadwarriors send
+their virtual IPs embedded in an IKEv1 Mode Config payload to <b>moon</b> for verification.
+In our scenario <b>moon</b> accepts the address choices thus allowing <b>carol</b> and
+<b>dave</b> to install their respective virtual IP addresses.
+<p>
+In order to test the tunnels both <b>carol</b> and <b>dave</b> ping the client <b>alice</b>
+behind the gateway <b>moon</b> as well as the inner interface of the gateway.
+The latter ping requires access to the gateway itself which is granted by the
+directive <b>lefthostaccess=yes</b>. The source IP of the two pings will be the virtual
+IP addresses <b>carol1</b> and <b>dave1</b>, respectively. Also thanks to the automatically
+configured source route entries, <b>moon</b> is able to ping both roadwarriors by using the
+established net-net IPsec tunnels.
diff --git a/testing/tests/ikev1/virtual-ip/evaltest.dat b/testing/tests/ikev1/virtual-ip/evaltest.dat
index 23e109838..0f5df71d7 100644
--- a/testing/tests/ikev1/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev1/virtual-ip/evaltest.dat
@@ -1,9 +1,31 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::src PH_IP_CAROL1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::src PH_IP_DAVE1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
index e0ef16930..862f43606 100755..100644
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -23,7 +19,3 @@ conn home
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..5ba2b347a
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=PH_IP_DAVE1
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index 63a8c92b5..4f3fd61f8 100755..100644
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -15,11 +11,11 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
-	rightsubnetwithin=10.3.0.0/16
+	lefthostaccess=yes
 	right=%any
+	rightsourceip=%config
 	auto=add
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1/virtual-ip/posttest.dat
index 2116e86e0..1865a1c60 100644
--- a/testing/tests/ikev1/virtual-ip/posttest.dat
+++ b/testing/tests/ikev1/virtual-ip/posttest.dat
@@ -1,5 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat
index 0b2ae8d2b..1765a83cd 100644
--- a/testing/tests/ikev1/virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
+dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::sleep 1 
 carol::ipsec up home
-carol::sleep 1
+dave::ipsec up home
diff --git a/testing/tests/ikev1/virtual-ip/test.conf b/testing/tests/ikev1/virtual-ip/test.conf
index f106524e2..164b07ff9 100644
--- a/testing/tests/ikev1/virtual-ip/test.conf
+++ b/testing/tests/ikev1/virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/wildcards/description.txt b/testing/tests/ikev1/wildcards/description.txt
deleted file mode 100644
index e485f7066..000000000
--- a/testing/tests/ikev1/wildcards/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of wildcard parameters that must match the subject
-<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to
-<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b>
-can only be reached with a DN containing OU=Accounting. The roadwarriors
-<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting',
-respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
-can reach <b>venus</b>.
diff --git a/testing/tests/ikev1/wildcards/evaltest.dat b/testing/tests/ikev1/wildcards/evaltest.dat
deleted file mode 100644
index cbc94b75a..000000000
--- a/testing/tests/ikev1/wildcards/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf93bb231..000000000
--- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 5f04445d2..000000000
--- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 39b031551..000000000
--- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
-	auto=add
-
-conn venus
-	leftsubnet=PH_IP_VENUS/32
-	right=%any
-	rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
-	auto=add
diff --git a/testing/tests/ikev1/wildcards/posttest.dat b/testing/tests/ikev1/wildcards/posttest.dat
deleted file mode 100644
index ed530f6d9..000000000
--- a/testing/tests/ikev1/wildcards/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
diff --git a/testing/tests/ikev1/wildcards/pretest.dat b/testing/tests/ikev1/wildcards/pretest.dat
deleted file mode 100644
index 67c50c2ef..000000000
--- a/testing/tests/ikev1/wildcards/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/wildcards/test.conf b/testing/tests/ikev1/wildcards/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/wildcards/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/wlan/description.txt b/testing/tests/ikev1/wlan/description.txt
deleted file mode 100644
index e018148bd..000000000
--- a/testing/tests/ikev1/wlan/description.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic
-by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is
-<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network
-is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from
-<b>alice</b> to <b>venus</b> tunneled  via <b>moon</b> and to both the internal
-and external interface of gateway <b>moon</b>. Access to the gateway is
-set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>.
-At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router.
-<p>
-The host system controls the UML instances <b>alice</b> and <b>carol</b> via
-ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up 
-the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel
-to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted
-to the ssh port is statically set up by <b>conn system</b>.
-
diff --git a/testing/tests/ikev1/wlan/evaltest.dat b/testing/tests/ikev1/wlan/evaltest.dat
deleted file mode 100644
index 079ac4429..000000000
--- a/testing/tests/ikev1/wlan/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-moon::tcpdump::ESP::YES
-sun::tcpdump::ICMP::YES
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 86a76e2db..000000000
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow esp
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index e3cf9b15d..000000000
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn system
-	left=PH_IP_ALICE
-	leftprotoport=tcp/ssh
-	authby=never
-	type=passthrough
-	right=10.1.0.254
-	rightprotoport=tcp
-	auto=route
-
-conn wlan 
-	left=PH_IP_ALICE
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	rightsubnet=0.0.0.0/0
-	auto=add
-
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index e95ef44c6..000000000
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-        # allow crl fetch from winnetou
-	iptables -A INPUT   -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT  -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# enable SNAT
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp  -j SNAT --to-source PH_IP_MOON:2000-2100
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 61ce28e6b..000000000
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-	right=PH_IP_ALICE
-	rightid=alice@strongswan.org
-	also=wlan
-	auto=add
-
-conn venus
-	right=PH_IP_VENUS
-	rightid=@venus.strongswan.org
-	also=wlan
-	auto=add
-
-conn wlan
-        left=PH_IP_MOON1
-	leftsubnet=0.0.0.0/0
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 6f95e7576..000000000
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-				
-				# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index fa2dc953e..000000000
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn system
-	left=PH_IP_VENUS
-	leftprotoport=tcp/ssh
-	authby=never
-	type=passthrough
-	right=10.1.0.254
-	rightprotoport=tcp
-	auto=route
-
-conn wlan 
-	left=PH_IP_VENUS
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	rightsubnet=0.0.0.0/0
-	auto=add
-
diff --git a/testing/tests/ikev1/wlan/posttest.dat b/testing/tests/ikev1/wlan/posttest.dat
deleted file mode 100644
index 6bd2379d8..000000000
--- a/testing/tests/ikev1/wlan/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables -t nat -v -n -L POSTROUTING
-moon::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-moon::conntrack -F
diff --git a/testing/tests/ikev1/wlan/pretest.dat b/testing/tests/ikev1/wlan/pretest.dat
deleted file mode 100644
index de4a6ad31..000000000
--- a/testing/tests/ikev1/wlan/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-alice::ipsec start
-venus::ipsec start
-alice::sleep 2 
-alice::ipsec up wlan 
-venus::sleep 2 
-venus::ipsec up wlan
-venus::sleep 2
diff --git a/testing/tests/ikev1/wlan/test.conf b/testing/tests/ikev1/wlan/test.conf
deleted file mode 100644
index b141c4f1b..000000000
--- a/testing/tests/ikev1/wlan/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon:eth1 sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus moon"
diff --git a/testing/tests/ikev1/xauth-id-psk-config/description.txt b/testing/tests/ikev1/xauth-id-psk-config/description.txt
new file mode 100644
index 000000000..fc417e416
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Pre-Shared Keys (<b>PSK</b>)
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
+<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%config</b>
+parameter. The virtual IP addresses are registered under the users' XAUTH identity. 
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
new file mode 100644
index 000000000..cd4ebd8ec
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
@@ -0,0 +1,24 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f557eb961
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftid=PH_IP_CAROL
+	leftsourceip=%config
+	leftauth=psk
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=psk
+	xauth_identity=carol
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..e2cea4e3d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,9 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
+
+@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+@sun.strongswan.org :  PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
+
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1fb5d14b1
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..ea707b50b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftid=PH_IP_DAVE
+	leftsourceip=%config
+	leftauth=psk
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=psk
+	xauth_identity=dave
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
index 25e8c2796..25e8c2796 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1fb5d14b1
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..8b3524219
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftauth=psk
+	leftfirewall=yes
+	right=%any
+	rightsourceip=10.3.0.0/24
+	rightauth=psk
+	rightauth2=xauth
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
index 20d8e0269..20d8e0269 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..422538cec
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown
+  dns1 = 192.168.0.150
+  dns2 = 10.1.0.20
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
new file mode 100644
index 000000000..88a91ae86
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk-config/test.conf b/testing/tests/ikev1/xauth-id-psk-config/test.conf
new file mode 100644
index 000000000..9b1ec0b54
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
deleted file mode 100644
index 191011747..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on Pre-Shared Keys (<b>PSK</b>)
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%modeconfig</b>
-parameter. The virtual IP addresses are registered under the users' XAUTH identity. 
-<p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
deleted file mode 100644
index 4552cfe61..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::ipsec leases rw 10.3.0.1::carol::YES
-moon::ipsec leases rw 10.3.0.2::dave::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b7402d24b..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftsourceip=%modeconfig
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	xauth_identity=carol
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index e5adf3e8e..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
-
-carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol@strongswan.org @sun.strongswan.org :  PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
-
-carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e3f377d18..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8f9226dd1..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftsourceip=%modeconfig
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	xauth_identity=dave
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index e3f377d18..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 452187f11..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	rightsourceip=10.3.0.0/24
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 089467da4..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink
-  dns1 = 192.168.0.150
-  dns2 = 10.1.0.20
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
deleted file mode 100644
index f90d222b5..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
deleted file mode 100644
index 95a6be131..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
deleted file mode 100644
index 75510b295..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk/description.txt b/testing/tests/ikev1/xauth-id-psk/description.txt
deleted file mode 100644
index 0ac2043c2..000000000
--- a/testing/tests/ikev1/xauth-id-psk/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on Pre-Shared Keys (<b>PSK</b>)
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords.
-<p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-psk/evaltest.dat b/testing/tests/ikev1/xauth-id-psk/evaltest.dat
deleted file mode 100644
index b019f8d76..000000000
--- a/testing/tests/ikev1/xauth-id-psk/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index da1a10513..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	xauth_identity=carol
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 7a272a371..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c9eb0bc97..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 3a4b75af6..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_DAVE
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	xauth_identity=dave
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 25e8c2796..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c9eb0bc97..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 850ea561b..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 3f86fa594..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol : XAUTH "4iChxLT3"
-
-dave  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index c9eb0bc97..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk/posttest.dat b/testing/tests/ikev1/xauth-id-psk/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev1/xauth-id-psk/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk/pretest.dat b/testing/tests/ikev1/xauth-id-psk/pretest.dat
deleted file mode 100644
index 95a6be131..000000000
--- a/testing/tests/ikev1/xauth-id-psk/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk/test.conf b/testing/tests/ikev1/xauth-id-psk/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/ikev1/xauth-id-psk/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
new file mode 100644
index 000000000..90209c266
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>
+using <b>IKEv1 Aggressive Mode</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
new file mode 100644
index 000000000..34c124c95
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..09308efad
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	aggressive=yes
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	xauth_identity=carol
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets
index 29492b5f9..29492b5f9 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..8cc9f68dc
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	aggressive=yes
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	xauth_identity=dave
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets
index 8cf7db530..8cf7db530 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2a27145c8
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	aggressive=yes
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightauth2=xauth
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..bd9b0dbfb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : XAUTH "4iChxLT3"
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
new file mode 100644
index 000000000..e5a06d44c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/description.txt b/testing/tests/ikev1/xauth-id-rsa-config/description.txt
new file mode 100644
index 000000000..feb154d49
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+Next both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config
+protocol by using the <b>leftsourceip=%config</b> parameter.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
new file mode 100644
index 000000000..7604a1527
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..ddb043278
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	xauth_identity=carol
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..29492b5f9
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..69950dc6d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	xauth_identity=dave
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..8cf7db530
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
+
+dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..d9fcc27c4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightauth2=xauth
+	auto=add
+
+conn rw-carol
+	rightid=carol@strongswan.org
+	rightsourceip=PH_IP_CAROL1
+
+conn rw-dave
+ 	rightid=dave@strongswan.org
+ 	rightsourceip=PH_IP_DAVE1
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
index fef50218a..fef50218a 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
new file mode 100644
index 000000000..e5a06d44c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/test.conf b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
new file mode 100644
index 000000000..88351ffda
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>
+using <b>IKEv1 Hybrid Mode</b>.
+The authentication of <b>moon</b> is based on an RSA signature combined with a X.509 certificate,
+followed by an extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
new file mode 100644
index 000000000..34c124c95
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e12cefa65
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	xauth_identity=carol
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..cf2178e9b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..03b29f6c9
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	xauth_identity=dave
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..19d918630
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..d76dec16d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=xauth
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..bd9b0dbfb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : XAUTH "4iChxLT3"
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
new file mode 100644
index 000000000..e5a06d44c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa/description.txt b/testing/tests/ikev1/xauth-id-rsa/description.txt
deleted file mode 100644
index 9483c8f39..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
-respectively) and corresponding user passwords defined and stored in ipsec.secrets.
-<p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
deleted file mode 100644
index b019f8d76..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index be62c2b8f..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	xauth_identity=carol
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index c09fb3c2c..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	xauth_identity=dave
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 251041443..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-rsa/posttest.dat b/testing/tests/ikev1/xauth-id-rsa/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa/pretest.dat b/testing/tests/ikev1/xauth-id-rsa/pretest.dat
deleted file mode 100644
index 78e2d57f8..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa/test.conf b/testing/tests/ikev1/xauth-id-rsa/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat
index 786043065..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
@@ -1,13 +1,15 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index 1c7d7002e..a6bba5b04 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,13 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
 
 conn home
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
+	leftauth=psk
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=psk
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index c9eb0bc97..61260f891 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index 782c160c9..5b80edb9f 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,13 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
 
 conn home
 	left=PH_IP_DAVE
 	leftid=dave@strongswan.org
 	leftfirewall=yes
+	leftauth=psk
+	leftauth2=xauth
 	right=PH_IP_MOON
-	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=psk
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index c9eb0bc97..61260f891 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index 595e6588c..7e79c11f8 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,13 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
-	xauth=server
 
 conn rw
 	left=PH_IP_MOON
-	leftid=moon.strongswan.org
+	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftauth=psk
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
+	rightauth2=xauth
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index c9eb0bc97..61260f891 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-psk/posttest.dat
+++ b/testing/tests/ikev1/xauth-psk/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
index 95a6be131..88a91ae86 100644
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-psk/test.conf
+++ b/testing/tests/ikev1/xauth-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
new file mode 100644
index 000000000..a586a14cb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name
+equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password
+defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> starts
+an EAP-RADIUS connection with AAA server <b>alice</b> and uses <b>carol</b>'s 
+forwarded XAUTH user credentials for an EAP-MD5 based client authentication with
+<b>alice</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
new file mode 100644
index 000000000..d568273d1
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..2fdd60f00
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets
index 4a77c3b97..4a77c3b97 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5701b7a82
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightauth2=xauth-eap
+	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e2e2164ae
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
new file mode 100644
index 000000000..181949fb5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
new file mode 100644
index 000000000..9adc43d3e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
new file mode 100644
index 000000000..eb1e15dd2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt
deleted file mode 100644
index 98d85f30b..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
-certificates followed by extended authentication (<b>XAUTH</b>) based
-on user name and password. Because user <b>carol</b> presents a wrong
-XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted.
diff --git a/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat b/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat
deleted file mode 100644
index 0bcef388d..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication failed::YES
-moon::cat /var/log/auth.log::extended authentication failed::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 186d8e121..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 13e6e0656..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol@strongswan.org : XAUTH "4iChxLT8" 
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 251041443..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2586f5f39..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-fail/posttest.dat b/testing/tests/ikev1/xauth-rsa-fail/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat
deleted file mode 100644
index 4ac57ab16..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-fail/test.conf b/testing/tests/ikev1/xauth-rsa-fail/test.conf
deleted file mode 100644
index 5442565f8..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/description.txt b/testing/tests/ikev1/xauth-rsa-mode-config/description.txt
deleted file mode 100644
index aa2b31542..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords. Next both <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the
-<b>leftsourceip=%modeconfig</b> parameter.
-<p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat
deleted file mode 100644
index 15dd054a0..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
-moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ca2df4b28..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 079c6b0d5..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 1c0248b84..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
-
-dave@strongswan.org : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0a65acb5d..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
-
-conn rw-carol
-	rightid=carol@strongswan.org
-	rightsourceip=PH_IP_CAROL1
-
-conn rw-dave
-	rightid=dave@strongswan.org
-	rightsourceip=PH_IP_DAVE1
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 1ba66971a..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : XAUTH "4iChxLT3"
-
-dave@strongswan.org  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
deleted file mode 100644
index f90d222b5..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat
deleted file mode 100644
index 78e2d57f8..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/test.conf b/testing/tests/ikev1/xauth-rsa-mode-config/test.conf
deleted file mode 100644
index 75510b295..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
deleted file mode 100644
index a6fe82330..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
-certificates followed by extended authentication (<b>XAUTH</b>) based
-on user name and password. Because user <b>carol</b> cannot find her 
-XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the
-ISAKMP SA is deleted.
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat
deleted file mode 100644
index ddbb3ae2d..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::cat /var/log/auth.log::xauth user credentials not found::YES
-moon::cat /var/log/auth.log::received FAIL status in XAUTH reply::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index fc86bab41..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control controlmore"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index e2709cdf1..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control controlmore"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2586f5f39..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat
deleted file mode 100644
index 89e487ad3..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/test.conf b/testing/tests/ikev1/xauth-rsa-nosecret/test.conf
deleted file mode 100644
index 5442565f8..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/description.txt b/testing/tests/ikev1/xauth-rsa-radius/description.txt
new file mode 100644
index 000000000..fb30d163e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name
+equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password
+defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> verifies
+<b>carol</b>'s XAUTH user credentials using a RADIUS connection with AAA server
+<b>alice</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
new file mode 100644
index 000000000..ee60292a3
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..929b6cd74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,39 @@
+authorize {
+  suffix
+  files
+}
+
+authenticate {
+  pap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..2fdd60f00
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..d66f3fc24
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+
+carol@strongswan.org : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f4ee067d5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightauth2=xauth-radius
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..77266cfa0
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
new file mode 100644
index 000000000..181949fb5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
new file mode 100644
index 000000000..9adc43d3e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-radius/test.conf b/testing/tests/ikev1/xauth-rsa-radius/test.conf
new file mode 100644
index 000000000..b4088e8b4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat
index 786043065..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
@@ -1,13 +1,15 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index 186d8e121..2fdd60f00 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index de1cbb134..5cd9bf11e 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 478e732ae..36f0c581f 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
 
 conn home
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index de1cbb134..5cd9bf11e 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index 251041443..3c6944910 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
 
 conn rw
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
+	rightauth=pubkey
+	rightauth2=xauth
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index de1cbb134..5cd9bf11e 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-rsa/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-rsa/test.conf
+++ b/testing/tests/ikev1/xauth-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat
index 1bb9c105f..427aa74da 100644
--- a/testing/tests/ikev2/after-2038-certs/evaltest.dat
+++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat
@@ -1,6 +1,8 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
index 274521386..1ee751360 100755..100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/after-2038-certs/posttest.dat
+++ b/testing/tests/ikev2/after-2038-certs/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
index 4921d5097..baacc1605 100644
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/after-2038-certs/test.conf
+++ b/testing/tests/ikev2/after-2038-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
index 6f598c6f3..abd29e97e 100644
--- a/testing/tests/ikev2/alg-3des-md5/evaltest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
@@ -1,13 +1,15 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ipsec statusall::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*3DES_CBC/HMAC_MD5_96,::YES
-carol::ipsec statusall::home.*3DES_CBC/HMAC_MD5_96,::YES
-moon::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
 carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon::ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
index f2c71061d..1be5f1d8f 100755..100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
index c4fd80fc0..e961f081d 100755..100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2/alg-3des-md5/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-3des-md5/posttest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
index 0834a8db0..5a14b98d6 100644
--- a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
-carol::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
-moon::ipsec statusall::AES_CCM_12_128,::YES
-carol::ipsec statusall::AES_CCM_12_128,::YES
-moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
+moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
+carol::ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
 carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
index 6bcfbc28d..03707f89f 100755..100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
index db2c09bae..d70d7b989 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
index 1d6f13861..d7ed92f7e 100755..100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
index db2c09bae..d70d7b989 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/alg-aes-ccm/test.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
index 522ce6088..6a5203a2d 100644
--- a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::IKE proposal: AES_CTR_128::YES
-carol::ipsec statusall::IKE proposal: AES_CTR_128::YES
-moon::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
-carol::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
-moon::ip xfrm state::rfc3686(ctr(aes))::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
+moon:: ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
+carol::ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
 carol::ip xfrm state::rfc3686(ctr(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
index 70c482835..3be20c613 100755..100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
index be46d6d3e..e607bbae7 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
index bf103742f..1cf16ee38 100755..100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
index be46d6d3e..e607bbae7 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-ctr/test.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
index 9cd3e8e15..ce27fcc05 100644
--- a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
-carol::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
-moon::ipsec statusall::AES_GCM_16_256,::YES
-carol::ipsec statusall::AES_GCM_16_256,::YES
-moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
+moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
 carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
index e3f19aff8..7a808ff65 100755..100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
index 7fe7619f1..e063e446a 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
index 0d51a3ea8..12a35cb8a 100755..100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
index 7fe7619f1..e063e446a 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 24e36eb77..f11018347 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -1,12 +1,14 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon::ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 33e6a842b..74668e7fb 100755..100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 208477deb..3cda72935 100755..100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
index f1b33895b..f76522c5c 100644
--- a/testing/tests/ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat
@@ -1,14 +1,15 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
-dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
index a78724926..89674b2a1 100755..100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index fed4f5ece..1f0fd41a8 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
index 26f3f3a04..df3242d61 100755..100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index fed4f5ece..1f0fd41a8 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
index 5183e26d2..82804a0fe 100755..100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index fed4f5ece..1f0fd41a8 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/alg-blowfish/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-blowfish/test.conf
+++ b/testing/tests/ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
index 80df206bf..5e4ab98b3 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
@@ -1,13 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES
-dave::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
index 257923d02..84c9c8c7c 100755..100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
index 9b5247973..5402f24f3 100755..100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
index 2b66e3400..84b3d6880 100755..100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev2/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
index 7ec47aadf..6c4e23710 100644
--- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
@@ -1,13 +1,15 @@
-moon::cat /var/log/daemon.log::received strongSwan vendor id::YES
-carol::cat /var/log/daemon.log::received strongSwan vendor id::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
+carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
index 47cf1e12c..0d3b9fd45 100755..100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
index 53061a59b..eacadc544 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
index d340aaf70..b0a5c4616 100755..100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
index 53061a59b..eacadc544 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2/alg-sha256-96/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256-96/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256-96/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat
index 2d1cc92bb..eba856742 100644
--- a/testing/tests/ikev2/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
index d2b763a1b..22d2cd38a 100755..100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
index 0e38bbb84..543374d76 100755..100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2/alg-sha256/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat
index 31bb64c5e..3b24217c5 100644
--- a/testing/tests/ikev2/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha384/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon::ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
index d38b7dfcf..e02d90b78 100755..100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
index ea84cd8a4..990fce1d0 100755..100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha384/posttest.dat
+++ b/testing/tests/ikev2/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha384/pretest.dat
+++ b/testing/tests/ikev2/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat
index e0f5fb7a3..6bdceeb44 100644
--- a/testing/tests/ikev2/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha512/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-carol::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon::ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
index 583522d1b..13ab244bb 100755..100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
index 40fec93c0..e6d410442 100755..100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha512/posttest.dat
+++ b/testing/tests/ikev2/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha512/pretest.dat
+++ b/testing/tests/ikev2/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/any-interface/evaltest.dat b/testing/tests/ikev2/any-interface/evaltest.dat
index f475ba70b..800ae4353 100644
--- a/testing/tests/ikev2/any-interface/evaltest.dat
+++ b/testing/tests/ikev2/any-interface/evaltest.dat
@@ -1,10 +1,17 @@
-moon::cat /var/log/daemon.log::creating acquire job::YES
-bob::cat /var/log/daemon.log::creating acquire job::YES
-moon::ipsec statusall::alice.*INSTALLED, TRANSPORT::YES
-moon::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES
-alice::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES
-sun::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES
-bob::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+bob::  cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*CN=moon.strongswan.org.*CN=alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=moon.strongswan.org.*CN=sun.strongswan.org::YES
+alice::ipsec status 2> /dev/null::remote.*ESTABLISHED.*CN=alice@strongswan.org.*CN=moon.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::remote\[1]: ESTABLISHED.*CN=sun.strongswan.org.*CN=moon.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::remote\[2]: ESTABLISHED.*CN=sun.strongswan.org.*CN=bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=bob@strongswan.org.*CN=sun.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TRANSPORT::YES
+moon:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
+alice::ipsec status 2> /dev/null::remote.*INSTALLED, TRANSPORT::YES
+sun::  ipsec status 2> /dev/null::remote[{]1}.*INSTALLED, TRANSPORT::YES
+sun::  ipsec status 2> /dev/null::remote[{]2}.*INSTALLED, TRANSPORT::YES
+bob::  ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
 alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
index eb7dfe848..4f2c78fd3 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
index 40d029b3e..c232c4332 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
index ab0534331..17fcf0a7a 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
index 71699b08e..fce24ef25 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat
index b8e91194e..0a6ce8be4 100644
--- a/testing/tests/ikev2/any-interface/pretest.dat
+++ b/testing/tests/ikev2/any-interface/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
 alice::ipsec start
diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2/any-interface/test.conf
index 25e5cd872..cc04d45e6 100644
--- a/testing/tests/ikev2/any-interface/test.conf
+++ b/testing/tests/ikev2/any-interface/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon sun bob"
diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat
index 22dd94866..b989a7774 100644
--- a/testing/tests/ikev2/compress/evaltest.dat
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -1,8 +1,10 @@
-moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
-moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
-carol::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::rw.*INSTALLED::YES
-moon::ip xfrm state::proto comp spi::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
 carol::ip xfrm state::proto comp spi::YES
 carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
index 670a50c00..7502175e7 100755..100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
index 91abfd4da..aa1be047e 100755..100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
index 73d5ea206..b6a1c96a6 100644
--- a/testing/tests/ikev2/config-payload-swapped/evaltest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
@@ -1,15 +1,19 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*INSTALLED::YES
-moon::ipsec status::rw-dave.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
index 6894a952c..c453475e0 100755..100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
index cefbc8270..9da73d9a2 100755..100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
index 222673704..ef974c98f 100755..100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/posttest.dat b/testing/tests/ikev2/config-payload-swapped/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload-swapped/posttest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload-swapped/pretest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload-swapped/test.conf b/testing/tests/ikev2/config-payload-swapped/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload-swapped/test.conf
+++ b/testing/tests/ikev2/config-payload-swapped/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
index 3451112cc..b46dfddf6 100644
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -1,17 +1,21 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*INSTALLED::YES
-moon::ipsec status::rw-dave.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index cb5f6406b..0e4e57729 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index cb5f6406b..0e4e57729 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
index bb558fe25..a8cf08544 100755..100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index f763e3ef1..002166a54 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr
+
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/config-payload/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload/posttest.dat
+++ b/testing/tests/ikev2/config-payload/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload/pretest.dat
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload/test.conf
+++ b/testing/tests/ikev2/config-payload/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat
index 8c2f8ec9d..05c2c2f4d 100644
--- a/testing/tests/ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,8 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
+sun:: cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
index 2e3c9dde4..3b065774f 100755..100644
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index bfc83ab4d..c393b298a 100644
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
 
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
index 19e197131..2b4406d75 100755..100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/critical-extension/posttest.dat
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/ikev2/critical-extension/test.conf
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
index 2f4cf7afa..2d649bbee 100644
--- a/testing/tests/ikev2/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -1,10 +1,12 @@
-moon::cat /var/log/daemon.log::loaded crl from::YES
-moon::cat /var/log/daemon.log::crl is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec listcrls:: ok::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::loaded crl from::YES
+moon:: cat /var/log/daemon.log::crl is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::using cached crl::YES
+moon:: ipsec listcrls 2> /dev/null:: ok::YES
 carol::cat /var/log/daemon.log::loaded crl from::YES
 carol::cat /var/log/daemon.log::crl is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-carol::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+carol::cat /var/log/daemon.log::using cached crl::YES
+carol::ipsec listcrls 2> /dev/null:: ok::YES
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
index 4d47c831c..17a58545c 100755..100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
index 9488a6822..3314f7538 100755..100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2/crl-from-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-from-cache/test.conf
+++ b/testing/tests/ikev2/crl-from-cache/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
index 5ab094401..b0774c64d 100644
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::loaded crl from::YES
-moon::cat /var/log/daemon.log::crl is stale::YES
-moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES
-moon::cat /var/log/daemon.log::crl is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::loaded crl from::YES
+moon:: cat /var/log/daemon.log::crl is stale::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap::YES
+moon:: cat /var/log/daemon.log::crl is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::loaded crl from::YES
 carol::cat /var/log/daemon.log::crl is stale::YES
 carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
 carol::cat /var/log/daemon.log::crl is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 999d0d183..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
index 26d34de47..69ba4205f 100755..100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index cccd6ae27..d0c3f8c49 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
index 1d2a68528..25656cbda 100755..100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index cccd6ae27..d0c3f8c49 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat
index bddd87424..8474bd3aa 100644
--- a/testing/tests/ikev2/crl-ldap/posttest.dat
+++ b/testing/tests/ikev2/crl-ldap/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/crls/*
 carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
index 64fa8116b..8ffa9d3ed 100644
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -1,6 +1,6 @@
 winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-ldap/test.conf
+++ b/testing/tests/ikev2/crl-ldap/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 62ed8676a..4f3e10ba1 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::certificate was revoked::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
index cbab29414..95cd144ba 100755..100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
index dd50c335b..918d97413 100755..100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-revoked/test.conf
+++ b/testing/tests/ikev2/crl-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index afc8f67e4..fe6a55aae 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
 carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
index 4d47c831c..17a58545c 100755..100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
index 9488a6822..3314f7538 100755..100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-to-cache/test.conf
+++ b/testing/tests/ikev2/crl-to-cache/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt
index 639e909da..889f8297a 100644
--- a/testing/tests/ikev2/default-keys/description.txt
+++ b/testing/tests/ikev2/default-keys/description.txt
@@ -1,8 +1,8 @@
 Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
 and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the UML testing environment does
-not offer enough entropy, the non-blocking /dev/urandom device is used in place
-of /dev/random for generating the random primes.
+and a self-signed X.509 certificate. Because the virtual testing environment
+does not offer enough entropy, the non-blocking /dev/urandom device is used in
+place of /dev/random for generating the random primes.
 <p>
 The self-signed certificates are then distributed to the peers via scp
 and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat
index 2c1e11c97..4df2d1e11 100644
--- a/testing/tests/ikev2/default-keys/evaltest.dat
+++ b/testing/tests/ikev2/default-keys/evaltest.dat
@@ -1,7 +1,9 @@
 carol::cat /var/log/auth.log::scepclient::YES
-moon::cat /var/log/auth.log::scepclient::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-moon::ipsec statusall::carol.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/auth.log::scepclient::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES
+moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
index 9574f18bb..15aba18e5 100755..100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index eabe265ca..5a243caab 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 5a262c084..000000000
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
index 5b2c4e3f4..278943d28 100755..100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..72a1c17c3
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
@@ -0,0 +1,30 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --sport 22 -j ACCEPT
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+-A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index eabe265ca..5a243caab 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce
 }
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
index 8cada5e7e..25f737ecc 100644
--- a/testing/tests/ikev2/default-keys/posttest.dat
+++ b/testing/tests/ikev2/default-keys/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index 88f9a2ca9..ef5f67097 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 carol::rm /etc/ipsec.secrets
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
@@ -10,9 +10,10 @@ moon::rm /etc/ipsec.d/private/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-moon::sleep 5 
+moon::sleep 5
 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
 moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload 
-carol::ipsec reload 
+moon::ipsec reload
+carol::ipsec reload
+carol::sleep 1
 carol::ipsec up home
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/default-keys/test.conf
index 0baa48d90..ce84ce41a 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/ikev2/default-keys/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol"
+VIRTHOSTS="alice moon carol"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
index b3814084f..9e536870e 100644
--- a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.50/32::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.51/32::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.50/32::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.51/32::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
index 3868a7a38..a774f2a76 100755..100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
index 317e4ddc0..609d35754 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
new file mode 100644
index 000000000..7a178505f
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
@@ -0,0 +1,14 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name          "strongswan.org";
+  option domain-name-servers   PH_IP_VENUS;
+  option netbios-name-servers  PH_IP_ALICE;
+  option routers               PH_IP_MOON1;
+  option broadcast-address     10.1.255.255;
+  next-server                  PH_IP_VENUS;
+
+  range 10.1.0.50 10.1.0.60;
+}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
deleted file mode 100644
index 2176af702..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option domain-name          "strongswan.org";
-  option domain-name-servers   10.1.0.20;
-  option netbios-name-servers  10.1.0.10;
-  option routers               10.1.0.1;
-  option broadcast-address     10.1.255.255;
-  next-server                  10.1.0.20;
-
-  range 10.1.0.50 10.1.0.60;
-}
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
index 2d35dfd64..ec8c945a7 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
@@ -1,7 +1,7 @@
 interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
index 1f5487596..f783127bf 100644
--- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
@@ -2,9 +2,9 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 venus::cat /var/state/dhcp/dhcpd.leases
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.50
 alice::arp -d 10.1.0.51
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-dynamic/test.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
index 8abd2416a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
index 3868a7a38..a774f2a76 100755..100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
index 317e4ddc0..609d35754 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
new file mode 100644
index 000000000..334ea30e2
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
@@ -0,0 +1,24 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name            "strongswan.org";
+  option domain-name-servers     PH_IP_VENUS;
+  option netbios-name-servers    PH_IP_ALICE;
+  option routers                 PH_IP_MOON1;
+  option broadcast-address       10.1.255.255;
+  next-server                    PH_IP_VENUS;
+
+  range 10.1.0.50 10.1.0.60;
+}
+
+host carol {
+  option dhcp-client-identifier "carol@strongswan.org";
+  fixed-address                  10.1.0.30;
+}
+
+host dave {
+  option dhcp-client-identifier "dave@strongswan.org";
+  fixed-address                  10.1.0.40;
+}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
deleted file mode 100644
index 44ee681b6..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option domain-name            "strongswan.org";
-  option domain-name-servers     10.1.0.20;
-  option netbios-name-servers    10.1.0.10;
-  option routers                 10.1.0.1;
-  option broadcast-address       10.1.255.255;
-  next-server                    10.1.0.20;
-
-  range 10.1.0.50 10.1.0.60;
-}
-
-host carol {
-  option dhcp-client-identifier "carol@strongswan.org";
-  fixed-address                  10.1.0.30;
-}
-
-host dave {
-  option dhcp-client-identifier "dave@strongswan.org";
-  fixed-address                  10.1.0.40;
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
index 5672236a0..aca225955 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
@@ -2,8 +2,8 @@ interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
 dhcp-host=id:carol@strongswan.org,10.1.0.30
 dhcp-host=id:dave@strongswan.org,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2/dhcp-static-client-id/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/test.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
index 8abd2416a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
index 3868a7a38..a774f2a76 100755..100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
index ecfc51d44..75c605f60 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
new file mode 100644
index 000000000..97c5efac6
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
@@ -0,0 +1,24 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name          "strongswan.org";
+  option domain-name-servers   PH_IP_VENUS;
+  option netbios-name-servers  PH_IP_ALICE;
+  option routers               PH_IP_MOON1;
+  option broadcast-address     10.1.255.255;
+  next-server                  PH_IP_VENUS;
+
+  range 10.1.0.50 10.1.0.60;
+}
+
+host carol {
+  hardware ethernet            7a:a7:51:cc:22:4a;
+  fixed-address                10.1.0.30;
+}
+
+host dave {
+  hardware ethernet            7a:a7:93:70:2b:21;
+  fixed-address                10.1.0.40;
+}
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
deleted file mode 100644
index 20666f701..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# dhcpd configuration file
-
-ddns-update-style none;
-
-subnet 10.1.0.0 netmask 255.255.0.0 {
-  option domain-name          "strongswan.org";
-  option domain-name-servers   10.1.0.20;
-  option netbios-name-servers  10.1.0.10;
-  option routers               10.1.0.1;
-  option broadcast-address     10.1.255.255;
-  next-server                  10.1.0.20;
-
-  range 10.1.0.50 10.1.0.60;
-}
-
-host carol {
-  hardware ethernet            7a:a7:8f:fc:db:3b;
-  fixed-address                10.1.0.30;
-}
-
-host dave {
-  hardware ethernet            7a:a7:35:78:bc:85;
-  fixed-address                10.1.0.40;
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
index e3729081f..ed28c69ac 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
@@ -1,9 +1,9 @@
 interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-host=7a:a7:8f:fc:db:3b,10.1.0.30
-dhcp-host=7a:a7:35:78:bc:85,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-host=7a:a7:51:cc:22:4a,10.1.0.30
+dhcp-host=7a:a7:93:70:2b:21,10.1.0.40
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2/dhcp-static-mac/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-mac/test.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index aa69dabfa..52c561964 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-bob::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
index c8aa460cf..38629d12a 100755..100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
index f0c5b6f15..1c4a80769 100755..100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
index 41b69aed6..17a4fe5eb 100644
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat-net/test.conf
+++ b/testing/tests/ikev2/double-nat-net/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index 77deea2a7..9ddad2de5 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-bob::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
index 26830f390..fe5b5f299 100755..100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
index b4a24cb1f..1004ee971 100755..100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
index 10ba6d735..65f18b756 100644
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat/test.conf
+++ b/testing/tests/ikev2/double-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat
index 86c0227bd..c1a271903 100644
--- a/testing/tests/ikev2/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -1,6 +1,8 @@
-carol::ipsec statusall::home.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::sleep 180::no output expected::NO
-moon::cat /var/log/daemon.log::sending DPD request::YES
-moon::cat /var/log/daemon.log::retransmit.*of request::YES
-moon::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: sleep 180::no output expected::NO
+moon:: cat /var/log/daemon.log::sending DPD request::YES
+moon:: cat /var/log/daemon.log::retransmit.*of request::YES
+moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
index cdb40d72d..75b377f5f 100755..100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-clear/test.conf
+++ b/testing/tests/ikev2/dpd-clear/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat
index 2cf063762..4c035a6e9 100644
--- a/testing/tests/ikev2/dpd-hold/evaltest.dat
+++ b/testing/tests/ikev2/dpd-hold/evaltest.dat
@@ -1,14 +1,14 @@
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 carol::sleep 180::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
 carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::ping -c 1 PH_IP_ALICE::trigger route::NO
 carol::sleep 2::no output expected::NO
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
index bfc8ac34c..aa1a05169 100755..100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
index cdb40d72d..75b377f5f 100755..100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
index 5442565f8..f8b62b953 100644
--- a/testing/tests/ikev2/dpd-hold/test.conf
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
index 28edd4823..962bd0636 100644
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 carol::sleep 180::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
 carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::sleep 10::no output expected::NO
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
index 631eac9b6..dfc77a43a 100755..100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
index cdb40d72d..75b377f5f 100755..100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-restart/test.conf
+++ b/testing/tests/ikev2/dpd-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
new file mode 100644
index 000000000..e74ee1569
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -0,0 +1,12 @@
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
+suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
+old tunnel first (simulated by iptables blocking IKE packets to and from
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). 
diff --git a/testing/tests/ikev2/dynamic-initiator/evaltest.dat b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
new file mode 100644
index 000000000..3db70be71
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
+moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for.*carol@strongswan.org.*received INITIAL_CONTACT::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6fca045f6
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon 
+	left=%any
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6fca045f6
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon 
+	left=%any
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
index 6c41df9c7..6c41df9c7 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..41a139954
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
+
+mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
+i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
+jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
+m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
+pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
+J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
+dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
+h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
+/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
+EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
+pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
+sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
+kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
+gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
+OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
+D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
+bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
+BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
+7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
+UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
+H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
+y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
+zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
+AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
+nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets
index 6a2aea811..6a2aea811 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2e5f01a06
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn carol
+	left=%any
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%carol.strongswan.org
+	rightid=carol@strongswan.org
+	rightsourceip=PH_IP_CAROL1
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat
new file mode 100644
index 000000000..83063a23f
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -0,0 +1,9 @@
+dave::ipsec stop
+carol::ipsec stop
+dave::sleep 1
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+dave::rm /etc/ipsec.d/certs/*
+dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
new file mode 100644
index 000000000..3e1cfce77
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+carol::sleep 1
+carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::ipsec up moon
+dave::sleep 2 
diff --git a/testing/tests/ikev2/dynamic-initiator/test.conf b/testing/tests/ikev2/dynamic-initiator/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dynamic-two-peers/description.txt b/testing/tests/ikev2/dynamic-two-peers/description.txt
new file mode 100644
index 000000000..a1616011e
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/description.txt
@@ -0,0 +1,14 @@
+The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
+so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
+The ipsec starter resolves the fully-qualified hostname into the current IP address
+via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
+expected to change over time, the prefix '%' is used as an implicit alternative to the
+explicit <b>rightallowany=yes</b> option which will allow an IKE_SA rekeying to arrive
+from an arbitrary IP address under the condition that the peer identity remains unchanged.
+When this happens the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
+<b>moon</b> which has a named connection definition for each peer. Although
+the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
+the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
+
diff --git a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
new file mode 100644
index 000000000..82d2e7318
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6fca045f6
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon 
+	left=%any
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6493ce0b1
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon
+	left=%any
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale
new file mode 100644
index 000000000..ebff4ec25
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale
@@ -0,0 +1,67 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.110	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.220	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..d510e2e0c
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=%any
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol
+	right=%carol.strongswan.org
+	rightid=carol@strongswan.org
+	rightsourceip=PH_IP_CAROL1
+	auto=add
+
+conn dave
+	right=%dave.strongswan.org
+	rightid=dave@strongswan.org
+	rightsourceip=PH_IP_DAVE1
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
new file mode 100644
index 000000000..7b2609846
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
@@ -0,0 +1,8 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::sleep 1
+moon::ipsec stop
+moon::mv /etc/hosts.ori /etc/hosts
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
new file mode 100644
index 000000000..4bb2a4686
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
@@ -0,0 +1,12 @@
+moon::mv /etc/hosts /etc/hosts.ori
+moon::mv /etc/hosts.stale /etc/hosts
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+dave::ipsec up moon
+carol::sleep 1
diff --git a/testing/tests/ikev2/dynamic-two-peers/test.conf b/testing/tests/ikev2/dynamic-two-peers/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
index 9377d9fd2..d5d3bc0d3 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::NULL_AES_GMAC_256::YES
-carol::ipsec statusall::NULL_AES_GMAC_256::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
+carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
index f3a266c7d..8f5b77cac 100755..100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
index bbdb38301..d41ba72e8 100755..100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
index d65d71240..366539936 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES
-carol::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES
-moon::ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
+carol::ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
index 09797799f..a85034243 100755..100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
index ae83aaf58..13908da14 100755..100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/test.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat
index bebca1f61..1b9c6c27e 100644
--- a/testing/tests/ikev2/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
-carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc ecb(cipher_null)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
index 5640d74fc..1d8509115 100755..100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
index 91f4a7c7f..38f8bd619 100755..100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
index b0277271d..00c353686 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES
-carol::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES
-moon::ip xfrm state::auth hmac(sha1)::YES
-carol::ip xfrm state::auth hmac(sha1)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
+carol::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
+moon:: ip xfrm state::auth-trunc hmac(sha1)::YES
+carol::ip xfrm state::auth-trunc hmac(sha1)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
index 3991d517d..52629873e 100755..100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
index 893419585..d4cc3fbaf 100755..100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/test.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2/farp/evaltest.dat
index d48812f47..891ec20d5 100644
--- a/testing/tests/ikev2/farp/evaltest.dat
+++ b/testing/tests/ikev2/farp/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*INSTALLED::YES
-moon::ipsec status::rw-dave.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
index 19dd5d3e6..25ec162fe 100755..100644
--- a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
index 379edeefc..56eaebfc0 100644
--- a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev2/farp/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/farp/posttest.dat
+++ b/testing/tests/ikev2/farp/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat
index 709931e1b..f0254da6c 100644
--- a/testing/tests/ikev2/farp/pretest.dat
+++ b/testing/tests/ikev2/farp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
 carol::ipsec start
diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2/farp/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/farp/test.conf
+++ b/testing/tests/ikev2/farp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/force-udp-encaps/evaltest.dat b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
index 35f01d491..36af646d2 100644
--- a/testing/tests/ikev2/force-udp-encaps/evaltest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
@@ -1,6 +1,8 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat.t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
 alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > alice.strongswan.org.*: UDP::YES
+alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > alice.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf
index 2074646cc..3e10155a3 100755..100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 5bb63f5ac..000000000
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf
index a2c168601..3f00d6e1a 100755..100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/posttest.dat b/testing/tests/ikev2/force-udp-encaps/posttest.dat
index 979f2fcd0..03edb42cb 100644
--- a/testing/tests/ikev2/force-udp-encaps/posttest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat
index 6f00cd387..7be66867a 100644
--- a/testing/tests/ikev2/force-udp-encaps/pretest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat
@@ -1,8 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 alice::ipsec start
 sun::ipsec start
 alice::sleep 4
diff --git a/testing/tests/ikev2/force-udp-encaps/test.conf b/testing/tests/ikev2/force-udp-encaps/test.conf
index d84149aaf..42fa97190 100644
--- a/testing/tests/ikev2/force-udp-encaps/test.conf
+++ b/testing/tests/ikev2/force-udp-encaps/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat
index 8d5d8167a..3305f4558 100644
--- a/testing/tests/ikev2/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev2/host2host-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::host-host.*ESTABLISHED::YES
-sun::ipsec statusall::host-host.*ESTABLISHED::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
index ec9ac5b80..1f4843f7d 100755..100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
index 484eb995f..2b2b26097 100755..100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-cert/posttest.dat
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-cert/test.conf
+++ b/testing/tests/ikev2/host2host-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-swapped/evaltest.dat b/testing/tests/ikev2/host2host-swapped/evaltest.dat
index 8d5d8167a..3305f4558 100644
--- a/testing/tests/ikev2/host2host-swapped/evaltest.dat
+++ b/testing/tests/ikev2/host2host-swapped/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::host-host.*ESTABLISHED::YES
-sun::ipsec statusall::host-host.*ESTABLISHED::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
index 981c7f073..d8ef0c7be 100755..100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
index e3fc2b728..517bb3d41 100755..100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-swapped/posttest.dat
+++ b/testing/tests/ikev2/host2host-swapped/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/host2host-swapped/test.conf b/testing/tests/ikev2/host2host-swapped/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-swapped/test.conf
+++ b/testing/tests/ikev2/host2host-swapped/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat
index b3cade48c..fc49e57d8 100644
--- a/testing/tests/ikev2/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -1,8 +1,7 @@
-moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
-moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
index 7f6c5a58a..de273e53a 100755..100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
index af52fb22b..e96c1ca2e 100755..100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-transport/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev2/host2host-transport/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev2/host2host-transport/test.conf
+++ b/testing/tests/ikev2/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
index a8975481f..221c59318 100644
--- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -1,8 +1,8 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::sleep 15::NO
 carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
-moon::ipsec statusall::rw.*INSTALLED::NO
-carol::ipsec statusall::home.*INSTALLED::NO
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
index 5fbb99617..a7a53a4b7 100755..100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
index c3d417302..efc5b6cbd 100755..100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2/inactivity-timeout/posttest.dat
index 94a400606..6ca9c5b35 100644
--- a/testing/tests/ikev2/inactivity-timeout/posttest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/posttest.dat
@@ -1,4 +1,3 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
index 3c3df0196..b949aaeaf 100644
--- a/testing/tests/ikev2/inactivity-timeout/pretest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::sleep 1
 carol::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/inactivity-timeout/test.conf
+++ b/testing/tests/ikev2/inactivity-timeout/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
index f9d0cbb37..42e353084 100644
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -4,26 +4,30 @@ carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
 carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-dave::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
 moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
index b3413830f..606b1500a 100755..100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index e907021ce..04ffaf64d 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 5b88b2163..c99f347e3 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 4a2add194..fce551c69 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -4,9 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
 moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
index d02d422ab..44310cd16 100644
--- a/testing/tests/ikev2/ip-pool-wish/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
@@ -1,18 +1,22 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org.::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
index c9867c7d4..62c30cf28 100755..100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
index 98dd99271..fa99a4c86 100755..100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
index 0b4cded6c..85c48a7bb 100755..100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool-wish/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
index 1f4ff286a..1466fd2f2 100644
--- a/testing/tests/ikev2/ip-pool-wish/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-wish/test.conf
+++ b/testing/tests/ikev2/ip-pool-wish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat
index b130d4565..8ea7960b5 100644
--- a/testing/tests/ikev2/ip-pool/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -1,21 +1,25 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec leases rw::2/15, 2 online::YES
-moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
index 0b4cded6c..85c48a7bb 100755..100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool/test.conf
+++ b/testing/tests/ikev2/ip-pool/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
index 8fd47dc34..60a537b02 100644
--- a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
@@ -1,15 +1,19 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status::home.*INSTALLED::YES
-dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave::ipsec status::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
-moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
-moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
index c0f9756e4..136022d5c 100755..100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,5 +16,5 @@ conn rw
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
 	right=%any
-	rightsourceip=%pool0,pool1
+	rightsourceip=%pool0,%pool1
 	auto=add
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index e907021ce..04ffaf64d 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-split-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
index ba2b07a10..fdc3d4d3f 100644
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -1,29 +1,37 @@
-carol::ipsec status::home.*INSTALLED::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ipsec status::home.*INSTALLED::YES
-venus::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::ext.*ESTABLISHED.*dave@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*venus.strongswan.org::YES
-moon::ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
-moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
-moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+venus::ipsec status 2> /dev/null::home.*ESTABLISHED.*venus.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[3]: ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[4]: ESTABLISHED.*moon.strongswan.org.*venus.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext[{]1}.*INSTALLED. TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext[{]2}.*INSTALLED. TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]3}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]4}.*INSTALLED, TUNNEL::YES
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
 venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
 carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
 alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
 venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
-alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
-dave::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
 alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
 dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
index d925a2564..19cd1c8cd 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
index 2b673ec4d..c891c643c 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
index 22f9b6634..4066549e8 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
index a4c37e117..651642b04 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index e44a3e251..2dc6a3a87 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
index 2dbd84fe7..b8f01bd15 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 7b0393ebd..9c0bb5cae 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -3,11 +3,11 @@ venus::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ip route del 10.3.0.0/16 via PH_IP_MOON
 moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
 moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index e4eb8b0b9..3aba87994 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -8,11 +8,11 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu
 moon::ipsec pool --statusattr 2> /dev/null
 moon::ip route add 10.3.0.0/16 via PH_IP_MOON
 moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::ipsec start
 venus::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf
index ea1307b16..c88e11d28 100644
--- a/testing/tests/ikev2/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice venus carol dave"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
index 1505de751..0d7a36452 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
@@ -1,16 +1,20 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
index f5ce1687e..180226eaa 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
index e647f1e36..63509bc16 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
index d80bb5305..649d567c4 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index e44a3e251..2dc6a3a87 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index db5e6237f..a3924b2f6 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 alice::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::ipsec pool --del intpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
index b579464f2..b74c1e07a 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -1,9 +1,9 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice carol"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt
new file mode 100644
index 000000000..7e8e7a69b
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt
@@ -0,0 +1,5 @@
+The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
+both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
+<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses
+from persistent pools stored in an SQL database using the <b>rightsourceip</b> option.
+The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
new file mode 100644
index 000000000..0bf3500b5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
+carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d19399def
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config4,%config6
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0,::/0
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..04a74fd44
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,fec1::0/16
+	rightsourceip=%v4_pool,%v6_pool
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..73b0cb7be
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
+}
+
+libhydra {
+  plugins {
+    attr-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
+
+pool {
+  load = sqlite
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
new file mode 100644
index 000000000..311e9f21d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
@@ -0,0 +1,5 @@
+alice::ip -6 route del default via fec1:\:1
+carol::ipsec stop
+moon::ipsec stop
+moon::conntrack -F
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
new file mode 100644
index 000000000..e3d8f4a78
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
@@ -0,0 +1,9 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null 
+moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout  48 2> /dev/null
+alice::ip -6 route add default via fec1:\:1
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
new file mode 100644
index 000000000..cd03759f0
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt
new file mode 100644
index 000000000..32dd88d51
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt
@@ -0,0 +1,5 @@
+The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
+both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
+<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses
+from two in-memory pools using the <b>rightsourceip</b> option. The established tunnel
+carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
new file mode 100644
index 000000000..0bf3500b5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
+carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d19399def
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config4,%config6
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0,::/0
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0777f6db5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,fec1::0/16
+	rightsourceip=10.3.0.0/28,fec3::/120
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
new file mode 100644
index 000000000..bb20cae05
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
@@ -0,0 +1,4 @@
+alice::ip -6 route del default via fec1:\:1
+carol::ipsec stop
+moon::ipsec stop
+moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
new file mode 100644
index 000000000..04139badf
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
@@ -0,0 +1,5 @@
+alice::ip -6 route add default via fec1:\:1
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
new file mode 100644
index 000000000..cd03759f0
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat
index ac0a3eeb3..fad3781d7 100644
--- a/testing/tests/ikev2/ip-two-pools/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat
@@ -1,17 +1,21 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases int::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
index f5ce1687e..180226eaa 100755..100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
index e647f1e36..63509bc16 100755..100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
index 8435479fa..5773245d1 100755..100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index f41bb0fbc..2fbc2c3a0 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,8 +1,8 @@
 alice::ipsec stop
 carol::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
index db422a105..4e8b639f4 100644
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools/test.conf
+++ b/testing/tests/ikev2/ip-two-pools/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice carol"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat
index f2758eb35..c71e3f7c1 100644
--- a/testing/tests/ikev2/mobike-nat/evaltest.dat
+++ b/testing/tests/ikev2/mobike-nat/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
index ed670efb1..ffb7f563a 100755..100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..6dd261f20
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP 
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IPsec tunnel traffic
-	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
index ca4d84e16..e187f9569 100755..100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..0a7d1fa40
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP 
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
index cd0d4df25..f4e5316c9 100644
--- a/testing/tests/ikev2/mobike-nat/posttest.dat
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
index 08c2be95c..86ac6e7e0 100644
--- a/testing/tests/ikev2/mobike-nat/pretest.dat
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -1,12 +1,11 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-nat/test.conf
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
index 94dea0b14..17593ef82 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
index ed670efb1..ffb7f563a 100755..100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IPsec tunnel traffic
-	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
index 1c8be1db4..2b0c8aebd 100755..100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,7 +14,7 @@ conn mobike
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_ALICE1
+	right=192.168.0.50
 	rightsourceip=10.3.0.3
 	rightid=alice@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
@@ -1,5 +1,5 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/test.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat
index 6c49c0425..e3464040e 100644
--- a/testing/tests/ikev2/mobike/evaltest.dat
+++ b/testing/tests/ikev2/mobike/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall::PH_IP_ALICE1/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE1/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
+alice::ipsec statusall 2> /dev/null::192.168.0.50/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 192.168.0.50/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
-alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall 2> /dev/null::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
index 6c87468bb..95683fdc3 100755..100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	right=PH_IP_SUN
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 6934b1948..000000000
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-        # enable IP forwarding
-        echo 1 > /proc/sys/net/ipv4/ip_forward
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
index 4806cd9c8..f7693106f 100755..100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +14,6 @@ conn mobike
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_ALICE1
+	right=192.168.0.50
 	rightid=alice@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2/mobike/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike/posttest.dat
+++ b/testing/tests/ikev2/mobike/posttest.dat
@@ -1,5 +1,5 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike/pretest.dat
+++ b/testing/tests/ikev2/mobike/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike/test.conf
+++ b/testing/tests/ikev2/mobike/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 897db40ed..65a003d23 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
-moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
-moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
@@ -15,7 +15,7 @@ dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
 moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
-moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
+moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..91425f812
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,61 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..aaabab89e
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,6 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index dfceb037d..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,62 +0,0 @@
-authorize {
-  preprocess
-  chap
-  mschap
-  sim_files
-  suffix
-  eap {
-    ok = return
-  }
-  unix
-  files
-  expiration
-  logintime
-  pap
-}
-
-authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
deleted file mode 100644
index 002ee94d1..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
-228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
-228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
-228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
-228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
-228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
index 26cc0cd92..df4440768 100755..100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index 7b4ab49e4..8e872ddae 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
index f8c52be78..01fb6b0a3 100755..100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -9,7 +8,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index 7b4ab49e4..8e872ddae 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
index 37d23b1f5..8dc0daeb5 100755..100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index 2a18af887..aba7eefdf 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index dbe56013a..6a4da6631 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,7 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index b3fd4cbf1..2d54c6027 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,11 +1,8 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
index 70416826e..42d23a50b 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
@@ -1,21 +1,25 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
index d2453bbee..03426ac44 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
@@ -1,12 +1,12 @@
 carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
index a8a6d2b8f..7f045801e 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
index 8647ac813..9306bf9ec 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
index 4c84d183b..776b5a5b3 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
index c8e7adcb7..2eebc0f84 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
index 4b827b4dd..dcd271772 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
@@ -1,12 +1,12 @@
 carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*INSTALLED::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*INSTALLED::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
index 9031a948c..5ee8ba076 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
index 0168be8e1..391bc91a6 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
index 75138581e..565d0d829 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index 4a1c7208b..4abcde1e8 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -1,19 +1,19 @@
-moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status::venus.*INSTALLED::NO
-moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
-moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*moon.strongswan.org.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 39996cf42..995b347cf 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
         cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index bbe0d3aa7..91ded3733 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index e25636a7d..320c0713c 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index bbe0d3aa7..91ded3733 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index 46f1030cd..e67c9afb0 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index cccd6ae27..d0c3f8c49 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
index ec4ba6e10..6f0ec4b97 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
@@ -3,5 +3,5 @@ carol::ipsec stop
 dave::ipsec stop
 moon::rm /etc/ipsec.d/cacerts/*
 winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
index 322f42102..41319ae4d 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
@@ -1,5 +1,5 @@
 winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
index 6b77a8161..85bbe4ab9 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
+moon:: cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
+carol::ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 5c34528a4..991daafe1 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index 96e493719..7721b2347 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
index 0a0ec22bf..bb538c160 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2/multi-level-ca-loop/test.conf
index 3189fdfc7..a24ec4f1d 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
index 266f0d0da..913e8f454 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
+moon:: cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status::home.*INSTALLED::NO
-moon::ipsec status::duck.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::duck.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
index 64539ccc2..e8398629c 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index 47dab951f..bc90242f7 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
index 528dda39b..4d1286f4f 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index 8335e51f6..77bd6782c 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
index 9f0232a7b..e209e60ff 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
index b118cb7dc..587964390 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
index 182f9e0fc..008ff2cf8 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon:: cat /var/log/daemon.log::certificate was revoked::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status::alice.*ESTABLISHED::NO
-carol::ipsec status::home.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index a042da6d5..297e348ea 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index ef1beae7e..a3517967a 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
index a594745b7..90ee6a7a4 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
@@ -1,6 +1,6 @@
-carol::ipsec status::alice.*INSTALLED::YES
-carol::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::ESTABLISHED.*carol@strongswan.org::YES
-dave::ipsec status::venus.*INSTALLED::YES
-dave::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index 6fcc1578e..d65d37be2 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index c4b41aa06..121f7d41a 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index 9c02993e7..a49c833b8 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index b0814556d..e1c5be4ed 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -1,19 +1,19 @@
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status::venus.*INSTALLED::NO
-moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
-moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
index 174e248c2..909118fb1 100755..100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
index 5c90dd4a2..95777460e 100755..100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
index d0240a333..3a5aaa6b6 100755..100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca/test.conf
+++ b/testing/tests/ikev2/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/nat-one-rw/description.txt b/testing/tests/ikev2/nat-one-rw/description.txt
deleted file mode 100644
index c3b9bb820..000000000
--- a/testing/tests/ikev2/nat-one-rw/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
-gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the
-client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-one-rw/evaltest.dat b/testing/tests/ikev2/nat-one-rw/evaltest.dat
deleted file mode 100644
index 7395e5571..000000000
--- a/testing/tests/ikev2/nat-one-rw/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 8db43213f..000000000
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn nat-t
-	left=%defaultroute
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 6d9e62e1d..000000000
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  keep_alive = 1d 
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index a2c168601..000000000
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-
-conn net-net
-	leftsubnet=10.2.0.0/16
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn host-host
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn nat-t
-	leftsubnet=10.2.0.0/16
-	right=%any
-	rightsubnet=10.1.0.10/32
-	auto=add
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-one-rw/posttest.dat b/testing/tests/ikev2/nat-one-rw/posttest.dat
deleted file mode 100644
index cd0d4df25..000000000
--- a/testing/tests/ikev2/nat-one-rw/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-alice::ipsec stop
-sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-one-rw/pretest.dat b/testing/tests/ikev2/nat-one-rw/pretest.dat
deleted file mode 100644
index a4f5ecd79..000000000
--- a/testing/tests/ikev2/nat-one-rw/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-sun::ipsec start
-alice::sleep 4
-alice::ipsec up nat-t
-alice::sleep 1 
-
diff --git a/testing/tests/ikev2/nat-one-rw/test.conf b/testing/tests/ikev2/nat-one-rw/test.conf
deleted file mode 100644
index d84149aaf..000000000
--- a/testing/tests/ikev2/nat-one-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/nat-portswitch/description.txt b/testing/tests/ikev2/nat-portswitch/description.txt
deleted file mode 100644
index 93b779ee1..000000000
--- a/testing/tests/ikev2/nat-portswitch/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a connection 
-to gateway <b>sun</b> using IKEv2. UDP encapsulation is used to traverse the NAT router.
-The authentication is based on locally loaded <b>X.509 certificates</b>.
-After the IPsec Setup NAT router moon "crashes" (i.e. flushes its conntrack
-table) and with the next dpd sent from <b>alice</b> a dynamical address update
-should occur in gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-portswitch/evaltest.dat b/testing/tests/ikev2/nat-portswitch/evaltest.dat
deleted file mode 100644
index 75b01a551..000000000
--- a/testing/tests/ikev2/nat-portswitch/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-sun::ipsec statusall::rw-alice.*ESTABLISHED::YES
-alice::ipsec statusall::home.*ESTABLISHED::YES
-moon::cmd::iptables -t nat -F::YES
-moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:3024-3100::YES
-moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:4000-4100::YES
-moon::cmd::conntrack -F::YES
-alice::cmd::sleep 75::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP, length: 132::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP, length: 132::YES
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index cd9de533a..000000000
--- a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
-config setup
-	plutostart=no
-
-conn home
-	left=PH_IP_ALICE
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	right=PH_IP_SUN
-	rightcert=sunCert.pem
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	keyexchange=ikev2
-	auto=add
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem
deleted file mode 100644
index e7825e3db..000000000
--- a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
-foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
-Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
-AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
-zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
-HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
-N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
-KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
-hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
-ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
-Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
-5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
-JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
-Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index a7722142f..000000000
--- a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
-config setup
-	plutostart=no
-
-conn %default
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	keyexchange=ikev2
-	
-conn rw-alice
-	right=%any
-	rightcert=aliceCert.pem
-	rightid=alice@strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
deleted file mode 100644
index e99ae8ec7..000000000
--- a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
-cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-portswitch/posttest.dat b/testing/tests/ikev2/nat-portswitch/posttest.dat
deleted file mode 100644
index 3b9f53e9b..000000000
--- a/testing/tests/ikev2/nat-portswitch/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-sun::rm /etc/ipsec.d/certs/*
-alice::rm /etc/ipsec.d/certs/*
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-portswitch/pretest.dat b/testing/tests/ikev2/nat-portswitch/pretest.dat
deleted file mode 100644
index 17cc4b070..000000000
--- a/testing/tests/ikev2/nat-portswitch/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::ipsec start
-alice::ipsec start
-alice::sleep 1
-alice::ipsec up home
-alice::sleep 1 
diff --git a/testing/tests/ikev2/nat-portswitch/test.conf b/testing/tests/ikev2/nat-portswitch/test.conf
deleted file mode 100644
index d84149aaf..000000000
--- a/testing/tests/ikev2/nat-portswitch/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/nat-rw-mark/description.txt b/testing/tests/ikev2/nat-rw-mark/description.txt
new file mode 100644
index 000000000..b8074e665
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
+after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark</b> parameter in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts 
+iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules 
+that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> 
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
new file mode 100644
index 000000000..bb8e856cc
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun::  ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::  ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..4c29a07d5
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..aac963e91
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice 
+	rightid=alice@strongswan.org
+	mark=10/0xffffffff
+	also=sun
+	auto=add
+
+conn venus
+	rightid=@venus.strongswan.org
+	mark=20  #0xffffffff is used by default
+	also=sun
+	auto=add
+
+conn sun
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/mark_updown
+	right=%any
+	rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..421335ffb
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -0,0 +1,537 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK="-p esp"
+	fi
+	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..38ef469c5
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat
new file mode 100644
index 000000000..72dff4e10
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat
@@ -0,0 +1,12 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+sun::iptables-restore < /etc/iptables.flush
+sun::conntrack -F
+sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat
new file mode 100644
index 000000000..6cddfd4fe
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat
@@ -0,0 +1,20 @@
+sun::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+venus::sleep 2
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2/nat-rw-mark/test.conf
new file mode 100644
index 000000000..105472cbe
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-rw-mixed/description.txt b/testing/tests/ikev2/nat-rw-mixed/description.txt
deleted file mode 100644
index 511a1a874..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> 
-set up a connection to gateway <b>sun</b>. <b>alice</b> uses the IKEv2 key exchange protocol 
-whereas <b>venus</b> negotiates the connection via the IKEv1 protocol.
-UDP encapsulation is used to traverse the NAT router.
-In order to test the tunnel the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client
-<b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat b/testing/tests/ikev2/nat-rw-mixed/evaltest.dat
deleted file mode 100644
index 685c1b43f..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-sun::ipsec statusall::rw-alice.*ESTABLISHED::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*@venus.strongswan.org::YES
-alice::ipsec statusall::home.*ESTABLISHED::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index cd9de533a..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
-config setup
-	plutostart=no
-
-conn home
-	left=PH_IP_ALICE
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	right=PH_IP_SUN
-	rightcert=sunCert.pem
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	keyexchange=ikev2
-	auto=add
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem
deleted file mode 100644
index e7825e3db..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
-foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
-Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
-AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
-zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
-HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
-N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
-KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
-hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
-ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
-Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
-5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
-JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
-Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index b85bd607b..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180	
-	nat_traversal=yes
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-
-conn rw-alice
-	right=%any
-	rightcert=aliceCert.pem
-	rightid=alice@strongswan.org
-	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
-	auto=add
-
-conn nat-t
-	leftsubnet=10.2.0.0/16
-	right=%any
-	rightsubnetwithin=10.1.0.0/16
-	keyexchange=ikev1
-	auto=add
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
deleted file mode 100644
index e99ae8ec7..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
-cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem
deleted file mode 100644
index 25a6941b0..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz
-LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy
-Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ
-thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON
-FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H
-wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/
-nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
-BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA
-FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE
-ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
-ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw
-LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww
-DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN
-rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX
-PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B
-fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid
-hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh
-wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/posttest.dat b/testing/tests/ikev2/nat-rw-mixed/posttest.dat
deleted file mode 100644
index 0a8ce2bbc..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-sun::rm /etc/ipsec.d/certs/*
-alice::rm /etc/ipsec.d/certs/*
-moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/nat-rw-mixed/pretest.dat b/testing/tests/ikev2/nat-rw-mixed/pretest.dat
deleted file mode 100644
index d2c5c7df2..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-alice::sleep 1
-venus::ipsec up nat-t
-alice::ipsec up home
-alice::sleep 1 
diff --git a/testing/tests/ikev2/nat-rw-mixed/test.conf b/testing/tests/ikev2/nat-rw-mixed/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt
index c74897d9a..c74897d9a 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/description.txt
+++ b/testing/tests/ikev2/nat-rw-psk/description.txt
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
new file mode 100644
index 000000000..6ec29c779
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
+sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..089e91ed7
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=secret
+		
+conn nat-t
+	left=%defaultroute
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets
index d61e3eb48..d61e3eb48 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..924fd4757
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e939d89ae
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=secret
+	
+conn nat-t
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=%any
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets
index 5f2955503..5f2955503 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..924fd4757
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..089e91ed7
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	authby=secret
+		
+conn nat-t
+	left=%defaultroute
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets
index 9cd66b1df..9cd66b1df 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..924fd4757
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat
new file mode 100644
index 000000000..c5d091f32
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat
@@ -0,0 +1,16 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
+alice::sleep 2 
+alice::ipsec up nat-t
+venus::sleep 2 
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw-psk/test.conf b/testing/tests/ikev2/nat-rw-psk/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt
index dcf4b94bd..dcf4b94bd 100644
--- a/testing/tests/ikev2/nat-two-rw/description.txt
+++ b/testing/tests/ikev2/nat-rw/description.txt
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
new file mode 100644
index 000000000..387dbae23
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..3e85551c9
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn nat-t
+	left=%any
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..06105ade0
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=%any
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..57364be7f
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%any
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
new file mode 100644
index 000000000..f58e82adc
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -0,0 +1,14 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::conntrack -F
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up nat-t
+venus::sleep 2 
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw/test.conf b/testing/tests/ikev2/nat-rw/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw-mark/description.txt b/testing/tests/ikev2/nat-two-rw-mark/description.txt
deleted file mode 100644
index 2a93d11d8..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark</b> parameter in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts 
-iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules 
-that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> 
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
deleted file mode 100644
index 74ba178d9..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
-sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 0f7c23845..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-		
-conn nat-t
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index ae4644c4b..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-	charondebug="knl 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn alice 
-	rightid=alice@strongswan.org
-	mark=10/0xffffffff
-	also=sun
-	auto=add
-
-conn venus
-	rightid=@venus.strongswan.org
-	mark=20  #0xffffffff is used by default
-	also=sun
-	auto=add
-
-conn sun
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	leftupdown=/etc/mark_updown
-	right=%any
-	rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
deleted file mode 100755
index 0d22e684d..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
+++ /dev/null
@@ -1,527 +0,0 @@
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-# CAUTION:  Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make.  If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#      PLUTO_VERSION
-#              indicates  what  version of this interface is being
-#              used.  This document describes version  1.1.   This
-#              is upwardly compatible with version 1.0.
-#
-#       PLUTO_VERB
-#              specifies the name of the operation to be performed
-#              (prepare-host, prepare-client, up-host, up-client,
-#              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica-
-#              tions is IPv6, then a suffix of -v6 is added to the
-#              verb.
-#
-#       PLUTO_CONNECTION
-#              is the name of the  connection  for  which  we  are
-#              routing.
-#
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
-#       PLUTO_INTERFACE
-#              is the name of the ipsec interface to be used.
-#
-#       PLUTO_REQID
-#              is the requid of the ESP policy
-#
-#       PLUTO_ME
-#              is the IP address of our host.
-#
-#       PLUTO_MY_ID
-#              is the ID of our host.
-#
-#       PLUTO_MY_CLIENT
-#              is the IP address / count of our client subnet.  If
-#              the  client  is  just  the  host,  this will be the
-#              host's own IP address / max (where max  is  32  for
-#              IPv4 and 128 for IPv6).
-#
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
-#       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
-#
-#       PLUTO_MY_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_MY_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
-#
-#       PLUTO_PEER
-#              is the IP address of our peer.
-#
-#       PLUTO_PEER_ID
-#              is the ID of our peer.
-#
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
-#       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub-
-#              net.   If the client is just the peer, this will be
-#              the peer's own IP address / max (where  max  is  32
-#              for IPv4 and 128 for IPv6).
-#
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
-#       PLUTO_PEER_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_PEER_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
-#
-#       PLUTO_XAUTH_ID
-#              is an optional user ID employed by the XAUTH protocol
-#
-#       PLUTO_MARK_IN
-#              is an optional XFRM mark set on the inbound IPsec SA
-#
-#       PLUTO_MARK_OUT
-#              is an optional XFRM mark set on the outbound IPsec SA
-#
-#       PLUTO_UDP_ENC
-#              contains the remote UDP port in the case of ESP_IN_UDP
-#              encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice                   -/var/log/vpn
-
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
-	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
-	echo "$0: 	called by obsolete Pluto?" >&2
-	exit 2
-	;;
-1.*)	;;
-*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
-	exit 2
-	;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':')			# no parameters
-	;;
-iptables:iptables)	# due to (left/right)firewall; for default script only
-	;;
-custom:*)		# custom parameters (see above CAUTION comment)
-	;;
-*)	echo "$0: unknown parameters \`$*'" >&2
-	exit 2
-	;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	KLIPS=1
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	KLIPS=
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
-	if [ -n "$PLUTO_UDP_ENC" ]
-	then
-	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
-	else
-		SET_MARK="-p esp"
-	fi
-	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
-up-host:)
-	# connection to me coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi
-	;;
-down-host:)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	fi
-	#
-	# a virtual IP requires an INPUT and OUTPUT rule on the host
-	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
-	fi
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	fi
-	#
-	# a virtual IP requires an INPUT and OUTPUT rule on the host
-	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
-	fi
-	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-	exit 1
-	;;
-esac
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index c82c3e978..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn nat-t
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
deleted file mode 100644
index 89d5f534b..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
-sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
deleted file mode 100644
index 105968f45..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2 
-alice::ipsec up nat-t
-venus::sleep 2 
-venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-two-rw-mark/test.conf b/testing/tests/ikev2/nat-two-rw-mark/test.conf
deleted file mode 100644
index ae3c190b8..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw-psk/description.txt b/testing/tests/ikev2/nat-two-rw-psk/description.txt
deleted file mode 100644
index c74897d9a..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
-ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat
deleted file mode 100644
index 2cab168f0..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
-sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index e0ccbb812..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=secret
-		
-conn nat-t
-	left=%defaultroute
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 882ea04a5..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index d6b5d4d6f..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=secret
-	
-conn nat-t
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftfirewall=yes
-	right=%any
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 882ea04a5..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index e0ccbb812..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	authby=secret
-		
-conn nat-t
-	left=%defaultroute
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 882ea04a5..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/posttest.dat b/testing/tests/ikev2/nat-two-rw-psk/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw-psk/pretest.dat b/testing/tests/ikev2/nat-two-rw-psk/pretest.dat
deleted file mode 100644
index 5e23259bb..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/pretest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::rm /etc/ipsec.d/cacerts/*
-venus::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2 
-alice::ipsec up nat-t
-venus::sleep 2 
-venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-two-rw-psk/test.conf b/testing/tests/ikev2/nat-two-rw-psk/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw/evaltest.dat b/testing/tests/ikev2/nat-two-rw/evaltest.dat
deleted file mode 100644
index bd0a4b52b..000000000
--- a/testing/tests/ikev2/nat-two-rw/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec status::alice@strongswan.org::YES
-sun::ipsec status::venus.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 3da2fcf86..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-		
-conn nat-t
-	left=%defaultroute
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index d8b426318..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-
-conn net-net
-	leftsubnet=10.2.0.0/16
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn host-host
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn nat-t
-	leftsubnet=10.2.0.0/16
-	right=%any
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index 3a70b3434..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn nat-t
-	left=%defaultroute
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw/posttest.dat b/testing/tests/ikev2/nat-two-rw/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev2/nat-two-rw/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw/pretest.dat b/testing/tests/ikev2/nat-two-rw/pretest.dat
deleted file mode 100644
index e365ff5c5..000000000
--- a/testing/tests/ikev2/nat-two-rw/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2 
-alice::ipsec up nat-t
-venus::sleep 2 
-venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-two-rw/test.conf b/testing/tests/ikev2/nat-two-rw/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev2/nat-two-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
index 75d5ffbd3..c60ffc772 100644
--- a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
index e43e0d785..46fc364dd 100755..100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
index cb3d46293..8e685c862 100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
index 9cede8d56..1d7ba47ee 100755..100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
index cb3d46293..8e685c862 100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
index ee30e2c59..11bd19da7 100644
--- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index abbca90d7..eb0c28c7f 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/nat-virtual-ip/test.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat
index e67c39a08..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
index 562f26826..2d31a19d2 100755..100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index cb17a9e07..94e0b2a62 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index cb17a9e07..94e0b2a62 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-cert/test.conf
+++ b/testing/tests/ikev2/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt
new file mode 100644
index 000000000..9893359c0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
new file mode 100644
index 000000000..389cac7f3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES
+sun::  cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..ea10eb0a3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	
+conn net-net
+	left=PH_IP_MOON
+	leftid=moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftsigkey=moonPub.der
+	leftauth=pubkey
+	leftfirewall=yes
+	right=sun.strongswan.org
+	rightid=sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..71571044c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..44a54a9dd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
+
+libstrongswan {
+  plugins {
+    unbound {
+      # trust_anchors = /etc/ipsec.d/dnssec.keys
+      # resolv_conf = /etc/resolv.conf
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..9e310050d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+	
+conn net-net
+	left=PH_IP_SUN
+	leftid=sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftsigkey=sunPub.der
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der
new file mode 100644
index 000000000..cc99934db
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..44a54a9dd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
+
+libstrongswan {
+  plugins {
+    unbound {
+      # trust_anchors = /etc/ipsec.d/dnssec.keys
+      # resolv_conf = /etc/resolv.conf
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat
new file mode 100644
index 000000000..c594c4dc8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/resolv.conf
+sun::rm /etc/resolv.conf
+moon::rm /etc/ipsec.d/dnssec.keys
+sun::rm /etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat
new file mode 100644
index 000000000..0f4ae0f4f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-esn/evaltest.dat b/testing/tests/ikev2/net2net-esn/evaltest.dat
index 928783c87..63058eb88 100644
--- a/testing/tests/ikev2/net2net-esn/evaltest.dat
+++ b/testing/tests/ikev2/net2net-esn/evaltest.dat
@@ -1,14 +1,16 @@
-sun::cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES
-sun::cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
-sun::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
-moon::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
+sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
+moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
+moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
 alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES
-sun::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
 
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
index 98f4864d3..3418e63c4 100755..100644
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2, knl 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
index 26fde389e..f0b6c906f 100755..100644
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2, knl 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-esn/posttest.dat
+++ b/testing/tests/ikev2/net2net-esn/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-esn/test.conf
+++ b/testing/tests/ikev2/net2net-esn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
index 1a3759e34..460c659d9 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index 405cd06bf..7601113ab 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index 4460106de..641c3d929 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
 sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2/net2net-pgp-v3/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
index 1a3759e34..f74eb6a19 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
index d059cb1da..06a26b64b 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
index 198f2a8a8..cff03c4c6 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
 sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2/net2net-pgp-v4/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pkcs12/description.txt b/testing/tests/ikev2/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..e66ea1918
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..2b37cad99
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0296e1804
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
new file mode 100644
index 000000000..d3cca4fd5
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..802cfc681
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4628e70ce
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6dcedd0e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
new file mode 100644
index 000000000..1a9e2aa01
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..3dc85528c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
+
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..4628e70ce
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-pkcs12/posttest.dat b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..0fbba487c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/private/moonCert.p12
+sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..3492238f0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.d/private/moonKey.pem
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+sun::rm /etc/ipsec.d/private/sunKey.pem
+sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pkcs12/test.conf b/testing/tests/ikev2/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
index 5881d9246..113c3d9c0 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
@@ -1,8 +1,8 @@
-moon::ipsec statusall::dscp-be.*ESTABLISHED::YES
-moon::ipsec statusall::dscp-ef.*ESTABLISHED::YES
-sun::ipsec statusall::dscp-be.*ESTABLISHED::YES
-sun::ipsec statusall::dscp-ef.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*moon-be.*sun-be::YES
+moon:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*moon-ef.*sun-ef::YES
+sun::  ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*sun-be.*moon-be::YES
+sun::  ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*sun-ef.*moon-ef::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
index d78d27c1a..aeaebe1f4 100755..100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="knl 2"
 
 conn %default
@@ -15,15 +12,15 @@ conn %default
 	mobike=no
 
 conn dscp-be
-	leftid=@sun-be
-	rightid=@moon-be
+	leftid=@moon-be
+	rightid=@sun-be
 	mark=10
 	also=net-net
 	auto=add
 
 conn dscp-ef
-	leftid=@sun-ef
-	rightid=@moon-ef
+	leftid=@moon-ef
+	rightid=@sun-ef
 	mark=20
 	also=net-net
 	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
index 5e8f49b17..54cdfd9bc 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
index 9d2ef7471..8b54476fd 100755..100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="knl 2"
 
 conn %default
@@ -15,15 +12,15 @@ conn %default
 	mobike=no
 
 conn dscp-be
-	leftid=@moon-be
-	rightid=@sun-be
+	leftid=@sun-be
+	rightid=@moon-be
 	mark=10
 	also=net-net
 	auto=add
 
 conn dscp-ef
-	leftid=@moon-ef
-	rightid=@sun-ef
+	leftid=@sun-ef
+	rightid=@moon-ef
 	mark=20
 	also=net-net
 	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
index 5e8f49b17..54cdfd9bc 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
index d070c1443..21a22bfb8 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 alice::iptables -t mangle -F OUTPUT
 venus::iptables -t mangle -F OUTPUT
 bob::iptables -t mangle -F OUTPUT
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
index 058c24f8f..0495890dd 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -1,7 +1,7 @@
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
 venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
 moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/test.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-fail/description.txt b/testing/tests/ikev2/net2net-psk-fail/description.txt
new file mode 100644
index 000000000..d41b2c954
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/description.txt
@@ -0,0 +1,4 @@
+A connection between the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b>
+uses a wrong PSK. Therefore the connection setup is aborted by gateway <b>sun</b>
+by sending an <b>AUTHENTICATION_FAILED</b> notify error.
diff --git a/testing/tests/ikev2/net2net-psk-fail/evaltest.dat b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
new file mode 100644
index 000000000..3f5092893
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
@@ -0,0 +1,6 @@
+sun:: cat /var/log/daemon.log::tried 1 shared key for.*sun.strongswan.org.*moon.strongswan.org.*but MAC mismatched::YES
+moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f495194a7
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..38ebf966c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,4 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
+
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5db4358d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..26f16ac6e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..be95c4d99
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5db4358d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/posttest.dat b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
new file mode 100644
index 000000000..cb9282595
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-psk-fail/test.conf b/testing/tests/ikev2/net2net-psk-fail/test.conf
new file mode 100644
index 000000000..eb4822b5d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat
index e67c39a08..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
index 15d8ddb11..f495194a7 100755..100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
index cbdddfb18..ba909a234 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
@@ -8,5 +8,5 @@
 
 : PSK 'My "home" is my "castle"!'
 
-192.168.0.1 : PSK   "Andi's home"
+PH_IP_MOON : PSK   "Andi's home"
 
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 4e2fcf17b..5db4358d6 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
index e145d9974..26f16ac6e 100755..100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 4e2fcf17b..5db4358d6 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-psk/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
index 976a196db..cb9282595 100644
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-psk/test.conf
+++ b/testing/tests/ikev2/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
index 0ccfb7efd..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-pubkey/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status::INSTALLED, TUNNEL::YES
-sun::ipsec status::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
index 945cf3a40..bcc6d5b69 100755..100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=sunPub.der
+	rightsigkey=sunPub.der
 	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
index 0581bae5c..3cd90047f 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
index 5c07de8a2..4fe2e67de 100755..100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=sunPub.der
+	leftsigkey=sunPub.der
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=moonPub.der
+	rightsigkey=moonPub.der
 	auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
index 0581bae5c..3cd90047f 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat
index 65b18b7ca..675b02976 100644
--- a/testing/tests/ikev2/net2net-pubkey/posttest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/moonKey.der
 sun::rm /etc/ipsec.d/private/sunKey.der
 moon::rm /etc/ipsec.d/certs/*.der
diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pubkey/pretest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pubkey/test.conf
+++ b/testing/tests/ikev2/net2net-pubkey/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
index 149cf727a..e8e1a46e4 100644
--- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
@@ -1,15 +1,15 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
-moon::cat /var/log/daemon.log::subject address block 192.168.0.2/32 is contained in issuer address block 192.168.0.0/24::YES 
-moon::cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-moon::cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-sun::cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
-sun::cat /var/log/daemon.log::subject address block 192.168.0.1/32 is contained in issuer address block 192.168.0.0/24::YES 
-sun::cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-sun::cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-moon::cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
-sun::cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
+moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+sun::  cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+sun::  cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
+sun::  cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+sun::  cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
+sun::  cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
index ce59d849c..9ba918893 100755..100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
index 025e1c222..f1e81ea2f 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
index afc2e399e..d41e43a5c 100755..100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
index 025e1c222..f1e81ea2f 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
index 545a3690e..9fe2860b9 100644
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/test.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat
index a89e5a298..77ab6e7c6 100644
--- a/testing/tests/ikev2/net2net-route/evaltest.dat
+++ b/testing/tests/ikev2/net2net-route/evaltest.dat
@@ -1,6 +1,8 @@
-moon::cat /var/log/daemon.log::creating acquire job::YES
-moon::ipsec statusall::net-net.*INSTALLED::YES
-sun::ipsec statusall::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
index 8a2f8b77c..c374cd6b4 100755..100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-route/test.conf
+++ b/testing/tests/ikev2/net2net-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2/net2net-rsa/evaltest.dat
index 0ccfb7efd..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-rsa/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rsa/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status::INSTALLED, TUNNEL::YES
-sun::ipsec status::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
index 61b9b710a..c0ee06240 100755..100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	leftsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	rightsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
index 3bc16ccda..e1efec866 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
index 24e20dc25..b089e9f48 100755..100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	leftsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	rightsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
index 3bc16ccda..e1efec866 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2/net2net-rsa/posttest.dat
index a199946aa..f7fe7dc48 100644
--- a/testing/tests/ikev2/net2net-rsa/posttest.dat
+++ b/testing/tests/ikev2/net2net-rsa/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/moonKey.der
 sun::rm /etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2/net2net-rsa/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-rsa/test.conf
+++ b/testing/tests/ikev2/net2net-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
index bf99bb278..3b479cefa 100644
--- a/testing/tests/ikev2/net2net-same-nets/evaltest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -1,7 +1,9 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
-bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_req=1::YES
+bob::  ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
index 8f43a4f6e..077a3ed08 100755..100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
index 33e1e6656..af85e186a 100755..100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index c64158a2f..bdba3fb05 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # check parameter(s)
@@ -196,8 +206,8 @@ up-client:)
 	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
 	             -d $OUT_NET -j NETMAP --to $SAME_NET
 	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
-            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-                     -s $SAME_NET -j NETMAP --to $IN_NET
+	    iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -s $SAME_NET -j NETMAP --to $IN_NET
 	fi
 	;;
 down-client:)
@@ -215,7 +225,11 @@ down-client:)
 	if [ -n "$PLUTO_MARK_OUT" ]
 	then
 	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
+	    iptables -t nat -D PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -d $OUT_NET -j NETMAP --to $SAME_NET
 	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+	    iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -s $SAME_NET -j NETMAP --to $IN_NET
 	fi
 	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
index e75e66650..b0225c37e 100644
--- a/testing/tests/ikev2/net2net-same-nets/posttest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -2,6 +2,6 @@ sun::iptables -t mangle -n -v -L PREROUTING
 sun::iptables -t nat -n -v -L
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::conntrack -F
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-same-nets/pretest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/net2net-same-nets/test.conf
+++ b/testing/tests/ikev2/net2net-same-nets/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat
index 244dec5bf..f003f822f 100644
--- a/testing/tests/ikev2/net2net-start/evaltest.dat
+++ b/testing/tests/ikev2/net2net-start/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*INSTALLED::YES
-sun::ipsec statusall::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
index 1cc812864..fa611ff09 100755..100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 6e41d5245..9d23c553e 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 sun::sleep 2
 moon::ipsec start
-alice::sleep 3 
+moon::sleep 3 
diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-start/test.conf
+++ b/testing/tests/ikev2/net2net-start/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
index c08a17943..e931afb7e 100644
--- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -1,12 +1,12 @@
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
-carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
 carol::cat /var/log/daemon.log::requesting ocsp status from::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
index e2602f08a..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
index 119d14a42..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index dda793f44..4e2cc2860 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-		      -resp_no_certs -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+	-resp_no_certs -nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-local-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index 768de938b..c41a668f0 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,10 +1,10 @@
-moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES
-carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES
+carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-dave::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::ESTABLISHED.*carol::YES
-moon::ipsec status::ESTABLISHED.*dave::YES
-carol::ipsec status::ESTABLISHED::YES
-dave::ipsec status::ESTABLISHED::YES
+dave:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*CN=carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*CN=dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::ESTABLISHED.*CN=carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::ESTABLISHED.*CN=dave@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
index 259997f5c..4d3aa1cc6 100755..100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
index 0763d1734..756d6ec51 100755..100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
index b0e8336e6..630117af9 100755..100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/test.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index a0a045ce8..a2ce5ad93 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::ocsp response verification failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status::home.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
index ba9779cb5..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
index b79c056ab..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 74d22b90d..429061376 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey winnetouKey.pem -rsigner winnetouCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey winnetouKey.pem -rsigner winnetouCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
index 2c3196103..97006c93e 100644
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -1,8 +1,8 @@
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::certificate was revoked on::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::certificate was revoked on::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 0d7cf5928..94eb58621 100755..100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 119d14a42..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-revoked/test.conf
+++ b/testing/tests/ikev2/ocsp-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
index 5bb322acc..0f852d7b1 100644
--- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
@@ -1,10 +1,10 @@
-moon::cat /var/log/daemon.log::requesting ocsp status::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::requesting ocsp status::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
index e2602f08a..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
index 119d14a42..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index e998b6ad0..59c356302 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey strongswanKey.pem -rsigner strongswanCert.pem \
-		      -resp_no_certs -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey strongswanKey.pem -rsigner strongswanCert.pem \
+	-resp_no_certs -nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-root-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
index f8bf0326a..7c7813cff 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
@@ -1,12 +1,12 @@
-carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::requesting ocsp status::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::ipsec listcainfos 2> /dev/null::ocspuris.*http://ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::requesting ocsp status::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
index 4011a6c17..a1bc9b014 100755..100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
index ce653cf08..2cec8851c 100755..100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	keyexchange=ikev2
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 2e0f059c6..c31e05ef5 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,8 +1,8 @@
-moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon::cat /var/log/daemon.log::libcurl http request failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
-moon::ipsec status::ESTABLISHED.*carol::YES
-moon::ipsec status::ESTABLISHED.*dave::NO
-carol::ipsec status::ESTABLISHED::YES
-dave::ipsec status::ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
index bce685c53..27af8e7a8 100755..100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=ifuri
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
index 1ab63e84b..aa07085f4 100755..100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=ifuri
-	plutostart=no
 	
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
index 401e9b567..02db316d7 100755..100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=ifuri
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index 777c32699..f50d5e88c 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -1,13 +1,12 @@
-moon::cat /var/log/daemon.log::libcurl http request failed::YES
-moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
-moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::libcurl http request failed::YES
 carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES
 carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
index ff312cc6b..816db6e1e 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
index 394d94160..f307c12d0 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 92aa920aa..aa70321d5 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -6,9 +6,9 @@ echo "Content-type: application/ocsp-response"
 echo ""
 
 # simulate a delayed response
-sleep 5 
+sleep 5
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index 1b281507b..7c0a9a5a4 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/daemon.log::libcurl http request failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed::YES
+moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
index ef24ea191..459da1467 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
index fe657b4a6..a464f017a 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 45c6ce7c5..6ba1be6b1 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
-moon::cat /var/log/daemon.log::ocsp response verification failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
index ba9779cb5..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
index b79c056ab..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 20c4b2a22..72aa7a6c4 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat
index bd24b911c..cf45f3b52 100644
--- a/testing/tests/ikev2/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev2/protoport-dual/evaltest.dat
@@ -1,9 +1,9 @@
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
index 51971a13c..e15382bad 100755..100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-dual/posttest.dat
+++ b/testing/tests/ikev2/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-dual/test.conf
+++ b/testing/tests/ikev2/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2/protoport-route/evaltest.dat
index 78d062918..75c547995 100644
--- a/testing/tests/ikev2/protoport-route/evaltest.dat
+++ b/testing/tests/ikev2/protoport-route/evaltest.dat
@@ -1,10 +1,10 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
 carol::cat /var/log/daemon.log::creating acquire job::YES
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
index d76a6ee17..f4d112daf 100755..100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-route/posttest.dat
+++ b/testing/tests/ikev2/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/ikev2/protoport-route/pretest.dat
+++ b/testing/tests/ikev2/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-route/test.conf
+++ b/testing/tests/ikev2/protoport-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2/reauth-early/evaltest.dat
index b4cbe2f41..dbc6f8d97 100644
--- a/testing/tests/ikev2/reauth-early/evaltest.dat
+++ b/testing/tests/ikev2/reauth-early/evaltest.dat
@@ -1,6 +1,6 @@
-moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES
-carol::ipsec statusall::home\[2\].*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 25s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf
index 311dc3dc5..2277bcd59 100755..100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf
index 64a7aef6d..fb09e74b3 100755..100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=30s
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-early/posttest.dat
+++ b/testing/tests/ikev2/reauth-early/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-early/pretest.dat
+++ b/testing/tests/ikev2/reauth-early/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-early/test.conf b/testing/tests/ikev2/reauth-early/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-early/test.conf
+++ b/testing/tests/ikev2/reauth-early/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat
index c0893df65..205a4d9e7 100644
--- a/testing/tests/ikev2/reauth-late/evaltest.dat
+++ b/testing/tests/ikev2/reauth-late/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES
-carol::ipsec statusall::home\[2\].*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
 carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf
index 32a43efac..9de0dda86 100755..100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=30s
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
index cb5e86a66..225e2aab1 100755..100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=3601
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-late/posttest.dat
+++ b/testing/tests/ikev2/reauth-late/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-late/pretest.dat
+++ b/testing/tests/ikev2/reauth-late/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-late/test.conf b/testing/tests/ikev2/reauth-late/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-late/test.conf
+++ b/testing/tests/ikev2/reauth-late/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat
index 06a0f8cda..ba661975b 100644
--- a/testing/tests/ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/ikev2/rw-cert/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index bcdb8641b..dd2ceea60 100755..100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,15 +1,13 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_CAROL
@@ -19,5 +17,4 @@ conn home
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index e070f9a27..102801a92 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index ea8bc92a7..4c6e11f16 100755..100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,15 +1,13 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_DAVE
@@ -19,5 +17,4 @@ conn home
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index e070f9a27..102801a92 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 274521386..e67d9af9b 100755..100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,15 +1,13 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn rw
 	left=PH_IP_MOON
@@ -18,5 +16,4 @@ conn rw
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index e070f9a27..102801a92 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-cert/posttest.dat
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-cert/test.conf
+++ b/testing/tests/ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt
new file mode 100644
index 000000000..0135f078c
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+</p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat
new file mode 100644
index 000000000..49183fb42
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat
@@ -0,0 +1,24 @@
+carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..082b18a7f
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftsourceip=%config
+	leftid=carol.strongswan.org
+	leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..825af9dd0
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..a68f981d1
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftsourceip=%config
+	leftid=dave.strongswan.org
+	leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..825af9dd0
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..74ddc6e01
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default 
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw 
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=moon.strongswan.org
+	leftauth=pubkey
+	leftsigkey=moonPub.der
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightsourceip=10.3.0.0/24
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..71571044c
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..644ac3d6a
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat
new file mode 100644
index 000000000..3d55e09f9
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon:rm /etc/resolv.conf
+carol:rm /etc/resolv.conf
+dave:rm /etc/resolv.conf
+moon:rm /etc/ipsec.d/dnssec.key
+carol:rm /etc/ipsec.d/dnssec.key
+dave:rm /etc/ipse.cd/dnssec.key
diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat
new file mode 100644
index 000000000..40eaede87
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index 661e6cfe7..d59eef513 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,11 +1,13 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
index 22bba57a7..f1f761186 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
index ccf446f79..2f8bf5d9e 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
index 16171feb3..12431486c 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
index ccf446f79..2f8bf5d9e 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 3064f02a6..0ea4e21ab 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap-aka.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index d8c77f5b1..69f9845af 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index 3a1fd98d3..cd2e42d9f 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index d8c77f5b1..69f9845af 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/description.txt b/testing/tests/ikev2/rw-eap-dynamic/description.txt
new file mode 100644
index 000000000..2bd9aaaac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/description.txt
@@ -0,0 +1,5 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+<b>carol</b> uses the default <i>EAP-MD5</i> password-based client authentication
+method as proposed by EAP server <b>moon</b> whereas <b>dave</b> requests an <i>EAP-TLS</i>
+certificate-based client authentication by sending this proposal in an <i>EAP-NAK</i> message
+back to the EAP server.
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
new file mode 100644
index 000000000..6a20b8e8c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -0,0 +1,23 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..b8b628758
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap-md5
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0fd7117dd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..981dee3cd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=eap-tls
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..0979b9afd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem 
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5f9eedba1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..191989e7b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightauth=eap-dynamic
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..c991683b8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a0682268d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-dynamic updown
+
+  plugins {
+    eap-dynamic {
+      prefer_user = yes
+      preferred = md5, tls
+    }
+  }  
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
new file mode 100644
index 000000000..17f1b5f2b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-dynamic/test.conf b/testing/tests/ikev2/rw-eap-dynamic/test.conf
new file mode 100644
index 000000000..a5525e6aa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice  moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
new file mode 100644
index 000000000..46ffc0611
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. At the outset the gateway authenticates itself to the client by
+sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
+against the gateway <b>moon</b>.
+<p/>
+The roadwarriors <b>carol</b> and <b>dave</b> request a virtual IP which is
+assigned by the RADIUS server <b>alice</b> using the <b>Framed-IP-Address</b>
+RADIUS attribute.
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
new file mode 100644
index 000000000..1460ec8f9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..ba92f0080
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Framed-IP-Address = 10.3.0.1
+dave	Cleartext-Password := "W7R0g3do"
+		Framed-IP-Address = 10.3.0.2
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..ed908db4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	leftsourceip=%config
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..97aa8bbff
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	leftsourceip=%config
+	eap_identity=dave
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..a3299393a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	rightsendcert=never
+	rightauth=eap-radius
+	rightsourceip=%radius
+	eap_identity=%any
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4297a3056
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  plugins {
+    eap-radius {
+      class_group = yes
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
new file mode 100644
index 000000000..670d2e72f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
new file mode 100644
index 000000000..698a719f7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home 
+dave::ipsec up home 
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
new file mode 100644
index 000000000..5dfb41723
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
new file mode 100644
index 000000000..6860700db
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. At the outset the gateway authenticates itself to the client by
+sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
+against the gateway <b>moon</b>. The user credentials of <b>carol</b>
+and <b>dave</b> are kept both on the local clients and the RADIUS server <b>alice</b>.
+<b>carol</b> possesses the RADIUS class attribute <b>Research</b> and therefore obtains
+access to the <b>research</b> subnet behind gateway <b>moon</b> whereas <b>dave</b>
+belongs to the class <b>Accounting</b> and has access to the <b>acccess</b> subnet.
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
new file mode 100644
index 000000000..aa6d4291b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..62d459115
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Class = "Research"
+dave	Cleartext-Password := "W7R0g3do"
+		Class = "Accounting"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..53e2be638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	rightsubnet=10.1.0.10/32
+	also=home
+	auto=add
+
+conn venus
+	rightsubnet=10.1.0.20/32
+	also=home
+	auto=add
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9428f323a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	rightsubnet=10.1.0.10/32
+	also=home
+	auto=add
+
+conn venus
+	rightsubnet=10.1.0.20/32
+	also=home
+	auto=add
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	eap_identity=dave
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9dcbcca75
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn research
+	rightgroups=Research
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn accounting
+	rightgroups=Accounting
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightsendcert=never
+	rightauth=eap-radius
+	eap_identity=%any
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4297a3056
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  plugins {
+    eap-radius {
+      class_group = yes
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
new file mode 100644
index 000000000..670d2e72f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
new file mode 100644
index 000000000..a2704e833
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
new file mode 100644
index 000000000..5dfb41723
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index 3f828141c..42d2c319e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -2,11 +2,13 @@ carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
 carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
index 7859ee9cc..176c1af2e 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
index c132b9ab8..ea4185355 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
index 9c301f484..180537f5f 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 2ee440cdb..8f813395a 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,11 +1,13 @@
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
-moon::cat /var/log/daemon.log::received EAP identity .*carol::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 2de32a6f2..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 5f779d1af..881971e80 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
index 11ff84400..8ce1721f5 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
index 2a18af887..aba7eefdf 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index 5e8dce9cf..a8019b3e7 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,11 +1,11 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
index 57bd6cceb..0fd7117dd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
index 4a885babc..efdf6f7ed 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
index f21745bcd..f634316f8 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index fadcdc635..84f41fd93 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,9 +1,11 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index 57bd6cceb..0fd7117dd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
index 28d52b9eb..5d799a870 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index 57bd6cceb..0fd7117dd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index 5b632bfe8..010f48315 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,11 +1,13 @@
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
index c1497ca0e..59a0d66c3 100755..100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
index fd717317c..66dee832b 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
index a4a45f06c..086a734e3 100755..100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
index fd717317c..66dee832b 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
index 0908e1c97..4ed5257b1 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@@ -3,17 +3,21 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO 
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
index 2f8b9dfda..dd1b89302 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
index fd5d3f5f4..e9958df28 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
index 3a29329d5..a46071a3a 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
index fd5d3f5f4..e9958df28 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
index 129486c05..d12eafbb2 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
index f5024111c..5f00ef57f 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
   plugins {
     eap-peap {
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
index 8743b9643..fc75e1c9a 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
index 2f8b9dfda..dd1b89302 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
index 2cbfb2484..613ceee06 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
index 3a29329d5..a46071a3a 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
index 2cbfb2484..613ceee06 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
index 129486c05..d12eafbb2 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
index 19d12447f..58e8df0da 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
   plugins {
     eap-peap {
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 39a24f15e..95c29b7f5 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -3,19 +3,17 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..11d3e2acd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,18 @@
+eap {
+  md5 {
+  }
+  default_eap_type = peap
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  peap {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index df50901d5..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-eap {
-  md5 {
-  }
-  default_eap_type = peap 
-  tls {
-    private_key_file = /etc/raddb/certs/aaaKey.pem
-    certificate_file = /etc/raddb/certs/aaaCert.pem
-    CA_file = /etc/raddb/certs/strongswanCert.pem
-    cipher_list = "DEFAULT"
-    dh_file = /etc/raddb/certs/dh
-    random_file = /etc/raddb/certs/random
-  }
-  peap {
-    default_eap_type = md5
-    use_tunneled_reply = yes
-    virtual_server = "inner-tunnel"
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
index b2eef5785..944546ff8 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
index 2c06d26a6..0e20d1c68 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
index 3c8ea5c58..b1a22e78a 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
index 2c06d26a6..0e20d1c68 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
index fc8f84638..98e2525ba 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
index 4d2d3058d..38d78e7a0 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index 4305a1400..f1a68bc19 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,12 +1,12 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..893529324
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  sim_files
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
index c167ba940..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 92896b11e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
-  sim_files
-  eap {
-    ok = return
-  }
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
index d3a99fe41..97ce965a0 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	leftauth=eap
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 7b4ab49e4..8e872ddae 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
index a86bb3d73..8216627ba 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index 2a18af887..aba7eefdf 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 0da980c07..b9117af36 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index 852d424af..f434ddfc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -1,15 +1,15 @@
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..fbdf75f4c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..3e9a644eb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,6 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
+dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 126d61d05..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  sim_files
-  suffix
-  eap {
-    ok = return
-  }
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
deleted file mode 100644
index fd0eb19b9..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
-carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
-carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
index 11b9f0d71..0e6090c40 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,5 +16,6 @@ conn home
 	leftauth=eap
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
index dca65c09f..0507a6b6c 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
index e3f4694bd..b80a47bf1 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index f21745bcd..f634316f8 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 5a51733dc..0b3e901c2 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index b4d66adc6..21cfe429a 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,15 +1,15 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..91425f812
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,61 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..3e9a644eb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,6 @@
+carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
+carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
+carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
+dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
+dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
+dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index dfceb037d..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,62 +0,0 @@
-authorize {
-  preprocess
-  chap
-  mschap
-  sim_files
-  suffix
-  eap {
-    ok = return
-  }
-  unix
-  files
-  expiration
-  logintime
-  pap
-}
-
-authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
deleted file mode 100644
index fd0eb19b9..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
-carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
-carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
-dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
-dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
-dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
index 4f0d40b3e..951008d2b 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -9,13 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
index 511eb6172..a9d04ebfa 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -9,13 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_DAVE
 	leftid=dave@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
index 825994278..a246bd172 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +11,14 @@ conn %default
 
 conn rw-eap
 	authby=rsasig
-	eap=radius
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
+	leftauth=pubkey
 	leftcert=moonCert.pem
 	leftfirewall=yes
 	rightid=*@strongswan.org
+	rightauth=eap-radius
 	rightsendcert=never
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
index f21745bcd..f634316f8 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index b3fd4cbf1..c17bec0f7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index 53c7e71ce..ab27b4510 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,10 +1,10 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap-sim.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index 0add0f360..8caa11c97 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
index ea62749be..ab49aa0f3 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 527cb2b37..6c8911e5a 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
index 23c7a62b2..ae464b51c 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::cat /etc/ipsec.d/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
index f4d534051..314769b3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
index 889a47d80..b7b27b720 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
index dc0bcdff5..535b37210 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
index 9f979e17b..ee4bfd27d 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
index dc0bcdff5..535b37210 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
index 085b19509..e8156ea70 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/cacerts/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
index 35d35dc86..3d680ab78 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -1,7 +1,7 @@
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
index 1e9bdb2af..a436131bf 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
index 3aeab002f..4272d98be 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 4e47e632c..2eb2adc78 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
index 430211020..b9a58e902 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 4e47e632c..2eb2adc78 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index f0a674063..7584e14dc 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -1,11 +1,9 @@
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
index 92f96ad66..92f96ad66 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..18ebf9e9d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,41 @@
+authorize {
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 990184919..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,42 +0,0 @@
-authorize {
-  eap {
-    ok = return
-  }
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
index 4f4c8abcf..fc6f1e633 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index 4e47e632c..2eb2adc78 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
index be907f839..deadcff6d 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
index ab71e5908..5bf9dc03b 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
index 9586fe558..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
index 967598643..8ff3c2ab6 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
index ad1255212..367c0b527 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
index d37848bac..cd93a48e7 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
index a68a74712..9401ffb00 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
index 369596177..589d478e7 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -1,10 +1,10 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
+dave::sleep 2
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
index 9586fe558..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
@@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
index 967598643..8ff3c2ab6 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
index 378bdc540..8de5ec68f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
index ad1255212..367c0b527 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
index 378bdc540..8de5ec68f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
index d37848bac..cd93a48e7 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
index b065251ea..c730346a6 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index 2c0f65159..a471a2cfa 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -3,18 +3,18 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
index c91cd40fb..c91cd40fb 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
index 97a2e02c9..5b1ac90a3 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
index d388060be..8aa168745 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
index fc8f84638..98e2525ba 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
index ab71e5908..5bf9dc03b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
index fe2a8d063..7a9a70939 100644
--- a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
@@ -1,14 +1,18 @@
-moon::cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
-moon::cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
 carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-dave::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
index 77046eb7d..acf5789d8 100755..100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index d9349846c..b294b7c22 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
index febaf9be2..1e1439560 100755..100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index d9349846c..b294b7c22 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
index cbc60000a..cd626a720 100755..100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index d9349846c..b294b7c22 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-hash-and-url/posttest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-hash-and-url/test.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt
new file mode 100644
index 000000000..478004162
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
new file mode 100644
index 000000000..80fd7c5be
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..dd2ceea60
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc900c4f2
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..b417977c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..9251921ff
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..acc2ef758
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f31b170b
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt
index 4c35081b1..3012fc656 100644
--- a/testing/tests/ikev2/rw-mark-in-out/description.txt
+++ b/testing/tests/ikev2/rw-mark-in-out/description.txt
@@ -1,7 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
-and 10.3.0.20, respectively.
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10
+and PH_IP_DAVE10, respectively.
 <p/>
 In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
 <b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
index c248a508a..26b26204c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
@@ -1,11 +1,11 @@
-alice::ipsec statusall::home.*INSTALLED::YES
-venus::ipsec statusall::home.*INSTALLED::YES
-sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
-sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun::  ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::  ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
 moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
 moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
index dd0240b07..726aa616b 100755..100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
index 5fa211c2a..4b549cbd5 100755..100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="knl 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 0d22e684d..421335ffb 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # uncomment to log VPN connections
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
index 4af93df8d..cb9b27ed7 100755..100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
index fae79271b..283099acb 100644
--- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -2,9 +2,9 @@ sun::iptables -t mangle -v -n -L PREROUTING
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
 sun::conntrack -F
 sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
index 3d9a5f340..8e9dd2f51 100644
--- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -1,13 +1,12 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON 
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON 
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf
index ae3c190b8..105472cbe 100644
--- a/testing/tests/ikev2/rw-mark-in-out/test.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/ikev2/rw-pkcs8/evaltest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
index 3c22edc23..9802ea724 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
index ea8bc92a7..65c9819bb 100755..100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
index 3c22edc23..9802ea724 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
index 274521386..1ee751360 100755..100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
index 9333bcdf4..597aebf61 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-pkcs8/posttest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-pkcs8/test.conf
+++ b/testing/tests/ikev2/rw-pkcs8/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-fqdn/description.txt b/testing/tests/ikev2/rw-psk-fqdn/description.txt
index d4a7c3878..47f6968ae 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev2/rw-psk-fqdn/description.txt
@@ -1,6 +1,6 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and fully qualified domain names. Upon the successful establishment of the IPsec tunnels,
+and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
 let pass the tunneled traffic. In order to test both tunnel and firewall, both
 <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
index 06a0f8cda..2fbcc474f 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
@@ -1,8 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index 6c821010a..594affa28 100755..100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
index 1af9be7f7..57f7303be 100755..100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index 97edc9047..8dc61b0b3 100755..100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-ipv4/description.txt b/testing/tests/ikev2/rw-psk-ipv4/description.txt
index 4eb66c540..b4aaa6a6a 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev2/rw-psk-ipv4/description.txt
@@ -1,6 +1,6 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and IPv4 addresses. Upon the successful establishment of the IPsec tunnels,
+and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
 let pass the tunneled traffic. In order to test both tunnel and firewall, both
 <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
index 06a0f8cda..2bd97b76c 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 5990f6875..13b737a91 100755..100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
index 18a074472..57ce85d61 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
index bdd50899a..27c70c125 100755..100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
index e989540e9..111de272b 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.200  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index b99f43ef4..335977da6 100755..100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
index ab3fb129b..6706534eb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -1,5 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
 
-192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
index 150687104..5bc8dbe3f 100755..100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
index 882ea04a5..924fd4757 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
index 2397d6d6d..315634745 100755..100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
index 882ea04a5..924fd4757 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
index 97edc9047..8dc61b0b3 100755..100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
index 882ea04a5..924fd4757 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev2/rw-psk-no-idr/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/test.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index 236684c57..ab398a3bb 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -1,15 +1,14 @@
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
-moon::ipsec statusall::rw-psk.*INSTALLED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
-moon::ipsec statusall::rw-rsasig.*INSTALLED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
+moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 78c33df12..ee62325b7 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
index e533b4b4e..65c9819bb 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-        crlcheckinterval=180
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index 004993d94..c86e82b64 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
index e48d11e42..446f81426 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 0e5bd03db..1648c9557 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,11 +1,16 @@
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index da59dfdae..72e2f7d4a 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=secret
 
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%config
 	leftid=carol@strongswan.org
+	leftauth=psk
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index f09d46c5b..cd7c7ae7f 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=secret
 
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%config
 	leftid=dave@strongswan.org
+	leftauth=psk
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index fb4b9ed3a..5e743101a 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,9 +13,11 @@ conn rw
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftauth=pubkey
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
 	rightsourceip=10.3.0.0/28
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index d23d6360b..ccbc769e2 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -1,15 +1,14 @@
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
-moon::cat /var/log/daemon.log::received EAP identity .*carol::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
-carol::ipsec down home::no output expected::NO
+carol::ipsec down home 2> /dev/null::no output expected::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::User-Name =.*carol::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Output-Octets = 7100::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Input-Octets = 7100::YES
-
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 2de32a6f2..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,43 +0,0 @@
-authorize {
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
index 5f779d1af..438e1c14c 100755..100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -16,6 +15,7 @@ conn home
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
+	leftsourceip=%config,%config6
 	eap_identity=carol
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 962a418d9..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow RADIUS accounting protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
index 11ff84400..7d4f94f48 100755..100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -21,6 +19,7 @@ conn rw-eap
 	rightid=*@strongswan.org
 	rightsendcert=never
 	rightauth=eap-radius
+	rightsourceip=10.3.0.0/24,fec3::0/120
 	eap_identity=%any
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b9560a38e
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
@@ -0,0 +1,36 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+# allow RADIUS accounting protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
index 52927c1fd..3bf573f5d 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index b1f971402..98f7a6954 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,7 +1,6 @@
 carol::ipsec stop
 moon::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::cat /var/log/radius/radacct/10.1.0.1/*
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-
+alice::killall radiusd
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
+carol::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 30c8bd573..9f437fe85 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::rm /var/log/radius/radacct/10.1.0.1/*
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2/rw-radius-accounting/test.conf
index e0d77b583..6dbb1c7fd 100644
--- a/testing/tests/ikev2/rw-radius-accounting/test.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/test.conf
@@ -1,26 +1,25 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
-
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 733cfd844..9418d6ee1 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -1,14 +1,14 @@
-moon::cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
-dave::ipsec status::home.*INSTALLED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::NO
+moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
index 0b4cded6c..85c48a7bb 100755..100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
index 938b45518..984985a1a 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown
   plugins {
     whitelist {
       enable = yes
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/rw-whitelist/posttest.dat
+++ b/testing/tests/ikev2/rw-whitelist/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat
index c4ac77d77..87760775a 100644
--- a/testing/tests/ikev2/rw-whitelist/pretest.dat
+++ b/testing/tests/ikev2/rw-whitelist/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/rw-whitelist/test.conf
+++ b/testing/tests/ikev2/rw-whitelist/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat
index 2f6e1a91f..a6e40a817 100644
--- a/testing/tests/ikev2/shunt-policies/evaltest.dat
+++ b/testing/tests/ikev2/shunt-policies/evaltest.dat
@@ -1,16 +1,16 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
-bob::ssh PH_IP_VENUS hostname::venus::YES
+bob::  ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
index a4958f295..46ca4cdc3 100755..100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -21,7 +18,7 @@ conn local-net
 	auto=route
 
 conn venus-icmp
-	leftsubnet=10.1.0.20/32
+	leftsubnet=PH_IP_VENUS/32
 	rightsubnet=0.0.0.0/0
 	leftprotoport=icmp
 	rightprotoport=icmp
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
index a2e9134c0..a5cd14b30 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
   install_routes = no
 }
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
index c3b36fb7c..cd8ea23c3 100755..100644
--- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/shunt-policies/posttest.dat
+++ b/testing/tests/ikev2/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/shunt-policies/pretest.dat
+++ b/testing/tests/ikev2/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/ikev2/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/ikev2/shunt-policies/test.conf
+++ b/testing/tests/ikev2/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/ikev2/strong-keys-certs/evaltest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
index a7b55db24..732966f20 100755..100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
index 080073cd3..13636bc1e 100755..100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
index f33f26797..f36555445 100755..100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat
index 9ccbaa1c2..3fd6a690e 100644
--- a/testing/tests/ikev2/strong-keys-certs/posttest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/private/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat
index de51ccdfa..dea5fc162 100644
--- a/testing/tests/ikev2/strong-keys-certs/pretest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/strong-keys-certs/test.conf
+++ b/testing/tests/ikev2/strong-keys-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index d32e32660..2b4476afa 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,12 +1,11 @@
-moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
-moon::ipsec statusall::alice.*INSTALLED::YES
-carol::ipsec statusall::alice.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
-moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
-moon::ipsec statusall::venus.*INSTALLED::YES
-carol::ipsec statusall::venus.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index 08b95659f..9ec202e3d 100755..100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
 	uniqueids=no
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -20,11 +18,11 @@ conn %default
 
 conn alice 
 	leftcert=carolCert.pem
-	rightsubnet=10.1.0.10/32
+	rightsubnet=PH_IP_ALICE/32
 	auto=add
 
 conn venus
 	leftcert=carolCert-002.pem
-	rightsubnet=10.1.0.20/32
+	rightsubnet=PH_IP_VENUS/32
 	auto=add
 
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index a93ccbc9a..d8f1443ac 100755..100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
 	uniqueids=no
-	plutostart=no
+	strictcrlpolicy=yes
 
 ca strongswan
         cacert=strongswanCert.pem
@@ -25,10 +23,10 @@ conn %default
 	keyexchange=ikev2
 
 conn alice 
-	leftsubnet=10.1.0.10/32
+	leftsubnet=PH_IP_ALICE/32
 	auto=add
 
 conn venus 
-	leftsubnet=10.1.0.20/32
+	leftsubnet=PH_IP_VENUS/32
 	auto=add
 
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
index a1f067838..eae8c27d4 100644
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index 716cf71e8..fe2aaec19 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
index d0306cd25..3f6afa02e 100644
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/virtual-ip-override/evaltest.dat b/testing/tests/ikev2/virtual-ip-override/evaltest.dat
index 34ccb76ca..cb023b1fc 100644
--- a/testing/tests/ikev2/virtual-ip-override/evaltest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/evaltest.dat
@@ -1,13 +1,17 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-dave::ipsec statusall::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::NO
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::NO
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::src PH_IP_CAROL1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::src PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::src PH_IP_DAVE1::YES
 
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
index c9867c7d4..62c30cf28 100755..100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
index 98dd99271..fa99a4c86 100755..100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
index bafd1b155..a8cf08544 100755..100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,6 @@ conn %default
 	keyexchange=ikev2
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2/virtual-ip-override/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip-override/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip-override/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2/virtual-ip-override/test.conf
index 01c94f7fb..5139506ac 100644
--- a/testing/tests/ikev2/virtual-ip-override/test.conf
+++ b/testing/tests/ikev2/virtual-ip-override/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2/virtual-ip/evaltest.dat
index e3c3c7f3c..0f5df71d7 100644
--- a/testing/tests/ikev2/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/virtual-ip/evaltest.dat
@@ -1,21 +1,25 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-dave::ipsec statusall::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::src PH_IP_CAROL1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::src PH_IP_DAVE1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::src PH_IP_DAVE1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
index c9867c7d4..62c30cf28 100755..100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
index b58ba5460..3ecb3b830 100755..100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
index fb7abe556..42e4ff453 100755..100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2/virtual-ip/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2/virtual-ip/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/virtual-ip/test.conf
+++ b/testing/tests/ikev2/virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/wildcards/evaltest.dat b/testing/tests/ikev2/wildcards/evaltest.dat
index 2bc83eacd..4789640ec 100644
--- a/testing/tests/ikev2/wildcards/evaltest.dat
+++ b/testing/tests/ikev2/wildcards/evaltest.dat
@@ -1,8 +1,8 @@
-carol::ipsec status::alice.*PH_IP_CAROL.*PH_IP_ALICE::YES
-moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES
-carol::ipsec status::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO
-moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO
-dave::ipsec status::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES
-moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES
-dave::ipsec status::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO
-moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO
+carol::ipsec status 2> /dev/null::alice..*PH_IP_CAROL.*PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO
+moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO
+dave:: ipsec status 2> /dev/null::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES
+moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES
+dave:: ipsec status 2> /dev/null::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO
+moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
index 043160a0f..2ff604dfa 100755..100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
index a01676be3..fbdc9c6a3 100755..100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
index 0523d56dd..a8183f59e 100755..100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
index e3da87520..3c4832e5e 100644
--- a/testing/tests/ikev2/wildcards/pretest.dat
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/wildcards/test.conf
+++ b/testing/tests/ikev2/wildcards/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
index 62fc85953..186ce4e06 100644
--- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
index 9940e81a5..9e68eb674 100755..100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -26,3 +29,4 @@ conn host-host
 	right=PH_IP6_SUN
 	rightid=@sun.strongswan.org
 	auto=add
+
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f26bc4d4
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
index 016adc095..23bc5c627 100755..100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7f26bc4d4
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev1/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat
index 3536fd886..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev1/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev1/test.conf
+++ b/testing/tests/ipv6/host2host-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
index e658398db..186ce4e06 100644
--- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::host-host.*INSTALLED::YES
-sun::ipsec status::host-host.*INSTALLED::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
index 930ae5785..faee5c854 100755..100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
index d7653f1c3..f4dc393ee 100755..100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev2/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev2/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev2/test.conf
+++ b/testing/tests/ipv6/host2host-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
index 459b0a630..4cf23a31b 100644
--- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
index bb96a71e0..4821989a9 100755..100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -26,4 +29,3 @@ conn host-host
 	right=PH_IP6_SUN
 	rightid=@sun.strongswan.org
 	auto=add
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
index 016adc095..23bc5c627 100755..100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/net2net-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ikev1/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ikev1/pretest.dat
index e360bfbaa..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/pretest.dat
@@ -1,10 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ipv6/net2net-ikev1/test.conf b/testing/tests/ipv6/net2net-ikev1/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
index 1b4e7c88a..4cf23a31b 100644
--- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
index 155cf1d4c..c3dca0d7e 100755..100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
index 09abc7b02..d2673d93d 100755..100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ikev2/test.conf b/testing/tests/ipv6/net2net-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
index 077899e36..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net.net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
index 1781313cc..c43086f76 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-	plutodebug=control
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	mobike=no
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -23,6 +25,7 @@ conn host-host
 	left=PH_IP6_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP6_SUN
 	rightid=@sun.strongswan.org
 	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
index 2caf09104..8e6478c51 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-	plutodebug=control
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	mobike=no
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -23,6 +25,7 @@ conn host-host
 	left=PH_IP6_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP6_MOON
 	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..d4b9a55a4
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size=1024
+}
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
index dff181797..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
@@ -1,2 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
index a96b719bf..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
index 76c138e63..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
index c47ff8059..704737eaf 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
index c1041bd87..a880b12a1 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
index a88456d52..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 2f73ef7d8..803cf5ef5 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net.net.*STATE_QUICK_R2.*IPsec SA established::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
index 773d2ed48..93660a2d8 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -15,10 +11,10 @@ conn %default
 
 conn net-net 
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=fec1::0/16
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=fec2::0/16
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
index 1cfd1eb1f..d18c788fa 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
index bb3f4f765..30dadee78 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -15,10 +11,10 @@ conn %default
 
 conn net-net
 	left=PH_IP_SUN
-	leftnexthop=%direct
 	leftsubnet=fec2::0/16
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=fec1::0/16
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
index 1cfd1eb1f..be176e981 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
index 7a8af32bc..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
@@ -1,6 +1,10 @@
 moon::ipsec stop
 sun::ipsec stop
 alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2" 
-sun::"ip route del fec1:\:/16 via fec0:\:1" 
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
index 130058a40..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
@@ -1,11 +1,13 @@
-moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-sun::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2" 
-sun::"ip route add fec1:\:/16 via fec0:\:1" 
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 833553f27..803cf5ef5 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index d556762b7..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
index a452c7a35..f1cbd5576 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
index 393ea64f9..d18c788fa 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 21ff88d0d..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-        # allow crl fetch from winnetou
-        iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
index 448cccbb7..1f1fa6c51 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
index 014b5d935..be176e981 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
index c78d884ee..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
@@ -1,8 +1,10 @@
 moon::ipsec stop
 sun::ipsec stop
 alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2" 
-sun::"ip route del fec1:\:/16 via fec0:\:1" 
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
index 7781f9b9f..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2" 
-sun::"ip route add fec1:\:/16 via fec0:\:1" 
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
index a311992b7..3b0a3eeca 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
@@ -1,7 +1,9 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
-moon::cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
-sun::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
+sun::  cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
index 846a3f794..46b9ad415 100755..100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
index adf411da5..4a0f911a3 100755..100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/rw-ikev1/description.txt b/testing/tests/ipv6/rw-ikev1/description.txt
index 046c4b50c..17461370e 100644
--- a/testing/tests/ipv6/rw-ikev1/description.txt
+++ b/testing/tests/ipv6/rw-ikev1/description.txt
@@ -1,7 +1,7 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts
-ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both the IPv6 ESP tunnel and the firewall rules, <b>carol</b>
-sends an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPv6 ESP tunnels, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
+an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
 using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat
index 894e9118e..0e125b70e 100644
--- a/testing/tests/ipv6/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat
@@ -1,5 +1,15 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
index 363c910b0..4bcfd19dd 100755..100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn home
 	left=PH_IP6_CAROL
@@ -19,10 +22,6 @@ conn home
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP6_MOON
-	rightsubnet=fec1::/16
 	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
 	auto=add
-
-
-
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..125303638
--- /dev/null
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn home
+	left=PH_IP6_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP6_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
index 1b5a2aced..880b1b2e7 100755..100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn rw
 	left=PH_IP6_MOON
@@ -19,5 +22,5 @@ conn rw
 	leftid=@moon.strongswan.org
 	leftsubnet=fec1::/16
 	leftfirewall=yes
-	right=%any6
+	right=%any
 	auto=add
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/rw-ikev1/posttest.dat b/testing/tests/ipv6/rw-ikev1/posttest.dat
index d37b96f9c..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev1/posttest.dat
@@ -1,6 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev1/pretest.dat b/testing/tests/ipv6/rw-ikev1/pretest.dat
index 2b3bf90a7..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev1/pretest.dat
@@ -1,8 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
-carol::ipsec start
+dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-ikev1/test.conf b/testing/tests/ipv6/rw-ikev1/test.conf
index bce9814db..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-ip6.png"
+DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat
index cee1853c4..0e125b70e 100644
--- a/testing/tests/ipv6/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
index e544e948f..21166b2d0 100755..100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
index 58bc25b0b..9513be833 100755..100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
index 378e7bfd7..4bed27ec5 100755..100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/posttest.dat b/testing/tests/ipv6/rw-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-ikev2/test.conf b/testing/tests/ipv6/rw-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt
new file mode 100644
index 000000000..f9412611b
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via
+the IKEv1 mode config payload.
+<p/>
+Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
+an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
+using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
new file mode 100644
index 000000000..f6dc9aa3e
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..8aba6f0b1
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d0ff82c2d
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e77d7b608
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=fec1::/16
+	leftfirewall=yes
+	right=%any
+	rightsourceip=fec3::/120
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
new file mode 100644
index 000000000..ebe5e2a80
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
new file mode 100644
index 000000000..e73bde487
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec3:\:/16 via fec1:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
new file mode 100644
index 000000000..05bb8ab6d
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt
new file mode 100644
index 000000000..237e6fa52
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via
+the IKEv2 configuration payload.
+<p/>
+Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
+an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
+using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
new file mode 100644
index 000000000..f6dc9aa3e
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..1ca1c6c26
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..bba2d96f7
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5ea245568
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=fec1::/16
+	leftfirewall=yes
+	right=%any
+	rightsourceip=fec3::/120
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
new file mode 100644
index 000000000..ebe5e2a80
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
new file mode 100644
index 000000000..e73bde487
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec3:\:/16 via fec1:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
new file mode 100644
index 000000000..05bb8ab6d
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/description.txt b/testing/tests/ipv6/rw-psk-ikev1/description.txt
index 81072ebf6..66fc09053 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/description.txt
+++ b/testing/tests/ipv6/rw-psk-ikev1/description.txt
@@ -1,5 +1,7 @@
-The roadwarrior <b>carol</b> sets up an IPv6 tunnel connection to gateway <b>moon</b>.
-The authentication is based on <b>Preshared Keys</b> (PSK) and <b>IPv6 addresses</b> (ID_IPV6_ADDR).
-<b>firewall=yes</b> automatically inserts ip6tables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel <b>carol</b> sends an IPv6
-ICMP request to client <b>alice</b> behind the gateway <b>moon</b> using the ping6 command.
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and IPv6 addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> send an IPv6 ICMP request to client <b>alice</b>
+behind the gateway <b>moon</b> using the ping6 command.
diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
index 4046d0bbc..16982a736 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
@@ -1,5 +1,15 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
-moon::tcpdump::IP6 ip6-moon.strongswan.org  > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
index 76135d1ee..47080139f 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
-	
+
 conn home
 	left=PH_IP6_CAROL
 	leftfirewall=yes
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
index 42c84fc49..2abcb4e0a 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP6_CAROL PH_IP6_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..699d8fdb1
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..c59d32a14
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+
+conn home
+	left=PH_IP6_DAVE
+	leftfirewall=yes
+	right=PH_IP6_MOON
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..2375cd559
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_DAVE  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..699d8fdb1
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
index 69b154bcf..7d32866b5 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,10 +9,10 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
-	
+
 conn rw
 	left=PH_IP6_MOON
 	leftsubnet=fec1::/16
 	leftfirewall=yes
-	right=%any6
+	right=%any
 	auto=add
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
index ac738c1aa..88c418353 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP6_MOON %any6 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+PH_IP6_DAVE  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..699d8fdb1
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
index d37b96f9c..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
@@ -1,6 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
index 6fbbccaae..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
@@ -1,10 +1,20 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
+dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
+dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-psk-ikev1/test.conf b/testing/tests/ipv6/rw-psk-ikev1/test.conf
index bce9814db..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-ip6.png"
+DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
index cee1853c4..16982a736 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
index b656b9ec7..eed683f72 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
index 882ea04a5..699d8fdb1 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
index c62f4ff07..3b45adb0d 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
index 882ea04a5..699d8fdb1 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
index 0cf988768..f6c4c6ab9 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
index 882ea04a5..699d8fdb1 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
index e3040d125..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
@@ -10,7 +13,8 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ipv6/rw-psk-ikev2/test.conf b/testing/tests/ipv6/rw-psk-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
index 4ed973ca4..551eae263 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
@@ -1,12 +1,17 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES
-moon::cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES
+moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
 carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-dave::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
+dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
index b4138be8d..a2e054e13 100755..100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
index cc7e09b4e..8d275e2bd 100755..100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
index 94873ddeb..e2593c173 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 nonce revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
index 4832bb89f..236302350 100755..100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat
index 2010557c1..5ae9d2c12 100644
--- a/testing/tests/ipv6/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat
@@ -1,7 +1,9 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
+sun:: ip xfrm state::mode transport::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
index 69ba50530..f2938f307 100755..100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn host-host
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
index a7c6b18c7..9af8aa862 100755..100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn host-host
 	left=PH_IP6_SUN
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/transport-ikev1/posttest.dat b/testing/tests/ipv6/transport-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev1/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev1/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev1/pretest.dat b/testing/tests/ipv6/transport-ikev1/pretest.dat
index 3536fd886..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev1/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev1/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ipv6/transport-ikev1/test.conf b/testing/tests/ipv6/transport-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev1/test.conf
+++ b/testing/tests/ipv6/transport-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat
index f1e26e7ea..0dfba54ea 100644
--- a/testing/tests/ipv6/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat
@@ -1,8 +1,10 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
-moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
+sun:: ip xfrm state::mode transport::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b1e7073af..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certficate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
index 0d9e275b7..a48b6cbc6 100755..100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
index 26949985e..e80eb8101 100755..100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/posttest.dat b/testing/tests/ipv6/transport-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev2/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev2/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/transport-ikev2/test.conf b/testing/tests/ipv6/transport-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev2/test.conf
+++ b/testing/tests/ipv6/transport-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/net2net-cert/description.txt b/testing/tests/libipsec/net2net-cert/description.txt
new file mode 100644
index 000000000..433d97574
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> 
+plugin is used for userland IPsec ESP encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat
new file mode 100644
index 000000000..f702ceadf
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..631adfcd3
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..b16440aa1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert/posttest.dat b/testing/tests/libipsec/net2net-cert/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-cert/test.conf b/testing/tests/libipsec/net2net-cert/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt
new file mode 100644
index 000000000..a1b09405a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b>
+certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption.
+The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP
+encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b>
+tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
new file mode 100644
index 000000000..d59ea3c34
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES 
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > carol.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP dave.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > dave.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..8106e28d2
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9b6ca682a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home 
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..733592087
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=%any
+	rightsourceip=10.3.0.0/24
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..efa0575e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt
index 915e6c211..b3515c333 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>CAMELLIA_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and 
-<b>CAMELLIA_CBC_192 / HMAC_SHA2_384_192 </b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
+HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
+the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index a3360e5a5..4d614bf7e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -1,11 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index 982b2fdb2..7a276806e 100755..100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=camellia192-sha384-modp3072!
-	esp=camellia192-sha384!
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..c4ac99166 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index b6f719256..fb892a041 100755..100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,25 +1,21 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-       
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=camellia192-sha384-modp3072!
-	esp=camellia192-sha384!
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..c4ac99166 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index 6d2eeb5f9..388339fb8 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -1,5 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2 
+carol::ipsec start
+carol::sleep 1
 carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
index f2b26fd7c..a1f31495d 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
index 6a6802780..ac7d8cd98 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::ECP_256.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
index 432fa52ea..2ed83f06a 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+	ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
index 28304eb41..105ec3ce4 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+	ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 913e599ae..785772254 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
index d6737f6e0..0a312b394 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
index 5b0241433..84b6eb4bf 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
index 3c5ae4138..178d541da 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::ECP_192.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_224::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
index 5a4d82699..6fe17a9ee 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+	ike=aes192-sha384-ecp192,3des-sha256-ecp224!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
index ac828c182..ade897727 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+	ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 913e599ae..785772254 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
index 870271c87..3992b52fb 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+	ike=3des-sha256-ecp224,aes128-sha256-ecp256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 2aea10135..69c893f0c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -1,13 +1,19 @@
-moon::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
-moon::cat /var/log/auth.log::ECDSA-384 signature check passed::YES 
-carol::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
-dave::cat /var/log/auth.log::ECDSA-384 signature check passed::YES 
-moon::ipsec statusall::carol.*IPsec SA established::YES
-moon::ipsec statusall::dave.*IPsec SA established::YES
-carol::ipsec statusall::home.*IPsec SA established::YES
-dave::ipsec statusall::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
index b0b6ff738..58914391c 100755..100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..0a0b83889 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: DES-EDE3-CBC,0F93D8FBCA4CAA40
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+jyvWqe7yjLux30mLeMsjlEjWu1A7u4xdRUg/R+JzsUxnFDpJKOEd5LgXSExrgVwD
+RMlH6vVkZPboxmveOH8lXDVUyscYLLLTianw9R+Vj3zm6x7kT1CaNryLKfQSCVE8
+QGsF+LrF7/uIS+4RePGQyGv4C3pbBCB168+e362WnjQ=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
index 23813b20b..150c63bc7 100755..100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
-	
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index f628f88e5..574c86a2e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4c5d53dff..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
index f22a4ac4c..5cf82c6b8 100755..100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,21 +9,11 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 
-conn carol
-	also=moon
-	leftcert=moon_ec256_Cert.pem
-	rightid=carol@strongswan.org
-	auto=add
-
-conn dave
-	also=moon
-	leftcert=moon_ec384_Cert.pem
-	rightid=dave@strongswan.org
-	auto=add
-
-conn moon 
+conn rw
 	left=PH_IP_MOON
+	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..25f0538a7
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
deleted file mode 100644
index d5e61558e..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7DCCAk+gAwIBAgIBBTAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDkwNjEyMTYwNjMzWhcNMTQwNjExMTYwNjMzWjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzBZMBMGByqGSM49
-AgEGCCqGSM49AwEHA0IABIU/UvJ7ro2AYsFWXZKH9K4FD9O5kNfi3/H3+10kAy6s
-eQUab8qaAhTahBHuywzanVTiJPK5caQSvnpt+z1RJDqjggETMIIBDzAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUq1PybZZ+RZuJICuoDUhXdLy/iacw
-eAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9u
-Z3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dh
-bi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCQYHKoZIzj0EAQOBiwAwgYcCQWYZnZLl
-iimVcAs5p7SXpHmcnlIX9C4EFzNtY+zoDfPM9Qx/vGY2hKa65tyhepn5RFyNqH6d
-slr5EBqoT5Vt86kJAkIAx/dyiLLqT0+lJiyxjLQuAaLRWHwlgq7jaUhoQusxno62
-dIfe0U1QjgumA+zXoAnbLBF3KnnrKvHByv7ejeH0Ys4=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
deleted file mode 100644
index 45224b09b..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAmygAwIBAgIBBjAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDkwNjEyMTYwNzA2WhcNMTQwNjExMTYwNzA2WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABK4TajAd1pgzhJJsmyjw1Zb/CdEe0eWKmEyP1OjmwRwS37Tx
-3wV9C9ZzCYBsJlvbH53kyeZYoAojUL5sXDVBq8qu23jSjBCesypSiNt/8akt+4bg
-a4qMN2zutd/U1fC5C6OCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBT43sZUBjwcO+QW4PXk7KoOxxkm3jB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GMADCBiAJCAUfrzEnQUA0dqpo9I2YaFh3Y+QnFosTg
-b46jcbxm/LbIeWDxwU2HK3Qfo+tGsXJnh73lKo8B0o+OsXt4gP+GQutCAkIBu7Aw
-0iUx8d84SqHiBZBDIk/X6NV62YZXVhO9rPON0r/kdmeZ8OvPD53JgE64irFf6Wp+
-3ictLD61ItW0nxNHlcE=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..a1ba4c9b9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
deleted file mode 100644
index 66b6315f9..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIE+rz/5axOOEvTVs9nnmKyF1v/rgmdIvam+BfSSS1SGpoAoGCCqGSM49
-AwEHoUQDQgAEhT9S8nuujYBiwVZdkof0rgUP07mQ1+Lf8ff7XSQDLqx5BRpvypoC
-FNqEEe7LDNqdVOIk8rlxpBK+em37PVEkOg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
deleted file mode 100644
index 64f7fcfd1..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDDvvge4iZDHIaL0IDBs4gVesErZZWOud3NysAEayGW4iTb6wjQLtIVF
-1i7d8lV6Uc2gBwYFK4EEACKhZANiAASuE2owHdaYM4SSbJso8NWW/wnRHtHliphM
-j9To5sEcEt+08d8FfQvWcwmAbCZb2x+d5MnmWKAKI1C+bFw1QavKrtt40owQnrMq
-Uojbf/GpLfuG4GuKjDds7rXf1NXwuQs=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
index 8a8812e0f..1ef3eccb5 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
@@ -1,5 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: ECDSA moon_ec256_Key.pem
-
-: ECDSA moon_ec384_Key.pem
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 73fe3096d..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,8 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt
deleted file mode 100644
index 5185b5216..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
-certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev1/rw-cert/evaltest.dat b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
deleted file mode 100644
index 1a9b9159f..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 80dae3719..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index a8fecbc2f..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 73167caad..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 85164eeb7..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-}
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f365b07da..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 763503e29..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
-
diff --git a/testing/tests/openssl-ikev1/rw-cert/posttest.dat b/testing/tests/openssl-ikev1/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/rw-cert/pretest.dat b/testing/tests/openssl-ikev1/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/rw-cert/test.conf b/testing/tests/openssl-ikev1/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
new file mode 100644
index 000000000..cfa7a11b9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
@@ -0,0 +1,16 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
+functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>.
+<p/>
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b>
+(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
+respectively.
+<p/>
+Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b>
+(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf,
+respectively.
+<p/>
+A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels.
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
new file mode 100644
index 000000000..4cf89b765
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
@@ -0,0 +1,26 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES
+moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES
+moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
+dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..c0016ff61
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha512-modp2048!
+	esp=aes256gcm128-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5481f7b72
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..335eda02c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-modp1536!
+	esp=aes128gcm128-modp1536!
+
+conn home
+	left=PH_IP_DAVE
+	leftfirewall=yes
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..564e4ea8c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..566298bed
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536!
+	esp=aes256gcm16-modp2048,aes128gcm16-modp1536!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5481f7b72
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
new file mode 100644
index 000000000..972d93053
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
new file mode 100644
index 000000000..c3f38054b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol dave winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
index f1b33895b..cd83c56b4 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
@@ -1,16 +1,17 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
-dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
 
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
index 62e181012..adee238e6 100755..100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=blowfish256-sha512-modp2048!
-	esp=blowfish192-sha256!
+	esp=blowfish192-sha384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
index 26f3f3a04..e22322431 100755..100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=blowfish128-sha256-modp1536!
-	esp=blowfish128-sha1!
+	esp=blowfish128-sha256!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
index 31a00f7fb..43bbb36a9 100755..100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
-	esp=blowfish192-sha256,blowfish128-sha1!
+	esp=blowfish192-sha384,blowfish128-sha256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index d77c4806e..4d614bf7e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -1,11 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
index 37f8a7ecf..004295437 100755..100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index e96dfe574..c4ac99166 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
index f8d7e3fe9..0f6a4f569 100755..100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index e96dfe574..c4ac99166 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 009936466..375ed86a1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -1,12 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
-dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
index 0550a09b4..2fd776e25 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+	ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
index 22026fc36..8d8989ed7 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+	ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 01fd353c1..785772254 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
index ffe13d259..addcc6175 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index e2073d9be..c46ed1dd2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -1,12 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
-dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
index 6a15b3f54..b754c29ba 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+	ike=aes192-sha384-ecp192,3des-sha256-ecp224!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
index b4bdf456f..b5e9215c5 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+	ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 01fd353c1..785772254 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
index 64ec0f12c..2e4a15ec3 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+	ike=3des-sha256-ecp224,aes128-sha256-ecp256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
index 1c23dcad6..cc904c8bc 100644
--- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,6 @@
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
+sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
index 2e3c9dde4..3b065774f 100755..100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index f4ab41f2c..628476313 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
 
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
index 19e197131..2b4406d75 100755..100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index c45805ca6..444a41dbc 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 868da5776..0110bb996 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -1,12 +1,17 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
index c75d6b2a1..dd2ceea60 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..d2f97f858 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: AES-128-CBC,0C53E74E6B5AC2D7475EFF30478B9D5F
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+eHLtgaAjHt0sWRnBnRAt8CEPjak58pCwVbH+7Vfz2dy//GRvZviPA/TEQDtznPde
+v5yIDGUe6vvtoY4oXemGi5SQiP8KAuaKylMQEjm2FHYwT/SgIwk5EZZjI4CcFBnK
+NWV3z5oPiW6hZebwUHWaioSAYK1awOtFcp0l4UGA31U=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
index 080ce9bce..4c6e11f16 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index f628f88e5..574c86a2e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
index c932101d2..e67d9af9b 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..a1ba4c9b9 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,7 +1,7 @@
 -----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 868da5776..8a4215dcc 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -1,12 +1,13 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
index c75d6b2a1..dd2ceea60 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5151408c4..681c1ee67 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIGwMBsGCSqGSIb3DQEFAzAOBAgzSp1guD3Y3wICCAAEgZD3lUKsfeQ6rwQA2Q2U
-VIyw2+53Z6kfn2vs9I8M197o4AtunwMJ7N6XY441fzcCbstmZ4HoubcuqCXsw5BA
-liVtV0+vnMY6ViJ5OKgzBNGYW39Bu1A5/2NHh0Hsaoop6VPEY67KyhxHBrBrX6fk
-Hn5eZyUKHa6NNGK9bWLqR8CjRNYQpg8NlwUIIxuFFTBw9oc=
+MIGwMBsGCSqGSIb3DQEFAzAOBAhvrv2j+DAo4AICCAAEgZAkhslW1CuYRZ7SKigR
+p/5suJU4xR6scHyS1yVYtrTC99Ha287MuS1/KUf0DZasx89AxoYcOgr+YvuIrUYw
+/f8cNmkcw3E2EvGwy7VVtqf12M+j4B2eUSNjaQvw4sQvxFPlbETocWYaLOOZrgr1
+/+b5n4o4VZ/MYDyfxmgNNluXaVGz9xP5pTvHI7ocDJzh5d4=
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
index 35c522d0e..440bdaa4b 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
index 080ce9bce..4c6e11f16 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 6555adac1..6dca1f239 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYdanoOIx6X4CAggA
-MBQGCCqGSIb3DQMHBAjoXTbsYeKpJwSBwBRbP2I3UOHWIrQhM7OqdWGt1+phdNy8
-5Xbus6e/DUp8xalohZD/QTZT3QpMEDuqJ0U3OIB01RWUmlPeUBx+NaPvLb/tQCZg
-iLwdq5E9otbO9nK9G7NDeV22VigMZhZgtpdKqw7TAqgkzqpGfyM+mcUygiGxWwWC
-UyC4G3rxyZVL2zRS/iDpJCIn2kceQk+mu+or3oX5rzzH82b69RQt36gEvd2rX/WU
-gHH/XkNXhL0y0yRkVhowKHE2ZwMNTDbM3g==
+MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9Dxjbv7bnuoCAggA
+MBQGCCqGSIb3DQMHBAjONh5rePJ/owSBwG8qgvCeUae7yZQRM1iEa90zq1yrS71z
+l5dEFzeFnYcu25qVK6IkYRHUFZIDGep+2Ep33+IrCYadV69AjCdM3Lnl+cjp+vVn
+o1ZvXoNKMor0AHyuTbHI/xdOrd2ZFjkWITnXX2qHTKViFFBoMGo7Jb9XI2eAT4hF
+0Z2EaAzl383eBQ/Wb/Jr0c+cwi5lvRLW5OKp48mQ5++8wJlaw+7W1MxPVhggG6U3
+lVzl9N+aLEFOSr0b8EMTDywJNBJZcNOQZw==
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
index 35c522d0e..440bdaa4b 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
index c932101d2..e67d9af9b 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 5c31d677c..04db7f7e0 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN PRIVATE KEY-----
-MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBrBxHEGICJRNkhm0H
-WfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42yOKQqifWEcNWxO+wWtBaz91IF5hz
-/m4TbOGhgYkDgYYABAC5p5fz1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp
-1kiaM98op6Tx3XIR9FJJyrfwtiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4
-m62p4gFEqUmg4Ylq307XkTVqpM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHq
-bg==
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIB2FqpGVb6Q8oGdL/b
+oMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix+G8ZaNPJ7fLC3NU4uxW3Y9wo1K6y
+MDfqZhuhgYkDgYYABABlnLakOG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4v
+TemT194qTZVQIugGEuzF1mQgYk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2
+X45I1D2iihIZsNH8treYFIT2lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUg
+Ng==
 -----END PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
index 35c522d0e..440bdaa4b 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..e66ea1918
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..2b37cad99
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0296e1804
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
new file mode 100644
index 000000000..d3cca4fd5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..802cfc681
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2074a4d8f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem nonce revocation openssl stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6dcedd0e6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
new file mode 100644
index 000000000..1a9e2aa01
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..3dc85528c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
+
+
+
+
+
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2074a4d8f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem nonce revocation openssl stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..0fbba487c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/private/moonCert.p12
+sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..3492238f0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.d/private/moonKey.pem
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+sun::rm /etc/ipsec.d/private/sunKey.pem
+sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
index 06a0f8cda..ba661975b 100644
--- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index 4a8baa3ae..213cd70fa 100755..100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 2b862e1b3..9f31821cd 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 42f03aab3..653316fde 100755..100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 4e74127fe..5708510ef 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 2e84f2e6a..16299b339 100755..100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 48b7d16f2..f065861dc 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index 41ebec307..a2c02f630 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,10 +1,10 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
index 02ece4738..c8f63bced 100755..100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -19,7 +18,8 @@ conn home
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
+	rightid="C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..d2f97f858 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: AES-128-CBC,0C53E74E6B5AC2D7475EFF30478B9D5F
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+eHLtgaAjHt0sWRnBnRAt8CEPjak58pCwVbH+7Vfz2dy//GRvZviPA/TEQDtznPde
+v5yIDGUe6vvtoY4oXemGi5SQiP8KAuaKylMQEjm2FHYwT/SgIwk5EZZjI4CcFBnK
+NWV3z5oPiW6hZebwUHWaioSAYK1awOtFcp0l4UGA31U=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index ed9b8c764..6072bb335 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
index 2679d4f9b..28a5cad31 100755..100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..a1ba4c9b9 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,7 +1,7 @@
 -----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 46d8e2933..5660f4376 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
new file mode 100644
index 000000000..c1a3da88e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on Suite B with 128 bit 
+security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
+authenticated encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
+an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
new file mode 100644
index 000000000..7169a091d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
@@ -0,0 +1,11 @@
+dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..61e13df41
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..128d4f2d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..22fcb3eb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..958a502c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f7044e51d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fc49f9fd2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
new file mode 100644
index 000000000..24bb2b3df
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on Suite B with 192 bit 
+security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
+authenticated encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
+an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
new file mode 100644
index 000000000..57cbee1d4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
@@ -0,0 +1,11 @@
+dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..14146ef01
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256gcm128-ecp384!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..f43957143
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfDCCAd2gAwIBAgIBCjAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzE1NFoXDTE4MDYwMjA3MzE1NFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAERiDlh/bOFDq6bSRdDq2ivOcNcxWSGlO5dy5yBRvAhTWl
+NJcy93jxhDIzF5mxPpmgNXpdmSBRKbm3ydkw8LbWI+5/lje06Yl6nOLBO6Zb7GqH
+XFO+BqJrUxzbdHXwxWqto4GDMIGAMB8GA1UdIwQYMBaAFLpd+XG2E7Vq0d26Nreq
+0sHuj9jSMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
+MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
+Yy5jcmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIA8mbKzo+mp8umjvpoQUo5pIvR1CQQ
+lvBGCUWv7mtq1CVBXzv7Z+HQqPsrL388RymEErA7BzDMkPKTa5E3ZV5LL38CQgDx
++v/cIcJdYngOOF0IgVSDzcGgSvOmMlPF/D97eC4Od7XwdYl5p9Sxi4SjmDZZi4r/
+EArN3teDfoc7CZcRxWcDhQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b94625718
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCkhn8iMx3xfYLzonabc5FVG700UU6WKdke251F8ncgj1sGd5HZCV+N
+6pHODLMII96gBwYFK4EEACKhZANiAARGIOWH9s4UOrptJF0OraK85w1zFZIaU7l3
+LnIFG8CFNaU0lzL3ePGEMjMXmbE+maA1el2ZIFEpubfJ2TDwttYj7n+WN7TpiXqc
+4sE7plvsaodcU74GomtTHNt0dfDFaq0=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..128d4f2d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..f6feda0bb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256cm128-ecp384!
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..e97709a3f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..574c86a2e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..958a502c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f37dae945
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256gcm128-ecp384!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..7bf96cdc8
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdzCCAdqgAwIBAgIBCDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjA1MFoXDTE4MDYwMjA3MjA1MFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijEV5Nw1OqU5jlk
+srCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42COUhWXh760M/c
+2SNzsjvsJgGXAsiPwiajgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYoAMIGGAkE35mfDj/fFUXGsetoU9l9Kt3jbIKYugJgE
+2gmv/MW8jwrqoP7y6ATHXJkonA6AvEK+o0ZMrae55lIKPkBh5xk3XQJBfp5Eqg6Y
+efRIXUeLksM56fRjVwJS6es7qb8l1q6+c1wC1A3lEHQvAs+kJxFfFyni2oxA923F
+h2eoaYy9vSqET5Q=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..231aa3bdc
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDlpnLnnwL+nIt/+e+cY2PoTtyHPM10qgck9nYj/f3bPd3ZfiraSBhZ
+KttBZfw5xQKgBwYFK4EEACKhZANiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijE
+V5Nw1OqU5jlksrCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42C
+OUhWXh760M/c2SNzsjvsJgGXAsiPwiY=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fc49f9fd2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/p2pnat/behind-same-nat/evaltest.dat b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
index e59334db9..378520596 100644
--- a/testing/tests/p2pnat/behind-same-nat/evaltest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
@@ -1,11 +1,11 @@
-alice::ipsec statusall::medsrv.*ESTABLISHED::YES
-venus::ipsec statusall::medsrv.*ESTABLISHED::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*F1ubAio8@medsrv.org::YES
+alice::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*6cu1UTVw@medsrv.org.*carol@strongswan.org::YES
+venus::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*F1ubAio8@medsrv.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_MOON.*F1ubAio8@medsrv.org::YES
 alice::cat /var/log/daemon.log::received ME_CALLBACK::YES
-alice::ipsec statusall::peer.*ESTABLISHED::YES
-venus::ipsec statusall::peer.*ESTABLISHED::YES
-alice::ipsec statusall::peer.*INSTALLED::YES
-venus::ipsec statusall::peer.*INSTALLED::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*venus.strongswan.org::YES
+venus::ipsec status 2> /dev/null::peer.*ESTABLISHED.*venus.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 1eb88c15c..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
index b47f157f6..4e70be4a0 100755..100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,10 +16,11 @@ conn %default
 		
 conn medsrv
 	leftid=6cu1UTVw@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
+	rightauth=pubkey
 	mediation=yes
-	authby=psk
 	auto=add
 
 conn peer
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE behind NAT
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
index e38922cf4..4e8a50fb9 100755..100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,7 +16,9 @@ conn medsrv
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
 	mediation=yes
 	auto=add
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 6fca87b4a..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
index 3943c361e..4baa7b59f 100755..100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,9 +16,10 @@ conn %default
 
 conn medsrv
 	leftid=F1ubAio8@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
-	authby=psk
+	rightauth=pubkeye
 	mediation=yes
 	auto=start
 
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/posttest.dat b/testing/tests/p2pnat/behind-same-nat/posttest.dat
index 36cd0f36d..a1d5b4612 100644
--- a/testing/tests/p2pnat/behind-same-nat/posttest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/posttest.dat
@@ -1,8 +1,8 @@
 venus::ipsec stop
 alice::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index f1e33dc39..eb1d67fa2 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -1,7 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
@@ -10,5 +10,5 @@ carol::ipsec start
 carol::sleep 1
 alice::ipsec start
 alice::sleep 1
-venus::ipsec start 
-venus::sleep 4 
+venus::ipsec start
+venus::sleep 4
diff --git a/testing/tests/p2pnat/behind-same-nat/test.conf b/testing/tests/p2pnat/behind-same-nat/test.conf
index f98a0ab1b..fe44ff97b 100644
--- a/testing/tests/p2pnat/behind-same-nat/test.conf
+++ b/testing/tests/p2pnat/behind-same-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-med.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus carol"
diff --git a/testing/tests/p2pnat/medsrv-psk/evaltest.dat b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
index ba14bb858..2c6080775 100644
--- a/testing/tests/p2pnat/medsrv-psk/evaltest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
@@ -1,12 +1,12 @@
-alice::ipsec statusall::medsrv.*ESTABLISHED::YES
-bob::ipsec statusall::medsrv.*ESTABLISHED::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_SUN.*v9oEPMz@medsrv.org::YES
-alice::ipsec statusall::peer.*ESTABLISHED::YES
-bob::ipsec statusall::peer.*ESTABLISHED::YES
-alice::ipsec statusall::peer.*INSTALLED::YES
-bob::ipsec statusall::peer.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*6cu1UTVw@medsrv.org.*carol@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*av9oEPMz@medsrv.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_SUN.*v9oEPMz@medsrv.org::YES
+alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::peer.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+bob::  ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
 moon::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index c6371c745..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
index 99a50d5d8..6ac413a1b 100755..100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,10 +16,11 @@ conn %default
 		
 conn medsrv
 	leftid=6cu1UTVw@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
+	rightauth=pubkey
 	mediation=yes
-	authby=psk
 	auto=add
 
 conn peer 
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
index 39dee8521..fb95f5637 100755..100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,9 +16,10 @@ conn %default
 
 conn medsrv
 	leftid=av9oEPMz@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
-	authby=psk
+	rightauth=pubkey
 	mediation=yes
 	auto=start
 
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE behind NAT
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
index e38922cf4..4e8a50fb9 100755..100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,7 +16,9 @@ conn medsrv
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
 	mediation=yes
 	auto=add
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/posttest.dat b/testing/tests/p2pnat/medsrv-psk/posttest.dat
index ca3cebc0a..4b696b90f 100644
--- a/testing/tests/p2pnat/medsrv-psk/posttest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/posttest.dat
@@ -1,10 +1,10 @@
 bob::ipsec stop
 alice::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 sun::conntrack -F
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index fba7be01d..09b658318 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -1,8 +1,8 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
@@ -15,5 +15,5 @@ carol::ipsec start
 carol::sleep 1
 bob::ipsec start
 bob::sleep 1
-alice::ipsec start 
-alice::sleep 4 
+alice::ipsec start
+alice::sleep 4
diff --git a/testing/tests/p2pnat/medsrv-psk/test.conf b/testing/tests/p2pnat/medsrv-psk/test.conf
index 2dc4cd8c1..a1c6b8c15 100644
--- a/testing/tests/p2pnat/medsrv-psk/test.conf
+++ b/testing/tests/p2pnat/medsrv-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou sun bob"
+VIRTHOSTS="alice moon carol winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-s-b-med.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice carol bob"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 24e36eb77..590b7fe9c 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -1,12 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon::ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 33e6a842b..74668e7fb 100755..100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 208477deb..3cda72935 100755..100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha384/evaltest.dat b/testing/tests/pfkey/alg-sha384/evaltest.dat
index 31bb64c5e..3b24217c5 100644
--- a/testing/tests/pfkey/alg-sha384/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha384/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon::ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
index d38b7dfcf..e02d90b78 100755..100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
index ea84cd8a4..990fce1d0 100755..100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/posttest.dat b/testing/tests/pfkey/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha384/posttest.dat
+++ b/testing/tests/pfkey/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha384/pretest.dat
+++ b/testing/tests/pfkey/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha384/test.conf
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha512/evaltest.dat b/testing/tests/pfkey/alg-sha512/evaltest.dat
index e0f5fb7a3..6bdceeb44 100644
--- a/testing/tests/pfkey/alg-sha512/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha512/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-carol::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon::ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
index 583522d1b..13ab244bb 100755..100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
index 40fec93c0..e6d410442 100755..100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/posttest.dat b/testing/tests/pfkey/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha512/posttest.dat
+++ b/testing/tests/pfkey/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha512/pretest.dat
+++ b/testing/tests/pfkey/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha512/test.conf
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/esp-alg-null/evaltest.dat b/testing/tests/pfkey/esp-alg-null/evaltest.dat
index d5c0a64c4..c50b188bb 100644
--- a/testing/tests/pfkey/esp-alg-null/evaltest.dat
+++ b/testing/tests/pfkey/esp-alg-null/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
-carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc ecb(cipher_null)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length::YES
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
index 5640d74fc..1d8509115 100755..100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
index 91f4a7c7f..38f8bd619 100755..100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/posttest.dat b/testing/tests/pfkey/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/esp-alg-null/posttest.dat
+++ b/testing/tests/pfkey/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/esp-alg-null/pretest.dat
+++ b/testing/tests/pfkey/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/host2host-transport/evaltest.dat b/testing/tests/pfkey/host2host-transport/evaltest.dat
index b3cade48c..fbd0c1c96 100644
--- a/testing/tests/pfkey/host2host-transport/evaltest.dat
+++ b/testing/tests/pfkey/host2host-transport/evaltest.dat
@@ -1,8 +1,10 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
-moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun:: ip xfrm state::mode transport::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
index 7f6c5a58a..de273e53a 100755..100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
index af52fb22b..e96c1ca2e 100755..100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/posttest.dat b/testing/tests/pfkey/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/host2host-transport/posttest.dat
+++ b/testing/tests/pfkey/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/pfkey/host2host-transport/pretest.dat
+++ b/testing/tests/pfkey/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/pfkey/host2host-transport/test.conf b/testing/tests/pfkey/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/pfkey/host2host-transport/test.conf
+++ b/testing/tests/pfkey/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/nat-two-rw/description.txt b/testing/tests/pfkey/nat-rw/description.txt
index dcf4b94bd..dcf4b94bd 100644
--- a/testing/tests/pfkey/nat-two-rw/description.txt
+++ b/testing/tests/pfkey/nat-rw/description.txt
diff --git a/testing/tests/pfkey/nat-rw/evaltest.dat b/testing/tests/pfkey/nat-rw/evaltest.dat
new file mode 100644
index 000000000..ac09e2d6b
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/pfkey/nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/pfkey/nat-rw/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..b04ffa7e8
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+		
+conn nat-t
+	left=%defaultroute
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/nat-rw/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..59762b1fe
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+
+conn net-net
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+conn host-host
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	auto=add
+
+conn nat-t
+	leftsubnet=10.2.0.0/16
+	right=%any
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/pfkey/nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..c6ee10979
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%defaultroute
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/nat-rw/posttest.dat b/testing/tests/pfkey/nat-rw/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/pfkey/nat-rw/pretest.dat b/testing/tests/pfkey/nat-rw/pretest.dat
new file mode 100644
index 000000000..d701a1d61
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/pretest.dat
@@ -0,0 +1,13 @@
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up nat-t
+venus::sleep 2 
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/pfkey/nat-rw/test.conf b/testing/tests/pfkey/nat-rw/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/nat-two-rw/evaltest.dat b/testing/tests/pfkey/nat-two-rw/evaltest.dat
deleted file mode 100644
index bd0a4b52b..000000000
--- a/testing/tests/pfkey/nat-two-rw/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec status::alice@strongswan.org::YES
-sun::ipsec status::venus.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 3da2fcf86..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-		
-conn nat-t
-	left=%defaultroute
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 21015f8a2..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index d8b426318..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-
-conn net-net
-	leftsubnet=10.2.0.0/16
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn host-host
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn nat-t
-	leftsubnet=10.2.0.0/16
-	right=%any
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 21015f8a2..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index 3a70b3434..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn nat-t
-	left=%defaultroute
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 21015f8a2..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
diff --git a/testing/tests/pfkey/nat-two-rw/posttest.dat b/testing/tests/pfkey/nat-two-rw/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/pfkey/nat-two-rw/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/pfkey/nat-two-rw/pretest.dat b/testing/tests/pfkey/nat-two-rw/pretest.dat
deleted file mode 100644
index e365ff5c5..000000000
--- a/testing/tests/pfkey/nat-two-rw/pretest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2 
-alice::ipsec up nat-t
-venus::sleep 2 
-venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/pfkey/nat-two-rw/test.conf b/testing/tests/pfkey/nat-two-rw/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/pfkey/nat-two-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/net2net-route/evaltest.dat b/testing/tests/pfkey/net2net-route/evaltest.dat
index a89e5a298..1de6ca8e1 100644
--- a/testing/tests/pfkey/net2net-route/evaltest.dat
+++ b/testing/tests/pfkey/net2net-route/evaltest.dat
@@ -1,6 +1,9 @@
-moon::cat /var/log/daemon.log::creating acquire job::YES
-moon::ipsec statusall::net-net.*INSTALLED::YES
-sun::ipsec statusall::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ROUTED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
index 8a2f8b77c..c374cd6b4 100755..100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/posttest.dat b/testing/tests/pfkey/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/net2net-route/posttest.dat
+++ b/testing/tests/pfkey/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/pfkey/net2net-route/pretest.dat
+++ b/testing/tests/pfkey/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
diff --git a/testing/tests/pfkey/net2net-route/test.conf b/testing/tests/pfkey/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/pfkey/net2net-route/test.conf
+++ b/testing/tests/pfkey/net2net-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/protoport-dual/evaltest.dat b/testing/tests/pfkey/protoport-dual/evaltest.dat
index bd24b911c..50b53cc00 100644
--- a/testing/tests/pfkey/protoport-dual/evaltest.dat
+++ b/testing/tests/pfkey/protoport-dual/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home-icmp.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
index 51971a13c..e15382bad 100755..100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/posttest.dat b/testing/tests/pfkey/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-dual/posttest.dat
+++ b/testing/tests/pfkey/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/pfkey/protoport-dual/pretest.dat
+++ b/testing/tests/pfkey/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/pfkey/protoport-dual/test.conf b/testing/tests/pfkey/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-dual/test.conf
+++ b/testing/tests/pfkey/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/protoport-route/evaltest.dat b/testing/tests/pfkey/protoport-route/evaltest.dat
index 78d062918..9e970f055 100644
--- a/testing/tests/pfkey/protoport-route/evaltest.dat
+++ b/testing/tests/pfkey/protoport-route/evaltest.dat
@@ -1,10 +1,12 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
 carol::cat /var/log/daemon.log::creating acquire job::YES
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home-icmp.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
index d76a6ee17..f4d112daf 100755..100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/posttest.dat b/testing/tests/pfkey/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-route/posttest.dat
+++ b/testing/tests/pfkey/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/pfkey/protoport-route/pretest.dat
+++ b/testing/tests/pfkey/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/pfkey/protoport-route/test.conf b/testing/tests/pfkey/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-route/test.conf
+++ b/testing/tests/pfkey/protoport-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/rw-cert/evaltest.dat b/testing/tests/pfkey/rw-cert/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/pfkey/rw-cert/evaltest.dat
+++ b/testing/tests/pfkey/rw-cert/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index d59e04ef3..3da60b82f 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
index ea8bc92a7..65c9819bb 100755..100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index d59e04ef3..3da60b82f 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
index 274521386..1ee751360 100755..100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index d59e04ef3..3da60b82f 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/posttest.dat b/testing/tests/pfkey/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/pfkey/rw-cert/posttest.dat
+++ b/testing/tests/pfkey/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/pfkey/rw-cert/pretest.dat
+++ b/testing/tests/pfkey/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/pfkey/rw-cert/test.conf b/testing/tests/pfkey/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/pfkey/rw-cert/test.conf
+++ b/testing/tests/pfkey/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat
index 2f6e1a91f..6ba3a988f 100644
--- a/testing/tests/pfkey/shunt-policies/evaltest.dat
+++ b/testing/tests/pfkey/shunt-policies/evaltest.dat
@@ -1,15 +1,19 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
+moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
index a4958f295..90a5d61b1 100755..100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
index 87b70994f..4582e1473 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
   multiple_authentication = no
   install_routes = no
 }
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
index c3b36fb7c..cd8ea23c3 100755..100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
index 10efed787..902d83c69 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/pfkey/shunt-policies/posttest.dat
+++ b/testing/tests/pfkey/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/pfkey/shunt-policies/pretest.dat
+++ b/testing/tests/pfkey/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/pfkey/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/pfkey/shunt-policies/test.conf
+++ b/testing/tests/pfkey/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
index 9633fde10..5ff5edbf8 100644
--- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -1,21 +1,25 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index 4df33509f..391785a1c 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-expired/test.conf
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
index f4c713c9f..f70e2d2de 100644
--- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -1,21 +1,25 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index b5108051c..20b1937b7 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-restart/test.conf
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index 11be09d38..cfa87ae3f 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -5,28 +5,32 @@ carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-dave::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon:: ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
+moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index d09387c35..145ca9029 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index d09387c35..145ca9029 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index a5d786b3f..819aca3d9 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db/test.conf
+++ b/testing/tests/sql/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
index 6c912eb47..5f7f5ec3d 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
@@ -1,14 +1,18 @@
 dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave::ipsec status::home.*INSTALLED::YES
+dave::ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*1 .*1 ::YES
-moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES
-moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/test.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db/evaltest.dat b/testing/tests/sql/ip-split-pools-db/evaltest.dat
index f358b62c8..f186d8927 100644
--- a/testing/tests/sql/ip-split-pools-db/evaltest.dat
+++ b/testing/tests/sql/ip-split-pools-db/evaltest.dat
@@ -1,15 +1,17 @@
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status::home.*INSTALLED::YES
-dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave::ipsec status::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*1 .*1 ::YES
-moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES
-moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db/test.conf
+++ b/testing/tests/sql/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat
index 91113ce11..72a555d4b 100644
--- a/testing/tests/sql/multi-level-ca/evaltest.dat
+++ b/testing/tests/sql/multi-level-ca/evaltest.dat
@@ -1,16 +1,21 @@
 carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
index 96eb832ae..d77a4c0c9 100755..100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -2,6 +2,5 @@
 
 config setup
         strictcrlpolicy=yes
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
index 96eb832ae..d77a4c0c9 100755..100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -2,6 +2,5 @@
 
 config setup
         strictcrlpolicy=yes
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
index 96eb832ae..296ed1e93 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        strictcrlpolicy=yes
-        plutostart=no
+	strictcrlpolicy=yes
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/multi-level-ca/posttest.dat
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/multi-level-ca/test.conf
+++ b/testing/tests/sql/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat
index e67c39a08..f003f822f 100644
--- a/testing/tests/sql/net2net-cert/evaltest.dat
+++ b/testing/tests/sql/net2net-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-cert/posttest.dat
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-cert/test.conf
+++ b/testing/tests/sql/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat
index e67c39a08..f003f822f 100644
--- a/testing/tests/sql/net2net-psk/evaltest.dat
+++ b/testing/tests/sql/net2net-psk/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-psk/posttest.dat
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-psk/test.conf
+++ b/testing/tests/sql/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
index eaca715d5..3fd32907c 100644
--- a/testing/tests/sql/net2net-route-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -1,16 +1,16 @@
-moon::ipsec statusall::net-1.*ROUTED::YES
-sun::ipsec statusall::net-1.*ROUTED::YES
-moon::ipsec statusall::net-2.*ROUTED::YES
-sun::ipsec statusall::net-2.*ROUTED::YES
-moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES
-moon::ipsec statusall::net-1.*INSTALLED::YES
-sun::ipsec statusall::net-1.*INSTALLED::YES
-sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES
-moon::ipsec statusall::net-2.*INSTALLED::YES
-sun::ipsec statusall::net-2.*INSTALLED::YES
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES
+moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-1.*INSTALLED. TUNNEL::YES
+sun::  cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-route-pem/posttest.dat
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index 5a537e15b..8ca573ee5 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
 moon::sleep 1
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-route-pem/test.conf
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat
index eaacd0133..6534adc07 100644
--- a/testing/tests/sql/net2net-start-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-start-pem/evaltest.dat
@@ -1,12 +1,12 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-moon::ipsec statusall::net-1.*INSTALLED::YES
-sun::ipsec statusall::net-1.*INSTALLED::YES
-moon::ipsec statusall::net-2.*INSTALLED::YES
-sun::ipsec statusall::net-2.*INSTALLED::YES
-moon::ipsec statusall::net-3.*INSTALLED::YES
-sun::ipsec statusall::net-3.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index 3e168960d..1c71f0c14 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::sleep 3
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-start-pem/test.conf
+++ b/testing/tests/sql/net2net-start-pem/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/sql/rw-cert/evaltest.dat
+++ b/testing/tests/sql/rw-cert/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index a09081afe..7cd88f5da 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index a09081afe..7cd88f5da 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index a09081afe..7cd88f5da 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-cert/posttest.dat
+++ b/testing/tests/sql/rw-cert/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-cert/pretest.dat
+++ b/testing/tests/sql/rw-cert/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-cert/test.conf
+++ b/testing/tests/sql/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index aca7b045b..e1d33feb7 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -1,9 +1,11 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap-aka.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 2fdfe3282..f48c123d1 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 3661a7bb9..41951083c 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 23eeb0d17..584356d8e 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 ~
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index b78fd480f..8f2387ba1 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
index 06a0f8cda..eaf47395e 100644
--- a/testing/tests/sql/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-ipv4/test.conf
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
index cee1853c4..344dfa809 100644
--- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*10].*\[fec0.*1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*20].*\[fec0.*1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*1].*\[fec0.*10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*1].*\[fec0.*20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index bdfd9ed00..ab753507f 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index 253438dbf..587dd7f85 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -7,9 +7,12 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/sql/rw-psk-ipv6/test.conf
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 0e5bd03db..1648c9557 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -1,11 +1,16 @@
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-rsa-split/test.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
index 941df6ac9..4f5cd724c 100644
--- a/testing/tests/sql/rw-rsa-keyid/evaltest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
@@ -1,11 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*6a:9c:.*:29:2e.*1f:a1:.*:6e:7c::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*6a:9c:.*:29:2e.*ee:7f:.*:8e:0e::YES
-carol::ipsec statusall::home.*ESTABLISHED.*1f:a1:.*:6e:7c.*6a:9c:.*:29:2e::YES
-dave::ipsec statusall::home.*ESTABLISHED.*ee:7f:.*:8e:0e.*6a:9c:.*:29:2e::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*1f:a1:.*:6e:7c.*6a:9c:.*:29:2e::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*ee:7f:.*:8e:0e.*6a:9c:.*:29:2e::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*6a:9c:.*:29:2e.*1f:a1:.*:6e:7c::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*6a:9c:.*:29:2e.*ee:7f:.*:8e:0e::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa-keyid/posttest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.db
 carol::rm /etc/ipsec.d/ipsec.db
 dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa-keyid/test.conf
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa/evaltest.dat b/testing/tests/sql/rw-rsa/evaltest.dat
index cc565fb98..ba661975b 100644
--- a/testing/tests/sql/rw-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-rsa/evaltest.dat
@@ -1,9 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave::ipsec statusall::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa/posttest.dat
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.db
 carol::rm /etc/ipsec.d/ipsec.db
 dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa/test.conf
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/shunt-policies/evaltest.dat b/testing/tests/sql/shunt-policies/evaltest.dat
index 2f6e1a91f..51dd9610b 100644
--- a/testing/tests/sql/shunt-policies/evaltest.dat
+++ b/testing/tests/sql/shunt-policies/evaltest.dat
@@ -1,15 +1,19 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
+moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
index 90be03f69..b3a7bc0de 100644
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -6,6 +6,6 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
   install_routes = no
 }
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/shunt-policies/posttest.dat b/testing/tests/sql/shunt-policies/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/shunt-policies/posttest.dat
+++ b/testing/tests/sql/shunt-policies/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/shunt-policies/pretest.dat
+++ b/testing/tests/sql/shunt-policies/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/shunt-policies/test.conf b/testing/tests/sql/shunt-policies/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/shunt-policies/test.conf
+++ b/testing/tests/sql/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-initiator/description.txt b/testing/tests/tkm/host2host-initiator/description.txt
new file mode 100644
index 000000000..467693b1e
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/description.txt
@@ -0,0 +1,3 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
+<b>moon</b> uses the Trusted Key Manager (TKM) and is the initiator of the
+transport connection. The authentication is based on X.509 certificates.
diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat
new file mode 100644
index 000000000..d8d44dff6
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e52a04f42
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-initiator/posttest.dat b/testing/tests/tkm/host2host-initiator/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-initiator/pretest.dat b/testing/tests/tkm/host2host-initiator/pretest.dat
new file mode 100644
index 000000000..7cb90ac26
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection host-host
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::DAEMON_NAME=charon-tkm ipsec up conn1
diff --git a/testing/tests/tkm/host2host-initiator/test.conf b/testing/tests/tkm/host2host-initiator/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-responder/description.txt b/testing/tests/tkm/host2host-responder/description.txt
new file mode 100644
index 000000000..72eabdb6c
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/description.txt
@@ -0,0 +1,3 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
+<b>moon</b> uses the Trusted Key Manager (TKM) and is the responder of the
+transport connection. The authentication is based on X.509 certificates.
diff --git a/testing/tests/tkm/host2host-responder/evaltest.dat b/testing/tests/tkm/host2host-responder/evaltest.dat
new file mode 100644
index 000000000..d8d44dff6
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6681dad11
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
+	type=transport
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-responder/posttest.dat b/testing/tests/tkm/host2host-responder/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-responder/pretest.dat b/testing/tests/tkm/host2host-responder/pretest.dat
new file mode 100644
index 000000000..40e84453f
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection host-host
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::ipsec up host-host
diff --git a/testing/tests/tkm/host2host-responder/test.conf b/testing/tests/tkm/host2host-responder/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-xfrmproxy/description.txt b/testing/tests/tkm/host2host-xfrmproxy/description.txt
new file mode 100644
index 000000000..b728a317d
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/description.txt
@@ -0,0 +1,5 @@
+A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM
+proxy, which relays XFRM kernel messages to charon. The authentication is based
+on X.509 certificates. The connection is initiated by a ping from <b>moon</b> to
+<b>sun</b>.
diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
new file mode 100644
index 000000000..7c8c6b24a
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e52a04f42
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-xfrmproxy/posttest.dat b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
new file mode 100644
index 000000000..99efe7b00
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
@@ -0,0 +1,5 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall xfrm_proxy
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-xfrmproxy/pretest.dat b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
new file mode 100644
index 000000000..d645ddbfe
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection host-host
+moon::ping -c 3 192.168.0.2
diff --git a/testing/tests/tkm/host2host-xfrmproxy/test.conf b/testing/tests/tkm/host2host-xfrmproxy/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/multiple-clients/description.txt b/testing/tests/tkm/multiple-clients/description.txt
new file mode 100644
index 000000000..c8e72d51d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/description.txt
@@ -0,0 +1,5 @@
+Two transport connections to gateway <b>sun</b> are set up, one from client
+<b>carol</b> and the other from client <b>dave</b>. The gateway <b>sun</b> uses
+the Trusted Key Manager (TKM) and is the responder for both connections. The
+authentication is based on X.509 certificates. In order to test the connections,
+both <b>carol</b> and <b>dave</b> ping gateway <b>sun</b>.
diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat
new file mode 100644
index 000000000..8e0042102
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/evaltest.dat
@@ -0,0 +1,23 @@
+sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES
+dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES
+carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 2, 192.168.0.2 <-> 192.168.0.200, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..10ee3e89d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn host-host
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_SUN
+	rightid=sun.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6ba0a97ce
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn host-host
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_SUN
+	rightid=sun.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der
new file mode 100644
index 000000000..4c47db093
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf
new file mode 100644
index 000000000..216625e4c
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf
@@ -0,0 +1,36 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>sun.strongswan.org</identity>
+        <certificate>sunCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.2</ip>
+        </local>
+        <remote>
+            <identity>carol@strongswan.org</identity>
+            <ip>192.168.0.100</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+    <policy id="2">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.2</ip>
+        </local>
+        <remote>
+            <identity>dave@strongswan.org</identity>
+            <ip>192.168.0.200</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/multiple-clients/posttest.dat b/testing/tests/tkm/multiple-clients/posttest.dat
new file mode 100644
index 000000000..9a4a9bc9d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/posttest.dat
@@ -0,0 +1,5 @@
+sun::DAEMON_NAME=charon-tkm ipsec stop
+sun::killall tkm_keymanager
+sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/tkm/multiple-clients/pretest.dat b/testing/tests/tkm/multiple-clients/pretest.dat
new file mode 100644
index 000000000..ec83662f5
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/pretest.dat
@@ -0,0 +1,14 @@
+sun::rm /etc/ipsec.secrets
+sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+sun::cat /etc/ipsec.conf
+sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+sun::expect-file /tmp/tkm.rpc.ike
+sun::DAEMON_NAME=charon-tkm ipsec start
+carol::ipsec start
+carol::expect-connection host-host
+dave::ipsec start
+dave::expect-connection host-host
+sun::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::DAEMON_NAME=charon-tkm expect-connection conn2
+carol::ipsec up host-host
+dave::ipsec up host-host
diff --git a/testing/tests/tkm/multiple-clients/test.conf b/testing/tests/tkm/multiple-clients/test.conf
new file mode 100644
index 000000000..1dd36309d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="carol dave sun winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave sun"
diff --git a/testing/tests/tkm/net2net-initiator/description.txt b/testing/tests/tkm/net2net-initiator/description.txt
new file mode 100644
index 000000000..40f2a8013
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up. The host <b>moon</b> uses the Trusted Key Manager (TKM) and is the
+initiator of the tunnel connection. The authentication is based on X.509
+certificates. In order to test the tunnel, client <b>alice</b> behind gateway
+<b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/tkm/net2net-initiator/evaltest.dat b/testing/tests/tkm/net2net-initiator/evaltest.dat
new file mode 100644
index 000000000..8d4794f0d
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
+sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..717b0a6f4
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,23 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>tunnel</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+            <net mask="16">10.1.0.0</net>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+            <net mask="16">10.2.0.0</net>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..21b613d20
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..94e0b2a62
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/tkm/net2net-initiator/posttest.dat b/testing/tests/tkm/net2net-initiator/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/net2net-initiator/pretest.dat b/testing/tests/tkm/net2net-initiator/pretest.dat
new file mode 100644
index 000000000..f84c8fcd2
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection net-net
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::DAEMON_NAME=charon-tkm ipsec up conn1
diff --git a/testing/tests/tkm/net2net-initiator/test.conf b/testing/tests/tkm/net2net-initiator/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/net2net-xfrmproxy/description.txt b/testing/tests/tkm/net2net-xfrmproxy/description.txt
new file mode 100644
index 000000000..b42c89c52
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up. The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada
+XFRM proxy, which relays XFRM kernel messages to charon. The authentication is
+based on X.509 certificates. In order to test the tunnel, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway
+<b>sun</b>.
diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
new file mode 100644
index 000000000..a38dba0ee
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
+sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..717b0a6f4
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,23 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>tunnel</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+            <net mask="16">10.1.0.0</net>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+            <net mask="16">10.2.0.0</net>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..21b613d20
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..94e0b2a62
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/tkm/net2net-xfrmproxy/posttest.dat b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat
new file mode 100644
index 000000000..24544307a
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/net2net-xfrmproxy/pretest.dat b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat
new file mode 100644
index 000000000..4732a37f6
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection net-net
+alice::ping -c 3 PH_IP_BOB
diff --git a/testing/tests/tkm/net2net-xfrmproxy/test.conf b/testing/tests/tkm/net2net-xfrmproxy/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index a02755148..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
index ca55d84a2..caa5bc17a 100755..100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
index 579601b85..73646f8db 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
index 93807bb66..ba149c4ba 100755..100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
index 579601b85..73646f8db 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
index 32c3357a3..0fdad8607 100755..100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
index e3518f5b9..3975f09a9 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index c7a30ee7c..8fab1fb6c 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -1,14 +1,14 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index 517ea9ab2..d93407434 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -2,13 +2,13 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES         
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
index 2d4961288..2d4961288 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
index acd4630d2..06c34ed9a 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
@@ -2,6 +2,7 @@
 
 libimcv {
   debug_level = 3
+  assessment_result = no
   plugins {
     imv-scanner {
       closed_port_policy = no
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
index a639b0426..e9152e0d8 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
index 7bff51d6b..4cc205cf7 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
index 5da78b4ab..25589bcf1 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
index 579601b85..ac469590c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,14 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
+
+libimcv {
+  plugins {
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
index fc8f84638..98e2525ba 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
index ab71e5908..5bf9dc03b 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
index 51d8ca1b3..5e5a8514d 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
@@ -2,8 +2,8 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index 0fa88dbc7..96163aa36 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -1,13 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 dave::/etc/init.d/apache2 start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 moon::ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
new file mode 100644
index 000000000..f71837b6d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
+<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+The communication between the OS and Attestation IMC and the Attestation IMV is based on the
+ <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
new file mode 100644
index 000000000..e22b767f7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..c5bde6a9e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "isolate"
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
new file mode 100644
index 000000000..090eb47ff
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
@@ -0,0 +1,873 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..23f840f69
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  load = random nonce openssl pubkey sqlite
+  debug_level = 3 
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  assessment_result = no
+}
+
+attest {
+  database = sqlite:///etc/pts/config.db
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..2bdc6e4de
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..b5ac8c178
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e9152e0d8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..56c6b9f57
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..25589bcf1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..145ad9d2d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..294964fe7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..390c42ccf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
new file mode 100644
index 000000000..dc8507d26
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::rm /etc/pts/config.db
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
new file mode 100644
index 000000000..5f94f8dbb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
@@ -0,0 +1,21 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+alice::ipsec attest --sessions
+alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
new file mode 100644
index 000000000..f23a19329
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index d0ea22ba9..e22b767f7 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..c5bde6a9e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "isolate"
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
deleted file mode 100644
index f91bccc72..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
-	eap_tnc {
-		ok = return
-	}
-}
-
-authenticate {
-	eap_tnc
-}
-
-session {
-	radutmp
-}
-
-post-auth {
-	if (control:TNC-Status == "Access") {
-		update reply {
-			Tunnel-Type := ESP 
-			Filter-Id := "allow"
-		}
-	}
-	elsif (control:TNC-Status == "Isolate") {
-		update reply {
-			Tunnel-Type := ESP 
-			Filter-Id := "isolate"	
-		}
-	}
-
-	Post-Auth-Type REJECT {
-		attr_filter.access_reject
-	}
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
index 5d586066b..45050f7e1 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
@@ -2,14 +2,10 @@
 
 libimcv {
   debug_level = 3 
+  assessment_result = no
   plugins {
     imv-test {
       rounds = 1 
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
index a639b0426..e9152e0d8 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
index 7bff51d6b..4cc205cf7 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
index 5da78b4ab..25589bcf1 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
index a599122bc..5dbee558f 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
@@ -10,5 +10,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
index 33dcdcfb0..294964fe7 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
index 40be81b48..390c42ccf 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat
index 86bd89dea..a64a9147c 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat
@@ -2,7 +2,7 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index b5d284278..71dff71b7 100644
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -1,15 +1,15 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf
index 2a52df203..f23a19329 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
index a02755148..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
index 105fcbec6..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
index 7bff51d6b..4cc205cf7 100644
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
index 97f322c28..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
index a599122bc..5dbee558f 100644
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
@@ -10,5 +10,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
index 997db0df7..e21ef0d14 100755..100644
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
index 60313e946..2fe4cf001 100644
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
@@ -17,10 +17,5 @@ libimcv {
     imv-test {
       rounds = 1
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11/posttest.dat
+++ b/testing/tests/tnc/tnccs-11/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index dd729cb0b..cac1cfafc 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11/test.conf b/testing/tests/tnc/tnccs-11/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11/test.conf
+++ b/testing/tests/tnc/tnccs-11/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index f1753c208..03b576efa 100644
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -2,11 +2,11 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES 
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
index 105fcbec6..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
index 264e8d121..ced332cc4 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
index 97f322c28..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
index 9167adb47..70a1b07e6 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -12,3 +12,11 @@ charon {
     }
   }
 }
+
+libimcv {
+  plugins {
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
index 106cde446..9aeb02ac2 100755..100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
index d64c89ab8..59dce1874 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat
index 50bb7e117..2258e03ff 100644
--- a/testing/tests/tnc/tnccs-20-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-block/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index 7b0a42fcd..f5b3b2e8c 100644
--- a/testing/tests/tnc/tnccs-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 dave::/etc/init.d/apache2 start 2> /dev/null
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-block/test.conf b/testing/tests/tnc/tnccs-20-block/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-block/test.conf
+++ b/testing/tests/tnc/tnccs-20-block/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
index 847ca2e7f..a483d6df8 100755..100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
index 885271160..f202bbfa8 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
index f0ad4721f..11378131a 100755..100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
index 7e848a25b..996169add 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
       command = isolate
       retry = yes
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
index 9eec48402..b1093d46d 100755..100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 2"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
index bfc5d9531..3e6bc65a6 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-client-retry/test.conf b/testing/tests/tnc/tnccs-20-client-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
index 847ca2e7f..a483d6df8 100755..100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
index 8d52bc084..18e715785 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
index f0ad4721f..11378131a 100755..100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
index 8d52bc084..18e715785 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
index 9eec48402..b1093d46d 100755..100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 2"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
index 04cae2ebb..602979cf6 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 76ad91f98..72c9b1665 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt
new file mode 100644
index 000000000..f660a0b63
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/description.txt
@@ -0,0 +1,24 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>,
+<em>Operational Status</em>, <em>Forwarding Enabled</em>, <em>Factory Default Password Enabled</em>
+and <em>Device ID> up-front, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is then prompted to send a list of
+installed packages using the <em>Installed Packages</em> PA-TNC attribute. Since <b>dave</b>
+successfully connected to the VPN gateway shortly before, no new list of installed packages is
+requested again but because IP forwarding is enabled <b>dave</b> receives a corresponding
+<em>Remediation Instructions</em> PA-TNC attribute.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these assessments
+which are communicated to the IMCs using the <em>Assessment Result</em> PA-TNC attribute,
+the clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate"
+subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
new file mode 100644
index 000000000..0d3f55b45
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..34941e52c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..77446cbae
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..49f778f5b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..d17aac15e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,892 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  5, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+) VALUES (
+  NOW, 1, 1, 1, 4, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~
new file mode 100644
index 000000000..7373dd4b6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~
@@ -0,0 +1,852 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled', 1, 1 
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3e017e905
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..b75a9cb1e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
new file mode 100644
index 000000000..333ac7462
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -0,0 +1,19 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start 
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
+moon::ipsec attest --packages --product 'Debian 7.0 x86_64'
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
index ab78a9b76..f028ec609 100644
--- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
@@ -1,19 +1,20 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
+moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
index bdba8d32d..6f673dcc5 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn aaa
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
index 96b9a8dd5..11d45cd14 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
@@ -2,5 +2,5 @@
 
 : RSA aaaKey.pem
 
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
+carol : EAP "Ar3etTnp"
+dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
index b3769c7d9..70da7766a 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -24,10 +24,5 @@ libimcv {
     imv-test {
       rounds = 1 
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
index a639b0426..59563730b 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -13,12 +12,12 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightauth=pubkey
+	eap_identity=carol
 	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
index 74942afda..23d79cf2e 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-carol@strongswan.org : EAP "Ar3etTnp"
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
index 2f9a6d0b7..808f1d11a 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   plugins {
     eap-tnc {
       protocol = tnccs-2.0
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
index 5da78b4ab..8c27c78d2 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -13,12 +12,12 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightauth=pubkey
+	eap_identity=dave
 	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
index 5496df7ad..02e0c9963 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-dave@strongswan.org : EAP "W7R0g3do"
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
index 050d41b9f..96ff63ab1 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   plugins {    
     eap-tnc {
       protocol = tnccs-2.0
@@ -14,5 +14,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scannner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
index 33dcdcfb0..02ada5665 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -30,6 +28,6 @@ conn rw-eap
 	leftauth=pubkey
 	leftfirewall=yes
 	rightauth=eap-radius
-	rightid=*@strongswan.org
 	rightsendcert=never
 	right=%any
+	eap_identity=%any
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
index d298c17ad..d32951866 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
index 16218f385..e7eecd5f4 100644
--- a/testing/tests/tnc/tnccs-20-pdp/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
@@ -2,6 +2,6 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
index 9b9d6b699..32ed4d854 100644
--- a/testing/tests/tnc/tnccs-20-pdp/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf
index 400628531..c4ca1a19f 100644
--- a/testing/tests/tnc/tnccs-20-pdp/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave alice"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt
new file mode 100644
index 000000000..e78a70091
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/description.txt
@@ -0,0 +1,22 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
new file mode 100644
index 000000000..100754332
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d17473db1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e6046833c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d459bfc6c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..3236a18fa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..bc8b2d8f9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..090eb47ff
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,873 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0298a5151
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,32 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  plugins {
+    imv-attestation {
+      hash_algorithm = sha1
+    }
+  }
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..6507baaa1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat
new file mode 100644
index 000000000..cb6c131ef
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start 
+carol::ipsec start 
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
index 847ca2e7f..a483d6df8 100755..100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
index e296bcf0b..6f145ab0b 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
index f0ad4721f..11378131a 100755..100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
index fc9c86b86..fce949901 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
       command = retry 
       retry_command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
index 9eec48402..b1093d46d 100755..100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 2"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
index bfc5d9531..3e6bc65a6 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-server-retry/test.conf b/testing/tests/tnc/tnccs-20-server-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index bbc0603b6..40d5e24d5 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES              
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
index fe26aaede..eece9f294 100755..100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 2, imc 2"
 
 conn %default
@@ -14,11 +13,11 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
index c38dc7de5..ada13a325 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
index e1cfd14bb..362042656 100755..100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 2, imc 2"
 
 conn %default
@@ -14,11 +13,11 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
index f8fe44563..0870ca667 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -15,5 +15,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
index 80bcb5a5a..0ec930286 100755..100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 2, imv 2"
 
 conn %default
@@ -31,6 +29,6 @@ conn rw-eap
 	leftauth=eap-ttls
 	leftfirewall=yes
 	rightauth=eap-ttls
-	rightid=*@strongswan.org
+	rightid="C=CH, O=Linux strongSwan, OU=*, CN=*"
 	rightsendcert=never
 	right=%any
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
index 47fb3253f..bc1d421c1 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat
index c332f131b..cac1cfafc 100644
--- a/testing/tests/tnc/tnccs-20-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-tls/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
index 847ca2e7f..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
-	charondebug="tnc 3, imc 2"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
index 50d7af66b..6d8c10eab 100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
index f0ad4721f..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
-	charondebug="tnc 3, imc 2"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
index b67541c3c..1e5f50b05 100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
       command = isolate
       additional_ids = 1
     }
+    imc-scanner {
+      push_info = no
+   }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
index 9eec48402..e21ef0d14 100755..100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
-	charondebug="tnc 3, imv 2"
+	charondebug="tnc 3, imv 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..dcc4e75d1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,793 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 7.0'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Ubuntu 10.04'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.10'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 11.04'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 12.10'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Ubuntu 13.04'
+);
+
+INSERT INTO products (			/* 23 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 24 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 25 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 26 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 1, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name, parent
+) VALUES (
+  'Debian i686', 6
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 6
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 6
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 6
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Android', 7
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Linux', 7
+);
+
+INSERT INTO groups (			/*  7 */
+  name
+) VALUES (
+  'Default'
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  1, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  2, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 23
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 24
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 25
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 26
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  13, 'No Open UDP Ports', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Measure as reference /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 5, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  3, 6, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 4, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 4, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 6, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 7, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 7, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 6, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 6, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 2, 86400
+);
+
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
index 9e4ebcf04..032ae7e91 100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20/posttest.dat
+++ b/testing/tests/tnc/tnccs-20/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20/pretest.dat
+++ b/testing/tests/tnc/tnccs-20/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20/test.conf b/testing/tests/tnc/tnccs-20/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20/test.conf
+++ b/testing/tests/tnc/tnccs-20/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
index 5cc395ef8..405298381 100644
--- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@@ -1,27 +1,27 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
-moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
-moon::cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
-moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
-moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
-moon::cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
+moon:: cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
+moon:: cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
+moon:: cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
+moon:: cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
+moon:: cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
index 105fcbec6..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
index 286eab61d..e6f5ad365 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
index 97f322c28..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
index a9564bd38..db91eace4 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
index 997db0df7..e21ef0d14 100755..100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
index ca5fdd041..3fc6c3a4b 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-dynamic/posttest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat
index a7a3bf412..60775a11e 100644
--- a/testing/tests/tnc/tnccs-dynamic/pretest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-dynamic/test.conf b/testing/tests/tnc/tnccs-dynamic/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-dynamic/test.conf
+++ b/testing/tests/tnc/tnccs-dynamic/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/ylwrap b/ylwrap
index 84d563405..92536350c 100755
--- a/ylwrap
+++ b/ylwrap
@@ -1,10 +1,10 @@
 #! /bin/sh
 # ylwrap - wrapper for lex/yacc invocations.
 
-scriptversion=2009-04-28.21; # UTC
+scriptversion=2011-08-25.18; # UTC
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2001, 2002, 2003, 2004, 2005,
-# 2007, 2009 Free Software Foundation, Inc.
+# 2007, 2009, 2010, 2011 Free Software Foundation, Inc.
 #
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
@@ -99,7 +99,11 @@ esac
 # FIXME: add hostname here for parallel makes that run commands on
 # other machines.  But that might take us over the 14-char limit.
 dirname=ylwrap$$
-trap "cd '`pwd`'; rm -rf $dirname > /dev/null 2>&1" 1 2 3 15
+do_exit="cd '`pwd`' && rm -rf $dirname > /dev/null 2>&1;"' (exit $ret); exit $ret'
+trap "ret=129; $do_exit" 1
+trap "ret=130; $do_exit" 2
+trap "ret=141; $do_exit" 13
+trap "ret=143; $do_exit" 15
 mkdir $dirname || exit 1
 
 cd $dirname
@@ -133,19 +137,19 @@ if test $ret -eq 0; then
     # Handle y_tab.c and y_tab.h output by DOS
     if test $y_tab_nodot = "yes"; then
       if test $from = "y.tab.c"; then
-    	from="y_tab.c"
+        from="y_tab.c"
       else
-    	if test $from = "y.tab.h"; then
-    	  from="y_tab.h"
-    	fi
+        if test $from = "y.tab.h"; then
+          from="y_tab.h"
+        fi
       fi
     fi
     if test -f "$from"; then
       # If $2 is an absolute path name, then just use that,
       # otherwise prepend `../'.
       case "$2" in
-    	[\\/]* | ?:[\\/]*) target="$2";;
-    	*) target="../$2";;
+        [\\/]* | ?:[\\/]*) target="$2";;
+        *) target="../$2";;
       esac
 
       # We do not want to overwrite a header file if it hasn't
@@ -155,8 +159,8 @@ if test $ret -eq 0; then
       # Makefile.  Divert the output of all other files to a temporary
       # file so we can compare them to existing versions.
       if test $first = no; then
-	realtarget="$target"
-	target="tmp-`echo $target | sed s/.*[\\/]//g`"
+        realtarget="$target"
+        target="tmp-`echo $target | sed s/.*[\\/]//g`"
       fi
       # Edit out `#line' or `#' directives.
       #
@@ -180,10 +184,10 @@ if test $ret -eq 0; then
 
       # Check whether header files must be updated.
       if test $first = no; then
-	if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
-	  echo "$2" is unchanged
-	  rm -f "$target"
-	else
+        if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
+          echo "$2" is unchanged
+          rm -f "$target"
+        else
           echo updating "$2"
           mv -f "$target" "$realtarget"
         fi